WinPowerDown完全破解
WinPowerDown完全破解
又是從古董老光碟上找的一個軟體,程式不大,功能也沒多少,就是一個自動關機,但保護卻做得相當不簡單(對於我這樣的菜鳥來說).我把它放了上來,當一個CrackMe吧!
執行,先來一個下馬威:"Soft-Ice detected
shutting down",好傢伙,祭出FrogsICE,點一個Enable按鈕,順利闖關!
HEHE~~,別找不到輸入註冊碼的地方喲.點About,再點第二行那個加下劃線的"Register Information",終於出來了(好隱蔽
)
輸入NAME:RoBa , CODE:87654321 下斷,很容易來到這裡:
:00455AAD 53
push ebx
:00455AAE 56
push esi
:00455AAF 8BD8
mov ebx, eax
:00455AB1 33C0
xor eax, eax
:00455AB3 55
push ebp
:00455AB4 68335C4500 push
00455C33
:00455AB9 64FF30 push
dword ptr fs:[eax]
:00455ABC 648920 mov
dword ptr fs:[eax], esp
:00455ABF 8D55F8 lea
edx, dword ptr [ebp-08]
:00455AC2 8B83D0020000 mov eax, dword
ptr [ebx+000002D0]
:00455AC8 E84736FDFF call
00429114
:00455ACD 8B45F8 mov
eax, dword ptr [ebp-08] <--剛進來是在這裡
:00455AD0 8D55FC lea
edx, dword ptr [ebp-04] <--EAX為假碼
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00455A64(C)
|
:00455AD3 E8C4200000 call
00457B9C <--這裡才是真正的關鍵(見下面的分析)
:00455AD8 8B45FC mov
eax, dword ptr [ebp-04]
:00455ADB 50
push eax
:00455ADC 8D55F8 lea
edx, dword ptr [ebp-08]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00455A70(C)
|
:00455ADF 8B83CC020000 mov eax, dword
ptr [ebx+000002CC]
:00455AE5 E82A36FDFF call
00429114
:00455AEA 8B55F8 mov
edx, dword ptr [ebp-08]
:00455AED 58
pop eax
:00455AEE E8E5E1FAFF call
00403CD8 <--這個好像是關鍵的CALL,從下面很容易找到這裡
:00455AF3 0F85E6000000 jne 00455BDF
<--跳過去就OVER
:00455AF9 8B83CC020000 mov eax, dword
ptr [ebx+000002CC]
:00455AFF E88435FDFF call
00429088 <--得到NAME長度
:00455B04 83F804 cmp
eax, 00000004 <--NAME長度與4比較
:00455B07 0F8ED2000000 jle 00455BDF
<--小於等於4就OVER
:00455B0D B201
mov dl, 01
:00455B0F A10CE24400 mov eax,
dword ptr [0044E20C]
:00455B14 E83388FFFF call
0044E34C
:00455B19 8BF0
mov esi, eax
:00455B1B BA02000080 mov edx,
80000002
:00455B20 8BC6
mov eax, esi
:00455B22 E8BD88FFFF call
0044E3E4
:00455B27 B101
mov cl, 01
* Possible StringData Ref from
Code Obj ->"SOFTWARE\Koger\WinPowerDown"
|
:00455B29 BA485C4500 mov edx,
00455C48
:00455B2E 8BC6
mov eax, esi
:00455B30 E81389FFFF call
0044E448
:00455B35 8D55F8 lea
edx, dword ptr [ebp-08]
:00455B38 8B83CC020000 mov eax, dword
ptr [ebx+000002CC]
:00455B3E E8D135FDFF call
00429114
:00455B43 8B4DF8 mov
ecx, dword ptr [ebp-08]
* Possible StringData Ref from
Code Obj ->"Name"
|
:00455B46 BA6C5C4500 mov edx,
00455C6C
:00455B4B 8BC6
mov eax, esi
:00455B4D E8928AFFFF call
0044E5E4
:00455B52 8D55F8 lea
edx, dword ptr [ebp-08]
:00455B55 8B83D0020000 mov eax, dword
ptr [ebx+000002D0]
:00455B5B E8B435FDFF call
00429114
