解魔法转换 v2.1 Beta 2

标题：破解魔法转换 v2.1 Beta 2 测试版 (11千字)
作者：lb[CCG]
时间：2001-10-28 17:59:37
链接：http://bbs.pediy.com

魔法转换 v2.1 Beta 2 测试版
http://www.keksoft.com
email:support@keksoft.com
作者：X man or lb[BCG][CCG]
简介
====
功能强大的图像转换工具。包括图像浏览、批量转换、图像增强及作品预览四
大部分。图像增强包括调整图像大小、调整层次、旋转、镜象，还有锐化、模
糊、马塞克、浮雕、底片、旋涡、喷雾等效果。你可以将这些效果自定义成方
案，然后再进行批量转换。而且它还支持拖入文件到批量转换列表。它的输出
格式为：bmp、jpg、gif、png、tif、wmf、emf、tga、ico，还包括txt、rtf、
htm、mmc等特效格式。特效格式包括正常模式、缩小一倍、缩小两倍、原图大
小、彩字单一、彩字规律。同时它还能方便的将图像生成.EXE可执行文件。
等级：VERY EASY
目标：破解15天试用的限制

今天打开魔法转换来转几幅图，没想到双击之后却弹出个NAG。说15天试用以到，请
注册云云……
于是哪出宝刀（调试工具），把拦路虎砍掉。

废话少说，用FI检测有无加壳，一试。555555~~，居然有，是ASP的壳，没关系。用
CASPR一下就搞定。（懒人有懒富，不用手动脱壳，哈哈！）

用W32DASM反编译后，来到程序入口处：
:00578890 55 push ebp
:00578891 8BEC mov ebp, esp
:00578893 83C4F0 add esp, FFFFFFF0
:00578896 53 push ebx
:00578897 33C0 xor eax, eax
:00578899 8945F0 mov dword ptr [ebp-10], eax
:0057889C B890835700 mov eax, 00578390
:005788A1 E832E7E8FF call 00406FD8
:005788A6 8B1DDCE65700 mov ebx, dword ptr [0057E6DC]
:005788AC 33C0 xor eax, eax
:005788AE 55 push ebp
:005788AF 68678A5700 push 00578A67
:005788B4 64FF30 push dword ptr fs:[eax]
:005788B7 648920 mov dword ptr fs:[eax], esp
:005788BA 8B03 mov eax, dword ptr [ebx]
:005788BC E82FE9EDFF call 004571F0
:005788C1 8B03 mov eax, dword ptr [ebx]

* Possible StringData Ref from Code Obj ->"魔法转换 2.1 Beta 2"
|
:005788C3 BA7C8A5700 mov edx, 00578A7C
:005788C8 E827E5EDFF call 00456DF4
:005788CD A190E85700 mov eax, dword ptr [0057E890]
:005788D2 8B00 mov eax, dword ptr [eax]
:005788D4 E87BC5FEFF call 00564E54
:005788D9 84C0 test al, al
:005788DB 7432 je 0057890F---------》这里就是判断是否
                          进入主程序的
                          所以改成jmp 0057890F
                          (即EB32)
:005788DD 8B0D90E85700 mov ecx, dword ptr [0057E890]
:005788E3 8B03 mov eax, dword ptr [ebx]

* Possible StringData Ref from Code Obj ->"鵆"
|
:005788E5 8B1544435600 mov edx, dword ptr [00564344]
:005788EB E818E9EDFF call 00457208
:005788F0 8B0DECE55700 mov ecx, dword ptr [0057E5EC]
:005788F6 8B03 mov eax, dword ptr [ebx]

* Possible StringData Ref from Code Obj ->"鵆"
|
:005788F8 8B15503B5600 mov edx, dword ptr [00563B50]
:005788FE E805E9EDFF call 00457208
:00578903 8B03 mov eax, dword ptr [ebx]
:00578905 E87EE9EDFF call 00457288
:0057890A E942010000 jmp 00578A51

