破解心得之CDRWin 4.0A BETA篇
作者:时空幻影
时间:2001年4月20日
破解工具:W32DASM v8.93白金版汉化版、TRW2000 v1.23注册版
软件名称:CDRWin
发布公司:Golden Hawk Technology
最新版本:4.0A Beta
操作系统:Win9x/ME/NT4/2000
软件简介:CDRWin 是一套强力的、特点极多的刻录软件,它可以:支持 AUDIO、CDROM (Mode1)、CDROM-XA (Mode2)、CD-I、混合型、多重扇区盘片;独有的 CUE SHEET 语言可以 100% 定制盘片的布局,避免其他刻录软件在不同 track 之间产生间隔的现象;强大的备份功能可以防止盘片上原有数据的损失;符合 ISO9660 磁盘控制标准;可以制作光盘启动盘;支持 Karaoke CD G 盘片(需要 Sony CDW-900E、Panasonic 或 Yamaha 刻录机);仅有的支持 Philips/Kodak/HP 家族刻录机 Disc-at-once 技术的软件;支持盘片的 UPC 码和 track 的 ISRC 码;支持“Kodak Disc Transporter”高速盘片复制技术。
由于该软件没有加壳,所以破解相对容易一些!!!呵呵,希望大家指出不足之处!!!
1.执行CDRWin 4.0A BETA,点击unlock图标,填入
name:shikonghuanying
company:Changsha
Unlock Key:12345-67890-09876-54321
Check Key:ABCDE-BCDEF-FEDCB-EDCBA(为什么要这样?待会儿再告知)
2.执行TRW2000,按ctrl+N激活它,用BPX HMEMCPY设置断点,再按F5继续.
3.点击Unlock,会被TRW2000拦下,输入BD *使断点暂时失效,再输入PMODULE跳入程序领空。
4.再按几下F10,会到以下所指的地方:
; Fragment of the Unlock-dialog handler (W32DASM listing; 32-bit x86, Intel syntax).
; The excerpt begins three bytes into the function: the push ebp / mov ebp,esp that the
; [ebp-xx] references below rely on is presumably at 0041DF40, just above this listing,
; and the listing stops at 0041E01E, so the function's tail (including the unwinding of
; the fs:[0] exception frame installed at 0041DF45..0041DF51) is not on this page.
; What is visible: four dwords at [ebp-20]..[ebp-14] are initialised from [004AA0F0] and
; handed one by one to 0046A2AC together with [esi+68]..[esi+74] (esi = incoming ecx,
; i.e. a this-style object pointer); the Unlock Key string ([ebp-18]) and the Check Key
; string ([ebp-14]) are then each parsed with the format "%lx-%lx-%lx-%lx" by 004565FD
; (presumably a sscanf-style routine -- exactly four fields must be consumed, hence the
; "cmp eax, 00000004 / jne 0041E074" after each call), into [ebp-44]..[ebp-38] and
; [ebp-34]..[ebp-28] respectively. Finally 00424360 is called with [ebp-20], [ebp-1C]
; and the two parsed field arrays (caller cleans 10h bytes: cdecl).
* Possible Reference to String Resource ID=00255: "Invalid disc count specified."
