发表于 2013-5-28 15:18
本帖最后由 我是用户 于 2013-6-23 13:49 编辑
【软件名称】: LukoolRecorder2.7.5cn
【作者邮箱】: 2714608453@qq.com
【下载地址】: 自己搜索下载
【加壳方式】: 无壳(编译器为 Microsoft Visual C++ 6.0,见下文查壳结果)
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
前言:
前段时间,论坛里放出过 LukoolRecorder 的注册机(明码比较)。我下载下来的时候,注册机已经失效:新版本加入了网络验证。我将其破解,论坛里也有最新版本的破解,这里就说说破解的思路。
1.查壳
用PEID查壳,显示什么都没找到! *,核心扫描的结果是Microsoft Visual C++ v6.0 DLL *。
用OD载入,未显示压缩数据,无壳,不影响我们分析。
2.爆破
未注册版本的限制为录制生成的视频带有水印。
在注册框内输入注册信息,单击确定,弹出错误提示。
如图1:
bp MessageBoxA,程序断下,堆栈回溯,找到按钮事件为00459324,重新输入注册名和假码,具体分析代码如下:
00459324 > \8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; |
00459327 . C74424 04 270>mov dword ptr ss:[esp+0x4],0x427 ; |
0045932F . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],-0x1 ; |
00459339 . 891424 mov dword ptr ss:[esp],edx ; |
0045933C . E8 137A3800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459341 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
00459344 . 83EC 08 sub esp,0x8
00459347 . 894424 04 mov dword ptr ss:[esp+0x4],eax
0045934B . 891424 mov dword ptr ss:[esp],edx
0045934E . E8 2DC9FEFF call LukoolRe.00445C80 ; 得到注册名
00459353 . 8B5D 0C mov ebx,dword ptr ss:[ebp+0xC]
00459356 . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x7
00459360 . 83EC 04 sub esp,0x4
00459363 . C74424 04 280>mov dword ptr ss:[esp+0x4],0x428 ; |
0045936B . 891C24 mov dword ptr ss:[esp],ebx ; |
0045936E . E8 E1793800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459373 . 83EC 08 sub esp,0x8
00459376 . 8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
00459379 . 894424 04 mov dword ptr ss:[esp+0x4],eax
0045937D . 891424 mov dword ptr ss:[esp],edx
00459380 . E8 FBC8FEFF call LukoolRe.00445C80 ; 得到假码
00459385 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; ntdll.7C930060
00459388 . 83EC 04 sub esp,0x4
0045938B . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x6
00459395 . 890424 mov dword ptr ss:[esp],eax
00459398 . E8 932DFDFF call LukoolRe.0042C130
0045939D . 8B55 D8 mov edx,dword ptr ss:[ebp-0x28] ; ntdll.7C930060
004593A0 . 8B5A F4 mov ebx,dword ptr ds:[edx-0xC] ; LukoolRe.005C006E
004593A3 . 85DB test ebx,ebx
004593A5 . 74 0E je short LukoolRe.004593B5 ; 判断注册名长度
004593A7 . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] ; ntdll.7C92E920
004593AA . 8B48 F4 mov ecx,dword ptr ds:[eax-0xC]
004593AD . 85C9 test ecx,ecx
004593AF . 0F85 DB000000 jnz LukoolRe.00459490 ; 判断假码长度
004593B5 > 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
004593B8 . C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
...省略无关代码
004594DA > 8B55 D8 mov edx,dword ptr ss:[ebp-0x28] ; ntdll.7C930060
004594DD . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] ; ntdll.7C92E920
004594E0 . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x6
004594EA . 891424 mov dword ptr ss:[esp],edx
004594ED . 894424 04 mov dword ptr ss:[esp+0x4],eax
004594F1 . E8 FA88FDFF call LukoolRe.00431DF0 ; 真假码比较
004594F6 . 84C0 test al,al ; |
004594F8 . 0F84 0C010000 je LukoolRe.0045960A ; |跳向失败
进入00431DF0可以看见真码,上一个版本,只需要做个内存注册机便可实现完美注册。
00431DF0 $ 55 push ebp
00431DF1 . B8 CC110000 mov eax,0x11CC
00431DF6 . 89E5 mov ebp,esp
00431DF8 . 57 push edi
00431DF9 . 56 push esi
00431DFA . 53 push ebx
...省略无关代码
00431EB1 . 85DB test ebx,ebx
00431EB3 . 0F85 B7020000 jnz LukoolRe.00432170
