下载页面:
http://tongtian.net/pediy/usr/19/19_1835.rar
软件大小:
58K
开 发 商: http://www.smwuce.com
【软件简介】:物探专业解释系统。使用简单,功能强大,是物探解释工作的好助手。
【软件限制】:30次试用
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、FI2.5、W32Dasm 10修改版
—————————————————————————————————
【过 程】:
关于Softsentry壳:
能设置软件的使用时间限制、使用次数限制、使用日期限制、给软件加密码等等,功能很强,是制作软件DEMO版软件的很好的加密工具。加密的软件可根据每台不同的电脑给出不同的注册码,故该软件也是制作试用软件的绝好工具。
呵呵,原先看上面的说明是VB的东东,我就没DOWN了。^-^^-^
后来看见几位朋友的帖子感觉象是加了Softsentry 3.0的壳。下来分析看看就是加了这个壳!只是有些参数变了。其实这种壳的保护应该说是不强的,脱了壳之后就没有限制了。
System
ID:95065
姓 名:fly (呵呵,姓名和公司名不参与运算,可以随意输入)
公
司:【OCN】
试 炼 码:1357246890
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004219F6(C)
|
:00421A1B
8D542454 lea edx, dword
ptr [esp+54]
:00421A1F 6A32
push 00000032
:00421A21 52
push edx
:00421A22 6801100000
push 00001001
:00421A27 51
push
ecx
:00421A28 FF15ECE14200 call dword
ptr [0042E1EC]
:00421A2E 8D7C2454
lea edi, dword ptr [esp+54]
====>EDI=[esp+54]=1357246890
:00421A32
83C9FF or ecx, FFFFFFFF
:00421A35
8944241C mov dword ptr
[esp+1C], eax
:00421A39 33C0
xor eax, eax
:00421A3B F2
repnz
:00421A3C AE
scasb
:00421A3D F7D1
not ecx
:00421A3F
2BF9 sub
edi, ecx
:00421A41 8D942488000000 lea edx,
dword ptr [esp+00000088]
:00421A48 8BC1
mov eax, ecx
:00421A4A 8BF7
mov esi, edi
:00421A4C
8BFA mov
edi, edx
:00421A4E C744241000000000 mov [esp+10],
00000000
:00421A56 C1E902
shr ecx, 02
:00421A59 F3
repz
:00421A5A A5
movsd
:00421A5B 8BC8
mov ecx, eax
:00421A5D
83E103 and ecx,
00000003
:00421A60 66833DCEDB420000 cmp word ptr
[0042DBCE], 0000
:00421A68 F3
repz
:00421A69 A4
movsb
:00421A6A 0F8E15040000
jle 00421E85
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E7D(C)
|
:00421A70
8D7C2454 lea edi, dword
ptr [esp+54]
:00421A74 83C9FF
or ecx, FFFFFFFF
:00421A77 33C0
xor eax, eax
:00421A79 8D542420
lea edx, dword ptr [esp+20]
:00421A7D
F2 repnz
:00421A7E
AE scasb
:00421A7F
F7D1 not
ecx
:00421A81 2BF9
sub edi, ecx
:00421A83 C744241400000000 mov
[esp+14], 00000000
:00421A8B 8BC1
mov eax, ecx
:00421A8D 8BF7
mov esi, edi
:00421A8F 8BFA
mov edi,
edx
:00421A91 C1E902
shr ecx, 02
:00421A94 F3
repz
:00421A95 A5
movsd
:00421A96 8BC8
mov ecx, eax
:00421A98
0FBF442410 movsx eax, word ptr
[esp+10]
:00421A9D 83E103
and ecx, 00000003
:00421AA0 F3
repz
:00421AA1 A4
movsb
:00421AA2 8B0DECDB4200
mov ecx, dword ptr [0042DBEC]
:00421AA8
C1E006 shl eax,
06
:00421AAB 8D3C08
lea edi, dword ptr [eax+ecx]
:00421AAE 668B0408
mov ax, word ptr [eax+ecx]
:00421AB2 66A354DC4200
mov word ptr [0042DC54], ax
:00421AB8
8B5F08 mov ebx,
dword ptr [edi+08]
:00421ABB 891DE4DB4200
mov dword ptr [0042DBE4], ebx
:00421AC1 8B570C
mov edx, dword ptr [edi+0C]
:00421AC4 8915F4DB4200
mov dword ptr [0042DBF4], edx
:00421ACA
8B4F10 mov ecx,
dword ptr [edi+10]
:00421ACD 890DD4DB4200
mov dword ptr [0042DBD4], ecx
:00421AD3 668B5714
mov dx, word ptr [edi+14]
:00421AD7 663D0100
cmp ax, 0001
:00421ADB
668915FADB4200 mov word ptr [0042DBFA], dx
:00421AE2
740A je 00421AEE
:00421AE4
663D0200 cmp ax, 0002
:00421AE8
0F8512010000 jne 00421C00
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421AE2(C)
|
:00421AEE
8B6F20 mov ebp,
dword ptr [edi+20]
====>EBP=[edi+20]=qmx
呵呵,这是string_1了!
