申请会员ID：Kylin

吾爱游客 *发表于 2018-5-16 11:50* · 发表于 2018-5-16 11:50

1、申请ID：Kylin
2、个人邮箱：digicount@qq.com
3、原创技术文章：

Navicat Premium移除试用时间限制
本次破解使用Windows平台Navicat Premium英文64位版，版本号12.0.23。Navicat程序启动时会有一个弹框，询问“试用”还是“注册”，而且这里的“试用”是有14天时间限制的，时限超过之后就变成灰色不可点击，届时只能选择“注册”，否则程序就会退出。因为试用版没有功能上的限制，所以我们只需要移除时间限制就可以了。首先要做的就是修改程序将这个弹框以及相应的检测逻辑屏蔽掉，用WinDBG加载navicat.exe然后运行程序，直到看到弹出框之后按“Ctrl+Break”中断程序，然后切换到0号线程，一般情况下的GUI线程，因为当前的对话框正在等待用户输入，所以可以看到线程在win32u!NtUserWaitMessage函数中等待：
Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64Copyright (c) Microsoft Corporation. All rights reserved.CommandLine: "C:\Program Files\PremiumSoft\Navicat Premium 12\navicat2.exe"************* Symbol Path valIDAtion summary **************Response                      Time (ms)    LocationDeferred                                     srv*D:\Symbols*http://msdl.microsoft.com/download/symbolsSymbol search path is: srv*D:\Symbols*http://msdl.microsoft.com/download/symbolsExecutable search path is: ModLoad: 00000000`00400000 00000000`0391b000 image00000000`00400000ModLoad: 00007fff`00fb0000 00007fff`01190000 ntdll.dllModLoad: 00007fff`00d10000 00007fff`00dbe000 C:\WINDOWS\System32\KERNEL32.DLLModLoad: 00007ffe`fe210000 00007ffe`fe476000 C:\WINDOWS\System32\KERNELBASE.dllModLoad: 00007fff`000f0000 00007fff`001b5000 C:\WINDOWS\System32\oleaut32.dllModLoad: 00007ffe`fd4b0000 00007ffe`fd54b000 C:\WINDOWS\System32\msvcp_win.dllModLoad: 00007ffe`fd3b0000 00007ffe`fd4a6000 C:\WINDOWS\System32\ucrtbase.dllModLoad: 00007fff`00a00000 00007fff`00d08000 C:\WINDOWS\System32\combase.dllModLoad: 00007fff`00670000 00007fff`0078f000 C:\WINDOWS\System32\RPCRT4.dllModLoad: 00007ffe`fdf60000 00007ffe`fdfd2000 C:\WINDOWS\System32\bcryptPrimitives.dllModLoad: 00007fff`008b0000 00007fff`00951000 C:\WINDOWS\System32\advapi32.dllModLoad: 00007fff`00960000 00007fff`009fd000 C:\WINDOWS\System32\msvcrt.dllModLoad: 00007ffe`fe580000 00007ffe`fe5db000 C:\WINDOWS\System32\sechost.dllModLoad: 00007fff`00220000 00007fff`003af000 C:\WINDOWS\System32\user32.dllModLoad: 00007ffe`fd7a0000 00007ffe`fd7c0000 C:\WINDOWS\System32\win32u.dllModLoad: 00007fff`00450000 00007fff`00478000 C:\WINDOWS\System32\GDI32.dllModLoad: 00007ffe`fd550000 00007ffe`fd6e3000 C:\WINDOWS\System32\gdi32full.dllModLoad: 00007fff`00dc0000 00007fff`00f09000 C:\WINDOWS\System32\ole32.dllModLoad: 00007ffe`f6bb0000 00007ffe`f6bba000 C:\WINDOWS\SYSTEM32\version.dllModLoad: 00007ffe`e2bf0000 00007ffe`e2bf7000 C:\WINDOWS\SYSTEM32\SHFolder.dllModLoad: 00000000`05e60000 00000000`07296000 C:\WINDOWS\System32\SHELL32.dllModLoad: 00007ffe`fe5e0000 00007ffe`ffa16000 C:\WINDOWS\System32\shell32.dllModLoad: 00007ffe`f4500000 00007ffe`f4769000 C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.192_none_15c8cdae9364c23b\comctl32.dllModLoad: 00007fff`007a0000 00007fff`008aa000 C:\WINDOWS\System32\comdlg32.dllModLoad: 00007ffe`e6fe0000 00007ffe`e7314000 C:\WINDOWS\SYSTEM32\wininet.dllModLoad: 00007ffe`fdf10000 00007ffe`fdf5a000 C:\WINDOWS\System32\cfgmgr32.dllModLoad: 00007ffe`fe4d0000 00007ffe`fe576000 C:\WINDOWS\System32\shcore.dllModLoad: 00007ffe`fd7c0000 00007ffe`fdf07000 C:\WINDOWS\System32\windows.storage.dllModLoad: 00007fff`00f20000 00007fff`00f71000 C:\WINDOWS\System32\SHLWAPI.dllModLoad: 00007ffe`fd300000 00007ffe`fd311000 C:\WINDOWS\System32\kernel.appcore.dllModLoad: 00007ffe`fd320000 00007ffe`fd36c000 C:\WINDOWS\System32\powrprof.dllModLoad: 00007ffe`f7950000 00007ffe`f79d6000 C:\WINDOWS\SYSTEM32\winspool.drvModLoad: 00000000`072a0000 00000000`07326000 C:\WINDOWS\SYSTEM32\winspool.drvModLoad: 00007ffe`f6850000 00007ffe`f68be000 C:\WINDOWS\SYSTEM32\oleacc.dllModLoad: 00007ffe`fd370000 00007ffe`fd38b000 C:\WINDOWS\System32\profapi.dllModLoad: 00007ffe`fb180000 00007ffe`fb1a3000 C:\WINDOWS\SYSTEM32\winmm.dllModLoad: 00007ffe`f6950000 00007ffe`f6aec000 C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.192_none_46b3c093edf73c09\gdiplus.dllModLoad: 00007ffe`f8dd0000 00007ffe`f8dd9000 C:\WINDOWS\SYSTEM32\wsock32.dllModLoad: 00007ffe`fb620000 00007ffe`fb6b5000 C:\WINDOWS\SYSTEM32\uxtheme.dllModLoad: 00007fff`00080000 00007fff`000ec000 C:\WINDOWS\System32\WS2_32.dllModLoad: 00007ffe`e73a0000 00007ffe`e73b9000 C:\WINDOWS\SYSTEM32\usp10.dllModLoad: 00007ffe`de3b0000 00007ffe`de3d1000 C:\WINDOWS\SYSTEM32\FONTSUB.dllModLoad: 00000001`80000000 00000001`80136000 C:\Program Files\PremiumSoft\Navicat Premium 12\FreeImage.dllModLoad: 00007ffe`fc920000 00007ffe`fc959000 C:\WINDOWS\SYSTEM32\iphlpapi.dllModLoad: 00007ffe`fce60000 00007ffe`fce85000 C:\WINDOWS\SYSTEM32\bcrypt.dllModLoad: 00000000`00180000 00000000`001b9000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLLModLoad: 00007ffe`fb110000 00007ffe`fb13a000 C:\WINDOWS\SYSTEM32\winmmbase.dllModLoad: 00000000`00180000 00000000`001aa000 C:\WINDOWS\SYSTEM32\WINMMBASE.dllModLoad: 00000000`56f30000 00000000`56f4b000 C:\Program Files\PremiumSoft\Navicat Premium 12\zlib1.dllModLoad: 00007ffe`decb0000 00007ffe`decc7000 C:\Program Files\PremiumSoft\Navicat Premium 12\VCRUNTIME140.dll(4e3c.5238): Break instruction exception - code 80000003 (first chance)ntdll!LdrpDoDebuggerBreak+0x30:00007fff`01082ebc cc             int    30:000> gModLoad: 00007ffe`fe480000 00007ffe`fe4ad000 C:\WINDOWS\System32\IMM32.DLLModLoad: 00007fff`00480000 00007fff`005e7000 C:\WINDOWS\System32\MSCTF.dllModLoad: 00007ffe`fb8e0000 00007ffe`fb90a000 C:\WINDOWS\SYSTEM32\dwmapi.dllModLoad: 