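Software download URL: http://www.pchome.net/dld/download.php?url=themes/hanami1005.zip
Size: 737 KB
Language: English
License type: Shareware
Platform: Win9x/NT/2000/
【Description】: Purpose: a cute desktop toy. It places a pretty cherry tree along the top of the desktop and lets the leaves drift down, which is quite poetic. The program offers several color sets to choose from and lets you adjust how the leaves fall and how strong the wind is.
【Restrictions】: NAG + feature limits
【Author's statement】: I am new to cracking and am only doing this out of interest, with no other purpose. Please point out any mistakes!
【Tools】: Ollydbg, W32Dasm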
—————————————————————————————————
【Process】:
Test values
Registration name: weifeng
Keyword: 203
Registration code: 12345678
:00406DE1 689C084100              push 0041089C
:00406DE6 E8650E0000              call 00407C50    // appends the first digit of the keyword (2) to the test code, giving 123456782
:00406DEB 83C408                  add esp, 00000008
:00406DEE E835FEFFFF              call 00406C28    // key CALL, step into it
:00406DF3 85C0                    test eax, eax
:00406DF5 7518                    jne 00406E0F     // if this jump is not taken, it's over
:00406DF7 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Error"
                                  |
:00406DF9 68D80F4100              push 00410FD8

* Possible StringData Ref from Data Obj ->"The registration code entered "
                                        ->"is not correct"
                                  |                // BAD BOY!
:00406DFE 68E00F4100              push 00410FE0
:00406E03 8B4D08                  mov ecx, dword ptr [ebp+08]
:00406E06 51                      push ecx

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:00406E07 FF1510E24000            Call dword ptr [0040E210]
:00406E0D EB5A                    jmp 00406E69

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406DF5(C)
|
* Possible Reference to String Resource ID=00001: "Hanami"
                                  |
:00406E0F C7052C20410001000000    mov dword ptr [0041202C], 00000001

* Possible StringData Ref from Data Obj ->" "
                                  |
:00406E19 689C084100              push 0041089C
:00406E1E 68C81F4100              push 00411FC8
:00406E23 E8AEFCFFFF              call 00406AD6
:00406E28 83C408                  add esp, 00000008
:00406E2B 85C0                    test eax, eax
:00406E2D 7418                    je 00406E47
:00406E2F 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Registration successful"
                                  |
:00406E31 6810104100              push 00411010

* Possible StringData Ref from Data Obj ->"Registration data saved ok, thank "
                                        ->"you for registering!"
                                  |                // Good Job
:00406E36 6828104100              push 00411028
-------------------------------------- Key CALL ↓ (the code below was copied from the OD debugging session, whereas the code above is W32DASM disassembly output)
00406C28 /$ 55             PUSH EBP
00406C29 |. 8BEC           MOV EBP,ESP
00406C2B |. 83EC 14        SUB ESP,14
00406C2E |. 68 34204100    PUSH HANAMI.00412034
00406C33 |. 68 9C084100    PUSH HANAMI.0041089C              ; ASCII "123456782"
00406C38 |. E8 43120000    CALL HANAMI.00407E80
00406C3D |. 83C4 08        ADD ESP,8
00406C40 |. 85C0           TEST EAX,EAX
00406C42 |. 75 07          JNZ SHORT HANAMI.00406C4B
00406C44 |. 33C0           XOR EAX,EAX
00406C46 |. E9 BF000000    JMP HANAMI.00406D0A
00406C4B |> 68 9C084100    PUSH HANAMI.0041089C              ; ASCII "123456782"
00406C50 |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
00406C53 |. 50             PUSH EAX
00406C54 |. E8 E70F0000    CALL HANAMI.00407C40
00406C59 |. 83C4 08        ADD ESP,8
00406C5C |. 8A4D F6        MOV CL,BYTE PTR SS:[EBP-A]
            // CL = SS:[EBP-A] = 37 (ASCII code of '7', the 7th character of the test code)
00406C5F |. 884D EC        MOV BYTE PTR SS:[EBP-14],CL
            // SS:[EBP-14] = CL = 37
00406C62 |. C645 F6 00     MOV BYTE PTR SS:[EBP-A],0
00406C66 |. 8D55 F0        LEA EDX,DWORD PTR SS:[EBP-10]
            // EDX points to SS:[EBP-10] = "123456"
00406C69 |. 52             PUSH EDX
            // push EDX ("123456") onto the stack
00406C6A |. E8 72130000    CALL HANAMI.00407FE1
            // the main job of this CALL appears to be converting 123456 to a number (hex) stored in EAX
00406C6F |. 83C4 04        ADD ESP,4
00406C72 |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
            // SS:[EBP-4] = EAX = 1E240 (123456 in hex)
00406C75 |. 0FBE45 EC      MOVSX EAX,BYTE PTR SS:[EBP-14]
            // EAX = SS:[EBP-14] = 37
00406C79 |. 8B0C85 3000410>MOV ECX,DWORD PTR DS:[EAX*4+410030]
            // ECX = DS:[EAX*4+410030] = 72292 (467602 in decimal)
            // changing DWORD PTR DS:[EAX*4+410030] to 1E240 turns 12345678 into a universal registration code; the modified code is shown further below
00406C80 |. 3B4D FC        CMP ECX,DWORD PTR SS:[EBP-4]
            // compares 72292 with 1E240 (so the registration code is 46760278)
00406C83 |. 75 07          JNZ SHORT HANAMI.00406C8C
            // if they are equal, registration succeeds
00406C85 |. B8 01000000    MOV EAX,1
            // --------- if that fails, the same comparison is made again below, heh; three places in total
00406C8A |. EB 7E          JMP SHORT HANAMI.00406D0A
00406C8C |> 68 9C084100    PUSH HANAMI.0041089C              ; ASCII "123456782"
00406C91 |. 8D55 F0        LEA EDX,DWORD PTR SS:[EBP-10]
00406C94 |. 52             PUSH EDX
00406C95 |. E8 A60F0000    CALL HANAMI.00407C40
00406C9A |. 83C4 08        ADD ESP,8
00406C9D |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
00406CA0 |. 50             PUSH EAX
00406CA1 |. E8 E4130000    CALL HANAMI.0040808A
00406CA6 |. 83C4 04        ADD ESP,4
00406CA9 |. 8A4D F6        MOV CL,BYTE PTR SS:[EBP-A]
00406CAC |. 884D EC        MOV BYTE PTR SS:[EBP-14],CL
00406CAF |. C645 F6 00     MOV BYTE PTR SS:[EBP-A],0
00406CB3 |. 0FBE55 EC      MOVSX EDX,BYTE PTR SS:[EBP-14]
00406CB7 |. 8B0495 3000410>MOV EAX,DWORD PTR DS:[EDX*4+410030]
00406CBE |. 3B45 FC        CMP EAX,DWORD PTR SS:[EBP-4]
00406CC1 |. 75 07          JNZ SHORT HANAMI.00406CCA
00406CC3 |. B8 01000000    MOV EAX,1
00406CC8 |. EB 40          JMP SHORT HANAMI.00406D0A
00406CCA |> 68 9C084100    PUSH HANAMI.0041089C              ; ASCII "123456782"
00406CCF |. 8D4D F0        LEA ECX,DWORD PTR SS:[EBP-10]
00406CD2 |. 51             PUSH ECX
00406CD3 |. E8 680F0000    CALL HANAMI.00407C40
00406CD8 |. 83C4 08        ADD ESP,8
00406CDB |. 8D55 F0        LEA EDX,DWORD PTR SS:[EBP-10]
00406CDE |. 52             PUSH EDX
00406CDF |. E8 08130000    CALL HANAMI.00407FEC
00406CE4 |. 83C4 04        ADD ESP,4
00406CE7 |. 8A45 F6        MOV AL,BYTE PTR SS:[EBP-A]
00406CEA |. 8845 EC        MOV BYTE PTR SS:[EBP-14],AL
00406CED |. C645 F6 00     MOV BYTE PTR SS:[EBP-A],0
00406CF1 |. 0FBE4D EC      MOVSX ECX,BYTE PTR SS:[EBP-14]
00406CF5 |. 8B148D 3000410>MOV EDX,DWORD PTR DS:[ECX*4+410030]
00406CFC |. 3B55 FC        CMP EDX,DWORD PTR SS:[EBP-4]
00406CFF |. 75 07          JNZ SHORT HANAMI.00406D08
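------------------------------------------
【Registration code modification】
Changing
00406C79 MOV ECX,DWORD PTR DS:[EAX*4+410030]
to the following code turns 12345678 into a universal registration code. It does not affect registering with the real code, because the three comparisons are the same.
00406C79 B9 40E20100 MOV ECX,1E240
00406C7E 90 NOP
00406C7F 90 NOP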
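-----------------------------------------
【Registration code】
It seems to be unrelated to the user name. One thing I don't understand is the number in DWORD PTR DS:[EAX*4+410030]; I don't know how it is derived.
User name: any
Keyword: any
Registration code: 46760278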
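The first comparison traced in the key CALL, restated in C as an added reading aid (not code from the original post or from the program): it shows that the registration name is never an input to the check and that the expected value is read directly from static data in the binary. The function name, the roles assigned to CALL 00407C40 (string copy) and CALL 00407FE1 (decimal string to integer), and every table entry other than the one for '7' are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the dword table at 0x410030. Only the entry for
 * '7' (0x37 -> 0x72292) comes from the page's trace; the others are unknown
 * and left as zero here. */
static const int32_t table_410030[128] = { ['7'] = 0x72292 };

/* Model of the first comparison in 00406C28 (hypothetical function name).
 * buf is the entered code with the first keyword digit already appended by
 * the caller at 00406DE6. The preliminary CALL 00407E80 is not modelled
 * because the page does not show what it does. Returns 1 on match. */
int check_first_compare(const char *buf)
{
    char local[16];                    /* buffer at [EBP-10] */
    size_t len = strlen(buf);

    if (len < 7 || len >= sizeof local)
        return 0;                      /* guard added for this model only */
    memcpy(local, buf, len + 1);       /* CALL 00407C40, assumed string copy */

    unsigned char selector = (unsigned char)local[6];  /* MOV CL,[EBP-A] */
    local[6] = '\0';                   /* MOV BYTE PTR [EBP-A],0 */
    int32_t entered = atoi(local);     /* CALL 00407FE1, assumed atoi-like */

    if (selector >= 128)
        return 0;                      /* keep the model's table in bounds */
    /* MOV ECX,[EAX*4+410030] / CMP ECX,[EBP-4]: no name input anywhere */
    return table_410030[selector] == entered;
}

int main(void)
{
    /* Both inputs are the values used on the page, plus keyword digit 2. */
    printf("123456782 -> %d\n", check_first_compare("123456782"));
    printf("467602782 -> %d\n", check_first_compare("467602782"));
    return 0;
}
```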
---------------------------
Plus my Chinese localization patch :)
Patch download URL: http://www.jxlb.com/non-cgi//usr/19/19_1412.rar