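Windows系统切换工具 (Windows System Switching Tool): Algorithm Analysis + Keygen
Source: Internet  Editor: 程序博客网  Time: 2024/05/01 03:56
Download: http://www4.skycn.com/soft/8306.html
Windows系统切换工具 V1.09.1208
Size: 1312 KB
Language: Simplified Chinese
Category: Chinese software / Shareware / System (other)
Platform: Win9x/NT/2000/XP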
Date added: 2002-12-10 10:07:34
Downloads: 11796
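Contact: easunlee@21cn.com
Developer: http://easunlee.diy.163.com/
Description:
Easun Studio's Windows System Switching Tool is good news for users who have several Windows systems installed. You may know the feeling: for work you have installed several copies of Windows (for example Chinese Win98, English Win98 and Win2000), but switching between them is a real pain. Windows 2000 does provide a boot menu, but multiple Win95/98/Me installations have no such menu to choose from, so you are left switching with batch files under DOS. There are plenty of multi-system switching tools online, but almost all of them work by replacing the boot sector with their own module, and all of them make you choose the system under DOS (a character interface), which is both troublesome and unsafe, and complicated to operate. Could there be a system switching tool that is friendly, safe and convenient, and that is operated from within the Windows interface? That is exactly why Lu Yang (路杨) developed this software. It has a clean, attractive interface, is easy to pick up, does not overwrite the boot sector with its own module, is safe and reliable, and runs under Windows95/98/Me/2000/Xp, letting you leave DOS and character interfaces behind for good! The software also has functions for configuring the system and restoring IE settings, though these are of course extras.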
=========================================================================================
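A couple of days ago I made a mess of boot.ini on my machine, so I downloaded this thing to tidy it up and cracked it while I was at it. It was quite simple; ones like this are hard to find nowadays.
First I checked it: packed with AsPack. After unpacking, it turned out to be my favourite, VC :D, and the following was easy to find:
Code: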
:0040715B 50                      push eax

* Possible StringData Ref from Data Obj ->"%s"
                                  |
:0040715C 68A4A24100              push 0041A2A4
:00407161 51                      push ecx

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
                                  |
:00407162 E8B5970000              Call 0041091C                   ; this CALL is GetWindowText (things written with MFC are easy to understand in IDA)
:00407167 8B542420                mov edx, dword ptr [esp+20]
:0040716B 83C40C                  add esp, 0000000C
:0040716E 8B42F8                  mov eax, dword ptr [edx-08]
:00407171 85C0                    test eax, eax                   ; the user name length must not be 0
:00407173 750E                    jne 00407183
..........
:004071AA 50                      push eax

* Possible StringData Ref from Data Obj ->"%s"
                                  |
:004071AB 68A4A24100              push 0041A2A4
:004071B0 51                      push ecx

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
                                  |
:004071B1 E866970000              Call 0041091C                   ; GetWindowText, gets the registration name
:004071B6 8B4C241C                mov ecx, dword ptr [esp+1C]
:004071BA BB03000000              mov ebx, 00000003               ; EBX=3
:004071BF 83C40C                  add esp, 0000000C
:004071C2 8B41F8                  mov eax, dword ptr [ecx-08]
:004071C5 3BC3                    cmp eax, ebx
:004071C7 7D0E                    jge 004071D7                    ; the registration name length must be at least 3
:004071C9 6AFF                    push FFFFFFFF
:004071CB 6A00                    push 00000000
:004071CD 6833F00000              push 0000F033
:004071D2 E997020000              jmp 0040746E                    ; otherwise you are in for it

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004071C7(C)
|

* Reference To: MSVCRT._mbsicmp, Ord:015Fh
                                  |
:004071D7 8B3580444100            mov esi, dword ptr [00414480]

* Possible StringData Ref from Data Obj ->"白山破解网"           ; blacklist
                                  |
:004071DD 6898A64100              push 0041A698
:004071E2 51                      push ecx
:004071E3 FFD6                    call esi
:004071E5 83C408                  add esp, 00000008
:004071E8 85C0                    test eax, eax
:004071EA 0F8475020000            je 00407465
:004071F0 8B542410                mov edx, dword ptr [esp+10]

* Possible StringData Ref from Data Obj ->"Zhenlong[BCG]"        ; a fellow from BCG made it onto the blacklist :D
                                  |
:004071F4 6888A64100              push 0041A688
:004071F9 52                      push edx
:004071FA FFD6                    call esi
:004071FC 83C408                  add esp, 00000008
:004071FF 85C0                    test eax, eax
:00407201 0F845E020000            je 00407465
:00407207 6A01                    push 00000001
:00407209 6A00                    push 00000000
:0040720B 6874040000              push 00000474
:00407210 8BCD                    mov ecx, ebp

* Reference To: MFC42.Ordinal:0C17, Ord:0C17h
                                  |
:00407212 E811970000              Call 00410928
:00407217 8BF0                    mov esi, eax
:00407219 8D442410                lea eax, dword ptr [esp+10]
:0040721D 56                      push esi
:0040721E 51                      push ecx
:0040721F 8BCC                    mov ecx, esp
:00407221 89642420                mov dword ptr [esp+20], esp
:00407225 50                      push eax

* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00407226 E847980000              Call 00410A72
:0040722B 8BCD                    mov ecx, ebp
:0040722D E80E030000              call 00407540                   ; this CALL is suspicious
:00407232 85C0                    test eax, eax
:00407234 0F842B020000            je 00407465                     ; the key jump: if it is taken, it is all over

Stepping into the CALL above:

* Referenced by a CALL at Address:
|:0040722D
|
:00407540 6AFF                    push FFFFFFFF
:00407542 68581D4100              push 00411D58
:00407547 64A100000000            mov eax, dword ptr fs:[00000000]
:0040754D 50                      push eax
:0040754E 64892500000000          mov dword ptr fs:[00000000], esp
:00407555 83EC10                  sub esp, 00000010
:00407558 53                      push ebx
:00407559 55                      push ebp
:0040755A 56                      push esi
:0040755B 57                      push edi
:0040755C 8BF9                    mov edi, ecx
:0040755E 51                      push ecx
:0040755F 8D442434                lea eax, dword ptr [esp+34]
:00407563 8BCC                    mov ecx, esp
:00407565 8964241C                mov dword ptr [esp+1C], esp
:00407569 50                      push eax
:0040756A C744243000000000        mov [esp+30], 00000000

* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00407572 E8FB940000              Call 00410A72
:00407577 8BCF                    mov ecx, edi                    ; here "D *EAX" shows the entered registration name, which is the argument of the CALL
:00407579 E822010000              call 004076A0                   ; this CALL is important and appears many times below (analysed further down)
:0040757E 8BF0                    mov esi, eax                    ; EAX is the return value, saved in ESI
:00407580 85F6                    test esi, esi
:00407582 0F84F0000000            je 00407678
:00407588 51                      push ecx
:00407589 8BCC                    mov ecx, esp
:0040758B 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"EasunLee"
                                  |
:0040758F 68F4A64100              push 0041A6F4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:00407594 E8BF930000              Call 00410958
:00407599 8BCF                    mov ecx, edi
:0040759B E800010000              call 004076A0                   ; the same calculation on the string "EasunLee"
:004075A0 51                      push ecx
:004075A1 8BD8                    mov ebx, eax                    ; result 1 goes into EBX
:004075A3 8BCC                    mov ecx, esp
:004075A5 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"EasunLee"
                                  |
:004075A9 68F4A64100              push 0041A6F4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:004075AE E8A5930000              Call 00410958
:004075B3 8BCF                    mov ecx, edi
:004075B5 E8E6000000              call 004076A0
:004075BA 51                      push ecx
:004075BB 8BE8                    mov ebp, eax                    ; result 1 goes into EBP
:004075BD 8BCC                    mov ecx, esp
:004075BF 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"easunlee98meiosys"
                                  |
:004075C3 68E0A64100              push 0041A6E0

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:004075C8 E88B930000              Call 00410958
:004075CD 8BCF                    mov ecx, edi
:004075CF E8CC000000              call 004076A0                   ; the same calculation on the string "easunlee98meiosys"
:004075D4 51                      push ecx
:004075D5 89442418                mov dword ptr [esp+18], eax     ; result 2 is at [ESP+18]
:004075D9 8BCC                    mov ecx, esp
:004075DB 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"Luyanghs&&Tsai&&bluebird"
                                  |
:004075DF 68C4A64100              push 0041A6C4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:004075E4 E86F930000              Call 00410958
:004075E9 8BCF                    mov ecx, edi
:004075EB E8B0000000              call 004076A0                   ; the string "Luyanghs&&Tsai&&bluebird"
:004075F0 51                      push ecx
:004075F1 89442414                mov dword ptr [esp+14], eax     ; result 3 is at [ESP+14]
:004075F5 8BCC                    mov ecx, esp
:004075F7 8964241C                mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"heshengwssu1091119"
                                  |
:004075FB 68B0A64100              push 0041A6B0

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:00407600 E853930000              Call 00410958
:00407605 8BCF                    mov ecx, edi
:00407607 E894000000              call 004076A0                   ; the string "heshengwssu1091119"
:0040760C 51                      push ecx
:0040760D 8944241C                mov dword ptr [esp+1C], eax     ; result 4 is at [ESP+1C]
:00407611 8BCC                    mov ecx, esp
:00407613 89642420                mov dword ptr [esp+20], esp

* Possible StringData Ref from Data Obj ->"200970878"
                                  |
:00407617 68A4A64100              push 0041A6A4

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:0040761C E837930000              Call 00410958
:00407621 8BCF                    mov ecx, edi
:00407623 E878000000              call 004076A0                   ; the same calculation on the string "200970878"; result 5 is in EAX
:00407628 81F678EE0220            xor esi, 2002EE78               ; ESI is the value computed from the registration name; XOR it with 2002EE78
:0040762E 8B7C2414                mov edi, dword ptr [esp+14]     ; load result 2 into EDI
:00407632 81EE21050E20            sub esi, 200E0521               ; then subtract 200E0521
:00407638 8B542418                mov edx, dword ptr [esp+18]     ; load result 4 into EDX
:0040763C 81F678563472            xor esi, 72345678               ; then XOR with 72345678
:00407642 81EE88F76877            sub esi, 7768F788               ; then subtract 7768F788
:00407648 33F3                    xor esi, ebx                    ; then XOR with result 1
:0040764A 8B5C2410                mov ebx, dword ptr [esp+10]     ; load result 3 into EBX
:0040764E 03F5                    add esi, ebp                    ; then add result 1
:00407650 33F3                    xor esi, ebx                    ; XOR with result 3
:00407652 33F7                    xor esi, edi                    ; XOR with result 2
:00407654 2BF2                    sub esi, edx                    ; subtract result 4
:00407656 03F0                    add esi, eax                    ; add result 5
:00407658 8B442434                mov eax, dword ptr [esp+34]     ; EAX is the numeric value of the registration code we entered
:0040765C 3BF0                    cmp esi, eax                    ; the result of all the arithmetic above must equal the entered registration code
:0040765E 7518                    jne 00407678                    ; jump if they differ
:00407660 8D4C2430                lea ecx, dword ptr [esp+30]
:00407664 C7442428FFFFFFFF        mov [esp+28], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:0040766C E899920000              Call 0041090A
:00407671 B801000000              mov eax, 00000001               ; if they are equal we arrive here with EAX=1: success
:00407676 EB13                    jmp 0040768B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407582(C), :0040765E(C)
|
:00407678 8D4C2430                lea ecx, dword ptr [esp+30]
:0040767C C7442428FFFFFFFF        mov [esp+28], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00407684 E881920000              Call 0041090A
:00407689 33C0                    xor eax, eax                    ; if they differ, EAX is zeroed here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407676(U)
|
:0040768B 8B4C2420                mov ecx, dword ptr [esp+20]
:0040768F 5F                      pop edi
:00407690 5E                      pop esi
:00407691 5D                      pop ebp
:00407692 64890D00000000          mov dword ptr fs:[00000000], ecx
:00407699 5B                      pop ebx
:0040769A 83C41C                  add esp, 0000001C
:0040769D C20800                  ret 0008

The CALL that is used repeatedly:

* Referenced by a CALL at Addresses:
|:00407579 , :0040759B , :004075B5 , :004075CF , :004075EB
|:00407607 , :00407623
|
:004076A0 64A100000000            mov eax, dword ptr fs:[00000000]
:004076A6 6AFF                    push FFFFFFFF
:004076A8 68781D4100              push 00411D78
:004076AD 50                      push eax
:004076AE 64892500000000          mov dword ptr fs:[00000000], esp
:004076B5 56                      push esi
:004076B6 57                      push edi
:004076B7 8B7C2418                mov edi, dword ptr [esp+18]
:004076BB 8B57F8                  mov edx, dword ptr [edi-08]
:004076BE 83FA03                  cmp edx, 00000003
:004076C1 7D26                    jge 004076E9                    ; the string length must be at least 3
:004076C3 8D4C2418                lea ecx, dword ptr [esp+18]
:004076C7 C7442410FFFFFFFF        mov [esp+10], FFFFFFFF
............

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076C1(C)
|
:004076E9 33F6                    xor esi, esi
:004076EB 33C9                    xor ecx, ecx
:004076ED 85D2                    test edx, edx
:004076EF 7E0D                    jle 004076FE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076FC(C)
|
:004076F1 0FBE0439                movsx eax, byte ptr [ecx+edi]   ; loop: fetch each character in turn
:004076F5 D3E0                    shl eax, cl                     ; ECX is the loop variable i; the character is shifted left by i bits
:004076F7 03F0                    add esi, eax                    ; accumulate
:004076F9 41                      inc ecx
:004076FA 3BCA                    cmp ecx, edx                    ; compare ECX with the string length
:004076FC 7CF3                    jl 004076F1                     ; loop for the next character

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076EF(C)
|
:004076FE 8D4C2418                lea ecx, dword ptr [esp+18]
:00407702 C7442410FFFFFFFF        mov [esp+10], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:0040770A E8FB910000              Call 0041090A
:0040770F 8B4C2408                mov ecx, dword ptr [esp+08]
:00407713 8BC6                    mov eax, esi                    ; the accumulated sum goes into EAX as the return value
:00407715 5F                      pop edi
:00407716 64890D00000000          mov dword ptr fs:[00000000], ecx
:0040771D 5E                      pop esi
:0040771E 83C40C                  add esp, 0000000C
:00407721 C20400                  ret 0004
To sum up: let F() be the calculation performed by the CALL above.
Then registration code = (((F(user name) XOR 2002EE78 - 200E0521) XOR 72345678 - 7768F788) XOR F("EasunLee") + F("EasunLee")) XOR F("Luyanghs&&Tsai&&bluebird") XOR F("easunlee98meiosys") - F("heshengwssu1091119") + F("200970878")
Keygen:
Code:
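#include <cstdint>
#include <iostream>
#include <string>

// F(): the routine at 004076A0. Each byte is sign-extended (movsx),
// shifted left by its index (shl eax, cl only uses the low 5 bits of CL)
// and added to a sum that wraps at 32 bits.
uint32_t F(const std::string &st)
{
    uint32_t s = 0;
    for (std::size_t i = 0; i < st.size(); i++)
        s += static_cast<uint32_t>(static_cast<signed char>(st[i])) << (i & 31);
    return s;
}

int main()
{
    std::string name;   // std::string instead of char[20]: no overflow on long input
    std::cout << "Please input your name : ";
    std::cin >> name;
    uint32_t code = F(name);
    code = (code ^ 0x2002EE78) - 0x200E0521;
    code = (code ^ 0x72345678) - 0x7768F788;
    code = (code ^ F("EasunLee")) + F("EasunLee");
    code = code ^ F("Luyanghs&&Tsai&&bluebird") ^ F("easunlee98meiosys");
    code = code - F("heshengwssu1091119") + F("200970878");
    // Printed as a signed 32-bit decimal, as in the original program.
    std::cout << "Your serial number is " << static_cast<int32_t>(code) << std::endl;
    return 0;
}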