【破解作者】 yijun
【作者邮箱】 yijun8354@sina.com
【使用工具】 OD(二哥版),PEID
【破解平台】 WinXP
【软件名称】 速写大师
【软件简介】 一个能把照片转化成素描速写的软件!!!!!!!!!!
【软件大小】 991K
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
用 PEiD 查得该软件无壳,由 Borland C++ 1999 编写。用 OD 载入后,通过查找关键字很容易来到以下关键处 ^-^
; sxds.00405294 -- the registration routine the author reached through a string
; search (OllyDbg listing of a Borland C++ binary; not assemblable source).
; Flow visible in this excerpt:
;   1. a string object is built from "software\ahao's softwares\wenku\mhj"
;      (004052B9..004052D2)
;   2. three strings are fetched through sxds.00459950 from fields +2F4, +2F0
;      and +2F8 of the object saved at [ebp-88]
;   3. the work area at [ebp-2A0] is handed to 004038A0, 00403988 and 00403D20
;   4. 00473534 compares the entered code with the computed one and the result
;      is tested at 00405407
; EAX and EDX are saved on entry -- presumably register-passed arguments; confirm.
; The listing stops at 00405429; the function continues beyond it.
; NOTE(review): the outcome rests on one locally computed boolean obtained from a
; clear-text comparison; no signature or server-side verification is visible here.
00405294 /. 55
push ebp //set a breakpoint here
00405295 |. 8BEC
mov ebp,
esp
00405297 |. 81C4 60FDFFFF
add esp,-2A0
0040529D |. 8995 74FFFFFF
mov dword ptr ss:[
ebp-8C],
edx
004052A3 |. 8985 78FFFFFF
mov dword ptr ss:[
ebp-88],
eax
004052A9 |. B8 4C8B4800
mov eax,sxds.00488B4C
004052AE |. E8 D5410600
call sxds.00469488
004052B3 |. 66:C745 8C 1400
mov word ptr ss:[
ebp-74],14
004052B9 |. BA C4864800
mov edx,sxds.004886C4
; ASCII "software\ahao's softwares\wenku\mhj"
004052BE |. 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
004052C1 |. E8 E6E00600
call sxds.004733AC
004052C6 |. FF45 98
inc dword ptr ss:[
ebp-68]
004052C9 |. 8B08
mov ecx,
dword ptr ds:[
eax]
004052CB |. B2 01
mov dl,1
004052CD |. A1 30484100
mov eax,
dword ptr ds:[414830]
004052D2 |. E8 41FC0000
call sxds.00414F18
004052D7 |. 8985 70FFFFFF
mov dword ptr ss:[
ebp-90],
eax
004052DD |. FF4D 98
dec dword ptr ss:[
ebp-68]
004052E0 |. 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
004052E3 |. BA 02000000
mov edx,2
004052E8 |. E8 77E10600
call sxds.00473464
004052ED |. 66:C745 8C 0800
mov word ptr ss:[
ebp-74],8
004052F3 |. 8D8D 60FDFFFF
lea ecx,
dword ptr ss:[
ebp-2A0]
004052F9 |. 51
push ecx ; /Arg1
004052FA |. E8 45E5FFFF
call sxds.00403844
; \sxds.00403844
004052FF |. 59
pop ecx
00405300 |. 66:C745 8C 2000
mov word ptr ss:[
ebp-74],20
00405306 |. 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
00405309 |. E8 92C7FFFF
call sxds.00401AA0
0040530E |. 8BD0
mov edx,
eax
00405310 |. FF45 98
inc dword ptr ss:[
ebp-68]
00405313 |. 8B8D 78FFFFFF
mov ecx,
dword ptr ss:[
ebp-88]
00405319 |. 8B81 F4020000
mov eax,
dword ptr ds:[
ecx+2F4]
0040531F |. E8 2C460500
call sxds.00459950 //fetches a string, "mhds"
00405324 |. 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
00405327 |. E8 54E5FFFF
call sxds.00403880
; the value pushed next is read by 004038A0 as its third argument ([ebp+10])
0040532C |. 50
push eax
0040532D |. 8D45 F0
lea eax,
dword ptr ss:[
ebp-10]
00405330 |. E8 6BC7FFFF
call sxds.00401AA0
00405335 |. 8BD0
mov edx,
eax
00405337 |. FF45 98
inc dword ptr ss:[
ebp-68]
0040533A |. 8B8D 78FFFFFF
mov ecx,
dword ptr ss:[
ebp-88]
00405340 |. 8B81 F0020000
mov eax,
dword ptr ds:[
ecx+2F0]
00405346 |. E8 05460500
call sxds.00459950
; author's note: computes the username length.
; NOTE(review): same callee as at 0040531F, where it fetches a string, so it more likely reads the username text -- confirm
0040534B |. 8D45 F0
lea eax,
dword ptr ss:[
ebp-10]
0040534E |. E8 2DE5FFFF
call sxds.00403880
; get the username
00405353 |. 50
push eax ; |Arg2
00405354 |. 8D95 60FDFFFF
lea edx,
dword ptr ss:[
ebp-2A0]
; |
0040535A |. 52
push edx ; |Arg1
0040535B |. E8 40E5FFFF
call sxds.004038A0
; \processes the username and the second string; step into this call.
