下载页面:
http://www.skycn.com/soft/10315.html
软件大小:
378 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 杂类工具
应用平台: Win9x/NT/2000/XP
加入时间:
2003-01-05 09:01:25
下载次数: 383
推荐等级: ***
开 发 商: http://www.380000.com/
【软件简介】:
《暴风共享软件管理器I》是一款专业的共享软件管理工具,它能帮助你方便地管理你的共享软件。《暴风共享软件管理器I》利用“接口式动态链接库注册码自动生成系统”可以自动用你提供的算法算出相应的注册码;可以画出各产品销售额、利润、销售量的统计图形;采用适合中国共享软件销售方式的定单式管理风格。《暴风共享软件管理器I》必将成为你管理共享软件的好帮手。
【软件限制】:30天试用。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 10修改版
—————————————————————————————————
【过 程】:
暴风共享软件管理器I.exe
无壳。Visual C++ 6.0编写。
呵呵,分析完了后看到newlaos兄写的《奇门遁甲演义V6.3》,发觉算法很相似,再看看软件的开发公司,哦,是一家的,“共享”了一套注册算法。看来 函数图像大师、鼠到擒来 等等同门软件也是差不多了。
虽然注册码很长,但算法基本的流程是一样的,变换了参数而得到其它几组注册码,所以我只是记录了第一组的算法过程。
用户名:fly
试炼码:12345-67890-ABCDE-FGHIJ-KLMNO
反汇编,看看参考,很容易就能找到下面的核心。
—————————————————————————————————
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00408C13(C)
|
:00408C21 8D44242C
lea eax, dword ptr [esp+2C]
:00408C25
6A1E push
0000001E
:00408C27 50
push eax
:00408C28 8D8E0C010000
lea ecx, dword ptr [esi+0000010C]
:00408C2E E88D350000
call 0040C1C0
:00408C33 8D4C240C
lea ecx, dword ptr [esp+0C]
:00408C37
6A1E push
0000001E
:00408C39 51
push ecx
:00408C3A 8D8E1C010000
lea ecx, dword ptr [esi+0000011C]
:00408C40 E87B350000
call 0040C1C0
:00408C45 8D7C242C
lea edi, dword ptr [esp+2C]
:00408C49
83C9FF or ecx, FFFFFFFF
:00408C4C
33C0 xor
eax, eax
:00408C4E F2
repnz
:00408C4F AE
scasb
:00408C50 F7D1
not ecx
:00408C52 49
dec ecx
:00408C53
7511 jne
00408C66
====>填用户名了吗?
:00408C55 6A10 push 00000010
* Possible
StringData Ref from Data Obj ->"错误"
|
:00408C57 680CC24200 push
0042C20C
* Possible
StringData Ref from Data Obj ->"没有用户名!"
|
:00408C5C 68F0C34200
push 0042C3F0
:00408C61 E983000000
jmp 00408CE9
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C53(C)
|
:00408C66
8D7C240C lea edi, dword
ptr [esp+0C]
:00408C6A 83C9FF
or ecx, FFFFFFFF
:00408C6D 33C0
xor eax, eax
:00408C6F F2
repnz
:00408C70 AE
scasb
:00408C71
F7D1 not
ecx
:00408C73 49
dec ecx
:00408C74 7512
jne 00408C88
====>填注册码了吗?
:00408C76
8B460C mov eax,
dword ptr [esi+0C]
:00408C79 6A10
push 00000010
*
Possible StringData Ref from Data Obj ->"错误"
|
:00408C7B 680CC24200
push 0042C20C
*
Possible StringData Ref from Data Obj ->"没有注册码!"
|
:00408C80 68E0C34200
push 0042C3E0
:00408C85 50
push eax
:00408C86 EB65
jmp 00408CED
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C74(C)
|
:00408C88
8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408C8E
E8DD84FFFF call 00401170
:00408C93
84C0 test
al, al
:00408C95 7412
je 00408CA9
====>注册过了吗?呵呵,挺逗。
:00408C97
8B4E0C mov ecx,
dword ptr [esi+0C]
:00408C9A 6A40
push 00000040
*
Possible StringData Ref from Data Obj ->"你已经注册过了。"
|
:00408C9C 6898C34200
push 0042C398
*
Possible StringData Ref from Data Obj ->"你已经注册过了。"
|
:00408CA1 6898C34200
push 0042C398
:00408CA6 51
push ecx
:00408CA7 EB44
jmp 00408CED
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C95(C)
|
:00408CA9
8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408CAF
8D54240C lea edx, dword
ptr [esp+0C]
====>EDX=12345-67890-ABCDE-FGHIJ-KLMNO
:00408CB3
8D44242C lea eax, dword
ptr [esp+2C]
====>EAX=fly 用户名
:00408CB7
52 push
edx
:00408CB8 50
push eax
:00408CB9 E88286FFFF
call 00401340
:00408CBE 8B8E08010000
mov ecx, dword ptr [esi+00000108]
:00408CC4 E8A784FFFF
call 00401170
====>关键CALL!进入!
:00408CC9
84C0 test
al, al
:00408CCB 6A40
push 00000040
:00408CCD 7410
je 00408CDF
====>跳则OVER!
:00408CCF 8B4E0C mov ecx, dword ptr [esi+0C]
*
Possible StringData Ref from Data Obj ->"成功"
====>呵呵,胜利女神!
:00408CD2
68D8C34200 push 0042C3D8
*
Possible StringData Ref from Data Obj ->"注册将在重启后生效!"
|
:00408CD7 68C0C34200
push 0042C3C0
:00408CDC 51
push ecx
:00408CDD EB0E
jmp 00408CED
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408CCD(C)
|
*
Possible StringData Ref from Data Obj ->"失败"
|
:00408CDF 68B8C34200
push 0042C3B8
*
Possible StringData Ref from Data Obj ->"非法注册码"
====>BAD BOY!
:00408CE4
68ACC34200 push 0042C3AC
—————————————————————————————————
进入关键CALL:408CC4 call 00401170
*
Referenced by a CALL at Addresses:
|:00403D92 , :00408B93 , :00408C8E
, :00408CC4
…… ……省 略…… ……
:00401223
8A4C2425 mov cl, byte ptr
[esp+25]
:00401227 B02D
mov al, 2D
====>AL=2D 即:-
:00401229
3AC8 cmp
cl, al
====>比较注册码第6个字符是否是 -
:0040122B
7572 jne
0040129F
:0040122D 3844242B
cmp byte ptr [esp+2B], al
====>比较注册码第12个字符是否是 -
:00401231 756C
jne 0040129F
:00401233
38442431 cmp byte ptr [esp+31],
al
====>比较注册码第18个字符是否是 -
:00401237
7566 jne
0040129F
:00401239 38442437
cmp byte ptr [esp+37], al
====>比较注册码第24个字符是否是 -
:0040123D 7560
jne 0040129F
:0040123F
33FF xor
edi, edi
:00401241 8D742422
lea esi, dword ptr [esp+22]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401294(C)
|
:00401245
8D4C2418 lea ecx, dword
ptr [esp+18]
:00401249 8D542440
lea edx, dword ptr [esp+40]
====>EDX=fly
:0040124D
51 push
ecx
:0040124E 57
push edi
:0040124F 52
push edx
:00401250 8BCD
mov ecx, ebp
:00401252 E859000000
call 004012B0
====>算法CALL!进入!
====>下面是逐位比较!有一处不同就OVER了!
:00401257 8A46FE
mov al, byte ptr [esi-02]
====>[esi-02]=12345
:0040125A
8A4C2418 mov cl, byte ptr
[esp+18]
====>[esp+18]=1E9TT
第一个大循环得出:1E9TT
第二个大循环得出:5GDGG
第三个大循环得出:72WW8
第四个大循环得出:72WR9
第五个大循环得出:11MGG
:0040125E
3AC1 cmp
al, cl
:00401260 753D
jne 0040129F
:00401262 8A4EFF
mov cl, byte ptr [esi-01]
:00401265 8A442419
mov al, byte ptr [esp+19]
:00401269
3AC8 cmp
cl, al
:0040126B 7532
jne 0040129F
:0040126D 8A16
mov dl, byte ptr [esi]
:0040126F 8A44241A
mov al, byte ptr [esp+1A]
:00401273
3AD0 cmp
dl, al
:00401275 7528
jne 0040129F
:00401277 8A4601
mov al, byte ptr [esi+01]
:0040127A 8A4C241B
mov cl, byte ptr [esp+1B]
:0040127E
3AC1 cmp
al, cl
:00401280 751D
jne 0040129F
:00401282 8A4E02
mov cl, byte ptr [esi+02]
:00401285 8A44241C
mov al, byte ptr [esp+1C]
:00401289
3AC8 cmp
cl, al
:0040128B 7512
jne 0040129F
:0040128D 47
inc edi
:0040128E 83C606
add esi, 00000006
:00401291 83FF05
cmp edi, 00000005
:00401294
7CAF jl 00401245
:00401296
5F pop
edi
:00401297 5E
pop esi
:00401298 B001
mov al, 01
====>置1则OK!
:0040129A
5D pop
ebp
:0040129B 83C454
add esp, 00000054
:0040129E C3
ret
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401221(C),
:0040122B(C), :00401231(C), :00401237(C), :0040123D(C)
|:00401260(C), :0040126B(C),
:00401275(C), :00401280(C), :0040128B(C)
|
:0040129F 5F
pop edi
:004012A0 5E
pop
esi
:004012A1 32C0
xor al, al
====>清0则OVER!
:004012A3
5D pop
ebp
:004012A4 83C454
add esp, 00000054
:004012A7 C3
ret
—————————————————————————————————
进入算法CALL:401252 call 004012B0
*
Referenced by a CALL at Address:
|:00401252
|
:004012B0 8B4C2408
mov ecx, dword ptr [esp+08]
:004012B4
8B542404 mov edx, dword
ptr [esp+04]
====>EDX=fly
:004012B8
03D1 add
edx, ecx
:004012BA 83EC0C
sub esp, 0000000C
:004012BD B801000000
mov eax, 00000001
:004012C2 8A0A
mov cl, byte ptr [edx]
====>CL=66
:004012C4
56 push
esi
:004012C5 84C9
test cl, cl
:004012C7 7413
je 004012DC
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012DA(C)
|
:004012C9
0FBEC9 movsx ecx,
cl
1、 ====>ECX=CL=66
2、 ====>ECX=6C
3、 ====>ECX=79
:004012CC
8BF1 mov
esi, ecx
:004012CE 0FAFF1
imul esi, ecx
1、 ====>ESI=66 * 66=28A4
2、 ====>ESI=6C * 6C=2D90
3、 ====>ESI=79 * 79=3931
:004012D1
8A4A01 mov cl, byte
ptr [edx+01]
1、 ====>CL=6C
:004012D4
0FAFC6 imul eax,
esi
1、 ====>EAX=01 * 28A4=28A4
2、 ====>EAX=28A4 * 2D90=073BB040
3、 ====>EAX=073BB040 * 3931=ACAAFC40
:004012D7
42 inc
edx
:004012D8 84C9
test cl, cl
:004012DA 75ED
jne 004012C9
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012C7(C)
|
:004012DC
8B74241C mov esi, dword
ptr [esp+1C]
:004012E0 33C9
xor ecx, ecx
:004012E2 8BD6
mov edx, esi
:004012E4 6A24
push 00000024
:004012E6
3517108519 xor eax, 19851017
====>EAX=ACAAFC40 XOR 19851017=B52FEC57
:004012EB
890A mov
dword ptr [edx], ecx
:004012ED 66894A04
mov word ptr [edx+04], cx
:004012F1 8D4C2408
lea ecx, dword ptr [esp+08]
:004012F5
51 push
ecx
:004012F6 50
push eax
:004012F7 E8C70B0200
call 00421EC3
====>又是一个子运算CALL!进入!
:004012FC
8D542410 lea edx, dword
ptr [esp+10]
====>EDX=1e9ttnb
:00401300 52 push edx
* Possible StringData
Ref from Data Obj ->"%.5s"
|
:00401301
681CC14200 push 0042C11C
:00401306
56 push
esi
:00401307 E8BC730100 call
004186C8
====>此CALL将上面所得字符截取前5位!
====>ESI=1e9tt
:0040130C
83C418 add esp,
00000018
:0040130F 33C9
xor ecx, ecx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040132F(C)
|
:00401311
8A0431 mov al, byte
ptr [ecx+esi]
:00401314 3C61
cmp al, 61
:00401316 7C0B
jl 00401323
:00401318 3C7A
cmp al, 7A
:0040131A
7F07 jg 00401323
:0040131C
2C20 sub
al, 20
:0040131E 880431
mov byte ptr [ecx+esi], al
:00401321 EB08
jmp 0040132B
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401316(C),
:0040131A(C)
|
:00401323 84C0
test al, al
:00401325 7504
jne 0040132B
:00401327 C6043130
mov byte ptr [ecx+esi],
30
* Referenced by a
(U)nconditional or (C)onditional Jump at Addresses:
|:00401321(U), :00401325(C)
|
:0040132B
41 inc
ecx
:0040132C 83F905
cmp ecx, 00000005
:0040132F 7CE0
jl 00401311
====>这个小循环是将1e9tt中的小写字母转换为大写字母!
====>ESI=1e9tt 转换为 1E9TT
:00401331
5E pop
esi
:00401332 83C40C
add esp, 0000000C
:00401335 C20C00
ret 000C
—————————————————————————————————
进入子运算CALL:004012F7 call 00421EC3
再进入:00421EE0 call 00421E67
*
Referenced by a CALL at Addresses:
|:00421E5A , :00421EE0
|
:00421E67
55 push
ebp
:00421E68 8BEC
mov ebp, esp
:00421E6A 837D1400
cmp dword ptr [ebp+14], 00000000
:00421E6E 8B4D0C
mov ecx, dword ptr [ebp+0C]
:00421E71
53 push
ebx
:00421E72 56
push esi
:00421E73 57
push edi
:00421E74 740B
je 00421E81
:00421E76 8B7508
mov esi, dword ptr
[ebp+08]
:00421E79 C6012D
mov byte ptr [ecx], 2D
:00421E7C 41
inc ecx
:00421E7D F7DE
neg esi
:00421E7F
EB03 jmp
00421E84
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421E74(C)
|
:00421E81
8B7508 mov esi,
dword ptr [ebp+08]
====>ESI=B52FEC57
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E7F(U)
|
:00421E84
8BF9 mov
edi, ecx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421EAA(C)
|
:00421E86
8BC6 mov
eax, esi
:00421E88 33D2
xor edx, edx
:00421E8A F77510
div [ebp+10]
====>[ebp+10]=24
1、 ====>EDX=B52FEC57 % 24=0B
2、 ====>EDX=0508713B % 24=17
3、 ====>EDX=0023CA41 % 24=1D
4、 ====>EDX=0000FE81 % 24=1D
5、 ====>EDX=00000711 % 24=09
6、 ====>EDX=00000032 % 24=0E
7、 ====>EDX=00000001 % 24=01
:00421E8D
8BC6 mov
eax, esi
:00421E8F 8BDA
mov ebx, edx
:00421E91 33D2
xor edx, edx
:00421E93 F77510
div [ebp+10]
1、 ====>EAX=B52FEC57 / 24=0508713B
2、 ====>EAX=0508713B / 24=0023CA41
3、 ====>EAX=0023CA41 / 24=0000FE81
4、 ====>EAX=0000FE81 / 24=00000711
5、 ====>EAX=00000711 / 24=00000032
6、 ====>EAX=00000032 / 24=00000001
7、 ====>EAX=00000001 / 24=00000000
:00421E96
83FB09 cmp ebx,
00000009
:00421E99 8BF0
mov esi, eax
====>ESI=EAX
:00421E9B
7605 jbe
00421EA2
:00421E9D 80C357
add bl, 57
1、 ====>BL=0B + 57=62 即字符:b
2、 ====>BL=17 + 57=6E 即字符:n
3、 ====>BL=1D + 57=74 即字符:t
4、 ====>BL=1D + 57=74 即字符:t
6、 ====>BL=0E + 57=65 即字符:e
:00421EA0 EB03 jmp 00421EA5
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00421E9B(C)
|
:00421EA2
80C330 add bl, 30
5、 ====>BL=09 + 30=39 即字符:9
7、 ====>BL=01 + 30=31 即字符:1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EA0(U)
|
:00421EA5
8819 mov
byte ptr [ecx], bl
====>BL 入 [ecx]处
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
循环结束后[ECX]内存中的值:
006DEE3C
62 6E 74 74 39 65 31
bntt9e1
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00421EA7
41 inc
ecx
:00421EA8 85F6
test esi, esi
:00421EAA 77DA
ja 00421E86
====>循环!
:00421EAC
802100 and byte
ptr [ecx], 00
:00421EAF 49
dec ecx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EBC(C)
|
:00421EB0
8A17 mov
dl, byte ptr [edi]
:00421EB2 8A01
mov al, byte ptr [ecx]
:00421EB4 8811
mov byte ptr [ecx], dl
:00421EB6
8807 mov
byte ptr [edi], al
:00421EB8 49
dec ecx
:00421EB9 47
inc edi
:00421EBA 3BF9
cmp edi, ecx
:00421EBC
72F2 jb 00421EB0
====>这个小循环是将bntt9e1倒序为:1e9ttnb
:00421EBE
5F pop
edi
:00421EBF 5E
pop esi
:00421EC0 5B
pop ebx
:00421EC1 5D
pop ebp
:00421EC2 C3
ret
—————————————————————————————————
【完 美 爆 破】:
呵呵,完美爆破很简单。
004012A1
32C0 xor
al, al
改为: B001
mov al, 01 就OK了!与401298处相映成趣!
—————————————————————————————————
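【注册信息保存】:
注册信息以明文保存在注册表 HKEY_LOCAL_MACHINE\Software\SsmI 下,两项的值各为 30 字节(0x1E,与 00408C25 处 push 0000001E 的长度相同);用户名 "fly" 的结束符 00 之后的字节看起来是缓冲区中残留的未初始化数据。
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\SsmI]
"User Name"=hex:66,6c,79,00,4c,ef,6d,00,80,ef,6d,00,18,02,00,00,37,01,00,00,17,\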
03,00,00,fd,01,00,00,8f,03
"Register Code"=hex:31,45,39,54,54,2d,35,47,44,47,47,2d,37,32,57,57,38,2d,37,\
32,57,52,39,2d,31,31,4d,47,47,00
—————————————————————————————————
【整 理】:
用户名:fly
注册码:1E9TT-5GDGG-72WW8-72WR9-11MGG
—————————————————————————————————
Cracked By
巢水工作坊——fly【OCN】
2003-10-10 21:21