[编辑:百家电脑学院] [- 该分类还没有添加任何内容!
【工程作者】深海游侠Star[CZG][OCN]
【作者邮箱】shenhaiyouxia@163.com
=====================================================================
【软件名称】中华灯谜 XP 2005 Build 01.20
【下载地址】http://www2.skycn.com/soft/6062.html
【所受限制】功能限制
【加壳保护】无壳
【软件介绍】《中华灯谜》可能是中国目前最好的灯谜软件。理由有三:(1)灯谜数目巨多,灯谜种类齐全,谜语条数可能是一个足以让你目瞪口呆的数字。而且支持用户继续添加。(2)《中华灯谜》软件使用简单,支持浏览、搜索、添加、翻页。(3)《中华灯谜》软件集成《中华灯谜宝典》,《中华灯谜宝典》是猜谜高手案头必备,资料极珍贵、极翔尽、极丰富。(4)《中华灯谜》是“澄海市夫子工作室”推出的软件,软件免费、绿色、环保,代码少,软件随时升级,升级简单。
=====================================================================
【工程平台】Win ME
【调试工具】TRW2000系列
=====================================================================
【破解过程】
前一段时间因为学习任务比较繁重,且考试较多,所以一直没怎么出过作品,
现在好了,放假了,终于可以继续我的cracker之旅了~~废话不多说!
1>破解过程:
首先查壳,无壳Borland Delphi 6.0 - 7.0,OK直接拿TRW2000载入,下万能断点。程序顺利断下,按N次F12程序到了这里:
016F:00524606 8D9574FFFFFF LEA EDX,[EBP+FFFFFF74]
016F:0052460C 8B83F8030000 MOV EAX,[EBX+03F8]
016F:00524612 E8FD17F2FF CALL 00445E14
016F:00524617 83BD74FFFFFF00 CMP DWORD [EBP+FFFFFF74],BYTE +00
016F:0052461E 741A JZ 0052463A //是否输入注册码
016F:00524620 8D9570FFFFFF LEA EDX,[EBP+FFFFFF70]
016F:00524626 8B83F4030000 MOV EAX,[EBX+03F4]
016F:0052462C E8E317F2FF CALL 00445E14
016F:00524631 83BD70FFFFFF00 CMP DWORD [EBP+FFFFFF70],BYTE +00
016F:00524638 750F JNZ 00524649 //是否输入定单号
016F:0052463A B828485200 MOV EAX,00524828
016F:0052463F E8C4A9F1FF CALL 0043F008
016F:00524644 E951010000 JMP 0052479A
016F:00524649 8D956CFFFFFF LEA EDX,[EBP+FFFFFF6C]
016F:0052464F 8B83F8030000 MOV EAX,[EBX+03F8]
016F:00524655 E8BA17F2FF CALL 00445E14
016F:0052465A 8B856CFFFFFF MOV EAX,[EBP+FFFFFF6C] //假码12121212出现
016F:00524660 50 PUSH EAX
016F:00524661 8D9564FFFFFF LEA EDX,[EBP+FFFFFF64]
016F:00524667 8B83F4030000 MOV EAX,[EBX+03F4]
016F:0052466D E8A217F2FF CALL 00445E14
016F:00524672 8B8564FFFFFF MOV EAX,[EBP+FFFFFF64] //定单号123456出现
016F:00524678 E8774FEEFF CALL 004095F4 //定单号转为十六位入EAX
016F:0052467D B909030000 MOV ECX,0309 //ECX=309
016F:00524682 99 CDQ //清EDX
016F:00524683 F7F9 IDIV ECX //EAX/ECX 商入EAX 余数入EDX(1E240 mod 309=2B2)
016F:00524685 8BC2 MOV EAX,EDX //EDX=2B2 入EAX ★注册码第1部分:690
016F:00524687 8D9568FFFFFF LEA EDX,[EBP+FFFFFF68]
016F:0052468D E8FE4EEEFF CALL 00409590
016F:00524692 8D8568FFFFFF LEA EAX,[EBP+FFFFFF68]
016F:00524698 50 PUSH EAX
016F:00524699 8D9558FFFFFF LEA EDX,[EBP+FFFFFF58]
016F:0052469F 8B83F4030000 MOV EAX,[EBX+03F4]
