【Author】 pmma
【Author's e-mail】 lyzhu110@163.com
【Tool used】 OllyDbg 1.10 (Chinese localized build)
【Target platform】 Win9x/NT/2000/XP
【Software name】 SnagIt v6.21 retail
【Software description】
A powerful screen-capture program that captures not only the Windows screen but DOS screens as well.
It saves to many image formats. SnagIt's system requirements are modest; Windows 98/95/NT all work,
and with any Windows-supported printer you can send output to the printer. If 32-bit MAPI is configured,
you can also send captures out by e-mail.
【Disclaimer】 I am just interested in cracking; corrections from the experts are welcome where I have slipped up!
--------------------------------------------------------------------------------
【破解内容】
Enter any registration key and an error box appears. Disassemble, search for the prompt string, and it is here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BE553(C)
|
* Possible Reference to String Resource ID=10301: "You must enter a valid software key." *********** see it?
|
:004BE569 683D280000 push 0000283D
:004BE56E E80C610300 call 004F467F
:004BE573 5F pop edi
:004BE574 668BC3 mov ax, bx
:004BE577 5B pop ebx
:004BE578 5E pop esi
:004BE579 5D pop ebp
:004BE57A C20C00 ret 000C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BE4BD(C), :004BE4D3(C)
|
* Possible Reference to Dialog: DialogID_0098, CONTROL_ID:00FF, ""
|
:004BE57D 6AFF push FFFFFFFF
:004BE57F 6A00 push 00000000
* Possible Reference to String Resource ID=10301: "You must enter a valid software key." *********** see it?
|
:004BE581 683D280000 push 0000283D
:004BE586 E8F4600300 call 004F467F
:004BE58B 5F pop edi
:004BE58C 5B pop ebx
:004BE58D 5E pop esi
:004BE58E 6633C0 xor ax, ax
:004BE591 5D pop ebp
:004BE592 C20C00 ret 000C
Set a breakpoint on each; the second one is hit. Look at the caller, set a breakpoint there, register again, and see below:
004BE4BA |. 83FB 0E CMP EBX,0E ; the key must be at least 14 (0Eh) characters
004BE4BD |. 0F8C BA000000 JL SnagIt32.004BE57D
004BE4C3 |. 68 E06B5300 PUSH SnagIt32.00536BE0 ; ASCII, the fake key
004BE4C8 |. 50 PUSH EAX
004BE4C9 |. E8 42720100 CALL SnagIt32.004D5710
004BE4CE |. 83C4 08 ADD ESP,8
004BE4D1 |. 3BC3 CMP EAX,EBX ; second error check, second jump; does not seem to matter?
004BE4D3 |. 0F85 A4000000 JNZ SnagIt32.004BE57D
------------------------------------------------------------------------------------------
Step over with F8; once the jump after 004BE4EF is taken it is all over. Look at the code:
004BE4EA |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
004BE4EC |. 8B4D 00 MOV ECX,DWORD PTR SS:[EBP]
004BE4EF |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
004BE4F1 |. 50 PUSH EAX
004BE4F2 |. 51 PUSH ECX
004BE4F3 |. 8BCE MOV ECX,ESI
004BE4F5 |. FF52 10 CALL DWORD PTR DS:[EDX+10] ********** step into this
004BE4F8 |. 8BCE MOV ECX,ESI
004BE4FA |. 8BD8 MOV EBX,EAX
004BE4FC |. 80FB 01 CMP BL,1
004BE4FF |. 75 46 JNZ SHORT SnagIt32.004BE547 press F2 to set a breakpoint
------------------------------------------------------------------------------------
Start over with the key 1234567890123456, break at 004BE4EF, and step into the call above.
