image optimizer v3.0之暴力破解
軟體下載:http://www.xxtt.freeserve.co.uk/xatio.exe
軟體說明:該軟體是一個影像批處理軟體,可成批的壓縮影像檔案、轉換格式,以及簡單的編輯影像。
限制說明:日期限制,過期後功能限制和NAG限制。
工具:trw2K122,十六進位制編輯軟體隨意。
解法一:
執行軟體看關於,會發現“You are on day 1 of your 30 day evaluation”。據此
可以推斷程式肯定是把日期寫入一個地方,是什麼呢?無非一個是KEYFILE,一個是登錄檔。先
看登錄檔吧(^-^,總是要從簡單的入手嘛)。開啟登錄檔,查詢optimizer,你會在下面找到:
HKEY_CURRENT_USER\Software\xat.com\xat.com Image optimizer\Application
OK,把xat.com幹掉,執行程式看看,又出現第一次執行的畫面了,也就是說你又獲得了30
天的試用時間。至此時間限制破掉,但這樣每過30天便要刪一次登錄檔,太煩了吧。那就來看第
二種解法吧。
解法二:
用trw2k122 load optimizer.exe,下斷點getsystemtime,F5,中斷後,pmodule,你
將來到:
* Reference To: KERNEL32.GetSystemTime, Ord:015Dh
|
:004A64A0 FF15FC214E00 Call dword ptr
[004E21FC]
:004A64A6 668B45EA mov
ax, word ptr [ebp-16] **中斷於此**
:004A64AA 663B056AE95400 cmp ax, word ptr
[0054E96A]
:004A64B1 753B
jne 004A64EE
:004A64B3 668B45E8 mov
ax, word ptr [ebp-18]
:004A64B7 663B0568E95400 cmp ax, word ptr
[0054E968]
:004A64BE 752E
jne 004A64EE
:004A64C0 668B45E6 mov
ax, word ptr [ebp-1A]
:004A64C4 663B0566E95400 cmp ax, word ptr
[0054E966]
:004A64CB 7521
jne 004A64EE
:004A64CD 668B45E2 mov
ax, word ptr [ebp-1E]
:004A64D1 663B0562E95400 cmp ax, word ptr
[0054E962]
:004A64D8 7514
jne 004A64EE
:004A64DA 668B45E0 mov
ax, word ptr [ebp-20]
:004A64DE 663B0560E95400 cmp ax, word ptr
[0054E960]
:004A64E5 7507
jne 004A64EE
:004A64E7 A158E95400 mov eax,
dword ptr [0054E958]
:004A64EC EB45
jmp 004A6533
按F12兩次,按F10,你將來到以下地方:
:0041A38E 6AFF
push FFFFFFFF
:0041A390 E87B050000 call 0041A910
:0041A395 83C404
add esp, 00000004
:0041A398 8D54243C lea
edx, dword ptr [esp+3C]
:0041A39C 8BCF
mov ecx, edi
:0041A39E 50
push eax
:0041A39F 8D442420 lea
eax, dword ptr [esp+20]
:0041A3A3 52
push edx
:0041A3A4 50
push eax
:0041A3A5 E85E960B00 call 004D3A08
:0041A3AA 50
push eax
:0041A3AB E860050000 call 0041A910
:0041A3B0 83C404
add esp, 00000004
:0041A3B3 8D8C2490010000 lea ecx, dword ptr
[esp+00000190]
:0041A3BA 8BF0
mov esi, eax
:0041A3BC 51
push ecx
:0041A3BD E86BD50900 call 004B792D
:0041A3C2 8B10
mov edx, dword ptr [eax] **中斷於此**
:0041A3C4 51
push ecx
:0041A3C5 8BC4
mov eax, esp
:0041A3C7 8954241C mov
dword ptr [esp+1C], edx
:0041A3CB 89A42494010000 mov dword ptr [esp+00000194],
esp
:0041A3D2 8D4C241C lea
ecx, dword ptr [esp+1C]
:0041A3D6 8930
mov dword ptr [eax], esi