016F:005246A5 E86A17F2FF CALL 00445E14
016F:005246AA 8B8558FFFFFF MOV EAX,[EBP+FFFFFF58] //EAX=123456定单号
016F:005246B0 E83F4FEEFF CALL 004095F4 //转为十六位入EAX=1E240
016F:005246B5 8D955CFFFFFF LEA EDX,[EBP+FFFFFF5C]
016F:005246BB E844DBFFFF CALL 00522204 //算法CALL(1)跟进
016F:005246C0 8B855CFFFFFF MOV EAX,[EBP+FFFFFF5C] //算出过渡码EAX=70648174
016F:005246C6 E8294FEEFF CALL 004095F4 //转为十六位入EAX=436016E
016F:005246CB 8D9560FFFFFF LEA EDX,[EBP+FFFFFF60]
016F:005246D1 E80EDCFFFF CALL 005222E4 //关键算法CALL(2)跟进
016F:005246D6 8B9560FFFFFF MOV EDX,[EBP+FFFFFF60] //EDX=3615u412~f1449 ★注册码第2部分
016F:005246DC 58 POP EAX
016F:005246DD E8DA04EEFF CALL 00404BBC //两部分连接
016F:005246E2 8B9568FFFFFF MOV EDX,[EBP+FFFFFF68] //EDX=6903615u412~f1449
016F:005246E8 58 POP EAX //EAX=12121212 (内存注册机断这里)
016F:005246E9 E80A06EEFF CALL 00404CF8 //比较
016F:005246EE 0F858F000000 JNZ NEAR 00524783 //关键跳
关键算法CALL(1)
|
016F:00522204 55 PUSH EBP
016F:00522205 8BEC MOV EBP,ESP
016F:00522207 33C9 XOR ECX,ECX
016F:00522209 51 PUSH ECX
016F:0052220A 51 PUSH ECX
016F:0052220B 51 PUSH ECX
016F:0052220C 51 PUSH ECX
016F:0052220D 53 PUSH EBX
016F:0052220E 56 PUSH ESI
016F:0052220F 8BF2 MOV ESI,EDX
016F:00522211 8BD8 MOV EBX,EAX //EAX=1E240
016F:00522213 33C0 XOR EAX,EAX
016F:00522215 55 PUSH EBP
016F:00522216 68D4225200 PUSH DWORD 005222D4
016F:0052221B 64FF30 PUSH DWORD [FS:EAX]
016F:0052221E 648920 MOV [FS:EAX],ESP
016F:00522221 81F3F1250B00 XOR EBX,000B25F1 //EBX=1E240 xor B25F1=AC7B1
016F:00522227 8BC3 MOV EAX,EBX
016F:00522229 33D2 XOR EDX,EDX
016F:0052222B 52 PUSH EDX
016F:0052222C 50 PUSH EAX
016F:0052222D 8D45FC LEA EAX,[EBP-04]
016F:00522230 E88B73EEFF CALL 004095C0 //AC7B1转为十进制入[EBP-04]
016F:00522235 8B45FC MOV EAX,[EBP-04] //EAX=706481
016F:00522238 0FB600 MOVZX EAX,BYTE [EAX] //EAX=37
016F:0052223B 8B55FC MOV EDX,[EBP-04] //EDX=706481
016F:0052223E 0FB65201 MOVZX EDX,BYTE [EDX+01] //EDX=30
016F:00522242 03C2 ADD EAX,EDX //EAX=37+30=67
016F:00522244 B905000000 MOV ECX,05
016F:00522249 99 CDQ
016F:0052224A F7F9 IDIV ECX //EDX=EAX mod 5=3
016F:0052224C 80C234 ADD DL,34 //DL=3+34=37
016F:0052224F 8855F8 MOV [EBP-08],DL //存起来
016F:00522252 8B45FC MOV EAX,[EBP-04] //EAX=706481
016F:00522255 0FB64002 MOVZX EAX,BYTE [EAX+02] //EAX=36
016F:00522259 8B55FC MOV EDX,[EBP-04]
016F:0052225C 0FB65203 MOVZX EDX,BYTE [EDX+03] //EDX=34