:00421AF1
BE78A14200 mov esi, 0042A178
:00421AF6
8BC5 mov
eax, ebp
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421B16(C)
|
:00421AF8
8A10 mov
dl, byte ptr [eax]
:00421AFA 8ACA
mov cl, dl
:00421AFC 3A16
cmp dl, byte ptr [esi]
:00421AFE 751C
jne 00421B1C
:00421B00
84C9 test
cl, cl
:00421B02 7414
je 00421B18
:00421B04 8A5001
mov dl, byte ptr [eax+01]
:00421B07 8ACA
mov cl, dl
:00421B09
3A5601 cmp dl, byte
ptr [esi+01]
:00421B0C 750E
jne 00421B1C
:00421B0E 83C002
add eax, 00000002
:00421B11 83C602
add esi, 00000002
:00421B14
84C9 test
cl, cl
:00421B16 75E0
jne 00421AF8
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B02(C)
|
:00421B18
33C0 xor
eax, eax
:00421B1A EB05
jmp 00421B21
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421AFE(C),
:00421B0C(C)
|
:00421B1C 1BC0
sbb eax, eax
:00421B1E 83D8FF
sbb eax, FFFFFFFF
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B1A(U)
|
:00421B21
85C0 test
eax, eax
:00421B23 750C
jne 00421B31
:00421B25 A194DE4200
mov eax, dword ptr [0042DE94]
:00421B2A A300DC4200
mov dword ptr [0042DC00], eax
:00421B2F
EB46 jmp
00421B77
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421B23(C)
|
:00421B31
BE6CA14200 mov esi, 0042A16C
:00421B36
8BC5 mov
eax, ebp
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421B56(C)
|
:00421B38
8A10 mov
dl, byte ptr [eax]
:00421B3A 8ACA
mov cl, dl
:00421B3C 3A16
cmp dl, byte ptr [esi]
:00421B3E 751C
jne 00421B5C
:00421B40
84C9 test
cl, cl
:00421B42 7414
je 00421B58
:00421B44 8A5001
mov dl, byte ptr [eax+01]
:00421B47 8ACA
mov cl, dl
:00421B49
3A5601 cmp dl, byte
ptr [esi+01]
:00421B4C 750E
jne 00421B5C
:00421B4E 83C002
add eax, 00000002
:00421B51 83C602
add esi, 00000002
:00421B54
84C9 test
cl, cl
:00421B56 75E0
jne 00421B38
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B42(C)
|
:00421B58
33C0 xor
eax, eax
:00421B5A EB05
jmp 00421B61
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421B3E(C),
:00421B4C(C)
|
:00421B5C 1BC0
sbb eax, eax
:00421B5E 83D8FF
sbb eax, FFFFFFFF
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B5A(U)
|
:00421B61
85C0 test
eax, eax
:00421B63 750C
jne 00421B71
:00421B65 A198DE4200
mov eax, dword ptr [0042DE98]
:00421B6A A300DC4200
mov dword ptr [0042DC00], eax
:00421B6F
EB06 jmp
00421B77
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421B63(C)
|
:00421B71
892D00DC4200 mov dword ptr [0042DC00],
ebp
* Referenced by
a (U)nconditional or (C)onditional Jump at Addresses:
|:00421B2F(U), :00421B6F(U)
|
:00421B77
8B6F24 mov ebp,
dword ptr [edi+24]
====>EBP=[edi+24]=7904
呵呵,程序自给的!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[0054027B]内存处的值:
程序自给?!
