龙文输入通 2.0 破解过程 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → 龙文输入通 2.0 破解过程

龙文输入通 2.0 破解过程 时间：2004/10/15 0:55:00来源：本站整理作者：蓝点我要评论(0)

　本文参照了Maomao[CCG]的1.34版文章

破解工具：TRW
打开软件注册窗口,填入注册码.并下断点"bpx hmemcpy".就因为这个断点我才用的TRW.谁让它在XP下不能用呢.确定后软件被中断.按F12返回几次.来到这里

* Reference To: USER32.GetWindowTextA, Ord:015Eh
|
:100232EB FF1598E30310 Call dword ptr [1003E398] ;<==返回处
:100232F1 8B1594960410 mov edx, dword ptr [10049694]
以下无事.往下走啊走.
:10023379 8D4C2424 lea ecx, dword ptr [esp+24]
:1002337D 51 push ecx
:1002337E E88DF9FFFF call 10022D10 ;<==这里就是注册码的判断处了
:10023383 8D542410 lea edx, dword ptr [esp+10]
:10023387 A336B30410 mov dword ptr [1004B336], eax
:1002338C 52 push edx
:1002338D 6802000080 push 80000002
:10023392 E8F9F2FEFF call 10012690
:10023397 85C0 test eax, eax
:10023399 7415 je 100233B0
:1002339B 8D442410 lea eax, dword ptr [esp+10]
:1002339F 50 push eax
进入子进程10022D10,一直往下走.

:10022DA2 8A03 mov al, byte ptr [ebx] ;输入的注册码
:10022DA4 8A4B06 mov cl, byte ptr [ebx+06]
:10022DA7 884306 mov byte ptr [ebx+06], al
:10022DAA 33C0 xor eax, eax
:10022DAC 880B mov byte ptr [ebx], cl ;第一组第一位与第二组第一位互换
:10022DAE 668B4500 mov ax, word ptr [ebp+00] ;机器码
:10022DB2 C1E005 shl eax, 05 ;第一组乘32
:10022DB5 89442410 mov dword ptr [esp+10], eax
:10022DB9 66894500 mov word ptr [ebp+00], ax
:10022DBD 33C0 xor eax, eax
:10022DBF 89B42480000000 mov dword ptr [esp+00000080], esi
:10022DC6 668B4502 mov ax, word ptr [ebp+02] ;第二组
:10022DCA 8D04C0 lea eax, dword ptr [eax+8*eax];乘36
:10022DCD C1E002 shl eax, 02
:10022DD0 89442410 mov dword ptr [esp+10], eax
:10022DD4 66894502 mov word ptr [ebp+02], ax
:10022DD8 33C0 xor eax, eax
:10022DDA 668B4504 mov ax, word ptr [ebp+04] ;第三组
:10022DDE 8D0CC500000000 lea ecx, dword ptr [8*eax+00000000]
:10022DE5 2BC8 sub ecx, eax
:10022DE7 8D0489 lea eax, dword ptr [ecx+4*ecx];乘以35
:10022DEA 33C9 xor ecx, ecx
:10022DEC 89442410 mov dword ptr [esp+10], eax
:10022DF0 66894504 mov word ptr [ebp+04], ax
:10022DF4 8A4308 mov al, byte ptr [ebx+08] ;注册码变换
:10022DF7 8A531B mov dl, byte ptr [ebx+1B] ;5-4 <==> 3-4
:10022DFA 885308 mov byte ptr [ebx+08], dl
:10022DFD 88431B mov byte ptr [ebx+1B], al
:10022E00 668B4D06 mov cx, word ptr [ebp+06] ;第四组
:10022E04 8BC1 mov eax, ecx
:10022E06 C1E004 shl eax, 04
:10022E09 03C1 add eax, ecx
:10022E0B D1E0 shl eax, 1 ;乘以34
:10022E0D 89442410 mov dword ptr [esp+10], eax
:10022E11 66894506 mov word ptr [ebp+06], ax
:10022E15 33C0 xor eax, eax
:10022E17 668B4508 mov ax, word ptr [ebp+08] ;第五组
:10022E1B 8D0C80 lea ecx, dword ptr [eax+4*eax]
:10022E1E C1E103 shl ecx, 03
:10022E21 2BC8 sub ecx, eax ;乘以39
:10022E23 33C0 xor eax, eax
:10022E25 894C2410 mov dword ptr [esp+10], ecx
:10022E29 668B450A mov ax, word ptr [ebp+0A] ;第六组
:10022E2D 66894D08 mov word ptr [ebp+08], cx
:10022E31 8D0CC0 lea ecx, dword ptr [eax+8*eax]
:10022E34 8D0488 lea eax, dword ptr [eax+4*ecx];乘以37
:10022E37 89442410 mov dword ptr [esp+10], eax
:10022E3B 6689450A mov word ptr [ebp+0A], ax
:10022E3F 8A430D mov al, byte ptr [ebx+0D] ;注册码变换
:10022E42 8A5317 mov dl, byte ptr [ebx+17] ;2-4 <==> 6-3
:10022E45 8844242C mov byte ptr [esp+2C], al
:10022E49 884317 mov byte ptr [ebx+17], al
:10022E4C 33C0 xor eax, eax
:10022E4E 88530D mov byte ptr [ebx+0D], dl
:10022E51 668B4500 mov ax, word ptr [ebp+00]
:10022E55 8BC8 mov ecx, eax
:10022E57 33C0 xor eax, eax
:10022E59 668B450A mov ax, word ptr [ebp+0A] ;第六组乘以33+第一组乘以2
:10022E5D 8BD0 mov edx, eax
:10022E5F C1E205 shl edx, 05
:10022E62 03D0 add edx, eax
:10022E64 8D044A lea eax, dword ptr [edx+2*ecx]
:10022E67 89442410 mov dword ptr [esp+10], eax
:10022E6B 6689450A mov word ptr [ebp+0A], ax
:10022E6F 33C0 xor eax, eax
:10022E71 33C9 xor ecx, ecx
:10022E73 668B4504 mov ax, word ptr [ebp+04] ;第五组+第三组乘以2
:10022E77 668B4D08 mov cx, word ptr [ebp+08]
:10022E7B 8D0441 lea eax, dword ptr [ecx+2*eax]
:10022E7E 89442410 mov dword ptr [esp+10], eax
:10022E82 66894508 mov word ptr [ebp+08], ax

