标 题:TextAloudMp3
发信人:ShenGe
时 间:2003/08/01 00:08am
详细信息:
〖软件大小〗:4525KB
〖软件语言〗:英文
〖软件类别〗:国外软件/共享版/音频工具
〖运行环境〗:Win9x/Me/NT/2000/XP
〖加入时间〗:2003-7-30 17:30:44
〖下载地址〗:http://www.getafile.com/cgi-bin/merlot/get/nextup/TxAl1452.exe
〖软件评级〗:☆☆☆☆
【软件介绍】:
TextAloud MP3是一个相当新颖的应用程序,它可以转换任何应用程序中的文字成为声音或MP3文件(很可惜的,目前并不支持中文字的发声)。平常是常驻在Windows系统列中,随时等待使用者利用它来读取Email、Web page或其它文件中的文字。TextAloud MP3是利用监视剪贴簿的方式来抓取所要发声的文字(所以使用者可以直接利用复制文字的方式来启动TextAloud MP3),而使用者可以决定是要马上聆听,还是转存成MP3、WAV文件,等到有空闲时再利用喜欢的MP3播放程序来收听。除了TextAloud MP3内附的声音之外,使用者还可以到作者网页去下载其它的声音,让使用者可以随自己的喜好来变换发声的人喔!
〖破解工具〗:TRW1.22娃娃修改版,OllyDbgV1.09,WdasmV10.0,Guw
〖作者声明〗:初学破解,仅作学习交流之用,失误之处敬请大侠赐教.
【简要过程】:
试验码:2234567865148455
好久没来论坛了,发觉鲜有破文,大概大家都太忙了,抽空找了两个简单的软件,把过程
放上来顶顶人气,高手莫见笑!
用Pe-scan检测是aspack2.12的壳,用pe-scan的脱壳功能脱壳成功,但是不能运行!
请求GUW搞定,621K-->1578K.照例是用TRW找断点(bpx hmemcpy),OD载入分析!
..........(略)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497BDE(C)
|
:00497C23 8D55FC lea
edx, dword ptr [ebp-04]
:00497C26 8B835C030000 mov eax, dword
ptr [ebx+0000035C]
:00497C2C E82BF5F9FF call
0043715C
:00497C31 689999F13F push
3FF19999
:00497C36 689A999999 push
9999999A
:00497C3B 8B55FC mov
edx, dword ptr [ebp-04]
<===edx="2234567865148455",假码!
:00497C3E 8B837C030000 mov eax, dword
ptr [ebx+0000037C]
:00497C44 E803E6FFFF call
0049624C
<===关键的Call,追算法就跟进吧!
:00497C49 3C01
cmp al, 01
:00497C4B 7543
jne 00497C90
* Possible StringData Ref from
Code Obj ->"Thank you for your purchase."
|
:00497C4D B80C7D4900 mov eax,
00497D0C
:00497C52 E8714AFCFF call
0045C6C8
<===是不是很有成就感!
:00497C57 8B837C030000 mov eax, dword
ptr [ebx+0000037C]
:00497C5D 8B10
mov edx, dword ptr [eax]
:00497C5F FF12
call dword ptr [edx]
:00497C61 84C0
test al, al
:00497C63 7409
je 00497C6E
:00497C65 B201
mov dl, 01
:00497C67 8BC3
mov eax, ebx
:00497C69 E8F2F3FFFF call
00497060
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00497C63(C)
|
:00497C6E 8B45FC mov
eax, dword ptr [ebp-04]
* Possible StringData Ref from
Code Obj ->"1234123412341234"
|
:00497C71 BA347D4900 mov edx,
00497D34
:00497C76 E815C6F6FF call
00404290
:00497C7B 751D
jne 00497C9A
:00497C7D C7833402000001000000 mov dword ptr [ebx+00000234],
00000001
:00497C87 8BC3
mov eax, ebx
:00497C89 E802AAFBFF call
00452690
:00497C8E EB0A
jmp 00497C9A
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00497C4B(C)
|
* Possible StringData Ref from
Code Obj ->"Invalid Registration Code."
|
:00497C90 B8507D4900 mov eax,
00497D50
:00497C95 E82E4AFCFF call
0045C6C8
<===:(!真是讨人厌!