00467C6F . B8 C9045100 MOV EAX,SnagIt32.005104C9
00467C74 . E8 47A30600 CALL SnagIt32.004D1FC0
00467C79 . 83EC 58 SUB ESP,58
00467C7C . 53 PUSH EBX
00467C7D . FF75 0C PUSH DWORD PTR SS:[EBP+C]
00467C80 . 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX
00467C83 . 33DB XOR EBX,EBX
00467C85 . 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00467C88 . 895D EC MOV DWORD PTR SS:[EBP-14],EBX
00467C8B . C745 E0 01000>MOV DWORD PTR SS:[EBP-20],1
00467C92 . C645 F3 0A MOV BYTE PTR SS:[EBP-D],0A
00467C96 . 885D F2 MOV BYTE PTR SS:[EBP-E],BL
00467C99 . E8 23FDF9FF CALL SnagIt32.004079C1
00467C9E . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00467CA1 . 8B40 F4 MOV EAX,DWORD PTR DS:[EAX-C]
00467CA4 . 83F8 0E CMP EAX,0E ; the 14-character length accepted here is a decoy, explained later
00467CA7 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00467CAA . 74 0E JE SHORT SnagIt32.00467CBA
00467CAC . 83F8 12 CMP EAX,12 ; must be 18 (12h) characters
00467CAF . 74 09 JE SHORT SnagIt32.00467CBA ; must jump
00467CB1 . C645 F3 0C MOV BYTE PTR SS:[EBP-D],0C
00467CB5 . E9 7C010000 JMP SnagIt32.00467E36
00467CBA > 57 PUSH EDI
00467CBB . 6A 02 PUSH 2
00467CBD . 6A 0C PUSH 0C
00467CBF . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00467CC2 . 50 PUSH EAX
00467CC3 . 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00467CC6 . E8 43C6FAFF CALL SnagIt32.0041430E
00467CCB . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; characters 13-14
00467CCD . 6A 10 PUSH 10
00467CCF . 53 PUSH EBX
00467CD0 . 50 PUSH EAX
00467CD1 . E8 4AAD0600 CALL SnagIt32.004D2A20
00467CD6 . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18] ; characters 13-14
00467CD9 . 83C4 0C ADD ESP,0C
00467CDC . 83C1 F0 ADD ECX,-10
00467CDF . 8BF8 MOV EDI,EAX
00467CE1 . E8 FA94F9FF CALL SnagIt32.004011E0
00467CE6 . 66:83FF 41 CMP DI,41 ; these 2 characters (read as hex) must be > 41h; I used 99
00467CEA . 0F82 41010000 JB SnagIt32.00467E31
00467CF0 . 81C7 BFFF0000 ADD EDI,0FFBF ; these 2 characters + FFBFh (65471) must be > 50h
00467CF6 . 66:83FF 50 CMP DI,50
00467CFA . 72 6A JB SHORT SnagIt32.00467D66
00467CFC . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00467CFF . 8378 F4 12 CMP DWORD PTR DS:[EAX-C],12 ; key length must be 18, otherwise it fails
00467D03 . 0F85 81000000 JNZ SnagIt32.00467D8A
00467D09 . 6A 04 PUSH 4
00467D0B . 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
00467D0E . 50 PUSH EAX
00467D0F . 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00467D12 . E8 15E1F9FF CALL SnagIt32.00405E2C
00467D17 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; last 4 characters
00467D19 . 6A 10 PUSH 10
00467D1B . 53 PUSH EBX
00467D1C . 50 PUSH EAX
00467D1D . E8 FEAC0600 CALL SnagIt32.004D2A20
00467D22 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; last 4 characters
00467D25 . 83C4 0C ADD ESP,0C
00467D28 . 83C1 F0 ADD ECX,-10
