好長時間沒有向這裡貼文章了,今天寫一個比較簡單的,難度不大,不過沒有下載地址。 (18千字)
DubIt V2.01
類別:影片工具
版本:2.01
檔案大小:1897KB
授權:共享軟體
執行平臺:Win95/98/NT
作者網站:http://programhunter.126.com
軟體簡介: 可在觀看Image或Movie的時候,實時加入語音,然後生成標準的.AVI檔案。
追蹤:name:dahuilang
RN:01234567
這個軟體與著名的snagit32圖像捕捉軟體是同一個公司出品的。所以破解它的方法與破解snagit相同。現在開始破解:在輸入註冊碼前,你一定要先填寫一個表格,才能輸入註冊碼。記得一定要填公司的名字才是有效的。
:0040DCFA 8BD8
mov ebx, eax <-從這裡出來
:0040DCFC 83FB12
cmp ebx, 00000012
:0040DCFF 0F8C4B010000 jl 0040DE50
程式在這裡比較你的註冊碼長度是否小於18位,所以在這裡可以設RN:01234567890123456789,再向下追蹤:
:0040DD05 8D4760
lea eax, dword ptr [edi+60]
* Possible StringData Ref from Data Obj ->"0123456789ABCDEF-"
|
:0040DD08 6854CD4500 push
0045CD54
:0040DD0D 50
push eax
:0040DD0E E8ED4F0100 call
00422D00
:0040DD13 59
pop ecx
:0040DD14 3BC3
cmp eax, ebx
:0040DD16 59
pop ecx
:0040DD17 0F8533010000 jne 0040DE50
:0040DD1D 8D4F60
lea ecx, dword ptr [edi+60]
:0040DD20 8D5C3B60
lea ebx, dword ptr [ebx+edi+60]
:0040DD24 3BCB
cmp ecx, ebx
:0040DD26 8BC1
mov eax, ecx
:0040DD28 7312
jnb 0040DD3C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040DD30(U), :0040DD3A(C)
|
:0040DD2A 80392D
cmp byte ptr [ecx], 2D
:0040DD2D 7503
jne 0040DD32
:0040DD2F 41
inc ecx
:0040DD30 EBF8
jmp 0040DD2A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD2D(C)
|
:0040DD32 8A11
mov dl, byte ptr [ecx]
:0040DD34 8810
mov byte ptr [eax], dl
:0040DD36 40
inc eax
:0040DD37 41
inc ecx
:0040DD38 3BC3
cmp eax, ebx
:0040DD3A 72EE
jb 0040DD2A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD28(C)
|
:0040DD3C 802000
and byte ptr [eax], 00
:0040DD3F 8D4760
lea eax, dword ptr [edi+60]
:0040DD42 50
push eax
:0040DD43 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD46 E8CD4C0200 call
00432A18
:0040DD4B 8D45F8
lea eax, dword ptr [ebp-08]
* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0040DD4E 6A04
push 00000004
:0040DD50 50
push eax
:0040DD51 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD54 8D5F5C
lea ebx, dword ptr [edi+5C]
:0040DD57 E8DC1E0200 call
0042FC38
:0040DD5C 50
push eax
:0040DD5D 8BCB
mov ecx, ebx
:0040DD5F E8334D0200 call
00432A97
:0040DD64 8D4DF8
lea ecx, dword ptr [ebp-08]
:0040DD67 E83E4C0200 call
004329AA
:0040DD6C 8B45FC
mov eax, dword ptr [ebp-04]
:0040DD6F 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD72 8B40F8
mov eax, dword ptr [eax-08]
:0040DD75 83C0FC
add eax, FFFFFFFC
:0040DD78 50
push eax
:0040DD79 8D45F8
lea eax, dword ptr [ebp-08]
:0040DD7C 50
push eax
:0040DD7D E8321F0200 call
0042FCB4
:0040DD82 50
push eax
:0040DD83 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD86 E80C4D0200 call
00432A97
:0040DD8B 8D4DF8
lea ecx, dword ptr [ebp-08]
:0040DD8E E8174C0200 call
004329AA
:0040DD93 8B1B
mov ebx, dword ptr [ebx]
:0040DD95 6A10
push 00000010
:0040DD97 6A05
push 00000005
:0040DD99 8BCE
mov ecx, esi
:0040DD9B FF75FC
push [ebp-04]
:0040DD9E 53
push ebx
:0040DD9F E864190000 call
0040F708
:0040DDA4 6A01
push 00000001
:0040DDA6 8BD8
mov ebx, eax
:0040DDA8 58
pop eax
:0040DDA9 3AD8
cmp bl, al *******
