兩種破解 花貓時間精靈 v1.0 功能限制的方法,本人獻給破解初學者的第一篇破文!高手請匆入內~~ (24千字)
兩種破解 花貓時間精靈 v1.0 功能限制的方法
軟體名稱:花貓時間精靈 V1.0
軟體簡介:本軟體具有萬年曆、定時關機、定時提醒、網上校正時間、關閉網路計算機、立即關機、立即重啟、立即登出(重新登入)等功能,還能對軟體本身的文字顏色、字型、背景顏色進行設定,實現了軟體DIY。
破解工具:TRW2000 1.22漢化版、W32DASM 8.93漢化版、FI 2.5、Hiew6.76。
破解人:飛鷹[BCG]
E-mail:flithawk@263.net
網址:http://flithawk.longcity.net
一、爆力破解:
1、去掉軟體的未註冊提示資訊和時間限制:
首先,用 exescope 查詢這些限制的提示資訊,找到如下的字元及對應的ID號:
200,對不起 !您所使用的軟體已經超過了 15 天的試用期,有些功能將不能使用。$0A$0A如果您想繼續使用本軟體的全部功能,請進入關於對話方塊進行註冊,在您註冊後將可以重新使用全部功能。
201,您使用的軟體未經註冊 !$0A$0A未註冊的軟體只有 15 天的試用期,在試用期過後,您將不能正常使用此軟體 !$0A$0A如果您想註冊軟體,請進入關於對話方塊進行註冊。
202,未註冊的軟體
在這裡我們知道ID號為 200 是軟體過期提示資訊,201與202 是軟體未註冊提示資訊。在 W32DASM 反彙編該軟體,並分別在 W32DASM 中找到與這些字串ID號對應在位置,如下所示:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040107B(U), :00401215(U)
|
:00401221 833D28D6410000 cmp dword ptr [0041D628],
00000000==>判斷是否已註冊,0 表示未註冊,1 表示已註冊
:00401228 0F85DD010000 jne 0040140B==>跳轉則表示軟體已註冊
:0040122E E8CFEB0000 call 0040FE02
:00401233 898564FBFFFF mov dword ptr
[ebp+FFFFFB64], eax
:00401239 8B9564FBFFFF mov edx, dword
ptr [ebp+FFFFFB64]
:0040123F 899558FBFFFF mov dword ptr
[ebp+FFFFFB58], edx
:00401245 83BD58FBFFFF00 cmp dword ptr [ebp+FFFFFB58],
00000000
:0040124C 741B
je 00401269==>跳轉則顯示過期提示資訊
:0040124E 83BD58FBFFFF01 cmp dword ptr [ebp+FFFFFB58],
00000001
:00401255 7474
je 004012CB==>跳轉則顯示未註冊提示資訊
:00401257 83BD58FBFFFF02 cmp dword ptr [ebp+FFFFFB58],
00000002
:0040125E 0F8409010000 je 0040136D==>跳轉則顯示未註冊提示資訊
:00401264 E9A0010000 jmp 00401409
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040124C(C)
|
:00401269 C7052CD6410000000000 mov dword ptr [0041D62C], 00000000
:00401273 6804010000 push 00000104
:00401278 8D8568FBFFFF lea eax, dword
ptr [ebp+FFFFFB68]
:0040127E 50
push eax
* Possible Reference to String Resource ID=00200: "w @(喏N?15 )f(
??(|?(,喏h??e"==>軟體過期提示資訊
|
:0040127F 68C8000000 push 000000C8
:00401284 8B0D48D64100 mov ecx, dword
ptr [0041D648]
:0040128A 51
push ecx
* Reference To: USER32.LoadStringA, Ord:0000h
|
:0040128B FF1520624100 Call dword ptr
[00416220]
:00401291 6804010000 push 00000104
:00401296 8D957CFCFFFF lea edx, dword
ptr [ebp+FFFFFC7C]
:0040129C 52
push edx
* Possible Reference to String Resource ID=00202: "*?