|
:0041DF43 6AFF
push FFFFFFFF
:0041DF45 68D0664700 push
004766D0
:0041DF4A 64A100000000 mov eax, dword
ptr fs:[00000000]
:0041DF50 50
push eax
:0041DF51 64892500000000 mov dword ptr fs:[00000000],
esp
:0041DF58 83EC38
sub esp, 00000038
:0041DF5B A1F0A04A00 mov eax,
dword ptr [004AA0F0]
:0041DF60 53
push ebx
:0041DF61 56
push esi
:0041DF62 57
push edi
:0041DF63 8965F0
mov dword ptr [ebp-10], esp
:0041DF66 8BF1
mov esi, ecx
:0041DF68 8945E0
mov dword ptr [ebp-20], eax
:0041DF6B C745FC00000000 mov [ebp-04], 00000000
:0041DF72 8945E4
mov dword ptr [ebp-1C], eax
:0041DF75 8945E8
mov dword ptr [ebp-18], eax
:0041DF78 8945EC
mov dword ptr [ebp-14], eax
:0041DF7B 8B4E68
mov ecx, dword ptr [esi+68]
:0041DF7E 8D45E0
lea eax, dword ptr [ebp-20]
:0041DF81 BB03000000 mov ebx,
00000003
:0041DF86 50
push eax
:0041DF87 885DFC
mov byte ptr [ebp-04], bl
:0041DF8A E81DC30400 call
0046A2AC
:0041DF8F 8D4DE4
lea ecx, dword ptr [ebp-1C]
:0041DF92 51
push ecx
<-- F10 lands here; keep stepping with F10
:0041DF93 8B4E6C
mov ecx, dword ptr [esi+6C]
:0041DF96 E811C30400 call
0046A2AC
:0041DF9B 8B4E70
mov ecx, dword ptr [esi+70]
:0041DF9E 8D55E8
lea edx, dword ptr [ebp-18]
:0041DFA1 52
push edx
:0041DFA2 E805C30400 call
0046A2AC
:0041DFA7 8B4E74
mov ecx, dword ptr [esi+74]
:0041DFAA 8D45EC
lea eax, dword ptr [ebp-14]
:0041DFAD 50
push eax
:0041DFAE E8F9C20400 call
0046A2AC
:0041DFB3 8D4DBC
lea ecx, dword ptr [ebp-44]
:0041DFB6 8D55C0
lea edx, dword ptr [ebp-40]
:0041DFB9 51
push ecx
:0041DFBA 8D45C4
lea eax, dword ptr [ebp-3C]
:0041DFBD 52
push edx
:0041DFBE 8B55E8
mov edx, dword ptr [ebp-18]
:0041DFC1 8D4DC8
lea ecx, dword ptr [ebp-38]
:0041DFC4 50
push eax
:0041DFC5 51
push ecx
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx" <-- format of the Unlock Key
|
:0041DFC6 68FC214A00 push
004A21FC
:0041DFCB 52
push edx
:0041DFCC E82C860300 call
004565FD <-- parses the string against the format above and converts each field to a hex dword
:0041DFD1 83C418
add esp, 00000018
:0041DFD4 83F804
cmp eax, 00000004
:0041DFD7 0F8597000000 jne 0041E074
:0041DFDD 8D45CC
lea eax, dword ptr [ebp-34]
:0041DFE0 8D4DD0
lea ecx, dword ptr [ebp-30]
:0041DFE3 50
push eax
:0041DFE4 8D55D4
lea edx, dword ptr [ebp-2C]
:0041DFE7 51
push ecx
:0041DFE8 8B4DEC
mov ecx, dword ptr [ebp-14]
:0041DFEB 8D45D8
lea eax, dword ptr [ebp-28]
:0041DFEE 52
push edx
:0041DFEF 50
push eax
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx" <-- format of the Check Key
|
:0041DFF0 68FC214A00 push
004A21FC
:0041DFF5 51
push ecx
:0041DFF6 E802860300 call
004565FD <-- parses the string against the format above and converts each field to a hex dword
:0041DFFB 83C418
add esp, 00000018
:0041DFFE 83F804
cmp eax, 00000004
:0041E001 7571
jne 0041E074
:0041E003 8B4DE4
mov ecx, dword ptr [ebp-1C]
:0041E006 8845FC
mov byte ptr [ebp-04], al
:0041E009 8D55CC
lea edx, dword ptr [ebp-34]
:0041E00C 8D45BC
lea eax, dword ptr [ebp-44]
:0041E00F 52
push edx
:0041E010 8B55E0
mov edx, dword ptr [ebp-20]
:0041E013 50
push eax
:0041E014 51
push ecx
:0041E015 52
push edx
:0041E016 E845630000 call
00424360 <-- F8 steps into this call (listed below)
:0041E01B 83C410
add esp, 00000010
:0041E01E 895DFC
mov dword ptr [ebp-04], ebx
下面为Unlock Key和Check Key比较的部分,假设Key的各部分为:
Unlock Key:12345-67890-09876-54321
           ^^^^^ ^^^^^ ^^^^^ ^^^^^
             u1    u2    u3    u4
Check Key:ABCDE-BCDEF-FEDCB-EDCBA
          ^^^^^ ^^^^^ ^^^^^ ^^^^^
            c1    c2    c3    c4
; Key-relation check at 00424360 (cdecl: the caller at 0041E016 removes 10h bytes).