00405360 |. 83C4 0C
add esp,0C
00405363 |. FF4D 98
dec dword ptr ss:[
ebp-68]
00405366 |. 8D45 F0
lea eax,
dword ptr ss:[
ebp-10]
00405369 |. BA 02000000
mov edx,2
0040536E |. E8 F1E00600
call sxds.00473464
00405373 |. FF4D 98
dec dword ptr ss:[
ebp-68]
00405376 |. 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
00405379 |. BA 02000000
mov edx,2
0040537E |. E8 E1E00600
call sxds.00473464
00405383 |. 8D8D 60FDFFFF
lea ecx,
dword ptr ss:[
ebp-2A0]
00405389 |. 51
push ecx ; /Arg1
0040538A |. E8 F9E5FFFF
call sxds.00403988
; \step into
0040538F |. 59
pop ecx
00405390 |. 8D85 60FDFFFF
lea eax,
dword ptr ss:[
ebp-2A0]
00405396 |. 50
push eax ; /Arg1
00405397 |. E8 84E9FFFF
call sxds.00403D20
; \EAX = the value produced by the last part of the preceding computation; call it N
0040539C |. 59
pop ecx
0040539D |. 8985 6CFFFFFF
mov dword ptr ss:[
ebp-94],
eax
004053A3 |. 66:C745 8C 0800
mov word ptr ss:[
ebp-74],8
004053A9 |. 66:C745 8C 2C00
mov word ptr ss:[
ebp-74],2C
004053AF |. 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
004053B2 |. 8B95 6CFFFFFF
mov edx,
dword ptr ss:[
ebp-94]
; EDX = N
004053B8 |. E8 EFDF0600
call sxds.004733AC
004053BD |. FF45 98
inc dword ptr ss:[
ebp-68]
004053C0 |. 66:C745 8C 0800
mov word ptr ss:[
ebp-74],8
004053C6 |. 66:C745 8C 3800
mov word ptr ss:[
ebp-74],38
004053CC |. 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004053CF |. E8 CCC6FFFF
call sxds.00401AA0
004053D4 |. 8BD0
mov edx,
eax
004053D6 |. FF45 98
inc dword ptr ss:[
ebp-68]
004053D9 |. 8B8D 78FFFFFF
mov ecx,
dword ptr ss:[
ebp-88]
004053DF |. 8B81 F8020000
mov eax,
dword ptr ds:[
ecx+2F8]
004053E5 |. E8 66450500
call sxds.00459950
; author's note: computes the length of the entered (trial) code.
; NOTE(review): same callee as at 0040531F; more likely it reads the entered code text -- confirm
004053EA |. 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004053ED |. 8D55 FC
lea edx,
dword ptr ss:[
ebp-4]
004053F0 |. E8 3FE10600
call sxds.00473534
; step into
; the comparison result is pushed here and popped into ECX at 00405406
004053F5 |. 50
push eax ; /Arg1
004053F6 |. FF4D 98
dec dword ptr ss:[
ebp-68]
; |
004053F9 |. 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
; |
004053FC |. BA 02000000
mov edx,2
; |
00405401 |. E8 5EE00600
call sxds.00473464
; \sxds.00473464
00405406 |. 59
pop ecx
00405407 |. 84C9
test cl,
cl
00405409 |. 0F84 15030000
je sxds.00405724
; key branch: taken when the comparison result is zero, i.e. registration fails
0040540F |. 6A 01
push 1
00405411 |. BA ED864800
mov edx,sxds.004886ED
; ASCII "registed"
00405416 |. 8D45 E4
lea eax,
dword ptr ss:[
ebp-1C]
00405419 |. E8 8EDF0600
call sxds.004733AC
0040541E |. FF45 98
inc dword ptr ss:[
ebp-68]
00405421 |. FF30
push dword ptr ds:[
eax]
00405423 |. 66:C745 8C 4400
mov word ptr ss:[
ebp-74],44
00405429 |. BA E8864800
mov edx,sxds.004886E8
; ASCII "smtp"
******************************************************************************************** *************************************************************
跟进0040535B处CALL来到:
; sxds.004038A0 -- cdecl, three stack arguments (the caller removes 0C bytes at 00405360):
;   [ebp+8]  = work area (the caller passes its local at [ebp-2A0])
;   [ebp+C]  = username string (author's annotation)
;   [ebp+10] = second string, "mhds" per the author
; Stores 1 in the flag byte at [arg+4], then copies each string byte by byte --
; the username to [arg+0C..], the second string to [arg+3E..] -- adding 0E0h to a
; byte while it is above 7Eh and 20h while it is below 20h (signed compares), and
; NUL-terminates each copy.
; [ebp-4] is the running index; the push ecx at 004038A3 reserves that slot.
; NOTE(review): neither copy loop has an upper bound -- both stop only at the source
; NUL. The second field starts at +3E, 32h bytes after the first at +0C, so a longer
; username would run into it. Confirm whether the caller limits the input length;
; a bound belongs in these loops either way.
