魔法转换 v2.1 Beta 2 测试版
http://www.keksoft.com
email:support@keksoft.com
作者:X man or lb[BCG][CCG]
简介
====
功能强大的图像转换工具。包括图像浏览、批量转换、图像增强及作品预览四
大部分。图像增强包括调整图像大小、调整层次、旋转、镜像,还有锐化、模
糊、马赛克、浮雕、底片、旋涡、喷雾等效果。你可以将这些效果自定义成方
案,然后再进行批量转换。而且它还支持拖入文件到批量转换列表。它的输出
格式为:bmp、jpg、gif、png、tif、wmf、emf、tga、ico,还包括txt、rtf、
htm、mmc等特效格式。特效格式包括正常模式、缩小一倍、缩小两倍、原图大
小、彩字单一、彩字规律。同时它还能方便的将图像生成.EXE可执行文件。
等级:VERY EASY
目标:破解15天试用的限制
今天打开魔法转换来转几幅图,没想到双击之后却弹出个NAG,说15天试用已到,请
注册云云……
于是拿出宝刀(调试工具),把拦路虎砍掉。
废话少说,先用FI检测有无加壳,一试,555555~~,居然有,是ASP的壳,没关系,用
CASPR一下就搞定。(懒人有懒福,不用手动脱壳,哈哈!)
用W32DASM反编译后,来到程序入口处:
; Program entry point (00578890) as listed by W32Dasm from the unpacked file.
; The excerpt stops at 0057894E; the jump targets 00578953 and 00578A51 are
; not part of the listing.
:00578890 55
push ebp
:00578891 8BEC
mov ebp, esp
:00578893 83C4F0
add esp, FFFFFFF0
:00578896 53
push ebx
:00578897 33C0
xor eax, eax
:00578899 8945F0
mov dword ptr [ebp-10], eax
:0057889C B890835700 mov eax,
00578390
:005788A1 E832E7E8FF call 00406FD8
:005788A6 8B1DDCE65700 mov ebx, dword
ptr [0057E6DC]
; Link an exception-handler record at fs:[0] (EAX is zero here): handler
; address 00578A67, the previous record, then fs:[0] = esp.
:005788AC 33C0
xor eax, eax
:005788AE 55
push ebp
:005788AF 68678A5700 push 00578A67
:005788B4 64FF30
push dword ptr fs:[eax]
:005788B7 648920
mov dword ptr fs:[eax], esp
:005788BA 8B03
mov eax, dword ptr [ebx]
:005788BC E82FE9EDFF call 004571F0
:005788C1 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"魔法转换 2.1 Beta 2"
|
:005788C3 BA7C8A5700 mov edx,
00578A7C
:005788C8 E827E5EDFF call 00456DF4
; Load the pointer stored at 0057E890, dereference it and call 00564E54 with
; it in EAX; only AL of the result is tested afterwards.
:005788CD A190E85700 mov eax,
dword ptr [0057E890]
:005788D2 8B00
mov eax, dword ptr [eax]
:005788D4 E87BC5FEFF call 00564E54
:005788D9 84C0
test al, al
; NOTE(review): the whole trial decision is the single byte returned in AL by
; 00564E54 plus the one conditional branch below. A licence gate that is one
; boolean test in shipped client code is a single point of failure; tying the
; decision to cryptographically verified licence data and checking it where
; the licensed features are actually used makes the gate harder to bypass.
:005788DB 7432
je 0057890F---------》这里就是判断是否
进入主程序的
所以改成jmp 0057890F
(即EB32)
; Fall-through path (AL != 0): two calls to 00457208 and one to 00457288,
; then a jump to 00578A51. Per the author's annotation above this is the path
; that does not reach the main program.
; NOTE(review): the "鵆" string references below look like disassembler false
; positives; each instruction loads a dword from memory rather than taking a
; string address.
