Author: Sun Bird [CCG] (I, Sun Bird, belong to the cracking group China Cracking Group ^_^)
Date: 22 March 2000
An expert has already published on the net a method of using FileMon to trace and register WinBoost 2000 Gold; the idea is ingenious and the method simple, truly admirable! My own feeling is that being able to register with such a simple method must be an oversight in WinBoost 2000 Gold. The well-known foreign cracker LW2000 also wrote up the same simple method of tracing with FileMon and registering successfully. It seems that, at home or abroad, crackers are all one family ^_^
But many friends would like to use SoftICE to trace out the real registration code of WinBoost 2000 Gold, and as it happens LW2000 also wrote this tutorial. So let me translate it with my clumsy English and poor Chinese (the unimportant parts are omitted, because I can only type with full pinyin...).
I must state that I have not installed WinBoost 2000 Gold, so the translation may contain errors, but what matters is the idea and the technique, so please bear with it ^_^
Name : WinBoost 2000 Gold
Version : generic
Editor : Magellass
s/n saved : win.ini (the registration code is stored in win.ini)
Tools : Softice & Brain
Cracker : LW2000 (apparently a member of the well-known international cracking group Phrozen Crew or CiA)
Translator : Sun Bird [CCG] (which just means a member of China Cracking Group ^_^)
Date : 16 March 2000 ("3.15", Consumer Rights Day, has just passed; alas, we poor consumers strongly demand that the telecom authority raise speeds and cut prices!)
---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---
(1) Mhmm... Enter the following registration details:
User Name: LW2000
WB98 Registration Code: 1239900
WB2000 Registration Code: 1230099
I always try to break on GetDlgItemTextA and GetWindowTextA; you should do the same... it saves a lot of time =)
Try to validate the code.
*BOOM* SoftICE pops up and the program is interrupted.
We'll have to hit F12 about 13 times till we reach a useful piece of code:
.004D33D9: 8B80C8020000   mov eax,[eax][0000002C8]
.004D33DF: E88CB9F5FF     call .00042ED70
.004D33E4: 8D55F0         lea edx,[ebp][-0010] <-
.004D33E7: 8B45FC         mov eax,[ebp][-0004]
.004D33EA: 8B80D8020000   mov eax,[eax][0000002D8]
.004D33F0: E87BB9F5FF     call .00042ED70
.004D33F5: 8D55EC         lea edx,[ebp][-0014]
.004D33F8: 8B45FC         mov eax,[ebp][-0004]
.004D33FB: 8B80CC020000   mov eax,[eax][0000002CC]
.004D3401: E86AB9F5FF     call .00042ED70
.004D3406: 8D45F4         lea eax,[ebp][-000C]
.004D3409: 8B55EC         mov edx,[ebp][-0014]
.004D340C: E81B07F3FF     call .000403B2C
.004D3411: 8B55F8         mov edx,[ebp][-0008]
.004D3414: 8B45FC         mov eax,[ebp][-0004]
.004D3417: E8F8FCFFFF     call .0004D3114
.004D341C: 8D55E0         lea edx,[ebp][-0020]
.004D341F: E83C4DF3FF     call .000408160
.004D3424: 33C0           xor eax,eax
.004D3426: 5A             pop edx
.004D3427: 59             pop ecx
.004D3428: 59             pop ecx
.004D3429: 648910         mov fs:[eax],edx
.004D342C: 686E3F4D00     push 0004D3F6E
.004D3431: 837DF000       cmp d,[ebp][-0010],000
.004D3435: 0F84F7090000   je .0004D3E32
(2) Only bullshit, because we don't want to write a keygen, we only want to have one serial ...
.004D343B: 8B45F0         mov eax,[ebp][-0010] <- WB98 key (the WB98 code we entered)
.004D343E: 8B55E0         mov edx,[ebp][-0020] <- correct key
.004D3441: E8DA09F3FF     call .000403E20 <- compare string (compares the codes)
.004D3446: 0F851F010000   jne .0004D356B
There are about 17 more checks after this. The checked keys will not work, because Magellass has found them on the Web! (Translation: the code is checked here; more than 17 codes that can be found on the net will not work!)
(3) Mhmm... great! Then just step until you are at .004D3441. Then type 'd edx', write your key down and set a bpx on it.
Ok.. let's type the new key as the WB98 code (re-enter the correct WB98 code)...
Back in SoftICE we step through the next code:
.004D35DB: 8B45EC         mov eax,[ebp][-0014] <-- WB2K key (the WB2K code we entered)
.004D35DE: E82D07F3FF     call .000403D10
.004D35E3: 83F814         cmp eax,014 <-- length
.004D35E6: 0F8E5A030000   jle .0004D3946
(4) Mhmm.. does that mean we must have 14h (= 20) or more characters? Maybe, but let the jump happen ...
.004D3946: 8D45E8         lea eax,[ebp][-0018]
.004D3949: 8B55EC         mov edx,[ebp][-0014]
.004D394C: E8DB01F3FF     call .000403B2C
.004D3951: 8B45EC         mov eax,[ebp][-0014]
.004D3954: E8B703F3FF     call .000403D10
.004D3959: 83F817         cmp eax,017 <-- length
.004D395C: 0F8EEA030000   jle .0004D3D4C
(5) Next check.. this time with 17h (= 23) or more chars? Let it be ... trace on with F10
.004D3D4C: 8D45E4         lea eax,[ebp][-001C]
.004D3D4F: 8B55EC         mov edx,[ebp][-0014]
.004D3D52: E8D5FDF2FF     call .000403B2C
.004D3D57: 33DB           xor ebx,ebx
.004D3D59: 8D4DDC         lea ecx,[ebp][-0024]
.004D3D5C: 0FBFF3         movsx esi,bx
.004D3D5F: 8BD6           mov edx,esi
.004D3D61: A110684D00     mov eax,[0004D6810]
.004D3D66: 8B00           mov eax,[eax]
.004D3D68: 8B8054020000   mov eax,[eax][000000254]
.004D3D6E: 8B4024         mov eax,[eax][00024]
.004D3D71: 8B38           mov edi,[eax]
.004D3D73: FF570C         call d,[edi][0000C]
.004D3D76: 8B55DC         mov edx,[ebp][-0024] <-- our key (the code we entered)
.004D3D79: 8B45E4         mov eax,[ebp][-001C] <-- a key (a correct code)
.004D3D7C: E89F00F3FF     call .000403E20 <-- compare
.004D3D81: 7427           je .0004D3DAA
.004D3D83: 8D4DDC         lea ecx,[ebp][-0024]
(6) *g* 'd eax' ... so just write the key down. Let's try it!
Congratulations! You are a registered user.
FINISH! Easy, or?
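Both checks traced above end in a plain string compare of the typed code against an expected key the program has just built in memory, which is why dumping the register at the compare is enough. As an added example that is not LW2000's or Magellass's code, the C below puts that weak shape beside a form that stores only a digest of the valid key and compares it in constant time; derive_expected_key (a constructed toy rule, not WinBoost's real routine), fnv1a64 and ct_eq64 are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy derivation, NOT WinBoost's real routine: seven decimal
   digits from a running hash of the user name, standing in for the
   name -> expected-key code the tutorial steps over. */
static void derive_expected_key(const char *name, char out[8]) {
    uint32_t acc = 7;
    for (const char *p = name; *p; p++)
        acc = acc * 31u + (unsigned char)*p;
    snprintf(out, 8, "%07u", (unsigned)(acc % 10000000u));
}

/* Weak check, the shape seen at .004D3441 and .004D3D7C: the expected key
   is built inside the client and string-compared with the typed one, so
   the valid key is sitting in memory at the moment of the compare. */
int weak_check(const char *name, const char *entered) {
    char expected[8];
    derive_expected_key(name, expected);
    return strcmp(entered, expected) == 0;
}

/* 64-bit FNV-1a, a stand-in here for a real cryptographic hash. */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        h ^= *p;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constant-time 64-bit equality: no early exit on the first differing bit. */
int ct_eq64(uint64_t a, uint64_t b) {
    uint64_t x = a ^ b;
    x |= x >> 32; x |= x >> 16; x |= x >> 8;
    x |= x >> 4;  x |= x >> 2;  x |= x >> 1;
    return (int)(1u - (unsigned)(x & 1u));
}

/* Hardened check: the client holds only a digest of the valid key, so a
   breakpoint on the compare shows the digest, never the key itself. A
   shipped product would use a cryptographic hash or verify a signed licence. */
int hardened_check(const char *entered, uint64_t stored_digest) {
    return ct_eq64(fnv1a64(entered), stored_digest);
}
```

The digest form still leaves the check patchable in the binary, so it raises the bar against memory dumping rather than against a debugger altogether.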