【软件名称】: WindowBlinds V3.5 Enhanced
【软件语言】: 英文
【软件类别】: 国外软件 / 共享版 / 桌面工具
【应用平台】: Win9x/NT/2000/XP
【开 发 商】: http://www.stardock.com/
【软件介绍】:
这个软件除了可以让你使用 BMP 图形作为程序的背景底图之外,还可以让 Windows 中所有程序的窗口标题条 (Titlebar) 变成麦金塔电脑 Mac OS8 或是 BeOS 的样子,而你也可以将 Windows 95 的窗口标题条 (Titlebar) 弄成像 Windows 98 一样的渐层显示,渐层的颜色还可以自订,标题条的文字可让你放在中间而不是预设的左边。另外各位可以发现现在一般的新软件,其工具条的按钮形式都已改成「浮动式」的,也就是当鼠标移到按钮上时它会浮起来,比较美观而且有立体感,但仍有一些软件(如 ACDSee、NetTerm)依旧是旧式的按钮形式,你只要用这个软件就能够将它们都改成「浮动式」的按钮喔!其他还有许多功能,譬如可让桌面 icon 的文字底色变成透明……等等,在此不多叙述,各位自己抓回来玩看看吧!
【作 者】: cyclotron[BCG][DFCG][FCG][OCN]
【破解过程】:下断点GetWindowTextA,来到下面的地方:(以下代码使用Softice抓取的,W32Dasm似乎对Wload.exe反汇编无效)
【第一部分】:追踪用户名无关注册码!
代码:
017F:0040ED69 MOV EBX,0040A660 017F:0040ED6E LEA ECX,[EBP-4C] 017F:0040ED71 PUSH EBX 017F:0040ED72 CALL 00428F0E 017F:0040ED77 PUSH 0040A658 017F:0040ED7C LEA ECX,[EBP-4C] 017F:0040ED7F CALL 00428F0E 017F:0040ED84 PUSH DWORD PTR [ESI+5C] 017F:0040ED87 LEA ECX,[EBP-4C] 017F:0040ED8A CALL 00428F0E 017F:0040ED8F PUSH EBX 017F:0040ED90 LEA ECX,[EBP-4C] 017F:0040ED93 CALL 00428F0E 017F:0040ED98 LEA ECX,[EBP-4C] 017F:0040ED9B CALL 004290CB 017F:0040EDA0 PUSH 0040A64C /* 黑名单wb-g1de774入栈 */ 017F:0040EDA5 PUSH DWORD PTR [EDI] /* 试炼码入栈 */ 017F:0040EDA7 CALL 00417870 017F:0040EDAC POP ECX 017F:0040EDAD TEST EAX,EAX 017F:0040EDAF POP ECX 017F:0040EDB0 JNZ 0040EDD3 017F:0040EDB2 PUSH 10 017F:0040EDB4 PUSH 0040A634 017F:0040EDB9 PUSH 0040A5C0 017F:0040EDBE PUSH 0040A5B8 017F:0040EDC3 PUSH 0040A5B0 017F:0040EDC8 CALL 0040F4A2 017F:0040EDCD PUSH EAX 017F:0040EDCE JMP 0040F190 017F:0040EDD3 LEA EAX,[EBP-18] 017F:0040EDD6 PUSH 03 017F:0040EDD8 PUSH EAX 017F:0040EDD9 MOV ECX,EDI 017F:0040EDDB CALL 00423811 017F:0040EDE0 PUSH 0040A5AC 017F:0040EDE5 PUSH DWORD PTR [EAX] 017F:0040EDE7 CALL 00417870 /* 比较序列号前三位是否为WB- */ 017F:0040EDEC POP ECX 017F:0040EDED POP ECX 017F:0040EDEE TEST EAX,EAX 017F:0040EDF0 LEA ECX,[EBP-18] 017F:0040EDF3 SETNZ BL 017F:0040EDF6 CALL 00428901 017F:0040EDFB TEST BL,BL 017F:0040EDFD JZ 0040EE4C /* 比较结果一致就跳,目的地是用户名相关注册码的验证部分(见第二部分),但经我尝试,这里假如不跳,只要下面的关键call返回值为1,也能注册成功 */ 017F:0040EDFF PUSH ECX 017F:0040EE00 MOV ECX,ESP 017F:0040EE02 MOV [EBP-1C],ESP 017F:0040EE05 PUSH EDI 017F:0040EE06 CALL 00428676 017F:0040EE0B CALL 00410E1C /* 关键call,追入 */ 017F:0040EE10 TEST EAX,EAX 017F:0040EE12 JZ 0040EDB2 /* 关键跳转 */ 017F:0040EE14 MOV EAX,0040A5A4 017F:0040EE19 PUSH 40 017F:0040EE1B PUSH EAX 017F:0040EE1C PUSH 0040A56C 017F:0040EE21 PUSH EAX 017F:0040EE22 PUSH 0040A5B0 017F:0040EE27 CALL 0040F4A2 017F:0040EE2C PUSH EAX 017F:0040EE2D MOV ECX,ESI 017F:0040EE2F CALL 00425ECA 017F:0040EE34 PUSH 40 017F:0040EE36 PUSH 0040A54C 017F:0040EE3B PUSH 0040A4C4 017F:0040EE40 MOV ECX,ESI 
017F:0040EE42 CALL 00425ECA 017F:0040EE47 JMP 0040F1D5 017F:0040EE4C LEA EAX,[EBP-014C] 017F:0040EE52 PUSH 0040A4C0 017F:0040EE57 PUSH EAX 017F:0040EE58 CALL 00417690 017F:0040EE5D PUSH DWORD PTR [ESI+5C] 017F:0040EE60 LEA EAX,[EBP-014C] 017F:0040EE66 PUSH EAX 017F:0040EE67 CALL 004176A0 ********************************************************** 关键CALL 00410E1C: 017F:00410E1C MOV EAX,0042F800 017F:00410E21 CALL 0041762C 017F:00410E26 SUB ESP,24 017F:00410E29 PUSH EBX 017F:00410E2A PUSH ESI 017F:00410E2B PUSH EDI 017F:00410E2C MOV EAX,[0040BE60] 017F:00410E31 XOR EDI,EDI 