WinBoost 2000 Gold Cracking Tutorial
Date: 2004/10/15 1:01:00  Source: compiled by this site  Author: 蓝点
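Experts have already published online a method for registering WinBoost 2000 Gold
by tracing it with FileMon. The idea is ingenious and the method simple, which is
truly admirable! Personally, I feel that being able to register successfully with
such a simple method must be an oversight in WinBoost 2000 Gold. The well-known
foreign cracker LW2000 has also written up a similarly simple method that uses
FileMon tracing to register successfully. It seems that, at home or abroad,
crackers everywhere are one family ^_^

But many friends would like to use SoftICE to trace out the real registration
code of WinBoost 2000 Gold, and as it happens LW2000 also wrote this tutorial.
So let me translate it with my clumsy English and terrible Chinese (the
unimportant parts are omitted, because I can only type in full pinyin...).

I should state that I have not installed WinBoost 2000 Gold, so the translation
may contain errors, but what matters is the approach and the technique, so
please bear with it ^_^
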
Name : WinBoost 2000 Gold
Version : generic
Editor : Magellass
s/n saved : win.ini
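Tools : Softice & Brain
Cracker : LW2000 (apparently a member of the well-known international cracking
group Phrozen Crew or CiA)
Translator : Sun Bird [CCG] (that is, a member of the cracking group China
Cracking Group ^_^)
Date : 16 March 2000 (just after "3.15"; sigh, we poor consumers strongly
demand that the telecom authorities raise speeds and cut prices!)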
---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---
(1) Mhmm... Enter the following details:
User Name: LW2000
WB98 Registration Code: 1239900
WB2000 Registration Code: 1230099
I always try to break on GetDlgItemTextA and GetWindowTextA, you
should do the same... it saves a lot of time =)
Try to validate the code.
*BOOM* SoftICE pops up.
We'll have to hit F12 about 13 times until we get to a useful piece
of code:
.004D33D9: 8B80C8020000 mov eax,[eax][0000002C8]
.004D33DF: E88CB9F5FF call .00042ED70
.004D33E4: 8D55F0 lea edx,[ebp][-0010] <-
.004D33E7: 8B45FC mov eax,[ebp][-0004]
.004D33EA: 8B80D8020000 mov eax,[eax][0000002D8]
.004D33F0: E87BB9F5FF call .00042ED70
.004D33F5: 8D55EC lea edx,[ebp][-0014]
.004D33F8: 8B45FC mov eax,[ebp][-0004]
.004D33FB: 8B80CC020000 mov eax,[eax][0000002CC]
.004D3401: E86AB9F5FF call .00042ED70
.004D3406: 8D45F4 lea eax,[ebp][-000C]
.004D3409: 8B55EC mov edx,[ebp][-0014]
.004D340C: E81B07F3FF call .000403B2C
.004D3411: 8B55F8 mov edx,[ebp][-0008]
.004D3414: 8B45FC mov eax,[ebp][-0004]
.004D3417: E8F8FCFFFF call .0004D3114
.004D341C: 8D55E0 lea edx,[ebp][-0020]
.004D341F: E83C4DF3FF call .000408160
.004D3424: 33C0 xor eax,eax
.004D3426: 5A pop edx
.004D3427: 59 pop ecx
.004D3428: 59 pop ecx
.004D3429: 648910 mov fs:[eax],edx
.004D342C: 686E3F4D00 push 0004D3F6E
.004D3431: 837DF000 cmp d,[ebp][-0010],000
.004D3435: 0F84F7090000 je .0004D3E32
(2) Only bullshit, because we don't want to write a keygen, we only
want to have one serial ...
.004D343B: 8B45F0 mov eax,[ebp][-0010] <- WB98 key (the one we entered)
.004D343E: 8B55E0 mov edx,[ebp][-0020] <- correct key
.004D3441: E8DA09F3FF call .000403E20 <- compare string
.004D3446: 0F851F010000 jne .0004D356B
There are about 17 more checks after this. The keys checked there will
not work, because Magellass has found them on the Web!
(3) Mhmm... great! Then just step until you are at .004D3441. Then
type 'd edx' and write your key down and set a bpx on it.
Ok.. let's type the new key as the WB98 code...
Back in SoftICE we step through the next code:
.004D35DB: 8B45EC mov eax,[ebp][-0014] <-- WB2K key (the one we entered)
.004D35DE: E82D07F3FF call .000403D10
.004D35E3: 83F814 cmp eax,014 <-- length
.004D35E6: 0F8E5A030000 jle .0004D3946
(4) Mhmm.. does that mean we must have 14h (= 20) or more characters?
Maybe, but let the jump happen ...
.004D3946: 8D45E8 lea eax,[ebp][-0018]
.004D3949: 8B55EC mov edx,[ebp][-0014]
.004D394C: E8DB01F3FF call .000403B2C
.004D3951: 8B45EC mov eax,[ebp][-0014]
.004D3954: E8B703F3FF call .000403D10
.004D3959: 83F817 cmp eax,017 <-- length
.004D395C: 0F8EEA030000 jle .0004D3D4C
(5) Next check.. this time with 17h (= 23) or more chars? Let it
be ... trace on with F10
.004D3D4C: 8D45E4 lea eax,[ebp][-001C]
.004D3D4F: 8B55EC mov edx,[ebp][-0014]
.004D3D52: E8D5FDF2FF call .000403B2C
.004D3D57: 33DB xor ebx,ebx
.004D3D59: 8D4DDC lea ecx,[ebp][-0024]
.004D3D5C: 0FBFF3 movsx esi,bx
.004D3D5F: 8BD6 mov edx,esi
.004D3D61: A110684D00 mov eax,[0004D6810]
.004D3D66: 8B00 mov eax,[eax]
.004D3D68: 8B8054020000 mov eax,[eax][000000254]
.004D3D6E: 8B4024 mov eax,[eax][00024]
.004D3D71: 8B38 mov edi,[eax]
.004D3D73: FF570C call d,[edi][0000C]
.004D3D76: 8B55DC mov edx,[ebp][-0024] <-- our key (the one we entered)
.004D3D79: 8B45E4 mov eax,[ebp][-001C] <-- a key (a correct registration code)
.004D3D7C: E89F00F3FF call .000403E20 <-- compare
.004D3D81: 7427 je .0004D3DAA
.004D3D83: 8D4DDC lea ecx,[ebp][-0024]
(6) *g* 'd eax' ... so just write the key down. Let's try it!
Congratulation! You are an registered user.
FINISH! Easy, or?
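
Added example (not part of LW2000's tutorial and not WinBoost's code): the trace works because the program builds the correct code itself and string-compares it with the input, so the valid code is readable at the compare. The Python sketch below contrasts that pattern with a check that only verifies a vendor signature; derive_code, the trace list, and the demo-sized RSA key are constructed assumptions, and the key is far too small for real use.

```python
import hashlib

# Weak design, the pattern seen at .004D3441 and .004D3D7C: the checker
# derives the correct code and compares it with what the user typed.
def derive_code(name: str) -> str:
    # Hypothetical derivation; the page does not show the real one.
    data = b"constructed-secret" + name.encode()
    return hashlib.sha256(data).hexdigest()[:20]

def weak_check(name: str, entered: str, trace=None) -> bool:
    expected = derive_code(name)      # the full valid code is now in memory
    if trace is not None:
        trace.append(expected)        # stands in for what 'd edx' displays
    return entered == expected

# Stronger design: the client holds only a public key and verifies.
# Constructed demo key built from two Mersenne primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                             # public modulus, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, vendor side only

def digest(name: str) -> int:
    h = hashlib.sha256(name.encode()).digest()
    return int.from_bytes(h, "big") % N

def vendor_issue(name: str) -> str:
    # Runs only at the vendor; the client never contains D.
    return format(pow(digest(name), D, N), "x")

def signed_check(name: str, entered: str, trace=None) -> bool:
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    recovered = pow(sig, E, N)        # computed from the input, not a secret
    if trace is not None:
        trace.append(format(recovered, "x"))
    return recovered == digest(name)
```

With weak_check, whatever lands in the trace is itself a working code; with signed_check, the values visible at the compare are only a public hash and a transform of the user's own input.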