-----------------------------------------------------------------------------------------------------------------------------
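【Author】KuNgBiM
【Author E-mail】gb_1227@163.com
【Platform】Win2000/XP
【Tools】PEiD 0.92 (Chinese-localized edition), AspackDie from the Cracking Helper Toolkit V1.0 Beta (Made By [D4.s]), W32Dasm 10.0 (Chinese-localized modified edition), keymake 1.73.
PS: (To bring the cracked file back to roughly the size it had before unpacking, I also compressed it with ASPack 2.12 ^___^)
【Crack type】Explode Force Crack (patching)
【Limitations when unregistered】The unregistered version cannot use the mock exam feature or the category practice feature!
【Reason for cracking】We are all proletarians!!
【Goal】Remove all feature restrictions of the unregistered version!
【Author's statement】I have only just started with cracking and know very little. I am very fond of Cr, but I cannot read it well and understand algorithms even less; all I can do is patch a few small programs, so this is just small-time tinkering.... Sigh~~~~ Experts, please forgive me!!!! Please give this newcomer plenty of pointers!!! I welcome advice from all of you~~~! Thanks!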
----------------------------------------------------------------------------------------------------------------------------
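【Software name】轻轻松松考驾照 5.0
【File size】1967 KB
【Description】
"轻轻松松考驾照" is an up-to-date training program for the motor vehicle driver theory exam. The interface is clean, operation is simple, it uses the nationwide common question bank, and it covers both cars and motorcycles. Its features are:
1. Regulation and sign lookup. The software contains the original text of the traffic regulations issued by the state, plus material from the national standard GB5768-1999 "Road Traffic Signs and Markings" (warning signs, prohibition signs, mandatory signs, guide signs, road markings and so on) for the user to consult.
2. Category practice. The user can practice by sub-category within three main categories (traffic regulations, traffic signs, related knowledge) to sort out the knowledge points and tackle them one by one.
3. Comprehensive practice. The user can work through the whole common question bank in sequential or random order; the system reports the accuracy rate dynamically for reference.
4. Instant marking. During category or comprehensive practice, every question is marked in real time.
5. Question flagging. During category practice the user can manually flag important or not-yet-understood questions; during comprehensive practice the system automatically flags the questions answered wrongly, so they can be drilled together in the corresponding module.
6. Mock exam. The software assembles papers according to the national exam standard, with questions in random order.
The software helps you train for the motor vehicle driver theory exam with a rich, illustrated set of question types covering every knowledge point tested, improving your exam skills so that you can pass the driving test with ease.
【Download】
http://xj-http.skycn.net:8080/down/qqsskjz_setup50.exe
http://js-http.skycn.net:8180/down/qqsskjz_setup50.exe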
-----------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------
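【Walkthrough】
First we use PEiD 0.92 to see which packer was used: ASPack 2.12 -> Alexey Solodovnikov. AspackDie from the Cracking Helper Toolkit V1.0 Beta comes next; after unpacking we learn that the program was built with Borland Delphi 4.0 - 5.0. Then spend half a minute or half an hour disassembling it with W32Dasm.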
===========================================================================
1. Search the string data references for * Possible StringData Ref from Code Obj ->"轻轻松松考驾照 5.0 (注册版)" (the "Registered Edition" title string)
===========================================================================
* Possible StringData Ref from Code Obj ->"轻轻松松考驾照 5.0 (注册版)"
|
:0054E613 BA24E75400 mov edx, 0054E724
:0054E618 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:0054E61E E8E920F1FF call 0046070C
:0054E623 33D2 xor edx, edx
:0054E625 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:0054E62B E84034EEFF call 00431A70
:0054E630 EB1D jmp 0054E64F
Scrolling up, we arrive at the following location:
===========================================================================
* Possible StringData Ref from Code Obj ->"JSYKS"
|
:0054E5AA BA14E75400 mov edx, 0054E714
:0054E5AF E87C5CEBFF call 00404230
:0054E5B4 8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:0054E5BA 50 push eax
:0054E5BB 8B8310030000 mov eax, dword ptr [ebx+00000310]
:0054E5C1 E81E5CEBFF call 004041E4
:0054E5C6 8BC8 mov ecx, eax
:0054E5C8 49 dec ecx
:0054E5C9 BA03000000 mov edx, 00000003
:0054E5CE 8B8314030000 mov eax, dword ptr [ebx+00000314]
:0054E5D4 E8135EEBFF call 004043EC
:0054E5D9 8B8568FFFFFF mov eax, dword ptr [ebp+FFFFFF68]
:0054E5DF 50 push eax
:0054E5E0 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:0054E5E6 50 push eax
:0054E5E7 8B8310030000 mov eax, dword ptr [ebx+00000310]
:0054E5ED E8F25BEBFF call 004041E4
:0054E5F2 8BC8 mov ecx, eax
:0054E5F4 49 dec ecx
:0054E5F5 BA01000000 mov edx, 00000001
:0054E5FA 8B8310030000 mov eax, dword ptr [ebx+00000310]
:0054E600 E8E75DEBFF call 004043EC
:0054E605 8B9564FFFFFF mov edx, dword ptr [ebp+FFFFFF64]
:0054E60B 58 pop eax
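:0054E60C E8E35CEBFF call 004042F4 // key CALL that distinguishes the registered edition from the shareware edition
:0054E611 751F jne 0054E632 // key jump that distinguishes the registered edition from the shareware edition; if it jumps we land in the shareware branch and it is game over~~~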
===========================================================================
2. Search the string data references for * Possible StringData Ref from Code Obj ->"本功能仅对注册用户开放。" ("This feature is available to registered users only.")
===========================================================================
* Possible StringData Ref from Code Obj ->"本功能仅对注册用户开放。"
|
:0054E25F BAA4E25400 mov edx, 0054E2A4
:0054E264 A1B4155500 mov eax, dword ptr [005515B4]
:0054E269 8B00 mov eax, dword ptr [eax]
:0054E26B E8682BF0FF call 00450DD8
Scrolling up, we arrive at the following location:
===========================================================================
:0054E1C8 55 push ebp
:0054E1C9 8BEC mov ebp, esp
:0054E1CB 6A00 push 00000000
:0054E1CD 6A00 push 00000000
:0054E1CF 53 push ebx
:0054E1D0 8BD8 mov ebx, eax
:0054E1D2 33C0 xor eax, eax
:0054E1D4 55 push ebp
:0054E1D5 688BE25400 push 0054E28B
:0054E1DA 64FF30 push dword ptr fs:[eax]
:0054E1DD 648920 mov dword ptr fs:[eax], esp
:0054E1E0 8D45FC lea eax, dword ptr [ebp-04]
:0054E1E3 50 push eax
:0054E1E4 8B8310030000 mov eax, dword ptr [ebx+00000310]
:0054E1EA E8F55FEBFF call 004041E4
:0054E1EF 8BC8 mov ecx, eax
:0054E1F1 49 dec ecx
:0054E1F2 BA03000000 mov edx, 00000003
:0054E1F7 8B8314030000 mov eax, dword ptr [ebx+00000314]
:0054E1FD E8EA61EBFF call 004043EC
:0054E202 8B45FC mov eax, dword ptr [ebp-04]
:0054E205 50 push eax
:0054E206 8D45F8 lea eax, dword ptr [ebp-08]
:0054E209 50 push eax
:0054E20A 8B8310030000 mov eax, dword ptr [ebx+00000310]
:0054E210 E8CF5FEBFF call 004041E4
:0054E215 8BC8 mov ecx, eax
:0054E217 49 dec ecx
:0054E218 BA01000000 mov edx, 00000001
:0054E21D 8B8310030000 mov eax, dword ptr [ebx+00000310]
:0054E223 E8C461EBFF call 004043EC
:0054E228 8B55F8 mov edx, dword ptr [ebp-08]
:0054E22B 58 pop eax
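:0054E22C E8C360EBFF call 004042F4 // feature-restriction CALL; checks whether registration info exists in the registry
:0054E231 7525 jne 0054E258 // feature-restriction jump; decides whether the program is registered, and if it jumps it is over!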
:0054E233 A12C2F5500 mov eax, dword ptr [00552F2C]
:0054E238 E8D7F8EFFF call 0044DB14
:0054E23D A100175500 mov eax, dword ptr [00551700]
:0054E242 8B00 mov eax, dword ptr [eax]
:0054E244 8B10 mov edx, dword ptr [eax]
:0054E246 FF92D8000000 call dword ptr [edx+000000D8]
:0054E24C A12C2F5500 mov eax, dword ptr [00552F2C]
:0054E251 E8C6F8EFFF call 0044DB1C
:0054E256 EB18 jmp 0054E270
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0054E231(C)
|
:0054E258 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"信息提示"
|
:0054E25A B998E25400 mov ecx, 0054E298
===========================================================================
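3. Search the string data references for * Possible StringData Ref from Code Obj ->"本部分仅对注册用户开放。" ("This section is available to registered users only.")
This string is referenced in two places:
First reference: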
===========================================================================
* Possible StringData Ref from Code Obj ->"本部分仅对注册用户开放。"
|
:00548D2E BA28925400 mov edx, 00549228
:00548D33 A1B4155500 mov eax, dword ptr [005515B4]
:00548D38 8B00 mov eax, dword ptr [eax]
:00548D3A E89980F0FF call 00450DD8
:00548D3F 33C0 xor eax, eax
:00548D41 898368030000 mov dword ptr [ebx+00000368], eax
:00548D47 E9A6040000 jmp 005491F2
Scrolling up, we arrive at the following location:
===========================================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00548CAA(C)
|
:00548CA5 6A00 push 00000000
:00548CA7 6A00 push 00000000
:00548CA9 49 dec ecx
:00548CAA 75F9 jne 00548CA5
:00548CAC 51 push ecx
:00548CAD 874DFC xchg dword ptr [ebp-04], ecx
:00548CB0 53 push ebx
:00548CB1 56 push esi
:00548CB2 8BF1 mov esi, ecx
:00548CB4 8BD8 mov ebx, eax
:00548CB6 33C0 xor eax, eax
:00548CB8 55 push ebp
:00548CB9 680D925400 push 0054920D
:00548CBE 64FF30 push dword ptr fs:[eax]
:00548CC1 648920 mov dword ptr fs:[eax], esp
:00548CC4 8BC3 mov eax, ebx
:00548CC6 E855EBFFFF call 00547820
:00548CCB 33C0 xor eax, eax
:00548CCD 89836C030000 mov dword ptr [ebx+0000036C], eax
:00548CD3 B201 mov dl, 01
:00548CD5 8BC6 mov eax, esi
:00548CD7 E88852F7FF call 004BDF64
:00548CDC 33D2 xor edx, edx
:00548CDE 8B8348030000 mov eax, dword ptr [ebx+00000348]
:00548CE4 E8878DEEFF call 00431A70
:00548CE9 8D55FC lea edx, dword ptr [ebp-04]
:00548CEC 8B4658 mov eax, dword ptr [esi+58]
:00548CEF E83408ECFF call 00409528
:00548CF4 8B45FC mov eax, dword ptr [ebp-04]
:00548CF7 50 push eax
:00548CF8 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:00548CFE 8B80F0010000 mov eax, dword ptr [eax+000001F0]
:00548D04 33D2 xor edx, edx
:00548D06 E89DA0F3FF call 00482DA8
:00548D0B 5A pop edx
:00548D0C E80FA0F3FF call 00482D20
:00548D11 80BB7003000000 cmp byte ptr [ebx+00000370], 00
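:00548D18 7532 jne 00548D4C // feature-restriction jump; decides whether the program is registered, and if it jumps it is over!
:00548D1A 8B93F8020000 mov edx, dword ptr [ebx+000002F8] // checks whether registration info exists in the registry
:00548D20 8BC3 mov eax, ebx // inconspicuous spots like this often must not be changed carelessly!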
:00548D22 E839E9FFFF call 00547660
:00548D27 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"信息提示"
|
:00548D29 B91C925400 mov ecx, 0054921C
===========================================================================
Second reference:
===========================================================================
* Possible StringData Ref from Code Obj ->"本部分仅对注册用户开放。"
|
:005497A1 BA3CA15400 mov edx, 0054A13C
:005497A6 A1B4155500 mov eax, dword ptr [005515B4]
:005497AB 8B00 mov eax, dword ptr [eax]
:005497AD E82676F0FF call 00450DD8
:005497B2 33C0 xor eax, eax
:005497B4 898368030000 mov dword ptr [ebx+00000368], eax
:005497BA E944090000 jmp 0054A103
Scrolling up, we arrive at the following location:
===========================================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00549712(C)
|
:0054970D 6A00 push 00000000
:0054970F 6A00 push 00000000
:00549711 49 dec ecx
:00549712 75F9 jne 0054970D
:00549714 874DFC xchg dword ptr [ebp-04], ecx
:00549717 53 push ebx
:00549718 56 push esi
:00549719 8BF1 mov esi, ecx
:0054971B 8BD8 mov ebx, eax
:0054971D 33C0 xor eax, eax
:0054971F 55 push ebp
:00549720 6821A15400 push 0054A121
:00549725 64FF30 push dword ptr fs:[eax]
:00549728 648920 mov dword ptr fs:[eax], esp
:0054972B 8BC3 mov eax, ebx
:0054972D E8EEE0FFFF call 00547820
:00549732 33C0 xor eax, eax
:00549734 89836C030000 mov dword ptr [ebx+0000036C], eax
:0054973A B201 mov dl, 01
:0054973C 8BC6 mov eax, esi
:0054973E E82148F7FF call 004BDF64
:00549743 33D2 xor edx, edx
:00549745 8B8348030000 mov eax, dword ptr [ebx+00000348]
:0054974B E82083EEFF call 00431A70
:00549750 8D55FC lea edx, dword ptr [ebp-04]
:00549753 8B4658 mov eax, dword ptr [esi+58]
:00549756 E8CDFDEBFF call 00409528
:0054975B 8B45FC mov eax, dword ptr [ebp-04]
:0054975E 50 push eax
:0054975F 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:00549765 8B80F0010000 mov eax, dword ptr [eax+000001F0]
:0054976B 33D2 xor edx, edx
:0054976D E83696F3FF call 00482DA8
:00549772 5A pop edx
:00549773 E8A895F3FF call 00482D20
:00549778 8BC6 mov eax, esi
:0054977A E86991ECFF call 004128E8
:0054977F 83F80D cmp eax, 0000000D
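:00549782 743B je 005497BF // feature-restriction jump; decides whether the program is registered, and if it jumps it is over!
:00549784 80BB7003000000 cmp byte ptr [ebx+00000370], 00 // checks whether registration info exists in the registry
:0054978B 7532 jne 005497BF // feature-restriction jump; decides whether the program is registered, and if it jumps it is over!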
:0054978D 8B93F8020000 mov edx, dword ptr [ebx+000002F8]
:00549793 8BC3 mov eax, ebx
:00549795 E8C6DEFFFF call 00547660
:0054979A 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"信息提示"
|
:0054979C B930A15400 mov ecx, 0054A130
================================================================================
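Analysis done! Now apply the right "medicine"! This write-up is a patch job~~~~~ v^o^v Time to set the "detonators"~~~
PS: Patching this program is really a bit tough! It can only be done one step at a time! It has to be modified with W32Dasm 4 times...
Removing its feature restrictions step by step.... I nearly collapsed... (passed out cold several times....)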
================================================================================
Patch points: (they must be modified in separate steps!)
First time opening W32Dasm, modify here:
①:0054E611 751F jne 0054E632 jne--->je
Second time opening W32Dasm, modify here:
②:0054E231 7525 jne 0054E258 jne--->nop
Third time opening W32Dasm, modify here:
③:00548D18 7532 jne 00548D4C jne--->je
Fourth time opening W32Dasm, modify here:
④:00549782 743B je 005497BF je--->jne
⑤:0054978B 7532 jne 005497BF jne--->je
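************************************************************************************
* Remember!!! Do not modify all of the locations above at the same time! Otherwise it is doomed to turn back into -----→ (shareware edition) again~~~ T_T *
* *
* As the saying goes: "Haste makes waste~~~" Heh heh~~~ V^o^V *
************************************************************************************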
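My assembly skills are limited, almost nonexistent, and I have not worked out the program's registration algorithm, so I first compressed the freshly cracked program with ASPack 2.12 and then used keymake to build a file patch, which I am posting instead! Sweat~~~~~~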
-----------------------------------------------------------------------------------------------------------------------------
KuNgBiM, early morning of 2004.7.23, Chengdu, Sichuan
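Seen from the vendor's or an incident responder's side, every patch point listed above is a one- or two-byte change to a short conditional jump, which is easy to flag when a known-good code image is compared with a suspect copy. The following is an added example, not part of the original post: the function names are hypothetical, the inputs are assumed to be equal-length unpacked code ranges (the shipped file is ASPack-packed, so on-disk bytes do not compare directly), and the sample bytes are constructed from the two call/jne sequences shown in the listing.

```python
# Added example (not from the original post): heuristic triage of byte
# differences between a known-good code image and a suspect one.
NOP = 0x90

def is_short_jcc(op: int) -> bool:
    """True for the one-byte short conditional jumps 0x70..0x7F (Jcc rel8)."""
    return 0x70 <= op <= 0x7F

def classify_branch_patches(reference: bytes, suspect: bytes, base: int):
    """Return (address, kind, old_hex, new_hex) for each differing run.

    kind: "inverted" = Jcc condition bit flipped (75 <-> 74),
          "nopped"   = Jcc rel8 overwritten with 90 90,
          "other"    = any other change (needs manual review).
    No disassembly is done, so a hit is a lead, not proof.
    """
    if len(reference) != len(suspect):
        raise ValueError("compare equal-length, unpacked code ranges")
    findings, i, n = [], 0, len(reference)
    while i < n:
        if reference[i] == suspect[i]:
            i += 1
            continue
        old, new = reference[i], suspect[i]
        next_same = i + 1 >= n or reference[i + 1] == suspect[i + 1]
        if is_short_jcc(old) and new == old ^ 1 and next_same:
            kind, span = "inverted", 1
        elif is_short_jcc(old) and new == NOP and i + 1 < n and suspect[i + 1] == NOP:
            kind, span = "nopped", 2
        else:
            kind, span = "other", 1
            while i + span < n and reference[i + span] != suspect[i + span]:
                span += 1
        findings.append((base + i, kind, reference[i:i + span].hex(),
                         suspect[i:i + span].hex()))
        i += span
    return findings

# Constructed sample: (base address, reference bytes, modified copy).
SAMPLES = [
    (0x0054E60C, bytes.fromhex("E8E35CEBFF751F"), bytes.fromhex("E8E35CEBFF741F")),
    (0x0054E22C, bytes.fromhex("E8C360EBFF7525"), bytes.fromhex("E8C360EBFF9090")),
]

def triage_samples():
    return [f for base, ref, sus in SAMPLES
            for f in classify_branch_patches(ref, sus, base)]

if __name__ == "__main__":
    for addr, kind, old, new in triage_samples():
        print(f"{addr:08X} {kind:9s} {old} -> {new}")
```

Because all five checks reduce to a single branch each, a finding of kind "inverted" or "nopped" directly after a compare or call is a strong tamper indicator for this build.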