0054027B 71
6D 78 00 77 74 00 64 00 71 6D 78 00 37 39 30 qmx.wt.d.qmx.790
0054028B
34 00 02 00 1E 00 1E 00 D0 02 00 00 00 C4 E3 B5 4....?...你
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00421B7A
BE78A14200 mov esi, 0042A178
:00421B7F
8BC5 mov
eax, ebp
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421B9F(C)
|
:00421B81
8A10 mov
dl, byte ptr [eax]
:00421B83 8ACA
mov cl, dl
:00421B85 3A16
cmp dl, byte ptr [esi]
:00421B87 751C
jne 00421BA5
:00421B89
84C9 test
cl, cl
:00421B8B 7414
je 00421BA1
:00421B8D 8A5001
mov dl, byte ptr [eax+01]
:00421B90 8ACA
mov cl, dl
:00421B92
3A5601 cmp dl, byte
ptr [esi+01]
:00421B95 750E
jne 00421BA5
:00421B97 83C002
add eax, 00000002
:00421B9A 83C602
add esi, 00000002
:00421B9D
84C9 test
cl, cl
:00421B9F 75E0
jne 00421B81
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421B8B(C)
|
:00421BA1
33C0 xor
eax, eax
:00421BA3 EB05
jmp 00421BAA
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421B87(C),
:00421B95(C)
|
:00421BA5 1BC0
sbb eax, eax
:00421BA7 83D8FF
sbb eax, FFFFFFFF
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BA3(U)
|
:00421BAA
85C0 test
eax, eax
:00421BAC 750C
jne 00421BBA
:00421BAE A194DE4200
mov eax, dword ptr [0042DE94]
:00421BB3 A3FCDB4200
mov dword ptr [0042DBFC], eax
:00421BB8
EB46 jmp
00421C00
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421BAC(C)
|
:00421BBA
BE6CA14200 mov esi, 0042A16C
:00421BBF
8BC5 mov
eax, ebp
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421BDF(C)
|
:00421BC1
8A10 mov
dl, byte ptr [eax]
:00421BC3 8ACA
mov cl, dl
:00421BC5 3A16
cmp dl, byte ptr [esi]
:00421BC7 751C
jne 00421BE5
:00421BC9
84C9 test
cl, cl
:00421BCB 7414
je 00421BE1
:00421BCD 8A5001
mov dl, byte ptr [eax+01]
:00421BD0 8ACA
mov cl, dl
:00421BD2
3A5601 cmp dl, byte
ptr [esi+01]
:00421BD5 750E
jne 00421BE5
:00421BD7 83C002
add eax, 00000002
:00421BDA 83C602
add esi, 00000002
:00421BDD
84C9 test
cl, cl
:00421BDF 75E0
jne 00421BC1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BCB(C)
|
:00421BE1
33C0 xor
eax, eax
:00421BE3 EB05
jmp 00421BEA
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421BC7(C),
:00421BD5(C)
|
:00421BE5 1BC0
sbb eax, eax
:00421BE7 83D8FF
sbb eax, FFFFFFFF
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421BE3(U)
|
:00421BEA
85C0 test
eax, eax
:00421BEC 750C
jne 00421BFA
:00421BEE A198DE4200
mov eax, dword ptr [0042DE98]
:00421BF3 A3FCDB4200
mov dword ptr [0042DBFC], eax
:00421BF8
EB06 jmp
00421C00
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421BEC(C)
|
:00421BFA
892DFCDB4200 mov dword ptr [0042DBFC],
ebp
* Referenced by
a (U)nconditional or (C)onditional Jump at Addresses:
|:00421AE8(C), :00421BB8(U),
:00421BF8(U)
|
:00421C00 66837F0400
cmp word ptr [edi+04], 0000
:00421C05 7558
jne 00421C5F
:00421C07 8D4C2420
lea ecx, dword ptr [esp+20]
:00421C0B
E820F9FFFF call 00421530
:00421C10
A154DC4200 mov eax, dword ptr
[0042DC54]
:00421C15 25FFFF0000 and
eax, 0000FFFF
:00421C1A 7432
je 00421C4E
:00421C1C 85C0
test eax, eax
:00421C1E 7E39
jle 00421C59
:00421C20
83F802 cmp eax,
00000002
:00421C23 7F34
jg 00421C59
:00421C25 8B0DF4DB4200
mov ecx, dword ptr [0042DBF4]
:00421C2B E800F9FFFF
call 00421530
:00421C30 8B0DD4DB4200
mov ecx, dword ptr [0042DBD4]
====>ECX=[0042DBD4]=wt 呵呵,这是string_2了!
