目标软件: DesktopX v1.0
下载地址: http://qiuyong.x168.net/image/talismandesktop/desktopx_1.0.htm
软件简介: DesktopX是一套革命性的桌面设置工具,用户可以往桌面上添加物件,它以物件的方式可完全的自定桌面,包括一切如:我的电脑、运行、开关机、垃圾箱、打开程序或文件夹等。通过这些物件的使用,用户可以创造一个非常活泼的独特的桌面。父母可以为孩子创建一个非常可爱活泼的适于孩子学习的桌面环境。
使用工具: TRW2000,FengMa's Toy Beta1
破解过程:
在某期封面酷酷的《软件王》光盘上找到一个挺有意思的软件,一试之下,觉得还挺不错的~~~
可是,软件每次启动的时候,总是拿屁股对着我!就算我唱“7654321歌”她都不买俺的帐,所以便有了下文:
Hmemcpy 设断,易来到:
LEA
ECX,[ESP+74]
PUSH BYTE +64
PUSH ECX
PUSH
DWORD 05B1
PUSH ESI
CALL EDI
LEA
EDX,[ESP+0C]
PUSH EDX
PUSH
DWORD 000F003F
PUSH BYTE +00
PUSH DWORD 00450580
PUSH
DWORD 80000002
CALL `ADVAPI32!RegOpenKeyExA`
//准备将注册信息写入注册表。
MOV EDI,[0044B140]
LEA
EAX,[ESP+10]
PUSH EAX
CALL
EDI
MOV EBX,[0044B000]
INC EAX
MOV
EDX,[ESP+0C]
LEA ECX,[ESP+10]
PUSH
EAX
PUSH ECX
PUSH BYTE +01
PUSH
BYTE +00
PUSH DWORD 00450E7C
PUSH
EDX
CALL EBX
LEA EAX,[ESP+74]
PUSH
EAX
CALL EDI
INC EAX
LEA
ECX,[ESP+74]
MOV EDX,[ESP+0C]
PUSH
EAX
PUSH ECX
PUSH BYTE +01
PUSH
BYTE +00
PUSH DWORD 00450E74
PUSH
EDX
CALL EBX
MOV EAX,[ESP+0C]
PUSH
EAX
CALL `ADVAPI32!RegCloseKey`
//关闭注册表。
CALL 0040DED0
//关键CALL,进入。
POP
EDI
POP EBX
TEST EAX,EAX
PUSH
BYTE +00
JZ 0040E0B9
PUSH
BYTE +01
PUSH DWORD 119E
PUSH ESI
CALL
`USER32!SendMessageA` //God job!
MOV
ECX,[0045AF44]
PUSH BYTE +01
PUSH
BYTE +00
PUSH DWORD 040D
PUSH ECX
CALL
`USER32!PostMessageA`
PUSH BYTE +01
PUSH
ESI
CALL `USER32!EndDialog`
XOR EAX,EAX
POP
ESI
ADD ESP,CC
RET
10
PUSH BYTE +02
PUSH DWORD 119E
PUSH
ESI
CALL `USER32!SendMessageA`
//Bad Cracker!
