📄 supercool bookmark 1.67.txt
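Software: SuperCool Bookmark main.exe 1,297KB
Download: http://www.supercoolbookmark.com
Posted by: 井风
Date: 2001-02-06
Cracking tool: Trw20001.22
Difficulty: [Specialist] [Bachelor] [Master] [Doctor]
********
Foreword:
The way this program computes and verifies its registration code is representative of a whole class of such schemes.
Procedure:
1. In the registration window, enter: Name: ABCD  Code: 12345678;
2. Use the "井风 tracing" method to find the CALL that raises the error; for the detailed procedure, see 井风's WINZIP8.0 cracking tutorial;
3. Analyze the code (working backwards from the end):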
015F:004E3AC5 CMP BYTE [EBP-16],00
015F:004E3AC9 JZ 004E3AD1
015F:004E3ACB MOV EAX,[EBP-28]
015F:004E3ACE MOV [EBP-2C],EAX
015F:004E3AD1 MOV BYTE [EBP-16],00
015F:004E3AD5 MOV EDI,[EBP-2C]
015F:004E3AD8 TEST EDI,EDI
015F:004E3ADA JNG 004E3B23
015F:004E3ADC MOV EBX,01
015F:004E3AE1 MOV EAX,[EBP-14] <****************************************
015F:004E3AE4 MOVZX ESI,BYTE [EAX+EBX-01]<
015F:004E3AE9 MOV EAX,[EBP-24] < This block XORs the ASCII value of each
015F:004E3AEC MOVZX EAX,BYTE [EAX+EBX-01]< character of the name with that of the
015F:004E3AF1 XOR ESI,EAX < corresponding character of the code, building
015F:004E3AF3 LEA EAX,[EBP-14] < the string used by the later CMP EAX,EDX.
015F:004E3AF6 MOV ECX,01 <
015F:004E3AFB MOV EDX,EBX <
015F:004E3AFD CALL 004044C4 <
015F:004E3B02 MOV EAX,ESI <
015F:004E3B04 MOV [EBP-15],AL <
015F:004E3B07 LEA EAX,[EBP-34] <
015F:004E3B0A MOV DL,[EBP-15] <
015F:004E3B0D CALL 004041A4 <
015F:004E3B12 MOV EAX,[EBP-34] <
015F:004E3B15 LEA EDX,[EBP-14] <
015F:004E3B18 MOV ECX,EBX <
015F:004E3B1A CALL 0040450C <
015F:004E3B1F INC EBX <
015F:004E3B20 DEC EDI <
015F:004E3B21 JNZ 004E3AE1 <********************************************
015F:004E3B23 LEA EAX,[EBP-1C]
015F:004E3B26 MOV EDX,[EBP-14]
015F:004E3B29 CALL 00404284
015F:004E3B2E MOV EAX,[EBP-2C]
015F:004E3B31 ADD [EBP-10],EAX
015F:004E3B34 MOV EAX,[EBP-10]
015F:004E3B37 CMP EAX,[EBP-28]
·
·
·
015F:00404389 LEA EAX,[EAX+00]
015F:0040438C PUSH EBX
015F:0040438D PUSH ESI
015F:0040438E PUSH EDI
015F:0040438F MOV ESI,EAX
015F:00404391 MOV EDI,EDX
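015F:00404393 CMP EAX,EDX [***] <====D EAX shows the string computed from your input: ppppU^
D EDX shows the string CuiWei; if the two strings are the same, the jump is not taken.
So how is ppppU^ computed? Trace the preceding code.
015F:00404395 JZ NEAR 0040442A <====if not equal, jumps to the ** line and then goes on to execute the [*] line: error!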
015F:0040439B TEST ESI,ESI
015F:0040439D JZ 00404407
015F:0040439F TEST EDI,EDI
015F:004043A1 JZ 0040440E
015F:004043A3 MOV EAX,[ESI-04]
015F:004043A6 MOV EDX,[EDI-04]
015F:004043A9 SUB EAX,EDX
015F:004043AB JA 004043AF
015F:004043AD ADD EDX,EAX
015F:004043AF PUSH EDX
·
·
·
015F:00404407 MOV EDX,[EDI-04]
015F:0040440A SUB EAX,EDX
015F:0040440C JMP SHORT 0040442A
015F:0040440E MOV EAX,[ESI-04]
015F:00404411 SUB EAX,EDX
015F:00404413 JMP SHORT 0040442A
015F:00404415 POP EDX
015F:00404416 CMP CL,BL
015F:00404418 JNZ 0040442A
015F:0040441A CMP CH,BH
015F:0040441C JNZ 0040442A
015F:0040441E SHR ECX,10
015F:00404421 SHR EBX,10
015F:00404424 CMP CL,BL
015F:00404426 JNZ 0040442A
015F:00404428 CMP CH,BH
015F:0040442A POP EDI <====if execution jumps to this line, the [*] line is then executed: error!
015F:0040442B POP ESI
015F:0040442C POP EBX
015F:0040442D RET
015F:0040442E MOV EAX,EAX
015F:00404430 TEST EAX,EAX
015F:00404432 JZ 0040443E
015F:00404434 MOV EDX,[EAX-08]
015F:00404437 INC EDX
015F:00404438 JNG 0040443E
015F:0040443A LOCK INC DWORD [EAX-08]
015F:0040443E RET
015F:0040443F NOP
·
·
·
015F:0050ABA1 PUSH EAX
015F:0050ABA2 MOV EAX,[00510B54]
015F:0050ABA7 MOV EAX,[EAX+34]
015F:0050ABAA ADD EAX,BYTE +3C
015F:0050ABAD PUSH EAX
015F:0050ABAE MOV CX,[0050AD10]
015F:0050ABB5 MOV DL,01
015F:0050ABB7 MOV EAX,0050AD70
015F:0050ABBC CALL 0045B344 <====executing this line produces the error; marked [*]
015F:0050ABC1 MOV EAX,[EBX+0414]
015F:0050ABC7 CMP BYTE [EAX+2C],01
015F:0050ABCB JNZ 0050ABE6
015F:0050ABCD PUSH BYTE +03
015F:0050ABCF PUSH BYTE +00
·
·
·
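Summary:
The registration check works as follows: the ASCII value of each character of the name is XORed with the ASCII value of the corresponding character of the code, and the result is compared with CuiWei. As long as the ASCII value of the first character of the name XORed with the ASCII value of the first character of the code equals the ASCII code of C, and likewise for the remaining characters, the check passes.
A pair put together at random: Name qCXaQX  Code 261641
There is also another method, which modifies the data segment: use a hex editor to find the CuiWei string in main.exe and replace it with the string you saw with D EAX at the *** point; the name and code you entered will then pass.
Afterword:
If you have any questions, contact me: hz.cy@163.net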