Open more programs. I use more open programs.

Source: Internet
Author: User

Text and figures: December
Heavy Internet users run QQ, MSN, FlashGet, and other programs every day. Isn't it troublesome to repeat the same actions day after day? A program that launches several programs at once is therefore a good choice: it saves a lot of time, and you can also choose after how many seconds the programs run. However, this tool is shareware. If you do not register it, you can run it only a limited number of times. So if you want to use it without restriction, you can only try to crack it.
Compared with MySQL 2.1, MySQL 2.0 supports modifying the title of MYPTC 1.1.0.7 and enabling it in turn. Running the program and attempting to register it produces no error or other prompt, so it probably verifies the registration on restart. Checking the Registry shows that the registration information is written into HKEY_LOCAL_MACHINESOFTWAREAutoSoftMultRun2. In this case, we can first search for strings to find a suitable breakpoint. If the software is not packed, we load it directly into OllyDbg (OD) and search for strings. Surely anyone who cracks software knows this. You can see the two strings shown in Figure 1. Let's take a look at the code.

Figure 1

004035D2 E8 23730100 call Program Multi-open.0041A8FA
004035D7 A1 0C234300 mov eax, dword ptr ds: [43230C]
004035DC 85C0 test eax, eax
004035DE 74 37 je short Program Multi-open.00403617
004035E0 68 E8004300 push Program Multi-open.004300E8 ; You can use this program without limit!
004035E5 68 0A040000 push 40A
004035EA 8BCE mov ecx, esi
004035EC E8 3FA70100 call Program Multi-open.0041DD30
004035F1 68 DC004300 push Program Multi-open.004300DC ; Thank you for registering!

If you set a breakpoint at 004035D2, it is never hit. Although these lines of code push the thank-you-for-registering message, execution does not stop here, which makes dynamic debugging troublesome. Even if a breakpoint at E7 can be hit, that address is not the key to the registration check. Do you just give up? Of course not. Let's go back to the string search results and see what else was missed. After reading through them several times, we find what is shown in Figure 2.

Figure 2
Here there is another "Thanks for registration" string. Just above it is the registry key, and on the bottom line is "You can also use this program %d". This is in fact the number of times you can still use the program. There should be a counter here, but we don't need to worry about it. First go to the code and find a suitable place for a breakpoint.

004017DA 68 00014300 push Program Multi-open.00430100 ; SOFTWAREAutoSoftMultRun2
004017DF 68 02000080 push 80000002
004017E4 FF15 0C604200 call dword ptr ds: [<&ADVAPI32.RegOpenKe> ; ADVAPI32.RegOpenKeyA
......
004017FE FF15 08604200 call dword ptr ds: [<&ADVAPI32.RegQueryV> ; ADVAPI32.RegQueryValueA
00401804 8B4C24 10 mov ecx, dword ptr ss: [esp + 10]
00401808 51 push ecx
00401809 FF15 04604200 call dword ptr ds: [<&ADVAPI32.RegCloseK> ; ADVAPI32.RegCloseKey

Here are several API functions about the registry.

0040180F 837C24 18 08 cmp dword ptr ss: [esp + 18], 8 ; compare the number of machine code digits
00401814 7D 0C jge short Program Multi-open.00401822
......
00401852 51 push ecx
00401853 E8 58240000 call Program Multi-open.00403CB0 ; key call
00401858 8B5424 14 mov edx, dword ptr ss: [esp + 14]
0040185C 8B00 mov eax, dword ptr ds: [eax] ; eax holds the registration code
0040185E 52 push edx
0040185F 50 push eax
00401860 E8 A9A50000 call Program Multi-open.0040BE0E ; registration code comparison

A memory keygen could be made at this point. If you don't want to work through the algorithm, you can stop here.

00401865 83C4 10 add esp, 10
00401868 8D4C24 1C lea ecx, dword ptr ss: [esp + 1C]
0040186C 85C0 test eax, eax
0040186E 0F95C3 setne bl ; flag bit judgment
00401871 E8 D1C10100 call Program Multi-open.0041DA47
00401876 33C0 xor eax, eax
00401878 8D4C24 0C lea ecx, dword ptr ss: [esp + C]
0040187C 84DB test bl, bl
0040187E 0F94C0 sete al
00401881 A3 0C234300 mov dword ptr ds: [43230C], eax
00401886 C78424 8C04000> mov dword ptr ss: [esp + 48C], -1
00401891 E8 B1C10100 call Program Multi-open.0041DA47
00401896 A1 0C234300 mov eax, dword ptr ds: [43230C]
0040189B 85C0 test eax, eax
0040189D 75 17 jnz short Program Multi-open.004018B6 ; patch point 1
0040189F 8BCE mov ecx, esi
004018A1 E8 EA190000 call Program Multi-open.00403290
004018A6 8BCE mov ecx, esi
004018A8 E8 831B0000 call Program Multi-open.00403430
004018AD A1 0C234300 mov eax, dword ptr ds: [43230C]
004018B2 85C0 test eax, eax
004018B4 74 3C je short Program Multi-open.004018F2 ; patch point 2

Of course, if you want to crack it, you can also patch it here.

004018B6 68 E8004300 push Program Multi-open.004300E8 ; You can use this program without limit!
004018BB 68 0A040000 push 40A
004018C0 8BCE mov ecx, esi
004018C2 E8 69C40100 call Program Multi-open.0041DD30
004018C7 68 DC004300 push Program Multi-open.004300DC ; Thanks for registration!
004018CC 68 09040000 push 409
......
00401907 BB 02000000 mov ebx, 2
0040190C 52 push edx
0040190D 68 C4004300 push Program Multi-open.004300C4 ; You can also use this program %d!

What can we learn from the code above? At least we know that even without searching for strings, we could use an API breakpoint, bp RegOpenKeyA, to break in. We can also see that the machine code must have at least eight digits, and that a flag is tested; after successful registration, the program reports that it can be used without restriction. But none of this is the main point. The main point is, of course, the key call at 00401853. Let's take a look.

00403D08 E8 53000000 call Program Multi-open.00403D60 ; algorithm call
00403D0D 8BB424 2804000> mov esi, dword ptr ss: [esp + 428]
00403D14 83C4 0C add esp, 0C

Stepping in, I found that the first call is the algorithm call. There is no key information at this level, so I stepped into it to check.

00403D6D C64424 08 75 mov byte ptr ss: [esp + 8], 75
00403D72 C64424 09 6C mov byte ptr ss: [esp + 9], 6C
00403D77 C64424 0A 6F mov byte ptr ss: [esp + A], 6F
00403D7C C64424 0B 76 mov byte ptr ss: [esp + B], 76
00403D81 C64424 0C 65 mov byte ptr ss: [esp + C], 65
00403D86 C64424 0D 6D mov byte ptr ss: [esp + D], 6D

On stepping in, these are the first lines of code I saw. Checking an ASCII table shows that 75 6C 6F 76 65 6D corresponds to ulovem. Is that all clear? Continue with the following code.
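
The byte-by-byte stores above build a "stack string": the constant is assembled at run time, so it never appears contiguously in the file and a plain string search does not show it. As an added example (not part of the original article), the following Python rebuilds such strings from OllyDbg-style listing text; the function name `recover_stack_strings` and the regular expression are assumptions made for illustration, and the sample lines are copied from the listings on this page.

```python
import re

# Sample input: listing lines copied from this page (OllyDbg text format).
LISTING = """\
00403D6D C64424 08 75 mov byte ptr ss: [esp + 8], 75
00403D72 C64424 09 6C mov byte ptr ss: [esp + 9], 6C
00403D77 C64424 0A 6F mov byte ptr ss: [esp + A], 6F
00403D7C C64424 0B 76 mov byte ptr ss: [esp + B], 76
00403D81 C64424 0C 65 mov byte ptr ss: [esp + C], 65
00403D86 C64424 0D 6D mov byte ptr ss: [esp + D], 6D
00403DB4 88040F mov byte ptr ds: [edi + ecx], al
"""

# Matches "mov byte ptr seg:[reg + hexoffset], hexbyte" (immediate stores only).
STORE = re.compile(
    r"mov\s+byte\s+ptr\s+\w+:\s*\[(\w+)\s*\+\s*([0-9A-Fa-f]+)\],"
    r"\s*([0-9A-Fa-f]{1,2})\s*$"
)

def recover_stack_strings(listing, min_len=4):
    """Return (base_register, start_offset, text) for each run of printable
    bytes written to consecutive offsets from the same base register."""
    stores = {}
    for line in listing.splitlines():
        m = STORE.search(line)
        if m:
            base = m.group(1).lower()
            stores.setdefault(base, {})[int(m.group(2), 16)] = int(m.group(3), 16)
    found = []
    for base, cells in stores.items():
        run_start, run = None, []
        for off in sorted(cells) + [None]:  # None is a sentinel that flushes
            printable = off is not None and 0x20 <= cells[off] < 0x7F
            if printable and run and off == run_start + len(run):
                run.append(cells[off])
                continue
            if len(run) >= min_len:
                found.append((base, run_start, bytes(run).decode("ascii")))
            run_start, run = (off, [cells[off]]) if printable else (None, [])
    return found

if __name__ == "__main__":
    for base, off, text in recover_stack_strings(LISTING):
        print(f"[{base}+{off:#x}] {text!r}")
```

The register-to-memory store at 00403DB4 is ignored because it carries no immediate byte; only constant stores to consecutive offsets are joined.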

00403D8D 8B4C24 14 mov ecx, dword ptr ss: [esp + 14] ; ecx holds the machine code
00403D91 53 push ebx
......
00403D99 8A19 mov bl, byte ptr ds: [ecx] ; machine code is loaded into bl
00403D9B 84DB test bl, bl
00403D9D 74 1A je short Program Multi-open.00403DB9
00403D9F 8BC6 mov eax, esi
00403DA1 33D2 xor edx, edx
00403DA3 BD 06000000 mov ebp, 6 ; ebp = 6
00403DA8 F7F5 div ebp
00403DAA 8B6C24 24 mov ebp, dword ptr ss: [esp + 24]
00403DAE 8A4414 10 mov al, byte ptr ss: [esp + edx + 10] ; get the ASCII value from ulovem
00403DB2 32C3 xor al, bl ; exclusive or; 6C is taken if there are more than six characters
00403DB4 88040F mov byte ptr ds: [edi + ecx], al
00403DB7 EB 03 jmp short Program Multi-open.00403DBC
00403DB9 881C0F mov byte ptr ds: [edi + ecx], bl
00403DBC 46 inc esi ; counter
00403DBD 41 inc ecx
00403DBE 3BF5 cmp esi, ebp ; 8 computations
00403DC0 ^ 7C D7 jl short Program Multi-open.00403D99 ; loop

The machine code is XORed with the fixed string ulovem. Because the string has fewer than 8 characters, the second character is used once the string runs out. This is very simple, as you will see later. Continue reading the code.

00403DC6 85ED test ebp, ebp
00403DC8 7E 1F jle short Program Multi-open.00403DE9
00403DCA 8B5424 18 mov edx, dword ptr ss: [esp + 18] ; edx holds the calculation result
00403DCE BE 0A000000 mov esi, 0A; esi =
00403DD3 0FBE0411 movsx eax, byte ptr ds: [ecx + edx]
00403DD7 99 cdq
00403DD8 F7FE idiv esi;/
00403DDA 8B4424 18 mov eax, dword ptr ss: [esp + 18]
00403DDE 80C2 30 add dl, 30 ; dl + 30
00403DE1 881401 mov byte ptr ds: [ecx + eax], dl
00403DE4 41 inc ecx ; counter
00403DE5 3BCD cmp ecx, ebp
00403DE7 ^ 7C E1 jl short Program Multi-open.00403DCA ; loop

So there are two operations. First the program XORs the machine code with the fixed string ulovem; because the string has fewer than 8 characters, it takes the second character once the string runs out. This gives a result. That result is then taken modulo 0A, 30 is added, and the registration code is obtained.
To be honest, the registration algorithm is very simple, and it would be very easy to write a keygen. I will not do this, and my programming level is really bad. Simple as the algorithm is, I hope this will be helpful to friends who want to get started with algorithm analysis, and that you can get started easily.