XOR EAX,EAX
POP
ESI
ADD ESP,CC
RET 10
SUB
ESP,D4
MOV AL,[00458E70]
PUSH
ESI
PUSH EDI
MOV [ESP+78],AL
MOV
ECX,18
XOR EAX,EAX
LEA
EDI,[ESP+79]
PUSH DWORD 004505C4
REP STOSD
STOSW
LEA ECX,[ESP+18]
PUSH ECX
STOSB
CALL `KERNEL32!lstrcpyA`
XOR ECX,ECX
MOV
EDX,ECX
AND EDX,80000001
JNS
0040DF12
DEC EDX
OR
EDX,BYTE -02
INC EDX
MOV AL,[ESP+ECX+14]
JZ
0040DF1C
ADD AL,0B
JMP
SHORT 0040DF1E
ADD AL,F9
MOV [ESP+ECX+14],AL
MOV
EAX,ECX
CDQ
MOV ESI,03
IDIV
ESI
MOV AL,[ESP+ECX+14]
ADD
AL,DL
MOV [ESP+ECX+14],AL
INC ECX
CMP
ECX,BYTE +06
JL 0040DF03
LEA
EAX,[ESP+08]
PUSH EAX
PUSH BYTE
+01
PUSH BYTE +00
PUSH DWORD 00450580
PUSH
DWORD 80000002
CALL `ADVAPI32!RegOpenKeyExA`
LEA
ECX,[ESP+10]
LEA EDX,[ESP+78]
PUSH
ECX
LEA EAX,[ESP+10]
PUSH
EDX
MOV EDX,[ESP+10]
PUSH EAX
LEA
ECX,[ESP+20]
PUSH BYTE +00
PUSH
ECX
PUSH EDX
MOV DWORD [ESP+28],64
MOV
DWORD [ESP+24],01
CALL `ADVAPI32!RegQueryvalueExA`
MOV
EAX,[ESP+08]
PUSH EAX
CALL
`ADVAPI32!RegCloseKey`
LEA ECX,[ESP+78]
PUSH
ECX
CALL 0040DC50
//进入。
ADD ESP,BYTE
+04
POP EDI
POP ESI
ADD
ESP,D4
RET
MOV
EAX,[ESP+04]
SUB ESP,A4
LEA
ECX,[ESP+3C]
PUSH EBX
PUSH EBP
PUSH
ESI
PUSH EAX
PUSH ECX
CALL
`KERNEL32!lstrcpyA`
LEA EDX,[ESP+48]
PUSH
EDX
CALL `MSVCRT!_strlwr`
//将序列号中的大写字符转换为小写。
MOV AL,[ESP+4C]
ADD
ESP,BYTE +04
CMP AL,64
JNZ
NEAR 0040DEBE
//序列号第一位不为“d”则 Game Over !
CMP BYTE [ESP+49],78
JNZ
NEAR 0040DEBE
//序列号第一位不为“x”则 Game Over !
MOV AL,[ESP+4A]
MOV
CL,[ESP+4B]
LEA EDX,[ESP+7C]
PUSH
EDI
PUSH EDX
MOV [ESP+84],AL
MOV
[ESP+85],CL
MOV BYTE [ESP+86],00
CALL
`MSVCRT!atoi`
//将序列号第三和第四位转换为十进制。
MOV CL,[ESP+56]
MOV
DL,[ESP+57]
MOV [ESP+4C],EAX
MOV
AL,[ESP+55]
MOV [ESP+41],CL
MOV
CL,[ESP+5A]
MOV [ESP+40],AL
MOV
AL,[ESP+58]
MOV [ESP+1C],CL
MOV
CL,[ESP+5D]
MOV [ESP+42],DL
MOV
DL,[ESP+5B]
MOV [ESP+43],AL
MOV
AL,[ESP+5C]
MOV [ESP+1F],CL
MOV
CL,[ESP+61]
MOV [ESP+1D],DL
MOV
DL,[ESP+5F]
MOV [ESP+1E],AL
MOV
AL,[ESP+60]
MOV EDI,[0044B140]
MOV
[ESP+2A],CL
MOV CL,[ESP+65]
MOV
[ESP+28],DL
MOV DL,[ESP+62]
MOV
[ESP+29],AL
MOV AL,[ESP+64]
ADD
ESP,BYTE +04
MOV [ESP+31],CL
MOV
[ESP+27],DL
MOV DL,[ESP+62]
MOV
[ESP+30],AL
MOV AL,[ESP+63]
LEA
ECX,[ESP+3C]
PUSH ECX
MOV BYTE [ESP+44],00
MOV
BYTE [ESP+20],00
MOV BYTE [ESP+2C],00
MOV
[ESP+36],DL
MOV [ESP+37],AL
MOV
BYTE [ESP+38],00
XOR EBP,EBP
XOR
ESI,ESI
CALL EDI
//循环的次数。
TEST
EAX,EAX
JNG 0040DD8B
MOVSX EAX,BYTE
[ESP+ESI+3C] //SN1的 Hex 依次送入 EAX。
SUB
EAX,BYTE +30 //减去0x30。
CMP
EAX,BYTE +09
//结果是否大于0x9.
