CacheX v4.00

标题：解除CacheX for Internet Explorer V 4.00的crc校验及破解 (19千字)
作者：玉川
时间：2001-9-19 0:12:48
链接：http://bbs.pediy.com

解除CacheX for Internet Explorer V 4.00的crc校验及破解,

发信人:玉川
整理时间:2001-09-18
软件介绍：

　 CacheX for Internet Explorer
　来自：Matthias Wolf, Albertinenstr
　版本： 4.00
　最新更新： 2001-07-30
　文件大小： 296 KB
　软件授权： Share Ware
　作业平台： Win 95/98/NT/2000
　可以在离线后轻松访问曾经浏览过的网页。包括全文检索，建立整个访问文档的结构。可以保存，隐藏和删除离线文档。当我们在线浏览网页时，浏览器自身已经下载了所需的页面和图片，在浏览器的缓存里面已经有很多我们需要的内容，如果能好好地利用它们，有时并不需要我们再次连线上网去查询和下载，那可是能节省不少银子的哟！CacheX就是一个可以充分利用这些资源的离线浏览软件。

首先说明，我走的是一条最笨的破解之路，最便捷的还是破解它的注册码.这条弯弯拐拐的路可花了我不少时间.其中没有详细说明为何这样改，原因很简单，连我自己的笔记也不能看懂了，我也只能按笔记这样修改.不过，如果你有兴趣，按下面的顺序依次中断，就会发现东东.

还有一点想说的是，该软件的离线浏览功能制作没有它的防解密好。其实，我们用好IE的“历史”功能，同样很方便离线浏览.
　

首先，用topo打开cxie.exe,我增加了300字节，但最好是增加400字节.得到
memory 0044a01d
file offset 00045e1d
以上得到的空间作为修改程序之用。如果你得到的地址与这不同，那下面修改部分的跳转地址就有所改变，请注意.

1。调试器检测

* Referenced by a CALL at Address:
|:0043DAE4
|
:0043DAF0 56 push esi
:0043DAF1 33C0 xor eax, eax
:0043DAF3 8B742408 mov esi, dword ptr [esp+08]
:0043DAF7 57 push edi
:0043DAF8 F7D6 not esi
:0043DAFA 8B7C2410 mov edi, dword ptr [esp+10]
:0043DAFE F7D7 not edi
:0043DB00 CC int 03
:0043DB01 5F pop edi
:0043DB02 40 inc eax
:0043DB03 5E pop esi
:0043DB04 C3 ret

2。crc校验（第一）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043D4A7(C)
|
:0043D4CA 8D85DCFAFFFF lea eax, dword ptr [ebp+FFFFFADC]
:0043D4D0 50 push eax
:0043D4D1 E854180000 call 0043ED2A
:0043D4D6 3B35A8294400 cmp esi, dword ptr [004429A8]
:0043D4DC 754A jne 0043D528 《----必须nop掉
:0043D4DE 8B45F0 mov eax, dword ptr [ebp-10]
:0043D4E1 F7D0 not eax
:0043D4E3 3B0518E64300 cmp eax, dword ptr [0043E618]
:0043D4E9 753D jne 0043D528 《----必须nop掉
:0043D4EB 8B45E4 mov eax, dword ptr [ebp-1C]
:0043D4EE 8B4DE8 mov ecx, dword ptr [ebp-18]
:0043D4F1 2D008049B7 sub eax, B7498000

3、crc校验（第二）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043DF5E(C)
|
:0043DF7E 8D8B00100000 lea ecx, dword ptr [ebx+00001000]
:0043DF84 8D9348100000 lea edx, dword ptr [ebx+00001048]
:0043DF8A F7D0 not eax 《-------此处必须修改eax的值
:0043DF8C 8BF1 mov esi, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043DF9E(U)
|
:0043DF8E 3BCA cmp ecx, edx
:0043DF90 730E jnb 0043DFA0
:0043DF92 8B39 mov edi, dword ptr [ecx]
:0043DF94 33F8 xor edi, eax

