Vopt99 v4.31的註冊碼破解 (11千字)

Vopt99 v4.31的註冊碼破解
工具:TRW2000和Wdasm 8.93
目標說明:Vopt99可將分裂在硬碟上不同扇區的檔案快速和安全的重整，幫你節省更多時間，
支援FAT16和FAT32格式及中文長檔名，速度特快！真不知道M$的那個是怎麼寫的！
下載地址:ftp://member.myrice.com/czy/dl3/V99v431.exe
難度：中級?
===========================================================================
執行程式，輸入Name:sUpErbOss Location:Super Personal key:1234567890ABCDEFGHIJ
按Ctrl-N切換到TRW2000下，設段BPX HMEMCPY，點選“OK”按鈕，被攔下,打"BD *"。
按幾次F12鍵，回到Vopt99模組下，再一直按F10鍵，直到下面所指的重點處：

:00456F63 8BF8 mov edi, eax
:00456F65 FF91A0000000 call dword ptr [ecx+000000A0]
:00456F6B 3BC3 cmp eax, ebx <----我們首先在此登陸！
:00456F6D 7D12 jge 00456F81
:00456F6F 68A0000000 push 000000A0
:00456F74 68A4244100 push 004124A4
.
.
.
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
|
:004570B0 FF15C4D44500 Call dword ptr [0045D4C4]
:004570B6 8D4DE4 lea ecx, dword ptr [ebp-1C]
:004570B9 51 push ecx
:004570BA E87124FDFF call 00429530 <-----重點哦！！(按F8鍵吧！^_^)
:004570BF 8D55E4 lea edx, dword ptr [ebp-1C]
:004570C2 8D45E8 lea eax, dword ptr [ebp-18]

進去後，很快來到下面所指的地方，現在該明白了，註冊碼為什麼要輸20個字元吧？！
還有啦！呆會兒，程式會把輸入的字元打亂，未免產生混亂，所以要按一定的順序輸入註冊碼！
這是破解軟體的好習慣！

* Reference To: MSVBVM50.__vbaLenBstr, Ord:0000h
|
:004295ED 8B3DC4D24500 mov edi, dword ptr [0045D2C4]
:004295F3 FFD7 call edi
:004295F5 33DB xor ebx, ebx
:004295F7 83F814 cmp eax, 00000014 <-----註冊碼長度要為20個字元
:004295FA 0F94C3 sete bl
:004295FD A148964500 mov eax, dword ptr [00459648]
:00429602 50 push eax
:00429603 FFD7 call edi
:00429605 33C9 xor ecx, ecx
:00429607 83F805 cmp eax, 00000005 <-----Location的長度不能小於5個字元
:0042960A 0F9DC1 setnl cl
:0042960D 85D9 test ecx, ebx
:0042960F 0F8599000000 jne 004296AE
.
.
.
:00429BCC 50 push eax <-----"IGJFH"
:00429BCD 8B55A0 mov edx, dword ptr [ebp-60]
:00429BD0 52 push edx <-----"CEPUB"

* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:00429BD1 FF1590D34500 Call dword ptr [0045D390] <---註冊碼的第一個比對處！
:00429BD7 8BD8 mov ebx, eax
:00429BD9 F7DB neg ebx
:00429BDB 1BDB sbb ebx, ebx
:00429BDD 43 inc ebx
:00429BDE F7DB neg ebx

看到上面的比對後，二話不說，先在00429BD1處設段（什麼鍵？！當然是F9鍵啦)，再改註冊碼:"1234567890ABCDEUEBCP"
再往下走，就到了程式的迷魂陣了，在主程式中什麼也找不到！
其實，Vopt99還藉助了第三方的註冊碼校驗器，它就是ShareLock，其主檔案shrlk21.dll位於系統目錄下。
用WDasm反彙編後，會找到如下的輸出函式，這就是我們的突破點，Let's Go!!
按Ctrl-N切換到TRW2000下,打"pdll32 shrlk21.dll",按F5鍵回到系統，將Vopt99關閉。
被攔下後，記一下當前指令的地址(即shrlk21.dll入口處的地址),將它與Wdasm中shrlk21.dll的入口地址比較一下，如：
指令的地址為00F88E50，而Wdasm中顯示的為00448E50，那麼下面可這樣打"BPX 00F87548"。
重新輸入註冊碼："1234567890ABCDEUEBCP"，點選“OK”按鈕，被攔下,打"BD *"。
接著，一直按F10鍵往下走，到了核心Call_1處，按F8鍵進入:

Exported fn(): InputUnlockCode - Ord:000Ch
:00447548 55 push ebp
:00447549 8BEC mov ebp, esp
:0044754B 6A00 push 00000000
:0044754D 6A00 push 00000000
:0044754F 6A00 push 00000000
:00447551 33C0 xor eax, eax
:00447553 55 push ebp
:00447554 68AD754400 push 004475AD
:00447559 64FF30 push dword ptr fs:[eax]
:0044755C 648920 mov dword ptr fs:[eax], esp
:0044755F 8D45FC lea eax, dword ptr [ebp-04]
:00447562 8B5510 mov edx, dword ptr [ebp+10]
:00447565 E8C6C4FBFF call 00403A30
:0044756A 8B45FC mov eax, dword ptr [ebp-04]
:0044756D 50 push eax
:0044756E 8D45F8 lea eax, dword ptr [ebp-08]
:00447571 8B550C mov edx, dword ptr [ebp+0C]
:00447574 E8B7C4FBFF call 00403A30
:00447579 8B45F8 mov eax, dword ptr [ebp-08]
:0044757C 50 push eax
:0044757D 8D45F4 lea eax, dword ptr [ebp-0C]
:00447580 8B5508 mov edx, dword ptr [ebp+08]
:00447583 E8A8C4FBFF call 00403A30
:00447588 8B45F4 mov eax, dword ptr [ebp-0C]
:0044758B 5A pop edx
:0044758C 59 pop ecx
:0044758D E8F2D5FFFF call 00444B84 <----核心Call_1！(別忘了按F8鍵哦!)
:00447592 33C0 xor eax, eax

進入核心Call_1後，再一直按F10鍵往下走，直到核心Call_2處，按F8鍵進入:

:00444B84 55 push ebp
:00444B85 8BEC mov ebp, esp
:00444B87 83C4E8 add esp, FFFFFFE8
:00444B8A 53 push ebx
:00444B8B 33DB xor ebx, ebx
:00444B8D 895DE8 mov dword ptr [ebp-18], ebx
:00444B90 894DF4 mov dword ptr [ebp-0C], ecx
:00444B93 8955F8 mov dword ptr [ebp-08], edx
:00444B96 8945FC mov dword ptr [ebp-04], eax
:00444B99 8B45FC mov eax, dword ptr [ebp-04]
:00444B9C E80BF1FBFF call 00403CAC
:00444BA1 8B45F8 mov eax, dword ptr [ebp-08]
:00444BA4 E803F1FBFF call 00403CAC
:00444BA9 8B45F4 mov eax, dword ptr [ebp-0C]
:00444BAC E8FBF0FBFF call 00403CAC
:00444BB1 33C0 xor eax, eax
:00444BB3 55 push ebp
:00444BB4 68524D4400 push 00444D52
:00444BB9 64FF30 push dword ptr fs:[eax]
:00444BBC 648920 mov dword ptr fs:[eax], esp
:00444BBF C645F300 mov [ebp-0D], 00
:00444BC3 C645F300 mov [ebp-0D], 00
:00444BC7 33C0 xor eax, eax
:00444BC9 8945EC mov dword ptr [ebp-14], eax
:00444BCC 803D8DA8440000 cmp byte ptr [0044A88D], 00
:00444BD3 741D je 00444BF2
:00444BD5 8D45EC lea eax, dword ptr [ebp-14]
:00444BD8 50 push eax
:00444BD9 8D45E8 lea eax, dword ptr [ebp-18]
:00444BDC 50 push eax

