屏幕录像专家20041209版的破解思路
屏幕录像专家20041209版的破解思路
软件:屏幕录像专家20041209 版
功能:屏幕录像,制作录像教程
破解:魔羯猪猪
主程序没有加壳
用 OD 载入,停在了软件的入口
00437D20 /.55 push ebp
00437D21 |.8BEC mov ebp,esp
00437D23 |.81C4 CCFEFFFF add esp,-134
00437D29 |.53 push ebx
00437D2A |.8995 44FFFFFF mov dword ptr ss:,edx
00437D30 |.8985 48FFFFFF mov dword ptr ss:,eax
00437D36 |.B8 FCBA5000 mov eax,屏录专家.0050BAFC
00437D3B |.E8 60440A00 call <屏录专家.@__InitExceptBlockLDTC>
00437D40 |.66:C785 5CFFFFFF 0800mov word ptr ss:,8
00437D49 |.8D45 FC lea eax,dword ptr ss:
00437D4C |.E8 BF9BFCFF call <屏录专家.unknown_libname_37>
00437D51 |.8BD0 mov edx,eax
00437D53 |.FF85 68FFFFFF inc dword ptr ss:
00437D59 |.8B8D 48FFFFFF mov ecx,dword ptr ss:
00437D5F |.8B81 E4020000 mov eax,dword ptr ds:
00437D65 |.E8 1E860500 call <屏录专家.@TControl@GetText$qqrv>;取注册码
00437D6A |.8D55 FC lea edx,dword ptr ss: ;**edx->注册码
00437D6D |.FF32 push dword ptr ds:
00437D6F |.8D45 F8 lea eax,dword ptr ss:
00437D72 |.E8 999BFCFF call <屏录专家.unknown_libname_37>
00437D77 |.8BD0 mov edx,eax
00437D79 |.FF85 68FFFFFF inc dword ptr ss:
00437D7F |.8B8D 48FFFFFF mov ecx,dword ptr ss:
00437D85 |.8B81 DC020000 mov eax,dword ptr ds:
00437D8B |.E8 F8850500 call <屏录专家.@TControl@GetText$qqrv>;取注册名
00437D90 |.8D55 F8 lea edx,dword ptr ss: ;**edx->注册名
00437D93 |.FF32 push dword ptr ds:
00437D95 |.FFB5 48FFFFFF push dword ptr ss:
00437D9B |.E8 180C0000 call <屏录专家.old_ver> ;关于老版本
00437DA0 |.83C4 0C add esp,0C
00437DA3 |.3C 01 cmp al,1
00437DA5 |.0F94C1 sete cl
00437DA8 |.83E1 01 and ecx,1
00437DAB |.51 push ecx
00437DAC |.FF8D 68FFFFFF dec dword ptr ss:
00437DB2 |.8D45 F8 lea eax,dword ptr ss:
00437DB5 |.BA 02000000 mov edx,2
00437DBA |.E8 11F70A00 call <屏录专家.@System@AnsiString@$bdtr$qqrv>
00437DBF |.FF8D 68FFFFFF dec dword ptr ss:
00437DC5 |.8D45 FC lea eax,dword ptr ss:
00437DC8 |.BA 02000000 mov edx,2
00437DCD |.E8 FEF60A00 call <屏录专家.@System@AnsiString@$bdtr$qqrv>
00437DD2 |.59 pop ecx
00437DD3 |.84C9 test cl,cl
00437DD5 |.74 48 je short 屏录专家.00437E1F;不是老版本
00437DD7 |.66:C785 5CFFFFFF 1400mov word ptr ss:,14 ;注册码是老版本
00437DE0 |.BA DCB75000 mov edx,屏录专家.0050B7DC
00437DE5 |.8D45 F4 lea eax,dword ptr ss:
00437DE8 |.E8 ABF40A00 call <屏录专家.sub_4E7298>
00437DED |.FF85 68FFFFFF inc dword ptr ss:
00437DF3 |.8B00 mov eax,dword ptr ds:
00437DF5 |.E8 46310500 call <屏录专家.@Dialogs@ShowMessage$qqrx17System@AnsiString>
00437DFA |.FF8D 68FFFFFF dec dword ptr ss:
00437E00 |.8D45 F4 lea eax,dword ptr ss:
