在破解不知不觉背单词时,我总是找不到它的注册码(请恕在下水平实在有限),总是用TRW跳过注册检测直接注册。但是每次重做机子都必须用TRW跟踪,有点麻烦。后来无意居然发现,它居然判定你是否注册,是查看你windows\system\下面有没有Mkrnl57.dll(注意57前面是英文字母L,可别搞错),好了,这下简单了,只有在windows\system下建一个零字节的文件Mkrnl57.dll,再注册,哈哈,你已经是注册用户了。我今天重装机子,马上试了一下,OK,连不知不觉都不用关闭就已经是注册用户了。
我知道这样类似的文件是否已经有人发表,但这是我自己发现的,可没有抄袭,我非常乐意交破解的朋友,看雪学院是我的师父,我很感谢他教会我破解软件.
第一处:下中断 —— bpx 4142bc do "t; do *eax" 在数据窗口里你看到的是你的用户号
:004142BC 8D45FC
lea eax, dword ptr [ebp-04]
:004142BF E8B8E0FEFF call
0040237C
:004142C4 8945BC
mov dword ptr [ebp-44], eax
:004142C7 33D2
xor edx, edx
:004142C9 8955B8
mov dword ptr [ebp-48], edx
:004142CC 33C9
xor ecx, ecx
:004142CE 894DB4
mov dword ptr [ebp-4C], ecx
:004142D1 EB10
jmp 004142E3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004142EF(C)
|
:004142D3 8B45BC
mov eax, dword ptr [ebp-44]
:004142D6 8B55B4
mov edx, dword ptr [ebp-4C]
:004142D9 0FBE0C10
movsx ecx, byte ptr [eax+edx]
:004142DD 014DB8
add dword ptr [ebp-48], ecx
:004142E0 FF45B4
inc [ebp-4C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004142D1(U)
|
:004142E3 8D45FC
lea eax, dword ptr [ebp-04]
:004142E6 E869990800 call
0049DC54
:004142EB 48
dec eax
:004142EC 3B45B4
cmp eax, dword ptr [ebp-4C]
:004142EF 7FE2
jg 004142D3
:004142F1 DB45B8
fild dword ptr [ebp-48]
:004142F4 83C4F8
add esp, FFFFFFF8
:004142F7 DD1C24
fstp qword ptr [esp]
:004142FA E81D2B0800 call
00496E1C
:004142FF 83C408
add esp, 00000008
:00414302 D805C4444100 fadd dword
ptr [004144C4]
:00414308 D83DC4444100 fdivr dword
ptr [004144C4]
:0041430E DD9D70FFFFFF fstp qword
ptr [ebp+FFFFFF70]
:00414314 6800804C40 push
404C8000
:00414319 6A00
push 00000000
:0041431B E87C2F0800 call
0049729C
:00414320 83C408
add esp, 00000008
:00414323 DCBD70FFFFFF fdivr qword
ptr [ebp+FFFFFF70]
:00414329 D95DB0
fstp dword ptr [ebp-50]
:0041432C 66C745D80800 mov [ebp-28],
0008
:00414332 D945B0
fld dword ptr [ebp-50]
:00414335 E8062D0800 call
00497040
:0041433A 898574FFFFFF mov dword
ptr [ebp+FFFFFF74], eax
:00414340 DB8574FFFFFF fild dword
ptr [ebp+FFFFFF74]
:00414346 D86DB0
fsubr dword ptr [ebp-50]
:00414349 DC0DC8444100 fmul qword
ptr [004144C8]
:0041434F E8EC2C0800 call
00497040
:00414354 898570FFFFFF mov dword
ptr [ebp+FFFFFF70], eax
:0041435A DB8570FFFFFF fild dword
ptr [ebp+FFFFFF70]
:00414360 83C4F8
add esp, FFFFFFF8
:00414363 DD1C24
fstp qword ptr [esp]
:00414366 E8912C0800 call
00496FFC
:0041436B 83C408
add esp, 00000008
:0041436E E8CD2C0800 call
00497040
:00414373 8945AC
mov dword ptr [ebp-54], eax
:00414376 8D45F4
lea eax, dword ptr [ebp-0C]
:00414379 E88AD4FEFF call
00401808
:0041437E 8BD0
mov edx, eax
:00414380 FF45E4
inc [ebp-1C]
:00414383 8B4DC4
mov ecx, dword ptr [ebp-3C]
:00414386 8B81C8030000 mov eax, dword
ptr [ecx+000003C8]
:0041438C E83B010500 call
004644CC
:00414391 8D55F4
lea edx, dword ptr [ebp-0C]
第二处:下中断 —— bpx 414394 do "d *edx" 你输入的Virtual Code
:00414394 52
push edx
:00414395 66C745D82000 mov [ebp-28],
0020
:0041439B 8D45F8
lea eax, dword ptr [ebp-08]
:0041439E E865D4FEFF call
00401808
:004143A3 8BD0
mov edx, eax
:004143A5 FF45E4
inc [ebp-1C]
:004143A8 8B45AC
mov eax, dword ptr [ebp-54]
:004143AB E8906B0700 call
0048AF40
:004143B0 8D45F8
lea eax, dword ptr [ebp-08]
第三处:下中断 —— bpx 4143b3 do "d *eax" 正确的注册码
:004143B3 5A
pop edx
:004143B4 E8F7970800 call
0049DBB0
:004143B9 50
push eax
:004143BA FF4DE4
dec [ebp-1C]
:004143BD 8D45F4
lea eax, dword ptr [ebp-0C]
:004143C0 BA02000000 mov edx,
00000002
:004143C5 E802970800 call
0049DACC
:004143CA FF4DE4
dec [ebp-1C]
:004143CD 8D45F8
lea eax, dword ptr [ebp-08]
:004143D0 BA02000000 mov edx,
00000002
:004143D5 E8F2960800 call
0049DACC
:004143DA 59
pop ecx
第四处: 下中断 —— bpx 4143db 如果CL中的值为1,那么注册成功
:004143DB 84C9
test cl, cl
:004143DD 0F8482000000 je 00414465
:004143E3 6A32
push 00000032
在4142bc处中断后,运行引号中的语句,这个句话"t; d *eax;"
等同于你在4142bc中断跳出时,手动输入两条命令t和d *eax
d *eax其实就是d [EAX](只是不能这么写,[EAX]中的内容你可以用
d eax看到),而要写成d *eax,*符号跟C里面的指针类似。