hanami1005

标题：hanami1005破解手记　　
作者：独孤求胜
时间：2003/08/19 08:45pm
链接：http://bbs.pediy.com

软件下载地址：http://www.pchome.net/dld/download.php?url=themes/hanami1005.zip
软件大小： 737 KB
软件语言：英文
软件类别：共享版
应用平台： Win9x/NT/2000/
【软件简介】：用途：可爱的桌面玩具、它可在桌面顶端放置漂亮的樱花树、而让树叶飘落、相当富含诗意，而程序提供多组花色供选择、并可调整落叶的方式及风量的大小。
【软件限制】：NAG +功能限制

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：Ollydbg，W32Dasm

—————————————————————————————————
【过程】：
试练码
注册名：weifeng
关键字：203
注册码：12345678

:00406DE1 689C084100 push 0041089C
:00406DE6 E8650E0000 call 00407C50 //假码后面加上关键字的第一位2，变成123456782
:00406DEB 83C408 add esp, 00000008
:00406DEE E835FEFFFF call 00406C28 //关键CALL，跟入
:00406DF3 85C0 test eax, eax
:00406DF5 7518 jne 00406E0F //不跳就OVER
:00406DF7 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Error"
|
:00406DF9 68D80F4100 push 00410FD8

* Possible StringData Ref from Data Obj ->"The registration code entered "
->"is not correct"
| //BAD BOY！
:00406DFE 68E00F4100 push 00410FE0
:00406E03 8B4D08 mov ecx, dword ptr [ebp+08]
:00406E06 51 push ecx

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00406E07 FF1510E24000 Call dword ptr [0040E210]
:00406E0D EB5A jmp 00406E69

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406DF5(C)
|

* Possible Reference to String Resource ID=00001: "Hanami"
|
:00406E0F C7052C20410001000000 mov dword ptr [0041202C], 00000001

* Possible StringData Ref from Data Obj ->" "
|
:00406E19 689C084100 push 0041089C
:00406E1E 68C81F4100 push 00411FC8
:00406E23 E8AEFCFFFF call 00406AD6
:00406E28 83C408 add esp, 00000008
:00406E2B 85C0 test eax, eax
:00406E2D 7418 je 00406E47
:00406E2F 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Registration successful"
|
:00406E31 6810104100 push 00411010