|
:0040129D 68CA000000 push 000000CA
:004012A2 A148D64100 mov eax,
dword ptr [0041D648]
:004012A7 50
push eax
* Reference To: USER32.LoadStringA, Ord:0000h
|
:004012A8 FF1520624100 Call dword ptr
[00416220]
* Possible Reference to String Resource ID=00016: "\b ||"
|
:004012AE 6A10
push 00000010
:004012B0 8D8D7CFCFFFF lea ecx, dword
ptr [ebp+FFFFFC7C]
:004012B6 51
push ecx
:004012B7 8D9568FBFFFF lea edx, dword
ptr [ebp+FFFFFB68]
:004012BD 52
push edx
:004012BE 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004012C0 FF15E4614100 Call dword ptr
[004161E4]
:004012C6 E93E010000 jmp 00401409
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401255(C)
|
* Possible Reference to String Resource ID=00001: "\bL? u2e<?B?n>2L-n"
|
:004012CB C7052CD6410001000000 mov dword ptr [0041D62C], 00000001
:004012D5 8D856CFCFFFF lea eax, dword
ptr [ebp+FFFFFC6C]
:004012DB 50
push eax
* Reference To: KERNEL32.GetLocalTime, Ord:0000h
|
:004012DC FF1554614100 Call dword ptr
[00416154]
* Possible Reference to String Resource ID=00001: "\bL? u2e<?B?n>2L-n"
|
:004012E2 6A01
push 00000001
:004012E4 83EC10
sub esp, 00000010
:004012E7 8BCC
mov ecx, esp
:004012E9 8B956CFCFFFF mov edx, dword
ptr [ebp+FFFFFC6C]
:004012EF 8911
mov dword ptr [ecx], edx
:004012F1 8B8570FCFFFF mov eax, dword
ptr [ebp+FFFFFC70]
:004012F7 894104
mov dword ptr [ecx+04], eax
:004012FA 8B9574FCFFFF mov edx, dword
ptr [ebp+FFFFFC74]
:00401300 895108
mov dword ptr [ecx+08], edx
:00401303 8B8578FCFFFF mov eax, dword
ptr [ebp+FFFFFC78]
:00401309 89410C
mov dword ptr [ecx+0C], eax
:0040130C E85CE40000 call 0040F76D
:00401311 83C414
add esp, 00000014
:00401314 6804010000 push 00000104
:00401319 8D8D68FBFFFF lea ecx, dword
ptr [ebp+FFFFFB68]
:0040131F 51
push ecx
* Possible Reference to String Resource ID=00201: "?(??*喏
15 )f((f(N?c8(d喏 |?==>軟體未註冊提示資訊
|
:00401320 68C9000000 push 000000C9
:00401325 8B1548D64100 mov edx, dword
ptr [0041D648]
:0040132B 52
push edx
* Reference To: USER32.LoadStringA, Ord:0000h
|
:0040132C FF1520624100 Call dword ptr
[00416220]
:00401332 6804010000 push 00000104
:00401337 8D857CFCFFFF lea eax, dword
ptr [ebp+FFFFFC7C]
:0040133D 50
push eax
* Possible Reference to String Resource ID=00202: "*?==>軟體未註冊提示資訊
|
:0040133E 68CA000000 push 000000CA
:00401343 8B0D48D64100 mov ecx, dword
ptr [0041D648]
:00401349 51
push ecx
* Reference To: USER32.LoadStringA, Ord:0000h
|
:0040134A FF1520624100 Call dword ptr
[00416220]
* Possible Reference to String Resource ID=00064: "yyyy t M "
|
:00401350 6A40
push 00000040
:00401352 8D957CFCFFFF lea edx, dword
ptr [ebp+FFFFFC7C]
:00401358 52
push edx
:00401359 8D8568FBFFFF lea eax, dword
ptr [ebp+FFFFFB68]
:0040135F 50
push eax
:00401360 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401362 FF15E4614100 Call dword ptr
[004161E4]
:00401368 E99C000000 jmp 00401409
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040125E(C)
