下载页面: http://www.skycn.com/soft/11652.html
软件大小:
468 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 开关定时
应用平台: Win9x/NT/2000/XP
加入时间:
2003-04-15 14:33:11
下载次数: 368
推荐等级: ***
开 发 商: http://www.truethink.net/
【软件简介】:“创想游戏控制器软件”是为了防止未成年人过度沉溺于游戏之中以致耽误学习和影响身体而开发的一款软件。它主要具备两大功能。一、监控游戏的功能;二、终止游戏的功能。监控功能主要是让家长了解小孩一天到底在电脑中玩了哪些游戏,分别玩了多久,什么时候开始玩的,什么时候退出的,等等。终止功能主要是电脑自动根据家长的设置,对游戏在玩到一定时间后进行终止,如设置今天只允许玩半个小时,则开始玩游戏半个小时后,电脑将自动关闭游戏。而且当天就不允许再玩。“创想游戏控制器软件”的推出,彻底解决了学生沉溺于电脑游戏而耽误学习和影响身体的不良弊端。
【软件限制】:功能限制。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、UnAspacka、GUW32、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
安装后主文件 sgame.exe 放在 C:\WINDOWS\SYSTEM\ 目录下。
无壳,VC++ 6.0 编写。
呵呵,程序比较简单,只是做 完美爆破 时想了会儿才搞定的。
机器码:33050A7B
试炼码:13572468
—————————————————————————————————
* Reference To: MFC42.Ordinal:18BE, Ord:18BEh
|
:00404986 E863610000 Call
0040AAEE
:0040498B 51
push ecx
:0040498C 8D8664010000
lea eax, dword ptr [esi+00000164]
:00404992 8BCC
mov ecx, esp
:00404994
89642408 mov dword ptr
[esp+08], esp
:00404998 50
push eax
*
Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00404999
E8E6610000 Call 0040AB84
:0040499E
B9141D4100 mov ecx, 00411D14
:004049A3
E868FCFFFF call 00404610
====>关键CALL!进入!
:004049A8
85C0 test
eax, eax
:004049AA 741D
je 004049C9
====>跳则OVER!
:004049AC 6A40 push 00000040
* Possible
StringData Ref from Data Obj ->"提示信息"
|
:004049AE 6898104100 push
00411098
* Possible
StringData Ref from Data Obj ->"注册成功!"
====>呵呵,胜利女神!
:004049B3 689C144100
push 0041149C
:004049B8 8BCE
mov ecx,
esi
* Reference To:
MFC42.Ordinal:1080, Ord:1080h
|
:004049BA
E853610000 Call 0040AB12
:004049BF
8BCE mov
ecx, esi
* Reference
To: MFC42.Ordinal:12F5, Ord:12F5h
|
:004049C1
E852610000 Call 0040AB18
:004049C6
5E pop
esi
:004049C7 59
pop ecx
:004049C8 C3
ret
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049AA(C)
|
:004049C9
6A10 push
00000010
* Possible
StringData Ref from Data Obj ->"提示信息"
|
:004049CB 6898104100 push
00411098
* Possible
StringData Ref from Data Obj ->"注册失败: 注册码不正确,请检查是否输入有误。"
====>BAD BOY!
:004049D0 686C144100
push 0041146C
:004049D5 8BCE
mov ecx, esi
*
Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004049D7
E836610000 Call 0040AB12
:004049DC
5E pop
esi
:004049DD 59
pop ecx
:004049DE C3
ret
—————————————————————————————————
进入关键CALL:004049A3 call 00404610
*
Referenced by a CALL at Address:
|:004049A3
|
:00404610 6AFF
push FFFFFFFF
:00404612
68D8B84000 push 0040B8D8
:00404617
64A100000000 mov eax, dword ptr fs:[00000000]
:0040461D
50 push
eax
:0040461E 64892500000000 mov dword ptr
fs:[00000000], esp
:00404625 51
push ecx
:00404626 53
push ebx
:00404627 8D442404
lea eax, dword ptr [esp+04]
:0040462B
C744241000000000 mov [esp+10], 00000000
:00404633
50 push
eax
:00404634 E827FDFFFF call
00404360
====>算法CALL!进入!
