Cracking in Practice (3): WinZip 8.0
Software: WinZip 8.0
Description: a powerful and easy-to-use compression utility (30-day trial).
Date cracked: July 15, 2000
Cracking tool: Trw2000 1.22
Purpose: to learn how registration codes are cracked.
Notes:
This article was compiled from my software cracking notes, so it contains no registration codes and is intended only for technical exchange. If there are any oversights, I welcome corrections from the experts!
First, load WinZip 8.0 in Trw2000.
Enter the registration information:
name: xiA Qin (any value will do)
register key: 1949101 (any value will do)
Enter the command bpx hmemcpy // set a breakpoint on hmemcpy
Press F5 to return to the program and click OK; Trw2000 intercepts the call.
Enter the command bd * // disable all breakpoints
Enter the command pmodule // jump straight into the program's own code
I. Press F10 until you reach the following instructions:
015F:00407F73 PUSH EDI
015F:00407F74 CALL 0043F89A
015F:00407F79 PUSH EDI
015F:00407F7A CALL 0043F8C3
015F:00407F7F POP ECX
015F:00407F80 MOV ESI,0048CDA4
015F:00407F85 POP ECX
015F:00407F86 PUSH BYTE +0B
015F:00407F88 PUSH ESI
015F:00407F89 PUSH DWORD 0C81
015F:00407F8E PUSH EBX
015F:00407F8F CALL `USER32!GetDlgItemTextA`
015F:00407F95 PUSH ESI
015F:00407F96 CALL 0043F89A
015F:00407F9B PUSH ESI
015F:00407F9C CALL 0043F8C3
015F:00407FA1 CMP BYTE [0048CD78],00
015F:00407FA8 POP ECX
015F:00407FA9 POP ECX
015F:00407FAA JZ 00408005
015F:00407FAC CMP BYTE [0048CDA4],00
015F:00407FB3 JZ 00408005
015F:00407FB5 CALL 004079D5
// The key CALL. This is the suspicious one; press F8 to step into it.
015F:00407FBA TEST EAX,EAX
// Looks familiar, doesn't it?
015F:00407FBC JZ 00408005
// If the registration codes do not match, jump to 00408005.
1. Press F8 to step into the CALL at 00407FB5.
015F:00407A7C JZ 00407A91
015F:00407A7E CALL 004082A6
015F:00407A83 AND DWORD [00489FDC],BYTE +00
015F:00407A8A XOR EAX,EAX
015F:00407A8C JMP 00407B42
015F:00407A91 LEA EAX,[EBP+FFFFFEC0]
015F:00407A97 PUSH EAX
015F:00407A98 PUSH EDI
015F:00407A99 CALL 00407B47
015F:00407A9E MOV ESI,0048CDA4
015F:00407AA3 LEA EAX,[EBP+FFFFFEC0]
// Enter D ESI to display the registration code you typed in.
015F:00407AA9 PUSH ESI
// Enter D EAX to display the real registration code.
015F:00407AAA PUSH EAX
015F:00407AAB CALL 004692D0
015F:00407AB0 ADD ESP,BYTE +10
015F:00407AB3 NEG EAX
015F:00407AB5 SBB EAX,EAX
015F:00407AB7 INC EAX
015F:00407AB8 MOV [00489FDC],EAX
015F:00407ABD JNZ 00407B27
015F:00407ABF LEA EAX,[EBP+FFFFFEC0]
// Enter D EAX to display the real registration code.
015F:00407AC5 PUSH EAX
015F:00407AC6 PUSH EDI
015F:00407AC7 CALL 00407BE4
015F:00407ACC LEA EAX,[EBP+FFFFFEC0]
// Enter D EAX to display the real registration code (different from the one above).
015F:00407AD2 PUSH ESI
// Enter D ESI to display the registration code you typed in.
015F:00407AD3 PUSH EAX
015F:00407AD4 CALL 004692D0
015F:00407AD9 ADD ESP,BYTE +10
015F:00407ADC NEG EAX
015F:00407ADE SBB EAX,EAX
015F:00407AE0 INC EAX
015F:00407AE1 MOV [00489FDC],EAX
015F:00407AE6 JNZ 00407B27
015F:00407AE8 LEA EAX,[EBP+FFFFFEC4]
015F:00407AEE PUSH BYTE +04
015F:00407AF0 PUSH EAX
015F:00407AF1 PUSH ESI
015F:00407AF2 CALL 004696C0
015F:00407AF7 ADD ESP,BYTE +0C
015F:00407AFA TEST EAX,EAX
015F:00407AFC JNZ 00407B20
015F:00407AFE LEA EAX,[EBP+FFFFFEC0]
015F:00407B04 PUSH BYTE +04
015F:00407B06 PUSH EAX
015F:00407B07 PUSH DWORD 0048CDA8
015F:00407B0C CALL 004696C0
015F:00407B11 ADD ESP,BYTE +0C
015F:00407B14 TEST EAX,EAX
015F:00407B16 JNZ 00407B20
015F:00407B18 MOV [00489FDC],EBX
015F:00407B1E JMP SHORT 00407B27
015F:00407B20 AND DWORD [00489FDC],BYTE +00
015F:00407B27 PUSH DWORD 012C
015F:00407B2C LEA EAX,[EBP+FFFFFEC0]
015F:00407B32 PUSH BYTE +00
// Enter D EAX to display the real registration code.
015F:00407B34 PUSH EAX
015F:00407B35 CALL 00467C10
015F:00407B3A MOV EAX,[00489FDC]
015F:00407B3F ADD ESP,BYTE +0C
015F:00407B42 POP EDI
015F:00407B43 POP ESI
015F:00407B44 POP EBX
.......................................
015F:00407FBE PUSH EDI
015F:00407FBF MOV EDI,0047FFA4
015F:00407FC4 PUSH DWORD 0047DB24
015F:00407FC9 PUSH EDI
015F:00407FCA CALL 0043B5DA
015F:00407FCF PUSH ESI
015F:00407FD0 PUSH DWORD 0047E66C
015F:00407FD5 PUSH EDI
015F:00407FD6 CALL 0043B5DA
015F:00407FDB PUSH DWORD 0047FFC4
015F:00407FE0 PUSH BYTE +00
015F:00407FE2 PUSH BYTE +00
015F:00407FE4 PUSH DWORD 0047DB30
015F:00407FE9 CALL 0043B5C1
015F:00407FEE MOV EAX,[00487AF4]
015F:00407FF3 ADD ESP,BYTE +28
015F:00407FF6 TEST EAX,EAX
015F:00407FF8 JZ 00408001
015F:00407FFA PUSH EAX
015F:00407FFB CALL `GDI32!DeleteObject`
015F:00408001 PUSH BYTE +01
015F:00408003 JMP SHORT 00408035
015F:00408005 CALL 004082A6
015F:0040800A PUSH DWORD 028E
015F:0040800F CALL 0043F5ED
015F:00408014 PUSH EAX
015F:00408015 PUSH EBX
015F:00408016 PUSH BYTE +3D
015F:00408018 CALL 00430025
// It's game over here; look upward for a place where this CALL can be skipped.
Afterword:
The registration codes displayed at 00407AA3, 00407ABF/00407ACC, and 00407B2C are different, but all of them work.
Too easy! It took less than five minutes to crack. No wonder there is no WinZip 8.0 crack online; the experts don't stoop to "cracking" it. So it fell to me to crack it and write it up.
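As an added illustration that is not part of the original post and not WinZip's code, here is the branch structure of the routine at 004079D5 (traced above and discussed in the afterword) rewritten in C. It assumes 004692D0 and 004696C0 are strcmp- and strncmp-style compares, and replaces the two generators at 00407B47 and 00407BE4 with constructed stand-ins that are not WinZip's algorithms. It shows why three different codes are all accepted, and why the expected code is readable at every D EAX point: it sits in plaintext in the 0x12C-byte stack buffer until the final wipe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the generators called at 00407B47 and 00407BE4.
 * They are NOT WinZip's algorithms; any deterministic function of the name
 * is enough to show the control flow. */
static void gen_key_a(const char *name, char *out, size_t n) {
    uint32_t s = 7;
    for (const char *p = name; *p; p++) s = s * 31u + (unsigned char)*p;
    snprintf(out, n, "%08X", (unsigned)s);
}
static void gen_key_b(const char *name, char *out, size_t n) {
    uint32_t s = 13;
    for (const char *p = name; *p; p++) s = s * 17u + (unsigned char)*p;
    snprintf(out, n, "%08X", (unsigned)s);
}
/* NEG EAX / SBB EAX,EAX / INC EAX after the compare: 1 if it returned 0, else 0. */
static int eq_flag(int cmp) { return cmp == 0; }
/* Branch structure of CALL 004079D5 (simplified). buf plays the role of the
 * stack buffer at [EBP-140]; the compare callees are assumed to be
 * strcmp/strncmp-style, which the listing suggests but does not confirm. */
int check_key(const char *name, const char *entered, char *buf, size_t n) {
    gen_key_a(name, buf, n);                         /* CALL 00407B47 */
    int ok = eq_flag(strcmp(entered, buf));          /* CALL 004692D0 */
    if (!ok) {
        gen_key_b(name, buf, n);                     /* CALL 00407BE4 */
        ok = eq_flag(strcmp(entered, buf));          /* second CALL 004692D0 */
    }
    if (!ok && strlen(entered) >= 8 && strlen(buf) >= 8)
        /* third path: entered[0..3] vs buf[4..7], then entered[4..7] vs
         * buf[0..3] (the two CALL 004696C0 with count 4) */
        ok = memcmp(entered, buf + 4, 4) == 0 && memcmp(entered + 4, buf, 4) == 0;
    /* Until here the expected code sat in plaintext in buf, which is what the
     * D EAX dumps read; it is wiped only now (CALL 00467C10, 0x12C bytes). */
    memset(buf, 0, n);
    return ok;
}
/* Demo cases: 0 = wrong code, 1 = code A, 2 = code B, 3 = halves of code B swapped. */
int demo_paths(const char *name, int which) {
    char k[16], cand[16], buf[300];                  /* 300 == 0x12C */
    if (which == 2 || which == 3) gen_key_b(name, k, sizeof k);
    else gen_key_a(name, k, sizeof k);
    if (which == 0) strcpy(cand, "ZZZZZZZZ");        /* hex output never contains Z */
    else if (which == 3) { memcpy(cand, k + 4, 4); memcpy(cand + 4, k, 4); cand[8] = 0; }
    else strcpy(cand, k);
    int ok = check_key(name, cand, buf, sizeof buf);
    return buf[0] == 0 ? ok : -1;                    /* -1: expected code was not wiped */
}
```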
- Title: Cracking in Practice (3): WinZip 8.0 (about 5,000 characters)
- Author: xiA Qin
- Date: 2000-7-17 13:27:30
- Link: http://bbs.pediy.com