查詢漢字筆畫 V1.1
標 題:查詢漢字筆畫 V1.1
發信人:fly
時 間:2003/04/19 01:12pm
詳細資訊:
下載頁面:http://gaoasp.nease.net/doc/hzbh.htm
軟體大小:538K
執行環境:Windows
9x/NT/2000
【軟體簡介】:可查詢任一漢字或一段漢字的筆畫,功能經擴充套件後可用於教學、娛樂、文書處理等領域,如兒童識字、筆畫算命以及需要按筆畫排序處理等方面的應用
【軟體限制】:NAG
【作者宣告】:初學Crack,只是感興趣,沒有其它目的。失誤之處敬請諸位大俠賜教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 9.0白金版
―――――――――――――――――――――――――――――――――
【過 程】:
hzbh.exe
無殼。Visual C++ 6.0 編寫。
使用者名稱:FLY
試煉碼:13572468
反彙編,根據出錯提示很容易就找到核心了。
―――――――――――――――――――――――――――――――――
:004025B1 E8D60C0000 Call
0040328C
:004025B6 8D442424
lea eax, dword ptr [esp+24]
:004025BA 8D4C2418
lea ecx, dword ptr [esp+18]
:004025BE 50
push eax
:004025BF
51 push
ecx
:004025C0 57
push edi
:004025C1 683F000F00
push 000F003F
:004025C6 57
push edi
*
Possible StringData Ref from Data Obj ->"REG_SZ"
|
:004025C7 6814CA4000
push 0040CA14
:004025CC 57
push edi
*
Possible StringData Ref from Data Obj ->"SOFTWARE\HZBH"
|
:004025CD 6804CA4000
push 0040CA04
:004025D2 6802000080
push 80000002
:004025D7 C644245801
mov [esp+58], 01
:004025DC C7442448FF000000
mov [esp+48], 000000FF
:004025E4 897C2440
mov dword ptr [esp+40], edi
*
Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:004025E8 FF1500404000 Call
dword ptr [00404000]
:004025EE 3BC7
cmp eax, edi
:004025F0 0F854C010000
jne 00402742
:004025F6 8D542410
lea edx, dword ptr [esp+10]
:004025FA 8BCE
mov ecx,
esi
:004025FC 52
push edx
:004025FD 68F1030000
push 000003F1
*
Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00402602
E8E50C0000 Call 004032EC
:00402607
8D442414 lea eax, dword
ptr [esp+14]
:0040260B 8BCE
mov ecx, esi
:0040260D 50
push eax
:0040260E 68F2030000
push 000003F2
*
Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00402613
E8D40C0000 Call 004032EC
:00402618
8D4C2410 lea ecx, dword
ptr [esp+10]
* Reference
To: MFC42.Ordinal:188A, Ord:188Ah
|
:0040261C
E80D0D0000 Call 0040332E
:00402621
8D4C2410 lea ecx, dword
ptr [esp+10]
* Reference
To: MFC42.Ordinal:188B, Ord:188Bh
|
:00402625
E8FE0C0000 Call 00403328
:0040262A
8D4C2414 lea ecx, dword
ptr [esp+14]
* Reference
To: MFC42.Ordinal:188A, Ord:188Ah
|
:0040262E
E8FB0C0000 Call 0040332E
:00402633
8D4C2414 lea ecx, dword
ptr [esp+14]
* Reference
To: MFC42.Ordinal:188B, Ord:188Bh
|
:00402637
E8EC0C0000 Call 00403328
:0040263C
8D4C2410 lea ecx, dword
ptr [esp+10]
* Reference
To: MFC42.Ordinal:106A, Ord:106Ah
|
:00402640
E8DD0C0000 Call 00403322
====>把使用者名稱轉換成小寫字母
:00402645
8B4C2410 mov ecx, dword
ptr [esp+10]
====>ECX=fly
呵呵,取使用者名稱的小寫字母運算
:00402649
8B542414 mov edx, dword
ptr [esp+14]
====>EDX=13572468
:0040264D
8B79F8 mov edi,
dword ptr [ecx-08]
====>EDI=3
使用者名稱長度
:00402650
8B6AF8 mov ebp,
dword ptr [edx-08]
====>EBP=8
試煉碼長度
:00402653
47 inc
edi
:00402654 8D4C2410 lea
ecx, dword ptr [esp+10]
:00402658 57
push edi
:00402659 45
inc ebp
*
Reference To: MFC42.Ordinal:0B63, Ord:0B63h
|
:0040265A
E8BD0C0000 Call 0040331C
:0040265F
55 push
ebp
:00402660 8D4C2418 lea
ecx, dword ptr [esp+18]
