菜鸟破解录(19)之 XMLwriter 1.21
软件名称: XMLwriter
软件版本: 1.21
软件下载: http://xmlwriter.net/
软件简介: 支持XML、XSL、DTD、CSS、HTML和普通文本文件的编辑器,其功能有:预览窗口、XML帮助、语法加亮等。
作 者:xiA Qin
级 别:刚学不久
解密日前:2000年8月5日
解密工具:Trw2000 1.22
破解目的:学习注册码的破解。(简单)
说 明:
本文是在我的软件破解记录上整理出来的。如若有纰漏,请各位大侠多指教!
首先运行XMLwriter
输入注册信息
Name: xiA Qin &任意输入
SN: 1234567890 &任意输入
下指令bpx hmemcpy //下中断点
按F5回到程序,按确定,这时会被Trw2000拦截到。
下指令bd * //屏障中断点
下指令pmodule //直接跳到程序的领空
按F10来到下面指令
...............
015F:0042ADB7 CALL 004DC849
015F:0042ADBC MOV EBP,[EAX+04]
015F:0042ADBF PUSH ECX
015F:0042ADC0 LEA EBX,[EDI+0000011C]
//输入的姓名
015F:0042ADC6 MOV ECX,ESP
015F:0042ADC8 MOV [ESP+14],ESP
015F:0042ADCC PUSH EBX
015F:0042ADCD CALL 004B7535
015F:0042ADD2 LEA ESI,[EBP+000000C0]
015F:0042ADD8 PUSH 4C
015F:0042ADDA MOV ECX,ESI
015F:0042ADDC CALL 0044E240
015F:0042ADE1 PUSH ECX
015F:0042ADE2 LEA EAX,[EDI+00000120]
//输入的注册码
015F:0042ADE8 MOV ECX,ESP
015F:0042ADEA MOV [ESP+14],ESP
015F:0042ADEE PUSH EAX
015F:0042ADEF CALL 004B7535
015F:0042ADF4 PUSH 4D
015F:0042ADF6 MOV ECX,ESI
015F:0042ADF8 CALL 0044E240
015F:0042ADFD MOV ECX,EBP
015F:0042ADFF CALL 00448240 //注册码运算子程序。按F8进入
015F:0042AE04 TEST EAX,EAX
015F:0042AE06 JZ 0042AE23
//注册码比较。
.............................
按F8进入0042ADFF CALL 00448240
按F10来到下面指令
015F:00448240 PUSH FF
015F:00448242 PUSH 004ECA42
015F:00448247 MOV EAX,FS:[00000000]
015F:0044824D PUSH EAX
015F:0044824E MOV FS:[00000000],ESP
015F:00448255 SUB ESP,1C
015F:00448258 PUSH EBX
015F:00448259 PUSH ESI
015F:0044825A LEA EAX,[ESP+18]
015F:0044825E PUSH 4C
015F:00448260 MOV ESI,ECX
015F:00448262 PUSH EAX
015F:00448263 CALL 004435B0
015F:00448268 LEA ECX,[ESP+14]
015F:0044826C PUSH 4D
015F:0044826E XOR EBX,EBX
015F:00448270 PUSH ECX
015F:00448271 MOV ECX,ESI
015F:00448273 MOV [ESP+34],EBX
015F:00448277 CALL 004435B0
015F:0044827C PUSH 0052FB20
015F:00448281 PUSH 005286A0
015F:00448286 LEA ECX,[ESP+1C]
015F:0044828A MOV BYTE PTR [ESP+34],01
015F:0044828F CALL 004AE937
015F:00448294 MOV EDX,[0052D034]
015F:0044829A MOV [ESP+08],EDX
015F:0044829E PUSH ECX
015F:0044829F LEA EAX,[ESP+1C]
015F:004482A3 MOV ECX,ESP
015F:004482A5 MOV [ESP+20],ESP
015F:004482A9 PUSH EAX
015F:004482AA MOV BYTE PTR [ESP+34],02
015F:004482AF CALL 004B7535
015F:004482B4 MOV ECX,ESI
015F:004482B6 CALL 00448B10
015F:004482BB MOV [ESP+1C],EAX
015F:004482BF MOV [ESP+20],EBX
015F:004482C3 FILD QWORD PTR [ESP+1C]
015F:004482C7 FMUL REAL8 PTR [004FC170]
015F:004482CD FSTP REAL8 PTR [ESP+1C]
015F:004482D1 MOV ECX,[ESP+20]
015F:004482D5 MOV EDX,[ESP+1C]
015F:004482D9 PUSH ECX
015F:004482DA PUSH EDX
015F:004482DB CALL 0049E4DB
015F:004482E0 FSUBR REAL8 PTR [ESP+24]
