[转载]注册宇宙图象创作大师Universe Image Creator v1.6
<P>文章作者: qduwg</P><P><FONT face=宋体>题目:注册宇宙图象创作大师UniverseImageCreatorv1.6<BR>软件介绍:经过试用,发现这个美国人开发的软件可以使用各种现成的模板创作出令人目眩的宇宙空间图象,不用3分钟,一个<BR><BR>神秘的宇宙美景就出现在您的眼前了,太令人惊奇了。未注册版本无法使用一些太空物体图象,比如旋涡,行星,镜头眩光效<BR><BR>果,银河系等等。还有许多太空现象可以用来创建一个适当的完美的太空景象,比如星云,各种颜色的星星,星际气团,球状<BR><BR>星团等等。非常棒的软件。<BR><BR>破解目的:分析注册码算法逻辑,找出注册码。<BR>破解工具:SoftICE,PEID。<BR><BR>引子:今天安装了这个软件试用一下,发现软件虽小,功能强大。可是没有注册的版本无法使用好几个比较关键的图象模板,<BR><BR>比如银河系等,如果没有这些关键素材,制作的图象效果就差远了。所以,我们还是把它注册了吧。否则无法使用这些漂亮的<BR><BR>模板元素,真是一个不小的遗憾呢!!下面开始。拿出PEID查看是否加壳。发现没有加壳,用VC++开发。运行软件,点击help<BR><BR>,然后点击Register,输入UserName是wanggang,UserKey是654321。调出SOFTICE,下断点bpxgetwindowtexta,按一次F11来<BR><BR>到主程序。<BR><BR>00462C8B|.FF15A8854700CALLDWORDPTRDS:[<&USER32.GetWindowTextA>]<BR>00462C91|.8D4518LEAEAX,DWORDPTRSS:[EBP+18]//我们来到这里<BR>00462C94|.50PUSHEAX<BR>00462C95|.8D45E0LEAEAX,DWORDPTRSS:[EBP-20]<BR>00462C98|.FF7510PUSHDWORDPTRSS:[EBP+10]<BR>00462C9B|.50PUSHEAX<BR>00462C9C|.E822FFFFFFCALLUNIVERSE.00462BC3//我们看看这个函数干什么。<BR>00462CA1|.85C0TESTEAX,EAX<BR>00462CA3|.752FJNZSHORTUNIVERSE.00462CD4<BR>============================================================<BR>00462BC3/$55PUSHEBP<BR>00462BC4|.8BECMOVEBP,ESP<BR>*省去多行<BR>00462C01|.E8C602FEFFCALLUNIVERSE.00442ECC//F8跟入这个函数<BR>00462C06|.EB11JMPSHORTUNIVERSE.00462C19<BR>00462C08|>80FB2DCMPBL,2D<BR>00462C0B|.743DJESHORTUNIVERSE.00462C4A<BR>00462C0D|.8D4508LEAEAX,DWORDPTRSS:[EBP+8]<BR>============================================================<BR>00442ECC/$6A00PUSH0<BR>00442ECE|.FF742410PUSHDWORDPTRSS:[ESP+10]<BR>00442ED2|.FF742410PUSHDWORDPTRSS:[ESP+10]<BR>00442ED6|.FF742410PUSHDWORDPTRSS:[ESP+10]<BR>00442EDA|.E804000000CALLUNIVERSE.00442EE3//F8跟入这个函数<BR>00442EDF|.83C410ADDESP,10<BR>00442EE2\.C3RETN<BR>============================================================<BR>00442ECC/$6A00PUSH0<BR>*省去多行<BR>00442EF3|.8A1FMOVBL,BYTEPTRDS:[EDI]//第一位注册码送BL。<BR>00442EF5|.8D7701LEAESI,DWORDPTRDS:[EDI+1]//第二位假码地址送ESI。