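Algorithm analysis: 批量更名专家 (Batch Rename Expert) V1.5 Build 1111
Download: http://www.skycn.com/soft/7412.html
Size: 888 KB
Language: Simplified Chinese
Category: Chinese software / Free version / File renaming
Platform: Win9x/NT/2000/XP
Date added: 2002-11-11 14:32:01
Downloads: 12853
Rating: ***
Developer: http://zigsoft.yeah.net
【Software description】: 批量更名专家 is an excellent batch file-renaming tool with very fast renaming. Its simple Explorer-style interface is very easy to pick up. It can batch-modify file attributes and dates, change extensions, change letter case, insert, delete and replace text, rename with a distinctive sequence-number feature, edit file names directly, rename MP3 files from their ID3 information, and more.
【Software restriction】: 30-day trial.
【Author's statement】: I am new to cracking and do this purely out of interest, with no other purpose. Corrections from more experienced readers are welcome!
【Tools】: TRW2000 (娃娃 modified edition), FI2.5, AspackDie, RegMon, W32Dasm 8.93 Gold Edition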
—————————————————————————————
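【Process】:
Heh, this one is simple, and many people have already cracked it. While browsing 天空 I saw that it was small, so I downloaded it for practice.
Finding the registration code is easy, but analysing the algorithm carefully takes patience and perseverance.
For a beginner, analysing an algorithm is really hard! The algorithm is simple, but it winds back and forth and gave me a headache.
Enter the trial information.
User name: flysky12 (must not be shorter than 8 characters)
Trial code: 13572468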
—————————————————————————————
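The software validates the registration code after a restart, so it must store the code in the registry or in some other file. Monitoring with RegMon reveals the "tail" it leaves in the registry.
Heh, that shows a value named "RWCode". The usual approach: search the disassembly for RWCode, which leads straight to the core at 4B8E92. So first set BPX 4B8E92 in TRW, then reload the program. Press F5 and the program is intercepted!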
—————————————————————————————
1. The user name must not be shorter than 8 characters
:004B979C E81FA8F4FF call 00403FC0
:004B97A1 83F808 cmp eax, 00000008
====>Is the user name shorter than 8 characters?
:004B97A4 7D1D jge 004B97C3
====>If it is shorter than 8 characters the jump is not taken, and it is OVER!
:004B97A6 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"警告框"
|
:004B97A8 B930994B00 mov ecx, 004B9930
* Possible StringData Ref from Code Obj ->"用户名太短或者注册号不对!"
|
:004B97AD BA38994B00 mov edx, 004B9938
—————————————————————————————
2. Start tracing!
* Possible StringData Ref from Code Obj ->"RWCode"
====>Where the registration information is stored!
:004B8E92 BA28904B00 mov edx, 004B9028
====>We break here!
Step with F10 and pay close attention! After one RET we quickly reach the core!
…… ……
:004B8EF0 8D55F0 lea edx, dword ptr [ebp-10]
:004B8EF3 8B45FC mov eax, dword ptr [ebp-04]
====>D EAX = the trial information we entered
:004B8EF6 E845FDFFFF call 004B8C40
====>Algorithm CALL! Press F8 to step in!
:004B8EFB 8B45F0 mov eax, dword ptr [ebp-10]
:004B8EFE 8B55F8 mov edx, dword ptr [ebp-08]
:004B8F01 E8CAB1F4FF call 004040D0
====>Comparison CALL! Press F8 to step in!
:004B8F06 0F85AB000000 jne 004B8FB7
====>If the jump is taken, it is OVER!
:004B8F0C B201 mov dl, 01
:004B8FA7 8B45F4 mov eax, dword ptr [ebp-0C]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B8EE0(C), :004B8EEA(C), :004B8F06(C)
|
:004B8FB7 33C0 xor eax, eax
—————————————————————————————
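3. Press F8 to step into the algorithm CALL: 004B8EF6 call 004B8C40
Note: the "1, 2, 3 ..." below refer to the order of the loop iterations. It is best to trace it yourself, because it is easy to get lost. Heh, it gave me a hard time. The key results below are all marked with ********!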
* Referenced by a CALL at Address:
|:004B8EF6
|
:004B8C40 55 push ebp
:004B8C41 8BEC mov ebp, esp
:004B8C43 B904000000 mov ecx, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C4D(C)
|
:004B8C48 6A00 push 00000000
:004B8C4A 6A00 push 00000000
:004B8C4C 49 dec ecx
:004B8C4D 75F9 jne 004B8C48
:004B8C4F 51 push ecx
:004B8C50 53 push ebx
:004B8C51 56 push esi
:004B8C52 57 push edi
:004B8C53 8955F8 mov dword ptr [ebp-08], edx
:004B8C56 8945FC mov dword ptr [ebp-04], eax
:004B8C59 8B45FC mov eax, dword ptr [ebp-04]
====>User name goes into EAX
:004B8C5C E813B5F4FF call 00404174
:004B8C61 33C0 xor eax, eax
:004B8C63 55 push ebp
:004B8C64 68DC8D4B00 push 004B8DDC
:004B8C69 64FF30 push dword ptr fs:[eax]
:004B8C6C 648920 mov dword ptr fs:[eax], esp
:004B8C6F B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"|"A"
|
:004B8C71 A1F8034100 mov eax, dword ptr [004103F8]
:004B8C76 E849A3F4FF call 00402FC4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C02(C)
|
:004B8C7B 8945EC mov dword ptr [ebp-14], eax
:004B8C7E 33C0 xor eax, eax
:004B8C80 55 push ebp
:004B8C81 689A8D4B00 push 004B8D9A
:004B8C86 64FF30 push dword ptr fs:[eax]
:004B8C89 648920 mov dword ptr fs:[eax], esp
:004B8C8C 8D45F4 lea eax, dword ptr [ebp-0C]
:004B8C8F 8B55FC mov edx, dword ptr [ebp-04]
:004B8C92 E841B1F4FF call 00403DD8
:004B8C97 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8C9A E821B3F4FF call 00403FC0
====>Get the length of the user name.
:004B8C9F 8BF0 mov esi, eax
====>?EAX=8, goes into ESI
:004B8CA1 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8CA4 E817B3F4FF call 00403FC0
:004B8CA9 8BD8 mov ebx, eax
:004B8CAB 85DB test ebx, ebx
====>?EBX=8, the length of the user name
:004B8CAD 0F8EA0000000 jle 004B8D53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D4D(C)
The registration-code loop starts here! Read carefully! The author really spared no trouble; I nearly got dizzy tracing it. ^-^
:004B8CB3 8BC3 mov eax, ebx
====>EAX is the loop counter, decreasing by one each time.
:004B8CB5 2501000080 and eax, 80000001
====>Keeps the last bit of eax; if eax is odd its last bit is 1, so below
:004B8CBA 7905 jns 004B8CC1
:004B8CBC 48 dec eax
:004B8CBD 83C8FE or eax, FFFFFFFE
:004B8CC0 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CBA(C)
|
:004B8CC1 85C0 test eax, eax
:004B8CC3 752E jne 004B8CF3
====>Does this test for odd or even and branch accordingly?
:004B8CC5 8B45F4 mov eax, dword ptr [ebp-0C]
====>D EAX=flysky12
:004B8CC8 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
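EBX=8, take the 8th character ====>1. ?EAX=32, the hex value of '2'
EBX=6, take the 6th character ====>3. ?EAX=79, the hex value of 'y'
EBX=4, take the 4th character ====>5. ?EAX=73, the hex value of 's'
EBX=2, take the 2nd character ====>7. ?EAX=6C, the hex value of 'l'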
:004B8CCD 8BD6 mov edx, esi
====>8 goes into EDX
:004B8CCF 2BD3 sub edx, ebx
====>1. EDX=8-8=0
====>3. EDX=8-6=2
====>5. EDX=8-4=4
====>7. EDX=8-2=6
:004B8CD1 8B4DF4 mov ecx, dword ptr [ebp-0C]
====>D ECX=flysky12
:004B8CD4 0FB65411FF movzx edx, byte ptr [ecx+edx-01]
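Take the character at position 0 ====>1. EDX=0, i.e. the character is taken from position 0
Take the character at position 2 ====>3. EDX=6C, the hex value of 'l'
Take the character at position 4 ====>5. EDX=73, the hex value of 's'
Take the character at position 6 ====>7. EDX=79, the hex value of 'y'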
:004B8CD9 F7EA imul edx
====>1. EAX=32*0=0
====>3. EAX=79*6C=330C
====>5. EAX=73*73=33A9
====>7. EAX=6C*79=330C
:004B8CDB 83E003 and eax, 00000003
====>1. EAX=0&3=0 (a bitwise AND in each case)
====>3. EAX=330C&3=0
====>5. EAX=33A9&3=1
====>7. EAX=330C&3=0
:004B8CDE 8D55E8 lea edx, dword ptr [ebp-18]
:004B8CE1 E87E04F5FF call 00409164
====>This CALL converts the value obtained above to its decimal representation
:004B8CE6 8B55E8 mov edx, dword ptr [ebp-18]
====>The result goes into EDX
====>1. EDX=0
********
====>3. EDX=0
********
====>5. EDX=1
********
====>7. EDX=0
********
:004B8CE9 8B45EC mov eax, dword ptr [ebp-14]
:004B8CEC 8B08 mov ecx, dword ptr [eax]
:004B8CEE FF5134 call [ecx+34]
:004B8CF1 EB57 jmp 004B8D4A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CC3(C)
|
:004B8CF3 8BC3 mov eax, ebx
====>2. 7 goes into EAX
====>4. 5 goes into EAX
====>6. 3 goes into EAX
====>8. 1 goes into EAX
:004B8CF5 B903000000 mov ecx, 00000003
====>3 goes into ECX
:004B8CFA 99 cdq
:004B8CFB F7F9 idiv ecx
====>2. EAX=7/3=2 remainder 1
====>4. EAX=5/3=1 remainder 2
====>6. EAX=3/3=1 remainder 0
====>8. EAX=1/3
:004B8CFD 85D2 test edx, edx
:004B8CFF 752B jne 004B8D2C
====>If EDX=0 the jump is not taken! That is, it jumps when the value is not evenly divisible!
:004B8D01 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=flysky12
:004B8D04 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
EBX=3, take the 3rd character ====>6. EAX=79, the hex value of 'y'
:004B8D09 8BD6 mov edx, esi
:004B8D0B 2BD3 sub edx, ebx
====>6. EDX=8-3=5
:004B8D0D 8B4DF4 mov ecx, dword ptr [ebp-0C]
====>D ECX=flysky12
:004B8D10 0FB65411FF movzx edx, byte ptr [ecx+edx-01]
EDX=5, take the 5th character ====>6. D EDX=6B, the hex value of 'k'
:004B8D15 03C2 add eax, edx
====>6. EAX=79+6B=E4
:004B8D17 8D55E4 lea edx, dword ptr [ebp-1C]
:004B8D1A E84504F5FF call 00409164
====>This CALL converts the value obtained above to its decimal representation
:004B8D1F 8B55E4 mov edx, dword ptr [ebp-1C]
====>6. EDX=228, the decimal value of E4
********
:004B8D22 8B45EC mov eax, dword ptr [ebp-14]
:004B8D25 8B08 mov ecx, dword ptr [eax]
:004B8D27 FF5134 call [ecx+34]
:004B8D2A EB1E jmp 004B8D4A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CFF(C)
|
:004B8D2C 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=flysky12
:004B8D2F 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
EBX=7 ====>2. EAX=31, the 7th character
EBX=5 ====>4. EAX=6B, the 5th character
EBX=1 ====>8. EAX=66, the 1st character
:004B8D34 83C005 add eax, 00000005
====>2. EAX=31+5=36
====>4. EAX=6B+5=70
====>8. EAX=66+5=6B
:004B8D37 8D55E0 lea edx, dword ptr [ebp-20]
:004B8D3A E82504F5FF call 00409164
====>This CALL converts the value obtained above to its decimal representation
:004B8D3F 8B55E0 mov edx, dword ptr [ebp-20]
====>2. EDX= 54, the decimal value of 36
********
====>4. EDX=112, the decimal value of 70
********
====>8. EDX=107, the decimal value of 6B
********
:004B8D42 8B45EC mov eax, dword ptr [ebp-14]
:004B8D45 8B08 mov ecx, dword ptr [eax]
:004B8D47 FF5134 call [ecx+34]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B8CF1(U), :004B8D2A(U)
|
:004B8D4A 4B dec ebx
====>EBX is decremented by one each time
====>1. EBX=7
====>2. EBX=6
…… ……
:004B8D4B 85DB test ebx, ebx
:004B8D4D 0F8F60FFFFFF jg 004B8CB3
====>Not all characters consumed yet? Continue the loop!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CAD(C)
|
:004B8D53 8B45EC mov eax, dword ptr [ebp-14]
:004B8D56 8B10 mov edx, dword ptr [eax]
:004B8D58 FF5214 call [edx+14]
:004B8D5B 8BF0 mov esi, eax
:004B8D5D 4E dec esi
:004B8D5E 85F6 test esi, esi
:004B8D60 7C22 jl 004B8D84
:004B8D62 46 inc esi
:004B8D63 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D82(C)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
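The loop below takes the results of the 8 iterations above and concatenates them in reverse order (8, 7, 6, 5, 4, 3, 2, 1); the final result is stored at [EBP-10]! This is the real code we traced with so much effort!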
:004B8D65 8D4DDC lea ecx, dword ptr [ebp-24]
:004B8D68 8BD3 mov edx, ebx
:004B8D6A 8B45EC mov eax, dword ptr [ebp-14]
:004B8D6D 8B38 mov edi, dword ptr [eax]
:004B8D6F FF570C call [edi+0C]
:004B8D72 8B55DC mov edx, dword ptr [ebp-24]
:004B8D75 8D45F0 lea eax, dword ptr [ebp-10]
:004B8D78 8B4DF0 mov ecx, dword ptr [ebp-10]
:004B8D7B E88CB2F4FF call 0040400C
:004B8D80 43 inc ebx
:004B8D81 4E dec esi
:004B8D82 75E1 jne 004B8D65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D60(C)
|
:004B8D84 33C0 xor eax, eax
:004B8D86 5A pop edx
:004B8D87 59 pop ecx
:004B8D88 59 pop ecx
:004B8D89 648910 mov dword ptr fs:[eax], edx
:004B8D8C 68A18D4B00 push 004B8DA1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D9F(U)
|
:004B8D91 8B45EC mov eax, dword ptr [ebp-14]
:004B8D94 E85BA2F4FF call 00402FF4
:004B8D99 C3 ret
—————————————————————————————
4. Press F8 to step into the comparison CALL: 004B8F01 call 004040D0
:004040D0 53 push ebx
:004040D1 56 push esi
:004040D2 57 push edi
:004040D3 89C6 mov esi, eax
:004040D5 89D7 mov edi, edx
:004040D7 39D0 cmp eax, edx
====>D EAX = the real code!!
====>D EDX = the trial code
:004040D9 0F848F000000 je 0040416E
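The comparison at 004040D7 is readable in a debugger because the program derives the valid code from the user name and holds it in EAX beside the entered one. The following is an added example, not code from the original article or from the program: it contrasts that derive-and-compare pattern with a check in which the client only verifies a vendor signature. The key is a small constructed demonstration key, the derivation in `weak_check` is a stand-in rather than the program's algorithm, and all function names are hypothetical.

```python
import hashlib

# Constructed demonstration key built from two Mersenne primes. It is far too
# small for real use; a product would use a vetted signature library.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, stays with the vendor


def digest(user: str) -> int:
    """Hash the user name into the signature domain [0, N)."""
    return int.from_bytes(hashlib.sha256(user.encode()).digest(), "big") % N


def weak_check(user: str, code: str) -> bool:
    """Pattern seen in the trace: derive the valid code, then compare.

    The derivation is a stand-in (assumption), not the program's algorithm.
    The point is that `expected` holds the valid code in client memory.
    """
    expected = str(digest(user))
    return code == expected


def vendor_issue(user: str) -> str:
    """Vendor side only: sign the user-name digest with the private key."""
    return format(pow(digest(user), D, N), "x")


def client_verify(user: str, code: str) -> bool:
    """Client side: needs only (N, E) and never computes a valid code."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False                   # malformed input is simply rejected
    if not 0 <= sig < N:
        return False
    return pow(sig, E, N) == digest(user)
```

With this design the values present at the comparison are the user's own input and a public digest. It does not by itself protect the branch that acts on the result.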
—————————————————————————————
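【In-memory keygen with KeyMake】:
Breakpoint address: 4B8F01
Break count: 1
First byte: E8
Instruction length: 5
Breakpoint address: 4040D7
Break count: 1
First byte: 39
Instruction length: 2
Memory mode: EAX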
—————————————————————————————
【Where the registration information is stored】:
[HKEY_LOCAL_MACHINE\Software\zigsoft\rw1.5\setup]
"RWUser"="flysky12"
"RWCode"="107022811120540"
—————————————————————————————
【Summary】:
User name: flysky12
Registration code: 107022811120540
—————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-2-7 23:00