Software:浪漫情书 v3.11
http://go3.163.com/pyeditor/
专业级的情书编辑软件
Tools:TRW 2000、Win98Se
Cracker:lq7972[bruceyu13@sina.com]
Notes:永远向大家学习,向你学习~
国庆假期没有了,再弄几个软件
用TRW载入,断点“bpx hmemcpy”,输入注册信息后确定,拦住;按6次F12,按F10到:
0167:00488F52 8B45F0 MOV EAX,[EBP-10] ;用户名
0167:00488F55 E836ADF7FF CALL 00403C90 ; 及其长度
0167:00488F5A 83F806 CMP EAX,BYTE +06 ;长度大于等于6吗?
0167:00488F5D 7D20 JNL 00488F7F
0167:00488F5F B8F4914800 MOV EAX,004891F4
0167:00488F64 E8E78AFCFF CALL 00451A50
0167:00488F69 8B45FC MOV EAX,[EBP-04]
0167:00488F6C 8B80E0020000 MOV EAX,[EAX+02E0]
0167:00488F72 8B10 MOV EDX,[EAX]
0167:00488F74 FF92B4000000 CALL NEAR [EDX+B4]
0167:00488F7A E92F020000 JMP 004891AE
0167:00488F7F 8D55F0 LEA EDX,[EBP-10] ;一定要跳到这里哟
0167:00488F82 8B45FC MOV EAX,[EBP-04]
0167:00488F85 8B80D0020000 MOV EAX,[EAX+02D0]
0167:00488F8B E8A05CFAFF CALL 0042EC30
0167:00488F90 8B45F0 MOV EAX,[EBP-10] ;假码
0167:00488F93 E8F8ACF7FF CALL 00403C90 ; 及其长度
0167:00488F98 48 DEC EAX
0167:00488F99 7D20 JNL 00488FBB ;输入了吗?
0167:00488F9B B81C924800 MOV EAX,0048921C
0167:00488FA0 E8AB8AFCFF CALL 00451A50
0167:00488FA5 8B45FC MOV EAX,[EBP-04]
0167:00488FA8 8B80D0020000 MOV EAX,[EAX+02D0]
0167:00488FAE 8B10 MOV EDX,[EAX]
0167:00488FB0 FF92B4000000 CALL NEAR [EDX+B4]
0167:00488FB6 E9F3010000 JMP 004891AE
0167:00488FBB 8D45F8 LEA EAX,[EBP-08] ;也要跳到这里
0167:00488FBE E851AAF7FF CALL 00403A14
0167:00488FC3 8D55F4 LEA EDX,[EBP-0C]
0167:00488FC6 8B45FC MOV EAX,[EBP-04]
0167:00488FC9 8B80D0020000 MOV EAX,[EAX+02D0]
0167:00488FCF E85C5CFAFF CALL 0042EC30
0167:00488FD4 8B45F4 MOV EAX,[EBP-0C]
0167:00488FD7 E8B4ACF7FF CALL 00403C90
0167:00488FDC 8BF0 MOV ESI,EAX ;假码长度
0167:00488FDE 85F6 TEST ESI,ESI
0167:00488FE0 7C37 JL 00489019
0167:00488FE2 46 INC ESI
0167:00488FE3 33DB XOR EBX,EBX
0167:00488FE5 8B45F4 MOV EAX,[EBP-0C] ;假码
0167:00488FE8 8A4418FF MOV AL,[EAX+EBX-01] ; 第i位,i随ebx变化
0167:00488FEC 3C30 CMP AL,30 ; 小于0?
0167:00488FEE 7225 JC 00489015
0167:00488FF0 8B55F4 MOV EDX,[EBP-0C]
0167:00488FF3 3C39 CMP AL,39 ; 大于9?
