秋天的落叶（AutumnLeaves） v1.10 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → 秋天的落叶（AutumnLeaves） v1.10

秋天的落叶（AutumnLeaves） v1.10 时间：2004/10/15 1:01:00来源：本站整理作者：蓝点我要评论(1)

下载地址：

http://www.zizi.8u8.com/soft/autumnleaves.zip
【软件限制】：功能限制
【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！
【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、pe-scan、W32Dasm 9.0白金版
—————————————————————————————————
【过    程】：
秋 ——  秋风秋雨愁煞人？否！看：斑斓的秋之落叶翩翩飘舞你的桌面，还有熟了的微笑着的大南瓜，蹦蹦跳跳来了两只小松鼠……   这就是绚丽的秋，绚丽的《AutumnLeaves》。

上面的地址下载的是汉化版，可能是汉化者重新加了壳。
AutumnLeaves.exe 是PECompact 1.4壳，用pe-scan脱之。173K->872K。 VC++ 6.0 编写。
名  字：fly
关键字：[OCN][FCG]
试炼码：13572468
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004089D9(C)

* Possible Reference to String Resource ID=01080: "螞??
                                 |
:004089ED 6838040000              push 00000438
:004089F2 8B4D08                  mov ecx, dword ptr [ebp+08]
:004089F5 51                      push ecx

* Reference To: USER32.GetDlgItem, Ord:0000h
                                 |
:004089F6 FF15E0414100            Call dword ptr [004141E0]
                                 ====>取用户名

:004089FC 8945F4                  mov dword ptr [ebp-0C], eax
:004089FF 6A63                    push 00000063
:00408A01 68F08B4100              push 00418BF0
                                 ====>00418BF0=fly

:00408A06 8B55F4                  mov edx, dword ptr [ebp-0C]
:00408A09 52                      push edx

* Reference To: USER32.GetWindowTextA, Ord:0000h
                                 |
:00408A0A FF15B4414100            Call dword ptr [004141B4]
:00408A10 683D040000              push 0000043D
:00408A15 8B4508                  mov eax, dword ptr [ebp+08]
:00408A18 50                      push eax

.....................
...............

* Reference To: USER32.GetWindowTextA, Ord:0000h
                                 |
:00408A4F FF15B4414100            Call dword ptr [004141B4]
                                 ====>取试炼码

:00408A55 8D55FC                  lea edx, dword ptr [ebp-04]
:00408A58 52                      push edx

* Possible StringData Ref from Code Obj ->"          "
                                 |
:00408A59 6868694100              push 00416968
                                 ====>00416968=13572468

:00408A5E E84D320000              call 0040BCB0
                                 ====>连接试炼码和关键字的第一位

:00408A63 83C408                  add esp, 00000008
:00408A66 E860FDFFFF              call 004087CB
                                 ====>关键CALL！进入！

:00408A6B 85C0                    test eax, eax
:00408A6D 7518                    jne 00408A87
                                 ====>不跳则OVER！
.............
.........

:00408A87 C705548C410001000000    mov dword ptr [00418C54], 00000001
:00408A91 6A00                    push 00000000
:00408A93 8B0D70684100            mov ecx, dword ptr [00416870]
:00408A99 51                      push ecx

* Possible Reference to String Resource ID=00001: "?緉vs項?
                                 |
:00408A9A 6A01                    push 00000001
:00408A9C 8B1580954100            mov edx, dword ptr [00419580]
:00408AA2 52                      push edx

* Reference To: USER32.SetTimer, Ord:0000h
                                 |
:00408AA3 FF1560424100            Call dword ptr [00414260]

* Possible StringData Ref from Code Obj ->"          "
                                 |
:00408AA9 6868694100              push 00416968
:00408AAE 68F08B4100              push 00418BF0
:00408AB3 E8C1FBFFFF              call 00408679
                                 ====>保存注册信息！

:00408AB8 83C408                  add esp, 00000008
:00408ABB 85C0                    test eax, eax
:00408ABD 7418                    je 00408AD7
:00408ABF 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"Registration successful"
                                 |
:00408AC1 6894744100              push 00417494

* Possible StringData Ref from Code Obj ->"Registration data saved ok, thank "
                                       ->"you for registering!"
                                 |
:00408AC6 68AC744100              push 004174AC
:00408ACB 8B4508                  mov eax, dword ptr [ebp+08]
:00408ACE 50                      push eax

* Reference To: USER32.MessageBoxA, Ord:0000h
                                 |
:00408ACF FF15BC414100            Call dword ptr [004141BC]
                                 ====>呵呵，胜利女神！
:00408AD5 EB16                    jmp 00408AED

