[“五一”獻禮]WindowBlinds破解全書

看雪資料發表於2004-04-30

【軟體名稱】:  WindowBlinds V3.5 Enhanced

【軟體語言】:  英文

【軟體類別】:  國外軟體 / 共享版 / 桌面工具

【應用平臺】:  Win9x/NT/2000/XP

【開 發 商】:  http://www.stardock.com/

【軟體介紹】:
    這個軟體除了可以讓你使用 BMP 圖形作為程式的背景底圖之外,它還可讓你 Windows 中的所有程式的視窗標題條 (Titlebar) 變成麥金塔電腦 Mac OS8 或是 BeOS 的樣子,而你也可以將 Windows 95 的視窗標題條(Titlebar) 弄成像 Windows 98 一樣的漸層顯示,漸層的顏色還可以自訂,標題條的文字可讓你放在中間而不是預設的左邊。另外各位可以發現現在一般的新軟體,其工具條的按鈕形式都已改成「浮動式」的,也就是當滑鼠移到按鈕上時它會浮起來,比較美觀而且有立體感,但仍能有一些軟體(如 ACDSee、NetTerm) 依舊是舊式的按鈕形式,你只要用這個軟體就夠將它們都改成「浮動式」的按鈕喔!其他還有許多功能,譬如可讓桌面 icon 的文字底色變成透明.....等等,在此不多敘述,各位自己抓回來玩看看吧!

【作    者】:  cyclotron[BCG][DFCG][FCG][OCN]

【破解過程】:下斷點GetWindowTextA,來到下面的地方:(以下程式碼使用Softice抓取的,W32Dasm似乎對Wload.exe反彙編無效)

【第一部分】:追蹤使用者名稱無關注冊碼!

程式碼:

