• Title: Making the program save the real registration code itself: FreeCell Tool (空当接龙工具) V2.1
  • Author: fly
  • Date: 2003-9-09 Tuesday, 1:37 AM
  • Link: http://bbs.pediy.com

Making the program save the real registration code itself: FreeCell Tool (空当接龙工具) V2.1
 
 
 
Download page:  http://notabdc.vip.sina.com/CnSoft/freecelltool.zip
Size:  316 KB


【Software description】: Solves any FreeCell deal. Reads the layout automatically, plays automatically, works in batches; it does it all.

【Restrictions】: Feature-limited

【Author's note】: I am a beginner at cracking, only doing this out of interest, with no other purpose. Please correct any mistakes, masters!

【Tools used】: TRW2000 (娃娃 modified build), OllyDbg 1.09, PEiD, W32Dasm 9.0 Platinum Edition

————————————————————————————————— 
【Process】:
          
          

FreecellTool.exe is unpacked and written in Visual C++ 6.0.

Info code: 401012
User name: fly
Trial code: 13572468
—————————————————————————————————
:004063CD E88E080000              call 00406C60
                                  ====> Checks whether already registered

:004063D2 8A86C1000000            mov al, byte ptr [esi+000000C1]
                                  ====> [esi+000000C1]=1 means already registered

:004063D8 C784240001000000000000  mov dword ptr [esp+00000100], 00000000
:004063E3 84C0                    test al, al
:004063E5 88442470                mov byte ptr [esp+70], al
:004063E9 89AC24F0000000          mov dword ptr [esp+000000F0], ebp
:004063F0 745B                    je 0040644D

* Possible StringData Ref from Data Obj ->"UnknownUser"
                                  |
:004063F2 68CC414500              push 004541CC

* Possible StringData Ref from Data Obj ->"UserName"
                                  |
:004063F7 68B0414500              push 004541B0
:004063FC 8D442414                lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:00406400 6858414500              push 00454158
:00406405 50                      push eax
:00406406 8BCE                    mov ecx, esi
:00406408 E89DB10300              call 004415AA
:0040640D 50                      push eax
:0040640E 8D8C24F0000000          lea ecx, dword ptr [esp+000000F0]
:00406415 C684240401000001        mov byte ptr [esp+00000104], 01
:0040641D E863F50200              call 00435985
:00406422 8D4C240C                lea ecx, dword ptr [esp+0C]
:00406426 C684240001000000        mov byte ptr [esp+00000100], 00
:0040642E E865F40200              call 00435898
:00406433 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"RegisterCode"
                                  |
:00406435 68BC414500              push 004541BC

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:0040643A 6858414500              push 00454158
:0040643F 8BCE                    mov ecx, esi
:00406441 E8F8B00300              call 0044153E
:00406446 898424F4000000          mov dword ptr [esp+000000F4], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063F0(C)
|
:0040644D 8D4C2414                lea ecx, dword ptr [esp+14]
:00406451 E8FFB50200              call 00431A55
                                  ====> Pops up the registration dialog

:00406456 83F801                  cmp eax, 00000001
:00406459 0F85C1000000            jne 00406520
                                  ====> Was registration info entered?

:0040645F 8A86C1000000            mov al, byte ptr [esi+000000C1]
:00406465 84C0                    test al, al
:00406467 0F85B3000000            jne 00406520
:0040646D 8D8C24EC000000          lea ecx, dword ptr [esp+000000EC]
:00406474 51                      push ecx
:00406475 8D4C2410                lea ecx, dword ptr [esp+10]
:00406479 E88FF10200              call 0043560D
:0040647E 8BBC24F4000000          mov edi, dword ptr [esp+000000F4]
                                  ====> EDI=00CF1974, the trial code in hex

:00406485 51                      push ecx
:00406486 8D542410                lea edx, dword ptr [esp+10]
:0040648A 8BCC                    mov ecx, esp
:0040648C 89642414                mov dword ptr [esp+14], esp
:00406490 52                      push edx
:00406491 C684240801000002        mov byte ptr [esp+00000108], 02
:00406499 E86FF10200              call 0043560D
:0040649E 55                      push ebp
:0040649F E83CF9FFFF              call 00405DE0
                                  ====> The algorithm CALL!

:004064A4 83C408                  add esp, 00000008
:004064A7 3BC7                    cmp eax, edi
                                  ====> EAX=F08417C0(H)=4035188672(D)  registration code
                                  ====> EDI=00CF1974(H)=13572468(D)    trial code

:004064A9 7564                    jne 0040650F
                                  ====> If it jumps, it's OVER!

:004064AB 6A00                    push 00000000
:004064AD 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"注册成功!"
                                  |
:004064AF 688C424500              push 0045428C
:004064B4 E8E1200300              call 0043859A
                                  ====> Heh, the goddess of victory!

:004064B9 8B44240C                mov eax, dword ptr [esp+0C]
:004064BD 8BCE                    mov ecx, esi
:004064BF 50                      push eax

* Possible StringData Ref from Data Obj ->"UserName"
                                  |
:004064C0 68B0414500              push 004541B0

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:004064C5 6858414500              push 00454158
:004064CA E879220300              call 00438748
:004064CF 57                      push edi
                                  ====> Saves the registration code. Heh, this is the spot to work from to get the real code saved automatically

* Possible StringData Ref from Data Obj ->"RegisterCode"
                                  |
:004064D0 68BC414500              push 004541BC

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:004064D5 6858414500              push 00454158
:004064DA 8BCE                    mov ecx, esi
:004064DC E8F2210300              call 004386D3
                                  ====> Saves the registration info!


 
————————————————————————————————— 
Enter the algorithm CALL: 0040649F  call 00405DE0



* Referenced by a CALL at Addresses:
|:0040612C   , :0040649F   
|
:00405DE0 8B442408                mov eax, dword ptr [esp+08]
                                  ====> EAX=fly               the user name

:00405DE4 56                      push esi
:00405DE5 57                      push edi
:00405DE6 33FF                    xor edi, edi
:00405DE8 8B48F8                  mov ecx, dword ptr [eax-08]
                                  ====> ECX=length of the user name
:00405DEB BE31D40000              mov esi, 0000D431
                                  ====> ESI=0000D431

:00405DF0 85C9                    test ecx, ecx
:00405DF2 7E34                    jle 00405E28

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E26(C)
|
:00405DF4 0FBE0407                movsx eax, byte ptr [edi+eax]
                                  ====> Take the HEX value of each character of the user name "fly" in turn

:00405DF8 3535211414              xor eax, 14142135
                            ①  ====> EAX=66 XOR 14142135=14142153
                            ...(remaining rounds omitted)...

:00405DFD 50                      push eax
:00405DFE E8E1AB0000              call 004109E4
:00405E03 83C404                  add esp, 00000004
:00405E06 E8E6AB0000              call 004109F1
                                  ====> Processes the result above again:
                                  (EAX*000343FD+00269EC3) SHR 10 AND 00007FFF

:00405E0B 8BCE                    mov ecx, esi
:00405E0D C1E910                  shr ecx, 10
                            ①  ====> ESI=ECX=0000D431 SHR 10=0

:00405E10 C1E610                  shl esi, 10
                                  ====> ESI=0000D431 SHL 10=D4310000

:00405E13 0BCE                    or ecx, esi
                                  ====> ECX=0 OR D4310000=D4310000

:00405E15 03C1                    add eax, ecx
                            ①  ====> EAX=000000BD + D4310000=D43100BD
                            ...(remaining rounds omitted)...

:00405E17 3528181827              xor eax, 27181828
                            ①  ====> EAX=D43100BD XOR 27181828=F3291895
                            ...(remaining rounds omitted)...
                            ③  ====> EAX=CCC9581B

:00405E1C 47                      inc edi
:00405E1D 8BF0                    mov esi, eax
:00405E1F 8B442410                mov eax, dword ptr [esp+10]
:00405E23 3B78F8                  cmp edi, dword ptr [eax-08]
:00405E26 7CCC                    jl 00405DF4
                                  ====> Loop once per character of the user name

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405DF2(C)
|
:00405E28 6815CD5B07              push 075BCD15
:00405E2D E8B2AB0000              call 004109E4
:00405E32 83C404                  add esp, 00000004

* Possible Reference to Dialog: DialogID_0064 
                                  |

* Possible Reference to Dialog: DialogID_7801, CONTROL_ID:0064, ""
                                  |
:00405E35 BF64000000              mov edi, 00000064

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E53(C)
|
:00405E3A E8B2AB0000              call 004109F1
:00405E3F 8BD6                    mov edx, esi
:00405E41 C1EA10                  shr edx, 10
                            ①  ====> EDX=CCC9581B SHR 10=0000CCC9
                            ...(remaining rounds omitted)...

:00405E44 C1E610                  shl esi, 10
                            ①  ====> ESI=CCC9581B SHL 10=581B0000
                            ...(remaining rounds omitted)...

:00405E47 0BD6                    or edx, esi
                            ①  ====> EDX=0000CCC9 OR 581B0000=581BCCC9
                            ...(remaining rounds omitted)...

:00405E49 03C2                    add eax, edx
                            ①  ====> EAX=000033CB + 581BCCC9=581C0094
                            ...(remaining rounds omitted)...

:00405E4B 3508053217              xor eax, 17320508
                            ①  ====> EAX=581C0094 XOR 17320508=4F2E059C
                            ...(remaining rounds omitted)...

:00405E50 4F                      dec edi
:00405E51 8BF0                    mov esi, eax
:00405E53 75E5                    jne 00405E3A
                                  ====> Loops 100 times; EAX=F08417C0

:00405E55 8D4C2410                lea ecx, dword ptr [esp+10]
:00405E59 E83AFA0200              call 00435898
:00405E5E 8BC6                    mov eax, esi
                                  ====> EAX=F08417C0

:00405E60 5F                      pop edi
:00405E61 5E                      pop esi
:00405E62 C3                      ret


————————————————————————————————— 
Enter: 00405E06  call 004109F1


* Referenced by a CALL at Addresses:
|:00404F45   , :00404F51   , :00405E06   , :00405E3A   , :00408899   
|:0040B6D5   
|
:004109F1 E8BD390000              call 004143B3
:004109F6 8B4814                  mov ecx, dword ptr [eax+14]
:004109F9 69C9FD430300            imul ecx, 000343FD
                            ①、  ====>ECX=14142153 * 000343FD=8096A807

:004109FF 81C1C39E2600            add ecx, 00269EC3
                            ①、  ====>ECX=8096A807 + 00269EC3=80BD46CA

:00410A05 894814                  mov dword ptr [eax+14], ecx
:00410A08 8BC1                    mov eax, ecx
:00410A0A C1E810                  shr eax, 10
                            ①、  ====>EAX=80BD46CA SHR 10=000080BD

:00410A0D 25FF7F0000              and eax, 00007FFF
                            ①、  ====>EAX=000080BD AND 00007FFF=000000BD

:00410A12 C3                      ret



—————————————————————————————————
【Algorithm summary】:


Simple operations on the user name, followed by a 100-iteration loop, yield the registration code.
The algorithm is a hassle; the point of writing this up is just to show, below, how to make the program save the real registration code on its own.
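The routine at 00405DE0 traced above, re-implemented in Python as an added example; this is not code from the original post or from FreeCell Tool. It assumes only what the listing shows: the calls at 004109E4 and 004109F1 are MSVC's srand()/rand() (0x343FD and 0x269EC3 are that CRT's LCG constants), so the registration code is a pure function of the user name, which is why the real value is sitting in EAX at the cmp. The class and function names are mine.

```python
MASK32 = 0xFFFFFFFF

class MsvcRand:
    """Model of the MSVC 6 CRT srand()/rand() pair that 004109E4/004109F1
    implement: state = state*0x343FD + 0x269EC3; return (state >> 16) & 0x7FFF."""

    def __init__(self) -> None:
        self.state = 1                               # CRT default seed

    def srand(self, seed: int) -> None:
        self.state = seed & MASK32

    def rand(self) -> int:
        self.state = (self.state * 0x343FD + 0x269EC3) & MASK32
        return (self.state >> 16) & 0x7FFF           # trace: 80BD46CA -> 000000BD

def rot16(x: int) -> int:
    """(x SHR 10h) OR (x SHL 10h): swap the 16-bit halves (00405E0B..00405E13)."""
    return ((x >> 16) | (x << 16)) & MASK32

def mix_username(username: str) -> int:
    """Loop 00405DF4..00405E26: one round per user-name character."""
    rng = MsvcRand()
    esi = 0xD431                                     # constant loaded at 00405DEB
    for byte in username.encode("latin-1"):
        ch = byte - 0x100 if byte >= 0x80 else byte  # movsx: sign-extend the byte
        rng.srand((ch ^ 0x14142135) & MASK32)        # xor eax, 14142135 ; call 004109E4
        eax = (rng.rand() + rot16(esi)) & MASK32     # call 004109F1 ; add eax, ecx
        esi = eax ^ 0x27181828                       # xor eax, 27181828 ; mov esi, eax
    return esi                                       # trace: CCC9581B for "fly"

def register_code(username: str) -> int:
    """Whole routine at 00405DE0: the value compared with the trial code at 004064A7."""
    rng = MsvcRand()
    esi = mix_username(username)
    rng.srand(0x075BCD15)                            # push 075BCD15 (123456789) ; call 004109E4
    for _ in range(100):                             # mov edi, 64h ... dec edi / jne 00405E3A
        eax = (rng.rand() + rot16(esi)) & MASK32
        esi = eax ^ 0x17320508
    return esi

def check_code(username: str, entered: int) -> bool:
    """The cmp eax, edi at 004064A7: a plain equality test done on the client."""
    return register_code(username) == (entered & MASK32)

if __name__ == "__main__":
    code = register_code("fly")
    print(f"fly -> {code:08X}h = {code}; trial 13572468 accepted: {check_code('fly', 13572468)}")
```

Because the check recomputes the secret on the client and compares it in the clear, the compare can be patched or its operand read, which is exactly what the rest of the post does; a scheme that verifies a signature over the user name instead leaves nothing recomputable on the client.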

————————————————————————————————— 
【Auto-saving the real code】:


:004064A7 3BC7                    cmp eax, edi
:004064A9 7564                    jne 0040650F

Change the code above to:

:004064A7 8BF8                    mov edi, eax  // move the real registration code into EDI
:004064A9 90                      nop           // NOP out this jump
:004064AA 90                      nop

:004064CF 57                      push edi      // it is saved automatically here


————————————————————————————————— 
【KeyMake memory keygen: {109th}】:


Break address: 004064A7
Break count: 1
First byte: 3B
Instruction length: 2

Register: EDI
Decimal value

————————————————————————————————— 
【Saved registration info】:


REGEDIT4

[HKEY_CURRENT_USER\Software\GeYong Software\空当接龙工具\Options]

"UserName"="fly"
"RegisterCode"=dword:f08417c0

————————————————————————————————— 
【Summary】:


Info code: 401012
User name: fly
Registration code: 4035188672

—————————————————————————————————
    
                                
         ,     _/ 
        /| _.-~/            _     ,        Youth is but a moment's feast;
       ( /~   /              ~-._ |
       `\  _/                   ~ )          let me trade empty fame
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        for the wild abandon of cracking
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

                    Cracked By 巢水工作坊——fly [OCN][FCG]

                           2003-09-06  14:00