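Software name: xxxx Management V6.56
Download address: http://www.skycn.com/
【Crack statement】: I am only interested in cracking and have no other purpose. This write-up is for research use only; please do not follow it to produce pirated copies.
【Crack tool】: TRW2000
-------------------
【Process】:
Set the breakpoint: bpx hmemcpy
This quickly leads to the following code: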
0167:006172F2 8BF0           MOV ESI,EAX
0167:006172F4 8D55F4         LEA EDX,[EBP-0C]
0167:006172F7 8B8348030000   MOV EAX,[EBX+0348]
0167:006172FD E83E93E6FF     CALL 00480640
0167:00617302 8B45F4         MOV EAX,[EBP-0C]
0167:00617305 50             PUSH EAX
0167:00617306 8D45F0         LEA EAX,[EBP-10]
0167:00617309 E8BA5FEFFF     CALL 0050D2C8
0167:0061730E 8B45F0         MOV EAX,[EBP-10]          //EAX = machine code
0167:00617311 E81AFFFFFF     CALL 00617230             //the computation inside this CALL is the same as in CALL2 below
0167:00617316 B90A000000     MOV ECX,0A                //ECX=10(0xA)
0167:0061731B 33D2           XOR EDX,EDX
0167:0061731D F7F1           DIV ECX                   //divide by ECX
0167:0061731F 8BCA           MOV ECX,EDX               //move the remainder
0167:00617321 8BD6           MOV EDX,ESI
0167:00617323 58             POP EAX
0167:00617324 E85734EFFF     CALL 0050A780             //key CALL1
0167:00617329 84C0           TEST AL,AL
0167:0061732B 7468           JZ 00617395
0167:0061732D 8D55EC         LEA EDX,[EBP-14]
-------------------//Key CALL1//-------------------
..part omitted..
0167:0050A95C 8D45C4         LEA EAX,[EBP-3C]
0167:0050A95F E864290000     CALL 0050D2C8
0167:0050A964 8B4DC4         MOV ECX,[EBP-3C]
0167:0050A967 8D45C8         LEA EAX,[EBP-38]
0167:0050A96A 8B55FC         MOV EDX,[EBP-04]
0167:0050A96D E81EA0EFFF     CALL 00404990             //concatenate the user name, machine code and remainder
0167:0050A972 8B45C8         MOV EAX,[EBP-38]          //string "jxtour"&"673-0-0-387F9FF"&"remainder"
0167:0050A975 E8E2F8FFFF     CALL 0050A25C             //key CALL2
0167:0050A97A 3BD8           CMP EBX,EAX
0167:0050A97C 7404           JZ 0050A982               //if the registration code is wrong, it is all over!
0167:0050A97E 33C0           XOR EAX,EAX
0167:0050A980 EB02           JMP SHORT 0050A984
0167:0050A982 B001           MOV AL,01
0167:0050A984 8BD8           MOV EBX,EAX
0167:0050A986 E9B0000000     JMP 0050AA3B
0167:0050A98B 85DB           TEST EBX,EBX
..part omitted..
-------------------//Key CALL2//-------------------
0167:0050A25C 55             PUSH EBP
0167:0050A25D 8BEC           MOV EBP,ESP
0167:0050A25F 51             PUSH ECX
0167:0050A260 53             PUSH EBX
0167:0050A261 8945FC         MOV [EBP-04],EAX
0167:0050A264 8B45FC         MOV EAX,[EBP-04]
0167:0050A267 E8C8A8EFFF     CALL 00404B34
0167:0050A26C 33C0           XOR EAX,EAX
0167:0050A26E 55             PUSH EBP
0167:0050A26F 68CBA25000     PUSH DWORD 0050A2CB
0167:0050A274 64FF30         PUSH DWORD [FS:EAX]
0167:0050A277 648920         MOV [FS:EAX],ESP
0167:0050A27A 8B45FC         MOV EAX,[EBP-04]
0167:0050A27D E8C2A6EFFF     CALL 00404944
0167:0050A282 33D2           XOR EDX,EDX               //set EDX to 0
0167:0050A284 8BC8           MOV ECX,EAX
0167:0050A286 85C9           TEST ECX,ECX
0167:0050A288 7629           JNA 0050A2B3
0167:0050A28A B801000000     MOV EAX,01
0167:0050A28F 8D1492         LEA EDX,[EDX+EDX*4]       //EDX starts at 0
0167:0050A292 8D1492         LEA EDX,[EDX+EDX*4]
0167:0050A295 8B5DFC         MOV EBX,[EBP-04]          //fetch the string "jxtour673-0-0-387F9FF"
0167:0050A298 0FB65C03FF     MOVZX EBX,BYTE [EBX+EAX-01] //take the ASCII code one character at a time
0167:0050A29D 03D3           ADD EDX,EBX               //add it to edx
0167:0050A29F 8B5DFC         MOV EBX,[EBP-04]          //fetch the string "jxtour673-0-0-387F9FF"
0167:0050A2A2 0FB65C03FF     MOVZX EBX,BYTE [EBX+EAX-01] //take the ASCII code one character at a time
0167:0050A2A7 6BDB0D         IMUL EBX,EBX,BYTE +0D     //ebx=ebx*0xD
0167:0050A2AA C1E314         SHL EBX,14                //ebx=ebx*2^14 (the 14 is hex, 0x14)
0167:0050A2AD 33D3           XOR EDX,EBX               //edx=edx xor ebx
0167:0050A2AF 40             INC EAX                   //counter plus one
0167:0050A2B0 49             DEC ECX                   //length minus one
0167:0050A2B1 75DC           JNZ 0050A28F              //not finished, jump back into the loop
0167:0050A2B3 8BDA           MOV EBX,EDX               //result goes to EBX; ?ebx shows the real registration code!
0167:0050A2B5 33C0           XOR EAX,EAX
0167:0050A2B7 5A             POP EDX
0167:0050A2B8 59             POP ECX
0167:0050A2B9 59             POP ECX
0167:0050A2BA 648910         MOV [FS:EAX],EDX
0167:0050A2BD 68D2A25000     PUSH DWORD 0050A2D2
0167:0050A2C2 8D45FC         LEA EAX,[EBP-04]
0167:0050A2C5 E8BAA3EFFF     CALL 00404684

The keygen code for this algorithm is omitted!