工具:TRW 2000 v1.23註冊版、w32dasm黃金版、Hiew v6.76註冊版
破解後,只要輸入24位註冊碼,就可以註冊成功囉~~
程式進入點是 004865889 所以用trw把程式載入後下 bpx 486588、一次F5
下 makepe 、下 suspend、運行 Revirgin 選SUPERCAP.EXE 在OEP填00486588 點選 FetchIAT
點選IAT Resolyer、接下來右邊RVA 填00002000 (我是這樣填)、點選generte、選擇剛剝殼後的檔案
這樣就可運行了~寫的好亂
* Referenced by a CALL at Addresses:
|:00401C09 , :004254E6 , :00425749
|這裡會來三次~這和v3.20、v3.30不同,和v3.40相同
這裡是檢測CRACK工具
* Possible StringData Ref from Code Obj ->"\\.\SICE" 這是 SoftIce Windows
9x版本
|
;-----------------------------------------------------------------------
; 0042B430 — debugger / tracer presence probe (w32dasm listing, not
; assemblable source; addresses and opcode bytes are as dumped).
; Called from 00401C09, 004254E6 and 00425749 (see the listing header).
; Logic: five device-name strings are tried in turn; each pointer is
; pushed and the helper at 0042B3F0 is called (cdecl: the caller does
; add esp,4 after it). The helper body is not in this listing — judging
; by the "\\.\NAME" strings it presumably tries to open the named device
; and returns non-zero on success; confirm at 0042B3F0.
; Out:  eax = 1 as soon as one of the first four probes returns non-zero
;       (early ret); otherwise the fifth probe's result normalised to
;       0/1. eax = 0 means "nothing detected".
; Clobbers: eax, flags, plus whatever 0042B3F0 clobbers.
; Defender's note: every call site reduces this to one `test eax,eax`
; and one conditional jump; a check that is meant to hold up should have
; its result consumed in several places and cross-validated, not
; funnelled through a single branch.
;-----------------------------------------------------------------------
; Probe 1: "\\.\SICE" — SoftICE, Windows 9x build (string at 004F0658).
:0042B430 6858064F00 push 004F0658
:0042B435 E8B6FFFFFF call 0042B3F0
:0042B43A 83C404
add esp, 00000004               ; cdecl: drop the pushed string pointer
:0042B43D 85C0
test eax, eax
:0042B43F 7406
je 0042B447                     ; not present -> try the next name
:0042B441 B801000000 mov eax,
00000001                        ; present -> return 1 right away
:0042B446 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B43F(C)
* Possible StringData Ref from Code Obj ->"\\.\NTICE" ; SoftICE, Windows NT build
|
; Probe 2: "\\.\NTICE" (string at 004F064C); same shape as probe 1.
:0042B447 684C064F00 push 004F064C
:0042B44C E89FFFFFFF call 0042B3F0
:0042B451 83C404
add esp, 00000004
:0042B454 85C0
test eax, eax
:0042B456 7406
je 0042B45E                     ; not present -> next name
:0042B458 B801000000 mov eax,
00000001
:0042B45D C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B456(C)
* Possible StringData Ref from Code Obj ->"\\.\TRW" ; TRW (TRWIN) debugger
|
; Probe 3: "\\.\TRW" (string at 004F0644).
:0042B45E 6844064F00 push 004F0644
:0042B463 E888FFFFFF call 0042B3F0
:0042B468 83C404
add esp, 00000004
:0042B46B 85C0
test eax, eax
:0042B46D 7406
je 0042B475                     ; not present -> next name
:0042B46F B801000000 mov eax,
00000001
:0042B474 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B46D(C)
* Possible StringData Ref from Code Obj ->"\\.\TRWDEBUG" ; TRW (TRWIN) debugger, second device name
|
; Probe 4: "\\.\TRWDEBUG" (string at 004F0634).