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00497BF6(C), :00497C11(C), :00497C21(U), :00497C7B(C), :00497C8E(U)
|
:00497C9A 33C0
xor eax, eax
:00497C9C 5A
pop edx
:00497C9D 59
pop ecx
:00497C9E 59
pop ecx
:00497C9F 648910 mov
dword ptr fs:[eax], edx
:00497CA2 68C77C4900 push
00497CC7
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00497CC5(U)
|
:00497CA7 8D45EC lea
eax, dword ptr [ebp-14]
:00497CAA E835C2F6FF call
00403EE4
:00497CAF 8D45F0 lea
eax, dword ptr [ebp-10]
:00497CB2 E82DC2F6FF call
00403EE4
:00497CB7 8D45FC lea
eax, dword ptr [ebp-04]
:00497CBA E825C2F6FF call
00403EE4
:00497CBF C3
ret
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
①跟进上面的那个关键的Call,来到如下代码:
:0049624C 55
push ebp
:0049624D 8BEC
mov ebp, esp
-------------------------------------------------------
:0049624F B910000000 mov ecx,
00000010
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00496259(C)
|
:00496254 6A00
push 00000000
:00496256 6A00
push 00000000
:00496258 49
dec ecx
:00496259 75F9
jne 00496254
-------------------------------------------------------
清16个堆栈单元0
:0049625B 51
push ecx
:0049625C 53
push ebx
:0049625D 56
push esi
:0049625E 57
push edi
:0049625F 8955FC mov
dword ptr [ebp-04], edx
:00496262 8BF0
mov esi, eax
:00496264 8B45FC mov
eax, dword ptr [ebp-04]
:00496267 E8C8E0F6FF call
00404334
:0049626C 33C0
xor eax, eax
:0049626E 55
push ebp
:0049626F 687D644900 push
0049647D
:00496274 64FF30 push
dword ptr fs:[eax]
:00496277 648920 mov
dword ptr fs:[eax], esp
:0049627A 8BC6
mov eax, esi
:0049627C E82FF5FFFF call
004957B0
:00496281 33DB
xor ebx, ebx
:00496283 8D55E4 lea
edx, dword ptr [ebp-1C]
:00496286 8B45FC mov
eax, dword ptr [ebp-04]
:00496289 E85E33F7FF call
004095EC
:0049628E 8B55E4 mov
edx, dword ptr [ebp-1C]
:00496291 8D45FC lea
eax, dword ptr [ebp-04]
:00496294 E8E3DCF6FF call
00403F7C
:00496299 8B45FC mov
eax, dword ptr [ebp-04]
<===eax="2234567865148455"
* Possible StringData Ref from
Code Obj ->"2234123412341234"
|
:0049629C BA98644900 mov edx,
00496498
<===edx="1234123412341234"
猜一下,注册码应该是16位
:004962A1 E8EADFF6FF call
00404290
:004962A6 7510
jne 004962B8
:004962A8 B201
mov dl, 01
:004962AA 8BC6
mov eax, esi
:004962AC E82BFBFFFF call
00495DDC
:004962B1 8BD8
mov ebx, eax
:004962B3 E961010000 jmp 00496419
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004962A6(C)
|
:004962B8 8B55FC mov
edx, dword ptr [ebp-04]
<===edx="2234567865148455"
:004962BB 8BC6
mov eax, esi
:004962BD E8CAFCFFFF call
00495F8C
<====此Call当然也要跟进的!②
:004962C2 84C0
test al, al
:004962C4 0F844F010000 je 00496419
<===关键跳转!why?因为00496419距现在的代码
