【软件类别】:国外软件 / 共享版 / 文件管理 【开 发 商】http://www.lightlink.com/ym/chkfiles.htm 【破解过程】:用Fi2.45检查,VC 5.0编写,无壳。于是用W32Dasm反汇编后查找错误信息,找到关键点如下:
【破解过程】: :00408483 E8017B0100 call 0041FF89 :00408488 8BC8 mov ecx, eax :0040848A E8217C0100 call 004200B0 /* 取用户名位数 */ :0040848F 85C0 test eax, eax :00408491 7518 jne 004084AB :00408493 50 push eax
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :00408494 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"You need to enter a user name." | :00408499 6828ED4200 push 0042ED28 :0040849E 8BCE mov ecx, esi :004084A0 E87DA20100 call 00422722 :004084A5 5F pop edi :004084A6 5E pop esi :004084A7 83C420 add esp, 00000020 :004084AA C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00408491(C) | :004084AB 83F814 cmp eax, 00000014 /* 用户名是否在20位以内? */ :004084AE 7E19 jle 004084C9 :004084B0 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :004084B2 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"The user name must be 20 characters " ->"or less." | :004084B7 68F8EC4200 push 0042ECF8 :004084BC 8BCE mov ecx, esi :004084BE E85FA20100 call 00422722 :004084C3 5F pop edi :004084C4 5E pop esi :004084C5 83C420 add esp, 00000020 :004084C8 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004084AE(C) | :004084C9 8D44240C lea eax, dword ptr [esp+0C] :004084CD 6A17 push 00000017 :004084CF 50 push eax
* Possible Reference to Dialog: DialogID_0087, CONTROL_ID:040F, "" | :004084D0 680F040000 push 0000040F :004084D5 8BCE mov ecx, esi :004084D7 E8AD7A0100 call 0041FF89 :004084DC 8BC8 mov ecx, eax :004084DE E8CD7B0100 call 004200B0 /* 取试炼码位数 */ :004084E3 85C0 test eax, eax :004084E5 7518 jne 004084FF :004084E7 50 push eax
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :004084E8 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"You need to enter a registration " ->"number." | :004084ED 68CCEC4200 push 0042ECCC :004084F2 8BCE mov ecx, esi :004084F4 E829A20100 call 00422722 :004084F9 5F pop edi :004084FA 5E pop esi :004084FB 83C420 add esp, 00000020 :004084FE C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004084E5(C) | :004084FF 8D4C2408 lea ecx, dword ptr [esp+08] :00408503 8D54240C lea edx, dword ptr [esp+0C] /* 取试炼码地址 */ :00408507 51 push ecx
* Possible StringData Ref from Data Obj ->"%lu" | :00408508 6854E24200 push 0042E254 :0040850D 52 push edx :0040850E E8AD100000 call 004095C0 /* 判断试炼码是否全是数字,若是则转为16进制,不是则给出错误信息 */ :00408513 83C40C add esp, 0000000C :00408516 83F801 cmp eax, 00000001 :00408519 7419 je 00408534 :0040851B 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :0040851D 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"You need to enter a valid registration " ->"number." | :00408522 689CEC4200 push 0042EC9C :00408527 8BCE mov ecx, esi :00408529 E8F4A10100 call 00422722 :0040852E 5F pop edi :0040852F 5E pop esi :00408530 83C420 add esp, 00000020 :00408533 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00408519(C) | :00408534 8B442408 mov eax, dword ptr [esp+08] /* 16进制值送eax */ :00408538 85C0 test eax, eax :0040853A 7519 jne 00408555 :0040853C 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :0040853E 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"You need to enter a valid registartion " ->"number." | :00408543 686CEC4200 push 0042EC6C :00408548 8BCE mov ecx, esi :0040854A E8D3A10100 call 00422722 :0040854F 5F pop edi :00408550 5E pop esi :00408551 83C420 add esp, 00000020 :00408554 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040853A(C) | :00408555 68282D4300 push 00432D28 /* 用户名地址入栈 */ :0040855A E8A18AFFFF call 00401000 /* 算法call */ :0040855F 8B4C240C mov ecx, dword ptr [esp+0C] :00408563 83C404 add esp, 00000004 :00408566 3BC8 cmp ecx, eax /* 关键比较 */ :00408568 7419 je 00408583 /* 一定要跳 */ :0040856A 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :0040856C 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"Sorry, this registration number " ->"is not valid." | :00408571 683CEC4200 push 0042EC3C :00408576 8BCE mov ecx, esi :00408578 E8A5A10100 call 00422722 :0040857D 5F pop edi :0040857E 5E pop esi :0040857F 83C420 add esp, 00000020 :00408582 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00408568(C) | * Possible StringData Ref from Data Obj ->"ww" | :00408583 68FCE34200 push 0042E3FC
