破解即时语音提示校对软件InsTalk注册码及注册机初学者请看文档格式.docx
==========================================================================================
1、启动程序,填写注册信息,Ctrl-n,bpxhmemcpy,F5返回,按“注册”按钮,程序拦下。
2、bc*,pmodule。
3、按两次F10,来到下面:
:
004073D08D8C2444010000leaecx,dwordptr[esp+00000144]
004073D76800010000push00000100
004073DC51pushecx
004073DD680D040000push0000040D
004073E28BCEmovecx,esi
004073E48944243Cmovdwordptr[esp+3C],eax
004073E8E8D4540100call0041C8C1
004073ED8BC8movecx,eax
004073EFE815560100call0041CA09
004073F48D942444020000leaedx,dwordptr[esp+00000244]
004073FB6800010000push00000100
0040740052pushedx
00407401680F040000push0000040F
004074068BCEmovecx,esi
0040740889442440movdwordptr[esp+40],eax
0040740CE8B0540100call0041C8C1
004074118BC8movecx,eax
00407413E8F1550100call0041CA09
0040741889442438movdwordptr[esp+38],eax
0040741CE86FB20100call00422690
004074218B6804movebp,dwordptr[eax+04]
00407424A158E74200moveax,dwordptr[0042E758]
004074298D8C2444010000leaecx,dwordptr[esp+00000144]
00407430896C241Cmovdwordptr[esp+1C],ebp
0040743451pushecx
004074358D4C241Cleaecx,dwordptr[esp+1C]
004074398944241Cmovdwordptr[esp+1C],eax
0040743DE8F55F0100call0041D437
004074426A19push00000019
0040744451pushecx
004074458D94244C020000leaedx,dwordptr[esp+0000024C]
0040744C33DBxorebx,ebx
0040744E8BCCmovecx,esp
0040745089642444movdwordptr[esp+44],esp
0040745452pushedx
00407455899C2458030000movdwordptr[esp+00000358],ebx
0040745CE84FD7FFFFcall00404BB0
004074618D44244Cleaeax,dwordptr[esp+4C]
004074658D4C2434leaecx,dwordptr[esp+34]
0040746950pusheax
0040746AC684245803000001movbyteptr[esp+00000358],01
00407472E839D7FFFFcall00404BB0
0040747751pushecx
004074788D542424leaedx,dwordptr[esp+24]
0040747C8BCCmovecx,esp
0040747E8964244Cmovdwordptr[esp+4C],esp
0040748252pushedx
0040748350pusheax
0040748451pushecx
00407485C684246403000002movbyteptr[esp+00000364],02
0040748DE80A600100call0041D49C
00407492C684245803000003movbyteptr[esp+00000358],03
0040749AE821D6FFFFcall00404AC0(此处改变eax的值,说明对注册码进行了判断)
0040749F83C40Caddesp,0000000C
004074A28D4C242Cleaecx,dwordptr[esp+2C]
004074A68BF8movedi,eax(这里将eax的值赋予edi)
004074A8889C244C030000movbyteptr[esp+0000034C],bl
004074AFE88A5E0100call0041D33E
004074B48D4C2418leaecx,dwordptr[esp+18]
004074B8C784244C030000FFFFFFFFmovdwordptr[esp+0000034C],FFFFFFFF
004074C3E8765E0100call0041D33E
004074C83BFBcmpedi,ebx
004074CA0F849C000000je0040756C(此处若不跳,则可将错误的注册信息强制写入注册表)
004074D08D742444leaesi,dwordptr[esp+44]
004074D48D6C2430leaebp,dwordptr[esp+30]
在:
0040749AE821D6FFFFcall00404AC0处按F8进入:
; ---------------------------------------------------------------------------
; Routine at 00404AC0 (32-bit x86, disassembler listing; column whitespace was
; lost in extraction, so each line reads address + opcode bytes + mnemonic).
;
; Purpose: compares the user-supplied registration string with the string
;          returned through the helper at 00407100 and reports equality.
; Out:     eax = 1 when both NUL-terminated byte strings are equal, else 0
;          (see the test / sete / and sequence near the end).
; Stack:   ends in a plain ret; the call site shown earlier on the page does
;          add esp, 0C after the call, so arguments are caller-cleaned.
; Helpers: 0041D0B3, 00407100 and 0041D33E are not shown in this excerpt;
;          remarks about them are assumptions unless marked otherwise.
;
; NOTE(review): as listed, the routine obtains the complete expected code at
; run time and compares it in clear text, so the value the check depends on
; is resident in process memory during validation. A verifier that never
; reconstructs the valid code on the client (for example, checking a
; signature against an embedded public key) does not have this property.
