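Cracking Log (5): 虛擬光碟 2000 (tm) (Virtual CD 2000) Chinese Edition V5.1
Software name: 虛擬光碟 2000 (tm) Chinese Edition V5.1 --> (21-day trial)
Description:
Author: xiA Qin
Level: Beginner
Date cracked: July 19, 2000
Tool used: Trw2000 1.22
Goal: Learn how to remove a NAG window. (Simple)
Notes:
This article was compiled from my software cracking notes. It is for technical exchange only. If there are any mistakes, I would appreciate corrections from the experts!
First, set the system clock forward by one month.
Press Ctrl+N to enter Trw2000.
Enter the command bpx createwindowex //set a breakpoint
Press X to return to the desktop and run the program; Trw2000 will now break in.
Enter the command bc * //clear the breakpoints
Enter the command pmodule //jump straight into the program's own code space
Press F10 until you reach the following: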
015F:00408B1E PUSH BYTE +02
015F:00408B20 LEA ECX,[EBP-58]
015F:00408B23 MOV EAX,[EDX]
015F:00408B25 PUSH EAX
015F:00408B26 CALL `ZEN!??0ZRegApp@@QAE@PAUHKEY__@@H@Z`
015F:00408B2C MOV EAX,[EBX+D0]
015F:00408B32 LEA ECX,[EBP-1C]
015F:00408B35 PUSH ECX
015F:00408B36 MOV BYTE [EBP-04],0A
015F:00408B3A LEA EAX,[EAX+EAX*2]
015F:00408B3D LEA EAX,[EAX+EAX*4]
015F:00408B40 LEA EAX,[EAX+EAX*4]
015F:00408B43 LEA EDI,[EAX+EAX*8]
015F:00408B46 SHL EDI,07
015F:00408B49 CALL `MSVCRT!time`
015F:00408B4F ADD ESP,BYTE +04
015F:00408B52 LEA ECX,[EBP-58]
015F:00408B55 PUSH DWORD 1396
015F:00408B5A CALL `ZEN!?IsValueNameExist@ZRegBase@@QAEHH@Z`
015F:00408B60 CMP EAX,ESI
015F:00408B62 JZ NEAR 00408CF7
015F:00408B68 PUSH DWORD 1396
015F:00408B6D LEA ECX,[EBP-58]
015F:00408B70 CALL `ZEN!?GetDWORD@ZRegBase@@QAEKH@Z`
015F:00408B76 MOV ECX,EAX
015F:00408B78 MOV EAX,[EBP-1C]
015F:00408B7B CMP ECX,EAX
015F:00408B7D JNA 00408BDF
015F:00408B7F CALL `MGR!?dlgUpgrade@CMainFrame@@SAXXZ`
015F:00408B84 MOV EDI,[0041C8B4]
015F:00408B8A LEA ECX,[EBP-58]
015F:00408B8D MOV BYTE [EBP-04],09
015F:00408B91 CALL EDI
015F:00408B93 LEA ECX,[EBP+FFFFFF5C]
015F:00408B99 MOV BYTE [EBP-04],05
015F:00408B9D CALL `MFC42!ord_00000269`
015F:00408BA2 LEA ECX,[EBP-2C]
015F:00408BA5 MOV BYTE [EBP-04],04
015F:00408BA9 CALL EDI
015F:00408BAB LEA ECX,[EBP-14]
015F:00408BAE MOV BYTE [EBP-04],03
015F:00408BB2 CALL `MFC42!ord_00000320`
015F:00408BB7 MOV BYTE [EBP-04],00
015F:00408BBB CALL `MFC42!ord_0000061F`
015F:00408BC0 LEA ECX,[EBP-44]
015F:00408BC3 MOV DWORD [EBP-04],FFFFFFFF
015F:00408BCA CALL EDI
015F:00408BCC XOR EAX,EAX
015F:00408BCE MOV ECX,[EBP-0C]
015F:00408BD1 MOV [FS:00],ECX
015F:00408BD8 POP EDI
015F:00408BD9 POP ESI
015F:00408BDA POP EBX
015F:00408BDB MOV ESP,EBP
015F:00408BDD POP EBP
015F:00408BDE RET
015F:00408BDF LEA EDX,[ECX+EDI]
015F:00408BE2 CMP EAX,EDX
015F:00408BE4 JNA NEAR 00408C6D
(NO JUMP) //the jump here can skip the two CALLs below.
015F:00408BEA PUSH DWORD 0042B5E8
015F:00408BEF PUSH DWORD 0042B5E4
015F:00408BF4 PUSH DWORD 0042B5DC
015F:00408BF9 CALL `KERNEL32!WriteProfileStringA`
015F:00408BFF PUSH BYTE -01
015F:00408C01 PUSH BYTE +10
015F:00408C03 PUSH DWORD 1B6D
015F:00408C08 CALL `MFC42!ord_000004AF`
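//pops up the trial-expired dialog.
015F:00408C0D CALL `MGR!?dlgUpgrade@CMainFrame@@SAXXZ`
//pops up the order-software dialog
Look for a place from which this can be skipped.
The 00408BE4 JNA NEAR 00408C6D above looks like it can jump past it!!!!
Set a new breakpoint: bpx 00408BE4
Press X to return to the desktop and run the program; Trw2000 will now break in.
When the cursor reaches 00408BE4 JNA NEAR 00408C6D,
enter the command CODE ON and note down the opcode bytes.
Enter the command A to write assembly code.
Change 00408BE4 JNA NEAR 00408C6D
to 00408BE4 JNZ NEAR 00408C6D
and the program can be entered again.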
015F:00408C12 MOV EDI,[0041C8B4]
015F:00408C18 LEA ECX,[EBP-58]
015F:00408C1B MOV BYTE [EBP-04],09
015F:00408C1F CALL EDI
015F:00408C21 LEA ECX,[EBP+FFFFFF5C]
015F:00408C27 MOV BYTE [EBP-04],05
015F:00408C2B CALL `MFC42!ord_00000269`
015F:00408C30 MOV BYTE [EBP-04],04
015F:00408C34 LEA ECX,[EBP-2C]
015F:00408C37 CALL EDI
015F:00408C39 LEA ECX,[EBP-14]
015F:00408C3C MOV BYTE [EBP-04],03
015F:00408C40 CALL `MFC42!ord_00000320`
015F:00408C45 MOV BYTE [EBP-04],00
015F:00408C49 CALL `MFC42!ord_0000061F`
015F:00408C4E LEA ECX,[EBP-44]
015F:00408C51 MOV DWORD [EBP-04],FFFFFFFF
..............................
015F:00408D38 8D4DEC LEA ECX,[EBP-14]
015F:00408D3B C645FC03 MOV BYTE [EBP-04],03
015F:00408D3F E8BAF80000 CALL `MFC42!ord_00000320`
015F:00408D44 C745FC00000000 MOV DWORD [EBP-04],00
015F:00408D4B E8E2FA0000 CALL `MFC42!ord_0000061F`
015F:00408D50 6A02 PUSH BYTE +02
015F:00408D52 8D4D90 LEA ECX,[EBP-70]
015F:00408D55 E8A6930000 CALL `MGR!??0MgrRegSet@@QAE@H@Z`
015F:00408D5A 8D4D90 LEA ECX,[EBP-70]
015F:00408D5D 6A02 PUSH BYTE +02
015F:00408D5F 51 PUSH ECX
015F:00408D60 8D4D80 LEA ECX,[EBP-80]
015F:00408D63 C645FC11 MOV BYTE [EBP-04],11
015F:00408D67 E8B4920000 CALL `MGR!??0MgrRegSet_SheetPrefer@@QAE@PAVZRegBase@@H@Z`
015F:00408D6C 6864140000 PUSH DWORD 1464
015F:00408D71 8D4D80 LEA ECX,[EBP-80]
015F:00408D74 C645FC12 MOV BYTE [EBP-04],12
015F:00408D78 FF1574C84100 CALL `ZEN!?GetDWORD@ZRegBase@@QAEKH@Z`
015F:00408D7E 8BF8 MOV EDI,EAX
015F:00408D80 A168BC4200 MOV EAX,[0042BC68]
015F:00408D85 85C0 TEST EAX,EAX
015F:00408D87 744C JZ 00408DD5
//the jump here can skip the CALL below
^^^^^^^^
Enter the command A to write assembly code.
Change 00408D87 744C JZ 00408DD5
to 00408D87 744C JZ 00408D97
and the evaluation-version dialog is skipped.
015F:00408D89 6AFF PUSH BYTE -01
015F:00408D8B 6A00 PUSH BYTE +00
015F:00408D8D 68C8010000 PUSH DWORD 01C8
015F:00408D92 E871FA0000 CALL `MFC42!ord_000004AF`
//pops up the dialog saying the software is an evaluation version; it does not affect use.
015F:00408D97 85FF TEST EDI,EDI
015F:00408D99 0F84A8000000 JZ NEAR 00408E47
015F:00408D9F 8B8378010000 MOV EAX,[EBX+0178]
015F:00408DA5 85C0 TEST EAX,EAX
015F:00408DA7 0F849A000000 JZ NEAR 00408E47
015F:00408DAD FF1594C04100 CALL `KERNEL32!GetSystemDefaultLangID`
015F:00408DB3 8B0D68BC4200 MOV ECX,[0042BC68]
015F:00408DB9 25FF030000 AND EAX,03FF
015F:00408DBE 85C9 TEST ECX,ECX
015F:00408DC0 746F JZ 00408E31
015F:00408DC2 663D1100 CMP AX,11
015F:00408DC6 7569 JNZ 00408E31
015F:00408DC8 8B5320 MOV EDX,[EBX+20]
015F:00408DCB 6A08 PUSH BYTE +08
015F:00408DCD 52 PUSH EDX
015F:00408DCE 6800010000 PUSH DWORD 0100
015F:00408DD3 EB67 JMP SHORT 00408E3C
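To sum up: open MGR.EXE with UltraEdit.
Find 0F 86 83 00 00 00
and change it to 0F 85 83 00 00 00
This skips the trial-expired dialog and the order-software dialog and enters the program.
However, the dialog saying the software is an evaluation version still pops up. I do not know how to use UltraEdit to
change 00408D87 744C JZ 00408DD5
to 00408D87 744C JZ 00408D97
and skip this dialog, or whether there is some other, better method. I hope the experts can give me some pointers. Many thanks!!!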