image optimizer v3.0之暴力破解
软件下载:http://www.xxtt.freeserve.co.uk/xatio.exe
软件说明:该软件是一个图像批处理软件,可成批的压缩图像文件、转换格式,以及简单的编辑图像。
限制说明:日期限制,过期后功能限制和NAG限制。
工具:trw2K122,十六进制编辑软件随意。
解法一:
运行软件看关于,会发现“You are on day 1 of your 30 day evaluation”。据此
可以推断程序肯定是把日期写入一个地方,是什么呢?无非一个是KEYFILE,一个是注册表。先
看注册表吧(^-^,总是要从简单的入手嘛)。打开注册表,查找optimizer,你会在下面找到:
HKEY_CURRENT_USER\Software\xat.com\xat.com Image optimizer\Application
OK,把xat.com干掉,运行程序看看,又出现第一次运行的画面了,也就是说你又获得了30
天的试用时间。至此时间限制破掉,但这样每过30天便要删一次注册表,太烦了吧。那就来看第
二种解法吧。
解法二:
用trw2k122 load optimizer.exe,下断点getsystemtime,F5,中断后,pmodule,你
将来到:
* Reference To: KERNEL32.GetSystemTime, Ord:015Dh
|
:004A64A0 FF15FC214E00          Call dword ptr [004E21FC]
:004A64A6 668B45EA              mov ax, word ptr [ebp-16]          **中断于此**
:004A64AA 663B056AE95400        cmp ax, word ptr [0054E96A]
:004A64B1 753B                  jne 004A64EE
:004A64B3 668B45E8              mov ax, word ptr [ebp-18]
:004A64B7 663B0568E95400        cmp ax, word ptr [0054E968]
:004A64BE 752E                  jne 004A64EE
:004A64C0 668B45E6              mov ax, word ptr [ebp-1A]
:004A64C4 663B0566E95400        cmp ax, word ptr [0054E966]
:004A64CB 7521                  jne 004A64EE
:004A64CD 668B45E2              mov ax, word ptr [ebp-1E]
:004A64D1 663B0562E95400        cmp ax, word ptr [0054E962]
:004A64D8 7514                  jne 004A64EE
:004A64DA 668B45E0              mov ax, word ptr [ebp-20]
:004A64DE 663B0560E95400        cmp ax, word ptr [0054E960]
:004A64E5 7507                  jne 004A64EE
:004A64E7 A158E95400            mov eax, dword ptr [0054E958]
:004A64EC EB45                  jmp 004A6533
按F12两次,按F10,你将来到以下地方:
:0041A38E 6AFF                  push FFFFFFFF
:0041A390 E87B050000            call 0041A910
:0041A395 83C404                add esp, 00000004
:0041A398 8D54243C              lea edx, dword ptr [esp+3C]
:0041A39C 8BCF                  mov ecx, edi
:0041A39E 50                    push eax
:0041A39F 8D442420              lea eax, dword ptr [esp+20]
:0041A3A3 52                    push edx
:0041A3A4 50                    push eax
:0041A3A5 E85E960B00            call 004D3A08
:0041A3AA 50                    push eax
:0041A3AB E860050000            call 0041A910
:0041A3B0 83C404                add esp, 00000004
:0041A3B3 8D8C2490010000        lea ecx, dword ptr [esp+00000190]
:0041A3BA 8BF0                  mov esi, eax
:0041A3BC 51                    push ecx
:0041A3BD E86BD50900            call 004B792D
:0041A3C2 8B10                  mov edx, dword ptr [eax]           **中断于此**
:0041A3C4 51                    push ecx
:0041A3C5 8BC4                  mov eax, esp
:0041A3C7 8954241C              mov dword ptr [esp+1C], edx
:0041A3CB 89A42494010000        mov dword ptr [esp+00000194], esp
:0041A3D2 8D4C241C              lea ecx, dword ptr [esp+1C]
:0041A3D6 8930                  mov dword ptr [eax], esi
:0041A3D8 8D842494010000        lea eax, dword ptr [esp+00000194]