016F:00522260 03C2 ADD EAX,EDX //EAX=36+34=6A
016F:00522262 B905000000 MOV ECX,05
016F:00522267 99 CDQ
016F:00522268 F7F9 IDIV ECX //EDX=EAX mod 5=1
016F:0052226A 8BDA MOV EBX,EDX
016F:0052226C 80C333 ADD BL,33 //BL=1+33=34
016F:0052226F 885DF9 MOV [EBP-07],BL //存起来
016F:00522272 8D45F4 LEA EAX,[EBP-0C]
016F:00522275 8A55F8 MOV DL,[EBP-08]
016F:00522278 E85F28EEFF CALL 00404ADC //37转为ASCII码为7存入寄存器
016F:0052227D 8B45F4 MOV EAX,[EBP-0C]
016F:00522280 8D55FC LEA EDX,[EBP-04]
016F:00522283 B91B000000 MOV ECX,1B
016F:00522288 E8072CEEFF CALL 00404E94
016F:0052228D 8D45F0 LEA EAX,[EBP-10]
016F:00522290 8BD3 MOV EDX,EBX
016F:00522292 E84528EEFF CALL 00404ADC //34转为ASCII码为4存入寄存器
016F:00522297 8B45F0 MOV EAX,[EBP-10]
016F:0052229A 8D55FC LEA EDX,[EBP-04]
016F:0052229D B919000000 MOV ECX,19
016F:005222A2 E8ED2BEEFF CALL 00404E94 //706481 & 7 & 4=70648174
016F:005222A7 8BC6 MOV EAX,ESI
016F:005222A9 8B55FC MOV EDX,[EBP-04] //EDX=70648174
016F:005222AC E89F26EEFF CALL 00404950
016F:005222B1 33C0 XOR EAX,EAX
016F:005222B3 5A POP EDX
016F:005222B4 59 POP ECX
016F:005222B5 59 POP ECX
016F:005222B6 648910 MOV [FS:EAX],EDX
016F:005222B9 68DB225200 PUSH DWORD 005222DB
016F:005222BE 8D45F0 LEA EAX,[EBP-10]
016F:005222C1 BA02000000 MOV EDX,02
016F:005222C6 E85526EEFF CALL 00404920
016F:005222CB 8D45FC LEA EAX,[EBP-04]
016F:005222CE E82926EEFF CALL 004048FC
016F:005222D3 C3 RET
关键算法CALL(2)
|
016F:005222E4 55 PUSH EBP
016F:005222E5 8BEC MOV EBP,ESP
016F:005222E7 33C9 XOR ECX,ECX
016F:005222E9 51 PUSH ECX
016F:005222EA 51 PUSH ECX
016F:005222EB 51 PUSH ECX
016F:005222EC 51 PUSH ECX
016F:005222ED 51 PUSH ECX
016F:005222EE 51 PUSH ECX
016F:005222EF 53 PUSH EBX
016F:005222F0 56 PUSH ESI
016F:005222F1 8BF2 MOV ESI,EDX
016F:005222F3 8BD8 MOV EBX,EAX //EAX=436016E
016F:005222F5 33C0 XOR EAX,EAX
016F:005222F7 55 PUSH EBP
016F:005222F8 6830245200 PUSH DWORD 00522430
016F:005222FD 64FF30 PUSH DWORD [FS:EAX]
016F:00522300 648920 MOV [FS:EAX],ESP
016F:00522303 81F38776FBDD XOR EBX,DDFB7687 //EBX=436016E xor DDFB7687=D9CD77E9
016F:00522309 8BC3 MOV EAX,EBX
016F:0052230B 33D2 XOR EDX,EDX
016F:0052230D 52 PUSH EDX
016F:0052230E 50 PUSH EAX
016F:0052230F 8D45FC LEA EAX,[EBP-04]
016F:00522312 E8A972EEFF CALL 004095C0 //D9CD77E9转为十进制入[EBP-04]
016F:00522317 8B45FC MOV EAX,[EBP-04] //EAX=3654121449
016F:0052231A 0FB600 MOVZX EAX,BYTE [EAX] //EAX=33
