
iTime 破解实录

时间:2004/10/15 0:49:00 来源:本站整理 作者:蓝点

 


iTime 破解实录
iTime International Version
http://www.touchstone.de
一个可以同步你的电脑时钟的程序,在2000下不需要了。小弟还是比较喜欢用98作为破解平台,经常泡在SoftICE里面一转就是好几个小时。时钟经常不灵,最近在网上闲逛发现这个程序可以同步时钟,就抓了一个回来。居然还要注册,不然时间到了就不让用。我现在是一看到Register就会条件反射:),还是写个注册机出来吧。OK,Let's go!
1、工具:DeDe v2.50,TRW2000 or SoftICE,TC2.0 or asm(你喜欢的编译器)
2、用DeDe打开iTime.exe,在DeDe中点击Procedures按钮,找到options(unit name)那一项双击,在右边的窗口中找到mnuRegisterClick这一项,再双击,WOW!
来到这里你已经成功一半啦!^*^(这么简单?)
* Reference to: controls.TControl.GetText(TControl):System.String;
|
004078B4  E80F0C0300            call    004384C8
004078B9  8D45F8                lea    eax, [ebp-$08] <--d *eax 看到你输入的名字

|
004078BC  E827670500            call    0045DFE8
004078C1  8BF0                  mov    esi, eax
004078C3  83FE32                cmp    esi, +$32
004078C6  7E04                  jle    004078CC
004078C8  B232                  mov    dl, $32
004078CA  EB02                  jmp    004078CE
004078CC  8BD6                  mov    edx, esi
004078CE  889528FFFFFF          mov    [ebp+$FFFFFF28], dl
004078D4  33C0                  xor    eax, eax
004078D6  8A8528FFFFFF          mov    al, byte ptr [ebp+$FFFFFF28]
004078DC  50                    push    eax
004078DD  837DF800              cmp    dword ptr [ebp-$08], +$00
004078E1  7405                  jz      004078E8
004078E3  8B4DF8                mov    ecx, [ebp-$08]
004078E6  EB05                  jmp    004078ED
004078E8  B9C8AF4600            mov    ecx, $0046AFC8
004078ED  51                    push    ecx
004078EE  8D8529FFFFFF          lea    eax, [ebp+$FFFFFF29]
004078F4  50                    push    eax

* Reference to: _strncpy()
|
004078F5  E86C1C0600            call    00469566
004078FA  83C40C                add    esp, +$0C
004078FD  FF4DD4                dec    dword ptr [ebp-$2C]
00407900  8D45F8                lea    eax, [ebp-$08]
00407903  BA02000000            mov    edx, $00000002

|
00407908  E8DF650500            call    0045DEEC
0040790D  8D9528FFFFFF          lea    edx, [ebp+$FFFFFF28]
00407913  8D855CFFFFFF          lea    eax, [ebp+$FFFFFF5C]

|
00407919  E8C2B9FFFF            call    004032E0
0040791E  66C745C82C00          mov    word ptr [ebp-$38], $002C
00407924  33C9                  xor    ecx, ecx
00407926  894DF4                mov    [ebp-$0C], ecx
00407929  8D55F4                lea    edx, [ebp-$0C]
0040792C  FF45D4                inc    dword ptr [ebp-$2C]
0040792F  8B45B4                mov    eax, [ebp-$4C]

* Reference to control btnDel : TResButton
|
00407932  8B80EC010000          mov    eax, [eax+$01EC]

* Reference to: controls.TControl.GetText(TControl):System.String;
|
00407938  E88B0B0300            call    004384C8
0040793D  8D45F4                lea    eax, [ebp-$0C] <--d *eax 看到你输入的密码

