ere:00649163 B9B862C100 mov ecx, 00C162B8
:00649168 47 inc edi
:00649169 E8C2961D00 call 00822830
:0064916E 3BF8 cmp edi, eax
:00649170 0F8C2AFFFFFF jl 006490A0
:00649176 8B742410 mov esi, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00649090(C)
|
:0064917A B9BC62C100 mov ecx, 00C162BC
:0064917F C6863001000001 mov byte ptr [esi+00000130], 01
/ Breakthrough point
* Reference To: MatRegistration01.?ShowRegistrationDialog@MLicenceManager@@UAEXXZ, Ord:0019h
|
:00649186 FF1530DAA700 Call dword ptr [00A7DA30]
0064E7D0 |. E8 D3781600 |call <jmp.&MFC71.#1123> <---- pops up the "not registered" dialog
0064E7D5 |. 83F8 07 |cmp eax,7
0064E7D8 |. 0F84 DB0000>|je SimPlant.0064E8B9
0064E7DE |. B9 BC62C100 |mov ecx,SimPlant.00C162BC
0064E7E3 |. FF15 30DAA7>|call dword ptr ds:[<&MatRegistration01.MLicenceManager::ShowRegistrat>; MatRegis.MLicenceManager::ShowRegistrationDialog
This software was cracked by first setting a breakpoint on MessageBoxA, then looking at the surrounding context, where the call to ShowRegistrationDialog shows up. The correct flow should never reach this call, so go to the very top of the function containing it, set a breakpoint there, and observe that it is called from somewhere else. Follow it to the call site; in that context, the instruction at 64f2ed looks suspicious, and changing it to a jmp is all it takes.
0064F2E3 . E8 98F2F1FF call SimPlant.0056E580
0064F2E8 . 83C4 08 add esp,8
0064F2EB . 84C0 test al,al
0064F2ED E9 BA000000 jmp SimPlant.0064F3AC
0064F2F2 90 nop