慧琦網通-IE安全衛士 1.2 破解過程全面分析 (22千字)
慧琦網通-IE安全衛士 1.2 破解過程全面分析
軟體名稱:慧琦網通-IE安全衛士 V1.2
軟體簡介:在瀏覽某些網站時,使用者的個人電腦配置常常被這些網站偷樑換柱,許多人都碰到過這類情況。比如:網頁的主頁與標題被人設定,WINDOWS的某些功能被人禁用,每次開機時出現一些莫名其妙的網站等等。
下載地址:http://www.shareware.net.cn/download.asp?id={16A46F8E-45C7-4C22-9B0B-28F5EC38CA05}
未註冊版限制:最多隻能使用15次並有一些功能限制。
破解工具:W32DASM 8.93漢化版、PE iDentifier 0.7 Beta 漢化版、Hiew6.76、UPX 1.20。
破解人:飛鷹[BCG]
E-mail:flithawk@263.net
網址:http://flithawk.longcity.net
該軟體的註冊過程是透過你輸入註冊資訊後,將軟體關閉再開啟,進行註冊。
透過觀察登錄檔可知,該軟體的註冊資訊是被儲存在登錄檔的 HKLM\SOFTWARE\Microsoft\tpcip\CurrentVersion 專案中;每次啟動軟體都要與該項中的鍵值比較,看你是否已經註冊並判斷註冊資訊是否正確。
下面,我們用 PE iDentifier 0.7 Beta 漢化版 檢視可知該軟體被用 UPX 加了殼,現在用 UPX 1.20 的 upx -d 命令進行脫殼後,用
W32DASM 8.93漢化版 反編譯該軟體,並查詢 tpcip\CurrentVersion ,找到以下兩處:
第一處:
* Possible StringData Ref from Code Obj ->"SOFTWARE\Microsoft\tpcip\CurrentVersion"
|
:0049A644 68E4A64900 push 0049A6E4
:0049A649 6802000080 push 80000002
* Reference To: advapi32.RegCreateKeyExA, Ord:0000h
|
:0049A64E E851C5F6FF Call 00406BA4
:0049A653 85C0
test eax, eax
:0049A655 7563
jne 0049A6BA
:0049A657 8D55F4
lea edx, dword ptr [ebp-0C]
:0049A65A 8B8360050000 mov eax, dword
ptr [ebx+00000560]
:0049A660 E80F1DFAFF call 0043C374
:0049A665 8B4DF4
mov ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"Rotescode"
|
:0049A668 BA14A74900 mov edx,
0049A714
:0049A66D 8B45FC
mov eax, dword ptr [ebp-04]
:0049A670 E85F55FDFF call 0046FBD4
:0049A675 8D55F0
lea edx, dword ptr [ebp-10]
:0049A678 8B8370050000 mov eax, dword
ptr [ebx+00000570]
:0049A67E E8F11CFAFF call 0043C374
:0049A683 8B4DF0
mov ecx, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"RotesNum"
|
:0049A686 BA28A74900 mov edx,
0049A728
:0049A68B 8B45FC
mov eax, dword ptr [ebp-04]
:0049A68E E84155FDFF call 0046FBD4
:0049A693 8D55EC
lea edx, dword ptr [ebp-14]
:0049A696 8B8368050000 mov eax, dword
ptr [ebx+00000568]
:0049A69C E8D31CFAFF call 0043C374
:0049A6A1 8B4DEC
mov ecx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"Object"
|
:0049A6A4 BA3CA74900 mov edx,
0049A73C
:0049A6A9 8B45FC
mov eax, dword ptr [ebp-04]
:0049A6AC E82355FDFF call 0046FBD4
:0049A6B1 8B45FC
mov eax, dword ptr [ebp-04]
:0049A6B4 50
push eax
* Reference To: advapi32.RegCloseKey, Ord:0000h
|
:0049A6B5 E8E2C4F6FF Call 00406B9C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049A629(C), :0049A655(C)
|
:0049A6BA 33C0
xor eax, eax
:0049A6BC 5A
pop edx
:0049A6BD 59
pop ecx
:0049A6BE 59
pop ecx
:0049A6BF 648910
mov dword ptr fs:[eax], edx
