虚拟光碟 2000

标题：破解实录（五）之虚拟光碟 2000 (tm) 中文版 V5.1 (7千字)
作者：xiA Qin
时间：2000-7-19 15:49:02
链接：http://bbs.pediy.com

破解实录（五）之虚拟光碟 2000 (tm) 中文版 V5.1

软件名称：虚拟光碟 2000 (tm) 中文版 V5.1 -->(21天试用)
简介：

作者：xiA Qin
级别：入门级
解密日前：2000年7月19日
解密工具：Trw2000 1.22
破解目的：学习NAG窗口的去除的破解。(简单)

说明：
本文是在我的软件破解记录上整理出来的。只作技术交流。如若有纰漏，请各位大侠多指教！

首先将系统的时间调快一个月。

Ctrl+N进入Trw2000

下指令bpx createwindowex //下中断点

按X键回到桌面运行程序，这时会被Trw2000拦截到。

下指令bc * //清除断点

下指令pmodule //直接跳到程序的领空

按F10来到下面,

015F:00408B1E PUSH BYTE +02
015F:00408B20 LEA ECX,[EBP-58]
015F:00408B23 MOV EAX,[EDX]
015F:00408B25 PUSH EAX
015F:00408B26 CALL `ZEN!??0ZRegApp@@QAE@PAUHKEY__@@H@Z`
015F:00408B2C MOV EAX,[EBX+D0]
015F:00408B32 LEA ECX,[EBP-1C]
015F:00408B35 PUSH ECX
015F:00408B36 MOV BYTE [EBP-04],0A
015F:00408B3A LEA EAX,[EAX+EAX*2]
015F:00408B3D LEA EAX,[EAX+EAX*4]
015F:00408B40 LEA EAX,[EAX+EAX*4]
015F:00408B43 LEA EDI,[EAX+EAX*8]
015F:00408B46 SHL EDI,07
015F:00408B49 CALL `MSVCRT!time`
015F:00408B4F ADD ESP,BYTE +04
015F:00408B52 LEA ECX,[EBP-58]
015F:00408B55 PUSH DWORD 1396
015F:00408B5A CALL `ZEN!?IsValueNameExist@ZRegBase@@QAEHH@Z`
015F:00408B60 CMP EAX,ESI
015F:00408B62 JZ NEAR 00408CF7
015F:00408B68 PUSH DWORD 1396
015F:00408B6D LEA ECX,[EBP-58]
015F:00408B70 CALL `ZEN!?GetDWORD@ZRegBase@@QAEKH@Z`
015F:00408B76 MOV ECX,EAX
015F:00408B78 MOV EAX,[EBP-1C]
015F:00408B7B CMP ECX,EAX
015F:00408B7D JNA 00408BDF
015F:00408B7F CALL `MGR!?dlgUpgrade@CMainFrame@@SAXXZ`
015F:00408B84 MOV EDI,[0041C8B4]
015F:00408B8A LEA ECX,[EBP-58]
015F:00408B8D MOV BYTE [EBP-04],09
015F:00408B91 CALL EDI
015F:00408B93 LEA ECX,[EBP+FFFFFF5C]
015F:00408B99 MOV BYTE [EBP-04],05
015F:00408B9D CALL `MFC42!ord_00000269`
015F:00408BA2 LEA ECX,[EBP-2C]
015F:00408BA5 MOV BYTE [EBP-04],04
015F:00408BA9 CALL EDI
015F:00408BAB LEA ECX,[EBP-14]
015F:00408BAE MOV BYTE [EBP-04],03
015F:00408BB2 CALL `MFC42!ord_00000320`
015F:00408BB7 MOV BYTE [EBP-04],00
015F:00408BBB CALL `MFC42!ord_0000061F`
015F:00408BC0 LEA ECX,[EBP-44]
015F:00408BC3 MOV DWORD [EBP-04],FFFFFFFF
015F:00408BCA CALL EDI
015F:00408BCC XOR EAX,EAX
015F:00408BCE MOV ECX,[EBP-0C]
015F:00408BD1 MOV [FS:00],ECX
015F:00408BD8 POP EDI
015F:00408BD9 POP ESI
015F:00408BDA POP EBX
015F:00408BDB MOV ESP,EBP
015F:00408BDD POP EBP
015F:00408BDE RET
015F:00408BDF LEA EDX,[ECX+EDI]
015F:00408BE2 CMP EAX,EDX
015F:00408BE4 JNA NEAR 00408C6D (NO JUMP) //这里可以跳过下面两个CALL.
015F:00408BEA PUSH DWORD 0042B5E8
015F:00408BEF PUSH DWORD 0042B5E4
015F:00408BF4 PUSH DWORD 0042B5DC
015F:00408BF9 CALL `KERNEL32!WriteProfileStringA`
015F:00408BFF PUSH BYTE -01
015F:00408C01 PUSH BYTE +10
015F:00408C03 PUSH DWORD 1B6D
015F:00408C08 CALL `MFC42!ord_000004AF` //弹出试用过期的对话框。
015F:00408C0D CALL `MGR!?dlgUpgrade@CMainFrame@@SAXXZ` //弹出订购软件的对话框

看看那里可以跳过这里。

上面00408BE4 JNA NEAR 00408C6D 好像可以跳过它耶!!!!

