Cracking steps:
1. Boot Windows with SoftICE loaded (press CTRL+D to check that SoftICE is ready, then F5 to leave SoftICE);
2. Run WinZip and choose Help > "Enter Registration Code...";
3. In "Name:" type KraneXH (any name will do); in "Registration #:" type 12345678 (any value);
4. Press CTRL+D to bring up SoftICE and set the universal breakpoint `bpx hmemcpy`, then press F5 to return to WinZip;
5. In WinZip click "OK". SoftICE breaks almost immediately (because of the `bpx hmemcpy` breakpoint: when "OK" is clicked, WinZip calls hmemcpy to fetch the name "KraneXH" and the registration code "12345678" we typed; SoftICE sees hmemcpy being called and interrupts WinZip right at that call);
6. Type `bd *` to disable the `bpx hmemcpy` breakpoint we just set (why disable it? Our aim is to break when WinZip fetches the name and registration code, but `bpx hmemcpy` is not specific to WinZip: any program running on the machine may call hmemcpy at any time. Because we set the breakpoint right after typing the name and registration code, WinZip fetches them immediately, so we can be sure the break happened inside WinZip; disabling the breakpoint with `bd *` afterwards keeps unrelated calls from interrupting the rest of the session);
7. Press F12 nine times to return to WinZip's own code (SoftICE broke inside hmemcpy, which lives in the Windows system area and cannot be modified; WinZip merely calls that function, so we must get back into WinZip's code before we can do anything useful). You arrive at the following region:
......
0167:00407F6D  CALL [USER32!GetDlgItemTextA]
0167:00407F73  PUSH EDI                        <-- program stops here; EDI points to "KraneXH"
0167:00407F74  CALL 0043F89A
0167:00407F79  PUSH EDI
0167:00407F7A  CALL 0043F8C3
0167:00407F7F  POP ECX
0167:00407F80  MOV ESI, 0048CDA4
0167:00407F85  POP ECX
0167:00407F86  PUSH 0B
0167:00407F88  PUSH ESI
0167:00407F89  PUSH 00000C81
0167:00407F8E  PUSH EBX
0167:00407F8F  CALL [USER32!GetDlgItemTextA]
0167:00407F95  PUSH ESI                        <-- ESI points to "12345678"
0167:00407F96  CALL 0043F89A
0167:00407F9B  PUSH ESI
0167:00407F9C  CALL 0043F8C3
0167:00407FA1  CMP BYTE PTR [0048CD78], 00     <-- [0048CD78] holds "KraneXH"
0167:00407FA8  POP ECX
0167:00407FA9  POP ECX
0167:00407FAA  JZ 00408005
0167:00407FAC  CMP BYTE PTR [0048CDA4], 00     <-- [0048CDA4] holds "12345678"
0167:00407FB3  JZ 00408005
0167:00407FB5  CALL 00407905
0167:00407FBA  TEST EAX, EAX
0167:00407FC3  JZ 00408005
......
8. Having returned from hmemcpy to WinZip's code, the program is stopped at 0167:00407F73 PUSH EDI. Look at the instruction just above it, 0167:00407F6D CALL [USER32!GetDlgItemTextA]: this CALL is what reads our input, i.e. it is the call that made `bpx hmemcpy` break inside WinZip. Since WinZip fetched the input through this CALL, the result must be available once it returns. Type `D EDI` and look at SoftICE's data window: EDI points to the memory holding the name we entered, "KraneXH";
9. Not far below there is another call to USER32!GetDlgItemTextA, at 0167:00407F8F. Press F10 a few times to step to the instruction right after that CALL, 0167:00407F95 PUSH ESI, and type `D ESI`: ESI points to the registration code we entered, "12345678". WinZip now has both the name and the registration code; let's see what it does with them next.
10. Keep pressing F10 until the program stops at 0167:00407FA1 CMP BYTE PTR [0048CD78], 00. This instruction compares the byte at 0048CD78 with 0 and the program branches on the result. Type `D 0048CD78` and the data window shows "KraneXH" at 0048CD78, so this instruction checks whether the entered name is empty; if nothing was entered, the program jumps to 00408005. Likewise, press F10 to stop at 0167:00407FAC CMP BYTE PTR [0048CDA4], 00 and `D 0048CDA4` shows "12345678" at 0048CDA4. Because we entered both, neither jump is taken. So the program checks the name and the registration code and, if either is missing (its first byte is 00), jumps to 00408005. It is therefore very likely that 00408005 is where an error is displayed, i.e. reaching 00408005 means the name or registration code is wrong;
11. Press F10 twice to reach CALL 00407905 (the program had stopped at 0167:00407FAC CMP BYTE PTR [0048CDA4], 00 above):
......
0167:00407FB5  CALL 00407905                   <-- program stops here
0167:00407FBA  TEST EAX, EAX
0167:00407FC3  JZ 00408005
......
After checking that neither the name nor the registration code is empty, the program calls CALL 00407905; the result comes back in EAX and the program branches on it. From the listing, if EAX is 0 the program jumps to 00408005, the place we just identified as suspicious. What does this CALL do inside? We don't know yet. Press F10 twice more to stop at JZ 00408005. Now look at SoftICE's zero flag (Z): it is set because EAX is 0, so the jump to 00408005 will be taken. Press F10 to follow the jump and see what happens at 00408005:
......
0167:00408005  CALL 004082A6                   <-- program stops here
0167:0040800A  PUSH 0000028E
0167:0040800F  CALL 0043F5ED
0167:00408014  PUSH EAX
0167:00408015  PUSH EBX
0167:00408016  PUSH 3D
0167:00408018  CALL 00430025                   <-- error box
0167:0040801D  ADD ESP, 10
0167:00408020  INC DWORD PTR [00487AF8]
0167:00408026  CMP DWORD PTR [00487AF8], 03    <-- has the number of errors reached 3?
0167:0040802D  JNZ 0040812C
0167:00408033  PUSH 00
0167:00408035  PUSH EBX
0167:00408036  CALL [USER32!EndDialog]
0167:0040803C  JMP 0040812C
......
12. Stepping with F10 past 0167:00408018 CALL 00430025 pops up a window with the warning "Incomplete or incorrect information". Now it is clear: if the program earlier jumped to 00408005, the name and registration code were wrong, so 0167:00407FB5 CALL 00407905 must be where the registration code is checked, i.e. where the registration code we entered is compared with the correct one. That is the CALL we need to go into. If you keep reading the statements after CALL 00430025, you will see these:
0167:00408020  INC DWORD PTR [00487AF8]
0167:00408026  CMP DWORD PTR [00487AF8], 03
0167:0040802D  JNZ 0040812C
The program first adds 1 to the value at 00487AF8 (initially 0; you can check it with `D 00487AF8` before this instruction executes), then compares it with 3: if it is not 3 it jumps to 0040812C, otherwise it falls through to 0167:00408036 CALL [USER32!EndDialog], which closes the dialog box, i.e. the window in which we entered the name and registration code. So this code counts wrong name/registration code entries: after 3 errors it closes the dialog and does not allow another attempt; with fewer than 3 you get another chance to enter the name and registration code.
13. Repeat steps 1 to 11 so that the program stops at 0167:00407FB5 CALL 00407905, then press F8 to step into the CALL:
......
0167:004079D5  PUSH EBP
0167:004079D6  MOV EBP, ESP
0167:004079D8  SUB ESP, 00000208
0167:004079DE  PUSH EBX
0167:004079DF  PUSH ESI
0167:004079E0  XOR ESI, ESI
0167:004079E2  CMP BYTE PTR [0048CD78], 00
0167:004079E9  PUSH EDI
0167:004079EA  JZ 00407A8A
......
14. Press F10 N times (I didn't count; you count ^_^) until you stop in the following region:
......
0167:00407A91  LEA EAX, [EBP-0140]             <-- program stops here
0167:00407A97  PUSH EAX
0167:00407A98  PUSH EDI                        <-- EDI points to the entered name "KraneXH"
0167:00407A99  CALL 00407B47                   <-- computes the registration code
0167:00407A9E  MOV ESI, 0048CDA4
0167:00407AA3  LEA EAX, [EBP-0140]
0167:00407AA9  PUSH ESI                        <-- ESI points to the entered registration code "12345678"
0167:00407AAA  PUSH EAX                        <-- EAX points to the correct registration code "5CFC0875"
0167:00407AAB  CALL 004692D0
0167:00407AB0  ADD ESP, 10
0167:00407AB3  NEG EAX
0167:00407AB5  SBB EAX, EAX
0167:00407AB7  INC EAX
0167:00407AB8  MOV [00489FDC], EAX
0167:00407ABD  JNZ 00407B27
0167:00407ABF  LEA EAX, [EBP-0140]
0167:00407AC5  PUSH EAX
0167:00407AC6  PUSH EDI                        <-- EDI points to the entered name "KraneXH"
0167:00407AC7  CALL 00407BE4                   <-- computes the registration code
0167:00407ACC  LEA EAX, [EBP-0140]
0167:00407AD2  PUSH ESI                        <-- ESI points to the entered registration code "12345678"
0167:00407AD3  PUSH EAX                        <-- EAX points to the correct registration code "23804216"
0167:00407AD4  CALL 004692D0
0167:00407AD9  ADD ESP, 10
0167:00407ADC  NEG EAX
0167:00407ADE  SBB EAX, EAX
0167:00407AE0  INC EAX
0167:00407AE1  MOV [00489FDC], EAX
0167:00407AE6  JNZ 00407B27
......
15. You may ask: why stop here and not somewhere else? I had been looking at the data with D all the way along and found nothing suspicious before this point ^_^!
Press F10 until you reach 0167:00407A99 CALL 00407B47, then use `D EAX` and `D EDI` to see what they hold. EDI points to the entered name "KraneXH", while EAX points to a memory area with nothing of interest in it yet; the CALL 00407B47 that follows does some processing on "KraneXH", exactly what we don't know yet, so keep going;
16. Press F10 until you reach 0167:00407AAB CALL 004692D0, then use `D ESI` and `D EAX` to inspect memory: ESI points to the registration code we entered, "12345678", and EAX points to another string, "5CFC0875". Needless to say, this is in all likelihood the correct registration code, so write it down ^_^! Continuing down, we immediately find a similar code segment below, which produces another string, "23804216";
17. Verify the registration code: press F5 to return to WinZip, choose register, and enter the name "KraneXH" with the registration code "5CFC0875" or "23804216". What do you see? A "registration successful" screen appears; just click OK. Ha ha ha...!
18. Now we know that CALL 00407B47 computes the correct registration code from the name we entered, which is then compared with the registration code we typed to see whether the two are equal. One last thing to take care of: press CTRL+D to bring up SoftICE and type `bc *` to clear all breakpoints!!
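To check that the walkthrough's reading of the listing is consistent, the decision logic from 00407A9E..00407AE6 and 00408005..0040803C can be written out in C and run against the inputs used above. This is an added example, not WinZip's code, and it does not reproduce the code-generation routines (CALL 00407B47 and CALL 00407BE4 are not shown on the page), so the two candidate codes are supplied by the caller. It assumes that CALL 004692D0 behaves like strcmp. The interesting part is the `NEG EAX; SBB EAX, EAX; INC EAX` sequence after the compare: NEG sets CF when EAX was non-zero, SBB EAX,EAX then leaves 0 or 0xFFFFFFFF, and INC turns that into 1 or 0, so EAX ends up 1 exactly when the compare returned 0. Since MOV does not touch the flags, the following JNZ 00407B27 is taken precisely on a match, which is why the value stored at 00489FDC behaves as a "registered" flag and why the second candidate is only tried when the first one fails.

```c
/* Model of the registration decision logic read from the listing above.
 * Added example, not WinZip's code. Assumptions: CALL 004692D0 == strcmp,
 * and the two expected codes come from the caller (the routines that
 * derive them from the name are not shown on the page). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Emulates NEG EAX ; SBB EAX,EAX ; INC EAX with x86 flag semantics.
 * Returns 1 exactly when the incoming EAX was 0, otherwise 0. */
uint32_t neg_sbb_inc(uint32_t eax)
{
    uint32_t cf = (eax != 0);   /* NEG: CF = (operand != 0) */
    eax = 0u - eax;             /* NEG: EAX = -EAX (mod 2^32) */
    eax = eax - eax - cf;       /* SBB EAX,EAX: EAX = 0 - CF -> 0 or 0xFFFFFFFF */
    eax += 1;                   /* INC EAX: sets ZF when the result is 0 */
    return eax;
}

typedef struct {
    uint32_t registered;   /* [00489FDC]: 1 once a code matched */
    uint32_t error_count;  /* [00487AF8]: incremented on every failure */
    int      dialog_open;  /* cleared by EndDialog after the 3rd failure */
} winzip_state;

/* Returns 1 when the success branch (JNZ 00407B27) is taken, 0 after the
 * error path at 00408005. */
int check_registration(winzip_state *s, const char *name, const char *code,
                       const char *expected_a, const char *expected_b)
{
    /* 00407FA1 / 00407FAC: an empty name or code jumps straight to 00408005 */
    if (name[0] == '\0' || code[0] == '\0')
        goto error_box;

    /* 00407AAB: compare the first computed code with the typed one */
    s->registered = neg_sbb_inc((uint32_t)strcmp(expected_a, code));
    if (s->registered != 0)   /* JNZ 00407B27: match */
        return 1;

    /* 00407AD4: second computed code, only reached after a mismatch */
    s->registered = neg_sbb_inc((uint32_t)strcmp(expected_b, code));
    if (s->registered != 0)   /* JNZ 00407B27: match */
        return 1;

error_box:
    /* 00408018: "Incomplete or incorrect information" */
    s->error_count += 1;      /* INC DWORD PTR [00487AF8] */
    if (s->error_count == 3)  /* CMP DWORD PTR [00487AF8], 03 ; JNZ 0040812C */
        s->dialog_open = 0;   /* CALL [USER32!EndDialog] */
    return 0;
}

int main(void)
{
    winzip_state s = { 0, 0, 1 };
    /* Constructed inputs taken from the walkthrough: name KraneXH, the two
     * codes observed in EAX, and the dummy code typed at the start. */
    printf("12345678 -> %d\n",
           check_registration(&s, "KraneXH", "12345678", "5CFC0875", "23804216"));
    printf("5CFC0875 -> %d\n",
           check_registration(&s, "KraneXH", "5CFC0875", "5CFC0875", "23804216"));
    printf("23804216 -> %d\n",
           check_registration(&s, "KraneXH", "23804216", "5CFC0875", "23804216"));
    printf("errors=%u dialog_open=%d\n", s.error_count, s.dialog_open);
    return 0;
}
```

Running it shows the dummy code failing and both observed codes succeeding, matching step 17; feeding three bad entries in a row drives the error counter to 3 and clears `dialog_open`, matching the EndDialog path in step 12.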