超級屏捕 v3.30

标题：超級屏捕 v3.30 破解過程 (16千字)
作者：夢幻紫雲
时间：2002-1-20 18:09:51
链接：http://bbs.pediy.com

破解後，只要輸入24位註冊碼，就可以註冊成功囉~~
抗crack工具, 這次我先說這裡,和V3.20有點不同
* Reference To: USER32.SetTimer, Ord:0239h
|
:00401B1E 8B3DFCE74B00 mov edi, dword ptr [004BE7FC]
:00401B24 85C0 test eax, eax
:00401B26 740F je 00401B37 這裡一定要跳,建議改這裡直接跳過去
把 74 0F ==>> EB 3F
也就是 JMP 00401B67
:00401B28 8B4E1C mov ecx, dword ptr [esi+1C]
:00401B2B 6A00 push 00000000
:00401B2D 6830750000 push 00007530
:00401B32 6A04 push 00000004
:00401B34 51 push ecx
:00401B35 FFD7 call edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B26(C)
|
:00401B37 E844960200 call 0042B180 這裡是CRACK工具檢測,去看有那些工具
:00401B3C 85C0 test eax, eax
:00401B3E 740F je 00401B4F 這裡一定要跳
:00401B40 8B561C mov edx, dword ptr [esi+1C]
:00401B43 6A00 push 00000000
:00401B45 6830750000 push 00007530
:00401B4A 6A04 push 00000004
:00401B4C 52 push edx
:00401B4D FFD7 call edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B3E(C)
|
* Reference To: KERNEL32.IsDebuggerPresent, Ord:021Bh
調用IsDebuggerPresent()來檢測是否有調試器存在。
這個函數只能檢查使用 Debug API 來跟蹤程序的調試器。
:00401B4F E8DC950200 Call 0042B130
:00401B54 85C0 test eax, eax
:00401B56 740F je 00401B67 這裡一定要跳
:00401B58 8B461C mov eax, dword ptr [esi+1C]
:00401B5B 6A00 push 00000000
:00401B5D 6830750000 push 00007530
:00401B62 6A04 push 00000004
:00401B64 50 push eax
:00401B65 FFD7 call edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B56(C)
|
:00401B67 8B4E1C mov ecx, dword ptr [esi+1C]
:00401B6A 6A00 push 00000000
:00401B6C 6860EA0000 push 0000EA60
:00401B71 6A05 push 00000005
:00401B73 51 push ecx
:00401B74 FFD7 call edi
:00401B76 5F pop edi
:00401B77 5E pop esi
:00401B78 33C0 xor eax, eax
:00401B7A 5B pop ebx
:00401B7B 83C440 add esp, 00000040
:00401B7E C20400 ret 0004

