Cracking the anti-copy protection of Virtual CD
Enter the command bpx createwindowex //set a breakpoint
Press X to return to the desktop and run the program; TRW2000 will now intercept it.
Enter the command bc * //clear the breakpoints
Enter the command pmodule //jump straight into the program's own code
Press F10 to step down to the following:
015F:00408B1E PUSH BYTE +02
015F:00408B20 LEA ECX,[EBP-58]
015F:00408B23 MOV EAX,[EDX]
015F:00408B25 PUSH EAX
015F:00408B26 CALL `ZEN!??0ZRegApp@@QAE@PAUHKEY__@@H@Z`
015F:00408B2C MOV EAX,[EBX+D0]
015F:00408B32 LEA ECX,[EBP-1C]
015F:00408B35 PUSH ECX
015F:00408B36 MOV BYTE [EBP-04],0A
015F:00408B3A LEA EAX,[EAX+EAX*2]
015F:00408B3D LEA EAX,[EAX+EAX*4]
015F:00408B40 LEA EAX,[EAX+EAX*4]
015F:00408B43 LEA EDI,[EAX+EAX*8]
015F:00408B46 SHL EDI,07
015F:00408B49 CALL `MSVCRT!time`
015F:00408B4F ADD ESP,BYTE +04
015F:00408B52 LEA ECX,[EBP-58]
015F:00408B55 PUSH DWORD 1396
015F:00408B5A CALL `ZEN!?IsValueNameExist@ZRegBase@@QAEHH@Z`
015F:00408B60 CMP EAX,ESI
015F:00408B62 JZ NEAR 00408CF7
015F:00408B68 PUSH DWORD 1396
015F:00408B6D LEA ECX,[EBP-58]
015F:00408B70 CALL `ZEN!?GetDWORD@ZRegBase@@QAEKH@Z`
015F:00408B76 MOV ECX,EAX
015F:00408B78 MOV EAX,[EBP-1C]
015F:00408B7B CMP ECX,EAX
015F:00408B7D JNA 00408BDF
015F:00408B7F CALL `MGR!?dlgUpgrade@CMainFrame@@SAXXZ`
015F:00408B84 MOV EDI,[0041C8B4]
015F:00408B8A LEA ECX,[EBP-58]
015F:00408B8D MOV BYTE [EBP-04],09
015F:00408B91 CALL EDI
015F:00408B93 LEA ECX,[EBP+FFFFFF5C]
015F:00408B99 MOV BYTE [EBP-04],05
015F:00408B9D CALL `MFC42!ord_00000269`
015F:00408BA2 LEA ECX,[EBP-2C]
015F:00408BA5 MOV BYTE [EBP-04],04
015F:00408BA9 CALL EDI
015F:00408BAB LEA ECX,[EBP-14]
015F:00408BAE MOV BYTE [EBP-04],03
015F:00408BB2 CALL `MFC42!ord_00000320`
015F:00408BB7 MOV BYTE [EBP-04],00
015F:00408BBB CALL `MFC42!ord_0000061F`
015F:00408BC0 LEA ECX,[EBP-44]
015F:00408BC3 MOV DWORD [EBP-04],FFFFFFFF
015F:00408BCA CALL EDI
015F:00408BCC XOR EAX,EAX
015F:00408BCE MOV ECX,[EBP-0C]
015F:00408BD1 MOV [FS:00],ECX
015F:00408BD8 POP EDI
015F:00408BD9 POP ESI
015F:00408BDA POP EBX
015F:00408BDB MOV ESP,EBP
015F:00408BDD POP EBP
015F:00408BDE RET
015F:00408BDF LEA EDX,[ECX+EDI]
015F:00408BE2 CMP EAX,EDX
015F:00408BE4 JNA NEAR 00408C6D (NO JUMP) //this could jump over the two CALLs below.
015F:00408BEA PUSH DWORD 0042B5E8
015F:00408BEF PUSH DWORD 0042B5E4
015F:00408BF4 PUSH DWORD 0042B5DC
015F:00408BF9 CALL `KERNEL32!WriteProfileStringA`
015F:00408BFF PUSH BYTE -01
015F:00408C01 PUSH BYTE +10
015F:00408C03 PUSH DWORD 1B6D
015F:00408C08 CALL `MFC42!ord_000004AF` //pops up the "trial period expired" dialog.
015F:00408C0D CALL `MGR!?dlgUpgrade@CMainFrame@@SAXXZ` //pops up the "order the software" dialog
Let's see where we could jump past this.
The 00408BE4 JNA NEAR 00408C6D above looks like it can skip it!!!!
Set the breakpoint again: bpx 00408BE4
Press X to return to the desktop and run the program; TRW2000 intercepts it.
When the cursor reaches 00408BE4 JNA NEAR 00408C6D,
type the command CODE ON and note down the opcode bytes.
Enter the command A to write assembly code, and change
00408BE4 JNA NEAR 00408C6D
to
00408BE4 JNZ NEAR 00408C6D
Now the program can be entered again.
015F:00408C12 MOV EDI,[0041C8B4]
015F:00408C18 LEA ECX,[EBP-58]
015F:00408C1B MOV BYTE [EBP-04],09
015F:00408C1F CALL EDI
015F:00408C21 LEA ECX,[EBP+FFFFFF5C]
015F:00408C27 MOV BYTE [EBP-04],05
015F:00408C2B CALL `MFC42!ord_00000269`
015F:00408C30 MOV BYTE [EBP-04],04
015F:00408C34 LEA ECX,[EBP-2C]
015F:00408C37 CALL EDI
015F:00408C39 LEA ECX,[EBP-14]
015F:00408C3C MOV BYTE [EBP-04],03
015F:00408C40 CALL `MFC42!ord_00000320`
015F:00408C45 MOV BYTE [EBP-04],00
015F:00408C49 CALL `MFC42!ord_0000061F`
015F:00408C4E LEA ECX,[EBP-44]
015F:00408C51 MOV DWORD [EBP-04],FFFFFFFF
…………………………
015F:00408D38 8D4DEC LEA ECX,[EBP-14]
015F:00408D3B C645FC03 MOV BYTE [EBP-04],03
015F:00408D3F E8BAF80000 CALL `MFC42!ord_00000320`
015F:00408D44 C745FC00000000 MOV DWORD [EBP-04],00
015F:00408D4B E8E2FA0000 CALL `MFC42!ord_0000061F`
015F:00408D50 6A02 PUSH BYTE +02
015F:00408D52 8D4D90 LEA ECX,[EBP-70]
015F:00408D55 E8A6930000 CALL `MGR!??0MgrRegSet@@QAE@H@Z`
015F:00408D5A 8D4D90 LEA ECX,[EBP-70]
015F:00408D5D 6A02 PUSH BYTE +02
015F:00408D5F 51 PUSH ECX
015F:00408D60 8D4D80 LEA ECX,[EBP-80]
015F:00408D63 C645FC11 MOV BYTE [EBP-04],11
015F:00408D67 E8B4920000 CALL `MGR!??0MgrRegSet_SheetPrefer@@QAE@PAVZRegBase@@H@Z`
015F:00408D6C 6864140000 PUSH DWORD 1464
015F:00408D71 8D4D80 LEA ECX,[EBP-80]
015F:00408D74 C645FC12 MOV BYTE [EBP-04],12
015F:00408D78 FF1574C84100 CALL `ZEN!?GetDWORD@ZRegBase@@QAEKH@Z`
015F:00408D7E 8BF8 MOV EDI,EAX
015F:00408D80 A168BC4200 MOV EAX,[0042BC68]
015F:00408D85 85C0 TEST EAX,EAX
015F:00408D87 744C JZ 00408DD5 //this could jump over the CALL below
Enter the command A to write assembly code, and change
00408D87 744C JZ 00408DD5
to
00408D87 744C JZ 00408D97
which skips the "evaluation version" dialog.
015F:00408D89 6AFF PUSH BYTE -01
015F:00408D8B 6A00 PUSH BYTE +00
015F:00408D8D 68C8010000 PUSH DWORD 01C8
015F:00408D92 E871FA0000 CALL `MFC42!ord_000004AF` //pops up the "this is an evaluation version" dialog; it does not affect use.
015F:00408D97 85FF TEST EDI,EDI
015F:00408D99 0F84A8000000 JZ NEAR 00408E47
015F:00408D9F 8B8378010000 MOV EAX,[EBX+0178]
015F:00408DA5 85C0 TEST EAX,EAX
015F:00408DA7 0F849A000000 JZ NEAR 00408E47
015F:00408DAD FF1594C04100 CALL `KERNEL32!GetSystemDefaultLangID`
015F:00408DB3 8B0D68BC4200 MOV ECX,[0042BC68]
015F:00408DB9 25FF030000 AND EAX,03FF
015F:00408DBE 85C9 TEST ECX,ECX
015F:00408DC0 746F JZ 00408E31
015F:00408DC2 663D1100 CMP AX,11
015F:00408DC6 7569 JNZ 00408E31
015F:00408DC8 8B5320 MOV EDX,[EBX+20]
015F:00408DCB 6A08 PUSH BYTE +08
015F:00408DCD 52 PUSH EDX
015F:00408DCE 6800010000 PUSH DWORD 0100
015F:00408DD3 EB67 JMP SHORT 00408E3C
To sum up: open MGR.EXE in UltraEdit,
find 0F 86 83 00 00 00
and change it to 0F 85 83 00 00 00.
This skips the "trial period expired" dialog and the "order the software" dialog and enters the program.
But the "evaluation version" dialog still pops up. I don't know how to use UltraEdit to change
00408D87 744C JZ 00408DD5
to
00408D87 744C JZ 00408D97
and skip this dialog. Or maybe there is a better way. I hope the experts here can give me some pointers. Many thanks!!!
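For readers who want to understand what the listing at 00408B2C..00408BE4 actually computes, the following is an added example, not code from the original post or from the program being discussed. It models the trial check in Python: the LEA/SHL chain multiplies the value loaded from [EBX+D0] by 3*5*5*9*128 = 86400, i.e. it converts a day count into seconds, and the two CMP/JNA pairs compare that deadline against the result of time(). It also decodes the conditional-jump bytes quoted in the post to confirm their targets. Function names, the reading of [EBX+D0] as the trial length in days, and of registry value 1396 as a stored first-run timestamp are assumptions drawn from the listing, not facts stated on the page.

```python
"""Model of the trial-expiry check visible in the MGR.EXE disassembly.

Added educational example; the meaning of [EBX+D0] (trial days) and of
registry value 1396 (first-run time_t) are assumptions from reading the code.
"""
from typing import Optional

MASK32 = 0xFFFFFFFF


def seconds_from_days_via_lea_chain(days: int) -> int:
    """Replay the LEA/SHL sequence step by step, keeping 32-bit wraparound."""
    eax = days & MASK32
    eax = (eax + eax * 2) & MASK32   # LEA EAX,[EAX+EAX*2]  -> 3*d
    eax = (eax + eax * 4) & MASK32   # LEA EAX,[EAX+EAX*4]  -> 15*d
    eax = (eax + eax * 4) & MASK32   # LEA EAX,[EAX+EAX*4]  -> 75*d
    edi = (eax + eax * 8) & MASK32   # LEA EDI,[EAX+EAX*8]  -> 675*d
    edi = (edi << 7) & MASK32        # SHL EDI,07           -> 86400*d seconds
    return edi


def trial_state(stored_ts: Optional[int], now: int, trial_days: int) -> str:
    """Mirror the control flow after CALL MSVCRT!time.

    value 1396 absent      -> JZ 00408CF7 (first-run path, not shown in full)
    stored > now           -> JNA 00408BDF not taken: clock rolled back,
                              dlgUpgrade is shown and the function returns 0
    now > stored + window  -> JNA NEAR 00408C6D not taken: "expired" dialog
                              followed by the "order" dialog
    otherwise              -> jump to 00408C6D: normal start
    All comparisons are unsigned, as JNA implies.
    """
    if stored_ts is None:
        return "first-run"
    window = seconds_from_days_via_lea_chain(trial_days)
    ecx, eax = stored_ts & MASK32, now & MASK32
    if not ecx <= eax:                       # CMP ECX,EAX / JNA 00408BDF
        return "clock-rolled-back"
    edx = (ecx + window) & MASK32            # LEA EDX,[ECX+EDI]
    if not eax <= edx:                       # CMP EAX,EDX / JNA NEAR 00408C6D
        return "expired"
    return "ok"


def jcc_target(addr: int, code: bytes) -> int:
    """Decode the target of an x86 conditional jump encoded at `addr`.

    Handles the two forms that appear in the post: 0F 8x rel32 (near Jcc)
    and 7x rel8 (short Jcc). The displacement is relative to the end of
    the instruction.
    """
    if len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        rel = int.from_bytes(code[2:6], "little", signed=True)
        return (addr + 6 + rel) & MASK32
    if len(code) >= 2 and 0x70 <= code[0] <= 0x7F:
        rel = int.from_bytes(code[1:2], "little", signed=True)
        return (addr + 2 + rel) & MASK32
    raise ValueError("not a conditional jump encoding")


if __name__ == "__main__":
    # Constructed sample values: a 30-day trial, first run at t=1000.
    print(seconds_from_days_via_lea_chain(1))                 # 86400
    print(trial_state(1000, 1000 + 10 * 86400, 30))           # ok
    print(trial_state(1000, 1000 + 31 * 86400, 30))           # expired
    # Bytes quoted in the post: 0F 86 83 00 00 00 at 00408BE4, 74 4C at 00408D87.
    print(hex(jcc_target(0x408BE4, bytes.fromhex("0F8683000000"))))  # 0x408c6d
    print(hex(jcc_target(0x408D87, bytes.fromhex("744C"))))          # 0x408dd5
```

Decoding the quoted bytes confirms that 0F 86 83 00 00 00 at 00408BE4 is the JNA NEAR 00408C6D in the listing (so the "OF" in the original search pattern is a typo for 0F), and that the whole licensing decision rests on a single unsigned comparison of time() against a registry-stored timestamp plus days*86400. From a defender's point of view, that is why a one-byte opcode change suffices to bypass it, and why shipping a checksum or signature over the executable and verifying it at start-up is the usual mitigation against exactly this kind of patch.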