|
 |
推荐文章 |
|
|
|
|
|
|
|
|
|
|
即时语音提示 & 校对软件InsTalk注册码及注册机 下 |
|
:00404824 8B5500 mov edx, dword ptr [ebp+00]
:00404827 6A00 push 00000000
:00404829 52 push edx
:0040482A 57 push edi
:0040482B E8802A0000 call 004072B0
:00404830 8B4500 mov eax, dword ptr [ebp+00]
:00404833 83C40C add esp, 0000000C
:00404836 43 inc ebx
:00404837 83FB03 cmp ebx, 00000003
:0040483A C6043800 mov byte ptr [eax+edi], 00
:0040483E 0F8C2FFFFFFF jl 00404773
:00404844 8B0D58E74200 mov ecx, dword ptr [0042E758]
:0040484A 8B542430 mov edx, dword ptr [esp+30]
:0040484E 894C2410 mov dword ptr [esp+10], ecx
:00404852 52 push edx
:00404853 8D4C2414 lea ecx, dword ptr [esp+14]
:00404857 E8DB8B0100 call 0041D437
:0040485C 8B442434 mov eax, dword ptr [esp+34]
:00404860 6A19 push 00000019
:00404862 51 push ecx
:00404863 C68424EC04000003 mov byte ptr [esp+000004EC], 03
:0040486B 8BCC mov ecx, esp
:0040486D 89642424 mov dword ptr [esp+24], esp
:00404871 50 push eax
:00404872 E839030000 call 00404BB0
:00404877 8B4C2434 mov ecx, dword ptr [esp+34]
:0040487B C68424EC04000004 mov byte ptr [esp+000004EC], 04
:00404883 51 push ecx
:00404884 8D4C2424 lea ecx, dword ptr [esp+24]
:00404888 E823030000 call 00404BB0
:0040488D 51 push ecx
:0040488E 8D4C241C lea ecx, dword ptr [esp+1C]
:00404892 8BD4 mov edx, esp
:00404894 89642430 mov dword ptr [esp+30], esp
:00404898 51 push ecx
:00404899 50 push eax
:0040489A 52 push edx
:0040489B C68424FC04000005 mov byte ptr [esp+000004FC], 05
:004048A3 E8F48B0100 call 0041D49C
:004048A8 C68424F004000006 mov byte ptr [esp+000004F0], 06
:004048B0 E80B020000 call 00404AC0(这里又调用00404AC0判断注册码,详细代码见上面)
:004048B5 83C40C add esp, 0000000C(经过分析可以知道,如果注册码正确,此出返回eax的值应该是1,如果错误则返回0)
:004048B8 8D4C2418 lea ecx, dword ptr [esp+18]
:004048BC A3EC254300 mov dword ptr [004325EC], eax
:004048C1 C68424E404000003 mov byte ptr [esp+000004E4], 03
:004048C9 E8708A0100 call 0041D33E
:004048CE 8D4C2410 lea ecx, dword ptr [esp+10]
:004048D2 C68424E404000000 mov byte ptr [esp+000004E4], 00
:004048DA E85F8A0100 call 0041D33E
:004048DF 8D7C242C lea edi, dword ptr [esp+2C]
:004048E3 BB03000000 mov ebx, 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004048F7(C)
|
:004048E8 8B17 mov edx, dword ptr [edi]
:004048EA 52 push edx
:004048EB E8CA570000 call 0040A0BA
:004048F0 83C404 add esp, 00000004
:004048F3 83C704 add edi, 00000004
:004048F6 4B dec ebx
:004048F7 75EF jne 004048E8
:004048F9 E822F5FFFF call 00403E20
:004048FE 8BCE mov ecx, esi
:00404900 E85BF8FFFF call 00404160
:00404905 A1EC254300 mov eax, dword ptr [004325EC]
:0040490A 85C0 test eax, eax
:0040490C 0F8588000000 jne 0040499A
:00404912 8BCE mov ecx, esi
:00404914 E8C7FCFFFF call 004045E0(判断是否已过试用期)
:00404919 85C0 test eax, eax(未过,eax=0;已过,eax=1)
:0040491B 747D je 0040499A
* Possible Reference to String Resource ID=00112: ",o?q玱?▌?�蜥�
倻?�珥(,o?〝?\�鑼�
?1鑼��"
|
:0040491D 6A70 push 00000070
:0040491F 8D4C2418 lea ecx, dword ptr [esp+18]
:00404923 E8FD8C0100 call 0041D625
:00404928 A158E74200 mov eax, dword ptr [0042E758]
