puti67
发表于 2008-3-11 00:56:09
查找“注册失败”双击到这里:
006DA120/.55 push ebp /这里F2下断。
(然后输入用户名:puti67,
假码0123456789012345678900,单击“注册”后断下,F8单步)
006DA121|.8BEC mov ebp, esp
006DA123|.81C4 E0FEFFFF add esp, -120
006DA129|.53 push ebx
006DA12A|.56 push esi
006DA12B|.33C9 xor ecx, ecx
006DA12D|.898D E8FEFFFF mov dword ptr , ecx
006DA133|.898D E4FEFFFF mov dword ptr , ecx
006DA139|.898D E0FEFFFF mov dword ptr , ecx
006DA13F|.894D EC mov dword ptr , ecx
006DA142|.894D F0 mov dword ptr , ecx
006DA145|.894D F4 mov dword ptr , ecx
006DA148|.894D FC mov dword ptr , ecx
006DA14B|.894D F8 mov dword ptr , ecx
006DA14E|.8BD8 mov ebx, eax
006DA150|.33C0 xor eax, eax
006DA152|.55 push ebp
006DA153|.68 5CA36D00 push 006DA35C
006DA158|.64:FF30 push dword ptr fs:
006DA15B|.64:8920 mov dword ptr fs:, esp
006DA15E|.8D55 F8 lea edx, dword ptr
006DA161|.8B83 08030000 mov eax, dword ptr
006DA167|.E8 B849DAFF call 0047EB24
006DA16C|.8B45 F8 mov eax, dword ptr
006DA16F|.8D55 FC lea edx, dword ptr
006DA172|.E8 D9F7D2FF call 00409950
006DA177|.8B55 FC mov edx, dword ptr
006DA17A|.8D83 2C030000 lea eax, dword ptr
006DA180|.E8 63ADD2FF call 00404EE8
006DA185|.8B83 2C030000 mov eax, dword ptr
006DA18B|.E8 C4AFD2FF call 00405154
006DA190|.83F8 04 cmp eax, 4 //注册姓名不小于4位
006DA193|.7D 3A jge short 006DA1CF
006DA195|.6A 00 push 0
006DA197|.68 74A36D00 push 006DA374 ;错误:〖注册姓名〗\n
006DA19C|.FFB3 2C030000 push dword ptr
006DA1A2|.68 90A36D00 push 006DA390 ;\n
006DA1A7|.68 9CA36D00 push 006DA39C ;长度太短,无法注册!
006DA1AC|.8D45 F4 lea eax, dword ptr
006DA1AF|.BA 04000000 mov edx, 4
006DA1B4|.E8 5BB0D2FF call 00405214
006DA1B9|.8B45 F4 mov eax, dword ptr
006DA1BC|.66:8B0D B4A36>mov cx, word ptr
006DA1C3|.B2 01 mov dl, 1
006DA1C5|.E8 2EE7D5FF call 004388F8
006DA1CA|.E9 47010000 jmp 006DA316
006DA1CF|>8D55 F0 lea edx, dword ptr
006DA1D2|.8B83 0C030000 mov eax, dword ptr
006DA1D8|.E8 4749DAFF call 0047EB24
006DA1DD|.8B55 F0 mov edx, dword ptr
006DA1E0|.8D83 30030000 lea eax, dword ptr
006DA1E6|.E8 FDACD2FF call 00404EE8
006DA1EB|.8B83 30030000 mov eax, dword ptr
006DA1F1|.E8 5EAFD2FF call 00405154
006DA1F6|.83F8 16 cmp eax, 16 //注册码长度必须等于22位(16为十六进制,即十进制22)
006DA1F9|.74 3A je short 006DA235
006DA1FB|.6A 00 push 0
006DA1FD|.68 C0A36D00 push 006DA3C0 ;错误:〖注册码〗\n
006DA202|.FFB3 30030000 push dword ptr
006DA208|.68 90A36D00 push 006DA390 ;\n
006DA20D|.68 DCA36D00 push 006DA3DC ;长度不符,无法注册!