<BR>00442EF8|.8975FCMOVDWORDPTRSS:[EBP-4],ESI<BR>00442EFB|>833D60154900>/CMPDWORDPTRDS:[491560],1<BR>*省去几行<BR>00442F13|>8B0D54134900|MOVECX,DWORDPTRDS:[491354]<BR>00442F19|.0FB6C3|MOVZXEAX,BL//第一位假码扩展后送EAX。<BR>00442F1C|.8A0441|MOVAL,BYTEPTRDS:[ECX+EAX*2]//参与地址计算,找到一个值84h送AL。<BR>00442F1F|.83E008|ANDEAX,8//与8相与。<BR>00442F22|>85C0|TESTEAX,EAX<BR>00442F24|.7405|JESHORTUNIVERSE.00442F2B//此处顺其自然跳。<BR>00442F26|.8A1E|MOVBL,BYTEPTRDS:[ESI]<BR>00442F28|.46|INCESI<BR>00442F29|.^EBD0\JMPSHORTUNIVERSE.00442EFB<BR>00442F2B|>80FB2DCMPBL,2D//第一位假码与2D比较。<BR>00442F2E|.8975FCMOVDWORDPTRSS:[EBP-4],ESI<BR>00442F31|.7506JNZSHORTUNIVERSE.00442F39//此处顺其自然跳。<BR>00442F33|.834D1402ORDWORDPTRSS:[EBP+14],2<BR>00442F37|.EB05JMPSHORTUNIVERSE.00442F3E<BR>00442F39|>80FB2BCMPBL,2B//第一位假码与2B比较。<BR>00442F3C|.7506JNZSHORTUNIVERSE.00442F44//此处顺其自然跳。<BR>00442F3E|>8A1EMOVBL,BYTEPTRDS:[ESI]<BR>00442F40|.46INCESI<BR>00442F41|.8975FCMOVDWORDPTRSS:[EBP-4],ESI<BR>00442F44|>8B4510MOVEAX,DWORDPTRSS:[EBP+10]//把一个常量'A'送EAX<BR>00442F47|.85C0TESTEAX,EAX<BR>00442F49|.0F8C89010000JLUNIVERSE.004430D8<BR>00442F4F|.83F801CMPEAX,1<BR>00442F52|.0F8480010000JEUNIVERSE.004430D8<BR>00442F58|.83F824CMPEAX,24<BR>00442F5B|.0F8F77010000JGUNIVERSE.004430D8//如果EAX大于24H则跳。<BR>00442F61|.6A10PUSH10<BR>00442F63|.85C0TESTEAX,EAX<BR>00442F65|.59POPECX<BR>00442F66|.7524JNZSHORTUNIVERSE.00442F8C//此处跳。<BR>*省略几行<BR>00442F8C|>394D10CMPDWORDPTRSS:[EBP+10],ECX//常量'A'与16h比较。<BR>00442F8F|.7517JNZSHORTUNIVERSE.00442FA8//不等则跳走。<BR>*省略几行<BR>00442FA8|>83C8FFOREAX,FFFFFFFF//'A'与常量-1或运算。<BR>00442FAB|.33D2XOREDX,EDX<BR>00442FAD|.F77510DIVDWORDPTRSS:[EBP+10]//EAX=EAX/A<BR>00442FB0|.BF03010000MOVEDI,103<BR>00442FB5|.8945F4MOVDWORDPTRSS:[EBP-C],EAX//EAX=19999999h<BR>00442FB8|>833D60154900>/CMPDWORDPTRDS:[491560],1<BR>00442FBF|.0FB6F3|MOVZXESI,BL<BR>00442FC2|.7E0C|JLESHORTUNIVERSE.00442FD0//自然跳走。<BR>*****<BR>00442FD0|>A154134900|MOVEAX,DWORDPTRDS:[491354]//一地址送EAX。<BR>00442FD5|.8A0470|MOVAL,BYTEPTRDS:[EAX+ESI*2]//取出一个84h送AL。<BR>00442FD8|.83E004|ANDEAX,4<BR>00442FDB|>85C0|TESTEAX,EAX<BR>00442FDD|.7408|JESHORTUNIVERSE.00442FE7<BR>00442FDF|.0FBECB|MOVSXECX,BL//第一位假码符号扩展后送ECX。