DubIt V2.01
类别:视频工具
版本:2.01
文件大小:1897KB
授权:共享软件
运行平台:Win95/98/NT
作者网站:http://programhunter.126.com
软件简介: 可在观看Image或Movie的时候,实时加入语音,然后生成标准的.AVI文件。
追踪:name:dahuilang
RN:01234567
这个软件同著名的snagit32图象捕捉软件是同一个公司出品的,所以破解它的方法同破解snagit时是相同的。现在开始破解:在输入注册码前,你一定要先填写一个表格,然后才能输入注册码。记得一定要填公司的名字才是有效的。
:0040DCFA 8BD8
mov ebx, eax <-从这里出来
:0040DCFC 83FB12
cmp ebx, 00000012
:0040DCFF 0F8C4B010000 jl 0040DE50
程序在这里比较你的注册码是否小于18位,所以在这里可以设RN:01234567890123456789,向下追踪:
:0040DD05 8D4760
lea eax, dword ptr [edi+60]
* Possible StringData Ref from Data Obj ->"0123456789ABCDEF-"
|
:0040DD08 6854CD4500 push
0045CD54
:0040DD0D 50
push eax
:0040DD0E E8ED4F0100 call
00422D00
:0040DD13 59
pop ecx
:0040DD14 3BC3
cmp eax, ebx
:0040DD16 59
pop ecx
:0040DD17 0F8533010000 jne 0040DE50
:0040DD1D 8D4F60
lea ecx, dword ptr [edi+60]
:0040DD20 8D5C3B60
lea ebx, dword ptr [ebx+edi+60]
:0040DD24 3BCB
cmp ecx, ebx
:0040DD26 8BC1
mov eax, ecx
:0040DD28 7312
jnb 0040DD3C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040DD30(U), :0040DD3A(C)
|
:0040DD2A 80392D
cmp byte ptr [ecx], 2D
:0040DD2D 7503
jne 0040DD32
:0040DD2F 41
inc ecx
:0040DD30 EBF8
jmp 0040DD2A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD2D(C)
|
:0040DD32 8A11
mov dl, byte ptr [ecx]
:0040DD34 8810
mov byte ptr [eax], dl
:0040DD36 40
inc eax
:0040DD37 41
inc ecx
:0040DD38 3BC3
cmp eax, ebx
:0040DD3A 72EE
jb 0040DD2A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD28(C)
|
:0040DD3C 802000
and byte ptr [eax], 00
:0040DD3F 8D4760
lea eax, dword ptr [edi+60]
:0040DD42 50
push eax
:0040DD43 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD46 E8CD4C0200 call
00432A18
:0040DD4B 8D45F8
lea eax, dword ptr [ebp-08]
* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0040DD4E 6A04
push 00000004
:0040DD50 50
push eax
:0040DD51 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD54 8D5F5C
lea ebx, dword ptr [edi+5C]
:0040DD57 E8DC1E0200 call
0042FC38
:0040DD5C 50
push eax
:0040DD5D 8BCB
mov ecx, ebx
:0040DD5F E8334D0200 call
00432A97
:0040DD64 8D4DF8
lea ecx, dword ptr [ebp-08]
:0040DD67 E83E4C0200 call
004329AA
:0040DD6C 8B45FC
mov eax, dword ptr [ebp-04]
:0040DD6F 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD72 8B40F8
mov eax, dword ptr [eax-08]
:0040DD75 83C0FC
add eax, FFFFFFFC
:0040DD78 50
push eax
:0040DD79 8D45F8
lea eax, dword ptr [ebp-08]
:0040DD7C 50
push eax
:0040DD7D E8321F0200 call
0042FCB4
