XX输入法 V8.8版 注册算法分析
日期:2005年7月13日 破解人:Baby2008
-------------------------------------------------------------------------------------------------------------------------
『软件名称』:XX输入法 V8.8版
『软件大小』:1.50MB
『下载地址』:自己找找
『软件介绍』:让13亿中国人学会打字
『保护方式』:注册码保护
『破解工具』:OllyDbg.V1.10 聆风听雨汉化第二版
『破解过程』:
OD载入记事本(Notepad.exe),F9运行,切换到目标输入法,输入注册信息;切换到OD,查看->执行模块,双击*.ime,查找“注册码不对……”,向上来到1000D6A3处下断,点击注册按钮,OD中断在:
1000D6A3 FF15 64D70410 call dword ptr ds:[<&USER32.GetDlgItemTextA>] ; USER32.GetDlgItemTextA
1000D6A9 3BF4 cmp esi,esp
1000D6AB E8 100B0000 call DZT.1000E1C0
1000D6B0 8D55 A0 lea edx,dword ptr ss:[ebp-60]
1000D6B3 52 push edx
1000D6B4 8D45 B4 lea eax,dword ptr ss:[ebp-4C] ; 注册名
1000D6B7 50 push eax
1000D6B8 8D4D DC lea ecx,dword ptr ss:[ebp-24] ; 机器码
1000D6BB 51 push ecx
1000D6BC E8 F839FFFF call DZT.100010B9 ; SN
1000D6C1 83C4 0C add esp,0C
1000D6C4 8D55 8C lea edx,dword ptr ss:[ebp-74] ; 试炼码
1000D6C7 52 push edx
1000D6C8 8D45 A0 lea eax,dword ptr ss:[ebp-60] ; 注册码
1000D6CB 50 push eax
1000D6CC E8 FF160000 call DZT.1000EDD0 ; 比较函数
1000D6D1 83C4 08 add esp,8
1000D6D4 85C0 test eax,eax
1000D6D6 75 1C jnz short DZT.1000D6F4 ; 爆破点
1000D6D8 E8 E139FFFF call DZT.100010BE
1000D6DD 8BF4 mov esi,esp
1000D6DF 6A 01 push 1
1000D6E1 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
1000D6E4 51 push ecx
1000D6E5 FF15 E8D70410 call dword ptr ds:[<&USER32.EndDialog>] ; USER32.EndDialog
1000D6EB 3BF4 cmp esi,esp
1000D6ED E8 CE0A0000 call DZT.1000E1C0
1000D6F2 EB 1D jmp short DZT.1000D711
1000D6F4 8BF4 mov esi,esp
1000D6F6 6A 00 push 0
1000D6F8 68 84020410 push DZT.10040284
1000D6FD 68 4C020410 push DZT.1004024C ; 注册码不对
1000D702 6A 00 push 0
1000D704 FF15 F4D70410 call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
1000D70A 3BF4 cmp esi,esp
1000D70C E8 AF0A0000 call DZT.1000E1C0
1000D711 E9 9F000000 jmp DZT.1000D7B5
-----------------------------------------------------------------------------------------------------------------
跟进关键函数:
-----------------------------------------------------------------------------------------------------------------
1000DB60 55 push ebp
1000DB61 8BEC mov ebp,esp
1000DB63 81EC 88000000 sub esp,88
1000DB69 53 push ebx
1000DB6A 56 push esi
1000DB6B 57 push edi
1000DB6C 8DBD 78FFFFFF lea edi,dword ptr ss:[ebp-88]
1000DB72 B9 22000000 mov ecx,22
1000DB77 B8 CCCCCCCC mov eax,CCCCCCCC
1000DB7C F3:AB rep stos dword ptr es:[edi]
1000DB7E C645 E4 00 mov byte ptr ss:[ebp-1C],0
1000DB82 8A45 E4 mov al,byte ptr ss:[ebp-1C]
1000DB85 8845 E8 mov byte ptr ss:[ebp-18],al
1000DB88 8A4D E8 mov cl,byte ptr ss:[ebp-18]
1000DB8B 884D EC mov byte ptr ss:[ebp-14],cl
1000DB8E 6A 08 push 8 ; 8
1000DB90 8B55 08 mov edx,dword ptr ss:[ebp+8] ; 机器码
1000DB93 52 push edx ; 0
1000DB94 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; 存放机器码前面部分,记为M1
1000DB97 50 push eax
1000DB98 E8 E3060000 call DZT.1000E280 ; 取机器码前面部分M1
1000DB9D 83C4 0C add esp,0C
1000DBA0 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
1000DBA7 EB 09 jmp short DZT.1000DBB2
1000DBA9 8B4D FC mov ecx,dword ptr ss:[ebp-4]
1000DBAC 83C1 01 add ecx,1
1000DBAF 894D FC mov dword ptr ss:[ebp-4],ecx
1000DBB2 837D FC 08 cmp dword ptr ss:[ebp-4],8
