Teleport Pro 1.28: a cracking walkthrough
Cracker: RATARICE
Tools: W32DSM89, TRW1.22, ULTRAEDIT-32
1. Run Teleport Pro (hereafter tp) and click Help --> Register...
your: RATARICE
company: peNcil grOup
sn: 87654321 (all made up)
Click OK! Note the message "we're sorry!"
2. Run W32DSM89 and find the string above! The excerpted code is below!
:0040E3D5 E8F6D60000              call 0041BAD0
:0040E3DA 83C404                  add esp, 00000004
:0040E3DD 3BC5                    cmp eax, ebp
:0040E3DF 0F85B2000000            jne 0040E497
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^------------------>909090909090
:0040E3E5 6AFF                    push FFFFFFFF
:0040E3E7 53                      push ebx

* Possible Reference to String Resource ID=03022: "Thank you! Your copy of Teleport Pro is now registered. Al"
                                  |
:0040E3E8 68CE0B0000              push 00000BCE
:0040E3ED E87C190500              call 0045FD6E
:0040E3F2 A18CA24800              mov eax, dword ptr [0048A28C]
:0040E3F7 8898A4020000            mov byte ptr [eax+000002A4], bl
:0040E3FD A18CA24800              mov eax, dword ptr [0048A28C]
:0040E402 8898A5020000            mov byte ptr [eax+000002A5], bl
:0040E408 391DC4114900            cmp dword ptr [004911C4], ebx
:0040E40E 740B                    je 0040E41B
:0040E410 A1C4114900              mov eax, dword ptr [004911C4]
:0040E415 8898520F0000            mov byte ptr [eax+00000F52], bl
.
.
.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E3DF(C)
 ^^^^^^^^
|
:0040E497 8B07                    mov eax, dword ptr [edi]
:0040E499 8378F800                cmp dword ptr [eax-08], 00000000
:0040E49D 7513                    jne 0040E4B2
:0040E49F 6A00                    push 00000000
:0040E4A1 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"You must enter your username in "
                                        ->"the Name field, exactly as you "
                                        ->"spelled it when you registered, "
                                        ->"in order for the registration "
                                        ->"code to work."
                                  |
:0040E4A3 688CB04800              push 0048B08C
:0040E4A8 E8A2180500              call 0045FD4F
:0040E4AD 5D                      pop ebp
:0040E4AE 5F                      pop edi
:0040E4AF 5E                      pop esi
:0040E4B0 5B                      pop ebx
:0040E4B1 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E49D(C)
 ^^^^^^^^
|
:0040E4B2 50                      push eax
:0040E4B3 E818D60000              call 0041BAD0
:0040E4B8 83C404                  add esp, 00000004
:0040E4BB 85C0                    test eax, eax
:0040E4BD 7513                    jne 0040E4D2
:0040E4BF 6A00                    push 00000000
:0040E4C1 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"You haven't entered a valid username. "
                                        ->" Your username must be at least "
                                        ->"six letters long."
                                  |
:0040E4C3 6834B04800              push 0048B034
:0040E4C8 E882180500              call 0045FD4F
:0040E4CD 5D                      pop ebp
:0040E4CE 5F                      pop edi
:0040E4CF 5E                      pop esi
:0040E4D0 5B                      pop ebx
:0040E4D1 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E4BD(C)
 ^^^^^^^^
|
:0040E4D2 6AFF                    push FFFFFFFF
:0040E4D4 6A00                    push 00000000

* Possible Reference to String Resource ID=03023: "We're sorry! The registration number you entered appears to"
                                  |
:0040E4D6 68CF0B0000              push 00000BCF
:0040E4DB E88E180500              call 0045FD6E
After patching the bytes with ULTRAEDIT and running it, it says "thank you...", but the next time it starts it still asks for registration!
Since my skills are limited, I couldn't find the flag that records the registration! Wanting to register it for my own use, I brought out TRW2000!
3. Run TRW2000, then run TELEPORT and fill in the registration fields.
ctrl+N, bpx hmemcpy, ctrl+N
Click OK; TRW pops up. Enter bd *, then pmodule, and press F12 three times (four times gives an error).
Press F10 and set a breakpoint with F9! The code is as follows:
015F:0040E397 FLD TWORD [EDX+01]
015F:0040E39A CALL 0045944B
015F:0040E39F PUSH BYTE +0A
015F:0040E3A1 MOV EAX,[ESI+DD]
015F:0040E3A7 PUSH EBX
015F:0040E3A8 PUSH EAX
015F:0040E3A9 CALL 00442800
015F:0040E3AE ADD ESP,BYTE +0C
015F:0040E3B1 MOV EBP,EAX
015F:0040E3B3 MOV EAX,[0048A28C]
015F:0040E3B8 CMP [EAX+02A4],BL
015F:0040E3BE JZ NEAR 0040E48B
015F:0040E3C4 TEST EBP,EBP
015F:0040E3C6 JZ NEAR 0040E48B
015F:0040E3CC LEA EDI,[ESI+D5]
015F:0040E3D2 MOV EAX,[EDI]
015F:0040E3D4 PUSH EAX
015F:0040E3D5 CALL 0041BAD0
015F:0040E3DA ADD ESP,BYTE +04
015F:0040E3DD CMP EAX,EBP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ enter ? eax to see the real registration code
enter ? ebp to see the fake registration code (the one typed in)
015F:0040E3DF JNZ NEAR 0040E497
015F:0040E3E5 PUSH BYTE -01
4. Summary
1. Patch method: change 0F85B2000000 ----------> 909090909090 (but registration is still required at every startup)
2. Registration code:
Mine is: your: RATARICE
company: peNcil grOup
registration: 1156637346
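As an added illustration (not code from the original writeup or from Teleport Pro), the C below shows why the check at 0040E3DD is so easy to defeat: the program computes the true serial into EAX and compares it with the typed value in EBP, so a breakpoint on the compare reads the serial out and one NOPed jump skips the check. Next to it is a digest-based verifier in which the compare never holds the serial itself; derive_serial and the FNV-1a digest are constructed stand-ins (not the routine at 0041BAD0, not a cryptographic hash), and all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the routine at 0041BAD0, which turns the
 * user name into the number the program expects. Hypothetical; it is
 * NOT Teleport Pro's algorithm. */
static uint32_t derive_serial(const char *name)
{
    uint32_t h = 2166136261u;                 /* FNV-1a, 32-bit */
    for (; *name; name++) h = (h ^ (uint8_t)*name) * 16777619u;
    return h;
}

/* Pattern seen in the disassembly: the true serial is computed into a
 * register (EAX) and compared with the typed one (EBP). A breakpoint on
 * the compare reads it out; NOPing the jne skips the check entirely. */
int weak_check(const char *name, uint32_t entered)
{
    uint32_t real = derive_serial(name);      /* secret sits in memory */
    return real == entered;                   /* single patchable branch */
}

/* Digest-based check: the client receives only a one-way digest of the
 * expected serial (e.g. in the license file), so neither the compare nor
 * any register ever holds the serial itself. The digest is a constructed
 * 64-bit FNV-1a stand-in; a product would use a keyed MAC or a public-key
 * signature so the expected value cannot be recomputed from the client. */
static uint64_t fnv1a64(const uint8_t *b, size_t n)
{
    uint64_t h = 1469598103934665603ull;
    for (size_t i = 0; i < n; i++) h = (h ^ b[i]) * 1099511628211ull;
    return h;
}

uint64_t serial_digest(const char *name, uint32_t serial)
{
    uint8_t buf[64 + sizeof serial];
    size_t n = strlen(name);
    if (n > 64) n = 64;
    memcpy(buf, name, n);
    memcpy(buf + n, &serial, sizeof serial);  /* bind the code to the name */
    return fnv1a64(buf, n + sizeof serial);
}

int digest_check(const char *name, uint32_t entered, uint64_t stored)
{
    /* XOR-and-test instead of an early-exit byte compare: constant time */
    return (serial_digest(name, entered) ^ stored) == 0;
}
```

The digest variant only keeps the serial out of memory; its single branch is just as patchable as the original jne, which is why the real mitigation is a signed license whose verification cannot be recomputed on the client, plus re-checking at more than one point.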