JNG 0040DD78
//是就不做处理。
SUB
EAX,BYTE +27
//否则减 0x27。
LEA EDX,[EBP+EBP*8+00]
//EDX=EBP+EBP*8+0x0。
INC ESI
//ESI++。
LEA EBP,[EAX+EDX*2]
//EBP=EAX+EDX*2。
LEA EAX,[ESP+3C]
PUSH
EAX
CALL EDI
CMP ESI,EAX
JL
0040DD68
//没取完则向上循环。
LEA ECX,[ESP+18]
XOR
EBX,EBX
PUSH ECX
MOV [ESP+14],EBX
XOR
ESI,ESI
CALL EDI
TEST EAX,EAX
JNG
0040DDCA
JMP SHORT 0040DDA4
MOV
EBX,[ESP+10]
//ESP+0x10 处的值送回 EBX。
MOVSX EAX,BYTE [ESP+ESI+18]
//SN2的 Hex 依次送入 EAX。
SUB EAX,BYTE
+30 //减去0x30。
CMP
EAX,BYTE +09
//结果是否大于0x9.
JNG 0040DDB4
//是就不做处理。
SUB
EAX,BYTE +27
//否则减 0x27。
LEA EDX,[EBX+EBX*8]
//EDX=EBX+EBX*8。
LEA ECX,[ESP+18]
PUSH
ECX
INC ESI
//ESI++。
LEA
EAX,[EAX+EDX*2]
//EAX+=EDX*2。
MOV [ESP+14],EAX
//结果送到 ESP+0X14 处。
CALL EDI
CMP
ESI,EAX
JL 0040DDA0
//没取完则向上循环。
LEA
EDX,[ESP+24]
(下面还有几处类似的计算,略)
XOR EBX,EBX
PUSH
EDX
MOV [ESP+18],EBX
XOR ESI,ESI
CALL
EDI
TEST EAX,EAX
JNG 0040DE09
JMP
SHORT 0040DDE3
MOV EBX,[ESP+14]
MOVSX
EAX,BYTE [ESP+ESI+24]
SUB EAX,BYTE +30
CMP
EAX,BYTE +09
JNG 0040DDF3
SUB
EAX,BYTE +27
LEA ECX,[EBX+EBX*8]
INC
ESI
LEA EDX,[EAX+ECX*2]
LEA
EAX,[ESP+24]
PUSH EAX
MOV [ESP+18],EDX
CALL
EDI
CMP ESI,EAX
JL
0040DDDF
LEA ECX,[ESP+30]
XOR EBX,EBX
PUSH
ECX
XOR ESI,ESI
CALL EDI
TEST
EAX,EAX
JNG 0040DE3A
MOVSX EAX,BYTE
[ESP+ESI+30]
SUB EAX,BYTE +30
CMP EAX,BYTE
+09
JNG 0040DE28
SUB EAX,BYTE +27
LEA
EDX,[EBX+EBX*8]
INC ESI
LEA
EBX,[EAX+EDX*2]
LEA EAX,[ESP+30]
PUSH
EAX
CALL EDI
CMP ESI,EAX
JL
0040DE18
MOV EAX,[ESP+48]
//ESP+0x48 (即SN1 前两位的 ASC) 值送入 EAX。
MOV
ESI,[ESP+10] //ESP+0x10
处的值送入 ESI。
MOV ECX,[ESP+14]
//ESP+0x14 处的值送入 ECX。
SUB EBP,EAX
//EBP-=EAX。
SUB
ESI,EAX
//ESI-=EAX。
SUB ECX,EAX
//ECX-=EEAX。
SUB EBX,EAX
//EBX-=EAX。
MOV
EAX,EBP
//将 EBP 送入 EAX。
CDQ
MOV EDI,06
IDIV
EDI
//除以 0x6。
POP EDI
TEST EDX,EDX
JNZ
0040DEBE
//余数不为零就 Game Over !
