全面分析 卸载精灵v1.20 注册算法
软件名称:卸载精灵v1.20
软件简介:已经厌倦了WINDOWS控制面板那个功能很弱的“添加/删除程序”了吗?你是否发现你的电脑里面有些软件无法卸载?卸载精灵的智能卸载功能可以干净彻底地卸载软件,包括那些无法正常卸载的程序它都可以帮您卸载。
未注册版限制:软件只能被使用10次,即只能用该软件卸载10个程序。
下载地址:http://cn.geocities.com/legendsoftcn/clean120.zip
破解工具:TRW2000 1.22汉化版、W32DASM 8.93汉化版、PE iDentifier 0.7 Beta 汉化版、Hiew6.76。
破解人:飞鹰[BCG]
E-mail:flithawk@263.net
网址:http://flithawk.longcity.net
破解步骤:
一、暴破软件:(破除软件只能使用10次的限制)
首先,用 W32DASM 编译软件,查找注册码错误信息“软件试用期已到”,找到后,向上分析就可以知道软件是如何限制使用次数的。分析过程如下:
* Possible StringData Ref from Data Obj ->"SOFTWARE\Legendsoft\SysCleaner"
|
:00402FA2 68D0F04200
push 0042F0D0
:00402FA7 8D4C2434
lea ecx, dword ptr [esp+34]
:00402FAB C784248402000000000000 mov dword ptr [esp+00000284], 00000000
:00402FB6 89442418
mov dword ptr [esp+18], eax
:00402FBA 89442430
mov dword ptr [esp+30], eax
:00402FBE E8E88D0100
call 0041BDAB
:00402FC3 8B542430
mov edx, dword ptr [esp+30]
:00402FC7 8D4C2424 lea
ecx, dword ptr [esp+24]
:00402FCB 51
push ecx
:00402FCC 683F000F00
push 000F003F
:00402FD1 6A00
push 00000000
:00402FD3
52
push edx
:00402FD4 6802000080
push 80000002
:00402FD9 FFD5
call ebp
:00402FDB 8D44242C
lea eax, dword ptr [esp+2C]
:00402FDF 8D4C2434
lea ecx, dword ptr [esp+34]
:00402FE3 50
push eax
:00402FE4 8B442428
mov eax, dword ptr [esp+28]
:00402FE8 8D542418
lea edx, dword ptr [esp+18]
:00402FEC
51
push ecx
:00402FED 52
push edx
:00402FEE 6A00
push 00000000
* Possible StringData
Ref from Data Obj ->"UseCount"
|
:00402FF0 68F0F04200 push
0042F0F0
:00402FF5 50
push eax
==>上面的大概过程是:查找并打开注册表的相关的键值
* Reference
To: ADVAPI32.RegQueryValueExA, Ord:017Bh
==>RegQueryValueExA 的意思是:与注册表中的键值相比较
|
:00402FF6 FF1504504200
Call dword ptr [00425004]
:00402FFC 837C24340A
cmp dword ptr [esp+34], 0000000A
==>比较软件是否已经使用了10次
:00403001 7632
jbe 00403035
==>如果大于10,不跳转就OVER了;小于10,跳转则可继续使用
:00403003 6A10
push 00000010
* Possible StringData Ref from Data Obj ->"卸载精灵"
|
:00403005 689CF24200
push 0042F29C
* Possible StringData
Ref from Data Obj ->"软件试用期已到,如果要继续使用请注册,软件注册"
->"方法请查看帮助信息"
|
==>软件的出错信息,就是我们查找到的地方
:0040300A 6858F24200
push 0042F258
:0040300F 8BCE
mov ecx, esi
:00403011 E875700100
call 0041A08B
:00403016 8B4C2424
mov ecx, dword ptr [esp+24]
:0040301A 51
push ecx
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:0040301B FF1500504200
Call dword ptr [00425000]
:00403021 C7842480020000FFFFFFFF
mov dword ptr [esp+00000280], FFFFFFFF
:0040302C 8D4C2430
lea ecx, dword ptr [esp+30]
:00403030
E9A2040000 jmp 004034D7
所以,最终的修改方法有两种:
1、将 00402FFC 处的 837C24340A 改为:837C2434FF,即把只能10次,改为可以使用255次。
2、将 00403001 处的 7632 改为:9090,即让软件没有使用次数限制。
或者,你可以把注册表中 HKEY_LOCAL_MACHINE\Software\Legendsoft
下的 SysCleaner 项删除,就又可以使用10次了,不过这样做没有多少意思。