:0042B475 6834064F00 push 004F0634
:0042B47A E871FFFFFF call 0042B3F0
:0042B47F 83C404
add esp, 00000004
:0042B482 85C0
test eax, eax
:0042B484 7406
je 0042B48C                     ; not present -> last name
:0042B486 B801000000 mov eax,
00000001
:0042B48B C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B484(C)
* Possible StringData Ref from Code Obj ->"\\.\ICEDUMP"
|
; Probe 5: "\\.\ICEDUMP" (string at 004F0628). Last one, so there is no
; early ret: the helper's result is folded to 0/1 and returned as-is.
:0042B48C 6828064F00 push 004F0628
:0042B491 E85AFFFFFF call 0042B3F0
:0042B496 83C404
add esp, 00000004
:0042B499 F7D8
neg eax                         ; CF = (eax != 0)
:0042B49B 1BC0
sbb eax, eax                    ; eax = -CF, i.e. 0 or -1
:0042B49D F7D8
neg eax                         ; eax = 0 or 1: the normalised verdict
:0042B49F C3
ret
關鍵一
* Reference To: USER32.SetTimer, Ord:0239h
|
:00401BE1 8B3DF8E74B00 mov edi, dword
ptr [004BE7F8]
:00401BE7 8B88CC020000 mov ecx, dword
ptr [eax+000002CC]
:00401BED 85C9
test ecx, ecx
:00401BEF 7548
jne 00401C39
:00401BF1 E82A940200 call 0042B020
:00401BF6 85C0
test eax, eax
:00401BF8 740F
je 00401C09 這裡一定要跳,建議改這裡直接跳過去
把 74 0F ==>> EB 3F
也就是 JMP 00401C39
:00401BFA 8B4E1C
mov ecx, dword ptr [esi+1C]
:00401BFD 6A00
push 00000000
:00401BFF 68D0070000 push 000007D0
:00401C04 6A04
push 00000004
:00401C06 51
push ecx
:00401C07 FFD7
call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401BF8(C)
:00401C09 E822980200 call 0042B430
檢測CRACK工具
:00401C0E 85C0
test eax, eax
:00401C10 740F
je 00401C21
:00401C12 8B561C
mov edx, dword ptr [esi+1C]
:00401C15 6A00
push 00000000
:00401C17 68D0070000 push 000007D0
:00401C1C 6A04
push 00000004
:00401C1E 52
push edx
:00401C1F FFD7
call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C10(C)
* Reference To: KERNEL32.IsDebuggerPresent, Ord:021Bh
調用IsDebuggerPresent()來檢測是否有調試器存在。
這個函數只能檢查使用 Debug API 來跟蹤程序的調試器。
:00401C21 E8BA970200 Call 0042B3E0
:00401C26 85C0
test eax, eax
:00401C28 740F
je 00401C39
:00401C2A 8B461C
mov eax, dword ptr [esi+1C]
:00401C2D 6A00
push 00000000
:00401C2F 68D0070000 push 000007D0
:00401C34 6A04
push 00000004
:00401C36 50
push eax
:00401C37 FFD7
call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401BEF(C), :00401C28(C)
|
:00401C39 8B4E1C
mov ecx, dword ptr [esi+1C]
:00401C3C 6A00
push 00000000
:00401C3E 6860EA0000 push 0000EA60
:00401C43 6A05
push 00000005
:00401C45 51
push ecx
:00401C46 FFD7
call edi
:00401C48 5F
pop edi
:00401C49 5E
pop esi
:00401C4A 33C0
xor eax, eax
:00401C4C 5B
pop ebx
:00401C4D 83C440
add esp, 00000040
:00401C50 C20400
ret 0004
關鍵二
* Reference To: USER32.KillTimer, Ord:0196h
|
:0042549D FF15C4E74B00 Call dword ptr
[004BE7C4]
:004254A3 6A00
push 00000000
:004254A5 E804040600 call 004858AE
:004254AA 8B15B8195000 mov edx, dword
ptr [005019B8]
:004254B0 83C404
add esp, 00000004
:004254B3 2BC2
sub eax, edx
:004254B5 83F805
cmp eax, 00000005
:004254B8 0F830E010000 jnb 004255CC
:004254BE A1B4195000 mov eax,
dword ptr [005019B4] 這裡是取出註冊標誌
:004254C3 85C0
test eax, eax eax=1 註冊成功 eax=0 註冊失敗
:004254C5 0F84F1000000 je 004255BC
:004254CB E8EBB20800 call 004B07BB
:004254D0 8B4004
mov eax, dword ptr [eax+04]
:004254D3 8B88CC020000 mov ecx, dword
ptr [eax+000002CC] 可疑?