; Args: [esp+4] = the [ebp-20] string, [esp+8] = the [ebp-1C] string (name and company,
; judging by what 004248B0 does with them), [esp+C] -> the four parsed Unlock Key fields
; (memory order u4,u3,u2,u1 per the author's annotations), [esp+10] -> the four parsed
; Check Key fields (c4,c3,c2,c1). After the first three pushes, ecx -> Check fields and
; esi -> Unlock fields; after the fourth push, [esp+14]/[esp+18] are the two strings.
; Stage 1 (0042436B..0042439E): each Check field must equal the XOR of two Unlock fields
; (the xor/cmp pairs below); any mismatch goes to 004243A0.
; Stage 2 (004243B3..004243C8): 004248B0(name, company, unlock fields) must return non-zero.
; Stage 3 (004243DA..0042440F): a 16-bit value mixed from the high half of u4 and the low
; half of u3 must lie within 0Fh of 4BCh (both jle/jge are signed compares on ebx-0F and
; ebx+0F). The code at 00424424 and the function's return are not in this listing.
; Every failure path calls 00427AA0 with three zeros and a negative constant (FFFFFF38,
; FFFFFF37, FFFFFF34, FFFFFF35 -- likely message/resource ids); the author identifies it as
; the "registration failed" dialog. Note that the 004243A0 path falls straight into
; 004243B3 after that call; whether 00427AA0 returns is not visible here.
; Design note: the whole check is plain client-side arithmetic with no secret material,
; so nothing in it can bind a key to a user -- a signature over (name, company) verified
; with an embedded public key would not have this property.
* Referenced by a CALL at Address:
|:0041E016
|
:00424360 8B4C2410
mov ecx, dword ptr [esp+10]
:00424364 53
push ebx
:00424365 55
push ebp
:00424366 56
push esi
:00424367 8B742418
mov esi, dword ptr [esp+18]
:0042436B 8B19
mov ebx, dword ptr [ecx] <--ebx=c4
:0042436D 57
push edi
:0042436E 8B3E
mov edi, dword ptr [esi] <--edi=u4
:00424370 8B4604
mov eax, dword ptr [esi+04] <--eax=u3
:00424373 8BD7
mov edx, edi
:00424375 33D0
xor edx, eax
:00424377 3BDA
cmp ebx, edx
:00424379 7525
jne 004243A0
<-- this jne and the two below must not be taken
:0042437B 8B5608
mov edx, dword ptr [esi+08] <--edx=u2
:0042437E 8BDA
mov ebx, edx
:00424380 33D8
xor ebx, eax
:00424382 8B4104
mov eax, dword ptr [ecx+04] <--eax=c3
:00424385 3BC3
cmp eax, ebx
:00424387 7517
jne 004243A0
:00424389 8B460C
mov eax, dword ptr [esi+0C] <--eax=u1
:0042438C 8BD8
mov ebx, eax
:0042438E 33DA
xor ebx, edx
:00424390 8B5108
mov edx, dword ptr [ecx+08] <--edx=c2
:00424393 3BD3
cmp edx, ebx
:00424395 7509
jne 004243A0
:00424397 8B510C
mov edx, dword ptr [ecx+0C] <--edx=c1
:0042439A 33C7
xor eax, edi
:0042439C 3BD0
cmp edx, eax
:0042439E 7413
je 004243B3
<-- this one must be taken
