考易电子试卷制作软件 v3.2破解
软件名称:考易电子试卷制作软件 v3.2。因为看到了一个帖子,地址:https://www.chinapyg.com/viewthread.php?tid=37265&extra=page%3D1,
我就做了这个教程姑且叫做原创吧!
软件的下载到:https://www.chinapyg.com/viewthread.php?tid=37265&extra=page%3D1
不多说了我们开始吧!
Peid:Borland Delphi 4.0 - 5.0
这个软件一运行就提示:软件过期
我们先来解决这个问题:
用OD载入:
下断点:
bp MessageBoxA
f9来到:
77D50702 >8BFF mov edi, edi ; 考易电子.004160C0
77D50704 55 push ebp
77D50705 8BEC mov ebp, esp
77D50707 833D BC14D777 0>cmp dword ptr , 0
77D5070E 74 24 je short 77D50734
77D50710 64:A1 18000000mov eax, dword ptr fs:
77D50716 6A 00 push 0
77D50718 FF70 24 push dword ptr
77D5071B 68 241BD777 push 77D71B24
77D50720 FF15 C412D177 call dword ptr [<&KERNEL32.Interlocke>; kernel32.InterlockedCompareExchange
77D50726 85C0 test eax, eax
77D50728 75 0A jnz short 77D50734
alt+f9来到:
00415F86|.9B wait
00415F87|.8D45 FC lea eax, dword ptr
00415F8A|.BA 8C604100 mov edx, 0041608C ;yyyy-mm-dd
00415F8F|.E8 E8BBFEFF call <jmp.&Vcl50.Sysutils::DateTimeTo>
00415F94|.8B45 FC mov eax, dword ptr
00415F97|.BA A0604100 mov edx, 004160A0 ;2005-10-03
00415F9C|.E8 27B2FEFF call <jmp.&Vcl50.System::LStrCmp>
00415FA1|.77 0F ja short 00415FB2
00415FA3|.8B45 FC mov eax, dword ptr
00415FA6|.BA B4604100 mov edx, 004160B4 ;2004-10-03
00415FAB|.E8 18B2FEFF call <jmp.&Vcl50.System::LStrCmp>
00415FB0|.73 24 jnb short 00415FD6
00415FB2|>6A 00 push 0
00415FB4|.B9 C0604100 mov ecx, 004160C0 ;提示3.2
00415FB9|.BA C8604100 mov edx, 004160C8 ;该版本软件已过期,请到http://www.yyebook.com下载更新版本使用!
00415FBE|.A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
00415FC3|.8B00 mov eax, dword ptr
00415FC5|.E8 B6B5FEFF call <jmp.&Vcl50.Forms::TApplication:>
00415FCA|.BA 10614100 mov edx, 00416110 ;kkright
00415FCF|.8BC3 mov eax, ebx
00415FD1|.E8 B6BCFEFF call <jmp.&Vcl50.Controls::TControl::>
我们在断首下好断点然后取消刚才的断点
00415ED0/.55 push ebp 这里f2
00415ED1|.8BEC mov ebp, esp
00415ED3|.33C9 xor ecx, ecx
00415ED5|.51 push ecx
00415ED6|.51 push ecx
00415ED7|.51 push ecx
00415ED8|.51 push ecx
00415ED9|.51 push ecx
重新运行:
00415ED0/.55 push ebp
00415ED1|.8BEC mov ebp, esp
00415ED3|.33C9 xor ecx, ecx
00415ED5|.51 push ecx
00415ED6|.51 push ecx
00415ED7|.51 push ecx
00415ED8|.51 push ecx
00415ED9|.51 push ecx
00415EDA|.51 push ecx
00415EDB|.53 push ebx
00415EDC|.56 push esi
00415EDD|.8BF2 mov esi, edx
00415EDF|.8BD8 mov ebx, eax
00415EE1|.33C0 xor eax, eax
00415EE3|.55 push ebp
00415EE4|.68 75604100 push 00416075
