软件名称:PassMark PerformanceTest 3.4
破解目的:30 天试用期,程序启动时跳出注册窗
破解工具:TRW2000、W32Dsm89、UltraEdit
首先用 TRW2000 载入程序,停留在程序入口处,然后开始不停地按 F10 单步跟踪……
//******************** Program Entry Point ********
.
.
.
* Reference To: KERNEL32.GetModuleHandleA, Ord:0126h
|
:00416B34 FF1520314200 Call dword
ptr [00423120]
:00416B3A 50
push eax
:00416B3B E8302AFFFF call
00409570 <---- 这里跳出注册窗,F8 跟进
:00416B40 8945A0
mov dword ptr [ebp-60], eax
:00416B43 50
push eax
:00416B44 E8D9F9FFFF call
00416522
:00416B49 8B45EC
mov eax, dword ptr [ebp-14]
:00416B4C 8B08
mov ecx, dword ptr [eax]
:00416B4E 8B09
mov ecx, dword ptr [ecx]
:00416B50 894D98
mov dword ptr [ebp-68], ecx
:00416B53 50
push eax
:00416B54 51
push ecx
:00416B55 E802570000 call
0041C25C
:00416B5A 59
pop ecx
:00416B5B 59
pop ecx
:00416B5C C3
ret
重新载入,按 F8 跟进 call 00409570,继续按 F10 单步跟踪……
.
.
.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409973(C)
|
:0040997D 8B0DC0144400 mov ecx, dword
ptr [004414C0]
:00409983 8B742414
mov esi, dword ptr [esp+14]
:00409987 33C0
xor eax, eax
:00409989 83F910
cmp ecx, 00000010
:0040998C 0F9DC0
setnl al
:0040998F 3BF3
cmp esi, ebx
:00409991 A388144400 mov dword
ptr [00441488], eax
:00409996 7410
je 004099A8
:00409998 8BCE
mov ecx, esi
:0040999A E861550000 call
0040EF00
:0040999F 56
push esi
:004099A0 E883B80000 call
00415228
:004099A5 83C404
add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409996(C)
|
:004099A8 E8A3480000 call
0040E250 <---- 这里跳出注册窗,F8 跟进
:004099AD 85C0
test eax, eax
:004099AF 750C
jne 004099BD
:004099B1 E85A200000 call
0040BA10
:004099B6 53
push ebx
重新载入,按 F8 跟进 call 0040E250,按 F10 单步跟踪……
* Possible StringData Ref from Data Obj ->"2旒"   (W32Dasm 的推测:下一条指令把立即数 0042B340 存入 [00441FF8],0042B340 附近是数据区(0042B34C、0042B358、0042B404 等都是字符串),所以被当作字符串引用显示;这里显示的内容是乱码,从本页看不出 0042B340 处实际存放的是什么)
|
; ---------------------------------------------------------------------------
; 0040E250 — startup check wrapper (W32Dasm listing, 32-bit x86, Intel operand
; order, virtual addresses). The author's trace places the registration dialog
; inside the call to 0040E330 at 0040E264; what 0040E330 itself does is not
; visible here.
; Out:  eax = 1 when 0040E330 returned 1 (ret at 0040E26E leaves eax untouched);
;       eax = 0 on every other path (0040E2A1, 0040E31F).
; Globals: [00441FF8] <- 0042B340 and [00441FF4] <- 0 on entry; [00441FF4] is
;       read back below as an error number, so 0040E330 presumably fills it in.
;       [00441AC4] is pushed as the first MessageBoxA argument, i.e. the owner
;       window handle.
; Preserves ebx/esi/edi on the long error path (push at 0040E2A4, pop at 0040E31C).
; Every helper call below is followed by an add esp cleanup, so they are cdecl;
; their roles (decoder / allocator / formatter / free) are inferred from how
; their results are used — NOTE(review): confirm against the actual routines.
; ---------------------------------------------------------------------------
:0040E250 C705F81F440040B34200 mov dword ptr [00441FF8], 0042B340
; error number cleared before the check runs
:0040E25A C705F41F440000000000 mov dword ptr [00441FF4], 00000000
:0040E264 E8C7000000 call
0040E330 <---- the registration window pops up here. By the time I had traced
this far I had run out of patience, and further down I found some
important hints...