00431EB9 > 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
00431EBC . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
00431EC6 . 83EA 0C sub edx,0xC
00431EC9 > B9 4C6D8500 mov ecx,LukoolRe.00856D4C ; 出现真码
00431ECE . 39D1 cmp ecx,edx
00431ED0 . 0F85 D7070000 jnz LukoolRe.004326AD
00431ED6 > 8B55 DC mov edx,dword ptr ss:[ebp-0x24]
00431ED9 . BB 4C6D8500 mov ebx,LukoolRe.00856D4C
00431EDE . 83EA 0C sub edx,0xC
00431EE1 . 39D3 cmp ebx,edx
00431EE3 . 0F85 93070000 jnz LukoolRe.0043267C
00431EE9 > 8D85 80EEFFFF lea eax,dword ptr ss:[ebp-0x1180]
00431EEF . 890424 mov dword ptr ss:[esp],eax
00431EF2 . E8 A94E3A00 call LukoolRe.007D6DA0
00431EF7 . 8B85 40EEFFFF mov eax,dword ptr ss:[ebp-0x11C0]
00431EFD . 8D65 F4 lea esp,dword ptr ss:[ebp-0xC]
00431F00 . 5B pop ebx ; 02BB0A78
00431F01 . 5E pop esi ; 02BB0A78
00431F02 . 5F pop edi ; 02BB0A78
00431F03 . 5D pop ebp ; 02BB0A78
00431F04 . C3 retn
00431EC9处的寄存器信息如下:
EAX 00000001
ECX 77BFC2E3 msvcrt.77BFC2E3
EDX 02BB0EB0
EBX 02BB0A78
ESP 0022DEEC
EBP 0022F0C4
ESI 02BB0A85 ASCII "VTEX-YAGCD-BFZHV-TUWUU"
EDI 02BB0EBD ASCII "234567890"
EIP 00431EC9 LukoolRe.00431EC9
可见,[ESI-1]处显示的就是所谓的真码TVTEX-YAGCD-BFZHV-TUWUU
重新输入注册名和真码,进入下一次验证。
004594FE . 8B5D 0C mov ebx,dword ptr ss:[ebp+0xC] ; |
00459501 . C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
00459509 . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x6 ; |
00459513 . 891C24 mov dword ptr ss:[esp],ebx ; |
00459516 . E8 39783800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045951B . 83EC 08 sub esp,0x8
0045951E . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
00459526 . 890424 mov dword ptr ss:[esp],eax ; |
00459529 . E8 B6773800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
0045952E . 83EC 08 sub esp,0x8
00459531 . C74424 04 020>mov dword ptr ss:[esp+0x4],0x2 ; |
00459539 . 891C24 mov dword ptr ss:[esp],ebx ; |
0045953C . E8 13783800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459541 . 83EC 08 sub esp,0x8
00459544 . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
0045954C . 890424 mov dword ptr ss:[esp],eax ; |
0045954F . E8 90773800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
00459554 . 83EC 08 sub esp,0x8
00459557 . C74424 04 2A0>mov dword ptr ss:[esp+0x4],0x42A ; |
0045955F . 891C24 mov dword ptr ss:[esp],ebx ; |
00459562 . E8 ED773800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459567 . 83EC 08 sub esp,0x8
0045956A . C74424 04 050>mov dword ptr ss:[esp+0x4],0x5 ; |
00459572 . 890424 mov dword ptr ss:[esp],eax ; |
00459575 . E8 12773800 call <jmp.&USER32.ShowWindow> ; \ShowWindow
0045957A . 83EC 08 sub esp,0x8
0045957D . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
00459580 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00459584 . C70424 A84F1A>mov dword ptr ss:[esp],LukoolRe.011A4FA8
0045958B . E8 00403C00 call LukoolRe.0081D590
00459590 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
00459593 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00459597 . C70424 B84F1A>mov dword ptr ss:[esp],LukoolRe.011A4FB8
0045959E . E8 ED3F3C00 call LukoolRe.0081D590
004595A3 . 891D C84F1A01 mov dword ptr ds:[0x11A4FC8],ebx ; ||
004595A9 . C74424 14 000>mov dword ptr ss:[esp+0x14],0x0 ; ||
004595B1 . C74424 10 000>mov dword ptr ss:[esp+0x10],0x0 ; ||
