文字反斗星 V4.1.0.5

标题：简单算法——文字反斗星 V4.1.0.5
作者：fly
时间：2003/04/01 01:40pm
链接：http://bbs.pediy.com

下载页面： http://www.skycn.com/soft/9537.html
软件大小： 401 KB
软件语言：简体中文
软件类别：国产软件 / 共享版 / 文字处理
应用平台： Win9x/NT/2000/XP
加入时间： 2003-03-23 09:01:54
下载次数： 1390
推荐等级： ***
开发商： http://softwind.longcity.net/

【软件简介】：本软件集合文本编辑器，文字绘图器，网页制作及游戏功能于一身。使您只须用鼠标轻点，便可制作出漂亮的文字符号图画，然后直接制作成为精美的彩色网页。同时又可将其作为普通的文本编辑器，象记事本程序一样简单使用。两种模式（绘图/编辑）切换只须轻轻一点，或按F3。如果做的闷了，打开游戏功能：一条由文字组成的贪吃蛇！看你能得多少分！最新功能：将横看的文本一下转换成为竖看的文本，连标点都一起改掉哟，好好玩，绝对反转文本文件为止！

【软件限制】：免费赠送注册码

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、FI2.5、W32Dasm 10修改版

—————————————————————————————————
【过程】：

draw_txt.exe无壳。Delphi 编写。

无出错提示。用TRW下万能断点。返回程序领空后用F12走过几个RET就能到达核心了。

机器码：03-3-dt03-3-31 （根据日期生成）
用户名：fly
试炼码：13572468
—————————————————————————————————
:00484035 E8EA49FDFF call 00458A24
====>请你输入用户名

:0048403A 837DF400 cmp dword ptr [ebp-0C], 00000000
====>没填用户名

:0048403E 0F8469010000 je 004841AD
:00484044 8B0D40AB4900 mov ecx, dword ptr [0049AB40]
:0048404A 8B09 mov ecx, dword ptr [ecx]
====>ECX=03-3-dt03-31

:0048404C 8D45E0 lea eax, dword ptr [ebp-20]
:0048404F 8B55F4 mov edx, dword ptr [ebp-0C]
====>EDX=fly

:00484052 E8D5FEF7FF call 00403F2C
====>检测用户名，并把用户名和机器码连接起来

:00484057 8D55EC lea edx, dword ptr [ebp-14]
:0048405A 8B45E0 mov eax, dword ptr [ebp-20]
====>EAX=fly03-3-dt03-31

:0048405D E896330000 call 004873F8
====>算法CALL！进入！！

:00484062 8D45F0 lea eax, dword ptr [ebp-10]
:00484065 50 push eax
:00484066 68F8414800 push 004841F8
:0048406B A140AB4900 mov eax, dword ptr [0049AB40]
:00484070 FF30 push dword ptr [eax]
:00484072 6814424800 push 00484214
:00484077 8D45D8 lea eax, dword ptr [ebp-28]
:0048407A BA03000000 mov edx, 00000003
:0048407F E81CFFF7FF call 00403FA0
:00484084 8B45D8 mov eax, dword ptr [ebp-28]
:00484087 33C9 xor ecx, ecx
:00484089 BA4C424800 mov edx, 0048424C
:0048408E E89149FDFF call 00458A24
====>请你输入注册号

:00484093 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=13572468

:00484096 8B45EC mov eax, dword ptr [ebp-14]
====>EAX=HN[ad-aIO\be-aJP]cf-a

:00484099 E85A40F8FF call 004080F8
====>比较CALL！进入！

:0048409E 85C0 test eax, eax
:004840A0 7414 je 004840B6
====>不跳则OVER！

:004840A2 BA60424800 mov edx, 00484260
:004840A7 A1A0BC4900 mov eax, dword ptr [0049BCA0]
:004840AC E803C7FAFF call 004307B4
:004840B1 E9F7000000 jmp 004841AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004840A0(C)
|
:004840B6 B201 mov dl, 01
:004840B8 A108B44600 mov eax, dword ptr [0046B408]
:004840BD E8B274FEFF call 0046B574
:004840C2 8945E8 mov dword ptr [ebp-18], eax
:004840C5 33C0 xor eax, eax
:004840C7 55 push ebp
:004840C8 683C414800 push 0048413C
:004840CD 64FF30 push dword ptr fs:[eax]
:004840D0 648920 mov dword ptr fs:[eax], esp
:004840D3 BA02000080 mov edx, 80000002
:004840D8 8B45E8 mov eax, dword ptr [ebp-18]
:004840DB E87075FEFF call 0046B650
:004840E0 8D45E4 lea eax, dword ptr [ebp-1C]
:004840E3 BA84424800 mov edx, 00484284
:004840E8 E80BFCF7FF call 00403CF8
====>注册信息写入注册表中

