簡單演算法――Modem Spy V3.2 + Build 2002.11.10

簡單演算法――Modem Spy V3.2 + Build 2002.11.10

下載頁面： http://www.skycn.com/soft/5631.html
軟體大小： 244 KB
軟體語言：英文
軟體類別：國外軟體 / 共享版 / 網路電話
應用平臺： Win9x/2000/XP
加入時間： 2002-11-12 09:45:13
下載次數： 4745
推薦等級： ****
開發商： http://www.modemspy.com/

【軟體簡介】：Modem Spy 可以對網路電話進行談話錄音、紀錄所有來電資料、軟體內建自動應答功能、可以檢測顯示來電者的電腦ID，錄音的聲音檔案可存成MP3或WAV檔案。

【軟體限制】：30 days

【作者宣告】：初學Crack，只是感興趣，沒有其它目的。失誤之處敬請諸位大俠賜教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、FI2.5、W32Dasm8.93黃金版

―――――――――――――――――――――――――――――――――
【過程】：

從天空看見一個小小的E文軟體，拉下來看看，呵呵，很簡單。

modemspy.exe 無殼，VC++6.0編寫。我等菜鳥喜歡的型別。^O^^O^
反彙編，查詢關鍵提示，發現核心。

Your Name ：fly
試煉碼：13572468

―――――――――――――――――――――――――――――――――

* Referenced by a CALL at Address:
|:0041E40D
|
:0041E460 56 push esi

* Possible Ref to Menu: MenuID_0017, Item: "Delete"
|
:0041E461 6880000000 push 00000080
:0041E466 6804A44300 push 0043A404
:0041E46B 8BF1 mov esi, ecx
:0041E46D 6A53 push 00000053
:0041E46F E8BC72FEFF call 00405730

* Possible Ref to Menu: MenuID_0017, Item: "Delete"
|
:0041E474 6880000000 push 00000080
:0041E479 6884A44300 push 0043A484
:0041E47E 6A55 push 00000055
:0041E480 8BCE mov ecx, esi
:0041E482 E8A972FEFF call 00405730
:0041E487 E814040000 call 0041E8A0
====>關鍵CALL！進入！

:0041E48C 85C0 test eax, eax
:0041E48E 7408 je 0041E498
====>跳則OVER！

:0041E490 6A40 push 00000040

* Possible Reference to String Resource ID=00059: "Thanks"
|
:0041E492 6A3B push 0000003B

* Possible Reference to String Resource ID=00057: "Thank you for your support!"
====>呵呵，勝利女神！

:0041E494 6A39 push 00000039
:0041E496 EB14 jmp 0041E4AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E48E(C)
|

* Possible Reference to String Resource ID=00016: "Dialtone detected"
|
:0041E498 6A10 push 00000010

* Possible Reference to String Resource ID=00045: "Error"
|
:0041E49A 6A2D push 0000002D
:0041E49C C60584A4430000 mov byte ptr [0043A484], 00
:0041E4A3 C60504A4430000 mov byte ptr [0043A404], 00

* Possible Reference to String Resource ID=00062: "Wrong key or name!
Please contact the author"
====>BAD BOY！

:0041E4AA 6A3E push 0000003E

―――――――――――――――――――――――――――――――――
進入關鍵CALL：41E487 call 0041E8A0

* Referenced by a CALL at Addresses:
|:004165EA , :00416C78 , :0041E487 , :0041E9D0 , :0041FD83
|
:0041E8A0 A084A44300 mov al, byte ptr [0043A484]
:0041E8A5 53 push ebx
:0041E8A6 56 push esi
:0041E8A7 3C6D cmp al, 6D
:0041E8A9 57 push edi
:0041E8AA BB01000000 mov ebx, 00000001
:0041E8AF 7479 je 0041E92A
:0041E8B1 3C4D cmp al, 4D
:0041E8B3 7475 je 0041E92A
:0041E8B5 6884A44300 push 0043A484
:0041E8BA E853310000 call 00421A12
====>把試煉碼轉換成16進位制值

:0041E8BF 8BF8 mov edi, eax
====>EDI=EAX=00CF1974（H）=13572468（D）

:0041E8C1 83C404 add esp, 00000004
:0041E8C4 85FF test edi, edi
:0041E8C6 7429 je 0041E8F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E977(C)
|

