探索杂志第六期

杂志宗旨：知识共享资料共享资源共享

制作成员：程式猎人

发行时间：

网站地址：http://programhunter.home.china.com

编辑寄语：

��这期将要向大家介绍什么呢？大家不要这样急吗，我当然是向大家介绍比较好的破解文章了，今天向大家介绍我个人破解的难度比较大的一个软件它的名字叫Custom StartUp 1.01，这个软件破解成功同我以前破解的一个软件有些极为相似的地方，另一个软件的破解过程同它是一样的注册过程，如果有必要的话，我将在下期放上那个软件的破解过程。那个软件是screen taker V2.31

1.	破解心得	Custom StartUp 1.01	程式猎人
		How to crack CD Player for Win95 Version 1.32	dREAMtHEATER
		How to crack a CD Protection in Blood2 by ByteBurn	ByteBurn
2.	初学天地
3.	问题答疑
4.	网站介绍
5.	杂志信箱

                  Custom StartUp 1.01 
                                程式猎人
软件名称：Custom StartUp 1.01 
文件大小：407 KB
软件授权：共享软件
使用平台：Win95/98/NT
发布公司：http://members.xoom.com/gboban/index.htm 
软件简介：让你管理、备份那些从“启动”文件夹、注册表、WIN.INI 自动启动的命令行。

追踪：RN：0123-01234567
   这个备份软件的注册过程同我以前注册的screen taker V2.31是非常的相似，相似的我
几乎一下子就知道它如何破解的了。现在就开始对它进行破解。
004464B7 FF75FC                  push [ebp-04]
004464BA 68E0654400              push 004465E0
004464BF 8D55F8                  lea edx, dword ptr [ebp-08]
004464C2 A1108D4400              mov eax, dword ptr [00448D10]
004464C7 8B00                    mov eax, dword ptr [eax]
004464C9 8B80F4010000            mov eax, dword ptr [eax+000001F4]
004464CF E8887DFDFF              call 0041E25C
004464D4 FF75F8                  push [ebp-08]
004464D7 8D4304                  lea eax, dword ptr [ebx+04]
004464DA BA03000000              mov edx, 00000003
004464DF E854D6FBFF              call 00403B38
004464E4 8BC3                    mov eax, ebx
004464E6 E875EBFFFF              call 00445060
004464EB 84C0                    test al, al
004464ED 7515                    jne 00446504
004464EF 6A00                    push 00000000
004464F1 668B0DE4654400          mov cx, word ptr [004465E4]
004464F8 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"Invalid Registration Key!"
                                  |
004464FA B8F0654400              mov eax, 004465F0
004464FF E808F5FEFF              call 00435A0C
  从上面可以看到提示出错的地方，那么我们自然就进入call 00445060中
00445079 648920                  mov dword ptr fs:[eax], esp
0044507C 8B4304                  mov eax, dword ptr [ebx+04]
0044507F E8F4E9FBFF              call 00403A78
00445084 83F80F                  cmp eax, 0000000F  比较注册码个数为15
00445087 7407                    je 00445090
00445089 33DB                    xor ebx, ebx
0044508B E9DA000000              jmp 0044516A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00445087(C)
|
00445090 8B5304                  mov edx, dword ptr [ebx+04]
00445093 B8A0514400              mov eax, 004451A0
00445098 E867ECFBFF              call 00403D04
0044509D 83F805                  cmp eax, 00000005 比较"-"是否为第5位
004450A0 7407                    je 004450A9
004450A2 33DB                    xor ebx, ebx
004450A4 E9C1000000              jmp 0044516A
  上面还是相当的简单就可以轻易的得到的，下面才是这个软件关键的地方，
004450DD 8B049D0C8B4400          mov eax, dword ptr [4*ebx+00448B0C] 0123
004450E4 8B55FC                  mov edx, dword ptr [ebp-04]         rn10
004450E7 E89CEAFBFF              call 00403B88
004450EC 75E9                    jne 004450D7
  现在比较的是前面四位的值，这里是简单的，继续向下追踪：
00445108 8B55F8                  mov edx, dword ptr [ebp-08]
00445108 8B55F8                  mov edx, dword ptr [ebp-08]
0044510B 8B45FC                  mov eax, dword ptr [ebp-04]
0044510E E885FAFFFF              call 00444B98
00445113 8B45F4                  mov eax, dword ptr [ebp-0C]
00445116 E82119FCFF              call 00406A3C    <-出错
0044511B 8BD8                    mov ebx, eax
0044511D 33C0                    xor eax, eax
0044511F 5A                      pop edx
00445120 59                      pop ecx
00445121 59                      pop ecx
00445122 648910                  mov dword ptr fs:[eax], edx
00445125 EB13                    jmp 0044513A
00445127 E978DFFBFF              jmp 004030A4
0044512C 33DB                    xor ebx, ebx
0044512E E815E2FBFF              call 00403348
00445133 EB35                    jmp 0044516A
00445135 E80EE2FBFF              call 00403348

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00445125(U)
|
0044513A 8BC3                    mov eax, ebx
0044513C B943000000              mov ecx, 00000043
00445141 99                      cdq
00445142 F7F9                    idiv ecx
00445144 8BC8                    mov ecx, eax
00445146 83F901                  cmp ecx, 00000001
00445149 7C08                    jl 00445153
0044514B 81F9E8030000            cmp ecx, 000003E8
00445151 7E04                    jle 00445157