00467D2B . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00467D2E . E8 AD94F9FF CALL SnagIt32.004011E0
00467D33 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00467D36 . 8B40 F4 MOV EAX,DWORD PTR DS:[EAX-C]
00467D39 . 83C0 FC ADD EAX,-4
00467D3C . 50 PUSH EAX
00467D3D . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00467D40 . 50 PUSH EAX
00467D41 . 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00467D44 . E8 25E1F9FF CALL SnagIt32.00405E6E
00467D49 . 50 PUSH EAX
00467D4A . 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00467D4D . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00467D51 . E8 A3A7F9FF CALL SnagIt32.004024F9
00467D56 . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
00467D59 . 83C1 F0 ADD ECX,-10
00467D5C . 885D FC MOV BYTE PTR SS:[EBP-4],BL
00467D5F . E8 7C94F9FF CALL SnagIt32.004011E0
00467D64 . EB 24 JMP SHORT SnagIt32.00467D8A
00467D66 > 56 PUSH ESI
00467D67 . FF75 08 PUSH DWORD PTR SS:[EBP+8]
00467D6A . E8 E7D90600 CALL SnagIt32.004D5756
00467D6F . 8BF0 MOV ESI,EAX
00467D71 . 3BF3 CMP ESI,EBX
00467D73 . 59 POP ECX
00467D74 . 74 13 JE SHORT SnagIt32.00467D89
00467D76 . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
00467D79 . 56 PUSH ESI ; /Arg1
00467D7A . E8 11500500 CALL SnagIt32.004BCD90 ; \SnagIt32.004BCD90
00467D7F . 56 PUSH ESI
00467D80 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00467D83 . E8 15B30600 CALL SnagIt32.004D309D
00467D88 . 59 POP ECX
00467D89 > 5E POP ESI
00467D8A > 66:395D EC CMP WORD PTR SS:[EBP-14],BX ; the last 4 characters must not be empty
00467D8E . 0F84 A1000000 JE SnagIt32.00467E35
00467D94 . 6A 0F PUSH 0F
00467D96 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00467D99 . 53 PUSH EBX
00467D9A . 50 PUSH EAX
00467D9B . E8 E0A60600 CALL SnagIt32.004D2480
00467DA0 . 83C4 0C ADD ESP,0C
00467DA3 . 6A 0E PUSH 0E
00467DA5 . 6A 0E PUSH 0E
00467DA7 . 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00467DAA . E8 75A2F9FF CALL SnagIt32.00402024
00467DAF . 50 PUSH EAX
00467DB0 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00467DB3 . 50 PUSH EAX
00467DB4 . E8 37970600 CALL SnagIt32.004D14F0
00467DB9 . 83C4 0C ADD ESP,0C
00467DBC . 6A FF PUSH -1
00467DBE . 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00467DC1 . E8 00D4F9FF CALL SnagIt32.004051C6
00467DC6 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00467DC9 . 50 PUSH EAX
00467DCA . E8 81680500 CALL SnagIt32.004BE650
00467DCF . 85C0 TEST EAX,EAX
00467DD1 . 59 POP ECX
00467DD2 . 74 61 JE SHORT SnagIt32.00467E35
00467DD4 . 6A 02 PUSH 2
00467DD6 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00467DD9 . 50 PUSH EAX
00467DDA . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00467DDD . 50 PUSH EAX
00467DDE . E8 7D680500 CALL SnagIt32.004BE660
00467DE3 . 83C4 0C ADD ESP,0C
00467DE6 . 85C0 TEST EAX,EAX
00467DE8 . 74 4B JE SHORT SnagIt32.00467E35
