破解心得之eXeScope篇 (9千字)
破解心得之eXeScope篇
作者:時空幻影
時間:2001年6月26日
使用工具:Fileinfo v2.43、W32DSM白金版漢化版、TRW2000 v1.22
由於這個軟體沒有加殼,因此破解相對容易一些,且註冊演算法也不復雜,很適合初學者破解。
先執行TRW2000,然後執行該軟體,填好Your Name和ID後,按Ctrl+N啟用TRW2000,然後鍵入"BPX HMEMCPY",
按F5跳回程式,然後點OK就會被攔下,再鍵入"pmodule",繼續按F10。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A7BAA(C)
|
:004A7BBE 8D55F0
lea edx, dword ptr [ebp-10]
:004A7BC1 8B45FC
mov eax, dword ptr [ebp-04]
:004A7BC4 8B80D0020000 mov eax, dword
ptr [eax+000002D0]
:004A7BCA E885B7F8FF call 00433354
:004A7BCF 8B55F0
mov edx, dword ptr [ebp-10] <--經過幾個RET以後來到這裡
:004A7BD2 A1B8594B00 mov eax,
dword ptr [004B59B8]
:004A7BD7 E830C0F5FF call 00403C0C
:004A7BDC 8D55EC
lea edx, dword ptr [ebp-14]
:004A7BDF 8B45FC
mov eax, dword ptr [ebp-04]
:004A7BE2 8B80D4020000 mov eax, dword
ptr [eax+000002D4]
:004A7BE8 E867B7F8FF call 00433354
:004A7BED 8B55EC
mov edx, dword ptr [ebp-14]
:004A7BF0 A134594B00 mov eax,
dword ptr [004B5934]
:004A7BF5 E812C0F5FF call 00403C0C
:004A7BFA 8B1534594B00 mov edx, dword
ptr [004B5934]
:004A7C00 8B12
mov edx, dword ptr [edx]
:004A7C02 A174574B00 mov eax,
dword ptr [004B5774]
:004A7C07 8B00
mov eax, dword ptr [eax]
:004A7C09 E8DA8D0000 call 004B09E8
<--核心CALL,按F8進入
:004A7C0E 84C0
test al, al
:004A7C10 0F8498000000 je 004A7CAE
<--一定不能跳轉
:004A7C16 A1B8594B00 mov eax,
dword ptr [004B59B8]
:004A7C1B 8B00
mov eax, dword ptr [eax]
:004A7C1D E816C2F5FF call 00403E38
:004A7C22 85C0
test eax, eax
:004A7C24 0F8E84000000 jle 004A7CAE
<--一定不能跳轉
:004A7C2A 8D55E4
lea edx, dword ptr [ebp-1C]
:004A7C2D A1C4594B00 mov eax,
dword ptr [004B59C4]
:004A7C32 8B00
mov eax, dword ptr [eax]
:004A7C34 E82F9BFAFF call 00451768
:004A7C39 8B45E4
mov eax, dword ptr [ebp-1C]
:004A7C3C 8D4DE8
lea ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->".ini"
|
:004A7C3F BA0C7D4A00 mov edx,
004A7D0C
:004A7C44 E8F319F6FF call 0040963C
:004A7C49 8B4DE8
mov ecx, dword ptr [ebp-18]
:004A7C4C B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"XuG"
|
:004A7C4E A1906E4700 mov eax,
dword ptr [00476E90]
:004A7C53 E8E0F2FCFF call 00476F38
:004A7C58 8945F8
mov dword ptr [ebp-08], eax
:004A7C5B A1B8594B00 mov eax,
dword ptr [004B59B8]
:004A7C60 8B00
mov eax, dword ptr [eax]
:004A7C62 50
push eax
* Possible StringData Ref from Code Obj ->"Name"
|
:004A7C63 B91C7D4A00 mov ecx,
004A7D1C
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C68 BA2C7D4A00 mov edx,
004A7D2C
:004A7C6D 8B45F8
mov eax, dword ptr [ebp-08]
:004A7C70 8B18
mov ebx, dword ptr [eax]
:004A7C72 FF5304
call [ebx+04]
:004A7C75 A134594B00 mov eax,
dword ptr [004B5934]
:004A7C7A 8B00
mov eax, dword ptr [eax]
:004A7C7C 50
push eax
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C7D BA2C7D4A00 mov edx,
004A7D2C
:004A7C82 B9387D4A00 mov ecx,
004A7D38
:004A7C87 8B45F8
mov eax, dword ptr [ebp-08]
:004A7C8A 8B18
mov ebx, dword ptr [eax]
:004A7C8C FF5304
call [ebx+04]
:004A7C8F 8B45F8
mov eax, dword ptr [ebp-08]
:004A7C92 E83DB2F5FF call 00402ED4
:004A7C97 A17C574B00 mov eax,
dword ptr [004B577C]
:004A7C9C C60001
mov byte ptr [eax], 01
:004A7C9F 8B45FC
mov eax, dword ptr [ebp-04]
:004A7CA2 C7803402000001000000 mov dword ptr [ebx+00000234], 00000001
:004A7CAC EB20
jmp 004A7CCE