<BR>00442FE2|.83E930|SUBECX,30//减去30h,变成16进制数。<BR>00442FE5|.EB32|JMPSHORTUNIVERSE.00443019//跳走。<BR>*****<BR>00443019|>3B4D10|CMPECX,DWORDPTRSS:[EBP+10]//ECX与常量'A'比较。ECX=6。<BR>0044301C|.7336|JNBSHORTUNIVERSE.00443054<BR>0044301E|.8B75F8|MOVESI,DWORDPTRSS:[EBP-8]<BR>00443021|.834D1408|ORDWORDPTRSS:[EBP+14],8<BR>00443025|.3B75F4|CMPESI,DWORDPTRSS:[EBP-C]//ESI与19999999h比较。<BR>00443028|.7214|JBSHORTUNIVERSE.0044303E//跳走。<BR>*****<BR>0044303E|>0FAF7510|IMULESI,DWORDPTRSS:[EBP+10]//ESI与常量'A'相乘,就是扩大10倍。<BR>00443042|.03F1|ADDESI,ECX//把ECX加到ESI<BR>00443044|.8975F8|MOVDWORDPTRSS:[EBP-8],ESI//保存累加和<BR>00443047|>8B45FC|MOVEAX,DWORDPTRSS:[EBP-4]//下一位假码的地址送EAX。<BR>0044304A|.FF45FC|INCDWORDPTRSS:[EBP-4]//假码地址增1。<BR>0044304D|.8A18|MOVBL,BYTEPTRDS:[EAX]//下位假码送BL。<BR>0044304F|.^E964FFFFFF\JMPUNIVERSE.00442FB8//循环到上面。<BR>注:上面这个循环就是把你的假码换算为16进制。比如654321被转换为9FBF1h。下面继续;<BR>00443090|.3975F8CMPDWORDPTRSS:[EBP-8],ESI//ESI与7FFFFFFF比较。<BR>00443093|.7627JBESHORTUNIVERSE.004430BC//当然ESI不大于7FFFFFFF则跳走。<BR>*****<BR>004430BC|>85DBTESTEBX,EBX<BR>004430BE|.7405JESHORTUNIVERSE.004430C5<BR>004430C0|.8B45FCMOVEAX,DWORDPTRSS:[EBP-4]<BR>004430C3|.8903MOVDWORDPTRDS:[EBX],EAX<BR>004430C5|>F6451402TESTBYTEPTRSS:[EBP+14],2<BR>004430C9|.7408JESHORTUNIVERSE.004430D3<BR>004430CB|.8B45F8MOVEAX,DWORDPTRSS:[EBP-8]<BR>004430CE|.F7D8NEGEAX<BR>004430D0|.8945F8MOVDWORDPTRSS:[EBP-8],EAX<BR>004430D3|>8B45F8MOVEAX,DWORDPTRSS:[EBP-8]//EAX=假码十六进制的结果。<BR>============================================================<BR>下面返回到下面代码处:<BR>0040AC80|.8B8898000000MOVECX,DWORDPTRDS:[EAX+98]<BR>0040AC86|.51PUSHECX<BR>0040AC87|.8B55F4MOVEDX,DWORDPTRSS:[EBP-C]<BR>0040AC8A|.81C29C000000ADDEDX,9C<BR>0040AC90|.52PUSHEDX<BR>0040AC91|.B950794900MOVECX,UNIVERSE.00497950<BR>0040AC96|.E8F3C00000CALLUNIVERSE.00416D8E//F8跟入这个CALL。<BR>******<BR>00416DA5|>8B4DFCMOVECX,DWORDPTRSS:[EBP-4]<BR>00416DA8|.8B5110MOVEDX,DWORDPTRDS:[ECX+10]<BR>00416DAB|.8955F8MOVDWORDPTRSS:[EBP-8],EDX<BR>00416DAE|>8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>00416DB1|.50PUSHEAX<BR>00416DB2|.E88DFAFFFFCALLUNIVERSE.00416844//F8跟入这个CALL。