屏幕录像专家V7.5 build 2009 0710 追码A
【文章标题】: 屏幕录像专家V7.5 Build20090710 追注册码
【文章作者】: fghtiger
【作者邮箱】: [email protected]
【作者QQ号】: 28011309
【软件名称】: 屏幕录像专家V7.5
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
先用C32ASM查找字符串,找到一些有用的信息:如下:
本软件已授权给 004241F1
还未注册 004241A6
注册成功 0045D1DD
注册失败 0045CD04
0045CE6A
0045DB84
0045DAFD
用DEDE找到注册窗口Tregisterform的确定按钮事件 0045CBD0
0045CBD0/.55 push ebp ;确定的按钮事件
0045CBD1|.8BEC mov ebp, esp
0045CBD3|.81C4 A0FAFFFF add esp, -560
0045CBD9|.53 push ebx
0045CBDA|.56 push esi
0045CBDB|.57 push edi
0045CBDC|.8985 30FFFFFF mov dword ptr , eax
0045CBE2|.B8 B0755700 mov eax, 005775B0
0045CBE7|.E8 EC5F0D00 call 00532BD8
0045CC8F|.8D45 F0 lea eax, dword ptr
0045CC92|.BA 02000000 mov edx, 2
0045CC97|.E8 F4450E00 call 00541290 ;取假码到EDX
0045CC9C|.66:C785 44FFF>mov word ptr , 44
0045CCA5|.8D45 F4 lea eax, dword ptr
0045CCA8|.E8 FF53FAFF call 004020AC
0045CCAD|.50 push eax ;假码入栈
0045CCAE|.8D45 EC lea eax, dword ptr
0045CCB1|.8B95 30FFFFFF mov edx, dword ptr
0045CCB7|.52 push edx
0045CCB8|.E8 9B4CFAFF call 00401958
0045CCEA|.8D45 F4 lea eax, dword ptr
0045CCED|.E8 B295FFFF call 004562A4
0045CCF2|.83F8 32 cmp eax, 32 ;注册码位数是否大于等于50(32h=50)
0045CCF5|.0F8D 81000000 jge 0045CD7C
0045CCFB|.66:C785 44FFF>mov word ptr , 50
0045CD04|.BA 1C705700 mov edx, 0057701C ;注册失败
0045CD09|.8D45 E8 lea eax, dword ptr
0045CD0C|.E8 D3420E00 call 00540FE4
0045CE3C|.A1 D4D65900 mov eax, dword ptr
0045CE41|.8B10 mov edx, dword ptr
0045CE43|.52 push edx
0045CE44|.E8 6398FFFF call 004566AC ;把假码的前45位转换成一个十进制数 要写注册机的话就要跟入
0045CE49|.0FB7C8 movzx ecx, ax ;AX就是这个十进制数
0045CE4C|.8D45 F8 lea eax, dword ptr
0045CE4F|.8BF1 mov esi, ecx
0045CE51|.83C4 0C add esp, 0C
0045CE54|.E8 47470E00 call 005415A0
0045CE59|.3BF0 cmp esi, eax ;把先前获得的AX十进制数与假码后五位数十进制数比较
0045CE5B|.0F84 81000000 je 0045CEE2
0045CE61|.66:C785 44FFF>mov word ptr , 68
0045CE6A|.BA 3D705700 mov edx, 0057703D ;注册失败
0045CE6F|.8D45 E0 lea eax, dword ptr
跟入 call 004566AC 这个是前45位转换成一个十进制数的算法, 可惜我看不懂。
; 004566AC: shift-and-XOR checksum over a byte buffer; called from 0045CE44.
; Arguments are on the stack; the caller releases them with "add esp, 0C" (three dwords, judging by that).
;   [ebp+0C] = pointer to the input bytes  (operand text is missing in this listing; opcode 8B75 0C encodes it)
;   [ebp+10] = number of bytes to process  (opcode 3B7D 10)
; Result: 16-bit value in AX; the caller zero-extends it with "movzx ecx, ax" at 0045CE49.
; ECX is a counter that runs up to 186A0h; the checksum pass executes only on the iteration where
; ECX == 0B26Dh, so the outer loop does no data-dependent work -- presumably padding/obfuscation (not confirmed).