AND ESI,80000003
//将 ESI 和 0x80000003 做与运算。
JNS
0040DE6A
//结果不为零就 Game Over !
DEC ESI
OR
ESI,BYTE -04
INC ESI
JNZ 0040DEBE
MOV
EAX,ECX
//ECX的值送入EAX。
MOV ESI,03
CDQ
IDIV
ESI
//除以 0x3。
TEST EDX,EDX
JNZ 0040DEBE
//余数不为零就 Game Over
!
MOV EAX,EBX
//将 EBX 的值 送入 EAX。
MOV ESI,05
CDQ
IDIV ESI
//除以 0x5。
TEST EDX,EDX
JNZ
0040DEBE
//余数不为零就 Game Over !
SHL EBP,10
//EBP<<=0x10。
MOV
ESI,03
LEA EAX,[ECX+EBP]
//EAX=ECX+EBP。
DIV ESI
//除以
0x3。
TEST EDX,EDX
JNZ 0040DEBE
//余数不为零就 Game Over !
TEST
BL,01
//BL 和 0x1 做与运算。
JNZ 0040DEBE
//结果不为零就 Game Over !
TEST
CL,03 //CL
和 0x3 做与运算。
JNZ 0040DEBE
//结果不为零就 Game Over !
LEA EAX,[EBX+EBP]
//EAX=EBX+EBP。
MOV
ECX,06
DIV ECX
//除以 0x6。
POP ESI
POP
EBP
POP EBX
MOV EAX,EDX
NEG
EAX
//余数不为零就 Game Over !
SBB EAX,EAX
INC
EAX
ADD ESP,A4
RET
POP ESI
POP EBP
XOR
EAX,EAX
POP EBX
ADD ESP,A4
RET
总结一下:
合法的序列号应满足如下条件:
(1):序列号和用户名无关;
(2):序列号至少为 24 位,且前两位必须为“dx”,记为:dxPQ*SN1*SN2*SN3*SN4;
(3):(SN1 - PQ) MOD 6 = 0;
(4):(SN2 - PQ) AND &H80000003& = 0;
(5):(SN3 - PQ)MOD 3 = 0;
(6):((SN1 * 2^16)+(SN3 - PQ)) MOD 3 = 0;
(7):(SN3 MOD 256)AND 3 = 0;
(8):(SN4 - PQ) MOD 5= 0;
(9):((SN1 * 2^16)+(SN4 - PQ))MOD 6= 0;
(A):(SN4 MOD 256) AND 1 = 0;
写完破解纪录之后用 Fengma's Toy beta1 删掉前面的地址,这样初学者朋友看破文就不会偷懒了~~:)
然后据此写出注册机:
Dim
EAX1 As Integer
Dim EAX2 As Integer
Dim EAX3 As Integer
Dim EAX4 As Integer
Dim
EBX2 As Integer
Dim EBX3 As Integer
Dim EBX4 As Integer
Dim ECX3 As Integer
Dim
EDX1 As Integer
Dim EDX2 As Integer
Dim EDX4 As Integer
Dim EBP1 As Integer
Dim
Temp_A As Integer
Dim Temp_B As Integer
Dim Condition_A As Integer
Dim
Condition_B As Integer
Dim Condition_C As Integer
Dim Condition_D As Integer
Dim
Condition_E As Integer
Dim Condition_F As Integer
Dim Condition_G As Integer
Dim
SN_A As String
Dim SN_B As String
Dim SN_C As String
Dim SN_D As String
Dim
SHL As Double
Dim EAX31 As Double
Dim EAX41 As Double
Private
Sub Command1_Click()
About_message = MsgBox("This keygen made by
fengma(fengma@2911.net) !", 4096 + vbExclamation, "About...")
