軟體破解初體驗之 MacroClip 2000.2.7 程式碼修改破解
破解物件: MacroClip
Version: 2000.2.7
Platform: Windows95/98/NT/2000.
URL:http://www.gentee.com/mclip/mclip.exe
破解工具: Hiew 6.76註冊版
Caspr 1.10 GUI版本
FI 2.45註冊版
W32DSM 8.93增強版
外加 大腦和手、紙、筆。
一、破解分析:
1、首先檢測軟體是否加殼:使用FI檢視得知,軟體使用aspack 1.00加殼,所以使用Caspr脫掉程式殼。
2、對脫殼後的檔案用W32DSM進行反彙編,檢視程式碼。透過“串式參考”檢視,無法得到出錯資訊,
只能知道本程式是採用keyfile來做註冊的,沒有明顯的語句提示可作為破解參考。
3、執行程式知道程式有30天限制,同時顯示“Unregistered”字樣。
二、破解點選擇:
1、首先可以使用trw2000來跟蹤,下斷點bpx getsystemtime,bpx localtime等。
2、根據30天的限制,查詢彙編語句中帶有0000001E的比較語句。
這裡我們選擇第2種方法。
三、程式碼分析和查詢修改點
程式根據30天的限制來判斷是否是註冊版,使用的是標誌位判斷,標誌位不對就是非註冊版,所以我們要把它判斷註冊標誌位的分支全部修改,讓它認為程式是註冊版,而不會去限制程式的使用時間和功能。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004097AF(U)
|
:004097C4 8B0D0C2B4200 mov ecx, dword
ptr [00422B0C]
:004097CA 83C901
or ecx, 00000001
:004097CD 890D0C2B4200 mov dword ptr
[00422B0C], ecx
:004097D3 8B4DFC
mov ecx, dword ptr [ebp-04]
:004097D6 E8C5FEFFFF call 004096A0
:004097DB 833D802A420000 cmp dword ptr [00422A80],
00000000
:004097E2 7511
jne 004097F5 //-------------------->標誌位的判斷點
:004097E4 833D842A420000 cmp dword ptr [00422A84],
00000000
:004097EB 7508
jne 004097F5
:004097ED 8B4DFC
mov ecx, dword ptr [ebp-04]
:004097F0 E81C6E0000 call 00410611
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00409782(C), :004097E2(C), :004097EB(C)
|
:004097F5 8BE5
mov esp, ebp
:004097F7 5D
pop ebp
:004097F8 C3
ret
.......<中間省略程式碼大部分>......................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A9A1(C)
|
:0040A9FC 8BE5
mov esp, ebp
:0040A9FE 5D
pop ebp
:0040A9FF C3
ret
* Referenced by a CALL at Address:
|:0040AD27
|
:0040AA00 55
push ebp
:0040AA01 8BEC
mov ebp, esp
:0040AA03 83EC10
sub esp, 00000010
:0040AA06 894DF0
mov dword ptr [ebp-10], ecx
:0040AA09 8B45F0
mov eax, dword ptr [ebp-10]
:0040AA0C 8B88AA000000 mov ecx, dword
ptr [eax+000000AA]
:0040AA12 8B516A
mov edx, dword ptr [ecx+6A]
:0040AA15 8B4A52
mov ecx, dword ptr [edx+52]
:0040AA18 E82D4E0000 call 0040F84A
:0040AA1D 8945F4
mov dword ptr [ebp-0C], eax
:0040AA20 8B45F0
mov eax, dword ptr [ebp-10]
:0040AA23 8B88AE000000 mov ecx, dword
ptr [eax+000000AE]
:0040AA29 8B516A
mov edx, dword ptr [ecx+6A]
:0040AA2C 8B4A52
mov ecx, dword ptr [edx+52]
:0040AA2F E8164E0000 call 0040F84A
:0040AA34 8945FC
mov dword ptr [ebp-04], eax
:0040AA37 8B45F0
mov eax, dword ptr [ebp-10]
:0040AA3A 8B88A6000000 mov ecx, dword
ptr [eax+000000A6]
:0040AA40 8B5172
mov edx, dword ptr [ecx+72]
:0040AA43 C1EA03
shr edx, 03
:0040AA46 83E201
and edx, 00000001
:0040AA49 85D2
test edx, edx
:0040AA4B 742A
je 0040AA77
:0040AA4D 837DF403 cmp
dword ptr [ebp-0C], 00000003
:0040AA51 7C06
jl 0040AA59
:0040AA53 837DF41E cmp
dword ptr [ebp-0C], 0000001E
:0040AA57 7E1C
jle 0040AA75 //--------------------->分析重點
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AA51(C)
