《teleport pro 1.28》破解實錄！！高手莫進！！ (5千字)

《teleport pro 1.28》破解實錄
破解人：RATARICE
工具：W32DSM89，TRW1.22，ULTRAEDIT-32

一、執行teleport pro（下簡稱tp），點help-->register...
your:RATARICE
company:peNcil grOup
sn:87654321 （都是瞎填的）
點OK!記下“we're sorry!”
二、執行W32DSM89，找到上面的話!摘抄的程式在下！
:0040E3D5 E8F6D60000 call 0041BAD0
:0040E3DA 83C404 add esp, 00000004
:0040E3DD 3BC5 cmp eax, ebp
:0040E3DF 0F85B2000000 jne 0040E497
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^------------------>909090909090
:0040E3E5 6AFF push FFFFFFFF
:0040E3E7 53 push ebx

* Possible Reference to String Resource ID=03022: "Thank you! Your copy of Teleport Pro is now registered. Al"
|
:0040E3E8 68CE0B0000 push 00000BCE
:0040E3ED E87C190500 call 0045FD6E
:0040E3F2 A18CA24800 mov eax, dword ptr [0048A28C]
:0040E3F7 8898A4020000 mov byte ptr [eax+000002A4], bl
:0040E3FD A18CA24800 mov eax, dword ptr [0048A28C]
:0040E402 8898A5020000 mov byte ptr [eax+000002A5], bl
:0040E408 391DC4114900 cmp dword ptr [004911C4], ebx
:0040E40E 740B je 0040E41B
:0040E410 A1C4114900 mov eax, dword ptr [004911C4]
:0040E415 8898520F0000 mov byte ptr [eax+00000F52], bl
.
.
.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E3DF(C)
^^^^^^^^
|
:0040E497 8B07 mov eax, dword ptr [edi]
:0040E499 8378F800 cmp dword ptr [eax-08], 00000000
:0040E49D 7513 jne 0040E4B2
:0040E49F 6A00 push 00000000
:0040E4A1 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"You must enter your username in "
->"the Name field, exactly as you "
->"spelled it when you registered, "
->"in order for the registration "
->"code to work."
|
:0040E4A3 688CB04800 push 0048B08C
:0040E4A8 E8A2180500 call 0045FD4F
:0040E4AD 5D pop ebp
:0040E4AE 5F pop edi
:0040E4AF 5E pop esi
:0040E4B0 5B pop ebx
:0040E4B1 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E49D(C)
^^^^^^^^
|
:0040E4B2 50 push eax
:0040E4B3 E818D60000 call 0041BAD0
:0040E4B8 83C404 add esp, 00000004
:0040E4BB 85C0 test eax, eax
:0040E4BD 7513 jne 0040E4D2
:0040E4BF 6A00 push 00000000
:0040E4C1 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"You haven't entered a valid username. "
->" Your username must be at least "
->"six letters long."
|
:0040E4C3 6834B04800 push 0048B034
:0040E4C8 E882180500 call 0045FD4F
:0040E4CD 5D pop ebp
:0040E4CE 5F pop edi
:0040E4CF 5E pop esi
:0040E4D0 5B pop ebx
:0040E4D1 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E4BD(C)
^^^^^^^^
|
:0040E4D2 6AFF push FFFFFFFF
:0040E4D4 6A00 push 00000000

* Possible Reference to String Resource ID=03023: "We're sorry! The registration number you entered appears to"
|
:0040E4D6 68CF0B0000 push 00000BCF
:0040E4DB E88E180500 call 0045FD6E
用ULTRAEDIT改完後，執行，提示“thank you...”，但下次執行時還需註冊！
由於本人學藝不精，找不到標記點！又想將其註冊為之己用，遂叫出TRW2000！
三、執行TRW2000，再執行TELEPORT，填好註冊專案。
ctrl+N, bpx hmemcpy ,ctrl+N
點OK，彈出TRW，下bd *,pmodule,按3次F12（4次出錯）。
按F10，下F9設斷！程式如下：
015F:0040E397 FLD TWORD [EDX+01]
015F:0040E39A CALL 0045944B
015F:0040E39F PUSH BYTE +0A
015F:0040E3A1 MOV EAX,[ESI+DD]
015F:0040E3A7 PUSH EBX
015F:0040E3A8 PUSH EAX
015F:0040E3A9 CALL 00442800
015F:0040E3AE ADD ESP,BYTE +0C
015F:0040E3B1 MOV EBP,EAX
015F:0040E3B3 MOV EAX,[0048A28C]
015F:0040E3B8 CMP [EAX+02A4],BL
015F:0040E3BE JZ NEAR 0040E48B
015F:0040E3C4 TEST EBP,EBP
015F:0040E3C6 JZ NEAR 0040E48B
015F:0040E3CC LEA EDI,[ESI+D5]
015F:0040E3D2 MOV EAX,[EDI]
015F:0040E3D4 PUSH EAX
015F:0040E3D5 CALL 0041BAD0
015F:0040E3DA ADD ESP,BYTE +04
015F:0040E3DD CMP EAX,EBP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 下？eax 可看到真註冊碼
下？ebp 可看到假註冊碼
015F:0040E3DF JNZ NEAR 0040E497
015F:0040E3E5 PUSH BYTE -01
四、總結
1、爆破法：將0F85B2000000――――――――――>909090909090 （但每次啟動仍需註冊）
2、註冊碼：
本人的為：your: RATARICE
company: peNcil grOup
registration: 1156637346

《teleport pro 1.28》破解實錄 ！！高手莫進！！ (5千字)

相關文章

《teleport pro 1.28》破解實錄！！高手莫進！！ (5千字)