:004840ED B101 mov cl, 01
:004840EF 8B55E4 mov edx, dword ptr [ebp-1C]
:004840F2 8B45E8 mov eax, dword ptr [ebp-18]
:004840F5 E89A76FEFF call 0046B794
:004840FA 84C0 test al, al
:004840FC 7420 je 0048411E
:004840FE 8B4DF0 mov ecx, dword ptr [ebp-10]
:00484101 BAA0424800 mov edx, 004842A0
:00484106 8B45E8 mov eax, dword ptr [ebp-18]
:00484109 E8027AFEFF call 0046BB10
:0048410E 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00484111 BAB0424800 mov edx, 004842B0
:00484116 8B45E8 mov eax, dword ptr [ebp-18]
:00484119 E8F279FEFF call 0046BB10

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004840FC(C)
|
:0048411E 8B45E8 mov eax, dword ptr [ebp-18]
:00484121 E8FA74FEFF call 0046B620
:00484126 33C0 xor eax, eax
:00484128 5A pop edx
:00484129 59 pop ecx
:0048412A 59 pop ecx
:0048412B 648910 mov dword ptr fs:[eax], edx
:0048412E 6843414800 push 00484143

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484141(U)
|
:00484133 8B45E8 mov eax, dword ptr [ebp-18]
:00484136 E89DEEF7FF call 00402FD8
:0048413B C3 ret

:00484176 E89544FDFF call 00458610
====>呵呵，胜利女神！

—————————————————————————————————
进入算法CALL：48405D call 004873F8

* Referenced by a CALL at Addresses:
|:0048405D , :0048BA8A
|
:004873F8 55 push ebp
:004873F9 8BEC mov ebp, esp
:004873FB 83C4E4 add esp, FFFFFFE4
:004873FE 53 push ebx
:004873FF 56 push esi
:00487400 57 push edi
:00487401 33C9 xor ecx, ecx
:00487403 894DF4 mov dword ptr [ebp-0C], ecx
:00487406 894DF0 mov dword ptr [ebp-10], ecx
:00487409 8955F8 mov dword ptr [ebp-08], edx
:0048740C 8945FC mov dword ptr [ebp-04], eax
:0048740F 8B45FC mov eax, dword ptr [ebp-04]
:00487412 E87DCCF7FF call 00404094
:00487417 33C0 xor eax, eax
:00487419 55 push ebp
:0048741A 6801754800 push 00487501
:0048741F 64FF30 push dword ptr fs:[eax]
:00487422 648920 mov dword ptr fs:[eax], esp
:00487425 8D45F4 lea eax, dword ptr [ebp-0C]
:00487428 E833C8F7FF call 00403C60
:0048742D 837DFC00 cmp dword ptr [ebp-04], 00000000
====>为0？

:00487431 750D jne 00487440
:00487433 8D45FC lea eax, dword ptr [ebp-04]
:00487436 BA18754800 mov edx, 00487518
:0048743B E8B8C8F7FF call 00403CF8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00487431(C), :0048745A(C)
|
:00487440 8D45FC lea eax, dword ptr [ebp-04]
:00487443 8B55FC mov edx, dword ptr [ebp-04]
====>EDX=fly03-3-dt03-31

:00487446 E89DCAF7FF call 00403EE8
====>再把用户名和机器码连接起来

:0048744B 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly03-3-dt03-31fly03-3-dt03-31

:0048744E E88DCAF7FF call 00403EE0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004873F0(C)
|
:00487453 8945E8 mov dword ptr [ebp-18], eax
:00487456 837DE806 cmp dword ptr [ebp-18], 00000006
====>22位

:0048745A 7EE4 jle 00487440
:0048745C 8B45E8 mov eax, dword ptr [ebp-18]
:0048745F B906000000 mov ecx, 00000006
:00487464 99 cdq
:00487465 F7F9 idiv ecx
====>EDX=22 % 6=4

