前言: 本帖不能让你一次性成为破解大侠。
但是我们通过各种实验来推演各种复杂的变化,落点,制造不同的结局。
就像玩五子棋一样,等跳转的运用,落子的时机,顺序,棋型,走位,最终影响胜率 的不同变数。
最终我们可以总结出各种公式化、实例化,具有某种特性和规律的东西,从中享受到破解的带来奇趣 艺术体验。无论学思路,还是编程都能从中得到最大的启示。
  • 强制去水印输出
  • 对比走位法去时间(利用x64dbg的插件)--->扩展分支:编程实现文件夹/文件/注册表键值的监控新技能和升级《法王版x64dbg走火入魔2.0版》
  • 授权的流程-->扩展分支:三度一体:编程实现《对比走位报告器2.0版》
  • 强制干翻ReportForm异常(利用软件的bug)
  • 解除文档为只读(编程抽码法)
  • 去恶心提醒label(让软件崩溃)
  • 意外获得的宝藏(伯乐识宝马篇)
  • 额外的启迪与思考

每天晚上继续更新传奇故事:
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
这是els PJ网站上极其牛逼的软件;作为为数及其少的所见所得的CHM编辑软件,它是唯一的一款完整版的。
另外我知道的那款叫CHMEditor不少坑爹网站都用Demo版修改而成的。而今天咱们说的这个主角,则是完全版的哟~~
另外再给大家科普下,CHM编辑类软件无非分为3种:
  • 第1 种是解包后编辑,诸如国内知名的SuperCHM, EasyCHM。。。太多了。
  • 第2种就是咱们上面提到的。
  • 第3种编辑转码或另存输出的

但是前面说的该网站上面给出的不少爆破品不少是坑爹的,是经不起时间的考验的。
我下载的算是比较新的版本吧,但是安装输出一个chm之后就会发现注册成功是假的;因为输出有乱码字符+随机水印。
于是又找零下七度表哥要了一个比较老的绿色注册版的测试;结果发现一旦输出同样有上述问题,所以,还是自己动手的最靠谱。
毕竟又有乐子,还有成就感,那自己做主的感觉就是好啊,想怎么修改就怎么修改。下面截图请出今天的主角来吧。
这个软件比较拖沓的研究了几个月时间吧,算是一个总结和交待吧,几天是不太可能全部交待明白的。所以边编辑,边修改,边总结,边说明吧。
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第1章功能限制汇总与Delphi编程实现的遐想
配图
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
粉圈1 2 3  授权key、试用过期、未注册评估字样(其中圈3又与关于中调用的内容相同)
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
未注册发布的页面 圈 4
图圈 5(以发布*.chm文件为例)
发布后的文档
输出后的随机水印+随机字符串限制
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
打开RegSPY一眼我就知道过期的标志是哪一个,楼下的你能说出为什么吗?
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
上来还是四处搜集信息,这些你都能说出个所以然来,后面的就更易理解。
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第2章
输出后的随机水印+随机字符串限制
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
先来解决时间过期问题吧:
干掉时间限制:
  • 能想到的传统方式inc 变dec
  • 找到源头永远重置为空
  • 使用大白补丁注入或HOOK
  • 论坛bester姥爷的玩法:HOOK GetLocalTime补丁(内嵌补丁)
  • 找到过期的地方修改
  • 法王姥爷最爱的方式,把注册表写记号的动作干掉

可疑的几个api:
  • FileTimeToLocalFileTime
  • FileTimeToSystemTime
  • GetLocalTime

利用插件、脚本、跟踪3种方法来对比走势和最终的分水岭。
都需要用到  1个开始的VA  和   结束的VA
猜测哪种方式更少、更快、更好?
  • 开始VA、结束VA+跟踪窗对比
  • 开始VA、结束VA+插件对比
  • 开始VA、结束VA+脚本对比

先是GetLocalTime
接着01C8F255   | E8 9A9F78FE               | call <JMP.&FileTimeToSystemTime>                 
接着01C8F280   | E8 6F9F78FE               | call <JMP.&FileTimeToSystemTime>           
后面就是下面的流程了:      
过期原因:HKEY_CURRENT_USER\Software\Classes\RichOleLink.TOleLink.1\CLSID 检测此记号

[Asm] 纯文本查看 复制代码
01B15431   | B2 01                     | mov dl,1                                       01B15433   | A1 D41B5900               | mov eax,dword ptr ds:[591BD4]                   |01B15438   | E8 A3E8A7FE               | call patch_bester_helpman1.593CE0               |01B1543D   | 8945 EC                   | mov dword ptr ss:[ebp-14],eax                   |01B15440   | BA 01000080               | mov edx,80000001                                |01B15445   | 8B45 EC                   | mov eax,dword ptr ss:[ebp-14]                   |01B15448   | E8 37E9A7FE               | call patch_bester_helpman1.593D84               |01B1544D   | C645 EB 00                | mov byte ptr ss:[ebp-15],0                      |01B15451   | 837D F8 00                | cmp dword ptr ss:[ebp-8],0                      |改法1:01B15455   | 0F8E 0B010000             | jle patch_bester_helpman1.1B15566====>这里跳过01B1545B   | BA 3056B101               | mov edx,patch_bester_helpman1.1B15630           | 利用字串搜索扩展插件,全局搜索那个地址常量定位到这里L"Software\\Classes\\RichOleLink.TOleLink.1"01B15460   | 8B45 EC                   | mov eax,dword ptr ss:[ebp-14]                   |01B15463   | E8 48FDA7FE               | call patch_bester_helpman1.5951B0               |01B15468   | 84C0                      | test al,al                                      |01B1546A   | 0F84 F6000000             | je patch_bester_helpman1.1B15566                |01B15470   | 33C0                      | xor eax,eax                                     |01B15472   | 55                        | push ebp                                        |01B15473   | 68 5C55B101               | push patch_bester_helpman1.1B1555C              |01B15478   | 64:FF30                   | push dword ptr fs:[eax]                         |01B1547B   | 64:8920                   | mov dword ptr fs:[eax],esp                      |01B1547E   | BA 8C56B101               | mov edx,patch_bester_helpman1.1B1568C   ==>1B1568C:L"Software\\Classes\\RichOleLink.TOleLink.1\\CLSID"01B15483   | 8B45 EC                   | mov eax,dword ptr ss:[ebp-14]                   |01B15486   | E8 25FDA7FE               | call patch_bester_helpman1.5951B0               |01B1548B   | 84C0                      | test al,al                                      |01B1548D   | 0F84 BF000000             | je patch_bester_helpman1.1B15552                |01B15493   | 33C9                      | xor ecx,ecx                                     |01B15495   | BA 8C56B101               | mov edx,patch_bester_helpman1.1B1568C           | 1B1568C:L"Software\\Classes\\RichOleLink.TOleLink.1\\CLSID"01B1549A   | 8B45 EC                   | mov eax,dword ptr ss:[ebp-14]                   |01B1549D   | E8 3AEAA7FE               | call patch_bester_helpman1.593EDC               |01B154A2   | 84C0                      | test al,al                                      |01B154A4   | 0F84 A8000000             | je patch_bester_helpman1.1B15552                |01B154AA   | 8D4D F4                   | lea ecx,dword ptr ss:[ebp-C]                    |01B154AD   | 33D2                      | xor edx,edx                                     |01B154AF   | 8B45 EC                   | mov eax,dword ptr ss:[ebp-14]                   |01B154B2   | E8 E1F3A7FE               | call patch_bester_helpman1.594898               |01B154B7   | 33C0                      | xor eax,eax                                     |01B154B9   | 55                        | push ebp                                        |01B154BA   | 68 4055B101               | push patch_bester_helpman1.1B15540              |01B154BF   | 64:FF30                   | push dword ptr fs:[eax]                         |01B154C2   | 64:8920                   | mov dword ptr fs:[eax],esp                      |01B154C5   | 8D45 E0                   | lea eax,dword ptr ss:[ebp-20]                   |01B154C8   | 50                        | push eax                                        |01B154C9   | B9 0C000000               | mov ecx,C                                       | C:'\f'01B154CE   | BA 1A000000               | mov edx,1A                                      |01B154D3   | 8B45 F4                   | mov eax,dword ptr ss:[ebp-C]                    |01B154D6   | E8 C1758FFE               | call patch_bester_helpman1.40CA9C               |01B154DB   | 8B4D E0                   | mov ecx,dword ptr ss:[ebp-20]                   |01B154DE   | 8D45 E4                   | lea eax,dword ptr ss:[ebp-1C]                   |01B154E1   | BA F456B101               | mov edx,patch_bester_helpman1.1B156F4           |01B154E6   | E8 E1738FFE               | call patch_bester_helpman1.40C8CC               |01B154EB   | 8B45 E4                   | mov eax,dword ptr ss:[ebp-1C]                   |01B154EE   | E8 E13394FE               | call patch_bester_helpman1.4588D4               |01B154F3   | 83E8 46                   | sub eax,46                                      |01B154F6   | 2B45 F8                   | sub eax,dword ptr ss:[ebp-8]                    |01B154F9   | 8945 F0                   | mov dword ptr ss:[ebp-10],eax                   |01B154FC   | 8D45 D8                   | lea eax,dword ptr ss:[ebp-28]                   |01B154FF   | 50                        | push eax                                        |01B15500   | B9 