变速精灵 XP (Simplified Chinese edition) registration analysis, part 1

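Source: 巧巧读书, 2005-11-05
Software name: 变速精灵 XP, Simplified Chinese edition
Software description: 变速精灵 is a remarkable program that can change the speed of Windows software.
You can use 变速精灵 to speed up or slow down running software, for example your games.
变速精灵 XP is currently the newest and best version to use.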

Cracking process:

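1. After disassembling the program with W32Dasm, search for the string "变速精灵 - 未注册版" ("变速精灵 - unregistered version").
Double-click it and we arrive here: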

* Possible StringData Ref from Data Obj ->"变速精灵 - 未注册版"
|
:00403762 68B4B14000 push 0040B1B4
:00403767 8BCF mov ecx, edi


2. Scrolling up, we reach:
:004036B0 64A100000000 mov eax, dword ptr fs:[00000000]
:004036B6 6AFF push FFFFFFFF
:004036B8 6841734000 push 00407341
:004036BD 50 push eax
:004036BE 8B442410 mov eax, dword ptr [esp+10] ; eax shows 189993728 (the computed machine code)
:004036C2 64892500000000 mov dword ptr fs:[00000000], esp ; my machine code is 189-728-1015-993
:004036C9 81EC10040000 sub esp, 00000410 ; i.e. parts 1, 4 and 2 of the machine code concatenated
:004036CF 57 push edi
:004036D0 8BF9 mov edi, ecx
:004036D2 50 push eax
:004036D3 C7476001000000 mov [edi+60], 00000001
:004036DA E8D1D9FFFF call 004010B0 ; step into this call
:004036DF 8B8C242C040000 mov ecx, dword ptr [esp+0000042C]
:004036E6 83C404 add esp, 00000004
:004036E9 3BC1 cmp eax, ecx ; check the real registration code against the entered one
:004036EB 0F8484010000 je 00403875 ; jump if equal
:004036F1 56 push esi
:004036F2 8D4C2410 lea ecx, dword ptr [esp+10]
:004036F6 C7476000000000 mov [edi+60], 00000000


3. Stepping into the call, we reach:
* Referenced by a CALL at Address:
|:004036DA
|
:004010B0 55 push ebp
:004010B1 8BEC mov ebp, esp
:004010B3 56 push esi
:004010B4 8B7508 mov esi, dword ptr [ebp+08]
:004010B7 C1EE0A shr esi, 0A ; shift the computed machine code right by 10 bits
:004010BA 8D05D0104000 lea eax, dword ptr [004010D0]
:004010C0 50 push eax
:004010C1 E8CAFFFFFF call 00401090 ; step in again
:004010C6 C3 ret

4. Stepping in, we reach:
:00401090 55 push ebp
:00401091 8BEC mov ebp, esp
:00401093 51 push ecx
:00401094 E800000000 call 00401099 ; step in again

* Referenced by a CALL at Address:
|:00401094
|
:00401099 58 pop eax ; we land here
:0040109A 83E819 sub eax, 00000019
:0040109D 8945FC mov dword ptr [ebp-04], eax
:004010A0 8B45FC mov eax, dword ptr [ebp-04]
:004010A3 8BE5 mov esp, ebp
:004010A5 5D pop ebp
:004010A6 C3 ret

5. Finally we reach:
:004010D0 C14D080F ror dword ptr [ebp+08], 0F ; rotate the machine code right by 15 bits
:004010D4 8B4508 mov eax, dword ptr [ebp+08] ; store it in eax
:004010D7 33C9 xor ecx, ecx ; clear the counter ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010EA(C)
|
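:004010D9 8BD0 mov edx, eax ; copy into edx
:004010DB D3EA shr edx, cl ; shift right by cl bits
:004010DD 83E203 and edx, 00000003 ; AND with 3
:004010E0 03D6 add edx, esi ; add esi (its initial value is the computed machine code shifted right by 10 bits)
:004010E2 D1E2 shl edx, 1 ; shift left by 1 bit
:004010E4 41 inc ecx ; increment the counter
:004010E5 8BF2 mov esi, edx ; store back into esi
:004010E7 83F91F cmp ecx, 0000001F ; has the counter reached 31?
:004010EA 7CED jl 004010D9 ; if less, compute again
:004010EC 8BC6 mov eax, esi ; finally store in eax; this is the real registration code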
:004010EE 5E pop esi
:004010EF 5D pop ebp
:004010F0 C3 ret


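Machine code: 189-728-1015-993
Registration code: 4211606004
After re-registering with the real registration code, it succeeded!

No memory keygen written; it is too simple!
No keygen written either; that is beyond my ability. Can anyone help?

Nobody has cracked this one before, I suppose!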


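13. 超级Ping V1.0 algorithm analysis

超级Ping V1.0
超级Ping 1.0 (PingPlus V1.0) is a network monitoring program that monitors the network status of multiple hosts in real time, automatically records and analyses the results, and raises an alarm automatically when the network goes down. The monitoring results can be recorded in text files named after the IP address or in an Access database, as the user chooses. PingPlus is very easy to use, powerful and stable, and can greatly ease the work of network administrators...
Original download:
http://211.147.192.99/movie/vc/tools/PingPlus_Setup.exe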


00406448 . 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
0040644C . 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
00406450 . 51 PUSH ECX
00406451 . 68 60C14000 PUSH PingPlus.0040C160 ; ASCII "%s"
00406456 . 52 PUSH EDX
00406457 . E8 240C0000 CALL
0040645C . 8B85 E8000000 MOV EAX,DWORD PTR SS:[EBP+E8]
00406462 . 50 PUSH EAX ; /s2
00406463 . 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24] ; |
00406467 . 50 PUSH EAX ; |s1
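00406468 . FF15 90934000 CALL NEAR DWORD PTR DS:[<&MSVCRT._mbscmp>; \_mbscmp ====> This CALL is where the registration code is compared; by this point the real registration code has already been computed. If you only want the registration code, set a breakpoint here: it is in the registers. To dig out the algorithm you need to keep looking further up. The real algorithm starts at 406310.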
0040646E . 83C4 14 ADD ESP,14
00406471 . 85C0 TEST EAX,EAX
00406473 . 6A 00 PUSH 0
00406475 . 0F85 1B010000 JNZ PingPlus.00406596 ====> This jumps to the error path.
0040647B . 68 D8C74000 PUSH PingPlus.0040C7D8
00406480 . 68 A4C74000 PUSH PingPlus.0040C7A4
00406485 . 8BCD MOV ECX,EBP
00406487 . E8 B00D0000 CALL
0040648C . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
00406490 . 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
00406494 . 51 PUSH ECX ; /pDisposition
00406495 . 8B35 10904000 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegCrea>; |ADVAPI32.RegCreateKeyExA
0040649B . 52 PUSH EDX ; |pHandle
0040649C . 6A 00 PUSH 0 ; |pSecurity = NULL
0040649E . 68 06000200 PUSH 20006 ; |Access = KEY_WRITE
004064A3 . 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
004064A5 . 6A 00 PUSH 0 ; |Class = NULL
004064A7 . 6A 00 PUSH 0 ; |Reserved = 0
004064A9 . 68 88C74000 PUSH PingPlus.0040C788 ; |Subkey = "Software\Microsoft\PInfo"
004064AE . 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
004064B3 . C74424 3C 1B0>MOV DWORD PTR SS:[ESP+3C],1B ; |
004064BB . FFD6 CALL NEAR ESI ; \RegCreateKeyExA
004064BD . 8B3D 0C904000 MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegSetV>; ADVAPI32.RegSetValueExA
004064C3 . 8B1D 00904000 MOV EBX,DWORD PTR DS:[<&ADVAPI32.RegClos>; ADVAPI32.RegCloseKey
004064C9 . 85C0 TEST EAX,EAX
004064CB . 75 30 JNZ SHORT PingPlus.004064FD
004064CD . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
004064D1 . 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
004064D5 . 6A 04 PUSH 4 ; /BufSize = 4
004064D7 . 50 PUSH EAX ; |Buffer
004064D8 . 6A 04 PUSH 4 ; |ValueType = REG_DWORD
004064DA . 6A 00 PUSH 0 ; |Reserved = 0
004064DC . 68 80C74000 PUSH PingPlus.0040C780 ; |ValueName = "State"
004064E1 . 51 PUSH ECX ; |hKey
004064E2 . FFD7 CALL NEAR EDI ; \RegSetValueExA
004064E4 . 85C0 TEST EAX,EAX
004064E6 . 74 0E JE SHORT PingPlus.004064F6
004064E8 . 6A 00 PUSH 0
004064EA . 6A 00 PUSH 0
004064EC . 68 60C74000 PUSH PingPlus.0040C760
004064F1 . E8 0E0C0000 CALL
004064F6 > 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
004064FA . 52 PUSH EDX
004064FB . FFD3 CALL NEAR EBX
004064FD > 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
00406501 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00406505 . 50 PUSH EAX
00406506 . 51 PUSH ECX
00406507 . 6A 00 PUSH 0
00406509 . 68 06000200 PUSH 20006
0040650E . 6A 00 PUSH 0
00406510 . 6A 00 PUSH 0
00406512 . 6A 00 PUSH 0
00406514 . 68 28C74000 PUSH PingPlus.0040C728 ; ASCII "Software\PingPlus"
00406519 . 68 01000080 PUSH 80000001
0040651E . FFD6 CALL NEAR ESI
00406520 . 85C0 TEST EAX,EAX
00406522 . 75 4B JNZ SHORT PingPlus.0040656F
00406524 . 51 PUSH ECX
00406525 . 8DB5 E4000000 LEA ESI,DWORD PTR SS:[EBP+E4]
0040652B . 8BCC MOV ECX,ESP
0040652D . 896424 24 MOV DWORD PTR SS:[ESP+24],ESP
00406531 . 56 PUSH ESI
00406532 . E8 BD0C0000 CALL
00406537 . 8BCD MOV ECX,EBP
00406539 . E8 92000000 CALL PingPlus.004065D0
0040653E . 8B16 MOV EDX,DWORD PTR DS:[ESI]
00406540 . 8B4A F8 MOV ECX,DWORD PTR DS:[EDX-8]
00406543 . 41 INC ECX
00406544 . 51 PUSH ECX
00406545 . 50 PUSH EAX
00406546 . 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
0040654A . 6A 01 PUSH 1
0040654C . 6A 00 PUSH 0
0040654E . 68 1CC74000 PUSH PingPlus.0040C71C ; ASCII "UserName"
00406553 . 50 PUSH EAX
00406554 . FFD7 CALL NEAR EDI
00406556 . 85C0 TEST EAX,EAX
00406558 . 74 0E JE SHORT PingPlus.00406568
0040655A . 6A 00 PUSH 0
0040655C . 6A 00 PUSH 0
0040655E . 68 50C74000 PUSH PingPlus.0040C750
00406563 . E8 9C0B0000 CALL
00406568 > 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040656C . 51 PUSH ECX
0040656D . FFD3 CALL NEAR EBX
0040656F > E8 D60A0000 CALL
00406574 . 85C0 TEST EAX,EAX
00406576 . 74 09 JE SHORT PingPlus.00406581
00406578 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0040657A . 8BC8 MOV ECX,EAX
0040657C . FF52 7C CALL NEAR DWORD PTR DS:[EDX+7C]
0040657F . EB 02 JMP SHORT PingPlus.00406583
00406581 > 33C0 XOR EAX,EAX
00406583 > 8BCD MOV ECX,EBP
00406585 . C780 98050000>MOV DWORD PTR DS:[EAX+598],1B
0040658F . E8 C20A0000 CALL
00406594 . EB 11 JMP SHORT PingPlus.004065A7
00406596 > 68 48C74000 PUSH PingPlus.0040C748 =====> Where do we arrive here from?
0040659B . 68 3CC74000 PUSH PingPlus.0040C73C =====> This is the error message. Search upward for the jump that lands here.
004065A0 . 8BCD MOV ECX,EBP
004065A2 . E8 950C0000 CALL
004065A7 > 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004065AB . C74424 64 FFF>MOV DWORD PTR SS:[ESP+64],-1
004065B3 . E8 1E090000 CALL
004065B8 . 8B4C24 5C MOV ECX,DWORD PTR SS:[ESP+5C]
004065BC . 5F POP EDI
004065BD . 5E POP ESI
004065BE . 5D POP EBP
004065BF . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004065C6 . 5B POP EBX
004065C7 . 83C4 58 ADD ESP,58
004065CA . C3 RETN


Here is where the registration code is computed!


00406310 . 6A FF PUSH -1
00406312 . 68 68814000 PUSH PingPlus.00408168 ; SE handler installation
00406317 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0040631D . 50 PUSH EAX
0040631E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00406325 . 83EC 4C SUB ESP,4C
00406328 . 53 PUSH EBX
00406329 . 55 PUSH EBP
0040632A . 8BE9 MOV EBP,ECX
0040632C . 56 PUSH ESI
0040632D . 57 PUSH EDI
0040632E . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00406332 . E8 B10B0000 CALL
00406337 . 6A 01 PUSH 1
00406339 . 8BCD MOV ECX,EBP
0040633B . C74424 68 000>MOV DWORD PTR SS:[ESP+68],0
00406343 . E8 260D0000 CALL
00406348 . 8BBD E4000000 MOV EDI,DWORD PTR SS:[EBP+E4] ====> Moves the user name into EDI.

This article: http://www.qqread.com/encrypt/v610187062.html