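WebTimeSync 5.2.0 Cracking Walkthrough (14,000 characters)
Author: tieji
Date cracked: 2001-9-29
Tools used: W32dasm Gold Edition, UltraEdit-32, trw2000
Software author's homepage: http://www.victechsoftware.com/
Description: Software that makes your computer's clock very accurate. It connects to
one of 7 atomic clocks around the world (you can choose which one), obtains the accurate
time, and then changes your system time. It can calculate your offset from Greenwich
Mean Time and then adjust to local time.
Preface: After using trw for a long time, the system clock keeps running slow and I often get the time wrong :=(
With no other option, I went online and found a program, WebTimeSync, to correct the system time, but this software is stingy and can only be used 15 times,
so.............
First I started trw2000 and ran WebTimeSync to try to work out the registration code. The program turned out to be written in VB, and I kept going around in circles inside the DLL, which was annoying.....
Change of direction: patch the binary instead.
Open kroot.exe in W32dasm and search the string references for "AAll of your uses have been exhausted. ", which is
the message WebTimeSync shows when it is run after the 15 uses are gone.
It is referenced in 3 places: 00425e3e, 00428b61, 0042a8c1
Set breakpoints on these three places with trw2000: bpx 00425e3e ; bpx 00428b61 ; bpx 0042a8c1
Run WebTimeSync; it breaks at 00428b61: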
:004289E4 DC2570174000          fsub qword ptr [00401770]
:004289EA DFE0                  fstsw ax
:004289EC A80D                  test al, 0D
:004289EE 0F856E050000          jne 00428F62

* Reference To: MSVBVM60.__vbaFpR8, Ord:0000h
                                |
:004289F4 FF15D8104000          Call dword ptr [004010D8]
:004289FA DC1D80174000          fcomp qword ptr [00401780]
:00428A00 DFE0                  fstsw ax
:00428A02 F6C440                test ah, 40
:00428A05 0F84AC010000          je 00428BB7    <-------- changing this jump skips the "All of your uses have been exhausted" message box
:00428A0B C745FC6C000000        mov [ebp-04], 0000006C
:00428A12 8B4D08                mov ecx, dword ptr [ebp+08]
:00428A15 8B11                  mov edx, dword ptr [ecx]
:00428A17 8B4508                mov eax, dword ptr [ebp+08]
:00428A1A 50                    push eax
:00428A1B FF92C0030000          call dword ptr [edx+000003C0]
:00428A21 50                    push eax
:00428A22 8D4DC8                lea ecx, dword ptr [ebp-38]
:00428A25 51                    push ecx
..............
..............
..............
                                |
:00428B15 FF1594124000          Call dword ptr [00401294]
:00428B1B C745FC70000000        mov [ebp-04], 00000070
:00428B22 C7458C04000280        mov [ebp-74], 80020004
:00428B29 C745840A000000        mov [ebp-7C], 0000000A
:00428B30 C7459C04000280        mov [ebp-64], 80020004
:00428B37 C745940A000000        mov [ebp-6C], 0000000A

* Possible StringData Ref from Code Obj ->"WWebTimeSync"
                                |
:00428B3E C7856CFFFFFF0C2E4100  mov dword ptr [ebp+FFFFFF6C], 00412E0C
:00428B48 C78564FFFFFF08000000  mov dword ptr [ebp+FFFFFF64], 00000008
:00428B52 8D9564FFFFFF          lea edx, dword ptr [ebp+FFFFFF64]
:00428B58 8D4DA4                lea ecx, dword ptr [ebp-5C]

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                |
:00428B5B FF153C124000          Call dword ptr [0040123C]

* Possible StringData Ref from Code Obj ->"AAll of your uses have been exhausted. "
                                        ->" Please register or uninstall "
                                        ->"the product."
                                |
:00428B61 C7857CFFFFFF10464100  mov dword ptr [ebp+FFFFFF7C], 00414610    <-------- we are here; look upward for a place where this can be jumped over
:00428B6B C78574FFFFFF08000000  mov dword ptr [ebp+FFFFFF74], 00000008
:00428B75 8D9574FFFFFF          lea edx, dword ptr [ebp+FFFFFF74]
:00428B7B 8D4DB4                lea ecx, dword ptr [ebp-4C]
:00428B7E FF153C124000          Call dword ptr [0040123C]
:00428B84 8D4D84                lea ecx, dword ptr [ebp-7C]
:00428B87 51                    push ecx
:00428B88 8D5594                lea edx, dword ptr [ebp-6C]
:00428B8B 52                    push edx
:00428B8C 8D45A4                lea eax, dword ptr [ebp-5C]
:00428B8F 50                    push eax
:00428B90 6A30                  push 00000030
:00428B92 8D4DB4                lea ecx, dword ptr [ebp-4C]
:00428B95 51                    push ecx

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
                                |
:00428B96 FF15AC104000          Call dword ptr [004010AC]    <-------- shows the "All of your uses have been exhausted" message box
:00428B9C 8D5584                lea edx, dword ptr [ebp-7C]
:00428B9F 52                    push edx
:00428BA0 8D4594                lea eax, dword ptr [ebp-6C]
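The "All of your uses have been exhausted" message box at startup is now skipped, but pressing the "check and adjust time" button
still brings up the "All of your uses have been exhausted" message box.
As before, set breakpoints on the three places with trw2000: bpx 00425e3e ; bpx 00428b61 ; bpx 0042a8c1
Press the "check and adjust time" button; it breaks at 00425e3e: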
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042524D(C)    <-------- here: execution arrives via a jump from 0042524d, so go and look at 0042524d...
|
:00425DF8 C745FC3D000000        mov [ebp-04], 0000003D
:00425DFF C7459004000280        mov [ebp-70], 80020004
:00425E06 C745880A000000        mov [ebp-78], 0000000A
:00425E0D C745A004000280        mov [ebp-60], 80020004
:00425E14 C745980A000000        mov [ebp-68], 0000000A

* Possible StringData Ref from Code Obj ->"WWebTimeSync"
                                |
:00425E1B C78570FFFFFF0C2E4100  mov dword ptr [ebp+FFFFFF70], 00412E0C
:00425E25 C78568FFFFFF08000000  mov dword ptr [ebp+FFFFFF68], 00000008
:00425E2F 8D9568FFFFFF          lea edx, dword ptr [ebp+FFFFFF68]
:00425E35 8D4DA8                lea ecx, dword ptr [ebp-58]

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                |
:00425E38 FF153C124000          Call dword ptr [0040123C]

* Possible StringData Ref from Code Obj ->"AAll of your uses have been exhausted. "
                                        ->" Please register or uninstall "
                                        ->"the product."
                                |
:00425E3E C7458010464100        mov [ebp-80], 00414610    <-------- we are here; look upward for a place where this can be jumped over
:00425E45 C78578FFFFFF08000000  mov dword ptr [ebp+FFFFFF78], 00000008
:00425E4F 8D9578FFFFFF          lea edx, dword ptr [ebp+FFFFFF78]
:00425E55 8D4DB8                lea ecx, dword ptr [ebp-48]

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                |
:00425E58 FF153C124000          Call dword ptr [0040123C]
:00425E5E 8D4588                lea eax, dword ptr [ebp-78]
:00425E61 50                    push eax
:00425E62 8D4D98                lea ecx, dword ptr [ebp-68]
:00425E65 51                    push ecx
:00425E66 8D55A8                lea edx, dword ptr [ebp-58]
:00425E69 52                    push edx
:00425E6A 6A30                  push 00000030
:00425E6C 8D45B8                lea eax, dword ptr [ebp-48]
:00425E6F 50                    push eax

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
                                |
:00425E70 FF15AC104000          Call dword ptr [004010AC]    <-------- shows the "All of your uses have been exhausted" message box
:00425E76 8D4D88                lea ecx, dword ptr [ebp-78]
:00425E79 51                    push ecx
====================================================================
:0042523E FF1590124000          Call dword ptr [00401290]
:00425244 0FBF8D30FFFFFF        movsx ecx, word ptr [ebp+FFFFFF30]
:0042524B 85C9                  test ecx, ecx
:0042524D 0F84A50B0000          je 00425DF8    <-------- if this jump is taken, it is all over; NOP it out here
:00425253 C745FC03000000        mov [ebp-04], 00000003
:0042525A 6A01                  push 00000001

* Reference To: MSVBVM60.__vbaOnError, Ord:0000h
                                |
:0042525C FF15A8104000          Call dword ptr [004010A8]
:00425262 C745FC05000000        mov [ebp-04], 00000005
:00425269 8B5508                mov edx, dword ptr [ebp+08]
:0042526C 8B02                  mov eax, dword ptr [edx]
:0042526E 8B4D08                mov ecx, dword ptr [ebp+08]
:00425271 51                    push ecx
:00425272 FF90D4030000          call dword ptr [eax+000003D4]
:00425278 50                    push eax
:00425279 8D55CC                lea edx, dword ptr [ebp-34]
:0042527C 52                    push edx

* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
                                |
:0042527D FF15B0104000          Call dword ptr [004010B0]
:00425283 898530FFFFFF          mov dword ptr [ebp+FFFFFF30], eax

* Possible StringData Ref from Code Obj ->"CConnecting..."    <-------- Ha! This is where it connects to the internet!!!
                                |
:00425289 6844454100            push 00414544
:0042528E 8B8530FFFFFF          mov eax, dword ptr [ebp+FFFFFF30]
=====================================
Summary:
1. At 00428A05 0F84AC010000 je 00428BB7, change the bytes to 0F85AC010000
2. At 0042524D 0F84A50B0000 je 00425DF8, NOP the instruction out
=====================================
Also: the registry method:
Each use decrements the "Updates left:" count by one, so
open kroot.exe in W32dasm and search the string references for "Updates left: ", as follows:
=========================================================================
:004276E1 FF1590124000          Call dword ptr [00401290]
:004276E7 C745FC19000000        mov [ebp-04], 00000019

* Possible StringData Ref from Code Obj ->"8850"
                                |
:004276EE BAAC484100            mov edx, 004148AC
:004276F3 8D4DD4                lea ecx, dword ptr [ebp-2C]

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                |
:004276F6 FF15F4114000          Call dword ptr [004011F4]

* Possible StringData Ref from Code Obj ->"SShellExtendedData"
                                |
:004276FC BA44484100            mov edx, 00414844
:00427701 8D4DD8                lea ecx, dword ptr [ebp-28]

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                |
:00427704 FF15F4114000          Call dword ptr [004011F4]

* Possible StringData Ref from Code Obj ->"SSoftware\Microsoft\Windows\CurrentVersion\Exp"
                                        ->"lorer"
                                |
:0042770A BAD8474100            mov edx, 004147D8
:0042770F 8D4DDC                lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                |
:00427712 FF15F4114000          Call dword ptr [004011F4]
:00427718 C7853CFFFFFF01000080  mov dword ptr [ebp+FFFFFF3C], 80000001
:00427722 8D4DD4                lea ecx, dword ptr [ebp-2C]
:00427725 51                    push ecx
:00427726 8D55D8                lea edx, dword ptr [ebp-28]
:00427729 52                    push edx
:0042772A 8D45DC                lea eax, dword ptr [ebp-24]
:0042772D 50                    push eax
:0042772E 8D8D3CFFFFFF          lea ecx, dword ptr [ebp+FFFFFF3C]
:00427734 51                    push ecx
:00427735 E8C646FFFF            call 0041BE00
:0042773A 8D55D4                lea edx, dword ptr [ebp-2C]
:0042773D 52                    push edx
:0042773E 8D45D8                lea eax, dword ptr [ebp-28]
:00427741 50                    push eax
:00427742 8D4DDC                lea ecx, dword ptr [ebp-24]
:00427745 51                    push ecx
:00427746 6A03                  push 00000003

* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
                                |
:00427748 FF1504124000          Call dword ptr [00401204]
:0042774E 83C410                add esp, 00000010
:00427751 C745FC1A000000        mov [ebp-04], 0000001A
:00427758 8B15B0304400          mov edx, dword ptr [004430B0]
:0042775E 52                    push edx
:0042775F 8B4508                mov eax, dword ptr [ebp+08]
:00427762 8B888C010000          mov ecx, dword ptr [eax+0000018C]
:00427768 51                    push ecx
:00427769 E802030100            call 00437A70
:0042776E 50                    push eax

* Reference To: MSVBVM60.__vbaStrI4, Ord:0000h
                                |
:0042776F FF151C104000          Call dword ptr [0040101C]
:00427775 8BD0                  mov edx, eax
:00427777 8D4DDC                lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
                                |
:0042777A FF1568124000          Call dword ptr [00401268]
:00427780 50                    push eax

* Possible StringData Ref from Code Obj ->"SServerData"
                                |
:00427781 687C484100            push 0041487C

* Possible StringData Ref from Code Obj ->"SSettings"
                                |
:00427786 68282E4100            push 00412E28

* Possible StringData Ref from Code Obj ->"WWebTimeSync"
                                |
:0042778B 680C2E4100            push 00412E0C

* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
                                |
:00427790 FF1508104000          Call dword ptr [00401008]
:00427796 8D4DDC                lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                |
:00427799 FF1590124000          Call dword ptr [00401290]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00427691(C)
|
:0042779F C745FC1D000000        mov [ebp-04], 0000001D
:004277A6 8B5508                mov edx, dword ptr [ebp+08]
:004277A9 8B02                  mov eax, dword ptr [edx]
:004277AB 8B4D08                mov ecx, dword ptr [ebp+08]
:004277AE 51                    push ecx
:004277AF FF90C4030000          call dword ptr [eax+000003C4]
:004277B5 50                    push eax
:004277B6 8D55C8                lea edx, dword ptr [ebp-38]
:004277B9 52                    push edx

* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
                                |
:004277BA FF15B0104000          Call dword ptr [004010B0]
:004277C0 89852CFFFFFF          mov dword ptr [ebp+FFFFFF2C], eax

* Possible StringData Ref from Code Obj ->"UUpdates left: "
                                |
:004277C6 68B8484100            push 004148B8
:004277CB 8B4508                mov eax, dword ptr [ebp+08]
:004277CE 668B887A010000        mov cx, word ptr [eax+0000017A]
:004277D5 666BC904              imul cx, 0004
Look in the registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellExtendedData"="850" ----> change it to 1105 and the program can be used 15 more times.
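Seen from the vendor's side, the registry value above works as a trial counter only as long as nobody edits it, because the program trusts whatever number it reads back. The following is an added example, not code from the original article or from the WebTimeSync author: a trial counter stored together with a MAC, so that a hand-edited value fails verification. The key, the install identifier and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumption: demo key. A shipped client would need this kept out of the
# binary (server-issued or OS-protected), or the check moved server-side.
SECRET = b"constructed-demo-key"
TRIAL_USES = 15  # trial length stated in the article


def _tag(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def seal(uses_left: int, install_id: str) -> str:
    """Value to store: counter bound to one install plus a MAC over both."""
    payload = f"{install_id}:{uses_left}"
    return f"{payload}:{_tag(payload)}"


def unseal(stored: str, install_id: str) -> int:
    """Return uses left, or 0 when the stored value fails verification."""
    try:
        sid, uses, tag = stored.rsplit(":", 2)
        n = int(uses)
        ok = hmac.compare_digest(tag.encode(), _tag(f"{sid}:{uses}").encode())
    except ValueError:  # wrong shape (e.g. a bare number) or non-numeric
        return 0
    if not ok or sid != install_id or not 0 <= n <= TRIAL_USES:
        return 0
    return n


def consume(stored: str, install_id: str):
    """Spend one use. Returns (allowed, new value to write back)."""
    left = unseal(stored, install_id)
    if left == 0:
        return False, seal(0, install_id)
    return True, seal(left - 1, install_id)


if __name__ == "__main__":
    value = seal(TRIAL_USES, "install-A")        # constructed sample
    allowed, value = consume(value, "install-A")
    print(allowed, unseal(value, "install-A"))
    edited = value.replace(":14:", ":15:")       # hand-edited counter
    print(unseal(edited, "install-A"))
```

The MAC detects edits to the stored value but not the restoration of an earlier valid one, and it does nothing about the patched conditional jumps shown earlier; a server-side counter and code signing of the executable address those.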