破解心得之CDRWin 4.0A BETA篇 (18千字)
破解心得之CDRWin 4.0A BETA篇
作者:時空幻影
時間:2001年4月20日
破解工具:W32DASM v8.93白金版漢化版、TRW2000 v1.23註冊版
軟體名稱:CDRWin
釋出公司:Golden Hawk Technology
最新版本:4.0A Beta
作業系統:Win9x/ME/NT4/2000
軟體簡介:CDRWin 是一套強力的特點極多的燒錄軟體,它可以:支援 AUDIO、CDROM (Mode1)、CDROM-XA (Mode2)、CD-I、混合型、多重扇區碟片;獨有的
CUE SHEET 語言可以 100% 定製碟片的佈局,避免其他燒錄軟體在不同 track 之間產生間隔的現象;強大的備份功能可以防止碟片上原有資料的損失;符合
ISO9660 磁碟控制標準;可以製作光碟啟動盤;支援 Karaoke CD G 碟片(需要Sony CDW-900E, Panasonic 或 Yamaha
燒錄機);僅有的支援 Philips/Kodak/HP 家族燒錄機 Disc-at-once 技術的軟體;支援碟片的 UPC 碼和 track 的
ISRC 碼;支援“Kodak Disc Transporter”高速碟片複製技術。
由於該軟體沒有加殼,所以破解相對容易一些!!!呵呵,希望大家指出不足之處!!!
1.執行CDRWin 4.0A BETA,點選unlock圖示,填入
name:shikonghuanying
company:Changsha
Unlock Key:12345-67890-09876-54321
Check Key:ABCDE-BCDEF-FEDCB-EDCBA(為什麼要用 A~F 這些字母?因為程式是用 "%lx-%lx-%lx-%lx" 去解析 Key 的,四段都必須是合法的十六進位數,否則在 0041DFF6 的格式檢查就會失敗,根本走不到後面比較的程式碼;詳見後面 0041DFF0 附近的說明)
2.執行TRW2000,按ctrl+N啟用它,用BPX HMEMCPY設定斷點,再按F5繼續.(註:HMEMCPY 是 Win9x/ME 的 16 位核心函數,在 NT4/2000 下並不存在,這時需改下 GetDlgItemTextA/GetWindowTextA 之類的斷點才攔得到。)
3.點選Unlock,會被TRW2000攔下,輸入BD *使斷點暫時失效,再輸入PMODULE跳入程式領空。
4.再按幾下F10,會到以下所指的地方:
* Possible Reference to String Resource ID=00255: "Invalid disc count specified."
|
<-- NOTE: the listing starts a few bytes into the function: ebp is used as a frame pointer below but is never set up here,
<--       so the real entry (push ebp / mov ebp,esp) lies just before 0041DF43.
:0041DF43 6AFF                    push FFFFFFFF
:0041DF45 68D0664700              push 004766D0
:0041DF4A 64A100000000            mov eax, dword ptr fs:[00000000]    <-- link a new fs:[0] exception frame
:0041DF50 50                      push eax
:0041DF51 64892500000000          mov dword ptr fs:[00000000], esp
:0041DF58 83EC38                  sub esp, 00000038
:0041DF5B A1F0A04A00              mov eax, dword ptr [004AA0F0]
:0041DF60 53                      push ebx
:0041DF61 56                      push esi
:0041DF62 57                      push edi
:0041DF63 8965F0                  mov dword ptr [ebp-10], esp
:0041DF66 8BF1                    mov esi, ecx                        <-- esi = this (dialog object passed in ecx)
:0041DF68 8945E0                  mov dword ptr [ebp-20], eax
:0041DF6B C745FC00000000          mov [ebp-04], 00000000              <-- [ebp-04] looks like the unwind-state slot of the exception frame above -- TODO confirm
:0041DF72 8945E4                  mov dword ptr [ebp-1C], eax
:0041DF75 8945E8                  mov dword ptr [ebp-18], eax
:0041DF78 8945EC                  mov dword ptr [ebp-14], eax
<-- Four calls to 0046A2AC, each given a member at [esi+68/6C/70/74] and an out-slot [ebp-20/-1C/-18/-14].