:004254D9 85C9
test ecx, ecx
:004254DB 7540
jne 0042551D
:004254DD E83E5B0000 call 0042B020
:004254E2 85C0
test eax, eax
:004254E4 7512
jne 004254F8 這裡一定要跳,建議改這裡直接跳過去
把 75 12 ==>> EB 37
也就是 JMP 0042551D
:004254E6 E8455F0000 call 0042B430
檢測CRACK工具
:004254EB 85C0
test eax, eax
:004254ED 7509
jne 004254F8
* Reference To: KERNEL32.IsDebuggerPresent, Ord:021Bh
調用IsDebuggerPresent()來檢測是否有調試器存在。
這個函數只能檢查使用 Debug API 來跟蹤程序的調試器。
:004254EF E8EC5E0000 Call 0042B3E0
:004254F4 85C0
test eax, eax
:004254F6 7425
je 0042551D
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004254E4(C), :004254ED(C)
|
:004254F8 8B4B1C
mov ecx, dword ptr [ebx+1C]
:004254FB 6A00
push 00000000
:004254FD 6A00
push 00000000
:004254FF 6854050000 push 00000554
:00425504 51
push ecx
* Reference To: USER32.PostMessageA, Ord:01D9h
|
:00425505 FF15F4E74B00 Call dword ptr
[004BE7F4]
:0042550B 8BCB
mov ecx, ebx
:0042550D E829570700 call 0049AC3B
:00425512 5E
pop esi
:00425513 5B
pop ebx
:00425514 81C4C00A0000 add esp, 00000AC0
:0042551A C20400
ret 0004
關鍵三
:00425739 33F6
xor esi, esi
:0042573B E8E0580000 call 0042B020
:00425740 85C0
test eax, eax
:00425742 7405
je 00425749 把 74 05 ==>> EB 33
也就是 JMP 00425777
:00425744 BE01000000 mov esi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425742(C)
:00425749 E8E25C0000 call 0042B430
檢測CRACK工具
:0042574E 85C0
test eax, eax
:00425750 7405
je 00425757
:00425752 BE01000000 mov esi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425750(C)
* Reference To: KERNEL32.IsDebuggerPresent, Ord:021Bh
調用IsDebuggerPresent()來檢測是否有調試器存在。
這個函數只能檢查使用 Debug API 來跟蹤程序的調試器。
:00425757 E8845C0000 Call 0042B3E0
:0042575C 85C0
test eax, eax
:0042575E 7504
jne 00425764
:00425760 85F6
test esi, esi
:00425762 7413
je 00425777
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042575E(C)
:00425764 8B531C
mov edx, dword ptr [ebx+1C]
:00425767 6A00
push 00000000
:00425769 6A00
push 00000000
:0042576B 6854050000 push 00000554
:00425770 52
push edx
* Reference To: USER32.PostMessageA, Ord:01D9h
|
:00425771 FF15F4E74B00 Call dword ptr
[004BE7F4]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00425737(C), :00425762(C)
:00425777 5F
pop edi
:00425778 5E
pop esi
:00425779 B801000000 mov eax,
00000001
:0042577E 5B
pop ebx
:0042577F 81C4000B0000 add esp, 00000B00
:00425785 C3
ret
關鍵四
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004254DB(C), :004254F6(C)
:0042551D 8B13
mov edx, dword ptr [ebx]
:0042551F 57
push edi
:00425520 8BCB
mov ecx, ebx
:00425522 FF92C8000000 call dword ptr
[edx+000000C8]
:00425528 8D44240C lea
eax, dword ptr [esp+0C]
:0042552C 50
push eax
:0042552D E8AE76FFFF call 0041CBE0
:00425532 BF84195000 mov edi,
00501984
:00425537 83C9FF
or ecx, FFFFFFFF
:0042553A 33C0
xor eax, eax
:0042553C 8D9424B4030000 lea edx, dword ptr
[esp+000003B4]
:00425543 F2
repnz
:00425544 AE
scasb
:00425545 F7D1
not ecx
:00425547 2BF9
sub edi, ecx
:00425549 8BC1
mov eax, ecx
