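Publish-iT v2.4b - Super Print Factory
Software name: Publish-iT v2.4b - Super Print Factory
Software language: English
Interface preview:
Software category: Premium software / Graphics processing / Image processing
Runtime environment: WinXP, Win2000, WinME
License type:
Software size: 1.62 MB
Software rating:
Date catalogued: 2003-4-4
Developer:
Software description
This program helps you produce professional-grade newspapers, brochures, flyers and other publications. It combines the strengths of a word processor, a graphics editor and page-layout software. You can lay out your text easily and insert any pictures you like. The "master page" feature gives your publications a consistent look.
Download address: http://www.ttdown.com/SoftView_3663.ht
[Cracking tool]: Ollydbg1.09 Chinese edition
[Procedure]:
Heh, let's get to work! Sigh ^-^ my skill level is low and many things here are poorly expressed, so corrections are welcome!
Load the program in ollydbg and run it. Enter a trial registration code in the registration box: 789456 (the program says only 5~6 digits are needed), then set
bpx GetDlgItemTextA
Shortly after pressing the OK button you arrive here: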
00453AF4 CALL DWORD PTR DS:[<&USER32.GetDlgIt> ; \GetDlgItemTextA <--- breakpoint
00453AFA PUSH Publish.00495BD0 ; ASCII "FARKEL"
00453AFF LEA EAX, [LOCAL.20] ; EAX<--0012E47C, (ASCII "789456")
00453B02 PUSH EAX
00453B03 CALL Publish.0047CB30 ; <--- is it the dead registration code "FARKEL"?
F8
----------->
|
0047CB30 MOV EDX, DWORD PTR SS:[ESP+4] ; EDX<--0012E47C, (ASCII "789456")
0047CB34 MOV ECX, DWORD PTR SS:[ESP+8] ; 00495BD0 ASCII "FARKEL"
0047CB38 TEST EDX, 3
0047CB3E JNZ SHORT Publish.0047CB7C
0047CB40 /MOV EAX, DWORD PTR DS:[EDX]
0047CB42 |CMP AL, BYTE PTR DS:[ECX]
0047CB44 |JNZ SHORT Publish.0047CB74
0047CB46 |OR AL, AL
0047CB48 |JE SHORT Publish.0047CB70
0047CB4A |CMP AH, BYTE PTR DS:[ECX+1]
0047CB4D |JNZ SHORT Publish.0047CB74
0047CB4F |OR AH, AH
0047CB51 |JE SHORT Publish.0047CB70
0047CB53 |SHR EAX, 10
0047CB56 |CMP AL, BYTE PTR DS:[ECX+2]
0047CB59 |JNZ SHORT Publish.0047CB74
0047CB5B |OR AL, AL
0047CB5D |JE SHORT Publish.0047CB70
0047CB5F |CMP AH, BYTE PTR DS:[ECX+3]
0047CB62 |JNZ SHORT Publish.0047CB74
0047CB64 |ADD ECX, 4
0047CB67 |ADD EDX, 4
0047CB6A |OR AH, AH
0047CB6C \JNZ SHORT Publish.0047CB40 ; the loop above compares character by character
0047CB6E MOV EAX, EAX
0047CB70 XOR EAX, EAX ; <-- set the flag to 0
0047CB72 RETN
0047CB73 NOP
0047CB74 SBB EAX, EAX
0047CB76 SHL EAX, 1
0047CB78 INC EAX ; <-- set the flag to non-zero
0047CB79 RETN
Return <-----------------
|
00453B08 ADD ESP, 8
00453B0B TEST EAX, EAX ; <-- test
00453B0D JNZ SHORT Publish.00453B35
00453B0F MOV WORD PTR DS:[49E280], 0
00453B18 MOV BYTE PTR DS:[49E2F8], 0
00453B1F PUSH 0 ; /Result = 0
00453B21 MOV ECX, [ARG.1] ; |
00453B24 PUSH ECX ; |hWnd
00453B25 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00453B2B MOV EAX, 1
00453B30 JMP Publish.00453D24
00453B35 XOR EDX, EDX
00453B37 MOV DL, BYTE PTR DS:[49E2F8]
00453B3D TEST EDX, EDX
00453B3F JE SHORT Publish.00453B62
00453B41 MOVSX EAX, WORD PTR DS:[49E280]
00453B48 TEST EAX, EAX
00453B4A JE SHORT Publish.00453B62
00453B4C PUSH 0 ; /Result = 0
00453B4E MOV ECX, [ARG.1] ; |
00453B51 PUSH ECX ; |hWnd
00453B52 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00453B58 MOV EAX, 1
00453B5D JMP Publish.00453D24
00453B62 CMP DWORD PTR DS:[4A00B4], 8
00453B69 JLE SHORT Publish.00453BA3
00453B6B MOV EDX, DWORD PTR DS:[4A00B4]
00453B71 ADD EDX, 1
00453B74 MOV DWORD PTR DS:[4A00B4], EDX
00453B7A PUSH 0AF ; /Arg2 = 000000AF
00453B7F MOV EAX, DWORD PTR DS:[49F0F4] ; |
00453B84 PUSH EAX ; |Arg1 => 01310236
00453B85 CALL Publish.00461D70 ; \Publish.00461D70
00453B8A ADD ESP, 8
00453B8D PUSH 0 ; /Result = 0
00453B8F MOV ECX, [ARG.1] ; |
00453B92 PUSH ECX ; |hWnd
00453B93 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00453B99 MOV EAX, 1
00453B9E JMP Publish.00453D24
00453BA3 MOV BYTE PTR SS:[EBP-56], 0
The code above jumps to here:
|
00453BA7 LEA EDX, [LOCAL.23]
00453BAA PUSH EDX
00453BAB LEA EAX, [LOCAL.20] ; EAX<--0012E47C, (ASCII "789456")
00453BAE PUSH EAX
00453BAF CALL Publish.00453EC2 ; uses the trial code to look up values in tables: "789456"-->"6i56bm"
// I don't know what this string is used for; please take a look, everyone.
F8
--------->
|
00453F3B MOV EDX, [ARG.1] ; EDX<--0012E47C, (ASCII "789456")
00453F3E MOVSX EAX, BYTE PTR DS:[EDX+3] ; EAX<--DS:[EDX+3]=34 ('4'), the 4th character
00453F42 MOVSX ECX, BYTE PTR DS:[EAX+495930] ; ECX=DS:[EAX+495930]=39 ('9')
00453F49 SUB ECX, 3
00453F4C MOV EDX, [ARG.2]
00453F4F MOV BYTE PTR DS:[EDX], CL ; CL=36 ('6')
00453F51 MOV EAX, [ARG.1] ; EAX<--0012E47C, (ASCII "789456")
00453F54 MOVSX ECX, BYTE PTR DS:[EAX] ; ECX<--DS:[EAX]=37 ('7'), the 1st character
00453F57 MOVSX EDX, BYTE PTR DS:[ECX+495900] ; EDX=DS:[ECX+495900]=68 ('h')
00453F5E ADD EDX, 1
00453F61 MOV EAX, [ARG.2]
00453F64 MOV BYTE PTR DS:[EAX+1], DL ; DL=69 ('i')
00453F67 MOV ECX, [ARG.1] ; ECX<--0012E47C, (ASCII "789456")
00453F6A MOVSX EDX, BYTE PTR DS:[ECX+1] ; EDX=DS:[ECX+1]=38 ('8')
00453F6E MOVSX EAX, BYTE PTR DS:[EDX+495910] ; EAX=DS:[EDX+495910]=34 ('4')
00453F75 ADD EAX, 1
00453F78 MOV ECX, [ARG.2]
00453F7B MOV BYTE PTR DS:[ECX+2], AL ; AL=35 ('5')
00453F7E MOV EDX, [ARG.1] ; EDX<--0012E47C, (ASCII "789456")
00453F81 MOVSX EAX, BYTE PTR DS:[EDX+2] ; EAX=DS:[EDX+2]=39 ('9')
00453F85 MOVSX ECX, BYTE PTR DS:[EAX+495920] ; ECX=DS:[EAX+495920]=32 ('2')
00453F8C ADD ECX, 4
00453F8F MOV EDX, [ARG.2]
00453F92 MOV BYTE PTR DS:[EDX+3], CL ; CL=36 ('6')
00453F95 MOV EAX, [ARG.1] ; EAX<--0012E47C, (ASCII "789456")
00453F98 MOVSX ECX, BYTE PTR DS:[EAX+5] ; ECX=DS:[EAX+5]=36 ('6')
00453F9C MOVSX EDX, BYTE PTR DS:[ECX+495950] ; EDX=DS:[ECX+495950]=64 ('d')
00453FA3 SUB EDX, 2
00453FA6 MOV EAX, [ARG.2]
00453FA9 MOV BYTE PTR DS:[EAX+4], DL ; DL=62 ('b')
00453FAC MOV ECX, [ARG.1] ; ECX<--0012E47C, (ASCII "789456")
00453FAF MOVSX EDX, BYTE PTR DS:[ECX+4] ; EDX=DS:[ECX+4]=35 ('5')
00453FB3 MOVSX EAX, BYTE PTR DS:[EDX+495940] ; EAX=DS:[EDX+495940]=68 ('h')
00453FBA ADD EAX, 5
00453FBD MOV ECX, [ARG.2]
00453FC0 MOV BYTE PTR DS:[ECX+5], AL ; AL=6D ('m')
00453FC3 POP EBP
00453FC4 RETN
--------------
|
Memory data:
00495930 61 7A 78 62 6B 69 67 68 azxbkigh
00495938 73 71 62 00 00 00 00 00 sqb.....
00495940 73 68 65 69 70 79 35 33 sheipy53
00495948 34 67 78 00 00 00 00 00 4gx.....
00495950 6C 6B 6A 76 64 71 64 72 lkjvdqdr
00495958 62 32 36 00 00 00 00 00 b26.....
00495960 77 69 78 35 39 71 61 63 wix59qac
00495968 66 67 65 00 00 00 00 00 fge.....
00495970 70 34 63 6B 71 68 62 6F p4ckqhbo
00495978 62 62 79 00 00 00 00 00 bby.....
00495980 38 32 6E 63 74 71 64 61 82nctqda
00495988 76 69 64 00 52 63 00 00 vid.Rc..
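The lookup routine at 00453F3B rewritten in C, as an added example that is not part of the original write-up: because the index is the ASCII digit itself ('0' = 0x30), each `[reg+4959x0]` operand really reads a 10-entry table that starts 0x30 bytes higher. The function, struct and array names are this example's own; the table bytes are copied from the memory dump above.

```c
#include <stddef.h>
#include <string.h>

/* One array per table base that appears in the listing. For digit d the
   byte read is at base + 0x30 + d, so [EAX+495930] reads 00495960 + d.
   Each string is the first ten bytes found at that address in the dump. */
static const char TABLE_495900[] = "azxbkighsq"; /* data at 00495930 */
static const char TABLE_495910[] = "sheipy534g"; /* data at 00495940 */
static const char TABLE_495920[] = "lkjvdqdrb2"; /* data at 00495950 */
static const char TABLE_495930[] = "wix59qacfg"; /* data at 00495960 */
static const char TABLE_495940[] = "p4ckqhbobb"; /* data at 00495970 */
static const char TABLE_495950[] = "82nctqdavi"; /* data at 00495980 */

/* One step per output byte, in the order the routine writes them:
   input position read, table used, constant added to the table byte. */
struct step { int in_pos; const char *table; int delta; };

static const struct step STEPS[6] = {
    {3, TABLE_495930, -3},   /* 00453F3E..00453F4F -> out[0] */
    {0, TABLE_495900, +1},   /* 00453F54..00453F64 -> out[1] */
    {1, TABLE_495910, +1},   /* 00453F6A..00453F7B -> out[2] */
    {2, TABLE_495920, +4},   /* 00453F81..00453F92 -> out[3] */
    {5, TABLE_495950, -2},   /* 00453F98..00453FA9 -> out[4] */
    {4, TABLE_495940, +5},   /* 00453FAF..00453FC0 -> out[5] */
};

/* Fills out[0..6] and returns 0, or returns -1 if the input is not exactly
   six ASCII digits. The length and digit checks are added by this example
   so that every table index stays inside the ten known bytes. */
int derive_string(const char *code, char out[7])
{
    if (strlen(code) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (code[i] < '0' || code[i] > '9')
            return -1;

    for (int i = 0; i < 6; i++) {
        const struct step *s = &STEPS[i];
        out[i] = (char)(s->table[code[s->in_pos] - '0'] + s->delta);
    }
    out[6] = '\0';
    return 0;
}
```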
Return <-----------------
|
00453BB4 ADD ESP, 8
00453BB7 LEA ECX, [LOCAL.20] ; ECX<--0012E47C, (ASCII "789456")
00453BBA PUSH ECX
00453BBB CALL Publish.0047E160 ; <--- convert it to hexadecimal
F8
-------------->
|
0047E0C0 PUSH EBX
0047E0C1 PUSH EBP
0047E0C2 PUSH ESI
0047E0C3 PUSH EDI
0047E0C4 MOV EDI, DWORD PTR SS:[ESP+14] ; EDI<--0012E47C, (ASCII "789456")
0047E0C8 /CMP DWORD PTR DS:[49A664], 1
0047E0CF |JLE SHORT Publish.0047E0E2
0047E0D1 |XOR EAX, EAX
0047E0D3 |PUSH 8
0047E0D5 |MOV AL, BYTE PTR DS:[EDI]
0047E0D7 |PUSH EAX
0047E0D8 |CALL Publish.00485230
0047E0DD |ADD ESP, 8
0047E0E0 |JMP SHORT Publish.0047E0F2
0047E0E2 |MOV EDX, DWORD PTR DS:[49A458] ; Publish.0049A462
0047E0E8 |XOR ECX, ECX
0047E0EA |MOV CL, BYTE PTR DS:[EDI] ; CL=DS:[EDI]=37 ('7') <-- first character of the trial code
0047E0EC |MOV AL, BYTE PTR DS:[EDX+ECX*2] ; AL=DS:[EDX+ECX*2]=84 EDX=49A462* ECX=37
0047E0EF |AND EAX, 8
0047E0F2 |TEST EAX, EAX
0047E0F4 |JE SHORT Publish.0047E0F9
0047E0F6 |INC EDI
0047E0F7 \JMP SHORT Publish.0047E0C8
0047E0F9 XOR EAX, EAX
0047E0FB MOV AL, BYTE PTR DS:[EDI] ; AL=DS:[EDI]=37 ('7')
0047E0FD INC EDI
0047E0FE MOV ESI, EAX
0047E100 CMP ESI, 2D
0047E103 MOV EBP, ESI
0047E105 JE SHORT Publish.0047E10C
0047E107 CMP ESI, 2B
0047E10A JNZ SHORT Publish.0047E113
0047E10C XOR ECX, ECX
0047E10E MOV CL, BYTE PTR DS:[EDI]
0047E110 INC EDI
0047E111 MOV ESI, ECX
0047E113 XOR EBX, EBX
0047E115 /CMP DWORD PTR DS:[49A664], 1
0047E11C |JLE SHORT Publish.0047E12B
0047E11E |PUSH 4
0047E120 |PUSH ESI
0047E121 |CALL Publish.00485230
0047E126 |ADD ESP, 8
0047E129 |JMP SHORT Publish.0047E137
0047E12B |MOV EDX, DWORD PTR DS:[49A458] ; Publish.0049A462
0047E131 |MOV AL, BYTE PTR DS:[EDX+ESI*2]
0047E134 |AND EAX, 4
0047E137 |TEST EAX, EAX
0047E139 |JE SHORT Publish.0047E14B ; ensures the registration code is numeric
0047E13B |LEA EAX, DWORD PTR DS:[EBX+EBX*4]
0047E13E |XOR ECX, ECX
0047E140 |MOV CL, BYTE PTR DS:[EDI] ; CL=DS:[EDI]=38 ('8')
0047E142 |INC EDI
0047E143 |LEA EBX, DWORD PTR DS:[ESI+EAX*2-30] ; EBX=DS:[ESI+EAX*2-30]=07...|==C0BD0
0047E147 |MOV ESI, ECX // convert it to hexadecimal
0047E149 \JMP SHORT Publish.0047E115 // the conversion is: previous value * A + next digit
0047E14B CMP EBP, 2D
0047E14E MOV EAX, EBX
0047E150 JNZ SHORT Publish.0047E154
0047E152 NEG EAX
0047E154 POP EDI
0047E155 POP ESI
0047E156 POP EBP
0047E157 POP EBX
0047E158 RETN
Memory contents at Publish.0049A462:
|
0049A460 20 00 20 00 20 00
0049A468 20 00 20 00 20 00 20 00
0049A470 20 00 20 00 28 00 28 00
0049A478 28 00 28 00 28 00 20 00
0049A480 20 00 20 00 20 00 20 00
0049A488 20 00 20 00 20 00 20 00
0049A490 20 00 20 00 20 00 20 00
0049A498 20 00 20 00 20 00 20 00
0049A4A0 20 00 48 00 10 00 10 00
0049A4A8 10 00 10 00 10 00 10 00
0049A4B0 10 00 10 00 10 00 10 00
0049A4B8 10 00 10 00 10 00 10 00
0049A4C0 10 00 84 00 84 00 84 00
0049A4C8 84 00 84 00 84 00 84 00
0049A4D0 84 00 84 00 84 00 10 00
0049A4D8 10 00 10 00 10 00 10 00
0049A4E0 10 00 10 00 81 00 81 00
0049A4E8 81 00 81 00 81 00 81 00
0049A4F0 01 00 01 00 01 00 01 00
0049A4F8 01 00 01 00 01 00 01 00
0049A500 01 00 01 00 01 00 01 00
0049A508 01 00 01 00 01 00 01 00
0049A510 01 00 01 00 01 00 01 00
0049A518 10 00 10 00 10 00 10 00
0049A520 10 00 10 00 82 00 82 00
0049A528 82 00 82 00 82 00 82 00
0049A530 02 00 02 00 02 00 02 00
0049A538 02 00 02 00 02 00 02 00
0049A540 02 00 02 00 02 00 02 00
0049A548 02 00 02 00 02 00 02 00
0049A550 02 00 02 00 02 00 02 00
0049A558 10 00 10 00 10 00 10 00
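Summary of the calculation above: the range of values allowed in the registration code
1. In the first comparison loop, the hex value of a character of the string from the second calculation, multiplied by 2, is used as an index into the table in memory starting at 0049A460. The value found is ANDed with 8; if the result is 0, execution moves on to the second comparison loop.
2. In the second comparison loop, the hex value of a character of the string from the second calculation, multiplied by 2, is used as an index into the table in memory starting at 0049A460. The value found is ANDed with 4; if the result is 0 it is OVER. In other words, the table value AND 4 must not be 0.
Working through the table shows that ten values, the '84' entries, satisfy the condition. The first 84 is at offset 60h from 0049A460, so the hex value of the characters of the string from the second calculation ranges from 60/2=30 to 3A, that is, the characters of that string range over 0~9.
(The above is a standard pattern.)
This guarantees that the registration code is numeric.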
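The routine at 0047E0C0 written out in C, as an added example that is not part of the original write-up: it skips characters whose table entry has bit 8 set, accepts an optional sign, then accumulates decimal digits (entries with bit 4 set) with "previous value * 10 + digit". The flag names and function names are this example's own, and only the table entries visible in the dump for digits and whitespace are modelled.

```c
#include <stdint.h>

/* Flag bits of the 16-bit table at 0049A462. The values are the ones seen
   in the dump; the names are assumptions of this example. */
#define F_DIGIT   0x04   /* tested by AND EAX, 4 at 0047E134 */
#define F_SPACE   0x08   /* tested by AND EAX, 8 at 0047E0EF */
#define F_CONTROL 0x20
#define F_BLANK   0x40
#define F_HEX     0x80

/* Table entry for character c, i.e. the word at 0049A462 + 2*c. Only the
   entries this routine depends on are modelled; every other character
   returns 0 here although the real table holds other flags for it. */
static uint16_t table_entry(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return F_HEX | F_DIGIT;         /* 0x84 in the dump */
    if (c == ' ')
        return F_BLANK | F_SPACE;       /* 0x48 in the dump */
    if (c >= 0x09 && c <= 0x0D)
        return F_CONTROL | F_SPACE;     /* 0x28 in the dump */
    return 0;
}

/* Decimal string to 32-bit integer, following the listing step by step. */
int32_t parse_decimal(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;   /* EDI */

    while (table_entry(*p) & F_SPACE)     /* loop 0047E0C8..0047E0F7 */
        p++;

    unsigned c = *p++;                    /* ESI: current character */
    unsigned sign = c;                    /* EBP: remembered for the NEG */
    if (c == '-' || c == '+')             /* CMP ESI, 2D / CMP ESI, 2B */
        c = *p++;

    uint32_t total = 0;                   /* EBX */
    while (table_entry((unsigned char)c) & F_DIGIT) {   /* 0047E115..0047E149 */
        /* LEA EAX,[EBX+EBX*4] ; LEA EBX,[ESI+EAX*2-30] */
        total = total * 10 + (c - '0');
        c = *p++;
    }
    return sign == '-' ? -(int32_t)total : (int32_t)total;
}
```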
Return <------------
|
00453BC0 ADD ESP, 4
00453BC3 MOV [LOCAL.24], EAX ; EAX=C0BD0 <-- the trial code converted to hexadecimal
00453BC6 MOV EDX, [LOCAL.24] ; EDX=C0BD0 <-- the trial code converted to hexadecimal
00453BC9 ADD EDX, 3D0C09 ; EDX=C0BD0+3D0C09=4917D9 (first transformation of the registration code)
00453BCF PUSH EDX
00453BD0 CALL Publish.00453D2A ; <--- part 1 comparison (the comparison for removing the 21-day limit)
00453BD5 ADD ESP, 4
00453BD8 AND EAX, 0FF ; <--- take the low byte
00453BDD TEST EAX, EAX ; <--- branch according to the flag
00453BDF JE SHORT Publish.00453C20
00453BE1 CALL Publish.00453FC5
00453BE6 ADD EAX, 15B30
00453BEB MOV DWORD PTR DS:[49EFF8], EAX
00453BF0 MOV WORD PTR DS:[49E280], 1
00453BF9 PUSH 8167
00453BFE MOV EAX, [ARG.1]
00453C01 PUSH EAX
00453C02 CALL Publish.00461D8E ; <--- message that the 21-day limit has been removed
00453C07 ADD ESP, 8
00453C0A PUSH 0
00453C0C MOV ECX, [ARG.1]
00453C0F PUSH ECX
00453C10 CALL DWORD PTR DS:[<&USER32.EndDialog>]
00453C16 MOV EAX, 1
00453C1B JMP Publish.00453D24
00453C20 MOV EDX, [LOCAL.24] ; EDX=C0BD0 <-- the trial code converted to hexadecimal
00453C23 ADD EDX, 3D0A43 ; EDX=C0BD0+3D0A43= (second transformation of the registration code)
00453C29 PUSH EDX ; EDX= 491613
00453C2A CALL Publish.00453D2A ; <--- part 2 comparison (the comparison for removing the 21-day limit)
00453C2F ADD ESP, 4
00453C32 AND EAX, 0FF ; <--- take the low byte
00453C37 TEST EAX, EAX ; <--- branch according to the flag
00453C39 JE SHORT Publish.00453C81
00453C3B MOV BYTE PTR DS:[49E2F8], 1
00453C42 CALL Publish.00453FC5
00453C47 ADD EAX, 15194
00453C4C MOV DWORD PTR DS:[49EFF8], EAX
00453C51 MOV WORD PTR DS:[49E280], 1
00453C5A PUSH 8168
00453C5F MOV EAX, [ARG.1]
00453C62 PUSH EAX
00453C63 CALL Publish.00461D8E ; <--- the "registration successful" message box
00453C68 ADD ESP, 8
00453C6B PUSH 0
00453C6D MOV ECX, [ARG.1]
00453C70 PUSH ECX
00453C71 CALL DWORD PTR DS:[<&USER32.EndDialog>]
00453C77 MOV EAX, 1
00453C7C JMP Publish.00453D24
00453C81 MOV EDX, [LOCAL.24] ; EDX=C0BD0 <-- the trial code converted to hexadecimal
00453C84 ADD EDX, 3D09A7 ; EDX=C0BD0+3D09A7 (third transformation of the registration code)
00453C8A PUSH EDX ; EDX= 00491577
00453C8B CALL Publish.00453D2A ; <--- part 3 comparison (the Pro edition comparison)
00453C90 ADD ESP, 4
00453C93 AND EAX, 0FF ; <--- take the low byte
00453C98 TEST EAX, EAX ; <--- branch according to the flag
00453C9A JE SHORT Publish.00453D03
00453C9C MOVSX EAX, WORD PTR DS:[49E280]
00453CA3 CMP EAX, 1
00453CA6 JE SHORT Publish.00453CC0 ; <--- branch according to the flag
00453CA8 PUSH 8169
00453CAD MOV ECX, [ARG.1]
00453CB0 PUSH ECX
00453CB1 CALL Publish.00461D8E ; <--- OVER
00453CB6 ADD ESP, 8
00453CB9 MOV EAX, 1
00453CBE JMP SHORT Publish.00453D24
00453CC0 MOV BYTE PTR DS:[49E2F8], 1
00453CC7 CALL Publish.00453FC5
00453CCC ADD EAX, 15194
00453CD1 MOV DWORD PTR DS:[49EFF8], EAX
00453CD6 MOV WORD PTR DS:[49E280], 1
00453CDF PUSH 8168
00453CE4 MOV EDX, [ARG.1]
00453CE7 PUSH EDX
00453CE8 CALL Publish.00461D8E ; <--- the Pro edition "registration successful" message box
00453CED ADD ESP, 8
00453CF0 PUSH 0
00453CF2 MOV EAX, [ARG.1]
00453CF5 PUSH EAX
00453CF6 CALL DWORD PTR DS:[<&USER32.EndDialog>]
00453CFC MOV EAX, 1
00453D01 JMP SHORT Publish.00453D24
00453D03 PUSH 0AF
00453D08 MOV ECX, DWORD PTR DS:[49F0F4]
00453D0E PUSH ECX
00453D0F CALL Publish.00461D70 ; <--- OVER
00453D14 ADD ESP, 8
00453D17 MOV EAX, 1
00453D1C JMP SHORT Publish.00453D24
00453D1E XOR EAX, EAX
00453D20 JMP SHORT Publish.00453D24
00453D22 XOR EAX, EAX
00453D24 MOV ESP, EBP
00453D26 POP EBP
00453D27 RETN 10
====================================================
CALL Publish.00453D2A ; <--- the important part: where the calculation and the comparison with the registration code take place
|
00453D2A PUSH EBP
00453D2B MOV EBP, ESP
00453D2D SUB ESP, 14
00453D30 CALL Publish.00453DF2
F8
---------->
|
00453DF2 PUSH EBP
00453DF3 MOV EBP, ESP
00453DF5 SUB ESP, 10
00453DF8 MOV [LOCAL.4], 0
00453DFF MOV [LOCAL.3], 0
00453E06 JMP SHORT Publish.00453E11
00453E08 /MOV EAX, [LOCAL.3]
00453E0B |ADD EAX, 1
00453E0E |MOV [LOCAL.3], EAX
00453E11 |CMP [LOCAL.3], 0C
00453E15 |JGE SHORT Publish.00453E49
00453E17 |PUSH 3
00453E19 |MOV ECX, [LOCAL.3]
00453E1C |MOV EDX, DWORD PTR DS:[ECX*4+495BD8]
00453E23 |PUSH EDX
00453E24 |PUSH Publish.004958E8 ; ASCII "Apr 8 2003"
00453E29 |CALL Publish.0047B4A0
00453E2E |ADD ESP, 0C
00453E31 |TEST EAX, EAX
00453E33 |JNZ SHORT Publish.00453E37
00453E35 |JMP SHORT Publish.00453E49
00453E37 |MOV EAX, [LOCAL.3]
00453E3A |MOV ECX, [LOCAL.4]
00453E3D |ADD ECX, DWORD PTR DS:[EAX*4+495900]
00453E44 |MOV [LOCAL.4], ECX
00453E47 \JMP SHORT Publish.00453E08
00453E49 PUSH Publish.004958EC ; ASCII " 8 2003"
00453E4E CALL Publish.0047E160 ; EAX=8 EBX=68CA38
00453E53 ADD ESP, 4
00453E56 MOV EDX, [LOCAL.4] ; EDX=5A
00453E59 ADD EDX, EAX ; EDX=5A+8=62
00453E5B MOV [LOCAL.4], EDX
00453E5E PUSH Publish.004958EE ; ASCII " 2003"
00453E63 CALL Publish.0047E160 ; convert "2003" to hexadecimal
00453E68 ADD ESP, 4
00453E6B SUB EAX, 7B2 ; EAX=7D3-7B2=21
00453E70 MOV [LOCAL.1], EAX ; EAX=21
00453E73 MOV EAX, [LOCAL.1] ; EAX=21
00453E76 IMUL EAX, EAX, 16D ; EAX=21*16D=2F0D
00453E7C MOV ECX, [LOCAL.4] ; ECX=62
00453E7F ADD ECX, EAX ; ECX=2F0D+62=2F6F
00453E81 MOV EAX, [LOCAL.1] ; EAX=21
00453E84 CDQ
00453E85 AND EDX, 3
00453E88 ADD EAX, EDX
00453E8A SAR EAX, 2 ; EAX=8
00453E8D ADD ECX, EAX ; ECX=2F6F+8=2F77
00453E8F MOV [LOCAL.4], ECX ; ECX=2F6F+8=2F77
00453E92 MOV EDX, [LOCAL.4] ; EDX=2F6F+8=2F77
00453E95 SUB EDX, 1
00453E98 IMUL EDX, EDX, 18 ; EDX=2F76*18=
00453E9B IMUL EDX, EDX, 0E10 ; EDX=47310*E10=
00453EA1 MOV [LOCAL.4], EDX ; EDX=3E921100
00453EA4 LEA EAX, [LOCAL.2]
00453EA7 PUSH EAX
00453EA8 CALL Publish.0047C6A0
00453EAD ADD ESP, 4
00453EB0 MOV ECX, [LOCAL.2] ; ECX=3E96D071
00453EB3 CMP ECX, [LOCAL.4] ; SS:[12E42C]=3E921100
00453EB6 JGE SHORT Publish.00453EBC
00453EB8 XOR AL, AL
00453EBA JMP SHORT Publish.00453EBE
00453EBC MOV AL, 1
00453EBE MOV ESP, EBP
00453EC0 POP EBP
00453EC1 RETN
This call performs a calculation on the ASCII string "Apr 8 2003".
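What the routine at 00453DF2 computes, written out in C as an added example (not code from the original write-up): it converts the embedded build date into seconds since 1970 and reports whether the current clock value is at or after it, so a clock set earlier than the build date makes the check return 0. Assumptions of this example: 0047C6A0 behaves like `time()`, the two tables hold month abbreviations and days per month (the page does not dump them), and the date string pads the day to two columns so that offsets 4 and 6 match 004958EC and 004958EE.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed contents of the pointer table at 495BD8 and the value table the
   loop adds from. They reproduce the 5A (90 days before April) shown in
   the listing. */
static const char *const MONTH_NAMES[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};
static const int MONTH_DAYS[12] = {
    31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
};

/* Seconds from 1970-01-01 to midnight of a date such as "Apr  8 2003".
   Returns -1 for a string that is too short or has an unknown month
   (checks added by this example; the listing has none). */
long build_date_to_epoch(const char *date)
{
    if (strlen(date) < 11)
        return -1;

    long days = 0;                                  /* [LOCAL.4] */
    int i;
    for (i = 0; i < 12; i++) {                      /* 00453E08..00453E47 */
        if (strncmp(date, MONTH_NAMES[i], 3) == 0)  /* 3-character compare */
            break;
        days += MONTH_DAYS[i];                      /* months already past */
    }
    if (i == 12)
        return -1;

    days += atoi(date + 4);                 /* " 8 2003" -> 8 */
    int years = atoi(date + 6) - 1970;      /* " 2003" -> 7D3, SUB EAX, 7B2 */
    days += years * 365L;                   /* IMUL EAX, EAX, 16D */
    days += years / 4;                      /* CDQ / AND 3 / ADD / SAR 2 */

    return (days - 1) * 24 * 3600;          /* SUB 1, IMUL 18, IMUL 0E10 */
}

/* The final CMP/JGE: 1 when the clock is at or after the build date. */
int clock_not_before_build(long now, const char *date)
{
    return now >= build_date_to_epoch(date) ? 1 : 0;
}
```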
Return <-----------
|
00453D35 AND EAX, 0FF
00453D3A TEST EAX, EAX
00453D3C JNZ SHORT Publish.00453D45
00453D3E XOR AL, AL
00453D40 JMP Publish.00453DEE
00453D45 LEA EAX, [LOCAL.1]
00453D48 PUSH EAX
00453D49 CALL Publish.0047C6A0 ; <---- computes a parameter and stores it at a specific memory address
00453D4E ADD ESP, 4
00453D51 LEA ECX, [LOCAL.1]
00453D54 PUSH ECX
00453D55 CALL Publish.0047E170 ; <---- computes a parameter and stores it at a specific memory address
00453D5A ADD ESP, 4
00453D5D MOV [LOCAL.4], EAX ; EAX=4A1EC0
00453D60 MOV EDX, [LOCAL.4] ; EDX=4A1EC0
00453D63 MOV EAX, DWORD PTR DS:[EDX+1C]
00453D66 CDQ
00453D67 MOV ECX, 7
00453D6C IDIV ECX
00453D6E ADD EAX, 1
00453D71 MOV [LOCAL.3], EAX
00453D74 MOV EDX, [LOCAL.4]
00453D77 MOV EAX, DWORD PTR DS:[EDX+14] ; EAX=67 ('g')
00453D7A MOV ECX, [LOCAL.3]
00453D7D LEA EDX, DWORD PTR DS:[EAX+ECX*4+76C] ; EDX=80F <--- the base parameter of the calculation (obtained from the computation above)
00453D84 MOV [LOCAL.2], EDX
00453D87 MOV EAX, [LOCAL.2]
00453D8A IMUL EAX, [LOCAL.2]
00453D8E MOV [LOCAL.5], EAX ; EAX=40F0E1
00453D91 MOV ECX, [LOCAL.2] ; ECX=80F
00453D94 IMUL ECX, [LOCAL.2] ; ECX=ECX*ECX
00453D98 CMP [ARG.1], ECX ; SS:[12E460]=4917D9 <-- value computed from the trial code; ECX=40F0E1 (first fixed value)
00453D9B JNZ SHORT Publish.00453DA1
00453D9D MOV AL, 1 ; <--- set the success flag
00453D9F JMP SHORT Publish.00453DEE
00453DA1 MOV EDX, [LOCAL.2]
00453DA4 ADD EDX, 4 ; EDX=80F+4=813
00453DA7 MOV [LOCAL.2], EDX
00453DAA MOV EAX, [LOCAL.2]
00453DAD IMUL EAX, [LOCAL.2] ; EAX=EAX*EAX
00453DB1 CMP [ARG.1], EAX ; SS:[12E460]=4917D9 <-- value computed from the trial code; EAX=413169 (second fixed value)
00453DB4 JNZ SHORT Publish.00453DBA
00453DB6 MOV AL, 1 ; <--- set the success flag
00453DB8 JMP SHORT Publish.00453DEE
00453DBA MOV ECX, [LOCAL.2]
00453DBD SUB ECX, 8 ; ECX=813-8=80B
00453DC0 MOV [LOCAL.2], ECX
00453DC3 MOV EDX, [LOCAL.2]
00453DC6 IMUL EDX, [LOCAL.2] ; EDX=EDX*EDX
00453DCA CMP [ARG.1], EDX ; SS:[12E460]=4917D9 <-- value computed from the trial code; EDX=40B079 (third fixed value)
00453DCD JNZ SHORT Publish.00453DD3
00453DCF MOV AL, 1 ; <--- set the success flag
00453DD1 JMP SHORT Publish.00453DEE
00453DD3 MOV EAX, [LOCAL.2]
00453DD6 SUB EAX, 4 ; EAX=80B-4=807
00453DD9 MOV [LOCAL.2], EAX
00453DDC MOV ECX, [LOCAL.2]
00453DDF IMUL ECX, [LOCAL.2] ; ECX=ECX*ECX
00453DE3 CMP [ARG.1], ECX ; SS:[12E460]=4917D9 <-- value computed from the trial code; ECX=407031 (fourth fixed value)
00453DE6 JNZ SHORT Publish.00453DEC
00453DE8 MOV AL, 1 ; <--- set the success flag
00453DEA JMP SHORT Publish.00453DEE
00453DEC XOR AL, AL
00453DEE MOV ESP, EBP
00453DF0 POP EBP
00453DF1 RETN
****************************************
Below is where the base parameter is calculated. It is too complicated, but the value obtained is fixed, so it is not analysed here.
|
0047C742 |> 8B5424 00 MOV EDX, DWORD PTR SS:[ESP]
0047C746 |. 8B4C24 04 MOV ECX, DWORD PTR SS:[ESP+4]
0047C74A |. 8915 C81B4A00 MOV DWORD PTR DS:[4A1BC8], EDX
0047C750 |. 8B5424 08 MOV EDX, DWORD PTR SS:[ESP+8]
0047C754 |. 890D CC1B4A00 MOV DWORD PTR DS:[4A1BCC], ECX
0047C75A |. 8B4C24 0C MOV ECX, DWORD PTR SS:[ESP+C]
0047C75E |. A3 C01B4A00 MOV DWORD PTR DS:[4A1BC0], EAX
0047C763 |. 8915 D01B4A00 MOV DWORD PTR DS:[4A1BD0], EDX
0047C769 |. 890D D41B4A00 MOV DWORD PTR DS:[4A1BD4], ECX
0047C76F |> 8B5424 1C MOV EDX, DWORD PTR SS:[ESP+1C]
0047C773 |. 8B4C24 18 MOV ECX, DWORD PTR SS:[ESP+18]
0047C777 |. 50 PUSH EAX
0047C778 |. 8B4424 1E MOV EAX, DWORD PTR SS:[ESP+1E]
0047C77C |. 81E2 FFFF0000 AND EDX, 0FFFF
0047C782 |. 25 FFFF0000 AND EAX, 0FFFF
0047C787 |. 52 PUSH EDX
0047C788 |. 8B5424 1E MOV EDX, DWORD PTR SS:[ESP+1E]
0047C78C |. 81E1 FFFF0000 AND ECX, 0FFFF
0047C792 |. 50 PUSH EAX
0047C793 |. 8B4424 1E MOV EAX, DWORD PTR SS:[ESP+1E]
0047C797 |. 51 PUSH ECX
0047C798 |. 8B4C24 20 MOV ECX, DWORD PTR SS:[ESP+20]
0047C79C |. 81E2 FFFF0000 AND EDX, 0FFFF
0047C7A2 |. 25 FFFF0000 AND EAX, 0FFFF
0047C7A7 |. 52 PUSH EDX
0047C7A8 |. 81E1 FFFF0000 AND ECX, 0FFFF
0047C7AE |. 50 PUSH EAX
0047C7AF |. 51 PUSH ECX
0047C7B0 |. E8 1B810000 CALL Publish.004848D0
0047C7B5 |. 8B8C24 EC0000> MOV ECX, DWORD PTR SS:[ESP+EC]
0047C7BC |. 83C4 1C ADD ESP, 1C
0047C7BF |. 85C9 TEST ECX, ECX
0047C7C1 |. 74 02 JE SHORT Publish.0047C7C5
0047C7C3 |. 8901 MOV DWORD PTR DS:[ECX], EAX
0047C7C5 |> 81C4 CC000000 ADD ESP, 0CC
0047C7CB \. C3 RETN
00487330 /$ 53 PUSH EBX
00487331 |. 8B5C24 08 MOV EBX, DWORD PTR SS:[ESP+8]
00487335 |. 56 PUSH ESI
00487336 |. 33F6 XOR ESI, ESI
00487338 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
0048733A |. 85C9 TEST ECX, ECX
0048733C |. 7D 05 JGE SHORT Publish.00487343
0048733E |. 33C0 XOR EAX, EAX
00487340 |. 5E POP ESI
00487341 |. 5B POP EBX
00487342 |. C3 RETN
00487343 |> B8 792D0311 MOV EAX, 11032D79
00487348 |. 57 PUSH EDI
00487349 |. F7E9 IMUL ECX
0048734B |. C1FA 17 SAR EDX, 17
0048734E |. 8BC2 MOV EAX, EDX
00487350 |. 55 PUSH EBP
00487351 |. C1E8 1F SHR EAX, 1F
00487354 |. 03D0 ADD EDX, EAX
00487356 |. 8BC2 MOV EAX, EDX
00487358 |. 69C0 80E079F8 IMUL EAX, EAX, F879E080
0048735E |. 03C8 ADD ECX, EAX
00487360 |. 8D0495 460000> LEA EAX, DWORD PTR DS:[EDX*4+46]
00487367 |. 81F9 8033E101 CMP ECX, 1E13380
0048736D |. 7C 2C JL SHORT Publish.0048739B
0048736F |. 81E9 8033E101 SUB ECX, 1E13380
00487375 |. 40 INC EAX
00487376 |. 81F9 8033E101 CMP ECX, 1E13380
0048737C |. 7C 1D JL SHORT Publish.0048739B
0048737E |. 81E9 8033E101 SUB ECX, 1E13380
00487384 |. 40 INC EAX
00487385 |. 81F9 0085E201 CMP ECX, 1E28500
0048738B |. 7C 09 JL SHORT Publish.00487396
0048738D |. 40 INC EAX
0048738E |. 81E9 0085E201 SUB ECX, 1E28500
00487394 |. EB 05 JMP SHORT Publish.0048739B
00487396 |> BE 01000000 MOV ESI, 1
0048739B |> A3 D41E4A00 MOV DWORD PTR DS:[4A1ED4], EAX
004873A0 |. B8 07452EC2 MOV EAX, C22E4507
004873A5 |. F7E9 IMUL ECX
004873A7 |. 8BC2 MOV EAX, EDX
004873A9 |. BF F0A94900 MOV EDI, Publish.0049A9F0
004873AE |. 03C1 ADD EAX, ECX
004873B0 |. C1F8 10 SAR EAX, 10
004873B3 |. 8BD0 MOV EDX, EAX
004873B5 |. C1EA 1F SHR EDX, 1F
004873B8 |. 03C2 ADD EAX, EDX
004873BA |. 8BD0 MOV EDX, EAX
004873BC |. A3 DC1E4A00 MOV DWORD PTR DS:[4A1EDC], EAX
004873C1 |. C1E2 04 SHL EDX, 4
004873C4 |. 2BD0 SUB EDX, EAX
004873C6 |. F7DA NEG EDX
004873C8 |. 8D1492 LEA EDX, DWORD PTR DS:[EDX+EDX*4]
004873CB |. 8D14D2 LEA EDX, DWORD PTR DS:[EDX+EDX*8]
004873CE |. C1E2 07 SHL EDX, 7
004873D1 |. 03CA ADD ECX, EDX
004873D3 |. 85F6 TEST ESI, ESI
004873D5 |. 75 05 JNZ SHORT Publish.004873DC
004873D7 |. BF 28AA4900 MOV EDI, Publish.0049AA28
004873DC |> 8B6F 04 MOV EBP, DWORD PTR DS:[EDI+4]
004873DF |. 8D77 04 LEA ESI, DWORD PTR DS:[EDI+4]
004873E2 |. 3BE8 CMP EBP, EAX
004873E4 |. BA 01000000 MOV EDX, 1
004873E9 |. 7D 0B JGE SHORT Publish.004873F6
004873EB |> 8B6E 04 /MOV EBP, DWORD PTR DS:[ESI+4]
004873EE |. 83C6 04 |ADD ESI, 4
004873F1 |. 42 |INC EDX
004873F2 |. 3BE8 |CMP EBP, EAX
004873F4 |.^ 7C F5 \JL SHORT Publish.004873EB
004873F6 |> 8B6C97 FC MOV EBP, DWORD PTR DS:[EDI+EDX*4-4]
004873FA |. 4A DEC EDX
004873FB |. 2BC5 SUB EAX, EBP
004873FD |. 8915 D01E4A00 MOV DWORD PTR DS:[4A1ED0], EDX
00487403 |. A3 CC1E4A00 MOV DWORD PTR DS:[4A1ECC], EAX
00487408 |. 8B33 MOV ESI, DWORD PTR DS:[EBX]
0048740A |. B8 07452EC2 MOV EAX, C22E4507
0048740F |. 5D POP EBP
00487410 |. F7EE IMUL ESI
00487412 |. 03D6 ADD EDX, ESI
00487414 |. BE 07000000 MOV ESI, 7
00487419 |. C1FA 10 SAR EDX, 10
0048741C |. 8BC2 MOV EAX, EDX
0048741E |. 5F POP EDI
0048741F |. C1E8 1F SHR EAX, 1F
00487422 |. C705 E01E4A00> MOV DWORD PTR DS:[4A1EE0], 0
0048742C |. 8D4402 04 LEA EAX, DWORD PTR DS:[EDX+EAX+4]
00487430 |. 99 CDQ
00487431 |. F7FE IDIV ESI
00487433 |. B8 C5B3A291 MOV EAX, 91A2B3C5
00487438 |. 5E POP ESI
00487439 |. 5B POP EBX
0048743A |. 8915 D81E4A00 MOV DWORD PTR DS:[4A1ED8], EDX
00487440 |. F7E9 IMUL ECX
00487442 |. 03D1 ADD EDX, ECX
00487444 |. C1FA 0B SAR EDX, 0B
00487447 |. 8BC2 MOV EAX, EDX
00487449 |. C1E8 1F SHR EAX, 1F
0048744C |. 03D0 ADD EDX, EAX
0048744E |. B8 89888888 MOV EAX, 88888889
00487453 |. 8915 C81E4A00 MOV DWORD PTR DS:[4A1EC8], EDX
00487459 |. 69D2 F0F1FFFF IMUL EDX, EDX, -0E10
0048745F |. 03CA ADD ECX, EDX
00487461 |. F7E9 IMUL ECX
00487463 |. 03D1 ADD EDX, ECX
00487465 |. C1FA 05 SAR EDX, 5
00487468 |. 8BC2 MOV EAX, EDX
0048746A |. C1E8 1F SHR EAX, 1F
0048746D |. 03D0 ADD EDX, EAX
0048746F |. 8915 C41E4A00 MOV DWORD PTR DS:[4A1EC4], EDX
00487475 |. 8D0452 LEA EAX, DWORD PTR DS:[EDX+EDX*2]
00487478 |. 8D1480 LEA EDX, DWORD PTR DS:[EAX+EAX*4]
0048747B |. B8 C01E4A00 MOV EAX, Publish.004A1EC0
00487480 |. C1E2 02 SHL EDX, 2
00487483 |. 2BCA SUB ECX, EDX
00487485 |. 890D C01E4A00 MOV DWORD PTR DS:[4A1EC0], ECX
0048748B \. C3 RETN
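====================================================
At this point the tracing of the registration algorithm is complete. Next, let's analyse how the registration code is calculated.
(According to the prompt, the length is 5~6 digits.)
The analysis shows that the registration code falls into three cases, each with 4 codes that satisfy the conditions.
1. Edition with the 21-day limit removed, priced $12.
Calculation:
1.) hex value of the registration code + 3D0C09 = 40F0E1
Inverting the calculation: registration code = 40F0E1-3D0C09=3E4D8(H) ==> 255192
2.) hex value of the registration code + 3D0C09 = 413169
Inverting the calculation: registration code = 413169-3D0C09=4258D(H) ==> 271757
3.) hex value of the registration code + 3D0C09 = 40B079
Inverting the calculation: registration code = 40B079-3D0C09=3A470(H) ==> 238704
4.) hex value of the registration code + 3D0C09 = 407031
Inverting the calculation: registration code = 407031-3D0C09=36428(H) ==> 222248
2. Edition with the 21-day limit removed, priced $15.
Calculation:
1.) hex value of the registration code + 3D0A43 = 40F0E1
Inverting the calculation: registration code = 40F0E1-3D0A43=3E69E(H) ==> 255646
2.) hex value of the registration code + 3D0A43 = 413169
Inverting the calculation: registration code = 413169-3D0A43=42726(H) ==> 272166
3.) hex value of the registration code + 3D0A43 = 40B079
Inverting the calculation: registration code = 40B079-3D0A43=3A636(H) ==> 239158
4.) hex value of the registration code + 3D0A43 = 407031
Inverting the calculation: registration code = 407031-3D0A43=365EE(H) ==> 222702
3. PRO edition, priced $200.
Calculation:
1.) hex value of the registration code + 3D09A7 = 40F0E1
Inverting the calculation: registration code = 40F0E1-3D09A7=3E73A(H) ==> 255802
2.) hex value of the registration code + 3D09A7 = 413169
Inverting the calculation: registration code = 413169-3D09A7=427C2(H) ==> 272322
3.) hex value of the registration code + 3D09A7 = 40B079
Inverting the calculation: registration code = 40B079-3D09A7=3A6D2(H) ==> 239314
4.) hex value of the registration code + 3D09A7 = 407031
Inverting the calculation: registration code = 407031-3D09A7=3668A(H) ==> 222858
Cracked by fxyang[OCN]
2003.4.12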