32bit Convert It 9.52.01破解手記--找到註冊碼
32bit
Convert It 9.52.01破解手記--找到註冊碼
作者:newlaos[CCG][DFCG]
軟體名稱:32bit
Convert It 9.52.01(理科工具)
整理日期:2003.4.4
最新版本:9.52.01
檔案大小:343KB
軟體授權:共享軟體
使用平臺:Win9x/Me/NT/2000/XP
釋出公司:http://www.electrasoft.com/
軟體簡介:32bit
Convert It 讓你不用再翻遍單位換算表就能直接在軟體上面執行單位換算的工作,有相當多種類的單位換算功能。
加密方式:註冊碼
功能限制:未註冊資訊提示
PJ工具:TRW20001.23註冊版,W32Dasm8.93黃金版,FI2.5
PJ日期:2003-04-09
作者newlaos申明:只是學習,請不用於商業用途或是將本文方法制作的序號產生器任意傳播,造成後果,本人一概不負。
1、先用FI2.5看一下主檔案“32bc.exe”,沒加殼。程式是用VC++6.0編的
2、用W32Dasm8.93黃金版對32bc.exe進行靜態反彙編,再用串式資料參考,找到"Thank
you for registering "
雙擊來到下面程式碼段。
3、再用TRW20001.23註冊版進行動態跟蹤,下斷BPX
0040B3A8(通常在註冊成功與否的前面一些下斷,這樣,才能找到關鍵部分),
先輸入姓名:newlaos
假碼: 78787878
.......
.......
:0040B3A8
E870F70100 call 0042AB1D <===ECX=7(註冊名的長度)
EDX=newlaos EAX=1(說明輸入了註冊名)
:0040B3AD A144CE4400
mov eax, dword ptr [0044CE44]
:0040B3B2 6A01
push 00000001
:0040B3B4
683CA74400 push 0044A73C
:0040B3B9
50 push
eax
:0040B3BA E8B11A0000 call
0040CE70
:0040B3BF 83C40C
add esp, 0000000C
:0040B3C2 33DB
xor ebx, ebx
:0040B3C4 83F801
cmp eax, 00000001
:0040B3C7
746A je 0040B433
<===我跳
.......
此處略一段無關程式碼
.......
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040B3C7(C)
|
:0040B433 6A51
push 00000051 <===跳到這
:0040B435
68E8A64400 push 0044A6E8
*
Possible Reference to Dialog: DialogID_0093, CONTROL_ID:03F1, ""
|
:0040B43A 68F1030000
push 000003F1
:0040B43F B988A64400
mov ecx, 0044A688
:0040B444 E8D4F60100
call 0042AB1D
:0040B449 8B0D44CE4400
mov ecx, dword ptr [0044CE44]
:0040B44F
6A01 push
00000001
:0040B451 68E8A64400 push
0044A6E8
:0040B456 51
push ecx
:0040B457 E8A41A0000
call 0040CF00
:0040B45C 83C40C
add esp, 0000000C
:0040B45F 83F801
cmp eax, 00000001
:0040B462
746A je 0040B4CE
<===呵呵,我再跳
.......
此處略一段無關程式碼
.......
