Regediter 1.3 破解(得到注册码)
crack by fwnl
破解工具:trw2000 1.22 W32DASM 8.93
软件下载:http://file2.mydrivers.com/tools/reg/RegEditer.zip
http://newhua.ruyi.com/down/RegEditer.zip
软件说明:RegEditer 1.3中文版For Win9x/ME/2000/XP 放弃微软自带的注册表编辑器吧!使用RegEditer每个人都可以成为注册表高手,永远解除你对注册表的那种神秘感。如果你细心地使用RegEditer,你会发现管理注册表是件轻松、愉快的事情。
RegEditer是用来编辑、管理“注册表”设置的功能强大的工具。RegEditer为你提供了许多强大、有趣的功能。如强大的查找功能(支持通配符)。大数据存储,将一个文件装入注册表(长度太大不推荐)。将注册表内容按图片看(如果数据是支持的图片格式,参阅“图片格式”),将某一选定数据存入文件。批量替换指定字符串。注册表主键拷贝,粘贴。批量注册表数据拷贝粘贴。收藏夹、直接跳转、地址输入支持等功能使你能快速定位要编辑的内容。你能利用RegEditer查看主键下的所有内容,批量编辑它,并将它直接导入注册表。类似的新颖强大的功能还有很多。如果你细心地使用RegEditer,你会发现管理注册表很轻松,很有趣,不再繁杂,难懂,甚至可以成为一门艺术。RegEditer是一个绿色软件,你直接将它拷到你的计算机上就可运行。
用trw2000载入regediter.exe,按F5后出现注册对话框,名字可以乱填.
注册码以KGL-XXXXX-XXXX-XXXXXX的形式填,至于为什么可看下面代码注释.
(XXXXXXXXX代表任意字符)
Ctrl+N 回trw2000后下 bpx hmemcpy,按F5返回程序后按确定被中断, bd * 暂时关掉断点后按F12几下来到(我按了14下)下面这里
:0048202
ret ==>按F10就到了
004BFE5C
:0048203
nop
:0048204
push ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004BFDED(C)
:004BFE5C 8B45FC
mov eax, dword ptr [ebp-04]
:004BFE5F E82C55FDFF call 00495390
//关键call,F8进入
:004BFE64 84C0
test al, al
:004BFE66 7460
je 004BFEC8 //一定不能跳
在上面的关键call处按F8进入后来到:
* Referenced by a CALL at Addresses:
|:004BFE5F , :004C1C0E
|
:00495390 55
push ebp
:00495391 8BEC
mov ebp, esp
:00495393 33C9
xor ecx, ecx
:00495395 51
push ecx
:00495396 51
push ecx
:00495397 51
push ecx
:00495398 51
push ecx
:00495399 51
push ecx
:0049539A 53
push ebx
:0049539B 56
push esi
:0049539C 57
push edi
:0049539D 8945FC
mov dword ptr [ebp-04], eax
:004953A0 8B45FC
mov eax, dword ptr [ebp-04]
:004953A3 E8E8F3F6FF call 00404790
:004953A8 33C0
xor eax, eax
:004953AA 55
push ebp
:004953AB 6803554900 push 00495503
:004953B0 64FF30
push dword ptr fs:[eax]
:004953B3 648920
mov dword ptr fs:[eax], esp
:004953B6 33DB
xor ebx, ebx
:004953B8 33C0
xor eax, eax
:004953BA 55
push ebp
:004953BB 68DC544900 push 004954DC
:004953C0 64FF30
push dword ptr fs:[eax]
:004953C3 648920
mov dword ptr fs:[eax], esp
:004953C6 8B45FC
mov eax, dword ptr [ebp-04]
:004953C9 E8DAF1F6FF call 004045A8
:004953CE 83F816
cmp eax, 00000016
:004953D1 740D
je 004953E0
:004953D3 33C0
xor eax, eax
:004953D5 5A
pop edx
:004953D6 59
pop ecx
:004953D7 59
pop ecx
:004953D8 648910
mov dword ptr fs:[eax], edx
:004953DB E908010000 jmp 004954E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004953D1(C)
|
:004953E0 8D45F0
lea eax, dword ptr [ebp-10]
:004953E3 E808EFF6FF call 004042F0
:004953E8 8D45F0
lea eax, dword ptr [ebp-10]
:004953EB BA1C554900 mov edx,
0049551C
:004953F0 E8BBF1F6FF call 004045B0
<==d edx 得 K
:004953F5 8D45F0
lea eax, dword ptr [ebp-10]
:004953F8 BA28554900 mov edx,
00495528 <==d edx 得 G
:004953FD E8AEF1F6FF call 004045B0
:00495402 8D45F0
lea eax, dword ptr [ebp-10]
:00495405 BA34554900 mov edx,
00495534 <==d edx 得 L
:0049540A E8A1F1F6FF call 004045B0
:0049540F 8D45F0
lea eax, dword ptr [ebp-10]
:00495412 BA40554900 mov edx,
00495540 <==d edx 得 -
:00495417 E894F1F6FF call 004045B0
:0049541C 8B45F0
mov eax, dword ptr [ebp-10]
:0049541F E87CF3F6FF call 004047A0
<==d eax 得 KGL-
:00495424 50
push eax
:00495425 8B45FC
mov eax, dword ptr [ebp-04]
:00495428 E873F3F6FF call 004047A0
:0049542D 8BF0
mov esi, eax
:0049542F 8BC6
mov eax, esi
:00495431 5A
pop edx
:00495432 E8B93EF7FF call 004092F0
:00495437 8BF8
mov edi, eax
:00495439 3BFE
cmp edi, esi
:0049543B 740D
je 0049544A
:0049543D 33C0
xor eax, eax
:0049543F 5A
pop edx
:00495440 59
pop ecx
:00495441 59
pop ecx
:00495442 648910
mov dword ptr fs:[eax], edx
:00495445 E99E000000 jmp 004954E8
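通过上面这一段代码可知:004953CE 处的 cmp eax, 00000016 要求总长为 0x16 即 22 位(004045A8 的返回值推测为字符串长度),随后 cmp edi, esi 一段推测是检查 KGL- 是否位于注册码开头,因此正确注册码形式为KGL-xxxxxxxxxxxxxxxxxx
共22位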
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049543B(C)
|
:0049544A 8B45FC
mov eax, dword ptr [ebp-04] <==十六进制 2D 是字符 - 的ASCII码
:0049544D 8078032D cmp
byte ptr [eax+03], 2D <==比较注册码第3后是否是 "-"
:00495451 7512
jne 00495465
:00495453 8B45FC
mov eax, dword ptr [ebp-04]
:00495456 80780A2D cmp
byte ptr [eax+0A], 2D <==比较注册码第10后是否是 -
:0049545A 7509
jne 00495465
:0049545C 8B45FC
mov eax, dword ptr [ebp-04]
:0049545F 80780F2D cmp
byte ptr [eax+0F], 2D <==比较注册码第15后是否是 -
:00495463 740A
je 0049546F
通过上面这一段代码可知正解注册码形式为KGL-xxxxxx-xxxx-xxxxxx
共22位
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00495451(C), :0049545A(C)
|
:00495465 33C0
xor eax, eax
:00495467 5A
pop edx
:00495468 59
pop ecx
:00495469 59
pop ecx
:0049546A 648910
mov dword ptr fs:[eax], edx
:0049546D EB79
jmp 004954E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00495463(C)
|
:0049546F 8D45F8
lea eax, dword ptr [ebp-08]
:00495472 50
push eax
:00495473 B906000000 mov ecx,
00000006
:00495478 BA05000000 mov edx,
00000005
:0049547D 8B45FC
mov eax, dword ptr [ebp-04]
:00495480 E87BF3F6FF call 00404800
:00495485 8D45F4
lea eax, dword ptr [ebp-0C]
:00495488 50
push eax
:00495489 B904000000 mov ecx,
00000004
:0049548E BA0C000000 mov edx,
0000000C
:00495493 8B45FC
mov eax, dword ptr [ebp-04]
:00495496 E865F3F6FF call 00404800
:0049549B 8D45EC
lea eax, dword ptr [ebp-14]
:0049549E 50
push eax
:0049549F B906000000 mov ecx,
00000006
:004954A4 BA11000000 mov edx,
00000011
:004954A9 8B45FC
mov eax, dword ptr [ebp-04]
:004954AC E84FF3F6FF call 00404800
:004954B1 8D4DF0
lea ecx, dword ptr [ebp-10]
:004954B4 8B55F4
mov edx, dword ptr [ebp-0C]
:004954B7 8B45F8
mov eax, dword ptr [ebp-08]
:004954BA E895FBFFFF call 00495054
:004954BF 8B45EC
mov eax, dword ptr [ebp-14]
:004954C2 8B55F0
mov edx, dword ptr [ebp-10]
:004954C5 E822F2F6FF call 004046EC
<===d edx 得注册码的最后6位真码
:004954CA 7504
jne 004954D0
:004954CC B301
mov bl, 01
:004954CE EB02
jmp 004954D2
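上面这段是用 KGL- 后你填的前两段(6 位加 4 位,共 10 位)计算出最后 6 位真码,再与你填的最后 6 位比较;由于本人太菜,所以具体是怎么算出来的就搞不明白了 :)
从保护设计的角度看,这里的弱点是程序在本地算出完整的期望值并以明文字符串参与比较;校验若改为验证由私钥生成的签名,程序内就不会出现可直接读取的正确值。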
最后总结一下: 注册码为22位,因为不填22位那个注册按键不亮
形式为KGL-XXXXXX-XXXX-XXXXX
我破解时填的注册码为 KGL-8FWNL8-FWNL-888888 , 在004954C5处 d edx 得 COY75I
所以我得出正确注册码是: KGL-8FWNL8-FWNL-COY75I 注册码与姓名无关 最后特别感谢好友alphakk的指点.
祝各位玩得开心!!!
fwnl
2002.1.22
长沙
- 标 题:Regediter 1.3 破解(得到注册码) (9千字)
- 作 者:fwnl
- 时 间:2002-1-23 10:13:14
- 链 接:http://bbs.pediy.com