:005788DD 8B0D90E85700 mov ecx, dword
ptr [0057E890]
:005788E3 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"鵆"
|
:005788E5 8B1544435600 mov edx, dword
ptr [00564344]
:005788EB E818E9EDFF call 00457208
:005788F0 8B0DECE55700 mov ecx, dword
ptr [0057E5EC]
:005788F6 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"鵆"
|
:005788F8 8B15503B5600 mov edx, dword
ptr [00563B50]
:005788FE E805E9EDFF call 00457208
:00578903 8B03
mov eax, dword ptr [ebx]
:00578905 E87EE9EDFF call 00457288
:0057890A E942010000 jmp 00578A51
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005788DB(C)
|
; Target of the branch at 005788DB. Presumably 00402A98 / 00402AF8 return the
; argument count and argument 1, and 00404198 is a string compare, so the
; first command-line argument is tested against "-toweb" (TODO confirm: the
; callees are not shown).
:0057890F E884A1E8FF call 00402A98
:00578914 85C0
test eax, eax
:00578916 7E3B
jle 00578953
:00578918 8D55F0
lea edx, dword ptr [ebp-10]
:0057891B B801000000 mov eax,
00000001
:00578920 E8D3A1E8FF call 00402AF8
:00578925 8B45F0
mov eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"-toweb"
|
:00578928 BA988A5700 mov edx,
00578A98
:0057892D E866B8E8FF call 00404198
:00578932 751F
jne 00578953
:00578934 8B0DECE65700 mov ecx, dword
ptr [0057E6EC]
:0057893A 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"鵆"
|
:0057893C 8B1590A55600 mov edx, dword
ptr [0056A590]
:00578942 E8C1E8EDFF call 00457208
:00578947 8B03
mov eax, dword ptr [ebx]
:00578949 E83AE9EDFF call 00457288
:0057894E E9FE000000 jmp 00578A51
程序可以进了,可是没有注册号就是不爽,好吧!跟我来:
; NOTE(review): 00563F60..00563F7B does not look like code. The bytes read as
; the dword 00000014 followed by 0x14 bytes that all have the high bit set and
; then zero bytes, which fits a length-prefixed string constant in a
; double-byte encoding that the linear disassembler decoded as instructions.
; The mnemonics in this run should be ignored; the routine proper starts at
; 00563F7C.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563EF5(C)
|
:00563F60 1400
adc al, 00
:00563F62 0000
add byte ptr [eax], al
:00563F64 CE
into
:00563F65 D2D7
rcl bh, cl
:00563F67 D4BA
aam (base186)
:00563F69 C0A3ACCED2D2D1 shl byte ptr [ebx+D2D2CEAC],
D1
:00563F70 BEADD7A2B2 mov esi,
B2A2D7AD
:00563F75 E1A3
loopz 00563F1A
:00563F77 A100000000 mov eax,
dword ptr [00000000]
; Routine starting at 00563F7C. Judging by the strings it references (the
; empty-name prompt, "name", "code", the success message) it handles the
; registration dialog's confirm action (TODO confirm). EAX on entry is kept in
; EBX and used as the base for the +2E4 / +2E8 / +2F0 / +2F4 member loads.
; The excerpt ends at 005640C8, before the call that consumes the last pushes.
:00563F7C 55
push ebp
:00563F7D 8BEC
mov ebp, esp
; Eight zeroed dwords are pushed: these become the locals [ebp-04]..[ebp-20]
; that receive string results below.
:00563F7F 33C9
xor ecx, ecx
:00563F81 51
push ecx
:00563F82 51
push ecx
:00563F83 51
push ecx
:00563F84 51
push ecx
:00563F85 51
push ecx
:00563F86 51
push ecx
:00563F87 51
push ecx
:00563F88 51
push ecx
:00563F89 53
push ebx
:00563F8A 56
push esi
:00563F8B 8BD8
mov ebx, eax
; Link an exception-handler record at fs:[0] (EAX is zero here): handler
; address 0056410F, the previous record, then fs:[0] = esp.
:00563F8D 33C0
xor eax, eax
:00563F8F 55
push ebp
:00563F90 680F415600 push 0056410F
:00563F95 64FF30
push dword ptr fs:[eax]
:00563F98 648920
mov dword ptr fs:[eax], esp
; 00438B90 is called with EAX = [ebx+2E4] and EDX = &[ebp-04]; per the
; author's annotation the result in [ebp-04] is the entered name.
