
世纪葵花--桌面直播录像机系统5.2

世纪葵花--桌面直播录像机系统5.2


    【前    言】:这个软件有很多地方不明白,所以发出来和大家探讨一下!(在这里也要谢谢安靖) 【下载页面】http://www.softreg.com.cn/shareware_view.asp?id=/3E781F2B-1927-46BD-BB4E-567A2FE09680/ 【文章作者】:辉仔Yock[DFCG][YCG] 【作者声明】:本人发表这篇文章只是为了学习和研究!!!请勿用于商业用途或是将本文方法制作的注册机任意传播,读者看了文章后所做的事情与我无关,我也不会负责,请读者看了文章后三思而后行!最后希望大家在经济基础好的时候,支持共享软件! 【破解工具】:OLLYDBG  W32Dasm   —————————————————————————————————  【过    程】: 主程序SFCAPCaster.exe没有加壳,是用Microsoft Visual C++ 6.0编写的! 用W32dasm反汇编,根据参考字串很快找到关键! 用OLLYDBG加载SFCAPCaster.exe 选择帮助-->注册-->输入用户名Yock196(用户名要大于5位)-->邮箱地址(可以不填,下面不做运算!)-->输入20位的假注册码KHSC-987654321ABCDEF(开头五位一定要是"KHSC-") 下断点004147D4来到下面: :004147BF E83AE40100              call 00432BFE                                  //这里是取得用户名位数 :004147C4 8B07                    mov eax, dword ptr [edi] :004147C6 C744242000000000        mov [esp+20], 00000000 :004147CE 8B40F8                  mov eax, dword ptr [eax-08] :004147D1 83F805                  cmp eax, 00000005                                  //比较用户名是否小于5位 :004147D4 7D13                    jge 004147E9 :004147D6 6A00                    push 00000000 :004147D8 6A10                    push 00000010 * Possible StringData Ref from Data Obj ->"请输入长度大于5的用户名称"                                  | :004147DA 68A05B4500              push 00455BA0 :004147DF E8CF410200              call 004389B3 :004147E4 E91E010000              jmp 00414907 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004147D4(C) | :004147E9 8D4C2410                lea ecx, dword ptr [esp+10] :004147ED 8D7E5C                  lea edi, dword ptr [esi+5C] :004147F0 6A05                    push 00000005 :004147F2 51                      push ecx :004147F3 8BCF                    mov ecx, edi :004147F5 E8B18A0100              call 0042D2AB :004147FA 8B00                    mov eax, dword ptr [eax] * Possible StringData Ref from Data Obj ->"KHSC-"                                  | :004147FC 68985B4500              push 00455B98 :00414801 50                      push eax :00414802 E8F59E0000              
call 0041E6FC                                  //比较注册码的前面五位是否"KHSC-" :00414807 83C408                  add esp, 00000008 :0041480A 85C0                    test eax, eax :0041480C 7511                    jne 0041481F                                  //不是就跳下去出错 :0041480E 8B17                    mov edx, dword ptr [edi] :00414810 837AF814                cmp dword ptr [edx-08], 00000014                                  //比较注册码是否等于20位 :00414814 0F95C0                  setne al :00414817 84C0                    test al, al :00414819 7504                    jne 0041481F                                  //不是的话跳下去出错 :0041481B 32DB                    xor bl, bl :0041481D EB02                    jmp 00414821 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0041480C(C), :00414819(C) | :0041481F B301                    mov bl, 01 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0041481D(U) | :00414821 8D4C2410                lea ecx, dword ptr [esp+10] :00414825 E85FE60100              call 00432E89 :0041482A 84DB                    test bl, bl :0041482C 7413                    je 00414841                                  //输入的注册码如果不符合上面的条件就不跳走!                                  //符合反之                                  //这里可以说是一个暗桩,我第一次以为这样注册成功了!                                  //其实不是的,符合上面的条件,但不是真的注册码一样是未注册! :0041482E 6A00                    push 00000000 :00414830 6A10                    push 00000010 * Possible StringData Ref from Data Obj ->"注册失败!"                                  | :00414832 688C5B4500              push 00455B8C :00414837 E877410200              call 004389B3 :0041483C E9C6000000              jmp 00414907 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0041482C(C)                     //上面来到这里! ...... ......                                  