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00445149(C)
|
00445153 33DB                    xor ebx, ebx
00445155 EB13                    jmp 0044516A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00445151(C)
|
00445157 8BC3                    mov eax, ebx
00445159 B943000000              mov ecx, 00000043
0044515E 99                      cdq
0044515F F7F9                    idiv ecx
00445161 4A                      dec edx
00445162 7404                    je 00445168
00445164 33DB                    xor ebx, ebx
00445166 EB02                    jmp 0044516A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00445162(C)
|
00445168 B301                    mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|0044508B(U), 004450A4(U), 004450F5(U), 00445133(U), 00445155(U)
|00445166(U)
|
0044516A 33C0                    xor eax, eax  
 从0044510E到0044516A这里是这个程序主要的比较过程，在上面标记的地方出错，我因为
已经将这个软件破解出来了，所以现在来讲解时，当然可以从系统的方面来介绍它。那个出
错的地方我们以后一定要进入，但是现在是先介绍它如何能注册成功。这个对以后的运算目
的是很重要的。在***处大家看到了吧，这里将使bl=1，而出错时是将bl=0，这就说明这个
程序如果要注册成功一定要让程序走到这个位置，那么我们必需回避那里才能使用程序走到
这里，我们在前比较明码的地方就已经知道了一个地方，就是下面的地方。
0044516A 33C0                    xor eax, eax  
这里将bl=0，现在我想对那些初学者说一个小经验，就是象上面那里可以跳到出错的地方，
记住这个出错的地方的地址，只要以后能跳到这个地址的地方，都是我们要避开的地方。现
在大家向上看，那里有可以跳到出错的地方。
  上面共有两个地方可以跳到出错的地方，那么我们就一定要回避这两个地方。现在就分析
一下如何回避它们。首先来看第一个地方，在那里我们将有什么样的结论呢？程序在那里使
用的eax/43(H)后，得到的余数一定要大于0小于3E8(H)，这样它才能不跳到出错的地方，不
知道你们是否看明白没有，如果没有可就不能怪我，你们就要学习学习汇编语言了。对于我
们已经知道的第一个可以避开出错的地方，那么有人会问那个eax从何而来的，这个大家先
不要去管它，我们先弄明白如何能避开出错的地方，到以后就是水到渠成了。现在我们再研
究一下第二个出错的地方。在这里它还是使用eax/43后得到余数edx，将edx-1应当等于0，
这样它才能跳到使bl=1的地方，这个也就是说eax/43后得到的余数一定要为1，这样才满足
程序的要求。好了现在所有的出错的地方我们都已经研究过了，我们现在的任务就是要如何
解决掉那个出错的call。现在就进入那个出错的call中，开始对它进行攻击。
如下：
00406A4D 55                      push ebp
00406A4E 68A46A4000              push 00406AA4
00406A53 64FF30                  push dword ptr fs:[eax]
00406A56 648920                  mov dword ptr fs:[eax], esp
00406A59 8D55FC                  lea edx, dword ptr [ebp-04]
00406A5C 8BC3                    mov eax, ebx
00406A5E E891BFFFFF              call 004029F4   ***
00406A63 8BF0                    mov esi, eax
00406A65 837DFC00                cmp dword ptr [ebp-04], 00000000
00406A69 7423                    je 00406A8E
00406A6B 8D55F8                  lea edx, dword ptr [ebp-08]
00406A6E B8F0644000              mov eax, 004064F0
00406A73 E890DDFFFF              call 00404808
00406A78 8B45F8                  mov eax, dword ptr [ebp-08]
00406A7B 50                      push eax
00406A7C 895DF0                  mov dword ptr [ebp-10], ebx
00406A7F C645F40B                mov [ebp-0C], 0B
00406A83 8D55F0                  lea edx, dword ptr [ebp-10]
00406A86 33C9                    xor ecx, ecx
00406A88 58                      pop eax
00406A89 E8EAFCFFFF              call 00406778
***处是一个关键地方，所以我们还要进入call中。
00402A07 8A1E                    mov bl, byte ptr [esi]
00402A09 46                      inc esi
00402A0A 80FB20                  cmp bl, 20
00402A0D 74F8                    je 00402A07
00402A0F B500                    mov ch, 00
00402A11 80FB2D                  cmp bl, 2D
00402A14 7445                    je 00402A5B
00402A16 80FB2B                  cmp bl, 2B
00402A19 7442                    je 00402A5D
00402A1B 80FB24                  cmp bl, 24
00402A1E 7442                    je 00402A62

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00402A60(U)
|
00402A20 84DB                    test bl, bl
00402A22 7432                    je 00402A56

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00402A3C(C)
|
00402A24 80EB30                  sub bl, 30
00402A27 80FB09                  cmp bl, 09
00402A2A 772A                    ja 00402A56
00402A2C 39F8                    cmp eax, edi
00402A2E 7726                    ja 00402A56
00402A30 8D0480                  lea eax, dword ptr [eax+4*eax]
00402A33 01C0                    add eax, eax
00402A35 01D8                    add eax, ebx
00402A37 8A1E                    mov bl, byte ptr [esi]
00402A39 46                      inc esi
00402A3A 84DB                    test bl, bl
00402A3C 75E6                    jne 00402A24
00402A3E FECD                    dec ch
00402A40 7410                    je 00402A52
00402A42 85C0                    test eax, eax
00402A44 7C10                    jl 00402A56
我们进入call 004029F4后将来到这里，上面的地方大家发现没有，其实它就是运算我们前
面所研究的那个eax，在这里我们可以看到那个bl要有一定的要求。bl的值一定要在30(H)到
39(H)之间，也就是数字，而上面的过程就是将字符数字转化为运算的数字。也就是说字符
串12345使用上面的过程就可以将字符串转化为数字12345，这个有什么不同的？我想这个就
不用我再说了吧。再说一下，那个转化的数字是10进位的。
  现在我们就可以知道了它的过程了。那么我们研究的关键是如何得到那个bl值，对了，这
个软件的注册关键就在这里。我们将如何得到那个经过运算过的bl值。
  现在就应当展开搜捕了，捕捉到那个bl值了。经过我的追踪发现在主程序中call 00444B9
8这里将是第一次的运算bl过程。我们就进入call中看一看它将如何计算。