:00404639
8B00 mov
eax, dword ptr [eax]
====>EAX=231C6021
注册码
:0040463B
8B4C2418 mov ecx, dword
ptr [esp+18]
====>ECX=13572468
试炼码
:0040463F
50 push
eax
:00404640 51
push ecx
*
Reference To: MSVCRT._mbscmp, Ord:0159h
|
:00404641
FF15A8D34000 Call dword ptr [0040D3A8]
====>比较CALL!_mbscmp 把用户输入与程序在本机算出的完整注册码做明文字符串比较;正确注册码因此会完整出现在进程内存中,这是此类纯本地校验方案的根本弱点。
:00404647
83C408 add esp,
00000008
:0040464A 8D4C2404
lea ecx, dword ptr [esp+04]
:0040464E 85C0
test eax, eax
====>爆破点 ①
:00404650
0F94C3 sete bl
====>设置BL值
*
Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00404653
E860640000 Call 0040AAB8
:00404658
84DB test
bl, bl
:0040465A 5B
pop ebx
:0040465B 743C
je 00404699
====>跳则OVER!
:0040465D
8B542414 mov edx, dword
ptr [esp+14]
====>爆破点 ②
:00404661 52 push edx
* Possible StringData
Ref from Data Obj ->"RegisterCode"
|
:00404662 685C144100 push
0041145C
* Possible
StringData Ref from Data Obj ->"TrueThink"
|
:00404667 6858114100
push 00411158
*
Reference To: KERNEL32.WriteProfileStringA, Ord:02EDh
|
:0040466C FF1570D04000 Call
dword ptr [0040D070]
====>保存注册信息!(WriteProfileStringA 把 RegisterCode 以明文写入 Win.ini 的 [TrueThink] 节)
:00404672
8D4C2414 lea ecx, dword
ptr [esp+14]
:00404676 C744240CFFFFFFFF mov [esp+0C],
FFFFFFFF
* Reference
To: MFC42.Ordinal:0320, Ord:0320h
|
:0040467E
E835640000 Call 0040AAB8
:00404683
B801000000 mov eax, 00000001
====>返回值 EAX=1:校验通过
:00404688
8B4C2404 mov ecx, dword
ptr [esp+04]
:0040468C 64890D00000000 mov
dword ptr fs:[00000000], ecx
:00404693 83C410
add esp, 00000010
:00404696 C20400
ret 0004
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040465B(C)
|
:00404699
8D4C2414 lea ecx, dword
ptr [esp+14]
:0040469D C744240CFFFFFFFF mov [esp+0C],
FFFFFFFF
* Reference
To: MFC42.Ordinal:0320, Ord:0320h
|
:004046A5
E80E640000 Call 0040AAB8
:004046AA
8B4C2404 mov ecx, dword
ptr [esp+04]
:004046AE 33C0
xor eax, eax
====>返回值 EAX=0:校验失败
:004046B0
64890D00000000 mov dword ptr fs:[00000000],
ecx
:004046B7 83C410
add esp, 00000010
:004046BA C20400
ret 0004
—————————————————————————————————
进入算法CALL:00404634 call 00404360 转到下面的代码处
*
Possible StringData Ref from Data Obj ->"c:\"
|
:00404389 6858144100
push 00411458
:0040438E 895C2434
mov dword ptr [esp+34], ebx
*
Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
|
:00404392 FF1534D04000
Call dword ptr [0040D034]
====>取 C:\ 的卷序列号(GetVolumeInformationA 返回的是格式化时生成的卷序列号,并非硬盘的硬件序列号;该值可随重新格式化而改变,单独用作机器绑定依据并不可靠)
:00404398
8B44240C mov eax, dword
ptr [esp+0C]
====>EAX=[esp+0C]=211C1E09
:0040439C
8D4C2408 lea ecx, dword
ptr [esp+08]
:004043A0 3515360002
xor eax, 02003615
====>EAX=211C1E09
XOR 02003615=231C281C
:004043A5 8944240C mov dword ptr [esp+0C], eax
* Reference
To: MFC42.Ordinal:021C, Ord:021Ch
|
:004043A9
E81C670000 Call 0040AACA
:004043AE
8B4C240C mov ecx, dword
ptr [esp+0C]
:004043B2 8D542408
lea edx, dword ptr [esp+08]
:004043B6 51
push ecx
*
Possible StringData Ref from Data Obj ->"%X"
|
:004043B7 6854144100
push 00411454
:004043BC 52
push edx
:004043BD C744242C01000000
mov [esp+2C], 00000001
*
Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:004043C5
E856680000 Call 0040AC20
:004043CA
8B4C2414 mov ecx, dword
ptr [esp+14]
:004043CE 8B442418
mov eax, dword ptr [esp+18]
:004043D2 83C40C
add esp, 0000000C
:004043D5 89442410
mov dword ptr [esp+10], eax
====>[esp+10]=EAX=231C281C
:004043D9
8B71F8 mov esi,
dword ptr [ecx-08]
