Photo Watermark V1.2.0.6 算法分析
-
下载页面: http://www.skycn.com/soft/8210.html
软件大小: 1265 KB
软件语言: 英文
软件类别: 国外软件 / 共享版 / 图像处理
应用平台: Win9x/NT/2000/XP
加入时间: 2003-03-31 08:38:47
下载次数: 2531
推荐等级: ****
开 发 商: http://www.unidreamtech.com/
【软件简介】:Photo Watermark 是一款专业的给图片加水印软件,如果你想在网络上保护你的图片,可以试试这个软件。
【软件限制】:15天试用、功能限制。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、Fi2.5、Hex Workshop、UPX1.2、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
首先说明的是我手里分析的是V1.2.0.6的版本,天空下载站上的是V3.0.0.0新版,呵呵,小猫上网就不去“喜新厌旧”了。可能有许多地方是不一样的。不过我的目的只是学习CRACK技术。
watermark.exe 用Fi2.5看是UPX壳,但是这个壳再次用其它工具做了保护。如:UPX-Scrambler RC 1.05 ——modifies files packed with UPX so that they cannot be unpacked with the "-d" command build into UPX。
呵呵,看了《看雪论坛精华》里 bottle 朋友的帖子学习了脱壳方法。谢谢 bottle 朋友!为了大家方便我转贴一下我所用到的关键部分。
用Hex Workshop打开watermark.exe:
00000400:5B66 FEFF 0410 4000 0307 426F 6F6C 6561 6E01 0009 2A05 46B3 DFDE FF61 6C73 6504
把00000400处的:5B66 FEFF 0410 改为5550 5821 0C09
保存后再用UPX1.2解压成功。556K->1.53M。Delphi编写。反汇编,根据提示很容易就找到核心了。
用户名:fly
电 邮:fly@263.net
试炼码:13572468
程序根据注册码的不同而分为2个版本,运算流程是相似的,因此我只是记录了第二次运算“Pro”版注册码时的参数。
—————————————————————————————————
* Possible StringData Ref from Code Obj ->"Plus"
|
:00535460 BAB0565300 mov edx, 005356B0
====>EDX=Plus
:00535465 E8FAEBECFF call 00404064
:0053546A 755B jne 005354C7
* Possible StringData Ref from Code Obj ->"Pro"
|
:0053546C 68C0565300 push 005356C0
:00535471 8D45FC lea eax, dword ptr [ebp-04]
:00535474 50 push eax
:00535475 8D55F8 lea edx, dword ptr [ebp-08]
:00535478 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0053547E E83DFAEFFF call 00434EC0
:00535483 8B45F8 mov eax, dword ptr [ebp-08]
:00535486 50 push eax
:00535487 8D55F4 lea edx, dword ptr [ebp-0C]
:0053548A 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:00535490 E82BFAEFFF call 00434EC0
:00535495 8B55F4 mov edx, dword ptr [ebp-0C]
:00535498 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:0053549E 59 pop ecx
:0053549F E85CEDFFFF call 00534200
:005354A4 8B45FC mov eax, dword ptr [ebp-04]
:005354A7 50 push eax
:005354A8 8D55F0 lea edx, dword ptr [ebp-10]
:005354AB 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:005354B1 E80AFAEFFF call 00434EC0
:005354B6 8B55F0 mov edx, dword ptr [ebp-10]
:005354B9 58 pop eax
:005354BA E8E136EDFF call 00408BA0
:005354BF 85C0 test eax, eax
:005354C1 0F84C9000000 je 00535590
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053546A(C)
|
* Possible StringData Ref from Code Obj ->"Plus"
|
:005354C7 68B0565300 push 005356B0
:005354CC 8D45EC lea eax, dword ptr [ebp-14]
====>EAX=fly@263.net
:005354CF 50 push eax
:005354D0 8D55E8 lea edx, dword ptr [ebp-18]
:005354D3 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:005354D9 E8E2F9EFFF call 00434EC0
:005354DE 8B45E8 mov eax, dword ptr [ebp-18]
====>EAX=fly@263.net
:005354E1 50 push eax
:005354E2 8D55E4 lea edx, dword ptr [ebp-1C]
:005354E5 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:005354EB E8D0F9EFFF call 00434EC0
:005354F0 8B55E4 mov edx, dword ptr [ebp-1C]
====>EDX=fly
:005354F3 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005354F9 59 pop ecx
====>ECX=fly@263.net
:005354FA E801EDFFFF call 00534200
====>算法CALL!运算“Plus”版本的注册码!