這裡是檢測CRACK工具內容
* Referenced by a CALL at Address:
|:00401B37
|
* Possible StringData Ref from Code Obj ->"\\.\SICE" 這是 SoftIce Windows 9x版本
|
:0042B180 6864034F00 push 004F0364
:0042B185 E8B6FFFFFF call 0042B140
:0042B18A 83C404 add esp, 00000004
:0042B18D 85C0 test eax, eax
:0042B18F 7406 je 0042B197
:0042B191 B801000000 mov eax, 00000001
:0042B196 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B18F(C)
|
* Possible StringData Ref from Code Obj ->"\\.\NTICE" 這是 SoftIce Windows NT版本
|
:0042B197 6858034F00 push 004F0358
:0042B19C E89FFFFFFF call 0042B140
:0042B1A1 83C404 add esp, 00000004
:0042B1A4 85C0 test eax, eax
:0042B1A6 7406 je 0042B1AE
:0042B1A8 B801000000 mov eax, 00000001
:0042B1AD C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1A6(C)
|
* Possible StringData Ref from Code Obj ->"\\.\FILEMON" 這是 File Moniter
|監視系統中各文件讀寫操作，特別適合破解 Key File 保護的軟件
:0042B1AE 684C034F00 push 004F034C
:0042B1B3 E888FFFFFF call 0042B140
:0042B1B8 83C404 add esp, 00000004
:0042B1BB 85C0 test eax, eax
:0042B1BD 7406 je 0042B1C5
:0042B1BF B801000000 mov eax, 00000001
:0042B1C4 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1BD(C)
|
* Possible StringData Ref from Code Obj ->"\\.\REGMON" 這是 Registry Moniter
|監視各軟件對註冊的讀取操作
:0042B1C5 6840034F00 push 004F0340
:0042B1CA E871FFFFFF call 0042B140
:0042B1CF 83C404 add esp, 00000004
:0042B1D2 85C0 test eax, eax
:0042B1D4 7406 je 0042B1DC
:0042B1D6 B801000000 mov eax, 00000001
:0042B1DB C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1D4(C)
|
* Possible StringData Ref from Code Obj ->"\\.\TRW" 這是 TRWIN
|
:0042B1DC 6838034F00 push 004F0338
:0042B1E1 E85AFFFFFF call 0042B140
:0042B1E6 83C404 add esp, 00000004
:0042B1E9 85C0 test eax, eax
:0042B1EB 7406 je 0042B1F3
:0042B1ED B801000000 mov eax, 00000001
:0042B1F2 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1EB(C)
|
* Possible StringData Ref from Code Obj ->"\\.\TRWDEBUG" 這是 TRWIN
|
:0042B1F3 6828034F00 push 004F0328
:0042B1F8 E843FFFFFF call 0042B140
:0042B1FD 83C404 add esp, 00000004
:0042B200 85C0 test eax, eax
:0042B202 7406 je 0042B20A
:0042B204 B801000000 mov eax, 00000001
:0042B209 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B202(C)
|
* Possible StringData Ref from Code Obj ->"\\.\ICEDUMP"
|
:0042B20A 681C034F00 push 004F031C
:0042B20F E82CFFFFFF call 0042B140
:0042B214 83C404 add esp, 00000004
:0042B217 F7D8 neg eax
:0042B219 1BC0 sbb eax, eax
:0042B21B F7D8 neg eax
:0042B21D C3 ret

:00424F7C 50 push eax
:00424F7D 688D040000 push 0000048D
:00424F82 E8D9880700 call 0049D860
:00424F87 83F818 cmp eax, 00000018 這裡是判斷你輸入的註冊碼是否有24位
:00424F8A 741A je 00424FA6
:00424F8C 8B8EA8020000 mov ecx, dword ptr [esi+000002A8]
:00424F92 6A00 push 00000000
:00424F94 6A10 push 00000010

* Possible StringData Ref from Code Obj ->"Incomplete or incorrect Registration-Number. "
->"Please input again!"
|
:00424F96 6894EE4E00 push 004EEE94
:00424F9B E8309BFFFF call 0041EAD0
:00424FA0 5F pop edi
:00424FA1 5E pop esi
:00424FA2 83C424 add esp, 00000024
:00424FA5 C3 ret

