
P-CODE Algorithm Analysis ---- 幼儿学语言

Date: 2004/10/15 0:57:00  Source: compiled by this site  Author: 蓝点

 

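Load the program with WKT and open the form manager. Find the regist form; it has two COMMAND controls. We set a BPX on the second one, COMMAND2 (the first one fetches the machine code). Press F5 to run, go to registration, generate the machine code first, enter 78787878-1234 in the registration box and click OK. The program breaks almost immediately at 00441744.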
441744: 04 FLdRfVar local_00C0
441747: 04 FLdRfVar local_00BC
44174A: 05 ImpAdLdRf: 442974
44174D: 24 NewIfNullPr 4097b8
441750: 0d VCallHresult CVBApplication::get_App
441755: 08 FLdPr local_00BC
441758: 0d VCallHresult CVBApplication::geBC$?餵
44175D: 6c ILdRf local_00C0
441760: 1b LitStr: \ldk.pas
441763: 2a ConcatStr
441764: 31 FStStr local_00B4
441767: 2f FFree1Str local_00C0
44176A: 1a FFree1Ad local_00BC
44176D: 27 LitVar_Missing
441770: 0b ImpAdCallI2 rtcFreeFile
441775: 70 FStI2 local_0090
441778: 35 FFree1Var local_00E0
44177B: f5 LitI4: 0x0 0 (....)
441780: 04 FLdRfVar local_00B4
441783: 4d CVarRef: ( local_00D0 ) 4008
441788: 0b ImpAdCallI2 rtcDir
44178D: 31 FStStr local_0094
441790: 6c ILdRf local_0094
441793: f5 LitI4: 0x0 0 (....)
441798: Lead0/3d NeStr
Tracing with F8 shows that it first writes the entered fake registration code to ldk.pas. Keep pressing F8.
44189E: 6b FLdI2 local_0090
4418A1: Lead2/3d Close
4418A3: f5 LitI4: 0x1 1 (....)
4418A8: 6c ILdRf local_0094
4418AB: 1b LitStr: - the character "-"
4418AE: f5 LitI4: 0x0 0 (....)
4418B3: Lead3/fd FnInStr4 ,search the entered registration code for "-"; if there is none, heh.
4418B5: f5 LitI4: 0x0 0 (....)
4418BA: c7 EqI4
4418BB: 1c BranchF: 4418C6 ,if "-" is present, go to 4418C6
4418BE: f4 LitI2_Byte: 0x0 0 (.)
4418C0: 7a ImpAdStI2 local_param_000F
4418C3: 1e Branch: 44198e ,if the fake registration code has no "-", GAME OVER, registration fails
4418C6: f5 LitI4: 0x1 1 (....)
4418CB: 6c ILdRf local_0094
4418CE: 1b LitStr: -
4418D1: f5 LitI4: 0x0 0 (....)
4418D6: Lead3/fd FnInStr4
4418D8: e4 CI2I4
4418D9: 70 FStI2 local_008E
4418DC: 6b FLdI2 local_008E
4418DF: f4 LitI2_Byte: 0x1 1 (.)
4418E1: ad SubI2
4418E2: e7 CI4UI1
4418E3: 04 FLdRfVar local_0094
4418E6: 4d CVarRef: ( local_00D0 ) 4008
4418EB: 04 FLdRfVar local_00E0
4418EE: 0a ImpAdCallFPR4: rtcLeftCh ,take the left part, i.e. 78787878
4418F3: 04 FLdRfVar local_00E0
4418F6: 04 FLdRfVar local_00F4
4418F9: 0a ImpAdCallFPR4: rtcTrimVar
4418FE: 04 FLdRfVar local_00F4
441901: 60 CStrVarTmp
441902: 23 FStStrNoPop local_00C0
441905: f5 LitI4: 0x0 0 (....)
44190A: 04 FLdRfVar local_00AC
44190D: 3b Ary1StStrCopy
44190E: 2f FFree1Str local_00C0
441911: 36 FFreeVar
441918: 27 LitVar_Missing
44191B: 6b FLdI2 local_008E
44191E: f4 LitI2_Byte: 0x1 1 (.)
441920: a9 AddI2
441921: e7 CI4UI1
441922: 04 FLdRfVar local_0094
441925: 4d CVarRef: ( local_00D0 ) 4008
44192A: 04 FLdRfVar local_00F4
44192D: 0a ImpAdCallFPR4: rtcMidCharVar ,take the part after it, 1234
441932: 04 FLdRfVar local_00F4
441935: 04 FLdRfVar local_0114
441938: 0a ImpAdCallFPR4: rtcTrimVar
44193D: 04 FLdRfVar local_0114
441940: 60 CStrVarTmp
441941: 23 FStStrNoPop local_00C0
441944: f5 LitI4: 0x1 1 (....)
441949: 04 FLdRfVar local_00AC
44194C: 3b Ary1StStrCopy
44194D: 2f FFree1Str local_00C0


Continue; be sure to trace slowly.


43A260: 1b LitStr: take the Unicode value of "李"
43A263: 0b ImpAdCallI2 rtcCharvalueBstr
43A268: e7 CI4UI1
43A269: 71 FStR4 local_008C
43A26C: 1b LitStr: take the value of "滨"
43A26F: 0b ImpAdCallI2 rtcCharvalueBstr
43A274: e7 CI4UI1
43A275: 71 FStR4 local_0090
43A278: 6c ILdRf local_008C
43A27B: 6c ILdRf local_0090
43A27E: aa AddI4 ,add the two values
43A27F: 71 FStR4 local_008C ,the result is D636H; store it.
43A282: 1b LitStr: "张"
43A285: 0b ImpAdCallI2 rtcCharvalueBstr
43A28A: e7 CI4UI1
43A28B: 71 FStR4 local_0090
43A28E: 1b LitStr: "景"
43A291: 0b ImpAdCallI2 rtcCharvalueBstr
43A296: e7 CI4UI1
43A297: 71 FStR4 local_0094
43A29A: 1b LitStr: "璟"
43A29D: 0b ImpAdCallI2 rtcCharvalueBstr
43A2A2: e7 CI4UI1
43A2A3: 71 FStR4 local_0098
43A2A6: 6c ILdRf local_0090
43A2A9: 6c ILdRf local_0094
43A2AC: aa AddI4
43A2AD: 6c ILdRf local_0098
43A2B0: ae SubI4
43A2B1: 71 FStR4 local_0090 ,store the value 50F0H.
43A2B4: 1b LitStr: "李"
43A2B7: 0b ImpAdCallI2 rtcCharvalueBstr
43A2BC: e7 CI4UI1
43A2BD: 71 FStR4 local_0094
43A2C0: 1b LitStr:  "德"
43A2C3: 0b ImpAdCallI2 rtcCharvalueBstr
43A2C8: e7 CI4UI1
43A2C9: 71 FStR4 local_0098
43A2CC: 1b LitStr: L "凯"
43A2CF: 0b ImpAdCallI2 rtcCharvalueBstr
43A2D4: e7 CI4UI1
43A2D5: 71 FStR4 local_009C
43A2D8: 6c ILdRf local_0094
43A2DB: 6c ILdRf local_0098
43A2DE: aa AddI4
43A2DF: 6c ILdRf local_009C
43A2E2: aa AddI4
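43A2E3: 71 FStR4 local_0094 ,store the value 118F4H
The code above processes the Unicode values of several characters (presumably the names of the author and his parents). Because the characters are fixed, the resulting values are fixed too. Several of the values used below are derived from these characters.
43A2E6: 80 ILdI4: local_param_000C ,note: load the machine code
43A2E9: 6c ILdRf local_008C ,load the hexadecimal number "D636h", obtained from the character arithmetic above; likewise below.
43A2EC: c2 ModI4 ,machine code MOD D636H
43A2ED: 71 FStR4 local_008C ,store the result
43A2F0: 80 ILdI4: local_param_000C ,machine code
43A2F3: 6c ILdRf local_0090 ,50F0H
43A2F6: c2 ModI4 ,modulo operation
43A2F7: 71 FStR4 local_0090 ,store the result
43A2FA: 80 ILdI4: local_param_000C ,machine code
43A2FD: 6c ILdRf local_0094 ,118f4h
43A300: c2 ModI4 ,modulo operation
43A301: 71 FStR4 local_0094 ,store the result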


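43A304: 6c ILdRf local_008C ,note the code above: this value is the result of the first MOD operation
43A307: 6c ILdRf local_0090 ,result of the second operation
43A30A: b2 MulI4 ,multiply the two
43A30B: 71 FStR4 local_008C ,store the result
43A30E: 6c ILdRf local_008C ,load the result just stored
43A311: 80 ILdI4: local_param_0010 ,the first part of the entered registration code, 78787878
43A314: c7 EqI4 ,compare
43A315: 80 ILdI4: local_param_0014 ,the second part of the registration code, i.e. 1234
43A318: 6c ILdRf local_0094 ,against the result of the third MOD above
43A31B: c7 EqI4 ,compare
43A31C: c4 AndI4
43A31D: 1c BranchF: 43A328 ,if not equal, leave; it is over. Failure
43A320: f4 LitI2_Byte: 0xff -1 (.) ,if equal, TRUE is put in
43A322: 70 FStI2 local_0086
43A325: 1e Branch: 43a32d
43A328: f4 LitI2_Byte: 0x0 0 (.) ,reached from 43a31d, FALSE. Heh, changing the 0 here to -1 gives the patched version (change the byte 00 at 43A329 to FF). Of course, we are registering here, not patching, so there is no need to change it.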
43A32A: 70 FStI2 local_0086
43A32D: 15 ExitProcI2


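Thanks for reading this far; I trust you have already found the registration code. To summarize:
The registration code has the form ********-*****, with a "-" in the middle.
The part before the "-" is: (machine code MOD D636H) * (machine code MOD 50F0H)
The part after the "-" is: (machine code MOD 118F4H)
OK, that's a wrap. Writing a crack write-up is harder than the crack itself!!!!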


jwh51 [just short of IPB]
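
The check traced above, reconstructed in Python as an added example (it is not the program's source and not code from the original article). It rebuilds the three moduli from the characters' Unicode values, which confirms the constants D636H, 50F0H and 118F4H, and mirrors the split at 4418A8-44194D and the comparison at 43A304-43A31D. Assumptions: the machine code is a non-negative integer, the two halves of the key are read as decimal integers, and the sample machine code is constructed.

```python
# Added example: reconstruction of the check traced in the listing above.
# It is not the program's source; names and sample values are constructed.

def derive_moduli():
    """Rebuild the three fixed moduli from the characters' Unicode values."""
    m1 = ord("李") + ord("滨")               # 43A260-43A27F -> D636H
    m2 = ord("张") + ord("景") - ord("璟")   # 43A282-43A2B1 -> 50F0H
    m3 = ord("李") + ord("德") + ord("凯")   # 43A2B4-43A2E3 -> 118F4H
    return m1, m2, m3


def split_key(key):
    """Mirror 4418A8-44194D: locate the first "-", then Left/Mid and Trim."""
    pos = key.find("-")
    if pos < 0:                 # InStr returned 0: the routine fails at once
        return None
    return key[:pos].strip(), key[pos + 1:].strip()


def check_registration(machine_code, key):
    """Mirror 43A2E6-43A32D: both EqI4 results are ANDed into one flag."""
    parts = split_key(key)
    if parts is None:
        return False
    try:
        # Assumption: the two halves reach the routine as decimal integers.
        first, second = int(parts[0]), int(parts[1])
    except ValueError:
        return False
    m1, m2, m3 = derive_moduli()
    a = machine_code % m1
    b = machine_code % m2
    c = machine_code % m3
    # a < D636H and b < 50F0H, so a * b stays below 2**31 (MulI4 cannot overflow).
    return a * b == first and c == second


if __name__ == "__main__":
    SAMPLE_MACHINE_CODE = 123456789   # constructed value, not from the article
    print([hex(m) for m in derive_moduli()])
    print(check_registration(SAMPLE_MACHINE_CODE, "78787878-1234"))
```

Every input to the comparison is either the machine code the program displays or a constant stored in the binary, so the routine holds no secret that a trace cannot recover.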


    
    
     
    
    
     
