PassMark PerformanceTest使用TRW2000+UE爆破思路
首先用 TRW2000 载入程序,停留在程序入口处,然后开始不停的按 F10 单步跟踪……//******************** Program Entry Point ********
.
.
.
* Reference To: KERNEL32.GetModuleHandleA, Ord:0126h
|
:00416B34 FF1520314200 Call dword ptr
:00416B3A 50 push eax
:00416B3B E8302AFFFF call 00409570<---- 这里跳出注册窗,F8 跟进
:00416B40 8945A0 mov dword ptr , eax
:00416B43 50 push eax
:00416B44 E8D9F9FFFF call 00416522
:00416B49 8B45EC mov eax, dword ptr
:00416B4C 8B08 mov ecx, dword ptr
:00416B4E 8B09 mov ecx, dword ptr
:00416B50 894D98 mov dword ptr , ecx
:00416B53 50 push eax
:00416B54 51 push ecx
:00416B55 E802570000 call 0041C25C
:00416B5A 59 pop ecx
:00416B5B 59 pop ecx
:00416B5C C3 ret
重新载入,按 F8 跟进 call 00409570,继续按 F10 单步跟踪……
.
.
.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409973(C)
|
:0040997D 8B0DC0144400 mov ecx, dword ptr
:00409983 8B742414 mov esi, dword ptr
:00409987 33C0 xor eax, eax
:00409989 83F910 cmp ecx, 00000010
:0040998C 0F9DC0 setnl al
:0040998F 3BF3 cmp esi, ebx
:00409991 A388144400 mov dword ptr , eax
:00409996 7410 je 004099A8
:00409998 8BCE mov ecx, esi
:0040999A E861550000 call 0040EF00
:0040999F 56 push esi
:004099A0 E883B80000 call 00415228
:004099A5 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409996(C)
|
:004099A8 E8A3480000 call 0040E250<---- 这里跳出注册窗,F8 跟进
:004099AD 85C0 test eax, eax
:004099AF 750C jne 004099BD
:004099B1 E85A200000 call 0040BA10
:004099B6 53 push ebx
重新载入,按 F8 跟进 call 0040E250,按 F10 单步跟踪……
* Possible StringData Ref from Data Obj ->"2旒"
|
:0040E250 C705F81F440040B34200 mov dword ptr , 0042B340
:0040E25A C705F41F440000000000 mov dword ptr , 00000000
:0040E264 E8C7000000 call 0040E330<---- 这里跳出注册窗。跟踪到这里的时候,我已经
没什么耐心了,而且我在下面发现了一些重要
的提示……
:0040E269 83F801 cmp eax, 00000001
:0040E26C 7501 jne 0040E26F
:0040E26E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E26C(C)
|
:0040E26F 83F803 cmp eax, 00000003
:0040E272 0F84A7000000 je 0040E31F
:0040E278 833DF41F44000F cmp dword ptr , 0000000F
:0040E27F 7523 jne 0040E2A4
:0040E281 6A30 push 00000030
* Reference To: USER32.MessageBeep, Ord:01BDh
|
:0040E283 FF15F8324200 Call dword ptr
:0040E289 A1C41A4400 mov eax, dword ptr
:0040E28E 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"Date / Time Error"
|
:0040E290 6804B44200 push 0042B404
* Possible StringData Ref from Data Obj ->"The date and time on this machine "<--程序记录了使用
->"is earlier than when
the program " 时间,所以修改
->"was previously run. In order to " 系统时间以延长
->"enforce the
unregistered version's " 使用期是没用的
->"eval period, this is not be allowed"
|
:0040E295 6858B34200 push 0042B358
:0040E29A 50 push eax
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040E29B FF1584324200 Call dword ptr
:0040E2A1 33C0 xor eax, eax
:0040E2A3 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E27F(C)
|
:0040E2A4 53 push ebx
:0040E2A5 56 push esi
:0040E2A6 57 push edi
* Possible StringData Ref from Data Obj ->"Dqqnq ctqhmf rs`qsto- Bgdbj vqhsd odqlhrrhnm h"
->"r `u`hk`akd hm sgd dwdbts`akd chqdbsnqx+ Bgdbj"
->" sgd jdx-c`s ehkd dwhrsr hm sgd dwdbts`akd ch"
->"qdbsnqx- Sqx sn tmhmrs`kk % qdhmrs`kk sgd rnes"
->"v`qd+ he oqnakdlr odqrhrs Bnms`bs9 vvv-o`rrl`q"
->"j-bnl enq rtoonqs Rs`qsto Dqqnq mtladq "
| ↑ 上面这些怪码是不是就是提示过期的信息,难怪
我查找不到。
:0040E2A7 68E8AF4200 push 0042AFE8
:0040E2AC E85FFFFFFF call 0040E210
* Possible StringData Ref from Data Obj ->"Dqqnq"
|
:0040E2B1 68ACB14200 push 0042B1AC
:0040E2B6 8BF0 mov esi, eax
:0040E2B8 E853FFFFFF call 0040E210
:0040E2BD 8BD8 mov ebx, eax
:0040E2BF 8BFE mov edi, esi
:0040E2C1 83C9FF or ecx, FFFFFFFF
:0040E2C4 33C0 xor eax, eax
:0040E2C6 F2 repnz
:0040E2C7 AE scasb
:0040E2C8 F7D1 not ecx
:0040E2CA 83C113 add ecx, 00000013
:0040E2CD 51 push ecx
:0040E2CE E81B6E0000 call 004150EE
:0040E2D3 83C40C add esp, 0000000C
:0040E2D6 8BF8 mov edi, eax
:0040E2D8 6A30 push 00000030
* Reference To: USER32.MessageBeep, Ord:01BDh
|
:0040E2DA FF15F8324200 Call dword ptr
:0040E2E0 8B0DF41F4400 mov ecx, dword ptr
:0040E2E6 51 push ecx
:0040E2E7 56 push esi
:0040E2E8 684CB34200 push 0042B34C
:0040E2ED 57 push edi
:0040E2EE E84D6B0000 call 00414E40
:0040E2F3 8B15C41A4400 mov edx, dword ptr
:0040E2F9 83C410 add esp, 00000010
:0040E2FC 6A10 push 00000010
:0040E2FE 53 push ebx
:0040E2FF 57 push edi
:0040E300 52 push edx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040E301 FF1584324200 Call dword ptr
:0040E307 56 push esi
:0040E308 E8F86C0000 call 00415005
:0040E30D 53 push ebx
:0040E30E E8F26C0000 call 00415005
:0040E313 57 push edi
:0040E314 E8EC6C0000 call 00415005
:0040E319 83C40C add esp, 0000000C
:0040E31C 5F pop edi
:0040E31D 5E pop esi
:0040E31E 5B pop ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E272(C)
|
:0040E31F 33C0 xor eax, eax
:0040E321 C3 ret
用 UltraEdit 查找 :0040E264 处的代码:
查找 E8 C7 00 00 00 83 F8 01 75 01
改为 90 90 90 90 90 90 90 90 90 90
为了尊重每一位原作者,YuLiLoo注意转载的时候不要用“原创”分类。
你的头像很霸气{:5_188:}
我就想问你的头像是不是秦始皇
[快捷回复]-学破解防逆向,知进攻懂防守! 此处应该有鼓励~ [快捷回复]-学破解防逆向,知进攻懂防守!
[快捷回复]-软件反汇编逆向分析,软件安全必不可少! 新技能已get√
页:
[1]
2