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00424379(C), :00424387(C), :00424395(C)
|
:004243A0 6A00
push 00000000
:004243A2 6A00
push 00000000
:004243A4 6A00
push 00000000
:004243A6 6838FFFFFF push
FFFFFF38
:004243AB E8F0360000 call
00427AA0 <-- shows the registration-failed dialog
:004243B0 83C410
add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042439E(C)
|
:004243B3 8B6C2418
mov ebp, dword ptr [esp+18]
:004243B7 8B7C2414
mov edi, dword ptr [esp+14]
:004243BB 56
push esi
:004243BC 55
push ebp
:004243BD 57
push edi
:004243BE E8ED040000 call
004248B0 <-- F8 steps into this call (listed below)
:004243C3 83C40C
add esp, 0000000C
:004243C6 85C0
test eax, eax
:004243C8 7510
jne 004243DA
:004243CA 50
push eax
:004243CB 50
push eax
:004243CC 50
push eax
:004243CD 6837FFFFFF push
FFFFFF37
:004243D2 E8C9360000 call
00427AA0 <-- shows the registration-failed dialog
:004243D7 83C410
add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004243C8(C)
|
:004243DA 8B1E
mov ebx, dword ptr [esi]
:004243DC C1EB10
shr ebx, 10
:004243DF 66335E04
xor bx, word ptr [esi+04]
:004243E3 81E3FFFF0000 and ebx, 0000FFFF
:004243E9 8D43F1
lea eax, dword ptr [ebx-0F]
:004243EC 3DBC040000 cmp eax,
000004BC
:004243F1 7E13
jle 00424406
<-- must be taken
:004243F3 6A00
push 00000000
:004243F5 6A00
push 00000000
:004243F7 6A00
push 00000000
:004243F9 6834FFFFFF push
FFFFFF34
:004243FE E89D360000 call
00427AA0 <-- shows the registration-failed dialog
:00424403 83C410
add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004243F1(C)
|
:00424406 83C30F
add ebx, 0000000F
:00424409 81FBBC040000 cmp ebx, 000004BC
:0042440F 7D13
jge 00424424
<-- must also be taken
:00424411 6A00
push 00000000
:00424413 6A00
push 00000000
:00424415 6A00
push 00000000
:00424417 6835FFFFFF push
FFFFFF35
:0042441C E87F360000 call
00427AA0 <-- shows the registration-failed dialog
:00424421 83C410
add esp, 00000010
在那个call 00427AA0按F8进入后来到以下:
; Name/company/u4 consistency check at 004248B0 (cdecl: the caller removes 0Ch bytes).
; Args: [esp+4] = name, [esp+8] = company, [esp+C] -> Unlock Key fields (first dword = u4).
; Both strings must be at least 6 bytes long (length via repnz scasb with al = 0) and
; both 16-bit halves of u4 must be non-zero; each failing branch jumps to 00424939, which
; lies between this routine's ret and 00424940 and is not in the listing.
; 00424940(string, 2) is then applied to the name (kept in esi) and to the company; the
; company result has its bytes rearranged by the and/shr/shl/or sequence at
; 00424904..0042492B, is XORed with the name result and compared with u4.
; Returns eax = 1 on match, 0 otherwise (xor eax,eax then sete al). ebx, ebp, edi and esi
; are restored before the ret.
