Auto-saving the real registration code: 空当接龙工具 (FreeCell Tool) V2.1
Download page: http://notabdc.vip.sina.com/CnSoft/freecelltool.zip
File size: 316 KB
【Software description】: Solves any FreeCell game. Reads the board automatically, plays automatically, runs in batch; it does it all.
【Software limitation】: feature-limited until registered
【Author's note】: I am new to cracking and do this purely out of interest, with no other purpose. Please correct me where I have made mistakes!
【Tools used】: TRW2000 (娃娃 modified edition), OllyDbg 1.09, PEiD, W32Dasm 9.0 Platinum Edition
—————————————————————————————————
【Process】:
FreecellTool.exe is not packed and is written in Visual C++ 6.0.
Info code: 401012
User name: fly
Trial code (the value typed into the dialog): 13572468
—————————————————————————————————
:004063CD E88E080000 call 00406C60
====> Checks whether the program is already registered
:004063D2 8A86C1000000 mov al, byte ptr [esi+000000C1]
====> [esi+000000C1]=1 means already registered
:004063D8 C784240001000000000000 mov dword ptr [esp+00000100], 00000000
:004063E3 84C0 test al, al
:004063E5 88442470 mov byte ptr [esp+70], al
:004063E9 89AC24F0000000 mov dword ptr [esp+000000F0], ebp
:004063F0 745B je 0040644D
* Possible StringData Ref from Data Obj ->"UnknownUser"
|
:004063F2 68CC414500 push 004541CC
* Possible StringData Ref from Data Obj ->"UserName"
|
:004063F7 68B0414500 push 004541B0
:004063FC 8D442414 lea eax, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"Options"
|
:00406400 6858414500 push 00454158
:00406405 50 push eax
:00406406 8BCE mov ecx, esi
:00406408 E89DB10300 call 004415AA
:0040640D 50 push eax
:0040640E 8D8C24F0000000 lea ecx, dword ptr [esp+000000F0]
:00406415 C684240401000001 mov byte ptr [esp+00000104], 01
:0040641D E863F50200 call 00435985
:00406422 8D4C240C lea ecx, dword ptr [esp+0C]
:00406426 C684240001000000 mov byte ptr [esp+00000100], 00
:0040642E E865F40200 call 00435898
:00406433 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"RegisterCode"
|
:00406435 68BC414500 push 004541BC
* Possible StringData Ref from Data Obj ->"Options"
|
:0040643A 6858414500 push 00454158
:0040643F 8BCE mov ecx, esi
:00406441 E8F8B00300 call 0044153E
:00406446 898424F4000000 mov dword ptr [esp+000000F4], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063F0(C)
|
:0040644D 8D4C2414 lea ecx, dword ptr [esp+14]
:00406451 E8FFB50200 call 00431A55
====> Pops up the registration dialog
:00406456 83F801 cmp eax, 00000001
:00406459 0F85C1000000 jne 00406520
====> Was registration information entered?
:0040645F 8A86C1000000 mov al, byte ptr [esi+000000C1]
:00406465 84C0 test al, al
:00406467 0F85B3000000 jne 00406520
:0040646D 8D8C24EC000000 lea ecx, dword ptr [esp+000000EC]
:00406474 51 push ecx
:00406475 8D4C2410 lea ecx, dword ptr [esp+10]
:00406479 E88FF10200 call 0043560D
:0040647E 8BBC24F4000000 mov edi, dword ptr [esp+000000F4]
====> EDI=00CF1974, the trial code in hex
:00406485 51 push ecx
:00406486 8D542410 lea edx, dword ptr [esp+10]
:0040648A 8BCC mov ecx, esp
:0040648C 89642414 mov dword ptr [esp+14], esp
:00406490 52 push edx
:00406491 C684240801000002 mov byte ptr [esp+00000108], 02
:00406499 E86FF10200 call 0043560D
:0040649E 55 push ebp
:0040649F E83CF9FFFF call 00405DE0
====> The algorithm CALL!
:004064A4 83C408 add esp, 00000008
:004064A7 3BC7 cmp eax, edi
====> EAX=F08417C0(H)=4035188672(D), the real registration code
====> EDI=00CF1974(H)=13572468(D), the trial code
:004064A9 7564 jne 0040650F
====> If this jump is taken, it's over!
:004064AB 6A00 push 00000000
:004064AD 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"注册成功!"
|
:004064AF 688C424500 push 0045428C
:004064B4 E8E1200300 call 0043859A
====> Heh, the goddess of victory!
:004064B9 8B44240C mov eax, dword ptr [esp+0C]
:004064BD 8BCE mov ecx, esi
:004064BF 50 push eax
* Possible StringData Ref from Data Obj ->"UserName"
|
:004064C0 68B0414500 push 004541B0
* Possible StringData Ref from Data Obj ->"Options"
|
:004064C5 6858414500 push 00454158
:004064CA E879220300 call 00438748
:004064CF 57 push edi
====> Saves the registration code. Heh, this is the spot to work on for auto-saving the real code.
* Possible StringData Ref from Data Obj ->"RegisterCode"
|
:004064D0 68BC414500 push 004541BC
* Possible StringData Ref from Data Obj ->"Options"
|
:004064D5 6858414500 push 00454158
:004064DA 8BCE mov ecx, esi
:004064DC E8F2210300 call 004386D3
====> Saves the registration information!
—————————————————————————————————
Entering the algorithm CALL: 0040649F call 00405DE0
* Referenced by a CALL at Addresses:
|:0040612C , :0040649F
|
:00405DE0 8B442408 mov eax, dword ptr [esp+08]
====> EAX=fly, the user name
:00405DE4 56 push esi
:00405DE5 57 push edi
:00405DE6 33FF xor edi, edi
:00405DE8 8B48F8 mov ecx, dword ptr [eax-08]
:00405DEB BE31D40000 mov esi, 0000D431
====>ESI=0000D431
:00405DF0 85C9 test ecx, ecx
:00405DF2 7E34 jle 00405E28
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E26(C)
|
:00405DF4 0FBE0407 movsx eax, byte ptr [edi+eax]
====> Takes the hex value of each character of the user name "fly" in turn (① marks the 1st character's pass, ③ the 3rd)
:00405DF8 3535211414 xor eax, 14142135
①、 ====>EAX=66 XOR 14142135=14142153
……(other passes omitted)……
:00405DFD 50 push eax
:00405DFE E8E1AB0000 call 004109E4
:00405E03 83C404 add esp, 00000004
:00405E06 E8E6AB0000 call 004109F1
====> The result above is processed again:
( *000343FD+00269EC3)SHR 10 AND 00007FFF
:00405E0B 8BCE mov ecx, esi
:00405E0D C1E910 shr ecx, 10
①、 ====>ESI=ECX=0000D431 SHR 10=0
:00405E10 C1E610 shl esi, 10
====>ESI=0000D431 SHL 10=D4310000
:00405E13 0BCE or ecx, esi
====>ECX=0 OR D4310000=D4310000
:00405E15 03C1 add eax, ecx
①、 ====>EAX=000000BD + D4310000=D43100BD
……(other passes omitted)……
:00405E17 3528181827 xor eax, 27181828
①、 ====>EAX=D43100BD XOR 27181828=F3291895
……(other passes omitted)……
③、 ====>EAX=CCC9581B (after the 3rd and last character)
:00405E1C 47 inc edi
:00405E1D 8BF0 mov esi, eax
:00405E1F 8B442410 mov eax, dword ptr [esp+10]
:00405E23 3B78F8 cmp edi, dword ptr [eax-08]
:00405E26 7CCC jl 00405DF4
====> Loops once per character of the user name
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405DF2(C)
|
:00405E28 6815CD5B07 push 075BCD15
:00405E2D E8B2AB0000 call 004109E4
:00405E32 83C404 add esp, 00000004
* Possible Reference to Dialog: DialogID_0064
|
* Possible Reference to Dialog: DialogID_7801, CONTROL_ID:0064, ""
|
:00405E35 BF64000000 mov edi, 00000064
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E53(C)
|
:00405E3A E8B2AB0000 call 004109F1
:00405E3F 8BD6 mov edx, esi
:00405E41 C1EA10 shr edx, 10
①、 ====>EDX=CCC9581B SHR 10=0000CCC9
……(other rounds omitted)……
:00405E44 C1E610 shl esi, 10
①、 ====>ESI=CCC9581B SHL 10=581B0000
……(other rounds omitted)……
:00405E47 0BD6 or edx, esi
①、 ====>EDX=0000CCC9 OR 581B0000=581BCCC9
……(other rounds omitted)……
:00405E49 03C2 add eax, edx
①、 ====>EAX=000033CB + 581BCCC9=581C0094
……(other rounds omitted)……
:00405E4B 3508053217 xor eax, 17320508
①、 ====>EAX=581C0094 XOR 17320508=4F2E059C
……(other rounds omitted)……
:00405E50 4F dec edi
:00405E51 8BF0 mov esi, eax
:00405E53 75E5 jne 00405E3A
====> Loops 100 times; at the end EAX=F08417C0
:00405E55 8D4C2410 lea ecx, dword ptr [esp+10]
:00405E59 E83AFA0200 call 00435898
:00405E5E 8BC6 mov eax, esi
====>EAX=F08417C0
:00405E60 5F pop edi
:00405E61 5E pop esi
:00405E62 C3 ret
—————————————————————————————————
Entering: 00405E06 call 004109F1
* Referenced by a CALL at Addresses:
|:00404F45 , :00404F51 , :00405E06 , :00405E3A , :00408899
|:0040B6D5
|
:004109F1 E8BD390000 call 004143B3
:004109F6 8B4814 mov ecx, dword ptr [eax+14]
:004109F9 69C9FD430300 imul ecx, 000343FD
①、 ====>ECX=14142153 * 000343FD=8096A807
:004109FF 81C1C39E2600 add ecx, 00269EC3
①、 ====>ECX=8096A807 + 00269EC3=80BD46CA
:00410A05 894814 mov dword ptr [eax+14], ecx
:00410A08 8BC1 mov eax, ecx
:00410A0A C1E810 shr eax, 10
①、 ====>EAX=80BD46CA SHR 10=000080BD
:00410A0D 25FF7F0000 and eax, 00007FFF
①、 ====>EAX=000080BD AND 00007FFF=000000BD
:00410A12 C3 ret
—————————————————————————————————
【Algorithm summary】:
A simple operation on each character of the user name, followed by a 100-round loop, produces the registration code.
The algorithm is tedious; the point of this writeup is only to explain, below, how to make the program save the real registration code by itself.
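The whole derivation traced above, including the helper at 004109F1, is the Microsoft C runtime's rand() generator (seed*214013+2531011, return bits 16..30) seeded from the user name, so the check is a deterministic public function of the name. The C code below is an added example, not code from the original writeup or from FreecellTool; it rebuilds the routine at 00405DE0 from the listing, with each loop body exposed as a function so the documented checkpoints (0xBD, 0xF3291895, 0xCCC9581B, 0x4F2E059C) can be checked one at a time. The names msvc_*, rot16, name_step, final_step and register_code are chosen here.

```c
/* Added example (not code from the original writeup or from FreecellTool):
 * the registration-code routine at 00405DE0 rebuilt from the trace above.
 * msvc_*, rot16, name_step, final_step, register_code are names chosen here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t g_seed;                 /* the CRT seed slot, [eax+14] in the listing */

/* call 004109E4: the CRT's srand(), which only stores the seed. */
static void msvc_srand(uint32_t s) { g_seed = s; }

/* call 004109F1: the CRT's rand(): seed*0x343FD + 0x269EC3, then (seed>>16)&0x7FFF. */
static uint32_t msvc_rand(void) {
    g_seed = g_seed * 0x343FDu + 0x269EC3u;
    return (g_seed >> 16) & 0x7FFFu;
}

uint32_t msvc_seed(void) { return g_seed; }   /* lets a caller inspect the seed (e.g. 80BD46CA) */

/* The shr/shl/or sequence at 00405E0B-00405E13 is a 16-bit rotate of the running value. */
static uint32_t rot16(uint32_t v) { return (v >> 16) | (v << 16); }

/* One pass of the per-character loop 00405DF4..00405E26. */
uint32_t name_step(uint32_t esi, char c) {
    msvc_srand((uint32_t)(int32_t)(int8_t)c ^ 0x14142135u);  /* movsx, then xor */
    return (msvc_rand() + rot16(esi)) ^ 0x27181828u;
}

/* One pass of the 100-round loop 00405E3A..00405E53 (seed already set by the caller). */
uint32_t final_step(uint32_t esi) {
    return (msvc_rand() + rot16(esi)) ^ 0x17320508u;
}

/* The whole routine: ESI starts at 0xD431, one pass per character,
 * then srand(0x075BCD15) and 100 more passes; the final ESI is the code. */
uint32_t register_code(const char *name) {
    uint32_t esi = 0xD431u;
    for (size_t i = 0; i < strlen(name); i++)
        esi = name_step(esi, name[i]);
    msvc_srand(0x075BCD15u);
    for (int round = 0; round < 100; round++)
        esi = final_step(esi);
    return esi;
}

int main(void) {
    uint32_t code = register_code("fly");
    printf("fly -> %08X (%u)\n", code, code);
    return 0;
}
```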
—————————————————————————————————
【Auto-saving the real code】:
:004064A7 3BC7 cmp eax, edi
:004064A9 7564 jne 0040650F
Change the code above to:
:004064A7 8BF8 mov edi,eax //move the real registration code into EDI
:004064A9 90 //NOP out this jump
:004064AA 90
:004064CF 57 push edi //the real code is now saved here automatically
—————————————————————————————————
【Memory keygen with KeyMake {109th}】:
Break address: 004064A7
Break count: 1
First byte: 3B
Instruction length: 2
Register: EDI
Display as decimal value
—————————————————————————————————
【Where the registration information is stored】:
REGEDIT4
[HKEY_CURRENT_USER\Software\GeYong Software\空当接龙工具\Options]
"UserName"="fly"
"RegisterCode"=dword:f08417c0
—————————————————————————————————
【Summary】:
Info code: 401012
User name: fly
Registration code: 4035188672
—————————————————————————————————
, _/
/| _.-~/ _ , Youth is but a moment;
( /~ / ~-._ |
`\ _/ ~ ) better to trade empty fame
_-~~~-.) )__/;;,. _ //'
/'_, --~ ~~~- ,;;___( (.-~~~-. for the wild abandon of cracking
`~ _( ,_..-- ( ,;'' / ~-- /._`
/~~//' /' `~ ) /--.._, )_ `~
" `~" " `" /~'` `\~~
" " "~' ""
Cracked by fly of 巢水工作坊 [OCN][FCG]
2003-09-06 14:00