:0040DD82 50
push eax
:0040DD83 8D4DFC
lea ecx, dword ptr [ebp-04]
:0040DD86 E80C4D0200 call
00432A97
:0040DD8B 8D4DF8
lea ecx, dword ptr [ebp-08]
:0040DD8E E8174C0200 call
004329AA
:0040DD93 8B1B
mov ebx, dword ptr [ebx]
:0040DD95 6A10
push 00000010
:0040DD97 6A05
push 00000005
:0040DD99 8BCE
mov ecx, esi
:0040DD9B FF75FC
push [ebp-04]
:0040DD9E 53
push ebx
:0040DD9F E864190000 call
0040F708
:0040DDA4 6A01
push 00000001
:0040DDA6 8BD8
mov ebx, eax
:0040DDA8 58
pop eax
:0040DDA9 3AD8
cmp bl, al *******
:0040DDAB 0F8583000000 jne 0040DE34
:0040DDB1 83A6D000000000 and dword ptr [esi+000000D0],
00000000
:0040DDB8 8986C4000000 mov dword
ptr [esi+000000C4], eax
:0040DDBE 8D4760
lea eax, dword ptr [edi+60]
:0040DDC1 8BCE
mov ecx, esi
:0040DDC3 50
push eax
* Possible StringData Ref from Data Obj ->"RegistrationKey"
|
:0040DDC4 6844CD4500 push
0045CD44
* Possible StringData Ref from Data Obj ->"Settings"
|
:0040DDC9 6864C64500 push
0045C664
:0040DDCE E8D4100300 call
0043EEA7
:0040DDD3 8B761C
mov esi, dword ptr [esi+1C]
:0040DDD6 FF761C
push [esi+1C]
程序在***处是一个关键的跳跃,因为下面有一个比较明显的地方:"RegistrationKey"就是程序将要向注册表中写入数据的键值,所以现在应当分析一下那个比较的地方。现在就进入call 0040F708中。
; ----------------------------------------------------------------------
; 0040F708 — registration-key check (W32Dasm listing; symbol names unknown)
; Convention: this-pointer in ecx (saved to ebx), four dword stack args,
;             callee cleans (ret 0010). The caller at 0040DD95..0040DD9F
;             pushes 10h, 5, [ebp-04], ebx, so here:
;             [ebp+08] = caller's ebx (string passed to 004230FF)
;             [ebp+0C] = caller's [ebp-04] (the entered key; lstrlenA'd)
;             [ebp+10] = 5 (mode)        [ebp+14] = 10h (version gate)
; Returns:    ax — al = flag [ebp-01] (1 = accepted), ah = reason [ebp-02]
;             (0 on success and on the 0040F783 path, 0Ah/0Bh/0Ch on the
;             three fail paths below). The caller compares only al with 1.
; Locals:     [ebp-4C..-19] 34h-byte state block for 0041FF2E/0041FF3A/
;             0041FFE8; [ebp-18..-09] 10h-byte copy of the key string;
;             [ebp-08] parsed dword; [ebp-02] reason; [ebp-01] flag.
; Protection note: the verdict is a single byte produced by plain compares
;             against values computed in this frame, so both the flag and
;             the expected values are observable at the compare sites.