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005788DB(C)
|
:0057890F E884A1E8FF call 00402A98
:00578914 85C0 test eax, eax
:00578916 7E3B jle 00578953
:00578918 8D55F0 lea edx, dword ptr [ebp-10]
:0057891B B801000000 mov eax, 00000001
:00578920 E8D3A1E8FF call 00402AF8
:00578925 8B45F0 mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"-toweb"
|
:00578928 BA988A5700 mov edx, 00578A98
:0057892D E866B8E8FF call 00404198
:00578932 751F jne 00578953
:00578934 8B0DECE65700 mov ecx, dword ptr [0057E6EC]
:0057893A 8B03 mov eax, dword ptr [ebx]

* Possible StringData Ref from Code Obj ->"鵆"
|
:0057893C 8B1590A55600 mov edx, dword ptr [0056A590]
:00578942 E8C1E8EDFF call 00457208
:00578947 8B03 mov eax, dword ptr [ebx]
:00578949 E83AE9EDFF call 00457288
:0057894E E9FE000000 jmp 00578A51

程序可以进了，可是没有注册号就是不爽，好吧！跟我来：
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563EF5(C)
|
:00563F60 1400 adc al, 00
:00563F62 0000 add byte ptr [eax], al
:00563F64 CE into
:00563F65 D2D7 rcl bh, cl
:00563F67 D4BA aam (base186)
:00563F69 C0A3ACCED2D2D1 shl byte ptr [ebx+D2D2CEAC], D1
:00563F70 BEADD7A2B2 mov esi, B2A2D7AD
:00563F75 E1A3 loopz 00563F1A
:00563F77 A100000000 mov eax, dword ptr [00000000]
:00563F7C 55 push ebp
:00563F7D 8BEC mov ebp, esp
:00563F7F 33C9 xor ecx, ecx
:00563F81 51 push ecx
:00563F82 51 push ecx
:00563F83 51 push ecx
:00563F84 51 push ecx
:00563F85 51 push ecx
:00563F86 51 push ecx
:00563F87 51 push ecx
:00563F88 51 push ecx
:00563F89 53 push ebx
:00563F8A 56 push esi
:00563F8B 8BD8 mov ebx, eax
:00563F8D 33C0 xor eax, eax
:00563F8F 55 push ebp
:00563F90 680F415600 push 0056410F
:00563F95 64FF30 push dword ptr fs:[eax]
:00563F98 648920 mov dword ptr fs:[eax], esp
:00563F9B 8D55FC lea edx, dword ptr [ebp-04]
:00563F9E 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:00563FA4 E8E74BEDFF call 00438B90
:00563FA9 837DFC00 cmp dword ptr [ebp-04], 00000000-----比较姓名是否为空
:00563FAD 7518 jne 00563FC7-------------不为空就跳走
:00563FAF 6A30 push 00000030
:00563FB1 681C415600 push 0056411C

* Possible StringData Ref from Code Obj ->"请输入姓名！"
|
:00563FB6 6824415600 push 00564124
:00563FBB 6A00 push 00000000