====>ESI=8,即字符串“231C281C”的长度(从 [ecx-08] 读出)
:004043DC
3BF3 cmp
esi, ebx
:004043DE 7E4C
jle 0040442C
:004043E0 55
push ebp
:004043E1 57
push edi
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404428(C)
|
:004043E2
8BC3 mov
eax, ebx
:004043E4 B906000000 mov
ecx, 00000006
:004043E9 99
cdq
:004043EA F7F9
idiv ecx
:004043EC 8B442410
mov eax, dword ptr [esp+10]
====>EAX=[esp+10]=231C281C
:004043F0
8A0C03 mov cl, byte
ptr [ebx+eax]
====>依次取字符串“231C281C”中各字符的ASCII码(以十六进制表示)
:004043F3
8AC3 mov
al, bl
====>AL=BL
:004043F5
83C202 add edx,
00000002
:004043F8 FEC0
inc al
====>AL 加 1
:004043FA
F6E9 imul
cl
1、 ====>AL=01 * 32=32
2、
====>AL=02 * 33=66
3、 ====>AL=03 * 31=93
4、 ====>AL=04 * 43=0C
5、 ====>AL=05
* 32=FA
6、 ====>AL=06 * 38=50
7、
====>AL=07 * 31=57
8、 ====>AL=08 * 43=18
:004043FC
84C0 test
al, al
:004043FE 7D02
jge 00404402
:00404400 F6D8
neg al
3、 ====>AL=93
NEG=6D
5、 ====>AL=FA NEG=06
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004043FE(C)
|
:00404402
0FBEC0 movsx eax,
al
====>EAX=AL
:00404405
8ACA mov
cl, dl
====>CL=DL
:00404407
8BF8 mov
edi, eax
====>EDI=EAX
:00404409
FEC9 dec
cl
====>CL 减 1
:0040440B
8BE8 mov
ebp, eax
====>EBP=EAX
:0040440D
D3FF sar
edi, cl
1、 ====>EDI=00000032 SAR 01=00000019
2、 ====>EDI=00000066 SAR 02=00000019
3、
====>EDI=0000006D SAR 03=0000000D
4、 ====>EDI=0000000C
SAR 04=00000000
5、 ====>EDI=00000006 SAR 05=00000000
6、 ====>EDI=00000050 SAR 06=00000001
7、
====>EDI=00000057 SAR 01=0000002B
8、 ====>EDI=00000018
SAR 02=00000006
:0040440F
8ACA mov
cl, dl
====>CL=DL
:00404411
D3FD sar
ebp, cl
1、 ====>EBP=00000032 SAR 02=0000000C
2、 ====>EBP=00000066 SAR 03=0000000C
3、
====>EBP=0000006D SAR 04=00000006
4、 ====>EBP=0000000C
SAR 05=00000000
5、 ====>EBP=00000006 SAR 06=00000000
6、 ====>EBP=00000050 SAR 07=00000000
7、
====>EBP=00000057 SAR 02=00000015
8、 ====>EBP=00000018
SAR 03=00000003
:00404413
8BCA mov
ecx, edx
:00404415 8B542418
mov edx, dword ptr [esp+18]
:00404419 D3E0
shl eax, cl
1、
====>EAX=00000032 SHL 02=000000C8
2、 ====>EAX=00000066
SHL 03=00000330
3、 ====>EAX=0000006D SHL 04=000006D0
4、 ====>EAX=0000000C SHL 05=00000180
5、
====>EAX=00000006 SHL 06=00000180
6、 ====>EAX=00000050
SHL 07=00002800
7、 ====>EAX=00000057 SHL 02=0000015C
8、 ====>EAX=00000018 SHL 03=000000C0
:0040441B
33FD xor
edi, ebp
1、 ====>EDI=00000019 XOR 0000000C=00000015
2、 ====>EDI=00000019 XOR 0000000C=00000015
3、
====>EDI=0000000D XOR 00000006=0000000B
4、
====>EDI=00000000 XOR 00000000=00000000
5、 ====>EDI=00000000
XOR 00000000=00000000
6、 ====>EDI=00000001 XOR 00000000=00000001
7、 ====>EDI=0000002B XOR 00000015=0000003E
8、
====>EDI=00000006 XOR 00000003=00000005
:0040441D
33F8 xor
edi, eax
1、 ====>EDI=00000015 XOR 000000C8=000000DD
2、 ====>EDI=00000015 XOR 00000330=00000325
3、
====>EDI=0000000B XOR 000006D0=000006DB
4、
====>EDI=00000000 XOR 00000180=00000180
5、 ====>EDI=00000000
XOR 00000180=00000180
6、 ====>EDI=00000001 XOR 00002800=00002801
7、 ====>EDI=0000003E XOR 0000015C=00000162
8、
====>EDI=00000005 XOR 000000C0=000000C5
:0040441F
03D7 add
edx, edi
1、 ====>EDX=231C281C ADD 000000DD=231C28F9
2、 ====>EDX=231C28F9 ADD 00000325=231C2C1E
3、
====>EDX=231C2C1E ADD 000006DB=231C32F9
4、
====>EDX=231C32F9 ADD 00000180=231C3479
5、 ====>EDX=231C3479
ADD 00000180=231C35F9
6、 ====>EDX=231C35F9 ADD 00002801=231C5DFA
7、 ====>EDX=231C5DFA ADD 00000162=231C5F5C
8、
====>EDX=231C5F5C ADD 000000C5=231C6021
呵呵,好了,循环的结果231C6021就是我的注册码了!
