异想天开的打狗记录:(如有雷同,请版主删除…………)
* QQ于2002年7月15日晨,共用时29.6分钟(不包括写破文20分钟),其中试用软件20分钟。
*目标:国内某工程项目管理软件《投标版》(VERSION 2.52)
保护 :一只狗 (啊?什么狗,你问我啊?我不认识,我一只狗都不认识,但绝对不是“狼狗” ^_^ )
目的:去掉不能打印和不能输出为图片文件的限制
工具:W32DASM,fi2.45,UltraEdit8.0,TRW2000
(看雪兄的光盘里有)
(hai wen gong cheng xiang mu guan li ruan jian)
*软件简介:网络计划技术在现代管理中已经得到了广泛的应用。作为智能工具的计算机,对网络计划技术在工程项目的计划管理、进度控制、资源管理的应用中可以发挥极大的作用。但是过去的一些计算机软件还不尽人意:网络图的编辑功能差、资源管理功能不能满足实际要求。“XX工程项目管理软件”在这些方面有了明显的改进。该软件采用先进的软件开发技术,界面美观,操作简单明了。用户不需要太多的网络计划和计算机知识,只要懂工程就可轻松地进行工作,………………
*我不愿意见到的:软件在运行时,如果没有狗,为试用版 ①标题显示 “软件序列号:没有注册” ②打印时会出现一个对话框"请插好软件狗",然后就返回,不让你打印
*气死我了!气死我了!气死我了!气死我了!气死我了!气死我了!气死我了!气死我了!………………我打……
开工:
先用fi检查没有加壳,^_^ 我喜欢!!!!!!!!!!!!!!!!!
那下一步就先用 W32dsm 看看,反编译成功后,在串式参考查找出错的信息"请插好软件狗",找到下面第一部分内容。在串式参考查找信息"没有注册",找到下面第二部分内容(纯属灌水)。
然后呢,就用TRW2000跟踪,bpx 005050FB (后面的内容请看代码段注释………别忘了,只有在打印的时候才有的看哦……)
**********************************
第一部分:
; ---------------------------------------------------------------------------
; Part 1 - W32DASM listing of the print / export-to-bitmap routine
; (entry at 005050B0; the listing stops before the function's end).
; Register use: the caller's argument arrives in eax and is kept in edi;
; the object's fields are read as [edi+...] below. (A Borland/Delphi-style
; register convention is presumed from these patterns - confirm.)
; Protection-design note (defender's view): the ONLY gate on this routine is
; the pair of single-byte compares at 005050F5 and 00505110, each testing
; byte 4 of a string returned by 005013FC against 'T' (0x54). Nothing after
; 00505133 re-validates the dongle, and - per the author's later test - the
; string compared here is an in-binary constant rather than a value derived
; from the dongle's answer. A robust check binds the decision to data the
; dongle computes and re-verifies inside the protected operation, not at
; one branch.
; ---------------------------------------------------------------------------
:005050AF 90
nop
:005050B0 55
push ebp                                ; standard frame
:005050B1 8BEC
mov ebp, esp
:005050B3 33C9
xor ecx, ecx                            ; ecx = 0, pushed six times: locals
:005050B5 51                            ;   [ebp-04]..[ebp-18] start zeroed
push ecx
:005050B6 51
push ecx
:005050B7 51
push ecx
:005050B8 51
push ecx
:005050B9
51
push ecx
:005050BA 51
push ecx
:005050BB 53
push ebx                                ; save callee-saved ebx/esi/edi
:005050BC 56
push esi
:005050BD
57
push edi
:005050BE 8BF8
mov edi, eax                            ; edi = object passed in eax
:005050C0 33C0
xor eax, eax
:005050C2 55
push ebp
:005050C3
6836525000 push 00505236                ; handler/cleanup address
:005050C8 64FF30
push dword ptr fs:[eax]                 ; previous fs:[0] link
:005050CB 648920
mov dword ptr fs:[eax], esp             ; install exception frame at fs:[0]
:005050CE 8D4DFC
lea ecx, dword ptr [ebp-04]             ; query #1: 005013FC(eax=1, edx=9, &[ebp-04])
:005050D1 BA09000000 mov                ;   [ebp-04] is not read anywhere in this listing
edx, 00000009
:005050D6 B801000000
mov eax, 00000001
:005050DB E81CC3FFFF
call 005013FC
:005050E0 8D4DF0
lea ecx, dword ptr [ebp-10]             ; query #2, same arguments, into [ebp-10]
:005050E3
BA09000000 mov edx, 00000009
:005050E8 B801000000 mov eax,
00000001
:005050ED E80AC3FFFF
call 005013FC
:005050F2 8B45F0
mov eax, dword ptr [ebp-10]             ; eax -> returned string
:005050F5 80780454
cmp byte ptr [eax+04], 54               ; gate 1: byte 4 == 'T' (0x54)?
