破解心得之WinImage篇 (15千字)
破解心得之WinImage篇
作者:時空幻影
時間:2001年6月25日
使用工具:Fileinfo v2.43、W32DSM白金版漢化版、TRW2000 v1.22
軟體名稱:WinImage
釋出公司:Gilles Vollant
最新版本:v5.0.5009
作業系統:Win9x/ME/NT4/2000
軟體說明:
可製作、解壓磁碟映像(iso bin等)
由於這個軟體沒有加殼,因此分析相對容易一些;註冊演算法也不復雜——從後面的反組譯可以看到,註冊碼只是由使用者名稱算出的一個 32 位元雜湊值(或再加上幾個固定常數)轉成的字串,沒有任何簽章或金鑰保護,很適合初學者練習。
破解步驟:
1、先把執行檔案用Fileinfo檢視一下有沒有加殼,結果沒有;
2、用W32DSM反組譯(而非反編譯)該執行檔案,查詢出錯字串「Registering information is invalid」,找出比對點,然後由比對點往上找出核心CALL,記下該CALL所在的位址(W32DSM列出的是載入後的虛擬位址,不是檔案偏移;要改檔案時須另行換算),如這個軟體核心CALL的位址為0043407F;
3、執行TRW2000,再執行該軟體,填好Name和Registration Code後,按Ctrl+N啟用TRW2000,然後鍵入"BPX HMEMCPY"(HMEMCPY 一般只在 Win9x/ME 的 16 位元核心中存在,在 NT4/2000 下這個斷點不會攔到;NT 系列可改下 BPX GetDlgItemTextA 或 BPX GetWindowTextA),
按F5跳回程式,然後點OK就會被攔下,再鍵入"pmodule"回到程式自身的程式碼。
* Possible Reference to Dialog: REGISTER, CONTROL_ID:0816, ""
|
:0043405C 6816080000 push 00000816
:00434061 FF7508
push [ebp+08]
:00434064 FFD6
call esi
:00434066 BF6CD04400 mov edi,
0044D06C <--pmodule後到這裡。從下面的程式碼看,Name 其實在 EBX 所指的緩衝區(它被當成第一個參數推給核心CALL,並在 00439C50 中拿來計算雜湊),而 EDI=0044D06C 是控制項 0817 的緩衝區;想看輸入的 Name 用 D EBX 較為可靠,D EAX 能否看到取決於前面 CALL ESI 的回傳值,本文未列出其前文
* Possible Ref to Menu: WINIMAGMENU, Item: "Create directory..."
|
:0043406B 6A7F
push 0000007F
:0043406D 57
push edi
* Possible Reference to Dialog: REGISTER, CONTROL_ID:0817, ""
|
:0043406E 6817080000 push 00000817
:00434073 FF7508
push [ebp+08]
:00434076 FFD6
call esi
:00434078 6840D44400 push 0044D440
<--D EDI可看到輸入的註冊碼(EDI=0044D06C,即上一個 CALL ESI 以控制項 ID 0817 填入的緩衝區;下面三個 PUSH 依序是輸出旗標 0044D440、註冊碼 EDI、Name EBX,對應核心CALL裡的 [EBP+10]、[EBP+0C]、[EBP+08])
:0043407D 57
push edi
:0043407E 53
push ebx
:0043407F E89C5C0000 call 00439D20
<--核心CALL,按F8進入
:00434084 8B0D40D44400 mov ecx, dword
ptr [0044D440]
:0043408A 83C40C
add esp, 0000000C
:0043408D 33D2
xor edx, edx
:0043408F A334D24400 mov dword
ptr [0044D234], eax
:00434094 3BC2
cmp eax, edx
:00434096 5F
pop edi
:00434097 5B
pop ebx
:00434098 7406
je 004340A0
:0043409A 890D04D44400 mov dword ptr
[0044D404], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434098(C)
|
:004340A0 391504D44400 cmp dword ptr
[0044D404], edx
:004340A6 890D90D64400 mov dword ptr
[0044D690], ecx
:004340AC 7505
jne 004340B3
:004340AE A390D64400 mov dword
ptr [0044D690], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004340AC(C)
|
:004340B3 6A01
push 00000001
:004340B5 3BC2
cmp eax, edx
:004340B7 5E
pop esi
:004340B8 7529
jne 004340E3 <--暴破的話把這個JNE改成JMP即可,即把75改成EB(機器碼 7529 改為 EB29)。注意這只改變彈出哪個對話方塊:核心CALL回傳的 EAX 仍是 0,而它在 0043408F 已被存進 [0044D234],[0044D404]/[0044D690] 也是依 EAX 設定的;程式其他地方若再檢查這些全域變數,仍可能視為未註冊。較穩妥的做法是讓 00439D20 本身回傳非 0,或直接使用下面算出的正確註冊碼。
:004340BA 6800200000 push 00002000
* Possible Reference to String Resource ID=01069: "WinImage Registration"
|
:004340BF 682D040000 push 0000042D
:004340C4 89350CD34400 mov dword ptr
[0044D30C], esi
:004340CA 893564D44400 mov dword ptr
[0044D464], esi
:004340D0 88156CD04400 mov byte ptr
