破解心得之eXeScope篇

看雪資料發表於2015-11-15

使用工具:Fileinfo v2.43、W32DSM白金版漢化版、TRW2000 v1.22

    由於這個軟體沒有加殼,因此破解相對容易一些,且註冊演算法也不復雜,很適合初學者破解。
    先執行TRW2000,然後執行該軟體,填好Your Name和ID後,按Ctrl+N啟用TRW2000,然後鍵入"BPX HMEMCPY",
按F5跳回程式,然後點OK就會被攔下,再鍵入"pmodule",繼續按F10。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A7BAA(C)
|
:004A7BBE 8D55F0                  lea edx, dword ptr [ebp-10]
:004A7BC1 8B45FC                  mov eax, dword ptr [ebp-04]
:004A7BC4 8B80D0020000            mov eax, dword ptr [eax+000002D0]
:004A7BCA E885B7F8FF              call 00433354
:004A7BCF 8B55F0                  mov edx, dword ptr [ebp-10]  <--經過幾個RET以後來到這裡
:004A7BD2 A1B8594B00              mov eax, dword ptr [004B59B8]
:004A7BD7 E830C0F5FF              call 00403C0C
:004A7BDC 8D55EC                  lea edx, dword ptr [ebp-14]
:004A7BDF 8B45FC                  mov eax, dword ptr [ebp-04]
:004A7BE2 8B80D4020000            mov eax, dword ptr [eax+000002D4]
:004A7BE8 E867B7F8FF              call 00433354
:004A7BED 8B55EC                  mov edx, dword ptr [ebp-14]
:004A7BF0 A134594B00              mov eax, dword ptr [004B5934]
:004A7BF5 E812C0F5FF              call 00403C0C
:004A7BFA 8B1534594B00            mov edx, dword ptr [004B5934]
:004A7C00 8B12                    mov edx, dword ptr [edx]
:004A7C02 A174574B00              mov eax, dword ptr [004B5774]
:004A7C07 8B00                    mov eax, dword ptr [eax]
:004A7C09 E8DA8D0000              call 004B09E8  <--核心CALL,按F8進入
:004A7C0E 84C0                    test al, al
:004A7C10 0F8498000000            je 004A7CAE  <--一定不能跳轉
:004A7C16 A1B8594B00              mov eax, dword ptr [004B59B8]
:004A7C1B 8B00                    mov eax, dword ptr [eax]
:004A7C1D E816C2F5FF              call 00403E38
:004A7C22 85C0                    test eax, eax
:004A7C24 0F8E84000000            jle 004A7CAE  <--一定不能跳轉
:004A7C2A 8D55E4                  lea edx, dword ptr [ebp-1C]
:004A7C2D A1C4594B00              mov eax, dword ptr [004B59C4]
:004A7C32 8B00                    mov eax, dword ptr [eax]
:004A7C34 E82F9BFAFF              call 00451768
:004A7C39 8B45E4                  mov eax, dword ptr [ebp-1C]
:004A7C3C 8D4DE8                  lea ecx, dword ptr [ebp-18]

* Possible StringData Ref from Code Obj ->".ini"
                                  |
:004A7C3F BA0C7D4A00              mov edx, 004A7D0C
:004A7C44 E8F319F6FF              call 0040963C
:004A7C49 8B4DE8                  mov ecx, dword ptr [ebp-18]
:004A7C4C B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"XuG"
                                  |
:004A7C4E A1906E4700              mov eax, dword ptr [00476E90]
:004A7C53 E8E0F2FCFF              call 00476F38
:004A7C58 8945F8                  mov dword ptr [ebp-08], eax
:004A7C5B A1B8594B00              mov eax, dword ptr [004B59B8]
:004A7C60 8B00                    mov eax, dword ptr [eax]
:004A7C62 50                      push eax

* Possible StringData Ref from Code Obj ->"Name"
                                  |
:004A7C63 B91C7D4A00              mov ecx, 004A7D1C

* Possible StringData Ref from Code Obj ->"Reg"
                                  |
:004A7C68 BA2C7D4A00              mov edx, 004A7D2C
:004A7C6D 8B45F8                  mov eax, dword ptr [ebp-08]
:004A7C70 8B18                    mov ebx, dword ptr [eax]
:004A7C72 FF5304                  call [ebx+04]
:004A7C75 A134594B00              mov eax, dword ptr [004B5934]
:004A7C7A 8B00                    mov eax, dword ptr [eax]
:004A7C7C 50                      push eax

* Possible StringData Ref from Code Obj ->"Reg"
                                  |
:004A7C7D BA2C7D4A00              mov edx, 004A7D2C
:004A7C82 B9387D4A00              mov ecx, 004A7D38
:004A7C87 8B45F8                  mov eax, dword ptr [ebp-08]
:004A7C8A 8B18                    mov ebx, dword ptr [eax]
:004A7C8C FF5304                  call [ebx+04]
:004A7C8F 8B45F8                  mov eax, dword ptr [ebp-08]
:004A7C92 E83DB2F5FF              call 00402ED4
:004A7C97 A17C574B00              mov eax, dword ptr [004B577C]
:004A7C9C C60001                  mov byte ptr [eax], 01
:004A7C9F 8B45FC                  mov eax, dword ptr [ebp-04]
:004A7CA2 C7803402000001000000    mov dword ptr [ebx+00000234], 00000001
:004A7CAC EB20                    jmp 004A7CCE

