即時語音提示 & 校對軟體InsTalk註冊碼及序號產生器-初學者請看 (24千字)
即時語音提示 & 校對軟體InsTalk註冊碼及序號產生器-初學者請看
軟體說明:即時語音提示&校對軟體 InsTalk 是面向
Windows 9x/NT 的工具軟體。利用它使用者可以讓電腦說漢語普通話。它有兩種工作狀態。一種是在使用鍵盤輸入數字和英文字元時,可以跟隨錄入的字元即時發出相應的語音提示。另一種是讓電腦朗讀中文。
使用工具:TRW2000、PW32Dasm9b.EXE、KeyMaker。
由於受軟體提示資訊的影響,整個破解過程走了不少彎路:輸入註冊資訊後,軟體提示關閉並重新啟動軟體以驗證註冊碼,但重新啟動時,試了很多斷點還是找不到註冊碼(其實可以找到,但此註冊碼並非你所輸入的註冊名和單位生成,而是註冊名和單位為空時的註冊碼),後來透過對登錄檔的監視,當軟體註冊碼錯誤時,程式根本就不往登錄檔裡寫入。所以,判斷註冊碼的工作應該在輸入註冊資訊的時候就已經進行了,作者給我們開了個大玩笑?!!
==========================================================================================
1、啟動程式,填寫註冊資訊,Ctrl-n,bpx hmemcpy,F5返回,按“註冊”按鈕,程式攔下。
2、bc *,pmodule。
3、按兩次F10,來到下面:
:004073D0 8D8C2444010000
lea ecx, dword ptr [esp+00000144]
:004073D7 6800010000
push 00000100
:004073DC 51
push ecx
:004073DD
680D040000 push 0000040D
:004073E2 8BCE
mov ecx, esi
:004073E4 8944243C
mov dword ptr [esp+3C], eax
:004073E8 E8D4540100
call 0041C8C1
:004073ED 8BC8
mov ecx, eax
:004073EF
E815560100 call 0041CA09
:004073F4 8D942444020000 lea edx, dword ptr
[esp+00000244]
:004073FB 6800010000
push 00000100
:00407400 52
push edx
:00407401 680F040000
push 0000040F
:00407406 8BCE
mov ecx, esi
:00407408
89442440 mov dword ptr
[esp+40], eax
:0040740C E8B0540100
call 0041C8C1
:00407411 8BC8
mov ecx, eax
:00407413 E8F1550100
call 0041CA09
:00407418 89442438
mov dword ptr [esp+38], eax
:0040741C E86FB20100 call 00422690
:00407421 8B6804
mov ebp, dword ptr [eax+04]
:00407424 A158E74200
mov eax, dword ptr [0042E758]
:00407429 8D8C2444010000
lea ecx, dword ptr [esp+00000144]
:00407430 896C241C
mov dword ptr [esp+1C], ebp
:00407434 51
push ecx
:00407435 8D4C241C
lea ecx, dword ptr [esp+1C]
:00407439 8944241C
mov dword ptr [esp+1C], eax
:0040743D
E8F55F0100 call 0041D437
:00407442 6A19
push 00000019
:00407444 51
push ecx
:00407445 8D94244C020000
lea edx, dword ptr [esp+0000024C]
:0040744C 33DB
xor ebx, ebx
:0040744E 8BCC
mov ecx, esp
:00407450 89642444
mov dword ptr [esp+44], esp
:00407454 52
push edx
:00407455
899C2458030000 mov dword ptr [esp+00000358],
ebx
:0040745C E84FD7FFFF
call 00404BB0
:00407461 8D44244C
lea eax, dword ptr [esp+4C]
:00407465 8D4C2434
lea ecx, dword ptr [esp+34]
:00407469
50
push eax
:0040746A C684245803000001 mov byte ptr
[esp+00000358], 01
:00407472 E839D7FFFF
call 00404BB0
:00407477 51
push ecx
:00407478 8D542424
lea edx, dword ptr [esp+24]
:0040747C 8BCC
mov ecx, esp
:0040747E 8964244C
mov dword ptr [esp+4C], esp
:00407482 52
push edx
:00407483
50
push eax
:00407484 51
push ecx
:00407485 C684246403000002
mov byte ptr [esp+00000364], 02
:0040748D E80A600100
call 0041D49C
:00407492 C684245803000003
mov byte ptr [esp+00000358], 03
:0040749A E821D6FFFF
call 00404AC0(此處改變eax的值,說明對註冊碼進行了判斷)
:0040749F 83C40C
add esp, 0000000C
:004074A2 8D4C242C
lea ecx, dword ptr [esp+2C]
:004074A6 8BF8
mov edi, eax(這裡將eax的值賦予edi)
:004074A8 889C244C030000 mov byte ptr [esp+0000034C],