[0044D06C], dl
:004340D6 881568D44400 mov byte ptr
[0044D468], dl
* Possible Reference to String Resource ID=01067: "Registering information is
invalid" <--註冊失敗對話方塊
|
:004340DC 682B040000 push 0000042B
:004340E1 EB1B
jmp 004340FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004340B8(C)
|
:004340E3 6800200000 push 00002000
* Possible Reference to String Resource ID=01069: "WinImage Registration"
|
:004340E8 682D040000 push 0000042D
:004340ED 89150CD34400 mov dword ptr
[0044D30C], edx
:004340F3 891564D44400 mov dword ptr
[0044D464], edx
* Possible Reference to String Resource ID=01066: "Your registration code is
valid.
You are now a registered us" <--註冊成功對話方塊
|
:004340F9 682A040000 push 0000042A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004340E1(U)
|
:004340FE FF7508
push [ebp+08]
:00434101 E84BDEFEFF call 00421F51
:00434106 83C410
add esp, 00000010
:00434109 56
push esi
:0043410A FF7508
push [ebp+08]
按F8後會進入如下地方:
* Referenced by a CALL at Addresses:
|:0043407F , :00439225
|
:00439D20 55
push ebp
:00439D21 8BEC
mov ebp, esp
:00439D23 81EC00020000 sub esp, 00000200
:00439D29 56
push esi
:00439D2A 8B7510
mov esi, dword ptr [ebp+10]
:00439D2D 85F6
test esi, esi
:00439D2F 57
push edi
:00439D30 7403
je 00439D35
:00439D32 832600
and dword ptr [esi], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439D30(C)
|
:00439D35 FF750C
push [ebp+0C]
:00439D38 8D8500FFFFFF lea eax, dword
ptr [ebp+FFFFFF00]
:00439D3E 50
push eax
:00439D3F E8E0FEFFFF call 00439C24
:00439D44 FF7508
push [ebp+08]
:00439D47 E804FFFFFF call 00439C50
<--核心CALL,按F8進入
:00439D4C 8BF8
mov edi, eax <--EAX(同時複製到EDI)是 00439C50 依使用者名稱算出的 32 位元雜湊值;第一個註冊碼就是這個數值經下面 00439CD3 轉成的字串,之後五個註冊碼則是此雜湊分別加上 14051948h、17061954h、10051981h、04011995h、02061997h 後再轉成的字串
:00439D4E 83C40C
add esp, 0000000C
:00439D51 81FF26DDDCB8 cmp edi, B8DCDD26
:00439D57 0F84FE000000 je 00439E5B
<--這裡一定不能跳轉:若雜湊值剛好等於 B8DCDD26,不論註冊碼為何都直接回傳 0,推測是針對某個已流出的使用者名稱設的黑名單;換個名字即可避開
:00439D5D 8D8500FFFFFF lea eax, dword
ptr [ebp+FFFFFF00]
:00439D63 50
push eax
:00439D64 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
:00439D6A 57
push edi
:00439D6B 50
push eax
:00439D6C E862FFFFFF call 00439CD3
:00439D71 59
pop ecx <--按D EAX可以看到第一個正確的註冊碼(00439CD3 把 EDI 中的雜湊值轉成字串並於 EAX 回傳;從堆疊看,接著的 strcmp 是拿這個字串與 [EBP-100] 中已被 00439C24 轉成大寫的輸入註冊碼比較,所以註冊碼不分大小寫,strcmp 回傳 0 即相符)
:00439D72 59
pop ecx
:00439D73 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439D74 E8FF3A0000 Call 0043D878
:00439D79 59
pop ecx
:00439D7A 85C0
test eax, eax
:00439D7C 59
pop ecx
:00439D7D 0F84A0000000 je 00439E23
:00439D83 8D8500FFFFFF lea eax, dword
ptr [ebp+FFFFFF00]
:00439D89 50
push eax
:00439D8A 8D8748190514 lea eax, dword
ptr [edi+14051948]
:00439D90 50
push eax
:00439D91 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
:00439D97 50
push eax
:00439D98 E836FFFFFF call 00439CD3
:00439D9D 59
pop ecx <--按D EAX可以看到第二個正確的註冊碼
:00439D9E 59
pop ecx
