献给初学者的KoolMoves V1.33(简单)
简介:和flash一样的动画软件(不错,比flash启动快多了)
下载地址:
现在我也是很少再破解软件了。毕竟没有时间了(学习要紧),现在又想玩动画,所以拿来试手,哈哈
!!!!!(可恶的记事本,颜色都没有!)!!!!!!!
欢迎光临:http://www.luosz.cn.gs
破解过程如下:
填入:gce (随便填)
1234567890(要10位,后5位可以随便填,看完就知道了,下面会分析的!)
使用bpx hmemcpy后拦下来,用pmodule+F10或F12 22下来到
:0048D757 8D8DE0FDFFFF lea ecx, dword
ptr [ebp+FFFFFDE0]
:0048D75D 51
push ecx
:0048D75E 8D4DEC
lea ecx, dword ptr [ebp-14]
:0048D761 E846E70500 call 004EBEAC
:0048D766 C745FC00000000 mov [ebp-04], 00000000
:0048D76D 6800020000 push 00000200
:0048D772 8D95E0FDFFFF lea edx, dword
ptr [ebp+FFFFFDE0]
:0048D778 52
push edx
:0048D779 8B8DBCFDFFFF mov ecx, dword
ptr [ebp+FFFFFDBC]
:0048D77F 81C198000000 add ecx, 00000098
:0048D785 E851310600 call 004F08DB
:0048D78A 8D85E0FDFFFF lea eax, dword
ptr [ebp+FFFFFDE0]
:0048D790 50
push eax
:0048D791 8D4DE8
lea ecx, dword ptr [ebp-18]
:0048D794 E813E70500 call 004EBEAC
:0048D799 C645FC01 mov
[ebp-04], 01
:0048D79D E8DE60F8FF call 00413880
:0048D7A2 8985D8FDFFFF mov dword ptr
[ebp+FFFFFDD8], eax
:0048D7A8 8D4DE4
lea ecx, dword ptr [ebp-1C]
:0048D7AB E8C046FAFF call 00431E70
:0048D7B0 C645FC02 mov
[ebp-04], 02
:0048D7B4 8D4DE8
lea ecx, dword ptr [ebp-18]
:0048D7B7 51
push ecx
:0048D7B8 8D4DE4
lea ecx, dword ptr [ebp-1C]
:0048D7BB E88B040000 call 0048DC4B
:0048D7C0 8985DCFDFFFF mov dword ptr
[ebp+FFFFFDDC], eax
:0048D7C6 83BDDCFDFFFF00 cmp dword ptr [ebp+FFFFFDDC],
00000000
:0048D7CD 0F8418010000 je 0048D8EB
:0048D8EB C745F000000000 mov [ebp-10], 00000000
:0048D8F2 8D45F0
lea eax, dword ptr [ebp-10]
:0048D8F5 50
push eax
:0048D8F6 8D4DE8
lea ecx, dword ptr [ebp-18]
:0048D8F9 51
push ecx
:0048D8FA 8D55EC
lea edx, dword ptr [ebp-14]
:0048D8FD 52
push edx
:0048D8FE 8D4DE4
lea ecx, dword ptr [ebp-1C]
:0048D901 E890040000 call 0048DD96
------------------可看出此call为比较注册码的地方
:0048D906 8945E0
mov dword ptr [ebp-20], eax (因为下面的跳到注册错误的地方 )
:0048D909 837DF000 cmp
dword ptr [ebp-10], 00000000
:0048D90D 7537
jne 0048D946 ---------------------跳了就完蛋!!
:0048D90F 8B8DBCFDFFFF mov ecx, dword
ptr [ebp+FFFFFDBC]
:0048D915 E86DF50500 call 004ECE87
:0048D91A C645FC01 mov
[ebp-04], 01
:0048D91E 8D4DE4
lea ecx, dword ptr [ebp-1C]
:0048D921 E85A45FAFF call 00431E80
:0048D926 C645FC00 mov
[ebp-04], 00
:0048D92A 8D4DE8
lea ecx, dword ptr [ebp-18]
:0048D92D E80CE50500 call 004EBE3E
:0048D932 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:0048D939 8D4DEC
lea ecx, dword ptr [ebp-14]
:0048D93C E8FDE40500 call 004EBE3E
:0048D941 E94D010000 jmp 0048DA93
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D90D(C)
|
:0048D946 837DE000 cmp
dword ptr [ebp-20], 00000000
:0048D94A 0F84DA000000 je 0048DA2A
(jump) --------------跳了就完蛋了!!
:0048D950 8B85D8FDFFFF mov eax, dword
ptr [ebp+FFFFFDD8]
:0048D956 C780D400000001000000 mov dword ptr [ebx+000000D4], 00000001
:0048D960 8D4DE8
lea ecx, dword ptr [ebp-18]
:0048D963 51
push ecx
:0048D964 8B8DD8FDFFFF mov ecx, dword
ptr [ebp+FFFFFDD8]
:0048D96A 81C1E0000000 add ecx, 000000E0
:0048D970 E802E60500 call 004EBF77
:0048D975 8D55EC
lea edx, dword ptr [ebp-14]
:0048D978 52
push edx
:0048D979 8B8DD8FDFFFF mov ecx, dword
ptr [ebp+FFFFFDD8]
:0048D97F 81C1E4000000 add ecx, 000000E4
:0048D985 E8EDE50500 call 004EBF77
.................
