好長時間沒有向這裡貼文章了，今天寫一個比較簡單的，難度不在，不過沒有下載地址。 (18千字)

DubIt V2.01
類別：影片工具
版本：2.01
檔案大小：1897KB
授權：共享軟體
執行平臺：Win95/98/NT
作者網站：http://programhunter.126.com
軟體簡介：可在觀看Image或Movie的時候，實時加入語音，然後生成標準的.AVI檔案。
追蹤：name：dahuilang
RN：01234567
這個軟體是同著名的snagit32圖象捕捉軟體是同一個公司出口的軟體。所以在破解它時同破解snigit的軟體是相同的。現在開始破解，在輸入註冊碼前，你一定要寫一個表格後，才能輸入註冊碼。記得一定要是公司的名字才是有效的。
:0040DCFA 8BD8 mov ebx, eax <-從這裡出來
:0040DCFC 83FB12 cmp ebx, 00000012
:0040DCFF 0F8C4B010000 jl 0040DE50
程式在這裡比較你的註冊碼是否小於18位，所以在這裡可以設RN：01234567890123456789，向下追蹤：
:0040DD05 8D4760 lea eax, dword ptr [edi+60]

* Possible StringData Ref from Data Obj ->"0123456789ABCDEF-"
|
:0040DD08 6854CD4500 push 0045CD54
:0040DD0D 50 push eax
:0040DD0E E8ED4F0100 call 00422D00
:0040DD13 59 pop ecx
:0040DD14 3BC3 cmp eax, ebx
:0040DD16 59 pop ecx
:0040DD17 0F8533010000 jne 0040DE50
:0040DD1D 8D4F60 lea ecx, dword ptr [edi+60]
:0040DD20 8D5C3B60 lea ebx, dword ptr [ebx+edi+60]
:0040DD24 3BCB cmp ecx, ebx
:0040DD26 8BC1 mov eax, ecx
:0040DD28 7312 jnb 0040DD3C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040DD30(U), :0040DD3A(C)
|
:0040DD2A 80392D cmp byte ptr [ecx], 2D
:0040DD2D 7503 jne 0040DD32
:0040DD2F 41 inc ecx
:0040DD30 EBF8 jmp 0040DD2A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD2D(C)
|
:0040DD32 8A11 mov dl, byte ptr [ecx]
:0040DD34 8810 mov byte ptr [eax], dl
:0040DD36 40 inc eax
:0040DD37 41 inc ecx
:0040DD38 3BC3 cmp eax, ebx
:0040DD3A 72EE jb 0040DD2A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD28(C)
|
:0040DD3C 802000 and byte ptr [eax], 00
:0040DD3F 8D4760 lea eax, dword ptr [edi+60]
:0040DD42 50 push eax
:0040DD43 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD46 E8CD4C0200 call 00432A18
:0040DD4B 8D45F8 lea eax, dword ptr [ebp-08]

* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0040DD4E 6A04 push 00000004
:0040DD50 50 push eax
:0040DD51 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD54 8D5F5C lea ebx, dword ptr [edi+5C]
:0040DD57 E8DC1E0200 call 0042FC38
:0040DD5C 50 push eax
:0040DD5D 8BCB mov ecx, ebx
:0040DD5F E8334D0200 call 00432A97
:0040DD64 8D4DF8 lea ecx, dword ptr [ebp-08]
:0040DD67 E83E4C0200 call 004329AA
:0040DD6C 8B45FC mov eax, dword ptr [ebp-04]
:0040DD6F 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD72 8B40F8 mov eax, dword ptr [eax-08]
:0040DD75 83C0FC add eax, FFFFFFFC
:0040DD78 50 push eax
:0040DD79 8D45F8 lea eax, dword ptr [ebp-08]
:0040DD7C 50 push eax
:0040DD7D E8321F0200 call 0042FCB4
:0040DD82 50 push eax
:0040DD83 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD86 E80C4D0200 call 00432A97
:0040DD8B 8D4DF8 lea ecx, dword ptr [ebp-08]
:0040DD8E E8174C0200 call 004329AA
:0040DD93 8B1B mov ebx, dword ptr [ebx]
:0040DD95 6A10 push 00000010
:0040DD97 6A05 push 00000005
:0040DD99 8BCE mov ecx, esi
:0040DD9B FF75FC push [ebp-04]
:0040DD9E 53 push ebx
:0040DD9F E864190000 call 0040F708
:0040DDA4 6A01 push 00000001
:0040DDA6 8BD8 mov ebx, eax
:0040DDA8 58 pop eax
:0040DDA9 3AD8 cmp bl, al *******
:0040DDAB 0F8583000000 jne 0040DE34
:0040DDB1 83A6D000000000 and dword ptr [esi+000000D0], 00000000
:0040DDB8 8986C4000000 mov dword ptr [esi+000000C4], eax
:0040DDBE 8D4760 lea eax, dword ptr [edi+60]
:0040DDC1 8BCE mov ecx, esi
:0040DDC3 50 push eax

