破解作者:master
软件名称:WinBowl Version 3.2
软件简介:一款打保龄球的休闲娱乐游戏
下载地址: http://members.aol.com/revtjb/wb32.exe
破解工具:TRW2000 & W32Dasm
破解过程:用TRW载入Winbwl32.exe;点注册随便填入注册信息;激活TRW下bpx
hmemcpy;点0K;拦后下pmodule;F10来到:
:0040D8ED 57
push edi
:0040D8EE E8AD590100
call 004232A0
:0040D8F3 83C404
add esp, 00000004
:0040D8F6 85C0
test eax, eax<-----------------测试输入的注册码是否为空
:0040D8F8 7536
jne 0040D930<------------------不为空则跳
:0040D8FA 6800010000 push
00000100
:0040D8FF BFC0D34300
mov edi, 0043D3C0
:0040D904 57
push edi
跳到此处:
:0040D930 8D45E0
lea eax, dword ptr [ebp-20]<---EAX为输入的假码
:0040D933 50
push eax
:0040D934 E897800100
call 004259D0<-----------------处理假注册码,将其转化为一个十六进制数
:0040D939
668BD8 mov bx, ax<--------------------在此处下?
EAX显示假注册码的十六进制数
:0040D93C 83C404
add esp, 00000004
:0040D93F 53
push ebx
:0040D940 E893FAFFFF
call 0040D3D8
:0040D945 83C404
add esp, 00000004
:0040D948 57
push edi
* Possible Reference to String Resource ID=00032: "Unregistered
Shareware"
|
:0040D949 6A20
push 00000020
* Possible Reference to String Resource ID=00013: "Don't give up!"
|
:0040D94B 6A0D
push 0000000D
:0040D94D BF07040000
mov edi, 00000407
:0040D952 57
push edi
:0040D953 FF7508
push [ebp+08]
:0040D956 FFD6
call esi
:0040D958 50
push eax
* Reference To: USER32.SendMessageA,
Ord:01C6h
|
:0040D959 FF15BCF64300
Call dword ptr [0043F6BC]
:0040D95F 8D45E0
lea eax, dword ptr [ebp-20]<----EAX为输入的注册名
:0040D962 50
push eax
:0040D963 E838590100
call 004232A0
:0040D968 83C404
add esp, 00000004
:0040D96B 85C0
test eax, eax<------------------测试注册名是否为空
:0040D96D 7536
jne 0040D9A5<-------------------不为空则跳
:0040D96F 6800010000
push 00000100
:0040D974 BBC0D34300
mov ebx, 0043D3C0
:0040D979 53
push ebx
:0040D97A A11CD84300 mov
eax, dword ptr [0043D81C]
* Possible Reference to String Resource ID=00039:
"You must enter your name."
|
:0040D97F
6A27 push
00000027
:0040D981 50
push eax
* Reference To: USER32.LoadStringA, Ord:0177h
|
:0040D982 FF15E4F64300
Call dword ptr [0043F6E4]
:0040D988 53
push ebx
:0040D989 6A00
push 00000000
:0040D98B E882B60000
call 00419012
:0040D990 83C408
add esp, 00000008
:0040D993 57
push edi
:0040D994
FF7508 push [ebp+08]
:0040D997 FFD6
call esi
:0040D999 50
push eax
* Reference To: USER32.SetFocus,
Ord:01E1h
|
:0040D99A FF1594F74300
Call dword ptr [0043F794]
:0040D9A0 E9DF010000
jmp 0040DB84
跳到这里:
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D96D(C)
|
:0040D9A5 8D45E0
lea eax, dword ptr [ebp-20]
:0040D9A8 50
push eax
:0040D9A9 E86AFAFFFF
call 0040D418
:0040D9AE 83C404
add esp, 00000004
:0040D9B1 E8C4FAFFFF call 0040D47A<--------计算注册码关键处,跟进
:0040D9B6 85C0
test eax, eax<--------测试注册标记
:0040D9B8 0F840B010000
je 0040DAC9<----------注册失败则跳转
:0040D9BE 53
push ebx
:0040D9BF 8D45E0
lea eax, dword ptr [ebp-20]
:0040D9C2 50
push eax
....................
....................