:00455B60 8B45F8 mov
eax, dword ptr [ebp-08]
:00455B63 50
push eax
:00455B64 8D55FC lea
edx, dword ptr [ebp-04]
* Possible StringData Ref from
Code Obj ->"B269A74F" <--莫名其妙
|
:00455B67 B87C5C4500 mov eax,
00455C7C
:00455B6C E82B200000 call
00457B9C
:00455B71 8B55FC mov
edx, dword ptr [ebp-04]
:00455B74 8BC6
mov eax, esi
:00455B76 59
pop ecx
:00455B77 E8688AFFFF call
0044E5E4
:00455B7C 8BC6
mov eax, esi
:00455B7E E829D2FAFF call
00402DAC
:00455B83 A154BF4500 mov eax,
dword ptr [0045BF54]
:00455B88 C60001 mov
byte ptr [eax], 01
:00455B8B 6A00
push 00000000
* Possible StringData Ref from
Code Obj ->"Thank you "
|
:00455B8D 68905C4500 push
00455C90
:00455B92 8D55F8 lea
edx, dword ptr [ebp-08]
:00455B95 8B83CC020000 mov eax, dword
ptr [ebx+000002CC]
:00455B9B E87435FDFF call
00429114 <--到這裡就成功了
:00455BA0 FF75F8 push
[ebp-08]
:00455BA3 8D55F4 lea
edx, dword ptr [ebp-0C]
* Possible StringData Ref from
Code Obj ->"F561AE7092DD27E923E833D02DE531F4131542FC14E658"
->"B046DC26040315F4"
<--莫名其妙的干擾字串
|
:00455BA6 B8A45C4500 mov eax,
00455CA4
:00455BAB E8EC1F0000 call
00457B9C
:00455BB0 FF75F4 push
[ebp-0C]
* Possible StringData Ref from
Code Obj ->". If you have any suggestions, "
->"please
write to me at koger@iname.com"
|
:00455BB3 68EC5C4500 push
00455CEC
:00455BB8 8D45FC lea
eax, dword ptr [ebp-04]
:00455BBB BA04000000 mov edx,
00000004
:00455BC0 E8C3E0FAFF call
00403C88
:00455BC5 8B45FC mov
eax, dword ptr [ebp-04]
:00455BC8 668B0D345D4500 mov cx, word ptr
[00455D34]
:00455BCF B202
mov dl, 02
:00455BD1 E8C647FFFF call
0044A39C
:00455BD6 8BC3
mov eax, ebx
:00455BD8 E827C9FEFF call
00442504
:00455BDD EB2E
jmp 00455C0D
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00455AF3(C), :00455B07(C)
|
:00455BDF 6A00
push 00000000
:00455BE1 8D55FC lea
edx, dword ptr [ebp-04]
* Possible StringData Ref from
Code Obj ->"E34CD729E72037CC40C342C259BC77859E61B8BD53A664"
->"BEB1"
<--又是一堆干擾字串
|
:00455BE4 B8405D4500 mov eax,
00455D40
:00455BE9 E8AE1F0000 call
00457B9C
:00455BEE 8B45FC mov
eax, dword ptr [ebp-04]
:00455BF1 668B0D345D4500 mov cx, word ptr
[00455D34]
:00455BF8 B201
mov dl, 01
:00455BFA E89D47FFFF call
0044A39C <--在這裡會有出錯提示,向上找跳過此處的地方
:00455BFF 8B83CC020000 mov eax, dword
ptr [ebx+000002CC]
:00455C05 8B10
mov edx, dword ptr [eax]
:00455C07 FF92B4000000 call dword
ptr [edx+000000B4]
好像不太難嘛,進入455AEE處的CALL看看.追了半天發現,程式將我輸入的使用者名稱RoBa與一個亂七八糟,根本不是可輸入字元的東東比較(下面會有比較過程),一樣的話就註冊成功.難道我們能從鍵盤上輸入這種字元?當然不是.注意一開始的時候程式就把假碼87654321取了出來,因此我推測程式是從註冊碼反算出使用者名稱(好狡猾 ),因為我們的假碼不符合規定,所以算出的NAME也就亂七八糟啦.
