- UID
- 2446
注册时间2005-7-21
阅读权限30
最后登录1970-1-1
龙战于野
该用户从未签到
|
文章标题: 天天音频转换专家 V5.60 Build 051101 贵宾版 算法分析
破解作者: 风球[PYG]
作者邮箱: [email protected]
破解工具: PEID,OD
破解声明: 初学CrAck,偶的一点心得,跟大家分享^_^
软件下载: http://www.skycn.com/soft/24472.html
软件大小: 4051 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 音频转换
应用平台: Win9x/NT/2000/XP
软件介绍: 『天天音频转换专家』是一款专业的音频转换工具。 支持MP2, MP3, AAC, AC3, WMA, OGG, AMR, WAV( PCM, DSP, GSM, ADPCM ), G721, G723, G726, G729, VOX, ALAW, ULAW等常见的音频格式之间的转换。 可以批量转换文件而不必理会它们的源文件格式和目标文件格式。 内置播放器支持多种格式的播放功能。
-------------------------------------------------------------------------------------------
今天同学叫我搞搞这个东东,幸亏不难```哈```顺便分析了一下算法```不知这个东东好不好用,没用过```
[破解过程]
PEiD查壳为Microsoft Visual Basic 5.0 / 6.0
分析知道注册信息放在安装目录\tt.ini文件中,OD载入查找字符来到这里
-----------------------------
[system]
user=feng //用户名
pass=123456789 //我输入的假码
-------------------------------------------------------------------------------------------
00420310 68 50514000 push tt.00405150 ; UNICODE "\tt.ini" //下断往下看
00420315 FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
```省略部分代码```
0042034F BA 7C514000 mov edx,tt.0040517C ; UNICODE "user"
00420354 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00420357 C745 B4 6400000>mov dword ptr ss:[ebp-4C],64
0042035E FFD7 call edi
00420360 BA 68514000 mov edx,tt.00405168 ; UNICODE "system"
00420365 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00420368 FFD7 call edi
```省略部分代码```
00420392 50 push eax
00420393 FF15 54104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00420399 8B55 DC mov edx,dword ptr ss:[ebp-24] ; //用户名feng出来
0042039C 8D5E 3C lea ebx,dword ptr ds:[esi+3C]
```省略部分代码```
004203B1 FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
004203B7 83C4 10 add esp,10
004203BA BA 8C514000 mov edx,tt.0040518C ; UNICODE "pass"
004203BF 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
004203C2 C745 B4 6400000>mov dword ptr ss:[ebp-4C],64
004203C9 FFD7 call edi
004203CB BA 68514000 mov edx,tt.00405168 ; UNICODE "system"
004203D0 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
```省略部分代码```
004203FD 50 push eax
004203FE FF15 54104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00420404 8B55 DC mov edx,dword ptr ss:[ebp-24] ; //假码123456789出来
00420407 8D4E 40 lea ecx,dword ptr ds:[esi+40]
0042040A FFD7 call edi
0042040C 8D45 DC lea eax,dword ptr ss:[ebp-24]
0042040F 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00420412 50 push eax
00420413 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00420416 51 push ecx
00420417 52 push edx
00420418 6A 03 push 3
0042041A FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00420420 8B13 mov edx,dword ptr ds:[ebx] ; ds:[0014E174]=0014FAD4, (UNICODE "feng")
00420422 8B06 mov eax,dword ptr ds:[esi]
00420424 83C4 10 add esp,10
00420427 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0042042A 51 push ecx
0042042B 52 push edx ; edx=0014FAD4, (UNICODE "feng")
0042042C 68 9C514000 push tt.0040519C ; UNICODE "ice_ttaduio"
00420431 56 push esi
00420432 FF90 0C070000 call dword ptr ds:[eax+70C] ; //算法CALL,跟进
00420438 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; //出来真码
0042043B 8B4E 40 mov ecx,dword ptr ds:[esi+40] ; //出来假码
0042043E 50 push eax
0042043F 51 push ecx
