PacWorld v 1.3 詳細破解過程(對不起,上一篇貼錯了,更正一下!!!) (7千字)
軟體名稱:PacWorld v 1.3
大小:423K
下載: http://gd.skycn.net/down/pacworld.zip
簡介:
一個外國遊戲,在大型機臺和電視遊樂器都很受歡迎的古典遊戲-小精靈大嘴吃豆,你是否很懷念呢?
現在有了PacWorld
這個舊酒裝新瓶的小精靈遊戲,可以讓你在PC上回味一下過去的感覺。PacWorld完全重新設計關卡、獎金制度、美麗的圖形和音效等。
URL: http://gd.skycn.net/down/PacWorld.exe
保護方式:vc++6.0編寫,未加殼,未註冊有功能限制。
破解人 :龍笑天[BCG]
破解時間:2002.4.23
破解工具:trw2000 v1.22
w32dasm
破解流程:1.用trw載入PacWorld v 1.3 ,輸入假碼13141314
2.ctrl+N撥出trw,下 bpx __HMEMCPY F5返回到程式,按下注冊按鈕
3.攔下後,再按9次F12(第10次失敗)
4.來到程式下面段:
:0042057C 8B06                    mov eax, dword ptr [esi]
:0042057E 8BCE                    mov ecx, esi
:00420580 FF5070                  call [eax+70]
:00420583 85C0                    test eax, eax
:00420585 743C                    je 004205C3
:00420587 E8A1150000              call 00421B2D
:0042058C 8B10                    mov edx, dword ptr [eax]------->下dedx即得到註冊碼
:0042058E 55                      push ebp
:0042058F 8BC8                    mov ecx, eax
:00420591 FF5264                  call [edx+64]
:00420594 85C0                    test eax, eax
:00420596 740C                    je 004205A4
:00420598 C744241801000000        mov [esp+18], 00000001
:004205A0 897C2414                mov dword ptr [esp+14], edi
詳細分析:
用 w32dasm載入,按串式參考“Get a valid password for $10”,雙擊來到以下程式段:
* Reference To: USER32.DeleteMenu, Ord:0087h
                                  |
:00407739 FF15F4934200            Call dword ptr [004293F4]------>可疑call,追入!!
:0040773F EB1D                    jmp 0040775E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076D9(C)
|

* Possible StringData Ref from Data Obj ->"Get a valid password for $10"
                                  |
:00407741 68DC134300              push 004313DC
:00407746 8D4DEC                  lea ecx, dword ptr [ebp-14]
:00407749 885DE8                  mov byte ptr [ebp-18], bl
:0040774C E8539E0100              call 004215A4
追入call 來到:
* Possible StringData Ref from Data Obj ->"Password"
                                  |
:0040765D 6888134300              push 00431388
:00407662 53                      push ebx
:00407663 FFD7                    call edi
:00407665 5F                      pop edi
:00407666 5E                      pop esi
:00407667 5B                      pop ebx
:00407668 C9                      leave
:00407669 C3                      ret
:0040766A B8D77D4200              mov eax, 00427DD7
:0040766F E8EC940000              call 00410B60------------>可疑call,追入!!
:00407674 81EC78010000            sub esp, 00000178
:0040767A 53                      push ebx
:0040767B 56                      push esi
:0040767C 8BF1                    mov esi, ecx
:0040767E 33DB                    xor ebx, ebx
:00407680 53                      push ebx
:00407681 8D8D7CFEFFFF            lea ecx, dword ptr [ebp+FFFFFE7C]
:00407687 E856180000              call 00408EE2
:0040768C 8D8D7CFEFFFF            lea ecx, dword ptr [ebp+FFFFFE7C]
:00407692 895DFC                  mov dword ptr [ebp-04], ebx
:00407695 E801620100              call 0041D89B
:0040769A 83F801                  cmp eax, 00000001
:0040769D 0F85CE000000            jne 00407771
:004076A3 68784F4300              push 00434F78
:004076A8 FF7588                  push [ebp-78]
:004076AB E817990000              call 00410FC7
:004076B0 59                      pop ecx
:004076B1 85C0                    test eax, eax
:004076B3 59                      pop ecx
:004076B4 0F84B7000000            je 00407771
:004076BA 53                      push ebx
:004076BB 8D4D8C                  lea ecx, dword ptr [ebp-74]
:004076BE E8561A0000              call 00409119
:004076C3 FF3558504300            push dword ptr [00435058]
:004076C9 C645FC01                mov [ebp-04], 01
:004076CD FF7588                  push [ebp-78]
:004076D0 E8F2980000              call 00410FC7
:004076D5 59                      pop ecx
:004076D6 85C0                    test eax, eax
:004076D8 59                      pop ecx
:004076D9 7566                    jne 00407741