* Reference To: user32.MessageBoxA, Ord:0000h
|
:00563FBD E8AA3BEAFF Call 00407B6C
:00563FC2 E908010000 jmp 005640CF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563FAD(C)
|
:00563FC7 8D55F8 lea edx, dword ptr [ebp-08]
:00563FCA 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:00563FD0 E8BB4BEDFF call 00438B90
:00563FD5 8B45F8 mov eax, dword ptr [ebp-08]
:00563FD8 50 push eax
:00563FD9 8D55F0 lea edx, dword ptr [ebp-10]
:00563FDC 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:00563FE2 E8A94BEDFF call 00438B90
:00563FE7 8B45F0 mov eax, dword ptr [ebp-10]
:00563FEA 8D55F4 lea edx, dword ptr [ebp-0C]
:00563FED E8A299FFFF call 0055D994
:00563FF2 8B55F4 mov edx, dword ptr [ebp-0C]-----这几处好眼熟，没错！
:00563FF5 58 pop eax------------------------D一下就可以看到真的
:00563FF6 E89D01EAFF call 00404198------------------注册码
:00563FFB 0F85CE000000 jne 005640CF-------------------
:00564001 8D45EC lea eax, dword ptr [ebp-14]
:00564004 E84396FFFF call 0055D64C
:00564009 8D45EC lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"\win.ini"
|
:0056400C BA3C415600 mov edx, 0056413C
:00564011 E87A00EAFF call 00404090
:00564016 8B4DEC mov ecx, dword ptr [ebp-14]
:00564019 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"\3G"
|
:0056401B A1EC2B4700 mov eax, dword ptr [00472BEC]
:00564020 E817EDF0FF call 00472D3C
:00564025 A3C8135800 mov dword ptr [005813C8], eax
:0056402A 8D55E8 lea edx, dword ptr [ebp-18]
:0056402D 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:00564033 E8584BEDFF call 00438B90
:00564038 8B45E8 mov eax, dword ptr [ebp-18]
:0056403B 50 push eax

* Possible StringData Ref from Code Obj ->"name"
|
:0056403C B950415600 mov ecx, 00564150

* Possible StringData Ref from Code Obj ->"magct"
|
:00564041 BA60415600 mov edx, 00564160
:00564046 A1C8135800 mov eax, dword ptr [005813C8]
:0056404B 8B30 mov esi, dword ptr [eax]
:0056404D FF5604 call [esi+04]
:00564050 8D55E4 lea edx, dword ptr [ebp-1C]
:00564053 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:00564059 E8324BEDFF call 00438B90
:0056405E 8B45E4 mov eax, dword ptr [ebp-1C]
:00564061 50 push eax

* Possible StringData Ref from Code Obj ->"code"
|
:00564062 B970415600 mov ecx, 00564170

* Possible StringData Ref from Code Obj ->"magct"
|
:00564067 BA60415600 mov edx, 00564160
:0056406C A1C8135800 mov eax, dword ptr [005813C8]
:00564071 8B30 mov esi, dword ptr [eax]
:00564073 FF5604 call [esi+04]
:00564076 A1C8135800 mov eax, dword ptr [005813C8]
:0056407B E810F0E9FF call 00403090

* Possible StringData Ref from Code Obj ->"关闭"
|
:00564080 BA80415600 mov edx, 00564180
:00564085 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:0056408B E8304BEDFF call 00438BC0
:00564090 33D2 xor edx, edx
:00564092 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:00564098 8B08 mov ecx, dword ptr [eax]
:0056409A FF515C call [ecx+5C]
:0056409D 6A40 push 00000040

* Possible StringData Ref from Code Obj ->"魔法转换"
|
:0056409F 6888415600 push 00564188
:005640A4 8D55E0 lea edx, dword ptr [ebp-20]
:005640A7 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:005640AD E8DE4AEDFF call 00438B90
:005640B2 8D45E0 lea eax, dword ptr [ebp-20]

* Possible StringData Ref from Code Obj ->"，恭喜你成功注册！"
|
:005640B5 BA9C415600 mov edx, 0056419C
:005640BA E8D1FFE9FF call 00404090
:005640BF 8B45E0 mov eax, dword ptr [ebp-20]
:005640C2 E88501EAFF call 0040424C
:005640C7 50 push eax
:005640C8 6A00 push 00000000

于是得到
name=lb[CCG]
code=069002CA017C

后记：
该软件的注册码放在WINDOWS目录下的WIN.INI里面

由于没时间了，对软件是否完全破完我没有测试。请高手指教

.---._ ___
--===^ ~-......---.==\\\
/' _/-/ \ )))
`-~~ \ , ___\ ) ((
/ /---~~ \(`\( ))
</'|; .---" \>
  | | " |
`" ; ;
X man or lb[BCG][CCG]
  QQ:9832285
E-mail:lbcool@elong.com
  2001.10.28 17：50