:0049A6C2 68DCA64900 push 0049A6DC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A6DA(U)
|
:0049A6C7 8D45EC
lea eax, dword ptr [ebp-14]
:0049A6CA BA03000000 mov edx,
00000003
:0049A6CF E8C49FF6FF call 00404698
:0049A6D4 C3
ret
上面這些彙編程式碼的作用是:當軟體退出時,把你輸入的註冊資訊寫入到登錄檔相關的專案中。
第二處:
* Possible StringData Ref from Code Obj ->"SOFTWARE\Microsoft\tpcip\CurrentVersion"
|
:0049A0FB 6850A44900 push 0049A450
:0049A100 6802000080 push 80000002
* Reference To: advapi32.RegCreateKeyExA, Ord:0000h
|
:0049A105 E89ACAF6FF Call 00406BA4
:0049A10A 85C0
test eax, eax
:0049A10C 7548
jne 0049A156
:0049A10E 8D45FC
lea eax, dword ptr [ebp-04]
:0049A111 50
push eax
* Possible StringData Ref from Code Obj ->"PPPPP"
|
:0049A112 B980A44900 mov ecx,
0049A480
* Possible StringData Ref from Code Obj ->"Rotescode"
|
:0049A117 BA90A44900 mov edx,
0049A490
:0049A11C 8B45F0
mov eax, dword ptr [ebp-10]
:0049A11F E87859FDFF call 0046FA9C
:0049A124 8D45F8
lea eax, dword ptr [ebp-08]
:0049A127 50
push eax
* Possible StringData Ref from Code Obj ->"H012123"
|
:0049A128 B9A4A44900 mov ecx,
0049A4A4
* Possible StringData Ref from Code Obj ->"RotesNum"
|
:0049A12D BAB4A44900 mov edx,
0049A4B4
:0049A132 8B45F0
mov eax, dword ptr [ebp-10]
:0049A135 E86259FDFF call 0046FA9C
:0049A13A 8D45F4
lea eax, dword ptr [ebp-0C]
:0049A13D 50
push eax
:0049A13E 33C9
xor ecx, ecx
* Possible StringData Ref from Code Obj ->"Object"
|
:0049A140 BAC8A44900 mov edx,
0049A4C8
:0049A145 8B45F0
mov eax, dword ptr [ebp-10]
:0049A148 E84F59FDFF call 0046FA9C
:0049A14D 8B45F0
mov eax, dword ptr [ebp-10]
:0049A150 50
push eax
* Reference To: advapi32.RegCloseKey, Ord:0000h
|
:0049A151 E846CAF6FF Call 00406B9C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A10C(C)
|
:0049A156 8B45F8
mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"AHF000186"
|
:0049A159 BAD8A44900 mov edx,
0049A4D8
:0049A15E E80DA9F6FF call 00404A70
:0049A163 7516
jne 0049A17B
:0049A165 8D55D8
lea edx, dword ptr [ebp-28]
:0049A168 8B45F8
mov eax, dword ptr [ebp-08]
:0049A16B E884E6F6FF call 004087F4
:0049A170 8B55D8
mov edx, dword ptr [ebp-28]
:0049A173 8D45F8
lea eax, dword ptr [ebp-08]
:0049A176 E891A5F6FF call 0040470C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A163(C)
|
:0049A17B 8D4DD4
lea ecx, dword ptr [ebp-2C]
:0049A17E 8B55F8
mov edx, dword ptr [ebp-08]
:0049A181 8B45FC
mov eax, dword ptr [ebp-04]
:0049A184 E85B53FDFF call 0046F4E4
:0049A189 8B45D4
mov eax, dword ptr [ebp-2C]==>EAX中存著算出的真註冊碼
