下载页面: http://www.skycn.com/soft/8210.html
软件大小: 1265 KB
软件语言: 英文
软件类别: 国外软件 / 共享版 / 图像处理
应用平台: Win9x/NT/2000/XP
加入时间: 2003-03-31 08:38:47
下载次数: 2531
推荐等级: ****
开 发 商: http://www.unidreamtech.com/
【软件简介】:Photo Watermark 是一款专业的给图片加水印软件,如果你想在网络上保护你的图片,可以试试这个软件。
【软件限制】:15天试用、功能限制。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、Fi2.5、Hex Workshop、UPX1.2、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
首先说明的是我手里分析的是V1.2.0.6的版本,天空下载站上的是V3.0.0.0新版,呵呵,小猫上网就不去“喜新厌旧”了。可能有许多地方是不一样的。不过我的目的只是学习CRACK技术。
watermark.exe 用Fi2.5看是UPX壳,但是这个壳再次用其它工具做了保护。如:UPX-Scrambler RC 1.05 ——modifies files packed with UPX so that they cannot be unpacked with the "-d" command built into UPX。
呵呵,看了《看雪论坛精华》里 bottle 朋友的帖子学习了脱壳方法。谢谢 bottle 朋友!为了大家方便我转贴一下我所用到的关键部分。
用Hex Workshop打开watermark.exe:
00000400:5B66 FEFF 0410 4000 0307 426F 6F6C 6561 6E01
0009 2A05 46B3 DFDE FF61 6C73 6504
把00000400处的:5B66 FEFF 0410 改为5550 5821 0C09
保存后再用UPX1.2解压成功。556K->1.53M。Delphi编写。反汇编,根据提示很容易就找到核心了。
用户名:fly
电 邮:fly@263.net
试炼码:13572468
程序根据注册码的不同而分为2个版本,运算流程是相似的,因此我只是记录了第二次运算“Pro”版注册码时的参数。
—————————————————————————————————
* Possible StringData Ref from Code Obj ->"Plus"
|
:00535460 BAB0565300
mov edx, 005356B0
====>EDX=Plus
:00535465
E8FAEBECFF call 00404064
:0053546A
755B jne
005354C7
* Possible
StringData Ref from Code Obj ->"Pro"
|
:0053546C 68C0565300 push
005356C0
:00535471 8D45FC
lea eax, dword ptr [ebp-04]
:00535474 50
push eax
:00535475 8D55F8
lea edx, dword ptr
[ebp-08]
:00535478 8B83D8020000 mov
eax, dword ptr [ebx+000002D8]
:0053547E E83DFAEFFF
call 00434EC0
:00535483 8B45F8
mov eax, dword ptr [ebp-08]
:00535486 50
push
eax
:00535487 8D55F4
lea edx, dword ptr [ebp-0C]
:0053548A 8B83F4020000
mov eax, dword ptr [ebx+000002F4]
:00535490 E82BFAEFFF
call 00434EC0
:00535495 8B55F4
mov edx, dword ptr
[ebp-0C]
:00535498 8B83EC020000 mov
eax, dword ptr [ebx+000002EC]
:0053549E 59
pop ecx
:0053549F E85CEDFFFF
call 00534200
:005354A4 8B45FC
mov eax, dword ptr [ebp-04]
:005354A7
50 push
eax
:005354A8 8D55F0
lea edx, dword ptr [ebp-10]
:005354AB 8B83E0020000
mov eax, dword ptr [ebx+000002E0]
:005354B1 E80AFAEFFF
call 00434EC0
:005354B6 8B55F0
mov edx, dword ptr
[ebp-10]
:005354B9 58
pop eax
:005354BA E8E136EDFF
call 00408BA0
:005354BF 85C0
test eax, eax
:005354C1 0F84C9000000
je 00535590
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053546A(C)
|
*
Possible StringData Ref from Code Obj ->"Plus"
|
:005354C7 68B0565300
push 005356B0
:005354CC 8D45EC
lea eax, dword ptr [ebp-14]
====>EAX=fly@263.net
:005354CF
50 push
eax
:005354D0 8D55E8
lea edx, dword ptr [ebp-18]
:005354D3 8B83D8020000
mov eax, dword ptr [ebx+000002D8]
:005354D9 E8E2F9EFFF
call 00434EC0
:005354DE 8B45E8
mov eax, dword ptr
[ebp-18]
====>EAX=fly@263.net
:005354E1
50 push
eax
:005354E2 8D55E4
lea edx, dword ptr [ebp-1C]
:005354E5 8B83F4020000
mov eax, dword ptr [ebx+000002F4]
:005354EB E8D0F9EFFF
call 00434EC0
:005354F0 8B55E4
mov edx, dword ptr
[ebp-1C]
====>EDX=fly
:005354F3
8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005354F9
59 pop
ecx
====>ECX=fly@263.net
:005354FA
E801EDFFFF call 00534200
====>算法CALL!运算“Plus”版本的注册码!
