【Tools】: TRW2000 1.23, FI2.4
【Author's note】: I am new to cracking and did this purely out of interest, with no other purpose.
【Process】:
Easy CD Ripper seems to be able to detect TRW, so run Easy CD Ripper first and then start TRW2000.
Set a breakpoint with bpx hmemcpy, then pmodule and F10, which brings us here:
016F:00484AF4 CALL 0042FEA0 // fetch the user name
016F:00484AF9 MOV EAX,[EBP-08] // result is placed in eax
.
. // n lines omitted
016F:00484B50 MOV EAX,[EBP-0C] // the registration code we entered
016F:00484B53 CALL 00408818 // process the registration code
|
|----016F:00408818 PUSH EBX
|    016F:00408819 PUSH ESI
|    016F:0040881A ADD ESP,BYTE -0C
|    016F:0040881D MOV EBX,EAX
|    016F:0040881F MOV EDX,ESP
|    016F:00408821 MOV EAX,EBX
|    016F:00408823 CALL 00402B38 // this is where the entered registration code is processed
|    |                           // the code is as follows:
|    |--016F:00402B38 PUSH EBX
016F:00402B39 PUSH ESI
016F:00402B3A PUSH EDI
016F:00402B3B MOV ESI,EAX
016F:00402B3D PUSH EAX
016F:00402B3E TEST EAX,EAX
016F:00402B40 JZ 00402BB5
016F:00402B42 XOR EAX,EAX
016F:00402B44 XOR EBX,EBX
016F:00402B46 MOV EDI,0CCCCCCC
016F:00402B4B MOV BL,[ESI] // esi points at our registration code
016F:00402B4D INC ESI
016F:00402B4E CMP BL,20
016F:00402B51 JZ 00402B4B
016F:00402B53 MOV CH,00
016F:00402B55 CMP BL,2D
016F:00402B58 JZ 00402BC3
016F:00402B5A CMP BL,2B
016F:00402B5D JZ 00402BC5
016F:00402B5F CMP BL,24
016F:00402B62 JZ 00402BCA
016F:00402B64 CMP BL,78
016F:00402B67 JZ 00402BCA
016F:00402B69 CMP BL,58
016F:00402B6C JZ 00402BCA
016F:00402B6E CMP BL,30
016F:00402B71 JNZ 00402B86
016F:00402B73 MOV BL,[ESI]
016F:00402B75 INC ESI
016F:00402B76 CMP BL,78
016F:00402B79 JZ 00402BCA
016F:00402B7B CMP BL,58
016F:00402B7E JZ 00402BCA
016F:00402B80 TEST BL,BL
016F:00402B82 JZ 00402BA4
016F:00402B84 JMP SHORT 00402B8A
016F:00402B86 TEST BL,BL
016F:00402B88 JZ 00402BBE
016F:00402B8A SUB BL,30
016F:00402B8D CMP BL,09
016F:00402B90 JA 00402BBE
016F:00402B92 CMP EAX,EDI
016F:00402B94 JA 00402BBE
016F:00402B96 LEA EAX,[EAX+EAX*4] // eax = eax + eax*4
016F:00402B99 ADD EAX,EAX // eax = eax + eax
016F:00402B9B ADD EAX,EBX // eax = eax + ebx (the three lines together: eax = eax*10 + digit)
016F:00402B9D MOV BL,[ESI]
016F:00402B9F INC ESI
016F:00402BA0 TEST BL,BL
016F:00402BA2 JNZ 00402B8A
016F:00402BA4 DEC CH
016F:00402BA6 JZ 00402BB8
016F:00402BA8 TEST EAX,EAX
016F:00402BAA JL 00402BBE
016F:00402BAC POP ECX
016F:00402BAD XOR ESI,ESI
016F:00402BAF MOV [EDX],ESI
016F:00402BB1 POP EDI
016F:00402BB2 POP ESI
016F:00402BB3 POP EBX
016F:00402BB4 RET
|    .  \
|    .  /  n lines omitted
|----016F:00408850 RET
.
.
. // n lines omitted
016F:00484B70 PUSH BYTE +00
016F:00484B72 PUSH BYTE +00
016F:00484B74 PUSH DWORD 8193
016F:00484B79 MOV EAX,[EBP-04]
016F:00484B7C CALL 00435F78
016F:00484B81 PUSH EAX
016F:00484B82 CALL USER32!SendMessageA
016F:00484B87 MOV EAX,[00492E00] // fetch the number computed from the user name (wolverine[CCG]); eax=1557FH
016F:00484B8C XOR EDX,EDX
016F:00484B8E PUSH EDX
016F:00484B8F PUSH EAX
016F:00484B90 MOV EAX,EBX // eax = the number computed from the registration code we entered
016F:00484B92 CDQ
016F:00484B93 CMP EDX,[ESP+04]
016F:00484B97 JNZ 00484B9C
016F:00484B99 CMP EAX,[ESP] // compare the two for equality
016F:00484B9C POP EDX
016F:00484B9D POP EAX
016F:00484B9E JNZ NEAR 00484CAE // not equal: Game Over
=================================>>>
Summary:
First the Name (in fact only its first 8 characters are used) is processed to produce a value (for some reason I did not find the algorithm that processes the Name; I only saw the result. If anyone finds it, please tell me, I would be very grateful).
Then the entered registration code is processed to produce a second value. (The registration code accepts digit characters only.)
Finally the two values are compared; if they are not equal, it's over.
The algorithm applied to the entered registration code is as follows:
Let the result be kept in S and the registration code in X, then:
S=0
1. Take the ASCII code of one digit of the registration code into X
2. Compute S=S+S*4
3. Compute S=S*2
4. Compute S=S+(X-30h)
5. Repeat 1, 2, 3, 4 until all digits have been processed
S is the final result
I was not able to compute the correct registration code by inverting the operation, so this Code was found by trial. (Using the range-narrowing method it can be found quickly.)
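The following is an added Python model, not code from the original post, of the code-parsing routine at 00402B38 (the summary's steps 1 to 5) and of the compare at 00484B87..00484B9E, following only the branches shown in the listing: leading spaces, a leading '0', the 0CCCCCCCh overflow guard and the final sign test. The sign and hex-prefix branches (00402BC3/BC5/BCA) and the Name-derived value are not on the page, so the model raises for the former and takes the latter as a parameter.

```python
# Model of the registration-code parser at 016F:00402B38 and of the compare at
# 016F:00484B87..00484B9E, reconstructed from the listing above (added example).
OVERFLOW_GUARD = 0x0CCCCCCC   # EDI: largest accumulator for which *10 stays in range


def parse_code(s: str):
    """Return the dword left in EAX, or None where the routine would jump
    to its failure block at 00402BBE (invalid character, empty string,
    overflow, or a negative 32-bit result)."""
    i = 0
    while i < len(s) and s[i] == ' ':      # 00402B4B..51: skip spaces (20h)
        i += 1
    c = s[i] if i < len(s) else '\0'
    i += 1
    if c in '-+$xX':                       # 00402B55..6C: branches not in the listing
        raise NotImplementedError("sign/hex prefix branch is not shown on the page")
    if c == '0':                           # 00402B73..84: '0x', lone "0", or "0<digits>"
        c = s[i] if i < len(s) else '\0'
        i += 1
        if c in 'xX':
            raise NotImplementedError("hex branch is not shown on the page")
        if c == '\0':
            return 0
    elif c == '\0':                        # 00402B86/88: empty string -> reject
        return None
    acc = 0
    while True:                            # digit loop at 00402B8A
        d = ord(c) - 0x30                  # SUB BL,30
        if not 0 <= d <= 9:                # CMP BL,09 / JA -> reject
            return None
        if acc > OVERFLOW_GUARD:           # CMP EAX,EDI / JA -> reject
            return None
        acc = (acc * 10 + d) & 0xFFFFFFFF  # LEA [eax+eax*4]; ADD eax,eax; ADD eax,ebx
        c = s[i] if i < len(s) else '\0'
        i += 1
        if c == '\0':
            break
    if acc & 0x80000000:                   # TEST EAX,EAX / JL -> reject
        return None
    return acc


def code_matches(name_value: int, code: str) -> bool:
    """00484B87..00484B9E: the Name-derived dword (EDX zeroed, so unsigned) must
    equal the parsed code sign-extended by CDQ in both halves. name_value is a
    parameter because the page does not give the Name algorithm."""
    v = parse_code(code)
    if v is None:
        return False
    high = 0xFFFFFFFF if v & 0x80000000 else 0   # CDQ
    return high == 0 and v == (name_value & 0xFFFFFFFF)
```

The two-stage overflow check is worth noting: the guard rejects an accumulator above 0CCCCCCCh before multiplying, and the final JL catches the remaining cases where the tenth digit carries into bit 31.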
