简单算法——消费增埴卡管理 V2.0单机版
下载页面: http://www.skycn.com/soft/7912.html
软件大小: 699 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 商业贸易
应用平台:
Win95/98/Me
加入时间: 2002-04-15 14:06:37
下载次数: 282
推荐等级:
****
开 发 商: http://www.leathernet.com.cn/
【软件简介】:适用于零售商场、电器商场、娱乐场所的会员消费管理,资料管理、消费增值管理。
【软件限制】:必须注册,否则无法使用。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、FI2.5、W32Dasm8.93黄金版
—————————————————————————————————
【过 程】:
消费卡管理.exe可以反汇编。Visual
FoxPro编写?不清楚。
系统代码:95065
试
炼 码:1357246890
根据失败提示可以找到下面的核心。
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407C05(C)
|
:00407C5F
A1643B4100 mov eax, dword ptr
[00413B64]
:00407C64 25FFFF0000 and
eax, 0000FFFF
:00407C69 0F849B010000 je
00407E0A
:00407C6F 85C0
test eax, eax
:00407C71 0F8E1A020000
jle 00407E91
:00407C77 83F802
cmp eax, 00000002
:00407C7A 0F8F11020000
jg 00407E91
:00407C80 8B35043B4100
mov esi, dword ptr [00413B04]
====>ESI=AC 从[00413B04]处取值
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[00413B04]内存处的值:
程序自给?!
0052027B 41 43 00 4D 45 00 00 00 32 31 00 37 00 AC.ME...21.7.
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00407C86
83C9FF or ecx, FFFFFFFF
:00407C89
8BFE mov
edi, esi
:00407C8B 33C0
xor eax, eax
:00407C8D F2
repnz
:00407C8E AE
scasb
:00407C8F F7D1
not ecx
:00407C91
83C1FE add ecx,
FFFFFFFE
:00407C94 6683F9FF
cmp cx, FFFF
:00407C98 7422
je 00407CBC
:00407C9A 6685C9
test cx, cx
:00407C9D 7C17
jl 00407CB6
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407CB4(C)
|
:00407C9F
0FBFC1 movsx eax,
cx
:00407CA2 8A1430
mov dl, byte ptr [eax+esi]
1、 ====>DL=43(H)
即:C
2、 ====>DL=41(H) 即:A
:00407CA5
80FA3F cmp dl, 3F
:00407CA8
7406 je 00407CB0
:00407CAA
3A540420 cmp dl, byte ptr
[esp+eax+20]
1、 ====>DL=43 [esp+eax+20]=33
即:注册码的第2位应是 C
2、 ====>DL=41 [esp+eax+20]=31
即:注册码的第1位应是
A
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[esp+20]内存处的值是我的试炼码:
0064F9EC 31 33 35 37 32 34 36 38 39 30 1357246890
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00407CAE
7506 jne
00407CB6
====>不同则跳则OVER! 可下 R
FL Z 改变跳转
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00407CA8(C)
|
:00407CB0
49 dec
ecx
:00407CB1 6685C9
test cx, cx
:00407CB4 7DE9
jge 00407C9F
====>循环2次
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407C9D(C),
:00407CAE(C)
|
:00407CB6 6683F9FF
cmp cx, FFFF
:00407CBA 7508
jne 00407CC4
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407C98(C)
|
*
Possible Reference to String Resource ID=00001: "èèèèèèèèèèèèèèèèèèèèèèèèèèèèèè"
|
:00407CBC C744241401000000
mov [esp+14], 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407CBA(C)
|
:00407CC4
8B3DE43A4100 mov edi, dword ptr [00413AE4]
====>EDI=ME 从[00413AE4]处取值
:00407CCA
83C9FF or ecx, FFFFFFFF
:00407CCD
33C0 xor
eax, eax
:00407CCF F2
repnz
:00407CD0 AE
scasb
:00407CD1 F7D1
not ecx
:00407CD3 49
dec ecx
:00407CD4
8D7C2420 lea edi, dword
ptr [esp+20]
====>EDI=1357246890
:00407CD8
8BE9 mov
ebp, ecx
:00407CDA 83C9FF
or ecx, FFFFFFFF
:00407CDD F2
repnz
:00407CDE AE
scasb
:00407CDF F7D1
not ecx
:00407CE1
49 dec
ecx
:00407CE2 2BCD
sub ecx, ebp
:00407CE4 6685C9
test cx, cx
:00407CE7 7E32
jle 00407D1B
:00407CE9 33F6
xor esi,
esi
:00407CEB 6685ED
test bp, bp
:00407CEE 7E22
jle 00407D12
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D10(C)
|
:00407CF0
8B15E43A4100 mov edx, dword ptr [00413AE4]
====>EDX=ME
:00407CF6
0FBFC6 movsx eax,
si
:00407CF9 8A1410
mov dl, byte ptr [eax+edx]
1、 ====>DL=4D(H)
即:M
2、 ====>DL=45(H) 即:E
:00407CFC
80FA3F cmp dl, 3F
:00407CFF
740B je 00407D0C
:00407D01
0FBFF9 movsx edi,
cx
:00407D04 03F8
add edi, eax
:00407D06 3A543C20
