破解實錄(六)之 1toX 1.63 (6千字)
破解實錄(六)之 1toX 1.63
軟體名稱:1toX 1.63 -->(30天試用)
簡 介:檔案分割工具,支援 CRC 校驗、密碼保護、拖放等。
作 者:xiA Qin
級 別:剛學不久
解密日前:2000年7月19日
解密工具:Trw2000 1.22
破解目的:學習註冊碼的破解。(簡單)
說 明:
本文是在我的軟體破解記錄上整理出來的。所以在文中沒有任何的註冊碼,只作技術交流。如若有紕漏,請各位大俠多指教!
首先執行1toX 1.63
輸入註冊資訊
name: xiA Qin
&任意輸入
First Name: china
&任意輸入
register key: 9876543210 &任意輸入
下指令bpx hmemcpy //下中斷點
按F5回到程式,按確定,這時會被Trw2000攔截到。
下指令bd * //屏障中斷點
下指令pmodule //直接跳到程式的領空
按F10來到下面指令
...............
015F:00408E9F LEA EAX,[ESP+14]
//載入name , <<- 這裡是xiA
Qin
015F:00408EA3 LEA ECX,[ESP+68]
//載入First name, <<- 這裡是china
015F:00408EA7 PUSH EAX
015F:00408EA8 PUSH DWORD 00426464
015F:00408EAD PUSH ECX
015F:00408EAE LEA EDX,[ESP+06B8]
015F:00408EB5 PUSH DWORD 004272A4
015F:00408EBA PUSH EDX
015F:00408EBB CALL EBX
015F:00408EBD LEA EDI,[ESP+06C0]
015F:00408EC4 OR ECX,BYTE -01
015F:00408EC7 XOR EAX,EAX
015F:00408EC9 ADD ESP,BYTE +14
015F:00408ECC REPNE SCASB
015F:00408ECE NOT ECX
015F:00408ED0 SUB EDI,ECX
015F:00408ED2 LEA EDX,[ESP+0294]
015F:00408ED9 MOV EAX,ECX
015F:00408EDB MOV ESI,EDI
015F:00408EDD MOV EDI,EDX
015F:00408EDF SHR ECX,02
015F:00408EE2 REP MOVSD
015F:00408EE4 MOV ECX,EAX
015F:00408EE6 LEA EAX,[ESP+0294]
015F:00408EED AND ECX,BYTE +03
015F:00408EF0 REP MOVSB
015F:00408EF2 MOV CL,[ESP+0294]
015F:00408EF9 TEST CL,CL
015F:00408EFB JZ 00408F1C
015F:00408EFD CMP BYTE [EAX],5F
015F:00408F00 JNZ 00408F05
015F:00408F02 MOV BYTE [EAX],20
015F:00408F05 MOVSX ECX,BYTE [EAX]
015F:00408F08 XOR ECX,[ESP+10]
015F:00408F0C XOR ECX,13579ACE
015F:00408F12 INC EAX
015F:00408F13 MOV [ESP+10],ECX
015F:00408F17 CMP BYTE [EAX],00
015F:00408F1A JNZ 00408EFD
015F:00408F1C MOV EAX,[ESP+10]
015F:00408F20 LEA EDX,[ESP+BC]
015F:00408F27 XOR EAX,2468BDF0
015F:00408F2C PUSH EDX
015F:00408F2D MOV [0042A698],EAX
015F:00408F32 CALL 00418F27
015F:00408F37 MOV ECX,[0042A698]
015F:00408F3D ADD ESP,BYTE +04
015F:00408F40 CMP EAX,ECX
015F:00408F42 JZ 00408F72
015F:00408F44 PUSH BYTE +10
015F:00408F46 PUSH DWORD 004272FC
015F:00408F4B PUSH DWORD 00427254
015F:00408F50 PUSH EBP
015F:00408F51 CALL `USER32!MessageBoxA`
015F:00408F57 PUSH BYTE +01
015F:00408F59 PUSH EBP
015F:00408F5A CALL `USER32!EndDialog`
015F:00408F60 MOV EAX,01
015F:00408F65 POP EDI
015F:00408F66 POP ESI
015F:00408F67 POP EBP
015F:00408F68 POP EBX
015F:00408F69 ADD ESP,089C
015F:00408E9F LEA EAX,[ESP+14]
015F:00408EA3 LEA ECX,[ESP+68]
015F:00408EA7 PUSH EAX
015F:00408EA8 PUSH DWORD 00426464
015F:00408EAD PUSH ECX
015F:00408EAE LEA EDX,[ESP+06B8]
015F:00408EB5 PUSH DWORD 004272A4
015F:00408EBA PUSH EDX
015F:00408EBB CALL EBX
015F:00408EBD LEA EDI,[ESP+06C0]
015F:00408EC4 OR ECX,BYTE -01
015F:00408EC7 XOR EAX,EAX
015F:00408EC9 ADD ESP,BYTE +14
015F:00408ECC REPNE SCASB
015F:00408ECE NOT ECX
015F:00408ED0 SUB EDI,ECX
015F:00408ED2 LEA EDX,[ESP+0294]
015F:00408ED9 MOV EAX,ECX
015F:00408EDB MOV ESI,EDI
015F:00408EDD MOV EDI,EDX
015F:00408EDF SHR ECX,02
015F:00408EE2 REP MOVSD
015F:00408EE4 MOV ECX,EAX
015F:00408EE6 LEA EAX,[ESP+0294]
015F:00408EED AND ECX,BYTE +03
015F:00408EF0 REP MOVSB