:0040DDAB 0F8583000000 jne 0040DE34
:0040DDB1 83A6D000000000 and dword ptr [esi+000000D0],
00000000
:0040DDB8 8986C4000000 mov dword
ptr [esi+000000C4], eax
:0040DDBE 8D4760
lea eax, dword ptr [edi+60]
:0040DDC1 8BCE
mov ecx, esi
:0040DDC3 50
push eax
* Possible StringData Ref from Data Obj ->"RegistrationKey"
|
:0040DDC4 6844CD4500 push
0045CD44
* Possible StringData Ref from Data Obj ->"Settings"
|
:0040DDC9 6864C64500 push
0045C664
:0040DDCE E8D4100300 call
0043EEA7
:0040DDD3 8B761C
mov esi, dword ptr [esi+1C]
:0040DDD6 FF761C
push [esi+1C]
程式在***處是一個關鍵的跳轉,因為下面有一個比較明顯的地方:"RegistrationKey"就是程式將要向登錄檔中寫入資料的鍵值,所以現在應當分析一下那個比較的地方。現在就進入call
0040F708中。
:0040F708 55
push ebp
:0040F709 8BEC
mov ebp, esp
:0040F70B 83EC4C
sub esp, 0000004C
:0040F70E 8365F800
and dword ptr [ebp-08], 00000000
:0040F712 8065FE00
and byte ptr [ebp-02], 00
:0040F716 53
push ebx
:0040F717 56
push esi
:0040F718 57
push edi
:0040F719 6A0F
push 0000000F
:0040F71B 8D45E8
lea eax, dword ptr [ebp-18]
:0040F71E 6A00
push 00000000
:0040F720 8BD9
mov ebx, ecx
:0040F722 50
push eax
:0040F723 C645FF01
mov [ebp-01], 01
:0040F727 E8F4300100 call
00422820
:0040F72C 8B7D0C
mov edi, dword ptr [ebp+0C]
* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:0040F72F 8B35D0C24400 mov esi, dword
ptr [0044C2D0]
:0040F735 83C40C
add esp, 0000000C
:0040F738 57
push edi
:0040F739 FFD6
call esi
:0040F73B 50
push eax
:0040F73C 8D45E8
lea eax, dword ptr [ebp-18]
:0040F73F 57
push edi
:0040F740 50
push eax
:0040F741 E86A290100 call
004220B0
:0040F746 83C40C
add esp, 0000000C
:0040F749 66837D1005 cmp word
ptr [ebp+10], 0005
:0040F74E 7413
je 0040F763
:0040F750 66837D1006 cmp word
ptr [ebp+10], 0006
:0040F755 740C
je 0040F763
:0040F757 FF7508
push [ebp+08]
:0040F75A 8BCB
mov ecx, ebx
:0040F75C E8BD000000 call
0040F81E
:0040F761 EB0F
jmp 0040F772
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F74E(C), :0040F755(C)
|
:0040F763 6A10
push 00000010
:0040F765 6A00
push 00000000
:0040F767 FF7508
push [ebp+08]
:0040F76A E890390100 call
004230FF
:0040F76F 83C40C
add esp, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F761(U)
|
:0040F772 8945F8
mov dword ptr [ebp-08], eax
:0040F775 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F778 50
push eax
:0040F779 E8B0070100 call
0041FF2E
:0040F77E 85C0
test eax, eax
:0040F780 59
pop ecx
:0040F781 7509
jne 0040F78C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F7A0(C), :0040F7B6(C)
|
:0040F783 8065FF00
and byte ptr [ebp-01], 00
:0040F787 E983000000 jmp 0040F80F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F781(C)
|
:0040F78C 8D4510
lea eax, dword ptr [ebp+10]
:0040F78F 6A02
push 00000002
:0040F791 50
push eax
:0040F792 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F795 50
push eax
:0040F796 E89F070100 call
0041FF3A
:0040F79B 83C40C
add esp, 0000000C
:0040F79E 85C0
test eax, eax
:0040F7A0 74E1
je 0040F783
:0040F7A2 8D45F8
lea eax, dword ptr [ebp-08]
:0040F7A5 6A02
push 00000002
:0040F7A7 50
push eax