如下：
00444C0B 8A4402FE                mov al, byte ptr [edx+eax-02]
00444C0F E870FFFFFF              call 00444B84
00444C14 8BD8                    mov ebx, eax
00444C16 C1E302                  shl ebx, 02
00444C19 8BC6                    mov eax, esi
00444C1B 03C0                    add eax, eax
00444C1D 8B55F8                  mov edx, dword ptr [ebp-08]
00444C20 8A4402FF                mov al, byte ptr [edx+eax-01] 奇数位上的值
00444C24 E85BFFFFFF              call 00444B84
00444C29 0AD8                    or bl, al
00444C2B 8D45E0                  lea eax, dword ptr [ebp-20]  相邻偶数上的值
00444C2E 8BD3                    mov edx, ebx
00444C30 E86BEDFBFF              call 004039A0
00444C35 8B55E0                  mov edx, dword ptr [ebp-20]
00444C38 8D45E8                  lea eax, dword ptr [ebp-18]
00444C3B E840EEFBFF              call 00403A80
00444C40 46                      inc esi
00444C41 4F                      dec edi
00444C42 75C0                    jne 00444C04
上面就开始使用我们输入的后面10位值了。程序首先使用奇数位上的值如第1位1，将它带入
call 00444B84中，算出一个值来，再将它*4后，得到bl值，然后再使用相邻的偶数位上的
值（这里偶数位上的值是指奇数位后面的偶数），这里就将使用2来计算，将2带入同样的ca
ll中，运算出第二个值来al，将bl OR al就可以得到一个运算的值，但是这个运算的值还不
是我们上面的bl值，在下面我们还要有一次运算。现在我们就来说一下那个call是如何运算
值的。这个就要参考我在下面提供的附表1了，call 00444B84的计算实际上就是将我们输入
的字符找出在附表1中的位置值，如我输入的2，它在附表中的值就为36，那么它在出这个ca
ll后的al=36，现在你们就应当明白它是如何计算我们输入的值了。现在我们还不能做什么
，因为在下面还有一个地方等着我们去分析它。

如下：

00444C53 BE01000000              mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00444C85(C)
|
00444C58 8B45E8                  mov eax, dword ptr [ebp-18]
00444C5B 8A5C30FF                mov bl, byte ptr [eax+esi-01]
00444C5F 8BC6                    mov eax, esi
00444C61 99                      cdq
00444C62 F77DEC                  idiv [ebp-14]
00444C65 8B45FC                  mov eax, dword ptr [ebp-04]
00444C68 8A4410FF                mov al, byte ptr [eax+edx-01] <-72 6E 31 00 7200444C6C 32D8                    xor bl, al
00444C6E 8D45E0                  lea eax, dword ptr [ebp-20]
00444C71 8BD3                    mov edx, ebx
00444C73 E828EDFBFF              call 004039A0
00444C78 8B55E0                  mov edx, dword ptr [ebp-20]
00444C7B 8D45E4                  lea eax, dword ptr [ebp-1C]
00444C7E E8FDEDFBFF              call 00403A80
00444C83 46                      inc esi
00444C84 4F                      dec edi
00444C85 75D1                    jne 00444C58
上面就是程序第二个计算的地方，当在这里计算完后的值就是我们在将字符串转为数字的值
了。上面是如何计算的呢？上面我已经标明的所需要的条件了。它实际上就是使用我们在前
面第一次得到的bl值（共5个值）再同下面的那5个值进行XOR操作，得到的bl值将是我们想
要得到的值。
  我们到此已经明白了这个软件的整个注册过程了，现在就是如何通过计算得到注册码了问
题了。那么我们将怎样计算得到注册码呢？我们在前面得到的可以避开出错地方的条件在这
里就得到了应用了。程序要求我们计算后的值除以43(H)后应当得到余数1，那么满足这个条
件的数值将有什么呢？这里我使用了最简单的一个值因为43(H)=67(D),那么只要计算得到68
就满足条件了。现在我们有了一个明确的值了，再进行前面的XOR操作就简单多了。
  我们完成XOR后，应当得到0 0 0 6 8这5个值，这样就能注册成功了。我们就使用反推法来
计算第一个值，
  bl XOR 72 =30
  通过计算这个bl值应当等于42，而这个42的值是通过第1位的位置值*4再同第2位的位置值
进行或操作得到的。现在就再来讨论如何得到这两个值，因为a OR b =42，这里因为使用了
OR操作，经我查OR表发现只有当0 OR 4 =4，4 OR 4=4（这里专指4的位），因为a和b都为附
表中的位置值，所以没有一个可以在首位上等于4的，所以在这里只有首位为0和1的满足条
件（因为bl*4）。现在就设第1位为Q，那么第二位应当等于什么呢？现在就开始计算第二个
值，因为第一个值为Q，它的位置值为10则有 10 or b =42，查OR表可以知道当b=02时就能
够满足上面的要求，所以前两个值就为QC，其它的8个值同上面计算一样，我就不再介绍了
。
  好了，我这节课也应当结束了，也不知道大家都听懂没有，如果没有听懂可以给我写信，
。再见！！！

      30        30         30          36           38
      72        6e         31          00           72
 xor  42        5e         01          36           4a
  a   10        10         00          00           10
  b   02        1e         01          36           0a

