【文章标题】: FastStone Capture 破解过程 【文章作者】: 海浪SeaWave 【软件名称】: FastStone Capture 【下载地址】: http://faststone-capture.en.softonic.com/ (官网) 【加壳方式】: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo 【编写语言】: Borland Delphi 6.0 - 7.0 【使用工具】: OD(OllyDbg)、PEiD 【操作平台】: Windows XP SP3 【软件介绍】: 截图工具 【作者声明】: 只是感兴趣,没有其他目的。第一次写破文,内容很简略,失误之处敬请诸位大侠赐教! -------------------------------------------------------------------------------- 【详细过程】 解压后将文件覆盖即可。
1、查壳
脱壳后,显示是Delphi写的。
2、破解
双击打开,显示需要注册。点击输入注册码,随便输入,弹出“Invalid User Name or Registration Code!”。好的,搜一下字符串,居然搜到了!好,我们来破解(请看注释):
; ---------------------------------------------------------------------------
; OllyDbg listing of one routine in the unpacked FSCaptur module,
; 0062FFE0..006303B5. Columns: address, analysis marker, opcode bytes,
; instruction, comment. Judging from the strings it references, this is the
; handler that checks the name/code typed into the registration dialog and
; reports the result.
;
; Register use as the listing shows it: eax carries the first argument (saved
; at [ebp-0x4]), edx and ecx the next two - presumably Delphi's register
; convention, since the page identifies the program as Borland Delphi.
;
; Locals, as used below:
;   [ebp-0x4]   first argument (presumably the dialog object - confirm)
;   [ebp-0x8]   text derived from the control at +0x304; tested against 0
;               before the "User Name cannot be empty." message
;   [ebp-0x10]  text derived from the control at +0x30C after three helpers
;   [ebp-0x14]  work string built by the loop at 0063006F
;   [ebp-0xC]   copy of [ebp-0x14] that is handed to the checks
;   [ebp-0x44]..[ebp-0x28]  output slots for the formatted messages
;
; NOTE(review): the accept/reject decision is five call+branch pairs that all
; target one failure label (00630343); the success path then sets a flag byte
; (+0x550) on a global object. That layout is what lets the page's author
; change the outcome by editing individual branches. Re-validating the stored
; name/code where licensed features are used, and verifying the integrity of
; the executable, are the usual hardening steps. UPX, which the page names as
; the packer, is a compressor and provides no tamper resistance.
; ---------------------------------------------------------------------------
0062FFDF     90             nop
; Prologue: 8 iterations x 2 pushes, plus the push of ecx (now 0), zero the
; 0x44 bytes of locals below ebp; then ebx/esi/edi are saved.
0062FFE0  .  55             push ebp
0062FFE1  .  8BEC           mov ebp,esp
0062FFE3  .  B9 08000000    mov ecx,0x8
0062FFE8  >  6A 00          push 0x0
0062FFEA  .  6A 00          push 0x0
0062FFEC  .  49             dec ecx
0062FFED  .^ 75 F9          jnz XFSCaptur.0062FFE8
0062FFEF  .  51             push ecx
0062FFF0  .  53             push ebx
0062FFF1  .  56             push esi
0062FFF2  .  57             push edi
0062FFF3  .  8945 FC        mov dword ptr ss:[ebp-0x4],eax
; Two exception frames are linked through fs:[0]; their handler addresses are
; 006303B6 (outer, not part of this listing) and 0063036C (inner).
0062FFF6  .  33C0           xor eax,eax
0062FFF8  .  55             push ebp
0062FFF9  .  68 B6036300    push FSCaptur.006303B6
0062FFFE  .  64:FF30        push dword ptr fs:[eax]
00630001  .  64:8920        mov dword ptr fs:[eax],esp
00630004  .  33C0           xor eax,eax
00630006  .  55             push ebp
00630007  .  68 6C036300    push FSCaptur.0063036C
0063000C  .  64:FF30        push dword ptr fs:[eax]
0063000F  .  64:8920        mov dword ptr fs:[eax],esp
; First input: object at [arg+0x304] -> 0044B270 -> [ebp-0x18], then
; 004093AC -> [ebp-0x8]. Presumably "get text" followed by a trim - confirm.
