Simple Algorithm: 鼠到擒來 V3.1
Download page: http://www.380000.com/download/show.asp?id=sdql
Category: graphics tools
Platform: Win98/ME/2000/XP
Size: 80KB
License: shareware
Registration scheme: serial number / registration code
Release date: 2002-12-1
【Description】: 鼠到擒來 V3.1 is a graphics utility that extracts icons and bitmaps from files and can also edit images.
【Limitations】: nag screen, restricted functionality.
【Author's note】: I am new to cracking and do this purely out of interest, with no other purpose. Corrections from the experts are welcome!
【Tools】: TRW2000 (娃娃 modified build), OllyDbg 1.09, pe-scan, UnAspacka, W32Dasm 10 (modified build)
―――――――――――――――――――――――――――――――――
【Process】:
鼠到擒來.exe
is packed with ASPack 1.07; unpack it with UnAspacka. 76K -> 372K. Written in VC++ 6.0.
Only 76K packed, very compact. Hats off to the author!
Registration is checked when the program is restarted. The registration info is saved in sign.ini in the program's own directory, so searching the disassembly for "sign.ini" lands on the core routine below. The registration algorithm of 鼠到擒來 is much like that of its sibling programs, with a few changes and a lot of jumping back and forth to throw the cracker off.
The serial number below is the one the program displays on this machine (it is derived from the C: volume serial, see 00406930 further down); the trial code is an arbitrary string entered only to trace the check.
Serial number: 922836698
Trial code: 123456-7890ABC
―――――――――――――――――――――――――――――――――
* Referenced by a CALL at Addresses:
|:00401FE7   , :00406831
|
:00406C20 A0A45A4100              mov al, byte ptr [00415AA4]
                                  ====> [00415AA4] is a "checked already" flag; once it is set the cached
                                  ====> result in [00415AA5] is returned (see 00406D45) without re-reading sign.ini
:00406C25 81EC94010000            sub esp, 00000194
:00406C2B 84C0                    test al, al
:00406C2D 56                      push esi
:00406C2E 0F8511010000            jne 00406D45
* Possible StringData Ref from Data Obj ->"rb"
|
:00406C34 68D8404100              push 004140D8
* Possible StringData Ref from Data Obj ->"sign.ini"
|
                                  ====> where the registration info is stored!
:00406C39 6888434100              push 00414388
:00406C3E E857190000              call 0040859A
                                  ====> opens sign.ini for reading ("rb"); if the open fails the routine
                                  ====> marks itself as checked and returns 0 (unregistered)
:00406C43 8BF0                    mov esi, eax
:00406C45 83C408                  add esp, 00000008
:00406C48 85F6                    test esi, esi
:00406C4A 7511                    jne 00406C5D
:00406C4C C605A45A410001          mov byte ptr [00415AA4], 01
:00406C53 32C0                    xor al, al
:00406C55 5E                      pop esi
:00406C56 81C494010000            add esp, 00000194
:00406C5C C3                      ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C4A(C)
|
:00406C5D 56                      push esi
:00406C5E 8D442408                lea eax, dword ptr [esp+08]
:00406C62 68C9000000              push 000000C9
:00406C67 50                      push eax
:00406C68 E8DD170000              call 0040844A
                                  ====> reads one line of at most 0xC9 bytes from sign.ini into the stack buffer
:00406C6D 56                      push esi
:00406C6E E881170000              call 004083F4
                                  ====> closes the file
:00406C73 8D4C2414                lea ecx, dword ptr [esp+14]
                                  ====> ECX = "123456-7890ABC", the trial code just read from sign.ini
* Possible Reference to Dialog:
|
:00406C77 6830444100              push 00414430
:00406C7C 51                      push ecx
:00406C7D E87E190000              call 00408600
                                  ====> W32Dasm tags 00414430 as a dialog reference, but it sits among the program's
                                  ====> string constants ("rb", "sign.ini", "C:\" are all nearby). Judging from the
                                  ====> length and copy arithmetic that follows, this call locates the '-' in the
                                  ====> trial code; if there is none, EAX = 0 and the routine fails below.
:00406C82 83C418                  add esp, 00000018
:00406C85 85C0                    test eax, eax
:00406C87 7511                    jne 00406C9A
:00406C89 C605A45A410001          mov byte ptr [00415AA4], 01
:00406C90 32C0                    xor al, al
:00406C92 5E                      pop esi
:00406C93 81C494010000            add esp, 00000194
:00406C99 C3                      ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C87(C)
|
:00406C9A 57                      push edi
:00406C9B 8D542408                lea edx, dword ptr [esp+08]
* Possible Reference to Dialog:
|
:00406C9F 6830444100              push 00414430
:00406CA4 52                      push edx
:00406CA5 E856190000              call 00408600
                                  ====> same call again; EDI = pointer to the '-'. The code below skips the '-',
                                  ====> measures the rest and copies "7890ABC" to [esp+140]
:00406CAA 8BF8                    mov edi, eax
:00406CAC 83C9FF                  or ecx, FFFFFFFF
:00406CAF 47                      inc edi
:00406CB0 33C0                    xor eax, eax
:00406CB2 F2                      repnz
:00406CB3 AE                      scasb
:00406CB4 F7D1                    not ecx
:00406CB6 2BF9                    sub edi, ecx
:00406CB8 8D942440010000          lea edx, dword ptr [esp+00000140]
:00406CBF 8BC1                    mov eax, ecx
:00406CC1 8BF7                    mov esi, edi
:00406CC3 8BFA                    mov edi, edx
* Possible Reference to Dialog:
|
:00406CC5 6830444100              push 00414430
:00406CCA C1E902                  shr ecx, 02
:00406CCD F3                      repz
:00406CCE A5                      movsd
:00406CCF 8BC8                    mov ecx, eax
:00406CD1 83E103                  and ecx, 00000003
:00406CD4 F3                      repz
:00406CD5 A4                      movsb
:00406CD6 8D4C2414                lea ecx, dword ptr [esp+14]
:00406CDA 51                      push ecx
:00406CDB E820190000              call 00408600
                                  ====> third time: the '-' is overwritten with 0 (see 00406D02), which
                                  ====> truncates the buffer to "123456"; that half is then copied to [esp+E4]
:00406CE0 8BF8                    mov edi, eax
:00406CE2 83C9FF                  or ecx, FFFFFFFF
:00406CE5 33C0                    xor eax, eax
:00406CE7 8D542418                lea edx, dword ptr [esp+18]
:00406CEB F2                      repnz
:00406CEC AE                      scasb
:00406CED F7D1                    not ecx
:00406CEF 49                      dec ecx
:00406CF0 8D7C2418                lea edi, dword ptr [esp+18]
:00406CF4 2BD1                    sub edx, ecx
:00406CF6 83C9FF                  or ecx, FFFFFFFF
:00406CF9 F2                      repnz
:00406CFA AE                      scasb
:00406CFB F7D1                    not ecx
:00406CFD 49                      dec ecx
:00406CFE 8D7C2418                lea edi, dword ptr [esp+18]
:00406D02 88040A                  mov byte ptr [edx+ecx], al
:00406D05 83C9FF                  or ecx, FFFFFFFF
:00406D08 F2                      repnz
:00406D09 AE                      scasb
:00406D0A F7D1                    not ecx
:00406D0C 2BF9                    sub edi, ecx
:00406D0E 8D9424E4000000          lea edx, dword ptr [esp+000000E4]
:00406D15 8BC1                    mov eax, ecx
:00406D17 8BF7                    mov esi, edi
:00406D19 8BFA                    mov edi, edx
:00406D1B 8D9424E4000000          lea edx, dword ptr [esp+000000E4]
:00406D22 C1E902                  shr ecx, 02
:00406D25 F3                      repz
:00406D26 A5                      movsd
:00406D27 8BC8                    mov ecx, eax
:00406D29 83E103                  and ecx, 00000003
:00406D2C F3                      repz
:00406D2D A4                      movsb
:00406D2E 8D8C2448010000          lea ecx, dword ptr [esp+00000148]
                                  ====> two pushes have happened since [esp+140] was taken, so this is the same
                                  ====> buffer: the second half "7890ABC"
:00406D35 51                      push ecx
:00406D36 52                      push edx
:00406D37 E824FCFFFF              call 00406960
                                  ====> the key CALL! Arguments are (first half, second half). Step in! ^-^ ^-^
:00406D3C 83C418                  add esp, 00000018
:00406D3F A2A55A4100              mov byte ptr [00415AA5], al
                                  ====> registration flag written to [00415AA5]
:00406D44 5F                      pop edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C2E(C)
|
:00406D45 A0A55A4100              mov al, byte ptr [00415AA5]
:00406D4A C605A45A410001          mov byte ptr [00415AA4], 01
:00406D51 5E                      pop esi
:00406D52 81C494010000            add esp, 00000194
:00406D58 C3                      ret
―――――――――――――――――――――――――――――――――
Enter the key CALL at 406D37:
call 00406960
* Referenced by a CALL at Address:
|:00406D37
|
:00406960 83EC18                  sub esp, 00000018
:00406963 53                      push ebx
:00406964 56                      push esi
:00406965 57                      push edi
:00406966 E8C5FFFFFF              call 00406930
                                  ====> reads the volume serial and derives the software serial number from it!
:0040696B 8BF8                    mov edi, eax
                                  ====> EDI = EAX = 37015EDA
:0040696D 8D44240C                lea eax, dword ptr [esp+0C]
:00406971 81F717108519            xor edi, 19851017
                                  ====> EDI = 37015EDA XOR 19851017 = 2E844ECD
                                  2E844ECD is the input to the CALL below, which produces the first half of the registration code!
:00406977 6A24                    push 00000024
                                  ====> 0x24 = 36: the radix for the conversion
:00406979 50                      push eax
:0040697A 57                      push edi
:0040697B E8FFA70000              call 0041117F
                                  ====> first conversion CALL! Step in!
:00406980 8B442434                mov eax, dword ptr [esp+34]
                                  ====> EAX = [esp+34] = "123456", first half of the trial code
:00406984 83C40C                  add esp, 0000000C
:00406987 8D74240C                lea esi, dword ptr [esp+0C]
                                  ====> ESI = [esp+0C] = "cwn64t", first half of the correct registration code
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069AD(C)
                                  ====> byte-by-byte comparison (an inlined strcmp, two bytes per pass): one mismatch and it's over!
:0040698B 8A10                    mov dl, byte ptr [eax]
:0040698D 8A1E                    mov bl, byte ptr [esi]
:0040698F 8ACA                    mov cl, dl
:00406991 3AD3                    cmp dl, bl
:00406993 751E                    jne 004069B3
                                  ====> jump = fail!
:00406995 84C9                    test cl, cl
:00406997 7416                    je 004069AF
:00406999 8A5001                  mov dl, byte ptr [eax+01]
:0040699C 8A5E01                  mov bl, byte ptr [esi+01]
:0040699F 8ACA                    mov cl, dl
:004069A1 3AD3                    cmp dl, bl
:004069A3 750E                    jne 004069B3
                                  ====> jump = fail!
:004069A5 83C002                  add eax, 00000002
:004069A8 83C602                  add esi, 00000002
:004069AB 84C9                    test cl, cl
:004069AD 75DC                    jne 0040698B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406997(C)
|
:004069AF 33C0                    xor eax, eax
:004069B1 EB05                    jmp 004069B8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406993(C), :004069A3(C)
|
:004069B3 1BC0                    sbb eax, eax
:004069B5 83D8FF                  sbb eax, FFFFFFFF
                                  ====> patch point 1 (on the mismatch path EAX ends up 1 or -1, never 0)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069B1(U)
|
:004069B8 85C0                    test eax, eax
:004069BA 756B                    jne 00406A27
                                  ====> must not jump! (00406A27, the failure exit, is not shown in this listing)
:004069BC B801000000              mov eax, 00000001
                                  ====> this 1 is the starting value of the multiply loop below, not a success flag
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069CA(C)
|
:004069C1 8BC8                    mov ecx, eax
:004069C3 0FAFF9                  imul edi, ecx
                                  ====> EDI = 2E844ECD*1*2*3*4*5*6*7*8*9 = 9A541B80 (only the low 32 bits are kept)
:004069C6 40                      inc eax
:004069C7 83F80A                  cmp eax, 0000000A
:004069CA 7CF5                    jl 004069C1
                                  ====> nine multiplications in a row; 9A541B80 is the input for the second half of the code!
:004069CC 8D542418                lea edx, dword ptr [esp+18]
:004069D0 6A24                    push 00000024
:004069D2 52                      push edx
:004069D3 57                      push edi
:004069D4 E8A6A70000              call 0041117F
                                  ====> second conversion CALL!
                                  Same routine as for the first half, only the input is now 9A541B80!
:004069D9 8B442438                mov eax, dword ptr [esp+38]
                                  ====> EAX = "7890ABC", second half of the trial code
:004069DD 83C40C                  add esp, 0000000C
:004069E0 8D742418                lea esi, dword ptr [esp+18]
                                  ====> ESI = "16tjm2o", second half of the correct registration code
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406A06(C)
                                  ====> byte-by-byte comparison again: one mismatch and it's over!
:004069E4 8A10                    mov dl, byte ptr [eax]
:004069E6 8A1E                    mov bl, byte ptr [esi]
:004069E8 8ACA                    mov cl, dl
:004069EA 3AD3                    cmp dl, bl
:004069EC 7528                    jne 00406A16
                                  ====> jump = fail!
:004069EE 84C9                    test cl, cl
:004069F0 7416                    je 00406A08
:004069F2 8A5001                  mov dl, byte ptr [eax+01]
:004069F5 8A5E01                  mov bl, byte ptr [esi+01]
:004069F8 8ACA                    mov cl, dl
:004069FA 3AD3                    cmp dl, bl
:004069FC 7518                    jne 00406A16
                                  ====> jump = fail!
:004069FE 83C002                  add eax, 00000002
:00406A01 83C602                  add esi, 00000002
:00406A04 84C9                    test cl, cl
:00406A06 75DC                    jne 004069E4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069F0(C)
|
:00406A08 33C0                    xor eax, eax
:00406A0A 5F                      pop edi
:00406A0B 85C0                    test eax, eax
:00406A0D 5E                      pop esi
:00406A0E 5B                      pop ebx
:00406A0F 0F94C0                  sete al
                                  ====> EAX is 0 here, so sete sets AL = 1: registered!
:00406A12 83C418                  add esp, 00000018
:00406A15 C3                      ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004069EC(C), :004069FC(C)
|
:00406A16 1BC0                    sbb eax, eax
:00406A18 5F                      pop edi
:00406A19 83D8FF                  sbb eax, FFFFFFFF
                                  ====> patch point 2
:00406A1C 5E                      pop esi
:00406A1D 85C0                    test eax, eax
:00406A1F 0F94C0                  sete al
                                  ====> EAX is nonzero here, so AL = 0: unregistered
:00406A22 5B                      pop ebx
:00406A23 83C418                  add esp, 00000018
:00406A26 C3                      ret
―――――――――――――――――――――――――――――――――
Enter 406966
call 00406930 to see how the software serial number is produced!
* Referenced by a CALL at Addresses:
|:004063D6   , :00406966
|
:00406930 51                      push ecx
                                  ====> reserves one dword of stack: the volume serial number goes here
:00406931 6A00                    push 00000000
:00406933 6A00                    push 00000000
:00406935 6A00                    push 00000000
:00406937 8D44240C                lea eax, dword ptr [esp+0C]
:0040693B 6A00                    push 00000000
:0040693D 50                      push eax
:0040693E 6A00                    push 00000000
:00406940 6A00                    push 00000000
* Possible StringData Ref from Data Obj ->"C:\"
|
:00406942 68F8434100              push 004143F8
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
|
:00406947 FF1514214100            Call dword ptr [00412114]
                                  ====> GetVolumeInformationA("C:\", ...): every out-pointer is NULL except
                                  ====> lpVolumeSerialNumber. Note the return value is never checked; if the
                                  ====> call fails, the uninitialised local is used as the serial.
:0040694D 8B442400                mov eax, dword ptr [esp]
                                  ====> EAX = 211C1E09, the volume serial number of my C: drive (assigned when the
                                  ====> volume was formatted; it is not a hardware serial)
:00406951 35D3401D16              xor eax, 161D40D3
                                  ====> EAX = 211C1E09 XOR 161D40D3 = 37015EDA (hex) = 922836698 (decimal)
:00406956 99                      cdq
:00406957 33C2                    xor eax, edx
:00406959 2BC2                    sub eax, edx
                                  ====> cdq / xor / sub is abs(): a negative XOR result is made positive, so the
                                  ====> serial shown to the user is always a positive decimal number
:0040695B 59                      pop ecx
:0040695C C3                      ret
―――――――――――――――――――――――――――――――――
Enter the conversion CALL at 40697B:
call 0041117F. Both conversions run the same code, so only the data for the first half is recorded here!
0041117F is a thin wrapper; at 0041119C it calls the worker 00411123. This is recognisable as the C runtime's radix-conversion helper behind _itoa/_ultoa: its arguments are (value, buffer, radix, negative flag), and the radix pushed at 00406977 is 0x24 = 36, so the output is a base-36 string with digits 0-9 and a-z.
Enter: 0041119C call 00411123
* Referenced by a CALL at Addresses:
|:00411116   , :0041119C
|
:00411123 55                      push ebp
:00411124 8BEC                    mov ebp, esp
:00411126 837D1400                cmp dword ptr [ebp+14], 00000000
                                  ====> [ebp+14] is the "negative" flag; it is 0 here, so no '-' is emitted
:0041112A 8B4D0C                  mov ecx, dword ptr [ebp+0C]
:0041112D 53                      push ebx
:0041112E 56                      push esi
:0041112F 57                      push edi
:00411130 740B                    je 0041113D
:00411132 8B7508                  mov esi, dword ptr [ebp+08]
:00411135 C6012D                  mov byte ptr [ecx], 2D
:00411138 41                      inc ecx
:00411139 F7DE                    neg esi
:0041113B EB03                    jmp 00411140
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411130(C)
|
:0041113D 8B7508                  mov esi, dword ptr [ebp+08]
                                  ====> ESI = 2E844ECD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041113B(U)
|
:00411140 8BF9                    mov edi, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411166(C)
|
:00411142 8BC6                    mov eax, esi
:00411144 33D2                    xor edx, edx
:00411146 F77510                  div [ebp+10]
                                  ====> [ebp+10] = 24, the radix (36); EDX receives the remainder
                                  1. ====> EDX = 2E844ECD % 24 = 1D
                                  2. ====> EDX = 014AC94C % 24 = 04
                                  3. ====> EDX = 00093042 % 24 = 06
                                  4. ====> EDX = 00004157 % 24 = 17
                                  5. ====> EDX = 000001D0 % 24 = 20
                                  6. ====> EDX = 0000000C % 24 = 0C
:00411149 8BC6                    mov eax, esi
:0041114B 8BDA                    mov ebx, edx
:0041114D 33D2                    xor edx, edx
:0041114F F77510                  div [ebp+10]
                                  ====> same division again, this time for the quotient in EAX
                                  1. ====> EAX = 2E844ECD / 24 = 014AC94C
                                  2. ====> EAX = 014AC94C / 24 = 00093042
                                  3. ====> EAX = 00093042 / 24 = 00004157
                                  4. ====> EAX = 00004157 / 24 = 000001D0
                                  5. ====> EAX = 000001D0 / 24 = 0000000C
                                  6. ====> EAX = 0000000C / 24 = 00000000
:00411152 83FB09                  cmp ebx, 00000009
:00411155 8BF0                    mov esi, eax
                                  ====> ESI = EAX: keep going with the quotient until it reaches 0!
:00411157 7605                    jbe 0041115E
                                  ====> remainder 9 or less goes to 0041115E (digit), larger falls through (letter)
:00411159 80C357                  add bl, 57
                                  1. ====> BL = 1D + 57 = 74, the character 't'
                                  4. ====> BL = 17 + 57 = 6E, the character 'n'
                                  5. ====> BL = 20 + 57 = 77, the character 'w'
                                  6. ====> BL = 0C + 57 = 63, the character 'c'
:0041115C EB03                    jmp 00411161
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411157(C)
|
:0041115E 80C330                  add bl, 30
                                  2. ====> BL = 04 + 30 = 34, the character '4'
                                  3. ====> BL = 06 + 30 = 36, the character '6'
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041115C(U)
|
:00411161 8819                    mov byte ptr [ecx], bl
                                  ====> BL stored at [ecx]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Memory at [ECX] after the loop finishes:
0068F528  74 34 36 6E 77 63   t46nwc
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00411163 41                      inc ecx
:00411164 85F6                    test esi, esi
:00411166 77DA                    ja 00411142
                                  ====> loop! (a do-while: even a value of 0 produces one digit)
:00411168 802100                  and byte ptr [ecx], 00
                                  ====> NUL terminator
:0041116B 49                      dec ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411178(C)
|
:0041116C 8A17                    mov dl, byte ptr [edi]
:0041116E 8A01                    mov al, byte ptr [ecx]
:00411170 8811                    mov byte ptr [ecx], dl
:00411172 8807                    mov byte ptr [edi], al
:00411174 49                      dec ecx
:00411175 47                      inc edi
:00411176 3BF9                    cmp edi, ecx
:00411178 72F2                    jb 0041116C
                                  ====> this little loop swaps the ends inward, reversing t46nwc into cwn64t
:0041117A 5F                      pop edi
:0041117B 5E                      pop esi
:0041117C 5B                      pop ebx
:0041117D 5D                      pop ebp
:0041117E C3                      ret
―――――――――――――――――――――――――――――――――
【Algorithm Summary】:
1. Take the C: volume serial number: 211C1E09 XOR 161D40D3 = 37015EDA, then take the absolute value. That is the software serial number, displayed in decimal as 922836698.
2. Software serial 37015EDA XOR 19851017 = 2E844ECD. Divide 2E844ECD by 0x24 (36) repeatedly, keeping each remainder, until the quotient is 0.
A remainder of 9 or less becomes a digit by adding 0x30; anything larger becomes a lowercase letter by adding 0x57. Reverse the resulting string.
First half of the registration code: cwn64t
3. 2E844ECD*1*2*3*4*5*6*7*8*9 = 9A541B80 (only the low 32 bits of the product survive). Convert 9A541B80 by the same division-by-36 procedure.
A remainder of 9 or less becomes a digit by adding 0x30; anything larger becomes a lowercase letter by adding 0x57. Reverse the resulting string.
Second half of the registration code: 16tjm2o
So my registration code is: cwn64t-16tjm2o
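A keygen that carries out the three steps above, added to this write-up as an example; it is not the program's code and not part of the original analysis. It assumes only what the trace shows: the serial is the decimal form of the value returned by 00406930, the two halves are joined with '-', and the base-36 digits are 0-9 followed by a-z. Running it with the volume serial 211C1E09 from the trace reproduces the serial 922836698 and the code cwn64t-16tjm2o:

```c
/*
 * Keygen for 鼠到擒來 V3.1, written for this write-up as an added example (not the
 * program's own code). It re-implements the routines traced above:
 *
 *   00406930  serial = abs((int32)(volume_serial XOR 161D40D3))   shown to the user in decimal
 *   00406971  k      = serial XOR 19851017
 *   0041117F  part1  = base36(k)                                   radix 0x24 = 36
 *   004069C1  m      = k * 1 * 2 * ... * 9, low 32 bits only (imul wraps)
 *   004069D4  part2  = base36(m)
 *   code     = part1 "-" part2
 *
 * to_base36() mirrors the CRT helper at 00411123: divide by 36 until the quotient is 0,
 * remainder <= 9 becomes '0'..'9' (+0x30), larger becomes 'a'..'z' (+0x57), then reverse.
 * The volume serial 0x211C1E09 in main() is the one from the trace above.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unsigned 32-bit value to lowercase base-36 text: digits least significant first, then reversed. */
void to_base36(uint32_t value, char *out)
{
    char tmp[33];
    size_t n = 0;
    do {                                        /* the routine always emits at least one digit */
        uint32_t r = value % 36;                /* div [ebp+10], remainder in EDX */
        tmp[n++] = (char)(r <= 9 ? '0' + r : 'a' + (r - 10));   /* cmp ebx,9 / jbe */
        value /= 36;                            /* quotient becomes the next ESI */
    } while (value != 0);                       /* test esi,esi / ja 00411142 */
    for (size_t i = 0; i < n; i++)              /* the swap loop at 0041116C */
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
}

/* 00406930: the serial number the program shows, derived from the C: volume serial. */
uint32_t software_serial(uint32_t volume_serial)
{
    uint32_t x = volume_serial ^ 0x161D40D3u;
    uint32_t sign = (x & 0x80000000u) ? 0xFFFFFFFFu : 0u;  /* cdq: EDX = sign extension */
    return (x ^ sign) - sign;                              /* xor eax,edx / sub eax,edx = abs() */
}

/* 00406960 without the comparison: the code the program accepts for this serial. */
void make_regcode(uint32_t serial, char *out, size_t outsz)
{
    char part1[16], part2[16];
    uint32_t k = serial ^ 0x19851017u;
    to_base36(k, part1);

    uint32_t m = k;
    for (uint32_t i = 1; i < 10; i++)           /* mov eax,1 .. cmp eax,0A / jl */
        m *= i;                                 /* imul edi,ecx; uint32_t keeps the low 32 bits */
    to_base36(m, part2);

    snprintf(out, outsz, "%s-%s", part1, part2);
}

int main(void)
{
    char code[40];
    uint32_t serial = software_serial(0x211C1E09u);   /* volume serial from the trace */
    make_regcode(serial, code, sizeof code);
    printf("serial %u -> %s\n", serial, code);        /* 922836698 -> cwn64t-16tjm2o */
    return 0;
}
```

Two things worth noting about the scheme itself. Because the serial comes from the volume serial of C:, the licence is tied to the formatting of that volume rather than to the machine: it changes when the volume is reformatted, and anyone who can set or intercept the volume serial (a hook on GetVolumeInformationA is enough) can make another machine present the same serial. And 00406930 never checks GetVolumeInformationA's return value, so when the call fails an uninitialised stack dword is XORed and displayed as the serial.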
―――――――――――――――――――――――――――――――――
【Perfect Patch】:
1. 004069B5  83D8FF   sbb eax, FFFFFFFF
   change to: 33C090   xor eax, eax, plus one NOP so the instruction stays 3 bytes long
2. 00406A19  83D8FF   sbb eax, FFFFFFFF
   change to: 33C090   xor eax, eax, plus one NOP
Both patch points lie on the mismatch path of the inlined string compare. After the patch that path leaves EAX = 0, exactly what the match path produces, so the first compare falls through into the multiply loop and the second ends with sete al setting AL = 1 whatever was typed. sign.ini must still exist and hold a code with the '-' separator, because 00406C20 returns 0 before ever calling 00406960 when the open or the split fails.
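The two addresses above are virtual addresses in the unpacked image. A file patcher has to translate them into file offsets through the PE section table (a section's raw file offset is not its virtual address), and the bytes must be written to the unpacked file, not the ASPack original, where the same offset lands in compressed data. The tool below, added here as an example and not part of the article's method, does that translation for PE32 files and refuses to write unless the original bytes 83 D8 FF are present at each point. The command-line file names are the reader's own choice (assumption). OllyDbg's "Copy to executable" performs the same mapping when patching interactively.

```c
/*
 * Added example (not from the article): applies the two 3-byte patches above to a copy of the
 * unpacked 鼠到擒來.exe. The listing addresses are virtual addresses, so they are mapped to file
 * offsets through the PE section headers. Only PE32 (the format of a VC++ 6.0 build) is handled.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Map a virtual address to a file offset via the section table. Returns -1 if it cannot be mapped. */
long va_to_file_offset(const uint8_t *img, size_t len, uint32_t va)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t nt = rd32(img + 0x3C);                              /* e_lfanew */
    if (nt > len || len - nt < 24 || memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + nt + 6);                        /* FileHeader.NumberOfSections */
    uint16_t optsz = rd16(img + nt + 20);                      /* FileHeader.SizeOfOptionalHeader */
    if (optsz < 32 || len - nt - 24 < (size_t)optsz + 40u * nsec) return -1;
    const uint8_t *opt = img + nt + 24;
    if (rd16(opt) != 0x10B) return -1;                         /* PE32 magic only */
    uint32_t rva = va - rd32(opt + 28);                        /* OptionalHeader.ImageBase */
    const uint8_t *sec = opt + optsz;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t vsz = rd32(sec + 8), vaddr = rd32(sec + 12);
        uint32_t rawsz = rd32(sec + 16), rawptr = rd32(sec + 20);
        uint32_t span = vsz > rawsz ? vsz : rawsz;
        if (rva >= vaddr && rva < vaddr + span) {
            uint32_t off = rva - vaddr;
            if (off >= rawsz) return -1;                       /* zero-filled tail, not in the file */
            if ((size_t)rawptr + off >= len) return -1;
            return (long)(rawptr + off);
        }
    }
    return -1;
}

/* Write n bytes at va only if the bytes there are the ones the listing shows.
 * Returns 1 on success, 0 if the VA cannot be mapped or the original bytes differ. */
int patch_at_va(uint8_t *img, size_t len, uint32_t va, const uint8_t *expect, const uint8_t *repl, size_t n)
{
    long off = va_to_file_offset(img, len, va);
    if (off < 0 || (size_t)off + n > len) return 0;
    if (memcmp(img + off, expect, n) != 0) return 0;           /* wrong file, or already patched */
    memcpy(img + off, repl, n);
    return 1;
}

/* The two patch points: sbb eax,FFFFFFFF (83 D8 FF) -> xor eax,eax ; nop (33 C0 90). */
int apply_crack(uint8_t *img, size_t len)
{
    static const uint8_t sbb[3] = {0x83, 0xD8, 0xFF};
    static const uint8_t xor_nop[3] = {0x33, 0xC0, 0x90};
    return patch_at_va(img, len, 0x004069B5, sbb, xor_nop, 3)
        && patch_at_va(img, len, 0x00406A19, sbb, xor_nop, 3);
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s unpacked.exe patched.exe\n", argv[0]); return 1; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    fseek(f, 0, SEEK_SET);
    uint8_t *img = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { fclose(f); free(img); return 1; }
    fclose(f);
    if (!apply_crack(img, (size_t)sz)) { fprintf(stderr, "patch points not found\n"); free(img); return 1; }
    f = fopen(argv[2], "wb");
    if (!f) { perror(argv[2]); free(img); return 1; }
    fwrite(img, 1, (size_t)sz, f);
    fclose(f);
    free(img);
    return 0;
}
```

The byte check before writing is what keeps the tool from silently corrupting a different build, the packed file, or an already patched copy: in each of those cases the three bytes at the mapped offset are not 83 D8 FF and nothing is written.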
―――――――――――――――――――――――――――――――――
【Where the registration info is stored】:
sign.ini in the program's directory, containing: cwn64t-16tjm2o
―――――――――――――――――――――――――――――――――
【Summary】:
Serial number: 922836698
Registration code: cwn64t-16tjm2o
―――――――――――――――――――――――――――――――――
Cracked By 巢水工作坊――fly【OCN】
2003-10-11 15:51