* Possible Reference to Dialog:
|
:0041E8C8 BE18134300 mov esi, 00431318

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E8EF(C)
|
:0041E8CD 8B4E04 mov ecx, dword ptr [esi+04]
:0041E8D0 6804A44300 push 0043A404
:0041E8D5 51 push ecx
:0041E8D6 E825010000 call 0041EA00
:0041E8DB 83C408 add esp, 00000008
:0041E8DE 85C0 test eax, eax
:0041E8E0 7404 je 0041E8E6
:0041E8E2 393E cmp dword ptr [esi], edi
:0041E8E4 7422 je 0041E908

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E8E0(C)
|
:0041E8E6 83C608 add esi, 00000008
:0041E8E9 81FE60144300 cmp esi, 00431460
:0041E8EF 72DC jb 0041E8CD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E8C6(C)
|
:0041E8F1 6884A44300 push 0043A484
:0041E8F6 6804A44300 push 0043A404
:0041E8FB E810FCFFFF call 0041E510
====>關鍵CALL！進入！

:0041E900 83C408 add esp, 00000008
:0041E903 83F801 cmp eax, 00000001
:0041E906 7D77 jge 0041E97F
====>不跳則OVER！

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E8E4(C), :0041E93A(C), :0041E97D(U)
|
:0041E908 33D2 xor edx, edx

* Possible Reference to String Resource ID=00032: "Another program accepted the call"
|
:0041E90A B920000000 mov ecx, 00000020
:0041E90F 33C0 xor eax, eax
:0041E911 BF84A44300 mov edi, 0043A484
:0041E916 F3 repz
:0041E917 AB stosd

* Possible Reference to String Resource ID=00032: "Another program accepted the call"
|
:0041E918 B920000000 mov ecx, 00000020
:0041E91D BF04A44300 mov edi, 0043A404
:0041E922 F3 repz
:0041E923 AB stosd
:0041E924 5F pop edi
:0041E925 5E pop esi
:0041E926 8BC2 mov eax, edx
:0041E928 5B pop ebx
:0041E929 C3 ret

―――――――――――――――――――――――――――――――――
進入關鍵CALL：41E8FB call 0041E510

* Referenced by a CALL at Address:
|:0041E8FB
|
:0041E510 53 push ebx
:0041E511 8B5C240C mov ebx, dword ptr [esp+0C]
:0041E515 56 push esi
:0041E516 57 push edi

* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:0041E517 8B3DC8914200 mov edi, dword ptr [004291C8]
:0041E51D 53 push ebx
:0041E51E FFD7 call edi
:0041E520 83F803 cmp eax, 00000003
:0041E523 0F8C07010000 jl 0041E630
:0041E529 8B742410 mov esi, dword ptr [esp+10]
:0041E52D 56 push esi
:0041E52E FFD7 call edi
:0041E530 83F803 cmp eax, 00000003
:0041E533 0F8CF7000000 jl 0041E630
:0041E539 8A03 mov al, byte ptr [ebx]
:0041E53B 3C4D cmp al, 4D
:0041E53D 0F848E000000 je 0041E5D1
:0041E543 3C6D cmp al, 6D
:0041E545 0F8486000000 je 0041E5D1
:0041E54B 53 push ebx
:0041E54C FFD7 call edi
:0041E54E 8D4418FF lea eax, dword ptr [eax+ebx-01]
:0041E552 3BC3 cmp eax, ebx
:0041E554 760A jbe 0041E560

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E55E(C)
|
:0041E556 80382D cmp byte ptr [eax], 2D
:0041E559 7405 je 0041E560
:0041E55B 48 dec eax
:0041E55C 3BC3 cmp eax, ebx
:0041E55E 77F6 ja 0041E556

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E554(C), :0041E559(C)
|
:0041E560 8A06 mov al, byte ptr [esi]
:0041E562 33FF xor edi, edi
:0041E564 84C0 test al, al
:0041E566 8BCE mov ecx, esi
:0041E568 7439 je 0041E5A3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E59B(C)
|
:0041E56A 3C20 cmp al, 20
:0041E56C 7427 je 0041E595
:0041E56E 3C0D cmp al, 0D
:0041E570 7423 je 0041E595
:0041E572 3C0A cmp al, 0A
:0041E574 741F je 0041E595
:0041E576 3C61 cmp al, 61
:0041E578 7C0C jl 0041E586
:0041E57A 3C7A cmp al, 7A
:0041E57C 7F08 jg 0041E586
:0041E57E 0FBEC0 movsx eax, al
====>依次取 fly 字元的HEX值
1、 ====>EAX=66
2、 ====>EAX=6C
3、 ====>EAX=79