* Possible StringData Ref from Data Obj ->"Thank you for registering"
                                  |
:004076DB 681C144300              push 0043141C
:004076E0 8D4DEC                  lea ecx, dword ptr [ebp-14]
:004076E3 C645E801                mov [ebp-18], 01
:004076E7 E8B89E0100              call 004215A4

* Possible StringData Ref from Data Obj ->"You can now play all 12 Levels"
又追入call 來到(此時心中一喜,好像找到演算法啦!!):
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410B9F(C)
|
:00410BA9 8BC8                    mov ecx, eax-------->把eax的值賦給ecx
:00410BAB C1E008                  shl eax, 08-------->eax左移8位
:00410BAE 03C1                    add eax, ecx-------->eax和ecx相加
:00410BB0 8BC8                    mov ecx, eax-------->把eax的值賦給ecx
:00410BB2 C1E010                  shl eax, 10-------->eax再左移10位
:00410BB5 03C1                    add eax, ecx-------->eax和ecx相加
:00410BB7 8BCA                    mov ecx, edx-------->把edx的值賦給ecx
:00410BB9 83E203                  and edx, 00000003-------->edx和3進行與運算
:00410BBC C1E902                  shr ecx, 02-------->ecx右移2位
:00410BBF 7406                    je 00410BC7-------->ecx為0則跳轉
:00410BC1 F3                      repz
:00410BC2 AB                      stosd
:00410BC3 85D2                    test edx, edx
:00410BC5 7406                    je 00410BCD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00410B98(C), :00410BBF(C), :00410BCB(C)
|
:00410BC7 8807                    mov byte ptr [edi], al
:00410BC9 47                      inc edi
:00410BCA 4A                      dec edx
:00410BCB 75FA                    jne 00410BC7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410BC5(C)
|
:00410BCD 8B442408                mov eax, dword ptr [esp+08]
:00410BD1 5F                      pop edi
:00410BD2 C3                      ret
既然找到演算法,就分析暫存器的值,又用trw2000載入,來到以下程式段:
:00410BA9 8BC8                    mov ecx, eax
:00410BAB C1E008                  shl eax, 08
:00410BAE 03C1                    add eax, ecx
:00410BB0 8BC8                    mov ecx, eax
:00410BB2 C1E010                  shl eax, 10
:00410BB5 03C1                    add eax, ecx
:00410BB7 8BCA                    mov ecx, edx
:00410BB9 83E203                  and edx, 00000003
:00410BBC C1E902                  shr ecx, 02
:00410BBF 7406                    je 00410BC7
:00410BC1 F3                      repz
在此段連下deax,decx,dedx都發現eax,ecx為空運算元,因此剛才的不是找註冊碼的演算法,我暈!!
再回去追入幾個call都徒勞無功!@^@
只好再參考"串式參考",突然,我看到註冊碼竟然在串式參考裡!哈哈!!看來這個程式的註冊方法是
絕對的明碼比較.雙擊"k9B8PT4z81U49i"來到明碼比較以下程式段就是的程式段:
以下程式段就是拿輸入的假碼和真碼比較!!^O^^O^
* Referenced by a CALL at Address:
|:004026C5
|
* Possible StringData Ref from Data Obj ->"k9B8PT4z81U49i"
|
:004026CF 6894114300              push 00431194
:004026D4 B958504300              mov ecx, 00435058
:004026D9 E8F7ED0100              call 004214D5
:004026DE C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004026CA(U)
|
:004026DF 68EB264000              push 004026EB
:004026E4 E89DE80000              call 00410F86
:004026E9 59                      pop ecx
:004026EA C3                      ret
總結:這是一個特殊的絕對明碼比較的程式.程式一執行就定了註冊碼!!!
註冊碼:k9B8PT4z81U49i
好,執行PacWorld v 1.3 ,輸入註冊碼按下確定即顯示註冊成功,可以全玩12關遊戲!!
龍笑天[BCG]: 整理於2002.4.23 23:20