下载:http://211.152.134.220/guitarpp/yu/GuitarPro300.zip
用 dede 找出“确定”按钮的地址 004CEC8C,用 trw2k 在此下断点,
输入注册信息,用户名:LANCELOT[CCG] 注册码:12345-67890-434343
按确定到这里
=================================================================================================
; Excerpt of the "OK" button handler of the TFLicence form, starting at 004CEC8C.
; Listing format (DeDe output): each instruction is spread over two lines, the
; address and opcode bytes first, the mnemonic/operands after; "* Reference to"
; lines are the tool's annotations, "<----" notes are the author's.
; The excerpt ends at the call to 0055BA10; the rest of the handler is not shown.
; Visible behaviour: read the three code fields Cle1..Cle3, join them into one
; string, read the text of the Nom label, then call 0055BA10 with
; eax = name text, edx = joined code, ecx = $12C.
004CEC8C 55
push ebp
004CEC8D 8BEC
mov ebp, esp
; $FFFFFEE8 is -$118: reserves $118 bytes of locals below ebp.
004CEC8F 81C4E8FEFFFF add
esp, $FFFFFEE8
004CEC95 53
push ebx
004CEC96 56
push esi
004CEC97 57
push edi
; ecx = 0 is written to six local slots; the -$04..-$10 slots are used below as
; string results (presumably Delphi strings that must start out nil).
004CEC98 33C9
xor ecx, ecx
004CEC9A 898DECFEFFFF mov
[ebp+$FFFFFEEC], ecx
004CECA0 898DE8FEFFFF mov
[ebp+$FFFFFEE8], ecx
004CECA6 894DFC
mov [ebp-$04], ecx
004CECA9 894DF8
mov [ebp-$08], ecx
004CECAC 894DF4
mov [ebp-$0C], ecx
004CECAF 894DF0
mov [ebp-$10], ecx
; eax on entry is kept in ebx; the control fields are read relative to it below
; ([ebx+$02E4], [ebx+$02EC], [ebx+$02F4], [ebx+$02CC]).
004CECB2 8BD8
mov ebx, eax
004CECB4 33C0
xor eax, eax
004CECB6 55
push ebp
; NOTE(review): the "string reference" below looks like a tool false positive.
; $004CEEFC is pushed right before fs:[0] is saved and replaced (the TRY marker),
; so it is presumably the handler address of the exception frame, not text.
* Possible String Reference to: '檑G?脎_^[嬪]?
|
004CECB7 68FCEE4C00 push
$004CEEFC
***** TRY
|
; eax is 0 here, so fs:[eax] is fs:[0]: the previous frame is pushed and esp
; becomes the new head of the chain.
004CECBC 64FF30
push dword ptr fs:[eax]
004CECBF 648920
mov fs:[eax], esp
; First field: edx = address of [ebp-$08] (receives the text), eax = control.
004CECC2 8D55F8
lea edx, [ebp-$08]
* Reference to control TFLicence.Cle1 : TEdit
|
004CECC5 8B83E4020000 mov
eax, [ebx+$02E4]
* Reference to: controls.TControl.GetText(TControl):System.String;<------- reads the 1st segment of the registration code
|
12345
004CECCB E81C74F6FF call
004360EC
; The returned text is pushed as the first operand of the concatenation below.
004CECD0 FF75F8
push dword ptr [ebp-$08]
004CECD3 8D55F4
lea edx, [ebp-$0C]
* Reference to control TFLicence.Cle2 : TEdit
|
004CECD6 8B83EC020000 mov
eax, [ebx+$02EC]
* Reference to: controls.TControl.GetText(TControl):System.String;<------- reads the 2nd segment of the registration code
|
67890
004CECDC E80B74F6FF call
004360EC
004CECE1 FF75F4
push dword ptr [ebp-$0C]
004CECE4 8D55F0
lea edx, [ebp-$10]
* Reference to control TFLicence.Cle3 : TEdit
|
004CECE7 8B83F4020000 mov
eax, [ebx+$02F4]
* Reference to: controls.TControl.GetText(TControl):System.String;<------- reads the 3rd segment of the registration code
|
43434
004CECED E8FA73F6FF call
004360EC
004CECF2 FF75F0
push dword ptr [ebp-$10]
; Three strings are on the stack; edx = 3 is their count and eax points at
; [ebp-$04], which receives the joined code.