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040B462(C)
|
:0040B4CE 53
push ebx
<===跳到這
:0040B4CF 6A01
push 00000001
:0040B4D1 E8EAE6FFFF
call 00409BC0
:0040B4D6 83C408
add esp, 00000008
:0040B4D9
B908000000 mov ecx, 00000008
:0040B4DE
33C0 xor
eax, eax
:0040B4E0 BF90A74400 mov
edi, 0044A790
:0040B4E5 F3
repz
:0040B4E6 AB
stosd
:0040B4E7 6A20
push 00000020
:0040B4E9
6890A74400 push 0044A790
*
Possible Reference to Dialog: DialogID_0093, CONTROL_ID:03EF, ""
|
:0040B4EE 68EF030000
push 000003EF
:0040B4F3 B988A64400
mov ecx, 0044A688
:0040B4F8 E820F60100
call 0042AB1D <===EAX=8,這裡下命令S 0 FFFFFFFF
'78787878'發現它已經位於程式的資料區
:0040B4FD B940000000
mov ecx, 00000040
:0040B502 33C0
xor eax, eax
:0040B504 BF4CB54400
mov edi, 0044B54C
:0040B509 684CB54400
push 0044B54C
* Possible StringData Ref from Data Obj ->"32bit Convert It"
:0040B50E
6890DD4300 push 0043DD90
:0040B513
683CA74400 push 0044A73C
:0040B518
F3 repz
:0040B519 AB
stosd
:0040B51A E8D1E9FFFF
call 00409EF0 <===關鍵的CALL,F8跟進
:0040B51F 684CB54400
push 0044B54C
:0040B524 E887E9FFFF
call 00409EB0
:0040B529 6890A74400
push 0044A790
:0040B52E E87DE9FFFF
call 00409EB0
:0040B533 BF4CB54400
mov edi, 0044B54C <===呵呵,EDI=303533373D36真正的註冊碼)
:0040B538
83C9FF or ecx, FFFFFFFF
<===這裡就可以用KEYMAKE做記憶體序號產生器了
:0040B53B 33C0
xor eax, eax
:0040B53D 83C414
add esp, 00000014
:0040B540
F2 repnz
:0040B541
AE scasb
:0040B542
F7D1 not
ecx
:0040B544 49
dec ecx
:0040B545 BF4CB54400
mov edi, 0044B54C
:0040B54A BE90A74400
mov esi, 0044A790
:0040B54F 33D2
xor edx, edx
:0040B551 F3
repz
:0040B552
A6 cmpsb
:0040B553
0F85B2000000 jne 0040B60B
<===第一個關鍵跳轉,跳了就OVER
:0040B559 BF4CB54400
mov edi, 0044B54C
:0040B55E 83C9FF
or ecx, FFFFFFFF
:0040B561 F2
repnz
:0040B562
AE scasb
:0040B563
F7D1 not
ecx
:0040B565 49
dec ecx
:0040B566 BF90A74400
mov edi, 0044A790
:0040B56B 8BD1
mov edx, ecx
:0040B56D 83C9FF
or ecx, FFFFFFFF
:0040B570
F2 repnz
:0040B571
AE scasb
:0040B572
F7D1 not
ecx
:0040B574 49
dec ecx
:0040B575 3BCA
cmp ecx, edx
:0040B577 0F858E000000
jne 0040B60B <===第二個關鍵跳轉,跳了就OVER
:0040B57D
BF90A74400 mov edi, 0044A790
:0040B582
83C9FF or ecx, FFFFFFFF
:0040B585
F2 repnz
:0040B586
AE scasb
.......
此處略一段註冊資訊儲存程式碼
.......
*
Possible StringData Ref from Data Obj ->"32bit Convert It"
|
:0040B5C4 6890DD4300
push 0043DD90
*
Possible StringData Ref from Data Obj ->"Thank you for registering "
|
:0040B5C9 6818294400
push 00442918 <===感謝你的註冊(註冊成功)
*
Possible StringData Ref from Data Obj ->"%s%s!"