那麼我們從455ACD處取出假碼後向後看,到455AEE處一共有兩個CALL,先進455AD3看看:
* Referenced by a CALL at Addresses:
|:00455AD3 , :00455B6C , :00455BAB , :00455BE9
, :00457D8D
|:00458D51 , :00458D6A
|
:00457B9C 55
push ebp
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457B28(C)
|
:00457B9D 8BEC
mov ebp, esp
:00457B9F 83C4DC add
esp, FFFFFFDC
:00457BA2 53
push ebx
:00457BA3 56
push esi
:00457BA4 57
push edi
:00457BA5 33C9
xor ecx, ecx
:00457BA7 894DE0 mov
dword ptr [ebp-20], ecx
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457B3B(C)
|
:00457BAA 894DDC mov
dword ptr [ebp-24], ecx
:00457BAD 894DE8 mov
dword ptr [ebp-18], ecx
:00457BB0 894DE4 mov
dword ptr [ebp-1C], ecx
:00457BB3 8955F8 mov
dword ptr [ebp-08], edx
:00457BB6 8945FC mov
dword ptr [ebp-04], eax
:00457BB9 8B45FC mov
eax, dword ptr [ebp-04]
:00457BBC E8BBC1FAFF call
00403D7C
:00457BC1 33C0
xor eax, eax
:00457BC3 55
push ebp
:00457BC4 68F57C4500 push
00457CF5
:00457BC9 64FF30 push
dword ptr fs:[eax]
:00457BCC 648920 mov
dword ptr fs:[eax], esp
:00457BCF 8D45E8 lea
eax, dword ptr [ebp-18]
* Possible StringData Ref from
Code Obj ->"winpowerdown"
|
:00457BD2 BA0C7D4500 mov edx,
00457D0C
:00457BD7 E808BEFAFF call
004039E4
:00457BDC 8B45E8 mov
eax, dword ptr [ebp-18]
:00457BDF E8E4BFFAFF call
00403BC8
:00457BE4 8945F4 mov
dword ptr [ebp-0C], eax
:00457BE7 33F6
xor esi, esi
:00457BE9 33C0
xor eax, eax
:00457BEB 55
push ebp
:00457BEC 68BD7C4500 push
00457CBD
:00457BF1 64FF30 push
dword ptr fs:[eax]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457B85(C)
|
:00457BF4 648920 mov
dword ptr fs:[eax], esp
:00457BF7 8D45DC lea
eax, dword ptr [ebp-24]
:00457BFA 50
push eax
:00457BFB B902000000 mov ecx,
00000002
:00457C00 BA01000000 mov edx,
00000001 <--EDX=1 這是下面CALL的一個引數
:00457C05 8B45FC mov
eax, dword ptr [ebp-04] <--EAX=假碼
:00457C08 E8BFC1FAFF call
00403DCC <--這個CALL是從第EDX個字元起取假碼的兩個字元,作為下面比較的"舊數"
<--我是從結果推測出來的
:00457C0D 8B4DDC mov
ecx, dword ptr [ebp-24] <--ECX=取出來的兩字元
:00457C10 8D45E0 lea
eax, dword ptr [ebp-20]
:00457C13 BA247D4500 mov edx,
00457D24 <--EDX='$'
:00457C18 E8F7BFFAFF call
00403C14 <--把'$'和兩個字元合並起來
:00457C1D 8B45E0 mov
eax, dword ptr [ebp-20] <--合併後給EAX
<--DELPHI中表現十六進位制數的方法
:00457C20 E8FBFFFAFF call
00407C20 <--把兩個字元變成數給了EAX
<--如果你的假碼出現了0-F以外的就OVER了
:00457C25 8BF8
mov edi, eax
:00457C27 C745F003000000 mov [ebp-10], 00000003
<--[ebp-10]是迴圈變數=3
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457CAD(C)
|
:00457C2E 8D45DC lea
eax, dword ptr [ebp-24]
:00457C31 50
push eax
:00457C32 B902000000 mov ecx,
00000002
:00457C37 8B55F0 mov
