Regediter 1.3 破解(得到註冊碼) (9千字)

Regediter 1.3 破解(得到註冊碼)
crack by fwnl
破解工具:trw2000 1.22 W32DASM 8.93
軟體下載：http://file2.mydrivers.com/tools/reg/RegEditer.zip
http://newhua.ruyi.com/down/RegEditer.zip
軟體說明:RegEditer 1.3中文版For Win9x/ME/2000/XP 放棄微軟自帶的登錄檔編輯器吧！使用RegEditer每個人都可以成為登錄檔高手，永遠解除你對註冊標的那種神秘感。如果你細心的使用RegEditer，你會發現管理登錄檔是件輕鬆、愉快地事情
RegEditer是用來編輯、管理“登錄檔”設定的功能強大的工具。RegEditer為你提供了許多強大、有趣的功能。如強大的查詢功能（支援萬用字元）。大資料儲存，將一個檔案裝入登錄檔（長度太大不推薦）。將登錄檔內容按圖片看（如果資料是支援的圖片格式，參閱“圖片格式”），將某一選定資料存入檔案。批次替換指定字串。登錄檔主鍵複製，貼上。批次登錄檔資料複製貼上。收藏夾、直接跳磚、地址輸入支援。等功能是你能快速定位要編輯的內容。你能利用RegEditer能檢視主鍵下的所有內容，你能批次編輯它，將它直接匯入登錄檔的功能。類似的新穎強大的功能還有很多。如果你細心的使用RegEditer。你會發現管理登錄檔很輕鬆，很有趣，不再繁雜，難懂，甚至可以成為一門藝術。RegEditer是一個綠色軟體，你直接將它拷到你的計算機上就可執行。

用trw2000載入regediter.exe，按F5後出現註冊對話方塊，名字可以亂填.
註冊碼以KGL-XXXXX-XXXX-XXXXXX的形式填，至於為什麼可看下面程式碼註釋.
(XXXXXXXXX代表任意字元)
Ctrl+N 回trw2000後下 bpx hmemcpy,按F5返回程式後按確定被中斷, bd * 暫時關掉斷點後按F12幾下來到(我按了14下)下面這裡
:0048202 ret ==>按F10就到了 004BFE5C
:0048203 nop
:0048204 push ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004BFDED(C)

:004BFE5C 8B45FC mov eax, dword ptr [ebp-04]
:004BFE5F E82C55FDFF call 00495390 //關鍵call，F8進入
:004BFE64 84C0 test al, al
:004BFE66 7460 je 004BFEC8 //一定不能跳

上面按F8後來進入call來到:
* Referenced by a CALL at Addresses:
|:004BFE5F , :004C1C0E
|
:00495390 55 push ebp
:00495391 8BEC mov ebp, esp
:00495393 33C9 xor ecx, ecx
:00495395 51 push ecx
:00495396 51 push ecx
:00495397 51 push ecx
:00495398 51 push ecx
:00495399 51 push ecx
:0049539A 53 push ebx
:0049539B 56 push esi
:0049539C 57 push edi
:0049539D 8945FC mov dword ptr [ebp-04], eax
:004953A0 8B45FC mov eax, dword ptr [ebp-04]
:004953A3 E8E8F3F6FF call 00404790
:004953A8 33C0 xor eax, eax
:004953AA 55 push ebp
:004953AB 6803554900 push 00495503
:004953B0 64FF30 push dword ptr fs:[eax]
:004953B3 648920 mov dword ptr fs:[eax], esp
:004953B6 33DB xor ebx, ebx
:004953B8 33C0 xor eax, eax
:004953BA 55 push ebp
:004953BB 68DC544900 push 004954DC
:004953C0 64FF30 push dword ptr fs:[eax]
:004953C3 648920 mov dword ptr fs:[eax], esp
:004953C6 8B45FC mov eax, dword ptr [ebp-04]
:004953C9 E8DAF1F6FF call 004045A8
:004953CE 83F816 cmp eax, 00000016
:004953D1 740D je 004953E0
:004953D3 33C0 xor eax, eax
:004953D5 5A pop edx
:004953D6 59 pop ecx
:004953D7 59 pop ecx
:004953D8 648910 mov dword ptr fs:[eax], edx
:004953DB E908010000 jmp 004954E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004953D1(C)
|
:004953E0 8D45F0 lea eax, dword ptr [ebp-10]
:004953E3 E808EFF6FF call 004042F0
:004953E8 8D45F0 lea eax, dword ptr [ebp-10]
:004953EB BA1C554900 mov edx, 0049551C
:004953F0 E8BBF1F6FF call 004045B0 <==d edx 得 K
:004953F5 8D45F0 lea eax, dword ptr [ebp-10]
:004953F8 BA28554900 mov edx, 00495528 <==d edx 得 G
:004953FD E8AEF1F6FF call 004045B0
:00495402 8D45F0 lea eax, dword ptr [ebp-10]
:00495405 BA34554900 mov edx, 00495534 <==d edx 得 L
:0049540A E8A1F1F6FF call 004045B0
:0049540F 8D45F0 lea eax, dword ptr [ebp-10]
:00495412 BA40554900 mov edx, 00495540 <==d edx 得 -
:00495417 E894F1F6FF call 004045B0
:0049541C 8B45F0 mov eax, dword ptr [ebp-10]
:0049541F E87CF3F6FF call 004047A0 <==d eax 得 KGL-
:00495424 50 push eax
:00495425 8B45FC mov eax, dword ptr [ebp-04]
:00495428 E873F3F6FF call 004047A0
:0049542D 8BF0 mov esi, eax
:0049542F 8BC6 mov eax, esi
:00495431 5A pop edx
:00495432 E8B93EF7FF call 004092F0
:00495437 8BF8 mov edi, eax
:00495439 3BFE cmp edi, esi
:0049543B 740D je 0049544A
:0049543D 33C0 xor eax, eax
:0049543F 5A pop edx
:00495440 59 pop ecx
:00495441 59 pop ecx
:00495442 648910 mov dword ptr fs:[eax], edx
:00495445 E99E000000 jmp 004954E8