位置004962C4有很大一段嘛!紧接着后面的大概
是注册表操作了
:004962CA 8B55FC mov
edx, dword ptr [ebp-04]
:004962CD 8BC6
mov eax, esi
:004962CF E880F3FFFF call
00495654
:004962D4 3C01
cmp al, 01
:004962D6 0F843D010000 je 00496419
:004962DC B301
mov bl, 01
:004962DE E8194FF7FF call
0040B1FC
:004962E3 DD5DF0 fstp
qword ptr [ebp-10]
:004962E6 9B
wait
:004962E7 FF75F4 push
[ebp-0C]
:004962EA FF75F0 push
[ebp-10]
:004962ED 8D45E8 lea
eax, dword ptr [ebp-18]
:004962F0 E81F4AF7FF call
0040AD14
:004962F5 33C9
xor ecx, ecx
:004962F7 B201
mov dl, 01
* Possible StringData Ref from
Code Obj ->"?A"
|
:004962F9 A184D74700 mov eax,
dword ptr [0047D784]
:004962FE E8D975FEFF call
0047D8DC
:00496303 8BF8
mov edi, eax
:00496305 C6472D00 mov
[edi+2D], 00
:00496309 8D4728 lea
eax, dword ptr [edi+28]
:0049630C 8B4E14 mov
ecx, dword ptr [esi+14]
* Possible StringData Ref from
Code Obj ->"Software\Microsof\"
|
:0049630F BAB4644900 mov edx,
004964B4
:00496314 E8B3DEF6FF call
004041CC
:00496319 8D45D4 lea
eax, dword ptr [ebp-2C]
:0049631C 8B55FC mov
edx, dword ptr [ebp-04]
:0049631F E844F2F6FF call
00405568
:00496324 8D4DD4 lea
ecx, dword ptr [ebp-2C]
* Possible StringData Ref from
Code Obj ->"SerNum"
|
:00496327 BAD0644900 mov edx,
004964D0
:0049632C 8BC7
mov eax, edi
:0049632E E8C978FEFF call
0047DBFC
:00496333 C6472D02 mov
[edi+2D], 02
:00496337 8D4728 lea
eax, dword ptr [edi+28]
:0049633A 8B4E14 mov
ecx, dword ptr [esi+14]
* Possible StringData Ref from
Code Obj ->"Software\Microsof\"
|
:0049633D BAB4644900 mov edx,
004964B4
:00496342 E885DEF6FF call
004041CC
:00496347 8D45C4 lea
eax, dword ptr [ebp-3C]
:0049634A 8B55FC mov
edx, dword ptr [ebp-04]
:0049634D E816F2F6FF call
00405568
:00496352 8D4DC4 lea
ecx, dword ptr [ebp-3C]
* Possible StringData Ref from
Code Obj ->"SerNum"
|
:00496355 BAD0644900 mov edx,
004964D0
:0049635A 8BC7
mov eax, edi
:0049635C E89B78FEFF call
0047DBFC
:00496361 C6472D00 mov
[edi+2D], 00
:00496365 DD4508 fld
qword ptr [ebp+08]
:00496368 83C4F4 add
esp, FFFFFFF4
:0049636B DB3C24 fstp
tbyte ptr [esp]
:0049636E 9B
wait
:0049636F 8D45B0 lea
eax, dword ptr [ebp-50]
:00496372 E8F948F7FF call
0040AC70
:00496377 8B55B0 mov
edx, dword ptr [ebp-50]
:0049637A 8D45B4 lea
eax, dword ptr [ebp-4C]
:0049637D E8E6F1F6FF call
00405568
:00496382 8D4DB4 lea
ecx, dword ptr [ebp-4C]
* Possible StringData Ref from
Code Obj ->"RegVersion"
|
:00496385 BAE0644900 mov edx,
004964E0
:0049638A 8BC7
mov eax, edi
:0049638C E86B78FEFF call
0047DBFC
:00496391 8D55F8 lea
edx, dword ptr [ebp-08]
:00496394 8B75EC mov
esi, dword ptr [ebp-14]
:00496397 8BC6
mov eax, esi