附表1：
  序号：0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F 10  11  12  13  14  15
  字母：A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q   R   S  T   U    V
  序号：16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C
  字母：W  X  Y  Z  a  b   c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s
  序号：2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D
  字母： t  u  v  w  x  y  z  0  1  2  3  4  5  6  7  8  9

                    ************************
                    *  RN:rn10-QCQeABA2QK  *
                    ************************

                 Tutor4  How to crack CD Player for Win95 Version 1.32

作者:dREAMtHEATER
写作日期: 30th, July 1999

软件背景资料

运行平台: Win9X  
文件名称: cdply132.zip
程序类型: CD播放器
下载地点: http://www43.pair.com/pkayser/
文件大小: 378KB

使用的工具

SoftIce V3.25--Win9X Debugger
W32Dasm V8.93--Win9X Dissembler
Hex WorkShop v2.54--Hex Editor
RegSnap V2.51--Registry Tracer

难易程度

Easy(x)  Medium( )  Hard( )  Pro( )

                   ----------=======声明========----------

      本教程只供教学用，其他一切用途皆被禁止。

               
                  ----------=======软件介绍========----------

      CD Player is a full featured CD Player that has a touch sensitive LED display. 
Shows elapsed time or remaining time. Will also display the title of the song. CD 
Player has controls for Stop, Play, Pause, Eject, Skip forward, Skip backward, Seek 
forward and Seek backward.  CD Player has touch sensitive controls for continuous 
play, random play,  introduction play, and volume. Play lists may also be created. 
The play lists may be configured to skip or repeat selected tracks. 

                ----------=======软件的保护机制========-------

      单纯的Password保护，未注册时，每次启动均会出现提示请注册的窗口（nag screen)
,注册后将code存在HKEY_USERS\.DEFAULT\Software\Kayser\CD Player\Password
      
                     ----------=======正文========----------
       
Part1 寻找HardCode
      
      前面我已说到，此软件只需输入password即可注册，这说明这个code是程序本身内
建的（built-in),专业术语称之为hardcode。
      今天我不讲如何从内存中如何嗅出他的注册码，由于软件作者的弱智，使我数分钟之
内找出他的注册码。
      首先在W32Dasm中反汇编文件pkcdplay.exe,点击工具栏图标“String Data 
References”，出现的窗口将列出所有本程序参考的字符串，截取如下：

"U5A"
"Unable to open volume control"
"Unhandled Exception"
"Unknown error"
"Unknown Exception"
"unknown"
"Unknown"
"UsePlayList"
"USER32"
"VW926AR2"     <==Reg Code
"W}A"
"What's this?"
"Written"
"X"
"x"
"X)D"
"x=trace into it
:004055E9 59                      pop ecx
:004055EA 84C0                    test al, al
:004055EC 750D                    jne 004055FB    <==注册时跳转

* Possible StringData Ref from Data Obj ->"CD Player    Unregistered"
                                  |
:004055EE 68BAA04400              push 0044A0BA
:004055F3 53                      push ebx

* Reference To: KERNEL32.lstrcpyA, Ord:0000h
                                  |
:004055F4 E8FA250400              Call 00447BF3

2)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402DAA(C)
|

* Possible StringData Ref from Data Obj ->"CD Player    Unregistered"
                                  |
:00402DB7 682C954400              push 0044952C

         经验证，第一部分是我们需要的，具体分析过程我就不在赘述了。
         在004055E4至004055EC处又是经典的call/test/conditional jump语句,让我
们trace into那个call

* Referenced by a CALL at Addresses:
|:00404240   , :004055E4   
|
:0040C78F 55                      push ebp
:0040C790 8BEC                    mov ebp, esp
:0040C792 83C4F4                  add esp, FFFFFFF4
:0040C795 53                      push ebx
:0040C796 56                      push esi
:0040C797 33DB                    xor ebx, ebx
:0040C799 8D45F8                  lea eax, dword ptr [ebp-08]
:0040C79C 50                      push eax
:0040C79D 8D55FC                  lea edx, dword ptr [ebp-04]
:0040C7A0 52                      push edx
:0040C7A1 6A00                    push 00000000
:0040C7A3 683F000F00              push 000F003F
:0040C7A8 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"CD Player"
                                  |
:0040C7AA 688FA54400              push 0044A58F
:0040C7AF 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Software\Kayser\CD Player\Password"
                                  |
:0040C7B1 686CA54400              push 0044A56C
:0040C7B6 6801000080              push 80000001

* Reference To: ADVAPI32.RegCreateKeyExA, Ord:0000h
                                  |
:0040C7BB E8EDB70300              Call 00447FAD
:0040C7C0 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:0040C7C3 51                      push ecx
:0040C7C4 6A00                    push 00000000
:0040C7C6 6A00                    push 00000000
:0040C7C8 6A00                    push 00000000
:0040C7CA 6A00                    push 00000000
:0040C7CC FF75FC                  push [ebp-04]

* Reference To: ADVAPI32.RegQueryValueExA, Ord:0000h
                                  |
:0040C7CF E8D3B70300              Call 00447FA7
:0040C7D4 FF75F4                  push [ebp-0C]
:0040C7D7 E8448A0300              call 00445220
:0040C7DC 8BF0                    mov esi, eax
:0040C7DE 8D45F4                  lea eax, dword ptr [ebp-0C]
:0040C7E1 59                      pop ecx
:0040C7E2 50                      push eax
:0040C7E3 56                      push esi
:0040C7E4 6A00                    push 00000000
:0040C7E6 6A00                    push 00000000
:0040C7E8 6A00                    push 00000000
:0040C7EA FF75FC                  push [ebp-04]

* Reference To: ADVAPI32.RegQueryValueExA, Ord:0000h
                                  |
:0040C7ED E8B5B70300              Call 00447FA7