00630012  .  8D55 E8        lea edx,dword ptr ss:[ebp-0x18]
00630015  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
00630018  .  8B80 04030000  mov eax,dword ptr ds:[eax+0x304]
0063001E  .  E8 4DB2E1FF    call FSCaptur.0044B270
00630023  .  8B45 E8        mov eax,dword ptr ss:[ebp-0x18]
00630026  .  8D55 F8        lea edx,dword ptr ss:[ebp-0x8]
00630029  .  E8 7E93DDFF    call FSCaptur.004093AC
; Second input: object at [arg+0x30C], same two helpers, then 0040915C ->
; [ebp-0x10]. Presumably an upper-casing step, since the loop below keeps only
; bytes 0x41..0x5A - confirm.
0063002E  .  8D55 E0        lea edx,dword ptr ss:[ebp-0x20]
00630031  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
00630034  .  8B80 0C030000  mov eax,dword ptr ds:[eax+0x30C]
0063003A  .  E8 31B2E1FF    call FSCaptur.0044B270
0063003F  .  8B45 E0        mov eax,dword ptr ss:[ebp-0x20]
00630042  .  8D55 E4        lea edx,dword ptr ss:[ebp-0x1C]
00630045  .  E8 6293DDFF    call FSCaptur.004093AC
0063004A  .  8B45 E4        mov eax,dword ptr ss:[ebp-0x1C]
0063004D  .  8D55 F0        lea edx,dword ptr ss:[ebp-0x10]
00630050  .  E8 0791DDFF    call FSCaptur.0040915C
; [ebp-0x14] is reset (0040485C, presumably a string-clear helper) and the
; result of 00404B14 on [ebp-0x10] becomes the loop count in edi (presumably a
; string length). A count of 0 skips the loop.
00630055  .  8D45 EC        lea eax,dword ptr ss:[ebp-0x14]
00630058  .  E8 FF47DDFF    call FSCaptur.0040485C
0063005D  .  8B45 F0        mov eax,dword ptr ss:[ebp-0x10]
00630060  .  E8 AF4ADDFF    call FSCaptur.00404B14
00630065  .  8BF8           mov edi,eax
00630067  .  4F             dec edi
00630068  .  85FF           test edi,edi
0063006A  .  7C 66          jl XFSCaptur.006300D2
0063006C  .  47             inc edi
0063006D  .  33F6           xor esi,esi
; Loop: esi indexes [ebp-0x10]. A byte in 0x41..0x5A ('A'..'Z') is appended
; to [ebp-0x14] (00404A3C then 00404B1C); any other byte is skipped.
0063006F  >  8B45 F0        mov eax,dword ptr ss:[ebp-0x10]
00630072  .  8A1C30         mov bl,byte ptr ds:[eax+esi]
00630075  .  80FB 41        cmp bl,0x41
00630078  .  72 20          jb XFSCaptur.0063009A
0063007A  .  8B45 F0        mov eax,dword ptr ss:[ebp-0x10]
0063007D  .  80FB 5A        cmp bl,0x5A
00630080  .  77 18          ja XFSCaptur.0063009A
00630082  .  8D45 DC        lea eax,dword ptr ss:[ebp-0x24]
00630085  .  8B55 F0        mov edx,dword ptr ss:[ebp-0x10]
00630088  .  8BD3           mov edx,ebx
0063008A  .  E8 AD49DDFF    call FSCaptur.00404A3C
0063008F  .  8B55 DC        mov edx,dword ptr ss:[ebp-0x24]
00630092  .  8D45 EC        lea eax,dword ptr ss:[ebp-0x14]
00630095  .  E8 824ADDFF    call FSCaptur.00404B1C
; After each byte: when 00404B14 on [ebp-0x14] returns 5, 0xB or 0x11, the
; string at 006303CC (shown by the debugger as "-") is appended.
0063009A  >  8B45 EC        mov eax,dword ptr ss:[ebp-0x14]
0063009D  .  E8 724ADDFF    call FSCaptur.00404B14
006300A2  .  83F8 05        cmp eax,0x5
006300A5  .  74 1A          je XFSCaptur.006300C1
006300A7  .  8B45 EC        mov eax,dword ptr ss:[ebp-0x14]
006300AA  .  E8 654ADDFF    call FSCaptur.00404B14
006300AF  .  83F8 0B        cmp eax,0xB
006300B2  .  74 0D          je XFSCaptur.006300C1
006300B4  .  8B45 EC        mov eax,dword ptr ss:[ebp-0x14]
006300B7  .  E8 584ADDFF    call FSCaptur.00404B14
006300BC  .  83F8 11        cmp eax,0x11
006300BF  .  75 0D          jnz XFSCaptur.006300CE
006300C1  >  8D45 EC        lea eax,dword ptr ss:[ebp-0x14]
006300C4  .  BA CC036300    mov edx,FSCaptur.006303CC ; -
006300C9  .  E8 4E4ADDFF    call FSCaptur.00404B1C
006300CE  >  46             inc esi
006300CF  .  4F             dec edi
006300D0  .^ 75 9D          jnz XFSCaptur.0063006F
; The rebuilt string is copied to [ebp-0xC] (004048F4, presumably a string
; assignment helper).
