【破解作者】 落魄浪子
【作者邮箱】 zxy223_szb@21cn.net
【使用工具】 od1.1c
【破解平台】 Win9x/NT/2000/XP
【软件名称】 EmEditor V4.09
【软件简介】 一个很好的可以替换记事本的软件。
【破解声明】 我是一只菜菜,这几天被acp壳搞得头晕,所以就找一个不难的软件来开开刀,也好満足下自己。
--------------------------------------------------------------------------------
【破解内容】
软件无壳,呵呵,但愿所有的软件都这样。
静态反汇编程序找不到出错的提示字串,只好先用OD载入程序,查找MESSAGEBOXW下断点,运行,填入注册码0000-11
11-2222-3333,按确正,OK,OD断下了,向上找看看是从哪里跳过来的,一步步往上找,看到有好多地方都调用它,
不管,我全下断。最后找到004165EF处,这是个算法CALL,呵呵,总算给我找到了,进入后来到:
004272C4 /$ 56 push esi 注册码入栈
004272C5 |. 8BF0 mov esi,eax
004272C7 |. 0FB706 movzx eax,word ptr ds:[esi] 注册码第一组的DWORD值放入EAX
004272CA |. 6A 0A push 0A
004272CC |. 99 cdq
004272CD |. 59 pop ecx
004272CE |. F7F9 idiv ecx EAX整除A,商回送AX余数回送DX
004272D0 |. 3D B5000000 cmp eax,0B5 比较商是否等于0B5 ;0B5*0A这里得到第一组注册码为0721
004272D5 |. 74 05 je short emeditor.004272DC 不跳就玩完
004272D7 |. 83C8 FF or eax,FFFFFFFF
004272DA |. 5E pop esi
004272DB |. C3 retn
004272DC |> 57 push edi
004272DD |. 66:8B7E 06 mov di,word ptr ds:[esi+6] 注册码最后四位的DWORD值放入DI
004272E1 |. E8 FAFEFFFF call emeditor.004271E0 *进入
004272E6 |. 83F8 01 cmp eax,1
004272E9 |. 75 0D jnz short emeditor.004272F8
004272EB |. 33C0 xor eax,eax
004272ED |. 66:3B7E 06 cmp di,word ptr ds:[esi+6]
004272F1 |. 0F94C0 sete al
004272F4 |. 8D4400 FF lea eax,dword ptr ds:[eax+eax-1]
004272F8 |> 5F pop edi
004272F9 |. 5E pop esi
004272FA \. C3 retn
进入后来到这里:
004271E0 /$ 51 push ecx
004271E1 |. 51 push ecx
004271E2 |. 66:8B56 02 mov dx,word ptr ds:[esi+2] 注册码第二组放入DX
004271E6 |. 66:8366 06 00 and word ptr ds:[esi+6],0
004271EB |. 66:81FA 0F27 cmp dx,270F 比较第二组注册码是否等于最大数9999
004271F0 |. 0F87 C8000000 ja emeditor.004272BE
004271F6 |. 66:8B46 04 mov ax,word ptr ds:[esi+4] 第三组注册码放入AX
004271FA |. 66:3D 0F27 cmp ax,270F 比较第三组注册码是否等于最大数9999
004271FE |. 0F87 BA000000 ja emeditor.004272BE
00427204 |. 66:8B0E mov cx,word ptr ds:[esi] 第一组注册码放入CX
00427207 |. 66:81F9 1507 cmp cx,715 比较第一组注册码是否等于715
0042720C |. 894C24 04 mov dword ptr ss:[esp+4],ecx
00427210 |. 75 14 jnz short emeditor.00427226
00427212 |. 66:81FA 1E1C cmp dx,1C1E
00427217 |. 75 0D jnz short emeditor.00427226
00427219 |. 66:3D 9D15 cmp ax,159D
0042721D |. 75 07 jnz short emeditor.00427226
0042721F |> 6A FE push -2
00427221 |. E9 95000000 jmp emeditor.004272BB
00427226 |> 66:81F9 1A07 cmp cx,71A 比较第一组注册码是否等于71A
0042722B |. 75 0D jnz short emeditor.0042723A
0042722D |. 66:81FA 0910 cmp dx,1009
00427232 |. 75 06 jnz short emeditor.0042723A
00427234 |. 66:3D 1500 cmp ax,15
00427238 |.^ 74 E5 je short emeditor.0042721F