bl
:004074AF E88A5E0100 call
0041D33E
:004074B4 8D4C2418
lea ecx, dword ptr [esp+18]
:004074B8 C784244C030000FFFFFFFF
mov dword ptr [esp+0000034C], FFFFFFFF
:004074C3 E8765E0100
call 0041D33E
:004074C8 3BFB
cmp edi, ebx
:004074CA
0F849C000000 je 0040756C(此處若不跳,則可將錯誤的註冊資訊強制寫入登錄檔)
:004074D0 8D742444
lea esi, dword ptr [esp+44]
:004074D4 8D6C2430
lea ebp, dword ptr [esp+30]
==========================================================================================
在:0040749A E821D6FFFF call
00404AC0處按F8進入:
:00404AC0 64A100000000
mov eax, dword ptr fs:[00000000]
:00404AC6 6AFF
push FFFFFFFF
:00404AC8
6800414200 push 00424100
:00404ACD 50
push eax
:00404ACE 64892500000000
mov dword ptr fs:[00000000], esp
:00404AD5 53
push ebx
:00404AD6 56
push esi
:00404AD7 8B442420
mov eax, dword ptr [esp+20]
:00404ADB 8D542418
lea edx, dword ptr [esp+18]
:00404ADF 50
push eax
:00404AE0 51
push ecx
:00404AE1 8BCC
mov ecx, esp
:00404AE3 89642428
mov dword ptr [esp+28], esp
:00404AE7
52
push edx
:00404AE8 C744241C01000000 mov [esp+1C],
00000001
:00404AF0 E8BE850100
call 0041D0B3
:00404AF5 8D442428
lea eax, dword ptr [esp+28]
:00404AF9 50
push eax
:00404AFA
E801260000 call 00407100(算註冊碼)
:00404AFF 8B742428
mov esi, dword ptr [esp+28](將錯誤的註冊碼賦予esi)
:00404B03 8B00
mov eax, dword ptr [eax](將正確的註冊碼賦予eax)
:00404B05 83C40C
add esp, 0000000C(在此處d eax看到真正的註冊碼)
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00404B2A(C)
|
:00404B08 8A10
mov dl, byte ptr
[eax](取真碼第一位)
:00404B0A 8A1E
mov bl, byte ptr [esi](取假碼第一位)
:00404B0C 8ACA
mov cl, dl(將真碼第一位賦予cl)
:00404B0E 3AD3
cmp dl, bl(比較兩值是否相同)
:00404B10 751E
jne 00404B30(不同就跳到00404B30,比較失敗)
:00404B12
84C9 test
cl, cl(測試cl是否為空,即判斷是否已全部比較完)
:00404B14 7416
je 00404B2C(如果比較完畢,則跳到00404B2C)
:00404B16
8A5001 mov dl, byte
ptr [eax+01](取真碼下一位)
:00404B19 8A5E01
mov bl, byte ptr [esi+01](取假碼下一位)
:00404B1C 8ACA
mov cl, dl
:00404B1E 3AD3
cmp dl, bl
:00404B20 750E
jne 00404B30(不同就跳到00404B30,比較失敗)
:00404B22 83C002
add eax, 00000002(去掉真碼前兩位,為下一輪比較做準備)
:00404B25 83C602
add esi, 00000002(去掉假碼前兩位,為下一輪比較做準備)
:00404B28 84C9
test cl, cl(測試cl是否為空,即判斷是否已全部比較完)
:00404B2A 75DC
jne 00404B08(返回00404B08繼續比較)
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00404B14(C)
|
:00404B2C 33C0
xor eax, eax(註冊碼正確時,跳到此行)
:00404B2E EB05
jmp 00404B35
* Referenced by a (U)nconditional or (C)onditional Jump
at Addresses:
|:00404B10(C), :00404B20(C)
|
:00404B30 1BC0
sbb eax, eax(註冊碼錯誤時,跳到此行)
:00404B32 83D8FF
sbb eax, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00404B2E(U)
|
:00404B35 85C0
test eax, eax
:00404B37
0F94C0 sete al
:00404B3A 25FF000000 and eax,
000000FF
:00404B3F 8D4C2420
lea ecx, dword ptr [esp+20]
:00404B43 8BF0
mov esi, eax(將eax的值賦予esi)
:00404B45
E8F4870100 call 0041D33E
:00404B4A 8D4C2418 lea
ecx, dword ptr [esp+18]
:00404B4E C644241000
mov [esp+10], 00
:00404B53 E8E6870100
