简单算法——Roaring Falls Screensaver下载页面:http://www.pjsoft.com/ 软件大小:1.28M
【软件简介】:瀑布屏保。
【软件限制】:30 Day Trial
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 9.0白金版
————————————————————————————————— 【过 程】:
呵呵,不知道这个东东是否还可以下载。晕,在我60M的Geforce显卡上居然无法流畅运行。
Roaring Falls.exe 无壳。Borland Delphi 编写。
User Name:fly试 炼 码 :13572468————————————————————————————————— :00460ECD E87EE0FFFF call 0045EF50:00460ED2 8BB3F0020000 mov esi, dword ptr [ebx+000002F0]:00460ED8 837E3800 cmp dword ptr [esi+38], 00000000 ====>没填名字?
:00460EDC 0F8454010000 je 00461036 ====>跳则OVER!
:00460EE2 837E3C00 cmp dword ptr [esi+3C], 00000000 ====>没有注册码?
:00460EE6 0F844A010000 je 00461036 ====>跳则OVER!
:00460EEC 6A01 push 00000001:00460EEE 8D45FC lea eax, dword ptr [ebp-04]:00460EF1 50 push eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00460E8B(C)|
* Possible StringData Ref from Code Obj ->"235" |:00460EF2 B860104600 mov eax, 00461060 ====>EAX=235
:00460EF7 E84C6CFAFF call 00407B48 ====>取235的16进制值
:00460EFC 8BC8 mov ecx, eax ====>ECX=EAX=EB(H)=235(D) 运算参数
:00460EFE 8B83F0020000 mov eax, dword ptr [ebx+000002F0]:00460F04 8B4038 mov eax, dword ptr [eax+38] ====>EAX=fly
* Possible StringData Ref from Code Obj ->"RfaLLs1" |:00460F07 BA6C104600 mov edx, 0046106C ====>EDX=RfaLLs1 运算参数
:00460F0C E80BE5FFFF call 0045F41C ====>算法CALL!进入!
:00460F11 8B55FC mov edx, dword ptr [ebp-04] ====>EDX=EB000AE2 注册码
:00460F14 A1B4394600 mov eax, dword ptr [004639B4]:00460F19 E82E2AFAFF call 0040394C:00460F1E A1B4394600 mov eax, dword ptr [004639B4]:00460F23 8B00 mov eax, dword ptr [eax]:00460F25 8B93F0020000 mov edx, dword ptr [ebx+000002F0]:00460F2B 8B523C mov edx, dword ptr [edx+3C] ====>EDX=13572468 试炼码
:00460F2E E8512DFAFF call 00403C84 ====>比较CALL!:00460F33 743C je 00460F71:00460F35 8B83F0020000 mov eax, dword ptr [ebx+000002F0]:00460F3B FF703C push [eax+3C]
* Possible StringData Ref from Code Obj ->" is not the correct password!" ====>BAD BOY! :00460F3E 687C104600 push 0046107C:00460F43 68A4104600 push 004610A4
* Possible StringData Ref from Code Obj ->" Please contact the author at:" |:00460F48 68B0104600 push 004610B0:00460F4D 68A4104600 push 004610A4
* Possible StringData Ref from Code Obj ->"[email protected]" |:00460F52 68D8104600 push 004610D8:00460F57 8D45FC lea eax, dword ptr [ebp-04]:00460F5A BA06000000 mov edx, 00000006:00460F5F E8D02CFAFF call 00403C34:00460F64 8B45FC mov eax, dword ptr [ebp-04]:00460F67 E8CC55FEFF call 00446538:00460F6C E9C5000000 jmp 00461036