**
:005050F9 7438
je 00505133                             ; pass -> protected path
**
:005050FB 8D4DEC
lea ecx, dword ptr [ebp-14] ** 停在这里 ; query #3, same arguments, into [ebp-14]
:005050FE BA09000000
mov edx, 00000009
:00505103 B801000000
mov eax, 00000001
:00505108 E8EFC2FFFF
call 005013FC
** 按F10跳过
:0050510D 8B45EC
mov eax, dword ptr [ebp-14] **          ; author's trace: this string read "no dog"
D EAX 显示的是"no dog" ^_^
:00505110 80780454
cmp byte ptr [eax+04], 54 ** 这个比较重要!!!!  ; gate 2: identical one-byte test
54→“T”
:00505114 741D
je 00505133                             ; pass -> protected path; else error dialog
** 想用吗?“你就跳啊,大胆的跳啊”
:00505116 6A10
push 00000010                           ; dialog flags
:00505118 B944525000
mov ecx, 00505244                       ; ecx -> caption string (presumably)
* Possible
StringData Ref from Code Obj ->"请插好软件狗"
|
:0050511D BA4C525000 mov                ; edx -> "please insert the dongle" message
edx, 0050524C
:00505122 A1D8075400
mov eax, dword ptr [005407D8]           ; eax = global object [[005407D8]]
:00505127 8B00
mov eax, dword ptr [eax]
:00505129
E826C5F4FF call 00451654                ; show the message (MessageBox-style helper, presumably)
:0050512E E9D8000000 jmp 0050520B       ; skip the whole print/export path
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005050F9(C), :00505114(C)
|
:00505133 8B87E4020000
mov eax, dword ptr [edi+000002E4]       ; both gates passed from here on
** 到这里,一切OK
:00505139 83B8F801000000 cmp            ; [eax+1F8] != 0 -> bitmap-export branch at
dword ptr [eax+000001F8], 00000000      ;   005051A8; == 0 -> print loop below
:00505140 7566
jne 005051A8
:00505142 A100095400
mov eax, dword ptr [00540900]
:00505147
8B00 mov
eax, dword ptr [eax]
:00505149 C6803803000001
mov byte ptr [eax+00000338], 01         ; [[00540900]].byte[338] = 1 while printing
:00505150 8B87DC020000                  ;   (cleared again at 0050519F)
mov eax, dword ptr [edi+000002DC]
:00505156 E819C0F9FF
call 004A1174                           ; 004A1174([edi+2DC]) -> outer count
:0050515B 85C0
test eax, eax
:0050515D 7E39
jle 00505198                            ; count <= 0 -> nothing to print
:0050515F 8945F4
mov dword ptr [ebp-0C], eax             ; [ebp-0C] = outer loop counter
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00505196(C)
|
:00505162 8B87D4020000
mov eax, dword ptr [edi+000002D4]
:00505168
E807C0F9FF call 004A1174                ; esi = 004A1174([edi+2D4]) (range start)
:0050516D 8BF0
mov esi, eax
:0050516F 8B87D8020000
mov eax, dword ptr [edi+000002D8]
:00505175 E8FABFF9FF
call 004A1174                           ; ebx = 004A1174([edi+2D8]) (range end)
:0050517A 8BD8
mov ebx, eax
:0050517C 2BDE
sub ebx, esi                            ; ebx = end - start
:0050517E 7C13
jl 00505193                             ; negative range -> skip inner loop
:00505180 43
inc ebx                                 ; ebx = end - start + 1 = iterations
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00505191(C)
|
:00505181 A100095400
mov eax, dword ptr [00540900]
:00505186
8B00 mov
eax, dword ptr [eax]
:00505188 8BD6
mov edx, esi                            ; edx = current index
:0050518A E8D52B0000
call 00507D64                           ; 00507D64([[00540900]], edx=index)
:0050518F 46
inc esi
:00505190
4B
dec ebx
:00505191 75EE
jne 00505181                            ; inner loop