call 0041D33E
:00404B58 8D4C241C
lea ecx, dword ptr [esp+1C]
:00404B5C
C7442410FFFFFFFF mov [esp+10], FFFFFFFF
:00404B64
E8D5870100 call 0041D33E
:00404B69 8B4C2408 mov
ecx, dword ptr [esp+08]
:00404B6D 8BC6
mov eax, esi(將esi的值賦予eax)
:00404B6F 5E
pop esi
:00404B70 64890D00000000 mov dword ptr
fs:[00000000], ecx
:00404B77 5B
pop ebx
:00404B78 83C40C
add esp, 0000000C
:00404B7B
C3
ret
==========================================================================================
4、以下是對程式重新啟動後的一些分析:
程式一開始有個歡迎提示框,提示是共享版還是註冊版,可見在此之前已經判斷了是否已經註冊,所以目的就是找出出現這個提示框的最後一個關鍵Call。
用trw2000載入InsTalk.exe,結合F10、F9、F6鍵就可找到這個Call(具體操作方法可參考我寫的Acdsee4.0的破解,在看雪論壇以我的註冊名esoft2001.51.net搜尋就能找到)
:0041F76B 8B06
mov eax, dword ptr [esi]
:0041F76D 8BCE
mov ecx, esi
:0041F76F FF5050
call [eax+50](此處是出現提示框,應該快接近核心了。即使判斷錯也沒關係,可以繼續再試嘛!)
:0041F772 85C0
test eax, eax
:0041F774 7515
jne 0041F78B
==========================================================================================
F8進入上面的Call,看到下面程式碼:
:004046D0 6AFF
push FFFFFFFF
:004046D2 68DD404200
push 004240DD
:004046D7 64A100000000
mov eax, dword ptr fs:[00000000]
……………………略去一些程式碼
* Possible Reference to Dialog:
|
:004047A7 68D0E04200
push 0042E0D0
:004047AC 8BCE
mov ecx, esi
:004047AE C68424F404000002
mov byte ptr [esp+000004F4], 02
:004047B6 E8DBDA0100
call 00422296
:004047BB 8D4C2424
lea ecx, dword ptr [esp+24]
:004047BF C68424E404000001 mov byte ptr [esp+000004E4],
01
:004047C7 E8728B0100 call
0041D33E
:004047CC 8D4C241C
lea ecx, dword ptr [esp+1C]
:004047D0 C68424E404000000
mov byte ptr [esp+000004E4], 00
:004047D8 E8618B0100
call 0041D33E
:004047DD 8B5500
mov edx, dword ptr [ebp+00]
:004047E0 42
inc edx
:004047E1 52
push edx
:004047E2 E8BC590000
call 0040A1A3
:004047E7 8BF8
mov edi, eax
:004047E9
8B442414 mov eax, dword
ptr [esp+14]
:004047ED 83C404
add esp, 00000004
:004047F0 897C2418
mov dword ptr [esp+18], edi
:004047F4 85C0
test eax, eax(判斷是否將註冊資訊寫入登錄檔,若無則eax=0)
:004047F6 897C9C2C
mov dword ptr [esp+4*ebx+2C], edi
:004047FA 7428
je 00404824
:004047FC 8B4D00
mov ecx, dword ptr [ebp+00]
:004047FF 8BF0
mov esi, eax
:00404801 8BC1
mov eax, ecx
:00404803 C1E902
shr ecx, 02
:00404806 F3
repz
:00404807 A5
movsd
:00404808 8BC8
mov ecx, eax
:0040480A 83E103
and ecx, 00000003
:0040480D F3
repz
:0040480E
A4
movsb
:0040480F 8B4C2410
mov ecx, dword ptr [esp+10]
:00404813 51
push ecx
:00404814 E88F880100
call 0041D0A8
:00404819 8B7C241C
mov edi, dword ptr [esp+1C]
:0040481D 8B742424 mov
esi, dword ptr [esp+24]
:00404821 83C404
add esp, 00000004
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004047FA(C)
|
:00404824 8B5500
mov edx, dword ptr [ebp+00]
:00404827 6A00
push 00000000
:00404829 52
push edx
:0040482A 57
push edi
:0040482B
E8802A0000 call 004072B0
:00404830 8B4500
mov eax, dword ptr [ebp+00]
:00404833 83C40C
add esp, 0000000C
:00404836 43
