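Procedure:
1. Open a terminal and change to debussy/platform/LINUX/bin/
2. Start gdb: type gdb debussy and press Enter.
3. Set a breakpoint: type break snsCheckOut and press Enter. The program returns an address; mine was 0x92bf604.
4. Disassemble: type disassemble 0x92bf600 0x92bf700 and press Enter, which prints the contents of that code segment.
5. Following proteus's post, the corresponding machine code is 55 89 e5 57 56 53 81 ec 5c 94 00 00. It may differ depending on the installation, so compare it yourself against the example at the bottom.
6. Open the KHEX editor, open the debussy file (the 35M one under platform), search for 55 89 e5 57 56 53 81 ec 5c 94 00 00, change the first three bytes to 31 c0 c3, then save and exit.
7. Start debussy again and everything is OK. No license is needed, and it no longer exits after a few traces.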
All N0v@$ products for all Operating systems can be cr@cked easily without license file.
Just force the return value of the procedure "snsCheckOut" to "0" or fool the "compare and jump" instruction after calling "snsCheckOut"
For example,
(1) Linux version:
Before modifications:
090de7d0 <snsCheckOut>:
90de7d0: 55 push %ebp
90de7d1: 89 e5 mov %esp,%ebp
90de7d3: 57 push %edi
90de7d4: 56 push %esi
90de7d5: 53 push %ebx
90de7d6: 81 ec 2c 58 00 00 sub $0x582c,%esp
90de7dc: 8a 45 18 mov 0x18(%ebp),%al
90de7df: 88 85 cf a7 ff ff mov %al,0xffffa7cf(%ebp)
90de7e5: 8a 55 28 mov 0x28(%ebp),%dl
90de7e8: 88 95 ce a7 ff ff mov %dl,0xffffa7ce(%ebp)
90de7ee: bf 00 00 00 00 mov $0x0,%edi
90de7f3: 83 3d a8 72 36 09 00 cmpl $0x0,0x93672a8
After modifications:
090de7d0 <snsCheckOut>:
90de7d0: 31 c0 xor %eax,%eax
90de7d2: c3 ret
(2) Solaris 5.7, 5.8 Version
Before modifications:
10046cc98: 40 00 05 e8 call snsCheckOut
10046cc9c: 99 3e 60 00 sra %i1, 0, %o4
10046cca0: 80 a6 60 00 cmp %i1, 0
10046cca4: 12 40 00 09 bne,pn %icc,0x10046ccc8
10046cca8: 80 a2 20 00 cmp %o0, 0
10046ccac: 90 10 20 01 mov 1, %o0
10046ccb0: 02 48 00 3b be,pt %icc,0x10046cd9c
10046ccb4: b1 3a 20 00 sra %o0, 0, %i0
10046ccb8: 90 10 20 00 clr %o0
10046ccbc: b1 3a 20 00 sra %o0, 0, %i0
10046ccc0: 81 c7 e0 08 ret
10046ccc4: 81 e8 00 00 restore
10046ccc8: 02 40 00 05 be,pn %icc,0x10046ccdc
10046cccc: 90 10 20 00 clr %o0
10046ccd0: b1 3a 20 00 sra %o0, 0, %i0
10046ccd4: 81 c7 e0 08 ret
10046ccd8: 81 e8 00 00 restore
10046ccdc: 05 00 00 00 sethi %hi(0x0), %g2
10046cce0: 07 00 16 04 sethi %hi(0x581000), %g3
10046cce4: 84 10 a0 01 or %g2, 1, %g2
10046cce8: 86 10 e0 e4 or %g3, 228, %g3
10046ccec: 85 28 b0 20 sllx %g2, 32, %g2
10046ccf0: 90 07 a3 ff add %fp, 1023, %o0
10046ccf4: 92 10 c0 02 or %g3, %g2, %o1
10046ccf8: 94 07 a3 f3 add %fp, 1011, %o2
10046ccfc: 40 00 01 d9 call snsParseVendorString
After modifications:
10046ccc4: 81 e8 00 00 restore
10046ccc8: 12 40 00 05 bne,pn %icc,0x10046ccdc
(3) Solaris 5.5, 5.6 Version
Before modifications:
.text:003BB124 set -0x2078, %g1 03 3F FF F7 82 00 63 88
.text:003BB12C save %sp, %g1, %sp 9D E3 80 01
.text:003BB130 st %i3, [%fp+arg_50] F6 27 A0 50
.text:003BB134 mov %i2, %l1 A2 10 00 1A
After modifications:
.text:003BB124 mov 0, %o0 90 10 20 00
.text:003BB128 ret 81 C7 E0 08
.text:003BB13C restore 81 E8 00 00
(4) Windows version:
"snsCheckOut" can not be obviously found, but it is actually in the program. Carefully tracing the program can find it.
Tested; it works completely.
User19921 2008-3-1 13:20
ash_riple_768180695 2008-2-1 09:16
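Added example, not part of the original post or of the vendor's code: a defender-side integrity check for the kind of entry-point modification shown in the Linux listing above, where a function's prologue is replaced by a return-constant stub. The function names are hypothetical, and the byte strings are constructed from the listing on this page.

```python
import hashlib

# x86 encodings that make a function return a constant immediately.
STUB_PATTERNS = {
    bytes.fromhex("31c0c3"): "xor %eax,%eax; ret",
    bytes.fromhex("33c0c3"): "xor %eax,%eax; ret",  # alternative encoding
}

def classify_entry(code: bytes) -> str:
    """Describe the first instructions found at a function entry point."""
    for pattern, text in STUB_PATTERNS.items():
        if code.startswith(pattern):
            return "stub: " + text
    # mov $imm32,%eax ; ret  is encoded as  b8 xx xx xx xx c3
    if len(code) >= 6 and code[0] == 0xB8 and code[5] == 0xC3:
        return "stub: mov $imm32,%eax; ret"
    if code.startswith(bytes.fromhex("5589e5")):
        return "prologue: push %ebp; mov %esp,%ebp"
    return "unknown"

def entry_digest(code: bytes, length: int = 12) -> str:
    """SHA-256 over the first `length` bytes of the function."""
    return hashlib.sha256(code[:length]).hexdigest()

def check_entry(code: bytes, expected_digest: str, length: int = 12) -> dict:
    """Compare entry bytes with a baseline recorded at build time."""
    actual = entry_digest(code, length)
    return {
        "intact": actual == expected_digest,
        "shape": classify_entry(code),
        "sha256": actual,
    }

# Constructed sample input: entry bytes taken from the Linux listing above,
# before and after the first three bytes are overwritten.
ORIGINAL = bytes.fromhex("5589e557565381ec2c580000")
PATCHED = bytes.fromhex("31c0c357565381ec2c580000")
BASELINE = entry_digest(ORIGINAL)  # assumption: recorded from a trusted build

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, check_entry(blob, BASELINE))
```

A check like this only raises the cost of tampering when it runs outside the binary being verified or is itself covered by a signature; a single function whose return value decides the whole license outcome remains the weak point the post describes.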