如何完美破解winhex9.73的功能限制! (8千字)
完美破解winhex9.73的功能限制!
所用工具：TRW2000(國人的驕傲)、W32Dasm 8.93(破解利器)
軟體下載:www.pchome.net
破解人:大老
郵件:dalao@top86.com
破解目標:衝破 WinHex 不能編輯儲存大於 250 KB 檔案的限制
軟體簡介:一個很不錯的16進位制檔案編輯與磁碟編輯軟體。WinHex以檔案小、速度快,功能不輸其它的Hex十六進位編輯器工具得到了ZDNet SoftwareLibrary五顆星最高評價,可做Hex與ASCII碼編輯修改,多檔案尋替換功能,一般運算及邏輯運算,磁碟磁區編輯(支援FAT16、FAT32和NTFS)自動搜尋編輯,檔案對比和分析等功能,另外8.3版新增了RAM編輯功能!
這個軟體的作者加了很多標誌(例如下文反覆出現的 [0045F9AE]、[0045F97A]、[0045F9DD] 等位元組)來判斷是否為真的註冊版，
而未註冊版走的路徑檢查則少了很多！注意：這種「同一個限制分散在多處各自檢查、而且各處檢查深度不一致」的做法就是這裡被利用的弱點——每一處檢查都必須單獨處理，漏掉任何一處(例如下文的 (4))限制就仍會部分生效。xixi
進入正題:
先用 W32Dasm 反編譯 winhex.exe。注意：以下列出的彙編是我修改過後的結果——原本的條件跳轉應已被同長度的兩個 nop(90 90)或 2 位元組的無條件短跳轉(EB xx)覆寫，因此各指令位址不變，可直接與原始檔案對照。
然後搜尋 3DFA00(即 cmp eax, 000000FA；0xFA = 十進位 250)會找到兩次
第一次
; W32Dasm listing (Intel syntax, 32-bit), shown AFTER the author's patch.
; Check site (1): file-open path. The return value of 00402850 is compared with
; 0xFA (250); the author reads this as "file larger than 250 KB" -- the unit
; (KB) is presumed, confirm against the callee.
:0041666D E8DEC1FEFF call
00402850
:00416672 3DFA000000 cmp eax,
000000FA ===》開啟檔案時比較檔案是否大於250k (1)
; Two 1-byte nops (90 90) now occupy the two bytes after the cmp. The author's
; note says this site must NOT jump, so a 2-byte conditional jump was presumably
; overwritten here and control now always falls through to the mov below.
:00416677 90
nop ====》這裡一定不能跳!
:00416678 90
nop
:00416679 C644240201 mov [esp+02],
01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041664D(U), :00416662(C)
|
:0041667E 8D842404010000 lea eax, dword
ptr [esp+00000104]
:00416685 BAC5F84500 mov edx,
0045F8C5
第二次
; Check site (2): save path, inside the routine entered at 00431534 (called
; from 00453154, see the next listing). Listing shown AFTER the author's patch.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043153E(C)
|
; The 64-bit value at [ebp+08] is scaled by the constant at 00431588 before the
; same 00402850 / cmp eax, 0xFA (250) test as in check site (1).
:0043154A DF6D08
fild qword ptr [ebp+08]
:0043154D D80D88154300 fmul dword
ptr [00431588]
:00431553 E8F812FDFF call
00402850
:00431558 3DFA000000 cmp eax,
000000FA ====》比較檔案是否大於250k (2)
; EB 20 = unconditional short jmp to 0043157F. The author's note says this site
; MUST jump: the original 2-byte conditional jump was replaced, so the compare
; result is ignored and the flag test on [0045F9AE] plus the call to 00408CEC
; (reached only when the limit applied; its purpose is not shown here) are skipped.
; [0045F9AE] is the same flag byte tested again at 00453215 and 0045325A.
:0043155D EB20
jmp 0043157F ====》這裡一定要跳
:0043155F 803DAEF9450000 cmp byte ptr [0045F9AE],
00
:00431566 7517
jne 0043157F
:00431568 66B84F00
mov ax, 004F
:0043156C E87B77FDFF call
00408CEC
以上是準備工作
現在用除錯工具 TRW2000 來去掉 250K 的功能限制!
