Cracking Notes (6): 1toX 1.63
Software: 1toX 1.63 (30-day trial)
Description: a file-splitting tool with CRC checking, password protection, drag and drop, and so on.
Author: xiA Qin
Level: beginner
Date: 19 July 2000
Tool: Trw2000 1.22
Purpose: learning how registration codes are cracked (simple).
Notes:
This article was compiled from my own software-cracking notes, so it contains no registration codes and is meant only as a technical exchange. If there are mistakes, I ask the experts to correct me!
First run 1toX 1.63 and enter the registration information:
name: xiA Qin (any input)
First Name: china (any input)
register key: 9876543210 (any input)
Enter the command bpx hmemcpy //set a breakpoint
Press F5 to return to the program and click OK; Trw2000 will break in at this point.
Enter the command bd * //disable the breakpoints
Enter the command pmodule //jump straight into the program's own code
Press F10 until you reach the following instructions:
...............
015F:00408E9F LEA EAX,[ESP+14]         // load name  <<- here it is "xiA Qin"
015F:00408EA3 LEA ECX,[ESP+68]         // load First name  <<- here it is "china"
015F:00408EA7 PUSH EAX
015F:00408EA8 PUSH DWORD 00426464
015F:00408EAD PUSH ECX
015F:00408EAE LEA EDX,[ESP+06B8]
015F:00408EB5 PUSH DWORD 004272A4
015F:00408EBA PUSH EDX
015F:00408EBB CALL EBX
015F:00408EBD LEA EDI,[ESP+06C0]
015F:00408EC4 OR ECX,BYTE -01
015F:00408EC7 XOR EAX,EAX
015F:00408EC9 ADD ESP,BYTE +14
015F:00408ECC REPNE SCASB
015F:00408ECE NOT ECX
015F:00408ED0 SUB EDI,ECX
015F:00408ED2 LEA EDX,[ESP+0294]
015F:00408ED9 MOV EAX,ECX
015F:00408EDB MOV ESI,EDI
015F:00408EDD MOV EDI,EDX
015F:00408EDF SHR ECX,02
015F:00408EE2 REP MOVSD
015F:00408EE4 MOV ECX,EAX
015F:00408EE6 LEA EAX,[ESP+0294]
015F:00408EED AND ECX,BYTE +03
015F:00408EF0 REP MOVSB
015F:00408EF2 MOV CL,[ESP+0294]
015F:00408EF9 TEST CL,CL
015F:00408EFB JZ 00408F1C
015F:00408EFD CMP BYTE [EAX],5F      <--| this loop computes the registration
015F:00408F00 JNZ 00408F05              | code from First name+1toX+name
015F:00408F02 MOV BYTE [EAX],20         |
015F:00408F05 MOVSX ECX,BYTE [EAX]      |
015F:00408F08 XOR ECX,[ESP+10]          |
015F:00408F0C XOR ECX,13579ACE          |
015F:00408F12 INC EAX                   |
015F:00408F13 MOV [ESP+10],ECX          |
015F:00408F17 CMP BYTE [EAX],00         |
015F:00408F1A JNZ 00408EFD           <--|
015F:00408F1C MOV EAX,[ESP+10]
015F:00408F20 LEA EDX,[ESP+BC]          // the registration code we entered, 9876543210
015F:00408F27 XOR EAX,2468BDF0
015F:00408F2C PUSH EDX
015F:00408F2D MOV [0042A698],EAX
015F:00408F32 CALL 00418F27
015F:00408F37 MOV ECX,[0042A698]
015F:00408F3D ADD ESP,BYTE +04
015F:00408F40 CMP EAX,ECX               // compare the registration codes
015F:00408F42 JZ 00408F72               // if they are equal, jump to 00408F72
015F:00408F44 PUSH BYTE +10
015F:00408F46 PUSH DWORD 004272FC
015F:00408F4B PUSH DWORD 00427254
015F:00408F50 PUSH EBP
015F:00408F51 CALL `USER32!MessageBoxA` // the "registration failed" message box
015F:00408F57 PUSH BYTE +01
015F:00408F59 PUSH EBP
015F:00408F5A CALL `USER32!EndDialog`
015F:00408F60 MOV EAX,01
015F:00408F65 POP EDI
015F:00408F66 POP ESI
015F:00408F67 POP EBP
015F:00408F68 POP EBX
015F:00408F69 ADD ESP,089C
................................
From the above we can see that changing
00408F42 742E JZ 00408F72
to
00408F42 752E JNZ 00408F72
is enough to register.
To put it all together: open 1toX.exe in UltraEdit,
find 74 2E 6A 10 68
and change it to 75 2E 6A 10 68.
Save the modified file and run it again.
Enter the registration information; now anything you type is accepted.
name: (any input)
First Name: (any input)
register key: (any input)
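Seen from the defender's side, the patch above changes exactly one byte, and nothing inside the program notices, because the only evidence is the file on disk. The Python example below is added here and is not part of the original write-up or of 1toX: it builds a constructed stand-in for the code region (the five bytes the write-up searches for, surrounded by NOP filler; not the real 1toX.exe), reproduces the same one-byte edit on that stand-in, and shows that a recorded SHA-256 digest of the unmodified image rejects the edited one. The image bytes, offsets and function names are assumptions made for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for a stretch of code: the five bytes the write-up
# searches for (74 2E 6A 10 68) surrounded by NOP filler. NOT the real 1toX.exe.
PATTERN = b"\x74\x2e\x6a\x10\x68"
ORIGINAL_IMAGE = b"\x90" * 16 + PATTERN + b"\x90" * 16


def sha256_hex(data: bytes) -> str:
    """Digest of a whole image: the value a vendor would record (and sign)."""
    return hashlib.sha256(data).hexdigest()


# The known-good digest, computed once from the unmodified image.
KNOWN_GOOD = sha256_hex(ORIGINAL_IMAGE)


def verify_image(data: bytes, expected: str = KNOWN_GOOD) -> bool:
    """True only if the image still hashes to the recorded digest."""
    return hmac.compare_digest(sha256_hex(data), expected)


def simulate_patch(image: bytes, pattern: bytes, old: int, new: int) -> bytes:
    """Reproduce the write-up's edit on the stand-in: locate the byte pattern
    and replace its first byte (0x74 JZ becomes 0x75 JNZ)."""
    off = image.find(pattern)
    if off < 0:
        raise ValueError("pattern not found")
    if image[off] != old:
        raise ValueError("unexpected opcode at pattern")
    return image[:off] + bytes([new]) + image[off + 1:]


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equally sized images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    patched = simulate_patch(ORIGINAL_IMAGE, PATTERN, 0x74, 0x75)
    print("bytes changed at offsets:", diff_offsets(ORIGINAL_IMAGE, patched))
    print("original verifies:", verify_image(ORIGINAL_IMAGE))
    print("patched verifies:", verify_image(patched))
```

Because the comparison at 00408F40 lives inside the program, an integrity self-check placed next to it would be just one more conditional jump to invert; the digest has to be checked by something the patched program does not control, which in practice means OS-enforced code signing rather than a self-check.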
Postscript:
1toX 1.63 decides whether the program is registered by reading the file 1toXe.cnt in its installation directory. If 1toXe.cnt is deleted, 1toX 1.63 becomes an unregistered copy again.
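The postscript describes registration state kept as an unsigned marker file: whether 1toXe.cnt exists decides everything, so creating or deleting it flips the state. The Python example below is added here and is not part of the original write-up or of 1toX; it shows the minimal improvement, a license record whose fields are bound together by an HMAC-SHA256 tag, so that a record that has been edited or written by hand fails verification and malformed input counts as unregistered. The key, the field names and the JSON record format are assumptions made for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a shipped product a symmetric key cannot be kept
# secret inside the binary; see the note after the example.
LICENSE_KEY = b"demo-vendor-key-not-real"


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding of the fields, so the tag covers exactly one form."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_license(name: str, first_name: str) -> dict:
    """What the vendor would produce for a paying user (assumed fields)."""
    fields = {"product": "1toX", "version": "1.63",
              "name": name, "first_name": first_name}
    tag = hmac.new(LICENSE_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


def serialize_license(record: dict) -> str:
    """Text form written to the license file."""
    return json.dumps(record, sort_keys=True)


def verify_license(record) -> bool:
    """True only if every field is still covered by a valid tag."""
    if not isinstance(record, dict) or not isinstance(record.get("tag"), str):
        return False
    fields = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(LICENSE_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def load_license(text: str) -> bool:
    """Parse a license file body; anything unparsable is treated as unregistered,
    unlike a marker file whose mere presence means 'registered'."""
    try:
        return verify_license(json.loads(text))
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    lic = issue_license("xiA Qin", "china")
    print("issued record verifies:", load_license(serialize_license(lic)))
    forged = dict(lic, name="someone else")
    print("edited name verifies:", verify_license(forged))
    print("hand-written marker verifies:", load_license("registered=1"))
```

An HMAC key has to be present in the program, so it can be recovered with the same debugger session shown above; a shipped product would use a public-key signature instead (the vendor keeps the private key and the program holds only the public key). Either way the verification result still ends in a single branch that a patch can invert, so a signed license file addresses forged state on disk, not a modified binary.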