|
00407940  E8A3660500            call    0045DFE8
为了更快地找到关键比对核心,可以下bpr或者bpm等断点。当你看到这段代码:
; ---------------------------------------------------------------------
; Routine at 0040CA38 (32-bit debugger listing; operands are hex).
; Per the article text that follows the listing, it renders a 4-byte
; value as a string such as "$426B2FA9".
;
; In:   EAX, EDX, ECX are spilled to [EBP-04], [EBP-08], [EBP-0C].
;       [EBP-08] (from EDX) is the value whose nibbles are extracted;
;       [EBP-0C] (from ECX) is handed to the final call in EAX.
;       NOTE(review): looks like a register-based calling convention
;       with ECX as the output buffer -- confirm against the caller.
; Local [EBP-16]: accumulator string, first byte cleared to 0.
; Local [EBP-1C]: scratch; byte 0 is set to 01 and byte 1 to one table
;       character -- presumably a length-prefixed 1-character string.
; Table 0046EE4C: indexed by a 4-bit value; presumably the hex digits.
; Helper 0045B014 (EAX=&acc, EDX=source, CL=09): presumably appends
;       source to acc with a maximum length of 9 -- TODO confirm.
; ---------------------------------------------------------------------
0167:0040CA38  PUSH    EBP
0167:0040CA39  MOV      EBP,ESP
0167:0040CA3B  ADD      ESP,BYTE -1C
0167:0040CA3E  MOV      [EBP-0C],ECX
0167:0040CA41  MOV      [EBP-08],EDX
0167:0040CA44  MOV      [EBP-04],EAX
; Start with an empty accumulator, then add the constant at 0040CB90.
; That address lies directly after this routine's RET; presumably it is
; the "$" prefix seen in the article's example output.
0167:0040CA47  MOV      BYTE [EBP-16],00
0167:0040CA4B  LEA      EAX,[EBP-16]
0167:0040CA4E  MOV      EDX,0040CB90
0167:0040CA53  MOV      CL,09
0167:0040CA55  CALL    0045B014
; Nibble 7 (bits 31..28): shift right by 1C, mask to 4 bits, look the
; character up in the table, store it as a 1-character scratch string
; and pass it to 0045B014 together with the accumulator.
0167:0040CA5A  LEA      EAX,[EBP-1C]
0167:0040CA5D  MOV      EDX,[EBP-08]
0167:0040CA60  SHR      EDX,1C
0167:0040CA63  AND      EDX,BYTE +0F
0167:0040CA66  MOV      DL,[EDX+0046EE4C]
0167:0040CA6C  MOV      [EAX+01],DL
0167:0040CA6F  MOV      BYTE [EAX],01
0167:0040CA72  LEA      EDX,[EBP-1C]
0167:0040CA75  LEA      EAX,[EBP-16]
0167:0040CA78  MOV      CL,09
0167:0040CA7A  CALL    0045B014
; Nibble 6 (shift 18): same sequence.
0167:0040CA7F  LEA      EAX,[EBP-1C]
0167:0040CA82  MOV      EDX,[EBP-08]
0167:0040CA85  SHR      EDX,18
0167:0040CA88  AND      EDX,BYTE +0F
0167:0040CA8B  MOV      DL,[EDX+0046EE4C]
0167:0040CA91  MOV      [EAX+01],DL
0167:0040CA94  MOV      BYTE [EAX],01
0167:0040CA97  LEA      EDX,[EBP-1C]
0167:0040CA9A  LEA      EAX,[EBP-16]
0167:0040CA9D  MOV      CL,09
0167:0040CA9F  CALL    0045B014
; Nibble 5 (shift 14): same sequence.
0167:0040CAA4  LEA      EAX,[EBP-1C]
0167:0040CAA7  MOV      EDX,[EBP-08]
