《穷和麻将》共享版2.11注册码及算法分析
时间:2004/10/15 0:55:00 来源:本站整理 作者:蓝点
软件名:《穷和麻将》共享版2.11
软件简介:
穷和麻将广泛流传于我国北方地区。和牌规则是开门、不缺门、有么九、有横、有顺。
下载地址: http://bmzhao.wx-e.com/mjexe.zip
软件大小:1.22MB
难度:非明码比较,但难度简单
破解者:青锋剑客[DFCG][FCG]
破解工具:FI
W32Dasm V10增强版
Ollydbg v1.07b 汉化版
MASM7
以下是破解过程,不对的地方请批评指正:
1、使用FI查一下,发现没有加壳,这下又省了一步。
2、用W32Dasm V10增强版反编译,工具栏 → “参考” → “字串符数据参考”
发现串式"注册失败",双击它,来到这里:
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408B55(C) ;记下此地址00408B55
|
:00408BB7 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"注册失败"
|
:00408BB9 6844D64200 push 0042D644
* Possible StringData Ref from Data Obj ->"注册码不对!"
|
:00408BBE 6838D64200 push 0042D638
:00408BC3 8BCE mov ecx, esi
:00408BC5 E817550100 call 0041E0E1
:00408BCA 8BCE mov ecx, esi
:00408BCC E8453A0100 call 0041C616
3.现在开始动态跟踪并追出注册码来。启动Ollydbg v1.07b 汉化版。F3键打开mj.exe。在代码窗口找到00408B55,F2键在此下断点。
4.按F9键运行,启动程序后会弹出注册窗口,点"马上注册" → 我的机器码为"607852289" →在注册码处输入"87654321" → 点注册 → 程序中断于刚才我们所设的断点004BB730处,F7跟进,来到如下:
00408B14 . 6A 0A PUSH 0A ; /pFileSystemNameSize = 0000000A
00408B16 . 8BF8 MOV EDI,EAX ; |
00408B18 . 6A 00 PUSH 0 ; |pFileSystemNameBuffer = NULL
00408B1A . 6A 00 PUSH 0 ; |pFileSystemFlags = NULL
00408B1C . 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C] ; |
00408B20 . 6A 00 PUSH 0 ; |pMaxFilenameLength = NULL
00408B22 . 50 PUSH EAX ; |pVolumeSerialNumber
00408B23 . 6A 0C PUSH 0C ; |MaxVolumeNameSize = C (12.)
00408B25 . 6A 00 PUSH 0 ; |VolumeNameBuffer = NULL
00408B27 . 68 88D54200 PUSH MJ.0042D588 ; |RootPathName = "c:\"
00408B2C . FF15 F4614200 CALL DWORD PTR DS:[<&KERNEL32.GetVolumeI>; \GetVolumeInformationA
00408B32 . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00408B36 . 85C9 TEST ECX,ECX ;硬盘序列号为0出错
00408B38 . 74 2F JE SHORT MJ.00408B69
00408B3A > 8BC1 MOV EAX,ECX
00408B3C . 33D2 XOR EDX,EDX
00408B3E . BD 1A000000 MOV EBP,1A
00408B43 . F7F5 DIV EBP ;硬盘序列号(机器码)maccode除以1A
00408B45 . 0FBE07 MOVSX EAX,BYTE PTR DS:[EDI] ;假注册码送EAX
00408B48 . 8B1495 78D1420>MOV EDX,DWORD PTR DS:[EDX*4+42D178] ;据上述运算的余数查表
00408B4F . 83C2 41 ADD EDX,41 ;加41H
00408B52 . 47 INC EDI ;调整假注册码指针
00408B53 . 3BD0 CMP EDX,EAX ;真假注册码逐字符比较
00408B55 . 75 60 JNZ SHORT MJ.00408BB7 ;关键跳转,不相等跳则死
00408B57 . B8 4FECC44E MOV EAX,4EC4EC4F
00408B5C . F7E1 MUL ECX ;常数4EC4EC4F乘maccode
00408B5E . C1EA 03 SHR EDX,3
00408B61 . 8BCA MOV ECX,EDX ;maccode=上述结果高位除8
00408B63 . 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX ;保存maccode
00408B67 .^75 D1 JNZ SHORT MJ.00408B3A ; 未完继续
含26项的索引表(每项为一个DWORD)为:
地 址 内 容 ASCII码
0042D178 10 00 00 00 05 00 00 00 02 00 00 00 17 00 00 00 ............
0042D188 00 00 00 00 04 00 00 00 0E 00 00 00 19 00 00 00 .............
0042D198 09 00 00 00 03 00 00 00 0F 00 00 00 0B 00 00 00 .......... ...
0042D1A8 18 00 00 00 0A 00 00 00 08 00 00 00 01 00 00 00 .............
0042D1B8 0D 00 00 00 14 00 00 00 11 00 00 00 06 00 00 00 .............
0042D1C8 15 00 00 00 13 00 00 00 07 00 00 00 0C 00 00 00 .............