017F:0040ED69  MOV       EBX,0040A660
017F:0040ED6E  LEA       ECX,[EBP-4C]
017F:0040ED71  PUSH      EBX
017F:0040ED72  CALL      00428F0E
017F:0040ED77  PUSH      0040A658
017F:0040ED7C  LEA       ECX,[EBP-4C]
017F:0040ED7F  CALL      00428F0E
017F:0040ED84  PUSH      DWORD PTR [ESI+5C]
017F:0040ED87  LEA       ECX,[EBP-4C]
017F:0040ED8A  CALL      00428F0E
017F:0040ED8F  PUSH      EBX
017F:0040ED90  LEA       ECX,[EBP-4C]
017F:0040ED93  CALL      00428F0E
017F:0040ED98  LEA       ECX,[EBP-4C]
017F:0040ED9B  CALL      004290CB
017F:0040EDA0  PUSH      0040A64C
/* 黑名單wb-g1de774入棧 */
017F:0040EDA5  PUSH      DWORD PTR [EDI]
/* 試煉碼入棧 */
017F:0040EDA7  CALL      00417870
017F:0040EDAC  POP       ECX
017F:0040EDAD  TEST      EAX,EAX
017F:0040EDAF  POP       ECX
017F:0040EDB0  JNZ       0040EDD3
017F:0040EDB2  PUSH      10
017F:0040EDB4  PUSH      0040A634
017F:0040EDB9  PUSH      0040A5C0
017F:0040EDBE  PUSH      0040A5B8
017F:0040EDC3  PUSH      0040A5B0
017F:0040EDC8  CALL      0040F4A2
017F:0040EDCD  PUSH      EAX
017F:0040EDCE  JMP       0040F190
017F:0040EDD3  LEA       EAX,[EBP-18]
017F:0040EDD6  PUSH      03
017F:0040EDD8  PUSH      EAX
017F:0040EDD9  MOV       ECX,EDI
017F:0040EDDB  CALL      00423811
017F:0040EDE0  PUSH      0040A5AC
017F:0040EDE5  PUSH      DWORD PTR [EAX]
017F:0040EDE7  CALL      00417870
/* 比較序列號前三位是否為WB- */
017F:0040EDEC  POP       ECX
017F:0040EDED  POP       ECX
017F:0040EDEE  TEST      EAX,EAX
017F:0040EDF0  LEA       ECX,[EBP-18]
017F:0040EDF3  SETNZ     BL
017F:0040EDF6  CALL      00428901
017F:0040EDFB  TEST      BL,BL
017F:0040EDFD  JZ        0040EE4C
/* 比較結果一致就跳,目的地是使用者名稱相關注冊碼的驗證部分(見第二部分),但經我嘗試,這裡假如不跳,只要下面的關鍵call返回值為1,也能註冊成功 */
017F:0040EDFF  PUSH      ECX
017F:0040EE00  MOV       ECX,ESP
017F:0040EE02  MOV       [EBP-1C],ESP
017F:0040EE05  PUSH      EDI
017F:0040EE06  CALL      00428676
017F:0040EE0B  CALL      00410E1C
/* 關鍵call,追入 */
017F:0040EE10  TEST      EAX,EAX
017F:0040EE12  JZ        0040EDB2
/* 關鍵跳轉 */
017F:0040EE14  MOV       EAX,0040A5A4
017F:0040EE19  PUSH      40
017F:0040EE1B  PUSH      EAX
017F:0040EE1C  PUSH      0040A56C
017F:0040EE21  PUSH      EAX
017F:0040EE22  PUSH      0040A5B0
017F:0040EE27  CALL      0040F4A2
017F:0040EE2C  PUSH      EAX
017F:0040EE2D  MOV       ECX,ESI
017F:0040EE2F  CALL      00425ECA
017F:0040EE34  PUSH      40
017F:0040EE36  PUSH      0040A54C
017F:0040EE3B  PUSH      0040A4C4
017F:0040EE40  MOV       ECX,ESI
017F:0040EE42  CALL      00425ECA
017F:0040EE47  JMP       0040F1D5
017F:0040EE4C  LEA       EAX,[EBP-014C]
017F:0040EE52  PUSH      0040A4C0
017F:0040EE57  PUSH      EAX
017F:0040EE58  CALL      00417690
017F:0040EE5D  PUSH      DWORD PTR [ESI+5C]
017F:0040EE60  LEA       EAX,[EBP-014C]
017F:0040EE66  PUSH      EAX
017F:0040EE67  CALL      004176A0
**********************************************************
關鍵CALL 00410E1C:
017F:00410E1C  MOV       EAX,0042F800
017F:00410E21  CALL      0041762C
017F:00410E26  SUB       ESP,24
017F:00410E29  PUSH      EBX
017F:00410E2A  PUSH      ESI
017F:00410E2B  PUSH      EDI
017F:00410E2C  MOV       EAX,[0040BE60]
017F:00410E31  XOR       EDI,EDI
017F:00410E33  MOV       [EBP-04],EDI
017F:00410E36  MOV       [EBP-10],EAX
017F:00410E39  LEA       EAX,[EBP+08]
017F:00410E3C  LEA       ECX,[EBP-10]
017F:00410E3F  PUSH      EAX
017F:00410E40  MOV       BYTE PTR [EBP-04],01
017F:00410E44  CALL      004289EE
017F:00410E49  LEA       ECX,[EBP-10]
017F:00410E4C  CALL      00428D14
/* 這個call把註冊碼中的大寫字母全部轉換為小寫字母 */
017F:00410E51  LEA       EAX,[EBP-14]
017F:00410E54  PUSH      02
017F:00410E56  PUSH      EAX
017F:00410E57  LEA       ECX,[EBP-10]
017F:00410E5A  CALL      00423811
017F:00410E5F  PUSH      0040B030
/* wb入棧 */
017F:00410E64  PUSH      DWORD PTR [EAX]
/* 序列號前兩位入棧 */
017F:00410E66  CALL      00417870
/* 比較是否一致 */
017F:00410E6B  POP       ECX
017F:00410E6C  CMP       EAX,EDI
017F:00410E6E  POP       ECX
017F:00410E6F  LEA       ECX,[EBP-14]
017F:00410E72  SETNZ     BL
017F:00410E75  CALL      00428901
017F:00410E7A  TEST      BL,BL
017F:00410E7C  JZ        00410E85
/* 序列號前兩位是wb就跳 */
017F:00410E7E  XOR       ESI,ESI
017F:00410E80  JMP       004110C1
017F:00410E85  PUSH      02
017F:00410E87  LEA       EAX,[EBP-14]
017F:00410E8A  PUSH      02
017F:00410E8C  PUSH      EAX
017F:00410E8D  LEA       ECX,[EBP-10]
017F:00410E90  CALL      004236FF
017F:00410E95  PUSH      DWORD PTR [EAX]
017F:00410E97  CALL      0041797F
/* 這是一個很關鍵的call,返回值eax */
017F:00410E9C  POP       ECX
017F:00410E9D  MOV       [EBP-2C],EAX
/* [ebp-2c]處是一個後面要用到的關鍵值。根據上面這個call,這個值取決於註冊碼的第四位,若第四位是數字i,則該處取值為dword[neg i];若第四位不是數字,則該處取值恆為dword 0 */
017F:00410EA0  LEA       ECX,[EBP-14]
017F:00410EA3  CALL      00428901
017F:00410EA8  MOV       EAX,[0040BE60]
017F:00410EAD  MOV       [EBP-24],EAX
017F:00410EB0  MOV       [EBP-20],EAX
017F:00410EB3  MOV       [EBP-1C],EAX
017F:00410EB6  MOV       [EBP-18],EAX
017F:00410EB9  PUSH      04
017F:00410EBB  LEA       EAX,[EBP-14]
017F:00410EBE  POP       ESI
017F:00410EBF  LEA       ECX,[EBP-10]
017F:00410EC2  PUSH      ESI
017F:00410EC3  PUSH      05
017F:00410EC5  PUSH      EAX
017F:00410EC6  MOV       BYTE PTR [EBP-04],05
017F:00410ECA  CALL      004236FF
/* 分離註冊碼的第6至9位,字串地址送*eax */
017F:00410ECF  PUSH      EAX
017F:00410ED0  LEA       ECX,[EBP-24]
017F:00410ED3  MOV       BYTE PTR [EBP-04],06
017F:00410ED7  CALL      004289EE
017F:00410EDC  LEA       ECX,[EBP-14]
017F:00410EDF  MOV       BYTE PTR [EBP-04],05
017F:00410EE3  CALL      00428901
017F:00410EE8  PUSH      ESI
017F:00410EE9  LEA       EAX,[EBP-14]
017F:00410EEC  PUSH      0A
017F:00410EEE  PUSH      EAX
017F:00410EEF  LEA       ECX,[EBP-10]
017F:00410EF2  CALL      004236FF
/* 分離註冊碼的第11至14位(如果有的話),字串地址送*eax */
017F:00410EF7  PUSH      EAX
017F:00410EF8  LEA       ECX,[EBP-20]
017F:00410EFB  MOV       BYTE PTR [EBP-04],07
017F:00410EFF  CALL      004289EE
017F:00410F04  LEA       ECX,[EBP-14]
017F:00410F07  MOV       BYTE PTR [EBP-04],05
017F:00410F0B  CALL      00428901
017F:00410F10  PUSH      ESI
017F:00410F11  LEA       EAX,[EBP-14]
017F:00410F14  PUSH      0F
017F:00410F16  PUSH      EAX
017F:00410F17  LEA       ECX,[EBP-10]
017F:00410F1A  CALL      004236FF
/* 分離註冊碼的第16至19位(如果有的話),字串地址送*eax */
017F:00410F1F  PUSH      EAX
017F:00410F20  LEA       ECX,[EBP-1C]
017F:00410F23  MOV       BYTE PTR [EBP-04],08
017F:00410F27  CALL      004289EE
017F:00410F2C  LEA       ECX,[EBP-14]
017F:00410F2F  MOV       BYTE PTR [EBP-04],05
017F:00410F33  CALL      00428901
017F:00410F38  PUSH      ESI
017F:00410F39  LEA       EAX,[EBP-28]
017F:00410F3C  PUSH      14
017F:00410F3E  PUSH      EAX
017F:00410F3F  LEA       ECX,[EBP-10]
017F:00410F42  CALL      004236FF
/* 分離註冊碼的第16至19位(如果有的話),字串地址送*eax */
017F:00410F47  PUSH      EAX
017F:00410F48  LEA       ECX,[EBP-18]
017F:00410F4B  MOV       BYTE PTR [EBP-04],09