:00402664 89442424
mov dword ptr [esp+24], eax
*
Reference To: MFC42.Ordinal:0B63, Ord:0B63h
|
:00402668
E8AF0C0000 Call 0040331C
:0040266D
8BD8 mov
ebx, eax
:0040266F 8D4FFF
lea ecx, dword ptr [edi-01]
:00402672 33C0
xor eax, eax
:00402674 895C2428
mov dword ptr [esp+28],
ebx
:00402678 85C9
test ecx, ecx
:0040267A 761C
jbe 00402698
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402692(C)
|
:0040267C
8B5C2420 mov ebx, dword
ptr [esp+20]
====>EBX=[esp+20]=fly
:00402680
33D2 xor
edx, edx
:00402682 8A1418
mov dl, byte ptr [eax+ebx]
====>依次取fly字元的HEX值
1、 ====>DL=66
2、 ====>DL=6C
3、 ====>DL=79
:00402685
8B5C241C mov ebx, dword
ptr [esp+1C]
:00402689 03DA
add ebx, edx
1、 ====>EDX=66
+ 00=66
2、 ====>EDX=6C + 66=D2
3、
====>EDX=79 + D2=14B
:0040268B
40 inc
eax
:0040268C 3BC1
cmp eax, ecx
:0040268E 895C241C
mov dword ptr [esp+1C], ebx
:00402692 72E8
jb 0040267C
====>迴圈累加使用者名稱字元的HEX值
:00402694
8B5C2428 mov ebx, dword
ptr [esp+28]
====>EBX=13572468
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040267A(C)
|
:00402698
53 push
ebx
* Reference To:
MSVCRT.atol, Ord:023Eh
|
:00402699 FF1578424000
Call dword ptr [00404278]
====>求13572468的16進位制值:EAX=00CF1974
:0040269F
8B4C2420 mov ecx, dword
ptr [esp+20]
====>ECX=0000014B
:004026A3
83C404 add esp,
00000004
:004026A6 3BC8
cmp ecx, eax
====>比較了!
====>ECX=0000014B 使用者名稱字元HEX值累加的結果
====>EAX=00CF1974 試煉碼的16進位制值
:004026A8
7577 jne
00402721
====>跳則OVER!
爆破點 ①
:004026AA
83FF01 cmp edi,
00000001
====>使用者名稱長度要至少1位
:004026AD
7672 jbe
00402721
====>跳則OVER!
爆破點 ②
:004026AF
83FD01 cmp ebp,
00000001
====>註冊碼長度要至少1位
:004026B2
766D jbe
00402721
====>跳則OVER!
爆破點 ②
:004026B4
8B442420 mov eax, dword
ptr [esp+20]
:004026B8 8B4C2418
mov ecx, dword ptr [esp+18]
:004026BC 57
push edi
*
Reference To: ADVAPI32.RegSetvalueExA, Ord:0186h
|
:004026BD 8B3D08404000 mov
edi, dword ptr [00404008]
:004026C3 50
push eax
:004026C4 6A01
push 00000001
:004026C6 6A00
push 00000000
====>下面儲存註冊資訊
*
Possible StringData Ref from Data Obj ->"UserName"
|
:004026C8 68F8C94000
push 0040C9F8
:004026CD 51
push ecx
:004026CE FFD7
call edi
:004026D0 8B542418
mov edx, dword ptr [esp+18]
:004026D4
55 push
ebp
:004026D5 53
push ebx
:004026D6 6A01
push 00000001
:004026D8 6A00
push 00000000
*
Possible StringData Ref from Data Obj ->"PassWord"
|
:004026DA 68ECC94000
push 0040C9EC
:004026DF 52
push edx
:004026E0 FFD7
call edi
:004026E2 8B442418
mov eax, dword ptr [esp+18]
:004026E6
50 push
eax
* Reference To:
ADVAPI32.RegCloseKey, Ord:015Bh
|
:004026E7
FF150C404000 Call dword ptr [0040400C]
:004026ED
8B4E20 mov ecx,
dword ptr [esi+20]
:004026F0 6A01
push 00000001
:004026F2 51
push ecx
*
Reference To: USER32.KillTimer, Ord:0195h
|
:004026F3
FF15DC424000 Call dword ptr [004042DC]
:004026F9
6840100000 push 00001040
*
Possible StringData Ref from Data Obj ->"註冊資訊"
|
:004026FE 6854CB4000
push 0040CB54
*
Possible StringData Ref from Data Obj ->"您成功註冊!"
====>呵呵,勝利女神!
