注册Talisman
by Fpc[CCG] & 6767[BCG]
tools: Trw2000, Wdasm
level: 1/5
软件名称:Talisman
整理日期:2001.8.15
最新版本:1.76
文件大小:2278KB
软件授权:共享软件
使用平台:Win9x/Me/NT/2000
发布公司:Home Page
软件简介:这是一套可将Windows的桌面环境改变成宛如置身多媒体光碟环境的软件,内建以Themes为主轴,可加入按钮、图片等来当成捷径且可有如JAVA按钮的效果,也可用程序本身的Icon文件来使用,另可编辑图片的变化模式,让您的桌面环境更炫、更美。
下 载:http://gt.onlinedown.net/down/talisman.zip
你可试试这个小东东,使你的桌面变漂亮起来,注册很简单,下面是过程:
这一段代码是你按“register”后程序会做的。在左下角的开始项选“关于和注册”,输入你的信息,到Trw2000中下bpx hmemcpy。回来,按注册,被中断。打命令Pmodule,不过你还需要按几次F12才能返回到主线中来:
[Begin]
:0047AB28 55
push ebp
:0047AB29 8BEC
mov ebp, esp
... ...
:0047AB45 8D55F4
lea edx, dword ptr [ebp-0C] <- 缓冲区了
:0047AB48 8B83E0020000 mov eax, dword
ptr [ebx+000002E0] <- 这个是注册码的编辑框
:0047AB4E E84903FBFF call 0042AE9C
<- 这个call是读取编辑框的内容,下面会几次用到
:0047AB53 837DF400 cmp
dword ptr [ebp-0C], 00000000 <- 是否有输入
:0047AB57 0F8460010000 je 0047ACBD
<- 没有就跳走。小经验:当你发现跳转比较远时,通常是跳向错误的地方;
<- 而且你可根据跳转距离的长短大致判断出程序代码的强度,这个就不会太强。
:0047AB5D 8D55F0
lea edx, dword ptr [ebp-10]
:0047AB60 8B83E4020000 mov eax, dword
ptr [ebx+000002E4] <- 这个是名字
:0047AB66 E83103FBFF call 0042AE9C
:0047AB6B 837DF000 cmp
dword ptr [ebp-10], 00000000 <- 是否输入名字
:0047AB6F 0F8448010000 je 0047ACBD
:0047AB75 8D55F4
lea edx, dword ptr [ebp-0C]
:0047AB78 8B83E0020000 mov eax, dword
ptr [ebx+000002E0]
:0047AB7E E81903FBFF call 0042AE9C
<- 保险起见,它又读了一次注册码
:0047AB83 8B45F4
mov eax, dword ptr [ebp-0C]
:0047AB86 E82DD5F8FF call 004080B8
<- 这个我没有跟进去,根据上下的代码判断,这个可能是将输入的String变为Int。
:0047AB8B 8945EC
mov dword ptr [ebp-14], eax <- 果然是,输入的:123654,返回:eax=0x1E306。运气,否则要跟进去作苦工了。
:0047AB8E DB45EC
fild dword ptr [ebp-14] <- 装整数到浮点寄存器st(0),如果用softice看得清楚些
:0047AB91 E8D67DF8FF call 0040296C
>>>>>>>>
|
:0040296C 83EC08
sub esp, 00000008
:0040296F DF3C24
fistp qword ptr [esp] <-
st(0)内容到[esp]
:00402972 9B
wait
:00402973 58
pop eax
<- 结果保存到eax
:00402974 5A
pop edx
<- 保持堆栈平衡,没别的用处
:00402975 C3
ret
<<<<<<<<
:0047AB96 8945FC
mov dword ptr [ebp-04], eax <- 保存结果到这里
:0047AB99 8D55F8
lea edx, dword ptr [ebp-08]
:0047AB9C 8B83E4020000 mov eax, dword
ptr [ebx+000002E4]
:0047ABA2 E8F502FBFF call 0042AE9C
<- 读名字编辑框
:0047ABA7 33F6
xor esi, esi
<- 使esi=0,下面有用到
:0047ABA9 8B45F8
mov eax, dword ptr [ebp-08]
:0047ABAC E80F91F8FF call 00403CC0
<- 上下文判断是取名字的长度,果然是(不是感觉敏锐,而是软件简单)
>>>>>>
|
:00403CC0 85C0
test eax, eax
:00403CC2 7403
je 00403CC7
:00403CC4 8B40FC
mov eax, dword ptr [eax-04] <- 此处是字符串长度
|
:00403CC7 C3
ret