; NOTE(review): only the buffer and its length feed the result -- no key or secret is visible here -- so this
; is an integrity checksum (catches mistyped codes), not an authenticity check on the code.
004566AC/$55 push ebp
004566AD|.8BEC mov ebp, esp
004566AF|.56 push esi
004566B0|.57 push edi
004566B1|.8B75 0C mov esi, dword ptr ;ESI = input pointer, i.e. [ebp+0C] per the opcode bytes
004566B4|.33C0 xor eax, eax ;checksum accumulator starts at 0
004566B6|.33C9 xor ecx, ecx ;outer counter starts at 0
004566B8|>81F9 6DB20000 /cmp ecx, 0B26D ;run the checksum pass only when ECX == 0B26Dh
004566BE|.75 30 |jnz short 004566F0 ;otherwise just advance the counter
004566C0|.33FF |xor edi, edi ;EDI = byte index, starts at 0
004566C2|.3B7D 10 |cmp edi, dword ptr ;compare index 0 with the length argument [ebp+10] (author's note: 45 characters)
004566C5|.7D 29 |jge short 004566F0 ;nothing to process when length <= 0
004566C7|>41 |/inc ecx
004566C8|.B2 80 ||mov dl, 80 ;DL = bit mask, most significant bit first
004566CA|>F6C4 80 ||/test ah, 80 ;tests bit 15 of AX; the JE below is taken when that bit is clear
004566CD|.74 09 |||je short 004566D8
004566CF|.03C0 |||add eax, eax ;shift left by one
004566D1|.66:35 2110 |||xor ax, 1021 ;top bit was set: fold in constant 1021h
004566D5|.41 |||inc ecx
004566D6|.EB 02 |||jmp short 004566DA
004566D8|>03C0 |||add eax, eax ;top bit was clear: shift only
004566DA|>41 |||inc ecx
004566DB|.8416 |||test byte ptr , dl ;current input bit set? (opcode 8416 = test [esi], dl)
004566DD|.74 04 |||je short 004566E3
004566DF|.66:35 2110 |||xor ax, 1021 ;input bit was set: fold in constant 1021h
004566E3|>D0EA |||shr dl, 1 ;move the mask to the next lower bit
004566E5|.84D2 |||test dl, dl
004566E7|.^ 75 E1 ||\jnz short 004566CA ;repeat until all 8 bits of the byte are done
004566E9|.46 ||inc esi ;next input byte
004566EA|.47 ||inc edi
004566EB|.3B7D 10 ||cmp edi, dword ptr
004566EE|.^ 7C D7 |\jl short 004566C7 ;loop while index < length
004566F0|>41 |inc ecx
004566F1|.81F9 A0860100 |cmp ecx, 186A0
004566F7|.^ 7C BF \jl short 004566B8 ;outer counter loop, signed compare against 186A0h
004566F9|.5F pop edi
004566FA|.5E pop esi
004566FB|.5D pop ebp
004566FC\.C3 retn /////// 回到 0045CE49 ;returns to the caller at 0045CE49 with the 16-bit result in AX
0045CEE2|> \66:C785 44FFF>mov word ptr , 74
0045CEEB|.8B15 D4D65900 mov edx, dword ptr ;屏录专家._MainForm
0045CEF1|.8D85 ACFAFFFF lea eax, dword ptr
0045CEF7|.50 push eax
0045CEF8|.8D45 DC lea eax, dword ptr