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0050517E(C)
|
:00505193 FF4DF4
dec [ebp-0C]
:00505196 75CA
jne 00505162                            ; outer loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050515D(C)
|
:00505198 A100095400
mov eax, dword ptr [00540900]
:0050519D 8B00
mov eax, dword ptr [eax]
:0050519F C6803803000000 mov byte ptr [eax+00000338],  ; clear the flag set at 00505149
00
:005051A6 EB63
jmp 0050520B
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00505140(C)
|
:005051A8 8B87E8020000
mov eax, dword ptr [edi+000002E8]       ; bitmap-export branch
:005051AE 83C054
add eax, 00000054                       ; eax = &([edi+2E8]->field +54)
* Possible StringData Ref from Code Obj ->"Bitmap Files(*.bmp)|*.bmp"
|
:005051B1 BA64525000
mov edx, 00505264                       ; edx -> file-dialog filter string
:005051B6 E879EBEFFF
call 00403D34                           ; string assign into that field (presumably)
:005051BB 8B87E8020000
mov eax, dword ptr [edi+000002E8]
:005051C1
8B10 mov
edx, dword ptr [eax]                    ; edx = vtable of [edi+2E8]
:005051C3 FF523C
call [edx+3C]                           ; virtual slot +3C (dialog Execute, presumably)
:005051C6 3C01
cmp al, 01
:005051C8 7541
jne 0050520B                            ; al != 1 -> abort export (dialog cancelled, presumably)
:005051CA B201
mov dl, 01
:005051CC A164A24100
mov eax, dword ptr [0041A264]           ; eax = class ref [0041A264]
:005051D1 E822B6F1FF
call 004207F8                           ; constructs an object (Create-style, dl=1) - presumably
:005051D6 8945F8
mov dword ptr [ebp-08], eax             ; [ebp-08] = new object
:005051D9
8D55F8 lea edx,
dword ptr [ebp-08]
:005051DC A100095400
mov eax, dword ptr [00540900]
:005051E1 8B00
mov eax, dword ptr [eax]
:005051E3 E87C280000 call 00507A64      ; 00507A64([[00540900]], edx=&[ebp-08])
:005051E8 8D55E8
lea edx, dword ptr [ebp-18]
:005051EB 8B87E8020000
mov eax, dword ptr [edi+000002E8]
:005051F1 E82234F5FF
call 00458618                           ; fills [ebp-18] from the dialog (file name, presumably)
:005051F6 8B55E8
mov edx, dword ptr [ebp-18]
:005051F9 8B45F8
mov eax, dword ptr [ebp-08]
:005051FC 8B08
mov ecx, dword ptr [eax]                ; ecx = vtable of [ebp-08]
:005051FE FF514C
call [ecx+4C]                           ; virtual slot +4C with edx=[ebp-18] (SaveToFile-style, presumably)
:00505201
B201 mov
dl, 01
:00505203 8B45F8
mov eax, dword ptr [ebp-08]
:00505206 8B08
mov ecx, dword ptr [eax]
:00505208
FF51FC call [ecx-04]                    ; virtual slot -04 with dl=1: negative slot, presumably the
                                        ;   Delphi destructor (Free) - verify. Listing ends here;
                                        ;   the function continues to 0050520B (frame teardown), not shown.
**********************************
第二部分:
; ---------------------------------------------------------------------------
; Part 2 - W32DASM listing of the routine that builds the window title
; (entry at 00523B98; the listing stops before the function's end).
; Protection-design note (defender's view): registered vs. unregistered is
; decided solely by comparing the 005013FC result against the literal
; "no dog" (00524220) that the binary itself carries. The same query feeds
; the 'T'-byte gates in Part 1, so the status string - not the dongle - is
; the single point of trust for both the title and the print path.
