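With nothing much to do recently, I picked up a GPS unit to play with, and it popped up
"This XXXXXX sample product will expire in 20 days". So it would still work for about 20 more days. It was usable, but it still bothered me a little, and since I had been learning cracking on Kanxue for a while, I decided to use it for practice and get some hands-on experience.
I am a beginner, so please forgive any mistakes.
GPS runtime environment: WinCE
Cracking environment: WinXP
Tools: IDA PRO 5.0; an MP3 player's PC data cable, used as the sync cable
Preparation: Microsoft ActiveSync must be installed on XP; synchronization and debugging go through this software
Let's get started.
1. Open the GPS program in IDA.
2. In IDA, search for the string "This XXXXXX sample product will expire",
as follows: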
data:00210B58 00000068 unicode This XXXXXX sample product will expire in %d days
3. Double-click this line to arrive at:
.data:00210B48 s_Rb_9 unicode 0, <rb>,0 ; DATA XREF: sub_14B598:off_14BA80 o
.data:00210B4E ALIGN 0x10
.data:00210B50 s_RB_1 unicode 0, <r+b>,0 ; DATA XREF: sub_14B598:off_14BA78 o
.data:00210B58 s_This XXXXXX _0 unicode 0, <This XXXXXX sample product will expire in %d days>,0
.data:00210B58 ; DATA XREF: sub_14B598:off_14BA70 o
.data:00210BC0 s_Warning unicode 0, <Warning>,0 ; DATA XREF: sub_14B598:lpCaption o
.data:00210BD0 s_Expired unicode 0, <EXPIRED>,0 ; DATA XREF: sub_14B598:off_14BA68 o
.data:00210BE0 s_This XXXXXX Sa unicode 0, <This XXXXXX sample product is expired. Please contact your XXXXXX repr>
.data:00210BE0 ; DATA XREF: sub_14B598:lpText o
.data:00210BE0 unicode 0, <esentative.>,0
.data:00210C8C s_Apr272007 DCB "Apr 27 2007",0 ; DATA XREF: sub_14B598:off_14BA60 o
.data:00210C98 s_Expired_0 unicode 0, <EXPIRED>,0 ; DATA XREF: .text:off_14C990 o
.data:00210CA8 s_This XXXXXX _1 unicode 0, <This XXXXXX sample product is expired. Please contact your XXXXXX repr>
.data:00210CA8 ; DATA XREF: .text:off_14C98C o
.data:00210CA8 unicode 0, <esentative.>,0
.data:00210D54 s_WrongContex_2 unicode 0, <wrong context> ; DATA XREF: .text:off_14D1D4 o
.data:00210D54 DCW 0xA
.data:00210D54 unicode 0, <>,0
.data:00210D72 ALIGN 4
4. Double-click again on
DATA XREF: sub_14B598:off_14BA70 o to arrive at
.text:0014BA58 ; ---------------------------------------------------------------------------
.text:0014BA5C off_14BA5C DCD off_210A34 ; DATA XREF: sub_14B598+480 r
.text:0014BA60 off_14BA60 DCD s_Apr272007 ; DATA XREF: sub_14B598:loc_14B9E4 r
.text:0014BA60 ; "Apr 27 2007"
.text:0014BA64 ; LPCWSTR lpText
.text:0014BA64 lpText DCD s_This XXXXXX Sa ; DATA XREF: sub_14B598+414 r
.text:0014BA64 ; "This XXXXXX sample product is expired"...
.text:0014BA68 ; LPCWSTR off_14BA68
.text:0014BA68 off_14BA68 DCD s_Expired ; DATA XREF: sub_14B598+40C r
.text:0014BA68 ; "EXPIRED"
.text:0014BA6C ; LPCWSTR lpCaption
.text:0014BA6C lpCaption DCD s_Warning ; DATA XREF: sub_14B598+39C r
.text:0014BA6C ; "Warning"
.text:0014BA70 ; wchar_t *off_14BA70
.text:0014BA70 off_14BA70 DCD s_This XXXXXX _0 ; DATA XREF: sub_14B598+38C r
.text:0014BA70 ; "This XXXXXX sample product will expir"...
.text:0014BA74 off_14BA74 DCD __rt_sdiv64by64 ; DATA XREF: sub_14B598:loc_14B908 r
.text:0014BA78 off_14BA78 DCD s_RB_1 ; DATA XREF: sub_14B598+2B8 r
.text:0014BA78 ; "r+b"
.text:0014BA7C off_14BA7C DCD unk_25FCB4 ; DATA XREF: sub_14B598+210 r
.text:0014BA80 off_14BA80 DCD s_Rb_9 ; DATA XREF: sub_14B598+1E8 r
.text:0014BA80 ; "rb"
.text:0014BA84 off_14BA84 DCD unk_25FCBE ; DATA XREF: sub_14B598+144 r
.text:0014BA88 off_14BA88 DCD unk_260088 ; DATA XREF: sub_14B598+38 r
.text:0014BA8C off_14BA8C DCD unk_25FCB0 ; DATA XREF: sub_14B598+14 r
.text:0014BA90 dword_14BA90 DCD 0xFFFFF2DC ; DATA XREF: sub_14B598+4 r
.text:0014BA94 ; ---------------------------------------------------------------------------
5. Double-click DATA XREF: sub_14B598+38C r to reach the place where the code references it
.text:0014B8A0 loc_14B8A0 ; CODE XREF: sub_14B598+2C8 j
.text:0014B8A0 LDR R6, [SP,#0xD48+Buffer]
.text:0014B8A0
.text:0014B8A4
.text:0014B8A4 loc_14B8A4 ; CODE XREF: sub_14B598+2B4 j
.text:0014B8A4 LDR R3, [SP,#0xD48+ft]
.text:0014B8A8 MOV R5, R10
.text:0014B8AC LDR R4, [SP,#0xD48+ft.dwHighDateTime]
.text:0014B8B0 MOV R2, #0x2680
.text:0014B8B4 SUBS R0, R3, R5
.text:0014B8B8 STR R5, [SP,#0xD48+var_D1C]
.text:0014B8BC SBC R1, R4, R6
.text:0014B8C0 STR R6, [SP,#0xD48+var_D18]
.text:0014B8C4 ORR R2, R2, #1
.text:0014B8C8 MOV R7, #0x2C00
.text:0014B8CC MOV R8, #0x47000000 ; <suspicious>
.text:0014B8D0 ORR R7, R7, #1
.text:0014B8D4 ORR R8, R8, #unk_220000
.text:0014B8D8 CMP R1, R2
.text:0014B8DC BLT loc_14B960
.text:0014B8DC
.text:0014B8E0 BGT loc_14B8F4
.text:0014B8E0
.text:0014B8E4 MOVL R2, 0x1E3DC000 ; <suspicious>
.text:0014B8EC CMP R0, R2
.text:0014B8F0 BLS loc_14B960
.text:0014B8F0
.text:0014B8F4
.text:0014B8F4 loc_14B8F4 ; CODE XREF: sub_14B598+348 j
.text:0014B8F4 CMP R1, R7
.text:0014B8F8 BGT loc_14B960 ; key jump: taking it skips the message about how long remains before expiry
.text:0014B8F8
.text:0014B8FC BLT loc_14B908
.text:0014B8FC
.text:0014B900 CMP R0, R8
.text:0014B904 BCS loc_14B960 ; key jump: taking it skips the message about how long remains before expiry
.text:0014B904
.text:0014B908
.text:0014B908 loc_14B908 ; CODE XREF: sub_14B598+364 j
.text:0014B908 LDR R4, =__rt_sdiv64by64
.text:0014B90C MOVL R2, 0x2A69C000 ; <suspicious>
.text:0014B914 LDR R4, [R4]
.text:0014B918 MOV R3, #0xC9
.text:0014B91C MOV LR, PC
.text:0014B920 MOV PC, R4
.text:0014B924 LDR R1, =s_ThisXXXXXX_0 ; wchar_t *
.text:0014B928 RSB R2, R0, #0x38
.text:0014B92C ADD R0, SP, #0xD48+Text ; wchar_t *
.text:0014B930 BL swprintf ; format the prompt message
.text:0014B930
.text:0014B934 LDR R2, =s_Warning ; lpCaption
.text:0014B938 MOVL R0, 0x10638
.text:0014B940 LDR R0, [R9,R0] ; hWnd
.text:0014B944 MOV R3, #0 ; uType
.text:0014B948 ADD R1, SP, #0xD48+Text ; lpText
.text:0014B94C BL MessageBoxW ;
.text:0014B94C
.text:0014B950 LDR R3, [SP,#0xD48+ft]
.text:0014B954 LDR R4, [SP,#0xD48+ft.dwHighDateTime]
.text:0014B958 LDR R5, [SP,#0xD48+var_D1C]
.text:0014B95C LDR R6, [SP,#0xD48+var_D18]
.text:0014B95C
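As can be seen above,
.text:0014B8F8 BGT loc_14B960 ; key jump: taking it skips the message about how long remains before expiry
and
.text:0014B904 BCS loc_14B960 ; key jump: taking it skips the message about how long remains before expiry
are the key jump instructions; a brute-force patch can be made here.
Change text:0014B8F8 BGT loc_14B960 ; machine code for this instruction: 18 00 00 CA
to text:0014B8F8 B loc_14B960 ; forces the jump to loc_14B960
B loc_14B960 ; machine code for this instruction: 18 00 00 EA
This way the message about how long remains before expiry is no longer displayed.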
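Why the two encodings quoted above differ in a single byte, as an added example that is not part of the original post: the sketch decodes both 4-byte sequences as ARM (A32) branch instructions at address 0x14B8F8 and reports which bytes differ. The function names decode_branch and changed_bytes are hypothetical helpers introduced here.

```python
import struct

# ARM (A32) condition codes, indexed by the top 4 bits of the instruction word.
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]


def decode_branch(code: bytes, addr: int) -> dict:
    """Decode one little-endian A32 B/BL instruction located at addr.

    Hypothetical helper written for this example.
    """
    if len(code) != 4:
        raise ValueError("an A32 instruction is exactly 4 bytes")
    (word,) = struct.unpack("<I", code)
    if (word >> 25) & 0b111 != 0b101:
        raise ValueError("not a B/BL encoding (bits 27..25 != 101)")
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:          # sign-extend the 24-bit word offset
        imm24 -= 1 << 24
    return {
        "cond": COND[word >> 28],
        "link": bool(word & (1 << 24)),
        # PC reads as addr + 8 on ARM; the offset counts 4-byte words.
        "target": (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF,
    }


def changed_bytes(a: bytes, b: bytes) -> list:
    """Return (offset, old, new) for every byte that differs (hypothetical helper)."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Bytes quoted in the post for address 0x14B8F8.
ORIGINAL = bytes.fromhex("180000CA")   # BGT loc_14B960
MODIFIED = bytes.fromhex("180000EA")   # B   loc_14B960

if __name__ == "__main__":
    for label, code in (("original", ORIGINAL), ("modified", MODIFIED)):
        d = decode_branch(code, 0x14B8F8)
        print(f"{label}: B{d['cond']} -> {d['target']:#x} (link={d['link']})")
    print("differing bytes:", changed_bytes(ORIGINAL, MODIFIED))
```

Both words carry the same 24-bit offset, so both resolve to loc_14B960; only the condition field in the last byte changes from GT to AL, which is the kind of one-byte difference a checksum over the code section would flag.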