書香XX 算法分析 + 無註冊機

psac · 2003-12-12, 01:00 PM

書香門第 V1.30 Build 1732

軟體大小： 720 KB
軟體語言：簡體中文
軟體類別：大陸開發軟體 / 共享版 / 電子閱讀
套用平台： Win9x/NT/2000/XP
界面預覽：
加入時間： 2003-09-30 09:47:24
下載次數： 12748
推薦等級： ***

聯系人： gentlebreeze@vip.163.com
開發商： http://www.gentle-breeze.com/

軟體介紹：
《書香門第》是一款適合於真正讀書迷的電子小說、文本閱讀軟體，它外表並不花哨，但對於長時間、大量閱讀的讀書迷，卻最舒適、體貼、細緻，因為它具有十二個鮮明特點：1．多達27種各種質感的視窗背景、頁面背景可供選項，總共超過700種背景組合，為讀書迷提供最高舒適度和最大程度的視力保護。2．強大、智能化的自動排版功能，並可以隨意設定字體大小、顏色、行距、標題行。3．極其高速的排版速度：目前主流電腦上排版速度超過一萬頁/秒，所以通常你根本無法感覺到排版程序。
4．高速的DirectDraw圖形引擎，翻頁尋跡流暢自如。5．附帶的html轉換、合成工具能夠迅速依次將一批html文件轉換且合併為一個大的文本文件，方便閱讀。6．寬廣的平台適用性：從486/win95到最新P4/XP都能從容應對。7．體貼的左手鍵操作，使你從此擺脫長期右手操作滑鼠、鍵盤帶來的疲勞。8．與頁面字數成正比的自動翻頁間隔，自然優於呆板的類BIOS翻頁間隔。9．可以選項使用視窗模式（尋跡方便）或全螢幕幕模式（閱讀效果更好）。10．全書遍歷/測試功能，保護你的電腦，節約能源。11．搜尋功能方便讀者在書中搜尋。12．具有強於word和IE的漢字亂碼糾錯功能。

下載位址: http://www.skycn.com/soft/9090.html

輸入一個EMAIL和一個註冊碼(必須是24位,見下),用一般方法很容易找到這裡:

:00403A3B 6A20 push 00000020
:00403A3D 57 push edi <--輸入的EMAIL
:00403A3E 8BCD mov ecx, ebp
:00403A40 E881770100 call 0041B1C6 <--得到長度
:00403A45 8D9E00010000 lea ebx, dword ptr [esi+00000100]
:00403A4B 6A20 push 00000020
:00403A4D 68202C4500 push 00452C20 <--假碼
:00403A52 8BCB mov ecx, ebx
:00403A54 A300204500 mov dword ptr [00452000], eax <--先把EMAIL長度存起來
:00403A59 E868770100 call 0041B1C6 <--得到長度
:00403A5E 83F818 cmp eax, 00000018
:00403A61 0F85C0000000 jne 00403B27 <--長度必須為18h
:00403A67 A100204500 mov eax, dword ptr [00452000] <--讀出EMAIL長度
:00403A6C 83F804 cmp eax, 00000004
:00403A6F 0F8CB2000000 jl 00403B27 <--EMAIL長度不小於4
:00403A75 8364241000 and dword ptr [esp+10], 00000000
:00403A7A EB05 jmp 00403A81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A9F(C)
|
:00403A7C A100204500 mov eax, dword ptr [00452000]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A7A(U)
|
:00403A81 50 push eax
:00403A82 0FAF442414 imul eax, dword ptr [esp+14]
:00403A87 05402C4500 add eax, 00452C40
:00403A8C 57 push edi
:00403A8D 50 push eax
:00403A8E E8BD570000 call 00409250 <--把[EDI]處的記憶體寫入[eax]
:00403A93 83C40C add esp, 0000000C
:00403A96 FF442410 inc [esp+10]
:00403A9A 837C241040 cmp dword ptr [esp+10], 00000040
:00403A9F 7CDB jl 00403A7C <--把EMAIL重寫40次??作者在和我兜圈子?
:00403AA1 BF20244500 mov edi, 00452420

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403ABF(C)
|
:00403AA6 6A20 push 00000020
:00403AA8 68202C4500 push 00452C20
:00403AAD 57 push edi
:00403AAE E89D570000 call 00409250
:00403AB3 83C720 add edi, 00000020
:00403AB6 83C40C add esp, 0000000C
:00403AB9 81FF202C4500 cmp edi, 00452C20
:00403ABF 7CE5 jl 00403AA6 <--又把假碼重寫40次 *_*
:00403AC1 33FF xor edi, edi
:00403AC3 57 push edi
:00403AC4 57 push edi
:00403AC5 6801150000 push 00001501
:00403ACA FF761C push [esi+1C]

* Reference To: USER32.SendMessageA, Ord:0214h
|
:00403ACD FF15F0544200 Call dword ptr [004254F0]
:00403AD3 80BEC000000000 cmp byte ptr [esi+000000C0], 00 <--重要標誌
:00403ADA 742F je 00403B0B <--這裡修改為JNE就成功了

* Possible StringData Ref from Data Obj ->" --------- 祝賀你！ ---------- "
->"

你已經成為了《書香門第》註冊用戶！"
|
:00403ADC 6828D74200 push 0042D728
:00403AE1 893DC83E4500 mov dword ptr [00453EC8], edi
:00403AE7 E8AC220000 call 00405D98

看上去似乎沒什麼時候難的,很傳統的判斷,一個CALL,然後CMP,JE,可是跟進CALL一看,卻是系統的USER32.DLL,
百思不得其解,其它地方也找不到什麼判斷.怎麼辦呢??考慮N分鐘後決定用BPM試一下.不是比較[ESI+C0]處是否為0嗎,如果判斷註冊的話肯定要像這裡寫上0或者其它什麼東西.我們就看看程序什麼時候在這裡寫了東西.

