软件名称: Battery Bar
软件版本: 1.07
软件大小: 907.00
软件授权: 共享软件
使用平台: Win95/98/NT
发布公司: http://www.nistech.com/
软件简介: 能显示出你的笔记本电脑的电池还能用多长时间,电量剩余的百分比。
软件下载: bat_bar.zip
设断点:bpx hmemcpy
按F12 12次(第13次出错误画面)
然后按F10若干次可找到下面程序段
:00406542 E88D300300 call 004395D4
:00406547 8D4DF8
lea ecx, dword ptr [ebp-08]
:0040654A 8B01
mov eax, dword ptr [ecx]
:0040654C 50
push eax
:0040654D 53
push ebx
:0040654E E889010000 call 004066DC
<----此CALL是计算注册码,我改下面的跳转不成功
才找到这儿
:00406553 83C40C
add esp, 0000000C
:00406556 3C01
cmp al, 01
:00406558 0F94C2
sete dl
:0040655B 83E201
and edx, 00000001
:0040655E 8D45F8
lea eax, dword ptr [ebp-08]
:00406561 52
push edx
:00406562 BA02000000 mov edx,
00000002
:00406567 FF4E1C
dec [esi+1C]
:0040656A E8D5660600 call 0046CC44
:0040656F FF4E1C
dec [esi+1C]
:00406572 8D45FC
lea eax, dword ptr [ebp-04]
:00406575 BA02000000 mov edx,
00000002
:0040657A E8C5660600 call 0046CC44
:0040657F 59
pop ecx
:00406580 84C9
test cl, cl
:00406582 0F84F1000000 je 00406679
<-----若在此改变程序方向
可显示注册成功,但若重新
启动程序,看About项,:-{
进入004066DC,按F10若干次后,找到计算注册码的部分,就是下面这段:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040689D(C)
|
:004067B7 8BF3
mov esi, ebx
:004067B9 56
push esi
:004067BA 8D45F8
lea eax, dword ptr [ebp-08]
:004067BD 50
push eax
:004067BE E801630600 call 0046CAC4
:004067C3 83C408
add esp, 00000008
:004067C6 8D45F8
lea eax, dword ptr [ebp-08]
:004067C9 E8E2650600 call 0046CDB0
:004067CE 0375F8
add esi, dword ptr [ebp-08]
:004067D1 4E
dec esi
:004067D2 803E00
cmp byte ptr [esi], 00
:004067D5 7534
jne 0040680B
:004067D7 8BF3
mov esi, ebx
:004067D9 56
push esi
:004067DA 8D55F8
lea edx, dword ptr [ebp-08]
:004067DD 52
push edx
:004067DE E8E1620600 call 0046CAC4
:004067E3 83C408
add esp, 00000008
:004067E6 8D45F8
lea eax, dword ptr [ebp-08]
:004067E9 E8C2650600 call 0046CDB0
:004067EE 8BC7
mov eax, edi
:004067F0 B91A000000 mov ecx,
0000001A
:004067F5 99
cdq
:004067F6 F7F9
idiv ecx
:004067F8 0375F8
add esi, dword ptr [ebp-08]
:004067FB 8955C8
mov dword ptr [ebp-38], edx
:004067FE 8B45C8
mov eax, dword ptr [ebp-38]
:00406801 4E
dec esi
:00406802 99
cdq
:00406803 33C2
xor eax, edx
:00406805 2BC2
sub eax, edx
:00406807 0441
add al, 41
:00406809 8806
mov byte ptr [esi], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004067D5(C)
|
:0040680B 8BF3
mov esi, ebx
:0040680D 56
push esi
:0040680E 8D4DF8
lea ecx, dword ptr [ebp-08]
:00406811 51
push ecx
:00406812 E8AD620600 call 0046CAC4
:00406817 83C408
add esp, 00000008
:0040681A 8D45F8
lea eax, dword ptr [ebp-08]
:0040681D E88E650600 call 0046CDB0
:00406822 0375F8
add esi, dword ptr [ebp-08]
:00406825 4E
dec esi
:00406826 0FBE3E
movsx edi, byte ptr [esi]
:00406829 8BF3
mov esi, ebx
:0040682B 56
push esi
:0040682C 8D45FC
lea eax, dword ptr [ebp-04]
:0040682F 50
push eax
:00406830 E88F620600 call 0046CAC4
:00406835 83C408
add esp, 00000008
:00406838 8D45FC
lea eax, dword ptr [ebp-04]
:0040683B E870650600 call 0046CDB0