:00421C36
E8F5F8FFFF call 00421530
:00421C3B
8B0D00DC4200 mov ecx, dword ptr [0042DC00]
:00421C41
E8EAF8FFFF call 00421530
:00421C46
8B0DFCDB4200 mov ecx, dword ptr [0042DBFC]
:00421C4C
EB06 jmp
00421C54
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421C1A(C)
|
:00421C4E
8B0DE4DB4200 mov ecx, dword ptr [0042DBE4]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421C4C(U)
|
:00421C54
E8D7F8FFFF call 00421530
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421C1E(C),
:00421C23(C)
|
:00421C59 8B1DE4DB4200
mov ebx, dword ptr [0042DBE4]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421C05(C)
|
:00421C5F
A154DC4200 mov eax, dword ptr
[0042DC54]
:00421C64 25FFFF0000 and
eax, 0000FFFF
:00421C69 0F849B010000 je
00421E0A
:00421C6F 85C0
test eax, eax
:00421C71 0F8E1A020000
jle 00421E91
:00421C77 83F802
cmp eax, 00000002
:00421C7A 0F8F11020000
jg 00421E91
:00421C80 8B35F4DB4200
mov esi, dword ptr [0042DBF4]
:00421C86 83C9FF
or ecx, FFFFFFFF
:00421C89
8BFE mov
edi, esi
:00421C8B 33C0
xor eax, eax
:00421C8D F2
repnz
:00421C8E AE
scasb
:00421C8F F7D1
not ecx
:00421C91
83C1FE add ecx,
FFFFFFFE
:00421C94 6683F9FF
cmp cx, FFFF
:00421C98 7422
je 00421CBC
:00421C9A 6685C9
test cx, cx
:00421C9D 7C17
jl 00421CB6
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421CB4(C)
|
:00421C9F
0FBFC1 movsx eax,
cx
:00421CA2 8A1430
mov dl, byte ptr [eax+esi]
1、 ====>DL=78(H)
即:x
2、 ====>DL=6D(H) 即:m
3、 ====>DL=71(H) 即:q
:00421CA5
80FA3F cmp dl, 3F
:00421CA8
7406 je 00421CB0
:00421CAA
3A540420 cmp dl, byte ptr
[esp+eax+20]
====>比较前3位是否是qmx
1、 ====>DL=78 [esp+eax+20]=35
即:注册码的第3位应是 x
2、 ====>DL=6D [esp+eax+20]=33
即:注册码的第2位应是
m
3、 ====>DL=71 [esp+eax+20]=31
即:注册码的第1位应是
q
:00421CAE
7506 jne
00421CB6
====>不同则跳则OVER! 可下 R
FL Z 改变跳转
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421CA8(C)
|
:00421CB0
49 dec
ecx
:00421CB1 6685C9
test cx, cx
:00421CB4 7DE9
jge 00421C9F
====>循环3次
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421C9D(C),
:00421CAE(C)
|
:00421CB6 6683F9FF
cmp cx, FFFF
:00421CBA 7508
jne 00421CC4
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421C98(C)
|
:00421CBC
C744241401000000 mov [esp+14], 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421CBA(C)
|
:00421CC4
8B3DD4DB4200 mov edi, dword ptr [0042DBD4]
:00421CCA
83C9FF or ecx, FFFFFFFF
:00421CCD
33C0 xor
eax, eax
:00421CCF F2
repnz
:00421CD0 AE
scasb
:00421CD1 F7D1
not ecx
:00421CD3 49
dec ecx
