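Target software: mIRC 6.01
About the software: Heh, this famous program hardly needs an introduction from me, does it? :)
Software type: shareware, 30-day free trial.
Tools used: W32Dasm Chinese edition (GOLD), TRW2000.
:004C3C13 6837D75600 push 0056D737 <==== push the serial number.
:004C3C18 6850D35600 push 0056D350 <==== push the user name.
:004C3C1D E88FFBFFFF call 004C37B1 <==== the key CALL.
:004C3C22 85C0 test eax, eax <==== test EAX.
:004C3C24 0F84B7000000 je 004C3CE1 <==== if the jump is not taken, registration succeeds.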
.............................................................................................
* Reference To: USER32.EndDialog, Ord:0000h
|
:004C3C97 E84EB30800 Call 0054EFEA
:004C3C9C 6A00 push 00000000
:004C3C9E 6A00 push 00000000
* Possible Reference to String Resource ID=01912: "Registration"
|
:004C3CA0 6878070000 push 00000778
:004C3CA5 E80D8AF6FF call 0042C6B7
:004C3CAA 50 push eax
:004C3CAB 6A00 push 00000000
* Possible Reference to String Resource ID=01911: "Your registration has been entered successfully."
|
:004C3CAD 6877070000 push 00000777
:004C3CB2 E8008AF6FF call 0042C6B7
:004C3CB7 50 push eax
:004C3CB8 FF7508 push [ebp+08]
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004C3CBB E8F2B40800 Call 0054F1B2
:004C3CC0 6A00 push 00000000
.............................................................................................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3C24(C)
|
.............................................................................................
* Possible Reference to String Resource ID=01912: "Registration"
|
:004C3D18 6878070000 push 00000778
:004C3D1D E89589F6FF call 0042C6B7
:004C3D22 50 push eax
:004C3D23 6A00 push 00000000
* Possible Reference to String Resource ID=01913: "The registration name and number you have entered do not mat"
|
:004C3D25 6879070000 push 00000779
:004C3D2A E88889F6FF call 0042C6B7
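Step into the key CALL at 4C3C1D and continue until:
:004C38CB E8EEFDFFFF call 004C36BE <==== checks the serial number you entered.
:004C38D0 85C0 test eax, eax
:004C38D2 7407 je 004C38DB <==== if this jump is taken, it's Game Over!
So step into 4C38CB and take a look: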
* Referenced by a CALL at Addresses:
|:004C3839 , :004C38CB
|
:004C36BE 55 push ebp
:004C36BF 8BEC mov ebp, esp
:004C36C1 83C4F4 add esp, FFFFFFF4
:004C36C4 53 push ebx
:004C36C5 56 push esi
:004C36C6 57 push edi
:004C36C7 8B750C mov esi, dword ptr [ebp+0C]
:004C36CA FF7508 push [ebp+08]
:004C36CD E84ECA0700 call 00540120 <==== get the length of the user name.
:004C36D2 59 pop ecx <==== pop into ECX.
:004C36D3 83F805 cmp eax, 00000005 <==== compare with 5.
:004C36D6 7307 jnb 004C36DF <==== if not below, go on to the next check.
:004C36D8 33C0 xor eax, eax
:004C36DA E9C9000000 jmp 004C37A8 <==== otherwise Game Over!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C36D6(C)
|
:004C36DF 6A2D push 0000002D
:004C36E1 56 push esi
:004C36E2 E899C90700 call 00540080 <==== checks the format of the serial number you entered.
:004C36E7 83C408 add esp, 00000008
:004C36EA 8BD8 mov ebx, eax
:004C36EC 85DB test ebx, ebx
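:004C36EE 7507 jne 004C36F7 <==== if the format is correct, go on to the calculation.
:004C36F0 33C0 xor eax, eax
:004C36F2 E9B1000000 jmp 004C37A8 <==== otherwise Game Over!
Since we don't know what the correct form of the serial number is, step into 4C36E2: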
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00540220(U), :00540225(U)
|
:00540080 55 push ebp
:00540081 8BEC mov ebp, esp
:00540083 53 push ebx <==== save EBX.
:00540084 8B5508 mov edx, dword ptr [ebp+08]
:00540087 8BCA mov ecx, edx
:00540089 8A450C mov al, byte ptr [ebp+0C] <==== "-" is loaded into AL.
:0054008C FC cld
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005400B9(C)
|
:0054008D 8A1A mov bl, byte ptr [edx] <==== 1st character of the serial number into BL.
:0054008F 3AC3 cmp al, bl <==== compare with AL.
:00540091 742C je 005400BF <==== if equal, return success.
:00540093 84DB test bl, bl <==== test BL.
:00540095 7424 je 005400BB <==== if the end of the string is reached, return.
:00540097 8A5A01 mov bl, byte ptr [edx+01] <==== 2nd character of the serial number into BL.
:0054009A 3AC3 cmp al, bl <==== compare with AL.
:0054009C 7425 je 005400C3 <==== if equal, return success.
:0054009E 84DB test bl, bl <==== test BL.
:005400A0 7419 je 005400BB <==== if the end of the string is reached, return.
:005400A2 8A5A02 mov bl, byte ptr [edx+02] <==== 3rd character of the serial number into BL.
:005400A5 3AC3 cmp al, bl <==== compare with AL.
:005400A7 741F je 005400C8 <==== if equal, return success.
:005400A9 84DB test bl, bl <==== test BL.
:005400AB 740E je 005400BB <==== if the end of the string is reached, return.
:005400AD 8A5A03 mov bl, byte ptr [edx+03] <==== 4th character of the serial number into BL.
:005400B0 3AC3 cmp al, bl <==== compare with AL.
:005400B2 7419 je 005400CD <==== if equal, return success.
:005400B4 83C204 add edx, 00000004
:005400B7 84DB test bl, bl
:005400B9 75D2 jne 0054008D <==== if not finished, loop back up.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00540095(C), :005400A0(C), :005400AB(C)
|
:005400BB 33C0 xor eax, eax
:005400BD EB11 jmp 005400D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00540091(C)
|
:005400BF 8BC2 mov eax, edx
:005400C1 EB0D jmp 005400D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0054009C(C)
|
:005400C3 8D4201 lea eax, dword ptr [edx+01]
:005400C6 EB08 jmp 005400D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005400A7(C)
|
:005400C8 8D4202 lea eax, dword ptr [edx+02]
:005400CB EB03 jmp 005400D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005400B2(C)
|
:005400CD 8D4203 lea eax, dword ptr [edx+03]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005400BD(U), :005400C1(U), :005400C6(U), :005400CB(U)
|
:005400D0 5B pop ebx
:005400D1 5D pop ebp
:005400D2 C3 ret
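Now we know the form of the serial number :)! It turns out that some position in the serial number must be a "-". So enter a new serial number (anything will do): 765-4321, and continue: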
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C36EE(C)
|
:004C36F7 C60300 mov byte ptr [ebx], 00
:004C36FA 56 push esi <==== push the digits before the first "-".
:004C36FB E874580800 call 00548F74 <==== convert them to a hexadecimal value.
:004C3700 59 pop ecx
:004C3701 8945FC mov dword ptr [ebp-04], eax
:004C3704 C6032D mov byte ptr [ebx], 2D
:004C3707 43 inc ebx
:004C3708 803B00 cmp byte ptr [ebx], 00
:004C370B 7507 jne 004C3714
:004C370D 33C0 xor eax, eax
:004C370F E994000000 jmp 004C37A8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C370B(C)
|
:004C3714 53 push ebx <==== push the digits after the first "-".
:004C3715 E85A580800 call 00548F74 <==== convert them to a hexadecimal value.
:004C371A 59 pop ecx
:004C371B 8945F8 mov dword ptr [ebp-08], eax
:004C371E FF7508 push [ebp+08] <==== push the user name.
:004C3721 E8FAC90700 call 00540120 <==== get its length.
:004C3726 59 pop ecx
:004C3727 8945F4 mov dword ptr [ebp-0C], eax
:004C372A 33C0 xor eax, eax
:004C372C 33DB xor ebx, ebx
:004C372E BA03000000 mov edx, 00000003
:004C3733 8B4D08 mov ecx, dword ptr [ebp+08]
:004C3736 83C103 add ecx, 00000003
:004C3739 3B55F4 cmp edx, dword ptr [ebp-0C]
:004C373C 7D1C jge 004C375A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3758(C)
|
:004C373E 0FB631 movzx esi, byte ptr [ecx] <==== take the 4th character of the user name.
:004C3741 0FAF34852CC45500 imul esi, dword ptr [4*eax+0055C42C] <====:(
:004C3749 03DE add ebx, esi
:004C374B 40 inc eax
:004C374C 83F826 cmp eax, 00000026
:004C374F 7E02 jle 004C3753
:004C3751 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C374F(C)
|
:004C3753 42 inc edx
:004C3754 41 inc ecx
:004C3755 3B55F4 cmp edx, dword ptr [ebp-0C]
:004C3758 7CE4 jl 004C373E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C373C(C)
|
:004C375A 3B5DFC cmp ebx, dword ptr [ebp-04] <==== key comparison (1).
:004C375D 7404 je 004C3763 <==== if equal, go on to the next comparison.
:004C375F 33C0 xor eax, eax
:004C3761 EB45 jmp 004C37A8 <==== otherwise return.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C375D(C)
|
:004C3763 33C0 xor eax, eax
:004C3765 33DB xor ebx, ebx
:004C3767 BA03000000 mov edx, 00000003
:004C376C 8B4D08 mov ecx, dword ptr [ebp+08]
:004C376F 83C103 add ecx, 00000003
:004C3772 3B55F4 cmp edx, dword ptr [ebp-0C]
:004C3775 7D23 jge 004C379A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3798(C)
|
:004C3777 0FB631 movzx esi, byte ptr [ecx]
:004C377A 0FB679FF movzx edi, byte ptr [ecx-01]
:004C377E 0FAFF7 imul esi, edi
:004C3781 0FAF34852CC45500 imul esi, dword ptr [4*eax+0055C42C]
:004C3789 03DE add ebx, esi
:004C378B 40 inc eax
:004C378C 83F826 cmp eax, 00000026
:004C378F 7E02 jle 004C3793
:004C3791 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C378F(C)
|
:004C3793 42 inc edx
:004C3794 41 inc ecx
:004C3795 3B55F4 cmp edx, dword ptr [ebp-0C]
:004C3798 7CDD jl 004C3777
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3775(C)
|
:004C379A 3B5DF8 cmp ebx, dword ptr [ebp-08] <==== key comparison (2).
:004C379D 7404 je 004C37A3 <==== if equal, return success.
:004C379F 33C0 xor eax, eax
:004C37A1 EB05 jmp 004C37A8 <==== otherwise fail.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C379D(C)
|
:004C37A3 B801000000 mov eax, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C36DA(U), :004C36F2(U), :004C370F(U), :004C3761(U), :004C37A1(U)
|
:004C37A8 5F pop edi
:004C37A9 5E pop esi
:004C37AA 5B pop ebx
:004C37AB 8BE5 mov esp, ebp
:004C37AD 5D pop ebp
:004C37AE C20800 ret 0008
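At last, the final BOSS fight ^_^! Use TRW 2000 to set breakpoints at the two key comparisons above in turn to obtain the correct serial number:
Set a breakpoint at 4C375A; once it breaks, enter: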
? EBX
DEC = 3436
HEX = d6c
D EBP-04
0177:008DF0C0 FD 02 00 00 E0 F0 8D 00-3E 38 4C 00 D0 3C 57 00
0177:008DF0D0 D4 3D 57 00 00 F1 8D 00-70 81 00 00 4C F1 8D 00
0177:008DF0E0 F8 F0 8D 00 22 3C 4C 00-50 D3 56 00 37 D7 56 00
0177:008DF0F0 00 F1 8D 00 70 81 00 00-18 F1 8D 00 13 36 F6 BF
? 02FD
DEC = 765
HEX = 2fd
Enter the new serial number 3436-4321, then set a breakpoint at 4C379A; once it breaks, enter:
? EBX
DEC = 371733
HEX = 5ac15
D EBP-08
0177:008DF0BC E1 10 00 00 6C 0D 00 00-E0 F0 8D 00 3E 38 4C 00
0177:008DF0CC D0 3C 57 00 D4 3D 57 00-00 F1 8D 00 70 81 00 00
0177:008DF0DC 4C F1 8D 00 F8 F0 8D 00-22 3C 4C 00 50 D3 56 00
0177:008DF0EC 37 D7 56 00 00 F1 8D 00-70 81 00 00 18 F1 8D 00
? 10E1
DEC = 4321
HEX = 10e1
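Final summary: mIRC first checks whether the serial number you entered has the correct form, and only then performs a calculation based on the user name you entered. It then compares the results of the calculation with the respective parts of the serial number you entered; if they are equal, registration succeeds.
After registration, the registration information is stored in the registry under the HKEY_CURRENT_USER\Software\mIRC\License subkey.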
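The format stage summarized above (the checks in 004C36BE that run before any arithmetic, and the unrolled scan at 00540080), written out in C as an added example; it is not code from the original post or from mIRC. The names scan_unrolled and parse_registration are hypothetical, 00548F74 is assumed to be a decimal string-to-integer conversion (the debugger output above shows 765 stored as 2FD), and the arithmetic that uses the table at 0055C42C is left out because the table contents are not shown in the listing.

```c
#include <stdlib.h>
#include <string.h>

/* Mirrors 00540080: examines four bytes per pass and returns a pointer to
   the first occurrence of ch, or NULL when the terminator is reached. */
static char *scan_unrolled(char *s, char ch)
{
    for (;;) {
        if (s[0] == ch) return s;
        if (s[0] == '\0') return NULL;
        if (s[1] == ch) return s + 1;
        if (s[1] == '\0') return NULL;
        if (s[2] == ch) return s + 2;
        if (s[2] == '\0') return NULL;
        if (s[3] == ch) return s + 3;
        if (s[3] == '\0') return NULL;
        s += 4;
    }
}

/* Format checks of 004C36BE. Returns 1 and fills *first / *second when the
   input reaches the arithmetic stage, 0 on any of the early exits. */
int parse_registration(const char *name, const char *serial,
                       long *first, long *second)
{
    char buf[64];   /* the original edits the serial in place; a copy is used here */
    char *dash;

    if (strlen(name) < 5)               /* cmp eax, 5 / jnb */
        return 0;
    if (strlen(serial) >= sizeof buf)   /* bound added for this example */
        return 0;
    strcpy(buf, serial);

    dash = scan_unrolled(buf, '-');     /* push 2D / call 00540080 */
    if (dash == NULL)
        return 0;
    *dash = '\0';                       /* mov byte ptr [ebx], 00 */
    *first = atol(buf);                 /* call 00548F74 (assumed atoi-like) */
    *dash = '-';                        /* mov byte ptr [ebx], 2D */
    if (dash[1] == '\0')                /* inc ebx / cmp byte ptr [ebx], 00 */
        return 0;
    *second = atol(dash + 1);           /* call 00548F74 on the second half */
    return 1;
}
```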
Summary:
User name: fengma
Serial number: 3436-371733
15:02 2002-08-11
风马