IconToy 3.1 註冊碼快速破解 (11千字)
http://www.lighttek.com/
1、先用W32Dasm的string reference功能找到判斷的地方:
:00485F9B A104E94800 mov eax,
dword ptr [0048E904] //輸入的假註冊碼
:00485FA0 E8B3FCFFFF call
00485C58 //判斷註冊碼
:00485FA5 803D00E9480001 cmp byte ptr [0048E900],
01 //標誌位
:00485FAC 0F85C4000000 jne 00486076
//為0則註冊碼錯誤
:00485FB2 8D55F8
lea edx, dword ptr [ebp-08]
:00485FB5 8B45FC
mov eax, dword ptr [ebp-04]
:00485FB8 8B800C030000 mov eax, dword
ptr [eax+0000030C]
:00485FBE E84955FAFF call
0042B50C
:00485FC3 8B55F8
mov edx, dword ptr [ebp-08]
:00485FC6 B808E94800 mov eax,
0048E908
:00485FCB E88CDBF7FF call
00403B5C
:00485FD0 B201
mov dl, 01
:00485FD2 A130E54500 mov eax,
dword ptr [0045E530]
:00485FD7 E80087FDFF call
0045E6DC
:00485FDC 8BD8
mov ebx, eax
:00485FDE B101
mov cl, 01
* Possible StringData Ref from Code Obj ->"\software\lighttek\icontoy"
|
:00485FE0 BAB4604800 mov edx,
004860B4
:00485FE5 8BC3
mov eax, ebx
:00485FE7 E8E488FDFF call
0045E8D0
:00485FEC DB0504E94800 fild dword
ptr [0048E904]
:00485FF2 D835D0604800 fdiv dword
ptr [004860D0]
:00485FF8 E887CAF7FF call
00402A84
:00485FFD 52
push edx
:00485FFE 50
push eax
:00485FFF 8D45F4
lea eax, dword ptr [ebp-0C]
:00486002 E8AD24F8FF call
004084B4
:00486007 8B4DF4
mov ecx, dword ptr [ebp-0C]
:0048600A BADC604800 mov edx,
004860DC
:0048600F 8BC3
mov eax, ebx
:00486011 E8568AFDFF call
0045EA6C
:00486016 8B0D08E94800 mov ecx, dword
ptr [0048E908]
:0048601C BAE8604800 mov edx,
004860E8
:00486021 8BC3
mov eax, ebx
:00486023 E8448AFDFF call
0045EA6C
:00486028 8BC3
mov eax, ebx
:0048602A E81587FDFF call
0045E744
:0048602F 8BC3
mov eax, ebx
:00486031 E802CFF7FF call
00402F38
* Possible StringData Ref from Code Obj ->"You are registered! Thank you."
|
:00486036 B8F4604800 mov eax,
004860F4
:0048603B E84080FCFF call
0044E080
:00486040 8D45F4
lea eax, dword ptr [ebp-0C]
:00486043 8B0D08E94800 mov ecx, dword
ptr [0048E908]
* Possible StringData Ref from Code Obj ->"Registered for: "
|
:00486049 BA1C614800 mov edx,
0048611C
:0048604E E87DDDF7FF call
00403DD0
:00486053 8B55F4
mov edx, dword ptr [ebp-0C]
:00486056 A1FCE84800 mov eax,
dword ptr [0048E8FC]
:0048605B 8B80E8020000 mov eax, dword
ptr [eax+000002E8]
:00486061 E8D654FAFF call
0042B53C
:00486066 A180D24800 mov eax,
dword ptr [0048D280]
:0048606B 8B00
mov eax, dword ptr [eax]
:0048606D B201
mov dl, 01
:0048606F 8B08
mov ecx, dword ptr [eax]
:00486071 FF5160
call [ecx+60]
:00486074 EB0A
jmp 00486080
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FAC(C)
|
* Possible StringData Ref from Code Obj ->"Registration key error!"