二、追注册码:(分析出该软件真正的注册码)
:00403BE1 8D6E5C
lea ebp, dword ptr [esi+5C]
:00403BE4 8D442410
lea eax, dword ptr [esp+10]
:00403BE8 50
push eax
:00403BE9 8BCD
mov ecx, ebp
:00403BEB C644242C01
mov [esp+2C], 01
:00403BF0 E8DD580100
call 004194D2
:00403BF5 8D4C2414
lea ecx, dword ptr [esp+14]
:00403BF9
8DBE98000000 lea edi, dword ptr [esi+00000098]
:00403BFF 51
push ecx
:00403C00 8BCF
mov ecx, edi
:00403C02 E8CB580100
call 004194D2
:00403C07 8B542414
mov edx, dword ptr [esp+14]
:00403C0B 6874134300 push 00431374
:00403C10 52
push edx
:00403C11 E89B830000
call 0040BFB1
:00403C16 83C408
add esp, 00000008
:00403C19 85C0
test eax, eax
==>判断你输入注册名是否为空
:00403C1B 0F8458010000 je 00403D79
==>输入的注册名为空,将跳转,出现错误信息
:00403C21 8B442410
mov eax, dword ptr [esp+10]
:00403C25 6874134300
push 00431374
:00403C2A 50
push eax
:00403C2B E881830000 call
0040BFB1
:00403C30 83C408
add esp, 00000008
:00403C33 85C0
test eax, eax
==>判断你输入注册码是否为空
:00403C35 0F843E010000 je 00403D79
==>输入的注册码为空,将跳转,出现错误信息
:00403C3B 51
push ecx
:00403C3C 8D542414
lea edx, dword ptr [esp+14]
:00403C40
8BCC mov
ecx, esp
:00403C42 89642420
mov dword ptr [esp+20], esp
:00403C46 52
push edx
:00403C47 E88F7D0100
call 0041B9DB
:00403C4C 8B0D70134300
mov ecx, dword ptr [00431370]
:00403C52
E8D9FCFFFF call 00403930
==>此 Call 是注册码的算法部分,应该跟踪进入
:00403C57 3BC3
cmp eax, ebx
==>判断eax与ebx中的值是否相等
:00403C59 0F84DC000000 je 00403D3B
==>如果相等,跳转将注册失败;不相等,不跳转将注册成功
:00403C5F A100F54200
mov eax, dword ptr [0042F500]
:00403C64 8944241C
mov dword ptr [esp+1C], eax
* Possible StringData Ref from Data Obj ->"SOFTWARE\Legendsoft\SysCleaner"
|
:00403C68 68D0F04200
push 0042F0D0
:00403C6D 8D4C2420
lea ecx, dword ptr [esp+20]
:00403C71 C644242C02 mov [esp+2C],
02
:00403C76 E830810100 call
0041BDAB
:00403C7B 8B54241C
mov edx, dword ptr [esp+1C]
:00403C7F 8D4C2418
lea ecx, dword ptr [esp+18]
:00403C83
51
push ecx
:00403C84 683F000F00
push 000F003F
:00403C89 53
push ebx
:00403C8A 52
push edx
:00403C8B 6802000080
push 80000002
* Reference
To: ADVAPI32.RegOpenKeyExA, Ord:0172h
|
:00403C90 FF1508504200 Call dword
ptr [00425008]
:00403C96 8B442410
mov eax, dword ptr [esp+10]
:00403C9A 8D4C2410
lea ecx, dword ptr [esp+10]
:00403C9E
8B40F8 mov eax,
dword ptr [eax-08]
:00403CA1 50
push eax
:00403CA2 50
push eax
:00403CA3
E891820100 call 0041BF39
:00403CA8 8B4C241C mov
ecx, dword ptr [esp+1C]
* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:00403CAC 8B3D0C504200
mov edi, dword ptr [0042500C]
:00403CB2
50
push eax
:00403CB3 6A01
push 00000001
:00403CB5 53
push ebx
* Possible StringData
Ref from Data Obj ->"RegCode"
|
:00403CB6
6800F14200 push 0042F100
:00403CBB 51
push ecx
