檔案管理軟體管理大師演算法簡析!(簡單浮點)

〖軟體大小〗：1806KB
〖軟體語言〗：簡體中文
〖軟體類別〗：國產軟體/共享版/檔案管理
〖執行環境〗：Win9x/Me/NT/2000/XP
〖加入時間〗：2003-7-30 17:09:31
〖下載地址〗：http://218.30.21.125:7272/friendmake/utility/ex100.exe
〖軟體評級〗：☆☆☆☆

【軟體介紹】：

1 軟體分類：可以對電腦中的軟體按照五個大類，25個小類來仔細分類歸納。而且最多可對六百多個軟體進行分類，完全可以滿足使用者對常用軟體的分類管理的需要。
2 軟體啟動：本軟體的程式快速啟動可以說是我見過的最快的，對最常用125個軟體來說，無需點選便可方便查詢到。而且每次啟動軟體後，使用次數最多的軟體自動向上排序，所以最常用的軟體總是最方便啟動的。
3 分類設定：有一點要說，一般的軟體管理軟體所新增的軟體分類後如果覺得分類不好要改為其它類別是很麻煩的。本軟體提供了方便的軟體分類的更改和交換功能。（可以把滑鼠移到主視窗軟體圖示旁的箭頭上，彈出分類視窗。在分類視窗中的軟體圖示上單擊右鍵，在彈出的功能快捷選單中選擇。）
4 自定義分類：可以自定義自己喜歡的分類.

〖破解工具〗:TRW1.22娃娃修改版,OllyDbgV1.09,WdasmV10.0
〖作者宣告〗:初學破解,僅作學習交流之用,失誤之處敬請大俠賜教.

【簡要過程】:
使用者名稱:ShenGe[BCG]
機器碼:4618407
試驗碼:12345678

好久沒來論壇了，發覺鮮有破文，大概大家都太忙了,抽空找了兩個簡單的軟體，把過程
放上來頂頂人氣，高手莫見笑！
無殼,VB編的!
OD的斷點不大好用，先用bpx hmemcpy在TRW中攔截，再用OD載入分析。

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:0044E577 FF1518104000 Call dword ptr [00401018]
:0044E57D C745FC0D000000 mov [ebp-04], 0000000D
:0044E584 6828434600 push 00464328
:0044E589 8D4DD8 lea ecx, dword ptr [ebp-28]
:0044E58C 51 push ecx

* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:0044E58D FF153C114000 Call dword ptr [0040113C]
:0044E593 50 push eax
<===eax="4618407",機器碼

* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
|
:0044E594 FF1514124000 Call dword ptr [00401214]
<===機器碼由字串形式轉化為數值形式
:0044E59A DD9D44FFFFFF fstp qword ptr [ebp+FFFFFF44]
<===數值4618407存入[ebp+FFFFFF44]
:0044E5A0 6838434600 push 00464338
:0044E5A5 8D55DC lea edx, dword ptr [ebp-24]
:0044E5A8 52 push edx

* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:0044E5A9 FF153C114000 Call dword ptr [0040113C]
:0044E5AF 50 push eax
<===eax="12345678",取得輸入的假碼

* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
|
:0044E5B0 FF1514124000 Call dword ptr [00401214]
<===見上註釋
:0044E5B6 DC25F0304000 fsub qword ptr [004030F0]
<===[004030F0]中為定值1978,作者生日?
此操作為同sub st0,[004030F0]，即
12345678-1978=12343700
:0044E5BC 833D0040460000 cmp dword ptr [00464000], 00000000
<===[00464000],此處的值從何而來?有何作用?沒跟!
:0044E5C3 7508 jne 0044E5CD
:0044E5C5 DC35E8304000 fdiv qword ptr [004030E8]
<===[004030E8]中為定值983,此操作為
12343700 div 983=12557.171922685657600

:0044E5CB EB11 jmp 0044E5DE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E5C3(C)
|
:0044E5CD FF35EC304000 push dword ptr [004030EC]
:0044E5D3 FF35E8304000 push dword ptr [004030E8]