017F:00410F4F  CALL      004289EE
017F:00410F54  LEA       ECX,[EBP-28]
017F:00410F57  MOV       BYTE PTR [EBP-04],05
017F:00410F5B  CALL      00428901
017F:00410F60  MOV       EAX,[0040BE60]
017F:00410F65  MOV       [EBP-30],EAX
017F:00410F68  MOV       EDX,[EBP-24]
/* 取註冊碼6至9位字串的地址送edx */
017F:00410F6B  XOR       ESI,ESI
/* esi清零 */
017F:00410F6D  MOV       EAX,[EDX-08]
017F:00410F70  TEST      EAX,EAX
017F:00410F72  JLE       00410F8E
/* 長度大於零? */
017F:00410F74  MOVSX     ECX,BYTE PTR [EDX+ESI]
/* 依次取字串的每一位送ecx */
017F:00410F78  SUB       ECX,30
/* ecx=ecx-30h */
017F:00410F7B  CMP       ECX,09
017F:00410F7E  JLE       00410F83
/* 小於等於9? */
017F:00410F80  SUB       ECX,27
/* 不滿足就再減27h */
017F:00410F83  LEA       EDI,[EDI*8+EDI]
/* edi=edi*9,edi初值為零 */
017F:00410F86  INC       ESI
/* esi=esi+1 */
017F:00410F87  CMP       ESI,EAX
/* 是否取完? */
017F:00410F89  LEA       EDI,[EDI*2+ECX]
/* edi=edi*2+ecx,即最後取得的值送edi */
017F:00410F8C  JL        00410F74
/* 沒取完則返回繼續 */
017F:00410F8E  MOV       EDX,[EBP-20]
/* 取註冊碼11至14位字串的地址送edx */
017F:00410F91  XOR       ESI,ESI
017F:00410F93  XOR       ECX,ECX
017F:00410F95  MOV       [EBP-14],ESI
017F:00410F98  MOV       EBX,[EDX-08]
017F:00410F9B  TEST      EBX,EBX
017F:00410F9D  JLE       00410FC1
/* 沒有這段字串就跳走,且[ebp-14]置零 */
017F:00410F9F  JMP       00410FA4
017F:00410FA1  MOV       ESI,[EBP-14]
017F:00410FA4  MOVSX     EAX,BYTE PTR [EDX+ECX]
017F:00410FA8  SUB       EAX,30
017F:00410FAB  CMP       EAX,09
017F:00410FAE  JLE       00410FB3
017F:00410FB0  SUB       EAX,27
017F:00410FB3  LEA       ESI,[ESI*8+ESI]
017F:00410FB6  INC       ECX
017F:00410FB7  CMP       ECX,EBX
017F:00410FB9  LEA       EAX,[ESI*2+EAX]
017F:00410FBC  MOV       [EBP-14],EAX
017F:00410FBF  JL        00410FA1
/* 以上程式碼取註冊碼11至14位字串進行運算(如果有的話),運算結果儲存在[ebp-14] */
017F:00410FC1  MOV       EDX,[EBP-1C]
/* 取註冊碼16至19位字串的地址送edx */
017F:00410FC4  XOR       ESI,ESI
017F:00410FC6  XOR       ECX,ECX
017F:00410FC8  MOV       EBX,[EDX-08]
017F:00410FCB  TEST      EBX,EBX
017F:00410FCD  JLE       00410FE9
/* 沒有這段字串就跳走,且esi置零 */
017F:00410FCF  MOVSX     EAX,BYTE PTR [EDX+ECX]
017F:00410FD3  SUB       EAX,30
017F:00410FD6  CMP       EAX,09
017F:00410FD9  JLE       00410FDE
017F:00410FDB  SUB       EAX,27
017F:00410FDE  LEA       ESI,[ESI*8+ESI]
017F:00410FE1  INC       ECX
017F:00410FE2  CMP       ECX,EBX
017F:00410FE4  LEA       ESI,[ESI*2+EAX]
017F:00410FE7  JL        00410FCF
/* 以上程式碼取註冊碼16至19位字串進行運算(如果有的話),運算結果儲存在[ebp-14] */
017F:00410FE9  MOV       EBX,[EBP-18]
/* 取註冊碼21至24位字串的地址送edx */
017F:00410FEC  XOR       EDX,EDX
017F:00410FEE  XOR       ECX,ECX
017F:00410FF0  CMP       [EBX-08],EDX
017F:00410FF3  JLE       00411010
/* 沒有這段字串就跳走,且ecx置零 */
017F:00410FF5  MOVSX     EAX,BYTE PTR [EBX+EDX]
017F:00410FF9  SUB       EAX,30
017F:00410FFC  CMP       EAX,09
017F:00410FFF  JLE       00411004
017F:00411001  SUB       EAX,27
017F:00411004  LEA       ECX,[ECX*8+ECX]
017F:00411007  INC       EDX
017F:00411008  CMP       EDX,[EBX-08]
017F:0041100B  LEA       ECX,[ECX*2+EAX]
017F:0041100E  JL        00410FF5
/* 以上程式碼取註冊碼21至24位字串進行運算(如果有的話),運算結果儲存在[ebp-14] */
017F:00411010  MOV       EAX,[EBP-2C]
/* 取得關鍵值送eax */
017F:00411013  PUSH      03
017F:00411015  SUB       [EBP-14],EAX
017F:00411018  SUB       EDI,EAX
017F:0041101A  SUB       ESI,EAX
017F:0041101C  SUB       ECX,EAX
/* 四個運算結果分別減去eax,結果依次設為num2,num1,num3,num4 */
017F:0041101E  MOV       EAX,EDI
017F:00411020  POP       EBX
/* ebx=3 */
017F:00411021  CDQ
017F:00411022  IDIV      EBX
017F:00411024  TEST      EDX,EDX
/* 餘數是否為零 */
017F:00411026  JZ        0041102C
/* 為零就跳,意即num1能被3整除 */
017F:00411028  XOR       ESI,ESI
017F:0041102A  JMP       00411085
/* 上面不跳的話,這裡就直接走向出口,註冊失敗*/
017F:0041102C  MOV       EAX,[EBP-14]
017F:0041102F  PUSH      02
017F:00411031  CDQ
017F:00411032  POP       EBX
/* ebx=2 */
017F:00411033  IDIV      EBX
017F:00411035  TEST      EDX,EDX
017F:00411037  JNZ       00411028
/* 不能跳,意即num2能被2整除 */
017F:00411039  MOV       EAX,ESI
017F:0041103B  PUSH      06
017F:0041103D  CDQ
017F:0041103E  POP       EBX
/* ebx=6 */
017F:0041103F  IDIV      EBX
017F:00411041  TEST      EDX,EDX
017F:00411043  JNZ       00411028
/* 不能跳,意即num3能被6整除 */
017F:00411045  MOV       EAX,ECX
017F:00411047  PUSH      04
017F:00411049  CDQ
017F:0041104A  POP       EBX
/* ebx=4 */
017F:0041104B  IDIV      EBX
017F:0041104D  TEST      EDX,EDX
017F:0041104F  JNZ       00411028
/* 不能跳,意即num4能被4整除 */
017F:00411051  MOV       EDX,[EBP-14]
017F:00411054  LEA       EAX,[EDI+ESI]
/* eax=num1+num3 */
017F:00411057  ADD       ESI,EDX
/* esi=num3+num2 */
017F:00411059  PUSH      06
017F:0041105B  LEA       EBX,[EDX+ECX]
/* ebx=num2+num4 */
017F:0041105E  MOV       [EBP-2C],ESI
017F:00411061  XOR       EDX,EDX
017F:00411063  POP       ESI
017F:00411064  DIV       ESI
017F:00411066  ADD       ECX,EDI
/* ecx=num4+num1 */
017F:00411068  TEST      EDX,EDX
017F:0041106A  JNZ       00411028
/* num1+num3能被6整除 */
017F:0041106C  PUSH      03
017F:0041106E  MOV       EAX,EBX
017F:00411070  POP       ESI
017F:00411071  DIV       ESI
017F:00411073  TEST      EDX,EDX
017F:00411075  JNZ       00411028
/* num2+num4能被3整除 */
017F:00411077  TEST      BYTE PTR [EBP-2C],01
017F:0041107B  JNZ       00411028
/* num3+num2最末位不是1 */
017F:0041107D  TEST      CL,01
/* num4+num1最末位不是1 */
017F:00411080  JNZ       00411028
017F:00411082  PUSH      01
017F:00411084  POP       ESI
/* 上面兩句是給esi賦值1,由於esi的值最終要傳給eax作為返回值,這兩句必須走過 */
017F:00411085  LEA       ECX,[EBP-30]
017F:00411088  MOV       BYTE PTR [EBP-04],05
017F:0041108C  CALL      00428901
017F:00411091  LEA       ECX,[EBP-18]
017F:00411094  MOV       BYTE PTR [EBP-04],04
017F:00411098  CALL      00428901
017F:0041109D  LEA       ECX,[EBP-1C]
017F:004110A0  MOV       BYTE PTR [EBP-04],03
017F:004110A4  CALL      00428901
017F:004110A9  LEA       ECX,[EBP-20]
017F:004110AC  MOV       BYTE PTR [EBP-04],02
017F:004110B0  CALL      00428901
017F:004110B5  LEA       ECX,[EBP-24]
017F:004110B8  MOV       BYTE PTR [EBP-04],01
017F:004110BC  CALL      00428901
017F:004110C1  AND       BYTE PTR [EBP-04],00
017F:004110C5  LEA       ECX,[EBP-10]
017F:004110C8  CALL      00428901
017F:004110CD  OR        DWORD PTR [EBP-04],-01
017F:004110D1  LEA       ECX,[EBP+08]
017F:004110D4  CALL      00428901
017F:004110D9  MOV       ECX,[EBP-0C]
017F:004110DC  MOV       EAX,ESI
/* 返回值eax的值取決於esi */
017F:004110DE  POP       EDI
017F:004110DF  POP       ESI
017F:004110E0  POP       EBX
017F:004110E1  MOV       FS:[00000000],ECX
017F:004110E8  LEAVE
017F:004110E9  RET       0004
    以上運算過程與使用者名稱無關,因而是通用註冊碼。
******************************************************************
【整    理】:
     General Regcode:
  wb-677knun5hveu569uks3my
  wb-6fkefuyoiv60qmp6ivsbc
  wb-7yjb35yyzi13h28nyer3r
  wb-2lkr64f6bfugrvv433qt8
  wb-5fa6m7pg7zzipm179pu8r
  wb-7y3c8znz87lym0zhwq9h7