—————————————————————————————————
进入关键CALL：00408A66  call 004087CB

* Referenced by a CALL at Addresses:
|
:004087CB 55                      push ebp
:004087CC 8BEC                    mov ebp, esp
:004087CE 83EC14                  sub esp, 00000014
:004087D1 68648C4100              push 00418C64

* Possible StringData Ref from Code Obj ->"          "
                                 |
:004087D6 6868694100              push 00416968
:004087DB E8B0350000              call 0040BD90
:004087E0 83C408                  add esp, 00000008
:004087E3 85C0                    test eax, eax
:004087E5 7507                    jne 004087EE
:004087E7 33C0                    xor eax, eax
:004087E9 E9BF000000              jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004087E5(C)

* Possible StringData Ref from Code Obj ->"          "
                                 |
:004087EE 6868694100              push 00416968
                                 ====>00416968=13572468[

:004087F3 8D45F0                  lea eax, dword ptr [ebp-10]
:004087F6 50                      push eax
:004087F7 E8A4340000              call 0040BCA0
:004087FC 83C408                  add esp, 00000008
:004087FF 8A4DF6                  mov cl, byte ptr [ebp-0A]
                                 ====>CL=36       取 13572468[ 第7位字符的HEX值

:00408802 884DEC                  mov byte ptr [ebp-14], cl
                                 ====>[ebp-14]=CL

:00408805 C645F600                mov [ebp-0A], 00
:00408809 8D55F0                  lea edx, dword ptr [ebp-10]
                                 ====>EDX=135724   取 13572468[ 前6位

:0040880C 52                      push edx
:0040880D E8B8380000              call 0040C0CA
                                 ====>取135724的16进制值0002122C

:00408812 83C404                  add esp, 00000004
:00408815 8945FC                  mov dword ptr [ebp-04], eax
                                 ====>[ebp-04]=EAX=0002122C

:00408818 0FBE45EC                movsx eax, byte ptr [ebp-14]
                                 ====>EAX=[ebp-14]=36 即：13572468[第7位字符的HEX值

:0040881C 8B0C8530604100          mov ecx, dword ptr [4*eax+00416030]
                                 ====>以第7位字符的HEX值为参数取值
                                 ====>ECX=[4*36+00416030]=[416108]=00040A3F

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[4*eax+00416030]内存中有张不小的表：^O^ ^O^

00416030  C7 AA 01 00 BF 42 08 00 DF 3D 02 00 FA F5 0D 00  仟.緽.?...BF 4
00416040  93 E8 0C 00 C4 FA 06 00 61 B5 03 00 1C E4 08 00  撹..您.a?.?.C4 F
00416050  11 2D 09 00 AC 1A 03 00 0E AC 0D 00 33 FE 06 00  -..?.?.3?.C 1
00416060  5E AC 0E 00 3D 11 02 00 4C 9D 08 00 5D EF 09 00  ^?.=.L?.]?.D 1
00416070  CE 96 03 00 06 59 0C 00 19 95 02 00 69 1B 04 00  螙.Y..?.i. 5
00416080  36 D8 07 00 7B 9A 0B 00 BB C2 09 00 14 4E 0C 00  6?.{?.宦..N..B 9
00416090  DA 56 04 00 8C  06 00 6F C5 07 00 21 A0 04 00  赩.實.o?.!?.8C 8
004160A0  0D D5 01 00 32 34 04 00 68 8C 02 00 95 99 04 00  .?.24.h?.暀.2 3
004160B0  7F E4 0C 00 C6 4E 07 00 3E 1D 0E 00 8B 9D 05 00  ?.芅.>.嫕.6 4
004160C0  B1 32 0F 00 E4 B3 02 00 D4 B5 01 00 EB 2E 06 00  ?.涑.缘.?.E4 B
004160D0  FA 56 0D 00 DA 37 0E 00 EC 86 0E 00 D0 90 0C 00  鶹..?.靻.袗..DA 3
004160E0  C5 49 03 00 2A 49 0A 00 2E B6 09 00 CC 32 0F 00  臝.*I...?.?.A 4
004160F0  38 9A 05 00 5B 94 0C 00 31 68 08 00 B7 24 07 00  8?.[?.1h.?.B 9
00416100  F8 BE 0A 00 31 92 03 00 3F 0A 04 00 A4 CE 09 00  ..1?.?..の..1 9
00416110  7E 96 02 00 74 CB 06 00 69 3A 05 00 2B 5F 09 00  ~?.t?.i:.+_.. C
00416120  1C 50 0D 00 B2 5D 06 00 E1 08 0C 00 30 A2 02 00  P..瞉.?..0?.2 5
…… …… 省略 …… ……