:0049A18C 8B55F4
mov edx, dword ptr [ebp-0C]==>EDX是存著你輸入的註冊碼
:0049A18F E8DCA8F6FF call 00404A70
:0049A194 740C
je 0049A1A2==>判斷輸入註冊碼是否正確,正確則跳轉
:0049A196 C683E005000001 mov byte ptr [ebx+000005E0],
01
:0049A19D E9BC000000 jmp 0049A25E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A194(C)
|
:0049A1A2 C683E005000000 mov byte ptr [ebx+000005E0],
00
:0049A1A9 837DF800 cmp
dword ptr [ebp-08], 00000000
:0049A1AD 0F84AB000000 je 0049A25E==>這裡如果跳轉就OVER了
:0049A1B3 8B45F8
mov eax, dword ptr [ebp-08]==>將你輸入的使用者編碼賦給eax
:0049A1B6 8A00
mov al, byte ptr [eax]==>取使用者編碼的第一位16進位制值賦給al
:0049A1B8 04BF
add al, BF==>al=al+BF
:0049A1BA 2C1A
sub al, 1A==>al=al-1A
:0049A1BC 731E
jnb 0049A1DC==>CF位的值是1則不跳,一跳就進入作者設好的陷井了
:0049A1BE 8B45F8
mov eax, dword ptr [ebp-08]==>將你輸入的使用者編碼賦給eax
:0049A1C1 8A4001
mov al, byte ptr [eax+01]==>取使用者編碼的第二位16進位制值賦給al
:0049A1C4 04BF
add al, BF==>al=al+BF
:0049A1C6 2C0C
sub al, 0C==>al=al-0C
:0049A1C8 7312
jnb 0049A1DC==>CF位的值是1則不跳,一跳就進入作者設好的陷井了
:0049A1CA 8B45F8
mov eax, dword ptr [ebp-08]==>將你輸入的使用者編碼賦給eax
:0049A1CD 8A4002
mov al, byte ptr [eax+02]==>取使用者編碼的第三位16進位制值賦給al
:0049A1D0 04BF
add al, BF==>al=al+BF
:0049A1D2 2C1A
sub al, 1A==>al=al-1A
:0049A1D4 722E
jb 0049A204==>CF位的值是1則跳,一跳就快註冊成功了
:0049A1D6 04FA
add al, FA==>al=al+FA
:0049A1D8 2C06
sub al, 06==>al=al-06
:0049A1DA 7228
jb 0049A204==>CF位的值是1則跳,不跳將會進入作者設好的陷井
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049A1BC(C), :0049A1C8(C)
|
:0049A1DC C683E005000001 mov byte ptr [ebx+000005E0],
01 -------+軟
:0049A1E3 B804000000 mov eax,
00000004
-------+件
-------+作
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
-------+者
|:0049A202(C)
-------+布
|
-------+置
:0049A1E8 8B55F8
mov edx, dword ptr [ebp-08] -------+的
:0049A1EB 8A5402FF mov
dl, byte ptr [edx+eax-01] -------+陷
:0049A1EF 80C2D0
add dl, D0
-------+井
:0049A1F2 80EA0A
sub dl, 0A
-------+用
:0049A1F5 7207
jb 0049A1FE
-------+來
:0049A1F7 C683E005000001 mov byte ptr [ebx+000005E0],
01 -------+破
-------+壞
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
-------+你
|:0049A1F5(C)
-------+的
|
-------+分
:0049A1FE 40
inc eax
-------+析
:0049A1FF 83F80A
cmp eax, 0000000A
-------+思
:0049A202 75E4
jne 0049A1E8
-------+路
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049A1D4(C), :0049A1DA(C)
|
:0049A204 80BBE005000000 cmp byte ptr [ebx+000005E0],
00
:0049A20B 7551
jne 0049A25E==>這裡如果跳轉就OVER了
:0049A20D 8B55FC
mov edx, dword ptr [ebp-04]
:0049A210 8B8360050000 mov eax, dword
ptr [ebx+00000560]