【Turbo C 序號產生器】:
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#include "ctype.h"
long calnum(char *start,char extra)
{int i;
 long num=0;
 char temp;
 for(i=0;i<4;i++)
    {temp=isdigit(start[i])?start[i]-0x30:start[i]-0x57;
     num=num*18+temp;
    }
 return num+extra;
}
void main()
{int i;
 long num[4];
 char regcode[22],regname[30];
 regcode[21]='\0';
 printf("\t*************************************************\n");
 printf("\n\t\tKeyGen for WindowBlinds V3.5 Enhanced\n\t\t\tProduced by cyclotron\n");
 printf("\n\t*************************************************\n");
 do
    printf("\n\tPlease input your Regname:");
 while(!strlen(gets(regname)));
 randomize();
 do
   {regcode[0]=0x30+random(10);
    for(i=1;i<21;i++)
       do
          regcode[i]=0x30+random(0x50);
       while(!isdigit(regcode[i])&&!islower(regcode[i]));
    for(i=0;i<4;i++)
       num[i]=calnum(regcode+2+i*5,regcode[0]);
   }
 while(num[0]%3||num[1]%2||num[2]%6||num[3]%4||(num[0]+num[2])%6||(num[1]+num[3])%3||(num[2]+num[1])&(num[3]+num[0])&1);
 printf("\n\tYour Regcode is:\twb-%s\n\n\tThank you for your use!",regcode);
 getchar();
}