:005354FF 8B45EC mov eax, dword ptr [ebp-14]
====>EAX=Y1728-E7272
:00535502 50 push eax
:00535503 8D55E0 lea edx, dword ptr [ebp-20]
:00535506 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:0053550C E8AFF9EFFF call 00434EC0
====>取试炼码
:00535511 8B45E0 mov eax, dword ptr [ebp-20]
====>EAX=13572468
:00535514 5A pop edx
:00535515 E81AC5FCFF call 00501A34
====>比较“Plus”版本的注册码!
:0053551A 85C0 test eax, eax
:0053551C 7572 jne 00535590
====>跳则“Plus”版本注册成功!
:0053551E A1CC8C5400 mov eax, dword ptr [00548CCC]
:00535523 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"Watermark"
|
:00535525 BACC565300 mov edx, 005356CC
====>EDX=Watermark
:0053552A E835EBECFF call 00404064
:0053552F 0F85DC000000 jne 00535611
* Possible StringData Ref from Code Obj ->"Watermark"
|
:00535535 68CC565300 push 005356CC
:0053553A 8D45DC lea eax, dword ptr [ebp-24]
:0053553D 50 push eax
:0053553E 8D55D8 lea edx, dword ptr [ebp-28]
:00535541 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:00535547 E874F9EFFF call 00434EC0
:0053554C 8B45D8 mov eax, dword ptr [ebp-28]
====>EAX=fly@263.net
:0053554F 50 push eax
:00535550 8D55D4 lea edx, dword ptr [ebp-2C]
:00535553 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:00535559 E862F9EFFF call 00434EC0
:0053555E 8B55D4 mov edx, dword ptr [ebp-2C]
====>EDX=fly
:00535561 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:00535567 59 pop ecx
:00535568 E893ECFFFF call 00534200
====>算法CALL!运算“Pro”版本的注册码!进入!
:0053556D 8B45DC mov eax, dword ptr [ebp-24]
====>EAX=7761746572-Y1728-6D61726BE7272
:00535570 50 push eax
:00535571 8D55D0 lea edx, dword ptr [ebp-30]
:00535574 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:0053557A E841F9EFFF call 00434EC0
====>取试炼码
:0053557F 8B55D0 mov edx, dword ptr [ebp-30]
====>EDX=13572468
:00535582 58 pop eax
:00535583 E81836EDFF call 00408BA0
====>比较“Pro”版本的注册码!
:00535588 85C0 test eax, eax
:0053558A 0F8581000000 jne 00535611
====>不跳则“Pro”版本注册成功!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005354C1(C), :0053551C(C)
|
:00535590 8D55CC lea edx, dword ptr [ebp-34]
:00535593 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:00535599 E822F9EFFF call 00434EC0
:0053559E 8B55CC mov edx, dword ptr [ebp-34]
:005355A1 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355A7 E8E8EEFFFF call 00534494
:005355AC 8D55C8 lea edx, dword ptr [ebp-38]
:005355AF 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:005355B5 E806F9EFFF call 00434EC0
:005355BA 8B55C8 mov edx, dword ptr [ebp-38]
:005355BD 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355C3 83C034 add eax, 00000034
:005355C6 E895EEECFF call 00404460
:005355CB 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355D1 05C0000000 add eax, 000000C0
:005355D6 8B15CC8C5400 mov edx, dword ptr [00548CCC]
:005355DC 8B12 mov edx, dword ptr [edx]
:005355DE E845E7ECFF call 00403D28
:005355E3 33D2 xor edx, edx
:005355E5 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355EB E844EEFFFF call 00534434
:005355F0 8D55C4 lea edx, dword ptr [ebp-3C]
:005355F3 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:005355F9 E8C2F8EFFF call 00434EC0
:005355FE 8B55C4 mov edx, dword ptr [ebp-3C]
:00535601 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:00535607 E84CF3FFFF call 00534958
:0053560C C60601 mov byte ptr [esi], 01
:0053560F EB32 jmp 00535643
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0053552F(C), :0053558A(C)
|
:00535611 6A00 push 00000000
:00535613 8D4DC0 lea ecx, dword ptr [ebp-40]
* Possible StringData Ref from Code Obj ->"InvalidKeyStr"
|
:00535616 BAE0565300 mov edx, 005356E0
* Possible StringData Ref from Code Obj ->"The information you entered is "
->"not valid. Please retry."
====>BAD BOY!