在0043df8a处，必须修改eax的值，使eax=555200a3,我这样修改:
0043df7e e99ac00000 jmp 0044a01d
0043df83 90 nop
在0044a01d处:
0044a01d 8d8b00100000 lea ecx,dword ptr [ebx+1000]
0044a023 b8a3005255 mov eax,555200a3
0044a028 e9573fffff jmp 43df84

4、crc校验（第三）

:0043EE28 6A00 push 00000000
:0043EE2A 50 push eax
:0043EE2B E836F4FFFF call 0043E266
:0043EE30 FF75FC push [ebp-04] 《----修改此处
:0043EE33 8D459C lea eax, dword ptr [ebp-64]

* Possible Reference to Menu: MenuID_0001
|

* Possible Reference to String Resource ID=00001: "CacheX for Internet Explorer"
|
:0043EE36 6A01 push 00000001

* Possible Reference to String Resource ID=00020: "Week of %s"
|
:0043EE38 6A14 push 00000014
:0043EE3A 50 push eax
:0043EE3B E891F0FFFF call 0043DED1
:0043EE40 33C0 xor eax, eax
:0043EE42 8D7D9C lea edi, dword ptr [ebp-64]
:0043EE45 AB stosd
:0043EE46 AB stosd
:0043EE47 AB stosd
:0043EE48 8B75F8 mov esi, dword ptr [ebp-08]
:0043EE4B 53 push ebx
:0043EE4C AB stosd
:0043EE4D AB stosd
:0043EE4E BFFAF64300 mov edi, 0043F6FA
:0043EE53 56 push esi
:0043EE54 57 push edi
:0043EE55 FF75FC push [ebp-04]
:0043EE58 E821F3FFFF call 0043E17E
:0043EE5D FF75FC push [ebp-04]
:0043EE60 E84DF2FFFF call 0043E0B2
:0043EE65 57 push edi
:0043EE66 53 push ebx
:0043EE67 56 push esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043EEDB(C)
|
:0043EE68 E8DAEFFFFF call 0043DE47
:0043EE6D 85C0 test eax, eax
:0043EE6F 7505 jne 0043EE76
:0043EE71 E878E9FFFF call 0043D7EE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043EE6F(C)
|
:0043EE76 FF7510 push [ebp+10]
:0043EE79 FF750C push [ebp+0C]
:0043EE7C FF7508 push [ebp+08]
:0043EE7F FF75FC push [ebp-04]
:0043EE82 FFD6 call esi 《---注意此call,程序启动第一次中断在此，为利用注册名和注册码计算的key来解密已加密的程序代码，此key在[ebp+08]中的地址中。
:0043EE84 8BCB mov ecx, ebx
:0043EE86 894510 mov dword ptr [ebp+10], eax
:0043EE89 8BD1 mov edx, ecx
:0043EE8B 33C0 xor eax, eax
:0043EE8D 8BFE mov edi, esi
:0043EE8F FF75FC push [ebp-04]
:0043EE92 C1E902 shr ecx, 02
:0043EE95 F3 repz

在43ee30处,改为:
0043ee30 e9fbb10000 jmp 0044a030
0043ee35 90 nop

在0044a030(offset 45e30)处，改为：
0044a030 ff75fc push [ebp-04]
0044a033 8d459c lea eax,dword ptr [ebp-64]
0044a036 c700bc6c4684 mov [eax],84466cbc
0044a03c c7400481ff001e mov [eax+04],1e00ff81
0044a043 c740085c3ae70e mov [eax+08],0ee73a5c
0044a04a c7400c74c49c35 mov [eax+0c],359cc474
0044a051 c74010f7fc284b mov [eax+10],4b28fcf7
0044a058 e9d84dffff jmp 0043ee36

5、crc校验 (第四)

:0043D0CA 50 push eax
:0043D0CB E896110000 call 0043E266
:0043D0D0 53 push ebx

* Possible Reference to Menu: MenuID_0001
|

* Possible Reference to String Resource ID=00001: "CacheX for Internet Explorer"
|
:0043D0D1 6A01 push 00000001