:00439D9F 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439DA0 E8D33A0000 Call 0043D878
:00439DA5 59
pop ecx
:00439DA6 85C0
test eax, eax
:00439DA8 59
pop ecx
:00439DA9 7478
je 00439E23
:00439DAB 8D8500FFFFFF lea eax, dword
ptr [ebp+FFFFFF00]
:00439DB1 50
push eax
:00439DB2 8D8754190617 lea eax, dword
ptr [edi+17061954]
:00439DB8 50
push eax
:00439DB9 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
:00439DBF 50
push eax
:00439DC0 E80EFFFFFF call 00439CD3
:00439DC5 59
pop ecx <--按D EAX可以看到第三個正確的註冊碼
:00439DC6 59
pop ecx
:00439DC7 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439DC8 E8AB3A0000 Call 0043D878
:00439DCD 59
pop ecx
:00439DCE 85C0
test eax, eax
:00439DD0 59
pop ecx
:00439DD1 7450
je 00439E23
:00439DD3 8D8500FFFFFF lea eax, dword
ptr [ebp+FFFFFF00]
:00439DD9 50
push eax
:00439DDA 8D8781190510 lea eax, dword
ptr [edi+10051981]
:00439DE0 50
push eax
:00439DE1 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
:00439DE7 50
push eax
:00439DE8 E8E6FEFFFF call 00439CD3
:00439DED 59
pop ecx <--按D EAX可以看到第四個正確的註冊碼
:00439DEE 59
pop ecx
:00439DEF 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439DF0 E8833A0000 Call 0043D878
:00439DF5 59
pop ecx
:00439DF6 85C0
test eax, eax
:00439DF8 59
pop ecx
:00439DF9 7455
je 00439E50
:00439DFB 8D8500FFFFFF lea eax, dword
ptr [ebp+FFFFFF00]
:00439E01 50
push eax
:00439E02 8D8795190104 lea eax, dword
ptr [edi+04011995]
:00439E08 50
push eax
:00439E09 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
:00439E0F 50
push eax
:00439E10 E8BEFEFFFF call 00439CD3
:00439E15 59
pop ecx <--按D EAX可以看到第五個正確的註冊碼
:00439E16 59
pop ecx
:00439E17 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439E18 E85B3A0000 Call 0043D878
:00439E1D 59
pop ecx
:00439E1E 85C0
test eax, eax
:00439E20 59
pop ecx
:00439E21 7505
jne 00439E28
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00439D7D(C), :00439DA9(C), :00439DD1(C)
|
:00439E23 6A01
push 00000001
:00439E25 58
pop eax
:00439E26 EB35
jmp 00439E5D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439E21(C)
|
:00439E28 8D8500FFFFFF lea eax, dword
ptr [ebp+FFFFFF00]
:00439E2E 81C797190602 add edi, 02061997
:00439E34 50
push eax
:00439E35 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
:00439E3B 57
push edi
:00439E3C 50
push eax
:00439E3D E891FEFFFF call 00439CD3
:00439E42 59
pop ecx <--按D EAX可以看到第六個正確的註冊碼(第四個和第六個註冊碼相符時會走到 00439E50,除了回傳 1 還會把 [ESI](即呼叫端傳入的 0044D440)設為 1;其餘四個相符時只在 00439E23 回傳 1)
:00439E43 59
pop ecx
:00439E44 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439E45 E82E3A0000 Call 0043D878
:00439E4A 59
pop ecx
:00439E4B 85C0
test eax, eax
:00439E4D 59
pop ecx
:00439E4E 750B
jne 00439E5B <--這裡也一定不能跳轉
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439DF9(C)
|
:00439E50 6A01
push 00000001
:00439E52 85F6
test esi, esi
:00439E54 58
pop eax
:00439E55 7406
je 00439E5D
:00439E57 8906
mov dword ptr [esi], eax
:00439E59 EB02
jmp 00439E5D