<BR>============================================================<BR>我们经过一番周折来到下面:<BR>00416D1F|.E80C9E0200|CALLUNIVERSE.00440B30//这个函数处理一个串Qmvtinn!\QD:8^,返回串长E。<BR>00416D24|.83C404|ADDESP,4<BR>00416D27|.3945E8|CMPDWORDPTRSS:[EBP-18],EAX<BR>00416D2A|.7D25|JGESHORTUNIVERSE.00416D51<BR>00416D2C|.8B550C|MOVEDX,DWORDPTRSS:[EBP+C]<BR>00416D2F|.0355E8|ADDEDX,DWORDPTRSS:[EBP-18]<BR>00416D32|.0FBE02|MOVSXEAX,BYTEPTRDS:[EDX]//依次取上述串每一位送EAX。<BR>00416D35|.83E801|SUBEAX,1//把每一位都统统减1。<BR>00416D38|.50|PUSHEAX<BR>00416D39|.6A00|PUSH0<BR>00416D3B|.8D4DF0|LEAECX,DWORDPTRSS:[EBP-10]<BR>00416D3E|.E8C8F30300|CALLUNIVERSE.0045610B//把减一后的值送指定地址保存。<BR>00416D43|.8D4DF0|LEAECX,DWORDPTRSS:[EBP-10]<BR>00416D46|.51|PUSHECX<BR>00416D47|.8D4DEC|LEAECX,DWORDPTRSS:[EBP-14]<BR>00416D4A|.E8A0F20300|CALLUNIVERSE.00455FEF<BR>00416D4F|.^EBC1\JMPSHORTUNIVERSE.00416D12//如果未完继续循环。最后上述串变为:Plushmm[PC97]<BR>00416D51|>8D55ECLEAEDX,DWORDPTRSS:[EBP-14]//取新串地址。<BR>00416D54|.52PUSHEDX<BR>00416D55|.8B4D08MOVECX,DWORDPTRSS:[EBP+8]<BR>00416D58|.E87CEC0300CALLUNIVERSE.004559D9<BR>00416D5D|.8B45E4MOVEAX,DWORDPTRSS:[EBP-1C]<BR>00416D60|.0C01ORAL,1<BR>00416D62|.8945E4MOVDWORDPTRSS:[EBP-1C],EAX<BR>00416D65|.C645FC01MOVBYTEPTRSS:[EBP-4],1<BR>00416D69|.8D4DF0LEAECX,DWORDPTRSS:[EBP-10]<BR>00416D6C|.E8F3EE0300CALLUNIVERSE.00455C64<BR>00416D71|.C645FC00MOVBYTEPTRSS:[EBP-4],0<BR>============================================================<BR>我们经过一番周折来到下面,也是重头戏:<BR>00416880|.8B55C8MOVEDX,DWORDPTRSS:[EBP-38]//新串地址送EDX<BR>00416883|.52PUSHEDX<BR>00416884|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]//用户名地址送EAX<BR>00416887|.50PUSHEAX<BR>00416888|.E893070000CALLUNIVERSE.00417020//大概进行比较上述串。<BR>****<BR>004168B3|>E8183E0100CALLUNIVERSE.0042A6D0//取用户名串长。