Download page: http://www.skycn.com/soft/11000.html
File size: 914 KB
Language: Simplified Chinese
Category: Domestic software / Shareware / Chat tools
Platform: Win9x/NT/2000/XP
Added: 2003-02-22 11:17:17
Downloads: 2232
Rating: ***
Developer: http://piaoxue666.51.net/
[Software description]: This is the best LAN instant-messaging tool around today: a LAN edition of QQ with all of QQ's functions plus some enhancements. It makes exchanging information inside a LAN very convenient, far more so than an internal phone call.
1. PXQQ's original WYSIWYG messaging lets you send what-you-see-is-what-you-get messages, including pictures, sounds, Word documents and more, and supports very large file transfers. Fast and very powerful; try it and see!
2. No relay station or server is needed: open the program and you immediately see who is online. They also know you have arrived, unless you logged in invisible.
3. File transfer, so no more shared folders. Safe and fast!
4. Changeable skins, and making your own is very easy.
5. Read receipts: when you send a message with "request receipt" ticked, the recipient automatically sends a receipt back once the message has been read.
6. Messenger service: uses the Win2000 Messenger service to send the other side a forced notification, for when the other side does not have PXQQ open. (Not supported on Win98.)
7. LAN scanning: see every user on the LAN, their IP, and whether they are online.
8. Blacklist: when you do not want someone's messages, kick them onto the blacklist. When you want their messages again, remember to add them as a friend.
9. Quick pasting of canned phrases, which you can add to and edit as needed.
10. Built-in voice chat with quality comparable to a landline call.
11. If you do not mind the hassle, it can be set up as "system".
[Limitation]: 8 trial runs.
[Author's note]: I am a beginner at cracking, doing this purely out of interest and for no other purpose. Please point out any mistakes!
[Tools used]: TRW2000 (娃娃 modified build), OllyDbg 1.09, PEiD, W32Dasm 10 (modified build)
—————————————————————————————————
[Process]:
Heh, one look at the registration prompt on startup and I knew I had run into another Softsentry-packed program. This time the author put in some effort: rather than simply using the stock settings, the lengths were increased, string_1 to 20 characters and string_2 to 15. But the basic algorithm flow of this packer cannot change much, so, heh, Let's Go!
ID: 95065
Name: fly
Unit: 【OCN】
Trial code: 1234567890ABCDEFGHIJ1234567890KLMNOPQRSTU
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059AC05(C)
|
:0059AC5F A1546C5A00              mov eax, dword ptr [005A6C54]
:0059AC64 25FFFF0000              and eax, 0000FFFF
:0059AC69 0F849B010000            je 0059AE0A
:0059AC6F 85C0                    test eax, eax
:0059AC71 0F8E1A020000            jle 0059AE91
:0059AC77 83F802                  cmp eax, 00000002
:0059AC7A 0F8F11020000            jg 0059AE91
:0059AC80 8B35F46B5A00            mov esi, dword ptr [005A6BF4]
====> ESI=[005A6BF4]=k(8^do586%hkf_,|5865
:0059AC86 83C9FF                  or ecx, FFFFFFFF
:0059AC89 8BFE                    mov edi, esi
:0059AC8B 33C0                    xor eax, eax
:0059AC8D F2                      repnz
:0059AC8E AE                      scasb
:0059AC8F F7D1                    not ecx
:0059AC91 83C1FE                  add ecx, FFFFFFFE
:0059AC94 6683F9FF                cmp cx, FFFF
:0059AC98 7422                    je 0059ACBC
:0059AC9A 6685C9                  test cx, cx
:0059AC9D 7C17                    jl 0059ACB6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059ACB4(C)
|
:0059AC9F 0FBFC1                  movsx eax, cx
:0059ACA2 8A1430                  mov dl, byte ptr [eax+esi]
====> DL = the characters of k(8^do586%hkf_,|5865, taken one at a time in reverse order!
:0059ACA5 80FA3F                  cmp dl, 3F
:0059ACA8 7406                    je 0059ACB0
:0059ACAA 3A540420                cmp dl, byte ptr [esp+eax+20]
====> Compared one at a time, in reverse order, with the first 20 characters of the trial code, 1234567890ABCDEFGHIJ!
:0059ACAE 7506                    jne 0059ACB6
====> If they differ, it jumps and it's OVER! I simply NOPed it so it stops jumping ^-^ ^-^

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059ACA8(C)
|
:0059ACB0 49                      dec ecx
:0059ACB1 6685C9                  test cx, cx
:0059ACB4 7DE9                    jge 0059AC9F
====> Loops over the first 20 characters, checking each one! A single mismatch and it's OVER!
I. ====> So the first 20 characters of the registration code = k(8^do586%hkf_,|5865

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0059AC9D(C), :0059ACAE(C)
|
:0059ACB6 6683F9FF                cmp cx, FFFF
:0059ACBA 7508                    jne 0059ACC4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059AC98(C)
|
:0059ACBC C744241401000000        mov [esp+14], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059ACBA(C)
|
:0059ACC4 8B3DD46B5A00            mov edi, dword ptr [005A6BD4]
====> EDI=[005A6BD4]=5697|ogj56+&123
:0059ACCA 83C9FF                  or ecx, FFFFFFFF
:0059ACCD 33C0                    xor eax, eax
:0059ACCF F2                      repnz
:0059ACD0 AE                      scasb
:0059ACD1 F7D1                    not ecx
:0059ACD3 49                      dec ecx
:0059ACD4 8D7C2420                lea edi, dword ptr [esp+20]
====> EDI=[esp+20]=1234567890KLMNOPQRSTU
:0059ACD8 8BE9                    mov ebp, ecx
:0059ACDA 83C9FF                  or ecx, FFFFFFFF
:0059ACDD F2                      repnz
:0059ACDE AE                      scasb
:0059ACDF F7D1                    not ecx
:0059ACE1 49                      dec ecx
:0059ACE2 2BCD                    sub ecx, ebp
:0059ACE4 6685C9                  test cx, cx
:0059ACE7 7E32                    jle 0059AD1B
:0059ACE9 33F6                    xor esi, esi
:0059ACEB 6685ED                  test bp, bp
:0059ACEE 7E22                    jle 0059AD12

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059AD10(C)
|
:0059ACF0 8B15D46B5A00            mov edx, dword ptr [005A6BD4]
====> EDX=5697|ogj56+&123
:0059ACF6 0FBFC6                  movsx eax, si
:0059ACF9 8A1410                  mov dl, byte ptr [eax+edx]
====> DL = the characters of 5697|ogj56+&123, taken one at a time!
:0059ACFC 80FA3F                  cmp dl, 3F
:0059ACFF 740B                    je 0059AD0C
:0059AD01 0FBFF9                  movsx edi, cx
:0059AD04 03F8                    add edi, eax
:0059AD06 3A543C20                cmp dl, byte ptr [esp+edi+20]
====> Compared one at a time with the last 15 characters of the trial code, 7890KLMNOPQRSTU!
:0059AD0A 7506                    jne 0059AD12
====> If they differ, it jumps and it's OVER! I simply NOPed it so it stops jumping ^-^ ^-^

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059ACFF(C)
|
:0059AD0C 46                      inc esi
:0059AD0D 663BF5                  cmp si, bp
:0059AD10 7CDE                    jl 0059ACF0
====> Loops over the last 15 characters, checking each one! A single mismatch and it's OVER!
II. ====> So the last 15 characters of the registration code = 5697|ogj56+&123

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0059ACEE(C), :0059AD0A(C)
|
:0059AD12 663BF5                  cmp si, bp
:0059AD15 7504                    jne 0059AD1B
:0059AD17 FF442414                inc [esp+14]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0059ACE7(C), :0059AD15(C)
|
:0059AD1B 837C241402              cmp dword ptr [esp+14], 00000002
:0059AD20 740A                    je 0059AD2C
:0059AD22 B8FEFFFFFF              mov eax, FFFFFFFE
:0059AD27 E941010000              jmp 0059AE6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059AD20(C)
|
:0059AD2C 8B3DF46B5A00            mov edi, dword ptr [005A6BF4]
:0059AD32 83C9FF                  or ecx, FFFFFFFF
:0059AD35 33C0                    xor eax, eax
:0059AD37 F2                      repnz
:0059AD38 AE                      scasb
:0059AD39 8B3DD46B5A00            mov edi, dword ptr [005A6BD4]
:0059AD3F F7D1                    not ecx
:0059AD41 49                      dec ecx
:0059AD42 8D740C20                lea esi, dword ptr [esp+ecx+20]
:0059AD46 83C9FF                  or ecx, FFFFFFFF
:0059AD49 F2                      repnz
:0059AD4A AE                      scasb
:0059AD4B F7D1                    not ecx
:0059AD4D 49                      dec ecx
:0059AD4E 8BD6                    mov edx, esi
:0059AD50 2BD1                    sub edx, ecx
:0059AD52 8BFE                    mov edi, esi
:0059AD54 83C9FF                  or ecx, FFFFFFFF
:0059AD57 F2                      repnz
:0059AD58 AE                      scasb
:0059AD59 F7D1                    not ecx
:0059AD5B 49                      dec ecx
:0059AD5C 88040A                  mov byte ptr [edx+ecx], al
:0059AD5F 8BCE                    mov ecx, esi
====> ECX=123456, heh, the middle 6 digits of the trial code!
:0059AD61 E84A5B0000              call 005A08B0
====> Checks whether those middle digits are numeric?
:0059AD66 85C0                    test eax, eax
:0059AD68 750A                    jne 0059AD74
====> If not numeric, no jump, and it's OVER!
:0059AD6A B8FDFFFFFF              mov eax, FFFFFFFD
:0059AD6F E9F9000000              jmp 0059AE6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059AD68(C)
|
:0059AD74 BA64315A00              mov edx, 005A3164
====> EDX=0604, heh, supplied by the program itself!
:0059AD79 8BCE                    mov ecx, esi
====> ECX=123456, heh, the middle 6 digits of the trial code!
:0059AD7B E8705B0000              call 005A08F0
====> Checks again whether 123456 is numeric? If not: "invalid digital number!". It also converts 123456 into its hexadecimal value!
:0059AD80 8BF8                    mov edi, eax
====> EDI=0001E240(H)=123456(D)
:0059AD82 66A1546C5A00            mov ax, word ptr [005A6C54]
:0059AD88 663D0100                cmp ax, 0001
:0059AD8C 7546                    jne 0059ADD4
:0059AD8E 66A1FA6B5A00            mov ax, word ptr [005A6BFA]
:0059AD94 8B15006C5A00            mov edx, dword ptr [005A6C00]
:0059AD9A 33C9                    xor ecx, ecx
:0059AD9C 8ACC                    mov cl, ah
:0059AD9E 25FF000000              and eax, 000000FF
:0059ADA3 8BF1                    mov esi, ecx
:0059ADA5 8BC8                    mov ecx, eax
:0059ADA7 E854FBFFFF              call 0059A900
:0059ADAC 8B15FC6B5A00            mov edx, dword ptr [005A6BFC]
:0059ADB2 03F8                    add edi, eax
:0059ADB4 6685F6                  test si, si
:0059ADB7 7504                    jne 0059ADBD
:0059ADB9 33C9                    xor ecx, ecx
:0059ADBB EB03                    jmp 0059ADC0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059ADB7(C)
|
:0059ADBD 8D4E01                  lea ecx, dword ptr [esi+01]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059ADBB(U)
|
:0059ADC0 E83BFBFFFF              call 0059A900
:0059ADC5 8BC8                    mov ecx, eax
:0059ADC7 85C9                    test ecx, ecx
:0059ADC9 7438                    je 0059AE03
:0059ADCB 8BC7                    mov eax, edi
:0059ADCD 99                      cdq
:0059ADCE F7F9                    idiv ecx
:0059ADD0 8BC2                    mov eax, edx
:0059ADD2 EB27                    jmp 0059ADFB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059AD8C(C)
|
:0059ADD4 663D0200                cmp ax, 0002
:0059ADD8 7529                    jne 0059AE03
:0059ADDA 8B15FC6B5A00            mov edx, dword ptr [005A6BFC]
====> EDX=[005A6BFC]=564g5fiofj9&^6kfd
:0059ADE0 A1006C5A00              mov eax, dword ptr [005A6C00]
====> EAX=[005A6C00]=dkjfkdu5f2g445]
:0059ADE5 8B0D386D5A00            mov ecx, dword ptr [005A6D38]
====> ECX=[005A6D38]=17359(H)=95065(D), heh, my ID number
:0059ADEB 52                      push edx
:0059ADEC 668B15FA6B5A00          mov dx, word ptr [005A6BFA]
:0059ADF3 50                      push eax
:0059ADF4 E897FBFFFF              call 0059A990
====> The algorithm CALL! It produces the EAX value below. Step in!
:0059ADF9 2BC7                    sub eax, edi
====> EAX=5DECC - 1E240=3FC8C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059ADD2(U)
|
:0059ADFB 85C0                    test eax, eax
====> Is the difference 0? That is, are the two parts above equal?
III. ====> So the middle part of the registration code = 5DECC(H)=384716(D)
:0059ADFD 0F848E000000            je 0059AE91
====> If not 0, no jump, and it's OVER!
:0059B013 FF1500725A00            call dword ptr [005A7200]
====> BAD BOY!
—————————————————————————————————
Entering the algorithm CALL: 59ADF4 call 0059A990

* Referenced by a CALL at Addresses:
|:0059ADF4 , :0059B1DA
|
:0059A990 53                      push ebx
:0059A991 56                      push esi
:0059A992 668BDA                  mov bx, dx
:0059A995 8BF1                    mov esi, ecx
:0059A997 8B54240C                mov edx, dword ptr [esp+0C]
====> EDX=[esp+0C]=dkjfkdu5f2g445]
:0059A99B 8ACB                    mov cl, bl
:0059A99D 57                      push edi
:0059A99E 81E1FF000000            and ecx, 000000FF
:0059A9A4 E857FFFFFF              call 0059A900
====> Computes on the program-supplied dkjfkdu5f2g445] to produce the EAX value below! Step in!
:0059A9A9 8B542414                mov edx, dword ptr [esp+14]
====> EDX=dkjfkdu5f2g445]
:0059A9AD 8BF8                    mov edi, eax
====> EDI=EAX=1B86B, the value the CALL above computed from dkjfkdu5f2g445]!
:0059A9AF 33C0                    xor eax, eax
:0059A9B1 8AC7                    mov al, bh
:0059A9B3 6685C0                  test ax, ax
:0059A9B6 7512                    jne 0059A9CA
====> Jumps down!
:0059A9B8 33C9                    xor ecx, ecx
:0059A9BA E841FFFFFF              call 0059A900
:0059A9BF 03FE                    add edi, esi
:0059A9C1 0FAFC7                  imul eax, edi
:0059A9C4 5F                      pop edi
:0059A9C5 5E                      pop esi
:0059A9C6 5B                      pop ebx
:0059A9C7 C20800                  ret 0008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059A9B6(C)
|
:0059A9CA 8D4801                  lea ecx, dword ptr [eax+01]
====> EAX=63
:0059A9CD E82EFFFFFF              call 0059A900
====> Computes on the program-supplied 564g5fiofj9&^6kfd to produce the EAX value below! The computation here follows the same flow as the call 0059A900 at 59A9A4, only with different parameters, so I won't record it again. The loop yields EAX=2B308
:0059A9D2 03C7                    add eax, edi
====> EAX=2B308 + 1B86B=46B73
:0059A9D4 03C6                    add eax, esi
====> EAX=46B73 + 17359=5DECC
Heh, convert the result 5DECC(H) into decimal, 384716(D), and that is the middle part of the registration code!
:0059A9D6 5F                      pop edi
:0059A9D7 5E                      pop esi
:0059A9D8 5B                      pop ebx
:0059A9D9 C20800                  ret 0008
—————————————————————————————————
Entering the key CALL: 59A9A4 call 0059A900

* Referenced by a CALL at Addresses:
|:0059A9A4 , :0059A9BA , :0059A9CD , :0059ADA7 , :0059ADC0
|
:0059A900 53                      push ebx
:0059A901 8BDA                    mov ebx, edx
====> EBX=EDX=dkjfkdu5f2g445]
:0059A903 56                      push esi
:0059A904 8BF1                    mov esi, ecx
====> ESI=ECX=31
:0059A906 85DB                    test ebx, ebx
:0059A908 7472                    je 0059A97C
:0059A90A 803B00                  cmp byte ptr [ebx], 00
:0059A90D 746D                    je 0059A97C
:0059A90F 57                      push edi
:0059A910 8BFB                    mov edi, ebx
:0059A912 83C9FF                  or ecx, FFFFFFFF
:0059A915 33C0                    xor eax, eax
:0059A917 F2                      repnz
:0059A918 AE                      scasb
:0059A919 F7D1                    not ecx
:0059A91B 49                      dec ecx
====> ECX=F, the length of dkjfkdu5f2g445]
:0059A91C 6685F6                  test si, si
:0059A91F 7443                    je 0059A964
:0059A921 6683FE01                cmp si, 0001
:0059A925 743D                    je 0059A964
:0059A927 81E6FFFF0000            and esi, 0000FFFF
:0059A92D 8BC6                    mov eax, esi
:0059A92F 99                      cdq
:0059A930 F7F9                    idiv ecx
====> EDX=31 % F=4
:0059A932 0FBE041A                movsx eax, byte ptr [edx+ebx]
====> EAX=6B, i.e. the hex value of the 5th character, k
:0059A936 0FAFC6                  imul eax, esi
====> EAX=6B * 31=147B
:0059A939 0FAFC2                  imul eax, edx
====> EAX=147B * 4=51EC
:0059A93C 03C1                    add eax, ecx
====> EAX=51EC + F=51FB
:0059A93E 33D2                    xor edx, edx
:0059A940 85C9                    test ecx, ecx
:0059A942 7E16                    jle 0059A95A
:0059A944 8BF9                    mov edi, ecx
:0059A946 2BFE                    sub edi, esi
====> EDI=F - 31=FFFFFFDE
:0059A948 83C76F                  add edi, 0000006F
====> EDI=FFFFFFDE + 6F=4D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059A958(C)
|
:0059A94B 0FBE341A                movsx esi, byte ptr [edx+ebx]
====> Takes the hex value of each character of dkjfkdu5f2g445] in turn
:0059A94F 0FAFF7                  imul esi, edi
1. ====> ESI=64 * 4D=1E14
2. ====> ESI=6B * 4C=1FC4
3. ====> ESI=6A * 4B=1F0E
...... (omitted) ......
15. ====> ESI=5D * 3F=16E3
:0059A952 03C6                    add eax, esi
1. ====> EAX=51FB + 1E14=700F
2. ====> EAX=700F + 1FC4=8FD3
3. ====> EAX=8FD3 + 1F0E=AEE1
...... (omitted) ......
15. ====> EAX=1A188 + 16E3=1B86B
:0059A954 42                      inc edx
:0059A955 4F                      dec edi
====> EDI decreases by 1 each pass
:0059A956 3BD1                    cmp edx, ecx
:0059A958 7CF1                    jl 0059A94B
====> Loops 15 times

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059A942(C)
|
:0059A95A 85C0                    test eax, eax
:0059A95C 7D1A                    jge 0059A978
:0059A95E 5F                      pop edi
:0059A95F 5E                      pop esi
:0059A960 F7D8                    neg eax
:0059A962 5B                      pop ebx
:0059A963 C3                      ret
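The routine at 0059A900 rewritten in Python from the listing above, as an added example (not the program's own source), so the per-pass ESI/EAX values and the final 1B86B recorded in the trace can be re-derived rather than taken on trust. The function names are my own, and the early-exit paths at 0059A964 and 0059A97C are not on the listing, so inputs that would take them are refused instead of guessed.

```python
def _i32(x: int) -> int:
    """Interpret x as a signed 32-bit register value (wraps like EAX/EDI)."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def _sbyte(b: int) -> int:
    """movsx loads the byte sign-extended, so 0x80..0xFF read as negative."""
    return b - 256 if b & 0x80 else b


def trace_0059A900(s: str, m: int) -> list:
    """Run the loop at 0059A94B..0059A958 and return (ESI, EAX) after each pass.

    s is the NUL-terminated string passed in EDX, m the 16-bit count in CX.
    (Assumed names; the listing gives the routine no symbol.)
    """
    data = s.encode("ascii")
    n = len(data)                      # repnz scasb; not ecx; dec ecx -> strlen
    m &= 0xFFFF                        # and esi, 0000FFFF
    if n == 0 or m in (0, 1):          # je 0059A97C / je 0059A964: not on the listing
        raise ValueError("path not covered by the listing")
    r = m % n                          # cdq; idiv ecx -> EDX = CX mod strlen
    eax = _i32(_sbyte(data[r]) * m * r + n)   # imul esi; imul edx; add ecx
    edi = _i32(n - m + 0x6F)           # mov edi,ecx; sub edi,esi; add edi,6F
    steps = []
    for b in data:                     # edx counts 0 .. strlen-1
        esi = _i32(_sbyte(b) * edi)    # movsx esi,[edx+ebx]; imul esi,edi
        eax = _i32(eax + esi)          # add eax, esi
        steps.append((esi, eax))
        edi -= 1                       # dec edi
    return steps


def checksum_0059A900(s: str, m: int) -> int:
    """Value left in EAX on return: the loop result, negated if it went negative."""
    eax = trace_0059A900(s, m)[-1][1]
    return -eax if eax < 0 else eax    # test eax,eax / jge 0059A978 ; neg eax


if __name__ == "__main__":
    # Inputs taken from the trace: the vendor string and CX=31.
    for i, (esi, eax) in enumerate(trace_0059A900("dkjfkdu5f2g445]", 0x31), 1):
        print(f"{i:2d}. ESI={esi:X}  EAX={eax:X}")
    print(f"result={checksum_0059A900('dkjfkdu5f2g445]', 0x31):X}")
```

The per-pass values match the trace (700F, 8FD3, AEE1, ... 1B86B); the second call at 0059A9CD, which the author did not record step by step, can be checked the same way with its own string and count.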
—————————————————————————————————
[Algorithm summary]:
Because the author made quite a few changes, there are some parameters I could not verify and could only roughly guess at; they may be inexact.
I. The first 20 characters of the registration code are fixed: k(8^do586%hkf_,|5865
II. The last 15 characters of the registration code are fixed: 5697|ogj56+&123
III. Computing the middle digits of the registration code:
1. Take the system code 95065 and convert it to hexadecimal: 17359(H)
2. 17359 + 46B73 = 5DECC (46B73 being the sum 2B308 + 1B86B of the two values the algorithm CALL computes from the program's own strings)
Convert the result 5DECC(H) to decimal, 384716(D), and that is the middle part of my registration code!
—————————————————————————————————
[Where the registration info is saved]:
1. In the registry:
REGEDIT4
[HKEY_CLASSES_ROOT\{7YTg0oKAVm}]
@="NUQ=%!!5!#Q!3!!)!.!#U!$5Q.4)U!!!!!!\"=R1!!>`^L+$B?:']V/$9F;'NGN8SR].4AW.4-Y.$=R.D5W/4>]<W>K.49L*D%S-Q!!!!!!!!!!!!!#!!!!!!!!N!!!!!!!'!.-(\"!!&!!M!%A!#!$1!N!!!!!)!!!!!!!!!!-%.1Q&G<(E!-$%!3!!!!!!!!!!!!!!!!!!!!!!!!"
2. Also in the registry:
REGEDIT4
[HKEY_CLASSES_ROOT\SystemAppIDs]
@="N\"!!!!!!!!!\"\\<WZ63E&:=T-W?8V\\2V\".3'6K17.%-(V\\=X.Y6F:D75N8:XV\\-.VF5:T\"P3U&7<8U!"
3. The file access.ctl under C:\WINDOWS\SYSTEM.
One thing I don't understand: every Softsentry 3.0-packed program stores its registration info this way, so what happens when several registered Softsentry 3.0-packed programs are installed on one system?!
—————————————————————————————————
[Summary]:
ID: 95065
Name: fly (heh, the name and unit take no part in the computation and can be anything)
Unit: 【OCN】
Registration code: k(8^do586%hkf_,|58653847165697|ogj56+&123
—————————————————————————————————
Cracked by fly【OCN】, 巢水工作坊
2003-4-12 0:30