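Cracking Notes: Windows優化大師 (Windows Optimization Master)
Software name: Windows優化大師
Version: 4.20
Author: 時空幻影
Date: November 25, 2001
Tools used: TRW2000 V1.22 (registered version), CASPR (unpacking tool), PW32DSM Platinum Edition (Chinese-localized)
First use CASPR to unpack WINDOWS優化大師.EXE and OCTODLL.DLL, then start TRW2000 and launch Windows優化大師. Click "軟體註冊" (Software Registration), enter your own name in the registrant-name field, press Enter and click "取消" (Cancel); the registration request code is then displayed. In each of the two registration-code fields, enter an arbitrary decimal number 8 digits long. Press CTRL+N to activate TRW2000, set the "universal breakpoint" BPX HMEMCPY, press Enter, then press F5 to return to Windows. Clicking "註冊認證" (Verify Registration) is intercepted; enter the commands BD * and PMODULE, press Enter, then press F10 past a few RETs until you arrive at the location shown below: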
* Possible StringData Ref from Code Obj ->"
TSearchRecX"
|
:004D12C2 8B156C7E4000 mov edx, dword ptr [00407E6C]
:004D12C8 E87732F3FF call 00404544
:004D12CD 33C0 xor eax, eax
:004D12CF 55 push ebp
:004D12D0 682C164D00 push 004D162C
:004D12D5 64FF30 push dword ptr fs:[eax]
:004D12D8 648920 mov dword ptr fs:[eax], esp
:004D12DB 8D95A0FDFFFF lea edx, dword ptr [ebp+FFFFFDA0]
:004D12E1 8B861C030000 mov eax, dword ptr [esi+0000031C]
:004D12E7 E8E805F6FF call 004318D4
:004D12EC 83BDA0FDFFFF00 cmp dword ptr [ebp+FFFFFDA0], 00000000 <--execution stops here
:004D12F3 751D jne 004D1312
:004D12F5 6A10 push 00000010
* Possible StringData Ref from Code Obj ->"Windows優化大師"
|
:004D12F7 B93C164D00 mov ecx, 004D163C
* Possible StringData Ref from Code Obj ->"錯誤!沒有輸入註冊者姓名。" <--tells you that no registrant name was entered
|
:004D12FC BA4C164D00 mov edx, 004D164C
:004D1301 A174C25600 mov eax, dword ptr [0056C274]
:004D1306 8B00 mov eax, dword ptr [eax]
:004D1308 E89BEBF7FF call 0044FEA8
:004D130D E9E3020000 jmp 004D15F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D12F3(C)
|
:004D1312 8D959CFDFFFF lea edx, dword ptr [ebp+FFFFFD9C]
:004D1318 8B86E4020000 mov eax, dword ptr [esi+000002E4]
:004D131E E8B105F6FF call 004318D4
:004D1323 83BD9CFDFFFF00 cmp dword ptr [ebp+FFFFFD9C], 00000000
:004D132A 741A je 004D1346
:004D132C 8D9598FDFFFF lea edx, dword ptr [ebp+FFFFFD98]
:004D1332 8B86E8020000 mov eax, dword ptr [esi+000002E8]
:004D1338 E89705F6FF call 004318D4
:004D133D 83BD98FDFFFF00 cmp dword ptr [ebp+FFFFFD98], 00000000
:004D1344 751D jne 004D1363
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D132A(C)
|
:004D1346 6A10 push 00000010
* Possible StringData Ref from Code Obj ->"Windows優化大師"
|
:004D1348 B93C164D00 mov ecx, 004D163C
* Possible StringData Ref from Code Obj ->"錯誤!沒有輸入註冊認證碼。" <--tells you that no registration code was entered
|
:004D134D BA68164D00 mov edx, 004D1668
:004D1352 A174C25600 mov eax, dword ptr [0056C274]
:004D1357 8B00 mov eax, dword ptr [eax]
:004D1359 E84AEBF7FF call 0044FEA8
:004D135E E992020000 jmp 004D15F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1344(C)
|
:004D1363 8D8DA4FEFFFF lea ecx, dword ptr [ebp+FFFFFEA4]
:004D1369 BA3F000000 mov edx, 0000003F
* Possible StringData Ref from Code Obj ->"*.*" <--searches all files in the current directory
|
:004D136E B88C164D00 mov eax, 004D168C
:004D1373 E8B87EF3FF call 00409230
:004D1378 81BDA8FEFFFF00680200 cmp dword ptr [ebp+FFFFFEA8], 00026800
:004D1382 0F846D020000 je 004D15F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D13A9(C)
|
:004D1388 8D85A4FEFFFF lea eax, dword ptr [ebp+FFFFFEA4]
:004D138E E8ED7EF3FF call 00409280
:004D1393 85C0 test eax, eax
:004D1395 7510 jne 004D13A7
:004D1397 81BDA8FEFFFF00680200 cmp dword ptr [ebp+FFFFFEA8], 00026800
:004D13A1 0F844E020000 je 004D15F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1395(C)
|
:004D13A7 85C0 test eax, eax
:004D13A9 74DD je 004D1388
:004D13AB 8D85A4FEFFFF lea eax, dword ptr [ebp+FFFFFEA4]
:004D13B1 E8EE7EF3FF call 004092A4
:004D13B6 6A00 push 00000000
:004D13B8 8BC6 mov eax, esi
:004D13BA E87566F6FF call 00437A34
:004D13BF 50 push eax
* Reference To: user32.GetWindow, Ord:0000h
|
:004D13C0 E81762F3FF Call 004075DC
:004D13C5 8BD8 mov ebx, eax
:004D13C7 85DB test ebx, ebx
:004D13C9 0F848A000000 je 004D1459
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1453(C)
|
:004D13CF 68FF000000 push 000000FF
:004D13D4 8D85A5FDFFFF lea eax, dword ptr [ebp+FFFFFDA5]
:004D13DA 50 push eax
:004D13DB 53 push ebx
* Reference To: user32.GetWindowTextA, Ord:0000h <--calls the Win32 API function GetWindowTextA to get the title-bar string
|
:004D13DC E82362F3FF Call 00407604
:004D13E1 85C0 test eax, eax
:004D13E3 7E62 jle 004D1447
:004D13E5 8D55FC lea edx, dword ptr [ebp-04]
:004D13E8 8D85A5FDFFFF lea eax, dword ptr [ebp+FFFFFDA5]
:004D13EE E8B584F3FF call 004098A8
:004D13F3 8B55FC mov edx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"序號產生器"
|
:004D13F6 B898164D00 mov eax, 004D1698
:004D13FB E8242EF3FF call 00404224 <--checks whether the string contains "序號產生器"
:004D1400 85C0 test eax, eax
:004D1402 0F85ED010000 jne 004D15F5 <--should not jump
:004D1408 8B55FC mov edx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"wom"
|
:004D140B B8A8164D00 mov eax, 004D16A8
:004D1410 E80F2EF3FF call 00404224 <--checks whether the string contains "wom"
:004D1415 85C0 test eax, eax
:004D1417 0F85D8010000 jne 004D15F5 <--should not jump
:004D141D 8B55FC mov edx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"cr-wom"
|
:004D1420 B8B4164D00 mov eax, 004D16B4
:004D1425 E8FA2DF3FF call 00404224 <--checks whether the string contains "cr-wom"
:004D142A 85C0 test eax, eax
:004D142C 0F85C3010000 jne 004D15F5 <--should not jump
:004D1432 8B55FC mov edx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Windowsyhds"
|
:004D1435 B8C4164D00 mov eax, 004D16C4
:004D143A E8E52DF3FF call 00404224 <--checks whether the string contains "Windowsyhds"
:004D143F 85C0 test eax, eax
:004D1441 0F85AE010000 jne 004D15F5 <--should not jump
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D13E3(C)
|
:004D1447 6A02 push 00000002
:004D1449 53 push ebx
* Reference To: user32.GetWindow, Ord:0000h
|
:004D144A E88D61F3FF Call 004075DC
:004D144F 8BD8 mov ebx, eax
:004D1451 85DB test ebx, ebx
:004D1453 0F8576FFFFFF jne 004D13CF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D13C9(C)
|
:004D1459 B811270000 mov eax, 00002711
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D145F(C)
|
:004D145E 48 dec eax
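:004D145F 75FD jne 004D145E <--probably added deliberately by the software's author to raise the difficulty, though it is hardly impressive!
:004D1461 8D9594FDFFFF lea edx, dword ptr [ebp+FFFFFD94] <--in fact, just move the cursor bar to this line and press F7!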
:004D1467 8B86E4020000 mov eax, dword ptr [esi+000002E4]
:004D146D E86204F6FF call 004318D4
:004D1472 8B8594FDFFFF mov eax, dword ptr [ebp+FFFFFD94]
:004D1478 E81BFDFFFF call 004D1198 <--converts the entered Regcode1 into a 32-bit hexadecimal number and puts it in EAX
:004D147D 99 cdq
:004D147E 52 push edx
:004D147F 50 push eax
:004D1480 8D9590FDFFFF lea edx, dword ptr [ebp+FFFFFD90]
:004D1486 8B86E8020000 mov eax, dword ptr [esi+000002E8]
:004D148C E84304F6FF call 004318D4
:004D1491 8B8590FDFFFF mov eax, dword ptr [ebp+FFFFFD90]
:004D1497 E8FCFCFFFF call 004D1198 <--converts the entered Regcode2 into a 32-bit hexadecimal number and puts it in EAX
:004D149C 99 cdq
:004D149D 52 push edx
:004D149E 50 push eax
:004D149F 8D958CFDFFFF lea edx, dword ptr [ebp+FFFFFD8C]
:004D14A5 8B86E0020000 mov eax, dword ptr [esi+000002E0]
:004D14AB E82404F6FF call 004318D4
:004D14B0 8B858CFDFFFF mov eax, dword ptr [ebp+FFFFFD8C] <--EAX holds the start address of the registration request code
:004D14B6 E8412CF3FF call 004040FC
* Reference To: Octodll.Registed, Ord:0000h
|
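:004D14BB E8D0FCFFFF Call 004D1190 <--core CALL; press F8 to step into Octodll.dll
:004D14C0 83F814 cmp eax, 00000014 <--compares whether the low 16 bits of the second part's computed result equal 14
:004D14C3 7417 je 004D14DC <--jumps if so; to brute-force patch it, just change this je to jmp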
:004D14C5 B811270000 mov eax, 00002711
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D14CB(C)
|
:004D14CA 48 dec eax
:004D14CB 75FD jne 004D14CA
:004D14CD A114E05600 mov eax, dword ptr [0056E014]
:004D14D2 E88DB5F7FF call 0044CA64
:004D14D7 E919010000 jmp 004D15F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D14C3(C)
|
:004D14DC B201 mov dl, 01
:004D14DE A1787F4500 mov eax, dword ptr [00457F78]
:004D14E3 E8906BF8FF call 00458078
:004D14E8 8BD8 mov ebx, eax
:004D14EA BA02000080 mov edx, 80000002
:004D14EF 8BC3 mov eax, ebx
:004D14F1 E8226CF8FF call 00458118
:004D14F6 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Wom"
|
:004D14F8 BAD8164D00 mov edx, 004D16D8
:004D14FD 8BC3 mov eax, ebx
:004D14FF E8586DF8FF call 0045825C
:004D1504 8D9588FDFFFF lea edx, dword ptr [ebp+FFFFFD88]
:004D150A 8B861C030000 mov eax, dword ptr [esi+0000031C]
:004D1510 E8BF03F6FF call 004318D4
:004D1515 8B8D88FDFFFF mov ecx, dword ptr [ebp+FFFFFD88]
* Possible StringData Ref from Code Obj ->"Register"
|
:004D151B BAF0164D00 mov edx, 004D16F0
:004D1520 8BC3 mov eax, ebx
:004D1522 E88572F8FF call 004587AC
:004D1527 8D9584FDFFFF lea edx, dword ptr [ebp+FFFFFD84]
:004D152D 8B86E4020000 mov eax, dword ptr [esi+000002E4]
:004D1533 E89C03F6FF call 004318D4
:004D1538 8B8D84FDFFFF mov ecx, dword ptr [ebp+FFFFFD84]
* Possible StringData Ref from Code Obj ->"Register_1"
|
:004D153E BA04174D00 mov edx, 004D1704
:004D1543 8BC3 mov eax, ebx
:004D1545 E86272F8FF call 004587AC
:004D154A 8D9580FDFFFF lea edx, dword ptr [ebp+FFFFFD80]
:004D1550 8B86E8020000 mov eax, dword ptr [esi+000002E8]
:004D1556 E87903F6FF call 004318D4
:004D155B 8B8D80FDFFFF mov ecx, dword ptr [ebp+FFFFFD80]
* Possible StringData Ref from Code Obj ->"Register_2"
|
:004D1561 BA18174D00 mov edx, 004D1718
:004D1566 8BC3 mov eax, ebx
:004D1568 E83F72F8FF call 004587AC
:004D156D 8BC3 mov eax, ebx
:004D156F E8746BF8FF call 004580E8
:004D1574 8BC3 mov eax, ebx
:004D1576 E8F119F3FF call 00402F6C
:004D157B A138C45600 mov eax, dword ptr [0056C438]
:004D1580 8B00 mov eax, dword ptr [eax]
:004D1582 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (已註冊)"
|
:004D1588 BA2C174D00 mov edx, 004D172C
:004D158D E87203F6FF call 00431904
:004D1592 A138C45600 mov eax, dword ptr [0056C438]
:004D1597 8B00 mov eax, dword ptr [eax]
:004D1599 8B806C030000 mov eax, dword ptr [eax+0000036C]
* Possible StringData Ref from Code Obj ->"網上升級"
|
:004D159F BA54174D00 mov edx, 004D1754
:004D15A4 E85B03F6FF call 00431904
:004D15A9 B201 mov dl, 01
:004D15AB A1787F4500 mov eax, dword ptr [00457F78]
:004D15B0 E8C36AF8FF call 00458078
:004D15B5 8BD8 mov ebx, eax
:004D15B7 BA02000080 mov edx, 80000002
:004D15BC 8BC3 mov eax, ebx
:004D15BE E8556BF8FF call 00458118
:004D15C3 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Wom"
|
:004D15C5 BAD8164D00 mov edx, 004D16D8
:004D15CA 8BC3 mov eax, ebx
:004D15CC E88B6CF8FF call 0045825C
* Possible StringData Ref from Code Obj ->"Masters"
|
:004D15D1 BA68174D00 mov edx, 004D1768
:004D15D6 8BC3 mov eax, ebx
:004D15D8 E81B6FF8FF call 004584F8
:004D15DD 8BC3 mov eax, ebx
:004D15DF E8046BF8FF call 004580E8
:004D15E4 8BC3 mov eax, ebx
:004D15E6 E88119F3FF call 00402F6C
:004D15EB A114E05600 mov eax, dword ptr [0056E014]
:004D15F0 E86FB4F7FF call 0044CA64
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D130D(U), :004D135E(U), :004D1382(C), :004D13A1(C), :004D1402(C)
|:004D1417(C), :004D142C(C), :004D1441(C), :004D14D7(U)
|
:004D15F5 33C0 xor eax, eax
:004D15F7 5A pop edx
:004D15F8 59 pop ecx
:004D15F9 59 pop ecx
:004D15FA 648910 mov dword ptr fs:[eax], edx
:004D15FD 6833164D00 push 004D1633
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1631(U)
|
:004D1602 8D8580FDFFFF lea eax, dword ptr [ebp+FFFFFD80]
:004D1608 BA09000000 mov edx, 00000009
:004D160D E8CA26F3FF call 00403CDC
:004D1612 8D85A4FEFFFF lea eax, dword ptr [ebp+FFFFFEA4]
* Possible StringData Ref from Code Obj ->"
TSearchRecX"
|
:004D1618 8B156C7E4000 mov edx, dword ptr [00407E6C]
:004D161E E8ED2FF3FF call 00404610
:004D1623 8D45FC lea eax, dword ptr [ebp-04]
:004D1626 E88D26F3FF call 00403CB8
:004D162B C3 ret
//--------------------------------------------------------------------------------------------------
Pressing F8 at the core CALL above steps into the following code (note: because this code is in the DLL, the addresses differ from the addresses in memory):
:004043AC 55 push ebp
:004043AD 68FE434000 push 004043FE
:004043B2 64FF30 push dword ptr fs:[eax]
:004043B5 648920 mov dword ptr fs:[eax], esp
:004043B8 8B4510 mov eax, dword ptr [ebp+10]
:004043BB 8945F8 mov dword ptr [ebp-08], eax
:004043BE 8B4508 mov eax, dword ptr [ebp+08]
:004043C1 8945FC mov dword ptr [ebp-04], eax
:004043C4 8D45F0 lea eax, dword ptr [ebp-10]
:004043C7 8BD3 mov edx, ebx
:004043C9 E876EBFFFF call 00402F44 <--processes the registration request code
:004043CE 8B45F0 mov eax, dword ptr [ebp-10]
:004043D1 8D55F6 lea edx, dword ptr [ebp-0A]
:004043D4 8D4DF8 lea ecx, dword ptr [ebp-08]
:004043D7 E8FCFDFFFF call 004041D8 <--core CALL that performs the registration-code computation; press F8 to step in
:004043DC 85C0 test eax, eax
:004043DE 7504 jne 004043E4 <--must jump
:004043E0 33DB xor ebx, ebx
:004043E2 EB04 jmp 004043E8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040437D(C), :004043DE(C)
|
:004043E4 0FB75DF6 movzx ebx, word ptr [ebp-0A] <--moves the low 16 bits of the second part's computed result into EBX
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004043E2(U)
|
:004043E8 33C0 xor eax, eax
:004043EA 5A pop edx
:004043EB 59 pop ecx
:004043EC 59 pop ecx
:004043ED 648910 mov dword ptr fs:[eax], edx
:004043F0 6805444000 push 00404405
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404403(U)
|
:004043F5 8D45F0 lea eax, dword ptr [ebp-10]
:004043F8 E85FEAFFFF call 00402E5C
:004043FD C3 ret
:004043FE E9D5E4FFFF jmp 004028D8
:00404403 EBF0 jmp 004043F5
:00404405 8BC3 mov eax, ebx <--moves the low 16 bits of the second part's computed result into EAX
:00404407 5B pop ebx
:00404408 8BE5 mov esp, ebp
:0040440A 5D pop ebp
:0040440B C21000 ret 0010
//--------------------------------------------------------------------------------------------------
Pressing F8 at the core CALL above steps into the following code:
:004041D8 55 push ebp
:004041D9 8BEC mov ebp, esp
:004041DB 83C4DC add esp, FFFFFFDC
:004041DE 53 push ebx
:004041DF 56 push esi
:004041E0 57 push edi
:004041E1 33DB xor ebx, ebx
:004041E3 895DEC mov dword ptr [ebp-14], ebx
:004041E6 8BF1 mov esi, ecx
:004041E8 8D7DF0 lea edi, dword ptr [ebp-10]
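:004041EB A5 movsd <--copies the 32-bit hexadecimal value of the first part of the entered registration code to the memory EDI points to
:004041EC A5 movsd <--copies the 32-bit hexadecimal value of the second part of the entered registration code to the memory EDI points to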
:004041ED 8955F8 mov dword ptr [ebp-08], edx
:004041F0 8945FC mov dword ptr [ebp-04], eax
:004041F3 8B45FC mov eax, dword ptr [ebp-04]
:004041F6 E8C5EDFFFF call 00402FC0
:004041FB 33C0 xor eax, eax
:004041FD 55 push ebp
:004041FE 685F434000 push 0040435F
:00404203 64FF30 push dword ptr fs:[eax]
:00404206 648920 mov dword ptr fs:[eax], esp
:00404209 8D45EC lea eax, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"You are big pig."
|
:0040420C BA78434000 mov edx, 00404378
:00404211 E8AEECFFFF call 00402EC4
:00404216 8B45FC mov eax, dword ptr [ebp-04]
:00404219 E856EDFFFF call 00402F74
:0040421E 2507000080 and eax, 80000007
:00404223 7905 jns 0040422A
:00404225 48 dec eax
:00404226 83C8F8 or eax, FFFFFFF8
:00404229 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404223(C)
|
:0040422A 85C0 test eax, eax
:0040422C 742C je 0040425A
:0040422E 8D45FC lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"1234567"
|
:00404231 BA94434000 mov edx, 00404394
:00404236 E841EDFFFF call 00402F7C <--appends "1234567" to the registration request code to form a new string
:0040423B 8B45FC mov eax, dword ptr [ebp-04]
:0040423E E831EDFFFF call 00402F74 <--gets the length of the new string
:00404243 85C0 test eax, eax
:00404245 7903 jns 0040424A <--normally jumps
:00404247 83C007 add eax, 00000007
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404245(C)
|
:0040424A C1F803 sar eax, 03
:0040424D 8BD0 mov edx, eax
:0040424F C1E203 shl edx, 03
:00404252 8D45FC lea eax, dword ptr [ebp-04]
:00404255 E8AEEDFFFF call 00403008 <--truncates the new string so that its length is 8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040422C(C)
|
:0040425A 33F6 xor esi, esi
:0040425C 8D45FC lea eax, dword ptr [ebp-04]
:0040425F E86CEDFFFF call 00402FD0
:00404264 8BF8 mov edi, eax
:00404266 8D45EC lea eax, dword ptr [ebp-14]
:00404269 E862EDFFFF call 00402FD0 <--copies the string "You are big pig." to the memory EAX points to
:0040426E 8BD8 mov ebx, eax
:00404270 EB30 jmp 004042A2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004042B6(C)
|
:00404272 8B04B7 mov eax, dword ptr [edi+4*esi]
:00404275 8945E4 mov dword ptr [ebp-1C], eax
:00404278 8B44B704 mov eax, dword ptr [edi+4*esi+04]
:0040427C 8945E8 mov dword ptr [ebp-18], eax
:0040427F 8BD3 mov edx, ebx
:00404281 8D45E4 lea eax, dword ptr [ebp-1C]
:00404284 E8E7FEFFFF call 00404170 <--press F8 to step in; numbered (1)
:00404289 8B03 mov eax, dword ptr [ebx]
:0040428B 894308 mov dword ptr [ebx+08], eax
:0040428E 8B4304 mov eax, dword ptr [ebx+04]
:00404291 89430C mov dword ptr [ebx+0C], eax
:00404294 8B45E4 mov eax, dword ptr [ebp-1C] <--first part of the computed result goes into EAX
:00404297 8903 mov dword ptr [ebx], eax
:00404299 8B45E8 mov eax, dword ptr [ebp-18] <--second part of the computed result goes into EAX
:0040429C 894304 mov dword ptr [ebx+04], eax
:0040429F 83C602 add esi, 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404270(U)
|
:004042A2 8B45FC mov eax, dword ptr [ebp-04]
:004042A5 E8CAECFFFF call 00402F74 <--gets the length of the registration request code
:004042AA 85C0 test eax, eax
:004042AC 7903 jns 004042B1 <--jumps
:004042AE 83C003 add eax, 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004042AC(C)
|
:004042B1 C1F802 sar eax, 02
:004042B4 3BF0 cmp esi, eax
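:004042B6 72BA jb 00404272 <--jumps
:004042B8 8B45F0 mov eax, dword ptr [ebp-10] <--32-bit hexadecimal value of the first part of the entered registration code goes into EAX
:004042BB 33D2 xor edx, edx
:004042BD 52 push edx <--pushes the high 32 bits of the first part of the entered registration code (always 0)
:004042BE 50 push eax <--pushes the low 32 bits of the first part of the entered registration code
:004042BF FF35D0504000 push dword ptr [004050D0] <--high 32 bits of the RSA encryption key e (0)
:004042C5 FF35CC504000 push dword ptr [004050CC] <--low 32 bits of the RSA encryption key e (0x3B442AF9)
:004042CB FF35D8504000 push dword ptr [004050D8] <--high 32 bits of the RSA n (0)
:004042D1 FF35D4504000 push dword ptr [004050D4] <--low bits of the RSA n (0x69AAA0E3)
:004042D7 E8DCFDFFFF call 004040B8 <--press F8 to step in; numbered (2)
:004042DC 83E802 sub eax, 00000002 <--subtracts 2 from the result
:004042DF 8945DC mov dword ptr [ebp-24], eax <--stores the first part's computed result
:004042E2 8B45F4 mov eax, dword ptr [ebp-0C] <--32-bit hexadecimal value of the second part of the entered registration code goes into EAX
:004042E5 33D2 xor edx, edx
:004042E7 52 push edx <--pushes the high 32 bits of the second part of the entered registration code (always 0)
:004042E8 50 push eax <--pushes the low 32 bits of the second part of the entered registration code
:004042E9 FF35D0504000 push dword ptr [004050D0] <--high 32 bits of the RSA encryption key e (0)
:004042EF FF35CC504000 push dword ptr [004050CC] <--low 32 bits of the RSA encryption key e (0x3B442AF9)
:004042F5 FF35D8504000 push dword ptr [004050D8] <--high 32 bits of the RSA n (0)
:004042FB FF35D4504000 push dword ptr [004050D4] <--low bits of the RSA n (0x69AAA0E3)
:00404301 E8B2FDFFFF call 004040B8 <--press F8 to step in; numbered (2)
:00404306 83E802 sub eax, 00000002 <--subtracts 2 from the result
:00404309 8945E0 mov dword ptr [ebp-20], eax <--stores the second part's computed result
:0040430C C165DC02 shl dword ptr [ebp-24], 02 <--shifts the first part's computed result left by 2 bits
:00404310 8D4DDC lea ecx, dword ptr [ebp-24]
:00404313 8B01 mov eax, dword ptr [ecx] <--first part's computed result goes into EAX
:00404315 8B5104 mov edx, dword ptr [ecx+04] <--second part's computed result goes into EDX
:00404318 0FACD002 shrd eax, edx, 02 <--this instruction and the next one perform a 64-bit circular right shift by 2 bits
:0040431C C1EA02 shr edx, 02
:0040431F 8901 mov dword ptr [ecx], eax <--stores the first part's computed result
:00404321 895104 mov dword ptr [ecx+04], edx <--stores the second part's computed result
:00404324 8B45DC mov eax, dword ptr [ebp-24] <--first part's computed result goes into EAX
:00404327 3B45E4 cmp eax, dword ptr [ebp-1C] <--compares whether the computed result for the first part of the entered registration code equals the first part of the result computed from the registration request code
:0040432A 7404 je 00404330 <--should jump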
:0040432C 33DB xor ebx, ebx
:0040432E EB11 jmp 00404341
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040432A(C)
|
:00404330 668B45E0 mov ax, word ptr [ebp-20] <--moves the low 16 bits of the second part's computed result into AX
:00404334 6625FFFF and ax, FFFF
:00404338 8B55F8 mov edx, dword ptr [ebp-08]
:0040433B 668902 mov word ptr [edx], ax <--stores the low 16 bits of the second part's computed result
:0040433E 83CBFF or ebx, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040432E(U)
|
:00404341 33C0 xor eax, eax
:00404343 5A pop edx
:00404344 59 pop ecx
:00404345 59 pop ecx
:00404346 648910 mov dword ptr fs:[eax], edx
:00404349 6866434000 push 00404366
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404364(U)
|
:0040434E 8D45EC lea eax, dword ptr [ebp-14]
:00404351 E806EBFFFF call 00402E5C
:00404356 8D45FC lea eax, dword ptr [ebp-04]
:00404359 E8FEEAFFFF call 00402E5C
:0040435E C3 ret
//--------------------------------------------------------------------------------------------------
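Pressing F8 at the CALL numbered (1) above steps into the following code (which performs a computation over the registration request code and the string "You are big pig."):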
* Referenced by a CALL at Address:
|:00404284
|
:00404170 53 push ebx
:00404171 56 push esi
:00404172 57 push edi
:00404173 51 push ecx
:00404174 890424 mov dword ptr [esp], eax
:00404177 B820000000 mov eax, 00000020 <--makes the loop below run 0x20 times
:0040417C 8B0C24 mov ecx, dword ptr [esp]
:0040417F 8B09 mov ecx, dword ptr [ecx] <--moves the high 16 bits of the registration request code into ECX
:00404181 8B1C24 mov ebx, dword ptr [esp]
:00404184 8B5B04 mov ebx, dword ptr [ebx+04] <--moves the low 16 bits of the registration request code into EBX
:00404187 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004041C5(C)
|
:00404189 48 dec eax
:0040418A 0335C8504000 add esi, dword ptr [004050C8] <--[004050C8] initially holds 0x9E3779B9
:00404190 8BFB mov edi, ebx
:00404192 C1E704 shl edi, 04
:00404195 03CF add ecx, edi
:00404197 8B3A mov edi, dword ptr [edx] <--EDX points to the start of the string "You are big pig."
:00404199 33FB xor edi, ebx
:0040419B 03CF add ecx, edi
:0040419D 8BFB mov edi, ebx
:0040419F C1EF05 shr edi, 05
:004041A2 33FE xor edi, esi
:004041A4 03CF add ecx, edi
:004041A6 034A04 add ecx, dword ptr [edx+04]
:004041A9 8BF9 mov edi, ecx
:004041AB C1E704 shl edi, 04
:004041AE 03DF add ebx, edi
:004041B0 8B7A08 mov edi, dword ptr [edx+08]
:004041B3 33F9 xor edi, ecx
:004041B5 03DF add ebx, edi
:004041B7 8BF9 mov edi, ecx
:004041B9 C1EF05 shr edi, 05
:004041BC 33FE xor edi, esi
:004041BE 03DF add ebx, edi
:004041C0 035A0C add ebx, dword ptr [edx+0C]
:004041C3 85C0 test eax, eax
:004041C5 77C2 ja 00404189
:004041C7 8B0424 mov eax, dword ptr [esp]
:004041CA 8908 mov dword ptr [eax], ecx
:004041CC 8B0424 mov eax, dword ptr [esp]
:004041CF 895804 mov dword ptr [eax+04], ebx
:004041D2 5A pop edx
:004041D3 5F pop edi
:004041D4 5E pop esi
:004041D5 5B pop ebx
:004041D6 C3 ret
//--------------------------------------------------------------------------------------------------
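The CALL numbered (2) is in fact equivalent to the following C code (adapted from the pseudo-C in dr0's "Windows優化大師v2.9+的註冊碼加密演算法" (The Registration-Code Encryption Algorithm of Windows優化大師 v2.9+) in forum digest III):
#include <stdint.h>

/* Square-and-multiply modular exponentiation: returns (m ^ e) mod n.
   Assumes m and n fit in 32 bits, so every product fits in 64 bits. */
uint64_t encrypt_decrypt(uint64_t m, uint64_t e, uint64_t n)
{
    uint64_t a = m;   /* running base */
    uint64_t b = e;   /* remaining exponent */
    uint64_t c = 1;   /* accumulated result */
    while (b)
    {
        if ((b % 2) == 0)
        {
            b = b / 2;          /* halve the exponent */
            a = (a * a) % n;
        }
        else
        {
            b = b - 1;
            c = (a * c) % n;
        }
    }
    return c;
}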
Pressing F8 at the CALL numbered (2) above steps into the following code:
* Referenced by a CALL at Addresses:
|:004042D7 , :00404301
|
:004040B8 55 push ebp
:004040B9 8BEC mov ebp, esp
:004040BB 83C4F8 add esp, FFFFFFF8
:004040BE C745F801000000 mov [ebp-08], 00000001 <--c = 1
:004040C5 C745FC00000000 mov [ebp-04], 00000000
:004040CC EB7C jmp 0040414A
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404154(C), :0040415C(C)
|
:004040CE 6A00 push 00000000
:004040D0 6A02 push 00000002
:004040D2 8B4510 mov eax, dword ptr [ebp+10]
:004040D5 8B5514 mov edx, dword ptr [ebp+14]
:004040D8 E890FAFFFF call 00403B6D <--b mod 2
:004040DD 83FA00 cmp edx, 00000000
:004040E0 7539 jne 0040411B
:004040E2 83F800 cmp eax, 00000000
:004040E5 7534 jne 0040411B
:004040E7 6A00 push 00000000
:004040E9 6A02 push 00000002
:004040EB 8B4510 mov eax, dword ptr [ebp+10]
:004040EE 8B5514 mov edx, dword ptr [ebp+14]
:004040F1 E884F9FFFF call 00403A7A <--b = b / 2
:004040F6 894510 mov dword ptr [ebp+10], eax
:004040F9 895514 mov dword ptr [ebp+14], edx
:004040FC FF751C push [ebp+1C]
:004040FF FF7518 push [ebp+18]
:00404102 FF751C push [ebp+1C]
:00404105 FF7518 push [ebp+18]
:00404108 FF750C push [ebp+0C]
:0040410B FF7508 push [ebp+08]
:0040410E E84DFFFFFF call 00404060 <--a = (a * a) mod n
:00404113 894518 mov dword ptr [ebp+18], eax
:00404116 89551C mov dword ptr [ebp+1C], edx
:00404119 EB2F jmp 0040414A
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004040E0(C), :004040E5(C)
|
:0040411B 8B4510 mov eax, dword ptr [ebp+10]
:0040411E 8B5514 mov edx, dword ptr [ebp+14]
:00404121 83E801 sub eax, 00000001 <--b = b - 1
:00404124 83DA00 sbb edx, 00000000
:00404127 894510 mov dword ptr [ebp+10], eax
:0040412A 895514 mov dword ptr [ebp+14], edx
:0040412D FF751C push [ebp+1C]
:00404130 FF7518 push [ebp+18]
:00404133 FF75FC push [ebp-04]
:00404136 FF75F8 push [ebp-08]
:00404139 FF750C push [ebp+0C]
:0040413C FF7508 push [ebp+08]
:0040413F E81CFFFFFF call 00404060 <--c = (a * c) mod n
:00404144 8945F8 mov dword ptr [ebp-08], eax
:00404147 8955FC mov dword ptr [ebp-04], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004040CC(U), :00404119(U)
|
:0040414A 837D1400 cmp dword ptr [ebp+14], 00000000 <--is b equal to 0?
:0040414E 750C jne 0040415C
:00404150 837D1000 cmp dword ptr [ebp+10], 00000000
:00404154 0F8774FFFFFF ja 004040CE
:0040415A EB06 jmp 00404162 <--continue looping
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040414E(C)
|
:0040415C 0F8F6CFFFFFF jg 004040CE <--continue looping
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040415A(U)
|
:00404162 8B45F8 mov eax, dword ptr [ebp-08] <--return value c
:00404165 8B55FC mov edx, dword ptr [ebp-04]
:00404168 59 pop ecx
:00404169 59 pop ecx
:0040416A 5D pop ebp
:0040416B C21800 ret 0018
//--------------------------------------------------------------------------------------------------
We can now obtain the relevant RSA parameters:
Product of the two prime factors: n=0x69AAA0E3
Encryption key: e=0x3B442AF9
Decryption key: d=0x002C86F9
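Why a modulus of this size gives the decryption key away, as an added example (not part of the original write-up or of the product's code): when n fits in 32 bits, trial division factors it immediately and the extended Euclidean algorithm then yields d from the public e. The primes, exponent, constants and function names below are constructed for illustration and are not the values analysed above.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed demo key: n = 65521 * 65537 (both prime), e = 17.
   These are NOT the parameters of the analysed program. */
static const uint32_t DEMO_N = 4294049777u;
static const uint32_t DEMO_E = 17u;

/* Square-and-multiply: (a ^ b) mod n. With n < 2^32 every product fits in 64 bits. */
static uint64_t modpow(uint64_t a, uint64_t b, uint64_t n)
{
    uint64_t c = 1;
    a %= n;
    while (b) {
        if (b & 1)
            c = (a * c) % n;
        a = (a * a) % n;
        b >>= 1;
    }
    return c;
}

/* Trial division: smallest prime factor of n, or n itself when n is prime.
   For a 32-bit n this is at most about 32768 loop iterations. */
static uint32_t smallest_factor(uint32_t n)
{
    if (n % 2 == 0)
        return 2;
    for (uint32_t f = 3; (uint64_t)f * f <= n; f += 2)
        if (n % f == 0)
            return f;
    return n;
}

/* Extended Euclid: inverse of e modulo phi, or 0 when gcd(e, phi) != 1. */
static uint64_t mod_inverse(uint64_t e, uint64_t phi)
{
    int64_t r0 = (int64_t)phi, r1 = (int64_t)(e % phi);
    int64_t t0 = 0, t1 = 1;
    while (r1 != 0) {
        int64_t q = r0 / r1;
        int64_t r2 = r0 - q * r1;
        int64_t t2 = t0 - q * t1;
        r0 = r1; r1 = r2;
        t0 = t1; t1 = t2;
    }
    if (r0 != 1)
        return 0;
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)phi : t0);
}

/* Recover the private exponent from the public pair (n, e).
   Returns 0 when n is not a product of two distinct primes or e has no inverse. */
uint64_t recover_private_exponent(uint32_t n, uint32_t e,
                                  uint32_t *p_out, uint32_t *q_out)
{
    if (n < 4)
        return 0;
    uint32_t p = smallest_factor(n);
    if (p == n)
        return 0;                       /* n is prime: not an RSA modulus */
    uint32_t q = n / p;
    if (q == p || smallest_factor(q) != q)
        return 0;                       /* not two distinct primes */
    *p_out = p;
    *q_out = q;
    uint64_t phi = (uint64_t)(p - 1) * (q - 1);
    return mod_inverse(e, phi);
}

int main(void)
{
    uint32_t p = 0, q = 0;
    uint64_t d = recover_private_exponent(DEMO_N, DEMO_E, &p, &q);
    uint64_t m = 123456789u;            /* constructed message */
    uint64_t back = modpow(modpow(m, DEMO_E, DEMO_N), d, DEMO_N);
    printf("p=%u q=%u d=%llu round-trip ok=%d\n",
           p, q, (unsigned long long)d, back == m);
    return 0;
}
```

The cost of the factoring step is what the key length has to make prohibitive; at 32 bits it is a few thousand divisions, so a licence check built on such a modulus protects nothing once n and e are read out of the binary.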
//------------------------------------------------------------------------------
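At this point we have analysed the registration-code mechanism of WINDOWS優化大師 fairly completely, so I believe writing a keygen for it will not be much trouble for anyone.
I hope everyone writes a keygen or two in their spare time to improve their programming skills!!!
Postscript: today I finally managed to buy brother 看雪's book (sob~~~~~~~~~~~~~), I really waited for it until my heart ached!!!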
================================================================================
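Cracking Notes: Windows優化大師 (Supplement)
Software name: Windows優化大師
Version: 4.20
Author: 時空幻影
Date: November 25, 2001
Tools used: TRW2000 V1.22 (registered version), CASPR (unpacking tool), PW32DSM Platinum Edition (Chinese-localized)
While cracking it, I found that after entering the registration code the software became registered and automatic optimization also worked, but after exiting and running it again it went back to unregistered.
After tracing, debugging and analysis, I found that the cause was this: in order to disassemble OCTODLL.DLL I had unpacked that file and copied the unpacked file into the software's directory, overwriting the original packed file, and that made the software become unregistered.
Now let us look at which factors cause the software to become unregistered: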
* Referenced by a CALL at Addresses:
|:00534EFA , :005360D8
|
:0052738C 55 push ebp
:0052738D 8BEC mov ebp, esp
:0052738F 81C48CFEFFFF add esp, FFFFFE8C
:00527395 53 push ebx
:00527396 56 push esi
:00527397 33D2 xor edx, edx
:00527399 89958CFEFFFF mov dword ptr [ebp+FFFFFE8C], edx
:0052739F 899590FEFFFF mov dword ptr [ebp+FFFFFE90], edx
:005273A5 8955F8 mov dword ptr [ebp-08], edx
:005273A8 8955F4 mov dword ptr [ebp-0C], edx
:005273AB 8955F0 mov dword ptr [ebp-10], edx
:005273AE 8955EC mov dword ptr [ebp-14], edx
:005273B1 8945FC mov dword ptr [ebp-04], eax
:005273B4 8D8594FEFFFF lea eax, dword ptr [ebp+FFFFFE94]
* Possible StringData Ref from Code Obj ->"
TSearchRecX"
|
:005273BA 8B156C7E4000 mov edx, dword ptr [00407E6C]
:005273C0 E87FD1EDFF call 00404544
:005273C5 33C0 xor eax, eax
:005273C7 55 push ebp
:005273C8 68B8785200 push 005278B8
:005273CD 64FF30 push dword ptr fs:[eax]
:005273D0 648920 mov dword ptr fs:[eax], esp
:005273D3 B201 mov dl, 01
:005273D5 A1787F4500 mov eax, dword ptr [00457F78]
:005273DA E8990CF3FF call 00458078
:005273DF 8BD8 mov ebx, eax
:005273E1 BA02000080 mov edx, 80000002
:005273E6 8BC3 mov eax, ebx
:005273E8 E82B0DF3FF call 00458118
:005273ED B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Wom"
|
:005273EF BAD0785200 mov edx, 005278D0
:005273F4 8BC3 mov eax, ebx
:005273F6 E8610EF3FF call 0045825C
:005273FB 8D9590FEFFFF lea edx, dword ptr [ebp+FFFFFE90]
:00527401 A174C25600 mov eax, dword ptr [0056C274]
:00527406 8B00 mov eax, dword ptr [eax]
:00527408 E8838EF2FF call 00450290
:0052740D 8B8D90FEFFFF mov ecx, dword ptr [ebp+FFFFFE90]
* Possible StringData Ref from Code Obj ->"location"
|
:00527413 BAE8785200 mov edx, 005278E8
:00527418 8BC3 mov eax, ebx
:0052741A E88D13F3FF call 004587AC
* Possible StringData Ref from Code Obj ->"Register"
|
:0052741F BAFC785200 mov edx, 005278FC
:00527424 8BC3 mov eax, ebx
:00527426 E8E115F3FF call 00458A0C <--reads the registrant name
:0052742B 84C0 test al, al
:0052742D 752B jne 0052745A <--jumps if a registrant name exists
:0052742F 8B45FC mov eax, dword ptr [ebp-04]
:00527432 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:00527438 BA10795200 mov edx, 00527910
:0052743D E8C2A4F0FF call 00431904
:00527442 8BC3 mov eax, ebx
:00527444 E89F0CF3FF call 004580E8
:00527449 8BC3 mov eax, ebx
:0052744B E81CBBEDFF call 00402F6C
:00527450 BB01000000 mov ebx, 00000001
:00527455 E922040000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052742D(C)
|
:0052745A 8D4DF0 lea ecx, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"Register"
|
:0052745D BAFC785200 mov edx, 005278FC
:00527462 8BC3 mov eax, ebx
:00527464 E86F13F3FF call 004587D8
:00527469 8BC3 mov eax, ebx
:0052746B E8780CF3FF call 004580E8
:00527470 8BC3 mov eax, ebx
:00527472 E8F5BAEDFF call 00402F6C
:00527477 8D45EC lea eax, dword ptr [ebp-14]
:0052747A 8B1554FF5600 mov edx, dword ptr [0056FF54]
:00527480 E8CBC8EDFF call 00403D50
:00527485 C705E0FE560001000000 mov dword ptr [0056FEE0], 00000001
:0052748F 8B45F0 mov eax, dword ptr [ebp-10]
:00527492 E8A1CAEDFF call 00403F38
:00527497 8BC8 mov ecx, eax
:00527499 85C9 test ecx, ecx
:0052749B 7E2F jle 005274CC
:0052749D BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005274CA(C)
|
:005274A2 8B45F0 mov eax, dword ptr [ebp-10]
:005274A5 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
:005274AA F72DE0FE5600 imul dword ptr [0056FEE0]
:005274B0 0578080D00 add eax, 000D0878
:005274B5 99 cdq
:005274B6 33C2 xor eax, edx
:005274B8 2BC2 sub eax, edx
:005274BA BE40420F00 mov esi, 000F4240
:005274BF 99 cdq
:005274C0 F7FE idiv esi
:005274C2 8915E0FE5600 mov dword ptr [0056FEE0], edx
:005274C8 43 inc ebx
:005274C9 49 dec ecx
:005274CA 75D6 jne 005274A2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052749B(C)
|
:005274CC 8B45EC mov eax, dword ptr [ebp-14]
:005274CF E864CAEDFF call 00403F38
:005274D4 8BC8 mov ecx, eax
:005274D6 85C9 test ecx, ecx
:005274D8 7E2F jle 00527509
:005274DA BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527507(C)
|
:005274DF 8B45EC mov eax, dword ptr [ebp-14]
:005274E2 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
:005274E7 F72DE0FE5600 imul dword ptr [0056FEE0]
:005274ED 057D590200 add eax, 0002597D
:005274F2 99 cdq
:005274F3 33C2 xor eax, edx
:005274F5 2BC2 sub eax, edx
:005274F7 BE40420F00 mov esi, 000F4240
:005274FC 99 cdq
:005274FD F7FE idiv esi
:005274FF 8915E0FE5600 mov dword ptr [0056FEE0], edx
:00527505 43 inc ebx
:00527506 49 dec ecx
:00527507 75D6 jne 005274DF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005274D8(C)
|
:00527509 B201 mov dl, 01
:0052750B A1787F4500 mov eax, dword ptr [00457F78]
:00527510 E8630BF3FF call 00458078
:00527515 8BF0 mov esi, eax
:00527517 BA02000080 mov edx, 80000002
:0052751C 8BC6 mov eax, esi
:0052751E E8F50BF3FF call 00458118
:00527523 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Wom"
|
:00527525 BAD0785200 mov edx, 005278D0
:0052752A 8BC6 mov eax, esi
:0052752C E82B0DF3FF call 0045825C
* Possible StringData Ref from Code Obj ->"Register_1"
|
:00527531 BA38795200 mov edx, 00527938
:00527536 8BC6 mov eax, esi
:00527538 E8CF14F3FF call 00458A0C <--reads the first part of the registration code
:0052753D 84C0 test al, al
:0052753F 752B jne 0052756C <--jumps if the first part of the registration code exists
:00527541 8B45FC mov eax, dword ptr [ebp-04]
:00527544 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:0052754A BA10795200 mov edx, 00527910
:0052754F E8B0A3F0FF call 00431904
:00527554 8BC6 mov eax, esi
:00527556 E88D0BF3FF call 004580E8
:0052755B 8BC6 mov eax, esi
:0052755D E80ABAEDFF call 00402F6C
:00527562 BB01000000 mov ebx, 00000001
:00527567 E910030000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052753F(C)
|
* Possible StringData Ref from Code Obj ->"Register_2"
|
:0052756C BA4C795200 mov edx, 0052794C
:00527571 8BC6 mov eax, esi
:00527573 E89414F3FF call 00458A0C <--reads the second part of the registration code
:00527578 84C0 test al, al
:0052757A 752B jne 005275A7 <--jumps if the second part of the registration code exists
:0052757C 8B45FC mov eax, dword ptr [ebp-04]
:0052757F 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:00527585 BA10795200 mov edx, 00527910
:0052758A E875A3F0FF call 00431904
:0052758F 8BC6 mov eax, esi
:00527591 E8520BF3FF call 004580E8
:00527596 8BC6 mov eax, esi
:00527598 E8CFB9EDFF call 00402F6C
:0052759D BB01000000 mov ebx, 00000001
:005275A2 E9D5020000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052757A(C)
|
:005275A7 8D8D94FEFFFF lea ecx, dword ptr [ebp+FFFFFE94]
:005275AD BA3F000000 mov edx, 0000003F
* Possible StringData Ref from Code Obj ->"*.*"
|
:005275B2 B860795200 mov eax, 00527960
:005275B7 E8741CEEFF call 00409230
:005275BC 8B85A0FEFFFF mov eax, dword ptr [ebp+FFFFFEA0]
* Possible StringData Ref from Code Obj ->"OctoDll.dll"
|
:005275C2 BA6C795200 mov edx, 0052796C
:005275C7 E87CCAEDFF call 00404048 <-- checks whether the file OctoDll.dll has been modified
:005275CC 7537 jne 00527605
:005275CE 81BD98FEFFFF00460000 cmp dword ptr [ebp+FFFFFE98], 00004600
:005275D8 742B je 00527605
:005275DA 8B45FC mov eax, dword ptr [ebp-04]
:005275DD 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:005275E3 BA10795200 mov edx, 00527910
:005275E8 E817A3F0FF call 00431904
:005275ED 8BC6 mov eax, esi
:005275EF E8F40AF3FF call 004580E8
:005275F4 8BC6 mov eax, esi
:005275F6 E871B9EDFF call 00402F6C
:005275FB BB01000000 mov ebx, 00000001
:00527600 E977020000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005275CC(C), :005275D8(C)
|
:00527605 81BD98FEFFFF00680200 cmp dword ptr [ebp+FFFFFE98], 00026800
:0052760F 752B jne 0052763C
:00527611 8B45FC mov eax, dword ptr [ebp-04]
:00527614 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:0052761A BA10795200 mov edx, 00527910
:0052761F E8E0A2F0FF call 00431904
:00527624 8BC6 mov eax, esi
:00527626 E8BD0AF3FF call 004580E8
:0052762B 8BC6 mov eax, esi
:0052762D E83AB9EDFF call 00402F6C
:00527632 BB01000000 mov ebx, 00000001
:00527637 E940020000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052760F(C)
|
:0052763C 8B95A0FEFFFF mov edx, dword ptr [ebp+FFFFFEA0]
* Possible StringData Ref from Code Obj ->"cr-wom"
|
:00527642 B880795200 mov eax, 00527980
:00527647 E8D8CBEDFF call 00404224 <-- checks whether any file name in the current directory contains the string "cr-wom"
:0052764C 85C0 test eax, eax
:0052764E 742B je 0052767B
:00527650 8B45FC mov eax, dword ptr [ebp-04]
:00527653 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:00527659 BA10795200 mov edx, 00527910
:0052765E E8A1A2F0FF call 00431904
:00527663 8BC6 mov eax, esi
:00527665 E87E0AF3FF call 004580E8
:0052766A 8BC6 mov eax, esi
:0052766C E8FBB8EDFF call 00402F6C
:00527671 BB01000000 mov ebx, 00000001
:00527676 E901020000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052764E(C)
|
* Possible StringData Ref from Code Obj ->"Windowsyhds.exe"
|
:0052767B B890795200 mov eax, 00527990
:00527680 E8FB1AEEFF call 00409180 <-- checks whether any file in the current directory is named "Windowsyhds.exe"
:00527685 84C0 test al, al
:00527687 751C jne 005276A5
* Possible StringData Ref from Code Obj ->"fwd.txt"
|
:00527689 B8A8795200 mov eax, 005279A8
:0052768E E8ED1AEEFF call 00409180 <-- checks whether any file in the current directory is named "fwd.txt"
:00527693 84C0 test al, al
:00527695 750E jne 005276A5
* Possible StringData Ref from Code Obj ->"wom29a_k.exe"
|
:00527697 B8B8795200 mov eax, 005279B8
:0052769C E8DF1AEEFF call 00409180 <-- checks whether any file in the current directory is named "wom29a_k.exe"
:005276A1 84C0 test al, al
:005276A3 742B je 005276D0
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00527687(C), :00527695(C)
|
:005276A5 8B45FC mov eax, dword ptr [ebp-04]
:005276A8 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:005276AE BA10795200 mov edx, 00527910
:005276B3 E84CA2F0FF call 00431904
:005276B8 8BC6 mov eax, esi
:005276BA E8290AF3FF call 004580E8
:005276BF 8BC6 mov eax, esi
:005276C1 E8A6B8EDFF call 00402F6C
:005276C6 BB01000000 mov ebx, 00000001
:005276CB E9AC010000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005276A3(C), :005277FB(C)
|
:005276D0 8D8594FEFFFF lea eax, dword ptr [ebp+FFFFFE94]
:005276D6 E8A51BEEFF call 00409280
:005276DB 8BD8 mov ebx, eax
:005276DD 85DB test ebx, ebx
:005276DF 0F8514010000 jne 005277F9
:005276E5 8B85A0FEFFFF mov eax, dword ptr [ebp+FFFFFEA0]
* Possible StringData Ref from Code Obj ->"OctoDll.dll"
|
:005276EB BA6C795200 mov edx, 0052796C
:005276F0 E853C9EDFF call 00404048
:005276F5 7537 jne 0052772E
:005276F7 81BD98FEFFFF00460000 cmp dword ptr [ebp+FFFFFE98], 00004600
:00527701 742B je 0052772E
:00527703 8B45FC mov eax, dword ptr [ebp-04]
:00527706 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:0052770C BA10795200 mov edx, 00527910
:00527711 E8EEA1F0FF call 00431904
:00527716 8BC6 mov eax, esi
:00527718 E8CB09F3FF call 004580E8
:0052771D 8BC6 mov eax, esi
:0052771F E848B8EDFF call 00402F6C
:00527724 BB01000000 mov ebx, 00000001
:00527729 E94E010000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005276F5(C), :00527701(C)
|
:0052772E 81BD98FEFFFF00680200 cmp dword ptr [ebp+FFFFFE98], 00026800
:00527738 752B jne 00527765
:0052773A 8B45FC mov eax, dword ptr [ebp-04]
:0052773D 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:00527743 BA10795200 mov edx, 00527910
:00527748 E8B7A1F0FF call 00431904
:0052774D 8BC6 mov eax, esi
:0052774F E89409F3FF call 004580E8
:00527754 8BC6 mov eax, esi
:00527756 E811B8EDFF call 00402F6C
:0052775B BB01000000 mov ebx, 00000001
:00527760 E917010000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527738(C)
|
:00527765 8B95A0FEFFFF mov edx, dword ptr [ebp+FFFFFEA0]
* Possible StringData Ref from Code Obj ->"cr-wom"
|
:0052776B B880795200 mov eax, 00527980
:00527770 E8AFCAEDFF call 00404224
:00527775 85C0 test eax, eax
:00527777 742B je 005277A4
:00527779 8B45FC mov eax, dword ptr [ebp-04]
:0052777C 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:00527782 BA10795200 mov edx, 00527910
:00527787 E878A1F0FF call 00431904
:0052778C 8BC6 mov eax, esi
:0052778E E85509F3FF call 004580E8
:00527793 8BC6 mov eax, esi
:00527795 E8D2B7EDFF call 00402F6C
:0052779A BB01000000 mov ebx, 00000001
:0052779F E9D8000000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527777(C)
|
* Possible StringData Ref from Code Obj ->"Windowsyhds.exe"
|
:005277A4 B890795200 mov eax, 00527990
:005277A9 E8D219EEFF call 00409180
:005277AE 84C0 test al, al
:005277B0 751C jne 005277CE
* Possible StringData Ref from Code Obj ->"fwd.txt"
|
:005277B2 B8A8795200 mov eax, 005279A8
:005277B7 E8C419EEFF call 00409180
:005277BC 84C0 test al, al
:005277BE 750E jne 005277CE
* Possible StringData Ref from Code Obj ->"wom29a_k.exe"
|
:005277C0 B8B8795200 mov eax, 005279B8
:005277C5 E8B619EEFF call 00409180
:005277CA 84C0 test al, al
:005277CC 742B je 005277F9
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005277B0(C), :005277BE(C)
|
:005277CE 8B45FC mov eax, dword ptr [ebp-04]
:005277D1 8B8064050000 mov eax, dword ptr [eax+00000564]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
|
:005277D7 BA10795200 mov edx, 00527910
:005277DC E823A1F0FF call 00431904
:005277E1 8BC6 mov eax, esi
:005277E3 E80009F3FF call 004580E8
:005277E8 8BC6 mov eax, esi
:005277EA E87DB7EDFF call 00402F6C
:005277EF BB01000000 mov ebx, 00000001
:005277F4 E983000000 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005276DF(C), :005277CC(C)
|
:005277F9 85DB test ebx, ebx
:005277FB 0F84CFFEFFFF je 005276D0
:00527801 8D8594FEFFFF lea eax, dword ptr [ebp+FFFFFE94] <-- once execution gets this far, nothing can go wrong any more except a wrong registration code
:00527807 E8981AEEFF call 004092A4
:0052780C 8D4DF8 lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"Register_1"
|
:0052780F BA38795200 mov edx, 00527938
:00527814 8BC6 mov eax, esi
:00527816 E8BD0FF3FF call 004587D8
:0052781B 8D4DF4 lea ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"Register_2"
|
:0052781E BA4C795200 mov edx, 0052794C
:00527823 8BC6 mov eax, esi
:00527825 E8AE0FF3FF call 004587D8
:0052782A 8BC6 mov eax, esi
:0052782C E8B708F3FF call 004580E8
:00527831 8BC6 mov eax, esi
:00527833 E834B7EDFF call 00402F6C
:00527838 8B45F8 mov eax, dword ptr [ebp-08]
:0052783B E870FAFFFF call 005272B0
:00527840 99 cdq
:00527841 52 push edx
:00527842 50 push eax
:00527843 8B45F4 mov eax, dword ptr [ebp-0C]
:00527846 E865FAFFFF call 005272B0
:0052784B 99 cdq
:0052784C 52 push edx
:0052784D 50 push eax
:0052784E 8D958CFEFFFF lea edx, dword ptr [ebp+FFFFFE8C]
:00527854 A1E0FE5600 mov eax, dword ptr [0056FEE0]
:00527859 E83616EEFF call 00408E94
:0052785E 8B858CFEFFFF mov eax, dword ptr [ebp+FFFFFE8C]
:00527864 E893C8EDFF call 004040FC
* Reference To: Octodll.Registed, Ord:0000h
|
:00527869 E896E7FFFF Call 00526004
:0052786E 83F814 cmp eax, 00000014
:00527871 7407 je 0052787A
:00527873 BB01000000 mov ebx, 00000001
:00527878 EB02 jmp 0052787C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527871(C)
|
:0052787A 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00527455(U), :00527567(U), :005275A2(U), :00527600(U), :00527637(U)
|:00527676(U), :005276CB(U), :00527729(U), :00527760(U), :0052779F(U)
|:005277F4(U), :00527878(U)
|
:0052787C 33C0 xor eax, eax
:0052787E 5A pop edx
:0052787F 59 pop ecx
:00527880 59 pop ecx
:00527881 648910 mov dword ptr fs:[eax], edx
:00527884 68BF785200 push 005278BF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005278BD(U)
|
:00527889 8D858CFEFFFF lea eax, dword ptr [ebp+FFFFFE8C]
:0052788F BA02000000 mov edx, 00000002
:00527894 E843C4EDFF call 00403CDC
:00527899 8D8594FEFFFF lea eax, dword ptr [ebp+FFFFFE94]
* Possible StringData Ref from Code Obj ->"
TSearchRecX"
|
:0052789F 8B156C7E4000 mov edx, dword ptr [00407E6C]
:005278A5 E866CDEDFF call 00404610
:005278AA 8D45EC lea eax, dword ptr [ebp-14]
:005278AD BA04000000 mov edx, 00000004
:005278B2 E825C4EDFF call 00403CDC
:005278B7 C3 ret
:005278B8 E90FBEEDFF jmp 004036CC
:005278BD EBCA jmp 00527889
:005278BF 8BC3 mov eax, ebx
:005278C1 5E pop esi
:005278C2 5B pop ebx
:005278C3 8BE5 mov esp, ebp
:005278C5 5D pop ebp
:005278C6 C3 ret
//--------------------------------------------------------------------------------------------------
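It is also worth noting that when writing a keygen, you should not use 0x14 directly when computing Code2, because the registration code that comes out does not match the author's. In fact Code2 is not unique: apart from the highest 2 bits and the low 16 bits, which must not be changed, the remaining 14 bits can be any value. According to my analysis, only the registration code computed with 0x93E0014 matches the author's.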