GoSURF v1.7 Beta 3 Build 1.7.307.4629

标题：时间限制——GoSURF v1.7 Beta 3 Build 1.7.307.4629
作者：fly
时间：2003/08/25 02:43am
链接：http://bbs.pediy.com

下载页面： http://www.skycn.com/soft/7169.html
软件大小： 1951 KB
软件语言：简体中文
软件类别：国产软件 / 免费版 / 主页浏览
应用平台： Win9x/NT/2000/XP
加入时间： 2003-07-06 17:15:42
下载次数： 333557
推荐等级： ****
开发商： http://www.mmjd.com/gosurf/

【软件简介】：最IN的多页面浏览器！重现最逼真的IE界面，并提供多项贴心功能：－加强对网页图片、文字的保存，一拖就存。－强大的广告过滤，可以阻挡弹出窗口和各种广告条。－超强的网页病毒保护，能防止恶意代码的袭击。－稳定的工作，对意外崩溃时进行数据保护。－提供方便的在线翻译和浏览代理，冲浪无障碍。－快速准确的分类搜索，轻松获得讯息。

【软件限制】：60天试用

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、pe-scan、W32Dasm 9.0白金版

—————————————————————————————————
【过程】：

GoSuRF.exe 是EXE32Pack 1.38 壳，用 pe-scan 脱之。1.09M->3.92M。 Delphi 编写。

免费午餐结束了。60天试用，要求注册码。呵呵，先试试解除其时间限制了。算法以后再说吧 ^-^
下BPX GetLocalTime F5 2次，F11返回，终于来到核心！
—————————————————————————————————
一、发现下面的0040B13A ret 回这里！

:004B2F4C 7979 jns 004B2FC7
:004B2F4E 7979 jns 004B2FC9
:004B2F50 2D6D6D2D64 sub eax, 642D6D6D
:004B2F55 64 BYTE 064h
:004B2F56 0000 add byte ptr [eax], al

* Referenced by a CALL at Addresses:
|:004B20AE , :00581C43
|
:004B2F58 53 push ebx
:004B2F59 8BD8 mov ebx, eax
:004B2F5B E88C81F5FF call 0040B0EC
====>关键CALL①！取当前系统时间运算！进入！

:004B2F60 83C4F8 add esp, FFFFFFF8
:004B2F63 DD1C24 fstp qword ptr [esp]
====>ST=38186.594262615741170

:004B2F66 9B wait
:004B2F67 8BC3 mov eax, ebx
====>EAX=2003-11-09

:004B2F69 E81AFFFFFF call 004B2E88
====>关键CALL②！对2003-11-09运算！进入！

:004B2F6E 83C4F8 add esp, FFFFFFF8
:004B2F71 DD1C24 fstp qword ptr [esp]
====>ST=37934.000000000000000

:004B2F74 9B wait
:004B2F75 E8FAFEFFFF call 004B2E74
====>关键CALL③！进入！

:004B2F7A 5B pop ebx
:004B2F7B C3 ret

—————————————————————————————————
1、进入关键CALL①：004B2F5B call 0040B0EC 取当前系统时间运算！

* Referenced by a CALL at Addresses:
|:004B212E , :004B24B1 , :004B24C7 , :004B2AEC , :004B2F5B
|:005411FE , :0055AA2E , :0055AA37
|
:0040B0EC 83C4E0 add esp, FFFFFFE0
:0040B0EF 8D442408 lea eax, dword ptr [esp+08]
:0040B0F3 50 push eax

* Reference To: kernel32.GetLocalTime, Ord:0000h
====>GetLocalTime 取当前系统时间！

:0040B0F4 E823C9FFFF Call 00407A1C
:0040B0F9 668B4C240E mov cx, word ptr [esp+0E]
====>CX=12 日期：18日