* Reference To: MSVBVM60._adj_fdiv_m64, Ord:0000h
|
:0044E5D9 E8E653FBFF Call 004039C4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E5CB(U)
|
:0044E5DE DFE0 fstsw ax
<===儲存狀態字的值到ax中
:0044E5E0 A80D test al, 0D
<===此處的判斷作何用?
:0044E5E2 0F85F4060000 jne 0044ECDC

* Reference To: MSVBVM60.__vbaFpR8, Ord:0000h
|
:0044E5E8 FF15A0104000 Call dword ptr [004010A0]
<===資料型別轉換
:0044E5EE DD9D04FFFFFF fstp qword ptr [ebp+FFFFFF04]
:0044E5F4 DD8544FFFFFF fld qword ptr [ebp+FFFFFF44]
<===[ebp+FFFFFF44]中為機器碼的數值形式
此命令同mov st0,[ebp+FFFFFF44]

* Reference To: MSVBVM60.__vbaFpR8, Ord:0000h
|
:0044E5FA FF15A0104000 Call dword ptr [004010A0]
:0044E600 DC9D04FFFFFF fcomp qword ptr [ebp+FFFFFF04]
<===同CMP st0,[ebp+FFFFFF04]
[ebp+FFFFFF04]中為上面的差值12557,
st0中為機器碼的數值形式4618407
:0044E606 DFE0 fstsw ax
:0044E608 F6C440 test ah, 40
:0044E60B 740C je 0044E619
<===關鍵跳轉
:0044E60D C78500FFFFFF01000000 mov dword ptr [ebp+FFFFFF00], 00000001
<===置[ebp+FFFFFF00]為1
:0044E617 EB0A jmp 0044E623

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E60B(C)
|
:0044E619 C78500FFFFFF00000000 mov dword ptr [ebp+FFFFFF00], 00000000
<===置[ebp+FFFFFF00]為0,同上是孿生兄弟

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E617(U)
|
:0044E623 8B8500FFFFFF mov eax, dword ptr [ebp+FFFFFF00]
:0044E629 F7D8 neg eax
:0044E62B 66898540FFFFFF mov word ptr [ebp+FFFFFF40], ax
:0044E632 8D4DD8 lea ecx, dword ptr [ebp-28]
:0044E635 51 push ecx
:0044E636 8D55DC lea edx, dword ptr [ebp-24]
:0044E639 52 push edx
:0044E63A 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:0044E63C FF1588114000 Call dword ptr [00401188]
:0044E642 83C40C add esp, 0000000C
:0044E645 0FBF8540FFFFFF movsx eax, word ptr [ebp+FFFFFF40]
:0044E64C 85C0 test eax, eax
:0044E64E 0F8411050000 je 0044EB65
<===爆破的話此處也要改,要是跳了,哼哼,:(
:0044E654 C745FC0E000000 mov [ebp-04], 0000000E
:0044E65B C7459804000280 mov [ebp-68], 80020004
:0044E662 C745900A000000 mov [ebp-70], 0000000A
:0044E669 C745A804000280 mov [ebp-58], 80020004
:0044E670 C745A00A000000 mov [ebp-60], 0000000A
:0044E677 C745B804000280 mov [ebp-48], 80020004
:0044E67E C745B00A000000 mov [ebp-50], 0000000A
:0044E685 C7458830074100 mov [ebp-78], 00410730
:0044E68C C7458008000000 mov [ebp-80], 00000008
:0044E693 8D5580 lea edx, dword ptr [ebp-80]
:0044E696 8D4DC0 lea ecx, dword ptr [ebp-40]

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:0044E699 FF15AC114000 Call dword ptr [004011AC]
:0044E69F 8D4D90 lea ecx, dword ptr [ebp-70]
:0044E6A2 51 push ecx
:0044E6A3 8D55A0 lea edx, dword ptr [ebp-60]
:0044E6A6 52 push edx
:0044E6A7 8D45B0 lea eax, dword ptr [ebp-50]
:0044E6AA 50 push eax
:0044E6AB 6A00 push 00000000
:0044E6AD 8D4DC0 lea ecx, dword ptr [ebp-40]
:0044E6B0 51 push ecx

