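【Article title】wuhanqi's application to join PYG, no. 4
【Author】wuhanqi
【Author email】[email protected]
【Author homepage】None yet
【Tools】OD, PEiD
【Platform】XP
【Software name】网页照相机2.0 (Web Page Camera 2.0)
【Software size】443KB
【Original download】http://www.onlinedown.net/soft/735.htm
【Protection】ASPACK
【Software description】A powerful web page snapshot tool. It can quickly save a specified web page as a JPG image; you may as well download it and give it a try. Usage: first specify the URL of the page to capture, browse to it, then click the "Dynamic capture" or "Static capture" button.
【Cracking statement】I'm just a little algorithm newbie~~~~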
------------------------------------------------------------------------
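【Cracking process】1. Try running the registration process and note the key strings.
2. First unpack it; any unpacker will do.
3. Load it in OD, search for the key strings, and double-click to enter.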
004C6978 /. 55 PUSH EBP
004C6979 |. 8BEC MOV EBP,ESP
004C697B |. 6A 00 PUSH 0
004C697D |. 6A 00 PUSH 0
004C697F |. 53 PUSH EBX
004C6980 |. 56 PUSH ESI
004C6981 |. 8BF0 MOV ESI,EAX
004C6983 |. 33C0 XOR EAX,EAX
004C6985 |. 55 PUSH EBP
004C6986 |. 68 396A4C00 PUSH _UnPacke.004C6A39
004C698B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004C698E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004C6991 |. B2 01 MOV DL,1
004C6993 |. A1 24E64700 MOV EAX,DWORD PTR DS:[47E624]
004C6998 |. E8 877DFBFF CALL _UnPacke.0047E724
004C699D |. 8BD8 MOV EBX,EAX
004C699F |. BA 01000080 MOV EDX,80000001
004C69A4 |. 8BC3 MOV EAX,EBX
004C69A6 |. E8 197EFBFF CALL _UnPacke.0047E7C4
004C69AB |. B1 01 MOV CL,1
004C69AD |. BA 506A4C00 MOV EDX,_UnPacke.004C6A50 ; software\netsnap
004C69B2 |. 8BC3 MOV EAX,EBX
004C69B4 |. E8 6F7EFBFF CALL _UnPacke.0047E828
004C69B9 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004C69BC |. 8B86 38030000 MOV EAX,DWORD PTR DS:[ESI+338]
004C69C2 |. E8 2982F7FF CALL _UnPacke.0043EBF0
004C69C7 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004C69CA |. BA 6C6A4C00 MOV EDX,_UnPacke.004C6A6C ; reguser
004C69CF |. 8BC3 MOV EAX,EBX
004C69D1 |. E8 EE7FFBFF CALL _UnPacke.0047E9C4
004C69D6 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004C69D9 |. 8B86 3C030000 MOV EAX,DWORD PTR DS:[ESI+33C]
004C69DF |. E8 0C82F7FF CALL _UnPacke.0043EBF0
004C69E4 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004C69E7 |. BA 7C6A4C00 MOV EDX,_UnPacke.004C6A7C ; regno
004C69EC |. 8BC3 MOV EAX,EBX
004C69EE |. E8 D17FFBFF CALL _UnPacke.0047E9C4
004C69F3 |. 8BC3 MOV EAX,EBX
004C69F5 |. E8 42CDF3FF CALL _UnPacke.0040373C
004C69FA |. 6A 40 PUSH 40
004C69FC |. B9 846A4C00 MOV ECX,_UnPacke.004C6A84 ; 提示 ("Notice")
004C6A01 |. BA 8C6A4C00 MOV EDX,_UnPacke.004C6A8C ; 注册完成,请重新运行程序! ("Registration complete, please restart the program!")
004C6A06 |. A1 1CC04C00 MOV EAX,DWORD PTR DS:[4CC01C]
004C6A0B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C6A0D |. E8 2284F9FF CALL _UnPacke.0045EE34
004C6A12 |. A1 1CC04C00 MOV EAX,DWORD PTR DS:[4CC01C]
004C6A17 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C6A19 |. E8 7283F9FF CALL _UnPacke.0045ED90
004C6A1E |. 33C0 XOR EAX,EAX
004C6A20 |. 5A POP EDX
004C6A21 |. 59 POP ECX
004C6A22 |. 59 POP ECX
004C6A23 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004C6A26 |. 68 406A4C00 PUSH _UnPacke.004C6A40
004C6A2B |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004C6A2E |. BA 02000000 MOV EDX,2
004C6A33 |. E8 B4DAF3FF CALL _UnPacke.004044EC
004C6A38 \. C3 RETN
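No way, there isn't a single jump here~~~~~~
But on reflection, this software validates on restart, and judging from strings such as software\netsnap, it should be using the registry, so let's search for regno again!
Two places are found; the first is the code above, and below is the second: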
004C8234 /. 55 PUSH EBP
004C8235 |. 8BEC MOV EBP,ESP
004C8237 |. 6A 00 PUSH 0
004C8239 |. 6A 00 PUSH 0
004C823B |. 6A 00 PUSH 0
004C823D |. 53 PUSH EBX
004C823E |. 33C0 XOR EAX,EAX
004C8240 |. 55 PUSH EBP
004C8241 |. 68 F0824C00 PUSH _UnPacke.004C82F0
004C8246 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004C8249 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004C824C |. C605 80E14C00>MOV BYTE PTR DS:[4CE180],0
004C8253 |. B2 01 MOV DL,1
004C8255 |. A1 24E64700 MOV EAX,DWORD PTR DS:[47E624]
004C825A |. E8 C564FBFF CALL _UnPacke.0047E724
004C825F |. 8BD8 MOV EBX,EAX
004C8261 |. BA 01000080 MOV EDX,80000001
004C8266 |. 8BC3 MOV EAX,EBX
004C8268 |. E8 5765FBFF CALL _UnPacke.0047E7C4
004C826D |. B1 01 MOV CL,1
004C826F |. BA 04834C00 MOV EDX,_UnPacke.004C8304 ; software\netsnap
004C8274 |. 8BC3 MOV EAX,EBX
004C8276 |. E8 AD65FBFF CALL _UnPacke.0047E828
004C827B |. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
004C827E |. BA 20834C00 MOV EDX,_UnPacke.004C8320 ; reguser
004C8283 |. 8BC3 MOV EAX,EBX
004C8285 |. E8 6667FBFF CALL _UnPacke.0047E9F0
004C828A |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; EAX ASCII "wuhanqi" (registration name)
004C828D |. B8 84E14C00 MOV EAX,_UnPacke.004CE184 ; registration name goes into EDX
004C8292 |. E8 85C2F3FF CALL _UnPacke.0040451C
004C8297 |. 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
004C829A |. BA 30834C00 MOV EDX,_UnPacke.004C8330 ; regno
004C829F |. 8BC3 MOV EAX,EBX
004C82A1 |. E8 4A67FBFF CALL _UnPacke.0047E9F0
004C82A6 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX ASCII "111111111111111111111" (trial code)
004C82A9 |. 50 PUSH EAX ; save EAX
004C82AA |. 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
004C82AD |. BA 40834C00 MOV EDX,_UnPacke.004C8340 ; netsnapchina goes into EDX
004C82B2 |. A1 84E14C00 MOV EAX,DWORD PTR DS:[4CE184] ; user name wuhanqi goes into EAX
004C82B7 |. E8 2CF5FCFF CALL _UnPacke.004977E8 ; key CALL (the algorithm), step in with F7!
004C82BC |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004C82BF |. 58 POP EAX
004C82C0 |. E8 FFC5F3FF CALL _UnPacke.004048C4
004C82C5 |. 75 07 JNZ SHORT _UnPacke.004C82CE
004C82C7 |. C605 80E14C00>MOV BYTE PTR DS:[4CE180],1
004C82CE |> 8BC3 MOV EAX,EBX
004C82D0 |. E8 67B4F3FF CALL _UnPacke.0040373C
004C82D5 |. 33C0 XOR EAX,EAX
004C82D7 |. 5A POP EDX
004C82D8 |. 59 POP ECX
004C82D9 |. 59 POP ECX
004C82DA |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004C82DD |. 68 F7824C00 PUSH _UnPacke.004C82F7
004C82E2 |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004C82E5 |. BA 03000000 MOV EDX,3
004C82EA |. E8 FDC1F3FF CALL _UnPacke.004044EC
004C82EF \. C3 RETN
======================================== Where F7 steps into ======================================
004977E8 /$ 55 PUSH EBP
004977E9 |. 8BEC MOV EBP,ESP
004977EB |. 83C4 D0 ADD ESP,-30
004977EE |. 53 PUSH EBX
004977EF |. 56 PUSH ESI
004977F0 |. 57 PUSH EDI
004977F1 |. 33DB XOR EBX,EBX
004977F3 |. 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
004977F6 |. 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
004977F9 |. 8BF9 MOV EDI,ECX
004977FB |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004977FE |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00497801 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00497804 |. E8 5FD1F6FF CALL _UnPacke.00404968
00497809 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049780C |. E8 57D1F6FF CALL _UnPacke.00404968 ; netsnapchina goes into EAX
00497811 |. 33C0 XOR EAX,EAX
00497813 |. 55 PUSH EBP ; push EBP
00497814 |. 68 04794900 PUSH _UnPacke.00497904
00497819 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049781C |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049781F |. 8BC7 MOV EAX,EDI
00497821 |. E8 A2CCF6FF CALL _UnPacke.004044C8
00497826 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00497829 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049782C |. E8 23FFFFFF CALL _UnPacke.00497754
00497831 |. B2 01 MOV DL,1
00497833 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00497836 |. E8 29F2FFFF CALL _UnPacke.00496A64
0049783B |. C745 D8 01000>MOV DWORD PTR SS:[EBP-28],1
00497842 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00497845 |. E8 36CFF6FF CALL _UnPacke.00404780
0049784A |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
0049784D |> 8D45 D4 /LEA EAX,DWORD PTR SS:[EBP-2C]
00497850 |. 50 |PUSH EAX
00497851 |. B9 08000000 |MOV ECX,8
00497856 |. 8B55 D8 |MOV EDX,DWORD PTR SS:[EBP-28]
00497859 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] ; user name goes into EAX
0049785C |. E8 77D1F6FF |CALL _UnPacke.004049D8
00497861 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
00497864 |. 33C9 |XOR ECX,ECX
00497866 |. BA 08000000 |MOV EDX,8
0049786B |. E8 80B7F6FF |CALL _UnPacke.00402FF0
00497870 |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C] ; user name goes into EAX
00497873 |. E8 08CFF6FF |CALL _UnPacke.00404780
00497878 |. 50 |PUSH EAX ; push EAX
00497879 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C] ; goes into EDX
0049787C |. E8 4FD1F6FF |CALL _UnPacke.004049D0
00497881 |. 8D55 F0 |LEA EDX,DWORD PTR SS:[EBP-10]
00497884 |. 59 |POP ECX ; pop
00497885 |. E8 C2B0F6FF |CALL _UnPacke.0040294C
0049788A |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18] ; sent to EDX
0049788D |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10] ; sent to EAX
00497890 |. E8 A3F4FFFF |CALL _UnPacke.00496D38
00497895 |. BE 08000000 |MOV ESI,8
0049789A |. 8D5D E8 |LEA EBX,DWORD PTR SS:[EBP-18]
0049789D |> 8D4D D0 |/LEA ECX,DWORD PTR SS:[EBP-30]
004978A0 |. 33C0 ||XOR EAX,EAX
004978A2 |. 8A03 ||MOV AL,BYTE PTR DS:[EBX]
004978A4 |. BA 02000000 ||MOV EDX,2
004978A9 |. E8 EA12F7FF ||CALL _UnPacke.00408B98
004978AE |. 8B55 D0 ||MOV EDX,DWORD PTR SS:[EBP-30]
004978B1 |. 8BC7 ||MOV EAX,EDI ; here EDX keeps yielding an instruction-length piece of the registration code
004978B3 |. E8 D0CEF6FF ||CALL _UnPacke.00404788
004978B8 |. 43 ||INC EBX
004978B9 |. 4E ||DEC ESI
004978BA |.^ 75 E1 |\JNZ SHORT _UnPacke.0049789D ; loop
004978BC |. 8345 D8 08 |ADD DWORD PTR SS:[EBP-28],8
004978C0 |. 8B45 DC |MOV EAX,DWORD PTR SS:[EBP-24]
004978C3 |. 83C0 07 |ADD EAX,7
004978C6 |. 85C0 |TEST EAX,EAX
004978C8 |. 79 03 |JNS SHORT _UnPacke.004978CD
004978CA |. 83C0 07 |ADD EAX,7
004978CD |> C1F8 03 |SAR EAX,3
004978D0 |. C1E0 03 |SHL EAX,3
004978D3 |. 3B45 D8 |CMP EAX,DWORD PTR SS:[EBP-28]
004978D6 |.^ 0F8D 71FFFFFF \JGE _UnPacke.0049784D
004978DC |. 33C0 XOR EAX,EAX
004978DE |. 5A POP EDX
004978DF |. 59 POP ECX
004978E0 |. 59 POP ECX
004978E1 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004978E4 |. 68 0B794900 PUSH _UnPacke.0049790B
004978E9 |> 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004978EC |. BA 02000000 MOV EDX,2
004978F1 |. E8 F6CBF6FF CALL _UnPacke.004044EC
004978F6 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004978F9 |. BA 02000000 MOV EDX,2
004978FE |. E8 E9CBF6FF CALL _UnPacke.004044EC
00497903 \. C3 RETN
================================== After returning =======================================================
004C82BC |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; user name wuhanqi
004C82BF |. 58 POP EAX ; real code, obtained: 91D1F0015BCF7F6
004C82C0 |. E8 FFC5F3FF CALL _UnPacke.004048C4 ; key CALL, can be used for an in-memory keygen
004C82C5 |. 75 07 JNZ SHORT _UnPacke.004C82CE ; jumps if not equal, can be changed to NOP or JZ
004C82C7 |. C605 80E14C00>MOV BYTE PTR DS:[4CE180],1
This part is so classic that surely there is no one who doesn't know it.
------------------------------------------------------------------------
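【Cracking summary】Hehe
Registration information:
User name: wuhanqi
Registration code: 91D1F0015BCF7F6
This is my first time writing up an algorithm in such detail; if anything is wrong or left out, I beg all you experts not to just look down on it and leave, and I hope you will tell me!!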
------------------------------------------------------------------------
【Copyright notice】Exclusive copyright of PYG; please credit the source when reposting!!!
[ This post was last edited by wuhanqi on 2007-2-22 21:35 ]