拱豬大戰 V2.3XP 演算法破解手記
標 題:拱豬大戰 V2.3XP 演算法破解手記
發信人:李逍遙
時 間:2003/06/30 00:25am
詳細資訊:
拱豬大戰
V2.3XP 演算法破解手記
機器碼:928257269
註冊名:leexoyo (不參與運算)
假碼:98765432109
真碼:41589464321
工具:TRW20001.23註冊版、PE-SCAN3.31、W32Dasm8.93黃金版,PEiD
PEiD偵殼,ASPack 2.12 -> Alexey Solodovnikov的殼,PE-scan脫之,hmemcpy,bd *,pmodule來到下面,在442758改跳轉後提示重啟驗證,
0187:00442684 8D4DFC LEA
ECX,[EBP-04]
0187:00442687 51 PUSH
ECX
0187:00442688 BA163F5700 MOV EDX,00573F16
0187:0044268D 8D45F8 LEA
EAX,[EBP-08]
0187:00442690 E833C90F00 CALL 0053EFC8
0187:00442695 FF471C INC
DWORD [EDI+1C]
0187:00442698 8D55F8 LEA
EDX,[EBP-08]
0187:0044269B 58 POP
EAX
0187:0044269C E84FCB0F00 CALL 0053F1F0
0187:004426A1 50 PUSH
EAX
0187:004426A2 FF4F1C DEC
DWORD [EDI+1C]
0187:004426A5 8D45F8 LEA
EAX,[EBP-08]
0187:004426A8 BA02000000 MOV EDX,02
0187:004426AD E86ECA0F00 CALL 0053F120
0187:004426B2 FF4F1C DEC
DWORD [EDI+1C]
0187:004426B5 8D45FC LEA
EAX,[EBP-04]
0187:004426B8 BA02000000 MOV EDX,02
0187:004426BD E85ECA0F00 CALL 0053F120
0187:004426C2 59 POP
ECX
0187:004426C3 84C9 TEST
CL,CL
0187:004426C5 7427 JZ
004426EE //下r fl z提示請輸入註冊名
0187:004426C7 6A40 PUSH
BYTE +40
0187:004426C9 682D3F5700 PUSH DWORD 00573F2D
0187:004426CE 68173F5700 PUSH DWORD 00573F17
0187:004426D3 8BC3 MOV
EAX,EBX
0187:004426D5 E81E090900 CALL 004D2FF8
0187:004426DA 50 PUSH
EAX
0187:004426DB E8AA4F1200 CALL `USER32!MessageBoxA`
0187:004426E0 8B17 MOV
EDX,[EDI]
0187:004426E2 64891500000000 MOV [FS:00],EDX
0187:004426E9 E9B4020000 JMP 004429A2
0187:004426EE 66C747101400 MOV WORD [EDI+10],14
//★★★
0187:004426F4 33C9 XOR
ECX,ECX
0187:004426F6 894DF4 MOV
[EBP-0C],ECX
0187:004426F9 8D55F4 LEA
EDX,[EBP-0C]
0187:004426FC FF471C INC
DWORD [EDI+1C]
0187:004426FF 8B830C030000 MOV EAX,[EBX+030C]
0187:00442705 E8CAA00800 CALL 004CC7D4
0187:0044270A 8D4DF4 LEA
ECX,[EBP-0C]
0187:0044270D 33D2 XOR
EDX,EDX
0187:0044270F 8B01 MOV
EAX,[ECX]
0187:00442711 50 PUSH
EAX
0187:00442712 8955F0 MOV
[EBP-10],EDX
0187:00442715 FF471C INC
DWORD [EDI+1C]
0187:00442718 8D55F0 LEA
EDX,[EBP-10]
0187:0044271B 8B8314030000 MOV EAX,[EBX+0314]
0187:00442721 E8AEA00800 CALL 004CC7D4
0187:00442726 8D4DF0 LEA
ECX,[EBP-10]
0187:00442729 8B01 MOV
EAX,[ECX] //eax=假碼
0187:0044272B 50 PUSH
EAX
0187:0044272C E83BF3FBFF CALL 00401A6C
//演算法call,迴圈太多,看暈過去了。
0187:00442731 83C408 ADD
ESP,BYTE +08
0187:00442734 BA02000000 MOV EDX,02
0187:00442739 50 PUSH
EAX
0187:0044273A 8D45F0 LEA
EAX,[EBP-10]
0187:0044273D FF4F1C DEC
DWORD [EDI+1C]
0187:00442740 E8DBC90F00 CALL 0053F120
0187:00442745 FF4F1C DEC
DWORD [EDI+1C]
0187:00442748 8D45F4 LEA
EAX,[EBP-0C]
0187:0044274B BA02000000 MOV EDX,02
0187:00442750 E8CBC90F00 CALL 0053F120
0187:00442755 59 POP
ECX
0187:00442756 84C9 TEST
CL,CL //cl為0嗎?