00007ffe`f9350000 00007ffe`f9363000 C:\WINDOWS\SYSTEM32\wtsapi32.dllModLoad: 00007ffe`fc4b0000 00007ffe`fc505000 C:\WINDOWS\SYSTEM32\WINSTA.dllModLoad: 00007ffe`d2fd0000 00007ffe`d302d000 C:\Program Files\PremiumSoft\Navicat Premium 12\libcurl.dllModLoad: 00007ffe`ffa30000 00007ffe`ffa8e000 C:\WINDOWS\System32\WLDAP32.dllModLoad: 00007ffe`ffa20000 00007ffe`ffa28000 C:\WINDOWS\System32\Normaliz.dllModLoad: 00007ffe`d2f70000 00007ffe`d2fcc000 C:\Program Files\PremiumSoft\Navicat Premium 12\SSLEAY32.dllModLoad: 00007ffe`bb9a0000 00007ffe`bbba8000 C:\Program Files\PremiumSoft\Navicat Premium 12\LIBEAY32.dllModLoad: 00000000`09310000 00000000`09518000 C:\Program Files\PremiumSoft\Navicat Premium 12\LIBEAY32.dllModLoad: 00007ffe`dd590000 00007ffe`dd59c000 C:\WINDOWS\SYSTEM32\secur32.dllModLoad: 00007ffe`fd200000 00007ffe`fd230000 C:\WINDOWS\SYSTEM32\SSPICLI.DLLModLoad: 00007ffe`fcb90000 00007ffe`fcbf6000 C:\WINDOWS\system32\mswsock.dllModLoad: 00007ffe`ad7b0000 00007ffe`b04d9000 C:\Program Files\PremiumSoft\Navicat Premium 12\libcc.dllModLoad: 00007fff`00790000 00007fff`00798000 C:\WINDOWS\System32\PSAPI.DLLModLoad: 00007ffe`ec9c0000 00007ffe`ecb88000 C:\WINDOWS\SYSTEM32\dbghelp.dllModLoad: 00007ffe`d2ef0000 00007ffe`d2f66000 C:\Program Files\PremiumSoft\Navicat Premium 12\libssh.dllModLoad: 00007ffe`b9e80000 00007ffe`ba027000 C:\Program Files\PremiumSoft\Navicat Premium 12\libnsy.dllModLoad: 00000000`09310000 00000000`09c4c000 C:\Program Files\PremiumSoft\Navicat Premium 12\libxl.dllModLoad: 00007ffe`b9d30000 00007ffe`b9e7b000 C:\Program Files\PremiumSoft\Navicat Premium 12\libxml2.dllModLoad: 00000000`09310000 00000000`0939a000 C:\Program Files\PremiumSoft\Navicat Premium 12\libetpan.dllModLoad: 00007ffe`b9920000 00007ffe`b9d22000 C:\Program Files\PremiumSoft\Navicat Premium 12\libmariadb.dllModLoad: 00000000`08a40000 00000000`08a8a000 C:\Program Files\PremiumSoft\Navicat Premium 12\LIBPQ.dllModLoad: 00007ffe`e53c0000 00007ffe`e53d1000 C:\WINDOWS\SYSTEM32\credui.dllModLoad: 00007ffe`d07c0000 00007ffe`d085d000 C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCP140.dllModLoad: 00000000`66000000 00000000`66179000 C:\Program Files\PremiumSoft\Navicat Premium 12\libiconv-2.dllModLoad: 00000000`09310000 00000000`09c4c000 C:\Program Files\PremiumSoft\Navicat Premium 12\libxl.dllModLoad: 00000000`08a40000 00000000`08a8a000 C:\Program Files\PremiumSoft\Navicat Premium 12\LIBPQ.dllModLoad: 00000000`09c50000 00000000`09cda000 C:\Program Files\PremiumSoft\Navicat Premium 12\libetpan.dllModLoad: 00007ffe`d11b0000 00007ffe`d11f6000 C:\Program Files\PremiumSoft\Navicat Premium 12\libsasl2.dllModLoad: 00000000`56eb0000 00000000`56f29000 C:\Program Files\PremiumSoft\Navicat Premium 12\gssapi64.dllModLoad: 00000000`56d40000 00000000`56ea9000 C:\Program Files\PremiumSoft\Navicat Premium 12\krb5_64.dllModLoad: 00000000`56d30000 00000000`56d39000 C:\Program Files\PremiumSoft\Navicat Premium 12\comerr64.dllModLoad: 00000000`56d10000 00000000`56d23000 C:\Program Files\PremiumSoft\Navicat Premium 12\k5sprt64.dllModLoad: 00000000`56c30000 00000000`56d02000 C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR100.dllModLoad: 00000000`09ce0000 00000000`09db2000 C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR100.dllModLoad: 00000000`09dc0000 00000000`09e92000 C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR100.dllModLoad: 00007ffe`f1a20000 00007ffe`f1a2f000 C:\Program Files\PremiumSoft\Navicat Premium 12\WSHELP64.dllModLoad: 00007ffe`fc960000 00007ffe`fca16000 C:\WINDOWS\SYSTEM32\DNSAPI.dllModLoad: 00007fff`00f10000 00007fff`00f18000 C:\WINDOWS\System32\NSI.dllModLoad: 00007ffe`fcd50000 00007ffe`fcd67000 C:\WINDOWS\SYSTEM32\CRYPTSP.dllModLoad: 00007ffe`fc7a0000 00007ffe`fc7d3000 C:\WINDOWS\system32\rsaenh.dllModLoad: 00007ffe`fcd70000 00007ffe`fcd7b000 C:\WINDOWS\SYSTEM32\CRYPTBASE.dllModLoad: 00007ffe`b9750000 00007ffe`b9914000 C:\Program Files\PremiumSoft\Navicat Premium 12\libee.dllModLoad: 00007ffe`f6af0000 00007ffe`f6af7000 C:\WINDOWS\SYSTEM32\Msimg32.DLLModLoad: 00007ffe`f8db0000 00007ffe`f8dc6000 C:\WINDOWS\system32\napinsp.dllModLoad: 00007ffe`f8d90000 00007ffe`f8daa000 C:\WINDOWS\system32\pnrpnsp.dllModLoad: 00007ffe`fae70000 00007ffe`fae88000 C:\WINDOWS\system32\NLAapi.dllModLoad: 00007ffe`f8d80000 00007ffe`f8d8e000 C:\WINDOWS\System32\winrnr.dllModLoad: 00007ffe`e94c0000 00007ffe`e94d5000 C:\WINDOWS\System32\wshbth.dllModLoad: 00000000`594d0000 00000000`594f6000 C:\Program Files\Bonjour\mdnsNSP.dllModLoad: 00007ffe`f3550000 00007ffe`f355a000 C:\Windows\System32\rasadhlp.dllModLoad: 00007ffe`b9650000 00007ffe`b974f000 C:\Program Files\PremiumSoft\Navicat Premium 12\sqlite3.dllModLoad: 00007ffe`d0760000 00007ffe`d07ba000 C:\Program Files\PremiumSoft\Navicat Premium 12\sqlite.dllModLoad: 00007ffe`d05e0000 00007ffe`d0695000 C:\WINDOWS\SYSTEM32\odbc32.dllModLoad: 00007ffe`fe040000 00007ffe`fe20e000 C:\WINDOWS\System32\CRYPT32.dllModLoad: 00007ffe`fd390000 00007ffe`fd3a2000 C:\WINDOWS\System32\MSASN1.dllModLoad: 00007ffe`fc7e0000 00007ffe`fc7ea000 C:\WINDOWS\SYSTEM32\DPAPI.DLLModLoad: 00007ffe`b8cd0000 00007ffe`b9104000 C:\Program Files\PremiumSoft\Navicat Premium 12\libdd.dllModLoad: 00000000`6d4c0000 00000000`6d4e2000 C:\Program Files\PremiumSoft\Navicat Premium 12\libpangocairo-1.0-0.dllModLoad: 00000000`68dc0000 00000000`68ed8000 C:\Program Files\PremiumSoft\Navicat