End
Sub
Private Sub Command2_Click()
If
Len(Text1.Text) < 2 Then
message_enter_name = MsgBox("Use a
name at least 2 Chars long , please !", 4096 + vbExclamation, "Information")
Exit Sub
End If
If Command2.Caption = "Get Now !" Then
Randomize
Dim
Data()
Dim SN1_(4), SN2_(4), SN3_(4), SN4_(4) As String
Data = Array("1",
"2", "3", "4", "5", "6", "7",
"8", "9", "0", "q", "w", "e",
"r", "t", "y", "u", "i", "o",
"p", "a", "s", "d", "f", "g",
"h", "j", "k", "l", "z", "x",
"c", "v", "b", "n", "m")
Do
SN_B
= ""
EBX2 = 0
For i = 1 To 4
SN2_(i) = Data(Int(Rnd
* 36))
EAX2 = Asc(SN2_(i)) - 48
If EAX2 > 9 Then
EAX2 = EAX2 - 39
End If
EDX2 =
EBX2 + EBX2 * 8
EBX2 = EAX2 + EDX2 * 2
SN_B = SN_B & SN2_(i)
Next
i
Condition_B = (EBX2 - 10) And &H80000003
Loop While Condition_B <>
0
Do
SN_A = ""
EBP1
= 0
For i = 1 To 4
SN1_(i) = Data(Int(Rnd * 36))
EAX1 =
Asc(SN1_(i)) - 48
If EAX1 > 9 Then
EAX1
= EAX1 - 39
End If
EDX1 = EBP1 + EBP1 * 8
EBP1
= EAX1 + EDX1 * 2
SN_A = SN_A & SN1_(i)
Next i
Condition_A
= (EBP1 - 10) Mod 6
SN_C
= ""
EBX3 = 0
For i = 1 To 4
SN3_(i) = Data(Int(Rnd
* 36))
EAX3 = Asc(SN3_(i)) - 48
If EAX3 > 9 Then
EAX3 = EAX3 - 39
End If
ECX3 =
EBX3 + EBX3 * 8
EBX3 = EAX3 + ECX3 * 2
SN_C = SN_C & SN3_(i)
Next
i
Condition_C = (EBX3 - 10) Mod 3
SHL
= (EBP1 - 10) * 2 ^ 16
EAX_31 = SHL + (EBX3 - 10)
Do
If
EAX_31 > 4294967296# Then
EAX_31 = EAX_31 - 4294967296#
End If
Loop
While EAX_31 > 4294967296#
Temp_A
= 0
For i = 1 To Len(EAX_31)
Temp_A = Temp_A + Asc(Mid$(EAX_31, i,
1)) - 48
Next i
Condition_D = Temp_A Mod 3
Condition_E = ((EBX3 - 10) Mod 256) And 3
SN_D
= ""
EBX4 = 0
For i = 1 To 4
SN4_(i) = Data(Int(Rnd
* 36))
EAX4 = Asc(SN4_(i)) - 48
If EAX4 > 9 Then
EAX4 = EAX4 - 39
End If
EDX4 =
EBX4 + EBX4 * 8
EBX4 = EAX4 + EDX4 * 2
SN_D = SN_D & SN4_(i)
Next
i
Condition_F = (EBX4 - 10) Mod 5
EAX_41 = SHL + (EBX4 - 10)
Do
If
EAX_41 >= 4294967296# Then
EAX_41 = EAX_41 - 4294967296#
End If
Loop
While EAX_41 >= 4294967296#
Temp_B
= 0
For i = 1 To Len(EAX_41)
Temp_B = Temp_B + Asc(Mid$(EAX_41, i,
1)) - 48
Next i
Condition_G = Temp_B Mod 2
Condition_H = Temp_B Mod 3
Condition_I = ((EBX4 - 10) Mod 256) And 1
Loop While Condition_A + Condition_C + Condition_D + Condition_E + Condition_F + Condition_G + Condition_H + Condition_I <> 0
Text2.Text = "DX10-" & UCase(SN_A) & "-" & UCase(SN_B) & "-" & UCase(SN_C) & "-" & UCase(SN_D)
With
Command2
.Font = Tahoma
.Caption = "Bye !"
End With
Else
End
End If
End Sub
fengma[FCG]
Cracked