016F:0052231D 8B55FC MOV EDX,[EBP-04] //EDX=3654121449
016F:00522320 0FB65201 MOVZX EDX,BYTE [EDX+01] //EDX=36
016F:00522324 03C2 ADD EAX,EDX //EAX=33+36=69
016F:00522326 B905000000 MOV ECX,05
016F:0052232B 99 CDQ
016F:0052232C F7F9 IDIV ECX //EDX=69 mod 5=0
016F:0052232E 80C266 ADD DL,66 //DL=0+66=66 ★注册码其中一位
016F:00522331 8855F8 MOV [EBP-08],DL
016F:00522334 8B45FC MOV EAX,[EBP-04] //EAX=3654121449
016F:00522337 0FB64002 MOVZX EAX,BYTE [EAX+02] //EAX=35
016F:0052233B 8B55FC MOV EDX,[EBP-04]
016F:0052233E 0FB65203 MOVZX EDX,BYTE [EDX+03] //EDX=34
016F:00522342 03C2 ADD EAX,EDX //EAX=35+34=69
016F:00522344 B905000000 MOV ECX,05
016F:00522349 99 CDQ
016F:0052234A F7F9 IDIV ECX //EDX=69 mod 5=0
016F:0052234C 80C275 ADD DL,75 //DL=0+75=75 ★注册码其中一位
016F:0052234F 8855F9 MOV [EBP-07],DL
016F:00522352 8B45FC MOV EAX,[EBP-04] //EAX=3654121449
016F:00522355 0FB64004 MOVZX EAX,BYTE [EAX+04] //EAX=31
016F:00522359 8B55FC MOV EDX,[EBP-04]
016F:0052235C 0FB65205 MOVZX EDX,BYTE [EDX+05] //EDX=32
016F:00522360 03C2 ADD EAX,EDX //EAX=31+32=63
016F:00522362 B905000000 MOV ECX,05
016F:00522367 99 CDQ
016F:00522368 F7F9 IDIV ECX //EDX=63 mod 5=4
016F:0052236A 80C27A ADD DL,7A //DL=4+7A=7E ★注册码其中一位
016F:0052236D 8855FA MOV [EBP-06],DL
016F:00522370 8B45FC MOV EAX,[EBP-04] //EAX=3654121449
016F:00522373 0FB64006 MOVZX EAX,BYTE [EAX+06] //EAX=31
016F:00522377 8B55FC MOV EDX,[EBP-04]
016F:0052237A 0FB65207 MOVZX EDX,BYTE [EDX+07] //EDX=34
016F:0052237E 03C2 ADD EAX,EDX //EAX=34+31=65
016F:00522380 8B55FC MOV EDX,[EBP-04] //EDX=3654121449
016F:00522383 0FB65208 MOVZX EDX,BYTE [EDX+08] //EDX=34
016F:00522387 03C2 ADD EAX,EDX //EAX=65+34=99
016F:00522389 B905000000 MOV ECX,05
016F:0052238E 99 CDQ
016F:0052238F F7F9 IDIV ECX //EDX=99 mod 5=3
016F:00522391 80C269 ADD DL,69 //DL=69+3=6C ★注册码其中一位
016F:00522394 8855FB MOV [EBP-05],DL
016F:00522397 8D45F4 LEA EAX,[EBP-0C]
016F:0052239A 8A55F8 MOV DL,[EBP-08] //DL=66
016F:0052239D E83A27EEFF CALL 00404ADC //转为ASCII码f
016F:005223A2 8B45F4 MOV EAX,[EBP-0C]
016F:005223A5 8D55FC LEA EDX,[EBP-04]
016F:005223A8 B907000000 MOV ECX,07 //应放在3654121449的第7位
016F:005223AD E8E22AEEFF CALL 00404E94 //实现365412f1449
016F:005223B2 8D45F0 LEA EAX,[EBP-10]
016F:005223B5 8A55FB MOV DL,[EBP-05] //DL=6C
016F:005223B8 E81F27EEFF CALL 00404ADC //转为ASCII码l
016F:005223BD 8B45F0 MOV EAX,[EBP-10]