; ---------------------------------------------------------------------------
; Prologue: build an exception-registration record (previous fs:[0], handler
; 00424100, state value FFFFFFFF) and link it at fs:[0].
00404AC064A100000000moveax,dwordptrfs:
[00000000]
00404AC66AFFpushFFFFFFFF
00404AC86800414200push00424100
00404ACD50pusheax
00404ACE64892500000000movdwordptrfs:
[00000000],esp
; ebx and esi are used below and restored before ret.
00404AD553pushebx
00404AD656pushesi
; Set up arguments and call 0041D0B3 with ecx = current esp.
; presumably a string-object copy into a stack temporary - TODO confirm.
00404AD78B442420moveax,dwordptr[esp+20]
00404ADB8D542418leaedx,dwordptr[esp+18]
00404ADF50pusheax
00404AE051pushecx
00404AE18BCCmovecx,esp
00404AE389642428movdwordptr[esp+28],esp
00404AE752pushedx
; presumably the unwind-state index for the registration record - TODO confirm.
00404AE8C744241C01000000mov[esp+1C],00000001
00404AF0E8BE850100call0041D0B3
; 00407100 receives the address of a stack slot; per the author's annotation
; it derives the expected registration code. Its return value is dereferenced
; below to obtain the expected string pointer.
00404AF58D442428leaeax,dwordptr[esp+28]
00404AF950pusheax
00404AFAE801260000call00407100(算注册码)
; esi = pointer to the user-entered code, eax = pointer to the expected code
; (roles as stated in the author's annotations), then 12 bytes of stack are
; released.
00404AFF8B742428movesi,dwordptr[esp+28](将错误的注册码赋予esi)
00404B038B00moveax,dwordptr[eax](将正确的注册码赋予eax)
00404B0583C40Caddesp,0000000C(在此处deax看到真正的注册码)
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:
00404B2A(C)
|
; Compare loop, two bytes per iteration. dl/cl hold the byte read through eax,
; bl the byte read through esi. Any mismatch exits to 00404B30; a NUL in the
; eax-side string (with all earlier bytes equal) exits to 00404B2C.
00404B088A10movdl,byteptr[eax](取真码第一位)
00404B0A8A1Emovbl,byteptr[esi](取假码第一位)
00404B0C8ACAmovcl,dl(将真码第一位赋予cl)
00404B0E3AD3cmpdl,bl(比较两值是否相同)
00404B10751Ejne00404B30(不同就跳到00404B30,比较失败)
00404B1284C9testcl,cl(测试cl是否为空,即判断是否已全部比较完)
00404B147416je00404B2C(如果比较完毕,则跳到00404B2C)
00404B168A5001movdl,byteptr[eax+01](取真码下一位)
00404B198A5E01movbl,byteptr[esi+01](取假码下一位)
00404B1C8ACAmovcl,dl
00404B1E3AD3cmpdl,bl
00404B20750Ejne00404B30(不同就跳到00404B30,比较失败)
; Advance both pointers by the two bytes just compared.
00404B2283C002addeax,00000002(去掉真码前两位,为下一轮比较做准备)
00404B2583C602addesi,00000002(去掉假码前两位,为下一轮比较做准备)
00404B2884C9testcl,cl(测试cl是否为空,即判断是否已全部比较完)
00404B2A75DCjne00404B08(返回00404B08继续比较)
00404B14(C)
; Equal path: intermediate result eax = 0.
00404B2C33C0xoreax,eax(注册码正确时,跳到此行)
00404B2EEB05jmp00404B35
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:
00404B10(C),:
00404B20(C)
; Mismatch path: the sbb pair turns the carry flag left by cmp dl,bl into
; eax = -1 (dl below bl) or eax = 1 (dl above bl), i.e. a non-zero result.
00404B301BC0sbbeax,eax(注册码错误时,跳到此行)
00404B3283D8FFsbbeax,FFFFFFFF
00404B2E(U)
; Convert the three-way result to a boolean: al = 1 only when eax was 0, and
; the and clears the upper 24 bits. The boolean is parked in esi across the
; helper calls that follow.
00404B3585C0testeax,eax
00404B370F94C0seteal
00404B3A25FF000000andeax,000000FF
00404B3F8D4C2420leaecx,dwordptr[esp+20]
00404B438BF0movesi,eax(将eax的值赋予esi)
; Three calls to 0041D33E, each with ecx pointing at a different stack slot and
; the state value at [esp+10] stepped to 00 and then FFFFFFFF in between.
; looks like cleanup of three temporaries - helper not shown, TODO confirm.