006300D2  >  8D45 F4        lea eax,dword ptr ss:[ebp-0xC]
006300D5  .  8B55 EC        mov edx,dword ptr ss:[ebp-0x14]
006300D8  .  E8 1748DDFF    call FSCaptur.004048F4
; Empty-name guard: a zero [ebp-0x8] falls through to the message below and
; leaves via 00630376; a nonzero value continues at 00630116.
006300DD  .  837D F8 00     cmp dword ptr ss:[ebp-0x8],0x0
006300E1     75 33          jnz XFSCaptur.00630116 ; author: checks whether the user name is empty; changed to JMP here.
006300E3  .  6A 00          push 0x0
006300E5  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
006300EC  .  B2 02          mov dl,0x2
006300EE  .  B8 DC036300    mov eax,FSCaptur.006303DC ; User Name cannot be empty.
006300F3  .  E8 203DE1FF    call FSCaptur.00443E18 ; author's translation of the message above; 00443E18 is presumably the message-dialog helper
006300F8  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
006300FB  .  8B80 04030000  mov eax,dword ptr ds:[eax+0x304]
00630101  .  8B10           mov edx,dword ptr ds:[eax]
00630103  .  FF92 C0000000  call dword ptr ds:[edx+0xC0] ; virtual call on the +0x304 control (presumably gives it focus - confirm)
00630109  .  33C0           xor eax,eax
0063010B  .  5A             pop edx
0063010C  .  59             pop ecx
0063010D  .  59             pop ecx
0063010E  .  64:8910        mov dword ptr fs:[eax],edx ; unlink the inner exception frame
00630111  .  E9 60020000    jmp FSCaptur.00630376
; Check 1: 0062F100(arg, [ebp-0xC]); a nonzero al rejects the input. What the
; callee tests is not visible in this listing.
00630116  >  8B55 F4        mov edx,dword ptr ss:[ebp-0xC]
00630119  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
0063011C  .  E8 DFEFFFFF    call FSCaptur.0062F100
00630121  .  84C0           test al,al
00630123     0F85 1A020000  jnz FSCaptur.00630343 ; author: registration-success check; NOP.
; Check 2: 0062F1B0(arg, [ebp-0x8]); a nonzero al rejects the input.
00630129     8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
0063012C  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
0063012F  .  E8 7CF0FFFF    call FSCaptur.0062F1B0
00630134  .  84C0           test al,al
00630136     0F85 07020000  jnz FSCaptur.00630343 ; author: another check; NOP.
; Check 3: 0062FCA8(arg, [ebp-0x8], [ebp-0xC]); a zero al rejects the input.
0063013C  .  8B4D F4        mov ecx,dword ptr ss:[ebp-0xC]
0063013F  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
00630142  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
00630145  .  E8 5EFBFFFF    call FSCaptur.0062FCA8
0063014A  .  84C0           test al,al
0063014C     0F84 F1010000  je FSCaptur.00630343 ; author: another check; NOP.
; Check 4: 0062FD38 with the same three arguments; a zero al rejects the input.
00630152  .  8B4D F4        mov ecx,dword ptr ss:[ebp-0xC]
00630155  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
00630158  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
0063015B  .  E8 D8FBFFFF    call FSCaptur.0062FD38
00630160  .  84C0           test al,al
00630162     0F84 DB010000  je FSCaptur.00630343 ; author: another check; NOP.
; Check 5: 0062FDC8(arg, [ebp-0xC]) returns an integer; a value below 1
; rejects the input.
00630168  .  8B55 F4        mov edx,dword ptr ss:[ebp-0xC]
0063016B  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
0063016E  .  E8 55FCFFFF    call FSCaptur.0062FDC8
00630173  .  48             dec eax
00630174     0F8C C9010000  jl FSCaptur.00630343 ; author: another check; NOP.