017F:00410E33 MOV [EBP-04],EDI 017F:00410E36 MOV [EBP-10],EAX 017F:00410E39 LEA EAX,[EBP+08] 017F:00410E3C LEA ECX,[EBP-10] 017F:00410E3F PUSH EAX 017F:00410E40 MOV BYTE PTR [EBP-04],01 017F:00410E44 CALL 004289EE 017F:00410E49 LEA ECX,[EBP-10] 017F:00410E4C CALL 00428D14 /* 这个call把注册码中的大写字母全部转换为小写字母 */ 017F:00410E51 LEA EAX,[EBP-14] 017F:00410E54 PUSH 02 017F:00410E56 PUSH EAX 017F:00410E57 LEA ECX,[EBP-10] 017F:00410E5A CALL 00423811 017F:00410E5F PUSH 0040B030 /* wb入栈 */ 017F:00410E64 PUSH DWORD PTR [EAX] /* 序列号前两位入栈 */ 017F:00410E66 CALL 00417870 /* 比较是否一致 */ 017F:00410E6B POP ECX 017F:00410E6C CMP EAX,EDI 017F:00410E6E POP ECX 017F:00410E6F LEA ECX,[EBP-14] 017F:00410E72 SETNZ BL 017F:00410E75 CALL 00428901 017F:00410E7A TEST BL,BL 017F:00410E7C JZ 00410E85 /* 序列号前两位是wb就跳 */ 017F:00410E7E XOR ESI,ESI 017F:00410E80 JMP 004110C1 017F:00410E85 PUSH 02 017F:00410E87 LEA EAX,[EBP-14] 017F:00410E8A PUSH 02 017F:00410E8C PUSH EAX 017F:00410E8D LEA ECX,[EBP-10] 017F:00410E90 CALL 004236FF 017F:00410E95 PUSH DWORD PTR [EAX] 017F:00410E97 CALL 0041797F /* 这是一个很关键的call,返回值eax */ 017F:00410E9C POP ECX 017F:00410E9D MOV [EBP-2C],EAX /* [ebp-2c]处是一个后面要用到的关键值。根据上面这个call,这个值取决于注册码的第四位,若第四位是数字i,则该处取值为dword[neg i];若第四位不是数字,则该处取值恒为dword 0 */ 017F:00410EA0 LEA ECX,[EBP-14] 017F:00410EA3 CALL 00428901 017F:00410EA8 MOV EAX,[0040BE60] 017F:00410EAD MOV [EBP-24],EAX 017F:00410EB0 MOV [EBP-20],EAX 017F:00410EB3 MOV 
[EBP-1C],EAX 017F:00410EB6 MOV [EBP-18],EAX 017F:00410EB9 PUSH 04 017F:00410EBB LEA EAX,[EBP-14] 017F:00410EBE POP ESI 017F:00410EBF LEA ECX,[EBP-10] 017F:00410EC2 PUSH ESI 017F:00410EC3 PUSH 05 017F:00410EC5 PUSH EAX 017F:00410EC6 MOV BYTE PTR [EBP-04],05 017F:00410ECA CALL 004236FF /* 分离注册码的第6至9位,字串地址送*eax */ 017F:00410ECF PUSH EAX 017F:00410ED0 LEA ECX,[EBP-24] 017F:00410ED3 MOV BYTE PTR [EBP-04],06 017F:00410ED7 CALL 004289EE 017F:00410EDC LEA ECX,[EBP-14] 017F:00410EDF MOV BYTE PTR [EBP-04],05 017F:00410EE3 CALL 00428901 017F:00410EE8 PUSH ESI 017F:00410EE9 LEA EAX,[EBP-14] 017F:00410EEC PUSH 0A 017F:00410EEE PUSH EAX 017F:00410EEF LEA ECX,[EBP-10] 017F:00410EF2 CALL 004236FF /* 分离注册码的第11至14位(如果有的话),字串地址送*eax */ 017F:00410EF7 PUSH EAX 017F:00410EF8 LEA ECX,[EBP-20] 017F:00410EFB MOV BYTE PTR [EBP-04],07 017F:00410EFF CALL 004289EE 017F:00410F04 LEA ECX,[EBP-14] 017F:00410F07 MOV BYTE PTR [EBP-04],05 017F:00410F0B CALL 00428901 017F:00410F10 PUSH ESI 017F:00410F11 LEA EAX,[EBP-14] 017F:00410F14 PUSH 0F 017F:00410F16 PUSH EAX 017F:00410F17 LEA ECX,[EBP-10] 017F:00410F1A CALL 004236FF /* 分离注册码的第16至19位(如果有的话),字串地址送*eax */ 017F:00410F1F PUSH EAX 017F:00410F20 LEA ECX,[EBP-1C] 017F:00410F23 MOV BYTE PTR [EBP-04],08 017F:00410F27 CALL 004289EE 017F:00410F2C LEA ECX,[EBP-14] 017F:00410F2F MOV BYTE PTR [EBP-04],05 017F:00410F33 CALL 00428901 017F:00410F38 PUSH ESI 017F:00410F39 LEA EAX,[EBP-28] 017F:00410F3C PUSH 14 017F:00410F3E PUSH EAX 017F:00410F3F LEA ECX,[EBP-10] 017F:00410F42 CALL 004236FF /* 分离注册码的第16至19位(如果有的话),字串地址送*eax */ 017F:00410F47 PUSH EAX 017F:00410F48 LEA ECX,[EBP-18] 017F:00410F4B MOV BYTE PTR [EBP-04],09 017F:00410F4F CALL 004289EE 017F:00410F54 LEA ECX,[EBP-28] 017F:00410F57 MOV BYTE PTR [EBP-04],05 017F:00410F5B CALL 00428901 017F:00410F60 MOV EAX,[0040BE60] 017F:00410F65 MOV [EBP-30],EAX 017F:00410F68 MOV EDX,[EBP-24] /* 取注册码6至9位字串的地址送edx */ 017F:00410F6B XOR ESI,ESI /* esi清零 */ 017F:00410F6D MOV EAX,[EDX-08] 017F:00410F70 TEST EAX,EAX 