* Possible StringData Ref from Data Obj ->"VW926AR2"    <==看到了什么
                                  |
:0040C7F2 6899A54400              push 0044A599
:0040C7F7 56                      push esi

* Reference To: KERNEL32.lstrcmpiA, Ord:0000h
                                  |
:0040C7F8 E8BAB30300              Call 00447BB7
:0040C7FD 85C0                    test eax, eax
:0040C7FF 7509                    jne 0040C80A
:0040C801 C6053F44450001          mov byte ptr [0045443F], 01
:0040C808 B301                    mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C7FF(C)
|
:0040C80A FF75FC                  push [ebp-04]

* Reference To: ADVAPI32.RegCloseKey, Ord:0000h
                                  |
:0040C80D E8A1B70300              Call 00447FB3
:0040C812 56                      push esi
:0040C813 E8B0890300              call 004451C8
:0040C818 59                      pop ecx
:0040C819 8BC3                    mov eax, ebx
:0040C81B 5E                      pop esi
:0040C81C 5B                      pop ebx
:0040C81D 8BE5                    mov esp, ebp
:0040C81F 5D                      pop ebp
:0040C820 C3                      ret

       Cool!这段代码寻找注册表中的注册码，并验证是否正确，以寄存器al为返回值。
若al=1,即表示已注册。你还发现此段代码还被另一个地方呼叫，经验证，是检查程序启始
是否出现nag screen。
       好！我们怎么修改此段代码呢？我没有再仔细分析这段代码，既然他需要用al作为
返回值，并且等于1为注册，我用了最简单的方法：
       在0040C78F处，修改代码为mov eax, 00000001; ret
       不要告诉我你不太明白。最后，还需提醒你，这也是最关键的，那就是请注意堆栈
（Stack)平衡，否则会使你的系统#$%@^!* 其方法就是看看CALL语句的前面是否有参数被
Push, 以及CALl后是否被Pop掉。
       到此为止，该收兵了！      

                  ----------=======The Patch========----------

       在文件pkcdplay.exe的offset:0000BD8F处，修改558BEC83C4F4 为 B801000000C3

   Warning, this tutorial is a real mother!!  *grin*
 
   Ok, let's rock!!
 
 
   You'll need the following tools:
 
   (I use these tools, I assume you'll use 'em, but it doesn't
   mean that you'll need to use all those tools, so be sure to
   get them handy for the examples in this tutorial!)
 
   SoftIce 3.25 Beta
   W32Dasm 8.93
   Hacker's View 6.02
   SmartCheck 6.01
   TASM 5.00
   Windows Commander 3.53 (I use it coz of easier to multitask)
 
   Don't ask me where to download all these tools since you had
   a chance to get them when you used my older tutorials. Here
   are a few good cracking sites where you can grab tools from:
 
   http://cracking.home.ml.org or http://surf.to/HarvestR
 
   or ask any crackers to get you these tools!
 
   Are you ready?!
 
   OK! ;)
 
 
PART 1: How to crack a CD Protection in Blood2 by ByteBurn
 
 
At first excuse my english i know that it isnt the best and i'll do my best ;)
 
 
What we need:
-------------
 
You need Wdasm8.9 and Hiew5.9.There are new versions out but i always use this two.
W32Dasm 8.9 is a Windows disassembler.You can use it on W95/98 cause it is 32-Bit.
Hiew is a nice Hex-Editor with Decode function.
 
 
1.Hello
-------
 
Hello dudes.Now i'll explain you how to crack Blood2.Blood2 is a cute little
shoot磂m up with a very simple copy protection.We can talk here about a cd-protection.
Cause when you dont have the game cd in drive it wont run.Thats the first thing you see
when you start it.And thats the first thing you're to know when you want to crack it.
Which kind of protection.There are many protection shemes but i'll explain here the most 
using protections you'll see in your later life as a cracker ;).
 
At first we're a simply protection sheme i'll here call WEB.Hmm whats that?It磗 simply
to explain.A protection sheme most found on games like Blood2 - Anno1602 - Quake2 - NFSI-IISE...
We talk 碽out cd-protections.Very simple.Anything checks if there is the cd in drive,if it is
then it'll continous if not anything else let pops up the error message you recieve on the 
screen.This error message is in a little message box.And cause we're using Windows95-98 (i think
you do) its a Windows message box.And cause the message box contain a error message i call it
Window Error Box and WEB is the shortcut i'll use in this tutorial (ehhh now you know it ;)).
 
If you know how to handle Delphi i am sure you used this kind of message box in any of your coded
programms like when the user click on Exit it'll pop up a message box which contain the sentence
Good Bye or anything else.Easy to create with Delphi by creating a button,doubleclick on it so 
you come to the unit window and then you're to enter: showmessage('Good Bye Dude');  thats all.
But back to the tutor.This is the WEB protection.Then we're Nag-Screens.This little dudes are 
harder to crack then WEB磗 cause you cant crack them with Wdasm (how i know...maybe anyone is so
good to crack it with WDasm).Here you're to use Soft-Ice.A Nag-Screen is a little Window most
with any nice picture where you can read that your trial period has expired or something else.
This kind you can see in LBA2 - Commandos...If a time period is over the programm register this
in most kinds by your system clock and you see the Nag-Screen.In some kind of games you can find
this protection shemes too.Then we're a key protection.Found on most applications like WinZip - 
WinRAR - PhotoShop...Here you're to enter any key to unlock your version from trial to full.
 