:00421CD4
8D7C2420 lea edi, dword
ptr [esp+20]
:00421CD8 8BE9
mov ebp, ecx
:00421CDA 83C9FF
or ecx, FFFFFFFF
:00421CDD F2
repnz
:00421CDE
AE scasb
:00421CDF
F7D1 not
ecx
:00421CE1 49
dec ecx
:00421CE2 2BCD
sub ecx, ebp
:00421CE4 6685C9
test cx, cx
:00421CE7 7E32
jle 00421D1B
:00421CE9
33F6 xor
esi, esi
:00421CEB 6685ED
test bp, bp
:00421CEE 7E22
jle 00421D12
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D10(C)
|
:00421CF0
8B15D4DB4200 mov edx, dword ptr [0042DBD4]
====>EDX=[0042DBD4]=wt
:00421CF6
0FBFC6 movsx eax,
si
:00421CF9 8A1410
mov dl, byte ptr [eax+edx]
1、 ====>DL=77(H)
即:w
2、 ====>DL=74(H) 即:t
:00421CFC
80FA3F cmp dl, 3F
:00421CFF
740B je 00421D0C
:00421D01
0FBFF9 movsx edi,
cx
:00421D04 03F8
add edi, eax
:00421D06 3A543C20
cmp dl, byte ptr [esp+edi+20]
1、 ====>DL=77
[esp+edi+20]=39
即:注册码的倒数第2位应是 w
2、 ====>DL=74
[esp+edi+20]=30
即:注册码的倒数第1位应是 t
:00421D0A
7506 jne
00421D12
====>不同则跳则OVER! 可下 R
FL Z 改变跳转
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421CFF(C)
|
:00421D0C
46 inc
esi
:00421D0D 663BF5
cmp si, bp
:00421D10 7CDE
jl 00421CF0
====>循环2次
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421CEE(C),
:00421D0A(C)
|
:00421D12 663BF5
cmp si, bp
:00421D15 7504
jne 00421D1B
:00421D17 FF442414
inc [esp+14]
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421CE7(C),
:00421D15(C)
|
:00421D1B 837C241402
cmp dword ptr [esp+14], 00000002
:00421D20 740A
je 00421D2C
:00421D22 B8FEFFFFFF
mov eax, FFFFFFFE
:00421D27
E941010000 jmp 00421E6D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D20(C)
|
:00421D2C
8B3DF4DB4200 mov edi, dword ptr [0042DBF4]
:00421D32
83C9FF or ecx, FFFFFFFF
:00421D35
33C0 xor
eax, eax
:00421D37 F2
repnz
:00421D38 AE
scasb
:00421D39 8B3DD4DB4200
mov edi, dword ptr [0042DBD4]
:00421D3F F7D1
not ecx
:00421D41
49 dec
ecx
:00421D42 8D740C20 lea
esi, dword ptr [esp+ecx+20]
:00421D46 83C9FF
or ecx, FFFFFFFF
:00421D49 F2
repnz
:00421D4A AE
scasb
:00421D4B
F7D1 not
ecx
:00421D4D 49
dec ecx
:00421D4E 8BD6
mov edx, esi
:00421D50 2BD1
sub edx, ecx
:00421D52 8BFE
mov edi,
esi
:00421D54 83C9FF
or ecx, FFFFFFFF
:00421D57 F2
repnz
:00421D58 AE
scasb
:00421D59 F7D1
not ecx
:00421D5B
49 dec
ecx
:00421D5C 88040A
mov byte ptr [edx+ecx], al
:00421D5F 8BCE
mov ecx, esi
====>ECX=ESI=72468 即去掉第1、2、3、9、10位后的试炼码
:00421D61
E84A5B0000 call 004278B0
====>检测上面的中间几位是否为数字?
:00421D66
85C0 test
eax, eax
:00421D68 750A
jne 00421D74
====>不是数字则不跳则OVER!