004CECF5 8D45FC
lea eax, [ebp-$04]
004CECF8 BA03000000 mov
edx, $00000003
* Reference to: system.@LStrCatN;<---------------------------------------- concatenated together
|
123456789043434
004CECFD E8DA52F3FF call
00403FDC
; The joined code is parked on the stack while [ebp-$08] is reused for the name.
004CED02 8B45FC
mov eax, [ebp-$04]
004CED05 50
push eax
004CED06 8D55F8
lea edx, [ebp-$08]
* Reference to control TFLicence.Nom : TLabel
|
004CED09 8B83CC020000 mov
eax, [ebx+$02CC]
* Reference to: controls.TControl.GetText(TControl):System.String;<-------- reads the user name
|
004CED0F E8D873F6FF call
004360EC
; Arguments for the check: eax = name text, ecx = $12C, edx = joined code (popped).
; $12C is a constant supplied by this caller; its meaning is not visible here.
004CED14 8B45F8
mov eax, [ebp-$08]
004CED17 B92C010000 mov
ecx, $0000012C
004CED1C 5A
pop edx
|
004CED1D E8EECC0800 call
0055BA10<------------------------- core computation, step into it
===============================================================================================
; Excerpt of the check routine at 0055BA10, called from the OK handler.
; The excerpt ends at 0055BB13; the author omits the code that follows.
; Inputs as stored by the prologue: eax -> [ebp-$04] (user name),
; edx -> [ebp-$08] (joined registration code), ecx -> [ebp-$0C] ($12C from the caller).
; ebx is 0 on every visible path to 0055BCAF; presumably it carries the boolean
; result, but 0055BCAF is not shown - confirm there.
; Review note: everything the visible check consumes is the name, the code's own
; digits and fixed constants ($3E8, $DC, $0A). No secret or signature is involved,
; so the trailing digits act as a checksum rather than as proof of purchase.
; A scheme meant to survive analysis of the client would instead verify a vendor
; signature with an embedded public key.
0055BA10 55
push ebp
0055BA11 8BEC
mov ebp, esp
0055BA13 83C4EC
add esp, -$14
0055BA16 53
push ebx
0055BA17 56
push esi
0055BA18 57
push edi
; The two scratch slots [ebp-$10] and [ebp-$14] start as 0; they receive
; one-character strings further down.
0055BA19 33DB
xor ebx, ebx
0055BA1B 895DF0
mov [ebp-$10], ebx
0055BA1E 895DEC
mov [ebp-$14], ebx
0055BA21 894DF4
mov [ebp-$0C], ecx
0055BA24 8955F8
mov [ebp-$08], edx
0055BA27 8945FC
mov [ebp-$04], eax
; Both string arguments get a reference added before use.
0055BA2A 8B45FC
mov eax, [ebp-$04]
* Reference to: system.@LStrAddRef;
|
0055BA2D E89E86EAFF call
004040D0
0055BA32 8B45F8
mov eax, [ebp-$08]
* Reference to: system.@LStrAddRef;
|
0055BA35 E89686EAFF call
004040D0
; Same frame setup pattern as in the caller: handler address, old fs:[0], new head.
0055BA3A 33C0
xor eax, eax
0055BA3C 55
push ebp
0055BA3D 68D7BC5500 push
$0055BCD7
***** TRY
|
0055BA42 64FF30
push dword ptr fs:[eax]
0055BA45 648920
mov fs:[eax], esp
0055BA48 33DB
xor ebx, ebx
; Precondition 1: the name pointer must be non-zero, otherwise exit via 0055BA5D.
0055BA4A 837DFC00 cmp
dword ptr [ebp-$04], +$00
0055BA4E 740D
jz 0055BA5D
; Precondition 2: the joined code must be exactly $0F (15) characters long.
