简单算法——梦幻家庭相册
V1.0
下载页面: http://www.dreamcnsoft.com
软件大小: 1374K
适用平台: WIN9x, Win2000, WinNT
【软件简介】:梦幻家庭相册可以将你电脑中的图片收藏在一个数据库中,利于图片的保存,收藏,浏览和管理,你可以对图片进行分类管理,可以对分类进行加密,可以全屏幻灯片浏览图片,可以分页查看图像的缩略图。
【软件限制】:NAG
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、CasprGui、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
DreamPhoto.exe 是ASProtect 1.2壳,用CasprGui脱之。328K->813K。
Visual C++ 6.0 编写。
晕,又是一个点注册毫无提示的家伙,反汇编也没有什么发现,只好用TRW的万能断点拦截了。
机器码:693923357
试炼码:13572468
—————————————————————————————————
:0040BCA5
FF15FC614300 call dword ptr [004361FC]
====>呵呵,取我的硬盘序列号
:0040BCAB
8B442414 mov eax, dword
ptr [esp+14]
====>EAX=211C1E09
:0040BCAF
68F8514400 push 004451F8
:0040BCB4
3514704008 xor eax, 08407014
====>EAX=211C1E09 XOR 08407014=295C6E1D
====>295C6E1D(H)=693923357(D)这就是显示的机器码
:0040BCB9
8D4C2420 lea ecx, dword
ptr [esp+20]
:0040BCBD 89442418
mov dword ptr [esp+18], eax
:0040BCC1 8BD8
mov ebx, eax
:0040BCC3 E8CFE40100
call 0042A197
:0040BCC8 A1E85A4400
mov eax, dword ptr [00445AE8]
:0040BCCD
33C9 xor
ecx, ecx
====>ECX=0
:0040BCCF
898C24BC000000 mov dword ptr [esp+000000BC],
ecx
:0040BCD6 89442418 mov
dword ptr [esp+18], eax
:0040BCDA 89442420
mov dword ptr [esp+20], eax
:0040BCDE 8B74241C
mov esi, dword ptr [esp+1C]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[esp+1C]内存中的值:
这个参数是程序自给!
01254660 37 78 6C 34 31 30
38 30 34 6C 33 30 31 38 30 31 7xl410804l301801
01254670 30 30 33
31
0031
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:0040BCE2
C68424BC00000002 mov byte ptr [esp+000000BC], 02
:0040BCEA
8B56F8 mov edx,
dword ptr [esi-08]
====>取上面字符串的长度
:0040BCED
3BD1 cmp
edx, ecx
====>EDX=14(H),即上面字符串的长度20(D)
:0040BCEF 7E21 jle 0040BD12
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0040BD10(C)
|
:0040BCF1 8A0431
mov al, byte ptr [ecx+esi]
====>依次取7xl410804l3018010031字符的HEX值
:0040BCF4
8B7C2414 mov edi, dword
ptr [esp+14]
====>EDI=[esp+14]
:0040BCF8
2C78 sub
al, 78
1、 ====>AL=37 - 78=BF
2、
====>AL=78 - 78=00
3、 ====>AL=6C - 78=F4
…… …… 省 略 …… ……
20、 ====>AL=31 - 78=B9
:0040BCFA
88442410 mov byte ptr [esp+10],
al
:0040BCFE 8B442410 mov
eax, dword ptr [esp+10]
:0040BD02 25FF000000
and eax, 000000FF
:0040BD07 33F8
xor edi, eax
1、 ====>EDI=295C6E1D
XOR BF=295C6EA2
2、 ====>EDI=295C6EA2 XOR 00=295C6EA2
3、 ====>EDI=295C6EA2 XOR F4=295C6E56
……
…… 省 略 …… ……
20、 ====>EDI=295C6E1B XOR
B9=295C6EA2
:0040BD09 41
inc ecx
:0040BD0A 3BCA
cmp ecx,
edx
:0040BD0C 897C2414 mov
dword ptr [esp+14], edi
====>结果入[esp+14]
:0040BD10
7CDF jl 0040BCF1
====>循环异或20次!