:0040492D 89442410 mov dword ptr [esp+10], eax
* Possible Reference to String Resource ID=00125: "鑼"
|
:00404931 6A7D push 0000007D
:00404933 8D4C2414 lea ecx, dword ptr [esp+14]
:00404937 C68424E804000007 mov byte ptr [esp+000004E8], 07
:0040493F E8E18C0100 call 0041D625
:00404944 8B4C2410 mov ecx, dword ptr [esp+10]
:00404948 8B542414 mov edx, dword ptr [esp+14]
:0040494C 6A34 push 00000034
:0040494E 51 push ecx
:0040494F 52 push edx
:00404950 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00404952 FF1544544200 Call dword ptr [00425444](过期提示)
:00404958 83F806 cmp eax, 00000006
:0040495B 7511 jne 0040496E
:0040495D B940234300 mov ecx, 00432340
:00404962 C7461C40234300 mov [esi+1C], 00432340
:00404969 E8E04F0100 call 0041994E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040495B(C)
|
:0040496E 8D4C2410 lea ecx, dword ptr [esp+10]
:00404972 C68424E404000000 mov byte ptr [esp+000004E4], 00
:0040497A E8BF890100 call 0041D33E
:0040497F 8D4C2414 lea ecx, dword ptr [esp+14]
:00404983 C78424E4040000FFFFFFFF mov dword ptr [esp+000004E4], FFFFFFFF
:0040498E E8AB890100 call 0041D33E
:00404993 33C0 xor eax, eax
:00404995 E90A010000 jmp 00404AA4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040490C(C), :0040491B(C)
|
:0040499A 8D442444 lea eax, dword ptr [esp+44]
:0040499E C744244494000000 mov [esp+44], 00000094
:004049A6 50 push eax
* Reference To: KERNEL32.GetVersionExA, Ord:0175h
|
:004049A7 FF1598514200 Call dword ptr [00425198]
:004049AD 8B6C2454 mov ebp, dword ptr [esp+54]
:004049B1 33C9 xor ecx, ecx
:004049B3 83FD02 cmp ebp, 00000002
* Possible Reference to String Resource ID=00114: "InsTalk ?b"
|
:004049B6 6A72 push 00000072
:004049B8 0F94C1 sete cl
:004049BB 890D0C1F4300 mov dword ptr [00431F0C], ecx
:004049C1 8D4C2418 lea ecx, dword ptr [esp+18]
:004049C5 E85B8C0100 call 0041D625
:004049CA 8B542414 mov edx, dword ptr [esp+14]
:004049CE 52 push edx
:004049CF 6A00 push 00000000
* Reference To: USER32.FindWindowA, Ord:00D5h
|
:004049D1 FF1548544200 Call dword ptr [00425448]
:004049D7 85C0 test eax, eax
:004049D9 741B je 004049F6
:004049DB 8D4C2414 lea ecx, dword ptr [esp+14]
:004049DF C78424E4040000FFFFFFFF mov dword ptr [esp+000004E4], FFFFFFFF
:004049EA E84F890100 call 0041D33E
:004049EF 33C0 xor eax, eax
:004049F1 E9AE000000 jmp 00404AA4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049D9(C)
|
:004049F6 E895DC0100 call 00422690
:004049FB 8B400C mov eax, dword ptr [eax+0C]
:004049FE 6891000000 push 00000091
:00404A03 50 push eax
* Reference To: USER32.LoadCursorA, Ord:019Ah
|
:00404A04 FF15C0544200 Call dword ptr [004254C0]
:00404A0A 68681C4300 push 00431C68
:00404A0F A330204300 mov dword ptr [00432030], eax
:00404A14 E8C7F2FFFF call 00403CE0
:00404A19 83C404 add esp, 00000004
:00404A1C 85C0 test eax, eax
:00404A1E 7556 jne 00404A76
:00404A20 A18C1E4300 mov eax, dword ptr [00431E8C]
:00404A25 85C0 test eax, eax
:00404A27 7534 jne 00404A5D
* Possible Reference to String Resource ID=00115: "~
0眢搰?