edx, dword ptr [ebp-10] <--EDX=[EBP-10]
:00457C3A 8B45FC mov
eax, dword ptr [ebp-04] <--EAX=假碼
:00457C3D E88AC1FAFF call
00403DCC <--從第[EBP-10]個字元起取兩個字元(和上面一樣)
:00457C42 8B4DDC mov
ecx, dword ptr [ebp-24]
:00457C45 8D45E0 lea
eax, dword ptr [ebp-20]
:00457C48 BA247D4500 mov edx,
00457D24
:00457C4D E8C2BFFAFF call
00403C14
:00457C52 8B45E0 mov
eax, dword ptr [ebp-20]
:00457C55 E8C6FFFAFF call
00407C20 <--和上面相同的計算 EAX=字元變成的數(記為"新數")
:00457C5A 8945EC mov
dword ptr [ebp-14], eax <--"新數"放在[EBP-14]
:00457C5D 3B75F4 cmp
esi, dword ptr [ebp-0C] <--看ESI是否大於10
:00457C60 7D03
jge 00457C65
:00457C62 46
inc esi <--ESI不大於10就ESI+1
:00457C63 EB05
jmp 00457C6A
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457C60(C)
|
:00457C65 BE01000000 mov esi,
00000001 <--ESI大於10就ESI=1
<--從下面知道ESI是控制迴圈取出"winpowerdown"這10個字元
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00457C63(U)
|
:00457C6A 8B45E8 mov
eax, dword ptr [ebp-18] <--[ebp-18]處是字串"winpowerdown"
:00457C6D 33DB
xor ebx, ebx
:00457C6F 8A5C30FF mov
bl, byte ptr [eax+esi-01]<--依次取出字元
:00457C73 335DEC xor
ebx, dword ptr [ebp-14] <--[EBP-14]是剛取出的"新數",與字元進行異或運算,放入EBX
:00457C76 3BFB
cmp edi, ebx <--EDI為"舊數",與EBX比較
:00457C78 7C0A
jl 00457C84
:00457C7A 81C3FF000000 add ebx, 000000FF
:00457C80 2BDF
sub ebx, edi
:00457C82 EB02
jmp 00457C86
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457C78(C)
|
:00457C84 2BDF
sub ebx, edi <--若EBX>EDI則EBX=EBX-EDI,否則EBX=EBX+$FF-EDI
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457C82(U)
|
:00457C86 8D45E0 lea
eax, dword ptr [ebp-20]
:00457C89 8BD3
mov edx, ebx
:00457C8B E860BEFAFF call
00403AF0 <--這個CALL好像是把計算結果放入記憶體中
:00457C90 8B55E0 mov
edx, dword ptr [ebp-20]
:00457C93 8D45E4 lea
eax, dword ptr [ebp-1C]
:00457C96 E835BFFAFF call
00403BD0
:00457C9B 8B7DEC mov
edi, dword ptr [ebp-14]<--把"新數"存入EDI作下次比較的"舊數"
:00457C9E 8345F002 add
dword ptr [ebp-10], 00000002 <--[EBP-10]每次+2
:00457CA2 8B45FC mov
eax, dword ptr [ebp-04]
:00457CA5 E81EBFFAFF call
00403BC8
:00457CAA 3B45F0 cmp
eax, dword ptr [ebp-10] <--EAX為假碼長度,看是否計算完畢
:00457CAD 0F8F7BFFFFFF jg 00457C2E
<--迴圈結束
:00457CB3 33C0
xor eax, eax
:00457CB5 5A
pop edx
:00457CB6 59
pop ecx
:00457CB7 59
pop ecx
:00457CB8 648910 mov
dword ptr fs:[eax], edx
:00457CBB EB0A
jmp 00457CC7
:00457CBD E942B5FAFF jmp 00403204
:00457CC2 E8EDB7FAFF call
004034B4
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457CBB(U)
|
:00457CC7 8B45F8 mov
eax, dword ptr [ebp-08]
:00457CCA 8B55E4 mov
edx, dword ptr [ebp-1C]
:00457CCD E812BDFAFF call
004039E4
:00457CD2 33C0
xor eax, eax
:00457CD4 5A
pop edx
