Author: qduwg
Title: Removing the BasslineWinPopUp time limit
Software: a tool for sending short messages, files and e-mail and for chatting within a LAN. 50-day trial period.
Goal: remove the 50-day limit
Tools: SoftICE, OD, PEiD
Intro: I tried out this LAN chat tool today. It has a 50-day limit and nowhere to enter a registration code, so the only option is to patch it out :). A look with PEiD shows it is written in VC and is not packed. I set the clock forward one year and started the program again; it reported that it had expired. Set a breakpoint with bpx GetLocalTime, F5 to leave the debugger, start the program, and it gets intercepted. Press
F10 to trace and arrive at the following code:
004536ED  7506              JNZ SHORT POPUP.004536F5
004536EF  8B4DF0            MOV ECX,DWORD PTR SS:[EBP-10]
004536F2  89481C            MOV DWORD PTR DS:[EAX+1C],ECX
004536F5  FF750C            PUSH DWORD PTR SS:[EBP+C]
004536F8  8B07              MOV EAX,DWORD PTR DS:[EDI]
004536FA  8BCF              MOV ECX,EDI
004536FC  56                PUSH ESI
004536FD  FF75F0            PUSH DWORD PTR SS:[EBP-10]
00453700  FF507C            CALL DWORD PTR DS:[EAX+7C]      // this CALL pops up the NAG box. F8 into it.
00453703  8BC6              MOV EAX,ESI
00453705  8B4DF4            MOV ECX,DWORD PTR SS:[EBP-C]    ; KERNEL32.BFFC0D90
00453708  5F                POP EDI                         ; KERNEL32.BFF8B86C
00453709  5E                POP ESI                         ; KERNEL32.BFF8B86C
0045370A  64:890D00000000   MOV DWORD PTR FS:[0],ECX
00453711  5B                POP EBX                         ; KERNEL32.BFF8B86C
00453712  C9                LEAVE
00453713  C20800            RETN 8
==================================================================
Trace with F10 and arrive at the following code:
0045BDC3  |.  E8CB5B0000    CALL POPUP.00461993
0045BDC8  |.  8B4004        MOV EAX,DWORD PTR DS:[EAX+4]
0045BDCB  |.  3B701C        CMP ESI,DWORD PTR DS:[EAX+1C]
0045BDCE  |.  7507          JNZ SHORT POPUP.0045BDD7
0045BDD0  |.  8B5874        MOV EBX,DWORD PTR DS:[EAX+74]
0045BDD3  |.  834874FF      OR DWORD PTR DS:[EAX+74],FFFFFFFF
0045BDD7  |>  8B06          MOV EAX,DWORD PTR DS:[ESI]
0045BDD9  |.  53            PUSH EBX
0045BDDA  |.  8BCE          MOV ECX,ESI
0045BDDC  |.  FF90D4000000  CALL DWORD PTR DS:[EAX+D4]     // the NAG appears here. F8 into it.
0045BDE2  |.  85FF          TEST EDI,EDI
0045BDE4  |.  740E          JE SHORT POPUP.0045BDF4
0045BDE6  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]
==================================================================
We quickly arrive at the following code:
00402044  .  E965010000    JMP POPUP.004021AE
00402049  >  B932000000    MOV ECX,32                      // the 50 days (0x32) are loaded into ECX.
0040204E  .  2BCF          SUB ECX,EDI                     // trial days minus days used; remaining days end up in ECX, negative if expired.
00402050  .  898EC0020000  MOV DWORD PTR DS:[ESI+2C0],ECX  // ECX is saved to memory.
00402056  .  8D4C242C      LEA ECX,DWORD PTR SS:[ESP+2C]
0040205A  .  E81B600400    CALL POPUP.0044807A
0040205F  .  8B86C0020000  MOV EAX,DWORD PTR DS:[ESI+2C0]  // remaining days into EAX.
00402065  .  C644242401    MOV BYTE PTR SS:[ESP+24],1
0040206A  .  3BC3          CMP EAX,EBX                     // if expired, EAX is negative and is compared with the 0 in EBX. The next jump is then not taken, and the expired dialog appears.
0040206C  .  7D10          JGE SHORT POPUP.0040207E        // change this to a direct JMP to 4020D5 to skip the several dialogs for the different cases below.
0040206E  .  683CE34800    PUSH POPUP.0048E33C             ; ASCII "This program has expired"
00402073  .  8D4C2430      LEA ECX,DWORD PTR SS:[ESP+30]
00402077  .  E891620400    CALL POPUP.0044830D
0040207C  .  EB13          JMP SHORT POPUP.00402091        // jump to the message box below.
0040207E  >  50            PUSH EAX                        ; POPUP.  // if not expired, the following prompt is shown.
0040207F  .  8D542430      LEA EDX,DWORD PTR SS:[ESP+30]
00402083  .  6810E34800    PUSH POPUP.0048E310             ; ASCII "You have %d days to evaluate this software"
00402088  .  52            PUSH EDX
00402089  .  E852430400    CALL POPUP.004463E0
0040208E  .  83C40C        ADD ESP,0C
00402091  >  68D8E24800    PUSH POPUP.0048E2D8             ; ASCII "Would you see the registration information in WWW?"
00402096  .  8D4C2430      LEA ECX,DWORD PTR SS:[ESP+30]
0040209A  .  E8C2640400    CALL POPUP.00448561
0040209F  .  8B86C0020000  MOV EAX,DWORD PTR DS:[ESI+2C0]
004020A5  .  3BC3          CMP EAX,EBX
004020A7  .  7C09          JL SHORT POPUP.004020B2
004020A9  .  83F814        CMP EAX,14
004020AC  .  7F04          JG SHORT POPUP.004020B2
004020AE  .  33C0          XOR EAX,EAX                     ; POPUP.
004020B0  .  EB05          JMP SHORT POPUP.004020B7
004020B2  >  B800010000    MOV EAX,100
004020B7  >  8B4C242C      MOV ECX,DWORD PTR SS:[ESP+2C]
004020BB  .  0C04          OR AL,4
004020BD  .  50            PUSH EAX                        ; POPUP.
004020BE  .  8B442414      MOV EAX,DWORD PTR SS:[ESP+14]
004020C2  .  50            PUSH EAX                        ; POPUP.
004020C3  .  51            PUSH ECX
004020C4  .  8BCE          MOV ECX,ESI
004020C6  .  E8206B0500    CALL POPUP.00458BEB             // the function that shows the dialog. Returns 7 if "Cancel" is pressed, otherwise 6.
004020CB  .  83F806        CMP EAX,6                       // if it returned 7, the comparison result is non-zero.
004020CE  .  7505          JNZ SHORT POPUP.004020D5        // non-zero jumps on to the main program. So jumping here skips all the junk above.
004020D0  .  E8CB860200    CALL POPUP.0042A7A0
004020D5  >  399EC0020000  CMP DWORD PTR DS:[ESI+2C0],EBX
004020DB  .  7D1B          JGE SHORT POPUP.004020F8
004020DD  .  8B561C        MOV EDX,DWORD PTR DS:[ESI+1C]
004020E0  .  53            PUSH EBX                        ; /lParam = 5D0000
004020E1  .  53            PUSH EBX                        ; |wParam = 5D0000
004020E2  .  6A10          PUSH 10                         ; |Message = WM_CLOSE
004020E4  .  52            PUSH EDX                        ; |hWnd = 8172463C
004020E5  .  FF15C4364700  CALL DWORD PTR DS:[<&USER32.PostMessageA>]  ; \PostMessageA
004020EB  .  885C2424      MOV BYTE PTR SS:[ESP+24],BL
004020EF  .  8D4C242C      LEA ECX,DWORD PTR SS:[ESP+2C]
004020F3  .  E9B1000000    JMP POPUP.004021A9
==================================================================
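To make the control flow of the listing at 00402049-004020F3 readable without following the registers, here is a Python model of it. This is an added example, not code from the program or from the author: the constants 0x32, 0x14, 0x100, 4, 6 and 0x10 are taken straight from the listing; the names MB_YESNO, MB_DEFBUTTON2, IDYES and WM_CLOSE are my assumption that those values are the usual Win32 constants; days_used stands for the value in EDI, which is computed before this code and is not on the page. It shows the educational point of the listing: the whole trial gate is one signed comparison of "50 - days used" against zero, and even on the expired path the program runs the two dialogs before posting WM_CLOSE to itself.

```python
"""Model of the BasslineWinPopUp trial check at 00402049-004020F3.

Constructed example; the constants come from the disassembly, the Win32
names for them are an assumption, and days_used (EDI) is an input here.
"""

TRIAL_DAYS = 0x32        # MOV ECX,32
NAG_THRESHOLD = 0x14     # CMP EAX,14
MB_YESNO = 0x4           # OR AL,4        (assumed Win32 meaning of the value)
MB_DEFBUTTON2 = 0x100    # MOV EAX,100    (assumed Win32 meaning of the value)
IDYES = 6                # CMP EAX,6      (the listing's "otherwise returns 6")
WM_CLOSE = 0x10          # PUSH 10        (OllyDbg labels it WM_CLOSE)


def remaining_days(days_used):
    """SUB ECX,EDI stored at [ESI+2C0]: a signed 32-bit register value."""
    r = (TRIAL_DAYS - days_used) & 0xFFFFFFFF
    return r - 0x100000000 if r & 0x80000000 else r


def message_box_flags(remaining):
    """0040209F-004020BB: JL / CMP 14 / JG pick 0 or 0x100, then OR AL,4.

    Between 0 and 20 days left the second button is not the default, i.e. the
    dialog defaults to "Yes"; otherwise (expired or more than 20 days) it
    defaults to the second button.
    """
    if remaining < 0 or remaining > NAG_THRESHOLD:
        return MB_DEFBUTTON2 | MB_YESNO
    return MB_YESNO


def trial_check(days_used, dialog_answer):
    """Return the events in the order the code performs them.

    dialog_answer models the return value of CALL POPUP.00458BEB.
    """
    events = []
    remaining = remaining_days(days_used)

    # 0040206A/0040206C: CMP EAX,EBX ; JGE (signed) -> not-expired branch
    if remaining >= 0:
        events.append("You have %d days to evaluate this software" % remaining)
    else:
        events.append("This program has expired")

    # 00402091-004020C6: the registration prompt, with the flags computed above
    events.append(("Would you see the registration information in WWW?",
                   message_box_flags(remaining)))

    # 004020CB/004020CE: CMP EAX,6 ; JNZ skips the CALL at 004020D0
    if dialog_answer == IDYES:
        events.append("call 0042A7A0")

    # 004020D5-004020E5: expired -> PostMessageA(hWnd, WM_CLOSE, 0, 0)
    if remaining < 0:
        events.append(("PostMessageA", WM_CLOSE))

    return events


if __name__ == "__main__":
    for used, answer in ((10, IDYES), (60, 7)):
        print(used, "days used, dialog returned", answer)
        for e in trial_check(used, answer):
            print("   ", e)
```

Running it with 10 days used shows the "You have 40 days" path; with 60 days used the expired message, the registration prompt and then the WM_CLOSE post, which is why the listing's signed JGE at 0040206C is the single point on which the whole trial logic rests.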
Afterword:
Open UltraEdit and change the spot indicated above. The program is simple and so is its protection; this write-up took 30 minutes and does not carry much weight, so I hope the experts will not laugh at it.
Conclusion: change the 7D10 at 0040206C to EB67.