鱪ろ髶圅�,o? "
|
:00404A29 6A73 push 00000073
:00404A2B 8D4C2418 lea ecx, dword ptr [esp+18]
:00404A2F E8F18B0100 call 0041D625
:00404A34 8B442414 mov eax, dword ptr [esp+14]
:00404A38 6A30 push 00000030
:00404A3A 6A00 push 00000000
:00404A3C 50 push eax
:00404A3D 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00404A3F FF1544544200 Call dword ptr [00425444]
:00404A45 8D4C2414 lea ecx, dword ptr [esp+14]
:00404A49 C78424E4040000FFFFFFFF mov dword ptr [esp+000004E4], FFFFFFFF
:00404A54 E8E5880100 call 0041D33E
:00404A59 33C0 xor eax, eax
:00404A5B EB47 jmp 00404AA4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404A27(C)
|
:00404A5D 8B15841E4300 mov edx, dword ptr [00431E84]
:00404A63 B986000000 mov ecx, 00000086
* Possible Reference to Dialog:
|
:00404A68 BF681C4300 mov edi, 00431C68
:00404A6D 8B7208 mov esi, dword ptr [edx+08]
:00404A70 F3 repz
:00404A71 A5 movsd
:00404A72 8B742420 mov esi, dword ptr [esp+20]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404A1E(C)
|
:00404A76 6A00 push 00000000
* Possible Reference to String Resource ID=00102: "A?仨笮:"
|
:00404A78 6A66 push 00000066
:00404A7A B9C0244300 mov ecx, 004324C0
:00404A7F C7461CC0244300 mov [esi+1C], 004324C0
:00404A86 E8424B0100 call 004195CD(这里出现欢迎提示框)
:00404A8B 8D4C2414 lea ecx, dword ptr [esp+14]
:00404A8F C78424E4040000FFFFFFFF mov dword ptr [esp+000004E4], FFFFFFFF
:00404A9A E89F880100 call 0041D33E
:00404A9F B801000000 mov eax, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404995(U), :004049F1(U), :00404A5B(U)
|
:00404AA4 8B8C24DC040000 mov ecx, dword ptr [esp+000004DC]
:00404AAB 5F pop edi
:00404AAC 5E pop esi
:00404AAD 5D pop ebp
:00404AAE 64890D00000000 mov dword ptr fs:[00000000], ecx
:00404AB5 5B pop ebx
:00404AB6 81C4D8040000 add esp, 000004D8
:00404ABC C3 ret
其实通过分析我们已经可以看出,整个程序不论是注册时还是重新启动时都是在call 00404AC0里面进行核心的注册码判断,我们只要修改其中的一处就可变成注册版。并且从程序分析可知,全部比较完毕并且注册码正确时将跳到00404B2C,所以修改方法如下:
:00404B0E 3AD3 cmp dl, bl(这里改成cmp dl,dl即3AD3改为3AD2,自己比自己当然是一样的)
:00404B10 751E jne 00404B30(这里我们改成je 00404B2C,即将751E改成741A)
用二进制编辑工具打开InsTalk.exe文件,
查找:83C40C8A108A1E8ACA3AD3751E84C9
修改:------------------3AD2741A----
=======================================================
5、该软件的注册信息保存在注册表的以下位置:
HKEY_CURRENT_USER\Software\Happy Studio\INSTALK\Registration
HKEY_USERS\.DEFAULT\Software\Happy Studio\INSTALK\Registration
两个键下的四个二进制值(已加密变换)下:
Date:软件第一次运行的时间;试用期过后删除该二进制值可继续使用。
Date0:注册用户名称;
Date1:注册用户单位;
Date2:注册码。
用户注册后,删除Date0、Date1、Date2三个二进制值可重新注册。
=======================================================
6、编写注册机
使用“注册机编写器(Keymaker)”之“另类注册机”功能
(1)程序名称:InsTalk.exe
(2)添加数据:
中断地址:40749A
中断次数:1
第一字节:E8
指令长度:5
中断地址:404B05
中断次数:1
第一字节:83
指令长度:3
(3)选择内存方式EAX。
=======================================THE END=============================================
这个教程我作了一些注释,初学破解的朋友可以看一看,其中不对之处也请各位多多指教! |
|
|
|
|
|
特别声明: 本站除部分特别声明禁止转载的专稿外的其他文章可以自由转载,但请务必注明出处和原始作者。文章版权归文章原始作者所有。对于被本站转载文章的个人和网站,我们表示深深的谢意。如果本站转载的文章有版权问题请联系编辑人员,我们尽快予以更正。 |
|
|
|
|
|
责任编辑: 原点 |
投稿作者: 本站收集 |
|
|
信息来源: 网络 |
录入时间: 2005-6-1 |
|
|
|
| |
|
设为首页
加入收藏
总编信箱
投稿或申请专栏请先 [登 陆]