:00487467 42 inc edx
====>EDX=4 + 1=5 (小循环次数)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004873F2(C)
|
:00487468 8955E8 mov dword ptr [ebp-18], edx
====>EDX 入 [ebp-18]

:0048746B B80A000000 mov eax, 0000000A
:00487470 99 cdq
:00487471 F77DE8 idiv [ebp-18]
====>EAX=A / 5=2

:00487474 40 inc eax
====>EAX=2 + 1=3 (大循环次数)

:00487475 85C0 test eax, eax
:00487477 7E5A jle 004874D3
:00487479 8945E4 mov dword ptr [ebp-1C], eax
====>EAX 入 [ebp-1C]

:0048747C C745EC01000000 mov [ebp-14], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004874D1(C)
|
:00487483 8B5DE8 mov ebx, dword ptr [ebp-18]
:00487486 85DB test ebx, ebx
:00487488 7E34 jle 004874BE
:0048748A BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004874BC(C)
|
:0048748F 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly03-3-dt03-31fly03-3-dt03-31

:00487492 0FB64430FF movzx eax, byte ptr [eax+esi-01]
循环 1、 ====>EAX=66
2、 ====>EAX=6C
3、 ====>EAX=79
4、 ====>EAX=30
5、 ====>EAX=33

:00487497 0345EC add eax, dword ptr [ebp-14]
第一个大循环 1、 ====>EAX=66 + 1=67
2、 ====>EAX=6C + 1=6D
3、 ====>EAX=79 + 1=7A
4、 ====>EAX=30 + 1=31
5、 ====>EAX=33 + 1=34
——————————————————————

第二个大循环 1、 ====>EAX=66 + 2=68
　　…… …… 省略　……　……

——————————————————————
第三个大循环 1、 ====>EAX=66 + 3=69
　　…… …… 省略　……　……
——————————————————————

:0048749A B94F000000 mov ecx, 0000004F
====>ECX=4F

:0048749F 99 cdq
:004874A0 F7F9 idiv ecx
第一个大循环 1、 ====>EDX=67 % 4F=18
2、 ====>EDX=6D % 4F=1E
3、 ====>EDX=7A % 4F=2B
4、 ====>EDX=31 % 4F=31
5、 ====>EDX=34 % 4F=34
第一个大循环所得值：18、1E、2B、31、34
——————————————————————

第二个大循环 1、 ====>EDX=68 % 4F=19
　　…… …… 省略　……　……
第二个大循环所得值：19、1F、2C、32、35
——————————————————————

第三个大循环 1、 ====>EDX=69 % 4F=1A
　　…… …… 省略　……　……
第三个大循环所得值：1A、20、2D、33、36
——————————————————————

:004874A2 8BFA mov edi, edx
====>EDX 入 EDI

:004874A4 8D45F0 lea eax, dword ptr [ebp-10]
:004874A7 8D5730 lea edx, dword ptr [edi+30]
====>每次EDI+30 后入 EDX
第一个大循环 1、 ====>EDX=18 + 30=48
2、 ====>EDX=1E + 30=4E
3、 ====>EDX=2B + 30=5B
4、 ====>EDX=31 + 30=61
5、 ====>EDX=34 + 30=65
第一个大循环所得字符：HN[ad
——————————————————————

第二个大循环 1、 ====>EDX=19 + 30=49
　　…… …… 省略　……　……

第二个大循环所得字符：IO\be
——————————————————————

第三个大循环 1、 ====>EDX=1A + 30=4A
　　…… …… 省略　……　……

第二个大循环所得字符：JP]cf
——————————————————————

:004874AA E859C9F7FF call 00403E08
====>把上面所得的值转化为对应的字符！

:004874AF 8D45F4 lea eax, dword ptr [ebp-0C]
:004874B2 8B55F0 mov edx, dword ptr [ebp-10]
:004874B5 E82ECAF7FF call 00403EE8
:004874BA 46 inc esi
:004874BB 4B dec ebx
:004874BC 75D1 jne 0048748F
====>小循环5次
HN[ad-aIO\be-aJP]cf-a
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487488(C)
|
:004874BE 8D45F4 lea eax, dword ptr [ebp-0C]
:004874C1 BA28754800 mov edx, 00487528
====>小循环结束后，在所得字符后面加上-a 共加3次
第一个大循环结果： HN[ad-a