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A7C10(C), :004A7C24(C)
|
:004A7CAE 6A00
push 00000000
:004A7CB0 8D55E0
lea edx, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->"Invalid ID or Name;o^IDO"
<--錯誤資訊對話方塊
|
:004A7CB3 B8447D4A00 mov eax,
004A7D44
:004A7CB8 E8D79D0000 call 004B1A94
:004A7CBD 8B45E0
mov eax, dword ptr [ebp-20]
:004A7CC0 668B0D747D4A00 mov cx, word ptr
[004A7D74]
:004A7CC7 B201
mov dl, 01
:004A7CC9 E88E01FBFF call 00457E5C
在上面的核心CALL按F8進入後會來到如下地方:
* Referenced by a CALL at Addresses:
|:004A7C09 , :004B088C
|
; ---------------------------------------------------------------------------
; Routine at 004B09E8: local check of the entered registration ID.
; Listing format: W32Dasm output (address, opcode bytes, Intel-syntax mnemonic);
; the "<--" notes are the article author's annotations.
;
; In:     eax, edx = the two arguments; both are spilled to locals at entry.
;         edx -> [ebp-08] is the string every check below reads (the article
;         identifies it as the entered ID).
;         eax -> [ebp-04] is stored but never read again in the visible listing.
; Locals: [ebp-09] = byte result flag, 0 at start, set to 1 only if every
;                    check passes
;         [ebp-10] = 1-based character index used by the digit loop
; Out:    presumably the flag at [ebp-09] is returned in al (the caller at
;         004A7C0E tests al), but the code at 004B0AA6 that would load it is
;         not part of this listing -- confirm.
; NOTE(review): every value compared against is a constant embedded in the
; binary, and nothing visible here ties the accepted ID to the other argument.
; ---------------------------------------------------------------------------
:004B09E8 55
push ebp
:004B09E9 8BEC
mov ebp, esp
; esp += 0xFFFFFFF0, i.e. reserve 16 bytes of locals
:004B09EB 83C4F0
add esp, FFFFFFF0
:004B09EE 8955F8
mov dword ptr [ebp-08], edx
:004B09F1 8945FC
mov dword ptr [ebp-04], eax
:004B09F4 8B45F8
mov eax, dword ptr [ebp-08]
; opaque helper called with the ID pointer in eax; its purpose is not visible
; here (presumably a string reference-count helper -- confirm)
:004B09F7 E8F035F5FF call 00403FEC
; eax = 0, so fs:[eax] below is fs:[0]: push ebp, the handler address 004B0A9F
; and the previous fs:[0] value, then point fs:[0] at the new record.
; This installs an exception-handler frame for the body that follows.
:004B09FC 33C0
xor eax, eax
:004B09FE 55
push ebp
:004B09FF 689F0A4B00 push 004B0A9F
:004B0A04 64FF30
push dword ptr fs:[eax]
:004B0A07 648920
mov dword ptr fs:[eax], esp
; result flag = 0 (failure is the default outcome)
:004B0A0A C645F700 mov
[ebp-09], 00
:004B0A0E 8B45F8
mov eax, dword ptr [ebp-08]
; helper returns a value in eax that is compared with 10 next; the article
; identifies it as the length of the ID
:004B0A11 E82234F5FF call 00403E38
<--求ID長度
:004B0A16 83F80A
cmp eax, 0000000A <--判斷ID的長度是否等於10
:004B0A19 756E
jne 004B0A89 <--不等的話跳轉,一定不能跳轉
:004B0A1B 8B55F8
mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1910"
|
; eax = address of the literal, edx = ID; the check passes when the helper
; returns exactly 1 (dec eax sets ZF). Presumably a substring search that
; returns a 1-based position -- confirm against 00404124.