:00421D6A
B8FDFFFFFF mov eax, FFFFFFFD
:00421D6F
E9F9000000 jmp 00421E6D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D68(C)
|
:00421D74
BA64A14200 mov edx, 0042A164
====>EDX=0604 呵呵,程序自给的!
:00421D79 8BCE
mov ecx,
esi
====>ECX=ESI=72468
:00421D7B
E8705B0000 call 004278F0
====>再次检测72468是否为数字?
不是数字则“invalid digital number!”。并且把72468转化为用16进制值表示!
:00421D80
8BF8 mov
edi, eax
====>EDI=EAX=00011B14(H)=72468(D)
:00421D82
66A154DC4200 mov ax, word ptr [0042DC54]
:00421D88
663D0100 cmp ax, 0001
:00421D8C
7546 jne
00421DD4
:00421D8E 66A1FADB4200 mov
ax, word ptr [0042DBFA]
:00421D94 8B1500DC4200
mov edx, dword ptr [0042DC00]
:00421D9A 33C9
xor ecx, ecx
:00421D9C 8ACC
mov cl, ah
:00421D9E
25FF000000 and eax, 000000FF
:00421DA3
8BF1 mov
esi, ecx
:00421DA5 8BC8
mov ecx, eax
:00421DA7 E854FBFFFF
call 00421900
:00421DAC 8B15FCDB4200
mov edx, dword ptr [0042DBFC]
:00421DB2 03F8
add edi, eax
:00421DB4
6685F6 test si,
si
:00421DB7 7504
jne 00421DBD
:00421DB9 33C9
xor ecx, ecx
:00421DBB EB03
jmp 00421DC0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421DB7(C)
|
:00421DBD
8D4E01 lea ecx,
dword ptr [esi+01]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421DBB(U)
|
:00421DC0
E83BFBFFFF call 00421900
:00421DC5
8BC8 mov
ecx, eax
:00421DC7 85C9
test ecx, ecx
:00421DC9 7438
je 00421E03
:00421DCB 8BC7
mov eax, edi
:00421DCD
99 cdq
:00421DCE
F7F9 idiv
ecx
:00421DD0 8BC2
mov eax, edx
:00421DD2 EB27
jmp 00421DFB
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421D8C(C)
|
:00421DD4
663D0200 cmp ax, 0002
:00421DD8
7529 jne
00421E03
:00421DDA 8B15FCDB4200 mov
edx, dword ptr [0042DBFC]
====>EDX=7904
取[00540288]内存处的值
:00421DE0
A100DC4200 mov eax, dword ptr
[0042DC00]
====>EAX=qmx
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[00540284]内存处的值:
程序自给?!
00540284 71
6D 78 00 37 39 30 34 00 02 00 1E 00 1E 00 D0 qmx.7904....
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00421DE5
8B0D38DD4200 mov ecx, dword ptr [0042DD38]
====>ECX=17359(H)=95065(D)呵呵,系统代码
:00421DEB
52 push
edx
:00421DEC 668B15FADB4200 mov dx, word
ptr [0042DBFA]
:00421DF3 50
push eax
:00421DF4 E897FBFFFF
call 00421990
====>算法CALL!得出下面的EAX值。进入!
:00421DF9
2BC7 sub
eax, edi
====>EAX=3403B020 - 11B14=3402950C
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421DD2(U)
|
:00421DFB
85C0 test
eax, eax
====>相减结果是否为0?即:上面2部分是否相等?
:00421DFD
0F848E000000 je 00421E91
====>不为0则不跳则OVER!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421DC9(C),
:00421DD8(C)
|
:00421E03 B8FBFFFFFF
mov eax, FFFFFFFB
:00421E08 EB63
jmp 00421E6D
:00422013
FF1500E24200 call dword ptr [0042E200]
====>BAD BOY!
—————————————————————————————————
进入算法CALL:
*
Referenced by a CALL at Addresses:
|:00421DF4 , :004221DA
|
:00421990
53 push
ebx
:00421991 56
push esi
:00421992 668BDA
mov bx, dx
:00421995 8BF1
mov esi, ecx
====>ESI=ECX=17359 呵呵,系统代码
:00421997
8B54240C mov edx, dword
ptr [esp+0C]
====>EDX=qmx
从[00540284]处取值
:0042199B
8ACB mov
cl, bl
:0042199D 57
push edi
:0042199E 81E1FF000000
and ecx, 000000FF
:004219A4 E857FFFFFF
call 00421900
====>对程序给的qmx进行运算得出下面的EAX值!进入关键CALL!