:00403CBC FFD7
call edi
:00403CBE 6AFF
push FFFFFFFF
:00403CC0 8D4C2414
lea ecx, dword ptr [esp+14]
:00403CC4 E8BF820100 call 0041BF88
:00403CC9 8B542414
mov edx, dword ptr [esp+14]
:00403CCD 8D4C2414
lea ecx, dword ptr [esp+14]
:00403CD1 8B42F8
mov eax, dword ptr [edx-08]
:00403CD4 50
push eax
:00403CD5 50
push eax
:00403CD6 E85E820100
call 0041BF39
:00403CDB 50
push eax
:00403CDC
8B442420 mov eax, dword
ptr [esp+20]
:00403CE0 6A01
push 00000001
:00403CE2 53
push ebx
* Possible
StringData Ref from Data Obj ->"RegName"
|
:00403CE3 68C8F04200 push
0042F0C8
:00403CE8 50
push eax
:00403CE9 FFD7
call edi
:00403CEB 6AFF
push FFFFFFFF
:00403CED
8D4C2418 lea ecx, dword
ptr [esp+18]
:00403CF1 E892820100
call 0041BF88
:00403CF6 8B4C2418
mov ecx, dword ptr [esp+18]
:00403CFA 51
push ecx
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00403CFB FF1500504200
Call dword ptr [00425000]
:00403D01 6A40
push 00000040
==>上面的大概过程是:把已注册成功的名称和注册码写入到注册表相关的键值中
* Possible StringData Ref from Data Obj ->"软件注册"
|
:00403D03 68F8F24200
push 0042F2F8
* Possible StringData Ref from Data Obj
->"注册成功"
|
:00403D08 68ECF24200
push 0042F2EC
:00403D0D 8BCE
mov ecx, esi
:00403D0F E877630100 call 0041A08B
:00403D14 8B0D70134300 mov ecx,
dword ptr [00431370]
* Possible StringData Ref from Data Obj ->"卸载精灵"
|
:00403D1A 689CF24200
push 0042F29C
:00403D1F E85D750100
call 0041B281
:00403D24 8BCE
mov ecx, esi
:00403D26 E8C8470100 call 004184F3
:00403D2B 8D4C241C
lea ecx, dword ptr [esp+1C]
:00403D2F C644242801
mov [esp+28], 01
:00403D34 E82D7F0100
call 0041BC66
:00403D39 EB7F
jmp 00403DBA
==>上面是:软件注册成功后,软件给出的提示信息
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C59(C)
|
:00403D3B 6A10
push 00000010
* Possible StringData
Ref from Data Obj ->"软件注册"
|
:00403D3D
68F8F24200 push 0042F2F8
* Possible StringData Ref from Data Obj ->"注册码错误!请重新输入"
|
:00403D42 68D4F24200
push 0042F2D4
:00403D47 8BCE
mov ecx, esi
:00403D49 E83D630100
call 0041A08B
:00403D4E 8B542410
mov edx, dword ptr [esp+10]
* Reference To: USER32.SendMessageA, Ord:0214h
|
:00403D52 8B35A4544200
mov esi, dword ptr [004254A4]
:00403D58 8B42F8
mov eax, dword ptr [edx-08]
:00403D5B
50
push eax
:00403D5C 8B451C
mov eax, dword ptr [ebp+1C]
:00403D5F 53
push ebx
:00403D60
68B1000000 push 000000B1
:00403D65 50
push eax
:00403D66 FFD6
call esi
:00403D68 8B4D1C
mov ecx, dword ptr [ebp+1C]
:00403D6B
53
push ebx
:00403D6C 53
push ebx
:00403D6D 68B7000000
push 000000B7
:00403D72 51
push ecx
:00403D73 FFD6
call esi
:00403D75
8BCD mov
ecx, ebp
:00403D77 EB3C
jmp 00403DB5
==>上面是:软件注册失败后,软件给出的提示信息
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403C1B(C), :00403C35(C)
|