Premium 12\libcairo-2.dllModLoad: 00000000`63a40000 00000000`63a98000 C:\Program Files\PremiumSoft\Navicat Premium 12\libgobject-2.0-0.dllModLoad: 00000000`65580000 00000000`655e0000 C:\Program Files\PremiumSoft\Navicat Premium 12\libpango-1.0-0.dllModLoad: 00007ffe`d0fd0000 00007ffe`d101b000 C:\Program Files\PremiumSoft\Navicat Premium 12\DParser.dllModLoad: 00000000`61a00000 00000000`61a44000 C:\Program Files\PremiumSoft\Navicat Premium 12\libpng14-14.dllModLoad: 00000000`685c0000 00000000`68708000 C:\Program Files\PremiumSoft\Navicat Premium 12\libglib-2.0-0.dllModLoad: 00000000`6b740000 00000000`6b75e000 C:\Program Files\PremiumSoft\Navicat Premium 12\libffi-6.dllModLoad: 00000000`64f80000 00000000`64fce000 C:\Program Files\PremiumSoft\Navicat Premium 12\libfontconfig-1.dllModLoad: 00000000`6d700000 00000000`6d80b000 C:\Program Files\PremiumSoft\Navicat Premium 12\libpangoft2-1.0-0.dllModLoad: 00000000`6c580000 00000000`6c62f000 C:\Program Files\PremiumSoft\Navicat Premium 12\libfreetype-6.dllModLoad: 00000000`6b280000 00000000`6b2a5000 C:\Program Files\PremiumSoft\Navicat Premium 12\libpangowin32-1.0-0.dllModLoad: 00000000`6dd00000 00000000`6dd19000 C:\Program Files\PremiumSoft\Navicat Premium 12\libgmodule-2.0-0.dllModLoad: 00000000`61cc0000 00000000`61ce4000 C:\Program Files\PremiumSoft\Navicat Premium 12\libintl-8.dllModLoad: 00000000`68f40000 00000000`68f83000 C:\Program Files\PremiumSoft\Navicat Premium 12\libexpat-1.dllModLoad: 00007ffe`ee700000 00007ffe`ee717000 C:\WINDOWS\SYSTEM32\netapi32.dllModLoad: 00007ffe`fca20000 00007ffe`fca2e000 C:\WINDOWS\SYSTEM32\NETUTILS.DLLModLoad: 00007ffe`b7640000 00007ffe`b83c3000 C:\Program Files\PremiumSoft\Navicat Premium 12\NParser.dllModLoad: 00007ffe`ce4b0000 00007ffe`ce584000 C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR110.dllModLoad: 00007ffe`bfeb0000 00007ffe`bff57000 C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCP110.dllModLoad: 00007ffe`ba880000 00007ffe`ba930000 C:\Program Files\PremiumSoft\Navicat Premium 12\scilexer.dllModLoad: 00007ffe`cfe10000 00007ffe`cfe52000 C:\Program Files\PremiumSoft\Navicat Premium 12\updater.dllModLoad: 00000000`10000000 00000000`10088000 C:\Program Files\PremiumSoft\Navicat Premium 12\instantclient_10_2\oci.dllModLoad: 00007ffe`efc90000 00007ffe`efd28000 C:\WINDOWS\System32\TextInputFramework.dllModLoad: 00007ffe`f6bc0000 00007ffe`f6eae000 C:\WINDOWS\System32\CoreUIComponents.dllModLoad: 00007ffe`fa330000 00007ffe`fa40c000 C:\WINDOWS\System32\CoreMessaging.dllModLoad: 00007ffe`fc440000 00007ffe`fc471000 C:\WINDOWS\SYSTEM32\ntmarta.dllModLoad: 00007ffe`f93c0000 00007ffe`f94f6000 C:\WINDOWS\SYSTEM32\wintypes.dllModLoad: 00000000`0d9b0000 00000000`0dae6000 C:\WINDOWS\SYSTEM32\wintypes.dllModLoad: 00000000`0daf0000 00000000`0dc26000 C:\WINDOWS\SYSTEM32\wintypes.dll(4e3c.4c9c): Break instruction exception - code 80000003 (first chance)ntdll!DbgBreakPoint:00007fff`01053800 cc             int    30:005> ~0s*** ERROR: Module load completed but symbols could not be loaded for image00000000`00400000win32u!NtUserWaitMessage+0x14:00007ffe`fd7a1204 c3             ret0:000> k # Child-SP       RetAddr          Call Site00 00000000`0014fba8 00000000`0078f727 win32u!NtUserWaitMessage+0x1401 00000000`0014fbb0 00000000`0078e198 image00000000_00400000+0x38f72702 00000000`0014fc20 00000000`0078719d image00000000_00400000+0x38e19803 00000000`0014fc90 00000000`0236631b image00000000_00400000+0x38719d04 00000000`0014fd30 00000000`0240ad05 image00000000_00400000+0x1f6631b05 00000000`0014fe70 00007fff`00d21fe4 image00000000_00400000+0x200ad0506 00000000`0014ff60 00007fff`0101efb1 KERNEL32!BaseThreadInitThunk+0x1407 00000000`0014ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x21查看当前线程的调用栈，然后在IDA中逐个分析这些函数，因为反编译过的代码可读性不能与源码相比，想要一击即中的找出适合的修改位置自然相当困难，所以其中少不了“修改、运行、调试”的循环尝试，最终找到合适的修改位置：
__int64 __fastcall sub_2365C50(char a1, __int64 a2){  __int64 v2; // rdx  __int64 v3; // r8  __int64 v4; // r8  int v5; // eax  __int64 v6; // r8  __int64 v7; // r8  __int64 v8; // r8  int v9; // eax  __int64 _0; // [rsp+0h] [rbp+0h]  __int64 vars28; // [rsp+28h] [rbp+28h]  __int64 vars30; // [rsp+30h] [rbp+30h]  __int64 vars38; // [rsp+38h] [rbp+38h]  __int64 vars40; // [rsp+40h] [rbp+40h]  char *__ptr32 *vars48; // [rsp+48h] [rbp+48h]  char vars50; // [rsp+50h] [rbp+50h]  __int64 vars58; // [rsp+58h] [rbp+58h]  void **vars60; // [rsp+60h] [rbp+60h]  char vars68; // [rsp+68h] [rbp+68h]  __int64 vars70; // [rsp+70h] [rbp+70h]  char vars78; // [rsp+78h] [rbp+78h]  __int64 vars80; // [rsp+80h] [rbp+80h]  __int64 *vars88; // [rsp+88h] [rbp+88h]  __int64 vars98; // [rsp+98h] [rbp+98h]  __int64 varsA0; // [rsp+A0h] [rbp+A0h]  __int64 varsA8; // [rsp+A8h] [rbp+A8h]  __int64 varsB0; // [rsp+B0h] [rbp+B0h]  __int64 varsB8; // [rsp+B8h] [rbp+B8h]  __int64 varsC0; // [rsp+C0h] [rbp+C0h]  __int64 varsC8; // [rsp+C8h] [rbp+C8h]  __int64 varsD0; // [rsp+D0h] [rbp+D0h]  __int64 varsD8; // [rsp+D8h] [rbp+D8h]  __int64 varsE0; // [rsp+E0h] [rbp+E0h]  __int64 varsE8; // [rsp+E8h] [rbp+E8h]  __int64 varsF0; // [rsp+F0h] [rbp+F0h]  __int64 varsF8; // [rsp+F8h] [rbp+F8h]  __int64 vars100; // [rsp+100h] [rbp+100h]  __int64 vars108; // [rsp+108h] [rbp+108h]  __int64 vars110; // [rsp+110h] [rbp+110h]  _QWORD *vars118; // [rsp+118h] [rbp+118h]  vars40 = 0i64;  vars58 = 0i64;  vars80 = 0i64;  vars110 = 0i64;  vars108 = 0i64;  varsF8 = 0i64;  varsF0 = 0i64;  varsE0 = 0i64;  varsD8 = 0i64;  varsC8 = 0i64;  varsC0 = 0i64;  varsB0 = 0i64;  varsA8 = 0i64;  vars98 = 0i64;  vars88 = &_0;  if ( a1 )  { if ( a1 == 1 ) {    LOBYTE(a2) = 1;    vars118 = (_QWORD *)sub_233D1D0(off_23604F0, a2, 0i64);    sub_4110F0(&varsF0, &off_2366558);    varsE8 = qword_2662700;    sub_4424E0(&varsE0, varsF0, v4, off_264C1C0);    vars60 = &off_2366758;    vars68 = 17;    vars70 = varsE0;    vars78 = 17;    sub_43B220(&vars80, &off_236670C, &vars60, 1i64);    sub_412D00(&vars110, 3i64, vars80, L"\r\n", &off_2366788, vars28, vars30, vars38);    sub_411070(vars118 + 243, vars110);    sub_2366B40(vars118, 0i64);    sub_5FC500(vars118[214], *(unsigned int *)(vars118[215] + 128i64));    v5 = sub_233D890(vars118, 108i64);    sub_5FC500(vars118[215], (unsigned int)(*(_DWORD *)(vars118[215] + 128i64) - v5));    sub_5FD640(vars118, &off_23667D0);    sub_5FD640(vars118[214], &off_23667F4);    sub_5FD640(vars118[215], &off_2366820);    sub_7835B0(vars118, vars118[215]);    (*(void (__fastcall **)(_QWORD *))(*vars118 + 592i64))(vars118);    sub_40D530(vars118); } else if ( a1 == 2 ) {    LOBYTE(a2) = 1;    vars118 = (_QWORD *)sub_233D1D0(off_23604F0, a2, 0i64);    sub_4110F0(&varsD8, &off_2366558);    varsD0 = qword_2662700;    sub_4424E0(&varsC8, varsD8, v6, off_264C1C0);    sub_412BE0(&vars110, &off_236657C, varsC8);    if ( byte_26626F4 == 73 )    {       sub_4110F0(&varsC0, &off_2366558);       varsB8 = qword_2662700;       sub_4424E0(&varsB0, varsC0, v7, off_264C1C0);       vars48 = &off_2366934;       vars50 = 17;       sub_43B220(&vars58, &off_23668A0, &vars48, 0i64);       sub_412D00(&vars110, 6i64, &off_2366848, vars58, L"\n\n", &off_236697C, L": ", varsB0);    }    else if ( byte_26626F4 == 74 )    {       sub_4110F0(&varsA8, &off_2366558);       varsA0 = qword_2662700;       sub_4424E0(&vars98, varsA8, v8, off_264C1C0);       vars48 = &off_2366934;       vars50 = 17;       sub_43B220(&vars40, &off_2366A08, &vars48, 0i64);       sub_412D00(&vars110, 6i64, &off_23669BC, vars40, L"\n\n", &off_236697C, L": ", vars98);    }    sub_411070(vars118 + 243, vars110);    sub_2366B40(vars118, 0i64);    (*(void (__fastcall **)(_QWORD, _QWORD))(*(_QWORD *)vars118[214] + 256i64))(vars118[214], 0i64);    if ( byte_26626F4 == 73 )    {       sub_5FC500(vars118[214], *(unsigned int *)(vars118[215] + 128i64));       v9 = sub_233D890(vars118, 108i64);       sub_5FC500(vars118[215], (unsigned int)(*(_DWORD *)(vars118[215] + 128i64) - v9));       sub_5FD640(vars118, &off_23667D0);       sub_5FD640(vars118[214], &off_23667F4);       sub_5FD640(vars118[215], &off_2366820);       sub_7835B0(vars118, vars118[215]);    }    (*(void (__fastcall **)(_QWORD *))(*vars118 + 592i64))(vars118);    sub_40D530(vars118); }  }  else if ( (signed int)sub_408F10() <= 0 )  { LOBYTE(v2) = 1; vars118 = (_QWORD *)sub_233D1D0(off_23604F0, v2, 0i64); sub_4110F0(&vars108, &off_2366558); vars100 = qword_2662700; sub_4424E0(&varsF8, vars108, v3, off_264C1C0); sub_412BE0(&vars110, &off_236657C, varsF8); sub_411070(vars118 + 243, vars110); sub_2366B40(vars118, 0i64); sub_7835B0(vars118, vars118[215]); (*(void (__fastcall **)(_QWORD *))(*vars118 + 592i64))(vars118); sub_40D530(vars118);  }  sub_410A20(&vars40);  sub_410A20(&vars58);  sub_410A20(&vars80);  sub_410A20(&vars98);  sub_410B00(&varsA8, 2i64);  sub_410B00(&varsC0, 2i64);  sub_410B00(&varsD8, 2i64);  sub_410B00(&varsF0, 2i64);  return sub_410B00(&vars108, 2i64);}通过分析与修改尝试，能够确定上面这个函数中的整个if语句中的任何一个分支都会弹框，只不过内容不太相同。如果让函数在入口处直接返回，应用程序又不能正常初始化。所以要做的就是跳过上面的if语句，直接执行最后的几个sub。
.text:0000000002365CFE                cmp    [rbp+arg_0], 0.text:0000000002365D05                jnz    loc_2365DFA.text:0000000002365D0B                call sub_408F10.text:0000000002365D10                test eax, eax.text:0000000002365D12                jg    loc_2366328通过查看汇编指令，决定将2365D0B地址处的call指令改成一条无条件跳转指令，跳转到2366328地址处，
.text:0000000002366328 loc_2366328:                         ; CODE XREF: sub_2365C50+C2↑j.text:0000000002366328                                        ; sub_2365C50+1A5↑j ....text:0000000002366328                nop.text:0000000002366329                lea    rcx, [rbp+var_s40].text:000000000236632D                call sub_410A20也就是将2365D0B地址处的16进制码E800320AFE改成E918060000，使用WinHex进行修改。屏蔽掉上面的试用时间弹框后，还会有一个“激活”弹框，因为我们是无法激活程序的，所以也要把这个弹框和相应的逻辑屏蔽掉，按照上面的思路还是先使用WinDGB确定调用栈，然后分析伪代码。最终确定的修改位置：
__int64 __fastcall sub_23654B0(__int64 a1, _BYTE *a2, _DWORD *a3, _QWORD *a4, char *a5, unsigned int *a6, int *a7){  __int64 v7; // rax  __int64 v8; // rax  __int64 v9; // rax  __int64 v10; // rdx  __int64 v11; // rbx  __int64 v12; // rax  __int64 v13; // rax  int v14; // eax  unsigned __int8 v15; // cl  bool v16; // al  bool v17; // al  int v18; // edx  __int64 v19; // rax  bool v20; // al  int v21; // eax  bool v22; // al  __int64 _0; // [rsp+0h] [rbp+0h]  char vars20; // [rsp+20h] [rbp+20h]  bool vars28; // [rsp+28h] [rbp+28h]  __int64 vars30; // [rsp+30h] [rbp+30h]  __int64 vars38; // [rsp+38h] [rbp+38h]  __int64 vars40; // [rsp+40h] [rbp+40h]  __int64 *vars48; // [rsp+48h] [rbp+48h]  __int64 vars58; // [rsp+58h] [rbp+58h]  __int64 vars60; // [rsp+60h] [rbp+60h]  bool vars6B; // [rsp+6Bh] [rbp+6Bh]  int vars6C; // [rsp+6Ch] [rbp+6Ch]  unsigned int vars70; // [rsp+70h] [rbp+70h]  unsigned int vars74; // [rsp+74h] [rbp+74h]  char *vars78; // [rsp+78h] [rbp+78h]  