0167:00488FF5 771E JA 00489015
0167:00488FF7 8D45EC LEA EAX,[EBP-14] ;这几行是检查用户输入的注册码中有
0167:00488FFA 50 PUSH EAX ;非数字字符否?有则丢去
0167:00488FFB B901000000 MOV ECX,01
0167:00489000 8BD3 MOV EDX,EBX
0167:00489002 8B45F4 MOV EAX,[EBP-0C]
0167:00489005 E88AAEF7FF CALL 00403E94
0167:0048900A 8B55EC MOV EDX,[EBP-14]
0167:0048900D 8D45F8 LEA EAX,[EBP-08]
0167:00489010 E883ACF7FF CALL 00403C98
0167:00489015 43 INC EBX
0167:00489016 4E DEC ESI
0167:00489017 75CC JNZ 00488FE5
0167:00489019 8D55F0 LEA EDX,[EBP-10]
0167:0048901C 8B45FC MOV EAX,[EBP-04]
0167:0048901F 8B80E0020000 MOV EAX,[EAX+02E0]
0167:00489025 E8065CFAFF CALL 0042EC30
;***************************************************************;这里才是关键
0167:0048902A 8B45F0 MOV EAX,[EBP-10] ;用户名
0167:0048902D 8D55EC LEA EDX,[EBP-14]
0167:00489030 E83BFEFFFF CALL 00488E70 ;这个Call就是注册算法所在【跟进】
0167:00489035 8B45EC MOV EAX,[EBP-14] ;计算出的(正确的)注册码
0167:00489038 8B55F8 MOV EDX,[EBP-08]
0167:0048903B E860ADF7FF CALL 00403DA0
0167:00489040 0F8556010000 JNZ NEAR 0048919C ;JumP,gAMeoVEr
;【跟进】
0167:00488E70 55 PUSH EBP
0167:00488E71 8BEC MOV EBP,ESP
0167:00488E73 83C4F8 ADD ESP,BYTE -08
0167:00488E76 53 PUSH EBX
0167:00488E77 56 PUSH ESI
0167:00488E78 57 PUSH EDI
0167:00488E79 33C9 XOR ECX,ECX
0167:00488E7B 894DF8 MOV [EBP-08],ECX
0167:00488E7E 8BF2 MOV ESI,EDX
0167:00488E80 8945FC MOV [EBP-04],EAX ;用户名
0167:00488E83 8B45FC MOV EAX,[EBP-04]
0167:00488E86 E8B9AFF7FF CALL 00403E44
0167:00488E8B 33C0 XOR EAX,EAX
0167:00488E8D 55 PUSH EBP
0167:00488E8E 68118F4800 PUSH DWORD 00488F11
0167:00488E93 64FF30 PUSH DWORD [FS:EAX]
0167:00488E96 648920 MOV [FS:EAX],ESP
0167:00488E99 33DB XOR EBX,EBX ;ebx清零
0167:00488E9B 8D55F8 LEA EDX,[EBP-08]
0167:00488E9E A1E4784A00 MOV EAX,[004A78E4]
0167:00488EA3 8B00 MOV EAX,[EAX]
;****************************************************************把你的眼球转到这里来
0167:00488EA5 E882D90000 CALL 0049682C
0167:00488EAA 8B55F8 MOV EDX,[EBP-08] ;机器码递edx
0167:00488EAD 8D45FC LEA EAX,[EBP-04]
0167:00488EB0 8B4DFC MOV ECX,[EBP-04] ;用户名递ecx
0167:00488EB3 E824AEF7FF CALL 00403CDC ; 把二者连起来:机器码+用户名
0167:00488EB8 8B45FC MOV EAX,[EBP-04] ; 再递给eax
0167:00488EBB E8D0ADF7FF CALL 00403C90 ; 并得到其长度,返回到eax
0167:00488EC0 8BD0 MOV EDX,EAX ; 把这个长度递给edx
0167:00488EC2 85D2 TEST EDX,EDX
0167:00488EC4 7C17 JL 00488EDD
0167:00488EC6 42 INC EDX ;edx加1,这并没有影响
0167:00488EC7 33C0 XOR EAX,EAX ;eax清零
;---------------------------------------------------------------;下面就是注册算法核心了
0167:00488EC9 8B4DFC MOV ECX,[EBP-04] ;机器码+用户名
0167:00488ECC 0FB64C01FF MOVZX ECX,BYTE [ECX+EAX-01] ; 第i位ASCII码,初始值是0
0167:00488ED1 8D7803 LEA EDI,[EAX+03] ;edi=eax+3
