程序名称:轻松试卷 V4.5版
作者:魏拾俊
作者主页:http://www.shijun.com
破解工具:TRW2000
机器码:0082698E
用户名:zhaocuo
注册码:78787878
用TRW2000载入程序,下断,拦截后,来到
0167:00406FF6 8D55E0 LEA
EDX,[EBP-20] //停在这里
0167:00406FF9 8D45F0
LEA EAX,[EBP-10]
0167:00406FFC E87B891400
CALL 0054F97C
0167:00407001 FF4DCC
DEC DWORD [EBP-34]
0167:00407004
8D45E0 LEA EAX,[EBP-20]
0167:00407007 BA02000000 MOV EDX,02
0167:0040700C E83B891400 CALL 0054F94C
0167:00407011 66C745C06800 MOV WORD [EBP-40],68
0167:00407017 33C9 XOR
ECX,ECX
0167:00407019 894DDC MOV
[EBP-24],ECX
0167:0040701C 8D55DC
LEA EDX,[EBP-24]
0167:0040701F FF45CC
INC DWORD [EBP-34]
0167:00407022
8B86F8020000 MOV EAX,[ESI+02F8]
0167:00407028
E817E40E00 CALL 004F5444
0167:0040702D 8D55DC
LEA EDX,[EBP-24]
0167:00407030
8D45EC LEA EAX,[EBP-14]
0167:00407033 E844891400 CALL 0054F97C
0167:00407038 FF4DCC DEC
DWORD [EBP-34]
0167:0040703B 8D45DC LEA
EAX,[EBP-24]
0167:0040703E BA02000000 MOV
EDX,02
0167:00407043 E804891400 CALL
0054F94C
0167:00407048 68946D4000 PUSH
DWORD 00406D94
0167:0040704D 68406D4000 PUSH
DWORD 00406D40
0167:00407052 8B4D98 MOV
ECX,[EBP-68]
0167:00407055 51
PUSH ECX
0167:00407056 837DEC00
CMP DWORD [EBP-14],BYTE +00
0167:0040705A 7405
JZ 00407061 //这里判断注册码是不是为空?
0167:0040705C 8B45EC MOV
EAX,[EBP-14]
0167:0040705F EB05
JMP SHORT 00407066
0167:00407061 B8677B5600
MOV EAX,00567B67
0167:00407066 50
PUSH EAX
0167:00407067 837DF000
CMP DWORD [EBP-10],BYTE +00
0167:0040706B
7405 JZ 00407072
//这里判断用户名是不是为空?
0167:0040706D 8B55F0 MOV
EDX,[EBP-10]
0167:00407070 EB05
JMP SHORT 00407077
0167:00407072 BA667B5600
MOV EDX,00567B66
0167:00407077 52
PUSH EDX
0167:00407078
837DF400 CMP DWORD [EBP-0C],BYTE
+00
0167:0040707C 7405 JZ
00407083 //这里判断机器码是不是为空?
0167:0040707E 8B45F4
MOV EAX,[EBP-0C]
0167:00407081 EB05
JMP SHORT 00407088
0167:00407083 B8657B5600 MOV EAX,00567B65
0167:00407088 50 PUSH
EAX
0167:00407089 FFD3 CALL
EBX //关键的call,进入
0167:0040708B 803D9882570000 CMP
BYTE [00578298],00
0167:00407092 740E
JZ 004070A2 //
0167:00407094 8D55EC
LEA EDX,[EBP-14]
0167:00407097 8D45F0
LEA EAX,[EBP-10]
0167:0040709A
8B4D98 MOV ECX,[EBP-68]
0167:0040709D E81AED0100 CALL 00425DBC
0167:004070A2 FF4DCC DEC
DWORD [EBP-34]
0167:004070A5 8D45EC LEA
EAX,[EBP-14]
0167:004070A8 BA02000000 MOV
EDX,02
0167:004070AD E89A881400 CALL
0054F94C
0167:004070B2 FF4DCC DEC
DWORD [EBP-34]
0167:004070B5 8D45F0
LEA EAX,[EBP-10]
0167:004070B8 BA02000000
MOV EDX,02
0167:004070BD E88A881400
CALL 0054F94C
进入上面的call后来到:
0167:006D73DF
90 NOP
0167:006D73E0
8B44240C MOV EAX,[ESP+0C] //停在这里
0167:006D73E4 8B4C2408 MOV
ECX,[ESP+08]
0167:006D73E8 8B542404 MOV
EDX,[ESP+04]
0167:006D73EC 50
PUSH EAX
0167:006D73ED 51
PUSH ECX
0167:006D73EE 52
PUSH EDX
0167:006D73EF
E81CFFFFFF CALL 006D7310 //计算注册码的call,进去看看
0167:006D73F4 83C40C ADD
ESP,BYTE +0C
0167:006D73F7 85C0
TEST EAX,EAX
0167:006D73F9 740D
JZ 006D7408
0167:006D73FB 8B442410
MOV EAX,[ESP+10]
0167:006D73FF 40
INC EAX
0167:006D7400
50 PUSH EAX
0167:006D7401 FF54241C CALL NEAR [ESP+1C]
0167:006D7405 C21800 RET
18
