彩票分析家 "樂透之王" V3.0 (Lottery Analyst "King of Lotto" V3.0)
Not packed; a VC++ 6.0 build. After disassembling, search the string references and you arrive at the following:
* Reference To: MFC42.Ordinal:181C, Ord:181Ch
|
:00430F72 E8BF100400 Call 00472036
:00430F77 8B8690020000 mov eax, dword ptr [esi+00000290]
:00430F7D 8B8094B10200 mov eax, dword ptr [eax+0002B194]
:00430F83 83F81E cmp eax, 0000001E
:00430F86 0F8E8A000000 jle 00431016--------------------------->jump taken means the trial period is not over yet (1)
* Possible StringData Ref from Data Obj ->"試用期已完," ("the trial period has ended,")
|
:00430F8C 68D0004A00 push 004A00D0
:00430F91 8D4C2414 lea ecx, dword ptr [esp+14]
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:00430F95 E87A0E0400 Call 00471E14
:00430F9A 8B442410 mov eax, dword ptr [esp+10]
:00430F9E 8B542434 mov edx, dword ptr [esp+34]
:00430FA2 C68424A800000006 mov byte ptr [esp+000000A8], 06
:00430FAA 8B48F8 mov ecx, dword ptr [eax-08]
:00430FAD 51 push ecx
:00430FAE 50 push eax
:00430FAF 68D2000000 push 000000D2
:00430FB4 6868010000 push 00000168
:00430FB9 8D4C2444 lea ecx, dword ptr [esp+44]
:00430FBD FF5264 call [edx+64]
:00430FC0 8D4C2410 lea ecx, dword ptr [esp+10]
:00430FC4 889C24A8000000 mov byte ptr [esp+000000A8], bl
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00430FCB E8BA0D0400 Call 00471D8A
* Possible StringData Ref from Data Obj ->"如要繼續使用您請註冊!" ("to keep using it, please register!")
|
:00430FD0 68B8004A00 push 004A00B8
:00430FD5 8D4C2414 lea ecx, dword ptr [esp+14]
****************************************************************
Once (1) above is changed (the usual way is to turn the jle into an unconditional jump: patching the two opcode bytes 0F 8E to 90 E9 leaves the 32-bit displacement in place, so the nop plus jmp still ends at 00430F8C and still lands on 00431016), the program can be used indefinitely, but a nag box pops up on every run, which is annoying. The check itself compares the value at [eax+2B194] with 0x1E (30), apparently a usage or day counter. Further tracing showed that the registration code is compared in plaintext; the comparison site is as follows:
* Possible StringData Ref from Data Obj ->"CPFXJLTZW"
|
:00465347 68341C4A00 push 004A1C34
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:0046534C E8C3CA0000 Call 00471E14
:00465351 51 push ecx
:00465352 8D542428 lea edx, dword ptr [esp+28]
:00465356 8BCC mov ecx, esp
:00465358 89642444 mov dword ptr [esp+44], esp
:0046535C 52 push edx
:0046535D C68424FC0100000A mov byte ptr [esp+000001FC], 0A
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00465365 E832CA0000 Call 00471D9C----------------------->fetches the machine code, kept on the stack
:0046536A 53 push ebx
:0046536B 8D4C244C lea ecx, dword ptr [esp+4C]
:0046536F C68424FC01000006 mov byte ptr [esp+000001FC], 06
:00465377 E804B1FFFF call 00460480
:0046537C 8D442438 lea eax, dword ptr [esp+38]
:00465380 8D4C2440 lea ecx, dword ptr [esp+40]
:00465384 50 push eax
:00465385 E876ACFFFF call 00460000------------------------>generates the real registration code; worth studying closely if you want to write a keygen
:0046538A 8B4C241C mov ecx, dword ptr [esp+1C]---------->entered (fake) registration code
:0046538E 8B3F mov edi, dword ptr [edi]------------->real registration code
:00465390 51 push ecx-----------------------------
:00465391 57 push edi-----------------------------/push the real and the entered code
:00465392 C68424F00100000B mov byte ptr [esp+000001F0], 0B
* Reference To: MSVCRT._mbscmp, Ord:0159h------------------------------>call the compare function
|
:0046539A FF15507D4800 Call dword ptr [00487D50]
:004653A0 83C408 add esp, 00000008
:004653A3 85C0 test eax, eax-------------------------->result is in EAX (0 means the strings match)
:004653A5 741E je 004653C5---------------------------->jump taken means the code is correct
:004653A7 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"註冊" ("Register")
|
:004653A9 68D81C4A00 push 004A1CD8
* Possible StringData Ref from Data Obj ->"註冊碼輸入錯誤, 請重新註冊 !" ("registration code entered incorrectly, please register again!")
|
:004653AE 68141C4A00 push 004A1C14-------------------------->(2)
:004653B3 8BCE mov ecx, esi
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004653B5 E8FCCA0000 Call 00471EB6
:004653BA FF86C8000000 inc dword ptr [esi+000000C8]
:004653C0 E9B3000000 jmp 00465478
Because the comparison is in plaintext and the generation routine is too involved to reverse quickly, a beginner may as well make a self-registering build instead of a keygen. (2) above pushes the text for the error dialog; we make the dialog print the real registration code instead. The real code is still in edi after the comparison (seen by tracing in the debugger; _mbscmp is cdecl and does not clobber edi), so change (2) from push 004A1C14 (68 14 1C 4A 00) to push edi (57) and overwrite the remaining four bytes with 90 (nop) so the instruction stream keeps its 5-byte length. Save, and done: the "wrong code" dialog now shows the real code for this machine.
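As an added example (not from the original write-up), the following Python patcher applies both changes, (1) jle to jmp and (2) push of the error text to push edi. Rather than converting the virtual addresses to file offsets by hand, it matches the original instruction bytes shown in the listing and refuses to write if a signature is missing or occurs more than once, so the wrong bytes are never touched. The target file path is a placeholder, and SAMPLE_IMAGE is a stand-in built from the bytes in the listing, not the real executable.

```python
"""
Apply the two byte patches from the write-up above by matching the original
instruction bytes instead of trusting a guessed file offset.

Added example; not part of the original write-up. The target path is a
placeholder and SAMPLE_IMAGE is constructed from the listing's bytes.
"""
import sys

# Site (1): 83 F8 1E / 0F 8E 8A 00 00 00   cmp eax,1E ; jle 00431016
#        -> 83 F8 1E / 90 E9 8A 00 00 00   cmp eax,1E ; nop ; jmp 00431016
# jle rel32 is 6 bytes and jmp rel32 is 5, so a leading nop keeps the rel32
# at the same address; the jump still ends at 00430F8C and lands on 00431016.
PATCH_TRIAL = (
    bytes.fromhex("83F81E" "0F8E8A000000"),
    bytes.fromhex("83F81E" "90E98A000000"),
)

# Site (2): 68 D8 1C 4A 00 / 68 14 1C 4A 00  push 004A1CD8 ; push 004A1C14
#        -> 68 D8 1C 4A 00 / 57 90 90 90 90  push 004A1CD8 ; push edi ; 4*nop
# edi still points at the real code after _mbscmp (cdecl, edi is callee-saved),
# so the "wrong code" dialog now shows it. Same length, so nothing shifts.
PATCH_MSGBOX = (
    bytes.fromhex("68D81C4A00" "68141C4A00"),
    bytes.fromhex("68D81C4A00" "5790909090"),
)


def apply_patch(data: bytes, patch: tuple) -> bytes:
    """Replace exactly one occurrence of old with new (same length).

    Raises ValueError if the signature is absent or not unique, so a patch
    is never applied to the wrong place.
    """
    old, new = patch
    if len(old) != len(new):
        raise ValueError("replacement must keep the instruction stream length")
    first = data.find(old)
    if first < 0:
        raise ValueError(f"signature {old.hex()} not found")
    if data.find(old, first + 1) >= 0:
        raise ValueError(f"signature {old.hex()} occurs more than once")
    return data[:first] + new + data[first + len(old):]


def patch_image(data: bytes) -> bytes:
    """Apply both patches; an exception from either means nothing is written."""
    for patch in (PATCH_TRIAL, PATCH_MSGBOX):
        data = apply_patch(data, patch)
    return data


# Constructed stand-in: the two code fragments from the listing surrounded by
# filler, so the script can be exercised without the real binary.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + bytes.fromhex("8B8094B10200" "83F81E" "0F8E8A000000" "68D0004A00")
    + b"\xCC" * 16
    + bytes.fromhex("6A10" "68D81C4A00" "68141C4A00" "8BCE")
    + b"\x00" * 16
)


def main(argv):
    if len(argv) < 2:
        out = patch_image(SAMPLE_IMAGE)
        changed = [i for i, (a, b) in enumerate(zip(SAMPLE_IMAGE, out)) if a != b]
        print("sample image patched; byte offsets changed:", changed)
        return
    path = argv[1]  # placeholder: path to the unpacked target executable
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".patched", "wb") as f:
        f.write(patch_image(data))
    print("wrote", path + ".patched")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python patch.py <target.exe>`; it writes `<target.exe>.patched` beside the original so the unpatched copy is kept. If the signatures are found more than once, the script stops rather than guessing; in that case extend the signature with more of the surrounding bytes from the listing.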