批量缩略图工具 2.95版的破解
在其他论坛看到有人爆破成功,不过重启后还需要重新输入一次注册码,也就是说重启验证没有被爆破,于是自己试着捡软柿子捏一捏。
载入OD,通过下bp GetPrivateProfileStringA得知程序在启动时查找软件安装目录下是否有BatchPic.ini文件,读取里面的注册码
右键查找字符串,有注册失败的提示
; OllyDbg disassembly excerpt (32-bit x86, Intel operand order) of the routine that
; checks a registration code typed by the user. Columns: address, opcode bytes,
; instruction. The bracketed memory operands were lost when the page was extracted
; (e.g. "lea edx," with nothing after the comma); where a note below names an operand,
; it is decoded from the opcode bytes on the same line. The excerpt stops at 004AB6D2,
; before the end of the routine.
; NOTE(review): the whole registered/unregistered decision is taken inside the client
; binary and arrives here as a single byte in al (004AB604). A check of this shape
; raises no barrier against a modified executable; designs that must resist tampering
; keep the decision off the client or derive functionality from the licence data
; instead of gating it behind one branch.
;
; Prologue: build the frame, push eight zero dwords (ecx = 0) as locals, save ebx/esi.
004AB568/.55 push ebp
004AB569|.8BEC mov ebp,esp
004AB56B|.33C9 xor ecx,ecx
004AB56D|.51 push ecx
004AB56E|.51 push ecx
004AB56F|.51 push ecx
004AB570|.51 push ecx
004AB571|.51 push ecx
004AB572|.51 push ecx
004AB573|.51 push ecx
004AB574|.51 push ecx
004AB575|.53 push ebx
004AB576|.56 push esi
; ebx keeps the value passed in eax (presumably the form object - confirm);
; eax is then cleared, so the fs: accesses below address fs:[0].
004AB577|.8BD8 mov ebx,eax
004AB579|.33C0 xor eax,eax
; 64:FF30 / 64:8920 decode to push fs:[eax] / mov fs:[eax],esp: a new
; exception-registration record (target 004AB722) is linked at the head of the SEH chain.
004AB57B|.55 push ebp
004AB57C|.68 22B74A00 push BatchPic.004AB722
004AB581|.64:FF30 push dword ptr fs:
004AB584|.64:8920 mov dword ptr fs:,esp
; 8D55 FC = lea edx,[ebp-4]; 8B83 28030000 = mov eax,[ebx+0x328].
; 00463C9C receives that object and the address of a local; the local is then handed
; to 004048EC. Presumably "read the input control's text, then take its length" - confirm.
004AB587|.8D55 FC lea edx,
004AB58A|.8B83 28030000 mov eax,dword ptr ds:
004AB590|.E8 0787FBFF call BatchPic.00463C9C
004AB595|.8B45 FC mov eax,
004AB598|.E8 4F93F5FF call BatchPic.004048EC
; A result of 8 continues at 004AB5E1; any other value falls through to the error box.
004AB59D|.83F8 08 cmp eax,0x8 //checks whether the registration code is 8 characters long; otherwise the "wrong registration code" message is shown
004AB5A0 74 3F je short BatchPic.004AB5E1
; Failure path 1: MessageBoxA with uType 0x10 (MB_ICONERROR; first value pushed is the
; last argument). The string at 004AB730 reads "Registration code is wrong!".
; 00483750/00404AEC supply the caption - presumably the application title, confirm.
004AB5A2|.6A 10 push 0x10
004AB5A4|.8D55 F8 lea edx,
004AB5A7|.A1 8CA14B00 mov eax,dword ptr ds:
004AB5AC|.8B00 mov eax,dword ptr ds:
004AB5AE|.E8 9D81FDFF call BatchPic.00483750
004AB5B3|.8B45 F8 mov eax,
004AB5B6|.E8 3195F5FF call BatchPic.00404AEC
004AB5BB|.50 push eax
004AB5BC|.68 30B74A00 push BatchPic.004AB730 ;注册码错误!
004AB5C1|.8BC3 mov eax,ebx
004AB5C3|.E8 F4EEFBFF call BatchPic.0046A4BC
004AB5C8|.50 push eax ; |hOwner
004AB5C9|.E8 06BEF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
; FF92 C4000000 = call [edx+0xC4]: virtual call on the object at [ebx+0x328], then
; leave through 004AB6DA, which lies outside this excerpt.
004AB5CE|.8B83 28030000 mov eax,dword ptr ds:
004AB5D4|.8B10 mov edx,dword ptr ds:
004AB5D6|.FF92 C4000000 call dword ptr ds:
004AB5DC|.E9 F9000000 jmp BatchPic.004AB6DA
; Length accepted. The input text is fetched again and pushed; 004AD16C fills a second
; local (8D45 F0 = lea eax,[ebp-0x10]). What that value represents is not visible here.
