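Download page: http://www.skycn.com/soft/11652.html
Software size: 468 KB
Software language: Simplified Chinese
Software category: Domestic (Chinese) software / Shareware / Power and timer utilities
Platform: Win9x/NT/2000/XP
Date added: 2003-04-15 14:33:11
Downloads: 368
Rating: ***
Developer: http://www.truethink.net/
【Software description】: “创想游戏控制器软件” (a game controller program) was developed to keep minors from becoming so absorbed in games that their studies and health suffer. It has two main functions: first, monitoring games; second, terminating games. The monitoring function lets parents see which games a child played on the computer during the day, how long each one was played, when play started, when it ended, and so on. The termination function has the computer stop a game automatically, according to the parents' settings, once it has been played for a set time; for example, if only half an hour of play is allowed today, the computer closes the game half an hour after play begins, and no further play is allowed that day. The release of “创想游戏控制器软件” thoroughly solves the problem of students becoming addicted to computer games at the expense of their studies and health.
【Software restrictions】: Feature-limited.
【Author's statement】: I am a beginner at cracking, doing this only out of interest and with no other purpose. Please point out any mistakes!
【Tools】: TRW2000 (娃娃 modified edition), Ollydbg1.09, PEiD, UnAspacka, GUW32, W32Dasm 9.0 Platinum edition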
—————————————————————————————————
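【Process】:
After installation the main file is placed in the C:\WINDOWS\SYSTEM\ directory. sgame.exe is not packed and was written in VC++ 6.0.
Heh, the program is fairly simple; only the "perfect patch" took a bit of thought to work out.
Machine code: 33050A7B
Trial code: 13572468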
—————————————————————————————————
* Reference To: MFC42.Ordinal:18BE, Ord:18BEh
|
:00404986 E863610000 Call 0040AAEE
:0040498B 51 push ecx
:0040498C 8D8664010000 lea eax, dword ptr [esi+00000164]
:00404992 8BCC mov ecx, esp
:00404994 89642408 mov dword ptr [esp+08], esp
:00404998 50 push eax
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00404999 E8E6610000 Call 0040AB84
:0040499E B9141D4100 mov ecx, 00411D14
:004049A3 E868FCFFFF call 00404610
====>Key CALL! Step in!
:004049A8 85C0 test eax, eax
:004049AA 741D je 004049C9
====>If this jump is taken, it's OVER!
:004049AC 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"提示信息"
|
:004049AE 6898104100 push 00411098
* Possible StringData Ref from Data Obj ->"注册成功!"
====>Heh, the goddess of victory!
:004049B3 689C144100 push 0041149C
:004049B8 8BCE mov ecx, esi
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004049BA E853610000 Call 0040AB12
:004049BF 8BCE mov ecx, esi
* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
|
:004049C1 E852610000 Call 0040AB18
:004049C6 5E pop esi
:004049C7 59 pop ecx
:004049C8 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049AA(C)
|
:004049C9 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"提示信息"
|
:004049CB 6898104100 push 00411098
* Possible StringData Ref from Data Obj ->"注册失败: 注册码不正确,请检查是否输入有误。"
====>BAD BOY!
:004049D0 686C144100 push 0041146C
:004049D5 8BCE mov ecx, esi
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004049D7 E836610000 Call 0040AB12
:004049DC 5E pop esi
:004049DD 59 pop ecx
:004049DE C3 ret
—————————————————————————————————
Stepping into the key CALL: 004049A3 call 00404610
* Referenced by a CALL at Address:
|:004049A3
|
:00404610 6AFF push FFFFFFFF
:00404612 68D8B84000 push 0040B8D8
:00404617 64A100000000 mov eax, dword ptr fs:[00000000]
:0040461D 50 push eax
:0040461E 64892500000000 mov dword ptr fs:[00000000], esp
:00404625 51 push ecx
:00404626 53 push ebx
:00404627 8D442404 lea eax, dword ptr [esp+04]
:0040462B C744241000000000 mov [esp+10], 00000000
:00404633 50 push eax
:00404634 E827FDFFFF call 00404360
====>Algorithm CALL! Step in!
:00404639 8B00 mov eax, dword ptr [eax]
====>EAX=231C6021 registration code
:0040463B 8B4C2418 mov ecx, dword ptr [esp+18]
====>ECX=13572468 trial code
:0040463F 50 push eax
:00404640 51 push ecx
* Reference To: MSVCRT._mbscmp, Ord:0159h
|
:00404641 FF15A8D34000 Call dword ptr [0040D3A8]
====>Comparison CALL!
:00404647 83C408 add esp, 00000008
:0040464A 8D4C2404 lea ecx, dword ptr [esp+04]
:0040464E 85C0 test eax, eax
====>Patch point ①
:00404650 0F94C3 sete bl
====>Sets the value of BL
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00404653 E860640000 Call 0040AAB8
:00404658 84DB test bl, bl
:0040465A 5B pop ebx
:0040465B 743C je 00404699
====>If this jump is taken, it's OVER!
:0040465D 8B542414 mov edx, dword ptr [esp+14]
====>Patch point ②
:00404661 52 push edx
* Possible StringData Ref from Data Obj ->"RegisterCode"
|
:00404662 685C144100 push 0041145C
* Possible StringData Ref from Data Obj ->"TrueThink"
|
:00404667 6858114100 push 00411158
* Reference To: KERNEL32.WriteProfileStringA, Ord:02EDh
|
:0040466C FF1570D04000 Call dword ptr [0040D070]
====>Saves the registration info!
:00404672 8D4C2414 lea ecx, dword ptr [esp+14]
:00404676 C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040467E E835640000 Call 0040AAB8
:00404683 B801000000 mov eax, 00000001
====>Set to 1 means OK!
:00404688 8B4C2404 mov ecx, dword ptr [esp+04]
:0040468C 64890D00000000 mov dword ptr fs:[00000000], ecx
:00404693 83C410 add esp, 00000010
:00404696 C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040465B(C)
|
:00404699 8D4C2414 lea ecx, dword ptr [esp+14]
:0040469D C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004046A5 E80E640000 Call 0040AAB8
:004046AA 8B4C2404 mov ecx, dword ptr [esp+04]
:004046AE 33C0 xor eax, eax
====>Cleared to 0 means OVER!
:004046B0 64890D00000000 mov dword ptr fs:[00000000], ecx
:004046B7 83C410 add esp, 00000010
:004046BA C20400 ret 0004
—————————————————————————————————
Stepping into the algorithm CALL: 00404634 call 00404360, which leads to the code below
* Possible StringData Ref from Data Obj ->"c:\"
|
:00404389 6858144100 push 00411458
:0040438E 895C2434 mov dword ptr [esp+34], ebx
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
|
:00404392 FF1534D04000 Call dword ptr [0040D034]
====>Gets the hard disk serial number (volume serial of c:\)
:00404398 8B44240C mov eax, dword ptr [esp+0C]
====>EAX=[esp+0C]=211C1E09
:0040439C 8D4C2408 lea ecx, dword ptr [esp+08]
:004043A0 3515360002 xor eax, 02003615
====>EAX=211C1E09 XOR 02003615=231C281C
:004043A5 8944240C mov dword ptr [esp+0C], eax
* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:004043A9 E81C670000 Call 0040AACA
:004043AE 8B4C240C mov ecx, dword ptr [esp+0C]
:004043B2 8D542408 lea edx, dword ptr [esp+08]
:004043B6 51 push ecx
* Possible StringData Ref from Data Obj ->"%X"
|
:004043B7 6854144100 push 00411454
:004043BC 52 push edx
:004043BD C744242C01000000 mov [esp+2C], 00000001
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:004043C5 E856680000 Call 0040AC20
:004043CA 8B4C2414 mov ecx, dword ptr [esp+14]
:004043CE 8B442418 mov eax, dword ptr [esp+18]
:004043D2 83C40C add esp, 0000000C
:004043D5 89442410 mov dword ptr [esp+10], eax
====>[esp+10]=EAX=231C281C
:004043D9 8B71F8 mov esi, dword ptr [ecx-08]
====>ESI=8, the length of 231C281C
:004043DC 3BF3 cmp esi, ebx
:004043DE 7E4C jle 0040442C
:004043E0 55 push ebp
:004043E1 57 push edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404428(C)
|
:004043E2 8BC3 mov eax, ebx
:004043E4 B906000000 mov ecx, 00000006
:004043E9 99 cdq
:004043EA F7F9 idiv ecx
:004043EC 8B442410 mov eax, dword ptr [esp+10]
====>EAX=[esp+10]=231C281C
:004043F0 8A0C03 mov cl, byte ptr [ebx+eax]
====>Takes the HEX value of each character of 231C281C in turn
:004043F3 8AC3 mov al, bl
====>AL=BL
:004043F5 83C202 add edx, 00000002
:004043F8 FEC0 inc al
====>Increment AL by 1
:004043FA F6E9 imul cl
1. ====>AL=01 * 32=32
2. ====>AL=02 * 33=66
3. ====>AL=03 * 31=93
4. ====>AL=04 * 43=0C
5. ====>AL=05 * 32=FA
6. ====>AL=06 * 38=50
7. ====>AL=07 * 31=57
8. ====>AL=08 * 43=18
:004043FC 84C0 test al, al
:004043FE 7D02 jge 00404402
:00404400 F6D8 neg al
3. ====>AL=93 NEG=6D
5. ====>AL=FA NEG=06
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004043FE(C)
|
:00404402 0FBEC0 movsx eax, al
====>EAX=AL
:00404405 8ACA mov cl, dl
====>CL=DL
:00404407 8BF8 mov edi, eax
====>EDI=EAX
:00404409 FEC9 dec cl
====>Decrement CL by 1
:0040440B 8BE8 mov ebp, eax
====>EBP=EAX
:0040440D D3FF sar edi, cl
1. ====>EDI=00000032 SAR 01=00000019
2. ====>EDI=00000066 SAR 02=00000019
3. ====>EDI=0000006D SAR 03=0000000D
4. ====>EDI=0000000C SAR 04=00000000
5. ====>EDI=00000006 SAR 05=00000000
6. ====>EDI=00000050 SAR 06=00000001
7. ====>EDI=00000057 SAR 01=0000002B
8. ====>EDI=00000018 SAR 02=00000006
:0040440F 8ACA mov cl, dl
====>CL=DL
:00404411 D3FD sar ebp, cl
1. ====>EBP=00000032 SAR 02=0000000C
2. ====>EBP=00000066 SAR 03=0000000C
3. ====>EBP=0000006D SAR 04=00000006
4. ====>EBP=0000000C SAR 05=00000000
5. ====>EBP=00000006 SAR 06=00000000
6. ====>EBP=00000050 SAR 07=00000000
7. ====>EBP=00000057 SAR 02=00000015
8. ====>EBP=00000018 SAR 03=00000003
:00404413 8BCA mov ecx, edx
:00404415 8B542418 mov edx, dword ptr [esp+18]
:00404419 D3E0 shl eax, cl
1. ====>EAX=00000032 SHL 02=000000C8
2. ====>EAX=00000066 SHL 03=00000330
3. ====>EAX=0000006D SHL 04=000006D0
4. ====>EAX=0000000C SHL 05=00000180
5. ====>EAX=00000006 SHL 06=00000180
6. ====>EAX=00000050 SHL 07=00002800
7. ====>EAX=00000057 SHL 02=0000015C
8. ====>EAX=00000018 SHL 03=000000C0
:0040441B 33FD xor edi, ebp
1. ====>EDI=00000019 XOR 0000000C=00000015
2. ====>EDI=00000019 XOR 0000000C=00000015
3. ====>EDI=0000000D XOR 00000006=0000000B
4. ====>EDI=00000000 XOR 00000000=00000000
5. ====>EDI=00000000 XOR 00000000=00000000
6. ====>EDI=00000001 XOR 00000000=00000001
7. ====>EDI=0000002B XOR 00000015=0000003E
8. ====>EDI=00000006 XOR 00000003=00000005
:0040441D 33F8 xor edi, eax
1. ====>EDI=00000015 XOR 000000C8=000000DD
2. ====>EDI=00000015 XOR 00000330=00000325
3. ====>EDI=0000000B XOR 000006D0=000006DB
4. ====>EDI=00000000 XOR 00000180=00000180
5. ====>EDI=00000000 XOR 00000180=00000180
6. ====>EDI=00000001 XOR 00002800=00002801
7. ====>EDI=0000003E XOR 0000015C=00000162
8. ====>EDI=00000005 XOR 000000C0=000000C5
:0040441F 03D7 add edx, edi
1. ====>EDX=231C281C ADD 000000DD=231C28F9
2. ====>EDX=231C28F9 ADD 00000325=231C2C1E
3. ====>EDX=231C2C1E ADD 000006DB=231C32F9
4. ====>EDX=231C32F9 ADD 00000180=231C3479
5. ====>EDX=231C3479 ADD 00000180=231C35F9
6. ====>EDX=231C35F9 ADD 00002801=231C5DFA
7. ====>EDX=231C5DFA ADD 00000162=231C5F5C
8. ====>EDX=231C5F5C ADD 000000C5=231C6021
Heh, done: the result of the loop, 231C6021, is my registration code!
:00404421 43 inc ebx
:00404422 3BDE cmp ebx, esi
:00404424 89542418 mov dword ptr [esp+18], edx
====>[esp+18]=EDX
:00404428 7CB8 jl 004043E2
====>Continue looping?!
:0040442A 5F pop edi
:0040442B 5D pop ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004043DE(C)
|
:0040442C 8B4C2410 mov ecx, dword ptr [esp+10]
====>ECX=231C6021
:00404430 8D542408 lea edx, dword ptr [esp+08]
:00404434 51 push ecx
* Possible StringData Ref from Data Obj ->"%X"
|
:00404435 6854144100 push 00411454
:0040443A 52 push edx
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:0040443B E8E0670000 Call 0040AC20
:00404440 83C40C add esp, 0000000C
:00404443 8D4C2408 lea ecx, dword ptr [esp+08]
* Reference To: MFC42.Ordinal:106C, Ord:106Ch
|
:00404447 E8E6670000 Call 0040AC32
:0040444C 8D4C2408 lea ecx, dword ptr [esp+08]
* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:00404450 E8CF660000 Call 0040AB24
:00404455 8D4C2408 lea ecx, dword ptr [esp+08]
* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:00404459 E8C0660000 Call 0040AB1E
:0040445E 8B742428 mov esi, dword ptr [esp+28]
:00404462 8D442408 lea eax, dword ptr [esp+08]
:00404466 50 push eax
:00404467 8BCE mov ecx, esi
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00404469 E816670000 Call 0040AB84
:0040446E C744241401000000 mov [esp+14], 00000001
:00404476 8D4C2408 lea ecx, dword ptr [esp+08]
:0040447A C644242000 mov [esp+20], 00
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040447F E834660000 Call 0040AAB8
:00404484 8B4C2418 mov ecx, dword ptr [esp+18]
:00404488 8BC6 mov eax, esi
:0040448A 5E pop esi
:0040448B 5B pop ebx
:0040448C 64890D00000000 mov dword ptr fs:[00000000], ecx
:00404493 83C41C add esp, 0000001C
:00404496 C20400 ret 0004
—————————————————————————————————
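【Perfect patch】:
1. 0040464E 85C0 test eax, eax
Change to: 33C0 xor eax, eax
Heh, this makes it set the BL value at 404650 “correctly”!
2. 0040465D 8B542414 mov edx, dword ptr [esp+14]
Change to: 8B142490 mov edx, dword ptr [esp] (padded with one NOP)
Heh, this makes the program save the real registration code, so the program displays the real code by itself; in effect the program itself is turned into a keygen!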
—————————————————————————————————
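【KeyMake {63th} in-memory keygen】:
Breakpoint address: 0040463F
Break count: 1
First byte: 50
Instruction length: 1
Memory mode: EAX
Note: Put the in-memory keygen in the C:\WINDOWS\SYSTEM directory, then use a process-killing tool to stop the C:\WINDOWS\SYSTEM\sgame.exe process! Then run the in-memory keygen, press the hotkey to activate 创想游戏控制软件, enter any trial code, and after you confirm, the correct registration code pops up!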
—————————————————————————————————
【Where the registration info is saved】:
In Win.ini under C:\WINDOWS:
[TrueThink]
Password=C7
RegisterCode=231C6021
—————————————————————————————————
【Summary】:
Machine code: 33050A7B
Registration code: 231C6021
—————————————————————————————————
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-4-17 15:55
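Subject: Keygen
From: HMILYBCG
Time: 2003/04/19 10:58pm
Details:
When I wrote this keygen, it felt as though it had nothing to do with the machine code the software itself shows; I hope everyone can help test it.
This forum does not allow keygens to be uploaded; anyone who needs it can e-mail me. gyyxll@21cn.com
Also: many thanks to ikki for the explanation. Heh, my assembly skills are not up to scratch!!!
Earlier I posted a thread asking how to do neg in C, and 看雪 also said to use inline assembly. I had never tried that; today I debugged for ages and finally got it written.
My first time writing a keygen with inline assembly!!! Heh, let me be happy about it for a moment!!!
Keygen source: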
String code_1;
// Uses the machine code taken from C:\; the part that reads the machine code is not posted here
Ma_1=IntToHex(StrToInt64(Ma)^0x2003615,1);
Ma_2=Ma^0x2003615;
int a,b=1,c,d=1,e=2;a=Ma_1.Length();
long reg1=0,reg2=0,reg3=0,reg4=0,reg5=0,reg6=0;
while(b<=a)
{
reg1=Ma_1[b];
__asm mov eax,reg1;
__asm mov ecx,b;
__asm imul cl;
__asm test al,al;
__asm jge st0;
__asm neg al;
st0:
__asm movsx eax,al
__asm mov c,eax;
if(d==7) d=1;
reg2=c>>d;
if(e==8) e=2;
reg3=c>>e;
reg4=c<<e;
reg5=reg2^reg3;
reg6=reg5^reg4;
Ma_2+=reg6;
code_1=IntToHex(int(Ma_2),1);b++;d++;e++;
}
CEdit->Text=code_1;