* Possible StringData Ref from Data Obj ->"Thank you for registering."看见了吗?上面跳过了成功!!
|
(大伙英文肯定比我好)
:0048DA00 68F45D5500 push 00555DF4
:0048DA05 E852C50600 call 004F9F5C
:0048DA0A C645FC05 mov
[ebp-04], 05
:0048DA0E 8D8DC0FDFFFF lea ecx, dword
ptr [ebp+FFFFFDC0]
:0048DA14 E832070000 call 0048E14B
:0048DA19 C645FC02 mov
[ebp-04], 02
:0048DA1D 8D8DC8FDFFFF lea ecx, dword
ptr [ebp+FFFFFDC8]
:0048DA23 E816E40500 call 004EBE3E
:0048DA28 EB37
jmp 0048DA61
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D94A(C)
|
:0048DA2A 6A00
push 00000000
:0048DA2C 6A00
push 00000000
* Possible StringData Ref from Data Obj ->"Registration Key is not correct."错误信息(最可恶!)
|
:0048DA2E 68105E5500 push 00555E10
:0048DA33 E824C50600 call 004F9F5C
:0048DA38 C645FC01 mov
[ebp-04], 01
:0048DA3C 8D4DE4
lea ecx, dword ptr [ebp-1C]
:0048DA3F E83C44FAFF call 00431E80
进入此call可见
:0048DD96 55
push ebp
:0048DD97 8BEC
mov ebp, esp
:0048DD99 6AFF
push FFFFFFFF
:0048DD9B 68955C5100 push 00515C95
:0048DDA0 64A100000000 mov eax, dword
ptr fs:[00000000]
:0048DDA6 50
push eax
:0048DDA7 64892500000000 mov dword ptr fs:[00000000],
esp
:0048DDAE 83EC24
sub esp, 00000024
:0048DDB1 894DD0
mov dword ptr [ebp-30], ecx
:0048DDB4 8B4510
mov eax, dword ptr [ebp+10]
:0048DDB7 C70001000000 mov dword ptr
[eax], 00000001
:0048DDBD 8B4D0C
mov ecx, dword ptr [ebp+0C]
:0048DDC0 51
push ecx
:0048DDC1 8D4DF0
lea ecx, dword ptr [ebp-10]
:0048DDC4 E8EADD0500 call 004EBBB3
:0048DDC9 C745FC00000000 mov [ebp-04], 00000000
:0048DDD0 8D4DF0
lea ecx, dword ptr [ebp-10]
:0048DDD3 E847890500 call 004E671F
:0048DDD8 8D4DF0
lea ecx, dword ptr [ebp-10]
:0048DDDB E87070F7FF call 00404E50
:0048DDE0 83F80A
cmp eax, 0000000A-------------比较你输入的注册码是否为10位
:0048DDE3 741E
je 0048DE03-----------------是就跳
(0A=10) :0048DDE5 C745EC00000000
mov [ebp-14], 00000000
:0048DDEC C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
----------------跳到关键的地方(睁大你的眼睛!!)--------------------
:0048DE03 6A00
push 00000000
*下面的数字都是相对ASCII值
:0048DE05 8D4DF0
lea ecx, dword ptr [ebp-10] (破解里常有,要记住哦)
:0048DE08 E83301F9FF call 0041DF40
:0048DE0D 0FBED0
movsx edx, al
:0048DE10 83FA36
cmp edx, 00000036------------------36=6
:0048DE13 7566
jne 0048DE7B
:0048DE15 6A01
push 00000001
:0048DE17 8D4DF0
lea ecx, dword ptr [ebp-10]
:0048DE1A E82101F9FF call 0041DF40
:0048DE1F 0FBEC0
movsx eax, al
:0048DE22 83F834
cmp eax, 00000034------------------34=4
:0048DE25 7554
jne 0048DE7B
:0048DE27 6A02
push 00000002
:0048DE29 8D4DF0
lea ecx, dword ptr [ebp-10]
:0048DE2C E80F01F9FF call 0041DF40
:0048DE31 0FBEC8
movsx ecx, al
:0048DE34 83F933
cmp ecx, 00000033------------------33=3
:0048DE37 7542
jne 0048DE7B
:0048DE39 6A03
push 00000003
:0048DE3B 8D4DF0
lea ecx, dword ptr [ebp-10]
:0048DE3E E8FD00F9FF call 0041DF40
:0048DE43 0FBED0
movsx edx, al
:0048DE46 83FA58
cmp edx, 00000058-------------------58=X (大写)
:0048DE49 7412
je 0048DE5D
:0048DE4B 6A03
push 00000003
:0048DE4D 8D4DF0
lea ecx, dword ptr [ebp-10]
:0048DE50 E8EB00F9FF call 0041DF40
:0048DE55 0FBEC0
movsx eax, al
:0048DE58 83F878
cmp eax, 00000078-------------------78=x (小写)
:0048DE5B 751E
jne 0048DE7B
**注册码的前5位是固定的, 为643Xx ,后面嘛,你喜欢多迷信就多迷信了!! ^-^(谁能想出新的笑脸)**
欢迎光临:http://www.luosz.cn.gs
- 标 题:献给初学者(高手也点评点评!!)KoolMoves V1.33的破解!! (10千字)
- 作 者:gcehi
- 时 间:2000-9-16 13:38:42
- 链 接:http://bbs.pediy.com