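WinImage: complete crack
===================================================
Henan China peiyou
First I ran the registration and got an error prompt, so I suspected a break on MessageBoxA would catch it.
So, in TRW2000, I entered peiyou / 88888888, set a breakpoint with bpx messageboxa, and it broke at:
:00421F35 FF1588F94400            Call user!messageboxa
Looking upward from there:
Note: the listings below come from W32Dasm.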
|:00402FAA , :00403BC7 , :00403C49 , :00405946 , :00409017
|:004090AD , :0040B82F , :0040BB65 , :00421F9E , :0042201C
|
:00421F16 55                      push ebp
:00421F17 8BEC                    mov ebp, esp
:00421F19 51                      push ecx
:00421F1A A1D0C34400              mov eax, dword ptr [0044C3D0]
:00421F1F 85C0                    test eax, eax
:00421F21 7405                    je 00421F28
                                  ^^^^^^^^^^^^ jumps to the error path
:00421F23 FFD0                    call eax
:00421F25 8945FC                  mov dword ptr [ebp-04], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421F21(C)
|
:00421F28 56                      push esi
:00421F29 FF7514                  push [ebp+14]
:00421F2C FF7510                  push [ebp+10]
:00421F2F FF750C                  push [ebp+0C]
:00421F32 FF7508                  push [ebp+08]
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00421F35 FF1588F94400            Call dword ptr [0044F988]
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^ error prompt
:00421F3B 8BF0                    mov esi, eax
:00421F3D A1D4C34400              mov eax, dword ptr [0044C3D4]
:00421F42 85C0                    test eax, eax
:00421F44 7406                    je 00421F4C
:00421F46 FF75FC                  push [ebp-04]
:00421F49 FFD0                    call eax
:00421F4B 59                      pop ecx
Now at 421f21:
:00421F1F 85C0                    test eax, eax
:00421F21 7405                    je 00421F28
                                  ^^^^^^^^^^^^ jumps to the error path
Change 74 05 to 90 90? It dies all the same! Analyze further up?
|:00402FAA , :00403BC7 , :00403C49 , :00405946 , :00409017
|:004090AD , :0040B82F , :0040BB65 , :00421F9E , :0042201C
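Damn, just kill me!!!
The only option left was to start from the registration-success message.
Using eXeScope to look for the success message, I found "你的註冊碼是正確的,$0A現在你是一個註冊使用者了,$感謝你的使用。" ("Your registration code is correct, you are now a registered user, thank you for using it.")
Search for the registration message with W32Dasm, then. Wait!!! W32Dasm searching for a Chinese message? Garbled text; my head hurts.
(A national sorrow: I really wish China's crackers would write a Chinese W32Dasm instead of just localizing it.)
I prepended kissyou to the message. You didn't note down the change? I give up!!
Running W32Dasm and searching for kissyou, I found kissyou followed by garbage. Garbled or not, that's the one. Looking upward: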
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004340B8(U)
 ^^^^^^^^^^^^^^ reached from 4340b8
:004340E3 6800200000              push 00002000
* Possible Reference to String Resource ID=01069: "WinImage "
|
:004340E8 682D040000              push 0000042D
:004340ED 89150CD34400            mov dword ptr [0044D30C], edx
:004340F3 891564D44400            mov dword ptr [0044D464], edx
Registration-success prompt:
* Possible Reference to String Resource ID=01066: "kissyou`?/cn?
?`/"
:004340F9 682A040000              push 0000042A
A look at 4340B8:
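* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004340AC(C)
|
:004340B3 6A01                    push 00000001
:004340B5 3BC2                    cmp eax, edx
:004340B7 5E                      pop esi
:004340B8 7529                    jnz 004340E3
                                  ^^^^^^^^^^^ jumps to the registration-success path
:004340BA 6800200000              push 00002000
I've been waiting for you: change 75 29 to EB 29.
Ran it again, entered arbitrary registration data, and the success message appeared. I jumped for joy... or rather couldn't. Why?
The unregistered notice had not gone away; on the next run the annoying registration prompt was still there. Registration had not succeeded!!!
I can't get up; give me a hand.
Evidently the author had already done something before the success message is shown. I'm lazy and always prefer brute-force patching,
but this time it looks like I'll have to work through it properly.
Loaded it in TRW2000 again for debugging; this time I entered peiyou / 88888888 and set a breakpoint on hmemcpy.
It broke at 434066 mov EDI 0044D06C; tracing from there: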
:00434066 BF6CD04400              mov edi, 0044D06C
* Possible Ref to Menu: WINIMAGMENU, Item: "U(D)..."
|
:0043406B 6A7F                    push 0000007F
:0043406D 57                      push edi
* Possible Reference to Dialog: REGISTER, CONTROL_ID:0817, ""
|
:0043406E 6817080000              push 00000817
:00434073 FF7508                  push [ebp+08]
:00434076 FFD6                    call esi
:00434078 6840D44400              push 0044D440
:0043407D 57                      push edi
:0043407E 53                      push ebx
:0043407F E89C5C0000              call 00439D20
                                  ^^^^^^^^^^^^^^
:00434084 8B0D40D44400            mov ecx, dword ptr [0044D440]
:0043408A 83C40C                  add esp, 0000000C
:0043408D 33D2                    xor edx, edx
:0043408F A334D24400              mov dword ptr [0044D234], eax
:00434094 3BC2                    cmp eax, edx
:00434096 5F                      pop edi
:00434097 5B                      pop ebx
:00434098 7406                    je 004340A0
:0043409A 890D04D44400            mov dword ptr [0044D404], ecx
At this point:
:0043407F E89C5C0000              call 00439D20
                                  ^^^^^^^^^^^^^^ most likely the code-handling routine; step into it with F8.
:00439D83 8D8500FFFFFF            lea eax, dword ptr [ebp+FFFFFF00]
:00439D89 50                      push eax
:00439D8A 8D8748190514            lea eax, dword ptr [edi+14051948]
:00439D90 50                      push eax
:00439D91 8D8500FEFFFF            lea eax, dword ptr [ebp+FFFFFE00]
:00439D97 50                      push eax
:00439D98 E836FFFFFF              call 00439CD3
Processing I
:00439D9D 59                      pop ecx
:00439D9E 59                      pop ecx
:00439D9F 50                      push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439DA0 E8D33A0000              Call 0043D878
:00439DA5 59                      pop ecx
:00439DA6 85C0                    test eax, eax
:00439DA8 59                      pop ecx
:00439DA9 7478                    je 00439E23
:00439DAB 8D8500FFFFFF            lea eax, dword ptr [ebp+FFFFFF00]
:00439DB1 50                      push eax
:00439DB2 8D8754190617            lea eax, dword ptr [edi+17061954]
:00439DB8 50                      push eax
:00439DB9 8D8500FEFFFF            lea eax, dword ptr [ebp+FFFFFE00]
:00439DBF 50                      push eax
:00439DC0 E80EFFFFFF              call 00439CD3
Processing II
:00439DC5 59                      pop ecx
:00439DC6 59                      pop ecx
:00439DC7 50                      push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439DC8 E8AB3A0000              Call 0043D878
:00439DCD 59                      pop ecx
:00439DCE 85C0                    test eax, eax
:00439DD0 59                      pop ecx
:00439DD1 7450                    je 00439E23
:00439DD3 8D8500FFFFFF            lea eax, dword ptr [ebp+FFFFFF00]
:00439DD9 50                      push eax
:00439DDA 8D8781190510            lea eax, dword ptr [edi+10051981]
:00439DE0 50                      push eax
:00439DE1 8D8500FEFFFF            lea eax, dword ptr [ebp+FFFFFE00]
:00439DE7 50                      push eax
:00439DE8 E8E6FEFFFF              call 00439CD3
Processing III
:00439DED 59                      pop ecx
:00439DEE 59                      pop ecx
:00439DEF 50                      push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:00439DF0 E8833A0000              Call 0043D878
:00439DF5 59                      pop ecx
:00439DF6 85C0                    test eax, eax
:00439DF8 59                      pop ecx
:00439DF9 7455                    je 00439E50
:00439DFB 8D8500FFFFFF            lea eax, dword ptr [ebp+FFFFFF00]
:00439E01 50                      push eax
:00439E02 8D8795190104            lea eax, dword ptr [edi+04011995]
:00439E08 50                      push eax
:00439E09 8D8500FEFFFF            lea eax, dword ptr [ebp+FFFFFE00]
:00439E0F 50                      push eax
:00439E10 E8BEFEFFFF              call 00439CD3
                                  ^^^^^^^^^^^^^
:00439E15 59                      pop ecx
:00439E16 59                      pop ecx
:00439E17 50                      push eax
After the three rounds of processing, the error box appears at the CALL at 439f10.
Tracing again up to :00439E0F 50 push eax, I issued D eax,
which showed 105E9A34.
Registered with peiyou / 105E9A34.
Registration succeeded; all the clutter was gone. Registered successfully.
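The listing above shows why one memory dump was enough: the client itself runs a routine and passes the result to strcmp, so a string that is accepted as the code sits in process memory next to whatever the user typed. The sketch below is an added example, not WinImage's code or the author's; it contrasts that derive-and-compare pattern with a verify-only check that ships nothing but a public key. The derivation in weak_expected, the toy RSA key and every function name are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. It is far too
# small for real use; a real product would embed a 2048-bit+ RSA or an
# Ed25519 public key and keep the private half off the client entirely.
P, Q = 2**61 - 1, 2**89 - 1          # vendor secret (never shipped)
N, E = P * Q, 65537                  # public part embedded in the client


def _digest(name: str) -> int:
    """Hash the registered name to an integer below N."""
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


def weak_expected(name: str) -> str:
    """Hypothetical derivation standing in for a per-name code routine."""
    h = hashlib.sha256(b"salt:" + name.encode("utf-8")).hexdigest()
    return h[:8].upper()


def weak_check(name: str, code: str) -> bool:
    # Derive-and-compare: the correct code for `name` is materialised in
    # client memory before the comparison, whatever the user typed.
    return code.upper() == weak_expected(name)


def vendor_issue(name: str) -> str:
    """Vendor side only: sign the name digest with the private exponent."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return format(pow(_digest(name), d, N), "x")


def hardened_check(name: str, code: str) -> bool:
    # Verify-only: the client holds (N, E) and can confirm a code, but it
    # never computes the valid code for a name it was not issued one for.
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    return 0 <= sig < N and pow(sig, E, N) == _digest(name)


if __name__ == "__main__":
    issued = vendor_issue("peiyou")
    print(hardened_check("peiyou", issued), hardened_check("peiyou", "88888888"))
```

This closes the in-memory disclosure only; a patched branch is a separate problem that needs integrity protection of the binary and of the state the check writes.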
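In addition, analysis of the registry shows that its registration information is stored under:
HKEY_CURRENT_USER\Software\WinImage
"WinImageUseRegistry"="TRUE"    whether the 30-day period has passed
"CDImageSetting"="0"
"ConnectedFileOption"="1"       number of days used
"NameRegistered"=""             registered name
"CodeRegistered"=""             registration code
"ProMode"="TRUE"                whether it runs in Professional or Standard mode
If you don't want to crack it, changing TRUE to FALSE in ProMode gives the Professional edition, but the registration reminder still appears.
Working hard for that sky where dreams take flight!!!!!!!!!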