PixWizard ver 1.24
程式猎人
Introduction: An easy-to-use image viewer that supports a great many graphics file formats. Besides viewing, it does image processing, format conversion and screen capture, and it can view and convert OS/2 BMP, Windows BMP, EMF, GIF, IFF, JPEG, MAC, MSP, PCD, PCX, PIC, PICT, PNG, PPM, Targa, TIFF, WMF, WPG and other formats.
Tracing: This program is a time-bomb type of shareware, so all that has to be done is to remove its time limit.
After disassembling it with W32Dasm, search the string references; you find the following:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004074C3(C)
|
* Possible StringData Ref from Data Obj ->"days"
|
:004074CC 68F8E54700              push 0047E5F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004074CA(U)
|
:004074D1 8D4C2414                lea ecx, dword ptr [esp+14]

* Reference To: MFC42.Ordinal:03AD, Ord:03ADh
|
:004074D5 E8E0390200              Call 0042AEBA

* Possible StringData Ref from Data Obj ->" left in your evaluation period."
|
:004074DA 68D4E54700              push 0047E5D4
:004074DF 8D4C2414                lea ecx, dword ptr [esp+14]

* Reference To: MFC42.Ordinal:03AD, Ord:03ADh
|
:004074E3 E8D2390200              Call 0042AEBA
:004074E8 EB0E                    jmp 004074F8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407484(C), :00407489(C)
|
* Possible StringData Ref from Data Obj ->"Your evaluation period has expired."
|
:004074EA 68B0E54700              push 0047E5B0
:004074EF 8D4C2414                lea ecx, dword ptr [esp+14]

* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:004074F3 E8DA390200              Call 0042AED2
Above you can see both the "days left in your evaluation period" string and the "expired" string, so look upward for the place that jumps here (W32Dasm lists the referencing addresses, :00407484 and :00407489, right above the "expired" block).
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00407474 E8353A0200              Call 0042AEAE
:00407479 8B86FC000000            mov eax, dword ptr [esi+000000FC]
:0040747F 83C40C                  add esp, 0000000C
:00407482 3BC5                    cmp eax, ebp
:00407484 7E64                    jle 004074EA
:00407486 83F81E                  cmp eax, 0000001E
:00407489 7F5F                    jg 004074EA
This is where the jump to the block above comes from. The value loaded from [esi+000000FC] is compared first against ebp and then against 1Eh (30): if it is not greater than ebp, or is greater than 30, execution goes to 004074EA and the "Your evaluation period has expired." message. Now we know that patching these two conditional jumps is enough to defuse the program's time bomb.
Now everyone would agree that this finishes the crack, but if you actually do what is described above, what do you get? After I patched it and ran the program, it would not show its window at all any more.
I think the program very likely has a CRC verification routine, so let's trace again and see where exactly the program performs that CRC verification.
:0041F32C E8E5C50000              Call 0042B916
:0041F331 8D9424B4010000          lea edx, dword ptr [esp+000001B4]
:0041F338 6804010000              push 00000104
:0041F33D 52                      push edx
:0041F33E 8D8C24BC010000          lea ecx, dword ptr [esp+000001BC]
:0041F345 E8360A0000              call 0041FD80
:0041F34A 3B442418                cmp eax, dword ptr [esp+18]
:0041F34E 743A                    je 0041F38A
:0041F350 8D8C249C000000          lea ecx, dword ptr [esp+0000009C]
:0041F357 C684246408000004        mov byte ptr [esp+00000864], 04
:0041F35F E8AB540200              call 0044480F
:0041F364 8D8C248C000000          lea ecx, dword ptr [esp+0000008C]
:0041F36B 889C2464080000          mov byte ptr [esp+00000864], bl

* Reference To: MFC42.Ordinal:0299, Ord:0299h
|
:0041F372 E899C50000              Call 0042B910
:0041F377 8D4C2410                lea ecx, dword ptr [esp+10]
:0041F37B C684246408000001        mov byte ptr [esp+00000864], 01

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0041F383 E81ABB0000              Call 0042AEA2
:0041F388 EB40                    jmp 0041F3CA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041F34E(C)
|
* Possible StringData Ref from Data Obj ->"Shareware Version"
|
:0041F38A 68308B4A00              push 004A8B30
:0041F38F 8D8C24B8010000          lea ecx, dword ptr [esp+000001B8]
:0041F396 E825EFFFFF              call 0041E2C0
:0041F39B 8BF0                    mov esi, eax
:0041F39D 889C2464080000          mov byte ptr [esp+00000864], bl
:0041F3A4 85F6                    test esi, esi
:0041F3A6 8D8C248C000000          lea ecx, dword ptr [esp+0000008C]
:0041F3AD 7423                    je 0041F3D2
:0041F3AF E87C090000              call 0041FD30
:0041F3B4 8D4C2410                lea ecx, dword ptr [esp+10]
:0041F3B8 C684246408000001        mov byte ptr [esp+00000864], 01

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0041F3C0 E8DDBA0000              Call 0042AEA2
:0041F3C5 83FE01                  cmp esi, 00000001
:0041F3C8 741E                    je 0041F3E8
After tracing, it turns out that the comparison above is the critical jump: the call at 0041F345 (which takes a buffer of 104h bytes, i.e. MAX_PATH, consistent with checksumming the program's own file) returns a value in eax that is compared against the stored value at [esp+18], and only when they match does the je at 0041F34E continue to the normal "Shareware Version" path. Once this is changed, the program runs.
Now set the system clock forward by a year and run the program again. What do you think happens? The program window appears, and so does the nag window, but as soon as you click Continue the program exits by itself. So the program has yet another check, and there is nothing for it but to trace again. Trace downward from the time-comparison spot, since that is where the program can be caught, so we trace downward from there:
:00407547 50                      push eax
:00407548 8D4C2458                lea ecx, dword ptr [esp+58]
:0040754C FF5264                  call [edx+64]
:0040754F 8B86FC000000            mov eax, dword ptr [esi+000000FC]
:00407555 3BC5                    cmp eax, ebp
:00407557 7E0F                    jle 00407568
:00407559 83F81E                  cmp eax, 0000001E
:0040755C 7F0A                    jg 00407568
:0040755E C7860C01000001000000    mov dword ptr [esi+0000010C], 00000001
Arriving here, you see it: the program checks the day counter a second time, with the same pair of comparisons against ebp and 1Eh (30). Needless to say, patch it too. Run the program again and this time it works; the nag window tells you that you have -345 days left.
Now we can say this program has been cracked successfully.
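The three patch sites described above, gathered into one script as an added example (this is not the original author's code, and PixWizard itself is not included). The script maps each virtual address to a file offset through the PE section table, checks that the bytes at that offset are exactly the ones W32Dasm showed before it touches anything, and only then writes the replacement. The specific replacements (NOPing the two conditional jumps of each time check, and turning the je of the checksum compare into a jmp with the same displacement) are assumptions about how each site was "changed"; the post does not record the exact bytes the author used. The miniature PE built by build_sample_pe() is constructed here purely so the script runs offline; its layout has nothing to do with the real PixWizard.exe.

```python
import struct

# (virtual address, bytes W32Dasm showed at that address, replacement)
# Original bytes come from the listing; the replacements are an assumption.
PATCHES = [
    # First time check: both jumps lead to 004074EA ("Your evaluation period has expired.")
    (0x00407484, bytes.fromhex("7E64"), b"\x90\x90"),  # jle 004074EA -> nop nop
    (0x00407489, bytes.fromhex("7F5F"), b"\x90\x90"),  # jg  004074EA -> nop nop
    # Checksum compare: je 0041F38A is taken only when eax == [esp+18];
    # make it unconditional so a patched file is still accepted.
    (0x0041F34E, bytes.fromhex("743A"), b"\xEB\x3A"),  # je -> jmp, same rel8 displacement
    # Second time check, hit after the nag window's Continue button.
    (0x00407557, bytes.fromhex("7E0F"), b"\x90\x90"),  # jle 00407568 -> nop nop
    (0x0040755C, bytes.fromhex("7F0A"), b"\x90\x90"),  # jg  00407568 -> nop nop
]


def pe_sections(data):
    """Parse a PE32 image: return (ImageBase, [(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:        # PE32 magic
        raise ValueError("only PE32 images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i                          # 40-byte IMAGE_SECTION_HEADER
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(data, va):
    """Translate a virtual address (as shown by W32Dasm) into an offset in the file."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError(f"VA {va:#010x} is not backed by file data")
            return rptr + delta
    raise ValueError(f"VA {va:#010x} is not inside any section")


def apply_patches(data, patches=PATCHES):
    """Return a patched copy of data; refuse to touch a file whose bytes do not match the listing."""
    out = bytearray(data)
    for va, expected, new in patches:
        off = va_to_offset(out, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#010x}: expected {expected.hex()}, found {found.hex()} (wrong build or already patched?)")
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_pe():
    """Constructed stand-in (NOT PixWizard): a PE32 with one .text section holding only the listed bytes."""
    image_base, text_va, text_raw, text_size = 0x00400000, 0x1000, 0x400, 0x1F000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    sect = opt + 0xE0
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, text_size, text_va, text_size, text_raw)
    body = bytearray(text_size)
    for va, orig, _ in PATCHES:
        off = va - image_base - text_va
        body[off:off + len(orig)] = orig
    return bytes(hdr + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # python patch.py PixWizard.exe PixWizard.patched.exe
        with open(sys.argv[1], "rb") as f:
            src = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(apply_patches(src))
    else:                                        # no file given: demonstrate on the constructed sample
        sample = build_sample_pe()
        patched = apply_patches(sample)
        for va, _, new in PATCHES:
            print(f"{va:#010x} @ file offset {va_to_offset(sample, va):#x}: now {new.hex()}")
```

The byte check before each write is the part worth keeping: a version of the program other than 1.24 (or a file that has already been patched once) will fail the comparison instead of being silently corrupted, which is exactly the kind of mistake that otherwise shows up only as "the window never appears" and has to be traced again. Note that this neutralizes the checksum compare rather than recomputing the stored value at [esp+18]; the latter would require knowing the algorithm behind the call at 0041F345, which the post does not establish.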
- Title: How to crack PixWizard ver 1.24. This version may be rather old, but it is worth everyone's study! Don't believe it?
- Author: 程式猎人
- Time: 2000-11-27 20:26:13
- Link: http://bbs.pediy.com