:0041A3DF 50                    push eax
:0041A3E0 E8BB0A0000            call 0041AEA0
:0041A3E5 8B08                  mov ecx, dword ptr [eax]
:0041A3E7 B807452EC2            mov eax, C22E4507
:0041A3EC F7E9                  imul ecx
:0041A3EE 03D1                  add edx, ecx
:0041A3F0 C1FA10                sar edx, 10
:0041A3F3 8BCA                  mov ecx, edx
:0041A3F5 C1E91F                shr ecx, 1F
:0041A3F8 03D1                  add edx, ecx
:0041A3FA 83FA1E                cmp edx, 0000001E                  **此处EDX存放已过的天数,将其与30比较**
:0041A3FD 891588B15200          mov dword ptr [0052B188], edx
:0041A403 7D0E                  jge 0041A413                       **大于等于则跳到NAG屏,并禁用部分功能**
:0041A405 3BD5                  cmp edx, ebp
:0041A407 C70590B15200F35E43AB  mov dword ptr [0052B190], AB435EF3
:0041A411 7D0A                  jge 0041A41D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A403(C)
|
:0041A413 C70590B15200C35A42A3  mov dword ptr [0052B190], A3425AC3
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041A289(U), :0041A33B(U), :0041A389(U), :0041A411(C)
|
:0041A41D 33C0                  xor eax, eax
因该软件为可注册版本,所以推测一下,它是否判断为非注册版本后,方进行时间判断的呢?
下面进行验证一下。向上翻动CODE窗,找离41a3bd最近的一个跳跃点。
:0041A340 83EC08                sub esp, 00000008
:0041A343 8D84249C010000        lea eax, dword ptr [esp+0000019C]
:0041A34A 8BCC                  mov ecx, esp
:0041A34C 89642420              mov dword ptr [esp+20], esp
:0041A350 50                    push eax
:0041A351 E82AE5FFFF            call 00418880
:0041A356 8D8C2490010000        lea ecx, dword ptr [esp+00000190]
:0041A35D E8FEE3FFFF            call 00418760
:0041A362 3BC5                  cmp eax, ebp
:0041A364 7528                  jne 0041A38E                       **程序从此处跳到判断日期代码中,在此设断**
:0041A366 39AC24DC010000        cmp dword ptr [esp+000001DC], ebp
:0041A36D 7410                  je 0041A37F
:0041A36F 55                    push ebp
:0041A370 8D8C24E4000000        lea ecx, dword ptr [esp+000000E4]
:0041A377 6A30                  push 00000030
:0041A379 51                    push ecx
:0041A37A E874B60A00            call 004C59F3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A36D(C)
|
:0041A37F C70590B152006DE15404  mov dword ptr [0052B190], 0454E16D
:0041A389 E98F000000            jmp 0041A41D
可以发现程序是从0041A364跳过来的,设断后重新LOAD,中断后下指令:
r eip eip+2(我之所以不用r fl z指令,是为以后JMP做准备,若为判断标志寄存器的
话,就不能直接跳过了。)
F5
将发现程序正常运行,看关于,wosai!!!"This is the full registered
version of image optimizer."且输入注册码的菜单也没了^-^,由此可见0041A364是一个
判断是否注册的标志点。
抄下代码:
8D8C2490010000 E8FEE3FFFF 3BC5 7528
改为-> -------------- ---------- ---- eb--
后记:
大凡“有时间限制 && 可输入注册码”的软件,大体思路都是如此,下断getsystemtime
|| getlocaltime 找到判断时间的代码区,然后向上找进入此区域的跳跃点,大概便可找到关
键点。若"实在没有 || 找不到便JMP",让其成为永不过期的试用版便是。
<Cracked by KanKer>
- 标 题:image optimizer v3.0之暴力破解 (6千字)
- 作 者:KanKer
- 时 间:2000-10-12 11:59:59
- 链 接:http://bbs.pediy.com