
Simple Algorithm: 控制测量坐标换算 (Control Survey Coordinate Conversion)

Date: 2004/10/15 0:55:00  Source: compiled by this site  Author: 蓝点

 

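Download page: http://tongtian.net/pediy/usr/19/19_1835.rar
Software size: 58K
Developer: http://www.smwuce.com

[Software description]: A professional interpretation system for geophysical prospecting. Easy to use and powerful, it is a good assistant for geophysical interpretation work.

[Software restriction]: 30 trial uses

[Author's statement]: I am new to cracking and am doing this only out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!

[Tools]: TRW2000 (娃娃 modified edition), Ollydbg1.09, FI2.5, W32Dasm 10 (modified edition)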

—————————————————————————————————
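[Process]:


About the Softsentry shell:

It can set a usage time limit, a usage count limit and a usage date limit, add a password to the software, and so on. It is powerful and a very good protection tool for making demo versions of software. The protected software can issue a different registration code for each computer, so it is also an excellent tool for making trial software.


Heh, at first I saw from the description above that it was a VB thing, so I did not download it. ^-^ ^-^ Later I saw posts from a few friends, and it looked as if it was packed with the Softsentry 3.0 shell. I downloaded it and analysed it, and it is indeed packed with this shell! Only some parameters have changed. In fact the protection of this kind of shell is not strong; once the shell is removed there are no restrictions.


System ID:95065
Name: fly (heh, the name and company name do not take part in the calculation, so anything can be entered)
Company: 【OCN】
Trial code: 1357246890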

—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004219F6(C)
|
:00421A1B 8D542454 lea edx, dword ptr [esp+54]
:00421A1F 6A32 push 00000032
:00421A21 52 push edx
:00421A22 6801100000 push 00001001
:00421A27 51 push ecx
:00421A28 FF15ECE14200 call dword ptr [0042E1EC]
:00421A2E 8D7C2454 lea edi, dword ptr [esp+54]
====>EDI=[esp+54]=1357246890

:00421A32 83C9FF or ecx, FFFFFFFF
:00421A35 8944241C mov dword ptr [esp+1C], eax
:00421A39 33C0 xor eax, eax
:00421A3B F2 repnz
:00421A3C AE scasb
:00421A3D F7D1 not ecx
:00421A3F 2BF9 sub edi, ecx
:00421A41 8D942488000000 lea edx, dword ptr [esp+00000088]
:00421A48 8BC1 mov eax, ecx
:00421A4A 8BF7 mov esi, edi
:00421A4C 8BFA mov edi, edx
:00421A4E C744241000000000 mov [esp+10], 00000000
:00421A56 C1E902 shr ecx, 02
:00421A59 F3 repz
:00421A5A A5 movsd
:00421A5B 8BC8 mov ecx, eax
:00421A5D 83E103 and ecx, 00000003
:00421A60 66833DCEDB420000 cmp word ptr [0042DBCE], 0000
:00421A68 F3 repz
:00421A69 A4 movsb
:00421A6A 0F8E15040000 jle 00421E85

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E7D(C)
|
:00421A70 8D7C2454 lea edi, dword ptr [esp+54]
:00421A74 83C9FF or ecx, FFFFFFFF
:00421A77 33C0 xor eax, eax
:00421A79 8D542420 lea edx, dword ptr [esp+20]
:00421A7D F2 repnz
:00421A7E AE scasb
:00421A7F F7D1 not ecx
:00421A81 2BF9 sub edi, ecx
:00421A83 C744241400000000 mov [esp+14], 00000000
:00421A8B 8BC1 mov eax, ecx
:00421A8D 8BF7 mov esi, edi
:00421A8F 8BFA mov edi, edx
:00421A91 C1E902 shr ecx, 02
:00421A94 F3 repz
:00421A95 A5 movsd
:00421A96 8BC8 mov ecx, eax
:00421A98 0FBF442410 movsx eax, word ptr [esp+10]
:00421A9D 83E103 and ecx, 00000003
:00421AA0 F3 repz
:00421AA1 A4 movsb
:00421AA2 8B0DECDB4200 mov ecx, dword ptr [0042DBEC]
:00421AA8 C1E006 shl eax, 06
:00421AAB 8D3C08 lea edi, dword ptr [eax+ecx]
:00421AAE 668B0408 mov ax, word ptr [eax+ecx]
:00421AB2 66A354DC4200 mov word ptr [0042DC54], ax
:00421AB8 8B5F08 mov ebx, dword ptr [edi+08]
:00421ABB 891DE4DB4200 mov dword ptr [0042DBE4], ebx
:00421AC1 8B570C mov edx, dword ptr [edi+0C]
:00421AC4 8915F4DB4200 mov dword ptr [0042DBF4], edx
:00421ACA 8B4F10 mov ecx, dword ptr [edi+10]
:00421ACD 890DD4DB4200 mov dword ptr [0042DBD4], ecx
:00421AD3 668B5714 mov dx, word ptr [edi+14]
:00421AD7 663D0100 cmp ax, 0001
:00421ADB 668915FADB4200 mov word ptr [0042DBFA], dx
:00421AE2 740A je 00421AEE
:00421AE4 663D0200 cmp ax, 0002
:00421AE8 0F8512010000 jne 00421C00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421AE2(C)
|
:00421AEE 8B6F20 mov ebp, dword ptr [edi+20]
====>EBP=[edi+20]=qmx  Heh, this is string_1!

:00421AF1 BE78A14200 mov esi, 0042A178
:00421AF6 8BC5 mov eax, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B16(C)
|
:00421AF8 8A10 mov dl, byte ptr [eax]
:00421AFA 8ACA mov cl, dl
:00421AFC 3A16 cmp dl, byte ptr [esi]
:00421AFE 751C jne 00421B1C
:00421B00 84C9 test cl, cl
:00421B02 7414 je 00421B18
:00421B04 8A5001 mov dl, byte ptr [eax+01]
:00421B07 8ACA mov cl, dl
:00421B09 3A5601 cmp dl, byte ptr [esi+01]
:00421B0C 750E jne 00421B1C
:00421B0E 83C002 add eax, 00000002
:00421B11 83C602 add esi, 00000002
:00421B14 84C9 test cl, cl
:00421B16 75E0 jne 00421AF8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B02(C)
|
:00421B18 33C0 xor eax, eax
:00421B1A EB05 jmp 00421B21

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421AFE(C), :00421B0C(C)
|
:00421B1C 1BC0 sbb eax, eax
:00421B1E 83D8FF sbb eax, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B1A(U)
|
:00421B21 85C0 test eax, eax
:00421B23 750C jne 00421B31
:00421B25 A194DE4200 mov eax, dword ptr [0042DE94]
:00421B2A A300DC4200 mov dword ptr [0042DC00], eax
:00421B2F EB46 jmp 00421B77

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B23(C)
|
:00421B31 BE6CA14200 mov esi, 0042A16C
:00421B36 8BC5 mov eax, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B56(C)
|
:00421B38 8A10 mov dl, byte ptr [eax]
:00421B3A 8ACA mov cl, dl
:00421B3C 3A16 cmp dl, byte ptr [esi]
:00421B3E 751C jne 00421B5C
:00421B40 84C9 test cl, cl
:00421B42 7414 je 00421B58
:00421B44 8A5001 mov dl, byte ptr [eax+01]
:00421B47 8ACA mov cl, dl
:00421B49 3A5601 cmp dl, byte ptr [esi+01]
:00421B4C 750E jne 00421B5C
:00421B4E 83C002 add eax, 00000002
:00421B51 83C602 add esi, 00000002
:00421B54 84C9 test cl, cl
:00421B56 75E0 jne 00421B38

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B42(C)
|
:00421B58 33C0 xor eax, eax
:00421B5A EB05 jmp 00421B61

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421B3E(C), :00421B4C(C)
|
:00421B5C 1BC0 sbb eax, eax
:00421B5E 83D8FF sbb eax, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B5A(U)
|
:00421B61 85C0 test eax, eax
:00421B63 750C jne 00421B71
:00421B65 A198DE4200 mov eax, dword ptr [0042DE98]
:00421B6A A300DC4200 mov dword ptr [0042DC00], eax
:00421B6F EB06 jmp 00421B77

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B63(C)
|
:00421B71 892D00DC4200 mov dword ptr [0042DC00], ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421B2F(U), :00421B6F(U)
|
:00421B77 8B6F24 mov ebp, dword ptr [edi+24]
====>EBP=[edi+24]=7904  Heh, supplied by the program itself!

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Value in memory at [0054027B]: supplied by the program itself?!

0054027B 71 6D 78 00 77 74 00 64 00 71 6D 78 00 37 39 30 qmx.wt.d.qmx.790
0054028B 34 00 02 00 1E 00 1E 00 D0 02 00 00 00 C4 E3 B5 4....?...你
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00421B7A BE78A14200 mov esi, 0042A178
:00421B7F 8BC5 mov eax, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B9F(C)
|
:00421B81 8A10 mov dl, byte ptr [eax]
:00421B83 8ACA mov cl, dl
:00421B85 3A16 cmp dl, byte ptr [esi]
:00421B87 751C jne 00421BA5
:00421B89 84C9 test cl, cl
:00421B8B 7414 je 00421BA1
:00421B8D 8A5001 mov dl, byte ptr [eax+01]
:00421B90 8ACA mov cl, dl
:00421B92 3A5601 cmp dl, byte ptr [esi+01]
:00421B95 750E jne 00421BA5
:00421B97 83C002 add eax, 00000002
:00421B9A 83C602 add esi, 00000002
:00421B9D 84C9 test cl, cl
:00421B9F 75E0 jne 00421B81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B8B(C)
|
:00421BA1 33C0 xor eax, eax
:00421BA3 EB05 jmp 00421BAA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421B87(C), :00421B95(C)
|
:00421BA5 1BC0 sbb eax, eax
:00421BA7 83D8FF sbb eax, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BA3(U)
|
:00421BAA 85C0 test eax, eax
:00421BAC 750C jne 00421BBA
:00421BAE A194DE4200 mov eax, dword ptr [0042DE94]
:00421BB3 A3FCDB4200 mov dword ptr [0042DBFC], eax
:00421BB8 EB46 jmp 00421C00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BAC(C)
|
:00421BBA BE6CA14200 mov esi, 0042A16C
:00421BBF 8BC5 mov eax, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BDF(C)
|
:00421BC1 8A10 mov dl, byte ptr [eax]
:00421BC3 8ACA mov cl, dl
:00421BC5 3A16 cmp dl, byte ptr [esi]
:00421BC7 751C jne 00421BE5
:00421BC9 84C9 test cl, cl
:00421BCB 7414 je 00421BE1
:00421BCD 8A5001 mov dl, byte ptr [eax+01]
:00421BD0 8ACA mov cl, dl
:00421BD2 3A5601 cmp dl, byte ptr [esi+01]
:00421BD5 750E jne 00421BE5
:00421BD7 83C002 add eax, 00000002
:00421BDA 83C602 add esi, 00000002
:00421BDD 84C9 test cl, cl
:00421BDF 75E0 jne 00421BC1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BCB(C)
|
:00421BE1 33C0 xor eax, eax
:00421BE3 EB05 jmp 00421BEA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421BC7(C), :00421BD5(C)
|
:00421BE5 1BC0 sbb eax, eax
:00421BE7 83D8FF sbb eax, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BE3(U)
|
:00421BEA 85C0 test eax, eax
:00421BEC 750C jne 00421BFA
:00421BEE A198DE4200 mov eax, dword ptr [0042DE98]
:00421BF3 A3FCDB4200 mov dword ptr [0042DBFC], eax
:00421BF8 EB06 jmp 00421C00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BEC(C)
|
:00421BFA 892DFCDB4200 mov dword ptr [0042DBFC], ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421AE8(C), :00421BB8(U), :00421BF8(U)
|
:00421C00 66837F0400 cmp word ptr [edi+04], 0000
:00421C05 7558 jne 00421C5F
:00421C07 8D4C2420 lea ecx, dword ptr [esp+20]
:00421C0B E820F9FFFF call 00421530
:00421C10 A154DC4200 mov eax, dword ptr [0042DC54]
:00421C15 25FFFF0000 and eax, 0000FFFF
:00421C1A 7432 je 00421C4E
:00421C1C 85C0 test eax, eax
:00421C1E 7E39 jle 00421C59
:00421C20 83F802 cmp eax, 00000002
:00421C23 7F34 jg 00421C59
:00421C25 8B0DF4DB4200 mov ecx, dword ptr [0042DBF4]
:00421C2B E800F9FFFF call 00421530
:00421C30 8B0DD4DB4200 mov ecx, dword ptr [0042DBD4]
====>ECX=[0042DBD4]=wt  Heh, this is string_2!

:00421C36 E8F5F8FFFF call 00421530
:00421C3B 8B0D00DC4200 mov ecx, dword ptr [0042DC00]
:00421C41 E8EAF8FFFF call 00421530
:00421C46 8B0DFCDB4200 mov ecx, dword ptr [0042DBFC]
:00421C4C EB06 jmp 00421C54

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421C1A(C)
|
:00421C4E 8B0DE4DB4200 mov ecx, dword ptr [0042DBE4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421C4C(U)
|
:00421C54 E8D7F8FFFF call 00421530

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421C1E(C), :00421C23(C)
|
:00421C59 8B1DE4DB4200 mov ebx, dword ptr [0042DBE4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421C05(C)
|
:00421C5F A154DC4200 mov eax, dword ptr [0042DC54]
:00421C64 25FFFF0000 and eax, 0000FFFF
:00421C69 0F849B010000 je 00421E0A
:00421C6F 85C0 test eax, eax
:00421C71 0F8E1A020000 jle 00421E91
:00421C77 83F802 cmp eax, 00000002
:00421C7A 0F8F11020000 jg 00421E91
:00421C80 8B35F4DB4200 mov esi, dword ptr [0042DBF4]
:00421C86 83C9FF or ecx, FFFFFFFF
:00421C89 8BFE mov edi, esi
:00421C8B 33C0 xor eax, eax
:00421C8D F2 repnz
:00421C8E AE scasb
:00421C8F F7D1 not ecx
:00421C91 83C1FE add ecx, FFFFFFFE
:00421C94 6683F9FF cmp cx, FFFF
:00421C98 7422 je 00421CBC
:00421C9A 6685C9 test cx, cx
:00421C9D 7C17 jl 00421CB6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421CB4(C)
|
:00421C9F 0FBFC1 movsx eax, cx
:00421CA2 8A1430 mov dl, byte ptr [eax+esi]
1. ====>DL=78(H), i.e. x
2. ====>DL=6D(H), i.e. m
3. ====>DL=71(H), i.e. q

:00421CA5 80FA3F cmp dl, 3F
:00421CA8 7406 je 00421CB0
:00421CAA 3A540420 cmp dl, byte ptr [esp+eax+20]
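====>Checks whether the first 3 characters are qmx
1. ====>DL=78 [esp+eax+20]=35
i.e. the 3rd character of the registration code should be x

2. ====>DL=6D [esp+eax+20]=33
i.e. the 2nd character of the registration code should be m

3. ====>DL=71 [esp+eax+20]=31
i.e. the 1st character of the registration code should be q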


:00421CAE 7506 jne 00421CB6
====>If they differ, it jumps and it is OVER! You can issue R FL Z to change the jump

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421CA8(C)
|
:00421CB0 49 dec ecx
:00421CB1 6685C9 test cx, cx
:00421CB4 7DE9 jge 00421C9F
====>Loops 3 times

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421C9D(C), :00421CAE(C)
|
:00421CB6 6683F9FF cmp cx, FFFF
:00421CBA 7508 jne 00421CC4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421C98(C)
|
:00421CBC C744241401000000 mov [esp+14], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421CBA(C)
|
:00421CC4 8B3DD4DB4200 mov edi, dword ptr [0042DBD4]
:00421CCA 83C9FF or ecx, FFFFFFFF
:00421CCD 33C0 xor eax, eax
:00421CCF F2 repnz
:00421CD0 AE scasb
:00421CD1 F7D1 not ecx
:00421CD3 49 dec ecx
:00421CD4 8D7C2420 lea edi, dword ptr [esp+20]
:00421CD8 8BE9 mov ebp, ecx
:00421CDA 83C9FF or ecx, FFFFFFFF
:00421CDD F2 repnz
:00421CDE AE scasb
:00421CDF F7D1 not ecx
:00421CE1 49 dec ecx
:00421CE2 2BCD sub ecx, ebp
:00421CE4 6685C9 test cx, cx
:00421CE7 7E32 jle 00421D1B
:00421CE9 33F6 xor esi, esi
:00421CEB 6685ED test bp, bp
:00421CEE 7E22 jle 00421D12

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D10(C)
|
:00421CF0 8B15D4DB4200 mov edx, dword ptr [0042DBD4]
====>EDX=[0042DBD4]=wt

:00421CF6 0FBFC6 movsx eax, si
:00421CF9 8A1410 mov dl, byte ptr [eax+edx]
1. ====>DL=77(H), i.e. w
2. ====>DL=74(H), i.e. t

:00421CFC 80FA3F cmp dl, 3F
:00421CFF 740B je 00421D0C
:00421D01 0FBFF9 movsx edi, cx
:00421D04 03F8 add edi, eax
:00421D06 3A543C20 cmp dl, byte ptr [esp+edi+20]
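1. ====>DL=77 [esp+edi+20]=39
i.e. the 1st character from the end of the registration code should be w

2. ====>DL=74 [esp+edi+20]=30
i.e. the 2nd character from the end of the registration code should be t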


:00421D0A 7506 jne 00421D12
====>If they differ, it jumps and it is OVER! You can issue R FL Z to change the jump

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421CFF(C)
|
:00421D0C 46 inc esi
:00421D0D 663BF5 cmp si, bp
:00421D10 7CDE jl 00421CF0
====>Loops 2 times

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421CEE(C), :00421D0A(C)
|
:00421D12 663BF5 cmp si, bp
:00421D15 7504 jne 00421D1B
:00421D17 FF442414 inc [esp+14]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421CE7(C), :00421D15(C)
|
:00421D1B 837C241402 cmp dword ptr [esp+14], 00000002
:00421D20 740A je 00421D2C
:00421D22 B8FEFFFFFF mov eax, FFFFFFFE
:00421D27 E941010000 jmp 00421E6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D20(C)
|
:00421D2C 8B3DF4DB4200 mov edi, dword ptr [0042DBF4]
:00421D32 83C9FF or ecx, FFFFFFFF
:00421D35 33C0 xor eax, eax
:00421D37 F2 repnz
:00421D38 AE scasb
:00421D39 8B3DD4DB4200 mov edi, dword ptr [0042DBD4]
:00421D3F F7D1 not ecx
:00421D41 49 dec ecx
:00421D42 8D740C20 lea esi, dword ptr [esp+ecx+20]
:00421D46 83C9FF or ecx, FFFFFFFF
:00421D49 F2 repnz
:00421D4A AE scasb
:00421D4B F7D1 not ecx
:00421D4D 49 dec ecx
:00421D4E 8BD6 mov edx, esi
:00421D50 2BD1 sub edx, ecx
:00421D52 8BFE mov edi, esi
:00421D54 83C9FF or ecx, FFFFFFFF
:00421D57 F2 repnz
:00421D58 AE scasb
:00421D59 F7D1 not ecx
:00421D5B 49 dec ecx
:00421D5C 88040A mov byte ptr [edx+ecx], al
:00421D5F 8BCE mov ecx, esi
====>ECX=ESI=72468, i.e. the trial code with characters 1, 2, 9 and 10 removed

:00421D61 E84A5B0000 call 004278B0
====>Checks whether the middle characters above are digits?

:00421D66 85C0 test eax, eax
:00421D68 750A jne 00421D74
====>If they are not digits, it does not jump and it is OVER!

:00421D6A B8FDFFFFFF mov eax, FFFFFFFD
:00421D6F E9F9000000 jmp 00421E6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D68(C)
|
:00421D74 BA64A14200 mov edx, 0042A164
====>EDX=0604  Heh, supplied by the program itself!

:00421D79 8BCE mov ecx, esi
====>ECX=ESI=572468

:00421D7B E8705B0000 call 004278F0
====>Checks again whether 72468 is numeric?
If it is not numeric: "invalid digital number!". It also converts 72468 to its hexadecimal value!

:00421D80 8BF8 mov edi, eax
====>EDI=EAX=00011B14(H)=72468(D)

:00421D82 66A154DC4200 mov ax, word ptr [0042DC54]
:00421D88 663D0100 cmp ax, 0001
:00421D8C 7546 jne 00421DD4
:00421D8E 66A1FADB4200 mov ax, word ptr [0042DBFA]
:00421D94 8B1500DC4200 mov edx, dword ptr [0042DC00]
:00421D9A 33C9 xor ecx, ecx
:00421D9C 8ACC mov cl, ah
:00421D9E 25FF000000 and eax, 000000FF
:00421DA3 8BF1 mov esi, ecx
:00421DA5 8BC8 mov ecx, eax
:00421DA7 E854FBFFFF call 00421900
:00421DAC 8B15FCDB4200 mov edx, dword ptr [0042DBFC]
:00421DB2 03F8 add edi, eax
:00421DB4 6685F6 test si, si
:00421DB7 7504 jne 00421DBD
:00421DB9 33C9 xor ecx, ecx
:00421DBB EB03 jmp 00421DC0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421DB7(C)
|
:00421DBD 8D4E01 lea ecx, dword ptr [esi+01]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421DBB(U)
|
:00421DC0 E83BFBFFFF call 00421900
:00421DC5 8BC8 mov ecx, eax
:00421DC7 85C9 test ecx, ecx
:00421DC9 7438 je 00421E03
:00421DCB 8BC7 mov eax, edi
:00421DCD 99 cdq
:00421DCE F7F9 idiv ecx
:00421DD0 8BC2 mov eax, edx
:00421DD2 EB27 jmp 00421DFB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D8C(C)
|
:00421DD4 663D0200 cmp ax, 0002
:00421DD8 7529 jne 00421E03
:00421DDA 8B15FCDB4200 mov edx, dword ptr [0042DBFC]
====>EDX=7904, the value taken from memory at [00540288]

:00421DE0 A100DC4200 mov eax, dword ptr [0042DC00]
====>EAX=qmx

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Value in memory at [00540284]: supplied by the program itself?!

00540284 71 6D 78 00 37 39 30 34 00 02 00 1E 00 1E 00 D0 qmx.7904....
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00421DE5 8B0D38DD4200 mov ecx, dword ptr [0042DD38]
====>ECX=17359(H)=95065(D)  Heh, the system code

:00421DEB 52 push edx
:00421DEC 668B15FADB4200 mov dx, word ptr [0042DBFA]
:00421DF3 50 push eax
:00421DF4 E897FBFFFF call 00421990
====>The algorithm CALL! It produces the EAX value below. Step in!

:00421DF9 2BC7 sub eax, edi
====>EAX=3403B020 - 11B14=3402950C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421DD2(U)
|
:00421DFB 85C0 test eax, eax
====>Is the result of the subtraction 0? That is, are the 2 parts above equal?

:00421DFD 0F848E000000 je 00421E91
====>If it is not 0, it does not jump and it is OVER!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421DC9(C), :00421DD8(C)
|
:00421E03 B8FBFFFFFF mov eax, FFFFFFFB
:00421E08 EB63 jmp 00421E6D


:00422013 FF1500E24200 call dword ptr [0042E200]
====>BAD BOY!
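
The listing above repeats two compiler idioms that the annotations pass over: the `or ecx, FFFFFFFF / repnz scasb / not ecx` length computation and the two-bytes-per-iteration string compare that ends in `sbb eax, eax / sbb eax, FFFFFFFF`. The C model below is an added example for reading them, not code from the original post or from the program; the function names and the explicit carry-flag variable are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Models: or ecx,FFFFFFFF / xor eax,eax / repnz scasb / not ecx / dec ecx
   (e.g. 00421912..0042191B). repnz scasb decrements ECX once per byte
   scanned, terminator included, so NOT ECX is length + 1. */
static uint32_t scasb_strlen_model(const char *s)
{
    const unsigned char *edi = (const unsigned char *)s;
    uint32_t ecx = 0xFFFFFFFFu;            /* or ecx, FFFFFFFF */
    unsigned char scanned;
    do {                                   /* repnz scasb with AL = 0 */
        scanned = *edi++;
        ecx--;
    } while (scanned != 0 && ecx != 0);
    return ~ecx - 1u;                      /* not ecx / dec ecx */
}

/* Variant at 00421C8F..00421C94: not ecx / add ecx,FFFFFFFE leaves
   length - 1 in CX, the index of the last character. An empty string
   gives FFFF (-1), the value the listing tests with cmp cx, FFFF. */
static int16_t scasb_last_index_model(const char *s)
{
    return (int16_t)((int32_t)scasb_strlen_model(s) - 1);
}

/* Models the inlined compare at 00421AF8..00421B1E. Bytes are compared
   unsigned; cf stands for the carry flag left by the failing cmp. */
static int32_t inline_strcmp_model(const char *a, const char *b)
{
    const unsigned char *eax = (const unsigned char *)a;
    const unsigned char *esi = (const unsigned char *)b;
    int cf;
    for (;;) {
        unsigned char dl = eax[0];
        if (dl != esi[0]) { cf = dl < esi[0]; break; }  /* cmp / jne */
        if (dl == 0) return 0;             /* test cl,cl / je -> xor eax,eax */
        dl = eax[1];
        if (dl != esi[1]) { cf = dl < esi[1]; break; }
        eax += 2;
        esi += 2;
        if (dl == 0) return 0;             /* falls through to xor eax,eax */
    }
    int32_t r = -cf;                       /* sbb eax,eax: 0 or -1, CF kept */
    r = r + 1 - cf;                        /* sbb eax,FFFFFFFF: +1 or -1 */
    return r;
}

int main(void)
{
    /* "qmx" is the string shown in the listing; the others are constructed. */
    printf("len(qmx)=%u last=%d\n", (unsigned)scasb_strlen_model("qmx"),
           scasb_last_index_model("qmx"));
    printf("cmp(qmw,qmx)=%d cmp(qmx,qmx)=%d cmp(qmy,qmx)=%d\n",
           (int)inline_strcmp_model("qmw", "qmx"),
           (int)inline_strcmp_model("qmx", "qmx"),
           (int)inline_strcmp_model("qmy", "qmx"));
    return 0;
}
```

The `test eax, eax / jne` that follows each compare in the listing only distinguishes the zero result from the two non-zero ones.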

—————————————————————————————————
Stepping into the algorithm CALL:


* Referenced by a CALL at Addresses:
|:00421DF4 , :004221DA
|
:00421990 53 push ebx
:00421991 56 push esi
:00421992 668BDA mov bx, dx
:00421995 8BF1 mov esi, ecx
====>ESI=ECX=17359  Heh, the system code

:00421997 8B54240C mov edx, dword ptr [esp+0C]
====>EDX=qmx, the value taken from [00540284]

:0042199B 8ACB mov cl, bl
:0042199D 57 push edi
:0042199E 81E1FF000000 and ecx, 000000FF
:004219A4 E857FFFFFF call 00421900
====>Operates on the program-supplied qmx to produce the EAX value below! Step into the key CALL!

:004219A9 8B542414 mov edx, dword ptr [esp+14]
====>EDX=7904, the value taken from [00540288]

:004219AD 8BF8 mov edi, eax
====>EDI=EAX=00003BEE(H)=15342(D)

:004219AF 33C0 xor eax, eax
:004219B1 8AC7 mov al, bh
:004219B3 6685C0 test ax, ax
:004219B6 7512 jne 004219CA
:004219B8 33C9 xor ecx, ecx
:004219BA E841FFFFFF call 00421900
====>Converts 7904 to its hexadecimal value! EAX=7904(D)=1EE0(H)

:004219BF 03FE add edi, esi
====>EDI=3BEE + 17359=1AF47

:004219C1 0FAFC7 imul eax, edi
====>EAX=1EE0 * 1AF47=3403B020(H)
Heh, convert the result above, 3403B020(H), to its decimal value 872656928(D), and that is the middle part of the registration code!


:004219C4 5F pop edi
:004219C5 5E pop esi
:004219C6 5B pop ebx
:004219C7 C20800 ret 0008

—————————————————————————————————
Stepping into the key CALL: 4219A4 call 00421900


* Referenced by a CALL at Addresses:
|:004219A4 , :004219BA , :004219CD , :00421DA7 , :00421DC0
|
:00421900 53 push ebx
:00421901 8BDA mov ebx, edx
====>EBX=EDX=qmx

:00421903 56 push esi
:00421904 8BF1 mov esi, ecx
====>ESI=ECX=64

:00421906 85DB test ebx, ebx
:00421908 7472 je 0042197C
:0042190A 803B00 cmp byte ptr [ebx], 00
:0042190D 746D je 0042197C
:0042190F 57 push edi
:00421910 8BFB mov edi, ebx
:00421912 83C9FF or ecx, FFFFFFFF
:00421915 33C0 xor eax, eax
:00421917 F2 repnz
:00421918 AE scasb
:00421919 F7D1 not ecx
:0042191B 49 dec ecx
====>ECX=3, the length of qmx

:0042191C 6685F6 test si, si
:0042191F 7443 je 00421964
:00421921 6683FE01 cmp si, 0001
:00421925 743D je 00421964
:00421927 81E6FFFF0000 and esi, 0000FFFF
:0042192D 8BC6 mov eax, esi
====>EAX=ESI=64

:0042192F 99 cdq
:00421930 F7F9 idiv ecx
====>EDX=64 % 3=1

:00421932 0FBE041A movsx eax, byte ptr [edx+ebx]
====>EAX=6D, i.e. the hex value of m

:00421936 0FAFC6 imul eax, esi
====>EAX=6D * 64=2A94

:00421939 0FAFC2 imul eax, edx
====>EAX=2A94 * 01=2A94

:0042193C 03C1 add eax, ecx
====>EAX=2A94 + 03=2A97
Heh, I do not understand the meaning of the code above. Teachers, please advise!

:0042193E 33D2 xor edx, edx
:00421940 85C9 test ecx, ecx
:00421942 7E16 jle 0042195A
:00421944 8BF9 mov edi, ecx
====>EDI=ECX=3

:00421946 2BFE sub edi, esi
====>EDI=3 - 64=FFFFFF9F, i.e. -97(D)

:00421948 83C76F add edi, 0000006F
====>EDI=FFFFFF9F + 6F=E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421958(C)
|
:0042194B 0FBE341A movsx esi, byte ptr [edx+ebx]
====>Takes the hex value of each character of qmx in turn

:0042194F 0FAFF7 imul esi, edi
1. ====>ESI=71 * 0E=62E
2. ====>ESI=6D * 0D=589
3. ====>ESI=78 * 0C=5A0

:00421952 03C6 add eax, esi
1. ====>EAX=2A97 + 62E=30C5
2. ====>EAX=30C5 + 589=364E
3. ====>EAX=364E + 5A0=3BEE

:00421954 42 inc edx
:00421955 4F dec edi
:00421956 3BD1 cmp edx, ecx
:00421958 7CF1 jl 0042194B
====>Loops 3 times

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421942(C)
|
:0042195A 85C0 test eax, eax
:0042195C 7D1A jge 00421978
:0042195E 5F pop edi
:0042195F 5E pop esi
:00421960 F7D8 neg eax
:00421962 5B pop ebx
:00421963 C3 ret

—————————————————————————————————
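[Algorithm summary]:


1. Characters 1, 2 and 3 of the registration code are fixed as: qmx

2. The 1st and 2nd characters from the end of the registration code are fixed as: wt

3. Calculation of the middle characters of the registration code:
(1) Take the system code, 95065, and convert it to hexadecimal: 17359(H)
(2) 17359 + 3BEE=1AF47
(3) 1AF47 * 1EE0=3403B020(H)=872656928(D), which is the middle part of the registration code!

That is: the decimal value of the result of (system code + 3BEE) * 1EE0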


—————————————————————————————————
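[C++ KeyGen]:


Heh, I have only been reading about C++ for a few days, and by chance I ran into this simple algorithm.
Heh, so let my "super clumsy" C++ make fly's third algorithm keygen! Teachers, please forgive my clumsiness!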


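#include <iostream>
using namespace std;

int main()
{
    // m holds the System ID; the routine at 00421990 works on 32-bit registers
    unsigned long int m;
    cout<<"\n★★★★控制测量坐标换算 KeyGen{4th}★★★★\n\n\n\n";
    cout<<"请输入System ID:";
    cin >>m;
    // (System ID + 3BEE) * 1EE0, as in the algorithm summary
    m+=0X00003BEE;
    m*=0X00001EE0;
    // fixed prefix qmx, decimal middle part, fixed suffix wt
    cout<<"\n呵呵,口 令:"<<"qmx"<<m<<"wt";
    cout<<"\n姓名和公司随意输入";
    cout<<"\n\n\nCracked By 巢水工作坊——fly【OCN】 03-4-5 11:11 COMPILE";
    cout<<"\n\n\n * * * 按回车退出!* * *";cin.get();cin.get();
    return 0;
}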


—————————————————————————————————
[Where the registration information is stored]:


1. In the registry

REGEDIT4

[HKEY_CLASSES_ROOT\{onUJAYs36y}]
@="NUQ=%!!5!\"!!5!#9!-Q$5!T5Q.4)U!!!!!!\"=R1!!>`^R<8AY.T)W.49Z-DBXN>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!!!!N!!!!!!!Y!.-(\"!!'!!5!#1!'!$9!5A-!!!)!!!!!!!!!!*XO7A&G<(E!7U^$64FU!!!!!!!!!!!!!!!!!!!!!!!!!"


2. REGEDIT4

[HKEY_CLASSES_ROOT\SystemAppIDs]
@="N!Q!!!!!!!!\"\\45NU6%*'/']S-8V\\-XJ';E>04W*638V\\

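3. The access.ctl file under C:\WINDOWS\SYSTEM.


To register again, all 3 places above must be cleaned out.
Truly a crafty rabbit with three burrows. Software packed with the Softsentry 3.0 shell mostly stores its registration information in much the same way.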

—————————————————————————————————
[Summary]:


System ID:95065
Name: fly
Company: 【OCN】
Password: qmx872656928wt

—————————————————————————————————



Cracked By 巢水工作坊——fly【OCN】

2003-4-5 11:44

    
    
     
    
    
     