00415EE9|.64:FF30 push dword ptr fs:
00415EEC|.64:8920 mov dword ptr fs:, esp
00415EEF|.C683 61170500>mov byte ptr , 1
00415EF6|.33D2 xor edx, edx
00415EF8|.8B83 D0020000 mov eax, dword ptr
00415EFE|.E8 09C4FEFF call <jmp.&Vcl50.Comctrls::TPageContr>
00415F03|.33C0 xor eax, eax
00415F05|.8983 280A0500 mov dword ptr , eax
00415F0B|.68 AF030000 push 3AF
00415F10|.8D55 F8 lea edx, dword ptr
00415F13|.A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
00415F18|.8B00 mov eax, dword ptr
00415F1A|.E8 69B6FEFF call <jmp.&Vcl50.Forms::TApplication:>
00415F1F|.8B55 F8 mov edx, dword ptr
00415F22|.33C9 xor ecx, ecx
00415F24|.8BC3 mov eax, ebx
00415F26|.E8 15060000 call 00416540
00415F2B|.8D55 F0 lea edx, dword ptr
00415F2E|.A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
00415F33|.8B00 mov eax, dword ptr
00415F35|.E8 4EB6FEFF call <jmp.&Vcl50.Forms::TApplication:>
00415F3A|.8B45 F0 mov eax, dword ptr
00415F3D|.8D55 F4 lea edx, dword ptr
00415F40|.E8 C7BBFEFF call <jmp.&Vcl50.Sysutils::ExtractFil>
00415F45|.8B55 F4 mov edx, dword ptr
00415F48|.8B83 6C030000 mov eax, dword ptr
00415F4E|.E8 E1C1FEFF call <jmp.&Vcl50.Dialogs::TOpenDialog>
00415F53|.8D55 E8 lea edx, dword ptr
00415F56|.A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
00415F5B|.8B00 mov eax, dword ptr
00415F5D|.E8 26B6FEFF call <jmp.&Vcl50.Forms::TApplication:>
00415F62|.8B45 E8 mov eax, dword ptr
00415F65|.8D55 EC lea edx, dword ptr
00415F68|.E8 9FBBFEFF call <jmp.&Vcl50.Sysutils::ExtractFil>
00415F6D|.8B55 EC mov edx, dword ptr
00415F70|.8B83 68030000 mov eax, dword ptr
00415F76|.E8 B9C1FEFF call <jmp.&Vcl50.Dialogs::TOpenDialog>
00415F7B|.E8 ECBBFEFF call <jmp.&Vcl50.Sysutils::Date>
00415F80|.83C4 F8 add esp, -8
00415F83|.DD1C24 fstp qword ptr
00415F86|.9B wait
00415F87|.8D45 FC lea eax, dword ptr
00415F8A|.BA 8C604100 mov edx, 0041608C ;ASCII "yyyy-mm-dd"
00415F8F|.E8 E8BBFEFF call <jmp.&Vcl50.Sysutils::DateTimeTo>
00415F94|.8B45 FC mov eax, dword ptr
00415F97|.BA A0604100 mov edx, 004160A0 ;ASCII "2005-10-03"
00415F9C|.E8 27B2FEFF call <jmp.&Vcl50.System::LStrCmp>
00415FA1|.77 0F ja short 00415FB2 这里跳走了 NOP掉
00415FA3|.8B45 FC mov eax, dword ptr
00415FA6|.BA B4604100 mov edx, 004160B4 ;ASCII "2004-10-03"
00415FAB|.E8 18B2FEFF call <jmp.&Vcl50.System::LStrCmp>
00415FB0|.73 24 jnb short 00415FD6
下面我们来解决注册的问题:
修改后保存一份(假设文件名为:1),我们运行一下程序1看看,可是程序不能运行!
