简单算法——秋天的落叶(AutumnLeaves) v1.10
下载地址: http://www.zizi.8u8.com/soft/autumnleaves.zip
软件大小: 1.07M
【软件简介】:"AutumnLeaves" for Windows 95/98/NT makes autumn leaves fall on your desktop, in between and on windows, with the leaves gradually building up on your windows, while you work! Also included is the screen saver version. 一个美丽的桌面工具。
【软件限制】:功能限制
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、pe-scan、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
秋 —— 秋风秋雨愁煞人?否!看:斑斓的秋之落叶翩翩飘舞你的桌面,还有熟了的微笑着的大南瓜,蹦蹦跳跳来了两只小松鼠……
这就是绚丽的秋,绚丽的《AutumnLeaves》。
上面的地址下载的是汉化版,可能是汉化者重新加了壳。
AutumnLeaves.exe 加的是 PECompact 1.4 壳,用 pe-scan 脱之,173K->872K。程序用 VC++ 6.0 编写。
名 字:fly
关键字:[OCN][FCG]
试炼码:13572468
—————————————————————————————————
*
Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004089D9(C)
* Possible Reference to String Resource ID=01080: "螞??
|
:004089ED 6838040000
push 00000438
:004089F2 8B4D08
mov ecx, dword ptr
[ebp+08]
:004089F5 51
push ecx
* Reference To: USER32.GetDlgItem, Ord:0000h
|
:004089F6 FF15E0414100
Call dword ptr [004141E0]
====>取用户名输入框的句柄,随后由 GetWindowTextA 把用户名读入 00418BF0
:004089FC 8945F4
mov dword ptr [ebp-0C], eax
:004089FF 6A63
push 00000063
:00408A01 68F08B4100
push 00418BF0
====>00418BF0=fly
:00408A06 8B55F4
mov edx, dword ptr [ebp-0C]
:00408A09 52
push edx
* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:00408A0A FF15B4414100
Call dword ptr [004141B4]
:00408A10 683D040000
push 0000043D
:00408A15 8B4508
mov eax, dword ptr
[ebp+08]
:00408A18 50
push eax
* Reference To: USER32.GetDlgItem, Ord:0000h
|
:00408A19 FF15E0414100
Call dword ptr [004141E0]
:00408A1F 8945F4
mov dword ptr [ebp-0C], eax
:00408A22 6A02
push
00000002
:00408A24 8D4DFC
lea ecx, dword ptr [ebp-04]
:00408A27 51
push ecx
:00408A28
8B55F4 mov edx,
dword ptr [ebp-0C]
:00408A2B 52
push edx
* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:00408A2C FF15B4414100
Call dword ptr [004141B4]
* Possible Reference to String Resource ID=01081: ""
|
:00408A32 6839040000
push 00000439
:00408A37 8B4508
mov eax, dword ptr [ebp+08]
:00408A3A 50
push
eax
* Reference To: USER32.GetDlgItem, Ord:0000h
|
:00408A3B FF15E0414100
Call dword ptr [004141E0]
:00408A41 8945F4
mov dword ptr [ebp-0C], eax
:00408A44 6A09
push
00000009
* Possible StringData Ref from Code Obj ->"
"
|
:00408A46 6868694100
push 00416968
:00408A4B 8B4DF4
mov ecx, dword ptr
[ebp-0C]
:00408A4E 51
push ecx
* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:00408A4F FF15B4414100
Call dword ptr [004141B4]
====>取试炼码
:00408A55 8D55FC
lea edx, dword ptr [ebp-04]
:00408A58 52
push edx
* Possible StringData Ref from Code Obj ->"
"
|
:00408A59 6868694100
push 00416968
====>00416968=13572468
:00408A5E E84D320000 call
0040BCB0
====>连接试炼码和关键字的第一位
:00408A63 83C408
add esp, 00000008
:00408A66 E860FDFFFF
call 004087CB
====>关键CALL!进入!
:00408A6B 85C0
test eax, eax
:00408A6D 7518
jne 00408A87
====>不跳则OVER!
:00408A6F 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"Error"
|
:00408A71 685C744100
push 0041745C
* Possible StringData Ref from Code Obj ->"The registration code entered
"
->"is
not correct"
|
:00408A76 6864744100
push 00417464
:00408A7B
8B4508 mov eax,
dword ptr [ebp+08]
:00408A7E 50
push eax
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00408A7F FF15BC414100
Call dword ptr [004141BC]
====>BAD BOY!
:00408A85 EB72 jmp 00408AF9
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00408A6D(C)
* Possible Reference to String Resource ID=00001: "?緉vs項?
|
:00408A87 C705548C410001000000 mov
dword ptr [00418C54], 00000001
:00408A91 6A00
push 00000000
:00408A93 8B0D70684100
mov ecx, dword ptr
[00416870]
:00408A99 51
push ecx
* Possible Reference to String Resource ID=00001: "?緉vs項?
|
:00408A9A 6A01
push 00000001
:00408A9C 8B1580954100
mov edx, dword ptr
[00419580]
:00408AA2 52
push edx
* Reference To: USER32.SetTimer, Ord:0000h
|
:00408AA3 FF1560424100
Call dword ptr [00414260]
* Possible StringData Ref from Code Obj ->"
"
|
:00408AA9 6868694100
push 00416968
:00408AAE 68F08B4100
push 00418BF0
:00408AB3
E8C1FBFFFF call
00408679
====>保存注册信息!
:00408AB8 83C408
add esp, 00000008
:00408ABB 85C0
test eax, eax
:00408ABD 7418
je 00408AD7
:00408ABF
6A00 push
00000000
* Possible StringData Ref from Code Obj ->"Registration
successful"
|
:00408AC1 6894744100
push 00417494
* Possible StringData Ref from Code Obj ->"Registration data saved ok,
thank "
->"you
for registering!"
|
:00408AC6
68AC744100 push
004174AC
:00408ACB 8B4508
mov eax, dword ptr [ebp+08]
:00408ACE 50
push eax
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00408ACF FF15BC414100
Call dword ptr [004141BC]
====>呵呵,胜利女神!
:00408AD5 EB16 jmp 00408AED
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00408ABD(C)
|
:00408AD7 6A00
push 00000000
* Possible StringData Ref from Code Obj ->"Registration failed"
|
:00408AD9 68E4744100
push 004174E4
* Possible StringData Ref from Code Obj ->"Sorry, an error occurred while
"
->"saving your registration data!"
|
:00408ADE 68F8744100
push 004174F8
:00408AE3 8B4D08
mov ecx, dword ptr [ebp+08]
:00408AE6 51
push ecx
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00408AE7 FF15BC414100
Call dword ptr [004141BC]
—————————————————————————————————
进入关键CALL:00408A66 call 004087CB
* Referenced by a CALL at Addresses:
|:004010CB , :00408A66
, :0040A71E
|
:004087CB 55
push ebp
:004087CC 8BEC
mov ebp,
esp
:004087CE 83EC14
sub esp, 00000014
:004087D1 68648C4100
push 00418C64
* Possible StringData Ref from Code Obj ->"
"
|
:004087D6 6868694100
push 00416968
:004087DB E8B0350000
call 0040BD90
:004087E0
83C408 add esp,
00000008
:004087E3 85C0
test eax, eax
:004087E5 7507
jne 004087EE
:004087E7 33C0
xor eax,
eax
:004087E9 E9BF000000 jmp
004088AD
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004087E5(C)
|
* Possible StringData Ref from Code Obj ->"
"
|
:004087EE 6868694100
push 00416968
====>00416968=13572468[
:004087F3 8D45F0
lea eax, dword ptr [ebp-10]
:004087F6 50
push eax
:004087F7 E8A4340000
call 0040BCA0
:004087FC
83C408 add esp,
00000008
:004087FF 8A4DF6
mov cl, byte ptr [ebp-0A]
====>CL=36(H),即 13572468[ 第7位字符 '6' 的ASCII码
:00408802 884DEC
mov byte ptr [ebp-14], cl
====>[ebp-14]=CL
:00408805 C645F600 mov
[ebp-0A], 00
:00408809 8D55F0
lea edx, dword ptr [ebp-10]
====>EDX=135724 取 13572468[ 前6位
:0040880C 52
push edx
:0040880D E8B8380000
call 0040C0CA
====>把字符串 135724 按十进制转换成整数,EAX=0002122C(H)
:00408812 83C404
add esp, 00000004
:00408815 8945FC
mov dword ptr [ebp-04], eax
====>[ebp-04]=EAX=0002122C
:00408818 0FBE45EC
movsx eax, byte ptr [ebp-14]
====>EAX=[ebp-14]=36 即:13572468[第7位字符的HEX值
:0040881C 8B0C8530604100 mov ecx, dword ptr
[4*eax+00416030]
====>以第7位字符的ASCII码为索引查表取值(movsx 按有符号字节扩展,查表前未见对索引的范围检查)
====>ECX=[4*36+00416030]=[416108]=00040A3F
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[4*eax+00416030]内存中有张不小的表:^O^
^O^
00416030 C7 AA 01 00 BF 42 08 00 DF 3D 02 00 FA F5 0D 00
仟.緽.?...BF 4
00416040 93 E8 0C 00 C4 FA 06 00 61 B5 03 00 1C
E4 08 00 撹..您.a?.?.C4 F
00416050 11 2D 09 00 AC 1A 03 00 0E AC
0D 00 33 FE 06 00 -..?.?.3?.C 1
00416060 5E AC 0E 00 3D 11 02
00 4C 9D 08 00 5D EF 09 00 ^?.=.L?.]?.D 1
00416070 CE 96 03 00
06 59 0C 00 19 95 02 00 69 1B 04 00 螙.Y..?.i. 5
00416080 36
D8 07 00 7B 9A 0B 00 BB C2 09 00 14 4E 0C 00 6?.{?.宦..N..B 9
00416090 DA 56 04 00 8C 80 06 00 6F C5 07 00 21 A0 04 00 赩.實.o?.!?.8C
8
004160A0 0D D5 01 00 32 34 04 00 68 8C 02
00 95 99 04 00 .?.24.h?.暀.2 3
004160B0 7F E4 0C 00 C6 4E 07 00
3E 1D 0E 00 8B 9D 05 00 ?.芅.>.嫕.6 4
004160C0 B1 32 0F 00
E4 B3 02 00 D4 B5 01 00 EB 2E 06 00 ?.涑.缘.?.E4 B
004160D0 FA
56 0D 00 DA 37 0E 00 EC 86 0E 00 D0 90 0C 00 鶹..?.靻.袗..DA 3
004160E0
C5 49 03 00 2A 49 0A 00 2E B6 09 00 CC 32 0F 00 臝.*I...?.?.A
4
004160F0 38 9A 05 00 5B 94 0C 00 31 68 08 00 B7 24 07 00
8?.[?.1h.?.B 9
00416100 F8 BE 0A 00 31 92 03 00 3F 0A 04 00 A4
CE 09 00 ..1?.?..の..1 9
00416110 7E 96 02 00 74 CB 06 00 69 3A
05 00 2B 5F 09 00 ~?.t?.i:.+_.. C
00416120 1C 50 0D 00 B2 5D 06
00 E1 08 0C 00 30 A2 02 00 P..瞉.?..0?.2 5
…… …… 省 略 …… ……
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00408823 3B4DFC
cmp ecx, dword ptr [ebp-04]
====>ECX=00040A3F(H)=264767(D)
====>[ebp-04]=0002122C(H)=135724(D)
====>因此前6位注册码应是264767
:00408826 7507 jne 0040882F
* Possible Reference to String Resource ID=00001: "?緉vs項?
|
:00408828 B801000000
mov eax, 00000001
====>置1则OK!
:0040882D EB7E jmp 004088AD
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00408826(C)
|
* Possible StringData Ref from Code Obj ->"
"
|
:0040882F 6868694100
push 00416968
:00408834 8D55F0
lea edx, dword ptr
[ebp-10]
:00408837 52
push edx
:00408838 E863340000
call 0040BCA0
:0040883D 83C408
add esp, 00000008
:00408840 8D45F0
lea eax, dword ptr
[ebp-10]
:00408843 50
push eax
:00408844 E82A390000
call 0040C173
:00408849 83C404
add esp, 00000004
:0040884C 8A4DF6
mov cl, byte ptr
[ebp-0A]
:0040884F 884DEC
mov byte ptr [ebp-14], cl
:00408852 C645F600
mov [ebp-0A], 00
:00408856 0FBE55EC
movsx edx, byte ptr
[ebp-14]
:0040885A 8B049530604100 mov eax,
dword ptr [4*edx+00416030]
:00408861 3B45FC
cmp eax, dword ptr [ebp-04]
====>还有机会
:00408864 7507 jne 0040886D
* Possible Reference to String Resource ID=00001: "?緉vs項?
|
:00408866 B801000000
mov eax, 00000001
====>置1则OK!
:0040886B EB40 jmp 004088AD
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00408864(C)
* Possible StringData Ref from Code Obj ->"
"
|
:0040886D 6868694100
push 00416968
:00408872 8D4DF0
lea ecx, dword ptr
[ebp-10]
:00408875 51
push ecx
:00408876 E825340000
call 0040BCA0
:0040887B 83C408
add esp, 00000008
:0040887E 8D55F0
lea edx, dword ptr
[ebp-10]
:00408881 52
push edx
:00408882 E84E380000
call 0040C0D5
:00408887 83C404
add esp, 00000004
:0040888A 8A45F6
mov al, byte ptr
[ebp-0A]
:0040888D 8845EC
mov byte ptr [ebp-14], al
:00408890 C645F600
mov [ebp-0A], 00
:00408894 0FBE4DEC
movsx ecx, byte ptr
[ebp-14]
:00408898 8B148D30604100 mov edx,
dword ptr [4*ecx+00416030]
:0040889F 3B55FC
cmp edx, dword ptr [ebp-04]
====>还有机会
:004088A2 7507
jne 004088AB
====>跳则OVER!
* Possible Reference to String Resource ID=00001: "?緉vs項?
|
:004088A4 B801000000
mov eax, 00000001
====>置1则OK!
:004088A9 EB02 jmp 004088AD
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004088A2(C)
|
:004088AB 33C0
xor eax, eax
====>清0则OVER!爆破点!
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:004087E9(U), :0040882D(U), :0040886B(U),
:004088A9(U)
|
:004088AD 8BE5
mov esp, ebp
:004088AF 5D
pop ebp
:004088B0 C3
ret
—————————————————————————————————
【算 法 总 结】:
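EAX=注册码第7位字符的ASCII码(HEX值)。注册码前6位数字转换成的整数值应等于以 EAX 为索引查表所得的值,即 [4*eax+00416030] 处的 dword。
整个校验只是对程序内置静态表的一次本地比较,与名字无关,结果又只体现在 004087CB 的一个返回值上,所以这种保护很弱;要有实际强度,注册码应与用户信息绑定,并改用非对称签名之类无法从程序内直接读出答案的校验方式。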
—————————————————————————————————
【完 美 爆 破】:
004088AB 33C0
xor eax, eax
改为: B001
mov al, 01
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_CURRENT_USER\Software\Rick Jansen\AutumnLeaves for
Windows\Register]
"AutumnLeaves register
code"=hex:32,36,34,37,36,37,36,5b,00,00
"AutumnLeaves register
name"=hex:66,6c,79,00,b7,c9,00,00,00,00
—————————————————————————————————
【整 理】:
名 字:fly (Anything)
关键字:[OCN][FCG] (Anything)
注册码:2647676
名字、关键字无须填,最简单的注册码:109255
呵呵,注册码是很多的 ^O^ ^O^ ……
……
—————————————————————————————————
, _/
/| _.-~/
\_ , 青春都一饷
( /~ / \~-._
|\
`\\ _/
\ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_
//'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-.
换了破解轻狂
`~ _( ,_..--\ ( ,;'' /
~-- /._`\
/~~//' /' `~\
) /--.._, )_ `~
" `~" " `"
/~'`\ `\\~~\
" "
"~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-05-25 22:22