Easun Studio Windows系统切换工具 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → Easun Studio Windows系统切换工具

Easun Studio Windows系统切换工具 时间：2004/10/15 0:56:00来源：本站整理作者：蓝点我要评论(0): 　下载地址： http://easun.yeah.net(路杨工作室)www.softreg.com

软件说明：Easun Studio Windows系统切换工具是是安装多Windows系统的用户的福音。不知道您是否有这种体会，为了工作需要，安装了多个Windows（比如中文Win98、英文Win98及Win2000）,可是切换起来却太是困难，Windows 2000 还提供了启动菜单，而多Win95/98/Me根本上就没有这种菜单供您选择，就只有自己在DOS下用批处理进行切换。网上进行多系统切换的工具也可谓多也，但是几乎都是用自己的模块替换BOOT区来完成的，而且都是在DOS（字符界面）下进行切换选择，既麻烦有不安全，而且界面操作复杂，那能不能有一种界面友好，安全，方便在Windows界面下进行操作的系统切换工具呢？路杨就是本着
这个原因开发这个软件的，该软件界面大方美观，操作上手，不用自身模块覆盖BOOT区，安全可靠，工作在Windows95/98/Me/2000/Xp 环境下，让您彻底抛开DOS界面和字符界面！另外，本软件还有设置系统和恢复IE设定的功能，当然，这就是附加功能了。本软件完美支持Window 95OR2, windows98 & Windows NT/2000/Xp。

破解：该软件是用aspack v2.11加的壳，轻松脱壳反汇编后：

:00407032 68A4924100 push 004192A4
:00407037 51 push ecx

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00407038 E8B78D0000 Call 0040FDF4----------------->获取用户名长度
:0040703D 8B54241C mov edx, dword ptr [esp+1C]
:00407041 83C40C add esp, 0000000C
:00407044 8B42F8 mov eax, dword ptr [edx-08]
:00407047 83F803 cmp eax, 00000003------------->比较用户名长度和3
:0040704A 7D0E jge 0040705A------------------>大于则跳
:0040704C 6AFF push FFFFFFFF
:0040704E 6A00 push 00000000

* Possible Reference to String Resource ID=61491: "You name should at lest be 3 characters."
|
:00407050 6833F00000 push 0000F033
:00407055 E9B5010000 jmp 0040720F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040704A(C)
|
:0040705A 53 push ebx
:0040705B 6A00 push 00000000
:0040705D 6874040000 push 00000474
:00407062 8BCF mov ecx, edi

* Reference To: MFC42.Ordinal:0C17, Ord:0C17h
|
:00407064 E8978D0000 Call 0040FE00------------------>将输入的注册码变成十六进制设为SN16
:00407069 8BF0 mov esi, eax------------------->ESI=EAX
:0040706B 8D442410 lea eax, dword ptr [esp+10]
:0040706F 56 push esi
:00407070 51 push ecx
:00407071 8BCC mov ecx, esp
:00407073 8964241C mov dword ptr [esp+1C], esp
:00407077 50 push eax

* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00407078 E8CD8E0000 Call 0040FF4A
:0040707D 8BCF mov ecx, edi
:0040707F E83C020000 call 004072C0 ------------------>关键CALL1->F8
:00407084 85C0 test eax, eax ---->测试eax=0吗？注册标记!
:00407086 0F847A010000 je 00407206 ---->等于0则跳,跳就死
:0040708C 56 push esi
:0040708D 8D4C241C lea ecx, dword ptr [esp+1C]

* Possible Reference to Dialog:
|
:00407091 68AC904100 push 004190AC
:00407096 51 push ecx

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00407097 E8588D0000 Call 0040FDF4
:0040709C 8B542424 mov edx, dword ptr [esp+24]
:004070A0 8D442424 lea eax, dword ptr [esp+24]
:004070A4 52 push edx

* Possible StringData Ref from Data Obj ->"%s"
|
:004070A5 68A4924100 push 004192A4
:004070AA 50 push eax

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:004070AB E8448D0000 Call 0040FDF4
:004070B0 8B4764 mov eax, dword ptr [edi+64]
:004070B3 8B4C2428 mov ecx, dword ptr [esp+28]

* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:02E5h
|
:004070B7 8B2DB0304100 mov ebp, dword ptr [004130B0]
:004070BD 83C418 add esp, 00000018
:004070C0 50 push eax
:004070C1 51 push ecx

