SnagIt! v5.2.1. (一) (10千字)
; -----------------------------------------------------------
; author: arbiter
; target: SnagIt! v5.2.1
; tools: SoftIce v4.05 for win2k ( only )
; time: 2001-6-24 2:37
; -----------------------------------------------------------
not say more than is needed, we are go into particulars.
firstly, fire up your SoftIce, and set the break point on GetWindowTextA,
go back into the SnagIt's register dialogbox,fill in some information at will,
then click the 'ok' button,SoftIce'll pop up as it hook at the api we set
just now. out of the api by pushing F10 about times. you can easyly find the
address ( offset: 47b01a ), here is the snippet of code over the offset: 47b01a
Possible StringData Ref from Data Obj ->""
|
0047AFDE A168264F00 mov
eax, dword ptr [004F2668]
0047AFE3 8944240C
mov dword ptr [esp+0C], eax
0047AFE7 C744241C00000000 mov [esp+1C], 00000000
0047AFEF 89442408
mov dword ptr [esp+08], eax
0047AFF3 8D44240C
lea eax, dword ptr [esp+0C]
0047AFF7 8BCE
mov ecx, esi
0047AFF9 50
push eax
0047AFFA 68ED270000 push
000027ED
0047AFFF C644242401 mov
[esp+24], 01
0047B004 E85F1C0200 call
0049CC68
0047B009 8D4C2408
lea ecx, dword ptr [esp+08]
0047B00D 51
push ecx
0047B00E 68EE270000 push
000027EE
0047B013 8BCE
mov ecx, esi
0047B015 E84E1C0200 call
0049CC68
0047B01A 8B8E94000000 mov ecx,
dword ptr [esi+00000094]
0047B020 8D542408
lea edx, dword ptr [esp+08]
0047B024 8D44240C
lea eax, dword ptr [esp+0C]
0047B028 52
push edx
0047B029 50
push eax
0047B02A 56
push esi
0047B02B E800E5FFFF call
00479530 <--- @ main routine here! @
0047B030 8BD8
mov ebx, eax
0047B032 8B868C000000 mov eax,
dword ptr [esi+0000008C]
0047B038 85C0
test eax, eax
0047B03A 0F85B7000000 jne 0047B0F7
0047B040 8B8E94000000 mov ecx,
dword ptr [esi+00000094]
0047B046 53
push ebx
0047B047 E8D4E2FFFF call
00479320
0047B04C 85C0
test eax, eax
0047B04E 0F84A3000000 je 0047B0F7
.
.
.
before the call 47b02b, it pushed your 'userName', 'userCode', that you
entered
for the inner checking routine. so we need go into the call. i ignore the slim
length
check for the entered name. after that we are here: 47955c
0047955C 8B7C2418
mov edi, dword ptr [esp+18]
00479560 8BCF
mov ecx, edi
00479562 E89CEB0100 call
00498103
00479567 8B07
mov eax, dword ptr [edi]
00479569 8B58F8
mov ebx, dword ptr [eax-08]
0047956C 83FB0E
cmp ebx, 0000000E
0047956F 0F8CB9000000 jl 0047962E
Possible StringData Ref from Data Obj ->"0123456789ABCDEF-"
|
00479575 6844204F00 push
004F2044
0047957A 50
push eax
0047957B E840DD0000 call
004872C0
00479580 83C408
add esp, 00000008
00479583 3BC3
cmp eax, ebx
00479585 0F85A3000000 jne 0047962E
Possible StringData Ref from Data Obj ->""
|
0047958B 6864664F00 push
004F6664
Possible StringData Ref from Data Obj ->"-"
|
00479590 6840204F00 push
004F2040
00479595 8BCF
mov ecx, edi
00479597 E853E40100 call
004979EF
0047959C 8B07
mov eax, dword ptr [edi]
0047959E 8B4D00
mov ecx, dword ptr [ebp+00]
004795A1 8B16
mov edx, dword ptr [esi]
004795A3 50
push eax
004795A4 51
push ecx
004795A5 8BCE
mov ecx, esi
004795A7 FF520C
call [edx+0C]
004795AA 8BD8
mov ebx, eax
004795AC 80FB01
cmp bl, 01
004795AF 7545
jne 004795F6
we'll be warned with the nag and kicked off from the code, if bl got
0 from above call. and that call is most important call for calculate
the real RegCode and use it to compare with our fake key. so you should
know how to do with your brute forcing way. whereas out purpose was to
find out the scheme that the SnagIt use to generate the real RegCode and
got one of certified informations by ourself. so go on. we're more and
more closer with our final goal from now on.
go into the most important call at address 4795a7 that mentioned above.
and you'll get a little confusion about the code below, and do not be
worry about that. i'll nevigate you throughout it.
