DubIt V2.01

标题：好长时间没有向这里贴文章了，今天写一个比较简单的，难度不在，不过没有下载地址。 (18千字)
作者：程式猎人
时间：2000-10-10 20:48:14
链接：http://bbs.pediy.com

DubIt V2.01
类别：视频工具
版本：2.01
文件大小：1897KB
授权：共享软件
运行平台：Win95/98/NT
作者网站：http://programhunter.126.com
软件简介：可在观看Image或Movie的时候，实时加入语音，然后生成标准的.AVI文件。
追踪：name：dahuilang
RN：01234567
这个软件是同著名的snagit32图象捕捉软件是同一个公司出口的软件。所以在破解它时同破解snigit的软件是相同的。现在开始破解，在输入注册码前，你一定要写一个表格后，才能输入注册码。记得一定要是公司的名字才是有效的。
:0040DCFA 8BD8 mov ebx, eax <-从这里出来
:0040DCFC 83FB12 cmp ebx, 00000012
:0040DCFF 0F8C4B010000 jl 0040DE50
程序在这里比较你的注册码是否小于18位，所以在这里可以设RN：01234567890123456789，向下追踪：
:0040DD05 8D4760 lea eax, dword ptr [edi+60]

* Possible StringData Ref from Data Obj ->"0123456789ABCDEF-"
|
:0040DD08 6854CD4500 push 0045CD54
:0040DD0D 50 push eax
:0040DD0E E8ED4F0100 call 00422D00
:0040DD13 59 pop ecx
:0040DD14 3BC3 cmp eax, ebx
:0040DD16 59 pop ecx
:0040DD17 0F8533010000 jne 0040DE50
:0040DD1D 8D4F60 lea ecx, dword ptr [edi+60]
:0040DD20 8D5C3B60 lea ebx, dword ptr [ebx+edi+60]
:0040DD24 3BCB cmp ecx, ebx
:0040DD26 8BC1 mov eax, ecx
:0040DD28 7312 jnb 0040DD3C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040DD30(U), :0040DD3A(C)
|
:0040DD2A 80392D cmp byte ptr [ecx], 2D
:0040DD2D 7503 jne 0040DD32
:0040DD2F 41 inc ecx
:0040DD30 EBF8 jmp 0040DD2A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD2D(C)
|
:0040DD32 8A11 mov dl, byte ptr [ecx]
:0040DD34 8810 mov byte ptr [eax], dl
:0040DD36 40 inc eax
:0040DD37 41 inc ecx
:0040DD38 3BC3 cmp eax, ebx
:0040DD3A 72EE jb 0040DD2A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD28(C)
|
:0040DD3C 802000 and byte ptr [eax], 00
:0040DD3F 8D4760 lea eax, dword ptr [edi+60]
:0040DD42 50 push eax
:0040DD43 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD46 E8CD4C0200 call 00432A18
:0040DD4B 8D45F8 lea eax, dword ptr [ebp-08]

* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0040DD4E 6A04 push 00000004
:0040DD50 50 push eax
:0040DD51 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD54 8D5F5C lea ebx, dword ptr [edi+5C]
:0040DD57 E8DC1E0200 call 0042FC38
:0040DD5C 50 push eax
:0040DD5D 8BCB mov ecx, ebx
:0040DD5F E8334D0200 call 00432A97
:0040DD64 8D4DF8 lea ecx, dword ptr [ebp-08]
:0040DD67 E83E4C0200 call 004329AA
:0040DD6C 8B45FC mov eax, dword ptr [ebp-04]
:0040DD6F 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD72 8B40F8 mov eax, dword ptr [eax-08]
:0040DD75 83C0FC add eax, FFFFFFFC
:0040DD78 50 push eax
:0040DD79 8D45F8 lea eax, dword ptr [ebp-08]
:0040DD7C 50 push eax
:0040DD7D E8321F0200 call 0042FCB4
:0040DD82 50 push eax
:0040DD83 8D4DFC lea ecx, dword ptr [ebp-04]
:0040DD86 E80C4D0200 call 00432A97
:0040DD8B 8D4DF8 lea ecx, dword ptr [ebp-08]
:0040DD8E E8174C0200 call 004329AA
:0040DD93 8B1B mov ebx, dword ptr [ebx]
:0040DD95 6A10 push 00000010
:0040DD97 6A05 push 00000005
:0040DD99 8BCE mov ecx, esi
:0040DD9B FF75FC push [ebp-04]
:0040DD9E 53 push ebx
:0040DD9F E864190000 call 0040F708
:0040DDA4 6A01 push 00000001
:0040DDA6 8BD8 mov ebx, eax
:0040DDA8 58 pop eax
:0040DDA9 3AD8 cmp bl, al *******
:0040DDAB 0F8583000000 jne 0040DE34
:0040DDB1 83A6D000000000 and dword ptr [esi+000000D0], 00000000
:0040DDB8 8986C4000000 mov dword ptr [esi+000000C4], eax
:0040DDBE 8D4760 lea eax, dword ptr [edi+60]
:0040DDC1 8BCE mov ecx, esi
:0040DDC3 50 push eax