0055BA50 8B45F8
mov eax, [ebp-$08]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0055BA53 E8C484EAFF call
00403F1C
0055BA58 83F80F
cmp eax, +$0F
0055BA5B 7407
jz 0055BA64
; Early exit with ebx = 0 when either precondition fails.
0055BA5D 33DB
xor ebx, ebx
0055BA5F E94B020000 jmp
0055BCAF
; Name checksum: edi = running value (starts at 0), esi = characters left,
; ecx = 1-based position. Skipped entirely when the length is <= 0.
0055BA64 33FF
xor edi, edi
0055BA66 8B45FC
mov eax, [ebp-$04]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0055BA69 E8AE84EAFF call
00403F1C
0055BA6E 8BF0
mov esi, eax
0055BA70 85F6
test esi, esi
0055BA72 7E21
jle 0055BA95
0055BA74 B901000000 mov
ecx, $00000001
; Loop body: edi = (byte * position + edi) mod $3E8. movzx zero-extends the byte,
; so each character contributes a value in 0..255.
0055BA79 8B45FC
mov eax, [ebp-$04]
0055BA7C 0FB64408FF movzx
eax, byte ptr [eax+ecx-$01]<------- first character of the user name, 'L'==0x4c
0055BA81 F7E9
imul ecx<------------------------------- multiply by its position index
0055BA83 03F8
add edi, eax<-------------------------- add the product to the value in edi
0055BA85 8BC7
mov eax, edi
0055BA87 BFE8030000 mov
edi, $000003E8
0055BA8C 99
cdq
0055BA8D F7FF
idiv edi<------------------------------- divide the sum by 0x3e8
0055BA8F 8BFA
mov edi, edx<-------------------------- remainder goes to edi
0055BA91 41
inc ecx
0055BA92 4E
dec esi
0055BA93 75E4
jnz 0055BA79<-------------------------- loop over the 13 characters of the user name
; A checksum of 0 is replaced by 1.
0055BA95 85FF
test edi, edi
0055BA97 7505
jnz 0055BA9E
0055BA99 BF01000000 mov
edi, $00000001
; Multiplier: edi = (ecx_arg - $DC + checksum + 1) mod $3E8.
; The values in the annotations are those of the author's sample run.
0055BA9E 8B45F4
mov eax, [ebp-$0C]<---------------------0x12c
0055BAA1 2DDC000000 sub
eax, $000000DC<---------------------0x12c-0xdc==0x50
0055BAA6 03C7
add eax, edi<---------------------------0x50+0x15==0x65
0055BAA8 40
inc eax<--------------------------------0x65+0x1==0x66
0055BAA9 B9E8030000 mov
ecx, $000003E8
0055BAAE 99
cdq
0055BAAF F7F9
idiv ecx
0055BAB1 8BFA
mov edi, edx<-------------------------- 0x66
; The character at offset $0A of the code is turned into a one-character string
; in [ebp-$10] and pushed; it is the value the computed digit is compared with.
0055BAB3 8D45F0
lea eax, [ebp-$10]
0055BAB6 8B55F8
mov edx, [ebp-$08]
0055BAB9 8A520A
mov dl, byte ptr [edx+$0A]<-------------- 11th character of the registration code
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
0055BABC E88383EAFF call
00403E44
0055BAC1 8B45F0
mov eax, [ebp-$10]
0055BAC4 50
push eax
; Characters at offsets 0 and 1 are each converted char -> string -> integer;
; esi accumulates their sum.