:00563F9B 8D55FC
lea edx, dword ptr [ebp-04]
:00563F9E 8B83E4020000 mov eax, dword
ptr [ebx+000002E4]
:00563FA4 E8E74BEDFF call 00438B90
:00563FA9 837DFC00 cmp
dword ptr [ebp-04], 00000000-----比较姓名是否为空
:00563FAD 7518
jne 00563FC7-------------不为空就跳走
; Empty name: MessageBoxA(0, text at 00564124, caption at 0056411C, 0x30),
; then leave through 005640CF.
:00563FAF 6A30
push 00000030
:00563FB1 681C415600 push 0056411C
* Possible StringData Ref from Code Obj ->"请输入姓名!"
|
:00563FB6 6824415600 push 00564124
:00563FBB 6A00
push 00000000
* Reference To: user32.MessageBoxA, Ord:0000h
|
:00563FBD E8AA3BEAFF Call 00407B6C
:00563FC2 E908010000 jmp 005640CF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563FAD(C)
|
; The [ebx+2E8] text goes to [ebp-08] and is kept on the stack; the
; [ebx+2E4] text goes to [ebp-10] and is passed in EAX to 0055D994 with
; EDX = &[ebp-0C] as the output slot.
:00563FC7 8D55F8
lea edx, dword ptr [ebp-08]
:00563FCA 8B83E8020000 mov eax, dword
ptr [ebx+000002E8]
:00563FD0 E8BB4BEDFF call 00438B90
:00563FD5 8B45F8
mov eax, dword ptr [ebp-08]
:00563FD8 50
push eax
:00563FD9 8D55F0
lea edx, dword ptr [ebp-10]
:00563FDC 8B83E4020000 mov eax, dword
ptr [ebx+000002E4]
:00563FE2 E8A94BEDFF call 00438B90
:00563FE7 8B45F0
mov eax, dword ptr [ebp-10]
; NOTE(review): design weakness. The expected code is derived from the name
; inside the client (0055D994) and then sits as a plain string next to the
; entered one for the comparison at 00404198, so the valid value exists in
; process memory for any name typed in. A scheme in which the client only
; verifies a vendor signature over the licence data with an embedded public
; key never has to materialise the expected value on the user's machine.
:00563FEA 8D55F4
lea edx, dword ptr [ebp-0C]
:00563FED E8A299FFFF call 0055D994
:00563FF2 8B55F4
mov edx, dword ptr [ebp-0C]-----这几处好眼熟,没错!
:00563FF5 58
pop eax------------------------D一下就可以看到真的
:00563FF6 E89D01EAFF call 00404198------------------注册码
:00563FFB 0F85CE000000 jne 005640CF-------------------
; Match path: 0055D64C fills [ebp-14], "\win.ini" is appended through
; 00404090, and 00472D3C builds an object whose pointer is stored at 005813C8
; (presumably an INI-file object for the Windows directory; TODO confirm).
:00564001 8D45EC
lea eax, dword ptr [ebp-14]
:00564004 E84396FFFF call 0055D64C
:00564009 8D45EC
lea eax, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"\win.ini"
|
:0056400C BA3C415600 mov edx,
0056413C
:00564011 E87A00EAFF call 00404090
:00564016 8B4DEC
mov ecx, dword ptr [ebp-14]
:00564019 B201
mov dl, 01
; NOTE(review): the "\3G" string reference below looks like a disassembler
; false positive; the instruction loads a dword from 00472BEC rather than
; taking a string address.
* Possible StringData Ref from Code Obj ->"\3G"
|
:0056401B A1EC2B4700 mov eax,
dword ptr [00472BEC]
:00564020 E817EDF0FF call 00472D3C
:00564025 A3C8135800 mov dword
ptr [005813C8], eax
; Two virtual calls through [esi+04] on that object, both with "magct" in
; EDX: first ECX = "name" with the [ebx+2E4] text pushed, then ECX = "code"
; with the [ebx+2E8] text pushed.
; NOTE(review): the entered pair is persisted verbatim. Nothing in this
; listing shows integrity protection or binding to the machine, which matches
; the author's remark that the code is kept in WIN.INI.