|
:00486076 B838614800 mov eax,
00486138
:0048607B E80080FCFF call
0044E080
2、跟進call 00485C58,看見大堆hard-coded serial:
* Referenced by a CALL at Addresses:
|:00485FA0 , :00486233
|
:00485C58 55
push ebp
:00485C59 8BEC
mov ebp, esp
:00485C5B 6A00
push 00000000
:00485C5D 33D2
xor edx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485BF0(C)
|
:00485C5F 55
push ebp
:00485C60 68CD5E4800 push
00485ECD
:00485C65 64FF32
push dword ptr fs:[edx]
:00485C68 648922
mov dword ptr fs:[edx], esp
:00485C6B 3D8CA6BA00 cmp eax,
00BAA68C
:00485C70 0F84B9010000 je 00485E2F
:00485C76 3D6A5A1300 cmp eax,
00135A6A
:00485C7B 0F84AE010000 je 00485E2F
:00485C81 3DE0621300 cmp eax,
001362E0
:00485C86 0F84A3010000 je 00485E2F
:00485C8C 3D76281300 cmp eax,
00132876
:00485C91 0F8498010000 je 00485E2F
:00485C97 3DAEED3100 cmp eax,
0031EDAE
:00485C9C 0F848D010000 je 00485E2F
:00485CA2 3DC6E93100 cmp eax,
0031E9C6
:00485CA7 0F8482010000 je 00485E2F
:00485CAD 3DA8D81200 cmp eax,
0012D8A8
:00485CB2 0F8477010000 je 00485E2F
:00485CB8 3D267F1300 cmp eax,
00137F26
:00485CBD 0F846C010000 je 00485E2F
:00485CC3 3DB6B7B800 cmp eax,
00B8B7B6
:00485CC8 0F8461010000 je 00485E2F
:00485CCE 3DAE7A1200 cmp eax,
00127AAE
:00485CD3 0F8456010000 je 00485E2F
:00485CD9 3DA2D21200 cmp eax,
0012D2A2
:00485CDE 0F844B010000 je 00485E2F
:00485CE4 3D2AFAB900 cmp eax,
00B9FA2A
:00485CE9 0F8440010000 je 00485E2F
:00485CEF 3D36F8B900 cmp eax,
00B9F836
:00485CF4 0F8435010000 je 00485E2F
:00485CFA 3D0810C100 cmp eax,
00C11008
:00485CFF 0F842A010000 je 00485E2F
:00485D05 3D8630BA00 cmp eax,
00BA3086
:00485D0A 0F841F010000 je 00485E2F
:00485D10 3D78DB5B04 cmp eax,
045BDB78
:00485D15 0F8414010000 je 00485E2F
:00485D1B 3DD8D81400 cmp eax,
0014D8D8
:00485D20 0F8409010000 je 00485E2F
:00485D26 3D0C541400 cmp eax,
0014540C
:00485D2B 0F84FE000000 je 00485E2F
:00485D31 3D1A431500 cmp eax,
0015431A
:00485D36 0F84F3000000 je 00485E2F
:00485D3C 3D2AF61400 cmp eax,
0014F62A
:00485D41 0F84E8000000 je 00485E2F
:00485D47 3D825C1400 cmp eax,
00145C82
:00485D4C 0F84DD000000 je 00485E2F
:00485D52 3D9CF0C900 cmp eax,
00C9F09C
:00485D57 0F84D2000000 je 00485E2F
:00485D5D 3D5081DC07 cmp eax,
07DC8150
:00485D62 0F84C7000000 je 00485E2F
:00485D68 3D246DCA00 cmp eax,
00CA6D24
:00485D6D 0F84BC000000 je 00485E2F
:00485D73 3D8CA6BA00 cmp eax,
00BAA68C
:00485D78 0F84B1000000 je 00485E2F
:00485D7E 3D4A232400 cmp eax,
0024234A
:00485D83 0F84A6000000 je 00485E2F
:00485D89 3DC02B2400 cmp eax,
00242BC0
:00485D8E 0F849B000000 je 00485E2F
:00485D94 3D56F12300 cmp eax,
0023F156
:00485D99 0F8490000000 je 00485E2F
