Title:
Learn from 井风 in cracking Winimage6.00.6000
Software:
Winimage6.00.6000
Downloaded from: http://www.winimag.com
Author: 看雪学苑学员wlq
Tool:
trw2000
Procedure:
Step 1. Run trw2000, then hide it.
Step 2. Run Winimage6.0
Step 3. Click "Options" - "Registering", then fill in the blanks:
name:wlq Registration
code:000000
Step 4. Press Ctrl+N to call trw2000, enter bpx hmemcpy, then press F5.
Step 5. Click "OK"; we stop at
:9E62 PUSH BP
:9E63 MOV BP,SP
Step 6. BD *
Step 7. Pmodule; we arrive in the Winimage6.0 code.
After we press F10 thirty-six times, we arrive
at
:00434567 BF0CD14400 mov
edi, 0044D10C
.
.
.
:00434602 E84ADBFEFF call 00422151
:00434607 83C410
add esp, 00000010 --- The wrong message box springs up.
**************************************************************************
Step 8. Repeat Steps 1 to 7, then press F10 to find the crucial call.
**********************
:00434567 BF0CD14400
mov edi, 0044D10C
* Possible Ref
to Menu: WINIMAGMENU, Item: "Create directory..."
|
:0043456C 6A7F
push 0000007F
:0043456E 57
push edi
* Possible Reference
to Dialog: REGISTER, CONTROL_ID:0817, ""
|
:0043456F 6817080000 push
00000817
:00434574 FF7508
push [ebp+08]
:00434577 FFD6
call esi
:00434579 68E8D44400
push 0044D4E8
:0043457E 57
push edi
:0043457F
53
push ebx
:00434580 E8535D0000
call 0043A2D8 --- Press F8 ,enter this crucial call.
***********************************************************************************
:00434585 8B0DE8D44400 mov ecx,
dword ptr [0044D4E8]
:0043458B 83C40C
add esp, 0000000C
:0043458E 33D2
xor edx, edx
:00434590 A3D4D24400
mov dword ptr [0044D2D4], eax
:00434595
3BC2 cmp
eax, edx
:00434597 5F
pop edi
:00434598 5B
pop ebx
:00434599 7406
je 004345A1
:0043459B
890DACD44400 mov dword ptr [0044D4AC],
ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434599(C)
|
:004345A1 3915ACD44400
cmp dword ptr [0044D4AC], edx
:004345A7 890D38D74400
mov dword ptr [0044D738], ecx
:004345AD
7505 jne
004345B4
:004345AF A338D74400
mov dword ptr [0044D738], eax
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004345AD(C)
|
:004345B4 6A01
push 00000001
:004345B6
3BC2 cmp
eax, edx
:004345B8 5E
pop esi
:004345B9 7529
jne 004345E4
:004345BB 6800200000
push 00002000
* Possible Reference
to String Resource ID=01069: "WinImage Registration"
|
:004345C0 682D040000
push 0000042D
:004345C5 8935B4D34400
mov dword ptr [0044D3B4], esi
:004345CB 89350CD54400
mov dword ptr [0044D50C], esi
:004345D1 88150CD14400
mov byte ptr [0044D10C], dl
:004345D7
881510D54400 mov byte ptr [0044D510],
dl
* Possible Reference to String Resource ID=01067: "Registering information
is invalid"
|
__________________________________
:004345E2
EB1B jmp
004345FF
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004345B9(C)
|
:004345E4 6800200000
push 00002000
* Possible Reference to String
Resource ID=01069: "WinImage Registration"
|
:004345E9 682D040000 push
0000042D
:004345EE 8915B4D34400
mov dword ptr [0044D3B4], edx
:004345F4 89150CD54400
mov dword ptr [0044D50C], edx
* Possible Reference
to String Resource ID=01066: "Your registration code is valid.
You are now
a registered us"
|
_____________________________________________________________
:004345FA 682A040000 push
0000042A
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004345E2(U)
|
:004345FF FF7508
push [ebp+08]
:00434602 E84ADBFEFF
call 00422151
**************
:00434607 83C410
add esp, 00000010 --- The wrong box springs
up here.
***************************************************
Step 9. After entering the crucial call, we press F10 step by step to look for the registration key(s).
