某工程项目管理软件《投标版》

标题：异想天开的打狗记录(高手免进） (12千字)
作者：lzhqqq
时间：2002-7-17 21:50:42
链接：http://bbs.pediy.com

异想天开的打狗记录：（如有雷同，请版主删除…………）

* QQ于2002年7月15日晨，共用时29.6分钟（不包括写破文20分钟），其中试用软件20分钟。

*目标：国内某工程项目管理软件《投标版》（VERSION 2.52）
保护 :一只狗（啊？什么狗，你问我啊？我不认识，我一只狗都不认识，但绝对不是“狼狗” ^_^ ）
目的：去掉不能打印和不能输出为图片文件的限制
工具：W32DASM，fi2.45，UltraEdit8.0，TRW2000 （看雪兄的光盘里有）

（hai wen gong cheng xiang mu guan li ruan jian）
*软件简介：网络计划技术在现代管理中已经得到了广泛的应用。作为智能工具的计算机，对网络计划技术在工程项目的计划管理、进度控制、资源管理的应用中可以发挥极大的作用。但是过去的一些计算机软件还不尽人意：网络图的编辑功能差、资源管理功能不能满足实际要求。“XX工程项目管理软件”在这些方面有了明显的改进。该软件采用先进的软件开发技术，界面美观，操作简单明了。用户不需要太多的网络计划和计算机知识，只要懂工程就可轻松地进行工作，………………

*我不愿意见到的：软件在运行时，如果没有狗，为试用版 ①标题显示 “软件序列号：没有注册” ②打印时会出现一个对话框"请插好软件狗"，然后就返回，不让你打印

*气死我了!气死我了!气死我了!气死我了!气死我了!气死我了!气死我了!气死我了!………………我打……

开工：
先用fi检查没有加壳，^_^ 我喜欢!!!!!!!!!!!!!!!!!
那下一步就先用 W32dsm 看看，反编译成功后，在串式参考查找出错的信息"请插好软件狗"，找到下面第一部分内容。在串式参考查找信息"没有注册"，找到下面第二部分内容（纯属灌水）。
然后呢，就用TRW2000跟踪，bpx 005050FB (后面的内容请看代码段注释………别忘了，只有在打印的时候才有的看哦……）

**********************************
第一部分：
:005050AF 90 nop
:005050B0 55 push ebp
:005050B1 8BEC mov ebp, esp
:005050B3 33C9 xor ecx, ecx
:005050B5 51 push ecx
:005050B6 51 push ecx
:005050B7 51 push ecx
:005050B8 51 push ecx
:005050B9 51 push ecx
:005050BA 51 push ecx
:005050BB 53 push ebx
:005050BC 56 push esi
:005050BD 57 push edi
:005050BE 8BF8 mov edi, eax
:005050C0 33C0 xor eax, eax
:005050C2 55 push ebp
:005050C3 6836525000 push 00505236
:005050C8 64FF30 push dword ptr fs:[eax]
:005050CB 648920 mov dword ptr fs:[eax], esp
:005050CE 8D4DFC lea ecx, dword ptr [ebp-04]
:005050D1 BA09000000 mov edx, 00000009
:005050D6 B801000000 mov eax, 00000001
:005050DB E81CC3FFFF call 005013FC
:005050E0 8D4DF0 lea ecx, dword ptr [ebp-10]
:005050E3 BA09000000 mov edx, 00000009
:005050E8 B801000000 mov eax, 00000001
:005050ED E80AC3FFFF call 005013FC
:005050F2 8B45F0 mov eax, dword ptr [ebp-10]
:005050F5 80780454 cmp byte ptr [eax+04], 54 **
:005050F9 7438 je 00505133 **
:005050FB 8D4DEC lea ecx, dword ptr [ebp-14] ** 停在这里
:005050FE BA09000000 mov edx, 00000009
:00505103 B801000000 mov eax, 00000001
:00505108 E8EFC2FFFF call 005013FC ** 按F10跳过
:0050510D 8B45EC mov eax, dword ptr [ebp-14] ** D EAX 显示的是"no dog" ^_^
:00505110 80780454 cmp byte ptr [eax+04], 54 ** 这个比较重要!!!! 54→“T”
:00505114 741D je 00505133 ** 想用吗?“你就跳啊,大胆的跳啊”
:00505116 6A10 push 00000010
:00505118 B944525000 mov ecx, 00505244