* Possible StringData Ref from Data Obj ->"chkfiles.ser" | :00408588 685CE24200 push 0042E25C :0040858D E86E120000 call 00409800 :00408592 8BF8 mov edi, eax :00408594 83C408 add esp, 00000008 :00408597 85FF test edi, edi :00408599 7439 je 004085D4 :0040859B 8B442408 mov eax, dword ptr [esp+08] :0040859F 50 push eax :004085A0 68282D4300 push 00432D28
* Possible StringData Ref from Data Obj ->"%s%lu" :004085A5 6834EC4200 push 0042EC34 :004085AA 57 push edi :004085AB E870120000 call 00409820 :004085B0 83C410 add esp, 00000010 :004085B3 83F8FF cmp eax, FFFFFFFF :004085B6 741C je 004085D4 :004085B8 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :004085BA 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"Thank you for registering." | :004085BF 6818EC4200 push 0042EC18 :004085C4 8BCE mov ecx, esi :004085C6 E857A10100 call 00422722 :004085CB C605202D430001 mov byte ptr [00432D20], 01 :004085D2 EB13 jmp 004085E7
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:00408599(C), :004085B6(C) | :004085D4 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"CheckFiles Registration" | :004085D6 6848ED4200 push 0042ED48
* Possible StringData Ref from Data Obj ->"Error writing registration file." | :004085DB 68F4EB4200 push 0042EBF4 :004085E0 8BCE mov ecx, esi :004085E2 E83BA10100 call 00422722
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004085D2(U) | :004085E7 57 push edi :004085E8 E873080000 call 00408E60 :004085ED 83C404 add esp, 00000004 :004085F0 8BCE mov ecx, esi :004085F2 E8394B0100 call 0041D130 :004085F7 5F pop edi :004085F8 5E pop esi :004085F9 83C420 add esp, 00000020 :004085FC C3 ret ___________________________________________________________ 算法call: :00401000 53 push ebx :00401001 55 push ebp :00401002 8B6C240C mov ebp, dword ptr [esp+0C] :00401006 56 push esi :00401007 57 push edi :00401008 8BFD mov edi, ebp :0040100A 83C9FF or ecx, FFFFFFFF :0040100D 33C0 xor eax, eax :0040100F F2 repnz :00401010 AE scasb :00401011 F7D1 not ecx :00401013 49 dec ecx /* 这里取得用户名长度 */ :00401014 8BC1 mov eax, ecx :00401016 8BD8 mov ebx, eax :00401018 7452 je 0040106C :0040101A 83F814 cmp eax, 00000014 :0040101D 7F4D jg 0040106C :0040101F 7D1D jge 0040103E :00401021 B914000000 mov ecx, 00000014 :00401026 8D3C28 lea edi, dword ptr [eax+ebp] :00401029 2BC8 sub ecx, eax :0040102B B820202020 mov eax, 20202020 :00401030 8BD1 mov edx, ecx :00401032 C1E902 shr ecx, 02 :00401035 F3 repz :00401036 AB stosd /* 上面这段指令用0x20将未满20位的用户名补足20位 */ :00401037 8BCA mov ecx, edx :00401039 83E103 and ecx, 00000003 :0040103C F3 repz :0040103D AA stosb
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040101F(C) | :0040103E BE322DFB21 mov esi, 21FB2D32 :00401043 B929197C6B mov ecx, 6B7C1929 /* 以上是两个计算关键值 */ :00401048 33D2 xor edx, edx /* edx清零 */
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040105F(C) | :0040104A 33C0 xor eax, eax /* eax清零 */ :0040104C 8A042A mov al, byte ptr [edx+ebp] /* 依次取用户名的每一位 */ :0040104F 0FAFC1 imul eax, ecx /* eax=eax*ecx */ :00401052 03F0 add esi, eax /* esi=eax+esi */ :00401054 42 inc edx /* edx++ */ :00401055 83FA14 cmp edx, 00000014 /* 20位是否都算完? */ :00401058 8D8C092106471E lea ecx, dword ptr [ecx+ecx+1E470621] /* ecx=ecx*2+1E470621 */ :0040105F 7CE9 jl 0040104A /* 未满20位则返回继续运算 */ :00401061 C6042B00 mov byte ptr [ebx+ebp], 00 :00401065 8BC6 mov eax, esi /* 运算结果作为返回值送出 */ :00401067 5F pop edi :00401068 5E pop esi :00401069 5D pop ebp :0040106A 5B pop ebx :0040106B C3 ret
【整 理】: 用户名:cyclotron 注册码:101258879
【注册信息存放】: 主目录下chkfiles.ser
【Turbo C 注册机】: #include "stdio.h" #include "string.h" void main() {char regname[21]; unsigned long regcode=0x21FB2D32,ecx=0x6B7C1929; int i,length; printf("\t*******************************************************************\n\n"); printf("\t\tKeyGen for CheckFiles V1.5\n\t\t\tProduced by cyclotron\n\n"); printf("\t*******************************************************************\n\n"); do {printf("\n\tPlease input your Regname(less than or equal to 20):"); length=strlen(gets(regname)); } while(!length||length>20); for(i=length;i<20;i++) regname[i]=0x20; for(i=0;i<20;i++) {regcode+=regname[i]*ecx; ecx=ecx*2+0x1E470621; } printf("\n\tYour Regcode is:\t%lu\n",regcode); printf("\n\tThank you for your use!\n"); getchar(); }
|
|
查看所有0条评论>>