017F:00410F72 JLE 00410F8E /* 长度大于零? */ 017F:00410F74 MOVSX ECX,BYTE PTR [EDX+ESI] /* 依次取字串的每一位送ecx */ 017F:00410F78 SUB ECX,30 /* ecx=ecx-30h */ 017F:00410F7B CMP ECX,09 017F:00410F7E JLE 00410F83 /* 小于等于9? */ 017F:00410F80 SUB ECX,27 /* 不满足就再减27h */ 017F:00410F83 LEA EDI,[EDI*8+EDI] /* edi=edi*9,edi初值为零 */ 017F:00410F86 INC ESI /* esi=esi+1 */ 017F:00410F87 CMP ESI,EAX /* 是否取完? */ 017F:00410F89 LEA EDI,[EDI*2+ECX] /* edi=edi*2+ecx,即最后取得的值送edi */ 017F:00410F8C JL 00410F74 /* 没取完则返回继续 */ 017F:00410F8E MOV EDX,[EBP-20] /* 取注册码11至14位字串的地址送edx */ 017F:00410F91 XOR ESI,ESI 017F:00410F93 XOR ECX,ECX 017F:00410F95 MOV [EBP-14],ESI 017F:00410F98 MOV EBX,[EDX-08] 017F:00410F9B TEST EBX,EBX 017F:00410F9D JLE 00410FC1 /* 没有这段字串就跳走,且[ebp-14]置零 */ 017F:00410F9F JMP 00410FA4 017F:00410FA1 MOV ESI,[EBP-14] 017F:00410FA4 MOVSX EAX,BYTE PTR [EDX+ECX] 017F:00410FA8 SUB EAX,30 017F:00410FAB CMP EAX,09 017F:00410FAE JLE 00410FB3 017F:00410FB0 SUB EAX,27 017F:00410FB3 LEA ESI,[ESI*8+ESI] 017F:00410FB6 INC ECX 017F:00410FB7 CMP ECX,EBX 017F:00410FB9 LEA EAX,[ESI*2+EAX] 017F:00410FBC MOV [EBP-14],EAX 017F:00410FBF JL 00410FA1 /* 以上代码取注册码11至14位字串进行运算(如果有的话),运算结果保存在[ebp-14] */ 017F:00410FC1 MOV EDX,[EBP-1C] /* 取注册码16至19位字串的地址送edx */ 017F:00410FC4 XOR ESI,ESI 017F:00410FC6 XOR ECX,ECX 017F:00410FC8 MOV EBX,[EDX-08] 017F:00410FCB TEST EBX,EBX 017F:00410FCD JLE 00410FE9 /* 没有这段字串就跳走,且esi置零 */ 017F:00410FCF MOVSX EAX,BYTE PTR [EDX+ECX] 017F:00410FD3 SUB EAX,30 017F:00410FD6 CMP EAX,09 017F:00410FD9 JLE 00410FDE 017F:00410FDB SUB EAX,27 017F:00410FDE LEA ESI,[ESI*8+ESI] 017F:00410FE1 INC ECX 017F:00410FE2 CMP ECX,EBX 017F:00410FE4 LEA ESI,[ESI*2+EAX] 017F:00410FE7 JL 00410FCF /* 以上代码取注册码16至19位字串进行运算(如果有的话),运算结果保存在[ebp-14] */ 017F:00410FE9 MOV EBX,[EBP-18] /* 取注册码21至24位字串的地址送edx */ 017F:00410FEC XOR EDX,EDX 017F:00410FEE XOR ECX,ECX 017F:00410FF0 CMP [EBX-08],EDX 017F:00410FF3 JLE 00411010 /* 没有这段字串就跳走,且ecx置零 */ 017F:00410FF5 MOVSX EAX,BYTE PTR [EBX+EDX] 017F:00410FF9 SUB EAX,30 017F:00410FFC 
CMP EAX,09 017F:00410FFF JLE 00411004 017F:00411001 SUB EAX,27 017F:00411004 LEA ECX,[ECX*8+ECX] 017F:00411007 INC EDX 017F:00411008 CMP EDX,[EBX-08] 017F:0041100B LEA ECX,[ECX*2+EAX] 017F:0041100E JL 00410FF5 /* 以上代码取注册码21至24位字串进行运算(如果有的话),运算结果保存在[ebp-14] */ 017F:00411010 MOV EAX,[EBP-2C] /* 取得关键值送eax */ 017F:00411013 PUSH 03 017F:00411015 SUB [EBP-14],EAX 017F:00411018 SUB EDI,EAX 017F:0041101A SUB ESI,EAX 017F:0041101C SUB ECX,EAX /* 四个运算结果分别减去eax,结果依次设为num2,num1,num3,num4 */ 017F:0041101E MOV EAX,EDI 017F:00411020 POP EBX /* ebx=3 */ 017F:00411021 CDQ 017F:00411022 IDIV EBX 017F:00411024 TEST EDX,EDX /* 余数是否为零 */ 017F:00411026 JZ 0041102C /* 为零就跳,意即num1能被3整除 */ 017F:00411028 XOR ESI,ESI 017F:0041102A JMP 00411085 /* 上面不跳的话,这里就直接走向出口,注册失败*/ 017F:0041102C MOV EAX,[EBP-14] 017F:0041102F PUSH 02 017F:00411031 CDQ 017F:00411032 POP EBX /* ebx=2 */ 017F:00411033 IDIV EBX 017F:00411035 TEST EDX,EDX 017F:00411037 JNZ 00411028 /* 不能跳,意即num2能被2整除 */ 017F:00411039 MOV EAX,ESI 017F:0041103B PUSH 06 017F:0041103D CDQ 017F:0041103E