破解心得之eXeScope篇
作者:时空幻影
时间:2001年6月26日
使用工具:Fileinfo v2.43、W32DSM白金版汉化版、TRW2000 v1.22
由于这个软件没有加壳,因此破解相对容易一些,且注册算法也不复杂,很适合初学者破解。
先执行TRW2000,然后运行该软件,填好Your Name和ID后,按Ctrl+N激活TRW2000,然后键入"BPX HMEMCPY",
按F5跳回程序,然后点OK就会被拦下,再键入"pmodule",继续按F10。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A7BAA(C)
|
:004A7BBE 8D55F0
lea edx, dword ptr [ebp-10]
:004A7BC1 8B45FC
mov eax, dword ptr [ebp-04]
:004A7BC4 8B80D0020000 mov eax, dword
ptr [eax+000002D0]
:004A7BCA E885B7F8FF call 00433354
:004A7BCF 8B55F0
mov edx, dword ptr [ebp-10] <--经过几个RET以后来到这里
:004A7BD2 A1B8594B00 mov eax,
dword ptr [004B59B8]
:004A7BD7 E830C0F5FF call 00403C0C
:004A7BDC 8D55EC
lea edx, dword ptr [ebp-14]
:004A7BDF 8B45FC
mov eax, dword ptr [ebp-04]
:004A7BE2 8B80D4020000 mov eax, dword
ptr [eax+000002D4]
:004A7BE8 E867B7F8FF call 00433354
:004A7BED 8B55EC
mov edx, dword ptr [ebp-14]
:004A7BF0 A134594B00 mov eax,
dword ptr [004B5934]
:004A7BF5 E812C0F5FF call 00403C0C
:004A7BFA 8B1534594B00 mov edx, dword
ptr [004B5934]
:004A7C00 8B12
mov edx, dword ptr [edx]
:004A7C02 A174574B00 mov eax,
dword ptr [004B5774]
:004A7C07 8B00
mov eax, dword ptr [eax]
:004A7C09 E8DA8D0000 call 004B09E8
<--核心CALL,按F8进入
:004A7C0E 84C0
test al, al
:004A7C10 0F8498000000 je 004A7CAE
<--一定不能跳转
:004A7C16 A1B8594B00 mov eax,
dword ptr [004B59B8]
:004A7C1B 8B00
mov eax, dword ptr [eax]
:004A7C1D E816C2F5FF call 00403E38
:004A7C22 85C0
test eax, eax
:004A7C24 0F8E84000000 jle 004A7CAE
<--一定不能跳转
:004A7C2A 8D55E4
lea edx, dword ptr [ebp-1C]
:004A7C2D A1C4594B00 mov eax,
dword ptr [004B59C4]
:004A7C32 8B00
mov eax, dword ptr [eax]
:004A7C34 E82F9BFAFF call 00451768
:004A7C39 8B45E4
mov eax, dword ptr [ebp-1C]
:004A7C3C 8D4DE8
lea ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->".ini"
|
:004A7C3F BA0C7D4A00 mov edx,
004A7D0C
:004A7C44 E8F319F6FF call 0040963C
:004A7C49 8B4DE8
mov ecx, dword ptr [ebp-18]
:004A7C4C B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"XuG"
|
:004A7C4E A1906E4700 mov eax,
dword ptr [00476E90]
:004A7C53 E8E0F2FCFF call 00476F38
:004A7C58 8945F8
mov dword ptr [ebp-08], eax
:004A7C5B A1B8594B00 mov eax,
dword ptr [004B59B8]
:004A7C60 8B00
mov eax, dword ptr [eax]
:004A7C62 50
push eax
* Possible StringData Ref from Code Obj ->"Name"
|
:004A7C63 B91C7D4A00 mov ecx,
004A7D1C
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C68 BA2C7D4A00 mov edx,
004A7D2C
:004A7C6D 8B45F8
mov eax, dword ptr [ebp-08]
:004A7C70 8B18
mov ebx, dword ptr [eax]
:004A7C72 FF5304
call [ebx+04]
:004A7C75 A134594B00 mov eax,
dword ptr [004B5934]
:004A7C7A 8B00
mov eax, dword ptr [eax]
:004A7C7C 50
push eax
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C7D BA2C7D4A00 mov edx,
004A7D2C
:004A7C82 B9387D4A00 mov ecx,
004A7D38
:004A7C87 8B45F8
mov eax, dword ptr [ebp-08]
:004A7C8A 8B18
mov ebx, dword ptr [eax]
:004A7C8C FF5304
call [ebx+04]
:004A7C8F 8B45F8
mov eax, dword ptr [ebp-08]
:004A7C92 E83DB2F5FF call 00402ED4
:004A7C97 A17C574B00 mov eax,
dword ptr [004B577C]
:004A7C9C C60001
mov byte ptr [eax], 01
:004A7C9F 8B45FC
mov eax, dword ptr [ebp-04]
:004A7CA2 C7803402000001000000 mov dword ptr [ebx+00000234], 00000001
:004A7CAC EB20
jmp 004A7CCE
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A7C10(C), :004A7C24(C)
|
:004A7CAE 6A00
push 00000000
:004A7CB0 8D55E0