下指令: BPM ESI+C0 中斷在下面:

:00403B4D 817C240401150000 cmp dword ptr [esp+04], 00001501
:00403B55 56 push esi
:00403B56 8BF1 mov esi, ecx
:00403B58 750B jne 00403B65
:00403B5A E81D000000 call 00403B7C <--很明顯是關鍵的CALL
:00403B5F 8886C0000000 mov byte ptr [esi+000000C0], al <--呵呵,中斷在這裡

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B58(C)
|
:00403B65 FF742410 push [esp+10]
:00403B69 8BCE mov ecx, esi
:00403B6B FF742410 push [esp+10]
:00403B6F FF742410 push [esp+10]
:00403B73 E8B7540100 call 0041902F
:00403B78 5E pop esi
:00403B79 C20C00 ret 000C

跟進403B5A處的關鍵CALL:

* Referenced by a CALL at Addresses:
|:004017E2 , :00402135 , :004030B9 , :00403B5A , :00404DA0
|
:00403B7C 55 push ebp
:00403B7D 8BEC mov ebp, esp
:00403B7F 81EC00010000 sub esp, 00000100
:00403B85 56 push esi
:00403B86 6A20 push 00000020
:00403B88 E8DE5B0000 call 0040976B
:00403B8D 6A40 push 00000040
:00403B8F BE20234500 mov esi, 00452320
:00403B94 99 cdq
:00403B95 59 pop ecx
:00403B96 F7F9 idiv ecx
:00403B98 C1E205 shl edx, 05
:00403B9B 81C220244500 add edx, 00452420
:00403BA1 52 push edx
:00403BA2 56 push esi
:00403BA3 E8A8560000 call 00409250
:00403BA8 68FF000000 push 000000FF
:00403BAD 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:00403BB3 6A00 push 00000000
:00403BB5 50 push eax
:00403BB6 E8555A0000 call 00409610
:00403BBB 83C418 add esp, 00000018
:00403BBE FF3500204500 push dword ptr [00452000]
:00403BC4 E8A25B0000 call 0040976B
:00403BC9 6A40 push 00000040
:00403BCB 99 cdq
:00403BCC 59 pop ecx
:00403BCD F7F9 idiv ecx
:00403BCF 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:00403BD5 0FAF1500204500 imul edx, dword ptr [00452000]
:00403BDC 81C2402C4500 add edx, 00452C40
:00403BE2 52 push edx
:00403BE3 50 push eax
:00403BE4 E867560000 call 00409250
:00403BE9 6A0C push 0000000C
:00403BEB 56 push esi
:00403BEC 68A0224500 push 004522A0
:00403BF1 E85A560000 call 00409250
:00403BF6 6A0C push 0000000C
:00403BF8 682C234500 push 0045232C
:00403BFD 6820224500 push 00452220
:00403C02 E849560000 call 00409250
:00403C07 A100204500 mov eax, dword ptr [00452000]
:00403C0C 80252C22450000 and byte ptr [0045222C], 00
:00403C13 8025AC22450000 and byte ptr [004522AC], 00
:00403C1A 83C424 add esp, 00000024
:00403C1D 33D2 xor edx, edx
:00403C1F 85C0 test eax, eax
:00403C21 7E2E jle 00403C51
:00403C23 53 push ebx
:00403C24 57 push edi
:00403C25 8D58FF lea ebx, dword ptr [eax-01]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C4D(C)
|
:00403C28 8DBC1500FFFFFF lea edi, dword ptr [ebp+edx-00000100]
:00403C2F 8A0F mov cl, byte ptr [edi] <-依次取EMAIL的字串
:00403C31 80F940 cmp cl, 40
:00403C34 7405 je 00403C3B <--是否為'@'
:00403C36 80F92E cmp cl, 2E
:00403C39 750F jne 00403C4A<--是否為'.'

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C34(C)
|
:00403C3B 3BD3 cmp edx, ebx
:00403C3D 7D09 jge 00403C48
:00403C3F 8BCB mov ecx, ebx
:00403C41 8D7701 lea esi, dword ptr [edi+01]
:00403C44 2BCA sub ecx, edx
:00403C46 F3 repz
:00403C47 A4 movsb

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C3D(C)
|
:00403C48 48 dec eax
:00403C49 4B dec ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C39(C)
|
:00403C4A 42 inc edx
:00403C4B 3BD0 cmp edx, eax
:00403C4D 7CD9 jl 00403C28 <--上面的一段是對EMAIL的處理,去掉@,在後面補齊等
:00403C4F 5F pop edi
:00403C50 5B pop ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C21(C)
|
:00403C51 83F80C cmp eax, 0000000C
:00403C54 5E pop esi
:00403C55 7D18 jge 00403C6F
:00403C57 6A0C push 0000000C
:00403C59 59 pop ecx
:00403C5A 2BC8 sub ecx, eax
:00403C5C 8D840500FFFFFF lea eax, dword ptr [ebp+eax-00000100]
:00403C63 51 push ecx
:00403C64 6A30 push 00000030
:00403C66 50 push eax
:00403C67 E8A4590000 call 00409610
:00403C6C 83C40C add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C55(C)
|
:00403C6F 80A50CFFFFFF00 and byte ptr [ebp+FFFFFF0C], 00
:00403C76 E847000000 call 00403CC2 <--關鍵的CALL
:00403C7B 6A0C push 0000000C
:00403C7D 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:00403C83 68A0234500 push 004523A0
:00403C88 50 push eax
:00403C89 E8D2600000 call 00409D60 <--這裡就是比較了
:00403C8E 83C40C add esp, 0000000C
:00403C91 85C0 test eax, eax
:00403C93 751B jne 00403CB0
:00403C95 2005FB1C4500 and byte ptr [00451CFB], al
:00403C9B 2005FA1C4500 and byte ptr [00451CFA], al
:00403CA1 2005F91C4500 and byte ptr [00451CF9], al
:00403CA7 2005F81C4500 and byte ptr [00451CF8], al
:00403CAD 40 inc eax
:00403CAE C9 leave
:00403CAF C3 ret

