A Russian cracks winrar3.2, see who can understand it
Posted: 2005-7-26 15:37 8768

Latest replies (14)
2
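Machine translation:

Registering WinRar 3.22
Author: DarkSlider <darkslider@list.ru>

This is my first article, so I ask you separately not to kick.

I read articles about how to lamat' WinRar, but there, for newcomers, to koim I also probably relate, slozhnovato. Here the variantik is simple, for me in any case.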

--------------------------------------------------------------------------------

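Purpose:
WinRar 3.22

Tools:
Windasm - dizasemmbler
Hiew - editor of unlucky things
Restorator - resource editor.

My WinRar is the English version, so the text is in English, but it corresponds completely with the ruskim version. So let us begin. 4 Cooper WinRar for a very long time, but I will at once write the facts that ponakhodil, without going into all the dead ends themselves that I reached in nemogu.

First I examined the resources of WinRara Restoratorom. And it found very interesting lines in string resource ? 55: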

--------------------------------------------------------------------------------

870 Registration failed
871 Thank you for support
872 Correct registration
873 evaluation copies
874 only %d days left to buy a license

--------------------------------------------------------------------------------

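And this pushed me against the idea that before the telephone of resource 872 there must be some comparison (do not ask why, it simply must :) ).

Before the dizasemblirovaniyem of the file WinRar.exe (it is even any ekzeshnika, I usually generally create files *.exx *.w32, having learned of this in one tutoriale in English) WinRar.exx WinRar.w32.

After the creation of the files, dizasemblim the file WinRar.w32.

We attend String References and we find our resource.

String Resource ID=00872: "Correct registration"
We click on it and we see: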

--------------------------------------------------------------------------------

* Possible reference in string resource ID=00872: "Correct registration"
                                  |
:0043.E2CA B868030000 运动Eax, 00000368
:0043.E2CF E84424FDFF 电话00410718
:0043.E2D4 50 推挤eax

* Possible reference in string resource ID=00871: "Thank you for support"
                                  |
:0043.E2D5 B867030000 运动Eax, 00000367
:0043.E2DA E83924FDFF 电话00410718
:0043.E2DF 50 推挤eax
:0043.E2.E0 FF35FCC44.A00 推挤Dword Ptr [ 004.AC4FC ]

* Reference to: USER32.MessageBoxA, Ord:0000h
                                  |
:0043.E2.E6 E8811A0500 电话0048FD6C
:0043.E2.EB EB0B Jmp 0043.E2F8

--------------------------------------------------------------------------------

Both resources 872 and 871 are transferred to the function at the address 00410718. It is good, and now look, it is found scarcely higher:

--------------------------------------------------------------------------------

:0043.E2B7 E840ECFCFF 电话0040CEFC
:0043.E2BC 8BD8 运动Ebx, eax
:0043.E2BE 881D3CDD4900 运动字节Ptr [ 0049DD3C ], bl
:0043.E2C4 84DB 测试Bl, bl
:0043.E2C6 7425 je 0043.E2.ED
:0043.E2C8 6.A30 推挤00000030

--------------------------------------------------------------------------------

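But above is found a comparison of the counter bl with zero. This is interesting... Here I, at what era neizvesno, was visited by the idea to look through a search for the places that still change the value at the address 0049DD3C.

And I issued a line to the search:

运动字节ptr [ 0049DD3C ]
It is encountered azh 6 times: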

--------------------------------------------------------------------------------

:0043.E2B7 E840ECFCFF 电话0040CEFC
:0043.E2BC 8BD8 运动Ebx, eax
:0043.E2BE 881D3CDD4900 运动字节Ptr [ 0049DD3C ], bl

--------------------------------------------------------------------------------

:0043.E607 E8F0E8FCFF 电话0040CEFC
:0043.E60C A23CDD4900 运动字节Ptr [ 0049DD3C ], al

--------------------------------------------------------------------------------

:00447DC8 E82F51FCFF 电话0040CEFC
:00447DCD A23CDD4900 运动字节Ptr [ 0049DD3C ], al

--------------------------------------------------------------------------------

:0044870F E8E847FCFF 电话0040CEFC
:00448714 8BD8 运动ebx, eax
:00448716 881D3CDD4900 运动字节ptr [ 0049DD3C ], bl

--------------------------------------------------------------------------------

:0044B120 C6053CDD490000 运动字节Ptr [ 0049DD3C ], 00

--------------------------------------------------------------------------------

:0045C8C3 E83406FBFF 电话0040CEFC
:0045C8C8 A23CDD4900 运动字节Ptr [ 0049DD3C ], al

--------------------------------------------------------------------------------

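And the most interesting is in the fact that 5 times it is after the telephone of the function:

电话0040CEFC
I... In cases 1 and 3, because of the command 运动ebx, eax, we obtain nothing but, in 5 cases out of 6, titanium transferring the value of the counter al into the byte at the address [ 0049DD3C ].

Then it overshadowed me, and what will be if al will be 1 and not 0 after the vozvreta from the function. The function takes this form: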

--------------------------------------------------------------------------------

* Referenced by telephone at addresses:
|:0043.E2B7,:0043.E607,:00447DC8,:0044870F,:0045C8C3
|
:0040CEFC 55 推挤ebp
:0040CEFD 8BEC 运动Ebp, 特别是
:0040CEFF 81.C404F0FFFF 特别是增加, FFFFF004
:0040CF05 50 推挤eax
:0040CF06 81.C448FDFFFF 特别是增加, FFFFFD48
:0040CF0C 53 推挤ebx
:0040CF0D 56 推挤esi
:0040CF0E 57 推挤edi
:0040CF0F 8885.E3FEFFFF 运动字节Ptr [ ebp+.FFFFFEE3 ], al
:0040CF15 BE38D74900 运动Esi, 0049D738
:0040CF1A B848174900 运动Eax, 00491748
:0040CF1F E82C5.A0700 电话00482950
:0040CF24 8D95C8FAFFFF Lea Edx, dword ptr [ ebp+.FFFFFAC8 ]

* Possible StringData Ref from data Obj ->"rarreg.*"
                                  |
:0040CF2.A B843104900 运动Eax, 00491043
:0040CF2F E839EDFFFF 电话0040BC6D
:0040CF34 84C0 测试Al, al
:0040CF36 7514 jne 0040CF4C
:0040CF38 33C0 Xor Eax, eax
:0040CF3.A 8B95.E4FEFFFF 运动Edx, dword ptr [ ebp+.FFFFFEE4 ]
:0040CF40 64891500000000 运动dword ptr fs:[ 00000000 ], edx
:0040CF47 E9D0050000 Jmp 0040D51.C

...

* Referenced by a (U)nconditional or (C)onditional jump at
addresses:
|:0040CF47(.U),:0040CFB7(.U),:0040D0DD(.U),:0040D12D(.U),:0040D2.A5(.U)
|:0040D350(.U),:0040D3C3(.U),:0040D461(.U),:0040D4F2(.U)
|
:0040D51.C 5F 流行音乐Edi
:0040D51D 5.E 流行音乐Esi
:0040D51E 5B 流行音乐Ebx
:0040D51F 8BE5 运动特别是, ebp
:0040D521 5D 流行音乐Ebp
:0040D522 C3 Ret

--------------------------------------------------------------------------------

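But, and what do I see?

:0040CF38 33C0 Xor Eax, eax
The neutral connection of eax (and al accordingly), and it decided to correct this. Casting a look, the address of this line in WinDasme is C538h.

Opened the file WinRar.exe with the help of Hiew.

It harvested entering twice for the passage into the regime of assembly codes. Harvested F5, it introduced the address C538 and it moved to the command necessary to me. Then harvested F3 for editing and F2 for introducing code in asme. The code 运动al, 1 was introduced, or in codes B001; everything it saved and left. At the solemn start there is no my Naka language (only from itself it did not obtain, well, it had already simply arrived), nor the inscription evaluation copy.

Comment of Bad_guy'4:
For me it is certainly very convenient to advertise its work in a stranger's article, but I will allow myself to make an exception. The fact is, I created a universal patch for WinRAR and it is already checked on versions from 3.00 to 3.30 final, and it is unimportant whether the English VinRAR is with you or the Russian - http://.chrachklab 。narod 。ru/dload/wrar3xp 。邮编 As for the electronic signature - you will not be able to use it, but it was explained that nobody needs it - at the forum nobody could understandably obya"snit' to me why this electronic signature is necessary to it, it means after all nobody needs it at all, it can be only if for ponta.

Z.Y. This article was written only for the purpose of instruction. If WinRar is greatly a joy to you, better you will purchase it. He wrote as he could, he tried so that it all would be understandable, because I myself read articles and do not always understand everything.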
2005-7-26 20:14
0
3
It looks even more confusing...
2005-7-26 20:36
0
4
Originally posted by baby2008
:0040CF2.A B843104900 运动Eax, 00491043

:0040CF2F E839EDFFFF 电话0040BC6D

:0040D51.C 5F 流行音乐Edi

:0040CEFC 55 推挤ebp

:00447DCD A23CDD4900 运动字节Ptr [ 0049DD3C ], al
:0040D51F 8BE5 运动特别是, ebp


Corrections:

运动 = mov
电话 = call
流行音乐 = pop
推挤 = push
运动字节 = mov byte
运动特别是 = mov esp




It seems machine translation is still not especially accurate~~~~
2005-7-26 20:37
0
5
Originally posted by KuNgBiM



运动特别是 = mov dword

........


运动特别是 = mov esp
2005-7-26 21:10
0
6
I give up~~~~~~~~~~~~~` It would be better without the machine translation.
2005-7-27 00:47
0
7
Fainting, haha
2005-7-27 11:36
0
8
Russian really is difficult
2005-7-27 22:23
0
9
I can't read Russian, it's very difficult.
2005-7-28 11:50
0
10
What software is used for translating Russian?
2005-7-28 15:55
0
11
2005-7-28 18:36
0
12
How could it turn out like this~1 dizzy
2005-7-29 13:12
0
13
Is there a clearer one?
2005-7-31 16:05
0
14

Registration WinRar 3.22
The Author: DarkSlider <darkslider@list.ru>

It is my first clause therefore I ask to not kick especially.

I saw clauses about that as lamat WinRar but there for beginners to which and I likely concern, slozhnovato. Here variantik is easier, for me anyway.

--------------------------------------------------------------------------------

The Purpose:
WinRar 3.22

Tools:
Windasm - dizasemmbler
Hiew - the HEX-editor
Restorator - the editor of resources.

At me WinRar the English version therefore the text in an English, but completely coincides with ruskim a variant. So we shall begin. I dug WinRar very long, but at once I shall write that that ponahodil, not pressing deadlocks in which I got into all on most nemogu.

All over again I have seen resources WinRara Restoratorom. Also has found very interesting lines in String a resource ? 55:

--------------------------------------------------------------------------------

870 Registration failed
871 Thank you for support
872 Correct registration
873 evaluation copy
874 only %d days left to buy a license

--------------------------------------------------------------------------------

And it natolknulo me on an idea that before a call of a resource 872 should be any comparison (do not ask why it should is simple:)).

Before dizasemblirovaniem file WinRar.exe (and in general any ekzeshnika I usually create files *.exx *.w32 has read through about it in one tutoriale in the English) WinRar.exx WinRar.w32.

After creation of files dizasemblim file WinRar.w32.

We Come in String References and our resource is found.

String Resource ID=00872: " Correct registration "
We Click on it and it is visible:

--------------------------------------------------------------------------------

* Possible Reference to String Resource ID=00872: " Correct registration "
|
:0043E2CA B868030000 mov eax, 00000368
:0043E2CF E84424FDFF call 00410718
:0043E2D4 50 push eax
* Possible Reference to String Resource ID=00871: " Thank you for support "
|
:0043E2D5 B867030000 mov eax, 00000367
:0043E2DA E83924FDFF call 00410718
:0043E2DF 50 push eax
:0043E2E0 FF35FCC44A00 push dword ptr [004AC4FC]
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0043E2E6 E8811A0500 call 0048FD6C
:0043E2EB EB0B jmp 0043E2F8

--------------------------------------------------------------------------------

Both of a resource 872 and 871 are transferred function to the address of 00410718. Well, and now look that is hardly above:

--------------------------------------------------------------------------------

:0043E2B7 E840ECFCFF call 0040CEFC
:0043E2BC 8BD8 mov ebx, eax
:0043E2BE 881D3CDD4900 mov byte ptr [0049DD3C], bl
:0043E2C4 84DB test bl, bl
:0043E2C6 7425 je 0043E2ED
:0043E2C8 6A30 push 00000030

--------------------------------------------------------------------------------

And above there is a comparison of the register bl with zero. Interestingly... I here with neizvesno what time was visited with an idea to look through search and where value to the address of 0049DD3C. Still changes

And I have started up a line on search:

mov byte ptr [0049DD3C]
It meets already 6 times:

--------------------------------------------------------------------------------

:0043E2B7 E840ECFCFF call 0040CEFC
:0043E2BC 8BD8 mov ebx, eax
:0043E2BE 881D3CDD4900 mov byte ptr [0049DD3C], bl

--------------------------------------------------------------------------------

:0043E607 E8F0E8FCFF call 0040CEFC
:0043E60C A23CDD4900 mov byte ptr [0049DD3C], al

--------------------------------------------------------------------------------

:00447DC8 E82F51FCFF call 0040CEFC
:00447DCD A23CDD4900 mov byte ptr [0049DD3C], al

--------------------------------------------------------------------------------

:0044870F E8E847FCFF call 0040CEFC
:00448714 8BD8 mov ebx, eax
:00448716 881D3CDD4900 mov byte ptr [0049DD3C], bl

--------------------------------------------------------------------------------

:0044B120 C6053CDD490000 mov byte ptr [0049DD3C], 00

--------------------------------------------------------------------------------

:0045C8C3 E83406FBFF call 0040CEFC
:0045C8C8 A23CDD4900 mov byte ptr [0049DD3C], al

--------------------------------------------------------------------------------

And the most interesting in that that 5 times after a call of function:

call 0040CEFC
.. In 1 and 3 case because of commands mov ebx, eax we receive not that other as in 5 cases from 6-oe a transfer of meaning of the register al in byte to the address of [0049DD3C].

Then upon me has dawned, and that will be if in al will be 1 instead of 0 after vozvreta from function. Function has such appearance:

--------------------------------------------------------------------------------

* Referenced by a CALL at Addresses:
|:0043E2B7,:0043E607,:00447DC8,:0044870F,:0045C8C3
|
:0040CEFC 55 push ebp
:0040CEFD 8BEC mov ebp, esp
:0040CEFF 81C404F0FFFF add esp, FFFFF004
:0040CF05 50 push eax
:0040CF06 81C448FDFFFF add esp, FFFFFD48
:0040CF0C 53 push ebx
:0040CF0D 56 push esi
:0040CF0E 57 push edi
:0040CF0F 8885E3FEFFFF mov byte ptr [ebp+FFFFFEE3], al
:0040CF15 BE38D74900 mov esi, 0049D738
:0040CF1A B848174900 mov eax, 00491748
:0040CF1F E82C5A0700 call 00482950
:0040CF24 8D95C8FAFFFF lea edx, dword ptr [ebp+FFFFFAC8]
* Possible StringData Ref from Data Obj-> " rarreg. * "
|
:0040CF2A B843104900 mov eax, 00491043
:0040CF2F E839EDFFFF call 0040BC6D
:0040CF34 84C0 test al, al
:0040CF36 7514 jne 0040CF4C
:0040CF38 33C0 xor eax, eax
:0040CF3A 8B95E4FEFFFF mov edx, dword ptr [ebp+FFFFFEE4]
:0040CF40 64891500000000 mov dword ptr fs: [00000000], edx
:0040CF47 E9D0050000 jmp 0040D51C
...
* Referenced by a (U) nconditional or (C) onditional Jump at Addresses:
|:0040CF47 (U),:0040CFB7 (U),:0040D0DD (U),:0040D12D (U),:0040D2A5 (U)
|:0040D350 (U),:0040D3C3 (U),:0040D461 (U),:0040D4F2 (U)
|
:0040D51C 5F pop edi
:0040D51D 5E pop esi
:0040D51E 5B pop ebx
:0040D51F 8BE5 mov esp, ebp
:0040D521 5D pop ebp
:0040D522 C3 ret

--------------------------------------------------------------------------------

Also what I have seen?

:0040CF38 33C0 xor eax, eax
Zanulenie eax (and al accordingly) also has decided it to correct. The address of the given line in WinDasme it C538h. Has looked

Has opened file WinRar.exe by means of Hiew.

Has pressed two times Enter for transition in a mode assemblernyh codes. Has pressed F5 has entered C538 address and has moved at the command necessary to me. Then has pressed F3 for editing and F2 for input of a code on asme. Has entered a code mov al, 1 or in codes B001 all has kept and has left. At solemn start is not present it is nude (which me hardly from itself has not deduced well has simply got already), inscriptions evaluation copy.

Comment Bad_guy'y:
Certainly it is not so convenient to me to advertise the works in another's clause, but I shall allow to make to myself exception. The matter is that I have created a universal patch for WinRAR and it is checked already up on versions from 3.00 till FINAL, and unimportantly English VinRAR at you or Russian - http: // cracklab.narod.ru/dload/wrar3xp.zip As to a digital signature - you cannot use it, but it as was found out nobody is necessary - at a forum to me nobody could intelligibly objasnit what for to it this digital signature is necessary, it means all taki is necessary nobody, can only if for ponta.

Z.Y.g clause is written only with a view of training. If to you has very much liked WinRar that is better it buy. Wrote as could, tried that all it was clear, therefore as itself I read clauses and not always all I understand.

DarkSlider <darkslider@list.ru>


  

--------------------------------------------------------------------------------

Materials are on a site http: // cracklab.ru/art /

You are on CRACKLAB.RU, today on July, 31st, 2005 13:56:57 MSK
2005-7-31 18:15
0
15
Very hard, and the content is incomplete!
2005-7-31 19:45
0