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040BCEF(C)
|
:0040BD12
8B442414 mov eax, dword
ptr [esp+14]
====>EAX=295C6EA2
:0040BD16
8D4C2410 lea ecx, dword
ptr [esp+10]
:0040BD1A 99
cdq
:0040BD1B 33C2
xor eax, edx
:0040BD1D 2BC2
sub eax, edx
:0040BD1F
50 push
eax
:0040BD20 51
push ecx
:0040BD21 8BCD
mov ecx, ebp
:0040BD23 E8A8020000
call 0040BFD0
====>关键CALL!进入!
:0040BD28 50
push eax
:0040BD29
8D4C241C lea ecx, dword
ptr [esp+1C]
:0040BD2D C68424C000000003 mov byte
ptr [esp+000000C0], 03
:0040BD35 E828E50100
call 0042A262
:0040BD3A 8D4C2410
lea ecx, dword ptr [esp+10]
:0040BD3E C68424BC00000002
mov byte ptr [esp+000000BC], 02
:0040BD46 E8DEE30100
call 0042A129
:0040BD4B 8B542418
mov edx, dword ptr [esp+18]
====>EDX=r1jdDltrcR-+vf=!3?fHE 注册码
:0040BD4F
8B859C000000 mov eax, dword ptr [ebp+0000009C]
====>EAX=13572468
试炼码
:0040BD55 52
push edx
:0040BD56
50 push
eax
:0040BD57 E8A6BD0000 call
00417B02
====>比较CALL!(EDX=程序自己算出的注册码,EAX=输入的试炼码;从返回值为0即通过来看,应为字符串比较)
:0040BD5C
83C408 add esp,
00000008
:0040BD5F 85C0
test eax, eax
:0040BD61 0F8576010000
jne 0040BEDD
====>跳则OVER!
:0040BD67
B919000000 mov ecx, 00000019
:0040BD6C
8D7C2450 lea edi, dword
ptr [esp+50]
:0040BD70 F3
repz
:0040BD71 AB
stosd
:0040BD72 8B7C2418
mov edi, dword ptr [esp+18]
:0040BD76
83C9FF or ecx, FFFFFFFF
:0040BD79
F2 repnz
:0040BD7A
AE scasb
:0040BD7B
F7D1 not
ecx
:0040BD7D 2BF9
sub edi, ecx
:0040BD7F 8D542450
lea edx, dword ptr [esp+50]
:0040BD83 8BC1
mov eax, ecx
:0040BD85
8BF7 mov
esi, edi
:0040BD87 8BFA
mov edi, edx
:0040BD89 C1E902
shr ecx, 02
:0040BD8C F3
repz
:0040BD8D A5
movsd
:0040BD8E
8BC8 mov
ecx, eax
:0040BD90 83E103
and ecx, 00000003
:0040BD93 F3
repz
:0040BD94 A4
movsb
:0040BD95 8D4C2424
lea ecx, dword ptr [esp+24]
:0040BD99
51 push
ecx
:0040BD9A 6898564400 push
00445698
:0040BD9F 6801000080 push
80000001
:0040BDA4 FF1518604300 call
dword ptr [00436018]
:0040BDAA 8B542424
mov edx, dword ptr [esp+24]
:0040BDAE 52
push edx
:0040BDAF
FF1500604300 call dword ptr [00436000]
:0040BDB5
8D4C2428 lea ecx, dword
ptr [esp+28]
:0040BDB9 E8D2C3FFFF
call 00408190
:0040BDBE 6898564400
push 00445698
