Hi everyone! This is the cracking walkthrough for EmEditor v3.00 b3.
Let's start from here...
key1 is the first string of digits we enter; I used 1000
key2 is the second string of digits we enter; I used 2000
key3 is the third string of digits we enter; I used 3000
key4 is the fourth string of digits we enter; I used 4000
key1 key2 key3 key4
| | | |
1000 - 2000 - 3000 - 4000
Set a breakpoint: BPX GETDLGITEMINT
017F:00416F71 CALL `USER32!GetDlgItemInt` <-- breaks here
017F:00416F77 MOV [EDI],AX
017F:00416F7A INC ESI
017F:00416F7B INC EDI
017F:00416F7C INC EDI
017F:00416F7D CMP ESI,BYTE +04
017F:00416F80 JL 00416F65 <-- this loops back up 4 times, once per input box (ignore it, save time)
017F:00416F82 LEA EAX,[EBP-0C]
017F:00416F85 PUSH EAX
017F:00416F86 CALL 00416E80 <-- step into this to see the registration code being computed (F8)
017F:00416F8B CMP EAX,EBX <-- compares EAX with EBX
017F:00416F8D POP EDI
017F:00416F8E JZ 00416FBA <-- if EAX<>EBX above, the failure box is shown
017F:00416F90 XOR ECX,ECX
017F:00416F92 CMP EAX,BYTE +02
017F:00416F95 SETNZ CL
017F:00416F98 DEC ECX
017F:00416F99 PUSH BYTE +30
017F:00416F9B AND ECX,BYTE +03
017F:00416F9E ADD ECX,0454
017F:00416FA4 PUSH ECX
017F:00416FA5 CALL 00411E5E <-- the CALL that shows the failure box
017F:00416FAA PUSH BYTE +02
017F:00416FAC PUSH DWORD [EBP+08]
017F:00416FAF CALL `USER32!EndDialog`
017F:00416FB5 JMP 0041703F <-- registered successfully!
CALL 00416E80
The registration code is computed starting here; key1 is the four digits entered in the first box...
017F:00416E80 PUSH ESI
017F:00416E81 MOV ESI,[ESP+08]
017F:00416E85 PUSH EDI
017F:00416E86 PUSH BYTE +0A
017F:00416E88 MOVZX EAX,WORD [ESI]
017F:00416E8B CDQ
017F:00416E8C POP ECX
017F:00416E8D IDIV ECX
017F:00416E8F CMP EAX,AB <-- this gives the first group of the registration code as 1710
key1 / 0xA = 0xAB (0xAB = 171 decimal)
017F:00416E94 JZ 00416E9B <-- this must jump!
017F:00416E96 PUSH BYTE +01
017F:00416E98 POP EAX
017F:00416E99 JMP SHORT 00416EB0
017F:00416E9B MOV DI,[ESI+06]
017F:00416E9F PUSH ESI
017F:00416EA0 CALL 00416DD9 <-- sub-CALL that checks key2, key3, key4; step in
017F:00416EA5 TEST EAX,EAX
017F:00416EA7 JNZ 00416EB0
017F:00416EA9 CMP DI,[ESI+06] <-- look at [ESI+06] here: "isn't that just..."
017F:00416EAD SETNZ AL
017F:00416EB0 POP EDI
017F:00416EB1 POP ESI
017F:00416EB2 RET 04
CALL 00416DD9
Now key2, key3 and key4 are computed
017F:00416DD9 PUSH ESI
017F:00416DDA MOV ESI,[ESP+08]
017F:00416DDE MOV AX,[ESI+02]
017F:00416DE2 AND WORD [ESI+06],BYTE +00
017F:00416DE7 CMP AX,270F
017F:00416DEB JA NEAR 00416E79
017F:00416DF1 MOV CX,[ESI+04]
017F:00416DF5 CMP CX,270F
017F:00416DFA JA 00416E79
017F:00416DFC TEST AX,AX
017F:00416DFF JZ 00416E75
017F:00416E01 CMP AX,08AE <-- if AX=08AE, i.e. key2=2222,
it jumps into the dead end
017F:00416E05 JZ 00416E75
017F:00416E07 CMP AX,162E <-- if AX=162E, i.e. key2=5678 (0x162E is 5678 decimal),
it jumps into the dead end
017F:00416E0B JZ 00416E75 (So as long as key2 and key3 are not 2222 or 5678, it's fine!)
017F:00416E0D PUSH EBX (the key4 below is computed from key1, key2 and key3)
017F:00416E0E PUSH EBP (study the algorithm below in detail and you can write a keygen!)
017F:00416E0F PUSH EDI
017F:00416E10 PUSH BYTE +0A
017F:00416E12 MOVZX EDI,CX
017F:00416E15 MOVZX ECX,WORD [ESI]
017F:00416E18 MOVZX EAX,AX
017F:00416E1B MOV [ESP+18],EAX
017F:00416E1F MOV EAX,ECX
017F:00416E21 CDQ
017F:00416E22 POP EBX
017F:00416E23 IDIV EBX
017F:00416E25 PUSH BYTE +64
017F:00416E27 POP EBP
017F:00416E28 PUSH EBP
017F:00416E29 MOV EBX,EAX
017F:00416E2B MOV EAX,EDI
017F:00416E2D CDQ
017F:00416E2E IDIV EBP
017F:00416E30 MOV EDX,[ESP+18]
017F:00416E34 ADD EDX,EBX
017F:00416E36 ADD EAX,EDX
017F:00416E38 ADD EAX,EDI
017F:00416E3A POP EDI
017F:00416E3B CDQ
017F:00416E3C IDIV EDI
017F:00416E3E MOV EAX,[ESP+14]
017F:00416E42 PUSH EBP
017F:00416E43 POP EBX
017F:00416E44 PUSH EBP
017F:00416E45 MOV EDI,[EDX*4+00436BA8]
017F:00416E4C CDQ
017F:00416E4D IMUL EDI,EDI,BYTE +64
017F:00416E50 IDIV EBX
017F:00416E52 MOV EBX,EAX
017F:00416E54 MOV EAX,ECX
017F:00416E56 CDQ
017F:00416E57 IDIV EBP
017F:00416E59 ADD ECX,EBX
017F:00416E5B ADD EAX,ECX
017F:00416E5D POP ECX
017F:00416E5E CDQ
017F:00416E5F IDIV ECX
017F:00416E61 MOV EAX,[EDX*4+00436BA8]
017F:00416E68 ADD EDI,EAX
017F:00416E6A XOR EAX,EAX
017F:00416E6C MOV [ESI+06],DI <-- note: DI is the key4 you want
017F:00416E70 POP EDI
017F:00416E71 POP EBP
017F:00416E72 POP EBX
017F:00416E73 JMP SHORT 00416E7C
017F:00416E75 PUSH BYTE +02
017F:00416E77 JMP SHORT 00416E7B
017F:00416E79 PUSH BYTE +01
017F:00416E7B POP EAX
017F:00416E7C POP ESI
017F:00416E7D RET 04
The above is the trace taken with TRW2000 1.22.
Due to time constraints I have written this up briefly; if you want to write a keygen, go and figure it out yourselves!
This is also the first write-up I have written, and some parts are lacking.
Perhaps there are better methods; I hope you will offer more suggestions, and let's all exchange more ideas in the future. Thank you!
木尼
2000/08/05
sxkok@163.net