【Cracking tools】: TRW2000 1.23, FI2.4
【Author's note】: I am a beginner at cracking; this is only out of interest, with no other purpose.
【Process】:
Since Easy CD Ripper seems to be able to detect TRW, run Easy CD Ripper first, then run TRW2000.
Set the breakpoint bpx hmemcpy, then pmodule, F10, and you arrive here:

016F:00484AF4 CALL 0042FEA0           ; get the user name
016F:00484AF9 MOV EAX,[EBP-08]        ; keep it in eax
...                                   ; n lines omitted
016F:00484B50 MOV EAX,[EBP-0C]        ; the registration code we entered
016F:00484B53 CALL 00408818           ; process the registration code

  ; the routine at 00408818:
  016F:00408818 PUSH EBX
  016F:00408819 PUSH ESI
  016F:0040881A ADD ESP,BYTE -0C
  016F:0040881D MOV EBX,EAX
  016F:0040881F MOV EDX,ESP
  016F:00408821 MOV EAX,EBX
  016F:00408823 CALL 00402B38         ; this is where the registration code we entered is processed; code follows:

    ; the routine at 00402B38:
    016F:00402B38 PUSH EBX
    016F:00402B39 PUSH ESI
    016F:00402B3A PUSH EDI
    016F:00402B3B MOV ESI,EAX
    016F:00402B3D PUSH EAX
    016F:00402B3E TEST EAX,EAX
    016F:00402B40 JZ 00402BB5
    016F:00402B42 XOR EAX,EAX
    016F:00402B44 XOR EBX,EBX
    016F:00402B46 MOV EDI,0CCCCCCC
    016F:00402B4B MOV BL,[ESI]        ; points at our registration code
    016F:00402B4D INC ESI
    016F:00402B4E CMP BL,20
    016F:00402B51 JZ 00402B4B
    016F:00402B53 MOV CH,00
    016F:00402B55 CMP BL,2D
    016F:00402B58 JZ 00402BC3
    016F:00402B5A CMP BL,2B
    016F:00402B5D JZ 00402BC5
    016F:00402B5F CMP BL,24
    016F:00402B62 JZ 00402BCA
    016F:00402B64 CMP BL,78
    016F:00402B67 JZ 00402BCA
    016F:00402B69 CMP BL,58
    016F:00402B6C JZ 00402BCA
    016F:00402B6E CMP BL,30
    016F:00402B71 JNZ 00402B86
    016F:00402B73 MOV BL,[ESI]
    016F:00402B75 INC ESI
    016F:00402B76 CMP BL,78
    016F:00402B79 JZ 00402BCA
    016F:00402B7B CMP BL,58
    016F:00402B7E JZ 00402BCA
    016F:00402B80 TEST BL,BL
    016F:00402B82 JZ 00402BA4
    016F:00402B84 JMP SHORT 00402B8A
    016F:00402B86 TEST BL,BL
    016F:00402B88 JZ 00402BBE
    016F:00402B8A SUB BL,30
    016F:00402B8D CMP BL,09
    016F:00402B90 JA 00402BBE
    016F:00402B92 CMP EAX,EDI
    016F:00402B94 JA 00402BBE
    016F:00402B96 LEA EAX,[EAX+EAX*4] ; eax=eax+eax*4
    016F:00402B99 ADD EAX,EAX         ; eax=eax+eax
    016F:00402B9B ADD EAX,EBX         ; eax=eax+ebx
    016F:00402B9D MOV BL,[ESI]
    016F:00402B9F INC ESI
    016F:00402BA0 TEST BL,BL
    016F:00402BA2 JNZ 00402B8A
    016F:00402BA4 DEC CH
    016F:00402BA6 JZ 00402BB8
    016F:00402BA8 TEST EAX,EAX
    016F:00402BAA JL 00402BBE
    016F:00402BAC POP ECX
    016F:00402BAD XOR ESI,ESI
    016F:00402BAF MOV [EDX],ESI
    016F:00402BB1 POP EDI
    016F:00402BB2 POP ESI
    016F:00402BB3 POP EBX
    016F:00402BB4 RET

  ...                                 ; n lines omitted
  016F:00408850 RET

...                                   ; n lines omitted
016F:00484B70 PUSH BYTE +00
016F:00484B72 PUSH BYTE +00
016F:00484B74 PUSH DWORD 8193
016F:00484B79 MOV EAX,[EBP-04]
016F:00484B7C CALL 00435F78
016F:00484B81 PUSH EAX
016F:00484B82 CALL `USER32!SendMessageA`
016F:00484B87 MOV EAX,[00492E00]      ; fetch the number computed from the user name (wolverine[CCG]); eax=1557FH
016F:00484B8C XOR EDX,EDX
016F:00484B8E PUSH EDX
016F:00484B8F PUSH EAX
016F:00484B90 MOV EAX,EBX             ; eax = the number computed from the registration code we entered
016F:00484B92 CDQ
016F:00484B93 CMP EDX,[ESP+04]
016F:00484B97 JNZ 00484B9C
016F:00484B99 CMP EAX,[ESP]           ; compare for equality
016F:00484B9C POP EDX
016F:00484B9D POP EAX
016F:00484B9E JNZ NEAR 00484CAE       ; not equal, so Game Over

=================================>>>
Summary:
First the Name (in fact only its first 8 characters are used) is processed to produce a value. (For some reason I could not find the algorithm that processes the Name; I only saw its result. If anyone finds it, please tell me, I would be very grateful.)
Then a value is computed from the entered registration code. (The registration code accepts only digit characters.)
Then the two values are compared; if they are not equal, it is over.
The algorithm applied to the entered registration code is as follows. Let the result be kept in S and the registration code in X:
S=0
1. Take the ASCII code of one character of the registration code into X
2. Compute S=S+S*4
3. Compute S=S*2
4. Compute S=S+(X-30h)
5. Repeat 1, 2, 3, 4 until all characters have been processed
S is the final result.
I was unable to compute the correct registration code by reversing the computation, so this Code is one I found by trial. (Narrowing the range finds it quickly.)
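To check the summary above against the listing, here is an added C re-implementation of the decimal path of the routine at 00402B38 and of the final comparison at 00484B87..00484B9E (this is not code from the original post; the function names are mine). Steps 2 to 4 of the summary are simply S = S*10 + digit, so the routine is an ordinary string-to-integer conversion with an overflow guard, and the scheme's strength rests entirely on the name-derived value rather than on any key encoding. The branches whose targets fall outside the listing (the '-', '+', '$', 'x' and 'X' prefixes at 00402BC3/00402BC5/00402BCA and the error block at 00402BBE) are treated as rejected here, which is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (hypothetical names): decimal path of the routine at 00402B38.
 * Returns the parsed value (0..INT32_MAX) or -1 where the listing leaves through
 * an error branch (00402BBE / 00402BB5, whose bodies are not in the listing). */
int64_t parse_reg_code(const char *s)
{
    uint32_t acc = 0;                   /* EAX: accumulator */
    const uint32_t limit = 0x0CCCCCCC;  /* EDI: guard checked before each *10 */
    unsigned char c;

    if (s == NULL) return -1;           /* TEST EAX,EAX / JZ 00402BB5 */
    do { c = (unsigned char)*s++; } while (c == 0x20);  /* skip leading spaces */

    /* '-', '+', '$', 'x', 'X' jump outside the listing; assumed rejected here */
    if (c == '-' || c == '+' || c == '$' || c == 'x' || c == 'X') return -1;

    if (c == '0') {                     /* leading '0': look for 0x / 0X */
        c = (unsigned char)*s++;
        if (c == 'x' || c == 'X') return -1;   /* hex branch 00402BCA, not in listing */
        if (c == 0) return 0;           /* "0" alone -> 00402BA4 */
    } else if (c == 0) {
        return -1;                      /* empty string -> 00402BBE */
    }

    for (;;) {                          /* digit loop at 00402B8A */
        unsigned d = c - 0x30u;         /* SUB BL,30 (wraps for c < '0') */
        if (d > 9) return -1;           /* CMP BL,09 / JA 00402BBE */
        if (acc > limit) return -1;     /* CMP EAX,EDI / JA: next *10 would overflow */
        acc = acc * 10u + d;            /* LEA (x5), ADD EAX,EAX (x2), ADD EAX,EBX */
        c = (unsigned char)*s++;
        if (c == 0) break;
    }
    if (acc & 0x80000000u) return -1;   /* TEST EAX,EAX / JL: wrapped negative */
    return (int64_t)acc;
}

/* The check at 00484B87..00484B9E: the parsed key (sign-extended by CDQ) must
 * equal the name-derived value, which is pushed with a zero high dword. */
int key_matches(uint32_t name_value, const char *key)
{
    int64_t v = parse_reg_code(key);
    return v >= 0 && v == (int64_t)name_value;
}
```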