好友
阅读权限 40
听众
最后登录 1970-1-1
本帖最后由 我是用户 于 2013-6-23 13:49 编辑
【软件名称】: LukoolRecorder2.7.5cn
【作者邮箱】: 2714608453@qq.com
【下载地址】: 自己搜索下载
【加壳方式】: Microsoft Visual C++ 6.0
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
前言:
前段时间,论坛里有放出LukoolRecorder的注册机,明码比较,我下载下来的时候,注册机已经失效,加入了网络验证,并将其破之,论坛里有最新版本的破解 ,我在这就说说破解的思路。
1.查壳
用PEID查壳,显示什么都没找到! *,核心扫描的结果是Microsoft Visual C++ v6.0 DLL *。
用OD载入,未显示压缩数据,无壳,不影响我们分析。
2.爆破
未注册版本的限制为录制生成的视频带有水印。
在注册框入输入注册信息,单击确定,弹出错误提示。
如图1:
bp MessageBoxA,程序断下,堆栈回溯,找到按钮事件为00459324,重新输入注册名和假码,具体分析代码如下:
[C] 纯文本查看 复制代码
00459324 > \8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; |
00459327 . C74424 04 270>mov dword ptr ss:[esp+0x4],0x427 ; |
0045932F . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],-0x1 ; |
00459339 . 891424 mov dword ptr ss:[esp],edx ; |
0045933C . E8 137A3800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459341 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
00459344 . 83EC 08 sub esp,0x8
00459347 . 894424 04 mov dword ptr ss:[esp+0x4],eax
0045934B . 891424 mov dword ptr ss:[esp],edx
0045934E . E8 2DC9FEFF call LukoolRe.00445C80 ; 得到注册名
00459353 . 8B5D 0C mov ebx,dword ptr ss:[ebp+0xC]
00459356 . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x7
00459360 . 83EC 04 sub esp,0x4
00459363 . C74424 04 280>mov dword ptr ss:[esp+0x4],0x428 ; |
0045936B . 891C24 mov dword ptr ss:[esp],ebx ; |
0045936E . E8 E1793800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459373 . 83EC 08 sub esp,0x8
00459376 . 8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
00459379 . 894424 04 mov dword ptr ss:[esp+0x4],eax
0045937D . 891424 mov dword ptr ss:[esp],edx
00459380 . E8 FBC8FEFF call LukoolRe.00445C80 ; 得到假码
00459385 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; ntdll.7C930060
00459388 . 83EC 04 sub esp,0x4
0045938B . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x6
00459395 . 890424 mov dword ptr ss:[esp],eax
00459398 . E8 932DFDFF call LukoolRe.0042C130
0045939D . 8B55 D8 mov edx,dword ptr ss:[ebp-0x28] ; ntdll.7C930060
004593A0 . 8B5A F4 mov ebx,dword ptr ds:[edx-0xC] ; LukoolRe.005C006E
004593A3 . 85DB test ebx,ebx
004593A5 . 74 0E je short LukoolRe.004593B5 ; 判断注册名长度
004593A7 . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] ; ntdll.7C92E920
004593AA . 8B48 F4 mov ecx,dword ptr ds:[eax-0xC]
004593AD . 85C9 test ecx,ecx
004593AF . 0F85 DB000000 jnz LukoolRe.00459490 ; 判断假码长度
004593B5 > 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
004593B8 . C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
...省略无关代码
004594DA > 8B55 D8 mov edx,dword ptr ss:[ebp-0x28] ; ntdll.7C930060
004594DD . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] ; ntdll.7C92E920
004594E0 . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x6
004594EA . 891424 mov dword ptr ss:[esp],edx
004594ED . 894424 04 mov dword ptr ss:[esp+0x4],eax
004594F1 . E8 FA88FDFF call LukoolRe.00431DF0 ; 真假码比较
004594F6 . 84C0 test al,al ; |
004594F8 . 0F84 0C010000 je LukoolRe.0045960A ; |跳向失败
进入00431DF0可以看见真码,上一个版本,只需要做个内存注册机便可实现完美注册。
[C] 纯文本查看 复制代码
00431DF0 $ 55 push ebp
00431DF1 . B8 CC110000 mov eax,0x11CC
00431DF6 . 89E5 mov ebp,esp
00431DF8 . 57 push edi
00431DF9 . 56 push esi
00431DFA . 53 push ebx
...省略无关代码
00431EB1 . 85DB test ebx,ebx
00431EB3 . 0F85 B7020000 jnz LukoolRe.00432170
00431EB9 > 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