* Reference To: USER32.KillTimer, Ord:0196h
|
:004252BD FF15C8E74B00 Call dword ptr [004BE7C8]
:004252C3 6A00 push 00000000
:004252C5 E8B4020600 call 0048557E
:004252CA 8B15B8165000 mov edx, dword ptr [005016B8]
:004252D0 83C404 add esp, 00000004
:004252D3 2BC2 sub eax, edx
:004252D5 83F805 cmp eax, 00000005
:004252D8 0F83BC000000 jnb 0042539A
:004252DE A1B4165000 mov eax, dword ptr [005016B4] 這裡是取出註冊標誌
:004252E3 85C0 test eax, eax eax=1 註冊成功 eax=0 註冊失敗
:004252E5 0F849F000000 je 0042538A 就是這裡~不可跳~但不建議改這
:004252EB 8B13 mov edx, dword ptr [ebx]
:004252ED 57 push edi
:004252EE 8BCB mov ecx, ebx
:004252F0 FF92C8000000 call dword ptr [edx+000000C8]
:004252F6 8D44240C lea eax, dword ptr [esp+0C]
:004252FA 50 push eax
:004252FB E83075FFFF call 0041C830
:00425300 BF84165000 mov edi, 00501684
:00425305 83C9FF or ecx, FFFFFFFF
:00425308 33C0 xor eax, eax
:0042530A 8D9424B0030000 lea edx, dword ptr [esp+000003B0]
:00425311 F2 repnz
:00425312 AE scasb
:00425313 F7D1 not ecx
:00425315 2BF9 sub edi, ecx
:00425317 8BC1 mov eax, ecx
:00425319 8BF7 mov esi, edi
:0042531B 8BFA mov edi, edx
:0042531D C1E902 shr ecx, 02
:00425320 F3 repz
:00425321 A5 movsd
:00425322 8BC8 mov ecx, eax
:00425324 83E103 and ecx, 00000003
:00425327 F3 repz
:00425328 A4 movsb
:00425329 8D4C2410 lea ecx, dword ptr [esp+10]
:0042532D 51 push ecx
:0042532E E83D75FFFF call 0041C870
:00425333 8B8BA8020000 mov ecx, dword ptr [ebx+000002A8]
:00425339 83C408 add esp, 00000008
:0042533C 6A00 push 00000000
:0042533E 6A10 push 00000010

* Possible StringData Ref from Code Obj ->"Registe Ok!" 這裡就是註冊成功的訊息囉~往上看
|
:00425340 68D8EE4E00 push 004EEED8
:00425345 E88697FFFF call 0041EAD0
:0042534A 8B1588DE4F00 mov edx, dword ptr [004FDE88]

* Reference To: USER32.PostMessageA, Ord:01D9h
|
:00425350 8B35F8E74B00 mov esi, dword ptr [004BE7F8]
:00425356 6A00 push 00000000
:00425358 6A00 push 00000000
:0042535A 6853050000 push 00000553
:0042535F 52 push edx
:00425360 FFD6 call esi
:00425362 A17C165000 mov eax, dword ptr [0050167C]
:00425367 5F pop edi
:00425368 85C0 test eax, eax
:0042536A 742E je 0042539A
:0042536C 6A00 push 00000000
:0042536E 6A00 push 00000000
:00425370 6853050000 push 00000553
:00425375 50 push eax
:00425376 FFD6 call esi
:00425378 8BCB mov ecx, ebx
:0042537A E880550700 call 0049A8FF
:0042537F 5E pop esi
:00425380 5B pop ebx
:00425381 81C4BC0A0000 add esp, 00000ABC
:00425387 C20400 ret 0004

