Cracking the Vopt99 v4.31 registration code
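Tools: TRW2000 and Wdasm 8.93
Target: Vopt99 quickly and safely defragments files scattered across different sectors of the hard disk, saving you time.
It supports FAT16 and FAT32 as well as Chinese long file names, and it is really fast! I honestly don't know how M$ wrote theirs!
Download: ftp://member.myrice.com/czy/dl3/V99v431.exe
Difficulty: intermediate?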
===========================================================================
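Run the program and enter Name: sUpErbOss, Location: Super, Personal key: 1234567890ABCDEFGHIJ
Press Ctrl-N to switch to TRW2000, set a breakpoint with BPX HMEMCPY, and click the "OK" button. When the debugger breaks, type "BD *".
Press F12 a few times to get back into the Vopt99 module, then keep pressing F10 until you reach the key spot marked below: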
:00456F63 8BF8                    mov edi, eax
:00456F65 FF91A0000000            call dword ptr [ecx+000000A0]
:00456F6B 3BC3                    cmp eax, ebx  <---- we first land here!
:00456F6D 7D12                    jge 00456F81
:00456F6F 68A0000000              push 000000A0
:00456F74 68A4244100              push 004124A4
.
.
.
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
|
:004570B0 FF15C4D44500            Call dword ptr [0045D4C4]
:004570B6 8D4DE4                  lea ecx, dword ptr [ebp-1C]
:004570B9 51                      push ecx
:004570BA E87124FDFF              call 00429530  <---- the key call!! (press F8! ^_^)
:004570BF 8D55E4                  lea edx, dword ptr [ebp-1C]
:004570C2 8D45E8                  lea eax, dword ptr [ebp-18]
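Once inside, you quickly arrive at the spot shown below. Now it should be clear why the registration code has to be 20 characters long, right?!
One more thing! In a moment the program will scramble the characters you typed, so to avoid confusion, enter the registration code in a fixed order!
This is a good habit when cracking software!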
* Reference To: MSVBVM50.__vbaLenBstr, Ord:0000h
|
:004295ED 8B3DC4D24500            mov edi, dword ptr [0045D2C4]
:004295F3 FFD7                    call edi
:004295F5 33DB                    xor ebx, ebx
:004295F7 83F814                  cmp eax, 00000014  <---- the registration code must be 20 characters long
:004295FA 0F94C3                  sete bl
:004295FD A148964500              mov eax, dword ptr [00459648]
:00429602 50                      push eax
:00429603 FFD7                    call edi
:00429605 33C9                    xor ecx, ecx
:00429607 83F805                  cmp eax, 00000005  <---- Location must not be shorter than 5 characters
:0042960A 0F9DC1                  setnl cl
:0042960D 85D9                    test ecx, ebx
:0042960F 0F8599000000            jne 004296AE
.
.
.
:00429BCC 50                      push eax  <---- "IGJFH"
:00429BCD 8B55A0                  mov edx, dword ptr [ebp-60]
:00429BD0 52                      push edx  <---- "CEPUB"
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:00429BD1 FF1590D34500            Call dword ptr [0045D390]  <---- first comparison of the registration code!
:00429BD7 8BD8                    mov ebx, eax
:00429BD9 F7DB                    neg ebx
:00429BDB 1BDB                    sbb ebx, ebx
:00429BDD 43                      inc ebx
:00429BDE F7DB                    neg ebx
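Having seen the comparison above, without further ado, first set a breakpoint at 00429BD1 (which key?! F9, of course), then change the registration code to "1234567890ABCDEUEBCP".
Going further down, you end up in the program's maze: nothing can be found in the main program!
In fact, Vopt99 also relies on a third-party registration code validator, ShareLock, whose main file shrlk21.dll sits in the system directory.
After disassembling it with WDasm you will find the exported function shown below. This is our way in, Let's Go!!
Press Ctrl-N to switch to TRW2000, type "pdll32 shrlk21.dll", press F5 to return to the system, and close Vopt99.
When the debugger breaks, note the address of the current instruction (that is, the address of the shrlk21.dll entry point) and compare it with the entry address of shrlk21.dll shown in Wdasm. For example:
if the instruction address is 00F88E50 and Wdasm shows 00448E50, the DLL is loaded 00B40000 higher than in the Wdasm listing, so InputUnlockCode at 00447548 is reached with "BPX 00F87548".
Enter the registration code "1234567890ABCDEUEBCP" again and click the "OK" button. When the debugger breaks, type "BD *".
Then keep pressing F10 until you reach core Call_1, and press F8 to step into it: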
Exported fn(): InputUnlockCode - Ord:000Ch
:00447548 55                      push ebp
:00447549 8BEC                    mov ebp, esp
:0044754B 6A00                    push 00000000
:0044754D 6A00                    push 00000000
:0044754F 6A00                    push 00000000
:00447551 33C0                    xor eax, eax
:00447553 55                      push ebp
:00447554 68AD754400              push 004475AD
:00447559 64FF30                  push dword ptr fs:[eax]
:0044755C 648920                  mov dword ptr fs:[eax], esp
:0044755F 8D45FC                  lea eax, dword ptr [ebp-04]
:00447562 8B5510                  mov edx, dword ptr [ebp+10]
:00447565 E8C6C4FBFF              call 00403A30
:0044756A 8B45FC                  mov eax, dword ptr [ebp-04]
:0044756D 50                      push eax
:0044756E 8D45F8                  lea eax, dword ptr [ebp-08]
:00447571 8B550C                  mov edx, dword ptr [ebp+0C]
:00447574 E8B7C4FBFF              call 00403A30
:00447579 8B45F8                  mov eax, dword ptr [ebp-08]
:0044757C 50                      push eax
:0044757D 8D45F4                  lea eax, dword ptr [ebp-0C]
:00447580 8B5508                  mov edx, dword ptr [ebp+08]
:00447583 E8A8C4FBFF              call 00403A30
:00447588 8B45F4                  mov eax, dword ptr [ebp-0C]
:0044758B 5A                      pop edx
:0044758C 59                      pop ecx
:0044758D E8F2D5FFFF              call 00444B84  <---- core Call_1! (don't forget to press F8!)
:00447592 33C0                    xor eax, eax
After stepping into core Call_1, keep pressing F10 until you reach core Call_2, and press F8 to step into it:
:00444B84 55                      push ebp
:00444B85 8BEC                    mov ebp, esp
:00444B87 83C4E8                  add esp, FFFFFFE8
:00444B8A 53                      push ebx
:00444B8B 33DB                    xor ebx, ebx
:00444B8D 895DE8                  mov dword ptr [ebp-18], ebx
:00444B90 894DF4                  mov dword ptr [ebp-0C], ecx
:00444B93 8955F8                  mov dword ptr [ebp-08], edx
:00444B96 8945FC                  mov dword ptr [ebp-04], eax
:00444B99 8B45FC                  mov eax, dword ptr [ebp-04]
:00444B9C E80BF1FBFF              call 00403CAC
:00444BA1 8B45F8                  mov eax, dword ptr [ebp-08]
:00444BA4 E803F1FBFF              call 00403CAC
:00444BA9 8B45F4                  mov eax, dword ptr [ebp-0C]
:00444BAC E8FBF0FBFF              call 00403CAC
:00444BB1 33C0                    xor eax, eax
:00444BB3 55                      push ebp
:00444BB4 68524D4400              push 00444D52
:00444BB9 64FF30                  push dword ptr fs:[eax]
:00444BBC 648920                  mov dword ptr fs:[eax], esp
:00444BBF C645F300                mov [ebp-0D], 00
:00444BC3 C645F300                mov [ebp-0D], 00
:00444BC7 33C0                    xor eax, eax
:00444BC9 8945EC                  mov dword ptr [ebp-14], eax
:00444BCC 803D8DA8440000          cmp byte ptr [0044A88D], 00
:00444BD3 741D                    je 00444BF2
:00444BD5 8D45EC                  lea eax, dword ptr [ebp-14]
:00444BD8 50                      push eax
:00444BD9 8D45E8                  lea eax, dword ptr [ebp-18]
:00444BDC 50                      push eax
* Reference To: ShrLk21.GetDriveNumber
|
:00444BDD E84E300000              call 00447C30
:00444BE2 8B55E8                  mov edx, dword ptr [ebp-18]
:00444BE5 8D4DF3                  lea ecx, dword ptr [ebp-0D]
:00444BE8 8B45FC                  mov eax, dword ptr [ebp-04]
:00444BEB E8AC010000              call 00444D9C
:00444BF0 EB1D                    jmp 00444C0F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444BD3(C)
|
:00444BF2 8D45EC                  lea eax, dword ptr [ebp-14]
:00444BF5 50                      push eax
:00444BF6 8D55E8                  lea edx, dword ptr [ebp-18]
:00444BF9 8B45F8                  mov eax, dword ptr [ebp-08]
:00444BFC E85B2AFCFF              call 0040765C
:00444C01 8B55E8                  mov edx, dword ptr [ebp-18]
:00444C04 8D4DF3                  lea ecx, dword ptr [ebp-0D]
:00444C07 8B45FC                  mov eax, dword ptr [ebp-04]
:00444C0A E88D010000              call 00444D9C  <---- core Call_2! (don't forget to press F8!)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444BF0(U)
|
:00444C0F 8A45F3                  mov al, byte ptr [ebp-0D]
Once you are inside core Call_2, you have arrived! Read on below!
:00444D9C 55                      push ebp
:00444D9D 8BEC                    mov ebp, esp
:00444D9F 83C4E4                  add esp, FFFFFFE4
:00444DA2 53                      push ebx
:00444DA3 33DB                    xor ebx, ebx
:00444DA5 895DE8                  mov dword ptr [ebp-18], ebx
.
.
.
:00444E59 8AC3                    mov al, bl
:00444E5B 83E841                  sub eax, 00000041  <---- eax must be 41, i.e. the letter "A"
:00444E5E 6BC01A                  imul eax, 0000001A
:00444E61 33D2                    xor edx, edx
:00444E63 8A55EF                  mov dl, byte ptr [ebp-11]  <---- dl must also be 41, i.e. the letter "A"
:00444E66 83EA41                  sub edx, 00000041
:00444E69 03C2                    add eax, edx
:00444E6B 8B5508                  mov edx, dword ptr [ebp+08]
:00444E6E 8902                    mov dword ptr [edx], eax  <---- eax must be 0; it is checked further down!
:00444E70 33DB                    xor ebx, ebx
.
.
:00444EAF 8BD3                    mov edx, ebx
:00444EB1 E8BA070000              call 00445670
:00444EB6 8B55E8                  mov edx, dword ptr [ebp-18]  <---- "1C41A5EAD6F2"
:00444EB9 8B45FC                  mov eax, dword ptr [ebp-04]  <---- "54B7DE038296"
:00444EBC E847EDFBFF              call 00403C08  <---- registration code comparison! (move the cursor bar here and press F9 to set a breakpoint)
:00444EC1 7506                    jne 00444EC9
:00444EC3 8B45F4                  mov eax, dword ptr [ebp-0C]
:00444EC6 C60001                  mov byte ptr [eax], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444EC1(C)
|
:00444EC9 8B4508                  mov eax, dword ptr [ebp+08]
:00444ECC 833800                  cmp dword ptr [eax], 00000000  <---- the value at [eax] must be 0
:00444ECF 750C                    jne 00444EDD
:00444ED1 807DEE43                cmp byte ptr [ebp-12], 43  <---- the value at [ebp-12] must be "C"
:00444ED5 7406                    je 00444EDD
:00444ED7 8B45F4                  mov eax, dword ptr [ebp-0C]
:00444EDA C60000                  mov byte ptr [eax], 00
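Careful! Vopt99 sets a small trap in core Call_2: the first time you type "D EDX", the registration code you see is a fake. If you register with the fake code, the program still reports that registration succeeded, but the About dialog shows the copy as licensed to an illegal version. Start Vopt99 again and it will not run at all!
So the first time you get here, set a breakpoint and press F5 to break a second time. Now type "D EDX", and the registration code you see is the real one.
Now line up the registration code (the characters entered on top, the real characters below):
1 2 3 4 5 6 7 8 9 0 A B C D E U E B C P
| | | | | | | | | | | | | | |
C 6 A C 1 2 1 D F E A 4 A A 5
Clearly the registration code is "C6AC121DFEA4AA5UEBCP". Enter it again, and it works!
However, this registration code cannot be passed around; in other words, the registration code is different on every machine! The installation time or the machine's hardware information may also take part in computing the registration code, so it looks like a registration code can only be obtained with a key generator! :(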
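The breakpoint at 00444EBC pays off because the expected code is computed on the client and compared in plaintext. As an added example (not code from the original article or from ShareLock), here is a licence check in which the client holds only a public key; the toy RSA modulus, the function names and the sample name and machine ID are constructed assumptions.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this
# example; far too small for real use, where a 2048-bit+ key or Ed25519 applies).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public half: shipped inside the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: stays with the vendor


def _digest(name: str, machine_id: str) -> int:
    """Hash the length-prefixed licence fields to an integer below N."""
    data = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode()
                    for f in (name, machine_id))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def issue_key(name: str, machine_id: str) -> str:
    """Vendor side: sign the digest with the private exponent."""
    return format(pow(_digest(name, machine_id), D, N), "X")


def verify_key(name: str, machine_id: str, key: str) -> bool:
    """Client side: needs only (N, E). The value it compares against is the
    digest of the user's own input, so reading it in a debugger does not
    yield a valid key, unlike the plaintext compare in the listing above."""
    try:
        sig = int(key, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(name, machine_id)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    key = issue_key("sUpErbOss", "DRIVE-0001")
    print(key, verify_key("sUpErbOss", "DRIVE-0001", key))
```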