* Possible Reference to String Resource ID=00020: "Week of %s"
|
:0043D0D3 6A14 push 00000014 《----修改此处
:0043D0D5 8D4590 lea eax, dword ptr [ebp-70]
:0043D0D8 50 push eax
:0043D0D9 E8F30D0000 call 0043DED1
:0043D0DE 33C0 xor eax, eax
:0043D0E0 8D7DEC lea edi, dword ptr [ebp-14]
:0043D0E3 AB stosd
:0043D0E4 AB stosd
:0043D0E5 AB stosd
:0043D0E6 AB stosd
:0043D0E7 33C0 xor eax, eax

在43d0d3处，如下修改：
0043d0d3 e988cf0000 jmp 0044a060

在0044a060 (offset 45e60)处打入如下数据:
6a148d4590
c7006bba11d0
c74004e8c340bb
c74008afaf5906
c7400c09e66d52
c7401040e6efbb
e94c30ffff

6、crc校验 (第五)

:0040BB86 8D4590 lea eax, dword ptr [ebp-70]
:0040BB89 53 push ebx
:0040BB8A 50 push eax
:0040BB8B E8D6260300 call 0043E266
:0040BB90 FF75FC push [ebp-04] 《----修改此处
:0040BB93 8D4590 lea eax, dword ptr [ebp-70]
:0040BB96 57 push edi

* Possible Reference to String Resource ID=00020: "Week of %s"
|
:0040BB97 6A14 push 00000014
:0040BB99 50 push eax
:0040BB9A E832230300 call 0043DED1
:0040BB9F 8D45EC lea eax, dword ptr [ebp-14]

* Possible Reference to Dialog: DialogID_014D, CONTROL_ID:0010, "Image and media files:"
|

* Possible Reference to String Resource ID=00016: " (not in Master Category List)"
|
:0040BBA2 6A10 push 00000010
:0040BBA4 50 push eax
:0040BBA5 6898864400 push 00448698

在0040bb90处，如下修改:
0040bb90 e9f7e40300 jmp 0044a08c
0040bb95 90 nop

在0044a08c处(offset 45e8c)打入如下数据:
ff75fc8d4590
c700f4622151
c740046717c3d7
c7400831aa0084
c7400cbefe6e71
c740109e675f97
e9dd1afcff

7、crc校验（第六）

:0040BC2D 53 push ebx
:0040BC2E 50 push eax
:0040BC2F E832260300 call 0043E266
:0040BC34 8B7DFC mov edi, dword ptr [ebp-04] 《---修改此处
:0040BC37 8D4590 lea eax, dword ptr [ebp-70]
:0040BC3A 57 push edi

* Possible Reference to Menu: MenuID_0001
|

* Possible Reference to String Resource ID=00001: "CacheX for Internet Explorer"
|
:0040BC3B 6A01 push 00000001

* Possible Reference to String Resource ID=00020: "Week of %s"
|
:0040BC3D 6A14 push 00000014
:0040BC3F 50 push eax
:0040BC40 E88C220300 call 0043DED1

* Possible Reference to Dialog: DialogID_014D, CONTROL_ID:0010, "Image and media files:"
|

* Possible Reference to String Resource ID=00016: " (not in Master Category List)"
|
:0040BC45 6A10 push 00000010
:0040BC47 8D45EC lea eax, dword ptr [ebp-14]
:0040BC4A 53 push ebx

在0040bc34处，如下修改:
0040bc34 e980e40300 jmp 0044a0b9
0040bc39 90 nop

在0044a0b9处(offset 45eb9)打入如下数据:
8b7dfc8d4590
c700670b6c92
c740041abcfe56
c7400894914c33
c7400cc7ce935c
c7401099aca6b8
e9541bfcff

8、crc校验 (第七)

:00418CCA 50 push eax
:00418CCB E896550200 call 0043E266
:00418CD0 53 push ebx

* Possible Reference to Menu: MenuID_0001
|

* Possible Reference to String Resource ID=00001: "CacheX for Internet Explorer"
|
:00418CD1 6A01 push 00000001 《----修改此处
:00418CD3 8D4590 lea eax, dword ptr [ebp-70]