用OD载入修改后的文件1,单步走:
0042009C >/$55 push ebp
0042009D|.8BEC mov ebp, esp
0042009F|.83C4 EC add esp, -14
004200A2|.33C0 xor eax, eax
004200A4|.8945 EC mov dword ptr , eax
004200A7|.8945 F0 mov dword ptr , eax
004200AA|.B8 8CFE4100 mov eax, 0041FE8C
004200AF|.E8 E012FEFF call 00401394
004200B4|.33C0 xor eax, eax
004200B6|.55 push ebp
004200B7|.68 55014200 push 00420155
004200BC|.64:FF30 push dword ptr fs:
004200BF|.64:8920 mov dword ptr fs:, esp
004200C2|.A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
004200C7|.8B00 mov eax, dword ptr
004200C9|.E8 9214FEFF call <jmp.&Vcl50.Forms::TApplication:>
004200CE|.8B0D B0174200 mov ecx, dword ptr ;考易电子.00423A9C
004200D4|.A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
004200D9|.8B00 mov eax, dword ptr
004200DB|.8B15 103C4100 mov edx, dword ptr ;考易电子.00413C5C
004200E1|.E8 8214FEFF call <jmp.&Vcl50.Forms::TApplication:>
004200E6|.8D55 F0 lea edx, dword ptr
004200E9|.A1 B0174200 mov eax, dword ptr
004200EE|.8B00 mov eax, dword ptr
004200F0|.E8 8F1BFEFF call <jmp.&Vcl50.Controls::TControl::>
004200F5|.8B45 F0 mov eax, dword ptr
004200F8|.BA 6C014200 mov edx, 0042016C ;ASCII "closeform"
004200FD|.E8 C610FEFF call <jmp.&Vcl50.System::LStrCmp>
00420102|.74 1E je short 00420122
00420104|.8D55 EC lea edx, dword ptr
00420107|.A1 B0174200 mov eax, dword ptr
0042010C|.8B00 mov eax, dword ptr
0042010E|.E8 711BFEFF call <jmp.&Vcl50.Controls::TControl::>
00420113|.8B45 EC mov eax, dword ptr
00420116|.BA 80014200 mov edx, 00420180 ;ASCII "kkright"
0042011B|.E8 A810FEFF call <jmp.&Vcl50.System::LStrCmp>
00420120|.75 0C jnz short 0042012E 这里让它跳就行了 改为JZ
00420122|>A1 B0174200 mov eax, dword ptr
00420127|.8B00 mov eax, dword ptr
00420129|.E8 DA13FEFF call <jmp.&Vcl50.Forms::TCustomForm::>
0042012E|>A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
00420133|.8B00 mov eax, dword ptr
00420135|.E8 3614FEFF call <jmp.&Vcl50.Forms::TApplication:>
0042013A|.33C0 xor eax, eax
0042013C|.5A pop edx
0042013D|.59 pop ecx
0042013E|.59 pop ecx
0042013F|.64:8910 mov dword ptr fs:, edx
00420142|.68 5C014200 push 0042015C
00420147|>8D45 EC lea eax, dword ptr
0042014A|.BA 02000000 mov edx, 2
0042014F|.E8 0C10FEFF call <jmp.&Vcl50.System::LStrArrayClr>
00420154\.C3 retn
修改后文件保存为:2
运行程序2,运行正常
OD载入文件2:
因为程序运行后标题显示未注册,点击注册后其中的注册号中内容为:未注册
我们就从这里下手吧
查找字符串:
本机未注册
(商用版)
(非商用版)
未注册
regkysoft.dll(这个应该是注册文件在字符串参考中有两处这里只是其中的一处,大家自己研究一下)
注册版
未注册版
双击本机未注册来到:
004138B4/.55 push ebp 下好断点
004138B5|.8BEC mov ebp, esp
004138B7|.6A 00 push 0
004138B9|.6A 00 push 0
004138BB|.6A 00 push 0
004138BD|.53 push ebx
004138BE|.8BD8 mov ebx, eax
004138C0|.33C0 xor eax, eax
004138C2|.55 push ebp
004138C3|.68 7C3A4100 push 00413A7C
004138C8|.64:FF30 push dword ptr fs:
004138CB|.64:8920 mov dword ptr fs:, esp
004138CE|.A1 B0174200 mov eax, dword ptr
004138D3|.8B00 mov eax, dword ptr
004138D5|.8B90 54110500 mov edx, dword ptr
004138DB|.8B83 0C030000 mov eax, dword ptr
004138E1|.E8 A6E3FEFF call <jmp.&Vcl50.Controls::TControl::>
004138E6|.BA 903A4100 mov edx, 00413A90 ;3.2
004138EB|.8B83 F4020000 mov eax, dword ptr
004138F1|.E8 96E3FEFF call <jmp.&Vcl50.Controls::TControl::>
004138F6|.BA 9C3A4100 mov edx, 00413A9C ;本机未注册
004138FB|.8B83 10030000 mov eax, dword ptr
00413901|.E8 86E3FEFF call <jmp.&Vcl50.Controls::TControl::>
00413906|.A1 B0174200 mov eax, dword ptr
0041390B|.8B00 mov eax, dword ptr
双击regkysoft.dll来到:
00415B9D|.E8 6ABFFEFF call <jmp.&Vcl50.Sysutils::ExtractFil>
00415BA2|.8D45 DC lea eax, dword ptr
00415BA5|.BA D85C4100 mov edx, 00415CD8 ;regkysoft.dll
00415BAA|.E8 01B6FEFF call <jmp.&Vcl50.System::LStrCat>
在断首下好断点(就是004159E0/$55 push ebp)
开始分析了f9来到了:
004159E0/$55 push ebp
004159E1|.8BEC mov ebp, esp
004159E3|.B9 06000000 mov ecx, 6
.......
.......
.......
.......