:0049A216 E88921FAFF call 0043C3A4
:0049A21B 8B55F8
mov edx, dword ptr [ebp-08]
:0049A21E 8B8370050000 mov eax, dword
ptr [ebx+00000570]
:0049A224 E87B21FAFF call 0043C3A4
:0049A229 8B55F4
mov edx, dword ptr [ebp-0C]
:0049A22C 8B8368050000 mov eax, dword
ptr [ebx+00000568]
:0049A232 E86D21FAFF call 0043C3A4
:0049A237 33D2
xor edx, edx
:0049A239 8B8360050000 mov eax, dword
ptr [ebx+00000560]
:0049A23F 8B08
mov ecx, dword ptr [eax]
:0049A241 FF5164
call [ecx+64]
:0049A244 33D2
xor edx, edx
:0049A246 8B8370050000 mov eax, dword
ptr [ebx+00000570]
:0049A24C 8B08
mov ecx, dword ptr [eax]
:0049A24E FF5164
call [ecx+64]
:0049A251 33D2
xor edx, edx
:0049A253 8B8368050000 mov eax, dword
ptr [ebx+00000568]
:0049A259 8B08
mov ecx, dword ptr [eax]
:0049A25B FF5164
call [ecx+64]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049A19D(U), :0049A1AD(C), :0049A20B(C)
|
:0049A25E 8D55C8
lea edx, dword ptr [ebp-38]
:0049A261 A1ACDA4900 mov eax,
dword ptr [0049DAAC]
:0049A266 8B00
mov eax, dword ptr [eax]
:0049A268 E89725FCFF call 0045C804
:0049A26D 8B45C8
mov eax, dword ptr [ebp-38]
:0049A270 8D55CC
lea edx, dword ptr [ebp-34]
:0049A273 E81C8AFFFF call 00492C94
:0049A278 8B4DCC
mov ecx, dword ptr [ebp-34]
:0049A27B 8D45D0
lea eax, dword ptr [ebp-30]
* Possible StringData Ref from Code Obj ->"當前版本號:"
|
:0049A27E BAECA44900 mov edx,
0049A4EC
:0049A283 E8F0A6F6FF call 00404978
:0049A288 8B55D0
mov edx, dword ptr [ebp-30]
:0049A28B 8B8388050000 mov eax, dword
ptr [ebx+00000588]
:0049A291 E80E21FAFF call 0043C3A4
:0049A296 33D2
xor edx, edx
:0049A298 8B83F4020000 mov eax, dword
ptr [ebx+000002F4]
:0049A29E E835E5FCFF call 004687D8
:0049A2A3 80BBE005000000 cmp byte ptr [ebx+000005E0],
00
:0049A2AA 7467
je 0049A313==>這裡如果跳轉就註冊成功了
:0049A2AC 33D2
xor edx, edx
:0049A2AE 8B8340040000 mov eax, dword
ptr [ebx+00000440]
:0049A2B4 8B08
mov ecx, dword ptr [eax]
:0049A2B6 FF5164
call [ecx+64]
:0049A2B9 33D2
xor edx, edx
:0049A2BB 8B83AC040000 mov eax, dword
ptr [ebx+000004AC]
:0049A2C1 8B08
mov ecx, dword ptr [eax]
:0049A2C3 FF5164
call [ecx+64]
:0049A2C6 33D2
xor edx, edx
:0049A2C8 8B8398050000 mov eax, dword
ptr [ebx+00000598]
:0049A2CE 8B08
mov ecx, dword ptr [eax]
:0049A2D0 FF5164
call [ecx+64]
:0049A2D3 33D2
xor edx, edx
:0049A2D5 8B83E0030000 mov eax, dword
ptr [ebx+000003E0]
:0049A2DB 8B08
mov ecx, dword ptr [eax]
:0049A2DD FF5164
call [ecx+64]
* Possible StringData Ref from Code Obj ->"本版為未註冊試用版,部分功能只能在註冊後才能使"
->"用!"