00431EBC . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
00431EC6 . 83EA 0C sub edx,0xC
00431EC9 > B9 4C6D8500 mov ecx,LukoolRe.00856D4C ; 出现真码
00431ECE . 39D1 cmp ecx,edx
00431ED0 . 0F85 D7070000 jnz LukoolRe.004326AD
00431ED6 > 8B55 DC mov edx,dword ptr ss:[ebp-0x24]
00431ED9 . BB 4C6D8500 mov ebx,LukoolRe.00856D4C
00431EDE . 83EA 0C sub edx,0xC
00431EE1 . 39D3 cmp ebx,edx
00431EE3 . 0F85 93070000 jnz LukoolRe.0043267C
00431EE9 > 8D85 80EEFFFF lea eax,dword ptr ss:[ebp-0x1180]
00431EEF . 890424 mov dword ptr ss:[esp],eax
00431EF2 . E8 A94E3A00 call LukoolRe.007D6DA0
00431EF7 . 8B85 40EEFFFF mov eax,dword ptr ss:[ebp-0x11C0]
00431EFD . 8D65 F4 lea esp,dword ptr ss:[ebp-0xC]
00431F00 . 5B pop ebx ; 02BB0A78
00431F01 . 5E pop esi ; 02BB0A78
00431F02 . 5F pop edi ; 02BB0A78
00431F03 . 5D pop ebp ; 02BB0A78
00431F04 . C3 retn
00431EC9处的寄存器信息如下:
[C] 纯文本查看 复制代码
EAX 00000001
ECX 77BFC2E3 msvcrt.77BFC2E3
EDX 02BB0EB0
EBX 02BB0A78
ESP 0022DEEC
EBP 0022F0C4
ESI 02BB0A85 ASCII "VTEX-YAGCD-BFZHV-TUWUU"
EDI 02BB0EBD ASCII "234567890"
EIP 00431EC9 LukoolRe.00431EC9
可见,[ESI-1]处显示的就是所谓的真码TVTEX-YAGCD-BFZHV-TUWUU
重新输入注册名和真码,进入下一次验证。
[C] 纯文本查看 复制代码
004594FE . 8B5D 0C mov ebx,dword ptr ss:[ebp+0xC] ; |
00459501 . C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
00459509 . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],0x6 ; |
00459513 . 891C24 mov dword ptr ss:[esp],ebx ; |
00459516 . E8 39783800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045951B . 83EC 08 sub esp,0x8
0045951E . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
00459526 . 890424 mov dword ptr ss:[esp],eax ; |
00459529 . E8 B6773800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
0045952E . 83EC 08 sub esp,0x8
00459531 . C74424 04 020>mov dword ptr ss:[esp+0x4],0x2 ; |
00459539 . 891C24 mov dword ptr ss:[esp],ebx ; |
0045953C . E8 13783800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459541 . 83EC 08 sub esp,0x8
00459544 . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
0045954C . 890424 mov dword ptr ss:[esp],eax ; |
0045954F . E8 90773800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
00459554 . 83EC 08 sub esp,0x8
00459557 . C74424 04 2A0>mov dword ptr ss:[esp+0x4],0x42A ; |
0045955F . 891C24 mov dword ptr ss:[esp],ebx ; |
00459562 . E8 ED773800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459567 . 83EC 08 sub esp,0x8
0045956A . C74424 04 050>mov dword ptr ss:[esp+0x4],0x5 ; |
00459572 . 890424 mov dword ptr ss:[esp],eax ; |
00459575 . E8 12773800 call <jmp.&USER32.ShowWindow> ; \ShowWindow
0045957A . 83EC 08 sub esp,0x8
0045957D . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
00459580 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00459584 . C70424 A84F1A>mov dword ptr ss:[esp],LukoolRe.011A4FA8
0045958B . E8 00403C00 call LukoolRe.0081D590
00459590 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
00459593 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00459597 . C70424 B84F1A>mov dword ptr ss:[esp],LukoolRe.011A4FB8
0045959E . E8 ED3F3C00 call LukoolRe.0081D590
004595A3 . 891D C84F1A01 mov dword ptr ds:[0x11A4FC8],ebx ; ||
004595A9 . C74424 14 000>mov dword ptr ss:[esp+0x14],0x0 ; ||
004595B1 . C74424 10 000>mov dword ptr ss:[esp+0x10],0x0 ; ||
004595B9 . C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; ||