cmp dl, byte ptr [esp+edi+20]
1、 ====>DL=4D
[esp+eax+20]=39
即:注册码的第9 位应是 M
2、 ====>DL=45
[esp+eax+20]=30
即:注册码的第10位应是 E
:00407D0A
7506 jne
00407D12
====>不同则跳则OVER! 可下 R
FL Z 改变跳转
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00407CFF(C)
|
:00407D0C
46 inc
esi
:00407D0D 663BF5
cmp si, bp
:00407D10 7CDE
jl 00407CF0
====>循环2次
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407CEE(C),
:00407D0A(C)
|
:00407D12 663BF5
cmp si, bp
:00407D15 7504
jne 00407D1B
:00407D17 FF442414
inc [esp+14]
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407CE7(C),
:00407D15(C)
|
:00407D1B 837C241402
cmp dword ptr [esp+14], 00000002
:00407D20 740A
je 00407D2C
:00407D22 B8FEFFFFFF
mov eax, FFFFFFFE
:00407D27
E941010000 jmp 00407E6D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D20(C)
|
:00407D2C
8B3D043B4100 mov edi, dword ptr [00413B04]
:00407D32
83C9FF or ecx, FFFFFFFF
:00407D35
33C0 xor
eax, eax
:00407D37 F2
repnz
:00407D38 AE
scasb
:00407D39 8B3DE43A4100
mov edi, dword ptr [00413AE4]
:00407D3F F7D1
not ecx
:00407D41
49 dec
ecx
:00407D42 8D740C20 lea
esi, dword ptr [esp+ecx+20]
:00407D46 83C9FF
or ecx, FFFFFFFF
:00407D49 F2
repnz
:00407D4A AE
scasb
:00407D4B
F7D1 not
ecx
:00407D4D 49
dec ecx
:00407D4E 8BD6
mov edx, esi
:00407D50 2BD1
sub edx, ecx
:00407D52 8BFE
mov edi,
esi
:00407D54 83C9FF
or ecx, FFFFFFFF
:00407D57 F2
repnz
:00407D58 AE
scasb
:00407D59 F7D1
not ecx
:00407D5B
49 dec
ecx
:00407D5C 88040A
mov byte ptr [edx+ecx], al
:00407D5F 8BCE
mov ecx, esi
====>ECX=DESI=572468 即去掉第1、2、9、10位后的试炼码
:00407D61
E83A5B0000 call 0040D8A0
====>检测上面的中间几位是否为数字?
:00407D66
85C0 test
eax, eax
:00407D68 750A
jne 00407D74
====>不是数字则不跳则OVER!
:00407D6A
B8FDFFFFFF mov eax, FFFFFFFD
:00407D6F
E9F9000000 jmp 00407E6D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D68(C)
|
:00407D74
BA64014100 mov edx, 00410164
:00407D79
8BCE mov
ecx, esi
====>ECX=ESI=572468
:00407D7B
E8605B0000 call 0040D8E0
====>再次检测572468是否为数字?
不是数字则“invalid digital number!”。并且把572468转化为用16进制值表示!
:00407D80
8BF8 mov
edi, eax
====>EDI=EAI=8BC34(H)=572468(D)
:00407D82
66A1643B4100 mov ax, word ptr [00413B64]
:00407D88
663D0100 cmp ax, 0001
:00407D8C
7546 jne
00407DD4
:00407D8E 66A10A3B4100 mov
ax, word ptr [00413B0A]
:00407D94 8B15103B4100
mov edx, dword ptr [00413B10]
:00407D9A 33C9
xor ecx, ecx
:00407D9C 8ACC
mov cl, ah
:00407D9E
25FF000000 and eax, 000000FF
:00407DA3
8BF1 mov
esi, ecx
:00407DA5 8BC8
mov ecx, eax
:00407DA7 E854FBFFFF
call 00407900
:00407DAC 8B150C3B4100
mov edx, dword ptr [00413B0C]
:00407DB2 03F8
add edi, eax
:00407DB4
6685F6 test si,
si
:00407DB7 7504
jne 00407DBD
:00407DB9 33C9
xor ecx, ecx
:00407DBB EB03
jmp 00407DC0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DB7(C)
|
:00407DBD
8D4E01 lea ecx,
dword ptr [esi+01]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DBB(U)
|
:00407DC0
E83BFBFFFF call 00407900
:00407DC5
8BC8 mov
ecx, eax
:00407DC7 85C9
test ecx, ecx
:00407DC9 7438
je 00407E03
:00407DCB 8BC7
mov eax, edi
:00407DCD
99 cdq
:00407DCE
F7F9 idiv
ecx
:00407DD0 8BC2
mov eax, edx
:00407DD2 EB27
jmp 00407DFB
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D8C(C)
|
:00407DD4
663D0200 cmp ax, 0002
:00407DD8
7529 jne
00407E03
:00407DDA 8B150C3B4100 mov
edx, dword ptr [00413B0C]
:00407DE0 A1103B4100
mov eax, dword ptr [00413B10]
:00407DE5 8B0D483C4100
mov ecx, dword ptr [00413C48]
====>ECX=17359(H)=95605(D)呵呵,系统代码
:00407DEB
52 push
edx
:00407DEC 668B150A3B4100 mov dx, word
ptr [00413B0A]
:00407DF3 50
push eax
:00407DF4 E897FBFFFF
call 00407990
====>算法CALL!得出下面的EAX值。进入!