00415B6E|.8D83 5C170500 lea eax, dword ptr
00415B74|.BA C45C4100 mov edx, 00415CC4 ;00000066
00415B79|.E8 EAB5FEFF call <jmp.&Vcl50.System::LStrAsg>
00415B7E|.C783 64170500>mov dword ptr , 30
00415B88|.8D55 D8 lea edx, dword ptr
00415B8B|.A1 88464200 mov eax, dword ptr [<&Vcl50.Forms::A>
00415B90|.8B00 mov eax, dword ptr
00415B92|.E8 F1B9FEFF call <jmp.&Vcl50.Forms::TApplication:>
00415B97|.8B45 D8 mov eax, dword ptr
00415B9A|.8D55 DC lea edx, dword ptr
00415B9D|.E8 6ABFFEFF call <jmp.&Vcl50.Sysutils::ExtractFil>
00415BA2|.8D45 DC lea eax, dword ptr
00415BA5|.BA D85C4100 mov edx, 00415CD8 ;regkysoft.dll
00415BAA|.E8 01B6FEFF call <jmp.&Vcl50.System::LStrCat>
00415BAF|.8B55 DC mov edx, dword ptr
00415BB2|.8BC3 mov eax, ebx
00415BB4|.E8 EF810000 call 0041DDA8
00415BB9|.48 dec eax
00415BBA|.75 51 jnz short 00415C0D 不让它跳 JZ
00415BBC|.C683 61170500>mov byte ptr , 0C
00415BC3|.C783 64170500>mov dword ptr , 3EA
00415BCD|.BA F05C4100 mov edx, 00415CF0 ;软件信息
00415BD2|.8B83 40030000 mov eax, dword ptr
00415BD8|.E8 3FC3FEFF call <jmp.&Vcl50.Menus::TMenuItem::Se>
00415BDD|.33D2 xor edx, edx
00415BDF|.8B83 1C040000 mov eax, dword ptr
00415BE5|.E8 7AC0FEFF call <jmp.&Vcl50.Controls::TControl::>
00415BEA|.8D55 D4 lea edx, dword ptr
00415BED|.8BC3 mov eax, ebx
00415BEF|.E8 90C0FEFF call <jmp.&Vcl50.Controls::TControl::>
00415BF4|.8D45 D4 lea eax, dword ptr
00415BF7|.BA 045D4100 mov edx, 00415D04 ; 注册版
00415BFC|.E8 AFB5FEFF call <jmp.&Vcl50.System::LStrCat>
00415C01|.8B55 D4 mov edx, dword ptr
00415C04|.8BC3 mov eax, ebx
00415C06|.E8 81C0FEFF call <jmp.&Vcl50.Controls::TControl::>
00415C0B|.EB 21 jmp short 00415C2E
00415C0D|>8D55 D0 lea edx, dword ptr
00415C10|.8BC3 mov eax, ebx
00415C12|.E8 6DC0FEFF call <jmp.&Vcl50.Controls::TControl::>
00415C17|.8D45 D0 lea eax, dword ptr
00415C1A|.BA 185D4100 mov edx, 00415D18 ; 未注册版
00415C1F|.E8 8CB5FEFF call <jmp.&Vcl50.System::LStrCat>
00415C24|.8B55 D0 mov edx, dword ptr
00415C27|.8BC3 mov eax, ebx
00415C29|.E8 5EC0FEFF call <jmp.&Vcl50.Controls::TControl::>
00415C2E|>33C0 xor eax, eax
00415C30|.5A pop edx
00415C31|.59 pop ecx
00415C32|.59 pop ecx
00415C33|.64:8910 mov dword ptr fs:, edx
00415C36|.68 5D5C4100 push 00415C5D
00415C3B|>8D45 D0 lea eax, dword ptr
00415C3E|.BA 02000000 mov edx, 2
00415C43|.E8 18B5FEFF call <jmp.&Vcl50.System::LStrArrayClr>
00415C48|.8D45 D8 lea eax, dword ptr
00415C4B|.BA 0A000000 mov edx, 0A
00415C50|.E8 0BB5FEFF call <jmp.&Vcl50.System::LStrArrayClr>
00415C55\.C3 retn
00415C56 .^ E9 C5B4FEFF jmp <jmp.&Vcl50.System::HandleFinall>
00415C5B .^ EB DE jmp short 00415C3B
00415C5D .5B pop ebx
00415C5E .8BE5 mov esp, ebp
00415C60 .5D pop ebp
00415C61 .C3 retn
程序运行后(f9)点击软件信息到了:
004138B4/.55 push ebp
004138B5|.8BEC mov ebp, esp
004138B7|.6A 00 push 0
004138B9|.6A 00 push 0