004038A0 /$ 55
push ebp
004038A1 |. 8BEC
mov ebp,
esp
004038A3 |. 51
push ecx
004038A4 |. 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
004038A7 |. C640 04 01
mov byte ptr ds:[
eax+4],1
004038AB |. 33D2
xor edx,
edx
004038AD |. 8955 FC
mov dword ptr ss:[
ebp-4],
edx
004038B0 |> 8B4D 0C /
mov ecx,
dword ptr ss:[
ebp+C]
; the following processes the username
004038B3 |. 8B45 FC |
mov eax,
dword ptr ss:[
ebp-4]
004038B6 |. 8A1401 |
mov dl,
byte ptr ds:[
ecx+
eax]
; fetch the username one byte at a time
004038B9 |. 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
004038BC |. 8B45 08 |
mov eax,
dword ptr ss:[
ebp+8]
004038BF |. 885408 0C |
mov byte ptr ds:[
eax+
ecx+C],
dl ; store that username byte at [eax+ecx+C]
004038C3 |. EB 0B |
jmp short sxds.004038D0
004038C5 |> 8B55 FC |/
mov edx,
dword ptr ss:[
ebp-4]
004038C8 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
004038CB |. 804411 0C E0 ||
add byte ptr ds:[
ecx+
edx+C],0E0
004038D0 |> 8B45 FC |
mov eax,
dword ptr ss:[
ebp-4]
004038D3 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
004038D6 |. 0FBE4C02 0C ||
movsx ecx,
byte ptr ds:[
edx+
eax+C]
; ECX = sign-extended byte at [edx+eax+C]
004038DB |. 83F9 7E ||
cmp ecx,7E
; compare with 7E
004038DE |.^ 7F E5 |\jg short sxds.004038C5
; jump if greater
004038E0 |. EB 0B |
jmp short sxds.004038ED
004038E2 |> 8B45 FC |/
mov eax,
dword ptr ss:[
ebp-4]
004038E5 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
004038E8 |. 804402 0C 20 ||
add byte ptr ds:[
edx+
eax+C],20
004038ED |> 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
004038F0 |. 8B45 08 ||
mov eax,
dword ptr ss:[
ebp+8]
004038F3 |. 0FBE5408 0C ||
movsx edx,
byte ptr ds:[
eax+
ecx+C]
; EDX = sign-extended byte at [eax+ecx+C]
004038F8 |. 83FA 20 ||
cmp edx,20
; compare with 20
004038FB |.^ 7C E5 |\jl short sxds.004038E2
; jump if less
004038FD |. FF45 FC |
inc dword ptr ss:[
ebp-4]
; [ebp-4] += 1 ([ebp-4] counts the username bytes processed so far)
00403900 |. 8B4D 0C |
mov ecx,
dword ptr ss:[
ebp+C]
; ECX = [ebp+C] ([ebp+C] holds the username pointer)
00403903 |. 8B45 FC |
mov eax,
dword ptr ss:[
ebp-4]
00403906 |. 803C01 00 |
cmp byte ptr ds:[
ecx+
eax],0
; reached the terminating NUL yet?
0040390A |.^ 75 A4 \jnz short sxds.004038B0
; if not, loop again; when done, EAX holds the username length
0040390C |. 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
; EDX = length
0040390F |. 8B4D 08
mov ecx,
dword ptr ss:[
ebp+8]
00403912 |. C64411 0C 00
mov byte ptr ds:[
ecx+
edx+C],0
00403917 |. 33C0
xor eax,
eax ; EAX = 0
00403919 |. 8945 FC
mov dword ptr ss:[
ebp-4],
eax ; [ebp-4] = 0
0040391C |> 8B55 10 /
mov edx,
dword ptr ss:[
ebp+10]
; the string "mhds" (without the quotes) is processed the same way
0040391F |. 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
00403922 |. 8A040A |
mov al,
byte ptr ds:[
edx+
ecx]
00403925 |. 8B55 FC |
mov edx,
dword ptr ss:[
ebp-4]
00403928 |. 8B4D 08 |
mov ecx,
dword ptr ss:[
ebp+8]
0040392B |. 884411 3E |
mov byte ptr ds:[
ecx+
edx+3E],
al
0040392F |. EB 0B |
jmp short sxds.0040393C
00403931 |> 8B45 FC |/
mov eax,
dword ptr ss:[
ebp-4]
00403934 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403937 |. 804402 3E E0 ||
add byte ptr ds:[
edx+
eax+3E],0E0
0040393C |> 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
0040393F |. 8B45 08 ||
mov eax,
dword ptr ss:[
ebp+8]
00403942 |. 0FBE5408 3E ||
movsx edx,
byte ptr ds:[
eax+
ecx+3E]
00403947 |. 83FA 7E ||
cmp edx,7E
0040394A |.^ 7F E5 |\jg short sxds.00403931
0040394C |. EB 0B |
jmp short sxds.00403959
0040394E |> 8B4D FC |/
mov ecx,
dword ptr ss:[
ebp-4]
00403951 |. 8B45 08 ||
mov eax,
dword ptr ss:[
ebp+8]
00403954 |. 804408 3E 20 ||
add byte ptr ds:[
eax+
ecx+3E],20
00403959 |> 8B55 FC |
mov edx,
dword ptr ss:[
ebp-4]
0040395C |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
0040395F |. 0FBE4411 3E ||
movsx eax,
byte ptr ds:[
ecx+
edx+3E]
00403964 |. 83F8 20 ||
cmp eax,20
00403967 |.^ 7C E5 |\jl short sxds.0040394E
00403969 |. FF45 FC |
inc dword ptr ss:[
ebp-4]
0040396C |. 8B55 10 |
mov edx,
dword ptr ss:[
ebp+10]
0040396F |. 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
00403972 |. 803C0A 00 |
cmp byte ptr ds:[
edx+
ecx],0
00403976 |.^ 75 A4 \jnz short sxds.0040391C
; when done, ECX holds the length
00403978 |. 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0040397B |. 8B55 08
mov edx,
dword ptr ss:[
ebp+8]
0040397E |. C64402 3E 00
mov byte ptr ds:[
edx+
eax+3E],0
00403983 |. 59
pop ecx
00403984 |. 5D
pop ebp
00403985 \. C3
retn //return
******************************************************************************************** *************************************************************
跟进0040538A处CALL来到:
; sxds.00403988 -- called from 0040538A with the work area ([ebp+8]) as its only
; stack argument; per the author this is where the expected code is derived.
; Structure visible in the listing:
;   - the flag byte at [arg+4] selects the path: zero falls through at 0040399B,
;     non-zero jumps to 00403ACA (004038A0 stores 1 there before this call)
;   - both paths rejoin at 00403CF1
;   - the final loop copies 0A bytes from [arg+7B..] to [arg+70..], and a NUL is
;     stored at [arg+7A]
; Frame: 48h bytes of locals (add esp,-48).