<<<<<<<
:0047ABB1 85C0
test eax, eax
:0047ABB3 7E13
jle 0047ABC8
:0047ABB5 BA01000000 mov edx,
00000001 <- edx=1,是个循环变量
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047ABC6(C)
<- 这个小循环根据名字生成累加和
|
:0047ABBA 8B4DF8
mov ecx, dword ptr [ebp-08] <- ecx指向名字
:0047ABBD 0FB64C11FF movzx ecx,
byte ptr [ecx+edx-01] <- 顺序取第i个字符
:0047ABC2 03F1
add esi, ecx
<- 累加到esi
:0047ABC4 42
inc edx
:0047ABC5 48
dec eax
:0047ABC6 75F2
jne 0047ABBA
<- 未完继续
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047ABB3(C)
|
:0047ABC8 8975EC
mov dword ptr [ebp-14], esi <- 保存到这里
:0047ABCB DB45EC
fild dword ptr [ebp-14] <- 还是装到st(0)
:0047ABCE E8997DF8FF call 0040296C
<- 见上面
:0047ABD3 69C009030000 imul eax, 00000309
<- 累加和与0x309相乘
:0047ABD9 8BF0
mov esi, eax
:0047ABDB 3B75FC
cmp esi, dword ptr [ebp-04] <- 与你输入的注册码比较,显然一致就成功,否则失败
:0047ABDE 0F85BF000000 jne 0047ACA3
:0047ABE4 B201
mov dl, 01
... ... 这段代码是保存注册码到注册表中,省略
:0047ACA1 EB1A
jmp 0047ACBD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047ABDE(C)
|
:0047ACA3 B201
mov dl, 01
:0047ACA5 8B83FC020000 mov eax, dword
ptr [ebx+000002FC]
:0047ACAB E80401FBFF call 0042ADB4
:0047ACB0 B201
mov dl, 01
:0047ACB2 8B8300030000 mov eax, dword
ptr [ebx+00000300]
:0047ACB8 E80B01FDFF call 0044ADC8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047AB57(C), :0047AB6F(C), :0047ACA1(U)
|
:0047ACBD 33C0
xor eax, eax
:0047ACBF 5A
pop edx
:0047ACC0 59
pop ecx
:0047ACC1 59
pop ecx
:0047ACC2 648910
mov dword ptr fs:[eax], edx
:0047ACC5 68EFAC4700 push 0047ACEF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047ACED(U)
|
:0047ACCA 8D45E8
lea eax, dword ptr [ebp-18]
:0047ACCD E8728DF8FF call 00403A44
:0047ACD2 8D45F0
lea eax, dword ptr [ebp-10]
:0047ACD5 BA02000000 mov edx,
00000002
:0047ACDA E8898DF8FF call 00403A68
:0047ACDF 8D45F8
lea eax, dword ptr [ebp-08]
:0047ACE2 E85D8DF8FF call 00403A44
:0047ACE7 C3
ret
:0047ACE8 E99387F8FF jmp 00403480
:0047ACED EBDB
jmp 0047ACCA
:0047ACEF 5E
pop esi
:0047ACF0 5B
pop ebx
:0047ACF1 8BE5
mov esp, ebp
:0047ACF3 5D
pop ebp
:0047ACF4 C3
ret <-
返回
注册机制:名字累加和 * 0x309,结果就是注册码。
作者可能是不指望用这个软件来赚钱,所以不作注册机。可用注册码:
Name:Fpc[CCG]
Code:520590
Name:6767[BCG]
Code:470862
注册表中位置:
REGEDIT4
[HKEY_CURRENT_USER\Software\Lighttek\Talisman]
"username"="YourName"
"usercode"=hex:EncryptData
- 标 题:找一个软柿子:注册Talisman 1.76 (6千字)
- 作 者:6767[BCG]
- 时 间:2001-8-16 1:42:22
- 链 接:http://bbs.pediy.com