//省略一部分用处不大的代码 :0041488D 8D442418                lea eax, dword ptr [esp+18] :00414891 50                      push eax                                  //用户名 :00414892 E829090000              call 004151C0                                  //来到这里是把我的用户名经过运算后得出一串数字"298103222272636"                                  //但是感觉上用处不大,我认为根本就没有! :00414897 83C40C                  add esp, 0000000C :0041489A 50                      push eax :0041489B 8D4C2410                lea ecx, dword ptr [esp+10] :0041489F C644242402              mov [esp+24], 02 :004148A4 E819E70100              call 00432FC2 :004148A9 8D4C2410                lea ecx, dword ptr [esp+10] :004148AD C644242000              mov [esp+20], 00 :004148B2 E8D2E50100              call 00432E89 :004148B7 51                      push ecx :004148B8 8D542410                lea edx, dword ptr [esp+10] :004148BC 8BCC                    mov ecx, esp :004148BE 89642418                mov dword ptr [esp+18], esp :004148C2 52                      push edx :004148C3 E836E30100              call 00432BFE :004148C8 8BCE                    mov ecx, esi :004148CA E861000000              call 00414930 :004148CF 6A00                    push 00000000 :004148D1 8BCE                    mov ecx, esi :004148D3 E838010000              call 00414A10 :004148D8 8BCE                    mov ecx, esi :004148DA E8E1030000              call 00414CC0                                  //根据W32Dasm的提示得知这个CALL里面是注册成功弹出的窗口!                                  //跟进去! :004148DF 8BCE                    mov ecx, esi :004148E1 E87A030000              call 00414C60                                  //根据W32Dasm的提示得知这个CALL里面是注册成功弹出的窗口!                                  //跟进去! 
:004148E6 8B461C                  mov eax, dword ptr [esi+1C] :004148E9 6A00                    push 00000000 :004148EB 6A00                    push 00000000 :004148ED 6892040000              push 00000492 :004148F2 50                      push eax * Reference To: USER32.SendMessageA, Ord:0214h                                  | :004148F3 FF1574654400            Call dword ptr [00446574]                                  //这个地方是最不明白的了!                                  //用"安靖"的注册码注册就在这里弹出成功的窗口!                                  //用我自己追出来的注册码,这里是没有反应的!但也能注册成功!                                  //还请高手指点! :004148F9 8BCE                    mov ecx, esi :004148FB E86DE00100              call 0043296D :00414900 8BCE                    mov ecx, esi :00414902 E81EF60100              call 00433F25 ------------------------------------------------------------------ 上面004148DA的CALL来到这里: * Referenced by a CALL at Address: |:004148DA    | :00414CC0 51                      push ecx :00414CC1 56                      push esi :00414CC2 8BF1                    mov esi, ecx :00414CC4 57                      push edi :00414CC5 8D442408                lea eax, dword ptr [esp+08] :00414CC9 6A05                    push 00000005 :00414CCB 50                      push eax :00414CCC 8D8EF4010000            lea ecx, dword ptr [esi+000001F4] :00414CD2 E8D4850100              call 0042D2AB :00414CD7 8B00                    mov eax, dword ptr [eax] :00414CD9 50                      push eax :00414CDA E8129A0000              call 0041E6F1 :00414CDF 83C404                  add esp, 00000004 :00414CE2 8D4C2408                lea ecx, dword ptr [esp+08] :00414CE6 8BF8                    mov edi, eax :00414CE8 E89CE10100              call 00432E89 :00414CED 8B8EE8010000            mov ecx, dword ptr [esi+000001E8] :00414CF3 51                      push ecx :00414CF4 E887020000              call 00414F80 :00414CF9 83C404                  add esp, 00000004 :00414CFC 3BF8                    cmp edi, eax    
