Auto-saving the real registration code: FreeCell Tool V2.1

Posted by 看雪資料 on 2015-11-15

Download page:  http://notabdc.vip.sina.com/CnSoft/freecelltool.zip  
Software size:  316 KB


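【Software description】: Solves any FreeCell game. It reads the deal automatically, plays automatically, and runs in batch mode; it handles all of these well.

【Software restriction】: feature-limited

【Author's statement】: I am new to cracking and do this only out of interest, with no other purpose. Please point out any mistakes!

【Tools used】: TRW2000 (娃娃 modified edition), Ollydbg1.09, PEiD, W32Dasm 9.0 Platinum edition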

――――――――――――――――――――――――――――――――― 
【Process】:
          
          

FreecellTool.exe is not packed. It is written in Visual C++ 6.0.

Info code: 401012
User name: fly
Trial code: 13572468
―――――――――――――――――――――――――――――――――
:004063CD E88E080000              call 00406C60
                                  ====>Check whether already registered?

:004063D2 8A86C1000000            mov al, byte ptr [esi+000000C1]
                                  ====>[esi+000000C1]=1 means already registered

:004063D8 C784240001000000000000  mov dword ptr [esp+00000100], 00000000
:004063E3 84C0                    test al, al
:004063E5 88442470                mov byte ptr [esp+70], al
:004063E9 89AC24F0000000          mov dword ptr [esp+000000F0], ebp
:004063F0 745B                    je 0040644D

* Possible StringData Ref from Data Obj ->"UnknownUser"
                                  |
:004063F2 68CC414500              push 004541CC

* Possible StringData Ref from Data Obj ->"UserName"
                                  |
:004063F7 68B0414500              push 004541B0
:004063FC 8D442414                lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:00406400 6858414500              push 00454158
:00406405 50                      push eax
:00406406 8BCE                    mov ecx, esi
:00406408 E89DB10300              call 004415AA
:0040640D 50                      push eax
:0040640E 8D8C24F0000000          lea ecx, dword ptr [esp+000000F0]
:00406415 C684240401000001        mov byte ptr [esp+00000104], 01
:0040641D E863F50200              call 00435985
:00406422 8D4C240C                lea ecx, dword ptr [esp+0C]
:00406426 C684240001000000        mov byte ptr [esp+00000100], 00
:0040642E E865F40200              call 00435898
:00406433 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"RegisterCode"
                                  |
:00406435 68BC414500              push 004541BC

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:0040643A 6858414500              push 00454158
:0040643F 8BCE                    mov ecx, esi
:00406441 E8F8B00300              call 0044153E
:00406446 898424F4000000          mov dword ptr [esp+000000F4], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063F0(C)
|
:0040644D 8D4C2414                lea ecx, dword ptr [esp+14]
:00406451 E8FFB50200              call 00431A55
                                  ====>Show the registration dialog

:00406456 83F801                  cmp eax, 00000001
:00406459 0F85C1000000            jne 00406520
                                  ====>Was registration information entered?

:0040645F 8A86C1000000            mov al, byte ptr [esi+000000C1]
:00406465 84C0                    test al, al
:00406467 0F85B3000000            jne 00406520
:0040646D 8D8C24EC000000          lea ecx, dword ptr [esp+000000EC]
:00406474 51                      push ecx
:00406475 8D4C2410                lea ecx, dword ptr [esp+10]
:00406479 E88FF10200              call 0043560D
:0040647E 8BBC24F4000000          mov edi, dword ptr [esp+000000F4]
                                  ====>EDI=00CF1974                hexadecimal value of the trial code

:00406485 51                      push ecx
:00406486 8D542410                lea edx, dword ptr [esp+10]
:0040648A 8BCC                    mov ecx, esp
:0040648C 89642414                mov dword ptr [esp+14], esp
:00406490 52                      push edx
:00406491 C684240801000002        mov byte ptr [esp+00000108], 02
:00406499 E86FF10200              call 0043560D
:0040649E 55                      push ebp
:0040649F E83CF9FFFF              call 00405DE0
                                  ====>The algorithm CALL!

:004064A4 83C408                  add esp, 00000008
:004064A7 3BC7                    cmp eax, edi
                                  ====>EAX=F08417C0(H)=4035188672(D)  registration code
                                  ====>EDI=00CF1974(H)=13572468(D)    trial code

:004064A9 7564                    jne 0040650F
                                  ====>If this jumps, it is OVER!

:004064AB 6A00                    push 00000000
:004064AD 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"註冊成功!"
                                  |
:004064AF 688C424500              push 0045428C
:004064B4 E8E1200300              call 0043859A
                                  ====>Heh, the goddess of victory!

:004064B9 8B44240C                mov eax, dword ptr [esp+0C]
:004064BD 8BCE                    mov ecx, esi
:004064BF 50                      push eax

* Possible StringData Ref from Data Obj ->"UserName"
                                  |
:004064C0 68B0414500              push 004541B0

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:004064C5 6858414500              push 00454158
:004064CA E879220300              call 00438748
:004064CF 57                      push edi
                                  ====>Saves the registration code. Heh, this is the place to work out how to save the registration code automatically

* Possible StringData Ref from Data Obj ->"RegisterCode"
                                  |
:004064D0 68BC414500              push 004541BC

* Possible StringData Ref from Data Obj ->"Options"
                                  |
:004064D5 6858414500              push 00454158
:004064DA 8BCE                    mov ecx, esi
:004064DC E8F2210300              call 004386D3
                                  ====>Save the registration information!


 
――――――――――――――――――――――――――――――――― 
Entering the algorithm CALL: 0040649F  call 00405DE0



* Referenced by a CALL at Addresses:
|:0040612C   , :0040649F   
|
:00405DE0 8B442408                mov eax, dword ptr [esp+08]
                                  ====>EAX=fly               user name

:00405DE4 56                      push esi
:00405DE5 57                      push edi
:00405DE6 33FF                    xor edi, edi
:00405DE8 8B48F8                  mov ecx, dword ptr [eax-08]
:00405DEB BE31D40000              mov esi, 0000D431
                                  ====>ESI=0000D431

:00405DF0 85C9                    test ecx, ecx
:00405DF2 7E34                    jle 00405E28

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E26(C)
|
:00405DF4 0FBE0407                movsx eax, byte ptr [edi+eax]
                                  ====>Takes the HEX value of each character of the user name fly in turn

:00405DF8 3535211414              xor eax, 14142135
                            ①、  ====>EAX=66 XOR 14142135=14142153
                            ... omitted ...

:00405DFD 50                      push eax
:00405DFE E8E1AB0000              call 004109E4
:00405E03 83C404                  add esp, 00000004
:00405E06 E8E6AB0000              call 004109F1
                                  ====>Processes the above result again
                                ( *000343FD+00269EC3)SHR 10  AND 00007FFF

:00405E0B 8BCE                    mov ecx, esi
:00405E0D C1E910                  shr ecx, 10
                            ①、  ====>ESI=ECX=0000D431 SHR 10=0

:00405E10 C1E610                  shl esi, 10
                                  ====>ESI=0000D431 SHL 10=D4310000

:00405E13 0BCE                    or ecx, esi
                                  ====>ECX=0 OR D4310000=D4310000 

:00405E15 03C1                    add eax, ecx
                            ①、  ====>EAX=000000BD + D4310000=D43100BD
                            ... omitted ...

:00405E17 3528181827              xor eax, 27181828
                            ①、  ====>EAX=D43100BD XOR 27181828=F3291895
                            ... omitted ...
                            ③、  ====>EAX=CCC9581B

:00405E1C 47                      inc edi
:00405E1D 8BF0                    mov esi, eax
:00405E1F 8B442410                mov eax, dword ptr [esp+10]
:00405E23 3B78F8                  cmp edi, dword ptr [eax-08]
:00405E26 7CCC                    jl 00405DF4
                                  ====>Loops once per character of the user name

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405DF2(C)
|
:00405E28 6815CD5B07              push 075BCD15
:00405E2D E8B2AB0000              call 004109E4
:00405E32 83C404                  add esp, 00000004

* Possible Reference to Dialog: DialogID_0064 
                                  |

* Possible Reference to Dialog: DialogID_7801, CONTROL_ID:0064, ""
                                  |
:00405E35 BF64000000              mov edi, 00000064

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E53(C)
|
:00405E3A E8B2AB0000              call 004109F1
:00405E3F 8BD6                    mov edx, esi
:00405E41 C1EA10                  shr edx, 10
                            ①、  ====>EDX=CCC9581B SHR 10=0000CCC9
                            ... omitted ...

:00405E44 C1E610                  shl esi, 10
                            ①、  ====>ESI=CCC9581B SHL 10=581B0000
                            ... omitted ...

:00405E47 0BD6                    or edx, esi
                            ①、  ====>EDX=0000CCC9 OR 581B0000=581BCCC9
                            ... omitted ...

:00405E49 03C2                    add eax, edx
                            ①、  ====>EAX=000033CB + 581BCCC9=581C0094
                            ... omitted ...

:00405E4B 3508053217              xor eax, 17320508
                            ①、  ====>EAX=581C0094 XOR 17320508=4F2E059C
                            ... omitted ...

:00405E50 4F                      dec edi
:00405E51 8BF0                    mov esi, eax
:00405E53 75E5                    jne 00405E3A
                                  ====>Loops 100 times  EAX=F08417C0

:00405E55 8D4C2410                lea ecx, dword ptr [esp+10]
:00405E59 E83AFA0200              call 00435898
:00405E5E 8BC6                    mov eax, esi
                                  ====>EAX=F08417C0

:00405E60 5F                      pop edi
:00405E61 5E                      pop esi
:00405E62 C3                      ret


――――――――――――――――――――――――――――――――― 
Entering: 00405E06  call 004109F1


* Referenced by a CALL at Addresses:
|:00404F45   , :00404F51   , :00405E06   , :00405E3A   , :00408899   
|:0040B6D5   
|
:004109F1 E8BD390000              call 004143B3
:004109F6 8B4814                  mov ecx, dword ptr [eax+14]
:004109F9 69C9FD430300            imul ecx, 000343FD
                            ①、  ====>ECX=14142153 * 000343FD=8096A807

:004109FF 81C1C39E2600            add ecx, 00269EC3
                            ①、  ====>ECX=8096A807 + 00269EC3=80BD46CA

:00410A05 894814                  mov dword ptr [eax+14], ecx
:00410A08 8BC1                    mov eax, ecx
:00410A0A C1E810                  shr eax, 10
                            ①、  ====>EAX=80BD46CA SHR 10=000080BD

:00410A0D 25FF7F0000              and eax, 00007FFF
                            ①、  ====>EAX=000080BD AND 00007FFF=000000BD

:00410A12 C3                      ret
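
The routine at 004109F1 and the shr/shl/or triples in 00405DE0 are two recognisable idioms. The C below is an added example, not code from the original post or from the program, that restates them and checks them against the register values annotated in the listings. The function names are hypothetical, and reading the constants 000343FD / 00269EC3 as those of the Microsoft C runtime's rand() is an inference from the listing, not something the post states.

```c
#include <stdint.h>
#include <stdio.h>

/* One step of the generator at 004109F1:
   state = state * 0x343FD + 0x269EC3 (mod 2^32), output = (state >> 16) & 0x7FFF.
   `state` models the dword the routine keeps at [eax+14]. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 0x000343FDu + 0x00269EC3u;   /* imul ecx / add ecx */
    return (*state >> 16) & 0x7FFFu;               /* shr eax,10 / and eax,7FFF */
}

/* shr reg,10 + shl reg,10 + or: a 32-bit rotate by 16 (the two halves swap). */
static uint32_t rot16(uint32_t v)
{
    return (v >> 16) | (v << 16);
}

/* One annotated round: generator output plus the rotated accumulator,
   XORed with the constant that appears in the listing for that loop. */
static uint32_t mix(uint32_t rnd, uint32_t acc, uint32_t xor_const)
{
    return (rnd + rot16(acc)) ^ xor_const;
}

int main(void)
{
    uint32_t state = 0x14142153u;            /* value annotated at 00405DF8 */
    uint32_t rnd = lcg_next(&state);

    printf("state=%08X rnd=%08X\n", (unsigned)state, (unsigned)rnd);
    printf("rot16(0000D431)=%08X\n", (unsigned)rot16(0x0000D431u));
    printf("round=%08X\n", (unsigned)mix(rnd, 0x0000D431u, 0x27181828u));
    return 0;
}
```

Every input to these steps is either a fixed constant or derived from the user name, so the expected code is fully determined inside the client; that is why it sits in EAX at 004064A7 next to the user's entry in EDI.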



―――――――――――――――――――――――――――――――――
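【Algorithm summary】:


A simple computation is performed on the user name, and a 100-iteration loop then produces the registration code.
The algorithm is tedious; the only reason for writing this up is to describe, below, how to make the program save the real registration code automatically.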

――――――――――――――――――――――――――――――――― 
【Auto-saving the real code】:


:004064A7 3BC7                    cmp eax, edi
:004064A9 7564                    jne 0040650F
  
Change the code above to:

:004064A7 8BF8                    mov edi, eax //move the real registration code into EDI
:004064A9 90                                  //NOP out this jump
:004064AA 90 

:004064CF 57                      push edi    //it is saved automatically here


――――――――――――――――――――――――――――――――― 
【KeyMake {109th} memory keygen】:


Breakpoint address: 004064A7
Break count: 1
First byte: 3B
Instruction length: 2

Register mode: EDI             
Decimal value

――――――――――――――――――――――――――――――――― 
【Where the registration information is stored】:


REGEDIT4

[HKEY_CURRENT_USER\Software\GeYong Software\空當接龍工具\Options]

"UserName"="fly"
"RegisterCode"=dword:f08417c0

――――――――――――――――――――――――――――――――― 
【Summary】:


Info code: 401012
User name: fly
Registration code: 4035188672

―――――――――――――――――――――――――――――――――
    
                                
         ,     _/ 
        /| _.-~/            _     ,        Youth lasts but a moment
       ( /~   /              ~-._ |
       `\  _/                   ~ )          I gladly trade hollow fame
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        for the reckless joy of cracking
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

                    Cracked By 巢水工作坊――fly [OCN][FCG]

                           2003-09-06  14:00