004595C1 . C74424 08 A08>mov dword ptr ss:[esp+0x8],LukoolRe.0045>; ||
004595C9 . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; ||
004595D1 . C70424 000000>mov dword ptr ss:[esp],0x0 ; ||
004595D8 . E8 4B733800 call <jmp.&msvcrt._beginthreadex> ; |\_beginthreadex //建立线程,进行网络验证
004595DD . 8B55 08 mov edx,dword ptr ss:[ebp+0x8] ; |
004595E0 . 8902 mov dword ptr ds:[edx],eax ; |
004595E2 . C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; |
004595EA . C74424 08 102>mov dword ptr ss:[esp+0x8],0x2710 ; |
004595F2 . C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
004595FA . 891C24 mov dword ptr ss:[esp],ebx ; |
004595FD . E8 4A773800 call <jmp.&USER32.SetTimer> ; \SetTimer
00459602 . 83EC 10 sub esp,0x10
00459605 .^ E9 1AFEFFFF jmp LukoolRe.00459424
在004595D8处下CC断点,堆栈信息如下所示:
[C] 纯文本查看 复制代码
0022F0CC 00000000 |security = NULL
0022F0D0 00000000 |stksize = 0x0
0022F0D4 004587A0 |start = LukoolRe.004587A0
0022F0D8 00000000 |arg = NULL
0022F0DC 00000000 |flags = 0
0022F0E0 00000000 \pID = NULL
可知,线程函数为004587A0,下断,然后F9运行,程序断下。
[C] 纯文本查看 复制代码
004587A0 /. 55 push ebp
004587A1 |. 89E5 mov ebp,esp
004587A3 |. 83EC 18 sub esp,0x18
004587A6 |. A1 B84F1A01 mov eax,dword ptr ds:[0x11A4FB8]
004587AB |. 894424 04 mov dword ptr ss:[esp+0x4],eax ; msvcrt.77C1BA52
004587AF |. A1 A84F1A01 mov eax,dword ptr ds:[0x11A4FA8]
004587B4 |. 890424 mov dword ptr ss:[esp],eax ; msvcrt.77C1BA52
004587B7 |. E8 3491FDFF call LukoolRe.004318F0 //网络验证CALL
004587BC |. C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; |
004587C4 |. C74424 04 000>mov dword ptr ss:[esp+0x4],0x500 ; |
004587CC |. 894424 08 mov dword ptr ss:[esp+0x8],eax ; |msvcrt.77C1BA52
004587D0 |. A1 C84F1A01 mov eax,dword ptr ds:[0x11A4FC8] ; |
004587D5 |. 890424 mov dword ptr ss:[esp],eax ; |msvcrt.77C1BA52
004587D8 |. E8 DF843800 call <jmp.&USER32.PostMessageA> ; \PostMessageA
004587DD |. 83EC 10 sub esp,0x10
004587E0 |. C9 leave
004587E1 \. C2 0400 retn 0x4
进入004318F0处
[C] 纯文本查看 复制代码
004318F0 $ 55 push ebp
004318F1 . 89E5 mov ebp,esp
004318F3 . 57 push edi
004318F4 . 56 push esi
004318F5 . 53 push ebx
004318F6 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
004318F9 . 83EC 7C sub esp,0x7C
004318FC . 8945 C0 mov dword ptr ss:[ebp-0x40],eax
004318FF . 8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
00431902 . 890424 mov dword ptr ss:[esp],eax
00431905 . C745 B8 B80A7>mov dword ptr ss:[ebp-0x48],LukoolRe.007>
0043190C . C745 BC FEF28>mov dword ptr ss:[ebp-0x44],LukoolRe.008>
00431913 . C745 C4 741C4>mov dword ptr ss:[ebp-0x3C],LukoolRe.004>
0043191A . 8965 C8 mov dword ptr ss:[ebp-0x38],esp
0043191D . E8 0E573A00 call LukoolRe.007D7030
00431922 . C745 A4 FFFFF>mov dword ptr ss:[ebp-0x5C],-0x1
00431929 . E8 029FFDFF call LukoolRe.0040B830
0043192E . 890424 mov dword ptr ss:[esp],eax
00431931 . E8 CA8DFDFF call LukoolRe.0040A700
00431936 . C745 E8 586D8>mov dword ptr ss:[ebp-0x18],LukoolRe.008>
0043193D . 8945 8C mov dword ptr ss:[ebp-0x74],eax
00431940 . 8B80 C4000000 mov eax,dword ptr ds:[eax+0xC4]
00431946 . C745 A4 04000>mov dword ptr ss:[ebp-0x5C],0x4
0043194D . 890424 mov dword ptr ss:[esp],eax
00431950 . E8 DBA7FFFF call LukoolRe.0042C130
00431955 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00431958 . C745 E4 586D8>mov dword ptr ss:[ebp-0x1C],LukoolRe.008>
0043195F . C74424 08 090>mov dword ptr ss:[esp+0x8],0x9