:0042554B 8BF7
mov esi, edi
:0042554D 8BFA
mov edi, edx
:0042554F C1E902
shr ecx, 02
:00425552 F3
repz
:00425553 A5
movsd
:00425554 8BC8
mov ecx, eax
:00425556 83E103
and ecx, 00000003
:00425559 F3
repz
:0042555A A4
movsb
:0042555B 8D4C2410 lea
ecx, dword ptr [esp+10]
:0042555F 51
push ecx
:00425560 E8BB76FFFF call 0041CC20
:00425565 8B8BA8020000 mov ecx, dword
ptr [ebx+000002A8]
:0042556B 83C408
add esp, 00000008
:0042556E 6A00
push 00000000
:00425570 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"Registe Ok!"
這是註冊成功訊息~所以往上看
:00425572 68E4F14E00 push 004EF1E4
關鍵五
:00423BA8 85F6
test esi, esi
:00423BAA 8917
mov dword ptr [edi], edx
:00423BAC 741B
je 00423BC9 把 74 1B ==>> 90 90
:00423BAE 8B942448050000 mov edx, dword ptr
[esp+00000548]
:00423BB5 8B442440 mov
eax, dword ptr [esp+40]
:00423BB9 8A1410
mov dl, byte ptr [eax+edx]
:00423BBC 8A07
mov al, byte ptr [edi]
:00423BBE 3AD0
cmp dl, al
:00423BC0 7507
jne 00423BC9 把 75 07 ==>> 90 90
:00423BC2 BE01000000 mov esi,
00000001
:00423BC7 EB02
jmp 00423BCB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00423BAC(C), :00423BC0(C)
:00423BC9 33F6
xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423BC7(U)
:00423BCB 8B442440 mov
eax, dword ptr [esp+40]
:00423BCF 83C110
add ecx, 00000010
:00423BD2 40
inc eax
:00423BD3 83C704
add edi, 00000004
:00423BD6 83F810
cmp eax, 00000010
:00423BD9 89442440 mov
dword ptr [esp+40], eax
:00423BDD 72AF
jb 00423B8E
:00423BDF 6A00
push 00000000
:00423BE1 89742414 mov
dword ptr [esp+14], esi
:00423BE5 E8C41C0600 call 004858AE
:00423BEA 8B7C2460 mov
edi, dword ptr [esp+60]
:00423BEE 83C404
add esp, 00000004
:00423BF1 2BC7
sub eax, edi
:00423BF3 83F802
cmp eax, 00000002
:00423BF6 0F87B7030000 ja 00423FB3
:00423BFC 6A00
push 00000000
:00423BFE E8AB1C0600 call 004858AE
:00423C03 2BC7
sub eax, edi
:00423C05 83C404
add esp, 00000004
:00423C08 83F802
cmp eax, 00000002
:00423C0B 0F87A2030000 ja 00423FB3
:00423C11 33C0
xor eax, eax
:00423C13 8D8C24BC010000 lea ecx, dword ptr
[esp+000001BC]
:00423C1A 89442440 mov
dword ptr [esp+40], eax
:00423C1E 894C241C mov
dword ptr [esp+1C], ecx
:00423C22 EB04
jmp 00423C28
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423F9E(C)
:00423C24 8B742410 mov
esi, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423C22(U)
:00423C28 8B54241C mov
edx, dword ptr [esp+1C]
:00423C2C 8D8C843C040000 lea ecx, dword ptr
[esp+4*eax+0000043C]
:00423C33 894C2458 mov
dword ptr [esp+58], ecx
:00423C37 83E00F
and eax, 0000000F
:00423C3A 0FBF12
movsx edx, word ptr [edx]
:00423C3D 8911
mov dword ptr [ecx], edx
:00423C3F 8935B4195000 mov dword ptr
[005019B4], esi 這裡存註冊標誌,向上看
關鍵六:自校驗
* Referenced by a CALL at Address:
|:00404C0C
;-----------------------------------------------------------------------
; 0041D750 — installation / integrity self-check (the page's heading
; calls this section 自校驗, "self-check"). w32dasm listing, not
; assemblable source. Called from 00404C0C.