; NOTE(review): the result is left as a plain NUL-terminated string inside the
; work area, i.e. the expected value exists in clear text in process memory.
00403988 /$ 55
push ebp
00403989 |. 8BEC
mov ebp,
esp
0040398B |. 83C4 B8
add esp,-48
0040398E |. 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00403991 |. 8078 04 00
cmp byte ptr ds:[
eax+4],0
00403995 |. 0F85 2F010000
jnz sxds.00403ACA
0040399B |. 33D2
xor edx,
edx
0040399D |. 8955 FC
mov dword ptr ss:[
ebp-4],
edx
004039A0 |. EB 17
jmp short sxds.004039B9
004039A2 |> 8B4D FC /
mov ecx,
dword ptr ss:[
ebp-4]
004039A5 |. 8B45 08 |
mov eax,
dword ptr ss:[
ebp+8]
004039A8 |. 8A5408 0C |
mov dl,
byte ptr ds:[
eax+
ecx+C]
004039AC |. 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
004039AF |. 8B45 08 |
mov eax,
dword ptr ss:[
ebp+8]
004039B2 |. 885408 7B |
mov byte ptr ds:[
eax+
ecx+7B],
dl
004039B6 |. FF45 FC |
inc dword ptr ss:[
ebp-4]
004039B9 |> 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
004039BC |. 8B4D 08 |
mov ecx,
dword ptr ss:[
ebp+8]
004039BF |. 807C11 0C 00 |
cmp byte ptr ds:[
ecx+
edx+C],0
004039C4 |.^ 75 DC \jnz short sxds.004039A2
004039C6 |. 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
004039C9 |. 83C0 FE
add eax,-2
004039CC |. 8945 F8
mov dword ptr ss:[
ebp-8],
eax
004039CF |. 817D FC 90010000
cmp dword ptr ss:[
ebp-4],190
004039D6 |. 7D 22
jge short sxds.004039FA
004039D8 |> 8B55 08 /
mov edx,
dword ptr ss:[
ebp+8]
004039DB |. 8B4A 08 |
mov ecx,
dword ptr ds:[
edx+8]
004039DE |. 8B45 FC |
mov eax,
dword ptr ss:[
ebp-4]
004039E1 |. 8A1401 |
mov dl,
byte ptr ds:[
ecx+
eax]
004039E4 |. 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
004039E7 |. 8B45 08 |
mov eax,
dword ptr ss:[
ebp+8]
004039EA |. 885408 7B |
mov byte ptr ds:[
eax+
ecx+7B],
dl
004039EE |. FF45 FC |
inc dword ptr ss:[
ebp-4]
004039F1 |. 817D FC 90010000 |
cmp dword ptr ss:[
ebp-4],190
004039F8 |.^ 7C DE \jl short sxds.004039D8
004039FA |> 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004039FD |. 8955 F4
mov dword ptr ss:[
ebp-C],
edx
00403A00 |. 837D F4 32
cmp dword ptr ss:[
ebp-C],32
00403A04 |. 7D 1F
jge short sxds.00403A25
00403A06 |> 8B4D 08 /
mov ecx,
dword ptr ss:[
ebp+8]
00403A09 |. 8B41 08 |
mov eax,
dword ptr ds:[
ecx+8]
00403A0C |. 8B55 F4 |
mov edx,
dword ptr ss:[
ebp-C]
00403A0F |. 8A0C10 |
mov cl,
byte ptr ds:[
eax+
edx]
00403A12 |. 8B45 F4 |
mov eax,
dword ptr ss:[
ebp-C]
00403A15 |. 8B55 08 |
mov edx,
dword ptr ss:[
ebp+8]
00403A18 |. 884C02 0C |
mov byte ptr ds:[
edx+
eax+C],
cl
00403A1C |. FF45 F4 |
inc dword ptr ss:[
ebp-C]
00403A1F |. 837D F4 32 |
cmp dword ptr ss:[
ebp-C],32
00403A23 |.^ 7C E1 \jl short sxds.00403A06
00403A25 |> 33C9
xor ecx,
ecx
00403A27 |. 894D F0
mov dword ptr ss:[
ebp-10],
ecx
00403A2A |> 33C0 /
xor eax,
eax
00403A2C |. 8945 FC |
mov dword ptr ss:[
ebp-4],
eax
00403A2F |. EB 6A |
jmp short sxds.00403A9B
00403A31 |> 8B55 F0 |/
mov edx,
dword ptr ss:[
ebp-10]
00403A34 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
00403A37 |. 0FBE4411 0C ||
movsx eax,
byte ptr ds:[
ecx+
edx+C]
00403A3C |. B9 05000000 ||
mov ecx,5
00403A41 |. 99 ||
cdq
00403A42 |. F7F9 ||
idiv ecx
00403A44 |. 8955 E8 ||
mov dword ptr ss:[
ebp-18],
edx
00403A47 |. 8B45 FC ||
mov eax,
dword ptr ss:[
ebp-4]
00403A4A |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403A4D |. 8A4C02 7B ||
mov cl,
byte ptr ds:[
edx+
eax+7B]
00403A51 |. 884D EF ||
mov byte ptr ss:[
ebp-11],
cl
00403A54 |. 8B45 F0 ||
mov eax,
dword ptr ss:[
ebp-10]
00403A57 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403A5A |. 0FBE4C02 0C ||
movsx ecx,
byte ptr ds:[
edx+
eax+C]
00403A5F |. 8B45 FC ||
mov eax,
dword ptr ss:[
ebp-4]
