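Cracked by: master
Software name: WinBowl Version 3.2
Description: a casual bowling game
Download URL: http://members.aol.com/revtjb/wb32.exe
Tools: TRW2000 & W32Dasm
Procedure: load Winbwl32.exe in TRW; click Register and enter arbitrary registration details; activate TRW and set bpx hmemcpy; click OK; once the breakpoint hits, run pmodule; step with F10 to reach: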
:0040D8ED 57 push edi
:0040D8EE E8AD590100 call 004232A0
:0040D8F3 83C404 add esp, 00000004
:0040D8F6 85C0 test eax, eax<-----------------test whether the entered registration code is empty
:0040D8F8 7536 jne 0040D930<------------------jump if it is not empty
:0040D8FA 6800010000 push 00000100
:0040D8FF BFC0D34300 mov edi, 0043D3C0
:0040D904 57 push edi
The jump lands here:
:0040D930 8D45E0 lea eax, dword ptr [ebp-20]<---EAX points to the entered (fake) code
:0040D933 50 push eax
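:0040D934 E897800100 call 004259D0<-----------------process the fake registration code, converting it to a number (displayed in hex)
:0040D939 668BD8 mov bx, ax<--------------------typing ? EAX here shows the fake registration code as a hex value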
:0040D93C 83C404 add esp, 00000004
:0040D93F 53 push ebx
:0040D940 E893FAFFFF call 0040D3D8
:0040D945 83C404 add esp, 00000004
:0040D948 57 push edi
* Possible Reference to String Resource ID=00032: "Unregistered Shareware"
|
:0040D949 6A20 push 00000020
* Possible Reference to String Resource ID=00013: "Don't give up!"
|
:0040D94B 6A0D push 0000000D
:0040D94D BF07040000 mov edi, 00000407
:0040D952 57 push edi
:0040D953 FF7508 push [ebp+08]
:0040D956 FFD6 call esi
:0040D958 50 push eax
* Reference To: USER32.SendMessageA, Ord:01C6h
|
:0040D959 FF15BCF64300 Call dword ptr [0043F6BC]
:0040D95F 8D45E0 lea eax, dword ptr [ebp-20]<----EAX points to the entered registration name
:0040D962 50 push eax
:0040D963 E838590100 call 004232A0
:0040D968 83C404 add esp, 00000004
:0040D96B 85C0 test eax, eax<------------------test whether the registration name is empty
:0040D96D 7536 jne 0040D9A5<-------------------jump if it is not empty
:0040D96F 6800010000 push 00000100
:0040D974 BBC0D34300 mov ebx, 0043D3C0
:0040D979 53 push ebx
:0040D97A A11CD84300 mov eax, dword ptr [0043D81C]
* Possible Reference to String Resource ID=00039: "You must enter your name."
|
:0040D97F 6A27 push 00000027
:0040D981 50 push eax
* Reference To: USER32.LoadStringA, Ord:0177h
|
:0040D982 FF15E4F64300 Call dword ptr [0043F6E4]
:0040D988 53 push ebx
:0040D989 6A00 push 00000000
:0040D98B E882B60000 call 00419012
:0040D990 83C408 add esp, 00000008
:0040D993 57 push edi
:0040D994 FF7508 push [ebp+08]
:0040D997 FFD6 call esi
:0040D999 50 push eax
* Reference To: USER32.SetFocus, Ord:01E1h
|
:0040D99A FF1594F74300 Call dword ptr [0043F794]
:0040D9A0 E9DF010000 jmp 0040DB84
The jump lands here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D96D(C)
|
:0040D9A5 8D45E0 lea eax, dword ptr [ebp-20]
:0040D9A8 50 push eax
:0040D9A9 E86AFAFFFF call 0040D418
:0040D9AE 83C404 add esp, 00000004
:0040D9B1 E8C4FAFFFF call 0040D47A<--------key routine that computes the registration code; step into it
:0040D9B6 85C0 test eax, eax<--------test the registration flag
:0040D9B8 0F840B010000 je 0040DAC9<----------jump if registration failed
:0040D9BE 53 push ebx
:0040D9BF 8D45E0 lea eax, dword ptr [ebp-20]
:0040D9C2 50 push eax
....................
....................
The registration-success dialog is shown:
* Possible Reference to String Resource ID=00043: "Your game has now been registered. Save your code - it can b"
|
:0040DA27 6A2B push 0000002B
:0040DA29 50 push eax
Below is the routine that converts the fake registration code to a hex value, reached from 0040D934 E897800100 call 004259D0:
============================================================================
:004259D0 8B442404 mov eax, dword ptr [esp+04]
:004259D4 50 push eax
:004259D5 E846FFFFFF call 00425920<--------step into this call
:004259DA 83C404 add esp, 00000004
:004259DD C3 ret
The call lands here:
:00425920 53 push ebx
:00425921 56 push esi
:00425922 8B74240C mov esi, dword ptr [esp+0C]
:00425926 57 push edi
:00425927 55 push ebp
.....................
.....................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042596A(C)
|
:00425971 33DB xor ebx, ebx
:00425973 8A1E mov bl, byte ptr [esi]<----fetch one character of the registration code into BL
:00425975 46 inc esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042596F(C)
|
:00425976 33ED xor ebp, ebp<--------------clear the accumulator
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004259AF(U)
|
:00425978 833DEC6E430001 cmp dword ptr [00436EEC], 00000001
:0042597F 7E0D jle 0042598E
..............
..............
:0042598E 8B0DE06C4300 mov ecx, dword ptr [00436CE0]
:00425994 33C0 xor eax, eax
:00425996 668B0459 mov ax, word ptr [ecx+2*ebx]
:0042599A 83E004 and eax, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042598C(U)
|
:0042599D 85C0 test eax, eax
:0042599F 7410 je 004259B1<-----------------------processing finished, leave the loop
:004259A1 8D44AD00 lea eax, dword ptr [ebp+4*ebp]<----compute on the code: EAX = EBP*5
:004259A5 46 inc esi<---------------------------advance one character in the code
:004259A6 8D6C43D0 lea ebp, dword ptr [ebx+2*eax-30]<-compute on the code: EBP = EBX + 2*EAX - 30h
:004259AA 33DB xor ebx, ebx<----------------------clear EBX
:004259AC 8A5EFF mov bl, byte ptr [esi-01]<---------fetch the next character of the code
:004259AF EBC7 jmp 00425978
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042599F(C)
|
:004259B1 8BC5 mov eax, ebp<----------------------EBP holds the fake registration code as a hex value
..............
:004259BE C3 ret
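The digit loop listed above (00425971 to 004259AF) is an ordinary decimal string-to-integer conversion; the C rendering below is an added example, not code from the original post or from the program. It covers only the instructions visible in the listing, assumes the `and eax, 4` test on the table at [00436CE0] is the C runtime's digit-class flag, and uses hypothetical function names.

```c
#include <ctype.h>
#include <stdint.h>

/* Added example: C equivalent of the visible loop at 00425971..004259AF.
 * Assumption: the elided instructions (the "....." lines) are ignored, so
 * leading whitespace or a sign, if the routine handles them, is not
 * modelled here. */
uint32_t parse_code(const char *s)
{
    uint32_t ebx = (unsigned char)*s++;   /* mov bl,[esi] ; inc esi      */
    uint32_t ebp = 0;                     /* xor ebp,ebp  (accumulator)  */

    /* mov ax,[ecx+2*ebx] ; and eax,4 ; test eax,eax ; je 004259B1
     * Assumption: flag 4 in the character-class table means "digit". */
    while (isdigit((int)ebx)) {
        uint32_t eax = ebp + 4 * ebp;     /* lea eax,[ebp+4*ebp]   = acc*5        */
        ebp = ebx + 2 * eax - 0x30;       /* lea ebp,[ebx+2*eax-30] = acc*10+digit */
        ebx = (unsigned char)*s++;        /* inc esi ; mov bl,[esi-1]             */
    }
    return ebp;                           /* mov eax,ebp */
}

/* The caller at 0040D939 does "mov bx, ax", keeping only the low 16 bits
 * of the converted value. */
uint16_t low_word_of_code(const char *s)
{
    return (uint16_t)parse_code(s);
}
```

The two `lea` instructions are the compiler's multiply-by-ten: `ebp*5`, doubled, plus the ASCII digit minus 30h. The value the debugger prints with `? EAX` is this integer shown in hex.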
Below is the routine that processes the registration name and performs the comparison, reached from 0040D9B1 E8C4FAFFFF call 0040D47A:
================================================================
:0040D47A 66C70508BC43000000 mov word ptr [0043BC08], 0000
:0040D483 56 push esi
:0040D484 57 push edi
:0040D485 E893020000 call 0040D71D
:0040D48A 668B1508BC4300 mov dx, word ptr [0043BC08]<--start of the computation of a value X
:0040D491 B9FF000000 mov ecx, 000000FF
:0040D496 668BC2 mov ax, dx
:0040D499 66C1EA08 shr dx, 08
:0040D49D 3477 xor al, 77
:0040D49F 6623C1 and ax, cx
:0040D4A2 0FB7F0 movzx esi, ax
:0040D4A5 668B3C7510BC4300 mov di, word ptr [2*esi+0043BC10]
:0040D4AD 6633FA xor di, dx
:0040D4B0 668BC7 mov ax, di
:0040D4B3 66893D08BC4300 mov word ptr [0043BC08], di
:0040D4BA 3462 xor al, 62
:0040D4BC 6623C1 and ax, cx
:0040D4BF 66C1EF08 shr di, 08
:0040D4C3 0FB7F0 movzx esi, ax
:0040D4C6 668B147510BC4300 mov dx, word ptr [2*esi+0043BC10]
:0040D4CE 6633D7 xor dx, di
:0040D4D1 668BC2 mov ax, dx
:0040D4D4 66891508BC4300 mov word ptr [0043BC08], dx
:0040D4DB 3432 xor al, 32
:0040D4DD 6623C1 and ax, cx
:0040D4E0 66C1EA08 shr dx, 08
:0040D4E4 0FB7F0 movzx esi, ax
:0040D4E7 668B3C7510BC4300 mov di, word ptr [2*esi+0043BC10]
:0040D4EF 6633FA xor di, dx
:0040D4F2 668BC7 mov ax, di
:0040D4F5 66893D08BC4300 mov word ptr [0043BC08], di
:0040D4FC 3430 xor al, 30
:0040D4FE 6623C1 and ax, cx
:0040D501 66C1EF08 shr di, 08
:0040D505 0FB7F0 movzx esi, ax
:0040D508 668B147510BC4300 mov dx, word ptr [2*esi+0043BC10]
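:0040D510 6633D7 xor dx, di<-----------------everything above up to here computes a value X=0x1EAF (constant, so there is no need to understand its algorithm)
:0040D513 8B3D70854300 mov edi, dword ptr [00438570]
:0040D519 85FF test edi, edi<--------------test the registration name length
:0040D51B 742D je 0040D54A<----------------jump if it is empty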
:0040D51D 8D347D76854300 lea esi, dword ptr [2*edi+00438576]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D548(C)
|
:0040D524 0FB64601 movzx eax, byte ptr [esi+01]<-------fetch one character of the registration name
:0040D528 0FB7CA movzx ecx, dx<----------------------load the value X into ECX
:0040D52B 66C1EA08 shr dx, 08<-------------------------DX = high 8 bits of X
:0040D52F 33C1 xor eax, ecx<-----------------------name character XOR X
:0040D531 25FF000000 and eax, 000000FF<------------------keep the low 8 bits
:0040D536 83EE02 sub esi, 00000002<------------------name pointer - 2
:0040D539 668B044510BC4300 mov ax, word ptr [2*eax+0043BC10]<--fetch a value Y from [2*EAX+43BC10]
:0040D541 6633C2 xor ax, dx<-------------------------Y = Y XOR high 8 bits of X
:0040D544 4F dec edi<----------------------------counter - 1
:0040D545 668BD0 mov dx, ax<-------------------------X = Y
:0040D548 75DA jne 0040D524<-----------------------loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D51B(C)
|
:0040D54A 668BC2 mov ax, dx<-------------------------X from the computation above is copied into AX
:0040D54D B9FF000000 mov ecx, 000000FF<------------------ECX=FF
:0040D552 66891508BC4300 mov word ptr [0043BC08], dx
:0040D559 3430 xor al, 30<-------------------------low byte of X XOR 30
:0040D55B 6623C1 and ax, cx<-------------------------keep the low byte of AX
:0040D55E 66C1EA08 shr dx, 08<-------------------------take the high byte of X
:0040D562 0FB7F8 movzx edi, ax<----------------------store in EDI
:0040D565 668B347D10BC4300 mov si, word ptr [2*edi+0043BC10]<--fetch a value Y from the table
:0040D56D 6633F2 xor si, dx<-------------------------Y XOR high byte of X
:0040D570 668BC6 mov ax, si<-------------------------store in AX
:0040D573 66893508BC4300 mov word ptr [0043BC08], si
:0040D57A 3432 xor al, 32<-------------------------low byte of X XOR 32
:0040D57C 6623C1 and ax, cx<-------------------------keep the low byte of EAX
:0040D57F 66C1EE08 shr si, 08<-------------------------take the high byte of X
:0040D583 0FB7F8 movzx edi, ax<----------------------store in EDI
:0040D586 668B147D10BC4300 mov dx, word ptr [2*edi+0043BC10]<--fetch a value Y from the table
:0040D58E 6633D6 xor dx, si<-------------------------Y XOR high byte of X
:0040D591 668BC2 mov ax, dx<-------------------------store in AX
:0040D594 66891508BC4300 mov word ptr [0043BC08], dx
:0040D59B 3462 xor al, 62<-------------------------low byte of X XOR 62
:0040D59D 6623C1 and ax, cx<-------------------------keep the low byte of AX
:0040D5A0 66C1EA08 shr dx, 08<-------------------------take the high byte of X
:0040D5A4 0FB7F8 movzx edi, ax<----------------------store in EDI
:0040D5A7 668B347D10BC4300 mov si, word ptr [2*edi+0043BC10]<--fetch a value Y from the table
:0040D5AF 6633F2 xor si, dx<-------------------------Y XOR high byte of X
:0040D5B2 668BC6 mov ax, si<-------------------------store in AX
:0040D5B5 66893508BC4300 mov word ptr [0043BC08], si
:0040D5BC 3477 xor al, 77<-------------------------low byte of X XOR 77
:0040D5BE 6623C1 and ax, cx<-------------------------keep the low byte of AX
:0040D5C1 66C1EE08 shr si, 08<-------------------------take the high byte of X
:0040D5C5 0FB7C8 movzx ecx, ax<----------------------store in ECX
:0040D5C8 668B044D10BC4300 mov ax, word ptr [2*ecx+0043BC10]<--fetch a value Y from the table
:0040D5D0 8B0DB8854300 mov ecx, dword ptr [004385B8]
:0040D5D6 6633C6 xor ax, si<-------------------------Y XOR high byte of X
:0040D5D9 66A308BC4300 mov word ptr [0043BC08], ax<--------AX is now the real registration code (the command ? AX displays the correct code)
:0040D5DF 6635A494 xor ax, 94A4
:0040D5E3 668BD0 mov dx, ax
:0040D5E6 80F2A4 xor dl, A4
:0040D5E9 3AD1 cmp dl, cl<---------compare the low bytes of the real and fake registration codes
:0040D5EB 7512 jne 0040D5FF<-------jump if they differ
:0040D5ED C1E910 shr ecx, 10
:0040D5F0 66C1E808 shr ax, 08
:0040D5F4 3494 xor al, 94
:0040D5F6 3AE8 cmp ch, al<---------compare the high bytes of the real and fake registration codes
* Possible Reference to String Resource ID=00001: "Do you want to save the game in progress first?"
|
:0040D5F8 B801000000 mov eax, 00000001<--set the registration flag
:0040D5FD 7402 je 0040D601<--------jump if fully equal
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5EB(C)
|
:0040D5FF 33C0 xor eax, eax<-------not equal: clear the registration flag
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5FD(C)
|
:0040D601 5F pop edi
:0040D602 5E pop esi
:0040D603 C3 ret
Algorithm summary:
======================================================================
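int z[] = {0x30, 0x32, 0x62, 0x77}; // define 4 constants
int i = 0, x = 0x1EAF; // initial values
for (i = 0; i < length of registration name; i++) // process
    x = value at address 43BC10, offset (((character i+1 of name xor x), low 8 bits)*4+1), xor high 8 bits of x; // compute
for (i = 0; i < 4; i++) // process again
    x = (low 8 bits of x xor z[i]) xor high 8 bits of x; // compute again
The decimal value of the final X is the real registration code!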
Attached: addresses
Keygen:
======================================================================
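Memory keygen:
Breakpoint address: 40D5D9
Hit count: 1
Instruction: 66
Length: 6
Register save mode: EAX in decimal is the registration code
Algorithmic keygen download URL: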
http://fcg.5599.net/master/WinBowl.rar
Testing is welcome!
================================END==========================