|
* Possible Reference to String Resource ID=00001: "\bL? u2e<?B?n>2L-n"
|
:0040136D C7052CD6410001000000 mov dword ptr [0041D62C], 00000001
:00401377 8D8D6CFCFFFF lea ecx, dword
ptr [ebp+FFFFFC6C]
:0040137D 51
push ecx
* Reference To: KERNEL32.GetLocalTime, Ord:0000h
|
:0040137E FF1554614100 Call dword ptr
[00416154]
:00401384 6A00
push 00000000
:00401386 83EC10
sub esp, 00000010
:00401389 8BD4
mov edx, esp
:0040138B 8B856CFCFFFF mov eax, dword
ptr [ebp+FFFFFC6C]
:00401391 8902
mov dword ptr [edx], eax
:00401393 8B8D70FCFFFF mov ecx, dword
ptr [ebp+FFFFFC70]
:00401399 894A04
mov dword ptr [edx+04], ecx
:0040139C 8B8574FCFFFF mov eax, dword
ptr [ebp+FFFFFC74]
:004013A2 894208
mov dword ptr [edx+08], eax
:004013A5 8B8D78FCFFFF mov ecx, dword
ptr [ebp+FFFFFC78]
:004013AB 894A0C
mov dword ptr [edx+0C], ecx
:004013AE E8BAE30000 call 0040F76D
:004013B3 83C414
add esp, 00000014
:004013B6 6804010000 push 00000104
:004013BB 8D9568FBFFFF lea edx, dword
ptr [ebp+FFFFFB68]
:004013C1 52
push edx
* Possible Reference to String Resource ID=00201: "?(??*喏
15 )f((f(N?c8(d喏 |?==>軟體未註冊提示資訊
|
:004013C2 68C9000000 push 000000C9
:004013C7 A148D64100 mov eax,
dword ptr [0041D648]
:004013CC 50
push eax
* Reference To: USER32.LoadStringA, Ord:0000h
|
:004013CD FF1520624100 Call dword ptr
[00416220]
:004013D3 6804010000 push 00000104
:004013D8 8D8D7CFCFFFF lea ecx, dword
ptr [ebp+FFFFFC7C]
:004013DE 51
push ecx
* Possible Reference to String Resource ID=00202: "*?==>軟體未註冊提示資訊
|
:004013DF 68CA000000 push 000000CA
:004013E4 8B1548D64100 mov edx, dword
ptr [0041D648]
:004013EA 52
push edx
* Reference To: USER32.LoadStringA, Ord:0000h
|
:004013EB FF1520624100 Call dword ptr
[00416220]
* Possible Reference to String Resource ID=00064: "yyyy t M "
|
:004013F1 6A40
push 00000040
:004013F3 8D857CFCFFFF lea eax, dword
ptr [ebp+FFFFFC7C]
:004013F9 50
push eax
:004013FA 8D8D68FBFFFF lea ecx, dword
ptr [ebp+FFFFFB68]
:00401400 51
push ecx
:00401401 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401403 FF15E4614100 Call dword ptr
[004161E4]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401264(U), :004012C6(U), :00401368(U)
|
:00401409 EB0A
jmp 00401415
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401228(C)
|
* Possible Reference to String Resource ID=00001: "\bL? u2e<?B?n>2L-n"
|
:0040140B C7052CD6410001000000 mov dword ptr [0041D62C], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401409(U)
|
:00401415 8B5508
mov edx, dword ptr [ebp+08]
:00401418 891548D64100 mov dword ptr
[0041D648], edx
用 Hiew 把 00401221 處的 833D28D6410000 改為 833D28D6410001,就可以去掉去掉軟體的未註冊提示資訊和時間限制。當然,如果你不怕改著麻煩的話,你也可以分別把
0040124C、00401255、0040125E 這三處的 741B、7474、0F8409010000 改為 751B、7574、0F8509010000,這種改法一樣可以達到預期的目標,只是顯的非常麻煩。
2、去掉軟體“關於”對話方塊中的“軟體未授權”字樣:
首先,用 exescope 查詢這些限制的提示資訊,找到如下的字元及對應的ID號:
191,本產品使用權屬於:$0D$0A%s$0D$0A序列號:%04x-%04x-%04x-%04x
