您的位置:首页精文荟萃破解文章 → eBook Edit Pro 3.21破解手记

eBook Edit Pro 3.21破解手记

时间:2004/10/15 0:57:00来源:本站整理作者:蓝点我要评论(0)

 软件名称:eBook Edit Pro 3.21
下载地址: http://www.eBookEdit.com
大 小:2.383MB(脱壳后)
加密方式:注册码
使用工具:TRW2000中文1.23注册版,fi2.5,keymake1.73,AspackDie 1.41
pj日期:2003年3月10日
***************************************************

软件说明:一个编辑eBook的软件,十分好用!指定一个含有网页文件的文件夹,它就会把它做成一个exe可执行文件的E书。

PJ说明:
我也是新手,学习破解还不到两个星期,不足之处,请大家批评指正!
本文件中提到的主文件,即用于制作E书的主运行程序ebookedit.exe
本文件中提到的exe文件,即制作为成品的E书文件

这个软件的注册方式很特别! 在主文件运行过程中,注册部分只有输入用户名和注册码,但除了保存这个信息在注册表的HKEY_CURRENT_USER\Software\Cybershare\Registration位置外(错的也保存),并不做任何检验注册码是否正确的动作。而真正的注册码检验部分是在生成的exe文件中,呵呵,很有意思吧! 如果在主文件当中输入的注册码不正确,那么生成的exe文件在运行的时候,会出现一个未注册的信息。由于exe文件可以脱离原生成程序运行,所以,我们可以判断出来,主文件在生成exe文件的过程中,已经将输入的用户名和注册码信息放入exe文件里了,那么exe文件一运行,就会将这部分信息提取出来,进行注册码正确检验。
得出的结论:要想得真正的注册码,不是研究主文件,而是研究生成的exe文件(找出这个关键,我费了2个小时)


1、先试用一下软件,运行出现欢迎画片,只有一个授权给:和注册键:,分别输入newlaos和78787878(学前辈的试用码),然后按正常步骤生成一个exe文件(不要太大),这里假设为crack.exe文件。

2、用fi2.5一看,exe文件加了一个aspack2.1的壳,用TRW2000可以手动脱壳,自动脱壳我选择了AspackDie 1.41(脱壳过程中,它会发现一个附加信息,选择“是”),生成unpack.exe文件。

3、用TRW2000载入unpack.exe文件,按F10步进(因为按F12一下就出现了未注册信息),来到下面代码段:
......
...... |
:0047C7DC A1D8F04000 mov eax, dword ptr [0040F0D8]
:0047C7E1 E8B260F9FF call 00412898
:0047C7E6 A3D40A4800 mov dword ptr [00480AD4], eax
:0047C7EB 33C0 xor eax, eax
:0047C7ED 55 push ebp
:0047C7EE 6859C84700 push 0047C859
:0047C7F3 64FF30 push dword ptr fs:[eax]
:0047C7F6 648920 mov dword ptr fs:[eax], esp
:0047C7F9 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C7FE 8B00 mov eax, dword ptr [eax]
:0047C800 E8F7DBFCFF call 0044A3FC
:0047C805 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C80A 8B00 mov eax, dword ptr [eax]
:0047C80C C6404B00 mov [eax+4B], 00
:0047C810 A1F0E64700 mov eax, dword ptr [0047E6F0]
:0047C815 8B15D40A4800 mov edx, dword ptr [00480AD4]
:0047C81B 8910 mov dword ptr [eax], edx
:0047C81D 8B0D34E64700 mov ecx, dword ptr [0047E634]
:0047C823 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C828 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"?C"
|
:0047C82A 8B15F0964700 mov edx, dword ptr [004796F0]
:0047C830 E8DFDBFCFF call 0044A414 <===因为一过这里就出现了未注册信息,所以F8进入(后面很多是这种情况)
:0047C835 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C83A 8B00 mov eax, dword ptr [eax]
:0047C83C E853DCFCFF call 0044A494
:0047C841 33C0 xor eax, eax
:0047C843 5A pop edx
:0047C844 59 pop ecx
:0047C845 59 pop ecx
:0047C846 648910 mov dword ptr fs:[eax], edx
:0047C849 6860C84700 push 0047C860

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C85E(U)
|
:0047C84E A1D40A4800 mov eax, dword ptr [00480AD4]
:0047C853 E86866F8FF call 00402EC0
:0047C858 C3 ret
......
......

_______________________________F8来到下面代码段_______________________________________________

:0044A414 55 push ebp
:0044A415 8BEC mov ebp, esp
:0044A417 51 push ecx
:0044A418 53 push ebx
:0044A419 56 push esi
:0044A41A 57 push edi
:0044A41B 894DFC mov dword ptr [ebp-04], ecx
:0044A41E 8BDA mov ebx, edx
:0044A420 8BF0 mov esi, eax
:0044A422 8BC3 mov eax, ebx
:0044A424 FF50F4 call [eax-0C]
:0044A427 8BD8 mov ebx, eax
:0044A429 8B45FC mov eax, dword ptr [ebp-04]
:0044A42C 8918 mov dword ptr [eax], ebx
:0044A42E 33C0 xor eax, eax
:0044A430 55 push ebp
:0044A431 6852A44400 push 0044A452
:0044A436 64FF30 push dword ptr fs:[eax]
:0044A439 648920 mov dword ptr fs:[eax], esp
:0044A43C 8BCE mov ecx, esi
:0044A43E 83CAFF or edx, FFFFFFFF
:0044A441 8BC3 mov eax, ebx
:0044A443 8B38 mov edi, dword ptr [eax]
:0044A445 FF572C call [edi+2C] <===因为一过这里就出现了未注册信息,所以F8再进入
:0044A448 33C0 xor eax, eax
:0044A44A 5A pop edx
:0044A44B 59 pop ecx
:0044A44C 59 pop ecx
:0044A44D 648910 mov dword ptr fs:[eax], edx
:0044A450 EB16 jmp 0044A468
:0044A452 E9158FFBFF jmp 0040336C
:0044A457 8B45FC mov eax, dword ptr [ebp-04]
:0044A45A 33D2 xor edx, edx
:0044A45C 8910 mov dword ptr [eax], edx
:0044A45E E81192FBFF call 00403674
:0044A463 E86092FBFF call 004036C8
......
......