找那裡存 [005016B4] 註冊標誌
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042377D(C)
|
:0042373C 8B47F8 mov eax, dword ptr [edi-08]
:0042373F 8B57FC mov edx, dword ptr [edi-04]
:00423742 8B4F04 mov ecx, dword ptr [edi+04]
:00423745 03C2 add eax, edx
:00423747 8B17 mov edx, dword ptr [edi]
:00423749 03C1 add eax, ecx
:0042374B 03C2 add eax, edx
:0042374D 33D2 xor edx, edx
:0042374F B91A000000 mov ecx, 0000001A
:00423754 F7F1 div ecx
:00423756 8B442410 mov eax, dword ptr [esp+10]
:0042375A 8910 mov dword ptr [eax], edx
:0042375C 8B942448050000 mov edx, dword ptr [esp+00000548]
:00423763 8A0C2A mov cl, byte ptr [edx+ebp]
:00423766 33D2 xor edx, edx
:00423768 3A08 cmp cl, byte ptr [eax]
:0042376A 0F94C2 sete dl 當相等，dl=1
就改這~ 0F 94 C2 ==>> 42 90 90
就是 INC EDX
NOP
NOP
:0042376D 23F2 and esi, edx 這裡是關鍵
:0042376F 45 inc ebp
:00423770 83C710 add edi, 00000010
:00423773 83C004 add eax, 00000004
:00423776 83FD10 cmp ebp, 00000010
:00423779 89442410 mov dword ptr [esp+10], eax
:0042377D 72BD jb 0042373C
:0042377F 6A00 push 00000000
:00423781 89B424AC000000 mov dword ptr [esp+000000AC], esi
:00423788 E8F11D0600 call 0048557E
:0042378D 8B7C2460 mov edi, dword ptr [esp+60]
:00423791 83C404 add esp, 00000004
:00423794 2BC7 sub eax, edi
:00423796 83F802 cmp eax, 00000002
:00423799 0F87BB030000 ja 00423B5A
:0042379F 6A00 push 00000000
:004237A1 E8D81D0600 call 0048557E
:004237A6 2BC7 sub eax, edi
:004237A8 83C404 add esp, 00000004
:004237AB 83F802 cmp eax, 00000002
:004237AE 0F87A6030000 ja 00423B5A
:004237B4 33C0 xor eax, eax
:004237B6 8D8C24BC010000 lea ecx, dword ptr [esp+000001BC]
:004237BD 89442444 mov dword ptr [esp+44], eax
:004237C1 894C241C mov dword ptr [esp+1C], ecx
:004237C5 EB07 jmp 004237CE 由這往向上看

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423B44(C)
|
:004237C7 8BB424A8000000 mov esi, dword ptr [esp+000000A8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004237C5(U) 由004237C5來到這
|
:004237CE 8B54241C mov edx, dword ptr [esp+1C]
:004237D2 8D8C843C040000 lea ecx, dword ptr [esp+4*eax+0000043C]
:004237D9 894C244C mov dword ptr [esp+4C], ecx
:004237DD 83E00F and eax, 0000000F
:004237E0 0FBF12 movsx edx, word ptr [edx]
:004237E3 8911 mov dword ptr [ecx], edx
:004237E5 8935B4165000 mov dword ptr [005016B4], esi 這裡就是存註冊標誌的地方,向上看
:004237EB 0FBE4B07 movsx ecx, byte ptr [ebx+07]
:004237EF 0FBE7301 movsx esi, byte ptr [ebx+01]

CRC校驗
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041D32D(C), :0041D340(C)
|
:0041D347 E814DF0000 call 0042B260
:0041D34C 85C0 test eax, eax
:0041D34E 7404 je 0041D354 改這比較好~ 74 04 ==>> EB 31
也就是 JMP 0041D381
:0041D350 85F6 test esi, esi
:0041D352 742D je 0041D381 這裡就可以跳過去囉~但不改這

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D34E(C)
|
:0041D354 8B471C mov eax, dword ptr [edi+1C]
:0041D357 6A05 push 00000005
:0041D359 50 push eax

* Reference To: USER32.KillTimer, Ord:0196h
|
:0041D35A FF15C8E74B00 Call dword ptr [004BE7C8]
:0041D360 6A00 push 00000000
:0041D362 6A00 push 00000000

* Possible StringData Ref from Code Obj ->"SuperCapture not properly installed "
->"! Please download new version "
->"at: http://www.SueprCapture.com "
->"and reinstall SuperCapture!"
| 看到上面的訊息~所以往上看
:0041D364 6830E44E00 push 004EE430
:0041D369 E88CB30800 call 004A86FA
:0041D36E 8B4F1C mov ecx, dword ptr [edi+1C]
:0041D371 6A00 push 00000000
:0041D373 6A00 push 00000000
:0041D375 6854050000 push 00000554
:0041D37A 51 push ecx

* Reference To: USER32.PostMessageA, Ord:01D9h
|
:0041D37B FF15F8E74B00 Call dword ptr [004BE7F8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D352(C)
|
:0041D381 5F pop edi
:0041D382 5E pop esi
:0041D383 C3 ret