CSDN博客

img RoBaggio269

Windows系统切换工具 算法分析+注册机

发表于2004/10/28 21:13:00  1510人阅读

分类: 注册算法

Windows系统切换工具 算法分析+注册机

下载地址: http://www4.skycn.com/soft/8306.html

Windows系统切换工具 V1.09.1208 

软件大小:  1312 KB
软件语言:  简体中文
软件类别:  国产软件 / 共享版 / 系统其它
应用平台:  Win9x/NT/2000/XP
界面预览:  
加入时间:  2002-12-10 10:07:34
下载次数:  11796
推荐等级:  
在线注册:  点击这里成为正版用户==>

联 系 人:  easunlee@21cn.com  
开 发 商:  http://easunlee.diy.163.com/

软件介绍:   

    Easun Studio Windows 系统切换工具是是安装多Windows系统的用户的福音。不知道您是否有这种体会,为了工作需要,安装了多个Windows(比如中文Win98、英文Win98及Win2000),可是切换起来却太是困难,Windows 2000 还提供了启动菜单,而多Win95/98/Me根本上就没有这种菜单供您选择,就只有自己在DOS下用批处理进行切换。网上进行多系统切换的工具也可谓多也,但是几乎都是用自己的模块替换BOOT区来完成的,而且都是在DOS(字符界面)下进行切换选择,既麻烦有不安全,而且界面操作复杂,那能不能有一种界面友好,安全,方便在Windows界面下进行操作的系统切换工具呢?路杨就是本着这个原因开发这个软件的,该软件界面大方美观,操作上手,不用自身模块覆盖BOOT区,安全可靠,工作在Windows95/98/Me/2000/Xp 环境下,让您彻底抛开DOS界面和字符界面!另外,本软件还有设置系统和恢复IE设定的功能,当然,这就是附加功能了。

=========================================================================================
前两天我的机子上boot.ini被我搞得一团糟,下了这个东东来整理一下,顺便把它破了,挺简单的,现在这样的很难找了。

先检查,AsPack的壳,脱了,是我最喜欢的VC :D ,很容易找到下面:

