超级RM转换大师 V1.10破解教程

樊盟 · 发表于 2009-3-25 20:38:56

超级RM转换大师 V1.10破解教程

下载地址：http://www.skycn.com/soft/53413.html

查壳:Borland Delphi 6.0 - 7.0

对话框错误提示:注册失败，请检查用户名与注册码!

查找ASCII：注册失败，请检查用户名与注册码!

双击来到：

004BFB14 $  55          push ebp
004BFB15 .  8BEC       mov    ebp, esp
004BFB17 .  33C9       xor    ecx, ecx
004BFB19 .  51          push ecx
004BFB1A .  51          push ecx
004BFB1B .  51          push ecx
004BFB1C .  51          push ecx
004BFB1D .  51          push ecx
004BFB1E .  53          push ebx
004BFB1F .  56          push esi
004BFB20 .  57          push edi
004BFB21 .  8945 FC    mov    dword ptr [ebp-4], eax
004BFB24 .  33C0       xor    eax, eax
004BFB26 .  55          push ebp
004BFB27 .  68 65FC4B00 push 004BFC65
004BFB2C .  64:FF30    push dword ptr fs:[eax]
004BFB2F .  64:8920    mov    dword ptr fs:[eax], esp
004BFB32 .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFB35 .  E8 92020000 call 004BFDCC                      ;  关键CALL，F7跟进》》》》》》》》》》》》》》》》》》》》
004BFB3A .  84C0       test al, al
004BFB3C    0F84 DB000000 je    004BFC1D                      ;  关键跳
004BFB42 .  33C0       xor    eax, eax
004BFB44 .  55          push ebp
004BFB45 .  68 01FC4B00 push 004BFC01
004BFB4A .  64:FF30    push dword ptr fs:[eax]
004BFB4D .  64:8920    mov    dword ptr fs:[eax], esp
004BFB50 .  B2 01       mov    dl, 1
004BFB52 .  A1 00B84300 mov    eax, dword ptr [43B800]
004BFB57 .  E8 A4BDF7FF call 0043B900
004BFB5C .  8BD8       mov    ebx, eax
004BFB5E .  BA 02000080 mov    edx, 80000002
004BFB63 .  8BC3       mov    eax, ebx
004BFB65 .  E8 36BEF7FF call 0043B9A0
004BFB6A .  B1 01       mov    cl, 1
004BFB6C .  BA 7CFC4B00 mov    edx, 004BFC7C                   ;  software\zy\conver
004BFB71 .  8BC3       mov    eax, ebx
004BFB73 .  E8 8CBEF7FF call 0043BA04
004BFB78 .  8D55 F4    lea    edx, dword ptr [ebp-C]
004BFB7B .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFB7E .  8B80 20030000 mov    eax, dword ptr [eax+320]
004BFB84 .  E8 4349FAFF call 004644CC
004BFB89 .  8B45 F4    mov    eax, dword ptr [ebp-C]
004BFB8C .  8D55 F8    lea    edx, dword ptr [ebp-8]
004BFB8F .  E8 F08BF4FF call 00408784
004BFB94 .  8B4D F8    mov    ecx, dword ptr [ebp-8]
004BFB97 .  BA 98FC4B00 mov    edx, 004BFC98                   ;  name
004BFB9C .  8BC3       mov    eax, ebx
004BFB9E .  E8 FDBFF7FF call 0043BBA0
004BFBA3 .  8D55 EC    lea    edx, dword ptr [ebp-14]
004BFBA6 .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFBA9 .  8B80 24030000 mov    eax, dword ptr [eax+324]
004BFBAF .  E8 1849FAFF call 004644CC
004BFBB4 .  8B45 EC    mov    eax, dword ptr [ebp-14]
004BFBB7 .  8D55 F0    lea    edx, dword ptr [ebp-10]
004BFBBA .  E8 C58BF4FF call 00408784