|
==>未註冊版出現的提示
:0049A2E0 BA04A54900 mov edx,
0049A504
:0049A2E5 8B8380050000 mov eax, dword
ptr [ebx+00000580]
:0049A2EB E8B420FAFF call 0043C3A4
:0049A2F0 8D55C4
lea edx, dword ptr [ebp-3C]
:0049A2F3 8BC3
mov eax, ebx
:0049A2F5 E87A20FAFF call 0043C374
:0049A2FA 8D45C4
lea eax, dword ptr [ebp-3C]
* Possible StringData Ref from Code Obj ->"[未註冊功能限制版]"
|
==>未註冊版出現的提示
:0049A2FD BA40A54900 mov edx,
0049A540
:0049A302 E82DA6F6FF call 00404934
:0049A307 8B55C4
mov edx, dword ptr [ebp-3C]
:0049A30A 8BC3
mov eax, ebx
:0049A30C E89320FAFF call 0043C3A4
:0049A311 EB63
jmp 0049A376
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A2AA(C)
|
* Possible StringData Ref from Code Obj ->"恭喜您成為完全版的榮譽註冊使用者!"
|
==>註冊版出現的提示
:0049A313 BA5CA54900 mov edx, 0049A55C
:0049A318 8B8380050000 mov eax, dword ptr [ebx+00000580]
:0049A31E E88120FAFF call 0043C3A4
:0049A323 8D55BC lea edx, dword ptr [ebp-44]
:0049A326 8BC3 mov eax, ebx
:0049A328 E84720FAFF call 0043C374
:0049A32D FF75BC push [ebp-44]
* Possible StringData Ref from Code Obj ->" [榮譽註冊使用者:"
|
==>註冊版出現的提示
:0049A330 6888A54900 push 0049A588
:0049A335 8D55B8 lea edx, dword ptr [ebp-48]
:0049A338 8B8360050000 mov eax, dword ptr [ebx+00000560]
:0049A33E E83120FAFF call 0043C374
:0049A343 FF75B8 push [ebp-48]
:0049A346 68A4A54900 push 0049A5A4
:0049A34B 8D45C0 lea eax, dword ptr [ebp-40]
:0049A34E BA04000000 mov edx, 00000004
:0049A353 E894A6F6FF call 004049EC
:0049A358 8B55C0 mov edx, dword ptr [ebp-40]
:0049A35B 8BC3 mov eax, ebx
:0049A35D E84220FAFF call 0043C3A4
:0049A362 33D2 xor edx, edx
:0049A364 8B8384050000 mov eax, dword ptr [ebx+00000584]
:0049A36A 8B08 mov ecx, dword ptr [eax]
:0049A36C FF5164 call [ecx+64]
:0049A36F C683E105000000 mov byte ptr [ebx+000005E1], 00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A311(U)
|
:0049A376 80BBE105000000 cmp byte ptr [ebx+000005E1], 00
:0049A37D 7413 je 0049A392==>這裡如果不跳轉將出現“未註冊版”提示對話方塊
:0049A37F 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"提示!"
|
:0049A381 68A8A54900 push 0049A5A8
* Possible StringData Ref from Code Obj ->"本軟體的試用版只能使用15次!如果您對試用結果滿"
->"意,可以向我們註冊。註冊費用為12元。"
|
:0049A386 68B0A54900 push 0049A5B0
:0049A38B 6A00 push 00000000
* Reference To: user32.MessageBoxA, Ord:0000h
|
:0049A38D E882D0F6FF Call 00407414
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A37D(C)
|
:0049A392 80BBE105000000 cmp byte ptr [ebx+000005E1], 00
:0049A399 7410 je 0049A3AB
:0049A39B 83BBE40500000F cmp dword ptr [ebx+000005E4], 0000000F==>判斷是否已用了15次
:0049A3A2 7E07 jle 0049A3AB==>跳轉將執行程式,不跳轉將不會執行程式
:0049A3A4 33C0 xor eax, eax