:00404421
43 inc
ebx
:00404422 3BDE
cmp ebx, esi
:00404424 89542418
mov dword ptr [esp+18], edx
====>[esp+18]=EDX
:00404428
7CB8 jl 004043E2
====>继续循环?!
:0040442A
5F pop
edi
:0040442B 5D
pop ebp
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004043DE(C)
|
:0040442C
8B4C2410 mov ecx, dword
ptr [esp+10]
====>ECX=231C6021
:00404430
8D542408 lea edx, dword
ptr [esp+08]
:00404434 51
push ecx
*
Possible StringData Ref from Data Obj ->"%X"
|
:00404435 6854144100
push 00411454
:0040443A 52
push edx
*
Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:0040443B
E8E0670000 Call 0040AC20
:00404440
83C40C add esp,
0000000C
:00404443 8D4C2408
lea ecx, dword ptr [esp+08]
*
Reference To: MFC42.Ordinal:106C, Ord:106Ch
|
:00404447
E8E6670000 Call 0040AC32
:0040444C
8D4C2408 lea ecx, dword
ptr [esp+08]
* Reference
To: MFC42.Ordinal:188A, Ord:188Ah
|
:00404450
E8CF660000 Call 0040AB24
:00404455
8D4C2408 lea ecx, dword
ptr [esp+08]
* Reference
To: MFC42.Ordinal:188B, Ord:188Bh
|
:00404459
E8C0660000 Call 0040AB1E
:0040445E
8B742428 mov esi, dword
ptr [esp+28]
:00404462 8D442408
lea eax, dword ptr [esp+08]
:00404466 50
push eax
:00404467 8BCE
mov ecx, esi
*
Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00404469
E816670000 Call 0040AB84
:0040446E
C744241401000000 mov [esp+14], 00000001
:00404476
8D4C2408 lea ecx, dword
ptr [esp+08]
:0040447A C644242000
mov [esp+20], 00
*
Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040447F
E834660000 Call 0040AAB8
:00404484
8B4C2418 mov ecx, dword
ptr [esp+18]
:00404488 8BC6
mov eax, esi
:0040448A 5E
pop esi
:0040448B 5B
pop ebx
:0040448C
64890D00000000 mov dword ptr fs:[00000000],
ecx
:00404493 83C41C
add esp, 0000001C
:00404496 C20400
ret 0004
—————————————————————————————————
【完 美 爆 破】:
1、0040464E
85C0 test
eax, eax
改为: 33C0
xor eax, eax
呵呵,使其“正确”设置404650处的BL值!
2、0040465D
8B542414 mov edx, dword
ptr [esp+14]
改为: 8B142490
mov edx, dword ptr [esp] 补一个NOP
呵呵,让程序把真的注册码保存起来,这样程序就自动显示真码了,相当于用程序本身做了个注册机!
—————————————————————————————————
【KeyMake之{63th}内存注册机】:
中断地址:0040463F
中断次数:1
第一字节:50
指令长度:1
内存方式:EAX
说明:把内存注册机放到C:\WINDOWS\SYSTEM目录下,然后用杀进程的工具把C:\WINDOWS\SYSTEM\sgame.exe的进程禁止掉!再运行内存注册机,按热键激活创想游戏控制软件,随意输入试炼码,确定后即可弹出正确注册码!
—————————————————————————————————
【注册信息保存】:
C:\WINDOWS
下的Win.ini中:
[TrueThink]
Password=C7
RegisterCode=231C6021
—————————————————————————————————
【整 理】:
机器码:33050A7B
注册码:231C6021
—————————————————————————————————
Cracked By
巢水工作坊——fly [OCN][FCG]
2003-4-17 15:55