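["May Day" gift] The Complete WindowBlinds Cracking Guide
[Software name]: WindowBlinds V3.5 Enhanced
[Software language]: English
[Software category]: Foreign software / Shareware / Desktop utility
[Platform]: Win9x/NT/2000/XP
[Developer]: http://www.stardock.com/
[Software description]:
Besides letting you use a BMP image as the background of a program, this software can make the title bar of every window in Windows look like Mac OS8 or BeOS. You can also give the Windows 95 title bar a gradient like the one in Windows 98, with a customizable gradient color, and the title text can be centered instead of sitting at the default left position. You may also have noticed that most new software now uses "floating" toolbar buttons, which rise when the mouse moves over them and look nicer and more three-dimensional, while some programs (such as ACDSee and NetTerm) still use the old button style; this software can convert them all to "floating" buttons. There are many other features, such as making the text background of desktop icons transparent, which are not covered here; download it and try it yourself.
[Author]: cyclotron[BCG][DFCG][FCG][OCN]
[Cracking process]: Set a breakpoint on GetWindowTextA, which lands at the code below. (The following code was captured with SoftICE; W32Dasm does not seem to be able to disassemble Wload.exe.)
[Part 1]: Tracing the user-name-independent registration code
Code: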
017F:0040ED69  MOV EBX,0040A660
017F:0040ED6E  LEA ECX,[EBP-4C]
017F:0040ED71  PUSH EBX
017F:0040ED72  CALL 00428F0E
017F:0040ED77  PUSH 0040A658
017F:0040ED7C  LEA ECX,[EBP-4C]
017F:0040ED7F  CALL 00428F0E
017F:0040ED84  PUSH DWORD PTR [ESI+5C]
017F:0040ED87  LEA ECX,[EBP-4C]
017F:0040ED8A  CALL 00428F0E
017F:0040ED8F  PUSH EBX
017F:0040ED90  LEA ECX,[EBP-4C]
017F:0040ED93  CALL 00428F0E
017F:0040ED98  LEA ECX,[EBP-4C]
017F:0040ED9B  CALL 004290CB
017F:0040EDA0  PUSH 0040A64C  /* push the blacklisted code wb-g1de774 */
017F:0040EDA5  PUSH DWORD PTR [EDI]  /* push the entered (trial) code */
017F:0040EDA7  CALL 00417870
017F:0040EDAC  POP ECX
017F:0040EDAD  TEST EAX,EAX
017F:0040EDAF  POP ECX
017F:0040EDB0  JNZ 0040EDD3
017F:0040EDB2  PUSH 10
017F:0040EDB4  PUSH 0040A634
017F:0040EDB9  PUSH 0040A5C0
017F:0040EDBE  PUSH 0040A5B8
017F:0040EDC3  PUSH 0040A5B0
017F:0040EDC8  CALL 0040F4A2
017F:0040EDCD  PUSH EAX
017F:0040EDCE  JMP 0040F190
017F:0040EDD3  LEA EAX,[EBP-18]
017F:0040EDD6  PUSH 03
017F:0040EDD8  PUSH EAX
017F:0040EDD9  MOV ECX,EDI
017F:0040EDDB  CALL 00423811
017F:0040EDE0  PUSH 0040A5AC
017F:0040EDE5  PUSH DWORD PTR [EAX]
017F:0040EDE7  CALL 00417870  /* compare whether the first three characters of the serial are WB- */
017F:0040EDEC  POP ECX
017F:0040EDED  POP ECX
017F:0040EDEE  TEST EAX,EAX
017F:0040EDF0  LEA ECX,[EBP-18]
017F:0040EDF3  SETNZ BL
017F:0040EDF6  CALL 00428901
017F:0040EDFB  TEST BL,BL
017F:0040EDFD  JZ 0040EE4C  /* jumps when the comparison matches; the target is the verification of the user-name-dependent registration code (see Part 2). In my tests, however, if this jump is not taken, registration still succeeds as long as the key call below returns 1 */
017F:0040EDFF  PUSH ECX
017F:0040EE00  MOV ECX,ESP
017F:0040EE02  MOV [EBP-1C],ESP
017F:0040EE05  PUSH EDI
017F:0040EE06  CALL 00428676
017F:0040EE0B  CALL 00410E1C  /* key call, step into it */
017F:0040EE10  TEST EAX,EAX
017F:0040EE12  JZ 0040EDB2  /* key jump */
017F:0040EE14  MOV EAX,0040A5A4
017F:0040EE19  PUSH 40
017F:0040EE1B  PUSH EAX
017F:0040EE1C  PUSH 0040A56C
017F:0040EE21  PUSH EAX
017F:0040EE22  PUSH 0040A5B0
017F:0040EE27  CALL 0040F4A2
017F:0040EE2C  PUSH EAX
017F:0040EE2D  MOV ECX,ESI
017F:0040EE2F  CALL 00425ECA
017F:0040EE34  PUSH 40
017F:0040EE36  PUSH 0040A54C
017F:0040EE3B  PUSH 0040A4C4
017F:0040EE40  MOV ECX,ESI
017F:0040EE42  CALL 00425ECA
017F:0040EE47  JMP 0040F1D5
017F:0040EE4C  LEA EAX,[EBP-014C]
017F:0040EE52  PUSH 0040A4C0
017F:0040EE57  PUSH EAX
017F:0040EE58  CALL 00417690
017F:0040EE5D  PUSH DWORD PTR [ESI+5C]
017F:0040EE60  LEA EAX,[EBP-014C]
017F:0040EE66  PUSH EAX
017F:0040EE67  CALL 004176A0
**********************************************************
Key CALL 00410E1C:
017F:00410E1C  MOV EAX,0042F800
017F:00410E21  CALL 0041762C
017F:00410E26  SUB ESP,24
017F:00410E29  PUSH EBX
017F:00410E2A  PUSH ESI
017F:00410E2B  PUSH EDI
017F:00410E2C  MOV EAX,[0040BE60]
017F:00410E31  XOR EDI,EDI
017F:00410E33  MOV [EBP-04],EDI
017F:00410E36  MOV [EBP-10],EAX
017F:00410E39  LEA EAX,[EBP+08]
017F:00410E3C  LEA ECX,[EBP-10]
017F:00410E3F  PUSH EAX
017F:00410E40  MOV BYTE PTR [EBP-04],01
017F:00410E44  CALL 004289EE
017F:00410E49  LEA ECX,[EBP-10]
017F:00410E4C  CALL 00428D14  /* this call converts every uppercase letter in the registration code to lowercase */
017F:00410E51  LEA EAX,[EBP-14]
017F:00410E54  PUSH 02
017F:00410E56  PUSH EAX
017F:00410E57  LEA ECX,[EBP-10]
017F:00410E5A  CALL 00423811
017F:00410E5F  PUSH 0040B030  /* push "wb" */
017F:00410E64  PUSH DWORD PTR [EAX]  /* push the first two characters of the serial */
017F:00410E66  CALL 00417870  /* compare them */
017F:00410E6B  POP ECX
017F:00410E6C  CMP EAX,EDI
017F:00410E6E  POP ECX
017F:00410E6F  LEA ECX,[EBP-14]
017F:00410E72  SETNZ BL
017F:00410E75  CALL 00428901
017F:00410E7A  TEST BL,BL
017F:00410E7C  JZ 00410E85  /* jumps if the first two characters of the serial are wb */
017F:00410E7E  XOR ESI,ESI
017F:00410E80  JMP 004110C1
017F:00410E85  PUSH 02
017F:00410E87  LEA EAX,[EBP-14]
017F:00410E8A  PUSH 02
017F:00410E8C  PUSH EAX
017F:00410E8D  LEA ECX,[EBP-10]
017F:00410E90  CALL 004236FF
017F:00410E95  PUSH DWORD PTR [EAX]
017F:00410E97  CALL 0041797F  /* a very important call; its return value is in eax */
017F:00410E9C  POP ECX
017F:00410E9D  MOV [EBP-2C],EAX  /* [ebp-2c] holds a key value that is used later. According to the call above, it depends on the fourth character of the registration code: if the fourth character is a digit i, the value is dword[neg i]; if it is not a digit, the value is always dword 0 */
017F:00410EA0  LEA ECX,[EBP-14]
017F:00410EA3  CALL 00428901
017F:00410EA8  MOV EAX,[0040BE60]
017F:00410EAD  MOV [EBP-24],EAX
017F:00410EB0  MOV [EBP-20],EAX
017F:00410EB3  MOV [EBP-1C],EAX
017F:00410EB6  MOV [EBP-18],EAX
017F:00410EB9  PUSH 04
017F:00410EBB  LEA EAX,[EBP-14]
017F:00410EBE  POP ESI
017F:00410EBF  LEA ECX,[EBP-10]
017F:00410EC2  PUSH ESI
017F:00410EC3  PUSH 05
017F:00410EC5  PUSH EAX
017F:00410EC6  MOV BYTE PTR [EBP-04],05
017F:00410ECA  CALL 004236FF  /* extract characters 6 to 9 of the registration code; the string address is returned in *eax */
017F:00410ECF  PUSH EAX
017F:00410ED0  LEA ECX,[EBP-24]
017F:00410ED3  MOV BYTE PTR [EBP-04],06
017F:00410ED7  CALL 004289EE
017F:00410EDC  LEA ECX,[EBP-14]
017F:00410EDF  MOV BYTE PTR [EBP-04],05
017F:00410EE3  CALL 00428901
017F:00410EE8  PUSH ESI
017F:00410EE9  LEA EAX,[EBP-14]
017F:00410EEC  PUSH 0A
017F:00410EEE  PUSH EAX
017F:00410EEF  LEA ECX,[EBP-10]
017F:00410EF2  CALL 004236FF  /* extract characters 11 to 14 of the registration code (if present); the string address is returned in *eax */
017F:00410EF7  PUSH EAX
017F:00410EF8  LEA ECX,[EBP-20]
017F:00410EFB  MOV BYTE PTR [EBP-04],07
017F:00410EFF  CALL 004289EE
017F:00410F04  LEA ECX,[EBP-14]
017F:00410F07  MOV BYTE PTR [EBP-04],05
017F:00410F0B  CALL 00428901
017F:00410F10  PUSH ESI
017F:00410F11  LEA EAX,[EBP-14]
017F:00410F14  PUSH 0F
017F:00410F16  PUSH EAX
017F:00410F17  LEA ECX,[EBP-10]
017F:00410F1A  CALL 004236FF  /* extract characters 16 to 19 of the registration code (if present); the string address is returned in *eax */
017F:00410F1F  PUSH EAX
017F:00410F20  LEA ECX,[EBP-1C]
017F:00410F23  MOV BYTE PTR [EBP-04],08
017F:00410F27  CALL 004289EE
017F:00410F2C  LEA ECX,[EBP-14]
017F:00410F2F  MOV BYTE PTR [EBP-04],05
017F:00410F33  CALL 00428901
017F:00410F38  PUSH ESI
017F:00410F39  LEA EAX,[EBP-28]
017F:00410F3C  PUSH 14
017F:00410F3E  PUSH EAX
017F:00410F3F  LEA ECX,[EBP-10]
017F:00410F42  CALL 004236FF  /* extract characters 21 to 24 of the registration code (if present); the string address is returned in *eax */
017F:00410F47  PUSH EAX
017F:00410F48  LEA ECX,[EBP-18]
017F:00410F4B  MOV BYTE PTR [EBP-04],09
017F:00410F4F  CALL 004289EE
017F:00410F54  LEA ECX,[EBP-28]
017F:00410F57  MOV BYTE PTR [EBP-04],05
017F:00410F5B  CALL 00428901
017F:00410F60  MOV EAX,[0040BE60]
017F:00410F65  MOV [EBP-30],EAX
017F:00410F68  MOV EDX,[EBP-24]  /* load the address of the string holding characters 6 to 9 into edx */
017F:00410F6B  XOR ESI,ESI  /* clear esi */
017F:00410F6D  MOV EAX,[EDX-08]
017F:00410F70  TEST EAX,EAX
017F:00410F72  JLE 00410F8E  /* is the length greater than zero? */
017F:00410F74  MOVSX ECX,BYTE PTR [EDX+ESI]  /* load each character of the string into ecx in turn */
017F:00410F78  SUB ECX,30  /* ecx=ecx-30h */
017F:00410F7B  CMP ECX,09
017F:00410F7E  JLE 00410F83  /* less than or equal to 9? */
017F:00410F80  SUB ECX,27  /* if not, subtract a further 27h */
017F:00410F83  LEA EDI,[EDI*8+EDI]  /* edi=edi*9; edi starts at zero */
017F:00410F86  INC ESI  /* esi=esi+1 */
017F:00410F87  CMP ESI,EAX  /* all characters consumed? */
017F:00410F89  LEA EDI,[EDI*2+ECX]  /* edi=edi*2+ecx, so the final value ends up in edi */
017F:00410F8C  JL 00410F74  /* not finished: loop again */
017F:00410F8E  MOV EDX,[EBP-20]  /* load the address of the string holding characters 11 to 14 into edx */
017F:00410F91  XOR ESI,ESI
017F:00410F93  XOR ECX,ECX
017F:00410F95  MOV [EBP-14],ESI
017F:00410F98  MOV EBX,[EDX-08]
017F:00410F9B  TEST EBX,EBX
017F:00410F9D  JLE 00410FC1  /* if this substring is absent, skip it and leave [ebp-14] at zero */
017F:00410F9F  JMP 00410FA4
017F:00410FA1  MOV ESI,[EBP-14]
017F:00410FA4  MOVSX EAX,BYTE PTR [EDX+ECX]
017F:00410FA8  SUB EAX,30
017F:00410FAB  CMP EAX,09
017F:00410FAE  JLE 00410FB3
017F:00410FB0  SUB EAX,27
017F:00410FB3  LEA ESI,[ESI*8+ESI]
017F:00410FB6  INC ECX
017F:00410FB7  CMP ECX,EBX
017F:00410FB9  LEA EAX,[ESI*2+EAX]
017F:00410FBC  MOV [EBP-14],EAX
017F:00410FBF  JL 00410FA1  /* the code above runs the same computation on characters 11 to 14 of the registration code (if present) and stores the result in [ebp-14] */
017F:00410FC1  MOV EDX,[EBP-1C]  /* load the address of the string holding characters 16 to 19 into edx */
017F:00410FC4  XOR ESI,ESI
017F:00410FC6  XOR ECX,ECX
017F:00410FC8  MOV EBX,[EDX-08]
017F:00410FCB  TEST EBX,EBX
017F:00410FCD  JLE 00410FE9  /* if this substring is absent, skip it and leave esi at zero */
017F:00410FCF  MOVSX EAX,BYTE PTR [EDX+ECX]
017F:00410FD3  SUB EAX,30
017F:00410FD6  CMP EAX,09
017F:00410FD9  JLE 00410FDE
017F:00410FDB  SUB EAX,27
017F:00410FDE  LEA ESI,[ESI*8+ESI]
017F:00410FE1  INC ECX
017F:00410FE2  CMP ECX,EBX
017F:00410FE4  LEA ESI,[ESI*2+EAX]
017F:00410FE7  JL 00410FCF  /* the code above runs the same computation on characters 16 to 19 of the registration code (if present) and leaves the result in esi */
017F:00410FE9  MOV EBX,[EBP-18]  /* load the address of the string holding characters 21 to 24 into ebx */
017F:00410FEC  XOR EDX,EDX
017F:00410FEE  XOR ECX,ECX
017F:00410FF0  CMP [EBX-08],EDX
017F:00410FF3  JLE 00411010  /* if this substring is absent, skip it and leave ecx at zero */
017F:00410FF5  MOVSX EAX,BYTE PTR [EBX+EDX]
017F:00410FF9  SUB EAX,30
017F:00410FFC  CMP EAX,09
017F:00410FFF  JLE 00411004
017F:00411001  SUB EAX,27
017F:00411004  LEA ECX,[ECX*8+ECX]
017F:00411007  INC EDX
017F:00411008  CMP EDX,[EBX-08]
017F:0041100B  LEA ECX,[ECX*2+EAX]
017F:0041100E  JL 00410FF5  /* the code above runs the same computation on characters 21 to 24 of the registration code (if present) and leaves the result in ecx */
017F:00411010  MOV EAX,[EBP-2C]  /* load the key value into eax */
017F:00411013  PUSH 03
017F:00411015  SUB [EBP-14],EAX
017F:00411018  SUB EDI,EAX
017F:0041101A  SUB ESI,EAX
017F:0041101C  SUB ECX,EAX  /* eax is subtracted from each of the four results; call the results num2, num1, num3 and num4, in that order */
017F:0041101E  MOV EAX,EDI
017F:00411020  POP EBX  /* ebx=3 */
017F:00411021  CDQ
017F:00411022  IDIV EBX
017F:00411024  TEST EDX,EDX  /* is the remainder zero? */
017F:00411026  JZ 0041102C  /* jumps if it is zero, i.e. num1 must be divisible by 3 */
017F:00411028  XOR ESI,ESI
017F:0041102A  JMP 00411085  /* if the jump above is not taken, execution goes straight to the exit and registration fails */
017F:0041102C  MOV EAX,[EBP-14]
017F:0041102F  PUSH 02
017F:00411031  CDQ
017F:00411032  POP EBX  /* ebx=2 */
017F:00411033  IDIV EBX
017F:00411035  TEST EDX,EDX
017F:00411037  JNZ 00411028  /* must not jump, i.e. num2 must be divisible by 2 */
017F:00411039  MOV EAX,ESI
017F:0041103B  PUSH 06
017F:0041103D  CDQ
017F:0041103E  POP EBX  /* ebx=6 */
017F:0041103F  IDIV EBX
017F:00411041  TEST EDX,EDX
017F:00411043  JNZ 00411028  /* must not jump, i.e. num3 must be divisible by 6 */
017F:00411045  MOV EAX,ECX
017F:00411047  PUSH 04
017F:00411049  CDQ
017F:0041104A  POP EBX  /* ebx=4 */
017F:0041104B  IDIV EBX
017F:0041104D  TEST EDX,EDX
017F:0041104F  JNZ 00411028  /* must not jump, i.e. num4 must be divisible by 4 */
017F:00411051  MOV EDX,[EBP-14]
017F:00411054  LEA EAX,[EDI+ESI]  /* eax=num1+num3 */
017F:00411057  ADD ESI,EDX  /* esi=num3+num2 */
017F:00411059  PUSH 06
017F:0041105B  LEA EBX,[EDX+ECX]  /* ebx=num2+num4 */
017F:0041105E  MOV [EBP-2C],ESI
017F:00411061  XOR EDX,EDX
017F:00411063  POP ESI
017F:00411064  DIV ESI
017F:00411066  ADD ECX,EDI  /* ecx=num4+num1 */
017F:00411068  TEST EDX,EDX
017F:0041106A  JNZ 00411028  /* num1+num3 must be divisible by 6 */
017F:0041106C  PUSH 03
017F:0041106E  MOV EAX,EBX
017F:00411070  POP ESI
017F:00411071  DIV ESI
017F:00411073  TEST EDX,EDX
017F:00411075  JNZ 00411028  /* num2+num4 must be divisible by 3 */
017F:00411077  TEST BYTE PTR [EBP-2C],01
017F:0041107B  JNZ 00411028  /* the lowest bit of num3+num2 must not be 1 */
017F:0041107D  TEST CL,01  /* the lowest bit of num4+num1 must not be 1 */
017F:00411080  JNZ 00411028
017F:00411082  PUSH 01
017F:00411084  POP ESI  /* the two instructions above set esi to 1; because esi is eventually passed to eax as the return value, execution must pass through them */
017F:00411085  LEA ECX,[EBP-30]
017F:00411088  MOV BYTE PTR [EBP-04],05
017F:0041108C  CALL 00428901
017F:00411091  LEA ECX,[EBP-18]
017F:00411094  MOV BYTE PTR [EBP-04],04
017F:00411098  CALL 00428901
017F:0041109D  LEA ECX,[EBP-1C]
017F:004110A0  MOV BYTE PTR [EBP-04],03
017F:004110A4  CALL 00428901
017F:004110A9  LEA ECX,[EBP-20]
017F:004110AC  MOV BYTE PTR [EBP-04],02
017F:004110B0  CALL 00428901
017F:004110B5  LEA ECX,[EBP-24]
017F:004110B8  MOV BYTE PTR [EBP-04],01
017F:004110BC  CALL 00428901
017F:004110C1  AND BYTE PTR [EBP-04],00
017F:004110C5  LEA ECX,[EBP-10]
017F:004110C8  CALL 00428901
017F:004110CD  OR DWORD PTR [EBP-04],-01
017F:004110D1  LEA ECX,[EBP+08]
017F:004110D4  CALL 00428901
017F:004110D9  MOV ECX,[EBP-0C]
017F:004110DC  MOV EAX,ESI  /* the return value in eax depends on esi */
017F:004110DE  POP EDI
017F:004110DF  POP ESI
017F:004110E0  POP EBX
017F:004110E1  MOV FS:[00000000],ECX
017F:004110E8  LEAVE
017F:004110E9  RET 0004
The computation above does not involve the user name, so a code that passes it is a universal registration code.
******************************************************************
[Turbo C serial generator]:
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#include "ctype.h"

long calnum(char *start,char extra)
{
    int i;
    long num=0;
    char temp;
    for(i=0;i<4;i++)
    {
        temp=isdigit(start[i])?start[i]-0x30:start[i]-0x57;
        num=num*18+temp;
    }
    return num+extra;
}

void main()
{
    int i;
    long num[4];
    char regcode[22],regname[30];
    regcode[21]='\0';
    printf("\t*************************************************\n");
    printf("\n\t\tKeyGen for WindowBlinds V3.5 Enhanced\n\t\t\tProduced by cyclotron\n");
    printf("\n\t*************************************************\n");
    do
        printf("\n\tPlease input your Regname:");
    while(!strlen(gets(regname)));
    randomize();
    do
    {
        regcode[0]=0x30+random(10);
        for(i=1;i<21;i++)
            do
                regcode[i]=0x30+random(0x50);
            while(!isdigit(regcode[i])&&!islower(regcode[i]));
        for(i=0;i<4;i++)
            num[i]=calnum(regcode+2+i*5,regcode[0]);
    }
    while(num[0]%3||num[1]%2||num[2]%6||num[3]%4||(num[0]+num[2])%6||(num[1]+num[3])%3||(num[2]+num[1])&(num[3]+num[0])&1);
    printf("\n\tYour Regcode is:\twb-%s\n\n\tThank you for your use!",regcode);
    getchar();
}
________________________________________________________
[Part 2]: Tracing the user-name-dependent registration code
017F:0040EE4C  LEA EAX,[EBP-014C]
017F:0040EE52  PUSH 0040A4C0  /* push the string "WB" */
017F:0040EE57  PUSH EAX  /* push the address of the empty buffer that will hold "WB" */
017F:0040EE58  CALL 00417690
017F:0040EE5D  PUSH DWORD PTR [ESI+5C]  /* push the address of the user name */
017F:0040EE60  LEA EAX,[EBP-014C]  /* still the buffer that holds "WB" */
017F:0040EE66  PUSH EAX  /* push that address */
017F:0040EE67  CALL 004176A0  /* this call concatenates "WB" and the user name */
017F:0040EE6C  MOV EAX,[ESI+5C]  /* address of the user name */
017F:0040EE6F  XOR EBX,EBX
017F:0040EE71  ADD ESP,10
017F:0040EE74  MOV [EBP-28],EBX
017F:0040EE77  CMP [EAX-08],EBX  /* is the user name length zero? */
017F:0040EE7A  JLE 0040EF1A
017F:0040EE80  LEA EAX,[EBP-014C]  /* address of the string "WBcyclotron" */
017F:0040EE86  MOV DWORD PTR [EBP-10],00000001
017F:0040EE8D  SUB [EBP-10],EAX
017F:0040EE90  FLD REAL8 PTR [EBP-30]  /* load the 8-byte floating-point value into st(0) */
    1). 80114111.103114 2). 81527323.91804 ……
017F:0040EE93  CALL 00416EF4  /* convert to an integer in eax */
    1). 80114111, i.e. 0x4C671BF 2). 81527323, i.e. 0x4DC021B ……
017F:0040EE98  PUSH EAX
017F:0040EE99  CALL 0041785B
017F:0040EE9E  MOV [EBP-18],EAX  /* store the integer in the local variable (ebp-18) */
017F:0040EEA1  MOV EAX,[ESI+5C]  /* eax = address of the user name */
017F:0040EEA4  MOVZX EDX,BYTE PTR [EBX+EBP-014C]  /* take each character of "WBcyclotron" in turn */
017F:0040EEAC  FILD DWORD PTR [EBP-18]  /* load (ebp-18) into st(0) */
    1). st(0)=80114111 2). st(0)=81527323 ……
017F:0040EEAF  POP ECX
017F:0040EEB0  MOV [EBP-18],EDX
017F:0040EEB3  MOV ECX,[EAX-08]  /* ecx = length of the user name */
017F:0040EEB6  LEA EAX,[EBX+EBP-014C]
017F:0040EEBD  MOV EDX,[EBP-10]
017F:0040EEC0  MOV [EBP-1C],ECX
017F:0040EEC3  ADD EDX,EAX
    1). edx=1 2). edx=2 ……
017F:0040EEC5  MOV EAX,[EBP-18]
017F:0040EEC8  MOV [EBP-2C],EDX
017F:0040EECB  CDQ
017F:0040EECC  FILD DWORD PTR [EBP-2C]
    1). (ebp-2C)=1 2). (ebp-2C)=2 ……
017F:0040EECF  IDIV ECX
017F:0040EED1  FMUL REAL8 PTR [00401E68]  /* st(0)=st(0)*2.12 */
017F:0040EED7  FISUB DWORD PTR [EBP-28]
    1). (ebp-28)=0 2). (ebp-28)=1 ……
017F:0040EEDA  MOV ECX,000000FF  /* ecx=0xFF */
017F:0040EEDF  MOVZX EAX,BYTE PTR [EDX+EBP-014C]  /* use the remainder to pick a character of "WBcyclotron" */
    1). eax=0x6F 2). eax=0x79 ……
017F:0040EEE7  IMUL EAX,EBX  /* eax=eax*ebx */
017F:0040EEEA  MOV [EBP-2C],EAX  /* store the product in (ebp-2C) */
017F:0040EEED  MOV EAX,[EBP-18]  /* eax = ASCII value of the character taken earlier */
017F:0040EEF0  CDQ
017F:0040EEF1  FILD DWORD PTR [EBP-2C]  /* st(0)=(ebp-2C) */
017F:0040EEF4  IDIV ECX
017F:0040EEF6  FMULP ST(1),ST  /* st(1)=st(1)*st(0) */
017F:0040EEF8  INC EBX  /* ebx++ */
017F:0040EEF9  CMP EBX,[EBP-1C]  /* has the whole user name been consumed? */
017F:0040EEFC  MOV [EBP-28],EBX  /* (ebp-28)=ebx */
017F:0040EEFF  MOV [EBP-2C],EAX  /* (ebp-2C)=eax */
017F:0040EF02  FILD DWORD PTR [EBP-2C]  /* st(0)=(ebp-2C) */
017F:0040EF05  FADDP ST(1),ST  /* st(1)=st(1)+st(0), then pop */
017F:0040EF07  FADD REAL8 PTR [00401E60]  /* st(0)=st(0)+1.01764 */
017F:0040EF0D  FMUL ST,ST(1)  /* st(0)=st(1)*st(0) */
017F:0040EF0F  FSTP REAL8 PTR [EBP-30]  /* store st(0) to (ebp-30) and pop */
017F:0040EF12  FSTP ST(0)  /* pop st(0) */
017F:0040EF14  JL 0040EE90  /* not finished: loop again */
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
The computation above, implemented in TC 2.0:
#include "string.h"
#include "math.h"

double floatize(char *regname,char *link)
{
    int i,length;
    double time=80114111.103114;
    length=strlen(regname);
    strcpy(link+2,regname);
    for(i=0;i<length;i++)
        time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time);
    return time;
}
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
017F:0040EF1A  FLD REAL8 PTR [EBP-30]
017F:0040EF1D  CALL 00416EF4
017F:0040EF22  PUSH EAX
017F:0040EF23  CALL 0041785B
017F:0040EF28  MOV [EBP-1C],EAX
017F:0040EF2B  MOV EAX,[ESI+5C]
017F:0040EF2E  FILD DWORD PTR [EBP-1C]
017F:0040EF31  MOV EAX,[EAX-08]  /* get the length of the user name */
017F:0040EF34  POP ECX
017F:0040EF35  CMP EAX,08
017F:0040EF38  JGE 0040EF3E
017F:0040EF3A  MOV AL,0E  /* user name shorter than 8: al=0xE */
017F:0040EF3C  JMP 0040EF49
017F:0040EF3E  CMP EAX,1F  /* user name length at least 8 and below 0x1F: al=strlen(regname)+0x6 */
017F:0040EF41  JGE 0040EF47
017F:0040EF43  ADD AL,06
017F:0040EF45  JMP 0040EF49
017F:0040EF47  MOV AL,17  /* user name length 0x1F or more: al=0x17 */
017F:0040EF49  MOVZX EAX,AL
017F:0040EF4C  PUSH EAX
017F:0040EF4D  LEA EAX,[EBP-014C]
017F:0040EF53  PUSH EAX
017F:0040EF54  CALL 00416EF4
017F:0040EF59  PUSH EAX
017F:0040EF5A  CALL 00422A30  /* key call, step into it (call the value of al "divisor") */
017F:0040EF5F  ADD ESP,0C
017F:0040EF62  LEA ECX,[EBP-14]
017F:0040EF65  PUSH 0040A5AC
017F:0040EF6A  CALL 00428A3E
017F:0040EF6F  MOV EAX,[0040BE60]
017F:0040EF74  LEA ECX,[EBP-10]
017F:0040EF77  MOV [EBP-10],EAX
017F:0040EF7A  LEA EAX,[EBP-014C]
017F:0040EF80  PUSH EAX
017F:0040EF81  CALL 00428A3E
017F:0040EF86  LEA EAX,[EBP-10]
017F:0040EF89  LEA ECX,[EBP-14]
017F:0040EF8C  PUSH EAX
017F:0040EF8D  MOV BYTE PTR [EBP-04],03
017F:0040EF91  CALL 00428C18  /* *eax points to the version 1.x registration code */
017F:0040EF96  LEA ECX,[EBP-10]
017F:0040EF99  MOV BYTE PTR [EBP-04],02
017F:0040EF9D  CALL 00428901
017F:0040EFA2  CMP BYTE PTR [EBP-014C],77
017F:0040EFA9  JNZ 0040EFB2
017F:0040EFAB  MOV BYTE PTR [EBP-014C],57
017F:0040EFB2  CMP BYTE PTR [EBP-014B],62
017F:0040EFB9  JNZ 0040EFC2
017F:0040EFBB  MOV BYTE PTR [EBP-014B],42
017F:0040EFC2  PUSH DWORD PTR [EBP-14]
017F:0040EFC5  PUSH DWORD PTR [EDI]
017F:0040EFC7  CALL 00417870
017F:0040EFCC  XOR EBX,EBX
017F:0040EFCE  POP ECX
017F:0040EFCF  CMP EAX,EBX
017F:0040EFD1  POP ECX
017F:0040EFD2  JNZ 0040F016  /* check whether this is a version 1.x registration code */
017F:0040EFD4  PUSH 0040A4AC
017F:0040EFD9  PUSH DWORD PTR [ESI+5C]
017F:0040EFDC  CALL 00417870
017F:0040EFE1  POP ECX
017F:0040EFE2  CMP EAX,EBX
017F:0040EFE4  POP ECX
017F:0040EFE5  JZ 0040F016
017F:0040EFE7  PUSH EBX
017F:0040EFE8  LEA ECX,[EBP-01A8]
017F:0040EFEE  CALL 0040E74F
017F:0040EFF3  LEA ECX,[EBP-01A8]
017F:0040EFF9  MOV BYTE PTR [EBP-04],05
017F:0040EFFD  CALL 0042828A
017F:0040F002  LEA ECX,[EBP-01A8]
017F:0040F008  MOV BYTE PTR [EBP-04],02
017F:0040F00C  CALL 00427EC0
017F:0040F011  JMP 0040F2A7
017F:0040F016  FLD REAL8 PTR [00401E58]
017F:0040F01C  LEA EAX,[EBP-02A8]
017F:0040F022  PUSH 0040A4C0
017F:0040F027  FSTP REAL8 PTR [EBP-20]  /* 4111.103114 is loaded through st(0); the computation below is exactly the same as the earlier one */
017F:0040F02A  PUSH EAX
017F:0040F02B  CALL 00417690
017F:0040F030  PUSH DWORD PTR [ESI+5C]
017F:0040F033  LEA EAX,[EBP-02A8]
017F:0040F039  PUSH EAX
017F:0040F03A  CALL 004176A0
017F:0040F03F  MOV EAX,[ESI+5C]
017F:0040F042  ADD ESP,10
017F:0040F045  MOV [EBP-28],EBX
017F:0040F048  CMP DWORD PTR [EAX-08],00
017F:0040F04C  JLE 0040F0EC
017F:0040F052  LEA EAX,[EBP-02A8]
017F:0040F058  MOV DWORD PTR [EBP-10],00000001
017F:0040F05F  SUB [EBP-10],EAX
017F:0040F062  FLD REAL8 PTR [EBP-20]
017F:0040F065  CALL 00416EF4
017F:0040F06A  PUSH EAX
017F:0040F06B  CALL 0041785B
017F:0040F070  MOV [EBP-1C],EAX
017F:0040F073  MOV EAX,[ESI+5C]
017F:0040F076  MOVZX EDX,BYTE PTR [EBX+EBP-02A8]
017F:0040F07E  FILD DWORD PTR [EBP-1C]
017F:0040F081  POP ECX
017F:0040F082  MOV [EBP-18],EDX
017F:0040F085  MOV ECX,[EAX-08]
017F:0040F088  LEA EAX,[EBX+EBP-02A8]
017F:0040F08F  MOV EDX,[EBP-10]
017F:0040F092  MOV [EBP-2C],ECX
017F:0040F095  ADD EDX,EAX
017F:0040F097  MOV EAX,[EBP-18]
017F:0040F09A  MOV [EBP-1C],EDX
017F:0040F09D  CDQ
017F:0040F09E  FILD DWORD PTR [EBP-1C]
017F:0040F0A1  IDIV ECX
017F:0040F0A3  FMUL REAL8 PTR [00401E68]  /* this is 2.12 here as well */
017F:0040F0A9  FISUB DWORD PTR [EBP-28]
017F:0040F0AC  MOV ECX,000000D3  /* note that ecx=0xD3 here */
017F:0040F0B1  MOVZX EAX,BYTE PTR [EDX+EBP-02A8]
017F:0040F0B9  IMUL EAX,EBX
017F:0040F0BC  MOV [EBP-1C],EAX
017F:0040F0BF  MOV EAX,[EBP-18]
017F:0040F0C2  CDQ
017F:0040F0C3  FILD DWORD PTR [EBP-1C]
017F:0040F0C6  IDIV ECX
017F:0040F0C8  FMULP ST(1),ST
017F:0040F0CA  INC EBX
017F:0040F0CB  CMP EBX,[EBP-2C]
017F:0040F0CE  MOV [EBP-28],EBX
017F:0040F0D1  MOV [EBP-1C],EAX
017F:0040F0D4  FILD DWORD PTR [EBP-1C]
017F:0040F0D7  FADDP ST(1),ST
017F:0040F0D9  FADD REAL8 PTR [00401E60]
017F:0040F0DF  FMUL ST,ST(1)
017F:0040F0E1  FSTP REAL8 PTR [EBP-20]
017F:0040F0E4  FSTP ST(0)
017F:0040F0E6  JL 0040F062
017F:0040F0EC  FLD REAL8 PTR [EBP-20]
017F:0040F0EF  CALL 00416EF4
017F:0040F0F4  PUSH EAX
017F:0040F0F5  CALL 0041785B
017F:0040F0FA  MOV [EBP-1C],EAX
017F:0040F0FD  MOV EAX,[ESI+5C]
017F:0040F100  FILD DWORD PTR [EBP-1C]
017F:0040F103  MOV EAX,[EAX-08]
017F:0040F106  POP ECX
017F:0040F107  CMP EAX,08
017F:0040F10A  JGE 0040F110  /* user name shorter than 8: al=0x10 */
017F:0040F10C  MOV AL,10
017F:0040F10E  JMP 0040F11B
017F:0040F110  CMP EAX,0F
017F:0040F113  JGE 0040F119
017F:0040F115  ADD AL,08  /* user name length at least 8 and below 0xF: al=strlen(regname)+0x8 */
017F:0040F117  JMP 0040F11B
017F:0040F119  MOV AL,17  /* user name length 0xF or more: al=0x17 */
017F:0040F11B  MOVZX EAX,AL
017F:0040F11E  PUSH EAX
017F:0040F11F  LEA EAX,[EBP-02A8]
017F:0040F125  PUSH EAX
017F:0040F126  CALL 00416EF4
017F:0040F12B  PUSH EAX
017F:0040F12C  CALL 00422A30  /* the same call as before */
017F:0040F131  ADD ESP,0C
017F:0040F134  LEA ECX,[EBP-14]
017F:0040F137  PUSH 0040A5AC
017F:0040F13C  CALL 00428A3E
017F:0040F141  MOV EAX,[0040BE60]
017F:0040F146  LEA ECX,[EBP-10]
017F:0040F149  MOV [EBP-10],EAX
017F:0040F14C  LEA EAX,[EBP-02A8]
017F:0040F152  PUSH EAX
017F:0040F153  CALL 00428A3E
017F:0040F158  LEA EAX,[EBP-10]
017F:0040F15B  LEA ECX,[EBP-14]
017F:0040F15E  PUSH EAX
017F:0040F15F  MOV BYTE PTR [EBP-04],04
017F:0040F163  CALL 00428C18  /* *eax points to the real registration code */
017F:0040F168  LEA ECX,[EBP-10]
017F:0040F16B  MOV BYTE PTR [EBP-04],02
017F:0040F16F  CALL 00428901
017F:0040F174  PUSH DWORD PTR [EBP-14]  /* the real registration code */
017F:0040F177  PUSH DWORD PTR [EDI]  /* the entered (trial) code */
017F:0040F179  CALL 00417870
017F:0040F17E  POP ECX
017F:0040F17F  TEST EAX,EAX
017F:0040F181  POP ECX
017F:0040F182  JZ 0040F19C
017F:0040F184  PUSH 10
017F:0040F186  PUSH 0040A49C
017F:0040F18B  PUSH 0040A3E4
**********************************************************
Stepping into 017F:0040EF5A CALL 00422A30:
017F:00422A30  PUSH EBP
017F:00422A31  MOV EBP,ESP
017F:00422A33  XOR EAX,EAX
017F:00422A35  CMP DWORD PTR [EBP+10],0A
017F:00422A39  JNZ 00422A43
017F:00422A3B  CMP [EBP+08],EAX
017F:00422A3E  JGE 00422A43
017F:00422A40  PUSH 01
017F:00422A42  POP EAX
017F:00422A43  PUSH EAX
017F:00422A44  PUSH DWORD PTR [EBP+10]
017F:00422A47  PUSH DWORD PTR [EBP+0C]
017F:00422A4A  PUSH DWORD PTR [EBP+08]
017F:00422A4D  CALL 004229D4  /* key call, step into it */
017F:00422A52  MOV EAX,[EBP+0C]
017F:00422A55  ADD ESP,10
017F:00422A58  POP EBP
017F:00422A59  RET
**********************************************
Stepping into 017F:00422A4D CALL 004229D4:
017F:004229D4  PUSH EBP
017F:004229D5  MOV EBP,ESP
017F:004229D7  CMP DWORD PTR [EBP+14],00
017F:004229DB  MOV ECX,[EBP+0C]
017F:004229DE  PUSH EBX
017F:004229DF  PUSH ESI
017F:004229E0  PUSH EDI
017F:004229E1  JZ 004229EE
017F:004229E3  MOV ESI,[EBP+08]
017F:004229E6  MOV BYTE PTR [ECX],2D
017F:004229E9  INC ECX
017F:004229EA  NEG ESI
017F:004229EC  JMP 004229F1
017F:004229EE  MOV ESI,[EBP+08]
017F:004229F1  MOV EDI,ECX
017F:004229F3  MOV EAX,ESI  /* the integer obtained by truncating the result of the preceding floating-point round */
017F:004229F5  XOR EDX,EDX
017F:004229F7  DIV DWORD PTR [EBP+10]  /* unsigned division; the divisor is "divisor" */
017F:004229FA  MOV EAX,ESI
017F:004229FC  MOV EBX,EDX
017F:004229FE  XOR EDX,EDX
017F:00422A00  DIV DWORD PTR [EBP+10]
017F:00422A03  CMP EBX,09  /* is the remainder greater than 9? */
017F:00422A06  MOV ESI,EAX
017F:00422A08  JBE 00422A0F
017F:00422A0A  ADD BL,57  /* remainder greater than 9: add 57h */
017F:00422A0D  JMP 00422A12
017F:00422A0F  ADD BL,30  /* remainder 9 or less: add 30h */
017F:00422A12  MOV [ECX],BL  /* store to the memory location ecx points to */
017F:00422A14  INC ECX
017F:00422A15  TEST ESI,ESI
017F:00422A17  JA 004229F3
017F:00422A19  AND BYTE PTR [ECX],00
017F:00422A1C  DEC ECX
017F:00422A1D  MOV DL,[EDI]
017F:00422A1F  MOV AL,[ECX]
017F:00422A21  MOV [ECX],DL
017F:00422A23  MOV [EDI],AL
017F:00422A25  DEC ECX
017F:00422A26  INC EDI
017F:00422A27  CMP EDI,ECX
017F:00422A29  JB 00422A1D  /* the code above reverses the string produced by the computation in place */
017F:00422A2B  POP EDI
017F:00422A2C  POP ESI
017F:00422A2D  POP EBX
017F:00422A2E  POP EBP
017F:00422A2F  RET
[Summary]:
name: cyclotron[BCG]
code: WB-hcjfb89
[Turbo C serial generator]:
#include "stdio.h"
#include "string.h"
#include "math.h"
#define ABS(x) x>0?x:-x

double floatize(char *regname,char *link)
{
    int i,length;
    double time=4111.103114;
    length=strlen(regname);
    strcpy(link+2,regname);
    for(i=0;i<length;i++)
        time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time);
    return time;
}

void genereverse(int length,char *link,unsigned long power)
{
    int i=0,j=0,divisor,rest;
    if(length<8)
        divisor=0x10;
    else if(length>=8&&length<0xF)
        divisor=length+8;
    else
        divisor=0x17;
    do
    {
        rest=power%divisor;
        power/=divisor;
        link[i++]=rest<=9?rest+0x30:rest+0x57;
    }
    while(power);
    link[i]='\0';
    do
    {
        link[--i]^=link[j];
        link[j]^=link[i];
        link[i]^=link[j++];
    }
    while(i-1>j);
}

void main()
{
    char regname[30],regcode[13],link[32];
    double iptr;
    link[0]=regcode[0]='W';
    link[1]=regcode[1]='B';
    regcode[2]='-';
    printf("\t***********************************************\n");
    printf("\n\t\tKeyGen for WindowBlinds V3.5\n\t\t(Generating Regname-related Regcode)");
    printf("\n\t\t\tProduced by cyclotron\n");
    printf("\n\t***********************************************\n");
    do
        printf("\n\tPlease input your Regname:");
    while(!strlen(gets(regname)));
    modf(floatize(regname,link),&iptr);
    genereverse(strlen(regname),link,ABS((long)iptr));
    strcpy(regcode+3,link);
    printf("\n\tYour Regcode is:\t%s\n",regcode);
    printf("\n\tThank you for your use!\n");
    getchar();
}
cyclotron[BCG][DFCG][FCG][OCN]
2004.4