0167:0040CAAA  SHR      EDX,14
0167:0040CAAD  AND      EDX,BYTE +0F
0167:0040CAB0  MOV      DL,[EDX+0046EE4C]
0167:0040CAB6  MOV      [EAX+01],DL
0167:0040CAB9  MOV      BYTE [EAX],01
0167:0040CABC  LEA      EDX,[EBP-1C]
0167:0040CABF  LEA      EAX,[EBP-16]
0167:0040CAC2  MOV      CL,09
0167:0040CAC4  CALL    0045B014
; Nibble 4 (shift 10): same sequence.
0167:0040CAC9  LEA      EAX,[EBP-1C]
0167:0040CACC  MOV      EDX,[EBP-08]
0167:0040CACF  SHR      EDX,10
0167:0040CAD2  AND      EDX,BYTE +0F
0167:0040CAD5  MOV      DL,[EDX+0046EE4C]
0167:0040CADB  MOV      [EAX+01],DL
0167:0040CADE  MOV      BYTE [EAX],01
0167:0040CAE1  LEA      EDX,[EBP-1C]
0167:0040CAE4  LEA      EAX,[EBP-16]
0167:0040CAE7  MOV      CL,09
0167:0040CAE9  CALL    0045B014
; Nibble 3 (shift 0C): same sequence.
0167:0040CAEE  LEA      EAX,[EBP-1C]
0167:0040CAF1  MOV      EDX,[EBP-08]
0167:0040CAF4  SHR      EDX,0C
0167:0040CAF7  AND      EDX,BYTE +0F
0167:0040CAFA  MOV      DL,[EDX+0046EE4C]
0167:0040CB00  MOV      [EAX+01],DL
0167:0040CB03  MOV      BYTE [EAX],01
0167:0040CB06  LEA      EDX,[EBP-1C]
0167:0040CB09  LEA      EAX,[EBP-16]
0167:0040CB0C  MOV      CL,09
0167:0040CB0E  CALL    0045B014
; Nibble 2 (shift 08): same sequence.
0167:0040CB13  LEA      EAX,[EBP-1C]
0167:0040CB16  MOV      EDX,[EBP-08]
0167:0040CB19  SHR      EDX,08
0167:0040CB1C  AND      EDX,BYTE +0F
0167:0040CB1F  MOV      DL,[EDX+0046EE4C]
0167:0040CB25  MOV      [EAX+01],DL
0167:0040CB28  MOV      BYTE [EAX],01
0167:0040CB2B  LEA      EDX,[EBP-1C]
0167:0040CB2E  LEA      EAX,[EBP-16]
0167:0040CB31  MOV      CL,09
0167:0040CB33  CALL    0045B014
; Nibble 1 (shift 04): same sequence.
0167:0040CB38  LEA      EAX,[EBP-1C]
0167:0040CB3B  MOV      EDX,[EBP-08]
0167:0040CB3E  SHR      EDX,04
0167:0040CB41  AND      EDX,BYTE +0F
0167:0040CB44  MOV      DL,[EDX+0046EE4C]
0167:0040CB4A  MOV      [EAX+01],DL
0167:0040CB4D  MOV      BYTE [EAX],01
0167:0040CB50  LEA      EDX,[EBP-1C]
0167:0040CB53  LEA      EAX,[EBP-16]
0167:0040CB56  MOV      CL,09
0167:0040CB58  CALL    0045B014
; Nibble 0 (bits 3..0): no shift is needed, only the mask.
0167:0040CB5D  LEA      EAX,[EBP-1C]
0167:0040CB60  MOV      EDX,[EBP-08]
0167:0040CB63  AND      EDX,BYTE +0F
0167:0040CB66  MOV      DL,[EDX+0046EE4C]
0167:0040CB6C  MOV      [EAX+01],DL
0167:0040CB6F  MOV      BYTE [EAX],01
0167:0040CB72  LEA      EDX,[EBP-1C]
0167:0040CB75  LEA      EAX,[EBP-16]
0167:0040CB78  MOV      CL,09
0167:0040CB7A  CALL    0045B014
; Hand the accumulator to 0045B060 with EAX = the pointer saved from ECX
; at entry; presumably this copies the finished string to the caller's
; buffer (max length 9) -- TODO confirm.
0167:0040CB7F  MOV      EAX,[EBP-0C]
0167:0040CB82  LEA      EDX,[EBP-16]
0167:0040CB85  MOV      CL,09
0167:0040CB87  CALL    0045B060
0167:0040CB8C  MOV      ESP,EBP
0167:0040CB8E  POP      EBP
0167:0040CB8F  RET   