<-- Presumably these read the text of the four edit controls; the later data flow fixes the order:
<-- [ebp-20] and [ebp-1C] are passed to 00424360 as name/company, [ebp-18] is parsed as the Unlock Key, [ebp-14] as the Check Key.
:0041DF7B 8B4E68                  mov ecx, dword ptr [esi+68]
:0041DF7E 8D45E0                  lea eax, dword ptr [ebp-20]
:0041DF81 BB03000000              mov ebx, 00000003
:0041DF86 50                      push eax
:0041DF87 885DFC                  mov byte ptr [ebp-04], bl
:0041DF8A E81DC30400              call 0046A2AC                       <-- [ebp-20] = name (presumed)
:0041DF8F 8D4DE4                  lea ecx, dword ptr [ebp-1C]
:0041DF92 51                      push ecx
<-- stepping with F10 from the HMEMCPY break lands here; keep pressing F10
:0041DF93 8B4E6C                  mov ecx, dword ptr [esi+6C]
:0041DF96 E811C30400              call 0046A2AC                       <-- [ebp-1C] = company (presumed)
:0041DF9B 8B4E70                  mov ecx, dword ptr [esi+70]
:0041DF9E 8D55E8                  lea edx, dword ptr [ebp-18]
:0041DFA1 52                      push edx
:0041DFA2 E805C30400              call 0046A2AC                       <-- [ebp-18] = Unlock Key text
:0041DFA7 8B4E74                  mov ecx, dword ptr [esi+74]
:0041DFAA 8D45EC                  lea eax, dword ptr [ebp-14]
:0041DFAD 50                      push eax
:0041DFAE E8F9C20400              call 0046A2AC                       <-- [ebp-14] = Check Key text
<-- Parse the Unlock Key: sscanf-style call 004565FD(str=[ebp-18], "%lx-%lx-%lx-%lx", &[ebp-38], &[ebp-3C], &[ebp-40], &[ebp-44]).
<-- Field 1 (u1) lands in [ebp-38] ... field 4 (u4) in [ebp-44]; note the pointers are pushed right-to-left.
:0041DFB3 8D4DBC                  lea ecx, dword ptr [ebp-44]
:0041DFB6 8D55C0                  lea edx, dword ptr [ebp-40]
:0041DFB9 51                      push ecx
:0041DFBA 8D45C4                  lea eax, dword ptr [ebp-3C]
:0041DFBD 52                      push edx
:0041DFBE 8B55E8                  mov edx, dword ptr [ebp-18]
:0041DFC1 8D4DC8                  lea ecx, dword ptr [ebp-38]
:0041DFC4 50                      push eax
:0041DFC5 51                      push ecx
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx"            <-- format of the Unlock Key: four hex fields (up to 32 bits each) separated by '-'
|
:0041DFC6 68FC214A00              push 004A21FC
:0041DFCB 52                      push edx
:0041DFCC E82C860300              call 004565FD                       <-- checks the format and converts the four fields from hex text to DWORDs
:0041DFD1 83C418                  add esp, 00000018
:0041DFD4 83F804                  cmp eax, 00000004                   <-- all four fields must have been parsed
:0041DFD7 0F8597000000            jne 0041E074                        <-- otherwise bail out (0041E074 is not shown in this listing)
<-- Same for the Check Key: fields c1..c4 land in [ebp-28], [ebp-2C], [ebp-30], [ebp-34].
<-- This is why the sample Check Key must consist of hex digits only: anything else fails here before any comparison runs.
:0041DFDD 8D45CC                  lea eax, dword ptr [ebp-34]
:0041DFE0 8D4DD0                  lea ecx, dword ptr [ebp-30]
:0041DFE3 50                      push eax
:0041DFE4 8D55D4                  lea edx, dword ptr [ebp-2C]
:0041DFE7 51                      push ecx
:0041DFE8 8B4DEC                  mov ecx, dword ptr [ebp-14]
:0041DFEB 8D45D8                  lea eax, dword ptr [ebp-28]
:0041DFEE 52                      push edx
:0041DFEF 50                      push eax
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx"            <-- format of the Check Key (identical to the Unlock Key)
|
:0041DFF0 68FC214A00              push 004A21FC
:0041DFF5 51                      push ecx
:0041DFF6 E802860300              call 004565FD                       <-- checks the format and converts the four fields from hex text to DWORDs
:0041DFFB 83C418                  add esp, 00000018
:0041DFFE 83F804                  cmp eax, 00000004
:0041E001 7571                    jne 0041E074
<-- Call the validator: 00424360(name=[ebp-20], company=[ebp-1C], &u4, &c4).
