目标软件: mjqchess V1.5
软件大小: 770 KB
软件语言: 中文
应用平台: Win9x/NT/2000/XP
下载地址: http://reddog.myrice.com/chess.exe
软件介绍:
下午考完期末考试的第一科,第二科还好几天,感觉无聊,那就和电脑下下象棋玩玩吧:)可刚一双击图标,跳出来的却是个注册对话框(还好没晕倒:)),算了,“下次再说”,刚下了两步,蹦出个消息框:“请注册”!
经过n-1次的容忍,我受不了了!!!我要踩了你。。。。。。好,开工! 破解过程:
* Possible Reference to Dialog: DialogID_00AA, CONTROL_ID:03E9, "" * Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: :00407263 3C57
cmp al, 57
//‘W’ * Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: * Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: * Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: * Referenced by a (U)nconditional or (C)onditional Jump at
Address: * Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: * Possible StringData Ref from Data Obj ->"chess.mjq"
///上面所有的步骤都通过了,表明注册码正确,加密后写入文件“chess.mjq”中,以便程序启动时检查 * Reference To: USER32.ShowWindow, Ord:026Ah * Possible StringData Ref from Data Obj ->"谢谢" * Possible StringData Ref from Data Obj ->"非常感谢您的注册!" * Reference To: USER32.MessageBoxA, Ord:01BEh * Referenced by a (U)nconditional or (C)onditional Jump at
Address: * Reference To: USER32.EndDialog, Ord:00B9h * Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: * Referenced by a (U)nconditional or (C)onditional Jump at
Address:
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: * Possible StringData Ref from Data Obj ->"错误" * Possible StringData Ref from Data Obj ->"您输入的注册码不正确!" * Reference To: USER32.MessageBoxA, Ord:01BEh * Referenced by a (U)nconditional or (C)onditional Jump at
Addresses: * Possible StringData Ref from Data Obj ->"错误" * Possible StringData Ref from Data Obj ->"输入项不能为空!"
总结:此软件只要求输入的注册码是9位:第3个字符的ASCII值要能被11H(也就是十进制17)整除,第6个字符的ASCII值要能被03H(也就是十进制3)整除,第9个字符的ASCII值要能被0DH(也就是十进制13)整除,并且其它每一位的字符是上面分析出的可选字符之一就行(用户名并不参与运算)。也就是说,从上面的代码看,校验全部在本地用固定条件完成,注册码与用户名没有绑定,同一个注册码对任何用户名都有效,这正是这种保护方式的弱点。 注:破解过程中的辅助工具是我自己搞的,感觉还比较好用吧。已经传到“工具区”了,或者下载: knock. 2003-6-2
一款下象棋的软件,做得还比较好,分三个级别:初级、中级、高级。
工具:pw32dasmgold,
od109b-cn,
CrackTools(破解辅助工具,让计数器靠边站)
|
:00407208 68E9030000
push 000003E9
:0040720D 53
push ebx
:0040720E
FFD6 call
esi
:00407210 8D7C2440
lea edi, dword ptr [esp+40] //读入用户名
:00407214 83C9FF
or ecx, FFFFFFFF
:00407217
33C0 xor
eax, eax
:00407219 F2
repnz
:0040721A AE
scasb
:0040721B F7D1
not ecx
:0040721D 49
dec
ecx //用户名位数
:0040721E 0F84E5010000
je 00407409 //位数为0,挂!
:00407224 8D7C2420
lea edi, dword ptr [esp+20]
//读入注册(假)
:00407228 83C9FF
or ecx, FFFFFFFF
:0040722B F2
repnz
:0040722C AE
scasb
:0040722D
F7D1 not
ecx
:0040722F 49
dec ecx //注册码长度
:00407230 0F84D3010000
je 00407409 //长度为0,挂!
:00407236 8D7C2420
lea edi, dword ptr
[esp+20]//注册码(假)
:0040723A 83C9FF
or ecx, FFFFFFFF
:0040723D F2
repnz
:0040723E AE
scasb
:0040723F F7D1
not ecx
:00407241 49
dec ecx
:00407242 83F909
cmp ecx, 00000009
//长度为9 ?