0055BAC5 8D45EC
lea eax, [ebp-$14]
0055BAC8 8B55F8
mov edx, [ebp-$08]
0055BACB 8A12
mov dl, byte ptr [edx]<-------------- 1st character of the registration code
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
0055BACD E87283EAFF call
00403E44
0055BAD2 8B45EC
mov eax, [ebp-$14]
* Reference to: sysutils.StrToInt(System.AnsiString):System.Integer;
|
0055BAD5 E8CAD4EAFF call
00408FA4
0055BADA 8BF0
mov esi, eax
0055BADC 8D45EC
lea eax, [ebp-$14]
0055BADF 8B55F8
mov edx, [ebp-$08]
0055BAE2 8A5201
mov dl, byte ptr [edx+$01]<-------------- 2nd character of the registration code
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
0055BAE5 E85A83EAFF call
00403E44
0055BAEA 8B45EC
mov eax, [ebp-$14]
* Reference to: sysutils.StrToInt(System.AnsiString):System.Integer;
|
0055BAED E8B2D4EAFF call
00408FA4
; Expected digit = ((digit1 + digit2) * multiplier) mod $0A, converted back to a string.
0055BAF2 03F0
add esi, eax<-------------- sum of the 1st and 2nd digits of the registration code
0055BAF4 8BC6
mov eax, esi
0055BAF6 F7EF
imul edi<------------------- multiply by 0x66
0055BAF8 B90A000000 mov
ecx, $0000000A<-------- divide by 0xa
0055BAFD 99
cdq
0055BAFE F7F9
idiv ecx
0055BB00 8BC2
mov eax, edx<------------- remainder goes to eax
0055BB02 8D55EC
lea edx, [ebp-$14]
* Reference to: sysutils.IntToStr(System.Integer):System.AnsiString;overload;
|
0055BB05 E836D4EAFF call
00408F40
0055BB0A 8B55EC
mov edx, [ebp-$14]
0055BB0D 58
pop eax
; The string popped into eax is the one built from [edx+$0A] above, i.e. the
; 11th character (the original annotation here said "10th", which contradicts
; the offset and the author's own summary).
* Reference to: system.@LStrCmp;<------------------------------- remainder is compared with the 11th character of the registration code
|
0055BB0E E81985EAFF call
0040402C
0055BB13 0F8596010000 jnz
0055BCAF<------------- not equal: the check fails
下面的循环计算(注册码第12~15位的校验,结果见总结第5步)从略
=================================================================================================
总结一下:
1) 用户名:LANCELOT[CCG]==>0x4c,0x41,0x4e,0x43,0x45,0x4c,0x4f,0x54,0x5b,0x43,0x43,0x47,0x5d
2) (0x4c*0x1+0x0 ) % 0x3e8==0x4c
(0x41*0x2+0x4c ) % 0x3e8==0xce
(0x4e*0x3+0xce ) % 0x3e8==0x1b8
(0x43*0x4+0x1b8) % 0x3e8==0x2c4
(0x45*0x5+0x2c4) % 0x3e8==0x35
(0x4c*0x6+0x35 ) % 0x3e8==0x1fd
(0x4f*0x7+0x1fd) % 0x3e8==0x3e
(0x54*0x8+0x3e ) % 0x3e8==0x2de
(0x5b*0x9+0x2de) % 0x3e8==0x229
(0x43*0xa+0x229) % 0x3e8==0xdf
(0x43*0xb+0xdf ) % 0x3e8==0x3c0
(0x47*0xc+0x3c0) % 0x3e8==0x32c
(0x5d*0xd+0x32c) % 0x3e8==0x15<-------这个值如果为0,就用1代入
3) (0x12c-0xdc+0x15+0x1) % 0x3e8==0x66
4) 注册码:123456789043434
5) ((0x1+0x2)*0x66) % 0xa==0x6<----------注册码的第11位
((0x3+0x4)*0x66) % 0xa==0x4<----------注册码的第12位
((0x5+0x6)*0x66) % 0xa==0x2<----------注册码的第13位
((0x7+0x8)*0x66) % 0xa==0x0<----------注册码的第14位
((0x9+0x0)*0x66) % 0xa==0x8<----------注册码的第15位
所以:
用户名:LANCELOT[CCG] 注册码: 12345-67890-64208
Crack by lancelot[CCG][FCG]
2001.09.08
- 标 题:Guitar Pro v3.0 的破文 (11千字)
- 作 者:lancelot[CCG]
- 时 间:2001-9-8 23:08:48
- 链 接:http://bbs.pediy.com