:00403D79 6A10
push 00000010
* Possible StringData Ref from Data Obj
->"软件注册"
|
:00403D7B 68F8F24200
push 0042F2F8
* Possible StringData
Ref from Data Obj ->"用户名及注册码不能为空"
|
:00403D80 68BCF24200 push
0042F2BC
:00403D85 8BCE
mov ecx, esi
:00403D87 E8FF620100
call 0041A08B
:00403D8C 8B542414
mov edx, dword ptr [esp+14]
* Reference
To: USER32.SendMessageA, Ord:0214h
|
:00403D90 8B35A4544200 mov esi,
dword ptr [004254A4]
:00403D96 8B42F8
mov eax, dword ptr [edx-08]
:00403D99 50
push eax
:00403D9A
8B471C mov eax,
dword ptr [edi+1C]
:00403D9D 53
push ebx
:00403D9E 68B1000000
push 000000B1
:00403DA3 50
push eax
:00403DA4
FFD6 call
esi
:00403DA6 8B4F1C
mov ecx, dword ptr [edi+1C]
:00403DA9 53
push ebx
:00403DAA 53
push ebx
:00403DAB 68B7000000 push
000000B7
:00403DB0 51
push ecx
:00403DB1 FFD6
call esi
:00403DB3 8BCF
mov ecx, edi
==>上面是:软件注册过程中,如果你输入的用户名及注册码为空时,软件给出的提示信息
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D77(U)
|
:00403DB5 E831760100
call 0041B3EB
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00403D39(U)
|
:00403DBA 8D4C2410
lea ecx, dword ptr [esp+10]
:00403DBE 885C2428 mov
byte ptr [esp+28], bl
:00403DC2 E89F7E0100
call 0041BC66
:00403DC7 8D4C2414
lea ecx, dword ptr [esp+14]
:00403DCB C7442428FFFFFFFF
mov [esp+28], FFFFFFFF
:00403DD3 E88E7E0100
call 0041BC66
:00403DD8 8B4C2420
mov ecx, dword ptr [esp+20]
:00403DDC 5F
pop edi
:00403DDD 5E
pop esi
:00403DDE 5D
pop ebp
:00403DDF 64890D00000000
mov dword ptr fs:[00000000], ecx
:00403DE6 5B
pop ebx
:00403DE7 83C41C
add esp, 0000001C
:00403DEA C3
ret
跟踪进入 00403930 后:
* Referenced
by a CALL at Addresses:
|:004037D3 , :00403C52
|
:00403930
64A100000000 mov eax, dword ptr fs:[00000000]
:00403936 6AFF
push FFFFFFFF
:00403938 6838394200
push 00423938
:0040393D 50
push eax
:0040393E 64892500000000
mov dword ptr fs:[00000000], esp
:00403945 56
push esi
:00403946 8B442414
mov eax, dword ptr [esp+14]
==>EAX中存放着你输入的注册码
:0040394A 8B48F8
mov ecx, dword ptr [eax-08]
:0040394D 83F908
cmp ecx, 00000008
==>判断你输入的注册码位数是否为8位
:00403950 7425
je 00403977
==>如果注册码位数为8位,则跳转;不跳转将注册失败
:00403952 8D4C2414
lea ecx, dword ptr [esp+14]
:00403956 C744240CFFFFFFFF
mov [esp+0C], FFFFFFFF
:0040395E E803830100
call 0041BC66
:00403963 33C0
xor eax, eax
:00403965 8B4C2404
mov ecx, dword ptr [esp+04]
:00403969 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00403970 5E
pop esi
:00403971 83C40C
add esp, 0000000C
:00403974 C20400
ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403950(C)
|
:00403977 8A10 mov dl, byte ptr [eax]
==>取你输入注册码的第 1 位,赋值给 dl
:00403979 0FBE4802 movsx ecx, byte ptr [eax+02]
==>取你输入注册码的第 3 位,赋值给 ecx
:0040397D 0FBEF2 movsx esi, dl
