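Download page: http://www.skycn.com/soft/1516.html
Size: 442 KB
Language: Simplified Chinese
Category: Chinese software / Shareware / Card and board games
Platform: Win9x/NT/2000/XP
Date added: 2001-01-05 00:00:00
Downloads: 43870
Rating: ****
Developer: http://www.wj2000.50megs.com/
【About the Software】: 80 Points, also known as Tuolaji (Tractor) or Shuangsheng, will be familiar to most people. This game is a fine example of the genre and covers all the variations of declaring trumps, playing, scoring and levelling up. The player can control the trump-declaring process; the computer players use AI card play with several difficulty levels, and you should be able to beat the trial level. The interface is attractive, and you can set the background, the card faces, and the dealing and collecting speed; save and load progress; play background music; and so on.
【Limitation】: Feature-limited
【Author's Statement】: I am new to cracking and do this purely out of interest, with no other purpose. Corrections from the experts are welcome!
【Tools】: TRW2000 (娃娃 modified edition), Ollydbg 1.09, PEiD, W32Dasm 9.0 Platinum edition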
—————————————————————————————————
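【Process】:
Heh, I saw that 透明的 has written a tutorial, so I'll write up the algorithm as well. I'm riding on his coattails; I hope 透明的 doesn't mind?
cents80.exe is not packed. It is written in Borland Delphi. Heh, just the kind of target a newbie like me likes.
I don't understand why the modified W32Dasm 10 fails to disassemble so many of the "references"? I switched to the Platinum edition modified by pll621[CCG].
Serial number: 456
Trial code: 13572468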
—————————————————————————————————
:0045578A 8BC0 mov eax, eax
:0045578C 55 push ebp
:0045578D 8BEC mov ebp, esp
:0045578F 6A00 push 00000000
:00455791 6A00 push 00000000
:00455793 53 push ebx
:00455794 56 push esi
:00455795 57 push edi
:00455796 8BF0 mov esi, eax
:00455798 33C0 xor eax, eax
:0045579A 55 push ebp
:0045579B 68AE584500 push 004558AE
:004557A0 64FF30 push dword ptr fs:[eax]
:004557A3 648920 mov dword ptr fs:[eax], esp
:004557A6 33C0 xor eax, eax
:004557A8 55 push ebp
:004557A9 68D6574500 push 004557D6
:004557AE 64FF30 push dword ptr fs:[eax]
:004557B1 648920 mov dword ptr fs:[eax], esp
:004557B4 8D55F8 lea edx, dword ptr [ebp-08]
:004557B7 8B86EC010000 mov eax, dword ptr [esi+000001EC]
:004557BD E8B690FCFF call 0041E878
====>Get the serial number
:004557C2 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=456
:004557C5 E8B218FBFF call 0040707C
====>Convert the serial number to its value, shown in hexadecimal
:004557CA 8BD8 mov ebx, eax
====>EAX=1C8(H)=456(D)
:004557CC 33C0 xor eax, eax
:004557CE 5A pop edx
:004557CF 59 pop ecx
:004557D0 59 pop ecx
:004557D1 648910 mov dword ptr fs:[eax], edx
:004557D4 EB14 jmp 004557EA
:004557D6 E961DBFAFF jmp 0040333C
:004557DB E800DEFAFF call 004035E0
:004557E0 E9AB000000 jmp 00455890
:004557E5 E8F6DDFAFF call 004035E0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004557D4(U)
|
:004557EA 81FB48890100 cmp ebx, 00018948
====>Is the serial number's hexadecimal value greater than 18948?
:004557F0 7C14 jl 00455806
:004557F2 81FB52890100 cmp ebx, 00018952
:004557F8 7F0C jg 00455806
:004557FA 8D55FC lea edx, dword ptr [ebp-04]
:004557FD 8BC3 mov eax, ebx
:004557FF E890FBFFFF call 00455394
:00455804 EB0A jmp 00455810
====>Jumping away here means it's OVER! Heh
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004557F0(C), :004557F8(C)
|
:00455806 8D55FC lea edx, dword ptr [ebp-04]
:00455809 8BC3 mov eax, ebx
:0045580B E804FCFFFF call 00455414
====>The algorithm CALL! Step in!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455804(U)
|
:00455810 8D55F8 lea edx, dword ptr [ebp-08]
:00455813 8B86F0010000 mov eax, dword ptr [esi+000001F0]
:00455819 E85A90FCFF call 0041E878
:0045581E 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=13572468 the trial code!
:00455821 8B55FC mov edx, dword ptr [ebp-04]
====>EDX=CJBHWRQG the registration code!
:00455824 E87BE6FAFF call 00403EA4
====>The comparison CALL!
:00455829 7554 jne 0045587F
====>If it jumps, it's OVER!
====>Below, the registration information is saved
* Possible StringData Ref from Code Obj ->"wjupgrad.ini"
|
:0045582B B9C4584500 mov ecx, 004558C4
:00455830 B201 mov dl, 01
:00455832 A110A54400 mov eax, dword ptr [0044A510]
:00455837 E8304DFFFF call 0044A56C
:0045583C 8BF0 mov esi, eax
:0045583E 53 push ebx
* Possible StringData Ref from Code Obj ->"SerialNo"
|
:0045583F B9DC584500 mov ecx, 004558DC
* Possible StringData Ref from Code Obj ->"Register"
|
:00455844 BAF0584500 mov edx, 004558F0
:00455849 8BC6 mov eax, esi
:0045584B E8144FFFFF call 0044A764
:00455850 8B45FC mov eax, dword ptr [ebp-04]
:00455853 50 push eax
* Possible StringData Ref from Code Obj ->"Code"
|
:00455854 B904594500 mov ecx, 00455904
* Possible StringData Ref from Code Obj ->"Register"
|
:00455859 BAF0584500 mov edx, 004558F0
:0045585E 8BC6 mov eax, esi
:00455860 E89B4DFFFF call 0044A600
:00455865 A1348D4600 mov eax, dword ptr [00468D34]
:0045586A 8B00 mov eax, dword ptr [eax]
:0045586C C6807716000001 mov byte ptr [eax+00001677], 01
* Possible StringData Ref from Code Obj ->"注册成功"
====>Heh, the goddess of victory! (the string reads "Registration successful")
:00455873 B814594500 mov eax, 00455914
:00455878 E8E73EFEFF call 00439764
:0045587D EB11 jmp 00455890
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455829(C)
|
* Possible StringData Ref from Code Obj ->"注册码不正确"
:0045587F B828594500 mov eax, 00455928
====>BAD BOY!
—————————————————————————————————
Entering the algorithm CALL: 45580B E804FCFFFF call 00455414
* Referenced by a CALL at Addresses:
|:0045580B , :004559B4 , :00456A87
|
:00455414 55 push ebp
:00455415 8BEC mov ebp, esp
:00455417 6A00 push 00000000
:00455419 6A00 push 00000000
:0045541B 6A00 push 00000000
:0045541D 53 push ebx
:0045541E 56 push esi
:0045541F 8BF2 mov esi, edx
:00455421 8BD8 mov ebx, eax
:00455423 33C0 xor eax, eax
:00455425 55 push ebp
:00455426 6887544500 push 00455487
:0045542B 64FF30 push dword ptr fs:[eax]
:0045542E 648920 mov dword ptr fs:[eax], esp
:00455431 8D55FC lea edx, dword ptr [ebp-04]
:00455434 8BC3 mov eax, ebx
====>EAX=EBX=1C8
:00455436 03C0 add eax, eax
Step 1: ====>EAX=1C8 + 1C8=390
:00455438 E8DFFEFFFF call 0045531C
====>Sub-calculation CALL! Produces the first few characters of the registration code
:0045543D FF75FC push [ebp-04]
====>[ebp-04]=CJB
:00455440 8D55F8 lea edx, dword ptr [ebp-08]
:00455443 8BC3 mov eax, ebx
====>EAX=EBX=1C8
:00455445 C1E806 shr eax, 06
Step 2: ====>EAX=1C8 SHR 06=7
:00455448 E8CFFEFFFF call 0045531C
====>Sub-calculation CALL! Produces the middle characters of the registration code
:0045544D FF75F8 push [ebp-08]
====>[ebp-08]=H
:00455450 8D55F4 lea edx, dword ptr [ebp-0C]
:00455453 8BC3 mov eax, ebx
====>EAX=EBX=1C8
:00455455 C1E008 shl eax, 08
Step 3: ====>EAX=1C8 SHL 08=1C800
:00455458 E8BFFEFFFF call 0045531C
====>Sub-calculation CALL! Produces the last few characters of the registration code
:0045545D FF75F4 push [ebp-0C]
====>[ebp-0C]=WRQG
:00455460 8BC6 mov eax, esi
:00455462 BA03000000 mov edx, 00000003
:00455467 E8E8E9FAFF call 00403E54
====>This CALL concatenates the characters produced by the 3 steps above!
:0045546C 33C0 xor eax, eax
:0045546E 5A pop edx
:0045546F 59 pop ecx
:00455470 59 pop ecx
:00455471 648910 mov dword ptr fs:[eax], edx
:00455474 688E544500 push 0045548E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045548C(U)
|
:00455479 8D45F4 lea eax, dword ptr [ebp-0C]
:0045547C BA03000000 mov edx, 00000003
:00455481 E8B6E6FAFF call 00403B3C
:00455486 C3 ret
—————————————————————————————————
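Entering the sub-calculation CALL: 455438 call 0045531C
The three parts all follow the same calculation flow and differ only in their parameter, so I recorded only the first step.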
* Referenced by a CALL at Addresses:
|:004553B9 , :004553C8 , :004553D8 , :00455438 , :00455448
|:00455458
|
:0045531C 55 push ebp
:0045531D 8BEC mov ebp, esp
:0045531F 6A00 push 00000000
:00455321 53 push ebx
:00455322 56 push esi
:00455323 8BF2 mov esi, edx
:00455325 8BD8 mov ebx, eax
:00455327 33C0 xor eax, eax
:00455329 55 push ebp
:0045532A 6885534500 push 00455385
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004552BF(C)
|
:0045532F 64FF30 push dword ptr fs:[eax]
:00455332 648920 mov dword ptr fs:[eax], esp
:00455335 8BC6 mov eax, esi
:00455337 E8DCE7FAFF call 00403B18
:0045533C 85DB test ebx, ebx
:0045533E 7E2F jle 0045536F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045536D(C)
|
:00455340 8BC3 mov eax, ebx
====>EAX=EBX=390
:00455342 B91A000000 mov ecx, 0000001A
====>ECX=1A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004552D1(C)
|
:00455347 99 cdq
:00455348 F7F9 idiv ecx
====>Loop taking the value modulo 1A until the quotient is 0!
1. ====>EDX=390 % 1A=2
2. ====>EDX=23 % 1A=9
3. ====>EDX=1 % 1A=1
:0045534A 83C241 add edx, 00000041
====>Add 41 to the remainder
1. ====>EDX=2 + 41=43, i.e. the character C
2. ====>EDX=9 + 41=4A, i.e. the character J
3. ====>EDX=1 + 41=42, i.e. the character B
:0045534D 8D45FC lea eax, dword ptr [ebp-04]
:00455350 E867E9FAFF call 00403CBC
:00455355 8B55FC mov edx, dword ptr [ebp-04]
:00455358 8BC6 mov eax, esi
:0045535A E83DEAFAFF call 00403D9C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455309(C)
|
:0045535F 8BC3 mov eax, ebx
:00455361 B91A000000 mov ecx, 0000001A
:00455366 99 cdq
:00455367 F7F9 idiv ecx
====>Loop dividing by 1A to get the quotient!
1. ====>EDX=390 / 1A=23
2. ====>EDX=23 / 1A=1
3. ====>EDX=1 / 1A=0
:00455369 8BD8 mov ebx, eax
====>The quotient goes into EBX for the next modulo step!
:0045536B 85DB test ebx, ebx
:0045536D 7FD1 jg 00455340
====>Loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045533E(C)
|
:0045536F 33C0 xor eax, eax
:00455371 5A pop edx
:00455372 59 pop ecx
:00455373 59 pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455305(C)
|
:00455374 648910 mov dword ptr fs:[eax], edx
:00455377 688C534500 push 0045538C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045538A(U)
|
:0045537C 8D45FC lea eax, dword ptr [ebp-04]
:0045537F E894E7FAFF call 00403B18
:00455384 C3 ret
—————————————————————————————————
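【Algorithm Summary】:
1. Convert the serial number entered by the user to its hexadecimal value.
2. Take the square of the serial number's hexadecimal value and repeatedly reduce it modulo 1A until the quotient is 0, adding 41 to each remainder.
3. Take the serial number's hexadecimal value logically shifted right by 6 bits and repeatedly reduce it modulo 1A until the quotient is 0, adding 41 to each remainder.
4. Take the serial number's hexadecimal value logically shifted left by 8 bits and repeatedly reduce it modulo 1A until the quotient is 0, adding 41 to each remainder.
5. The characters from the 3 calculations above, concatenated, are the registration code.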
—————————————————————————————————
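【Perfect Patch】:
0045581E 8B45F8 mov eax, dword ptr [ebp-08]
Change to: 8B45FC mov eax, dword ptr [ebp-04]
Heh, this pairs up nicely with 00455821 just below! Let the real registration code be compared against the real registration code, and how could it not be OK?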
—————————————————————————————————
【KeyMake {56th} Memory Keygen】:
Breakpoint address: 455824
Break count: 1
First byte: E8
Instruction length: 5
Memory mode: EDX
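Added example, not part of the original write-up or of the game's code: the settings above work because the program derives the valid code itself and holds it in EDX at the compare call at 00455824. The sketch below shows the alternative design in which the client only verifies a vendor signature over the serial number, so the expected code never exists in its memory; the key (two small Mersenne primes), the textbook RSA construction and every function name are constructed for illustration, and a shipping product would use a vetted signature library instead.

```python
import hashlib

# Constructed demo key: two Mersenne primes, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # public modulus, embedded in the program
E = 65537                            # public exponent, embedded in the program
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept by the vendor only

HEX_DIGITS = set("0123456789abcdef")


def serial_digest(serial: str) -> int:
    """Hash the serial number to an integer smaller than the modulus."""
    raw = hashlib.sha256(serial.encode("ascii")).digest()
    return int.from_bytes(raw, "big") % N


def vendor_issue_code(serial: str) -> str:
    """Vendor side: sign the serial number with the private exponent."""
    return format(pow(serial_digest(serial), D, N), "x")


def client_verify(serial: str, code: str) -> bool:
    """Client side: uses only (N, E) and never computes the valid code."""
    if not code or any(ch not in HEX_DIGITS for ch in code):
        return False                 # reject anything that is not lowercase hex
    sig = int(code, 16)
    if sig >= N:
        return False                 # out-of-range values cannot be signatures
    return pow(sig, E, N) == serial_digest(serial)


if __name__ == "__main__":
    issued = vendor_issue_code("456")                # serial used in this write-up
    print(client_verify("456", issued))              # genuine pair
    print(client_verify("457", issued))              # code issued for another serial
    print(client_verify("456", "CJBHWRQG"))          # code from the old scheme
```

A check built this way still ends in a conditional branch, so it closes the code-derivation path but not the branch patch described under 【Perfect Patch】.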
—————————————————————————————————
【Where the Registration Information Is Saved】:
In the file wjupgrad.ini under C:\WINDOWS:
[Register]
SerialNo=456
Code=CJBHWRQG
—————————————————————————————————
【Summary】:
Serial number: 456
Registration code: CJBHWRQG
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-4-13 18:18