00431967 . C74424 04 0E9>mov dword ptr ss:[esp+0x4],LukoolRe.0085>; ASCII "reg_name="
0043196F . 890C24 mov dword ptr ss:[esp],ecx
00431972 . C745 A4 03000>mov dword ptr ss:[ebp-0x5C],0x3
00431979 . E8 32BB3E00 call LukoolRe.0081D4B0
0043197E . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00431981 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00431985 . 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
00431988 . 890424 mov dword ptr ss:[esp],eax
0043198B . E8 50E4FFFF call LukoolRe.0042FDE0
00431990 . 83EC 04 sub esp,0x4
00431993 . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
00431996 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00431999 . 895424 04 mov dword ptr ss:[esp+0x4],edx
0043199D . 890C24 mov dword ptr ss:[esp],ecx
004319A0 . C745 A4 02000>mov dword ptr ss:[ebp-0x5C],0x2
004319A7 . E8 A4B83E00 call LukoolRe.0081D250 ; 加密注册名
004319AC . 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
004319AF . B8 4C6D8500 mov eax,LukoolRe.00856D4C
004319B4 . 83EA 0C sub edx,0xC
004319B7 . 39D0 cmp eax,edx
004319B9 . 0F85 E4010000 jnz LukoolRe.00431BA3
004319BF > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004319C2 . C74424 08 090>mov dword ptr ss:[esp+0x8],0x9
004319CA . C74424 04 189>mov dword ptr ss:[esp+0x4],LukoolRe.0085>; ASCII "®_key="
004319D2 . 890C24 mov dword ptr ss:[esp],ecx
004319D5 . C745 A4 03000>mov dword ptr ss:[ebp-0x5C],0x3
004319DC . E8 7FB73E00 call LukoolRe.0081D160
004319E1 . 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
004319E4 . 894424 04 mov dword ptr ss:[esp+0x4],eax
004319E8 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004319EB . 890424 mov dword ptr ss:[esp],eax
004319EE . E8 EDE3FFFF call LukoolRe.0042FDE0
004319F3 . 83EC 04 sub esp,0x4
004319F6 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
004319F9 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004319FC . 895424 04 mov dword ptr ss:[esp+0x4],edx
00431A00 . 890C24 mov dword ptr ss:[esp],ecx
00431A03 . C745 A4 01000>mov dword ptr ss:[ebp-0x5C],0x1
00431A0A . E8 41B83E00 call LukoolRe.0081D250 ; 加密真码
00431A0F . 8B55 DC mov edx,dword ptr ss:[ebp-0x24]
00431A12 . B8 4C6D8500 mov eax,LukoolRe.00856D4C
00431A17 . 83EA 0C sub edx,0xC
00431A1A . 39D0 cmp eax,edx
00431A1C . 0F85 4B010000 jnz LukoolRe.00431B6D
00431A22 > 8B4D 8C mov ecx,dword ptr ss:[ebp-0x74] ; LukoolRe.008A1018
00431A25 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00431A28 . 8B91 C4000000 mov edx,dword ptr ds:[ecx+0xC4]
00431A2E . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00431A31 . 894C24 08 mov dword ptr ss:[esp+0x8],ecx
00431A35 . 894424 04 mov dword ptr ss:[esp+0x4],eax
00431A39 . C745 A4 03000>mov dword ptr ss:[ebp-0x5C],0x3
00431A40 . 891424 mov dword ptr ss:[esp],edx
00431A43 . E8 C855FFFF call LukoolRe.00427010 ; 网络验证CALL
进入00427010
[C] 纯文本查看 复制代码
00427010 /$ 55 push ebp
00427011 |. 89E5 mov ebp,esp
00427013 |. 57 push edi
00427014 |. 56 push esi
00427015 |. 53 push ebx
...省略无关代码
004270C4 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1
004270CC |. 891424 mov dword ptr ss:[esp],edx
004270CF |. C785 94FBFFFF>mov [local.283],0x2
004270D9 |. E8 C25D2500 call <jmp.&WININET.InternetOpenA> //进入
004270DE |. 83EC 14 sub esp,0x14
004270E1 |. 85C0 test eax,eax
004270E3 |. 8985 68FBFFFF mov [local.294],eax
004270E9 |. 0F84 E1020000 je LukoolRe.004273D0
我虚拟机 里是无网络的,所以显示网络连接错误.