:0040B0FE 668B54240A mov dx, word ptr [esp+0A]
====>DX=07 7月

:0040B103 668B442408 mov ax, word ptr [esp+08]
====>AX=07D4 2004年

:0040B108 E843FDFFFF call 0040AE50
====>对当前日期进行运算！得出下面的值！

:0040B10D DD5C2418 fstp qword ptr [esp+18]
====>[esp+18]=38186.000000000000000

:0040B111 9B wait
:0040B112 668B442416 mov ax, word ptr [esp+16]
:0040B117 50 push eax
:0040B118 668B4C2418 mov cx, word ptr [esp+18]
====>CX=2C

:0040B11D 668B542416 mov dx, word ptr [esp+16]
====>DX=F

:0040B122 668B442414 mov ax, word ptr [esp+14]
====>AX=E

:0040B127 E84CFBFFFF call 0040AC78
====>对上面的值进行运算！得出下面的值！

:0040B12C DC442418 fadd qword ptr [esp+18]
====>[esp+18]=38186.000000000000000 + 0.5942626157407407961=38186.594262615740740

:0040B130 DD1C24 fstp qword ptr [esp]
:0040B133 9B wait
:0040B134 DD0424 fld qword ptr [esp]
:0040B137 83C420 add esp, 00000020
:0040B13A C3 ret

—————————————————————————————————
2、进入关键CALL②：004B2F69 call 004B2E88 取2003-11-09运算！

* Referenced by a CALL at Address:
|:004B2F69
|
:004B2E88 55 push ebp
:004B2E89 8BEC mov ebp, esp
:004B2E8B 83C4F0 add esp, FFFFFFF0
:004B2E8E 53 push ebx
:004B2E8F 56 push esi
:004B2E90 8945FC mov dword ptr [ebp-04], eax
:004B2E93 8B45FC mov eax, dword ptr [ebp-04]
:004B2E96 E86513F5FF call 00404200
:004B2E9B 33C0 xor eax, eax
:004B2E9D 55 push ebp
:004B2E9E 68142F4B00 push 004B2F14
:004B2EA3 64FF30 push dword ptr fs:[eax]
:004B2EA6 648920 mov dword ptr fs:[eax], esp
:004B2EA9 8B45FC mov eax, dword ptr [ebp-04]
:004B2EAC E89B11F5FF call 0040404C
:004B2EB1 83F80A cmp eax, 0000000A
:004B2EB4 7512 jne 004B2EC8
:004B2EB6 8B45FC mov eax, dword ptr [ebp-04]
:004B2EB9 8078042D cmp byte ptr [eax+04], 2D
:004B2EBD 7509 jne 004B2EC8
:004B2EBF 8B45FC mov eax, dword ptr [ebp-04]
:004B2EC2 8078072D cmp byte ptr [eax+07], 2D
:004B2EC6 740B je 004B2ED3

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B2EB4(C), :004B2EBD(C)
|
:004B2EC8 E8F381F5FF call 0040B0C0
:004B2ECD DD5DF0 fstp qword ptr [ebp-10]
:004B2ED0 9B wait

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2E56(C)
|
:004B2ED1 EB2B jmp 004B2EFE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2EC6(C)
|
:004B2ED3 8D45FC lea eax, dword ptr [ebp-04]
:004B2ED6 E84D72FFFF call 004AA128
:004B2EDB 8BD8 mov ebx, eax
:004B2EDD 8D45FC lea eax, dword ptr [ebp-04]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2E6A(C)
|
:004B2EE0 E84372FFFF call 004AA128
:004B2EE5 8BF0 mov esi, eax
:004B2EE7 8D45FC lea eax, dword ptr [ebp-04]
:004B2EEA E83972FFFF call 004AA128
:004B2EEF 8BC8 mov ecx, eax
:004B2EF1 8BD6 mov edx, esi
:004B2EF3 8BC3 mov eax, ebx
:004B2EF5 E8567FF5FF call 0040AE50
====>运算！得出下面的值！