0042723A |> 53 push ebx
0042723B |. 55 push ebp
0042723C |. 57 push edi
0042723D |. 0FB7F8 movzx edi,ax 第三组注册码放入EDI
00427240 |. 0FB7C2 movzx eax,dx 第二组注册码产入EAX
00427243 |. 894424 0C mov dword ptr ss:[esp+C],eax
00427247 |. 6A 64 push 64
00427249 |. 5B pop ebx
0042724A |. 8BC7 mov eax,edi 第三组注册码放入EAX
0042724C |. 99 cdq
0042724D |. F7FB idiv ebx EAX/EBX=64 商=AX=16,余数=DX=16
0042724F |. 6A 0A push 0A
00427251 |. 5D pop ebp
00427252 |. 0FB7C9 movzx ecx,cx 第一组注册码放入ECX
00427255 |. 6A 64 push 64
00427257 |. 8BD8 mov ebx,eax 商=AX=16入EBX
00427259 |. 8BC1 mov eax,ecx 第一组注册码入EAX
0042725B |. 99 cdq
0042725C |. F7FD idiv ebp 第一组注册码0721/0A 商=AX=B5
0042725E |. 035C24 10 add ebx,dword ptr ss:[esp+10] 第二组注册码与余数=DX=16相加 记为N1
00427262 |. 03C3 add eax,ebx N1与 商=AX=B5相加 记为N2
00427264 |. 03C7 add eax,edi 第三组注册码与N2相加 记为N3
00427266 |. 99 cdq
00427267 |. 5F pop edi
00427268 |. F7FF idiv edi N3/64 商=AX=23,余数=DX=24
0042726A |. 8B4424 0C mov eax,dword ptr ss:[esp+C] 第二组注册码放入EAX
0042726E |. 6A 64 push 64
00427270 |. 5B pop ebx
00427271 |. 6A 64 push 64
00427273 |. 5D pop ebp
00427274 |. 55 push ebp
00427275 |. 66:8B3C95 38D7440>mov di,word ptr ds:[edx*4+44D738] 余数=DX=24 * 4 + 44D738 查表得 37
0042727D |. 99 cdq
0042727E |. 66:6BFF 64 imul di,di,64 37*64 记为 N4
00427282 |. F7FB idiv ebx 第二组注册码/64 商=AX=0B,余数=DX=0B
00427284 |. 8BD8 mov ebx,eax 商=AX=0B放入EBX 记为N5
00427286 |. 8BC1 mov eax,ecx 第一组注册码入EAX
00427288 |. 99 cdq
00427289 |. F7FD idiv ebp 第一组注册码/64 商=AX=12,余数=DX=0A
0042728B |. 03D9 add ebx,ecx N5 ADD 第一组注册码 记为N6
0042728D |. 59 pop ecx
0042728E |. 03C3 add eax,ebx N6 ADD 商=AX=12 记为N7
00427290 |. 99 cdq
00427291 |. F7F9 idiv ecx N7/64 商=AX=12,余数=DX=27
00427293 |. 66:033C95 38D7440>add di,word ptr ds:[edx*4+44D738] 余数=DX=27 * 4 + 44D738 查表得 4D ADD N4 记为N8
0042729B |. 66:817C24 10 1707 cmp word ptr ss:[esp+10],717 比较第一组注册码是否等于717
004272A2 |. 66:897E 06 mov word ptr ds:[esi+6],di
004272A6 |. 5F pop edi
004272A7 |. 5D pop ebp
004272A8 |. 5B pop ebx
004272A9 |. 74 0E je short emeditor.004272B9
004272AB |. 66:817C24 04 1607 cmp word ptr ss:[esp+4],716 比较第一组注册码是否等于716
004272B2 |. 74 05 je short emeditor.004272B9
004272B4 |. 33C0 xor eax,eax
004272B6 |. 40 inc eax
004272B7 |. EB 08 jmp short emeditor.004272C1
004272B9 |> 6A 02 push 2
004272BB |> 58 pop eax
004272BC |. EB 03 jmp short emeditor.004272C1
004272BE |> 83C8 FF or eax,FFFFFFFF
004272C1 |> 59 pop ecx
004272C2 |. 59 pop ecx
004272C3 \. C3 retn 返回
004272E6 |. 83F8 01 cmp eax,1 返回到这里 如果不等就玩完