:0040BDC3 6801000080
push 80000001
:0040BDC8 8D4C2430
lea ecx, dword ptr [esp+30]
:0040BDCC C68424C400000004
mov byte ptr [esp+000000C4], 04
:0040BDD4 C744243001000080
mov [esp+30], 80000001
:0040BDDC E8DFC3FFFF
call 004081C0
:0040BDE1 6A00
push 00000000
:0040BDE3
6894564400 push 00445694
:0040BDE8
688C564400 push 0044568C
:0040BDED
8D4C2434 lea ecx, dword
ptr [esp+34]
:0040BDF1 E80AC5FFFF
call 00408300
:0040BDF6 6A00
push 00000000
:0040BDF8 53
push ebx
:0040BDF9 6880564400
push 00445680
:0040BDFE 8D4C2434
lea ecx, dword ptr [esp+34]
:0040BE02
E8B9C4FFFF call 004082C0
:0040BE07
8D442450 lea eax, dword
ptr [esp+50]
:0040BE0B 6A00
push 00000000
:0040BE0D 50
push eax
:0040BE0E 6814524400
push 00445214
:0040BE13 8D4C2434
lea ecx, dword ptr [esp+34]
:0040BE17
E8E4C4FFFF call 00408300
:0040BE1C
8D4C2428 lea ecx, dword
ptr [esp+28]
:0040BE20 E8EBC3FFFF
call 00408210
:0040BE25 8B0DE85A4400
mov ecx, dword ptr [00445AE8]
:0040BE2B 894C2410
mov dword ptr [esp+10], ecx
:0040BE2F 8D542450
lea edx, dword ptr [esp+50]
:0040BE33
8D442410 lea eax, dword
ptr [esp+10]
:0040BE37 52
push edx
:0040BE38 53
push ebx
:0040BE39 6848564400
push 00445648
:0040BE3E 50
push
eax
:0040BE3F C68424CC00000005 mov byte ptr [esp+000000CC],
05
:0040BE47 E8C08B0100 call
00424A0C
:0040BE4C 83C410
add esp, 00000010
:0040BE4F 8D4C2438
lea ecx, dword ptr [esp+38]
:0040BE53 E85BF10100
call 0042AFB3
:0040BE58 6A00
push 00000000
:0040BE5A
6801100000 push 00001001
:0040BE5F
6838564400 push 00445638
:0040BE64
8D4C2444 lea ecx, dword
ptr [esp+44]
:0040BE68 C68424C800000006 mov byte
ptr [esp+000000C8], 06
:0040BE70 E850F20100
call 0042B0C5
:0040BE75 8B442410
mov eax, dword ptr [esp+10]
:0040BE79 8B48F8
mov ecx, dword ptr [eax-08]
:0040BE7C
51 push
ecx
:0040BE7D 50
push eax
:0040BE7E 8D4C2440
lea ecx, dword ptr [esp+40]
:0040BE82 E895F30100
call 0042B21C
:0040BE87 8D4C2438
lea ecx, dword ptr [esp+38]
:0040BE8B
E850F40100 call 0042B2E0
:0040BE90
6A00 push
00000000
:0040BE92 6830564400 push
00445630
:0040BE97 6820564400 push
00445620
:0040BE9C 8BCD
mov ecx, ebp
:0040BE9E E848C60100
call 004284EB
====>呵呵,胜利女神!