* Possible Reference to String Resource ID=00020: "Week of %s"
|
:00418CD6 6A14 push 00000014
:00418CD8 50 push eax
:00418CD9 E8F3510200 call 0043DED1
:00418CDE 8945FC mov dword ptr [ebp-04], eax

* Possible Reference to String Resource ID=00020: "Week of %s"
|
:00418CE1 6A14 push 00000014

在00418cd1处如下修改:
00418cd1 e910140300 jmp 0044a0e6

在0044a0e6处(offset 45ee6)打入如下数据:
6a018d4590
c700fa4614e4
c74004bd5ca7ea
c74008728b6d4f
c7400cf2c711a8
c74010907874c3
e9c4ebfcff

9、crc校验 (第八)

:00421891 72DD jb 00421870

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042186E(C)
|
:00421893 8B45F8 mov eax, dword ptr [ebp-08] 《----修改此处
:00421896 8BD7 mov edx, edi
:00421898 F7D1 not ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004218AC(C)
|
:0042189A 8B3A mov edi, dword ptr [edx]
:0042189C 83C204 add edx, 00000004
:0042189F 33F9 xor edi, ecx
:004218A1 8938 mov dword ptr [eax], edi
:004218A3 83C004 add eax, 00000004
:004218A6 81FA7C244400 cmp edx, 0044247C
:004218AC 72EC jb 0042189A
:004218AE 8B86E8060000 mov eax, dword ptr [esi+000006E8]

在00421893处如下修改:
0042893 e97a880200 jmp 0044a112

在0044a112处(offset 45f12)打入如下数据:
8b45f88bd7b9a3005255e97777fdff

10、crc校验 (第九)

:004046F8 53 push ebx
:004046F9 68B8074400 push 004407B8 《----修改此处
:004046FE FF75F8 push [ebp-08]
:00404701 E88A410300 call 00438890
:00404706 8B8680000000 mov eax, dword ptr [esi+00000080]
:0040470C 83C40C add esp, 0000000C
:0040470F 8BD0 mov edx, eax
:00404711 8D8890000000 lea ecx, dword ptr [eax+00000090]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404728(U)
|
:00404717 3BC1 cmp eax, ecx
:00404719 730F jnb 0040472A
:0040471B 8B18 mov ebx, dword ptr [eax]
:0040471D 335DFC xor ebx, dword ptr [ebp-04]
:00404720 891A mov dword ptr [edx], ebx
:00404722 83C204 add edx, 00000004
:00404725 83C004 add eax, 00000004
:00404728 EBED jmp 00404717

在004046f9处如下修改:
004046f9 e9235a0400 jmp 0044a121

在0044a121处(offset 45f21)打入如下数据:
68b8074400c745fca2461300e9cca5fbff

11、关于delete的破解

:0041C582 33C8 xor ecx, eax
:0041C584 FF45FC inc [ebp-04]
:0041C587 817DFCF4EE4300 cmp dword ptr [ebp-04], 0043EEF4
:0041C58E 72D9 jb 0041C569

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C567(C)
|
:0041C590 57 push edi 《----修改此处
:0041C591 53 push ebx
:0041C592 FF75F8 push [ebp-08]
:0041C595 F7D1 not ecx
:0041C597 894DFC mov dword ptr [ebp-04], ecx
:0041C59A E8F1C20100 call 00438890
:0041C59F 8B4658 mov eax, dword ptr [esi+58]
:0041C5A2 83C40C add esp, 0000000C
:0041C5A5 8BD0 mov edx, eax
:0041C5A7 8D8890000000 lea ecx, dword ptr [eax+00000090]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C5BE(U)
|
:0041C5AD 3BC1 cmp eax, ecx
:0041C5AF 730F jnb 0041C5C0
:0041C5B1 8B38 mov edi, dword ptr [eax]
:0041C5B3 337DFC xor edi, dword ptr [ebp-04]
:0041C5B6 893A mov dword ptr [edx], edi
:0041C5B8 83C204 add edx, 00000004
:0041C5BB 83C004 add eax, 00000004
:0041C5BE EBED jmp 0041C5AD

在41c590处，作如下修改:
0041c590 e99ddb0200 jmp 44a132
然后在44a132处(offset 45f32)打入：
5753ff75f8b9a3005255e95424fdff