POP EBX /* ebx=6 */ 017F:0041103F IDIV EBX 017F:00411041 TEST EDX,EDX 017F:00411043 JNZ 00411028 /* 不能跳,意即num3能被6整除 */ 017F:00411045 MOV EAX,ECX 017F:00411047 PUSH 04 017F:00411049 CDQ 017F:0041104A POP EBX /* ebx=4 */ 017F:0041104B IDIV EBX 017F:0041104D TEST EDX,EDX 017F:0041104F JNZ 00411028 /* 不能跳,意即num4能被4整除 */ 017F:00411051 MOV EDX,[EBP-14] 017F:00411054 LEA EAX,[EDI+ESI] /* eax=num1+num3 */ 017F:00411057 ADD ESI,EDX /* esi=num3+num2 */ 017F:00411059 PUSH 06 017F:0041105B LEA EBX,[EDX+ECX] /* ebx=num2+num4 */ 017F:0041105E MOV [EBP-2C],ESI 017F:00411061 XOR EDX,EDX 017F:00411063 POP ESI 017F:00411064 DIV ESI 017F:00411066 ADD ECX,EDI /* ecx=num4+num1 */ 017F:00411068 TEST EDX,EDX 017F:0041106A JNZ 00411028 /* num1+num3能被6整除 */ 017F:0041106C PUSH 03 017F:0041106E MOV EAX,EBX 017F:00411070 POP ESI 017F:00411071 DIV ESI 017F:00411073 TEST EDX,EDX 017F:00411075 JNZ 00411028 /* num2+num4能被3整除 */ 017F:00411077 TEST BYTE PTR [EBP-2C],01 
017F:0041107B JNZ 00411028 /* num3+num2最末位不是1 */ 017F:0041107D TEST CL,01 /* num4+num1最末位不是1 */ 017F:00411080 JNZ 00411028 017F:00411082 PUSH 01 017F:00411084 POP ESI /* 上面两句是给esi赋值1,由于esi的值最终要传给eax作为返回值,这两句必须走过 */ 017F:00411085 LEA ECX,[EBP-30] 017F:00411088 MOV BYTE PTR [EBP-04],05 017F:0041108C CALL 00428901 017F:00411091 LEA ECX,[EBP-18] 017F:00411094 MOV BYTE PTR [EBP-04],04 017F:00411098 CALL 00428901 017F:0041109D LEA ECX,[EBP-1C] 017F:004110A0 MOV BYTE PTR [EBP-04],03 017F:004110A4 CALL 00428901 017F:004110A9 LEA ECX,[EBP-20] 017F:004110AC MOV BYTE PTR [EBP-04],02 017F:004110B0 CALL 00428901 017F:004110B5 LEA ECX,[EBP-24] 017F:004110B8 MOV BYTE PTR [EBP-04],01 017F:004110BC CALL 00428901 017F:004110C1 AND BYTE PTR [EBP-04],00 017F:004110C5 LEA ECX,[EBP-10] 017F:004110C8 CALL 00428901 017F:004110CD OR DWORD PTR [EBP-04],-01 017F:004110D1 LEA ECX,[EBP+08] 017F:004110D4 CALL 00428901 017F:004110D9 MOV ECX,[EBP-0C] 017F:004110DC MOV EAX,ESI /* 返回值eax的值取决于esi */ 017F:004110DE POP EDI 017F:004110DF POP ESI 017F:004110E0 POP EBX 017F:004110E1 MOV FS:[00000000],ECX 017F:004110E8 LEAVE 017F:004110E9 RET 0004 以上运算过程与用户名无关,因而是通用注册码。 ****************************************************************** 【整 理】: General Regcode: wb-677knun5hveu569uks3my wb-6fkefuyoiv60qmp6ivsbc wb-7yjb35yyzi13h28nyer3r wb-2lkr64f6bfugrvv433qt8 wb-5fa6m7pg7zzipm179pu8r wb-7y3c8znz87lym0zhwq9h7 【Turbo C 注册机】: #include "stdio.h" #include "string.h" #include "stdlib.h" #include "ctype.h" long calnum(char *start,char extra) {int i; long num=0; char temp; for(i=0;i<4;i++) {temp=isdigit(start[i])?start[i]-0x30:start[i]-0x57; num=num*18+temp; } return num+extra; } void main() {int i; long num[4]; char regcode[22],regname[30]; regcode[21]='\0'; printf("\t*************************************************\n"); printf("\n\t\tKeyGen for WindowBlinds V3.5 Enhanced\n\t\t\tProduced by cyclotron\n"); printf("\n\t*************************************************\n"); do printf("\n\tPlease input your 