This protection is mostly found with a Nag-Screen and a WEB.At first your time expired.Then you
have to enter the serial key and then comes the message box which contain a good or bad message.
Serial Key protection you can crack with soft-ice.In some kinds you can crack it with Wdasm.
When you use Soft-Ice you create a own key for your name or read the original key from the prog.
When you use Wdasm you can only change the prog that it wont show you the bad error message but
will always show you something like "Thanks for Register this Programm" no matter which name or
key you enter.But thats not so good like make the key with Soft-Ice cause it wont work every 
time.A good example is WinRAR.When you crack it with Wdasm you can enter any key and it say 
"Thank you for Registry" but when you restart the prog you're to register it a second time.
How you see,on the one site its easyer to crack on the other site its not so good.
Ok now lets go to Blood2.
 
 
2.Blood2
--------
 
Ok install Blood2 on regular size and grab the cd outa drive.Now click on Blood2.exe.Wow which
special effect,you hear a scream and a little window pops up.Now after you make all your options
ready and click on Start...bing...there is our little WEB.Please insert the cd into drive.
Now your option.Insert the cd and click on ok or click on abort to return to windows.This is the
time for you where you're to buy it,get a crack from the net,kill it from hd,or read a nice tut
like this one and make it by yourself ;).You chose the last one great ;).Ok at first go to your
hd manager programm like Norton Commander and go to your directory where you installed Blood2.
 
This part is very needfull for you so please read it!!!
Now you're on Blood2 directory.Make two copys of the original Blood2.exe.One you're to call
Blood2.w32 and one Blood2.exx.Why?Its very easy to explain.Cause when you must disassemble the 
exe in WDasm,you can use the Blood2.exe.Hmm ok...But what when you make a error and have to 
disassemble the file again?Thats not so good for bigger files.Cause you cant use one file in 
different programms at the same time.A example.You disassembled the file with Wdasm,right your
numbers down and now you want to patch it with Hiew.Hmm...now you're to close Wdasm to use the
exe in Hiew so you can edit it.If you dont close Wdasm and want to edit it in Hiew you get a 
error like "Read mode only".Thats what i mean.You use it with Wdasm so you cant use it with Hiew
too.Now when you want to disassemble the file disassemble the *.w32 file.Now its no problem to 
look on the file in Wdasm and also edit the same file in Hiew.
The second copy you're to call Blood.exx.Its a backup of the original exe.No one is perfect and
make any mistake in cracking.So if yo patch any wrong part of the file so that the programm wont
run you can copy the Blood2.exx to Blood2.exe and everything is alright now ;).
 
 
3.Go to cracking
----------------
 
Now the interesting part.Run W32Dasm and disassemble the Blood2.w32 file by clicking on 
Disassembler\Open file to disassemble.Now go to your directory where you installed Blood2 and
where you saved Blood2.w32 and doubleclick on Blood2.w32.The disassembling process start.
At this point you're to know that how bigger the file to disassemble so more time it will take.
 
For example:
I're a AMD K6 2-350 with 64MB SD-RAM and a 9ms HD.A 4MB file take up to 10mins to disassemble.
So you can calculate what it'll do when you're only a P133 with 16MB EDO...good bye time ;).
Ok back to Blood2.Hey it finished the process great.Uno momento por favor!!!Whats that!?!
Ther is only wirr warr written with wingdings font.No mucho problemo amigo!Click on Disassembler\
Font\Select Font.Now you can select your favorit font.Its good to say that you may dont chose any
font like HandWriting or MickeyMouse ;).You may have to chose Arial or better Terminal.
Ok you chose terminal and click on ok.Now a second time on Disassembler\Font\Save Font.Do that
or you can on the next start chose a second time your font.So please save your font.Ok.
Now click on String Data References Button on the upper right corner.We'll call it SDR button.
 
Ahh a little window pops up.What is all that?Here you can see the messages and other things of 
the prog.At this point it is usefull to say that you dont have everytime a SDR button avaible 
but can crack it with Wdasm.Thats the part where you're to Search for your error message.Click
on Search\Fint Text.Now a little window pops up.Here you can enter the error message you recieved
by the game.You dont have to enter all the text only the first word like "Please".Then click
on ok and wait until your message was found.In our case we dont have to search for it,we can
click on SDR button.Aha.You can see our error message on the first page.Do you see it?No matter 
you cant answer my question ;)."Please insert the Blood2 CD-ROM into your CD-ROM Drive".
Doubleclick on it.Hey heeeyyy...You was warped on the main screen to the line which contain the
error message.A little tip for the SDR window.Its alphabetical order.So when you're a error 
message like "Please insert CD" you can scroll down a bit until you see the messages which begin
with "P".Thats not everytime so,like on Blood2 its on the first page.Ok.Now minimize the SDR 
window and take a look on Wdasm.Use your arrow keys to scroll up a bit until you see this
(if you're the same version of the exe like me):
 
* Possible StringData Ref from Data Obj ->"Please insert the game CD-ROM"
                                        ->"into the drive."
 
:00403FBF BFE4A54200                 mov edi, 0042A5E4
:00403FC4 83C9FF                     or ecx, FFFFFFFF
:00403FC7 F2                         repnz
:00403FC8 AE                         scasb
:00403FC9 F7D1                       not ecx
:00403FCB 2BF9                       sub edi, ecx
 
and so on and so on...
 