00420440 FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; //比较,可做内存注册机
00420446 85C0 test eax,eax
00420448 0F85 D1000000 jnz tt.0042051F ; //跳则OVER
0042044E A1 10104200 mov eax,dword ptr ds:[421010]
00420453 85C0 test eax,eax
00420455 75 10 jnz short tt.00420467
00420457 68 10104200 push tt.00421010
0042045C 68 DC864000 push tt.004086DC
00420461 FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
-------------------------------------------------------------------------------------------
************** 跟进算法CALL 00420432 FF90 0C070000 call dword ptr ds:[eax+70C] 来到这里 **************
0041F2D0 55 push ebp
0041F2D1 8BEC mov ebp,esp
0041F2D3 83EC 08 sub esp,8
0041F2D6 68 B6174000 push <jmp.&MSVBVM60.__vbaExceptHandler>
0041F2DB 64:A1 00000000 mov eax,dword ptr fs:[0]
0041F2E1 50 push eax
0041F2E2 64:8925 0000000>mov dword ptr fs:[0],esp
0041F2E9 83EC 4C sub esp,4C
0041F2EC 53 push ebx
0041F2ED 56 push esi
0041F2EE 57 push edi
0041F2EF 8965 F8 mov dword ptr ss:[ebp-8],esp
0041F2F2 C745 FC 2017400>mov dword ptr ss:[ebp-4],tt.00401720
0041F2F9 8B55 0C mov edx,dword ptr ss:[ebp+C] ; //堆栈 UNICODE "ice_ttaduio"
0041F2FC 8B35 34114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
0041F302 33C0 xor eax,eax
0041F304 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0041F307 8945 E8 mov dword ptr ss:[ebp-18],eax
0041F30A 8945 E4 mov dword ptr ss:[ebp-1C],eax
0041F30D 8945 DC mov dword ptr ss:[ebp-24],eax
0041F310 8945 D4 mov dword ptr ss:[ebp-2C],eax
0041F313 8945 C4 mov dword ptr ss:[ebp-3C],eax
0041F316 8945 B4 mov dword ptr ss:[ebp-4C],eax
0041F319 8945 B0 mov dword ptr ss:[ebp-50],eax
0041F31C FFD6 call esi
0041F31E 8B55 10 mov edx,dword ptr ss:[ebp+10] ; (UNICODE "feng")
0041F321 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0041F324 FFD6 call esi
0041F326 8B45 08 mov eax,dword ptr ss:[ebp+8]
0041F329 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0041F32C 52 push edx
0041F32D 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; (UNICODE "ice_ttaduio")
0041F330 8B08 mov ecx,dword ptr ds:[eax]
0041F332 52 push edx
0041F333 50 push eax
0041F334 FF91 14070000 call dword ptr ds:[ecx+714] ; //跟进去知道根据字符ice_ttaduio运算得到一个值
0041F33A 8B45 B0 mov eax,dword ptr ss:[ebp-50] ; //得到1B742920存入EAX
0041F33D 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0041F340 51 push ecx
0041F341 8945 E4 mov dword ptr ss:[ebp-1C],eax ; [ebp-1c] <- eax=1B742920=十进制460597536
0041F344 C745 CC FFFFFFF>mov dword ptr ss:[ebp-34],-1
0041F34B C745 C4 0200000>mov dword ptr ss:[ebp-3C],2
0041F352 FF15 64104000 call dword ptr ds:[<&MSVBVM60.#593>] ; MSVBVM60.rtcRandomNext
0041F358 8B1D 1C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0041F35E 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0041F361 D95D B0 fstp dword ptr ss:[ebp-50] ; //相当于Rnd(-1)=st=0.2240070104598999024
0041F364 FFD3 call ebx
0041F366 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0041F369 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0041F36C 50 push eax
0041F36D 8955 BC mov dword ptr ss:[ebp-44],edx
0041F370 C745 B4 0340000>mov dword ptr ss:[ebp-4C],4003
0041F377 FF15 6C104000 call dword ptr ds:[<&MSVBVM60.#594>] ; MSVBVM60.rtcRandomize
//上面这段相当于 Rnd(-1)
// Randomize (460597536)