|
:0040AA59 8B45F0
mov eax, dword ptr [ebp-10]
:0040AA5C 8B88AA000000 mov ecx, dword
ptr [eax+000000AA]
:0040AA62 51
push ecx
:0040AA63 BA36010000 mov edx,
00000136
:0040AA68 8B4DF0
mov ecx, dword ptr [ebp-10]
:0040AA6B E8D45A0000 call 00410544
:0040AA70 E9EB010000 jmp 0040AC60
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
透過對含有0000001E的語句分析得知 cmp dword ptr [00422A80], 00000000是標誌位的判斷,所以分析與此有關的程式碼段。下面是要修改的程式碼:
####################################################################
★Part One★
####################################################################
* Possible StringData Ref from Data Obj ->"?
|
:00405E3D B9B0274200 mov ecx,
004227B0
:00405E42 E8F5B60000 call 0041153C
:00405E47 A390314200 mov dword
ptr [00423190], eax
:00405E4C 6A00
push 00000000
:00405E4E 686A434000 push 0040436A
:00405E53 BA10000000 mov edx,
00000010
:00405E58 8B0D90314200 mov ecx, dword
ptr [00423190]
:00405E5E E8FAA60000 call 0041055D
:00405E63 E8521B0000 call 004079BA
:00405E68 6A00
push 00000000
:00405E6A BACE000000 mov edx,
000000CE
:00405E6F 8B0D202E4200 mov ecx, dword
ptr [00422E20]
:00405E75 E8CAA60000 call 00410544
:00405E7A 833D802A420000 cmp dword ptr [00422A80],
00000000
:00405E81 7542
jne 00405EC5 //----------->這裡要跳轉。75-->74
* Possible StringData Ref from Data Obj ->""
|
:00405E83 68A8214200 push 004221A8
* Possible StringData Ref from Data Obj ->"?
|
:00405E88 BA60274200 mov edx,
00422760
:00405E8D 8B0D202E4200 mov ecx, dword
ptr [00422E20]
:00405E93 E809A70000 call 004105A1
:00405E98 8985E4FEFFFF mov dword ptr
[ebp+FFFFFEE4], eax
:00405E9E 8B85E4FEFFFF mov eax, dword
ptr [ebp+FFFFFEE4]
:00405EA4 8B4842
mov ecx, dword ptr [eax+42]
:00405EA7 83C940
or ecx, 00000040
:00405EAA 8B95E4FEFFFF mov edx, dword
ptr [ebp+FFFFFEE4]
:00405EB0 894A42
mov dword ptr [edx+42], ecx
:00405EB3 6A00
push 00000000
:00405EB5 BACC000000 mov edx,
000000CC
:00405EBA 8B8DE4FEFFFF mov ecx, dword
ptr [ebp+FFFFFEE4]
:00405EC0 E87FA60000 call 00410544
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
####################################################################
★Part Two★
####################################################################
* Possible StringData Ref from Data Obj ->"jj@BA"
|
:00406F75 BA30274200 mov edx,
00422730
:00406F7A 8B8D4CFFFFFF mov ecx, dword
ptr [ebp+FFFFFF4C]
:00406F80 E81C960000 call 004105A1
:00406F85 8BC8
mov ecx, eax
:00406F87 8BD6
mov edx, esi
:00406F89 E8B6950000 call 00410544
:00406F8E 833D802A420000 cmp dword ptr [00422A80],
00000000
:00406F95 0F85EB000000 jne 00407086
//----------->這裡要跳轉。75-->74
:00406F9B C7458437000000 mov [ebp-7C], 00000037
:00406FA2 8D8578FFFFFF lea eax, dword
ptr [ebp+FFFFFF78]
:00406FA8 50
push eax
* Possible StringData Ref from Data Obj ->"jj@BA"