:0040F7A8 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F7AB 50
push eax
:0040F7AC E889070100 call
0041FF3A
:0040F7B1 83C40C
add esp, 0000000C
:0040F7B4 85C0
test eax, eax
:0040F7B6 74CB
je 0040F783
:0040F7B8 8D45E8
lea eax, dword ptr [ebp-18]
:0040F7BB 50
push eax
:0040F7BC 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F7BF 50
push eax
:0040F7C0 E823080100 call
0041FFE8
:0040F7C5 59
pop ecx
:0040F7C6 85C0
test eax, eax
:0040F7C8 59
pop ecx
:0040F7C9 7509
jne 0040F7D4
:0040F7CB 2045FF
and byte ptr [ebp-01], al *****
:0040F7CE C645FE0A
mov [ebp-02], 0A
:0040F7D2 EB3B
jmp 0040F80F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7C9(C)
|
:0040F7D4 0FB75D14
movzx ebx, word ptr [ebp+14]
:0040F7D8 57
push edi
:0040F7D9 FFD6
call esi
:0040F7DB 83F80E
cmp eax, 0000000E
:0040F7DE 7C27
jl 0040F807
:0040F7E0 83C70C
add edi, 0000000C
:0040F7E3 6A02
push 00000002
:0040F7E5 57
push edi
:0040F7E6 E886070100 call
0041FF71 /*/*/*/*/*
:0040F7EB 59
pop ecx
:0040F7EC 83F841
cmp eax, 00000041
:0040F7EF 59
pop ecx
:0040F7F0 7304
jnb 0040F7F6
:0040F7F2 33C0
xor eax, eax
:0040F7F4 EB03
jmp 0040F7F9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F0(C)
|
:0040F7F6 83E841
sub eax, 00000041
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F4(U)
|
:0040F7F9 3BC3
cmp eax, ebx
:0040F7FB 7312
jnb 0040F80F
:0040F7FD 8065FF00
and byte ptr [ebp-01], 00
:0040F801 C645FE0B
mov [ebp-02], 0B
:0040F805 EB08
jmp 0040F80F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7DE(C)
|
:0040F807 8065FF00
and byte ptr [ebp-01], 00
:0040F80B C645FE0C
mov [ebp-02], 0C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F787(U), :0040F7D2(U), :0040F7FB(C), :0040F805(U)
|
:0040F80F 33C0
xor eax, eax
:0040F811 5F
pop edi
:0040F812 8A65FE
mov ah, byte ptr [ebp-02]
:0040F815 5E
pop esi
:0040F816 8A45FF
mov al, byte ptr [ebp-01]
:0040F819 5B
pop ebx
:0040F81A C9
leave
:0040F81B C21000
ret 0010
現在進入後分析一下,我們要得到什麼值才能讓外面那個比較的地方不跳轉,應當是al的值,所以這裡先看一看al在返回前的值是由什麼決定的。先從後面來看,發現程式使用[ebp-01]來決定al的值,那麼就先分析[ebp-01]的值在什麼地方可以變化。因為在外面的比較處只有當al=1時才能註冊成功,所以要看一看在哪裡可以得到[ebp-01]=1。
我們發現在*****處會令[ebp-01]=al,當al=1時就滿足條件。所以進入call 0041FFE8中:
:0041FFE8 55
push ebp
:0041FFE9 8BEC
mov ebp, esp
:0041FFEB 83EC7C
sub esp, 0000007C
:0041FFEE 6A30
push 00000030
:0041FFF0 33C9
xor ecx, ecx
:0041FFF2 58
pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420000(C)
|
:0041FFF3 0FB7D1
movzx edx, cx
:0041FFF6 41
inc ecx
:0041FFF7 884415EC
mov byte ptr [ebp+edx-14], al
:0041FFFB 40
inc eax
:0041FFFC 663D3900
cmp ax, 0039
:00420000 76F1
jbe 0041FFF3
:00420002 6A41
push 00000041
:00420004 58
pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420012(C)
|
:00420005 0FB7D1
movzx edx, cx
:00420008 41
inc ecx
:00420009 884415EC
mov byte ptr [ebp+edx-14], al
:0042000D 40
inc eax
:0042000E 663D4600
cmp ax, 0046
:00420012 76F1
jbe 00420005
:00420014 53
push ebx
:00420015 56
push esi
:00420016 57
push edi
:00420017 8B7D0C
mov edi, dword ptr [ebp+0C]
:0042001A 6A02
push 00000002