04000000               | mov ecx,4                                       |01B15505   | BA 15000000               | mov edx,15                                      |01B1550A   | 8B45 F4                   | mov eax,dword ptr ss:[ebp-C]                    |01B1550D   | E8 8A758FFE               | call patch_bester_helpman1.40CA9C               |01B15512   | 8B4D D8                   | mov ecx,dword ptr ss:[ebp-28]                   |01B15515   | 8D45 DC                   | lea eax,dword ptr ss:[ebp-24]                   |01B15518   | BA F456B101               | mov edx,patch_bester_helpman1.1B156F4           |01B1551D   | E8 AA738FFE               | call patch_bester_helpman1.40C8CC               |01B15522   | 8B45 DC                   | mov eax,dword ptr ss:[ebp-24]                   |01B15525   | E8 AA3394FE               | call patch_bester_helpman1.4588D4               |01B1552A   | 2D 01C00000               | sub eax,C001                                    |01B1552F   | 3B45 FC                   | cmp eax,dword ptr ss:[ebp-4]                    |01B15532   | 0F9D45 EB                 | setge byte ptr ss:[ebp-15]                      |01B15536   | 33C0                      | xor eax,eax                                     |01B15538   | 5A                        | pop edx                                         |01B15539   | 59                        | pop ecx                                         |01B1553A   | 59                        | pop ecx                                         |01B1553B   | 64:8910                   | mov dword ptr fs:[eax],edx                      |01B1553E   | EB 0A                     | jmp patch_bester_helpman1.1B1554A               |01B15540   | E9 B7508FFE               | jmp patch_bester_helpman1.40A5FC                |01B15545   | E8 CE558FFE               | call patch_bester_helpman1.40AB18               |01B1554A   | 8B45 EC                   | mov eax,dword ptr ss:[ebp-14]                   |01B1554D   | E8 02E8A7FE               | call patch_bester_helpman1.593D54               |01B15552   | 33C0                      | xor eax,eax                                     |01B15554   | 5A                        | pop edx                                         |01B15555   | 59                        | pop ecx                                         |01B15556   | 59                        | pop ecx                                         |01B15557   | 64:8910                   | mov dword ptr fs:[eax],edx                      |01B1555A   | EB 0A                     | jmp patch_bester_helpman1.1B15566               |01B1555C   | E9 9B508FFE               | jmp patch_bester_helpman1.40A5FC                |01B15561   | E8 B2558FFE               | call patch_bester_helpman1.40AB18               |01B15566   | 807D EB 00                | cmp byte ptr ss:[ebp-15],0                      |01B1556A   | 75 73                     | jne patch_bester_helpman1.1B155DF    ===> 这里跳过!

改法2:
01C8F2AA   | E8 5161E8FF               | call <patch1_跳过启动注册┼无限试用.sub_1B15400>            | 当然NOP上一级这个call也是成立的
效果是永远 剩余:44822+x天
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
改法3:
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
因为
01C8F2E4 | 83C0 1E                  | add eax,1E       执行过后eax=剩余天数
所以0x027AA95C里存的是天数
上边高亮后,看到3处
改法4:用大白补丁给 01C8F2E7这里的eax进行修改
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
载入软件后,先bp GetLocalTime
跟踪窗口,开始跟踪
Shift+F9断下来,取消断点
Ctrl+F8让它单步步过方式运行到【未过期时的】注册窗口处
这样做的缺陷,走的太慢了
优点是不容易错过(比Ctrl+F7更快些)
这次,我们改变下策略:
不取消GetLocalTime断点
Shift+F9
Ctrl+F9 两次
Ctrl+F8
如果再遇到GetLocalTime断下时,再次Ctrl+F9 ...Ctrl+F8伺候,不再赘述
效果有改善,还是行进速度太慢!
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
去除水印和随机字符串限制:
Alt+E==>WriteFile下断
断到之后来到027AF9F8  kernel32.WriteFile
Ctrl+F9之后来到 :
00459020  | E8 6309FCFF         call <JMP.&WriteFile>                           就来到了这个关键地带
然后Ctrl+F8
用IDR解出来的是:23F6F4C  push ebp
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
到23F7652这结束的:
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
解禁思路
  • 要么传送全局注册成功标志的状态
  • 要么NOP掉不好的call

这里为你演示两种成功的玩法:纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
先思考:随机输出的垃圾字符串+垃圾块+随机禁用超链接
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
到底是什么?
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
无非就是 *.html的源代码,或进一步说就是html标签
要学会进一步看到本质
到这里垃圾块的问题是不是就想通了?
随机输出的垃圾字符串?!  又是啥呢?无非是Delphi编程过程中作者设计的一个函数。
随机禁用超链接呢? 其实意思差不多。
这里把它们全部理解为:不友好的子程序(call就OK了。)
先下一个写入文件的断点
慢慢F8单步向下跟踪
直到。。。垃圾html标签的字符串现身就快到NOP掉的call位置了。
比较暴力的改法1:
[Asm] 纯文本查看 复制代码
<p class="p_Normal">TEXT SCRAMBLING in TRIAL VERSION OUTPUT! In evaluation mode, Help+Manual will scramble individual characters in random words in your published output files. This is a limitation of the free trial version. <a href="https://www." target="_blank" class="weblink"> This help system was created with an evaluation copy of Help+Manual.</a></p>UNREGISTERED EVALUATION VERSION随机乱字符串输出=============lbDemoPublish4   1fcedaalbDemoPublish     1fcf75blbDemoPublish     3c4e8a2断到了!0054586F | FF57 14                  | call dword ptr ds:[edi+14]              | 调用Demo的那个Label控件 lbDemoPublish==================================================Alt+E, 027AF9F8  kernel32.WriteFile断到之后,堆栈窗口之后00459020  | E8 6309FCFF           | call <JMP.&WriteFile>                           就来到了这个关键地带然后Ctrl+F8==================================================023F7296  | 0F85 78020000          | jne 强制去1干掉unregistered evaluation version.23F7514      | 貌似修改这JMP更好吧?023F729C  | 8B07                   | mov eax,dword ptr ds:[edi]                             |023F729E  | 8B80 C8030000          | mov eax,dword ptr ds:[eax+3C8]                         |023F72A4  | 8B80 90000000          | mov eax,dword ptr ds:[eax+90]                          |023F72AA  | E8 B93A9BFE            | call <强制去1干掉unregistered evaluation version.sub_DAAD68 |023F72AF  | BA 08000000            | mov edx,8                                              |023F72B4  | E8 E3D89AFE            | call 强制去1干掉unregistered evaluation version.DA4B9C      |023F72B9  | 8B07                   | mov eax,dword ptr ds:[edi]                             |023F72BB  | 8B80 C8030000          | mov eax,dword ptr ds:[eax+3C8]                         |023F72C1  | 8B80 94000000          | mov eax,dword ptr ds:[eax+94]                          |023F72C7  | E8 D8CB9BFE            | call <强制去1干掉unregistered evaluation version.sub_DB3EA4 |023F72CC  | C640 35 02             | mov byte ptr ds:[eax+35],2                             |023F72D0  | 8B40 38                | mov eax,dword ptr ds:[eax+38]                          |023F72D3  | 8B40 14                | mov eax,dword ptr ds:[eax+14]                          |023F72D6  | C640 04 01             | mov byte ptr ds:[eax+4],1                              |023F72DA  | 55                     | push ebp                                               |不如这个上面几行的吧?023F72DB  | E8 3CFCFFFF           | call <patch1_跳过启动注册┼无限试用1.sub_23F6F1C>   ==>右边这里有写入评估水印之类的字符串(粘贴bug过不来)023F72E0  | 59                    | pop ecx                                         |023F72E1  | 84C0                  | test al,al                                      |023F72E3  | 0F84 F1000000         | je patch1_跳过启动注册┼无限试用1.23F73DA                ===>▲修改这里【未注册字符串的写入】NOP掉!023F72E9  | 8B07                  | mov eax,dword ptr ds:[edi]                      | [edi]:&"\f沶"023F72EB  | 8B80 C8030000         | mov eax,dword ptr ds:[eax+3C8]                  |023F72F1  | 8B90 94000000         | mov edx,dword ptr ds:[eax+94]                   |023F72F7  | 8B52 08               | mov edx,dword ptr