A Simple Algorithm: 工会图书管理系统 (Trade Union Library Management System) V1.0

Date: 2004/10/15 0:55:00  Source: compiled by this site  Author: 蓝点

 


Software size: 486K
Download page: http://www.wtybook.com/GHOSTAR

【Software description】: library management system

【Software restriction】: it must be registered, otherwise it cannot be used

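【Author's statement】: I am new to cracking and do this purely out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!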

【Tools】: TRW2000 (娃娃 modified edition), FI 2.5, CasprGui, W32Dasm 8.93 Gold Edition

—————————————————————————————————
【Process】:


GhBook.exe is packed with ASProtect 1.1; unpack it with CasprGui. 485K -> 1.21M. Written in Delphi.

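Disassemble it and search for the key message string "对不起, 此软件已被锁定!" ("Sorry, this software has been locked!"), which is referenced at 4FC7AB.
Analyzing upward from there, the key point is easy to find.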

Activation verification code: 21291120 (supplied by the program)
Activation code - CD number: 1357-0 (trial code)

—————————————————————————————————
* Possible StringData Ref from Data Obj ->"您的激活验证号码:"
|
:004FC648 BA90C74F00 mov edx, 004FC790
:004FC64D E8267AF0FF call 00404078
:004FC652 8B55F4 mov edx, dword ptr [ebp-0C]
:004FC655 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004FC65B E87873F3FF call 004339D8
:004FC660 33C0 xor eax, eax
:004FC662 55 push ebp
:004FC663 6829C74F00 push 004FC729
:004FC668 64FF30 push dword ptr fs:[eax]
:004FC66B 648920 mov dword ptr fs:[eax], esp
:004FC66E 8BC3 mov eax, ebx
:004FC670 8B10 mov edx, dword ptr [eax]
:004FC672 FF92D8000000 call dword ptr [edx+000000D8]
:004FC678 48 dec eax
:004FC679 7559 jne 004FC6D4
:004FC67B 8D55EC lea edx, dword ptr [ebp-14]
:004FC67E 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004FC684 E81F73F3FF call 004339A8
:004FC689 8B45EC mov eax, dword ptr [ebp-14]
:004FC68C E8FFFAFFFF call 004FC190
:004FC691 84C0 test al, al
:004FC693 740E je 004FC6A3
:004FC695 8D55FC lea edx, dword ptr [ebp-04]
:004FC698 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004FC69E E80573F3FF call 004339A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC693(C)
|
:004FC6A3 8D55E8 lea edx, dword ptr [ebp-18]
:004FC6A6 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:004FC6AC E8F772F3FF call 004339A8
:004FC6B1 8B45E8 mov eax, dword ptr [ebp-18]
:004FC6B4 E8D7FAFFFF call 004FC190
:004FC6B9 84C0 test al, al
:004FC6BB 740E je 004FC6CB
:004FC6BD 8D55F8 lea edx, dword ptr [ebp-08]
:004FC6C0 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:004FC6C6 E8DD72F3FF call 004339A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC6BB(C)
|
:004FC6CB 8BC3 mov eax, ebx
:004FC6CD E8762CF5FF call 0044F348
:004FC6D2 EB13 jmp 004FC6E7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC679(C)
|
:004FC6D4 A120EB4F00 mov eax, dword ptr [004FEB20]
:004FC6D9 8B00 mov eax, dword ptr [eax]
:004FC6DB E8AC63F5FF call 00452A8C
:004FC6E0 8BC3 mov eax, ebx
:004FC6E2 E8612CF5FF call 0044F348

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC6D2(U)
|
:004FC6E7 8B55F8 mov edx, dword ptr [ebp-08]
====>EDX=0, the CD number

:004FC6EA 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=1357, the activation code

:004FC6ED E8BEFBFFFF call 004FC2B0
====>The key CALL! Step into it!

:004FC6F2 84C0 test al, al
:004FC6F4 7424 je 004FC71A
====>If this jump is taken, it's OVER!

:004FC6F6 B89CFA4F00 mov eax, 004FFA9C
:004FC6FB 8B55FC mov edx, dword ptr [ebp-04]
:004FC6FE E8FD76F0FF call 00403E00
:004FC703 B8A0FA4F00 mov eax, 004FFAA0
:004FC708 8B55F8 mov edx, dword ptr [ebp-08]
:004FC70B E8F076F0FF call 00403E00
:004FC710 33C0 xor eax, eax
:004FC712 5A pop edx
:004FC713 59 pop ecx
:004FC714 59 pop ecx
:004FC715 648910 mov dword ptr fs:[eax], edx
:004FC718 EB1E jmp 004FC738
====>Heh, jumping to victory!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC6F4(C)
|
:004FC71A E885000000 call 004FC7A4
:004FC71F 33C0 xor eax, eax
:004FC721 5A pop edx
:004FC722 59 pop ecx
:004FC723 59 pop ecx
:004FC724 648910 mov dword ptr fs:[eax], edx
:004FC727 EB0F jmp 004FC738
:004FC729 E9C26DF0FF jmp 004034F0
:004FC72E E871000000 call 004FC7A4


* Referenced by a CALL at Addresses:
|:004FC71A , :004FC72E
|
:004FC7A4 6A10 push 00000010
:004FC7A6 68C4C74F00 push 004FC7C4

* Possible StringData Ref from Data Obj ->"对不起, 此软件已被锁定!"
====>BAD BOY!

:004FC7AB 68CCC74F00 push 004FC7CC


—————————————————————————————————
Press F8 to step into the algorithm CALL: 4FC6ED call 004FC2B0


* Referenced by a CALL at Addresses:
|:004FC5B2 , :004FC6ED
|
:004FC2B0 55 push ebp
:004FC2B1 8BEC mov ebp, esp
:004FC2B3 83C4F0 add esp, FFFFFFF0
:004FC2B6 53 push ebx
:004FC2B7 56 push esi
:004FC2B8 33C9 xor ecx, ecx
:004FC2BA 894DF4 mov dword ptr [ebp-0C], ecx
:004FC2BD 894DF0 mov dword ptr [ebp-10], ecx
:004FC2C0 8955F8 mov dword ptr [ebp-08], edx
:004FC2C3 8945FC mov dword ptr [ebp-04], eax
:004FC2C6 8B45FC mov eax, dword ptr [ebp-04]
:004FC2C9 E8127FF0FF call 004041E0
:004FC2CE 8B45F8 mov eax, dword ptr [ebp-08]
:004FC2D1 E80A7FF0FF call 004041E0
:004FC2D6 33C0 xor eax, eax
:004FC2D8 55 push ebp
:004FC2D9 6857C34F00 push 004FC357
:004FC2DE 64FF30 push dword ptr fs:[eax]
:004FC2E1 648920 mov dword ptr fs:[eax], esp
:004FC2E4 8B45FC mov eax, dword ptr [ebp-04]
:004FC2E7 E884DAF0FF call 00409D70
====>Convert 1357 to its hexadecimal value

:004FC2EC 8BC8 mov ecx, eax
1. ====>EAX=54D(H)=1357(D)

:004FC2EE 8BC1 mov eax, ecx
:004FC2F0 2DBF020000 sub eax, 000002BF
2. ====>EAX=54D-2BF=28E

:004FC2F5 B903000000 mov ecx, 00000003
====>3 is loaded into ECX

:004FC2FA 99 cdq
:004FC2FB F7F9 idiv ecx
3. ====>EAX=28E/3=DA

:004FC2FD 8BD8 mov ebx, eax
====>EBX=EAX=DA

:004FC2FF 81EB87000000 sub ebx, 00000087
4. ====>EBX=DA-87=53

:004FC305 D1FB sar ebx, 1
5. ====>EBX=53 shifted right by 1 bit=29

:004FC307 7903 jns 004FC30C
:004FC309 83D300 adc ebx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC307(C)
|
:004FC30C 8B45F8 mov eax, dword ptr [ebp-08]
====>0 is loaded into EAX, i.e. the CD number

:004FC30F E85CDAF0FF call 00409D70
====>Convert it to its hexadecimal value

:004FC314 8BF0 mov esi, eax
====>ESI=EAX=0

:004FC316 8D55F4 lea edx, dword ptr [ebp-0C]
:004FC319 8BC3 mov eax, ebx
====>EAX=EBX=29

:004FC31B 2BC6 sub eax, esi
6. ====>EAX=29-0=29
That is, the 29 obtained above from the input 1357, minus the hexadecimal value of the CD number!

:004FC31D E8AED9F0FF call 00409CD0
====>Convert 29 to its decimal value: 41

:004FC322 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=41

:004FC325 50 push eax
:004FC326 8D45F0 lea eax, dword ptr [ebp-10]
:004FC329 E80AFFFFFF call 004FC238
:004FC32E 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=21291120, i.e. my activation verification code

:004FC331 58 pop eax
:004FC332 E8057EF0FF call 0040413C
====>The comparison CALL! Step into it!

:004FC337 0F94C0 sete al
====>Set the flag!

:004FC33A 8BD8 mov ebx, eax
:004FC33C 33C0 xor eax, eax
:004FC33E 5A pop edx
:004FC33F 59 pop ecx
:004FC340 59 pop ecx
:004FC341 648910 mov dword ptr fs:[eax], edx
:004FC344 685EC34F00 push 004FC35E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC35C(U)
|
:004FC349 8D45F0 lea eax, dword ptr [ebp-10]
:004FC34C BA04000000 mov edx, 00000004
:004FC351 E87A7AF0FF call 00403DD0
:004FC356 C3 ret

—————————————————————————————————
Press F8 to step into the comparison CALL: 4FC332 call 0040413C


* Referenced by a CALL at Addresses:
|:00413C97 , :00418AAB , :00419F4B , :0041F3DD , :00420728
…… …… omitted …… ……


:0040413C 53 push ebx
:0040413D 56 push esi
:0040413E 57 push edi
:0040413F 89C6 mov esi, eax
:00404141 89D7 mov edi, edx
:00404143 39D0 cmp eax, edx
====>EAX=41
====>EDX=21291120
The final result of the calculation above is compared with the activation verification code; if they are the same, OK!

:00404145 0F848F000000 je 004041DA
:0040414B 85F6 test esi, esi
:0040414D 7468 je 004041B7
:0040414F 85FF test edi, edi
:00404151 746B je 004041BE
:00404153 8B46FC mov eax, dword ptr [esi-04]
:00404156 8B57FC mov edx, dword ptr [edi-04]
:00404159 29D0 sub eax, edx
:0040415B 7702 ja 0040415F


—————————————————————————————————
【Algorithm summary】:


The algorithm is not complicated; simply inverting it yields the corresponding registration code.

Let the activation verification code be S, the activation code be K1, the CD number be K2, and the result of the operations on K1 be KK.


1. KK-K2 = S is the condition for success!
I fixed K2 at 0 (heh, it saves some work), so KK-0=144E070(H)=21291120(D)

2. Invert the right shift by 1 bit from step 5: 144E070*2=289C0E0

3. Invert step 4: 289C0E0+87=289C167

4. Invert step 3: 289C167*3=79D4435

5. Invert step 2: 79D4435+2BF=79D46F4

6. Invert step 1: the decimal value of 79D46F4 = 127747828

Heh, and with that, my activation code is found: K1=127747828
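
The routine at 004FC2B0 as traced above, written out as a forward model so the annotated register values and the summary's result can be checked. This is an added example, not code from the program or from the author; the function names are hypothetical and 32-bit wraparound is not modeled.

```python
# Added forward model of the check at 004FC2B0. Function names are
# hypothetical; the constants 0x2BF, 3 and 0x87 are taken from the listing.
# Assumption: values stay within 32 bits, so wraparound is not modeled.

def trunc_div(n, d):
    """Signed division that truncates toward zero, like x86 idiv."""
    q = abs(n) // abs(d)
    return q if (n >= 0) == (d > 0) else -q

def transform(k1):
    """Steps 1-5 of the trace; returns every intermediate value."""
    s = {"parsed": k1}                         # 1: call 00409D70 (string -> integer)
    s["sub_2bf"] = s["parsed"] - 0x2BF         # 2: sub eax, 000002BF
    s["div_3"] = trunc_div(s["sub_2bf"], 3)    # 3: cdq / idiv ecx
    s["sub_87"] = s["div_3"] - 0x87            # 4: sub ebx, 00000087
    # 5: sar ebx,1 / jns / adc ebx,0 is a signed divide by 2 rounding toward zero
    s["kk"] = trunc_div(s["sub_87"], 2)
    return s

def check(activation_code, cd_number, verification_code):
    """Step 6 plus the compare at 0040413C (decimal strings compared)."""
    kk = transform(int(activation_code))["kk"]
    return str(kk - int(cd_number)) == str(verification_code)

if __name__ == "__main__":
    # Reproduce the annotated trace for the trial input 1357-0.
    for name, value in transform(1357).items():
        print(f"{name:8s} = {value:#x}")
    print(check("1357", "0", "21291120"))
```

Every input to the comparison is visible on the client and the transform contains no secret, which is why the step-by-step inversion in the summary succeeds. A check that verifies a signature made with a key kept off the client does not have this property.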


—————————————————————————————————
【Where the registration information is stored】:


REGEDIT4

[HKEY_CURRENT_USER\Software\GHOStar\Main]
"F1"="127747828"
"F2"="0"


    
    
     
    
    
     

人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程