                              //关键比较...                                  //EDI和EAX寄存器分别存着真假注册码的前五位数的十六进制值! :00414CFE 8986E8010000            mov dword ptr [esi+000001E8], eax :00414D04 7509                    jne 00414D0F                                  //这里跳走的话就... :00414D06 6A01                    push 00000001 :00414D08 8BCE                    mov ecx, esi :00414D0A E8B1FEFFFF              call 00414BC0                                  //这里进去有三个跳转,这三个跳转不跳的话就出现注册成功窗口! * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00414D04(C) | :00414D0F 5F                      pop edi :00414D10 5E                      pop esi :00414D11 59                      pop ecx :00414D12 C3                      ret ------------------------------------------------------------------ 上面004148E1的CALL来到这里: * Referenced by a CALL at Address: |:004148E1    | :00414C60 51                      push ecx :00414C61 56                      push esi :00414C62 57                      push edi :00414C63 8BF1                    mov esi, ecx :00414C65 6A05                    push 00000005 :00414C67 8D44240C                lea eax, dword ptr [esp+0C] :00414C6B 6A05                    push 00000005 :00414C6D 50                      push eax :00414C6E 8D8EF4010000            lea ecx, dword ptr [esi+000001F4] :00414C74 E820850100              call 0042D199 :00414C79 8B00                    mov eax, dword ptr [eax] :00414C7B 50                      push eax :00414C7C E8709A0000              call 0041E6F1 :00414C81 83C404                  add esp, 00000004 :00414C84 8D4C2408                lea ecx, dword ptr [esp+08] :00414C88 8BF8                    mov edi, eax :00414C8A E8FAE10100              call 00432E89 :00414C8F 8B8EEC010000            mov ecx, dword ptr [esi+000001EC] :00414C95 51                      push ecx :00414C96 E8B5030000              call 00415050 :00414C9B 83C404                  add esp, 00000004 :00414C9E 3BF8                    cmp edi, eax                            
      //和上面一样,关键比较...                                  //EDI和EAX寄存器分别存着真假注册码的前五位数的十六进制值! :00414CA0 8986EC010000            mov dword ptr [esi+000001EC], eax :00414CA6 7509                    jne 00414CB1 :00414CA8 6A02                    push 00000002 :00414CAA 8BCE                    mov ecx, esi :00414CAC E80FFFFFFF              call 00414BC0                                  //和上面一样                                  //这里进去有三个跳转,这三个跳转不跳的话就出现注册成功窗口! * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00414CA6(C) | :00414CB1 5F                      pop edi :00414CB2 5E                      pop esi :00414CB3 59                      pop ecx :00414CB4 C3                      ret ------------------------------------------------------------------ 这里就是00414CAC和00414D0A的CALL来到的地方: * Referenced by a CALL at Addresses: |:00414586   , :00414CAC   , :00414D0A    | :00414BC0 56                      push esi :00414BC1 8BF1                    mov esi, ecx :00414BC3 E8CCA20200              call 0043EE94 :00414BC8 8B5004                  mov edx, dword ptr [eax+04] :00414BCB 8B442408                mov eax, dword ptr [esp+08] :00414BCF 48                      dec eax :00414BD0 7452                    je 00414C24 :00414BD2 48                      dec eax :00414BD3 7436                    je 00414C0B                                  //我追出来的正确注册码和"安靖"的注册码在这里都跳走了! :00414BD5 48                      dec eax :00414BD6 0F8580000000            jne 00414C5C :00414BDC 6A00                    push 00000000 :00414BDE 6A01                    push 00000001 :00414BE0 8BCA                    mov ecx, edx :00414BE2 C7825802000001000000    mov dword ptr [ebx+00000258], 00000001 :00414BEC E8AFFFFEFF              call 00404BA0 :00414BF1 6A00                    push 00000000 :00414BF3 6A00                    push 00000000 * Possible StringData Ref from Data Obj ->"注册成功, 请重新启动程序!"                                  
| :00414BF5 68C05B4500              push 00455BC0 :00414BFA E8B43D0200              call 004389B3 :00414BFF 6A00                    push 00000000 * Reference To: USER32.PostQuitMessage, Ord:01E0h                                  | :00414C01 FF1564644400            Call dword ptr [00446464] :00414C07 5E                      pop esi :00414C08 C20400                  ret 0004 ------------------------------------------------------------------ 【总    结】: 我追出的注册码(邮箱不填也可以): Yock196 KHSC-3518239909*****(后面五位随便) 安靖兄的注册码: anjing KHSC-351821842415032 注册信息保存在C:\WINDOWS\SYSTEM\SysXCasterDrv.sys 用我追出来的注册码按注册后没有反应(但也能成功!) 用安靖兄的注册码按注册后会弹出"注册成功, 请重新启动程序!"的框! 我想可能是我没有追到核心,所以想和大家探讨一下! 我问过安靖了,可是没有解决问题!好没头绪,希望又朋友能帮我看看! 最后在这里真心感谢你花了那么多时间看这篇文章!谢谢了...                                          