显示成功注册对话框:
* Possible Reference to String Resource
ID=00043: "Your game has now been registered. Save your code - it can b"
|
:0040DA27 6A2B
push 0000002B
:0040DA29 50
push eax
下面将假注册码处理为一个十六进制处,由0040D934 E897800100 call 004259D0到此:
============================================================================
:004259D0 8B442404 mov
eax, dword ptr [esp+04]
:004259D4 50
push eax
:004259D5 E846FFFFFF
call 00425920<--------想CALL就进去
:004259DA
83C404 add esp,
00000004
:004259DD C3
ret
CALL到此:
:00425920 53
push ebx
:00425921
56
push esi
:00425922 8B74240C
mov esi, dword ptr [esp+0C]
:00425926 57
push edi
:00425927 55
push ebp
.....................
.....................
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0042596A(C)
|
:00425971 33DB
xor ebx, ebx
:00425973 8A1E
mov bl, byte ptr [esi]<----取一位注册码存入BL
:00425975 46
inc esi
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0042596F(C)
|
:00425976 33ED
xor ebp, ebp<--------------累加器清零
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004259AF(U)
|
:00425978 833DEC6E430001
cmp dword ptr [00436EEC], 00000001
:0042597F
7E0D jle
0042598E
..............
..............
:0042598E 8B0DE06C4300
mov ecx, dword ptr [00436CE0]
:00425994
33C0 xor
eax, eax
:00425996 668B0459
mov ax, word ptr [ecx+2*ebx]
:0042599A 83E004
and eax, 00000004
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0042598C(U)
|
:0042599D 85C0
test eax, eax
:0042599F 7410
je 004259B1<-----------------------处理完毕跳出去
:004259A1 8D44AD00 lea
eax, dword ptr [ebp+4*ebp]<----计算处理注册码
:004259A5 46
inc esi<---------------------------注册码移一位
:004259A6 8D6C43D0
lea ebp, dword ptr [ebx+2*eax-30]<-计算处理注册码
:004259AA 33DB
xor ebx, ebx<----------------------清空EBX
:004259AC 8A5EFF
mov bl, byte ptr [esi-01]<---------取下一位注册码
:004259AF EBC7
jmp 00425978
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042599F(C)
|
:004259B1 8BC5
mov eax, ebp<----------------------EBP为假注册码的十六进制数
..............
:004259BE C3
ret
下面处理注册名及比较处,由0040D9B1 E8C4FAFFFF call 0040D47A到此:
================================================================
:0040D47A
66C70508BC43000000 mov word ptr [0043BC08], 0000
:0040D483
56
push esi
:0040D484 57
push edi
:0040D485 E893020000
call 0040D71D
:0040D48A 668B1508BC4300
mov dx, word ptr [0043BC08]<--计算一个值X开始处
:0040D491
B9FF000000 mov ecx, 000000FF
:0040D496 668BC2
mov ax, dx
:0040D499 66C1EA08
shr dx, 08
:0040D49D 3477
xor al, 77
:0040D49F 6623C1
and ax, cx
:0040D4A2 0FB7F0
movzx esi, ax
:0040D4A5
668B3C7510BC4300 mov di, word ptr [2*esi+0043BC10]
:0040D4AD 6633FA
xor di, dx
:0040D4B0 668BC7
mov ax, di
:0040D4B3 66893D08BC4300
mov word ptr [0043BC08], di
:0040D4BA 3462
xor al, 62
:0040D4BC 6623C1
and ax, cx
:0040D4BF
66C1EF08 shr di, 08
:0040D4C3 0FB7F0
movzx esi, ax
:0040D4C6 668B147510BC4300 mov dx,
word ptr [2*esi+0043BC10]
:0040D4CE 6633D7
xor dx, di
:0040D4D1 668BC2
mov ax, dx
:0040D4D4 66891508BC4300
mov word ptr [0043BC08], dx
:0040D4DB 3432
xor al, 32
:0040D4DD 6623C1
and ax, cx
:0040D4E0 66C1EA08
shr dx, 08
:0040D4E4 0FB7F0
movzx esi, ax
:0040D4E7 668B3C7510BC4300
mov di, word ptr [2*esi+0043BC10]
:0040D4EF 6633FA
xor di, dx
:0040D4F2 668BC7
mov ax, di
:0040D4F5
66893D08BC4300 mov word ptr [0043BC08], di
:0040D4FC 3430
xor al, 30
:0040D4FE 6623C1
and ax, cx
:0040D501 66C1EF08
shr di, 08
:0040D505 0FB7F0
movzx esi, ax