設斷點 bpx 431558(即上面第二處 cmp eax, 000000FA 所在的位址)
開啟一個大於 250K 的檔案隨便改幾處! 點擊 save
斷點攔截後按一次 F12(執行到返回，回到呼叫端 00453159)再按一次 F10(單步)，就會停在下面標示「我們將來到這」的位置
; Caller of the check routine at 00431534. TRW2000 lands here after F12 from
; bpx 431558. Listing shown AFTER the author's patch; 0045332B is the common
; exit used by every failing test below (saving is refused along that path).
:00453154 E8DBE3FDFF call
00431534
:00453159 84C0
test al, al =====》我們將來到這
:0045315B 0F84CA010000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045314C(C)
|
; Series of per-document state tests: global flag byte [0045F97A] and fields of
; the object in esi ([esi+2147], [esi+24], [esi+2146], [esi+32], [esi+0C]).
; Their exact meaning is not shown in this listing.
:00453161 803D7AF9450002 cmp byte ptr [0045F97A],
02
:00453168 750D
jne 00453177
:0045316A 80BE4721000000 cmp byte ptr [esi+00002147],
00
:00453171 0F84B4010000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453168(C)
|
:00453177 8BC6
mov eax, esi
:00453179 E8AE3CFFFF call
00446E2C
:0045317E 84C0
test al, al
:00453180 0F84A5010000 je 0045332B
:00453186 837E2400
cmp dword ptr [esi+24], 00000000
:0045318A 7531
jne 004531BD
:0045318C 80BE4621000000 cmp byte ptr [esi+00002146],
00
:00453193 7528
jne 004531BD
:00453195 8B460C
mov eax, dword ptr [esi+0C]
:00453198 E81FA0FBFF call
0040D1BC
:0045319D 880424
mov byte ptr [esp], al
:004531A0 807E3203
cmp byte ptr [esi+32], 03
:004531A4 7417
je 004531BD
:004531A6 803C2400
cmp byte ptr [esp], 00
:004531AA 7511
jne 004531BD
:004531AC 8B560C
mov edx, dword ptr [esi+0C]
:004531AF 66B80A00
mov ax, 000A
:004531B3 E8806DFBFF call
00409F38
:004531B8 E96E010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045318A(C), :00453193(C), :004531A4(C), :004531AA(C)
|
:004531BD 807E3204
cmp byte ptr [esi+32], 04
:004531C1 7507
jne 004531CA
:004531C3 B301
mov bl, 01
:004531C5 E961010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004531C1(C)
|
:004531CA 80BE4621000000 cmp byte ptr [esi+00002146],
00
:004531D1 7434
je 00453207
:004531D3 8A8646210000 mov al, byte
ptr [esi+00002146]
:004531D9 E872F7FBFF call
00412950
:004531DE 84C0
test al, al
:004531E0 0F8445010000 je 0045332B
:004531E6 8D4604
lea eax, dword ptr [esi+04]
:004531E9 E83A4CFCFF call
00417E28
:004531EE 84C0
test al, al
:004531F0 740E
je 00453200
:004531F2 B301
mov bl, 01
:004531F4 8BC6
mov eax, esi
:004531F6 E8ED38FFFF call
00446AE8
:004531FB E92B010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004531F0(C)
|
:00453200 33DB
xor ebx, ebx
:00453202 E924010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004531D1(C)
|
; Size check A: the 64-bit value at [esi+10] is compared (fcomp) against the
; constant at 00453334, then fstsw/sahf copies the FPU condition codes into
; EFLAGS for a conditional jump. The author replaced that jump with EB 0D
; (unconditional jmp 00453222), so the compare result is discarded and the
; "registered?" test on [0045F9AE] at 00453215 is never reached.
:00453207 DF6E10
fild qword ptr [esi+10]
:0045320A D81D34334500 fcomp dword
ptr [00453334]
:00453210 DFE0
fstsw ax
:00453212 9E
sahf
:00453213 EB0D
jmp 00453222 ======》判斷是否為註冊版這一定要跳
:00453215 803DAEF9450000 cmp byte ptr [0045F9AE],
00
:0045321C 0F8409010000 je 0045332B
; W32Dasm marks the reference below as (U)nconditional, which confirms the
; listing was generated from the already-patched binary.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453213(U)
|
:00453222 803D7AF9450000 cmp byte ptr [0045F97A],
00
:00453229 7521
jne 0045324C
:0045322B 803DDDF9450000 cmp byte ptr [0045F9DD],
00
:00453232 7518
jne 0045324C
:00453234 803C2400
cmp byte ptr [esp], 00
:00453238 7412
je 0045324C
:0045323A 8B460C
mov eax, dword ptr [esi+0C]
:0045323D B201
mov dl, 01
:0045323F E83091FBFF call
0040C374
:00453244 84C0
test al, al
:00453246 0F84DF000000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00453229(C), :00453232(C), :00453238(C)
|
; Size check B: same pattern as check A but against the constant at 00453338.