004595B9 . C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; ||
004595C1 . C74424 08 A08>mov dword ptr ss:[esp+0x8],LukoolRe.0045>; ||
004595C9 . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; ||
004595D1 . C70424 000000>mov dword ptr ss:[esp],0x0 ; ||
004595D8 . E8 4B733800 call <jmp.&msvcrt._beginthreadex> ; |\_beginthreadex //建立线程,进行网络验证
004595DD . 8B55 08 mov edx,dword ptr ss:[ebp+0x8] ; |
004595E0 . 8902 mov dword ptr ds:[edx],eax ; |
004595E2 . C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; |
004595EA . C74424 08 102>mov dword ptr ss:[esp+0x8],0x2710 ; |
004595F2 . C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
004595FA . 891C24 mov dword ptr ss:[esp],ebx ; |
004595FD . E8 4A773800 call <jmp.&USER32.SetTimer> ; \SetTimer
00459602 . 83EC 10 sub esp,0x10
00459605 .^ E9 1AFEFFFF jmp LukoolRe.00459424
在004595D8处下CC断点,堆栈信息如下所示:
0022F0CC 00000000 |security = NULL
0022F0D0 00000000 |stksize = 0x0
0022F0D4 004587A0 |start = LukoolRe.004587A0
0022F0D8 00000000 |arg = NULL
0022F0DC 00000000 |flags = 0
0022F0E0 00000000 \pID = NULL
可知,线程函数为004587A0,下断,然后F9运行,程序断下。
004587A0 /. 55 push ebp
004587A1 |. 89E5 mov ebp,esp
004587A3 |. 83EC 18 sub esp,0x18
004587A6 |. A1 B84F1A01 mov eax,dword ptr ds:[0x11A4FB8]
004587AB |. 894424 04 mov dword ptr ss:[esp+0x4],eax ; msvcrt.77C1BA52
004587AF |. A1 A84F1A01 mov eax,dword ptr ds:[0x11A4FA8]
004587B4 |. 890424 mov dword ptr ss:[esp],eax ; msvcrt.77C1BA52
004587B7 |. E8 3491FDFF call LukoolRe.004318F0 //网络验证CALL
004587BC |. C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; |
004587C4 |. C74424 04 000>mov dword ptr ss:[esp+0x4],0x500 ; |
004587CC |. 894424 08 mov dword ptr ss:[esp+0x8],eax ; |msvcrt.77C1BA52
004587D0 |. A1 C84F1A01 mov eax,dword ptr ds:[0x11A4FC8] ; |
004587D5 |. 890424 mov dword ptr ss:[esp],eax ; |msvcrt.77C1BA52
004587D8 |. E8 DF843800 call <jmp.&USER32.PostMessageA> ; \PostMessageA
004587DD |. 83EC 10 sub esp,0x10
004587E0 |. C9 leave
004587E1 \. C2 0400 retn 0x4
进入004318F0处
004318F0 $ 55 push ebp
004318F1 . 89E5 mov ebp,esp
004318F3 . 57 push edi
004318F4 . 56 push esi
004318F5 . 53 push ebx
004318F6 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
004318F9 . 83EC 7C sub esp,0x7C
004318FC . 8945 C0 mov dword ptr ss:[ebp-0x40],eax
004318FF . 8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
00431902 . 890424 mov dword ptr ss:[esp],eax
00431905 . C745 B8 B80A7>mov dword ptr ss:[ebp-0x48],LukoolRe.007>
0043190C . C745 BC FEF28>mov dword ptr ss:[ebp-0x44],LukoolRe.008>
00431913 . C745 C4 741C4>mov dword ptr ss:[ebp-0x3C],LukoolRe.004>
0043191A . 8965 C8 mov dword ptr ss:[ebp-0x38],esp
0043191D . E8 0E573A00 call LukoolRe.007D7030
00431922 . C745 A4 FFFFF>mov dword ptr ss:[ebp-0x5C],-0x1
00431929 . E8 029FFDFF call LukoolRe.0040B830
0043192E . 890424 mov dword ptr ss:[esp],eax
00431931 . E8 CA8DFDFF call LukoolRe.0040A700
00431936 . C745 E8 586D8>mov dword ptr ss:[ebp-0x18],LukoolRe.008>
0043193D . 8945 8C mov dword ptr ss:[ebp-0x74],eax
00431940 . 8B80 C4000000 mov eax,dword ptr ds:[eax+0xC4]
00431946 . C745 A4 04000>mov dword ptr ss:[ebp-0x5C],0x4
0043194D . 890424 mov dword ptr ss:[esp],eax
00431950 . E8 DBA7FFFF call LukoolRe.0042C130