—————————————————————————————————
进入关键CALL:0040BD23
call 0040BFD0
* Referenced by a CALL at
Address:
|:0040BD23
|
:0040BFD0 6AFF
push FFFFFFFF
*
Possible Reference to Dialog:
|
:0040BFD2
682F434300 push 0043432F
:0040BFD7
64A100000000 mov eax, dword ptr fs:[00000000]
:0040BFDD
50 push
eax
:0040BFDE 64892500000000 mov dword ptr
fs:[00000000], esp
:0040BFE5 83EC1C
sub esp, 0000001C
:0040BFE8 A1E85A4400
mov eax, dword ptr [00445AE8]
:0040BFED 53
push ebx
:0040BFEE
55 push
ebp
:0040BFEF 56
push esi
:0040BFF0 33F6
xor esi, esi
:0040BFF2 57
push edi
:0040BFF3 89742428
mov dword ptr [esp+28],
esi
:0040BFF7 89442414 mov
dword ptr [esp+14], eax
:0040BFFB C744243401000000 mov
[esp+34], 00000001
:0040C003 89442418
mov dword ptr [esp+18], eax
:0040C007 89442410
mov dword ptr [esp+10], eax
:0040C00B 8B442440
mov eax, dword ptr [esp+40]
====>EAX=295C6EA2
:0040C00F
C644243403 mov [esp+34], 03
:0040C014
0FAFC0 imul eax,
eax
====>EAX=295C6EA2 * 295C6EA2=983F9E84
:0040C017
69C039A91A70 imul eax, 701AA939
====>EAX=983F9E84 * 701AA939=BF376F64(H)
:0040C01D
50 push
eax
:0040C01E 8D442414 lea
eax, dword ptr [esp+14]
:0040C022 6850524400
push 00445250
:0040C027 50
push eax
:0040C028 E8DF890100
call 00424A0C
====>取BF376F64的10进制值
:0040C02D 8B44241C
mov eax, dword ptr [esp+1C]
====>EAX=3208081252(D)=BF376F64(H)
:0040C031
8B3D10634300 mov edi, dword ptr [00436310]
:0040C037
83C40C add esp,
0000000C
:0040C03A 3970F8
cmp dword ptr [eax-08], esi
:0040C03D 7E77
jle 0040C0B6
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C0B4(C)
|
:0040C03F
8A0C06 mov cl, byte
ptr [esi+eax]
====>CL=依次正序取3208081252字符的HEX值
:0040C042
6A01 push
00000001
:0040C044 884C2444
mov byte ptr [esp+44], cl
:0040C048 8B542444
mov edx, dword ptr [esp+44]
:0040C04C 52
push edx
:0040C04D
8D4C2424 lea ecx, dword
ptr [esp+24]
:0040C051 E867850100
call 004245BD
:0040C056 8B00
mov eax, dword ptr [eax]
:0040C058 50
push eax
:0040C059
FFD7 call
edi
====>把所取字符的HEX值转化为数字,即:-30
:0040C05B
8D4C241C lea ecx, dword
ptr [esp+1C]
:0040C05F 8BE8
mov ebp, eax
====>EBP=EAX=依次正序所取的数字
:0040C061
E8C3E00100 call 0042A129
:0040C066
8B4C2410 mov ecx, dword
ptr [esp+10]
:0040C06A 6A01
push 00000001
:0040C06C 8B41F8
mov eax, dword ptr [ecx-08]
====>取3208081252长度 EAX=A
:0040C06F
2BC6 sub
eax, esi
:0040C071 8A4408FF
mov al, byte ptr [eax+ecx-01]
====>AL=依次倒序取3208081252字符的HEX值
:0040C075
88442424 mov byte ptr [esp+24],
al
:0040C079 8B4C2424 mov
ecx, dword ptr [esp+24]
:0040C07D 51
push ecx
:0040C07E 8D4C242C
lea ecx, dword ptr [esp+2C]
:0040C082
E836850100 call 004245BD
:0040C087
8B00 mov
eax, dword ptr [eax]
:0040C089 50
push eax
:0040C08A FFD7
call edi
====>把所取字符的HEX值转化为数字,即:-30
:0040C08C
8D4C2424 lea ecx, dword
ptr [esp+24]
:0040C090 8BD8
mov ebx, eax
====>EBX=EAX=依次倒序所取的数字
:0040C092
E892E00100 call 0042A129
:0040C097
8D54AD00 lea edx, dword
ptr [ebp+4*ebp]
====>EDX=依次正序所取的数字 *
5
:0040C09B 8D4C2414
lea ecx, dword ptr [esp+14]
:0040C09F 8A845358554400
mov al, byte ptr [ebx+2*edx+00445558]
====>AL=以(依次倒序所取的数字+依次正序所取的数字
* 5 * 2)为指针从[00445558]的表中取值!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[00445558]内存中是一张表
:
00445558 64 67 6A 3B 63 73 74 46 44 39 64
72 65 54 6D 73 dgj;cstFD9dreTms
00445568 4D 66 74 73 72 53
79 52 71 31 36 30 71 6E 77 65 MftsrSyRq160qnwe
00445578 72 66 73
62 4A 6B 6C 39 61 66 68 43 54 59 53 47 rfsbJkl9afhCTYSG
00445588 6B
6E 6D 67 63 67 72 6B 74 62 6F 49 6C 68 68 69 knmgcgrktboIlhhi
00445598
76 55 34 74 63 4F 78 69 65 35 75 32 72 76 78 50 vU4tcOxie5u2rvxP
004455A8
6C 64 79 77 65 6C 45 62 4A 56 5A 37 58 34 56 4E ldywelEbJVZ7X4VN
004455B8
31 45 4C 4D 40 31 66 45 45 48 58 4E 21 78 71 21 1ELM@1fEEHXN!xq!
