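Cracking Notes: eXeScope
Tools used: Fileinfo v2.43, W32DSM Platinum Edition (Chinese-localized), TRW2000 v1.22
Because this program is not packed, it is relatively easy to crack, and the registration algorithm is not complicated, so it is well suited to beginners.
First run TRW2000, then run the program. After filling in Your Name and ID, press Ctrl+N to activate TRW2000, type "BPX HMEMCPY",
press F5 to return to the program, then click OK and the breakpoint will trigger. Then type "pmodule" and keep pressing F10.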
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A7BAA(C)
|
:004A7BBE 8D55F0 lea edx, dword ptr [ebp-10]
:004A7BC1 8B45FC mov eax, dword ptr [ebp-04]
:004A7BC4 8B80D0020000 mov eax, dword ptr [eax+000002D0]
:004A7BCA E885B7F8FF call 00433354
:004A7BCF 8B55F0 mov edx, dword ptr [ebp-10] <-- after stepping through several RETs, you arrive here
:004A7BD2 A1B8594B00 mov eax, dword ptr [004B59B8]
:004A7BD7 E830C0F5FF call 00403C0C
:004A7BDC 8D55EC lea edx, dword ptr [ebp-14]
:004A7BDF 8B45FC mov eax, dword ptr [ebp-04]
:004A7BE2 8B80D4020000 mov eax, dword ptr [eax+000002D4]
:004A7BE8 E867B7F8FF call 00433354
:004A7BED 8B55EC mov edx, dword ptr [ebp-14]
:004A7BF0 A134594B00 mov eax, dword ptr [004B5934]
:004A7BF5 E812C0F5FF call 00403C0C
:004A7BFA 8B1534594B00 mov edx, dword ptr [004B5934]
:004A7C00 8B12 mov edx, dword ptr [edx]
:004A7C02 A174574B00 mov eax, dword ptr [004B5774]
:004A7C07 8B00 mov eax, dword ptr [eax]
:004A7C09 E8DA8D0000 call 004B09E8 <-- core CALL; press F8 to step into it
:004A7C0E 84C0 test al, al
:004A7C10 0F8498000000 je 004A7CAE <-- this jump must not be taken
:004A7C16 A1B8594B00 mov eax, dword ptr [004B59B8]
:004A7C1B 8B00 mov eax, dword ptr [eax]
:004A7C1D E816C2F5FF call 00403E38
:004A7C22 85C0 test eax, eax
:004A7C24 0F8E84000000 jle 004A7CAE <-- this jump must not be taken
:004A7C2A 8D55E4 lea edx, dword ptr [ebp-1C]
:004A7C2D A1C4594B00 mov eax, dword ptr [004B59C4]
:004A7C32 8B00 mov eax, dword ptr [eax]
:004A7C34 E82F9BFAFF call 00451768
:004A7C39 8B45E4 mov eax, dword ptr [ebp-1C]
:004A7C3C 8D4DE8 lea ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->".ini"
|
:004A7C3F BA0C7D4A00 mov edx, 004A7D0C
:004A7C44 E8F319F6FF call 0040963C
:004A7C49 8B4DE8 mov ecx, dword ptr [ebp-18]
:004A7C4C B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"XuG"
|
:004A7C4E A1906E4700 mov eax, dword ptr [00476E90]
:004A7C53 E8E0F2FCFF call 00476F38
:004A7C58 8945F8 mov dword ptr [ebp-08], eax
:004A7C5B A1B8594B00 mov eax, dword ptr [004B59B8]
:004A7C60 8B00 mov eax, dword ptr [eax]
:004A7C62 50 push eax
* Possible StringData Ref from Code Obj ->"Name"
|
:004A7C63 B91C7D4A00 mov ecx, 004A7D1C
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C68 BA2C7D4A00 mov edx, 004A7D2C
:004A7C6D 8B45F8 mov eax, dword ptr [ebp-08]
:004A7C70 8B18 mov ebx, dword ptr [eax]
:004A7C72 FF5304 call [ebx+04]
:004A7C75 A134594B00 mov eax, dword ptr [004B5934]
:004A7C7A 8B00 mov eax, dword ptr [eax]
:004A7C7C 50 push eax
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C7D BA2C7D4A00 mov edx, 004A7D2C
:004A7C82 B9387D4A00 mov ecx, 004A7D38
:004A7C87 8B45F8 mov eax, dword ptr [ebp-08]
:004A7C8A 8B18 mov ebx, dword ptr [eax]
:004A7C8C FF5304 call [ebx+04]
:004A7C8F 8B45F8 mov eax, dword ptr [ebp-08]
:004A7C92 E83DB2F5FF call 00402ED4
:004A7C97 A17C574B00 mov eax, dword ptr [004B577C]
:004A7C9C C60001 mov byte ptr [eax], 01
:004A7C9F 8B45FC mov eax, dword ptr [ebp-04]
:004A7CA2 C7803402000001000000 mov dword ptr [eax+00000234], 00000001
:004A7CAC EB20 jmp 004A7CCE
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A7C10(C), :004A7C24(C)
|
:004A7CAE 6A00 push 00000000
:004A7CB0 8D55E0 lea edx, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->"Invalid ID or Name;o^IDO" <-- error message dialog
|
:004A7CB3 B8447D4A00 mov eax, 004A7D44
:004A7CB8 E8D79D0000 call 004B1A94
:004A7CBD 8B45E0 mov eax, dword ptr [ebp-20]
:004A7CC0 668B0D747D4A00 mov cx, word ptr [004A7D74]
:004A7CC7 B201 mov dl, 01
:004A7CC9 E88E01FBFF call 00457E5C
Pressing F8 at the core CALL above steps into the following routine:
* Referenced by a CALL at Addresses:
|:004A7C09 , :004B088C
|
:004B09E8 55 push ebp
:004B09E9 8BEC mov ebp, esp
:004B09EB 83C4F0 add esp, FFFFFFF0
:004B09EE 8955F8 mov dword ptr [ebp-08], edx
:004B09F1 8945FC mov dword ptr [ebp-04], eax
:004B09F4 8B45F8 mov eax, dword ptr [ebp-08]
:004B09F7 E8F035F5FF call 00403FEC
:004B09FC 33C0 xor eax, eax
:004B09FE 55 push ebp
:004B09FF 689F0A4B00 push 004B0A9F
:004B0A04 64FF30 push dword ptr fs:[eax]
:004B0A07 648920 mov dword ptr fs:[eax], esp
:004B0A0A C645F700 mov [ebp-09], 00
:004B0A0E 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A11 E82234F5FF call 00403E38 <-- get the length of the ID
:004B0A16 83F80A cmp eax, 0000000A <-- check whether the ID length equals 10
:004B0A19 756E jne 004B0A89 <-- jumps if not equal; this jump must not be taken
:004B0A1B 8B55F8 mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1910"
|
:004B0A1E B8B80A4B00 mov eax, 004B0AB8 <-- [004B0AB8] is "A1910"
:004B0A23 E8FC36F5FF call 00404124 <-- check whether the first five characters of the ID are "A1910"
:004B0A28 48 dec eax
:004B0A29 7410 je 004B0A3B
:004B0A2B 8B55F8 mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1423"
|
:004B0A2E B8C80A4B00 mov eax, 004B0AC8 <-- [004B0AC8] is "A1423"
:004B0A33 E8EC36F5FF call 00404124 <-- check whether the first five characters of the ID are "A1423"
:004B0A38 48 dec eax
:004B0A39 754E jne 004B0A89 <-- this jump must not be taken
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A29(C)
|
:004B0A3B C745F002000000 mov [ebp-10], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A65(C)
|
:004B0A42 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A45 8B55F0 mov edx, dword ptr [ebp-10]
:004B0A48 8A4410FF mov al, byte ptr [eax+edx-01]
:004B0A4C 3C30 cmp al, 30
:004B0A4E 7239 jb 004B0A89
:004B0A50 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A53 8B55F0 mov edx, dword ptr [ebp-10]
:004B0A56 8A4410FF mov al, byte ptr [eax+edx-01]
:004B0A5A 3C39 cmp al, 39
:004B0A5C 772B ja 004B0A89
:004B0A5E FF45F0 inc [ebp-10]
:004B0A61 837DF00B cmp dword ptr [ebp-10], 0000000B
:004B0A65 75DB jne 004B0A42
:004B0A67 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A6A 0FB64008 movzx eax, byte ptr [eax+08] <-- ASCII code of the second-to-last character of the entered ID goes into EAX
:004B0A6E 8B55F8 mov edx, dword ptr [ebp-08]
:004B0A71 0FB65209 movzx edx, byte ptr [edx+09] <-- ASCII code of the last character of the entered ID goes into EDX
:004B0A75 03C2 add eax, edx
:004B0A77 B90A000000 mov ecx, 0000000A
:004B0A7C 33D2 xor edx, edx
:004B0A7E F7F1 div ecx <-- divide EAX by 10
:004B0A80 83FA04 cmp edx, 00000004 <-- compare whether the remainder equals 4
:004B0A83 7504 jne 004B0A89 <-- jumps if not equal to 4; this jump must not be taken
:004B0A85 C645F701 mov [ebp-09], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B0A19(C), :004B0A39(C), :004B0A4E(C), :004B0A5C(C), :004B0A83(C)
|
:004B0A89 33C0 xor eax, eax
:004B0A8B 5A pop edx
:004B0A8C 59 pop ecx
:004B0A8D 59 pop ecx
:004B0A8E 648910 mov dword ptr fs:[eax], edx
:004B0A91 68A60A4B00 push 004B0AA6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0AA4(U)
|
:004B0A96 8D45F8 lea eax, dword ptr [ebp-08]
:004B0A99 E81A31F5FF call 00403BB8
:004B0A9E C3 ret
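We now know that the registration code has the form A1910xxxxx or A1423xxxxx, where the 6th, 7th and 8th characters are arbitrary, and an ID in which the ones digit of the sum of the ASCII
codes of the 9th and 10th characters is 4 will register correctly!!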
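Added example, not part of the original post: a C reconstruction of the routine at 004B09E8 as the listing shows it (including the loop at 004B0A42 that range-checks characters 2 through 10 against 30h..39h), used to measure how little the check constrains an ID. The function names are hypothetical, and call 00404124 is assumed to be a starts-with test, as the listing's comments describe it.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the check at 004B09E8 (hypothetical name).
   Returns 1 if the ID is accepted, 0 otherwise. Only the ID is read. */
int id_check(const char *id)
{
    size_t i;

    if (strlen(id) != 10)                    /* cmp eax, 0A / jne 004B0A89 */
        return 0;
    if (strncmp(id, "A1910", 5) != 0 &&      /* prefix tests at 004B0A23   */
        strncmp(id, "A1423", 5) != 0)        /* and 004B0A33 (assumed)     */
        return 0;
    for (i = 1; i < 10; i++)                 /* loop 004B0A42..004B0A65    */
        if (id[i] < '0' || id[i] > '9')      /* cmp al,30 / cmp al,39      */
            return 0;
    /* add eax, edx / div ecx / cmp edx, 4 */
    return ((unsigned char)id[8] + (unsigned char)id[9]) % 10 == 4;
}

/* Count how many of the 100000 five-digit suffixes a prefix accepts. */
long count_accepted(const char *prefix)
{
    char id[32];
    long n, hits = 0;

    for (n = 0; n < 100000; n++) {
        snprintf(id, sizeof id, "%.5s%05ld", prefix, n);
        hits += id_check(id);
    }
    return hits;
}

int main(void)
{
    long a = count_accepted("A1910");
    long b = count_accepted("A1423");

    printf("accepted per prefix: %ld and %ld of 100000\n", a, b);
    printf("total accepted IDs: %ld\n", a + b);
    return 0;
}
```

One in ten numeric suffixes passes for each prefix, and the routine reads only the ID argument, so a format-only check like this gives the vendor no binding between a license and the registered name.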