Cracking in Practice (3): WinZip 8.0
Software: WinZip 8.0
Description: A powerful and easy-to-use compression utility. (30-day trial)
Date cracked: July 15, 2000
Tool used: Trw2000 1.22
Purpose: learning how registration codes are cracked.
Notes:
This article was put together from my own software-cracking notes, so it contains no registration codes at all and is meant purely as a technical exchange. If there are any mistakes, I ask the experts to point them out!
First load WinZip 8.0 with Trw2000.
Enter the registration information:
name: xiA Qin
& anything will do
register key: 1949101 & anything will do
Enter the command bpx hmemcpy //set a breakpoint
Press F5 to return to the program and click OK; Trw2000 will now catch it.
Enter the command bd * //disable the breakpoints
Enter the command pmodule //jump directly into the program's own code
1. Press F10 until you reach the following instructions:
015F:00407F73 PUSH EDI
015F:00407F74 CALL 0043F89A
015F:00407F79 PUSH EDI
015F:00407F7A CALL 0043F8C3
015F:00407F7F POP ECX
015F:00407F80 MOV ESI,0048CDA4
015F:00407F85 POP ECX
015F:00407F86 PUSH BYTE +0B
015F:00407F88 PUSH ESI
015F:00407F89 PUSH DWORD 0C81
015F:00407F8E PUSH EBX
015F:00407F8F CALL `USER32!GetDlgItemTextA`
015F:00407F95 PUSH ESI
015F:00407F96 CALL 0043F89A
015F:00407F9B PUSH ESI
015F:00407F9C CALL 0043F8C3
015F:00407FA1 CMP BYTE [0048CD78],00
015F:00407FA8 POP ECX
015F:00407FA9 POP ECX
015F:00407FAA JZ 00408005
015F:00407FAC CMP BYTE [0048CDA4],00
015F:00407FB3 JZ 00408005
015F:00407FB5 CALL 004079D5
//The key CALL. Something is going on here; press F8 to step into it.
015F:00407FBA TEST EAX,EAX
//Doesn't this look familiar?
015F:00407FBC JZ 00408005
//If the registration codes don't match, jump to 00408005.
1) Press F8 to step into the CALL at 00407FB5.
015F:00407A7C JZ 00407A91
015F:00407A7E CALL 004082A6
015F:00407A83 AND DWORD [00489FDC],BYTE +00
015F:00407A8A XOR EAX,EAX
015F:00407A8C JMP 00407B42
015F:00407A91 LEA EAX,[EBP+FFFFFEC0]
015F:00407A97 PUSH EAX
015F:00407A98 PUSH EDI
015F:00407A99 CALL 00407B47
015F:00407A9E MOV ESI,0048CDA4
015F:00407AA3 LEA EAX,[EBP+FFFFFEC0]
//Enter D ESI: the registration code you typed in.
015F:00407AA9 PUSH ESI
//Enter D EAX: the real registration code.
015F:00407AAA PUSH EAX
015F:00407AAB CALL 004692D0
015F:00407AB0 ADD ESP,BYTE +10
015F:00407AB3 NEG EAX
015F:00407AB5 SBB EAX,EAX
015F:00407AB7 INC EAX
015F:00407AB8 MOV [00489FDC],EAX
015F:00407ABD JNZ 00407B27
015F:00407ABF LEA EAX,[EBP+FFFFFEC0]
//Enter D EAX: the real registration code.
015F:00407AC5 PUSH EAX
015F:00407AC6 PUSH EDI
015F:00407AC7 CALL 00407BE4
015F:00407ACC LEA EAX,[EBP+FFFFFEC0]
//Enter D EAX: the real registration code (different from the one above).
015F:00407AD2 PUSH ESI
//Enter D ESI: the registration code you typed in.
015F:00407AD3 PUSH EAX
015F:00407AD4 CALL 004692D0
015F:00407AD9 ADD ESP,BYTE +10
015F:00407ADC NEG EAX
015F:00407ADE SBB EAX,EAX
015F:00407AE0 INC EAX
015F:00407AE1 MOV [00489FDC],EAX
015F:00407AE6 JNZ 00407B27
015F:00407AE8 LEA EAX,[EBP+FFFFFEC4]
015F:00407AEE PUSH BYTE +04
015F:00407AF0 PUSH EAX
015F:00407AF1 PUSH ESI
015F:00407AF2 CALL 004696C0
015F:00407AF7 ADD ESP,BYTE +0C
015F:00407AFA TEST EAX,EAX
015F:00407AFC JNZ 00407B20
015F:00407AFE LEA EAX,[EBP+FFFFFEC0]
015F:00407B04 PUSH BYTE +04
015F:00407B06 PUSH EAX
015F:00407B07 PUSH DWORD 0048CDA8
015F:00407B0C CALL 004696C0
015F:00407B11 ADD ESP,BYTE +0C
015F:00407B14 TEST EAX,EAX
015F:00407B16 JNZ 00407B20
015F:00407B18 MOV [00489FDC],EBX
015F:00407B1E JMP SHORT 00407B27
015F:00407B20 AND DWORD [00489FDC],BYTE +00
015F:00407B27 PUSH DWORD 012C
015F:00407B2C LEA EAX,[EBP+FFFFFEC0]
015F:00407B32 PUSH BYTE +00
//Enter D EAX: the real registration code.
015F:00407B34 PUSH EAX
015F:00407B35 CALL 00467C10
015F:00407B3A MOV EAX,[00489FDC]
015F:00407B3F ADD ESP,BYTE +0C
015F:00407B42 POP EDI
015F:00407B43 POP ESI
015F:00407B44 POP EBX
.......................................
015F:00407FBE PUSH EDI
015F:00407FBF MOV EDI,0047FFA4
015F:00407FC4 PUSH DWORD 0047DB24
015F:00407FC9 PUSH EDI
015F:00407FCA CALL 0043B5DA
015F:00407FCF PUSH ESI
015F:00407FD0 PUSH DWORD 0047E66C
015F:00407FD5 PUSH EDI
015F:00407FD6 CALL 0043B5DA
015F:00407FDB PUSH DWORD 0047FFC4
015F:00407FE0 PUSH BYTE +00
015F:00407FE2 PUSH BYTE +00
015F:00407FE4 PUSH DWORD 0047DB30
015F:00407FE9 CALL 0043B5C1
015F:00407FEE MOV EAX,[00487AF4]
015F:00407FF3 ADD ESP,BYTE +28
015F:00407FF6 TEST EAX,EAX
015F:00407FF8 JZ 00408001
015F:00407FFA PUSH EAX
015F:00407FFB CALL `GDI32!DeleteObject`
015F:00408001 PUSH BYTE +01
015F:00408003 JMP SHORT 00408035
015F:00408005 CALL 004082A6
015F:0040800A PUSH DWORD 028E
015F:0040800F CALL 0043F5ED
015F:00408014 PUSH EAX
015F:00408015 PUSH EBX
015F:00408016 PUSH BYTE +3D
015F:00408018 CALL 00430025
//This is where it's GAME OVER;
look upward for a place where
this CALL can be skipped.
Postscript:
The registration codes shown at addresses 00407AA3, 00407ABF, and 00407ACC/00407B2C are different, but every one of them works.
Too easy! It took less than five minutes to crack. No wonder there is no WinZip 8.0 crack online: the experts didn't think it worth "cracking". So I had to crack it and write it up myself.
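As an added illustration (not part of the original write-up), the C below models what the instructions from 00407AA3 to 00407AE6 do: a two-argument compare call followed by the NEG / SBB / INC idiom that turns "the call returned zero" into a 1 flag stored at [00489FDC], tried once for the first computed key and, if that fails, again for the second one. That 004692D0 behaves like strcmp, and the key strings used here, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NEG EAX ; SBB EAX,EAX ; INC EAX  (00407AB3..00407AB8)
   Converts a strcmp-style result into a boolean: 1 if EAX was 0, else 0. */
static uint32_t neg_sbb_inc(uint32_t eax)
{
    /* NEG EAX: EAX = -EAX, CF = 1 if the original EAX was non-zero. */
    uint32_t cf = (eax != 0u);
    eax = 0u - eax;
    /* SBB EAX,EAX: EAX = EAX - EAX - CF = -CF, i.e. 0 or 0xFFFFFFFF.
       The negated value is discarded; only CF survives. */
    eax = 0u - cf;
    /* INC EAX: 0xFFFFFFFF + 1 wraps to 0, 0 + 1 gives 1. */
    return eax + 1u;
}

/* Models 00407AA3..00407AE6. 'entered' is what D ESI shows, key1 and key2
   are the two values D EAX shows at 00407AA3 and 00407ACC (assumed to be
   plain C strings and 004692D0 to be strcmp). Returns the [00489FDC] flag. */
static uint32_t registration_flag(const char *entered,
                                  const char *key1, const char *key2)
{
    /* CALL 004692D0 on (key1, entered), then NEG/SBB/INC, MOV [00489FDC],EAX */
    uint32_t flag = neg_sbb_inc((uint32_t)strcmp(key1, entered));
    if (flag)            /* JNZ 00407B27: INC left EAX non-zero, so accept */
        return flag;
    /* CALL 00407BE4 produced a second candidate; compare it the same way */
    return neg_sbb_inc((uint32_t)strcmp(key2, entered));
}

int main(void)
{
    /* Constructed sample values; they are not real WinZip keys. */
    const char *k1 = "KEY-ONE", *k2 = "KEY-TWO";
    printf("KEY-ONE -> %u\n", registration_flag("KEY-ONE", k1, k2));
    printf("KEY-TWO -> %u\n", registration_flag("KEY-TWO", k1, k2));
    printf("1949101 -> %u\n", registration_flag("1949101", k1, k2));
    return 0;
}
```

Because the routine compares the typed string against a fully computed key held in memory, the key is readable at every D EAX point the write-up marks; that is what makes this check so easy to follow.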