* Possible StringData Ref from Data Obj ->"User"
|
:004070C2 683C964100 push 0041963C

* Possible StringData Ref from Data Obj ->"Easun"
|
:004070C7 6834964100 push 00419634
:004070CC FFD5 call ebp
:004070CE 8D7760 lea esi, dword ptr [edi+60]

* Possible StringData Ref from Data Obj ->"key.dll" -->注册后，生成此文件->删除又是未注册版
|
:004070D1 682C964100 push 0041962C
:004070D6 8D542418 lea edx, dword ptr [esp+18]
:004070DA 56 push esi
:004070DB 52 push edx
============================================================================================
追入关键call1到这里............
* Referenced by a CALL at Address:
|:0040707F
|
:004072C0 6AFF push FFFFFFFF
:004072C2 68B8114100 push 004111B8
:004072C7 64A100000000 mov eax, dword ptr fs:[00000000]
:004072CD 50 push eax
:004072CE 64892500000000 mov dword ptr fs:[00000000], esp
:004072D5 83EC10 sub esp, 00000010
:004072D8 53 push ebx
:004072D9 55 push ebp
:004072DA 56 push esi
:004072DB 57 push edi
:004072DC 8BF9 mov edi, ecx
:004072DE 51 push ecx
:004072DF 8D442434 lea eax, dword ptr [esp+34]
:004072E3 8BCC mov ecx, esp
:004072E5 8964241C mov dword ptr [esp+1C], esp
:004072E9 50 push eax
:004072EA C744243000000000 mov [esp+30], 00000000

* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:004072F2 E8538C0000 Call 0040FF4A
:004072F7 8BCF mov ecx, edi
:004072F9 E822010000 call 00407420 -->根据NAME计算-->call(2)
:004072FE 8BF0 mov esi, eax -->把计算后的数值传给esi
:00407300 85F6 test esi, esi
:00407302 0F84F0000000 je 004073F8
:00407308 51 push ecx
:00407309 8BCC mov ecx, esp
:0040730B 8964241C mov dword ptr [esp+1C], esp

* Possible Reference to Dialog:
|
:0040730F 6894964100 push 00419694

* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:00407314 E8178B0000 Call 0040FE30
:00407319 8BCF mov ecx, edi
:0040731B E800010000 call 00407420--------->根据"EasunLee"进行计算
:00407320 51 push ecx ------------->EBP=0x629B
:00407321 8BD8 mov ebx, eax
:00407323 8BCC mov ecx, esp
:00407325 8964241C mov dword ptr [esp+1C], esp

* Possible Reference to Dialog:
|
:00407329 6894964100 push 00419694

* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:0040732E E8FD8A0000 Call 0040FE30
:00407333 8BCF mov ecx, edi
:00407335 E8E6000000 call 00407420
:0040733A 51 push ecx
:0040733B 8BE8 mov ebp, eax
:0040733D 8BCC mov ecx, esp
:0040733F 8964241C mov dword ptr [esp+1C], esp

* Possible Reference to Dialog:
|
:00407343 6880964100 push 00419680

* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:00407348 E8E38A0000 Call 0040FE30
:0040734D 8BCF mov ecx, edi
:0040734F E8CC000000 call 00407420--------->根据"easunlee98meiosys"进行计算
:00407354 51 push ecx-------------->[ESP+14]=0xE69BB
:00407355 89442418 mov dword ptr [esp+18], eax
:00407359 8BCC mov ecx, esp
:0040735B 8964241C mov dword ptr [esp+1C], esp

* Possible Reference to Dialog:
|
:0040735F 6864964100 push 00419664

* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:00407364 E8C78A0000 Call 0040FE30
:00407369 8BCF mov ecx, edi
:0040736B E8B0000000 call 00407420---------->根据"Luyanghs&&Tsai&&bluebird"进行计算
:00407370 51 push ecx--------------->[ESP+10]=0x682B7762
:00407371 89442414 mov dword ptr [esp+14], eax
:00407375 8BCC mov ecx, esp
:00407377 8964241C mov dword ptr [esp+1C], esp