0041F37D 8B4D DC mov ecx,dword ptr ss:[ebp-24] ; //用户名feng
0041F380 51 push ecx
0041F381 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr //获取用户名长度
0041F387 8BC8 mov ecx,eax
0041F389 FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
0041F38F 8B3D 7C114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0041F395 8945 E0 mov dword ptr ss:[ebp-20],eax
0041F398 B8 01000000 mov eax,1
0041F39D 8945 EC mov dword ptr ss:[ebp-14],eax
0041F3A0 66:3B45 E0 cmp ax,word ptr ss:[ebp-20]
0041F3A4 0F8F 00010000 jg tt.0041F4AA
0041F3AA 8B4D DC mov ecx,dword ptr ss:[ebp-24] ; //用户名feng
0041F3AD 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0041F3B0 0FBFC0 movsx eax,ax
0041F3B3 52 push edx
0041F3B4 50 push eax
0041F3B5 51 push ecx
0041F3B6 C745 CC 0100000>mov dword ptr ss:[ebp-34],1
0041F3BD C745 C4 0200000>mov dword ptr ss:[ebp-3C],2
0041F3C4 FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0041F3CA 8BD0 mov edx,eax
0041F3CC 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0041F3CF FFD7 call edi
0041F3D1 50 push eax
0041F3D2 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0041F3D8 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0041F3DB 8BF0 mov esi,eax ; // 转为ASCII码->esi
0041F3DD FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0041F3E3 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0041F3E6 FFD3 call ebx
0041F3E8 66:83FE 20 cmp si,20 ;
0041F3EC 0F8C A5000000 jl tt.0041F497 ; //小于20则跳到下面
0041F3F2 66:83FE 7E cmp si,7E ;
0041F3F6 0F8F 9B000000 jg tt.0041F497 ; //大于7E则跳到下面
0041F3FC 8D55 C4 lea edx,dword ptr ss:[ebp-3C] ; //即32至126 标准ASCII范围
0041F3FF 66:83EE 20 sub si,20 ; // -20
0041F403 52 push edx
0041F404 C745 CC 0400028>mov dword ptr ss:[ebp-34],80020004
0041F40B 0F80 DF000000 jo tt.0041F4F0
0041F411 C745 C4 0A00000>mov dword ptr ss:[ebp-3C],0A ; 10
0041F418 FF15 64104000 call dword ptr ds:[<&MSVBVM60.#593>] ; MSVBVM60.rtcRandomNext
0041F41E D95D B0 fstp dword ptr ss:[ebp-50] ; //随机数 Rnd(10)
0041F421 D945 B0 fld dword ptr ss:[ebp-50] ; //随机数 = 0.4863158
0041F424 D80D B0114000 fmul dword ptr ds:[4011B0] ; *96.0000
0041F42A DFE0 fstsw ax ; AX<-MSW
0041F42C A8 0D test al,0D
0041F42E 0F85 B7000000 jnz tt.0041F4EB
0041F434 FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaR8IntI4>] ; MSVBVM60.__vbaR8IntI4
0041F43A 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0041F43D 8945 E4 mov dword ptr ss:[ebp-1C],eax
0041F440 FFD3 call ebx ; ebx=660FEA4C (MSVBVM60.__vbaFreeVar)
0041F442 0FBFC6 movsx eax,si ; eax<-si
0041F445 8B75 E4 mov esi,dword ptr ss:[ebp-1C]
0041F448 B9 5F000000 mov ecx,5F
0041F44D 03C6 add eax,esi ; //两者相加
0041F44F 0F80 9B000000 jo tt.0041F4F0
0041F455 99 cdq
0041F456 F7F9 idiv ecx
0041F458 8BCA mov ecx,edx ; //余数EDX入ECX
0041F45A FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
0041F460 8B75 14 mov esi,dword ptr ss:[ebp+14]
0041F463 66:05 2000 add ax,20 ; +20
0041F467 0F80 83000000 jo tt.0041F4F0
0041F46D 8B16 mov edx,dword ptr ds:[esi]
0041F46F 0FBFC0 movsx eax,ax
0041F472 52 push edx
0041F473 50 push eax
0041F474 FF15 14114000 call dword ptr ds:[<&MSVBVM60.#537>] ; MSVBVM60.rtcBstrFromAnsi
0041F47A 8BD0 mov edx,eax
0041F47C 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0041F47F FFD7 call edi
0041F481 50 push eax