* Possible StringData Ref from Code Obj ->"RegisteredStr"
|
:0053E85D BA98E95300 mov edx, 0053E998
* Possible StringData Ref from Code Obj ->"Thank you for registering %s. "
->"Please keep your key code in a "
->"secret place. Program will restart."
:0053E8B7 FF92D8000000 call dword ptr [edx+000000D8]
====>呵呵,胜利女神!
—————————————————————————————————
进入算法CALL:00535568 call 00534200
* Referenced by a CALL at Addresses:
|:00534A15 , :00534E78 , :00534EA8 , :00534ED8 , :0053549F
|:005354FA , :00535568
|
:00534200 55 push ebp
:00534201 8BEC mov ebp, esp
:00534203 51 push ecx
:00534204 B908000000 mov ecx, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053420E(C)
|
:00534209 6A00 push 00000000
:0053420B 6A00 push 00000000
:0053420D 49 dec ecx
:0053420E 75F9 jne 00534209
:00534210 51 push ecx
:00534211 874DFC xchg dword ptr [ebp-04], ecx
:00534214 53 push ebx
:00534215 894DF8 mov dword ptr [ebp-08], ecx
:00534218 8955FC mov dword ptr [ebp-04], edx
:0053421B 8BD8 mov ebx, eax
:0053421D 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=[ebp-04]=fly
:00534220 E8E3FEECFF call 00404108
:00534225 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=[ebp-08]=fly@263.net
:00534228 E8DBFEECFF call 00404108
:0053422D 8B450C mov eax, dword ptr [ebp+0C]
====>EAX=Plus
:00534230 E8D3FEECFF call 00404108
:00534235 33C0 xor eax, eax
:00534237 55 push ebp
:00534238 68BC435300 push 005343BC
:0053423D 64FF30 push dword ptr fs:[eax]
:00534240 648920 mov dword ptr fs:[eax], esp
:00534243 8B450C mov eax, dword ptr [ebp+0C]
* Possible StringData Ref from Code Obj ->"Pro"
|
:00534246 BAD4435300 mov edx, 005343D4
====>EDX=Pro
:0053424B E814FEECFF call 00404064
====>判断是哪个版本?
:00534250 7572 jne 005342C4
:00534252 8D55F4 lea edx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"pro"
|
:00534255 B8E0435300 mov eax, 005343E0
:0053425A E8F5E7FCFF call 00502A54
:0053425F FF75F4 push [ebp-0C]
:00534262 68EC435300 push 005343EC
:00534267 8D55EC lea edx, dword ptr [ebp-14]
:0053426A 8B45FC mov eax, dword ptr [ebp-04]
:0053426D E87E47EDFF call 004089F0
:00534272 8B55EC mov edx, dword ptr [ebp-14]
:00534275 8D4DF0 lea ecx, dword ptr [ebp-10]
:00534278 8BC3 mov eax, ebx
:0053427A E8AD080000 call 00534B2C
:0053427F FF75F0 push [ebp-10]
:00534282 68EC435300 push 005343EC
:00534287 8D55E8 lea edx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"Pro"
|
:0053428A B8D4435300 mov eax, 005343D4
:0053428F E8C0E7FCFF call 00502A54
:00534294 FF75E8 push [ebp-18]
:00534297 8D55E0 lea edx, dword ptr [ebp-20]
:0053429A 8B45F8 mov eax, dword ptr [ebp-08]
:0053429D E88A47EDFF call 00408A2C
:005342A2 8B55E0 mov edx, dword ptr [ebp-20]
:005342A5 8D4DE4 lea ecx, dword ptr [ebp-1C]
:005342A8 8BC3 mov eax, ebx
:005342AA E87D080000 call 00534B2C
:005342AF FF75E4 push [ebp-1C]
:005342B2 8B4508 mov eax, dword ptr [ebp+08]
:005342B5 BA06000000 mov edx, 00000006
:005342BA E855FDECFF call 00404014
:005342BF E9D5000000 jmp 00534399
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534250(C)
|
:005342C4 8B450C mov eax, dword ptr [ebp+0C]
* Possible StringData Ref from Code Obj ->"Watermark"
|
:005342C7 BAF8435300 mov edx, 005343F8
====>EDX=Watermark
:005342CC E893FDECFF call 00404064
:005342D1 756F jne 00534342
====>第一次运算“Plus”版时从这跳走。
:005342D3 8D55DC lea edx, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->"water"
|
:005342D6 B80C445300 mov eax, 0053440C
====>EAX=water
:005342DB E874E7FCFF call 00502A54
====>取water字符的ASCII码7761746572
:005342E0 FF75DC push [ebp-24]
① ====>[ebp-24]=7761746572
:005342E3 68EC435300 push 005343EC
:005342E8 8D55D4 lea edx, dword ptr [ebp-2C]
:005342EB 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=[ebp-04]=fly
:005342EE E8FD46EDFF call 004089F0
====>将fly转化为大写字母
:005342F3 8B55D4 mov edx, dword ptr [ebp-2C]
====>EDX=FLY
:005342F6 8D4DD8 lea ecx, dword ptr [ebp-28]
:005342F9 8BC3 mov eax, ebx
:005342FB E82C080000 call 00534B2C
====>对FLY进行运算得出下面的Y1728 进入!