:00402703
6844CB4000 push 0040CB44
:00402708
8BCE mov
ecx, esi
* Reference
To: MFC42.Ordinal:1080, Ord:1080h
|
:0040270A
E8010C0000 Call 00403310
:0040270F
8B15ACCC4000 mov edx, dword ptr [0040CCAC]
:00402715
6A00 push
00000000
:00402717 8D4A64
lea ecx, dword ptr [edx+64]
*
Reference To: MFC42.Ordinal:0A52, Ord:0A52h
|
:0040271A
E8910B0000 Call 004032B0
:0040271F
EB21 jmp
00402742
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:004026A8(C), :004026AD(C),
:004026B2(C)
|
:00402721 8B442418
mov eax, dword ptr [esp+18]
:00402725 50
push eax
*
Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00402726 FF150C404000 Call
dword ptr [0040400C]
:0040272C 6810100000
push 00001010
*
Possible StringData Ref from Data Obj ->"註冊資訊"
|
:00402731 6854CB4000
push 0040CB54
*
Possible StringData Ref from Data Obj ->"註冊失敗!"
====>BAD BOY!
:00402736 6838CB4000
push 0040CB38
:0040273B 8BCE
mov ecx, esi
*
Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:0040273D
E8CE0B0000 Call 00403310
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004025F0(C),
:0040271F(U)
|
:00402742 8BCE
mov ecx, esi
*
Reference To: MFC42.Ordinal:12F5, Ord:12F5h
|
:00402744
E8470A0000 Call 00403190
:00402749
8D4C2414 lea ecx, dword
ptr [esp+14]
:0040274D C644243400
mov [esp+34], 00
*
Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00402752
E8150A0000 Call 0040316C
:00402757
8D4C2410 lea ecx, dword
ptr [esp+10]
:0040275B C7442434FFFFFFFF mov [esp+34],
FFFFFFFF
* Reference
To: MFC42.Ordinal:0320, Ord:0320h
|
:00402763
E8040A0000 Call 0040316C
:00402768
8B4C242C mov ecx, dword
ptr [esp+2C]
:0040276C 5F
pop edi
:0040276D 5E
pop esi
:0040276E 5D
pop ebp
:0040276F
5B pop
ebx
:00402770 64890D00000000 mov dword ptr
fs:[00000000], ecx
:00402777 83C428
add esp, 00000028
:0040277A C3
ret
―――――――――――――――――――――――――――――――――
呵呵,程式在啟動時還有校驗。爆破順手也就看看。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402238(C)
|
:0040221F
33C0 xor
eax, eax
:00402221 8D7C2420
lea edi, dword ptr [esp+20]
:00402225 8A441420
mov al, byte ptr [esp+edx+20]
:00402229 83C9FF
or ecx, FFFFFFFF
:0040222C
03F0 add
esi, eax
:0040222E 33C0
xor eax, eax
:00402230 42
inc edx
:00402231 F2
repnz
:00402232 AE
scasb
:00402233
F7D1 not
ecx
:00402235 49
dec ecx
:00402236 3BD1
cmp edx, ecx
:00402238 72E5
jb 0040221F
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040221D(C)
|
:0040223A
8D4C2454 lea ecx, dword
ptr [esp+54]
:0040223E 51
push ecx
*
Reference To: MSVCRT.atol, Ord:023Eh
|
:0040223F
FF1578424000 Call dword ptr [00404278]
:00402245
83C404 add esp,
00000004
:00402248 3BF0
cmp esi, eax
====>呵呵,再比較一次!
:0040224A
753A jne
00402286
:0040224C 8D7C2420
lea edi, dword ptr [esp+20]
:00402250 83C9FF
or ecx, FFFFFFFF
:00402253 33C0
xor eax, eax
:00402255
F2 repnz
:00402256
AE scasb
:00402257
F7D1 not
ecx
:00402259 49
dec ecx
:0040225A 83F901
cmp ecx, 00000001
====>呵呵,再比較一次!
:0040225D
7627 jbe
00402286
:0040225F 8D7C2454
lea edi, dword ptr [esp+54]
:00402263 83C9FF
or ecx, FFFFFFFF
:00402266 F2
repnz
:00402267
AE scasb
:00402268
F7D1 not
ecx
:0040226A 49
dec ecx
:0040226B 83F901
cmp ecx, 00000001
====>呵呵,再比較一次!
:0040226E
7616 jbe
00402286
:00402270 8B54240C
mov edx, dword ptr [esp+0C]
:00402274 B301
mov bl, 01
====>置1則OK!