<-- The key arrays are passed by the address of their LAST parsed field, so inside 00424360
<-- [esi]=u4, [esi+4]=u3, [esi+8]=u2, [esi+0C]=u1 and likewise [ecx]=c4 ... [ecx+0C]=c1.
:0041E003 8B4DE4                  mov ecx, dword ptr [ebp-1C]
:0041E006 8845FC                  mov byte ptr [ebp-04], al           <-- al == 4 here; unwind-state bookkeeping (presumed)
:0041E009 8D55CC                  lea edx, dword ptr [ebp-34]         <-- &c4
:0041E00C 8D45BC                  lea eax, dword ptr [ebp-44]         <-- &u4
:0041E00F 52                      push edx
:0041E010 8B55E0                  mov edx, dword ptr [ebp-20]
:0041E013 50                      push eax
:0041E014 51                      push ecx
:0041E015 52                      push edx
:0041E016 E845630000              call 00424360                       <-- press F8 to step into the key validator
:0041E01B 83C410                  add esp, 00000010
:0041E01E 895DFC                  mov dword ptr [ebp-04], ebx
<-- listing truncated here by the author; the rest of the handler is not shown.
下面為Unlock Key和Check Key比較的部分,假設Key的各部分為:
Unlock Key: 12345-67890-09876-54321  →  u1-u2-u3-u4
Check  Key: ABCDE-BCDEF-FEDCB-EDCBA  →  c1-c2-c3-c4
注意:sscanf 類函數(004565FD)依序把四段寫入 [ebp-38]/[ebp-3C]/[ebp-40]/[ebp-44](Unlock Key)和 [ebp-28]/[ebp-2C]/[ebp-30]/[ebp-34](Check Key),而呼叫 00424360 時傳入的是陣列尾端的位址(lea eax,[ebp-44] 與 lea edx,[ebp-34]),所以在該函數中 [esi]=u4、[esi+4]=u3、[esi+8]=u2、[esi+0C]=u1,[ecx]=c4、[ecx+4]=c3、[ecx+8]=c2、[ecx+0C]=c1,與下面的註解一致。
* Referenced by a CALL at Address:
|:0041E016
|
<-- sub_00424360(name, company, unlock_key[4], check_key[4]):
<--   1) Check Key must equal pairwise XORs of the Unlock Key fields,
<--   2) u4 must match the name/company hash (sub_004248B0),
<--   3) (u4>>16) ^ (u3&0xFFFF) must lie in [0x4AD, 0x4CB].
<-- Array layout (from the caller): [esi]=u4, [esi+4]=u3, [esi+8]=u2, [esi+0C]=u1; [ecx]=c4 ... [ecx+0C]=c1.