:0043A2D8 55
push ebp
*************
:0043A2D9 8BEC
mov ebp, esp
:0043A2DB 81EC00020000
sub esp, 00000200
:0043A2E1 56
push esi
:0043A2E2 8B7510
mov esi, dword ptr [ebp+10]
:0043A2E5 85F6
test esi, esi --d esi ,we get
our name:wlq
:0043A2E7 57
push edi
:0043A2E8 7403
je 0043A2ED
:0043A2EA
832600 and dword
ptr [esi], 00000000
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0043A2E8(C)
|
:0043A2ED FF750C
push [ebp+0C]
:0043A2F0
8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:0043A2F6 50
push eax
:0043A2F7 E8E0FEFFFF
call 0043A1DC
:0043A2FC FF7508
push [ebp+08]
:0043A2FF E804FFFFFF
call 0043A208
:0043A304 8BF8
mov edi, eax
:0043A306
83C40C add esp,
0000000C
:0043A309 81FF26DDDCB8
cmp edi, B8DCDD26
:0043A30F 0F84FE000000
je 0043A413
:0043A315 8D8500FFFFFF
lea eax, dword ptr [ebp+FFFFFF00]
:0043A31B 50
push eax
---- d eax, we get our incorrect key: 000000
:0043A31C 8D8500FEFFFF
lea eax, dword ptr [ebp+FFFFFE00]
:0043A322 57
push edi
:0043A323 50
push eax
:0043A324 E862FFFFFF
call 0043A28B
:0043A329
59
pop ecx
:0043A32A 59
pop ecx
:0043A32B 50
push eax
* Reference To: CRTDLL.strcmp,
Ord:01CFh
|
:0043A32C E8E93B0000
Call 0043DF1A
:0043A331 59
pop ecx
:0043A332 85C0
test eax, eax
:0043A334 59
pop ecx
:0043A335 0F84A0000000
je 0043A3DB
:0043A33B 8D8500FFFFFF
lea eax, dword ptr [ebp+FFFFFF00]
:0043A341 50
push eax
----- d eax, we get one key: 4B0B5B
:0043A342 8D8748190514
lea eax, dword ptr [edi+14051948]
:0043A348 50
push eax
:0043A349
8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
:0043A34F 50
push eax
:0043A350 E836FFFFFF
call 0043A28B
:0043A355 59
pop ecx
:0043A356 59
pop ecx
:0043A357
50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:0043A358 E8BD3B0000
Call 0043DF1A
:0043A35D 59
pop ecx
:0043A35E 85C0
test eax, eax
:0043A360
59
pop ecx
:0043A361 7478
je 0043A3DB
:0043A363 8D8500FFFFFF
lea eax, dword ptr [ebp+FFFFFF00]
:0043A369 50
push eax
--- d eax, we get our incorrect key: 000000
:0043A36A 8D8754190617
lea eax, dword ptr [edi+17061954]
:0043A370 50
push eax
:0043A371 8D8500FEFFFF lea eax,
dword ptr [ebp+FFFFFE00]
:0043A377 50
push eax
----- d eax, we get another key: 144D21A0
:0043A378 E80EFFFFFF
call 0043A28B
:0043A37D 59
pop ecx
:0043A37E 59
pop ecx
:0043A37F 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:0043A380 E8953B0000
Call 0043DF1A
:0043A385 59
pop ecx
:0043A386
85C0 test
eax, eax
:0043A388 59
pop ecx
:0043A389 7450
je 0043A3DB
:0043A38B 8D8500FFFFFF
lea eax, dword ptr [ebp+FFFFFF00]
:0043A391
50
push eax
:0043A392 8D8781190510
lea eax, dword ptr [edi+10051981]
:0043A398 50
push eax
:0043A399 8D8500FEFFFF
lea eax, dword ptr [ebp+FFFFFE00]
:0043A39F
50
push eax
:0043A3A0 E8E6FEFFFF
call 0043A28B
:0043A3A5 59
pop ecx
:0043A3A6 59
pop ecx
:0043A3A7
50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:0043A3A8 E86D3B0000
Call 0043DF1A
:0043A3AD 59
pop ecx
:0043A3AE 85C0
test eax, eax
:0043A3B0
59
pop ecx
:0043A3B1 7455
je 0043A408
:0043A3B3 8D8500FFFFFF
lea eax, dword ptr [ebp+FFFFFF00]
:0043A3B9 50
push eax
--- d eax, we get our incorrect key: 000000
:0043A3BA 8D8795190104
lea eax, dword ptr [edi+04011995]
:0043A3C0 50
push eax
:0043A3C1 8D8500FEFFFF lea eax,
dword ptr [ebp+FFFFFE00]
:0043A3C7 50
push eax
d eax, we get another key: 104D21D9
:0043A3C8 E8BEFEFFFF call
0043A28B
:0043A3CD 59
pop ecx
:0043A3CE 59
pop ecx
:0043A3CF 50
push eax
* Reference To: CRTDLL.strcmp, Ord:01CFh
|
:0043A3D0 E8453B0000 Call
0043DF1A
:0043A3D5 59
pop ecx
:0043A3D6 85C0
test eax, eax
:0043A3D8 59
pop ecx
:0043A3D9
7505 jne
0043A3E0
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:0043A335(C), :0043A361(C), :0043A389(C)
|
:0043A3DB
6A01 push
00000001
:0043A3DD 58
pop eax
:0043A3DE EB35
jmp 0043A415
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043A3D9(C)
|
:0043A3E0 8D8500FFFFFF
lea eax, dword ptr [ebp+FFFFFF00]
:0043A3E6
81C797190602 add edi, 02061997
--- d eax, we get our incorrect key: 000000
:0043A3EC 50
push eax
:0043A3ED 8D8500FEFFFF
lea eax, dword ptr [ebp+FFFFFE00]
:0043A3F3 57
push edi
d eax, we get another key: 44921ED
:0043A3F4 50
push eax
:0043A3F5 E891FEFFFF
call 0043A28B
:0043A3FA 59
pop ecx
:0043A3FB 59
pop ecx
:0043A3FC 50
push eax
To sum up, with the user name wlq, we get four keys altogether: 4B0B5B, 144D21A0, 104D21D9, 44921ED.
- 标 题:Learn from 井风 in cracking Winimage6.00.6000 (11千字)
- 作 者:wangliqiang
- 时 间:2001-9-10
23:58:48
- 链 接:http://bbs.pediy.com