重新下断点bpx 00408BE4

按X键回到桌面运行程序，这时被Trw2000拦截到。

当光标走到00408BE4 JNA NEAR 00408C6D，

打入命令 CODE ON 记下指令码

下指令A 写入汇编代码
将 00408BE4 JNA NEAR 00408C6D
改 00408BE4 JNZ NEAR 00408C6D

又可以进入程序了。

015F:00408C12 MOV EDI,[0041C8B4]
015F:00408C18 LEA ECX,[EBP-58]
015F:00408C1B MOV BYTE [EBP-04],09
015F:00408C1F CALL EDI
015F:00408C21 LEA ECX,[EBP+FFFFFF5C]
015F:00408C27 MOV BYTE [EBP-04],05
015F:00408C2B CALL `MFC42!ord_00000269`
015F:00408C30 MOV BYTE [EBP-04],04
015F:00408C34 LEA ECX,[EBP-2C]
015F:00408C37 CALL EDI
015F:00408C39 LEA ECX,[EBP-14]
015F:00408C3C MOV BYTE [EBP-04],03
015F:00408C40 CALL `MFC42!ord_00000320`
015F:00408C45 MOV BYTE [EBP-04],00
015F:00408C49 CALL `MFC42!ord_0000061F`
015F:00408C4E LEA ECX,[EBP-44]
015F:00408C51 MOV DWORD [EBP-04],FFFFFFFF
..............................

015F:00408D38 8D4DEC LEA ECX,[EBP-14]
015F:00408D3B C645FC03 MOV BYTE [EBP-04],03
015F:00408D3F E8BAF80000 CALL `MFC42!ord_00000320`
015F:00408D44 C745FC00000000 MOV DWORD [EBP-04],00
015F:00408D4B E8E2FA0000 CALL `MFC42!ord_0000061F`
015F:00408D50 6A02 PUSH BYTE +02
015F:00408D52 8D4D90 LEA ECX,[EBP-70]
015F:00408D55 E8A6930000 CALL `MGR!??0MgrRegSet@@QAE@H@Z`
015F:00408D5A 8D4D90 LEA ECX,[EBP-70]
015F:00408D5D 6A02 PUSH BYTE +02
015F:00408D5F 51 PUSH ECX
015F:00408D60 8D4D80 LEA ECX,[EBP-80]
015F:00408D63 C645FC11 MOV BYTE [EBP-04],11
015F:00408D67 E8B4920000 CALL `MGR!??0MgrRegSet_SheetPrefer@@QAE@PAVZRegBase@@H@Z`
015F:00408D6C 6864140000 PUSH DWORD 1464
015F:00408D71 8D4D80 LEA ECX,[EBP-80]
015F:00408D74 C645FC12 MOV BYTE [EBP-04],12
015F:00408D78 FF1574C84100 CALL `ZEN!?GetDWORD@ZRegBase@@QAEKH@Z`
015F:00408D7E 8BF8 MOV EDI,EAX
015F:00408D80 A168BC4200 MOV EAX,[0042BC68]
015F:00408D85 85C0 TEST EAX,EAX
015F:00408D87 744C JZ 00408DD5 //这里可以跳过下面那个CALL
^^^^^^^^
下指令A 写入汇编代码
将00408D87 744C JZ 00408DD5
改00408D87 744C JZ 00408D97
就可以跳过评估版的对话框

015F:00408D89 6AFF PUSH BYTE -01
015F:00408D8B 6A00 PUSH BYTE +00
015F:00408D8D 68C8010000 PUSH DWORD 01C8
015F:00408D92 E871FA0000 CALL `MFC42!ord_000004AF` //弹出软件是评估版的对话框，
015F:00408D97 85FF TEST EDI,EDI 并不影响使用。
015F:00408D99 0F84A8000000 JZ NEAR 00408E47
015F:00408D9F 8B8378010000 MOV EAX,[EBX+0178]
015F:00408DA5 85C0 TEST EAX,EAX
015F:00408DA7 0F849A000000 JZ NEAR 00408E47
015F:00408DAD FF1594C04100 CALL `KERNEL32!GetSystemDefaultLangID`
015F:00408DB3 8B0D68BC4200 MOV ECX,[0042BC68]
015F:00408DB9 25FF030000 AND EAX,03FF
015F:00408DBE 85C9 TEST ECX,ECX
015F:00408DC0 746F JZ 00408E31
015F:00408DC2 663D1100 CMP AX,11
015F:00408DC6 7569 JNZ 00408E31
015F:00408DC8 8B5320 MOV EDX,[EBX+20]
015F:00408DCB 6A08 PUSH BYTE +08
015F:00408DCD 52 PUSH EDX
015F:00408DCE 6800010000 PUSH DWORD 0100
015F:00408DD3 EB67 JMP SHORT 00408E3C

整里一下，用Ultraedt打开MGR.EXE

找到OF 86 83 00 00 00

改成0F 85 83 00 00 00

可以跳过试用过期的对话框，订购软件的对话框进入程序。

但是，会弹出软件是评估版的对话框。我不知道如何用Ultraedt
将00408D87 744C JZ 00408DD5
改00408D87 744C JZ 00408D97
跳过此对话框。或者有其他更好的方法。望各位大侠指点。多谢！！！