; ----------------------------------------------------------------------
:0040F708 55
push ebp
:0040F709 8BEC
mov ebp, esp
:0040F70B 83EC4C
sub esp, 0000004C                       ; 4Ch bytes of locals (see header)
:0040F70E 8365F800
and dword ptr [ebp-08], 00000000        ; parsed value = 0
:0040F712 8065FE00
and byte ptr [ebp-02], 00               ; reason code = 0
:0040F716 53
push ebx                                ; save callee-saved regs
:0040F717 56
push esi
:0040F718 57
push edi
:0040F719 6A0F
push 0000000F                           ; args for 00422820: (&[ebp-18], 0, 0Fh)
:0040F71B 8D45E8
lea eax, dword ptr [ebp-18]
:0040F71E 6A00
push 00000000
:0040F720 8BD9
mov ebx, ecx                            ; ebx = this (ecx on entry)
:0040F722 50
push eax
:0040F723 C645FF01
mov [ebp-01], 01                        ; flag starts as "accepted"; fail paths clear it
:0040F727 E8F4300100 call
00422820                                ; (ptr, 0, 0Fh) memset-shaped — presumably zeroes the buffer; confirm
:0040F72C 8B7D0C
mov edi, dword ptr [ebp+0C]             ; edi = entered key string (arg 2)
* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:0040F72F 8B35D0C24400 mov esi, dword
ptr [0044C2D0]                          ; esi = lstrlenA, kept live for the whole function
:0040F735 83C40C
add esp, 0000000C                       ; cdecl cleanup of the 3 args
:0040F738 57
push edi
:0040F739 FFD6
call esi                                ; eax = lstrlenA(key)
:0040F73B 50
push eax                                ; args for 004220B0: (&[ebp-18], key, len)
:0040F73C 8D45E8
lea eax, dword ptr [ebp-18]
:0040F73F 57
push edi
:0040F740 50
push eax
:0040F741 E86A290100 call
004220B0                                ; copy-shaped (dst, src, n). NOTE(review): n is the full
                                        ; lstrlenA result while [ebp-18] is only 10h bytes wide and
                                        ; no upper bound is applied here (0040DCFC checks a minimum
                                        ; only) — verify that 004220B0 clamps before relying on it
:0040F746 83C40C
add esp, 0000000C
:0040F749 66837D1005 cmp word
ptr [ebp+10], 0005                      ; mode 5 or 6 -> numeric-parse path at 0040F763
:0040F74E 7413
je 0040F763
:0040F750 66837D1006 cmp word
ptr [ebp+10], 0006
:0040F755 740C
je 0040F763
:0040F757 FF7508
push [ebp+08]                           ; other modes: this->0040F81E(arg1); body not in this listing
:0040F75A 8BCB
mov ecx, ebx
:0040F75C E8BD000000 call
0040F81E
:0040F761 EB0F
jmp 0040F772
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F74E(C), :0040F755(C)
|
:0040F763 6A10
push 00000010                           ; args for 004230FF: (arg1, 0, 10h)
:0040F765 6A00
push 00000000
:0040F767 FF7508
push [ebp+08]
:0040F76A E890390100 call
004230FF                                ; (str, 0, 10h) strtol-shaped, radix 16 — confirm
:0040F76F 83C40C
add esp, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F761(U)
|
:0040F772 8945F8
mov dword ptr [ebp-08], eax             ; keep the parsed value for the state update below
:0040F775 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F778 50
push eax
:0040F779 E8B0070100 call
0041FF2E                                ; init-shaped call on the state block; 0 => reject
:0040F77E 85C0
test eax, eax
:0040F780 59
pop ecx
:0040F781 7509
jne 0040F78C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F7A0(C), :0040F7B6(C)
|
:0040F783 8065FF00
and byte ptr [ebp-01], 00               ; shared reject: flag = 0, reason stays 0
:0040F787 E983000000 jmp 0040F80F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F781(C)
|
:0040F78C 8D4510
lea eax, dword ptr [ebp+10]             ; 0041FF3A(state, &mode, 2)
:0040F78F 6A02
push 00000002
:0040F791 50
push eax
:0040F792 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F795 50
push eax
:0040F796 E89F070100 call