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00460F33(C)|:00460F71 A1303A4600 mov eax, dword ptr [00463A30]:00460F76 C60001 mov byte ptr [eax], 01:00460F79 33D2 xor edx, edx:00460F7B 8B83E4020000 mov eax, dword ptr [ebx+000002E4]:00460F81 E8CE53FCFF call 00426354
* Possible StringData Ref from Code Obj ->"Roaring Waterfalls - Registered" |:00460F86 BAF4104600 mov edx, 004610F4:00460F8B 8BC3 mov eax, ebx:00460F8D E8DA54FCFF call 0042646C:00460F92 B201 mov dl, 01:00460F94 A158A04500 mov eax, dword ptr [0045A058]:00460F99 E8FA91FFFF call 0045A198:00460F9E 8BF0 mov esi, eax:00460FA0 B101 mov cl, 01
====>下面是保存注册信息* Possible StringData Ref from Code Obj ->"##@)(\Roar Falls" |:00460FA2 BA1C114600 mov edx, 0046111C:00460FA7 8BC6 mov eax, esi:00460FA9 E8DA93FFFF call 0045A388:00460FAE 6A01 push 00000001:00460FB0 8D45FC lea eax, dword ptr [ebp-04]:00460FB3 50 push eax
* Possible StringData Ref from Code Obj ->"126" |:00460FB4 B838114600 mov eax, 00461138:00460FB9 E88A6BFAFF call 00407B48:00460FBE 8BC8 mov ecx, eax:00460FC0 8B83F0020000 mov eax, dword ptr [ebx+000002F0]:00460FC6 8B4038 mov eax, dword ptr [eax+38]
* Possible StringData Ref from Code Obj ->"RfaLLs1UsEr" |:00460FC9 BA44114600 mov edx, 00461144:00460FCE E849E4FFFF call 0045F41C:00460FD3 8B55FC mov edx, dword ptr [ebp-04]:00460FD6 A104394600 mov eax, dword ptr [00463904]:00460FDB E86C29FAFF call 0040394C:00460FE0 8B0D04394600 mov ecx, dword ptr [00463904]:00460FE6 8B09 mov ecx, dword ptr [ecx]
* Possible StringData Ref from Code Obj ->"User Name" |:00460FE8 BA58114600 mov edx, 00461158:00460FED 8BC6 mov eax, esi:00460FEF E83095FFFF call 0045A524:00460FF4 8B83F0020000 mov eax, dword ptr [ebx+000002F0]:00460FFA 8B483C mov ecx, dword ptr [eax+3C]
* Possible StringData Ref from Code Obj ->"Registration" |:00460FFD BA6C114600 mov edx, 0046116C:00461002 8BC6 mov eax, esi:00461004 E81B95FFFF call 0045A524:00461009 8B83F0020000 mov eax, dword ptr [ebx+000002F0]:0046100F FF7038 push [eax+38]:00461012 6884114600 push 00461184:00461017 68A4104600 push 004610A4
* Possible StringData Ref from Code Obj ->"Thank you for registering and ->"supporting shareware!" ====>呵呵,胜利女神!
