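【Crack author】 essorg
【Author e-mail】 essorg@163.com
【Author homepage】 None
【Tools used】 W32ASMpll
【Platform】 XP
【Software name】 "LZX Planning and Design System" version 4.0
【Download URL】 http://Lzx4.nease.net
【Software description】 "LZX Planning and Design System" version 4.0 is a powerful software package for urban planning, general layout and landscape design.
Operating systems: Chinese/English Win98/2000/NT/ME/XP (preferably WinXP); graphics platform:
Chinese/English AutoCAD 2002. Install AutoCAD 2002 before installing this software.
【Crack statement】 I'm just a little newbie who happened to pick up a thing or two, and I'd like to share it with everyone :)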
--------------------------------------------------------------------------------
【Crack content】
* Possible StringData Ref from Data Obj ->"Serial"
|
:1C01FFB7 68B8A7041C push 1C04A7B8
:1C01FFBC E87D8B0000 call 1C028B3E
:1C01FFC1 51 push ecx
:1C01FFC2 C645FC07 mov [ebp-04], 07
:1C01FFC6 8BCC mov ecx, esp
:1C01FFC8 8965DC mov dword ptr [ebp-24], esp
:1C01FFCB 6840B0041C push 1C04B040
:1C01FFD0 E88D8B0000 call 1C028B62
:1C01FFD5 6802000080 push 80000002
:1C01FFDA 885DFC mov byte ptr [ebp-04], bl
* Reference To: LzxObj.?M_GetRegStr@@YAHPAUHKEY__@@VCString@@1AAV2@@Z
|
:1C01FFDD E87ECEFFFF call 1C01CE60 // read the entered registration code saved in the registry
:1C01FFE2 83C410 add esp, 00000010
:1C01FFE5 8D45E4 lea eax, dword ptr [ebp-1C]
:1C01FFE8 8D4DE0 lea ecx, dword ptr [ebp-20]
:1C01FFEB 50 push eax
:1C01FFEC 51 push ecx
:1C01FFED 8D55DC lea edx, dword ptr [ebp-24]
:1C01FFF0 52 push edx
:1C01FFF1 E8D28B0000 call 1C028BC8
:1C01FFF6 50 push eax
:1C01FFF7 8D4DEC lea ecx, dword ptr [ebp-14]
:1C01FFFA C645FC08 mov [ebp-04], 08
:1C01FFFE E8598B0000 call 1C028B5C
:1C020003 8D4DDC lea ecx, dword ptr [ebp-24]
:1C020006 885DFC mov byte ptr [ebp-04], bl
:1C020009 E8248B0000 call 1C028B32
:1C02000E 8D45F0 lea eax, dword ptr [ebp-10]
:1C020011 50 push eax
:1C020012 51 push ecx
:1C020013 8BCC mov ecx, esp
:1C020015 8965D8 mov dword ptr [ebp-28], esp
:1C020018 6840B0041C push 1C04B040
:1C02001D E8408B0000 call 1C028B62
:1C020022 51 push ecx
:1C020023 8D55EC lea edx, dword ptr [ebp-14]
:1C020026 8BCC mov ecx, esp
:1C020028 8965D4 mov dword ptr [ebp-2C], esp
:1C02002B 52 push edx
:1C02002C C645FC09 mov [ebp-04], 09
:1C020030 E82D8B0000 call 1C028B62
:1C020035 885DFC mov byte ptr [ebp-04], bl
:1C020038 E893D8FFFF call 1C01D8D0
:1C02003D 8B45E8 mov eax, dword ptr [ebp-18] // entered registration code
:1C020040 8B4DF0 mov ecx, dword ptr [ebp-10] // correct registration code
:1C020043 8B3554C3021C mov esi, dword ptr [1C02C354]
:1C020049 50 push eax
:1C02004A 51 push ecx
:1C02004B FFD6 call esi // core comparison
:1C02004D 83C414 add esp, 00000014
:1C020050 85C0 test eax, eax
:1C020052 7450 je 1C0200A4
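...
Registration code calculation process:
The company name and the user name are concatenated into a string M (here: CTD33), which is combined with the string N, "Software\LzxSoft\lzx4", to compute
a block of data; the registration code is then derived from this data.
M start address: edi
N start address: eax
[EBP-0D]~[EBP-15] are set to 0, EAX=0, EBX=0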
:1C01D92A 8BC3 mov eax, ebx // same position in M and N
:1C01D92C 8A0C3B mov cl, byte ptr [ebx+edi]
:1C01D92F 99 cdq // sign-extend EAX
:1C01D930 F77DE0 idiv [ebp-20] // divide EAX by 15H; quotient goes to EAX, remainder to EDX
:1C01D933 8B450C mov eax, dword ptr [ebp+0C] // address of string N
:1C01D936 8A1402 mov dl, byte ptr [edx+eax]
:1C01D939 8AC2 mov al, dl
:1C01D93B 02D1 add dl, cl
:1C01D93D 8855EB mov byte ptr [ebp-15], dl
:1C01D940 8A55F3 mov dl, byte ptr [ebp-0D]
:1C01D943 02D1 add dl, cl
:1C01D945 32C1 xor al, cl
:1C01D947 8855F3 mov byte ptr [ebp-0D], dl
:1C01D94A 8A55F0 mov dl, byte ptr [ebp-10]
:1C01D94D 32D1 xor dl, cl
:1C01D94F 8855F0 mov byte ptr [ebp-10], dl
:1C01D952 8A55F2 mov dl, byte ptr [ebp-0E]
:1C01D955 02D0 add dl, al
:1C01D957 8855F2 mov byte ptr [ebp-0E], dl
:1C01D95A 8A55F1 mov dl, byte ptr [ebp-0F]
:1C01D95D 32D0 xor dl, al
:1C01D95F 8A45EF mov al, byte ptr [ebp-11]
:1C01D962 8855F1 mov byte ptr [ebp-0F], dl
:1C01D965 8AD3 mov dl, bl
:1C01D967 02D1 add dl, cl
:1C01D969 02C2 add al, dl
:1C01D96B 8A55EE mov dl, byte ptr [ebp-12]
:1C01D96E 8845EF mov byte ptr [ebp-11], al
:1C01D971 8AC3 mov al, bl
:1C01D973 32C1 xor al, cl
:1C01D975 8A4DED mov cl, byte ptr [ebp-13]
:1C01D978 02D0 add dl, al
:1C01D97A 8A45EB mov al, byte ptr [ebp-15]
:1C01D97D 8855EE mov byte ptr [ebp-12], dl
:1C01D980 8A55EC mov dl, byte ptr [ebp-14]
:1C01D983 02C8 add cl, al
:1C01D985 32D0 xor dl, al
:1C01D987 43 inc ebx
:1C01D988 884DED mov byte ptr [ebp-13], cl
:1C01D98B 3BDE cmp ebx, esi // compare the current position with the length of M
:1C01D98D 8855EC mov byte ptr [ebp-14], dl
:1C01D990 7C98 jl 1C01D92A
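The calculation above does the following:
(1) The bytes of M are summed into [EBP-0D];
(2) The XOR of each byte of M with the corresponding byte of N is summed into [EBP-0E];
(3) The XOR of the corresponding bytes of M and N is XORed with [EBP-0F] and stored in [EBP-0F];
(4) Each byte of M is XORed with [EBP-10] and stored in [EBP-10];
(5) Each byte of M plus its position is summed, i.e. the sum of the bytes plus the sum of the positions, into [EBP-11];
(6) The XOR of each byte's position with its value is summed into [EBP-12];
(7) The sum of each byte of M and the corresponding byte of N is accumulated into [EBP-13];
(8) The sum of each byte of M and the corresponding byte of N is XORed with [EBP-14] and stored in [EBP-14].
The code that follows computes the registration code from the 8 bytes obtained.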
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C01D928(C)
|
:1C01D992 8A4DF3 mov cl, byte ptr [ebp-0D]
:1C01D995 8A55F2 mov dl, byte ptr [ebp-0E]
:1C01D998 8A45F1 mov al, byte ptr [ebp-0F]
:1C01D99B 884DD4 mov byte ptr [ebp-2C], cl
:1C01D99E 8A4DF0 mov cl, byte ptr [ebp-10]
:1C01D9A1 8855D5 mov byte ptr [ebp-2B], dl
:1C01D9A4 8A55EF mov dl, byte ptr [ebp-11]
:1C01D9A7 884DD7 mov byte ptr [ebp-29], cl
:1C01D9AA 8A4DED mov cl, byte ptr [ebp-13]
:1C01D9AD 8845D6 mov byte ptr [ebp-2A], al
:1C01D9B0 8A45EE mov al, byte ptr [ebp-12]
:1C01D9B3 8855D8 mov byte ptr [ebp-28], dl
:1C01D9B6 8A55EC mov dl, byte ptr [ebp-14]
:1C01D9B9 884DDA mov byte ptr [ebp-26], cl
:1C01D9BC 6898AF041C push 1C04AF98
:1C01D9C1 8D4DE0 lea ecx, dword ptr [ebp-20]
:1C01D9C4 8845D9 mov byte ptr [ebp-27], al
:1C01D9C7 8855DB mov byte ptr [ebp-25], dl
The code above rearranges the positions of the 8 computed bytes.
:1C01D9CA E86FB10000 call 1C028B3E
:1C01D9CF B302 mov bl, 02
:1C01D9D1 6898AF041C push 1C04AF98
:1C01D9D6 8D4DE4 lea ecx, dword ptr [ebp-1C]
:1C01D9D9 885DFC mov byte ptr [ebp-04], bl
:1C01D9DC E85DB10000 call 1C028B3E
:1C01D9E1 C645FC03 mov [ebp-04], 03
:1C01D9E5 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C01DA40(C)
|
:1C01D9E7 8A4C35D4 mov cl, byte ptr [ebp+esi-2C]
:1C01D9EB 8AC1 mov al, cl
:1C01D9ED 24D5 and al, D5
:1C01D9EF D0E9 shr cl, 1
:1C01D9F1 D0E0 shl al, 1
:1C01D9F3 80E155 and cl, 55
:1C01D9F6 0AC1 or al, cl
:1C01D9F8 8AC8 mov cl, al
:1C01D9FA C0E804 shr al, 04
:1C01D9FD 80E10F and cl, 0F
:1C01DA00 3C09 cmp al, 09
:1C01DA02 7602 jbe 1C01DA06
:1C01DA04 04F7 add al, F7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C01DA02(C)
|
:1C01DA06 80F909 cmp cl, 09
:1C01DA09 7603 jbe 1C01DA0E
:1C01DA0B 80C1F7 add cl, F7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C01DA09(C)
|
:1C01DA0E C0E004 shl al, 04
:1C01DA11 02C1 add al, cl
:1C01DA13 8D4DE0 lea ecx, dword ptr [ebp-20]
:1C01DA16 8845DC mov byte ptr [ebp-24], al
:1C01DA19 8B45DC mov eax, dword ptr [ebp-24]
:1C01DA1C 25FF000000 and eax, 000000FF
:1C01DA21 50 push eax
* Possible StringData Ref from Data Obj ->"%02X"
|
:1C01DA22 68B4A6041C push 1C04A6B4
:1C01DA27 51 push ecx
:1C01DA28 E80BB10000 call 1C028B38
:1C01DA2D 83C40C add esp, 0000000C
:1C01DA30 8D55E0 lea edx, dword ptr [ebp-20]
:1C01DA33 8D4DE4 lea ecx, dword ptr [ebp-1C]
:1C01DA36 52 push edx
:1C01DA37 E83EB10000 call 1C028B7A
:1C01DA3C 46 inc esi
:1C01DA3D 83FE08 cmp esi, 00000008
:1C01DA40 7CA5 jl 1C01D9E7
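The code above is the registration code calculation.
So the software author's statement in the documentation that hard disk parameters are the basis for registration is only there to mislead us software enthusiasts; the actual
registration code calculation has nothing to do with the hard disk. :-) A decoy!
Company name: CTD
User name: 33
Registration code: 8264051387811861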
--------------------------------------------------------------------------------
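【Copyright notice】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!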