:005354FF
8B45EC mov eax,
dword ptr [ebp-14]
====>EAX=Y1728-E7272
:00535502
50 push
eax
:00535503 8D55E0
lea edx, dword ptr [ebp-20]
:00535506 8B83E0020000
mov eax, dword ptr [ebx+000002E0]
:0053550C E8AFF9EFFF
call 00434EC0
====>取试炼码
:00535511
8B45E0 mov eax,
dword ptr [ebp-20]
====>EAX=13572468
:00535514
5A pop
edx
:00535515 E81AC5FCFF call
00501A34
====>比较“Plus”版本的注册码!
:0053551A
85C0 test
eax, eax
:0053551C 7572
jne 00535590
====>跳则“Plus”版本注册成功!
:0053551E
A1CC8C5400 mov eax, dword ptr
[00548CCC]
:00535523 8B00
mov eax, dword ptr [eax]
*
Possible StringData Ref from Code Obj ->"Watermark"
|
:00535525 BACC565300
mov edx, 005356CC
====>EDX=Watermark
:0053552A
E835EBECFF call 00404064
:0053552F
0F85DC000000 jne 00535611
*
Possible StringData Ref from Code Obj ->"Watermark"
|
:00535535 68CC565300
push 005356CC
:0053553A 8D45DC
lea eax, dword ptr [ebp-24]
:0053553D 50
push eax
:0053553E
8D55D8 lea edx,
dword ptr [ebp-28]
:00535541 8B83D8020000
mov eax, dword ptr [ebx+000002D8]
:00535547 E874F9EFFF
call 00434EC0
:0053554C 8B45D8
mov eax, dword ptr [ebp-28]
====>EAX=fly@263.net
:0053554F
50 push
eax
:00535550 8D55D4
lea edx, dword ptr [ebp-2C]
:00535553 8B83F4020000
mov eax, dword ptr [ebx+000002F4]
:00535559 E862F9EFFF
call 00434EC0
:0053555E 8B55D4
mov edx, dword ptr
[ebp-2C]
====>EDX=fly
:00535561
8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:00535567
59 pop
ecx
:00535568 E893ECFFFF call
00534200
====>算法CALL!运算“Pro”版本的注册码!进入!
:0053556D
8B45DC mov eax,
dword ptr [ebp-24]
====>EAX=7761746572-Y1728-6D61726BE7272
:00535570
50 push
eax
:00535571 8D55D0
lea edx, dword ptr [ebp-30]
:00535574 8B83E0020000
mov eax, dword ptr [ebx+000002E0]
:0053557A E841F9EFFF
call 00434EC0
====>取试炼码
:0053557F
8B55D0 mov edx,
dword ptr [ebp-30]
====>EDX=13572468
:00535582
58 pop
eax
:00535583 E81836EDFF call
00408BA0
====>比较“Pro”版本的注册码!