0167:00488ED4 0FAFCF IMUL ECX,EDI ;ecx=ecx*edi
0167:00488ED7 03D9 ADD EBX,ECX ;ebx=ebx+ecx
0167:00488ED9 40 INC EAX ;eax加1
0167:00488EDA 4A DEC EDX ;edx减1
0167:00488EDB 75EC JNZ 00488EC9 ; 循环
0167:00488EDD 8BC3 MOV EAX,EBX ;上面的结果送eax
0167:00488EDF 99 CDQ ;edx=0
0167:00488EE0 33C2 XOR EAX,EDX
0167:00488EE2 2BC2 SUB EAX,EDX
0167:00488EE4 69C0C9430000 IMUL EAX,EAX,43C9 ;eax=eax*43C9h
0167:00488EEA 05BBEF9505 ADD EAX,0595EFBB ;eax=eax+595EFBBh
;这就是我们的注册码!
;--------------------------------------------------------------
0167:00488EEF 8BD6 MOV EDX,ESI
;。。。
【总结】
注册算法还是挺简单的,跟踪过程也不烦--你比我先搞定了吧。。。
【注册机】
/////////////////////////////////////////////////////////////////////////////////
// The KeyGen by lq7972,with Delphi 6
// E-Mail:bruceyu13@sina.com
/////////////////////////////////////////////////////////////////////////////////
// Reproduces the serial computed by the routine at 00488E70 in the listing
// above: serial = (sum over i of Ord(Temp[i]) * (i + 3)) * $43C9 + $595EFBB,
// where Temp is the machine code followed by the user name.
// Reads Edit1 (user name) and Edit2 (machine code); writes the result to Edit3.
// NOTE(review): the serial is a plain linear checksum of inputs the client
// already holds, with no secret and no signature; that is why it can be rebuilt
// from the client binary. A licence that carries a signature verified by the
// client (private key held only by the vendor) cannot be regenerated this way.
procedure TForm1.Button1Click(Sender: TObject);
var
i,N1:Integer;
Name,Code,Reg,Temp:String;
begin
Name:=Edit1.Text; // user name
Code:=Edit2.Text; // machine code
// Mirrors the target's own checks: name length >= 6, machine code non-empty.
// NOTE(review): neither branch leaves the procedure, so the computation below
// still runs and fills Edit3 after the message box is dismissed.
if length(Name) < 6 then
begin
ShowMessage('你的尊姓大名似乎短了耶!'+Chr(13)+'它要不小于6哟。。。');
Edit1.SetFocus;
end
else if Code = '' then
begin
ShowMessage('你似乎忘了输入机器码!');
Edit2.Setfocus;
end;
Temp:=Concat(Code,Name); // concatenate: machine code + user name
N1:=0;
// Weighted sum of character codes; the weight i+3 corresponds to
// LEA EDI,[EAX+03] / IMUL ECX,EDI in the listing.
for i:=1 to length(Temp) do
begin
N1:=N1+Ord(Temp[i])*(i+$3);
end;
// NOTE(review): 32-bit Integer arithmetic; the multiply may exceed 2^31 for
// long inputs and then wraps silently unless overflow checking ({$Q+}) is on.
Reg:=IntToStr(N1*$43C9+$595EFBB);
Edit3.Text:=Reg; // serial
end;
//////////////////////////////////////////////////////////////////////////////////