:004219A9
8B542414 mov edx, dword
ptr [esp+14]
====>EDX=7904
从[00540288]处取值
:004219AD
8BF8 mov
edi, eax
====>EDI=EAX=00003BEE(H)=15342(D)
:004219AF
33C0 xor
eax, eax
:004219B1 8AC7
mov al, bh
:004219B3 6685C0
test ax, ax
:004219B6 7512
jne 004219CA
:004219B8 33C9
xor ecx,
ecx
:004219BA E841FFFFFF call
00421900
====>把7904转化为用16进制值表示!EAX=7904(D)=1EE0(H)
:004219BF
03FE add
edi, esi
====>EDI=3BEE + 17359=1AF47
:004219C1 0FAFC7
imul eax, edi
====>EAX=1EE0 * 1AF47=3403B020(H)
呵呵,把上面运算的结果3403B020(H)转化成10进制值872656928(D),就是注册码的中间部分了!
:004219C4
5F pop
edi
:004219C5 5E
pop esi
:004219C6 5B
pop ebx
:004219C7 C20800
ret 0008
—————————————————————————————————
进入关键CALL:4219A4
call 00421900
*
Referenced by a CALL at Addresses:
|:004219A4 , :004219BA , :004219CD
, :00421DA7 , :00421DC0
|
:00421900 53
push ebx
:00421901
8BDA mov
ebx, edx
====>EBX=EDX=qmx
:00421903
56 push
esi
:00421904 8BF1
mov esi, ecx
====>ESI=ECX=64
:00421906
85DB test
ebx, ebx
:00421908 7472
je 0042197C
:0042190A 803B00
cmp byte ptr [ebx], 00
:0042190D 746D
je 0042197C
:0042190F
57 push
edi
:00421910 8BFB
mov edi, ebx
:00421912 83C9FF
or ecx, FFFFFFFF
:00421915 33C0
xor eax, eax
:00421917 F2
repnz
:00421918
AE scasb
:00421919
F7D1 not
ecx
:0042191B 49
dec ecx
====>ECX=3
取qmx的位数
:0042191C 6685F6
test si, si
:0042191F
7443 je 00421964
:00421921
6683FE01 cmp si, 0001
:00421925
743D je 00421964
:00421927
81E6FFFF0000 and esi, 0000FFFF
:0042192D
8BC6 mov
eax, esi
====>EAX=ESI=64
:0042192F
99 cdq
:00421930
F7F9 idiv
ecx
====>EDX=64 % 3=1
:00421932
0FBE041A movsx eax, byte
ptr [edx+ebx]
====>EAX=6D
即:m的HEX值
:00421936
0FAFC6 imul eax,
esi
====>EAX=6D * 64=2A94
:00421939
0FAFC2 imul eax,
edx
====>EAX=2A94 * 01=2A94
:0042193C
03C1 add
eax, ecx
====>EAX=2A94 + 03=2A97
呵呵,不明白上面这段代码的意思了。请各位老师指教!
