Download: http://www.zizi.8u8.com/soft/autumnleaves.zip
【Software limitation】: feature-limited
【Author's statement】: I am new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!
【Tools used】: TRW2000 (Wawa modified edition), Ollydbg 1.09, pe-scan, W32Dasm 9.0 Platinum edition
—————————————————————————————————
【Procedure】:

Autumn: do the autumn wind and autumn rain fill one with sorrow? No! Look: colourful autumn leaves drift across your desktop, along with ripe, smiling pumpkins, and two little squirrels come hopping in... This is splendid autumn, the splendid "AutumnLeaves".

The address above serves the Chinese-localized version; the localizer may have re-packed it.

AutumnLeaves.exe is packed with PECompact 1.4; unpack it with pe-scan. 173K -> 872K. Written in VC++ 6.0.

Name: fly
Keyword: [OCN][FCG]
Trial code: 13572468
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004089D9(C)

* Possible Reference to String Resource ID=01080
|
:004089ED 6838040000            push 00000438
:004089F2 8B4D08                mov ecx, dword ptr [ebp+08]
:004089F5 51                    push ecx

* Reference To: USER32.GetDlgItem, Ord:0000h
|
:004089F6 FF15E0414100          Call dword ptr [004141E0]
                                ====>get the user name
:004089FC 8945F4                mov dword ptr [ebp-0C], eax
:004089FF 6A63                  push 00000063
:00408A01 68F08B4100            push 00418BF0
                                ====>00418BF0=fly
:00408A06 8B55F4                mov edx, dword ptr [ebp-0C]
:00408A09 52                    push edx

* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:00408A0A FF15B4414100          Call dword ptr [004141B4]
:00408A10 683D040000            push 0000043D
:00408A15 8B4508                mov eax, dword ptr [ebp+08]
:00408A18 50                    push eax
.....................
...............

* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:00408A4F FF15B4414100          Call dword ptr [004141B4]
                                ====>get the trial code
:00408A55 8D55FC                lea edx, dword ptr [ebp-04]
:00408A58 52                    push edx

* Possible StringData Ref from Code Obj ->" "
|
:00408A59 6868694100            push 00416968
                                ====>00416968=13572468
:00408A5E E84D320000            call 0040BCB0
                                ====>concatenates the trial code with the first character of the keyword
:00408A63 83C408                add esp, 00000008
:00408A66 E860FDFFFF            call 004087CB
                                ====>the key CALL! Step into it!
:00408A6B 85C0                  test eax, eax
:00408A6D 7518                  jne 00408A87
                                ====>if this does not jump, it is OVER!
.............
.........
:00408A87 C705548C410001000000  mov dword ptr [00418C54], 00000001
:00408A91 6A00                  push 00000000
:00408A93 8B0D70684100          mov ecx, dword ptr [00416870]
:00408A99 51                    push ecx

* Possible Reference to String Resource ID=00001
|
:00408A9A 6A01                  push 00000001
:00408A9C 8B1580954100          mov edx, dword ptr [00419580]
:00408AA2 52                    push edx

* Reference To: USER32.SetTimer, Ord:0000h
|
:00408AA3 FF1560424100          Call dword ptr [00414260]

* Possible StringData Ref from Code Obj ->" "
|
:00408AA9 6868694100            push 00416968
:00408AAE 68F08B4100            push 00418BF0
:00408AB3 E8C1FBFFFF            call 00408679
                                ====>saves the registration information!
:00408AB8 83C408                add esp, 00000008
:00408ABB 85C0                  test eax, eax
:00408ABD 7418                  je 00408AD7
:00408ABF 6A00                  push 00000000

* Possible StringData Ref from Code Obj ->"Registration successful"
|
:00408AC1 6894744100            push 00417494

* Possible StringData Ref from Code Obj ->"Registration data saved ok, thank "
                                        ->"you for registering!"
|
:00408AC6 68AC744100            push 004174AC
:00408ACB 8B4508                mov eax, dword ptr [ebp+08]
:00408ACE 50                    push eax

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00408ACF FF15BC414100          Call dword ptr [004141BC]
                                ====>heh, the goddess of victory!
:00408AD5 EB16                  jmp 00408AED
—————————————————————————————————
Stepping into the key CALL: 00408A66 call 004087CB

* Referenced by a CALL at Addresses:
|
:004087CB 55                    push ebp
:004087CC 8BEC                  mov ebp, esp
:004087CE 83EC14                sub esp, 00000014
:004087D1 68648C4100            push 00418C64

* Possible StringData Ref from Code Obj ->" "
|
:004087D6 6868694100            push 00416968
:004087DB E8B0350000            call 0040BD90
:004087E0 83C408                add esp, 00000008
:004087E3 85C0                  test eax, eax
:004087E5 7507                  jne 004087EE
:004087E7 33C0                  xor eax, eax
:004087E9 E9BF000000            jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004087E5(C)