; Looks like MSVC thiscall: ecx = this, kept in esi ([esi+1C] and
; [esi+713] are read later); no stack arguments (plain `ret`).
; 0x400 bytes of locals: after the two pushes they are addressed as three
; buffers at esp+08, esp+108 and esp+208.
; Flow:
;   1. If the global function pointer at [00500F4C] is non-null, call it
;      with [(004B07BB())+08] as its one argument; a zero result sets
;      edi = 1 (failure flag). Neither callee is in this listing.
;   2. Call 0042B4E0 (not shown). Non-zero result AND edi == 0 is the
;      "all good" path: straight to the epilogue at 0041D817.
;   3. Otherwise: KillTimer(this->+1C, 5), compose "<msg1> <msg2>
;      http://www.SuperCapture.com" into the third buffer, show it via
;      004A8A3A (presumably a message-box style wrapper — confirm), then
;      PostMessageA(this->+1C, 0x554, 0, 0) and return.
; Out:  no return value is set explicitly; eax holds whatever the last
;       call left in it.
; Clobbers: eax, ecx, edx, flags; esi and edi are saved and restored.
; Defender's note: as with the probe at 0042B430, the whole verdict
; funnels through two adjacent conditional jumps (0041D784, 0041D788)
; and one flag in edi. Integrity checks that matter should be evaluated
; in more than one place and their results cross-validated, not reduced
; to a single flag consumed by a single branch.
;-----------------------------------------------------------------------
:0041D750 A14C0F5000 mov eax,
dword ptr [00500F4C]            ; global function pointer; called indirectly at 0041D76E
:0041D755 81EC00040000 sub esp, 00000400   ; local buffers (0x400 bytes)
:0041D75B 56
push esi
:0041D75C 57
push edi
:0041D75D 33FF
xor edi, edi                    ; edi = failure flag, 0 = nothing failed yet
:0041D75F 8BF1
mov esi, ecx                    ; esi = this (thiscall, presumably — confirm at caller 00404C0C)
:0041D761 85C0
test eax, eax
:0041D763 7418
je 0041D77D                     ; pointer not set -> skip check 1
; Check 1: call through [00500F4C] with [(004B07BB())+08]; what 004B07BB
; returns is not visible here — presumably some global/context object.
:0041D765 E851300900 call 004B07BB
:0041D76A 8B4008
mov eax, dword ptr [eax+08]
:0041D76D 50
push eax
:0041D76E FF154C0F5000 call dword ptr
[00500F4C]
:0041D774 85C0
test eax, eax
:0041D776 7505
jne 0041D77D                    ; non-zero -> check 1 passed
:0041D778 BF01000000 mov edi,
00000001                        ; check 1 failed
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041D763(C), :0041D776(C)
; Check 2: 0042B4E0 is not in this listing; the two branches below make
; its non-zero result the "pass" outcome.
:0041D77D E85EDD0000 call 0042B4E0
:0041D782 85C0 test eax, eax
:0041D784 7408 je 0041D78E 改為 xor edi,edi
就是 74 08 ==>> 33 FF
:0041D786 85FF test edi, edi
:0041D788 0F8489000000 je 0041D817         ; both checks passed -> clean exit
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D784(C)
; Failure path. First stop timer id 5 (the SetTimer at 00401C3E on this
; page arms id 5 with a 60000 ms interval); [esi+1C] is the first
; argument of both KillTimer and PostMessageA below, so it is the HWND.