ds:[edx+8]                    |023F72FA  | 8B52 08               | mov edx,dword ptr ds:[edx+8]                    |023F72FD  | 4A                    | dec edx                                         |023F72FE  | 52                    | push edx                                        |023F72FF  | 6A 00                 | push 0                                          |023F7301  | 8B80 90000000         | mov eax,dword ptr ds:[eax+90]                   |023F7307  | 8B40 08               | mov eax,dword ptr ds:[eax+8]                    |023F730A  | 8B48 08               | mov ecx,dword ptr ds:[eax+8]                    |023F730D  | 49                    | dec ecx                                         |023F730E  | 8B07                  | mov eax,dword ptr ds:[edi]                      | [edi]:&"\f沶"023F7310  | 8B80 C0030000         | mov eax,dword ptr ds:[eax+3C0]                  |023F7316  | 33D2                  | xor edx,edx                                     |023F7318  | E8 A76395FE           | call <patch1_跳过启动注册┼无限试用1.sub_D4D6C4>           |023F731D  | 8B07                  | mov eax,dword ptr ds:[edi]                      | [edi]:&"\f沶"023F731F  | 8BB0 C8030000         | mov esi,dword ptr ds:[eax+3C8]                  | esi:&"劋S"023F7325  | 8B86 94000000         | mov eax,dword ptr ds:[esi+94]                   |023F732B  | 8B40 08               | mov eax,dword ptr ds:[eax+8]                    |023F732E  | 8B40 08               | mov eax,dword ptr ds:[eax+8]                    |023F7331  | 48                    | dec eax                                         |023F7332  | 50                    | push eax                                        |023F7333  | 68 D8773F02           | push patch1_跳过启动注册┼无限试用1.23F77D8                | 23F77D8:L"DISPLAY="023F7338  | 8D55 98               | lea edx,dword ptr ss:[ebp-68]                   |023F733B  | 33C0                  | xor eax,eax                                     |023F733D  | E8 261306FE           | call <patch1_跳过启动注册┼无限试用1.sub_458668>           |023F7342  | FF75 98               | push dword ptr ss:[ebp-68]                      |023F7345  | 68 F8773F02           | push patch1_跳过启动注册┼无限试用1.23F77F8                |023F734A  | 68 08783F02           | push patch1_跳过启动注册┼无限试用1.23F7808                | 23F7808:L"VALID=1"023F734F  | 68 F8773F02           | push patch1_跳过启动注册┼无限试用1.23F77F8                |023F7354  | 68 24783F02           | push patch1_跳过启动注册┼无限试用1.23F7824                | 23F7824:L"TYPE="023F7359  | 8D55 94               | lea edx,dword ptr ss:[ebp-6C]                   |023F735C  | B8 01000000           | mov eax,1                                       |023F7361  | E8 021306FE           | call <patch1_跳过启动注册┼无限试用1.sub_458668>           |023F7366  | FF75 94               | push dword ptr ss:[ebp-6C]                      |023F7369  | 68 F8773F02           | push patch1_跳过启动注册┼无限试用1.23F77F8                |023F736E  | 68 3C783F02           | push patch1_跳过启动注册┼无限试用1.23F783C                | 23F783C:L"DATA="023F7373  | 68 54783F02           | push <patch1_跳过启动注册┼无限试用1.sub_23F7854>          | 23F7854:L"T=https://www."023F7378  | 68 A0783F02           | push patch1_跳过启动注册┼无限试用1.23F78A0                | 23F78A0:L"\r\n"023F737D  | 68 B4783F02           | push patch1_跳过启动注册┼无限试用1.23F78B4                | 23F78B4:L"W=_blank"023F7382  | 8D45 9C               | lea eax,dword ptr ss:[ebp-64]                   |023F7385  | BA 0C000000           | mov edx,C                                       | C:'\f'23F6F1C这个call F7进入后,发现:023F6F22  | 8D45 F8               | lea eax,dword ptr ss:[ebp-8]                    | [ebp-8]:L"idh_class_tcustomrvparainfo" 显然是Delphi中的自定义控件类023F7245  | 85C0                   | test eax,eax                          | eax:&L"TEXT SCRAMBLING in TRIAL VERSION OUTPUT! In evaluation mode, Help+Manual will scramble individual characters in random words in your published output files. This is a limitation of the free trial version. "=========================================02396299  | 8B80 E8010000          | mov eax,dword ptr ds:[eax+1E8]        | eax:&"劋S", [eax+1E8]:"447858949346180"0239629F  | 33D2                   | xor edx,edx                           |023962A1  | E8 2A9D3FFE            | call patch1_跳过启动注册.78FFD0             |023962A6  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023962A9  | 8B80 E8010000          | mov eax,dword ptr ds:[eax+1E8]        | eax:&"劋S", [eax+1E8]:"447858949346180"023962AF  | E8 F0723FFE            | call patch1_跳过启动注册.78D5A4             |023962B4  | 84C0                   | test al,al                            |023962B6  | 75 1F                  | jne patch1_跳过启动注册.23962D7             |023962B8  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023962BB  | 8B80 E8010000          | mov eax,dword ptr ds:[eax+1E8]        | eax:&"劋S", [eax+1E8]:"447858949346180"023962C1  | E8 C2430CFE            | call patch1_跳过启动注册.45A688             |023962C6  | 84C0                   | test al,al                            |023962C8  | 75 0D                  | jne patch1_跳过启动注册.23962D7             |023962CA  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023962CD  | 05 E8010000            | add eax,1E8                           | eax:&"劋S"023962D2  | E8 715107FE            | call patch1_跳过启动注册.40B448             |023962D7  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023962DA  | 83B8 E8010000 00       | cmp dword ptr ds:[eax+1E8],0          | [eax+1E8]:"447858949346180"023962E1  | 0F9585 4FFFFFFF        | setne byte ptr ss:[ebp-B1]            |023962E8  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023962EB  | 05 EC010000            | add eax,1EC                           | eax:&"劋S"023962F0  | 8B55 FC                | mov edx,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023962F3  | 8B92 E8010000          | mov edx,dword ptr ds:[edx+1E8]        |023962F9  | E8 2A5507FE            | call patch1_跳过启动注册.40B828             |023962FE  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"02396301  | 05 F4010000            | add eax,1F4                           | eax:&"劋S"02396306  | 8B55 FC                | mov edx,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"02396309  | 8B92 E8010000          | mov edx,dword ptr ds:[edx+1E8]        |0239630F  | E8 145507FE            | call patch1_跳过启动注册.40B828             |02396314  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"02396317  | 05 F0010000            | add eax,1F0                           | eax:&"劋S"0239631C  | 8B55 FC                | mov edx,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"0239631F  | 8B92 E8010000          | mov edx,dword ptr ds:[edx+1E8]        |02396325  | E8 FE5407FE            | call patch1_跳过启动注册.40B828             |0239632A  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"0239632D  | 8B90 E8010000          | mov edx,dword ptr ds:[eax+1E8]        | [eax+1E8]:"447858949346180"02396333  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"02396336  | 05 F8010000            | add eax,1F8                           | eax:&"劋S"0239633B  | B9 FC933902            | mov ecx,patch1_跳过启动注册.23993FC         | ecx:&"劋S", 23993FC:L"\\xplain"02396340  | E8 876507FE            | call patch1_跳过启动注册.40C8CC             |02396345  | 80BD 4FFFFFFF 00       | cmp byte ptr ss:[ebp-B1],0            |0239634C  | 75 32                  | jne patch1_跳过启动注册.2396380             |0239634E  | 8D85 8CFEFFFF          | lea eax,dword ptr ss:[ebp-174]        |02396354  | 50                     | push eax                              | eax:&"劋S"02396355  | 6A FF                  | push FFFFFFFF                         |02396357  | 6A 00                  | push 0                                |02396359  | 8D95 34FBFFFF          | lea edx,dword ptr ss:[ebp-4CC]        |0239635F  | B8 E0423802            | mov eax,patch1_跳过启动注册.23842E0         | eax:&"劋S"02396364  | E8 D79C07FE            | call patch1_跳过启动注册.410040             |02396369  | 8B8D 34FBFFFF          | mov ecx,dword ptr ss:[ebp-4CC]        |0239636F  | A1 10857502            | mov eax,dword ptr ds:[2758510]        | eax:&"劋S"02396374  | 8B00                   | mov eax,dword ptr ds:[eax]            | eax:&"劋S", [eax]:"劋S"02396376  | BA B80B0000            | mov edx,BB8                           |0239637B  | E8 900D0700            | call patch1_跳过启动注册.2407110            | --->关注这里!!!!02396380  | 80BD 4FFFFFFF 00       | cmp byte ptr ss:[ebp-B1],0            |02396387  | 0F84 040A0000          | je patch1_跳过启动注册.2396D91              |0239638D  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"02396390  | C680 D1010000 01       | mov byte ptr ds:[eax+1D1],1           |02396397  | A1 10857502            | mov eax,dword ptr ds:[2758510]        | eax:&"劋S"0239639C  | 8B00                   | mov eax,dword ptr ds:[eax]            | eax:&"劋S", [eax]:"劋S"0239639E  | 8B80 F0030000          | mov eax,dword ptr ds:[eax+3F0]        | eax:&"劋S"023963A4  | E8 FB9374FF            | call patch1_跳过启动注册.1ADF7A4            |023963A9  | 8BD8                   | mov ebx,eax                           | eax:&"劋S"023963AB  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023963AE  | 8998 CC000000          | mov dword ptr ds:[eax+CC],ebx         |023963B4  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023963B7  | 80B8 CB010000 00       | cmp byte ptr ds:[eax+1CB],0           |023963BE  | 0F84 B4090000          | je patch1_跳过启动注册.2396D78              |023963C4  | 8BC3                   | mov eax,ebx                           | eax:&"劋S"023963C6  | E8 8D9774FF            | call patch1_跳过启动注册.1ADFB58            |023963CB  | 85C0                   | test eax,eax                          | eax:&"劋S"023963CD  | 0F84 A5090000          | je patch1_跳过启动注册.2396D78              |023963D3  | 8D85 8CFEFFFF          | lea eax,dword ptr ss:[ebp-174]        |023963D9  | 50                     | push eax                              | eax:&"劋S"023963DA  | 6A FF                  | push FFFFFFFF                         |023963DC  | 6A 00                  | push 0                                |023963DE  | 8D95 30FBFFFF          | lea edx,dword ptr ss:[ebp-4D0]        |023963E4  | B8 D8423802            | mov eax,patch1_跳过启动注册.23842D8         | eax:&"劋S"023963E9  | E8 529C07FE            | call patch1_跳过启动注册.410040             |023963EE  | 8B8D 30FBFFFF          | mov ecx,dword ptr ss:[ebp-4D0]        |023963F4  | A1 10857502            | mov eax,dword ptr ds:[2758510]        | eax:&"劋S"023963F9  | 8B00                   | mov eax,dword ptr ds:[eax]            | eax:&"劋S", [eax]:"劋S"023963FB  | BA B80B0000            | mov edx,BB8                           |02396400  | E8 0B0D0700            | call patch1_跳过启动注册.2407110            |02396405  | C685 4FFFFFFF 00       | mov byte ptr ss:[ebp-B1],0            |0239640C  | E9 67090000            | jmp patch1_跳过启动注册.2396D78             |02396411  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"02396414  | 8B88 D8010000          | mov ecx,dword ptr ds:[eax+1D8]        | ecx:&"劋S"0239641A  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"0239641D  | 8B80 DC010000          | mov eax,dword ptr ds:[eax+1DC]        | eax:&"劋S"02396423  | BA 64000000            | mov edx,64                            | 64:'d'02396428  | E8 6BF364FF            | call patch1_跳过启动注册.19E5798            |0239642D  | 50                     | push eax                              | eax:&"劋S"0239642E  | 8D85 4FFFFFFF          | lea eax,dword ptr ss:[ebp-B1]         |02396434  | 50                     | push eax                              | eax:&"劋S"02396435  | 8D95 2CFBFFFF          | lea edx,dword ptr ss:[ebp-4D4]        |0239643B  | B8 F0423802            | mov eax,patch1_跳过启动注册.23842F0         | eax:&"劋S"02396440  | E8 FB9B07FE            | call patch1_跳过启动注册.410040             |02396445  | 8D85 2CFBFFFF          | lea eax,dword ptr ss:[ebp-4D4]        |0239644B  | 8B55 FC                | mov edx,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"0239644E  | 8B92 CC000000          | mov edx,dword ptr ds:[edx+CC]         |02396454  | 8B52 38                | mov edx,dword ptr ds:[edx+38]         |02396457  | 8B52 04                | mov edx,dword ptr ds:[edx+4]          |0239645A  | E8 156407FE            | call patch1_跳过启动注册.40C874             |0239645F  | 8B85 2CFBFFFF          | mov eax,dword ptr ss:[ebp-4D4]        |02396465  | 50                     | push eax                              | eax:&"劋S"02396466  | 8D95 28FBFFFF          | lea edx,dword ptr ss:[ebp-4D8]        |0239646C  | B8 E8423802            | mov eax,patch1_跳过启动注册.23842E8         | eax:&"劋S"02396471  | E8 CA9B07FE            | call patch1_跳过启动注册.410040             |02396476  | 8B95 28FBFFFF          | mov edx,dword ptr ss:[ebp-4D8]        |0239647C  | 59                     | pop ecx                               | ecx:&"劋S"0239647D  | 8B05 94C57A02          | mov eax,dword ptr ds:[27AC594]        | eax:&"劋S"02396483  | FF15 90C57A02          | call dword ptr ds:[27AC590]           |02396489  | 80BD 4FFFFFFF 00       | cmp byte ptr ss:[ebp-B1],0            |02396490  | 0F84 55070000          | je patch1_跳过启动注册.2396BEB              |02396496  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"02396499  | 8B80 CC000000          | mov eax,dword ptr ds:[eax+CC]         | eax:&"劋S"0239649F  | E8 289074FF            | call patch1_跳过启动注册.1ADF4CC            |023964A4  | 48                     | dec eax                               | eax:&"劋S"023964A5  | 0F85 40070000          | jne patch1_跳过启动注册.2396BEB             |023964AB  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023964AE  | 8B80 CC000000          | mov eax,dword ptr ds:[eax+CC]         | eax:&"劋S"023964B4  | 8B50 3C                | mov edx,dword ptr ds:[eax+3C]         |023964B7  | 33C9                   | xor ecx,ecx                           | ecx:&"劋S"023964B9  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023964BC  | E8 3FE7FBFF            | call patch1_跳过启动注册.2354C00            |023964C1  | 84C0                   | test al,al                            |023964C3  | 0F85 22070000          | jne patch1_跳过启动注册.2396BEB             |023964C9  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023964CC  | FF80 DC010000          | inc dword ptr ds:[eax+1DC]            |023964D2  | 6A 01                  | push 1                                |023964D4  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023964D7  | 8B80 CC000000          | mov eax,dword ptr ds:[eax+CC]         | eax:&"劋S"023964DD  | 8B48 3C                | mov ecx,dword ptr ds:[eax+3C]         | ecx:&"劋S"023964E0  | 8B45 FC                | mov eax,dword ptr ss:[ebp-4]          | [ebp-4]:&"劋S"023964E3  | 8B80 CC000000          | mov eax,dword ptr ds:[eax+CC]         | eax:&"劋S"023964E9  | 8B50 78                | mov edx,dword ptr ds:[eax+78]         |023964EC  | A1 10857502            | mov eax,dword ptr ds:[2758510]        | eax:&"劋S"023964F1  | 8B00                   | mov eax,dword ptr ds:[eax]            | eax:&"劋S", [eax]:"劋S"023964F3  | E8 540A0600            | call patch1_跳过启动注册.23F6F4C            | =============>里边有那个未注册字符调用1)023964F8  | 84C0                   | test al,al                            |023964FA  | 0F84 3F060000          | je patch1_跳过启动注册.2396B3F              |$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$023F7409  | 8B55 84                 | mov edx,dword ptr ss:[ebp-7C]          | ▲▲▲我烤,原来你在这里啦!!!TEXT SCRAMBLING in TRIAL VERSION OUTPUT! In evaluation mode, Help+Manual will scramble individual characters in random words in your published output files. This is a limitation of the free trial version. "023F740C  | 8D45 88                 | lea eax,dword ptr ss:[ebp-78]          |023F740F  | E8 245301FE             | call patch1_跳过启动注册.40C738              |023F7414  | 8B55 88                 | mov edx,dword ptr ss:[ebp-78]          |023F7417  | 8B07                    | mov eax,dword ptr ds:[edi]             | [edi]:&"\f沶"023F7419  | 8B80 C0030000           | mov eax,dword ptr ds:[eax+3C0]         |023F741F  | 33C9                    | xor ecx,ecx                            |023F7421  | E8 02758EFE             | call patch1_跳过启动注册.CDE928              |$$$$$$$$$$023F72E3  | 0F84 F1000000           | je patch1_跳过启动注册.23F73DA               | 设为B1(此处实现就完犊子了!!!)▲可以干掉顶部的那个TEXT SCRAMBLING in TRIAL VERSION OUTPUT! 023F72E9  | 8B07                    | mov eax,dword ptr ds:[edi]             | eax:L"in-familysafety-childaccount-l1-1-0", edi:"U嬱笿"023F72EB  | 8B80 C8030000           | mov eax,dword ptr ds:[eax+3C8]         | eax:L"in-familysafety-childaccount-l1-1-0", [eax+3C8]:sub_78005F+6023F72F1  | 8B90 94000000           | mov edx,dword ptr ds:[eax+94]          | eax+94:L"in-feclient-encryptedfile-l1-1-3"023F72F7  | 8B52 08                 | mov edx,dword ptr ds:[edx+8]           |023F72FA  | 8B52 08                 | mov edx,dword ptr ds:[edx+8]           |====================================================================================cmp dword ptr ds:[eax+0x28], 0x1 反转也可跳过过期 和 部分时间限制!cmp dword ptr ds:[eax+0x28], 0x0向下跟发现的向下跟发现的02661A9E   mov edx, 0x2662D44   LicMode:%s This help system was created with an evaluation copy of Help+Manual. 这玩意 也得干掉!-------------------------------------------------------------------------------------------------------00459020  | E8 6309FCFF           | call <JMP.&WriteFile>                           就来到了这个关键地带然后Ctrl+F8023F716F   | 0F95C0             | setne al  ====>反转成94023F7172  | 2245 08             | and al,byte ptr ss:[ebp+8]        023F72E3  | 90                  | nop                                 | 我们从这里开始NOP023F72E4  | 90                  | nop                                 |023F72E5  | 90                  | nop                                 |023F72E6  | 90                  | nop                                 |023F72E7  | 90                  | nop                                 |023F72E8  | 90                  | nop                                 |023F72E9  | 8B07                | mov eax,dword ptr ds:[edi]          | edi:"U嬱笿"023F72EB  | 8B80 C8030000       | mov eax,dword ptr ds:[eax+3C8]      |023F72F1  | 8B90 94000000       | mov edx,dword ptr ds:[eax+94]       |023F72F7  | 8B52 08             | mov edx,dword ptr ds:[edx+8]        |023F72FA  | 8B52 08             | mov edx,dword ptr ds:[edx+8]        |023F72FD  | 4A                  | dec edx                             |023F72FE  | 52                  | push edx                            |023F72FF  | 6A 00               | push 0                              |023F7301  | 8B80 90000000       | mov eax,dword ptr ds:[eax+90]       |023F7307  | 8B40 08             | mov eax,dword ptr ds:[eax+8]        |023F730A  | 8B48 08             | mov ecx,dword ptr ds:[eax+8]        |023F730D  | 49                  | dec ecx                             |023F730E  | 8B07                | mov eax,dword ptr ds:[edi]          | edi:"U嬱笿"023F7310  | 8B80 C0030000       | mov eax,dword ptr ds:[eax+3C0]      |023F7316  | 33D2                | xor edx,edx                         |023F7318  | E8 A76395FE         | call 4554454545545445455454.D4D6C4  |023F731D  | 8B07                | mov eax,dword ptr ds:[edi]          | edi:"U嬱笿"023F731F  | 8BB0 C8030000       | mov esi,dword ptr ds:[eax+3C8]      | esi:"U嬱笿"023F7325  | 8B86 94000000       | mov eax,dword ptr ds:[esi+94]       |023F732B  | 8B40 08             | mov eax,dword ptr ds:[eax+8]        |023F732E  | 8B40 08             | mov eax,dword ptr ds:[eax+8]        |023F7331  | 48                  | dec eax                             |023F7332  | 50                  | push eax                            |023F7333  | 68 D8773F02         | push 4554454545545445455454.23F77D8 | 23F77D8:L"DISPLAY="023F7338  | 8D55 98             | lea edx,dword ptr ss:[ebp-68]       | [ebp-68]:"U嬱笿"023F733B  | 33C0                | xor eax,eax                         |023F733D  | E8 261306FE         | call 4554454545545445455454.458668  |023F7342  | FF75 98             | push dword ptr ss:[ebp-68]          | [ebp-68]:"U嬱笿"023F7345  | 68 F8773F02         | push 4554454545545445455454.23F77F8 |023F734A  | 68 08783F02         | push 4554454545545445455454.23F7808 | 23F7808:L"VALID=1"023F734F  | 68 F8773F02         | push 4554454545545445455454.23F77F8 |023F7354  | 68 24783F02         | push 4554454545545445455454.23F7824 | 23F7824:L"TYPE="023F7359  | 8D55 94             | lea edx,dword ptr ss:[ebp-6C]       |023F735C  | B8 01000000         | mov eax,1                           |023F7361  | E8 021306FE         | call 4554454545545445455454.458668  |023F7366  | FF75 94             | push dword ptr ss:[ebp-6C]          |023F7369  | 68 F8773F02         | push 4554454545545445455454.23F77F8 |023F736E  | 68 3C783F02         | push 4554454545545445455454.23F783C | 23F783C:L"DATA="023F7373  | 68 54783F02         | push 4554454545545445455454.23F7854 | 23F7854:L"T=https://www."023F7378  | 68 A0783F02         | push 4554454545545445455454.23F78A0 | 23F78A0:L"\r\n"023F737D  | 68 B4783F02         | push 4554454545545445455454.23F78B4 | 23F78B4:L"W=_blank"023F7382  | 8D45 9C             | lea eax,dword ptr ss:[ebp-64]       |023F7385  | BA 0C000000         | mov edx,C                           | C:'\f'023F738A  | E8 C55501FE         | call 4554454545545445455454.40C954  |023F738F  | 8B45 9C             | mov eax,dword ptr ss:[ebp-64]       |023F7392  | 50                  | push eax                            |023F7393  | 8D4D 8C             | lea ecx,dword ptr ss:[ebp-74]       |023F7396  | A1 5CB37502         | mov eax,dword ptr ds:[275B35C]      |023F739B  | 8B00                | mov eax,dword ptr ds:[eax]          |023F739D  | 8B80 94000000       | mov eax,dword ptr ds:[eax+94]       |023F73A3  | BA D4783F02         | mov edx,4554454545545445455454.23F7 |023F73A8  | E8 377938FE         | call 4554454545545445455454.77ECE4  |023F73AD  | 8B55 8C             | mov edx,dword ptr ss:[ebp-74]       |023F73B0  | 8D45 90             | lea eax,dword ptr ss:[ebp-70]       |023F73B3  | E8 805301FE         | call 4554454545545445455454.40C738  |023F73B8  | 8B55 90             | mov edx,dword ptr ss:[ebp-70]       |023F73BB  | 8B86 90000000       | mov eax,dword ptr ds:[esi+90]       |023F73C1  | 8B40 08             | mov eax,dword ptr ds:[eax+8]        |023F73C4  | 8B48 08             | mov ecx,dword ptr ds:[eax+8]        |023F73C7  | 49                  | dec ecx                             |023F73C8  | 8B07                | mov eax,dword ptr ds:[edi]          | edi:"U嬱笿"023F73CA  | 8B80 C0030000       | mov eax,dword ptr ds:[eax+3C0]      |023F73D0  | E8 EF6295FE         | call 4554454545545445455454.D4D6C4  JMP(到此处的上行结束!)