至此注册码生成.下边是注册码的比较处
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10023151(C)
|
:1002313D 33C0 xor eax, eax
:1002313F 668B01 mov ax, word ptr [ecx]
:10023142 83C102 add ecx, 00000002
:10023145 83C034 add eax, 00000034
:10023148 4A dec edx
:10023149 89442410 mov dword ptr [esp+10], eax
:1002314D 668941FE mov word ptr [ecx-02], ax
:10023151 75EA jne 1002313D
:10023153 B909000000 mov ecx, 00000009
:10023158 8BFB mov edi, ebx ;输入的注册码
:1002315A 8D742454 lea esi, dword ptr [esp+54] ;生成的注册码
:1002315E 33D2 xor edx, edx
:10023160 F3 repz
:10023161 A6 cmpsb ;<==比较第一组和第二组
:10023162 7424 je 10023188 ;一定要跳的噢

...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1002322D(C)
|
:100231B4 33C0 xor eax, eax
:100231B6 668B4500 mov ax, word ptr [ebp+00]
:100231BA 0500100000 add eax, 00001000
:100231BF 83FE02 cmp esi, 00000002 ;从第三组开始比较
:100231C2 89442410 mov dword ptr [esp+10], eax
:100231C6 66894500 mov word ptr [ebp+00], ax
:100231CA 7D15 jge 100231E1
:100231CC 8B542410 mov edx, dword ptr [esp+10]
:100231D0 81E2FFFF0000 and edx, 0000FFFF
:100231D6 0FAFD6 imul edx, esi
:100231D9 D1E2 shl edx, 1
:100231DB 89542410 mov dword ptr [esp+10], edx
:100231DF EB42 jmp 10023223

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100231CA(C)
|
:100231E1 8B03 mov eax, dword ptr [ebx]
:100231E3 8D4C2410 lea ecx, dword ptr [esp+10]
:100231E7 51 push ecx
:100231E8 8D542428 lea edx, dword ptr [esp+28]

* Possible StringData Ref from Data Obj ->"%lx"
|
:100231EC 68FC070410 push 100407FC
:100231F1 52 push edx
:100231F2 C644243400 mov [esp+34], 00
:100231F7 89442430 mov dword ptr [esp+30], eax
:100231FB FFD7 call edi
:100231FD 8B44241C mov eax, dword ptr [esp+1C]
:10023201 8B0D80950410 mov ecx, dword ptr [10049580]
:10023207 03C1 add eax, ecx
:10023209 33D2 xor edx, edx
:1002320B 25FFFF0000 and eax, 0000FFFF
:10023210 83C40C add esp, 0000000C
:10023213 89442410 mov dword ptr [esp+10], eax
:10023217 668B5500 mov dx, word ptr [ebp+00]
:1002321B 3BC2 cmp eax, edx ;edx中为正确的注册码值+1234H,edx-1234h就可以得到注册码
:1002321D 0F8541FFFFFF jne 10023164 ;一条死,九筒和.:)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100231DF(U)
|
:10023223 46 inc esi
:10023224 83C305 add ebx, 00000005
:10023227 83C502 add ebp, 00000002
:1002322A 83FE06 cmp esi, 00000006
:1002322D 7C85 jl 100231B4 ;未比较完转回
:1002322F 8B15F0630410 mov edx, dword ptr [100463F0]
:10023235 8B4C2414 mov ecx, dword ptr [esp+14]
:10023239 51 push ecx
:1002323A C7421801000000 mov [edx+18], 00000001
:10023241 A1F0630410 mov eax, dword ptr [100463F0]
:10023246 66C74050BC00 mov [eax+50], 00BC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10023125(U)
|

* Reference To: KERNEL32.HeapDestroy, Ord:019Dh
|
:1002324C FF1598E10310 Call dword ptr [1003E198]
:10023252 5F pop edi
:10023253 5E pop esi
:10023254 5D pop ebp
:10023255 B801000000 mov eax, 00000001
:1002325A 5B pop ebx
:1002325B 83C468 add esp, 00000068
:1002325E C20C00 ret 000C

算法如下:
机器码六组.注册码六组.
KeyCode1=UserID1*32
KeyCode2=UserID2*36
KeyCode3=UserID3*35
KeyCode4=UserID4*34
KeyCode5=UserID5*39+UserID3*35*2
KeyCode6=UserID6*37*33+UserID1*32*2
最后进行变换操作.
第一组的第一位与第二组的第二位互换,第三组的第四位与第五组的第四位互换,第二组的第四位与第六组的第三位互换.

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法