<BR>004168B8|.8945DCMOVDWORDPTRSS:[EBP-24],EAX<BR>004168BB|.C745F0000000>MOVDWORDPTRSS:[EBP-10],0<BR>004168C2|.C745E0010000>MOVDWORDPTRSS:[EBP-20],1<BR>004168C9|.C745E4000000>MOVDWORDPTRSS:[EBP-1C],0<BR>004168D0|.EB09JMPSHORTUNIVERSE.004168DB<BR>****<BR>004168EF|.E80C070000|CALLUNIVERSE.00417000//依次取用户名字符,在AL返回。<BR>004168F4|.0FBEC8|MOVSXECX,AL//把字符送ECX。<BR>004168F7|.894DD8|MOVDWORDPTRSS:[EBP-28],ECX//把ECX送内存保存。<BR>004168FA|.8B55F0|MOVEDX,DWORDPTRSS:[EBP-10]//累加和送EDX<BR>004168FD|.0355D8|ADDEDX,DWORDPTRSS:[EBP-28]//EDX=EDX+用户名字符<BR>00416900|.8955F0|MOVDWORDPTRSS:[EBP-10],EDX//送回保存。<BR>00416903|.8B45E4|MOVEAX,DWORDPTRSS:[EBP-1C]//这个值关键,决定后面的运算。<BR>00416906|.2501000080|ANDEAX,80000001<BR>0041690B|.7905|JNSSHORTUNIVERSE.00416912//非负数则跳。<BR>0041690D|.48|DECEAX//否则,EAX减1。<BR>0041690E|.83C8FE|OREAX,FFFFFFFE//EAX与此常量或运算。<BR>00416911|.40|INCEAX//EAX加1。<BR>00416912|>85C0|TESTEAX,EAX<BR>00416914|.7409|JESHORTUNIVERSE.0041691F//若为0则跳。<BR>00416916|.C745E0FFFFFF>|MOVDWORDPTRSS:[EBP-20],-1//根据前面不同情况跳转,设置1或者-1<BR>0041691D|.EB07|JMPSHORTUNIVERSE.00416926<BR>0041691F|>C745E0010000>|MOVDWORDPTRSS:[EBP-20],1<BR>00416926|>8B4DE0|MOVECX,DWORDPTRSS:[EBP-20]//前面设置的1或者-1送ECX。<BR>00416929|.0FAF4DD8|IMULECX,DWORDPTRSS:[EBP-28]//ECX=ECX*每位用户名字符。<BR>0041692D|.8B55F0|MOVEDX,DWORDPTRSS:[EBP-10]//累加和取出送EDX。<BR>00416930|.03D1|ADDEDX,ECX//EDX=EDX+ECX。<BR>00416932|.8955F0|MOVDWORDPTRSS:[EBP-10],EDX//累加结果送回保存。<BR>00416935|.^EB9B\JMPSHORTUNIVERSE.004168D2//没有处理完继续循环。<BR>00416937|>8B45F0MOVEAX,DWORDPTRSS:[EBP-10]//用户名累加结果送EAX。<BR>0041693A|.8945E8MOVDWORDPTRSS:[EBP-18],EAX//用户名累加结果送[EBP-18]保存。<BR>0041693D|.8B4DF0MOVECX,DWORDPTRSS:[EBP-10]//累加和送ECX。<BR>00416940|.0FAF4DF0IMULECX,DWORDPTRSS:[EBP-10]//ECX=ECX*ECX。<BR>00416944|.894DF0MOVDWORDPTRSS:[EBP-10],ECX//乘方结果送回。<BR>00416947|.8B55F0MOVEDX,DWORDPTRSS:[EBP-10]//乘方结果送EDX。<BR>0041694A|.0355E8ADDEDX,DWORDPTRSS:[EBP-18]//EDX=EDX+用户名累加和。<BR>0041694D|.8955F0MOVDWORDPTRSS:[EBP-10],EDX//EDX结果送回保存。<BR>00416950|.8B45F0MOVEAX,DWORDPTRSS:[EBP-10]<BR>00416953|.50PUSHEAX<BR>00416954|.E8673D0100CALLUNIVERSE.0042A6C0//保存EAX到指定单元。