:00534300 FF75D8 push [ebp-28]
② ====>[ebp-28]=Y1728
:00534303 68EC435300 push 005343EC
:00534308 8D55D0 lea edx, dword ptr [ebp-30]
* Possible StringData Ref from Code Obj ->"mark"
|
:0053430B B81C445300 mov eax, 0053441C
====>EAX=mark
:00534310 E83FE7FCFF call 00502A54
====>取mark字符的ASCII码6D61726B
:00534315 FF75D0 push [ebp-30]
③ ====>[ebp-30]=6D61726B
:00534318 8D55C8 lea edx, dword ptr [ebp-38]
:0053431B 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=[ebp-08]=fly@263.net
:0053431E E80947EDFF call 00408A2C
====>对fly@263.net进行检测,如果有大写字母则转化为小写
:00534323 8B55C8 mov edx, dword ptr [ebp-38]
====>EDX=[ebp-38]=fly@263.net
:00534326 8D4DCC lea ecx, dword ptr [ebp-34]
:00534329 8BC3 mov eax, ebx
:0053432B E8FC070000 call 00534B2C
====>对fly@263.net进行运算得出下面的E7272
====>与 005342FB 处的运算流程相同
:00534330 FF75CC push [ebp-34]
④ ====>[ebp-34]=E7272
:00534333 8B4508 mov eax, dword ptr [ebp+08]
:00534336 BA06000000 mov edx, 00000006
:0053433B E8D4FCECFF call 00404014
====>将上面得出的①②③④连接成①-②-③④
:00534340 EB57 jmp 00534399
====>“Pro”版本注册码运算结束!跳走!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005342D1(C)
|
:00534342 8B450C mov eax, dword ptr [ebp+0C]
====>下面是第一次时运算“Plus”版本的注册码
* Possible StringData Ref from Code Obj ->"Plus"
|
:00534345 BA2C445300 mov edx, 0053442C
:0053434A E815FDECFF call 00404064
:0053434F 7548 jne 00534399
:00534351 8D55C0 lea edx, dword ptr [ebp-40]
:00534354 8B45FC mov eax, dword ptr [ebp-04]
:00534357 E89446EDFF call 004089F0
:0053435C 8B55C0 mov edx, dword ptr [ebp-40]
:0053435F 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00534362 8BC3 mov eax, ebx
:00534364 E8C3070000 call 00534B2C
:00534369 FF75C4 push [ebp-3C]
:0053436C 68EC435300 push 005343EC
:00534371 8D55B8 lea edx, dword ptr [ebp-48]
:00534374 8B45F8 mov eax, dword ptr [ebp-08]
:00534377 E8B046EDFF call 00408A2C
:0053437C 8B55B8 mov edx, dword ptr [ebp-48]
:0053437F 8D4DBC lea ecx, dword ptr [ebp-44]
:00534382 8BC3 mov eax, ebx
:00534384 E8A3070000 call 00534B2C
:00534389 FF75BC push [ebp-44]
:0053438C 8B4508 mov eax, dword ptr [ebp+08]
:0053438F BA03000000 mov edx, 00000003
:00534394 E87BFCECFF call 00404014
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005342BF(U), :00534340(U), :0053434F(C)
|
:00534399 33C0 xor eax, eax
:0053439B 5A pop edx
:0053439C 59 pop ecx
:0053439D 59 pop ecx
:0053439E 648910 mov dword ptr fs:[eax], edx
:005343A1 68C3435300 push 005343C3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005343C1(U)
|
:005343A6 8D45B8 lea eax, dword ptr [ebp-48]
:005343A9 BA12000000 mov edx, 00000012
:005343AE E845F9ECFF call 00403CF8
:005343B3 8D450C lea eax, dword ptr [ebp+0C]
:005343B6 E819F9ECFF call 00403CD4
:005343BB C3 ret
—————————————————————————————————
进入:005342FB call 00534B2C
* Referenced by a CALL at Addresses:
|:0053427A , :005342AA , :005342FB , :0053432B , :00534364
|:00534384
|
:00534B2C 55 push ebp
:00534B2D 8BEC mov ebp, esp
:00534B2F 6A00 push 00000000
:00534B31 6A00 push 00000000
