http://newhua.xingtai.net/down/winimp111-32.exe
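WinImp 1.11 registration code crack
WinImp is a compression program; under the same conditions its compression ratio is far higher than WinZip's, and it is my new favorite.
Because the latest 番外地 3.6 registration-code lookup system only has the 0.99 version of WinImp, which does not work, I cracked it myself.
The registration code can be entered under HELP.
First, enter an arbitrary number and you get the message "the keys do not match the names...". Then disassemble with W32DASM and, from STRING DATA REFERENCE, find: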
:004260B5 81FA00000001 cmp edx, 01000000
:004260BB 7216 jb 004260D3
:004260BD 3D00000001 cmp eax, 01000000
:004260C2 720F jb 004260D3
:004260C4 89D0 mov eax, edx
:004260C6 8B55F8 mov edx, dword ptr [ebp-08]
:004260C9 E8D9010000 call 004262A7
:004260CE 3B45FC cmp eax, dword ptr [ebp-04]
:004260D1 7418 je 004260EB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004260BB(C), :004260C2(C)
|
:004260D3 6A30 push 00000030
* Possible StringData Ref from Data Obj ->"WinImp"
|
:004260D5 6830D24400 push 0044D230
* Possible StringData Ref from Data Obj ->"The keys do not match the name.
"
->"Please check
your registration "
->"details
and try again."
|
:004260DA 6828CC4400 push 0044CC28
:004260DF 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0048h
|
:004260E0 2EFF150CD84300 Call dword ptr cs:[0043D80C]
:004260E7 31C0 xor eax, eax
:004260E9 EB68 jmp 00426153
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004260D1(C)
|
:004260EB BB603C4500 mov ebx, 00453C60
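Looking upward from there:
1. :004260B5 cmp edx, 01000000 <-- edx is key1; it must be greater than or equal to 01000000
:004260BB jb 004260D3
2. :004260BD cmp eax, 01000000 <-- eax is key2; it must also be greater than or equal to 01000000
:004260C2 jb 004260D3
3. :004260CE cmp eax, dword ptr [ebp-04] <-- if they are equal, registration succeeds
:004260D1 je 004260EB
So we have to trace into :004260C9 call 004262A7
Unfortunately, the calculation inside it is very tedious and I could not work it out. But I found that at
:004260CE cmp eax, dword ptr [ebp-04], as long as the user name and key1 are held fixed, changing key2 only changes eax, and the individual digits correspond to each other, so you can set a breakpoint with bpx
004260CE and guess by changing the value of key2.
4. Result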
name: xixiaolou [CCG]
key1: 10000000
key2: 3e64a67e
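The digit-to-digit correspondence between key2 and eax described above is a lack of diffusion in the check routine. As an added example (not from the original post, and not WinImp's algorithm, which the post does not recover), the Python below is a self-test a developer can run against a verification function: `positional_check` is a constructed stand-in that has this property, `mac_check` is a constructed comparison built on HMAC-SHA256, and all names, the secret and the inputs are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # placeholder value, constructed for this example

def positional_check(name: str, key1: int, key2: int) -> int:
    """Constructed stand-in, NOT WinImp's routine at 004262A7: each output
    hex digit depends only on the key2 hex digit in the same position."""
    seed = (sum(name.encode()) * 0x01010101 ^ key1) & 0xFFFFFFFF
    out = 0
    for pos in range(8):
        digit = (key2 >> (4 * pos)) & 0xF
        mix = (seed >> (4 * pos)) & 0xF
        out |= ((digit * 7 + mix) & 0xF) << (4 * pos)
    return out

def mac_check(name: str, key1: int, key2: int) -> int:
    """Same interface, but the value is a truncated HMAC-SHA256 over all inputs."""
    msg = name.encode() + key1.to_bytes(4, "big") + key2.to_bytes(4, "big")
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def digits_changed(a: int, b: int) -> int:
    """Count the hex digit positions in which two 32-bit values differ."""
    diff = a ^ b
    return sum(1 for pos in range(8) if (diff >> (4 * pos)) & 0xF)

def diffusion_profile(check, name: str, key1: int, key2: int) -> list:
    """For each key2 digit position, alter that one digit and report how many
    output digits move. All 1s means the output can be tuned digit by digit."""
    base = check(name, key1, key2)
    profile = []
    for pos in range(8):
        altered = key2 ^ (0x5 << (4 * pos))
        profile.append(digits_changed(base, check(name, key1, altered)))
    return profile

if __name__ == "__main__":
    args = ("example user", 0x01000000, 0x12345678)  # constructed inputs
    print("positional:", diffusion_profile(positional_check, *args))
    print("hmac      :", diffusion_profile(mac_check, *args))
```

Good diffusion only removes the digit-by-digit signal; a secret shipped inside the client remains recoverable, so verifying a signature against an embedded public key is the stronger design.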