:00535588
85C0 test
eax, eax
:0053558A 0F8581000000 jne
00535611
====>不跳则“Pro”版本注册成功!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005354C1(C),
:0053551C(C)
|
:00535590 8D55CC
lea edx, dword ptr [ebp-34]
:00535593 8B83D8020000
mov eax, dword ptr [ebx+000002D8]
:00535599
E822F9EFFF call 00434EC0
:0053559E
8B55CC mov edx,
dword ptr [ebp-34]
:005355A1 8B83EC020000
mov eax, dword ptr [ebx+000002EC]
:005355A7 E8E8EEFFFF
call 00534494
:005355AC 8D55C8
lea edx, dword ptr [ebp-38]
:005355AF
8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:005355B5
E806F9EFFF call 00434EC0
:005355BA
8B55C8 mov edx,
dword ptr [ebp-38]
:005355BD 8B83EC020000
mov eax, dword ptr [ebx+000002EC]
:005355C3 83C034
add eax, 00000034
:005355C6 E895EEECFF
call 00404460
:005355CB 8B83EC020000
mov eax, dword ptr [ebx+000002EC]
:005355D1
05C0000000 add eax, 000000C0
:005355D6
8B15CC8C5400 mov edx, dword ptr [00548CCC]
:005355DC
8B12 mov
edx, dword ptr [edx]
:005355DE E845E7ECFF
call 00403D28
:005355E3 33D2
xor edx, edx
:005355E5 8B83EC020000
mov eax, dword ptr [ebx+000002EC]
:005355EB
E844EEFFFF call 00534434
:005355F0
8D55C4 lea edx,
dword ptr [ebp-3C]
:005355F3 8B83E0020000
mov eax, dword ptr [ebx+000002E0]
:005355F9 E8C2F8EFFF
call 00434EC0
:005355FE 8B55C4
mov edx, dword ptr [ebp-3C]
:00535601
8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:00535607
E84CF3FFFF call 00534958
:0053560C
C60601 mov byte
ptr [esi], 01
:0053560F EB32
jmp 00535643
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0053552F(C),
:0053558A(C)
|
:00535611 6A00
push 00000000
:00535613 8D4DC0
lea ecx, dword ptr [ebp-40]
*
Possible StringData Ref from Code Obj ->"InvalidKeyStr"
|
:00535616 BAE0565300
mov edx, 005356E0
*
Possible StringData Ref from Code Obj ->"The information you entered
is "
->"not
valid. Please retry."
====>BAD BOY!
* Possible
StringData Ref from Code Obj ->"RegisteredStr"
|
:0053E85D BA98E95300
mov edx, 0053E998
*
Possible StringData Ref from Code Obj ->"Thank you for registering %s.
"
->"Please
keep your key code in a "
->"secret place. Program will restart."
:0053E8B7 FF92D8000000 call
dword ptr [edx+000000D8]
====>呵呵,胜利女神!
—————————————————————————————————
进入算法CALL:00535568 call 00534200
*
Referenced by a CALL at Addresses:
|:00534A15 , :00534E78 , :00534EA8
, :00534ED8 , :0053549F
|:005354FA , :00535568
|
:00534200 55
push ebp
:00534201 8BEC
mov ebp, esp
:00534203 51
push ecx
:00534204
B908000000 mov ecx, 00000008
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053420E(C)
|
:00534209
6A00 push
00000000
:0053420B 6A00
push 00000000
:0053420D 49
dec ecx
:0053420E 75F9
jne 00534209
:00534210
51 push
ecx
:00534211 874DFC
xchg dword ptr [ebp-04], ecx
:00534214 53
push ebx
:00534215 894DF8
mov dword ptr [ebp-08],
ecx
:00534218 8955FC
mov dword ptr [ebp-04], edx
:0053421B 8BD8
mov ebx, eax
:0053421D 8B45FC
mov eax, dword ptr [ebp-04]
====>EAX=[ebp-04]=fly
:00534220
E8E3FEECFF call 00404108
:00534225
8B45F8 mov eax,
dword ptr [ebp-08]
====>EAX=[ebp-08]=fly@263.net
:00534228
E8DBFEECFF call 00404108
:0053422D
8B450C mov eax,
dword ptr [ebp+0C]
====>EAX=Plus
:00534230
E8D3FEECFF call 00404108
:00534235
33C0 xor
eax, eax
:00534237 55
push ebp
:00534238 68BC435300
push 005343BC
:0053423D 64FF30
push dword ptr fs:[eax]
:00534240 648920
mov dword ptr fs:[eax],
esp
:00534243 8B450C
mov eax, dword ptr [ebp+0C]
*
Possible StringData Ref from Code Obj ->"Pro"
|
:00534246 BAD4435300
mov edx, 005343D4
====>EDX=Pro
:0053424B
E814FEECFF call 00404064
====>判断是哪个版本?