00404B45E8F4870100call0041D33E
00404B4A8D4C2418leaecx,dwordptr[esp+18]
00404B4EC644241000mov[esp+10],00
00404B53E8E6870100call0041D33E
00404B588D4C241Cleaecx,dwordptr[esp+1C]
00404B5CC7442410FFFFFFFFmov[esp+10],FFFFFFFF
00404B64E8D5870100call0041D33E
; Epilogue: reload the saved previous fs:[0] value, move the boolean result
; back into eax, restore esi/ebx, unlink the registration record, drop its
; 12 bytes and return.
00404B698B4C2408movecx,dwordptr[esp+08]
00404B6D8BC6moveax,esi(将esi的值赋予eax)
00404B6F5Epopesi
00404B7064890D00000000movdwordptrfs:
[00000000],ecx
00404B775Bpopebx
00404B7883C40Caddesp,0000000C
00404B7BC3ret
4、以下是对程序重新启动后的一些分析:
程序一开始有个欢迎提示框,提示是共享版还是注册版,可见在此之前已经判断了是否已经注册,所以目的就是找出出现这个提示框的最后一个关键Call。
用trw2000载入InsTalk.exe,结合F10、F9、F6键就可找到这个Call(具体操作方法可参考我写的Acdsee4.0的破解,在看雪论坛以我的注册名搜索就能找到)
0041F76B8B06moveax,dwordptr[esi]
0041F76D8BCEmovecx,esi
0041F76FFF5050call[eax+50](此处是出现提示框,应该快接近核心了。
即使判断错也没关系,可以继续再试嘛!
)
0041F77285C0testeax,eax
0041F7747515jne0041F78B
F8进入上面的Call,看到下面代码:
004046D06AFFpushFFFFFFFF
004046D268DD404200push004240DD
004046D764A100000000moveax,dwordptrfs:
……………………略去一些代码
*PossibleReferencetoDialog:
|
004047A768D0E04200push0042E0D0
004047AC8BCEmovecx,esi
004047AEC68424F404000002movbyteptr[esp+000004F4],02
004047B6E8DBDA0100call00422296
004047BB8D4C2424leaecx,dwordptr[esp+24]
004047BFC68424E404000001movbyteptr[esp+000004E4],01
004047C7E8728B0100call0041D33E
004047CC8D4C241Cleaecx,dwordptr[esp+1C]
004047D0C68424E404000000movbyteptr[esp+000004E4],00
004047D8E8618B0100call0041D33E
004047DD8B5500movedx,dwordptr[ebp+00]
004047E042incedx
004047E152pushedx
004047E2E8BC590000call0040A1A3
004047E78BF8movedi,eax
004047E98B442414moveax,dwordptr[esp+14]
004047ED83C404addesp,00000004
004047F0897C2418movdwordptr[esp+18],edi
004047F485C0testeax,eax(判断是否将注册信息写入注册表,若无则eax=0)
004047F6897C9C2Cmovdwordptr[esp+4*ebx+2C],edi
004047FA7428je00404824
004047FC8B4D00movecx,dwordptr[ebp+00]
004047FF8BF0movesi,eax
004048018BC1moveax,ecx
00404803C1E902shrecx,02
00404806F3repz
00404807A5movsd
004048088BC8movecx,eax
0040480A83E103andecx,00000003
0040480DF3repz
0040480EA4movsb
0040480F8B4C2410movecx,dwordptr[esp+10]
0040481351pushecx
00404814E88F880100call0041D0A8
004048198B7C241Cmovedi,dwordptr[esp+1C]
0040481D8B742424movesi,dwordptr[esp+24]
0040482183C404addesp,00000004
004047FA(C)
004048248B5500movedx,dwordptr[ebp+00]
004048276A00push00000000
0040482952pushedx
0040482A57pushedi
0040482BE8802A0000call004072B0
004048308B4500moveax,dwordptr[ebp+00]
0040483383C40Caddesp,0000000C
0040483643incebx
0040483783FB03cmpebx,00000003
0040483AC6043800movbyteptr[eax+edi],00
0040483E0F8C2FFFFFFFjl00404773
004048448B0D58E74200movecx,dwordptr[0042E758]
0040484A8B542430movedx,dwordptr[esp+30]
0040484E894C2410movdwordptr[esp+10],ecx
0040485252pushedx
004048538D4C2414leaecx,dwordptr[esp+14]
00404857E8DB8B0100call0041D437
0040485C8B442434moveax,dwordptr[esp+34]
004048606A19push00000019
0040486251pushecx
00404863C68424EC04000003movbyteptr[esp+000004EC],03
0040486B8BCCmovecx,esp
0040486D89642424movdwordptr[esp+24],esp
0040487150pusheax
00404872E839030000call00404BB0
004048778B4C2434movecx,dwordptr[esp+34]
0040487BC68424EC04000004movbyteptr[esp+000004EC],04
0040488351pushecx
004048848D4C2424leaecx,dwordptr[esp+24]
00404888E823030000call00404BB0
0040488D5