0167:006D7408 FF542414 CALL NEAR
[ESP+14]
0167:006D740C C21800 RET
18
由上面的call进入来到:
0167:006D730F 90
NOP
0167:006D7310 83EC10
SUB ESP,BYTE +10 //停在这里
0167:006D7313
53 PUSH EBX
0167:006D7314 55 PUSH
EBP
0167:006D7315 56 PUSH
ESI
0167:006D7316 8B742420 MOV
ESI,[ESP+20]
0167:006D731A 57
PUSH EDI
0167:006D731B 8BFE
MOV EDI,ESI
0167:006D731D 83C9FF
OR ECX,BYTE -01
0167:006D7320
33C0 XOR EAX,EAX
0167:006D7322 F2AE REPNE SCASB
0167:006D7324 8B6C2428 MOV EBP,[ESP+28]
0167:006D7328 F7D1 NOT
ECX
0167:006D732A 49
DEC ECX
0167:006D732B 8BFD
MOV EDI,EBP
0167:006D732D 8BD9
MOV EBX,ECX
0167:006D732F
83C9FF OR ECX,BYTE -01
0167:006D7332 F2AE REPNE SCASB
0167:006D7334
8B7C242C MOV EDI,[ESP+2C]
0167:006D7338 F7D1 NOT
ECX
0167:006D733A 49 DEC
ECX
0167:006D733B 894C2424 MOV
[ESP+24],ECX
0167:006D733F 83C9FF
OR ECX,BYTE -01
0167:006D7342 F2AE
REPNE SCASB
0167:006D7344 F7D1
NOT ECX
0167:006D7346 49
DEC ECX
0167:006D7347
83F90F CMP ECX,BYTE +0F
0167:006D734A 740D JZ
006D7359
0167:006D734C 5F
POP EDI
0167:006D734D 5E
POP ESI
0167:006D734E 5D
POP EBP
0167:006D734F
B801000000 MOV EAX,01
0167:006D7354
5B POP EBX
0167:006D7355 83C410 ADD
ESP,BYTE +10
0167:006D7358 C3
RET
0167:006D7359 33C9
XOR ECX,ECX
0167:006D735B 8BC1
MOV EAX,ECX
0167:006D735D 99
CDQ
0167:006D735E F7FB
IDIV EBX
0167:006D7360 0FBE0432
MOVSX EAX,BYTE [EDX+ESI]
0167:006D7364
99 CDQ
0167:006D7365
8BF8 MOV EDI,EAX
0167:006D7367 8BC1 MOV
EAX,ECX
0167:006D7369 33FA
XOR EDI,EDX
0167:006D736B 2BFA
SUB EDI,EDX
0167:006D736D 99
CDQ
0167:006D736E F77C2424
IDIV DWORD [ESP+24]
0167:006D7372 0FBE042A
MOVSX EAX,BYTE [EDX+EBP]
0167:006D7376
99 CDQ
0167:006D7377
33C2 XOR EAX,EDX
0167:006D7379 2BC2 SUB
EAX,EDX
0167:006D737B 03C7
ADD EAX,EDI
0167:006D737D BF1A000000
MOV EDI,1A
0167:006D7382 99
CDQ
0167:006D7383 F7FF
IDIV EDI
0167:006D7385 80C241
ADD DL,41
0167:006D7388 88540C10
MOV [ESP+ECX+10],DL
0167:006D738C
41 INC ECX
0167:006D738D 83F90F CMP
ECX,BYTE +0F
0167:006D7390 7CC9
JL 006D735B
0167:006D7392 8B44242C
MOV EAX,[ESP+2C]
0167:006D7396 8D742410
LEA ESI,[ESP+10]
0167:006D739A 8A10
MOV DL,[EAX] //假注册码给dl
0167:006D739C 8A1E MOV
BL,[ESI] //真注册码给bl
在这里下d esi 可以得到真的注册码:OWXFXSLJWPLTPMW
0167:006D739E
8ACA MOV CL,DL
0167:006D73A0 3AD3 CMP
DL,BL
0167:006D73A2 7524 JNZ
006D73C8
0167:006D73A4 84C9
TEST CL,CL
0167:006D73A6 7416
JZ 006D73BE
0167:006D73A8 8A5001
MOV DL,[EAX+01]
0167:006D73AB
8A5E01 MOV BL,[ESI+01]
0167:006D73AE 8ACA MOV
CL,DL
0167:006D73B0 3AD3 CMP
DL,BL
0167:006D73B2 7514
JNZ 006D73C8
0167:006D73B4 83C002
ADD EAX,BYTE +02
0167:006D73B7 83C602
ADD ESI,BYTE +02
0167:006D73BA
84C9 TEST CL,CL
0167:006D73BC
75DC JNZ 006D739A
0167:006D73BE 5F POP
EDI
0167:006D73BF 5E
POP ESI
0167:006D73C0 5D
POP EBP
0167:006D73C1 33C0
XOR EAX,EAX
0167:006D73C3
5B POP EBX
0167:006D73C4 83C410 ADD
ESP,BYTE +10
0167:006D73C7 C3
RET
欢迎光临我的破解小站:
http://crackzc.126.com
我的QQ : 44357921 (不是破解爱好者不要
Q 我哦!)
(文)crackzc
crackzc@163.com
- 标 题:轻松试卷 V4.5版破解实录。 (8千字)
- 作 者:xcdm
- 时 间:2002-6-30 22:09:28
- 链 接:http://bbs.pediy.com