0187:00442758 0F8422020000 JZ NEAR 00442980
//為0則跳,下r fl z使它不跳,提示註冊成功,請重啟驗證。
0187:0044275E B201 MOV
DL,01
0187:00442760 A170805000 MOV EAX,[00508070]
**********************************************************
跟進44272C E83BF3FBFF CALL 00401A6C 這個call:
:00401A6C 55
push ebp
:00401A6D 8BEC
mov ebp, esp
:00401A6F 81C4BCFEFFFF add esp, FFFFFEBC
:00401A75 53
push ebx
:00401A76 56
push esi
:00401A77 57
push edi
:00401A78 8D7DCC lea
edi, dword ptr [ebp-34]
:00401A7B B8FC835600 mov eax,
005683FC
:00401A80 E8C7EA1100 call
0052054C
:00401A85 C7471C02000000 mov [edi+1C], 00000002
:00401A8C 8D550C lea
edx, dword ptr [ebp+0C]
:00401A8F 8D450C lea
eax, dword ptr [ebp+0C]
:00401A92 E869D51300 call
0053F000
:00401A97 FF471C inc
[edi+1C]
:00401A9A 8D5508 lea
edx, dword ptr [ebp+08]
:00401A9D 66C747100800 mov [edi+10],
0008
:00401AA3 8D4508 lea
eax, dword ptr [ebp+08]
:00401AA6 E855D51300 call
0053F000
:00401AAB FF471C inc
[edi+1C]
:00401AAE 57
push edi
:00401AAF 8DBDBCFEFFFF lea edi, dword
ptr [ebp+FFFFFEBC]
:00401AB5 BE44815600 mov esi,
00568144
:00401ABA B90C000000 mov ecx,
0000000C
:00401ABF F3
repz
:00401AC0 A5
movsd
:00401AC1 837D0800 cmp
dword ptr [ebp+08], 00000000
:00401AC5 5F
pop edi
:00401AC6 7408
je 00401AD0
:00401AC8 8B4508 mov
eax, dword ptr [ebp+08] //eax=假碼
:00401ACB 8B50FC mov
edx, dword ptr [eax-04] //edx=假碼的位數
:00401ACE EB02
jmp 00401AD2 //Go!!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AC6(C)
|
:00401AD0 33D2
xor edx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401ACE(U)
|
:00401AD2 83FA0B cmp
edx, 0000000B //註冊碼是11位嗎?