透過上面這一段程式碼可知正解註冊碼形式為KGL-xxxxxxxxxxxxxxxxxx 共22位

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049543B(C)
|
:0049544A 8B45FC mov eax, dword ptr [ebp-04] 2d 的ASCⅡ碼是 -
:0049544D 8078032D cmp byte ptr [eax+03], 2D <==比較註冊碼第3後是否是 "-"
:00495451 7512 jne 00495465
:00495453 8B45FC mov eax, dword ptr [ebp-04]
:00495456 80780A2D cmp byte ptr [eax+0A], 2D <==比較註冊碼第10後是否是 -
:0049545A 7509 jne 00495465
:0049545C 8B45FC mov eax, dword ptr [ebp-04]
:0049545F 80780F2D cmp byte ptr [eax+0F], 2D <==比較註冊碼第15後是否是 -
:00495463 740A je 0049546F
透過上面這一段程式碼可知正解註冊碼形式為KGL-xxxxxx-xxxx-xxxxxx 共22位
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00495451(C), :0049545A(C)
|
:00495465 33C0 xor eax, eax
:00495467 5A pop edx
:00495468 59 pop ecx
:00495469 59 pop ecx
:0049546A 648910 mov dword ptr fs:[eax], edx
:0049546D EB79 jmp 004954E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00495463(C)
|
:0049546F 8D45F8 lea eax, dword ptr [ebp-08]
:00495472 50 push eax
:00495473 B906000000 mov ecx, 00000006
:00495478 BA05000000 mov edx, 00000005
:0049547D 8B45FC mov eax, dword ptr [ebp-04]
:00495480 E87BF3F6FF call 00404800
:00495485 8D45F4 lea eax, dword ptr [ebp-0C]
:00495488 50 push eax
:00495489 B904000000 mov ecx, 00000004
:0049548E BA0C000000 mov edx, 0000000C
:00495493 8B45FC mov eax, dword ptr [ebp-04]
:00495496 E865F3F6FF call 00404800
:0049549B 8D45EC lea eax, dword ptr [ebp-14]
:0049549E 50 push eax
:0049549F B906000000 mov ecx, 00000006
:004954A4 BA11000000 mov edx, 00000011
:004954A9 8B45FC mov eax, dword ptr [ebp-04]
:004954AC E84FF3F6FF call 00404800
:004954B1 8D4DF0 lea ecx, dword ptr [ebp-10]
:004954B4 8B55F4 mov edx, dword ptr [ebp-0C]
:004954B7 8B45F8 mov eax, dword ptr [ebp-08]
:004954BA E895FBFFFF call 00495054
:004954BF 8B45EC mov eax, dword ptr [ebp-14]
:004954C2 8B55F0 mov edx, dword ptr [ebp-10]
:004954C5 E822F2F6FF call 004046EC <===d edx 得註冊碼的最後6位真碼
:004954CA 7504 jne 004954D0
:004954CC B301 mov bl, 01
:004954CE EB02 jmp 004954D2

上面這段是透過計算 KGL- 後你填的10 位註冊碼來得出最後6位真碼，由於本人太菜所以是怎麼算出的就
搞不明白了 :)
最後總結一下: 註冊碼為22位，因為不填22位那個註冊按鍵不亮
形式為KGL-XXXXXX-XXXX-XXXXX
我破解時填的註冊碼為 KGL-8FWNL8-FWNL-888888 , 在004954C5處 d edx 得 COY75I
所以我得出正確註冊碼是: KGL-8FWNL8-FWNL-COY75I 註冊碼與姓名無關最後特別感謝好友alphakk的指點.
祝各位玩得開心!!!
fwnl
　　 2002.1.22　　
長沙
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　

Regediter 1.3 破解(得到註冊碼) (9千字)

相關文章