Defeating the self-check + registration patching: SuperCapture (超級屏捕) V4.01 Professional Edition
Download page: http://www.skycn.com/soft/9511.html
Software size: 1108 KB
Software language: Simplified Chinese
Software category: Domestic software / Shareware / Image capture
Platforms: Win9x/NT/2000/XP
Added: 2002-10-17 11:40:01
Downloads: 28765
Rating: ****
Developer: http://www.SuperCapture.com/
[Software introduction]: SuperCapture is a very powerful professional image capture tool and an award winner of China's first shareware contest. SuperCapture Professional 4.0 includes every feature of the Standard edition plus many professional ones, for example: capturing all Flash objects from a web page; playing Flash; recording desktop activity as an AVI video file (several compression methods offered); easily grabbing any icon you want from your computer, whether from a file, a folder, or even the whole hard disk; easy capture of the full screen (including DirectX and Direct3D game screens), windows, controls, regions, fixed regions and irregular regions; easy capture of special menus, the mouse cursor, extra-long screens, web pages and web images (all images on a page can be grabbed at once); timed capture, custom hotkeys and thumbnail browsing; browsing and conversion of 17 image formats including BMP/JPEG/TIF/PNG/GIF. Captured images can be sent directly to Microsoft Office documents (Word, Excel, PowerPoint); multiple languages are supported. It suits anyone who needs to work with screen images. SuperCapture saves a great deal of time when handling screen images and improves productivity.
[Software restrictions]: nag screen, 45-day trial
[Author's note]: I am a beginner at cracking, just interested, with no other purpose. Please point out any mistakes!
[Tools]: TRW2000 (wawa modified build), PE-Scan, W32Dasm 9.0 Platinum, Hiew
―――――――――――――――――――――――――――――――――
[Process]:
SuperCap.exe is packed with PECompact 1.68 - 1.84; unpacked with PE-Scan. 531K -> 1.35M. Written in VC++ 6.0.
"Pediy Forum Digest 4" (《看雪論壇精華4》) contains several cracks of earlier versions of SuperCapture; although this V4.01 Professional has been out for a long time, I have not seen a write-up of it. pLayAr of [FCG] once made a cracked version; special thanks to pLayAr for his pointers and to fxyang for testing! :-)
Heh, October 1st is here; answering DarkNess0ut's call, consider this a small National Day gift for everyone! :-)
―――――――――――――――――――――――――――――――――
1. Anti-debugging:
The program calls IsDebuggerPresent() to detect a debugger: at startup the check is called from 00418C1F, and during registration from 0040DDF0, 0040DED6 and 0040E208. Strangely, the program also uses another method to detect a debugger, which makes OllyDbg stop responding while debugging!
After unpacking, the program behaves itself under TRW, the "Dragon Slayer". :-) If you debug the original packed program, let it run for one minute before setting a breakpoint with TRW!
――――――――――――――――――――――――
* Referenced by a CALL at Addresses:
|:0040DDF0 , :0040DED6 , :0040E208 , :00418C1F
|
:0043F0C0 81EC94000000 sub esp, 00000094
:0043F0C6 8D442400 lea eax, dword ptr [esp]
:0043F0CA C744240094000000 mov [esp], 00000094
:0043F0D2 50 push eax
* Reference To: KERNEL32.GetVersionExA, Ord:0000h
|
:0043F0D3 FF159C444D00 Call dword ptr [004D449C]
:0043F0D9 85C0 test eax, eax
:0043F0DB 7427 je 0043F104
:0043F0DD 837C241001 cmp dword ptr [esp+10], 00000001
:0043F0E2 7520 jne 0043F104
:0043F0E4 8B442404 mov eax, dword ptr [esp+04]
:0043F0E8 83F804 cmp eax, 00000004
:0043F0EB 770A ja 0043F0F7
:0043F0ED 7515 jne 0043F104
:0043F0EF 8B442408 mov eax, dword ptr [esp+08]
:0043F0F3 85C0 test eax, eax
:0043F0F5 760D jbe 0043F104
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F0EB(C)
|
* Reference To: KERNEL32.IsDebuggerPresent, Ord:0000h
|
:0043F0F7 FF1530444D00 Call dword ptr [004D4430]
====> IsDebuggerPresent is called here!
:0043F0FD 81C494000000 add esp, 00000094
:0043F103 C3 ret
―――――――――――――――――――――――――――――――――
2. Analysis of the hidden CRC self-check:
If the program is unpacked or hook.dll is modified, the self-check fires: there is no message, the program simply exits by itself after 3 minutes. That is probably this thing's most distinctive feature.
Heh, the author is quite clever: no explicit hint, just let the crackers search slowly! :-D
Finding this trap took a lot of effort. With BPX CreateFileA set, the program kept breaking; the author laid a maze. :-(
It turns out the author set a 3-minute timer: if the check fails the program exits automatically, and if it passes the timer is cancelled! Both the self-check and the registration-code verification are performed in the main program and in hook.dll in the same directory!
――――――――――――――――――――――――
:0041BF35 E826820100 call 00434160
====> Key CALL! Let's go inside! :-)
====> This is where both self-checks are removed! Patch point ① :-)
:0041BF3A 8B461C mov eax, dword ptr [esi+1C]
:0041BF3D 6A05 push 00000005
:0041BF3F 50 push eax
* Reference To: USER32.KillTimer, Ord:0000h
|
:0041BF40 FF1578484D00 Call dword ptr [004D4878]
====> Cancels the 3-minute timer
:0041BF46 E9A4060000 jmp 0041C5EF
――――――――――――――――――――――――
Inside the key CALL: 0041BF35 call 00434160
* Referenced by a CALL at Address:
|:0041BF35
|
:00434160 A18CE85100 mov eax, dword ptr [0051E88C]
:00434165 81EC00040000 sub esp, 00000400
:0043416B 56 push esi
:0043416C 57 push edi
:0043416D 33FF xor edi, edi
:0043416F 8BF1 mov esi, ecx
:00434171 85C0 test eax, eax
:00434173 7418 je 0043418D
:00434175 E8B42B0900 call 004C6D2E
:0043417A 8B4008 mov eax, dword ptr [eax+08]
:0043417D 50 push eax
:0043417E FF158CE85100 call dword ptr [0051E88C]
====> Calls hook.dll to verify the main program! Exits on failure!
:00434184 85C0 test eax, eax
:00434186 7505 jne 0043418D
====> If it does not jump, it's OVER!
:00434188 BF01000000 mov edi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00434173(C), :00434186(C)
|
:0043418D E81EB20000 call 0043F3B0
====> Verifies hook.dll from inside the main program! On failure it reports that the program was not installed correctly!
====> For brevity this one is not recorded; step into it and you will see. :-)
:00434192 85C0 test eax, eax
:00434194 7408 je 0043419E
====> If it jumps, it's OVER!
:00434196 85FF test edi, edi
:00434198 0F8489000000 je 00434227
====> If it does not jump, it's OVER!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434194(C)
|
:0043419E 8B461C mov eax, dword ptr [esi+1C]
:004341A1 6A05 push 00000005
:004341A3 50 push eax
* Reference To: USER32.KillTimer, Ord:0000h
|
:004341A4 FF1578484D00 Call dword ptr [004D4878]
====> Heh, this one is just there to confuse crackers! :-)
:004341AA 8D4C2408 lea ecx, dword ptr [esp+08]
:004341AE 6800010000 push 00000100
:004341B3 51 push ecx
:004341B4 8B8EAE080000 mov ecx, dword ptr [esi+000008AE]
:004341BA 6854B25000 push 0050B254
:004341BF E83CA50000 call 0043E700
:004341C4 8B8EAE080000 mov ecx, dword ptr [esi+000008AE]
:004341CA 8D942408010000 lea edx, dword ptr [esp+00000108]
:004341D1 6800010000 push 00000100
:004341D6 52 push edx
:004341D7 680CB25000 push 0050B20C
:004341DC E81FA50000 call 0043E700
:004341E1 8D842408010000 lea eax, dword ptr [esp+00000108]
:004341E8 8D4C2408 lea ecx, dword ptr [esp+08]
:004341EC 50 push eax
:004341ED 51 push ecx
:004341EE 8D942410020000 lea edx, dword ptr [esp+00000210]
:004341F5 68E8B15000 push 0050B1E8
:004341FA 52 push edx
:004341FB E8A56A0600 call 0049ACA5
:00434200 83C410 add esp, 00000010
:00434203 8D842408020000 lea eax, dword ptr [esp+00000208]
:0043420A 6A00 push 00000000
:0043420C 6A10 push 00000010
:0043420E 50 push eax
:0043420F E89E7E0800 call 004BC0B2
:00434214 8B4E1C mov ecx, dword ptr [esi+1C]
:00434217 6A00 push 00000000
:00434219 6A00 push 00000000
:0043421B 6836050000 push 00000536
:00434220 51 push ecx
* Reference To: USER32.PostMessageA, Ord:0000h
|
:00434221 FF155C484D00 Call dword ptr [004D485C]
====> BAD BOY! "Not completely installed" and similar messages :-(
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434198(C)
|
:00434227 5F pop edi
:00434228 5E pop esi
:00434229 81C400040000 add esp, 00000400
:0043422F C3 ret
――――――――――――――――――――――――
Inside 0043417E call dword ptr [0051E88C], which calls hook.dll to verify the main program
Exported fn(): SCAPI_SetHook_WinXP - Ord:0007h
:1C001294 55 push ebp
:1C001295 8BEC mov ebp, esp
:1C001297 81EC60020000 sub esp, 00000260
:1C00129D C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:1C0012A4 C785A8FDFFFF00000000 mov dword ptr [ebp+FFFFFDA8], 00000000
:1C0012AE C785A4FDFFFF00000000 mov dword ptr [ebp+FFFFFDA4], 00000000
:1C0012B8 C785F4FEFFFF00000000 mov dword ptr [ebp+FFFFFEF4], 00000000
:1C0012C2 6804010000 push 00000104
:1C0012C7 6A00 push 00000000
:1C0012C9 8D85F8FEFFFF lea eax, dword ptr [ebp+FFFFFEF8]
:1C0012CF 50 push eax
* Reference To: MSVCRT.memset, Ord:0299h
|
:1C0012D0 E8E50E0000 Call 1C0021BA
:1C0012D5 83C40C add esp, 0000000C
:1C0012D8 6804010000 push 00000104
:1C0012DD 8D8DF8FEFFFF lea ecx, dword ptr [ebp+FFFFFEF8]
:1C0012E3 51 push ecx
:1C0012E4 8B5508 mov edx, dword ptr [ebp+08]
:1C0012E7 52 push edx
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:1C0012E8 FF150C30001C Call dword ptr [1C00300C]
:1C0012EE 8D85B0FDFFFF lea eax, dword ptr [ebp+FFFFFDB0]
:1C0012F4 50 push eax
:1C0012F5 8D8DF8FEFFFF lea ecx, dword ptr [ebp+FFFFFEF8]
:1C0012FB 51 push ecx
* Reference To: KERNEL32.FindFirstFileA, Ord:0094h
|
:1C0012FC FF151030001C Call dword ptr [1C003010]
:1C001302 8945FC mov dword ptr [ebp-04], eax
:1C001305 837DFCFF cmp dword ptr [ebp-04], FFFFFFFF
:1C001309 7507 jne 1C001312
:1C00130B 33C0 xor eax, eax
:1C00130D E924010000 jmp 1C001436
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001309(C)
|
:1C001312 8B95D0FDFFFF mov edx, dword ptr [ebp+FFFFFDD0]
:1C001318 8995F0FEFFFF mov dword ptr [ebp+FFFFFEF0], edx
* Possible StringData Ref from Data Obj ->"rb"
|
:1C00131E 684444001C push 1C004444
:1C001323 8D85F8FEFFFF lea eax, dword ptr [ebp+FFFFFEF8]
:1C001329 50 push eax
* Reference To: MSVCRT.fopen, Ord:0257h
|
:1C00132A FF154830001C Call dword ptr [1C003048]
:1C001330 83C408 add esp, 00000008
:1C001333 8985A4FDFFFF mov dword ptr [ebp+FFFFFDA4], eax
:1C001339 83BDA4FDFFFF00 cmp dword ptr [ebp+FFFFFDA4], 00000000
:1C001340 7505 jne 1C001347
:1C001342 E9ED000000 jmp 1C001434
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001340(C)
|
:1C001347 8B8DF0FEFFFF mov ecx, dword ptr [ebp+FFFFFEF0]
:1C00134D 51 push ecx
* Reference To: MSVCRT.malloc, Ord:0291h
|
:1C00134E FF154C30001C Call dword ptr [1C00304C]
:1C001354 83C404 add esp, 00000004
:1C001357 8985A8FDFFFF mov dword ptr [ebp+FFFFFDA8], eax
:1C00135D 83BDA8FDFFFF00 cmp dword ptr [ebp+FFFFFDA8], 00000000
:1C001364 7505 jne 1C00136B
:1C001366 E9C7000000 jmp 1C001432
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001364(C)
|
:1C00136B 8B95A4FDFFFF mov edx, dword ptr [ebp+FFFFFDA4]
:1C001371 52 push edx
:1C001372 8B85F0FEFFFF mov eax, dword ptr [ebp+FFFFFEF0]
:1C001378 50 push eax
:1C001379 6A01 push 00000001
:1C00137B 8B8DA8FDFFFF mov ecx, dword ptr [ebp+FFFFFDA8]
:1C001381 51 push ecx
* Reference To: MSVCRT.fread, Ord:025Dh
|
:1C001382 FF155030001C Call dword ptr [1C003050]
:1C001388 83C410 add esp, 00000010
:1C00138B 85C0 test eax, eax
:1C00138D 7448 je 1C0013D7
:1C00138F 8B95F0FEFFFF mov edx, dword ptr [ebp+FFFFFEF0]
:1C001395 83EA04 sub edx, 00000004
:1C001398 52 push edx
:1C001399 8B85A8FDFFFF mov eax, dword ptr [ebp+FFFFFDA8]
:1C00139F 50 push eax
:1C0013A0 E88FFEFFFF call 1C001234
====> CRC calculation!
:1C0013A5 8985ACFDFFFF mov dword ptr [ebp+FFFFFDAC], eax
:1C0013AB 8B8DA8FDFFFF mov ecx, dword ptr [ebp+FFFFFDA8]
:1C0013B1 038DF0FEFFFF add ecx, dword ptr [ebp+FFFFFEF0]
:1C0013B7 8B51FC mov edx, dword ptr [ecx-04]
:1C0013BA 8995A0FDFFFF mov dword ptr [ebp+FFFFFDA0], edx
:1C0013C0 8B85ACFDFFFF mov eax, dword ptr [ebp+FFFFFDAC]
====> Patching here removes the check of the main program :-)
:1C0013C6 33C9 xor ecx, ecx
:1C0013C8 3B85A0FDFFFF cmp eax, dword ptr [ebp+FFFFFDA0]
====> Compare!
:1C0013CE 0F94C1 sete cl
====> CL is set from the result! CL=1 if correct
:1C0013D1 898DF4FEFFFF mov dword ptr [ebp+FFFFFEF4], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1C00138D(C), :1C001432(U), :1C001434(U)
|
:1C0013D7 83BDA4FDFFFF00 cmp dword ptr [ebp+FFFFFDA4], 00000000
:1C0013DE 7410 je 1C0013F0
:1C0013E0 8B95A4FDFFFF mov edx, dword ptr [ebp+FFFFFDA4]
:1C0013E6 52 push edx
* Reference To: MSVCRT.fclose, Ord:024Ch
|
:1C0013E7 FF155430001C Call dword ptr [1C003054]
:1C0013ED 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C0013DE(C)
|
:1C0013F0 837DFCFF cmp dword ptr [ebp-04], FFFFFFFF
:1C0013F4 740A je 1C001400
:1C0013F6 8B45FC mov eax, dword ptr [ebp-04]
:1C0013F9 50 push eax
* Reference To: KERNEL32.FindClose, Ord:0090h
|
:1C0013FA FF151430001C Call dword ptr [1C003014]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C0013F4(C)
|
:1C001400 83BDA8FDFFFF00 cmp dword ptr [ebp+FFFFFDA8], 00000000
:1C001407 7410 je 1C001419
:1C001409 8B8DA8FDFFFF mov ecx, dword ptr [ebp+FFFFFDA8]
:1C00140F 51 push ecx
* Reference To: MSVCRT.free, Ord:025Eh
|
:1C001410 FF155830001C Call dword ptr [1C003058]
:1C001416 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001407(C)
|
:1C001419 83BDF4FEFFFF00 cmp dword ptr [ebp+FFFFFEF4], 00000000
:1C001420 7508 jne 1C00142A
:1C001422 6A01 push 00000001
* Reference To: MSVCRT.exit, Ord:0249h
|
:1C001424 FF156030001C Call dword ptr [1C003060]
====> Exits here! Leaves without saying goodbye :-(
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001420(C)
|
:1C00142A 8B85F4FEFFFF mov eax, dword ptr [ebp+FFFFFEF4]
:1C001430 EB04 jmp 1C001436
――――――――――――――――――――――――
Inside the CRC calculation CALL: 1C0013A0 call 1C001234
* Referenced by a CALL at Addresses:
|:1C0013A0 , :1C001972 , :1C001991
|
:1C001234 55 push ebp
:1C001235 8BEC mov ebp, esp
:1C001237 83EC08 sub esp, 00000008
:1C00123A C745F8FFFFFFFF mov [ebp-08], FFFFFFFF
:1C001241 8B4508 mov eax, dword ptr [ebp+08]
:1C001244 8945FC mov dword ptr [ebp-04], eax
:1C001247 EB09 jmp 1C001252
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001286(U)
|
:1C001249 8B4D0C mov ecx, dword ptr [ebp+0C]
:1C00124C 83E901 sub ecx, 00000001
:1C00124F 894D0C mov dword ptr [ebp+0C], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001247(U)
|
:1C001252 837D0C00 cmp dword ptr [ebp+0C], 00000000
:1C001256 7E30 jle 1C001288
:1C001258 8B55F8 mov edx, dword ptr [ebp-08]
:1C00125B C1EA08 shr edx, 08
:1C00125E 8B45F8 mov eax, dword ptr [ebp-08]
:1C001261 25FF000000 and eax, 000000FF
:1C001266 8B4DFC mov ecx, dword ptr [ebp-04]
:1C001269 0FBE09 movsx ecx, byte ptr [ecx]
:1C00126C 33C1 xor eax, ecx
:1C00126E 25FF000000 and eax, 000000FF
:1C001273 3314851C40001C xor edx, dword ptr [4*eax+1C00401C]
====> Memory at [1C00401C] holds a CRC-32 table! :-)
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:-) The CRC-32 table has 256 entries :-)
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:1C00127A 8955F8 mov dword ptr [ebp-08], edx
:1C00127D 8B55FC mov edx, dword ptr [ebp-04]
:1C001280 83C201 add edx, 00000001
:1C001283 8955FC mov dword ptr [ebp-04], edx
:1C001286 EBC1 jmp 1C001249
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001256(C)
|
:1C001288 8B45F8 mov eax, dword ptr [ebp-08]
:1C00128B 83F0FF xor eax, FFFFFFFF
:1C00128E 8BE5 mov esp, ebp
:1C001290 5D pop ebp
:1C001291 C20800 ret 0008
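Added example (my own code, not the page's, the program's or hook.dll's): a C reimplementation of the table-driven CRC-32 loop above and of the trailing-dword comparison in SCAPI_SetHook_WinXP, run over a constructed buffer to show what the check accepts and what a single-byte change does. The function names and the sample buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical names. Table-driven CRC-32 as in hook.dll's routine at 1C001234:
 * crc starts at FFFFFFFF, each byte does crc = (crc >> 8) ^ table[(crc ^ b) & FF],
 * and the result is inverted with xor eax, FFFFFFFF on return. */
static uint32_t crc_table[256];
static int table_ready = 0;

/* The program keeps its table as a 256-dword constant at 1C00401C; here it is
 * generated from the reflected polynomial 0xEDB88320, which yields those entries. */
static void build_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

uint32_t sc_crc32(const unsigned char *p, int len)
{
    uint32_t crc = 0xFFFFFFFFu;                 /* mov [ebp-08], FFFFFFFF */
    if (!table_ready) build_table();
    while (len > 0) {                           /* cmp [ebp+0C], 0 ; jle end */
        /* movsx sign-extends the byte, but the index is masked with FF,
         * so an unsigned byte selects the same table entry */
        crc = (crc >> 8) ^ crc_table[(crc ^ *p) & 0xFF];
        p++;
        len--;
    }
    return crc ^ 0xFFFFFFFFu;                   /* xor eax, FFFFFFFF */
}

/* Mirrors the check in SCAPI_SetHook_WinXP: CRC over every byte except the
 * last four (sub edx, 4 before the call), compared with the little-endian
 * dword stored in those last four bytes (mov edx, [ecx-04]).
 * Returns 1 when the image passes, 0 where hook.dll would call exit(1). */
int sc_selfcheck(const unsigned char *image, size_t size)
{
    if (size < 4) return 0;
    uint32_t stored = (uint32_t)image[size - 4]
                    | ((uint32_t)image[size - 3] << 8)
                    | ((uint32_t)image[size - 2] << 16)
                    | ((uint32_t)image[size - 1] << 24);
    return sc_crc32(image, (int)(size - 4)) == stored;
}

/* Constructed sample "image": the standard CRC-32 check vector "123456789"
 * (CRC CBF43926) followed by that CRC as a little-endian trailer. */
const unsigned char sample_image[] = {
    '1', '2', '3', '4', '5', '6', '7', '8', '9', 0x26, 0x39, 0xF4, 0xCB
};

/* Returns 1 if the untouched sample passes and a one-byte edit fails. */
int demo_tamper_detected(void)
{
    unsigned char copy[sizeof sample_image];
    memcpy(copy, sample_image, sizeof copy);
    copy[0] ^= 0x01;                            /* flip one bit in the "code" */
    return sc_selfcheck(sample_image, sizeof sample_image) == 1
        && sc_selfcheck(copy, sizeof copy) == 0;
}

int main(void)
{
    printf("crc32(\"123456789\") = %08X\n", sc_crc32((const unsigned char *)"123456789", 9));
    printf("sample passes: %d, edit detected: %d\n", sc_selfcheck(sample_image, sizeof sample_image), demo_tamper_detected());
    return 0;
}
```

Because the expected value is stored inside the image itself, a check like this catches accidental corruption but is not an authenticity check.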
―――――――――――――――――――――――――――――――――
3. Registration-code verification and patching
This part is the work of pLayAr[FCG]! :-D Thanks for the pointers!
The program's algorithm is well protected: the registration code is 36 characters in total, 9 per box. The program places many requirements on the code and checks them in several different places! Following pLayAr[FCG]'s findings, the patch works only under specific conditions!
―――――――――――――――――――――――――――――――――
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434A93(U)
|
:00434A9A 85C0 test eax, eax
:00434A9C 0F8410010000 je 00434BB2
:00434AA2 8DBDD0030000 lea edi, dword ptr [ebp+000003D0]
:00434AA8 83C9FF or ecx, FFFFFFFF
:00434AAB 33C0 xor eax, eax
:00434AAD F2 repnz
:00434AAE AE scasb
:00434AAF F7D1 not ecx
:00434AB1 49 dec ecx
:00434AB2 83F909 cmp ecx, 00000009
====> 9 characters?
:00434AB5 0F85F7000000 jne 00434BB2
:00434ABB 8DBD14050000 lea edi, dword ptr [ebp+00000514]
:00434AC1 83C9FF or ecx, FFFFFFFF
:00434AC4 F2 repnz
:00434AC5 AE scasb
:00434AC6 F7D1 not ecx
:00434AC8 49 dec ecx
:00434AC9 83F909 cmp ecx, 00000009
====> 9 characters?
:00434ACC 0F85E0000000 jne 00434BB2
:00434AD2 8DBD58060000 lea edi, dword ptr [ebp+00000658]
:00434AD8 83C9FF or ecx, FFFFFFFF
:00434ADB F2 repnz
:00434ADC AE scasb
:00434ADD F7D1 not ecx
:00434ADF 49 dec ecx
:00434AE0 83F909 cmp ecx, 00000009
====> 9 characters?
:00434AE3 0F85C9000000 jne 00434BB2
:00434AE9 8DBD9C070000 lea edi, dword ptr [ebp+0000079C]
:00434AEF 83C9FF or ecx, FFFFFFFF
:00434AF2 F2 repnz
:00434AF3 AE scasb
:00434AF4 F7D1 not ecx
:00434AF6 49 dec ecx
:00434AF7 83F909 cmp ecx, 00000009
====> 9 characters?
:00434AFA 0F85B2000000 jne 00434BB2
:00434B00 E829220900 call 004C6D2E
:00434B05 8B7008 mov esi, dword ptr [eax+08]
:00434B08 A1D4E85100 mov eax, dword ptr [0051E8D4]
:00434B0D 8D889C070000 lea ecx, dword ptr [eax+0000079C]
:00434B13 8D9058060000 lea edx, dword ptr [eax+00000658]
:00434B19 51 push ecx
:00434B1A 8D8814050000 lea ecx, dword ptr [eax+00000514]
:00434B20 52 push edx
:00434B21 05D0030000 add eax, 000003D0
:00434B26 51 push ecx
:00434B27 50 push eax
:00434B28 8D542420 lea edx, dword ptr [esp+20]
:00434B2C 68C0635000 push 005063C0
:00434B31 52 push edx
:00434B32 E86E610600 call 0049ACA5
:00434B37 8B0D78C65100 mov ecx, dword ptr [0051C678]
:00434B3D 8B15D4E85100 mov edx, dword ptr [0051E8D4]
:00434B43 B05A mov al, 5A
:00434B45 8974244D mov dword ptr [esp+4D], esi
:00434B49 8844244C mov byte ptr [esp+4C], al
:00434B4D 894C2451 mov dword ptr [esp+51], ecx
:00434B51 8B4A1C mov ecx, dword ptr [edx+1C]
:00434B54 83C418 add esp, 00000018
:00434B57 894C243D mov dword ptr [esp+3D], ecx
:00434B5B 8A4C2433 mov cl, byte ptr [esp+33]
:00434B5F 3AC8 cmp cl, al
====> Is the last character 'Z'? hook.dll is called below for verification!
:00434B61 754F jne 00434BB2
:00434B63 68108B5000 push 00508B10
* Reference To: KERNEL32.LoadLibraryA, Ord:0000h
|
:00434B68 FF15B8424D00 Call dword ptr [004D42B8]
:00434B6E 8BF0 mov esi, eax
:00434B70 85F6 test esi, esi
:00434B72 743E je 00434BB2
:00434B74 8D542410 lea edx, dword ptr [esp+10]
:00434B78 6A24 push 00000024
:00434B7A 52 push edx
:00434B7B E880960000 call 0043E200
:00434B80 83C408 add esp, 00000008
:00434B83 8D442410 lea eax, dword ptr [esp+10]
:00434B87 50 push eax
:00434B88 68F48A5000 push 00508AF4
:00434B8D 56 push esi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:00434B8E FF1594434D00 Call dword ptr [004D4394]
:00434B94 50 push eax
* Reference To: USER32.EnumWindows, Ord:0000h
|
:00434B95 FF1514474D00 Call dword ptr [004D4714]
:00434B9B 56 push esi
* Reference To: KERNEL32.FreeLibrary, Ord:0000h
|
:00434B9C FF15B4424D00 Call dword ptr [004D42B4]
:00434BA2 B909000000 mov ecx, 00000009
:00434BA7 8D742410 lea esi, dword ptr [esp+10]
:00434BAB BFA0E85100 mov edi, 0051E8A0
:00434BB0 F3 repz
:00434BB1 A5 movsd
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00434A2D(C), :00434A3A(C), :00434A44(C), :00434A52(C), :00434A60(C)
|:00434A9C(C), :00434AB5(C), :00434ACC(C), :00434AE3(C), :00434AFA(C)
|:00434B61(C), :00434B72(C)
|
:00434BB2 8B4C244C mov ecx, dword ptr [esp+4C]
:00434BB6 8B542448 mov edx, dword ptr [esp+48]
:00434BBA A1D8E85100 mov eax, dword ptr [0051E8D8]
:00434BBF 53 push ebx
:00434BC0 51 push ecx
:00434BC1 52 push edx
:00434BC2 50 push eax
* Reference To: USER32.CallNextHookEx, Ord:0000h
|
:00434BC3 FF1580474D00 Call dword ptr [004D4780]
:00434BC9 5F pop edi
:00434BCA 5E pop esi
:00434BCB 5D pop ebp
:00434BCC 5B pop ebx
:00434BCD 83C434 add esp, 00000034
:00434BD0 C20C00 ret 000C
――――――――――――――――――――――――
Note that the program does not verify like this in only one place! Below is another:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D8FC(C)
...... (omitted) ......
:0040D965 83F909 cmp ecx, 00000009
:0040D968 0F854F010000 jne 0040DABD
...... (omitted) ......
:0040DA3C B959000000 mov ecx, 00000059
...... (omitted) ......
――――――――――――――――――――――――
Inside the verification in hook.dll:
* Referenced by a CALL at Addresses:
|:1C0013A0 , :1C001972 , :1C001991
====> Outside this CALL there are other complex checks :-(
:1C001234 55 push ebp
:1C001235 8BEC mov ebp, esp
:1C001237 83EC08 sub esp, 00000008
:1C00123A C745F8FFFFFFFF mov [ebp-08], FFFFFFFF
:1C001241 8B4508 mov eax, dword ptr [ebp+08]
:1C001244 8945FC mov dword ptr [ebp-04], eax
:1C001247 EB09 jmp 1C001252
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001286(U)
|
:1C001249 8B4D0C mov ecx, dword ptr [ebp+0C]
:1C00124C 83E901 sub ecx, 00000001
:1C00124F 894D0C mov dword ptr [ebp+0C], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001247(U)
|
:1C001252 837D0C00 cmp dword ptr [ebp+0C], 00000000
:1C001256 7E30 jle 1C001288
:1C001258 8B55F8 mov edx, dword ptr [ebp-08]
:1C00125B C1EA08 shr edx, 08
:1C00125E 8B45F8 mov eax, dword ptr [ebp-08]
:1C001261 25FF000000 and eax, 000000FF
:1C001266 8B4DFC mov ecx, dword ptr [ebp-04]
:1C001269 0FBE09 movsx ecx, byte ptr [ecx]
:1C00126C 33C1 xor eax, ecx
:1C00126E 25FF000000 and eax, 000000FF
:1C001273 3314851C40001C xor edx, dword ptr [4*eax+1C00401C]
:1C00127A 8955F8 mov dword ptr [ebp-08], edx
:1C00127D 8B55FC mov edx, dword ptr [ebp-04]
:1C001280 83C201 add edx, 00000001
:1C001283 8955FC mov dword ptr [ebp-04], edx
:1C001286 EBC1 jmp 1C001249
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001256(C)
|
:1C001288 8B45F8 mov eax, dword ptr [ebp-08]
:1C00128B 83F0FF xor eax, FFFFFFFF
====> Patch point ②
:1C00128E 8BE5 mov esp, ebp
:1C001290 5D pop ebp
:1C001291 C20800 ret 0008
―――――――――――――――――――――――――――――――――
[Patching]:
1. 0041BF35 E826820100 call 00434160
Change to: 9090909090, NOP it out!
No way around it: the program is sneaky, verifying SuperCap.exe from inside hook.dll and hook.dll from inside SuperCap.exe.
To save effort, just patch it from the outside. If that causes problems, the only option is to dig into the check core and modify it there.
2. 1C00128B 83F0FF xor eax, FFFFFFFF
Change to: 33C090 xor eax, eax
The program's demands on the registration code are high. :-) Even after this patch, a specific registration code is still needed to register successfully :-(
BTW: according to fxyang's testing, the program throws an exception under Win2003. No surprise; this thing has not been updated for a long time, and Win2003 did not exist when it was released.
―――――――――――――――――――――――――――――――――
[Registration info storage]:
The SuperCapture.drv file in the same directory
―――――――――――――――――――――――――――――――――
[Summary]:
Because of my limited skill, this is not a perfect solution. :-( After patching out the self-check, the following registration code must still be entered for verification to succeed!
Hopefully some expert can work out the algorithm, or obtain a usable key ...... heh :-)
Name: fly (Random)
Organization: [OCN][FCG] (Random)
Registration code: AAAAAAAAA-AAAAAAAAA-AAAAAAAAA-AAAAAAHHZ
―――――――――――――――――――――――――――――――――
Youth lasts but a moment :o
I would rather trade empty fame :shock:
for the wild abandon of cracking :wink:
Cracked By 巢水工作坊 (Chaoshui Studio): fly [OCN][FCG]
2003-09-29 9:00