:00402276 52 push edx
* Reference To:
ADVAPI32.RegCloseKey, Ord:015Bh
|
:00402277
FF150C404000 Call dword ptr [0040400C]
:0040227D
5F pop
edi
:0040227E 8AC3
mov al, bl
:00402280 5E
pop esi
:00402281 5B
pop ebx
:00402282 83C47C
add esp, 0000007C
:00402285
C3 ret
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040224A(C),
:0040225D(C), :0040226E(C)
|
:00402286 8B54240C
mov edx, dword ptr [esp+0C]
:0040228A 32DB
xor bl, bl
====>清0則OVER!呵呵, 爆破點 ④
:0040228C 52 push edx
* Reference To:
ADVAPI32.RegCloseKey, Ord:015Bh
|
:0040228D
FF150C404000 Call dword ptr [0040400C]
:00402293
5F pop
edi
:00402294 8AC3
mov al, bl
:00402296 5E
pop esi
:00402297 5B
pop ebx
:00402298 83C47C
add esp, 0000007C
:0040229B
C3 ret
―――――――――――――――――――――――――――――――――
【算
法 總 結】:
1、使用者名稱和註冊碼長度要至少1位。
2、使用者名稱字元HEX值累加的之和應等於註冊碼數字的HEX值
簡單求逆:
fly=66
+ 6C + 79=14B
14B(H)=331(D)
呵呵,所以我的註冊碼就是331
―――――――――――――――――――――――――――――――――
【完 美 爆 破】:
1、004026A8
7577 jne
00402721
改為: 9090
NOP掉
2、004026AD
7672 jbe
00402721
改為: 9090
NOP掉
3、004026B2
766D jbe
00402721
改為: 9090
NOP掉
4、0040228A 32DB
xor bl, bl
改為:
B301 mov
bl, 01
―――――――――――――――――――――――――――――――――
【KeyMake之{64th}記憶體序號產生器】:
中斷地址:4026A6
中斷次數:1
第一位元組:3B
指令長度:2
暫存器方式:ECX
十進位制
―――――――――――――――――――――――――――――――――
【註冊資訊儲存】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\HZBH]
"UserName"="fly"
"PassWord"="331"
―――――――――――――――――――――――――――――――――
【整 理】:
使用者名稱:FLY
註冊碼:331
―――――――――――――――――――――――――――――――――
Cracked By 巢水工作坊――fly [OCN][FCG]
2003-4-18 15:30
相關文章
- Excel表格如何按漢字的筆畫排序?Excel表格按漢字的筆畫排序的方法2020-10-24Excel排序
- iOS 獲取漢字【簡體中文】筆畫數2019-01-18iOS
- SQLSERVER中實現返回漢字筆畫數的函式;2007-01-26SQLServer函式
- mssql sqlserver 獲取指定漢字的筆畫數的方法分享2018-08-02SQLServer
- ORACLE中查詢出姓名列中 含有非漢字的字元2018-11-09Oracle字元
- 【NLSSORT】改變Oralce 對簡體漢字的排序規則(拼音、部首、筆畫)2010-02-23排序
- 86、98五筆成字字根漢字2024-06-21
- 【ORDER】改變Oralce對簡體漢字的排序規則(拼音、部首、筆畫)(session級調整)2010-02-25排序Session
- 折半查詢排序樹畫圖和2021-11-28排序
- MYSQL學習筆記25: 多表查詢(子查詢)[標量子查詢,列子查詢]2024-03-10MySql筆記
- 使用多執行緒查詢百萬條使用者資料將漢字轉化成拼音2018-08-27執行緒
- C#漢字轉漢語拼音2021-12-21C#
- MYSQL學習筆記26: 多表查詢|子查詢2024-03-14MySql筆記
- java 漢字轉配音2019-04-15Java
- C:漢字儲存2021-07-20
- 只提取漢字部分2024-04-28
- mysql帶IN關鍵字的查詢2020-12-05MySql
- 數字查詢統計重複2017-03-24
- Spring Data Jpa 的簡單查詢多表查詢HQL,SQL ,動態查詢, QueryDsl ,自定義查詢筆記2018-08-15SpringSQL筆記
- JS 漢字轉換拼音2019-04-29JS
- UNICODE碼轉漢字2016-04-26Unicode
- 漢字處理問題?2004-07-01
- 漢字轉拼音pl/sql2012-01-05SQL
- 阿拉伯-漢字-數字轉換2019-02-16
- PHP 將數字轉換為漢字2024-03-29PHP
- linux根據字尾查詢文字2021-03-18Linux
- 將查詢的關鍵字返紅2007-10-05
- 子查詢學習筆記12013-12-25筆記
- RegHance v1.1破解實錄 (5千字)2001-03-26
- MYSQL學習筆記24: 多表查詢(聯合查詢,Union, Union All)2024-03-10MySql筆記
- 蒙納字型檔:深耕漢字美學與技術,讓漢字走向世界2022-12-12
- oracle sql去掉漢字保留數字或字母2015-05-12OracleSQL
- 漢字通破解手記 (19千字)2000-09-06
- C#漢字拼音檢索2019-05-12C#
- JavaScript 漢字方式輸出星期2019-06-10JavaScript
- C#中漢字轉拼音2018-09-07C#
- js 漢字按照拼音排序效果2017-03-28JS排序
- 去除字串中的漢字function2013-02-20字串Function