; 0062FDC8 is called again and its result (ebx) selects the message shown:
; <=1, 0x457, 0x1385, 0x1386, 0x1387, any other value below 0x1388, or
; >=0x1388. Each arm formats a string through 006B7ACC (name in edx; ecx is 0
; or, in the "%2%" arm, the text produced from ebx by 00409630) and shows it
; through 00443E18.
0063017A  .  8B55 F4        mov edx,dword ptr ss:[ebp-0xC]
0063017D  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
00630180  .  E8 43FCFFFF    call FSCaptur.0062FDC8
00630185  .  8BD8           mov ebx,eax
00630187  .  83FB 01        cmp ebx,0x1 ; Switch (cases 457..1387)
0063018A     7F 2D          jg XFSCaptur.006301B9 ; author: single-user registration? low tier, so JMP past it.
0063018C  .  6A 00          push 0x0
0063018E  .  6A 00          push 0x0
00630190  .  8D45 D8        lea eax,dword ptr ss:[ebp-0x28]
00630193  .  50             push eax
00630194  .  33C9           xor ecx,ecx
00630196  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
00630199  .  B8 00046300    mov eax,FSCaptur.00630400 ; Congratulations!\r\rThis program has been registered to: %1% (Single-User License).
0063019E  .  E8 29790800    call FSCaptur.006B7ACC ; author's translation of the message above
006301A3  .  8B45 D8        mov eax,dword ptr ss:[ebp-0x28]
006301A6  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
006301AD  .  B2 02          mov dl,0x2
006301AF  .  E8 643CE1FF    call FSCaptur.00443E18
006301B4  .  E9 36010000    jmp FSCaptur.006302EF
006301B9  >  81FB 57040000  cmp ebx,0x457
006301BF     75 2D          jnz XFSCaptur.006301EE ; author: family licence, covers only 5 computers, fairly low tier; JMP.
006301C1  .  6A 00          push 0x0 ; Case 457 of switch 00630187
006301C3  .  6A 00          push 0x0
006301C5  .  8D45 D4        lea eax,dword ptr ss:[ebp-0x2C]
006301C8  .  50             push eax
006301C9  .  33C9           xor ecx,ecx
006301CB  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
006301CE  .  B8 5C046300    mov eax,FSCaptur.0063045C ; Congratulations!\r\rThis program has been registered to: %1% (Family License that covers up to 5 computers).
006301D3  .  E8 F4780800    call FSCaptur.006B7ACC ; author's translation of the message above
006301D8  .  8B45 D4        mov eax,dword ptr ss:[ebp-0x2C]
006301DB  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
006301E2  .  B2 02          mov dl,0x2
006301E4  .  E8 2F3CE1FF    call FSCaptur.00443E18
006301E9  .  E9 01010000    jmp FSCaptur.006302EF
006301EE  >  81FB 85130000  cmp ebx,0x1385
006301F4     75 2D          jnz XFSCaptur.00630223 ; author: educational site licence; JMP.
006301F6  .  6A 00          push 0x0 ; Case 1385 of switch 00630187
006301F8  .  6A 00          push 0x0
006301FA  .  8D45 D0        lea eax,dword ptr ss:[ebp-0x30]
006301FD  .  50             push eax
006301FE  .  33C9           xor ecx,ecx
00630200  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
00630203  .  B8 D0046300    mov eax,FSCaptur.006304D0 ; Congratulations!\r\rThis program has been registered to: %1% (Educational Site License).
00630208  .  E8 BF780800    call FSCaptur.006B7ACC ; author's translation of the message above
0063020D  .  8B45 D0        mov eax,dword ptr ss:[ebp-0x30]
00630210  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
00630217  .  B2 02          mov dl,0x2
00630219  .  E8 FA3BE1FF    call FSCaptur.00443E18
0063021E  .  E9 CC000000    jmp FSCaptur.006302EF
00630223  >  81FB 86130000  cmp ebx,0x1386
00630229  .  75 2D          jnz XFSCaptur.00630258 ; author: educational worldwide licence; JMP.
0063022B  .  6A 00          push 0x0 ; Case 1386 of switch 00630187
0063022D  .  6A 00          push 0x0
0063022F  .  8D45 CC        lea eax,dword ptr ss:[ebp-0x34]
00630232  .  50             push eax
00630233  .  33C9           xor ecx,ecx
00630235  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
00630238  .  B8 30056300    mov eax,FSCaptur.00630530 ; Congratulations!\r\rThis program has been registered to: %1% (Educational Worldwide License).