:00534250
7572 jne
005342C4
:00534252 8D55F4
lea edx, dword ptr [ebp-0C]
*
Possible StringData Ref from Code Obj ->"pro"
|
:00534255 B8E0435300
mov eax, 005343E0
:0053425A E8F5E7FCFF
call 00502A54
:0053425F FF75F4
push [ebp-0C]
:00534262 68EC435300
push 005343EC
:00534267 8D55EC
lea edx, dword ptr [ebp-14]
:0053426A
8B45FC mov eax,
dword ptr [ebp-04]
:0053426D E87E47EDFF
call 004089F0
:00534272 8B55EC
mov edx, dword ptr [ebp-14]
:00534275 8D4DF0
lea ecx, dword ptr [ebp-10]
:00534278
8BC3 mov
eax, ebx
:0053427A E8AD080000 call
00534B2C
:0053427F FF75F0
push [ebp-10]
:00534282 68EC435300
push 005343EC
:00534287 8D55E8
lea edx, dword ptr [ebp-18]
*
Possible StringData Ref from Code Obj ->"Pro"
|
:0053428A B8D4435300
mov eax, 005343D4
:0053428F E8C0E7FCFF
call 00502A54
:00534294 FF75E8
push [ebp-18]
:00534297 8D55E0
lea edx, dword ptr [ebp-20]
:0053429A
8B45F8 mov eax,
dword ptr [ebp-08]
:0053429D E88A47EDFF
call 00408A2C
:005342A2 8B55E0
mov edx, dword ptr [ebp-20]
:005342A5 8D4DE4
lea ecx, dword ptr [ebp-1C]
:005342A8
8BC3 mov
eax, ebx
:005342AA E87D080000 call
00534B2C
:005342AF FF75E4
push [ebp-1C]
:005342B2 8B4508
mov eax, dword ptr [ebp+08]
:005342B5 BA06000000
mov edx, 00000006
:005342BA
E855FDECFF call 00404014
:005342BF
E9D5000000 jmp 00534399
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534250(C)
|
:005342C4
8B450C mov eax,
dword ptr [ebp+0C]
*
Possible StringData Ref from Code Obj ->"Watermark"
|
:005342C7 BAF8435300
mov edx, 005343F8
====>EDX=Watermark
:005342CC
E893FDECFF call 00404064
:005342D1
756F jne
00534342
====>第一次运算“Plus”版时从这跳走。
:005342D3 8D55DC lea edx, dword ptr [ebp-24]
*
Possible StringData Ref from Code Obj ->"water"
|
:005342D6 B80C445300
mov eax, 0053440C
====>EAX=water
:005342DB
E874E7FCFF call 00502A54
====>取water字符的ASCII码7761746572
:005342E0
FF75DC push [ebp-24]
① ====>[ebp-24]=7761746572
:005342E3
68EC435300 push 005343EC
:005342E8
8D55D4 lea edx,
dword ptr [ebp-2C]
:005342EB 8B45FC
mov eax, dword ptr [ebp-04]
====>EAX=[ebp-04]=fly
:005342EE
E8FD46EDFF call 004089F0
====>将fly转化为大写字母
:005342F3
8B55D4 mov edx,
dword ptr [ebp-2C]
====>EDX=FLY
:005342F6
8D4DD8 lea ecx,
dword ptr [ebp-28]
:005342F9 8BC3
mov eax, ebx
:005342FB E82C080000
call 00534B2C
====>对FLY进行运算得出下面的Y1728 进入!
:00534300
FF75D8 push [ebp-28]
② ====>[ebp-28]=Y1728
:00534303
68EC435300 push 005343EC
:00534308
8D55D0 lea edx,
dword ptr [ebp-30]
*
Possible StringData Ref from Code Obj ->"mark"
|
:0053430B B81C445300
mov eax, 0053441C
====>EAX=mark
:00534310
E83FE7FCFF call 00502A54
====>取mark字符的ASCII码6D61726B
:00534315
FF75D0 push [ebp-30]
③ ====>[ebp-30]=6D61726B
:00534318
8D55C8 lea edx,
dword ptr [ebp-38]
:0053431B 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=[ebp-08]=fly@263.net
:0053431E
E80947EDFF call 00408A2C
====>对fly@263.net进行检测,如果有大写字母则转化为小写
:00534323
8B55C8 mov edx,
dword ptr [ebp-38]
====>EDX=[ebp-38]=fly@263.net
:00534326
8D4DCC lea ecx,
dword ptr [ebp-34]
:00534329 8BC3
mov eax, ebx
:0053432B E8FC070000
call 00534B2C
====>对fly@263.net进行运算得出下面的E7272
====>与 005342FB 处的运算流程相同
:00534330
FF75CC push [ebp-34]
④ ====>[ebp-34]=E7272
:00534333
8B4508 mov eax,
dword ptr [ebp+08]
:00534336 BA06000000
mov edx, 00000006
:0053433B E8D4FCECFF
call 00404014
====>将上面得出的①②③④连接成①-②-③④
:00534340
EB57 jmp
00534399
====>“Pro”版本注册码运算结束!跳走!