1000DBB6 7D 0F jge short DZT.1000DBC7
1000DBB8 8B55 FC mov edx,dword ptr ss:[ebp-4]
1000DBBB 8A45 EC mov al,byte ptr ss:[ebp-14]
1000DBBE 024415 D0 add al,byte ptr ss:[ebp+edx-30]
1000DBC2 8845 EC mov byte ptr ss:[ebp-14],al
1000DBC5 ^ EB E2 jmp short DZT.1000DBA9
1000DBC7 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; ASCII循环累加结果,SUM1
1000DBCA 81E1 FF000000 and ecx,0FF
1000DBD0 F7D1 not ecx
1000DBD2 884D EC mov byte ptr ss:[ebp-14],cl ; Not (SUM1 AND FF)
1000DBD5 6A 08 push 8 ; 8
1000DBD7 8B55 08 mov edx,dword ptr ss:[ebp+8] ; 机器码
1000DBDA 83C2 09 add edx,9 ; 9
1000DBDD 52 push edx
1000DBDE 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; 存放机器码后面部分,记为M2
1000DBE1 50 push eax
1000DBE2 E8 99060000 call DZT.1000E280 ; Subst(机器码,9,8)取机器码后面部分
1000DBE7 83C4 0C add esp,0C
1000DBEA C745 FC 00000000 mov dword ptr ss:[ebp-4],0
1000DBF1 EB 09 jmp short DZT.1000DBFC
1000DBF3 8B4D FC mov ecx,dword ptr ss:[ebp-4]
1000DBF6 83C1 01 add ecx,1
1000DBF9 894D FC mov dword ptr ss:[ebp-4],ecx
1000DBFC 837D FC 08 cmp dword ptr ss:[ebp-4],8
1000DC00 7D 0F jge short DZT.1000DC11
1000DC02 8B55 FC mov edx,dword ptr ss:[ebp-4]
1000DC05 8A45 E8 mov al,byte ptr ss:[ebp-18]
1000DC08 024415 D0 add al,byte ptr ss:[ebp+edx-30]
1000DC0C 8845 E8 mov byte ptr ss:[ebp-18],al
1000DC0F ^ EB E2 jmp short DZT.1000DBF3 ; 循环累加
1000DC11 8B4D E8 mov ecx,dword ptr ss:[ebp-18] ; 结果记为SUM2
1000DC14 81E1 FF000000 and ecx,0FF
1000DC1A F7D1 not ecx
1000DC1C 884D E8 mov byte ptr ss:[ebp-18],cl ; NOT (M2 AND FF)
1000DC1F 8B55 0C mov edx,dword ptr ss:[ebp+C] ; 注册名
1000DC22 52 push edx
1000DC23 E8 D8050000 call DZT.1000E200 ; Length(注册名)
1000DC28 83C4 04 add esp,4
1000DC2B 8945 F4 mov dword ptr ss:[ebp-C],eax ; 注册名长度
1000DC2E C745 FC 00000000 mov dword ptr ss:[ebp-4],0
1000DC35 EB 09 jmp short DZT.1000DC40
1000DC37 8B45 FC mov eax,dword ptr ss:[ebp-4]
1000DC3A 83C0 01 add eax,1
1000DC3D 8945 FC mov dword ptr ss:[ebp-4],eax
1000DC40 8B4D FC mov ecx,dword ptr ss:[ebp-4]
1000DC43 3B4D F4 cmp ecx,dword ptr ss:[ebp-C]
1000DC46 7D 10 jge short DZT.1000DC58
1000DC48 8B55 0C mov edx,dword ptr ss:[ebp+C] ; 注册名
1000DC4B 0355 FC add edx,dword ptr ss:[ebp-4]
1000DC4E 8A45 E4 mov al,byte ptr ss:[ebp-1C]
1000DC51 0202 add al,byte ptr ds:[edx] ; Name[i]
1000DC53 8845 E4 mov byte ptr ss:[ebp-1C],al
1000DC56 ^ EB DF jmp short DZT.1000DC37 ; 循环注册名累加
1000DC58 8B4D E4 mov ecx,dword ptr ss:[ebp-1C] ; 注册名累加结果SUM_Name
1000DC5B 81E1 FF000000 and ecx,0FF
1000DC61 F7D1 not ecx
1000DC63 884D E4 mov byte ptr ss:[ebp-1C],cl ; NOT (SUM_Name AND FF)
1000DC66 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
1000DC6D EB 09 jmp short DZT.1000DC78
1000DC6F 8B55 FC mov edx,dword ptr ss:[ebp-4]
1000DC72 83C2 01 add edx,1
1000DC75 8955 FC mov dword ptr ss:[ebp-4],edx
1000DC78 837D FC 08 cmp dword ptr ss:[ebp-4],8
1000DC7C 0F8D D8000000 jge DZT.1000DD5A
1000DC82 8B45 FC mov eax,dword ptr ss:[ebp-4]
1000DC85 83C0 11 add eax,11
1000DC88 8945 B8 mov dword ptr ss:[ebp-48],eax
1000DC8B DB45 B8 fild dword ptr ss:[ebp-48]
1000DC8E 83EC 08 sub esp,8
1000DC91 DD1C24 fstp qword ptr ss:[esp]
1000DC94 E8 6B160000 call DZT.1000F304
1000DC99 83C4 08 add esp,8
1000DC9C DD5D D8 fstp qword ptr ss:[ebp-28]
