破解後,只要輸入24位註冊碼,就可以註冊成功囉~~
反crack工具檢測的部分,這次我先從這裡說起,和V3.20有點不同
* Reference To: USER32.SetTimer, Ord:0239h
|
:00401B1E 8B3DFCE74B00 mov edi, dword
ptr [004BE7FC]
:00401B24 85C0
test eax, eax
:00401B26 740F
je 00401B37 這裡一定要跳,建議改這裡直接跳過去
把 74 0F ==>> EB 3F
也就是 JMP 00401B67
:00401B28 8B4E1C
mov ecx, dword ptr [esi+1C]
:00401B2B 6A00
push 00000000
:00401B2D 6830750000 push 00007530
:00401B32 6A04
push 00000004
:00401B34 51
push ecx
:00401B35 FFD7
call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B26(C)
|
:00401B37 E844960200 call 0042B180
這裡是CRACK工具檢測,進去看它檢查哪些工具
:00401B3C 85C0
test eax, eax
:00401B3E 740F
je 00401B4F 這裡一定要跳
:00401B40 8B561C
mov edx, dword ptr [esi+1C]
:00401B43 6A00
push 00000000
:00401B45 6830750000 push 00007530
:00401B4A 6A04
push 00000004
:00401B4C 52
push edx
:00401B4D FFD7
call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B3E(C)
|
* Reference To: KERNEL32.IsDebuggerPresent, Ord:021Bh
調用IsDebuggerPresent()來檢測是否有調試器存在。
這個函數只能檢查使用 Debug API 來跟蹤程序的調試器。
:00401B4F E8DC950200 Call 0042B130
:00401B54 85C0
test eax, eax
:00401B56 740F
je 00401B67 這裡一定要跳
:00401B58 8B461C
mov eax, dword ptr [esi+1C]
:00401B5B 6A00
push 00000000
:00401B5D 6830750000 push 00007530
:00401B62 6A04
push 00000004
:00401B64 50
push eax
:00401B65 FFD7
call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B56(C)
|
:00401B67 8B4E1C
mov ecx, dword ptr [esi+1C]
:00401B6A 6A00
push 00000000
:00401B6C 6860EA0000 push 0000EA60
:00401B71 6A05
push 00000005
:00401B73 51
push ecx
:00401B74 FFD7
call edi
:00401B76 5F
pop edi
:00401B77 5E
pop esi
:00401B78 33C0
xor eax, eax
:00401B7A 5B
pop ebx
:00401B7B 83C440
add esp, 00000040
:00401B7E C20400
ret 0004
這裡是檢測CRACK工具內容
;-----------------------------------------------------------------------
; Routine at 0042B180 (W32Dasm listing, 32-bit x86): analysis-tool probe.
;
; Runs seven probes in sequence. Each probe pushes the address of one
; string (W32Dasm resolves them to "\\.\SICE", "\\.\NTICE", "\\.\FILEMON",
; "\\.\REGMON", "\\.\TRW", "\\.\TRWDEBUG", "\\.\ICEDUMP"), calls the helper
; at 0042B140 and then drops the single argument with `add esp, 4`, so the
; caller cleans the stack.
;
; Out:   eax = 1 as soon as any probe returns non-zero, otherwise 0.
; Clobb: eax, flags (plus whatever 0042B140 clobbers).
;
; The helper at 0042B140 is not part of this listing; presumably it tries
; to open the named device and reports whether that worked -- confirm.
;
; NOTE(review): the verdict is a single 0/1 value that the one visible
; caller checks with one `test eax, eax` / `je` pair (00401B3C-00401B3E),
; and the probe list is a fixed set of names. Seen as a protection design
; this is a tripwire with one decision point, not a control that the
; licence logic can depend on.
;-----------------------------------------------------------------------
* Referenced by a CALL at Address:
|:00401B37
|
; Probe 1 -- original annotation on the next line: SoftICE, Windows 9x build.
* Possible StringData Ref from Code Obj ->"\\.\SICE" 這是 SoftIce Windows
9x版本
|
:0042B180 6864034F00 push 004F0364
:0042B185 E8B6FFFFFF call 0042B140
:0042B18A 83C404
add esp, 00000004
:0042B18D 85C0
test eax, eax
:0042B18F 7406
; helper returned 0 -> fall through to the next probe
je 0042B197
; helper returned non-zero -> report 1 and stop probing
:0042B191 B801000000 mov eax,
00000001
:0042B196 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B18F(C)
|
; Probe 2 -- original annotation: SoftICE, Windows NT build.
