Crack write-up: 成功GTD (Success GTD) time-management software
I won't post the download link; search for it yourself. The version I used is 5.7. Once you have read this write-up you should be able to crack the other versions in seconds too. The program's shortcut points to GTDWidget.exe, but that file is only 868K, and this program has a great deal of functionality, so 868K cannot be the main executable. In the same folder there is a GTDOperator.exe of 22M, which is suspicious. Run it directly and the program starts, with exactly the same result as running GTDWidget.exe. So GTDOperator.exe is the main file, and that is what we crack.
Run the program and notice the words "未注册" (Unregistered) in the lower-left corner. Let's try a string search.
Load GTDOperator.exe into OD (OllyDbg) and search for strings. A single search this way turns up nothing useful. Instead, run the program inside OD, open the executable modules window, find GTDOperator.exe and double-click it to open its disassembly window. Now search for strings again, this time for "未注册". There are several hits; let's pull the code out at each of them and compare.
00D0A4EF|.8B38 mov edi,dword ptr ds:
00D0A4F1|.FF57 60 call dword ptr ds:
00D0A4F4|.807D FF 00 cmp byte ptr ss:,0x0
00D0A4F8|.74 06 je XGTDOpera.00D0A500
00D0A4FA|.807D FE 00 cmp byte ptr ss:,0x0
00D0A4FE|.74 2F je XGTDOpera.00D0A52F
00D0A500|>A1 78B4D400 mov eax,dword ptr ds:
00D0A505|.8B00 mov eax,dword ptr ds:
00D0A507|.8B10 mov edx,dword ptr ds:
00D0A509|.FF92 14010000 call dword ptr ds:
00D0A50F|.83F8 02 cmp eax,0x2
00D0A512|.7C 1B jl XGTDOpera.00D0A52F
00D0A514|.6A 10 push 0x10
00D0A516|.68 5CA5D000 push GTDOpera.00D0A55C ;提示 (Notice)
00D0A51B|.68 64A5D000 push GTDOpera.00D0A564 ;未注册版,最多只能创建2个项目,注册版无此限制 (The unregistered version can create at most 2 projects; the registered version has no such limit)
00D0A520|.8BC6 mov eax,esi

00C7FEFB|.FF57 5C call dword ptr ds:
00C7FEFE|.84C0 test al,al
00C7FF00|.74 3A je XGTDOpera.00C7FF3C
00C7FF02|.8D55 E4 lea edx,
00C7FF05|.8B06 mov eax,dword ptr ds:
00C7FF07|.8B08 mov ecx,dword ptr ds:
00C7FF09|.FF51 48 call dword ptr ds:
00C7FF0C|.8B55 E4 mov edx,
00C7FF0F|.8D4D FE lea ecx,dword ptr ss:
00C7FF12|.8B06 mov eax,dword ptr ds:
00C7FF14|.8B38 mov edi,dword ptr ds:
00C7FF16|.FF57 60 call dword ptr ds:
00C7FF19|.84C0 test al,al
00C7FF1B|.75 1F jnz XGTDOpera.00C7FF3C
00C7FF1D|.BA B8FFC700 mov edx,GTDOpera.00C7FFB8 ;已注册 (Registered)
00C7FF22|.8B83 A8030000 mov eax,dword ptr ds:
00C7FF28|.E8 3F407FFF call GTDOpera.00473F6C
00C7FF2D|.33D2 xor edx,edx
00C7FF2F|.8B83 8C030000 mov eax,dword ptr ds:
00C7FF35|.8B08 mov ecx,dword ptr ds:
00C7FF37|.FF51 68 call dword ptr ds:
00C7FF3A|.EB 48 jmp XGTDOpera.00C7FF84
00C7FF3C|>8B06 mov eax,dword ptr ds:
00C7FF3E|.8B10 mov edx,dword ptr ds:
00C7FF40|.FF52 70 call dword ptr ds:
00C7FF43|.83F8 64 cmp eax,0x64
00C7FF46|.7C 1F jl XGTDOpera.00C7FF67
00C7FF48|.BA C8FFC700 mov edx,GTDOpera.00C7FFC8 ;注册码已经失效 (Registration code has expired)
00C7FF4D|.8B83 A8030000 mov eax,dword ptr ds:
00C7FF53|.E8 14407FFF call GTDOpera.00473F6C
00C7FF58|.B2 01 mov dl,0x1
00C7FF5A|.8B83 8C030000 mov eax,dword ptr ds:
00C7FF60|.8B08 mov ecx,dword ptr ds:
00C7FF62|.FF51 68 call dword ptr ds:
00C7FF65|.EB 1D jmp XGTDOpera.00C7FF84
00C7FF67|>BA E0FFC700 mov edx,GTDOpera.00C7FFE0 ;未注册 (Unregistered)
00C7FF6C|.8B83 A8030000 mov eax,dword ptr ds:
00C7FF72|.E8 F53F7FFF call GTDOpera.00473F6C
00C7FF77|.B2 01 mov dl,0x1

00CE4C36|.8D4D FE lea ecx,dword ptr ss:
00CE4C39|.A1 78B4D400 mov eax,dword ptr ds:
00CE4C3E|.8B00 mov eax,dword ptr ds:
00CE4C40|.8B30 mov esi,dword ptr ds:
00CE4C42|.FF56 60 call dword ptr ds:
00CE4C45|.807D FF 00 cmp byte ptr ss:,0x0
00CE4C49|.74 06 je XGTDOpera.00CE4C51
00CE4C4B|.807D FE 00 cmp byte ptr ss:,0x0
00CE4C4F|.74 1B je XGTDOpera.00CE4C6C
00CE4C51|>6A 40 push 0x40
00CE4C53|.68 BC4CCE00 push GTDOpera.00CE4CBC ;提示 (Notice)
00CE4C58|.68 C44CCE00 push GTDOpera.00CE4CC4 ;未注册版不能同步数据,注册之后无此限制 (The unregistered version cannot sync data; after registering there is no such limit)
00CE4C5D|.8BC3 mov eax,ebx
00CE4C5F|.E8 4C7479FF call GTDOpera.0047C0B0
00CE4C64|.50 push eax ; |hOwner
00CE4C65|.E8 664C72FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00CE4C6A|.EB 25 jmp XGTDOpera.00CE4C91
00CE4C6C|>8BC3 mov eax,ebx
00CE4C6E|.E8 3D7479FF call GTDOpera.0047C0B0

00CE6D65|.8B30 mov esi,dword ptr ds:
00CE6D67|.FF56 60 call dword ptr ds:
00CE6D6A|.807D FF 00 cmp byte ptr ss:,0x0
00CE6D6E|.74 06 je XGTDOpera.00CE6D76
00CE6D70|.807D FE 00 cmp byte ptr ss:,0x0
00CE6D74|.74 1F je XGTDOpera.00CE6D95
00CE6D76|>8B83 58080000 mov eax,dword ptr ds:
00CE6D7C|.8B80 08030000 mov eax,dword ptr ds:
00CE6D82|.33D2 xor edx,edx
00CE6D84|.E8 3365A8FF call GTDOpera.0076D2BC
00CE6D89|.BA E46DCE00 mov edx,GTDOpera.00CE6DE4 ;已注册 (Registered)
00CE6D8E|.E8 3D64A8FF call GTDOpera.0076D1D0
00CE6D93|.EB 1D jmp XGTDOpera.00CE6DB2
00CE6D95|>8B83 58080000 mov eax,dword ptr ds:
00CE6D9B|.8B80 08030000 mov eax,dword ptr ds:
00CE6DA1|.33D2 xor edx,edx
00CE6DA3|.E8 1465A8FF call GTDOpera.0076D2BC
00CE6DA8|.BA F46DCE00 mov edx,GTDOpera.00CE6DF4 ;未注册 (Unregistered)

The first method is carpet bombing: JMP past every "unregistered" site. That is what I used to do.
The second method is to find the key CALL and change the value it produces directly.
Below I go through the second method.
Taking all the string hits above together, they fall into roughly two kinds.
The first kind looks like this:
00D0A4F4|.807D FF 00 cmp byte ptr ss:,0x0
00D0A4F8|.74 06 je XGTDOpera.00D0A500
00D0A4FA|.807D FE 00 cmp byte ptr ss:,0x0
00D0A4FE|.74 2F je XGTDOpera.00D0A52F
It compares two values and then makes two jumps depending on them.
The second kind looks like this:
00C7FEFB|.FF57 5C call dword ptr ds:
00C7FEFE|.84C0 test al,al
00C7FF00|.74 3A je XGTDOpera.00C7FF3C
00C7FF02|.8D55 E4 lea edx,
00C7FF05|.8B06 mov eax,dword ptr ds:
00C7FF07|.8B08 mov ecx,dword ptr ds:
00C7FF09|.FF51 48 call dword ptr ds:
00C7FF0C|.8B55 E4 mov edx,
00C7FF0F|.8D4D FE lea ecx,dword ptr ss:
00C7FF12|.8B06 mov eax,dword ptr ds:
00C7FF14|.8B38 mov edi,dword ptr ds:
00C7FF16|.FF57 60 call dword ptr ds:
00C7FF19|.84C0 test al,al
00C7FF1B|.75 1F jnz XGTDOpera.00C7FF3C
00C7FF1D|.BA B8FFC700 mov edx,GTDOpera.00C7FFB8 ;已注册 (Registered)
00C7FF22|.8B83 A8030000 mov eax,dword ptr ds:
00C7FF28|.E8 3F407FFF call GTDOpera.00473F6C
00C7FF2D|.33D2 xor edx,edx
00C7FF2F|.8B83 8C030000 mov eax,dword ptr ds:
00C7FF35|.8B08 mov ecx,dword ptr ds:
00C7FF37|.FF51 68 call dword ptr ds:
00C7FF3A|.EB 48 jmp XGTDOpera.00C7FF84
00C7FF3C|>8B06 mov eax,dword ptr ds:
00C7FF3E|.8B10 mov edx,dword ptr ds:
00C7FF40|.FF52 70 call dword ptr ds:
00C7FF43|.83F8 64 cmp eax,0x64
00C7FF46|.7C 1F jl XGTDOpera.00C7FF67
00C7FF48|.BA C8FFC700 mov edx,GTDOpera.00C7FFC8 ;注册码已经失效 (Registration code has expired)
The first kind, the comparison of two values, is troublesome to trace. (I did trace it: two CALLs set the two values, but even after patching both CALLs it did not work.)
The second kind is two CALLs, each followed by a key jump.
I simply set a breakpoint at 00C7FE58, the start of the function containing the two CALLs. The strings "注册码已失效", "已注册" and "未注册" all sit nearby, so this is the module behind the registration window, and clicking Register breaks there immediately.
After breaking at 00C7FE58, single-step to
00C7FED6|.8B38 mov edi,dword ptr ds:
00C7FED8|.FF57 60 call dword ptr ds:
00C7FEDB|.807D FF 00 cmp byte ptr ss:,0x0
00C7FEDF|.74 5B je XGTDOpera.00C7FF3C
00C7FEE1|.807D FE 00 cmp byte ptr ss:,0x0
00C7FEE5|.75 55 jnz XGTDOpera.00C7FF3C
00C7FEE7|.8D55 E8 lea edx,
Here it jumps straight past "registered" and past the two key CALLs as well, so first change the flag so that it does not jump (before registering or cracking, this branch may not be taken anyway),
then step into 00C7FF16|.FF57 60 call dword ptr ds:
0067F795 .05 6CFFFFFF add eax,-0x94
0067F79A .E9 F14E0000 jmp GTDOpera.00684690
00684690/> \55 push ebp
00684691|.8BEC mov ebp,esp
00684693|.51 push ecx
00684694|.B9 05000000 mov ecx,0x5
00684699|>6A 00 /push 0x0
0068469B|.6A 00 |push 0x0
0068469D|.49 |dec ecx
0068469E|.^ 75 F9 \jnz XGTDOpera.00684699
006846A0|.51 push ecx
006846A1|.874D FC xchg ,ecx
006846A4|.53 push ebx
006846A5|.56 push esi
006846A6|.57 push edi
006846A7|.894D EC mov ,ecx
006846AA|.8955 FC mov ,edx
006846AD|.8BF0 mov esi,eax
006846AF|.8B45 FC mov eax,
006846B2|.E8 7D16D8FF call GTDOpera.00405D34
006846B7|.33C0 xor eax,eax
006846B9|.55 push ebp
006846BA|.68 42486800 push GTDOpera.00684842
006846BF|.64:FF30 push dword ptr fs:
006846C2|.64:8920 mov dword ptr fs:,esp
006846C5|.8B45 EC mov eax,
006846C8|.C600 00 mov byte ptr ds:,0x0
006846CB|.33DB xor ebx,ebx
006846CD|.E8 6EC1F8FF call GTDOpera.00610840
006846D2|.8D55 F8 lea edx,
006846D5|.8BC6 mov eax,esi
006846D7|.E8 FCFAFFFF call GTDOpera.006841D8
006846DC|.8B55 F8 mov edx,
006846DF|.8BC2 mov eax,edx
006846E1|.85C0 test eax,eax
006846E3|.74 05 je XGTDOpera.006846EA
006846E5|.83E8 04 sub eax,0x4
006846E8|.8B00 mov eax,dword ptr ds:
006846EA|>83F8 03 cmp eax,0x3
006846ED|.7E 31 jle XGTDOpera.00684720
006846EF|.8BFA mov edi,edx
006846F1|.85FF test edi,edi
006846F3|.74 05 je XGTDOpera.006846FA
006846F5|.83EF 04 sub edi,0x4
006846F8|.8B3F mov edi,dword ptr ds:
006846FA|>8D45 DC lea eax,
006846FD|.50 push eax
006846FE|.8BD7 mov edx,edi
00684700|.83EA 03 sub edx,0x3
00684703|.42 inc edx
00684704|.B9 03000000 mov ecx,0x3
00684709|.8B45 F8 mov eax,
0068470C|.E8 9B16D8FF call GTDOpera.00405DAC
00684711|.8B45 DC mov eax,
00684714|.BA 5C486800 mov edx,GTDOpera.0068485C ;-V1
00684719|.E8 F272D8FF call GTDOpera.0040BA10
0068471E|.EB 02 jmp XGTDOpera.00684722
00684720|>33C0 xor eax,eax
00684722|>84C0 test al,al
00684724|.74 31 je XGTDOpera.00684757
00684726|.8B4D EC mov ecx,
00684729|.8B55 FC mov edx,
0068472C|.8B45 F8 mov eax,
0068472F|.E8 E8ADFFFF call GTDOpera.0067F51C
00684734|.8BD8 mov ebx,eax
00684736|.84DB test bl,bl
00684738|.74 10 je XGTDOpera.0068474A
0068473A|.8BC6 mov eax,esi
0068473C|.E8 2B0B0300 call GTDOpera.006B526C
00684741|.83F8 64 cmp eax,0x64
00684744|.0F8E CB000000 jle GTDOpera.00684815
0068474A|>33DB xor ebx,ebx
0068474C|.8B45 EC mov eax,
0068474F|.C600 00 mov byte ptr ds:,0x0
00684752|.E9 BE000000 jmp GTDOpera.00684815
00684757|>68 68486800 push GTDOpera.00684868 ;--
0068475C|.8B45 F8 mov eax,
0068475F|.50 push eax
00684760|.8D45 F0 lea eax,
00684763|.50 push eax
00684764|.E8 478EF8FF call GTDOpera.0060D5B0
00684769|.68 68486800 push GTDOpera.00684868 ;--
0068476E|.8B45 F8 mov eax,
00684771|.50 push eax
00684772|.8D45 D8 lea eax,
00684775|.50 push eax
00684776|.E8 A98DF8FF call GTDOpera.0060D524
0068477B|.8B55 D8 mov edx,
0068477E|.8D45 F8 lea eax,
00684781|.E8 B611D8FF call GTDOpera.0040593C
00684786|.8D45 F4 lea eax,
00684789|.8B55 FC mov edx,
0068478C|.E8 AB11D8FF call GTDOpera.0040593C
00684791|.8D55 D4 lea edx,
00684794|.8B45 F4 mov eax,
00684797|.E8 3CC0FEFF call GTDOpera.006707D8
0068479C|.8B55 D4 mov edx,
0068479F|.8D45 F4 lea eax,
006847A2|.E8 9511D8FF call GTDOpera.0040593C
006847A7|.68 68486800 push GTDOpera.00684868 ;--
006847AC|.8B45 F4 mov eax,
006847AF|.50 push eax
006847B0|.8D45 D0 lea eax,
006847B3|.50 push eax
006847B4|.E8 6B8DF8FF call GTDOpera.0060D524
006847B9|.8B55 D0 mov edx,
006847BC|.8D45 F4 lea eax,
006847BF|.E8 7811D8FF call GTDOpera.0040593C
006847C4|.8B45 F0 mov eax,
006847C7|.50 push eax
006847C8|.E8 438FF8FF call GTDOpera.0060D710
006847CD|.84C0 test al,al
006847CF|.75 21 jnz XGTDOpera.006847F2
006847D1|.6A 00 push 0x0
006847D3|.6A 00 push 0x0
006847D5|.6A 00 push 0x0
006847D7|.8B45 F0 mov eax,
006847DA|.E8 5DAFD8FF call GTDOpera.0040F73C
006847DF|.DD5D E0 fstp qword ptr ss:
006847E2|.9B wait
006847E3|.DD45 E0 fld qword ptr ss:
006847E6|.D81D 6C486800 fcomp dword ptr ds:
006847EC|.9B wait
006847ED|.DFE0 fstsw ax
006847EF|.9E sahf
006847F0|.77 28 ja XGTDOpera.0068481A
006847F2|>8B55 F4 mov edx,
006847F5|.8B45 F8 mov eax,
006847F8|.E8 1372D8FF call GTDOpera.0040BA10
006847FD|.84C0 test al,al
006847FF|.74 14 je XGTDOpera.00684815
00684801|.8BC6 mov eax,esi
00684803|.E8 640A0300 call GTDOpera.006B526C
00684808|.83F8 64 cmp eax,0x64
0068480B|.7F 08 jg XGTDOpera.00684815
0068480D|.8B45 EC mov eax,
00684810|.C600 01 mov byte ptr ds:,0x1
00684813|.B3 01 mov bl,0x1
00684815|>E8 26C0F8FF call GTDOpera.00610840
0068481A|>33C0 xor eax,eax
0068481C|.5A pop edx
0068481D|.59 pop ecx
0068481E|.59 pop ecx
0068481F|.64:8910 mov dword ptr fs:,edx
00684822|.68 49486800 push GTDOpera.00684849
00684827|>8D45 D0 lea eax,
0068482A|.BA 04000000 mov edx,0x4
0068482F|.E8 9410D8FF call GTDOpera.004058C8
00684834|.8D45 F0 lea eax,
00684837|.BA 04000000 mov edx,0x4
0068483C|.E8 8710D8FF call GTDOpera.004058C8
00684841\.C3 retn
00684842 .^ E9 ED07D8FF jmp GTDOpera.00405034
00684847 .^ EB DE jmp XGTDOpera.00684827
00684849 .8BC3 mov eax,ebx
0068484B .5F pop edi
0068484C .5E pop esi
0068484D .5B pop ebx
0068484E .8BE5 mov esp,ebp
00684850 .5D pop ebp
00684851 .C3 retn
We need EAX to be non-zero on return. Looking at 00684849 .8BC3 mov eax,ebx, that means EBX must be non-zero. After single-stepping through and analysing, it turns out that changing two jumps here (one JMP, one NOP) is all it takes:
00684720|>33C0 XOR EAX,EAX
00684722|>84C0 TEST AL,AL
00684724 EB 31 JMP SHORT 00684757 <- patched here (was 74 31 JE)
00684726|.8B4D EC MOV ECX,DWORD PTR SS:

006847F5|.8B45 F8 MOV EAX,DWORD PTR SS:
006847F8|.E8 1372D8FF CALL 0040BA10
006847FD|.84C0 TEST AL,AL
006847FF 90 NOP <- patched here (was 74 14 JE)
00684800 90 NOP
After the change, the later
00C7FF16|.FF57 60 call dword ptr ds:
00C7FF19|.84C0 test al,al
00C7FF1B|.75 1F jnz XGTDOpera.00C7FF3C
no longer jumps either.
Save and run. Done, it works; we found the right key CALL.
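An added illustration from the defender's side (this is not code from the original post or from the software's authors): the whole registration check above collapses to two conditional jumps, and the crack is four bytes, two at 00684724 and two at 006847FF. That is precisely what a code-integrity check over the protected function should catch. The script below parses OllyDbg-style listing lines into a sparse byte map, diffs an original listing against a patched one to locate changed bytes, and hashes a region so a mismatch can be flagged. The listing lines are constructed from the addresses and opcode bytes quoted in this post; the bracketed operands, which the page extraction dropped, are decoded from the opcode bytes here and are ignored by the parser in any case.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample: OllyDbg-style lines for the two branch sites discussed
# in the post (around 00684720 and 006847FD), before patching.
ORIGINAL_LISTING = """
00684720|>33C0 xor eax,eax
00684722|>84C0 test al,al
00684724|.74 31 je XGTDOpera.00684757
00684726|.8B4D EC mov ecx,dword ptr ss:[ebp-0x14]
006847FD|.84C0 test al,al
006847FF|.74 14 je XGTDOpera.00684815
00684801|.8BC6 mov eax,esi
"""

# Constructed sample: the same sites after the patch described in the post
# (je -> jmp short at 00684724, je -> two NOPs at 006847FF).
PATCHED_LISTING = """
00684720|>33C0 xor eax,eax
00684722|>84C0 test al,al
00684724 EB 31 jmp short 00684757
00684726|.8B4D EC mov ecx,dword ptr ss:[ebp-0x14]
006847FD|.84C0 test al,al
006847FF 90 nop
00684800 90 nop
00684801|.8BC6 mov eax,esi
"""

# Address, then OD's optional column markers (| / \ . >), then the rest.
LINE_RE = re.compile(r"^([0-9A-F]{8})\s*[|/\\]?[.>]?\s*(.*)$")
# Opcode bytes are uppercase hex pairs; mnemonics are lowercase, so a token
# like "dec" or "add" never matches.
HEX_TOKEN = re.compile(r"^(?:[0-9A-F]{2})+$")


def parse_listing(text: str) -> Dict[int, int]:
    """Turn an OllyDbg listing into a sparse {address: byte} map.
    Each line contributes its opcode bytes starting at its own address."""
    image: Dict[int, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        addr = int(m.group(1), 16)
        opcode = bytearray()
        for tok in m.group(2).split():
            tok = tok.lstrip("\\^")  # OD's branch-arrow glyphs
            if not tok:
                continue
            if not HEX_TOKEN.match(tok):
                break  # first non-hex token is the mnemonic
            opcode += bytes.fromhex(tok)
        for offset, value in enumerate(opcode):
            image[addr + offset] = value
    return image


def diff_images(original: Dict[int, int],
                patched: Dict[int, int]) -> List[Tuple[int, int, int]]:
    """Return (address, original_byte, patched_byte) for every address whose
    byte differs. An address present in only one image is reported as -1."""
    changes = []
    for addr in sorted(set(original) | set(patched)):
        a = original.get(addr, -1)
        b = patched.get(addr, -1)
        if a != b:
            changes.append((addr, a, b))
    return changes


def region_digest(image: Dict[int, int], start: int, end: int) -> str:
    """SHA-256 over [start, end); gaps in a sparse image count as 0x00 so the
    digest is well defined for partial dumps."""
    data = bytes(image.get(a, 0) for a in range(start, end))
    return hashlib.sha256(data).hexdigest()


def check_integrity(reference_text: str, candidate_text: str,
                    start: int, end: int) -> bool:
    """True when the candidate's bytes in [start, end) match the reference."""
    ref = region_digest(parse_listing(reference_text), start, end)
    cand = region_digest(parse_listing(candidate_text), start, end)
    return ref == cand


if __name__ == "__main__":
    orig = parse_listing(ORIGINAL_LISTING)
    pat = parse_listing(PATCHED_LISTING)
    for addr, before, after in diff_images(orig, pat):
        print(f"{addr:08X}: {before:02X} -> {after:02X}")
    print("intact:", check_integrity(ORIGINAL_LISTING, PATCHED_LISTING,
                                     0x684720, 0x684803))
```

The same diff works on two raw dumps of the code section, and the digest is what a program would compare against a value it protects elsewhere; the point the post makes is that once the decision is a single `test al,al`, only an integrity check of the code itself stands between the jump and "registered".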
Reading it slowly.
Finally found a way to crack it.
Thanks OP, learned it.
Nice.
Perfect crack! Thanks for sharing.
This post was last edited by freewold on 2011-11-4 14:55.
Once you find the key CALL, changing the two jumps is all it takes. You do have to delete the update file, though, otherwise a dialog pops up saying the unregistered version cannot auto-update.
Nice, a successful patch.
Haha, tested and working. Thank you.
Nice, I could follow it.