_______________________________F8来到下面代码段_______________________________________________

:0047C448 53 push ebx
:0047C449 56 push esi
:0047C44A 84D2 test dl, dl
:0047C44C 7408 je 0047C456 <===不跳
:0047C44E 83C4F0 add esp, FFFFFFF0
:0047C451 E8AA6DF8FF call 00403200

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C44C(C)
|
:0047C456 8BDA mov ebx, edx
:0047C458 8BF0 mov esi, eax
:0047C45A 33D2 xor edx, edx
:0047C45C 8BC6 mov eax, esi
:0047C45E E80571FCFF call 00443568
:0047C463 8BC6 mov eax, esi
:0047C465 84DB test bl, bl
:0047C467 740F je 0047C478 <===不跳
:0047C469 E8EA6DF8FF call 00403258 <===因为一过这里就出现了未注册信息,所以F8第三次进入(不要晕!胜利就在前方)
:0047C46E 648F0500000000 pop dword ptr fs:[00000000]
:0047C475 83C40C add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C467(C)
|
:0047C478 8BC6 mov eax, esi
:0047C47A 5E pop esi
:0047C47B 5B pop ebx
:0047C47C C3 ret
......
......


_______________________________F8来到下面代码段_______________________________________________
:00403258 50 push eax
:00403259 8B10 mov edx, dword ptr [eax]
:0040325B FF52E4 call [edx-1C]
:0040325E 58 pop eax
:0040325F C3 ret
......

_______________________________程序进到402EA5_______________________________________________
:00402EA5 648F0500000000 pop dword ptr fs:[00000000]
:00402EAC 83C40C add esp, 0000000C
:00402EAF C3 ret
......

_______________________________程序进到47AA21_______________________________________________
:0047AA21 89832C030000 mov dword ptr [ebx+0000032C], eax
:0047AA27 33C0 xor eax, eax
:0047AA29 898330030000 mov dword ptr [ebx+00000330], eax
:0047AA2F 8BCB mov ecx, ebx
:0047AA31 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"?C"
|
:0047AA33 A194614700 mov eax, dword ptr [00476194]
:0047AA38 E82B8BFCFF call 00443568
:0047AA3D 8BF0 mov esi, eax
:0047AA3F 89B338030000 mov dword ptr [ebx+00000338], esi
:0047AA45 8BC6 mov eax, esi
:0047AA47 E844C8FCFF call 00447290
:0047AA4C 8B8338030000 mov eax, dword ptr [ebx+00000338]
:0047AA52 8998EC020000 mov dword ptr [eax+000002EC], ebx

* Possible StringData Ref from Code Obj ->"U嬱j"
|
:0047AA58 C780E8020000A8C14700 mov dword ptr [ebx+000002E8], 0047C1A8
:0047AA62 E8F1B1FFFF call 00475C58
:0047AA67 833DCC0A480000 cmp dword ptr [00480ACC], 00000000
:0047AA6E 740D je 0047AA7D
:0047AA70 8B15CC0A4800 mov edx, dword ptr [00480ACC]
:0047AA76 8BC3 mov eax, ebx
:0047AA78 E893FDFFFF call 0047A810 <===因为一过这里就出现了未注册信息,所以F8第四次进入(呵呵!)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047AA6E(C)
|
:0047AA7D A1F4E74700 mov eax, dword ptr [0047E7F4]
:0047AA82 C60000 mov byte ptr [eax], 00
:0047AA85 8BC3 mov eax, ebx
:0047AA87 E860140000 call 0047BEEC
:0047AA8C A1F4E74700 mov eax, dword ptr [0047E7F4]
:0047AA91 C60001 mov byte ptr [eax], 01
:0047AA94 8BC3 mov eax, ebx
:0047AA96 E849140000 call 0047BEE4
:0047AA9B 8BC3 mov eax, ebx
:0047AA9D E832160000 call 0047C0D4
:0047AAA2 A1CC0A4800 mov eax, dword ptr [00480ACC]
......
......