:0041D78E 8B461C mov eax, dword ptr [esi+1C]
:0041D791 6A05 push 00000005
:0041D793 50 push eax
* Reference To: USER32.KillTimer, Ord:0196h
|
:0041D794 FF15C4E74B00 Call dword ptr [004BE7C4]
; Message part 1 -> buffer at esp+08 (size 0x100). 0041ED90 is called
; with ecx = [esi+713] and three stack args (size, buffer, string
; pointer) and no caller cleanup — presumably a bounded string
; load/copy with callee cleanup; confirm at 0041ED90.
:0041D79A 8D4C2408 lea ecx, dword ptr [esp+08]
:0041D79E 6800010000 push 00000100
:0041D7A3 51 push ecx
:0041D7A4 8B8E13070000 mov ecx, dword ptr [esi+00000713]
* Possible StringData Ref from Code Obj ->"SuperCapture was not properly "
->"installed !"
; page note: "this is the message seen above, so trace upward from here"
:0041D7AA 68C0E74E00 push 004EE7C0
:0041D7AF E8DC150000 call 0041ED90
; Message part 2 -> buffer at esp+108, same helper.
:0041D7B4 8B8E13070000 mov ecx, dword ptr [esi+00000713]
:0041D7BA 8D942408010000 lea edx, dword ptr [esp+00000108]
:0041D7C1 6800010000 push 00000100
:0041D7C6 52 push edx
* Possible StringData Ref from Code Obj ->"Please download new version and "
->"reinstall SuperCapture! Download "
->"URL:"
:0041D7C7 6878E74E00 push 004EE778
:0041D7CC E8BF150000 call 0041ED90
; Format both parts into the third buffer. Four args (dest, fmt, part1,
; part2) and `add esp,10` afterwards: cdecl, sprintf-style — presumably.
; edx is computed after the two pushes, hence esp+210 for the esp+208 buffer.
:0041D7D1 8D842408010000 lea eax, dword ptr [esp+00000108]
:0041D7D8 8D4C2408 lea ecx, dword ptr [esp+08]
:0041D7DC 50 push eax
:0041D7DD 51 push ecx
:0041D7DE 8D942410020000 lea edx, dword ptr [esp+00000210]
* Possible StringData Ref from Code Obj ->"%s %s http://www.SuperCapture.com"
|
:0041D7E5 6854E74E00 push 004EE754
:0041D7EA 52 push edx
:0041D7EB E85C7C0600 call 0048544C
:0041D7F0 83C410 add esp, 00000010
; Show the composed text: 004A8A3A(buffer, 0, 0). No caller cleanup is
; visible, so the callee cleans; presumably a message-box wrapper — confirm.
:0041D7F3 8D842408020000 lea eax, dword ptr [esp+00000208]
:0041D7FA 6A00 push 00000000
:0041D7FC 6A00 push 00000000
:0041D7FE 50 push eax
:0041D7FF E836B20800 call 004A8A3A
; PostMessageA(hwnd, 0x554, 0, 0). 0x554 = WM_USER + 0x154, an
; application-private message whose handler is not in this listing; the
; same message is posted after the debugger probes at 00425505 and
; 00425771 on this page.
:0041D804 8B4E1C mov ecx, dword ptr [esi+1C]
:0041D807 6A00 push 00000000
:0041D809 6A00 push 00000000
:0041D80B 6854050000 push 00000554
:0041D810 51 push ecx
* Reference To: USER32.PostMessageA, Ord:01D9h
|
:0041D811 FF15F4E74B00 Call dword ptr [004BE7F4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D788(C)
; Epilogue shared by the clean and the failure path.
:0041D817 5F pop edi
:0041D818 5E pop esi
:0041D819 81C400040000 add esp, 00000400   ; release the local buffers
:0041D81F C3 ret