世纪葵花 (Century Sunflower) -- Desktop Live Broadcast Recorder System 5.2

Date: 2004/10/15 1:03:00  Source: compiled by this site  Author: 蓝点

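【Foreword】: There is a lot about this program that I do not understand, so I am posting this to discuss it with everyone! (My thanks to 安靖 here as well.)
【Download page】: http://www.softreg.com.cn/shareware_view.asp?id=/3E781F2B-1927-46BD-BB4E-567A2FE09680/
【Author】: 辉仔Yock[DFCG][YCG]
【Author's statement】: I am publishing this article solely for study and research!!! Please do not use it for commercial purposes or freely distribute keygens made with the method in this article. Whatever readers do after reading the article has nothing to do with me and I will not be responsible for it; please think twice before acting! Finally, I hope everyone will support shareware when their finances allow!
【Tools】: OLLYDBG  W32Dasm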

—————————————————————————————————  
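【Process】:
The main program SFCAPCaster.exe is not packed; it is written in Microsoft Visual C++ 6.0!
Disassemble it with W32dasm; the string references quickly lead to the key spot!
Load SFCAPCaster.exe in OLLYDBG.

Choose Help --> Register --> enter the user name Yock196 (the user name must be longer than 5 characters) --> e-mail address (may be left blank; it is not used in the computation below!) --> enter a fake 20-character registration code KHSC-987654321ABCDEF (the first five characters must be "KHSC-")

Set a breakpoint at 004147D4 and arrive at the following: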

:004147BF E83AE40100              call 00432BFE
                                 //Gets the length of the user name here

:004147C4 8B07                    mov eax, dword ptr [edi]
:004147C6 C744242000000000        mov [esp+20], 00000000
:004147CE 8B40F8                  mov eax, dword ptr [eax-08]
:004147D1 83F805                  cmp eax, 00000005
                                 //Compares whether the user name is shorter than 5 characters

:004147D4 7D13                    jge 004147E9
:004147D6 6A00                    push 00000000
:004147D8 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"请输入长度大于5的用户名称"
                                 |
:004147DA 68A05B4500              push 00455BA0
:004147DF E8CF410200              call 004389B3
:004147E4 E91E010000              jmp 00414907

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004147D4(C)
|
:004147E9 8D4C2410                lea ecx, dword ptr [esp+10]
:004147ED 8D7E5C                  lea edi, dword ptr [esi+5C]
:004147F0 6A05                    push 00000005
:004147F2 51                      push ecx
:004147F3 8BCF                    mov ecx, edi
:004147F5 E8B18A0100              call 0042D2AB
:004147FA 8B00                    mov eax, dword ptr [eax]

* Possible StringData Ref from Data Obj ->"KHSC-"
                                 |
:004147FC 68985B4500              push 00455B98
:00414801 50                      push eax
:00414802 E8F59E0000              call 0041E6FC
                                 //Compares whether the first five characters of the registration code are "KHSC-"

:00414807 83C408                  add esp, 00000008
:0041480A 85C0                    test eax, eax
:0041480C 7511                    jne 0041481F
                                 //If not, jump down to the error

:0041480E 8B17                    mov edx, dword ptr [edi]
:00414810 837AF814                cmp dword ptr [edx-08], 00000014
                                 //Compares whether the registration code is 20 characters long

:00414814 0F95C0                  setne al
:00414817 84C0                    test al, al
:00414819 7504                    jne 0041481F
                                 //If not, jump down to the error

:0041481B 32DB                    xor bl, bl
:0041481D EB02                    jmp 00414821

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041480C(C), :00414819(C)
|
:0041481F B301                    mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041481D(U)
|
:00414821 8D4C2410                lea ecx, dword ptr [esp+10]
:00414825 E85FE60100              call 00432E89
:0041482A 84DB                    test bl, bl
:0041482C 7413                    je 00414841
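                                 //If the entered registration code does not meet the conditions above, this jump is not taken!
                                 //If it does, the jump is taken
                                 //This can be called a hidden trap; the first time, I thought registration had succeeded at this point!
                                 //Actually it had not: a code that meets the conditions above but is not the real registration code still leaves the program unregistered!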

:0041482E 6A00                    push 00000000
:00414830 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"注册失败!"
                                 |
:00414832 688C5B4500              push 00455B8C
:00414837 E877410200              call 004389B3
:0041483C E9C6000000              jmp 00414907

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041482C(C)                     //The jump above lands here!

......
......
                                 //Part of the code that is of little use is omitted

:0041488D 8D442418                lea eax, dword ptr [esp+18]
:00414891 50                      push eax
                                 //User name

:00414892 E829090000              call 004151C0
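                                 //Arriving here, my user name is run through a computation that yields the digit string "298103222272636"
                                 //But it seems to be of little use; I think it is not used at all!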

:00414897 83C40C                  add esp, 0000000C
:0041489A 50                      push eax
:0041489B 8D4C2410                lea ecx, dword ptr [esp+10]
:0041489F C644242402              mov [esp+24], 02
:004148A4 E819E70100              call 00432FC2
:004148A9 8D4C2410                lea ecx, dword ptr [esp+10]
:004148AD C644242000              mov [esp+20], 00
:004148B2 E8D2E50100              call 00432E89
:004148B7 51                      push ecx
:004148B8 8D542410                lea edx, dword ptr [esp+10]
:004148BC 8BCC                    mov ecx, esp
:004148BE 89642418                mov dword ptr [esp+18], esp
:004148C2 52                      push edx
:004148C3 E836E30100              call 00432BFE
:004148C8 8BCE                    mov ecx, esi
:004148CA E861000000              call 00414930
:004148CF 6A00                    push 00000000
:004148D1 8BCE                    mov ecx, esi
:004148D3 E838010000              call 00414A10
:004148D8 8BCE                    mov ecx, esi
:004148DA E8E1030000              call 00414CC0
                                 //W32Dasm's hints show that this CALL contains the registration-success window that pops up!
                                 //Step into it!

:004148DF 8BCE                    mov ecx, esi
:004148E1 E87A030000              call 00414C60
                                 //W32Dasm's hints show that this CALL contains the registration-success window that pops up!
                                 //Step into it!

:004148E6 8B461C                  mov eax, dword ptr [esi+1C]
:004148E9 6A00                    push 00000000
:004148EB 6A00                    push 00000000
:004148ED 6892040000              push 00000492
:004148F2 50                      push eax

* Reference To: USER32.SendMessageA, Ord:0214h
                                 |
:004148F3 FF1574654400            Call dword ptr [00446574]
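                                 //This is the part I understand least!
                                 //With 安靖's registration code, the success window pops up right here!
                                 //With the registration code I traced out myself, nothing happens here! But registration still succeeds!
                                 //I would appreciate pointers from the experts!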

:004148F9 8BCE                    mov ecx, esi
:004148FB E86DE00100              call 0043296D
:00414900 8BCE                    mov ecx, esi
:00414902 E81EF60100              call 00433F25
------------------------------------------------------------------
The CALL at 004148DA above arrives here:
* Referenced by a CALL at Address:
|:004148DA   
|
:00414CC0 51                      push ecx
:00414CC1 56                      push esi
:00414CC2 8BF1                    mov esi, ecx
:00414CC4 57                      push edi
:00414CC5 8D442408                lea eax, dword ptr [esp+08]
:00414CC9 6A05                    push 00000005
:00414CCB 50                      push eax
:00414CCC 8D8EF4010000            lea ecx, dword ptr [esi+000001F4]
:00414CD2 E8D4850100              call 0042D2AB
:00414CD7 8B00                    mov eax, dword ptr [eax]
:00414CD9 50                      push eax
:00414CDA E8129A0000              call 0041E6F1
:00414CDF 83C404                  add esp, 00000004
:00414CE2 8D4C2408                lea ecx, dword ptr [esp+08]
:00414CE6 8BF8                    mov edi, eax
:00414CE8 E89CE10100              call 00432E89
:00414CED 8B8EE8010000            mov ecx, dword ptr [esi+000001E8]
:00414CF3 51                      push ecx
:00414CF4 E887020000              call 00414F80
:00414CF9 83C404                  add esp, 00000004
:00414CFC 3BF8                    cmp edi, eax
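                                 //Key comparison...
                                 //The EDI and EAX registers respectively hold the hexadecimal values of the first five digits of the real and fake registration codes!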

:00414CFE 8986E8010000            mov dword ptr [esi+000001E8], eax
:00414D04 7509                    jne 00414D0F
                                 //If the jump is taken here, then...

:00414D06 6A01                    push 00000001
:00414D08 8BCE                    mov ecx, esi
:00414D0A E8B1FEFFFF              call 00414BC0
                                 //There are three jumps inside this call; if none of the three is taken, the registration-success window appears!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414D04(C)
|
:00414D0F 5F                      pop edi
:00414D10 5E                      pop esi
:00414D11 59                      pop ecx
:00414D12 C3                      ret
------------------------------------------------------------------
The CALL at 004148E1 above arrives here:
* Referenced by a CALL at Address:
|:004148E1   
|
:00414C60 51                      push ecx
:00414C61 56                      push esi
:00414C62 57                      push edi
:00414C63 8BF1                    mov esi, ecx
:00414C65 6A05                    push 00000005
:00414C67 8D44240C                lea eax, dword ptr [esp+0C]
:00414C6B 6A05                    push 00000005
:00414C6D 50                      push eax
:00414C6E 8D8EF4010000            lea ecx, dword ptr [esi+000001F4]
:00414C74 E820850100              call 0042D199
:00414C79 8B00                    mov eax, dword ptr [eax]
:00414C7B 50                      push eax
:00414C7C E8709A0000              call 0041E6F1
:00414C81 83C404                  add esp, 00000004
:00414C84 8D4C2408                lea ecx, dword ptr [esp+08]
:00414C88 8BF8                    mov edi, eax
:00414C8A E8FAE10100              call 00432E89
:00414C8F 8B8EEC010000            mov ecx, dword ptr [esi+000001EC]
:00414C95 51                      push ecx
:00414C96 E8B5030000              call 00415050
:00414C9B 83C404                  add esp, 00000004
:00414C9E 3BF8                    cmp edi, eax
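                                 //Same as above, key comparison...
                                 //The EDI and EAX registers respectively hold the hexadecimal values of the first five digits of the real and fake registration codes!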

:00414CA0 8986EC010000            mov dword ptr [esi+000001EC], eax
:00414CA6 7509                    jne 00414CB1
:00414CA8 6A02                    push 00000002
:00414CAA 8BCE                    mov ecx, esi
:00414CAC E80FFFFFFF              call 00414BC0
                                 //Same as above
                                 //There are three jumps inside this call; if none of the three is taken, the registration-success window appears!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414CA6(C)
|
:00414CB1 5F                      pop edi
:00414CB2 5E                      pop esi
:00414CB3 59                      pop ecx
:00414CB4 C3                      ret
------------------------------------------------------------------
This is where the CALLs at 00414CAC and 00414D0A arrive:

* Referenced by a CALL at Addresses:
|:00414586   , :00414CAC   , :00414D0A   
|
:00414BC0 56                      push esi
:00414BC1 8BF1                    mov esi, ecx
:00414BC3 E8CCA20200              call 0043EE94
:00414BC8 8B5004                  mov edx, dword ptr [eax+04]
:00414BCB 8B442408                mov eax, dword ptr [esp+08]
:00414BCF 48                      dec eax
:00414BD0 7452                    je 00414C24
:00414BD2 48                      dec eax
:00414BD3 7436                    je 00414C0B
                                 //Both the correct registration code I traced out and 安靖's registration code jump away here!

:00414BD5 48                      dec eax
:00414BD6 0F8580000000            jne 00414C5C
:00414BDC 6A00                    push 00000000
:00414BDE 6A01                    push 00000001
:00414BE0 8BCA                    mov ecx, edx
:00414BE2 C7825802000001000000    mov dword ptr [ebx+00000258], 00000001
:00414BEC E8AFFFFEFF              call 00404BA0
:00414BF1 6A00                    push 00000000
:00414BF3 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"注册成功, 请重新启动程序!"
                                 |
:00414BF5 68C05B4500              push 00455BC0
:00414BFA E8B43D0200              call 004389B3
:00414BFF 6A00                    push 00000000

* Reference To: USER32.PostQuitMessage, Ord:01E0h
                                 |
:00414C01 FF1564644400            Call dword ptr [00446464]
:00414C07 5E                      pop esi
:00414C08 C20400                  ret 0004
------------------------------------------------------------------
【Summary】:
The registration code I traced out (the e-mail may be left blank):
Yock196
KHSC-3518239909***** (the last five characters can be anything)

安靖's registration code:
anjing
KHSC-351821842415032

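The registration information is saved in C:\WINDOWS\SYSTEM\SysXCasterDrv.sys
With the registration code I traced out, nothing happens after clicking Register (but it still succeeds!)
With 安靖's registration code, clicking Register pops up the "注册成功, 请重新启动程序!" ("Registration successful, please restart the program!") box!
I think I may not have traced down to the core, so I would like to discuss it with everyone!
I asked 安靖, but that did not solve the problem! I am at a loss, and I hope some friend can help me take a look!
Finally, my sincere thanks for spending so much time reading this article! Thank you...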
                                         

    
    
     
    
    
     
