Windows System Switching Tool: algorithm analysis and keygen
Download address: http://www4.skycn.com/soft/8306.html
Windows System Switching Tools V1.09.1208
Size: 1312 KB. Language: Simplified Chinese. Category: domestic software / shareware / system, other. Platform: Win9x/NT/2000/XP. Added: 2002-12-10 10:07:34. Downloads: 11796.
Online registration: click here to become a registered user ==> Contact: EasunleE@21cn.com. Business site: http://easunlee.diy.163.com/
Software introduction: Easun Studio's Windows System Switching Tool is a godsend for anyone who has several Windows installations. You may have had this experience: for one reason or another you install several copies of Windows (say Chinese Win98, English Win98 and Win2000), but switching between them is painful. Windows 2000 at least provides a startup menu; Win95/98/Me gives you no such menu and you have to switch from DOS. There are plenty of multi-boot tools online, but almost all of them overwrite the boot sector with their own module and do the switching under DOS (a character interface), which is neither safe nor convenient, and their interfaces are awkward. Could there be a user-friendly, safe and convenient switching tool that works from inside Windows? That is exactly why Lu Yang wrote this one. The interface is attractive and easy to operate, it never overwrites your boot sector with its own module, it is safe and reliable, it runs under Windows 95/98/Me/2000/XP, and it frees you completely from DOS and the character interface! As an extra, the software can also configure the system and restore IE settings.
=========================================================================

A couple of days ago I made a mess of my machine's boot.ini, so I grabbed this little tool to tidy it up, and while I was at it I cracked it. It is very simple; ones this simple are hard to find nowadays. First have a look: an ASPack shell. Unpack it, and it turns out to be my favourite, VC :D. Below it is easy to find the following:
Code:
:0040715B 50                      PUSH EAX
* Possible StringData Ref from Data Obj ->"%s"
|
:0040715C 68A4A24100              PUSH 0041A2A4
:00407161 51                      PUSH ECX
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00407162 E8B5970000              CALL 0041091C          ; this call is GetWindowText (programs written in MFC are easy to read)
:00407167 8B542420                MOV EDX, DWORD PTR [ESP+20]
:0040716B 83C40C                  ADD ESP, 0000000C
:0040716E 8B42F8                  MOV EAX, DWORD PTR [EDX-08]
:00407171 85C0                    TEST EAX, EAX          ; the user name length must not be 0
:00407173 ....                    (conditional jump taken when the length is 0; bytes and target are garbled in the original listing)
........
:004071AA 50                      PUSH EAX
* Possible StringData Ref from Data Obj ->"%s"
|
:004071AB 68A4A24100              PUSH 0041A2A4
:004071B0 51                      PUSH ECX
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:004071B1 E866970000              CALL 0041091C          ; GetWindowText: read the registered name
:004071B6 8B4C241C                MOV ECX, DWORD PTR [ESP+1C]
:004071BA BB03000000              MOV EBX, 00000003      ; EBX = 3
:004071BF 83C40C                  ADD ESP, 0000000C
:004071C2 8B41F8                  MOV EAX, DWORD PTR [ECX-08]
:004071C5 3BC3                    CMP EAX, EBX
:004071C7 7D0E                    JGE 004071D7           ; the registered name must be at least 3 characters long
:004071C9 6AFF                    PUSH FFFFFFFF
:004071CB 6A00                    PUSH 00000000
:004071CD 6833F00000              PUSH 0000F033
:004071D2 E997020000              JMP 0040746E           ; otherwise, off to the failure path

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004071C7(C)
|
* Reference To: MSVCRT._mbsicmp, Ord:015Fh
|
:004071D7 8B3580444100            MOV ESI, DWORD PTR [00414480]
* Possible StringData Ref from Data Obj ->"Bai Mountain Crack Network"   ; blacklist
|
:004071DD 6898A64100              PUSH 0041A698
:004071E2 51                      PUSH ECX
:004071E3 FFD6                    CALL ESI
:004071E5 83C408                  ADD ESP, 00000008
:004071E8 85C0                    TEST EAX, EAX
:004071EA 0F8475020000            JE 00407465            ; a match (_mbsicmp returns 0) means failure
:004071F0 8B542410                MOV EDX, DWORD PTR [ESP+10]
* Possible StringData Ref from Data Obj ->"zhenlong [bcg]"   ; someone from BCG is on the blacklist :D
|
:004071F4 6888A64100              PUSH 0041A688
:004071F9 52                      PUSH EDX
:004071FA FFD6                    CALL ESI
:004071FC 83C408                  ADD ESP, 00000008
:004071FF 85C0                    TEST EAX, EAX
:00407201 0F845E020000            JE 00407465
:00407207 6A01                    PUSH 00000001
:00407209 6A00                    PUSH 00000000
:0040720B 6874040000              PUSH 00000474
:00407210 8BCD                    MOV ECX, EBP
* Reference To: MFC42.Ordinal:0C17, Ord:0C17h
|
:00407212 E811970000              CALL 00410928
:00407217 8BF0                    MOV ESI, EAX           ; ESI = the registration code we typed, as a number (pushed as the second argument below)
:00407219 8D442410                LEA EAX, DWORD PTR [ESP+10]
:0040721D 56                      PUSH ESI
:0040721E 51                      PUSH ECX
:0040721F 8BCC                    MOV ECX, ESP
:00407221 89642420                MOV DWORD PTR [ESP+20], ESP
:00407225 50                      PUSH EAX
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00407226 E847980000              CALL 00410A72
:0040722B 8BCD                    MOV ECX, EBP
:0040722D E80E030000              CALL 00407540          ; this call is where the trick is
:00407232 85C0                    TEST EAX, EAX
:00407234 0F842B020000            JE 00407465            ; the key jump; the call above it is analysed next:
* Referenced by a CALL at Address:
|:0040722D
|
:00407540 6AFF                    PUSH FFFFFFFF
:00407542 68581D4100              PUSH 00411D58
:00407547 64A100000000            MOV EAX, DWORD PTR FS:[00000000]
:0040754D 50                      PUSH EAX
:0040754E 64892500000000          MOV DWORD PTR FS:[00000000], ESP
:00407555 83EC10                  SUB ESP, 00000010
:00407558 53                      PUSH EBX
:00407559 55                      PUSH EBP
:0040755A 56                      PUSH ESI
:0040755B 57                      PUSH EDI
:0040755C 8BF9                    MOV EDI, ECX
:0040755E 51                      PUSH ECX
:0040755F 8D442434                LEA EAX, DWORD PTR [ESP+34]
:00407563 8BCC                    MOV ECX, ESP
:00407565 8964241C                MOV DWORD PTR [ESP+1C], ESP
:00407569 50                      PUSH EAX
:0040756A C744243000000000        MOV DWORD PTR [ESP+30], 00000000
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00407572 E8FB940000              CALL 00410A72
:00407577 8BCF                    MOV ECX, EDI           ; "d *eax" here shows the registration name we typed; it is passed as the call argument
:00407579 E822010000              CALL 004076A0          ; this call is the important one; it is analysed further down
:0040757E 8BF0                    MOV ESI, EAX           ; EAX is the return value, saved in ESI
:00407580 85F6                    TEST ESI, ESI
:00407582 0F84F0000000            JE 00407678
:00407588 51                      PUSH ECX
:00407589 8BCC                    MOV ECX, ESP
:0040758B 8964241C                MOV DWORD PTR [ESP+1C], ESP
* Possible StringData Ref from Data Obj ->"easyunlee"
|
:0040758F 68F4A64100              PUSH 0041A6F4
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:00407594 E8BF930000              CALL 00410958
:00407599 8BCF                    MOV ECX, EDI
:0040759B E800010000              CALL 004076A0          ; the same calculation on the constant string at 0041A6F4
:004075A0 51                      PUSH ECX
:004075A1 8BD8                    MOV EBX, EAX           ; result 1 goes into EBX
:004075A3 8BCC                    MOV ECX, ESP
:004075A5 8964241C                MOV DWORD PTR [ESP+1C], ESP
* Possible StringData Ref from Data Obj ->"easyunlee"
|
:004075A9 68F4A64100              PUSH 0041A6F4
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:004075AE E8A5930000              CALL 00410958
:004075B3 8BCF                    MOV ECX, EDI
:004075B5 E8E6000000              CALL 004076A0          ; the same string at 0041A6F4 hashed a second time
:004075BA 51                      PUSH ECX
:004075BB 8BE8                    MOV EBP, EAX           ; result 1 again, into EBP
:004075BD 8BCC                    MOV ECX, ESP
:004075BF 8964241C                MOV DWORD PTR [ESP+1C], ESP
* Possible StringData Ref from Data Obj ->"easy98meiosys"
|
:004075C3 68E0A64100              PUSH 0041A6E0
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:004075C8 E88B930000              CALL 00410958
:004075CD 8BCF                    MOV ECX, EDI
:004075CF E8CC000000              CALL 004076A0          ; the same calculation on the constant string at 0041A6E0
:004075D4 51                      PUSH ECX
:004075D5 89442418                MOV DWORD PTR [ESP+18], EAX   ; result 2 goes into [ESP+18]
:004075D9 8BCC                    MOV ECX, ESP
:004075DB 8964241C                MOV DWORD PTR [ESP+1C], ESP
* Possible StringData Ref from Data Obj ->"LuyangHS && Tsai && Bluebird"
|
:004075DF 68C4A64100              PUSH 0041A6C4
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:004075E4 E86F930000              CALL 00410958
:004075E9 8BCF                    MOV ECX, EDI
:004075EB E8B0000000              CALL 004076A0          ; the same calculation on "LuyangHS && Tsai && Bluebird"
:004075F0 51                      PUSH ECX
:004075F1 89442414                MOV DWORD PTR [ESP+14], EAX   ; result 3 goes into [ESP+14]
:004075F5 8BCC                    MOV ECX, ESP
:004075F7 8964241C                MOV DWORD PTR [ESP+1C], ESP
* Possible StringData Ref from Data Obj ->"heshengwssu1091119"
|
:004075FB 68B0A64100              PUSH 0041A6B0
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:00407600 E853930000              CALL 00410958
:00407605 8BCF                    MOV ECX, EDI
:00407607 E894000000              CALL 004076A0          ; the same calculation on "heshengwssu1091119"
:0040760C 51                      PUSH ECX
:0040760D 8944241C                MOV DWORD PTR [ESP+1C], EAX   ; result 4 goes into [ESP+1C]
:00407611 8BCC                    MOV ECX, ESP
:00407613 89642420                MOV DWORD PTR [ESP+20], ESP
* Possible StringData Ref from Data Obj ->"200970878"
|
:00407617 68A4A64100              PUSH 0041A6A4
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:0040761C E837930000              CALL 00410958
:00407621 8BCF                    MOV ECX, EDI
:00407623 E878000000              CALL 004076A0          ; the same calculation on "200970878"; result 5 stays in EAX
:00407628 81F678EE0220            XOR ESI, 2002EE78      ; ESI holds the value computed from the registration name; XOR it with 2002EE78
:0040762E 8B7C2414                MOV EDI, DWORD PTR [ESP+14]   ; result 2 into EDI
:00407632 81EE21050E20            SUB ESI, 200E0521      ; subtract 200E0521
:00407638 8B542418                MOV EDX, DWORD PTR [ESP+18]   ; result 4 into EDX
:0040763C 81F678563472            XOR ESI, 72345678      ; XOR with 72345678
:00407642 81EE88F76877            SUB ESI, 7768F788      ; subtract 7768F788
:00407648 33F3                    XOR ESI, EBX           ; XOR with result 1
:0040764A 8B5C2410                MOV EBX, DWORD PTR [ESP+10]   ; result 3 into EBX
:0040764E 03F5                    ADD ESI, EBP           ; add result 1
:00407650 33F3                    XOR ESI, EBX           ; XOR with result 3
:00407652 33F7                    XOR ESI, EDI           ; XOR with result 2
:00407654 2BF2                    SUB ESI, EDX           ; subtract result 4
:00407656 03F0                    ADD ESI, EAX           ; add result 5
:00407658 8B442434                MOV EAX, DWORD PTR [ESP+34]   ; EAX = the registration code we typed, as a number
:0040765C 3BF0                    CMP ESI, EAX           ; the computed value must equal the typed registration code
:0040765E 7518                    JNE 00407678           ; not equal: jump to the failure exit
:00407660 8D4C2430                LEA ECX, DWORD PTR [ESP+30]
:00407664 C7442428FFFFFFFF        MOV DWORD PTR [ESP+28], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040766C E899920000              CALL 0041090A
:00407671 B801000000              MOV EAX, 00000001      ; equal: we get here with EAX = 1, success
:00407676 EB13                    JMP 0040768B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00407582(C), :0040765E(C)
|
:00407678 8D4C2430                LEA ECX, DWORD PTR [ESP+30]
:0040767C C7442428FFFFFFFF        MOV DWORD PTR [ESP+28], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00407684 E881920000              CALL 0041090A
:00407689 33C0                    XOR EAX, EAX           ; otherwise EAX is zeroed here: failure

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407676(U)
|
:0040768B 8B4C2420                MOV ECX, DWORD PTR [ESP+20]
:0040768F 5F                      POP EDI
:00407690 5E                      POP ESI
:00407691 5D                      POP EBP
:00407692 64890D00000000          MOV DWORD PTR FS:[00000000], ECX
:00407699 5B                      POP EBX
:0040769A 83C41C                  ADD ESP, 0000001C
:0040769D C20800                  RET 0008
The call that is invoked so many times:

* Referenced by a CALL at Addresses:
|:00407579   , :0040759B   , :004075B5   , :004075CF   , :004075EB
|:00407607   , :00407623
|
:004076A0 64A100000000            MOV EAX, DWORD PTR FS:[00000000]
:004076A6 6AFF                    PUSH FFFFFFFF
:004076A8 68781D4100              PUSH 00411D78
:004076AD 50                      PUSH EAX
:004076AE 64892500000000          MOV DWORD PTR FS:[00000000], ESP
:004076B5 56                      PUSH ESI
:004076B6 57                      PUSH EDI
:004076B7 8B7C2418                MOV EDI, DWORD PTR [ESP+18]
:004076BB 8B57F8                  MOV EDX, DWORD PTR [EDI-08]
:004076BE 83FA03                  CMP EDX, 00000003
:004076C1 7D26                    JGE 004076E9           ; the string length must be at least 3
:004076C3 8D4C2418                LEA ECX, DWORD PTR [ESP+18]
:004076C7 C7442410FFFFFFFF        MOV DWORD PTR [ESP+10], FFFFFFFF
..........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076C1(C)
|
:004076E9 33F6                    XOR ESI, ESI
:004076EB 33C9                    XOR ECX, ECX
:004076ED 85D2                    TEST EDX, EDX
:004076EF 7E0D                    JLE 004076FE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076FC(C)
|
:004076F1 0FBE0439                MOVSX EAX, BYTE PTR [ECX+EDI]   ; loop: fetch each character in turn (sign-extended)
:004076F5 D3E0                    SHL EAX, CL            ; ECX is the loop index i; shift the character left by i bits
:004076F7 03F0                    ADD ESI, EAX           ; accumulate
:004076F9 41                      INC ECX
:004076FA 3BCA                    CMP ECX, EDX           ; compare i with the string length
:004076FC 7CF3                    JL 004076F1            ; loop while i < length

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004076EF(C)
|
:004076FE 8D4C2418                LEA ECX, DWORD PTR [ESP+18]
:00407702 C7442410FFFFFFFF        MOV DWORD PTR [ESP+10], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040770A E8FB910000              CALL 0041090A
:0040770F 8B4C2408                MOV ECX, DWORD PTR [ESP+08]
:00407713 8BC6                    MOV EAX, ESI           ; the accumulated sum is the return value in EAX
:00407715 5F                      POP EDI
:00407716 64890D00000000          MOV DWORD PTR FS:[00000000], ECX
:0040771D 5E                      POP ESI
:0040771E 83C40C                  ADD ESP, 0000000C
:00407721 C20400                  RET 0004
To sum up: let f() be the call at 004076A0 analysed above. The registration code must then satisfy

code = ((((f(name) xor 2002EE78) - 200E0521) xor 72345678) - 7768F788) xor f("easyunlee") + f("easyunlee") xor f("LuyangHS && Tsai && Bluebird") xor f("easy98meiosys") - f("heshengwssu1091119") + f("200970878")

with the operations applied strictly left to right, in the order the instructions at 00407628..00407656 execute, and everything taken modulo 2^32 (SHL EAX,CL inside f() also uses only the low five bits of the count, so characters past position 31 wrap the shift). The two strings at 0041A6F4 and 0041A6E0 are written here as the listing's data references print them; the original annotations spelled them EASUNLEE and EasunleE98meiosys, so copy them byte for byte from the binary's data section, because f() is case-sensitive. Keygen:
Code:
#include <iostream>
#include <string>
#include <cstdint>

// f(): the hash at 004076A0.  Every byte is sign-extended (MOVSX), shifted left
// by its index (SHL EAX,CL keeps only the low 5 bits of the count) and summed
// into a 32-bit accumulator that wraps, so unsigned arithmetic is used here.
uint32_t f(const std::string &st)
{
    uint32_t s = 0;
    for (size_t i = 0; i < st.size(); i++)
        s += static_cast<uint32_t>(static_cast<signed char>(st[i])) << (i & 31);
    return s;
}

int main()
{
    std::string name;
    std::cout << "please input your name: ";
    std::cin >> name;
    if (name.size() < 3) {                       // the dialog rejects names shorter than 3 characters
        std::cout << "name must be at least 3 characters" << std::endl;
        return 1;
    }
    // The constant strings must match the binary's data section byte for byte;
    // they are written here as the listing's data references print them.
    uint32_t code = f(name);
    code = (code ^ 0x2002EE78u) - 0x200E0521u;
    code = (code ^ 0x72345678u) - 0x7768F788u;
    code = (code ^ f("easyunlee")) + f("easyunlee");
    code = code ^ f("LuyangHS && Tsai && Bluebird") ^ f("easy98meiosys");
    code = code - f("heshengwssu1091119") + f("200970878");
    std::cout << "Your serial number is " << code << std::endl;
    return 0;
}
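The following Python script is an added example and is not part of the original write-up or of the Easun Studio tool. It re-implements the whole check as read from the listing, not just the keygen half: the two length gates, the two case-insensitive blacklist compares (_mbsicmp at 004071E3 and 004071FA), the hash f() at 004076A0 with x86 semantics (MOVSX sign extension, SHL count masked to five bits, 32-bit wraparound) and the XOR/ADD/SUB chain at 00407628..00407656 ending in CMP ESI,EAX, so it can both generate a code for a name and verify a (name, code) pair the way the dialog would. Assumptions, labelled in the code: the constant strings are taken verbatim from the listing's data references (the annotations spell the 0041A6F4 and 0041A6E0 strings differently, so verify them in the binary); the short-string path of 004076A0 that the listing elides is treated as returning 0; names are encoded as cp936 bytes because the build is an MBCS one for Simplified Chinese; the blacklist entries are as this page renders them.

```python
"""Registration check of 00407540/004076A0 re-implemented from the listing (added example)."""

MASK32 = 0xFFFFFFFF
MIN_LEN = 3          # CMP EAX,EBX / JGE at 004071C5 and CMP EDX,3 / JGE at 004076BE
CODEPAGE = "cp936"   # assumption: MBCS build for Simplified Chinese Windows

# Constant strings written exactly as the listing's data references print them
# (assumption: check them against the binary's data section; f() is case-sensitive).
STR_41A6F4 = "easyunlee"                     # result 1, hashed twice (EBX and EBP)
STR_41A6E0 = "easy98meiosys"                 # result 2 -> [ESP+18]
STR_41A6C4 = "LuyangHS && Tsai && Bluebird"  # result 3 -> [ESP+14]
STR_41A6B0 = "heshengwssu1091119"            # result 4 -> [ESP+1C]
STR_41A6A4 = "200970878"                     # result 5 -> EAX

# Names rejected by the two _mbsicmp calls at 004071E3 and 004071FA, as this page renders them.
BLACKLIST = ("Bai Mountain Crack Network", "zhenlong [bcg]")


def f(data: bytes) -> int:
    """The hash at 004076A0 with x86 semantics.

    MOVSX sign-extends each byte, SHL EAX,CL uses only the low five bits of the
    count, and the sum lives in a 32-bit register, so it wraps.  The elided path
    for strings shorter than 3 bytes is assumed to return 0.
    """
    if len(data) < MIN_LEN:
        return 0
    acc = 0
    for i, byte in enumerate(data):
        signed = byte - 0x100 if byte >= 0x80 else byte   # MOVSX EAX, BYTE PTR [ECX+EDI]
        acc = (acc + (signed << (i & 31))) & MASK32       # SHL EAX,CL ; ADD ESI,EAX
    return acc


def derive(name_bytes: bytes) -> int:
    """The XOR/ADD/SUB chain at 00407628..00407656 applied to f(name)."""
    r1 = f(STR_41A6F4.encode(CODEPAGE))
    r2 = f(STR_41A6E0.encode(CODEPAGE))
    r3 = f(STR_41A6C4.encode(CODEPAGE))
    r4 = f(STR_41A6B0.encode(CODEPAGE))
    r5 = f(STR_41A6A4.encode(CODEPAGE))
    v = f(name_bytes)
    v = (v ^ 0x2002EE78) & MASK32   # XOR ESI, 2002EE78
    v = (v - 0x200E0521) & MASK32   # SUB ESI, 200E0521
    v = (v ^ 0x72345678) & MASK32   # XOR ESI, 72345678
    v = (v - 0x7768F788) & MASK32   # SUB ESI, 7768F788
    v ^= r1                         # XOR ESI, EBX  (result 1)
    v = (v + r1) & MASK32           # ADD ESI, EBP  (result 1 again)
    v ^= r3                         # XOR ESI, EBX  (result 3, reloaded from [ESP+10])
    v ^= r2                         # XOR ESI, EDI  (result 2)
    v = (v - r4) & MASK32           # SUB ESI, EDX  (result 4)
    v = (v + r5) & MASK32           # ADD ESI, EAX  (result 5)
    return v


def name_ok(name: str) -> bool:
    """The dialog's gate: at least 3 bytes long and not on the blacklist (case-insensitive)."""
    if len(name.encode(CODEPAGE)) < MIN_LEN:
        return False
    return name.lower() not in {entry.lower() for entry in BLACKLIST}


def make_serial(name: str) -> int:
    """Keygen: the unsigned 32-bit code that makes CMP ESI,EAX at 0040765C succeed."""
    if not name_ok(name):
        raise ValueError("name is too short or blacklisted")
    return derive(name.encode(CODEPAGE))


def check(name: str, code: int) -> bool:
    """Validator: True exactly when the dialog would accept (name, code).

    Only a 32-bit CMP is visible in the listing, so a negative decimal typed into
    the edit box is compared by its two's-complement bit pattern.
    """
    return name_ok(name) and derive(name.encode(CODEPAGE)) == (code & MASK32)


if __name__ == "__main__":
    for candidate in ("luyang", "zhenlong [bcg]", "ab"):   # constructed sample names
        try:
            print(f"{candidate!r}: {make_serial(candidate)}")
        except ValueError as exc:
            print(f"{candidate!r}: rejected ({exc})")
```

Run this and the C++ keygen above on the same name; the two numbers must agree when both are printed as unsigned 32-bit values. If they do not, the first thing to check is the spelling and case of the constants at 0041A6F4 and 0041A6E0, since every other operation is fixed by the opcodes in the listing. The masking in f() matters only for names of 32 bytes or more, but it is what makes the script agree with the processor rather than with a naive reading of the loop.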