其实就是把一个4字节的十六进制数转换为字符串。比如它第一次是把一个0x426B2FA9转换为$426B2FA9
第二次把0x6FB73A24转换为$6FB73A24.
-----------------------------------------
0167:0040CBBF  MOV      AL,[EBP-4D]
0167:0040CBC2  INC      EAX
0167:0040CBC3  CMP      EAX,BYTE +32
0167:0040CBC6  JG      0040CBDC
0167:0040CBC8  MOV      [EBP-10],EAX
0167:0040CBCB  MOV      EAX,[EBP-10]
0167:0040CBCE  MOV      BYTE [EBP+EAX-4D],2A
0167:0040CBD3  INC      DWORD [EBP-10]
0167:0040CBD6  CMP      DWORD [EBP-10],BYTE +33
0167:0040CBDA  JNZ      0040CBCB
0167:0040CBDC  LEA      EAX,[EBP+FFFFFF6C]
0167:0040CBE2  MOV      [EBP-0C],EAX
0167:0040CBE5  LEA      ECX,[EBP+FFFFFF60]
0167:0040CBEB  MOV      EAX,[EBP-04]
0167:0040CBEE  MOV      EDX,[EAX+0224]
0167:0040CBF4  MOV      EAX,[EBP-04]
0167:0040CBF7  CALL    0040CA38
这段代码就是把name不足50个字符的地方全部用'*'填满。然后再把上面的两个字符串分别加到你的名字前后,像下面那样
--------------------------------------------------------------
    $426B2FA9CoolBob*******************************************    $6FB73A24