|
:0040B5CE 68443F4400
push 00443F44
:0040B5D3 684CAB4400
push 0044AB4C
:0040B5D8 E840C80000
call 00417E1D
:0040B5DD 83C410
add esp, 00000010
:0040B5E0 B988A64400
mov ecx, 0044A688
:0040B5E5
6A40 push
00000040
* Possible
StringData Ref from Data Obj ->"32bit Convert It"
|
:0040B5E7 6890DD4300
push 0043DD90
:0040B5EC 684CAB4400
push 0044AB4C
:0040B5F1 E8D6E30100
call 004299CC
:0040B5F6 B988A64400
mov ecx, 0044A688
:0040B5FB 891DF8CD4400
mov dword ptr [0044CDF8], ebx
:0040B601
E821C80100 call 00427E27
:0040B606
E9ED010000 jmp 0040B7F8
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040B553(C),
:0040B577(C) <===這裡可以看見有兩個關鍵跳轉
|
:0040B60B
6A0A push
0000000A
:0040B60D 6890A74400 push
0044A790
* Possible
Reference to Dialog: DialogID_0093, CONTROL_ID:03EF, ""
| <===exescope6.30看註冊資訊對話方塊時ID=148(十六進位制就是93)
:0040B612
68EF030000 push 000003EF
<===註冊資訊錯誤對話方塊
:0040B617 B988A64400
mov ecx, 0044A688
:0040B61C E8FCF40100
call 0042AB1D
:0040B621 6890A74400
push 0044A790
:0040B626 E865F4FFFF
call 0040AA90
:0040B62B 83C404
add esp, 00000004
:0040B62E
3BC3 cmp
eax, ebx
:0040B630 A348AB4400 mov
dword ptr [0044AB48], eax
:0040B635 0F8EA9010000
jle 0040B7E4
*
Possible StringData Ref from Data Obj ->"32BITCVT.INI"
|
:0040B63B 68A4DD4300
push 0043DDA4
:0040B640 6800080000
push 00000800
:0040B645 684CAB4400
push 0044AB4C
:0040B64A B900020000
mov ecx, 00000200
:0040B64F 33C0
xor eax, eax
:0040B651
BF4CAB4400 mov edi, 0044AB4C
:0040B656
684CAB4400 push 0044AB4C
---------------------------------------------------------------------------
:00409EF0
51 push
ecx
:00409EF1 53
push ebx
:00409EF2 8B54240C
mov edx, dword ptr [esp+0C]
:00409EF6 55
push ebp
:00409EF7
56 push
esi
:00409EF8 57
push edi
:00409EF9 B900020000
mov ecx, 00000200
:00409EFE 33C0
xor eax, eax
:00409F00 BF4CAB4400
mov edi, 0044AB4C
:00409F05 33DB
xor ebx, ebx
:00409F07
33F6 xor
esi, esi
:00409F09 F3
repz
:00409F0A AB
stosd
:00409F0B 89742410
mov dword ptr [esp+10], esi
:00409F0F BF4CAB4400
mov edi, 0044AB4C
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409FAA(C)
.......
.......
此處略一段程式碼主要功能是查詢註冊名是不是用非常用字元,例:~!@#$%^&*()_+|}{"":
等
.......
.......
:00409FA6 89742410
mov dword ptr [esp+10], esi
:00409FAA 0F8C64FFFFFF
jl 00409F14
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409F9F(C)
|
:00409FB0
B914000000 mov ecx, 00000014
:00409FB5
33C0 xor
eax, eax
:00409FB7 8BFA
mov edi, edx
:00409FB9 684CAB4400
push 0044AB4C
:00409FBE F3
repz
:00409FBF AB
stosd
:00409FC0
BF4CAB4400 mov edi, 0044AB4C
:00409FC5
83C9FF or ecx, FFFFFFFF
:00409FC8
F2 repnz
:00409FC9
AE scasb
:00409FCA
F7D1 not
ecx
:00409FCC 2BF9
sub edi, ecx
:00409FCE 8BC1
mov eax, ecx
:00409FD0 8BF7
mov esi, edi
:00409FD2
8BFA mov
edi, edx
:00409FD4 C1E902
shr ecx, 02
:00409FD7 F3
repz
:00409FD8 A5
movsd
:00409FD9 8BC8
mov ecx, eax
:00409FDB
83E103 and ecx,
00000003
:00409FDE F3
repz
:00409FDF A4
movsb
:00409FE0 E8E2EB0000
call 00418BC7
:00409FE5 8D4C2414
lea ecx, dword ptr [esp+14]
:00409FE9
8D54241C lea edx, dword
ptr [esp+1C]
:00409FED 51
push ecx
:00409FEE 52
push edx
:00409FEF 895C2424
mov dword ptr [esp+24],
ebx
:00409FF3 C744241C01000000 mov [esp+1C], 00000001
:00409FFB
E880010000 call 0040A180
:0040A000
8B7C2428 mov edi, dword
ptr [esp+28]
:0040A004 83C9FF
or ecx, FFFFFFFF
:0040A007 33C0
xor eax, eax
:0040A009 83C40C
add esp, 0000000C
:0040A00C
F2 repnz
:0040A00D
AE scasb
:0040A00E
F7D1 not
ecx
:0040A010 2BF9
sub edi, ecx
:0040A012 8BF7
mov esi, edi
:0040A014 8BD1
mov edx, ecx
:0040A016
BF4CAB4400 mov edi, 0044AB4C
:0040A01B
83C9FF or ecx, FFFFFFFF
:0040A01E
F2 repnz
:0040A01F
AE scasb
:0040A020
8BCA mov
ecx, edx
:0040A022 4F
dec edi
:0040A023 C1E902
shr ecx, 02
:0040A026 F3
repz
:0040A027 A5
movsd
:0040A028
8BCA mov
ecx, edx
:0040A02A 8B542418
mov edx, dword ptr [esp+18]
:0040A02E 83E103
and ecx, 00000003
:0040A031 F3
repz
:0040A032
A4 movsb
:0040A033
8A0D4CAB4400 mov cl, byte ptr [0044AB4C]
<===你會發現[0044AB4C]位置上,輸入的註冊名已經和"32bit convert
it"合在一起了
:0040A039 33F6
xor esi, esi
:0040A03B 3ACB
cmp cl, bl
:0040A03D 89742410
mov dword ptr [esp+10], esi
:0040A041
7431 je 0040A074
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A06A(C)
<===從這裡開始迴圈結構
|
:0040A043 8BC1
mov eax, ecx
:0040A045
25FF000000 and eax, 000000FF
:0040A04A
8D3CC0 lea edi,
dword ptr [eax+8*eax]
:0040A04D 03C6
add eax, esi
:0040A04F 8D0478
lea eax, dword ptr [eax+2*edi]
:0040A052
03D0 add
edx, eax
:0040A054 80F960
cmp cl, 60
:0040A057 7305
jnb 0040A05E
:0040A059 83C215
add edx, 00000015
:0040A05C EB03
jmp 0040A061
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A057(C)
|
:0040A05E
83EA15 sub edx,
00000015
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040A05C(U)
|
:0040A061
8A8E4DAB4400 mov cl, byte ptr [esi+0044AB4D]
:0040A067
46 inc
esi
:0040A068 3ACB
cmp cl, bl
:0040A06A 75D7
jne 0040A043
<===這一迴圈結構,對"newlaos32bit convert it",進行初步計算
:0040A06C
89742410 mov dword ptr
[esp+10], esi <===這個為整個字串的長度17(十進位制23個)
:0040A070 89542418
mov dword ptr [esp+18], edx <===這裡上一迴圈計算出的結果(A213)
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A041(C)
|
:0040A074
B980000000 mov ecx, 00000080
:0040A079
33C0 xor
eax, eax
:0040A07B BF4CB34400 mov
edi, 0044B34C
:0040A080 52
push edx
*
Possible StringData Ref from Data Obj ->"%06lu"
|
:0040A081 6854394400
push 00443954
:0040A086 684CB34400
push 0044B34C
:0040A08B F3
repz
:0040A08C AB
stosd
:0040A08D
E88BDD0000 call 00417E1D <===這裡算出第一步的計算結果041491
*
Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:0040A092
8B2DC8314300 mov ebp, dword ptr [004331C8]
:0040A098
83C40C add esp,
0000000C
:0040A09B B900020000 mov
ecx, 00000200
:0040A0A0 33C0
xor eax, eax
:0040A0A2 BF4CAB4400
mov edi, 0044AB4C
:0040A0A7 684CB34400
push 0044B34C
:0040A0AC F3
repz
:0040A0AD
AB stosd
:0040A0AE
895C2414 mov dword ptr
[esp+14], ebx
:0040A0B2 FFD5
call ebp
:0040A0B4 8B4C2410
mov ecx, dword ptr [esp+10]
:0040A0B8 3BC8
cmp ecx, eax
:0040A0BA
7D37 jge
0040A0F3
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040A0F1(C)
<===從這裡開始迴圈結構
|
:0040A0BC 0FBE914CB34400
movsx edx, byte ptr [ecx+0044B34C] <===依次取出041491的每個值的ASC碼值
:0040A0C3
03D1 add
edx, ecx
:0040A0C5 8D044D4CAB4400 lea eax,
dword ptr [2*ecx+0044AB4C]
:0040A0CC 52
push edx
*
Possible StringData Ref from Data Obj ->"%02X"
|
:0040A0CD 684C394400
push 0044394C
:0040A0D2 50
push eax
:0040A0D3 E845DD0000
call 00417E1D <===每經過一次,計算出兩位註冊碼
:0040A0D8
8B7C241C mov edi, dword
ptr [esp+1C]
:0040A0DC 83C40C
add esp, 0000000C
:0040A0DF 47
inc edi
:0040A0E0 684CB34400
push 0044B34C
:0040A0E5 897C2414
mov dword ptr [esp+14], edi
:0040A0E9
FFD5 call
ebp
:0040A0EB 8B4C2410 mov
ecx, dword ptr [esp+10]
:0040A0EF 3BC8
cmp ecx, eax <===迴圈6次
:0040A0F1 7CC9
jl 0040A0BC
<===這個迴圈結構就算出最後的註冊碼
.......
.......
此處省略一段程式碼,與演算法無關
.......
.......
:0040A16D
F3 repz
:0040A16E
A4 movsb
:0040A16F
5F pop
edi
:0040A170 5E
pop esi
:0040A171 5D
pop ebp
:0040A172 5B
pop ebx
:0040A173 59
pop
ecx
:0040A174 C3
ret
------------------------------------------
:00417E1D
55 push
ebp
:00417E1E 8BEC
mov ebp, esp
:00417E20 83EC20
sub esp, 00000020
:00417E23 8B4508
mov eax, dword ptr [ebp+08]
:00417E26
56 push
esi
:00417E27 8945E8
mov dword ptr [ebp-18], eax
:00417E2A 8945E0
mov dword ptr [ebp-20], eax
:00417E2D 8D4510
lea eax, dword ptr
[ebp+10]
:00417E30 C745EC42000000 mov [ebp-14],
00000042
:00417E37 50
push eax
:00417E38 8D45E0
lea eax, dword ptr [ebp-20]
:00417E3B FF750C
push [ebp+0C]
:00417E3E
C745E4FFFFFF7F mov [ebp-1C], 7FFFFFFF
:00417E45
50 push
eax
:00417E46 E8004E0000 call
0041CC4B <===這裡就已經算出我們所要的值了,F8跟進(不用進去了,天大一串,呵呵)
:00417E4B 83C40C
add esp, 0000000C
:00417E4E
FF4DE4 dec [ebp-1C]
:00417E51
8BF0 mov
esi, eax
:00417E53 7808
js 00417E5D
:00417E55 8B45E0
mov eax, dword ptr [ebp-20]
:00417E58 802000
and byte ptr [eax], 00
:00417E5B
EB0D jmp
00417E6A
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00417E53(C)
|
:00417E5D
8D45E0 lea eax,
dword ptr [ebp-20]
:00417E60 50
push eax
:00417E61 6A00
push 00000000
:00417E63 E8CB4C0000
call 0041CB33
:00417E68 59
pop
ecx
:00417E69 59
pop ecx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417E5B(U)
|
:00417E6A
8BC6 mov
eax, esi
:00417E6C 5E
pop esi
:00417E6D C9
leave
:00417E6E C3
ret
---------------------------------------------------------------------
4、用KEYMAKE
1.73製作記憶體序號產生器
一、選擇F8 → 另類序號產生器!
程式名稱:32bc.exe
新增資料:
中斷地址:0040B538
中斷次數:1
第一位元組:83
指令長度:3
儲存下列資訊為註冊碼
→ 記憶體方式 → 暫存器 → EDI
二、選擇記憶體方式:記憶體地址 → 0044B54C → 點生成,就有你樂的了
5、我的註冊資訊儲存在32bitcvt.ini檔案裡:
我的註冊資訊:
NAME:newlaos[CCG]
CODE:30353935353E
EMAIL:newlaos@km169.net
相關文章
- 快捷反垃圾郵件破解手記--找出註冊碼2015-11-15
- i-view32註冊碼的破解手記 (778字)2001-02-03View
- SMailserver2.5註冊碼的破解手記 (1千字)2001-03-01AIServer
- 奇門遁甲演義V6.3破解手記--註冊碼演算法分析2015-11-15演算法
- Emeditor 註冊碼2017-08-14
- WebStorm註冊碼2014-04-29WebORM
- 超級魔法兔子設定
V4.0破 解(得到完全註冊碼)2002-01-14
- PhpStorm註冊碼2020-04-07PHPORM
- Navicat for MySQL註冊碼2020-04-07MySql
- SecureCRT 7 註冊碼2016-09-02Securecrt
- 已找到NMI's Java Code Viewer 4.8.2的註冊碼,內詳
(3千字)2000-06-07JavaView
- 註冊中心 Eureka 原始碼解析 —— 應用例項註冊發現(一)之註冊2019-03-03原始碼
- Viscosity for Mac 註冊碼:2019-09-19Mac
- PLSQL Developer 12 註冊碼2018-06-07SQLDeveloper
- PLSQL Developer 9.0註冊碼2013-01-22SQLDeveloper
- sublime text for Mac註冊啟用 sublime text4註冊碼2023-10-11Mac
- Instant Source 註冊演算法分析+註冊器原始碼2015-11-15演算法原始碼
- wing ftp server 註冊碼2020-11-23FTPServer
- phpstrom 註冊碼獲取2018-05-23PHP
- IntelliJ IDEA 註冊碼2017-05-05IntelliJIdea
- Pycharm安裝破解 註冊碼2017-06-25PyCharm
- Myeclipse10註冊碼2014-05-20Eclipse
- myeclipse獲取註冊碼2011-12-07Eclipse
- Theme Builder註冊碼分析2015-11-15UI
- Bannershop 4.5破解手記2015-11-15
- Navicat for MySQL 11註冊碼\啟用碼2019-02-11MySql
- 記一次中斷註冊2024-03-17
- 今天好多人 phpstrom 編譯器註冊碼失效了,最新可用註冊碼2019-12-24PHP編譯
- 找尋3DMark2001se的註冊碼,第一篇破文!2003-06-293D
- 申請加入CNCG破文-小李登錄檔大師D註冊碼法 (2千字)2001-11-07
- GetSmart暴力破解手記-----有誰願意寫追註冊碼和序號產生器!下載http://sffs.6to23.com
(6千字)2001-02-07HTTP
- nacos註冊中心原始碼流程分析2020-12-23原始碼
- IntelliJ IDEA 14 註冊碼2017-04-09IntelliJIdea
- pycharm 2016.3.2註冊碼2017-05-15PyCharm
- Pycharm 2016註冊碼2017-11-22PyCharm
- PLSQL Developer V9 註冊碼2013-03-22SQLDeveloper
- 動態註冊和靜態註冊2018-05-21
- 靜態註冊和動態註冊2013-11-27