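Download page: http://www.380000.com/download/show.asp?id=fgm
Software category: Mathematics research
Platform: Win98/ME/2000/XP
Size: 359KB
License: Shareware
Registration method: user name + registration code
Author: Moonsoft
Release date: 2003-1-21
[About the software]: 函数图像大师 V4.5 is an open mathematics research platform built around functions, equations and inequalities (including systems of inequalities). It can plot any function (Y= form and X= form), equation (general, free-form and parametric) and inequality or system of inequalities, and it supports auxiliary tools, program plug-ins and skins. In V4.5: any equation and any inequality (or system) can be plotted; a large number of practical standard functions were added, including the Gauss functions [] and {}; the 3.x core was rewritten to make calculation more stable; every function, equation and inequality has its own name, so you can call functions you define in a calculation just as you would call a standard function; the limits of the current coordinate system can be changed at any time; you can define your own constants for use in calculations; features can be added through auxiliary tools and plug-ins, and all you need to do is download the latest components free of charge from the author's site and copy them into the program folder; skin support lets the program suit your taste and habits. 函数图像大师 V4.5 is sure to become your capable assistant for mathematics.
[Restrictions]: 30-day trial.
[Author's statement]: I am new to cracking and do this only out of interest, with no other purpose. Please point out any mistakes!
[Tools]: TRW2000 (娃娃 modified build), Ollydbg1.09, PEiD, W32Dasm 10 (modified build)
————————————————————————————————— [Process]:
Since I have already analyzed its sibling program, I might as well look at this one too, while I still remember the flow of the algorithm. It is easier that way. Heh.
Although the registration code is long, the basic flow of the algorithm is the same throughout; the other groups of the code are obtained by changing the parameters, so I only recorded the algorithm for the first group.
函数图像大师IV.exe is not packed. It is written in VC++ 6.0.
User name: fly
Trial code: 12345-67890-ABCDE-FGHIJ-KLMNO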
Disassemble it and look at the references; the core below is easy to find.
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A657(C)
|
:0040A66B 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:0040A671 8D54240C lea edx, dword ptr [esp+0C] ====> EDX=12345-67890-ABCDE-FGHIJ-KLMNO
:0040A675 8D44242C lea eax, dword ptr [esp+2C] ====> EAX=fly (the user name)
:0040A679 52 push edx
:0040A67A 50 push eax
:0040A67B E81070FFFF call 00401690
:0040A680 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:0040A686 E8456EFFFF call 004014D0 ====> The key CALL! Step in!
:0040A68B 84C0 test al, al
:0040A68D 6A40 push 00000040
:0040A68F 7410 je 0040A6A1 ====> If this jumps, it is over!
:0040A691 8B4E0C mov ecx, dword ptr [esi+0C]
* Possible Reference to Dialog:
|
:0040A694 687CC54100 push 0041C57C
* Possible StringData Ref from Data Obj ->"注册将在程序重启后生效。" ====> Heh, the goddess of victory! (The string reads "Registration takes effect after the program restarts.")
:0040A699 6860C54100 push 0041C560
:0040A69E 51 push ecx
:0040A69F EB0E jmp 0040A6AF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A68F(C)
|
* Possible StringData Ref from Data Obj ->"失败" (the string reads "Failed")
|
:0040A6A1 6858C54100 push 0041C558
* Possible StringData Ref from Data Obj ->"非法注册码!" ====> BAD BOY! (The string reads "Invalid registration code!")
:0040A6A6 6848C54100 push 0041C548
—————————————————————————————————
Stepping into the key CALL: 40A686 call 004014D0
* Referenced by a CALL at Addresses:
|:00405A69 , :00407C6E , :0040876D , :0040907B , :0040A553
|:0040A650 , :0040A686
…… …… (omitted) …… ……
:00401583 8A4C2425 mov cl, byte ptr [esp+25]
:00401587 B02D mov al, 2D ====> AL=2D, i.e. the character -
:00401589 3AC8 cmp cl, al ====> Is the 6th character of the registration code a - ?
:0040158B 7572 jne 004015FF
:0040158D 3844242B cmp byte ptr [esp+2B], al ====> Is the 12th character of the registration code a - ?
:00401591 756C jne 004015FF
:00401593 38442431 cmp byte ptr [esp+31], al ====> Is the 18th character of the registration code a - ?
:00401597 7566 jne 004015FF
:00401599 38442437 cmp byte ptr [esp+37], al ====> Is the 24th character of the registration code a - ?
:0040159D 7560 jne 004015FF
:0040159F 33FF xor edi, edi
:004015A1 8D742422 lea esi, dword ptr [esp+22]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015F4(C)
|
:004015A5 8D4C2418 lea ecx, dword ptr [esp+18]
:004015A9 8D542440 lea edx, dword ptr [esp+40] ====> EDX=fly
:004015AD 51 push ecx
:004015AE 57 push edi
:004015AF 52 push edx
:004015B0 8BCD mov ecx, ebp
:004015B2 E859000000 call 00401610 ====> The algorithm CALL! Step in!
====> What follows is a character-by-character comparison! A single mismatch and it is over!
:004015B7 8A46FE mov al, byte ptr [esi-02] ====> [esi-02]=12345
:004015BA 8A4C2418 mov cl, byte ptr [esp+18] ====> [esp+18]=SKI00
The first big loop yields: SKI00
The second big loop yields: A3000
The third big loop yields: 3D000
The fourth big loop yields: 10000
The fifth big loop yields: 1Z13G
That gives my complete 5-part registration code: SKI00-A3000-3D000-10000-1Z13G
:004015BE 3AC1 cmp al, cl
:004015C0 753D jne 004015FF
:004015C2 8A4EFF mov cl, byte ptr [esi-01]
:004015C5 8A442419 mov al, byte ptr [esp+19]
:004015C9 3AC8 cmp cl, al
:004015CB 7532 jne 004015FF
:004015CD 8A16 mov dl, byte ptr [esi]
:004015CF 8A44241A mov al, byte ptr [esp+1A]
:004015D3 3AD0 cmp dl, al
:004015D5 7528 jne 004015FF
:004015D7 8A4601 mov al, byte ptr [esi+01]
:004015DA 8A4C241B mov cl, byte ptr [esp+1B]
:004015DE 3AC1 cmp al, cl
:004015E0 751D jne 004015FF
:004015E2 8A4E02 mov cl, byte ptr [esi+02]
:004015E5 8A44241C mov al, byte ptr [esp+1C]
:004015E9 3AC8 cmp cl, al
:004015EB 7512 jne 004015FF
:004015ED 47 inc edi
:004015EE 83C606 add esi, 00000006
:004015F1 83FF05 cmp edi, 00000005
:004015F4 7CAF jl 004015A5
:004015F6 5F pop edi
:004015F7 5E pop esi
:004015F8 B001 mov al, 01 ====> AL set to 1 means OK!
:004015FA 5D pop ebp
:004015FB 83C454 add esp, 00000054
:004015FE C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401581(C), :0040158B(C), :00401591(C), :00401597(C), :0040159D(C)
|:004015C0(C), :004015CB(C), :004015D5(C), :004015E0(C), :004015EB(C)
|
:004015FF 5F pop edi
:00401600 5E pop esi
:00401601 32C0 xor al, al ====> AL cleared to 0 means it is over!
:00401603 5D pop ebp
:00401604 83C454 add esp, 00000054
:00401607 C3 ret
—————————————————————————————————
Stepping into the algorithm CALL: 4015B2 call 00401610
* Referenced by a CALL at Address:
|:004015B2
|
:00401610 8B442404 mov eax, dword ptr [esp+04] ====> EAX=fly
:00401614 8B542408 mov edx, dword ptr [esp+08] ====> EDX=00000000
:00401618 03D0 add edx, eax
:0040161A 83EC0C sub esp, 0000000C
:0040161D B901000000 mov ecx, 00000001
:00401622 8A02 mov al, byte ptr [edx]
:00401624 84C0 test al, al
:00401626 740E je 00401636
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401634(C)
|
:00401628 0FBEC0 movsx eax, al
:0040162B 0FAFC8 imul ecx, eax
1. ====> ECX=66 * 01=66
2. ====> ECX=66 * 6C=2B08
3. ====> ECX=2B08 * 79=1456C8
:0040162E 8A4201 mov al, byte ptr [edx+01] ====> Takes the hex value of each character of fly in turn
:00401631 42 inc edx
:00401632 84C0 test al, al
:00401634 75F2 jne 00401628
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401626(C)
|
:00401636 56 push esi
:00401637 8B74241C mov esi, dword ptr [esp+1C]
:0040163B 8BC6 mov eax, esi
:0040163D 33D2 xor edx, edx
:0040163F 6A24 push 00000024
:00401641 8910 mov dword ptr [eax], edx
:00401643 66895004 mov word ptr [eax+04], dx
:00401647 8D542408 lea edx, dword ptr [esp+08]
:0040164B 52 push edx
:0040164C 51 push ecx
:0040164D E83D680100 call 00417E8F ====> Another sub-calculation CALL! It produces the value at [esp+10] below. Step in!
:00401652 8D442410 lea eax, dword ptr [esp+10] ====> EAX=[esp+10]=ski0
:00401656 50 push eax
* Possible Reference to Dialog:
|
:00401657 687CC04100 push 0041C07C
:0040165C 56 push esi
:0040165D E859C70000 call 0040DDBB ====> This CALL keeps the first 5 characters of the string obtained above!
====> ESI=ski0
:00401662 83C418 add esp, 00000018
:00401665 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401685(C)
|
:00401667 8A0431 mov al, byte ptr [ecx+esi]
:0040166A 3C61 cmp al, 61
:0040166C 7C0B jl 00401679
:0040166E 3C7A cmp al, 7A
:00401670 7F07 jg 00401679
:00401672 2C20 sub al, 20
:00401674 880431 mov byte ptr [ecx+esi], al
:00401677 EB08 jmp 00401681
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040166C(C), :00401670(C)
|
:00401679 84C0 test al, al
:0040167B 7504 jne 00401681
:0040167D C6043130 mov byte ptr [ecx+esi], 30
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401677(U), :0040167B(C)
|
:00401681 41 inc ecx
:00401682 83F905 cmp ecx, 00000005
:00401685 7CE0 jl 00401667 ====> The small loop above converts the lowercase letters in 1e9tt to uppercase!
====> ESI=ski00 is converted to SKI00. If there are fewer than 5 characters, the end is padded with 0!
:00401687 5E pop esi
:00401688 83C40C add esp, 0000000C
:0040168B C20C00 ret 000C
—————————————————————————————————
Stepping into the sub-calculation CALL: 0040164D call 00417E8F, then further into: 00417EAC call 00417E33
* Referenced by a CALL at Addresses:
|:00417E26 , :00417EAC
|
:00417E33 55 push ebp
:00417E34 8BEC mov ebp, esp
:00417E36 837D1400 cmp dword ptr [ebp+14], 00000000
:00417E3A 8B4D0C mov ecx, dword ptr [ebp+0C]
:00417E3D 53 push ebx
:00417E3E 56 push esi
:00417E3F 57 push edi
:00417E40 740B je 00417E4D
:00417E42 8B7508 mov esi, dword ptr [ebp+08]
:00417E45 C6012D mov byte ptr [ecx], 2D
:00417E48 41 inc ecx
:00417E49 F7DE neg esi
:00417E4B EB03 jmp 00417E50
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417E40(C)
|
:00417E4D 8B7508 mov esi, dword ptr [ebp+08] ====> ESI=001456C8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417E4B(U)
|
:00417E50 8BF9 mov edi, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417E76(C)
|
:00417E52 8BC6 mov eax, esi
:00417E54 33D2 xor edx, edx
:00417E56 F77510 div [ebp+10] ====> [ebp+10]=24
1. ====> EDX=001456C8 % 24=00
2. ====> EDX=000090A2 % 24=12
3. ====> EDX=00000404 % 24=14
4. ====> EDX=0000001C % 24=1C
:00417E59 8BC6 mov eax, esi
:00417E5B 8BDA mov ebx, edx
:00417E5D 33D2 xor edx, edx
:00417E5F F77510 div [ebp+10]
1. ====> EAX=001456C8 / 24=000090A2
2. ====> EAX=000090A2 / 24=00000404
3. ====> EAX=00000404 / 24=0000001C
4. ====> EAX=0000001C / 24=00000000
:00417E62 83FB09 cmp ebx, 00000009
:00417E65 8BF0 mov esi, eax
:00417E67 7605 jbe 00417E6E
:00417E69 80C357 add bl, 57
2. ====> BL=12 + 57=69, i.e. the character i
3. ====> BL=14 + 57=6B, i.e. the character k
4. ====> BL=1C + 57=73, i.e. the character s
:00417E6C EB03 jmp 00417E71
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417E67(C)
|
:00417E6E 80C330 add bl, 30
1. ====> BL=00 + 30=30, i.e. the character 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417E6C(U)
|
:00417E71 8819 mov byte ptr [ecx], bl
:00417E73 41 inc ecx
:00417E74 85F6 test esi, esi
:00417E76 77DA ja 00417E52 ====> Loop!
:00417E78 802100 and byte ptr [ecx], 00
:00417E7B 49 dec ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417E88(C)
|
:00417E7C 8A17 mov dl, byte ptr [edi]
:00417E7E 8A01 mov al, byte ptr [ecx]
:00417E80 8811 mov byte ptr [ecx], dl
:00417E82 8807 mov byte ptr [edi], al
:00417E84 49 dec ecx
:00417E85 47 inc edi
:00417E86 3BF9 cmp edi, ecx
:00417E88 72F2 jb 00417E7C ====> This small loop reverses 0iks into ski0
:00417E8A 5F pop edi
:00417E8B 5E pop esi
:00417E8C 5B pop ebx
:00417E8D 5D pop ebp
:00417E8E C3 ret
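The routine at 00417E33 is an integer-to-string conversion in radix 0x24 (36), and it behaves like the C runtime's `_itoa` family. The C rendering below is an added example for reading the listing, not code from the original post or from the program; the name `to_radix`, its parameter names and the radix guard are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: C rendering of the routine at 00417E33 in the listing.
 * The name to_radix and the parameter names are assumptions; the order
 * follows the stack slots [ebp+08], [ebp+0C], [ebp+10], [ebp+14].
 * buf needs room for 32 digits, an optional '-', and the NUL (34 bytes). */
static char *to_radix(uint32_t value, char *buf, unsigned radix, int is_neg)
{
    char *p = buf;      /* ecx: write cursor */
    char *first;        /* edi: first digit, where the reversal starts */

    if (radix < 2 || radix > 36) {  /* guard added here, not in the listing */
        buf[0] = '\0';
        return buf;
    }
    if (is_neg) {                   /* 00417E36..00417E4B */
        *p++ = '-';                 /* mov byte ptr [ecx], 2D */
        value = 0u - value;         /* neg esi */
    }
    first = p;                      /* 00417E50: mov edi, ecx */

    do {                            /* 00417E52..00417E76 */
        unsigned digit = value % radix;   /* first div: remainder in edx */
        value /= radix;                   /* second div: quotient in eax */
        /* 0..9 -> +0x30 ('0'..'9'), 10..35 -> +0x57 ('a'..'z') */
        *p++ = (char)(digit > 9 ? digit + 0x57 : digit + 0x30);
    } while (value != 0);           /* test esi, esi / ja 00417E52 */

    *p-- = '\0';                    /* and byte ptr [ecx], 00 / dec ecx */
    while (first < p) {             /* 00417E7C..00417E88: reverse digits */
        char t = *p;
        *p-- = *first;
        *first++ = t;
    }
    return buf;
}

int main(void)
{
    char buf[34];
    /* 0x1456C8 is the product the page traces for the user name "fly". */
    printf("%s\n", to_radix(0x1456C8u, buf, 0x24, 0));   /* prints ski0 */
    return 0;
}
```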
————————————————————————————————— [Perfect patch]:
Heh, the perfect patch is very simple.
00401601 32C0 xor al, al
Change it to: B001 mov al, 01
and that is all! It mirrors the instruction at 4015F8 nicely.
————————————————————————————————— [Where the registration information is stored]:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\FgmIV]
"User Name"=hex:66,6c,79,00,34,fb,6d,00,68,fb,6d,00,62,00,00,00,86,01,00,00,7d,\
  03,00,00,d0,01,00,00,d7,03
"Register Code"=hex:53,4b,49,30,30,2d,41,33,30,30,30,2d,33,44,30,30,30,2d,31,\
  30,30,30,30,2d,31,5a,31,33,47,00
————————————————————————————————— [Summary]:
User name: fly
Registration code: SKI00-A3000-3D000-10000-1Z13G
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-4-12 2:00