* Possible StringData Ref from Code Obj ->"\\.\NTICE" 這是 SoftIce Windows
NT版本
|
:0042B197 6858034F00 push 004F0358
:0042B19C E89FFFFFFF call 0042B140
:0042B1A1 83C404
add esp, 00000004
:0042B1A4 85C0
test eax, eax
:0042B1A6 7406
je 0042B1AE
:0042B1A8 B801000000 mov eax,
00000001
:0042B1AD C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1A6(C)
|
; Probe 3 -- original annotation: File Monitor, a tool that logs file
; read/write activity across the system.
* Possible StringData Ref from Code Obj ->"\\.\FILEMON" 這是 File Moniter
|監視系統中各文件讀寫操作,特別適合破解 Key File 保護的軟件
:0042B1AE 684C034F00 push 004F034C
:0042B1B3 E888FFFFFF call 0042B140
:0042B1B8 83C404
add esp, 00000004
:0042B1BB 85C0
test eax, eax
:0042B1BD 7406
je 0042B1C5
:0042B1BF B801000000 mov eax,
00000001
:0042B1C4 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1BD(C)
|
; Probe 4 -- original annotation: Registry Monitor, a tool that logs
; programs' registry reads.
* Possible StringData Ref from Code Obj ->"\\.\REGMON" 這是 Registry Moniter
|監視各軟件對註冊的讀取操作
:0042B1C5 6840034F00 push 004F0340
:0042B1CA E871FFFFFF call 0042B140
:0042B1CF 83C404
add esp, 00000004
:0042B1D2 85C0
test eax, eax
:0042B1D4 7406
je 0042B1DC
:0042B1D6 B801000000 mov eax,
00000001
:0042B1DB C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1D4(C)
|
; Probe 5 -- original annotation: TRWIN.
* Possible StringData Ref from Code Obj ->"\\.\TRW" 這是 TRWIN
|
:0042B1DC 6838034F00 push 004F0338
:0042B1E1 E85AFFFFFF call 0042B140
:0042B1E6 83C404
add esp, 00000004
:0042B1E9 85C0
test eax, eax
:0042B1EB 7406
je 0042B1F3
:0042B1ED B801000000 mov eax,
00000001
:0042B1F2 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1EB(C)
|
; Probe 6 -- original annotation: TRWIN (second device name).
* Possible StringData Ref from Code Obj ->"\\.\TRWDEBUG" 這是 TRWIN
|
:0042B1F3 6828034F00 push 004F0328
:0042B1F8 E843FFFFFF call 0042B140
:0042B1FD 83C404
add esp, 00000004
:0042B200 85C0
test eax, eax
:0042B202 7406
je 0042B20A
:0042B204 B801000000 mov eax,
00000001
:0042B209 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B202(C)
|
; Probe 7 (last) -- no annotation in the original. There is no branch
; here: the helper's result is normalised to 0/1 and returned directly.
* Possible StringData Ref from Code Obj ->"\\.\ICEDUMP"
|
:0042B20A 681C034F00 push 004F031C
:0042B20F E82CFFFFFF call 0042B140
:0042B214 83C404
add esp, 00000004
:0042B217 F7D8
; neg sets CF exactly when eax != 0
neg eax
:0042B219 1BC0
; eax = -CF, i.e. 0 or 0xFFFFFFFF
sbb eax, eax
:0042B21B F7D8
; eax = 1 if the helper returned non-zero, else 0
neg eax
:0042B21D C3
ret
:00424F7C 50
push eax
:00424F7D 688D040000 push 0000048D
:00424F82 E8D9880700 call 0049D860
:00424F87 83F818
cmp eax, 00000018 這裡是判斷你輸入的註冊碼是否有24位
:00424F8A 741A
je 00424FA6
:00424F8C 8B8EA8020000 mov ecx, dword
ptr [esi+000002A8]
:00424F92 6A00
push 00000000
:00424F94 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"Incomplete or incorrect Registration-Number.