________________________________________________________
【第二部分】:追蹤使用者名稱相關注冊碼!
017F:0040EE4C  LEA       EAX,[EBP-014C]
017F:0040EE52  PUSH      0040A4C0
/* 字元WB入棧 */
017F:0040EE57  PUSH      EAX
/* 存放WB的空地址入棧 */
017F:0040EE58  CALL      00417690
017F:0040EE5D  PUSH      DWORD PTR [ESI+5C]
/* 使用者名稱地址入棧 */
017F:0040EE60  LEA       EAX,[EBP-014C]
/* 這還是前面用於存放"WB"的地址 */
017F:0040EE66  PUSH      EAX
/* 地址入棧 */
017F:0040EE67  CALL      004176A0
/* 這個call把WB和使用者名稱連線起來 */
017F:0040EE6C  MOV       EAX,[ESI+5C]
/* 使用者名稱的地址 */
017F:0040EE6F  XOR       EBX,EBX
017F:0040EE71  ADD       ESP,10
017F:0040EE74  MOV       [EBP-28],EBX
017F:0040EE77  CMP       [EAX-08],EBX
/* 使用者名稱長度是否為零? */
017F:0040EE7A  JLE       0040EF1A
017F:0040EE80  LEA       EAX,[EBP-014C]
/* 字串“WBcyclotron”的地址 */
017F:0040EE86  MOV       DWORD PTR [EBP-10],00000001
017F:0040EE8D  SUB       [EBP-10],EAX
017F:0040EE90  FLD       REAL8 PTR [EBP-30]
/* 8位元組浮點數送st(0) */
  1).  80114111.103114
  2).  81527323.91804
    ……
017F:0040EE93  CALL      00416EF4
/* 取整送eax */
  1).  80114111即0x4C671BF
  2).  81527323即0x4DC021B
    ……
017F:0040EE98  PUSH      EAX
017F:0040EE99  CALL      0041785B
017F:0040EE9E  MOV       [EBP-18],EAX
/* 該整數送區域性變數(ebp-18) */
017F:0040EEA1  MOV       EAX,[ESI+5C]
/* eax取得使用者名稱地址 */
017F:0040EEA4  MOVZX     EDX,BYTE PTR [EBX+EBP-014C]
/* 依次取"WBcyclotron"的每一位 */
017F:0040EEAC  FILD      DWORD PTR [EBP-18]
/* (ebp-18)裝入st(0) */
  1).  st(0)=80114111
  2).  st(0)=81527323
    ……
017F:0040EEAF  POP       ECX
017F:0040EEB0  MOV       [EBP-18],EDX
017F:0040EEB3  MOV       ECX,[EAX-08]
/* ecx取得使用者名稱長度 */
017F:0040EEB6  LEA       EAX,[EBX+EBP-014C]
017F:0040EEBD  MOV       EDX,[EBP-10]
017F:0040EEC0  MOV       [EBP-1C],ECX
017F:0040EEC3  ADD       EDX,EAX
  1).  edx=1
  2).  edx=2
    ……
017F:0040EEC5  MOV       EAX,[EBP-18]
017F:0040EEC8  MOV       [EBP-2C],EDX
017F:0040EECB  CDQ
017F:0040EECC  FILD      DWORD PTR [EBP-2C]
  1).  (ebp-2C)=1
  2).  (ebp-2C)=2
    ……
017F:0040EECF  IDIV      ECX
017F:0040EED1  FMUL      REAL8 PTR [00401E68]
/* st(0)=st(0)*2.12 */
017F:0040EED7  FISUB     DWORD PTR [EBP-28]
  1).  (ebp-28)=0
  2).  (ebp-28)=1
    ……
017F:0040EEDA  MOV       ECX,000000FF
/* ecx=0xFF */
017F:0040EEDF  MOVZX     EAX,BYTE PTR [EDX+EBP-014C]
/* 根據餘數取得"WBcyclotron"中的字元 */
  1).  eax=0x6F
  1).  eax=0x79
    ……
017F:0040EEE7  IMUL      EAX,EBX
/* eax=eax*ebx */
017F:0040EEEA  MOV       [EBP-2C],EAX
/* 乘積送(ebp-2C) */
017F:0040EEED  MOV       EAX,[EBP-18]
/* eax取得剛才字元的ASCII值 */
017F:0040EEF0  CDQ
017F:0040EEF1  FILD      DWORD PTR [EBP-2C]
/* st(0)=(ebp-2C) */
017F:0040EEF4  IDIV      ECX
017F:0040EEF6  FMULP     ST(1),ST
/* st(1)=st(1)*st(0) */
017F:0040EEF8  INC       EBX
/* ebx++ */
017F:0040EEF9  CMP       EBX,[EBP-1C]
/* 是否取完使用者名稱 */
017F:0040EEFC  MOV       [EBP-28],EBX
/* (ebp-28)=ebx */
017F:0040EEFF  MOV       [EBP-2C],EAX
/* (ebp-2C)=eax */
017F:0040EF02  FILD      DWORD PTR [EBP-2C]
/* st(0)=(ebp-2C) */
017F:0040EF05  FADDP     ST(1),ST
/* st(1)=st(1)+st(0)並出棧 */
017F:0040EF07  FADD      REAL8 PTR [00401E60]
/* st(0)=st(0)+1.01764 */
017F:0040EF0D  FMUL      ST,ST(1)
/* st(0)=st(1)*st(0) */
017F:0040EF0F  FSTP      REAL8 PTR [EBP-30]
/* st(0)送(ebp-30)並出棧 */
017F:0040EF12  FSTP      ST(0)
/* st(0)出棧 */
017F:0040EF14  JL        0040EE90
/* 未取完則返回 */