:0049A3A6 E8B1A2F6FF call 0040465C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049A399(C), :0049A3A2(C)
|
:0049A3AB 33C0 xor eax, eax
:0049A3AD 5A pop edx
:0049A3AE 59 pop ecx
:0049A3AF 59 pop ecx
:0049A3B0 648910 mov dword ptr fs:[eax], edx
:0049A3B3 68E7A34900 push 0049A3E7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A3E5(U)
|
:0049A3B8 8D45B8 lea eax, dword ptr [ebp-48]
:0049A3BB BA04000000 mov edx, 00000004
:0049A3C0 E8D3A2F6FF call 00404698
:0049A3C5 8D45C8 lea eax, dword ptr [ebp-38]
:0049A3C8 BA09000000 mov edx, 00000009
:0049A3CD E8C6A2F6FF call 00404698
:0049A3D2 8D45F4 lea eax, dword ptr [ebp-0C]
:0049A3D5 BA03000000 mov edx, 00000003
:0049A3DA E8B9A2F6FF call 00404698
:0049A3DF C3 ret
上面這些彙編程式碼總的來說,是軟體啟動時對註冊資訊進行檢驗,判斷是否正確。
使用者編碼的格式:
第一位::0049A1B3 8B45F8 mov eax, dword ptr [ebp-08]
==>將你輸入的使用者編碼賦給eax
:0049A1B6 8A00 mov al, byte ptr [eax]
==>取你輸入使用者編碼的第一位16進位制值賦給al
:0049A1B8 04BF add al, BF
==>al=al+BF
:0049A1BA 2C1A sub al, 1A
==>al=al-1A
:0049A1BC 731E jnb 0049A1DC
==>判斷CF進位位是否為1,CF是1則不跳轉,不跳轉說明格式正確
取你輸入的使用者編碼第一位的16進位制值1A,看最後CF位的值是否為1。如果CF位為1,說明你輸入的使用者編碼第一位是正確的。
例如:
1、ASCII碼 0 的16進位制值是30,則30+BF=EF,CF的值為0(無進位);EF-1A=D5,CF的值也為0(無借位),最終CF的值就為0,說明你輸入的使用者編碼第一位是錯誤的;
2、ASCII碼 a 的16進位制值是61,則61+BF=120,CF的值為1(有進位);120-1A=106,CF的值也為0(無借位),最終CF的值就為0,說明你輸入的使用者編碼第一位是錯誤的;
3、ASCII碼 A 的16進位制值是41,則41+BF=100,CF的值為1(有進位);100-1A=E6,CF的值也為1(有借位),最終CF的值就為1,說明你輸入的使用者編碼第一位是正確的;
所以,最後證明使用者編碼的第一位必須是大寫字母A至Z才符合程式要求。
按照上面的這種推理過程,可以知道使用者編碼的第二、三位的值。
第二位::0049A1BE 8B45F8 mov eax, dword ptr [ebp-08]
:0049A1C1 8A4001 mov al, byte ptr [eax+01]
:0049A1C4 04BF add al, BF
:0049A1C6 2C0C sub al, 0C
:0049A1C8 7312 jnb 0049A1DC
使用者編碼的第二位必須是大寫字母A至L才符合程式要求。
第三位::0049A1CA 8B45F8 mov eax, dword ptr [ebp-08]
:0049A1CD 8A4002 mov al, byte ptr [eax+02]
:0049A1D0 04BF add al, BF
:0049A1D2 2C1A sub al, 1A
:0049A1D4 722E jb 0049A204
==>判斷CF進位位是否為1,CF是1則跳轉,跳轉說明格式正確
:0049A1D6 04FA add al, FA
:0049A1D8 2C06 sub al, 06
:0049A1DA 7228 jb 0049A204
==>判斷CF進位位是否為1,CF是1則跳轉,跳轉說明格式正確
使用者編碼的第三位必須是大寫字母A至Z、或者是小寫字母a至f才符合程式要求。
從反編譯出來的彙編程式碼中,可以知道該軟體只會判斷你輸入使用者編碼的前三位,至於後面是什麼值它就管不著你了。
如果你輸入的使用者編碼格式正確的話,用TRW2000在 0049A18C 處下命令 d eax,就可以知道真的註冊碼。
下面給出一個可用的註冊資訊:
註冊名稱:flithawk@263.net
註冊密碼:CP7RBh7p
使用者編號:BCG-flithawk
從 0049A1DC 至 0049202 的這些彙編程式碼我想可能是軟體的作者設計出來的陷井,就算滿足了執行這些程式碼需要的條件,你也無法成功註冊該軟體。
如果你要暴破該軟體的話,只要修改下面三處就行了:
第一處:0049A194 740C 改為:EB0C
第二處:0049A20B 7551 改為:9090
第三處:0049A2AA 7467 改為:EB67
如果怕麻煩的話,就改第三處就行了,但最好還是這三處都改一下。
我在破解過程中,發現這樣一句話,"Dear Sir: I know you're pefer cracking program. But..My work is hard. Please don't distribute the key to others, thank you very much!"
