日期:2005年4月24日 破解人:yijun
———————————————————————————————————————————
【软件名称】:疯狂小游戏2005 软件版本:2.0
【软件大小】:2.23M
【下载地址】:internet
【软件限制】:功能
【破解声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:OD PEID
———————————————————————————————————————————
【破解过程】:
PEID查壳知道该软件无壳,Borland Delphi 6.0 - 7.0编写。OD载入,通过UNICODE很容易来到以下地方:
004C27DB 55 push ebp //在此下断
004C27DC 68 D62A4C00 push 疯狂小游.004C2AD6
004C27E1 64:FF30 push dword ptr fs:[eax]
004C27E4 64:8920 mov dword ptr fs:[eax],esp
004C27E7 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004C27EA 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C27ED 8B80 00030000 mov eax,dword ptr ds:[eax+300]
004C27F3 E8 3444F8FF call 疯狂小游.00446C2C //计算输入假码位数
004C27F8 837D F0 00 cmp dword ptr ss:[ebp-10],0 //和0比较
004C27FC 74 29 je short 疯狂小游.004C2827 //为0就跳
004C27FE 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004C2801 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C2804 8B80 00030000 mov eax,dword ptr ds:[eax+300]
004C280A E8 1D44F8FF call 疯狂小游.00446C2C
004C280F 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004C2812 8D55 EC lea edx,dword ptr ss:[ebp-14]
004C2815 E8 725EF4FF call 疯狂小游.0040868C
004C281A 8B45 EC mov eax,dword ptr ss:[ebp-14]
004C281D E8 DA1BF4FF call 疯狂小游.004043FC
004C2822 83F8 08 cmp eax,8
004C2825 7E 0F jle short 疯狂小游.004C2836 //注册码必须小于等于8,否则不跳,就OVER~~~
004C2827 B8 EC2A4C00 mov eax,疯狂小游.004C2AEC
004C282C E8 6BC1F6FF call 疯狂小游.0042E99C
004C2831 E9 23020000 jmp 疯狂小游.004C2A59
004C2836 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004C2839 50 push eax
004C283A 8D55 DC lea edx,dword ptr ss:[ebp-24]
004C283D 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C2840 8B80 10030000 mov eax,dword ptr ds:[eax+310]
004C2846 E8 E143F8FF call 疯狂小游.00446C2C
004C284B 8B45 DC mov eax,dword ptr ss:[ebp-24] //机器码送EAX
004C284E B9 06000000 mov ecx,6 //6送ECX
004C2853 BA 01000000 mov edx,1 //EDX置1
004C2858 E8 FF1DF4FF call 疯狂小游.0040465C //去掉机器码后两位
004C285D 8B4D E0 mov ecx,dword ptr ss:[ebp-20] //去掉后的值送ECX
004C2860 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004C2863 BA 082B4C00 mov edx,疯狂小游.004C2B08 “0x”送EDX
004C2868 E8 DB1BF4FF call 疯狂小游.00404448 //计算去掉后两位的机器码位数,结果送EAX;并且将“0x”和去掉后两位的机器码连起来。我的是“0xCF0875”
004C286D 8B45 E4 mov eax,dword ptr ss:[ebp-1C]//将刚才的结果送EAX
004C2870 E8 BB61F4FF call 疯狂小游.00408A30 //将“0xCF0875”保存到ECX,此时EAX=00CF0875
004C2875 8BF0 mov esi,eax //EAX值送ESI保存
004C2877 33C0 xor eax,eax //EAX清0
004C2879 55 push ebp
004C287A 68 052A4C00 push 疯狂小游.004C2A05
004C287F 64:FF30 push dword ptr fs:[eax]
004C2882 64:8920 mov dword ptr fs:[eax],esp
004C2885 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004C2888 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C288B 8B80 00030000 mov eax,dword ptr ds:[eax+300]
004C2891 E8 9643F8FF call 疯狂小游.00446C2C //计算假码位数送EAX