015F:00408EF2 MOV CL,[ESP+0294]
015F:00408EF9 TEST CL,CL
015F:00408EFB JZ 00408F1C
<--|
015F:00408EFD CMP BYTE [EAX],5F
|這裡是透過
015F:00408F00 JNZ 00408F05
|First name+1toX+name
015F:00408F02 MOV BYTE [EAX],20
|來運算註冊碼
015F:00408F05 MOVSX ECX,BYTE [EAX]
|
015F:00408F08 XOR ECX,[ESP+10]
|
015F:00408F0C XOR ECX,13579ACE
|
015F:00408F12 INC EAX
|
015F:00408F13 MOV [ESP+10],ECX
|
015F:00408F17 CMP BYTE [EAX],00
|
015F:00408F1A JNZ 00408EFD
<--|
015F:00408F1C MOV EAX,[ESP+10]
015F:00408F20 LEA EDX,[ESP+BC]
//輸入的註冊碼9876543210
015F:00408F27 XOR EAX,2468BDF0
015F:00408F2C PUSH EDX
015F:00408F2D MOV [0042A698],EAX
015F:00408F32 CALL 00418F27
015F:00408F37 MOV ECX,[0042A698]
015F:00408F3D ADD ESP,BYTE +04
015F:00408F40 CMP EAX,ECX
//比較註冊碼
015F:00408F42 JZ 00408F72
//註冊碼相等,就跳到00408F72
015F:00408F44 PUSH BYTE +10
015F:00408F46 PUSH DWORD 004272FC
015F:00408F4B PUSH DWORD 00427254
015F:00408F50 PUSH EBP
015F:00408F51 CALL `USER32!MessageBoxA`
//註冊失敗的對話方塊
015F:00408F57 PUSH BYTE +01
015F:00408F59 PUSH EBP
015F:00408F5A CALL `USER32!EndDialog`
015F:00408F60 MOV EAX,01
015F:00408F65 POP EDI
015F:00408F66 POP ESI
015F:00408F67 POP EBP
015F:00408F68 POP EBX
................................
從上面可以看出.
將00408F42 742E JZ 00408F72
改00408F42 752E JNZ 00408F72
就可以註冊。
整裡一下,用Ultraedt開啟1toX.exe
找到74 2E 6A 10 68
改成75 2E 6A 10 68
儲存修改檔案,重新執行
輸入註冊資訊 ,現在是想輸入什麼都可以。
name: &任意輸入
First Name: &任意輸入
register key: &任意輸入
後 記:
1toX 1.63是透過讀取安裝目錄下的檔案1toXe.cnt來判斷,程式是否註冊。如果把檔案1toXe.cnt刪除,1toX
1.63又成了非註冊版。
相關文章
- Teleport Pro破解實戰錄 (6千字)2000-05-28
- 菜鳥破解錄(10)之 A Day in the Life 1.51
(6千字)2000-07-23
- 美萍反黃專家 版本3.2破解實錄 (6千字)2001-12-08
- 菜鳥破解實錄(八)之 超級信封列印工具 v3.2 (6千字)2000-07-21
- 菜鳥破解實錄 之Terrapin FTP Browser (5千字)2000-09-09APIFTP
- 某電子書註冊破解實錄,高手莫入。 (6千字)2002-10-05
- iTime 破解實錄 (15千字)2001-04-26
- 菜鳥破解錄之 The Cleaner (4千字)2000-08-12
- 菜鳥破解錄之 DlgXRSizer (4千字)2000-08-17
- 破解實錄(四)之 NoteTab Pro Trial 4.81 (3千字)2000-07-18
- 菜鳥破解實錄之 Dynamic Desktop 1.4.2 (9千字)2000-08-09
- 菜鳥破解實錄 之 GWD Text Editor 3.0 (9千字)2000-08-16
- 最新 英語聽力通 v2.1 破解實錄 (6千字)2002-01-21
- Gifline破解實錄 (4千字)2001-08-05
- 菜鳥破解錄之 Animated Screen (4千字)2000-08-13
- 菜鳥破解錄之 CleanReg 3.2.6 (3千字)2000-08-15
- 菜鳥破解錄之 AutoDialogs (3千字)2000-08-18
- 菜鳥破解錄自之 Dialup Constructor 及演算法分析
(6千字)2000-09-11Struct演算法
- 菜鳥破解錄 JPEG Optimizer3.15 (6千字)2000-08-14
- DISKdata v3.2.0之暴力破解 (6千字)2000-10-01
- 菜鳥破解實錄(16)之 CD Box Labeler Pro (4千字)2000-08-03
- RegHance v1.1破解實錄 (5千字)2001-03-26
- 詞彙終結者破解實錄 (7千字)2000-08-13
- 菜鳥破解錄(九)之 CDSpace 1.95 (4千字)2000-07-22
- 菜鳥破解錄(17)之 BackupXpress Pro (3千字)2000-08-05
- 菜鳥破解錄(19)之 XMLwriter 1.21 (9千字)2000-08-08XML
- 菜鳥破解實錄(五)之 EditPlus v2.01 (7千字)2000-08-01
- image optimizer v3.0之暴力破解 (6千字)2000-10-12
- 禁用登錄檔之暴力破解法。 (4千字)2001-10-14
- vfp&exe加密程式破解實錄 (1千字)2001-08-17加密
- KeyGhost V3.2 破解實錄 (11千字)2000-08-17
- 暴力破解3 (6千字)2001-02-18
- Registry Crawler 4.0.0.3破解 (6千字)2002-02-28
- 菜鳥破解錄(11)之 WinGlobe2.0 (7千字)2000-07-24
- 菜鳥破解錄(12)之 AxMan3.10 (3千字)2000-07-26
- 菜鳥破解錄(18)之 GWD Text Editor 3.0 (4千字)2000-08-06
- Vopt99另類破解實戰錄
(3千字)2000-09-27
- 《teleport pro 1.28》破解實錄 !!高手莫進!! (5千字)2001-05-03