:00401AD5 7432
je 00401B09 //不是?over,是則跳
:00401AD7 33C0
xor eax, eax
:00401AD9 BA02000000 mov edx,
00000002
:00401ADE 50
push eax
:00401ADF 8D4508 lea
eax, dword ptr [ebp+08]
:00401AE2 FF4F1C dec
[edi+1C]
:00401AE5 E836D61300 call
0053F120
:00401AEA FF4F1C dec
[edi+1C]
:00401AED 8D450C lea
eax, dword ptr [ebp+0C]
:00401AF0 BA02000000 mov edx,
00000002
:00401AF5 E826D61300 call
0053F120
:00401AFA 58
pop eax
:00401AFB 8B17
mov edx, dword ptr [edi]
:00401AFD 64891500000000 mov dword ptr fs:[00000000],
edx
:00401B04 E9B0020000 jmp 00401DB9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AD5(C)
|
:00401B09 BE01000000 mov esi,
00000001 //esi置1
:00401B0E 8D8548FFFFFF lea eax, dword
ptr [ebp+FFFFFF48]
:00401B14 8945C8 mov
dword ptr [ebp-38], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401BDF(C)
|
:00401B17 66C747101400 mov [edi+10],
0014
:00401B1D 33D2
xor edx, edx
:00401B1F 8D4DFC lea
ecx, dword ptr [ebp-04]
:00401B22 8955FC mov
dword ptr [ebp-04], edx
:00401B25 51
push ecx
:00401B26 FF471C inc
[edi+1C]
:00401B29 B901000000 mov ecx,
00000001
:00401B2E 8BD6
mov edx, esi
:00401B30 8D4508 lea
eax, dword ptr [ebp+08]
:00401B33 E860D71300 call
0053F298
:00401B38 837DFC00 cmp
dword ptr [ebp-04], 00000000
:00401B3C 7405
je 00401B43
:00401B3E 8B45FC mov
eax, dword ptr [ebp-04]
:00401B41 EB05
jmp 00401B48
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B3C(C)
|
:00401B43 B878815600 mov eax,
00568178
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B41(U)
|
:00401B48 8A18
mov bl, byte ptr [eax]
:00401B4A FF4F1C dec
[edi+1C]
:00401B4D 8D45FC lea
eax, dword ptr [ebp-04]
:00401B50 BA02000000 mov edx,
00000002
:00401B55 E8C6D51300 call
0053F120
:00401B5A 0FBEC3 movsx
eax, bl //依次取輸入假碼的hex值送eax
:00401B5D 83F830 cmp
eax, 00000030
:00401B60 7C05
jl 00401B67
:00401B62 83F839 cmp
eax, 00000039
:00401B65 7E32
jle 00401B99 //上面兩個比較是看輸入的註冊碼是否是數字,是則繼續,有一個不是則over
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B60(C)
|
:00401B67 33C0
xor eax, eax
:00401B69 BA02000000 mov edx,
00000002
:00401B6E 50
push eax
:00401B6F 8D4508 lea
eax, dword ptr [ebp+08]
:00401B72 FF4F1C dec
[edi+1C]
:00401B75 E8A6D51300 call
0053F120
:00401B7A FF4F1C dec
[edi+1C]
:00401B7D 8D450C lea
eax, dword ptr [ebp+0C]
:00401B80 BA02000000 mov edx,
00000002
:00401B85 E896D51300 call
0053F120
:00401B8A 58
pop eax
:00401B8B 8B17
mov edx, dword ptr [edi]
:00401B8D 64891500000000 mov dword ptr fs:[00000000],
edx
:00401B94 E920020000 jmp 00401DB9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B65(C)
|
:00401B99 66C747102000 mov [edi+10],
0020