_______________________________F8来到下面代码段_______________________________________________

:0047A810 55 push ebp
:0047A811 8BEC mov ebp, esp
:0047A813 83C4E8 add esp, FFFFFFE8
:0047A816 53 push ebx
:0047A817 56 push esi
:0047A818 57 push edi
:0047A819 33C9 xor ecx, ecx
:0047A81B 894DEC mov dword ptr [ebp-14], ecx
:0047A81E 894DE8 mov dword ptr [ebp-18], ecx
:0047A821 8BDA mov ebx, edx
:0047A823 8BF0 mov esi, eax
:0047A825 33C0 xor eax, eax
:0047A827 55 push ebp
:0047A828 684AA94700 push 0047A94A
:0047A82D 64FF30 push dword ptr fs:[eax]
:0047A830 648920 mov dword ptr fs:[eax], esp
:0047A833 8BC3 mov eax, ebx
:0047A835 E8F27DF9FF call 0041262C
:0047A83A 8BD0 mov edx, eax
:0047A83C 83EA10 sub edx, 00000010
:0047A83F 33C9 xor ecx, ecx
:0047A841 8BC3 mov eax, ebx
:0047A843 8B38 mov edi, dword ptr [eax]
:0047A845 FF570C call [edi+0C]
:0047A848 8D55F0 lea edx, dword ptr [ebp-10]
:0047A84B B910000000 mov ecx, 00000010
:0047A850 8BC3 mov eax, ebx
:0047A852 8B38 mov edi, dword ptr [eax]
:0047A854 FF5704 call [edi+04]
:0047A857 8B7DFC mov edi, dword ptr [ebp-04]
:0047A85A 81FF97130000 cmp edi, 00001397
:0047A860 7440 je 0047A8A2 <===跳转了,不然就进看下面:-)
:0047A862 6A00 push 00000000
:0047A864 8D4DE8 lea ecx, dword ptr [ebp-18]
:0047A867 33D2 xor edx, edx
:0047A869 8BC7 mov eax, edi
:0047A86B E8C0E0F8FF call 00408930
:0047A870 8B4DE8 mov ecx, dword ptr [ebp-18]
:0047A873 8D45EC lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"这本 eBook 具有一个错误的签名. "
->"这个程序将被终止.
签名: "
|
:0047A876 BA60A94700 mov edx, 0047A960
:0047A87B E8F095F8FF call 00403E70
:0047A880 8B45EC mov eax, dword ptr [ebp-14]
:0047A883 668B0DB4A94700 mov cx, word ptr [0047A9B4]
:0047A88A B201 mov dl, 01
:0047A88C E8D337FDFF call 0044E064
:0047A891 A10CE84700 mov eax, dword ptr [0047E80C]
:0047A896 8B00 mov eax, dword ptr [eax]
:0047A898 E8ABFCFCFF call 0044A548
:0047A89D E98D000000 jmp 0047A92F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A860(C)
|
:0047A8A2 8BC3 mov eax, ebx <===程序跳到这里,继续往下走
:0047A8A4 E8837DF9FF call 0041262C
:0047A8A9 8BF8 mov edi, eax
:0047A8AB 2B7DF0 sub edi, dword ptr [ebp-10]
:0047A8AE 89BE1C030000 mov dword ptr [esi+0000031C], edi
:0047A8B4 33C9 xor ecx, ecx
:0047A8B6 8BD7 mov edx, edi
:0047A8B8 8BC3 mov eax, ebx
:0047A8BA 8B38 mov edi, dword ptr [eax]
:0047A8BC FF570C call [edi+0C]
:0047A8BF 8BD3 mov edx, ebx
:0047A8C1 8BC6 mov eax, esi
:0047A8C3 E858030000 call 0047AC20
:0047A8C8 8BD3 mov edx, ebx
:0047A8CA 8BC6 mov eax, esi
:0047A8CC E807F5FFFF call 00479DD8 <===因为一过这里就出现了未注册信息,所以F8第五次进入(555555~~~~还要进)
:0047A8D1 8BD3 mov edx, ebx
:0047A8D3 8BC6 mov eax, esi
:0047A8D5 E816FAFFFF call 0047A2F0
:0047A8DA 8BD3 mov edx, ebx
:0047A8DC 8BC6 mov eax, esi
:0047A8DE E8C9F5FFFF call 00479EAC
:0047A8E3 80BE6C03000000 cmp byte ptr [esi+0000036C], 00
:0047A8EA 7509 jne 0047A8F5
:0047A8EC 8BD3 mov edx, ebx
:0047A8EE 8BC6 mov eax, esi
:0047A8F0 E83BFAFFFF call 0047A330
......
......


_______________________________F8来到下面代码段_______________________________________________

:00479DD8 55 push ebp
:00479DD9 8BEC mov ebp, esp
:00479DDB 51 push ecx
:00479DDC 53 push ebx
:00479DDD 56 push esi
:00479DDE 8BF2 mov esi, edx
:00479DE0 8BD8 mov ebx, eax
:00479DE2 8D9320030000 lea edx, dword ptr [ebx+00000320]
:00479DE8 8BC6 mov eax, esi
:00479DEA E83DE5FFFF call 0047832C
:00479DEF 8D9324030000 lea edx, dword ptr [ebx+00000324]
:00479DF5 8BC6 mov eax, esi
:00479DF7 E830E5FFFF call 0047832C
:00479DFC 8D9328030000 lea edx, dword ptr [ebx+00000328]
:00479E02 8BC6 mov eax, esi
:00479E04 E823E5FFFF call 0047832C
:00479E09 6A00 push 00000000
:00479E0B 8B9324030000 mov edx, dword ptr [ebx+00000324]
:00479E11 8B8320030000 mov eax, dword ptr [ebx+00000320]

* Possible StringData Ref from Code Obj ->"~TurnIde@$IntoProfit$w/eBook$!>>YouC@n$ucceed!"
->"<<"
|
:00479E17 B9789E4700 mov ecx, 00479E78
:00479E1C E83BE2FFFF call 0047805C <===算法CALL了,最后一次F8进入,看个究竟
:00479E21 84C0 test al, al
:00479E23 7544 jne 00479E69 <===关键跳转(终于到了),爆破只针对每个exe文件,所以没多大意思
:00479E25 8BCB mov ecx, ebx
:00479E27 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"?C"
|
:00479E29 A1B4744700 mov eax, dword ptr [004774B4]
:00479E2E E83597FCFF call 00443568
:00479E33 8945FC mov dword ptr [ebp-04], eax
:00479E36 33C0 xor eax, eax
:00479E38 55 push ebp
:00479E39 68629E4700 push 00479E62
:00479E3E 64FF30 push dword ptr fs:[eax]
:00479E41 648920 mov dword ptr fs:[eax], esp
:00479E44 8B45FC mov eax, dword ptr [ebp-04]
:00479E47 E88CD8FFFF call 004776D8
:00479E4C 33C0 xor eax, eax
:00479E4E 5A pop edx
:00479E4F 59 pop ecx
:00479E50 59 pop ecx
:00479E51 648910 mov dword ptr fs:[eax], edx
:00479E54 68699E4700 push 00479E69

