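SilkTest crack (reposted, unverified)
Note: this method applies only to the SilkTest2008 30-day trial version downloaded from the official Borland website (which requires registering some information first), and is for study and discussion only.
Crack method 1:
Download the crack patch (right-click and choose "Save As"; after downloading, change the extension to rar, extract it, and run it from the SilkTest2008 installation directory).
Crack method 2:
Open partner.exe in the SilkTest2008 installation directory with a 32-bit editor such as UltraEdit, go to offset 0x46239, and change 0x74 to 0x75.
Cracking process:
Run partner.exe under OllyDbg. When the system time is outside the 30-day trial period (setting the clock earlier does not work either), the program shows "No License for 'SilkTest_GUI 9.0'!". So use "Search for all referenced text strings" and search for "License": address 0x004463D0 contains PUSH partner.007C4468, and address 0x007C4468 is exactly the string UNICODE "No License for '%s %s'!".
Following that reference leads to this code: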
00446206 /$ 55 PUSH EBP
00446207 |. 8BEC MOV EBP,ESP
00446209 |. 81EC 1C040000 SUB ESP,41C
0044620F |. 68 00010000 PUSH 100 ; /BufSize = 100 (256.)
00446214 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208] ; |
0044621A |. 50 PUSH EAX ; |PathBuffer
0044621B |. 8B0D 60BF8D00 MOV ECX,DWORD PTR DS:[8DBF60] ; |
00446221 |. 8B11 MOV EDX,DWORD PTR DS:[ECX] ; |
00446223 |. 52 PUSH EDX ; |hModule
00446224 |. FF15 08947800 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; /GetModuleFileNameW
0044622A |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0044622D |. A1 60BF8D00 MOV EAX,DWORD PTR DS:[8DBF60]
00446232 |. 83B8 54D60000>CMP DWORD PTR DS:[EAX+D654],0
00446239 |. 74 0A JE SHORT partner.00446245
0044623B |. B8 01000000 MOV EAX,1
00446240 |. E9 AB010000 JMP partner.004463F0
00446245 |> 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00446248 |. 66:C7844D F8F>MOV WORD PTR SS:[EBP+ECX*2-208],0
00446252 |. 6A 5C PUSH 5C ; /c = 005C ('\')
00446254 |. 8D95 F8FDFFFF LEA EDX,DWORD PTR SS:[EBP-208] ; |
0044625A |. 52 PUSH EDX ; |s
0044625B |. FF15 34977800 CALL DWORD PTR DS:[<&MSVCRT.wcsrchr>] ; /wcsrchr
00446261 |. 83C4 08 ADD ESP,8
00446264 |. 8985 F0FDFFFF MOV DWORD PTR SS:[EBP-210],EAX
0044626A |. 83BD F0FDFFFF>CMP DWORD PTR SS:[EBP-210],0
00446271 |. 74 0B JE SHORT partner.0044627E
00446273 |. 8B85 F0FDFFFF MOV EAX,DWORD PTR SS:[EBP-210]
00446279 |. 66:C700 0000 MOV WORD PTR DS:[EAX],0
0044627E |> 68 00010000 PUSH 100
00446283 |. 8D8D ECFBFFFF LEA ECX,DWORD PTR SS:[EBP-414]
00446289 |. 51 PUSH ECX
0044628A |. 8D95 F8FDFFFF LEA EDX,DWORD PTR SS:[EBP-208]
00446290 |. 52 PUSH EDX
00446291 |. FF15 50937800 CALL DWORD PTR DS:[<&KERNEL32.GetLongPat>; kernel32.GetLongPathNameW
00446297 |. 8985 ECFDFFFF MOV DWORD PTR SS:[EBP-214],EAX
0044629D |. 83BD ECFDFFFF>CMP DWORD PTR SS:[EBP-214],0
004462A4 |. 74 11 JE SHORT partner.004462B7
004462A6 |. 8D85 ECFBFFFF LEA EAX,DWORD PTR SS:[EBP-414]
004462AC |. 50 PUSH EAX ; /Arg1
004462AD |. E8 69471B00 CALL partner.005FAA1B ; /partner.005FAA1B
004462B2 |. 83C4 04 ADD ESP,4
004462B5 |. EB 0F JMP SHORT partner.004462C6
004462B7 |> 8D8D F8FDFFFF LEA ECX,DWORD PTR SS:[EBP-208]
004462BD |. 51 PUSH ECX ; /Arg1
004462BE |. E8 58471B00 CALL partner.005FAA1B ; /partner.005FAA1B
004462C3 |. 83C4 04 ADD ESP,4
004462C6 |> 8B15 60BF8D00 MOV EDX,DWORD PTR DS:[8DBF60]
004462CC |. 83BA 4CD60000>CMP DWORD PTR DS:[EDX+D64C],0
004462D3 |. 74 0C JE SHORT partner.004462E1
004462D5 |. C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],8000
004462DF |. EB 3A JMP SHORT partner.0044631B
004462E1 |> 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004462E4 |. 83B8 48230000>CMP DWORD PTR DS:[EAX+2348],0
004462EB |. 74 0C JE SHORT partner.004462F9
004462ED |. C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],200000
004462F7 |. EB 22 JMP SHORT partner.0044631B
004462F9 |> 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004462FC |. 83B9 4C230000>CMP DWORD PTR DS:[ECX+234C],0
00446303 |. 74 0C JE SHORT partner.00446311
00446305 |. C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],partner.00400>
0044630F |. EB 0A JMP SHORT partner.0044631B
00446311 |> C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],400
0044631B |> 68 10447C00 PUSH partner.007C4410 ; UNICODE "9.0"
00446320 |. 8B95 F4FDFFFF MOV EDX,DWORD PTR SS:[EBP-20C]
00446326 |. 52 PUSH EDX
00446327 |. E8 123B1B00 CALL partner.005F9E3E
0044632C |. 83C4 08 ADD ESP,8
0044632F |. 8985 E8FBFFFF MOV DWORD PTR SS:[EBP-418],EAX
00446335 |. E8 643E1B00 CALL partner.005FA19E
0044633A |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0044633D |. 83BD E8FBFFFF>CMP DWORD PTR SS:[EBP-418],0
00446344 |. 74 54 JE SHORT partner.0044639A
00446346 |. 8B85 F4FDFFFF MOV EAX,DWORD PTR SS:[EBP-20C]
0044634C |. 8985 E4FBFFFF MOV DWORD PTR SS:[EBP-41C],EAX
00446352 |. 81BD E4FBFFFF>CMP DWORD PTR SS:[EBP-41C],200000
0044635C |. 74 1A JE SHORT partner.00446378
0044635E |. 81BD E4FBFFFF>CMP DWORD PTR SS:[EBP-41C],partner.00400>
00446368 |. 74 02 JE SHORT partner.0044636C
0044636A |. EB 16 JMP SHORT partner.00446382
0044636C |> C705 A4B48800>MOV DWORD PTR DS:[88B4A4],1
00446376 |. EB 0A JMP SHORT partner.00446382
00446378 |> C705 A0B48800>MOV DWORD PTR DS:[88B4A0],1
00446382 |> 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00446386 |. 7E 10 JLE SHORT partner.00446398
00446388 |. 8B0D 60BF8D00 MOV ECX,DWORD PTR DS:[8DBF60]
0044638E |. C781 64D60000>MOV DWORD PTR DS:[ECX+D664],1
00446398 |> EB 51 JMP SHORT partner.004463EB
0044639A |> 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
0044639E |. 75 1B JNZ SHORT partner.004463BB
004463A0 |. 68 18447C00 PUSH partner.007C4418 ; /Arg2 = 007C4418
004463A5 |. 8B15 60BF8D00 MOV EDX,DWORD PTR DS:[8DBF60] ; |
004463AB |. 8B42 34 MOV EAX,DWORD PTR DS:[EDX+34] ; |
004463AE |. 50 PUSH EAX ; |Arg1
004463AF |. E8 2B4DFFFF CALL partner.0043B0DF ; /partner.0043B0DF
004463B4 |. 83C4 08 ADD ESP,8
004463B7 |. 33C0 XOR EAX,EAX
004463B9 |. EB 35 JMP SHORT partner.004463F0
004463BB |> 68 60447C00 PUSH partner.007C4460 ; UNICODE "9.0"
004463C0 |. 8B8D F4FDFFFF MOV ECX,DWORD PTR SS:[EBP-20C]
004463C6 |. 51 PUSH ECX ; /Arg1
004463C7 |. E8 91461B00 CALL partner.005FAA5D ; /partner.005FAA5D
004463CC |. 83C4 04 ADD ESP,4
004463CF |. 50 PUSH EAX ; |Arg3
004463D0 |. 68 68447C00 PUSH partner.007C4468 ; |Arg2 = 007C4468
004463D5 |. 8B15 60BF8D00 MOV EDX,DWORD PTR DS:[8DBF60] ; |
004463DB |. 8B42 34 MOV EAX,DWORD PTR DS:[EDX+34] ; |
004463DE |. 50 PUSH EAX ; |Arg1
004463DF |. E8 FB4CFFFF CALL partner.0043B0DF ; /partner.0043B0DF
004463E4 |. 83C4 10 ADD ESP,10
004463E7 |. 33C0 XOR EAX,EAX
004463E9 |. EB 05 JMP SHORT partner.004463F0
004463EB |> B8 01000000 MOV EAX,1
004463F0 |> 8BE5 MOV ESP,EBP
004463F2 |. 5D POP EBP
004463F3 /. C3 RETN
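As a first attempt, the nearest branch above it, the JNZ at address 0x44639E, was changed to JE; the message then changed to "Your Evaluation period has expired".
Searching further up for code that can jump past 0x004463D0 leads to the JE at 0x00446239; after changing it to JNZ, the crack succeeded.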
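From the vendor's or an administrator's side, the change described above is a one-byte difference from the shipped binary, which a baseline comparison finds. The following is an added example, not part of the original post: it diffs a deployed image against a known-good copy and flags bytes that look like an inverted short conditional jump (0x74 JE to 0x75 JNZ is one such pair). The function names and the padded sample buffer are constructed for illustration; only the twelve instruction bytes come from the listing at 00446239-00446240.

```python
import hashlib

def is_jcc_inversion(old: int, new: int) -> bool:
    # Short conditional jumps (Jcc rel8) use opcodes 0x70-0x7F; each even/odd
    # pair is a condition and its negation, e.g. 0x74 JE / 0x75 JNZ.
    return 0x70 <= old <= 0x7F and (old ^ new) == 0x01

def diff_against_baseline(baseline: bytes, deployed: bytes) -> dict:
    """Compare a deployed binary with a known-good copy and classify changes."""
    report = {
        "baseline_sha256": hashlib.sha256(baseline).hexdigest(),
        "deployed_sha256": hashlib.sha256(deployed).hexdigest(),
        "size_changed": len(baseline) != len(deployed),
        "changes": [],
    }
    for offset, (old, new) in enumerate(zip(baseline, deployed)):
        if old != new:
            report["changes"].append({
                "offset": offset,
                "old": old,
                "new": new,
                # Heuristic: without disassembly a 0x7x byte could also be
                # data or an operand, so treat this as a triage hint only.
                "likely_branch_inversion": is_jcc_inversion(old, new),
            })
    report["tampered"] = report["size_changed"] or bool(report["changes"])
    return report

def build_sample():
    # Constructed sample: JE / MOV EAX,1 / JMP bytes from the listing, placed
    # at offset 16 of a NOP-padded buffer (not the real file layout).
    code = bytes.fromhex("740AB801000000E9AB010000")
    baseline = b"\x90" * 16 + code + b"\x90" * 4
    patched = bytearray(baseline)
    patched[16] = 0x75  # the single-byte modification described in the post
    return baseline, bytes(patched)

if __name__ == "__main__":
    good, suspect = build_sample()
    result = diff_against_baseline(good, suspect)
    print("tampered:", result["tampered"])
    for c in result["changes"]:
        print(f"offset 0x{c['offset']:X}: {c['old']:02X} -> {c['new']:02X}, "
              f"branch inversion: {c['likely_branch_inversion']}")
```

In practice the baseline would be the vendor's published hash or a verified code signature rather than a second copy of the file; the byte-level diff is for triage once a mismatch is found.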