:0040D508 668B147510BC4300
mov dx, word ptr [2*esi+0043BC10]
:0040D510 6633D7
xor dx, di<-----------------以上到此处计算出一个值X=0x1EAF(固定不变,所以不必了解其算法)
:0040D513 8B3D70854300 mov edi,
dword ptr [00438570]
:0040D519 85FF
test edi, edi<--------------测试注册名长度
:0040D51B
742D je 0040D54A<----------------为空则跳
:0040D51D 8D347D76854300 lea esi, dword
ptr [2*edi+00438576]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0040D548(C)
|
:0040D524 0FB64601
movzx eax, byte ptr [esi+01]<-------取一位注册名
:0040D528 0FB7CA
movzx ecx, dx<----------------------取值 X 存入ECX
:0040D52B 66C1EA08
shr dx, 08<-------------------------取
X 高8位存入DX
:0040D52F 33C1
xor eax, ecx<-----------------------注册名异或 X
:0040D531
25FF000000 and eax, 000000FF<------------------取低8位值
:0040D536 83EE02
sub esi, 00000002<------------------注册名地址-2
:0040D539 668B044510BC4300
mov ax, word ptr [2*eax+0043BC10]<--从[2*EAX+43BC10]中取个数Y
:0040D541 6633C2
xor ax, dx<-------------------------Y=Y XOR X的高8位
:0040D544 4F
dec edi<----------------------------计数器-1
:0040D545 668BD0
mov dx, ax<-------------------------X=Y
:0040D548 75DA
jne 0040D524<-----------------------循环
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D51B(C)
|
:0040D54A 668BC2
mov ax, dx<-------------------------上面计算完后X的值存入AX
:0040D54D B9FF000000 mov
ecx, 000000FF<------------------ECX=FF
:0040D552 66891508BC4300
mov word ptr [0043BC08], dx
:0040D559 3430
xor al, 30<-------------------------X低位
XOR 30
:0040D55B 6623C1
and ax, cx<-------------------------取AX低位
:0040D55E 66C1EA08
shr dx, 08<-------------------------取X的高位
:0040D562 0FB7F8
movzx edi, ax<----------------------存入EDI
:0040D565 668B347D10BC4300
mov si, word ptr [2*edi+0043BC10]<--从中取出一个数Y
:0040D56D
6633F2 xor si, dx<-------------------------Y异或X的高位
:0040D570 668BC6
mov ax, si<-------------------------存入AX
:0040D573 66893508BC4300
mov word ptr [0043BC08], si
:0040D57A 3432
xor al, 32<-------------------------X低位
XOR 32
:0040D57C 6623C1
and ax, cx<-------------------------取EAX低位
:0040D57F 66C1EE08
shr si, 08<-------------------------取X的高位
:0040D583 0FB7F8
movzx edi, ax<----------------------存入EDI
:0040D586 668B147D10BC4300
mov dx, word ptr [2*edi+0043BC10]<--从中取出一个数Y
:0040D58E
6633D6 xor dx, si<-------------------------Y异或X的高位
:0040D591 668BC2
mov ax, dx<-------------------------存入AX
:0040D594 66891508BC4300
mov word ptr [0043BC08], dx
:0040D59B 3462
xor al, 62<-------------------------X低位
XOR 62
:0040D59D 6623C1
and ax, cx<-------------------------取AX低位
:0040D5A0 66C1EA08
shr dx, 08<-------------------------取X的高位
:0040D5A4 0FB7F8
movzx edi, ax<----------------------存入EDI
:0040D5A7 668B347D10BC4300
mov si, word ptr [2*edi+0043BC10]<--从中取出一个数Y
:0040D5AF
6633F2 xor si, dx<-------------------------Y异或X的高位
:0040D5B2 668BC6
mov ax, si<-------------------------存入AX
:0040D5B5 66893508BC4300
mov word ptr [0043BC08], si
:0040D5BC 3477
xor al, 77<-------------------------X低位
XOR 77
:0040D5BE 6623C1
and ax, cx<-------------------------取AX低位
:0040D5C1 66C1EE08
shr si, 08<-------------------------取X的高位
:0040D5C5 0FB7C8
movzx ecx, ax<----------------------存入ECX
:0040D5C8 668B044D10BC4300
mov ax, word ptr [2*ecx+0043BC10]<--从中取出一个数Y
:0040D5D0
8B0DB8854300 mov ecx, dword ptr [004385B8]
:0040D5D6 6633C6
xor ax, si<-------------------------Y异或X的高位
:0040D5D9 66A308BC4300
mov word ptr [0043BC08], ax<--------AX则为真注册码(下命令?