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479E67(U)
|
:00479E59 8B45FC mov eax, dword ptr [ebp-04]
:00479E5C E85F90F8FF call 00402EC0
:00479E61 C3 ret


:00479E62 E9B997F8FF jmp 00403620
:00479E67 EBF0 jmp 00479E59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479E23(C)
|
:00479E69 5E pop esi
:00479E6A 5B pop ebx
:00479E6B 59 pop ecx
:00479E6C 5D pop ebp
:00479E6D C3 ret


_______________________________F8来到下面代码段_______________________________________________

:0047805C 55 push ebp <===此处下D EAX发现EAX=newlaos,下D EDX发现EDX=78787878
:0047805D 8BEC mov ebp, esp
:0047805F 81C4FCFEFFFF add esp, FFFFFEFC
:00478065 53 push ebx
:00478066 56 push esi
:00478067 57 push edi
:00478068 33DB xor ebx, ebx
:0047806A 895DFC mov dword ptr [ebp-04], ebx
:0047806D 8BF9 mov edi, ecx
:0047806F 8BF2 mov esi, edx
:00478071 8BD8 mov ebx, eax
:00478073 8B4508 mov eax, dword ptr [ebp+08]
:00478076 E85DBFF8FF call 00403FD8
:0047807B 33C0 xor eax, eax
:0047807D 55 push ebp
:0047807E 68D7804700 push 004780D7
:00478083 64FF30 push dword ptr fs:[eax]
:00478086 648920 mov dword ptr fs:[eax], esp
:00478089 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:0047808F 50 push eax
:00478090 8B4D08 mov ecx, dword ptr [ebp+08]
:00478093 8BD7 mov edx, edi
:00478095 8BC3 mov eax, ebx
:00478097 E810FEFFFF call 00477EAC  <===此CALL算出与用户名相对应的注册码
:0047809C 8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC] 
:004780A2 8D45FC lea eax, dword ptr [ebp-04] <===此处下D EAX发现注册码,但位置不正确
:004780A5 E81EBDF8FF call 00403DC8
:004780AA 8B45FC mov eax, dword ptr [ebp-04] <===此处将真码放入EAX
:004780AD 8BD6 mov edx, esi    <===将假码78787878放入EDX,在这下命令D EAX可以看见注册码
:004780AF E880BEF8FF call 00403F34    
:004780B4 0F94C0 sete al
:004780B7 8BD8 mov ebx, eax
:004780B9 33C0 xor eax, eax
:004780BB 5A pop edx
:004780BC 59 pop ecx
:004780BD 59 pop ecx
:004780BE 648910 mov dword ptr fs:[eax], edx
:004780C1 68DE804700 push 004780DE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004780DC(U)
|
:004780C6 8D45FC lea eax, dword ptr [ebp-04]
:004780C9 E8D6BAF8FF call 00403BA4
:004780CE 8D4508 lea eax, dword ptr [ebp+08]
:004780D1 E8CEBAF8FF call 00403BA4
:004780D6 C3 ret



4、制作内存注册机:(keymake 1.73)
一、选择F8 → 另类注册机!
程序名称:crack.exe
添加数据:
  中断地址:004780AD
中断次数:1
第一字节:8B
指令长度:2
   保存下列信息为注册码 → 内存方式 → 寄存器 → EAX
二、选择内存方式:内存地址 → BF693C → 点生成,就有你乐的了(这一句是学老师的;)
三、内存注册机的使用:由于是针对生成的exe文件,如果要用注册机,就必须将exe文件改名为在制作注册机时定义的程序名称(本例制作出的注册机,使用时就应把exe文件改名为crack.exe),否则不能完成找注册码的工作。找到注册码,只取前面16字符就可以了!


5、我的注册信息
受权给:newlaos
注册键:EDwKZK84BuzRTYQ2


____________________________________________________________________________________________________________
____________________________________________________________________________________________________________