如图2:
下断MesageBoxA,然后堆栈回溯,找到响应代码处为
[C] 纯文本查看 复制代码
00459210 > \8B45 0C mov eax,dword ptr ss:[ebp+0xC] ; |
00459213 . C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
0045921B . C785 F4FEFFFF>mov dword ptr ss:[ebp-0x10C],-0x1 ; |
00459225 . 890424 mov dword ptr ss:[esp],eax ; |
00459228 . E8 F77A3800 call <jmp.&USER32.KillTimer> ; \KillTimer //取消定时器
0045922D . 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
00459230 . 8B02 mov eax,dword ptr ds:[edx]
00459232 . 83EC 08 sub esp,0x8
00459235 . 85C0 test eax,eax
00459237 .^ 0F84 A9FCFFFF je LukoolRe.00458EE6
0045923D . C70424 51B485>mov dword ptr ss:[esp],LukoolRe.0085B451 ; Activate timeout...
00459244 . E8 E72EFDFF call LukoolRe.0042C130
00459249 . 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8] ; |
0045924C . 8B03 mov eax,dword ptr ds:[ebx] ; |
0045924E . C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
00459256 . 890424 mov dword ptr ss:[esp],eax ; |
00459259 . E8 A67D3800 call <jmp.&KERNEL32.TerminateThread> ; \TerminateThread //结束网络验证线程
0045925E . 8B03 mov eax,dword ptr ds:[ebx]
00459260 . 83EC 08 sub esp,0x8
00459263 . 890424 mov dword ptr ss:[esp],eax ; |
00459266 . E8 C97C3800 call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0045926B . 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
0045926E . C703 00000000 mov dword ptr ds:[ebx],0x0
00459274 . 83EC 04 sub esp,0x4
00459277 . C74424 08 FFF>mov dword ptr ss:[esp+0x8],-0x1
0045927F . 894424 04 mov dword ptr ss:[esp+0x4],eax
00459283 . 891C24 mov dword ptr ss:[esp],ebx
00459286 . E8 75F6FFFF call LukoolRe.00458900 //进入,重要。
0045928B . C785 B8FEFFFF>mov dword ptr ss:[ebp-0x148],0x0
00459295 .^ E9 56FCFFFF jmp LukoolRe.00458EF0
00459228处取消定时器,00459259处结束网络验证线程,所以你会发现如果你下断了线程中InternetOpenA函数的下一句会直接跑飞,因为线程早已经被结束了。
进入00458900处
[C] 纯文本查看 复制代码
00458900 /$ 55 push ebp
00458901 |. 89E5 mov ebp,esp
00458903 |. 57 push edi
00458904 |. 56 push esi ; LukoolRe.00459E40
00458905 |. 53 push ebx
00458906 |. 8D45 F4 lea eax,[local.3]
00458909 |. 81EC 8C000000 sub esp,0x8C
0045890F |. 8945 C0 mov [local.16],eax
00458912 |. 8D45 A0 lea eax,[local.24]
00458915 |. 8965 C8 mov [local.14],esp
00458918 |. 890424 mov dword ptr ss:[esp],eax
0045891B |. C745 B8 B80A7>mov [local.18],LukoolRe.007C0AB8
00458922 |. C745 BC 1CF88>mov [local.17],LukoolRe.0084F81C
00458929 |. C745 C4 BC8C4>mov [local.15],LukoolRe.00458CBC
00458930 |. E8 FBE63700 call LukoolRe.007D7030
00458935 |. 8B5D 0C mov ebx,[arg.2] ; |
00458938 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
00458940 |. C745 A4 FFFFF>mov [local.23],-0x1 ; |
00458947 |. 891C24 mov dword ptr ss:[esp],ebx ; |
0045894A |. E8 05843800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045894F |. 83EC 08 sub esp,0x8
00458952 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
0045895A |. 890424 mov dword ptr ss:[esp],eax ; |
0045895D |. E8 82833800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
00458962 |. 83EC 08 sub esp,0x8
00458965 |. C74424 04 020>mov dword ptr ss:[esp+0x4],0x2 ; |
0045896D |. 891C24 mov dword ptr ss:[esp],ebx ; |