00431955 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00431958 . C745 E4 586D8>mov dword ptr ss:[ebp-0x1C],LukoolRe.008>
0043195F . C74424 08 090>mov dword ptr ss:[esp+0x8],0x9
00431967 . C74424 04 0E9>mov dword ptr ss:[esp+0x4],LukoolRe.0085>; ASCII "reg_name="
0043196F . 890C24 mov dword ptr ss:[esp],ecx
00431972 . C745 A4 03000>mov dword ptr ss:[ebp-0x5C],0x3
00431979 . E8 32BB3E00 call LukoolRe.0081D4B0
0043197E . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00431981 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00431985 . 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
00431988 . 890424 mov dword ptr ss:[esp],eax
0043198B . E8 50E4FFFF call LukoolRe.0042FDE0
00431990 . 83EC 04 sub esp,0x4
00431993 . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
00431996 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00431999 . 895424 04 mov dword ptr ss:[esp+0x4],edx
0043199D . 890C24 mov dword ptr ss:[esp],ecx
004319A0 . C745 A4 02000>mov dword ptr ss:[ebp-0x5C],0x2
004319A7 . E8 A4B83E00 call LukoolRe.0081D250 ; 加密注册名
004319AC . 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
004319AF . B8 4C6D8500 mov eax,LukoolRe.00856D4C
004319B4 . 83EA 0C sub edx,0xC
004319B7 . 39D0 cmp eax,edx
004319B9 . 0F85 E4010000 jnz LukoolRe.00431BA3
004319BF > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004319C2 . C74424 08 090>mov dword ptr ss:[esp+0x8],0x9
004319CA . C74424 04 189>mov dword ptr ss:[esp+0x4],LukoolRe.0085>; ASCII "®_key="
004319D2 . 890C24 mov dword ptr ss:[esp],ecx
004319D5 . C745 A4 03000>mov dword ptr ss:[ebp-0x5C],0x3
004319DC . E8 7FB73E00 call LukoolRe.0081D160
004319E1 . 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
004319E4 . 894424 04 mov dword ptr ss:[esp+0x4],eax
004319E8 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004319EB . 890424 mov dword ptr ss:[esp],eax
004319EE . E8 EDE3FFFF call LukoolRe.0042FDE0
004319F3 . 83EC 04 sub esp,0x4
004319F6 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
004319F9 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004319FC . 895424 04 mov dword ptr ss:[esp+0x4],edx
00431A00 . 890C24 mov dword ptr ss:[esp],ecx
00431A03 . C745 A4 01000>mov dword ptr ss:[ebp-0x5C],0x1
00431A0A . E8 41B83E00 call LukoolRe.0081D250 ; 加密真码
00431A0F . 8B55 DC mov edx,dword ptr ss:[ebp-0x24]
00431A12 . B8 4C6D8500 mov eax,LukoolRe.00856D4C
00431A17 . 83EA 0C sub edx,0xC
00431A1A . 39D0 cmp eax,edx
00431A1C . 0F85 4B010000 jnz LukoolRe.00431B6D
00431A22 > 8B4D 8C mov ecx,dword ptr ss:[ebp-0x74] ; LukoolRe.008A1018
00431A25 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00431A28 . 8B91 C4000000 mov edx,dword ptr ds:[ecx+0xC4]
00431A2E . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00431A31 . 894C24 08 mov dword ptr ss:[esp+0x8],ecx
00431A35 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00431A39 . C745 A4 03000>mov dword ptr ss:[ebp-0x5C],0x3
00431A40 . 891424 mov dword ptr ss:[esp],edx
00431A43 . E8 C855FFFF call LukoolRe.00427010 ; 网络验证CALL
进入00427010
00427010 /$ 55 push ebp
00427011 |. 89E5 mov ebp,esp
00427013 |. 57 push edi
00427014 |. 56 push esi
00427015 |. 53 push ebx
...省略无关代码
004270C4 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1
004270CC |. 891424 mov dword ptr ss:[esp],edx
004270CF |. C785 94FBFFFF>mov [local.283],0x2