0045CEFB|.8B0A mov ecx, dword ptr
0045CEFD|.51 push ecx
0045CEFE|.E8 554AFAFF call 00401958
0045CF03|.50 push eax ; |Arg1
0045CF04|.FF85 50FFFFFF inc dword ptr ; |
0045CF0A|.E8 1D78FBFF call 0041472C ; \关键算法,跟进去(取得一个字符串)
0045CF0F|.83C4 0C add esp, 0C
跟入 call 0041472C
0041472C/$55 push ebp ////// 这里就是将假码的前40位转换成一个20位的字符串
0041472D|.8BEC mov ebp, esp
0041472F|.81C4 08FFFFFF add esp, -0F8
00414735|.53 push ebx
00414736|.56 push esi
00414737|.B8 3CFA5600 mov eax, 0056FA3C
0041473C|.E8 97E41100 call 00532BD8
00414741|.66:C745 E0 08>mov word ptr , 8
00414747|.8D45 FC lea eax, dword ptr
0041474A|.E8 09D2FEFF call 00401958
0041474F|.FF45 EC inc dword ptr
00414752|.66:C745 E0 14>mov word ptr , 14
00414758|.6A 28 push 28
0041475A|.8B55 10 mov edx, dword ptr
0041475D|.52 push edx
0041475E|.8D8D 6CFFFFFF lea ecx, dword ptr
00414764|.51 push ecx
00414765|.E8 CADF1100 call 00532734
0041476A|.8A85 6EFFFFFF mov al, byte ptr ;下面这段在将假码前40位互换
00414770|.8A55 92 mov dl, byte ptr
00414773|.8895 6EFFFFFF mov byte ptr , dl ;第3位和第39位互换
00414779|.8845 92 mov byte ptr , al
0041477C|.8A85 70FFFFFF mov al, byte ptr
00414782|.8A55 85 mov dl, byte ptr
00414785|.8895 70FFFFFF mov byte ptr , dl ;第5位和第26位互换
0041478B|.8845 85 mov byte ptr , al
0041478E|.8A85 75FFFFFF mov al, byte ptr ;AL=假码第10位
00414794|.8A55 8B mov dl, byte ptr ;DL=假码第32位
00414797|.8895 75FFFFFF mov byte ptr , dl ;32位换10位
0041479D|.83C4 0C add esp, 0C
004147A0|.33DB xor ebx, ebx
004147A2|.8845 8B mov byte ptr , al ;10位换到32位
004147A5|.8DB5 6CFFFFFF lea esi, dword ptr
004147AB|>8A06 /mov al, byte ptr
004147AD|.43 |inc ebx
004147AE|.46 |inc esi
004147AF|.8885 08FFFFFF |mov byte ptr , al
004147B5|.8D45 F8 |lea eax, dword ptr
004147B8|.8A16 |mov dl, byte ptr
004147BA|.8895 09FFFFFF |mov byte ptr , dl
004147C0|.8D95 08FFFFFF |lea edx, dword ptr
004147C6|.C685 0AFFFFFF>|mov byte ptr , 0
004147CD|.66:C745 E0 20>|mov word ptr , 20
004147D3|.E8 0CC81200 |call 00540FE4
004147D8|.8BD0 |mov edx, eax
004147DA|.FF45 EC |inc dword ptr
004147DD|.8D45 FC |lea eax, dword ptr
004147E0|.E8 DBCA1200 |call 005412C0
004147E5|.FF4D EC |dec dword ptr
004147E8|.8D45 F8 |lea eax, dword ptr
004147EB|.BA 02000000 |mov edx, 2
004147F0|.E8 9BCA1200 |call 00541290
004147F5|.8D45 FC |lea eax, dword ptr
004147F8|.E8 A3CD1200 |call 005415A0 ;EAX=置位后假码的前40位每两位一组转换成数字
004147FD|.8BD3 |mov edx, ebx
004147FF|.D1FA |sar edx, 1 ;位数\2
00414801|.79 03 |jns short 00414806
00414803|.83D2 00 |adc edx, 0
00414806|>03C2 |add eax, edx
00414808|.43 |inc ebx