; ---------------------------------------------------------------------------
:00523B96 8BC0
mov eax, eax                            ; no-op (padding, presumably)
:00523B98 55
push ebp                                ; standard frame
:00523B99 8BEC
mov ebp, esp
:00523B9B B904000000
mov ecx, 00000004                       ; loop 4x pushing two zero dwords:
* Referenced by a (U)nconditional       ;   locals [ebp-04]..[ebp-20] start zeroed
or (C)onditional Jump at Address:
|:00523BA5(C)
|
:00523BA0 6A00
push 00000000
:00523BA2 6A00
push 00000000
:00523BA4 49
dec ecx
:00523BA5 75F9
jne 00523BA0
:00523BA7 51
push ecx                                ; ecx is 0 here -> ninth zeroed slot [ebp-24]
:00523BA8 53
push ebx                                ; save callee-saved ebx/esi/edi
:00523BA9 56
push esi
:00523BAA 57
push edi
:00523BAB
8945FC mov dword                        ; [ebp-04] = object passed in eax
ptr [ebp-04], eax
:00523BAE 8B1DCC0A5400
mov ebx, dword ptr [00540ACC]           ; ebx, esi = two globals (not used in the part shown)
:00523BB4 8B3504075400
mov esi, dword ptr [00540704]
:00523BBA 33C0
xor eax, eax
:00523BBC 55
push ebp
:00523BBD 6809425200
push 00524209                           ; handler/cleanup address
:00523BC2 64FF30
push dword ptr fs:[eax]
:00523BC5 648920
mov dword ptr fs:[eax], esp             ; install exception frame at fs:[0]
:00523BC8 8D4DEC
lea ecx, dword ptr [ebp-14]             ; same query as Part 1:
:00523BCB BA09000000                    ;   005013FC(eax=1, edx=9, &[ebp-14])
mov edx, 00000009
:00523BD0 B801000000
mov eax, 00000001
:00523BD5 E822D8FDFF
call 005013FC
:00523BDA 8B45EC
mov eax, dword ptr [ebp-14]             ; eax -> returned status string
* Possible StringData Ref from Code Obj ->"no dog"
**
|
:00523BDD BA20425200 mov                ; edx -> literal "no dog"
edx, 00524220
:00523BE2 E88504EEFF
call 0040406C                           ; string compare (sets flags used by the jne - presumably)
:00523BE7 750D
jne 00523BF6                            ; not "no dog" -> keep the string as the serial text
:00523BE9 8D45EC
lea eax, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"没有注册"
**
|
:00523BEC BA30425200
mov edx, 00524230                       ; edx -> "not registered"
:00523BF1 E88201EEFF
call 00403D78                           ; [ebp-14] <- "not registered" (string assign, presumably)
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00523BE7(C)
|
:00523BF6 8D55E4
lea edx, dword ptr [ebp-1C]
:00523BF9 8B45FC
mov eax, dword ptr [ebp-04]
:00523BFC
E81710F1FF call 00434C18                ; reads something from the object into [ebp-1C]
:00523C01 FF75E4                        ;   (current caption, presumably)
push [ebp-1C]
* Possible StringData Ref from Code Obj ->" 软件序列号:"
**
|
:00523C04
6844425200 push 00524244                ; " software serial no.:" label
:00523C09 FF75EC
push [ebp-14]                           ; status string
:00523C0C 8D45E8
lea eax, dword ptr [ebp-18]
:00523C0F BA03000000
mov edx, 00000003                       ; three pushed parts -> [ebp-18]
:00523C14 E80304EEFF
call 0040401C                           ; string concatenation helper (presumably)
:00523C19 8B55E8
mov edx, dword ptr [ebp-18]
:00523C1C 8B45FC
mov eax, dword ptr [ebp-04]
:00523C1F E82410F1FF
call 00434C48                           ; writes [ebp-18] back to the object (title, presumably)
:00523C24 A1C8205400
mov eax, dword ptr [005420C8]           ; help-file setup below; unrelated to the check
:00523C29 8B9094040000
mov edx, dword ptr [eax+00000494]
:00523C2F
A1D8075400 mov eax, dword ptr
[005407D8]
:00523C34 8B00
mov eax, dword ptr [eax]
:00523C36 83C038
add eax, 00000038
*
Possible StringData Ref from Code Obj ->"Havenprj.hlp"
|
:00523C39 B95C425200
mov ecx, 0052425C                       ; ecx -> "Havenprj.hlp"
:00523C3E E86503EEFF
call 00403FA8                           ; listing ends here; the function continues, not shown
那怎么改呢?改je 00505133为jmp,没有意思
:00505110 80780454
cmp byte ptr [eax+04], 54 ** 这个比较重要!!!! 54→“T”
:00505114 741D
je 00505133
那……………………(以下在WINDOWS XP下测试能用,98下稍有不同,但也能用)
我异想天开,我用UltraEdit8.0查找“no dog”,全部替换为“TTTTTT”(咳,只有一处,没劲)
运行,“软件序列号:没有注册”变为“软件序列号:TTTTTT”
^_^ 有点意思,
更有意思的是:居然能打印了,爽啊!!!!!!!!
那干脆,我改!我改!我改!我改!我改!我改!
(纯属个人爱好)
"请插好软件狗"->“我好喜欢你哦” "没有注册"->“我不需要” (但运行时,我无论如何都看不见了)
"no dog"->“QQQTTT” " 软件序列号:"->“某某某破解” (^_^ 每次我看见就爽啊!!!!!!!!)
第一次写破文,大家见笑了……
我学习CRACK已经6个月了,也颇有收获(狗2,A盘1,序列号x个
仅供内部传阅)
我只是觉得这个破解很有意思,我才写出来,请高手不要笑…………
我的格言是:不求最好,能用就好,不好也好!
^_^ QQ
- 标 题:异想天开的打狗记录(高手免进) (12千字)
- 作 者:lzhqqq
- 时 间:2002-7-17 21:50:42
- 链 接:http://bbs.pediy.com