:00401B9F 33C9
xor ecx, ecx
:00401BA1 8D45F8 lea
eax, dword ptr [ebp-08]
:00401BA4 894DF8 mov
dword ptr [ebp-08], ecx
:00401BA7 50
push eax
:00401BA8 FF471C inc
[edi+1C]
:00401BAB 8D4508 lea
eax, dword ptr [ebp+08]
:00401BAE B901000000 mov ecx,
00000001
:00401BB3 8BD6
mov edx, esi
:00401BB5 E8DED61300 call
0053F298
:00401BBA 8D45F8 lea
eax, dword ptr [ebp-08]
:00401BBD E8BAD71300 call
0053F37C
:00401BC2 8B55C8 mov
edx, dword ptr [ebp-38]
:00401BC5 8902
mov dword ptr [edx], eax
:00401BC7 FF4F1C dec
[edi+1C]
:00401BCA 8D45F8 lea
eax, dword ptr [ebp-08]
:00401BCD BA02000000 mov edx,
00000002
:00401BD2 E849D51300 call
0053F120
:00401BD7 46
inc esi
:00401BD8 8345C804 add
dword ptr [ebp-38], 00000004
:00401BDC 83FE0B cmp
esi, 0000000B
:00401BDF 0F8E32FFFFFF jle 00401B17
:00401BE5 BE01000000 mov esi,
00000001
:00401BEA 8D85F0FEFFFF lea eax, dword
ptr [ebp+FFFFFEF0]
:00401BF0 8945C4 mov
dword ptr [ebp-3C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CBB(C)
|
:00401BF3 66C747102C00 mov [edi+10],
002C
:00401BF9 33D2
xor edx, edx
:00401BFB 8D4DF4 lea
ecx, dword ptr [ebp-0C]
:00401BFE 8955F4 mov
dword ptr [ebp-0C], edx
:00401C01 51
push ecx
:00401C02 FF471C inc
[edi+1C]
:00401C05 B901000000 mov ecx,
00000001
:00401C0A 8BD6
mov edx, esi
:00401C0C 8D450C lea
eax, dword ptr [ebp+0C]
:00401C0F E884D61300 call
0053F298
:00401C14 837DF400 cmp
dword ptr [ebp-0C], 00000000
:00401C18 7405
je 00401C1F
:00401C1A 8B45F4 mov
eax, dword ptr [ebp-0C]
:00401C1D EB05
jmp 00401C24
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C18(C)
|
:00401C1F B879815600 mov eax,
00568179
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C1D(U)
|
:00401C24 8A18
mov bl, byte ptr [eax]
:00401C26 FF4F1C dec
[edi+1C]
:00401C29 8D45F4 lea
eax, dword ptr [ebp-0C]
:00401C2C BA02000000 mov edx,
00000002
:00401C31 E8EAD41300 call
0053F120
:00401C36 0FBEC3 movsx
eax, bl
:00401C39 83F830 cmp
eax, 00000030
:00401C3C 7C05
jl 00401C43
:00401C3E 83F839 cmp
eax, 00000039
:00401C41 7E32
jle 00401C75
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C3C(C)
|
:00401C43 33C0
xor eax, eax
:00401C45 BA02000000 mov edx,
00000002
:00401C4A 50
push eax
:00401C4B 8D4508 lea
eax, dword ptr [ebp+08]
:00401C4E FF4F1C dec
[edi+1C]
:00401C51 E8CAD41300 call
0053F120
:00401C56 FF4F1C dec
[edi+1C]
:00401C59 8D450C lea
eax, dword ptr [ebp+0C]
:00401C5C BA02000000 mov edx,
00000002
:00401C61 E8BAD41300 call
0053F120
:00401C66 58
pop eax
:00401C67 8B17
mov edx, dword ptr [edi]
:00401C69 64891500000000 mov dword ptr fs:[00000000],
edx
:00401C70 E944010000 jmp 00401DB9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C41(C)