unsigned int vars84; // [rsp+84h] [rbp+84h]  char *vars88; // [rsp+88h] [rbp+88h]  bool vars97; // [rsp+97h] [rbp+97h]  _QWORD *vars98; // [rsp+98h] [rbp+98h]  unsigned __int8 varsA7; // [rsp+A7h] [rbp+A7h]  char varsA8; // [rsp+A8h] [rbp+A8h]  char varsAB; // [rsp+ABh] [rbp+ABh]  char varsAC; // [rsp+ACh] [rbp+ACh]  char varsAD; // [rsp+ADh] [rbp+ADh]  unsigned __int8 varsAE; // [rsp+AEh] [rbp+AEh]  unsigned __int8 varsAF; // [rsp+AFh] [rbp+AFh]  __int64 varsB0; // [rsp+B0h] [rbp+B0h]  __int64 varsB8; // [rsp+B8h] [rbp+B8h]  _BYTE *varsC0; // [rsp+C0h] [rbp+C0h]  __int64 varsC8; // [rsp+C8h] [rbp+C8h]  __int64 varsD0; // [rsp+D0h] [rbp+D0h]  __int64 varsD8; // [rsp+D8h] [rbp+D8h]  __int64 v55; // [rsp+100h] [rbp+100h]  _BYTE *v56; // [rsp+108h] [rbp+108h]  _DWORD *v57; // [rsp+110h] [rbp+110h]  _QWORD *v58; // [rsp+118h] [rbp+118h]  vars30 = 0i64;  vars38 = 0i64;  vars40 = 0i64;  varsC0 = 0i64;  varsB8 = 0i64;  varsB0 = 0i64;  vars60 = 0i64;  vars58 = 0i64;  vars48 = &_0;  v55 = a1;  v56 = a2;  v57 = a3;  v58 = a4;  sub_410BD0(a1);  *v56 = 71;  *v57 = 0;  *v58 = 0i64;  *a6 = 0;  *a7 = 0;  vars88 = off_263FD18[0];  vars84 = 0;  if ( off_263FD18[0] ) vars84 = *((_DWORD *)vars88 - 1);  v7 = sub_411D00(off_263FD18[0]);  sub_2364650(&varsB8, v7, vars84);  vars78 = off_263FD20;  vars74 = 0;  if ( off_263FD20 ) vars74 = *((_DWORD *)vars78 - 1);  v8 = sub_411D00(off_263FD20);  sub_2364650(&varsB0, v8, vars74);  vars70 = 0;  if ( v55 ) vars70 = *(_DWORD *)(v55 - 4);  v9 = sub_411D00(v55);  sub_23648D0(&varsC0, v9, vars70);  vars6C = 0;  if ( varsC0 ) vars6C = *((_DWORD *)varsC0 - 1);  if ( vars6C == 10 ) vars6B = *varsC0 == 104;  else vars6B = 0;  if ( vars6B && varsC0[1] == 42 )  { LOBYTE(v10) = 1; varsC8 = sub_9146A0(off_235D410, v10, 0i64); v11 = sub_411390(&varsB8); v12 = sub_411390(&varsB0); (*(void (__fastcall **)(__int64, __int64, signed __int64, __int64))(*(_QWORD *)varsC8 + 160i64))(    varsC8,    v11,    64i64,    v12); v13 = sub_411390(&varsC0); (*(void (__fastcall **)(__int64, __int64, char *))(*(_QWORD *)varsC8 + 272i64))(varsC8, v13 + 2, &varsA8); sub_40D530(varsC8); if ( varsAB == -84 && varsAC == -120 && varsAF && (unsigned int)varsAE >> 4 >= 0xC ) {    if ( varsAD == 101 )    {       *v56 = 67;    }    else if ( varsAD == 102 )    {       *v56 = 69;    }    else    {       *v56 = 71;    }    *v57 = varsAF;    *a6 = (unsigned int)varsAE >> 4;    *a7 = varsAE & 0xF; }  }  *a5 = 0;  v14 = (signed int)v56;  v15 = *v56 - 64;  if ( v15 > 7u )  { v16 = 0;  }  else  { LOBYTE(v14) = 1; v16 = ((v14 << v15) & 0x78) != 0;  }  if ( v16 )  { switch ( *v57 ) {    case 0xFF:       *a5 = 1;       break;    case 0xFE:       *a5 = 1;       break;    case 0xFD:       *a5 = 2;       break;    case 0xFC:       *a5 = 3;       break;    case 0xFB:       *a5 = 4;       break;    default:       if ( *v57 < 201 )       *a5 = 1;       break; }  }  LOBYTE(v10) = 1;  varsD8 = sub_40D470(off_4E8FC8, v10);  vars98 = 0i64;  sub_4128D0(&vars40, v55);  if ( (unsigned __int8)sub_23632B0(vars40, (unsigned __int8)*a5, varsD8) ) vars98 = (_QWORD *)sub_2362B70(varsD8);  sub_40D530(varsD8);  v17 = 0;  if ( vars98 )  { sub_4128D0(&vars38, v55); if ( !(unsigned int)sub_412DE0(vars98[1], vars38) )    v17 = 1;  }  vars97 = v17;  byte_2662708 = v17;  if ( v17 ) sub_4110F0(&vars60, vars98[2]);  else sub_410A20(&vars60);  sub_411070(&unk_2662710, vars60);  if ( vars97 ) sub_4110F0(&vars58, vars98[3]);  else sub_410A20(&vars58);  sub_411070(&unk_2662718, vars58);  if ( *a5 != 1 || !vars97 )  { sub_4128D0(&vars30, v55); LOBYTE(v18) = 1; vars20 = *a5; vars28 = vars97; varsD0 = sub_2363B50((unsigned __int64)off_2360C08, v18, 0); v19 = sub_2363C60(varsD0, &varsA7, v58); if ( varsA7 > 7u ) {    v20 = 0; } else {    LOBYTE(v19) = 1;    v20 = (((_DWORD)v19 << varsA7) & 0x4E) != 0; } if ( v20 ) {    if ( *a5 )    {       if ( *a5 == 1 )       {       *v56 = 73;       }       else if ( *a5 == 4 )       {       *v56 = 74;       }       else       {       v21 = (signed int)a5;       if ( (unsigned __int8)*a5 > 7u )       {          v22 = 0;       }       else       {          LOBYTE(v21) = 1;          v22 = ((v21 << *a5) & 0xC) != 0;       }       if ( v22 )       {          if ( vars97 )             *v56 = 74;          else             *v56 = 73;       }       }    }    else    {       *v56 = 72;    } } sub_40D530(varsD0);  }  sub_410B00(&vars30, 3i64);  sub_410B00(&vars58, 2i64);  sub_410B30(&varsB0, 3i64);  return sub_410A70(&v55);}这里需要跳过if ( *a5 != 1 || !vars97 )开头的整个if语句，汇编代码如下：
.text:00000000023659DE                call sub_411070.text:00000000023659E3                mov    rax, [rbp+arg_20].text:00000000023659EA                cmp    byte ptr [rax], 1.text:00000000023659ED                jnz    short loc_23659FC.text:00000000023659EF                cmp    [rbp+var_s97], 0将23659EA地址处的cmp指令修改为一条无条件跳转指令，跳转到2365B28地址处：
.text:0000000002365B28.text:0000000002365B28 loc_2365B28:                         ; CODE XREF: sub_23654B0+546↑j.text:0000000002365B28                lea    rcx, [rbp+var_s30].text:0000000002365B2C                mov    edx, 3.text:0000000002365B32                call sub_410B00也就是将23659EA地址处的16进制码803801750D修改为E939010000。这样就可以不受试用时间的限制了，Navicat的试用版没有功能上的限制，所以只要能一直试用就可以了。最后搞点小幽默，搜索到字符串“Unregistered”，将其改成“Free Version”。
关于Mac OS X版的破解
使用中文12.0.26版进行分析。Mac版本使用OC开发，函数名都以明文显示，更加便于分析，首先是屏蔽程序启动时的注册验证：