inc ebx
:00404837
83FB03 cmp ebx,
00000003
:0040483A C6043800
mov byte ptr [eax+edi], 00
:0040483E 0F8C2FFFFFFF
jl 00404773
:00404844 8B0D58E74200
mov ecx, dword ptr [0042E758]
:0040484A 8B542430
mov edx, dword ptr [esp+30]
:0040484E 894C2410 mov
dword ptr [esp+10], ecx
:00404852 52
push edx
:00404853 8D4C2414
lea ecx, dword ptr [esp+14]
:00404857
E8DB8B0100 call 0041D437
:0040485C 8B442434 mov
eax, dword ptr [esp+34]
:00404860 6A19
push 00000019
:00404862 51
push ecx
:00404863
C68424EC04000003 mov byte ptr [esp+000004EC], 03
:0040486B 8BCC
mov ecx, esp
:0040486D 89642424
mov dword ptr [esp+24], esp
:00404871 50
push eax
:00404872
E839030000 call 00404BB0
:00404877 8B4C2434 mov
ecx, dword ptr [esp+34]
:0040487B C68424EC04000004
mov byte ptr [esp+000004EC], 04
:00404883 51
push ecx
:00404884 8D4C2424
lea ecx, dword ptr [esp+24]
:00404888 E823030000 call 00404BB0
:0040488D 51
push ecx
:0040488E 8D4C241C
lea ecx, dword ptr [esp+1C]
:00404892 8BD4
mov edx, esp
:00404894
89642430 mov dword ptr
[esp+30], esp
:00404898 51
push ecx
:00404899 50
push eax
:0040489A 52
push edx
:0040489B C68424FC04000005 mov byte ptr [esp+000004FC],
05
:004048A3 E8F48B0100 call
0041D49C
:004048A8 C68424F004000006 mov byte ptr
[esp+000004F0], 06
:004048B0 E80B020000
call 00404AC0(這裡又呼叫00404AC0判斷註冊碼,詳細程式碼見上面)
:004048B5 83C40C
add esp, 0000000C(經過分析可以知道,如果註冊碼正確,此處返回eax的值應該是1,如果錯誤則返回0)
:004048B8 8D4C2418
lea ecx, dword ptr [esp+18]
:004048BC A3EC254300
mov dword ptr [004325EC], eax
:004048C1 C68424E404000003
mov byte ptr [esp+000004E4], 03
:004048C9 E8708A0100
call 0041D33E
:004048CE 8D4C2410
lea ecx, dword ptr [esp+10]
:004048D2 C68424E404000000 mov byte ptr [esp+000004E4],
00
:004048DA E85F8A0100 call
0041D33E
:004048DF 8D7C242C
lea edi, dword ptr [esp+2C]
:004048E3 BB03000000
mov ebx, 00000003
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004048F7(C)
|
:004048E8 8B17
mov edx, dword
ptr [edi]
:004048EA 52
push edx
:004048EB E8CA570000
call 0040A0BA
:004048F0 83C404
add esp, 00000004
:004048F3 83C704
add edi, 00000004
:004048F6 4B
dec ebx
:004048F7 75EF
jne 004048E8
:004048F9 E822F5FFFF
call 00403E20
:004048FE 8BCE
mov ecx, esi
:00404900 E85BF8FFFF
call 00404160
:00404905 A1EC254300
mov eax, dword ptr [004325EC]
:0040490A
85C0 test
eax, eax
:0040490C 0F8588000000
jne 0040499A
:00404912 8BCE
mov ecx, esi
:00404914 E8C7FCFFFF
call 004045E0(判斷是否已過試用期)
:00404919 85C0
test eax, eax(未過,eax=0;已過,eax=1)
:0040491B 747D
je 0040499A
* Possible Reference to String Resource ID=00112:
",o?qo??蜥
?珥(,o??\
?1"
|
:0040491D 6A70
push 00000070
:0040491F 8D4C2418
lea ecx, dword ptr [esp+18]
:00404923
E8FD8C0100 call 0041D625
:00404928 A158E74200 mov eax,
dword ptr [0042E758]
:0040492D 89442410
mov dword ptr [esp+10], eax
* Possible Reference
to String Resource ID=00125: ""
|
:00404931 6A7D
push 0000007D
:00404933 8D4C2414
