Cracking CopyFaster under Win2000
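--- Celebrating Beijing's successful bid for the 2008 Olympics!
Cracker: moonlite
Target: CopyFaster 1.0 Final Release
Platform: Windows 2000 only
Download: http://www.lowtek.com/copyfaster/download/
Size: 101k
Purpose: CopyFaster is a software utility that enables Windows 2000 Explorer to copy big files faster when copying to and from the same hard drive.
Tool: SoftICE for NT
Protection: a registration window pops up at every launch, prompting for registration; CRC check.
Cracking process:
[1] Start Symbol Loader, then load and run copyfast.exe. SoftICE is activated; press F5 once and the CopyFaster registration window pops up.
[2] Enter the name "moonlite" and the registration code "1818518". Press Ctrl+D to drop into SoftICE. Type:
S 10:0 L FFFFFFFF "1818518"
This finds one address; set a BPM breakpoint on it, press F5 to return to the registration window and click OK. Nothing is caught. Strange?
Try changing it to:
S 10:0 L FFFFFFFF 31,00,38,00,31,00,38,00,35,00,31,00,38
(Note: this searches for the WideChar form of the registration code, i.e. "1 8 1 8 5 1 8".) This finds one address, but after setting a BPM breakpoint on it, still nothing is caught.
Change of method: BPM GETWINDOWTEXTW, return to the main program and click OK, and SoftICE breaks in. As follows: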
-------------------
:0040373C FF75E0                  push [ebp-20]
:0040373F 895DFC                  mov dword ptr [ebp-04], ebx
:00403742 FF75DC                  push [ebp-24]
:00403745 FF75EC                  push [ebp-14]
* Reference To: USER32.GetWindowTextW, Ord:0165h
|
:00403748 FF1568B24000            Call dword ptr [0040B268] // read the name;
:0040374E 85C0                    test eax, eax // eax = length of the name string; <=== cursor is here!
:00403750 7506                    jne 00403758 // jump if not empty;
:00403752 8B45DC                  mov eax, dword ptr [ebp-24]
:00403755 668918                  mov word ptr [eax], bx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403750(C)
|
:00403758 8B4610                  mov eax, dword ptr [esi+10]
--------------
Press F5 again, and SoftICE breaks in again:
--------------
:00403783 FF75E4                  push [ebp-1C]
:00403786 FF75EC                  push [ebp-14]
* Reference To: USER32.GetWindowTextW, Ord:0165h
|
:00403789 FF1568B24000            Call dword ptr [0040B268]
:0040378F 85C0                    test eax, eax // eax = length of the password string; <=== cursor is here!
:00403791 7506                    jne 00403799 // jump if not empty;
:00403793 8B45E4                  mov eax, dword ptr [ebp-1C]
:00403796 668918                  mov word ptr [eax], bx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403791(C)
|
:00403799 FF75E4                  push [ebp-1C]
---------------
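The two searches in step [2] look for the same text under two byte patterns, because text read through a W (wide-character) API such as GetWindowTextW is held as UTF-16LE. The following is an added example, not part of the original write-up, that produces both patterns and locates them in a buffer; the buffer is constructed sample data and cp1252 as the ANSI code page is an assumption.

```python
from typing import Dict, List


def encodings_of(text: str) -> Dict[str, bytes]:
    """Byte patterns the same text takes in memory, keyed by encoding name."""
    out = {"utf-16le": text.encode("utf-16-le")}  # form used by the W APIs
    try:
        out["ansi"] = text.encode("cp1252")       # form used by the A APIs (assumed code page)
    except UnicodeEncodeError:
        pass  # text has no ANSI form in this code page, so only the wide form can exist
    return out


def hex_list(data: bytes) -> str:
    """Render bytes as the comma-separated hex list a byte-pattern search takes."""
    return ",".join(f"{b:02X}" for b in data)


def find_all(image: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in image (overlapping hits included)."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def locate(image: bytes, text: str) -> Dict[str, List[int]]:
    """Offsets of text in image, reported separately for each encoding."""
    return {name: find_all(image, pat) for name, pat in encodings_of(text).items()}


# Constructed sample buffer: two NUL-terminated wide strings, as an edit
# control's text would look after being read with a W API.
SAMPLE = (
    b"\x00" * 16
    + "moonlite".encode("utf-16-le") + b"\x00\x00"
    + b"\xCC" * 6
    + "1818518".encode("utf-16-le") + b"\x00\x00"
    + b"pad"
)

if __name__ == "__main__":
    print(hex_list(encodings_of("1818518")["utf-16le"]))
    for text in ("moonlite", "1818518"):
        print(text, locate(SAMPLE, text))
```
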
[3] The interesting part:
--> The jump at 00403791 lands here:
:00403799 FF75E4                  push [ebp-1C]
:0040379C FF75DC                  push [ebp-24]
:0040379F E853FDFFFF              call 004034F7 // step in and take a look
:004037A4 FF75E4                  push [ebp-1C]
:004037A7 FF75DC                  push [ebp-24]
:004037AA E8C2E4FFFF              call 00401C71
:004037AF 8D4DC8                  lea ecx, dword ptr [ebp-38]
:004037B2 E8F7FBFFFF              call 004033AE
:004037B7 8D45C8                  lea eax, dword ptr [ebp-38]
:004037BA 8BCE                    mov ecx, esi
:004037BC 50                      push eax
:004037BD C645FC02                mov [ebp-04], 02
:004037C1 E86FFDFFFF              call 00403535
----------
The call lands here:
* Referenced by a CALL at Addresses:
|:004034BF , :0040379F
|
:004034F7 FF742404                push [esp+04]
:004034FB E867E3FFFF              call 00401867
:00403500 85C0                    test eax, eax
:00403502 750A                    jne 0040350E
:00403504 68040000E2              push E2000004
:00403509 E8F4030000              call 00403902
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403502(C)
|
:0040350E 56                      push esi
:0040350F FF742408                push [esp+08]
:00403513 E866E2FFFF              call 0040177E // note: there is a JE not far after this call; too good a chance to miss, so step in and look...
:00403518 8BF0                    mov esi, eax
:0040351A FF74240C                push [esp+0C]
:0040351E E885E3FFFF              call 004018A8
:00403523 3BF0                    cmp esi, eax
:00403525 5E                      pop esi
:00403526 740A                    je 00403532
:00403528 68050000E2              push E2000005
:0040352D E8D0030000              call 00403902
----------
* Referenced by a CALL at Address:
|:00403513
|
:0040177E 55                      push ebp
:0040177F 8BEC                    mov ebp, esp
:00401781 83EC0C                  sub esp, 0000000C
:00401784 56                      push esi
:00401785 8B7508                  mov esi, dword ptr [ebp+08]
:00401788 8D45F4                  lea eax, dword ptr [ebp-0C] // eax points to the entered name, in WideChar form: "m.o.o.n.l.i.t.e."
:0040178B 6A00                    push 00000000
:0040178D 50                      push eax
:0040178E E8D6FEFFFF              call 00401669
:00401793 8D45F4                  lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Data Obj ->"CopyFaster is Copyright (c) 2000 "
                                        ->"Spencer Low. All rights reserved. "
                                        ->"If you use CopyFaster, pay $9.99 "
                                        ->"to register it by going to: http://www.lowtek."
                                        ->"com/copyfaster/"
|
:00401796 6868E14000              push 0040E168
:0040179B 50                      push eax
:0040179C E806FFFFFF              call 004016A7
-------------
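Next, the code from 004017A1 to 004017D4 transforms the name string.
-----------
:00403513 E866E2FFFF              call 0040177E // compute the registration code;
:00403518 8BF0                    mov esi, eax // returned eax = the real registration code computed from the name, moved into esi: mine is "1756057853"; write it down with a pen so it does not get lost;
:0040351A FF74240C                push [esp+0C] // push the address of the entered fake registration code;
:0040351E E885E3FFFF              call 004018A8 // convert the entered fake registration code to decimal form: the returned eax is "0001818518";
:00403523 3BF0                    cmp esi, eax // compare the real and fake registration codes;
:00403525 5E                      pop esi
:00403526 740A                    je 00403532 // equal means good boy;
:00403528 68050000E2              push E2000005
:0040352D E8D0030000              call 00403902
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403526(C)
|
:00403532 C20800                  ret 0008
-------------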
F5 to return to the main program.
[4] Epilogue:
Change the registration code to "1756057853" and enter it. Press OK: success!
After successful registration, two values are created in the registry:
[HKEY_USERS\S-1-5-21-1844237615-1682526488-1957994488-500\Software\LowTek\CopyFaster\Registration]
"Name"="moonlite"
"Number"="1756057853"
[5] Afterword: I have not used SoftICE for more than half a year, but under Win2K there is still no other choice. This is my first crack under Windows 2000. I hope the experts here will offer plenty of advice!
★☆ moonlite, 2001-7-13 ☆★