00467DEA . 6A 02 PUSH 2
00467DEC . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00467DEF . 50 PUSH EAX
00467DF0 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00467DF3 . 50 PUSH EAX
00467DF4 . E8 67680500 CALL SnagIt32.004BE660
00467DF9 . 83C4 0C ADD ESP,0C
00467DFC . 85C0 TEST EAX,EAX
00467DFE . 74 35 JE SHORT SnagIt32.00467E35
00467E00 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00467E03 . 50 PUSH EAX
00467E04 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00467E07 . 50 PUSH EAX
00467E08 . E8 33690500 CALL SnagIt32.004BE740 ; key call 2, step into it
00467E0D . 85C0 TEST EAX,EAX
00467E0F . 59 POP ECX
00467E10 . 59 POP ECX
00467E11 . 74 22 JE SHORT SnagIt32.00467E35 ; must not jump
00467E13 . 66:83FF 60 CMP DI,60
00467E17 . 73 0F JNB SHORT SnagIt32.00467E28
00467E19 . 83C7 0D ADD EDI,0D
00467E1C . 66:83FF 60 CMP DI,60
00467E20 . 73 06 JNB SHORT SnagIt32.00467E28
00467E22 . C645 F3 0B MOV BYTE PTR SS:[EBP-D],0B
00467E26 . EB 0D JMP SHORT SnagIt32.00467E35
00467E28 > 885D F3 MOV BYTE PTR SS:[EBP-D],BL
00467E2B . C645 F2 01 MOV BYTE PTR SS:[EBP-E],1
00467E2F . EB 04 JMP SHORT SnagIt32.00467E35
00467E31 > C645 F3 0C MOV BYTE PTR SS:[EBP-D],0C
00467E35 > 5F POP EDI
00467E36 > 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00467E39 . 83C1 F0 ADD ECX,-10
00467E3C . E8 9F93F9FF CALL SnagIt32.004011E0
00467E41 . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00467E44 . 33C0 XOR EAX,EAX
00467E46 . 8A65 F3 MOV AH,BYTE PTR SS:[EBP-D]
00467E49 . 5B POP EBX
00467E4A . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00467E51 . 8A45 F2 MOV AL,BYTE PTR SS:[EBP-E]
00467E54 . C9 LEAVE
00467E55 . C2 0800 RETN 8
------------------------------------------------------------------------------------
Step into key call 2:
004BE740 /$ 83EC 7C SUB ESP,7C
004BE743 |. 33C0 XOR EAX,EAX
004BE745 |. B9 30000000 MOV ECX,30
004BE74A |. 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
004BE750 |> 0FB7D0 /MOVZX EDX,AX
004BE753 |. 40 |INC EAX
004BE754 |. 884C14 04 |MOV BYTE PTR SS:[ESP+EDX+4],CL
004BE758 |. 41 |INC ECX
004BE759 |. 66:83F9 39 |CMP CX,39
004BE75D |.^ 76 F1 \JBE SHORT SnagIt32.004BE750
004BE75F |. B9 41000000 MOV ECX,41
004BE764 |> 0FB7D0 /MOVZX EDX,AX
004BE767 |. 40 |INC EAX
004BE768 |. 884C14 04 |MOV BYTE PTR SS:[ESP+EDX+4],CL
004BE76C |. 41 |INC ECX
004BE76D |. 66:83F9 46 |CMP CX,46
004BE771 |.^ 76 F1 \JBE SHORT SnagIt32.004BE764
004BE773 |. 53 PUSH EBX
004BE774 |. 8B9C24 880000>MOV EBX,DWORD PTR SS:[ESP+88]
004BE77B |. 56 PUSH ESI
004BE77C |. 57 PUSH EDI
004BE77D |. 8D43 0C LEA EAX,DWORD PTR DS:[EBX+C]
004BE780 |. 6A 02 PUSH 2
004BE782 |. 50 PUSH EAX
004BE783 |. E8 48FFFFFF CALL SnagIt32.004BE6D0
004BE788 |. 8BB424 940000>MOV ESI,DWORD PTR SS:[ESP+94]
004BE78F |. 6A 02 PUSH 2
004BE791 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
004BE795 |. 51 PUSH ECX
004BE796 |. 56 PUSH ESI