:0056402A 8D55E8
lea edx, dword ptr [ebp-18]
:0056402D 8B83E4020000 mov eax, dword
ptr [ebx+000002E4]
:00564033 E8584BEDFF call 00438B90
:00564038 8B45E8
mov eax, dword ptr [ebp-18]
:0056403B 50
push eax
* Possible StringData Ref from Code Obj ->"name"
|
:0056403C B950415600 mov ecx,
00564150
* Possible StringData Ref from Code Obj ->"magct"
|
:00564041 BA60415600 mov edx,
00564160
:00564046 A1C8135800 mov eax,
dword ptr [005813C8]
:0056404B 8B30
mov esi, dword ptr [eax]
:0056404D FF5604
call [esi+04]
:00564050 8D55E4
lea edx, dword ptr [ebp-1C]
:00564053 8B83E8020000 mov eax, dword
ptr [ebx+000002E8]
:00564059 E8324BEDFF call 00438B90
:0056405E 8B45E4
mov eax, dword ptr [ebp-1C]
:00564061 50
push eax
* Possible StringData Ref from Code Obj ->"code"
|
:00564062 B970415600 mov ecx,
00564170
* Possible StringData Ref from Code Obj ->"magct"
|
:00564067 BA60415600 mov edx,
00564160
:0056406C A1C8135800 mov eax,
dword ptr [005813C8]
:00564071 8B30
mov esi, dword ptr [eax]
:00564073 FF5604
call [esi+04]
; 00403090 is called on the object at 005813C8 (presumably its release;
; TODO confirm).
:00564076 A1C8135800 mov eax,
dword ptr [005813C8]
:0056407B E810F0E9FF call 00403090
; UI update: 00438BC0 is called with the [ebx+2F4] member and the "关闭"
; string, then a virtual call through [ecx+5C] on the [ebx+2F0] member with
; EDX = 0.
* Possible StringData Ref from Code Obj ->"关闭"
|
:00564080 BA80415600 mov edx,
00564180
:00564085 8B83F4020000 mov eax, dword
ptr [ebx+000002F4]
:0056408B E8304BEDFF call 00438BC0
:00564090 33D2
xor edx, edx
:00564092 8B83F0020000 mov eax, dword
ptr [ebx+000002F0]
:00564098 8B08
mov ecx, dword ptr [eax]
:0056409A FF515C
call [ecx+5C]
; Builds the name text followed by the success string and pushes
; message-box style arguments (0x40, caption at 00564188, text, 0); the call
; itself lies past the end of the excerpt.
:0056409D 6A40
push 00000040
* Possible StringData Ref from Code Obj ->"魔法转换"
|
:0056409F 6888415600 push 00564188
:005640A4 8D55E0
lea edx, dword ptr [ebp-20]
:005640A7 8B83E4020000 mov eax, dword
ptr [ebx+000002E4]
:005640AD E8DE4AEDFF call 00438B90
:005640B2 8D45E0
lea eax, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->",恭喜你成功注册!"
|
:005640B5 BA9C415600 mov edx,
0056419C
:005640BA E8D1FFE9FF call 00404090
:005640BF 8B45E0
mov eax, dword ptr [ebp-20]
:005640C2 E88501EAFF call 0040424C
:005640C7 50
push eax
:005640C8 6A00
push 00000000
于是得到
name=lb[CCG]
code=069002CA017C
后记:
该软件的注册码放在WINDOWS目录下的WIN.INI里面
由于没时间了,对软件是否完全破完我没有测试。请高手指教
.---._ ___
--===^ ~-......---.==\\\
/' _/-/ \ )))
`-~~ \ , ___\ ) ((
/ /---~~ \(`\( ))
</'|; .---" \>
| | " |
`" ; ;
X man or lb[BCG][CCG]
QQ:9832285
E-mail:lbcool@elong.com
2001.10.28 17:50
- 标 题:破解魔法转换 v2.1 Beta 2 测试版 (11千字)
- 作 者:lb[CCG]
- 时 间:2001-10-28 17:59:37
- 链 接:http://bbs.pediy.com