0042D1D8 16 00 00 00 12 00 00 00 ......
.相应MASM注册机:
(1)下面是KeyGen.asm的内容
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
_ProcDlg proto :DWORD,:DWORD,:DWORD,:DWORD
;->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>data seg
; Numeric IDs for the dialog and its controls. The same values are
; #define'd in KeyGen.rc, so the two files must be kept in step.
.const
BUFF_SIZE equ 36
ID_MAKE equ 1002
ID_ABOUT equ 1003
ID_CLOSE equ 1004
IDC_MECHINE equ 1010
IDC_CODE equ 1011
IDC_STATUS equ 1015
DLG_MAIN equ 1000
.data
; Two BUFF_SIZE-byte text buffers, zero-filled at load and cleared again
; by _ProcDlg before each use.
szMechine db BUFF_SIZE dup (0) ;mechine code
szCode db BUFF_SIZE dup (0) ;legal code for input :)
; Root path passed to GetVolumeInformation; the volume is hard-coded to c:\.
szrootpath db 'c:\',0
; Caption and body of the "about" message box.
MsgTitle db "FCG", 0
MsgContend db "《穷和麻将》共享版2.11 注册机", 0dh, 0ah, 0dh, 0ah
db "破解者: 青锋剑客[DFCG][FCG]", 0dh, 0ah
db "完成时间: 2003-03-10", 0dh, 0ah
db "站点: fcgchina.126.com", 0dh, 0ah, 0dh, 0ah
db " 本软件受版权法保护,请合法使用。", 0
; Status-line strings written to IDC_STATUS.
szSucceed db "完毕:)", 0
szNoInput db "请输入机器码", 0
; 26 DWORD entries indexed by (value mod 1Ah). The values are a permutation
; of 0..19h and match the dump of 0042D178 shown in the article, so
; table[i] + 41h is always one of the letters 'A'..'Z'.
table dd 10h,05h,02h,17h,0,4,0eh,19h,09,03,0Fh,0Bh,18h,0Ah,08,01,0Dh,14h,11h,06,15h,13h,07,0Ch,16h,12h
.data?
hInstance HANDLE ?
; Despite the lp prefix this is the serial-number DWORD itself, not a
; pointer: GetVolumeInformation is handed its address and writes into it.
lpVolumeSerialNumber dd ?
.code
start:
        ; Program entry point: obtain this module's instance handle, show the
        ; main dialog modally with _ProcDlg as its dialog procedure, and exit
        ; the process once the dialog has been closed.
        invoke  GetModuleHandle, NULL
        mov     hInstance, eax              ; keep the handle in the global as well
        invoke  DialogBoxParam, eax, DLG_MAIN, NULL, addr _ProcDlg, 0
        invoke  ExitProcess, 0
;-----------------------------------------------------------------------
; _ProcDlg - dialog procedure for DLG_MAIN (stdcall, per the .model line)
; In:    hWnd, wMsg, wParam, lParam = the usual dialog-procedure arguments
; Out:   eax = TRUE for WM_CLOSE / WM_INITDIALOG / WM_COMMAND, FALSE for
;        any other message. The two `ret`s inside the ID_MAKE branch
;        return whatever SetDlgItemText left in eax.
; Saved: ebx, edi, esi through `uses` (only edi is touched below); ebp and
;        edi are additionally pushed/popped by hand around the loop.
;
; The ID_MAKE branch repeats the arithmetic of the check disassembled at
; 00408B3A-00408B67 in the article: the number is consumed as base-26
; digits, least significant first, and each digit is mapped through
; `table` to a letter. That check involves no secret - the expected code
; is a fixed function of the volume serial number and a constant table -
; which is why reading the validation routine is enough to reproduce it.
; A licence check that must resist this needs a verifier that cannot also
; generate codes (for example a signature verified with an embedded
; public key).
;-----------------------------------------------------------------------
_ProcDlg proc uses ebx edi esi, \
hWnd:DWORD,wMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,wMsg
.if eax == WM_CLOSE
invoke EndDialog,hWnd,NULL
.elseif eax==WM_INITDIALOG
; Pre-fill the machine-code box with the serial number of volume c:\,
; shown as an unsigned decimal.
; NOTE(review): the return value of GetVolumeInformation is not checked;
; on failure whatever lpVolumeSerialNumber already holds is displayed.
; The analysed program rejects a serial of 0 (TEST ECX,ECX / JE at
; 00408B36); no such test is made here.
invoke GetVolumeInformation,addr szrootpath,NULL,12,addr lpVolumeSerialNumber,NULL,NULL,NULL,10
mov ecx,lpVolumeSerialNumber
invoke SetDlgItemInt,hWnd,IDC_MECHINE,ecx,FALSE
.elseif eax == WM_COMMAND
mov eax,wParam
; lParam != 0: presumably restricts handling to messages sent by a
; control (lParam carries the control handle) - confirm.
; Only the low word of wParam (ax) is compared with the control IDs.