006DA212|.8D45 EC lea eax, dword ptr
006DA215|.BA 04000000 mov edx, 4
006DA21A|.E8 F5AFD2FF call 00405214
006DA21F|.8B45 EC mov eax, dword ptr
006DA222|.66:8B0D B4A36>mov cx, word ptr
006DA229|.B2 01 mov dl, 1
006DA22B|.E8 C8E6D5FF call 004388F8
006DA230|.E9 E1000000 jmp 006DA316
006DA235|>8BC3 mov eax, ebx
006DA237|.E8 88FCFFFF call 006D9EC4 //这里F7进入
006DA23C|.84C0 test al, al
006DA23E|.0F84 BD000000 je 006DA301
006DA244|.8BC3 mov eax, ebx
006DA246|.E8 51FBFFFF call 006D9D9C
006DA24B|.33F6 xor esi, esi
006DA24D|>8D85 E4FEFFFF /lea eax, dword ptr
006DA253|.50 |push eax
006DA254|.8BD6 |mov edx, esi
006DA256|.03D2 |add edx, edx
006DA258|.A1 FCF07500 |mov eax, dword ptr
006DA25D|.8B00 |mov eax, dword ptr
006DA25F|.B9 04000000 |mov ecx, 4
006DA264|.E8 4BB1D2FF |call 004053B4
006DA269|.8B85 E4FEFFFF |mov eax, dword ptr
006DA26F|.50 |push eax
006DA270|.8D85 E0FEFFFF |lea eax, dword ptr
006DA276|.50 |push eax
006DA277|.B9 08000000 |mov ecx, 8
006DA27C|.BA 0B000000 |mov edx, 0B
006DA281|.8B83 30030000 |mov eax, dword ptr
006DA287|.E8 28B1D2FF |call 004053B4
006DA28C|.8B85 E0FEFFFF |mov eax, dword ptr
006DA292|.8D8D E8FEFFFF |lea ecx, dword ptr
006DA298|.5A |pop edx
006DA299|.E8 C63BF7FF |call 0064DE64
006DA29E|.8B95 E8FEFFFF |mov edx, dword ptr
006DA2A4|.8D85 ECFEFFFF |lea eax, dword ptr
006DA2AA|.B9 FF000000 |mov ecx, 0FF
006DA2AF|.E8 7CAED2FF |call 00405130
006DA2B4|.8D95 ECFEFFFF |lea edx, dword ptr
006DA2BA|.8BC6 |mov eax, esi
006DA2BC|.C1E0 05 |shl eax, 5
006DA2BF|.2BC6 |sub eax, esi
006DA2C1|.8B0D CCE97500 |mov ecx, dword ptr ;111_.0078A930
006DA2C7|.8B09 |mov ecx, dword ptr
006DA2C9|.8D8401 110B00>|lea eax, dword ptr
006DA2D0|.B1 1E |mov cl, 1E
006DA2D2|.E8 ED90D2FF |call 004033C4
006DA2D7|.46 |inc esi
006DA2D8|.83FE 03 |cmp esi, 3
006DA2DB|.^ 0F85 6CFFFFFF \jnz 006DA24D
006DA2E1|.B2 01 mov dl, 1
006DA2E3|.8BC3 mov eax, ebx
006DA2E5|.E8 82F8FFFF call 006D9B6C
006DA2EA|.6A 00 push 0
006DA2EC|.66:8B0D B4A36>mov cx, word ptr
006DA2F3|.B2 02 mov dl, 2
006DA2F5|.B8 FCA36D00 mov eax, 006DA3FC ;成功注册!感谢您的支持!请重新启动软件。
006DA2FA|.E8 F9E5D5FF call 004388F8
006DA2FF|.EB 15 jmp short 006DA316
006DA301|>6A 00 push 0
006DA303|.66:8B0D B4A36>mov cx, word ptr
006DA30A|.B2 01 mov dl, 1
006DA30C|.B8 30A46D00 mov eax, 006DA430 //(双击来到了这里)注册失败:注册码无效!