:00407245 0F85A9010000
jne 004073F4 //不为9,去死吧
:0040724B 8A442420
mov al, byte ptr [esp+20]
//读入第一个字符
:0040724F 3C4D
cmp al, 4D
//和'M'比较
:00407251 740C
je 0040725F
//相等则比较下一个
:00407253 3C41
cmp al, 41
//和'A'比较
:00407255 7408
je 0040725F
:00407257 3C4F
cmp al, 4F
//和'O'比较
:00407259 0F8595010000 jne
004073F4
//不相等,死吧
|:00407251(C), :00407255(C)
|
:0040725F 8A442421
mov al, byte ptr [esp+21]
//第二个字符
:00407265 7410
je 00407277
:00407267 3C45
cmp al, 45
//‘E’
:00407269 740C
je
00407277
:0040726B 3C4E
cmp al, 4E
//‘N’
:0040726D 7408
je 00407277
:0040726F 3C47
cmp al, 47
//‘G’
:00407271 0F857D010000
jne 004073F4
|:00407265(C), :00407269(C), :0040726D(C)
|
:00407277
0FBE442422 movsx eax, byte ptr
[esp+22] //第3个字符
:0040727C 99
cdq
:0040727D B911000000
mov ecx, 00000011
:00407282 F7F9
idiv
ecx
:00407284 85D2
test edx, edx
:00407286 0F8568010000
jne 004073F4
//能否被16进制数11整除,不能就挂了
:0040728C 8A442423
mov al, byte ptr [esp+23] //第4个字符
:00407290 3C4A
cmp al, 4A
//‘J’
:00407292 7410
je
004072A4
:00407294 3C49
cmp al, 49
//‘I’
:00407296 740C
je 004072A4
:00407298 3C41
cmp al, 41
//‘A’
:0040729A 7408
je 004072A4
:0040729C 3C4E
cmp al, 4E
//‘N’
:0040729E 0F8550010000
jne 004073F4
|:00407292(C), :00407296(C), :0040729A(C)
|
:004072A4
8A442424 mov al, byte ptr
[esp+24]//第5个字符
:004072A8 3C58
cmp al, 58
//‘X’
:004072AA 740C
je 004072B8
:004072AC 3C49
cmp al, 49
//‘I’
:004072AE 7408
je 004072B8
:004072B0 3C55
cmp al, 55
//‘U’
:004072B2 0F853C010000
jne 004073F4
|:004072AA(C), :004072AE(C)
|
:004072B8 0FBE442425
movsx eax, byte ptr [esp+25]
//第6个字符
:004072BD 99
cdq
:004072BE B903000000
mov ecx, 00000003
:004072C3 F7F9
idiv ecx
:004072C5 85D2
test edx,
edx
:004072C7 0F8527010000 jne
004073F4 //ASCII值能否被3整除,不能就挂
:004072CD 8A442426
mov al, byte ptr
[esp+26]//第7个字符
:004072D1 3C51
cmp al, 51 //‘Q’
:004072D3 7408
je
004072DD
:004072D5 3C49
cmp al, 49
//‘I’
:004072D7 0F8517010000
jne 004073F4
|:004072D3(C)
|
:004072DD 8A442427
mov al, byte ptr [esp+27]//第8个字符
:004072E1 3C59
cmp al, 59
//‘Y’
:004072E3 740C
je
004072F1
:004072E5 3C55
cmp al, 55
//‘U’
:004072E7 7408
je 004072F1
:004072E9 3C4E
cmp al, 4E
//‘N’
:004072EB 0F8503010000
jne 004073F4
|:004072E3(C), :004072E7(C)
|
:004072F1 0FBE442428
movsx eax, byte ptr [esp+28]
//第9个字符
:004072F6 99
cdq
:004072F7 B90D000000
mov ecx, 0000000D
:004072FC F7F9
idiv ecx
:004072FE 85D2
test edx,
edx
:00407300 0F85EE000000 jne
004073F4 //ASCII值能否被0D整除,不能则挂
:00407306 8D4C2410
lea ecx, dword ptr
[esp+10]
:0040730A E8F6960000
call 00410A05
|
:0040730F BF78B14100
mov edi, 0041B178
:00407314 83C9FF
or ecx, FFFFFFFF
:00407317 33C0
xor eax,
eax
:00407319 8D542454
lea edx, dword ptr [esp+54]
:0040731D F2
repnz
:0040731E AE
scasb
:0040731F F7D1
not ecx
:00407321 2BF9
sub edi, ecx
:00407323
C784246001000000000000 mov dword ptr [esp+00000160], 00000000