* Referenced by a CALL at Addresses:
|:004242D8 , :004243BE
|
:004248B0 8B44240C
mov eax, dword ptr [esp+0C]
:004248B4 8B542404
mov edx, dword ptr [esp+04]
:004248B8 53
push ebx
:004248B9 55
push ebp
:004248BA 8B18
mov ebx, dword ptr [eax] <-- ebx = u4 (54321 in the author's sample key)
:004248BC 57
push edi
:004248BD 8BFA
mov edi, edx
:004248BF 83C9FF
or ecx, FFFFFFFF
:004248C2 33C0
xor eax, eax
:004248C4 F2
repnz
:004248C5 AE
scasb
:004248C6 F7D1
not ecx
:004248C8 49
dec ecx
:004248C9 83F906
cmp ecx, 00000006 <-- checks whether strlen(name) >= 6;
:004248CC 726B
jb 00424939
<-- name must be at least 6 characters long
:004248CE 8B6C2414
mov ebp, dword ptr [esp+14]
:004248D2 83C9FF
or ecx, FFFFFFFF
:004248D5 8BFD
mov edi, ebp
:004248D7 F2
repnz
:004248D8 AE
scasb
:004248D9 F7D1
not ecx
:004248DB 49
dec ecx
:004248DC 83F906
cmp ecx, 00000006 <-- checks whether strlen(company) >= 6;
:004248DF 7258
jb 00424939
<-- company must be at least 6 characters long
:004248E1 F7C3FFFF0000 test ebx,
0000FFFF
:004248E7 7450
je 00424939
:004248E9 F7C30000FFFF test ebx,
FFFF0000
:004248EF 7448
je 00424939
:004248F1 56
push esi
:004248F2 6A02
push 00000002
:004248F4 52
push edx
:004248F5 E846000000 call
00424940 <-- F8 steps into this call (listed below)
:004248FA 6A02
push 00000002
:004248FC 55
push ebp
:004248FD 8BF0
mov esi, eax
:004248FF E83C000000 call
00424940 <-- F8 steps into this call (listed below)
:00424904 8BC8
mov ecx, eax
:00424906 8BD0
mov edx, eax
:00424908 81E10000FF00 and ecx, 00FF0000
:0042490E 83C410
add esp, 00000010
:00424911 C1EA10
shr edx, 10
:00424914 0BCA
or ecx, edx
:00424916 8BD0
mov edx, eax
:00424918 81E200FF0000 and edx, 0000FF00
:0042491E C1E010
shl eax, 10
:00424921 0BD0
or edx, eax
:00424923 33C0
xor eax, eax
:00424925 C1E908
shr ecx, 08
:00424928 C1E208
shl edx, 08
:0042492B 0BCA
or ecx, edx
:0042492D 33CE
xor ecx, esi
:0042492F 5E
pop esi
:00424930 3BCB
cmp ecx, ebx
:00424932 5F
pop edi
:00424933 5D
pop ebp
:00424934 5B
pop ebx
:00424935 0F94C0
sete al
:00424938 C3
ret
第一个call 00424940是把name进行计算,第二个call 00424940是把company进行计算。
; Hash dispatch at 00424940 (cdecl: both callers remove 08h bytes).
; Args: [esp+4] = string, [esp+8] = table selector: 1 -> table at 004A8060,
;       2 -> table at 004A80A0, anything else -> returns 0 immediately.
; Otherwise measures the string with repnz scasb (al = 0) and calls
; 00447850(table, string, length, 0); that routine's eax is returned unchanged.
; esi and edi are preserved.
* Referenced by a CALL at Addresses:
|:004248F5 , :004248FF
|
:00424940 8B442408
mov eax, dword ptr [esp+08]
:00424944 56
push esi
:00424945 48
dec eax
:00424946 740E
je 00424956
:00424948 48
dec eax
:00424949 7404
je 0042494F <-- normally taken here (the callers pass 2), and it has to be taken
:0042494B 33C0
xor eax, eax
:0042494D 5E
pop esi
:0042494E C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424949(C)
|
:0042494F BEA0804A00 mov esi,
004A80A0
:00424954 EB05
jmp 0042495B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424946(C)
|
:00424956 BE60804A00 mov esi,
004A8060
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424954(U)
|
:0042495B 8B542408
mov edx, dword ptr [esp+08]
:0042495F 57
push edi
:00424960 8BFA
mov edi, edx
:00424962 83C9FF
or ecx, FFFFFFFF
:00424965 33C0
xor eax, eax
:00424967 6A00
push 00000000
:00424969 F2
repnz
:0042496A AE
scasb
:0042496B F7D1
not ecx
:0042496D 49
dec ecx
:0042496E 51
push ecx
:0042496F 52
push edx
:00424970 56
push esi
:00424971 E8DA2E0200 call
00447850 <-- F8 steps into this call (listed below)
:00424976 83C410
add esp, 00000010
:00424979 5F
pop edi
:0042497A 5E
pop esi
:0042497B C3
ret
进入后的这一段代码比较重要,对求出注册码的u4部分起关键作用。
; Table-driven hash at 00447850 (cdecl, four args; shared with the other callers listed
; in the cross-reference below, so it is a general-purpose helper, not key-specific).