004455C8
68 61 46 73 48 53 3F 4B 66 40 23 45 62 76 63 45 haFsHS?Kf@#EbvcE
004455D8
7A 46 23 2D 2B 21 47 35 21 53 7C 3D 3D 24 2F 40 zF#-+!G5!S|==$/@
004455E8
21 2F 39 35 33 36 46 40 48 4A 7C 63 2D 78 67 34 !/9536F@HJ|c-xg4
004455F8
31 2D 34 3D 35 67 6A 2F 6A 2B 40 30 30 43 2A 2D 1-4=5gj/j+@00C*-
00445608
24 21 6E 33 33 3D 23 39 7C 32 3D 35 58 5A 2A 24 $!n33=#9|2=5XZ*$
00445618
7C 33 43 42 4D 41 53 44
|3CBMASD
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
====>依次所取的字符是:r、1、j、d、D、l、t、r、c、R
:0040C0A6
50 push
eax
:0040C0A7 E880E40100 call
0042A52C
:0040C0AC 8B442410
mov eax, dword ptr [esp+10]
:0040C0B0 46
inc esi
:0040C0B1 3B70F8
cmp esi, dword ptr [eax-08]
:0040C0B4
7C89 jl 0040C03F
====>循环10次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C03D(C)
|
:0040C0B6
8B48F8 mov ecx,
dword ptr [eax-08]
:0040C0B9 33F6
xor esi, esi
:0040C0BB 85C9
test ecx, ecx
:0040C0BD 7E77
jle 0040C136
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C134(C)
|
:0040C0BF
8A0C06 mov cl, byte
ptr [esi+eax]
====>CL=依次正序取3208081252字符的HEX值
:0040C0C2
6A01 push
00000001
:0040C0C4 884C2444
mov byte ptr [esp+44], cl
:0040C0C8 8B542444
mov edx, dword ptr [esp+44]
:0040C0CC 52
push edx
:0040C0CD
8D4C242C lea ecx, dword
ptr [esp+2C]
:0040C0D1 E8E7840100
call 004245BD
:0040C0D6 8B00
mov eax, dword ptr [eax]
:0040C0D8 50
push eax
:0040C0D9
FFD7 call
edi
====>把所取字符的HEX值转化为数字,即:-30
:0040C0DB
8D4C2424 lea ecx, dword
ptr [esp+24]
:0040C0DF 8BE8
mov ebp, eax
====>EBP=EAX=依次正序所取的数字
:0040C0E1
E843E00100 call 0042A129
:0040C0E6
8B4C2410 mov ecx, dword
ptr [esp+10]
:0040C0EA 6A01
push 00000001
:0040C0EC 8B41F8
mov eax, dword ptr [ecx-08]
====>取3208081252长度 EAX=A
:0040C0EF
2BC6 sub
eax, esi
:0040C0F1 8A4408FF
mov al, byte ptr [eax+ecx-01]
====>AL=依次倒序取3208081252字符的HEX值
:0040C0F5
88442424 mov byte ptr [esp+24],
al
:0040C0F9 8B4C2424 mov
ecx, dword ptr [esp+24]
:0040C0FD 51
push ecx
:0040C0FE 8D4C2424
lea ecx, dword ptr [esp+24]
:0040C102
E8B6840100 call 004245BD
:0040C107
8B00 mov