* Possible Reference to Dialog:
|
:0040737B 685C964100 push 0041965C

* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:00407380 E8AB8A0000 Call 0040FE30
:00407385 8BCF mov ecx, edi
:00407387 E894000000 call 00407420---------->根据"hesheng"进行计算
:0040738C 51 push ecx--------------->EDX=0x340E
:0040738D 8944241C mov dword ptr [esp+1C], eax
:00407391 8BCC mov ecx, esp
:00407393 89642420 mov dword ptr [esp+20], esp

* Possible Reference to Dialog:
|
:00407397 6850964100 push 00419650

* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:0040739C E88F8A0000 Call 0040FE30
:004073A1 8BCF mov ecx, edi
:004073A3 E878000000 call 00407420---------->根据"200970878"进行计算得EAX=0x6E0A

EAX=0x6E0A ; EDX=0x340E ; EBP=0x629B ; [ESP+14]=0xE69BBB ; [ESP+18]=0x340E ; [ESP+10]=0x682B7762;
ESI=NAME16=0x71F2 "powerboy"经过计算所得 //// [ESP+34]=SN十六进制

:004073A8 81F678EE0220 xor esi, 2002EE78------------->ESI=ESI XOR 0x2002EE78
:004073AE 8B7C2414 mov edi, dword ptr [esp+14]--->EDI=[ESP+14]=0xE69BB
:004073B2 81EE21050E20 sub esi, 200E0521------------->ESI=ESI-0x200E0521
:004073B8 8B542418 mov edx, dword ptr [esp+18]--->EDX=[ESP+18]=0x340E
:004073BC 81F678563472 xor esi, 72345678------------->ESI=ESI XOR 0x72345678
:004073C2 81EE88F76877 sub esi, 7768F788------------->ESI=ESI-0x7768F788
:004073C8 33F3 xor esi, ebx------------------>ESI=ESI XOR EBX =ESI XOR 0x629B
:004073CA 8B5C2410 mov ebx, dword ptr [esp+10]--->EBX=[ESP+10]=0x682B7762
:004073CE 03F5 add esi, ebp------------------>ESI=ESI+EBP=ESI+0x629B
:004073D0 33F3 xor esi, ebx------------------>ESI=ESI XOR EBX=ESI XOR 0x682B7762
:004073D2 33F7 xor esi, edi------------------>ESI=ESI XOR EDI=ESI XOR 0xE69BBB
:004073D4 2BF2 sub esi, edx------------------>ESI=ESI-EBX=ESI-0x340E
:004073D6 03F0 add esi, eax------------------>ESI=ESI+EAX=ESI+0x6E0A
:004073D8 8B442434 mov eax, dword ptr [esp+34]--->EAX=SN16
:004073DC 3BF0 cmp esi, eax------------------>比较EAX和ESI
:004073DE 7518 jne 004073F8------------------>不相等则跳
:004073E0 8D4C2430 lea ecx, dword ptr [esp+30]
:004073E4 C7442428FFFFFFFF mov [esp+28], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004073EC E8F1890000 Call 0040FDE2
:004073F1 B801000000 mov eax, 00000001 -->如果esi与eax相等就把注册标记传给eax
:004073F6 EB13 jmp 0040740B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407302(C), :004073DE(C)
|
:004073F8 8D4C2430 lea ecx, dword ptr [esp+30]
:004073FC C7442428FFFFFFFF mov [esp+28], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00407404 E8D9890000 Call 0040FDE2
:00407409 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004073F6(U)
|
:0040740B 8B4C2420 mov ecx, dword ptr [esp+20]
:0040740F 5F pop edi
:00407410 5E pop esi
:00407411 5D pop ebp
:00407412 64890D00000000 mov dword ptr fs:[00000000], ecx
:00407419 5B pop ebx
:0040741A 83C41C add esp, 0000001C
:0040741D C20800 ret 0008
================================================================================
跟进call2来到这里 ...............