016F:005223C0 8D55FC LEA EDX,[EBP-04]
016F:005223C3 B903000000 MOV ECX,03 //应放在365412f1449的第3位
016F:005223C8 E8C72AEEFF CALL 00404E94 //实现36l5412f1449
016F:005223CD 8D45EC LEA EAX,[EBP-14]
016F:005223D0 8A55F9 MOV DL,[EBP-07] //DL=75
016F:005223D3 E80427EEFF CALL 00404ADC //转为ASCII码u
016F:005223D8 8B45EC MOV EAX,[EBP-14]
016F:005223DB 8D55FC LEA EDX,[EBP-04]
016F:005223DE B905000000 MOV ECX,05 //应放在36l5412f1449的第5位
016F:005223E3 E8AC2AEEFF CALL 00404E94 //实现36l5u412f1449
016F:005223E8 8D45E8 LEA EAX,[EBP-18]
016F:005223EB 8A55FA MOV DL,[EBP-06] //DL=7E
016F:005223EE E8E926EEFF CALL 00404ADC //转为ASCII码~
016F:005223F3 8B45E8 MOV EAX,[EBP-18]
016F:005223F6 8D55FC LEA EDX,[EBP-04]
016F:005223F9 B909000000 MOV ECX,09 //应放在36l5u412f1449的第9位
016F:005223FE E8912AEEFF CALL 00404E94 //实现36l5u412~f1449
016F:00522403 8BC6 MOV EAX,ESI
016F:00522405 8B55FC MOV EDX,[EBP-04] //EDX=36l5u412~f1449 ★注册码第二部分
016F:00522408 E84325EEFF CALL 00404950
016F:0052240D 33C0 XOR EAX,EAX
016F:0052240F 5A POP EDX
016F:00522410 59 POP ECX
016F:00522411 59 POP ECX
016F:00522412 648910 MOV [FS:EAX],EDX
016F:00522415 6837245200 PUSH DWORD 00522437
016F:0052241A 8D45E8 LEA EAX,[EBP-18]
016F:0052241D BA04000000 MOV EDX,04
016F:00522422 E8F924EEFF CALL 00404920
016F:00522427 8D45FC LEA EAX,[EBP-04]
016F:0052242A E8CD24EEFF CALL 004048FC
016F:0052242F C3 RET
2>总结:
注册码由主要两部分组成,两部分运行不相连,但基本大同。
1)注册码第1部分:
先把输入定单号123456转为16进制1E240,然后1E240 mod 309=2B2,再把结果转为10进制690,就是注册码第一部分。
2)注册码第2部分:
首先利用定单号1E240计算出过渡码436016E,然后再经过一系列计算(计算过程上边我已标明),最后得出注册码第2部分3615u412~f1449
3>推算过程:
注册码第1部分
1E240 mod 309=2B2 (690)
过渡码:1E240 xor B25F1=AC7B1 (706481) 再计算得:70648174
(70648174)436016E xor DDFB7687=D9CD77E9(3654121449)
注册码第2部分
第1位 33(3)
第2位 36(6)
第3位 [(34+31+34) mod 5]+69=6C(l)
第4位 35(5)
第5位 [(35+34) mod 5]+75=75(u)
第6位 34(4)
第7位 31(1)
第8位 32(2)
第9位 [(31+32) mod 5]+7A=7E(~)
第10位 [(33+36) mod 5]+66=66(f)
第11位 31(1)
第12位 34(4)
第13位 34(4)
第14位 39(9)
最后两部分组合: 69036l5u412~f1449
4>内存注册机:
中断地址:005246E8
中断次数:1
第一字节:58
字节长度:1
寄存器方式:EDX *内存方式*
5>破后总结:
其实本软件早在两天前已经被刀刀兄弟做出内存注册机,我纯粹是为了学习才看算法的,因为我也是新手,所以写的尽量的简单,希望老鸟们不要笑我罗嗦。
如果大家能从我这篇文章中学到点什么,那么我的目的也就达到了。
感冒了,该吃药了.....
=====================================================================
【工程声明】本过程只供内部学习之用!如要转载请保持过程完整!
=====================================================================
此文来自于:百家学院 (http://www.9php.com),获取更多同类文章请访问以上网站.