所以,最後我要宣告一下:我寫這篇文章純粹是為了研究該軟體的註冊過程,我不會因此釋出關於該軟體的任何序號產生器及註冊碼。
Crack by 飛鷹[BCG] flithawk@263.net 2002.01.13
歡迎光臨漢化新世紀: http://www.hanzify.org
相關文章
- 專業掃雷 1.2破解過程 (4千字)2001-02-17
- 新手破解:敏思硬碟衛士 2.2 (1千字)2001-07-25硬碟
- 美萍安全衛士V8.45序號產生器制作分析過程,及序號產生器! (11千字)2001-10-28
- 敏思硬碟衛士 v2.2破解手記 (4千字)2001-11-20硬碟
- 分析周鴻禕的安全衛士360[轉]2011-01-07
- 對VCDCUT 4.03的分析破解過程 (18千字)2001-08-08
- 標誌位法破解----美萍反黃衛士2.26 (4千字)2001-07-27
- 美萍網管大師及安全衛士快速查註冊碼。 (1千字)2001-07-18
- 伺服器安全衛士2024-04-28伺服器
- 冬奧網路安全衛士招募正式啟動!2021-12-17
- Internet Maniac ver 1.2b 破解過程(適合初學者)
(7千字)2000-09-13
- 美萍電腦安全衛士(V7.52標準版)終極破解(註冊法 &
暴力破解法) (1千字)2001-02-24
- 美萍安全衛士v6.9標準版(天意II+W32dasm)破解實戰!
(3千字)2000-09-09ASM
- 挖礦木馬猖獗,360安全衛士破解“黑礦工”之困2021-12-07
- 破解 程式獵人 1.2 (2千字)2000-08-10
- 紫禁城反黃衛士個人版破解(註冊演算法) (10千字)2001-10-31演算法
- 破解華琦庫管精靈1.2.4 (8千字)2000-09-11
- 貫通詞典破解過程2004-12-20
- 長安“戰疫”網路安全衛士守護賽writeup2022-01-08
- 怎麼突破安全狗和360網站衛士的2016-08-30網站
- 360安全衛士的替代軟體2017-12-12
- OICQ HACK 1.0 破解過程 (9千字)2001-04-23
- Nullz CrackMe 1.1破解過程 (13千字)2001-09-18Null
- WebTimeSync 5.2.0 破解過程 (14千字)2001-10-05Web
- 衛士通渠道釋出會:同迎產業盛世 共享安全未來2018-09-06產業
- 我終於破解了魔裝網神了,破解過程!!,不過是用2.70破解的。 (1千字)2001-10-15
- 360安全衛士網管版:讓網管輕鬆管理內網電腦安全配置2011-09-01內網
- 360安全衛士阻止SQL Server安裝2011-09-06SQLServer
- 密碼擷取(getpassword)2.8破解全面分析 (3千字)2001-12-11密碼
- dfx V4.0破解過程 (10千字)2000-09-24
- 破解過程-----請多多指教 (2千字)2000-12-31
- 電腦字型秀破解過程 (1千字)2001-03-18
- webeasymail的簡單破解過程 (2千字)2001-08-04WebAI
- Kryptel 3.8 暴力破解過程 (18千字)2001-09-18
- PUZZLER1.20破解過程 (4千字)2002-01-26
- SuperCleaner2.30破解過程 (11千字)2002-02-04
- 網路安全衛士X-KEY,讓檔案更私密(轉)2007-08-12
- 全面分析全息投影的成像過程2023-04-18