* Possible StringData Ref from Data Obj ->"RegistrationKey"
|
:0040DDC4 6844CD4500 push 0045CD44

* Possible StringData Ref from Data Obj ->"Settings"
|
:0040DDC9 6864C64500 push 0045C664
:0040DDCE E8D4100300 call 0043EEA7
:0040DDD3 8B761C mov esi, dword ptr [esi+1C]
:0040DDD6 FF761C push [esi+1C]
程式在***處是一個關鍵的跳躍，因為下面有一個比較明顯的地方，"RegistrationKey"這個地方就是程式將要向登錄檔中寫入資料的鍵值，所以現在應當分析一下那個比較的地方。現在就進入call 0040F708中。
:0040F708 55 push ebp
:0040F709 8BEC mov ebp, esp
:0040F70B 83EC4C sub esp, 0000004C
:0040F70E 8365F800 and dword ptr [ebp-08], 00000000
:0040F712 8065FE00 and byte ptr [ebp-02], 00
:0040F716 53 push ebx
:0040F717 56 push esi
:0040F718 57 push edi
:0040F719 6A0F push 0000000F
:0040F71B 8D45E8 lea eax, dword ptr [ebp-18]
:0040F71E 6A00 push 00000000
:0040F720 8BD9 mov ebx, ecx
:0040F722 50 push eax
:0040F723 C645FF01 mov [ebp-01], 01
:0040F727 E8F4300100 call 00422820
:0040F72C 8B7D0C mov edi, dword ptr [ebp+0C]

* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:0040F72F 8B35D0C24400 mov esi, dword ptr [0044C2D0]
:0040F735 83C40C add esp, 0000000C
:0040F738 57 push edi
:0040F739 FFD6 call esi
:0040F73B 50 push eax
:0040F73C 8D45E8 lea eax, dword ptr [ebp-18]
:0040F73F 57 push edi
:0040F740 50 push eax
:0040F741 E86A290100 call 004220B0
:0040F746 83C40C add esp, 0000000C
:0040F749 66837D1005 cmp word ptr [ebp+10], 0005
:0040F74E 7413 je 0040F763
:0040F750 66837D1006 cmp word ptr [ebp+10], 0006
:0040F755 740C je 0040F763
:0040F757 FF7508 push [ebp+08]
:0040F75A 8BCB mov ecx, ebx
:0040F75C E8BD000000 call 0040F81E
:0040F761 EB0F jmp 0040F772

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F74E(C), :0040F755(C)
|
:0040F763 6A10 push 00000010
:0040F765 6A00 push 00000000
:0040F767 FF7508 push [ebp+08]
:0040F76A E890390100 call 004230FF
:0040F76F 83C40C add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F761(U)
|
:0040F772 8945F8 mov dword ptr [ebp-08], eax
:0040F775 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F778 50 push eax
:0040F779 E8B0070100 call 0041FF2E
:0040F77E 85C0 test eax, eax
:0040F780 59 pop ecx
:0040F781 7509 jne 0040F78C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F7A0(C), :0040F7B6(C)
|
:0040F783 8065FF00 and byte ptr [ebp-01], 00
:0040F787 E983000000 jmp 0040F80F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F781(C)
|
:0040F78C 8D4510 lea eax, dword ptr [ebp+10]
:0040F78F 6A02 push 00000002
:0040F791 50 push eax
:0040F792 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F795 50 push eax
:0040F796 E89F070100 call 0041FF3A
:0040F79B 83C40C add esp, 0000000C
:0040F79E 85C0 test eax, eax
:0040F7A0 74E1 je 0040F783
:0040F7A2 8D45F8 lea eax, dword ptr [ebp-08]
:0040F7A5 6A02 push 00000002
:0040F7A7 50 push eax
:0040F7A8 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F7AB 50 push eax
:0040F7AC E889070100 call 0041FF3A
:0040F7B1 83C40C add esp, 0000000C
:0040F7B4 85C0 test eax, eax
:0040F7B6 74CB je 0040F783
:0040F7B8 8D45E8 lea eax, dword ptr [ebp-18]
:0040F7BB 50 push eax
:0040F7BC 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F7BF 50 push eax
:0040F7C0 E823080100 call 0041FFE8
:0040F7C5 59 pop ecx
:0040F7C6 85C0 test eax, eax
:0040F7C8 59 pop ecx
:0040F7C9 7509 jne 0040F7D4
:0040F7CB 2045FF and byte ptr [ebp-01], al *****
:0040F7CE C645FE0A mov [ebp-02], 0A
:0040F7D2 EB3B jmp 0040F80F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7C9(C)
|
:0040F7D4 0FB75D14 movzx ebx, word ptr [ebp+14]
:0040F7D8 57 push edi
:0040F7D9 FFD6 call esi
:0040F7DB 83F80E cmp eax, 0000000E
:0040F7DE 7C27 jl 0040F807
:0040F7E0 83C70C add edi, 0000000C
:0040F7E3 6A02 push 00000002
:0040F7E5 57 push edi
:0040F7E6 E886070100 call 0041FF71 /*/*/*/*/*
:0040F7EB 59 pop ecx
:0040F7EC 83F841 cmp eax, 00000041
:0040F7EF 59 pop ecx
:0040F7F0 7304 jnb 0040F7F6
:0040F7F2 33C0 xor eax, eax
:0040F7F4 EB03 jmp 0040F7F9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F0(C)
|
:0040F7F6 83E841 sub eax, 00000041

