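Software name: Publish-iT v2.4b - Super Print Factory
Software language: English
Software type: Featured software / Graphics / Image processing
Operating environment: WinXP, Win2000, WinME
Software size: 1.62 MB
Date listed: 2003-4-4
Software description
This program helps you produce professional-grade newspapers, brochures, flyers and other publications. It combines the strengths of a word processor, a graphics editor and page-layout software. You can easily lay out your text and add any pictures you like. The "Master Page" feature gives your publication a consistent look.
Download: http://www.ttdown.com/SoftView_3663.ht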
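[Tool]: OllyDbg 1.09, Chinese edition
[Process]:
Heh, let's get started! My skill level is low and many things may be poorly expressed, so corrections from everyone are welcome!
Load and run the program in OllyDbg, enter the trial registration code 789456 in the registration box (the program says only 5~6 digits are needed), then set
bpx GetDlgItemTextA. Shortly after pressing OK you arrive here: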
00453AF4 CALL DWORD PTR DS:[<&USER32.GetDlgIt>
; \GetDlgItemTextA <--- breakpoint
00453AFA PUSH Publish.00495BD0 ; ASCII "FARKEL"
00453AFF LEA EAX, [LOCAL.20] ; EAX<--0012E47C,(ASCII "789456")
00453B02 PUSH EAX
00453B03 CALL Publish.0047CB30 <--- is it the dead registration code "FARKEL"?
F8 ----------->
|
0047CB30 MOV EDX, DWORD PTR SS:[ESP+4]
; EDX<--0012E47C,(ASCII "789456")
0047CB34 MOV ECX, DWORD PTR SS:[ESP+8] ; 00495BD0 ASCII "FARKEL"
0047CB38 TEST EDX, 3
0047CB3E JNZ SHORT Publish.0047CB7C
0047CB40 /MOV EAX, DWORD PTR DS:[EDX]
0047CB42 |CMP AL, BYTE PTR DS:[ECX]
0047CB44 |JNZ SHORT Publish.0047CB74
0047CB46 |OR AL, AL
0047CB48 |JE SHORT Publish.0047CB70
0047CB4A |CMP AH, BYTE PTR DS:[ECX+1]
0047CB4D |JNZ SHORT Publish.0047CB74
0047CB4F |OR AH, AH
0047CB51 |JE SHORT Publish.0047CB70
0047CB53 |SHR EAX, 10
0047CB56 |CMP AL, BYTE PTR DS:[ECX+2]
0047CB59 |JNZ SHORT Publish.0047CB74
0047CB5B |OR AL, AL
0047CB5D |JE SHORT Publish.0047CB70
0047CB5F |CMP AH, BYTE PTR DS:[ECX+3]
0047CB62 |JNZ SHORT Publish.0047CB74
0047CB64 |ADD ECX, 4
0047CB67 |ADD EDX, 4
0047CB6A |OR AH, AH
0047CB6C \JNZ SHORT Publish.0047CB40 ; the loop above compares character by character
0047CB6E MOV EAX, EAX
0047CB70 XOR EAX, EAX <-- set flag to 0
0047CB72 RETN
0047CB73 NOP
0047CB74 SBB EAX, EAX
0047CB76 SHL EAX, 1
0047CB78 INC EAX <-- set flag to non-zero
0047CB79 RETN
Return <-----------------
|
00453B08 ADD ESP, 8
00453B0B TEST EAX, EAX <-- test the result
00453B0D JNZ SHORT Publish.00453B35
00453B0F MOV WORD PTR DS:[49E280], 0
00453B18 MOV BYTE PTR DS:[49E2F8], 0
00453B1F PUSH 0 ; /Result = 0
00453B21 MOV ECX, [ARG.1] ; |
00453B24 PUSH ECX ; |hWnd
00453B25 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00453B2B MOV EAX, 1
00453B30 JMP Publish.00453D24
00453B35 XOR EDX, EDX
00453B37 MOV DL, BYTE PTR DS:[49E2F8]
00453B3D TEST EDX, EDX
00453B3F JE SHORT Publish.00453B62
00453B41 MOVSX EAX, WORD PTR DS:[49E280]
00453B48 TEST EAX, EAX
00453B4A JE SHORT Publish.00453B62
00453B4C PUSH 0 ; /Result = 0
00453B4E MOV ECX, [ARG.1] ; |
00453B51 PUSH ECX ; |hWnd
00453B52 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00453B58 MOV EAX, 1
00453B5D JMP Publish.00453D24
00453B62 CMP DWORD PTR DS:[4A00B4], 8
00453B69 JLE SHORT Publish.00453BA3
00453B6B MOV EDX, DWORD PTR DS:[4A00B4]
00453B71 ADD EDX, 1
00453B74 MOV DWORD PTR DS:[4A00B4], EDX
00453B7A PUSH 0AF ; /Arg2 = 000000AF
00453B7F MOV EAX, DWORD PTR DS:[49F0F4] ; |
00453B84 PUSH EAX ; |Arg1 => 01310236
00453B85 CALL Publish.00461D70 ; \Publish.00461D70
00453B8A ADD ESP, 8
00453B8D PUSH 0 ; /Result = 0
00453B8F MOV ECX, [ARG.1] ; |
00453B92 PUSH ECX ; |hWnd
00453B93 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00453B99 MOV EAX, 1
00453B9E JMP Publish.00453D24
00453BA3 MOV BYTE PTR SS:[EBP-56], 0
The code above jumps here:
|
00453BA7 LEA EDX, [LOCAL.23]
00453BAA PUSH EDX
00453BAB LEA EAX, [LOCAL.20] ; EAX<--0012E47C,(ASCII "789456")
00453BAE PUSH EAX
00453BAF CALL Publish.00453EC2 ; uses the trial code to look up values in tables: "789456"-->"6i56bm"
// I don't know what this string is for; please take a look, everyone.
F8 --------->
|
00453F3B MOV EDX, [ARG.1] ; EDX<--0012E47C,(ASCII "789456")
00453F3E MOVSX EAX, BYTE PTR DS:[EDX+3] ; EAX<--DS:[EDX+3]=34 ('4'), the 4th character
00453F42 MOVSX ECX, BYTE PTR DS:[EAX+495930]; ECX=DS:[EAX+495930]=39 ('9')
00453F49 SUB ECX, 3
00453F4C MOV EDX, [ARG.2]
00453F4F MOV BYTE PTR DS:[EDX], CL ; CL=36 ('6')
00453F51 MOV EAX, [ARG.1] ; EAX<--0012E47C,(ASCII "789456")
00453F54 MOVSX ECX, BYTE PTR DS:[EAX] ; ECX<--DS:[EAX]=37 ('7'), the 1st character
00453F57 MOVSX EDX, BYTE PTR DS:[ECX+495900] ; EDX=DS:[ECX+495900]=68 ('h')
00453F5E ADD EDX, 1
00453F61 MOV EAX, [ARG.2]
00453F64 MOV BYTE PTR DS:[EAX+1], DL ; DL=69 ('i')
00453F67 MOV ECX, [ARG.1] ; ECX<--0012E47C,(ASCII "789456")
00453F6A MOVSX EDX, BYTE PTR DS:[ECX+1] ; EDX=DS:[ECX+1]=38 ('8')
00453F6E MOVSX EAX, BYTE PTR DS:[EDX+495910] ; EAX=DS:[EDX+495910]=34 ('4')
00453F75 ADD EAX, 1
00453F78 MOV ECX, [ARG.2]
00453F7B MOV BYTE PTR DS:[ECX+2], AL ; AL=35 ('5')
00453F7E MOV EDX, [ARG.1] ; EDX<--0012E47C,(ASCII "789456")
00453F81 MOVSX EAX, BYTE PTR DS:[EDX+2] ; EAX=DS:[EDX+2]=39 ('9')
00453F85 MOVSX ECX, BYTE PTR DS:[EAX+495920] ; ECX=DS:[EAX+495920]=32 ('2')
00453F8C ADD ECX, 4
00453F8F MOV EDX, [ARG.2]
00453F92 MOV BYTE PTR DS:[EDX+3], CL ; CL=36 ('6')
00453F95 MOV EAX, [ARG.1] ; EAX<--0012E47C,(ASCII "789456")
00453F98 MOVSX ECX, BYTE PTR DS:[EAX+5] ; ECX=DS:[EAX+5]=36 ('6')
00453F9C MOVSX EDX, BYTE PTR DS:[ECX+495950]; EDX=DS:[ECX+495950]=64 ('d')
00453FA3 SUB EDX, 2
00453FA6 MOV EAX, [ARG.2]
00453FA9 MOV BYTE PTR DS:[EAX+4], DL ; DL=62 ('b')
00453FAC MOV ECX, [ARG.1] ; ECX<--0012E47C,(ASCII "789456")
00453FAF MOVSX EDX, BYTE PTR DS:[ECX+4] ; EDX=DS:[ECX+4]=35 ('5')
00453FB3 MOVSX EAX, BYTE PTR DS:[EDX+495940]; EAX=DS:[EDX+495940]=68 ('h')
00453FBA ADD EAX, 5
00453FBD MOV ECX, [ARG.2]
00453FC0 MOV BYTE PTR DS:[ECX+5], AL ; AL=6D ('m')
00453FC3 POP EBP
00453FC4 RETN
--------------
|
Memory data:
00495930 61 7A 78 62 6B 69 67 68 azxbkigh
00495938 73 71 62 00 00 00 00 00 sqb.....
00495940 73 68 65 69 70 79 35 33 sheipy53
00495948 34 67 78 00 00 00 00 00 4gx.....
00495950 6C 6B 6A 76 64 71 64 72 lkjvdqdr
00495958 62 32 36 00 00 00 00 00 b26.....
00495960 77 69 78 35 39 71 61 63 wix59qac
00495968 66 67 65 00 00 00 00 00 fge.....
00495970 70 34 63 6B 71 68 62 6F p4ckqhbo
00495978 62 62 79 00 00 00 00 00 bby.....
00495980 38 32 6E 63 74 71 64 61 82nctqda
00495988 76 69 64 00 52 63 00 00 vid.Rc..
Return <-----------------
|
00453BB4 ADD ESP, 8
00453BB7 LEA ECX, [LOCAL.20] ; ECX<--0012E47C,(ASCII "789456")
00453BBA PUSH ECX
00453BBB CALL Publish.0047E160 <--- convert it to hexadecimal
F8 -------------->
|
0047E0C0 PUSH EBX
0047E0C1 PUSH EBP
0047E0C2 PUSH ESI
0047E0C3 PUSH EDI
0047E0C4 MOV EDI, DWORD PTR SS:[ESP+14] ; EDI<--0012E47C,(ASCII "789456")
0047E0C8 /CMP DWORD PTR DS:[49A664], 1
0047E0CF |JLE SHORT Publish.0047E0E2
0047E0D1 |XOR EAX, EAX
0047E0D3 |PUSH 8
0047E0D5 |MOV AL, BYTE PTR DS:[EDI]
0047E0D7 |PUSH EAX
0047E0D8 |CALL Publish.00485230
0047E0DD |ADD ESP, 8
0047E0E0 |JMP SHORT Publish.0047E0F2
0047E0E2 |MOV EDX, DWORD PTR DS:[49A458] ; Publish.0049A462
0047E0E8 |XOR ECX, ECX
0047E0EA |MOV CL, BYTE PTR DS:[EDI]
; CL=DS:[EDI]=37 ('7') <-- first character of the trial code
0047E0EC |MOV AL, BYTE PTR DS:[EDX+ECX*2]
; AL=DS:[EDX+ECX*2]=84 EDX=49A462* ECX=37
0047E0EF |AND EAX, 8
0047E0F2 |TEST EAX, EAX
0047E0F4 |JE SHORT Publish.0047E0F9
0047E0F6 |INC EDI
0047E0F7 \JMP SHORT Publish.0047E0C8
0047E0F9 XOR EAX, EAX
0047E0FB MOV AL, BYTE PTR DS:[EDI] ; AL=DS:[EDI]=37 ('7')
0047E0FD INC EDI
0047E0FE MOV ESI, EAX
0047E100 CMP ESI, 2D
0047E103 MOV EBP, ESI
0047E105 JE SHORT Publish.0047E10C
0047E107 CMP ESI, 2B
0047E10A JNZ SHORT Publish.0047E113
0047E10C XOR ECX, ECX
0047E10E MOV CL, BYTE PTR DS:[EDI]
0047E110 INC EDI
0047E111 MOV ESI, ECX
0047E113 XOR EBX, EBX
0047E115 /CMP DWORD PTR DS:[49A664], 1
0047E11C |JLE SHORT Publish.0047E12B
0047E11E |PUSH 4
0047E120 |PUSH ESI
0047E121 |CALL Publish.00485230
0047E126 |ADD ESP, 8
0047E129 |JMP SHORT Publish.0047E137
0047E12B |MOV EDX, DWORD PTR DS:[49A458] ; Publish.0049A462
0047E131 |MOV AL, BYTE PTR DS:[EDX+ESI*2]
0047E134 |AND EAX, 4
0047E137 |TEST EAX, EAX
0047E139 |JE SHORT Publish.0047E14B ; ensures the registration code is numeric
0047E13B |LEA EAX, DWORD PTR DS:[EBX+EBX*4]
0047E13E |XOR ECX, ECX
0047E140 |MOV CL, BYTE PTR DS:[EDI] ; CL=DS:[EDI]=38 ('8')
0047E142 |INC EDI
0047E143 |LEA EBX, DWORD PTR DS:[ESI+EAX*2-30]; EBX=DS:[ESI+EAX*2-30]=07...|==C0BD0
0047E147 |MOV ESI, ECX // convert it to hexadecimal
0047E149 \JMP SHORT Publish.0047E115 // conversion method: previous digits * A + next digit
0047E14B CMP EBP, 2D
0047E14E MOV EAX, EBX
0047E150 JNZ SHORT Publish.0047E154
0047E152 NEG EAX
0047E154 POP EDI
0047E155 POP ESI
0047E156 POP EBP
0047E157 POP EBX
0047E158 RETN
Memory contents at Publish.0049A462:
|
0049A460 20 00 20 00 20 00 . . .
0049A468 20 00 20 00 20 00 20 00 . . . .
0049A470 20 00 20 00 28 00 28 00 . .(.(.
0049A478 28 00 28 00 28 00 20 00 (.(.(. .
0049A480 20 00 20 00 20 00 20 00 . . . .
0049A488 20 00 20 00 20 00 20 00 . . . .
0049A490 20 00 20 00 20 00 20 00 . . . .
0049A498 20 00 20 00 20 00 20 00 . . . .
0049A4A0 20 00 48 00 10 00 10 00 .H...
0049A4A8 10 00 10 00 10 00 10 00 ....
0049A4B0 10 00 10 00 10 00 10 00 ....
0049A4B8 10 00 10 00 10 00 10 00 ....
0049A4C0 10 00 84 00 84 00 84 00 .???
0049A4C8 84 00 84 00 84 00 84 00 ????
0049A4D0 84 00 84 00 84 00 10 00 ???.
0049A4D8 10 00 10 00 10 00 10 00 ....
0049A4E0 10 00 10 00 81 00 81 00 ..??
0049A4E8 81 00 81 00 81 00 81 00 ????
0049A4F0 01 00 01 00 01 00 01 00 ....
0049A4F8 01 00 01 00 01 00 01 00 ....
0049A500 01 00 01 00 01 00 01 00 ....
0049A508 01 00 01 00 01 00 01 00 ....
0049A510 01 00 01 00 01 00 01 00 ....
0049A518 10 00 10 00 10 00 10 00 ....
0049A520 10 00 10 00 82 00 82 00 ..??
0049A528 82 00 82 00 82 00 82 00 ????
0049A530 02 00 02 00 02 00 02 00 ....
0049A538 02 00 02 00 02 00 02 00 ....
0049A540 02 00 02 00 02 00 02 00 ....
0049A548 02 00 02 00 02 00 02 00 ....
0049A550 02 00 02 00 02 00 02 00 ....
0049A558 10 00 10 00 10 00 10 00 ....
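Summary of the calculation above: the range of values allowed in the registration code
1. In the first comparison loop, the hex value of each character of the string from the second calculation, multiplied by 2, is used as an index into the table in memory starting at 0049A460. The value found is ANDed with 8; if the result is 0, execution moves on to the second comparison loop.
2. The second comparison loop uses the hex value of each character of the string from the second calculation, multiplied by 2, as an index into the table in memory starting at 0049A460. The value found is ANDed with 4; if the result is 0, it is OVER. In other words, the table value AND 4 must not be 0.
Working through the table starting at 0049A460 shows that ten values, the '84' entries, satisfy the condition. The first 84 is at offset 60h, so the hex value of a character of the string from the second calculation ranges from 60/2=30 to 3A, i.e. the characters of that string range over 0~9.
(The above is a standard pattern.)
This ensures that the registration code is numeric.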
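The two table-driven loops summarised above have the shape of a C runtime `atoi`: skip whitespace, accept a sign, then accumulate decimal digits. The following C sketch is an added example, not code from the original write-up or from the program; the names `tab`, `entry` and `table_atoi` are hypothetical, the flag values are those of MSVC's `<ctype.h>`, and the table is rebuilt only for ASCII so that it matches the dump.

```c
#include <stdio.h>

/* Flag bits of the 16-bit table entries; the values are those of MSVC <ctype.h>. */
enum { F_UPPER = 0x01, F_LOWER = 0x02, F_DIGIT = 0x04, F_SPACE = 0x08,
       F_PUNCT = 0x10, F_CNTRL = 0x20, F_BLANK = 0x40, F_HEX = 0x80 };

static unsigned short tab[128];  /* one 16-bit entry per character: the *2 index */

/* Rebuild the ASCII half of the table so that it matches the dump. */
static void build_tab(void)
{
    int c;
    for (c = 0; c < 128; c++) {
        unsigned short f = 0;
        if (c < 0x20 || c == 0x7F)  f = F_CNTRL;                 /* 20 00 */
        if (c >= 0x09 && c <= 0x0D) f = F_CNTRL | F_SPACE;       /* 28 00 */
        if (c == ' ')               f = F_SPACE | F_BLANK;       /* 48 00 */
        if (c >= '0' && c <= '9')   f = F_DIGIT | F_HEX;         /* 84 00 */
        if (c >= 'A' && c <= 'Z')   f = F_UPPER | (c <= 'F' ? F_HEX : 0);
        if (c >= 'a' && c <= 'z')   f = F_LOWER | (c <= 'f' ? F_HEX : 0);
        if (f == 0)                 f = F_PUNCT;                 /* 10 00 */
        tab[c] = f;
    }
}

/* Raw table entry for c (0 outside ASCII, which this sketch does not model). */
unsigned entry(int c)
{
    if (tab['0'] == 0) build_tab();
    return (c >= 0 && c < 128) ? tab[c] : 0;
}

long table_atoi(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    long total = 0;
    int c, sign;

    while (entry(*p) & F_SPACE) p++;     /* first loop, 0047E0C8: AND EAX, 8 */
    c = sign = *p++;                     /* EBP keeps the sign character */
    if (c == '-' || c == '+') c = *p++;  /* CMP ESI, 2D / CMP ESI, 2B */
    while (entry(c) & F_DIGIT) {         /* second loop, 0047E115: AND EAX, 4 */
        total = 10 * total + (c - '0');  /* LEA EBX,[ESI+EAX*2-30] with EAX=EBX*5 */
        c = *p++;
    }
    return sign == '-' ? -total : total; /* NEG EAX at 0047E152 */
}

int main(void)
{
    /* Constructed inputs: the write-up's trial code plus edge cases. */
    const char *samples[] = { "789456", "  -42", "12ab", "FARKEL", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %ld\n", samples[i], table_atoi(samples[i]));
    printf("entry('7') = %02X, entry(' ') = %02X\n", entry('7'), entry(' '));
    return 0;
}
```

Recognising a routine like this as library code lets an analyst label it once and skip re-tracing it at every call site; the value C0BD0 that appears later in the trace is simply 789456 in hexadecimal.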
Return <------------
|
00453BC0 ADD ESP, 4
00453BC3 MOV [LOCAL.24], EAX ; EAX=C0BD0 <-- the trial code converted to hexadecimal
00453BC6 MOV EDX, [LOCAL.24] ; EDX=C0BD0 <-- the trial code converted to hexadecimal
00453BC9 ADD EDX, 3D0C09
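; EDX=C0BD0+3D0C09=4917D9 (first transformation of the registration code)
00453BCF PUSH EDX
00453BD0 CALL Publish.00453D2A <--- comparison part 1 (the check for removing the 21-day limit)
00453BD5 ADD ESP, 4
00453BD8 AND EAX, 0FF <--- take the low byte
00453BDD TEST EAX, EAX <--- branch according to the flag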
00453BDF JE SHORT Publish.00453C20
00453BE1 CALL Publish.00453FC5
00453BE6 ADD EAX, 15B30
00453BEB MOV DWORD PTR DS:[49EFF8], EAX
00453BF0 MOV WORD PTR DS:[49E280], 1
00453BF9 PUSH 8167
00453BFE MOV EAX, [ARG.1]
00453C01 PUSH EAX
00453C02 CALL Publish.00461D8E <--- message that the 21-day limit has been removed
00453C07 ADD ESP, 8
00453C0A PUSH 0
00453C0C MOV ECX, [ARG.1]
00453C0F PUSH ECX
00453C10 CALL DWORD PTR DS:[<&USER32.EndDialog>]
00453C16 MOV EAX, 1
00453C1B JMP Publish.00453D24
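00453C20 MOV EDX, [LOCAL.24] ; EDX=C0BD0 <-- the trial code converted to hexadecimal
00453C23 ADD EDX, 3D0A43
; EDX=C0BD0+3D0A43= (second transformation of the registration code)
00453C29 PUSH EDX ; EDX= 491613
00453C2A CALL Publish.00453D2A <--- comparison part 2 (the check for removing the 21-day limit)
00453C2F ADD ESP, 4
00453C32 AND EAX, 0FF <--- take the low byte
00453C37 TEST EAX, EAX <--- branch according to the flag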
00453C39 JE SHORT Publish.00453C81
00453C3B MOV BYTE PTR DS:[49E2F8], 1
00453C42 CALL Publish.00453FC5
00453C47 ADD EAX, 15194
00453C4C MOV DWORD PTR DS:[49EFF8], EAX
00453C51 MOV WORD PTR DS:[49E280], 1
00453C5A PUSH 8168
00453C5F MOV EAX, [ARG.1]
00453C62 PUSH EAX
00453C63 CALL Publish.00461D8E <--- "registration successful" message box
00453C68 ADD ESP, 8
00453C6B PUSH 0
00453C6D MOV ECX, [ARG.1]
00453C70 PUSH ECX
00453C71 CALL DWORD PTR DS:[<&USER32.EndDialog>]
00453C77 MOV EAX, 1
00453C7C JMP Publish.00453D24
00453C81 MOV EDX, [LOCAL.24] ; EDX=C0BD0 <-- the trial code converted to hexadecimal
00453C84 ADD EDX, 3D09A7
; EDX=C0BD0+3D09A7 (third transformation of the registration code)
00453C8A PUSH EDX ; EDX= 00491577
00453C8B CALL Publish.00453D2A <--- comparison part 3 (the Pro version check)
00453C90 ADD ESP, 4
00453C93 AND EAX, 0FF <--- take the low byte
00453C98 TEST EAX, EAX <--- branch according to the flag
00453C9A JE SHORT Publish.00453D03
00453C9C MOVSX EAX, WORD PTR DS:[49E280]
00453CA3 CMP EAX, 1
00453CA6 JE SHORT Publish.00453CC0 <--- branch according to the flag
00453CA8 PUSH 8169
00453CAD MOV ECX, [ARG.1]
00453CB0 PUSH ECX
00453CB1 CALL Publish.00461D8E <---OVER
00453CB6 ADD ESP, 8
00453CB9 MOV EAX, 1
00453CBE JMP SHORT Publish.00453D24
00453CC0 MOV BYTE PTR DS:[49E2F8], 1
00453CC7 CALL Publish.00453FC5
00453CCC ADD EAX, 15194
00453CD1 MOV DWORD PTR DS:[49EFF8], EAX
00453CD6 MOV WORD PTR DS:[49E280], 1
00453CDF PUSH 8168
00453CE4 MOV EDX, [ARG.1]
00453CE7 PUSH EDX
00453CE8 CALL Publish.00461D8E <--- Pro version "registration successful" message box
00453CED ADD ESP, 8
00453CF0 PUSH 0
00453CF2 MOV EAX, [ARG.1]
00453CF5 PUSH EAX
00453CF6 CALL DWORD PTR DS:[<&USER32.EndDialog>]
00453CFC MOV EAX, 1
00453D01 JMP SHORT Publish.00453D24
00453D03 PUSH 0AF
00453D08 MOV ECX, DWORD PTR DS:[49F0F4]
00453D0E PUSH ECX
00453D0F CALL Publish.00461D70 <---OVER
00453D14 ADD ESP, 8
00453D17 MOV EAX, 1
00453D1C JMP SHORT Publish.00453D24
00453D1E XOR EAX, EAX
00453D20 JMP SHORT Publish.00453D24
00453D22 XOR EAX, EAX
00453D24 MOV ESP, EBP
00453D26 POP EBP
00453D27 RETN 10
====================================================
CALL Publish.00453D2A <--- the important part: the calculation and the comparison with the registration code
|
00453D2A PUSH EBP
00453D2B MOV EBP, ESP
00453D2D SUB ESP, 14
00453D30 CALL Publish.00453DF2
F8 ---------->
|
00453DF2 PUSH EBP
00453DF3 MOV EBP, ESP
00453DF5 SUB ESP, 10
00453DF8 MOV [LOCAL.4], 0
00453DFF MOV [LOCAL.3], 0
00453E06 JMP SHORT Publish.00453E11
00453E08 /MOV EAX, [LOCAL.3]
00453E0B |ADD EAX, 1
00453E0E |MOV [LOCAL.3], EAX
00453E11 CMP [LOCAL.3], 0C
00453E15 |JGE SHORT Publish.00453E49
00453E17 |PUSH 3
00453E19 |MOV ECX, [LOCAL.3]
00453E1C |MOV EDX, DWORD PTR DS:[ECX*4+495BD8]
00453E23 |PUSH EDX
00453E24 |PUSH Publish.004958E8 ; ASCII "Apr 8 2003"
00453E29 |CALL Publish.0047B4A0
00453E2E |ADD ESP, 0C
00453E31 |TEST EAX, EAX
00453E33 |JNZ SHORT Publish.00453E37
00453E35 |JMP SHORT Publish.00453E49
00453E37 |MOV EAX, [LOCAL.3]
00453E3A |MOV ECX, [LOCAL.4]
00453E3D |ADD ECX, DWORD PTR DS:[EAX*4+495900]
00453E44 |MOV [LOCAL.4], ECX
00453E47 \JMP SHORT Publish.00453E08
00453E49 PUSH Publish.004958EC ; ASCII " 8 2003"
00453E4E CALL Publish.0047E160 ; EAX=8 EBX=68CA38
00453E53 ADD ESP, 4
00453E56 MOV EDX, [LOCAL.4] ; EDX=5A
00453E59 ADD EDX, EAX ; EDX=5A+8=62
00453E5B MOV [LOCAL.4], EDX
00453E5E PUSH Publish.004958EE ; ASCII " 2003"
00453E63 CALL Publish.0047E160 ; convert "2003" to hexadecimal
00453E68 ADD ESP, 4
00453E6B SUB EAX, 7B2 ; EAX=7D3-7B2=21
00453E70 MOV [LOCAL.1], EAX ; EAX=21
00453E73 MOV EAX, [LOCAL.1] ; EAX=21
00453E76 IMUL EAX, EAX, 16D ; EAX=21*16D=2F0D
00453E7C MOV ECX, [LOCAL.4] ; ECX=62
00453E7F ADD ECX, EAX ; ECX=2F0D+62=2F6F
00453E81 MOV EAX, [LOCAL.1] ; EAX=21
00453E84 CDQ
00453E85 AND EDX, 3
00453E88 ADD EAX, EDX
00453E8A SAR EAX, 2 ; EAX=8
00453E8D ADD ECX, EAX ; ECX=2F6F+8=2F77
00453E8F MOV [LOCAL.4], ECX ; ECX=2F6F+8=2F77
00453E92 MOV EDX, [LOCAL.4] ; EDX=2F6F+8=2F77
00453E95 SUB EDX, 1
00453E98 IMUL EDX, EDX, 18 ; EDX=2F76*18=
00453E9B IMUL EDX, EDX, 0E10 ; EDX=47310*E10=
00453EA1 MOV [LOCAL.4], EDX ; EDX=3E92110
00453EA4 LEA EAX, [LOCAL.2]
00453EA7 PUSH EAX
00453EA8 CALL Publish.0047C6A0
00453EAD ADD ESP, 4
00453EB0 MOV ECX, [LOCAL.2] ; ECX=3E96D071
00453EB3 CMP ECX, [LOCAL.4] ; SS:[12E42C]=3E921100
00453EB6 JGE SHORT Publish.00453EBC
00453EB8 XOR AL, AL
00453EBA JMP SHORT Publish.00453EBE
00453EBC MOV AL, 1
00453EBE MOV ESP, EBP
00453EC0 POP EBP
00453EC1 RETN
This call performs a calculation on the ASCII string "Apr 8 2003".
Return <-----------
|
00453D35 AND EAX, 0FF
00453D3A TEST EAX, EAX
00453D3C JNZ SHORT Publish.00453D45
00453D3E XOR AL, AL
00453D40 JMP Publish.00453DEE
00453D45 LEA EAX, [LOCAL.1]
00453D48 PUSH EAX
00453D49 CALL Publish.0047C6A0 <---- computes parameters and stores them at specific memory addresses
00453D4E ADD ESP, 4
00453D51 LEA ECX, [LOCAL.1]
00453D54 PUSH ECX
00453D55 CALL Publish.0047E170 <---- computes parameters and stores them at specific memory addresses
00453D5A ADD ESP, 4
00453D5D MOV [LOCAL.4], EAX ; EAX=4A1EC0
00453D60 MOV EDX, [LOCAL.4] ; EDX=4A1EC0
00453D63 MOV EAX, DWORD PTR DS:[EDX+1C]
00453D66 CDQ
00453D67 MOV ECX, 7
00453D6C IDIV ECX
00453D6E ADD EAX, 1
00453D71 MOV [LOCAL.3], EAX
00453D74 MOV EDX, [LOCAL.4]
00453D77 MOV EAX, DWORD PTR DS:[EDX+14] ; EAX=67 ('g')
00453D7A MOV ECX, [LOCAL.3]
00453D7D LEA EDX, DWORD PTR DS:[EAX+ECX*4+76C]
; EDX=80F <--- the base parameter of the calculation (obtained from the computation above)
00453D84 MOV [LOCAL.2], EDX
00453D87 MOV EAX, [LOCAL.2]
00453D8A IMUL EAX, [LOCAL.2]
00453D8E MOV [LOCAL.5], EAX ; EAX=40F0E1
00453D91 MOV ECX, [LOCAL.2] ; ECX=80F
00453D94 IMUL ECX, [LOCAL.2] ; ECX=ECX*ECX
00453D98 CMP [ARG.1], ECX
; SS:[12E460]=4917D9 <-- value computed from the trial code; ECX=40F0E1 (first fixed value)
00453D9B JNZ SHORT Publish.00453DA1
00453D9D MOV AL, 1 <--- set the success flag
00453D9F JMP SHORT Publish.00453DEE
00453DA1 MOV EDX, [LOCAL.2]
00453DA4 ADD EDX, 4 ; EDX=80F+4=813
00453DA7 MOV [LOCAL.2], EDX
00453DAA MOV EAX, [LOCAL.2]
00453DAD IMUL EAX, [LOCAL.2] ; EAX=EAX*EAX
00453DB1 CMP [ARG.1], EAX
; SS:[12E460]=4917D9 <-- value computed from the trial code; EAX=413169 (second fixed value)
00453DB4 JNZ SHORT Publish.00453DBA
00453DB6 MOV AL, 1 <--- set the success flag
00453DB8 JMP SHORT Publish.00453DEE
00453DBA MOV ECX, [LOCAL.2]
00453DBD SUB ECX, 8 ; ECX=813-8=80B
00453DC0 MOV [LOCAL.2], ECX
00453DC3 MOV EDX, [LOCAL.2]
00453DC6 IMUL EDX, [LOCAL.2] ; EDX=EDX*EDX
00453DCA CMP [ARG.1], EDX
; SS:[12E460]=4917D9 <-- value computed from the trial code; EDX=40B079 (third fixed value)
00453DCD JNZ SHORT Publish.00453DD3
00453DCF MOV AL, 1 <--- set the success flag
00453DD1 JMP SHORT Publish.00453DEE
00453DD3 MOV EAX, [LOCAL.2]
00453DD6 SUB EAX, 4 ; EAX=80D-4=809
00453DD9 MOV [LOCAL.2], EAX
00453DDC MOV ECX, [LOCAL.2]
00453DDF IMUL ECX, [LOCAL.2] ; ECX=ECX*ECX
00453DE3 CMP [ARG.1], ECX
; SS:[12E460]=4917D9 <-- value computed from the trial code; ECX=407031 (fourth fixed value)
00453DE6 JNZ SHORT Publish.00453DEC
00453DE8 MOV AL, 1 <--- set the success flag
00453DEA JMP SHORT Publish.00453DEE
00453DEC XOR AL, AL
00453DEE MOV ESP, EBP
00453DF0 POP EBP
00453DF1 RETN
****************************************
Below is where the base parameter is computed. It is too complex, but the value obtained is fixed, so it is not analysed here.
|
0047C742 |> 8B5424 00 MOV EDX, DWORD PTR SS:[ESP]
0047C746 |. 8B4C24 04 MOV ECX, DWORD PTR SS:[ESP+4]
0047C74A |. 8915 C81B4A00 MOV DWORD PTR DS:[4A1BC8], EDX
0047C750 |. 8B5424 08 MOV EDX, DWORD PTR SS:[ESP+8]
0047C754 |. 890D CC1B4A00 MOV DWORD PTR DS:[4A1BCC], ECX
0047C75A |. 8B4C24 0C MOV ECX, DWORD PTR SS:[ESP+C]
0047C75E |. A3 C01B4A00 MOV DWORD PTR DS:[4A1BC0], EAX
0047C763 |. 8915 D01B4A00 MOV DWORD PTR DS:[4A1BD0], EDX
0047C769 |. 890D D41B4A00 MOV DWORD PTR DS:[4A1BD4], ECX
0047C76F |> 8B5424 1C MOV EDX, DWORD PTR SS:[ESP+1C]
0047C773 |. 8B4C24 18 MOV ECX, DWORD PTR SS:[ESP+18]
0047C777 |. 50 PUSH EAX
0047C778 |. 8B4424 1E MOV EAX, DWORD PTR SS:[ESP+1E]
0047C77C |. 81E2 FFFF0000 AND EDX, 0FFFF
0047C782 |. 25 FFFF0000 AND EAX, 0FFFF
0047C787 |. 52 PUSH EDX
0047C788 |. 8B5424 1E MOV EDX, DWORD PTR SS:[ESP+1E]
0047C78C |. 81E1 FFFF0000 AND ECX, 0FFFF
0047C792 |. 50 PUSH EAX
0047C793 |. 8B4424 1E MOV EAX, DWORD PTR SS:[ESP+1E]
0047C797 |. 51 PUSH ECX
0047C798 |. 8B4C24 20 MOV ECX, DWORD PTR SS:[ESP+20]
0047C79C |. 81E2 FFFF0000 AND EDX, 0FFFF
0047C7A2 |. 25 FFFF0000 AND EAX, 0FFFF
0047C7A7 |. 52 PUSH EDX
0047C7A8 |. 81E1 FFFF0000 AND ECX, 0FFFF
0047C7AE |. 50 PUSH EAX
0047C7AF |. 51 PUSH ECX
0047C7B0 |. E8 1B810000 CALL Publish.004848D0
0047C7B5 |. 8B8C24 EC0000>MOV ECX, DWORD PTR SS:[ESP+EC]
0047C7BC |. 83C4 1C ADD ESP, 1C
0047C7BF |. 85C9 TEST ECX, ECX
0047C7C1 |. 74 02 JE SHORT Publish.0047C7C5
0047C7C3 |. 8901 MOV DWORD PTR DS:[ECX], EAX
0047C7C5 |> 81C4 CC000000 ADD ESP, 0CC
0047C7CB \. C3 RETN
00487330 /$ 53 PUSH EBX
00487331 |. 8B5C24 08 MOV EBX, DWORD PTR SS:[ESP+8]
00487335 |. 56 PUSH ESI
00487336 |. 33F6 XOR ESI, ESI
00487338 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
0048733A |. 85C9 TEST ECX, ECX
0048733C |. 7D 05 JGE SHORT Publish.00487343
0048733E |. 33C0 XOR EAX, EAX
00487340 |. 5E POP ESI
00487341 |. 5B POP EBX
00487342 |. C3 RETN
00487343 |> B8 792D0311 MOV EAX, 11032D79
00487348 |. 57 PUSH EDI
00487349 |. F7E9 IMUL ECX
0048734B |. C1FA 17 SAR EDX, 17
0048734E |. 8BC2 MOV EAX, EDX
00487350 |. 55 PUSH EBP
00487351 |. C1E8 1F SHR EAX, 1F
00487354 |. 03D0 ADD EDX, EAX
00487356 |. 8BC2 MOV EAX, EDX
00487358 |. 69C0 80E079F8 IMUL EAX, EAX, F879E080
0048735E |. 03C8 ADD ECX, EAX
00487360 |. 8D0495 460000>LEA EAX, DWORD PTR DS:[EDX*4+46]
00487367 |. 81F9 8033E101 CMP ECX, 1E13380
0048736D |. 7C 2C JL SHORT Publish.0048739B
0048736F |. 81E9 8033E101 SUB ECX, 1E13380
00487375 |. 40 INC EAX
00487376 |. 81F9 8033E101 CMP ECX, 1E13380
0048737C |. 7C 1D JL SHORT Publish.0048739B
0048737E |. 81E9 8033E101 SUB ECX, 1E13380
00487384 |. 40 INC EAX
00487385 |. 81F9 0085E201 CMP ECX, 1E28500
0048738B |. 7C 09 JL SHORT Publish.00487396
0048738D |. 40 INC EAX
0048738E |. 81E9 0085E201 SUB ECX, 1E28500
00487394 |. EB 05 JMP SHORT Publish.0048739B
00487396 |> BE 01000000 MOV ESI, 1
0048739B |> A3 D41E4A00 MOV DWORD PTR DS:[4A1ED4], EAX
004873A0 |. B8 07452EC2 MOV EAX, C22E4507
004873A5 |. F7E9 IMUL ECX
004873A7 |. 8BC2 MOV EAX, EDX
004873A9 |. BF F0A94900 MOV EDI, Publish.0049A9F0
004873AE |. 03C1 ADD EAX, ECX
004873B0 |. C1F8 10 SAR EAX, 10
004873B3 |. 8BD0 MOV EDX, EAX
004873B5 |. C1EA 1F SHR EDX, 1F
004873B8 |. 03C2 ADD EAX, EDX
004873BA |. 8BD0 MOV EDX, EAX
004873BC |. A3 DC1E4A00 MOV DWORD PTR DS:[4A1EDC], EAX
004873C1 |. C1E2 04 SHL EDX, 4
004873C4 |. 2BD0 SUB EDX, EAX
004873C6 |. F7DA NEG EDX
004873C8 |. 8D1492 LEA EDX, DWORD PTR DS:[EDX+EDX*4]
004873CB |. 8D14D2 LEA EDX, DWORD PTR DS:[EDX+EDX*8]
004873CE |. C1E2 07 SHL EDX, 7
004873D1 |. 03CA ADD ECX, EDX
004873D3 |. 85F6 TEST ESI, ESI
004873D5 |. 75 05 JNZ SHORT Publish.004873DC
004873D7 |. BF 28AA4900 MOV EDI, Publish.0049AA28
004873DC |> 8B6F 04 MOV EBP, DWORD PTR DS:[EDI+4]
004873DF |. 8D77 04 LEA ESI, DWORD PTR DS:[EDI+4]
004873E2 |. 3BE8 CMP EBP, EAX
004873E4 |. BA 01000000 MOV EDX, 1
004873E9 |. 7D 0B JGE SHORT Publish.004873F6
004873EB |> 8B6E 04 /MOV EBP, DWORD PTR DS:[ESI+4]
004873EE |. 83C6 04 |ADD ESI, 4
004873F1 |. 42 |INC EDX
004873F2 |. 3BE8 |CMP EBP, EAX
004873F4 |.^ 7C F5 \JL SHORT Publish.004873EB
004873F6 |> 8B6C97 FC MOV EBP, DWORD PTR DS:[EDI+EDX*4-4]
004873FA |. 4A DEC EDX
004873FB |. 2BC5 SUB EAX, EBP
004873FD |. 8915 D01E4A00 MOV DWORD PTR DS:[4A1ED0], EDX
00487403 |. A3 CC1E4A00 MOV DWORD PTR DS:[4A1ECC], EAX
00487408 |. 8B33 MOV ESI, DWORD PTR DS:[EBX]
0048740A |. B8 07452EC2 MOV EAX, C22E4507
0048740F |. 5D POP EBP
00487410 |. F7EE IMUL ESI
00487412 |. 03D6 ADD EDX, ESI
00487414 |. BE 07000000 MOV ESI, 7
00487419 |. C1FA 10 SAR EDX, 10
0048741C |. 8BC2 MOV EAX, EDX
0048741E |. 5F POP EDI
0048741F |. C1E8 1F SHR EAX, 1F
00487422 |. C705 E01E4A00>MOV DWORD PTR DS:[4A1EE0], 0
0048742C |. 8D4402 04 LEA EAX, DWORD PTR DS:[EDX+EAX+4]
00487430 |. 99 CDQ
00487431 |. F7FE IDIV ESI
00487433 |. B8 C5B3A291 MOV EAX, 91A2B3C5
00487438 |. 5E POP ESI
00487439 |. 5B POP EBX
0048743A |. 8915 D81E4A00 MOV DWORD PTR DS:[4A1ED8], EDX
00487440 |. F7E9 IMUL ECX
00487442 |. 03D1 ADD EDX, ECX
00487444 |. C1FA 0B SAR EDX, 0B
00487447 |. 8BC2 MOV EAX, EDX
00487449 |. C1E8 1F SHR EAX, 1F
0048744C |. 03D0 ADD EDX, EAX
0048744E |. B8 89888888 MOV EAX, 88888889
00487453 |. 8915 C81E4A00 MOV DWORD PTR DS:[4A1EC8], EDX
00487459 |. 69D2 F0F1FFFF IMUL EDX, EDX, -0E10
0048745F |. 03CA ADD ECX, EDX
00487461 |. F7E9 IMUL ECX
00487463 |. 03D1 ADD EDX, ECX
00487465 |. C1FA 05 SAR EDX, 5
00487468 |. 8BC2 MOV EAX, EDX
0048746A |. C1E8 1F SHR EAX, 1F
0048746D |. 03D0 ADD EDX, EAX
0048746F |. 8915 C41E4A00 MOV DWORD PTR DS:[4A1EC4], EDX
00487475 |. 8D0452 LEA EAX, DWORD PTR DS:[EDX+EDX*2]
00487478 |. 8D1480 LEA EDX, DWORD PTR DS:[EAX+EAX*4]
0048747B |. B8 C01E4A00 MOV EAX, Publish.004A1EC0
00487480 |. C1E2 02 SHL EDX, 2
00487483 |. 2BCA SUB ECX, EDX
00487485 |. 890D C01E4A00 MOV DWORD PTR DS:[4A1EC0], ECX
0048748B \. C3 RETN
====================================================
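At this point the tracing of the registration code algorithm is complete. Next, the way the registration code is calculated is analysed.
(According to the prompt, the length is 5~6 digits.)
The analysis shows that the registration code falls into three cases, each with 4 registration codes that satisfy the condition.
1. Version with the 21-day limit removed, priced at $12.
Calculation:
1.) hex value of the registration code + 3D0C09 = 40F0E1
Reversing the calculation: registration code = 40F0E1-3D0C09=3E4D8(H) ==> 255192
2.) hex value of the registration code + 3D0C09 = 413169
Reversing the calculation: registration code = 413169-3D0C09=4258D(H) ==> 271757
3.) hex value of the registration code + 3D0C09 = 40B079
Reversing the calculation: registration code = 40B079-3D0C09=3A470(H) ==> 238704
4.) hex value of the registration code + 3D0C09 = 407031
Reversing the calculation: registration code = 407031-3D0C09=36428(H) ==> 222248
2. Version with the 21-day limit removed, priced at $15.
Calculation:
1.) hex value of the registration code + 3D0A43 = 40F0E1
Reversing the calculation: registration code = 40F0E1-3D0A43=3E69E(H) ==> 255646
2.) hex value of the registration code + 3D0C09 = 413169
Reversing the calculation: registration code = 413169-3D0A43=42726(H) ==> 272166
3.) hex value of the registration code + 3D0C09 = 40B079
Reversing the calculation: registration code = 40B079-3D0A43=3A636(H) ==> 239158
4.) hex value of the registration code + 3D0C09 = 407031
Reversing the calculation: registration code = 407031-3D0A43=365EE(H) ==> 222702
3. PRO version, priced at $200.
Calculation:
1.) hex value of the registration code + 3D09A7 = 40F0E1
Reversing the calculation: registration code = 40F0E1-3D09A7=3E73A(H) ==> 255802
2.) hex value of the registration code + 3D0C09 = 413169
Reversing the calculation: registration code = 413169-3D09A7=427C2(H) ==> 272322
3.) hex value of the registration code + 3D0C09 = 40B079
Reversing the calculation: registration code = 40B079-3D09A7=3A6D2(H) ==> 239314
4.) hex value of the registration code + 3D0C09 = 407031
Reversing the calculation: registration code = 407031-3D09A7=3668A(H) ==> 222858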
Cracked by fxyang[OCN]
2003.4.12