初學者(10) (8千字)
軟體名稱: Battery Bar
軟體版本: 1.07
軟體大小: 907.00
軟體授權: 共享軟體
使用平臺: Win95/98/NT
釋出公司: http://www.nistech.com/
軟體簡介: 能顯示膝上型電腦的電池還能使用多長時間,以及電量剩餘的百分比。
軟體下載: bat_bar.zip
設斷點:bpx hmemcpy
按F12 12次(第13次出錯誤畫面)
然後按F10若干次可找到下面程式段
:00406542 E88D300300 call 004395D4
:00406547 8D4DF8
lea ecx, dword ptr [ebp-08]
:0040654A 8B01
mov eax, dword ptr [ecx]
:0040654C 50
push eax
:0040654D 53
push ebx
:0040654E E889010000 call 004066DC
<----此CALL是計算註冊碼的地方;我先試著修改下面的跳轉,但不成功,
才回頭找到這兒
:00406553 83C40C
add esp, 0000000C
:00406556 3C01
cmp al, 01
:00406558 0F94C2
sete dl
:0040655B 83E201
and edx, 00000001
:0040655E 8D45F8
lea eax, dword ptr [ebp-08]
:00406561 52
push edx
:00406562 BA02000000 mov edx,
00000002
:00406567 FF4E1C
dec [esi+1C]
:0040656A E8D5660600 call 0046CC44
:0040656F FF4E1C
dec [esi+1C]
:00406572 8D45FC
lea eax, dword ptr [ebp-04]
:00406575 BA02000000 mov edx,
00000002
:0040657A E8C5660600 call 0046CC44
:0040657F 59
pop ecx
:00406580 84C9
test cl, cl
:00406582 0F84F1000000 je 00406679
<-----若在此改變程式方向,可顯示註冊成功;
但重新啟動程式後再看About項,仍然是未註冊狀態 :-{
(推測程式在啟動時會重新驗證已儲存的註冊資訊,所以只改這一個跳轉無法持久)
進入004066DC,按F10若干次後,找到計算註冊碼的部分,就是下面這段:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040689D(C)
|
:004067B7 8BF3
mov esi, ebx
:004067B9 56
push esi
:004067BA 8D45F8
lea eax, dword ptr [ebp-08]
:004067BD 50
push eax
:004067BE E801630600 call 0046CAC4
:004067C3 83C408
add esp, 00000008
:004067C6 8D45F8
lea eax, dword ptr [ebp-08]
:004067C9 E8E2650600 call 0046CDB0
:004067CE 0375F8
add esi, dword ptr [ebp-08]
:004067D1 4E
dec esi
:004067D2 803E00
cmp byte ptr [esi], 00
:004067D5 7534
jne 0040680B
:004067D7 8BF3
mov esi, ebx
:004067D9 56
push esi
:004067DA 8D55F8
lea edx, dword ptr [ebp-08]
:004067DD 52
push edx
:004067DE E8E1620600 call 0046CAC4
:004067E3 83C408
add esp, 00000008
:004067E6 8D45F8
lea eax, dword ptr [ebp-08]
:004067E9 E8C2650600 call 0046CDB0
:004067EE 8BC7
mov eax, edi
:004067F0 B91A000000 mov ecx,
0000001A
:004067F5 99
cdq
:004067F6 F7F9
idiv ecx
:004067F8 0375F8
add esi, dword ptr [ebp-08]
:004067FB 8955C8
mov dword ptr [ebp-38], edx
:004067FE 8B45C8
mov eax, dword ptr [ebp-38]
:00406801 4E
dec esi
:00406802 99
cdq
:00406803 33C2
xor eax, edx
:00406805 2BC2
sub eax, edx
:00406807 0441
add al, 41
:00406809 8806
mov byte ptr [esi], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004067D5(C)
|
:0040680B 8BF3
mov esi, ebx
:0040680D 56
push esi
:0040680E 8D4DF8
lea ecx, dword ptr [ebp-08]
:00406811 51
push ecx
:00406812 E8AD620600 call 0046CAC4
:00406817 83C408
add esp, 00000008
:0040681A 8D45F8
lea eax, dword ptr [ebp-08]
:0040681D E88E650600 call 0046CDB0
:00406822 0375F8
add esi, dword ptr [ebp-08]
:00406825 4E
dec esi
:00406826 0FBE3E
movsx edi, byte ptr [esi]
:00406829 8BF3
mov esi, ebx
:0040682B 56
push esi
:0040682C 8D45FC
lea eax, dword ptr [ebp-04]
:0040682F 50
push eax
:00406830 E88F620600 call 0046CAC4
:00406835 83C408
add esp, 00000008
:00406838 8D45FC