004270D9 |. E8 C25D2500 call <jmp.&WININET.InternetOpenA> //进入
004270DE |. 83EC 14 sub esp,0x14
004270E1 |. 85C0 test eax,eax
004270E3 |. 8985 68FBFFFF mov [local.294],eax
004270E9 |. 0F84 E1020000 je LukoolRe.004273D0
我的虚拟机里没有网络,所以显示网络连接错误。
如图2:
下断 MessageBoxA,然后堆栈回溯,找到响应代码处为
00459210 > \8B45 0C mov eax,dword ptr ss:[ebp+0xC] ; |
00459213 . C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
0045921B . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],-0x1 ; |
00459225 . 890424 mov dword ptr ss:[esp],eax ; |
00459228 . E8 F77A3800 call <jmp.&USER32.KillTimer> ; \KillTimer //取消定时器
0045922D . 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
00459230 . 8B02 mov eax,dword ptr ds:[edx]
00459232 . 83EC 08 sub esp,0x8
00459235 . 85C0 test eax,eax
00459237 .^ 0F84 A9FCFFFF je LukoolRe.00458EE6
0045923D . C70424 51B485>mov dword ptr ss:[esp],LukoolRe.0085B451 ; Activate timeout...
00459244 . E8 E72EFDFF call LukoolRe.0042C130
00459249 . 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8] ; |
0045924C . 8B03 mov eax,dword ptr ds:[ebx] ; |
0045924E . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
00459256 . 890424 mov dword ptr ss:[esp],eax ; |
00459259 . E8 A67D3800 call <jmp.&KERNEL32.TerminateThread> ; \TerminateThread //结束网络验证线程
0045925E . 8B03 mov eax,dword ptr ds:[ebx]
00459260 . 83EC 08 sub esp,0x8
00459263 . 890424 mov dword ptr ss:[esp],eax ; |
00459266 . E8 C97C3800 call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0045926B . 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
0045926E . C703 00000000 mov dword ptr ds:[ebx],0x0
00459274 . 83EC 04 sub esp,0x4
00459277 . C74424 08 FFF>mov dword ptr ss:[esp+0x8],-0x1
0045927F . 894424 04 mov dword ptr ss:[esp+0x4],eax
00459283 . 891C24 mov dword ptr ss:[esp],ebx
00459286 . E8 75F6FFFF call LukoolRe.00458900 //进入,重要。
0045928B . C785 B8FEFFFF>mov dword ptr ss:[ebp-0x148],0x0
00459295 .^ E9 56FCFFFF jmp LukoolRe.00458EF0
00459228处取消定时器,00459259处结束网络验证线程(该定时器由004595FD处的SetTimer设置,超时参数为0x2710,即10000毫秒)。所以你会发现,如果你在线程中InternetOpenA函数的下一句下断,程序会直接跑飞,因为定时器到期后线程早已经被结束了。
进入00458900处
00458900 /$ 55 push ebp
00458901 |. 89E5 mov ebp,esp
00458903 |. 57 push edi
00458904 |. 56 push esi ; LukoolRe.00459E40
00458905 |. 53 push ebx
00458906 |. 8D45 F4 lea eax,[local.3]
00458909 |. 81EC 8C000000 sub esp,0x8C
0045890F |. 8945 C0 mov [local.16],eax
00458912 |. 8D45 A0 lea eax,[local.24]
00458915 |. 8965 C8 mov [local.14],esp
00458918 |. 890424 mov dword ptr ss:[esp],eax
0045891B |. C745 B8 B80A7>mov [local.18],LukoolRe.007C0AB8
00458922 |. C745 BC 1CF88>mov [local.17],LukoolRe.0084F81C
00458929 |. C745 C4 BC8C4>mov [local.15],LukoolRe.00458CBC
00458930 |. E8 FBE63700 call LukoolRe.007D7030
00458935 |. 8B5D 0C mov ebx,[arg.2] ; |
00458938 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
00458940 |. C745 A4 FFFFF>mov [local.23],-0x1 ; |
00458947 |. 891C24 mov dword ptr ss:[esp],ebx ; |
0045894A |. E8 05843800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045894F |. 83EC 08 sub esp,0x8
00458952 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
0045895A |. 890424 mov dword ptr ss:[esp],eax ; |
0045895D |. E8 82833800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
00458962 |. 83EC 08 sub esp,0x8
00458965 |. C74424 04 020>mov dword ptr ss:[esp+0x4],0x2 ; |