第二个大循环结果： IO\be-a

第三个大循环结果： JP]cf-a

:004874C6 E81DCAF7FF call 00403EE8
:004874CB FF45EC inc [ebp-14]
====>每次大循环后[ebp-14]增1

:004874CE FF4DE4 dec [ebp-1C]
:004874D1 75B0 jne 00487483
====>大循环3次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487477(C)
|
:004874D3 8B45F8 mov eax, dword ptr [ebp-08]
:004874D6 8B55F4 mov edx, dword ptr [ebp-0C]
====>EDX=HN[ad-aIO\be-aJP]cf-a

:004874D9 E8D6C7F7FF call 00403CB4
:004874DE 33C0 xor eax, eax
:004874E0 5A pop edx
:004874E1 59 pop ecx
:004874E2 59 pop ecx
:004874E3 648910 mov dword ptr fs:[eax], edx
:004874E6 6808754800 push 00487508

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487506(U)
|
:004874EB 8D45F0 lea eax, dword ptr [ebp-10]
:004874EE BA02000000 mov edx, 00000002
:004874F3 E88CC7F7FF call 00403C84
:004874F8 8D45FC lea eax, dword ptr [ebp-04]
:004874FB E860C7F7FF call 00403C60
:00487500 C3 ret

—————————————————————————————————
进入比较CALL：484099 call 004080F8

* Referenced by a CALL at Addresses:
|:00408160 , :0044616B , :0044619F , :0044648F , :00484099
|:0048BA95
|
:004080F8 56 push esi
:004080F9 57 push edi
:004080FA 53 push ebx
:004080FB 89C6 mov esi, eax
:004080FD 89D7 mov edi, edx
:004080FF 09C0 or eax, eax
:00408101 7403 je 00408106
:00408103 8B40FC mov eax, dword ptr [eax-04]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408101(C)
|
:00408106 09D2 or edx, edx
:00408108 7403 je 0040810D
:0040810A 8B52FC mov edx, dword ptr [edx-04]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408108(C)
|
:0040810D 89C1 mov ecx, eax
:0040810F 39D1 cmp ecx, edx
====>比较位数 20位？

:00408111 7602 jbe 00408115
====>不跳则OVER！

:00408113 89D1 mov ecx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408111(C)
|
:00408115 39C9 cmp ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040813D(C)
|
:00408117 F3 repz
:00408118 A6 cmpsb
====>逐位比较！

:00408119 742A je 00408145
====>不跳则OVER！

:0040811B 8A5EFF mov bl, byte ptr [esi-01]
:0040811E 80FB61 cmp bl, 61
:00408121 7208 jb 0040812B
:00408123 80FB7A cmp bl, 7A
:00408126 7703 ja 0040812B
:00408128 80EB20 sub bl, 20

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408121(C), :00408126(C)
|
:0040812B 8A7FFF mov bh, byte ptr [edi-01]
:0040812E 80FF61 cmp bh, 61
:00408131 7208 jb 0040813B
:00408133 80FF7A cmp bh, 7A
:00408136 7703 ja 0040813B
:00408138 80EF20 sub bh, 20

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408131(C), :00408136(C)
|
:0040813B 38FB cmp bl, bh
:0040813D 74D8 je 00408117
:0040813F 0FB6C3 movzx eax, bl
:00408142 0FB6D7 movzx edx, bh

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408119(C)
|
:00408145 29D0 sub eax, edx
====>再检测一下位数

:00408147 5B pop ebx
:00408148 5F pop edi
:00408149 5E pop esi
:0040814A C3 ret

—————————————————————————————————
【KeyMake之内存注册机】：

中断地址：484099
中断次数：1
第一字节：E8
指令长度：5

内存方式：EAX

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\drawtxt]
"Passwd"="HN[ad-aIO\\be-aJP]cf-a"
"UsrName"="fly"
"Date"=hex:00,00,00,00,e0,69,e2,40
"Machine"="03-3-dt03-3-31"

—————————————————————————————————
【整理】：

机器码：03-3-dt03-3-31
用户名：fly
注册码：HN[ad-aIO\be-aJP]cf-a

—————————————————————————————————

呵呵，今天愚人节，送给所有CRACKER朋友们一张CRACKER的“自画像”，^6^6^6^6^
请看：http://www.1699.net/bbs/dispbbs.asp?boardID=54&ID=21064

Cracked By 巢水工作坊——fly【OCN】

13:16 03-3-31