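WinBoost 2000 Gold Cracking Tutorial
Author: Sun Bird [CCG] (I, Sun Bird, belong to the cracking group China Cracking Group ^_^)
Date: March 22, 2000
Experts online have already published a method for registering WinBoost 2000 Gold
by tracing and analysing it with FileMon. The idea is so clever and the method so
simple that it is truly admirable! Personally, I feel that being able to register
successfully with such a simple method must be an oversight in WinBoost 2000 Gold.
The well-known foreign cracker LW2000 has also written up the same simple method of
tracing with FileMon and registering successfully. It seems that, at home or abroad,
crackers everywhere are one family ^_^
However, many friends would like to use SoftICE to trace out the real registration
code of WinBoost 2000 Gold, and as it happens LW2000 also wrote this tutorial. So
let me translate it with my clumsy English and terrible Chinese (I have left out the
unimportant parts, because I can only type in full pinyin...).
I should state that I have not installed WinBoost 2000 Gold, so the translation may
contain errors, but what matters is the approach and the technique, so please bear
with it ^_^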
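Name      : WinBoost 2000 Gold
Version   : generic
Editor    : Magellass
s/n saved : win.ini (where the registration code is stored)
Tools     : Softice & Brain
Cracker   : LW2000 (apparently a member of the internationally known cracking group Phrozen Crew or CiA)
Translator: Sun Bird [CCG] (meaning a member of the cracking group China Cracking Group ^_^)
Date      : March 16, 2000 (just after "3.15"; sigh, we poor consumers strongly demand
            that the telecom authorities raise speeds and cut prices!)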
---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---
(1) Mhmm... Enter the following details:
Enter the following registration information:
User Name: LW2000
WB98 Registration Code: 1239900
WB2000 Registration Code: 1230099
I always try to break on GetDlgItemTextA and GetWindowTextA, you should do the
same... it saves a lot of time =)
I usually set breakpoints on GetDlgItemTextA and GetWindowTextA...
Try to validate the code.
*BOOM* Sice pops up.
The program is interrupted by SoftICE.
We'll have to hit F12 about 13 times till we get a useful piece of code:
Press F12 13 times, until we reach this code:
.004D33D9: 8B80C8020000   mov   eax,[eax][0000002C8]
.004D33DF: E88CB9F5FF     call  .00042ED70
.004D33E4: 8D55F0         lea   edx,[ebp][-0010]   <-
.004D33E7: 8B45FC         mov   eax,[ebp][-0004]
.004D33EA: 8B80D8020000   mov   eax,[eax][0000002D8]
.004D33F0: E87BB9F5FF     call  .00042ED70
.004D33F5: 8D55EC         lea   edx,[ebp][-0014]
.004D33F8: 8B45FC         mov   eax,[ebp][-0004]
.004D33FB: 8B80CC020000   mov   eax,[eax][0000002CC]
.004D3401: E86AB9F5FF     call  .00042ED70
.004D3406: 8D45F4         lea   eax,[ebp][-000C]
.004D3409: 8B55EC         mov   edx,[ebp][-0014]
.004D340C: E81B07F3FF     call  .000403B2C
.004D3411: 8B55F8         mov   edx,[ebp][-0008]
.004D3414: 8B45FC         mov   eax,[ebp][-0004]
.004D3417: E8F8FCFFFF     call  .0004D3114
.004D341C: 8D55E0         lea   edx,[ebp][-0020]
.004D341F: E83C4DF3FF     call  .000408160
.004D3424: 33C0           xor   eax,eax
.004D3426: 5A             pop   edx
.004D3427: 59             pop   ecx
.004D3428: 59             pop   ecx
.004D3429: 648910         mov   fs:[eax],edx
.004D342C: 686E3F4D00     push  0004D3F6E
.004D3431: 837DF000       cmp   d,[ebp][-0010],000
.004D3435: 0F84F7090000   je    .0004D3E32
(2) Only bullshit, because we don't want to write a keygen, we only want to have
one serial ...
.004D343B: 8B45F0         mov   eax,[ebp][-0010]   <- WB98 key (the WB98 registration code we entered)
.004D343E: 8B55E0         mov   edx,[ebp][-0020]   <- correct key (the correct registration code)
.004D3441: E8DA09F3FF     call  .000403E20         <- compare string (compare the registration codes)
.004D3446: 0F851F010000   jne   .0004D356B
There are about 17 more checks after this. The checked keys will not work, because
Magellass has found them on the Web!
The registration code is checked here; more than 17 registration codes that can be
found online will not work!
(3) Mhmm... great! Then just step until you are at .004D3441. Then type 'd edx' and
write your key down and set a bpx on it.
When you have traced to .004D3441, enter 'd edx', note down the registration code
and set a breakpoint here.
Ok.. let's type the new key as WB98 code...
Re-enter the correct "WB98" registration code...
Back in SoftIce we step through the next code:
Back in SoftICE, trace to the following code:
.004D35DB: 8B45EC         mov   eax,[ebp][-0014]   <-- WB2K Key (the WB2K registration code we entered)
.004D35DE: E82D07F3FF     call  .000403D10
.004D35E3: 83F814         cmp   eax,014            <-- length
.004D35E6: 0F8E5A030000   jle   .0004D3946
(4) Mhmm.. does that mean we must have 14h (= 20) or more characters? maybe, but
let the jump do ...
Does this mean we must enter 14h (20) or more characters? Maybe; let the jump
instruction carry on...
.004D3946: 8D45E8         lea   eax,[ebp][-0018]
.004D3949: 8B55EC         mov   edx,[ebp][-0014]
.004D394C: E8DB01F3FF     call  .000403B2C
.004D3951: 8B45EC         mov   eax,[ebp][-0014]
.004D3954: E8B703F3FF     call  .000403D10
.004D3959: 83F817         cmp   eax,017            <-- length
.004D395C: 0F8EEA030000   jle   .0004D3D4C
(5) Next check.. this time with 17h (=23) or more chars? Let it be ... trace on
with F10
Another check... this time 17h (23) or more characters? Press F10 to keep tracing.
.004D3D4C: 8D45E4         lea   eax,[ebp][-001C]
.004D3D4F: 8B55EC         mov   edx,[ebp][-0014]
.004D3D52: E8D5FDF2FF     call  .000403B2C
.004D3D57: 33DB           xor   ebx,ebx
.004D3D59: 8D4DDC         lea   ecx,[ebp][-0024]
.004D3D5C: 0FBFF3         movsx esi,bx
.004D3D5F: 8BD6           mov   edx,esi
.004D3D61: A110684D00     mov   eax,[0004D6810]
.004D3D66: 8B00           mov   eax,[eax]
.004D3D68: 8B8054020000   mov   eax,[eax][000000254]
.004D3D6E: 8B4024         mov   eax,[eax][00024]
.004D3D71: 8B38           mov   edi,[eax]
.004D3D73: FF570C         call  d,[edi][0000C]
.004D3D76: 8B55DC         mov   edx,[ebp][-0024]   <-- our key (the registration code we entered)
.004D3D79: 8B45E4         mov   eax,[ebp][-001C]   <-- a key (a correct registration code)
.004D3D7C: E89F00F3FF     call  .000403E20         <-- compare
.004D3D81: 7427           je    .0004D3DAA
.004D3D83: 8D4DDC         lea   ecx,[ebp][-0024]
(6) *g* 'd eax' ... so just write the key down. Let's try it!
Enter 'd eax' and note down the registration code.
Congratulation! You are an registered user.
Congratulations! You are now a registered user.
FINISH! Easy, or?
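
Added example (not part of LW2000's tutorial or Sun Bird's translation, and not WinBoost code): steps (2) and (5) work because the program builds the valid code in memory and string-compares it with the input, so the Python sketch below contrasts that pattern with a check that only verifies a vendor signature. The key derivation, the toy RSA parameters and every function name are assumptions made for illustration.

```python
import hashlib

# Constructed toy parameters (assumption): two Mersenne primes, ~216-bit modulus.
# Far too small for real use; a product would use a vetted crypto library
# (RSA-2048+ with padding, or Ed25519) instead of textbook RSA.
# P and Q appear here only so the demo can play the vendor; a shipped client
# would contain N and E alone.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q

def _digest(user: str) -> int:
    """Hash the licensee name to an integer below N."""
    return int.from_bytes(hashlib.sha256(user.encode()).digest(), "big") % N

# Pattern visible in the listing: derive the valid code, then string-compare.
def expected_code_weak(user: str) -> str:
    # Hypothetical derivation; the page never shows the real algorithm.
    return hashlib.sha256(b"app-secret" + user.encode()).hexdigest()[:24]

def check_weak(user: str, entered: str) -> bool:
    valid = expected_code_weak(user)  # valid code now sits in process memory
    return entered == valid           # the compare a debugger can observe

# Hardened: the vendor signs offline, the client only verifies.
def vendor_issue(user: str) -> str:
    """Vendor side only; the private exponent never ships with the product."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return format(pow(_digest(user), d, N), "x")

def check_signed(user: str, entered: str) -> bool:
    """Client side: holds only (N, E) and never derives a valid code."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(user)

if __name__ == "__main__":
    code = vendor_issue("LW2000")
    print(check_signed("LW2000", code), check_signed("LW2000", "1230099"))
```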