:00424360 8B4C2410                mov ecx, dword ptr [esp+10]         <-- ecx = arg4 = &check_key
:00424364 53                      push ebx
:00424365 55                      push ebp
:00424366 56                      push esi
:00424367 8B742418                mov esi, dword ptr [esp+18]         <-- esi = arg3 = &unlock_key
:0042436B 8B19                    mov ebx, dword ptr [ecx]            <-- ebx = c4
:0042436D 57                      push edi
:0042436E 8B3E                    mov edi, dword ptr [esi]            <-- edi = u4
:00424370 8B4604                  mov eax, dword ptr [esi+04]         <-- eax = u3
:00424373 8BD7                    mov edx, edi
:00424375 33D0                    xor edx, eax                        <-- edx = u4 ^ u3
:00424377 3BDA                    cmp ebx, edx                        <-- require c4 == u4 ^ u3
:00424379 7525                    jne 004243A0                        <-- this jne and the next two must NOT be taken
:0042437B 8B5608                  mov edx, dword ptr [esi+08]         <-- edx = u2
:0042437E 8BDA                    mov ebx, edx
:00424380 33D8                    xor ebx, eax                        <-- ebx = u2 ^ u3
:00424382 8B4104                  mov eax, dword ptr [ecx+04]         <-- eax = c3
:00424385 3BC3                    cmp eax, ebx                        <-- require c3 == u3 ^ u2
:00424387 7517                    jne 004243A0
:00424389 8B460C                  mov eax, dword ptr [esi+0C]         <-- eax = u1
:0042438C 8BD8                    mov ebx, eax
:0042438E 33DA                    xor ebx, edx                        <-- ebx = u1 ^ u2
:00424390 8B5108                  mov edx, dword ptr [ecx+08]         <-- edx = c2
:00424393 3BD3                    cmp edx, ebx                        <-- require c2 == u2 ^ u1
:00424395 7509                    jne 004243A0
:00424397 8B510C                  mov edx, dword ptr [ecx+0C]         <-- edx = c1
:0042439A 33C7                    xor eax, edi                        <-- eax = u1 ^ u4
:0042439C 3BD0                    cmp edx, eax                        <-- require c1 == u1 ^ u4
:0042439E 7413                    je 004243B3                         <-- this one MUST be taken
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00424379(C), :00424387(C), :00424395(C)
|
<-- Failure path for the XOR checks. NOTE: there is no jump after the call, so this block falls straight
<-- into 004243B3 and the remaining checks still run. Either 00427AA0 does not return normally or the
<-- final verdict is decided past 00424424; the listing is truncated so this cannot be settled here.
:004243A0 6A00                    push 00000000
:004243A2 6A00                    push 00000000
:004243A4 6A00                    push 00000000
:004243A6 6838FFFFFF              push FFFFFF38                       <-- message id (one of four distinct ids used below) -- presumed
:004243AB E8F0360000              call 00427AA0                       <-- shows the "registration failed" dialog (per the author's trace)
:004243B0 83C410                  add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042439E(C)
|
:004243B3 8B6C2418                mov ebp, dword ptr [esp+18]         <-- ebp = arg2 = company
:004243B7 8B7C2414                mov edi, dword ptr [esp+14]         <-- edi = arg1 = name
:004243BB 56                      push esi                            <-- &unlock_key
:004243BC 55                      push ebp
:004243BD 57                      push edi
:004243BE E8ED040000              call 004248B0                       <-- sub_004248B0(name, company, &unlock_key): 1 if u4 matches the name/company hash; press F8 to step in
:004243C3 83C40C                  add esp, 0000000C
:004243C6 85C0                    test eax, eax
:004243C8 7510                    jne 004243DA                        <-- must be taken
:004243CA 50                      push eax
:004243CB 50                      push eax
:004243CC 50                      push eax
:004243CD 6837FFFFFF              push FFFFFF37
:004243D2 E8C9360000              call 00427AA0                       <-- "registration failed" dialog; again falls through afterwards
:004243D7 83C410                  add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004243C8(C)
|
:004243DA 8B1E                    mov ebx, dword ptr [esi]            <-- ebx = u4
:004243DC C1EB10                  shr ebx, 10                         <-- ebx = u4 >> 16
:004243DF 66335E04                xor bx, word ptr [esi+04]           <-- bx ^= low 16 bits of u3
:004243E3 81E3FFFF0000            and ebx, 0000FFFF                   <-- ebx = ((u4 >> 16) ^ (u3 & 0xFFFF)) & 0xFFFF
:004243E9 8D43F1                  lea eax, dword ptr [ebx-0F]
:004243EC 3DBC040000              cmp eax, 000004BC
:004243F1 7E13                    jle 00424406                        <-- require ebx - 0x0F <= 0x4BC (signed), i.e. ebx <= 0x4CB; must be taken
:004243F3 6A00                    push 00000000
:004243F5 6A00                    push 00000000
:004243F7 6A00                    push 00000000
:004243F9 6834FFFFFF              push FFFFFF34
:004243FE E89D360000              call 00427AA0                       <-- "registration failed" dialog
:00424403 83C410                  add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004243F1(C)
|
:00424406 83C30F                  add ebx, 0000000F
:00424409 81FBBC040000            cmp ebx, 000004BC
:0042440F 7D13                    jge 00424424                        <-- require ebx + 0x0F >= 0x4BC, i.e. ebx >= 0x4AD; must be taken.
