• 标 题:金锋屏幕保护程序2.0破解
  • 作 者:poppig
  • 时 间:2003-12-23 周二, 下午3:21
  • 链 接:http://bbs.pediy.com

金锋屏幕保护程序2.0是一款制作屏幕保护的软件,能够实现的效果有200多个,
如果你感兴趣的话,可以到http://www.jinfengsoft.com下载.
  好了,还是先看看文件:用UPX加壳,脱之!再看,原来是Delphi程序!
  找到关键的地方!
  我们输入注册码:1234567890

我们到了下面的地方.......
; Excerpt of the registration-dialog check as captured in a debugger
; (selector:offset, opcode bytes, instruction). The routine begins before and
; continues after this excerpt. All numeric operands are hexadecimal.
;
; Flow visible here: a length test, then five two-character groups are cut
; from the entered text and converted to numbers. The first group seeds a
; running byte in BL; each later group is compared with that byte after it is
; XORed with an immediate constant (0B, 16, 21, 2C). Any mismatch jumps to
; 004BE162.
;
; NOTE(review): the helpers at 004044A0, 0045C008, 00404700, 004044EC and
; 00408740 are not shown; what is said about them below follows the original
; author's annotations and should be confirmed.
; NOTE(review): every constant the comparison uses is an immediate in the
; client binary, so the whole rule is readable from the disassembly alone.

; --- length test ---
016F:004BDF67 8B45FC           MOV      EAX,[EBP-04] ; string at [EBP-04] (the entered code, per the author)
016F:004BDF6A E83165F4FF       CALL     004044A0 ; presumably a string-length helper - confirm
016F:004BDF6F 83F80A           CMP      EAX,BYTE +0A ; is the code shorter than 10 (0Ah) characters?
016F:004BDF72 0F8CEA010000     JL       NEAR 004BE162 ; shorter -> failure path (signed compare)

; --- group 1: characters 1-2, seed for the chain ---
016F:004BDF78 8D45F4           LEA      EAX,[EBP-0C]
016F:004BDF7B 50               PUSH     EAX ; address of [EBP-0C]; that slot is read back at 004BDF9C
016F:004BDF7C 8D55F0           LEA      EDX,[EBP-10]
016F:004BDF7F 8B86FC020000     MOV      EAX,[ESI+02FC] ; field at ESI+02FC (presumably the input control)
016F:004BDF85 E87EE0F9FF       CALL     0045C008 ; presumably fetches its text into [EBP-10] - confirm
016F:004BDF8A 8B45F0           MOV      EAX,[EBP-10]
016F:004BDF8D B902000000       MOV      ECX,02 ; count = 2
016F:004BDF92 BA01000000       MOV      EDX,01 ; start position = 1
016F:004BDF97 E86467F4FF       CALL     00404700 ;take the first 2 characters of the code
016F:004BDF9C 8B4DF4           MOV      ECX,[EBP-0C] ; ECX = the two-character piece
016F:004BDF9F 8D45F8           LEA      EAX,[EBP-08]
016F:004BDFA2 BA50E24B00       MOV      EDX,004BE250 ; constant at 004BE250 (contents not shown)
016F:004BDFA7 E84065F4FF       CALL     004044EC ; presumably joins constant and piece into [EBP-08]
016F:004BDFAC 8B45F8           MOV      EAX,[EBP-08]
016F:004BDFAF E88CA7F4FF       CALL     00408740 ; presumably string -> number, result in EAX
016F:004BDFB4 8BD8             MOV      EBX,EAX ;value of characters 1-2 kept in EBX