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005342D1(C)
|
:00534342
8B450C mov eax,
dword ptr [ebp+0C]
====>下面是第一次时运算“Plus”版本的注册码
* Possible
StringData Ref from Code Obj ->"Plus"
|
:00534345 BA2C445300 mov
edx, 0053442C
:0053434A E815FDECFF
call 00404064
:0053434F 7548
jne 00534399
:00534351 8D55C0
lea edx, dword ptr [ebp-40]
:00534354
8B45FC mov eax,
dword ptr [ebp-04]
:00534357 E89446EDFF
call 004089F0
:0053435C 8B55C0
mov edx, dword ptr [ebp-40]
:0053435F 8D4DC4
lea ecx, dword ptr [ebp-3C]
:00534362
8BC3 mov
eax, ebx
:00534364 E8C3070000 call
00534B2C
:00534369 FF75C4
push [ebp-3C]
:0053436C 68EC435300
push 005343EC
:00534371 8D55B8
lea edx, dword ptr [ebp-48]
:00534374 8B45F8
mov eax, dword ptr
[ebp-08]
:00534377 E8B046EDFF call
00408A2C
:0053437C 8B55B8
mov edx, dword ptr [ebp-48]
:0053437F 8D4DBC
lea ecx, dword ptr [ebp-44]
:00534382
8BC3 mov
eax, ebx
:00534384 E8A3070000 call
00534B2C
:00534389 FF75BC
push [ebp-44]
:0053438C 8B4508
mov eax, dword ptr [ebp+08]
:0053438F BA03000000
mov edx, 00000003
:00534394
E87BFCECFF call 00404014
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005342BF(U),
:00534340(U), :0053434F(C)
|
:00534399 33C0
xor eax, eax
:0053439B 5A
pop edx
:0053439C
59 pop
ecx
:0053439D 59
pop ecx
:0053439E 648910
mov dword ptr fs:[eax], edx
:005343A1 68C3435300
push 005343C3
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005343C1(U)
|
:005343A6
8D45B8 lea eax,
dword ptr [ebp-48]
:005343A9 BA12000000
mov edx, 00000012
:005343AE E845F9ECFF
call 00403CF8
:005343B3 8D450C
lea eax, dword ptr [ebp+0C]
:005343B6 E819F9ECFF
call 00403CD4
:005343BB C3
ret
—————————————————————————————————
进入:005342FB call 00534B2C
*
Referenced by a CALL at Addresses:
|:0053427A , :005342AA , :005342FB
, :0053432B , :00534364
|:00534384
|
:00534B2C
55 push
ebp
:00534B2D 8BEC
mov ebp, esp
:00534B2F 6A00
push 00000000
:00534B31 6A00
push 00000000
:00534B33
6A00 push
00000000
:00534B35 6A00
push 00000000
:00534B37 6A00
push 00000000
:00534B39 6A00
push 00000000
:00534B3B
6A00 push
00000000
:00534B3D 53
push ebx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534ACD(C)
|
:00534B3E
56 push
esi
:00534B3F 57
push edi
:00534B40 894DF8
mov dword ptr [ebp-08], ecx
:00534B43 8955FC
mov dword ptr [ebp-04], edx
:00534B46
8B45FC mov eax,
dword ptr [ebp-04]
====>EAX=FLY
:00534B49
E8BAF5ECFF call 00404108
:00534B4E
33C0 xor
eax, eax
:00534B50 55
push ebp
:00534B51 68154C5300
push 00534C15
:00534B56 64FF30
push dword ptr fs:[eax]
:00534B59 648920
mov dword ptr fs:[eax],
esp
:00534B5C 33FF
xor edi, edi
:00534B5E 8D45F4
lea eax, dword ptr [ebp-0C]
:00534B61 8B55FC
mov edx, dword ptr [ebp-04]