Regname:"); while(!strlen(gets(regname))); randomize(); do {regcode[0]=0x30+random(10); for(i=1;i<21;i++) do regcode[i]=0x30+random(0x50); while(!isdigit(regcode[i])&&!islower(regcode[i])); for(i=0;i<4;i++) num[i]=calnum(regcode+2+i*5,regcode[0]); } while(num[0]%3||num[1]%2||num[2]%6||num[3]%4||(num[0]+num[2])%6||(num[1]+num[3])%3||(num[2]+num[1])&(num[3]+num[0])&1); printf("\n\tYour Regcode is:\twb-%s\n\n\tThank you for your use!",regcode); getchar(); } ________________________________________________________ 【第二部分】:追踪用户名相关注册码! 017F:0040EE4C LEA EAX,[EBP-014C] 017F:0040EE52 PUSH 0040A4C0 /* 字符WB入栈 */ 017F:0040EE57 PUSH EAX /* 存放WB的空地址入栈 */ 017F:0040EE58 CALL 00417690 017F:0040EE5D PUSH DWORD PTR [ESI+5C] /* 用户名地址入栈 */ 017F:0040EE60 LEA EAX,[EBP-014C] /* 这还是前面用于存放"WB"的地址 */ 017F:0040EE66 PUSH EAX /* 地址入栈 */ 017F:0040EE67 CALL 004176A0 /* 这个call把WB和用户名连接起来 */ 017F:0040EE6C MOV EAX,[ESI+5C] /* 用户名的地址 */ 017F:0040EE6F XOR EBX,EBX 017F:0040EE71 ADD ESP,10 017F:0040EE74 MOV [EBP-28],EBX 017F:0040EE77 CMP [EAX-08],EBX /* 用户名长度是否为零? */ 017F:0040EE7A JLE 0040EF1A 017F:0040EE80 LEA EAX,[EBP-014C] /* 字串“WBcyclotron”的地址 */ 017F:0040EE86 MOV DWORD PTR [EBP-10],00000001 017F:0040EE8D SUB [EBP-10],EAX 017F:0040EE90 FLD REAL8 PTR [EBP-30] /* 8字节浮点数送st(0) */ 1). 80114111.103114 2). 81527323.91804 …… 017F:0040EE93 CALL 00416EF4 /* 取整送eax */ 1). 80114111即0x4C671BF 2). 81527323即0x4DC021B …… 017F:0040EE98 PUSH EAX 017F:0040EE99 CALL 0041785B 017F:0040EE9E MOV [EBP-18],EAX /* 该整数送局部变量(ebp-18) */ 017F:0040EEA1 MOV EAX,[ESI+5C] /* eax取得用户名地址 */ 017F:0040EEA4 MOVZX EDX,BYTE PTR [EBX+EBP-014C] /* 依次取"WBcyclotron"的每一位 */ 017F:0040EEAC FILD DWORD PTR [EBP-18] /* (ebp-18)装入st(0) */ 1). st(0)=80114111 2). st(0)=81527323 …… 017F:0040EEAF POP ECX 017F:0040EEB0 MOV [EBP-18],EDX 017F:0040EEB3 MOV ECX,[EAX-08] /* ecx取得用户名长度 */ 017F:0040EEB6 LEA EAX,[EBX+EBP-014C] 017F:0040EEBD MOV EDX,[EBP-10] 017F:0040EEC0 MOV [EBP-1C],ECX 017F:0040EEC3 ADD EDX,EAX 1). edx=1 2). 
edx=2 …… 017F:0040EEC5 MOV EAX,[EBP-18] 017F:0040EEC8 MOV [EBP-2C],EDX 017F:0040EECB CDQ 017F:0040EECC FILD DWORD PTR [EBP-2C] 1). (ebp-2C)=1 2). (ebp-2C)=2 …… 017F:0040EECF IDIV ECX 017F:0040EED1 FMUL REAL8 PTR [00401E68] /* st(0)=st(0)*2.12 */ 017F:0040EED7 FISUB DWORD PTR [EBP-28] 1). (ebp-28)=0 2). (ebp-28)=1 …… 017F:0040EEDA MOV ECX,000000FF /* ecx=0xFF */ 017F:0040EEDF MOVZX EAX,BYTE PTR [EDX+EBP-014C] /* 根据余数取得"WBcyclotron"中的字符 */ 1). eax=0x6F 1). eax=0x79 …… 017F:0040EEE7 IMUL EAX,EBX /* eax=eax*ebx */ 017F:0040EEEA MOV [EBP-2C],EAX /* 乘积送(ebp-2C) */ 017F:0040EEED MOV EAX,[EBP-18] /* eax取得刚才字符的ASCII值 */ 017F:0040EEF0 CDQ 017F:0040EEF1 FILD DWORD PTR [EBP-2C] /* st(0)=(ebp-2C) */ 017F:0040EEF4 IDIV ECX 017F:0040EEF6 FMULP ST(1),ST /* st(1)=st(1)*st(0) */ 017F:0040EEF8 INC EBX /* ebx++ */ 017F:0040EEF9 CMP EBX,[EBP-1C] /* 是否取完用户名 */ 017F:0040EEFC MOV [EBP-28],EBX /* (ebp-28)=ebx */ 017F:0040EEFF MOV [EBP-2C],EAX /* (ebp-2C)=eax */ 017F:0040EF02 FILD DWORD PTR [EBP-2C] /* st(0)=(ebp-2C) */ 017F:0040EF05 FADDP ST(1),ST /* st(1)=st(1)+st(0)并出栈 */ 017F:0040EF07 FADD REAL8 PTR [00401E60] /* st(0)=st(0)+1.01764 */ 017F:0040EF0D FMUL ST,ST(1) /* st(0)=st(1)*st(0) */ 017F:0040EF0F FSTP REAL8 PTR [EBP-30] /* st(0)送(ebp-30)并出栈 */ 017F:0040EF12 FSTP ST(0) /* st(0)出栈 */ 017F:0040EF14 JL 0040EE90 /* 未取完则返回 */ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 以上运算用TC2.0实现: #include "string.h" #include "math.h" double floatize(char *regname,char *link) {int i,length; double time=80114111.103114; length=strlen(regname); strcpy(link+2,regname); for(i=0;i<length;i++) time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time); return time; } $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 017F:0040EF1A FLD REAL8 PTR [EBP-30] 017F:0040EF1D CALL 00416EF4 017F:0040EF22 PUSH EAX 017F:0040EF23 CALL 0041785B 017F:0040EF28 MOV [EBP-1C],EAX 017F:0040EF2B MOV EAX,[ESI+5C] 017F:0040EF2E FILD DWORD PTR [EBP-1C] 017F:0040EF31 MOV EAX,[EAX-08] /* 取得用户名长度 */ 