00437E03 |.BA 02000000 mov edx,2
00437E08 |.E8 C3F60A00 call <屏录专家.@System@AnsiString@$bdtr$qqrv>
00437E0D |.8B8D 4CFFFFFF mov ecx,dword ptr ss:
00437E13 |.64:890D 00000000 mov dword ptr fs:,ecx
00437E1A |.E9 7E0B0000 jmp 屏录专家.0043899D ;返回 不是老版本:
00437E1F |>6A 14 push 14
00437E21 |.6A 00 push 0
00437E23 |.8D85 00FFFFFF lea eax,dword ptr ss:
00437E29 |.50 push eax
00437E2A |.E8 A13F0A00 call <屏录专家._memset>
00437E2F |.83C4 0C add esp,0C
00437E32 |.33D2 xor edx,edx
00437E34 |.8995 40FFFFFF mov dword ptr ss:,edx
00437E3A |.6A 14 push 14
00437E3C |.6A 00 push 0
00437E3E |.8D8D 18FFFFFF lea ecx,dword ptr ss:
00437E44 |.51 push ecx
00437E45 |.E8 863F0A00 call <屏录专家._memset>
00437E4A |.83C4 0C add esp,0C
00437E4D |.6A 14 push 14
00437E4F |.6A 00 push 0
00437E51 |.8D85 E8FEFFFF lea eax,dword ptr ss:
00437E57 |.50 push eax
00437E58 |.E8 733F0A00 call <屏录专家._memset>
00437E5D |.83C4 0C add esp,0C
00437E60 |.66:C785 5CFFFFFF 2000mov word ptr ss:,20
00437E69 |.8D45 F0 lea eax,dword ptr ss:
00437E6C |.E8 9F9AFCFF call <屏录专家.unknown_libname_37>
00437E71 |.8BD0 mov edx,eax
00437E73 |.FF85 68FFFFFF inc dword ptr ss:
00437E79 |.8B8D 48FFFFFF mov ecx,dword ptr ss:
00437E7F |.8B81 DC020000 mov eax,dword ptr ds:
00437E85 |.E8 FE840500 call <屏录专家.@TControl@GetText$qqrv>;取注册名
00437E8A |.8D45 F0 lea eax,dword ptr ss:
**eax->取注册名
00437E8D |.E8 46DEFCFF call <屏录专家.@System@AnsiString@c_str$xqqrv>
00437E92 |.50 push eax
00437E93 |.8D95 E8FEFFFF lea edx,dword ptr ss:
00437E99 |.52 push edx
00437E9A |.E8 5D400A00 call <屏录专家._strcpy> ;copy 注册名
00437E9F |.83C4 08 add esp,8
00437EA2 |.FF8D 68FFFFFF dec dword ptr ss:
00437EA8 |.8D45 F0 lea eax,dword ptr ss:
00437EAB |.BA 02000000 mov edx,2
00437EB0 |.E8 1BF60A00 call <屏录专家.@System@AnsiString@$bdtr$qqrv>
00437EB5 |.66:C785 5CFFFFFF 2C00mov word ptr ss:,2C
00437EBE |.8D45 EC lea eax,dword ptr ss:
00437EC1 |.E8 4A9AFCFF call <屏录专家.unknown_libname_37>
00437EC6 |.8BD0 mov edx,eax
00437EC8 |.FF85 68FFFFFF inc dword ptr ss:
00437ECE |.8B8D 48FFFFFF mov ecx,dword ptr ss:
00437ED4 |.8B81 F0020000 mov eax,dword ptr ds:
00437EDA |.E8 A9840500 call <屏录专家.@TControl@GetText$qqrv>;取机器码
00437EDF |.8D45 EC lea eax,dword ptr ss:
;**eax->机器码
00437EE2 |.E8 F1DDFCFF call <屏录专家.@System@AnsiString@c_str$xqqrv>
00437EE7 |.50 push eax
00437EE8 |.8D95 00FFFFFF lea edx,dword ptr ss:
00437EEE |.52 push edx
00437EEF |.E8 08400A00 call <屏录专家._strcpy> ;copy 机器码
00437EF4 |.83C4 08 add esp,8