lea eax, dword ptr [ebp-04]
:0040683B E870650600 call 0046CDB0
:00406840 8D045B
lea eax, dword ptr [ebx+2*ebx]<----給EAX賦值
:00406843 B91A000000 mov ecx,
0000001A <----後面作為除數
:00406848 C1E003
shl eax, 03 <----EAX乘以8
:0040684B 0375FC
add esi, dword ptr [ebp-04]
:0040684E 2BC3
sub eax, ebx <----EAX=EAX-EBX
:00406850 4E
dec esi
:00406851 03C0
add eax, eax <----EAX=EAX*2
:00406853 03C7
add eax, edi
:00406855 99
cdq
:00406856 F7F9
idiv ecx <-----做除法
:00406858 8955C4
mov dword ptr [ebp-3C], edx
:0040685B B905000000 mov ecx,
00000005 <-----註冊碼4位一組,中間用'-'隔開
:00406860 8B45C4
mov eax, dword ptr [ebp-3C]
:00406863 99
cdq
:00406864 33C2
xor eax, edx
:00406866 2BC2
sub eax, edx
:00406868 0441
add al, 41 <-----EAX=EAX+41
:0040686A 8806
mov byte ptr [esi], al <----加後的數值即是註冊碼的一位
:0040686C 8BC3
mov eax, ebx
:0040686E 99
cdq
:0040686F F7F9
idiv ecx
:00406871 85D2
test edx, edx
:00406873 751E
jne 00406893
:00406875 8BF3
mov esi, ebx
:00406877 56
push esi
:00406878 8D45FC
lea eax, dword ptr [ebp-04]
:0040687B 50
push eax
:0040687C E843620600 call 0046CAC4
:00406881 83C408
add esp, 00000008
:00406884 8D45FC
lea eax, dword ptr [ebp-04]
:00406887 E824650600 call 0046CDB0
:0040688C 0375FC
add esi, dword ptr [ebp-04]
:0040688F 4E
dec esi
:00406890 C6062D
mov byte ptr [esi], 2D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406873(C)
|
:00406893 8D3C5B
lea edi, dword ptr [ebx+2*ebx]
:00406896 83C709
add edi, 00000009
:00406899 43
inc ebx
:0040689A 83FB13
cmp ebx, 00000013
:0040689D 0F8E14FFFFFF jle 004067B7
<----比較EBX與13h(19):若19位註冊碼尚未全部計算完,就跳回迴圈開頭(004067B7)繼續
舉例:
使用者名稱:LiuTong
對於ASCII為:4C 69 75 54 6F 6E 67
計算過程:
EAX=3*EBX EAX=EAX*8
EAX=EAX-EBX EAX=EAX*2 EAX=EAX+輸入使用者名稱 EAX=餘數(EAX/26)+41
以下資料為十六進位制
EBX=1 EAX=3 EAX=18 EAX=17
EAX=2E EAX=2E+4C=7A EAX=12+41=53
EBX=2 EAX=6 EAX=30 EAX=2E
EAX=5C EAX=5C+69=C5 EAX=F+41=50
EBX=3 EAX=9 EAX=48 EAX=45
EAX=8A EAX=8A+75=FF EAX=15+41=56
EBX=4 EAX=C EAX=60 EAX=5C
EAX=B8 EAX=B8+54=102 EAX=8+41=49
EBX=5 EAX=F EAX=78 EAX=73
EAX=E6 EAX=E6+6F=155 EAX=3+41=44
EBX=6 EAX=12 EAX=90 EAX=8A
EAX=114 EAX=114+6E=182 EAX=16+41=57
EBX=7 EAX=15 EAX=A8 EAX=A1
EAX=142 EAX=142+67=1A9 EAX=9+41=4A
EBX=8 EAX=18 EAX=C0 EAX=B8
EAX=170 EAX=170+20=190 EAX=A+41=4B
EBX=9 EAX=1B EAX=D8 EAX=CF
EAX=19E EAX=19E+20=1BE EAX=4+41=45
EBX=A EAX=1E EAX=F0 EAX=E6
EAX=1CC EAX=1CC+20=1EC EAX=18+41=59
EBX=B EAX=21 EAX=108 EAX=FD
EAX=1FA EAX=1FA+20=21A EAX=12+41=53
EBX=C EAX=24 EAX=120 EAX=114 EAX=228
EAX=228+20=248 EAX=C+41=4D
EBX=D EAX=27 EAX=138 EAX=12B EAX=256
EAX=256+20=276 EAX=6+41=47
EBX=E EAX=2A EAX=150 EAX=142 EAX=284
EAX=284+20=2A4 EAX=0+41=41
EBX=F EAX=2D EAX=168 EAX=159 EAX=2B2
EAX=2B2+20=2D2 EAX=14+41=55
EBX=10 EAX=30 EAX=180 EAX=170 EAX=2E0
EAX=2E0+20=300 EAX=E+41=4F
EBX=11 EAX=33 EAX=198 EAX=187 EAX=30E
EAX=30E+20=32E EAX=8+41=49
EBX=12 EAX=36 EAX=1B0 EAX=19E EAX=33C
EAX=33C+20=35C EAX=2+41=43
EBX=13 EAX=39 EAX=1C8 EAX=1B5 EAX=36A
EAX=36A+20=38A EAX=16+41=57
整理後註冊碼應為:SPVI-WJKE-SMGA-OICW