:0046101C 6890114600 push 00461190:00461021 8D45FC lea eax, dword ptr [ebp-04]:00461024 BA04000000 mov edx, 00000004:00461029 E8062CFAFF call 00403C34:0046102E 8B45FC mov eax, dword ptr [ebp-04]:00461031 E80255FEFF call 00446538
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:|:00460EDC(C), :00460EE6(C), :00460F6C(U)|:00461036 33C0 xor eax, eax:00461038 5A pop edx:00461039 59 pop ecx:0046103A 59 pop ecx:0046103B 648910 mov dword ptr fs:[eax], edx:0046103E 6853104600 push 00461053
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00461051(U)|:00461043 8D45FC lea eax, dword ptr [ebp-04]:00461046 E8AD28FAFF call 004038F8:0046104B C3 ret
————————————————————————————————— 进入算法CALL:460F0C call 0045F41C
* Referenced by a CALL at Addresses:|:0045F6EF , :0045F72E , :0045F7BD , :0045F80E , :0045F87B |:0045F8E6 , :00460F0C , :00460FCE |:0045F41C 55 push ebp:0045F41D 8BEC mov ebp, esp:0045F41F 83C4D4 add esp, FFFFFFD4:0045F422 53 push ebx:0045F423 56 push esi:0045F424 57 push edi:0045F425 33DB xor ebx, ebx:0045F427 895DD8 mov dword ptr [ebp-28], ebx:0045F42A 895DD4 mov dword ptr [ebp-2C], ebx:0045F42D 895DF0 mov dword ptr [ebp-10], ebx:0045F430 8BD9 mov ebx, ecx:0045F432 8955F8 mov dword ptr [ebp-08], edx:0045F435 8945FC mov dword ptr [ebp-04], eax:0045F438 8B45FC mov eax, dword ptr [ebp-04]:0045F43B E8E848FAFF call 00403D28:0045F440 8B45F8 mov eax, dword ptr [ebp-08]:0045F443 E8E048FAFF call 00403D28:0045F448 33C0 xor eax, eax:0045F44A 55 push ebp:0045F44B 6816F64500 push 0045F616:0045F450 64FF30 push dword ptr fs:[eax]:0045F453 648920 mov dword ptr fs:[eax], esp:0045F456 837DF400 cmp dword ptr [ebp-0C], 00000000:0045F45A 750D jne 0045F469:0045F45C 8D45F8 lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"umbra" |:0045F45F BA30F64500 mov edx, 0045F630:0045F464 E82745FAFF call 00403990
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:0045F45A(C)|:0045F469 8B45F8 mov eax, dword ptr [ebp-08] ====>EAX=RfaLLs1
:0045F46C E80347FAFF call 00403B74 ====>取RfaLLs1的位数
:0045F471 8945F4 mov dword ptr [ebp-0C], eax ====>[ebp-0C]=7
:0045F474 33F6 xor esi, esi:0045F476 807D0C00 cmp byte ptr [ebp+0C], 00:0045F47A 0F8498000000 je 0045F518:0045F480 8BFB mov edi, ebx:0045F482 8D45F0 lea eax, dword ptr [ebp-10]:0045F485 50 push eax:0045F486 897DDC mov dword ptr [ebp-24], edi:0045F489 C645E000 mov [ebp-20], 00:0045F48D 8D55DC lea edx, dword ptr [ebp-24]:0045F490 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"%1.2x" |:0045F492 B840F64500 mov eax, 0045F640:0045F497 E84891FAFF call 004085E4:0045F49C 8B45FC mov eax, dword ptr [ebp-04] ====>EAX=fly
:0045F49F E8D046FAFF call 00403B74 ====>取fly的位数
:0045F4A4 85C0 test eax, eax ====>EAX=3
:0045F4A6 0F8E2F010000 jle 0045F5DB:0045F4AC 8945E4 mov dword ptr [ebp-1C], eax:0045F4AF C745EC01000000 mov [ebp-14], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:0045F511(C)|:0045F4B6 8B45FC mov eax, dword ptr [ebp-04] ====>EAX=fly
:0045F4B9 8B55EC mov edx, dword ptr [ebp-14]:0045F4BC 0FB64410FF movzx eax, byte ptr [eax+edx-01] ====>依次取fly字符的HEX值 1、 ====>EAX=66 2、 ====>EAX=6C 3、 ====>EAX=79
