[Repost] Removing the Bassline WinPopUp time limit (for newbies)
<P>Author: qduwg</P><P><FONT face=宋体>Title: Removing the Bassline WinPopUp time limit
Software function: a tool for sending short messages, files and e-mail and for chatting within a LAN. 50-day trial period.

Goal of the crack: remove the 50-day limit

Tools: SoftICE, OD, PEiD

Introduction: Today I tried out this LAN chat tool. It has a 50-day limit and no place to enter a registration code, so the only option is to patch it out :). I checked it with PEiD: written in VC, no packer. I set the clock forward by one year and started the program again; it reported that it had expired. Set a breakpoint with bpx getlocaltime, press F5 to leave the debugger, start the program, and it is intercepted; press F10 to trace and you arrive at the following code:

004536ED 7506            JNZ SHORT POPUP.004536F5
004536EF 8B4DF0          MOV ECX,DWORD PTR SS:[EBP-10]
004536F2 89481C          MOV DWORD PTR DS:[EAX+1C],ECX
004536F5 FF750C          PUSH DWORD PTR SS:[EBP+C]
004536F8 8B07            MOV EAX,DWORD PTR DS:[EDI]
004536FA 8BCF            MOV ECX,EDI
004536FC 56              PUSH ESI
004536FD FF75F0          PUSH DWORD PTR SS:[EBP-10]
00453700 FF507C          CALL DWORD PTR DS:[EAX+7C]          // This CALL brings up the nag box. Press F8 to step into it.
00453703 8BC6            MOV EAX,ESI
00453705 8B4DF4          MOV ECX,DWORD PTR SS:[EBP-C]        ; KERNEL32.BFFC0D90
00453708 5F              POP EDI                             ; KERNEL32.BFF8B86C
00453709 5E              POP ESI                             ; KERNEL32.BFF8B86C
0045370A 64:890D00000000 MOV DWORD PTR FS:[0],ECX
00453711 5B              POP EBX                             ; KERNEL32.BFF8B86C
00453712 C9              LEAVE
00453713 C20800          RETN 8
==================================================================
Press F10 to trace and you arrive at the following code:

0045BDC3 |. E8CB5B0000   CALL POPUP.00461993
0045BDC8 |. 8B4004       MOV EAX,DWORD PTR DS:[EAX+4]
0045BDCB |. 3B701C       CMP ESI,DWORD PTR DS:[EAX+1C]
0045BDCE |. 7507         JNZ SHORT POPUP.0045BDD7
0045BDD0 |. 8B5874       MOV EBX,DWORD PTR DS:[EAX+74]
0045BDD3 |. 834874FF     OR DWORD PTR DS:[EAX+74],FFFFFFFF
0045BDD7 |> 8B06         MOV EAX,DWORD PTR DS:[ESI]
0045BDD9 |. 53           PUSH EBX
0045BDDA |. 8BCE         MOV ECX,ESI
0045BDDC |. FF90D4000000 CALL DWORD PTR DS:[EAX+D4]          // The nag appears here; press F8 to step in.
0045BDE2 |. 85FF         TEST EDI,EDI
0045BDE4 |. 740E         JE SHORT POPUP.0045BDF4
0045BDE6 |. 8B07         MOV EAX,DWORD PTR DS:[EDI]
==================================================================
We soon arrive at the following code:

00402044 .  E965010000   JMP POPUP.004021AE
00402049 >  B932000000   MOV ECX,32                          // Loads the 50 days (0x32) into ECX.
0040204E .  2BCF         SUB ECX,EDI                         // Trial days minus days already used; the remaining days are in ECX, negative if expired.
00402050 .  898EC0020000 MOV DWORD PTR DS:[ESI+2C0],ECX      // Save the ECX value to memory.
00402056 .  8D4C242C     LEA ECX,DWORD PTR SS:[ESP+2C]
0040205A .  E81B600400   CALL POPUP.0044807A
0040205F .  8B86C0020000 MOV EAX,DWORD PTR DS:[ESI+2C0]      // Remaining days into EAX.
00402065 .  C644242401   MOV BYTE PTR SS:[ESP+24],1
0040206A .  3BC3         CMP EAX,EBX                         // If expired, EAX is negative; it is compared with the 0 in EBX. The jump below is then not taken, and not jumping brings up the expired dialog.
0040206C .  7D10         JGE SHORT POPUP.0040207E            // Change this to a direct JMP to 4020D5 to skip the dialogs for the several different cases below.
0040206E .  683CE34800   PUSH POPUP.0048E33C                 ; ASCII "This program has expired"
00402073 .  8D4C2430     LEA ECX,DWORD PTR SS:[ESP+30]
00402077 .  E891620400   CALL POPUP.0044830D
0040207C .  EB13         JMP SHORT POPUP.00402091            // Jump to the message box below.
0040207E >  50           PUSH EAX                            ; POPUP.<ModuleEntryPoint> // If not expired, show the following message box.
0040207F .  8D542430     LEA EDX,DWORD PTR SS:[ESP+30]
00402083 .  6810E34800   PUSH POPUP.0048E310                 ; ASCII "You have %d days to evaluate this software"
00402088 .  52           PUSH EDX
00402089 .  E852430400   CALL POPUP.004463E0
0040208E .  83C40C       ADD ESP,0C
00402091 >  68D8E24800   PUSH POPUP.0048E2D8                 ; ASCII "Would you see the registration information in WWW?"
00402096 .  8D4C2430     LEA ECX,DWORD PTR SS:[ESP+30]
0040209A .  E8C2640400   CALL POPUP.00448561
0040209F .  8B86C0020000 MOV EAX,DWORD PTR DS:[ESI+2C0]
004020A5 .  3BC3         CMP EAX,EBX
004020A7 .  7C09         JL SHORT POPUP.004020B2
004020A9 .  83F814       CMP EAX,14
004020AC .  7F04         JG SHORT POPUP.004020B2
004020AE .  33C0         XOR EAX,EAX                         ; POPUP.<ModuleEntryPoint>
004020B0 .  EB05         JMP SHORT POPUP.004020B7
004020B2 >  B800010000   MOV EAX,100
004020B7 >  8B4C242C     MOV ECX,DWORD PTR SS:[ESP+2C]
004020BB .  0C04         OR AL,4
004020BD .  50           PUSH EAX                            ; POPUP.<ModuleEntryPoint>
004020BE .  8B442414     MOV EAX,DWORD PTR SS:[ESP+14]
004020C2 .  50           PUSH EAX                            ; POPUP.<ModuleEntryPoint>
004020C3 .  51           PUSH ECX
004020C4 .  8BCE         MOV ECX,ESI
004020C6 .  E8206B0500   CALL POPUP.00458BEB                 // The function that shows the dialog. Returns 7 if the "Cancel" button is pressed, otherwise 6.
004020CB .  83F806       CMP EAX,6                           // If it returned 7, the comparison result is non-zero.
004020CE .  7505         JNZ SHORT POPUP.004020D5            // If non-zero, jump to run the main program. So jumping here skips all the junk above.
004020D0 .  E8CB860200   CALL POPUP.0042A7A0
004020D5 >  399EC0020000 CMP DWORD PTR DS:[ESI+2C0],EBX
004020DB .  7D1B         JGE SHORT POPUP.004020F8
004020DD .  8B561C       MOV EDX,DWORD PTR DS:[ESI+1C]
004020E0 .  53           PUSH EBX                            ; /lParam = 5D0000
004020E1 .  53           PUSH EBX                            ; |wParam = 5D0000
004020E2 .  6A10         PUSH 10                             ; |Message = WM_CLOSE
004020E4 .  52           PUSH EDX                            ; |hWnd = 8172463C
004020E5 .  FF15C4364700 CALL DWORD PTR DS:[<&USER32.PostMessageA>] ; \PostMessageA
004020EB .  885C2424     MOV BYTE PTR SS:[ESP+24],BL
004020EF .  8D4C242C     LEA ECX,DWORD PTR SS:[ESP+2C]
004020F3 .  E9B1000000   JMP POPUP.004021A9
==================================================================
Afterword:
Open UltraEdit and modify the place indicated above. The program is fairly simple and its protection is fairly simple too; I wrote this article in 30 minutes and it does not contain much of value, so I hope the masters will not laugh at it.

Conclusion: change 7D10 at 0040206C to EB67.</FONT><BR></P>
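An added example, not part of the original post and not the program's own code: a Python model of the decision logic the listing at 00402049..004020F8 implements (the signed remaining-days value, which of the two messages is shown, the value that is ORed with 4 before the dialog call, and the WM_CLOSE posted on expiry), plus a decoder for the two-byte short jumps so the targets OllyDbg prints in the listing can be checked by hand. The return values 6/7 of CALL 00458BEB are taken from the post's own comments; what CALL 0042A7A0 does is not stated in the post, so the model only records whether it would be reached. The names trial_decision, short_jump_target and to_signed32 are mine.

```python
# Added example (not from the original post): model the trial check in the
# listing and decode the rel8 short jumps it contains.

TRIAL_DAYS = 0x32            # MOV ECX,32 at 00402049
NAG_THRESHOLD_DAYS = 0x14    # CMP EAX,14 at 004020A9
ID_YES, ID_CANCEL = 6, 7     # return values of CALL 00458BEB as reported in the post


def to_signed32(value):
    """Interpret a 32-bit register value the way JGE/JL/JG do (signed)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def trial_decision(days_used, dialog_result=ID_YES):
    """Model of 00402049..004020F8 (my reading of the listing, not the binary itself).

    days_used     -> the value in EDI when SUB ECX,EDI executes
    dialog_result -> what CALL 00458BEB returns (6 = OK, 7 = Cancel, per the post)
    Returns a dict describing the path the code would take.
    """
    # SUB ECX,EDI ; MOV [ESI+2C0],ECX -- remaining days, negative once expired
    remaining = to_signed32(TRIAL_DAYS - days_used)

    # CMP EAX,EBX (EBX == 0) ; JGE 0040207E -- choose the message string
    if remaining >= 0:
        message = "You have %d days to evaluate this software" % remaining
    else:
        message = "This program has expired"

    # 0040209F..004020B7: EAX = 0 only when 0 <= remaining <= 0x14, else 0x100;
    # 004020BB: OR AL,4 -- the value pushed before CALL 00458BEB
    style = 0 if 0 <= remaining <= NAG_THRESHOLD_DAYS else 0x100
    style |= 4

    # 004020CB: CMP EAX,6 ; JNZ 004020D5 -- CALL 0042A7A0 runs only on return value 6
    reaches_call_0042A7A0 = dialog_result == ID_YES

    # 004020D5: CMP [ESI+2C0],EBX ; JGE 004020F8, otherwise PostMessage(hWnd, WM_CLOSE, 0, 0)
    posts_wm_close = remaining < 0

    return {
        "remaining": remaining,
        "message": message,
        "style": style,
        "reaches_call_0042A7A0": reaches_call_0042A7A0,
        "posts_wm_close": posts_wm_close,
    }


def short_jump_target(addr, opcode_hex):
    """Target of a 2-byte short jump (EB rel8 or 70..7F rel8) located at addr.

    The displacement is sign-extended and added to the address of the *next*
    instruction (addr + 2), which is how OllyDbg prints "SHORT POPUP.xxxxxxxx".
    """
    code = bytes.fromhex(opcode_hex)
    if len(code) != 2 or not (code[0] == 0xEB or 0x70 <= code[0] <= 0x7F):
        raise ValueError("not a two-byte short jump: %s" % opcode_hex)
    disp = code[1] - 0x100 if code[1] & 0x80 else code[1]
    return (addr + 2 + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed inputs: days used as the program would compute them from the clock.
    for used in (10, 35, 50, 60):
        print(used, trial_decision(used))
    # Jumps copied from the listing; each target should match what OllyDbg printed.
    for addr, op in ((0x0040206C, "7D10"), (0x004020CE, "7505"), (0x004020DB, "7D1B")):
        print("%08X %s -> %08X" % (addr, op, short_jump_target(addr, op)))
```

Running the block shows the two branches of the listing side by side: with remaining days between 0 and 0x14 the pushed value is 4, otherwise 0x104, and only a negative remaining-days value leads to the PostMessage(WM_CLOSE) at 004020E5. The jump decoder reproduces the targets OllyDbg printed (7D10 at 0040206C lands at 0040207E, 7D1B at 004020DB at 004020F8), which is a useful sanity check whenever a listing has lost its spacing the way this one had.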