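Download page: http://gaoasp.nease.net/doc/hzbh.htm
Software size: 538K
Platform: Windows 9x/NT/2000
【Software description】: Looks up the strokes of any single Chinese character or passage of Chinese text. With extensions it can be used in teaching, entertainment, word processing and similar areas, for example teaching children to read characters, stroke-count fortune-telling, and applications that need sorting by stroke count.
【Software restriction】: NAG
【Author's statement】: I am new to cracking and am only doing this out of interest, with no other purpose. Please point out any mistakes!
【Tools】: TRW2000 娃娃 modified edition, Ollydbg1.09, PEiD, W32Dasm 9.0 Platinum edition
—————————————————————————————————
【Process】:
hzbh.exe is not packed. It is written in Visual C++ 6.0.
User name: FLY
Trial code: 13572468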
Disassemble the program; the error message leads straight to the core routine.
—————————————————————————————————
:004025B1 E8D60C0000 Call 0040328C
:004025B6 8D442424 lea eax, dword ptr [esp+24]
:004025BA 8D4C2418 lea ecx, dword ptr [esp+18]
:004025BE 50 push eax
:004025BF 51 push ecx
:004025C0 57 push edi
:004025C1 683F000F00 push 000F003F
:004025C6 57 push edi

* Possible StringData Ref from Data Obj ->"REG_SZ"
|
:004025C7 6814CA4000 push 0040CA14
:004025CC 57 push edi

* Possible StringData Ref from Data Obj ->"SOFTWARE\HZBH"
|
:004025CD 6804CA4000 push 0040CA04
:004025D2 6802000080 push 80000002
:004025D7 C644245801 mov [esp+58], 01
:004025DC C7442448FF000000 mov [esp+48], 000000FF
:004025E4 897C2440 mov dword ptr [esp+40], edi

* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:004025E8 FF1500404000 Call dword ptr [00404000]
:004025EE 3BC7 cmp eax, edi
:004025F0 0F854C010000 jne 00402742
:004025F6 8D542410 lea edx, dword ptr [esp+10]
:004025FA 8BCE mov ecx, esi
:004025FC 52 push edx
:004025FD 68F1030000 push 000003F1

* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00402602 E8E50C0000 Call 004032EC
:00402607 8D442414 lea eax, dword ptr [esp+14]
:0040260B 8BCE mov ecx, esi
:0040260D 50 push eax
:0040260E 68F2030000 push 000003F2

* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00402613 E8D40C0000 Call 004032EC
:00402618 8D4C2410 lea ecx, dword ptr [esp+10]

* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:0040261C E80D0D0000 Call 0040332E
:00402621 8D4C2410 lea ecx, dword ptr [esp+10]

* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:00402625 E8FE0C0000 Call 00403328
:0040262A 8D4C2414 lea ecx, dword ptr [esp+14]

* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:0040262E E8FB0C0000 Call 0040332E
:00402633 8D4C2414 lea ecx, dword ptr [esp+14]

* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:00402637 E8EC0C0000 Call 00403328
:0040263C 8D4C2410 lea ecx, dword ptr [esp+10]

* Reference To: MFC42.Ordinal:106A, Ord:106Ah
|
:00402640 E8DD0C0000 Call 00403322 ====>converts the user name to lowercase letters
:00402645 8B4C2410 mov ecx, dword ptr [esp+10] ====>ECX=fly; the lowercase form of the user name is what gets used in the calculation
:00402649 8B542414 mov edx, dword ptr [esp+14] ====>EDX=13572468
:0040264D 8B79F8 mov edi, dword ptr [ecx-08] ====>EDI=3, length of the user name
:00402650 8B6AF8 mov ebp, dword ptr [edx-08] ====>EBP=8, length of the trial code
:00402653 47 inc edi
:00402654 8D4C2410 lea ecx, dword ptr [esp+10]
:00402658 57 push edi
:00402659 45 inc ebp

* Reference To: MFC42.Ordinal:0B63, Ord:0B63h
|
:0040265A E8BD0C0000 Call 0040331C
:0040265F 55 push ebp
:00402660 8D4C2418 lea ecx, dword ptr [esp+18]
:00402664 89442424 mov dword ptr [esp+24], eax

* Reference To: MFC42.Ordinal:0B63, Ord:0B63h
|
:00402668 E8AF0C0000 Call 0040331C
:0040266D 8BD8 mov ebx, eax
:0040266F 8D4FFF lea ecx, dword ptr [edi-01]
:00402672 33C0 xor eax, eax
:00402674 895C2428 mov dword ptr [esp+28], ebx
:00402678 85C9 test ecx, ecx
:0040267A 761C jbe 00402698

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402692(C)
|
:0040267C 8B5C2420 mov ebx, dword ptr [esp+20] ====>EBX=[esp+20]=fly
:00402680 33D2 xor edx, edx
:00402682 8A1418 mov dl, byte ptr [eax+ebx] ====>takes the hex value of each character of "fly" in turn
 1. ====>DL=66
 2. ====>DL=6C
 3. ====>DL=79
:00402685 8B5C241C mov ebx, dword ptr [esp+1C]
:00402689 03DA add ebx, edx
 1. ====>EDX=66 + 00=66
 2. ====>EDX=6C + 66=D2
 3. ====>EDX=79 + D2=14B
:0040268B 40 inc eax
:0040268C 3BC1 cmp eax, ecx
:0040268E 895C241C mov dword ptr [esp+1C], ebx
:00402692 72E8 jb 0040267C ====>loop that accumulates the hex values of the user name characters
:00402694 8B5C2428 mov ebx, dword ptr [esp+28] ====>EBX=13572468

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040267A(C)
|
:00402698 53 push ebx

* Reference To: MSVCRT.atol, Ord:023Eh
|
:00402699 FF1578424000 Call dword ptr [00404278] ====>converts 13572468 to its hexadecimal value: EAX=00CF1974
:0040269F 8B4C2420 mov ecx, dword ptr [esp+20] ====>ECX=0000014B
:004026A3 83C404 add esp, 00000004
:004026A6 3BC8 cmp ecx, eax ====>the comparison!
 ====>ECX=0000014B, the accumulated sum of the user name characters' hex values
 ====>EAX=00CF1974, the hexadecimal value of the trial code
:004026A8 7577 jne 00402721 ====>if this jumps, it is OVER! Patch point ①
:004026AA 83FF01 cmp edi, 00000001 ====>the user name must be at least 1 character long
:004026AD 7672 jbe 00402721 ====>if this jumps, it is OVER! Patch point ②
:004026AF 83FD01 cmp ebp, 00000001 ====>the registration code must be at least 1 character long
:004026B2 766D jbe 00402721 ====>if this jumps, it is OVER! Patch point ②
:004026B4 8B442420 mov eax, dword ptr [esp+20]
:004026B8 8B4C2418 mov ecx, dword ptr [esp+18]
:004026BC 57 push edi

* Reference To: ADVAPI32.RegSetvalueExA, Ord:0186h
|
:004026BD 8B3D08404000 mov edi, dword ptr [00404008]
:004026C3 50 push eax
:004026C4 6A01 push 00000001
:004026C6 6A00 push 00000000
 ====>the registration information is saved below

* Possible StringData Ref from Data Obj ->"UserName"
|
:004026C8 68F8C94000 push 0040C9F8
:004026CD 51 push ecx
:004026CE FFD7 call edi
:004026D0 8B542418 mov edx, dword ptr [esp+18]
:004026D4 55 push ebp
:004026D5 53 push ebx
:004026D6 6A01 push 00000001
:004026D8 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"PassWord"
|
:004026DA 68ECC94000 push 0040C9EC
:004026DF 52 push edx
:004026E0 FFD7 call edi
:004026E2 8B442418 mov eax, dword ptr [esp+18]
:004026E6 50 push eax

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:004026E7 FF150C404000 Call dword ptr [0040400C]
:004026ED 8B4E20 mov ecx, dword ptr [esi+20]
:004026F0 6A01 push 00000001
:004026F2 51 push ecx

* Reference To: USER32.KillTimer, Ord:0195h
|
:004026F3 FF15DC424000 Call dword ptr [004042DC]
:004026F9 6840100000 push 00001040

* Possible StringData Ref from Data Obj ->"注册信息"
|
:004026FE 6854CB4000 push 0040CB54

* Possible StringData Ref from Data Obj ->"您成功注册!" ====>Heh, the goddess of victory!
|
:00402703 6844CB4000 push 0040CB44
:00402708 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:0040270A E8010C0000 Call 00403310
:0040270F 8B15ACCC4000 mov edx, dword ptr [0040CCAC]
:00402715 6A00 push 00000000
:00402717 8D4A64 lea ecx, dword ptr [edx+64]

* Reference To: MFC42.Ordinal:0A52, Ord:0A52h
|
:0040271A E8910B0000 Call 004032B0
:0040271F EB21 jmp 00402742

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004026A8(C), :004026AD(C), :004026B2(C)
|
:00402721 8B442418 mov eax, dword ptr [esp+18]
:00402725 50 push eax

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00402726 FF150C404000 Call dword ptr [0040400C]
:0040272C 6810100000 push 00001010

* Possible StringData Ref from Data Obj ->"注册信息"
|
:00402731 6854CB4000 push 0040CB54

* Possible StringData Ref from Data Obj ->"注册失败!" ====>BAD BOY!
|
:00402736 6838CB4000 push 0040CB38
:0040273B 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:0040273D E8CE0B0000 Call 00403310

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004025F0(C), :0040271F(U)
|
:00402742 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
|
:00402744 E8470A0000 Call 00403190
:00402749 8D4C2414 lea ecx, dword ptr [esp+14]
:0040274D C644243400 mov [esp+34], 00

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00402752 E8150A0000 Call 0040316C
:00402757 8D4C2410 lea ecx, dword ptr [esp+10]
:0040275B C7442434FFFFFFFF mov [esp+34], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00402763 E8040A0000 Call 0040316C
:00402768 8B4C242C mov ecx, dword ptr [esp+2C]
:0040276C 5F pop edi
:0040276D 5E pop esi
:0040276E 5D pop ebp
:0040276F 5B pop ebx
:00402770 64890D00000000 mov dword ptr fs:[00000000], ecx
:00402777 83C428 add esp, 00000028
:0040277A C3 ret
—————————————————————————————————
The program also performs a check at startup. Since we are patching anyway, take a look at that as well.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402238(C)
|
:0040221F 33C0 xor eax, eax
:00402221 8D7C2420 lea edi, dword ptr [esp+20]
:00402225 8A441420 mov al, byte ptr [esp+edx+20]
:00402229 83C9FF or ecx, FFFFFFFF
:0040222C 03F0 add esi, eax
:0040222E 33C0 xor eax, eax
:00402230 42 inc edx
:00402231 F2 repnz
:00402232 AE scasb
:00402233 F7D1 not ecx
:00402235 49 dec ecx
:00402236 3BD1 cmp edx, ecx
:00402238 72E5 jb 0040221F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040221D(C)
|
:0040223A 8D4C2454 lea ecx, dword ptr [esp+54]
:0040223E 51 push ecx

* Reference To: MSVCRT.atol, Ord:023Eh
|
:0040223F FF1578424000 Call dword ptr [00404278]
:00402245 83C404 add esp, 00000004
:00402248 3BF0 cmp esi, eax ====>compared once more!
:0040224A 753A jne 00402286
:0040224C 8D7C2420 lea edi, dword ptr [esp+20]
:00402250 83C9FF or ecx, FFFFFFFF
:00402253 33C0 xor eax, eax
:00402255 F2 repnz
:00402256 AE scasb
:00402257 F7D1 not ecx
:00402259 49 dec ecx
:0040225A 83F901 cmp ecx, 00000001 ====>compared once more!
:0040225D 7627 jbe 00402286
:0040225F 8D7C2454 lea edi, dword ptr [esp+54]
:00402263 83C9FF or ecx, FFFFFFFF
:00402266 F2 repnz
:00402267 AE scasb
:00402268 F7D1 not ecx
:0040226A 49 dec ecx
:0040226B 83F901 cmp ecx, 00000001 ====>compared once more!
:0040226E 7616 jbe 00402286
:00402270 8B54240C mov edx, dword ptr [esp+0C]
:00402274 B301 mov bl, 01 ====>set to 1 means OK!
:00402276 52 push edx

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00402277 FF150C404000 Call dword ptr [0040400C]
:0040227D 5F pop edi
:0040227E 8AC3 mov al, bl
:00402280 5E pop esi
:00402281 5B pop ebx
:00402282 83C47C add esp, 0000007C
:00402285 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040224A(C), :0040225D(C), :0040226E(C)
|
:00402286 8B54240C mov edx, dword ptr [esp+0C]
:0040228A 32DB xor bl, bl ====>cleared to 0 means OVER! Patch point ④
:0040228C 52 push edx

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:0040228D FF150C404000 Call dword ptr [0040400C]
:00402293 5F pop edi
:00402294 8AC3 mov al, bl
:00402296 5E pop esi
:00402297 5B pop ebx
:00402298 83C47C add esp, 0000007C
:0040229B C3 ret
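—————————————————————————————————
【Algorithm summary】:
1. The user name and the registration code must each be at least 1 character long.
2. The sum of the hex values of the user name's characters must equal the hex value of the registration code number.
Simple inversion:
fly=66 + 6C + 79=14B
14B(H)=331(D)
So my registration code is 331.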
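Why a check of this shape offers no protection, as an added C model that is not the program's own code or the author's: the function names are assumptions, names are assumed to be ASCII, and the logic follows the listing at 0040267C-004026B2. It goes slightly beyond the single worked case by counting how many other three-letter names the same code would accept.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte sum of the lowercased user name, as in the loop at 0040267C-00402692. */
unsigned long name_sum(const char *user)
{
    unsigned long sum = 0;
    for (const unsigned char *p = (const unsigned char *)user; *p; ++p)
        sum += (unsigned char)tolower(*p);
    return sum;
}

/* Model of the checks at 004026A6-004026B2 (hypothetical name): atol(code)
   must equal the sum and both strings must be non-empty. Returns 1 if accepted. */
int check_registration(const char *user, const char *code)
{
    if ((unsigned long)atol(code) != name_sum(user))
        return 0;
    return strlen(user) >= 1 && strlen(code) >= 1;
}

/* Counts lowercase three-letter names with the same sum as target. Each of
   them is accepted with the same code, so the code identifies no user. */
unsigned long colliding_names(const char *target)
{
    unsigned long want = name_sum(target), hits = 0;
    char n[4] = {0};
    for (n[0] = 'a'; n[0] <= 'z'; ++n[0])
        for (n[1] = 'a'; n[1] <= 'z'; ++n[1])
            for (n[2] = 'a'; n[2] <= 'z'; ++n[2])
                hits += (name_sum(n) == want);
    return hits;
}

int main(void)
{
    /* "FLY" / "331" are the values from the write-up above. */
    printf("sum(FLY)=%lu accepted=%d same-code names=%lu\n", name_sum("FLY"),
           check_registration("FLY", "331"), colliding_names("fly"));
    return 0;
}
```

The expected value is computed from public input inside the client and compared in one place, so both the algorithm and the decision point are visible in the listing. A code that is a digital signature over the user name, verified against an embedded public key, cannot be derived from the verification routine alone.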
—————————————————————————————————
【Perfect patch】:
1. 004026A8 7577 jne 00402721 changed to: 9090 (NOPed out)
2. 004026AD 7672 jbe 00402721 changed to: 9090 (NOPed out)
3. 004026B2 766D jbe 00402721 changed to: 9090 (NOPed out)
4. 0040228A 32DB xor bl, bl changed to: B301 mov bl, 01
—————————————————————————————————
【In-memory keygen with KeyMake {64th}】:
Break address: 4026A6
Break count: 1
First byte: 3B
Instruction length: 2
Register mode: ECX, decimal
—————————————————————————————————
【Where the registration information is saved】:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\HZBH]
"UserName"="fly"
"PassWord"="331"
—————————————————————————————————
【Summary】:
User name: FLY
Registration code: 331
—————————————————————————————————
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-4-18 15:30