AX显示正确注册码)
:0040D5DF 6635A494
xor ax, 94A4
:0040D5E3 668BD0
mov dx, ax
:0040D5E6 80F2A4
xor dl, A4
:0040D5E9 3AD1
cmp dl, cl<---------比较真假注册码低位
:0040D5EB 7512
jne 0040D5FF<-------不等则跳
:0040D5ED C1E910
shr ecx, 10
:0040D5F0 66C1E808
shr ax, 08
:0040D5F4 3494
xor al, 94
:0040D5F6 3AE8
cmp ch, al<---------比较真假注册码高位
* Possible Reference to String Resource
ID=00001: "Do you want to save the game in progress first?"
|
:0040D5F8 B801000000
mov eax, 00000001<--设置注册标记
:0040D5FD 7402
je 0040D601<--------完全相等则跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5EB(C)
|
:0040D5FF 33C0
xor eax, eax<-------不等则清除注册标记
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5FD(C)
|
:0040D601 5F
pop edi
:0040D602 5E
pop esi
:0040D603 C3
ret
算法小结:
======================================================================
int z[]=0x30,0x32,0x62,0x77; //定义4个常量
int i=0;x=0x1EAF;
//赋初值
for(i=0;i<注册名长度;i++) //处理
x= 地址43BC10处偏移((取name第i+1位
xor x)的低8位的值*4+1)位的值 xor x高8位的值; //计算
for(i=0;i<4;i++) //再处理
x= (x的低8位的值 xor z[i]) xor x的高8位的值; //再计算
最终X的值的十进制数为真注册码!
附地址43BC10="0000C1C081C1400101C3C003800241C201C6C006800741C70005C1C581C4400401CCC00C800D41CD000FC1CF81CE400E000AC1CA81CB400B01C9C009800841C801D8C018801941D9001BC1DB81DA401A001EC1DE81DF401F01DDC01D801C41DC0014C1D481D5401501D7C017801641D601D2C012801341D30011C1D181D0401001F0C030803141F10033C1F381F240320036C1F681F7403701F5C035803441F4003CC1FC81FD403D01FFC03F803E41FE01FAC03A803B41FB0039C1F981F840380028C1E881E9402901EBC02B802A41EA01EEC02E802F41EF002DC1ED81EC402C01E4C024802541E50027C1E781E640260022C1E281E3402301E1C021802041E001A0C060806141A10063C1A381A240620066C1A681A7406701A5C065806441A4006CC1AC81AD406D01AFC06F806E41AE01AAC06A806B41AB0069C1A981A840680078C1B881B9407901BBC07B807A41BA01BEC07E807F41BF007DC1BD81BC407C01B4C074807541B50077C1B781B640760072C1B281B3407301B1C071807041B00050C190819140510193C053805241920196C056805741970055C19581944054019CC05C805D419D005FC19F819E405E005AC19A819B405B0199C059805841980188C04880494189004BC18B818A404A004EC18E818F404F018DC04D804C418C0044C184818540450187C047804641860182C042804341830041C18181804040"
注册机:
======================================================================
内存注册机:
中断地址:40D5D9
次数:1
指令:66
长度:6
保存寄存器方式EAX十进制为注册码
算法注册机下载地址:
http://fcg.5599.net/master/WinBowl.rar
欢迎测试!
================================END==========================本人能力不足错误之处请高手指点
- 标 题:WinBowl Version 3.2 PJ小记 (16千字)
- 作 者:mastor
- 时 间:2002-10-14 19:17:42
- 链 接:http://bbs.pediy.com