<BR>00416959|.83C404ADDESP,4<BR>0041695C|.C745E4000000>MOVDWORDPTRSS:[EBP-1C],0<BR>00416963|.EB09JMPSHORTUNIVERSE.0041696E<BR>00416965|>8B4DE4/MOVECX,DWORDPTRSS:[EBP-1C]//下面是处理上述运算结果的循环。<BR>00416968|.83C101|ADDECX,1<BR>0041696B|.894DE4|MOVDWORDPTRSS:[EBP-1C],ECX<BR>0041696E|>8B55E4MOVEDX,DWORDPTRSS:[EBP-1C]//循环次数<BR>00416971|.3B1508784900|CMPEDX,DWORDPTRDS:[497808]//是否已经到达次数。<BR>00416977|.7D07|JGESHORTUNIVERSE.00416980//如果循环次数已到,跳出循环。<BR>00416979|.E8623D0100|CALLUNIVERSE.0042A6E0//我们进入这个CALL看看,代码见后面。(*)<BR>0041697E|.^EBE5\JMPSHORTUNIVERSE.00416965//如果没有结束,继续循环。<BR>00416980|>E85B3D0100CALLUNIVERSE.0042A6E0//保存计算结果到指定内存单元[48e7f8],这个就是正确<BR><BR>注册码的16进制数。<BR>00416985|.8945ECMOVDWORDPTRSS:[EBP-14],EAX<BR>00416988|.8B45DCMOVEAX,DWORDPTRSS:[EBP-24]<BR>0041698B|.50PUSHEAX<BR>0041698C|.E82F3D0100CALLUNIVERSE.0042A6C0//保存EAX到指定单元[48e7f8],这个不是正确注册码了。<BR>============================================================<BR>先看(*)处的函数:<BR>0042A6E0/$A1E8E74800MOVEAX,DWORDPTRDS:[48E7E8]<BR>0042A6E5|.68400CB378PUSH78B30C40<BR>0042A6EA|.99CDQ<BR>0042A6EB|.6A00PUSH0<BR>0042A6ED|.680DA4A225PUSH25A2A40D<BR>0042A6F2|.52PUSHEDX<BR>0042A6F3|.50PUSHEAX<BR>0042A6F4|.E877710100CALLUNIVERSE.00441870//F8跟入这个函数,代码在后面。(**)<BR>0042A6F9|.83C001ADDEAX,1//返回的EAX加1。变成了1CE5C035h。<BR>0042A6FC|.83D200ADCEDX,0<BR>0042A6FF|.52PUSHEDX<BR>0042A700|.50PUSHEAX<BR>0042A701|.E85A000000CALLUNIVERSE.0042A760//F8跟入这个函数,代码在后面。(***)<BR>0042A706|.83C40CADDESP,0C<BR>0042A709|.A3E8E74800MOVDWORDPTRDS:[48E7E8],EAX//返回的结果保存在:[48E7E8]内。<BR>0042A70E\.C3RETN<BR>下面是(**)处的函数:<BR>00441870/$8B442408MOVEAX,DWORDPTRSS:[ESP+8]<BR>00441874|.8B4C2410MOVECX,DWORDPTRSS:[ESP+10]<BR>00441878|.0BC8ORECX,EAX<BR>0044187A|.8B4C240CMOVECX,DWORDPTRSS:[ESP+C]//ECX为一常数:25A2A40Dh<BR>0044187E|.7509JNZSHORTUNIVERSE.00441889<BR>00441880|.8B442404MOVEAX,DWORDPTRSS:[ESP+4]//EAX为前面用户名处理后的结果。比如wanggang处理后为<BR><BR>BF004。<BR>00441884|.F7E1MULECX//EAX=EAX*ECX。例如:EAX=25A2A40Dh*BF004=1CE5C034h。<BR>00441886|.C21000RETN10<BR>下面是(***)处的函数:<BR>0042A760/$55PUSHEBP<BR>0042A761|.8BECMOVEBP,ESP<BR>0042A763|.53PUSHEBX<BR>0042A764|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]//EAX=前面得到的结果1CE5C035h。