|
:00401C75 66C747103800 mov [edi+10],
0038
:00401C7B 33C9
xor ecx, ecx
:00401C7D 8D45F0 lea
eax, dword ptr [ebp-10]
:00401C80 894DF0 mov
dword ptr [ebp-10], ecx
:00401C83 50
push eax
:00401C84 FF471C inc
[edi+1C]
:00401C87 8D450C lea
eax, dword ptr [ebp+0C]
:00401C8A B901000000 mov ecx,
00000001
:00401C8F 8BD6
mov edx, esi
:00401C91 E802D61300 call
0053F298
:00401C96 8D45F0 lea
eax, dword ptr [ebp-10]
:00401C99 E8DED61300 call
0053F37C
:00401C9E 8B55C4 mov
edx, dword ptr [ebp-3C]
:00401CA1 8902
mov dword ptr [edx], eax
:00401CA3 FF4F1C dec
[edi+1C]
:00401CA6 8D45F0 lea
eax, dword ptr [ebp-10]
:00401CA9 BA02000000 mov edx,
00000002
:00401CAE E86DD41300 call
0053F120
:00401CB3 46
inc esi
:00401CB4 8345C404 add
dword ptr [ebp-3C], 00000004
:00401CB8 83FE09 cmp
esi, 00000009
:00401CBB 0F8E32FFFFFF jle 00401BF3
:00401CC1 33F6
xor esi, esi
:00401CC3 8D95BCFEFFFF lea edx, dword
ptr [ebp+FFFFFEBC]
:00401CC9 8D8548FFFFFF lea eax, dword
ptr [ebp+FFFFFF48]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CE4(C)
|
:00401CCF 8B1A
mov ebx, dword ptr [edx]
:00401CD1 8B08
mov ecx, dword ptr [eax]
:00401CD3 83C004 add
eax, 00000004
:00401CD6 83C204 add
edx, 00000004
:00401CD9 46
inc esi
:00401CDA 898C9D14FFFFFF mov dword ptr [ebp+4*ebx-000000EC],
ecx
:00401CE1 83FE0A cmp
esi, 0000000A
:00401CE4 7EE9
jle 00401CCF
:00401CE6 BE01000000 mov esi,
00000001
:00401CEB 8D55A0 lea
edx, dword ptr [ebp-60]
:00401CEE 8D8518FFFFFF lea eax, dword
ptr [ebp+FFFFFF18]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D02(C)
|
//上面都是一些迴圈,不知道什麼用,沒看明白。
:00401CF4 8B08
mov ecx, dword ptr [eax] //ECX= (假碼:98765432109)
1、取假碼第7位(3)
2、取假碼第6位(4)
3、取假碼第8位(2)
4、取假碼第1位(9)
5、取假碼第9位(1)
6、取假碼第3位(7)
7、取假碼第10位(0)
8、取假碼第4位(6)
9、取假碼第5位(5)
沒有假碼第2位和第11位,大概是任意數字吧,往下看。
:00401CF6 890A
mov dword ptr [edx], ecx //ecx=342917065
:00401CF8 46
inc esi
:00401CF9 83C204 add
edx, 00000004
:00401CFC 83C004 add
eax, 00000004
:00401CFF 83FE09 cmp
esi, 00000009
:00401D02 7EF0
jle 00401CF4
:00401D04 BB04000000 mov ebx,
00000004
:00401D09 BE01000000 mov esi,
00000001
:00401D0E 3BDE
cmp ebx, esi
:00401D10 7C2B
jl 00401D3D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D3B(C)
|
:00401D12 8D8574FFFFFF lea eax, dword
ptr [ebp+FFFFFF74]
:00401D18 50
push eax
:00401D19 8D559C lea
edx, dword ptr [ebp-64]
:00401D1C 52
push edx
:00401D1D E8FAFCFFFF call
00401A1C
:00401D22 83C408 add
esp, 00000008
:00401D25 8D4D9C lea
ecx, dword ptr [ebp-64]
:00401D28 51
push ecx
:00401D29 8D8574FFFFFF lea eax, dword
ptr [ebp+FFFFFF74]
:00401D2F 50
push eax