:004B2EFA DD5DF0 fstp qword ptr [ebp-10]
====>ST=37934.000000000000000

:004B2EFD 9B wait

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2ED1(U)
|
:004B2EFE 33C0 xor eax, eax
:004B2F00 5A pop edx
:004B2F01 59 pop ecx
:004B2F02 59 pop ecx
:004B2F03 648910 mov dword ptr fs:[eax], edx
:004B2F06 681B2F4B00 push 004B2F1B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2F19(U)
|
:004B2F0B 8D45FC lea eax, dword ptr [ebp-04]
:004B2F0E E8A90EF5FF call 00403DBC
:004B2F13 C3 ret

—————————————————————————————————
3、进入关键CALL③：004B2F75 call 004B2E74

* Referenced by a CALL at Addresses:
|:004B1ADD , :004B1B0D , :004B1D88 , :004B2F75
|
:004B2E74 55 push ebp
:004B2E75 8BEC mov ebp, esp
:004B2E77 DD4510 fld qword ptr [ebp+10]
:004B2E7A DC6508 fsub qword ptr [ebp+08]
====>ST=38186.594262615740740 - 37934.00000000000=252.59426261574117240

:004B2E7D E872FCF4FF call 00402AF4
:004B2E82 5D pop ebp
:004B2E83 C21000 ret 0010

—————————————————————————————————
二、上面一处004B2F7B ret 返回到4B20B3

* Referenced by a CALL at Address:
|:00581F0D
|
:004B2094 53 push ebx
:004B2095 56 push esi
:004B2096 8BF0 mov esi, eax
:004B2098 8BC6 mov eax, esi
:004B209A E87DFAFFFF call 004B1B1C
:004B209F 80BE9100000000 cmp byte ptr [esi+00000091], 00
:004B20A6 7427 je 004B20CF

:004B20A8 8B8694000000 mov eax, dword ptr [esi+00000094]
:004B20AE E8A50E0000 call 004B2F58
====>这里进入一！

:004B20B3 85C0 test eax, eax
====>返回到这里！EAX=252 即：4B2E7A处相减的结果！
====>完美去除时间限制！爆破点！让EAX永远=0 ^v^ ^v^

:004B20B5 7E0C jle 004B20C3
====>不跳！OVER！

:004B20B7 C6869000000003 mov byte ptr [esi+00000090], 03
:004B20BE E9D0000000 jmp 004B2193

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B20B5(C)
|
:004B20C3 C6869000000004 mov byte ptr [esi+00000090], 04
:004B20CA E9C4000000 jmp 004B2193

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B20A6(C)
|
:004B20CF 8BC6 mov eax, esi
:004B20D1 E832030000 call 004B2408
:004B20D6 84C0 test al, al
:004B20D8 0F858D000000 jne 004B216B
:004B20DE DD4630 fld qword ptr [esi+30]
:004B20E1 D81DC4214B00 fcomp dword ptr [004B21C4]
====>比较时间还剩多少！

:004B20E7 DFE0 fstsw ax
:004B20E9 9E sahf
:004B20EA 750C jne 004B20F8
:004B20EC 8BC6 mov eax, esi
:004B20EE E89D030000 call 004B2490
:004B20F3 E99B000000 jmp 004B2193

…… ……省略…… ……

—————————————————————————————————
附：进入关键CALL：0040B108 call 0040AE50 对日期进行运算！
再进入：0040AE7C call 0040AD88