<BR>0042A767|.8B550CMOVEDX,DWORDPTRSS:[EBP+C]//EDX=一个常数1C146。<BR>0042A76A|.8B5D10MOVEBX,DWORDPTRSS:[EBP+10]//EBX=一个常数78B30C40。<BR>0042A76D|.F7F3DIVEBX//EAX,EDX联合为一个8字节数,除以EBX。<BR>0042A76F|.8BC2MOVEAX,EDX//余数送EAX保存。<BR>0042A771|.5BPOPEBX<BR>0042A772|.5DPOPEBP<BR>0042A773\.C3RETN<BR>============================================================<BR>上面用户名进行运算完毕,程序流程来到下面:<BR>00416D8E/$55PUSHEBP<BR>00416D8F|.8BECMOVEBP,ESP<BR>00416D91|.83EC08SUBESP,8<BR>00416D94|.894DFCMOVDWORDPTRSS:[EBP-4],ECX<BR>00416D97|.837D0C00CMPDWORDPTRSS:[EBP+C],0<BR>00416D9B|.7E08JLESHORTUNIVERSE.00416DA5<BR>00416D9D|.8B450CMOVEAX,DWORDPTRSS:[EBP+C]<BR>00416DA0|.8945F8MOVDWORDPTRSS:[EBP-8],EAX<BR>00416DA3|.EB09JMPSHORTUNIVERSE.00416DAE<BR>00416DA5|>8B4DFCMOVECX,DWORDPTRSS:[EBP-4]<BR>00416DA8|.8B5110MOVEDX,DWORDPTRDS:[ECX+10]<BR>00416DAB|.8955F8MOVDWORDPTRSS:[EBP-8],EDX<BR>00416DAE|>8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>00416DB1|.50PUSHEAX<BR>00416DB2|.E88DFAFFFFCALLUNIVERSE.00416844<BR>00416DB7|.83C404ADDESP,4<BR>00416DBA|.33C9XORECX,ECX<BR>00416DBC|.3945F8CMPDWORDPTRSS:[EBP-8],EAX//在这里用户名计算结果和EAX内的假注册码计算结果进行<BR><BR>比较。<BR>00416DBF|.0F94C1SETECL//相等则让CL=1。<BR>00416DC2|.8BC1MOVEAX,ECX//把ECX送EAX,作为注册成功标志。<BR>00416DC4|.8BE5MOVESP,EBP<BR>00416DC6|.5DPOPEBP<BR>00416DC7\.C20800RETN8<BR>============================================================<BR>后记:<BR>这个软件没有想到搞了那么多弯弯绕在里面,特别是在验证那个字符串Plushmm[PC97]时,感到莫名其妙!最后用户名的计算<BR><BR>是用大数进行乘除运算,进行了3遍。最后得到一个结果与前面注册码16进制值比较,现在已经得到了真码,把最后拿来比较的<BR><BR>那个数转换为10进制,输入就OK啦!比如我这里UserName是wanggang,得到的是830350h,转换为10进制数为8586064。现在输<BR><BR>入正确注册码,注册成功!!所有限制解除!我试用了一下提供的银河系图象还有其他气团图象,效果非常棒!!犹如真的来<BR><BR>到天上一样!!<BR><BR>追踪这个软件的过程比较讨厌,真是如同掉进无底深渊一样!没有边际!因为无论哪个CALL都值得怀疑里面做了什么工作,所<BR><BR>以不得不追进去看看。如果一下子掠过去可能就没戏。经过2个小时艰苦奋战,我终于又可以把我的破文与各位分享了!希望我<BR><BR>们共同进步提高!!:)<BR><BR>另附诗一首,献给各位关注我的坛友:<BR><BR>“宇宙”软件无“银河”,功能限制真是多;如今遇到俺菜鸟,眩目银河失又得!<BR><BR>qduwg<BR><BR><A href="mailto:qduwg@163.com">qduwg@163.com</A></FONT></P>
页:
[1]