* Reference To: ShrLk21.GetDriveNumber
|
:00444BDD E84E300000 call 00447C30
:00444BE2 8B55E8 mov edx, dword ptr [ebp-18]
:00444BE5 8D4DF3 lea ecx, dword ptr [ebp-0D]
:00444BE8 8B45FC mov eax, dword ptr [ebp-04]
:00444BEB E8AC010000 call 00444D9C
:00444BF0 EB1D jmp 00444C0F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444BD3(C)
|
:00444BF2 8D45EC lea eax, dword ptr [ebp-14]
:00444BF5 50 push eax
:00444BF6 8D55E8 lea edx, dword ptr [ebp-18]
:00444BF9 8B45F8 mov eax, dword ptr [ebp-08]
:00444BFC E85B2AFCFF call 0040765C
:00444C01 8B55E8 mov edx, dword ptr [ebp-18]
:00444C04 8D4DF3 lea ecx, dword ptr [ebp-0D]
:00444C07 8B45FC mov eax, dword ptr [ebp-04]
:00444C0A E88D010000 call 00444D9C <----核心Call_2! (別忘了按F8鍵哦!)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444BF0(U)
|
:00444C0F 8A45F3 mov al, byte ptr [ebp-0D]

進了核心Call_2，就到站啦！往下看吧！

:00444D9C 55 push ebp
:00444D9D 8BEC mov ebp, esp
:00444D9F 83C4E4 add esp, FFFFFFE4
:00444DA2 53 push ebx
:00444DA3 33DB xor ebx, ebx
:00444DA5 895DE8 mov dword ptr [ebp-18], ebx
.
.
.
:00444E59 8AC3 mov al, bl
:00444E5B 83E841 sub eax, 00000041 <---eax必須為41，即字母"A"
:00444E5E 6BC01A imul eax, 0000001A
:00444E61 33D2 xor edx, edx
:00444E63 8A55EF mov dl, byte ptr [ebp-11] <---dl必須也為41，即字母"A"
:00444E66 83EA41 sub edx, 00000041
:00444E69 03C2 add eax, edx
:00444E6B 8B5508 mov edx, dword ptr [ebp+08]
:00444E6E 8902 mov dword ptr [edx], eax <---eax必須為0，下面會比對！
:00444E70 33DB xor ebx, ebx
.
.
:00444EAF 8BD3 mov edx, ebx
:00444EB1 E8BA070000 call 00445670
:00444EB6 8B55E8 mov edx, dword ptr [ebp-18] <------"1C41A5EAD6F2"
:00444EB9 8B45FC mov eax, dword ptr [ebp-04] <------"54B7DE038296"
:00444EBC E847EDFBFF call 00403C08 <----比對註冊碼！(光帶移到此處，按F9鍵設段)
:00444EC1 7506 jne 00444EC9
:00444EC3 8B45F4 mov eax, dword ptr [ebp-0C]
:00444EC6 C60001 mov byte ptr [eax], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444EC1(C)
|
:00444EC9 8B4508 mov eax, dword ptr [ebp+08]
:00444ECC 833800 cmp dword ptr [eax], 00000000 <----[eax]的值必須為0
:00444ECF 750C jne 00444EDD
:00444ED1 807DEE43 cmp byte ptr [ebp-12], 43 <------[ebp-12]的值必須為"C"
:00444ED5 7406 je 00444EDD
:00444ED7 8B45F4 mov eax, dword ptr [ebp-0C]
:00444EDA C60000 mov byte ptr [eax], 00

注意哦！Vopt99在核心Call_2中設定了一個小小的陷阱,第一次打"D EDX"，看到的註冊碼是假的。如果你用假的註冊碼
註冊，程式也會顯示註冊成功，但在About對話方塊中，會顯示授權給非法的版本。再次啟動Vopt99，根本就不能執行了！
所以，第一次到這時，設定一個斷點，按F5鍵再次攔下，這時打"D EDX",看到的註冊碼才是真的。
下面排一下注冊碼：
1 2 3 4 5 6 7 8 9 0 A B C D E U E B C P
| | | | | | | | | | | | | | |
| 6 A C 1 2 1 D F E | 4 | A 5
C A A
很明顯，註冊碼為"C6AC121DFEA4AA5UEBCP",重新輸入，成功啦！
不過，此註冊碼並不能流通，也就是說，不同的機器，註冊碼是不一樣的！可能還有安裝時間或機器硬體資訊也參與了註冊碼
的運算,看來只能用算號器，來得到註冊碼了！:（

Vopt99 v4.31的註冊碼破解 (11千字)

相關文章