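Algorithm Analysis: MiniCalendar (迷你日历) V2.2
Download URL: http://www.skycn.com/soft/9249.html
Size: 814 KB
Language: Simplified Chinese
Category: Chinese software / Shareware / Clocks and calendars
Platform: Win9x/NT/2000/XP
Date added: 2003-02-07 11:06:35
Downloads: 15122
Rating: * * *
Developer: http://asp2.6to23.com/gar/
[Software description]: MiniCalendar is a multi-function calendar program that combines side-by-side Gregorian and lunar calendar lookup (1901-2099) in two interfaces, a notes field, note search, dynamic reminders for important notes, user-defined festivals, festival previews, calendar printing, and lookup of various calendar information (solar terms, festivals, the "nine nines" of winter, the three hottest periods of summer, zodiac animals, traditional hours, and so on). Its features in brief: 1. Dual Gregorian/lunar interface: the calendar can be displayed with either the Gregorian or the lunar calendar as primary, the two views can be switched freely, and either view supports cross-lookup between lunar and Gregorian dates, which is especially convenient for people who reckon dates mainly by the lunar calendar. 2. Notes and note search: every date has a notes field where you can write schedules or memos; once many notes have accumulated over time, the note search function makes earlier notes easy to find. 3. Dynamic reminders for important notes: notes you consider important can be marked as dynamic reminders, and the program will then periodically show them in a conspicuous floating reminder window, accompanied by a ringtone and animation. 4. Interface configuration wizard: to suit individual tastes, the colours, fonts, skins and background images of different areas of the interface can be changed freely, producing endlessly varied calendar interfaces. 5. User-defined festivals: you can add your favourite festivals or your birthday to the calendar to personalise it. 6. Festival preview: upcoming festivals of each type can be announced in advance, making it easier to plan for them. 7. Calendar printing: distinctive, attractive calendars can be printed at any size.
[Software restriction]: feature-limited
[Author's statement]: I am new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!
[Tools]: TRW2000 (娃娃 modified build), W32Dasm 8.93 (Gold edition), OllyDbg 1.09
—————————————————————————————
[Process]:
Get ready a cup of strong tea, a pack of cigarettes, a pen, a scratch pad and a calm mind...
Heh, let's get to work! ^-^^-^ My skill level is low and much of this may be poorly expressed, so corrections from more experienced readers are welcome!
Machine code: A8F4W303XY
Trial code: BCDEFGHIJKSTUVWXCDEF
(The trial code must be 20 characters long and is restricted in which characters it may contain. Just filling in a trial code is not that easy ^-^)
The program is not packed and is written in Delphi. Disassemble it. Fortunately, all the important message strings are there.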
——————————————————————————————
:004A8F86 E8FD0BFAFF call 00449B88
:004A8F8B 8B45F0 mov eax, dword ptr [ebp-10]
:004A8F8E 8D55F4 lea edx, dword ptr [ebp-0C]
:004A8F91 E8CAF8FEFF call 00498860
:004A8F96 8B45F4 mov eax, dword ptr [ebp-0C]
:004A8F99 8D55F8 lea edx, dword ptr [ebp-08]
:004A8F9C E8DB00F6FF call 0040907C
:004A8FA1 8B45F8 mov eax, dword ptr [ebp-08]
:004A8FA4 E897BEF5FF call 00404E40
:004A8FA9 83F814 cmp eax, 00000014
====>Is the trial code 20 characters long?
:004A8FAC 741D je 004A8FCB
====>Should jump!
:004A8FAE 6A00 push 00000000
:004A8FB0 B914914A00 mov ecx, 004A9114
* Possible StringData Ref from Code Obj ->"注册码输入长度非法 !"
|
:004A8FB5 BA20914A00 mov edx, 004A9120
:004A8FBA A194314F00 mov eax, dword ptr [004F3194]
:004A8FBF 8B00 mov eax, dword ptr [eax]
:004A8FC1 E8360EFCFF call 00469DFC
:004A8FC6 E90C010000 jmp 004A90D7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8FAC(C)
|
:004A8FCB 33FF xor edi, edi
:004A8FCD B801000000 mov eax, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8FF9(C)
The loop below checks whether each character of the entered registration code is one of BCDEFGHIJKSTUVWX; if not, it is an "illegal character"!
:004A8FD2 8B55F8 mov edx, dword ptr [ebp-08]
:004A8FD5 8A5402FF mov dl, byte ptr [edx+eax-01]
:004A8FD9 8BCA mov ecx, edx
:004A8FDB 80C1BE add cl, BE
:004A8FDE 80E90A sub cl, 0A
:004A8FE1 7212 jb 004A8FF5
:004A8FE3 8B4DF8 mov ecx, dword ptr [ebp-08]
:004A8FE6 80C2AD add dl, AD
:004A8FE9 80EA06 sub dl, 06
:004A8FEC 7207 jb 004A8FF5
:004A8FEE BF01000000 mov edi, 00000001
:004A8FF3 EB06 jmp 004A8FFB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A8FE1(C), :004A8FEC(C)
|
:004A8FF5 40 inc eax
:004A8FF6 83F815 cmp eax, 00000015
:004A8FF9 75D7 jne 004A8FD2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8FF3(U)
|
:004A8FFB 4F dec edi
:004A8FFC 751D jne 004A901B
====>Should jump!
:004A8FFE 6A00 push 00000000
:004A9000 B914914A00 mov ecx, 004A9114
* Possible StringData Ref from Code Obj ->"注册码中输入了非法字符 !"
|
:004A9005 BA38914A00 mov edx, 004A9138
:004A900A A194314F00 mov eax, dword ptr [004F3194]
:004A900F 8B00 mov eax, dword ptr [eax]
:004A9011 E8E60DFCFF call 00469DFC
:004A9016 E9BC000000 jmp 004A90D7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8FFC(C)
|
:004A901B 8D45EC lea eax, dword ptr [ebp-14]
:004A901E E88102FFFF call 004992A4
:004A9023 8B45EC mov eax, dword ptr [ebp-14]
:004A9026 50 push eax
:004A9027 8D55E8 lea edx, dword ptr [ebp-18]
:004A902A 8B45F8 mov eax, dword ptr [ebp-08]
:004A902D E8B2EEFEFF call 00497EE4
====>Key CALL! Step into it with F8!
:004A9032 8B55E8 mov edx, dword ptr [ebp-18]
====>D EDX=1BDAC2999555E7B2EBB6
:004A9035 58 pop eax
====>D EAX=A8F4W303XY
:004A9036 E849BFF5FF call 00404F84
====>Comparison CALL! Step into it with F8!
:004A903B 756E jne 004A90AB
====>If this jumps, it is OVER!
:004A903D 8B45F8 mov eax, dword ptr [ebp-08]
:004A9040 E807ECFEFF call 00497C4C
:004A9045 A1DC304F00 mov eax, dword ptr [004F30DC]
:004A904A C70001000000 mov dword ptr [eax], 00000001
:004A9050 A1F42E4F00 mov eax, dword ptr [004F2EF4]
:004A9055 C70001000000 mov dword ptr [eax], 00000001
:004A905B A16C2F4F00 mov eax, dword ptr [004F2F6C]
:004A9060 C70001000000 mov dword ptr [eax], 00000001
:004A9066 A1842C4F00 mov eax, dword ptr [004F2C84]
:004A906B C70001000000 mov dword ptr [eax], 00000001
:004A9071 A1A8324F00 mov eax, dword ptr [004F32A8]
:004A9076 C70001000000 mov dword ptr [eax], 00000001
:004A907C A19C334F00 mov eax, dword ptr [004F339C]
:004A9081 C70058020000 mov dword ptr [eax], 00000258
:004A9087 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"注册《迷你日历》提醒 !!!"
|
:004A9089 B954914A00 mov ecx, 004A9154
* Possible StringData Ref from Code Obj ->"真诚地感谢您对《迷你日历》开发工作的支持 "
->"!
请注意:您现在使用的是共享免费版,功能受到"
->"限制,
只有使用我们发给您的真正共享版进行注册"
->",才能得到全部功能。
"
->" 祝您注册顺利 !
"
|
:004A908E BA70914A00 mov edx, 004A9170
:004A9093 A194314F00 mov eax, dword ptr [004F3194]
:004A9098 8B00 mov eax, dword ptr [eax]
:004A909A E85D0DFCFF call 00469DFC
:004A909F 8B55FC mov edx, dword ptr [ebp-04]
:004A90A2 8BC6 mov eax, esi
:004A90A4 E80BFEFFFF call 004A8EB4
:004A90A9 EB2C jmp 004A90D7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A903B(C)
|
:004A90AB A1DC304F00 mov eax, dword ptr [004F30DC]
:004A90B0 33D2 xor edx, edx
:004A90B2 8910 mov dword ptr [eax], edx
:004A90B4 A19C334F00 mov eax, dword ptr [004F339C]
:004A90B9 C70006000000 mov dword ptr [eax], 00000006
:004A90BF 6A00 push 00000000
* Possible StringData Ref from Code Obj ->" 注册失败 !"
|
:004A90C1 B934924A00 mov ecx, 004A9234
* Possible StringData Ref from Code Obj ->"注册没有通过,再试一试。"
|
:004A90C6 BA44924A00 mov edx, 004A9244
:004A90CB A194314F00 mov eax, dword ptr [004F3194]
:004A90D0 8B00 mov eax, dword ptr [eax]
:004A90D2 E8250DFCFF call 00469DFC
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A8FC6(U), :004A9016(U), :004A90A9(U)
|
:004A90D7 33C0 xor eax, eax
--------------------------------------------------------
I. Step into the key CALL with F8: 004A902D call 00497EE4
* Referenced by a CALL at Addresses:
|:004A902D , :004A9339 , :004ED991
|
:00497EE4 55 push ebp
:00497EE5 8BEC mov ebp, esp
:00497EE7 B906000000 mov ecx, 00000006
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497EF1(C)
|
:00497EEC 6A00 push 00000000
:00497EEE 6A00 push 00000000
:00497EF0 49 dec ecx
:00497EF1 75F9 jne 00497EEC
:00497EF3 51 push ecx
:00497EF4 53 push ebx
:00497EF5 56 push esi
:00497EF6 57 push edi
:00497EF7 8955F8 mov dword ptr [ebp-08], edx
:00497EFA 8945FC mov dword ptr [ebp-04], eax
:00497EFD 8B45FC mov eax, dword ptr [ebp-04]
:00497F00 E823D1F6FF call 00405028
:00497F05 33C0 xor eax, eax
:00497F07 55 push ebp
:00497F08 68FD804900 push 004980FD
:00497F0D 64FF30 push dword ptr fs:[eax]
:00497F10 648920 mov dword ptr fs:[eax], esp
:00497F13 8D55E0 lea edx, dword ptr [ebp-20]
:00497F16 8B45FC mov eax, dword ptr [ebp-04]
====>D EAX=BCDEFGHIJKSTUVWXCDEF
:00497F19 E89A11F7FF call 004090B8
====>This CALL converts the trial code to lowercase!
:00497F1E 8D45EC lea eax, dword ptr [ebp-14]
:00497F21 8B55E0 mov edx, dword ptr [ebp-20]
====>D EDX=bcdefghijkstuvwxcdef
:00497F24 E8F7CCF6FF call 00404C20
:00497F29 8D45F0 lea eax, dword ptr [ebp-10]
:00497F2C E857CCF6FF call 00404B88
:00497F31 BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497F58(C)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. The loop below subtracts 32 (hex) from the HEX value of each lowercase letter above, giving a new value!
:00497F36 8D45E8 lea eax, dword ptr [ebp-18]
:00497F39 8B55EC mov edx, dword ptr [ebp-14]
:00497F3C 0FB6541AFF movzx edx, byte ptr [edx+ebx-01]
====>Fetch the HEX value of each lowercase character in turn
:00497F41 83EA32 sub edx, 00000032
====>Subtract 32 (hex) from each in turn
:00497F44 E81FCEF6FF call 00404D68
:00497F49 8D45F0 lea eax, dword ptr [ebp-10]
:00497F4C 8B55E8 mov edx, dword ptr [ebp-18]
:00497F4F E8F4CEF6FF call 00404E48
:00497F54 43 inc ebx
:00497F55 83FB15 cmp ebx, 00000015
:00497F58 75DC jne 00497F36
====>Heh, loop away.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2. Convert the HEX values produced by the loop above into characters!
:00497F5A 8D45EC lea eax, dword ptr [ebp-14]
:00497F5D E826CCF6FF call 00404B88
====>Convert the HEX values produced by the loop above into characters
:00497F62 BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497F95(C)
|
:00497F67 8D45E8 lea eax, dword ptr [ebp-18]
:00497F6A 8B55F0 mov edx, dword ptr [ebp-10]
====>D EDX=0123456789ABCDEF1234
====>This is the result of converting my trial code!
##################################################################
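3. The loop below converts 0123456789ABCDEF1234 into its binary representation!
A question: what is the OllyDbg command for running straight to the cursor position (the equivalent of the F7 command in TRW)? ALT+F9 does not work. With this many loops, I had to set a breakpoint outside each loop and then press CTRL+F9. Otherwise I would collapse from exhaustion. ^-^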
:00497F6D 8A541AFF mov dl, byte ptr [edx+ebx-01]
====>Fetch each newly obtained character in turn
:00497F71 E8F2CDF6FF call 00404D68
:00497F76 8D4DE4 lea ecx, dword ptr [ebp-1C]
:00497F79 BA03000000 mov edx, 00000003
:00497F7E 8B45E8 mov eax, dword ptr [ebp-18]
:00497F81 E8E2030000 call 00498368
:00497F86 8D45EC lea eax, dword ptr [ebp-14]
:00497F89 8B55E4 mov edx, dword ptr [ebp-1C]
:00497F8C E8B7CEF6FF call 00404E48
:00497F91 43 inc ebx
:00497F92 83FB15 cmp ebx, 00000015
:00497F95 75D0 jne 00497F67
====>Heh, it never gets tired: yet another loop!
Result of the loop:
00000001001000110100010101100111100010011010101111001101111011110001001000110100
##################################################################
:00497F97 8D45F0 lea eax, dword ptr [ebp-10]
:00497F9A E8E9CBF6FF call 00404B88
:00497F9F 8D45E8 lea eax, dword ptr [ebp-18]
:00497FA2 E8E1CBF6FF call 00404B88
:00497FA7 8D45E4 lea eax, dword ptr [ebp-1C]
:00497FAA E8D9CBF6FF call 00404B88
:00497FAF BE01000000 mov esi, 00000001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
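4. Take bits from the binary string above, alternating between odd and even positions, and store them in reverse order!
This yields two new binary numbers!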
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497FF9(C)
:00497FB4 8BC6 mov eax, esi
:00497FB6 48 dec eax
:00497FB7 8BD8 mov ebx, eax
:00497FB9 03DB add ebx, ebx
:00497FBB 43 inc ebx
:00497FBC 8D45D8 lea eax, dword ptr [ebp-28]
:00497FBF 8B55EC mov edx, dword ptr [ebp-14]
====>D EDX=00000001001000110100010101100111100010011010101111001101111011110001001000110100
====>This is the result of the second conversion of my trial code!
:00497FC2 8A541AFF mov dl, byte ptr [edx+ebx-01]
====>This takes bits from the odd positions of the binary string above, in order!
i.e. positions 1, 3, 5, 7, ...
:00497FC6 E89DCDF6FF call 00404D68
:00497FCB 8B55D8 mov edx, dword ptr [ebp-28]
:00497FCE 8D45E8 lea eax, dword ptr [ebp-18]
====>The result is stored in REVERSE order in [ebp-18]
:00497FD1 8B4DE8 mov ecx, dword ptr [ebp-18]
====>Loop result
ECX=0010100011110101111101011010000010100000
:00497FD4 E8B3CEF6FF call 00404E8C
:00497FD9 8D45D4 lea eax, dword ptr [ebp-2C]
:00497FDC 8B55EC mov edx, dword ptr [ebp-14]
====>D EDX=00000001001000110100010101100111100010011010101111001101111011110001001000110100
:00497FDF 8A141A mov dl, byte ptr [edx+ebx]
====>This takes bits from the even positions of the binary string above, in order!
i.e. positions 2, 4, 6, 8, ...
:00497FE2 E881CDF6FF call 00404D68
:00497FE7 8B55D4 mov edx, dword ptr [ebp-2C]
:00497FEA 8D45E4 lea eax, dword ptr [ebp-1C]
====>The result is stored in REVERSE order in [ebp-1C]
:00497FED 8B4DE4 mov ecx, dword ptr [ebp-1C]
====>Loop result
ECX=0110001011011101100010001101110110001000
:00497FF0 E897CEF6FF call 00404E8C
:00497FF5 46 inc esi
:00497FF6 83FE29 cmp esi, 00000029
====>40 iterations
:00497FF9 75B9 jne 00497FB4
====>Heh, a "never-ending" loop!
:00497FFB 8D45F0 lea eax, dword ptr [ebp-10]
:00497FFE 8B4DE4 mov ecx, dword ptr [ebp-1C]
D ECX=0110001011011101100010001101110110001000
:00498001 8B55E8 mov edx, dword ptr [ebp-18]
D EDX=0010100011110101111101011010000010100000
:00498004 E883CEF6FF call 00404E8C
:00498009 8D45EC lea eax, dword ptr [ebp-14]
:0049800C E877CBF6FF call 00404B88
:00498011 BE01000000 mov esi, 00000001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
5. The loop below converts every 4 bits of the binary string obtained above into the corresponding hexadecimal digit!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00498055(C)
|
:00498016 8BC6 mov eax, esi
:00498018 48 dec eax
:00498019 8BD8 mov ebx, eax
:0049801B C1E303 shl ebx, 03
:0049801E 43 inc ebx
:0049801F 8D45E8 lea eax, dword ptr [ebp-18]
:00498022 50 push eax
:00498023 B908000000 mov ecx, 00000008
:00498028 8BD3 mov edx, ebx
:0049802A 8B45F0 mov eax, dword ptr [ebp-10]
====>EAX=00101000111101011111010110100000101000000110001011011101100010001101110110001000
:0049802D E866D0F6FF call 00405098
:00498032 8B45E8 mov eax, dword ptr [ebp-18]
:00498035 E822FEFFFF call 00497E5C
:0049803A 8BD8 mov ebx, eax
:0049803C 8D45D0 lea eax, dword ptr [ebp-30]
:0049803F 8BD3 mov edx, ebx
:00498041 E822CDF6FF call 00404D68
:00498046 8B55D0 mov edx, dword ptr [ebp-30]
:00498049 8D45EC lea eax, dword ptr [ebp-14]
:0049804C E8F7CDF6FF call 00404E48
:00498051 46 inc esi
:00498052 83FE0B cmp esi, 0000000B
:00498055 75BF jne 00498016
====>Heh, loop away.
Step 5 yields: 28 F5 F5 A0 A0 62 DD 88 DD
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
:00498057 C745DC07000000 mov [ebp-24], 00000007
:0049805E BE01000000 mov esi, 00000001
:00498063 8D45F0 lea eax, dword ptr [ebp-10]
:00498066 E81DCBF6FF call 00404B88
:0049806B BB01000000 mov ebx, 00000001
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
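6. Take digits in turn from the program's built-in string 5078346, do arithmetic on them, and XOR the results with the values obtained above!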
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004980C0(C)
|
:00498070 8B45EC mov eax, dword ptr [ebp-14]
:00498073 0FB67C18FF movzx edi, byte ptr [eax+ebx-01]
====>Fetch each value in turn!
====>1. EDI=28
====>2. EDI=F5
====>3. EDI=F5
====>4. EDI=A0
====>5. EDI=A0
====>6. EDI=62
====>7. EDI=DD
====>8. EDI=88
====>9. EDI=DD
====>10. EDI=88
:00498078 8D45CC lea eax, dword ptr [ebp-34]
:0049807B 50 push eax
:0049807C B901000000 mov ecx, 00000001
:00498081 8BD6 mov edx, esi
* Possible StringData Ref from Code Obj ->"5078346"
====>Note 5078346
I later found that the way the CALL below takes digits from 5078346 is fixed! Heh, at least that was a small "bargain".
:00498083 B814814900 mov eax, 00498114
:00498088 E80BD0F6FF call 00405098
:0049808D 8B45CC mov eax, dword ptr [ebp-34]
:00498090 E8D715F7FF call 0040966C
:00498095 03C3 add eax, ebx
====>1. 1+5=6
====>2. 0+2=2
====>3. 7+3=A
====>4. 8+4=C
====>5. 3+5=8
====>6. 4+6=A
====>7. 6+7=D
====>8. 5+8=D
====>9. 0+9=9
====>10. 7+A=11
:00498097 83C02D add eax, 0000002D
====>1. 6+2D=33
====>2. 2+2D=2F
====>3. A+2D=37
====>4. C+2D=39
====>5. 8+2D=35
====>6. A+2D=37
====>7. D+2D=3A
====>8. D+2D=3A
====>9. 9+2D=36
====>10. 11+2D=3E
:0049809A 33F8 xor edi, eax
====>XOR each with the value obtained in step 5!
====>1. 28 XOR 33=1B
====>2. F5 XOR 2F=DA
====>3. F5 XOR 37=C2
====>4. A0 XOR 39=99
====>5. A0 XOR 35=95
====>6. 62 XOR 37=55
====>7. DD XOR 3A=E7
====>8. 88 XOR 3A=B2
====>9. DD XOR 36=EB
====>10. 88 XOR 3E=B6
The result after the XOR, 1BDAC2999555E7B2EBB6, will be compared with our machine code;
if they are the same, registration succeeds!
:0049809C 8D45F4 lea eax, dword ptr [ebp-0C]
:0049809F 8BD7 mov edx, edi
:004980A1 E8C2CCF6FF call 00404D68
:004980A6 8D45F0 lea eax, dword ptr [ebp-10]
:004980A9 8B55F4 mov edx, dword ptr [ebp-0C]
:004980AC E897CDF6FF call 00404E48
:004980B1 46 inc esi
:004980B2 3B75DC cmp esi, dword ptr [ebp-24]
:004980B5 7E05 jle 004980BC
:004980B7 BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004980B5(C)
|
:004980BC 43 inc ebx
:004980BD 83FB0B cmp ebx, 0000000B
:004980C0 75AE jne 00498070
====>Loop!
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
:004980C2 8B45F8 mov eax, dword ptr [ebp-08]
:004980C5 8B55F0 mov edx, dword ptr [ebp-10]
:004980C8 E80FCBF6FF call 00404BDC
:004980CD 33C0 xor eax, eax
:004980CF 5A pop edx
:004980D0 59 pop ecx
:004980D1 59 pop ecx
:004980D2 648910 mov dword ptr fs:[eax], edx
:004980D5 6804814900 push 00498104
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00498102(U)
|
:004980DA 8D45CC lea eax, dword ptr [ebp-34]
:004980DD BA04000000 mov edx, 00000004
:004980E2 E8C5CAF6FF call 00404BAC
:004980E7 8D45E0 lea eax, dword ptr [ebp-20]
:004980EA BA06000000 mov edx, 00000006
:004980EF E8B8CAF6FF call 00404BAC
:004980F4 8D45FC lea eax, dword ptr [ebp-04]
:004980F7 E88CCAF6FF call 00404B88
:004980FC C3 ret
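The routine traced above (steps 1 to 6 of the call at 00497EE4, plus the length and character checks before it), written out as a Python model so the intermediate values in the trace can be checked. This is an added example, not code from the original page or from the program; the function and constant names are illustrative. Every step is a fixed transformation of the input with no secret involved, so the check can be followed from the listing alone.

```python
# Added example: forward model of the check at 00497EE4, following the
# page's steps 1-6. All names here are illustrative, not the program's.

ALLOWED = set("BCDEFGHIJKSTUVWX")   # character filter at 004A8FD2
KEY_DIGITS = "5078346"              # constant string at 00498114


def transform(code: str) -> bytes:
    """Return the 10 bytes that 00497EE4 derives from a 20-char code."""
    if len(code) != 20:
        raise ValueError("registration code must be 20 characters")
    if not set(code) <= ALLOWED:
        raise ValueError("illegal character in registration code")

    # Steps 1-2: lowercase, subtract 0x32 -> hex digits '0'-'9', 'A'-'F'.
    digits = "".join(chr(ord(c) - 0x32) for c in code.lower())

    # Step 3: each hex digit becomes 4 binary characters (80 in total).
    bits = "".join(format(int(d, 16), "04b") for d in digits)

    # Step 4: odd positions (1, 3, 5, ...) and even positions are
    # collected separately, each reversed, then concatenated.
    mixed = bits[0::2][::-1] + bits[1::2][::-1]

    # Step 5: every 8 binary characters form one byte.
    stage5 = [int(mixed[i:i + 8], 2) for i in range(0, 80, 8)]

    # Step 6: byte i (1-based) is XORed with digit + i + 0x2D, where the
    # digit index cycles through the 7 characters of KEY_DIGITS.
    out = bytearray()
    for i, value in enumerate(stage5, start=1):
        digit = int(KEY_DIGITS[(i - 1) % len(KEY_DIGITS)])
        out.append(value ^ (digit + i + 0x2D))
    return bytes(out)


def is_registered(code: str, machine_code: str) -> bool:
    """Mirror the comparison at 004A9036: transformed code == machine code."""
    return transform(code) == machine_code.encode("ascii")


if __name__ == "__main__":
    trial = "BCDEFGHIJKSTUVWXCDEF"          # trial code from the page
    print(transform(trial).hex().upper())   # value seen in EDX at 004A9032
    print(is_registered(trial, "A8F4W303XY"))
```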
—————————————————————————————
II. Step into the comparison CALL with F8: 004A9036 call 00404F84
:00404F84 53 push ebx
:00404F85 56 push esi
:00404F86 57 push edi
:00404F87 89C6 mov esi, eax
:00404F89 89D7 mov edi, edx
:00404F8B 39D0 cmp eax, edx
====>D EDX=1BDAC2999555E7B2EBB6
====>D EAX=A8F4W303XY
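Heh, the string obtained from the trial code we entered, after all its twists and turns, is compared with the machine code;
if they are the same it is OK, if not it is OVER! We have a lead!!!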
:00404F8D 0F848F000000 je 00405022
:00404F93 85F6 test esi, esi
:00404F95 7468 je 00404FFF
:00404F97 85FF test edi, edi
:00404F99 746B je 00405006
:00404F9B 8B46FC mov eax, dword ptr [esi-04]
:00404F9E 8B57FC mov edx, dword ptr [edi-04]
:00404FA1 29D0 sub eax, edx
:00404FA3 7702 ja 00404FA7
—————————————————————————————
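[Summary]:
OK! My head is spinning and my eyes are blurry by now, but let's press on while we are ahead! As the line goes, "do not ape the Overlord and court idle fame"; heh, after a night's sleep I might have forgotten most of the algorithm, and wouldn't that be a pity!
Now that the algorithm is known, let's pursue it in reverse!
I. We now know that the trial code we enter, after all its layers of transformation, must be identical to our machine code A8F4W303XY! So we start reversing from the loop in step 6!
The HEX values corresponding to A8F4W303XY are 41384634573330335859
1. 28 XOR 33=1B    (1) 33 XOR 41=72
2. F5 XOR 2F=DA    (2) 2F XOR 38=17
3. F5 XOR 37=C2    (3) 37 XOR 46=71
4. A0 XOR 39=99    (4) 39 XOR 34=0D
5. A0 XOR 35=95    (5) 35 XOR 57=62
6. 62 XOR 37=55    (6) 37 XOR 33=04
7. DD XOR 3A=E7    (7) 3A XOR 30=0A
8. 88 XOR 3A=B2    (8) 3A XOR 33=09
9. DD XOR 36=EB    (9) 36 XOR 58=6E
10. 88 XOR 3E=B6   (10) 3E XOR 59=67
Heh, this gives the other result of loop 5: 7217710D62040A096E67
II. Reverse the loop in step 5!
Treat 7217710D62040A096E67 as a hexadecimal number and convert it to binary:
0111 0010 0001 0111 0111 0001 0000 1101 0110 0010
0000 0100 0000 1010 0000 1001 0110 1110 0110 0111
III. Reverse step 4!
First reverse the order of the binary string above:
0100 0110 1011 0000 1000 1110 1110 1000 0100 1110
1110 0110 0111 0110 1001 0000 0101 0000 0010 0000
Then restore the odd/even ordering! This gives the other result of the loop in step 3:
0111 0100 0011 1100 1001 1111 0001 0100 1100 0001 1010 1000 1011 1001 1000 0000 0010 0100 1010 1000
IV. Reverse our step 3!
Convert the binary string above to characters:
7 4 3 C 9 F 1 4 C 1 A 8 B 9 8 0 2 4 A 8
V. Reverse our steps 2 and 1!
Heh, a small shortcut: we do not need to convert to HEX values, add 32 to each, and then convert to uppercase letters.
Just look at how the program converted our trial code:
BCDEFGHIJKSTUVWXCDEF ====> 0123456789ABCDEF1234
So we can simply read off the correspondence!
IFEUKXCFUCSJTKJBDFSJ <===> 743C9F14C1A8B98024A8
Heh, IFEUKXCFUCSJTKJBDFSJ is the real code I chased down with so much effort!
"Mission" accomplished! Time for me to rest. ^-^
From downloading to finishing took an afternoon plus most of an evening; oh, 10 hours before I was lucky enough to solve this one. It is probably the most "complex" algorithm I have analysed since I started learning to crack.
—————————————————————————————
[Where the registration information is stored]:
In Encode.ini in the program folder.
—————————————————————————————
[Results]:
Machine code: A8F4W303XY
Registration code: IFEUKXCFUCSJTKJBDFSJ
OK! We succeeded! But the program displays the notice: “请注意:您现在使用的是共享免费版,功能受到限制,只有使用我们发给您的真正共享版进行注册才能得到全部功能。” (Please note: you are currently using the free shareware edition, whose functions are limited; only by registering with the genuine shareware edition we send you can you get full functionality.)
Heh, that is not my fault! The author is quite shrewd.
Not that I was planning to use this software anyway. ^-^^-^
Cracked By 巢水工作坊——fly【OCN】
2003-2-11, 2:30 a.m.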