==>将 dl 中的值赋给 esi
:00403980 8D4C31A0 lea ecx, dword ptr [ecx+esi-60]
==>将你输入注册码的第 1 位和第 3 位的值相加后,再减去 60h 并赋给ecx
:00403984 83F907 cmp ecx, 00000007
==>判断 ecx 的值是否为7
:00403987 7425 je 004039AE
==>如果 ecx 的值为7,则跳转继续下面的比较,不跳转将注册失败
:00403989 8D4C2414 lea ecx, dword ptr [esp+14]
:0040398D C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
:00403995 E8CC820100 call 0041BC66
:0040399A 33C0 xor eax, eax
:0040399C 8B4C2404 mov ecx, dword ptr [esp+04]
:004039A0 64890D00000000 mov dword ptr fs:[00000000], ecx
:004039A7 5E pop esi
:004039A8 83C40C add esp, 0000000C
:004039AB C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403987(C)
|
:004039AE 8A4801 mov cl, byte ptr [eax+01]
==>取你输入注册码的第 2 位,赋值给 cl
:004039B1 0FBE7003 movsx esi, byte ptr [eax+03]
==>取你输入注册码的第 4 位,赋值给 esi
:004039B5 0FBEC9 movsx ecx, cl
==>将 cl 中的值赋给 ecx
:004039B8 8D4C0EA0 lea ecx, dword ptr [esi+ecx-60]
==>将你输入注册码的第 2 位和第 4 位的值相加后,再减去 60h 并赋给ecx
:004039BC 83F908 cmp ecx, 00000008
==>判断 ecx 的值是否为8
:004039BF 7425 je 004039E6
==>如果 ecx 的值为8,则跳转继续下面的比较,不跳转将注册失败
:004039C1 8D4C2414 lea ecx, dword ptr [esp+14]
:004039C5 C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
:004039CD E894820100 call 0041BC66
:004039D2 33C0 xor eax, eax
:004039D4 8B4C2404 mov ecx, dword ptr [esp+04]
:004039D8 64890D00000000 mov dword ptr fs:[00000000], ecx
:004039DF 5E pop esi
:004039E0 83C40C add esp, 0000000C
:004039E3 C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004039BF(C)
|
:004039E6 8A4804 mov cl, byte ptr [eax+04]
==>取你输入注册码的第 5 位,赋值给 cl
:004039E9 0FBE7006 movsx esi, byte ptr [eax+06]
==>取你输入注册码的第 7 位,赋值给 esi
:004039ED 0FBEC9 movsx ecx, cl
==>将 cl 中的值赋给 ecx
:004039F0 8D4C0EA0 lea ecx, dword ptr [esi+ecx-60]
==>将你输入注册码的第 5 位和第 7 位的值相加后,再减去 60h 并赋给ecx
:004039F4 83F909 cmp ecx, 00000009
==>判断 ecx 的值是否为9
:004039F7 7425 je 00403A1E
==>如果 ecx 的值为9,则跳转继续下面的比较,不跳转将注册失败
:004039F9 8D4C2414 lea ecx, dword ptr [esp+14]
:004039FD C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
:00403A05 E85C820100 call 0041BC66
:00403A0A 33C0 xor eax, eax
:00403A0C 8B4C2404 mov ecx, dword ptr [esp+04]
:00403A10 64890D00000000 mov dword ptr fs:[00000000], ecx
:00403A17 5E pop esi
:00403A18 83C40C add esp, 0000000C
:00403A1B C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004039F7(C)
|
:00403A1E 8A4805 mov cl, byte ptr [eax+05]
==>取你输入注册码的第 6 位,赋值给 cl
:00403A21 8A4007 mov al, byte ptr [eax+07]
==>取你输入注册码的第 8 位,赋值给 al
:00403A24 0FBEF0 movsx esi, al
==>将 al 中的值赋给 esi
:00403A27 0FBEC9 movsx ecx, cl
==>将 cl 中的值赋给 ecx
:00403A2A 8D4C0EA0 lea ecx, dword ptr [esi+ecx-60]
==>将你输入注册码的第 6 位和第 8 位的值相加后,再减去 60h 并赋给ecx
:00403A2E 83F90A cmp ecx, 0000000A
==>判断 ecx 的值是否为A(16进制),换算为10进制是10