:00496399 E8F235F7FF call
00409990
:0049639E 8D45A0 lea
eax, dword ptr [ebp-60]
:004963A1 8B55F8 mov
edx, dword ptr [ebp-08]
:004963A4 E8BFF1F6FF call
00405568
:004963A9 8D4DA0 lea
ecx, dword ptr [ebp-60]
..........(略)
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
②将跟踪进行到底,接着跟进:
:00495F8C 55
push ebp
:00495F8D 8BEC
mov ebp, esp
------------------------------------------------------
:00495F8F B906000000 mov ecx,
00000006
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00495F99(C)
|
:00495F94 6A00
push 00000000
:00495F96 6A00
push 00000000
:00495F98 49
dec ecx
:00495F99 75F9
jne 00495F94
------------------------------------------------------
:00495F9B 53
push ebx
:00495F9C 56
push esi
:00495F9D 57
push edi
:00495F9E 8955FC mov
dword ptr [ebp-04], edx
:00495FA1 8BD8
mov ebx, eax
:00495FA3 8B45FC mov
eax, dword ptr [ebp-04]
:00495FA6 E889E3F6FF call
00404334
:00495FAB 33C0
xor eax, eax
:00495FAD 55
push ebp
:00495FAE 6827624900 push
00496227
:00495FB3 64FF30 push
dword ptr fs:[eax]
:00495FB6 648920 mov
dword ptr fs:[eax], esp
:00495FB9 8BC3
mov eax, ebx
:00495FBB E8F0F7FFFF call
004957B0
:00495FC0 C645FB00 mov
[ebp-05], 00
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00495F4B(C)
|
:00495FC4 8D55E4 lea
edx, dword ptr [ebp-1C]
:00495FC7 8B45FC mov
eax, dword ptr [ebp-04]
:00495FCA E81D36F7FF call
004095EC
:00495FCF 8B55E4 mov
edx, dword ptr [ebp-1C]
:00495FD2 8D45FC lea
eax, dword ptr [ebp-04]
:00495FD5 E8A2DFF6FF call
00403F7C
:00495FDA 807B1C00 cmp
byte ptr [ebx+1C], 00
:00495FDE 7456
je 00496036
:00495FE0 8B55FC mov
edx, dword ptr [ebp-04]
:00495FE3 B840624900 mov eax,
00496240
:00495FE8 E87FE4F6FF call
0040446C
:00495FED 8BF0
mov esi, eax
:00495FEF 85F6
test esi, esi
:00495FF1 0F8400020000 je 004961F7
:00495FF7 8D45E8 lea
eax, dword ptr [ebp-18]
:00495FFA 50
push eax
:00495FFB 8D5601 lea
edx, dword ptr [esi+01]
:00495FFE B9FFFFFF7F mov ecx,
7FFFFFFF
:00496003 8B45FC mov
eax, dword ptr [ebp-04]
:00496006 E87DE3F6FF call
00404388
:0049600B 8B55E8 mov
edx, dword ptr [ebp-18]
:0049600E B840624900 mov eax,
00496240
:00496013 E854E4F6FF call
0040446C
:00496018 8BF0
mov esi, eax
:0049601A 85F6
test esi, esi
:0049601C 0F84D5010000 je 004961F7
:00496022 8D45FC lea
eax, dword ptr [ebp-04]
:00496025 50
push eax
:00496026 8D5601 lea
edx, dword ptr [esi+01]
:00496029 B9FFFFFF7F mov ecx,
7FFFFFFF
:0049602E 8B45E8 mov
eax, dword ptr [ebp-18]
:00496031 E852E3F6FF call
00404388
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00495FDE(C)
|
:00496036 8B45FC mov
eax, dword ptr [ebp-04]
<===eax="2234567865148455",假码!