:00485D9F 3D0E322400 cmp eax,
0024320E
:00485DA4 0F8485000000 je 00485E2F
:00485DAA 3D262E2400 cmp eax,
00242E26
:00485DAF 747E
je 00485E2F
:00485DB1 3D88A12300 cmp eax,
0023A188
:00485DB6 7477
je 00485E2F
:00485DB8 3DA6CE2500 cmp eax,
0025CEA6
:00485DBD 7470
je 00485E2F
:00485DBF 3DB6D26F01 cmp eax,
016FD2B6
:00485DC4 7469
je 00485E2F
:00485DC6 3D2ECA2400 cmp eax,
0024CA2E
:00485DCB 7462
je 00485E2F
:00485DCD 3D22222500 cmp eax,
00252222
:00485DD2 745B
je 00485E2F
:00485DD4 3D2A157101 cmp eax,
0171152A
:00485DD9 7454
je 00485E2F
:00485DDB 3D36137101 cmp eax,
01711336
:00485DE0 744D
je 00485E2F
:00485DE2 3D88D38A02 cmp eax,
028AD388
:00485DE7 7446
je 00485E2F
:00485DE9 3D864B7101 cmp eax,
01714B86
:00485DEE 743F
je 00485E2F
:00485DF0 3D382D7001 cmp eax,
01702D38
:00485DF5 7438
je 00485E2F
:00485DF7 3DB8A12500 cmp eax,
0025A1B8
:00485DFC 7431
je 00485E2F
:00485DFE 3DDCF52400 cmp eax,
0024F5DC
:00485E03 742A
je 00485E2F
:00485E05 3DFA0B2600 cmp eax,
00260BFA
:00485E0A 7423
je 00485E2F
:00485E0C 3DAA452700 cmp eax,
002745AA
:00485E11 741C
je 00485E2F
:00485E13 3D02AC2600 cmp eax,
0026AC02
:00485E18 7415
je 00485E2F
:00485E1A 3D9C0B8101 cmp eax,
01810B9C
:00485E1F 740E
je 00485E2F
:00485E21 3DD0128B01 cmp eax,
018B12D0
:00485E26 7407
je 00485E2F
:00485E28 3D24888101 cmp eax,
01818824
:00485E2D 757C
jne 00485EAB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00485C70(C), :00485C7B(C), :00485C86(C), :00485C91(C), :00485C9C(C)
|:00485CA7(C), :00485CB2(C), :00485CBD(C), :00485CC8(C), :00485CD3(C)
|:00485CDE(C), :00485CE9(C), :00485CF4(C), :00485CFF(C), :00485D0A(C)
|:00485D15(C), :00485D20(C), :00485D2B(C), :00485D36(C), :00485D41(C)
|:00485D4C(C), :00485D57(C), :00485D62(C), :00485D6D(C), :00485D78(C)
|:00485D83(C), :00485D8E(C), :00485D99(C), :00485DA4(C), :00485DAF(C)
|:00485DB6(C), :00485DBD(C), :00485DC4(C), :00485DCB(C), :00485DD2(C)
|:00485DD9(C), :00485DE0(C), :00485DE7(C), :00485DEE(C), :00485DF5(C)
|:00485DFC(C), :00485E03(C), :00485E0A(C), :00485E11(C), :00485E18(C)
|:00485E1F(C), :00485E26(C)
|
:00485E2F C60500E9480001 mov byte ptr [0048E900],
01 //標誌位
:00485E36 A1FCE84800 mov eax,
dword ptr [0048E8FC]
:00485E3B 8B80D0020000 mov eax, dword
ptr [eax+000002D0]
:00485E41 33D2
xor edx, edx
:00485E43 E818C0FCFF call
00451E60
:00485E48 A1FCE84800 mov eax,
dword ptr [0048E8FC]
:00485E4D 8B90CC020000 mov edx, dword
ptr [eax+000002CC]
:00485E53 A1FCE84800 mov eax,
dword ptr [0048E8FC]
:00485E58 8B80C8020000 mov eax, dword
ptr [eax+000002C8]
:00485E5E E8E5C6FCFF call
00452548
:00485E63 8D45FC
lea eax, dword ptr [ebp-04]