0041FF3A                                ; (state, ptr, len) update-shaped; 0 => reject
:0040F79B 83C40C
add esp, 0000000C
:0040F79E 85C0
test eax, eax
:0040F7A0 74E1
je 0040F783
:0040F7A2 8D45F8
lea eax, dword ptr [ebp-08]             ; 0041FF3A(state, &parsed, 2)
:0040F7A5 6A02
push 00000002
:0040F7A7 50
push eax
:0040F7A8 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F7AB 50
push eax
:0040F7AC E889070100 call
0041FF3A
:0040F7B1 83C40C
add esp, 0000000C
:0040F7B4 85C0
test eax, eax
:0040F7B6 74CB
je 0040F783
:0040F7B8 8D45E8
lea eax, dword ptr [ebp-18]             ; 0041FFE8(state, key copy): the compare loop listed later on the page
:0040F7BB 50
push eax
:0040F7BC 8D45B4
lea eax, dword ptr [ebp-4C]
:0040F7BF 50
push eax
:0040F7C0 E823080100 call
0041FFE8
:0040F7C5 59
pop ecx
:0040F7C6 85C0
test eax, eax
:0040F7C8 59
pop ecx
:0040F7C9 7509
jne 0040F7D4                            ; nonzero = matched; fall-through = mismatch
:0040F7CB 2045FF
and byte ptr [ebp-01], al *****         ; eax == 0 here (jne not taken), so this clears the flag
:0040F7CE C645FE0A
mov [ebp-02], 0A                        ; reason 0Ah: key mismatch
:0040F7D2 EB3B
jmp 0040F80F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7C9(C)
|
:0040F7D4 0FB75D14
movzx ebx, word ptr [ebp+14]            ; ebx = arg 4 (10h from the caller)
:0040F7D8 57
push edi
:0040F7D9 FFD6
call esi                                ; lstrlenA(key)
:0040F7DB 83F80E
cmp eax, 0000000E
:0040F7DE 7C27
jl 0040F807                             ; fewer than 14 chars -> reason 0Ch (signed jl on a length; harmless since lstrlenA is non-negative)
:0040F7E0 83C70C
add edi, 0000000C                       ; edi -> chars 13..14 of the key
:0040F7E3 6A02
push 00000002
:0040F7E5 57
push edi
:0040F7E6 E886070100 call
0041FF71 /*/*/*/*/*                     ; (ptr, 2) — per the author's analysis, the value of those two chars
:0040F7EB 59
pop ecx
:0040F7EC 83F841
cmp eax, 00000041                       ; eax = (value >= 41h) ? value - 41h : 0
:0040F7EF 59
pop ecx
:0040F7F0 7304
jnb 0040F7F6
:0040F7F2 33C0
xor eax, eax
:0040F7F4 EB03
jmp 0040F7F9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F0(C)
|
:0040F7F6 83E841
sub eax, 00000041
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F4(U)
|
:0040F7F9 3BC3
cmp eax, ebx                            ; version gate: accept iff (value - 41h) >= arg 4
:0040F7FB 7312
jnb 0040F80F
:0040F7FD 8065FF00
and byte ptr [ebp-01], 00
:0040F801 C645FE0B
mov [ebp-02], 0B                        ; reason 0Bh: key treated as an older version
:0040F805 EB08
jmp 0040F80F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7DE(C)
|
:0040F807 8065FF00
and byte ptr [ebp-01], 00
:0040F80B C645FE0C
mov [ebp-02], 0C                        ; reason 0Ch: key too short
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F787(U), :0040F7D2(U), :0040F7FB(C), :0040F805(U)
|
:0040F80F 33C0
xor eax, eax                            ; exit: ax = reason:flag
:0040F811 5F
pop edi
:0040F812 8A65FE
mov ah, byte ptr [ebp-02]
:0040F815 5E
pop esi
:0040F816 8A45FF
mov al, byte ptr [ebp-01]
:0040F819 5B
pop ebx
:0040F81A C9
leave
:0040F81B C21000
ret 0010                                ; callee pops the four dword args
现在进入后分析一下,我们需要得到什么值才能在外面的那个比较的地方不跳跃,应当是al值,所以这里先看一看al在返回前的值是由什么决定的。先从后面来看,发现程序使用[ebp-01]来决定al值,那么就先分析[ebp-01]的值在什么地方可以变化。因为在外面的比较地方只有当al=1时才能注册成功,所以看一看在哪里可以得到[ebp-01]=1。
我们发现在*****处[ebp-01]是由al决定的,当al=1时就满足条件。所以进入call 0041FFE8中。
; ----------------------------------------------------------------------
; 0041FFE8 — compares the entered key against bytes computed in this frame
; Args (cdecl, caller pops): [ebp+08] = state block (first word read as a
;             length, data at +2); [ebp+0C] = copy of the entered key.
; Returns:    eax = 1 when all 8 compared characters match. The mismatch
;             exit 004200BB lies just past this listing (it jumps back to
;             004200B6, see the reference note there).