____________________________________________________________________________________________________________

::学习::
______________________以下是高手对算法的分析_________________________________
破解者:HMILY[CCG][BCG]
说 明:该软件注册码的查找,已经有人破解了,我来补充算法分析。
下载了它的汉化版后,感觉还不错,就分析了一下它的注册过程,
算法并不难,只是过于复杂。
备 注:在调试过程中,不知道是哪里错了,注册名只能支持到10位。
:00478097 E810FEFFFF call 00477EAC ->注册码的计算call
:0047809C 8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC]
:004780A2 8D45FC lea eax, dword ptr [ebp-04]
:004780A5 E81EBDF8FF call 00403DC8
:004780AA 8B45FC mov eax, dword ptr [ebp-04]
:004780AD 8BD6 mov edx, esi
:004780AF E880BEF8FF call 00403F34
:004780B4 0F94C0 sete al
:004780B7 8BD8 mov ebx, eax
:004780B9 33C0 xor eax, eax
:004780BB 5A pop edx
:004780BC 59 pop ecx
:004780BD 59 pop ecx
:004780BE 648910 mov dword ptr fs:[eax], edx
:004780C1 68DE804700 push 004780DE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004780DC(U)
|
:004780C6 8D45FC lea eax, dword ptr [ebp-04]
:004780C9 E8D6BAF8FF call 00403BA4
:004780CE 8D4508 lea eax, dword ptr [ebp+08]
:004780D1 E8CEBAF8FF call 00403BA4
:004780D6 C3 ret
========================================================================
* Referenced by a CALL at Address:
|:00478097
|
:00477EAC 55 push ebp ->跟进上面那个call,来到这里
:00477EAD 8BEC mov ebp, esp
:00477EAF 83C4DC add esp, FFFFFFDC
:00477EB2 53 push ebx
:00477EB3 56 push esi
:00477EB4 57 push edi
:00477EB5 33DB xor ebx, ebx
:00477EB7 895DDC mov dword ptr [ebp-24], ebx
:00477EBA 895DE0 mov dword ptr [ebp-20], ebx
:00477EBD 895DF0 mov dword ptr [ebp-10], ebx
:00477EC0 894DF4 mov dword ptr [ebp-0C], ecx
:00477EC3 8955F8 mov dword ptr [ebp-08], edx
:00477EC6 8945FC mov dword ptr [ebp-04], eax
:00477EC9 8B45FC mov eax, dword ptr [ebp-04]
:00477ECC E807C1F8FF call 00403FD8
:00477ED1 8B45F8 mov eax, dword ptr [ebp-08]
:00477ED4 E8FFC0F8FF call 00403FD8
:00477ED9 8B45F4 mov eax, dword ptr [ebp-0C]
:00477EDC E8F7C0F8FF call 00403FD8
:00477EE1 33C0 xor eax, eax
:00477EE3 55 push ebp
:00477EE4 684C804700 push 0047804C
:00477EE9 64FF30 push dword ptr fs:[eax]
:00477EEC 648920 mov dword ptr fs:[eax], esp
:00477EEF 837DFC00 cmp dword ptr [ebp-04], 00000000
:00477EF3 746D je 00477F62
:00477EF5 BB01000000 mov ebx, 00000001 ->ebx置1先
:00477EFA 8D75E4 lea esi, dword ptr [ebp-1C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477F2A(C)
|
:00477EFD 8B45FC mov eax, dword ptr [ebp-04]
:00477F00 E81FBFF8FF call 00403E24 |
:00477F05 50 push eax |
:00477F06 8BC3 mov eax, ebx |
:00477F08 48 dec eax 无
:00477F09 5A pop edx 用
:00477F0A 8BCA mov ecx, edx |
:00477F0C 99 cdq |
:00477F0D F7F9 idiv ecx |
:00477F0F 8B45FC mov eax, dword ptr [ebp-04] ->注册名传入eax
:00477F12 8A0410 mov al, byte ptr [eax+edx] ->依次取注册名
:00477F15 50 push eax ->注册名入栈
:00477F16 8B45FC mov eax, dword ptr [ebp-04] ->注册名传入eax
:00477F19 E806BFF8FF call 00403E24 ->取注册名位数
:00477F1E 5A pop edx ->注册名出栈
:00477F1F 32D0 xor dl, al ->dl=位数^依次取的注册名
:00477F21 32D3 xor dl, bl ->dl=dl^bl
:00477F23 8816 mov byte ptr [esi], dl ->保存dl
:00477F25 43 inc ebx ->ebx++
:00477F26 46 inc esi ->esi++
:00477F27 83FB0D cmp ebx, 0000000D ->比较ebx是否等于13
:00477F2A 75D1 jne 00477EFD ->不相等继续循环
:00477F2C 8B45FC mov eax, dword ptr [ebp-04]
:00477F2F E8F0BEF8FF call 00403E24
:00477F34 8BF0 mov esi, eax
:00477F36 85F6 test esi, esi
:00477F38 7E28 jle 00477F62
:00477F3A BB01000000 mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477F60(C)
|
:00477F3F 8B45FC mov eax, dword ptr [ebp-04]
:00477F42 E8DDBEF8FF call 00403E24
:00477F47 2BC3 sub eax, ebx
:00477F49 8B55FC mov edx, dword ptr [ebp-04] ->注册名传入edx
:00477F4C 8A0C02 mov cl, byte ptr [edx+eax] ->依次取取反的注册名
:00477F4F 8BC3 mov eax, ebx |
:00477F51 48 dec eax 无
:00477F52 BF0C000000 mov edi, 0000000C 用
:00477F57 99 cdq |
:00477F58 F7FF idiv edi |
:00477F5A 304C15E4 xor byte ptr [ebp+edx-1C], cl ->将上面计算出来的字符串与取反的注册名依次做异或运算
:00477F5E 43 inc ebx
:00477F5F 4E dec esi
:00477F60 75DD jne 00477F3F ->注册名没取完,继续

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00477EF3(C), :00477F38(C)
|
:00477F62 837DF800 cmp dword ptr [ebp-08], 00000000
:00477F66 7439 je 00477FA1
:00477F68 BB01000000 mov ebx, 00000001 ->ebx置1先
:00477F6D 8D75E4 lea esi, dword ptr [ebp-1C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477F9F(C)
|
:00477F70 8B45F8 mov eax, dword ptr [ebp-08] ->计算基数传入eax
:00477F73 E8ACBEF8FF call 00403E24 ->这里面是取eax-04,没有字符,所以取0x30
:00477F78 50 push eax
:00477F79 8BC3 mov eax, ebx
:00477F7B 48 dec eax
:00477F7C 5A pop edx
:00477F7D 8BCA mov ecx, edx
:00477F7F 99 cdq
:00477F80 F7F9 idiv ecx
:00477F82 8B45F8 mov eax, dword ptr [ebp-08] ->基数传入eax
:00477F85 8A0410 mov al, byte ptr [eax+edx] ->依次取基数到al
:00477F88 3206 xor al, byte ptr [esi] ->al与第二次计算出来的字符串做异或运算
:00477F8A 50 push eax ->计算结果入栈
:00477F8B 8B45F8 mov eax, dword ptr [ebp-08]
:00477F8E E891BEF8FF call 00403E24 ->这里面是取eax-04,没有字符,所以取0x30
:00477F93 5A pop edx ->计算结果出栈
:00477F94 32D0 xor dl, al ->dl=dl^al
:00477F96 32D3 xor dl, bl ->dl=dl^bl
:00477F98 8816 mov byte ptr [esi], dl ->保存计算结果
:00477F9A 43 inc ebx ->ebx++
:00477F9B 46 inc esi ->esi++
:00477F9C 83FB0D cmp ebx, 0000000D ->比较ebx是否等于13
:00477F9F 75CF jne 00477F70 ->不等,继续