00403A62 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403A65 |. 8D0402 ||
lea eax,
dword ptr ds:[
edx+
eax]
00403A68 |. 8A5408 5C ||
mov dl,
byte ptr ds:[
eax+
ecx+5C]
00403A6C |. 8B4D FC ||
mov ecx,
dword ptr ss:[
ebp-4]
00403A6F |. 8B45 08 ||
mov eax,
dword ptr ss:[
ebp+8]
00403A72 |. 885408 7B ||
mov byte ptr ds:[
eax+
ecx+7B],
dl
00403A76 |. 8B55 F0 ||
mov edx,
dword ptr ss:[
ebp-10]
00403A79 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
00403A7C |. 0FBE4411 0C ||
movsx eax,
byte ptr ds:[
ecx+
edx+C]
00403A81 |. 8B55 FC ||
mov edx,
dword ptr ss:[
ebp-4]
00403A84 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
00403A87 |. 8D1411 ||
lea edx,
dword ptr ds:[
ecx+
edx]
00403A8A |. 8A4D EF ||
mov cl,
byte ptr ss:[
ebp-11]
00403A8D |. 884C02 5C ||
mov byte ptr ds:[
edx+
eax+5C],
cl
00403A91 |. 8B45 FC ||
mov eax,
dword ptr ss:[
ebp-4]
00403A94 |. 0345 E8 ||
add eax,
dword ptr ss:[
ebp-18]
00403A97 |. 40 ||
inc eax
00403A98 |. 8945 FC ||
mov dword ptr ss:[
ebp-4],
eax
00403A9B |> 8B45 F0 |
mov eax,
dword ptr ss:[
ebp-10]
00403A9E |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403AA1 |. 0FBE4C02 0C ||
movsx ecx,
byte ptr ds:[
edx+
eax+C]
00403AA6 |. 034D FC ||
add ecx,
dword ptr ss:[
ebp-4]
00403AA9 |. 83C1 E1 ||
add ecx,-1F
00403AAC |. 81F9 90010000 ||
cmp ecx,190
00403AB2 |.^ 0F8C 79FFFFFF |\jl sxds.00403A31
00403AB8 |. FF45 F0 |
inc dword ptr ss:[
ebp-10]
00403ABB |. 837D F0 32 |
cmp dword ptr ss:[
ebp-10],32
00403ABF |.^ 0F8C 65FFFFFF \jl sxds.00403A2A
00403AC5 |. E9 27020000
jmp sxds.00403CF1
00403ACA |> 33C0
xor eax,
eax
00403ACC |. 8945 E4
mov dword ptr ss:[
ebp-1C],
eax
00403ACF |. EB 17
jmp short sxds.00403AE8
00403AD1 |> 8B55 E4 /
mov edx,
dword ptr ss:[
ebp-1C]
; this stretch computes the username length (counter in [ebp-1C], loaded into EDX); each byte is also copied from +C to +7B
00403AD4 |. 8B4D 08 |
mov ecx,
dword ptr ss:[
ebp+8]
00403AD7 |. 8A4411 0C |
mov al,
byte ptr ds:[
ecx+
edx+C]
00403ADB |. 8B55 E4 |
mov edx,
dword ptr ss:[
ebp-1C]
00403ADE |. 8B4D 08 |
mov ecx,
dword ptr ss:[
ebp+8]
00403AE1 |. 884411 7B |
mov byte ptr ds:[
ecx+
edx+7B],
al
00403AE5 |. FF45 E4 |
inc dword ptr ss:[
ebp-1C]
00403AE8 |> 8B45 E4
mov eax,
dword ptr ss:[
ebp-1C]
00403AEB |. 8B55 08 |
mov edx,
dword ptr ss:[
ebp+8]
00403AEE |. 807C02 0C 00 |
cmp byte ptr ds:[
edx+
eax+C],0
00403AF3 |.^ 75 DC \jnz short sxds.00403AD1
00403AF5 |. 8B4D E4
mov ecx,
dword ptr ss:[
ebp-1C]
00403AF8 |. 894D E0
mov dword ptr ss:[
ebp-20],
ecx
00403AFB |. 8B45 E0
mov eax,
dword ptr ss:[
ebp-20]
00403AFE |. 8945 DC
mov dword ptr ss:[
ebp-24],
eax
00403B01 |. 837D DC 32
cmp dword ptr ss:[
ebp-24],32
00403B05 |. 7D 3B
jge short sxds.00403B42
00403B07 |> 8B55 08 /
mov edx,
dword ptr ss:[
ebp+8]
; EDX = [ebp+8]
00403B0A |. 8B4A 08 |
mov ecx,
dword ptr ds:[
edx+8]
; [edx+8] points to a fixed string, call it S ("ThislicenseappliestoanysoftwarecontaininganoticeplacedbythecopyrightholdersayingthatitmaybedistributedunderthetermsoftheQtNon-CommercialLicenseversion1.0.SuchsoftwareishereinreferredtoastheSoftware.Thislicensecoversdistribut", shown truncated); ECX = that pointer
00403B0D |. 8B45 DC |
mov eax,
dword ptr ss:[
ebp-24]
; EAX = [ebp-24]
00403B10 |. 8A1401 |
mov dl,
byte ptr ds:[
ecx+
eax]
; DL = byte at [ecx+eax]
00403B13 |. 8B4D DC |
mov ecx,
dword ptr ss:[
ebp-24]
; ECX = [ebp-24]
00403B16 |. 8B45 08 |
mov eax,
dword ptr ss:[
ebp+8]
00403B19 |. 885408 0C |
mov byte ptr ds:[
eax+
ecx+C],
dl ; [eax+ecx+C] = DL
00403B1D |. FF45 DC |
inc dword ptr ss:[
ebp-24]
; [ebp-24] += 1
00403B20 |. 837D DC 32 |
cmp dword ptr ss:[
ebp-24],32
; compare [ebp-24] with 32
00403B24 |.^ 7C E1 \jl short sxds.00403B07
; if less, loop back and continue
00403B26 |. EB 1A
