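Post #2
From: morgan (morgan), Board: computer
Subject: How GSView 4.6 was cracked (original)
Posted at: 共青森林 BBS (Mon Mar 22 15:51:42 2004), internal mail
GSView is a PostScript viewer that supports PS, PDF, EPS and other kinds of PostScript
documents. It easily handles everything we need when viewing PostScript documents: searching,
printing, zooming, converting to text files, extracting figures and so on. GSView also takes
little disk space, starts quickly and has little impact on system resources,
which makes it the best choice for most users when viewing PostScript documents.
At a colleague's request, a few days ago I cracked GSView32 version 4.6 and obtained its
registration code. Here is a brief description of the analysis:
Disassemble with W32Dasm; following the error message leads here: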
0044C141 |. FF15 1C5D4A00 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
0044C147 |. 837D FC 00 CMP DWORD PTR temp2,0
0044C14B |. 74 70 JE SHORT gsview32.0044C1BD
0044C14D |. 8B55 FC MOV EDX,DWORD PTR temp2
0044C150 |. 52 PUSH EDX
0044C151 |. E8 B44EFBFF CALL gsview32.0040100A
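After tracing, I arrived here. This function is where the registration code is computed.
The function uses five stack locations, which mean the following:
SS:[EBP-14] -> 33800 (constant)
SS:[EBP-10] -> 787878787 ;the registration code I entered
SS:[EBP-C] -> counter (<32)
SS:[EBP-8] -> temp1 ;the return value after the calculation
SS:[EBP-4] -> temp2
Below are my annotations after tracing through it twice: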
004253A0 PUSH EBP
004253A1 MOV EBP,ESP
004253A3 SUB ESP,14
004253A6 MOV DWORD PTR SS:[EBP-14],8408
004253AD MOV EAX,DWORD PTR SS:[EBP+8]
004253B0 MOV DWORD PTR SS:[EBP-10],EAX
004253B3 MOV DWORD PTR SS:[EBP-8],0
004253BA MOV DWORD PTR SS:[EBP-C],0
004253C1 JMP SHORT gsview32.004253CC
004253C3 /MOV ECX,DWORD PTR SS:[EBP-C] ;ECX=0000 0000
004253C6 |ADD ECX,1 ;ECX=0000 0001
004253C9 |MOV DWORD PTR SS:[EBP-C],ECX ;SS:[EBP-C] = ECX
/***************** for(counter=0;counter < 32;counter++) ************/
004253CC CMP DWORD PTR SS:[EBP-C],20
004253D0 |JNB SHORT gsview32.00425407 ;leave the loop once counter >= 0x20
004253D2 |MOV EDX,DWORD PTR SS:[EBP-8] ;EDX = 0000 0000
004253D5 |AND EDX,1 ;EDX = 0000 0001
004253D8 |MOV DWORD PTR SS:[EBP-4],EDX ;SS:[EBP-4] = 0000 0000
/************************** temp2 = temp1 & 1; ****************************/
004253DB |MOV EAX,DWORD PTR SS:[EBP-8] ;EAX = 0000 8000
004253DE |SHR EAX,1 ;EAX = 0000 4000,0000 6000
004253E0 |MOV ECX,DWORD PTR SS:[EBP-10] ;ECX=787878787,393939393,196969696
004253E3 |AND ECX,1 ;ECX=0000 0001,0000 0001
004253E6 |SHL ECX,0F ;ECX=0000 8000,0000 8000
004253E9 |ADD EAX,ECX ;EAX=0000 8000,0000 C000
004253EB |MOV DWORD PTR SS:[EBP-8],EAX ;SS:[EBP-8] = EAX
/******************** temp1 = (temp1>>1) + ((sn & 1) << 0xf) *************/
004253EE |CMP DWORD PTR SS:[EBP-4],1 ;if(SS:[EBP-4] == 1), i.e. temp2 == 1
004253F2 |JNZ SHORT gsview32.004253FD ;jump if not equal
004253F4 |MOV EDX,DWORD PTR SS:[EBP-8] ;EDX = 2497
004253F7 |XOR EDX,DWORD PTR SS:[EBP-14] ;SS:[EBP-14] = 0000 8408
004253FA |MOV DWORD PTR SS:[EBP-8],EDX ;EDX = 36297
/********************* temp1 = temp1 ^ CONST; *****************************/
004253FD |MOV EAX,DWORD PTR SS:[EBP-10] ;EAX=787878787,393939393,196969696
00425400 |SHR EAX,1 ;EAX=393939393,196969696,98484848
00425402 |MOV DWORD PTR SS:[EBP-10],EAX ;SS:[EBP-10] = EAX
00425405 \JMP SHORT gsview32.004253C3
00425407 MOV EAX,DWORD PTR SS:[EBP-8]
0042540A MOV ESP,EBP
0042540C POP EBP
0042540D RETN
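Below is the calculation in VC, reversed from the assembly.
m_serial1 and m_serial2 are two EDIT controls: m_serial1 holds the number entered and
m_serial2 holds the computed result. The whole calculation is independent of the user name.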
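#include <stdlib.h>   // atoi

void CGsView32Dlg::OnCalculate()
{
    // Copy the current contents of the edit controls into the member variables.
    UpdateData(TRUE);
    const unsigned int CNT = 0x8408;   // constant stored at SS:[EBP-14]
    unsigned int sn = 0, counter = 0, temp1 = 0, temp2 = 0;
    sn = atoi(m_serial1);              // the number typed into the first edit box
    for (counter = 0; counter < 32; counter++)
    {
        temp2 = temp1 & 1;                          // bit about to be shifted out of temp1
        temp1 = (temp1 >> 1) + ((sn & 1) << 0xf);   // shift the low bit of sn in at bit 15
        if (temp2 == 1)
        {
            temp1 ^= CNT;
        }
        sn >>= 1;                                   // move on to the next bit of sn
    }
    // temp1 is unsigned, so format it with %u.
    m_serial2.Format("%u", temp1);
    // Push the result back into the second edit box.
    UpdateData(FALSE);
}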
Anyone who needs the keygen can contact me: acesong#tom.com
Here is one registration code:
m_serial1=19771215
m_serial2=39294
Post #3
It's great to be able to crack :D