0041F482 FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0041F488 8BD0 mov edx,eax
0041F48A 8BCE mov ecx,esi
0041F48C FFD7 call edi
0041F48E 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0041F491 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0041F497 B8 01000000 mov eax,1 ; //ascii码小于20大于7E的跳到此处
0041F49C 66:0345 EC add ax,word ptr ss:[ebp-14]
0041F4A0 70 4E jo short tt.0041F4F0
0041F4A2 8945 EC mov dword ptr ss:[ebp-14],eax
0041F4A5 ^ E9 F6FEFFFF jmp tt.0041F3A0 ; 没取完循环
0041F4AA 9B wait
0041F4AB 68 D6F44100 push tt.0041F4D6
0041F4B0 EB 13 jmp short tt.0041F4C5
```省略部分代码```
0041F4E5 8BE5 mov esp,ebp
0041F4E7 5D pop ebp
0041F4E8 C2 1000 retn 10
-------------------------------------------------------------------------------------------
************** 跟进算法CALL 0041F334 FF91 14070000 call dword ptr ds:[ecx+714] 来到这里 **************
这段主要是根据固定字符“ice_ttaduio”进行一系列列运算,从而得到一个值1B742920(十进制460597536)来初始化随机数生成器即实现Randomize(460597536),没仔细分析这段的算法,这个值应该是固定的吧``没必要分析```贴出来有兴趣的可以看一下,哈```
0041F740 55 push ebp
0041F741 8BEC mov ebp,esp
0041F743 83EC 08 sub esp,8
0041F746 68 B6174000 push <jmp.&MSVBVM60.__vbaExceptHandler>
0041F74B 64:A1 00000000 mov eax,dword ptr fs:[0]
0041F751 50 push eax
0041F752 64:8925 0000000>mov dword ptr fs:[0],esp
0041F759 83EC 70 sub esp,70
0041F75C 53 push ebx
0041F75D 56 push esi
0041F75E 57 push edi
0041F75F 8965 F8 mov dword ptr ss:[ebp-8],esp
0041F762 C745 FC 4017400>mov dword ptr ss:[ebp-4],tt.00401740
0041F769 8B55 0C mov edx,dword ptr ss:[ebp+C] ; //(UNICODE "ice_ttaduio")
0041F76C 33FF xor edi,edi
0041F76E 33DB xor ebx,ebx
0041F770 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0041F773 897D E8 mov dword ptr ss:[ebp-18],edi
0041F776 895D DC mov dword ptr ss:[ebp-24],ebx
0041F779 897D D4 mov dword ptr ss:[ebp-2C],edi
0041F77C 897D CC mov dword ptr ss:[ebp-34],edi
0041F77F 897D BC mov dword ptr ss:[ebp-44],edi
0041F782 FF15 34114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
0041F788 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0041F78B 50 push eax
0041F78C FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0041F792 8BC8 mov ecx,eax ; //获得长度eax=0000000B
0041F794 FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
0041F79A 8945 D8 mov dword ptr ss:[ebp-28],eax
0041F79D BE 01000000 mov esi,1
0041F7A2 66:3B75 D8 cmp si,word ptr ss:[ebp-28]
0041F7A6 0F8F EE000000 jg tt.0041F89A
0041F7AC 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0041F7AF 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0041F7B2 0FBFD6 movsx edx,si
0041F7B5 51 push ecx
0041F7B6 52 push edx
0041F7B7 50 push eax
0041F7B8 C745 C4 0100000>mov dword ptr ss:[ebp-3C],1
0041F7BF C745 BC 0200000>mov dword ptr ss:[ebp-44],2
0041F7C6 FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0041F7CC 8BD0 mov edx,eax
0041F7CE 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0041F7D1 FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0041F7D7 50 push eax
0041F7D8 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0041F7DE 0FBFC8 movsx ecx,ax ; //取字符ASCii
0041F7E1 894D D0 mov dword ptr ss:[ebp-30],ecx
0041F7E4 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0041F7E7 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0041F7ED 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0041F7F0 FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0041F7F6 DB45 DC fild dword ptr ss:[ebp-24]