192,您所使用的產品沒有獲得授權。$0D$0A如果您想獲得授權,$0A請點選以下注冊按鈕進行註冊。
在這裡我們知道ID號為 191 是顯示軟體註冊後的使用者名稱和序列號,192 是顯示軟體未授權等字樣。在 W32DASM 反彙編該軟體,並分別在 W32DASM
中找到與這些字串ID號對應在位置,如下所示:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408816(C)
|
:00408928 833D28D6410000 cmp dword ptr [0041D628],
00000000
:0040892F 0F84B8000000 je 004089ED==>跳轉則顯示軟體未授權等字樣
:00408935 6804010000 push 00000104
:0040893A 8D85DCFDFFFF lea eax, dword
ptr [ebp+FFFFFDDC]
:00408940 50
push eax
* Possible Reference to String Resource ID=00191: ","?(l?%s?_:%04x-%04x-%04x-%04x"==>顯示軟體註冊後的使用者名稱和序列號
|
:00408941 68BF000000 push 000000BF
:00408946 8B0D48D64100 mov ecx, dword
ptr [0041D648]
:0040894C 51
push ecx
* Reference To: USER32.LoadStringA, Ord:0000h
|
:0040894D FF1520624100 Call dword ptr
[00416220]
:00408953 8D55F8
lea edx, dword ptr [ebp-08]
:00408956 52
push edx
:00408957 8D85F4FEFFFF lea eax, dword
ptr [ebp+FFFFFEF4]
:0040895D 50
push eax
* Reference To: KERNEL32.GetComputerNameA, Ord:0000h
|
:0040895E FF15BC604100 Call dword ptr
[004160BC]
:00408964 E82C510000 call 0040DA95
:00408969 89859CFCFFFF mov dword ptr
[ebp+FFFFFC9C], eax
:0040896F 8995A0FCFFFF mov dword ptr
[ebp+FFFFFCA0], edx
:00408975 8B8D9CFCFFFF mov ecx, dword
ptr [ebp+FFFFFC9C]
:0040897B 898DA4FCFFFF mov dword ptr
[ebp+FFFFFCA4], ecx
:00408981 8B95A0FCFFFF mov edx, dword
ptr [ebp+FFFFFCA0]
:00408987 8995A8FCFFFF mov dword ptr
[ebp+FFFFFCA8], edx
:0040898D 8B85AAFCFFFF mov eax, dword
ptr [ebp+FFFFFCAA]
:00408993 25FFFF0000 and eax,
0000FFFF
:00408998 50
push eax
:00408999 8B8DA8FCFFFF mov ecx, dword
ptr [ebp+FFFFFCA8]
:0040899F 81E1FFFF0000 and ecx, 0000FFFF
:004089A5 51
push ecx
:004089A6 8B95A6FCFFFF mov edx, dword
ptr [ebp+FFFFFCA6]
:004089AC 81E2FFFF0000 and edx, 0000FFFF
:004089B2 52
push edx
:004089B3 8B85A4FCFFFF mov eax, dword
ptr [ebp+FFFFFCA4]
:004089B9 25FFFF0000 and eax,
0000FFFF
:004089BE 50
push eax
:004089BF 8D8DF4FEFFFF lea ecx, dword
ptr [ebp+FFFFFEF4]
:004089C5 51
push ecx
:004089C6 8D95DCFDFFFF lea edx, dword
ptr [ebp+FFFFFDDC]
:004089CC 52
push edx
:004089CD 8D85B8FCFFFF lea eax, dword
ptr [ebp+FFFFFCB8]
:004089D3 50
push eax
:004089D4 E8367E0000 call 0041080F
:004089D9 83C41C
add esp, 0000001C
:004089DC 8D8DB8FCFFFF lea ecx, dword
ptr [ebp+FFFFFCB8]
:004089E2 51
push ecx
:004089E3 E8FEC50000 call 00414FE6
:004089E8 83C404
add esp, 00000004
:004089EB EB1D
jmp 00408A0A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040892F(C)
|
:004089ED 6804010000 push 00000104
:004089F2 8D95B8FCFFFF lea edx, dword
ptr [ebp+FFFFFCB8]
:004089F8 52
push edx
* Possible Reference to String Resource ID=00192: "@(? rr
x清 2L"==>顯示軟體未授權等字樣
|
:004089F9 68C0000000 push 000000C0
:004089FE A148D64100 mov eax,
dword ptr [0041D648]
:00408A03 50
push eax
用 Hiew 把 00408928 處的 833D28D6410000 改為 833D28D6410001,就可以去掉軟體“關於”對話方塊中的“軟體未授權”字樣,顯示軟體註冊後的使用者名稱和序列號。
二、追出註冊碼:
首先,用 exescope 查詢註冊成功和註冊失敗等提示資訊,可找到如下的字元及對應的ID號:
198,您所輸入的序列號不正確,請重新輸入正確的序列號!