; Locals:     [ebp-14..-05] 16-byte table "0123456789ABCDEF" built at entry;
;             [ebp-24..-15] 16 bytes written by the 0041F582/0041F5AA/0041F648
;             triple; [ebp-7C..-25] 58h-byte working block for that triple;
;             [ebp-04] scratch dword.
; Protection note: the expected characters are materialised on the stack
;             and compared one byte at a time at 004200A5, which is why
;             the author can read them off at that instruction.
; ----------------------------------------------------------------------
:0041FFE8 55
push ebp
:0041FFE9 8BEC
mov ebp, esp
:0041FFEB 83EC7C
sub esp, 0000007C                       ; 7Ch bytes of locals (see header)
:0041FFEE 6A30
push 00000030                           ; eax = '0' (30h); ecx = table index = 0
:0041FFF0 33C9
xor ecx, ecx
:0041FFF2 58
pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420000(C)
|
:0041FFF3 0FB7D1
movzx edx, cx                           ; table[ecx++] = al, for al = '0'..'9'
:0041FFF6 41
inc ecx
:0041FFF7 884415EC
mov byte ptr [ebp+edx-14], al
:0041FFFB 40
inc eax
:0041FFFC 663D3900
cmp ax, 0039                            ; '9'
:00420000 76F1
jbe 0041FFF3
:00420002 6A41
push 00000041                           ; then 'A'..'F' (41h..46h); ecx ends at 16
:00420004 58
pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420012(C)
|
:00420005 0FB7D1
movzx edx, cx
:00420008 41
inc ecx
:00420009 884415EC
mov byte ptr [ebp+edx-14], al
:0042000D 40
inc eax
:0042000E 663D4600
cmp ax, 0046                            ; 'F'
:00420012 76F1
jbe 00420005
:00420014 53
push ebx                                ; save callee-saved regs
:00420015 56
push esi
:00420016 57
push edi
:00420017 8B7D0C
mov edi, dword ptr [ebp+0C]             ; edi = key string
:0042001A 6A02
push 00000002                           ; 0041FF71(key+0Ch, 2): same helper as the version gate in 0040F708
:0042001C 894DFC
mov dword ptr [ebp-04], ecx             ; appears dead: overwritten at 0042002B before any read
:0042001F 8D470C
lea eax, dword ptr [edi+0C]
:00420022 50
push eax
:00420023 E849FFFFFF call
0041FF71
:00420028 8B7508
mov esi, dword ptr [ebp+08]             ; esi = state block
:0042002B 8945FC
mov dword ptr [ebp-04], eax
:0042002E 8D45FC
lea eax, dword ptr [ebp-04]             ; 0041FF3A(state, &value, 2): same (state, ptr, len) shape as in 0040F708
:00420031 6A02
push 00000002
:00420033 50
push eax
:00420034 56
push esi
:00420035 E800FFFFFF call
0041FF3A
:0042003A 8D4708
lea eax, dword ptr [edi+08]             ; 0041FF71(key+8, 4); the "Open" dialog ref below is a disassembler false positive on the literal 4
* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0042003D 6A04
push 00000004
:0042003F 50
push eax
:00420040 E82CFFFFFF call
0041FF71
:00420045 8945FC
mov dword ptr [ebp-04], eax
:00420048 8D45FC
lea eax, dword ptr [ebp-04]             ; 0041FF3A(state, &value, 2) again
:0042004B 6A02
push 00000002
:0042004D 50
push eax
:0042004E 56
push esi
:0042004F E8E6FEFFFF call
0041FF3A
:00420054 8D4584
lea eax, dword ptr [ebp-7C]             ; 0041F582(&work): init-shaped
:00420057 50
push eax
:00420058 E825F5FFFF call