:00401D30 E8E7FCFFFF call
00401A1C
:00401D35 83C408 add
esp, 00000008
:00401D38 46
inc esi
:00401D39 3BDE
cmp ebx, esi //ebx=4
:00401D3B 7DD5
jge 00401D12 //這裡迴圈了4次,有兩個相同的CALL,所以342917065(假碼的第一次變形)被變形了8次,具體跟進00401A1C這個call
看看 -:)
將342917065變形後為:586638915
將586638915變形後為:508885365
將508885365變形後為:055353215
將055353215變形後為:550587665
將550587665變形後為:141962515
將141962515變形後為:295633965
將295633965變形後為:027885815
將027885815變形後為:284353265
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D10(C)
|
:00401D3D BE01000000 mov esi,
00000001
:00401D42 8D95F0FEFFFF lea edx, dword
ptr [ebp+FFFFFEF0]
:00401D48 8D45A0 lea
eax, dword ptr [ebp-60]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D8A(C)
|
:00401D4B 8B08
mov ecx, dword ptr [eax] //依次取最終變形後的值284353265
:00401D4D 3B0A
cmp ecx, dword ptr [edx] //和機器碼928257269依次比較
:00401D4F 742F
je 00401D80 //有一個不等則over,所以這裡必須跳
:00401D51 33C0
xor eax, eax
:00401D53 BA02000000 mov edx,
00000002
:00401D58 50
push eax
:00401D59 8D4508 lea
eax, dword ptr [ebp+08]
:00401D5C FF4F1C dec
[edi+1C]
:00401D5F E8BCD31300 call
0053F120
:00401D64 FF4F1C dec
[edi+1C]
:00401D67 8D450C lea
eax, dword ptr [ebp+0C]
:00401D6A BA02000000 mov edx,
00000002
:00401D6F E8ACD31300 call
0053F120
:00401D74 58
pop eax
:00401D75 8B17
mov edx, dword ptr [edi]
:00401D77 64891500000000 mov dword ptr fs:[00000000],
edx
:00401D7E EB39
jmp 00401DB9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D4F(C)
|
:00401D80 46
inc esi //計數器esi加1
:00401D81 83C204 add
edx, 00000004
:00401D84 83C004 add
eax, 00000004
:00401D87 83FE09 cmp
esi, 00000009 //比較9次
:00401D8A 7EBF
jle 00401D4B
:00401D8C B001
mov al, 01 //全部正確,則al置1
:00401D8E BA02000000 mov edx,
00000002
:00401D93 50
push eax
:00401D94 8D4508 lea
eax, dword ptr [ebp+08]
:00401D97 FF4F1C dec
[edi+1C]
:00401D9A E881D31300 call
0053F120
:00401D9F FF4F1C dec
[edi+1C]
:00401DA2 8D450C lea
eax, dword ptr [ebp+0C]
:00401DA5 BA02000000 mov edx,
00000002
:00401DAA E871D31300 call
0053F120
:00401DAF 58
pop eax
:00401DB0 8B17
mov edx, dword ptr [edi]
:00401DB2 64891500000000 mov dword ptr fs:[00000000],
edx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401B04(U), :00401B94(U), :00401C70(U), :00401D7E(U)
|
:00401DB9 5F
pop edi
:00401DBA 5E
pop esi
:00401DBB 5B
pop ebx
:00401DBC 8BE5
mov esp, ebp
:00401DBE 5D
pop ebp
:00401DBF C3
ret
**************************************************************
跟進401D1D E8FAFCFFFF call 00401A1C這個call,以假碼第一次變形後的值342917065為例:
:00401A1C 55
push ebp
:00401A1D 8BEC
mov ebp, esp
:00401A1F 53
push ebx
:00401A20 8B450C mov
eax, dword ptr [ebp+0C]
