Patching Turbo Browser 2001 V8.0
Author: Fpc @2001/04/17
Tools: SoftIce 4.05, W32dasm 8.93, Hedit 2.0, Exescope
Goal: remove the 30-day trial limit; the registration mechanism is still unknown
Software name: Turbo Browser Ver 8.0 Build 110325
Author: FileStream Inc.
File size: 1,823KB
License: shareware
Platform: Win95/98
Main executable: Turbob.exe
Description: an Explorer-like file manager with a lot of features
Download: http://software.wx88.net/down/tb2k1et8.exe
This is an Explorer-like file manager, fairly bloated and of course with plenty of features. I haven't tried whether it is convenient to use; we only care about its protection scheme. Sorry everyone, I couldn't find the registration mechanism, so I had to patch it :-(
1. Open it with Hedit and have a quick look. This step is necessary because it helps you decide what to do next. While browsing you can find some strings, and at the end there are some dialogs, so my initial judgement is that it is not packed: a merciful enemy ^_^
2. Run TB. It can only be used for 30 days (not on this machine, of course ^_^); there is no NAG, no functional limits, and no dialog for entering a registration code *_*. Exit, set the date forward one year and run it again: a dialog appears saying "This
trial version of TB has expired....". Note this dialog, close it, and set the system time back.
3. Open TB with Exescope; the ID of the expired dialog is 3307 (DEC). Then look at the strings. ~~~ a long list, from start to end, nothing useful, so the only way in is through this dialog.
4. Fire up W32Dasm and decompile. It is slow: on a PII it took 5 or 6 minutes to finish. Find dialog 0CEBh and double-click it; there is a reference at 0046162F. Double-click again and there is another at 00464B3A, but judging from the surrounding code that one is not it. OK, those are the only two places.
5. Now load TB with SI's Symbol Loader, set BPX 46162F, and press F5 to run the program: it runs normally. Close TB, set the date forward one year, load it again, F5, and this time SI breaks immediately, ha! Found the right place. Here is the code at that location:
* Referenced by a CALL at Address:
|:004CB5EA
|
:0046161B B89B455400              mov eax, 0054459B
:00461620 E83FED0700              call 004E0364
:00461625 51                      push ecx
:00461626 56                      push esi
:00461627 8BF1                    mov esi, ecx
:00461629 FF7508                  push [ebp+08]
:0046162C 8975F0                  mov dword ptr [ebp-10], esi

* Possible Reference to Dialog: DialogID_0CEB
|
* Possible Reference to Dialog: DialogID_0129, CONTROL_ID:0CEB, "&Exact (=)"
|
:0046162F 68EB0C0000              push 00000CEB
:00461634 E8B92B0A00              call 005041F2
:00461639 8365FC00                and dword ptr [ebp-04], 00000000
:0046163D 8D4E5C                  lea ecx, dword ptr [esi+5C]
:00461640 E8748B0600              call 004CA1B9
:00461645 8D8EB0000000            lea ecx, dword ptr [esi+000000B0]
:0046164B C645FC01                mov [ebp-04], 01
:0046164F E8658B0600              call 004CA1B9
:00461654 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:00461657 C70638B45500            mov dword ptr [esi], 0055B438
:0046165D 8BC6                    mov eax, esi
:0046165F 5E                      pop esi
:00461660 64890D00000000          mov dword ptr fs:[00000000], ecx
:00461667 C9                      leave
:00461668 C20400                  ret 0004
Look at the REFERENCE above and go to 004CB5EA:
:004CB5BF 8D4DEC                  lea ecx, dword ptr [ebp-14]
:004CB5C2 E86C970300              call 00504D33
:004CB5C7 8D85ACFCFFFF            lea eax, dword ptr [ebp+FFFFFCAC]
:004CB5CD 50                      push eax
:004CB5CE E865910100              call 004E4738
:004CB5D3 59                      pop ecx
:004CB5D4 898690000000            mov dword ptr [esi+00000090], eax
:004CB5DA E824DDFFFF              call 004C9303
:004CB5DF 85C0                    test eax, eax
:004CB5E1 7563                    jne 004CB646
:004CB5E3 53                      push ebx
:004CB5E4 8D8DB0FDFFFF            lea ecx, dword ptr [ebp+FFFFFDB0]
:004CB5EA E82C60F9FF              call 0046161B
:004CB5EF 8D8DB0FDFFFF            lea ecx, dword ptr [ebp+FFFFFDB0]
:004CB5F5 C645FC01                mov [ebp-04], 01
:004CB5F9 E8A98C0300              call 005042A7
:004CB5FE 51                      push ecx
:004CB5FF 8BCC                    mov ecx, esp
:004CB601 8965EC                  mov dword ptr [ebp-14], esp
Obviously that call 004C9303 is suspicious: EAX=0 on return means Bad Guy:
* Referenced by a CALL at Address:
|:004CB5DA
|
:004C9303 56                      push esi

* Possible StringData Ref from Data Obj ->"fsutil80.dll"
|
:004C9304 682CAA5A00              push 005AAA2C

* Reference To: KERNEL32.LoadLibraryA, Ord:01C2h
|
:004C9309 FF15FC045500            Call dword ptr [005504FC]
:004C930F 85C0                    test eax, eax
:004C9311 7479                    je 004C938C

* Possible StringData Ref from Data Obj ->"Init"
|
:004C9313 6824AA5A00              push 005AAA24
:004C9318 50                      push eax

* Reference To: KERNEL32.GetProcAddress, Ord:013Eh
|
:004C9319 FF1500055500            Call dword ptr [00550500]
:004C931F 85C0                    test eax, eax
:004C9321 A3946A5B00              mov dword ptr [005B6A94], eax
:004C9326 7464                    je 004C938C

* Possible StringData Ref from Data Obj ->"Warning"
|
:004C9328 BE1CAA5A00              mov esi, 005AAA1C
:004C932D 6A00                    push 00000000
:004C932F 56                      push esi

* Possible Reference to Dialog: DialogID_008F, CONTROL_ID:006F, ""
|
* Possible Reference to String Resource ID=00111: "Default"
|
:004C9330 6A6F                    push 0000006F
:004C9332 E83B3CFAFF              call 0046CF72
:004C9337 59                      pop ecx
:004C9338 8B0D786B5B00            mov ecx, dword ptr [005B6B78]
:004C933E 50                      push eax
:004C933F E8EEAE0500              call 00524232          <- checks whether the registry has a Warning entry
:004C9344 33C9                    xor ecx, ecx           <- but the return value in EAX plays no role in the CALL below
:004C9346 85C0                    test eax, eax          <- I don't know why that is, so I just patch it

This registry entry was added by hand:

REGEDIT4
[HKEY_CURRENT_USER\Software\FileStream\Turbo Browser\8\Default]
"warning"=dword:00000100

:004C9348 0F94C1                  sete cl
:004C934B 51                      push ecx
:004C934C FF15946A5B00            call dword ptr [005B6A94]  <- this CALL computes whether the trial has expired
                                                             <- not expired: EAX=3 (the only correct return value); expired: EAX=0; EAX=1 means the registry has a Warning entry
:004C9352 83E800                  sub eax, 00000000      <- patch here: PUSH 03; POP EAX (6A 03 58)
:004C9355 7435                    je 004C938C            <- INC EAX; DEC EAX (40 48), effectively a NOP
:004C9357 48                      dec eax
:004C9358 7432                    je 004C938C
:004C935A 48                      dec eax
:004C935B 7405                    je 004C9362
:004C935D 48                      dec eax
:004C935E 752C                    jne 004C938C
:004C9360 EB25                    jmp 004C9387

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C935B(C)
|
* Possible Reference to String Resource ID=00255: "Shell|*.sh;*.conf|"
|
:004C9362 6AFF                    push FFFFFFFF
:004C9364 6A00                    push 00000000
:004C9366 6896EF0000              push 0000EF96
:004C936B E85E640400              call 0050F7CE

* Possible Reference to String Resource ID=00001: "File Save As"
|
:004C9370 6A01                    push 00000001
:004C9372 56                      push esi

* Possible Reference to Dialog: DialogID_008F, CONTROL_ID:006F, ""
|
* Possible Reference to String Resource ID=00111: "Default"
|
:004C9373 6A6F                    push 0000006F
:004C9375 E8F83BFAFF              call 0046CF72
:004C937A 59                      pop ecx
:004C937B 8B0D786B5B00            mov ecx, dword ptr [005B6B78]
:004C9381 50                      push eax
:004C9382 E8CA660400              call 0050FA51

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9360(U)
|
* Possible Reference to String Resource ID=00001: "File Save As"
|
:004C9387 6A01                    push 00000001
:004C9389 58                      pop eax
:004C938A 5E                      pop esi
:004C938B C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C9311(C), :004C9326(C), :004C9355(C), :004C9358(C), :004C935E(C)
|
:004C938C 33C0                    xor eax, eax
:004C938E 5E                      pop esi
:004C938F C3                      ret
To patch it, just change the main file at offset 0xC9352 to: 6A 03 58 40 48
After this there is no time limit, but the main window still shows (Trial version). That's easy: search the main file for T r i a l (the separators are not spaces but 0x00). The first hit is not the one; change the second one to
F u c k !, and that should do it.
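An added example from the defender's side, not code from Fpc's post or from FileStream: the write-up quotes the disassembler address 004C9352 and the file offset 0xC9352 as the same location, which only holds when the section's raw data sits at the same offset as its RVA. The script below makes that mapping explicit through the PE section table and then checks whether the five bytes at that offset are the original `sub eax,0 ; je` sequence from the listing (83 E8 00 74 35) or the patched sequence (6A 03 58 40 48), which is how an integrity check or a forensic triage script would tell a tampered copy of Turbob.exe from a pristine one. The image base 0x400000, the section table and the zero-filled image buffer are constructed assumptions; no real Turbob.exe is read.

```python
# Added example (not from Fpc's post and not FileStream's code): map a
# disassembler virtual address to a file offset via the PE section table, then
# check whether the bytes at the expiry-check location are the original opcodes
# from the listing or the patched sequence. The section table and the image
# buffer below are constructed stand-ins for Turbob.exe, not read from the
# real file.
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x400000  # assumed default image base of a Win32 EXE


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA where the section is mapped
    virtual_size: int     # VirtualSize
    raw_pointer: int      # PointerToRawData
    raw_size: int         # SizeOfRawData


def va_to_file_offset(va: int, sections: List[Section],
                      image_base: int = IMAGE_BASE) -> Optional[int]:
    """Return the file offset backing virtual address `va`, or None if the
    address is not backed by raw data in any section."""
    rva = va - image_base
    for s in sections:
        extent = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + extent:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None  # inside the section but in its zero-filled tail
            return s.raw_pointer + delta
    return None


# Opcode bytes quoted in the listing at 004C9352.
CHECK_VA = 0x004C9352
ORIGINAL_BYTES = bytes.fromhex("83E8007435")  # sub eax,0 ; je 004C938C
PATCHED_BYTES = bytes.fromhex("6A03584048")   # push 3 ; pop eax ; inc eax ; dec eax


def classify_expiry_check(image: bytes, offset: int) -> str:
    """Report whether the five bytes at `offset` are the original check, the
    patched sequence, or something else entirely."""
    window = bytes(image[offset:offset + len(ORIGINAL_BYTES)])
    if window == ORIGINAL_BYTES:
        return "original"
    if window == PATCHED_BYTES:
        return "patched"
    return "unknown"


# Constructed section table (assumption): .text is laid out so that its raw
# data begins at the same offset as its RVA, which is the layout under which
# VA 004C9352 corresponds to file offset 0xC9352 as the post states. .rdata is
# given a raw pointer that differs from its RVA to show the general case.
SECTIONS = [
    Section(".text", 0x1000, 0x150000, 0x1000, 0x150000),
    Section(".rdata", 0x160000, 0x20000, 0x155000, 0x1C000),
]


def build_image(patched: bool) -> bytes:
    """Construct a dummy image: zero-filled, with either the original or the
    patched byte sequence placed at the expiry-check offset."""
    offset = va_to_file_offset(CHECK_VA, SECTIONS)
    assert offset is not None
    image = bytearray(offset + 0x10)
    image[offset:offset + 5] = PATCHED_BYTES if patched else ORIGINAL_BYTES
    return bytes(image)


if __name__ == "__main__":
    off = va_to_file_offset(CHECK_VA, SECTIONS)
    print(f"VA {CHECK_VA:08X} -> file offset {off:#X}")
    for flag in (False, True):
        print("patched copy" if flag else "pristine copy", "->",
              classify_expiry_check(build_image(flag), off))
```

On a real binary you would read the section table from the PE headers instead of hard-coding it, and compare against hashes of the whole .text section rather than five bytes; the five-byte compare is enough here to show why the offset in the post lines up with the disassembler address and what a tampered copy looks like at that spot.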
- Title: Patching Turbo Browser 2001 V8.0 (8K characters)
- Author: Fpc
- Time: 2001-4-17 19:46:33
- Link: http://bbs.pediy.com