.IF lParam!=0
.if ax==ID_MAKE
invoke RtlZeroMemory, addr szMechine, BUFF_SIZE
invoke RtlZeroMemory, addr szCode, BUFF_SIZE
; The text is fetched only to detect an empty edit box (eax = 0);
; the numeric value is read again below with GetDlgItemInt.
invoke GetDlgItemText,hWnd,IDC_MECHINE,addr szMechine, BUFF_SIZE
.if eax == 0
invoke SetDlgItemText,hWnd,IDC_STATUS,addr szNoInput
ret
.else
; NOTE(review): lpTranslated is NULL, so a non-numeric entry cannot be
; told apart from the value 0; the loop then runs once on 0.
invoke GetDlgItemInt,hWnd,IDC_MECHINE,NULL,FALSE
mov ecx,eax ; ecx = v, the value still to be encoded
; EBP is borrowed as the divisor register. MASM addresses the proc
; arguments through EBP, so no argument may be referenced until the
; matching `pop ebp`; none is between here and there.
push ebp
push edi
lea edi,szCode ; edi = write pointer into szCode
; Loop invariant: ecx = v. Each pass emits one letter for (v mod 26) and
; replaces v with v / 26. A 32-bit v yields at most 7 letters
; (26^7 > 2^32), well inside BUFF_SIZE; szCode was zeroed above, so the
; result is NUL-terminated.
@@:
mov eax,ecx
XOR EDX,EDX ; clear the high dword of the dividend for unsigned DIV
MOV EBP,1Ah
DIV EBP ; edx = v mod 26
MOV EDX,DWORD PTR DS:[EDX*4+table] ; remainder -> table entry (0..25)
ADD EDX,41h ; 'A' + table entry
mov [edi],dl
INC EDI
; v / 26 by reciprocal multiplication: the high dword of v * 4EC4EC4Fh,
; shifted right by 3, equals the unsigned quotient v / 26.
MOV EAX,4EC4EC4Fh
MUL ECX
SHR EDX,3
MOV ECX,EDX ; MOV leaves the flags from SHR untouched
JNZ @b ; loop while the quotient is non-zero (ZF set by SHR)
pop edi
pop ebp
invoke SetDlgItemText,hWnd,IDC_CODE,addr szCode
invoke SetDlgItemText,hWnd,IDC_STATUS,addr szSucceed
ret
.endif
.elseif ax==ID_CLOSE
invoke EndDialog,hWnd,NULL
.elseif ax==ID_ABOUT
invoke MessageBox, hWnd, Addr MsgContend, Addr MsgTitle, MB_OK
.endif
.ENDIF
.else
; Any other message: report it as not handled.
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret
_ProcDlg ENDP
(2)下面是KeyGen.rc的内容
// Resource script for the dialog used by KeyGen.asm.
// NOTE(review): the header name after #include is missing - it looks like
// an angle-bracketed name was stripped when the page was extracted.
// Presumably the header that defines the WS_*/DS_*/SS_*/BS_*/ES_* style
// constants used below; confirm against the original.
#include
// Control and dialog IDs; same values as the equ constants in KeyGen.asm.
#define ID_MAKE 1002
#define ID_ABOUT 1003
#define ID_CLOSE 1004
#define IDC_MECHINE 1010
#define IDC_CODE 1011
#define IDC_STATUS 1015
#define MyIcon 1020
#define MyBmp 1025
#define DLG_MAIN 1000
MyIcon ICON MOVEABLE PURE DISCARDABLE "FCG.ico"
// NOTE(review): the static control below names a bitmap "BIT_FCG", but no
// BITMAP resource statement appears in this listing - confirm whether
// one was dropped.
DLG_MAIN DIALOG 108, 90, 175, 98
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU | DS_CENTER | DS_3DLOOK
CAPTION "《穷和麻将》共享版2.11 注册机"
FONT 8, "Fixedsys"
{
CONTROL "BIT_FCG",MyBmp,"Static",SS_BITMAP,4,3,11,11
DEFPUSHBUTTON "生成", ID_MAKE,35,70,30,14, BS_FLAT
PUSHBUTTON "关于", ID_ABOUT, 85,70,30,14, BS_FLAT
PUSHBUTTON "退出", ID_CLOSE,135,70,30,14, BS_FLAT
LTEXT "机器码:", -1,14,37,30,8
LTEXT "注册码:", -1,14,53,30,8
LTEXT "就绪", IDC_STATUS,4,86,92,10, WS_DISABLED
LTEXT "青锋剑客[FCG][DFCG]", -1,96,87,77,8 , WS_DISABLED
// IDC_MECHINE is editable (pre-filled by the dialog procedure on
// WM_INITDIALOG); IDC_CODE is read-only output.
// NOTE(review): both EDITTEXT lines end with a comma after the style
// flags - check that the resource compiler in use accepts it.
EDITTEXT IDC_MECHINE,46,36,120,12, WS_BORDER | WS_TABSTOP,
EDITTEXT IDC_CODE, 46,52,120,12, ES_READONLY | WS_BORDER | WS_TABSTOP,
}