DLL cracking time limit

Because a DLL is needed, the time limit of the DLL is worried, and the modification between systems becomes expired. Find a way to crack the DLL. In fact, the time limit of this DLL is not very complicated. Record the basic steps: 1. Check the shell check tool and find that there is no shell 2. There is no need to shell the shell if there is no shell 3. Crack the Ollydbg tool. 1) OllyDbg only supports ASCII text search. Use ULTRAEDIT to open the XX after shelling. DLL file, find the text described above (the Chinese characters are not encrypted in the DLL file after shelling), 2) Unify the relevant Chinese text in the right sidebar Of The hexadecimal mode and change it to the acⅱ code. open the program A that calls this DLL file in OllyDbg. EXE, which reads the relevant DLL library file called into the memory, press ALT + E (execution module), you can see which DLL files are read, and then select our XX. DLL file, right-click and select "follow entry" to go to the XX in CPU mode. the content window of the DLL file. 3) How can I find code with SO many characters? Right-click the form and select "Search"-> "character reference". In the displayed DLL, you can view the list of all accios that can be recognized. You can easily see the previously modified strings. right-click the string and select "following in disassembly ". you can get to that section. 4) after finding the relevant location, we will usually see MessageBox. We will jump to the execution of the MessageBox statement to modify things. I cannot understand the compilation, and even the conditional jump statement before the row is modified by the without guesses, jump to the MessageBox statement. The method mentioned in the above article is as follows (with some reference value): "read 10002404 898D E4FCFFFF mov dword ptr ss: [EBP-31C], ECX1000240A 8B95 D6FCFFFF mov edx, dword ptr ss: [EBP-32A] 10002410 81E2 FFFF0000 and edx, 0FFFF10002416 8995 C8FCFFFF mov dword ptr ss: [EBP-338], EDX1000241C 81BD E4FCFFFF D5> cmp dword ptr ss: [EBP-31C], 7D510002426 75 20 jnz short SGIP.1000244110002428 83BD C8FCFFFF 09 cmp dword ptr ss: [EBP-338], 91000242F EB 24 JMP SHORT SGI P.1000245510002431 C685 A4F5FFFF 00 mov byte ptr ss: [EBP-A5C], 010002438 75 1B jnz short SGIP.100024411000243A C685 A4F5FFFF 01 mov byte ptr ss: [EBP-A5C], 110002441 6A 00 PUSH 010002443 68 pull PUSH limit 68 84C00010 PUSH limit; ASCII "chocobo chocob chocobo cho" 1000244D 6A 00 PUSH 01000244F FF15 44910010 CALL DWORD PT R ds: [<& USER32.MessageBoxA>; USER32.MessageBoxA10002455 B0 01 mov al, 110002457 8BE5 mov esp, EBP10002459 5D POP EBP1000245A C3 RETN see the two sections 10002426 and 10002438 jump to the "function" area where the registration fails to POP up. change it to another statement, such as jmp short SGIP.10002455. PASS after running. modify the part to determine whether the file is modified. the JMP operation code is the last step of EB. It is to modify the DLL file and open it with ULTRAEDIT. Find 81 BD E4 fc ff. After setting the bit, change the original 75 20 to EB 20, save the disk, run the EXE file call, PASS, there is no time limit, and does not judge whether the DLL file has been modified. at the beginning, I thought that I could just change the sentence that caused the pop-up box. The ESI data storage error occurs, so it should be determined based on the actual situation. However, it should generally be directed to the next line of MessageBox, just like jumping to 10002455 in the previous example. Note: The version of OllyDbg is 1.09C. It has an updated version, but this version is the same as the steps mentioned in the above method. Other versions cannot be found.