* Possible StringData Ref from Data Obj ->"RegistrationKey"
|
:0040DDC4 6844CD4500 push 0045CD44

* Possible StringData Ref from Data Obj ->"Settings"
|
:0040DDC9 6864C64500 push 0045C664
:0040DDCE E8D4100300 call 0043EEA7
:0040DDD3 8B761C mov esi, dword ptr [esi+1C]
:0040DDD6 FF761C push [esi+1C]
程序在***处是一个关键的跳跃，因为下面有一个比较明显的地方，"RegistrationKey"这个地方就是程序将要向注册表中写入数据的键值，所以现在应当分析一下那个比较的地方。现在就进入call 0040F708中。
:0040F708 55 push ebp
:0040F709 8BEC mov ebp, esp
:0040F70B 83EC4C sub esp, 0000004C
:0040F70E 8365F800 and dword ptr [ebp-08], 00000000
:0040F712 8065FE00 and byte ptr [ebp-02], 00
:0040F716 53 push ebx
:0040F717 56 push esi
:0040F718 57 push edi
:0040F719 6A0F push 0000000F
:0040F71B 8D45E8 lea eax, dword ptr [ebp-18]
:0040F71E 6A00 push 00000000
:0040F720 8BD9 mov ebx, ecx
:0040F722 50 push eax
:0040F723 C645FF01 mov [ebp-01], 01
:0040F727 E8F4300100 call 00422820
:0040F72C 8B7D0C mov edi, dword ptr [ebp+0C]

* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:0040F72F 8B35D0C24400 mov esi, dword ptr [0044C2D0]
:0040F735 83C40C add esp, 0000000C
:0040F738 57 push edi
:0040F739 FFD6 call esi
:0040F73B 50 push eax
:0040F73C 8D45E8 lea eax, dword ptr [ebp-18]
:0040F73F 57 push edi
:0040F740 50 push eax
:0040F741 E86A290100 call 004220B0
:0040F746 83C40C add esp, 0000000C
:0040F749 66837D1005 cmp word ptr [ebp+10], 0005
:0040F74E 7413 je 0040F763
:0040F750 66837D1006 cmp word ptr [ebp+10], 0006
:0040F755 740C je 0040F763
:0040F757 FF7508 push [ebp+08]
:0040F75A 8BCB mov ecx, ebx
:0040F75C E8BD000000 call 0040F81E
:0040F761 EB0F jmp 0040F772

