[May Day gift] The Complete WindowBlinds Cracking Guide

Posted by 看雪資料 on 2004-04-30

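[Software name]:  WindowBlinds V3.5 Enhanced

[Software language]:  English

[Software category]:  Foreign software / Shareware / Desktop tools

[Platform]:  Win9x/NT/2000/XP

[Developer]:  http://www.stardock.com/

[Software description]:
    Besides letting you use BMP images as the background of programs, this software can make the title bars of all programs in Windows look like those of Mac OS8 on Macintosh computers or of BeOS. You can also make Windows 95 title bars show a gradient like Windows 98, with customizable gradient colors, and the title-bar text can be centered instead of sitting at the default left position. You may also have noticed that in most new software the toolbar buttons are now "floating" style, that is, a button rises when the mouse moves over it, which looks better and more three-dimensional, but some software (such as ACDSee and NetTerm) still uses old-style buttons; with this software you can change them all to "floating" buttons. There are many other features, such as making the background of desktop icon text transparent, and so on. I won't describe them all here; download it and try it yourself!

[Author]:  cyclotron[BCG][DFCG][FCG][OCN]

[Cracking process]: Set a breakpoint on GetWindowTextA and you arrive at the code below. (The following code was captured with SoftICE; W32Dasm does not seem to work for disassembling Wload.exe.)

[Part 1]: Tracing the user-name-independent registration code!

Code: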
017F:0040ED69  MOV       EBX,0040A660
017F:0040ED6E  LEA       ECX,[EBP-4C]
017F:0040ED71  PUSH      EBX
017F:0040ED72  CALL      00428F0E
017F:0040ED77  PUSH      0040A658
017F:0040ED7C  LEA       ECX,[EBP-4C]
017F:0040ED7F  CALL      00428F0E
017F:0040ED84  PUSH      DWORD PTR [ESI+5C]
017F:0040ED87  LEA       ECX,[EBP-4C]
017F:0040ED8A  CALL      00428F0E
017F:0040ED8F  PUSH      EBX
017F:0040ED90  LEA       ECX,[EBP-4C]
017F:0040ED93  CALL      00428F0E
017F:0040ED98  LEA       ECX,[EBP-4C]
017F:0040ED9B  CALL      004290CB
017F:0040EDA0  PUSH      0040A64C /* push the blacklisted code wb-g1de774 */
017F:0040EDA5  PUSH      DWORD PTR [EDI] /* push the trial code */
017F:0040EDA7  CALL      00417870
017F:0040EDAC  POP       ECX
017F:0040EDAD  TEST      EAX,EAX
017F:0040EDAF  POP       ECX
017F:0040EDB0  JNZ       0040EDD3
017F:0040EDB2  PUSH      10
017F:0040EDB4  PUSH      0040A634
017F:0040EDB9  PUSH      0040A5C0
017F:0040EDBE  PUSH      0040A5B8
017F:0040EDC3  PUSH      0040A5B0
017F:0040EDC8  CALL      0040F4A2
017F:0040EDCD  PUSH      EAX
017F:0040EDCE  JMP       0040F190
017F:0040EDD3  LEA       EAX,[EBP-18]
017F:0040EDD6  PUSH      03
017F:0040EDD8  PUSH      EAX
017F:0040EDD9  MOV       ECX,EDI
017F:0040EDDB  CALL      00423811
017F:0040EDE0  PUSH      0040A5AC
017F:0040EDE5  PUSH      DWORD PTR [EAX]
017F:0040EDE7  CALL      00417870 /* compare whether the first three characters of the serial are WB- */
017F:0040EDEC  POP       ECX
017F:0040EDED  POP       ECX
017F:0040EDEE  TEST      EAX,EAX
017F:0040EDF0  LEA       ECX,[EBP-18]
017F:0040EDF3  SETNZ     BL
017F:0040EDF6  CALL      00428901
017F:0040EDFB  TEST      BL,BL
017F:0040EDFD  JZ        0040EE4C /* jump if the comparison matches; the target is the verification of the user-name-dependent registration code (see Part 2). In my tests, though, if this jump is not taken, registration also succeeds as long as the key call below returns 1 */
017F:0040EDFF  PUSH      ECX
017F:0040EE00  MOV       ECX,ESP
017F:0040EE02  MOV       [EBP-1C],ESP
017F:0040EE05  PUSH      EDI
017F:0040EE06  CALL      00428676
017F:0040EE0B  CALL      00410E1C /* key call, step into it */
017F:0040EE10  TEST      EAX,EAX
017F:0040EE12  JZ        0040EDB2 /* key jump */
017F:0040EE14  MOV       EAX,0040A5A4
017F:0040EE19  PUSH      40
017F:0040EE1B  PUSH      EAX
017F:0040EE1C  PUSH      0040A56C
017F:0040EE21  PUSH      EAX
017F:0040EE22  PUSH      0040A5B0
017F:0040EE27  CALL      0040F4A2
017F:0040EE2C  PUSH      EAX
017F:0040EE2D  MOV       ECX,ESI
017F:0040EE2F  CALL      00425ECA
017F:0040EE34  PUSH      40
017F:0040EE36  PUSH      0040A54C
017F:0040EE3B  PUSH      0040A4C4
017F:0040EE40  MOV       ECX,ESI
017F:0040EE42  CALL      00425ECA
017F:0040EE47  JMP       0040F1D5
017F:0040EE4C  LEA       EAX,[EBP-014C]
017F:0040EE52  PUSH      0040A4C0
017F:0040EE57  PUSH      EAX
017F:0040EE58  CALL      00417690
017F:0040EE5D  PUSH      DWORD PTR [ESI+5C]
017F:0040EE60  LEA       EAX,[EBP-014C]
017F:0040EE66  PUSH      EAX
017F:0040EE67  CALL      004176A0
**********************************************************
Key CALL 00410E1C:
017F:00410E1C  MOV       EAX,0042F800
017F:00410E21  CALL      0041762C
017F:00410E26  SUB       ESP,24
017F:00410E29  PUSH      EBX
017F:00410E2A  PUSH      ESI
017F:00410E2B  PUSH      EDI
017F:00410E2C  MOV       EAX,[0040BE60]
017F:00410E31  XOR       EDI,EDI
017F:00410E33  MOV       [EBP-04],EDI
017F:00410E36  MOV       [EBP-10],EAX
017F:00410E39  LEA       EAX,[EBP+08]
017F:00410E3C  LEA       ECX,[EBP-10]
017F:00410E3F  PUSH      EAX
017F:00410E40  MOV       BYTE PTR [EBP-04],01
017F:00410E44  CALL      004289EE
017F:00410E49  LEA       ECX,[EBP-10]
017F:00410E4C  CALL      00428D14 /* this call converts every uppercase letter in the registration code to lowercase */
017F:00410E51  LEA       EAX,[EBP-14]
017F:00410E54  PUSH      02
017F:00410E56  PUSH      EAX
017F:00410E57  LEA       ECX,[EBP-10]
017F:00410E5A  CALL      00423811
017F:00410E5F  PUSH      0040B030 /* push wb */
017F:00410E64  PUSH      DWORD PTR [EAX] /* push the first two characters of the serial */
017F:00410E66  CALL      00417870 /* compare whether they match */
017F:00410E6B  POP       ECX
017F:00410E6C  CMP       EAX,EDI
017F:00410E6E  POP       ECX
017F:00410E6F  LEA       ECX,[EBP-14]
017F:00410E72  SETNZ     BL
017F:00410E75  CALL      00428901
017F:00410E7A  TEST      BL,BL
017F:00410E7C  JZ        00410E85 /* jump if the first two characters of the serial are wb */
017F:00410E7E  XOR       ESI,ESI
017F:00410E80  JMP       004110C1
017F:00410E85  PUSH      02
017F:00410E87  LEA       EAX,[EBP-14]
017F:00410E8A  PUSH      02
017F:00410E8C  PUSH      EAX
017F:00410E8D  LEA       ECX,[EBP-10]
017F:00410E90  CALL      004236FF
017F:00410E95  PUSH      DWORD PTR [EAX]
017F:00410E97  CALL      0041797F /* this is a very important call; the return value is in eax */
017F:00410E9C  POP       ECX
017F:00410E9D  MOV       [EBP-2C],EAX /* [ebp-2c] holds a key value that is used later. According to the call above, this value depends on the fourth character of the registration code: if the fourth character is the digit i, the value is dword[neg i]; if the fourth character is not a digit, the value is always dword 0 */
017F:00410EA0  LEA       ECX,[EBP-14]
017F:00410EA3  CALL      00428901
017F:00410EA8  MOV       EAX,[0040BE60]
017F:00410EAD  MOV       [EBP-24],EAX
017F:00410EB0  MOV       [EBP-20],EAX
017F:00410EB3  MOV       [EBP-1C],EAX
017F:00410EB6  MOV       [EBP-18],EAX
017F:00410EB9  PUSH      04
017F:00410EBB  LEA       EAX,[EBP-14]
017F:00410EBE  POP       ESI
017F:00410EBF  LEA       ECX,[EBP-10]
017F:00410EC2  PUSH      ESI
017F:00410EC3  PUSH      05
017F:00410EC5  PUSH      EAX
017F:00410EC6  MOV       BYTE PTR [EBP-04],05
017F:00410ECA  CALL      004236FF /* extract characters 6 to 9 of the registration code; the string address goes to *eax */
017F:00410ECF  PUSH      EAX
017F:00410ED0  LEA       ECX,[EBP-24]
017F:00410ED3  MOV       BYTE PTR [EBP-04],06
017F:00410ED7  CALL      004289EE
017F:00410EDC  LEA       ECX,[EBP-14]
017F:00410EDF  MOV       BYTE PTR [EBP-04],05
017F:00410EE3  CALL      00428901
017F:00410EE8  PUSH      ESI
017F:00410EE9  LEA       EAX,[EBP-14]
017F:00410EEC  PUSH      0A
017F:00410EEE  PUSH      EAX
017F:00410EEF  LEA       ECX,[EBP-10]
017F:00410EF2  CALL      004236FF /* extract characters 11 to 14 of the registration code (if present); the string address goes to *eax */
017F:00410EF7  PUSH      EAX
017F:00410EF8  LEA       ECX,[EBP-20]
017F:00410EFB  MOV       BYTE PTR [EBP-04],07
017F:00410EFF  CALL      004289EE
017F:00410F04  LEA       ECX,[EBP-14]
017F:00410F07  MOV       BYTE PTR [EBP-04],05
017F:00410F0B  CALL      00428901
017F:00410F10  PUSH      ESI
017F:00410F11  LEA       EAX,[EBP-14]
017F:00410F14  PUSH      0F
017F:00410F16  PUSH      EAX
017F:00410F17  LEA       ECX,[EBP-10]
017F:00410F1A  CALL      004236FF /* extract characters 16 to 19 of the registration code (if present); the string address goes to *eax */
017F:00410F1F  PUSH      EAX
017F:00410F20  LEA       ECX,[EBP-1C]
017F:00410F23  MOV       BYTE PTR [EBP-04],08
017F:00410F27  CALL      004289EE
017F:00410F2C  LEA       ECX,[EBP-14]
017F:00410F2F  MOV       BYTE PTR [EBP-04],05
017F:00410F33  CALL      00428901
017F:00410F38  PUSH      ESI
017F:00410F39  LEA       EAX,[EBP-28]
017F:00410F3C  PUSH      14
017F:00410F3E  PUSH      EAX
017F:00410F3F  LEA       ECX,[EBP-10]
017F:00410F42  CALL      004236FF /* extract characters 21 to 24 of the registration code (if present); the string address goes to *eax */
017F:00410F47  PUSH      EAX
017F:00410F48  LEA       ECX,[EBP-18]
017F:00410F4B  MOV       BYTE PTR [EBP-04],09
017F:00410F4F  CALL      004289EE
017F:00410F54  LEA       ECX,[EBP-28]
017F:00410F57  MOV       BYTE PTR [EBP-04],05
017F:00410F5B  CALL      00428901
017F:00410F60  MOV       EAX,[0040BE60]
017F:00410F65  MOV       [EBP-30],EAX
017F:00410F68  MOV       EDX,[EBP-24] /* load the address of the string holding characters 6 to 9 into edx */
017F:00410F6B  XOR       ESI,ESI /* clear esi */
017F:00410F6D  MOV       EAX,[EDX-08]
017F:00410F70  TEST      EAX,EAX
017F:00410F72  JLE       00410F8E /* is the length greater than zero? */
017F:00410F74  MOVSX     ECX,BYTE PTR [EDX+ESI] /* take each character of the string in turn into ecx */
017F:00410F78  SUB       ECX,30 /* ecx=ecx-30h */
017F:00410F7B  CMP       ECX,09
017F:00410F7E  JLE       00410F83 /* less than or equal to 9? */
017F:00410F80  SUB       ECX,27 /* if not, subtract another 27h */
017F:00410F83  LEA       EDI,[EDI*8+EDI] /* edi=edi*9, edi starts at zero */
017F:00410F86  INC       ESI /* esi=esi+1 */
017F:00410F87  CMP       ESI,EAX /* have all characters been taken? */
017F:00410F89  LEA       EDI,[EDI*2+ECX] /* edi=edi*2+ecx, i.e. the final value ends up in edi */
017F:00410F8C  JL        00410F74 /* if not finished, go back and continue */
017F:00410F8E  MOV       EDX,[EBP-20] /* load the address of the string holding characters 11 to 14 into edx */
017F:00410F91  XOR       ESI,ESI
017F:00410F93  XOR       ECX,ECX
017F:00410F95  MOV       [EBP-14],ESI
017F:00410F98  MOV       EBX,[EDX-08]
017F:00410F9B  TEST      EBX,EBX
017F:00410F9D  JLE       00410FC1 /* jump away if this string does not exist, leaving [ebp-14] zero */
017F:00410F9F  JMP       00410FA4
017F:00410FA1  MOV       ESI,[EBP-14]
017F:00410FA4  MOVSX     EAX,BYTE PTR [EDX+ECX]
017F:00410FA8  SUB       EAX,30
017F:00410FAB  CMP       EAX,09
017F:00410FAE  JLE       00410FB3
017F:00410FB0  SUB       EAX,27
017F:00410FB3  LEA       ESI,[ESI*8+ESI]
017F:00410FB6  INC       ECX
017F:00410FB7  CMP       ECX,EBX
017F:00410FB9  LEA       EAX,[ESI*2+EAX]
017F:00410FBC  MOV       [EBP-14],EAX
017F:00410FBF  JL        00410FA1 /* the code above processes characters 11 to 14 of the registration code (if present); the result is stored in [ebp-14] */
017F:00410FC1  MOV       EDX,[EBP-1C] /* load the address of the string holding characters 16 to 19 into edx */
017F:00410FC4  XOR       ESI,ESI
017F:00410FC6  XOR       ECX,ECX
017F:00410FC8  MOV       EBX,[EDX-08]
017F:00410FCB  TEST      EBX,EBX
017F:00410FCD  JLE       00410FE9 /* jump away if this string does not exist, leaving esi zero */
017F:00410FCF  MOVSX     EAX,BYTE PTR [EDX+ECX]
017F:00410FD3  SUB       EAX,30
017F:00410FD6  CMP       EAX,09
017F:00410FD9  JLE       00410FDE
017F:00410FDB  SUB       EAX,27
017F:00410FDE  LEA       ESI,[ESI*8+ESI]
017F:00410FE1  INC       ECX
017F:00410FE2  CMP       ECX,EBX
017F:00410FE4  LEA       ESI,[ESI*2+EAX]
017F:00410FE7  JL        00410FCF /* the code above processes characters 16 to 19 of the registration code (if present); the result is kept in esi */
017F:00410FE9  MOV       EBX,[EBP-18] /* load the address of the string holding characters 21 to 24 into ebx */
017F:00410FEC  XOR       EDX,EDX
017F:00410FEE  XOR       ECX,ECX
017F:00410FF0  CMP       [EBX-08],EDX
017F:00410FF3  JLE       00411010 /* jump away if this string does not exist, leaving ecx zero */
017F:00410FF5  MOVSX     EAX,BYTE PTR [EBX+EDX]
017F:00410FF9  SUB       EAX,30
017F:00410FFC  CMP       EAX,09
017F:00410FFF  JLE       00411004
017F:00411001  SUB       EAX,27
017F:00411004  LEA       ECX,[ECX*8+ECX]
017F:00411007  INC       EDX
017F:00411008  CMP       EDX,[EBX-08]
017F:0041100B  LEA       ECX,[ECX*2+EAX]
017F:0041100E  JL        00410FF5 /* the code above processes characters 21 to 24 of the registration code (if present); the result is kept in ecx */
017F:00411010  MOV       EAX,[EBP-2C] /* load the key value into eax */
017F:00411013  PUSH      03
017F:00411015  SUB       [EBP-14],EAX
017F:00411018  SUB       EDI,EAX
017F:0041101A  SUB       ESI,EAX
017F:0041101C  SUB       ECX,EAX /* subtract eax from each of the four results; call the results num2, num1, num3, num4 in that order */
017F:0041101E  MOV       EAX,EDI
017F:00411020  POP       EBX /* ebx=3 */
017F:00411021  CDQ
017F:00411022  IDIV      EBX
017F:00411024  TEST      EDX,EDX /* is the remainder zero? */
017F:00411026  JZ        0041102C /* jump if zero, i.e. num1 is divisible by 3 */
017F:00411028  XOR       ESI,ESI
017F:0041102A  JMP       00411085 /* if the jump above is not taken, execution goes straight to the exit and registration fails */
017F:0041102C  MOV       EAX,[EBP-14]
017F:0041102F  PUSH      02
017F:00411031  CDQ
017F:00411032  POP       EBX /* ebx=2 */
017F:00411033  IDIV      EBX
017F:00411035  TEST      EDX,EDX
017F:00411037  JNZ       00411028 /* must not jump, i.e. num2 must be divisible by 2 */
017F:00411039  MOV       EAX,ESI
017F:0041103B  PUSH      06
017F:0041103D  CDQ
017F:0041103E  POP       EBX /* ebx=6 */
017F:0041103F  IDIV      EBX
017F:00411041  TEST      EDX,EDX
017F:00411043  JNZ       00411028 /* must not jump, i.e. num3 must be divisible by 6 */
017F:00411045  MOV       EAX,ECX
017F:00411047  PUSH      04
017F:00411049  CDQ
017F:0041104A  POP       EBX /* ebx=4 */
017F:0041104B  IDIV      EBX
017F:0041104D  TEST      EDX,EDX
017F:0041104F  JNZ       00411028 /* must not jump, i.e. num4 must be divisible by 4 */
017F:00411051  MOV       EDX,[EBP-14]
017F:00411054  LEA       EAX,[EDI+ESI] /* eax=num1+num3 */
017F:00411057  ADD       ESI,EDX /* esi=num3+num2 */
017F:00411059  PUSH      06
017F:0041105B  LEA       EBX,[EDX+ECX] /* ebx=num2+num4 */
017F:0041105E  MOV       [EBP-2C],ESI
017F:00411061  XOR       EDX,EDX
017F:00411063  POP       ESI
017F:00411064  DIV       ESI
017F:00411066  ADD       ECX,EDI /* ecx=num4+num1 */
017F:00411068  TEST      EDX,EDX
017F:0041106A  JNZ       00411028 /* num1+num3 must be divisible by 6 */
017F:0041106C  PUSH      03
017F:0041106E  MOV       EAX,EBX
017F:00411070  POP       ESI
017F:00411071  DIV       ESI
017F:00411073  TEST      EDX,EDX
017F:00411075  JNZ       00411028 /* num2+num4 must be divisible by 3 */
017F:00411077  TEST      BYTE PTR [EBP-2C],01
017F:0041107B  JNZ       00411028 /* the lowest bit of num3+num2 must not be 1 */
017F:0041107D  TEST      CL,01 /* the lowest bit of num4+num1 must not be 1 */
017F:00411080  JNZ       00411028
017F:00411082  PUSH      01
017F:00411084  POP       ESI /* the two instructions above set esi to 1; since esi is eventually passed to eax as the return value, these two instructions must be reached */
017F:00411085  LEA       ECX,[EBP-30]
017F:00411088  MOV       BYTE PTR [EBP-04],05
017F:0041108C  CALL      00428901
017F:00411091  LEA       ECX,[EBP-18]
017F:00411094  MOV       BYTE PTR [EBP-04],04
017F:00411098  CALL      00428901
017F:0041109D  LEA       ECX,[EBP-1C]
017F:004110A0  MOV       BYTE PTR [EBP-04],03
017F:004110A4  CALL      00428901
017F:004110A9  LEA       ECX,[EBP-20]
017F:004110AC  MOV       BYTE PTR [EBP-04],02
017F:004110B0  CALL      00428901
017F:004110B5  LEA       ECX,[EBP-24]
017F:004110B8  MOV       BYTE PTR [EBP-04],01
017F:004110BC  CALL      00428901
017F:004110C1  AND       BYTE PTR [EBP-04],00
017F:004110C5  LEA       ECX,[EBP-10]
017F:004110C8  CALL      00428901
017F:004110CD  OR        DWORD PTR [EBP-04],-01
017F:004110D1  LEA       ECX,[EBP+08]
017F:004110D4  CALL      00428901
017F:004110D9  MOV       ECX,[EBP-0C]
017F:004110DC  MOV       EAX,ESI /* the return value in eax depends on esi */
017F:004110DE  POP       EDI
017F:004110DF  POP       ESI
017F:004110E0  POP       EBX
017F:004110E1  MOV       FS:[00000000],ECX
017F:004110E8  LEAVE
017F:004110E9  RET       0004

    The computation above does not involve the user name, so the resulting codes are universal registration codes.
******************************************************************
[Summary]:

    General Regcode:
  wb-677knun5hveu569uks3my
  wb-6fkefuyoiv60qmp6ivsbc
  wb-7yjb35yyzi13h28nyer3r
  wb-2lkr64f6bfugrvv433qt8
  wb-5fa6m7pg7zzipm179pu8r
  wb-7y3c8znz87lym0zhwq9h7

[Turbo C key generator]:

#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#include "ctype.h"

/* Accumulate four characters as base-18 digits (the *9 then *2 steps in the listing), then add extra. */
long calnum(char *start,char extra)
{
    int i;
    long num=0;
    char temp;
    for(i=0;i<4;i++)
    {
        temp=isdigit(start[i])?start[i]-0x30:start[i]-0x57;
        num=num*18+temp;
    }
    return num+extra;
}

/* randomize() and random() are Turbo C library routines. */
void main()
{
    int i;
    long num[4];
    char regcode[22],regname[30];
    regcode[21]='\0';
    printf("\t*************************************************\n");
    printf("\n\t\tKeyGen for WindowBlinds V3.5 Enhanced\n\t\t\tProduced by cyclotron\n");
    printf("\n\t*************************************************\n");
    do
        printf("\n\tPlease input your Regname:");
    while(!strlen(gets(regname)));
    randomize();
    do
    {
        regcode[0]=0x30+random(10);
        for(i=1;i<21;i++)
            do
                regcode[i]=0x30+random(0x50);
            while(!isdigit(regcode[i])&&!islower(regcode[i]));
        for(i=0;i<4;i++)
            num[i]=calnum(regcode+2+i*5,regcode[0]);
    }
    while(num[0]%3||num[1]%2||num[2]%6||num[3]%4||(num[0]+num[2])%6||(num[1]+num[3])%3||(num[2]+num[1])&(num[3]+num[0])&1);
    printf("\n\tYour Regcode is:\twb-%s\n\n\tThank you for your use!",regcode);
    getchar();
}
________________________________________________________
[Part 2]: Tracing the user-name-dependent registration code!

017F:0040EE4C  LEA       EAX,[EBP-014C]
017F:0040EE52  PUSH      0040A4C0 /* push the string WB */
017F:0040EE57  PUSH      EAX /* push the address of the empty buffer that will hold WB */
017F:0040EE58  CALL      00417690
017F:0040EE5D  PUSH      DWORD PTR [ESI+5C] /* push the user-name address */
017F:0040EE60  LEA       EAX,[EBP-014C] /* this is still the address used above to hold "WB" */
017F:0040EE66  PUSH      EAX /* push the address */
017F:0040EE67  CALL      004176A0 /* this call concatenates WB and the user name */
017F:0040EE6C  MOV       EAX,[ESI+5C] /* address of the user name */
017F:0040EE6F  XOR       EBX,EBX
017F:0040EE71  ADD       ESP,10
017F:0040EE74  MOV       [EBP-28],EBX
017F:0040EE77  CMP       [EAX-08],EBX /* is the user-name length zero? */
017F:0040EE7A  JLE       0040EF1A
017F:0040EE80  LEA       EAX,[EBP-014C] /* address of the string "WBcyclotron" */
017F:0040EE86  MOV       DWORD PTR [EBP-10],00000001
017F:0040EE8D  SUB       [EBP-10],EAX
017F:0040EE90  FLD       REAL8 PTR [EBP-30] /* load the 8-byte floating-point number into st(0) */
  1).  80114111.103114
  2).  81527323.91804
    ...
017F:0040EE93  CALL      00416EF4 /* truncate to an integer in eax */
  1).  80114111, i.e. 0x4C671BF
  2).  81527323, i.e. 0x4DC021B
    ...
017F:0040EE98  PUSH      EAX
017F:0040EE99  CALL      0041785B
017F:0040EE9E  MOV       [EBP-18],EAX /* store this integer in the local variable (ebp-18) */
017F:0040EEA1  MOV       EAX,[ESI+5C] /* eax gets the user-name address */
017F:0040EEA4  MOVZX     EDX,BYTE PTR [EBX+EBP-014C] /* take each character of "WBcyclotron" in turn */
017F:0040EEAC  FILD      DWORD PTR [EBP-18] /* load (ebp-18) into st(0) */
  1).  st(0)=80114111
  2).  st(0)=81527323
    ...
017F:0040EEAF  POP       ECX
017F:0040EEB0  MOV       [EBP-18],EDX
017F:0040EEB3  MOV       ECX,[EAX-08] /* ecx gets the user-name length */
017F:0040EEB6  LEA       EAX,[EBX+EBP-014C]
017F:0040EEBD  MOV       EDX,[EBP-10]
017F:0040EEC0  MOV       [EBP-1C],ECX
017F:0040EEC3  ADD       EDX,EAX
  1).  edx=1
  2).  edx=2
    ...
017F:0040EEC5  MOV       EAX,[EBP-18]
017F:0040EEC8  MOV       [EBP-2C],EDX
017F:0040EECB  CDQ
017F:0040EECC  FILD      DWORD PTR [EBP-2C]
  1).  (ebp-2C)=1
  2).  (ebp-2C)=2
    ...
017F:0040EECF  IDIV      ECX
017F:0040EED1  FMUL      REAL8 PTR [00401E68] /* st(0)=st(0)*2.12 */
017F:0040EED7  FISUB     DWORD PTR [EBP-28]
  1).  (ebp-28)=0
  2).  (ebp-28)=1
    ...
017F:0040EEDA  MOV       ECX,000000FF /* ecx=0xFF */
017F:0040EEDF  MOVZX     EAX,BYTE PTR [EDX+EBP-014C] /* use the remainder to fetch a character of "WBcyclotron" */
  1).  eax=0x6F
  2).  eax=0x79
    ...
017F:0040EEE7  IMUL      EAX,EBX /* eax=eax*ebx */
017F:0040EEEA  MOV       [EBP-2C],EAX /* store the product in (ebp-2C) */
017F:0040EEED  MOV       EAX,[EBP-18] /* eax gets the ASCII value of the character fetched earlier */
017F:0040EEF0  CDQ
017F:0040EEF1  FILD      DWORD PTR [EBP-2C] /* st(0)=(ebp-2C) */
017F:0040EEF4  IDIV      ECX
017F:0040EEF6  FMULP     ST(1),ST /* st(1)=st(1)*st(0) */
017F:0040EEF8  INC       EBX /* ebx++ */
017F:0040EEF9  CMP       EBX,[EBP-1C] /* has the whole user name been processed? */
017F:0040EEFC  MOV       [EBP-28],EBX /* (ebp-28)=ebx */
017F:0040EEFF  MOV       [EBP-2C],EAX /* (ebp-2C)=eax */
017F:0040EF02  FILD      DWORD PTR [EBP-2C] /* st(0)=(ebp-2C) */
017F:0040EF05  FADDP     ST(1),ST /* st(1)=st(1)+st(0), then pop */
017F:0040EF07  FADD      REAL8 PTR [00401E60] /* st(0)=st(0)+1.01764 */
017F:0040EF0D  FMUL      ST,ST(1) /* st(0)=st(1)*st(0) */
017F:0040EF0F  FSTP      REAL8 PTR [EBP-30] /* store st(0) to (ebp-30) and pop */
017F:0040EF12  FSTP      ST(0) /* pop st(0) */
017F:0040EF14  JL        0040EE90 /* loop back if not finished */
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
The computation above, implemented in TC2.0:

#include "string.h"
#include "math.h"

double floatize(char *regname,char *link)
{
    int i,length;
    double time=80114111.103114;
    length=strlen(regname);
    strcpy(link+2,regname);
    for(i=0;i<length;i++)
        time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time);
    return time;
}
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
017F:0040EF1A  FLD       REAL8 PTR [EBP-30]
017F:0040EF1D  CALL      00416EF4
017F:0040EF22  PUSH      EAX
017F:0040EF23  CALL      0041785B
017F:0040EF28  MOV       [EBP-1C],EAX
017F:0040EF2B  MOV       EAX,[ESI+5C]
017F:0040EF2E  FILD      DWORD PTR [EBP-1C]
017F:0040EF31  MOV       EAX,[EAX-08] /* get the user-name length */
017F:0040EF34  POP       ECX
017F:0040EF35  CMP       EAX,08
017F:0040EF38  JGE       0040EF3E
017F:0040EF3A  MOV       AL,0E /* user-name length less than 8: al=0xE */
017F:0040EF3C  JMP       0040EF49
017F:0040EF3E  CMP       EAX,1F /* user-name length at least 8 and less than 0x1F: al=strlen(regname)+0x6 */
017F:0040EF41  JGE       0040EF47
017F:0040EF43  ADD       AL,06
017F:0040EF45  JMP       0040EF49
017F:0040EF47  MOV       AL,17 /* user-name length at least 0x1F: al=0x17 */
017F:0040EF49  MOVZX     EAX,AL
017F:0040EF4C  PUSH      EAX
017F:0040EF4D  LEA       EAX,[EBP-014C]
017F:0040EF53  PUSH      EAX
017F:0040EF54  CALL      00416EF4
017F:0040EF59  PUSH      EAX
017F:0040EF5A  CALL      00422A30 /* key call, step into it (call the value of al the divisor) */
017F:0040EF5F  ADD       ESP,0C
017F:0040EF62  LEA       ECX,[EBP-14]
017F:0040EF65  PUSH      0040A5AC
017F:0040EF6A  CALL      00428A3E
017F:0040EF6F  MOV       EAX,[0040BE60]
017F:0040EF74  LEA       ECX,[EBP-10]
017F:0040EF77  MOV       [EBP-10],EAX
017F:0040EF7A  LEA       EAX,[EBP-014C]
017F:0040EF80  PUSH      EAX
017F:0040EF81  CALL      00428A3E
017F:0040EF86  LEA       EAX,[EBP-10]
017F:0040EF89  LEA       ECX,[EBP-14]
017F:0040EF8C  PUSH      EAX
017F:0040EF8D  MOV       BYTE PTR [EBP-04],03
017F:0040EF91  CALL      00428C18 /* *eax points to the version 1.x registration code */
017F:0040EF96  LEA       ECX,[EBP-10]
017F:0040EF99  MOV       BYTE PTR [EBP-04],02
017F:0040EF9D  CALL      00428901
017F:0040EFA2  CMP       BYTE PTR [EBP-014C],77
017F:0040EFA9  JNZ       0040EFB2
017F:0040EFAB  MOV       BYTE PTR [EBP-014C],57
017F:0040EFB2  CMP       BYTE PTR [EBP-014B],62
017F:0040EFB9  JNZ       0040EFC2
017F:0040EFBB  MOV       BYTE PTR [EBP-014B],42
017F:0040EFC2  PUSH      DWORD PTR [EBP-14]
017F:0040EFC5  PUSH      DWORD PTR [EDI]
017F:0040EFC7  CALL      00417870
017F:0040EFCC  XOR       EBX,EBX
017F:0040EFCE  POP       ECX
017F:0040EFCF  CMP       EAX,EBX
017F:0040EFD1  POP       ECX
017F:0040EFD2  JNZ       0040F016 /* compare whether it is a version 1.x registration code */
017F:0040EFD4  PUSH      0040A4AC
017F:0040EFD9  PUSH      DWORD PTR [ESI+5C]
017F:0040EFDC  CALL      00417870
017F:0040EFE1  POP       ECX
017F:0040EFE2  CMP       EAX,EBX
017F:0040EFE4  POP       ECX
017F:0040EFE5  JZ        0040F016
017F:0040EFE7  PUSH      EBX
017F:0040EFE8  LEA       ECX,[EBP-01A8]
017F:0040EFEE  CALL      0040E74F
017F:0040EFF3  LEA       ECX,[EBP-01A8]
017F:0040EFF9  MOV       BYTE PTR [EBP-04],05
017F:0040EFFD  CALL      0042828A
017F:0040F002  LEA       ECX,[EBP-01A8]
017F:0040F008  MOV       BYTE PTR [EBP-04],02
017F:0040F00C  CALL      00427EC0
017F:0040F011  JMP       0040F2A7
017F:0040F016  FLD       REAL8 PTR [00401E58]
017F:0040F01C  LEA       EAX,[EBP-02A8]
017F:0040F022  PUSH      0040A4C0
017F:0040F027  FSTP      REAL8 PTR [EBP-20] /* 4111.103114 is loaded through st(0); the computation below is exactly the same as the earlier one */
017F:0040F02A  PUSH      EAX
017F:0040F02B  CALL      00417690
017F:0040F030  PUSH      DWORD PTR [ESI+5C]
017F:0040F033  LEA       EAX,[EBP-02A8]
017F:0040F039  PUSH      EAX
017F:0040F03A  CALL      004176A0
017F:0040F03F  MOV       EAX,[ESI+5C]
017F:0040F042  ADD       ESP,10
017F:0040F045  MOV       [EBP-28],EBX
017F:0040F048  CMP       DWORD PTR [EAX-08],00
017F:0040F04C  JLE       0040F0EC
017F:0040F052  LEA       EAX,[EBP-02A8]
017F:0040F058  MOV       DWORD PTR [EBP-10],00000001
017F:0040F05F  SUB       [EBP-10],EAX
017F:0040F062  FLD       REAL8 PTR [EBP-20]
017F:0040F065  CALL      00416EF4
017F:0040F06A  PUSH      EAX
017F:0040F06B  CALL      0041785B
017F:0040F070  MOV       [EBP-1C],EAX
017F:0040F073  MOV       EAX,[ESI+5C]
017F:0040F076  MOVZX     EDX,BYTE PTR [EBX+EBP-02A8]
017F:0040F07E  FILD      DWORD PTR [EBP-1C]
017F:0040F081  POP       ECX
017F:0040F082  MOV       [EBP-18],EDX
017F:0040F085  MOV       ECX,[EAX-08]
017F:0040F088  LEA       EAX,[EBX+EBP-02A8]
017F:0040F08F  MOV       EDX,[EBP-10]
017F:0040F092  MOV       [EBP-2C],ECX
017F:0040F095  ADD       EDX,EAX
017F:0040F097  MOV       EAX,[EBP-18]
017F:0040F09A  MOV       [EBP-1C],EDX
017F:0040F09D  CDQ
017F:0040F09E  FILD      DWORD PTR [EBP-1C]
017F:0040F0A1  IDIV      ECX
017F:0040F0A3  FMUL      REAL8 PTR [00401E68] /* this is also 2.12 */
017F:0040F0A9  FISUB     DWORD PTR [EBP-28]
017F:0040F0AC  MOV       ECX,000000D3 /* note that here ecx=0xD3 */
017F:0040F0B1  MOVZX     EAX,BYTE PTR [EDX+EBP-02A8]
017F:0040F0B9  IMUL      EAX,EBX
017F:0040F0BC  MOV       [EBP-1C],EAX
017F:0040F0BF  MOV       EAX,[EBP-18]
017F:0040F0C2  CDQ
017F:0040F0C3  FILD      DWORD PTR [EBP-1C]
017F:0040F0C6  IDIV      ECX
017F:0040F0C8  FMULP     ST(1),ST
017F:0040F0CA  INC       EBX
017F:0040F0CB  CMP       EBX,[EBP-2C]
017F:0040F0CE  MOV       [EBP-28],EBX
017F:0040F0D1  MOV       [EBP-1C],EAX
017F:0040F0D4  FILD      DWORD PTR [EBP-1C]
017F:0040F0D7  FADDP     ST(1),ST
017F:0040F0D9  FADD      REAL8 PTR [00401E60]
017F:0040F0DF  FMUL      ST,ST(1)
017F:0040F0E1  FSTP      REAL8 PTR [EBP-20]
017F:0040F0E4  FSTP      ST(0)
017F:0040F0E6  JL        0040F062
017F:0040F0EC  FLD       REAL8 PTR [EBP-20]
017F:0040F0EF  CALL      00416EF4
017F:0040F0F4  PUSH      EAX
017F:0040F0F5  CALL      0041785B
017F:0040F0FA  MOV       [EBP-1C],EAX
017F:0040F0FD  MOV       EAX,[ESI+5C]
017F:0040F100  FILD      DWORD PTR [EBP-1C]
017F:0040F103  MOV       EAX,[EAX-08]
017F:0040F106  POP       ECX
017F:0040F107  CMP       EAX,08
017F:0040F10A  JGE       0040F110 /* user-name length less than 8: al=0x10 */
017F:0040F10C  MOV       AL,10
017F:0040F10E  JMP       0040F11B
017F:0040F110  CMP       EAX,0F
017F:0040F113  JGE       0040F119
017F:0040F115  ADD       AL,08 /* user-name length at least 8 and less than 0xF: al=strlen(regname)+0x8 */
017F:0040F117  JMP       0040F11B
017F:0040F119  MOV       AL,17 /* user-name length at least 0xF: al=0x17 */
017F:0040F11B  MOVZX     EAX,AL
017F:0040F11E  PUSH      EAX
017F:0040F11F  LEA       EAX,[EBP-02A8]
017F:0040F125  PUSH      EAX
017F:0040F126  CALL      00416EF4
017F:0040F12B  PUSH      EAX
017F:0040F12C  CALL      00422A30 /* this is the same call as before */
017F:0040F131  ADD       ESP,0C
017F:0040F134  LEA       ECX,[EBP-14]
017F:0040F137  PUSH      0040A5AC
017F:0040F13C  CALL      00428A3E
017F:0040F141  MOV       EAX,[0040BE60]
017F:0040F146  LEA       ECX,[EBP-10]
017F:0040F149  MOV       [EBP-10],EAX
017F:0040F14C  LEA       EAX,[EBP-02A8]
017F:0040F152  PUSH      EAX
017F:0040F153  CALL      00428A3E
017F:0040F158  LEA       EAX,[EBP-10]
017F:0040F15B  LEA       ECX,[EBP-14]
017F:0040F15E  PUSH      EAX
017F:0040F15F  MOV       BYTE PTR [EBP-04],04
017F:0040F163  CALL      00428C18 /* *eax points to the real registration code */
017F:0040F168  LEA       ECX,[EBP-10]
017F:0040F16B  MOV       BYTE PTR [EBP-04],02
017F:0040F16F  CALL      00428901
017F:0040F174  PUSH      DWORD PTR [EBP-14] /* the real registration code */
017F:0040F177  PUSH      DWORD PTR [EDI] /* the trial code */
017F:0040F179  CALL      00417870
017F:0040F17E  POP       ECX
017F:0040F17F  TEST      EAX,EAX
017F:0040F181  POP       ECX
017F:0040F182  JZ        0040F19C
017F:0040F184  PUSH      10
017F:0040F186  PUSH      0040A49C
017F:0040F18B  PUSH      0040A3E4
**********************************************************
017F:0040EF5A  CALL      00422A30, stepping in:
017F:00422A30  PUSH      EBP
017F:00422A31  MOV       EBP,ESP
017F:00422A33  XOR       EAX,EAX
017F:00422A35  CMP       DWORD PTR [EBP+10],0A
017F:00422A39  JNZ       00422A43
017F:00422A3B  CMP       [EBP+08],EAX
017F:00422A3E  JGE       00422A43
017F:00422A40  PUSH      01
017F:00422A42  POP       EAX
017F:00422A43  PUSH      EAX
017F:00422A44  PUSH      DWORD PTR [EBP+10]
017F:00422A47  PUSH      DWORD PTR [EBP+0C]
017F:00422A4A  PUSH      DWORD PTR [EBP+08]
017F:00422A4D  CALL      004229D4 /* key call, step into it */
017F:00422A52  MOV       EAX,[EBP+0C]
017F:00422A55  ADD       ESP,10
017F:00422A58  POP       EBP
017F:00422A59  RET
**********************************************
017F:00422A4D  CALL      004229D4, stepping in:
017F:004229D4  PUSH      EBP
017F:004229D5  MOV       EBP,ESP
017F:004229D7  CMP       DWORD PTR [EBP+14],00
017F:004229DB  MOV       ECX,[EBP+0C]
017F:004229DE  PUSH      EBX
017F:004229DF  PUSH      ESI
017F:004229E0  PUSH      EDI
017F:004229E1  JZ        004229EE
017F:004229E3  MOV       ESI,[EBP+08]
017F:004229E6  MOV       BYTE PTR [ECX],2D
017F:004229E9  INC       ECX
017F:004229EA  NEG       ESI
017F:004229EC  JMP       004229F1
017F:004229EE  MOV       ESI,[EBP+08]
017F:004229F1  MOV       EDI,ECX
017F:004229F3  MOV       EAX,ESI /* take the truncated integer result of the preceding round of floating-point computation */
017F:004229F5  XOR       EDX,EDX
017F:004229F7  DIV       DWORD PTR [EBP+10] /* unsigned division; the divisor is divisor */
017F:004229FA  MOV       EAX,ESI
017F:004229FC  MOV       EBX,EDX
017F:004229FE  XOR       EDX,EDX
017F:00422A00  DIV       DWORD PTR [EBP+10]
017F:00422A03  CMP       EBX,09 /* is the remainder less than or equal to 9? */
017F:00422A06  MOV       ESI,EAX
017F:00422A08  JBE       00422A0F
017F:00422A0A  ADD       BL,57 /* remainder greater than 9: add 57h */
017F:00422A0D  JMP       00422A12
017F:00422A0F  ADD       BL,30 /* remainder less than or equal to 9: add 30h */
017F:00422A12  MOV       [ECX],BL /* store to the memory location ecx points to */
017F:00422A14  INC       ECX
017F:00422A15  TEST      ESI,ESI
017F:00422A17  JA        004229F3
017F:00422A19  AND       BYTE PTR [ECX],00
017F:00422A1C  DEC       ECX
017F:00422A1D  MOV       DL,[EDI]
017F:00422A1F  MOV       AL,[ECX]
017F:00422A21  MOV       [ECX],DL
017F:00422A23  MOV       [EDI],AL
017F:00422A25  DEC       ECX
017F:00422A26  INC       EDI
017F:00422A27  CMP       EDI,ECX
017F:00422A29  JB        00422A1D /* the code above stores the computed string in reverse order */
017F:00422A2B  POP       EDI
017F:00422A2C  POP       ESI
017F:00422A2D  POP       EBX
017F:00422A2E  POP       EBP
017F:00422A2F  RET

[Summary]:
  name:cyclotron[BCG]
  code:WB-hcjfb89

[Turbo C key generator]:

#include "stdio.h"
#include "string.h"
#include "math.h"
#define ABS(x) ((x)>0?(x):-(x))

/* The floating-point loop from the listing, seeded with 4111.103114. */
double floatize(char *regname,char *link)
{
    int i,length;
    double time=4111.103114;
    length=strlen(regname);
    strcpy(link+2,regname);
    for(i=0;i<length;i++)
        time=fabs((link[link[i]%length]*i*(2.12*(i+1)-i)+1.01764)*(long)time);
    return time;
}

/* Write power in base divisor into link, then reverse the digits in place. */
void genereverse(int length,char *link,unsigned long power)
{
    int i=0,j=0,divisor,rest;
    if(length<8) divisor=0x10;
    else if(length>=8&&length<0xF) divisor=length+8;
    else divisor=0x17;
    do
    {
        rest=power%divisor;
        power/=divisor;
        link[i++]=rest<=9?rest+0x30:rest+0x57;
    }
    while(power);
    link[i]='\0';
    do
    {
        link[--i]^=link[j];
        link[j]^=link[i];
        link[i]^=link[j++];
    }
    while(i-1>j);
}

void main()
{
    char regname[30],regcode[13],link[32];
    double iptr;
    link[0]=regcode[0]='W';
    link[1]=regcode[1]='B';
    regcode[2]='-';
    printf("\t***********************************************\n");
    printf("\n\t\tKeyGen for WindowBlinds V3.5\n\t\t(Generating Regname-related Regcode)");
    printf("\n\t\t\tProduced by cyclotron\n");
    printf("\n\t***********************************************\n");
    do
        printf("\n\tPlease input your Regname:");
    while(!strlen(gets(regname)));
    modf(floatize(regname,link),&iptr);
    genereverse(strlen(regname),link,ABS((long)iptr));
    strcpy(regcode+3,link);
    printf("\n\tYour Regcode is:\t%s\n",regcode);
    printf("\n\tThank you for your use!\n");
    getchar();
}


             cyclotron[BCG][DFCG][FCG][OCN]
                                                    2004.4
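
The two routines at 00422A30 and 004229D4, read back into C instruction by instruction as an added example (not part of the original post): taken together they behave like an itoa-style integer-to-string conversion with a caller-supplied radix, which is a useful thing to recognise before spending time tracing a "key call". The function names and the sample values in main are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical name for the routine at 004229D4.
 * Arguments follow the stack layout in the listing:
 *   [EBP+08] value, [EBP+0C] buffer, [EBP+10] radix, [EBP+14] minus flag.
 * Like the listing, it does not validate radix (must be >= 2) or buffer size. */
static void digits_to_string(uint32_t val, char *buf, uint32_t radix, int minus)
{
    char *p = buf;
    char *first;

    if (minus) {                 /* 004229E3..004229EA */
        *p++ = '-';              /* MOV BYTE PTR [ECX],2D / INC ECX */
        val = 0u - val;          /* NEG ESI */
    }
    first = p;                   /* 004229F1: EDI marks the first digit */

    do {                         /* 004229F3..00422A17 */
        uint32_t digit = val % radix;   /* first DIV, remainder kept in EBX */
        val /= radix;                   /* second DIV, quotient kept in ESI */
        /* JBE 00422A0F: 0..9 get +30h ('0'..'9'), larger digits get +57h ('a'..) */
        *p++ = (char)(digit <= 9 ? digit + 0x30 : digit + 0x57);
    } while (val != 0);          /* TEST ESI,ESI / JA 004229F3 */

    *p-- = '\0';                 /* AND BYTE PTR [ECX],00 / DEC ECX */

    do {                         /* 00422A1D..00422A29: reverse digits in place */
        char tmp = *p;
        *p = *first;
        *first = tmp;
        --p;
        ++first;
    } while (first < p);
}

/* Hypothetical name for the wrapper at 00422A30.
 * A minus sign is emitted only for radix 10 with a negative value
 * (CMP [EBP+10],0A / CMP [EBP+08],EAX / JGE); the buffer is returned in EAX. */
char *int_to_string(int32_t value, char *buf, int radix)
{
    int minus = (radix == 10 && value < 0);
    digits_to_string((uint32_t)value, buf, (uint32_t)radix, minus);
    return buf;
}

int main(void)
{
    /* Constructed sample inputs; 0x10 and 0x17 are the smallest and largest
     * radix values the second caller in the listing can pass. */
    static const struct { int32_t value; int radix; } samples[] = {
        { 255, 0x10 }, { 45, 0x17 }, { -5, 10 }, { -1, 0x10 }, { 0, 0x0E }
    };
    char buf[34]; /* 32 binary digits + sign + NUL is the worst case */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%ld in radix %d -> %s\n", (long)samples[i].value,
               samples[i].radix,
               int_to_string(samples[i].value, buf, samples[i].radix));
    return 0;
}
```

For any radix other than 10 a negative input is treated as an unsigned 32-bit value, which is why the listing uses DIV rather than IDIV.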