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477F66(C)
|
:00477FA1 837DF400 cmp dword ptr [ebp-0C], 00000000
:00477FA5 7439 je 00477FE0 ->这里跳走
:00477FA7 BB01000000 mov ebx, 00000001
:00477FAC 8D75E4 lea esi, dword ptr [ebp-1C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477FDE(C)
|
:00477FAF 8B45F4 mov eax, dword ptr [ebp-0C]
:00477FB2 E86DBEF8FF call 00403E24
:00477FB7 50 push eax
:00477FB8 8BC3 mov eax, ebx
:00477FBA 48 dec eax
:00477FBB 5A pop edx
:00477FBC 8BCA mov ecx, edx
:00477FBE 99 cdq
:00477FBF F7F9 idiv ecx
:00477FC1 8B45F4 mov eax, dword ptr [ebp-0C]
:00477FC4 8A0410 mov al, byte ptr [eax+edx]
:00477FC7 3206 xor al, byte ptr [esi]
:00477FC9 50 push eax
:00477FCA 8B45F4 mov eax, dword ptr [ebp-0C]
:00477FCD E852BEF8FF call 00403E24
:00477FD2 5A pop edx
:00477FD3 32D0 xor dl, al
:00477FD5 32D3 xor dl, bl
:00477FD7 8816 mov byte ptr [esi], dl
:00477FD9 43 inc ebx
:00477FDA 46 inc esi
:00477FDB 83FB0D cmp ebx, 0000000D
:00477FDE 75CF jne 00477FAF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477FA5(C)
|
:00477FE0 8D45F0 lea eax, dword ptr [ebp-10] ->上面那个跳转到这里
:00477FE3 E8BCBBF8FF call 00403BA4
:00477FE8 BB0C000000 mov ebx, 0000000C
:00477FED 8D75E4 lea esi, dword ptr [ebp-1C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00478007(C)
|
:00477FF0 8D45E0 lea eax, dword ptr [ebp-20]
:00477FF3 8A16 mov dl, byte ptr [esi]
:00477FF5 E852BDF8FF call 00403D4C
:00477FFA 8B55E0 mov edx, dword ptr [ebp-20]
:00477FFD 8D45F0 lea eax, dword ptr [ebp-10]
:00478000 E827BEF8FF call 00403E2C
:00478005 46 inc esi
:00478006 4B dec ebx
:00478007 75E7 jne 00477FF0
:00478009 8D55DC lea edx, dword ptr [ebp-24]
:0047800C 8B45F0 mov eax, dword ptr [ebp-10] ->这里d eax可看到计算后的字符串->计为(end)
:0047800F E83CFBFFFF call 00477B50 ->最后注册码的计算->跟进去
:00478014 8B55DC mov edx, dword ptr [ebp-24]
:00478017 8B4508 mov eax, dword ptr [ebp+08]
:0047801A B9FF000000 mov ecx, 000000FF
:0047801F E8DCBDF8FF call 00403E00
:00478024 33C0 xor eax, eax
:00478026 5A pop edx
:00478027 59 pop ecx
:00478028 59 pop ecx
:00478029 648910 mov dword ptr fs:[eax], edx
:0047802C 6853804700 push 00478053