* Possible StringData Ref from Code Obj ->"请插好软件狗"
|
:0050511D BA4C525000 mov edx, 0050524C
:00505122 A1D8075400 mov eax, dword ptr [005407D8]
:00505127 8B00 mov eax, dword ptr [eax]
:00505129 E826C5F4FF call 00451654
:0050512E E9D8000000 jmp 0050520B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005050F9(C), :00505114(C)
|
:00505133 8B87E4020000 mov eax, dword ptr [edi+000002E4] ** 到这里，一切OK
:00505139 83B8F801000000 cmp dword ptr [eax+000001F8], 00000000
:00505140 7566 jne 005051A8
:00505142 A100095400 mov eax, dword ptr [00540900]
:00505147 8B00 mov eax, dword ptr [eax]
:00505149 C6803803000001 mov byte ptr [eax+00000338], 01
:00505150 8B87DC020000 mov eax, dword ptr [edi+000002DC]
:00505156 E819C0F9FF call 004A1174
:0050515B 85C0 test eax, eax
:0050515D 7E39 jle 00505198
:0050515F 8945F4 mov dword ptr [ebp-0C], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00505196(C)
|
:00505162 8B87D4020000 mov eax, dword ptr [edi+000002D4]
:00505168 E807C0F9FF call 004A1174
:0050516D 8BF0 mov esi, eax
:0050516F 8B87D8020000 mov eax, dword ptr [edi+000002D8]
:00505175 E8FABFF9FF call 004A1174
:0050517A 8BD8 mov ebx, eax
:0050517C 2BDE sub ebx, esi
:0050517E 7C13 jl 00505193
:00505180 43 inc ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00505191(C)
|
:00505181 A100095400 mov eax, dword ptr [00540900]
:00505186 8B00 mov eax, dword ptr [eax]
:00505188 8BD6 mov edx, esi
:0050518A E8D52B0000 call 00507D64
:0050518F 46 inc esi
:00505190 4B dec ebx
:00505191 75EE jne 00505181

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050517E(C)
|
:00505193 FF4DF4 dec [ebp-0C]
:00505196 75CA jne 00505162

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050515D(C)
|
:00505198 A100095400 mov eax, dword ptr [00540900]
:0050519D 8B00 mov eax, dword ptr [eax]
:0050519F C6803803000000 mov byte ptr [eax+00000338], 00
:005051A6 EB63 jmp 0050520B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00505140(C)
|
:005051A8 8B87E8020000 mov eax, dword ptr [edi+000002E8]
:005051AE 83C054 add eax, 00000054

* Possible StringData Ref from Code Obj ->"Bitmap Files(*.bmp)|*.bmp"
|
:005051B1 BA64525000 mov edx, 00505264
:005051B6 E879EBEFFF call 00403D34
:005051BB 8B87E8020000 mov eax, dword ptr [edi+000002E8]
:005051C1 8B10 mov edx, dword ptr [eax]
:005051C3 FF523C call [edx+3C]
:005051C6 3C01 cmp al, 01
:005051C8 7541 jne 0050520B
:005051CA B201 mov dl, 01
:005051CC A164A24100 mov eax, dword ptr [0041A264]
:005051D1 E822B6F1FF call 004207F8
:005051D6 8945F8 mov dword ptr [ebp-08], eax
:005051D9 8D55F8 lea edx, dword ptr [ebp-08]
:005051DC A100095400 mov eax, dword ptr [00540900]
:005051E1 8B00 mov eax, dword ptr [eax]
:005051E3 E87C280000 call 00507A64
:005051E8 8D55E8 lea edx, dword ptr [ebp-18]
:005051EB 8B87E8020000 mov eax, dword ptr [edi+000002E8]
:005051F1 E82234F5FF call 00458618
:005051F6 8B55E8 mov edx, dword ptr [ebp-18]
:005051F9 8B45F8 mov eax, dword ptr [ebp-08]
:005051FC 8B08 mov ecx, dword ptr [eax]
:005051FE FF514C call [ecx+4C]
:00505201 B201 mov dl, 01
:00505203 8B45F8 mov eax, dword ptr [ebp-08]
:00505206 8B08 mov ecx, dword ptr [eax]
:00505208 FF51FC call [ecx-04]