* Possible StringData Ref from Code Obj ->" "
|
:004087EE 6868694100            push 00416968
                                ====>00416968=13572468[
:004087F3 8D45F0                lea eax, dword ptr [ebp-10]
:004087F6 50                    push eax
:004087F7 E8A4340000            call 0040BCA0
:004087FC 83C408                add esp, 00000008
:004087FF 8A4DF6                mov cl, byte ptr [ebp-0A]
                                ====>CL=36, the HEX value of the 7th character of 13572468[
:00408802 884DEC                mov byte ptr [ebp-14], cl
                                ====>[ebp-14]=CL
:00408805 C645F600              mov [ebp-0A], 00
:00408809 8D55F0                lea edx, dword ptr [ebp-10]
                                ====>EDX=135724, the first 6 characters of 13572468[
:0040880C 52                    push edx
:0040880D E8B8380000            call 0040C0CA
                                ====>converts 135724 to its hexadecimal value 0002122C
:00408812 83C404                add esp, 00000004
:00408815 8945FC                mov dword ptr [ebp-04], eax
                                ====>[ebp-04]=EAX=0002122C
:00408818 0FBE45EC              movsx eax, byte ptr [ebp-14]
                                ====>EAX=[ebp-14]=36, i.e. the HEX value of the 7th character of 13572468[
:0040881C 8B0C8530604100        mov ecx, dword ptr [4*eax+00416030]
                                ====>fetches a value using the HEX value of the 7th character as the index
                                ====>ECX=[4*36+00416030]=[416108]=00040A3F

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
There is a fairly large table in memory at [4*eax+00416030]: ^O^ ^O^

…… …… omitted …… ……
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00408823 3B4DFC                cmp ecx, dword ptr [ebp-04]
                                ====>ECX=00040A3F(H)=264767(D)
                                ====>[ebp-04]=0002122C(H)=135724(D)
                                ====>so the first 6 digits of the registration code should be 264767
:00408826 7507                  jne 0040882F

* Possible Reference to String Resource ID=00001
|
:00408828 B801000000            mov eax, 00000001
                                ====>set to 1 means OK!
:0040882D EB7E                  jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408826(C)
|
* Possible StringData Ref from Code Obj ->" "
|
:0040882F 6868694100            push 00416968
:00408834 8D55F0                lea edx, dword ptr [ebp-10]
:00408837 52                    push edx
:00408838 E863340000            call 0040BCA0
:0040883D 83C408                add esp, 00000008
:00408840 8D45F0                lea eax, dword ptr [ebp-10]
:00408843 50                    push eax
:00408844 E82A390000            call 0040C173
:00408849 83C404                add esp, 00000004
:0040884C 8A4DF6                mov cl, byte ptr [ebp-0A]
:0040884F 884DEC                mov byte ptr [ebp-14], cl
:00408852 C645F600              mov [ebp-0A], 00
:00408856 0FBE55EC              movsx edx, byte ptr [ebp-14]
:0040885A 8B049530604100        mov eax, dword ptr [4*edx+00416030]
:00408861 3B45FC                cmp eax, dword ptr [ebp-04]
                                ====>another chance
:00408864 7507                  jne 0040886D

* Possible Reference to String Resource ID=00001
|
:00408866 B801000000            mov eax, 00000001
                                ====>set to 1 means OK!
:0040886B EB40                  jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408864(C)

* Possible StringData Ref from Code Obj ->" "
|
:0040886D 6868694100            push 00416968
:00408872 8D4DF0                lea ecx, dword ptr [ebp-10]
:00408875 51                    push ecx
:00408876 E825340000            call 0040BCA0
:0040887B 83C408                add esp, 00000008
:0040887E 8D55F0                lea edx, dword ptr [ebp-10]
:00408881 52                    push edx
:00408882 E84E380000            call 0040C0D5
:00408887 83C404                add esp, 00000004
:0040888A 8A45F6                mov al, byte ptr [ebp-0A]
:0040888D 8845EC                mov byte ptr [ebp-14], al
:00408890 C645F600              mov [ebp-0A], 00
:00408894 0FBE4DEC              movsx ecx, byte ptr [ebp-14]
:00408898 8B148D30604100        mov edx, dword ptr [4*ecx+00416030]
:0040889F 3B55FC                cmp edx, dword ptr [ebp-04]
                                ====>another chance
:004088A2 7507                  jne 004088AB
                                ====>if this jumps, it is OVER!

* Possible Reference to String Resource ID=00001
|
:004088A4 B801000000            mov eax, 00000001
                                ====>set to 1 means OK!
:004088A9 EB02                  jmp 004088AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004088A2(C)
|
:004088AB 33C0                  xor eax, eax
                                ====>cleared to 0 means OVER! This is the patch point!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004087E9(U), :0040882D(U), :0040886B(U), :004088A9(U)
|
:004088AD 8BE5                  mov esp, ebp
:004088AF 5D                    pop ebp
:004088B0 C3                    ret
—————————————————————————————————
【Algorithm summary】:

EAX = the HEX value of the 7th character. The hexadecimal value of the first 6 digits of the registration code must equal the value stored at [4*eax+00416030].
—————————————————————————————————
【Perfect patch】:

004088AB 33C0 xor eax, eax
Change to: B001 mov al, 01
—————————————————————————————————
【Where the registration data is saved】:

REGEDIT4

[HKEY_CURRENT_USER\Software\Rick Jansen\AutumnLeaves for Windows\Register]
"AutumnLeaves register code"=hex:32,36,34,37,36,37,36,5b,00,00
"AutumnLeaves register name"=hex:66,6c,79,00,b7,c9,00,00,00,00
—————————————————————————————————
【Summary】:

Name: fly (Anything)
Keyword: [OCN][FCG] (Anything)
Registration code: 2647676

The name and keyword do not need to be filled in; the simplest registration code is 109255.
Heh, there are plenty of registration codes ^O^ ^O^