006DA311|.E8 E2E5D5FF call 004388F8
006DA316|>33C0 xor eax, eax
006DA318|.5A pop edx
006DA319|.59 pop ecx
006DA31A|.59 pop ecx
006DA31B|.64:8910 mov dword ptr fs:, edx
006DA31E|.68 63A36D00 push 006DA363
006DA323|>8D85 E0FEFFFF lea eax, dword ptr
006DA329|.BA 03000000 mov edx, 3
006DA32E|.E8 85ABD2FF call 00404EB8
006DA333|.8D45 EC lea eax, dword ptr
006DA336|.E8 59ABD2FF call 00404E94
006DA33B|.8D45 F0 lea eax, dword ptr
006DA33E|.E8 51ABD2FF call 00404E94
006DA343|.8D45 F4 lea eax, dword ptr
006DA346|.E8 49ABD2FF call 00404E94
006DA34B|.8D45 F8 lea eax, dword ptr
006DA34E|.E8 41ABD2FF call 00404E94
006DA353|.8D45 FC lea eax, dword ptr
006DA356|.E8 39ABD2FF call 00404E94
006DA35B\.C3 retn
F7进入到这里:F8单步
0064DE64/$55 push ebp
0064DE65|.8BEC mov ebp, esp
0064DE67|.83C4 F0 add esp, -10
0064DE6A|.53 push ebx
0064DE6B|.56 push esi
0064DE6C|.57 push edi
0064DE6D|.894D F4 mov dword ptr , ecx
0064DE70|.8955 F8 mov dword ptr , edx
0064DE73|.8945 FC mov dword ptr , eax
0064DE76|.8B45 FC mov eax, dword ptr
0064DE79|.E8 C674DBFF call 00405344
0064DE7E|.8B45 F8 mov eax, dword ptr
0064DE81|.E8 BE74DBFF call 00405344
0064DE86|.33C0 xor eax, eax
0064DE88|.55 push ebp
0064DE89|.68 2EDF6400 push 0064DF2E
0064DE8E|.64:FF30 push dword ptr fs:
0064DE91|.64:8920 mov dword ptr fs:, esp
0064DE94|.837D F8 00 cmp dword ptr , 0
0064DE98|.75 0D jnz short 0064DEA7
0064DE9A|.8D45 F8 lea eax, dword ptr
0064DE9D|.BA 44DF6400 mov edx, 0064DF44 ;neo imaging
0064DEA2|.E8 8570DBFF call 00404F2C
0064DEA7|>BE 01000000 mov esi, 1
0064DEAC|.8B45 FC mov eax, dword ptr
0064DEAF|.E8 A072DBFF call 00405154
0064DEB4|.8BF8 mov edi, eax
0064DEB6|.85FF test edi, edi
0064DEB8|.7E 4E jle short 0064DF08
0064DEBA|.BB 01000000 mov ebx, 1
0064DEBF|>8B45 FC /mov eax, dword ptr
0064DEC2|.8A4418 FF |mov al, byte ptr
0064DEC6|.24 0F |and al, 0F
0064DEC8|.8B55 F8 |mov edx, dword ptr
0064DECB|.8A5432 FF |mov dl, byte ptr
0064DECF|.80E2 0F |and dl, 0F
0064DED2|.32C2 |xor al, dl
0064DED4|.8845 F3 |mov byte ptr , al
0064DED7|.8D45 FC |lea eax, dword ptr
0064DEDA|.E8 CD74DBFF |call 004053AC
0064DEDF|.8B55 FC |mov edx, dword ptr
0064DEE2|.8A541A FF |mov dl, byte ptr
0064DEE6|.80E2 F0 |and dl, 0F0
0064DEE9|.8A4D F3 |mov cl, byte ptr
0064DEEC|.02D1 |add dl, cl
0064DEEE|.885418 FF |mov byte ptr , dl
0064DEF2|.46 |inc esi
0064DEF3|.8B45 F8 |mov eax, dword ptr
0064DEF6|.E8 5972DBFF |call 00405154
0064DEFB|.3BF0 |cmp esi, eax
0064DEFD|.7E 05 |jle short 0064DF04
0064DEFF|.BE 01000000 |mov esi, 1
0064DF04|>43 |inc ebx
0064DF05|.4F |dec edi
0064DF06|.^ 75 B7 \jnz short 0064DEBF
0064DF08|>8B45 F4 mov eax, dword ptr
0064DF0B|.8B55 FC mov edx, dword ptr
0064DF0E|.E8 D56FDBFF call 00404EE8
0064DF13|.33C0 xor eax, eax
0064DF15|.5A pop edx
0064DF16|.59 pop ecx
0064DF17|.59 pop ecx
0064DF18|.64:8910 mov dword ptr fs:, edx
0064DF1B|.68 35DF6400 push 0064DF35
0064DF20|>8D45 F8 lea eax, dword ptr
0064DF23|.BA 02000000 mov edx, 2
0064DF28|.E8 8B6FDBFF call 00404EB8
0064DF2D\.C3 retn
0064DF2E .^ E9 C168DBFF jmp 004047F4
0064DF33 .^ EB EB jmp short 0064DF20
0064DF35 .5F pop edi