这样修改后，delete不会出错了，但是，程序会退出。可以肯定，还有一个更狡猾的crc校验。我跟踪了一阵，如下代码可疑:

:004079E6 FF742410 push [esp+10]
:004079EA B9607C4400 mov ecx, 00447C60
:004079EF 55 push ebp
:004079F0 E8F59CFFFF call 004016EA
:004079F5 8B742418 mov esi, dword ptr [esp+18]
:004079F9 50 push eax
:004079FA 8BCE mov ecx, esi
:004079FC E8694C0100 call 0041C66A 《---此处可疑,里面的代码很长。
:00407A01 6AFF push FFFFFFFF
:00407A03 8BCF mov ecx, edi
:00407A05 E865000200 call 00427A6F 《---此处可疑,里面的代码很长。
:00407A0A 8B06 mov eax, dword ptr [esi]
:00407A0C 3BDD cmp ebx, ebp
:00407A0E 55 push ebp
:00407A0F 7507 jne 00407A18
:00407A11 8BCE mov ecx, esi
:00407A13 FF5074 call [eax+74]
:00407A16 EB06 jmp 00407A1E

不知正确与否，望有兴趣的朋友仔细研究一下，指教小弟几招.

小弟无能，仍然没能完全搞定cachex,望各位赐教.

12、通过以上crc校验修改后，便可对程序进行任意修改了.

除去时间限制:

:0043D70C 0FB705A8864400 movzx eax, word ptr [004486A8]
:0043D713 0FB70DB8864400 movzx ecx, word ptr [004486B8]
:0043D71A 2BC8 sub ecx, eax
:0043D71C 780B js 0043D729
:0043D71E 0FBE0590864400 movsx eax, byte ptr [00448690]
:0043D725 2BC1 sub eax, ecx 《----eax中为2e,ecx为已使用天数.
:0043D727 7902 jns 0043D72B 《---改为jmp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043D71C(C)
|
:0043D729 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043D727(C)
|
:0043D72B C3 ret

在0043d725处,随你改，我将2bc1改为b008,这样每每都有8天的使用时间,永不过期.0043d727必改.

通过上面的时间限制修改，仍有未注册的时间提示窗口，如你不满意的话，想去掉该窗口，可作如下修改:

:0043D13C 8BC3 mov eax, ebx
:0043D13E 2BC7 sub eax, edi
:0043D140 50 push eax
:0043D141 FF750C push [ebp+0C] 《----修改此处
:0043D144 FF7508 push [ebp+08]
:0043D147 FFD3 call ebx
:0043D149 8BCE mov ecx, esi
:0043D14B 89450C mov dword ptr [ebp+0C], eax
:0043D14E 8BD1 mov edx, ecx
:0043D150 33C0 xor eax, eax
:0043D152 8BFB mov edi, ebx
:0043D154 53 push ebx
:0043D155 C1E902 shr ecx, 02
:0043D158 F3 repz
:0043D159 AB stosd
:0043D15A 8BCA mov ecx, edx
:0043D15C 83E103 and ecx, 00000003
:0043D15F F3 repz
:0043D160 AA stosb
:0043D161 E8FFAAFEFF call 00427C65
:0043D166 8B450C mov eax, dword ptr [ebp+0C]
:0043D169 59 pop ecx
:0043D16A 5F pop edi
:0043D16B 5E pop esi
:0043D16C 5B pop ebx
:0043D16D C9 leave
:0043D16E C20800 ret 0008

在0043d141处，将ff750c改为6a0390即可.但这样一来，"about "的窗口将不再出现.

但在标题栏仍有Unregistered Version字样，如何将(Unregistered Version)去掉呢？好办，用winhex打开CXie.exe,
在offset 5bb14处，看到了吧,将Unregistered Version改为你喜欢的东东。我改为了(version 4.00)

通过这样修改，除了delete外，其它功能应该没有问题.唯一遗憾的是delete还未解决,不过我正在努力。我相信，没有破不了的东东。(注意那个about窗口)
感谢你花了这么长时间看到这里，望及时指教.

玉川

2001.09.18