進入403C89處的CALL:

* Referenced by a CALL at Addresses:
|:00403C76 , :004044A5
|
:00403CC2 6A0C push 0000000C
:00403CC4 E802000000 call 00403CCB <--進入
:00403CC9 59 pop ecx
:00403CCA C3 ret

* Referenced by a CALL at Address:
|:00403CC4
|
:00403CCB 56 push esi
:00403CCC 8B742408 mov esi, dword ptr [esp+08]
:00403CD0 33C9 xor ecx, ecx
:00403CD2 57 push edi
:00403CD3 85F6 test esi, esi
:00403CD5 7E20 jle 00403CF7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403CF5(C) <--第一處循環計算
|
:00403CD7 8D0431 lea eax, dword ptr [ecx+esi]
:00403CDA 6A09 push 00000009
:00403CDC 99 cdq
:00403CDD 5F pop edi
:00403CDE F7FF idiv edi
:00403CE0 B008 mov al, 08
:00403CE2 2AC2 sub al, dl
:00403CE4 88144D20234500 mov byte ptr [2*ecx+00452320], dl
:00403CEB 88044D21234500 mov byte ptr [2*ecx+00452321], al
:00403CF2 41 inc ecx
:00403CF3 3BCE cmp ecx, esi
:00403CF5 7CE0 jl 00403CD7 <--上面的計算挺熱鬧,但結果都是常數,所以只要知道結果就行了

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403CD5(C)
|
:00403CF7 8024752023450000 and byte ptr [2*esi+00452320], 00
:00403CFF 53 push ebx
:00403D00 55 push ebp
:00403D01 8DBE20234500 lea edi, dword ptr [esi+00452320]
:00403D07 56 push esi
:00403D08 BD20214500 mov ebp, 00452120
:00403D0D 57 push edi
:00403D0E 55 push ebp
:00403D0F E83C550000 call 00409250
:00403D14 BB20234500 mov ebx, 00452320
:00403D19 56 push esi
:00403D1A 53 push ebx
:00403D1B 57 push edi
:00403D1C E82F550000 call 00409250
:00403D21 56 push esi
:00403D22 55 push ebp
:00403D23 53 push ebx
:00403D24 E827550000 call 00409250 <--頻繁使用這個CALL(上面提到過),目的是把上面的計算結果前半段和後半段對調一下
:00403D29 83C424 add esp, 00000024
:00403D2C 33DB xor ebx, ebx
:00403D2E 85F6 test esi, esi
:00403D30 7E51 jle 00403D83

計算至此後記憶體中的情況:[00452320]
__________________________________________________________________

016F:00452320 00 08 01 07 02 06 03 05-04 04 05 03 03 05 04 04
016F:00452330 05 03 06 02 07 01 08 00-00 00 00 00 00 00 00 00
__________________________________________________________________

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D81(C) <--第二處循環計算
|
:00403D32 8AC3 mov al, bl
:00403D34 8A8BA0224500 mov cl, byte ptr [ebx+004522A0] <-依次取出假碼前半段的字串ch1
:00403D3A FEC0 inc al
:00403D3C 8A9320224500 mov dl, byte ptr [ebx+00452220] <-依次取出假碼後半段的字串ch2
:00403D42 F6EB imul bl <-ch1=ch1*循環變數N (由０遞增)
:00403D44 8D3C1B lea edi, dword ptr [ebx+ebx]
:00403D47 FEC0 inc al
:00403D49 240F and al, 0F
:00403D4B 2A8F20234500 sub cl, byte ptr [edi+00452320]<-ch1=ch1-從[452320]處依次取的值
:00403D51 2A9721234500 sub dl, byte ptr [edi+00452321]<-ch2=ch2-從[452320]處倣傚取的值
:00403D57 A218214500 mov byte ptr [00452118], al
:00403D5C 80E941 sub cl, 41 <-ch1=ch1-41
:00403D5F 80EA41 sub dl, 41 <-ch2=ch2-41
:00403D62 32C8 xor cl, al <-ch1=ch1 xor 循環變數N
:00403D64 32D0 xor dl, al <-ch2=ch2 xor 循環變數N
:00403D66 888BA0224500 mov byte ptr [ebx+004522A0], cl
:00403D6C 889320224500 mov byte ptr [ebx+00452220], dl <-把結果寫在[4522A0]
:00403D72 43 inc ebx
:00403D73 888F20214500 mov byte ptr [edi+00452120], cl
:00403D79 3BDE cmp ebx, esi
:00403D7B 889721214500 mov byte ptr [edi+00452121], dl <-再寫在[452120]
:00403D81 7CAF jl 00403D32