Hmm...was that our error message?No it wasnt.Our one was "Please insert the Blood2 CD-ROM into
your CD-ROM drive".So we dont need this one.Use your arrow keys to scroll up a bit until you
come to our message and a bit more.Now it have to looks like this:
 
:00403F89 0F8503010000               jne 00404092       <--------thats our one
:00403F8F E876C0100                  call 0042060A
:00403F94 8B4804                     mov ecx, dword ptr [eax+04]
:00403F97 E8952E0100                 call 00416E31
:00403F9C 8BAC24E0000000             mov ebp, dword ptr [esp+000000E0]
 
* Reference To: USER32.LoadStringA,  Ord:0183h
 
:00403FA3 8B1D3C344200               mov ebx, dword ptr [0042343C]
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
?:00404082(U)
?
:00403FA9 8B0DB8E74200               mov ecx, dword ptr [0042E7B8]
:00403FAF 8D442450                   lea eax, dword ptr [esp+50]
:00403FB3 6A7C                       push 0000007C
:00403FB5 50                         push ecx
 
* Possible Reference to String Resource ID=00008: "Please insert the Blood2 CD-ROM into your 
CD-ROM drive."
 
:00403FB6 6A08                       push 00000008
:00403FB8 51                         push ecx
:00403FB9 FFD3                       call ebx
:00403FBB 85C0                       test eax ,eax
:00403FBD 7524                       jne 00403FE3
 
* Possible StringData Ref from Data Obj ->"Please insert the game CD-ROM "
                                        ->"into the drive."
 
Ok thats it.Now you see the line contain the error text "Please insert the Blood2..."?
thats our message.The little jne (jump if not equal) command let pop it up.Ok we now know
two things.First there is a dude which checks if there is a cd in drive.That one is the 
call command.It checks if eax is 1.If eax is 1 everything is fine,there is cd in drive and we
can continous.But when it is 0...uhhh nothing is fine and we cant continous cause there isnt a
cd in drive.Hmm...Then there is the jump command.It let pop up the error message on our screen.
jne = jump if not eqaul je = jump if equal.Now we're to options.We can attack the prog when we
kill the call.This will happens when we nop it.Nop = no operation.Or we can set the call on eax1
so it'll always think there is a cd in drive when he checks.At this point i're to tell you that
some programms are not stupid and the notice when you nop.So its better to set the eax on 1.
 
How to nop? 90 is the nop number.When a call or jump or whatever for a command have maybe the 
number E890987832 that are 10 numbers.That means that they're 5 bytes.Every two numbers are one
byte.E8=1 90=1 98=one 78=one 32=one.So we're to replace it with five 90磗.Dont worry when it flip
down a line in Hiew when you enter the first 90.Enter four other 90磗 too.That is how to nop.
How to set eax on 1?Our number is E890987832.So replace it with E801000000.Ok that was how to 
set eax on 1.Now our second chance how to attack the prog.We now know that we can disable the 
check or fake it.Now we can kill the error box so it wont be shown on the screen and the game
runs.Thats what we're doing in Blood2.Do you see the jne command at the top?
 
:00403F89 0F8503010000               jne 00404092     
 
use your arrow keys to place the bar on it.Hey the bar change his color!Yes it changes to green.
Now you can see on the bottom of the screen something in the status bar:
Line:6601 Pg 62 and 63 of 745 Code Data @:00403F89 @Offset 00003389h in File:Blood2.w32
What does that means?Hmm...Ok.We're on line 6601,on page 62 and 63 of all 745,the code data is
00403F89 (:00403F89 <---look here  0F8503010000               jne 00404092),the Offset number is
00003389 (its the number we'll need when we want to patch it later) and all that is in File
Blood2.w32.Not so hard to understand or?Now what we need is the @Offset number of the jne 
command.That is 00003389.Write down 3389 (you dont need the 0磗 so write it down without all the
000磗 and without the little h at the end of the number).Now start Hiew.
 
 
4.At Hiew
---------
 
Ok start Hiew.No matter what you use if H.exe or H95.exe.Ohh its dos.Ok switch in Hiew to your
directory where you installed Blood2 and where you have Blood2.exe.Then open Blood2.exe.
Uff what that?No panic.Press F4.Now chose Decode and press enter.Ahh looks a little bit better.
Now press F5 (goto).In the upper left corner you can now enter a number.Thats the place where
you're to enter your @Offset numbers.Our is 3389.Enter 3389 and press Enter.Hey...you was warped
to the place which contain the jne command.Haha we got you baby!Now press F3....
 
ShortCut:
 
Now it can be the time for you where you'll recieve something like bad data read only mode...
Do you?Tstststsss....what did i said at the beginning?"please read this its very needfull for 
you"...You make the mistake and dont made two copys.Now you disassembled the Blood2.exe and want
to edit it with Hiew.AEEE...that wont work.How i said you cant edit one file with two different
programms.Ok switch back to Wdasm.Close wdasm and switch back to Hiew.Now try it again...and next
time you do what i said!!!;)
 
You can edit the line.You see that the cursor was placed on the 0F8503010000 .Hmm a bit long...
No problem.The number for jne is 75/85...How you see it is there after the 0F.Now use the 
arrow keys to put the cursor on the 85.Change it to 84.Press F9 (save) and then F10 (quit).
Ok how you see we dont nop it we change it from jne (jump if not equal) to je (jump if equal).
If weare nop it weare to replace the numbers with six 90磗.No matter now we're to look if it works.
Go back to windows and click on Blood2.exe.Peng AHHHH the special effect scream is great ;).
Now...wait!!!Are you sure you want to risk it?Maybe we change a wrong byte and now it'll
shut down your pc or destroy any files (dont laugh thats possible)?Ohh dude what we gonna do?
 
Are you brave enough to take it up with your machine?Ok..slowly move your fat slimy burger finger
on the Enter key...you're not sure...some seconds pass but then you cant wait!!!!OHH MY GOD!!!
What i're done!?!TADA!!!THE GAME RUNS WITHOUT CD!!! ;))))) You crack it dude.
Ok thats all for now i hope you like this little tutorial.Watch out for my tutorial compilation
called DephStar!Coming soon...
 
