Cracking Notes (6): 1toX 1.63
Software: 1toX 1.63 --> (30-day trial)
Description: file splitting tool; supports CRC checking, password protection, drag-and-drop, etc.
Author: xiA Qin
Level: beginner (only started learning recently)
Date cracked: 19 July 2000
Tool: Trw2000 1.22
Purpose: to learn how registration-code checks are cracked. (Easy)
Notes:
This article was put together from my own cracking notes, so it contains no registration codes at all; it is for technical exchange only. If there are any mistakes, I ask the experts to correct me!
First run 1toX 1.63 and enter the registration information:
name: xiA Qin (or anything at all)
First Name: china (or anything at all)
register key: 9876543210 (or anything at all)
Enter the command bpx hmemcpy // set a breakpoint
Press F5 to return to the program and click OK; Trw2000 now intercepts it.
Enter the command bd * // disable the breakpoints
Enter the command pmodule // jump straight into the program's own code
Press F10 until you reach the following instructions
...............
015F:00408E9F LEA EAX,[ESP+14]
// load name, <<- here it is "xiA Qin"
015F:00408EA3 LEA ECX,[ESP+68]
// load First name, <<- here it is "china"
015F:00408EA7 PUSH EAX
015F:00408EA8 PUSH DWORD 00426464
015F:00408EAD PUSH ECX
015F:00408EAE LEA EDX,[ESP+06B8]
015F:00408EB5 PUSH DWORD 004272A4
015F:00408EBA PUSH EDX
015F:00408EBB CALL EBX
015F:00408EBD LEA EDI,[ESP+06C0]
015F:00408EC4 OR ECX,BYTE -01
015F:00408EC7 XOR EAX,EAX
015F:00408EC9 ADD ESP,BYTE +14
015F:00408ECC REPNE SCASB
015F:00408ECE NOT ECX
015F:00408ED0 SUB EDI,ECX
015F:00408ED2 LEA EDX,[ESP+0294]
015F:00408ED9 MOV EAX,ECX
015F:00408EDB MOV ESI,EDI
015F:00408EDD MOV EDI,EDX
015F:00408EDF SHR ECX,02
015F:00408EE2 REP MOVSD
015F:00408EE4 MOV ECX,EAX
015F:00408EE6 LEA EAX,[ESP+0294]
015F:00408EED AND ECX,BYTE +03
015F:00408EF0 REP MOVSB
015F:00408EF2 MOV CL,[ESP+0294]
015F:00408EF9 TEST CL,CL
015F:00408EFB JZ 00408F1C
015F:00408EFD CMP BYTE [EAX],5F          <--|
015F:00408F00 JNZ 00408F05                 | this loop computes the
015F:00408F02 MOV BYTE [EAX],20            | registration code from
015F:00408F05 MOVSX ECX,BYTE [EAX]         | First name+1toX+name
015F:00408F08 XOR ECX,[ESP+10]             |
015F:00408F0C XOR ECX,13579ACE             |
015F:00408F12 INC EAX                      |
015F:00408F13 MOV [ESP+10],ECX             |
015F:00408F17 CMP BYTE [EAX],00            |
015F:00408F1A JNZ 00408EFD               <--|
015F:00408F1C MOV EAX,[ESP+10]
015F:00408F20 LEA EDX,[ESP+BC]
// the register key we entered, 9876543210
015F:00408F27 XOR EAX,2468BDF0
015F:00408F2C PUSH EDX
015F:00408F2D MOV [0042A698],EAX
015F:00408F32 CALL 00418F27
015F:00408F37 MOV ECX,[0042A698]
015F:00408F3D ADD ESP,BYTE +04
015F:00408F40 CMP EAX,ECX
// compare the registration codes
015F:00408F42 JZ 00408F72
// if the codes are equal, jump to 00408F72
015F:00408F44 PUSH BYTE +10
015F:00408F46 PUSH DWORD 004272FC
015F:00408F4B PUSH DWORD 00427254
015F:00408F50 PUSH EBP
015F:00408F51 CALL `USER32!MessageBoxA`
// the "registration failed" dialog
015F:00408F57 PUSH BYTE +01
015F:00408F59 PUSH EBP
015F:00408F5A CALL `USER32!EndDialog`
015F:00408F60 MOV EAX,01
015F:00408F65 POP EDI
015F:00408F66 POP ESI
015F:00408F67 POP EBP
015F:00408F68 POP EBX
015F:00408F69 ADD ESP,089C
................................
From the above we can see:
change 00408F42 742E JZ 00408F72
to 00408F42 752E JNZ 00408F72
and it registers.
To sum up: open 1toX.exe in UltraEdit,
find 74 2E 6A 10 68
and change it to 75 2E 6A 10 68.
Save the modified file and run it again.
Enter the registration information; now anything you type will do.
name: (anything at all)
First Name: (anything at all)
register key: (anything at all)
Postscript:
1toX 1.63 decides whether the program is registered by reading the file 1toXe.cnt in the installation directory. If 1toXe.cnt is deleted, 1toX 1.63 becomes the unregistered version again.
- Title: Cracking Notes (6): 1toX 1.63 (6k characters)
- Author: xiA Qin
- Date: 2000-7-20 11:27:47
- Link: http://bbs.pediy.com