015F:004482E4 FMUL REAL8 PTR [004FC168]
015F:004482EA FSTP REAL8 PTR [ESP]
015F:004482ED CALL 0049E4DB
015F:004482F2 CALL 0049E4B4
015F:004482F7 PUSH EAX
015F:004482F8 LEA EAX,[ESP+14]
015F:004482FC PUSH 0052869C
015F:00448301 PUSH EAX
015F:00448302 CALL 004AF06B
015F:00448307 MOV ECX,[ESP+1C]
//注册码的前面部分 D ECX
015F:0044830B ADD ESP,14
015F:0044830E MOV EAX,[ECX-08]
015F:00448311 CMP EAX,0A
015F:00448314 JGE 0044832E
015F:00448316 PUSH 00522B28
015F:0044831B LEA ECX,[ESP+0C]
015F:0044831F CALL 004B7B9C
015F:00448324 MOV EDX,[ESP+08]
015F:00448328 CMP DWORD PTR [EDX-08],0A
015F:0044832C JL 00448316
015F:0044832E PUSH ECX
015F:0044832F LEA EAX,[ESP+0C]
015F:00448333 MOV ECX,ESP
015F:00448335 MOV [ESP+20],ESP
015F:00448339 PUSH EAX
015F:0044833A CALL 004B7535
015F:0044833F MOV ECX,ESI
015F:00448341 CALL 00448CB0
015F:00448346 XOR EDX,EDX
015F:00448348 MOV ECX,00000064
015F:0044834D DIV ECX
015F:0044834F MOV EAX,[0052D034]
015F:00448354 MOV [ESP+10],EAX
015F:00448358 PUSH EDX
015F:00448359 LEA ECX,[ESP+14]
015F:0044835D PUSH 0052869C
015F:00448362 PUSH ECX
015F:00448363 MOV BYTE PTR [ESP+38],03
015F:00448368 CALL 004AF06B
015F:0044836D MOV EAX,[ESI+1C]
015F:00448370 ADD ESP,0C
015F:00448373 CMP EAX,EBX
015F:00448375 JNZ 004483A4
015F:00448377 PUSH 00002094
015F:0044837C CALL 004B7E4E
015F:00448381 ADD ESP,04
015F:00448384 MOV [ESP+1C],EAX
015F:00448388 CMP EAX,EBX
015F:0044838A MOV BYTE PTR [ESP+2C],04
015F:0044838F JZ 0044839A
015F:00448391 MOV ECX,EAX
015F:00448393 CALL 00418FF0
015F:00448398 JMP 0044839C
015F:0044839A XOR EAX,EAX
015F:0044839C MOV BYTE PTR [ESP+2C],03
015F:004483A1 MOV [ESI+1C],EAX
015F:004483A4 MOV EDX,[ESP+10]
015F:004483A8 MOV ESI,00000002
//注册码的后面两位。D ECX
015F:004483AD CMP [EDX-08],ESI
015F:004483B0 JGE 004483C9
015F:004483B2 PUSH 00522B28
015F:004483B7 LEA ECX,[ESP+14]
015F:004483BB CALL 004B7B9C
015F:004483C0 MOV EAX,[ESP+10]
015F:004483C4 CMP [EAX-08],ESI
015F:004483C7 JL 004483B2
015F:004483C9 LEA ECX,[ESP+10]
015F:004483CD PUSH ECX
015F:004483CE LEA ECX,[ESP+0C]
015F:004483D2 CALL 004B7BD8
015F:004483D7 LEA EDX,[ESP+18]
015F:004483DB LEA ECX,[ESP+0C]
015F:004483DF PUSH EDX
015F:004483E0 CALL 004B7535
015F:004483E5 LEA ECX,[ESP+0C]
015F:004483E9 MOV BYTE PTR [ESP+2C],05
015F:004483EE CALL 004B7D39
015F:004483F3 PUSH 00528694
015F:004483F8 LEA ECX,[ESP+10]
015F:004483FC CALL 004AECE5
015F:00448401 TEST EAX,EAX
015F:00448403 JZ 004484DE
015F:00448409 PUSH 0052868C
015F:0044840E LEA ECX,[ESP+10]
015F:00448412 CALL 004AECE5
015F:00448417 TEST EAX,EAX
015F:00448419 JZ 004484DE
015F:0044841F PUSH 00528684
015F:00448424 LEA ECX,[ESP+10]
015F:00448428 CALL 004AECE5
