PixWizard ver 1.24
程式獵人
Overview: An easy-to-use image viewer that supports a large number of image file formats. Besides viewing, it does image processing, format conversion and screen capture, and can view and convert OS/2 BMP, Windows BMP, EMF, GIF, IFF, JPEG, MAC, MSP, PCD, PCX, PIC, PICT, PNG, PPM, Targa, TIFF, WMF and WPG files.
Tracing: This program uses a time-bomb (trial-period) protection, so the job is to remove the time limit.
After disassembling the program with W32Dasm and searching the string references, we find the following:
|:004074C3(C)
|
* Possible StringData Ref from Data Obj ->"days"
|
:004074CC 68F8E54700              push 0047E5F8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004074CA(U)
|
:004074D1 8D4C2414                lea ecx, dword ptr [esp+14]
* Reference To: MFC42.Ordinal:03AD, Ord:03ADh
|
:004074D5 E8E0390200              Call 0042AEBA
* Possible StringData Ref from Data Obj ->" left in your evaluation period."
|
:004074DA 68D4E54700              push 0047E5D4
:004074DF 8D4C2414                lea ecx, dword ptr [esp+14]
* Reference To: MFC42.Ordinal:03AD, Ord:03ADh
|
:004074E3 E8D2390200              Call 0042AEBA
:004074E8 EB0E                    jmp 004074F8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407484(C), :00407489(C)
|
* Possible StringData Ref from Data Obj ->"Your evaluation period has expired."
|
:004074EA 68B0E54700              push 0047E5B0
:004074EF 8D4C2414                lea ecx, dword ptr [esp+14]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:004074F3 E8DA390200              Call 0042AED2
Here we can see both the in-trial string ("... days left in your evaluation period.") and the expired string. The disassembler notes that 004074EA is reached by conditional jumps from 00407484 and 00407489, so we look upward at where those jumps come from.
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00407474 E8353A0200              Call 0042AEAE
:00407479 8B86FC000000            mov eax, dword ptr [esi+000000FC]
:0040747F 83C40C                  add esp, 0000000C
:00407482 3BC5                    cmp eax, ebp
:00407484 7E64                    jle 004074EA
:00407486 83F81E                  cmp eax, 0000001E
:00407489 7F5F                    jg 004074EA
This is where the jumps to the "expired" code above originate. The value loaded from [esi+000000FC] is the number of days remaining: the jle branches to 004074EA when it is less than or equal to the value in ebp, and the jg branches there when it exceeds 0000001E (30). In other words the trial is valid only while the count is in the range 1..30. Now we know that changing these two jumps is enough to defuse the time bomb.
Everyone probably assumes the crack is finished at this point. But if you do exactly that, what happens? After I made the change and ran the program, it never showed a window again, no matter what.
I suspected the program most likely has a CRC verification step, so we trace again to see where that check is performed.
:0041F32C E8E5C50000              Call 0042B916
:0041F331 8D9424B4010000          lea edx, dword ptr [esp+000001B4]
:0041F338 6804010000              push 00000104
:0041F33D 52                      push edx
:0041F33E 8D8C24BC010000          lea ecx, dword ptr [esp+000001BC]
:0041F345 E8360A0000              call 0041FD80
:0041F34A 3B442418                cmp eax, dword ptr [esp+18]
:0041F34E 743A                    je 0041F38A
:0041F350 8D8C249C000000          lea ecx, dword ptr [esp+0000009C]
:0041F357 C684246408000004        mov byte ptr [esp+00000864], 04
:0041F35F E8AB540200              call 0044480F
:0041F364 8D8C248C000000          lea ecx, dword ptr [esp+0000008C]
:0041F36B 889C2464080000          mov byte ptr [esp+00000864], bl
* Reference To: MFC42.Ordinal:0299, Ord:0299h
|
:0041F372 E899C50000              Call 0042B910
:0041F377 8D4C2410                lea ecx, dword ptr [esp+10]
:0041F37B C684246408000001        mov byte ptr [esp+00000864], 01
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0041F383 E81ABB0000              Call 0042AEA2
:0041F388 EB40                    jmp 0041F3CA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041F34E(C)
|
* Possible StringData Ref from Data Obj ->"Shareware Version"
|
:0041F38A 68308B4A00              push 004A8B30
:0041F38F 8D8C24B8010000          lea ecx, dword ptr [esp+000001B8]
:0041F396 E825EFFFFF              call 0041E2C0
:0041F39B 8BF0                    mov esi, eax
:0041F39D 889C2464080000          mov byte ptr [esp+00000864], bl
:0041F3A4 85F6                    test esi, esi
:0041F3A6 8D8C248C000000          lea ecx, dword ptr [esp+0000008C]
:0041F3AD 7423                    je 0041F3D2
:0041F3AF E87C090000              call 0041FD30
:0041F3B4 8D4C2410                lea ecx, dword ptr [esp+10]
:0041F3B8 C684246408000001        mov byte ptr [esp+00000864], 01
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0041F3C0 E8DDBA0000              Call 0042AEA2
:0041F3C5 83FE01                  cmp esi, 00000001
:0041F3C8 741E                    je 0041F3E8
Tracing shows that the comparison above is the key jump: the call at 0041F345 returns a value that is compared against the one stored at [esp+18], and only when they are equal does the je at 0041F34E take the "Shareware Version" path. If they differ, the program takes the other branch and never gets to its window. Change this jump and the program runs again.
Now set the system clock forward by a year and run the program once more. What happens? The program window appears, and the prompt window appears too, but as soon as you click Continue the program exits on its own. So there is yet another check. Nothing for it but to trace again. Since the time comparison is where the program can be stopped, we trace downward from there:
:00407547 50                      push eax
:00407548 8D4C2458                lea ecx, dword ptr [esp+58]
:0040754C FF5264                  call [edx+64]
:0040754F 8B86FC000000            mov eax, dword ptr [esi+000000FC]
:00407555 3BC5                    cmp eax, ebp
:00407557 7E0F                    jle 00407568
:00407559 83F81E                  cmp eax, 0000001E
:0040755C 7F0A                    jg 00407568
:0040755E C7860C01000001000000    mov dword ptr [esi+0000010C], 00000001
Here it is: the same days-remaining test again, loading [esi+000000FC] and jumping to 00407568 if it is <= ebp or > 0000001E. Only when both jumps fall through is the flag at [esi+0000010C] set to 1. No need to say more: change these two jumps as well. This time the program runs, and the prompt window tells you that you have -345 days left.
Now the software can be said to be cracked successfully.
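The three checks traced above (the days-remaining range test at 00407482..00407489 and again at 00407555..0040755C, plus the integrity compare at 0041F34A that the write-up suspects is a CRC) can be modelled in a few lines of C. The following is an added example written for this page; it is not code from PixWizard or from the author. The instruction bytes in check_bytes are copied from the listing, but everything else is an assumption: CRC-32 is only a stand-in for whatever the self-check at 0041F345 really computes (the article infers that a check exists, it does not identify the algorithm), the "expected" value is computed in-process instead of being read from the binary, and overwriting each two-byte Jcc with 90 90 stands in for whatever edit the author actually applied. The block also recomputes the short-jump targets from the rel8 displacements, which is a cheap way to confirm the disassembler's targets before touching any bytes.

```c
/* Added example for the PixWizard write-up: constructed model of a trial
 * range check guarded by a code self-check. Not PixWizard's own code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TRIAL_DAYS 30  /* the 0000001E immediate in "cmp eax, 0000001E" */

/* Target of a 2-byte short conditional jump (opcode + rel8):
 * address of the next instruction plus the sign-extended displacement. */
uint32_t jcc_short_target(uint32_t insn_addr, int8_t disp) {
    return insn_addr + 2u + (uint32_t)(int32_t)disp;
}

/* The range test reconstructed from 00407482..00407489 and
 * 00407555..0040755C; ebp holds 0 there, so "cmp eax, ebp; jle"
 * rejects days_left <= 0 and "cmp eax, 1E; jg" rejects days_left > 30. */
int trial_expired(int32_t days_left) {
    if (days_left <= 0) return 1;          /* jle 004074EA */
    if (days_left > TRIAL_DAYS) return 1;  /* jg  004074EA */
    return 0;
}

/* Bytes of 00407479..0040748A, copied from the W32Dasm listing. */
static const uint8_t check_bytes[] = {
    0x8B, 0x86, 0xFC, 0x00, 0x00, 0x00,  /* mov eax, [esi+000000FC] */
    0x83, 0xC4, 0x0C,                    /* add esp, 0000000C       */
    0x3B, 0xC5,                          /* cmp eax, ebp            */
    0x7E, 0x64,                          /* jle 004074EA            */
    0x83, 0xF8, 0x1E,                    /* cmp eax, 0000001E       */
    0x7F, 0x5F                           /* jg  004074EA            */
};
#define JLE_OFFSET 11  /* index of the 7E 64 pair in check_bytes */
#define JG_OFFSET  16  /* index of the 7F 5F pair in check_bytes */

/* CRC-32 (reflected, polynomial 0xEDB88320), bit-serial. Assumed here as
 * the self-check algorithm; the article does not identify the real one. */
uint32_t crc32_ieee(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Models "cmp eax, [esp+18]; je ...": recomputed checksum of the code
 * region versus the value stored when the binary was built. */
int integrity_ok(const uint8_t *code, size_t len, uint32_t expected) {
    return crc32_ieee(code, len) == expected;
}

/* The classic patch: replace a 2-byte Jcc with two NOPs (90 90). */
void nop_out_jcc(uint8_t *code, size_t off) {
    code[off] = 0x90;
    code[off + 1] = 0x90;
}

/* Patch both jumps in a copy of the region and report whether the
 * self-check still passes. This is the failure the write-up ran into:
 * patching the time check alone trips the second check. */
int patched_copy_passes_integrity(void) {
    uint8_t copy[sizeof check_bytes];
    uint32_t expected = crc32_ieee(check_bytes, sizeof check_bytes);
    memcpy(copy, check_bytes, sizeof copy);
    nop_out_jcc(copy, JLE_OFFSET);
    nop_out_jcc(copy, JG_OFFSET);
    return integrity_ok(copy, sizeof copy, expected);
}

int main(void) {
    printf("jle at 00407484 -> %08X\n", jcc_short_target(0x00407484, 0x64));
    printf("jg  at 00407489 -> %08X\n", jcc_short_target(0x00407489, 0x5F));
    printf("-345 days expired: %d\n", trial_expired(-345));
    printf("self-check after NOP patch: %s\n",
           patched_copy_passes_integrity() ? "passes" : "fails");
    return 0;
}
```

Two things follow from the model. First, both displacements in the listing really do resolve to 004074EA, so the range check is a single "0 < days <= 30" test written as two jumps; patching one jump and not the other leaves half the test in place. Second, any byte edit inside the hashed region changes the checksum, which is why the author had to find and neutralise the compare at 0041F34A as well; a protection that hashes its own code only helps if the compare itself is not a single patchable branch.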