:00485E66 8B0D08E94800 mov ecx, dword
ptr [0048E908]
* Possible StringData Ref from Code Obj ->"Registered for: "
|
:00485E6C BAE05E4800 mov edx,
00485EE0
:00485E71 E85ADFF7FF call
00403DD0
:00485E76 8B55FC
mov edx, dword ptr [ebp-04]
:00485E79 A1FCE84800 mov eax,
dword ptr [0048E8FC]
:00485E7E 8B80E8020000 mov eax, dword
ptr [eax+000002E8]
:00485E84 E8B356FAFF call
0042B53C
:00485E89 A180D24800 mov eax,
dword ptr [0048D280]
:00485E8E 8B00
mov eax, dword ptr [eax]
:00485E90 8B80D8030000 mov eax, dword
ptr [eax+000003D8]
:00485E96 33D2
xor edx, edx
:00485E98 E88755FAFF call
0042B424
:00485E9D A180D24800 mov eax,
dword ptr [0048D280]
:00485EA2 8B00
mov eax, dword ptr [eax]
:00485EA4 33D2
xor edx, edx
:00485EA6 89500C
mov dword ptr [eax+0C], edx
:00485EA9 EB0C
jmp 00485EB7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485E2D(C)
|
:00485EAB C60500E9480000 mov byte ptr [0048E900],
00 //標誌位
三分鐘搞定。新手不妨抓來玩玩
BF
相關文章
- Icontoy3.1破解紀錄(上) (5千字)2000-12-29
- 《TxEdit 4.6》的註冊碼破解 (11千字)2001-07-28
- winimp1.11註冊碼破解 (2千字)2000-07-16
- Regediter 1.3 破解(得到註冊碼) (9千字)2002-01-23
- Vopt99 v4.31的註冊碼破解 (11千字)2000-09-28
- BabyGame 破解方法及註冊碼錶 (1千字)2001-07-04GAM
- 《chm幫助編輯器V2.61》註冊碼破解心得: (11千字)2001-02-17
- 《ICONSCAN 2.4》註冊碼破解 高手莫入! (3千字)2001-05-06
- 《MAGICWIN RELEASE 1.2》註冊碼破解 高手莫入! (2千字)2001-05-07
- Kugle Regediter 1.0 註冊碼破解法(非明碼) (8千字)2001-11-03
- 一種非明碼比較程式的註冊------NS-SHAFT註冊碼破解 (9千字)2015-11-15
- SMailserver2.5註冊碼的破解手記 (1千字)2001-03-01AIServer
- 《WinImage v5.00.5007 註冊碼破解》 (7千字)2001-05-10
- 盲打之友V2.5破解(包括註冊演算法) (11千字)2001-10-29演算法
- 財智證券結算軟體2.5 破解註冊碼分析!使用ollydbg 破解註冊動畫!高手莫入! (1千字)2001-11-20動畫
- 如何破解《彩票快車黃金版》註冊碼 (1千字)2001-04-21
- 豪傑大眼睛共享版註冊碼破解 (1千字)2001-07-08
- Pycharm安裝破解 註冊碼2017-06-25PyCharm
- 開心鬥地主1.6標準版 註冊碼破解 (4千字)2001-04-25
- 如何破解Cool ASCII Art Maker V1.21註冊碼 (2千字)2001-05-03ASCII
- 《EASY MP3 2.2》的註冊碼破解 高手莫入! (2千字)2001-05-05
- 猜數記---BCWIPE註冊半破解 (25千字)2001-04-02
- 『凌雲郵神』 註冊碼破解 (非明碼比較的哦 ^_^) (6千字)2001-11-05
- chm幫助編輯器v2.6 註冊碼破解詳談之二*解碼篇* (11千字)2001-02-04
- Diskbase 5.11的破解和註冊演算法(俺是新手) (18千字)2001-05-21演算法
- 檔案密使2.6註冊碼分析詳解 (11千字)2001-11-30
- 《OFFLINE EXPLORER 1.0》的註冊碼破解 高手莫入!! (2千字)2001-05-18
- 交一篇作業---破解Hedit 2.0的註冊碼 (7千字)2001-09-30
- 破解HappyEO電子琴203版的註冊碼。 (7千字)2001-09-28APP
- 破解<<生日字典密碼生成器 v3.7 password>> 的註冊碼 (4千字)2001-10-21密碼
- 註冊碼演算法 (2千字)2001-01-14演算法
- Quickness 3.1
註冊演算法分析 + 序號產生器原始碼(tc2) (15千字)2003-04-13UI演算法原始碼
- 某穿牆輔助的註冊碼破解2018-03-10
- 某電子書註冊破解實錄,高手莫入。 (6千字)2002-10-05
- 黑馬課表管理系統2.6註冊破解 (1千字)2002-01-12
- 美萍網管大師及安全衛士快速查註冊碼。 (1千字)2001-07-18
- Mover98 V3.1 暴力破解 + 註冊碼破解(有實時檢驗、自校驗,還有一個非常捉弄人的地方,小心
:D) (8千字)2001-05-07
- Navicat for MySQL 11註冊碼\啟用碼2019-02-11MySql