:0041E581 83E820 sub eax, 00000020
1、 ====>EAX=66 - 20=46
2、 ====>EAX=6C - 20=4C
3、 ====>EAX=79 - 20=59

:0041E584 EB03 jmp 0041E589

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E578(C), :0041E57C(C)
|
:0041E586 0FBEC0 movsx eax, al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E584(U)
|
:0041E589 8D1440 lea edx, dword ptr [eax+2*eax]
1、 ====>EDX=46 * 3=D2
2、 ====>ECX=4C * 3=E4
3、 ====>ECX=59 * 3=10B

:0041E58C C1E203 shl edx, 03
1、 ====>EDX=66 << 3=690
2、 ====>ECX=E4 << 3=720
3、 ====>ECX=10B << 3=858

:0041E58F 2BD0 sub edx, eax
1、 ====>EDX=690 - 46=64A
2、 ====>EDX=720 - 4C=6D4
3、 ====>EDX=858 - 59=7FF

:0041E591 8D7C1713 lea edi, dword ptr [edi+edx+13]
1、 ====>EDI=0 + 64A + 13=65D
2、 ====>EDI=65D + 6D4 + 13=D44
3、 ====>EDI=D44 + 7FF + 13=1556

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E56C(C), :0041E570(C), :0041E574(C)
|
:0041E595 8A4101 mov al, byte ptr [ecx+01]
====>依次取 fly 字元

:0041E598 41 inc ecx
:0041E599 84C0 test al, al
:0041E59B 75CD jne 0041E56A
:0041E59D 85FF test edi, edi
====>EDI=1556

:0041E59F 7D02 jge 0041E5A3
:0041E5A1 F7DF neg edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E568(C), :0041E59F(C)
|
:0041E5A3 8A03 mov al, byte ptr [ebx]
:0041E5A5 8BCB mov ecx, ebx
:0041E5A7 84C0 test al, al
:0041E5A9 7410 je 0041E5BB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E5B9(C)
|
:0041E5AB 3C30 cmp al, 30
:0041E5AD 7C04 jl 0041E5B3
:0041E5AF 3C39 cmp al, 39
:0041E5B1 7E08 jle 0041E5BB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E5AD(C)
|
:0041E5B3 8A4101 mov al, byte ptr [ecx+01]
:0041E5B6 41 inc ecx
:0041E5B7 84C0 test al, al
:0041E5B9 75F0 jne 0041E5AB

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E5A9(C), :0041E5B1(C)
|
:0041E5BB 51 push ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E62E(U)
|
:0041E5BC E851340000 call 00421A12
:0041E5C1 83C404 add esp, 00000004
:0041E5C4 33C9 xor ecx, ecx
:0041E5C6 3BC7 cmp eax, edi
====>比較註冊碼！
====>EAX=00CF1974（H）=13572468（D）
====>EDI=00001556（H）=5462（D）
呵呵，明碼比較。把1556（H）轉換成10進位制值5462 就是註冊碼了！

:0041E5C8 0F94C1 sete cl
====>設標誌位

:0041E5CB 5F pop edi
:0041E5CC 5E pop esi
:0041E5CD 8BC1 mov eax, ecx
:0041E5CF 5B pop ebx
:0041E5D0 C3 ret

―――――――――――――――――――――――――――――――――
【KeyMake之記憶體序號產生器】：

中斷地址：41E5C6
中斷次數：1
第一位元組：3B
指令長度：2

暫存器方式：EDI
十進位制

―――――――――――――――――――――――――――――――――
【註冊資訊儲存】：

同資料夾下的modemspy.ini中。

rkey=5462
rname=fly

―――――――――――――――――――――――――――――――――
【整理】：

Your Name ：fly
UnLock Code：5462

―――――――――――――――――――――――――――――――――

Cracked By 巢水工作坊――fly【OCN】

2003-03-15 14:13:21

簡單演算法――Modem Spy V3.2 + Build 2002.11.10

相關文章