0045A9B3 B824194C00 mov
eax, 004C1924
0045A9B8 E8CFA60200 call
0048508C
0045A9BD 83EC58
sub esp, 00000058
0045A9C0 53
push ebx
0045A9C1 56
push esi
0045A9C2 57
push edi
0045A9C3 894DE4
mov dword ptr [ebp-1C], ecx
0045A9C6 FF750C
push [ebp+0C]
0045A9C9 33DB
xor ebx, ebx
0045A9CB 8D4D0C
lea ecx, dword ptr [ebp+0C]
0045A9CE 895DEC
mov dword ptr [ebp-14], ebx
0045A9D1 C745E001000000 mov [ebp-20],
00000001
0045A9D8 885DF2
mov byte ptr [ebp-0E], bl
0045A9DB C645F301
mov [ebp-0D], 01
0045A9DF E898530400 call
0049FD7C
0045A9E4 8B450C
mov eax, dword ptr [ebp+0C]
0045A9E7 895DFC
mov dword ptr [ebp-04], ebx
0045A9EA 8B40F8
mov eax, dword ptr [eax-08]
0045A9ED 83F80E
cmp eax, 0000000E
0045A9F0 0F8C65010000 jl 0045AB5B
all of above code do some initializations and the call nearby are checking
if the entered key is illegal by counting the number of the every chars of the
key except for the non-hexadecimal number( legal char is between 0~F ). and
compare the result with 0Eh, game over if they are not equal. so do remember
the legal RegCode is composed with the hexadecimal number.
0045A9F6 6A02
push 00000002
0045A9F8 8D45E8
lea eax, dword ptr [ebp-18]
0045A9FB 6A0C
push 0000000C
0045A9FD 50
push eax
0045A9FE 8D4D0C
lea ecx, dword ptr [ebp+0C]
0045AA01 E86FD10300 call
00497B75 <--- get last two num.
0045AA06 8B00
mov eax, dword ptr [eax]
call at 497b75 fetched the last two numbers of the fake key and store
it
for later use. exp: char num[2];
0045AA08 6A10
push 00000010
0045AA0A 53
push ebx
0045AA0B 50
push eax
0045AA0C E803B80200 call
00486214 <---
this call converted the number from ASCII to hexadecima.
exp: dword
h_num = atoi( num );
0045AA11 83C40C
add esp, 0000000C
0045AA14 8D4DE8
lea ecx, dword ptr [ebp-18]
0045AA17 8BF8
mov edi, eax
0045AA19 E8F0520400 call
0049FD0E
here move the h_num to di and compare it with 041h, if it shy, then
game over. add it with 0ffbf and check the al with 050h, that use to
switch the program from two flows. if the addition result less than 050h
it will involve the userName procedure, else it's simply to cope with.
i forgot commenting some code above, heihei, but it just the simple MD5
HASH digest for the userName. the whole routine mainly use the MD5 HASH
function two times to produce an 128 bit value, finaly picking up bytes
from the result and using it to look up the hex-table to yield the real
RegCode.i assume its name string3. the string1 is yielded by firstly MD5
HASH with the userName. string2 is made up with the string1 and last 6
number of the fake key, use the string2 to do the second MD5 HASH function
to yield the string3. later on i'll explain it in details.
相關文章
- 初學者,不知道有沒有機會進入[CCG]? 附:SNAGIT32 5.10破解。
(5千字)2000-09-28Git
- Snagit好用嗎?Snagit 2022最全快捷鍵指南2022-02-20Git
- Snagit 截圖工具2013-05-14Git
- 轉載一篇破解教程(LeapFTP) (10千字)2001-03-29FTP
- 滾動截圖王:Snagit漢化直裝2022-10-13Git
- Snagit 2022,螢幕錄製2021-12-12Git
- SnagIt
v6.21零售版2004-09-21Git
- 初學者(10) (8千字)2000-05-14
- 最最好用的截圖軟體—Snagit for Mac2020-09-27GitMac
- IPTools 1.10 破解 (5千字)2001-02-11
- 超星PDG轉換(10千字)2015-11-15
- 關於VB P-CODE的一些總結 (10千字)2015-11-15
- 螢幕截圖工具Snagit 2022 mac2022-07-15GitMac
- TechSmith Snagit 2022螢幕截圖工具2022-09-27MITGit
- Snagit 2022 for Mac(螢幕截圖工具)2022-09-07GitMac
- SEH in ASM 研究(一) (7千字)2001-12-29ASM
- Snagit 2023 for Mac(螢幕截圖軟體)2022-10-26GitMac
- 最強大的螢幕截圖軟體:Snagit for mac2024-01-12GitMac
- WinKawaks 1.45脫殼筆記
(10千字)2002-08-12筆記
- 解開硬碟邏輯死鎖的一種有效方法 (轉貼) (10千字)2001-06-10硬碟
- Soundnailsd的破解教程(一) (9千字)2001-10-17AI
- Delphi元件破解教程(一)
(3千字)2015-11-15元件
- Snagit 2019 for Mac 最好用的截圖軟體2022-01-25GitMac
- TechSmith Snagit mac最強大的螢幕截圖軟體2023-04-14MITGitMac
- dbpe2.10的asm SDK (3千字)2002-11-03ASM
- BananaSplitter 1.0破解實戰 (10千字)2000-09-11NaN
- dfx V4.0破解過程 (10千字)2000-09-24
- The Cleaner 3.2 BUILD 3205的破解(10千字)2001-01-27UI
- 脫Flashfxp 1.3 build 780的殼 (10千字)2001-08-15UI
- MD5演算法研究 (10千字)2015-11-15演算法
- Snagit 2022漢化啟用版(mac截圖軟體)2023-10-30GitMac
- 一點脫殼經驗。(7千字)2001-04-20
- MFC 程式的跟蹤 (一) (6千字)2001-05-01
- 一篇破解入門 (7千字)2000-09-04
- Fine Print 2000的破解思路 (10千字)2000-09-26
- CPUCOOL 5.1000註冊碼分析 (6千字)2001-01-19
- Ip tools v1.10破解法 (4千字)2001-02-26
- windows優化大師 v1.0.2.7 (10千字)2001-03-11Windows優化