; --- group 2: characters 3-4 must equal (group 1 XOR 0B) AND FF ---
016F:004BDFB6 8D45E8           LEA      EAX,[EBP-18]
016F:004BDFB9 50               PUSH     EAX
016F:004BDFBA 8D55E4           LEA      EDX,[EBP-1C]
016F:004BDFBD 8B86FC020000     MOV      EAX,[ESI+02FC]
016F:004BDFC3 E840E0F9FF       CALL     0045C008
016F:004BDFC8 8B45E4           MOV      EAX,[EBP-1C]
016F:004BDFCB B902000000       MOV      ECX,02
016F:004BDFD0 BA03000000       MOV      EDX,03 ;take characters 3-4 of the code
016F:004BDFD5 E82667F4FF       CALL     00404700
016F:004BDFDA 8B4DE8           MOV      ECX,[EBP-18]
016F:004BDFDD 8D45EC           LEA      EAX,[EBP-14]
016F:004BDFE0 BA50E24B00       MOV      EDX,004BE250
016F:004BDFE5 E80265F4FF       CALL     004044EC
016F:004BDFEA 8B45EC           MOV      EAX,[EBP-14] ;EAX now refers to characters 3-4
016F:004BDFED E84EA7F4FF       CALL     00408740
016F:004BDFF2 8BD3             MOV      EDX,EBX ;saved value of characters 1-2 copied to EDX
016F:004BDFF4 80F20B           XOR      DL,0B ; expected byte = group 1 XOR 0B
016F:004BDFF7 81E2FF000000     AND      EDX,FF ; keep the low byte only
016F:004BDFFD 3BC2             CMP      EAX,EDX ;compare characters 3-4 with the computed byte
016F:004BDFFF 0F855D010000     JNZ      NEAR 004BE162 ;not equal -> failure path
016F:004BE005 80F30B           XOR      BL,0B ;apply the same XOR to the running byte in BL

; --- group 3: characters 5-6 must equal (running byte XOR 16) AND FF ---
016F:004BE008 8D45DC           LEA      EAX,[EBP-24]
016F:004BE00B 50               PUSH     EAX
016F:004BE00C 8D55D8           LEA      EDX,[EBP-28]
016F:004BE00F 8B86FC020000     MOV      EAX,[ESI+02FC]
016F:004BE015 E8EEDFF9FF       CALL     0045C008
016F:004BE01A 8B45D8           MOV      EAX,[EBP-28]
016F:004BE01D B902000000       MOV      ECX,02
016F:004BE022 BA05000000       MOV      EDX,05
016F:004BE027 E8D466F4FF       CALL     00404700 ;take characters 5-6 of the code
016F:004BE02C 8B4DDC           MOV      ECX,[EBP-24]
016F:004BE02F 8D45E0           LEA      EAX,[EBP-20]
016F:004BE032 BA50E24B00       MOV      EDX,004BE250
016F:004BE037 E8B064F4FF       CALL     004044EC
016F:004BE03C 8B45E0           MOV      EAX,[EBP-20]
016F:004BE03F E8FCA6F4FF       CALL     00408740
016F:004BE044 8BD3             MOV      EDX,EBX ;value computed at 004BE005
016F:004BE046 80F216           XOR      DL,16 ; expected byte = running byte XOR 16
016F:004BE049 81E2FF000000     AND      EDX,FF
016F:004BE04F 3BC2             CMP      EAX,EDX ;compare with characters 5-6
016F:004BE051 0F850B010000     JNZ      NEAR 004BE162 ; not equal -> failure path
016F:004BE057 80F316           XOR      BL,16 ;running byte in BL XOR 16h

; --- group 4: characters 7-8 must equal (running byte XOR 21) AND FF ---
016F:004BE05A 8D45D0           LEA      EAX,[EBP-30]
016F:004BE05D 50               PUSH     EAX
016F:004BE05E 8D55CC           LEA      EDX,[EBP-34]
016F:004BE061 8B86FC020000     MOV      EAX,[ESI+02FC]
016F:004BE067 E89CDFF9FF       CALL     0045C008
016F:004BE06C 8B45CC           MOV      EAX,[EBP-34]
016F:004BE06F B902000000       MOV      ECX,02
016F:004BE074 BA07000000       MOV      EDX,07
016F:004BE079 E88266F4FF       CALL     00404700  ;take characters 7-8 of the code
016F:004BE07E 8B4DD0           MOV      ECX,[EBP-30]
016F:004BE081 8D45D4           LEA      EAX,[EBP-2C]
016F:004BE084 BA50E24B00       MOV      EDX,004BE250
016F:004BE089 E85E64F4FF       CALL     004044EC
016F:004BE08E 8B45D4           MOV      EAX,[EBP-2C]
016F:004BE091 E8AAA6F4FF       CALL     00408740
016F:004BE096 8BD3             MOV      EDX,EBX ;value computed at 004BE057 copied to EDX
016F:004BE098 80F221           XOR      DL,21 ;expected byte = running byte XOR 21
016F:004BE09B 81E2FF000000     AND      EDX,FF
016F:004BE0A1 3BC2             CMP      EAX,EDX ;compare with characters 7-8
016F:004BE0A3 0F85B9000000     JNZ      NEAR 004BE162 ; not equal -> failure path
016F:004BE0A9 80F321           XOR      BL,21 ;running byte in BL XOR 21h