:00457CD5 59
pop ecx
:00457CD6 59
pop ecx
:00457CD7 648910 mov
dword ptr fs:[eax], edx
:00457CDA 68FC7C4500 push
00457CFC
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00457CFA(U)
|
:00457CDF 8D45DC lea
eax, dword ptr [ebp-24]
:00457CE2 BA04000000 mov edx,
00000004
:00457CE7 E884BCFAFF call
00403970
:00457CEC 8D45FC lea
eax, dword ptr [ebp-04]
:00457CEF E858BCFAFF call
0040394C
:00457CF4 C3
ret
整理一下思路,程式先取出CODE的前兩位(用M表示),然後再取後面的兩位(用N表示),並且從字串"winpowerdown"中每次迴圈取出一個字元(用P表示),計算S=(N XOR P)-M,如果結果S小於0則加上S=S+$FF(這個S必須與NAME中的字元符合)然後把N給了M,再取後面的兩位作為N計算,直到CODE取完為止,計算出的一串字元與NAME完全相同則註冊成功.
下面是455AED處的CALL,只是將計算結果與使用者名稱比較(這個陰險的軟體害得我在這裡面找了半天才發現不對):
* Referenced by a CALL at Addresses:
|:0040F477 , :004137C9 , :00418999 , :00419848
, :00428232
|:004282BD , :00428EF7 , :0042916C , :00433BB3
, :0043419D
|:0043430D , :00434481 , :004371D9 , :0043729D
, :00437678
|:00437737 , :00437B92 , :00437DE6 , :00438351
, :0043850F
|:00445F17 , :0044BC14 , :0044BFF9 , :00455AEE
, :004564EE
|:00458356 , :00458D87 , :00459677 , :004596F6 <--無數次的進行檢查,想暴破真的不容易
|
:00403CD8 53
push ebx
:00403CD9 56
push esi
:00403CDA 57
push edi
:00403CDB 89C6
mov esi, eax <--[esi]處是上面的計算結果
:00403CDD 89D7
mov edi, edx <--[edi]處是輸入的NAME
:00403CDF 39D0
cmp eax, edx
:00403CE1 0F848F000000 je 00403D76
:00403CE7 85F6
test esi, esi
:00403CE9 7468
je 00403D53
:00403CEB 85FF
test edi, edi
:00403CED 746B
je 00403D5A
:00403CEF 8B46FC mov
eax, dword ptr [esi-04]
:00403CF2 8B57FC mov
edx, dword ptr [edi-04]
:00403CF5 29D0
sub eax, edx
:00403CF7 7702
ja 00403CFB
:00403CF9 01C2
add edx, eax
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00403CF7(C)
|
:00403CFB 52
push edx
:00403CFC C1EA02 shr
edx, 02
:00403CFF 7426
je 00403D27
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00403D1D(C)
|
:00403D01 8B0E
mov ecx, dword ptr [esi]
:00403D03 8B1F
mov ebx, dword ptr [edi]
:00403D05 39D9
cmp ecx, ebx
:00403D07 7558
jne 00403D61
:00403D09 4A
dec edx
:00403D0A 7415
je 00403D21
:00403D0C 8B4E04 mov
ecx, dword ptr [esi+04]
:00403D0F 8B5F04 mov
ebx, dword ptr [edi+04]
:00403D12 39D9
cmp ecx, ebx
:00403D14 754B
jne 00403D61
:00403D16 83C608 add
esi, 00000008
:00403D19 83C708 add
edi, 00000008
:00403D1C 4A
dec edx
:00403D1D 75E2
jne 00403D01
:00403D1F EB06
jmp 00403D27
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00403D0A(C)
|
:00403D21 83C604 add
esi, 00000004
:00403D24 83C704 add
edi, 00000004
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00403CFF(C), :00403D1F(U)
|
:00403D27 5A
pop edx
:00403D28 83E203 and
edx, 00000003
:00403D2B 7422
je 00403D4F
