GetSmart暴力破解
作者:孫鋒
Email:sffs@263.net
主頁:http://sffs.6to23.com
據說這個軟體比Jetcar還好,可是我沒覺出來,呵呵,不管了,破解了再說。
修改點3ECB8和4857A。 下面我們來看看嘍:
首先破解的是使用天數的限制,我們先使軟體過期,然後查詢出錯提示語句:
* Possible Reference to String Resource ID=00012: "FireWall refused to connect."
|
:0043ECA2 6A0C
push 0000000C
* Reference To: GDI32.CreateFontA, Ord:0036h
|
:0043ECA4 FF1578904700 Call dword
ptr [00479078]
:0043ECAA A3301F4900 mov dword
ptr [00491F30], eax
:0043ECAF 33C0
xor eax, eax
:0043ECB1 A0325F4800 mov al,
byte ptr [00485F32]
:0043ECB6 85C0
test eax, eax
:0043ECB8 751D
jne 0043ECD7 //------------就是這裡了,改751D->741D,即jne->je
:0043ECBA 8B0DF46F4800 mov ecx, dword
ptr [00486FF4]
:0043ECC0 51
push ecx
* Possible StringData Ref from Data Obj ->"Unregistered - day %ld of evaluation."
//未註冊版本
|
//天數限制提示
:0043ECC1 68F41E4800 push
00481EF4
:0043ECC6 8D9500FCFFFF lea edx, dword
ptr [ebp+FFFFFC00]
:0043ECCC 52
push edx
:0043ECCD E80DFF0200 call
0046EBDF
:0043ECD2 83C40C
add esp, 0000000C
:0043ECD5 EB14
jmp 0043ECEB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043ECB8(C) //-------------->這就是我們修改成註冊版本的地方,往上找吧。
|
* Possible StringData Ref from Data Obj ->"Registered version." //註冊版本
|
:0043ECD7 681C1F4800 push
00481F1C
:0043ECDC 8D8500FCFFFF lea eax, dword
ptr [ebp+FFFFFC00]
:0043ECE2 50
push eax
:0043ECE3 E8F7FE0200 call
0046EBDF
:0043ECE8 83C408
add esp, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043ECD5(U)
|
:0043ECEB 8D8D00FCFFFF lea ecx, dword
ptr [ebp+FFFFFC00]
:0043ECF1 51
push ecx
:0043ECF2 6827040000 push
00000427
:0043ECF7 8B5508
mov edx, dword ptr [ebp+08]
:0043ECFA 52
push edx
然後我們再來破解註冊失敗的地方,修改為註冊成功,查詢出錯提示語句,會看到:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448F1C(U)
|
:00448F2D 8B8530F9FFFF mov eax, dword
ptr [ebp+FFFFF930]
:00448F33 25FF000000 and eax,
000000FF
:00448F38 3B8580F9FFFF cmp eax, dword
ptr [ebp+FFFFF980]
:00448F3E 7310
jnb 00448F50
:00448F40 8B8D34F9FFFF mov ecx, dword
ptr [ebp+FFFFF934]
:00448F46 8B11
mov edx, dword ptr [ecx]
:00448F48 899534F9FFFF mov dword
ptr [ebp+FFFFF934], edx
:00448F4E EBCE
jmp 00448F1E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448F3E(C)
|
:00448F50 8B8534F9FFFF mov eax, dword
ptr [ebp+FFFFF934]
:00448F56 8A4804
mov cl, byte ptr [eax+04]
:00448F59 880DDF6C4800 mov byte ptr
[00486CDF], cl
:00448F5F E8DAD4FDFF call
0042643E
:00448F64 6A00
push 00000000
* Possible StringData Ref from Data Obj ->"GetSmart is now registered!!" //註冊成功
|
:00448F66 68F42B4800 push
00482BF4
* Possible StringData Ref from Data Obj ->"Thanks you for supporting GetSmart."
//註冊成功
|
:00448F6B 68142C4800 push
00482C14
* Possible Reference to String Resource ID=00192: "Thanks you for supporting
GetSmart." //註冊成功
|
:00448F70 68C0000000 push
000000C0
:00448F75 E8C5810100 call
0046113F
:00448F7A 83C408
add esp, 00000008
:00448F7D 50
push eax
:00448F7E E815850100 call
00461498
:00448F83 83C40C
add esp, 0000000C
:00448F86 E8F3810100 call
0046117E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044857A(C) //---------------修改這裡了,呵呵。
|
:00448F8B EB44
jmp 00448FD1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044856B(C)
|
:00448F8D C605325F480000 mov byte ptr [00485F32],
00
* Possible Reference to String Resource ID=00024: "Can't start download!"
|
:00448F94 6A18
push 00000018
:00448F96 6A00
push 00000000
:00448F98 68C86C4800 push
00486CC8
:00448F9D E87E5F0200 call
0046EF20
:00448FA2 83C40C
add esp, 0000000C
:00448FA5 E894D4FDFF call
0042643E
:00448FAA 6A00
push 00000000
* Possible StringData Ref from Data Obj ->"Wrong serial number!" //錯誤提示
|
:00448FAC 68382C4800 push
00482C38
* Possible StringData Ref from Data Obj ->"Your serial number is invalid"
//錯誤提示
|
:00448FB1 68502C4800 push
00482C50
* Possible Reference to String Resource ID=00193: "Your serial number is invalid"
//錯誤提示
|
:00448FB6 68C1000000 push
000000C1
:00448FBB E87F810100 call
0046113F
:00448FC0 83C408
add esp, 00000008
:00448FC3 50
push eax
:00448FC4 E8CF840100 call
00461498
:00448FC9 83C40C
add esp, 0000000C
:00448FCC E8AD810100 call
0046117E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448F8B(U)
|
:00448FD1 833D286D480000 cmp dword ptr [00486D28],
00000000
:00448FD8 740F
je 00448FE9
我們往上找找看0044857A這個地方;
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044854D(C)
|
:0044855F 8B8D70F9FFFF mov ecx, dword
ptr [ebp+FFFFF970]
:00448565 0FBE5104
movsx edx, byte ptr [ecx+04]
:00448569 85D2
test edx, edx
:0044856B 0F841C0A0000 je 00448F8D
:00448571 33C0
xor eax, eax
:00448573 A0325F4800 mov al,
byte ptr [00485F32]
:00448578 85C0
test eax, eax
:0044857A 0F850B0A0000 jne 00448F8B
//--------->修改85->84,即jne->je
:00448580 C605325F480001 mov byte ptr [00485F32],
01
* Reference To: KERNEL32.GetTickCount, Ord:016Dh
|
:00448587 FF15A0914700 Call dword
ptr [004791A0]
:0044858D 33D2
xor edx, edx
好了,完成了破解,在修改後一定要注意先隨便輸入註冊碼,成為“正版”喲,呵呵。