====>EDX=FLY
:00534B64
E803F2ECFF call 00403D6C
:00534B69
8B45F4 mov eax,
dword ptr [ebp-0C]
:00534B6C E8E3F3ECFF
call 00403F54
====>取FLY长度
:00534B71
8BF0 mov
esi, eax
====>ESI=EAX=3
:00534B73
85F6 test
esi, esi
:00534B75 7E58
jle 00534BCF
:00534B77 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BCD(C)
|
:00534B7C
8B45F4 mov eax,
dword ptr [ebp-0C]
====>EAX=FLY
:00534B7F
8A4418FF mov al, byte ptr
[eax+ebx-01]
====>依次取FLY字符的HEX值
1、 ====>AL=46
2、 ====>AL=4C
3、 ====>AL=59
:00534B83
E858FFFFFF call 00534AE0
====>呵呵,这里面有一个分支判断有点意思!猜测一下:程序检测上面所取字符的HEX(DEC)值是否是素数?如果是素数的话,则下面不跳,保留该字符到结果中。并且是小写字母的则转化为大写字母。^O^^O^
:00534B88
84C0 test
al, al
:00534B8A 7425
je 00534BB1
:00534B8C 8D45E8
lea eax, dword ptr [ebp-18]
:00534B8F 8B55F4
mov edx, dword ptr [ebp-0C]
:00534B92
8A541AFF mov dl, byte ptr
[edx+ebx-01]
3、 ====>DL=59
:00534B96
E8E1F2ECFF call 00403E7C
:00534B9B
8B45E8 mov eax,
dword ptr [ebp-18]
3、 ====>EAX=Y
:00534B9E
8D55EC lea edx,
dword ptr [ebp-14]
:00534BA1 E84A3EEDFF
call 004089F0
:00534BA6 8B55EC
mov edx, dword ptr [ebp-14]
:00534BA9 8D45F0
lea eax, dword ptr [ebp-10]
:00534BAC
E8ABF3ECFF call 00403F5C
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B8A(C)
|
:00534BB1
83FB01 cmp ebx,
00000001
====>第一位字符运算2遍
:00534BB4
740A je 00534BC0
:00534BB6
8B45F4 mov eax,
dword ptr [ebp-0C]
:00534BB9 0FB64418FE
movzx eax, byte ptr [eax+ebx-02]
2、 ====>EAX=46
3、 ====>EAX=4C
:00534BBE EB06 jmp 00534BC6
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00534BB4(C)
|
:00534BC0
8B45F4 mov eax,
dword ptr [ebp-0C]
:00534BC3 0FB600
movzx eax, byte ptr [eax]
1、 ====>EAX=46
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BBE(U)
|
:00534BC6
C1E003 shl eax,
03
1、 ====>EAX=46 SHL 3=00000230
2、 ====>EAX=46 SHL 3=00000230
3、 ====>EAX=4C SHL 3=00000260
:00534BC9
03F8 add
edi, eax
1、 ====>EDI=00000230 + 00000000=00000230
2、 ====>EDI=00000230 + 00000230=00000460
3、 ====>EDI=00000460 + 00000260=000006C0(H)=1728(D)
:00534BCB
43 inc
ebx
:00534BCC 4E
dec esi
:00534BCD 75AD
jne 00534B7C
====>循环用户名位数次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B75(C)
|
:00534BCF
8D55E4 lea edx,
dword ptr [ebp-1C]
:00534BD2 8BC7
mov eax, edi
====>EAX=EDI=6C0
:00534BD4
E81B42EDFF call 00408DF4
====>将6C0转化成10进制值1728
:00534BD9
8B4DE4 mov ecx,
dword ptr [ebp-1C]
====>ECX=1728
:00534BDC
8D45F4 lea eax,
dword ptr [ebp-0C]
:00534BDF 8B55F0
mov edx, dword ptr [ebp-10]
====>EDX=Y
:00534BE2
E8B9F3ECFF call 00403FA0
====>将Y和1728连接起来
:00534BE7
8B45F8 mov eax,
dword ptr [ebp-08]
:00534BEA 8B55F4
mov edx, dword ptr [ebp-0C]
====>EDX=Y1728
:00534BED
E836F1ECFF call 00403D28
:00534BF2
33C0 xor
eax, eax
:00534BF4 5A
pop edx
:00534BF5 59
pop ecx