0045896D |. 891C24 mov dword ptr ss:[esp],ebx ; |
00458970 |. E8 DF833800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00458975 |. 83EC 08 sub esp,0x8
00458978 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
00458980 |. 890424 mov dword ptr ss:[esp],eax ; |
00458983 |. E8 5C833800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
00458988 |. 83EC 08 sub esp,0x8
0045898B |. C74424 04 2A0>mov dword ptr ss:[esp+0x4],0x42A ; |
00458993 |. 891C24 mov dword ptr ss:[esp],ebx ; |
00458996 |. E8 B9833800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045899B |. 83EC 08 sub esp,0x8
0045899E |. C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
004589A6 |. 890424 mov dword ptr ss:[esp],eax ; |
004589A9 |. E8 DE823800 call <jmp.&USER32.ShowWindow> ; \ShowWindow
004589AE |. 8B45 10 mov eax,[arg.3]
004589B1 |. 83EC 08 sub esp,0x8
004589B4 |. 85C0 test eax,eax
004589B6 |. 0F84 8A000000 je LukoolRe.00458A46 //注册成功
004589BC |. 837D 10 01 cmp [arg.3],0x1
004589C0 |. 0F84 AF010000 je LukoolRe.00458B75 //注册码激活次数太多
004589C6 |. 837D 10 FF cmp [arg.3],-0x1
004589CA |. 0F84 07010000 je LukoolRe.00458AD7 //注册失败,网络连接错误
004589D0 |. 8D45 DC lea eax,[local.9]
004589D3 |. 890424 mov dword ptr ss:[esp],eax
004589D6 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
004589DE |. C74424 04 9B0>mov dword ptr ss:[esp+0x4],0x9B
004589E6 |. C745 A4 FFFFF>mov [local.23],-0x1
004589ED |. E8 0ED1FEFF call LukoolRe.00445B00
004589F2 |. 8B45 DC mov eax,[local.9]
004589F5 |. 8B5D 0C mov ebx,[arg.2]
004589F8 |. C745 A4 01000>mov [local.23],0x1
004589FF |. 8945 9C mov [local.25],eax
00458A02 |. 83EC 04 sub esp,0x4
00458A05 |. 894424 0C mov dword ptr ss:[esp+0xC],eax
00458A09 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
00458A11 |. C74424 04 000>mov dword ptr ss:[esp+0x4],0x0
00458A19 |. 891C24 mov dword ptr ss:[esp],ebx
00458A1C |. E8 DFD3FEFF call LukoolRe.00445E00
00458A21 |. 8B55 9C mov edx,[local.25] ; USER32.77D2C228
00458A24 |. 83EA 0C sub edx,0xC
00458A27 |. 81FA 4C6D8500 cmp edx,LukoolRe.00856D4C
00458A2D |. 0F85 E0010000 jnz LukoolRe.00458C13
00458A33 |> 8D45 A0 lea eax,[local.24]
00458A36 |. 890424 mov dword ptr ss:[esp],eax
00458A39 |. E8 62E33700 call LukoolRe.007D6DA0
00458A3E |. 8D65 F4 lea esp,[local.3]
00458A41 |. 5B pop ebx ; LukoolRe.0045928B
00458A42 |. 5E pop esi ; LukoolRe.0045928B
00458A43 |. 5F pop edi ; LukoolRe.0045928B
00458A44 |. 5D pop ebp ; LukoolRe.0045928B
00458A45 |. C3 retn
00458A46 |> A1 B84F1A01 mov eax,dword ptr ds:[0x11A4FB8]
00458A4B |. 894424 04 mov dword ptr ss:[esp+0x4],eax
00458A4F |. A1 A84F1A01 mov eax,dword ptr ds:[0x11A4FA8]
00458A54 |. 890424 mov dword ptr ss:[esp],eax
00458A57 |. E8 94A2FDFF call LukoolRe.00432CF0 ; 存入user.dat
00458A5C |. 8D45 E8 lea eax,[local.6]
00458A5F |. 890424 mov dword ptr ss:[esp],eax
00458A62 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
00458A6A |. C74424 04 970>mov dword ptr ss:[esp+0x4],0x97
00458A72 |. E8 89D0FEFF call LukoolRe.00445B00
00458A77 |. 8B45 E8 mov eax,[local.6] ; UxTheme.5ADF1688
我们将004589B6处的je改为jmp,即可实现注册。注册后,注册名和真码保存在C:\Documents and Settings\Administrator\Application Data\LukoolRecorder\user.dat中(这是XP下的路径,即当前用户的 %APPDATA%\LukoolRecorder\user.dat;其他系统上按 %APPDATA% 去找)。
如图3所示:
很明显这是个重启验证,但是我们重启后,软件显示已注册,注册按钮已消失,录像也无水印.