* Referenced by a CALL at Addresses:
|:004072F9 , :0040731B , :00407335 , :0040734F , :0040736B
|:00407387 , :004073A3
|
:00407420 64A100000000 mov eax, dword ptr fs:[00000000]
:00407426 6AFF push FFFFFFFF
:00407428 68D8114100 push 004111D8
:0040742D 50 push eax
:0040742E 64892500000000 mov dword ptr fs:[00000000], esp
:00407435 56 push esi
:00407436 57 push edi
:00407437 8B7C2418 mov edi, dword ptr [esp+18]
:0040743B 8B57F8 mov edx, dword ptr [edi-08]
:0040743E 83FA03 cmp edx, 00000003
:00407441 7D26 jge 00407469
:00407443 8D4C2418 lea ecx, dword ptr [esp+18]
:00407447 C7442410FFFFFFFF mov [esp+10], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040744F E88E890000 Call 0040FDE2
:00407454 33C0 xor eax, eax
:00407456 8B4C2408 mov ecx, dword ptr [esp+08]
:0040745A 64890D00000000 mov dword ptr fs:[00000000], ecx
:00407461 5F pop edi
:00407462 5E pop esi
:00407463 83C40C add esp, 0000000C
:00407466 C20400 ret 0004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407441(C)
|
:00407469 33F6 xor esi, esi
:0040746B 33C9 xor ecx, ecx
:0040746D 85D2 test edx, edx
:0040746F 7E0D jle 0040747E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040747C(C)
|
:00407471 0FBE0439 movsx eax, byte ptr [ecx+edi]----->依次取注册名
:00407475 D3E0 shl eax, cl ---------------------->EAX=EAX << ECX 逻辑左移ECX
:00407477 03F0 add esi, eax---------------------->ESI=ESI+EAX 把左移后的结果累加
:00407479 41 inc ecx -------------------------->ECX=ECX+1
:0040747A 3BCA cmp ecx, edx---------------------->比较注册名是否取完
:0040747C 7CF3 jl 00407471----------------------->没取完，继续
================================================================================

算法整理:
1.首先把:“NAME”、“EasunLee”、"200970878"、"hesheng"、"Luyanghs&&Tsai&&bluebird"、"easunlee98meiosys"
这6个字符串按照关键CALL2进行计算，所得的值分别存入一下寄存器中：
1.NAME("powerboy")======================ESI=0x71F2;
2."200970878"进行计算得=================EAX=0x6E0A;
3."EasunLee"计算所得====================EBP=0x629B;
4."hesheng"进行计算=====================EDX=[ESP+18]=0x340E;
5."easunlee98meiosys"进行计算所得=======[ESP+14]=0xE69BBB ;
6."Luyanghs&&Tsai&&bluebird"============[ESP+10]=0x682B7762;
7. SN变成十六进制=======================[ESP+34]=SN十六进制;
2.然后进行计算
ESI=ESI XOR 0x2002EE78
EDI=[ESP+14]=0xE69BB
ESI=ESI-0x200E0521
EDX=[ESP+18]=0x340E
>ESI=ESI XOR 0x72345678
>ESI=ESI-0x7768F788
>ESI=ESI XOR EBX =ESI XOR 0x629B
>EBX=[ESP+10]=0x682B7762
>ESI=ESI+EBP=ESI+0x629B
>ESI=ESI XOR EBX=ESI XOR 0x682B7762
>ESI=ESI XOR EDI=ESI XOR 0xE69BBB
>ESI=ESI-EBX=ESI-0x340E
>ESI=ESI+EAX=ESI+0x6E0A
将ESI变成十六进制就是正确的注册码了
以我的用户名为例:
"powerboy"------ESI=0x71F2

>ESI=ESI XOR 0x2002EE78=0x71F2 XOR 0x2002EE78=0x20029F8A
>EDI=[ESP+14]=0xE69BB
>ESI=ESI-0x200E0521=0x20029F8A-0x200E0521=0xFFF49A69
>EDX=[ESP+18]=0x340E
>ESI=ESI XOR 0x72345678=0xFFF49A69 XOR 0x72345678=0x8DC0CC11
>ESI=ESI-0x7768F788=0x8DC0CC11-0x7768F788=0x1657D489
>ESI=ESI XOR EBX =0x1657D489 XOR 0x629B=0x1657B612
>EBX=[ESP+10]=0x682B7762
>ESI=ESI+EBP=0x1657B612+0x629B=0x165818AD
>ESI=ESI XOR EBX=0x165818AD XOR 0x682B7762=0x7E736FCF
>ESI=ESI XOR EDI=0x7E736FCF XOR 0xE69BBB=0x7E95F474
>ESI=ESI-EBX=0x7E95F474-0x340E=0x7E962E70
>ESI=ESI+EAX=0x7E962E70+0x6E0A=0x7E962E70

0x7E962E70=2123771504

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法