jmp short sxds.00403B42 //author's observation: at this point EDX refers to the string "ganoticeplmhds"
00403B28 |> 8B55 E4 /
mov edx,
dword ptr ss:[
ebp-1C]
; EDX = [ebp-1C]
00403B2B |. 2B55 E0 |
sub edx,
dword ptr ss:[
ebp-20]
; EDX = EDX - [ebp-20]
00403B2E |. 8B4D 08 |
mov ecx,
dword ptr ss:[
ebp+8]
00403B31 |. 8A4411 3E |
mov al,
byte ptr ds:[
ecx+
edx+3E]
; AL = byte at [ecx+edx+3E]
00403B35 |. 8B55 E4 |
mov edx,
dword ptr ss:[
ebp-1C]
00403B38 |. 8B4D 08 |
mov ecx,
dword ptr ss:[
ebp+8]
00403B3B |. 884411 7B |
mov byte ptr ds:[
ecx+
edx+7B],
al
00403B3F |. FF45 E4 |
inc dword ptr ss:[
ebp-1C]
; [ebp-1C] += 1
00403B42 |> 8B45 E4
mov eax,
dword ptr ss:[
ebp-1C]
00403B45 |. 2B45 E0 |
sub eax,
dword ptr ss:[
ebp-20]
00403B48 |. 8B55 08 |
mov edx,
dword ptr ss:[
ebp+8]
00403B4B |. 807C02 3E 00 |
cmp byte ptr ds:[
edx+
eax+3E],0
00403B50 |.^ 75 D6 \jnz short sxds.00403B28
; not finished: keep looping; this stretch handles "mhds"
00403B52 |. 8B4D E4
mov ecx,
dword ptr ss:[
ebp-1C]
00403B55 |. 2B4D E0
sub ecx,
dword ptr ss:[
ebp-20]
00403B58 |. 894D D8
mov dword ptr ss:[
ebp-28],
ecx
00403B5B |. 8B45 D8
mov eax,
dword ptr ss:[
ebp-28]
00403B5E |. 8945 D4
mov dword ptr ss:[
ebp-2C],
eax
00403B61 |. 837D D4 32
cmp dword ptr ss:[
ebp-2C],32
00403B65 |. 7D 1F
jge short sxds.00403B86
00403B67 |> 8B55 08 /
mov edx,
dword ptr ss:[
ebp+8]
; *** handled the same way as before ***
00403B6A |. 8B4A 08 |
mov ecx,
dword ptr ds:[
edx+8]
00403B6D |. 8B45 D4 |
mov eax,
dword ptr ss:[
ebp-2C]
00403B70 |. 8A1401 |
mov dl,
byte ptr ds:[
ecx+
eax]
00403B73 |. 8B4D D4 |
mov ecx,
dword ptr ss:[
ebp-2C]
00403B76 |. 8B45 08 |
mov eax,
dword ptr ss:[
ebp+8]
00403B79 |. 885408 3E |
mov byte ptr ds:[
eax+
ecx+3E],
dl
00403B7D |. FF45 D4 |
inc dword ptr ss:[
ebp-2C]
00403B80 |. 837D D4 32 |
cmp dword ptr ss:[
ebp-2C],32
00403B84 |.^ 7C E1 \jl short sxds.00403B67
00403B86 |> 817D E4 90010000
cmp dword ptr ss:[
ebp-1C],190
00403B8D |. 7D 22
jge short sxds.00403BB1
00403B8F |> 8B55 08 /
mov edx,
dword ptr ss:[
ebp+8]
00403B92 |. 8B4A 08 |
mov ecx,
dword ptr ds:[
edx+8]
00403B95 |. 8B45 E4 |
mov eax,
dword ptr ss:[
ebp-1C]
00403B98 |. 8A1401 |
mov dl,
byte ptr ds:[
ecx+
eax]
00403B9B |. 8B4D E4 |
mov ecx,
dword ptr ss:[
ebp-1C]
00403B9E |. 8B45 08 |
mov eax,
dword ptr ss:[
ebp+8]
00403BA1 |. 885408 7B |
mov byte ptr ds:[
eax+
ecx+7B],
dl
00403BA5 |. FF45 E4 |
inc dword ptr ss:[
ebp-1C]
00403BA8 |. 817D E4 90010000 |
cmp dword ptr ss:[
ebp-1C],190
00403BAF |.^ 7C DE \jl short sxds.00403B8F
; **********
00403BB1 |> 33D2
xor edx,
edx ; EDX = 0
00403BB3 |. 8955 D0
mov dword ptr ss:[
ebp-30],
edx
00403BB6 |> 33C9 /
xor ecx,
ecx ; ECX = 0
00403BB8 |. 894D E4 |
mov dword ptr ss:[
ebp-1C],
ecx ; [ebp-1C] = 0
00403BBB |. EB 6A |
jmp short sxds.00403C27
00403BBD |> 8B45 D0 |/
mov eax,
dword ptr ss:[
ebp-30] //target of the jump back from 00403C3E; the following processes the username
00403BC0 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403BC3 |. 0FBE4402 0C ||
movsx eax,
byte ptr ds:[
edx+
eax+C]
; EAX = sign-extended byte at [edx+eax+C]
00403BC8 |. B9 05000000 ||
mov ecx,5
; ECX = 5
00403BCD |. 99 ||
cdq ; sign-extend EAX into EDX:EAX
00403BCE |. F7F9 ||
idiv ecx ; divide by ECX
00403BD0 |. 8955 C8 ||
mov dword ptr ss:[
ebp-38],
edx
00403BD3 |. 8B45 E4 ||
mov eax,
dword ptr ss:[
ebp-1C]
00403BD6 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403BD9 |. 8A4C02 7B ||
mov cl,
byte ptr ds:[
edx+
eax+7B]
; CL = byte at [edx+eax+7B]
00403BDD |. 884D CF ||
mov byte ptr ss:[
ebp-31],
cl
00403BE0 |. 8B45 D0 ||
mov eax,
dword ptr ss:[
ebp-30]
00403BE3 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403BE6 |. 0FBE4C02 0C ||
movsx ecx,
byte ptr ds:[
edx+
eax+C]