199,註冊成功 !
在這裡我們知道ID號為 198 是註冊錯誤提示資訊,199 是註冊成功提示資訊。在 W32DASM 反彙編該軟體,並分別在 W32DASM 中找到與這些字串ID號對應在位置,如下所示:
* Possible StringData Ref from Data Obj ->"%02x%02x%02x%02x%02x%02x%02x%02x"
|
:0040E7DD 68AC9E4100 push 00419EAC
:0040E7E2 8D8DF8FEFFFF lea ecx, dword ptr [ebp+FFFFFEF8]
:0040E7E8 51 push ecx
:0040E7E9 E821200000 call 0041080F
:0040E7EE 83C428 add esp, 00000028
:0040E7F1 8D95F8FEFFFF lea edx, dword ptr [ebp+FFFFFEF8]
:0040E7F7 52 push edx
:0040E7F8 E8E9670000 call 00414FE6
:0040E7FD 83C404 add esp, 00000004
:0040E800 8D85CCFCFFFF lea eax, dword ptr [ebp+FFFFFCCC]
:0040E806 50 push eax
:0040E807 E8DA670000 call 00414FE6
:0040E80C 83C404 add esp, 00000004
:0040E80F 8D8DF8FEFFFF lea ecx, dword ptr [ebp+FFFFFEF8]
:0040E815 51 push ecx
:0040E816 8D95CCFCFFFF lea edx, dword ptr [ebp+FFFFFCCC]
:0040E81C 52 push edx
:0040E81D E84E230000 call 00410B70==>關鍵點,應該跟進去看看
:0040E822 83C408 add esp, 00000008
:0040E825 85C0 test eax, eax
:0040E827 0F84B9000000 je 0040E8E6==>跳轉則顯示註冊成功提示資訊
:0040E82D 6804010000 push 00000104
:0040E832 8D85CCFCFFFF lea eax, dword ptr [ebp+FFFFFCCC]
:0040E838 50 push eax
* Possible Reference to String Resource ID=00198: "@8e_cn送?ecn_"==>註冊錯誤提示資訊
|
:0040E839 68C6000000 push 000000C6
:0040E83E 8B0D48D64100 mov ecx, dword ptr [0041D648]
:0040E844 51 push ecx
* Reference To: USER32.LoadStringA, Ord:0000h
|
:0040E845 FF1520624100 Call dword ptr [00416220]
:0040E84B 6804010000 push 00000104
:0040E850 8D95D0FDFFFF lea edx, dword ptr [ebp+FFFFFDD0]
:0040E856 52 push edx
* Possible Reference to String Resource ID=00059: "BH"
|
:0040E857 6A3B push 0000003B
:0040E859 A148D64100 mov eax, dword ptr [0041D648]
:0040E85E 50 push eax
* Reference To: USER32.LoadStringA, Ord:0000h
|
:0040E85F FF1520624100 Call dword ptr [00416220]
* Possible Reference to String Resource ID=00016: "\b ||"
|
:0040E865 6A10 push 00000010
:0040E867 8D8DD0FDFFFF lea ecx, dword ptr [ebp+FFFFFDD0]
:0040E86D 51 push ecx
:0040E86E 8D95CCFCFFFF lea edx, dword ptr [ebp+FFFFFCCC]
:0040E874 52 push edx
:0040E875 8B4508 mov eax, dword ptr [ebp+08]
:0040E878 50 push eax
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0040E879 FF15E4614100 Call dword ptr [004161E4]
:0040E87F 6A00 push 00000000
:0040E881 6856040000 push 00000456
:0040E886 8B4D08 mov ecx, dword ptr [ebp+08]
:0040E889 51 push ecx
* Reference To: USER32.GetDlgItem, Ord:0000h
|
:0040E88A FF1548624100 Call dword ptr [00416248]
:0040E890 50 push eax
* Reference To: USER32.SetWindowTextA, Ord:0000h
|
:0040E891 FF1544624100 Call dword ptr [00416244]
:0040E897 6A00 push 00000000
:0040E899 6857040000 push 00000457
:0040E89E 8B5508 mov edx, dword ptr [ebp+08]
:0040E8A1 52 push edx
* Reference To: USER32.GetDlgItem, Ord:0000h
|
:0040E8A2 FF1548624100 Call dword ptr [00416248]
:0040E8A8 50 push eax
* Reference To: USER32.SetWindowTextA, Ord:0000h
|
:0040E8A9 FF1544624100 Call dword ptr [00416244]
:0040E8AF 6A00 push 00000000