eax, dword ptr [eax]
:0040C109 50
push eax
:0040C10A FFD7
call edi
====>把所取字符的HEX值转化为数字,即:-30
:0040C10C
8D4C241C lea ecx, dword
ptr [esp+1C]
:0040C110 8BD8
mov ebx, eax
====>EBX=EAX=依次倒序所取的数字
:0040C112
E812E00100 call 0042A129
:0040C117
8D54AD00 lea edx, dword
ptr [ebp+4*ebp]
====>EDX=依次正序所取的数字 *
5
:0040C11B 8D4C2418
lea ecx, dword ptr [esp+18]
:0040C11F 8A8453BC554400
mov al, byte ptr [ebx+2*edx+004455BC]
====>AL=以(依次倒序所取的数字+依次正序所取的数字
* 5 * 2)为指针从[004455BC]的表中取值!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[004455BC]内存中是一张表
:
004455BC 40 31 66 45 45 48 58 4E 21 78 71
21 68 61 46 73 @1fEEHXN!xq!haFs
004455CC 48 53 3F 4B 66 40 23 45
62 76 63 45 7A 46 23 2D HS?Kf@#EbvcEzF#-
004455DC 2B 21 47 35 21
53 7C 3D 3D 24 2F 40 21 2F 39 35 +!G5!S|==$/@!/95
004455EC 33 36
46 40 48 4A 7C 63 2D 78 67 34 31 2D 34 3D 36F@HJ|c-xg41-4=
004455FC 35
67 6A 2F 6A 2B 40 30 30 43 2A 2D 24 21 6E 33 5gj/j+@00C*-$!n3
0044560C
33 3D 23 39 7C 32 3D 35 58 5A 2A 24 7C 33 43 42 3=#9|2=5XZ*$|3CB
0044561C
4D 41 53 44
MASD
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
====>依次所取的字符是:+、v、f、=、!、3、?、f、H、E
:0040C126
50 push
eax
:0040C127 E800E40100 call
0042A52C
:0040C12C 8B442410
mov eax, dword ptr [esp+10]
:0040C130 46
inc esi
:0040C131 3B70F8
cmp esi, dword ptr [eax-08]
:0040C134
7C89 jl 0040C0BF
====>循环10次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C0BD(C)
|
:0040C136
8D4C2414 lea ecx, dword
ptr [esp+14]
:0040C13A 684C524400
push 0044524C
:0040C13F 8D542428
lea edx, dword ptr [esp+28]
:0040C143 51
push ecx
:0040C144 52
push
edx
:0040C145 E874E20100 call
0042A3BE
====>在第一组字符后插入-
:0040C14A
8D4C2418 lea ecx, dword
ptr [esp+18]
:0040C14E 8D542440
lea edx, dword ptr [esp+40]
:0040C152 51
push ecx
:0040C153 B304
mov bl, 04
:0040C155
50 push
eax
====>EAX=r1jdDltrcR-
:0040C156
52 push
edx
:0040C157 885C2440 mov
byte ptr [esp+40], bl
:0040C15B E8F8E10100
call 0042A358
====>将以上2次大循环所得的字符连接起来(中间已插入-)
:0040C160
50 push
eax
====>EAX=r1jdDltrcR-+vf=!3?fHE
这就是我的注册码了!