"
->"Please input
again!"
|
:00424F96 6894EE4E00 push 004EEE94
:00424F9B E8309BFFFF call 0041EAD0
:00424FA0 5F
pop edi
:00424FA1 5E
pop esi
:00424FA2 83C424
add esp, 00000024
:00424FA5 C3
ret
* Reference To: USER32.KillTimer, Ord:0196h
|
:004252BD FF15C8E74B00 Call dword ptr
[004BE7C8]
:004252C3 6A00
push 00000000
:004252C5 E8B4020600 call 0048557E
:004252CA 8B15B8165000 mov edx, dword
ptr [005016B8]
:004252D0 83C404
add esp, 00000004
:004252D3 2BC2
sub eax, edx
:004252D5 83F805
cmp eax, 00000005
:004252D8 0F83BC000000 jnb 0042539A
:004252DE A1B4165000 mov eax,
dword ptr [005016B4] 這裡是取出註冊標誌
:004252E3 85C0
test eax, eax eax=1 註冊成功 eax=0 註冊失敗
:004252E5 0F849F000000 je 0042538A
就是這裡~不可跳~但不建議改這
:004252EB 8B13
mov edx, dword ptr [ebx]
:004252ED 57
push edi
:004252EE 8BCB
mov ecx, ebx
:004252F0 FF92C8000000 call dword ptr
[edx+000000C8]
:004252F6 8D44240C lea
eax, dword ptr [esp+0C]
:004252FA 50
push eax
:004252FB E83075FFFF call 0041C830
:00425300 BF84165000 mov edi,
00501684
:00425305 83C9FF
or ecx, FFFFFFFF
:00425308 33C0
xor eax, eax
:0042530A 8D9424B0030000 lea edx, dword ptr
[esp+000003B0]
:00425311 F2
repnz
:00425312 AE
scasb
:00425313 F7D1
not ecx
:00425315 2BF9
sub edi, ecx
:00425317 8BC1
mov eax, ecx
:00425319 8BF7
mov esi, edi
:0042531B 8BFA
mov edi, edx
:0042531D C1E902
shr ecx, 02
:00425320 F3
repz
:00425321 A5
movsd
:00425322 8BC8
mov ecx, eax
:00425324 83E103
and ecx, 00000003
:00425327 F3
repz
:00425328 A4
movsb
:00425329 8D4C2410 lea
ecx, dword ptr [esp+10]
:0042532D 51
push ecx
:0042532E E83D75FFFF call 0041C870
:00425333 8B8BA8020000 mov ecx, dword
ptr [ebx+000002A8]
:00425339 83C408
add esp, 00000008
:0042533C 6A00
push 00000000
:0042533E 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"Registe Ok!" 這裡就是註冊成功的訊息囉~往上看
|
:00425340 68D8EE4E00 push 004EEED8
:00425345 E88697FFFF call 0041EAD0
:0042534A 8B1588DE4F00 mov edx, dword
ptr [004FDE88]
* Reference To: USER32.PostMessageA, Ord:01D9h
|
:00425350 8B35F8E74B00 mov esi, dword
ptr [004BE7F8]
:00425356 6A00
push 00000000
:00425358 6A00
push 00000000
:0042535A 6853050000 push 00000553
:0042535F 52
push edx
:00425360 FFD6
call esi
:00425362 A17C165000 mov eax,
dword ptr [0050167C]
:00425367 5F
pop edi
:00425368 85C0
test eax, eax
:0042536A 742E
je 0042539A
:0042536C 6A00
push 00000000
:0042536E 6A00
push 00000000
:00425370 6853050000 push 00000553
:00425375 50
push eax
:00425376 FFD6
call esi
:00425378 8BCB
mov ecx, ebx
:0042537A E880550700 call 0049A8FF
:0042537F 5E
pop esi
:00425380 5B
pop ebx
:00425381 81C4BC0A0000 add esp, 00000ABC
:00425387 C20400
ret 0004
找哪裡寫入 [005016B4] 註冊標誌
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042377D(C)
|
:0042373C 8B47F8
mov eax, dword ptr [edi-08]
:0042373F 8B57FC
mov edx, dword ptr [edi-04]
:00423742 8B4F04
mov ecx, dword ptr [edi+04]
:00423745 03C2
add eax, edx
:00423747 8B17
mov edx, dword ptr [edi]
:00423749 03C1
add eax, ecx
:0042374B 03C2
add eax, edx
:0042374D 33D2
xor edx, edx
:0042374F B91A000000 mov ecx,
0000001A
:00423754 F7F1
div ecx
:00423756 8B442410 mov
eax, dword ptr [esp+10]
:0042375A 8910
mov dword ptr [eax], edx