__text:00000001006A7A05 ; void __cdecl -[AppDelegate applicationDidFinishLaunching:](AppDelegate *self, SEL, id)
__text:00000001006A7A05 __AppDelegate_applicationDidFinishLaunching__ proc near
__text:00000001006A7A05
__text:00000001006A7A05 var_290       = xmmword ptr -290h
__text:00000001006A7A05 var_280       = xmmword ptr -280h
__text:00000001006A7A05 var_270       = xmmword ptr -270h
__text:00000001006A7A05 var_260       = xmmword ptr -260h
__text:00000001006A7A05 var_250       = xmmword ptr -250h
__text:00000001006A7A05 var_240       = xmmword ptr -240h
__text:00000001006A7A05 var_230       = xmmword ptr -230h
__text:00000001006A7A05 var_220       = xmmword ptr -220h
__text:00000001006A7A05 var_210       = qword ptr -210h
__text:00000001006A7A05 var_208       = qword ptr -208h
__text:00000001006A7A05 var_200       = qword ptr -200h
__text:00000001006A7A05 var_1F8       = qword ptr -1F8h
__text:00000001006A7A05 var_1F0       = qword ptr -1F0h
__text:00000001006A7A05 var_1E8       = qword ptr -1E8h
__text:00000001006A7A05 var_1E0       = qword ptr -1E0h
__text:00000001006A7A05 var_1D8       = qword ptr -1D8h
__text:00000001006A7A05 var_1D0       = qword ptr -1D0h
__text:00000001006A7A05 var_1C8       = qword ptr -1C8h
__text:00000001006A7A05 var_1C0       = qword ptr -1C0h
__text:00000001006A7A05 var_1B8       = qword ptr -1B8h
__text:00000001006A7A05 var_1B0       = qword ptr -1B0h
__text:00000001006A7A05 var_1A8       = qword ptr -1A8h
__text:00000001006A7A05 var_1A0       = xmmword ptr -1A0h
__text:00000001006A7A05 var_190       = qword ptr -190h
__text:00000001006A7A05 var_180       = qword ptr -180h
__text:00000001006A7A05 var_178       = qword ptr -178h
__text:00000001006A7A05 var_170       = qword ptr -170h
__text:00000001006A7A05 var_168       = qword ptr -168h
__text:00000001006A7A05 var_160       = qword ptr -160h
__text:00000001006A7A05 var_158       = qword ptr -158h
__text:00000001006A7A05 var_150       = qword ptr -150h
__text:00000001006A7A05 var_148       = qword ptr -148h
__text:00000001006A7A05 var_140       = qword ptr -140h
__text:00000001006A7A05 var_138       = qword ptr -138h
__text:00000001006A7A05 var_130       = byte ptr -130h
__text:00000001006A7A05 var_B0       = byte ptr -0B0h
__text:00000001006A7A05 var_30       = qword ptr -30h
__text:00000001006A7A05
__text:00000001006A7A05                push rbp
__text:00000001006A7A06                mov    rbp, rsp
__text:00000001006A7A09                push r15
__text:00000001006A7A0B                push r14
__text:00000001006A7A0D                push r13
__text:00000001006A7A0F                push r12
__text:00000001006A7A11                push rbx
__text:00000001006A7A12                sub    rsp, 268h
__text:00000001006A7A19                mov    [rbp+var_148], rdi
__text:00000001006A7A20                mov    rax, cs:___stack_chk_guard_ptr
__text:00000001006A7A27                mov    rax, [rax]
__text:00000001006A7A2A                mov    [rbp+var_30], rax
__text:00000001006A7A2E                mov    rdi, rdx
__text:00000001006A7A31                call cs:_objc_retain_ptr
__text:00000001006A7A37                mov    [rbp+var_138], rax
__text:00000001006A7A3E                mov    rdi, cs:classRef_NAVMainMenuManager
__text:00000001006A7A45                mov    rsi, cs:selRef_defaultManager
__text:00000001006A7A4C                call cs:_objc_msgSend_ptr
__text:00000001006A7A52                mov    rdi, rax
__text:00000001006A7A55                call _objc_retainAutoreleasedReturnValue
__text:00000001006A7A5A                mov    rbx, rax
__text:00000001006A7A5D                mov    rsi, cs:selRef_reloadMainMenu
__text:00000001006A7A64                mov    rdi, rbx
__text:00000001006A7A67                call cs:_objc_msgSend_ptr
__text:00000001006A7A6D                mov    rdi, rbx
__text:00000001006A7A70                call cs:_objc_release_ptr
__text:00000001006A7A76                mov    r14, cs:classRef_Registration
__text:00000001006A7A7D                mov    rcx, cs:_OBJC_IVAR_$_AppDelegate__mainWinCtrl ; MainWindowController *_mainWinCtrl;
__text:00000001006A7A84                mov    rax, [rbp+var_148]
__text:00000001006A7A8B                mov    rdi, [rax+rcx]
__text:00000001006A7A8F                mov    rsi, cs:selRef_window
__text:00000001006A7A96                call cs:_objc_msgSend_ptr
__text:00000001006A7A9C                mov    rdi, rax
__text:00000001006A7A9F                call _objc_retainAutoreleasedReturnValue
__text:00000001006A7AA4                mov    rbx, rax
__text:00000001006A7AA7                mov    rsi, cs:selRef_ApplicationChecking_isLaunch_
__text:00000001006A7AAE                mov    ecx, 1
__text:00000001006A7AB3                mov    rdi, r14
__text:00000001006A7AB6                mov    rdx, rbx
__text:00000001006A7AB9                call cs:_objc_msgSend_ptr
__text:00000001006A7ABF                mov    rdi, rbx
__text:00000001006A7AC2                call cs:_objc_release_ptr
__text:00000001006A7AC8                mov    rdi, cs:classRef_VersionMigrateManager
__text:00000001006A7ACF                mov    rsi, cs:selRef_defaultManager
__text:00000001006A7AD6                call cs:_objc_msgSend_ptr
__text:00000001006A7ADC                mov    rdi, rax
__text:00000001006A7ADF                call _objc_retainAutoreleasedReturnValue
__text:00000001006A7AE4                mov    rbx, rax
__text:00000001006A7AE7                mov    rsi, cs:selRef_tryMigrate
__text:00000001006A7AEE                mov    rdi, rbx
__text:00000001006A7AF1                call cs:_objc_msgSend_ptr
__text:00000001006A7AF7                mov    rdi, rbx
__text:00000001006A7AFA                call cs:_objc_release_ptr
__text:00000001006A7B00                mov    rdi, cs:classRef_PlistManager
__text:00000001006A7B07                mov    rsi, cs:selRef_defaultManager
__text:00000001006A7B0E                call cs:_objc_msgSend_ptr
__text:00000001006A7B14                mov    rdi, rax
__text:00000001006A7B17                call _objc_retainAutoreleasedReturnValue
__text:00000001006A7B1C                mov    rbx, rax
__text:00000001006A7B1F                mov    rsi, cs:selRef_tryRestore
__text:00000001006A7B26                mov    rdi, rbx
__text:00000001006A7B29                call cs:_objc_msgSend_ptr
__text:00000001006A7B2F                mov    rdi, rbx
__text:00000001006A7B32                call cs:_objc_release_ptr