017F:0040EF34 POP ECX 017F:0040EF35 CMP EAX,08 017F:0040EF38 JGE 0040EF3E 017F:0040EF3A MOV AL,0E /* 用户名长度小于8,则al=0xE */ 017F:0040EF3C JMP 0040EF49 017F:0040EF3E CMP EAX,1F /* 用户名长度大于等于8且小于0x1F的,al=strlen(regname)+0x6 */ 017F:0040EF41 JGE 0040EF47 017F:0040EF43 ADD AL,06 017F:0040EF45 JMP 0040EF49 017F:0040EF47 MOV AL,17 /* 用户名长度大于等于0x1F的,al=0x17 */ 017F:0040EF49 MOVZX EAX,AL 017F:0040EF4C PUSH EAX 017F:0040EF4D LEA EAX,[EBP-014C] 017F:0040EF53 PUSH EAX 017F:0040EF54 CALL 00416EF4 017F:0040EF59 PUSH EAX 017F:0040EF5A CALL 00422A30 /* 关键call,进入(设al的值为divisor) */ 017F:0040EF5F ADD ESP,0C 017F:0040EF62 LEA ECX,[EBP-14] 017F:0040EF65 PUSH 0040A5AC 017F:0040EF6A CALL 00428A3E 017F:0040EF6F MOV EAX,[0040BE60] 017F:0040EF74 LEA ECX,[EBP-10] 017F:0040EF77 MOV [EBP-10],EAX 017F:0040EF7A LEA EAX,[EBP-014C] 017F:0040EF80 PUSH EAX 017F:0040EF81 CALL 00428A3E 017F:0040EF86 LEA EAX,[EBP-10] 017F:0040EF89 LEA ECX,[EBP-14] 017F:0040EF8C PUSH EAX 017F:0040EF8D MOV BYTE PTR [EBP-04],03 017F:0040EF91 CALL 00428C18 /* *eax指向1.x版的注册码 */ 017F:0040EF96 LEA ECX,[EBP-10] 017F:0040EF99 MOV BYTE PTR [EBP-04],02 017F:0040EF9D CALL 00428901 017F:0040EFA2 CMP BYTE PTR [EBP-014C],77 017F:0040EFA9 JNZ 0040EFB2 017F:0040EFAB MOV BYTE PTR [EBP-014C],57 017F:0040EFB2 CMP BYTE PTR [EBP-014B],62 017F:0040EFB9 JNZ 0040EFC2 017F:0040EFBB MOV BYTE PTR [EBP-014B],42 017F:0040EFC2 PUSH DWORD PTR [EBP-14] 017F:0040EFC5 PUSH DWORD PTR [EDI] 017F:0040EFC7 CALL 00417870 017F:0040EFCC XOR EBX,EBX 017F:0040EFCE POP ECX 017F:0040EFCF CMP EAX,EBX 017F:0040EFD1 POP ECX 017F:0040EFD2 JNZ 0040F016 /* 比较是否为1.x版的注册码 */ 017F:0040EFD4 PUSH 0040A4AC 017F:0040EFD9 PUSH DWORD PTR [ESI+5C] 017F:0040EFDC CALL 00417870 017F:0040EFE1 POP ECX 017F:0040EFE2 CMP EAX,EBX 017F:0040EFE4 POP ECX 017F:0040EFE5 JZ 0040F016 017F:0040EFE7 PUSH EBX 017F:0040EFE8 LEA ECX,[EBP-01A8] 017F:0040EFEE CALL 0040E74F 017F:0040EFF3 LEA ECX,[EBP-01A8] 017F:0040EFF9 MOV BYTE PTR [EBP-04],05 017F:0040EFFD CALL 0042828A 017F:0040F002 LEA ECX,[EBP-01A8] 
017F:0040F008 MOV BYTE PTR [EBP-04],02 017F:0040F00C CALL 00427EC0 017F:0040F011 JMP 0040F2A7 017F:0040F016 FLD REAL8 PTR [00401E58] 017F:0040F01C LEA EAX,[EBP-02A8] 017F:0040F022 PUSH 0040A4C0 017F:0040F027 FSTP REAL8 PTR [EBP-20] /* 4111.103114送st(0),下面部分的计算和前面的完全一样 */ 017F:0040F02A PUSH EAX 017F:0040F02B CALL 00417690 017F:0040F030 PUSH DWORD PTR [ESI+5C] 017F:0040F033 LEA EAX,[EBP-02A8] 017F:0040F039 PUSH EAX 017F:0040F03A CALL 004176A0 017F:0040F03F MOV EAX,[ESI+5C] 017F:0040F042 ADD ESP,10 017F:0040F045 MOV [EBP-28],EBX 017F:0040F048 CMP DWORD PTR [EAX-08],00 017F:0040F04C JLE 0040F0EC 017F:0040F052 LEA EAX,[EBP-02A8] 017F:0040F058 MOV DWORD PTR [EBP-10],00000001 017F:0040F05F SUB [EBP-10],EAX 017F:0040F062 FLD REAL8 PTR [EBP-20] 017F:0040F065 CALL 00416EF4 017F:0040F06A