:00496039 E842E1F6FF call
00404180
<===取假码位数
:0049603E 83F810 cmp
eax, 00000010
<===果然注册码应为16位
:00496041 0F85B0010000 jne 004961F7
:00496047 8D45E8 lea
eax, dword ptr [ebp-18]
:0049604A 50
push eax
----------------------------------------------------
:0049604B B903000000 mov ecx,
00000003
:00496050 BA01000000 mov edx,
00000001
:00496055 8B45FC mov
eax, dword ptr [ebp-04]
<===eax="2234567865148455"
:00496058 E82BE3F6FF call
00404388
----------------------------------------------------
呵呵,标准的Api调用,从假码的第1位向后取3个字符,[eax]="223"
:0049605D 33C0
xor eax, eax
:0049605F 55
push ebp
:00496060 687F604900 push
0049607F
:00496065 64FF30 push
dword ptr fs:[eax]
:00496068 648920 mov
dword ptr fs:[eax], esp
:0049606B 8B45E8 mov
eax, dword ptr [ebp-18]
<===eax="223"
:0049606E E8BD39F7FF call
00409A30
<===Dec--->Hex,即223(D)-->DF(H)
:00496073 8BF0
mov esi, eax
:00496075 33C0
xor eax, eax
:00496077 5A
pop edx
:00496078 59
pop ecx
:00496079 59
pop ecx
:0049607A 648910 mov
dword ptr fs:[eax], edx
:0049607D EB14
jmp 00496093
:0049607F E900D5F6FF jmp 00403584
:00496084 E817D9F6FF call
004039A0
:00496089 E969010000 jmp 004961F7
:0049608E E80DD9F6FF call
004039A0
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0049607D(U)
|
:00496093 837B246F cmp
dword ptr [ebx+24], 0000006F
<===[ebx+24]中为定值DF
:00496097 7506
jne 0049609F
:00496099 8B4320 mov
eax, dword ptr [ebx+20]
:0049609C 894324 mov
dword ptr [ebx+24], eax
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00496097(C)
|
:0049609F 3B7320 cmp
esi, dword ptr [ebx+20]
<===[ebx+20]中为定值DE,esi为DF(H),222的十六进制
:004960A2 7409
je 004960AD
:004960A4 3B7324 cmp
esi, dword ptr [ebx+24]
<===[ebx+24]中为定值DF,看来注册码的前3位
应该为223(DF)或222(DE),幸运!
:004960A7 0F854A010000 jne 004961F7
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004960A2(C)
|
:004960AD 8D45E8 lea
eax, dword ptr [ebp-18]
:004960B0 50
push eax
-----------------------------------------------------------
:004960B1 B905000000 mov ecx,
00000005
:004960B6 BA04000000 mov edx,
00000004
:004960BB 8B45FC mov
eax, dword ptr [ebp-04]
:004960BE E8C5E2F6FF call
00404388
-----------------------------------------------------------
不用注释了吧!
:004960C3 33C0
xor eax, eax
:004960C5 55
push ebp
:004960C6 68E5604900 push
004960E5
:004960CB 64FF30 push
dword ptr fs:[eax]
:004960CE 648920 mov
dword ptr fs:[eax], esp
:004960D1 8B45E8 mov
eax, dword ptr [ebp-18]
<===eax="45678",假码4~8位
:004960D4 E85739F7FF call
00409A30
:004960D9 8BF8
mov edi, eax
<===edi=B26E(H)-->45678(D)
:004960DB 33C0
xor eax, eax
:004960DD 5A
pop edx
:004960DE 59
pop ecx
:004960DF 59
pop ecx
:004960E0 648910 mov
dword ptr fs:[eax], edx
:004960E3 EB14
jmp 004960F9
:004960E5 E99AD4F6FF jmp 00403584
:004960EA E8B1D8F6FF call
004039A0
:004960EF E903010000 jmp 004961F7
:004960F4 E8A7D8F6FF call
004039A0
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004960E3(U)
