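Cracking ClockWise 3.03 (7,000 characters)
Software name: ClockWise 3.03
Download address: http://software.wx88.net/down/InstallCW.exe
Software description: A time-management utility that combines a digital clock, calendar, reminder/memo clock, timer and program scheduler. It can schedule 5 reminders and up to 30 separate program events, and it can also set the system time automatically over the Internet or from an atomic clock. You can use it to schedule automatic shutdown and restart times.
Cracking difficulty: Easy
Cracked by: Edea (QQ: 3849036)
First, analyze the file with Fi: it turns out not to be packed (heh, got lucky).
Disassemble with WDASM: enter any registration code, click Register, and an ERROR dialog pops up; search for ERROR in WDASM. Once it is found, look upward: the jump comes from 0041b04a, and the 0041b043 above it is probably the key CALL.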
0177:0041B040 PUSH ESI
0177:0041B041 MOV ESI,ECX
0177:0041B043 CALL 0041B090
-----> worth noting; step into it
0177:0041B048 TEST EAX,EAX
0177:0041B04A JZ 0041B071
------> if this jump is taken, you're dead
0177:0041B04C MOV ECX,ESI
0177:0041B04E CALL 0041B2A0
0177:0041B053 PUSH BYTE +40
0177:0041B055 PUSH DWORD 00452920
0177:0041B05A PUSH DWORD 00452D58
0177:0041B05F MOV ECX,ESI
0177:0041B061 CALL 0043714E
0177:0041B066 PUSH BYTE +00
0177:0041B068 MOV ECX,ESI
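Open the registration dialog and fill in:
User Name:Edea
Serial Number:300 (this must be 300, 1000, 2000, 5000, etc.; explained in detail later)
Registration:9876543210 (enter anything)
Start TRW2000, set the breakpoint bpx 0041B043, and click Register; execution is intercepted.
Press F8 to step in.
Call from 0041B043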
0177:0041B090 SUB ESP,BYTE +0C
0177:0041B093 PUSH EBX
0177:0041B094 PUSH EBP
0177:0041B095 MOV EBP,ECX
0177:0041B097 PUSH ESI
0177:0041B098 XOR ECX,ECX
0177:0041B09A XOR ESI,ESI
0177:0041B09C MOV EAX,[EBP+60]
------> puts User Name into EAX
0177:0041B09F PUSH EDI
0177:0041B0A0 MOV EAX,[EAX-08]
0177:0041B0A3 TEST EAX,EAX
0177:0041B0A5 MOV [ESP+10],EAX
0177:0041B0A9 JZ NEAR 0041B28B
0177:0041B0AF MOV EAX,[EBP+68]
-------> puts Serial Number into EAX
0177:0041B0B2 MOV EDX,[EAX-08]
0177:0041B0B5 TEST EDX,EDX
0177:0041B0B7 JNG NEAR 0041B28B
0177:0041B0BD MOV EDX,[EBP+64]
------> puts Registration into EDX
0177:0041B0C0 CMP DWORD [EDX-08],BYTE +05
0177:0041B0C4 JNG NEAR 0041B28B
0177:0041B0CA PUSH EAX
0177:0041B0CB CALL 004249C3
0177:0041B0D0 MOV EBX,EAX
0177:0041B0D2 ADD ESP,BYTE +04
0177:0041B0D5 CMP EBX,BYTE +01
0177:0041B0D8 JC NEAR 0041B281
0177:0041B0DE CMP EBX,012C
------> Pay attention to these comparisons: the program compares Serial Number against 300, 1000, 2000, 5000, etc.; if it is not one of them, registration fails.
0177:0041B0E4 JNA 0041B0F2
0177:0041B0E6 CMP EBX,03E8
0177:0041B0EC JC NEAR 0041B281
0177:0041B0F2 CMP EBX,07D0
0177:0041B0F8 JNA 0041B106
0177:0041B0FA CMP EBX,1388
0177:0041B100 JC NEAR 0041B281
0177:0041B106 CMP EBX,1B58
0177:0041B10C JNA 0041B11A
0177:0041B10E CMP EBX,2767
0177:0041B114 JC NEAR 0041B281
0177:0041B11A CMP EBX,2A16
0177:0041B120 JNA 0041B12E
0177:0041B122 CMP EBX,2A53
0177:0041B128 JC NEAR 0041B281
0177:0041B12E CMP EBX,2EE0
0177:0041B134 JNA 0041B142
0177:0041B136 CMP EBX,4E20
0177:0041B13C JC NEAR 0041B281
0177:0041B142 CMP EBX,5208
0177:0041B148 JA NEAR 0041B281
0177:0041B14E MOV ECX,[ESP+10]
0177:0041B152 XOR EAX,EAX
0177:0041B154 TEST ECX,ECX
0177:0041B156 JNG 0041B175
0177:0041B158 MOV EDX,[EBP+60]
0177:0041B15B LEA ECX,[EAX+01]
0177:0041B15E MOV EDI,[ESP+10]
0177:0041B162 MOVSX EAX,BYTE [EDX+EAX]
0177:0041B166 IMUL EAX,ECX
0177:0041B169 ADD EAX,EDI
0177:0041B16B ADD ESI,EAX
0177:0041B16D MOV EAX,ECX
0177:0041B16F MOV ECX,EDI
0177:0041B171 CMP EAX,ECX
0177:0041B173 JL 0041B15B
0177:0041B175 MOV EDX,[ESP+10]
0177:0041B179 LEA ECX,[ESP+14]
-----> There are many loops in between; if you do not want to write a key generator, you can ignore them.
0177:0041B17D IMUL EDX,EBX
0177:0041B180 PUSH BYTE +10
0177:0041B182 ADD EDX,ESI
0177:0041B184 PUSH ECX
0177:0041B185 PUSH EDX
0177:0041B186 CALL 0042F30B
0177:0041B18B MOV DL,[ESP+20]
0177:0041B18F ADD ESP,BYTE +0C
0177:0041B192 TEST DL,DL
0177:0041B194 JZ 0041B1B4
0177:0041B196 LEA ESI,[ESP+14]
0177:0041B19A MOVSX EAX,DL
0177:0041B19D PUSH EAX
0177:0041B19E CALL 00425F90
0177:0041B1A3 ADD ESP,BYTE +04
0177:0041B1A6 MOV [ESI],AL
0177:0041B1A8 MOV DL,[ESI+01]
0177:0041B1AB INC ESI
0177:0041B1AC TEST DL,DL
0177:0041B1AE JNZ 0041B19A
0177:0041B1B0 MOV DL,[ESP+14]
0177:0041B1B4 LEA EDI,[ESP+14]
0177:0041B1B8 OR ECX,BYTE -01
0177:0041B1BB XOR EAX,EAX
0177:0041B1BD REPNE SCASB
0177:0041B1BF NOT ECX
0177:0041B1C1 DEC ECX
0177:0041B1C2 CMP ECX,BYTE +04
0177:0041B1C5 JNC 0041B20C
0177:0041B1C7 LEA EDI,[ESP+14]
0177:0041B1CB OR ECX,BYTE -01
0177:0041B1CE XOR EAX,EAX
0177:0041B1D0 REPNE SCASB
0177:0041B1D2 NOT ECX
0177:0041B1D4 DEC ECX
0177:0041B1D5 LEA EDI,[ESP+14]
0177:0041B1D9 MOV [ESP+ECX+15],AL
0177:0041B1DD OR ECX,BYTE -01
0177:0041B1E0 REPNE SCASB
0177:0041B1E2 NOT ECX
0177:0041B1E4 DEC ECX
0177:0041B1E5 INC ECX
0177:0041B1E6 JZ 0041B1F3
0177:0041B1E8 MOV DL,[ESP+ECX+13]
0177:0041B1EC MOV [ESP+ECX+14],DL
0177:0041B1F0 DEC ECX
0177:0041B1F1 JNZ 0041B1E8
0177:0041B1F3 MOV DL,30
0177:0041B1F5 LEA EDI,[ESP+14]
0177:0041B1F9 OR ECX,BYTE -01
0177:0041B1FC XOR EAX,EAX
0177:0041B1FE MOV [ESP+14],DL
0177:0041B202 REPNE SCASB
0177:0041B204 NOT ECX
0177:0041B206 DEC ECX
0177:0041B207 CMP ECX,BYTE +04
0177:0041B20A JC 0041B1C7
0177:0041B20C MOV AL,[ESP+17]
0177:0041B210 MOV CL,[ESP+16]
0177:0041B214 MOV [ESP+19],AL
0177:0041B218 MOV [ESP+18],CL
0177:0041B21C MOV CL,[ESP+15]
0177:0041B220 MOV AL,BL
0177:0041B222 MOV BYTE [ESP+1A],00
0177:0041B227 MOV [ESP+17],CL
0177:0041B22B MOV [ESP+16],DL
0177:0041B22F IMUL DL
0177:0041B231 CMP AL,41
0177:0041B233 JC 0041B239
0177:0041B235 CMP AL,5A
0177:0041B237 JNA 0041B247
0177:0041B239 ADD AL,4A
0177:0041B23B CMP AL,4F
0177:0041B23D JZ 0041B243
0177:0041B23F CMP AL,49
0177:0041B241 JNZ 0041B231
0177:0041B243 ADD AL,4A
0177:0041B245 JMP SHORT 0041B231
0177:0041B247 MOV [ESP+14],AL
0177:0041B24B MOV AL,[ESP+10]
0177:0041B24F IMUL CL
0177:0041B251 CMP AL,30
0177:0041B253 JC 0041B259
0177:0041B255 CMP AL,39
0177:0041B257 JNA 0041B25D
0177:0041B259 ADD AL,4A
0177:0041B25B JMP SHORT 0041B251
0177:0041B25D MOV [ESP+15],AL
0177:0041B261 MOV EAX,[EBP+64]
------> puts the fake Registration into EAX
0177:0041B264 LEA EDX,[ESP+14]
------> puts the real Registration into EDX
0177:0041B268 PUSH EAX
0177:0041B269 PUSH EDX
0177:0041B26A CALL KERNEL32!lstrcmpA
------> compare
0177:0041B270 TEST EAX,EAX
0177:0041B272 JNZ 0041B281
------> Not equal? Then you're dead!
0177:0041B274 POP EDI
The correct registration code:
User Name:Edea
Serial Number:300
Registration:F00880