vTuner Plus 3.0 線上註冊的破解方法一：爆破篇 (7千字)

vTuner Plus 3.0 線上註冊的破解方法一：爆破篇

工具：TRW2K, W32dasm, System Mechanic, Regshot
介紹：新版的RealOne player爽極了, 是一個極好的線上播放器！ vTuner Plus是RealOne Player伴侶.
利用vTuner可列出成千的電視與廣播頻道, 你可以迅速的在網路上找到現場節目、音樂、新聞節目
等任何你喜歡的廣播內容. vTuner的主視窗非常酷. 註冊費$29.95
下載： RealOne的下載地址最好用Google搜搜; vTuner Plus 3.0 怕是不好找了.
主頁： http://www.vtuner.com/vtunerApp.html
大小：和RealOne一起下載的，忘記了 ^_^
限制：VB，15天試用，線上註冊，NAG視窗提示！
破解者: moonlite[FCG][BCG]

[過程]

1) 首先執行vtuner，提示註冊的NAG就出來了：) 如果輸入註冊碼的話，點選Confirm Number按鈕後，
它還會去網上去驗證，好讓人煩！那就先去掉這個NAG吧：

啟動TRW，點選NAG視窗中的 Run vTuner按鈕, Ctrl+D 後，會來到TRW的領空，

再pmodule一次：

:004B8D18 50 push eax
:004B8D19 FF92B0020000 call dword ptr [edx+000002B0]//b8119 <----NAG 視窗
:004B8D1F 898508FFFFFF mov dword ptr [ebp+FFFFFF08], eax <----游標在這裡！
:004B8D25 83BD08FFFFFF00 cmp dword ptr [ebp+FFFFFF08], 00000000
:004B8D2C 7D23 jge 004B8D51
:004B8D2E 68B0020000 push 000002B0

.........

將 004B8D19/offset: b8119 處的CALL NOP掉，討厭的提示視窗就沒有了：-) ************補丁之一

2) 將時間往後調 30 天，哈哈，討厭的視窗又來了，這次所提示過期，讓上網註冊云云。。。
可見前面有暗樁。用Regshot比較發現:

[HKEY_LOCAL_MACHINE\Software\NEMS\vTuner] 處的鍵值從
"eDate"="06/23/2002 8:30:13 PM" ->變成了 "WWeWantToGetYouLikeACrackDealerWould"

很明顯，這是登錄檔中過期的標誌鍵值。
用W32dasm 反彙編並查詢該字串，共找到三處。透過設斷點，不難找到這裡：

:004B51C9 8B55A0 mov edx, dword ptr [ebp-60] <-----登錄檔中eDate KEY值字串
:004B51CC 52 push edx <---------入棧

* Possible StringData Ref from Code Obj ->"WWeWantToGetYouLikeACrackDealerWould"
|
:004B51CD 6844754500 push 00457544 <-----過期的標誌字串

* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
|
:004B51D2 FF1588C47D00 Call dword ptr [007DC488] <-----兩字串比較的CALL;
不相同的話EAX=FFFFFFFF，否則EAX=0;

:004B51D8 8BF0 mov esi, eax
:004B51DA F7DE neg esi
:004B51DC 1BF6 sbb esi, esi
:004B51DE F7DE neg esi <--------字串不相同時 ESI=1; 否則ESI=0
:004B51E0 8B45A0 mov eax, dword ptr [ebp-60] <-------仍為過期的標誌字串

:004B51E3 50 push eax
:004B51E4 68B00E4500 push 00450EB0 <-------d 450EB0 看看！

* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
|
:004B51E9 FF1588C47D00 Call dword ptr [007DC488]<-----又是兩字串的比較;
eDate 鍵值不為空的話EAX=1;否則EAX=0

:004B51EF F7D8 neg eax
:004B51F1 1BC0 sbb eax, eax
:004B51F3 F7D8 neg eax
:004B51F5 23F0 and esi, eax <-------ESI 和EAX 與，得到標誌 ESI；
:004B51F7 85F6 test esi, esi
:004B51F9 0F8554020000 jne 004B5453 <-------正確的話應該跳轉！
:004B51FF C745FC18000000 mov [ebp-04], 00000018
:004B5206 8B4DA0 mov ecx, dword ptr [ebp-60]
:004B5209 51 push ecx
:004B520A 68B00E4500 push 00450EB0

* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
|
:004B520F FF1588C47D00 Call dword ptr [007DC488]
:004B5215 85C0 test eax, eax
:004B5217 0F85BB000000 jne 004B52D8<-------過期的話應該在這裡跳轉！
:004B521D C745FC19000000 mov [ebp-04], 00000019 <-------eDate 鍵值為空的話
會從這裡接著向下走下去。。。

:004B5224 66C78510FFFFFFFFFF mov word ptr [ebp+FFFFFF10], FFFF

* Possible StringData Ref from Code Obj ->"WWeWantToGetYouLikeACrackDealerWould"
|
:004B522D BA44754500 mov edx, 00457544
:004B5232 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78]

* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
|
:004B5238 FF15DCC57D00 Call dword ptr [007DC5DC]

* Possible StringData Ref from Code Obj ->"eeDate"
|
:004B523E BA34754500 mov edx, 00457534
:004B5243 8D8D7CFFFFFF lea ecx, dword ptr [ebp+FFFFFF7C]

* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
|
:004B5249 FF15DCC57D00 Call dword ptr [007DC5DC]

* Possible StringData Ref from Code Obj ->"SSOFTWARE\nems\vTuner" <-------看出作者的意圖了吧？！
|
:004B524F BAA8334500 mov edx, 004533A8
:004B5254 8D4D80 lea ecx, dword ptr [ebp-80]

*****************

4) 看看從004B51F9 跳過來的程式碼--------->

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B51F9(C)
|
:004B5453 C745FC24000000 mov [ebp-04], 00000024
:004B545A 6A09 push 00000009
:004B545C 8B45A0 mov eax, dword ptr [ebp-60] <-----登錄檔中eDate鍵值
:004B545F 50 push eax

* Reference To: MSVBVM50.rtcLeftCharBstr, Ord:0268h
|
:004B5460 FF1538C67D00 Call dword ptr [007DC638]
:004B5466 8BD0 mov edx, eax
:004B5468 8D4D80 lea ecx, dword ptr [ebp-80]

* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
|
:004B546B FF1554C67D00 Call dword ptr [007DC654]
:004B5471 50 push eax <-----登錄檔中eDate 鍵值

* Possible StringData Ref from Code Obj ->"ssetupdate" <------這裡俺搞不懂作者有什麼意圖
|
:004B5472 68B0754500 push 004575B0

* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
|
:004B5477 FF1588C47D00 Call dword ptr [007DC488] <-----登錄檔中eDate KEY值和字串
"setupdate" 比較；不相同的話EAX=FFFFFFFF，否則EAX=0

:004B547D F7D8 neg eax
:004B547F 1BC0 sbb eax, eax
:004B5481 40 inc eax
:004B5482 F7D8 neg eax
:004B5484 66898508FFFFFF mov word ptr [ebp+FFFFFF08], ax <-----ax值送存；
:004B548B 8D4D80 lea ecx, dword ptr [ebp-80]

* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
|
:004B548E FF15A4C67D00 Call dword ptr [007DC6A4]
:004B5494 0FBF8D08FFFFFF movsx ecx, word ptr [ebp+FFFFFF08]
:004B549B 85C9 test ecx, ecx
:004B549D 0F84CE010000 je 004B5671 // b489d <-----不要在這裡跳！！
:004B54A3 C745FC25000000 mov [ebp-04], 00000025

從這裡再往下走，就走到羅馬了。。。^_^

。。。。

在 004B549D/offset: B489D 處改成不跳，或者eDate 鍵值改成 "setupdate" ************補丁之二

=>哈哈，搞定!

如果想完美註冊的話, 請看它的續篇-->

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(待續)...

vTuner Plus 3.0 線上註冊的破解方法一：爆破篇 (7千字)

相關文章