爆破方式2:   0F95C0  setne al  反转此处,因为为最上级,因此下面的流程走向都会被影响到,所以立竿见影。
爆破方式3: 直接给注册表取键值后返回1,目前还没找到,不过按经验来说必然是成立的。
爆破水印的功能仅用时15分钟就解决困扰了。
一般输出是没啥影响的。。。。但是!!! 一旦载入example的树状的js调用的代码(X:\HelpAndManual6\Examples\Get Me Started Example\Get_Me_Started.hmxz),
就会有js调用不正常的网页框出现纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
。。。
还是老办法,把*.chm 解出来,变成 看得见的*.html 文件,查看源代码
这里可以照样 6.0 去暗桩正常的输出  与  不正常的输出对照着看,修补下我们的补丁程序。。。
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
激活按钮不可用
诡异的cmd授权窗口
授权信息
注册码的两种存放形式与位置:
A.注册表键值
B.主程序名+.lic
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
6.0版的授权流程比较简单:
[Asm] 纯文本查看 复制代码
013E21CA   | 8038 00             | cmp byte ptr ds:[eax],0           |013E21CD   | 0F84 41020000       | je helpman.13E2414                | 这里跳了,注册不注册都一样013E21D3   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E21D8   | C600 00             | mov byte ptr ds:[eax],0           |013E21DB   | 8D55 E0             | lea edx,dword ptr ss:[ebp-20]     |013E21DE   | B8 02000000         | mov eax,2                         |013E21E3   | E8 EC2702FF         | call helpman.4049D4               |013E21E8   | 8B45 E0             | mov eax,dword ptr ss:[ebp-20]     |013E21EB   | BA 8C253E01         | mov edx,helpman.13E258C           | 13E258C:L"/fc"013E21F0   | E8 2B6D02FF         | call helpman.408F20               |013E21F5   | 74 15               | je helpman.13E220C                |013E21F7   | 6A FF               | push FFFFFFFF                     |013E21F9   | A1 E8384601         | mov eax,dword ptr ds:[14638E8]    |013E21FE   | 8B00                | mov eax,dword ptr ds:[eax]        |013E2200   | FFD0                | call eax                          |013E2202   | 85C0                | test eax,eax                      |013E2204   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E2209   | 0F9500              | setne byte ptr ds:[eax]           |013E220C   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E2211   | 8038 00             | cmp byte ptr ds:[eax],0           |013E2214   | 74 47               | je helpman.13E225D                |013E2216   | 33C0                | xor eax,eax                       |013E2218   | 55                  | push ebp                          |013E2219   | 68 46223E01         | push helpman.13E2246              |013E221E   | 64:FF30             | push dword ptr fs:[eax]           |013E2221   | 64:8920             | mov dword ptr fs:[eax],esp        |013E2224   | A1 EC464601         | mov eax,dword ptr ds:[14646EC]    |013E2229   | 66:BA 2000          | mov dx,20                         | 20:' '013E222D   | E8 AE3402FF         | call helpman.4056E0               |013E2232   | E8 492D02FF         | call helpman.404F80               |013E2237   | E8 B02402FF         | call helpman.4046EC               |013E223C   | 33C0                | xor eax,eax                       |013E223E   | 5A                  | pop edx                           |013E223F   | 59                  | pop ecx                           |013E2240   | 59                  | pop ecx                           |013E2241   | 64:8910             | mov dword ptr fs:[eax],edx        |013E2244   | EB 17               | jmp helpman.13E225D               |013E2246   | E9 F94902FF         | jmp helpman.406C44                |013E224B   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E2250   | C600 00             | mov byte ptr ds:[eax],0           |013E2253   | E8 4CD102FF         | call <JMP.&FreeConsole>           |013E2258   | E8 034F02FF         | call helpman.407160               |013E225D   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E2262   | 8038 00             | cmp byte ptr ds:[eax],0           |013E2265   | 75 13               | jne helpman.13E227A               |013E2267   | E8 B8CF02FF         | call <JMP.&AllocConsole>          |013E226C   | 83F8 01             | cmp eax,1                         |013E226F   | 1BC0                | sbb eax,eax                       |013E2271   | 40                  | inc eax                           |013E2272   | 8B15 94404601       | mov edx,dword ptr ds:[1464094]    |013E2278   | 8802                | mov byte ptr ds:[edx],al          |013E227A   | 33D2                | xor edx,edx                       |013E227C   | 55                  | push ebp                          |013E227D   | 68 0D243E01         | push helpman.13E240D              |013E2282   | 64:FF32             | push dword ptr fs:[edx]           |013E2285   | 64:8922             | mov dword ptr fs:[edx],esp        |013E2288   | 8B0D BC574601       | mov ecx,dword ptr ds:[14657BC]    |013E228E   | 8B09                | mov ecx,dword ptr ds:[ecx]        |013E2290   | B2 01               | mov dl,1                          |013E2292   | A1 3CE7F000         | mov eax,dword ptr ds:[F0E73C]     | 00F0E73C:&"砾D"013E2297   | E8 60DEB2FF         | call helpman.F100FC               |013E229C   | 8B15 185A4601       | mov edx,dword ptr ds:[1465A18]    |013E22A2   | 8902                | mov dword ptr ds:[edx],eax        |013E22A4   | 33D2                | xor edx,edx                       |013E22A6   | 55                  | push ebp                          |013E22A7   | 68 E9233E01         | push helpman.13E23E9              |013E22AC   | 64:FF32             | push dword ptr fs:[edx]           |013E22AF   | 64:8922             | mov dword ptr fs:[edx],esp        |013E22B2   | 8B0D B03A4601       | mov ecx,dword ptr ds:[1463AB0]    |013E22B8   | A1 BC574601         | mov eax,dword ptr ds:[14657BC]    |013E22BD   | 8B00                | mov eax,dword ptr ds:[eax]        |013E22BF   | 8B15 ACA22C01       | mov edx,dword ptr ds:[12CA2AC]    | 012CA2AC:&"悂J"013E22C5   | E8 DEFA16FF         | call helpman.551DA8               |013E22CA   | 33D2                | xor edx,edx                       |013E22CC   | 55                  | push ebp                          |013E22CD   | 68 BE233E01         | push helpman.13E23BE              |013E22D2   | 64:FF32             | push dword ptr fs:[edx]           |013E22D5   | 64:8922             | mov dword ptr fs:[edx],esp        |013E22D8   | A1 78454601         | mov eax,dword ptr ds:[1464578]    |013E22DD   | C600 00             | mov byte ptr ds:[eax],0           |013E22E0   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E22E5   | 8038 00             | cmp byte ptr ds:[eax],0           |013E22E8   | 0F84 A0000000       | je helpman.13E238E                |013E22EE   | 33C0                | xor eax,eax                       |013E22F0   | 55                  | push ebp                          |013E22F1   | 68 7C233E01         | push helpman.13E237C              |013E22F6   | 64:FF30             | push dword ptr fs:[eax]           |013E22F9   | 64:8920             | mov dword ptr fs:[eax],esp        |013E22FC   | 68 A0253E01         | push helpman.13E25A0              | 13E25A0:"Help & Manual command line compiler version "013E2301   | A1 185A4601         | mov eax,dword ptr ds:[1465A18]    |013E2306   | 8B00                | mov eax,dword ptr ds:[eax]        |013E2308   | FF70 74             | push dword ptr ds:[eax+74]        |013E230B   | 68 DC253E01         | push helpman.13E25DC              | 13E25DC:" build "013E2310   | A1 185A4601         | mov eax,dword ptr ds:[1465A18]    |013E2315   | 8B00                | mov eax,dword ptr ds:[eax]        |013E2317   | FF70 78             | push dword ptr ds:[eax+78]        |013E231A   | 8D45 DC             | lea eax,dword ptr ss:[ebp-24]     |013E231D   | BA 04000000         | mov edx,4                         |013E2322   | E8 D15F02FF         | call helpman.4082F8               |013E2327   | 8B55 DC             | mov edx,dword ptr ss:[ebp-24]     |013E232A   | A1 EC464601         | mov eax,dword ptr ds:[14646EC]    |013E232F   | E8 903202FF         | call helpman.4055C4               |013E2334   | E8 133402FF         | call helpman.40574C               |013E2339   | E8 AE2302FF         | call helpman.4046EC               |013E233E   | 8D55 D4             | lea edx,dword ptr ss:[ebp-2C]     |013E2341   | B8 01000000         | mov eax,1                         |013E2346   | E8 892602FF         | call helpman.4049D4               |013E234B   | 8B4D D4             | mov ecx,dword ptr ss:[ebp-2C]     |013E234E   | 8D45 D8             | lea eax,dword ptr ss:[ebp-28]     |013E2351   | BA F0253E01         | mov edx,helpman.13E25F0           | 13E25F0:L"Compiling "013E2356   | E8 2D6A02FF         | call helpman.408D88               |013E235B   | 8B55 D8             | mov edx,dword ptr ss:[ebp-28]     |013E235E   | A1 EC464601         | mov eax,dword ptr