; --- group 5: characters 9-10 must equal running byte XOR 2C ---
016F:004BE0AC 8D45C4           LEA      EAX,[EBP-3C]
016F:004BE0AF 50               PUSH     EAX
016F:004BE0B0 8D55C0           LEA      EDX,[EBP-40]
016F:004BE0B3 8B86FC020000     MOV      EAX,[ESI+02FC]
016F:004BE0B9 E84ADFF9FF       CALL     0045C008
016F:004BE0BE 8B45C0           MOV      EAX,[EBP-40]
016F:004BE0C1 B902000000       MOV      ECX,02
016F:004BE0C6 BA09000000       MOV      EDX,09  ;take characters 9-10
016F:004BE0CB E83066F4FF       CALL     00404700
016F:004BE0D0 8B4DC4           MOV      ECX,[EBP-3C]
016F:004BE0D3 8D45C8           LEA      EAX,[EBP-38]
016F:004BE0D6 BA50E24B00       MOV      EDX,004BE250
016F:004BE0DB E80C64F4FF       CALL     004044EC
016F:004BE0E0 8B45C8           MOV      EAX,[EBP-38]
016F:004BE0E3 E858A6F4FF       CALL     00408740
016F:004BE0E8 80F32C           XOR      BL,2C ;running byte in BL XOR 2Ch
016F:004BE0EB 33D2             XOR      EDX,EDX ;clear EDX
016F:004BE0ED 8AD3             MOV      DL,BL ;EDX = running byte, upper bits zero
016F:004BE0EF 3BC2             CMP      EAX,EDX ;compare with characters 9-10
016F:004BE0F1 756F             JNZ      004BE162 ; not equal -> failure path

; --- all five groups matched ---
; NOTE(review): the article does not analyse the calls below. 004BD19C is
; called twice with constants 004BE25C / 004BE280 and 004BE26C plus a string
; in ECX; what it stores, if anything, is not visible here. The author reports
; that the program still shows the unregistered window after a restart.
016F:004BE0F3 8D55BC           LEA      EDX,[EBP-44]
016F:004BE0F6 8B86FC020000     MOV      EAX,[ESI+02FC]
016F:004BE0FC E807DFF9FF       CALL     0045C008
016F:004BE101 8B4DBC           MOV      ECX,[EBP-44] ; string returned through [EBP-44]
016F:004BE104 BA5CE24B00       MOV      EDX,004BE25C
016F:004BE109 B86CE24B00       MOV      EAX,004BE26C
016F:004BE10E E889F0FFFF       CALL     004BD19C
016F:004BE113 8D45B8           LEA      EAX,[EBP-48]
016F:004BE116 E83DF9FFFF       CALL     004BDA58 ; fills [EBP-48]; purpose not shown
016F:004BE11B 8B4DB8           MOV      ECX,[EBP-48]
016F:004BE11E BA80E24B00       MOV      EDX,004BE280
016F:004BE123 B86CE24B00       MOV      EAX,004BE26C
016F:004BE128 E86FF0FFFF       CALL     004BD19C
016F:004BE12D 6A40             PUSH     BYTE +40 ; argument for a call beyond this excerpt
016F:004BE12F 8D55B4           LEA      EDX,[EBP-4C]
016F:004BE132 A1D8AF4C00       MOV      EAX,[004CAFD8] ; load a pointer from the global at 004CAFD8
016F:004BE137 8B00             MOV      EAX,[EAX] ; dereference it; the excerpt ends here
  
  总结一下:输入注册码1234567890后,程序把它按两位一组分成5组.先用第一组12计算
(12 xor 0B) and FFH,结果和3,4位进行比较;然后再用上次BL的值继续计算并保存到EDX中,
得到5,6位应有的值,和输入的5,6位进行比较,依此类推.也就是说,由1,2位的值算出
3,4位的值,由3,4位的值得到5,6位的值,由5,6位的值得到7,8位的值,再由7,8位的值得到
9,10位的值.不过,输入正确的注册码后虽然提示"注册已完成",重新启动后还是会出现
没有注册时的窗口,提示你还能用多少天.这说明程序里很可能还有别处的校验,
本文没有跟到.


我的机器码是:91F19201BD75E771F7761111D76
注册码为:12190F2E02

   
不好意思,一篇烂文又诞生了!  


Made By dengkeng
E-mail:shellc0de@sohu.com
欢迎转载,请保持文章的完整性