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00408823 3B4DFC                  cmp ecx, dword ptr [ebp-04]
                                 ====>ECX=00040A3F（H）=264767（D）
                                 ====>[ebp-04]=0002122C（H）=135724（D）
                                 ====>因此前6位注册码应是264767

:00408826 7507                    jne 0040882F

* Possible Reference to String Resource ID=00001: "?緉vs項?
                                 |
:00408828 B801000000              mov eax, 00000001
                                 ====>置1则OK！

:0040882D EB7E                    jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408826(C)
|

* Possible StringData Ref from Code Obj ->"          "
                                 |
:0040882F 6868694100              push 00416968
:00408834 8D55F0                  lea edx, dword ptr [ebp-10]
:00408837 52                      push edx
:00408838 E863340000              call 0040BCA0
:0040883D 83C408                  add esp, 00000008
:00408840 8D45F0                  lea eax, dword ptr [ebp-10]
:00408843 50                      push eax
:00408844 E82A390000              call 0040C173
:00408849 83C404                  add esp, 00000004
:0040884C 8A4DF6                  mov cl, byte ptr [ebp-0A]
:0040884F 884DEC                  mov byte ptr [ebp-14], cl
:00408852 C645F600                mov [ebp-0A], 00
:00408856 0FBE55EC                movsx edx, byte ptr [ebp-14]
:0040885A 8B049530604100          mov eax, dword ptr [4*edx+00416030]
:00408861 3B45FC                  cmp eax, dword ptr [ebp-04]
                                 ====>还有机会

:00408864 7507                    jne 0040886D

* Possible Reference to String Resource ID=00001: "?緉vs項?
                                 |
:00408866 B801000000              mov eax, 00000001
                                 ====>置1则OK！

:0040886B EB40                    jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408864(C)

* Possible StringData Ref from Code Obj ->"          "
                                 |
:0040886D 6868694100              push 00416968
:00408872 8D4DF0                  lea ecx, dword ptr [ebp-10]
:00408875 51                      push ecx
:00408876 E825340000              call 0040BCA0
:0040887B 83C408                  add esp, 00000008
:0040887E 8D55F0                  lea edx, dword ptr [ebp-10]
:00408881 52                      push edx
:00408882 E84E380000              call 0040C0D5
:00408887 83C404                  add esp, 00000004
:0040888A 8A45F6                  mov al, byte ptr [ebp-0A]
:0040888D 8845EC                  mov byte ptr [ebp-14], al
:00408890 C645F600                mov [ebp-0A], 00
:00408894 0FBE4DEC                movsx ecx, byte ptr [ebp-14]
:00408898 8B148D30604100          mov edx, dword ptr [4*ecx+00416030]
:0040889F 3B55FC                  cmp edx, dword ptr [ebp-04]
                                 ====>还有机会

:004088A2 7507                    jne 004088AB
                                 ====>跳则OVER！

* Possible Reference to String Resource ID=00001: "?緉vs項?
                                 |
:004088A4 B801000000              mov eax, 00000001
                                 ====>置1则OK！

:004088A9 EB02                    jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004088A2(C)
|
:004088AB 33C0                    xor eax, eax
                                 ====>清0则OVER！爆破点！

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004087E9(U), :0040882D(U), :0040886B(U), :004088A9(U)
|
:004088AD 8BE5                    mov esp, ebp
:004088AF 5D                      pop ebp
:004088B0 C3                      ret
—————————————————————————————————
【算法  总结】：
EAX=第7位字符的HEX值。注册码前6位数字的16进制值应等于[4*eax+00416030]处的值。
—————————————————————————————————
【完美  爆破】：
004088AB 33C0                    xor eax, eax
改为： B001                    mov  al, 01
—————————————————————————————————
【注册信息保存】：
REGEDIT4
[HKEY_CURRENT_USER\Software\Rick Jansen\AutumnLeaves for Windows\Register]
"AutumnLeaves register code"=hex:32,36,34,37,36,37,36,5b,00,00
"AutumnLeaves register name"=hex:66,6c,79,00,b7,c9,00,00,00,00
—————————————————————————————————
【整        理】：
名  字：fly           (Anything)
关键字：[OCN][FCG]    (Anything)
注册码：2647676
名字、关键字无须填，最简单的注册码：109255
呵呵，注册码是很多的 ^O^ ^O^      …… ……

文章评论

查看所有1条评论>>

热门文章 去除winrar注册框方法