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F4(U)
|
:0040F7F9 3BC3 cmp eax, ebx
:0040F7FB 7312 jnb 0040F80F
:0040F7FD 8065FF00 and byte ptr [ebp-01], 00
:0040F801 C645FE0B mov [ebp-02], 0B
:0040F805 EB08 jmp 0040F80F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7DE(C)
|
:0040F807 8065FF00 and byte ptr [ebp-01], 00
:0040F80B C645FE0C mov [ebp-02], 0C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F787(U), :0040F7D2(U), :0040F7FB(C), :0040F805(U)
|
:0040F80F 33C0 xor eax, eax
:0040F811 5F pop edi
:0040F812 8A65FE mov ah, byte ptr [ebp-02]
:0040F815 5E pop esi
:0040F816 8A45FF mov al, byte ptr [ebp-01]
:0040F819 5B pop ebx
:0040F81A C9 leave
:0040F81B C21000 ret 0010
現在進入後分析一下，我們將要得到什麼值才能在外面的那個比較的地方不跳躍，應當是al值，所以這裡將先看一看al返回前那個值是由什麼決定的。現在先從後面來看一看，發現程式將使用[ebp-01]來決定al值，那麼就先分析[ebp-01]的的值在什麼地方可以變化。因為在外面的比較地方只有當al=1時，才能註冊成功，所以看一看在哪裡可以得到[ebp-01]=1。我們發現在*****處可以使用[ebp-01]=al，當al=1時就滿足條件的。所以進入call 0041FFE8中
:0041FFE8 55 push ebp
:0041FFE9 8BEC mov ebp, esp
:0041FFEB 83EC7C sub esp, 0000007C
:0041FFEE 6A30 push 00000030
:0041FFF0 33C9 xor ecx, ecx
:0041FFF2 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420000(C)
|
:0041FFF3 0FB7D1 movzx edx, cx
:0041FFF6 41 inc ecx
:0041FFF7 884415EC mov byte ptr [ebp+edx-14], al
:0041FFFB 40 inc eax
:0041FFFC 663D3900 cmp ax, 0039
:00420000 76F1 jbe 0041FFF3
:00420002 6A41 push 00000041
:00420004 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420012(C)
|
:00420005 0FB7D1 movzx edx, cx
:00420008 41 inc ecx
:00420009 884415EC mov byte ptr [ebp+edx-14], al
:0042000D 40 inc eax
:0042000E 663D4600 cmp ax, 0046
:00420012 76F1 jbe 00420005
:00420014 53 push ebx
:00420015 56 push esi
:00420016 57 push edi
:00420017 8B7D0C mov edi, dword ptr [ebp+0C]
:0042001A 6A02 push 00000002
:0042001C 894DFC mov dword ptr [ebp-04], ecx
:0042001F 8D470C lea eax, dword ptr [edi+0C]
:00420022 50 push eax
:00420023 E849FFFFFF call 0041FF71
:00420028 8B7508 mov esi, dword ptr [ebp+08]
:0042002B 8945FC mov dword ptr [ebp-04], eax
:0042002E 8D45FC lea eax, dword ptr [ebp-04]
:00420031 6A02 push 00000002
:00420033 50 push eax
:00420034 56 push esi
:00420035 E800FFFFFF call 0041FF3A
:0042003A 8D4708 lea eax, dword ptr [edi+08]

* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0042003D 6A04 push 00000004
:0042003F 50 push eax
:00420040 E82CFFFFFF call 0041FF71
:00420045 8945FC mov dword ptr [ebp-04], eax
:00420048 8D45FC lea eax, dword ptr [ebp-04]
:0042004B 6A02 push 00000002
:0042004D 50 push eax
:0042004E 56 push esi
:0042004F E8E6FEFFFF call 0041FF3A
:00420054 8D4584 lea eax, dword ptr [ebp-7C]
:00420057 50 push eax
:00420058 E825F5FFFF call 0041F582
:0042005D 0FB706 movzx eax, word ptr [esi]
:00420060 8D5E02 lea ebx, dword ptr [esi+02]
:00420063 50 push eax
:00420064 8D4584 lea eax, dword ptr [ebp-7C]
:00420067 53 push ebx
:00420068 50 push eax
:00420069 E83CF5FFFF call 0041F5AA
:0042006E 8D4584 lea eax, dword ptr [ebp-7C]
:00420071 50 push eax
:00420072 8D45DC lea eax, dword ptr [ebp-24]
:00420075 50 push eax
:00420076 E8CDF5FFFF call 0041F648
:0042007B 83C440 add esp, 00000040
:0042007E 6A32 push 00000032
:00420080 6A00 push 00000000
:00420082 53 push ebx
:00420083 E898270000 call 00422820
:00420088 83C40C add esp, 0000000C
:0042008B 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200B1(C)
|
:0042008D 0FB7F3 movzx esi, bx
:00420090 8BC6 mov eax, esi
:00420092 D1E8 shr eax, 1
:00420094 8A0438 mov al, byte ptr [eax+edi]
:00420097 50 push eax
:00420098 E834FFFFFF call 0041FFD1
:0042009D 59 pop ecx
:0042009E 8A4C35DC mov cl, byte ptr [ebp+esi-24]
:004200A2 83E10F and ecx, 0000000F
:004200A5 38440DEC cmp byte ptr [ebp+ecx-14], al ***
:004200A9 7510 jne 004200BB
:004200AB 43 inc ebx
:004200AC 43 inc ebx
:004200AD 6683FB10 cmp bx, 0010
:004200B1 72DA jb 0042008D
:004200B3 6A01 push 00000001
:004200B5 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200BD(U)
|
:004200B6 5F pop edi
:004200B7 5E pop esi
:004200B8 5B pop ebx
:004200B9 C9 leave
:004200BA C3 ret
進入這裡後你將發現這裡將是比較的關鍵地方，你可以看到***不斷同你輸入的註冊碼進行比較，在這裡你就可以得到你的註冊碼前8位的值，這樣就可以得到註冊碼了。但是象你這樣輸入的註冊碼程式提示是以前的註冊碼，那麼如何再分析呢？這個就是一個經驗了，因為在以前破解那個snagit時也遇到過這樣的問題，如何解決呢？就是程式將在下面將使用得到這樣的結論，如下：
:0040F7E3 6A02 push 00000002
:0040F7E5 57 push edi 第13，14位值（如：23）
:0040F7E6 E886070100 call 0041FF71 /*/*/*/*/*
:0040F7EB 59 pop ecx
:0040F7EC 83F841 cmp eax, 00000041 eax=23
:0040F7EF 59 pop ecx
:0040F7F0 7304 jnb 0040F7F6
:0040F7F2 33C0 xor eax, eax
:0040F7F4 EB03 jmp 0040F7F9
這裡是程式從上面的call下來後，到達這裡，這個edi經分析是第13，14位值，並且在下面使用這兩個值同41比較，如果你輸入的註冊碼中第13，14位值合併後小於這個41的話，程式就認為是以前的版本，所以在這裡只要先將第13位設大於4的數就可以了。
現在設RN：01234567FFFFFFFFFF
再進行上面的那個驗證過程，就可以得到下面的註冊碼了。

*****************************
* RN：E20C37EBFFFFFFFFFF *
*****************************

好長時間沒有向這裡貼文章了，今天寫一個比較簡單的，難度不在，不過沒有下載地址。 (18千字)

相關文章