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D30(C)
|
:00403D83 56 pus
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D30(C)
|
:00403D83 56 push esi
:00403D84 55 push ebp
:00403D85 6820224500 push 00452220
:00403D8A E8C1540000 call 00409250
:00403D8F 8DBE20214500 lea edi, dword ptr [esi+00452120]
:00403D95 56 push esi
:00403D96 BBA0224500 mov ebx, 004522A0
:00403D9B 57 push edi
:00403D9C 53 push ebx
:00403D9D E8AE540000 call 00409250
:00403DA2 56 push esi
:00403DA3 53 push ebx
:00403DA4 55 push ebp
:00403DA5 E8A6540000 call 00409250
:00403DAA 56 push esi
:00403DAB 6820224500 push 00452220
:00403DB0 57 push edi
:00403DB1 E89A540000 call 00409250 <--又是同樣的方法把前半段ch1和後半段ch2再調換
:00403DB6 83C430 add esp, 00000030
:00403DB9 33C0 xor eax, eax
:00403DBB 85F6 test esi, esi
:00403DBD 5D pop ebp
:00403DBE 5B pop ebx
:00403DBF 7E1C jle 00403DDD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403DDB(C) <--第三處循環計算
|
:00403DC1 8A0C4521214500 mov cl, byte ptr [2*eax+00452121] <--從[452120]處每次取兩個值
:00403DC8 C0E104 shl cl, 04 即第二次計算的結果,把後一值
:00403DCB 0A0C4520214500 or cl, byte ptr [2*eax+00452120] 左移四位後與前值進行OR運算,
:00403DD2 40 inc eax 結果寫在[4523A0]
:00403DD3 3BC6 cmp eax, esi
:00403DD5 88889F234500 mov byte ptr [eax+0045239F], cl
:00403DDB 7CE4 jl 00403DC1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403DBF(C)
|
:00403DDD 80A6A023450000 and byte ptr [esi+004523A0], 00
:00403DE4 5F pop edi
:00403DE5 5E pop esi
:00403DE6 C3 ret

進行比較的那個CALL我就不寫了(因為這篇文章太長了),但它好像只比較前四位,也就是說只要你的EMAIL前四位與[4523A0]處的結果一致就可以.可我隨意填的假碼經反算後根本不是可顯示字串,要想寫出註冊機必須把算法逆回去,我想了好半天也不知道這個算法怎樣逆運算,看著清清楚楚的程式碼就是寫不出註冊機,痛苦中.....

哪位大哥幫我分析一下,我的數學太爛了...
程序判斷註冊的思路:

1.先將EMAIL中的'@','.'字串去掉,如果小於12個字串就在後面補'0'.然後把前六位和後六位顛倒過來.

2.取註冊碼(24位)按下表計算: (假設輸入的是ABCDEFGHIJKLMNOPQRSTUVWX)

+----+---+---+---+---+---+---+---+---+---+---+---+---+
|假碼| A | B | C | D | E | F | G | H | I | J | K | L |
|Num | 0 | 1 | 2 | 3 | 4 | 5 | 3 | 4 | 5 | 6 | 7 | 8 |
+----+---+---+---+---+---+---+---+---+---+---+---+---+
|假碼| M | N | O | P | Q | R | S | T | U | V | W | X |
|Num | 8 | 7 | 6 | 5 | 4 | 3 | 5 | 4 | 3 | 2 | 1 | 0 |
+----+---+---+---+---+---+---+---+---+---+---+---+---+
|Nxor| 1 | 3 | 7 | D | 5 | F | B | 9 | 9 | B | F | 5 |
+----+---+---+---+---+---+---+---+---+---+---+---+---+

其中第N列的Nxor值計算方法是((N-1)*N+1) mod 10h

判斷時將每列上一格裡的(註冊碼-Num-41h) xor 該格對應列的Nxor值,記結果為S1,用同樣方法算出該列下一格的值S2,計算(S2 SHR 4) OR S1. 12列的結果組成的字串如果和EMAIL經處理後的字串一致就成功.

因為程序將註冊碼反算,所以註冊機要求它的逆運算.逆運算的關鍵是如何把EMAIL中的一個值拆分成S1和S2,因為這個逆運算產生的結果不惟一,但要保證計算出的註冊碼是可顯示字串.不妨把一個兩位的十六進位值拆成高位和低位元.如字母'R'=52h,可拆成S1=2,S2=5,這樣計算出來的註冊碼在'A'-'X'之間,完全符合要求.

註冊機: (Borland Pascal 7.0)

Program CrackZbook;
var fmail,mail,code,temp:string;
p,p1,s1,s2,s :integer;
Num:array[1..24] of integer;
Nxor:array[1..12] of integer;
begin
Num[1]:=0; Num[2]:=1; Num[3]:=2; Num[4]:=3;
Num[5]:=4; Num[6]:=5; Num[7]:=3; Num[8]:=4;
Num[9]:=5; Num[10]:=6; Num[11]:=7; Num[12]:=8;
Num[13]:=8; Num[14]:=7; Num[15]:=6; Num[16]:=5;
Num[17]:=4; Num[18]:=3; Num[19]:=5; Num[20]:=4;
Num[21]:=3; Num[22]:=2; Num[23]:=1; Num[24]:=0;
Nxor[1]:=1;Nxor[2]:=3;Nxor[3]:=7;Nxor[4]:=13;
Nxor[5]:=5;Nxor[6]:=15;Nxor[7]:=11;Nxor[8]:=9;
Nxor[9]:=9;Nxor[10]:=11;Nxor[11]:=15;Nxor[12]:=5; //啟始化計算表
p1:=1;
repeat
write('Please input your Email:');
readln(fmail);
until length(fmail)>=4;
for p:=1 to length(fmail) do
if (fmail[p]<>'.') and (fmail[p]<>'@') then
begin
mail[p1]:=fmail[p];
inc(p1);
end;
for p:=p1 to 12 do mail[p]:='0';
for p:=1 to 6 do temp[p]:=mail[p];
for p:=7 to 12 do mail[p-6]:=mail[p];
for p:=7 to 12 do mail[p]:=temp[p-6]; //對EMAIL的處理
for p:=1 to 12 do
begin
s:=ord(mail[p]);
s1:=s mod 16;
s2:=s div 16;
s1:=s1 xor Nxor[p];
s2:=s2 xor Nxor[p];
s1:=s1+$41+Num[p];
s2:=s2+$41+Num[p+12];
code[p]:=chr(s1);
code[p+12]:=chr(s2);
end;
for p:=1 to 24 do write(code[p]);
writeln;
writeln('Crack by RoBa Thank you');
end.