1000DC9F 8B4D DC mov ecx,dword ptr ss:[ebp-24]
1000DCA2 51 push ecx
1000DCA3 8B55 D8 mov edx,dword ptr ss:[ebp-28]
1000DCA6 52 push edx
1000DCA7 68 70030410 push DZT.10040370 ; ASCII "%f"
1000DCAC 8D45 BC lea eax,dword ptr ss:[ebp-44]
1000DCAF 50 push eax
1000DCB0 E8 BB0A0000 call DZT.1000E770
1000DCB5 83C4 10 add esp,10
1000DCB8 C645 E0 00 mov byte ptr ss:[ebp-20],0
1000DCBC C745 F8 00000000 mov dword ptr ss:[ebp-8],0
1000DCC3 EB 09 jmp short DZT.1000DCCE
1000DCC5 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
1000DCC8 83C1 01 add ecx,1
1000DCCB 894D F8 mov dword ptr ss:[ebp-8],ecx
1000DCCE 8D55 BC lea edx,dword ptr ss:[ebp-44]
1000DCD1 52 push edx
1000DCD2 E8 29050000 call DZT.1000E200
1000DCD7 83C4 04 add esp,4
1000DCDA 3945 F8 cmp dword ptr ss:[ebp-8],eax
1000DCDD 7D 0F jge short DZT.1000DCEE
1000DCDF 8B45 F8 mov eax,dword ptr ss:[ebp-8]
1000DCE2 8A4D E0 mov cl,byte ptr ss:[ebp-20]
1000DCE5 024C05 BC add cl,byte ptr ss:[ebp+eax-44]
1000DCE9 884D E0 mov byte ptr ss:[ebp-20],cl
1000DCEC ^ EB D7 jmp short DZT.1000DCC5
1000DCEE 8B55 E0 mov edx,dword ptr ss:[ebp-20]
1000DCF1 81E2 FF000000 and edx,0FF
1000DCF7 8B45 EC mov eax,dword ptr ss:[ebp-14]
1000DCFA 25 FF000000 and eax,0FF
1000DCFF 33D0 xor edx,eax
1000DD01 8B4D E8 mov ecx,dword ptr ss:[ebp-18]
1000DD04 81E1 FF000000 and ecx,0FF
1000DD0A 33D1 xor edx,ecx
1000DD0C 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
1000DD0F 25 FF000000 and eax,0FF
1000DD14 33D0 xor edx,eax
1000DD16 8855 F0 mov byte ptr ss:[ebp-10],dl
1000DD19 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
1000DD1C 81E1 FF000000 and ecx,0FF
1000DD22 83F9 41 cmp ecx,41
1000DD25 7D 0B jge short DZT.1000DD32
1000DD27 8A55 F0 mov dl,byte ptr ss:[ebp-10]
1000DD2A 80C2 1A add dl,1A
1000DD2D 8855 F0 mov byte ptr ss:[ebp-10],dl
1000DD30 ^ EB E7 jmp short DZT.1000DD19
1000DD32 8B45 F0 mov eax,dword ptr ss:[ebp-10]
1000DD35 25 FF000000 and eax,0FF
1000DD3A 83F8 5B cmp eax,5B
1000DD3D 7C 0B jl short DZT.1000DD4A
1000DD3F 8A4D F0 mov cl,byte ptr ss:[ebp-10]
1000DD42 80E9 1A sub cl,1A
1000DD45 884D F0 mov byte ptr ss:[ebp-10],cl
1000DD48 ^ EB E8 jmp short DZT.1000DD32
1000DD4A 8B55 10 mov edx,dword ptr ss:[ebp+10]
1000DD4D 0355 FC add edx,dword ptr ss:[ebp-4]
1000DD50 8A45 F0 mov al,byte ptr ss:[ebp-10]
1000DD53 8802 mov byte ptr ds:[edx],al ; 存放正确注册码
1000DD55 ^ E9 15FFFFFF jmp DZT.1000DC6F ; 循环产生注册码
1000DD5A 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
1000DD5D C641 08 00 mov byte ptr ds:[ecx+8],0
1000DD61 5F pop edi
1000DD62 5E pop esi
1000DD63 5B pop ebx
1000DD64 81C4 88000000 add esp,88
1000DD6A 3BEC cmp ebp,esp
1000DD6C E8 4F040000 call DZT.1000E1C0
1000DD71 8BE5 mov esp,ebp
1000DD73 5D pop ebp
1000DD74 C3 retn
-----------------------------------------------------------------------------------------------------------------
『破解总结』:
注册算法不难,关键是浮点运算,主要目的是学习一下输入法是怎样调试的,不是PJ后自用,我只会拼音输入,丢面子,呵呵。
『注册机源代码』:
支持国产共享软件,不提供注册机源代码。
我的机器码:00000F24-3FEBF9FF
注册名:Baby2008
注册码:GMXQOTPF
注册信息保存在:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WangImage.DcomCtrl.1\Settings
直接在保存位置下建立DWord类型:wang=0 即为注册版本。
<完>
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