:0045F4C1 03C7 add eax, edi 1、 ====>EAX=66 + EB=151 2、 ====>EAX=6C + 00=6C 3、 ====>EAX=79 + 0A=83
:0045F4C3 B9FF000000 mov ecx, 000000FF ====>ECX=000000FF
:0045F4C8 99 cdq:0045F4C9 F7F9 idiv ecx 1、 ====>EDX=151 % FF=52 2、 ====>EDX=6C % FF=6C 3、 ====>EDX=83 % FF=83
:0045F4CB 8BDA mov ebx, edx ====>EBX=EDX
:0045F4CD 3B75F4 cmp esi, dword ptr [ebp-0C]:0045F4D0 7D03 jge 0045F4D5:0045F4D2 46 inc esi:0045F4D3 EB05 jmp 0045F4DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:0045F4D0(C)|:0045F4D5 BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:0045F4D3(U)|:0045F4DA 8B45F8 mov eax, dword ptr [ebp-08] ====>EAX=RfaLLs1
:0045F4DD 0FB64430FF movzx eax, byte ptr [eax+esi-01] ====>依次取RfaLLs1字符的HEX值 共取与用户名相同位数 1、 ====>EAX=52 2、 ====>EAX=66 3、 ====>EAX=61
:0045F4E2 33D8 xor ebx, eax 1、 ====>EBX=52 XOR 52=00 2、 ====>EBX=6C XOR 66=0A 3、 ====>EBX=61 XOR 83=E2
:0045F4E4 8D45D8 lea eax, dword ptr [ebp-28]:0045F4E7 50 push eax:0045F4E8 895DDC mov dword ptr [ebp-24], ebx:0045F4EB C645E000 mov [ebp-20], 00:0045F4EF 8D55DC lea edx, dword ptr [ebp-24]:0045F4F2 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"%1.2x" |:0045F4F4 B840F64500 mov eax, 0045F640:0045F4F9 E8E690FAFF call 004085E4 ====>将以上所得直接转成字符
:0045F4FE 8B55D8 mov edx, dword ptr [ebp-28] 1、 ====>EDX=00 2、 ====>EDX=0A 3、 ====>EDX=E2
:0045F501 8D45F0 lea eax, dword ptr [ebp-10]:0045F504 E87346FAFF call 00403B7C ====>将以上所得字符依次连接在 EB 后面
:0045F509 8BFB mov edi, ebx:0045F50B FF45EC inc [ebp-14]:0045F50E FF4DE4 dec [ebp-1C]:0045F511 75A3 jne 0045F4B6 ====>循环用户名位数次
:0045F513 E9C3000000 jmp 0045F5DB
…… ……省 略…… ……
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:|:0045F4A6(C), :0045F513(U)|:0045F5DB 8B4508 mov eax, dword ptr [ebp+08]:0045F5DE 8B55F0 mov edx, dword ptr [ebp-10] ====>EDX=EB000AE2 这就是注册码了!
:0045F5E1 E8AA43FAFF call 00403990:0045F5E6 33C0 xor eax, eax:0045F5E8 5A pop edx:0045F5E9 59 pop ecx:0045F5EA 59 pop ecx:0045F5EB 648910 mov dword ptr fs:[eax], edx:0045F5EE 681DF64500 push 0045F61D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:0045F61B(U)|:0045F5F3 8D45D4 lea eax, dword ptr [ebp-2C]:0045F5F6 BA02000000 mov edx, 00000002:0045F5FB E81C43FAFF call 0040391C:0045F600 8D45F0 lea eax, dword ptr [ebp-10]:0045F603 E8F042FAFF call 004038F8:0045F608 8D45F8 lea eax, dword ptr [ebp-08]:0045F60B BA02000000 mov edx, 00000002:0045F610 E80743FAFF call 0040391C:0045F615 C3 ret ————————————————————————————————— 【注册信息保存】:
REGEDIT4
[HKEY_CURRENT_USER\##@)(\Roar Falls]
"User Name"="7EB645DF""Registered"=dword:00000000"Registration"="EB000AE2"
————————————————————————————————— 【整 理】:
User Name:flyPassword :EB000AE2
————————————————————————————————— , _/ /| _.-~/ \_ , 青春都一饷 ( /~ / \~-._ |\ `\\ _/ \ ~\ ) 忍把浮名 _-~~~-.) )__/;;,. \_ //' /'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂`~ _( ,_..--\ ( ,;'' / ~-- /._`\ /~~//' /' `~\ ) /--.._, )_ `~ " `~" " `" /~'`\ `\\~~\ ~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-04-25 1:44