004BFBBF .  8B4D F0    mov    ecx, dword ptr [ebp-10]
004BFBC2 .  BA A8FC4B00 mov    edx, 004BFCA8                   ;  pass
004BFBC7 .  8BC3       mov    eax, ebx
004BFBC9 .  E8 D2BFF7FF call 0043BBA0
004BFBCE .  8BC3       mov    eax, ebx
004BFBD0 .  E8 CB38F4FF call 004034A0
004BFBD5 .  6A 40       push 40
004BFBD7 .  68 B0FC4B00 push 004BFCB0                      ;  软件注册
004BFBDC .  68 BCFC4B00 push 004BFCBC                      ;  注册成功，下次启动本软件将解除所有限制功能!
004BFBE1 .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFBE4 .  E8 CBB0FAFF call 0046ACB4
004BFBE9 .  50          push eax                            ; |hOwner
004BFBEA .  E8 A574F4FF call <jmp.&user32.MessageBoxA>       ; \调用注册成功对话框
004BFBEF .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFBF2 .  E8 590FFCFF call 00480B50
004BFBF7 .  33C0       xor    eax, eax
004BFBF9 .  5A          pop    edx
004BFBFA .  59          pop    ecx
004BFBFB .  59          pop    ecx
004BFBFC .  64:8910    mov    dword ptr fs:[eax], edx
004BFBFF .  EB 36       jmp    short 004BFC37
004BFC01 .^ E9 7A3DF4FF jmp    00403980
004BFC06 .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFC09 .  E8 420FFCFF call 00480B50
004BFC0E .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFC11 .  E8 F6000000 call 004BFD0C
004BFC16 .  E8 CD40F4FF call 00403CE8
004BFC1B .  EB 1A       jmp    short 004BFC37
004BFC1D >  6A 40       push 40
004BFC1F .  68 B0FC4B00 push 004BFCB0                      ;  软件注册
004BFC24 .  68 ECFC4B00 push 004BFCEC                      ;  注册失败，请检查用户名与注册码!
004BFC29 .  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFC2C .  E8 83B0FAFF call 0046ACB4
004BFC31 .  50          push eax                            ; |hOwner
004BFC32 .  E8 5D74F4FF call <jmp.&user32.MessageBoxA>       ; \MessageBoxA
004BFC37 >  33C0       xor    eax, eax
004BFC39 .  5A          pop    edx
004BFC3A .  59          pop    ecx
004BFC3B .  59          pop    ecx
004BFC3C .  64:8910    mov    dword ptr fs:[eax], edx
004BFC3F .  68 6CFC4B00 push 004BFC6C
004BFC44 >  8D45 EC    lea    eax, dword ptr [ebp-14]
004BFC47 .  E8 8846F4FF call 004042D4
004BFC4C .  8D45 F0    lea    eax, dword ptr [ebp-10]
004BFC4F .  E8 8046F4FF call 004042D4
004BFC54 .  8D45 F4    lea    eax, dword ptr [ebp-C]
004BFC57 .  E8 7846F4FF call 004042D4
004BFC5C .  8D45 F8    lea    eax, dword ptr [ebp-8]
004BFC5F .  E8 7046F4FF call 004042D4
004BFC64 .  C3          retn
004BFC65 .^ E9 CA3FF4FF jmp    00403C34
004BFC6A .^ EB D8       jmp    short 004BFC44
004BFC6C .  5F          pop    edi
004BFC6D .  5E          pop    esi
004BFC6E .  5B          pop    ebx
004BFC6F .  8BE5       mov    esp, ebp
004BFC71 .  5D          pop    ebp
004BFC72 .  C3          retn