:0042001C 894DFC
mov dword ptr [ebp-04], ecx
:0042001F 8D470C
lea eax, dword ptr [edi+0C]
:00420022 50
push eax
:00420023 E849FFFFFF call
0041FF71
:00420028 8B7508
mov esi, dword ptr [ebp+08]
:0042002B 8945FC
mov dword ptr [ebp-04], eax
:0042002E 8D45FC
lea eax, dword ptr [ebp-04]
:00420031 6A02
push 00000002
:00420033 50
push eax
:00420034 56
push esi
:00420035 E800FFFFFF call
0041FF3A
:0042003A 8D4708
lea eax, dword ptr [edi+08]
* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0042003D 6A04
push 00000004
:0042003F 50
push eax
:00420040 E82CFFFFFF call
0041FF71
:00420045 8945FC
mov dword ptr [ebp-04], eax
:00420048 8D45FC
lea eax, dword ptr [ebp-04]
:0042004B 6A02
push 00000002
:0042004D 50
push eax
:0042004E 56
push esi
:0042004F E8E6FEFFFF call
0041FF3A
:00420054 8D4584
lea eax, dword ptr [ebp-7C]
:00420057 50
push eax
:00420058 E825F5FFFF call
0041F582
:0042005D 0FB706
movzx eax, word ptr [esi]
:00420060 8D5E02
lea ebx, dword ptr [esi+02]
:00420063 50
push eax
:00420064 8D4584
lea eax, dword ptr [ebp-7C]
:00420067 53
push ebx
:00420068 50
push eax
:00420069 E83CF5FFFF call
0041F5AA
:0042006E 8D4584
lea eax, dword ptr [ebp-7C]
:00420071 50
push eax
:00420072 8D45DC
lea eax, dword ptr [ebp-24]
:00420075 50
push eax
:00420076 E8CDF5FFFF call
0041F648
:0042007B 83C440
add esp, 00000040
:0042007E 6A32
push 00000032
:00420080 6A00
push 00000000
:00420082 53
push ebx
:00420083 E898270000 call
00422820
:00420088 83C40C
add esp, 0000000C
:0042008B 33DB
xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200B1(C)
|
:0042008D 0FB7F3
movzx esi, bx
:00420090 8BC6
mov eax, esi
:00420092 D1E8
shr eax, 1
:00420094 8A0438
mov al, byte ptr [eax+edi]
:00420097 50
push eax
:00420098 E834FFFFFF call
0041FFD1
:0042009D 59
pop ecx
:0042009E 8A4C35DC
mov cl, byte ptr [ebp+esi-24]
:004200A2 83E10F
and ecx, 0000000F
:004200A5 38440DEC
cmp byte ptr [ebp+ecx-14], al ***
:004200A9 7510
jne 004200BB
:004200AB 43
inc ebx
:004200AC 43
inc ebx
:004200AD 6683FB10
cmp bx, 0010
:004200B1 72DA
jb 0042008D
:004200B3 6A01
push 00000001
:004200B5 58
pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200BD(U)
|
:004200B6 5F
pop edi
:004200B7 5E
pop esi
:004200B8 5B
pop ebx
:004200B9 C9
leave
:004200BA C3
ret
進入這裡後你將發現這裡就是比較的關鍵地方,你可以看到***處不斷同你輸入的註冊碼進行比較,在這裡你就可以得到你的註冊碼前8位的值,這樣就可以得到註冊碼了。但是像你這樣輸入的註冊碼,程式會提示是以前的註冊碼,那麼如何再分析呢?這就是一個經驗了,因為以前破解那個snagit時也遇到過同樣的問題。如何解決呢?原因是程式在下面會透過如下的程式碼得出這個結論:
:0040F7E3 6A02
push 00000002
:0040F7E5 57
push edi 第13,14位值(如:23)
:0040F7E6 E886070100 call
0041FF71 /*/*/*/*/*
:0040F7EB 59
pop ecx
:0040F7EC 83F841
cmp eax, 00000041 eax=23
:0040F7EF 59
pop ecx
:0040F7F0 7304
jnb 0040F7F6
:0040F7F2 33C0
xor eax, eax
:0040F7F4 EB03
jmp 0040F7F9
這裡是程式從上面的call返回後到達的地方。這個edi經分析是第13、14位的值,並且在下面用這兩位的值同41(十六進位)比較:如果你輸入的註冊碼中第13、14位合併後的值小於41,程式就認為是以前版本的註冊碼,所以在這裡只要先將第13位設為大於4的數就可以了。
現在設RN:01234567FFFFFFFFFF
再重複上面的那個驗證過程,就可以得到下面的註冊碼了。
*****************************
*
RN:E20C37EBFFFFFFFFFF *
*****************************