ebookmark 1.8.1.94 多语言版破解过程

软件简介：很好用的网页书签采集和管理,支持右键菜单....原版下载http://www.etoolssoft.com/files/ebmen.exe 主程序用W32DASM反汇编后找不到有用的信息。一时找不到破解的突破口。先运行程序看看再说。在程序运行时可以发现有个提示注册框，其中有30天限制的说明，还有已使用天数的提示。好！就用这个“30”作为突破口。用OLLYDBG载入后搜索全部常数1E，可以发现很多与1E有关的代码。其中只有004A64E2和004A650B两处是比较代码。先来到004A64E2处：004A64CE . E8 198DF9FF CALL ebm.0043F1EC004A64D3 . B0 01 MOV AL,1004A64D5 . E8 D2F60000 CALL ebm.004B5BAC＝＝＝＞此CALL计算已使用天数，并存入EAX。004A64DA 8BF0 MOV ESI,EAX004A64DC 89B3 E0020000 MOV DWORD PTR DS:[EBX+2E0],ESI004A64E2 . 83FE 1E CMP ESI,1E＝＝＝＞在此处下断可以发现ESI保存的就是已使用天数。004A64E5 . 7E 1B JLE SHORT ebm.004A6502004A64E7 . 8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]004A64ED . C740 0C 760E0>MOV DWORD PTR DS:[EAX+C],0E76004A64F4 . A1 54F24B00 MOV EAX,DWORD PTR DS:[4BF254]004A64F9 . 8B00 MOV EAX,DWORD PTR DS:[EAX]004A64FB . 33D2 XOR EDX,EDX004A64FD . 8B08 MOV ECX,DWORD PTR DS:[EAX]004A64FF . FF51 5C CALL DWORD PTR DS:[ECX+5C]004A6502 > 8BC3 MOV EAX,EBX004A6504 . E8 5FFDFFFF CALL ebm.004A6268004A6509 . 5E POP ESI004A650A . 5B POP EBX004A650B . C3 RETN＝＝＝＞在此下断看看程序返回到哪里。程序运行到此时按一下F8来到下面代码处。004A650C . 53 PUSH EBX004325D7 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX004325DA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]004325DD . 66:83B8 BA020>CMP WORD PTR DS:[EAX+2BA],0004325E5 . 74 41 JE SHORT ebm.00432628004325E7 . 33C0 XOR EAX,EAX004325E9 . 55 PUSH EBP004325EA . 68 11264300 PUSH ebm.00432611004325EF . 64:FF30 PUSH DWORD PTR FS:[EAX]004325F2 . 64:8920 MOV DWORD PTR FS:[EAX],ESP004325F5 . 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]004325F8 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]004325FB . 8B83 BC020000 MOV EAX,DWORD PTR DS:[EBX+2BC]00432601 . FF93 B8020000 CALL DWORD PTR DS:[EBX+2B8]00432607 . 33C0 XOR EAX,EAX＝＝＝＞返回到这里。00432609 . 5A POP EDX0043260A . 59 POP ECX0043260B . 59 POP ECX0043260C . 64:8910 MOV DWORD PTR FS:[EAX],EDX0043260F . EB 17 JMP SHORT ebm.0043262800432611 .^ E9 320DFDFF JMP ebm.0040334800432616 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]00432619 . A1 50074C00 MOV EAX,DWORD PTR DS:[4C0750]0043261E . E8 416C0000 CALL ebm.0043926400432623 . E8 7C10FDFF CALL ebm.004036A400432628 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]0043262B . F680 CC020000>TEST BYTE PTR DS:[EAX+2CC],200432632 . 74 0A JE SHORT ebm.0043263E00432634 . B2 01 MOV DL,100432636 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]00432639 . E8 EA080000 CALL ebm.00432F280043263E > 5F POP EDI0043263F . 5E POP ESI00432640 . 5B POP EBX00432641 . 59 POP ECX00432642 . 5D POP EBP00432643 . C3 RETN＝＝＝＝＞在此下断看看程序返回到哪里。程序运行到此时按一下F8来到下面代码处。004322ED . 56 PUSH ESI004322EE . 8BF0 MOV ESI,EAX004322F0 . 80BE 1C020000>CMP BYTE PTR DS:[ESI+21C],0004322F7 . 75 0A JNZ SHORT ebm.00432303004322F9 . 8BC6 MOV EAX,ESI004322FB . 