004AB5E1|>8D55 F4 lea edx,
004AB5E4|.8B83 28030000 mov eax,dword ptr ds:
004AB5EA|.E8 AD86FBFF call BatchPic.00463C9C
004AB5EF|.8B45 F4 mov eax,
004AB5F2|.50 push eax
004AB5F3|.8D45 F0 lea eax,
004AB5F6|.E8 711B0000 call BatchPic.004AD16C
; 004ACF2C is called with eax = the value produced by 004AD16C and edx = the entered
; text (popped back from the stack); it returns the verdict in al.
004AB5FB|.8B45 F0 mov eax,
004AB5FE|.5A pop edx
004AB5FF|.E8 28190000 call BatchPic.004ACF2C //author's note: the success path follows, so this is the key call (step in with F7); the test al,al below means al == 0 is a failed registration, so the author wants al to be non-zero on return
; al == 0 jumps to failure path 2 at 004AB6A0.
004AB604|.84C0 test al,al
004AB606 0F84 94000000 je BatchPic.004AB6A0
; Success path. A1 B49E4B00 / C600 01: the byte pointed to by the dword at 004B9EB4
; is set to 1 - presumably the global "registered" flag, confirm.
004AB60C|.A1 B49E4B00 mov eax,dword ptr ds:
004AB611|.C600 01 mov byte ptr ds:,0x1
; The text is read once more and passed in edx to 00404680 together with the pointer
; stored at 004B9EDC - presumably copying the code into a global string, confirm.
004AB614|.8D55 EC lea edx,
004AB617|.8B83 28030000 mov eax,dword ptr ds:
004AB61D|.E8 7A86FBFF call BatchPic.00463C9C
004AB622|.8B55 EC mov edx,
004AB625|.A1 DC9E4B00 mov eax,dword ptr ds:
004AB62A|.E8 5190F5FF call BatchPic.00404680
; The text is pushed and a virtual method ([esi+4], FF56 04) is called on the object
; reached through 004BA19C with edx = "REGCODE" and ecx = "KEY". Presumably this
; stores the code, unprotected, in the settings file read at startup - confirm.
004AB62F|.8D55 E8 lea edx,
004AB632|.8B83 28030000 mov eax,dword ptr ds:
004AB638|.E8 5F86FBFF call BatchPic.00463C9C
004AB63D|.8B45 E8 mov eax,
004AB640|.50 push eax
004AB641|.A1 9CA14B00 mov eax,dword ptr ds:
004AB646|.8B00 mov eax,dword ptr ds:
004AB648|.B9 48B74A00 mov ecx,BatchPic.004AB748 ;KEY
004AB64D|.BA 54B74A00 mov edx,BatchPic.004AB754 ;REGCODE
004AB652|.8B30 mov esi,dword ptr ds:
004AB654|.FF56 04 call dword ptr ds:
; MessageBoxA with uType 0x40 (MB_ICONINFORMATION); the string at 004AB75C reads
; "Registration succeeded!".
004AB657|.6A 40 push 0x40
004AB659|.8D55 E4 lea edx,
004AB65C|.A1 8CA14B00 mov eax,dword ptr ds:
004AB661|.8B00 mov eax,dword ptr ds:
004AB663|.E8 E880FDFF call BatchPic.00483750
004AB668|.8B45 E4 mov eax,
004AB66B|.E8 7C94F5FF call BatchPic.00404AEC
004AB670|.50 push eax
004AB671|.68 5CB74A00 push BatchPic.004AB75C ;注册成功!
004AB676|.8BC3 mov eax,ebx
004AB678|.E8 3FEEFBFF call BatchPic.0046A4BC
004AB67D|.50 push eax ; |hOwner
004AB67E|.E8 51BDF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
; Two more calls (00463BBC with edx = 0 on an object reached through 004BA078, then
; 004804C0 on ebx) before leaving via 004AB6DA; their purpose is not visible here.
004AB683|.A1 78A04B00 mov eax,dword ptr ds:
004AB688|.8B00 mov eax,dword ptr ds:
004AB68A|.8B80 74030000 mov eax,dword ptr ds:
004AB690|.33D2 xor edx,edx
004AB692|.E8 2585FBFF call BatchPic.00463BBC
004AB697|.8BC3 mov eax,ebx
004AB699|.E8 224EFDFF call BatchPic.004804C0
004AB69E|.EB 3A jmp short BatchPic.004AB6DA
; Failure path 2 (verdict byte was 0): same error box as failure path 1.
004AB6A0|>6A 10 push 0x10
004AB6A2|.8D55 E0 lea edx,
004AB6A5|.A1 8CA14B00 mov eax,dword ptr ds:
004AB6AA|.8B00 mov eax,dword ptr ds:
004AB6AC|.E8 9F80FDFF call BatchPic.00483750
004AB6B1|.8B45 E0 mov eax,
004AB6B4|.E8 3394F5FF call BatchPic.00404AEC
004AB6B9|.50 push eax
004AB6BA|.68 30B74A00 push BatchPic.004AB730 ;注册码错误!