》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》》

004BFDCC  /$  55          push ebp                            ;  F8
004BFDCD  |.  8BEC       mov    ebp, esp
004BFDCF  |.  B9 04000000 mov    ecx, 4
004BFDD4  |>  6A 00       /push 0
004BFDD6  |.  6A 00       |push 0
004BFDD8  |.  49          |dec    ecx
004BFDD9  |.^ 75 F9       \jnz    short 004BFDD4
004BFDDB  |.  51          push ecx                            ;  F4执行到选定位置
004BFDDC  |.  53          push ebx
004BFDDD  |.  56          push esi
004BFDDE  |.  8BF0       mov    esi, eax
004BFDE0  |.  33C0       xor    eax, eax
004BFDE2  |.  55          push ebp
004BFDE3  |.  68 E1FE4B00 push 004BFEE1
004BFDE8  |.  64:FF30    push dword ptr fs:[eax]
004BFDEB  |.  64:8920    mov    dword ptr fs:[eax], esp
004BFDEE  |.  8D55 F8    lea    edx, dword ptr [ebp-8]
004BFDF1  |.  8B86 24030000 mov    eax, dword ptr [esi+324]
004BFDF7  |.  E8 D046FAFF call 004644CC                      ;  读取假码
004BFDFC  |.  8B45 F8    mov    eax, dword ptr [ebp-8]
004BFDFF  |.  8D55 FC    lea    edx, dword ptr [ebp-4]
004BFE02  |.  E8 7D89F4FF call 00408784
004BFE07  |.  8B45 FC    mov    eax, dword ptr [ebp-4]
004BFE0A  |.  50          push eax
004BFE0B  |.  8D55 EC    lea    edx, dword ptr [ebp-14]
004BFE0E  |.  8B86 20030000 mov    eax, dword ptr [esi+320]
004BFE14  |.  E8 B346FAFF call 004644CC                      ;  读取用户名
004BFE19  |.  8B45 EC    mov    eax, dword ptr [ebp-14]
004BFE1C  |.  8D55 F0    lea    edx, dword ptr [ebp-10]
004BFE1F  |.  E8 6089F4FF call 00408784
004BFE24  |.  8B55 F0    mov    edx, dword ptr [ebp-10]
004BFE27  |.  8D4D F4    lea    ecx, dword ptr [ebp-C]
004BFE2A  |.  8BC6       mov    eax, esi
004BFE2C  |.  E8 03010000 call 004BFF34                      ;  读取机器码
004BFE31  |.  8B55 F4    mov    edx, dword ptr [ebp-C]          ;  注册码出现

破解方法②：

OD载入目标程序，F9运行，输入假码,不要点击确定，在命令行下消息断点：bp MessageBoxA 回车，然后点击确定，断下来后，在OD右下角的堆栈里面就可以找到注册码了，当然断下来的位置是关键CALL，F7跟进也可以找到注册码，方法同上。。。
对话框破解.jpg

注册信息:

用户名：Loader
注册码：RMCo-2756nv268-4616
注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\zy\Conver
注册成功.jpg

BY：Loader

[ 本帖最后由樊盟于 2009-3-25 20:44 编辑 ]

xuyang886 · 发表于 2009-3-25 21:44:42

好像不难哦``

试下`

sun50 · 发表于 2009-3-25 21:56:13

支持原创，学习了/:001

千江月 · 发表于 2009-3-26 12:13:08

虽然简单，还是顶一下

冬天的雷雨 · 发表于 2009-3-26 15:47:24

写的很详细谢谢~~

老万 · 发表于 2009-3-27 19:34:17

学习了，谢谢。。。。。。。。。

Goder · 发表于 2009-3-28 11:18:29

关键call进去直接 mov al，*
retn
应该更简单

finish · 发表于 2009-3-28 11:47:09

也学习下，好像不是很困难

hkp509 · 发表于 2009-3-28 12:03:10

谢谢了，我终于学会了

wbhing · 发表于 2009-3-31 11:24:50

支持LZ,学习了~

		自动登录	找回密码
密码			加入我们

[原创] 超级RM转换大师 V1.10破解教程

评分

相关帖子