004C2896 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004C2899 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004C289C E8 EB5DF4FF call 疯狂小游.0040868C
004C28A1 8B45 D8 mov eax,dword ptr ss:[ebp-28] //假码送EAX
004C28A4 E8 8761F4FF call 疯狂小游.00408A30 //关键CALL,跟进
004C28A9 8BD8 mov ebx,eax //EAX送EBX
004C28AB 8BC3 mov eax,ebx //EBX送EAX
004C28AD 2BC6 sub eax,esi //EAX=EAX-ESI
004C28AF 3B05 88B74C00 cmp eax,dword ptr ds:[4CB788] //相减结果和99E1E(十进制630302)比较,相等就注册成功~~~~
004C28B5 74 43 je short 疯狂小游.004C28FA //关键跳
004C28B7 68 142B4C00 push 疯狂小游.004C2B14 //以下是保存注册信息~~~~~~~~~~~~~
004C28BC 8D55 C8 lea edx,dword ptr ss:[ebp-38]
004C28BF 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C28C2 8B80 00030000 mov eax,dword ptr ds:[eax+300]
004C28C8 E8 5F43F8FF call 疯狂小游.00446C2C
004C28CD 8B45 C8 mov eax,dword ptr ss:[ebp-38]
004C28D0 8D55 CC lea edx,dword ptr ss:[ebp-34]
004C28D3 E8 B45DF4FF call 疯狂小游.0040868C
004C28D8 FF75 CC push dword ptr ss:[ebp-34]
004C28DB 68 302B4C00 push 疯狂小游.004C2B30
004C28E0 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004C28E3 BA 03000000 mov edx,3
004C28E8 E8 CF1BF4FF call 疯狂小游.004044BC
004C28ED 8B45 D0 mov eax,dword ptr ss:[ebp-30]
004C28F0 E8 A7C0F6FF call 疯狂小游.0042E99C
004C28F5 E9 01010000 jmp 疯狂小游.004C29FB
004C28FA 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004C28FD A1 8CB74C00 mov eax,dword ptr ds:[4CB78C]
004C2902 03C3 add eax,ebx
004C2904 E8 EB5FF4FF call 疯狂小游.004088F4
004C2909 8D55 BC lea edx,dword ptr ss:[ebp-44]
004C290C A1 D4BC4C00 mov eax,dword ptr ds:[4CBCD4]
004C2911 8B00 mov eax,dword ptr ds:[eax]
004C2913 E8 904BFAFF call 疯狂小游.004674A8
004C2918 8B45 BC mov eax,dword ptr ss:[ebp-44]
004C291B 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004C291E E8 8D65F4FF call 疯狂小游.00408EB0
004C2923 FF75 C0 push dword ptr ss:[ebp-40]
004C2926 68 502B4C00 push 疯狂小游.004C2B50
004C292B FF75 F4 push dword ptr ss:[ebp-C]
004C292E 68 5C2B4C00 push 疯狂小游.004C2B5C
004C2933 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
004C2936 BA 04000000 mov edx,4
004C293B E8 7C1BF4FF call 疯狂小游.004044BC
004C2940 8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
004C2943 B2 01 mov dl,1
004C2945 A1 E85F4300 mov eax,dword ptr ds:[435FE8]
004C294A E8 4937F7FF call 疯狂小游.00436098
004C294F 8945 F8 mov dword ptr ss:[ebp-8],eax
004C2952 33C0 xor eax,eax
004C2954 55 push ebp
004C2955 68 8A294C00 push 疯狂小游.004C298A
004C295A 64:FF30 push dword ptr fs:[eax]
004C295D 64:8920 mov dword ptr fs:[eax],esp
004C2960 6A 01 push 1
004C2962 B9 6C2B4C00 mov ecx,疯狂小游.004C2B6C
004C2967 BA 782B4C00 mov edx,疯狂小游.004C2B78
004C296C 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004C296F 8B18 mov ebx,dword ptr ds:[eax]
004C2971 FF53 14 call dword ptr ds:[ebx+14]
004C2974 33C0 xor eax,eax
004C2976 5A pop edx
004C2977 59 pop ecx
004C2978 59 pop ecx
004C2979 64:8910 mov dword ptr fs:[eax],edx