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00439D57(C), :00439E4E(C)
|
:00439E5B 33C0
xor eax, eax <--如果跳到這裡的話就OVER了:回傳 EAX=0,呼叫端在 004340B5 比較後便走向「Registering information is invalid」那條路
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00439E26(U), :00439E55(C), :00439E59(U)
|
:00439E5D 5F
pop edi
:00439E5E 5E
pop esi
:00439E5F C9
leave
:00439E60 C3
ret
上面 00439D47 那個CALL(00439C50,負責把使用者名稱算成雜湊)進入後會來到如下地方:
* Referenced by a CALL at Addresses:
|:00433C57 , :00433C69 , :00439D47
|
:00439C50 55
push ebp
:00439C51 8BEC
mov ebp, esp
:00439C53 81EC04010000 sub esp, 00000104
:00439C59 FF7508
push [ebp+08]
:00439C5C 8D85FCFEFFFF lea eax, dword
ptr [ebp+FFFFFEFC]
:00439C62 C745FC4C694700 mov [ebp-04], 0047694C
<--賦初值到[EBP-04]
:00439C69 50
push eax
:00439C6A E8B5FFFFFF call 00439C24
<--把使用者名稱複製到 [EBP-104] 起的區域,並把所有的小寫轉換成大寫(所以使用者名稱不分大小寫,「abc」和「ABC」算出同一個註冊碼)
:00439C6F 59
pop ecx
:00439C70 8D85FCFEFFFF lea eax, dword
ptr [ebp+FFFFFEFC]
:00439C76 59
pop ecx
:00439C77 50
push eax
* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:00439C78 FF15C8F84400 Call dword ptr
[0044F8C8]
:00439C7E 33C9
xor ecx, ecx
:00439C80 894508
mov dword ptr [ebp+08], eax
:00439C83 85C0
test eax, eax
:00439C85 7E47
jle 00439CCE
:00439C87 53
push ebx
:00439C88 56
push esi
:00439C89 8DB5FCFEFFFF lea esi, dword
ptr [ebp+FFFFFEFC]
:00439C8F 57
push edi
:00439C90 8B7D08
mov edi, dword ptr [ebp+08]
:00439C93 83EE03
sub esi, 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439CC9(C)
|
:00439C96 8BC1
mov eax, ecx
:00439C98 6A0E
push 0000000E
:00439C9A 99
cdq
:00439C9B 5B
pop ebx
:00439C9C F7FB
idiv ebx
:00439C9E 85D2
test edx, edx
:00439CA0 7503
jne 00439CA5
:00439CA2 6A27
push 00000027
:00439CA4 5F
pop edi <--每當 ECX 能被 0xE 整除時(包括第 0 個字元)EDI 重置為 0x27;EDI 是當前字元的乘數
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439CA0(C)
|
:00439CA5 0FB6540E03 movzx edx,
byte ptr [esi+ecx+03] <--ESI 已先減 3,所以 [ESI+ECX+03] 就是大寫使用者名稱的第 ECX 個字元;EDX=字元×EDI 後累加進 [EBP-04]
:00439CAA 8D4103
lea eax, dword ptr [ecx+03]
:00439CAD 0FAFD7
imul edx, edi
:00439CB0 0155FC
add dword ptr [ebp-04], edx
:00439CB3 6A0E
push 0000000E
:00439CB5 99
cdq
:00439CB6 5B
pop ebx
:00439CB7 F7FB
idiv ebx <--EAX=ECX+3 除以 0xE
:00439CB9 85D2
test edx, edx <--判斷餘數是否為零
:00439CBB 7405
je 00439CC2 <--餘數為零則 EDI×7,否則 EDI×3(LEA EDI,[EDI+2*EDI]),作為下一個字元的乘數
:00439CBD 8D3C7F
lea edi, dword ptr [edi+2*edi]
:00439CC0 EB03
jmp 00439CC5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439CBB(C)
|
:00439CC2 6BFF07
imul edi, 00000007
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439CC0(U)
|
:00439CC5 41
inc ecx
:00439CC6 3B4D08
cmp ecx, dword ptr [ebp+08] <--ECX 小於 [EBP+08](即使用者名稱長度)就跳回 00439C96 處理下一個字元;迴圈結束後 [EBP-04] 的累加值就是回傳的雜湊(EAX)
:00439CC9 7CCB
jl 00439C96
:00439CCB 5F
pop edi
:00439CCC 5E
pop esi
:00439CCD 5B
pop ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439C85(C)
|
:00439CCE 8B45FC
mov eax, dword ptr [ebp-04]
:00439CD1 C9
leave
:00439CD2 C3
ret