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F74E(C), :0040F755(C)
|
:0040F763 6A10 push 00000010
:0040F765 6A00 push 00000000
:0040F767 FF7508 push [ebp+08]
:0040F76A E890390100 call 004230FF
:0040F76F 83C40C add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F761(U)
|
:0040F772 8945F8 mov dword ptr [ebp-08], eax
:0040F775 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F778 50 push eax
:0040F779 E8B0070100 call 0041FF2E
:0040F77E 85C0 test eax, eax
:0040F780 59 pop ecx
:0040F781 7509 jne 0040F78C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F7A0(C), :0040F7B6(C)
|
:0040F783 8065FF00 and byte ptr [ebp-01], 00
:0040F787 E983000000 jmp 0040F80F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F781(C)
|
:0040F78C 8D4510 lea eax, dword ptr [ebp+10]
:0040F78F 6A02 push 00000002
:0040F791 50 push eax
:0040F792 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F795 50 push eax
:0040F796 E89F070100 call 0041FF3A
:0040F79B 83C40C add esp, 0000000C
:0040F79E 85C0 test eax, eax
:0040F7A0 74E1 je 0040F783
:0040F7A2 8D45F8 lea eax, dword ptr [ebp-08]
:0040F7A5 6A02 push 00000002
:0040F7A7 50 push eax
:0040F7A8 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F7AB 50 push eax
:0040F7AC E889070100 call 0041FF3A
:0040F7B1 83C40C add esp, 0000000C
:0040F7B4 85C0 test eax, eax
:0040F7B6 74CB je 0040F783
:0040F7B8 8D45E8 lea eax, dword ptr [ebp-18]
:0040F7BB 50 push eax
:0040F7BC 8D45B4 lea eax, dword ptr [ebp-4C]
:0040F7BF 50 push eax
:0040F7C0 E823080100 call 0041FFE8
:0040F7C5 59 pop ecx
:0040F7C6 85C0 test eax, eax
:0040F7C8 59 pop ecx
:0040F7C9 7509 jne 0040F7D4
:0040F7CB 2045FF and byte ptr [ebp-01], al *****
:0040F7CE C645FE0A mov [ebp-02], 0A
:0040F7D2 EB3B jmp 0040F80F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7C9(C)
|
:0040F7D4 0FB75D14 movzx ebx, word ptr [ebp+14]
:0040F7D8 57 push edi
:0040F7D9 FFD6 call esi
:0040F7DB 83F80E cmp eax, 0000000E
:0040F7DE 7C27 jl 0040F807
:0040F7E0 83C70C add edi, 0000000C
:0040F7E3 6A02 push 00000002
:0040F7E5 57 push edi
:0040F7E6 E886070100 call 0041FF71 /*/*/*/*/*
:0040F7EB 59 pop ecx
:0040F7EC 83F841 cmp eax, 00000041
:0040F7EF 59 pop ecx
:0040F7F0 7304 jnb 0040F7F6
:0040F7F2 33C0 xor eax, eax
:0040F7F4 EB03 jmp 0040F7F9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F0(C)
|
:0040F7F6 83E841 sub eax, 00000041

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7F4(U)
|
:0040F7F9 3BC3 cmp eax, ebx
:0040F7FB 7312 jnb 0040F80F
:0040F7FD 8065FF00 and byte ptr [ebp-01], 00
:0040F801 C645FE0B mov [ebp-02], 0B
:0040F805 EB08 jmp 0040F80F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F7DE(C)
|
:0040F807 8065FF00 and byte ptr [ebp-01], 00
:0040F80B C645FE0C mov [ebp-02], 0C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F787(U), :0040F7D2(U), :0040F7FB(C), :0040F805(U)
|
:0040F80F 33C0 xor eax, eax
:0040F811 5F pop edi
:0040F812 8A65FE mov ah, byte ptr [ebp-02]
:0040F815 5E pop esi
:0040F816 8A45FF mov al, byte ptr [ebp-01]
:0040F819 5B pop ebx
:0040F81A C9 leave
:0040F81B C21000 ret 0010
现在进入后分析一下，我们将要得到什么值才能在外面的那个比较的地方不跳跃，应当是al值，所以这里将先看一看al返回前那个值是由什么决定的。现在先从后面来看一看，发现程序将使用[ebp-01]来决定al值，那么就先分析[ebp-01]的的值在什么地方可以变化。因为在外面的比较地方只有当al=1时，才能注册成功，所以看一看在哪里可以得到[ebp-01]=1。我们发现在*****处可以使用[ebp-01]=al，当al=1时就满足条件的。所以进入call 0041FFE8中
:0041FFE8 55 push ebp
:0041FFE9 8BEC mov ebp, esp
:0041FFEB 83EC7C sub esp, 0000007C
:0041FFEE 6A30 push 00000030
:0041FFF0 33C9 xor ecx, ecx
:0041FFF2 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420000(C)
|
:0041FFF3 0FB7D1 movzx edx, cx
:0041FFF6 41 inc ecx
:0041FFF7 884415EC mov byte ptr [ebp+edx-14], al
:0041FFFB 40 inc eax
:0041FFFC 663D3900 cmp ax, 0039
:00420000 76F1 jbe 0041FFF3
:00420002 6A41 push 00000041
:00420004 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420012(C)
|
:00420005 0FB7D1 movzx edx, cx
:00420008 41 inc ecx
:00420009 884415EC mov byte ptr [ebp+edx-14], al
:0042000D 40 inc eax
:0042000E 663D4600 cmp ax, 0046
:00420012 76F1 jbe 00420005
:00420014 53 push ebx
:00420015 56 push esi
:00420016 57 push edi
:00420017 8B7D0C mov edi, dword ptr [ebp+0C]
:0042001A 6A02 push 00000002
:0042001C 894DFC mov dword ptr [ebp-04], ecx
:0042001F 8D470C lea eax, dword ptr [edi+0C]
:00420022 50 push eax
:00420023 E849FFFFFF call 0041FF71
:00420028 8B7508 mov esi, dword ptr [ebp+08]
:0042002B 8945FC mov dword ptr [ebp-04], eax
:0042002E 8D45FC lea eax, dword ptr [ebp-04]
:00420031 6A02 push 00000002
:00420033 50 push eax
:00420034 56 push esi
:00420035 E800FFFFFF call 0041FF3A
:0042003A 8D4708 lea eax, dword ptr [edi+08]