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
以上運算用TC2.0實現:
#include "string.h"
#include "math.h"
double floatize(char *regname,char *link)
{int i,length;
 double time=80114111.103114;
 length=strlen(regname);
 strcpy(link+2,regname);
 for(i=0;i<length;i++)
  time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time);
 return time;
}
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
017F:0040EF1A  FLD       REAL8 PTR [EBP-30]
017F:0040EF1D  CALL      00416EF4
017F:0040EF22  PUSH      EAX
017F:0040EF23  CALL      0041785B
017F:0040EF28  MOV       [EBP-1C],EAX
017F:0040EF2B  MOV       EAX,[ESI+5C]
017F:0040EF2E  FILD      DWORD PTR [EBP-1C]
017F:0040EF31  MOV       EAX,[EAX-08]
/* 取得使用者名稱長度 */
017F:0040EF34  POP       ECX
017F:0040EF35  CMP       EAX,08
017F:0040EF38  JGE       0040EF3E
017F:0040EF3A  MOV       AL,0E
/* 使用者名稱長度小於8,則al=0xE */
017F:0040EF3C  JMP       0040EF49
017F:0040EF3E  CMP       EAX,1F
/* 使用者名稱長度大於等於8且小於0x1F的,al=strlen(regname)+0x6 */
017F:0040EF41  JGE       0040EF47
017F:0040EF43  ADD       AL,06
017F:0040EF45  JMP       0040EF49
017F:0040EF47  MOV       AL,17
/* 使用者名稱長度大於等於0x1F的,al=0x17 */
017F:0040EF49  MOVZX     EAX,AL
017F:0040EF4C  PUSH      EAX
017F:0040EF4D  LEA       EAX,[EBP-014C]
017F:0040EF53  PUSH      EAX
017F:0040EF54  CALL      00416EF4
017F:0040EF59  PUSH      EAX
017F:0040EF5A  CALL      00422A30
/* 關鍵call,進入(設al的值為divisor) */
017F:0040EF5F  ADD       ESP,0C
017F:0040EF62  LEA       ECX,[EBP-14]
017F:0040EF65  PUSH      0040A5AC
017F:0040EF6A  CALL      00428A3E
017F:0040EF6F  MOV       EAX,[0040BE60]
017F:0040EF74  LEA       ECX,[EBP-10]
017F:0040EF77  MOV       [EBP-10],EAX
017F:0040EF7A  LEA       EAX,[EBP-014C]
017F:0040EF80  PUSH      EAX
017F:0040EF81  CALL      00428A3E
017F:0040EF86  LEA       EAX,[EBP-10]
017F:0040EF89  LEA       ECX,[EBP-14]
017F:0040EF8C  PUSH      EAX
017F:0040EF8D  MOV       BYTE PTR [EBP-04],03
017F:0040EF91  CALL      00428C18
/* *eax指向1.x版的註冊碼 */
017F:0040EF96  LEA       ECX,[EBP-10]
017F:0040EF99  MOV       BYTE PTR [EBP-04],02
017F:0040EF9D  CALL      00428901
017F:0040EFA2  CMP       BYTE PTR [EBP-014C],77
017F:0040EFA9  JNZ       0040EFB2
017F:0040EFAB  MOV       BYTE PTR [EBP-014C],57
017F:0040EFB2  CMP       BYTE PTR [EBP-014B],62
017F:0040EFB9  JNZ       0040EFC2
017F:0040EFBB  MOV       BYTE PTR [EBP-014B],42
017F:0040EFC2  PUSH      DWORD PTR [EBP-14]
017F:0040EFC5  PUSH      DWORD PTR [EDI]
017F:0040EFC7  CALL      00417870
017F:0040EFCC  XOR       EBX,EBX
017F:0040EFCE  POP       ECX
017F:0040EFCF  CMP       EAX,EBX
017F:0040EFD1  POP       ECX
017F:0040EFD2  JNZ       0040F016
/* 比較是否為1.x版的註冊碼 */
017F:0040EFD4  PUSH      0040A4AC
017F:0040EFD9  PUSH      DWORD PTR [ESI+5C]
017F:0040EFDC  CALL      00417870
017F:0040EFE1  POP       ECX
017F:0040EFE2  CMP       EAX,EBX
017F:0040EFE4  POP       ECX
017F:0040EFE5  JZ        0040F016
017F:0040EFE7  PUSH      EBX
017F:0040EFE8  LEA       ECX,[EBP-01A8]
017F:0040EFEE  CALL      0040E74F
017F:0040EFF3  LEA       ECX,[EBP-01A8]
017F:0040EFF9  MOV       BYTE PTR [EBP-04],05
017F:0040EFFD  CALL      0042828A
017F:0040F002  LEA       ECX,[EBP-01A8]
017F:0040F008  MOV       BYTE PTR [EBP-04],02
017F:0040F00C  CALL      00427EC0
017F:0040F011  JMP       0040F2A7
017F:0040F016  FLD       REAL8 PTR [00401E58]
017F:0040F01C  LEA       EAX,[EBP-02A8]
017F:0040F022  PUSH      0040A4C0
017F:0040F027  FSTP      REAL8 PTR [EBP-20]
/* 4111.103114送st(0),下面部分的計算和前面的完全一樣 */
017F:0040F02A  PUSH      EAX
017F:0040F02B  CALL      00417690
017F:0040F030  PUSH      DWORD PTR [ESI+5C]
017F:0040F033  LEA       EAX,[EBP-02A8]
017F:0040F039  PUSH      EAX
017F:0040F03A  CALL      004176A0
017F:0040F03F  MOV       EAX,[ESI+5C]
017F:0040F042  ADD       ESP,10
017F:0040F045  MOV       [EBP-28],EBX
017F:0040F048  CMP       DWORD PTR [EAX-08],00
017F:0040F04C  JLE       0040F0EC
017F:0040F052  LEA       EAX,[EBP-02A8]
017F:0040F058  MOV       DWORD PTR [EBP-10],00000001
017F:0040F05F  SUB       [EBP-10],EAX
017F:0040F062  FLD       REAL8 PTR [EBP-20]
017F:0040F065  CALL      00416EF4
017F:0040F06A  PUSH      EAX
017F:0040F06B  CALL      0041785B
017F:0040F070  MOV       [EBP-1C],EAX
017F:0040F073  MOV       EAX,[ESI+5C]
017F:0040F076  MOVZX     EDX,BYTE PTR [EBX+EBP-02A8]
017F:0040F07E  FILD      DWORD PTR [EBP-1C]
017F:0040F081  POP       ECX
017F:0040F082  MOV       [EBP-18],EDX
017F:0040F085  MOV       ECX,[EAX-08]
017F:0040F088  LEA       EAX,[EBX+EBP-02A8]
017F:0040F08F  MOV       EDX,[EBP-10]
017F:0040F092  MOV       [EBP-2C],ECX
017F:0040F095  ADD       EDX,EAX
017F:0040F097  MOV       EAX,[EBP-18]
017F:0040F09A  MOV       [EBP-1C],EDX
017F:0040F09D  CDQ
017F:0040F09E  FILD      DWORD PTR [EBP-1C]
017F:0040F0A1  IDIV      ECX
017F:0040F0A3  FMUL      REAL8 PTR [00401E68]
/* 這裡也是2.12 */
017F:0040F0A9  FISUB     DWORD PTR [EBP-28]
017F:0040F0AC  MOV       ECX,000000D3
/* 注意這裡ecx=0xD3 */
017F:0040F0B1  MOVZX     EAX,BYTE PTR [EDX+EBP-02A8]
017F:0040F0B9  IMUL      EAX,EBX
017F:0040F0BC  MOV       [EBP-1C],EAX
017F:0040F0BF  MOV       EAX,[EBP-18]
017F:0040F0C2  CDQ
017F:0040F0C3  FILD      DWORD PTR [EBP-1C]
017F:0040F0C6  IDIV      ECX
017F:0040F0C8  FMULP     ST(1),ST
017F:0040F0CA  INC       EBX
017F:0040F0CB  CMP       EBX,[EBP-2C]
017F:0040F0CE  MOV       [EBP-28],EBX
017F:0040F0D1  MOV       [EBP-1C],EAX
017F:0040F0D4  FILD      DWORD PTR [EBP-1C]
017F:0040F0D7  FADDP     ST(1),ST
017F:0040F0D9  FADD      REAL8 PTR [00401E60]
017F:0040F0DF  FMUL      ST,ST(1)
017F:0040F0E1  FSTP      REAL8 PTR [EBP-20]
017F:0040F0E4  FSTP      ST(0)
017F:0040F0E6  JL        0040F062
017F:0040F0EC  FLD       REAL8 PTR [EBP-20]
017F:0040F0EF  CALL      00416EF4
017F:0040F0F4  PUSH      EAX
017F:0040F0F5  CALL      0041785B
017F:0040F0FA  MOV       [EBP-1C],EAX
017F:0040F0FD  MOV       EAX,[ESI+5C]
017F:0040F100  FILD      DWORD PTR [EBP-1C]
017F:0040F103  MOV       EAX,[EAX-08]
017F:0040F106  POP       ECX
017F:0040F107  CMP       EAX,08
017F:0040F10A  JGE       0040F110
/* 使用者名稱長度小於8,則al=0x10 */
017F:0040F10C  MOV       AL,10
017F:0040F10E  JMP       0040F11B
017F:0040F110  CMP       EAX,0F
017F:0040F113  JGE       0040F119
017F:0040F115  ADD       AL,08
/* 使用者名稱長度大於等於8且小於0xF的,al=strlen(regname)+0x8 */
017F:0040F117  JMP       0040F11B
017F:0040F119  MOV       AL,17
/* 使用者名稱長度大於等於0xF的,al=0x17 */
017F:0040F11B  MOVZX     EAX,AL
017F:0040F11E  PUSH      EAX
017F:0040F11F  LEA       EAX,[EBP-02A8]
017F:0040F125  PUSH      EAX
017F:0040F126  CALL      00416EF4
017F:0040F12B  PUSH      EAX
017F:0040F12C  CALL      00422A30
/* 這個跟前面的call一樣 */
017F:0040F131  ADD       ESP,0C
017F:0040F134  LEA       ECX,[EBP-14]
017F:0040F137  PUSH      0040A5AC
017F:0040F13C  CALL      00428A3E
017F:0040F141  MOV       EAX,[0040BE60]
017F:0040F146  LEA       ECX,[EBP-10]
017F:0040F149  MOV       [EBP-10],EAX
017F:0040F14C  LEA       EAX,[EBP-02A8]
017F:0040F152  PUSH      EAX
017F:0040F153  CALL      00428A3E
017F:0040F158  LEA       EAX,[EBP-10]
017F:0040F15B  LEA       ECX,[EBP-14]
017F:0040F15E  PUSH      EAX
017F:0040F15F  MOV       BYTE PTR [EBP-04],04
017F:0040F163  CALL      00428C18
/* *eax指向真正的註冊碼 */
017F:0040F168  LEA       ECX,[EBP-10]
017F:0040F16B  MOV       BYTE PTR [EBP-04],02
017F:0040F16F  CALL      00428901
017F:0040F174  PUSH      DWORD PTR [EBP-14]
/* 真正的註冊碼 */
017F:0040F177  PUSH      DWORD PTR [EDI]
/* 試煉碼 */
017F:0040F179  CALL      00417870
017F:0040F17E  POP       ECX
017F:0040F17F  TEST      EAX,EAX
017F:0040F181  POP       ECX
017F:0040F182  JZ        0040F19C
017F:0040F184  PUSH      10
017F:0040F186  PUSH      0040A49C
017F:0040F18B  PUSH      0040A3E4
**********************************************************
017F:0040EF5A  CALL      00422A30 進入:

017F:00422A30  PUSH      EBP
017F:00422A31  MOV       EBP,ESP
017F:00422A33  XOR       EAX,EAX
017F:00422A35  CMP       DWORD PTR [EBP+10],0A
017F:00422A39  JNZ       00422A43
017F:00422A3B  CMP       [EBP+08],EAX
017F:00422A3E  JGE       00422A43
017F:00422A40  PUSH      01
017F:00422A42  POP       EAX
017F:00422A43  PUSH      EAX
017F:00422A44  PUSH      DWORD PTR [EBP+10]
017F:00422A47  PUSH      DWORD PTR [EBP+0C]
017F:00422A4A  PUSH      DWORD PTR [EBP+08]
017F:00422A4D  CALL      004229D4
/* 關鍵,進入 */
017F:00422A52  MOV       EAX,[EBP+0C]
017F:00422A55  ADD       ESP,10
017F:00422A58  POP       EBP
017F:00422A59  RET
**********************************************
017F:00422A4D  CALL      004229D4 進入:

017F:004229D4  PUSH      EBP
017F:004229D5  MOV       EBP,ESP
017F:004229D7  CMP       DWORD PTR [EBP+14],00
017F:004229DB  MOV       ECX,[EBP+0C]
017F:004229DE  PUSH      EBX
017F:004229DF  PUSH      ESI
017F:004229E0  PUSH      EDI
017F:004229E1  JZ        004229EE
017F:004229E3  MOV       ESI,[EBP+08]
017F:004229E6  MOV       BYTE PTR [ECX],2D
017F:004229E9  INC       ECX
017F:004229EA  NEG       ESI
017F:004229EC  JMP       004229F1
017F:004229EE  MOV       ESI,[EBP+08]
017F:004229F1  MOV       EDI,ECX
017F:004229F3  MOV       EAX,ESI
/* 取得前面一輪浮點運算結果取整後的值 */
017F:004229F5  XOR       EDX,EDX
017F:004229F7  DIV       DWORD PTR [EBP+10]
/* 無符號除法,除數為divisor */
017F:004229FA  MOV       EAX,ESI
017F:004229FC  MOV       EBX,EDX
017F:004229FE  XOR       EDX,EDX
017F:00422A00  DIV       DWORD PTR [EBP+10]
017F:00422A03  CMP       EBX,09
/* 餘數是否大於等於9 */
017F:00422A06  MOV       ESI,EAX
017F:00422A08  JBE       00422A0F
017F:00422A0A  ADD       BL,57
/* 小於9就加57h */
017F:00422A0D  JMP       00422A12
017F:00422A0F  ADD       BL,30
/* 餘數大於等於9就加30h */
017F:00422A12  MOV       [ECX],BL
/* 儲存至ecx指向的記憶體單元 */
017F:00422A14  INC       ECX
017F:00422A15  TEST      ESI,ESI
017F:00422A17  JA        004229F3
017F:00422A19  AND       BYTE PTR [ECX],00
017F:00422A1C  DEC       ECX
017F:00422A1D  MOV       DL,[EDI]
017F:00422A1F  MOV       AL,[ECX]
017F:00422A21  MOV       [ECX],DL
017F:00422A23  MOV       [EDI],AL
017F:00422A25  DEC       ECX
017F:00422A26  INC       EDI
017F:00422A27  CMP       EDI,ECX
017F:00422A29  JB        00422A1D
/* 上面這段程式碼將運算獲得的字串逆序儲存 */
017F:00422A2B  POP       EDI
017F:00422A2C  POP       ESI
017F:00422A2D  POP       EBX
017F:00422A2E  POP       EBP
017F:00422A2F  RET
【整理】:
  name:cyclotron[BCG]
  code:WB-hcjfb89