|
:004960F9 81FF10270000 cmp edi, 00002710
<===比较是否小于10000,即判断第4位是否为0
:004960FF 0F8CF2000000 jl 004961F7
:00496105 8D45E8 lea
eax, dword ptr [ebp-18]
:00496108 50
push eax
------------------------------------------------------------
:00496109 B908000000 mov ecx,
00000008
:0049610E BA0A000000 mov edx,
0000000A
:00496113 8B45FC mov
eax, dword ptr [ebp-04]
:00496116 E86DE2F6FF call
00404388
------------------------------------------------------------
:0049611B 33C0
xor eax, eax
:0049611D 55
push ebp
:0049611E 684A614900 push
0049614A
:00496123 64FF30 push
dword ptr fs:[eax]
:00496126 648920 mov
dword ptr fs:[eax], esp
:00496129 8D4DE0 lea
ecx, dword ptr [ebp-20]
:0049612C 8B55E8 mov
edx, dword ptr [ebp-18]
<===edx="5148455",假码后7位
:0049612F 8BC3
mov eax, ebx
:00496131 E8DE040000 call
00496614
:00496136 8B45E0 mov
eax, dword ptr [ebp-20]
<===eax="5148455"
:00496139 E89A4BF7FF call
0040ACD8
<===这个Call大概是将字符型转换成整数型
:0049613E DDD8
fstp st(0)
<===FSTP dest
dest <- st(0) (mem32/mem64/mem80);
然后再执行一次出栈操作
:00496140 33C0
xor eax, eax
:00496142 5A
pop edx
:00496143 59
pop ecx
:00496144 59
pop ecx
:00496145 648910 mov
dword ptr fs:[eax], edx
:00496148 EB14
jmp 0049615E
:0049614A E935D4F6FF jmp 00403584
:0049614F E84CD8F6FF call
004039A0
:00496154 E99E000000 jmp 004961F7
:00496159 E842D8F6FF call
004039A0
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00496148(U)
|
:0049615E 8D0437 lea
eax, dword ptr [edi+esi]
<===eax=B26E+DF=B34D(H)-->45901
B26E和DF应该还有印象吧,对应45678和223的Hex
:00496161 8945DC mov
dword ptr [ebp-24], eax
:00496164 DB45DC fild
dword ptr [ebp-24]
<===FILD src 装入整数到st(0)
st(0) <- src (mem16/mem32/mem64)
即45901装入到st(0)
:00496167 D95DF0 fstp
dword ptr [ebp-10]
:0049616A 9B
wait
:0049616B DB4328 fild
dword ptr [ebx+28]
<===[ebx+28]中为定值5
:0049616E D84DF0 fmul
dword ptr [ebp-10]
<===FMUL st(i) 即 st(0) <- st(0)
* st(i)
5*45091=229505
:00496171 D95DF0 fstp
dword ptr [ebp-10]
<===结果存入[ebp-10]中
:00496174 9B
wait
:00496175 EB0A
jmp 00496181
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0049618D(C)
|
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00496177 DB432C fild
dword ptr [ebx+2C]
<===[ebx+2c]中为定值8
:0049617A D84DF0 fmul
dword ptr [ebp-10]
<===8*229505=1836040
:0049617D D95DF0 fstp
dword ptr [ebp-10]
<===结果存入[ebp-10]
:00496180 9B
wait
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00496175(U)
|
:00496181 D945F0 fld
dword ptr [ebp-10]
<===取上面的计算结果229505
:00496184 D81D44624900 fcomp dword
ptr [00496244]
<===FCOM op 实数比较
将标志位设置为 st(0) - op (mem32/mem64)的
结果标志位
比较是否小于10000000,小于的话接着乘8,我最后
得到的值为14688320
:0049618A DFE0
fstsw ax
<===FSTSW dest 保存状态字的值到dest
dest<-MSW (mem16)
:0049618C 9E
sahf
:0049618D 72E8
jb 00496177
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:0049618F 81FF30750000 cmp edi, 00007530
<===比较是否小于30000,记得edi中是什么吗?