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00478051(U)
|
:00478031 8D45DC lea eax, dword ptr [ebp-24]
:00478034 BA02000000 mov edx, 00000002
:00478039 E88ABBF8FF call 00403BC8
:0047803E 8D45F0 lea eax, dword ptr [ebp-10]
:00478041 BA04000000 mov edx, 00000004
:00478046 E87DBBF8FF call 00403BC8
:0047804B C3 ret
===================================================================
* Referenced by a CALL at Addresses:
|:00477DB1 , :0047800F
|
:00477B50 55 push ebp ->跟进0047800F到这里
:00477B51 8BEC mov ebp, esp
:00477B53 83C4F0 add esp, FFFFFFF0
:00477B56 53 push ebx
:00477B57 56 push esi
:00477B58 57 push edi
:00477B59 33C9 xor ecx, ecx
:00477B5B 894DF0 mov dword ptr [ebp-10], ecx
:00477B5E 8BFA mov edi, edx
:00477B60 8945FC mov dword ptr [ebp-04], eax
:00477B63 8B45FC mov eax, dword ptr [ebp-04]
:00477B66 E86DC4F8FF call 00403FD8
:00477B6B 33C0 xor eax, eax
:00477B6D 55 push ebp
:00477B6E 68847C4700 push 00477C84
:00477B73 64FF30 push dword ptr fs:[eax]
:00477B76 648920 mov dword ptr fs:[eax], esp
:00477B79 8BC7 mov eax, edi
:00477B7B E824C0F8FF call 00403BA4
:00477B80 E9D7000000 jmp 00477C5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C60(C)
|
:00477B85 8B45FC mov eax, dword ptr [ebp-04]
:00477B88 E897C2F8FF call 00403E24
:00477B8D 8BC8 mov ecx, eax
:00477B8F 8BC1 mov eax, ecx
:00477B91 BB03000000 mov ebx, 00000003
:00477B96 99 cdq
:00477B97 F7FB idiv ebx
:00477B99 85C0 test eax, eax
:00477B9B 7E07 jle 00477BA4
:00477B9D BB03000000 mov ebx, 00000003
:00477BA2 EB02 jmp 00477BA6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B9B(C)
|
:00477BA4 8BD9 mov ebx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BA2(U)
|
:00477BA6 8D45F9 lea eax, dword ptr [ebp-07]
:00477BA9 33C9 xor ecx, ecx
:00477BAB BA03000000 mov edx, 00000003
:00477BB0 E8B3AFF8FF call 00402B68
:00477BB5 8D45F5 lea eax, dword ptr [ebp-0B]
:00477BB8 B940000000 mov ecx, 00000040
:00477BBD BA04000000 mov edx, 00000004
:00477BC2 E8A1AFF8FF call 00402B68
:00477BC7 8D45FC lea eax, dword ptr [ebp-04]
:00477BCA E825C4F8FF call 00403FF4
:00477BCF 8D55F9 lea edx, dword ptr [ebp-07]
:00477BD2 8BCB mov ecx, ebx
:00477BD4 E8B7ACF8FF call 00402890
:00477BD9 83FB03 cmp ebx, 00000003
:00477BDC 7C08 jl 00477BE6
:00477BDE 8A45FB mov al, byte ptr [ebp-05] ->计算从这里开始,取end的第三位
:00477BE1 243F and al, 3F ->和0x3f做与运算,al=al&0x3f
:00477BE3 8845F8 mov byte ptr [ebp-08], al ->保存al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BDC(C)
|
:00477BE6 83FB02 cmp ebx, 00000002
:00477BE9 7C15 jl 00477C00
:00477BEB 8A45FA mov al, byte ptr [ebp-06] ->取end的第二位到al
:00477BEE C1E002 shl eax, 02 ->eax=eax<<2
:00477BF1 33D2 xor edx, edx
:00477BF3 8A55FB mov dl, byte ptr [ebp-05] ->取end的第三位到dl
:00477BF6 C1EA06 shr edx, 06 ->edx=edx>>6
:00477BF9 0AC2 or al, dl ->al=al|dl
:00477BFB 243F and al, 3F ->al=al&0x3f
:00477BFD 8845F7 mov byte ptr [ebp-09], al ->保存al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BE9(C)
|
:00477C00 8A45F9 mov al, byte ptr [ebp-07] ->取end的第一位
:00477C03 8BD0 mov edx, eax ->edx=eax
:00477C05 C1E204 shl edx, 04 ->edx=edx<<4
:00477C08 33C9 xor ecx, ecx
:00477C0A 8A4DFA mov cl, byte ptr [ebp-06] ->取end的第二位到cl
:00477C0D C1E904 shr ecx, 04 ->ecx=ecx>>4
:00477C10 0AD1 or dl, cl ->dl=dl|cl
:00477C12 80E23F and dl, 3F ->dl=dl&0x3f
:00477C15 8855F6 mov byte ptr [ebp-0A], dl ->保存dl
:00477C18 25FF000000 and eax, 000000FF ->eax=eax&0xff
:00477C1D C1E802 shr eax, 02 ->eax=eax>>2
:00477C20 243F and al, 3F ->al=al&0x3f
:00477C22 8845F5 mov byte ptr [ebp-0B], al ->保存al
:00477C25 8D45FC lea eax, dword ptr [ebp-04]
:00477C28 8BCB mov ecx, ebx
:00477C2A BA01000000 mov edx, 00000001
:00477C2F E838C4F8FF call 0040406C
:00477C34 BE04000000 mov esi, 00000004
:00477C39 8D5DF5 lea ebx, dword ptr [ebp-0B]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C5A(C)
|
:00477C3C 8D45F0 lea eax, dword ptr [ebp-10]
:00477C3F 33D2 xor edx, edx
:00477C41 8A13 mov dl, byte ptr [ebx] ->依次取计算的结果
:00477C43 8A929DE44700 mov dl, byte ptr [edx+0047E49D] ->用结果在基数相对位置上的字符
:00477C49 E8FEC0F8FF call 00403D4C
:00477C4E 8B55F0 mov edx, dword ptr [ebp-10] ->将找到的字符传到edx
:00477C51 8BC7 mov eax, edi
:00477C53 E8D4C1F8FF call 00403E2C
:00477C58 43 inc ebx
:00477C59 4E dec esi
:00477C5A 75E0 jne 00477C3C ->比较是否取完,没有继续

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B80(U)
|
:00477C5C 837DFC00 cmp dword ptr [ebp-04], 00000000 ->比较end是否取完
:00477C60 0F851FFFFFFF jne 00477B85 ->没有则继续,后面位数的取法,见注册机源码
:00477C66 33C0 xor eax, eax
:00477C68 5A pop edx
:00477C69 59 pop ecx
:00477C6A 59 pop ecx
:00477C6B 648910 mov dword ptr fs:[eax], edx
:00477C6E 688B7C4700 push 00477C8B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C89(U)
|
:00477C73 8D45F0 lea eax, dword ptr [ebp-10]
:00477C76 E829BFF8FF call 00403BA4
:00477C7B 8D45FC lea eax, dword ptr [ebp-04]
:00477C7E E821BFF8FF call 00403BA4
:00477C83 C3 ret