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:0044E6B1 FF157C104000 Call dword ptr [0040107C]
<===註冊成功!
:0044E6B7 8D5590 lea edx, dword ptr [ebp-70]
:0044E6BA 52 push edx
:0044E6BB 8D45A0 lea eax, dword ptr [ebp-60]
:0044E6BE 50 push eax
:0044E6BF 8D4DB0 lea ecx, dword ptr [ebp-50]

...........（略）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E64E(C)
|
:0044EB65 C745FC16000000 mov [ebp-04], 00000016
:0044EB6C C7459804000280 mov [ebp-68], 80020004
:0044EB73 C745900A000000 mov [ebp-70], 0000000A
:0044EB7A C745A804000280 mov [ebp-58], 80020004
:0044EB81 C745A00A000000 mov [ebp-60], 0000000A
:0044EB88 C745B804000280 mov [ebp-48], 80020004
:0044EB8F C745B00A000000 mov [ebp-50], 0000000A
:0044EB96 C7458884074100 mov [ebp-78], 00410784
:0044EB9D C7458008000000 mov [ebp-80], 00000008
:0044EBA4 8D5580 lea edx, dword ptr [ebp-80]
:0044EBA7 8D4DC0 lea ecx, dword ptr [ebp-40]

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:0044EBAA FF15AC114000 Call dword ptr [004011AC]
:0044EBB0 8D4D90 lea ecx, dword ptr [ebp-70]
:0044EBB3 51 push ecx
:0044EBB4 8D55A0 lea edx, dword ptr [ebp-60]
:0044EBB7 52 push edx
:0044EBB8 8D45B0 lea eax, dword ptr [ebp-50]
:0044EBBB 50 push eax
:0044EBBC 6A00 push 00000000
:0044EBBE 8D4DC0 lea ecx, dword ptr [ebp-40]
:0044EBC1 51 push ecx

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:0044EBC2 FF157C104000 Call dword ptr [0040107C]
<===註冊失敗!
:0044EBC8 8D5590 lea edx, dword ptr [ebp-70]
:0044EBCB 52 push edx
:0044EBCC 8D45A0 lea eax, dword ptr [ebp-60]
:0044EBCF 50 push eax
:0044EBD0 8D4DB0 lea ecx, dword ptr [ebp-50]
:0044EBD3 51 push ecx
:0044EBD4 8D55C0 lea edx, dword ptr [ebp-40]
:0044EBD7 52 push edx
:0044EBD8 6A04 push 00000004

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0044EBDA FF1528104000 Call dword ptr [00401028]
:0044EBE0 83C414 add esp, 00000014
:0044EBE3 C745FC17000000 mov [ebp-04], 00000017
:0044EBEA 8B4508 mov eax, dword ptr [ebp+08]
:0044EBED 8B08 mov ecx, dword ptr [eax]
:0044EBEF 8B5508 mov edx, dword ptr [ebp+08]
:0044EBF2 52 push edx
:0044EBF3 FF9110030000 call dword ptr [ecx+00000310]
:0044EBF9 50 push eax
:0044EBFA 8D45D0 lea eax, dword ptr [ebp-30]
:0044EBFD 50 push eax

【總結】:這個軟體的演算法真是簡單，只是涉及到浮點運算，很適合新手作熟悉浮點運算練手用。詳細浮點運算見論壇精華合集。

註冊碼與使用者名稱無關，只需滿足(n-1978)/983=機器碼這個表示式即可(n為註冊碼)

如我的註冊碼為:4618407*983+1987=4539896059

軟體將註冊資訊儲存在登錄檔的"HKEY_LOCAL_MACHINE\Software\hayuguang"下。

Cracked By ShenGe[BCG] 2003.7.31

檔案管理軟體管理大師演算法簡析!(簡單浮點)

相關文章