* Possible Reference to Dialog: DialogID_0095, CONTROL_ID:0004, "Open"
|
:0042003D 6A04 push 00000004
:0042003F 50 push eax
:00420040 E82CFFFFFF call 0041FF71
:00420045 8945FC mov dword ptr [ebp-04], eax
:00420048 8D45FC lea eax, dword ptr [ebp-04]
:0042004B 6A02 push 00000002
:0042004D 50 push eax
:0042004E 56 push esi
:0042004F E8E6FEFFFF call 0041FF3A
:00420054 8D4584 lea eax, dword ptr [ebp-7C]
:00420057 50 push eax
:00420058 E825F5FFFF call 0041F582
:0042005D 0FB706 movzx eax, word ptr [esi]
:00420060 8D5E02 lea ebx, dword ptr [esi+02]
:00420063 50 push eax
:00420064 8D4584 lea eax, dword ptr [ebp-7C]
:00420067 53 push ebx
:00420068 50 push eax
:00420069 E83CF5FFFF call 0041F5AA
:0042006E 8D4584 lea eax, dword ptr [ebp-7C]
:00420071 50 push eax
:00420072 8D45DC lea eax, dword ptr [ebp-24]
:00420075 50 push eax
:00420076 E8CDF5FFFF call 0041F648
:0042007B 83C440 add esp, 00000040
:0042007E 6A32 push 00000032
:00420080 6A00 push 00000000
:00420082 53 push ebx
:00420083 E898270000 call 00422820
:00420088 83C40C add esp, 0000000C
:0042008B 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200B1(C)
|
:0042008D 0FB7F3 movzx esi, bx
:00420090 8BC6 mov eax, esi
:00420092 D1E8 shr eax, 1
:00420094 8A0438 mov al, byte ptr [eax+edi]
:00420097 50 push eax
:00420098 E834FFFFFF call 0041FFD1
:0042009D 59 pop ecx
:0042009E 8A4C35DC mov cl, byte ptr [ebp+esi-24]
:004200A2 83E10F and ecx, 0000000F
:004200A5 38440DEC cmp byte ptr [ebp+ecx-14], al ***
:004200A9 7510 jne 004200BB
:004200AB 43 inc ebx
:004200AC 43 inc ebx
:004200AD 6683FB10 cmp bx, 0010
:004200B1 72DA jb 0042008D
:004200B3 6A01 push 00000001
:004200B5 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004200BD(U)
|
:004200B6 5F pop edi
:004200B7 5E pop esi
:004200B8 5B pop ebx
:004200B9 C9 leave
:004200BA C3 ret
进入这里后你将发现这里将是比较的关键地方，你可以看到***不断同你输入的注册码进行比较，在这里你就可以得到你的注册码前8位的值，这样就可以得到注册码了。但是象你这样输入的注册码程序提示是以前的注册码，那么如何再分析呢？这个就是一个经验了，因为在以前破解那个snagit时也遇到过这样的问题，如何解决呢？就是程序将在下面将使用得到这样的结论，如下：
:0040F7E3 6A02 push 00000002
:0040F7E5 57 push edi 第13，14位值（如：23）
:0040F7E6 E886070100 call 0041FF71 /*/*/*/*/*
:0040F7EB 59 pop ecx
:0040F7EC 83F841 cmp eax, 00000041 eax=23
:0040F7EF 59 pop ecx
:0040F7F0 7304 jnb 0040F7F6
:0040F7F2 33C0 xor eax, eax
:0040F7F4 EB03 jmp 0040F7F9
这里是程序从上面的call下来后，到达这里，这个edi经分析是第13，14位值，并且在下面使用这两个值同41比较，如果你输入的注册码中第13，14位值合并后小于这个41的话，程序就认为是以前的版本，所以在这里只要先将第13位设大于4的数就可以了。
现在设RN：01234567FFFFFFFFFF
再进行上面的那个验证过程，就可以得到下面的注册码了。

*****************************
* RN：E20C37EBFFFFFFFFFF *
*****************************