:00403A31 7425 je 00403A58
==>如果 ecx 的值为10,则跳转继续下面的比较,不跳转将注册失败
:00403A33 8D4C2414 lea ecx, dword ptr [esp+14]
:00403A37 C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
:00403A3F E822820100 call 0041BC66
:00403A44 33C0 xor eax, eax
:00403A46 8B4C2404 mov ecx, dword ptr [esp+04]
:00403A4A 64890D00000000 mov dword ptr fs:[00000000], ecx
:00403A51 5E pop esi
:00403A52 83C40C add esp, 0000000C
:00403A55 C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A31(C)
|
:00403A58 0FBEC0 movsx eax, al
==>将你输入注册码的第 8 位(即 al 中的值),赋值给 eax
:00403A5B 0FBECA movsx ecx, dl
==>将你输入注册码的第 1 位(即 dl 中的值),赋值给 ecx
:00403A5E C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
:00403A66 8D5408A0 lea edx, dword ptr [eax+ecx-60]
==>将你输入注册码的第 8 位和第 1 位的值相加后,再减去 60h 并赋给edx
:00403A6A 8D4C2414 lea ecx, dword ptr [esp+14]
:00403A6E 83FA08 cmp edx, 00000008
==>判断 edx 的值是否为8
:00403A71 7419 je 00403A8C
==>如果 ecx 的值为8,则跳转,至此注册码的比较过程完毕;不跳转将注册失败
:00403A73 E8EE810100 call 0041BC66
:00403A78 33C0 xor eax, eax
:00403A7A 8B4C2404 mov ecx, dword ptr [esp+04]
:00403A7E 64890D00000000 mov dword ptr fs:[00000000], ecx
:00403A85 5E pop esi
:00403A86 83C40C add esp, 0000000C
:00403A89 C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A71(C)
|
:00403A8C E8D5810100 call 0041BC66
:00403A91 8B4C2404 mov ecx, dword ptr [esp+04]
:00403A95 B801000000 mov eax, 00000001
:00403A9A 64890D00000000 mov dword ptr fs:[00000000], ecx
:00403AA1 5E pop esi
:00403AA2 83C40C add esp, 0000000C
:00403AA5 C20400 ret 0004
算法总结:
例如:你输入的注册码是:12345678,则注册算法是:
条 件:ASCII码:1 的16进制为31,2 的16进制为32,……(与此类推),8 的16进制为38
第一次:用注册码的第 1 位和第 3 位的值相加,再减去60h(16进制)后,与值 7 相比;
即 31+32-60=3,判断 3 是否与 7 相等;
所以,注册码的第 1 位可以是ASCII码8(16进制为38),第 3 位可以是ASCII码/(16进制为2A)
第二次:用注册码的第 2 位和第 4 位的值相加,再减去60h(16进制)后,与值 8 相比;
即 32+34-60=6,判断 6 是否与 8 相等;
所以,注册码的第 2 位可以是ASCII码8(16进制为38),第 4 位可以是ASCII码0(16进制为30)
第三次:用注册码的第 5 位和第 7 位的值相加,再减去60h(16进制)后,与值 9 相比;
即 35+37-60=12(16进制为C),判断 12 是否与 9 相等;
所以,注册码的第 5 位可以是ASCII码9(16进制为39),第 7 位可以是ASCII码0(16进制为30)
第四次:用注册码的第 6 位和第 8 位的值相加,再减去60h(16进制)后,与值 10 相比;
即 36+38-60=14(16进制为E),判断 14 是否与 9 相等;
所以,注册码的第 6 位可以是ASCII码:(16进制为40),第 7 位可以是ASCII码0(16进制为30)
第五次:用注册码的第 8 位和第 1 位的值相加,再减去60h(16进制)后,与值 8 相比;
即 38+31-60=9(16进制为E),判断 9 是否与 8 相等;
所以,注册码的第 8 位可以是ASCII码0(16进制为30),第 1 位可以是ASCII码8(16进制为38)
软件就这样计算出了真正的注册码。最后得到的真正注册码为:88/09:00,注意该注册码不是唯一的,按此算法还可以得到其它的注册码,该软件的注册码与注册名无关。
该软件注册成功后,注册信息存放在注册表的下面两个键值中:
HKEY_LOCAL_MACHINE\Software\Legendsoft\SysCleaner\RegCode
HKEY_LOCAL_MACHINE\Software\Legendsoft\SysCleaner\RegName
最后,我衷心祝愿与我认识的所有朋友春节快乐,天天开心;也祝愿 看雪论坛 在新的一年里人气越来越旺。
Crack by 飞鹰[BCG] flithawk@263.net 2002.2.9
欢迎光临汉化新世纪: http://www.hanzify.org