004C297C 68 91294C00 push 疯狂小游.004C2991
004C2981 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004C2984 E8 BF09F4FF call 疯狂小游.00403348
004C2989 C3 retn
004C298A ^ E9 0D11F4FF jmp 疯狂小游.00403A9C
004C298F ^ EB F0 jmp short 疯狂小游.004C2981
004C2991 6A 00 push 0
004C2993 66:8B0D 802B4C0>mov cx,word ptr ds:[4C2B80]
004C299A B2 02 mov dl,2
004C299C B8 8C2B4C00 mov eax,疯狂小游.004C2B8C
004C29A1 E8 FEBEF6FF call 疯狂小游.0042E8A4
004C29A6 48 dec eax
004C29A7 75 52 jnz short 疯狂小游.004C29FB
004C29A9 A1 A4BE4C00 mov eax,dword ptr ds:[4CBEA4]
004C29AE 8B00 mov eax,dword ptr ds:[eax]
004C29B0 E8 2B0DFAFF call 疯狂小游.004636E0
004C29B5 6A 01 push 1
004C29B7 6A 00 push 0
004C29B9 6A 00 push 0
004C29BB 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
004C29BE A1 D4BC4C00 mov eax,dword ptr ds:[4CBCD4]
004C29C3 8B00 mov eax,dword ptr ds:[eax]
004C29C5 E8 DE4AFAFF call 疯狂小游.004674A8
004C29CA 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
004C29CD 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004C29D0 E8 DB64F4FF call 疯狂小游.00408EB0
004C29D5 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004C29D8 BA B42B4C00 mov edx,疯狂小游.004C2BB4
004C29DD E8 221AF4FF call 疯狂小游.00404404
004C29E2 8B45 B8 mov eax,dword ptr ss:[ebp-48]
004C29E5 E8 121CF4FF call 疯狂小游.004045FC
004C29EA 50 push eax
004C29EB 6A 00 push 0
004C29ED 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C29F0 E8 83ABF8FF call 疯狂小游.0044D578
004C29F5 50 push eax
004C29F6 E8 DDACF6FF call <jmp.&shell32.ShellExecuteA>
004C29FB 33C0 xor eax,eax
004C29FD 5A pop edx
004C29FE 59 pop ecx
004C29FF 59 pop ecx
004C2A00 64:8910 mov dword ptr fs:[eax],edx
004C2A03 EB 54 jmp short 疯狂小游.004C2A59
004C2A05 ^ E9 0A0FF4FF jmp 疯狂小游.00403914
004C2A0A 0100 add dword ptr ds:[eax],eax
004C2A0C 0000 add byte ptr ds:[eax],al
****************************************************************
跟进004C28A4处CALL来到这里:
00408A30 53 push ebx
00408A31 56 push esi
00408A32 83C4 F4 add esp,-0C
00408A35 8BD8 mov ebx,eax //假码送EBX
00408A37 8BD4 mov edx,esp //ESP送EDX
00408A39 8BC3 mov eax,ebx
00408A3B E8 30A3FFFF call 疯狂小游.00402D70 //将假码转为16进制,结果保存在EAX
00408A40 8BF0 mov esi,eax //EAX送ESI
00408A42 833C24 00 cmp dword ptr ss:[esp],0
00408A46 74 19 je short 疯狂小游.00408A61
00408A48 895C24 04 mov dword ptr ss:[esp+4],ebx
00408A4C C64424 08 0B mov byte ptr ss:[esp+8],0B
00408A51 8D5424 04 lea edx,dword ptr ss:[esp+4]
00408A55 A1 9CBA4C00 mov eax,dword ptr ds:[4CBA9C]
00408A5A 33C9 xor ecx,ecx
00408A5C E8 33F9FFFF call 疯狂小游.00408394
00408A61 8BC6 mov eax,esi
00408A63 83C4 0C add esp,0C
00408A66 5E pop esi
00408A67 5B pop ebx
00408A68 C3 retn //跳出去
———————————————————————————————————————————
【Crack_总结】:
首先注册码必须小于等于8位,将机器码去掉后两位记为S与“0x”组合成"0x+S",即值为S的16进制数;再将输入的注册码转化为16进制记为N,如果N-S=99E1E(十进制630302)即注册成功,所以N=S+99E1E(十进制630302),再把N转为10进制即为注册码!!!
我的机器码:CF08752A
我的注册码:14198419