:00534B33 6A00 push 00000000
:00534B35 6A00 push 00000000
:00534B37 6A00 push 00000000
:00534B39 6A00 push 00000000
:00534B3B 6A00 push 00000000
:00534B3D 53 push ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534ACD(C)
|
:00534B3E 56 push esi
:00534B3F 57 push edi
:00534B40 894DF8 mov dword ptr [ebp-08], ecx
:00534B43 8955FC mov dword ptr [ebp-04], edx
:00534B46 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=FLY
:00534B49 E8BAF5ECFF call 00404108
:00534B4E 33C0 xor eax, eax
:00534B50 55 push ebp
:00534B51 68154C5300 push 00534C15
:00534B56 64FF30 push dword ptr fs:[eax]
:00534B59 648920 mov dword ptr fs:[eax], esp
:00534B5C 33FF xor edi, edi
:00534B5E 8D45F4 lea eax, dword ptr [ebp-0C]
:00534B61 8B55FC mov edx, dword ptr [ebp-04]
====>EDX=FLY
:00534B64 E803F2ECFF call 00403D6C
:00534B69 8B45F4 mov eax, dword ptr [ebp-0C]
:00534B6C E8E3F3ECFF call 00403F54
====>取FLY长度
:00534B71 8BF0 mov esi, eax
====>ESI=EAX=3
:00534B73 85F6 test esi, esi
:00534B75 7E58 jle 00534BCF
:00534B77 BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BCD(C)
|
:00534B7C 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=FLY
:00534B7F 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次取FLY字符的HEX值
1、 ====>AL=46
2、 ====>AL=4C
3、 ====>AL=59
:00534B83 E858FFFFFF call 00534AE0
====>呵呵,这里面有一个分支判断有点意思!猜测一下:程序检测上面所取字符的HEX(DEC)值是否是素数?如果是素数的话,则下面不跳,保留该字符到结果中。并且是小写字母的则转化为大写字母。^O^^O^
:00534B88 84C0 test al, al
:00534B8A 7425 je 00534BB1
:00534B8C 8D45E8 lea eax, dword ptr [ebp-18]
:00534B8F 8B55F4 mov edx, dword ptr [ebp-0C]
:00534B92 8A541AFF mov dl, byte ptr [edx+ebx-01]
3、 ====>DL=59
:00534B96 E8E1F2ECFF call 00403E7C
:00534B9B 8B45E8 mov eax, dword ptr [ebp-18]
3、 ====>EAX=Y
:00534B9E 8D55EC lea edx, dword ptr [ebp-14]
:00534BA1 E84A3EEDFF call 004089F0
:00534BA6 8B55EC mov edx, dword ptr [ebp-14]
:00534BA9 8D45F0 lea eax, dword ptr [ebp-10]
:00534BAC E8ABF3ECFF call 00403F5C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B8A(C)
|
:00534BB1 83FB01 cmp ebx, 00000001
====>第一位字符运算2遍
:00534BB4 740A je 00534BC0
:00534BB6 8B45F4 mov eax, dword ptr [ebp-0C]
:00534BB9 0FB64418FE movzx eax, byte ptr [eax+ebx-02]
2、 ====>EAX=46
3、 ====>EAX=4C
:00534BBE EB06 jmp 00534BC6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BB4(C)
|
:00534BC0 8B45F4 mov eax, dword ptr [ebp-0C]
:00534BC3 0FB600 movzx eax, byte ptr [eax]
1、 ====>EAX=46
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BBE(U)
|
:00534BC6 C1E003 shl eax, 03
1、 ====>EAX=46 SHL 3=00000230
2、 ====>EAX=46 SHL 3=00000230
3、 ====>EAX=4C SHL 3=00000260
:00534BC9 03F8 add edi, eax
1、 ====>EDI=00000230 + 00000000=00000230
2、 ====>EDI=00000230 + 00000230=00000460
3、 ====>EDI=00000460 + 00000260=000006C0(H)=1728(D)
:00534BCB 43 inc ebx
:00534BCC 4E dec esi
:00534BCD 75AD jne 00534B7C
====>循环用户名位数次
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B75(C)
|
:00534BCF 8D55E4 lea edx, dword ptr [ebp-1C]
:00534BD2 8BC7 mov eax, edi
====>EAX=EDI=6C0
:00534BD4 E81B42EDFF call 00408DF4