<--                                                                    Together: 0x4AD <= ((u4>>16) ^ (u3&0xFFFF)) <= 0x4CB  (the author's own key hits exactly 0x4BC)
:00424411 6A00                    push 00000000
:00424413 6A00                    push 00000000
:00424415 6A00                    push 00000000
:00424417 6835FFFFFF              push FFFFFF35
:0042441C E87F360000              call 00427AA0                       <-- "registration failed" dialog
:00424421 83C410                  add esp, 00000010
<-- listing truncated by the author here; the success path from 00424424 on (and the function's ret) is not shown.
在 004243BE 那個 call 004248B0 按F8進入後來到以下(注意:00427AA0 是彈出註冊失敗視窗的函數,不是這裡要進入的):
* Referenced by a CALL at Addresses:
|:004242D8 , :004243BE
|
<-- sub_004248B0(name, company, unlock_key[]): returns eax=1 when
<--   strlen(name) >= 6, strlen(company) >= 6, both halves of u4 are non-zero, and
<--   u4 == hash(name) ^ bswap(hash(company))   (hash = sub_00424940 with table selector 2).
:004248B0 8B44240C                mov eax, dword ptr [esp+0C]         <-- eax = arg3 = &unlock_key
:004248B4 8B542404                mov edx, dword ptr [esp+04]         <-- edx = arg1 = name
:004248B8 53                      push ebx
:004248B9 55                      push ebp
:004248BA 8B18                    mov ebx, dword ptr [eax]            <-- ebx = u4 (54321 in the author's sample key)
:004248BC 57                      push edi
:004248BD 8BFA                    mov edi, edx
:004248BF 83C9FF                  or ecx, FFFFFFFF
:004248C2 33C0                    xor eax, eax
:004248C4 F2                      repnz
:004248C5 AE                      scasb                               <-- inline strlen(name)
:004248C6 F7D1                    not ecx
:004248C8 49                      dec ecx                             <-- ecx = strlen(name)
:004248C9 83F906                  cmp ecx, 00000006
:004248CC 726B                    jb 00424939                         <-- fail unless strlen(name) >= 6 (00424939 is not in the listing; presumably the "return 0" epilogue)
:004248CE 8B6C2414                mov ebp, dword ptr [esp+14]         <-- ebp = arg2 = company
:004248D2 83C9FF                  or ecx, FFFFFFFF
:004248D5 8BFD                    mov edi, ebp
:004248D7 F2                      repnz
:004248D8 AE                      scasb                               <-- inline strlen(company)
:004248D9 F7D1                    not ecx
:004248DB 49                      dec ecx
:004248DC 83F906                  cmp ecx, 00000006
:004248DF 7258                    jb 00424939                         <-- fail unless strlen(company) >= 6
:004248E1 F7C3FFFF0000            test ebx, 0000FFFF
:004248E7 7450                    je 00424939                         <-- fail if the low 16 bits of u4 are zero
:004248E9 F7C30000FFFF            test ebx, FFFF0000
:004248EF 7448                    je 00424939                         <-- fail if the high 16 bits of u4 are zero
:004248F1 56                      push esi                            <-- save esi (callee-saved)
:004248F2 6A02                    push 00000002                       <-- table selector 2
:004248F4 52                      push edx
:004248F5 E846000000              call 00424940                       <-- eax = hash(name); press F8 to step in
:004248FA 6A02                    push 00000002
:004248FC 55                      push ebp
:004248FD 8BF0                    mov esi, eax                        <-- esi = hash(name)
:004248FF E83C000000              call 00424940                       <-- eax = hash(company); press F8 to step in
<-- 00424904..0042492B: byte-swap the company hash (b3 b2 b1 b0 -> b0 b1 b2 b3) into ecx, then XOR with hash(name)
:00424904 8BC8                    mov ecx, eax
:00424906 8BD0                    mov edx, eax