:00403D2D 8B0E
mov ecx, dword ptr [esi]
:00403D2F 8B1F
mov ebx, dword ptr [edi]
:00403D31 38D9
cmp cl, bl
:00403D33 7541
jne 00403D76
:00403D35 4A
dec edx
:00403D36 7417
je 00403D4F
:00403D38 38FD
cmp ch, bh
:00403D3A 753A
jne 00403D76
:00403D3C 4A
dec edx
:00403D3D 7410
je 00403D4F
:00403D3F 81E30000FF00 and ebx, 00FF0000
:00403D45 81E10000FF00 and ecx, 00FF0000
:00403D4B 39D9
cmp ecx, ebx
:00403D4D 7527
jne 00403D76
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00403D2B(C), :00403D36(C), :00403D3D(C)
|
:00403D4F 01C0
add eax, eax
:00403D51 EB23
jmp 00403D76
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00403CE9(C)
|
:00403D53 8B57FC mov
edx, dword ptr [edi-04]
:00403D56 29D0
sub eax, edx
:00403D58 EB1C
jmp 00403D76
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00403CED(C)
|
:00403D5A 8B46FC mov
eax, dword ptr [esi-04]
:00403D5D 29D0
sub eax, edx
:00403D5F EB15
jmp 00403D76
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00403D07(C), :00403D14(C)
|
:00403D61 5A
pop edx
:00403D62 38D9
cmp cl, bl
:00403D64 7510
jne 00403D76
:00403D66 38FD
cmp ch, bh
:00403D68 750C
jne 00403D76
:00403D6A C1E910 shr
ecx, 10
:00403D6D C1EB10 shr
ebx, 10
:00403D70 38D9
cmp cl, bl
:00403D72 7502
jne 00403D76
:00403D74 38FD
cmp ch, bh
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00403CE1(C), :00403D33(C), :00403D3A(C), :00403D4D(C), :00403D51(U)
|:00403D58(U), :00403D5F(U), :00403D64(C), :00403D68(C), :00403D72(C)
|
:00403D76 5F
pop edi
:00403D77 5E
pop esi
:00403D78 5B
pop ebx
:00403D79 C3
ret
這上面一堆跳來跳去讓人煩,大致是每次取出32位(即4位字元)進行比較,然後再後跳32位再比等等,(我打字打得太累了,各位湊合看看吧,哪位大哥給補上註釋小弟感激不盡~~~)總之只要NAME與註冊碼反算得到的一致就成功了.
演算法搞定了,剩下的就是序號產生器了.因為判斷是從CODE到NAME,寫序號產生器還要逆回來:得到NAME以後,先任取兩位數作CODE的前兩位,然後CODE的(N*2+1)和(N*2+2)兩位=[CODE的(N*2-1)和(N*2)兩位組成的數+NAME中的第N個字元] XOR ['winpowerdown'中的第N個字元] (XOR的逆運算恰巧也是XOR)
我寫的序號產生器:(Borland Pascal 7.0)
Program CrackWinPowerDown;
var name,st,code:string;
a:array[1..10] of integer;
p,s,h,l :integer;
begin
st:='winpowerdown';
fillchar(code,sizeof(code),0);
write('Please input your name:');
readln(name);
a[1]:=$66; //可以在$00--$FF中任意選取
for p:=1 to length(name) do
begin
s:=a[p]+ord(name[p]);
if s>$FF then s:=s-$FF;
a[p+1]:=(s xor ord(st[p]));
end;
for p:=1 to length(name)+1 do
begin
h:=a[p] div 16; l:=a[p] mod 16;
if h<=9 then code[p*2-1]:=chr(48+h)
else code[p*2-1]:=chr(55+h);
if l<=9 then code[p*2]:=chr(48+l)
else code[p*2]:=chr(55+l);
//不知道怎麼轉成十六進位制,用了一個笨方法
end;
write('CODE:');
for p:=1 to (length(name)+1)*2 do
write(code[p]); writeln;
writeln('Crack by RoBa Thank you');
end.