0064DF36 .5E pop esi
0064DF37 .5B pop ebx
0064DF38 .8BE5 mov esp, ebp
0064DF3A .5D pop ebp
0064DF3B .C3 retn //F8到这里(这里返回到006D9F1D)
006D9F07|>8D4D FC lea ecx, dword ptr
006D9F0A|.8B15 FCF07500 mov edx, dword ptr ;111_.0078A80C
006D9F10|.8B12 mov edx, dword ptr
006D9F12|.8B83 2C030000 mov eax, dword ptr
006D9F18|.E8 473FF7FF call 0064DE64
006D9F1D|.8D45 F8 lea eax, dword ptr //返回到了这里,继续F8
006D9F20|.50 push eax
006D9F21|.8B83 30030000 mov eax, dword ptr
006D9F27|.B9 04000000 mov ecx, 4
006D9F2C|.BA 13000000 mov edx, 13
006D9F31|.E8 7EB4D2FF call 004053B4
006D9F36|.8B45 FC mov eax, dword ptr
006D9F39|.E8 16B2D2FF call 00405154
006D9F3E|.8BC8 mov ecx, eax
006D9F40|.33DB xor ebx, ebx
006D9F42|.8BC1 mov eax, ecx
006D9F44|.48 dec eax
006D9F45|.85C0 test eax, eax
006D9F47|.7C 14 jl short 006D9F5D
006D9F49|.40 inc eax
006D9F4A|.33D2 xor edx, edx
006D9F4C|>8B75 FC /mov esi, dword ptr
006D9F4F|.0FB67416 FF |movzx esi, byte ptr
006D9F54|.0FAFF1 |imul esi, ecx
006D9F57|.03DE |add ebx, esi
006D9F59|.42 |inc edx
006D9F5A|.48 |dec eax
006D9F5B|.^ 75 EF \jnz short 006D9F4C
006D9F5D|>81FB 0F270000 cmp ebx, 270F
006D9F63|.7E 0E jle short 006D9F73
006D9F65|.8BC3 mov eax, ebx
006D9F67|.B9 10270000 mov ecx, 2710
006D9F6C|.99 cdq
006D9F6D|.F7F9 idiv ecx
006D9F6F|.8BDA mov ebx, edx
006D9F71|.EB 0E jmp short 006D9F81
006D9F73|>81FB 28230000 cmp ebx, 2328
006D9F79|.7D 06 jge short 006D9F81
006D9F7B|.81C3 E8030000 add ebx, 3E8
006D9F81|>8D45 F4 lea eax, dword ptr
006D9F84|.50 push eax
006D9F85|.895D EC mov dword ptr , ebx
006D9F88|.C645 F0 00 mov byte ptr , 0
006D9F8C|.8D55 EC lea edx, dword ptr
006D9F8F|.33C9 xor ecx, ecx
006D9F91|.B8 E09F6D00 mov eax, 006D9FE0 ;%4d
006D9F96|.E8 8912D3FF call 0040B224
006D9F9B|.8B45 F8 mov eax, dword ptr
006D9F9E|.8B55 F4 mov edx, dword ptr
006D9FA1|.E8 FAB2D2FF call 004052A0 //F8到这里(这里寄存器提示:
EAX 012D5044 ASCII "7778"
ECX 00000000
EDX 012D7FE4 ASCII "4090")
22位注册码的后四位应该是:4090
006D9FA6|.0F94C0 sete al
006D9FA9|>8BD8 mov ebx, eax
006D9FAB|.33C0 xor eax, eax
006D9FAD|.5A pop edx
006D9FAE|.59 pop ecx
006D9FAF|.59 pop ecx
006D9FB0|.64:8910 mov dword ptr fs:, edx
006D9FB3|.68 CD9F6D00 push 006D9FCD
006D9FB8|>8D45 F4 lea eax, dword ptr
006D9FBB|.BA 03000000 mov edx, 3
006D9FC0|.E8 F3AED2FF call 00404EB8
006D9FC5\.C3 retn
注册码共22位,根据用户名算出注册码的后四位,前面的18位可以随意写。我不会分析算法,只是胡乱找到了注册码,请各位大侠批评指正!谢谢!!!
91sms
发表于 2008-3-11 18:43:53
时也一~ 屑惴?
18681231
发表于 2008-3-12 00:13:51
,煤酶,峥次
18681231
发表于 2008-3-12 00:15:12
,
煤酶,
峥次
ljs0911
发表于 2008-3-12 03:22:30
不行啊楼主!
puti67
发表于 2008-3-13 14:30:38
用我说的方法能注册成功,请测试一下。
爱人爱我
发表于 2008-3-14 14:27:34
呵呵 来晚了学习学习
cdygr
发表于 2008-3-14 14:34:11
,学习,惜液芏肟
Nisy
发表于 2008-3-14 21:24:53
大家继续努力哦,软件启动时还有一处验证,如果没有处理,爆破则不完全。
当然,软件是明码比较,简单跟一下使用明码也可。
langlirong
发表于 2008-3-15 18:13:26
启动时:
0070A814 |.8B45 F0 mov eax,dword ptr ss:
0070A817 |.8B55 EC mov edx,dword ptr ss:
0070A8148B45 F0为 8B45 EC
----------------------------------------------------------------------------
注册时:
006D9F9B |.8B45 F8 mov eax,dword ptr ss:
006D9F9E |.8B55 F4 mov edx,dword ptr ss:
006D9F9B8B45 F8为 8B45 F4