Cracking CopyFaster under Win2000
---Celebrating the success of Beijing's 2008 Olympic bid!
Cracker: moonlite
Target: CopyFaster 1.0 Final Release
Platform: Windows 2000 only
Download: http://www.lowtek.com/copyfaster/download/
Size: 101k
Purpose: CopyFaster is a software utility that enables Windows 2000 Explorer to copy big files faster when copying to and from the same hard drive.
Tools: SoftIce for NT
Protection: a registration dialog pops up on every launch asking you to register; CRC check.
Cracking process:
[1] Start Symbol Loader, load copyfast.exe and run it. SoftIce is activated; press F5 once and the CopyFaster registration dialog appears.
[2] Enter the name "moonlite" and the serial "1818518". Ctrl+D to drop into SoftIce. Type:
S 10:0 L FFFFFFFF "1818518". One address is found; set a BPM breakpoint on it, F5 back to the registration dialog and click OK. Nothing is caught. Strange?
Try instead S 10:0 L FFFFFFFF 31,00,38,00,31,00,38,00,35,00,31,00,38
(note: this searches for the WideChar form of the serial, i.e. "1 8 1 8 5 1 8"). One address is found, but after setting a BPM breakpoint on it, still nothing is caught.
Change of approach: BPM GETWINDOWTEXTW, return to the program and click OK. SoftIce stops it, as follows:
-------------------
:0040373C FF75E0       push [ebp-20]
:0040373F 895DFC       mov dword ptr [ebp-04], ebx
:00403742 FF75DC       push [ebp-24]
:00403745 FF75EC       push [ebp-14]
* Reference To: USER32.GetWindowTextW, Ord:0165h
|
:00403748 FF1568B24000 Call dword ptr [0040B268]   // read the name
:0040374E 85C0         test eax, eax               // eax = length of the name string  <=== cursor is here!
:00403750 7506         jne 00403758                // jump if not empty
:00403752 8B45DC       mov eax, dword ptr [ebp-24]
:00403755 668918       mov word ptr [eax], bx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403750(C)
|
:00403758 8B4610       mov eax, dword ptr [esi+10]
--------------
Press F5 again and SoftIce stops once more:
--------------
:00403783 FF75E4       push [ebp-1C]
:00403786 FF75EC       push [ebp-14]
* Reference To: USER32.GetWindowTextW, Ord:0165h
|
:00403789 FF1568B24000 Call dword ptr [0040B268]
:0040378F 85C0         test eax, eax               // eax = length of the serial string  <=== cursor is here!
:00403791 7506         jne 00403799                // jump if not empty
:00403793 8B45E4       mov eax, dword ptr [ebp-1C]
:00403796 668918       mov word ptr [eax], bx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403791(C)
|
:00403799 FF75E4       push [ebp-1C]
---------------
[3] The interesting part:
--> the jump at 00403791 lands here:
:00403799 FF75E4       push [ebp-1C]
:0040379C FF75DC       push [ebp-24]
:0040379F E853FDFFFF   call 004034F7               // go in and take a look
:004037A4 FF75E4       push [ebp-1C]
:004037A7 FF75DC       push [ebp-24]
:004037AA E8C2E4FFFF   call 00401C71
:004037AF 8D4DC8       lea ecx, dword ptr [ebp-38]
:004037B2 E8F7FBFFFF   call 004033AE
:004037B7 8D45C8       lea eax, dword ptr [ebp-38]
:004037BA 8BCE         mov ecx, esi
:004037BC 50           push eax
:004037BD C645FC02     mov [ebp-04], 02
:004037C1 E86FFDFFFF   call 00403535
----------
The call leads here:
* Referenced by a CALL at Addresses:
|:004034BF , :0040379F
|
:004034F7 FF742404     push [esp+04]
:004034FB E867E3FFFF   call 00401867
:00403500 85C0         test eax, eax
:00403502 750A         jne 0040350E
:00403504 68040000E2   push E2000004
:00403509 E8F4030000   call 00403902
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403502(C)
|
:0040350E 56           push esi
:0040350F FF742408     push [esp+08]
:00403513 E866E2FFFF   call 0040177E               // note: there is a JE not far after this call;
                                                   // an opportunity not to be missed, we have to go in and look...
:00403518 8BF0         mov esi, eax
:0040351A FF74240C     push [esp+0C]
:0040351E E885E3FFFF   call 004018A8
:00403523 3BF0         cmp esi, eax
:00403525 5E           pop esi
:00403526 740A         je 00403532
:00403528 68050000E2   push E2000005
:0040352D E8D0030000   call 00403902
----------
* Referenced by a CALL at Address:
|:00403513
|
:0040177E 55           push ebp
:0040177F 8BEC         mov ebp, esp
:00401781 83EC0C       sub esp, 0000000C
:00401784 56           push esi
:00401785 8B7508       mov esi, dword ptr [ebp+08]
:00401788 8D45F4       lea eax, dword ptr [ebp-0C] // eax points to the entered name, in WideChar form: "m.o.o.n.l.i.t.e."
:0040178B 6A00         push 00000000
:0040178D 50           push eax
:0040178E E8D6FEFFFF   call 00401669
:00401793 8D45F4       lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Data Obj ->"CopyFaster is Copyright (c) 2000 "
                                        ->"Spencer Low. All rights reserved. "
                                        ->"If you use CopyFaster, pay $9.99 "
                                        ->"to register it by going to: http://www.lowtek."
                                        ->"com/copyfaster/"
|
:00401796 6868E14000   push 0040E168
:0040179B 50           push eax
:0040179C E806FFFFFF   call 004016A7
-------------
Next, the code from 004017A1 to 004017D4 is the transformation applied to the name string.
-----------
:00403513 E866E2FFFF   call 0040177E               // compute the serial
:00403518 8BF0         mov esi, eax                // returned eax = the real serial computed from the name, saved in esi;
                                                   // mine is "1756057853"; write it down with a pen so it doesn't get lost
:0040351A FF74240C     push [esp+0C]               // push the address of the entered (fake) serial
:0040351E E885E3FFFF   call 004018A8               // convert the entered fake serial to decimal form;
                                                   // returned eax is "0001818518"
:00403523 3BF0         cmp esi, eax                // compare the real and fake serials
:00403525 5E           pop esi
:00403526 740A         je 00403532                 // equal: good boy
:00403528 68050000E2   push E2000005
:0040352D E8D0030000   call 00403902
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403526(C)
|
:00403532 C20800       ret 0008
-------------
F5 to return to the program.
[4] Epilogue:
Change the serial to "1756057853" and enter it. Click OK: success!
After successful registration, two values are created in the registry:
[HKEY_USERS\S-1-5-21-1844237615-1682526488-1957994488-500\Software\LowTek\CopyFaster\Registration]
"Name"="moonlite"
"Number"="1756057853"
[5] Afterword: I haven't used SICE for more than half a year, but under Win2K there is still no other choice. This is my first crack under Win2000. I hope the experts will offer plenty of guidance!
★☆ moonlite, 2001-7-13 ☆★
- Title: Cracking CopyFaster under Win2000 (7k characters)
- Author: moonlite
- Time: 2001-7-14 12:25:36
- Link: http://bbs.pediy.com