:00424908 81E10000FF00            and ecx, 00FF0000
:0042490E 83C410                  add esp, 00000010                   <-- pop the four call arguments
:00424911 C1EA10                  shr edx, 10
:00424914 0BCA                    or ecx, edx
:00424916 8BD0                    mov edx, eax
:00424918 81E200FF0000            and edx, 0000FF00
:0042491E C1E010                  shl eax, 10
:00424921 0BD0                    or edx, eax
:00424923 33C0                    xor eax, eax                        <-- eax = 0 so that sete al yields a clean 0/1 result
:00424925 C1E908                  shr ecx, 08
:00424928 C1E208                  shl edx, 08
:0042492B 0BCA                    or ecx, edx                         <-- ecx = bswap(hash(company))
:0042492D 33CE                    xor ecx, esi                        <-- ecx = hash(name) ^ bswap(hash(company))
:0042492F 5E                      pop esi
:00424930 3BCB                    cmp ecx, ebx                        <-- require u4 == hash(name) ^ bswap(hash(company))
:00424932 5F                      pop edi
:00424933 5D                      pop ebp
:00424934 5B                      pop ebx
:00424935 0F94C0                  sete al                             <-- eax = 1 on match, 0 otherwise
:00424938 C3                      ret
第一個call 00424940是把name進行計算,第二個call 00424940是把company進行計算(兩次都傳入選擇值 2,所以用的是 004A80A0 那張表)。然後把 company 的雜湊值做位元組反轉(bswap)再和 name 的雜湊值 XOR,結果必須等於 u4。
* Referenced by a CALL at Addresses:
|:004248F5 , :004248FF
|
<-- sub_00424940(string, selector): picks a 16-entry table by selector (1 -> 004A8060, 2 -> 004A80A0),
<-- then returns sub_00447850(table, string, strlen(string), 0). Any other selector returns 0.
:00424940 8B442408                mov eax, dword ptr [esp+08]         <-- eax = arg2 = table selector
:00424944 56                      push esi
:00424945 48                      dec eax
:00424946 740E                    je 00424956                         <-- selector 1
:00424948 48                      dec eax
:00424949 7404                    je 0042494F                         <-- selector 2: both callers pass 2, so this branch is the one taken
:0042494B 33C0                    xor eax, eax                        <-- unknown selector: return 0
:0042494D 5E                      pop esi
:0042494E C3                      ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424949(C)
|
:0042494F BEA0804A00              mov esi, 004A80A0                   <-- esi = table for selector 2 (presumably the 16-DWORD "password table" dumped later in this write-up)
:00424954 EB05                    jmp 0042495B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424946(C)
|
:00424956 BE60804A00              mov esi, 004A8060                   <-- esi = table for selector 1 (contents not shown here)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424954(U)
|
:0042495B 8B542408                mov edx, dword ptr [esp+08]         <-- edx = arg1 = string (esp has moved by the push esi)
:0042495F 57                      push edi
:00424960 8BFA                    mov edi, edx
:00424962 83C9FF                  or ecx, FFFFFFFF
:00424965 33C0                    xor eax, eax
:00424967 6A00                    push 00000000                       <-- arg4 of 00447850: initial accumulator = 0
:00424969 F2                      repnz
:0042496A AE                      scasb                               <-- inline strlen(string)
:0042496B F7D1                    not ecx
:0042496D 49                      dec ecx
:0042496E 51                      push ecx                            <-- arg3: length
:0042496F 52                      push edx                            <-- arg2: string
:00424970 56                      push esi                            <-- arg1: table