; ECX = sign-extended byte at [edx+eax+C]
00403BEB |. 8B45 E4 ||
mov eax,
dword ptr ss:[
ebp-1C]
00403BEE |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403BF1 |. 8D0402 ||
lea eax,
dword ptr ds:[
edx+
eax]
; EAX = edx + eax (lea: address only, no load)
00403BF4 |. 8A5408 5C ||
mov dl,
byte ptr ds:[
eax+
ecx+5C]
; DL = byte at [eax+ecx+5C]
00403BF8 |. 8B4D E4 ||
mov ecx,
dword ptr ss:[
ebp-1C]
00403BFB |. 8B45 08 ||
mov eax,
dword ptr ss:[
ebp+8]
00403BFE |. 885408 7B ||
mov byte ptr ds:[
eax+
ecx+7B],
dl ; [eax+ecx+7B] = DL
00403C02 |. 8B55 D0 ||
mov edx,
dword ptr ss:[
ebp-30]
00403C05 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
00403C08 |. 0FBE4411 0C ||
movsx eax,
byte ptr ds:[
ecx+
edx+C]
; EAX = sign-extended byte at [ecx+edx+C]
00403C0D |. 8B55 E4 ||
mov edx,
dword ptr ss:[
ebp-1C]
00403C10 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
00403C13 |. 8D1411 ||
lea edx,
dword ptr ds:[
ecx+
edx]
00403C16 |. 8A4D CF ||
mov cl,
byte ptr ss:[
ebp-31]
00403C19 |. 884C02 5C ||
mov byte ptr ds:[
edx+
eax+5C],
cl ; [edx+eax+5C] = CL
00403C1D |. 8B45 E4 ||
mov eax,
dword ptr ss:[
ebp-1C]
00403C20 |. 0345 C8 ||
add eax,
dword ptr ss:[
ebp-38]
00403C23 |. 40 ||
inc eax ; EAX += 1
00403C24 |. 8945 E4 ||
mov dword ptr ss:[
ebp-1C],
eax
00403C27 |> 8B45 D0 |
mov eax,
dword ptr ss:[
ebp-30]
; entered from the jump at 00403BBB
00403C2A |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403C2D |. 0FBE4C02 0C ||
movsx ecx,
byte ptr ds:[
edx+
eax+C]
; load the username into ECX one byte at a time
00403C32 034D E4
add ecx,
dword ptr ss:[
ebp-1C]
; ECX = ECX + [ebp-1C]
00403C35 |. 83C1 E1 ||
add ecx,-1F
; ECX += -1F
00403C38 |. 81F9 90010000 ||
cmp ecx,190
; compare with 190
00403C3E |.^ 0F8C 79FFFFFF |\jl sxds.00403BBD
; if less, continue the inner loop
00403C44 |. FF45 D0 |
inc dword ptr ss:[
ebp-30]
; [ebp-30] += 1
00403C47 |. 837D D0 32 |
cmp dword ptr ss:[
ebp-30],32
; compare [ebp-30] with 32
00403C4B |.^ 0F8C 65FFFFFF \jl sxds.00403BB6
; if less, jump back
00403C51 |. 33C0
xor eax,
eax ; EAX = 0
00403C53 |. 8945 C4
mov dword ptr ss:[
ebp-3C],
eax
00403C56 |> 33D2 /
xor edx,
edx ; the following handles the string "mhds" in much the same way
00403C58 |. 8955 E4 |
mov dword ptr ss:[
ebp-1C],
edx
00403C5B |. EB 6A |
jmp short sxds.00403CC7
00403C5D |> 8B4D C4 |/
mov ecx,
dword ptr ss:[
ebp-3C]
00403C60 |. 8B45 08 ||
mov eax,
dword ptr ss:[
ebp+8]
00403C63 |. 0FBE4408 3E ||
movsx eax,
byte ptr ds:[
eax+
ecx+3E]
00403C68 |. B9 05000000 ||
mov ecx,5
00403C6D |. 99 ||
cdq
00403C6E |. F7F9 ||
idiv ecx
00403C70 |. 8955 BC ||
mov dword ptr ss:[
ebp-44],
edx
00403C73 |. 8B45 E4 ||
mov eax,
dword ptr ss:[
ebp-1C]
00403C76 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403C79 |. 8A4C02 7B ||
mov cl,
byte ptr ds:[
edx+
eax+7B]
00403C7D |. 884D C3 ||
mov byte ptr ss:[
ebp-3D],
cl
00403C80 |. 8B45 C4 ||
mov eax,
dword ptr ss:[
ebp-3C]
00403C83 |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403C86 |. 0FBE4C02 3E ||
movsx ecx,
byte ptr ds:[
edx+
eax+3E]
00403C8B |. 8B45 E4 ||
mov eax,
dword ptr ss:[
ebp-1C]
00403C8E |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403C91 |. 8D0402 ||
lea eax,
dword ptr ds:[
edx+
eax]
00403C94 |. 8A5408 5C ||
mov dl,
byte ptr ds:[
eax+
ecx+5C]
00403C98 |. 8B4D E4 ||
mov ecx,
dword ptr ss:[
ebp-1C]
00403C9B |. 8B45 08 ||
mov eax,
dword ptr ss:[
ebp+8]
00403C9E |. 885408 7B ||
mov byte ptr ds:[
eax+
ecx+7B],
dl
00403CA2 |. 8B55 C4 ||
mov edx,
dword ptr ss:[
ebp-3C]
00403CA5 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
00403CA8 |. 0FBE4411 3E ||
movsx eax,
byte ptr ds:[
ecx+
edx+3E]
00403CAD |. 8B55 E4 ||
mov edx,
dword ptr ss:[
ebp-1C]
00403CB0 |. 8B4D 08 ||
mov ecx,
dword ptr ss:[
ebp+8]