015F:0044842D TEST EAX,EAX
015F:0044842F JZ 004484DE
015F:00448435 PUSH 00528678
015F:0044843A LEA ECX,[ESP+10]
015F:0044843E CALL 004AECE5
015F:00448443 TEST EAX,EAX
015F:00448445 JZ 004484DE
015F:0044844B MOV ESI,[ESP+14]
015F:0044844F MOV EAX,[ESP+08] //输入的注册码
D EAX
015F:00448453 MOV DL,[EAX]
//正确的注册码 D EAX
015F:00448455 MOV CL,DL
015F:00448457 CMP DL,[ESI]
015F:00448459 JNZ 00448477
015F:0044845B CMP CL,BL
015F:0044845D JZ 00448473
015F:0044845F MOV DL,[EAX+01]
015F:00448462 MOV CL,DL
015F:00448464 CMP DL,[ESI+01]
015F:00448467 JNZ 00448477
015F:00448469 ADD EAX,02
015F:0044846C ADD ESI,02
015F:0044846F CMP CL,BL
015F:00448471 JNZ 00448453
015F:00448473 XOR EAX,EAX
015F:00448475 JMP 0044847C
015F:00448477 SBB EAX,EAX
015F:00448479 SBB EAX,-01
015F:0044847C CMP EAX,EBX
015F:0044847E MOV BYTE PTR [ESP+2C],03
015F:00448483 LEA ECX,[ESP+0C]
015F:00448487 JNZ 004484E7
015F:00448489 CALL 004B77C0
015F:0044848E LEA ECX,[ESP+10]
015F:00448492 MOV BYTE PTR [ESP+2C],02
015F:00448497 CALL 004B77C0
015F:0044849C LEA ECX,[ESP+08]
015F:004484A0 MOV BYTE PTR [ESP+2C],01
015F:004484A5 CALL 004B77C0
015F:004484AA LEA ECX,[ESP+14]
015F:004484AE MOV [ESP+2C],BL
015F:004484B2 CALL 004B77C0
015F:004484B7 LEA ECX,[ESP+18]
015F:004484BB MOV DWORD PTR [ESP+2C],FFFFFFFF
015F:004484C3 CALL 004B77C0
015F:004484C8 MOV EAX,00000001
015F:004484CD MOV ECX,[ESP+24]
015F:004484D1 MOV FS:[00000000],ECX
015F:004484D8 POP ESI
015F:004484D9 POP EBX
015F:004484DA ADD ESP,28
015F:004484DD RET
............................
015F:0042AE08 MOV ECX,EDI
015F:0042AE0A CALL 004B369D
015F:0042AE0F PUSH 4C
015F:0042AE11 MOV ECX,ESI
015F:0042AE13 CALL 0044E3E0
015F:0042AE18 PUSH 4D
015F:0042AE1A MOV ECX,ESI
015F:0042AE1C CALL 0044E3E0
015F:0042AE21 JMP 0042AE95
015F:0042AE23 PUSH ECX
015F:0042AE24 LEA EAX,[EDI+00000120]
015F:0042AE2A MOV ECX,ESP
015F:0042AE2C MOV [ESP+14],ESP
015F:0042AE30 PUSH EAX
015F:0042AE31 CALL 004B7535
015F:0042AE36 PUSH ECX
015F:0042AE37 MOV BYTE PTR [ESP+28],01
015F:0042AE3C MOV ECX,ESP
015F:0042AE3E MOV [ESP+1C],ESP
015F:0042AE42 PUSH EBX
015F:0042AE43 CALL 004B7535
015F:0042AE48 MOV ECX,EBP
015F:0042AE4A MOV BYTE PTR [ESP+28],00
015F:0042AE4F CALL 00448540
//注册失败对话框
015F:0042AE54 TEST EAX,EAX
015F:0042AE56 JZ 0042AE61
015F:0042AE58 MOV ECX,EDI
015F:0042AE5A CALL 004B36B6
015F:0042AE5F JMP 0042AE95
整理一下,输入注册信息。
Name: xiA Qin
Serial Number: 397203763183
注册信息在注册表中
[HKEY_CURRENT_USER\Software\Wattle Software\XMLwriter 1.0\Preferences]
"RegName"="xiA Qin"
"RegNo"="397203763183"
- 标 题:菜鸟破解录(19)之 XMLwriter 1.21 (9千字)
- 作 者:xiA Qin
- 时 间:2000-8-8 17:12:53
- 链 接:http://bbs.pediy.com