00437EF7 |.FF8D 68FFFFFF dec dword ptr ss:
00437EFD |.8D45 EC lea eax,dword ptr ss:
00437F00 |.BA 02000000 mov edx,2
00437F05 |.E8 C6F50A00 call <屏录专家.@System@AnsiString@$bdtr$qqrv>
00437F0A |.33C9 xor ecx,ecx
00437F0C |.898D 3CFFFFFF mov dword ptr ss:,ecx
;*********************************************************************************************************
00437F12 |>8B85 3CFFFFFF /mov eax,dword ptr ss:
00437F18 |.8A9405 E8FEFFFF |mov dl,byte ptr ss:;=注册名
00437F1F |.8B8D 3CFFFFFF |mov ecx,dword ptr ss:
00437F25 |.32940D 00FFFFFF |xor dl,byte ptr ss:;=机器码
00437F2C |.8B85 3CFFFFFF |mov eax,dword ptr ss:
00437F32 |.889405 18FFFFFF |mov byte ptr ss:,dl
00437F39 |.8B95 3CFFFFFF |mov edx,dword ptr ss:
00437F3F |.0FBE8C15 18FFFFFF |movsx ecx,byte ptr ss:
00437F47 |.898D CCFEFFFF |mov dword ptr ss:,ecx
00437F4D |.DB85 CCFEFFFF |fild dword ptr ss:
00437F53 |.83C4 F8 |add esp,-8
00437F56 |.DD1C24 |fstp qword ptr ss:
00437F59 |.E8 02840A00 |call <屏录专家._fabs> ;st=||
00437F5E |.83C4 08 |add esp,8
00437F61 |.DB85 3CFFFFFF |fild dword ptr ss: ;st=
00437F67 |.DEC9 |fmulp st(1),st ; st=||*
00437F69 |.DB85 40FFFFFF |fild dword ptr ss: ;st=
00437F6F |.DEC1 |faddp st(1),st ; st=||*+
00437F71 |.E8 12840A00 |call <屏录专家.@_ftol$qv> ; eax=st
00437F76 |.8985 40FFFFFF |mov dword ptr ss:,eax
00437F7C |.FF85 3CFFFFFF |inc dword ptr ss:
00437F82 |.83BD 3CFFFFFF 14 |cmp dword ptr ss:,14;20位
00437F89 |.^ 7C 87 \jl short 屏录专家.00437F12
;假设这段程序输出为temp_H
static char n="123"//注册名
static char m="38289378"//机器码
int count;
int temp_H;
temp_H=0;
for count=0 to 14h do
{
temp_H=|n xor m|*count+temp_H
}
;*********************************************************************************************************
00437F8B |.8185 40FFFFFF 39300000 add dword ptr ss:,3039
00437F95 |.FFB5 40FFFFFF push dword ptr ss:
00437F9B |.68 57B85000 push 屏录专家.0050B857
00437FA0 |.8D95 18FFFFFF lea edx,dword ptr ss:
00437FA6 |.52 push edx
00437FA7 |.E8 F8690A00 call <屏录专家._sprintf>;把temp_H转为十进制temp_D
(十六进)temp_H------->(十进制)temp_D
;*********************************************************************************************************
00437FAC |.83C4 0C add esp,0C
00437FAF |.66:C785 5CFFFFFF 3800mov word ptr ss:,38
00437FB8 |.8D45 E8 lea eax,dword ptr ss:
00437FBB |.E8 5099FCFF call <屏录专家.unknown_libname_37>
00437FC0 |.8BD0 mov edx,eax
00437FC2 |.FF85 68FFFFFF inc dword ptr ss:
00437FC8 |.8B8D 48FFFFFF mov ecx,dword ptr ss:
00437FCE |.8B81 E4020000 mov eax,dword ptr ds:
00437FD4 |.E8 AF830500 call <屏录专家.@TControl@GetText$qqrv> ;取注册码
00437FD9 |.8D45 E8 lea eax,dword ptr ss:
;**EAX-> 注册码
00437FDC |.E8 F7DCFCFF call <屏录专家.@System@AnsiString@c_str$xqqrv>
00437FE1 |.50 push eax
00437FE2 |.8D95 D0FEFFFF lea edx,dword ptr ss:
00437FE8 |.52 push edx
00437FE9 |.E8 0E3F0A00 call <屏录专家._strcpy> ;COPY取注册码
00437FEE |.83C4 08 add esp,8
00437FF1 |.FF8D 68FFFFFF dec dword ptr ss:
00437FF7 |.8D45 E8 lea eax,dword ptr ss:
00437FFA |.BA 02000000 mov edx,2
00437FFF |.E8 CCF40A00 call <屏录专家.@System@AnsiString@$bdtr$qqrv>
00438004 |.33C9 xor ecx,ecx
00438006 |.898D 3CFFFFFF mov dword ptr ss:,ecx
0043800C |>8B85 3CFFFFFF /mov eax,dword ptr ss:
00438012 |.0FBE9405 18FFFFFF |movsx edx,byte ptr ss:;=temp_D
0043801A |.8B8D 3CFFFFFF |mov ecx,dword ptr ss:
00438020 |.0FBE840D D0FEFFFF |movsx eax,byte ptr ss:;=注册码
00438028 |.83C0 EC |add eax,-14
0043802B |.3BD0 |cmp edx,eax
0043802D |.75 5D |jnz short 屏录专家.0043808C
| |
0043802F |.83BD 3CFFFFFF 03 |cmp dword ptr ss:,3;是不是第5位
00438036 |.75 45 |jnz short 屏录专家.0043807D;不是第5位
| |
00438038 |.8B95 40FFFFFF |mov edx,dword ptr ss:;=temp_H
0043803E |.81C2 444D0000 |add edx,4D44
00438044 |.8995 CCFEFFFF |mov dword ptr ss:,edx
0043804A |.DB85 CCFEFFFF |fild dword ptr ss:
00438050 |.DC0D A4894300 |fmul qword ptr ds:;3.14
00438056 |.DB2D AC894300 |fld tbyte ptr ds:;1.59489633173843711e-1
0043805C |.DEC9 |fmulp st(1),st
0043805E |.E8 25830A00 |call <屏录专家.@_ftol$qv> ;eax=st
00438063 |.8985 40FFFFFF |mov dword ptr ss:,eax
00438069 |.8B85 40FFFFFF |mov eax,dword ptr ss:
0043806F |.B9 A0860100 |mov ecx,186A0
00438074 |.99 |cdq
00438075 |.F7F9 |idiv ecx
00438077 |.8995 40FFFFFF |mov dword ptr ss:,edx ;edx:余数
| |
0043807D |>FF85 3CFFFFFF |inc dword ptr ss:
00438083 |.83BD 3CFFFFFF 05 |cmp dword ptr ss:,5;loop 5 次
0043808A |.^ 7C 80 \jl short 屏录专家.0043800C
0043808C |>83BD 3CFFFFFF 05 cmp dword ptr ss:,5;是不是第5位
00438093 |.0F8C AD080000 jl 屏录专家.00438946 ;小于5失败 以下检查第5位:
00438099 |.8B85 40FFFFFF mov eax,dword ptr ss:
0043809F |.B9 0A000000 mov ecx,0A
004380A4 |.99 cdq
004380A5 |.F7F9 idiv ecx
004380A7 |.8B85 3CFFFFFF mov eax,dword ptr ss:
004380AD |.0FBE8C05 D0FEFFFF movsx ecx,byte ptr ss:;=第5位注册码
004380B5 |.83C1 BF add ecx,-41
004380B8 |.2BCA sub ecx,edx ;edx通过对temp_H计算得到
004380BA |.898D 38FFFFFF mov dword ptr ss:,ecx
004380C0 |.83BD 38FFFFFF 00 cmp dword ptr ss:,0
004380C7 |.74 0D je short 屏录专家.004380D6;成功