00403CB3 |. 8D1411 ||
lea edx,
dword ptr ds:[
ecx+
edx]
00403CB6 |. 8A4D C3 ||
mov cl,
byte ptr ss:[
ebp-3D]
00403CB9 |. 884C02 5C ||
mov byte ptr ds:[
edx+
eax+5C],
cl
00403CBD |. 8B45 E4 ||
mov eax,
dword ptr ss:[
ebp-1C]
00403CC0 |. 0345 BC ||
add eax,
dword ptr ss:[
ebp-44]
00403CC3 |. 40 ||
inc eax
00403CC4 |. 8945 E4 ||
mov dword ptr ss:[
ebp-1C],
eax
00403CC7 |> 8B45 C4 |
mov eax,
dword ptr ss:[
ebp-3C]
00403CCA |. 8B55 08 ||
mov edx,
dword ptr ss:[
ebp+8]
00403CCD |. 0FBE4C02 3E ||
movsx ecx,
byte ptr ds:[
edx+
eax+3E]
00403CD2 |. 034D E4 ||
add ecx,
dword ptr ss:[
ebp-1C]
00403CD5 |. 83C1 E1 ||
add ecx,-1F
00403CD8 |. 81F9 90010000 ||
cmp ecx,190
00403CDE |.^ 0F8C 79FFFFFF |\jl sxds.00403C5D
00403CE4 |. FF45 C4 |
inc dword ptr ss:[
ebp-3C]
00403CE7 |. 837D C4 32 |
cmp dword ptr ss:[
ebp-3C],32
00403CEB |.^ 0F8C 65FFFFFF \jl sxds.00403C56
00403CF1 |> 33C0
xor eax,
eax ; EAX = 0
00403CF3 |. 8945 B8
mov dword ptr ss:[
ebp-48],
eax
00403CF6 |> 8B55 B8
mov edx,
dword ptr ss:[
ebp-48] //this loop emits the real code
00403CF9 |. 8B4D 08
mov ecx,
dword ptr ss:[
ebp+8]
00403CFC |. 8A4411 7B
mov al,
byte ptr ds:[
ecx+
edx+7B]
; AL = byte at [ecx+edx+7B]
00403D00 |. 8B55 B8
mov edx,
dword ptr ss:[
ebp-48]
00403D03 |. 8B4D 08
mov ecx,
dword ptr ss:[
ebp+8]
00403D06 |. 884411 70
mov byte ptr ds:[
ecx+
edx+70],
al ; [ecx+edx+70] = AL
00403D0A |. FF45 B8
inc dword ptr ss:[
ebp-48]
; [ebp-48] += 1
00403D0D |. 837D B8 0A
cmp dword ptr ss:[
ebp-48],0A
; compare with 0A
00403D11 |.^ 7C E3
jl short sxds.00403CF6
; if less, jump back to 00403CF6 and continue
00403D13 |. 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00403D16 |. C640 7A 00
mov byte ptr ds:[
eax+7A],0
00403D1A |. 8BE5
mov esp,
ebp
00403D1C |. 5D
pop ebp
00403D1D \. C3
retn
******************************************************************************************** *************************************************************
跟进004053F0 处CALL来到:
; sxds.00473534 -- equality helper called from 004053F0.
; In:  EAX = address of the slot holding the entered code,
;      EDX = address of the slot holding the computed code
;      (each is dereferenced once below before the compare call)
; Out: EAX = 1 when sxds.00428388 returns with ZF set (values equal), else 0
; EBX is saved and restored but not otherwise used in the visible code.
; NOTE(review): both operands are plain values held in process memory, so the
; expected code sits next to the user's input at this point. A license check that
; verifies a signature against an embedded public key, or validates on a server,
; does not need to materialise the expected value on the client.
00473534 /$ 55
push ebp
00473535 |. 8BEC
mov ebp,
esp
00473537 |. 53
push ebx
00473538 |. 8B00
mov eax,
dword ptr ds:[
eax]
; EAX = the entered (trial) code
0047353A |. 8B12
mov edx,
dword ptr ds:[
edx]
; EDX = the real code N obtained from the computation
0047353C |. E8 474EFBFF
call sxds.00428388
; comparison call
00473541 |. 0F94C0
sete al ; AL is true when the entered code is correct
00473544 |. 83E0 01
and eax,1
; EAX = EAX AND 1
00473547 |. 5B
pop ebx
00473548 |. 5D
pop ebp
00473549 \. C3
retn //return
--------------------------------------------------------------------------------
【破解总结】
这个软件的注册过程是通过对用户名和字符串mhds进行计算完成的,二者的计算都用到了一个字符串: ThislicenseappliestoanysoftwarecontaininganoticeplacedbythecopyrightholdersayingthatitmaybedistributedunderthetermsoftheQtNon-CommercialLicenseversion1.0.SuchsoftwareishereinreferredtoastheSoftware.ThislicensecoversdistributionoftheSoftw 程序在本地算出正确的注册码后,与输入值直接做明文比较(见 00473534);从保护设计的角度看,这正是此类纯本地校验的薄弱之处。
具体怎么搞就不说了,时间晚了要睡觉了,哎!!!天都要亮了!!
注册名:yijun
注册码:w'r6ttfron
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!