:0040E8B1 6858040000 push 00000458
:0040E8B6 8B4508 mov eax, dword ptr [ebp+08]
:0040E8B9 50 push eax
* Reference To: USER32.GetDlgItem, Ord:0000h
|
:0040E8BA FF1548624100 Call dword ptr [00416248]
:0040E8C0 50 push eax
* Reference To: USER32.SetWindowTextA, Ord:0000h
|
:0040E8C1 FF1544624100 Call dword ptr [00416244]
:0040E8C7 6A00 push 00000000
:0040E8C9 6859040000 push 00000459
:0040E8CE 8B4D08 mov ecx, dword ptr [ebp+08]
:0040E8D1 51 push ecx
* Reference To: USER32.GetDlgItem, Ord:0000h
|
:0040E8D2 FF1548624100 Call dword ptr [00416248]
:0040E8D8 50 push eax
* Reference To: USER32.SetWindowTextA, Ord:0000h
|
:0040E8D9 FF1544624100 Call dword ptr [00416244]
:0040E8DF 33C0 xor eax, eax
:0040E8E1 E9A4000000 jmp 0040E98A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E827(C)
|
:0040E8E6 8D95D8FEFFFF lea edx, dword ptr [ebp+FFFFFED8]
:0040E8EC 52 push edx
:0040E8ED E8A70D0000 call 0040F699
:0040E8F2 83C404 add esp, 00000004
* Possible Reference to String Resource ID=00001: "\bL? u2e<?B?n>2L-n"
|
:0040E8F5 C70528D6410001000000 mov dword ptr [0041D628], 00000001
* Possible Reference to String Resource ID=00001: "\bL? u2e<?B?n>2L-n"
|
:0040E8FF C7052CD6410001000000 mov dword ptr [0041D62C], 00000001
:0040E909 6804010000 push 00000104
:0040E90E 8D85CCFCFFFF lea eax, dword ptr [ebp+FFFFFCCC]
:0040E914 50 push eax
* Possible Reference to String Resource ID=00199: "?"==>註冊成功提示資訊
|
:0040E915 68C7000000 push 000000C7
:0040E91A 8B0D48D64100 mov ecx, dword ptr [0041D648]
:0040E920 51 push ecx
跟蹤進入 call 00410B70 後,彙編程式碼如下:
* Referenced by a CALL at Address:
|:0040E81D
|
:00410B70 8B542404 mov edx, dword ptr [esp+04]==>edx 中放著你輸入的註冊碼
:00410B74 8B4C2408 mov ecx, dword ptr [esp+08]==>ecx 中放著真的註冊碼
* Possible Reference to String Resource ID=00003: ""
|
:00410B78 F7C203000000 test edx, 00000003
:00410B7E 753C jne 00410BBC
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00410BAC(C), :00410BD6(C), :00410BF2(U)
|
:00410B80 8B02 mov eax, dword ptr [edx]
:00410B82 3A01 cmp al, byte ptr [ecx]
:00410B84 752E jne 00410BB4
:00410B86 0AC0 or al, al
:00410B88 7426 je 00410BB0
:00410B8A 3A6101 cmp ah, byte ptr [ecx+01]
:00410B8D 7525 jne 00410BB4
:00410B8F 0AE4 or ah, ah
:00410B91 741D je 00410BB0
:00410B93 C1E810 shr eax, 10
:00410B96 3A4102 cmp al, byte ptr [ecx+02]
:00410B99 7519 jne 00410BB4
:00410B9B 0AC0 or al, al
:00410B9D 7411 je 00410BB0
:00410B9F 3A6103 cmp ah, byte ptr [ecx+03]
:00410BA2 7510 jne 00410BB4
:00410BA4 83C104 add ecx, 00000004
:00410BA7 83C204 add edx, 00000004
:00410BAA 0AE4 or ah, ah
:00410BAC 75D2 jne 00410B80
:00410BAE 8BFF mov edi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00410B88(C), :00410B91(C), :00410B9D(C), :00410BCE(C), :00410BE4(C)
|:00410BED(C)
|
:00410BB0 33C0 xor eax, eax
:00410BB2 C3 ret
用 TRW2000 在 00410B78 處下斷後,用 d ecx 命令就可以知道真的註冊碼。
我的使用者名稱是:FLITHAWK,機器號是:574B-3147-3735-3935,註冊號是:C1D7-B567-6484-F9E2
至此,該軟體的破解全部結束,希望此篇能對破解初學者有所幫助!