用序號產生器算出一個可用的NAME: RoBa1986
CODE:
66CF56F62836183519
輸入以後,顯示"THANK YOU",點確定~~~~????怎麼還是Unregistered?難道還有暗樁?我暈倒...N分鐘後悠悠醒轉,關閉程式,再開啟一次,"Register To RoBa1986". 原來如此!!
相關文章
- 不完全的破解2000-11-23
- winimage完全破解 (8千字)2001-07-04
- All Aboard! SE 完全破解實戰2001-07-18
- 流光 4.5 完全破解 (15千字)2002-08-24
- Restools系列完全破解~~~~~~~~~~~~~~~~~~~~~~~ (12千字)2002-03-03REST
- BubbleKing V2.63 完全靜態破解2004-06-14
- My Flash player 1.3 完全破解 (5千字)2001-12-05
- 金山毒霸試用版完全破解 (5千字)2001-07-16
- oicq build 0425 的不完全破解 (3千字)2000-05-28UI
- H******** 4.01.11的不完全破解 (4千字)2001-04-14
- AT2000的不完全破解! (2千字)2001-06-19
- 流光2001完全暴力破解 (3千字)2001-08-14
- 有誰能名將它完全破解了 (5千字)2000-08-26
- powerarchiver 8.00.58 之不完全破解+簡單演算法分析2015-11-15Hive演算法
- Navicat Premium for Mac v12.0.22.0 破解版,完全免費啟用方法之完美破解2019-04-02REMMac
- 賽事分為 “完全破解”以及“查詢漏洞”兩個挑戰2022-01-21
- picturetoexe v3.60 beta #2不完全破解 (2千字)2001-04-30
- 《大航海時代3:新世紀》的不完全破解 (4千字)2001-01-16
- Resource
Builder 1.1.0 完全破解~~附彙編序號產生器 (10千字)2015-11-15UI
- 大家請進!!!我破解了一個小遊戲,但沒有完全破解它,想請高手指點一下!!!
(507字)2001-01-01遊戲
- 一個水族箱屏保,破解不完全,誰幫忙看看? (2千字)2001-04-12
- Pexplorer 1.70 完全破解(KeyFile&Name+Code),附序號產生器~~~~~~~~~
(17千字)2002-04-03
- 人事資訊綜合管理系統 Ver3.2 (完全版本)的破解過程 (7千字)2002-01-20
- SWF2Video Pro V1.0.1.2 完全破解 演算法分析+序號產生器2015-11-15IDE演算法
- Swish 2.0 alpha 1不完全破解,看來得找找EnableMenuItem的標記
(2千字)2000-12-28UI
- 【Mysql】完全恢復與不完全恢復2015-10-21MySql
- JAVA 完全數2020-10-22Java
- Webbrowser 完全搞定2009-11-29Web
- 完全平方數2024-03-09
- asmstudio5.0完全完美破解版的誕生過程(和初學者共同學習!) (1千字)2001-05-02ASM
- 金山詞霸2009牛津with SP3完全破解版(含全部本地詞庫和語音包)2012-04-16
- SQLAlchemy完全入門2022-01-09SQL
- 完全吃透 TLS/SSL2018-06-25TLS
- Java Servlet完全教程2015-01-26JavaServlet
- systemctl 命令完全指南2015-07-31
- RMAN全庫【完全恢復/不完全恢復brief version】2012-04-04
- Java的破解和反破解之道 (轉)2007-12-09Java
- 破解 HIEW6.70 完全版軟體的讀 Hiew.key 檔案的功能。<=高手不要進入。 (3千字)2001-07-02