在[AppDelegate applicationDidFinishLaunching:]中，将00000001006A7A76地址处的16进制码4C8B35B319修改为E94D000000，就是一条跳转指令，跳转到00000001006A7AC8，从而绕过检查。下面的修改主要是为了防止你不小心点了菜单中的“注册”按钮，也会触发检查：

__text:000000010028ED40 ; void __cdecl -[Registration sheetDidDismissActivation:returnCode:contextInfo:](Registration *self, SEL, id, signed __int64, void *)
__text:000000010028ED40 __Registration_sheetDidDismissActivation_returnCode_contextInfo__ proc near
__text:000000010028ED40                push rbp
__text:000000010028ED41                mov    rbp, rsp
__text:000000010028ED44                push r15
__text:000000010028ED46                push r14
__text:000000010028ED48                push rbx
__text:000000010028ED49                push rax
__text:000000010028ED4A                cmp    rcx, 3EAh
__text:000000010028ED51                mov    r14, cs:classRef_Registration
__text:000000010028ED58                jnz    short loc_10028ED74
__text:000000010028ED5A                mov    rsi, cs:selRef_LaunchManualActivationForm
__text:000000010028ED61                mov    rdi, r14
__text:000000010028ED64                add    rsp, 8
__text:000000010028ED68                pop    rbx
__text:000000010028ED69                pop    r14
__text:000000010028ED6B                pop    r15
__text:000000010028ED6D                pop    rbp
__text:000000010028ED6E                jmp    cs:_objc_msgSend_ptr
__text:000000010028ED74 ; ---------------------------------------------------------------------------
__text:000000010028ED74
__text:000000010028ED74 loc_10028ED74:                         ; CODE XREF: -[Registration sheetDidDismissActivation:returnCode:contextInfo:]+18↑j
__text:000000010028ED74                mov    rax, cs:_NSApp_ptr
__text:000000010028ED7B                mov    rdi, [rax]
__text:000000010028ED7E                mov    rsi, cs:selRef_mainWindow
__text:000000010028ED85                mov    r15, cs:_objc_msgSend_ptr
__text:000000010028ED8C                call r15 ; _objc_msgSend
__text:000000010028ED8F                mov    rdi, rax
__text:000000010028ED92                call _objc_retainAutoreleasedReturnValue
__text:000000010028ED97                mov    rbx, rax
__text:000000010028ED9A                mov    rsi, cs:selRef_ApplicationChecking_isLaunch_
__text:000000010028EDA1                xor    ecx, ecx
__text:000000010028EDA3                mov    rdi, r14
__text:000000010028EDA6                mov    rdx, rbx
__text:000000010028EDA9                call r15 ; _objc_msgSend
__text:000000010028EDAC                mov    rdi, rbx
__text:000000010028EDAF                add    rsp, 8
__text:000000010028EDB3                pop    rbx
__text:000000010028EDB4                pop    r14
__text:000000010028EDB6                pop    r15
__text:000000010028EDB8                pop    rbp
__text:000000010028EDB9                jmp    cs:_objc_release_ptr
__text:000000010028EDB9 __Registration_sheetDidDismissActivation_returnCode_contextInfo__ endp