:00406840 8D045B
lea eax, dword ptr [ebx+2*ebx]<----给EAX赋值
:00406843 B91A000000 mov ecx,
0000001A <----后面作为除数
:00406848 C1E003
shl eax, 03 <----EAX乘以8
:0040684B 0375FC
add esi, dword ptr [ebp-04]
:0040684E 2BC3
sub eax, ebx <----EAX=EAX-EBX
:00406850 4E
dec esi
:00406851 03C0
add eax, eax <----EAX=EAX*2
:00406853 03C7
add eax, edi
:00406855 99
cdq
:00406856 F7F9
idiv ecx <-----做除法
:00406858 8955C4
mov dword ptr [ebp-3C], edx
:0040685B B905000000 mov ecx,
00000005 <-----注册码4位一组,中间用'-'隔开
:00406860 8B45C4
mov eax, dword ptr [ebp-3C]
:00406863 99
cdq
:00406864 33C2
xor eax, edx
:00406866 2BC2
sub eax, edx
:00406868 0441
add al, 41 <-----EAX=EAX+41
:0040686A 8806
mov byte ptr [esi], al <----加后的数值即是注册码的一位
:0040686C 8BC3
mov eax, ebx
:0040686E 99
cdq
:0040686F F7F9
idiv ecx
:00406871 85D2
test edx, edx
:00406873 751E
jne 00406893
:00406875 8BF3
mov esi, ebx
:00406877 56
push esi
:00406878 8D45FC
lea eax, dword ptr [ebp-04]
:0040687B 50
push eax
:0040687C E843620600 call 0046CAC4
:00406881 83C408
add esp, 00000008
:00406884 8D45FC
lea eax, dword ptr [ebp-04]
:00406887 E824650600 call 0046CDB0
:0040688C 0375FC
add esi, dword ptr [ebp-04]
:0040688F 4E
dec esi
:00406890 C6062D
mov byte ptr [esi], 2D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406873(C)
|
:00406893 8D3C5B
lea edi, dword ptr [ebx+2*ebx]
:00406896 83C709
add edi, 00000009
:00406899 43
inc ebx
:0040689A 83FB13
cmp ebx, 00000013
:0040689D 0F8E14FFFFFF jle 004067B7
<----比较19位注册码未计算完,返回
举例:
用户名:LiuTong
对于ASCII为:4C 69 75 54 6F 6E 67
计算过程:
EAX=3*EBX EAX=EAX*8
EAX=EAX-EBX EAX=EAX*2 EAX=EAX+输入用户名 EAX=余数(EAX/26)+41
以下数据为十六进制
EBX=1 EAX=3 EAX=18 EAX=17
EAX=2E EAX=2E+4C=7A EAX=12+41=53
EBX=2 EAX=6 EAX=30 EAX=2E
EAX=5C EAX=5C+69=C5 EAX=F+41=50
EBX=3 EAX=9 EAX=48 EAX=45
EAX=8A EAX=8A+75=FF EAX=15+41=56
EBX=4 EAX=C EAX=60 EAX=5C
EAX=B8 EAX=B8+54=102 EAX=8+41=49
EBX=5 EAX=F EAX=78 EAX=73
EAX=E6 EAX=E6+6F=155 EAX=3+41=44
EBX=6 EAX=12 EAX=90 EAX=8A
EAX=114 EAX=114+6E=182 EAX=16+41=57
EBX=7 EAX=15 EAX=A8 EAX=A1
EAX=142 EAX=142+67=1A9 EAX=9+41=4A
EBX=8 EAX=18 EAX=C0 EAX=B8
EAX=170 EAX=170+20=190 EAX=A+41=4B
EBX=9 EAX=1B EAX=D8 EAX=CF
EAX=19E EAX=19E+20=1BE EAX=4+41=45
EBX=A EAX=1E EAX=F0 EAX=E6
EAX=1CC EAX=1CC+20=1EC EAX=18+41=59
EBX=B EAX=21 EAX=108 EAX=FD
EAX=1FA EAX=1FA+20=21A EAX=12+41=53
EBX=C EAX=24 EAX=120 EAX=114 EAX=228
EAX=228+20=248 EAX=C+41=4D
EBX=D EAX=27 EAX=138 EAX=12B EAX=256
EAX=256+20=276 EAX=6+41=47
EBX=E EAX=2A EAX=150 EAX=142 EAX=284
EAX=284+20=2A4 EAX=0+41=41
EBX=F EAX=2D EAX=168 EAX=159 EAX=2B2
EAX=2B2+20=2D2 EAX=14+41=55
EBX=10 EAX=30 EAX=180 EAX=170 EAX=2E0
EAX=2E0+20=300 EAX=E+41=4F
EBX=11 EAX=33 EAX=198 EAX=187 EAX=30E
EAX=30E+20=32E EAX=8+41=49
EBX=12 EAX=36 EAX=1B0 EAX=19E EAX=33C
EAX=33C+20=35C EAX=2+41=43
EBX=13 EAX=39 EAX=1C8 EAX=1B5 EAX=36A
EAX=36A+20=38A EAX=16+41=57
整理后注册码应为:SPVI-WJKE-SMGA-OICW
- 标 题:初学者(10) (8千字)
- 作 者:liutong
- 时 间:2000-5-14 11:11:20
- 链 接:http://bbs.pediy.com