00458970 |. E8 DF833800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00458975 |. 83EC 08 sub esp,0x8
00458978 |. C74424 04 010>mov dword ptr ss:[esp+0x4],0x1 ; |
00458980 |. 890424 mov dword ptr ss:[esp],eax ; |
00458983 |. E8 5C833800 call <jmp.&USER32.EnableWindow> ; \EnableWindow
00458988 |. 83EC 08 sub esp,0x8
0045898B |. C74424 04 2A0>mov dword ptr ss:[esp+0x4],0x42A ; |
00458993 |. 891C24 mov dword ptr ss:[esp],ebx ; |
00458996 |. E8 B9833800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045899B |. 83EC 08 sub esp,0x8
0045899E |. C74424 04 000>mov dword ptr ss:[esp+0x4],0x0 ; |
004589A6 |. 890424 mov dword ptr ss:[esp],eax ; |
004589A9 |. E8 DE823800 call <jmp.&USER32.ShowWindow> ; \ShowWindow
004589AE |. 8B45 10 mov eax,[arg.3]
004589B1 |. 83EC 08 sub esp,0x8
004589B4 |. 85C0 test eax,eax
004589B6 |. 0F84 8A000000 je LukoolRe.00458A46 //注册成功
004589BC |. 837D 10 01 cmp [arg.3],0x1
004589C0 |. 0F84 AF010000 je LukoolRe.00458B75 //注册码激活次数太多
004589C6 |. 837D 10 FF cmp [arg.3],-0x1
004589CA |. 0F84 07010000 je LukoolRe.00458AD7 //注册失败,网络连接错误
004589D0 |. 8D45 DC lea eax,[local.9]
004589D3 |. 890424 mov dword ptr ss:[esp],eax
004589D6 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
004589DE |. C74424 04 9B0>mov dword ptr ss:[esp+0x4],0x9B
004589E6 |. C745 A4 FFFFF>mov [local.23],-0x1
004589ED |. E8 0ED1FEFF call LukoolRe.00445B00
004589F2 |. 8B45 DC mov eax,[local.9]
004589F5 |. 8B5D 0C mov ebx,[arg.2]
004589F8 |. C745 A4 01000>mov [local.23],0x1
004589FF |. 8945 9C mov [local.25],eax
00458A02 |. 83EC 04 sub esp,0x4
00458A05 |. 894424 0C mov dword ptr ss:[esp+0xC],eax
00458A09 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
00458A11 |. C74424 04 000>mov dword ptr ss:[esp+0x4],0x0
00458A19 |. 891C24 mov dword ptr ss:[esp],ebx
00458A1C |. E8 DFD3FEFF call LukoolRe.00445E00
00458A21 |. 8B55 9C mov edx,[local.25] ; USER32.77D2C228
00458A24 |. 83EA 0C sub edx,0xC
00458A27 |. 81FA 4C6D8500 cmp edx,LukoolRe.00856D4C
00458A2D |. 0F85 E0010000 jnz LukoolRe.00458C13
00458A33 |> 8D45 A0 lea eax,[local.24]
00458A36 |. 890424 mov dword ptr ss:[esp],eax
00458A39 |. E8 62E33700 call LukoolRe.007D6DA0
00458A3E |. 8D65 F4 lea esp,[local.3]
00458A41 |. 5B pop ebx ; LukoolRe.0045928B
00458A42 |. 5E pop esi ; LukoolRe.0045928B
00458A43 |. 5F pop edi ; LukoolRe.0045928B
00458A44 |. 5D pop ebp ; LukoolRe.0045928B
00458A45 |. C3 retn
00458A46 |> A1 B84F1A01 mov eax,dword ptr ds:[0x11A4FB8]
00458A4B |. 894424 04 mov dword ptr ss:[esp+0x4],eax
00458A4F |. A1 A84F1A01 mov eax,dword ptr ds:[0x11A4FA8]
00458A54 |. 890424 mov dword ptr ss:[esp],eax
00458A57 |. E8 94A2FDFF call LukoolRe.00432CF0 ; 存入user.dat
00458A5C |. 8D45 E8 lea eax,[local.6]
00458A5F |. 890424 mov dword ptr ss:[esp],eax
00458A62 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
00458A6A |. C74424 04 970>mov dword ptr ss:[esp+0x4],0x97
00458A72 |. E8 89D0FEFF call LukoolRe.00445B00
00458A77 |. 8B45 E8 mov eax,[local.6] ; UxTheme.5ADF1688
我们将004589B6处改为jmp,即可实现注册,注册后注册名和真码保存在C:\Documents and Settings\Administrator\Application Data\LukoolRecorder\user.dat中。
如图3所示:
很明显这是个重启验证,但是我们重启后,软件显示已注册,注册按钮已消失,录像也无水印.