|------------------一共71个字符------------------|

下面就要小心跟踪了,来到这里:
0167:0040C9E3  MOV      [EBP-08],EDX
0167:0040C9E6  MOV      [EBP-04],EAX
0167:0040C9E9  MOV      BYTE [EBP-15],00
0167:0040C9ED  MOV      EAX,[EBP-08]    <---EAX初始化为0xABCDEF
0167:0040C9F0  SHR      EAX,08
0167:0040C9F3  AND      EAX,00FFFFFF
0167:0040C9F8  MOV      [EBP-10],EAX
0167:0040C9FB  XOR      EAX,EAX
0167:0040C9FD  MOV      AL,[EBP-15]
0167:0040CA00  MOVZX    EAX,BYTE [EBP+EAX-5C] <---这里也就是刚才那个71个字符了
0167:0040CA05  XOR      EAX,[EBP-08]
0167:0040CA08  AND      EAX,FF
0167:0040CA0D  MOV      EAX,[EAX*4+0046EA44]  <----在TRW2000下把这段数据用                                                  <----w 46EA44 fe*4+46EA44 c:\data.bin抓下来
                          <----后面作注册机少不了这个。
0167:0040CA14  MOV      [EBP-14],EAX
0167:0040CA17  MOV      EAX,[EBP-10]
0167:0040CA1A  XOR      EAX,[EBP-14]
0167:0040CA1D  MOV      [EBP-08],EAX
0167:0040CA20  INC      BYTE [EBP-15]
0167:0040CA23  CMP      BYTE [EBP-15],47
0167:0040CA27  JNZ      0040C9ED          <----循环0x47次,也就是71次
这里算出来的EAX就是注册码的原型了,只是要把EAX包含的十六进制数转换为字符串输出即可!
----------------------------
0167:0040CE14  MOV      CL,[EAX+0375]
0167:0040CE1A  LEA      EDX,[EBP-42]
0167:0040CE1D  MOV      EAX,[EBP-04]
0167:0040CE20  CALL    0040CB94
0167:0040CE25  LEA      EAX,[EBP-50]     <-----d EAX (real code)
0167:0040CE28  LEA      EDX,[EBP-0E]    <-----d edx (our  code)
0167:0040CE2B  XOR      ECX,ECX
0167:0040CE2D  MOV      CL,[EAX]
0167:0040CE2F  INC      ECX
0167:0040CE30  CALL    0045B114    <-----比较是否相等
0167:0040CE35  SETZ    [EBP-0F]    <-----相等的话置注册成功标志1到[EBP-0F]
0167:0040CE39  CMP      BYTE [EBP-0F],00
0167:0040CE3D  JNZ      0040CE85    <-----if jump good boy:)
0167:0040CE3F  MOV      EAX,[EBP-04]
0167:0040CE42  MOV      BYTE [EAX+0375],01
0167:0040CE49  LEA      EAX,[EBP-50]
0167:0040CE4C  PUSH    EAX
0167:0040CE4D  MOV      EAX,[EBP-04]
0167:0040CE50  MOV      CL,[EAX+0375]
0167:0040CE56  LEA      EDX,[EBP-42]
0167:0040CE59  MOV      EAX,[EBP-04]
0167:0040CE5C  CALL    0040CB94
0167:0040CE61  LEA      EAX,[EBP-50]
0167:0040CE64  LEA      EDX,[EBP-0E]
0167:0040CE67  XOR      ECX,ECX
0167:0040CE69  MOV      CL,[EAX]
0167:0040CE6B  INC      ECX
0167:0040CE6C  CALL    0045B114
0167:0040CE71  SETZ    [EBP-0F]
0167:0040CE75  CMP      BYTE [EBP-0F],01
0167:0040CE79  JNZ      0040CE85
0167:0040CE7B  MOV      EAX,[EBP-04]
0167:0040CE7E  MOV      BYTE [EAX+0375],01
0167:0040CE85  MOV      AL,[EBP-0F]
0167:0040CE88  POP      EDI
0167:0040CE89  POP      ESI
0167:0040CE8A  MOV      ESP,EBP
0167:0040CE8C  POP      EBP
0167:0040CE8D  RET   
该程序注册正确后,会在其目录下生成一个叫iTime.key的文件。