:0042375C 8B942448050000 mov edx, dword ptr
[esp+00000548]
:00423763 8A0C2A
mov cl, byte ptr [edx+ebp]
:00423766 33D2
xor edx, edx
:00423768 3A08
cmp cl, byte ptr [eax]
:0042376A 0F94C2
sete dl 當相等,dl=1
就改這~ 0F 94 C2 ==>> 42 90 90
就是 INC EDX
NOP
NOP
:0042376D 23F2
and esi, edx 這裡是關鍵
:0042376F 45
inc ebp
:00423770 83C710
add edi, 00000010
:00423773 83C004
add eax, 00000004
:00423776 83FD10
cmp ebp, 00000010
:00423779 89442410 mov
dword ptr [esp+10], eax
:0042377D 72BD
jb 0042373C
:0042377F 6A00
push 00000000
:00423781 89B424AC000000 mov dword ptr [esp+000000AC],
esi
:00423788 E8F11D0600 call 0048557E
:0042378D 8B7C2460 mov
edi, dword ptr [esp+60]
:00423791 83C404
add esp, 00000004
:00423794 2BC7
sub eax, edi
:00423796 83F802
cmp eax, 00000002
:00423799 0F87BB030000 ja 00423B5A
:0042379F 6A00
push 00000000
:004237A1 E8D81D0600 call 0048557E
:004237A6 2BC7
sub eax, edi
:004237A8 83C404
add esp, 00000004
:004237AB 83F802
cmp eax, 00000002
:004237AE 0F87A6030000 ja 00423B5A
:004237B4 33C0
xor eax, eax
:004237B6 8D8C24BC010000 lea ecx, dword ptr
[esp+000001BC]
:004237BD 89442444 mov
dword ptr [esp+44], eax
:004237C1 894C241C mov
dword ptr [esp+1C], ecx
:004237C5 EB07
jmp 004237CE
由這裡往上看
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423B44(C)
|
:004237C7 8BB424A8000000 mov esi, dword ptr
[esp+000000A8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004237C5(U)
由004237C5來到這
|
:004237CE 8B54241C mov
edx, dword ptr [esp+1C]
:004237D2 8D8C843C040000 lea ecx, dword ptr
[esp+4*eax+0000043C]
:004237D9 894C244C mov
dword ptr [esp+4C], ecx
:004237DD 83E00F
and eax, 0000000F
:004237E0 0FBF12
movsx edx, word ptr [edx]
:004237E3 8911
mov dword ptr [ecx], edx
:004237E5 8935B4165000 mov dword ptr
[005016B4], esi 這裡就是存註冊標誌的地方,向上看
:004237EB 0FBE4B07 movsx
ecx, byte ptr [ebx+07]
:004237EF 0FBE7301 movsx
esi, byte ptr [ebx+01]
CRC校驗
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041D32D(C), :0041D340(C)
|
:0041D347 E814DF0000 call 0042B260
:0041D34C 85C0
test eax, eax
:0041D34E 7404
je 0041D354 改這比較好~ 74 04 ==>> EB 31
也就是 JMP 0041D381
:0041D350 85F6
test esi, esi
:0041D352 742D
je 0041D381 這裡就可以跳過去囉~但不改這
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D34E(C)
|
:0041D354 8B471C
mov eax, dword ptr [edi+1C]
:0041D357 6A05
push 00000005
:0041D359 50
push eax
* Reference To: USER32.KillTimer, Ord:0196h
|
:0041D35A FF15C8E74B00 Call dword ptr
[004BE7C8]
:0041D360 6A00
push 00000000
:0041D362 6A00
push 00000000
* Possible StringData Ref from Code Obj ->"SuperCapture not properly installed
"
->"! Please download
new version "
->"at: http://www.SueprCapture.com
"
->"and reinstall
SuperCapture!"
| 看到上面的訊息~所以往上看
:0041D364 6830E44E00 push 004EE430
:0041D369 E88CB30800 call 004A86FA
:0041D36E 8B4F1C
mov ecx, dword ptr [edi+1C]
:0041D371 6A00
push 00000000
:0041D373 6A00
push 00000000
:0041D375 6854050000 push 00000554
:0041D37A 51
push ecx
* Reference To: USER32.PostMessageA, Ord:01D9h
|
:0041D37B FF15F8E74B00 Call dword ptr
[004BE7F8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D352(C)
|
:0041D381 5F pop edi
:0041D382 5E pop esi
:0041D383 C3 ret