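Cracking vTuner Plus 3.0 Online Registration, Method 1: Patching
Tools: TRW2K, W32dasm, System Mechanic, Regshot
Introduction: The new RealOne Player is great, an excellent online player! vTuner Plus is a companion for RealOne Player.
vTuner lists thousands of TV and radio channels, so you can quickly find live shows, music, news programs
and any other broadcast content you like on the network. vTuner's main window is very cool. Registration fee: $29.95
Download: For RealOne, it is best to search Google for a download address;
vTuner Plus 3.0 is probably hard to find now.
Homepage: http://www.vtuner.com/vtunerApp.html
Size: Downloaded together with RealOne, I forgot ^_^
Restrictions: VB, 15-day trial, online registration, NAG window prompt!
Cracker: moonlite[FCG][BCG]
[Process]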
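1) First run vtuner, and the registration NAG appears :) If you enter a registration code and click the Confirm Number button,
it also goes online to verify it, which is really annoying! So let's get rid of this NAG first:
Start TRW, click the Run vTuner button in the NAG window, press Ctrl+D, and you land in TRW's territory;
then run pmodule once more: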
:004B8D18 50                      push eax
:004B8D19 FF92B0020000            call dword ptr [edx+000002B0]   //b8119 <----NAG window
:004B8D1F 898508FFFFFF            mov dword ptr [ebp+FFFFFF08], eax   <----the cursor is here!
:004B8D25 83BD08FFFFFF00          cmp dword ptr [ebp+FFFFFF08], 00000000
:004B8D2C 7D23                    jge 004B8D51
:004B8D2E 68B0020000              push 000002B0
.........
NOP out the CALL at 004B8D19/offset: b8119, and the annoying prompt window is gone :-) ************ Patch one
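2) Set the clock forward 30 days, haha, the annoying window is back; this time it says the trial has expired and tells you to go online and register, and so on...
Evidently there is a hidden check earlier on. Comparing snapshots with Regshot shows that under
[HKEY_LOCAL_MACHINE\Software\NEMS\vTuner]
the value changed from
"eDate"="06/23/2002 8:30:13 PM" -> to "WWeWantToGetYouLikeACrackDealerWould"
Obviously, this is the expiry marker value in the registry.
Disassemble with W32dasm and search for that string; three occurrences are found in total. By setting breakpoints, it is not hard to find this spot: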
:004B51C9 8B55A0                  mov edx, dword ptr [ebp-60]   <-----eDate value string from the registry
:004B51CC 52                      push edx   <---------pushed onto the stack
* Possible StringData Ref from Code Obj ->"WWeWantToGetYouLikeACrackDealerWould"
                                  |
:004B51CD 6844754500              push 00457544   <-----the expiry marker string
* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
                                  |
:004B51D2 FF1588C47D00            Call dword ptr [007DC488]   <-----CALL that compares the two strings;
                                                              EAX=FFFFFFFF if they differ, otherwise EAX=0
:004B51D8 8BF0                    mov esi, eax
:004B51DA F7DE                    neg esi
:004B51DC 1BF6                    sbb esi, esi
:004B51DE F7DE                    neg esi   <--------ESI=1 when the strings differ; otherwise ESI=0
:004B51E0 8B45A0                  mov eax, dword ptr [ebp-60]   <-------still the expiry marker string
:004B51E3 50                      push eax
:004B51E4 68B00E4500              push 00450EB0   <-------d 450EB0 and take a look!
* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
                                  |
:004B51E9 FF1588C47D00            Call dword ptr [007DC488]   <-----another comparison of two strings;
                                                              EAX=1 if the eDate value is not empty; otherwise EAX=0
:004B51EF F7D8                    neg eax
:004B51F1 1BC0                    sbb eax, eax
:004B51F3 F7D8                    neg eax
:004B51F5 23F0                    and esi, eax   <-------AND ESI with EAX to get the flag in ESI
:004B51F7 85F6                    test esi, esi
:004B51F9 0F8554020000            jne 004B5453   <-------should jump if everything is correct!
:004B51FF C745FC18000000          mov [ebp-04], 00000018
:004B5206 8B4DA0                  mov ecx, dword ptr [ebp-60]
:004B5209 51                      push ecx
:004B520A 68B00E4500              push 00450EB0
* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
                                  |
:004B520F FF1588C47D00            Call dword ptr [007DC488]
:004B5215 85C0                    test eax, eax
:004B5217 0F85BB000000            jne 004B52D8   <-------should jump here if expired!
:004B521D C745FC19000000          mov [ebp-04], 00000019   <-------if the eDate value is empty,
                                                           execution continues downward from here...
:004B5224 66C78510FFFFFFFFFF      mov word ptr [ebp+FFFFFF10], FFFF
* Possible StringData Ref from Code Obj ->"WWeWantToGetYouLikeACrackDealerWould"
                                  |
:004B522D BA44754500              mov edx, 00457544
:004B5232 8D8D78FFFFFF            lea ecx, dword ptr [ebp+FFFFFF78]
* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
                                  |
:004B5238 FF15DCC57D00            Call dword ptr [007DC5DC]
* Possible StringData Ref from Code Obj ->"eeDate"
                                  |
:004B523E BA34754500              mov edx, 00457534
:004B5243 8D8D7CFFFFFF            lea ecx, dword ptr [ebp+FFFFFF7C]
* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
                                  |
:004B5249 FF15DCC57D00            Call dword ptr [007DC5DC]
* Possible StringData Ref from Code Obj ->"SSOFTWARE\nems\vTuner"   <-------see the author's intent now?!
                                  |
:004B524F BAA8334500              mov edx, 004533A8
:004B5254 8D4D80                  lea ecx, dword ptr [ebp-80]
*****************
4) Look at the code reached by the jump from 004B51F9 --------->
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B51F9(C)
|
:004B5453 C745FC24000000          mov [ebp-04], 00000024
:004B545A 6A09                    push 00000009
:004B545C 8B45A0                  mov eax, dword ptr [ebp-60]   <-----eDate value from the registry
:004B545F 50                      push eax
* Reference To: MSVBVM50.rtcLeftCharBstr, Ord:0268h
                                  |
:004B5460 FF1538C67D00            Call dword ptr [007DC638]
:004B5466 8BD0                    mov edx, eax
:004B5468 8D4D80                  lea ecx, dword ptr [ebp-80]
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
                                  |
:004B546B FF1554C67D00            Call dword ptr [007DC654]
:004B5471 50                      push eax   <-----eDate value from the registry
* Possible StringData Ref from Code Obj ->"ssetupdate"   <------I can't figure out what the author intended here
                                  |
:004B5472 68B0754500              push 004575B0
* Reference To: MSVBVM50.__vbaStrTextCmp, Ord:0000h
                                  |
:004B5477 FF1588C47D00            Call dword ptr [007DC488]   <-----compares the registry eDate value with the string "setupdate";
                                                              EAX=FFFFFFFF if they differ, otherwise EAX=0
:004B547D F7D8                    neg eax
:004B547F 1BC0                    sbb eax, eax
:004B5481 40                      inc eax
:004B5482 F7D8                    neg eax
:004B5484 66898508FFFFFF          mov word ptr [ebp+FFFFFF08], ax   <-----the ax value is stored
:004B548B 8D4D80                  lea ecx, dword ptr [ebp-80]
* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
                                  |
:004B548E FF15A4C67D00            Call dword ptr [007DC6A4]
:004B5494 0FBF8D08FFFFFF          movsx ecx, word ptr [ebp+FFFFFF08]
:004B549B 85C9                    test ecx, ecx
:004B549D 0F84CE010000            je 004B5671   // b489d <-----don't jump here!!
:004B54A3 C745FC25000000          mov [ebp-04], 00000025
Keep going down from here and you reach Rome... ^_^
....
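Change 004B549D/offset: B489D so that it does not jump, or change the eDate value to "setupdate" ************ Patch two
=> Haha, done!
If you want a complete registration, see the sequel -->
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(To be continued)...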
- Title: Cracking vTuner Plus 3.0 Online Registration, Method 1: Patching (7,000 characters)
- Author: moonlite
- Time: 2002-6-16 14:43:12
- Link: http://bbs.pediy.com
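The listings in this post contain two branch-free sequences that turn a __vbaStrTextCmp result into a boolean: neg/sbb/neg after the first two compares, and neg/sbb/inc/neg before the 16-bit store at 004B5484. As an added example (not part of the original post; the function names are hypothetical), this C model steps through both with an explicit carry flag so the resulting values can be checked:

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal model of one 32-bit register plus the carry flag. */
typedef struct { uint32_t reg; int cf; } cpu_t;

/* NEG r: r = 0 - r; CF is set unless the operand was zero. */
static void op_neg(cpu_t *c) { c->cf = (c->reg != 0); c->reg = 0u - c->reg; }

/* SBB r, r: r = r - r - CF, i.e. 0 or 0xFFFFFFFF; CF keeps its value. */
static void op_sbb_self(cpu_t *c) { c->reg = 0u - (uint32_t)c->cf; }

/* neg / sbb / neg: 1 if the compare result was non-zero, else 0. */
uint32_t idiom_nonzero(uint32_t cmp_result) {
    cpu_t c = { cmp_result, 0 };
    op_neg(&c); op_sbb_self(&c); op_neg(&c);
    return c.reg;
}

/* neg / sbb / inc / neg followed by a store of AX:
   0xFFFF (Visual Basic True) if the compare result was zero, else 0. */
uint16_t idiom_vb_equal(uint32_t cmp_result) {
    cpu_t c = { cmp_result, 0 };
    op_neg(&c); op_sbb_self(&c);
    c.reg += 1;                 /* inc eax */
    op_neg(&c);
    return (uint16_t)c.reg;     /* mov word ptr [...], ax */
}

/* movsx ecx, word ptr [...]: sign-extend the stored 16-bit boolean. */
int32_t movsx16(uint16_t w) { return (int32_t)(int16_t)w; }

int main(void) {
    /* Constructed inputs: zero, a positive and an all-ones compare result. */
    uint32_t samples[] = { 0x00000000u, 0x00000001u, 0xFFFFFFFFu };
    for (int i = 0; i < 3; i++) {
        uint16_t b = idiom_vb_equal(samples[i]);
        printf("cmp=%08X nonzero=%u vb_equal=%04X movsx=%d\n",
               (unsigned)samples[i], (unsigned)idiom_nonzero(samples[i]),
               (unsigned)b, (int)movsx16(b));
    }
    return 0;
}
```
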