3、在作注册机前的准备:
    我们要对那个TRW2000抓下来的data.bin进行一番处理。可以编个小程序来处理:
------------------------------------Start here--------------------------------------
#include
/*
 * Table-dump helper: reads 0xfe 4-byte words from c:\data.bin and writes
 * each one as a "0x...," literal to the screen and to c:\x.bin, so the
 * binary dump can be pasted into a C array initializer.
 *
 * NOTE(review): the listing does not compile as printed. The #include
 * line above it lost its header name in the page extraction, and the
 * first fopen() result is assigned to `fp`, which is never declared,
 * while fread() reads from `fp1`.
 * NOTE(review): neither fopen() result is checked and neither stream is
 * closed before main returns.
 */
main(){
FILE *fp1,*fp2;
unsigned long buffer[0xfe];   /* one slot per table word read below */
int i;
clrscr();                     /* not standard C; presumably from the TC2.0 toolchain the article lists */
fp=fopen("c:\\data.bin","rb+");
fp2=fopen("c:\\x.bin","w+");
for(i=0;i<0xfe;i++)
{fread(&buffer[i],4,1,fp1);   /* reads exactly 4 bytes per entry; assumes unsigned long is 4 bytes wide */
printf("0x%lX,",buffer[i]);
fprintf(fp2,"0x%lX,",buffer[i]);
if (i%6==0) fprintf(fp2,"\n");   /* line break after entry 0 and then after every sixth entry */
}
}
------------------------------------Cut here----------------------------------------    
上面这个程序就是把data.bin里面的二进制数据转换成4字节的长整数。
4、注册机
-------------------start here------------------
#include
#include
/*
 * Serial calculator as published by the article's author. It rebuilds the
 * 71-byte buffer described in the walkthrough -- the length-prefixed
 * string "$426B2FA9", one byte holding the name length, the name padded
 * with '*' up to 50 characters, then the length-prefixed string
 * "$6FB73A24" -- and folds it byte by byte through a table-driven update
 * seeded with 0xABCDEF. The final 32-bit state, printed in hex, is the
 * code.
 *
 * Why the scheme fails as a licence check: the two constants, the seed
 * and the lookup table all ship inside the program, and the transform is
 * an unkeyed checksum (the table holds the reflected CRC-32 values, e.g.
 * 0xEDB88320), so the expected code can be recomputed from the binary
 * alone. A check meant to resist this verifies a signature produced with
 * a private key that is never distributed with the product.
 */
main()
{
/* 0x9 is the length byte; the remaining bytes are ASCII "$426B2FA9". */
char string1[]={0x9,0x24,0x34,0x32,0x36,0x42,0x32,0x46,0x41,0x39};
/* 0x9 is the length byte; the remaining bytes are ASCII "$6FB73A24". */
char string2[]={0x9,0x24,0x36,0x46,0x42,0x37,0x33,0x41,0x32,0x34};
char name[50];
char code[8];                 /* not referenced in the lines shown */
char sns[71];                 /* the 71-byte buffer that is checksummed */
/* Lookup table; per the article these words were captured from the
   program's data at 0046EA44. */
unsigned long data[]={0x0,
0x77073096,0xEE0E612C,0x990951BA,0x76DC419,0x706AF48F,0xE963A535,
0x9E6495A3,0xEDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x9B64C2B,
0x7EB17CBD,0xE7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0xF3B97148,
0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7,0x136C9856,
0x646BA8C0,0xFD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0xFA0F3D63,
0x8D080DF5,0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172,0x3C03E4D1,
0x4B04D447,0xD20D85FD,0xA50AB56B,0x35B5A8FA,0x42B2986C,0xDBBBC9D6,
0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,0x26D930AC,
0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,
0xB8BDA50F,0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,
0x58684C11,0xC1611DAB,0xB6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,
0xEFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0xE8B8D433,0x7807C9A2,
0xF00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,
0xE6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,0x6C0695ED,
0x1B01A57B,0x8208F4C1,0xF50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,
0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,0x4DB26158,
0x3AB551CE,0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,
0xD3D6F4FB,0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,
0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,0x5005713C,0x270241AA,0xBE0B1010,
0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F,0x5EDEF90E,
0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,0xB7BD5C3B,
0xC0BA6CAD,0xEDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0xEAD54739,
0x9DD277AF,0x4DB2615,0x73DC1683,0xE3630B12,0x94643B84,0xD6D6A3E,
0x7A6A5AA8,0xE40ECF0B,0x9309FF9D,0xA00AE27,0x7D079EB1,0xF00F9344,
0x8708A3D2,0x1E01F268,0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,
0x6E6B06E7,0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,
0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0xD6D6A3E8,0xA1D1937E,0x38D8C2C4,
0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,0xD80D2BDA,
0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,
0x4669BE79,0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,
0xBB0B4703,0x220216B9,0x5505262F,0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,
0x5CB36A04,0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,
0xEC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0xEB0E363F,0x72076785,
0x5005713,0x95BF4A82,0xE2B87A14,0x7BB12BAE,0xCB61B38,0x92D28E9B,
0xE5D5BE0D,0x7CDCEFB7,0xBDBDF21,0x86D3D2D4,0xF1D4E242,0x68DDB3F8,
0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,
0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,
0x166CCF45,0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,
0xD06016F7,0x4969474D,0x3E6E77DB,0xAED16A4A,0xD9D65ADC,0x40DF0B66,
0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9,0xBDBDF21C,
0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,0xCDD70693,0x54DE5729,
0x23D967BF,0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,0xB40BBE37,
0xC30C8EA1};
/* `ebp` is the running 32-bit state (seed 0xABCDEF); the name mirrors the
   [EBP-08] slot used by the disassembled loop in the article. */
int i,j;unsigned long ebp=0xABCDEF,eax;
clrscr();
printf("iTime (International Version) Keymaker by CoolBob[CCG]\n");
printf("written at 2001.4.25\n");
printf("name: ");
/* NOTE(review): "%s" has no field width, so an input of 50 or more
   characters writes past the end of name[50]. */
scanf("%s",name);printf("\n");
for(i=0;i<10;i++)sns[i]=string1[i];
sns[10]=strlen(name);         /* length byte placed in front of the name */
/* NOTE(review): the next line is damaged in the page extraction -- the
   text between "i" and "if" is missing, so it does not compile as shown.
   What survives fills sns[strlen(name)+11 .. 60] with '*'. */
for(i=11;iif (strlen(name)<50) {for(i=strlen(name)+11;i<61;i++) sns[i]='*';};
for(i=61;i<71;i++) sns[i]=string2[i-61];
/* 0x47 = 71 iterations, one per buffer byte:
   index = (byte ^ state) & 0xFF; state = (state >> 8) ^ data[index]. */
for(i=0;i<0x47;i++)
{
eax=ebp;
eax=(eax>>8)&0x00FFFFFF;
j=(sns[i]^ebp)&0xFF;
ebp=eax^data[j];
}
printf("code: %lX\n\n",ebp);
printf("Hmm,OK,that's your code!!enjoy yourself! Contact me at CoolBob@21cn.com :-)\n");
printf("press any key to exit!!");
getch();
}



--------------------cut here---------------------

written by CoolBob[CCG]
2001.4.26
(CIH??)
CopyRight reserved by China Cracker Group

标准的crc32算法 (空)



    
    
     
    
    
     