004380C9 |.83BD 38FFFFFF 05 cmp dword ptr ss:,5
004380D0 |.0F85 25080000 jnz 屏录专家.004388FB ;失败
static char s="xxxxxx"//注册码
int count
int buffer
for count=0 to 5 do
{cmp temp_D,(s-14)
jnz fail
if count=3 do {
buffer=mod(((temp_H+4d44h)*3.14*1.59489633173843711e-1)/186a0h)
}
}
buffer=s-41-mod(buffer/0ah)
if buffer=0 or buffer=5 jmp succeed
fail:
succeed:
;************************************************************************************************************
成功:
004380D6 |>66:C785 5CFFFFFF 4400mov word ptr ss:,44
004380DF |.BA 5AB85000 mov edx,屏录专家.0050B85A
004380E4 |.8D45 E4 lea eax,dword ptr ss:
004380E7 |.E8 ACF10A00 call <屏录专家.sub_4E7298>
004380EC |.FF85 68FFFFFF inc dword ptr ss:
004380F2 |.8B00 mov eax,dword ptr ds:
004380F4 |.E8 472E0500 call <屏录专家.@Dialogs@ShowMessage$qqrx17System@AnsiString>
004380F9 |.FF8D 68FFFFFF dec dword ptr ss:
004380FF |.8D45 E4 lea eax,dword ptr ss:
00438102 |.BA 02000000 mov edx,2
不建议爆破,因为通过注册后它会把注册名和注册码保存在pmlxzj.dll文件里,再次启动时会再检查,
C:\windows\pmlxzj.dll
我的机器码为"38289378",输入注册名为“123"
下断点在:
0043800C |>8B85 3CFFFFFF /mov eax,dword ptr ss:
00438012 |.0FBE9405 18FFFFFF |movsx edx,byte ptr ss:;=temp_D
可见指向"31 33 36 33 30 00"
可得:
31h+14h=45h->"E"
33h+14h=49h->"G"
36h+14h=4Ah->"K"
33h+14h=49h->"G"
30h+14h=44h->"D"
"EGKGD"为前5位注册码
再下断点在:
004380AD |.0FBE8C05 D0FEFFFF movsx ecx,byte ptr ss:;=第5位注册码
004380B5 |.83C1 BF add ecx,-41
004380B8 |.2BCA sub ecx,edx
可得到edx=1
所以第5位注册码为:1+41h=44h->"B" 或1+41h+5=49h->"G" 我的注册码为"EGKGDB"或"EGKGDG"
但是,一般用后面的比较好~,因为后面的支持未来版本,
此外,我们用这种方法注册后,我们做出来的所有东西除了.exe 的录像之外都没有问题了,关键还在
play.dat 里面的算法,是这 6位注册码后面的东西,因为我没有调试,所以用 空格填充的话,我们的自定义版权
出不来的,即使出来了也不能改字体,字号~所以我们还要分析一下 play.dat 里面的构造~
00402DF1|.66:C785 18FFF>mov word ptr ss:, 44
00402DFA|>8D95 FCFEFFFF lea edx, dword ptr ss:
00402E00|.B9 04000000 mov ecx, 4
00402E05|.8B85 04FFFFFF mov eax, dword ptr ss:
00402E0B|.8B80 78140000 mov eax, dword ptr ds:
00402E11|.8B18 mov ebx, dword ptr ds:
00402E13|.FF53 04 call dword ptr ds:
00402E16|>8B85 04FFFFFF mov eax, dword ptr ss:
00402E1C|.80B8 54140000>cmp byte ptr ds:, 0 上面是分析 注册码的,比较后,
00402E23|.0F85 88000000 jnz 复件_Pla.00402EB1 -------------这里要跳,所以改成 jmp play.00402EB1
00402E29|.66:C785 18FFF>mov word ptr ss:, 5C
00402E32|.BA 4A244800 mov edx, 复件_Pla.0048244A
00402E37|.8D45 8C lea eax, dword ptr ss:
00407086 .E8 016E0100 call 复件_Pla.0041DE8C
0040708B .8B8D 68FFFFFF mov ecx, dword ptr ss:
00407091 .8981 70140000 mov dword ptr ds:, eax