:004B0A1E B8B80A4B00 mov eax,
004B0AB8 <--[004B0AB8]為"A1910"
:004B0A23 E8FC36F5FF call 00404124
<--判斷ID的前五個字元是否為"A1910"
:004B0A28 48
dec eax
:004B0A29 7410
je 004B0A3B
:004B0A2B 8B55F8
mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1423"
|
; second accepted literal, tested the same way; failing both goes to the exit
:004B0A2E B8C80A4B00 mov eax,
004B0AC8 <--[004B0AC8]為"A1423"
:004B0A33 E8EC36F5FF call 00404124
<--判斷ID的前五個字元是否為"A1423"
:004B0A38 48
dec eax
:004B0A39 754E
jne 004B0A89 <--這個一定不能跳轉
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A29(C)
|
; digit loop: index starts at 2 and runs until it reaches 0x0B, so the 1-based
; characters 2..10 are each read as byte [ID + index - 1]
:004B0A3B C745F002000000 mov [ebp-10], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A65(C)
|
:004B0A42 8B45F8
mov eax, dword ptr [ebp-08]
:004B0A45 8B55F0
mov edx, dword ptr [ebp-10]
:004B0A48 8A4410FF mov
al, byte ptr [eax+edx-01]
; unsigned compare: reject bytes below 0x30 ('0')
:004B0A4C 3C30
cmp al, 30
:004B0A4E 7239
jb 004B0A89
:004B0A50 8B45F8
mov eax, dword ptr [ebp-08]
:004B0A53 8B55F0
mov edx, dword ptr [ebp-10]
:004B0A56 8A4410FF mov
al, byte ptr [eax+edx-01]
; unsigned compare: reject bytes above 0x39 ('9')
:004B0A5A 3C39
cmp al, 39
:004B0A5C 772B
ja 004B0A89
:004B0A5E FF45F0
inc [ebp-10]
:004B0A61 837DF00B cmp
dword ptr [ebp-10], 0000000B
:004B0A65 75DB
jne 004B0A42
; final check: zero-extend the bytes at offsets 8 and 9 (9th and 10th
; characters), add the two ASCII codes, divide by 10 and compare the remainder
:004B0A67 8B45F8
mov eax, dword ptr [ebp-08]
:004B0A6A 0FB64008 movzx
eax, byte ptr [eax+08] <--輸入的ID的倒數第二個字元的ASCII碼送入EAX
:004B0A6E 8B55F8
mov edx, dword ptr [ebp-08]
:004B0A71 0FB65209 movzx
edx, byte ptr [edx+09] <--輸入的ID的倒數最後一個字元的ASCII碼送入EDX
:004B0A75 03C2
add eax, edx
:004B0A77 B90A000000 mov ecx,
0000000A
; edx is cleared first because div takes edx:eax as the dividend; the
; remainder comes back in edx
:004B0A7C 33D2
xor edx, edx
:004B0A7E F7F1
div ecx <--EAX除以10
:004B0A80 83FA04
cmp edx, 00000004 <--比較餘數是否等於4
:004B0A83 7504
jne 004B0A89 <--不等於4的話則跳轉,一定不能跳轉
; every check passed: result flag = 1
:004B0A85 C645F701 mov
[ebp-09], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B0A19(C), :004B0A39(C), :004B0A4E(C), :004B0A5C(C), :004B0A83(C)
|
; common exit for success and failure: unlink the handler frame pushed at
; 004B09FE-004B0A07. pop edx = saved previous fs:[0]; the two pop ecx discard
; the handler address and the saved ebp; then fs:[0] is restored.
:004B0A89 33C0
xor eax, eax
:004B0A8B 5A
pop edx
:004B0A8C 59
pop ecx
:004B0A8D 59
pop ecx
:004B0A8E 648910
mov dword ptr fs:[eax], edx
; 004B0AA6 is pushed so that the ret at 004B0A9E continues there; that code
; is outside this listing
:004B0A91 68A60A4B00 push 004B0AA6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0AA4(U)
|
; opaque helper called with the address of the local ID pointer in eax
; (presumably releases the string reference -- confirm against 00403BB8)
:004B0A96 8D45F8
lea eax, dword ptr [ebp-08]
:004B0A99 E81A31F5FF call 00403BB8
:004B0A9E C3
ret
現在我們知道了註冊碼的形式為A1910xxxxx或A1423xxxxx,其中第6、7、8個字元為任意字元,而第9、10個字元的ASCII
碼的和的個位數為4就可以正確的註冊了!!!