也就是在[Registration sheetDidDismissActivation:returnCode:contextInfo:]中，将000000010028ED9A地址处的16进制码488B357F80修改为E90D000000，直接跳转到000000010028EDAC处。需要注意的是Mac上12版本的Navicat将数据库连接密码存在系统钥匙串里，所以破解之后想要正常使用的话，需要使用自签名证书进行重新签名。附件中是当前最新版12.0.26 Mac版和12.0.28 Windows版修改后得到的diff文件，大家可以使用WinHex自行修改。

Hmily · 发表于 2018-5-17 10:24

写的好乱，最后是爆破吗？没看懂

阳光丶 · 发表于 2018-5-17 14:01

还行吧就是__text:000000010028ED40 ; void __cdecl -[Registration sheetDidDismissActivation:returnCode:contextInfo:](Registration *self, SEL, id, signed __int64, void *) 有点多余了建议修改

吾爱游客 *发表于 2018-5-18 11:41* · 发表于 2018-5-18 11:41

Hmily 发表于 2018-5-17 10:24
写的好乱，最后是爆破吗？没看懂

原本编辑的时候还好好的，提交之后排版乱掉了。
满足自己使用，不想花太多时间。通过修改指令达到屏蔽试用时间限制，应该算是暴力破解，这个软件内嵌了公钥，应该没有不需要Patch的keygen。
只是Mac OS X下因为密码保存在钥匙串中，所以需要重新签名，不过可以把自签名证书一起打包，给别人导入一下就可以了。

吾爱游客 *发表于 2018-5-18 11:43* · 发表于 2018-5-18 11:43

阳光丶发表于 2018-5-17 14:01
还行吧就是__text:000000010028ED40 ; void __cdecl -[Registration sheetDidDismissActivation:returnCo ...

有人会去点“注册”菜单，弹框点“取消”后程序会检测License并退出。这是Mac版的行为，Windows版没有。

Hmily · 发表于 2018-5-18 14:26

Kylin这个账号已经被注册过了，申请前先测试好账号可用性。

帐号		自动登录	找回密码
密码			注册[Register]

选中篇:

[会员申请] 申请会员ID：Kylin

个人中心


	选中篇: 置顶\|

选中 篇:

[会员申请] 申请会员ID：Kylin

个人中心

选中篇: