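A Beginner Learns Algorithm Cracking: PGWARE PCBoost 3.8.7.2006
【Target】PGWARE PCBoost 3.8.7.2006
【Download】http://www.newhua.com/soft/2295.htm
【Category】Foreign software / shareware / system settings
【Platform】Win9x/Me/NT/2000/XP/2003
【Protection】PECompact 2.x + Name + Serial
【Author's note】This is just a hobby to pass my spare time; I would be grateful if more experienced members pointed out any mistakes.
【Tools】OllyDBG, PEiD
【About the software】Helps you with automatic system acceleration, private file protection, and manual adjustment of individual settings, including optimization of the desktop, Start menu, network, hardware, optical drive, memory, and shutdown.
I. Cracking process
PEiD check: PECompact 2.x -> Jeremy Collake
Using the ESP law, it unpacks without trouble.
PEiD check after unpacking: Borland Delphi 6.0 - 7.0
In the Ultra String Reference results, find: text string = \software\pgware\pcboost, then find the calls to that subroutine,
set a breakpoint at 0048D497, press F9, one exception occurs, then Shift+F9.
Enter Name: wzwgp  Serial: 12345678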
0048D497 .51 PUSH ECX ;breakpoint hit
0048D498 .53 PUSH EBX
0048D499 .56 PUSH ESI
0048D49A .57 PUSH EDI
0048D49B .8BD8 MOV EBX,EAX
0048D49D .33C0 XOR EAX,EAX
0048D49F .55 PUSH EBP
0048D4A0 .68 ADD64800 PUSH tk.0048D6AD
0048D4A5 .64:FF30 PUSH DWORD PTR FS:
0048D4A8 .64:8920 MOV DWORD PTR FS:,ESP
0048D4AB .8D55 FC LEA EDX,DWORD PTR SS:
0048D4AE .8B83 38030000 MOV EAX,DWORD PTR DS:
0048D4B4 .E8 43A1FDFF CALL tk.004675FC ;get user name length
0048D4B9 .837D FC 00 CMP DWORD PTR SS:,0 ;=user name
0048D4BD .0F84 98010000 JE tk.0048D65B
0048D4C3 .8D55 F8 LEA EDX,DWORD PTR SS:
0048D4C6 .8B83 34030000 MOV EAX,DWORD PTR DS:
0048D4CC .E8 2BA1FDFF CALL tk.004675FC
0048D4D1 .837D F8 00 CMP DWORD PTR SS:,0 ;=fake serial
0048D4D5 .0F84 80010000 JE tk.0048D65B
0048D4DB .8D55 F0 LEA EDX,DWORD PTR SS:
0048D4DE .8B83 34030000 MOV EAX,DWORD PTR DS:
0048D4E4 .E8 13A1FDFF CALL tk.004675FC
0048D4E9 .8B45 F0 MOV EAX,DWORD PTR SS:
0048D4EC .8D55 F4 LEA EDX,DWORD PTR SS:
0048D4EF .E8 78AFF7FF CALL tk.0040846C
0048D4F4 .8B45 F4 MOV EAX,DWORD PTR SS:
0048D4F7 .50 PUSH EAX
0048D4F8 .8D55 E8 LEA EDX,DWORD PTR SS:
0048D4FB .8B83 38030000 MOV EAX,DWORD PTR DS:
0048D501 .E8 F6A0FDFF CALL tk.004675FC
0048D506 .8B45 E8 MOV EAX,DWORD PTR SS:
0048D509 .8D55 EC LEA EDX,DWORD PTR SS:
0048D50C .E8 5BAFF7FF CALL tk.0040846C
0048D511 .8B45 EC MOV EAX,DWORD PTR SS:
0048D514 .5A POP EDX
0048D515 .E8 C62D0000 CALL tk.004902E0 ;verify the serial, step in with F7
0048D51A .3C 01 CMP AL,1 ;AL=1 means verification passed
0048D51C 0F85 03010000 JNZ tk.0048D625 ;jump to verification failure
0048D522 .A1 F4724900 MOV EAX,DWORD PTR DS:
0048D527 .8B00 MOV EAX,DWORD PTR DS:
0048D529 .8B80 38030000 MOV EAX,DWORD PTR DS:
0048D52F .33D2 XOR EDX,EDX
0048D531 .E8 E69FFDFF CALL tk.0046751C
0048D536 .A1 F4724900 MOV EAX,DWORD PTR DS:
0048D53B .8B00 MOV EAX,DWORD PTR DS:
0048D53D .8B80 2C030000 MOV EAX,DWORD PTR DS:
0048D543 .33D2 XOR EDX,EDX
0048D545 .E8 D29FFDFF CALL tk.0046751C
0048D54A .A1 A8714900 MOV EAX,DWORD PTR DS:
0048D54F .8B00 MOV EAX,DWORD PTR DS:
0048D551 .B2 06 MOV DL,6
0048D553 .E8 7042FFFF CALL tk.004817C8
0048D558 .A1 A8714900 MOV EAX,DWORD PTR DS:
0048D55D .8B00 MOV EAX,DWORD PTR DS:
0048D55F .8B10 MOV EDX,DWORD PTR DS:
0048D561 .FF92 EC000000 CALL NEAR DWORD PTR DS: ;registration success prompt
0048D567 .48 DEC EAX
0048D568 .75 0A JNZ SHORT tk.0048D574
Step in with F7 at 0048D515 to the serial verification:
004902E0 $55 PUSH EBP
004902E1 .8BEC MOV EBP,ESP
004902E3 .B9 12000000 MOV ECX,12
004902E8 >6A 00 PUSH 0
004902EA .6A 00 PUSH 0
004902EC .49 DEC ECX
004902ED .^ 75 F9 JNZ SHORT tk.004902E8 ;reserve stack space
004902EF .51 PUSH ECX
004902F0 .53 PUSH EBX
004902F1 .56 PUSH ESI
004902F2 .57 PUSH EDI
004902F3 .8955 F8 MOV DWORD PTR SS:,EDX
004902F6 .8945 FC MOV DWORD PTR SS:,EAX
004902F9 .8B45 FC MOV EAX,DWORD PTR SS:
004902FC .E8 5B42F7FF CALL tk.0040455C
00490301 .8B45 F8 MOV EAX,DWORD PTR SS:
00490304 .E8 5342F7FF CALL tk.0040455C
00490309 .33C0 XOR EAX,EAX
0049030B .55 PUSH EBP
0049030C .68 82094900 PUSH tk.00490982
00490311 .64:FF30 PUSH DWORD PTR FS:
00490314 .64:8920 MOV DWORD PTR FS:,ESP
00490317 .33C0 XOR EAX,EAX
00490319 .55 PUSH EBP
0049031A .68 33094900 PUSH tk.00490933
0049031F .64:FF30 PUSH DWORD PTR FS:
00490322 .64:8920 MOV DWORD PTR FS:,ESP
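00490325 .837D FC 00 CMP DWORD PTR SS:,0 ;was a user name entered in the registration dialog?
00490329 .74 73 JE SHORT tk.0049039E ;if not, jump below to read the registry info
0049032B .837D F8 00 CMP DWORD PTR SS:,0 ;fake serial address
0049032F .74 6D JE SHORT tk.0049039E ;jump away if no fake serial was entered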
00490331 .33C0 XOR EAX,EAX
00490333 .55 PUSH EBP
00490334 .68 92034900 PUSH tk.00490392
00490339 .64:FF30 PUSH DWORD PTR FS:
0049033C .64:8920 MOV DWORD PTR FS:,ESP
0049033F .B2 01 MOV DL,1
00490341 .A1 F48E4300 MOV EAX,DWORD PTR DS:
00490346 .E8 A98CFAFF CALL tk.00438FF4
0049034B .8BD8 MOV EBX,EAX
0049034D .BA 02000080 MOV EDX,80000002
00490352 .8BC3 MOV EAX,EBX
00490354 .E8 3B8DFAFF CALL tk.00439094
00490359 .B1 01 MOV CL,1
0049035B .BA 9C094900 MOV EDX,tk.0049099C ;registration info location \software\pgware\pcboost
00490360 .8BC3 MOV EAX,EBX
00490362 .E8 918DFAFF CALL tk.004390F8
00490367 .8B4D FC MOV ECX,DWORD PTR SS: ;user name
0049036A .BA C0094900 MOV EDX,tk.004909C0 ;name
0049036F .8BC3 MOV EAX,EBX
00490371 .E8 3E8FFAFF CALL tk.004392B4 ;write the user name to the registry
00490376 .8B4D F8 MOV ECX,DWORD PTR SS: ;fake serial
00490379 .BA D0094900 MOV EDX,tk.004909D0 ;serial
0049037E .8BC3 MOV EAX,EBX
00490380 .E8 2F8FFAFF CALL tk.004392B4 ;write the fake serial to the registry
00490385 .33C0 XOR EAX,EAX
00490387 .5A POP EDX
00490388 .59 POP ECX
00490389 .59 POP ECX
0049038A .64:8910 MOV DWORD PTR FS:,EDX
0049038D .E9 89000000 JMP tk.0049041B ;a serial was entered in the dialog, so skip reading the registry
00490392 .^ E9 C133F7FF JMP tk.00403758
00490397 .E8 2437F7FF CALL tk.00403AC0
0049039C .EB 7D JMP SHORT tk.0049041B
0049039E >33C0 XOR EAX,EAX
004903A0 .55 PUSH EBP
004903A1 .68 11044900 PUSH tk.00490411
004903A6 .64:FF30 PUSH DWORD PTR FS:
004903A9 .64:8920 MOV DWORD PTR FS:,ESP
004903AC .B2 01 MOV DL,1
004903AE .A1 F48E4300 MOV EAX,DWORD PTR DS:
004903B3 .E8 3C8CFAFF CALL tk.00438FF4
004903B8 .8BD8 MOV EBX,EAX
004903BA .BA 02000080 MOV EDX,80000002
004903BF .8BC3 MOV EAX,EBX
004903C1 .E8 CE8CFAFF CALL tk.00439094
004903C6 .C743 18 19000200 MOV DWORD PTR DS:,20019
004903CD .33C9 XOR ECX,ECX
004903CF .BA 9C094900 MOV EDX,tk.0049099C ;\software\pgware\pcboost
004903D4 .8BC3 MOV EAX,EBX
004903D6 .E8 1D8DFAFF CALL tk.004390F8
004903DB .8D4D FC LEA ECX,DWORD PTR SS:
004903DE .BA C0094900 MOV EDX,tk.004909C0 ;name
004903E3 .8BC3 MOV EAX,EBX
004903E5 .E8 F68EFAFF CALL tk.004392E0 ;user name
004903EA .8D4D F8 LEA ECX,DWORD PTR SS:
004903ED .BA D0094900 MOV EDX,tk.004909D0 ;serial
004903F2 .8BC3 MOV EAX,EBX
004903F4 .E8 E78EFAFF CALL tk.004392E0 ;serial
004903F9 .8BC3 MOV EAX,EBX
004903FB .E8 648CFAFF CALL tk.00439064
00490400 .8BC3 MOV EAX,EBX
00490402 .E8 B12EF7FF CALL tk.004032B8
00490407 .33C0 XOR EAX,EAX
00490409 .5A POP EDX
0049040A .59 POP ECX
0049040B .59 POP ECX
0049040C .64:8910 MOV DWORD PTR FS:,EDX
0049040F .EB 0A JMP SHORT tk.0049041B
00490411 .^ E9 4233F7FF JMP tk.00403758
00490416 .E8 A536F7FF CALL tk.00403AC0
0049041B >33C0 XOR EAX,EAX
0049041D .55 PUSH EBP
0049041E .68 1B094900 PUSH tk.0049091B
00490423 .64:FF30 PUSH DWORD PTR FS:
00490426 .64:8920 MOV DWORD PTR FS:,ESP
00490429 .837D FC 00 CMP DWORD PTR SS:,0 ;=user name
0049042D .0F84 DE040000 JE tk.00490911
00490433 .837D F8 00 CMP DWORD PTR SS:,0 ;=serial
00490437 .0F84 D4040000 JE tk.00490911
0049043D .B8 FC9B4900 MOV EAX,tk.00499BFC
00490442 .8B55 FC MOV EDX,DWORD PTR SS:
00490445 .E8 B63CF7FF CALL tk.00404100
0049044A .68 009C4900 PUSH tk.00499C00
0049044F .8D45 D8 LEA EAX,DWORD PTR SS:
00490452 .50 PUSH EAX
00490453 .8B55 F8 MOV EDX,DWORD PTR SS:
00490456 .B8 E0094900 MOV EAX,tk.004909E0 ;+
0049045B .E8 5042F7FF CALL tk.004046B0 ;check whether the serial contains + (2B)
00490460 .40 INC EAX ;re-enter the fake serial S (s1+s2+s3)
00490461 .50 PUSH EAX ;(12345678+123+234)
00490462 .8B45 F8 MOV EAX,DWORD PTR SS:
00490465 .E8 023FF7FF CALL tk.0040436C ;get the fake serial length
0049046A .8BC8 MOV ECX,EAX
0049046C .8B45 F8 MOV EAX,DWORD PTR SS:
0049046F .5A POP EDX
00490470 .E8 5741F7FF CALL tk.004045CC
00490475 .8B55 D8 MOV EDX,DWORD PTR SS: ;=s2+s3
00490478 .B8 E0094900 MOV EAX,tk.004909E0 ;+
0049047D .E8 2E42F7FF CALL tk.004046B0 ;check whether the fake serial after the first + contains another +
00490482 .48 DEC EAX
00490483 .50 PUSH EAX
00490484 .8D45 D4 LEA EAX,DWORD PTR SS:
00490487 .50 PUSH EAX
00490488 .8B55 F8 MOV EDX,DWORD PTR SS:
0049048B .B8 E0094900 MOV EAX,tk.004909E0 ;+
00490490 .E8 1B42F7FF CALL tk.004046B0
00490495 .40 INC EAX
00490496 .50 PUSH EAX
00490497 .8B45 F8 MOV EAX,DWORD PTR SS:
0049049A .E8 CD3EF7FF CALL tk.0040436C
0049049F .8BC8 MOV ECX,EAX
004904A1 .8B45 F8 MOV EAX,DWORD PTR SS:
004904A4 .5A POP EDX
004904A5 .E8 2241F7FF CALL tk.004045CC
004904AA .8B45 D4 MOV EAX,DWORD PTR SS:
004904AD .BA 01000000 MOV EDX,1
004904B2 .59 POP ECX
004904B3 .E8 1441F7FF CALL tk.004045CC
004904B8 .BB 01000000 MOV EBX,1 ;EBX = 1
004904BD >8D45 CC LEA EAX,DWORD PTR SS:
004904C0 .50 PUSH EAX
004904C1 .B9 01000000 MOV ECX,1
004904C6 .8BD3 MOV EDX,EBX
004904C8 .8B45 FC MOV EAX,DWORD PTR SS: ;let the user name be N (n1, n2, ... ni)
004904CB .E8 FC40F7FF CALL tk.004045CC ;take the user name characters ni one at a time
004904D0 .8B45 CC MOV EAX,DWORD PTR SS: ;address of ni
004904D3 .0FB600 MOVZX EAX,BYTE PTR DS: ;hex value of the user name character into EAX
004904D6 .F7EB IMUL EBX ;EBX=i
004904D8 .8945 C8 MOV DWORD PTR SS:,EAX
004904DB .DB45 C8 FILD DWORD PTR SS: ;ni*i converted to float into st(0)
004904DE .E8 D925F7FF CALL tk.00402ABC ;push ni onto the stack
004904E3 .8945 C0 MOV DWORD PTR SS:,EAX
004904E6 .8955 C4 MOV DWORD PTR SS:,EDX
004904E9 .DF6D C0 FILD QWORD PTR SS: ;load ni*i into st(0)
004904EC .83C4 F4 ADD ESP,-0C
004904EF .DB3C24 FSTP TBYTE PTR SS: ; |save ni to
004904F2 .9B WAIT ; |
004904F3 .8D55 D0 LEA EDX,DWORD PTR SS: ; |
004904F6 .B8 EC094900 MOV EAX,tk.004909EC ; |#
004904FB .E8 3CA3F7FF CALL tk.0040A83C ; \convert ni*i to decimal
00490500 .FF75 D0 PUSH DWORD PTR SS:
00490503 .8D55 BC LEA EDX,DWORD PTR SS:
00490506 .8BC3 MOV EAX,EBX
00490508 .E8 2F83F7FF CALL tk.0040883C
0049050D .FF75 BC PUSH DWORD PTR SS:
00490510 .FF35 009C4900 PUSH DWORD PTR DS: ;=s2
00490516 .8D45 E4 LEA EAX,DWORD PTR SS:
00490519 .BA 03000000 MOV EDX,3
0049051E .E8 093FF7FF CALL tk.0040442C ;ni*i+i+s2 (concatenation)
00490523 .8B45 E4 MOV EAX,DWORD PTR SS: ;=ni*i+i+s2
00490526 .E8 4D84F7FF CALL tk.00408978 ;convert to hex
0049052B .8BF0 MOV ESI,EAX ;EAX=122CD3
0049052D .8B45 E4 MOV EAX,DWORD PTR SS:
00490530 .E8 4384F7FF CALL tk.00408978
00490535 .03F0 ADD ESI,EAX ;ESI=(ni+i+s2) added to itself, i.e. multiplied by 2
00490537 .8BC6 MOV EAX,ESI
00490539 .8D55 B8 LEA EDX,DWORD PTR SS:
0049053C .E8 FB82F7FF CALL tk.0040883C ;convert to decimal
00490541 .8B55 B8 MOV EDX,DWORD PTR SS: ;=(ni+i+s2)*2 (D)
00490544 .8D45 E4 LEA EAX,DWORD PTR SS: ;=(ni*i+i+s2) (D)
00490547 .E8 F83BF7FF CALL tk.00404144
0049054C .43 INC EBX ;EBX + 1
0049054D .8B45 FC MOV EAX,DWORD PTR SS: ;=wzwgp (user name)
00490550 .E8 173EF7FF CALL tk.0040436C
00490555 .40 INC EAX ;EAX=user name length
00490556 .3BD8 CMP EBX,EAX
00490558 .^ 0F85 5FFFFFFF JNZ tk.004904BD ;the user name length is the loop count
0049055E .6A 04 PUSH 4
00490560 .68 FD4E5A09 PUSH 95A4EFD
00490565 .8B45 E4 MOV EAX,DWORD PTR SS: ;=11210246 (result computed from the last user name character)
00490568 .E8 0B84F7FF CALL tk.00408978 ;EAX=AB0E06 (converted to hex)
0049056D .99 CDQ
0049056E .E8 614AF7FF CALL tk.00404FD4 ;operate on the user name result, step in with F7
Step in with F7 to the operation on the user name result:
00404FD4/$52 PUSH EDX
00404FD5|.50 PUSH EAX
00404FD6|.8B4424 10 MOV EAX,DWORD PTR SS: ;=4 (constant)
00404FDA|.F72424 MUL DWORD PTR SS: ;=AB0E06
00404FDD|.89C1 MOV ECX,EAX ;EAX=AB0E06*4=2AC3818
00404FDF|.8B4424 04 MOV EAX,DWORD PTR SS: ;=0
00404FE3|.F76424 0C MUL DWORD PTR SS: ;=095A4EFD (constant)
00404FE7|.01C1 ADD ECX,EAX
00404FE9|.8B0424 MOV EAX,DWORD PTR SS: ;=00AB0E06
00404FEC|.F76424 0C MUL DWORD PTR SS: ;EAX=AB0E06*95A4EFD=EB6EAFEE
00404FF0|.01CA ADD EDX,ECX ;EDX=63FD5 (overflow part)+2AC3818=2B277ED
00404FF2|.59 POP ECX
00404FF3|.59 POP ECX
00404FF4\.C2 0800 RETN 8 ;returns to 00490573
00490573 .8945 C0 MOV DWORD PTR SS:,EAX ;EAX=EB6EAFEE
00490576 .8955 C4 MOV DWORD PTR SS:,EDX ;EDX=02B277ED
00490579 .DF6D C0 FILD QWORD PTR SS: ;=2B277EDEB6EAFEE
0049057C .83C4 F4 ADD ESP,-0C
0049057F .DB3C24 FSTP TBYTE PTR SS: ; |ST=1.9434959767120689400e+17
00490582 .9B WAIT ; |
00490583 .8D55 B4 LEA EDX,DWORD PTR SS: ; |
00490586 .B8 EC094900 MOV EAX,tk.004909EC ; |#
0049058B .E8 ACA2F7FF CALL tk.0040A83C ; \tk.0040A83C
00490590 .8B55 B4 MOV EDX,DWORD PTR SS: ;computed result
00490593 .8D45 E4 LEA EAX,DWORD PTR SS:
00490596 .E8 A93BF7FF CALL tk.00404144 ;EDX=11210246
0049059B .8D45 F0 LEA EAX,DWORD PTR SS:
0049059E .50 PUSH EAX
0049059F .8B55 F8 MOV EDX,DWORD PTR SS:
004905A2 .B8 E0094900 MOV EAX,tk.004909E0 ;+
004905A7 .E8 0441F7FF CALL tk.004046B0
004905AC .8BC8 MOV ECX,EAX
004905AE .49 DEC ECX
004905AF .BA 01000000 MOV EDX,1
004905B4 .8B45 F8 MOV EAX,DWORD PTR SS:
004905B7 .E8 1040F7FF CALL tk.004045CC ;extract s1
004905BC .8D45 B0 LEA EAX,DWORD PTR SS:
004905BF .50 PUSH EAX
004905C0 .8B45 F0 MOV EAX,DWORD PTR SS:
004905C3 .E8 A43DF7FF CALL tk.0040436C ;length of s1
004905C8 .8BD8 MOV EBX,EAX
004905CA .A1 009C4900 MOV EAX,DWORD PTR DS: ;=s2
004905CF .E8 983DF7FF CALL tk.0040436C ;length of the second fake serial segment
004905D4 .03D8 ADD EBX,EAX ;add the lengths of s1 and s2
004905D6 .83C3 03 ADD EBX,3 ;then add 3
004905D9 .53 PUSH EBX
004905DA .8B45 F8 MOV EAX,DWORD PTR SS:
004905DD .E8 8A3DF7FF CALL tk.0040436C ;fake serial length
004905E2 .8BC8 MOV ECX,EAX
004905E4 .8B45 F8 MOV EAX,DWORD PTR SS:
004905E7 .5A POP EDX
004905E8 .E8 DF3FF7FF CALL tk.004045CC ;address of s3
004905ED .8B45 B0 MOV EAX,DWORD PTR SS: ;=s3
004905F0 .8D55 EC LEA EDX,DWORD PTR SS:
004905F3 .E8 747EF7FF CALL tk.0040846C
004905F8 .8B55 EC MOV EDX,DWORD PTR SS:
004905FB .B8 E0094900 MOV EAX,tk.004909E0 ;+
00490600 .E8 AB40F7FF CALL tk.004046B0
00490605 .85C0 TEST EAX,EAX
00490607 .0F8E 6B010000 JLE tk.00490778 ;jump taken
0049060D .8D45 AC LEA EAX,DWORD PTR SS:
00490610 .50 PUSH EAX
---------------------------(middle omitted)-------------------------------------
0049076B .8B55 90 MOV EDX,DWORD PTR SS:
0049076E .8D45 E0 LEA EAX,DWORD PTR SS:
00490771 .E8 CE39F7FF CALL tk.00404144
00490776 .EB 1A JMP SHORT tk.00490792
00490778 >8D45 E8 LEA EAX,DWORD PTR SS: ;the jump lands here
0049077B .BA F8094900 MOV EDX,tk.004909F8 ;1
00490780 .E8 BF39F7FF CALL tk.00404144
00490785 .8D45 E0 LEA EAX,DWORD PTR SS:
00490788 .BA F8094900 MOV EDX,tk.004909F8 ;1
0049078D .E8 B239F7FF CALL tk.00404144
00490792 >8B45 F0 MOV EAX,DWORD PTR SS: ;=s1
00490795 .E8 FAA0F7FF CALL tk.0040A894 ;an exception occurs if the fake serial has no +
0049079A .DB7D 84 FSTP TBYTE PTR SS: ;fake serial (s1)
0049079D .9B WAIT
0049079E .8B45 E4 MOV EAX,DWORD PTR SS: ;=computed result
004907A1 .E8 EEA0F7FF CALL tk.0040A894
004907A6 .DB6D 84 FLD TBYTE PTR SS:
004907A9 .DEE1 FSUBRP ST(1),ST ;st(1)=fake serial (s1) minus computed result
004907AB .D81D FC094900 FCOMP DWORD PTR DS: ;compare for equality
004907B1 .DFE0 FSTSW AX ;AX=100 (stored status word value)
004907B3 .9E SAHF ;load AH into the flags register
004907B4 .0F87 53010000 JA tk.0049090D ;jump if above
004907BA .8B45 E4 MOV EAX,DWORD PTR SS: ;=194349597671206894
004907BD .E8 D2A0F7FF CALL tk.0040A894
004907C2 .DBBD 78FFFFFF FSTP TBYTE PTR SS:
004907C8 .9B WAIT
004907C9 .8B45 F0 MOV EAX,DWORD PTR SS:
004907CC .E8 C3A0F7FF CALL tk.0040A894
004907D1 .DBAD 78FFFFFF FLD TBYTE PTR SS:
004907D7 .DEE1 FSUBRP ST(1),ST ;computed result minus s1
004907D9 .D81D FC094900 FCOMP DWORD PTR DS:
004907DF .DFE0 FSTSW AX ;AX=0
004907E1 .9E SAHF
004907E2 .0F87 25010000 JA tk.0049090D ;if above, jump to where the flag is set to 0
004907E8 .8B45 E8 MOV EAX,DWORD PTR SS:
004907EB .8B55 E0 MOV EDX,DWORD PTR SS:
004907EE .E8 C53CF7FF CALL tk.004044B8
004907F3 .75 0B JNZ SHORT tk.00490800
---------------------------(middle omitted)-------------------------------------
00490904 .8BC6 MOV EAX,ESI
00490906 .E8 AD29F7FF CALL tk.004032B8
0049090B .EB 04 JMP SHORT tk.00490911
0049090D >C645 F7 00 MOV BYTE PTR SS:,0 ;flag
00490911 >33C0 XOR EAX,EAX
00490913 .5A POP EDX
00490914 .59 POP ECX
00490915 .59 POP ECX
00490916 .64:8910 MOV DWORD PTR FS:,EDX
00490919 .EB 0E JMP SHORT tk.00490929
0049091B .^ E9 382EF7FF JMP tk.00403758
00490920 .C645 F7 00 MOV BYTE PTR SS:,0
00490924 .E8 9731F7FF CALL tk.00403AC0
00490929 >33C0 XOR EAX,EAX
---------------------------(middle omitted)-------------------------------------
00490977 .BA 02000000 MOV EDX,2
0049097C .E8 4F37F7FF CALL tk.004040D0
00490981 .C3 RETN
00490982 .^ E9 8530F7FF JMP tk.00403A0C
00490987 .^ EB C1 JMP SHORT tk.0049094A
00490989 8A45 F7 MOV AL,BYTE PTR SS: ;flag, patch point
0049098C 5F POP EDI
0049098D 5E POP ESI
0049098E .5B POP EBX
0049098F .8BE5 MOV ESP,EBP
00490991 .5D POP EBP
00490992 .C3 RETN ;returns to 0048D51A
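II. Algorithm summary
1. The serial has two forms:
(1) *** + *** + ***    12345678+123+234
(2) *** + ***          12345678+123
2. Multiply the hex value of the last character of the user name by the name length, then convert to decimal (wzwgp: 70*5=230 --> 560)
3. Serial of the first form
Concatenate: the user name value times the length, the length, and the serial segment after the first plus sign
560+5+123 --> 5605123
Convert to hex: 5605123 --> 558703
Add: 558703+558703=AB0E06
AB0E06*95A4EFD (constant)=63FD5EB6EAFEE (EB6EAFEE r 00063FD5)
63FD5+AB0E06*4 (constant)=2B277ED
Concatenate: 2B277ED+EB6EAFEE --> 2B277EDEB6EAFEE
Convert: 2B277EDEB6EAFEE(H) --> 1.9434959767120689400e+17 (float) --> 194349597671206894(D)
User name: wzwgp
Serial: 194349597671206894+123+234 (anything, or nothing, may follow the second plus sign)
4. Serial of the second form
Concatenate: the user name value times the length, and the length
560+5 --> 5605
Convert to hex: 5605 --> 15E5
Add: 15E5+15E5=2BCA
2BCA*95A4EFD (constant)=1998C86D2A2 (8C86D2A2 r 00000199)
199+2BCA*4 (constant)=B0C1
Concatenate: B0C1+8C86D2A2 --> B0C18C86D2A2
Convert: B0C18C86D2A2(H) --> 1.9434533282269000000e+14 (float) --> 194345332822690(D)
User name: wzwgp
Serial: 194345332822690+123 (anything, or nothing, may follow the plus sign)
5. After successful registration with the first form, the "About" window shows:
Licensed To:123 Computer(s)
wzwgp
After successful registration with the second form, the "About" window shows:
Licensed To: Computer(s)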
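wzwgp

Impressive algorithm work, I'm learning from brother wzwgp~

Sorry, this software has online validation. I didn't let the program connect to the network while debugging, and I just tried it. The computed serial stops working after online validation. :lol:

A good article, please keep going! /:D

Brother, you're really good. Learned something~

It has online validation~ that's more or less a hidden check.
The message the software shows after going online can serve as a basis for locating the networking code and setting a breakpoint there.
Online validation is really just another jump, but dealing with it often comes down to luck.

I like your algorithm articles and have reposted quite a few; I only just noticed you're also from PYG, haha. I'll keep learning~~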