004272E9 |. 75 0D jnz short emeditor.004272F8
004272EB |. 33C0 xor eax,eax
004272ED |. 66:3B7E 06 cmp di,word ptr ds:[esi+6] 比较最后一组注册码是否等于 N8
004272F1 |. 0F94C0 sete al 置注册标志
004272F4 |. 8D4400 FF lea eax,dword ptr ds:[eax+eax-1]
004272F8 |> 5F pop edi
004272F9 |. 5E pop esi
004272FA \. C3 retn
以下是码表:
0044D738 26 00 00 00 5B 00 00 00
0044D740 62 00 00 00 36 00 00 00
0044D748 34 00 00 00 60 00 00 00
0044D750 13 00 00 00 35 00 00 00
0044D758 19 00 00 00 54 00 00 00
0044D760 3F 00 00 00 44 00 00 00
0044D768 4C 00 00 00 38 00 00 00
0044D770 5D 00 00 00 33 00 00 00
0044D778 56 00 00 00 61 00 00 00
0044D780 42 00 00 00 21 00 00 00
0044D788 3E 00 00 00 2D 00 00 00
0044D790 23 00 00 00 0E 00 00 00
0044D798 1E 00 00 00 5F 00 00 00
0044D7A0 57 00 00 00 12 00 00 00
0044D7A8 1B 00 00 00 17 00 00 00
0044D7B0 22 00 00 00 58 00 00 00
0044D7B8 2C 00 00 00 63 00 00 00
0044D7C0 5C 00 00 00 18 00 00 00
0044D7C8 37 00 00 00 41 00 00 00
0044D7D0 59 00 00 00 4D 00 00 00
0044D7D8 15 00 00 00 5A 00 00 00
0044D7E0 53 00 00 00 0B 00 00 00
0044D7E8 05 00 00 00 1C 00 00 00
0044D7F0 10 00 00 00 2E 00 00 00
0044D7F8 49 00 00 00 40 00 00 00
0044D800 0D 00 00 00 07 00 00 00
0044D808 50 00 00 00 3D 00 00 00
0044D810 32 00 00 00 46 00 00 00
0044D818 0A 00 00 00 43 00 00 00
0044D820 2B 00 00 00 00 00 00 00
0044D828 3B 00 00 00 48 00 00 00
0044D830 5E 00 00 00 4E 00 00 00
0044D838 51 00 00 00 1F 00 00 00
0044D840 20 00 00 00 3A 00 00 00
0044D848 01 00 00 00 2A 00 00 00
0044D850 45 00 00 00 55 00 00 00
0044D858 4A 00 00 00 02 00 00 00
0044D860 52 00 00 00 27 00 00 00
0044D868 03 00 00 00 4B 00 00 00
0044D870 08 00 00 00 3C 00 00 00
0044D878 0F 00 00 00 14 00 00 00
0044D880 24 00 00 00 25 00 00 00
0044D888 28 00 00 00 29 00 00 00
0044D890 16 00 00 00 1D 00 00 00
0044D898 1A 00 00 00 11 00 00 00
0044D8A0 2F 00 00 00 39 00 00 00
0044D8A8 09 00 00 00 47 00 00 00
0044D8B0 06 00 00 00 4F 00 00 00
0044D8B8 04 00 00 00 31 00 00 00
0044D8C0 0C 00 00 00 30 00 00 00
0044D8C8 01 00 00 00 01 00 00 00
--------------------------------------------------------------------------------
【破解总结】
总的来说这个软件的算法非常简单
现在来总决算法:
注册码:R1-R2-R3-R4
预置数:A,64
R1/A=B5 R1符合条件的有712,715,71A ,717 ,716
第二组和第三组注册码不能大于9999
((((R2+(R3/64的余数))+(R1/A的商)+R3)/64的余数*4+44D738)查表*64)+((((R2/64的商+R1)+R1/64的商)/64的余数)*4+44D738)查表=R4
取上面R1的任何一个为第一组注册码,然后第二组和第三组取任何四位数但小于9999,按上面的算法可以得到第四组注册码
--------------------------------------------------------------------------------
【版权声明】 在本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!