; Args: [esp+4] = table of 16 dwords, [esp+8] = string, [esp+C] = length (only the low
;       16 bits are used: test di,di / and edi,0000FFFF), [esp+10] = initial accumulator
;       (the caller at 00424971 passes 0).
; Returns eax. A zero length returns the accumulator unchanged. Otherwise each byte is
; folded in with two table lookups indexed by 4-bit values: first (byte ^ eax) & 0F
; against eax >> 4, then ((byte >> 4) ^ eax) & 0F against the shifted eax -- a nibble-
; at-a-time CRC-style update, judging by the shape (the table's polynomial is not
; identified on this page). ebx, ebp, esi and edi are preserved.
* Referenced by a CALL at Addresses:
|:0042463C , :004247FE , :00424971 , :0042508B , :00447F8D
|
:00447850 8B442410 mov eax, dword ptr [esp+10]
:00447854 8B542408 mov edx, dword ptr [esp+08]
:00447858 57 push edi
:00447859 8B7C2410 mov edi, dword ptr [esp+10]
:0044785D 6685FF test di, di
:00447860 743E je 004478A0
:00447862 53 push ebx
:00447863 55 push ebp
:00447864 56 push esi
:00447865 8B742414 mov esi, dword ptr [esp+14]
:00447869 81E7FFFF0000 and edi, 0000FFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044789B(C)
|
:0044786F 33C9 xor ecx, ecx
:00447871 8BE8 mov ebp, eax
:00447873 8A0A mov cl, byte ptr [edx] <-- edx points at the name or company string
:00447875 42 inc edx
:00447876 8BD9 mov ebx, ecx
:00447878 33D8 xor ebx, eax
:0044787A 83E30F and ebx, 0000000F
:0044787D C1ED04 shr ebp, 04
:00447880 8B049E mov eax, dword ptr [esi+4*ebx] <-- esi points at the table (listed below)
:00447883 33C5 xor eax, ebp
:00447885 C1E904 shr ecx, 04
:00447888 8BD8 mov ebx, eax
:0044788A 83E10F and ecx, 0000000F
:0044788D 83E30F and ebx, 0000000F
:00447890 33CB xor ecx, ebx
:00447892 C1E804 shr eax, 04
:00447895 8B0C8E mov ecx, dword ptr [esi+4*ecx]
:00447898 33C1 xor eax, ecx
:0044789A 4F dec edi
:0044789B 75D2 jne 0044786F
:0044789D 5E pop esi
:0044789E 5D pop ebp
:0044789F 5B pop ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00447860(C)
|
:004478A0 5F pop edi
:004478A1 C3 ret
密码表:
0x00000000 0x1C3E887E 0x387D10FC 0x24439882
0x70FA21F8 0x6CC4A986 0x48873104 0x54B9B97A
0xE1F443F0 0xFDCACB8E 0xD989530C 0xC5B7DB72
0x910E6208 0x8D30EA76 0xA97372F4 0xB54DFA8A
到这里,相信大家应该对其注册算法比较清楚了,自己写一下注册机,提高一下自己的编程能力。
我的注册码为:
name:时空幻影
company:湖南长沙
Unlock Key:3520A324-303B8C46-1810AD6E-A9D27FF5
Check Key:9CF2DCD1-051B2F62-282B2128-B1C2D29B