PUSH EAX 017F:0040F06B CALL 0041785B 017F:0040F070 MOV [EBP-1C],EAX 017F:0040F073 MOV EAX,[ESI+5C] 017F:0040F076 MOVZX EDX,BYTE PTR [EBX+EBP-02A8] 017F:0040F07E FILD DWORD PTR [EBP-1C] 017F:0040F081 POP ECX 017F:0040F082 MOV [EBP-18],EDX 017F:0040F085 MOV ECX,[EAX-08] 017F:0040F088 LEA EAX,[EBX+EBP-02A8] 017F:0040F08F MOV EDX,[EBP-10] 017F:0040F092 MOV [EBP-2C],ECX 017F:0040F095 ADD EDX,EAX 017F:0040F097 MOV EAX,[EBP-18] 017F:0040F09A MOV [EBP-1C],EDX 017F:0040F09D CDQ 017F:0040F09E FILD DWORD PTR [EBP-1C] 017F:0040F0A1 IDIV ECX 017F:0040F0A3 FMUL REAL8 PTR [00401E68] /* 这里也是2.12 */ 017F:0040F0A9 FISUB DWORD PTR [EBP-28] 017F:0040F0AC MOV ECX,000000D3 /* 注意这里ecx=0xD3 */ 017F:0040F0B1 MOVZX EAX,BYTE PTR [EDX+EBP-02A8] 017F:0040F0B9 IMUL EAX,EBX 017F:0040F0BC MOV [EBP-1C],EAX 017F:0040F0BF MOV EAX,[EBP-18] 017F:0040F0C2 CDQ 017F:0040F0C3 FILD DWORD PTR [EBP-1C] 017F:0040F0C6 IDIV ECX 017F:0040F0C8 FMULP ST(1),ST 017F:0040F0CA INC EBX 017F:0040F0CB CMP EBX,[EBP-2C] 017F:0040F0CE MOV [EBP-28],EBX 017F:0040F0D1 MOV [EBP-1C],EAX 017F:0040F0D4 FILD DWORD PTR [EBP-1C] 017F:0040F0D7 FADDP ST(1),ST 017F:0040F0D9 FADD REAL8 PTR [00401E60] 017F:0040F0DF FMUL ST,ST(1) 017F:0040F0E1 FSTP REAL8 PTR [EBP-20] 
017F:0040F0E4 FSTP ST(0) 017F:0040F0E6 JL 0040F062 017F:0040F0EC FLD REAL8 PTR [EBP-20] 017F:0040F0EF CALL 00416EF4 017F:0040F0F4 PUSH EAX 017F:0040F0F5 CALL 0041785B 017F:0040F0FA MOV [EBP-1C],EAX 017F:0040F0FD MOV EAX,[ESI+5C] 017F:0040F100 FILD DWORD PTR [EBP-1C] 017F:0040F103 MOV EAX,[EAX-08] 017F:0040F106 POP ECX 017F:0040F107 CMP EAX,08 017F:0040F10A JGE 0040F110 /* 用户名长度小于8,则al=0x10 */ 017F:0040F10C MOV AL,10 017F:0040F10E JMP 0040F11B 017F:0040F110 CMP EAX,0F 017F:0040F113 JGE 0040F119 017F:0040F115 ADD AL,08 /* 用户名长度大于等于8且小于0xF的,al=strlen(regname)+0x8 */ 017F:0040F117 JMP 0040F11B 017F:0040F119 MOV AL,17 /* 用户名长度大于等于0xF的,al=0x17 */ 017F:0040F11B MOVZX EAX,AL 017F:0040F11E PUSH EAX 017F:0040F11F LEA EAX,[EBP-02A8] 017F:0040F125 PUSH EAX 017F:0040F126 CALL 00416EF4 017F:0040F12B PUSH EAX 017F:0040F12C CALL 00422A30 /* 这个跟前面的call一样 */ 017F:0040F131 ADD ESP,0C 017F:0040F134 LEA ECX,[EBP-14] 017F:0040F137 PUSH 0040A5AC 017F:0040F13C CALL 00428A3E 017F:0040F141 MOV EAX,[0040BE60] 017F:0040F146 LEA ECX,[EBP-10] 017F:0040F149 MOV [EBP-10],EAX 017F:0040F14C LEA EAX,[EBP-02A8] 017F:0040F152 PUSH EAX 017F:0040F153 CALL 00428A3E 017F:0040F158 LEA EAX,[EBP-10] 017F:0040F15B LEA ECX,[EBP-14] 017F:0040F15E PUSH EAX 017F:0040F15F MOV BYTE PTR [EBP-04],04 017F:0040F163 CALL 00428C18 /* *eax指向真正的注册码 */ 017F:0040F168 LEA ECX,[EBP-10] 017F:0040F16B MOV BYTE PTR [EBP-04],02 017F:0040F16F CALL 00428901 017F:0040F174 PUSH DWORD PTR [EBP-14] /* 真正的注册码 */ 017F:0040F177 PUSH DWORD PTR [EDI] /* 试炼码 */ 017F:0040F179 CALL 00417870 017F:0040F17E POP ECX 017F:0040F17F TEST EAX,EAX 017F:0040F181 POP ECX 017F:0040F182 JZ 0040F19C 017F:0040F184 PUSH 10 017F:0040F186 PUSH 0040A49C 017F:0040F18B PUSH 0040A3E4 ********************************************************** 017F:0040EF5A CALL 00422A30 进入: 017F:00422A30 PUSH EBP 017F:00422A31 MOV EBP,ESP 017F:00422A33 XOR EAX,EAX 017F:00422A35 CMP DWORD PTR [EBP+10],0A 017F:00422A39 JNZ 00422A43 017F:00422A3B CMP [EBP+08],EAX 017F:00422A3E JGE 
