Cracking all four ResTools programs in one go: ResScope 1.35, freeRes 0.94, HexEdit 0.20, GetVBRes 0.51, the whole process (10K characters)
Today I happened to notice that the four ResTools programs, ResScope 1.35, freeRes 0.94, HexEdit 0.20 and GetVBRes 0.51, are all quite good,
so I downloaded the lot to study them. From my earlier experience with freeRes 0.94 I knew that every one of them asks for a 40-character registration code (dreadful, your hand goes numb typing it). This time I am not going to hunt for a registration code at all; I will patch the programs directly and spare myself the typing every time.
Now let's take them apart one by one!
The first is ResScope 1.35. It turned out to be packed with ASPack, which is easily stripped.
After unpacking, open ResScope.exe in W32Dasm and search for the string "regcode"; that leads to the following code:
* Possible StringData Ref from Code Obj ->"regcode" …… read downwards ↓↓↓
|
:004B9B4E BA249C4B00              mov edx, 004B9C24
:004B9B53 8B45F8                  mov eax, dword ptr [ebp-08]
:004B9B56 E80DFAFFFF              call 004B9568

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9B49(C)
|
:004B9B5B 8B45F0                  mov eax, dword ptr [ebp-10]
:004B9B5E E87DA3F4FF              call 00403EE0
:004B9B63 83F828                  cmp eax, 00000028 …… this checks whether the code you typed is 40 characters long (28h is 40 in decimal)
:004B9B66 7538                    jne 004B9BA0 …… code not 40 characters: jump away
:004B9B68 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B9B6B E870A3F4FF              call 00403EE0
:004B9B70 85C0                    test eax, eax
:004B9B72 7E2C                    jle 004B9BA0
:004B9B74 68338C0000              push 00008C33
:004B9B79 8D45EC                  lea eax, dword ptr [ebp-14]
:004B9B7C 50                      push eax
:004B9B7D B982310000              mov ecx, 00003182
:004B9B82 BAD5030000              mov edx, 000003D5
:004B9B87 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B9B8A E80DFCFFFF              call 004B979C
:004B9B8F 8B45EC                  mov eax, dword ptr [ebp-14]
:004B9B92 8B55F0                  mov edx, dword ptr [ebp-10]
:004B9B95 E856A4F4FF              call 00403FF0
:004B9B9A 7504                    jne 004B9BA0 …… same destination as the jump taken when the code is not 40 characters, so this obviously goes to the registration-failed path
:004B9B9C C645FF01                mov [ebp-01], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B9B03(C), :004B9B66(C), :004B9B72(C), :004B9B9A(C)
|
:004B9BA0 33C0                    xor eax, eax
:004B9BA2 5A                      pop edx
:004B9BA3 59                      pop ecx
:004B9BA4 59                      pop ecx
:004B9BA5 648910                  mov dword ptr fs:[eax], edx
:004B9BA8 68BD9B4B00              push 004B9BBD
So this program's registration code really is 40 characters long; even if you found the correct one and copied it down you would be worn out. Far simpler to make it accept any code at all! Hehe.
I decided to NOP out the two jumps above. After that, any user name together with a registration code of any length (including a zero-length one, i.e. entering no code at all) goes through.
So with UltraEdit I changed both jumps, 7538 and 7504, to 9090. Now any user name registers successfully!
Note that there is one more jump in between:
:004B9B72 7E2C                    jle 004B9BA0
This one tests the length of the other field (the user name in [ebp-0C], measured by the same call 00403EE0 used for the code) and also goes to the failure location. It could be NOPed as well, but then there would be no fun left in entering registration details at all!
Now try it: fill in any registration details, and ha, registration successful!
First one done; the rest are surely much the same.
Next up is GetVBRes 0.51!
Same packer again, quickly dealt with.
After unpacking, open GetVBRes.exe in W32Dasm, search once more for the string "regcode", and find this code:
* Possible StringData Ref from Code Obj ->"regcode" …… read downwards ↓↓↓
|
:0049AE74 BAA8AF4900              mov edx, 0049AFA8
:0049AE79 8B45F8                  mov eax, dword ptr [ebp-08]
:0049AE7C E8BFA3FCFF              call 00465240

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AE6F(C)
|
:0049AE81 8B45F0                  mov eax, dword ptr [ebp-10]
:0049AE84 E83B8FF6FF              call 00403DC4
:0049AE89 83F828                  cmp eax, 00000028 …… this checks whether the code you typed is 40 characters long (28h is 40 in decimal)
:0049AE8C 0F8591000000            jne 0049AF23 …… code not 40 characters: jump away
:0049AE92 8B45F4                  mov eax, dword ptr [ebp-0C]
:0049AE95 E82A8FF6FF              call 00403DC4
:0049AE9A 85C0                    test eax, eax
:0049AE9C 0F8E81000000            jle 0049AF23
:0049AEA2 68368C0000              push 00008C36
:0049AEA7 8D45EC                  lea eax, dword ptr [ebp-14]
:0049AEAA 50                      push eax
:0049AEAB B985310000              mov ecx, 00003185
:0049AEB0 BAD8030000              mov edx, 000003D8
:0049AEB5 8B45F4                  mov eax, dword ptr [ebp-0C]
:0049AEB8 E847FBFFFF              call 0049AA04
:0049AEBD 8B55EC                  mov edx, dword ptr [ebp-14]
:0049AEC0 8D45F4                  lea eax, dword ptr [ebp-0C]
:0049AEC3 E8148DF6FF              call 00403BDC
:0049AEC8 8D55E8                  lea edx, dword ptr [ebp-18]
:0049AECB 8B45F4                  mov eax, dword ptr [ebp-0C]
:0049AECE E8C1F9FFFF              call 0049A894
:0049AED3 8B45E8                  mov eax, dword ptr [ebp-18]
:0049AED6 8B55F0                  mov edx, dword ptr [ebp-10]
:0049AED9 E8F68FF6FF              call 00403ED4
:0049AEDE 750C                    jne 0049AEEC …… careful, not this one! Do not NOP this, or there is nothing left to play with.
:0049AEE0 A1F0CA4A00              mov eax, dword ptr [004ACAF0]
:0049AEE5 8B00                    mov eax, dword ptr [eax]
:0049AEE7 E85CFEFAFF              call 0044AD48

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AEDE(C)
|
:0049AEEC 68368C0000              push 00008C36
:0049AEF1 8D45E4                  lea eax, dword ptr [ebp-1C]
:0049AEF4 50                      push eax
:0049AEF5 B985310000              mov ecx, 00003185
:0049AEFA BAD8030000              mov edx, 000003D8
:0049AEFF 8B45F0                  mov eax, dword ptr [ebp-10]
:0049AF02 E8EDF8FFFF              call 0049A7F4
:0049AF07 8B55E4                  mov edx, dword ptr [ebp-1C]
:0049AF0A 8D45F0                  lea eax, dword ptr [ebp-10]
:0049AF0D E8CA8CF6FF              call 00403BDC
:0049AF12 8B45F4                  mov eax, dword ptr [ebp-0C]
:0049AF15 8B55F0                  mov edx, dword ptr [ebp-10]
:0049AF18 E8B78FF6FF              call 00403ED4
:0049AF1D 7504                    jne 0049AF23 …… same destination as the jump taken when the code is not 40 characters, so this obviously goes to the registration-failed path
:0049AF1F C645FF01                mov [ebp-01], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049AE29(C), :0049AE8C(C), :0049AE9C(C), :0049AF1D(C)
|
:0049AF23 33C0                    xor eax, eax
:0049AF25 5A                      pop edx
:0049AF26 59                      pop ecx
:0049AF27 59                      pop ecx
:0049AF28 648910                  mov dword ptr fs:[eax], edx
:0049AF2B 6840AF4900              push 0049AF40
Identical; I did not even have to change my comments!
Again with UltraEdit, patch the two jumps: 0F8591000000 becomes 909090909090 (this jne is a six-byte near jump, so it needs six NOPs; writing only 9090 would leave the remaining four bytes to be decoded as stray instructions) and 7504 becomes 9090. Now any user name registers successfully once more!
Now for HexEdit 0.20.
The same method turns up the following code:
* Possible StringData Ref from Code Obj ->"regcode"
|
:0045F1B8 BAECF24500              mov edx, 0045F2EC
:0045F1BD 8B45F8                  mov eax, dword ptr [ebp-08]
:0045F1C0 E80FF6FFFF              call 0045E7D4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F1B3(C)
|
:0045F1C5 8B45F0                  mov eax, dword ptr [ebp-10]
:0045F1C8 E80F4BFAFF              call 00403CDC
:0045F1CD 83F828                  cmp eax, 00000028
:0045F1D0 0F8591000000            jne 0045F267
:0045F1D6 8B45F4                  mov eax, dword ptr [ebp-0C]
:0045F1D9 E8FE4AFAFF              call 00403CDC
:0045F1DE 85C0                    test eax, eax
:0045F1E0 0F8E81000000            jle 0045F267
:0045F1E6 68358C0000              push 00008C35
:0045F1EB 8D45EC                  lea eax, dword ptr [ebp-14]
:0045F1EE 50                      push eax
:0045F1EF B984310000              mov ecx, 00003184
:0045F1F4 BAD7030000              mov edx, 000003D7
:0045F1F9 8B45F4                  mov eax, dword ptr [ebp-0C]
:0045F1FC E823FCFFFF              call 0045EE24
:0045F201 8B55EC                  mov edx, dword ptr [ebp-14]
:0045F204 8D45F4                  lea eax, dword ptr [ebp-0C]
:0045F207 E8E848FAFF              call 00403AF4
:0045F20C 8D55E8                  lea edx, dword ptr [ebp-18]
:0045F20F 8B45F4                  mov eax, dword ptr [ebp-0C]
:0045F212 E89DFAFFFF              call 0045ECB4
:0045F217 8B45E8                  mov eax, dword ptr [ebp-18]
:0045F21A 8B55F0                  mov edx, dword ptr [ebp-10]
:0045F21D E8CA4BFAFF              call 00403DEC
:0045F222 750C                    jne 0045F230
:0045F224 A1DC774800              mov eax, dword ptr [004877DC]
:0045F229 8B00                    mov eax, dword ptr [eax]
:0045F22B E8A8CFFEFF              call 0044C1D8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F222(C)
|
:0045F230 68358C0000              push 00008C35
:0045F235 8D45E4                  lea eax, dword ptr [ebp-1C]
:0045F238 50                      push eax
:0045F239 B984310000              mov ecx, 00003184
:0045F23E BAD7030000              mov edx, 000003D7
:0045F243 8B45F0                  mov eax, dword ptr [ebp-10]
:0045F246 E8C9F9FFFF              call 0045EC14
:0045F24B 8B55E4                  mov edx, dword ptr [ebp-1C]
:0045F24E 8D45F0                  lea eax, dword ptr [ebp-10]
:0045F251 E89E48FAFF              call 00403AF4
:0045F256 8B45F4                  mov eax, dword ptr [ebp-0C]
:0045F259 8B55F0                  mov edx, dword ptr [ebp-10]
:0045F25C E88B4BFAFF              call 00403DEC
:0045F261 7504                    jne 0045F267
:0045F263 C645FF01                mov [ebp-01], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F16D(C), :0045F1D0(C), :0045F1E0(C), :0045F261(C)
|
:0045F267 33C0                    xor eax, eax
:0045F269 5A                      pop edx
:0045F26A 59                      pop ecx
:0045F26B 59                      pop ecx
:0045F26C 648910                  mov dword ptr fs:[eax], edx
:0045F26F 6884F24500              push 0045F284
By now you know what to patch: the six-byte jne at 0045F1D0 (0F8591000000 becomes 909090909090) and the two-byte jne at 0045F261 (7504 becomes 9090).
The last one is freeRes 0.94. The patch is the same, but after unpacking it with TRW the dump will not run, so patching the file on disk achieves nothing. Luckily I have KeyMake 1.6, and a memory patch made with it does the job: the bytes are written into the running process after the packer's stub has unpacked the code, at the same addresses W32Dasm shows in the dump.
Open KeyMake and press F6 to bring up the "Make memory patch" window. Enter the program name freeRes.exe, then under memory data click "Add" to open the "Add data" window. Fill in address: 4BBCBC; length: 6; original bytes: 0F8591000000; new bytes: 909090909090. Click "Add" again and enter address: 4BBD4D; length: 2; original bytes: 7504; new bytes: 9090. Save and exit, copy the generated patcher into the same directory as freeRes.exe, run it, enter any user name, and registration succeeds once again!
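As an added example, not code from the original post or from any of the ResTools programs, here is the byte-patching step that the article performs by hand in UltraEdit for the unpacked files and through a KeyMake memory patch for freeRes, written as a small Python script. It maps a W32Dasm virtual address to a file offset through the PE section table, refuses to write unless the bytes on disk are exactly the ones the listing shows, overwrites them with NOPs of the same length (so a six-byte near jne gets six NOPs and a two-byte short jne gets two), and applies the same patch table to a loader-style in-memory layout of the image, which is the view a memory patch works on. The PE produced by build_sample_pe() is a constructed fixture that carries ResScope's two jne opcodes at the article's addresses; it is not the real ResScope.exe, and the image base 0x400000 and the single-section layout are assumptions.

```python
"""Patch conditional jumps in a PE by virtual address, verifying the original bytes first.

Added example, not from the original article.  PATCHES lists the two jumps the
article NOPs in the unpacked ResScope 1.35.  build_sample_pe() is a constructed
fixture with the same opcodes at the same addresses, not the real program.
"""
import struct

NOP = 0x90
IMAGE_BASE = 0x400000          # assumed; read from the real file by parse_pe32()

# (virtual address, original bytes) exactly as the W32Dasm listing shows them
PATCHES = [
    (0x4B9B66, bytes.fromhex("7538")),   # jne 004B9BA0  (code length != 40 -> fail)
    (0x4B9B9A, bytes.fromhex("7504")),   # jne 004B9BA0  (generated != entered -> fail)
]


def parse_pe32(pe: bytes):
    """Return (image_base, sections); each section is (vaddr, raw_size, raw_ptr)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        _vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((vaddr, rsize, rptr))
    return image_base, sections


def file_offset(pe: bytes, va: int) -> int:
    """Map a VA to a file offset via the section table (the step a plain hex-editor search skips)."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for vaddr, rsize, rptr in sections:
        if vaddr <= rva < vaddr + rsize:
            return rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} has no file-backed bytes (packed, or outside raw data)")


def apply_patches(buf: bytes, patches, locate) -> bytes:
    """Overwrite each (va, original) with NOPs of equal length; refuse on any byte mismatch.

    locate(va) -> offset into buf.  For a file use file_offset; for a loaded
    image (what a memory patch writes to) the offset is just va - image_base.
    """
    out = bytearray(buf)
    for va, original in patches:
        off = locate(va)
        found = bytes(out[off:off + len(original)])
        if found != original:
            raise ValueError(f"{va:#x}: expected {original.hex()}, found {found.hex()}")
        out[off:off + len(original)] = bytes([NOP]) * len(original)
    return bytes(out)


def map_image(pe: bytes) -> bytearray:
    """Lay the raw sections out at their RVAs, as the loader does (index = va - image_base)."""
    _base, sections = parse_pe32(pe)
    image = bytearray(max(vaddr + rsize for vaddr, rsize, _ in sections))
    for vaddr, rsize, rptr in sections:
        image[vaddr:vaddr + rsize] = pe[rptr:rptr + rsize]
    return image


def build_sample_pe() -> bytes:
    """Constructed PE32 fixture: one .text section at RVA 0xB9000 holding the two jne opcodes."""
    text_rva, raw_ptr, raw_size = 0xB9000, 0x400, 0x1000
    buf = bytearray(raw_ptr + raw_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)             # Machine i386, one section
    struct.pack_into("<H", buf, 0x54, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", buf, 0x58 + 28, IMAGE_BASE)       # ImageBase
    sec = 0x58 + 0xE0                                        # first section header
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", buf, sec + 8, raw_size, text_rva, raw_size, raw_ptr)
    for va, original in PATCHES:                             # plant the jumps where W32Dasm showed them
        off = raw_ptr + (va - IMAGE_BASE - text_rva)
        buf[off:off + len(original)] = original
    return bytes(buf)


if __name__ == "__main__":
    pe = build_sample_pe()
    patched = apply_patches(pe, PATCHES, lambda va: file_offset(pe, va))
    print("file offsets:", [hex(file_offset(pe, va)) for va, _ in PATCHES])
    print("patched bytes:", patched[0xF66:0xF68].hex(), patched[0xF9A:0xF9C].hex())
```

The file-offset path is what replaces the UltraEdit search: it finds the bytes by address rather than by pattern, so a 7504 that happens to occur elsewhere in the binary cannot be patched by mistake. Run against the still-packed freeRes.exe it would raise instead, because the clear-text code is not present in the raw section data; that is the situation where the memory-patch locator (va minus image base, over the image as laid out by the loader) is the one that applies, and why the KeyMake dialog asks for the original bytes alongside the new ones.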
All done!
leeyam
http://leeyam.126.com/
http://leeyam.yeah.net/