|
:00406FA9 BA30274200 mov edx,
00422730
:00406FAE 8B0D782C4200 mov ecx, dword
ptr [00422C78]
:00406FB4 E8E8950000 call 004105A1
:00406FB9 8945F8
mov dword ptr [ebp-08], eax
:00406FBC 6A00
push 00000000
:00406FBE BACD000000 mov edx,
000000CD
:00406FC3 8B4DF8
mov ecx, dword ptr [ebp-08]
:00406FC6 E879950000 call 00410544
* Possible StringData Ref from Data Obj ->""
|
:00406FCB 68A8214200 push 004221A8
* Possible StringData Ref from Data Obj ->"?
|
####################################################################
★Part Three★
####################################################################
:00407674 833800
cmp dword ptr [eax], 00000000
:00407677 740A
je 00407683
:00407679 B901000000 mov ecx,
00000001
:0040767E E8A9BBFFFF call 0040322C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407677(C)
|
:00407683 833D802A420000 cmp dword ptr [00422A80],
00000000
:0040768A 753C
jne 004076C8 //----------->這裡要跳轉。75-->74
:0040768C 833D842A420000 cmp dword ptr [00422A84],
00000000
:00407693 741E
je 004076B3
:00407695 8B15842A4200 mov edx, dword
ptr [00422A84]
:0040769B 52
push edx
:0040769C B9A2010000 mov ecx,
000001A2
:004076A1 E84A3C0000 call 0040B2F0
:004076A6 50
push eax
:004076A7 6A08
push 00000008
:004076A9 E87899FFFF call 00401026
:004076AE 83C40C
add esp, 0000000C
:004076B1 EB15
jmp 004076C8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407693(C)
|
:004076B3 B9A3010000 mov ecx,
000001A3
:004076B8 E8333C0000 call 0040B2F0
:004076BD 50
push eax
:004076BE 6A01
push 00000001
:004076C0 E86199FFFF call 00401026
:004076C5 83C408
add esp, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
####################################################################
★Part Four★
####################################################################
:0040976A BA77270000 mov edx,
00002777
:0040976F A1082B4200 mov eax,
dword ptr [00422B08]
:00409774 8B0C85602E4200 mov ecx, dword ptr
[4*eax+00422E60]
:0040977B E8496D0000 call 004104C9
:00409780 85C0
test eax, eax
:00409782 7571
jne 004097F5
:00409784 833D802A420000 cmp dword ptr [00422A80],
00000000
:0040978B 7524
jne 004097B1 //----------->這裡要跳轉。75-->74
:0040978D 833D842A420000 cmp dword ptr [00422A84],
00000000
:00409794 751B
jne 004097B1
:00409796 B9A3010000 mov ecx,
000001A3
:0040979B E8501B0000 call 0040B2F0
:004097A0 8BD0
mov edx, eax
* Possible StringData Ref from Data Obj ->"ZZ`BKA"
|
:004097A2 B9D0264200 mov ecx,
004226D0
:004097A7 E8907D0000 call 0041153C
:004097AC 8945FC
mov dword ptr [ebp-04], eax
:004097AF EB13
jmp 004097C4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040978B(C), :00409794(C)
|
:004097B1 8B0D082B4200 mov ecx, dword
ptr [00422B08]
:004097B7 8B148D602E4200 mov edx, dword ptr
[4*ecx+00422E60]
:004097BE 8B4261
mov eax, dword ptr [edx+61]