00414809|.83C0 09 |add eax, 9
0041480C|.46 |inc esi
0041480D|.83FB 28 |cmp ebx, 28 ;与40(28h)比较
00414810|.888415 6CFFFF>|mov byte ptr , al ;用每两位得到的数值填入置位后假码所在的位置
00414817|.^ 7C 92 \jl short 004147AB
0045CF90|.E8 3F010A00 call 004FD0D4
0045CF95|.8D45 D8 lea eax, dword ptr
0045CF98|.E8 0F51FAFF call 004020AC ;取用户名
0045CF9D|.57 push edi
0045CF9E|.8BF8 mov edi, eax
0045CFA0|.33C0 xor eax, eax
0045CFD7|.C685 D7FEFFFF>mov byte ptr , 0
0045CFDE|.8B85 30FFFFFF mov eax, dword ptr
0045CFE4|.05 00030000 add eax, 300
0045CFE9|.E8 BE50FAFF call 004020AC ;注意EAX里面出来一组数据就是取机器码的前20位并置位(5与26,9与12)得到的
0045CFEE|.57 push edi
0045CFEF|.8BF8 mov edi, eax
0045CFF1|.33C0 xor eax, eax
0045D033|.33DB xor ebx, ebx
0045D035|>8B8D 24FFFFFF /mov ecx, dword ptr ;注册名
0045D03B|.8B95 20FFFFFF |mov edx, dword ptr ;前面提到的变换后的机器码
0045D041|.8A01 |mov al, byte ptr
0045D043|.3202 |xor al, byte ptr
0045D045|.83C4 F8 |add esp, -8
0045D048|.8806 |mov byte ptr , al ; |
0045D04A|.0FBE0E |movsx ecx, byte ptr ; |
0045D04D|.898D A8FAFFFF |mov dword ptr , ecx; |
0045D053|.DB85 A8FAFFFF |fild dword ptr ; | 装载ECX到ST0
0045D059|.DD1C24 |fstp qword ptr ; |
0045D05C|.E8 8BC80D00 |call 005398EC ; \屏录专家.005398EC
0045D061|.83C4 08 |add esp, 8
0045D064|.899D A4FAFFFF |mov dword ptr , ebx;压入计数器
0045D06A|.DB85 A4FAFFFF |fild dword ptr
0045D070|.DEC9 |fmulp st(1), st(0) ;ST0=ST0*ST1=ECX*计数器
0045D072|.89BD A0FAFFFF |mov dword ptr , edi
0045D078|.DB85 A0FAFFFF |fild dword ptr ;压入
0045D07E|.DEC1 |faddp st(1), st(0) ;ST1=ST1+ST0
0045D080|.E8 8FC80D00 |call 00539914 ;保存ST0的16进制到EAX
0045D085|.8BF8 |mov edi, eax
0045D087|.43 |inc ebx
0045D088|.46 |inc esi
0045D089|.FF85 20FFFFFF |inc dword ptr
0045D08F|.FF85 24FFFFFF |inc dword ptr
0045D095|.83FB 14 |cmp ebx, 14
0045D098|.^ 7C 9B \jl short 0045D035
0045D09A|.81C7 39300000 add edi, 3039 ;用户名与变换后的机器码计算得数+3039H
0045D0A0|.8D95 08FFFFFF lea edx, dword ptr ;经过与注册名处理后的字符串
0045D0A6|.57 push edi ; /Arg3
0045D0A7|.68 5E705700 push 0057705E ; |Arg2 = 0057705E ASCII "%d"
0045D0AC|.52 push edx ; |Arg1
0045D0AD|.E8 4A8E0D00 call 00535EFC ; \屏录专家.00535EFC
0045D0B2|.83C4 0C add esp, 0C
0045D0B5|.8D45 FC lea eax, dword ptr
0045D0B8|.E8 EF4FFAFF call 004020AC ;把用户名与变换后的机器码计算得数+3039H的数值转换成字符串
0045D0BD|.57 push edi
0045D0BE|.8BF8 mov edi, eax
0045D0F8|> /8B95 20FFFFFF /mov edx, dword ptr
0045D0FE|. |0FBE06 |movsx eax, byte ptr ;按位取上面得到的字符的Ascii码
0045D101|. |0FBE0A |movsx ecx, byte ptr ;由40位假码变换而得20位的字符
0045D104|. |83C1 EC |add ecx, -14
0045D107|. |3BC1 |cmp eax, ecx ;比较
0045D109 |0F85 80000000 |jnz 0045D18F