004138BB|.6A 00 push 0
004138BD|.53 push ebx
004138BE|.8BD8 mov ebx, eax
004138C0|.33C0 xor eax, eax
004138C2|.55 push ebp
004138C3|.68 7C3A4100 push 00413A7C
004138C8|.64:FF30 push dword ptr fs:
004138CB|.64:8920 mov dword ptr fs:, esp
004138CE|.A1 B0174200 mov eax, dword ptr
004138D3|.8B00 mov eax, dword ptr
004138D5|.8B90 54110500 mov edx, dword ptr
004138DB|.8B83 0C030000 mov eax, dword ptr
004138E1|.E8 A6E3FEFF call <jmp.&Vcl50.Controls::TControl::>
004138E6|.BA 903A4100 mov edx, 00413A90 ;3.2
004138EB|.8B83 F4020000 mov eax, dword ptr
004138F1|.E8 96E3FEFF call <jmp.&Vcl50.Controls::TControl::>
004138F6|.BA 9C3A4100 mov edx, 00413A9C ;本机未注册
004138FB|.8B83 10030000 mov eax, dword ptr
00413901|.E8 86E3FEFF call <jmp.&Vcl50.Controls::TControl::>
00413906|.A1 B0174200 mov eax, dword ptr
0041390B|.8B00 mov eax, dword ptr
0041390D|.80B8 61170500>cmp byte ptr , 0C
00413914|.0F85 05010000 jnz 00413A1F
0041391A|.B2 01 mov dl, 1
0041391C|.8B83 24030000 mov eax, dword ptr
00413922|.E8 3DE3FEFF call <jmp.&Vcl50.Controls::TControl::>
00413927|.33D2 xor edx, edx
00413929|.8B83 D0020000 mov eax, dword ptr
0041392F|.E8 30E3FEFF call <jmp.&Vcl50.Controls::TControl::>
00413934|.BA DF000000 mov edx, 0DF
00413939|.A1 943A4200 mov eax, dword ptr
0041393E|.E8 F1E2FEFF call <jmp.&Vcl50.Controls::TControl::>
00413943|.A1 B0174200 mov eax, dword ptr
00413948|.8B00 mov eax, dword ptr
0041394A|.8B80 5C170500 mov eax, dword ptr
00413950|.E8 87E1FEFF call <jmp.&Vcl50.Sysutils::StrToInt>
00413955|.3D 30750000 cmp eax, 7530
0041395A|.7E 19 jle short 00413975
0041395C|.A1 B0174200 mov eax, dword ptr
00413961|.8B00 mov eax, dword ptr
00413963|.8B80 5C170500 mov eax, dword ptr
00413969|.E8 6EE1FEFF call <jmp.&Vcl50.Sysutils::StrToInt>
0041396E|.3D 50C30000 cmp eax, 0C350
00413973|.7C 32 jl short 004139A7
00413975|>A1 B0174200 mov eax, dword ptr
0041397A|.8B00 mov eax, dword ptr
0041397C|.8B80 5C170500 mov eax, dword ptr
00413982|.E8 55E1FEFF call <jmp.&Vcl50.Sysutils::StrToInt>
00413987|.3D C8000000 cmp eax, 0C8
0041398C|.7E 43 jle short 004139D1 不让它跳 NOP
0041398E|.A1 B0174200 mov eax, dword ptr
00413993|.8B00 mov eax, dword ptr
00413995|.8B80 5C170500 mov eax, dword ptr
0041399B|.E8 3CE1FEFF call <jmp.&Vcl50.Sysutils::StrToInt>
004139A0|.3D E8030000 cmp eax, 3E8
004139A5|.7D 2A jge short 004139D1
004139A7|>A1 B0174200 mov eax, dword ptr
004139AC|.8B00 mov eax, dword ptr
004139AE|.8B90 5C170500 mov edx, dword ptr
004139B4|.8D45 FC lea eax, dword ptr
004139B7|.B9 B03A4100 mov ecx, 00413AB0 ; (商用版)
004139BC|.E8 F7D7FEFF call <jmp.&Vcl50.System::LStrCat3>
004139C1|.8B55 FC mov edx, dword ptr
004139C4|.8B83 10030000 mov eax, dword ptr
004139CA|.E8 BDE2FEFF call <jmp.&Vcl50.Controls::TControl::>
004139CF|.EB 28 jmp short 004139F9
保存后即可