:00407DF9
2BC7 sub
eax, edi
====>EAX=A2802 - 8BC34=16BCE
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DD2(U)
|
:00407DFB
85C0 test
eax, eax
====>相减结果是否为0?即:上面2部分是否相等?
:00407DFD
0F848E000000 je 00407E91
====>不为0则不跳则OVER!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407DC9(C),
:00407DD8(C)
|
:00407E03 B8FBFFFFFF
mov eax, FFFFFFFB
:00407E08 EB63
jmp 00407E6D
:00408013
FF1500424100 call dword ptr [00414200]
====>BAD BOY!“无效的注册码!”
—————————————————————————————————
进入算法CALL:407DF4
call 00407990
*
Referenced by a CALL at Addresses:
|:00407DF4 , :004081DA
|
:00407990
53 push
ebx
:00407991 56
push esi
:00407992 668BDA
mov bx, dx
:00407995 8BF1
mov esi, ecx
:00407997 8B54240C
mov edx, dword ptr [esp+0C]
====>EDX=21 从[esp+0C]处取值
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[esp]内存处的值:
0052027B 41 43 00 4D 45 00 00 00 32 31 00 37 00 AC.ME...21.7.
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:0040799B
8ACB mov
cl, bl
:0040799D 57
push edi
:0040799E 81E1FF000000
and ecx, 000000FF
:004079A4 E857FFFFFF
call 00407900
====>检测21是否为数字?
并且把21转化为用16进制值表示!EAX=15(H)=21(D)
:004079A9
8B542414 mov edx, dword
ptr [esp+14]
====>EDX=7
从[esp+14]处取值
:004079AD
8BF8 mov
edi, eax
====>EDI=EAX=15
:004079AF
33C0 xor
eax, eax
:004079B1 8AC7
mov al, bh
:004079B3 6685C0
test ax, ax
:004079B6 7512
jne 004079CA
:004079B8 33C9
xor ecx,
ecx
:004079BA E841FFFFFF call
00407900
====>检测7是否为数字?
并且把7转化为用16进制值表示!EAX=7(H)=7(D)
:004079BF
03FE add
edi, esi
====>EDI=15 + 17359=1736E
:004079C1
0FAFC7 imul eax,
edi
====>EAX= 7 * 1736E=A2802(H)
呵呵,把上面运算的结果A2802(H)转化成10进制值665602(D),就是注册码的中间部分了!
:004079C4
5F pop
edi
:004079C5 5E
pop esi
:004079C6 5B
pop ebx
:004079C7 C20800
ret 0008
—————————————————————————————————
【算
法 总 结】:
1、注
册 码第1、2位固定为:AC (呵呵,猜一下?)
2、注册码倒数第1、2位固定为:ME (呵呵,猜一下?)
3、注册码中间几位的运算:
①、取系统代码:95065,转化为16进制值:17359(H)
②、17359
+ 15=1736E
③、1736E * 7=A2802(H)=665602(D),就是注册码的中间部分了!
既:(系统代码 + 15) * 7 运算结果的10进制值
呵呵,说明一下:上面的参数只是我的机子调试时程序自给的,我不知道是否是固定参数,所以只能猜测一下。但是注册码的校验过程应该是大体相同的。
—————————————————————————————————
【KeyMake之内存注册机】:
呵呵,内存注册机有点麻烦,需要说明中间几位必须是数字,还要改变几个跳转。
—————————————————————————————————
【注册信息保存】:
1、注册表中
REGEDIT4
[HKEY_CLASSES_ROOT\{3zFjGOObUI}]
@="NUQ=$!!5!&1!1!#5!(1!+!$5Q.4)U!!!!!!\"=R1!!>`^\"1T9W.49Q-EV&!!!!N!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!!!!N!!!!!!!I!>-(!Q!&!\"5!%!!I!\"!!J!%!!!)!!!!!!!!!!.>Z5!%!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!"
2、REGEDIT4
[HKEY_CLASSES_ROOT\SystemAppIDs]
@="6!1!!!!!!!!\"\\-XJ';E>04W*638U!"
3、C:\WINDOWS\SYSTEM
下的access.ctl文件。
如果想重新注册必须把以上3处删干净,否则,呵呵……
真是狡兔三窟呀。如此保存注册信息的方式使我想起了网络电话
Talking anywhere 5.0,简直是一模一样。
—————————————————————————————————
【整 理】:
系统代码:95065
注
册 码:AC665602ME
—————————————————————————————————
Cracked By
巢水工作坊——fly【OCN】
2003-03-21 18:36:32