B26E(H)--->45678(D),注册码的第4~8位
:00496195 7E0D
jle 004961A4
:00496197 D945F0 fld
dword ptr [ebp-10]
:0049619A D82548624900 fsub dword
ptr [00496248]
<===[00496248]中为定值1
FSUB src即 st(0) <-st(0) - src
(reg/mem)
14688320-1=14688319
:004961A0 D95DF0
fstp dword ptr [ebp-10]
:004961A3 9B
wait
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00496195(C)
|
:004961A4 8D55D8 lea
edx, dword ptr [ebp-28]
:004961A7 8BC6
mov eax, esi
<===eax=7B
:004961A9 E8E237F7FF call
00409990
<===十六进制--->十进制
:004961AE FF75D8 push
[ebp-28]
:004961B1 8D55D4 lea
edx, dword ptr [ebp-2C]
:004961B4 8BC7
mov eax, edi
<===eax=B26E(H)-->45678(D)
:004961B6 E8D537F7FF call
00409990
:004961BB FF75D4 push
[ebp-2C]
:004961BE D945F0 fld
dword ptr [ebp-10]
<===取上面的计算结果14688319
:004961C1 83C4F4 add
esp, FFFFFFF4
:004961C4 DB3C24 fstp
tbyte ptr [esp]
:004961C7 9B
wait
:004961C8 8D45D0 lea
eax, dword ptr [ebp-30]
:004961CB E8A04AF7FF call
0040AC70
:004961D0 FF75D0 push
[ebp-30]
:004961D3 8D45EC lea
eax, dword ptr [ebp-14]
:004961D6 BA03000000 mov edx,
00000003
:004961DB E860E0F6FF call
00404240
:004961E0 8B45EC mov
eax, dword ptr [ebp-14]
<===eax="2234567814688319"
:004961E3 8B55FC mov
edx, dword ptr [ebp-04]
<===edx="2234567865148455"
:004961E6 E8A5E0F6FF call
00404290
<===不用说是比对的Call了
:004961EB 7406
je 004961F3
:004961ED C645FB00 mov
[ebp-05], 00
<===置标志位0,失败!
:004961F1 EB04
jmp 004961F7
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004961EB(C)
|
:004961F3 C645FB01 mov
[ebp-05], 01
<===置标志位1,成功!
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00495FF1(C), :0049601C(C), :00496041(C), :00496089(U), :004960A7(C)
|:004960EF(U), :004960FF(C), :00496154(U), :004961F1(U)
|
:004961F7 33C0
xor eax, eax
:004961F9 5A
pop edx
:004961FA 59
pop ecx
:004961FB 59
pop ecx
:004961FC 648910 mov
dword ptr fs:[eax], edx
:004961FF 682E624900 push
0049622E
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0049622C(U)
|
:00496204 8D45D0 lea
eax, dword ptr [ebp-30]
:00496207 BA03000000 mov edx,
00000003
:0049620C E8F7DCF6FF call
00403F08
:00496211 8D45E0 lea
eax, dword ptr [ebp-20]
:00496214 BA04000000 mov edx,
00000004
:00496219 E8EADCF6FF call
00403F08
:0049621E 8D45FC lea
eax, dword ptr [ebp-04]
:00496221 E8BEDCF6FF call
00403EE4
:00496226 C3
ret
:00496227 E90CD6F6FF jmp 00403838
:0049622C EBD6
jmp 00496204
:0049622E 8A45FB mov
al, byte ptr [ebp-05]
:00496231 5F
pop edi
:00496232 5E
pop esi
:00496233 5B
pop ebx
:00496234 8BE5
mov esp, ebp
:00496236 5D
pop ebp
:00496237 C3
ret
【总结】:这个软件的算法也很简单,同样有浮点运算。
注册码必须为16位,前3位须为222或223,设为a;设后5位为b(须大于10000),
则注册码的最后8位c为:
c=(a+b)*5*8,若c<10000000,则c再乘8,依此往后类推直至c>10000000为止
如果b>30000,则注册码的后8位为c-1,若b<30000,则注册码的后8位为c
软件注册成功后将注册信息保存在注册表的
HKEY_CURRENT_USER\Software\Microsof\TATrialLoc下.
放上1个可用的注册码:2234567814688319
Cracked By ShenGe[BCG] 2003.7.31