0063023D  .  E8 8A780800    call FSCaptur.006B7ACC ; author's translation of the message above
00630242  .  8B45 CC        mov eax,dword ptr ss:[ebp-0x34]
00630245  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
0063024C  .  B2 02          mov dl,0x2
0063024E  .  E8 C53BE1FF    call FSCaptur.00443E18
00630253  .  E9 97000000    jmp FSCaptur.006302EF
00630258  >  81FB 87130000  cmp ebx,0x1387
0063025E  .  75 2A          jnz XFSCaptur.0063028A ; author: corporate site licence; JMP.
00630260  .  6A 00          push 0x0 ; Case 1387 of switch 00630187
00630262  .  6A 00          push 0x0
00630264  .  8D45 C8        lea eax,dword ptr ss:[ebp-0x38]
00630267  .  50             push eax
00630268  .  33C9           xor ecx,ecx
0063026A  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
0063026D  .  B8 94056300    mov eax,FSCaptur.00630594 ; Congratulations!\r\rThis program has been registered to: %1% (Corporate Site License).
00630272  .  E8 55780800    call FSCaptur.006B7ACC ; author's translation of the message above
00630277  .  8B45 C8        mov eax,dword ptr ss:[ebp-0x38]
0063027A  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
00630281  .  B2 02          mov dl,0x2
00630283  .  E8 903BE1FF    call FSCaptur.00443E18
00630288  .  EB 65          jmp XFSCaptur.006302EF
0063028A  >  81FB 88130000  cmp ebx,0x1388
00630290  .  7D 35          jge XFSCaptur.006302C7 ; author: not sure what this one is, but presumably lower than the next; JMP as well.
00630292  .  6A 00          push 0x0
00630294  .  6A 00          push 0x0
00630296  .  8D45 C4        lea eax,dword ptr ss:[ebp-0x3C]
00630299  .  50             push eax
0063029A  .  8D55 C0        lea edx,dword ptr ss:[ebp-0x40]
0063029D  .  8BC3           mov eax,ebx
0063029F  .  E8 8C93DDFF    call FSCaptur.00409630 ; ebx -> text in [ebp-0x40] (presumably an integer-to-string helper)
006302A4  .  8B4D C0        mov ecx,dword ptr ss:[ebp-0x40]
006302A7  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
006302AA  .  B8 F4056300    mov eax,FSCaptur.006305F4 ; Congratulations!\r\rThis program has been registered to: %1% (%2% Licenses).
006302AF  .  E8 18780800    call FSCaptur.006B7ACC ; author's translation of the message above
006302B4  .  8B45 C4        mov eax,dword ptr ss:[ebp-0x3C]
006302B7  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
006302BE  .  B2 02          mov dl,0x2
006302C0  .  E8 533BE1FF    call FSCaptur.00443E18
006302C5  .  EB 28          jmp XFSCaptur.006302EF
006302C7  >  6A 00          push 0x0
006302C9  .  6A 00          push 0x0
006302CB  .  8D45 BC        lea eax,dword ptr ss:[ebp-0x44]
006302CE  .  50             push eax
006302CF  .  33C9           xor ecx,ecx
006302D1  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8] ; author: this one should be the highest tier.
006302D4  .  B8 48066300    mov eax,FSCaptur.00630648 ; Congratulations!\r\rThis program has been registered to: %1% (Corporate Worldwide License).
006302D9  .  E8 EE770800    call FSCaptur.006B7ACC ; author's translation of the message above
006302DE  .  8B45 BC        mov eax,dword ptr ss:[ebp-0x44]
006302E1  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
006302E8  .  B2 02          mov dl,0x2
006302EA  .  E8 293BE1FF    call FSCaptur.00443E18
; Common success tail: through the global pointer at 0x6F12E8, [ebp-0x8] is
; stored at (obj+0x570)+0x30 and [ebp-0xC] at (obj+0x570)+0x34 via 004048B0,
; the byte at obj+0x550 is set to 1, and 006D12E0 is called on the object.
; NOTE(review): presumably this records the registered state (and 006D12E0
; saves it) - not visible here. If that stored flag is trusted later without
; re-checking the stored name/code, the dialog result alone decides licensing.