:0040732E
8BC1 mov
eax, ecx
:00407330 8BF7
mov esi, edi
:00407332 8BFA
mov edi, edx
:00407334 C644240F0B
mov [esp+0F], 0B
:00407339
C1E902 shr ecx,
02
:0040733C F3
repz
:0040733D A5
movsd
:0040733E 8BC8
mov ecx, eax
:00407340
83E103 and ecx,
00000003
:00407343 F3
repz
:00407344 A4
movsb
:00407345 8D4C2454
lea ecx, dword ptr
[esp+54]
:00407349 51
push ecx
:0040734A E8B1FDFFFF
call 00407100
:0040734F 83C404
add esp, 00000004
:00407352 8D542454
lea edx, dword ptr
[esp+54]
:00407356 8D4C2410
lea ecx, dword ptr [esp+10]
:0040735A 6A00
push 00000000
:0040735C 6802300000
push 00003002
:00407361 52
push
edx
:00407362 E8B0970000 call
00410B17
:00407367 6A02
push 00000002
:00407369 6A00
push 00000000
:0040736B 8B442418
mov eax, dword ptr
[esp+18]
:0040736F 8D4C2418
lea ecx, dword ptr [esp+18]
:00407373 FF5028
call [eax+28]
:00407376 6A01
push
00000001
:00407378 6AFF
push FFFFFFFF
:0040737A 8D4C2418
lea ecx, dword ptr [esp+18]
:0040737E
E836990000 call
00410CB9
:00407383 8D4C240F
lea ecx, dword ptr [esp+0F]
:00407387 6A01
push 00000001
:00407389 51
push
ecx
:0040738A 8D4C2418
lea ecx, dword ptr [esp+18]
:0040738E E8DB980000
call 00410C6E
:00407393 8D4C2410
lea ecx, dword ptr
[esp+10]
:00407397 E896990000
call 00410D32
:0040739C 6A00
push 00000000
:0040739E 53
push ebx
|
:0040739F FF15AC734100
Call dword ptr [004173AC]
:004073A5 6A00
push 00000000
|
:004073A7 68CCB14100
push 0041B1CC
|
:004073AC 68B8B14100
push 0041B1B8
:004073B1 53
push ebx
|
:004073B2 FF15B0734100
Call dword ptr [004173B0]
:004073B8 8D4C2410
lea ecx, dword ptr [esp+10]
:004073BC
C7842460010000FFFFFFFF mov dword ptr [esp+00000160], FFFFFFFF
:004073C7
E88E960000 call
00410A5A
:004073CC 6A01
push 00000001
:004073CE 53
push ebx
|:0040742E(U)
|
|
:004073CF FF15BC734100
Call dword ptr [004173BC]
|:004071C7(C), :00407407(U), :0040741C(U)
|
:004073D5
B801000000 mov eax, 00000001
|:00407432(U)
|
:004073DA 8B8C2458010000
mov ecx, dword ptr [esp+00000158]
:004073E1 5F
pop
edi
:004073E2 5E
pop esi
:004073E3 5B
pop ebx
:004073E4 64890D00000000
mov dword ptr fs:[00000000], ecx
:004073EB
81C458010000 add esp,
00000158
:004073F1 C21000
ret 0010
|:00407245(C), :00407259(C), :00407271(C), :00407286(C),
:0040729E(C)
|:004072B2(C), :004072C7(C), :004072D7(C), :004072EB(C),
:00407300(C)
|
:004073F4 6A00
push 00000000
|
:004073F6 68B0B14100
push 0041B1B0
|
:004073FB 6898B14100
push 0041B198
:00407400 53
push ebx
|
:00407401 FF15B0734100
Call dword ptr [004173B0]
:00407407 EBCC
jmp 004073D5
|:0040721E(C), :00407230(C)
|
:00407409 6A00
push 00000000
|
:0040740B 68B0B14100
push 0041B1B0
|
:00407410 6884B14100
push 0041B184
:00407415 53
push ebx
所以,得到一个可用的:(注册机我就不想做了,因为它只能组合成那么多个注册码,没必要做:))
name:knock
Serial:MW3JX3QY4
http://reddog.myrice.com/CrackTools.rar