* Possible StringData Ref from Data Obj ->"Registration data saved ok, thank "
->"you for registering!"
| //Good Job
:00406E36 6828104100 push 00411028
--------------------------------------关键CALL↓（下面的代码在OD调试中复制出来，而上面的是W32DASM反汇编所得）
00406C28 /$ 55 PUSH EBP
00406C29 |. 8BEC MOV EBP,ESP
00406C2B |. 83EC 14 SUB ESP,14
00406C2E |. 68 34204100 PUSH HANAMI.00412034
00406C33 |. 68 9C084100 PUSH HANAMI.0041089C ; ASCII "123456782"
00406C38 |. E8 43120000 CALL HANAMI.00407E80
00406C3D |. 83C4 08 ADD ESP,8
00406C40 |. 85C0 TEST EAX,EAX
00406C42 |. 75 07 JNZ SHORT HANAMI.00406C4B
00406C44 |. 33C0 XOR EAX,EAX
00406C46 |. E9 BF000000 JMP HANAMI.00406D0A
00406C4B |> 68 9C084100 PUSH HANAMI.0041089C ; ASCII "123456782"
00406C50 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00406C53 |. 50 PUSH EAX
00406C54 |. E8 E70F0000 CALL HANAMI.00407C40
00406C59 |. 83C4 08 ADD ESP,8
00406C5C |. 8A4D F6 MOV CL,BYTE PTR SS:[EBP-A] //cl=SS:[EBP-A]=37 (7的ASCII码,假码第7位)
00406C5F |. 884D EC MOV BYTE PTR SS:[EBP-14],CL //SS:[EBP-14]=CL=37
00406C62 |. C645 F6 00 MOV BYTE PTR SS:[EBP-A],0
00406C66 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10] //EDX= SS:[EBP-10]=123456
00406C69 |. 52 PUSH EDX //EDX=123456入栈
00406C6A |. E8 72130000 CALL HANAMI.00407FE1 //此CALL的主要作用应该就是将123456转为16进数存入EAX
00406C6F |. 83C4 04 ADD ESP,4
00406C72 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX //SS:[EBP-4]=EAX=1E240（123456的16进数）
00406C75 |. 0FBE45 EC MOVSX EAX,BYTE PTR SS:[EBP-14] //EAX=SS:[EBP-14]=37
00406C79 |. 8B0C85 3000410>MOV ECX,DWORD PTR DS:[EAX*4+410030] //ECX=DS:[EAX*4+410030]=72292（10进制为467602）
//将DWORD PTR DS:[EAX*4+410030]改成1E240，12345678就变成万能注册码，改后的代码看后面
00406C80 |. 3B4D FC CMP ECX,DWORD PTR SS:[EBP-4] //将72292与1E240 比较（所以注册码为46760278）
00406C83 |. 75 07 JNZ SHORT HANAMI.00406C8C 相等就成功了
00406C85 |. B8 01000000 MOV EAX,1
---------晕了，不行的话还在下面作同样的比较，呵呵~~一共三处
00406C8A |. EB 7E JMP SHORT HANAMI.00406D0A
00406C8C |> 68 9C084100 PUSH HANAMI.0041089C ; ASCII "123456782"
00406C91 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00406C94 |. 52 PUSH EDX
00406C95 |. E8 A60F0000 CALL HANAMI.00407C40
00406C9A |. 83C4 08 ADD ESP,8
00406C9D |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00406CA0 |. 50 PUSH EAX
00406CA1 |. E8 E4130000 CALL HANAMI.0040808A
00406CA6 |. 83C4 04 ADD ESP,4
00406CA9 |. 8A4D F6 MOV CL,BYTE PTR SS:[EBP-A]
00406CAC |. 884D EC MOV BYTE PTR SS:[EBP-14],CL
00406CAF |. C645 F6 00 MOV BYTE PTR SS:[EBP-A],0
00406CB3 |. 0FBE55 EC MOVSX EDX,BYTE PTR SS:[EBP-14]
00406CB7 |. 8B0495 3000410>MOV EAX,DWORD PTR DS:[EDX*4+410030]
00406CBE |. 3B45 FC CMP EAX,DWORD PTR SS:[EBP-4]
00406CC1 |. 75 07 JNZ SHORT HANAMI.00406CCA
00406CC3 |. B8 01000000 MOV EAX,1
00406CC8 |. EB 40 JMP SHORT HANAMI.00406D0A
00406CCA |> 68 9C084100 PUSH HANAMI.0041089C ; ASCII "123456782"
00406CCF |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00406CD2 |. 51 PUSH ECX
00406CD3 |. E8 680F0000 CALL HANAMI.00407C40
00406CD8 |. 83C4 08 ADD ESP,8
00406CDB |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00406CDE |. 52 PUSH EDX
00406CDF |. E8 08130000 CALL HANAMI.00407FEC
00406CE4 |. 83C4 04 ADD ESP,4
00406CE7 |. 8A45 F6 MOV AL,BYTE PTR SS:[EBP-A]
00406CEA |. 8845 EC MOV BYTE PTR SS:[EBP-14],AL
00406CED |. C645 F6 00 MOV BYTE PTR SS:[EBP-A],0
00406CF1 |. 0FBE4D EC MOVSX ECX,BYTE PTR SS:[EBP-14]
00406CF5 |. 8B148D 3000410>MOV EDX,DWORD PTR DS:[ECX*4+410030]
00406CFC |. 3B55 FC CMP EDX,DWORD PTR SS:[EBP-4]
00406CFF |. 75 07 JNZ SHORT HANAMI.00406D08
------------------------------------------
【注册码改法】
将
00406C79 MOV ECX,DWORD PTR DS:[EAX*4+410030]
变成以下代码就能将12345678变成万能注册码了，不影响你用真码注册，因为三个比较一样的
00406C79 B9 40E20100 MOV ECX,1E240
00406C7E 90 NOP
00406C7F 90 NOP
-----------------------------------------
【注册码】
好像与用户名无关，有一个不明的地方就是DWORD PTR DS:[EAX*4+410030]里的数，不知道怎么得来
用户名：任意一个
关键字：任意一个
注册码：46760278
---------------------------
加上我的汉化补丁：)
补丁下载地址：http://www.jxlb.com/non-cgi//usr/19/19_1412.rar