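Windows System Switching Tool: Algorithm Analysis + Keygen

Kanxue (看雪) material, published 2004-07-02

Download: http://www4.skycn.com/soft/8306.html

Windows System Switching Tool V1.09.1208

Size:  1312 KB
Language:  Simplified Chinese
Category:  Chinese-made software / Shareware / System, other
Platform:  Win9x/NT/2000/XP
Added:  2002-12-10 10:07:34
Downloads:  11796

Contact:  easunlee@21cn.com
Developer:  http://easunlee.diy.163.com/

Description:

    Easun Studio's Windows System Switching Tool is good news for users who install several Windows systems. You may know the experience: for work you install several copies of Windows (for example Chinese Win98, English Win98 and Win2000), yet switching between them is far too hard. Windows 2000 at least provides a boot menu, but multiple Win95/98/Me installations have no such menu at all, so you are left switching with batch files under DOS. There are plenty of multi-system switching tools online, but almost all of them work by replacing the BOOT sector with their own module, and all of them make you choose in DOS (a character interface), which is both troublesome and unsafe, with a complicated interface. Could there be a system switching tool with a friendly interface that is safe, convenient and operated from within Windows? That is the reason Lu Yang (路楊) developed this software. Its interface is clean and attractive and easy to pick up, it does not overwrite the BOOT sector with its own module, it is safe and reliable, and it runs under Windows 95/98/Me/2000/XP, letting you leave the DOS and character interfaces behind for good! In addition, the software can configure the system and restore IE settings; those are, of course, extra features.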

=========================================================================================
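A couple of days ago I made a complete mess of boot.ini on my machine, so I downloaded this thing to tidy it up and cracked it along the way. It was quite simple; ones like this are hard to find nowadays.

First a check: it is packed with ASPack. After unpacking, it turns out to be my favourite, VC :D, and it is easy to find the following:

[code]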

:0040715B 50                      push eax

* Possible StringData Ref from Data Obj ->"%s"
                                  |
:0040715C 68A4A24100              push 0041A2A4
:00407161 51                      push ecx

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
                                  |
:00407162 E8B5970000              Call 0041091C    ;this CALL is GetWindowText (things written with MFC are easy to follow in IDA)
:00407167 8B542420                mov edx, dword ptr [esp+20]
:0040716B 83C40C                  add esp, 0000000C
:0040716E 8B42F8                  mov eax, dword ptr [edx-08]
:00407171 85C0                    test eax, eax    ;the user name length must not be 0
:00407173 750E                    jne 00407183

..........

:004071AA 50                      push eax

* Possible StringData Ref from Data Obj ->"%s"
                                  |
:004071AB 68A4A24100              push 0041A2A4
:004071B0 51                      push ecx

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
                                  |
:004071B1 E866970000              Call 0041091C    ;GetWindowText, fetches the registration name
:004071B6 8B4C241C                mov ecx, dword ptr [esp+1C]
:004071BA BB03000000              mov ebx, 00000003  ;EBX=3
:004071BF 83C40C                  add esp, 0000000C
:004071C2 8B41F8                  mov eax, dword ptr [ecx-08]
:004071C5 3BC3                    cmp eax, ebx
:004071C7 7D0E                    jge 004071D7    ;the registration name must be at least 3 characters long
:004071C9 6AFF                    push FFFFFFFF
:004071CB 6A00                    push 00000000
:004071CD 6833F00000              push 0000F033
:004071D2 E997020000              jmp 0040746E    ;otherwise you are in trouble

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004071C7(C)
|

* Reference To: MSVCRT._mbsicmp, Ord:015Fh
                                  |
:004071D7 8B3580444100            mov esi, dword ptr [00414480]

* Possible StringData Ref from Data Obj ->"白山破解網"    ;blacklist
                                  |
:004071DD 6898A64100              push 0041A698
:004071E2 51                      push ecx
:004071E3 FFD6                    call esi
:004071E5 83C408                  add esp, 00000008
:004071E8 85C0                    test eax, eax
:004071EA 0F8475020000            je 00407465
:004071F0 8B542410                mov edx, dword ptr [esp+10]

* Possible StringData Ref from Data Obj ->"Zhenlong[BCG]"  ;a fellow from BCG made it onto the blacklist :D
                                  |
:004071F4 6888A64100              push 0041A688
:004071F9 52                      push edx
:004071FA FFD6                    call esi
:004071FC 83C408                  add esp, 00000008
:004071FF 85C0                    test eax, eax
:00407201 0F845E020000            je 00407465
:00407207 6A01                    push 00000001
:00407209 6A00                    push 00000000
:0040720B 6874040000              push 00000474
:00407210 8BCD                    mov ecx, ebp

* Reference To: MFC42.Ordinal:0C17, Ord:0C17h
                                  |
:00407212 E811970000              Call 00410928
:00407217 8BF0                    mov esi, eax
:00407219 8D442410                lea eax, dword ptr [esp+10]
:0040721D 56                      push esi
:0040721E 51                      push ecx
:0040721F 8BCC                    mov ecx, esp
:00407221 89642420                mov dword ptr [esp+20], esp
:00407225 50                      push eax

* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00407226 E847980000              Call 00410A72
:0040722B 8BCD                    mov ecx, ebp
:0040722D E80E030000              call 00407540    ;something is going on in this CALL
:00407232 85C0                    test eax, eax
:00407234 0F842B020000            je 00407465    ;the key jump: if it is taken, it is all OVER

Stepping into the CALL above:

* Referenced by a CALL at Address:
|:0040722D   
|
:00407540 6AFF                    push FFFFFFFF
:00407542 68581D4100              push 00411D58
:00407547 64A100000000            mov eax, dword ptr fs:[00000000]
:0040754D 50                      push eax
:0040754E 64892500000000          mov dword ptr fs:[00000000], esp
:00407555 83EC10                  sub esp, 00000010
:00407558 53                      push ebx
:00407559 55                      push ebp
:0040755A 56                      push esi
:0040755B 57                      push edi
:0040755C 8BF9                    mov edi, ecx
:0040755E 51                      push ecx
:0040755F 8D442434                lea eax, dword ptr [esp+34]
:00407563 8BCC                    mov ecx, esp
:00407565 8964241C                mov dword ptr [esp+1C], esp
:00407569 50                      push eax
:0040756A C744243000000000        mov [esp+30], 00000000

* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00407572 E8FB940000              Call 00410A72
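:00407577 8BCF                    mov ecx, edi  ;here D *EAX shows the registration name that was entered; it is the argument of the CALL
:00407579 E822010000              call 004076A0  ;this CALL is important and appears several more times below (analysed further down)
:0040757E 8BF0                    mov esi, eax  ;EAX is the return value, stored in ESI
:00407580 85F6                    test esi, esi
:00407582 0F84F0000000            je 00407678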
:00407588 51                      push ecx
:00407589 8BCC                    mov ecx, esp
:0040758B 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"EasunLee" 
                                  |
:0040758F 68F4A64100              push 0041A6F4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:00407594 E8BF930000              Call 00410958
:00407599 8BCF                    mov ecx, edi
:0040759B E800010000              call 004076A0  ;run the same calculation on the string "EasunLee"
:004075A0 51                      push ecx
:004075A1 8BD8                    mov ebx, eax  ;result 1 goes into EBX
:004075A3 8BCC                    mov ecx, esp
:004075A5 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"EasunLee"
                                  |
:004075A9 68F4A64100              push 0041A6F4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:004075AE E8A5930000              Call 00410958
:004075B3 8BCF                    mov ecx, edi
:004075B5 E8E6000000              call 004076A0
:004075BA 51                      push ecx
:004075BB 8BE8                    mov ebp, eax  ;result 1 goes into EBP
:004075BD 8BCC                    mov ecx, esp
:004075BF 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"easunlee98meiosys"
                                  |
:004075C3 68E0A64100              push 0041A6E0

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:004075C8 E88B930000              Call 00410958
:004075CD 8BCF                    mov ecx, edi
:004075CF E8CC000000              call 004076A0  ;the same calculation on the string "easunlee98meiosys"
:004075D4 51                      push ecx
:004075D5 89442418                mov dword ptr [esp+18], eax  ;result 2 is at [ESP+18]
:004075D9 8BCC                    mov ecx, esp
:004075DB 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"Luyanghs&&Tsai&&bluebird"
                                  |
:004075DF 68C4A64100              push 0041A6C4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:004075E4 E86F930000              Call 00410958
:004075E9 8BCF                    mov ecx, edi
:004075EB E8B0000000              call 004076A0  ;the string "Luyanghs&&Tsai&&bluebird"
:004075F0 51                      push ecx
:004075F1 89442414                mov dword ptr [esp+14], eax  ;result 3 is at [ESP+14]
:004075F5 8BCC                    mov ecx, esp
:004075F7 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"heshengwssu1091119"
                                  |
:004075FB 68B0A64100              push 0041A6B0

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:00407600 E853930000              Call 00410958
:00407605 8BCF                    mov ecx, edi
:00407607 E894000000              call 004076A0  ;the string "heshengwssu1091119"
:0040760C 51                      push ecx
:0040760D 8944241C                mov dword ptr [esp+1C], eax  ;result 4 is at [ESP+1C]
:00407611 8BCC                    mov ecx, esp
:00407613 89642420                mov dword ptr [esp+20], esp

* Possible StringData Ref from Data Obj ->"200970878"
                                  |
:00407617 68A4A64100              push 0041A6A4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:0040761C E837930000              Call 00410958
:00407621 8BCF                    mov ecx, edi
:00407623 E878000000              call 004076A0    ;the same calculation on the string "200970878"; result 5 is in EAX
:00407628 81F678EE0220            xor esi, 2002EE78  ;ESI is the result computed from the registration name; XOR it with 2002EE78
:0040762E 8B7C2414                mov edi, dword ptr [esp+14]  ;put result 2 into EDI
:00407632 81EE21050E20            sub esi, 200E0521  ;then subtract 200E0521
:00407638 8B542418                mov edx, dword ptr [esp+18]  ;put result 4 into EDX
:0040763C 81F678563472            xor esi, 72345678  ;then XOR with 72345678
:00407642 81EE88F76877            sub esi, 7768F788  ;then subtract 7768F788
:00407648 33F3                    xor esi, ebx    ;then XOR with result 1
:0040764A 8B5C2410                mov ebx, dword ptr [esp+10]  ;put result 3 into EBX
:0040764E 03F5                    add esi, ebp    ;then add result 1
:00407650 33F3                    xor esi, ebx    ;XOR with result 3
:00407652 33F7                    xor esi, edi    ;XOR with result 2
:00407654 2BF2                    sub esi, edx    ;subtract result 4
:00407656 03F0                    add esi, eax    ;add result 5
:00407658 8B442434                mov eax, dword ptr [esp+34]  ;EAX is the numeric value of the serial we entered
:0040765C 3BF0                    cmp esi, eax    ;the result of all the operations above must equal the serial that was entered
:0040765E 7518                    jne 00407678    ;jump if they differ
:00407660 8D4C2430                lea ecx, dword ptr [esp+30]
:00407664 C7442428FFFFFFFF        mov [esp+28], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:0040766C E899920000              Call 0041090A
:00407671 B801000000              mov eax, 00000001  ;if they are equal we arrive here with EAX=1: success
:00407676 EB13                    jmp 0040768B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407582(C), :0040765E(C)
|
:00407678 8D4C2430                lea ecx, dword ptr [esp+30]
:0040767C C7442428FFFFFFFF        mov [esp+28], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00407684 E881920000              Call 0041090A
:00407689 33C0                    xor eax, eax    ;if they differ, EAX is zeroed here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407676(U)
|
:0040768B 8B4C2420                mov ecx, dword ptr [esp+20]
:0040768F 5F                      pop edi
:00407690 5E                      pop esi
:00407691 5D                      pop ebp
:00407692 64890D00000000          mov dword ptr fs:[00000000], ecx
:00407699 5B                      pop ebx
:0040769A 83C41C                  add esp, 0000001C
:0040769D C20800                  ret 0008

The CALL that is used several times:

* Referenced by a CALL at Addresses:
|:00407579   , :0040759B   , :004075B5   , :004075CF   , :004075EB   
|:00407607   , :00407623   
|
:004076A0 64A100000000            mov eax, dword ptr fs:[00000000]
:004076A6 6AFF                    push FFFFFFFF
:004076A8 68781D4100              push 00411D78
:004076AD 50                      push eax
:004076AE 64892500000000          mov dword ptr fs:[00000000], esp
:004076B5 56                      push esi
:004076B6 57                      push edi
:004076B7 8B7C2418                mov edi, dword ptr [esp+18]
:004076BB 8B57F8                  mov edx, dword ptr [edi-08]
:004076BE 83FA03                  cmp edx, 00000003
:004076C1 7D26                    jge 004076E9    ;the string must be at least 3 characters long
:004076C3 8D4C2418                lea ecx, dword ptr [esp+18]
:004076C7 C7442410FFFFFFFF        mov [esp+10], FFFFFFFF

............

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076C1(C)
|
:004076E9 33F6                    xor esi, esi
:004076EB 33C9                    xor ecx, ecx
:004076ED 85D2                    test edx, edx
:004076EF 7E0D                    jle 004076FE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076FC(C)
|
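:004076F1 0FBE0439                movsx eax, byte ptr [ecx+edi]  ;loop: fetch each character in turn
:004076F5 D3E0                    shl eax, cl  ;ECX is the loop variable i; the fetched character is shifted left by i bits
:004076F7 03F0                    add esi, eax  ;accumulate
:004076F9 41                      inc ecx
:004076FA 3BCA                    cmp ecx, edx  ;has ECX reached the string length?
:004076FC 7CF3                    jl 004076F1   ;loop to fetch the next character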

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076EF(C)
|
:004076FE 8D4C2418                lea ecx, dword ptr [esp+18]
:00407702 C7442410FFFFFFFF        mov [esp+10], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:0040770A E8FB910000              Call 0041090A
:0040770F 8B4C2408                mov ecx, dword ptr [esp+08]
:00407713 8BC6                    mov eax, esi  ;the accumulated sum goes to EAX as the return value
:00407715 5F                      pop edi
:00407716 64890D00000000          mov dword ptr fs:[00000000], ecx
:0040771D 5E                      pop esi
:0040771E 83C40C                  add esp, 0000000C
:00407721 C20400                  ret 0004
[/code]
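To summarise: let F() be the calculation CALL above (004076A0).
Then serial = (((F(user name) XOR 2002EE78 - 200E0521) XOR 72345678 - 7768F788) XOR F("EasunLee") + F("EasunLee")) XOR F("Luyanghs&&Tsai&&bluebird") XOR F("easunlee98meiosys") - F("heshengwssu1091119") + F("200970878"), where the constants are hexadecimal and the operations are applied strictly left to right, in the order of the disassembly.

Keygen: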
[code]
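#include <cstdint>
#include <cstring>
#include <iostream>
using namespace std;

// F() is the CALL at 004076A0: the sum of every character shifted left by its index
uint32_t F(const char st[])
{
  size_t len=strlen(st);
  uint32_t s=0;  // unsigned, so overflow wraps like the 32-bit register does
  for (size_t i=0;i<len;i++)
    s=s+((uint32_t)(signed char)st[i]<<i);  // movsx, then shl by i (every string here is under 32 characters)
  return s;
}

int main()
{
  char name[20];
  uint32_t code;
  cout<<"Please input your name : ";
  cin.width(sizeof(name));  // read at most 19 characters into name[20]
  cin>>name;
  code=F(name);
  code=(code^0x2002EE78)-0x200E0521;
  code=(code^0x72345678)-0x7768F788;
  code=(code^F("EasunLee"))+F("EasunLee");
  code=code^F("Luyanghs&&Tsai&&bluebird")^F("easunlee98meiosys");
  code=code-F("heshengwssu1091119")+F("200970878");
  cout<<"Your serial number is "<<(int32_t)code<<endl;  // shown as a signed 32-bit value, like the original int
  return 0;
}
[/code]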
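The loop at 004076F1 to 004076FC depends on two instruction details that a C port can silently lose: `movsx` sign-extends each byte, and `shl eax, cl` uses only the low 5 bits of CL. The following is an added example, not code from the original post; the names `f_x86` and `f_zero_ext` and all sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (hypothetical name): emulates the loop at
   004076F1..004076FC over a byte string of the given length. */
uint32_t f_x86(const unsigned char *s, size_t len)
{
    uint32_t esi = 0;                      /* xor esi, esi */
    for (size_t ecx = 0; ecx < len; ecx++) {
        /* movsx eax, byte ptr [ecx+edi]: bytes >= 0x80 are sign-extended */
        uint32_t eax = s[ecx];
        if (eax & 0x80u)
            eax |= 0xFFFFFF00u;
        /* shl eax, cl: the CPU masks the shift count to its low 5 bits */
        eax <<= (ecx & 31u);
        esi += eax;                        /* add esi, eax (wraps mod 2^32) */
    }
    return esi;
}

/* The same loop with zero extension (as movzx would do), for comparison. */
uint32_t f_zero_ext(const unsigned char *s, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (uint32_t)s[i] << (i & 31u);
    return sum;
}

int main(void)
{
    /* Constructed inputs: plain ASCII, one high byte, and 33 characters. */
    const unsigned char ascii[] = "abc";
    const unsigned char high[]  = "\x80" "ab";
    const unsigned char wrap[]  = "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "A";

    printf("ascii  movsx=%08X movzx=%08X\n",
           (unsigned)f_x86(ascii, 3), (unsigned)f_zero_ext(ascii, 3));
    printf("high   movsx=%08X movzx=%08X\n",
           (unsigned)f_x86(high, 3), (unsigned)f_zero_ext(high, 3));
    /* Index 32 is shifted by 32 & 31 = 0, not shifted out of the register. */
    printf("33*'A' movsx=%08X\n", (unsigned)f_x86(wrap, sizeof(wrap) - 1));
    return 0;
}
```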