代码:
:0040715B 50                      push eax * Possible StringData Ref from Data Obj ->"%s"                                   | :0040715C 68A4A24100              push 0041A2A4 :00407161 51                      push ecx * Reference To: MFC42.Ordinal:0B02, Ord:0B02h                                   | :00407162 E8B5970000              Call 0041091C    ;这个CALL是GetWindowText(MFC写的东东用IDA很容易明白) :00407167 8B542420                mov edx, dword ptr [esp+20] :0040716B 83C40C                  add esp, 0000000C :0040716E 8B42F8                  mov eax, dword ptr [edx-08] :00407171 85C0                    test eax, eax    ;用户名长度不能为0 :00407173 750E                    jne 00407183 .......... :004071AA 50                      push eax * Possible StringData Ref from Data Obj ->"%s"                                   | :004071AB 68A4A24100              push 0041A2A4 :004071B0 51                      push ecx * Reference To: MFC42.Ordinal:0B02, Ord:0B02h                                   | :004071B1 E866970000              Call 0041091C    ;GetWindowText,得到注册名 :004071B6 8B4C241C                mov ecx, dword ptr [esp+1C] :004071BA BB03000000              mov ebx, 00000003  ;EBX=3 :004071BF 83C40C                  add esp, 0000000C :004071C2 8B41F8                  mov eax, dword ptr [ecx-08] :004071C5 3BC3                    cmp eax, ebx :004071C7 7D0E                    jge 004071D7    ;注册名长度必须大于等于3 :004071C9 6AFF                    push FFFFFFFF :004071CB 6A00                    push 00000000 :004071CD 6833F00000              push 0000F033 :004071D2 E997020000              jmp 0040746E    ;不然就有你好看 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004071C7(C) | * Reference To: MSVCRT._mbsicmp, Ord:015Fh                                   | :004071D7 8B3580444100            mov esi, dword ptr [00414480] * Possible StringData Ref from Data Obj ->"白山破解网"    ;黑名单                                   | :004071DD 6898A64100              push 0041A698 :004071E2 51                      push ecx :004071E3 FFD6                    call esi :004071E5 83C408                  add esp, 00000008 :004071E8 85C0                    test eax, eax :004071EA 0F8475020000            je 00407465 :004071F0 8B542410                mov edx, dword ptr [esp+10] * Possible StringData Ref from Data Obj ->"Zhenlong[BCG]"  ;BCG的一位老兄进黑名单了:D                                   | :004071F4 6888A64100              push 0041A688 :004071F9 52                      push edx :004071FA FFD6                    call esi :004071FC 83C408                  add esp, 00000008 :004071FF 85C0                    test eax, eax :00407201 0F845E020000            je 00407465     :00407207 6A01                    push 00000001 :00407209 6A00                    push 00000000 :0040720B 6874040000              push 00000474 :00407210 8BCD                    mov ecx, ebp * Reference To: MFC42.Ordinal:0C17, Ord:0C17h                                   | :00407212 E811970000              Call 00410928 :00407217 8BF0                    mov esi, eax :00407219 8D442410                lea eax, dword ptr [esp+10] :0040721D 56                      push esi :0040721E 51                      push ecx :0040721F 8BCC                    mov ecx, esp :00407221 89642420                mov dword ptr [esp+20], esp :00407225 50                      push eax * Reference To: MFC42.Ordinal:0217, Ord:0217h                                   | :00407226 E847980000              Call 00410A72 :0040722B 8BCD                    mov ecx, ebp :0040722D E80E030000              call 00407540    ;这个CALL有鬼 :00407232 85C0                    test eax, eax :00407234 0F842B020000            je 00407465    ;关键跳转,跳下去就OVER 跟进上面CALL: * Referenced by a CALL at Address: |:0040722D    | :00407540 6AFF                    push FFFFFFFF :00407542 68581D4100              push 00411D58 :00407547 64A100000000            mov eax, dword ptr fs:[00000000] :0040754D 50                      push eax :0040754E 64892500000000          mov dword ptr fs:[00000000], esp :00407555 83EC10                  sub esp, 00000010 :00407558 53                      push ebx :00407559 55                      push ebp :0040755A 56                      push esi :0040755B 57                      push edi :0040755C 8BF9                    mov edi, ecx :0040755E 51                      push ecx :0040755F 8D442434                lea eax, dword ptr [esp+34] :00407563 8BCC                    mov ecx, esp :00407565 8964241C                mov dword ptr [esp+1C], esp :00407569 50                      push eax :0040756A C744243000000000        mov [esp+30], 00000000 * Reference To: MFC42.Ordinal:0217, Ord:0217h                                   | :00407572 E8FB940000              Call 00410A72 :00407577 8BCF                    mov ecx, edi  ;此处D *EAX可以看到输入的注册名,作CALL的参数 :00407579 E822010000              call 004076A0  ;这个CALL很重要,下面多次出现(分析见下) :0040757E 8BF0                    mov esi, eax  ;EAX是返回的值,放进ESI :00407580 85F6                    test esi, esi :00407582 0F84F0000000            je 00407678     :00407588 51                      push ecx :00407589 8BCC                    mov ecx, esp :0040758B 8964241C                mov dword ptr [esp+1C], esp * Possible StringData Ref from Data Obj ->"EasunLee"                                    | :0040758F 68F4A64100              push 0041A6F4 * Reference To: MFC42.Ordinal:0219, Ord:0219h                                   | :00407594 E8BF930000              Call 00410958 :00407599 8BCF                    mov ecx, edi :0040759B E800010000              call 004076A0  ;把字串"EasunLee"作同样计算 :004075A0 51                      push ecx :004075A1 8BD8                    mov ebx, eax  ;结果1放在EBX :004075A3 8BCC                    mov ecx, esp :004075A5 8964241C                mov dword ptr [esp+1C], esp * Possible StringData Ref from Data Obj ->"EasunLee"                                   | :004075A9 68F4A64100              push 0041A6F4 * Reference To: MFC42.Ordinal:0219, Ord:0219h                                   | :004075AE E8A5930000              Call 00410958 :004075B3 8BCF                    mov ecx, edi :004075B5 E8E6000000              call 004076A0 :004075BA 51                      push ecx :004075BB 8BE8                    mov ebp, eax  ;结果1放在EBP :004075BD 8BCC                    mov ecx, esp :004075BF 8964241C                mov dword ptr [esp+1C], esp * Possible StringData Ref from Data Obj ->"easunlee98meiosys"                                   | :004075C3 68E0A64100              push 0041A6E0 * Reference To: MFC42.Ordinal:0219, Ord:0219h                                   | :004075C8 E88B930000              Call 00410958 :004075CD 8BCF                    mov ecx, edi :004075CF E8CC000000              call 004076A0  ;字串"easunlee98meiosys"同样的计算 :004075D4 51                      push ecx :004075D5 89442418                mov dword ptr [esp+18], eax  ;结果2在[ESP+18] :004075D9 8BCC                    mov ecx, esp :004075DB 8964241C                mov dword ptr [esp+1C], esp * Possible StringData Ref from Data Obj ->"Luyanghs&&Tsai&&bluebird"                                   | :004075DF 68C4A64100              push 0041A6C4 * Reference To: MFC42.Ordinal:0219, Ord:0219h                                   | :004075E4 E86F930000              Call 00410958 :004075E9 8BCF                    mov ecx, edi :004075EB E8B0000000              call 004076A0  ;字串"Luyanghs&&Tsai&&bluebird" :004075F0 51                      push ecx :004075F1 89442414                mov dword ptr [esp+14], eax  ;结果3在[ESP+14] :004075F5 8BCC                    mov ecx, esp :004075F7 8964241C                mov dword ptr [esp+1C], esp * Possible StringData Ref from Data Obj ->"heshengwssu1091119"                                   | :004075FB 68B0A64100              push 0041A6B0 * Reference To: MFC42.Ordinal:0219, Ord:0219h                                   | :00407600 E853930000              Call 00410958 :00407605 8BCF                    mov ecx, edi :00407607 E894000000              call 004076A0  ;字串"heshengwssu1091119" :0040760C 51                      push ecx :0040760D 8944241C                mov dword ptr [esp+1C], eax  ;结果4在[ESP+1C] :00407611 8BCC                    mov ecx, esp :00407613 89642420                mov dword ptr [esp+20], esp * Possible StringData Ref from Data Obj ->"200970878"                                   | :00407617 68A4A64100              push 0041A6A4 * Reference To: MFC42.Ordinal:0219, Ord:0219h                                   | :0040761C E837930000              Call 00410958 :00407621 8BCF                    mov ecx, edi :00407623 E878000000              call 004076A0    ;字串"200970878"同样的计算,结果5在EAX :00407628 81F678EE0220            xor esi, 2002EE78  ;ESI是注册名经运算的结果,与2002EE78异或 :0040762E 8B7C2414                mov edi, dword ptr [esp+14]  ;把结果2放入EDI   :00407632 81EE21050E20            sub esi, 200E0521  ;再减200E0521 :00407638 8B542418                mov edx, dword ptr [esp+18]  ;把结果4放在EDX :0040763C 81F678563472            xor esi, 72345678  ;再与72345678异或 :00407642 81EE88F76877            sub esi, 7768F788  ;再减7768F788 :00407648 33F3                    xor esi, ebx    ;再与结果1异或 :0040764A 8B5C2410                mov ebx, dword ptr [esp+10]  ;把结果3放入EBX :0040764E 03F5                    add esi, ebp    ;再加结果1 :00407650 33F3                    xor esi, ebx    ;与结果3异或 :00407652 