0045D10F |83FB 03 |cmp ebx, 3
0045D112 |75 6A |jnz short 0045D17E
0045D114|. |81C7 444D0000 |add edi, 4D44 ;将用户名与变换后的机器码计算得数+3039H的数值再加上4D44
0045D11A|. |89BD A8FAFFFF |mov dword ptr , edi
0045D120|. |DB85 A8FAFFFF |fild dword ptr
0045D126|. |DC0D 4CDC4500 |fmul qword ptr ;乘以3.14
0045D12C|. |DB2D 54DC4500 |fld tbyte ptr
0045D132|. |DEC9 |fmulp st(1), st(0) ;ST(1)再乘以0.1594896331738437120
0045D134|. |E8 DBC70D00 |call 00539914
0045D139|. |8BF8 |mov edi, eax
0045D13B|. |8BC7 |mov eax, edi
0045D13D|. |B9 A0860100 |mov ecx, 186A0
0045D142|. |99 |cdq ;将EAX中的数符号扩展为EDX:EAX中的64位数
0045D143|. |F7F9 |idiv ecx
0045D145|. |8BFA |mov edi, edx
0045D147|. |33C0 |xor eax, eax
0045D149|. |8985 2CFFFFFF |mov dword ptr , eax
0045D14F|. |33D2 |xor edx, edx
0045D151|. |8D85 ACFEFFFF |lea eax, dword ptr ;的数据就是假码被处理后的那20位字符串
0045D157|> |0FBE08 |/movsx ecx, byte ptr ;将40位假码换成的20位字符串前19位相加
0045D15A|. |018D 2CFFFFFF ||add dword ptr , ecx
0045D160|. |42 ||inc edx
0045D161|. |40 ||inc eax
0045D162|. |83FA 13 ||cmp edx, 13
0045D165|.^|7C F0 |\jl short 0045D157
0045D167|. |8B85 2CFFFFFF |mov eax, dword ptr ;=上面数据前19位相加
0045D16D|. |B9 0A000000 |mov ecx, 0A
0045D172|. |99 |cdq
0045D173|. |F7F9 |idiv ecx ;EDX=前19位相加得数 mod A
0045D175|. |83C2 30 |add edx, 30 ;EDX=EDX+30
0045D178|. |8995 2CFFFFFF |mov dword ptr , edx
0045D17E|> |43 |inc ebx
0045D17F|. |FF85 20FFFFFF |inc dword ptr
0045D185|. |46 |inc esi
0045D186|. |83FB 05 |cmp ebx, 5
0045D189|.^\0F8C 69FFFFFF \jl 0045D0F8
0045D18F|>83FB 05 cmp ebx, 5
0045D192|.0F8C E3090000 jl 0045DB7B
0045D198|.0FBE85 BFFEFF>movsx eax, byte ptr
0045D19F|.3B85 2CFFFFFF cmp eax, dword ptr ;EDX+30结果与由40位变换而成的20位字符串第20位比较
0045D1A5|.74 09 je short 0045D1B0
0045D1A7|.83F8 41 cmp eax, 41
0045D1AA 0F8C CB090000 jl 0045DB7B
0045D1B0|>8BC7 mov eax, edi
0045D1B2|.B9 0A000000 mov ecx, 0A
0045D1B7|.99 cdq
0045D1B8|.F7F9 idiv ecx ;前面ST(1)得到的数 mod A 余数放入EDX
0045D1BA|.0FBEB41D ACFE>movsx esi, byte ptr
0045D1C2|.83C6 BF add esi, -41 ;将由假码前40位变换而成的20位的字符串第6位-41
0045D1C5|.2BF2 sub esi, edx
0045D1C7|.85F6 test esi, esi ;关键比较
0045D1C9 74 09 je short 0045D1D4 ;关键跳,跳走就成功
0045D1CB|.83FE 09 cmp esi, 9
0045D1CE|.0F85 20090000 jnz 0045DAF4
0045D1D4|>66:C785 44FFF>mov word ptr , 8C
0045D1DD|.BA 61705700 mov edx, 00577061
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年08月22日 8:39:39
我第一个来顶你,学习,研究好久了!/:001 /:001 /:001 看雪好像没有这篇文章 破文很详细,学习一下。 这是个暗桩牛多的程序验证了么 暗桩特别特别的多.想破解完善,不容易啊.
我原来也跟过. fghtiger强啊,呵呵,有待进一步跟进偶,能搞出127位的那就是牛牛啦,嘿嘿 支持下,赶动手就很牛啊 感谢楼主分享,学习一下 支持楼主分享,谢谢