0041F7F9 DD5D 98 fstp qword ptr ss:[ebp-68]
0041F7FC 8B55 9C mov edx,dword ptr ss:[ebp-64]
0041F7FF 8B45 98 mov eax,dword ptr ss:[ebp-68]
0041F802 52 push edx
0041F803 50 push eax
0041F804 68 00000040 push 40000000
0041F809 6A 00 push 0
0041F80B FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaPowerR8>] ; MSVBVM60.__vbaPowerR8
0041F811 DB45 D0 fild dword ptr ss:[ebp-30]
0041F814 DD5D 90 fstp qword ptr ss:[ebp-70]
0041F817 DC4D 90 fmul qword ptr ss:[ebp-70]
0041F81A DFE0 fstsw ax
0041F81C A8 0D test al,0D
0041F81E 0F85 BB000000 jnz tt.0041F8DF
0041F824 FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
0041F82A DB45 D4 fild dword ptr ss:[ebp-2C]
0041F82D 33F8 xor edi,eax
0041F82F DD5D 88 fstp qword ptr ss:[ebp-78]
0041F832 8B4D 8C mov ecx,dword ptr ss:[ebp-74]
0041F835 8B55 88 mov edx,dword ptr ss:[ebp-78]
0041F838 51 push ecx
0041F839 52 push edx
0041F83A 68 00000040 push 40000000
0041F83F 6A 00 push 0
0041F841 FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaPowerR8>] ; MSVBVM60.__vbaPowerR8
0041F847 DB45 D0 fild dword ptr ss:[ebp-30]
0041F84A DD5D 80 fstp qword ptr ss:[ebp-80]
0041F84D DC4D 80 fmul qword ptr ss:[ebp-80]
0041F850 DFE0 fstsw ax
0041F852 A8 0D test al,0D
0041F854 0F85 85000000 jnz tt.0041F8DF
0041F85A FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
0041F860 33F8 xor edi,eax
0041F862 8BC3 mov eax,ebx
0041F864 83C0 07 add eax,7 ; +7
0041F867 B9 13000000 mov ecx,13
0041F86C 70 76 jo short tt.0041F8E4
0041F86E 99 cdq
0041F86F F7F9 idiv ecx ; /13
0041F871 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0041F874 B9 17000000 mov ecx,17
0041F879 83C0 0D add eax,0D
0041F87C 70 66 jo short tt.0041F8E4
0041F87E 8BDA mov ebx,edx ; ebx<-edx
0041F880 99 cdq
0041F881 F7F9 idiv ecx ; /17
0041F883 B8 01000000 mov eax,1
0041F888 895D DC mov dword ptr ss:[ebp-24],ebx ; [ebp-24]<-ebx
0041F88B 66:03C6 add ax,si
0041F88E 70 54 jo short tt.0041F8E4
0041F890 8BF0 mov esi,eax
0041F892 8955 D4 mov dword ptr ss:[ebp-2C],edx ; 余数入[ebp-2C]
0041F895 ^ E9 08FFFFFF jmp tt.0041F7A2 ; 循环
0041F89A 897D E4 mov dword ptr ss:[ebp-1C],edi ; 出来结果edi=1B742920
0041F89D 68 C2F84100 push tt.0041F8C2
```省略部分代码```
0041F8DB 5D pop ebp
0041F8DC C2 0C00 retn 0C
-------------------------------------------------------------------------------------------
[破解总结]
算法:注册码由用户名运算得来```逐位取用户名的ASCII码值,如果在32-126范围则跟取得随机数进行一系列运算得到注册码
下面是VB算法注册机源码,只支持Ascii码在32-126范围的```所以不支持中文,因为我不会写```哈```如果想用中文用户名的话,使用内存注册机吧
Private Sub Command1_Click()
Rnd (-1)
Randomize (460597536)
For i = 1 To Len(Text1.Text)
a = Asc(Mid(Text1.Text, i)) - 32
B = Int(Rnd(10) * 96 + a) Mod 95 + 32
sn = sn & Chr(B)
Next i
Text2.Text = sn
End Sub
[内存注册机]
选一组即可```
①实时比较的: ② 启动时比较的:
中断地址:412561 中断地址:00420440
中断次数:1 中断次数:1
第一字节:FF 第一字节:FF
指令长度:6 指令长度:6
注册码:内存方式--寄存器--EDX--宽字符串 注册码:内存方式--寄存器--EDX--宽字符串
-------------------------------------------------------------------------------------------2005年12月22日
【版权声明】 本文纯属技术交流, 转载请注明作者信息并保持文章的完整, 谢谢! |
|
IP卡
发表于 2005-12-22 17:25:07
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2005-12-23 01:02:25
发表于 2005-12-23 07:00:40
发表于 2005-12-23 21:50:25