33F7                    xor esi, edi    ;与结果2异或 :00407654 2BF2                    sub esi, edx    ;减去结果4 :00407656 03F0                    add esi, eax    ;加上结果5 :00407658 8B442434                mov eax, dword ptr [esp+34]  ;EAX是我们输入的注册码数值 :0040765C 3BF0                    cmp esi, eax    ;上面一堆运算的结果必须与输入的注册码相等 :0040765E 7518                    jne 00407678    ;不等就跳 :00407660 8D4C2430                lea ecx, dword ptr [esp+30] :00407664 C7442428FFFFFFFF        mov [esp+28], FFFFFFFF * Reference To: MFC42.Ordinal:0320, Ord:0320h                                   | :0040766C E899920000              Call 0041090A :00407671 B801000000              mov eax, 00000001  ;如果相等来到这里EAX=1,成功 :00407676 EB13                    jmp 0040768B * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:00407582(C), :0040765E(C) | :00407678 8D4C2430                lea ecx, dword ptr [esp+30] :0040767C C7442428FFFFFFFF        mov [esp+28], FFFFFFFF * Reference To: MFC42.Ordinal:0320, Ord:0320h                                   | :00407684 E881920000              Call 0041090A :00407689 33C0                    xor eax, eax    ;如果不等EAX在这里被干掉了 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407676(U) | :0040768B 8B4C2420                mov ecx, dword ptr [esp+20] :0040768F 5F                      pop edi :00407690 5E                      pop esi :00407691 5D                      pop ebp :00407692 64890D00000000          mov dword ptr fs:[00000000], ecx :00407699 5B                      pop ebx :0040769A 83C41C                  add esp, 0000001C :0040769D C20800                  ret 0008 那个多次涉及的CALL: * Referenced by a CALL at Addresses: |:00407579   , :0040759B   , :004075B5   , :004075CF   , :004075EB    |:00407607   , :00407623    | :004076A0 64A100000000            mov eax, dword ptr fs:[00000000] :004076A6 6AFF                    push FFFFFFFF :004076A8 68781D4100              push 00411D78 :004076AD 50                      push eax :004076AE 64892500000000          mov dword ptr fs:[00000000], esp :004076B5 56                      push esi :004076B6 57                      push edi :004076B7 8B7C2418                mov edi, dword ptr [esp+18] :004076BB 8B57F8                  mov edx, dword ptr [edi-08] :004076BE 83FA03                  cmp edx, 00000003 :004076C1 7D26                    jge 004076E9    ;字串长度必须大于等于3 :004076C3 8D4C2418                lea ecx, dword ptr [esp+18] :004076C7 C7442410FFFFFFFF        mov [esp+10], FFFFFFFF ............ * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004076C1(C) | :004076E9 33F6                    xor esi, esi :004076EB 33C9                    xor ecx, ecx :004076ED 85D2                    test edx, edx :004076EF 7E0D                    jle 004076FE * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004076FC(C) | :004076F1 0FBE0439                movsx eax, byte ptr [ecx+edi]  ;循环,依次取出每一个字符 :004076F5 D3E0                    shl eax, cl  ;ECX为循环变量i,取出的字符左移i位 :004076F7 03F0                    add esi, eax  ;累加起来 :004076F9 41                      inc ecx :004076FA 3BCA                    cmp ecx, edx  ;ECX是否大于字串长度 :004076FC 7CF3                    jl 004076F1   ;循环取数 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004076EF(C) | :004076FE 8D4C2418                lea ecx, dword ptr [esp+18] :00407702 C7442410FFFFFFFF        mov [esp+10], FFFFFFFF * Reference To: MFC42.Ordinal:0320, Ord:0320h                                   | :0040770A E8FB910000              Call 0041090A :0040770F 8B4C2408                mov ecx, dword ptr [esp+08] :00407713 8BC6                    mov eax, esi  ;把累加结果给EAX,作为返回值 :00407715 5F                      pop edi :00407716 64890D00000000          mov dword ptr fs:[00000000], ecx :0040771D 5E                      pop esi :0040771E 83C40C                  add esp, 0000000C :00407721 C20400                  ret 0004

整理一下思路:设F()为上面计算的CALL
则 注册码=(((F(用户名) XOR 2002EE78 - 200E0521)XOR 72345678 - 7768F788) XOR F("EasunLee") + F("EasunLee")) XOR F("Luyanghs&&Tsai&&bluebird") XOR F("easunlee98meiosys") - F("heshengwssu1091119") + F("200970878")

注册机:
代码:
#include <iostream.h> #include <string.h> int F(char st[]) {   int len=strlen(st);   int s=0;   for (int i=0;i<len;i++)     s=s+(st[i]<<i);   return s; } void main() {   char name[20];   int code;   cout<<"Please input your name : ";   cin>>name;   code=F(name);   code=(code^0x2002EE78)-0x200E0521;   code=(code^0x72345678)-0x7768F788;   code=(code^F("EasunLee"))+F("EasunLee");   code=code^F("Luyanghs&&Tsai&&bluebird")^F("easunlee98meiosys");   code=code-F("heshengwssu1091119")+F("200970878");   cout<<"Your seiral number is "<<code<<endl; }
阅读全文
0 0

相关文章推荐

img
取 消
img