For thanks that i make a so nice tutorial or for STUPID QUESTIONS mail me to:
ByteBurn@onecooldude.com or reach me on IRC EFnet anywhere in #cracking4newbies #cracks ....
 
Have a nice day and dont get busted by the cops ;)
Thanks for reading this tutorial...by the way i love to write data lines down....;)

初学天地：

                  破解教程五
                     程式猎人
   不是我当教师的说你们，为什么我每次为大家精心准备的作业却没有一个人来向我交作
业，那么大家一定是太忙了吧，那么好，从这周开始我将不再向大家留任何作业，这个可是
相应国家对小学生减负的精神啊。
   好了，课吗我还是要上的，现在开始大家想一想我都向大家介绍了几个比较形式，有谁
知道没有，看来大家是都不想发言了。没有办法，我在大学时也同大家一样最害怕教师的提
问，那么就由我自己向大家介绍吧。
  第一个比较形式如下：
     mov  eax [      ]  这里可以是地址，也可以是其它寄存器
     mov  edx [      ]  同上  通常这两个地址就储存着重要信息
     call 00??????
     test eax eax
     jz(jnz)
  第二个
     mov  eax [      ]  这里可以是地址，也可以是其它寄存器
     mov  edx [      ]  同上  通常这两个地址就储存着重要信息
     call 00??????
     jne(je)
  第三个
   mov eax [   ]
   mov edx [   ]
   cmp eax,edx
   jnz(jz)
或者
begin  mov al [   ]
       mov cl [   ]
       cmp al,cl
       jnz(jz)
       mov al [  +1]
       mov cl [  +1]
       cmp al,cl
       jnz(jz)
       cmp eax ecx (eax为计数器）
       jnl begin
       mov al 01
  我想我就向大家介绍了如上三种形式的比较形式，那么大家对它掌握的如何呢，我可就不
知道了。因为没有作业上交所以也无法了解大家掌握情况。但是没有关系，只要大家能够从
中学到想要的东西就可以了。
  今天向大家介绍另一个比较常用的形式，如下所示：
     lea edi [    ]
     lea esi [    ]
     repz cmpsd
     jz(jnz)
  这个比较形式就是较为重要比较形式，如果你在破解过程中看到有这样一个比较的形式，
的话，通常你就能够得到软件的注册码了，因为使用这个比较形式的话，你将在edi和esi中
得到注册码。
   现在向大家举一个例子。如下：
                   Split V3.1.4.1
简介：文件分割工具
追踪：还是使用我前面介绍过的方法进行前面追踪过程。
  1 先输入
      name:dahuilang
      company:program hunter
      RN:0123-4567-8901-23456
  2 ctrl+M调出TRW（crtl+D调出SI），在这里设bpx hmemcpy
  3 回到程序中，点击OK，TRW弹出。 
  4 在这里你可以使用F12，跳跃直到上面0040323D处就可以了。
* Possible StringData Ref from Data Obj ->"Concat/Split"
                                  |
:100012DA 6880A00010              push 1000A080
:100012DF 8D9424E0000000          lea edx, dword ptr [esp+000000E0]
:100012E6 51                      push ecx
:100012E7 52                      push edx
:100012E8 E823250000              call 10003810
:100012ED 83C40C                  add esp, 0000000C
:100012F0 84C0                    test al, al
:100012F2 741F                    je 10001313
:100012F4 8D442428                lea eax, dword ptr [esp+28]
:100012F8 8D8C24DC000000          lea ecx, dword ptr [esp+000000DC]
:100012FF 50                      push eax
进入call 10003810
:10003826 50                      push eax

* Reference To: KERNEL32.lstrcpyA, Ord:0302h
                                  |
:10003827 FF1540810010            Call dword ptr [10008140]
:1000382D 6A20                    push 00000020
:1000382F 56                      push esi
:10003830 E87B090000              call 100041B0
:10003835 83C408                  add esp, 00000008
:10003838 85C0                    test eax, eax
:1000383A 0F84C9000000            je 10003909
   这个可是程序设的一个障碍，如果你不仔细研究它的话，你将无法得到这个软件的注册
码，它在这里调用了name，没有调用RN，所以这个call只与name有关，call又调用了20(H),
这个值，它在ASC码中为空格符号。现在大家想一下name同这个空格有什么关系。大家可以
想到了吧，name中一定要有空格，这样你可以顺利的到达下面。
:100038EA B903000000              mov ecx, 00000003
:100038EF 8D7C2418                lea edi, dword ptr [esp+18]
:100038F3 8D742424                lea esi, dword ptr [esp+24]
:100038F7 33D2                    xor edx, edx
:100038F9 F3                      repz
:100038FA A7                      cmpsd
:100038FB 5F                      pop edi
:100038FC 5D                      pop ebp
:100038FD 5E                      pop esi
:100038FE 5B                      pop ebx
:100038FF 0F94C0                  sete al
:10003902 81C484000000            add esp, 00000084
:10003908 C3                      ret
  当你来到上面的时候，大家现在想到我上面介绍的方法。这里
:100038EF 8D7C2418                lea edi, dword ptr [esp+18]
:100038F3 8D742424                lea esi, dword ptr [esp+24]
:100038F7 33D2                    xor edx, edx
:100038F9 F3                      repz
:100038FA A7                      cmpsd
……
:100038FF 0F94C0                  sete al
  这个就是比较典型比较形式，从上面你就可以得到这个软件的注册码了。你也学到了这个
比较形式了。
  好了，这节课也讲完了，可惜啊没有授课费啊，下课了。

问题答疑：

网站介绍：

杂志信箱：

投稿信箱：discoveredit@china.com

答疑信箱：discoveranswer@china.com

斑竹信箱：programhunter@china.com