如图4所示:
这说明我们的真码是没有错的,网络验证只是在写入注册信息这一步设了个坎,所以我们只需自己在C:\Documents and Settings\Administrator\Application Data\LukoolRecorder\user.dat中写入注册信息即可。不过注册信息是经过加密的,
有兴趣的朋友可以跟一下,自己构造自己的信息,不难。
现在我们从源头上去爆破它:右键搜索字符串,找到user.dat,然后右键跟随。堆栈回溯,慢慢找,代码比较长,要有耐心,我这里就不贴完整的代码了。
00432222 . 8B7D D8 mov edi,dword ptr ss:[ebp-0x28]
00432225 . FC cld
00432226 . 39C9 cmp ecx,ecx
00432228 . F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:>; 真码比较
0043222A . 75 0C jnz short LukoolRe.00432238
0043222C . 399D 74EEFFFF cmp dword ptr ss:[ebp-0x118C],ebx ; 真码长度比较
00432232 . 0F84 FB030000 je LukoolRe.00432633 //跳向成功
00432238 > C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
00432242 > BA 4C6D8500 mov edx,LukoolRe.00856D4C
00432247 . 3B95 78EEFFFF cmp edx,dword ptr ss:[ebp-0x1188]
0043224D . 0F85 D5040000 jnz LukoolRe.00432728
00432253 > 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
00432256 . 83EA 0C sub edx,0xC
...省略代码
00432633 > \8D45 DC lea eax,dword ptr ss:[ebp-0x24]
00432636 . 894424 04 mov dword ptr ss:[esp+0x4],eax
0043263A . C70424 38281A>mov dword ptr ss:[esp],LukoolRe.011A2838
00432641 . C785 84EEFFFF>mov dword ptr ss:[ebp-0x117C],0x5
0043264B . E8 40AF3E00 call LukoolRe.0081D590
00432650 . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x1 ; 标志位
标志位赋值有以下几种情况:
user.dat未存在:
00432159 C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
user.dat存在
00432650 . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x1 真码正确
00432238 > \C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0 假码错误
未知:
00432173 . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
00431EBC . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
我们将0x0都改为0x1,不管是什么情况,我们都能注册成功。
测试过的系统:win7 64bit ,XP 32 bit。
=================================================================
传送门:
破解实战-第一战:http://www.52pojie.cn/thread-197281-1-1.html
破解实战-第二战:http://www.52pojie.cn/thread-197598-1-1.html
破解实战-第三站:http://www.52pojie.cn/thread-197957-1-1.html
破解实战-第四站:http://www.52pojie.cn/thread-198203-1-1.html
破解实战-第五战:http://www.52pojie.cn/thread-198365-1-1.html
破解实战-第六战:http://www.52pojie.cn/thread-198930-1-1.html
破解实战-第七战:http://www.52pojie.cn/thread-199459-1-1.html
破解实战-第八战:http://www.52pojie.cn/thread-199834-1-1.html
破解实战-第九战:http://www.52pojie.cn/thread-200655-1-1.html
破解实战-第十战:http://www.52pojie.cn/thread-200798-1-1.html