软件: cdrwin 4.0
破解者: 火翼[CCG]
组织 : [CCG] (China Cracking Group)
使用软件: w32dasm+trw2000
在白菜乐园下载了cdrwin 4.0
Name: CoKeBoTtLe99
Company/Email: Cokebottle@thefactory.com
Unlock Code: 60D015F4-600893EB-BEFF5755-53E4E943
Check Code: 3334FCB7-00D8861F-DEF7C4BE-ED1BBE16
注册时竟然提示注册号过期,没办法只好把过期检测K掉
用FI一看,源程序竟然没有加壳
用w32dasm反汇编,字符串,看到
String Resource ID=00180: "Welcome to CDRWIN...
This software is now unlocked and fully"
来到
* Possible Reference to String Resource ID=00180: "Welcome to CDRWIN...
This software is now unlocked and fully"
|
:0041DF45 68B4000000 push 000000B4
:0041DF4A E8D5270500 call 00470724
:0041DF4F 8BCE
mov ecx, esi
:0041DF51 E81AC90400 call 0046A870
:0041DF56 E81A090500 call 0046E875
:0041DF5B 85C0
test eax, eax
:0041DF5D 7409
je 0041DF68
:0041DF5F 8B10
mov edx, dword ptr [eax]
:0041DF61 8BC8
mov ecx, eax
:0041DF63 FF5274
call [edx+74]
:0041DF66 EB02
jmp 0041DF6A
向上看
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx" 比较可疑
|
:0041DEE6 68F4514A00 push 004A51F4
:0041DEEB 52
push edx
:0041DEEC E8AC9C0300 call 00457B9D
//校验unlock code格式
:0041DEF1 83C418
add esp, 00000018
:0041DEF4 83F804
cmp eax, 00000004
:0041DEF7 0F8597000000 jne 0041DF94
:0041DEFD 8D45CC
lea eax, dword ptr [ebp-34]
:0041DF00 8D4DD0
lea ecx, dword ptr [ebp-30]
:0041DF03 50
push eax
:0041DF04 8D55D4
lea edx, dword ptr [ebp-2C]
:0041DF07 51
push ecx
:0041DF08 8B4DEC
mov ecx, dword ptr [ebp-14]
:0041DF0B 8D45D8
lea eax, dword ptr [ebp-28]
:0041DF0E 52
push edx
:0041DF0F 50
push eax
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx"
|
:0041DF10 68F4514A00 push 004A51F4
:0041DF15 51
push ecx
:0041DF16 E8829C0300 call 00457B9D
//校验check code 格式
:0041DF1B 83C418
add esp, 00000018
:0041DF1E 83F804
cmp eax, 00000004
:0041DF21 7571
jne 0041DF94
:0041DF23 8B4DE4
mov ecx, dword ptr [ebp-1C]
:0041DF26 8845FC
mov byte ptr [ebp-04], al
:0041DF29 8D55CC
lea edx, dword ptr [ebp-34]
:0041DF2C 8D45BC
lea eax, dword ptr [ebp-44]
:0041DF2F 52
push edx
:0041DF30 8B55E0
mov edx, dword ptr [ebp-20]
:0041DF33 50
push eax
:0041DF34 51
push ecx
:0041DF35 52
push edx
:0041DF36 E855690000 call 00424890
//关键比较
:0041DF3B 83C410
add esp, 00000010
:0041DF3E 895DFC
mov dword ptr [ebp-04], ebx
* Possible Reference to String Resource ID=00255: "Invalid disc count specified."