* Referenced by a CALL at Addresses:
|:0040AE7C , :0040C2E3
|
:0040AD88 55 push ebp
:0040AD89 8BEC mov ebp, esp
:0040AD8B 83C4F8 add esp, FFFFFFF8
:0040AD8E 53 push ebx
:0040AD8F 56 push esi
:0040AD90 57 push edi
:0040AD91 8BD9 mov ebx, ecx
:0040AD93 8BFA mov edi, edx
:0040AD95 668945FE mov word ptr [ebp-02], ax
:0040AD99 C645FD00 mov [ebp-03], 00
:0040AD9D 668B45FE mov ax, word ptr [ebp-02]
:0040ADA1 E8A6FFFFFF call 0040AD4C
:0040ADA6 83E07F and eax, 0000007F
:0040ADA9 8D0440 lea eax, dword ptr [eax+2*eax]
:0040ADAC 8D34C53C315800 lea esi, dword ptr [8*eax+0058313C]
:0040ADB3 66837DFE01 cmp word ptr [ebp-02], 0001
:0040ADB8 0F8286000000 jb 0040AE44
:0040ADBE 66817DFE0F27 cmp word ptr [ebp-02], 270F
:0040ADC4 777E ja 0040AE44
:0040ADC6 6683FF01 cmp di, 0001
:0040ADCA 7278 jb 0040AE44
:0040ADCC 6683FF0C cmp di, 000C
:0040ADD0 7772 ja 0040AE44
:0040ADD2 6683FB01 cmp bx, 0001
:0040ADD6 726C jb 0040AE44
:0040ADD8 0FB7C7 movzx eax, di
:0040ADDB 663B5C46FE cmp bx, word ptr [esi+2*eax-02]
:0040ADE0 7762 ja 0040AE44
:0040ADE2 0FB7C7 movzx eax, di
:0040ADE5 48 dec eax
:0040ADE6 85C0 test eax, eax
:0040ADE8 7E0E jle 0040ADF8
:0040ADEA B901000000 mov ecx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040ADF6(C)
|
:0040ADEF 66035C4EFE add bx, word ptr [esi+2*ecx-02]
:0040ADF4 41 inc ecx
:0040ADF5 48 dec eax
:0040ADF6 75F7 jne 0040ADEF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040ADE8(C)
|
:0040ADF8 0FB74DFE movzx ecx, word ptr [ebp-02]
:0040ADFC 49 dec ecx
:0040ADFD 8BC1 mov eax, ecx
:0040ADFF BE64000000 mov esi, 00000064
:0040AE04 99 cdq
:0040AE05 F7FE idiv esi
:0040AE07 69F16D010000 imul esi, ecx, 0000016D
:0040AE0D 8BD1 mov edx, ecx
:0040AE0F 85D2 test edx, edx
:0040AE11 7903 jns 0040AE16
:0040AE13 83C203 add edx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AE11(C)
|
:0040AE16 C1FA02 sar edx, 02
:0040AE19 03F2 add esi, edx
:0040AE1B 2BF0 sub esi, eax
:0040AE1D 8BC1 mov eax, ecx
:0040AE1F B990010000 mov ecx, 00000190
:0040AE24 99 cdq
:0040AE25 F7F9 idiv ecx
:0040AE27 03F0 add esi, eax
:0040AE29 0FB7C3 movzx eax, bx
:0040AE2C 03F0 add esi, eax
:0040AE2E 81EE5A950A00 sub esi, 000A955A
:0040AE34 8975F8 mov dword ptr [ebp-08], esi
:0040AE37 DB45F8 fild dword ptr [ebp-08]
:0040AE3A 8B4508 mov eax, dword ptr [ebp+08]
:0040AE3D DD18 fstp qword ptr [eax]
:0040AE3F 9B wait
:0040AE40 C645FD01 mov [ebp-03], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040ADB8(C), :0040ADC4(C), :0040ADCA(C), :0040ADD0(C), :0040ADD6(C)
|:0040ADE0(C)
|
:0040AE44 8A45FD mov al, byte ptr [ebp-03]
:0040AE47 5F pop edi
:0040AE48 5E pop esi
:0040AE49 5B pop ebx
:0040AE4A 59 pop ecx
:0040AE4B 59 pop ecx
:0040AE4C 5D pop ebp
:0040AE4D C20400 ret 0004

—————————————————————————————————
【完美爆破】：

004B20B3 85C0 test eax, eax
改为： 33C0 xor eax, eax 去除时间限制！

—————————————————————————————————

, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊——fly [OCN][FCG]

2003-07-18 15:45:07