:0040C161 8D4C2418
lea ecx, dword ptr [esp+18]
:0040C165 C644243805
mov [esp+38], 05
:0040C16A
E8F3E00100 call 0042A262
:0040C16F
8D4C2440 lea ecx, dword
ptr [esp+40]
:0040C173 885C2434
mov byte ptr [esp+34], bl
:0040C177 E8ADDF0100
call 0042A129
:0040C17C 8D4C2424
lea ecx, dword ptr [esp+24]
:0040C180 C644243403
mov [esp+34], 03
:0040C185
E89FDF0100 call 0042A129
:0040C18A
8B74243C mov esi, dword
ptr [esp+3C]
:0040C18E 8D442414
lea eax, dword ptr [esp+14]
:0040C192 50
push eax
:0040C193 8BCE
mov ecx, esi
:0040C195
E804DD0100 call 00429E9E
:0040C19A
C744242801000000 mov [esp+28], 00000001
:0040C1A2
8D4C2410 lea ecx, dword
ptr [esp+10]
:0040C1A6 C644243402
mov [esp+34], 02
:0040C1AB E879DF0100
call 0042A129
:0040C1B0 8D4C2418
lea ecx, dword ptr [esp+18]
:0040C1B4 C644243401
mov [esp+34], 01
:0040C1B9 E86BDF0100
call 0042A129
:0040C1BE 8D4C2414
lea ecx, dword ptr [esp+14]
:0040C1C2
C644243400 mov [esp+34], 00
:0040C1C7
E85DDF0100 call 0042A129
:0040C1CC
8B4C242C mov ecx, dword
ptr [esp+2C]
:0040C1D0 8BC6
mov eax, esi
:0040C1D2 5F
pop edi
:0040C1D3 5E
pop esi
:0040C1D4
5D pop
ebp
:0040C1D5 5B
pop ebx
:0040C1D6 64890D00000000 mov
dword ptr fs:[00000000], ecx
:0040C1DD 83C428
add esp, 00000028
:0040C1E0 C20800
ret 0008
—————————————————————————————————
【算 法 总 结】:
1、取我的硬盘序列号211C1E09 XOR 08407014=295C6E1D(H)=693923357(D)这就是显示的机器码
2、取程序给的7xl410804l3018010031字符的HEX值,依次-78,再循环异或295C6E1D
295C6E1D XOR BF XOR 00 XOR F4 …… XOR B9=295C6EA2
3、295C6EA2 * 295C6EA2 * 701AA939=BF376F64(H)
4、取BF376F64的10进制值3208081252
5、以(依次倒序所取的数字+依次正序所取的数字
* 5 * 2)为指针从[00445558]的表中取值
依次所取的字符是:r、1、j、d、D、l、t、r、c、R
6、以(依次倒序所取的数字+依次正序所取的数字
* 5 * 2)为指针从[004455BC]的表中取值
依次所取的字符是:+、v、f、=、!、3、?、f、H、E
7、在2组字符间插入-
8、连接这三部分,得出注册码:r1jdDltrcR-+vf=!3?fHE
—————————————————————————————————
【完 美 爆 破】:
0040BD4F 8B859C000000
mov eax, dword ptr [ebp+0000009C]
改为:
8B4424189090 mov edx, dword ptr [esp+18]
补2个NOP
呵呵,让真码去和真码比较吧! ^O^ ^O^
程序自动保存真码了!
—————————————————————————————————
【KeyMake之{81th}内存注册机】:
中断地址:0040BD55
中断次数:1
第一字节:52
指令长度:1
内存方式:EDX
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Dreamcn.Net\DreamPhoto\1.0]
"RegYes"="1"
"MachineNo"=dword:295c6e1d
"RegCode"="r1jdDltrcR-+vf=!3?fHE"
—————————————————————————————————
【整 理】:
机器码:693923357
注册码:r1jdDltrcR-+vf=!3?fHE
—————————————————————————————————
, _/
/| _.-~/
\_ , 青春都一饷
( /~ / \~-._
|\
`\\ _/
\ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-.
换了破解轻狂
`~ _( ,_..--\ ( ,;'' /
~-- /._`\
/~~//' /' `~\
) /--.._, )_ `~
" `~" "
`" /~'`\ `\\~~\
"
" "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-05-06 14:33