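〖Software size〗: 1806KB
〖Language〗: Simplified Chinese
〖Category〗: Chinese-made software / Shareware / File management
〖Platform〗: Win9x/Me/NT/2000/XP
〖Date added〗: 2003-7-30 17:09:31
〖Download〗: http://218.30.21.125:7272/friendmake/utility/ex100.exe
〖Rating〗: ☆☆☆☆
【Software description】:
1 Software classification: Software on the computer can be sorted carefully into five major categories and 25 subcategories. More than six hundred programs can be classified, which fully meets users' needs for managing commonly used software by category.
2 Software launch: This program's quick launch is arguably the fastest I have seen; the 125 most commonly used programs can be found conveniently without clicking. After each launch, the most-used programs are automatically sorted upward, so the most commonly used software is always the easiest to launch.
3 Category settings: One thing worth mentioning: with typical software managers, once a program has been categorised, moving it to another category is troublesome. This program provides convenient functions for changing and swapping categories. (Move the mouse over the arrow beside a software icon in the main window to pop up the category window. Right-click a software icon in the category window and choose from the shortcut menu that appears.)
4 Custom categories: You can define your own categories.
〖Cracking tools〗: TRW1.22 (Wawa modified edition), OllyDbgV1.09, WdasmV10.0
〖Author's statement〗: I am a beginner at cracking; this is for study and exchange only. Please point out any mistakes.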
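【Brief process】:
Username: ShenGe[BCG]
Machine code: 4618407
Trial code: 12345678
I haven't been on the forum for a long time and noticed there are few crack write-ups; probably everyone is too busy. I took some time to find two simple programs and am posting the process to liven things up. Experts, please don't laugh!
No packer, written in VB!
OD's breakpoints don't work very well here, so first intercept with bpx hmemcpy in TRW, then load the program into OD for analysis.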
* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
                                |
:0044E577 FF1518104000          Call dword ptr [00401018]
:0044E57D C745FC0D000000        mov [ebp-04], 0000000D
:0044E584 6828434600            push 00464328
:0044E589 8D4DD8                lea ecx, dword ptr [ebp-28]
:0044E58C 51                    push ecx
* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
                                |
:0044E58D FF153C114000          Call dword ptr [0040113C]
:0044E593 50                    push eax                         <===eax="4618407", the machine code
* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
                                |
:0044E594 FF1514124000          Call dword ptr [00401214]        <===the machine code is converted from string form to numeric form
:0044E59A DD9D44FFFFFF          fstp qword ptr [ebp+FFFFFF44]    <===the value 4618407 is stored in [ebp+FFFFFF44]
:0044E5A0 6838434600            push 00464338
:0044E5A5 8D55DC                lea edx, dword ptr [ebp-24]
:0044E5A8 52                    push edx
* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
                                |
:0044E5A9 FF153C114000          Call dword ptr [0040113C]
:0044E5AF 50                    push eax                         <===eax="12345678", fetches the fake code that was entered
* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
                                |
:0044E5B0 FF1514124000          Call dword ptr [00401214]        <===see the note above
:0044E5B6 DC25F0304000          fsub qword ptr [004030F0]        <===[004030F0] holds the constant 1978, the author's birthday?
                                                                     This operation is equivalent to sub st0,[004030F0], i.e.
                                                                     12345678-1978=12343700
:0044E5BC 833D0040460000        cmp dword ptr [00464000], 00000000   <===[00464000]: where does this value come from, and what is it for? I did not trace it!
:0044E5C3 7508                  jne 0044E5CD
:0044E5C5 DC35E8304000          fdiv qword ptr [004030E8]        <===[004030E8] holds the constant 983; this operation is
                                                                     12343700 div 983=12557.171922685657600
:0044E5CB EB11                  jmp 0044E5DE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E5C3(C)
|
:0044E5CD FF35EC304000          push dword ptr [004030EC]
:0044E5D3 FF35E8304000          push dword ptr [004030E8]
* Reference To: MSVBVM60._adj_fdiv_m64, Ord:0000h
                                |
:0044E5D9 E8E653FBFF            Call 004039C4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E5CB(U)
|
:0044E5DE DFE0                  fstsw ax                         <===saves the value of the status word into ax
:0044E5E0 A80D                  test al, 0D                      <===what is this check for?
:0044E5E2 0F85F4060000          jne 0044ECDC
* Reference To: MSVBVM60.__vbaFpR8, Ord:0000h
                                |
:0044E5E8 FF15A0104000          Call dword ptr [004010A0]        <===data type conversion
:0044E5EE DD9D04FFFFFF          fstp qword ptr [ebp+FFFFFF04]
:0044E5F4 DD8544FFFFFF          fld qword ptr [ebp+FFFFFF44]     <===[ebp+FFFFFF44] holds the machine code in numeric form;
                                                                     this instruction is equivalent to mov st0,[ebp+FFFFFF44]
* Reference To: MSVBVM60.__vbaFpR8, Ord:0000h
                                |
:0044E5FA FF15A0104000          Call dword ptr [004010A0]
:0044E600 DC9D04FFFFFF          fcomp qword ptr [ebp+FFFFFF04]   <===equivalent to CMP st0,[ebp+FFFFFF04];
                                                                     [ebp+FFFFFF04] holds the difference from above, 12557,
                                                                     st0 holds the machine code in numeric form, 4618407
:0044E606 DFE0                  fstsw ax
:0044E608 F6C440                test ah, 40
:0044E60B 740C                  je 0044E619                      <===the key jump
:0044E60D C78500FFFFFF01000000  mov dword ptr [ebp+FFFFFF00], 00000001   <===sets [ebp+FFFFFF00] to 1
:0044E617 EB0A                  jmp 0044E623
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E60B(C)
|
:0044E619 C78500FFFFFF00000000  mov dword ptr [ebp+FFFFFF00], 00000000   <===sets [ebp+FFFFFF00] to 0; the twin of the one above
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E617(U)
|
:0044E623 8B8500FFFFFF          mov eax, dword ptr [ebp+FFFFFF00]
:0044E629 F7D8                  neg eax
:0044E62B 66898540FFFFFF        mov word ptr [ebp+FFFFFF40], ax
:0044E632 8D4DD8                lea ecx, dword ptr [ebp-28]
:0044E635 51                    push ecx
:0044E636 8D55DC                lea edx, dword ptr [ebp-24]
:0044E639 52                    push edx
:0044E63A 6A02                  push 00000002
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
                                |
:0044E63C FF1588114000          Call dword ptr [00401188]
:0044E642 83C40C                add esp, 0000000C
:0044E645 0FBF8540FFFFFF        movsx eax, word ptr [ebp+FFFFFF40]
:0044E64C 85C0                  test eax, eax
:0044E64E 0F8411050000          je 0044EB65                      <===for a patch, this spot would also have to be changed; if it jumps, hmph, :(
:0044E654 C745FC0E000000        mov [ebp-04], 0000000E
:0044E65B C7459804000280        mov [ebp-68], 80020004
:0044E662 C745900A000000        mov [ebp-70], 0000000A
:0044E669 C745A804000280        mov [ebp-58], 80020004
:0044E670 C745A00A000000        mov [ebp-60], 0000000A
:0044E677 C745B804000280        mov [ebp-48], 80020004
:0044E67E C745B00A000000        mov [ebp-50], 0000000A
:0044E685 C7458830074100        mov [ebp-78], 00410730
:0044E68C C7458008000000        mov [ebp-80], 00000008
:0044E693 8D5580                lea edx, dword ptr [ebp-80]
:0044E696 8D4DC0                lea ecx, dword ptr [ebp-40]
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                |
:0044E699 FF15AC114000          Call dword ptr [004011AC]
:0044E69F 8D4D90                lea ecx, dword ptr [ebp-70]
:0044E6A2 51                    push ecx
:0044E6A3 8D55A0                lea edx, dword ptr [ebp-60]
:0044E6A6 52                    push edx
:0044E6A7 8D45B0                lea eax, dword ptr [ebp-50]
:0044E6AA 50                    push eax
:0044E6AB 6A00                  push 00000000
:0044E6AD 8D4DC0                lea ecx, dword ptr [ebp-40]
:0044E6B0 51                    push ecx
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
                                |
:0044E6B1 FF157C104000          Call dword ptr [0040107C]        <===registration succeeded!
:0044E6B7 8D5590                lea edx, dword ptr [ebp-70]
:0044E6BA 52                    push edx
:0044E6BB 8D45A0                lea eax, dword ptr [ebp-60]
:0044E6BE 50                    push eax
:0044E6BF 8D4DB0                lea ecx, dword ptr [ebp-50]
...........(omitted)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E64E(C)
|
:0044EB65 C745FC16000000        mov [ebp-04], 00000016
:0044EB6C C7459804000280        mov [ebp-68], 80020004
:0044EB73 C745900A000000        mov [ebp-70], 0000000A
:0044EB7A C745A804000280        mov [ebp-58], 80020004
:0044EB81 C745A00A000000        mov [ebp-60], 0000000A
:0044EB88 C745B804000280        mov [ebp-48], 80020004
:0044EB8F C745B00A000000        mov [ebp-50], 0000000A
:0044EB96 C7458884074100        mov [ebp-78], 00410784
:0044EB9D C7458008000000        mov [ebp-80], 00000008
:0044EBA4 8D5580                lea edx, dword ptr [ebp-80]
:0044EBA7 8D4DC0                lea ecx, dword ptr [ebp-40]
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                |
:0044EBAA FF15AC114000          Call dword ptr [004011AC]
:0044EBB0 8D4D90                lea ecx, dword ptr [ebp-70]
:0044EBB3 51                    push ecx
:0044EBB4 8D55A0                lea edx, dword ptr [ebp-60]
:0044EBB7 52                    push edx
:0044EBB8 8D45B0                lea eax, dword ptr [ebp-50]
:0044EBBB 50                    push eax
:0044EBBC 6A00                  push 00000000
:0044EBBE 8D4DC0                lea ecx, dword ptr [ebp-40]
:0044EBC1 51                    push ecx
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
                                |
:0044EBC2 FF157C104000          Call dword ptr [0040107C]        <===registration failed!
:0044EBC8 8D5590                lea edx, dword ptr [ebp-70]
:0044EBCB 52                    push edx
:0044EBCC 8D45A0                lea eax, dword ptr [ebp-60]
:0044EBCF 50                    push eax
:0044EBD0 8D4DB0                lea ecx, dword ptr [ebp-50]
:0044EBD3 51                    push ecx
:0044EBD4 8D55C0                lea edx, dword ptr [ebp-40]
:0044EBD7 52                    push edx
:0044EBD8 6A04                  push 00000004
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
                                |
:0044EBDA FF1528104000          Call dword ptr [00401028]
:0044EBE0 83C414                add esp, 00000014
:0044EBE3 C745FC17000000        mov [ebp-04], 00000017
:0044EBEA 8B4508                mov eax, dword ptr [ebp+08]
:0044EBED 8B08                  mov ecx, dword ptr [eax]
:0044EBEF 8B5508                mov edx, dword ptr [ebp+08]
:0044EBF2 52                    push edx
:0044EBF3 FF9110030000          call dword ptr [ecx+00000310]
:0044EBF9 50                    push eax
:0044EBFA 8D45D0                lea eax, dword ptr [ebp-30]
:0044EBFD 50                    push eax
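【Summary】: This program's algorithm is really simple; it only involves floating-point arithmetic, which makes it well suited for beginners to practise on and get familiar with floating-point operations. For details on floating-point operations, see the forum's collection of featured posts.
The registration code is unrelated to the username; it only needs to satisfy the expression (n-1978)/983 = machine code (n is the registration code).
For example, my registration code is: 4618407*983+1987=4539896059
The software stores the registration information in the registry under "HKEY_LOCAL_MACHINE\Software\hayuguang".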
Cracked By ShenGe[BCG] 2003.7.31
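
An added example, not part of the original post: a C model of the two `fstsw ax` tests in the listing above (`test al, 0D` at 0044E5E0 and `test ah, 40` at 0044E608), using the standard x87 status-word layout. The function names are hypothetical; the sample values in `main` are the machine code and trial code quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>

/* x87 status-word bits (standard layout; AL = bits 0-7, AH = bits 8-15). */
#define SW_IE 0x0001u /* invalid operation */
#define SW_ZE 0x0004u /* divide by zero    */
#define SW_OE 0x0008u /* numeric overflow  */
#define SW_C0 0x0100u
#define SW_C2 0x0400u
#define SW_C3 0x4000u /* bit 6 of AH, i.e. the 0x40 mask in "test ah, 40" */

/* Condition codes that FCOM/FCOMP leave in the status word for ST(0) vs src. */
uint16_t fcomp_status(double st0, double src)
{
    if (st0 != st0 || src != src)          /* NaN operand: unordered */
        return SW_C3 | SW_C2 | SW_C0 | SW_IE;
    if (st0 > src) return 0;
    if (st0 < src) return SW_C0;
    return SW_C3;                          /* equal */
}

/* "fstsw ax / test al, 0D / jne": mask 0x0D = IE | ZE | OE, so the jne is
   taken when the preceding FPU operation flagged one of those exceptions. */
int fault_branch_taken(uint16_t sw)
{
    return (sw & (SW_IE | SW_ZE | SW_OE)) != 0;
}

/* "fstsw ax / test ah, 40 / je", then "neg eax / mov word": C3 set stores 1,
   negated to -1 (0xFFFF); C3 clear stores 0. Unordered also sets C3. */
int16_t compare_result(uint16_t sw)
{
    return (int16_t)-((sw & SW_C3) ? 1 : 0);
}

int main(void)
{
    double machine = 4618407.0;                     /* machine code from the post */
    double derived = (12345678.0 - 1978.0) / 983.0; /* trial code after fsub, fdiv */
    uint16_t sw = fcomp_status(machine, derived);
    printf("status=0x%04X fault=%d result=%d\n",
           (unsigned)sw, fault_branch_taken(sw), compare_result(sw));
    return 0;
}
```

With the post's trial code the comparison leaves C3 clear, so the stored word is 0 and `je 0044EB65` goes to the failure message box.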