004AB6BF|.8BC3 mov eax,ebx
004AB6C1|.E8 F6EDFBFF call BatchPic.0046A4BC
004AB6C6|.50 push eax ; |hOwner
004AB6C7|.E8 08BDF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
; The excerpt ends here, in the middle of the routine.
004AB6CC|.8B83 28030000 mov eax,dword ptr ds:
004AB6D2|.8B10 mov edx,dword ptr ds:
在 004AB5FF 处按 F7 步入后的关键代码如下:
; Tail of the routine entered by the call at 004AB5FF (004ACF2C), as shown by OllyDbg.
; The excerpt begins mid-routine at 004AD014, so how eax and the flags were prepared
; is not visible here. Bracketed memory operands were lost in extraction; operands
; named below are decoded from the opcode bytes on the same line.
; NOTE(review): the routine's result is one byte carried in ebx and copied to eax at
; 004AD067, so the outcome of the whole licence comparison hangs on a single
; conditional jump in client code.
;
; 3B0424 = cmp eax,[esp]: a second comparison, skipped when the earlier (unseen)
; comparison already differed.
004AD014 . /75 03 jnz short BatchPic.004AD019
004AD016 . |3B0424 cmp eax,dword ptr ss:
; pop leaves the flags untouched, so the jnz at 004AD01B still acts on the comparison.
004AD019 > \5A pop edx
004AD01A .58 pop eax
004AD01B 75 04 jnz short BatchPic.004AD021 //author's note: 004AD067 (mov eax,ebx) shows that eax is finally assigned from ebx, so the bl assignment below has to execute; the author NOPs this jump
; bl = 1 on a match, ebx = 0 otherwise.
004AD01D .B3 01 mov bl,0x1
004AD01F .EB 02 jmp short BatchPic.004AD023
004AD021 >33DB xor ebx,ebx
; eax = 0, then 64:8910 = mov fs:[eax],edx: a saved exception-registration pointer is
; written back to fs:[0], i.e. the frame installed earlier in the routine is unlinked.
004AD023 >33C0 xor eax,eax
004AD025 .5A pop edx
004AD026 .59 pop ecx
004AD027 .59 pop ecx
004AD028 .64:8910 mov dword ptr fs:,edx
004AD02B .EB 18 jmp short BatchPic.004AD045
; NOTE(review): looks like compiler-generated exception dispatch (a jump, a small table
; holding two code addresses, then a handler body) - confirm. The body at 004AD03E
; clears ebx, so if control continues to 004AD045 this path also returns 0.
004AD02D .^ E9 CA6DF5FF jmp BatchPic.00403DFC
004AD032 01 db 01
004AD033 00 db 00
004AD034 00 db 00
004AD035 00 db 00
004AD036 .B47B4000 dd BatchPic.00407BB4
004AD03A .3ED04A00 dd BatchPic.004AD03E
004AD03E .33DB xor ebx,ebx
004AD040 .E8 F36FF5FF call BatchPic.00404038
; Same unlink sequence as at 004AD023, this time for another frame.
004AD045 >33C0 xor eax,eax
004AD047 .5A pop edx
004AD048 .59 pop ecx
004AD049 .59 pop ecx
004AD04A .64:8910 mov dword ptr fs:,edx
; 004AD067 is pushed as the return address for the retn at 004AD05F. Before returning,
; 00404650 is called with eax = address of a local (8D45 E4 = lea eax,[ebp-0x1C]) and
; edx = 7 - presumably releasing seven string locals, confirm.
004AD04D .68 67D04A00 push BatchPic.004AD067
004AD052 >8D45 E4 lea eax,dword ptr ss:
004AD055 .BA 07000000 mov edx,0x7
004AD05A .E8 F175F5FF call BatchPic.00404650
004AD05F .C3 retn
; Two jumps that re-enter the cleanup at 004AD052 or go to 00403F84; presumably the
; exception route into the same cleanup - confirm.
004AD060 .^ E9 1F6FF5FF jmp BatchPic.00403F84
004AD065 .^ EB EB jmp short BatchPic.004AD052
; Epilogue: the result moves from ebx to eax, then saved registers and the frame are
; restored.
004AD067 .8BC3 mov eax,ebx
004AD069 .5F pop edi
004AD06A .5E pop esi
004AD06B .5B pop ebx
004AD06C .8BE5 mov esp,ebp
004AD06E .5D pop ebp
004AD06F .C3 retn
至此,只要第一次打开程序后,输入的注册码为8位,以后打开就可以正常使用
未破解前图
破解后
文件打包:
谢谢楼主分享 其实重启验证只需要把握一个值就OK,爆破是没有多大作用的 谢谢楼主分享 这个软件好不好用呢? 谢谢 共享 谢谢,长见识了 注册失败!