Crack by 飛鷹[BCG] flithawk@263.net 2001.10.25
歡迎光臨漢化新世紀: http://www.hanzify.org
相關文章
- 獻給初學者(高手也看看) 破解 Cpukiller 2.0 (1千字)2000-09-17
- 獻給初學者(高手也點評點評!!)KoolMoves V1.33的破解!!
(10千字)2000-09-16
- 英語會話精靈 2.0 --謹以此文獻給初學破解的愛好者
(7千字)2015-11-15會話
- 我的第一篇破文,獻給看學學院的!^_^高手免進! (10千字)2015-11-15
- 破解WorkgroupMail 的30天的時間限制(FCG作業)---高手莫入! (10千字)2015-11-15AI
- 我的第一篇破文,獻給看學學院! 高手免進! (2千字)2002-06-29
- 破解 Add/Remove Plus! 2001 的 30 天時間限制(初學者快看)
(1千字)2001-04-22REM
- 小小助手V2.01的破解過程-----算是我留給初學者的一偏破文
(7千字)2015-11-15
- 申請加入BCG第二篇:破解網頁特效小精靈 V2.0時間限制。 (2千字)2001-10-06網頁特效
- 初學者請進(一篇破解javagirl的心得) (2千字)2000-05-09Java
- 獻給UNIX的初學者2012-03-08
- 暴力破解Paragon CD Emulator時間及功能限制 (7千字)2001-03-24Go
- 本人首次自己試破解(請各位高手指教一下) (1千字)2000-08-11
- 轉貼:破解時間限制的老文章(一) (2千字)2000-10-23
- 轉貼:破解時間限制的老文章(二) (2千字)2000-10-23
- 巨好的俄羅斯方塊時間限制破解 (1千字)2001-05-04
- 一個典型的時間限制軟體的破解 (4千字)2001-01-29
- PwlTool的功能限制的破解---DDXia[CCG] (8千字)2001-03-10
- 瘋狂單詞破解實錄(初學者請進!) (9千字)2000-08-24
- 破解badcat21---真正的初學者 (5千字)2001-05-19
- 一個簡單的破解,供初學者參考!望高手多加指點! (1千字)2001-03-26
- 如何完美破解winhex9.73的功能限制! (8千字)2001-03-13
- 用VB“破解”有時間限制的程式 (轉)2007-12-04
- 本人超級奉獻!初學者如果看得明白就是入門直徑! bye! (16千字)2001-04-09
- 一篇破解教程-----面向初學者 (15千字)2001-04-01
- 破文一篇:易經八卦占卜程式7.0的破解(高手莫入) (8千字)2001-08-31
- 申請加入BCG破文3--加密精靈EncryptGenie22註冊碼破解及序號產生器制作 (5千字)2001-10-28加密
- 破解flax 1.31的校驗及功能限制 (3千字)2001-10-25
- 破解華琦庫管精靈1.2.4 (8千字)2000-09-11
- 破解 開機小精靈 2.11 (7千字)2001-11-12
- VB輸入限制的記憶體破解 (2千字)2003-04-28記憶體
- 演算法分析: <獻給初學者>
之一 (4千字)2002-06-06演算法
- 演算法分析: <獻給初學者>
之四 (9千字)2002-06-06演算法
- 演算法分析:
<獻給初學者> 之二 (7千字)2002-06-07演算法
- 用“破解除錯”的方法修改序號產生器(SDK)功能――獻給自由的FCG和所有Cracker (23千字)2015-11-15除錯
- 5StarZip 2001 破解----初學者破解入門 ---
[BCG]系列 (1千字)2001-04-13
- 加密精靈V2.2破解過程 (9千字)2001-10-28加密
- ModelMaker
CodeExplorer Expert 1.05 Demo時間限制破解 (32千字)2002-03-21