:004097C1 8945FC
mov dword ptr [ebp-04], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004097AF(U)
####################################################################
★Part Five★
####################################################################
|:004097AF(U)
|
:004097C4 8B0D0C2B4200 mov ecx, dword
ptr [00422B0C]
:004097CA 83C901
or ecx, 00000001
:004097CD 890D0C2B4200 mov dword ptr
[00422B0C], ecx
:004097D3 8B4DFC
mov ecx, dword ptr [ebp-04]
:004097D6 E8C5FEFFFF call 004096A0
:004097DB 833D802A420000 cmp dword ptr [00422A80],
00000000
:004097E2 7511
jne 004097F5 //----------->這裡要跳轉。75-->74
:004097E4 833D842A420000 cmp dword ptr [00422A84],
00000000
:004097EB 7508
jne 004097F5
:004097ED 8B4DFC
mov ecx, dword ptr [ebp-04]
:004097F0 E81C6E0000 call 00410611
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00409782(C), :004097E2(C), :004097EB(C)
|
:004097F5 8BE5
mov esp, ebp
:004097F7 5D
pop ebp
:004097F8 C3
ret
* Referenced by a CALL at Addresses:
|:004098D5 , :004098E2 , :004098EC , :00409902
|
:004097F9 55
push ebp
:004097FA 8BEC
mov ebp, esp
####################################################################
★Part Six★
####################################################################
:0040BE75 8B15F0344200 mov edx, dword
ptr [004234F0]
:0040BE7B 6BD203
imul edx, 00000003
:0040BE7E 89953CFFFFFF mov dword ptr
[ebp+FFFFFF3C], edx
:0040BE84 C78530FFFFFF0D000000 mov dword ptr [ebp+FFFFFF30], 0000000D
:0040BE8E 8B854CFFFFFF mov eax, dword
ptr [ebp+FFFFFF4C]
:0040BE94 24F3
and al, F3
:0040BE96 89854CFFFFFF mov dword ptr
[ebp+FFFFFF4C], eax
:0040BE9C 8B8D4CFFFFFF mov ecx, dword
ptr [ebp+FFFFFF4C]
:0040BEA2 83C940
or ecx, 00000040
:0040BEA5 898D4CFFFFFF mov dword ptr
[ebp+FFFFFF4C], ecx
:0040BEAB 833D802A420000 cmp dword ptr [00422A80],
00000000
:0040BEB2 740E
je 0040BEC2 //----------->這裡要跳轉。75-->74
:0040BEB4 8B15802A4200 mov edx, dword
ptr [00422A80]
:0040BEBA 8995DCFEFFFF mov dword ptr
[ebp+FFFFFEDC], edx
:0040BEC0 EB0A
jmp 0040BECC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040BEB2(C)
|
:0040BEC2 C785DCFEFFFFA02A4200 mov dword ptr [ebp+FFFFFEDC], 00422AA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040BEC0(U)
|
:0040BECC 8B85DCFEFFFF mov eax, dword
ptr [ebp+FFFFFEDC]
####################################################################
★Part End★
####################################################################
四、修改程式程式碼
用Hiew6.76註冊版選擇主檔案,然後使用F4選擇Dcode模式,分別查詢上面程式碼中要修改的地方的offset值(可以在W32DSM中游標雙擊程式碼行,看W32DSM視窗的狀態列,裡面的@OffSet
*********h,中的*******就是要的值)。分別修改就完成了破解。
五、軟體漢化
複製Langage目錄中的English.ln為Chinese.ln,然後漢化翻譯其中的語句即可在程式選單中選擇中文。
六、最終破解漢化檔案下載
借用CrackerABC[BCG]老兄的FTP,謝謝!
http://sffs.china.com/soft/hy-macroclip2000.2.2.zip
歡迎測試和交流,初寫破解,請大家多指教!小妹這廂有禮了,^_^
翠微池兒
2001年10月9日