ds:[14646EC]    |013E2363   | E8 883202FF         | call helpman.4055F0               |013E2368   | E8 DF3302FF         | call helpman.40574C               |013E236D   | E8 7A2302FF         | call helpman.4046EC               |013E2372   | 33C0                | xor eax,eax                       |013E2374   | 5A                  | pop edx                           |013E2375   | 59                  | pop ecx                           |013E2376   | 59                  | pop ecx                           |013E2377   | 64:8910             | mov dword ptr fs:[eax],edx        |013E237A   | EB 12               | jmp helpman.13E238E               |013E237C   | E9 C34802FF         | jmp helpman.406C44                |013E2381   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E2386   | C600 00             | mov byte ptr ds:[eax],0           |013E2389   | E8 D24D02FF         | call helpman.407160               |013E238E   | A1 B03A4601         | mov eax,dword ptr ds:[1463AB0]    |013E2393   | 8B00                | mov eax,dword ptr ds:[eax]        |013E2395   | E8 B6FFF1FF         | call helpman.1302350              |013E239A   | 33C0                | xor eax,eax                       |013E239C   | 5A                  | pop edx                           |013E239D   | 59                  | pop ecx                           |013E239E   | 59                  | pop ecx                           |013E239F   | 64:8910             | mov dword ptr fs:[eax],edx        |013E23A2   | 68 C5233E01         | push helpman.13E23C5              |013E23A7   | A1 B03A4601         | mov eax,dword ptr ds:[1463AB0]    |013E23AC   | 8B00                | mov eax,dword ptr ds:[eax]        |013E23AE   | 8B15 B03A4601       | mov edx,dword ptr ds:[1463AB0]    |013E23B4   | 33C9                | xor ecx,ecx                       |013E23B6   | 890A                | mov dword ptr ds:[edx],ecx        |013E23B8   | E8 5B3A02FF         | call helpman.405E18               |013E23BD   | C3                  | ret                               |013E23BE   | E9 354B02FF         | jmp helpman.406EF8                |013E23C3   | EB E2               | jmp helpman.13E23A7               |013E23C5   | 33C0                | xor eax,eax                       |013E23C7   | 5A                  | pop edx                           |013E23C8   | 59                  | pop ecx                           |013E23C9   | 59                  | pop ecx                           |013E23CA   | 64:8910             | mov dword ptr fs:[eax],edx        |013E23CD   | 68 F0233E01         | push helpman.13E23F0              |013E23D2   | A1 185A4601         | mov eax,dword ptr ds:[1465A18]    |013E23D7   | 8B00                | mov eax,dword ptr ds:[eax]        |013E23D9   | 8B15 185A4601       | mov edx,dword ptr ds:[1465A18]    |013E23DF   | 33C9                | xor ecx,ecx                       |013E23E1   | 890A                | mov dword ptr ds:[edx],ecx        |013E23E3   | E8 303A02FF         | call helpman.405E18               |013E23E8   | C3                  | ret                               |013E23E9   | E9 0A4B02FF         | jmp helpman.406EF8                |013E23EE   | EB E2               | jmp helpman.13E23D2               |013E23F0   | 33C0                | xor eax,eax                       |013E23F2   | 5A                  | pop edx                           |013E23F3   | 59                  | pop ecx                           |013E23F4   | 59                  | pop ecx                           |013E23F5   | 64:8910             | mov dword ptr fs:[eax],edx        |013E23F8   | 68 8D243E01         | push helpman.13E248D              |013E23FD   | A1 94404601         | mov eax,dword ptr ds:[1464094]    |013E2402   | 8038 00             | cmp byte ptr ds:[eax],0           |013E2405   | 74 05               | je helpman.13E240C                |013E2407   | E8 98CF02FF         | call <JMP.&FreeConsole>           |013E240C   | C3                  | ret                               |013E240D   | E9 E64A02FF         | jmp helpman.406EF8                |013E2412   | EB E9               | jmp helpman.13E23FD               |013E2414   | 8B0D BC574601       | mov ecx,dword ptr ds:[14657BC]    | 然后向下执行4句013E241A   | 8B09                | mov ecx,dword ptr ds:[ecx]        |013E241C   | B2 01               | mov dl,1                          |013E241E   | A1 3CE7F000         | mov eax,dword ptr ds:[F0E73C]     | 00F0E73C:&"砾D"

纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第3章
[Asm] 纯文本查看 复制代码
009851C2  | E8 F50BF2FF             | call <原版helpman.sub_8A5DBC>         |009851C7  | 837D F0 00              | cmp dword ptr ss:[ebp-10],0         | [ebp-10]:L"HMLIC"009851CB  | 0F84 F5000000           | je 原版helpman.9852C6                 |009851D1  | 33C0                    | xor eax,eax                         |009851D3  | 8943 70                 | mov dword ptr ds:[ebx+70],eax       |009851D6  | 8D95 98FDFFFF           | lea edx,dword ptr ss:[ebp-268]      | [ebp-268]:L"\\SOFTWARE\\ECSOFTWARE\\Help+Manual 8"009851DC  | 8B45 F4                 | mov eax,dword ptr ss:[ebp-C]        | [ebp-C]:&L"Help+Manual 8"009851DF  | E8 58E8FFFF             | call <原版helpman.sub_983A3C>         |009851E4  | 8B85 98FDFFFF           | mov eax,dword ptr ss:[ebp-268]      | [ebp-268]:L"\\SOFTWARE\\ECSOFTWARE\\Help+Manual 8"009851EA  | 8D8D 9CFDFFFF           | lea ecx,dword ptr ss:[ebp-264]      |009851F0  | BA CC549800             | mov edx,<原版helpman.&sub_6C0041>     | 9854CC:L"AlternateBaseURL"009851F5  | E8 1EE1FFFF             | call 原版helpman.983318               |009851FA  | 8B85 9CFDFFFF           | mov eax,dword ptr ss:[ebp-264]      |00985200  | 8D55 F8                 | lea edx,dword ptr ss:[ebp-8]        |00985203  | E8 082AADFF             | call <原版helpman.sub_457C10>         |00985208  | 837D F8 00              | cmp dword ptr ss:[ebp-8],0          |0098520C  | 0F84 A8000000           | je 原版helpman.9852BA                 |00985212  | BA FC549800             | mov edx,原版helpman.9854FC            | 9854FC:L"^(https:\\/\\/)[-A-Za-z0-9+&#/%?=~_|!:,.;]+[-A-Za-z0-9+&#/%=~_|]$"00985217  | 8B45 F8                 | mov eax,dword ptr ss:[ebp-8]        |0098521A  | E8 11B7EDFF             | call 原版helpman.860930               |0098521F  | 84C0                    | test al,al                          |00985221  | 0F84 93000000           | je 原版helpman.9852BA                 |00985227  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |0098522C  | 8B55 F8                 | mov edx,dword ptr ss:[ebp-8]        |0098522F  | E8 F465A8FF             | call 原版helpman.40B828               |00985234  | EB 2B                   | jmp 原版helpman.985261                |00985236  | 8B35 FC957502           | mov esi,dword ptr ds:[27595FC]      | esi:sub_2662D8C+2C0098523C  | 8B36                    | mov esi,dword ptr ds:[esi]          | esi:sub_2662D8C+2C0098523E  | 85F6                    | test esi,esi                        | esi:sub_2662D8C+2C00985240  | 74 05                   | je 原版helpman.985247                 |00985242  | 83EE 04                 | sub esi,4                           | esi:sub_2662D8C+2C00985245  | 8B36                    | mov esi,dword ptr ds:[esi]          | esi:sub_2662D8C+2C00985247  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |0098524C  | 50                      | push eax                            |0098524D  | 8BCE                    | mov ecx,esi                         | esi:sub_2662D8C+2C0098524F  | 49                      | dec ecx                             |00985250  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |00985255  | 8B00                    | mov eax,dword ptr ds:[eax]          |00985257  | BA 01000000             | mov edx,1                           |0098525C  | E8 3B78A8FF             | call <原版helpman.sub_40CA9C>         |00985261  | 8D85 94FDFFFF           | lea eax,dword ptr ss:[ebp-26C]      |00985267  | 50                      | push eax                            |00985268  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |0098526D  | 8B00                    | mov eax,dword ptr ds:[eax]          |0098526F  | E8 CC66A8FF             | call <原版helpman.sub_40B940>         |00985274  | 8BD0                    | mov edx,eax                         |00985276  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |0098527B  | 8B00                    | mov eax,dword ptr ds:[eax]          |0098527D  | B9 01000000             | mov ecx,1                           |00985282  | E8 1578A8FF             | call <原版helpman.sub_40CA9C>         |00985287  | 8B85 94FDFFFF           | mov eax,dword ptr ss:[ebp-26C]      |0098528D  | BA 88559800             | mov edx,原版helpman.985588            |00985292  | E8 CD77A8FF             | call <原版helpman.sub_40CA64>         |00985297  | 74 9D                   | je 原版helpman.985236                 |00985299  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |0098529E  | 8B00                    | mov eax,dword ptr ds:[eax]          |009852A0  | BA FC549800             | mov edx,原版helpman.9854FC            | 9854FC:L"^(https:\\/\\/)[-A-Za-z0-9+&#/%?