一個可用的註冊碼:

EMAIL: RoBa
CODE : BEJQJUMKQQWNKHKTKPTTQPNG

2003-12-12, 01:00 PM	#1
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	書香XX 算法分析 + 無註冊機書香門第 V1.30 Build 1732 軟體大小： 720 KB 軟體語言：簡體中文軟體類別：大陸開發軟體 / 共享版 / 電子閱讀套用平台： Win9x/NT/2000/XP 界面預覽：加入時間： 2003-09-30 09:47:24 下載次數： 12748 推薦等級： *** 聯系人： gentlebreeze@vip.163.com 開發商： http://www.gentle-breeze.com/ 軟體介紹：《書香門第》是一款適合於真正讀書迷的電子小說、文本閱讀軟體，它外表並不花哨，但對於長時間、大量閱讀的讀書迷，卻最舒適、體貼、細緻，因為它具有十二個鮮明特點：1．多達27種各種質感的視窗背景、頁面背景可供選項，總共超過700種背景組合，為讀書迷提供最高舒適度和最大程度的視力保護。2．強大、智能化的自動排版功能，並可以隨意設定字體大小、顏色、行距、標題行。3．極其高速的排版速度：目前主流電腦上排版速度超過一萬頁/秒，所以通常你根本無法感覺到排版程序。 4．高速的DirectDraw圖形引擎，翻頁尋跡流暢自如。5．附帶的html轉換、合成工具能夠迅速依次將一批html文件轉換且合併為一個大的文本文件，方便閱讀。6．寬廣的平台適用性：從486/win95到最新P4/XP都能從容應對。7．體貼的左手鍵操作，使你從此擺脫長期右手操作滑鼠、鍵盤帶來的疲勞。8．與頁面字數成正比的自動翻頁間隔，自然優於呆板的類BIOS翻頁間隔。9．可以選項使用視窗模式（尋跡方便）或全螢幕幕模式（閱讀效果更好）。10．全書遍歷/測試功能，保護你的電腦，節約能源。11．搜尋功能方便讀者在書中搜尋。12．具有強於word和IE的漢字亂碼糾錯功能。下載位址: http://www.skycn.com/soft/9090.html 輸入一個EMAIL和一個註冊碼(必須是24位,見下),用一般方法很容易找到這裡: :00403A3B 6A20 push 00000020 :00403A3D 57 push edi <--輸入的EMAIL :00403A3E 8BCD mov ecx, ebp :00403A40 E881770100 call 0041B1C6 <--得到長度 :00403A45 8D9E00010000 lea ebx, dword ptr [esi+00000100] :00403A4B 6A20 push 00000020 :00403A4D 68202C4500 push 00452C20 <--假碼 :00403A52 8BCB mov ecx, ebx :00403A54 A300204500 mov dword ptr [00452000], eax <--先把EMAIL長度存起來 :00403A59 E868770100 call 0041B1C6 <--得到長度 :00403A5E 83F818 cmp eax, 00000018 :00403A61 0F85C0000000 jne 00403B27 <--長度必須為18h :00403A67 A100204500 mov eax, dword ptr [00452000] <--讀出EMAIL長度 :00403A6C 83F804 cmp eax, 00000004 :00403A6F 0F8CB2000000 jl 00403B27 <--EMAIL長度不小於4 :00403A75 8364241000 and dword ptr [esp+10], 00000000 :00403A7A EB05 jmp 00403A81 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403A9F(C) \| :00403A7C A100204500 mov eax, dword ptr [00452000] * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403A7A(U) \| :00403A81 50 push eax :00403A82 0FAF442414 imul eax, dword ptr [esp+14] :00403A87 05402C4500 add eax, 00452C40 :00403A8C 57 push edi :00403A8D 50 push eax :00403A8E E8BD570000 call 00409250 <--把[EDI]處的記憶體寫入[eax] :00403A93 83C40C add esp, 0000000C :00403A96 FF442410 inc [esp+10] :00403A9A 837C241040 cmp dword ptr [esp+10], 00000040 :00403A9F 7CDB jl 00403A7C <--把EMAIL重寫40次??作者在和我兜圈子? :00403AA1 BF20244500 mov edi, 00452420 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403ABF(C) \| :00403AA6 6A20 push 00000020 :00403AA8 68202C4500 push 00452C20 :00403AAD 57 push edi :00403AAE E89D570000 call 00409250 :00403AB3 83C720 add edi, 00000020 :00403AB6 83C40C add esp, 0000000C :00403AB9 81FF202C4500 cmp edi, 00452C20 :00403ABF 7CE5 jl 00403AA6 <--又把假碼重寫40次 _ :00403AC1 33FF xor edi, edi :00403AC3 57 push edi :00403AC4 57 push edi :00403AC5 6801150000 push 00001501 :00403ACA FF761C push [esi+1C] * Reference To: USER32.SendMessageA, Ord:0214h \| :00403ACD FF15F0544200 Call dword ptr [004254F0] :00403AD3 80BEC000000000 cmp byte ptr [esi+000000C0], 00 <--重要標誌 :00403ADA 742F je 00403B0B <--這裡修改為JNE就成功了 * Possible StringData Ref from Data Obj ->" --------- 祝賀你！ ---------- " ->" 你已經成為了《書香門第》註冊用戶！" \| :00403ADC 6828D74200 push 0042D728 :00403AE1 893DC83E4500 mov dword ptr [00453EC8], edi :00403AE7 E8AC220000 call 00405D98 看上去似乎沒什麼時候難的,很傳統的判斷,一個CALL,然後CMP,JE,可是跟進CALL一看,卻是系統的USER32.DLL, 百思不得其解,其它地方也找不到什麼判斷.怎麼辦呢??考慮N分鐘後決定用BPM試一下.不是比較[ESI+C0]處是否為0嗎,如果判斷註冊的話肯定要像這裡寫上0或者其它什麼東西.我們就看看程序什麼時候在這裡寫了東西. 