如图4所示:
这说明我们的真码是没有错的,网络验证只是在写入注册信息中下了个坎,所以我们只需自己自己在C:\Documents and Settings\Administrator\Application Data\LukoolRecorder\user.dat中写入注册信息即可。不过注册信息是通过加密的,
有兴趣的朋友可以跟一下,自己构照自己信息,不难。
现在我们从源头上去爆破他,右键搜索字符串,找到user.dat,然后右键跟随。堆栈回溯,慢慢找,代码比较长,要有耐心,我这里就不贴完整的代码了
[C] 纯文本查看 复制代码
00432222 . 8B7D D8 mov edi,dword ptr ss:[ebp-0x28]
00432225 . FC cld
00432226 . 39C9 cmp ecx,ecx
00432228 . F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:>; 真码比较
0043222A . 75 0C jnz short LukoolRe.00432238
0043222C . 399D 74EEFFFF cmp dword ptr ss:[ebp-0x118C],ebx ; 真码长度比较
00432232 . 0F84 FB030000 je LukoolRe.00432633 //跳向成功
00432238 > C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
00432242 > BA 4C6D8500 mov edx,LukoolRe.00856D4C
00432247 . 3B95 78EEFFFF cmp edx,dword ptr ss:[ebp-0x1188]
0043224D . 0F85 D5040000 jnz LukoolRe.00432728
00432253 > 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
00432256 . 83EA 0C sub edx,0xC
...省略代码
00432633 > \8D45 DC lea eax,dword ptr ss:[ebp-0x24]
00432636 . 894424 04 mov dword ptr ss:[esp+0x4],eax
0043263A . C70424 38281A>mov dword ptr ss:[esp],LukoolRe.011A2838
00432641 . C785 84EEFFFF>mov dword ptr ss:[ebp-0x117C],0x5
0043264B . E8 40AF3E00 call LukoolRe.0081D590
00432650 . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x1 ; 标志位
标志位赋值有以下几种情况:
[C] 纯文本查看 复制代码
user.dat未存在:
00432159 C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
user.dat存在
00432650 . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x1 真码正确
00432238 > \C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0 假码错误
未知:
00432173 . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
00431EBC . C785 40EEFFFF>mov dword ptr ss:[ebp-0x11C0],0x0
我们将0x0都改为0x1,不管是什么情况,我们都能注册成功。
测试过的系统:win7 64bit ,XP 32 bit。
=================================================================
传送门:
破解实战-第一战:http://www.52pojie.cn/thread-197281-1-1.html
破解实战-第二战:http://www.52pojie.cn/thread-197598-1-1.html
破解实战-第三站:http://www.52pojie.cn/thread-197957-1-1.html
破解实战-第四站:http://www.52pojie.cn/thread-198203-1-1.html
破解实战-第五战:http://www.52pojie.cn/thread-198365-1-1.html
破解实战-第六战:http://www.52pojie.cn/thread-198930-1-1.html
破解实战-第七战:http://www.52pojie.cn/thread-199459-1-1.html
破解实战-第八战:http://www.52pojie.cn/thread-199834-1-1.html
破解实战-第九战:http://www.52pojie.cn/thread-200655-1-1.html
破解实战-第十战:http://www.52pojie.cn/thread-200798-1-1.html
免费评分
查看全部评分
本帖被以下淘专辑推荐:
· 破解教程 | 主题: 126, 订阅: 213
· 教程 | 主题: 123, 订阅: 88