【Turbo C 序號產生器】:
#include "stdio.h"
#include "string.h"
#include "math.h"
#define ABS(x) x>0?x:-x
double floatize(char *regname,char *link)
  {int i,length;
   double time=4111.103114;
   length=strlen(regname);
   strcpy(link+2,regname);
   for(i=0;i<length;i++)
    time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time);
   return time;
  }
void genereverse(int length,char *link,unsigned long power)
  {int i=0,j=0,divisor,rest;
   if(length<8) divisor=0x10;
     else if(length>=8&&length<0xF) divisor=length+8;
       else divisor=0x17;
   do
     {rest=power%divisor;
      power/=divisor;
      link[i++]=rest<=9?rest+0x30:rest+0x57;
     }
   while(power);
   link[i]='\0';
   do
     {link[--i]^=link[j];
      link[j]^=link[i];
      link[i]^=link[j++];
     }
   while(i-1>j);
  }
void main()
  {char regname[30],regcode[13],link[32];
   double iptr;
   link[0]=regcode[0]='W';
   link[1]=regcode[1]='B';
   regcode[2]='-';
   printf("\t***********************************************\n");
   printf("\n\t\tKeyGen for WindowBlinds V3.5\n\t\t(Generating Regname-related Regcode)");
   printf("\n\t\t\tProduced by cyclotron\n");
   printf("\n\t***********************************************\n");
   do
     printf("\n\tPlease input your Regname:");
   while(!strlen(gets(regname)));
   modf(floatize(regname,link),&iptr);
   genereverse(strlen(regname),link,ABS((long)iptr));
   strcpy(regcode+3,link);
   printf("\n\tYour Regcode is:\t%s\n",regcode);
   printf("\n\tThank you for your use!\n");
   getchar();
  }


             cyclotron[BCG][DFCG][FCG][OCN]
                                                    2004.4

相關文章