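Cracking the 30-day trial version of Quick View Plus 5.0
Target: QVP
Overall rating: ★★★★★
This software can view files and documents created by more than 200 applications, including word processors, databases, spreadsheets, graphics, and so on. You can use it to view Office 97 files and HTML documents directly. It is a powerful, fast, easy-to-use file viewer that integrates seamlessly with Windows. The evaluation version does not support Win31, but the full version does.
Author: RATARICE[BCG]
Tools: TRW2000 1.22, ULTRAEDIT-32
Procedure:
1. Run the software. There is nowhere to enter a registration code, so it has to be patched. There are also no feature restrictions.
2. Set the clock forward 30 days and run it again; an error dialog appears.
3. Start TRW and set bpx getsystemtime. Run the program again and the breakpoint triggers. After pmodule, the following code is visible: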
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040173D(C), :00401759(C)
|
:0040176D 83FE01                  cmp esi, 00000001
:00401770 7523                    jne 00401795
:00401772 68C0B44000              push 0040B4C0
* Reference To: KERNEL32.InitializeCriticalSection, Ord:0179h
|
:00401777 FF15E0D14000            Call dword ptr [0040D1E0]
:0040177D 68C0B44000              push 0040B4C0
* Reference To: QVP.QVPManager, Ord:0009h
|
:00401782 E8690C0000              Call 004023F0              ----> suspicious, step into this call!!
:00401787 83C404                  add esp, 00000004          ----> we stop here!
:0040178A 68C0B44000              push 0040B4C0
* Reference To: KERNEL32.DeleteCriticalSection, Ord:004Ch
|
:0040178F FF15B0D14000            Call dword ptr [0040D1B0]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004016D1(C), :004016FC(C), :00401770(C)
|
:00401795 5F                      pop edi
:00401796 33C0                    xor eax, eax
:00401798 5E                      pop esi
:00401799 81C448040000            add esp, 00000448
:0040179F C21000                  ret 0010
Stepping in lands in QVP.DLL territory:
Exported fn(): QVPManager - Ord:000Ah
:20805A40 55                      push ebp
:20805A41 8BEC                    mov ebp, esp
:20805A43 6AFF                    push FFFFFFFF
:20805A45 68108B8120              push 20818B10
:20805A4A 64A100000000            mov eax, dword ptr fs:[00000000]
:20805A50 50                      push eax
:20805A51 64892500000000          mov dword ptr fs:[00000000], esp
:20805A58 51                      push ecx
:20805A59 81EC48070000            sub esp, 00000748
:20805A5F 53                      push ebx
:20805A60 56                      push esi
:20805A61 57                      push edi
:20805A62 8965F0                  mov dword ptr [ebp-10], esp
:20805A65 6A01                    push 00000001
* Reference To: QVP.QVPTrialWareStart
|
:20805A67 E8D4FCFFFF              call 20805740              ----> the error occurs in here, step in!
:20805A6C 83C404                  add esp, 00000004
:20805A6F 85C0                    test eax, eax
:20805A71 0F84DD060000            je 20806154
:20805A77 8B4508                  mov eax, dword ptr [ebp+08]
:20805A7A A388FA8120              mov dword ptr [2081FA88], eax
:20805A7F E84C240000              call 20807ED0
:20805A84 8BF0                    mov esi, eax
:20805A86 A1A4F58120              mov eax, dword ptr [2081F5A4]
:20805A8B 33FF                    xor edi, edi
Step into the CALL above and keep tracing until you reach this point:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:208058C1(C), :208058C9(U), :208058E3(U), :208058E9(U), :20805904(C)
|:20805908(U)
|
:20805910 837C241002              cmp dword ptr [esp+10], 00000002   ----> the key comparison!
:20805915 7507                    jne 2080591E                       ----> the key jump! NOP it out!
:20805917 8BF5                    mov esi, ebp
:20805919 E9DE000000              jmp 208059FC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:20805915(C)
|
:2080591E 8B84243C010000          mov eax, dword ptr [esp+0000013C]
:20805925 892D94FA8120            mov dword ptr [2081FA94], ebp
:2080592B 85C0                    test eax, eax
:2080592D 0F8495000000            je 208059C8
:20805933 80FB68                  cmp bl, 68
:20805936 751E                    jne 20805956
:20805938 8B15ACF58120            mov edx, dword ptr [2081F5AC]
:2080593E 56                      push esi
:2080593F 6880538020              push 20805380
:20805944 6A00                    push 00000000
:20805946 68D1100000              push 000010D1
:2080594B 52                      push edx
* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:2080594C FF1564288220            Call dword ptr [20822864]          ----> this is the root cause! Find a way to skip it; we look upward!
:20805952 8BF0                    mov esi, eax
:20805954 EB7D                    jmp 208059D3
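4. Start ULTRAEDIT-32, open QVP.DLL, find 7507 and change it to 9090. OK!
Also, this software is rather poorly done: the check at 20805910 is performed twice. Getting past it the first time is enough for the program to start, but no files can be opened; only when the second pass also gets through does the program work normally.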
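
Seen from the vendor or defender side, the two-byte change in step 4 is easy to detect by comparing the DLL against a known-good copy. The following is an added example, not part of the original article; the function names are hypothetical and the sample bytes are constructed from the listing at 20805910 above.

```python
"""Flag short conditional jumps that were overwritten with NOPs (tamper check)."""

NOP = 0x90

def diff_runs(good: bytes, suspect: bytes):
    """Yield (offset, good_bytes, suspect_bytes) for each contiguous differing run."""
    if len(good) != len(suspect):
        raise ValueError("images differ in size; compare hashes or signatures instead")
    start = None
    for i in range(len(good) + 1):
        differs = i < len(good) and good[i] != suspect[i]
        if differs and start is None:
            start = i                      # a differing run begins here
        elif not differs and start is not None:
            yield start, good[start:i], suspect[start:i]
            start = None

def is_short_jcc(b: bytes) -> bool:
    """True for a 2-byte Jcc rel8 (opcodes 0x70-0x7F), e.g. 75 07 = jne +7."""
    return len(b) == 2 and 0x70 <= b[0] <= 0x7F

def find_nopped_branches(good: bytes, suspect: bytes, base: int = 0):
    """Return findings where a short conditional jump was replaced by NOPs."""
    findings = []
    for off, old, new in diff_runs(good, suspect):
        if is_short_jcc(old) and all(x == NOP for x in new):
            findings.append({"addr": base + off, "was": old.hex(), "now": new.hex()})
    return findings

# Constructed sample: the bytes shown at 20805910..2080591D in the listing.
GOOD = bytes.fromhex("837c241002" "7507" "8bf5" "e9de000000")
# The same bytes with the change described in step 4 applied.
TAMPERED = bytes.fromhex("837c241002" "9090" "8bf5" "e9de000000")

if __name__ == "__main__":
    for f in find_nopped_branches(GOOD, TAMPERED, base=0x20805910):
        print(f"branch removed at {f['addr']:#x}: {f['was']} -> {f['now']}")
```

A whole-file hash or signature check at load time is the stronger control; this diff only explains what changed once a mismatch is found.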