【Title】 开目CAD2005 --- cracking analysis of the Enterprise Resource Manager (企业资源管理器)
【Author】 WGC3306 [CZG] 04.09.18
【Author email】 WGC3306@163.com  QQ: 24803353
【Tools used】 TRW2000
【Platform】 WinME
【Software name】 Enterprise Resource Manager (企业资源管理器)
【Download URL】
【Software description】
【Software size】
【Purpose】 I like this software, and a friend asked for it. Everyone should still support domestic software.
【Declaration】 I am just a newbie; I picked up a little insight and would like to share it with everyone ^-^
----------------------------------------------------------------------
【Cracking details】

Run TRW2000, set a breakpoint with BPX DEVICEIOCONTROL, F5, then run the Enterprise Resource Manager. It breaks; press F12 N times until the "no dongle" message box appears. Click OK, return to TRW2000 and scroll up to the code below. You can see 006C985E E8BB50D4FF Call 0040E91E, the CALL that produces the error. All we need now is to look upward for a place that can jump past this point. Keep going up until :006C9636 0F8544020000 jne 006C9880, the key jump: when it is taken, we succeed.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006C9418(U), :006C952D(U), :006C95AB(U), :006C9629(U)
|
:006C9630 0FBF45D8                movsx eax, word ptr [ebp-28]
:006C9634 85C0                    test eax, eax -------------------- note: EAX = 0 here
:006C9636 0F8544020000            jne 006C9880 --------------------- key jump: taking it means success
:006C963C 833D78FC710000          cmp dword ptr [0071FC78], 00000000
:006C9643 751B                    jne 006C9660
:006C9645 6878FC7100              push 0071FC78
:006C964A 68D4A54300              push 0043A5D4

* Reference To: MSVBVM60.__vbaNew2, Ord:0000h
|
:006C964F E86E51D4FF              Call 0040E7C2
:006C9654 C7853CFEFFFF78FC7100    mov dword ptr [ebp+FFFFFE3C], 0071FC78
:006C965E EB0A                    jmp 006C966A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C9643(C)
|
:006C9660 C7853CFEFFFF78FC7100    mov dword ptr [ebp+FFFFFE3C], 0071FC78

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C965E(U)
|
:006C966A 8B853CFEFFFF            mov eax, dword ptr [ebp+FFFFFE3C]
:006C9670 8B00                    mov eax, dword ptr [eax]
:006C9672 8985D8FEFFFF            mov dword ptr [ebp+FFFFFED8], eax
:006C9678 833D90D8710000          cmp dword ptr [0071D890], 00000000
:006C967F 751B                    jne 006C969C
:006C9681 6890D87100              push 0071D890
:006C9686 687CF54000              push 0040F57C

* Reference To: MSVBVM60.__vbaNew2, Ord:0000h
|
:006C968B E83251D4FF              Call 0040E7C2
:006C9690 C78538FEFFFF90D87100    mov dword ptr [ebp+FFFFFE38], 0071D890
:006C969A EB0A                    jmp 006C96A6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C967F(C)
|
:006C969C C78538FEFFFF90D87100    mov dword ptr [ebp+FFFFFE38], 0071D890

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C969A(U)
|
:006C96A6 8B8538FEFFFF            mov eax, dword ptr [ebp+FFFFFE38]
:006C96AC FF30                    push dword ptr [eax]
:006C96AE 8D8564FFFFFF            lea eax, dword ptr [ebp+FFFFFF64]
:006C96B4 50                      push eax

* Reference To: MSVBVM60.__vbaObjSetAddref, Ord:0000h
|
:006C96B5 E83251D4FF              Call 0040E7EC
:006C96BA 50                      push eax
:006C96BB 8B85D8FEFFFF            mov eax, dword ptr [ebp+FFFFFED8]
:006C96C1 8B00                    mov eax, dword ptr [eax]
:006C96C3 FFB5D8FEFFFF            push dword ptr [ebp+FFFFFED8]
:006C96C9 FF5010                  call [eax+10]
:006C96CC DBE2                    fclex
:006C96CE 8985D4FEFFFF            mov dword ptr [ebp+FFFFFED4], eax
:006C96D4 83BDD4FEFFFF00          cmp dword ptr [ebp+FFFFFED4], 00000000
:006C96DB 7D20                    jge 006C96FD
:006C96DD 6A10                    push 00000010
:006C96DF 68C4A54300              push 0043A5C4
:006C96E4 FFB5D8FEFFFF            push dword ptr [ebp+FFFFFED8]
:006C96EA FFB5D4FEFFFF            push dword ptr [ebp+FFFFFED4]

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:006C96F0 E81B51D4FF              Call 0040E810
:006C96F5 898534FEFFFF            mov dword ptr [ebp+FFFFFE34], eax
:006C96FB EB07                    jmp 006C9704

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C96DB(C)
|
:006C96FD 83A534FEFFFF00          and dword ptr [ebp+FFFFFE34], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C96FB(U)
|
:006C9704 8D8D64FFFFFF            lea ecx, dword ptr [ebp+FFFFFF64]

* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:006C970A E8D750D4FF              Call 0040E7E6
:006C970F 8B55C8                  mov edx, dword ptr [ebp-38]
:006C9712 8D8DBCFEFFFF            lea ecx, dword ptr [ebp+FFFFFEBC]

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:006C9718 E85351D4FF              Call 0040E870
:006C971D FFB5BCFEFFFF            push dword ptr [ebp+FFFFFEBC]
:006C9723 68CCB64300              push 0043B6CC

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:006C9728 E8C151D4FF              Call 0040E8EE
:006C972D 85C0                    test eax, eax
:006C972F 753C                    jne 006C976D
:006C9731 6884C54400              push 0044C584
:006C9736 FF3518D17100            push dword ptr [0071D118]

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C973C E8B951D4FF              Call 0040E8FA
:006C9741 8BD0                    mov edx, eax
:006C9743 8D4D8C                  lea ecx, dword ptr [ebp-74]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C9746 E88350D4FF              Call 0040E7CE
:006C974B 50                      push eax
:006C974C 68A8C54400              push 0044C5A8

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C9751 E8A451D4FF              Call 0040E8FA
:006C9756 8BD0                    mov edx, eax
:006C9758 8D4DDC                  lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C975B E86E50D4FF              Call 0040E7CE
:006C9760 8D4D8C                  lea ecx, dword ptr [ebp-74]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:006C9763 E86050D4FF              Call 0040E7C8
:006C9768 E984000000              jmp 006C97F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C972F(C)
|
:006C976D FFB5BCFEFFFF            push dword ptr [ebp+FFFFFEBC]
:006C9773 6878C54400              push 0044C578

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:006C9778 E87151D4FF              Call 0040E8EE
:006C977D 85C0                    test eax, eax
:006C977F 7539                    jne 006C97BA
:006C9781 68B0C54400              push 0044C5B0
:006C9786 FF3518D17100            push dword ptr [0071D118]

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C978C E86951D4FF              Call 0040E8FA
:006C9791 8BD0                    mov edx, eax
:006C9793 8D4D8C                  lea ecx, dword ptr [ebp-74]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C9796 E83350D4FF              Call 0040E7CE
:006C979B 50                      push eax
:006C979C 68A8C54400              push 0044C5A8

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C97A1 E85451D4FF              Call 0040E8FA
:006C97A6 8BD0                    mov edx, eax
:006C97A8 8D4DDC                  lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C97AB E81E50D4FF              Call 0040E7CE
:006C97B0 8D4D8C                  lea ecx, dword ptr [ebp-74]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:006C97B3 E81050D4FF              Call 0040E7C8
:006C97B8 EB37                    jmp 006C97F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C977F(C)
|
:006C97BA 68D4C54400              push 0044C5D4
:006C97BF FF3518D17100            push dword ptr [0071D118]

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C97C5 E83051D4FF              Call 0040E8FA
:006C97CA 8BD0                    mov edx, eax
:006C97CC 8D4D8C                  lea ecx, dword ptr [ebp-74]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C97CF E8FA4FD4FF              Call 0040E7CE
:006C97D4 50                      push eax
:006C97D5 68A8C54400              push 0044C5A8

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C97DA E81B51D4FF              Call 0040E8FA
:006C97DF 8BD0                    mov edx, eax
:006C97E1 8D4DDC                  lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C97E4 E8E54FD4FF              Call 0040E7CE
:006C97E9 8D4D8C                  lea ecx, dword ptr [ebp-74]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:006C97EC E8D74FD4FF              Call 0040E7C8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006C9768(U), :006C97B8(U)
|
:006C97F1 C7854CFFFFFF04000280    mov dword ptr [ebp+FFFFFF4C], 80020004
:006C97FB C78544FFFFFF0A000000    mov dword ptr [ebp+FFFFFF44], 0000000A
:006C9805 C7855CFFFFFF04000280    mov dword ptr [ebp+FFFFFF5C], 80020004
:006C980F C78554FFFFFF0A000000    mov dword ptr [ebp+FFFFFF54], 0000000A
:006C9819 C7850CFFFFFF18D17100    mov dword ptr [ebp+FFFFFF0C], 0071D118
:006C9823 C78504FFFFFF08400000    mov dword ptr [ebp+FFFFFF04], 00004008
:006C982D 8D45DC                  lea eax, dword ptr [ebp-24]
:006C9830 89851CFFFFFF            mov dword ptr [ebp+FFFFFF1C], eax
:006C9836 C78514FFFFFF08400000    mov dword ptr [ebp+FFFFFF14], 00004008
:006C9840 8D8544FFFFFF            lea eax, dword ptr [ebp+FFFFFF44]
:006C9846 50                      push eax
:006C9847 8D8554FFFFFF            lea eax, dword ptr [ebp+FFFFFF54]
:006C984D 50                      push eax
:006C984E 8D8504FFFFFF            lea eax, dword ptr [ebp+FFFFFF04]
:006C9854 50                      push eax
:006C9855 6A10                    push 00000010
:006C9857 8D8514FFFFFF            lea eax, dword ptr [ebp+FFFFFF14]
:006C985D 50                      push eax

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:006C985E E8BB50D4FF              Call 0040E91E -------- the CALL that produces the error, "... dongle not found"
:006C9863 8D8544FFFFFF            lea eax, dword ptr [ebp+FFFFFF44]
:006C9869 50                      push eax
:006C986A 8D8554FFFFFF            lea eax, dword ptr [ebp+FFFFFF54]
:006C9870 50                      push eax
:006C9871 6A02                    push 00000002

Following the analysis above, we change the key jump and run it: OK, success. But startup is far too slow, which clearly means there is a CALL that probes for the dongle. We continue; the goal now is to find the dongle-probing CALL and kill it. It should be easy to find: run TRW2000, set BPX DEVICEIOCONTROL, F5, run the Enterprise Resource Manager, it breaks, then PMODULE until we are in KmRes.exe's address space. After a long stretch of dongle probing it returns to TRW2000; scroll up to find the dongle-probing CALL in the code below, at 00627664 E8EB22E2FF call 00449954.

* Reference To: MSVBVM60.__vbaFpI4, Ord:0000h
|
:00627653 E84E72DEFF              Call 0040E8A6
:00627658 8945F4                  mov dword ptr [ebp-0C], eax
:0062765B FF7510                  push [ebp+10]
:0062765E FF750C                  push [ebp+0C]
:00627661 FF7508                  push [ebp+08]
:00627664 E8EB22E2FF              call 00449954 --------------------------- dongle-probing CALL, kill it!
:00627669 8945F0                  mov dword ptr [ebp-10], eax

* Reference To: MSVBVM60.__vbaSetSystemError, Ord:0000h

Cracking summary:
Patch: at 006C9636 0F8544020000 jne 006C9880, change 0F8544020000 to 0F8444020000;
at 00627664 E8EB22E2FF call 00449954, change E8EB22E2FF to 9090909090. That is all!

【Copyright notice】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
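The two modifications in the summary are the classic tamper patterns against a single-point protection check: flipping the low bit of a two-byte Jcc opcode (0F 85 JNE becomes 0F 84 JE, rel32 unchanged) and overwriting a five-byte CALL with NOPs. The following Python is an added example, not part of the write-up or of the vendor's code; it decodes the rel32 branch and call targets quoted in the listing (confirming jne 006C9880, call 00449954 and Call 0040E91E from their hex) and classifies whether a check site still holds its original bytes or carries one of those two patches. This is the self-check a vendor would run over its own shipped binary to detect the tampering described. The byte samples are constructed from the listing's hex; the addresses are the listing's virtual addresses, and no file is read.

```python
"""Decode rel32 branch/call targets and detect the two patch patterns
(Jcc opcode flip, CALL -> NOP sled) at known protection-check sites.
Added example; sample bytes constructed from the write-up's listing."""
import struct

NOP = 0x90


def rel32_target(code: bytes, offset: int, base_va: int) -> int:
    """Absolute target of the rel32 branch/call whose first byte is code[offset].
    Handles the two-byte 0F 8x Jcc form and the one-byte E8 (call) / E9 (jmp) form.
    base_va is the virtual address of code[0]."""
    op = code[offset]
    if op == 0x0F:
        opcode_len = 2
    elif op in (0xE8, 0xE9):
        opcode_len = 1
    else:
        raise ValueError(f"no rel32 branch/call at offset {offset:#x}: {op:#04x}")
    rel = struct.unpack_from("<i", code, offset + opcode_len)[0]   # signed 32-bit displacement
    next_ip = base_va + offset + opcode_len + 4                   # rel32 is relative to the next instruction
    return (next_ip + rel) & 0xFFFFFFFF


def classify_site(code: bytes, offset: int, expected: bytes) -> str:
    """Compare the bytes at code[offset] with the bytes the original check site
    should contain.  Returns 'intact', 'jcc-inverted', 'call-nopped',
    'truncated' or 'modified'."""
    actual = code[offset:offset + len(expected)]
    if len(actual) < len(expected):
        return "truncated"
    if actual == expected:
        return "intact"
    # Two-byte Jcc: flipping bit 0 of the second opcode byte inverts the
    # condition (0F 85 JNE <-> 0F 84 JE) while the rel32 stays the same.
    if (expected[0] == 0x0F and actual[0] == 0x0F
            and actual[1] == expected[1] ^ 0x01
            and actual[2:] == expected[2:]):
        return "jcc-inverted"
    # Five-byte CALL replaced by five NOPs.
    if expected[0] == 0xE8 and actual == bytes([NOP]) * len(expected):
        return "call-nopped"
    return "modified"


# Constructed samples taken from the listing's hex: each site as the listing
# shows it, plus the two patched forms the write-up's summary describes.
SITE_JNE_VA, SITE_JNE = 0x006C9636, bytes.fromhex("0F8544020000")      # jne 006C9880
SITE_CALL_VA, SITE_CALL = 0x00627664, bytes.fromhex("E8EB22E2FF")      # call 00449954
SITE_MSGBOX_VA, SITE_MSGBOX = 0x006C985E, bytes.fromhex("E8BB50D4FF")  # Call 0040E91E (rtcMsgBox)
PATCHED_JNE = bytes.fromhex("0F8444020000")
PATCHED_CALL = bytes.fromhex("9090909090")


def audit() -> dict:
    """Decode the quoted targets and classify original vs patched sites."""
    return {
        "jne_target": rel32_target(SITE_JNE, 0, SITE_JNE_VA),
        "call_target": rel32_target(SITE_CALL, 0, SITE_CALL_VA),
        "msgbox_target": rel32_target(SITE_MSGBOX, 0, SITE_MSGBOX_VA),
        "jne_original": classify_site(SITE_JNE, 0, SITE_JNE),
        "jne_patched": classify_site(PATCHED_JNE, 0, SITE_JNE),
        "call_original": classify_site(SITE_CALL, 0, SITE_CALL),
        "call_patched": classify_site(PATCHED_CALL, 0, SITE_CALL),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name:14s} {value:#010x}" if isinstance(value, int) else f"{name:14s} {value}")
```

Decoding the targets from the raw hex is a useful sanity check on any disassembly listing: the displacement is relative to the end of the instruction, which is why the same rel32 survives the JNE-to-JE flip unchanged. Classifying against expected bytes at known sites is only a first line of defence; a protection that hinges on one flag test and one CALL fails to a single-byte edit, which is the lesson the write-up demonstrates.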