:0042193E
33D2 xor
edx, edx
:00421940 85C9
test ecx, ecx
:00421942 7E16
jle 0042195A
:00421944 8BF9
mov edi, ecx
====>EDI=ECX=3
:00421946
2BFE sub
edi, esi
====>EDI=3 - 64=FFFFFF9F 即:-97(D)
:00421948
83C76F add edi,
0000006F
====>EDI=FFFFFF9F + 6F=E
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421958(C)
|
:0042194B
0FBE341A movsx esi, byte
ptr [edx+ebx]
====>依次取qmx字符的HEX值
:0042194F
0FAFF7 imul esi,
edi
1、 ====>ESI=71 * 0E=62E
2、 ====>ESI=6D * 0D=589
3、
====>ESI=78 * 0C=5A0
:00421952
03C6 add
eax, esi
1、 ====>EAX=2A97 + 62E=30C5
2、
====>EAX=30C5 + 589=364E
3、 ====>EAX=364E
+ 5A0=3BEE
:00421954
42 inc
edx
:00421955 4F
dec edi
:00421956 3BD1
cmp edx, ecx
:00421958 7CF1
jl 0042194B
====>循环3次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421942(C)
|
:0042195A
85C0 test
eax, eax
:0042195C 7D1A
jge 00421978
:0042195E 5F
pop edi
:0042195F 5E
pop esi
:00421960 F7D8
neg eax
:00421962
5B pop
ebx
:00421963 C3
ret
—————————————————————————————————
【算
法 总 结】:
1、注册码
第1、2、3位固定为:qmx
2、注册码倒数第1、2位固定为:wt
3、注册码中间几位的运算:
①、取系统代码:95065,转化为16进制值:17359(H)
②、17359
+ 3BEE=1AF47
③、1AF47 * 1EE0=3403B020(H)=872656928(D),就是注册码的中间部分了!
即:(系统代码 + 3BEE)* 1EE0 运算结果的10进制值
—————————————————————————————————
【C++ KeyGen】:
呵呵,刚看了几天的C++,偶然又碰到了这个简单的算法。
呵呵,就用我这“超级蹩脚”的C++做
fly 的第三个算法注册机吧!诸位老师见笑了!
#include<iostream.h>
#include<math.h>
// Reproduces the derivation summarised in the write-up above:
//   code = "qmx" + decimal((System ID + 0x3BEE) * 0x1EE0) + "wt"
// NOTE(review): every value used here is either typed in by the user or, per
// the trace annotations, stored inside the protected program itself (the
// strings "qmx", "wt" and "7904"), so the check depends on no secret kept
// outside the client. That is the design weakness this listing illustrates.
void
main()
{
// Holds the System ID read from stdin, then the numeric middle part.
unsigned long int m;
cout<<"\n★★★★控制测量坐标换算 KeyGen{4th}★★★★\n\n\n\n";
cout<<"请输入System
ID:";
cin >>m;
// 0x3BEE is the value the trace shows call 00421900 returning for the
// embedded string "qmx".
m+=0X00003BEE;
// 0x1EE0 is 7904 decimal, the embedded numeric string from the trace.
m*=0X00001EE0;
// Output is the fixed prefix, the decimal product, then the fixed suffix.
cout<<"\n呵呵,口
令:"<<"qmx"<<m<<"wt"<<endl;
cout<<"\n姓名和公司随意输入";
cout<<"\n\n\nCracked
By 巢水工作坊——fly【OCN】 03-4-5 11:11 COMPILE";
// The two cin.get() calls keep the console open until Enter is pressed.
cout<<"\n\n\n
* * * 按回车退出!* * *";cin.get();cin.get();
}
—————————————————————————————————
【注册信息保存】:
1、注册表中
REGEDIT4
[HKEY_CLASSES_ROOT\{onUJAYs36y}]
@="NUQ=%!!5!\"!!5!#9!-Q$5!T5Q.4)U!!!!!!\"=R1!!>`^R<8AY.T)W.49Z-DBXN>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!!!!N!!!!!!!Y!.-(\"!!'!!5!#1!'!$9!5A-!!!)!!!!!!!!!!*XO7A&G<(E!7U^$64FU!!!!!!!!!!!!!!!!!!!!!!!!!"
2、REGEDIT4
[HKEY_CLASSES_ROOT\SystemAppIDs]
@="N!Q!!!!!!!!\"\\45NU6%*'/']S-8V\\-XJ';E>04W*638V\\<WZ63E&:=T-W?8U!"
3、C:\WINDOWS\SYSTEM
下的access.ctl文件。
如果想重新注册必须把以上3处删干净。
真是狡兔三窟呀。加了Softsentry
3.0壳的软件的保存注册信息的方式大都差不多。
—————————————————————————————————
【整 理】:
System
ID:95065
姓 名:fly
公
司:【OCN】
口 令:qmx872656928wt
—————————————————————————————————
Cracked By
巢水工作坊——fly【OCN】
2003-4-5 11:44