:00534BF6 59
pop ecx
:00534BF7
648910 mov dword
ptr fs:[eax], edx
:00534BFA 681C4C5300
push 00534C1C
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534C1A(U)
|
:00534BFF
8D45E4 lea eax,
dword ptr [ebp-1C]
:00534C02 BA05000000
mov edx, 00000005
:00534C07 E8ECF0ECFF
call 00403CF8
:00534C0C 8D45FC
lea eax, dword ptr [ebp-04]
:00534C0F E8C0F0ECFF
call 00403CD4
:00534C14 C3
ret
—————————————————————————————————
看看素数分支判断:00534B83 call 00534AE0
*
Referenced by a CALL at Address:
|:00534B83
|
:00534AE0 55
push ebp
:00534AE1
8BEC mov
ebp, esp
:00534AE3 51
push ecx
:00534AE4 53
push ebx
:00534AE5 56
push esi
:00534AE6
8845FF mov byte
ptr [ebp-01], al
:00534AE9 C645FD02
mov [ebp-03], 02
:00534AED C645FE01
mov [ebp-02], 01
:00534AF1 8A4DFF
mov cl, byte ptr [ebp-01]
:00534AF4
49 dec
ecx
:00534AF5 80E902
sub cl, 02
:00534AF8 722A
jb 00534B24
:00534AFA 41
inc ecx
:00534AFB B302
mov bl, 02
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B22(C)
|
:00534AFD
33C0 xor
eax, eax
:00534AFF 8A45FF
mov al, byte ptr [ebp-01]
:00534B02 33D2
xor edx, edx
:00534B04 8AD3
mov dl, bl
:00534B06
8BF2 mov
esi, edx
:00534B08 33D2
xor edx, edx
:00534B0A F7F6
div esi
:00534B0C 85D2
test edx, edx
:00534B0E 7503
jne 00534B13
:00534B10
FE45FD inc [ebp-03]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B0E(C)
|
:00534B13
807DFD02 cmp byte ptr [ebp-03],
02
:00534B17 7606
jbe 00534B1F
:00534B19 C645FE00
mov [ebp-02], 00
:00534B1D EB05
jmp 00534B24
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B17(C)
|
:00534B1F
43 inc
ebx
:00534B20 FEC9
dec cl
:00534B22 75D9
jne 00534AFD
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00534AF8(C),
:00534B1D(U)
|
:00534B24 8A45FE
mov al, byte ptr [ebp-02]
:00534B27 5E
pop esi
:00534B28 5B
pop
ebx
:00534B29 59
pop ecx
:00534B2A 5D
pop ebp
:00534B2B C3
ret
—————————————————————————————————
【KeyMake之{66th}Pro版内存注册机】:
中断地址:00535583
中断次数:1
第一字节:E8
指令长度:5
内存方式:EAX
—————————————————————————————————
【注册信息保存】:
C:\WINDOWS\SYSTEM 下的udmwm.sys文件。呵呵,想尽办法的隐藏自己呀。
可以用记事本打开的。
[5468616E6B796F75]
4964=3337373332
4C64=3337373333
487569=0
4D61=373736313734363537322D59313732382D36443631373236424537323732
4D696E67=666C79403236332E6E6574
55736572=666C79
4C6963656E7365=506C7573
—————————————————————————————————
【整 理】:
用户名:fly
电 邮:fly@263.net
注册码:Y1728-E7272
(Plus版)
注册码:7761746572-Y1728-6D61726BE7272
(Pro 版)
—————————————————————————————————
, _/
/| _.-~/
\_ , 青春都一饷
( /~ / \~-._
|\
`\\ _/
\ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-.
换了破解轻狂
`~ _( ,_..--\ ( ,;'' /
~-- /._`\
/~~//' /' `~\
) /--.._, )_ `~
" `~" "
`" /~'`\ `\\~~\
"
" "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-04-22 2:08