====>将6C0转化成10进制值1728
:00534BD9 8B4DE4 mov ecx, dword ptr [ebp-1C]
====>ECX=1728
:00534BDC 8D45F4 lea eax, dword ptr [ebp-0C]
:00534BDF 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=Y
:00534BE2 E8B9F3ECFF call 00403FA0
====>将Y和1728连接起来
:00534BE7 8B45F8 mov eax, dword ptr [ebp-08]
:00534BEA 8B55F4 mov edx, dword ptr [ebp-0C]
====>EDX=Y1728
:00534BED E836F1ECFF call 00403D28
:00534BF2 33C0 xor eax, eax
:00534BF4 5A pop edx
:00534BF5 59 pop ecx
:00534BF6 59 pop ecx
:00534BF7 648910 mov dword ptr fs:[eax], edx
:00534BFA 681C4C5300 push 00534C1C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534C1A(U)
|
:00534BFF 8D45E4 lea eax, dword ptr [ebp-1C]
:00534C02 BA05000000 mov edx, 00000005
:00534C07 E8ECF0ECFF call 00403CF8
:00534C0C 8D45FC lea eax, dword ptr [ebp-04]
:00534C0F E8C0F0ECFF call 00403CD4
:00534C14 C3 ret
—————————————————————————————————
看看 素数 分支判断:00534B83 call 00534AE0
* Referenced by a CALL at Address:
|:00534B83
|
:00534AE0 55 push ebp
:00534AE1 8BEC mov ebp, esp
:00534AE3 51 push ecx
:00534AE4 53 push ebx
:00534AE5 56 push esi
:00534AE6 8845FF mov byte ptr [ebp-01], al
:00534AE9 C645FD02 mov [ebp-03], 02
:00534AED C645FE01 mov [ebp-02], 01
:00534AF1 8A4DFF mov cl, byte ptr [ebp-01]
:00534AF4 49 dec ecx
:00534AF5 80E902 sub cl, 02
:00534AF8 722A jb 00534B24
:00534AFA 41 inc ecx
:00534AFB B302 mov bl, 02
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B22(C)
|
:00534AFD 33C0 xor eax, eax
:00534AFF 8A45FF mov al, byte ptr [ebp-01]
:00534B02 33D2 xor edx, edx
:00534B04 8AD3 mov dl, bl
:00534B06 8BF2 mov esi, edx
:00534B08 33D2 xor edx, edx
:00534B0A F7F6 div esi
:00534B0C 85D2 test edx, edx
:00534B0E 7503 jne 00534B13
:00534B10 FE45FD inc [ebp-03]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B0E(C)
|
:00534B13 807DFD02 cmp byte ptr [ebp-03], 02
:00534B17 7606 jbe 00534B1F
:00534B19 C645FE00 mov [ebp-02], 00
:00534B1D EB05 jmp 00534B24
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B17(C)
|
:00534B1F 43 inc ebx
:00534B20 FEC9 dec cl
:00534B22 75D9 jne 00534AFD
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00534AF8(C), :00534B1D(U)
|
:00534B24 8A45FE mov al, byte ptr [ebp-02]
:00534B27 5E pop esi
:00534B28 5B pop ebx
:00534B29 59 pop ecx
:00534B2A 5D pop ebp
:00534B2B C3 ret
—————————————————————————————————
【KeyMake之{66th}Pro版内存注册机】:
中断地址:00535583
中断次数:1
第一字节:E8
指令长度:5
内存方式:EAX
—————————————————————————————————
【注册信息保存】:
C:\WINDOWS\SYSTEM 下的udmwm.sys文件。呵呵,想尽办法的隐藏自己呀。
可以用记事本打开的。
[5468616E6B796F75]
4964=3337373332
4C64=3337373333
487569=0
4D61=373736313734363537322D59313732382D36443631373236424537323732
4D696E67=666C79403236332E6E6574
55736572=666C79
4C6963656E7365=506C7573
—————————————————————————————————
【整 理】:
用户名:fly
电 邮:fly@263.net
注册码:Y1728-E7272 (Plus版)
注册码:7761746572-Y1728-6D61726BE7272 (Pro 版)
—————————————————————————————————
, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
- 文章评论
-
热门文章
去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有2条评论>>