00407097 .8B85 68FFFFFF mov eax, dword ptr ss:
0040709D .80B8 54140000>cmp byte ptr ds:, 0 上面又是分析 注册码的,比较后
004070A4 .0F85 42010000 jnz 复件_Pla.004071EC ------------ 这里也要跳,改成 jnz play.004071EC
004070AA .8B95 68FFFFFF mov edx, dword ptr ss:
004070B0 .8B82 70140000 mov eax, dword ptr ds:
004070B6 .BA 14000000 mov edx, 14
004070BB .E8 40720100 call 复件_Pla.0041E300
004070C0 .8D85 27FFFFFF lea eax, dword ptr ss:
004070C6 .E8 99A6FFFF call 复件_Pla.00401764
004070CB .33D2 xor edx, edx
004070CD .E8 26200000 call 复件_Pla.004090F8
004070D2 .8A10 mov dl, byte ptr ds:
004070D4 .8B85 68FFFFFF mov eax, dword ptr ss:
004070DA .8B80 70140000 mov eax, dword ptr ds:
004070E0 .E8 47720100 call 复件_Pla.0041E32C
004070E5 .66:C785 7CFFF>mov word ptr ss:, 0C8
004070EE .BA DB244800 mov edx, 复件_Pla.004824DB
004070F3 .8D45 B4 lea eax, dword ptr ss:
004070F6 .E8 19670600 call 复件_Pla.0046D814
004070FB .FF45 88 inc dword ptr ss:
004070FE .8B10 mov edx, dword ptr ds:
00407100 .8B8D 68FFFFFF mov ecx, dword ptr ss:
00407106 .8B81 70140000 mov eax, dword ptr ds:
0040710C .E8 77710100 call 复件_Pla.0041E288
00407111 .FF4D 88 dec dword ptr ss:
00407114 .8D45 B4 lea eax, dword ptr ss:
00407117 .BA 02000000 mov edx, 2
0040711C .E8 AB670600 call 复件_Pla.0046D8CC
00407121 .8B8D 68FFFFFF mov ecx, dword ptr ss:
00407127 .8B81 70140000 mov eax, dword ptr ds:
0040712D .BA FF000000 mov edx, 0FF
00407132 .E8 296F0100 call 复件_Pla.0041E060
00407137 .8B8D 68FFFFFF mov ecx, dword ptr ss:
0040713D .8B81 60140000 mov eax, dword ptr ds:
00407143 .E8 BCC20100 call 复件_Pla.00423404
00407148 .83C0 0C add eax, 0C
0040714B .8985 20FFFFFF mov dword ptr ss:, eax
00407151 .8B95 68FFFFFF mov edx, dword ptr ss:
00407157 .8B92 70140000 mov edx, dword ptr ds:
0040715D .8B85 20FFFFFF mov eax, dword ptr ss:
00407163 .8B00 mov eax, dword ptr ds:
00407165 .8B08 mov ecx, dword ptr ds:
00407167 .FF51 08 call dword ptr ds:
0040716A .66:C785 7CFFF>mov word ptr ss:, 0D4
00407173 .BA E0244800 mov edx, 复件_Pla.004824E0
00407178 .8D45 B0 lea eax, dword ptr ss:
说了这么多,相信朋友们都应该知道 天狼星 这个 变态 的注册码
校验方式了吧~ 利用上面的主程序 注册码 计算方式,做出来个
伪注册机,因为算出来的注册码,只能用在主程序上面,做出来的
.EXE 的录像 还是有 未注册的 标志,所以我觉得爆了他比较不错,
一个原因是 去掉了 未注册的标志,还有一个原因就是 如果 把
PLAY.DAT 里面的 未注册用空格覆盖,我们的 自定义 信息就不可以
改字体,字号,颜色等等~~~
说了这么多,还是那句话,破解就是条条大路通罗马,怎么都可以
达到目的,这个软件的破解建议就是利用本人制作的算号器
再加上 play.dat 的爆破,看看,是不是 100% 的正版阿~ 龙族的渔歌子? 支持,好文。
感谢分享,收藏 谢楼主的分享,支持 追梦人456 发表于 2016-6-1 15:32
谢楼主的分享,支持
你是挖坟高手。。。