lea ecx, dword ptr [esp+14]
:00404937 C68424E804000007
mov byte ptr [esp+000004E8], 07
:0040493F E8E18C0100
call 0041D625
:00404944 8B4C2410
mov ecx, dword ptr [esp+10]
:00404948 8B542414 mov
edx, dword ptr [esp+14]
:0040494C 6A34
push 00000034
:0040494E 51
push ecx
:0040494F
52
push edx
:00404950 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00404952 FF1544544200
Call dword ptr [00425444](過期提示)
:00404958
83F806 cmp eax,
00000006
:0040495B 7511
jne 0040496E
:0040495D B940234300
mov ecx, 00432340
:00404962 C7461C40234300
mov [esi+1C], 00432340
:00404969 E8E04F0100
call 0041994E
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040495B(C)
|
:0040496E 8D4C2410
lea ecx, dword ptr [esp+10]
:00404972 C68424E404000000 mov byte ptr [esp+000004E4],
00
:0040497A E8BF890100 call
0041D33E
:0040497F 8D4C2414
lea ecx, dword ptr [esp+14]
:00404983 C78424E4040000FFFFFFFF
mov dword ptr [esp+000004E4], FFFFFFFF
:0040498E E8AB890100
call 0041D33E
:00404993 33C0
xor eax, eax
:00404995
E90A010000 jmp 00404AA4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040490C(C),
:0040491B(C)
|
:0040499A 8D442444
lea eax, dword ptr [esp+44]
:0040499E C744244494000000
mov [esp+44], 00000094
:004049A6 50
push eax
* Reference
To: KERNEL32.GetVersionExA, Ord:0175h
|
:004049A7 FF1598514200 Call dword
ptr [00425198]
:004049AD 8B6C2454
mov ebp, dword ptr [esp+54]
:004049B1 33C9
xor ecx, ecx
:004049B3 83FD02
cmp ebp, 00000002
* Possible Reference to String Resource ID=00114: "InsTalk ?b"
|
:004049B6 6A72
push 00000072
:004049B8 0F94C1
sete cl
:004049BB 890D0C1F4300
mov dword ptr [00431F0C], ecx
:004049C1
8D4C2418 lea ecx, dword
ptr [esp+18]
:004049C5 E85B8C0100
call 0041D625
:004049CA 8B542414
mov edx, dword ptr [esp+14]
:004049CE 52
push edx
:004049CF
6A00 push
00000000
* Reference To: USER32.FindWindowA, Ord:00D5h
|
:004049D1 FF1548544200
Call dword ptr [00425448]
:004049D7 85C0
test eax, eax
:004049D9
741B je 004049F6
:004049DB 8D4C2414
lea ecx, dword ptr [esp+14]
:004049DF C78424E4040000FFFFFFFF mov dword
ptr [esp+000004E4], FFFFFFFF
:004049EA E84F890100
call 0041D33E
:004049EF 33C0
xor eax, eax
:004049F1 E9AE000000
jmp 00404AA4
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004049D9(C)
|
:004049F6 E895DC0100 call
00422690
:004049FB 8B400C
mov eax, dword ptr [eax+0C]
:004049FE 6891000000
push 00000091
:00404A03 50
push eax
* Reference To: USER32.LoadCursorA, Ord:019Ah
|
:00404A04 FF15C0544200
Call dword ptr [004254C0]
:00404A0A 68681C4300
push 00431C68
:00404A0F A330204300
mov dword ptr [00432030], eax
:00404A14 E8C7F2FFFF
call 00403CE0
:00404A19 83C404
add esp, 00000004
:00404A1C 85C0
test eax, eax
:00404A1E 7556
jne 00404A76
:00404A20 A18C1E4300
mov eax, dword ptr [00431E8C]
:00404A25 85C0
test eax, eax
:00404A27 7534
jne 00404A5D
* Possible Reference to String Resource ID=00115: "~
0眢?
nろ,o?"