004BE797 |. 894424 20 MOV DWORD PTR SS:[ESP+20],EAX
004BE79B |. E8 C0FEFFFF CALL SnagIt32.004BE660
004BE7A0 |. 8D53 08 LEA EDX,DWORD PTR DS:[EBX+8] ; characters 9 to 14 of the key
004BE7A3 |. 6A 04 PUSH 4
004BE7A5 |. 52 PUSH EDX
004BE7A6 |. E8 25FFFFFF CALL SnagIt32.004BE6D0
004BE7AB |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
004BE7AF |. 6A 02 PUSH 2
004BE7B1 |. 8D4424 2C LEA EAX,DWORD PTR SS:[ESP+2C]
004BE7B5 |. 50 PUSH EAX
004BE7B6 |. 56 PUSH ESI
004BE7B7 |. E8 A4FEFFFF CALL SnagIt32.004BE660
004BE7BC |. 8D4C24 58 LEA ECX,DWORD PTR SS:[ESP+58]
004BE7C0 |. 51 PUSH ECX
004BE7C1 |. E8 7A010000 CALL SnagIt32.004BE940
004BE7C6 |. 0FB716 MOVZX EDX,WORD PTR DS:[ESI]
004BE7C9 |. 52 PUSH EDX
004BE7CA |. 8D7E 02 LEA EDI,DWORD PTR DS:[ESI+2]
004BE7CD |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
004BE7D1 |. 57 PUSH EDI
004BE7D2 |. 50 PUSH EAX
004BE7D3 |. E8 180B0000 CALL SnagIt32.004BF2F0
004BE7D8 |. 8D4C24 68 LEA ECX,DWORD PTR SS:[ESP+68]
004BE7DC |. 51 PUSH ECX
004BE7DD |. 8D5424 5C LEA EDX,DWORD PTR SS:[ESP+5C]
004BE7E1 |. 52 PUSH EDX
004BE7E2 |. E8 C90B0000 CALL SnagIt32.004BF3B0
004BE7E7 |. 33C0 XOR EAX,EAX
004BE7E9 |. B9 0C000000 MOV ECX,0C
004BE7EE |. F3:AB REP STOS DWORD PTR ES:[EDI]
004BE7F0 |. 83C4 40 ADD ESP,40
004BE7F3 |. 66:AB STOS WORD PTR ES:[EDI]
004BE7F5 |. 33C9 XOR ECX,ECX ; the main algorithm
004BE7F7 |> 0FB7D1 /MOVZX EDX,CX
004BE7FA |. 8BC2 |MOV EAX,EDX
004BE7FC |. D1E8 |SHR EAX,1
004BE7FE |. 8A0418 |MOV AL,BYTE PTR DS:[EAX+EBX] ; take the key characters one by one
004BE801 |. E8 AAFEFFFF |CALL SnagIt32.004BE6B0 ; convert to a hex digit value
004BE806 |. 0FB65414 20 |MOVZX EDX,BYTE PTR SS:[ESP+EDX+20] ; lookup table
004BE80B |. 83E2 0F |AND EDX,0F ; keep the low 4 bits
004BE80E |. 0FBE5414 10 |MOVSX EDX,BYTE PTR SS:[ESP+EDX+10]
004BE813 |. 0FB6C0 |MOVZX EAX,AL
004BE816 |. 3BD0 |CMP EDX,EAX ; must be equal
004BE818 |. 75 15 |JNZ SHORT SnagIt32.004BE82F
004BE81A |. 83C1 02 |ADD ECX,2
004BE81D |. 66:83F9 10 |CMP CX,10
004BE821 |.^ 72 D4 \JB SHORT SnagIt32.004BE7F7
004BE823 |. 5F POP EDI ; judging from the above, this checks the first 8 characters
004BE824 |. 5E POP ESI
004BE825 |. B8 01000000 MOV EAX,1
004BE82A |. 5B POP EBX
004BE82B |. 83C4 7C ADD ESP,7C
004BE82E |. C3 RETN
004BE82F |> 5F POP EDI
004BE830 |. 5E POP ESI
004BE831 |. 33C0 XOR EAX,EAX
004BE833 |. 5B POP EBX
004BE834 |. 83C4 7C ADD ESP,7C
004BE837 \. C3 RETN
------------------------------------------------------------------------------------
I almost forgot to mention this, and it would have misled people: that lookup table is computed from the last 4 characters of the key, so it is not fixed.
I did not look at exactly how it is generated; I used 4578. One working name/key pair:
bucktooth
D98E16E19012994578
--------------------------------------------------------------------------------
【Copyright notice】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!