:00401A23 8B5508 mov
edx, dword ptr [ebp+08]
:00401A26 8B4A24 mov
ecx, dword ptr [edx+24]
:00401A29 894824 mov
dword ptr [eax+24], ecx
:00401A2C 8B4A20 mov
ecx, dword ptr [edx+20]
:00401A2F 3B4A24 cmp
ecx, dword ptr [edx+24] //第8位與第9位相比
:00401A32 7D04
jge 00401A38 //大於等於則跳
:00401A34 8342200A add
dword ptr [edx+20], 0000000A //如果小於,這裡第8位就加上A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401A32(C)
|
:00401A38 8B4A20 mov
ecx, dword ptr [edx+20] //ecx=第8位的值“6”
:00401A3B 2B4A24 sub
ecx, dword ptr [edx+24] //如果第8位與第9位相等,則ECX=0;如果不等,則ECX=第8位-第9位=1
:00401A3E 894820 mov
dword ptr [eax+20], ecx //將ECX的值送入[eax+20]
:00401A41 B907000000 mov ecx,
00000007 //ECX為計數器,初始值為7
:00401A46 83C020 add
eax, 00000020
:00401A49 83C21C add
edx, 0000001C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401A66(C)
|
:00401A4C 8B1A
mov ebx, dword ptr [edx] //ebx=
1、第7位:0
2、第6位:7
3、第5位:1
4、第4位:9
5、第3位:2
6、第2位:4
7、第1位:3
:00401A4E 3B18
cmp ebx, dword ptr [eax] //[eax]=
1、上次第8位-第9位的值:1
2、下面計算的ebx的結果:9
3、下面計算的ebx的結果:8
4、下面計算的ebx的結果:3
5、下面計算的ebx的結果:6
6、下面計算的ebx的結果:6
7、下面計算的ebx的結果:8
:00401A50 7D03
jge 00401A55 //大於等於則跳
:00401A52 83020A add
dword ptr [edx], 0000000A //否則ebx加A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401A50(C)
|
:00401A55 8B1A
mov ebx, dword ptr [edx] //ecx=
1、第7位的值0+A
2、第6位的值7+A
3、第5位的值1+A
4、第4位的值9
5、第3位的值2+A
6、第2位的值4+A
7、第1位的值3+A
:00401A57 2B18
sub ebx, dword ptr [eax] //ebx=
1、A-1=9
2、11-9=8
3、B-8=3
4、9-3=6
5、C-6=6
6、E-6=8
7、D-8=5
:00401A59 8958FC mov
dword ptr [eax-04], ebx
:00401A5C 49
dec ecx //計數器ecx減1
:00401A5D 83C0FC add
eax, FFFFFFFC
:00401A60 83C2FC add
edx, FFFFFFFC
:00401A63 83F901 cmp
ecx, 00000001
:00401A66 7DE4
jge 00401A4C //ecx大於等於1結束迴圈,否則跳上去繼續
:00401A68 5B
pop ebx
:00401A69 5D
pop ebp
:00401A6A C3
ret
//此迴圈功能將得到的9位數字,從尾部開始依次取值,例如取到第N位值,減去新值的第N+1的值(如果N是最後一位,則是減0,就是說最後一位始終不變,如果不夠減,則第N位值就加上10再去減),得到的數就是新值的第N位值。
//這裡342917065經過這段處理後,得到586638915
****************************************************
演算法總結:
㈠將註冊碼98765432109,按(7->1、6->2、8->3、1->4、9->5、3->6、10->7、4->8、5->9)這樣的規律得到342917065
㈡將342917065經過8次的處理後的值284353265與機器碼928257269比較
㈢反推:新值第N位=舊第N位值+舊第N+1位值(如果有進位,就只取個位數,最後一位保持不變),機器碼經過8次反推,再按步驟1規律反歸位,在得到的數字的第2位和最後一位插上任意數字就得到了正確的註冊碼。
㈣我的機器碼是:928257269 ,反推:
1推---100729859
2推---107917349
3推---176080739
4推---836887029
5推---194657219
6推---030129309
7推---331312399
8推---644435289
再按照步驟㈠復位,得到我的註冊碼:4*58946432*(*為任意數字)
***************************************************
正確註冊後,註冊資訊保留在以下鍵值,刪除即為未註冊版。
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Hearts\Register]
"user"="leexoyo"
"pass"="41589464321"
李逍遙[cschina]
2003.06.30