=~_|!:,.;]+[-A-Za-z0-9+&#/%=~_|]$"009852A5  | E8 86B6EDFF             | call 原版helpman.860930               |009852AA  | 84C0                    | test al,al                          |009852AC  | 75 1F                   | jne 原版helpman.9852CD                |009852AE  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |009852B3  | E8 9061A8FF             | call <原版helpman.sub_40B448>         |009852B8  | EB 13                   | jmp 原版helpman.9852CD                |009852BA  | A1 FC957502             | mov eax,dword ptr ds:[27595FC]      |009852BF  | E8 8461A8FF             | call <原版helpman.sub_40B448>         |009852C4  | EB 07                   | jmp 原版helpman.9852CD                |009852C6  | C743 70 01000000        | mov dword ptr ds:[ebx+70],1         |009852CD  | 8B45 FC                 | mov eax,dword ptr ss:[ebp-4]        |009852D0  | 8943 50                 | mov dword ptr ds:[ebx+50],eax       |009852D3  | 8BC3                    | mov eax,ebx                         | ebx:&L"Help+Manual 8"009852D5  | 8B55 F4                 | mov edx,dword ptr ss:[ebp-C]        | [ebp-C]:&L"Help+Manual 8"009852D8  | 8B0D A0349800           | mov ecx,dword ptr ds:[9834A0]       |009852DE  | E8 4581A8FF             | call <原版helpman.sub_40D428>         |009852E3  | 8D43 08                 | lea eax,dword ptr ds:[ebx+8]        | [ebx+8]:L"HM"009852E6  | 8BD7                    | mov edx,edi                         | edi:L"HM"009852E8  | E8 3B65A8FF             | call 原版helpman.40B828               |009852ED  | 8D43 0C                 | lea eax,dword ptr ds:[ebx+C]        | [ebx+C]:L"HMLIC"009852F0  | 8B55 F0                 | mov edx,dword ptr ss:[ebp-10]       | [ebp-10]:L"HMLIC"009852F3  | E8 3065A8FF             | call 原版helpman.40B828               |009852F8  | 8D85 90FDFFFF           | lea eax,dword ptr ss:[ebp-270]      |009852FE  | E8 0990EEFF             | call 原版helpman.86E30C               |00985303  | 8B95 90FDFFFF           | mov edx,dword ptr ss:[ebp-270]      |00985309  | 8D43 14                 | lea eax,dword ptr ds:[ebx+14]       |0098530C  | E8 B7A4A8FF             | call 原版helpman.40F7C8               |00985311  | E8 AA83ADFF             | call <原版helpman.sub_45D6C0>         | 像!====================================================01C8F1DC  | 68 F1F1C801             | push <原版helpman.sub_1C8F1F1>        |01C8F1E1  | 8B45 EC                 | mov eax,dword ptr ss:[ebp-14]       | [ebp-14]:&"CRC=\\software\\Microsoft\\Internet Account Manager\\Accounts"01C8F1E4  | E8 C3A377FE             | call <原版helpman.sub_4095AC>         |01C8F1E9  | C3                      | ret                                 |01C8F1EA  | E9 C1B677FE             | jmp 原版helpman.40A8B0                |01C8F1EF  | EB F0                   | jmp <原版helpman.sub_1C8F1E1>         |01C8F1F1  | 8B45 FC                 | mov eax,dword ptr ss:[ebp-4]        | [ebp-4]:&"劋S"01C8F1F4  | 8B40 68                 | mov eax,dword ptr ds:[eax+68]       |01C8F1F7  | BA 74F4C801             | mov edx,<原版helpman.sub_1C8F474>     | 1C8F474:"lang1033.txt"01C8F1FC  | E8 B3F3FFFF             | call 原版helpman.1C8E5B4              |01C8F201  | 8BD0                    | mov edx,eax                         |01C8F203  | 8B45 FC                 | mov eax,dword ptr ss:[ebp-4]        | [ebp-4]:&"劋S"01C8F206  | 8B80 94000000           | mov eax,dword ptr ds:[eax+94]       |01C8F20C  | 8B08                    | mov ecx,dword ptr ds:[eax]          |01C8F20E  | FF51 6C                 | call dword ptr ds:[ecx+6C]          |01C8F211  | 8D85 94FDFFFF           | lea eax,dword ptr ss:[ebp-26C]      |01C8F217  | 50                      | push eax                            |01C8F218  | 8D95 40FDFFFF           | lea edx,dword ptr ss:[ebp-2C0]      | [ebp-2C0]:L"X:\\HelpAndManual8\\原版HELPMAN.EXE"01C8F21E  | A1 B0AF7502             | mov eax,dword ptr ds:[275AFB0]      |01C8F223  | 8B00                    | mov eax,dword ptr ds:[eax]          |01C8F225  | E8 7696A2FE             | call 原版helpman.6B88A0               |01C8F22A  | 8B85 40FDFFFF           | mov eax,dword ptr ss:[ebp-2C0]      | [ebp-2C0]:L"X:\\HelpAndManual8\\原版HELPMAN.EXE"01C8F230  | E8 2BD477FE             | call <原版helpman.sub_40C660>         |01C8F235  | 50                      | push eax                            |01C8F236  | E8 D19F78FE             | call <JMP.&FindFirstFileW>          |01C8F23B  | 8BD8                    | mov ebx,eax                         |01C8F23D  | 85DB                    | test ebx,ebx                        |01C8F23F  | 74 5C                   | je 原版helpman.1C8F29D                |01C8F241  | 8D85 98FDFFFF           | lea eax,dword ptr ss:[ebp-268]      |01C8F247  | 8945 E8                 | mov dword ptr ss:[ebp-18],eax       |01C8F24A  | 8D85 84FDFFFF           | lea eax,dword ptr ss:[ebp-27C]      | [ebp-27C]:L"-0"01C8F250  | 50                      | push eax                            |01C8F251  | 8B45 E8                 | mov eax,dword ptr ss:[ebp-18]       |01C8F254  | 50                      | push eax                            |01C8F255  | E8 9A9F78FE             | call <JMP.&FileTimeToSystemTime>=======================>01C8F25A  | 8D85 84FDFFFF           | lea eax,dword ptr ss:[ebp-27C]      | [ebp-27C]:L"-0"01C8F260  | E8 6BE37CFE             | call <原版helpman.sub_45D5D0>         |01C8F265  | DD1D 70A97A02           | fstp qword ptr ds:[27AA970],st(0)   |01C8F26B  | 9B                      | fwait                               |01C8F26C  | 8D85 A8FDFFFF           | lea eax,dword ptr ss:[ebp-258]      |01C8F272  | 8945 E4                 | mov dword ptr ss:[ebp-1C],eax       |01C8F275  | 8D85 84FDFFFF           | lea eax,dword ptr ss:[ebp-27C]      | [ebp-27C]:L"-0"01C8F27B  | 50                      | push eax                            |01C8F27C  | 8B45 E4                 | mov eax,dword ptr ss:[ebp-1C]       |01C8F27F  | 50                      | push eax                            |01C8F280  | E8 6F9F78FE             | call <JMP.&FileTimeToSystemTime>    |01C8F285  | 8D85 84FDFFFF           | lea eax,dword ptr ss:[ebp-27C]      | [ebp-27C]:L"-0"01C8F28B  | E8 40E37CFE             | call <原版helpman.sub_45D5D0>         |01C8F290  | DD1D 78A97A02           | fstp qword ptr ds:[27AA978],st(0)   |01C8F296  | 9B                      | fwait                               |01C8F297  | 53                      | push ebx                            |01C8F298  | E8 679F78FE             | call <JMP.&FindClose>               |01C8F29D  | E8 1EE47CFE             | call <原版helpman.sub_45D6C0>        ===>里边是多个GetLocalTime的调用点

纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第4章
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第5章过期后,有意思的是文档会为只读。
由于我知道该软件使用了RichViewEdit控件,因此查询一下帮助该方法的实现。
配图
我们就可以用Delphi 11.2 + RichViewEdit控件编程来模拟实现。
[Delphi] 纯文本查看 复制代码
procedure TForm4.Button1Click(Sender: TObject);begin  RichViewEdit1.ReadOnly := True;   //只读end;

[Delphi] 纯文本查看 复制代码
procedure TForm4.Button1Click(Sender: TObject);beginRichViewEdit1.ReadOnly := False; //取消只读end;

纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
用IDR分别打开两份,对比一下机器码一目了然吧?纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
回到x64dbg中,Ctrl+B定位修改OK了吧?只有call的那一行不一样。
配图
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第6章
配图
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第7章
配图
又过了数月,意外在某QQ群中的某群文件中发现了一个控件名字很有意思
索性上网搜索下吧,一看界面和实现的功能,马上一切疑问一扫而空,天亮了下雪了。。。
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
第8章  额外的启迪与思考
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
配图
额外的RichViewEdit插件
额外的库pdfium.dll接口
额外的调试输出日志插件
这些调用方法,法王姥爷你编程都掌握了么?
纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
后记:该软件作为Delphi开发的软件还是相当牛逼的。具体表现在几个方面:
  • 功能比较完备
  • 授权机制中规中矩
  • 使用了特殊的日志与堆栈输出控件
  • 有网络校验
  • 功能限制方面做得可圈可点,对Delphi老粉来说是个非常好的素材和模仿对象

如果12分是满分的话,至少我给他打11分。纯爆破流强制去水印,对比走位去时间,授权的流程,强制干翻ReportForm异常,文档为只读
再说下缺陷吧:正是因为上面的第三点才更快的被破解者找到堆栈调用地址,一击必杀。
我觉得作者这么做还是存在争议的。
华山资源网 Design By www.eoogi.com
广告合作:本站广告合作请联系QQ:858582 申请时备注:广告合作(否则不回)
免责声明:本站资源来自互联网收集,仅供用于学习和交流,请遵循相关法律法规,本站一切资源不代表本站立场,如有侵权、后门、不妥请联系本站删除!
华山资源网 Design By www.eoogi.com