下指令: BPM ESI+C0 中斷在下面: :00403B4D 817C240401150000 cmp dword ptr [esp+04], 00001501 :00403B55 56 push esi :00403B56 8BF1 mov esi, ecx :00403B58 750B jne 00403B65 :00403B5A E81D000000 call 00403B7C <--很明顯是關鍵的CALL :00403B5F 8886C0000000 mov byte ptr [esi+000000C0], al <--呵呵,中斷在這裡 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403B58(C) \| :00403B65 FF742410 push [esp+10] :00403B69 8BCE mov ecx, esi :00403B6B FF742410 push [esp+10] :00403B6F FF742410 push [esp+10] :00403B73 E8B7540100 call 0041902F :00403B78 5E pop esi :00403B79 C20C00 ret 000C 跟進403B5A處的關鍵CALL: * Referenced by a CALL at Addresses: \|:004017E2 , :00402135 , :004030B9 , :00403B5A , :00404DA0 \| :00403B7C 55 push ebp :00403B7D 8BEC mov ebp, esp :00403B7F 81EC00010000 sub esp, 00000100 :00403B85 56 push esi :00403B86 6A20 push 00000020 :00403B88 E8DE5B0000 call 0040976B :00403B8D 6A40 push 00000040 :00403B8F BE20234500 mov esi, 00452320 :00403B94 99 cdq :00403B95 59 pop ecx :00403B96 F7F9 idiv ecx :00403B98 C1E205 shl edx, 05 :00403B9B 81C220244500 add edx, 00452420 :00403BA1 52 push edx :00403BA2 56 push esi :00403BA3 E8A8560000 call 00409250 :00403BA8 68FF000000 push 000000FF :00403BAD 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] :00403BB3 6A00 push 00000000 :00403BB5 50 push eax :00403BB6 E8555A0000 call 00409610 :00403BBB 83C418 add esp, 00000018 :00403BBE FF3500204500 push dword ptr [00452000] :00403BC4 E8A25B0000 call 0040976B :00403BC9 6A40 push 00000040 :00403BCB 99 cdq :00403BCC 59 pop ecx :00403BCD F7F9 idiv ecx :00403BCF 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] :00403BD5 0FAF1500204500 imul edx, dword ptr [00452000] :00403BDC 81C2402C4500 add edx, 00452C40 :00403BE2 52 push edx :00403BE3 50 push eax :00403BE4 E867560000 call 00409250 :00403BE9 6A0C push 0000000C :00403BEB 56 push esi :00403BEC 68A0224500 push 004522A0 :00403BF1 E85A560000 call 00409250 :00403BF6 6A0C push 0000000C :00403BF8 682C234500 push 0045232C :00403BFD 6820224500 push 00452220 :00403C02 E849560000 call 00409250 :00403C07 A100204500 mov eax, dword ptr [00452000] :00403C0C 80252C22450000 and byte ptr [0045222C], 00 :00403C13 8025AC22450000 and byte ptr [004522AC], 00 :00403C1A 83C424 add esp, 00000024 :00403C1D 33D2 xor edx, edx :00403C1F 85C0 test eax, eax :00403C21 7E2E jle 00403C51 :00403C23 53 push ebx :00403C24 57 push edi :00403C25 8D58FF lea ebx, dword ptr [eax-01] * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403C4D(C) \| :00403C28 8DBC1500FFFFFF lea edi, dword ptr [ebp+edx-00000100] :00403C2F 8A0F mov cl, byte ptr [edi] <-依次取EMAIL的字串 :00403C31 80F940 cmp cl, 40 :00403C34 7405 je 00403C3B <--是否為'@' :00403C36 80F92E cmp cl, 2E :00403C39 750F jne 00403C4A<--是否為'.' * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403C34(C) \| :00403C3B 3BD3 cmp edx, ebx :00403C3D 7D09 jge 00403C48 :00403C3F 8BCB mov ecx, ebx :00403C41 8D7701 lea esi, dword ptr [edi+01] :00403C44 2BCA sub ecx, edx :00403C46 F3 repz :00403C47 A4 movsb * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403C3D(C) \| :00403C48 48 dec eax :00403C49 4B dec ebx * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403C39(C) \| :00403C4A 42 inc edx :00403C4B 3BD0 cmp edx, eax :00403C4D 7CD9 jl 00403C28 <--上面的一段是對EMAIL的處理,去掉@,在後面補齊等 :00403C4F 5F pop edi :00403C50 5B pop ebx * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403C21(C) \| :00403C51 83F80C cmp eax, 0000000C :00403C54 5E pop esi :00403C55 7D18 jge 00403C6F :00403C57 6A0C push 0000000C :00403C59 59 pop ecx :00403C5A 2BC8 sub ecx, eax :00403C5C 8D840500FFFFFF lea eax, dword ptr [ebp+eax-00000100] :00403C63 51 push ecx :00403C64 6A30 push 00000030 :00403C66 50 push eax :00403C67 E8A4590000 call 00409610 :00403C6C 83C40C add esp, 0000000C * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403C55(C) \| :00403C6F 80A50CFFFFFF00 and byte ptr [ebp+FFFFFF0C], 00 :00403C76 E847000000 call 00403CC2 <--關鍵的CALL :00403C7B 6A0C push 0000000C :00403C7D 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] :00403C83 68A0234500 push 004523A0 :00403C88 50 push eax :00403C89 E8D2600000 call 00409D60 <--這裡就是比較了 :00403C8E 83C40C