006302EF  >  A1 E8126F00    mov eax,dword ptr ds:[0x6F12E8]
006302F4  .  8B00           mov eax,dword ptr ds:[eax]
006302F6  .  8B80 70050000  mov eax,dword ptr ds:[eax+0x570]
006302FC  .  83C0 30        add eax,0x30
006302FF  .  8B55 F8        mov edx,dword ptr ss:[ebp-0x8]
00630302  .  E8 A945DDFF    call FSCaptur.004048B0
00630307  .  A1 E8126F00    mov eax,dword ptr ds:[0x6F12E8]
0063030C  .  8B00           mov eax,dword ptr ds:[eax]
0063030E  .  8B80 70050000  mov eax,dword ptr ds:[eax+0x570]
00630314  .  83C0 34        add eax,0x34
00630317  .  8B55 F4        mov edx,dword ptr ss:[ebp-0xC]
0063031A  .  E8 9145DDFF    call FSCaptur.004048B0
0063031F  .  A1 E8126F00    mov eax,dword ptr ds:[0x6F12E8]
00630324  .  8B00           mov eax,dword ptr ds:[eax]
00630326  .  C680 50050000>mov byte ptr ds:[eax+0x550],0x1
0063032D  .  A1 E8126F00    mov eax,dword ptr ds:[0x6F12E8]
00630332  .  8B00           mov eax,dword ptr ds:[eax]
00630334  .  E8 A70F0A00    call FSCaptur.006D12E0
00630339  .  8B45 FC        mov eax,dword ptr ss:[ebp-0x4]
0063033C  .  E8 878EE3FF    call FSCaptur.004691C8 ; called on the first argument (presumably closes the dialog - confirm)
00630341  .  EB 1F          jmp XFSCaptur.00630362
; Single failure label shared by all five checks above.
00630343  >  6A 00          push 0x0
00630345  .  66:8B0D D0036>mov cx,word ptr ds:[0x6303D0]
0063034C  .  B2 02          mov dl,0x2
0063034E  .  B8 AC066300    mov eax,FSCaptur.006306AC ; Invalid User Name or Registration Code!
00630353  .  E8 C03AE1FF    call FSCaptur.00443E18 ; author's translation of the message above
00630358  .  33C0           xor eax,eax
0063035A  .  5A             pop edx
0063035B  .  59             pop ecx
0063035C  .  59             pop ecx
0063035D  .  64:8910        mov dword ptr fs:[eax],edx
00630360  .  EB 14          jmp XFSCaptur.00630376
00630362  >  33C0           xor eax,eax
00630364  .  5A             pop edx
00630365  .  59             pop ecx
00630366  .  59             pop ecx
00630367  .  64:8910        mov dword ptr fs:[eax],edx
0063036A  .  EB 0A          jmp XFSCaptur.00630376
; 0063036C is the inner handler address pushed at 00630007 (presumably the
; Delphi runtime's exception-handling stubs - confirm).
0063036C  .^ E9 DB3BDDFF    jmp FSCaptur.00403F4C
00630371  .  E8 3E3FDDFF    call FSCaptur.004042B4
; Common exit: unlink the outer exception frame, push 006303BD as the address
; the final retn goes to, then release the local strings (00404880 with a
; count in edx, 0040485C for single slots - presumably string finalizers).
00630376  >  33C0           xor eax,eax
00630378  .  5A             pop edx
00630379  .  59             pop ecx
0063037A  .  59             pop ecx
0063037B  .  64:8910        mov dword ptr fs:[eax],edx
0063037E  .  68 BD036300    push FSCaptur.006303BD
00630383  >  8D45 BC        lea eax,dword ptr ss:[ebp-0x44]
00630386  .  BA 09000000    mov edx,0x9
0063038B  .  E8 F044DDFF    call FSCaptur.00404880
00630390  .  8D45 E0        lea eax,dword ptr ss:[ebp-0x20]
00630393  .  E8 C444DDFF    call FSCaptur.0040485C
00630398  .  8D45 E4        lea eax,dword ptr ss:[ebp-0x1C]
0063039B  .  E8 BC44DDFF    call FSCaptur.0040485C
006303A0  .  8D45 E8        lea eax,dword ptr ss:[ebp-0x18]
006303A3  .  E8 B444DDFF    call FSCaptur.0040485C
006303A8  .  8D45 EC        lea eax,dword ptr ss:[ebp-0x14]
006303AB  .  BA 04000000    mov edx,0x4
006303B0  .  E8 CB44DDFF    call FSCaptur.00404880
006303B5  .  C3             retn
修改完成,全部保存。 3、测试 打开破解之后的程序,随便输入,弹出注册成功! -------------------------------------------------------------------------------- 【版权声明】: 本文原创于海浪SeaWave, 转载请注明作者并保持文章的完整, 谢谢! |