• Title: A Record of Brute-Force Cracking Vopt99 v4.31 (for beginners' reference only) (5,000 characters)
  • Author: mjing
  • Time: 2001-2-19 9:25:59
  • Link: http://bbs.pediy.com

A Record of Brute-Force Cracking Vopt99 v4.31 (for beginners' reference only)

Tools required: Softice or trw2000, DASM Gold Edition, UltraEdit

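    VOPT99 is a very good disk defragmentation program; I liked it as
soon as I used it. However, it has a 30-day limit and requires
registration. I have no $$$, so I had no choice but to wrong it.

    Vopt99 is written in VB5 (I have always felt dizzy at the sight of
anything VB). I tried to find the registration code, but its registration
code is well protected and my skills are still shallow (there is not much
hope of my becoming a master :<). Well, back to the topic. First,
disassemble it with DASM. What should serve as the way in? Doesn't the
main window carry this line: "30 day trial:"? I searched for it and,
hey, actually found it: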

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004318B7(C)
|
:004318D6 C78560FFFFFF00000000    mov dword ptr [ebp+FFFFFF60], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004318D4(U)
|
:004318E0 8B55B4                  mov edx, dword ptr [ebp-4C]
:004318E3 895580                  mov dword ptr [ebp-80], edx

* Possible StringData Ref from Code Obj ->"330 day trial: "
                                  |
:004318E6 68DCF94000              push 0040F9DC
:004318EB 668B45CC                mov ax, word ptr [ebp-34]
:004318EF 50                      push eax

* Reference To: MSVBVM50.__vbaStrI2, Ord:0000h
                                  |
:004318F0 FF159CD24500            Call dword ptr [0045D29C]
:004318F6 8BD0                    mov edx, eax
:004318F8 8D4DC4                  lea ecx, dword ptr [ebp-3C]

* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
                                  |
:004318FB FF15C4D44500            Call dword ptr [0045D4C4]
:00431901 50                      push eax

* Reference To: MSVBVM50.__vbaStrCat, Ord:0000h
                                  |
:00431902 FF1504D34500            Call dword ptr [0045D304]
:00431908 8BD0                    mov edx, eax
:0043190A 8D4DC0                  lea ecx, dword ptr [ebp-40]

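Let's analyze this: if the trial period has not expired, the code at 004318E3
should be reached; if it has expired, this part of the code will not be executed.
So look upward at the jump code: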


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043181E(C)
|
:0043183D C78564FFFFFF00000000    mov dword ptr [ebp+FFFFFF64], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043183B(U)
|
:00431847 8D4DB8                  lea ecx, dword ptr [ebp-48]

* Reference To: MSVBVM50.__vbaFreeObj, Ord:0000h
                                  |
:0043184A FF15F4D44500            Call dword ptr [0045D4F4]
:00431850 C745FC25000000          mov [ebp-04], 00000025
:00431857 66837DCC00              cmp word ptr [ebp-34], 0000
:0043185C 7E07                    jle 00431865        ;as long as this jump is not taken, the trial can continue
:0043185E 66837DCC2D              cmp word ptr [ebp-34], 002D
:00431863 7E15                    jle 0043187A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043185C(C)
|
:00431865 C745FC26000000          mov [ebp-04], 00000026
:0043186C 66C70576904500FFFF      mov word ptr [00459076], FFFF
:00431875 E920010000              jmp 0043199A    ;this jumps to showing the main window and asking for a registration code

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00431863(C)
|
:0043187A C745FC28000000          mov [ebp-04], 00000028
:00431881 8B4D08                  mov ecx, dword ptr [ebp+08]
:00431884 8B11                    mov edx, dword ptr [ecx]
:00431886 8B4508                  mov eax, dword ptr [ebp+08]
:00431889 50                      push eax
:0043188A FF9218030000            call dword ptr [edx+00000318]
:00431890 50                      push eax
:00431891 8D4DB8                  lea ecx, dword ptr [ebp-48]
:00431894 51                      push ecx

* Reference To: MSVBVM50.__vbaObjSet, Ord:0000h
                                  |
:00431895 FF1538D34500            Call dword ptr [0045D338]
:0043189B 894588                  mov dword ptr [ebp-78], eax
:0043189E 8D55B4                  lea edx, dword ptr [ebp-4C]
:004318A1 52                      push edx
:004318A2 6A01                    push 00000001
:004318A4 8B4588                  mov eax, dword ptr [ebp-78]
:004318A7 8B08                    mov ecx, dword ptr [eax]
:004318A9 8B5588                  mov edx, dword ptr [ebp-78]
:004318AC 52                      push edx
:004318AD FF5140                  call [ecx+40]
:004318B0 894584                  mov dword ptr [ebp-7C], eax
:004318B3 837D8400                cmp dword ptr [ebp-7C], 00000000
:004318B7 7D1D                    jge 004318D6
:004318B9 6A40                    push 00000040
:004318BB 68BC154100              push 004115BC
:004318C0 8B4588                  mov eax, dword ptr [ebp-78]
:004318C3 50                      push eax
:004318C4 8B4D84                  mov ecx, dword ptr [ebp-7C]
:004318C7 51                      push ecx

* Reference To: MSVBVM50.__vbaHresultCheckObj, Ord:0000h
                                  |
:004318C8 FF1518D34500            Call dword ptr [0045D318]
:004318CE 898560FFFFFF            mov dword ptr [ebp+FFFFFF60], eax
:004318D4 EB0A                    jmp 004318E0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004318B7(C)
|
:004318D6 C78560FFFFFF00000000    mov dword ptr [ebp+FFFFFF60], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004318D4(U)
|
:004318E0 8B55B4                  mov edx, dword ptr [ebp-4C]
:004318E3 895580                  mov dword ptr [ebp-80], edx

* Possible StringData Ref from Code Obj ->"330 day trial: "
                                  |
:004318E6 68DCF94000              push 0040F9DC
:004318EB 668B45CC                mov ax, word ptr [ebp-34]
:004318EF 50                      push eax

If you cannot work out these jumps, you can set breakpoints on the jumps and
try them one by one; that will do. I found it by trying, too.

To summarize:
Open vopt99.exe with a hex editor,
Find 66 83 7D CC 00 7E 07
                    ^^ ^^
                    90 90
               
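That completes it. After running it, the main window shows that your trial
period still has -XX days left; never mind that. I tried out the functions
and everything works normally.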


2001.2.19 by mjing, E-mail: mjing@wx88.net
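
As an added illustration (not part of the original post), the C model below replays the two signed 16-bit comparisons at 00431857 to 00431863 over every possible value of word ptr [ebp-34]. It reports which values reach 0043187A with both checks present and with the jle at 0043185C absent, which accounts for the negative day count the post reports. The function, enum and struct names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* The two branch targets that appear in the listing. */
enum target { T_00431865, T_0043187A };

/* Model of the listing's control flow for one counter value.
   first_check_present == 0 models the jle at 0043185C being absent. */
static enum target route(int16_t counter, int first_check_present)
{
    /* cmp word ptr [ebp-34], 0000 ; jle 00431865 (signed compare) */
    if (first_check_present && counter <= 0)
        return T_00431865;
    /* cmp word ptr [ebp-34], 002D ; jle 0043187A (signed compare) */
    if (counter <= 0x2D)
        return T_0043187A;
    /* fall through into 00431865 */
    return T_00431865;
}

struct range { int lo, hi, count; };

/* Scan the whole signed 16-bit space and collect the values that
   reach 0043187A. The accepted set is contiguous in both cases. */
static struct range trial_range(int first_check_present)
{
    struct range r = {0, 0, 0};
    for (int v = INT16_MIN; v <= INT16_MAX; v++) {
        if (route((int16_t)v, first_check_present) == T_0043187A) {
            if (r.count == 0)
                r.lo = v;
            r.hi = v;
            r.count++;
        }
    }
    return r;
}

int main(void)
{
    struct range a = trial_range(1);
    struct range b = trial_range(0);
    printf("both checks:   %d..%d (%d values)\n", a.lo, a.hi, a.count);
    printf("first missing: %d..%d (%d values)\n", b.lo, b.hi, b.count);
    return 0;
}
```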