add esp, 0000000C :00403C91 85C0 test eax, eax :00403C93 751B jne 00403CB0 :00403C95 2005FB1C4500 and byte ptr [00451CFB], al :00403C9B 2005FA1C4500 and byte ptr [00451CFA], al :00403CA1 2005F91C4500 and byte ptr [00451CF9], al :00403CA7 2005F81C4500 and byte ptr [00451CF8], al :00403CAD 40 inc eax :00403CAE C9 leave :00403CAF C3 ret 進入403C89處的CALL: * Referenced by a CALL at Addresses: \|:00403C76 , :004044A5 \| :00403CC2 6A0C push 0000000C :00403CC4 E802000000 call 00403CCB <--進入 :00403CC9 59 pop ecx :00403CCA C3 ret * Referenced by a CALL at Address: \|:00403CC4 \| :00403CCB 56 push esi :00403CCC 8B742408 mov esi, dword ptr [esp+08] :00403CD0 33C9 xor ecx, ecx :00403CD2 57 push edi :00403CD3 85F6 test esi, esi :00403CD5 7E20 jle 00403CF7 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403CF5(C) <--第一處循環計算 \| :00403CD7 8D0431 lea eax, dword ptr [ecx+esi] :00403CDA 6A09 push 00000009 :00403CDC 99 cdq :00403CDD 5F pop edi :00403CDE F7FF idiv edi :00403CE0 B008 mov al, 08 :00403CE2 2AC2 sub al, dl :00403CE4 88144D20234500 mov byte ptr [2ecx+00452320], dl :00403CEB 88044D21234500 mov byte ptr [2ecx+00452321], al :00403CF2 41 inc ecx :00403CF3 3BCE cmp ecx, esi :00403CF5 7CE0 jl 00403CD7 <--上面的計算挺熱鬧,但結果都是常數,所以只要知道結果就行了 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403CD5(C) \| :00403CF7 8024752023450000 and byte ptr [2esi+00452320], 00 :00403CFF 53 push ebx :00403D00 55 push ebp :00403D01 8DBE20234500 lea edi, dword ptr [esi+00452320] :00403D07 56 push esi :00403D08 BD20214500 mov ebp, 00452120 :00403D0D 57 push edi :00403D0E 55 push ebp :00403D0F E83C550000 call 00409250 :00403D14 BB20234500 mov ebx, 00452320 :00403D19 56 push esi :00403D1A 53 push ebx :00403D1B 57 push edi :00403D1C E82F550000 call 00409250 :00403D21 56 push esi :00403D22 55 push ebp :00403D23 53 push ebx :00403D24 E827550000 call 00409250 <--頻繁使用這個CALL(上面提到過),目的是把上面的計算結果前半段和後半段對調一下 :00403D29 83C424 add esp, 00000024 :00403D2C 33DB xor ebx, ebx :00403D2E 85F6 test esi, esi :00403D30 7E51 jle 00403D83 計算至此後記憶體中的情況:[00452320] __________________________________________________________________ 016F:00452320 00 08 01 07 02 06 03 05-04 04 05 03 03 05 04 04 016F:00452330 05 03 06 02 07 01 08 00-00 00 00 00 00 00 00 00 __________________________________________________________________ Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403D81(C) <--第二處循環計算 \| :00403D32 8AC3 mov al, bl :00403D34 8A8BA0224500 mov cl, byte ptr [ebx+004522A0] <-依次取出假碼前半段的字串ch1 :00403D3A FEC0 inc al :00403D3C 8A9320224500 mov dl, byte ptr [ebx+00452220] <-依次取出假碼後半段的字串ch2 :00403D42 F6EB imul bl <-ch1=ch1循環變數N (由０遞增) :00403D44 8D3C1B lea edi, dword ptr [ebx+ebx] :00403D47 FEC0 inc al :00403D49 240F and al, 0F :00403D4B 2A8F20234500 sub cl, byte ptr [edi+00452320]<-ch1=ch1-從[452320]處依次取的值 :00403D51 2A9721234500 sub dl, byte ptr [edi+00452321]<-ch2=ch2-從[452320]處倣傚取的值 :00403D57 A218214500 mov byte ptr [00452118], al :00403D5C 80E941 sub cl, 41 <-ch1=ch1-41 :00403D5F 80EA41 sub dl, 41 <-ch2=ch2-41 :00403D62 32C8 xor cl, al <-ch1=ch1 xor 循環變數N :00403D64 32D0 xor dl, al <-ch2=ch2 xor 循環變數N :00403D66 888BA0224500 mov byte ptr [ebx+004522A0], cl :00403D6C 889320224500 mov byte ptr [ebx+00452220], dl <-把結果寫在[4522A0] :00403D72 43 inc ebx :00403D73 888F20214500 mov byte ptr [edi+00452120], cl :00403D79 3BDE cmp ebx, esi :00403D7B 889721214500 mov byte ptr [edi+00452121], dl <-再寫在[452120] :00403D81 7CAF jl 00403D32 Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403D30(C) \| :00403D83 56 pus * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403D30(C) \| :00403D83 56 push esi :00403D84 55 push ebp :00403D85 6820224500 push 00452220 :00403D8A E8C1540000 call 00409250 :00403D8F 8DBE20214500 lea edi, dword ptr [esi+00452120] :00403D95 56 push esi :00403D96 BBA0224500 mov ebx, 004522A0 :00403D9B 57 push edi :00403D9C 53 push ebx :00403D9D E8AE540000 call 00409250 :00403DA2 56 push esi :00403DA3 53 push ebx :00403DA4 55 push ebp :00403DA5 E8A6540000 call 00409250 :00403DAA 56 push esi :00403DAB 6820224500 push 00452220 :00403DB0 57 push edi :00403DB1 E89A540000 call 00409250 <--又是同樣的方法把前半段ch1和後半段ch2再調換 :00403DB6 83C430 add esp, 00000030 :00403DB9 33C0 xor eax, eax :00403DBB 85F6 test esi, esi :00403DBD 5D pop ebp :00403DBE 5B pop ebx :00403DBF 7E1C jle 00403DDD * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403DDB(C) <--第三處循環計算 \| :00403DC1 8A0C4521214500 mov cl, byte ptr [2eax+00452121] <--從[452120]處每次取兩個值 :00403DC8 C0E104 shl cl, 04 即第二次計算的結果,把後一值 :00403DCB 0A0C4520214500 or cl, byte ptr [2eax+00452120] 左移四位後與前值進行OR運算, :00403DD2 40 inc eax 結果寫在[4523A0] :00403DD3 3BC6 cmp eax, esi :00403DD5 88889F234500 mov byte ptr [eax+0045239F], cl :00403DDB 7CE4 jl 00403DC1 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:00403DBF(C) \| :00403DDD 80A6A023450000 and byte ptr [esi+004523A0], 00 :00403DE4 5F pop edi :00403DE5 5E pop esi :00403DE6 C3 ret 進行比較的那個CALL我就不寫了(因為這篇文章太長了),但它好像只比較前四位,也就是說只要你的EMAIL前四位與[4523A0]處的結果一致就可以.可我隨意填的假碼經反算後根本不是可顯示字串,要想寫出註冊機必須把算法逆回去,我想了好半天也不知道這個算法怎樣逆運算,看著清清楚楚的程式碼就是寫不出註冊機,痛苦中..... 哪位大哥幫我分析一下,我的數學太爛了... 程序判斷註冊的思路: 1.先將EMAIL中的'@','.'字串去掉,如果小於12個字串就在後面補'0'.然後把前六位和後六位顛倒過來. 2.取註冊碼(24位)按下表計算: (假設輸入的是ABCDEFGHIJKLMNOPQRSTUVWX) +----+---+---+---+---+---+---+---+---+---+---+---+---+ \|假碼\| A \| B \| C \| D \| E \| F \| G \| H \| I \| J \| K \| L \| \|Num \| 0 \| 1 \| 2 \| 3 \| 4 \| 5 \| 3 \| 4 \| 5 \| 6 \| 7 \| 8 \| +----+---+---+---+---+---+---+---+---+---+---+---+---+ \|假碼\| M \| N \| O \| P \| Q \| R \| S \| T \| U \| V \| W \| X \| \|Num \| 8 \| 7 \| 6 \| 5 \| 4 \| 3 \| 5 \| 4 \| 3 \| 2 \| 1 \| 0 \| +----+---+---+---+---+---+---+---+---+---+---+---+---+ \|Nxor\| 1 \| 3 \| 7 \| D \| 5 \| F \| B \| 9 \| 9 \| B \| F \| 5 \| +----+---+---+---+---+---+---+---+---+---+---+---+---+ 其中第N列的Nxor值計算方法是((N-1)*N+1) mod 10h 判斷時將每列上一格裡的(註冊碼-Num-41h) xor 該格對應列的Nxor值,記結果為S1,用同樣方法算出該列下一格的值S2,計算(S2 SHR 4) OR S1. 12列的結果組成的字串如果和EMAIL經處理後的字串一致就成功. 因為程序將註冊碼反算,所以註冊機要求它的逆運算.逆運算的關鍵是如何把EMAIL中的一個值拆分成S1和S2,因為這個逆運算產生的結果不惟一,但要保證計算出的註冊碼是可顯示字串.不妨把一個兩位的十六進位值拆成高位和低位元.如字母'R'=52h,可拆成S1=2,S2=5,這樣計算出來的註冊碼在'A'-'X'之間,完全符合要求. 註冊機: (Borland Pascal 7.0) Program CrackZbook; var fmail,mail,code,temp:string; p,p1,s1,s2,s :integer; Num:array[1..24] of integer; Nxor:array[1..12] of integer; begin Num[1]:=0; Num[2]:=1; Num[3]:=2; Num[4]:=3; Num[5]:=4; Num[6]:=5; Num[7]:=3; Num[8]:=4; Num[9]:=5; Num[10]:=6; Num[11]:=7; Num[12]:=8; Num[13]:=8; Num[14]:=7; Num[15]:=6; Num[16]:=5; Num[17]:=4; Num[18]:=3; Num[19]:=5; Num[20]:=4; Num[21]:=3; Num[22]:=2; Num[23]:=1; Num[24]:=0; Nxor[1]:=1;Nxor[2]:=3;Nxor[3]:=7;Nxor[4]:=13; Nxor[5]:=5;Nxor[6]:=15;Nxor[7]:=11;Nxor[8]:=9; Nxor[9]:=9;Nxor[10]:=11;Nxor[11]:=15;Nxor[12]:=5; //啟始化計算表 p1:=1; repeat write('Please input your Email:'); readln(fmail); until length(fmail)>=4; for p:=1 to length(fmail) do if (fmail[p]<>'.') and (fmail[p]<>'@') then begin mail[p1]:=fmail[p]; inc(p1); end; for p:=p1 to 12 do mail[p]:='0'; for p:=1 to 6 do temp[p]:=mail[p]; for p:=7 to 12 do mail[p-6]:=mail[p]; for p:=7 to 12 do mail[p]:=temp[p-6]; //對EMAIL的處理 for p:=1 to 12 do begin s:=ord(mail[p]); s1:=s mod 16; s2:=s div 16; s1:=s1 xor Nxor[p]; s2:=s2 xor Nxor[p]; s1:=s1+$41+Num[p]; s2:=s2+$41+Num[p+12]; code[p]:=chr(s1); code[p+12]:=chr(s2); end; for p:=1 to 24 do write(code[p]); writeln; writeln('Crack by RoBa Thank you'); end. 一個可用的註冊碼: EMAIL: RoBa CODE : BEJQJUMKQQWNKHKTKPTTQPNG

	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

主題工具
顯示可列印版本郵寄本頁給好友
顯示模式
平板模式切換到混合模式切換到樹形模式

Google 提供的廣告