; result == 1 -> pass; return immediately with eax still 1
:0040E269 83F801
cmp eax, 00000001
:0040E26C 7501
jne 0040E26F
:0040E26E C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E26C(C)
|
; result == 3 -> silent failure: jump to the xor eax,eax / ret at 0040E31F
:0040E26F 83F803
cmp eax, 00000003
:0040E272 0F84A7000000 je 0040E31F
; any other result: error number 0Fh gets the date/time box, everything
; else the generic startup-error box at 0040E2A4
:0040E278 833DF41F44000F cmp dword ptr [00441FF4],
0000000F
:0040E27F 7523
jne 0040E2A4
; MessageBeep(30h = MB_ICONEXCLAMATION)
:0040E281 6A30
push 00000030
* Reference To: USER32.MessageBeep, Ord:01BDh
|
:0040E283 FF15F8324200 Call dword
ptr [004232F8]
; MessageBoxA(hWnd=[00441AC4], text=0042B358, caption=0042B404, 10h = MB_ICONHAND)
; -- arguments pushed right to left: type, caption, text, hWnd
:0040E289 A1C41A4400 mov eax,
dword ptr [00441AC4]
:0040E28E 6A10
push 00000010
* Possible StringData Ref from Data Obj ->"Date / Time Error"
|
:0040E290 6804B44200 push
0042B404
* Possible StringData Ref from Data Obj ->"The date and time on this machine
" <-- the program records the time
->"is earlier
than when
the program " it was last run, so setting
->"was previously
run. In order to " the system clock back to
->"enforce
the
unregistered version's " stretch the trial is useless
->"eval period,
this is not be allowed"
|
:0040E295 6858B34200 push
0042B358
:0040E29A 50
push eax
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040E29B FF1584324200 Call dword
ptr [00423284]
; return 0 (fail)
:0040E2A1 33C0
xor eax, eax
:0040E2A3 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E27F(C)
|
; generic startup-error path; ebx/esi/edi are callee-saved, so save them
:0040E2A4 53
push ebx
:0040E2A5 56
push esi
:0040E2A6 57
push edi
* Possible StringData Ref from Data Obj ->"Dqqnqctqhmfrs`qsto-Bgdbjvqhsdodqlhrrhnmh"
->"r`u`hk`akdhmsgddwdbts`akdchqdbsnqx+
Bgdbj"
->"sgdjdx-c`sehkddwhrsrhmsgddwdbts`akdch"
->"qdbsnqx-
Sqxsntmhmrs`kk%qdhmrs`kksgdrnes"
->"v`qd+heoqnakdlrodqrhrs
Bnms`bs9vvv-o`rrl`q"
->"j-bnlenqrtoonqs
Rs`qstoDqqnqmtladq"
|
↑ Are these strange strings the expiry message? No wonder
I could not find it by searching.
; NOTE(review): they are not the expiry text. Each byte is stored as
; (plaintext - 1); add 1 to every character to read it, e.g. "Dqqnq" -> "Error".
; The long one decodes to "Error during startup. Check write permission is
; available in the executable directory, Check the key.dat file exists in the
; executable directory. Try to uninstall & reinstall the software, if problems
; persist Contact: www.passmark.com for support Startup Error number".
; Spaces become 1Fh (non-printable), which is presumably why the words run
; together here and why a plain-text search for the message finds nothing.