**********************************
第二部分：

:00523B96 8BC0 mov eax, eax
:00523B98 55 push ebp
:00523B99 8BEC mov ebp, esp
:00523B9B B904000000 mov ecx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00523BA5(C)
|
:00523BA0 6A00 push 00000000
:00523BA2 6A00 push 00000000
:00523BA4 49 dec ecx
:00523BA5 75F9 jne 00523BA0
:00523BA7 51 push ecx
:00523BA8 53 push ebx
:00523BA9 56 push esi
:00523BAA 57 push edi
:00523BAB 8945FC mov dword ptr [ebp-04], eax
:00523BAE 8B1DCC0A5400 mov ebx, dword ptr [00540ACC]
:00523BB4 8B3504075400 mov esi, dword ptr [00540704]
:00523BBA 33C0 xor eax, eax
:00523BBC 55 push ebp
:00523BBD 6809425200 push 00524209
:00523BC2 64FF30 push dword ptr fs:[eax]
:00523BC5 648920 mov dword ptr fs:[eax], esp
:00523BC8 8D4DEC lea ecx, dword ptr [ebp-14]
:00523BCB BA09000000 mov edx, 00000009
:00523BD0 B801000000 mov eax, 00000001
:00523BD5 E822D8FDFF call 005013FC
:00523BDA 8B45EC mov eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"no dog" **
|
:00523BDD BA20425200 mov edx, 00524220
:00523BE2 E88504EEFF call 0040406C
:00523BE7 750D jne 00523BF6
:00523BE9 8D45EC lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"没有注册" **
|
:00523BEC BA30425200 mov edx, 00524230
:00523BF1 E88201EEFF call 00403D78

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00523BE7(C)
|
:00523BF6 8D55E4 lea edx, dword ptr [ebp-1C]
:00523BF9 8B45FC mov eax, dword ptr [ebp-04]
:00523BFC E81710F1FF call 00434C18
:00523C01 FF75E4 push [ebp-1C]

* Possible StringData Ref from Code Obj ->" 软件序列号：" **
|
:00523C04 6844425200 push 00524244
:00523C09 FF75EC push [ebp-14]
:00523C0C 8D45E8 lea eax, dword ptr [ebp-18]
:00523C0F BA03000000 mov edx, 00000003
:00523C14 E80304EEFF call 0040401C
:00523C19 8B55E8 mov edx, dword ptr [ebp-18]
:00523C1C 8B45FC mov eax, dword ptr [ebp-04]
:00523C1F E82410F1FF call 00434C48
:00523C24 A1C8205400 mov eax, dword ptr [005420C8]
:00523C29 8B9094040000 mov edx, dword ptr [eax+00000494]
:00523C2F A1D8075400 mov eax, dword ptr [005407D8]
:00523C34 8B00 mov eax, dword ptr [eax]
:00523C36 83C038 add eax, 00000038

* Possible StringData Ref from Code Obj ->"Havenprj.hlp"
|
:00523C39 B95C425200 mov ecx, 0052425C
:00523C3E E86503EEFF call 00403FA8

那怎么改呢？改je 00505133为jmp，没有意思
:00505110 80780454 cmp byte ptr [eax+04], 54 ** 这个比较重要!!!! 54→“T”
:00505114 741D je 00505133

那……………………（以下在WINDOWS XP下测试能用，98下稍有不同，但也能用）
我异想天开，我用UltraEdit8.0查找“no dog”，全部替换为“TTTTTT”（咳，只有一处，没劲）

运行，“软件序列号：没有注册”变为“软件序列号：TTTTTT” ^_^ 有点意思，
更有意思的是：居然能打印了，爽啊!!!!!!!!

那干脆，我改!我改!我改!我改!我改!我改! （纯属个人爱好）
"请插好软件狗"->“我好喜欢你哦” "没有注册"->“我不需要” （但运行时，我无论如何都看不见了）
"no dog"->“QQQTTT” " 软件序列号："->“某某某破解” （^_^ 每次我看见就爽啊!!!!!!!!）

第一次写破文，大家见笑了……
我学习CRACK已经6个月了，也颇有收获（狗2，A盘1，序列号x个仅供内部传阅）
我只是觉得这个破解很有意思，我才写出来，请高手不要笑…………

我的格言是：不求最好，能用就好，不好也好! ^_^ QQ