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A7C10(C), :004A7C24(C)
|
:004A7CAE 6A00                    push 00000000
:004A7CB0 8D55E0                  lea edx, dword ptr [ebp-20]

* Possible StringData Ref from Code Obj ->"Invalid ID or Name;o^IDO"  <--錯誤資訊對話方塊
                                  |
:004A7CB3 B8447D4A00              mov eax, 004A7D44
:004A7CB8 E8D79D0000              call 004B1A94
:004A7CBD 8B45E0                  mov eax, dword ptr [ebp-20]
:004A7CC0 668B0D747D4A00          mov cx, word ptr [004A7D74]
:004A7CC7 B201                    mov dl, 01
:004A7CC9 E88E01FBFF              call 00457E5C

    在上面的核心CALL按F8進入後會來到如下地方:
* Referenced by a CALL at Addresses:
|:004A7C09   , :004B088C   
|
:004B09E8 55                      push ebp
:004B09E9 8BEC                    mov ebp, esp
:004B09EB 83C4F0                  add esp, FFFFFFF0
:004B09EE 8955F8                  mov dword ptr [ebp-08], edx
:004B09F1 8945FC                  mov dword ptr [ebp-04], eax
:004B09F4 8B45F8                  mov eax, dword ptr [ebp-08]
:004B09F7 E8F035F5FF              call 00403FEC
:004B09FC 33C0                    xor eax, eax
:004B09FE 55                      push ebp
:004B09FF 689F0A4B00              push 004B0A9F
:004B0A04 64FF30                  push dword ptr fs:[eax]
:004B0A07 648920                  mov dword ptr fs:[eax], esp
:004B0A0A C645F700                mov [ebp-09], 00
:004B0A0E 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0A11 E82234F5FF              call 00403E38  <--求ID長度
:004B0A16 83F80A                  cmp eax, 0000000A  <--判斷ID的長度是否等於10
:004B0A19 756E                    jne 004B0A89  <--不等的話跳轉,一定不能跳轉
:004B0A1B 8B55F8                  mov edx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"A1910"
                                  |
:004B0A1E B8B80A4B00              mov eax, 004B0AB8  <--[004B0AB8]為"A1910"
:004B0A23 E8FC36F5FF              call 00404124  <--判斷ID的前五個字元是否為"A1910"
:004B0A28 48                      dec eax
:004B0A29 7410                    je 004B0A3B
:004B0A2B 8B55F8                  mov edx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"A1423"
                                  |
:004B0A2E B8C80A4B00              mov eax, 004B0AC8  <--[004B0AC8]為"A1423"
:004B0A33 E8EC36F5FF              call 00404124  <--判斷ID的前五個字元是否為"A1423"
:004B0A38 48                      dec eax
:004B0A39 754E                    jne 004B0A89  <--這個一定不能跳轉

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A29(C)
|
:004B0A3B C745F002000000          mov [ebp-10], 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A65(C)
|
:004B0A42 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0A45 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0A48 8A4410FF                mov al, byte ptr [eax+edw-01]
:004B0A4C 3C30                    cmp al, 30
:004B0A4E 7239                    jb 004B0A89
:004B0A50 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0A53 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0A56 8A4410FF                mov al, byte ptr [eax+edw-01]
:004B0A5A 3C39                    cmp al, 39
:004B0A5C 772B                    ja 004B0A89
:004B0A5E FF45F0                  inc [ebp-10]
:004B0A61 837DF00B                cmp dword ptr [ebp-10], 0000000B
:004B0A65 75DB                    jne 004B0A42
:004B0A67 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0A6A 0FB64008                movzx eax, byte ptr [eax+08]  <--輸入的ID的倒數第二個字元的ASCII碼送入EAX
:004B0A6E 8B55F8                  mov edx, dword ptr [ebp-08]
:004B0A71 0FB65209                movzx edx, byte ptr [edx+09]  <--輸入的ID的倒數最後一個字元的ASCII碼送入EDX
:004B0A75 03C2                    add eax, edx
:004B0A77 B90A000000              mov ecx, 0000000A
:004B0A7C 33D2                    xor edx, edx
:004B0A7E F7F1                    div ecx  <--EAX除以10
:004B0A80 83FA04                  cmp edx, 00000004  <--比較餘數是否等於4
:004B0A83 7504                    jne 004B0A89  <--不等於4的話則跳轉,一定不能跳轉
:004B0A85 C645F701                mov [ebp-09], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B0A19(C), :004B0A39(C), :004B0A4E(C), :004B0A5C(C), :004B0A83(C)
|
:004B0A89 33C0                    xor eax, eax
:004B0A8B 5A                      pop edx
:004B0A8C 59                      pop ecx
:004B0A8D 59                      pop ecx
:004B0A8E 648910                  mov dword ptr fs:[eax], edx
:004B0A91 68A60A4B00              push 004B0AA6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0AA4(U)
|
:004B0A96 8D45F8                  lea eax, dword ptr [ebp-08]
:004B0A99 E81A31F5FF              call 00403BB8
:004B0A9E C3                      ret

    現在我們知道了註冊碼的形式為A1910xxxxx或A1423xxxxx,其中第6、7、8個字元為任意字元,而第9、10個字元的ASCII
碼的和的個位數為4就可以正確的註冊了!!

相關文章