; Again patched to an unconditional jmp (EB 0D -> 00453267), skipping the
; second [0045F9AE] test at 0045325A.
:0045324C DF6E10
fild qword ptr [esi+10]
:0045324F D81D38334500 fcomp dword
ptr [00453338]
:00453255 DFE0
fstsw ax
:00453257 9E
sahf
:00453258 EB0D
jmp 00453267 ==============》還有這一定要跳
:0045325A 803DAEF9450000 cmp byte ptr [0045F9AE],
00
:00453261 0F84C4000000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453258(U)
|
* Possible Reference to Menu: MenuID_0002
|
:00453267 6A02
push 00000002
:00453269 668B8620210000 mov ax, word ptr
[esi+00002120]
:00453270 E82FA1FBFF call
0040D3A4
:00453275 8BD0
mov edx, eax
:00453277 8B4E0C
mov ecx, dword ptr [esi+0C]
:0045327A 8D4604
lea eax, dword ptr [esi+04]
; (3): per the author this call performs the actual write to disk; the final
; check (4), described in the next listing, is reached from inside it. Its
; al return value decides whether the save proceeds.
:0045327D E82E36FCFF call
004168B0 ==============》注意這個call控制寫盤操作 (3)
:00453282 84C0
test al, al
:00453284 0F84A1000000 je 0045332B
:0045328A 807E3203
cmp byte ptr [esi+32], 03
:0045328E 750D
jne 0045329D
:00453290 A017EF4500 mov al,
byte ptr [0045EF17]
:00453295 888645210000 mov byte ptr
[esi+00002145], al
:0045329B EB26
jmp 004532C3
進入(3)的call
------------------------------------------------------------
; Check site (4), reached via the write call (3) at 0045327D according to the
; author. Note the addresses here (00416014..) lie below 004168B0, so this is
; a callee or an earlier part of that routine rather than its entry -- not
; verifiable from this listing alone. Shown AFTER the author's patch.
; [ebp-2C] (32-bit) is added to the 64-bit value at [ebp-1C] and stored back.
:00416014 DB45D4
fild dword ptr [ebp-2C]
:00416017 DF6DE4
fild qword ptr [ebp-1C]
:0041601A DEC1
faddp st(1), st(0)
:0041601C DF7DE4
fistp qword ptr [ebp-1C]
:0041601F 9B
wait
; First compare of the updated value against the constant at 004161B0;
; fstsw/sahf moves the FPU result into EFLAGS for the following jump.
:00416020 DF6DE4
fild qword ptr [ebp-1C]
:00416023 D81DB0614100 fcomp dword
ptr [004161B0]
:00416029 DFE0
fstsw ax
:0041602B 9E
sahf
; EB 21 = unconditional jmp 0041604F, replacing the original conditional jump.
; The author reports that without this patch saving is still capped at about
; 280 KB -- i.e. the second compare below (against 004161B4, ending in jnb
; 0041604F) remains in force. This is the check the author says only exists
; from WinHex 9.71 onward.
:0041602C EB21
jmp 0041604F ================>>關鍵必須跳!不跳只能儲存280K (4)
:0041602E DF6DE4
fild qword ptr [ebp-1C]
:00416031 D81DB4614100 fcomp dword
ptr [004161B4]
:00416037 DFE0
fstsw ax
:00416039 9E
sahf
:0041603A 7313
jnb 0041604F
-----------------------------------------------------------
這樣 save 的功能限制就解除了! 修改後請實際儲存一個大於 250K 的檔案並比對內容，確認 (1)~(4) 四處都已處理——只改前三處時仍會受到 (4) 的 280K 限制。
解除 save as 的功能限制和解除 save 的功能限制一樣(同樣設斷點 bpx 431558 追蹤)。
希望大家能舉一反三! 另外說一下：其中 (4) 的判斷是 WinHex 9.71 版以後才加上的；不同版本的檢查點數量與位址都可能不同，上述位址只適用於 9.73，換版本務必重新分析。請大家注意!