lea edx, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->"Invalid ID or Name;o^IDO"
<--错误信息对话框
|
:004A7CB3 B8447D4A00 mov eax,
004A7D44
:004A7CB8 E8D79D0000 call 004B1A94
:004A7CBD 8B45E0
mov eax, dword ptr [ebp-20]
:004A7CC0 668B0D747D4A00 mov cx, word ptr
[004A7D74]
:004A7CC7 B201
mov dl, 01
:004A7CC9 E88E01FBFF call 00457E5C
在上面的核心CALL按F8进入后会来到如下地方:
* Referenced by a CALL at Addresses:
|:004A7C09 , :004B088C
|
:004B09E8 55
push ebp
:004B09E9 8BEC
mov ebp, esp
:004B09EB 83C4F0
add esp, FFFFFFF0
:004B09EE 8955F8
mov dword ptr [ebp-08], edx
:004B09F1 8945FC
mov dword ptr [ebp-04], eax
:004B09F4 8B45F8
mov eax, dword ptr [ebp-08]
:004B09F7 E8F035F5FF call 00403FEC
:004B09FC 33C0
xor eax, eax
:004B09FE 55
push ebp
:004B09FF 689F0A4B00 push 004B0A9F
:004B0A04 64FF30
push dword ptr fs:[eax]
:004B0A07 648920
mov dword ptr fs:[eax], esp
:004B0A0A C645F700 mov
[ebp-09], 00
:004B0A0E 8B45F8
mov eax, dword ptr [ebp-08]
:004B0A11 E82234F5FF call 00403E38
<--求ID长度
:004B0A16 83F80A
cmp eax, 0000000A <--判断ID的长度是否等于10
:004B0A19 756E
jne 004B0A89 <--不等的话跳转,一定不能跳转
:004B0A1B 8B55F8
mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1910"
|
:004B0A1E B8B80A4B00 mov eax,
004B0AB8 <--[004B0AB8]为"A1910"
:004B0A23 E8FC36F5FF call 00404124
<--判断ID的前五个字符是否为"A1910"
:004B0A28 48
dec eax
:004B0A29 7410
je 004B0A3B
:004B0A2B 8B55F8
mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1423"
|
:004B0A2E B8C80A4B00 mov eax,
004B0AC8 <--[004B0AC8]为"A1423"
:004B0A33 E8EC36F5FF call 00404124
<--判断ID的前五个字符是否为"A1423"
:004B0A38 48
dec eax
:004B0A39 754E
jne 004B0A89 <--这个一定不能跳转
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A29(C)
|
:004B0A3B C745F002000000 mov [ebp-10], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A65(C)
|
:004B0A42 8B45F8
mov eax, dword ptr [ebp-08]
:004B0A45 8B55F0
mov edx, dword ptr [ebp-10]
:004B0A48 8A4410FF mov
al, byte ptr [eax+edx-01]
:004B0A4C 3C30
cmp al, 30
:004B0A4E 7239
jb 004B0A89
:004B0A50 8B45F8
mov eax, dword ptr [ebp-08]
:004B0A53 8B55F0
mov edx, dword ptr [ebp-10]
:004B0A56 8A4410FF mov
al, byte ptr [eax+edx-01]
:004B0A5A 3C39
cmp al, 39
:004B0A5C 772B
ja 004B0A89
:004B0A5E FF45F0
inc [ebp-10]
:004B0A61 837DF00B cmp
dword ptr [ebp-10], 0000000B
:004B0A65 75DB
jne 004B0A42
:004B0A67 8B45F8
mov eax, dword ptr [ebp-08]
:004B0A6A 0FB64008 movzx
eax, byte ptr [eax+08] <--输入的ID的倒数第二个字符的ASCII码送入EAX
:004B0A6E 8B55F8
mov edx, dword ptr [ebp-08]
:004B0A71 0FB65209 movzx
edx, byte ptr [edx+09] <--输入的ID的倒数最后一个字符的ASCII码送入EDX
:004B0A75 03C2
add eax, edx
:004B0A77 B90A000000 mov ecx,
0000000A
:004B0A7C 33D2
xor edx, edx
:004B0A7E F7F1
div ecx <--EAX除以10
:004B0A80 83FA04
cmp edx, 00000004 <--比较余数是否等于4
:004B0A83 7504
jne 004B0A89 <--不等于4的话则跳转,一定不能跳转
:004B0A85 C645F701 mov
[ebp-09], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B0A19(C), :004B0A39(C), :004B0A4E(C), :004B0A5C(C), :004B0A83(C)
|
:004B0A89 33C0
xor eax, eax
:004B0A8B 5A
pop edx
:004B0A8C 59
pop ecx
:004B0A8D 59
pop ecx
:004B0A8E 648910
mov dword ptr fs:[eax], edx
:004B0A91 68A60A4B00 push 004B0AA6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0AA4(U)
|
:004B0A96 8D45F8
lea eax, dword ptr [ebp-08]
:004B0A99 E81A31F5FF call 00403BB8
:004B0A9E C3
ret
现在我们知道了注册码的形式为A1910xxxxx或A1423xxxxx,其中第6、7、8个字符为任意字符,而第9、10个字符的ASCII
码的和的个位数为4就可以正确地注册了!!!