|
:0041DF41 6AFF
push FFFFFFFF
:0041DF43 6A40
push 00000040
用trw2000 load
在00416F36处跟进去
一直按F10直到
:00424936 83C30F
add ebx, 0000000F
:00424939 81FBC5040000 cmp ebx, 000004C5
:0042493F 7D13
jge 00424954
:00424941 6A00
push 00000000
:00424943 6A00
push 00000000
:00424945 6A00
push 00000000
:00424947 6835FFFFFF push FFFFFF35
:0042494C E85F340000 call 00427DB0
//按F10就弹出过期提示
把 0042493f 改为eb13
再点注册 显示注册成功
但再启动时 又提示注册号过期
再用trw2000 load 在00427db0处设断
发现又断了下来
于是重新载入,从入口点一直按f10直到
:00458074 FF1598B24700 Call dword ptr
[0047B298]
:0045807A 50
push eax
:0045807B E867FA0000 call 00467AE7
//按F10就弹出过期提示
跟进去
* Referenced by a CALL at Address:
|:0045807B
|
:00467AE7 FF742410 push
[esp+10]
:00467AEB FF742410 push
[esp+10]
:00467AEF FF742410 push
[esp+10]
:00467AF3 FF742410 push
[esp+10]
:00467AF7 E8517F0000 call 0046FA4D
//**************//
:00467AFC C21000
ret 0010
继续跟进 call 0046fa4d
* Referenced by a CALL at Address:
|:00467AF7
|
:0046FA4D 53
push ebx
:0046FA4E 56
push esi
:0046FA4F 57
push edi
:0046FA50 83CBFF
or ebx, FFFFFFFF
:0046FA53 E81DEEFFFF call 0046E875
:0046FA58 8BF0
mov esi, eax
:0046FA5A E8753C0000 call 004736D4
:0046FA5F FF74241C push
[esp+1C]
:0046FA63 8B7804
mov edi, dword ptr [eax+04]
:0046FA66 FF74241C push
[esp+1C]
:0046FA6A FF74241C push
[esp+1C]
:0046FA6E FF74241C push
[esp+1C]
:0046FA72 E851540000 call 00474EC8
:0046FA77 85C0
test eax, eax
:0046FA79 743B
je 0046FAB6
:0046FA7B 85FF
test edi, edi
:0046FA7D 740E
je 0046FA8D
:0046FA7F 8B07
mov eax, dword ptr [edi]
:0046FA81 8BCF
mov ecx, edi
:0046FA83 FF9084000000 call dword ptr
[eax+00000084]
:0046FA89 85C0
test eax, eax
:0046FA8B 7429
je 0046FAB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046FA7D(C)
|
:0046FA8D 8B06
mov eax, dword ptr [esi]
:0046FA8F 8BCE
mov ecx, esi
:0046FA91 FF5050
call [eax+50] //按f10弹出过期提示
:0046FA94 85C0
test eax, eax
:0046FA96 7515
jne 0046FAAD
:0046FA98 8B4E1C
mov ecx, dword ptr [esi+1C]
:0046FA9B 85C9
test ecx, ecx
:0046FA9D 7405
je 0046FAA4
:0046FA9F 8B01
mov eax, dword ptr [ecx]
:0046FAA1 FF5058
call [eax+58]
跟进去
直到
:00424847 6A00
push 00000000
:00424849 6A00
push 00000000
:0042484B 6834FFFFFF push FFFFFF34
:00424850 E85B350000 call 00427DB0
:00424855 83C410
add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424843(C)
|
:00424858 83C60F
add esi, 0000000F
:0042485B 81FEC5040000 cmp esi, 000004C5
:00424861 5E
pop esi
:00424862 7D13
jge 00424877
:00424864 6A00
push 00000000
:00424866 6A00
push 00000000
:00424868 6A00
push 00000000
:0042486A 6835FFFFFF push FFFFFF35
:0042486F E83C350000 call 00427DB0
//关键call
:00424874 83C410
add esp, 00000010
是不是有点眼熟,对,就是和前面一样的判断代码,
改00424862处7d13为eb13
ctrl+N程序正常运行
整理
用16进制编辑器查找 fd 13 6a 00 6a 00 6a 00
改为 eb 13 -- -- -- -- -- --
注册号:
Name: CoKeBoTtLe99
Company/Email: Cokebottle@thefactory.com
Unlock Code: 60D015F4-600893EB-BEFF5755-53E4E943
Check Code: 3334FCB7-00D8861F-DEF7C4BE-ED1BBE16
- 标 题:cdrwin注册号+注册号过期爆破 (7千字)
- 作 者:火翼[CCG]
- 时 间:2002-2-27 10:09:28
- 链 接:http://bbs.pediy.com