|
:00404A29
6A73 push
00000073
:00404A2B 8D4C2418
lea ecx, dword ptr [esp+18]
:00404A2F E8F18B0100
call 0041D625
:00404A34 8B442414
mov eax, dword ptr [esp+14]
:00404A38
6A30 push
00000030
:00404A3A 6A00
push 00000000
:00404A3C 50
push eax
:00404A3D 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00404A3F FF1544544200
Call dword ptr [00425444]
:00404A45 8D4C2414
lea ecx, dword ptr [esp+14]
:00404A49 C78424E4040000FFFFFFFF
mov dword ptr [esp+000004E4], FFFFFFFF
:00404A54 E8E5880100
call 0041D33E
:00404A59 33C0
xor eax, eax
:00404A5B
EB47 jmp
00404AA4
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00404A27(C)
|
:00404A5D 8B15841E4300
mov edx, dword ptr [00431E84]
:00404A63 B986000000
mov ecx, 00000086
* Possible
Reference to Dialog:
|
:00404A68
BF681C4300 mov edi, 00431C68
:00404A6D 8B7208
mov esi, dword ptr [edx+08]
:00404A70 F3
repz
:00404A71 A5
movsd
:00404A72
8B742420 mov esi, dword
ptr [esp+20]
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00404A1E(C)
|
:00404A76 6A00
push 00000000
* Possible
Reference to String Resource ID=00102: "A?仨笮:"
|
:00404A78 6A66
push 00000066
:00404A7A B9C0244300
mov ecx, 004324C0
:00404A7F C7461CC0244300
mov [esi+1C], 004324C0
:00404A86 E8424B0100
call 004195CD(這裡出現歡迎提示框)
:00404A8B 8D4C2414
lea ecx, dword ptr [esp+14]
:00404A8F C78424E4040000FFFFFFFF mov dword ptr [esp+000004E4], FFFFFFFF
:00404A9A E89F880100 call
0041D33E
:00404A9F B801000000
mov eax, 00000001
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:00404995(U), :004049F1(U), :00404A5B(U)
|
:00404AA4 8B8C24DC040000 mov ecx, dword ptr
[esp+000004DC]
:00404AAB 5F
pop edi
:00404AAC 5E
pop esi
:00404AAD 5D
pop ebp
:00404AAE 64890D00000000 mov dword ptr
fs:[00000000], ecx
:00404AB5 5B
pop ebx
:00404AB6 81C4D8040000
add esp, 000004D8
:00404ABC C3
ret
其實透過分析我們已經可以看出,整個程式不論是註冊時還是重新啟動時都是在call
00404AC0裡面進行核心的註冊碼判斷,我們只要修改其中的一處就可變成註冊版。並且從程式分析可知,全部比較完畢並且註冊碼正確時將跳到00404B2C,所以修改方法如下:
:00404B0E 3AD3
cmp dl, bl(這裡改成cmp dl,dl即3AD3改為3AD2,自己比自己當然是一樣的)
:00404B10 751E
jne 00404B30(這裡我們改成je
00404B2C,即將751E改成741A)
用二進位制編輯工具開啟InsTalk.exe檔案,
查詢:83C40C8A108A1E8ACA3AD3751E84C9
修改:------------------3AD2741A----
==========================================================================================
5、該軟體的註冊資訊儲存在登錄檔的以下位置:
HKEY_CURRENT_USER\Software\Happy Studio\INSTALK\Registration
HKEY_USERS\.DEFAULT\Software\Happy Studio\INSTALK\Registration
兩個鍵下的四個二進位制值(已加密變換)下:
Date:軟體第一次執行的時間;試用期過後刪除該二進位制值可繼續使用。
Date0:註冊使用者名稱稱;
Date1:註冊使用者單位;
Date2:註冊碼。
使用者註冊後,刪除Date0、Date1、Date2三個二進位制值可重新註冊。
==========================================================================================
6、編寫序號產生器
使用“序號產生器編寫器(Keymaker)”之“另類序號產生器”功能
(1)程式名稱:InsTalk.exe
(2)新增資料:
中斷地址:40749A
中斷次數:1
第一位元組:E8
指令長度:5
中斷地址:404B05
中斷次數:1
第一位元組:83
指令長度:3
(3)選擇記憶體方式EAX。
=======================================THE END=============================================
這個教程我作了一些註釋,初學破解的朋友可以看一看,其中不對之處也請各位多多指教!
esoft2001.51.net
2002年4月11日