下面为注册机源码:CB v6.0 win98 SE下调试通过
呵呵,可能是自己的编程水平不高,只能写出这样的源程序,我想它应该可以更简化一些。

void __fastcall Tform1::OKBtnClick(TObject *Sender)
{
int key_11[29]={'~','T','u','r','n','I','d','e','@','$','I',
'n','t','o','P','r','o','f','i','t','$','w',
'/','e','B','o','o','k'},*p=key_11;
int key_22[15]={'0','0','0','0','0','0','0','0','0','0','0',
'0','0','0','0'} ,*p1=key_22;
String name,key_1,key_2,T,key_3,name_key,code_1,code_2,code_3,
code_4,code_5,code_6,code_7,code_8,code_9,
code_10,code_11,code_12,code_13,code_14,
code_15,code_16;
int a,b=1,c=1,d=0,d_1=0,j=1,k=1;
unsigned long e=0,f=0,g=0,h=0,i=0,l=0,m=0,x=0;
if(UEdit->Text=="") {CEdit->Text="未输入注册名!";return;}
if(UEdit->Text.Length()>10) {CEdit->Text="注册名不能大于10位!";return;}
if(UEdit->Text!="")
{
name=UEdit->Text;a=UEdit->Text.Length();
while(c<=12)
{
if(c>a) {name=name+name;d++;e=name[d];}
else e=name[c];
f=e^a;g=f^b;
c++;b++;
key_1=key_1+char(g);
}
while(a>=1)
{
h=name[a]^key_1[j];
a--;j++;
key_2=key_2+char(h);
}
if(j<12)
{
while(j<=12)
{
x=key_1[j];
name_key=name_key+char(x);j++;
}
key_2=key_2+name_key;
while(k<=12)
{
i=key_2[k]^*p1;
l=i^*p;m=l^k;k++;p++;p1++;
key_3=key_3+char(m);
}
unsigned long a_1=0,b_1=0,c_1=0,a_11=0,b_11=0,c_11=0,
c_12=0,c_13=0,c_14=0,c_15=0;
a_1=key_3[3]&0x3f;
b_1=key_3[2]<<2;
b_11=key_3[2]>>6;
c_15=((b_11|b_1)^0x100)&0x3f;
c_1=((b_11|b_1)&0x100)+key_3[1];
c_11=c_1<<4;c_12=key_3[2]>>4;
c_13=(c_11|c_12)&0x3f;
c_14=(c_1&0xff)>>2;
char key_111[]={'I','Y','A','G','P','X','D','J','Q','W',
'M','H','V','C','N','F','U','Z','R','B',
'K','E','S','O','L','T','t','f','k','y',
's','b','o','h','l','u','j','w','e','c',
'p','m','i','a','q','n','d','x','z','v',
'g','r','4','6','+','0','2','5','7','3',
'/','8','1','=','9'};
code_1=key_111[c_14];code_2=key_111[c_13];
code_3=key_111[c_15];code_4=key_111[a_1];
unsigned long aa_1=0,ab_1=0,ac_1=0,aa_11=0,ab_11=0,ac_11=0,
ac_12=0,ac_13=0,ac_14=0,ac_15=0;
aa_1=key_3[6]&0x3f;
ab_1=key_3[5]<<2;
ab_11=key_3[6]>>6;
ac_15=((ab_11|ab_1)^0x100)&0x3f;
ac_1=((ab_11|ab_1)&0x100)+key_3[4];
ac_11=ac_1<<4;ac_12=key_3[5]>>4;
ac_13=(ac_11|ac_12)&0x3f;
ac_14=(ac_1&0xff)>>2;
code_5=key_111[ac_14];code_6=key_111[ac_13];
code_7=key_111[ac_15];code_8=key_111[aa_1];
unsigned long ba_1=0,bb_1=0,bc_1=0,ba_11=0,bb_11=0,bc_11=0,
bc_12=0,bc_13=0,bc_14=0,bc_15=0;
ba_1=key_3[9]&0x3f;
bb_1=key_3[8]<<2;
bb_11=key_3[9]>>6;
bc_15=((bb_11|bb_1)^0x100)&0x3f;
bc_1=((bb_11|bb_1)&0x100)+key_3[7];
bc_11=bc_1<<4;bc_12=key_3[8]>>4;
bc_13=(bc_11|bc_12)&0x3f;
bc_14=(bc_1&0xff)>>2;
code_9=key_111[bc_14];code_10=key_111[bc_13];
code_11=key_111[bc_15];code_12=key_111[ba_1];
unsigned long ca_1=0,cb_1=0,cc_1=0,ca_11=0,cb_11=0,cc_11=0,
cc_12=0,cc_13=0,cc_14=0,cc_15=0;
ca_1=key_3[12]&0x3f;
cb_1=key_3[11]<<2;
cb_11=key_3[12]>>6;
cc_15=((cb_11|cb_1)^0x100)&0x3f;
cc_1=((cb_11|cb_1)&0x100)+key_3[10];
cc_11=cc_1<<4;cc_12=key_3[11]>>4;
cc_13=(cc_11|cc_12)&0x3f;
cc_14=(cc_1&0xff)>>2;
code_13=key_111[cc_14];code_14=key_111[cc_13];
code_15=key_111[cc_15];code_16=key_111[ca_1];
CEdit->Text=CEdit->Text+code_1+code_2+code_3+code_4
+code_5+code_6+code_7+code_8+code_9+code_10+code_11
+code_12+code_13+code_14+code_15+code_16;

    
    
     
    
    
     

相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么

文章评论
发表评论

热门文章 去除winrar注册框方法

最新文章 去除winrar注册框方法通过Access破解MSSQL获 JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据安装office2003 出现错误提示1402、1308、1

人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程