00422A43 017F:00422A40 PUSH 01 017F:00422A42 POP EAX 017F:00422A43 PUSH EAX 017F:00422A44 PUSH DWORD PTR [EBP+10] 017F:00422A47 PUSH DWORD PTR [EBP+0C] 017F:00422A4A PUSH DWORD PTR [EBP+08] 017F:00422A4D CALL 004229D4 /* 关键,进入 */ 017F:00422A52 MOV EAX,[EBP+0C] 017F:00422A55 ADD ESP,10 017F:00422A58 POP EBP 017F:00422A59 RET ********************************************** 017F:00422A4D CALL 004229D4 进入: 017F:004229D4 PUSH EBP 017F:004229D5 MOV EBP,ESP 017F:004229D7 CMP DWORD PTR [EBP+14],00 017F:004229DB MOV ECX,[EBP+0C] 017F:004229DE PUSH EBX 017F:004229DF PUSH ESI 017F:004229E0 PUSH EDI 017F:004229E1 JZ 004229EE 017F:004229E3 MOV ESI,[EBP+08] 017F:004229E6 MOV BYTE PTR [ECX],2D 017F:004229E9 INC ECX 017F:004229EA NEG ESI 017F:004229EC JMP 004229F1 017F:004229EE MOV ESI,[EBP+08] 017F:004229F1 MOV EDI,ECX 017F:004229F3 MOV EAX,ESI /* 取得前面一轮浮点运算结果取整后的值 */ 017F:004229F5 XOR EDX,EDX 017F:004229F7 DIV DWORD PTR [EBP+10] /* 无符号除法,除数为divisor */ 017F:004229FA MOV EAX,ESI 017F:004229FC MOV EBX,EDX 017F:004229FE XOR EDX,EDX 017F:00422A00 DIV DWORD PTR [EBP+10] 017F:00422A03 CMP EBX,09 /* 余数是否大于等于9 */ 017F:00422A06 MOV ESI,EAX 017F:00422A08 JBE 00422A0F 017F:00422A0A ADD BL,57 /* 小于9就加57h */ 017F:00422A0D JMP 00422A12 017F:00422A0F ADD BL,30 /* 余数大于等于9就加30h */ 017F:00422A12 MOV [ECX],BL /* 保存至ecx指向的内存单元 */ 017F:00422A14 INC ECX 017F:00422A15 TEST ESI,ESI 017F:00422A17 JA 004229F3 017F:00422A19 AND BYTE PTR [ECX],00 017F:00422A1C DEC ECX 017F:00422A1D MOV DL,[EDI] 017F:00422A1F MOV AL,[ECX] 017F:00422A21 MOV [ECX],DL 017F:00422A23 MOV [EDI],AL 017F:00422A25 DEC ECX 017F:00422A26 INC EDI 017F:00422A27 CMP EDI,ECX 017F:00422A29 JB 00422A1D /* 上面这段代码将运算获得的字串逆序保存 */ 017F:00422A2B POP EDI 017F:00422A2C POP ESI 017F:00422A2D POP EBX 017F:00422A2E POP EBP 017F:00422A2F RET 【整理】: name:cyclotron[BCG] code:WB-hcjfb89 【Turbo C 注册机】: #include "stdio.h" #include "string.h" #include "math.h" #define ABS(x) x>0?x:-x double floatize(char *regname,char *link) {int i,length; double 
time=4111.103114; length=strlen(regname); strcpy(link+2,regname); for(i=0;i<length;i++) time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time); return time; } void genereverse(int length,char *link,unsigned long power) {int i=0,j=0,divisor,rest; if(length<8) divisor=0x10; else if(length>=8&&length<0xF) divisor=length+8; else divisor=0x17; do {rest=power%divisor; power/=divisor; link[i++]=rest<=9?rest+0x30:rest+0x57; } while(power); link[i]='\0'; do {link[--i]^=link[j]; link[j]^=link[i]; link[i]^=link[j++]; } while(i-1>j); } void main() {char regname[30],regcode[13],link[32]; double iptr; link[0]=regcode[0]='W'; link[1]=regcode[1]='B'; regcode[2]='-'; printf("\t***********************************************\n"); printf("\n\t\tKeyGen for WindowBlinds V3.5\n\t\t(Generating Regname-related Regcode)"); printf("\n\t\t\tProduced by cyclotron\n"); printf("\n\t***********************************************\n"); do printf("\n\tPlease input your Regname:"); while(!strlen(gets(regname))); modf(floatize(regname,link),&iptr); genereverse(strlen(regname),link,ABS((long)iptr)); strcpy(regcode+3,link); printf("\n\tYour Regcode is:\t%s\n",regcode); printf("\n\tThank you for your use!\n"); getchar(); }
cyclotron[BCG][DFCG][FCG][OCN]
2004.4