:00424971 E8DA2E0200              call 00447850                       <-- eax = hash(table, string, len, 0); press F8 to step in
:00424976 83C410                  add esp, 00000010
:00424979 5F                      pop edi
:0042497A 5E                      pop esi
:0042497B C3                      ret
進入後的這一段程式碼比較重要,對求出註冊碼的u4部分起關鍵作用。
* Referenced by a CALL at Addresses:
|:0042463C , :004247FE , :00424971 , :0042508B , :00447F8D
|
:00447850 8B442410                mov eax, dword ptr [esp+10]         <-- eax = arg4 = initial accumulator (the caller passes 0)
:00447854 8B542408                mov edx, dword ptr [esp+08]         <-- edx = arg2 = string
:00447858 57                      push edi
:00447859 8B7C2410                mov edi, dword ptr [esp+10]         <-- edi = arg3 = length
:0044785D 6685FF                  test di, di                         <-- only the low 16 bits of the length are tested
:00447860 743E                    je 004478A0
:00447862 53                      push ebx
:00447863 55                      push ebp
:00447864 56                      push esi
:00447865 8B742414                mov esi, dword ptr [esp+14]         <-- esi = arg1 = table
:00447869 81E7FFFF0000            and edi, 0000FFFF                   <-- length truncated to 16 bits (only len mod 65536 bytes are hashed)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044789B(C)
|
:0044786F 33C9                    xor ecx, ecx
:00447871 8BE8                    mov ebp, eax
:00447873 8A0A                    mov cl, byte ptr [edx]              <-- cl = next byte; edx points into the name or company string
:00447875 42                      inc edx
:00447876 8BD9                    mov ebx, ecx
:00447878 33D8                    xor ebx, eax
:0044787A 83E30F                  and ebx, 0000000F                   <-- index = (byte ^ acc) & 0xF
:0044787D C1ED04                  shr ebp, 04
:00447880 8B049E                  mov eax, dword ptr [esi+4*ebx]      <-- esi points at the 16-DWORD table
:00447883 33C5                    xor eax, ebp                        <-- acc = table[index] ^ (acc >> 4)
:00447885 C1E904                  shr ecx, 04                         <-- now the high nibble of the byte
:00447888 8BD8                    mov ebx, eax
:0044788A 83E10F                  and ecx, 0000000F
:0044788D 83E30F                  and ebx, 0000000F
:00447890 33CB                    xor ecx, ebx
:00447892 C1E804                  shr eax, 04
:00447895 8B0C8E                  mov ecx, dword ptr [esi+4*ecx]
:00447898 33C1                    xor eax, ecx                        <-- two table lookups per byte, 4 bits each (looks like a nibble-wise table-driven CRC -- confirm)
:0044789A 4F                      dec edi
:0044789B 75D2                    jne 0044786F
:0044789D 5E                      pop esi
:0044789E 5D                      pop ebp
:0044789F 5B                      pop ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00447860(C)
|
:004478A0 5F                      pop edi
:004478A1 C3                      ret                                 <-- result in eax
密碼錶(16 個 DWORD,應為選擇值 2 所用的 004A80A0 那張表):
0x00000000 0x1C3E887E 0x387D10FC 0x24439882
0x70FA21F8 0x6CC4A986 0x48873104 0x54B9B97A
0xE1F443F0 0xFDCACB8E 0xD989530C 0xC5B7DB72
0x910E6208 0x8D30EA76 0xA97372F4 0xB54DFA8A
整理一下整個演算法:u4 = hash(name) ^ bswap(hash(company));u3 的低 16 位須滿足 0x4AD <= ((u4>>16) ^ (u3&0xFFFF)) <= 0x4CB;u4 的高、低 16 位都不可為 0;在所列出的程式碼中沒有再對 u1、u2 作其他限制(00424424 之後的程式碼未列出);Check Key 則直接由 c4=u4^u3、c3=u3^u2、c2=u2^u1、c1=u1^u4 算出。用下面我的註冊碼可以驗證這些關係,例如 A9D27FF5^1810AD6E=B1C2D29B,(0xA9D2^0xAD6E)=0x04BC。
從防護的角度看,這種驗證完全在客戶端進行,只用到內嵌在程式裡的公開查表雜湊和 XOR,沒有任何密鑰,所以只要把演算法讀出來就一定能寫出註冊機;要避免這點,授權資料必須用非對稱簽章之類客戶端無法偽造的方式驗證。
到這裡,相信大家應該對其註冊演算法比較清楚了,自己寫一下注冊機,提高一下自己的程式設計能力。
我的註冊碼為:
name:時空幻影
company:湖南長沙
Unlock Key:3520A324-303B8C46-1810AD6E-A9D27FF5
Check Key:9CF2DCD1-051B2F62-282B2128-B1C2D29B