Defeating the self-check and patching registration: SuperCapture (超級屏捕) V4.01 Professional Edition

Posted by 看雪資料 on 2015-11-15

Download page:  http://www.skycn.com/soft/9511.html
File size:      1108 KB
Language:       Simplified Chinese
Category:       Domestic software / Shareware / Image capture
Platform:       Win9x/NT/2000/XP
Added on:       2002-10-17 11:40:01
Downloads:      28765
Rating:         ****
Developer:      http://www.SuperCapture.com/

【Software description】: SuperCapture is a very powerful professional image-capture program and an award-winning entry in China's first shareware contest. SuperCapture Professional 4.0 includes every feature of the Standard edition plus many professional ones: capturing all Flash objects from a web page and playing Flash; recording desktop activity to an AVI video file (several compression methods available); easily capturing any icon you want from your computer, whether from a single file, a folder or even the whole hard disk; easy capture of the full screen (including DirectX and Direct3D game screens), windows, controls, regions, fixed regions and irregular regions; easy capture of special menus, the mouse cursor, oversized screens, web pages and web-page images (all images on a page can be grabbed at once); timed capture, custom hotkeys and thumbnail browsing; browsing and conversion of 17 image formats including BMP/JPEG/TIF/PNG/GIF. Captured images can be sent directly to Microsoft Office documents (Word, Excel, PowerPoint); multiple languages are supported. It suits any user who needs to work with screen images; SuperCapture greatly reduces the time spent processing them and improves productivity.

【Limitations】: nag screen, 45-day trial

【Author's note】: I am new to cracking and did this purely out of interest, for no other purpose. Please, masters, correct any mistakes I have made!

【Tools】: TRW2000 (娃娃 modified edition), PE-Scan, W32Dasm 9.0 Platinum edition, Hiew

――――――――――――――――――――――――――――――――― 
【Process】:

SuperCap.exe is packed with PECompact 1.68 - 1.84; I unpacked it with PE-Scan. 531K -> 1.35M. Written in VC++ 6.0.


《看雪論壇精華4》 contains several cracks of earlier versions of SuperCapture, but although this V4.01 Professional edition has been out for a long time, I have not seen a crack write-up for it. pLayAr of [FCG] made a cracked version before; special thanks to pLayAr for his pointers and to fxyang for testing! :-)

Hehe, October 1st is here. Answering DarkNess0ut's call, consider this a small National Day gift to everyone! :-)
―――――――――――――――――――――――――――――――――
1. Anti-debugging:


The program calls IsDebuggerPresent() to detect a debugger: at startup it calls it from 00418C1F, and during registration from 0040DDF0, 0040DED6 and 0040E208. Oddly, the program also uses another method of detecting a debugger, one that makes OllyDbg hang while debugging!

Once the unpacked program meets TRW, the dragon-slaying sword, it behaves. :-) If you debug the original (packed) program, set your TRW breakpoint only after it has been running for a minute!

――――――――――――――――――――――――
* Referenced by a CALL at Addresses:
|:0040DDF0   , :0040DED6   , :0040E208   , :00418C1F   
|
:0043F0C0 81EC94000000            sub esp, 00000094
:0043F0C6 8D442400                lea eax, dword ptr [esp]
:0043F0CA C744240094000000        mov [esp], 00000094
:0043F0D2 50                      push eax

* Reference To: KERNEL32.GetVersionExA, Ord:0000h
                                  |
:0043F0D3 FF159C444D00            Call dword ptr [004D449C]
:0043F0D9 85C0                    test eax, eax
:0043F0DB 7427                    je 0043F104
:0043F0DD 837C241001              cmp dword ptr [esp+10], 00000001
:0043F0E2 7520                    jne 0043F104
:0043F0E4 8B442404                mov eax, dword ptr [esp+04]
:0043F0E8 83F804                  cmp eax, 00000004
:0043F0EB 770A                    ja 0043F0F7
:0043F0ED 7515                    jne 0043F104
:0043F0EF 8B442408                mov eax, dword ptr [esp+08]
:0043F0F3 85C0                    test eax, eax
:0043F0F5 760D                    jbe 0043F104

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F0EB(C)
|

* Reference To: KERNEL32.IsDebuggerPresent, Ord:0000h
                                  |
:0043F0F7 FF1530444D00            Call dword ptr [004D4430]
                                  ====> IsDebuggerPresent is called here!

:0043F0FD 81C494000000            add esp, 00000094
:0043F103 C3                      ret



―――――――――――――――――――――――――――――――――
2. Analysis of the hidden CRC self-check:


Once the program is unpacked, or hook.dll is modified, a self-check kicks in. There is no message; instead the program simply exits on its own 3 minutes later. That is probably this thing's most distinctive feature.

Hehe, the author is quite shrewd: no explicit hint, let the crackers hunt for it slowly! :-D  
Finding this trap took quite some effort. With BPX CreateFileA the program kept breaking; the author laid out a maze. :-(
It turns out the author set a 3-minute timer: if the check fails, the program exits automatically; if it passes, the timer is cancelled! Both the self-check and the registration-code verification are done in the main program and in hook.dll in the same directory!

――――――――――――――――――――――――
:0041BF35 E826820100              call 00434160
                                  ====> Key CALL! Let's step in and look! :-)
                                  ====> This is where to remove the two self-checks! Patch point ①  :-)  

:0041BF3A 8B461C                  mov eax, dword ptr [esi+1C]
:0041BF3D 6A05                    push 00000005
:0041BF3F 50                      push eax

* Reference To: USER32.KillTimer, Ord:0000h
                                  |
:0041BF40 FF1578484D00            Call dword ptr [004D4878]
                                  ====> Cancels the 3-minute timer

:0041BF46 E9A4060000              jmp 0041C5EF

 
――――――――――――――――――――――――
Entering the key CALL: 0041BF35  call 00434160


* Referenced by a CALL at Address:
|:0041BF35   
|
:00434160 A18CE85100              mov eax, dword ptr [0051E88C]
:00434165 81EC00040000            sub esp, 00000400
:0043416B 56                      push esi
:0043416C 57                      push edi
:0043416D 33FF                    xor edi, edi
:0043416F 8BF1                    mov esi, ecx
:00434171 85C0                    test eax, eax
:00434173 7418                    je 0043418D
:00434175 E8B42B0900              call 004C6D2E
:0043417A 8B4008                  mov eax, dword ptr [eax+08]
:0043417D 50                      push eax
:0043417E FF158CE85100            call dword ptr [0051E88C]
                                  ====> Calls hook.dll to verify the main program! Exits on failure!

:00434184 85C0                    test eax, eax
:00434186 7505                    jne 0043418D
                                  ====> If it doesn't jump, it's OVER!

:00434188 BF01000000              mov edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00434173(C), :00434186(C)
|
:0043418D E81EB20000              call 0043F3B0
                                  ====> Verifies hook.dll from inside the main program! On failure it reports that the program was not installed correctly!
                                  ====> For brevity this one isn't recorded here; step in and you'll see it.  :-)

:00434192 85C0                    test eax, eax
:00434194 7408                    je 0043419E
                                  ====> If it jumps, it's OVER!

:00434196 85FF                    test edi, edi
:00434198 0F8489000000            je 00434227
                                  ====> If it doesn't jump, it's OVER!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434194(C)
|
:0043419E 8B461C                  mov eax, dword ptr [esi+1C]
:004341A1 6A05                    push 00000005
:004341A3 50                      push eax

* Reference To: USER32.KillTimer, Ord:0000h
                                  |
:004341A4 FF1578484D00            Call dword ptr [004D4878]
                                  ====> Hehe, meant to confuse the cracker! :-)

:004341AA 8D4C2408                lea ecx, dword ptr [esp+08]
:004341AE 6800010000              push 00000100
:004341B3 51                      push ecx
:004341B4 8B8EAE080000            mov ecx, dword ptr [esi+000008AE]
:004341BA 6854B25000              push 0050B254
:004341BF E83CA50000              call 0043E700
:004341C4 8B8EAE080000            mov ecx, dword ptr [esi+000008AE]
:004341CA 8D942408010000          lea edx, dword ptr [esp+00000108]
:004341D1 6800010000              push 00000100
:004341D6 52                      push edx
:004341D7 680CB25000              push 0050B20C
:004341DC E81FA50000              call 0043E700
:004341E1 8D842408010000          lea eax, dword ptr [esp+00000108]
:004341E8 8D4C2408                lea ecx, dword ptr [esp+08]
:004341EC 50                      push eax
:004341ED 51                      push ecx
:004341EE 8D942410020000          lea edx, dword ptr [esp+00000210]
:004341F5 68E8B15000              push 0050B1E8
:004341FA 52                      push edx
:004341FB E8A56A0600              call 0049ACA5
:00434200 83C410                  add esp, 00000010
:00434203 8D842408020000          lea eax, dword ptr [esp+00000208]
:0043420A 6A00                    push 00000000
:0043420C 6A10                    push 00000010
:0043420E 50                      push eax
:0043420F E89E7E0800              call 004BC0B2
:00434214 8B4E1C                  mov ecx, dword ptr [esi+1C]
:00434217 6A00                    push 00000000
:00434219 6A00                    push 00000000
:0043421B 6836050000              push 00000536
:00434220 51                      push ecx

* Reference To: USER32.PostMessageA, Ord:0000h
                                  |
:00434221 FF155C484D00            Call dword ptr [004D485C]
                                  ====> BAD BOY! The "not fully installed" and similar messages  :-(

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434198(C)
|
:00434227 5F                      pop edi
:00434228 5E                      pop esi
:00434229 81C400040000            add esp, 00000400
:0043422F C3                      ret


――――――――――――――――――――――――
Entering 0043417E  call dword ptr [0051E88C]       (calls hook.dll to verify the main program)


Exported fn(): SCAPI_SetHook_WinXP - Ord:0007h
:1C001294 55                      push ebp
:1C001295 8BEC                    mov ebp, esp
:1C001297 81EC60020000            sub esp, 00000260
:1C00129D C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:1C0012A4 C785A8FDFFFF00000000    mov dword ptr [ebp+FFFFFDA8], 00000000
:1C0012AE C785A4FDFFFF00000000    mov dword ptr [ebp+FFFFFDA4], 00000000
:1C0012B8 C785F4FEFFFF00000000    mov dword ptr [ebp+FFFFFEF4], 00000000
:1C0012C2 6804010000              push 00000104
:1C0012C7 6A00                    push 00000000
:1C0012C9 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:1C0012CF 50                      push eax

* Reference To: MSVCRT.memset, Ord:0299h
                                  |
:1C0012D0 E8E50E0000              Call 1C0021BA
:1C0012D5 83C40C                  add esp, 0000000C
:1C0012D8 6804010000              push 00000104
:1C0012DD 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:1C0012E3 51                      push ecx
:1C0012E4 8B5508                  mov edx, dword ptr [ebp+08]
:1C0012E7 52                      push edx

* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
                                  |
:1C0012E8 FF150C30001C            Call dword ptr [1C00300C]
:1C0012EE 8D85B0FDFFFF            lea eax, dword ptr [ebp+FFFFFDB0]
:1C0012F4 50                      push eax
:1C0012F5 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:1C0012FB 51                      push ecx

* Reference To: KERNEL32.FindFirstFileA, Ord:0094h
                                  |
:1C0012FC FF151030001C            Call dword ptr [1C003010]
:1C001302 8945FC                  mov dword ptr [ebp-04], eax
:1C001305 837DFCFF                cmp dword ptr [ebp-04], FFFFFFFF
:1C001309 7507                    jne 1C001312
:1C00130B 33C0                    xor eax, eax
:1C00130D E924010000              jmp 1C001436

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001309(C)
|
:1C001312 8B95D0FDFFFF            mov edx, dword ptr [ebp+FFFFFDD0]
:1C001318 8995F0FEFFFF            mov dword ptr [ebp+FFFFFEF0], edx

* Possible StringData Ref from Data Obj ->"rb"
                                  |
:1C00131E 684444001C              push 1C004444
:1C001323 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:1C001329 50                      push eax

* Reference To: MSVCRT.fopen, Ord:0257h
                                  |
:1C00132A FF154830001C            Call dword ptr [1C003048]
:1C001330 83C408                  add esp, 00000008
:1C001333 8985A4FDFFFF            mov dword ptr [ebp+FFFFFDA4], eax
:1C001339 83BDA4FDFFFF00          cmp dword ptr [ebp+FFFFFDA4], 00000000
:1C001340 7505                    jne 1C001347
:1C001342 E9ED000000              jmp 1C001434

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001340(C)
|
:1C001347 8B8DF0FEFFFF            mov ecx, dword ptr [ebp+FFFFFEF0]
:1C00134D 51                      push ecx

* Reference To: MSVCRT.malloc, Ord:0291h
                                  |
:1C00134E FF154C30001C            Call dword ptr [1C00304C]
:1C001354 83C404                  add esp, 00000004
:1C001357 8985A8FDFFFF            mov dword ptr [ebp+FFFFFDA8], eax
:1C00135D 83BDA8FDFFFF00          cmp dword ptr [ebp+FFFFFDA8], 00000000
:1C001364 7505                    jne 1C00136B
:1C001366 E9C7000000              jmp 1C001432

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001364(C)
|
:1C00136B 8B95A4FDFFFF            mov edx, dword ptr [ebp+FFFFFDA4]
:1C001371 52                      push edx
:1C001372 8B85F0FEFFFF            mov eax, dword ptr [ebp+FFFFFEF0]
:1C001378 50                      push eax
:1C001379 6A01                    push 00000001
:1C00137B 8B8DA8FDFFFF            mov ecx, dword ptr [ebp+FFFFFDA8]
:1C001381 51                      push ecx

* Reference To: MSVCRT.fread, Ord:025Dh
                                  |
:1C001382 FF155030001C            Call dword ptr [1C003050]
:1C001388 83C410                  add esp, 00000010
:1C00138B 85C0                    test eax, eax
:1C00138D 7448                    je 1C0013D7
:1C00138F 8B95F0FEFFFF            mov edx, dword ptr [ebp+FFFFFEF0]
:1C001395 83EA04                  sub edx, 00000004
:1C001398 52                      push edx
:1C001399 8B85A8FDFFFF            mov eax, dword ptr [ebp+FFFFFDA8]
:1C00139F 50                      push eax
:1C0013A0 E88FFEFFFF              call 1C001234
                                  ====> CRC computation!

:1C0013A5 8985ACFDFFFF            mov dword ptr [ebp+FFFFFDAC], eax
:1C0013AB 8B8DA8FDFFFF            mov ecx, dword ptr [ebp+FFFFFDA8]
:1C0013B1 038DF0FEFFFF            add ecx, dword ptr [ebp+FFFFFEF0]
:1C0013B7 8B51FC                  mov edx, dword ptr [ecx-04]
:1C0013BA 8995A0FDFFFF            mov dword ptr [ebp+FFFFFDA0], edx
:1C0013C0 8B85ACFDFFFF            mov eax, dword ptr [ebp+FFFFFDAC]
                                  ====> Patching here removes the check of the main program   :-)

:1C0013C6 33C9                    xor ecx, ecx
:1C0013C8 3B85A0FDFFFF            cmp eax, dword ptr [ebp+FFFFFDA0]
                                  ====> Compare!

:1C0013CE 0F94C1                  sete cl
                                  ====> CL is set from the result: CL=1 if correct

:1C0013D1 898DF4FEFFFF            mov dword ptr [ebp+FFFFFEF4], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1C00138D(C), :1C001432(U), :1C001434(U)
|
:1C0013D7 83BDA4FDFFFF00          cmp dword ptr [ebp+FFFFFDA4], 00000000
:1C0013DE 7410                    je 1C0013F0
:1C0013E0 8B95A4FDFFFF            mov edx, dword ptr [ebp+FFFFFDA4]
:1C0013E6 52                      push edx

* Reference To: MSVCRT.fclose, Ord:024Ch
                                  |
:1C0013E7 FF155430001C            Call dword ptr [1C003054]
:1C0013ED 83C404                  add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C0013DE(C)
|
:1C0013F0 837DFCFF                cmp dword ptr [ebp-04], FFFFFFFF
:1C0013F4 740A                    je 1C001400
:1C0013F6 8B45FC                  mov eax, dword ptr [ebp-04]
:1C0013F9 50                      push eax

* Reference To: KERNEL32.FindClose, Ord:0090h
                                  |
:1C0013FA FF151430001C            Call dword ptr [1C003014]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C0013F4(C)
|
:1C001400 83BDA8FDFFFF00          cmp dword ptr [ebp+FFFFFDA8], 00000000
:1C001407 7410                    je 1C001419
:1C001409 8B8DA8FDFFFF            mov ecx, dword ptr [ebp+FFFFFDA8]
:1C00140F 51                      push ecx

* Reference To: MSVCRT.free, Ord:025Eh
                                  |
:1C001410 FF155830001C            Call dword ptr [1C003058]
:1C001416 83C404                  add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001407(C)
|
:1C001419 83BDF4FEFFFF00          cmp dword ptr [ebp+FFFFFEF4], 00000000
:1C001420 7508                    jne 1C00142A
:1C001422 6A01                    push 00000001

* Reference To: MSVCRT.exit, Ord:0249h
                                  |
:1C001424 FF156030001C            Call dword ptr [1C003060]
                                  ====> Exits here! Leaves without a word  :-(

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001420(C)
|
:1C00142A 8B85F4FEFFFF            mov eax, dword ptr [ebp+FFFFFEF4]
:1C001430 EB04                    jmp 1C001436



――――――――――――――――――――――――
Entering the CRC computation CALL: 1C0013A0  call 1C001234


* Referenced by a CALL at Addresses:
|:1C0013A0   , :1C001972   , :1C001991   
|
:1C001234 55                      push ebp
:1C001235 8BEC                    mov ebp, esp
:1C001237 83EC08                  sub esp, 00000008
:1C00123A C745F8FFFFFFFF          mov [ebp-08], FFFFFFFF
:1C001241 8B4508                  mov eax, dword ptr [ebp+08]
:1C001244 8945FC                  mov dword ptr [ebp-04], eax
:1C001247 EB09                    jmp 1C001252

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001286(U)
|
:1C001249 8B4D0C                  mov ecx, dword ptr [ebp+0C]
:1C00124C 83E901                  sub ecx, 00000001
:1C00124F 894D0C                  mov dword ptr [ebp+0C], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001247(U)
|
:1C001252 837D0C00                cmp dword ptr [ebp+0C], 00000000
:1C001256 7E30                    jle 1C001288
:1C001258 8B55F8                  mov edx, dword ptr [ebp-08]
:1C00125B C1EA08                  shr edx, 08
:1C00125E 8B45F8                  mov eax, dword ptr [ebp-08]
:1C001261 25FF000000              and eax, 000000FF
:1C001266 8B4DFC                  mov ecx, dword ptr [ebp-04]
:1C001269 0FBE09                  movsx ecx, byte ptr [ecx]
:1C00126C 33C1                    xor eax, ecx
:1C00126E 25FF000000              and eax, 000000FF
:1C001273 3314851C40001C          xor edx, dword ptr [4*eax+1C00401C]
                                  ====> At [1C00401C] in memory is a CRC-32 table! :-)

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
              :-)     CRC-32 Table  (256 entries in total)   :-)

77073096 EE0E612C 990951BA 076DC419 706AF48F E963A535 9E6495A3 0EDB8832 
79DCB8A4 E0D5E91E 97D2D988 09B64C2B 7EB17CBD E7B82D07 90BF1D91 00000000 
6AB020F2 F3B97148 84BE41DE 1ADAD47D 6DDDE4EB F4D4B551 83D385C7 136C9856 
646BA8C0 FD62F97A 8A65C9EC 14015C4F 63066CD9 FA0F3D63 8D080DF5 3B6E20C8 
4C69105E D56041E4 A2677172 3C03E4D1 4B04D447 D20D85FD A50AB56B 35B5A8FA 
42B2986C DBBBC9D6 ACBCF940 32D86CE3 45DF5C75 DCD60DCF ABD13D59 26D930AC 
51DE003A C8D75180 BFD06116 21B4F4B5 56B3C423 CFBA9599 B8BDA50F 2802B89E 
5F058808 C60CD9B2 B10BE924 2F6F7C87 58684C11 C1611DAB B6662D3D 76DC4190 
01DB7106 98D220BC EFD5102A 71B18589 06B6B51F 9FBFE4A5 E8B8D433 7807C9A2 
0F00F934 9609A88E E10E9818 7F6A0DBB 086D3D2D 91646C97 E6635C01 6B6B51F4 
1C6C6162 856530D8 F262004E 6C0695ED 1B01A57B 8208F4C1 F50FC457 65B0D9C6 
12B7E950 8BBEB8EA FCB9887C 62DD1DDF 15DA2D49 8CD37CF3 FBD44C65 4DB26158 
3AB551CE A3BC0074 D4BB30E2 4ADFA541 3DD895D7 A4D1C46D D3D6F4FB 4369E96A 
346ED9FC AD678846 DA60B8D0 44042D73 33031DE5 AA0A4C5F DD0D7CC9 5005713C 
270241AA BE0B1010 C90C2086 5768B525 206F85B3 B966D409 CE61E49F 5EDEF90E 
29D9C998 B0D09822 C7D7A8B4 59B33D17 2EB40D81 B7BD5C3B C0BA6CAD EDB88320 
9ABFB3B6 03B6E20C 74B1D29A EAD54739 9DD277AF 04DB2615 73DC1683 E3630B12 
94643B84 0D6D6A3E 7A6A5AA8 E40ECF0B 9309FF9D 0A00AE27 7D079EB1 F00F9344 
8708A3D2 1E01F268 6906C2FE F762575D 806567CB 196C3671 6E6B06E7 FED41B76 
89D32BE0 10DA7A5A 67DD4ACC F9B9DF6F 8EBEEFF9 17B7BE43 60B08ED5 D6D6A3E8 
A1D1937E 38D8C2C4 4FDFF252 D1BB67F1 A6BC5767 3FB506DD 48B2364B D80D2BDA 
AF0A1B4C 36034AF6 41047A60 DF60EFC3 A867DF55 316E8EEF 4669BE79 CB61B38C 
BC66831A 256FD2A0 5268E236 CC0C7795 BB0B4703 220216B9 5505262F C5BA3BBE 
B2BD0B28 2BB45A92 5CB36A04 C2D7FFA7 B5D0CF31 2CD99E8B 5BDEAE1D 9B64C2B0 
EC63F226 756AA39C 026D930A 9C0906A9 EB0E363F 72076785 05005713 95BF4A82 
E2B87A14 7BB12BAE 0CB61B38 92D28E9B E5D5BE0D 7CDCEFB7 0BDBDF21 86D3D2D4 
F1D4E242 68DDB3F8 1FDA836E 81BE16CD F6B9265B 6FB077E1 18B74777 88085AE6 
FF0F6A70 66063BCA 11010B5C 8F659EFF F862AE69 616BFFD3 166CCF45 A00AE278 
D70DD2EE 4E048354 3903B3C2 A7672661 D06016F7 4969474D 3E6E77DB AED16A4A 
D9D65ADC 40DF0B66 37D83BF0 A9BCAE53 DEBB9EC5 47B2CF7F 30B5FFE9 BDBDF21C
CABAC28A 53B39330 24B4A3A6 BAD03605 CDD70693 54DE5729 23D967BF B3667A2E 
C4614AB8 5D681B02 2A6F2B94 B40BBE37 C30C8EA1 5A05DF1B 2D02EF8D 004C3E50 


☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:1C00127A 8955F8                  mov dword ptr [ebp-08], edx
:1C00127D 8B55FC                  mov edx, dword ptr [ebp-04]
:1C001280 83C201                  add edx, 00000001
:1C001283 8955FC                  mov dword ptr [ebp-04], edx
:1C001286 EBC1                    jmp 1C001249

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001256(C)
|
:1C001288 8B45F8                  mov eax, dword ptr [ebp-08]
:1C00128B 83F0FF                  xor eax, FFFFFFFF
:1C00128E 8BE5                    mov esp, ebp
:1C001290 5D                      pop ebp
:1C001291 C20800                  ret 0008
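
The loop above is the ordinary table-driven CRC-32 (reflected polynomial 0xEDB88320; the 256-entry table at [1C00401C] is the standard one whose values appear in the dump). The Python below is an added example, not code from this write-up or from SuperCapture: it reimplements 1C001234 exactly as disassembled, cross-checks it against zlib.crc32, and models the file check in SCAPI_SetHook_WinXP (CRC over all bytes except the last four, compared with the trailing little-endian DWORD). The names crc32_as_disassembled, append_trailer, check_trailer and matches_zlib and the sample image bytes are my own constructions.

```python
"""Added example: Python model of hook.dll's CRC-32 routine (1C001234) and of
the self-check in SCAPI_SetHook_WinXP, cross-checked against zlib.crc32.
Not code from the original write-up or from SuperCapture."""
import struct
import zlib

# Reflected CRC-32 polynomial. The table at [1C00401C] in hook.dll is the
# standard table this generates (table[1] = 77073096, table[2] = EE0E612C ...).
CRC32_POLY = 0xEDB88320


def make_table() -> list:
    """Build the 256-entry CRC-32 lookup table the DLL keeps in its data section."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_table()


def crc32_as_disassembled(data: bytes, length=None) -> int:
    """Mirror of 1C001234(buffer, length) as listed above:
       [ebp-08] = FFFFFFFF                          ; running CRC
       while length > 0 (signed; jle exits the loop):
           edx = crc >> 8
           eax = (crc & FF) ^ movsx(byte)             ; sign extension is
           eax &= FF                                  ;   masked off again
           crc = edx ^ table[eax]; pointer += 1; length -= 1
       return crc ^ FFFFFFFF"""
    if length is None:
        length = len(data)
    crc = 0xFFFFFFFF
    for i in range(max(length, 0)):
        crc = (crc >> 8) ^ CRC_TABLE[(crc ^ data[i]) & 0xFF]
    return crc ^ 0xFFFFFFFF


def append_trailer(image: bytes) -> bytes:
    """What a build step has to do for check_trailer to pass: store the CRC-32
    of the image as a little-endian DWORD at the very end of the file.
    (Hypothetical helper; the write-up only shows the checking side.)"""
    return image + struct.pack("<I", crc32_as_disassembled(image))


def check_trailer(blob: bytes) -> bool:
    """Model of SCAPI_SetHook_WinXP after fread: run 1C001234 over size-4
    bytes and compare with the DWORD at buffer+size-4 (the cmp at 1C0013C8).
    The DLL calls exit(1) when this is false; here the result is returned."""
    if len(blob) < 4:
        return False
    computed = crc32_as_disassembled(blob, len(blob) - 4)
    (stored,) = struct.unpack_from("<I", blob, len(blob) - 4)
    return computed == stored


def matches_zlib(data: bytes) -> bool:
    """Confirms the routine is plain CRC-32, not a customised variant."""
    return crc32_as_disassembled(data) == zlib.crc32(data)


if __name__ == "__main__":
    # Constructed stand-in for SuperCap.exe; not the real file's contents.
    image = b"MZ" + bytes(range(256)) * 4
    protected = append_trailer(image)
    print("standard CRC-32:", matches_zlib(image))        # True
    print("untouched file :", check_trailer(protected))   # True
    # Any change to the body (unpacking, as in the write-up) is caught.
    modified = protected[:0x40] + b"\x90" + protected[0x41:]
    print("modified file  :", check_trailer(modified))    # False
```

Because the expected value is stored inside the file it protects, this kind of check only detects accidental corruption, not deliberate modification: nothing in it is secret from whoever can edit the file, which is why a few patched bytes defeat it.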



――――――――――――――――――――――――――――――――― 
3. Registration-code verification and patching


This part is pLayAr[FCG]'s work! :-D  Thanks for the pointers!

The program's algorithm is well protected: the registration code is 36 characters, 9 per box. The program imposes many requirements on the code and verifies them in several different places! Following pLayAr[FCG]'s findings, the patch works only under specific conditions!

―――――――――――――――――――――――――――――――――
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00434A93(U)
|
:00434A9A 85C0                    test eax, eax
:00434A9C 0F8410010000            je 00434BB2
:00434AA2 8DBDD0030000            lea edi, dword ptr [ebp+000003D0]
:00434AA8 83C9FF                  or ecx, FFFFFFFF
:00434AAB 33C0                    xor eax, eax
:00434AAD F2                      repnz
:00434AAE AE                      scasb
:00434AAF F7D1                    not ecx
:00434AB1 49                      dec ecx
:00434AB2 83F909                  cmp ecx, 00000009
                                  ====> 9 characters?

:00434AB5 0F85F7000000            jne 00434BB2
:00434ABB 8DBD14050000            lea edi, dword ptr [ebp+00000514]
:00434AC1 83C9FF                  or ecx, FFFFFFFF
:00434AC4 F2                      repnz
:00434AC5 AE                      scasb
:00434AC6 F7D1                    not ecx
:00434AC8 49                      dec ecx
:00434AC9 83F909                  cmp ecx, 00000009
                                  ====> 9 characters?

:00434ACC 0F85E0000000            jne 00434BB2
:00434AD2 8DBD58060000            lea edi, dword ptr [ebp+00000658]
:00434AD8 83C9FF                  or ecx, FFFFFFFF
:00434ADB F2                      repnz
:00434ADC AE                      scasb
:00434ADD F7D1                    not ecx
:00434ADF 49                      dec ecx
:00434AE0 83F909                  cmp ecx, 00000009
                                  ====> 9 characters?

:00434AE3 0F85C9000000            jne 00434BB2
:00434AE9 8DBD9C070000            lea edi, dword ptr [ebp+0000079C]
:00434AEF 83C9FF                  or ecx, FFFFFFFF
:00434AF2 F2                      repnz
:00434AF3 AE                      scasb
:00434AF4 F7D1                    not ecx
:00434AF6 49                      dec ecx
:00434AF7 83F909                  cmp ecx, 00000009
                                  ====> 9 characters?

:00434AFA 0F85B2000000            jne 00434BB2
:00434B00 E829220900              call 004C6D2E
:00434B05 8B7008                  mov esi, dword ptr [eax+08]
:00434B08 A1D4E85100              mov eax, dword ptr [0051E8D4]
:00434B0D 8D889C070000            lea ecx, dword ptr [eax+0000079C]
:00434B13 8D9058060000            lea edx, dword ptr [eax+00000658]
:00434B19 51                      push ecx
:00434B1A 8D8814050000            lea ecx, dword ptr [eax+00000514]
:00434B20 52                      push edx
:00434B21 05D0030000              add eax, 000003D0
:00434B26 51                      push ecx
:00434B27 50                      push eax
:00434B28 8D542420                lea edx, dword ptr [esp+20]
:00434B2C 68C0635000              push 005063C0
:00434B31 52                      push edx
:00434B32 E86E610600              call 0049ACA5
:00434B37 8B0D78C65100            mov ecx, dword ptr [0051C678]
:00434B3D 8B15D4E85100            mov edx, dword ptr [0051E8D4]
:00434B43 B05A                    mov al, 5A
:00434B45 8974244D                mov dword ptr [esp+4D], esi
:00434B49 8844244C                mov byte ptr [esp+4C], al
:00434B4D 894C2451                mov dword ptr [esp+51], ecx
:00434B51 8B4A1C                  mov ecx, dword ptr [edx+1C]
:00434B54 83C418                  add esp, 00000018
:00434B57 894C243D                mov dword ptr [esp+3D], ecx
:00434B5B 8A4C2433                mov cl, byte ptr [esp+33]
:00434B5F 3AC8                    cmp cl, al
                                  ====> Is the last character 'Z'? hook.dll is called below to verify!

:00434B61 754F                    jne 00434BB2
:00434B63 68108B5000              push 00508B10

* Reference To: KERNEL32.LoadLibraryA, Ord:0000h
                                  |
:00434B68 FF15B8424D00            Call dword ptr [004D42B8]
:00434B6E 8BF0                    mov esi, eax
:00434B70 85F6                    test esi, esi
:00434B72 743E                    je 00434BB2
:00434B74 8D542410                lea edx, dword ptr [esp+10]
:00434B78 6A24                    push 00000024
:00434B7A 52                      push edx
:00434B7B E880960000              call 0043E200
:00434B80 83C408                  add esp, 00000008
:00434B83 8D442410                lea eax, dword ptr [esp+10]
:00434B87 50                      push eax
:00434B88 68F48A5000              push 00508AF4
:00434B8D 56                      push esi

* Reference To: KERNEL32.GetProcAddress, Ord:0000h
                                  |
:00434B8E FF1594434D00            Call dword ptr [004D4394]
:00434B94 50                      push eax

* Reference To: USER32.EnumWindows, Ord:0000h
                                  |
:00434B95 FF1514474D00            Call dword ptr [004D4714]
:00434B9B 56                      push esi

* Reference To: KERNEL32.FreeLibrary, Ord:0000h
                                  |
:00434B9C FF15B4424D00            Call dword ptr [004D42B4]
:00434BA2 B909000000              mov ecx, 00000009
:00434BA7 8D742410                lea esi, dword ptr [esp+10]
:00434BAB BFA0E85100              mov edi, 0051E8A0
:00434BB0 F3                      repz
:00434BB1 A5                      movsd

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00434A2D(C), :00434A3A(C), :00434A44(C), :00434A52(C), :00434A60(C)
|:00434A9C(C), :00434AB5(C), :00434ACC(C), :00434AE3(C), :00434AFA(C)
|:00434B61(C), :00434B72(C)
|
:00434BB2 8B4C244C                mov ecx, dword ptr [esp+4C]
:00434BB6 8B542448                mov edx, dword ptr [esp+48]
:00434BBA A1D8E85100              mov eax, dword ptr [0051E8D8]
:00434BBF 53                      push ebx
:00434BC0 51                      push ecx
:00434BC1 52                      push edx
:00434BC2 50                      push eax

* Reference To: USER32.CallNextHookEx, Ord:0000h
                                  |
:00434BC3 FF1580474D00            Call dword ptr [004D4780]
:00434BC9 5F                      pop edi
:00434BCA 5E                      pop esi
:00434BCB 5D                      pop ebp
:00434BCC 5B                      pop ebx
:00434BCD 83C434                  add esp, 00000034
:00434BD0 C20C00                  ret 000C


――――――――――――――――――――――――
Note that this is not the only place where the program verifies like this! Below is another:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D8FC(C)

…… …… omitted …… ……

:0040D965 83F909                  cmp ecx, 00000009
:0040D968 0F854F010000            jne 0040DABD
…… …… omitted …… ……
:0040DA3C B959000000              mov ecx, 00000059

…… …… omitted …… ……


――――――――――――――――――――――――
Entering the verification in hook.dll:


* Referenced by a CALL at Addresses:
|:1C0013A0   , :1C001972   , :1C001991   
                                  ====> Outside this CALL there are other complex checks as well  :-(

:1C001234 55                      push ebp
:1C001235 8BEC                    mov ebp, esp
:1C001237 83EC08                  sub esp, 00000008
:1C00123A C745F8FFFFFFFF          mov [ebp-08], FFFFFFFF
:1C001241 8B4508                  mov eax, dword ptr [ebp+08]
:1C001244 8945FC                  mov dword ptr [ebp-04], eax
:1C001247 EB09                    jmp 1C001252

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001286(U)
|
:1C001249 8B4D0C                  mov ecx, dword ptr [ebp+0C]
:1C00124C 83E901                  sub ecx, 00000001
:1C00124F 894D0C                  mov dword ptr [ebp+0C], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001247(U)
|
:1C001252 837D0C00                cmp dword ptr [ebp+0C], 00000000
:1C001256 7E30                    jle 1C001288
:1C001258 8B55F8                  mov edx, dword ptr [ebp-08]
:1C00125B C1EA08                  shr edx, 08
:1C00125E 8B45F8                  mov eax, dword ptr [ebp-08]
:1C001261 25FF000000              and eax, 000000FF
:1C001266 8B4DFC                  mov ecx, dword ptr [ebp-04]
:1C001269 0FBE09                  movsx ecx, byte ptr [ecx]
:1C00126C 33C1                    xor eax, ecx
:1C00126E 25FF000000              and eax, 000000FF
:1C001273 3314851C40001C          xor edx, dword ptr [4*eax+1C00401C]
:1C00127A 8955F8                  mov dword ptr [ebp-08], edx
:1C00127D 8B55FC                  mov edx, dword ptr [ebp-04]
:1C001280 83C201                  add edx, 00000001
:1C001283 8955FC                  mov dword ptr [ebp-04], edx
:1C001286 EBC1                    jmp 1C001249

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C001256(C)
|
:1C001288 8B45F8                  mov eax, dword ptr [ebp-08]
:1C00128B 83F0FF                  xor eax, FFFFFFFF
                                  ====> Patch point ②

:1C00128E 8BE5                    mov esp, ebp
:1C001290 5D                      pop ebp
:1C001291 C20800                  ret 0008



――――――――――――――――――――――――――――――――― 
【Patching】:


1. 0041BF35 E826820100              call 00434160
      change to: 9090909090              NOP it out!
No way around it: the program is sly, verifying SuperCap.exe from inside hook.dll and verifying hook.dll from inside SuperCap.exe.
To save effort I changed it from the outside directly. If that causes problems, the only option is to dig into the verification core and modify it there.

2. 1C00128B 83F0FF                  xor eax, FFFFFFFF
      change to: 33C090                  xor eax, eax  
The program is quite demanding about the registration code :-) even after this patch, a specific registration code is still needed for registration to succeed  :-(


BTW: according to fxyang's testing, the program crashes under WIN2003. No surprise: this thing hasn't been updated in a long time, and WIN2003 did not exist when it was released.


――――――――――――――――――――――――――――――――― 
【Registration info storage】:


The SuperCapture.drv file in the same directory

――――――――――――――――――――――――――――――――― 
【Summary】:


Due to my limited skill, I could not solve this perfectly. :-( After the self-check is removed and the patch applied, the following registration code must still be entered for verification to succeed!
I hope some master will work out the algorithm, or that a usable key can be obtained ……  hehe  :-)

Name:              fly          (Random)
Company:           [OCN][FCG]   (Random)
Registration code: AAAAAAAAA-AAAAAAAAA-AAAAAAAAA-AAAAAAHHZ

―――――――――――――――――――――――――――――――――
    
                                
         ,     _/ 
        /| _.-~/            _     ,        Youth lasts but a moment  :o 
       ( /~   /              ~-._ |
       `\  _/                   ~ )          why not trade fleeting fame    :shock: 
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        for the wild freedom of cracking   :wink: 
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

               Cracked By 巢水工作坊――fly [OCN][FCG]

                       2003-09-29   9:00