; esi = decode(0042AFE8) -- 0040E210 returns a buffer that is later passed to 00415005
:0040E2A7 68E8AF4200 push
0042AFE8
:0040E2AC E85FFFFFFF call
0040E210
* Possible StringData Ref from Data Obj ->"Dqqnq"
|
; ebx = decode(0042B1AC) = "Error", used as the caption below
:0040E2B1 68ACB14200 push
0042B1AC
:0040E2B6 8BF0
mov esi, eax
:0040E2B8 E853FFFFFF call
0040E210
:0040E2BD 8BD8
mov ebx, eax
; inline strlen(esi): ecx = -1, al = 0, scan until NUL, then not ecx = len + 1
:0040E2BF 8BFE
mov edi, esi
:0040E2C1 83C9FF
or ecx, FFFFFFFF
:0040E2C4 33C0
xor eax, eax
:0040E2C6 F2
repnz
:0040E2C7 AE
scasb
:0040E2C8 F7D1
not ecx
; + 13h -> allocate strlen(esi) + 20 bytes: the message plus room for the
; number formatted into it (format string at 0042B34C is not shown here)
:0040E2CA 83C113
add ecx, 00000013
:0040E2CD 51
push ecx
:0040E2CE E81B6E0000 call
004150EE
; 0Ch = three dword args: the two 0040E210 calls and the 004150EE call
:0040E2D3 83C40C
add esp, 0000000C
:0040E2D6 8BF8
mov edi, eax
; MessageBeep(30h = MB_ICONEXCLAMATION)
:0040E2D8 6A30
push 00000030
* Reference To: USER32.MessageBeep, Ord:01BDh
|
:0040E2DA FF15F8324200 Call dword
ptr [004232F8]
; 00414E40(edi, 0042B34C, esi, [00441FF4]) -- sprintf-like: buffer, format,
; decoded message, error number (four dword args, cleaned with add esp,10h)
:0040E2E0 8B0DF41F4400 mov ecx, dword
ptr [00441FF4]
:0040E2E6 51
push ecx
:0040E2E7 56
push esi
:0040E2E8 684CB34200 push
0042B34C
:0040E2ED 57
push edi
:0040E2EE E84D6B0000 call
00414E40
:0040E2F3 8B15C41A4400 mov edx, dword
ptr [00441AC4]
:0040E2F9 83C410
add esp, 00000010
; MessageBoxA(hWnd=[00441AC4], text=edi, caption=ebx ("Error"), 10h = MB_ICONHAND)
:0040E2FC 6A10
push 00000010
:0040E2FE 53
push ebx
:0040E2FF 57
push edi
:0040E300 52
push edx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040E301 FF1584324200 Call dword
ptr [00423284]
; release the three buffers (one-arg cdecl calls, 0Ch cleaned below)
:0040E307 56
push esi
:0040E308 E8F86C0000 call
00415005
:0040E30D 53
push ebx
:0040E30E E8F26C0000 call
00415005
:0040E313 57
push edi
:0040E314 E8EC6C0000 call
00415005
:0040E319 83C40C
add esp, 0000000C
:0040E31C 5F
pop edi
:0040E31D 5E
pop esi
:0040E31E 5B
pop ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E272(C)
|
; return 0 (fail); also the target of the result == 3 branch
:0040E31F 33C0
xor eax, eax
:0040E321 C3
ret
用 UltraEdit 查找 :0040E264 处的代码:
查找 E8 C7 00 00 00 83 F8 01 75 01
改为 90 90 90 90 90 90 90 90 90 90
说明:这 10 个字节对应 call 0040E330、cmp eax,00000001、jne 0040E26F 三条指令。全部改成 NOP 之后会直接落到 0040E26E 的 ret,但从 0040E250 到这里 eax 都没有被赋值(前两条 mov 只写内存),返回值就是进入 0040E250 时 eax 里的残留值——按上面的列表,它要么是 00409989 处 setnl al 的结果,要么是 call 00415228 的返回值;而调用方在 004099AD 用 test eax,eax 判断结果,所以这种改法能否生效取决于当时 eax 碰巧是什么,并不可靠。更稳妥的是让函数返回一个确定的值:把前 5 个字节改成 B8 01 00 00 00(mov eax,00000001,即原代码在 0040E269 处认定为通过的值),后 5 个字节仍改成 90,这样 0040E250 总是返回 1。改文件前请确认这段字节序列在文件中只出现一次。
fishs
http://fishs.126.com
- 标 题:暴破 PerformanceTest 3.4 (8千字)
- 作 者:fishs
- 时 间:2001-4-25 23:02:28
- 链 接:http://bbs.pediy.com