0041F582
:0042005D 0FB706
movzx eax, word ptr [esi]               ; len = *(u16*)state; data = state+2
:00420060 8D5E02
lea ebx, dword ptr [esi+02]
:00420063 50
push eax
:00420064 8D4584
lea eax, dword ptr [ebp-7C]
:00420067 53
push ebx
:00420068 50
push eax
:00420069 E83CF5FFFF call
0041F5AA                                ; 0041F5AA(&work, state+2, len): update-shaped
:0042006E 8D4584
lea eax, dword ptr [ebp-7C]             ; 0041F648(&[ebp-24], &work): final-shaped; output read at 0042009E
:00420071 50
push eax
:00420072 8D45DC
lea eax, dword ptr [ebp-24]
:00420075 50
push eax
:00420076 E8CDF5FFFF call
0041F648
:0042007B 83C440
add esp, 00000040                       ; pops the 16 dword args of the seven calls above at once
:0042007E 6A32
push 00000032                           ; 00422820(state+2, 0, 32h): same memset-shaped helper as at 0040F719
:00420080 6A00
push 00000000
:00420082 53
push ebx
:00420083 E898270000 call
00422820
:00420088 83C40C
add esp, 0000000C
:0042008B 33DB
xor ebx, ebx                            ; bx = 0, 2, 4, ... 14 (loop counter)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200B1(C)
|
:0042008D 0FB7F3
movzx esi, bx
:00420090 8BC6
mov eax, esi
:00420092 D1E8
shr eax, 1                              ; al = key[bx/2]
:00420094 8A0438
mov al, byte ptr [eax+edi]
:00420097 50
push eax
:00420098 E834FFFFFF call
0041FFD1                                ; per-char transform; body not in listing, result assumed in al (used by the cmp below)
:0042009D 59
pop ecx
:0042009E 8A4C35DC
mov cl, byte ptr [ebp+esi-24]           ; cl = output[bx] & 0Fh -> table index
:004200A2 83E10F
and ecx, 0000000F
:004200A5 38440DEC
cmp byte ptr [ebp+ecx-14], al ***       ; expected table char vs transformed key char
:004200A9 7510
jne 004200BB                            ; mismatch exit, past the end of this listing
:004200AB 43
inc ebx
:004200AC 43
inc ebx
:004200AD 6683FB10
cmp bx, 0010                            ; 8 iterations in total
:004200B1 72DA
jb 0042008D
:004200B3 6A01
push 00000001                           ; eax = 1: all 8 matched
:004200B5 58
pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200BD(U)
|
:004200B6 5F
pop edi                                 ; shared epilogue (the mismatch path re-enters here from 004200BD)
:004200B7 5E
pop esi
:004200B8 5B
pop ebx
:004200B9 C9
leave
:004200BA C3
ret                                     ; cdecl: caller pops the two args
进入这里后你将发现这里是比较的关键地方,你可以看到***处不断同你输入的注册码进行比较,在这里你就可以得到注册码前8位的值,这样就可以得到注册码了。但是像这样输入的注册码,程序会提示是以前的注册码,那么如何再分析呢?这就是经验了,因为以前破解snagit时也遇到过这样的问题。如何解决呢?程序在下面还会用到如下的判断:
:0040F7E3 6A02
push 00000002
:0040F7E5 57
push edi 第13,14位值(如:23)
:0040F7E6 E886070100 call
0041FF71 /*/*/*/*/*
:0040F7EB 59
pop ecx
:0040F7EC 83F841
cmp eax, 00000041 eax=23
:0040F7EF 59
pop ecx
:0040F7F0 7304
jnb 0040F7F6
:0040F7F2 33C0
xor eax, eax
:0040F7F4 EB03
jmp 0040F7F9
这里是程序从上面的call返回后到达的地方,这个edi经分析是第13,14位的值,并且在下面将这两位合并后的值同41比较,如果你输入的注册码中第13,14位合并后的值小于41的话,程序就认为是以前的版本,所以在这里只要先将第13位设为大于4的数就可以了。
现在设RN:01234567FFFFFFFFFF
再进行上面的那个验证过程,就可以得到下面的注册码了。
*****************************
*
RN:E20C37EBFFFFFFFFFF *
*****************************