8B10 MOV EDX,DWORD PTR DS:[EAX]004322FD . FF92 C0000000 CALL DWORD PTR DS:[EDX+C0]00432303 > F686 CC020000>TEST BYTE PTR DS:[ESI+2CC],20＝＝＝＞返回到这里。0043230A . 74 12 JE SHORT ebm.0043231E0043230C . 8BC6 MOV EAX,ESI0043230E . 66:BB B6FF MOV BX,0FFB600432312 . E8 610DFDFF CALL ebm.0040307800432317 . 80A6 CC020000>AND BYTE PTR DS:[ESI+2CC],0DF0043231E > 5E POP ESI0043231F . 5B POP EBX00432320 . C3 RETN＝＝＝＞在此下断看看程序返回到哪里。程序运行到此时按一下F8来到下面代码处。00403234 /$ 50 PUSH EAX00403235 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]00403237 |. FF52 E4 CALL DWORD PTR DS:[EDX-1C]0040323A |. 58 POP EAX ; 00DB194C＝＝＝＞返回到这里。0040323B \. C3 RETN＝＝＝＞在此下断看看程序返回到哪里。程序运行到此时按一下F8来到下面代码处。004322C4 .^\E9 3313FDFF JMP ebm.004035FC004322C9 .^ EB ED JMP SHORT ebm.004322B8004322CB . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]004322CE . 807D FB 00 CMP BYTE PTR SS:[EBP-5],0004322D2 . 74 0F JE SHORT ebm.004322E3004322D4 . E8 5B0FFDFF CALL ebm.00403234004322D9 . 64:8F05 00000>POP DWORD PTR FS:[0] ; 0012F098＝＝＝＞返回到这里。004322E0 . 83C4 0C ADD ESP,0C004322E3 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]004322E6 . 5B POP EBX004322E7 . 8BE5 MOV ESP,EBP004322E9 . 5D POP EBP004322EA . C3 RETN＝＝＝＞在此下断看看程序返回到哪里。程序运行到此时按一下F8来到下面代码处。004B07A9 . 80B8 75050000>CMP BYTE PTR DS:[EAX+575],0004B07B0 . 74 35 JE SHORT ebm.004B07E7004B07B2 . A1 70F34B00 MOV EAX,DWORD PTR DS:[4BF370]004B07B7 . 8B00 MOV EAX,DWORD PTR DS:[EAX]004B07B9 8378 0C 00 CMP DWORD PTR DS:[EAX+C],0004B07BD 75 28 JNZ SHORT ebm.004B07E7＝＝＝＝＞跳过004B07C4处的检查使用天数及出现注册提示框的CALL。只要此处能跳就可以避开使用天数的检查和出现提示注册框。因此此处改为JMP就能完美破解了。004B07BF . 8B0D 70F34B00 MOV ECX,DWORD PTR DS:[4BF370] ; ebm.004C0750004B07C5 . 8B09 MOV ECX,DWORD PTR DS:[ECX]004B07C7 . B2 01 MOV DL,1004B07C9 . A1 6C604A00 MOV EAX,DWORD PTR DS:[4A606C]004B07CE . E8 8D19F8FF CALL ebm.00432160004B07D3 . 8B15 CCF34B00 MOV EDX,DWORD PTR DS:[4BF3CC] ; ebm.004C09EC＝＝＝＞返回到这里。这时要注意了！前面几处最后返回到这里，说明上面的CALL是检查使用天数及出现提示注册框处。看看有无跳过此处的地方。往上找可以发现004B07BD的跳转可以跳过此处。004B07D9 . 8902 MOV DWORD PTR DS:[EDX],EAX004B07DB . A1 CCF34B00 MOV EAX,DWORD PTR DS:[4BF3CC]004B07E0 . 8B00 MOV EAX,DWORD PTR DS:[EAX]004B07E2 . E8 1159F8FF CALL ebm.004360F8004B07E7 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]004B07EA . C680 75050000>MOV BYTE PTR DS:[EAX+575],0004B07F1 . 33C0 XOR EAX,EAX004B07F3 . 5A POP EDX004B07F4 . 59 POP ECX004B07F5 . 59 POP ECX004B07F6 . 64:8910 MOV DWORD PTR FS:[EAX],EDX004B07F9 . 68 20084B00 PUSH ebm.004B0820004B07FE > 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]004B0801 . BA 07000000 MOV EDX,7004B0806 . E8 0134F5FF CALL ebm.00403C0C004B080B . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]004B080E . BA 02000000 MOV EDX,2004B0813 . E8 F433F5FF CALL ebm.00403C0C004B0818 . C3 RETN总结：只要将004B07BD . 75 28 JNZ SHORT ebm.004B07E7处改为004B07BD . 75 28 JMP SHORT ebm.004B07E7就可以完美破解了。此破解很简单，只是给初学者提供一个思路。高手就免进了。