:0041A3D8 8D842494010000 lea eax, dword ptr
[esp+00000194]
:0041A3DF 50
push eax
:0041A3E0 E8BB0A0000 call 0041AEA0
:0041A3E5 8B08
mov ecx, dword ptr [eax]
:0041A3E7 B807452EC2 mov eax,
C22E4507
:0041A3EC F7E9
imul ecx
:0041A3EE 03D1
add edx, ecx
:0041A3F0 C1FA10
sar edx, 10
:0041A3F3 8BCA
mov ecx, edx
:0041A3F5 C1E91F
shr ecx, 1F
:0041A3F8 03D1
add edx, ecx
:0041A3FA 83FA1E
cmp edx, 0000001E **此處EDX存放已過的天數,
將其與30比較**
:0041A3FD 891588B15200 mov dword ptr
[0052B188], edx
:0041A403 7D0E
jge 0041A413 **大於等於則跳到NAG屏,並禁用
部分功能**
:0041A405 3BD5
cmp edx, ebp
:0041A407 C70590B15200F35E43AB mov dword ptr [0052B190], AB435EF3
:0041A411 7D0A
jge 0041A41D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A403(C)
|
:0041A413 C70590B15200C35A42A3 mov dword ptr [0052B190], A3425AC3
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041A289(U), :0041A33B(U), :0041A389(U), :0041A411(C)
|
:0041A41D 33C0
xor eax, eax
因該軟體為可註冊版本,所以推測一下,它是否判斷為非註冊版本後,方進行時間判斷的呢?
下面進行驗證一下。向上翻動CODE窗,找離41a3bd最近的一個跳躍點。
:0041A340 83EC08
sub esp, 00000008
:0041A343 8D84249C010000 lea eax, dword ptr
[esp+0000019C]
:0041A34A 8BCC
mov ecx, esp
:0041A34C 89642420 mov
dword ptr [esp+20], esp
:0041A350 50
push eax
:0041A351 E82AE5FFFF call 00418880
:0041A356 8D8C2490010000 lea ecx, dword ptr
[esp+00000190]
:0041A35D E8FEE3FFFF call 00418760
:0041A362 3BC5
cmp eax, ebp
:0041A364 7528
jne 0041A38E **程式從此處跳到判斷日期程式碼
中,在此設斷**
:0041A366 39AC24DC010000 cmp dword ptr [esp+000001DC],
ebp
:0041A36D 7410
je 0041A37F
:0041A36F 55
push ebp
:0041A370 8D8C24E4000000 lea ecx, dword ptr
[esp+000000E4]
:0041A377 6A30
push 00000030
:0041A379 51
push ecx
:0041A37A E874B60A00 call 004C59F3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A36D(C)
|
:0041A37F C70590B152006DE15404 mov dword ptr [0052B190], 0454E16D
:0041A389 E98F000000 jmp 0041A41D
可以發現程式是從0041A364跳過來的,設斷後重新LOAD,中斷後下指令:
r eip eip+2(我之所以不用r fl z指令,是為以後JMP做準備,若為判斷標誌暫存器的
話,就不能直接跳過了。)
F5
將發現程式正常執行,看關於,wosai!!!"This is the full registered
version of image optimizer."且輸入註冊碼的選單也沒了^-^,由此可見0041A364是一個
判斷是否註冊的標誌點。
抄下程式碼:
8D8C2490010000 E8FEE3FFFF 3BC5 7528
改為-> -------------- ---------- ---- eb--
後記:
大凡“有時間限制 && 可輸入註冊碼”的軟體,大體思路都是如此,下斷getsystemtime
|| getlocaltime 找到判斷時間的程式碼區,然後向上找進入此區域的跳躍點,大概便可找到關
鍵點。若"實在沒有 || 找不到便JMP",讓其成為永不過期的試用版便是。
<Cracked by
KanKer>