印章大师 (Seal Master) 9.5: The Complete Process of Cracking the Registration
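The version downloaded from the official website is 9.5. It needs the Microsoft .NET Framework libraries to run, so installation may take a while.
After installing, a trial run prompts for registration and opens a web page.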
0040E356 |. E8 F1A30400 call <jmp.&MFC80U.#2012>
0040E35B |. 83F8 01 cmp eax, 1 ; check whether to overwrite the original file
0040E35E |. 75 34 jnz short 0040E394 ; if not, skip; if so, continue below
0040E360 |. 8B7B 74 mov edi, dword ptr [ebx+74]
0040E363 |. 85FF test edi, edi ; check whether registered
0040E365 |. 74 05 je short 0040E36C ; jumps if registered, otherwise does not jump
0040E367 |. E8 E4F9FFFF call 0040DD50 ; add the "unregistered" mark
0040E36C |> 51 push ecx
0040E36D |. 8BC4 mov eax, esp
;=======================================
0040483A |. E8 D1F8FFFF call 00404110 ; read the registration info from the registry
0040483F |. 85C0 test eax, eax
00404841 |. 74 5B je short 0040489E ; jumps here; if the registry contains the data, it does not jump
00404843 |. E8 C8040000 call 00404D10 ; this is the key CALL
00404848 83F8 01 cmp eax, 1 ; check whether the registration info is correct
0040484B |. 75 08 jnz short 00404855 ; jumps if incorrect, to the block that deletes the registry info
0040484D |. 8985 20010000 mov dword ptr [ebp+120], eax ; a key spot: EAX must be 1 here
00404853 |. EB 49 jmp short 0040489E
00404855 |> 8D5424 14 lea edx, dword ptr [esp+14]
00404859 |. 52 push edx ; /pHandle
0040485A |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
0040485F |. 6A 00 push 0 ; |Reserved = 0
00404861 |. 68 903D4600 push 00463D90 ; |s
00404866 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040486B |. FF15 1C204600 call dword ptr [<&ADVAPI32.RegOpenK>; \RegOpenKeyExW
00404871 |. 85C0 test eax, eax
00404873 |. 75 29 jnz short 0040489E
00404875 |. 8B4424 14 mov eax, dword ptr [esp+14]
00404879 |. 8B35 10204600 mov esi, dword ptr [<&ADVAPI32.Reg>; ADVAPI32.RegDeleteValueW
0040487F |. 68 CC3D4600 push 00463DCC ; /m
00404884 |. 50 push eax ; |hKey
00404885 |. FFD6 call esi ; \RegDeleteValueW
00404887 |. 8B4C24 14 mov ecx, dword ptr [esp+14]
0040488B |. 68 C03D4600 push 00463DC0 ; /r
00404890 |. 51 push ecx ; |hKey
00404891 |. FFD6 call esi ; \RegDeleteValueW
00404893 |. 8B5424 14 mov edx, dword ptr [esp+14]
00404897 |. 52 push edx ; /hKey
00404898 |. FF15 14204600 call dword ptr [<&ADVAPI32.RegClose>; \RegCloseKey
0040489E |> 8D7424 4C lea esi, dword ptr [esp+4C]
004048A2 |. E8 19770400 call 0044BFC0 ; write out the machine code
004048A7 |. C68424 380200>mov byte ptr [esp+238], 6
004048AF |. 83BD 20010000>cmp dword ptr [ebp+120], 0 ; check whether registration is valid, to decide whether to show the registration prompt
004048B6 75 40 jnz short 004048F8 ; it must be made to jump here
004048B8 |. 6A 00 push 0
004048BA |. 6A 04 push 4
004048BC |. 68 343E4600 push 00463E34
004048C1 |. E8 703F0500 call <jmp.&MFC80U.#1118> ; reports "unregistered" and asks whether to register
004048C6 |. 83F8 06 cmp eax, 6
004048C9 |. 75 07 jnz short 004048D2 ; does not jump if Yes is chosen, jumps if No
004048CB |. 8BCE mov ecx, esi
004048CD |. E8 A03F0500 call <jmp.&MFC80U.#2011>
004048D2 |> 8D8424 C40000>lea eax, dword ptr [esp+C4]
004048D9 |. 50 push eax
004048DA |. B9 64B94700 mov ecx, 0047B964
004048DF |. FF15 D0224600 call dword ptr [<&MFC80U.#774>] ; MFC80U.78305C20
004048E5 |. 8D8C24 C80000>lea ecx, dword ptr [esp+C8]
004048EC |. 51 push ecx
004048ED |. B9 68B94700 mov ecx, 0047B968
004048F2 |. FF15 D0224600 call dword ptr [<&MFC80U.#774>] ; MFC80U.78305C20
004048F8 |> 8D7424 14 lea esi, dword ptr [esp+14]
004048FC |. E8 FFFBFFFF call 00404500
00404901 |. C68424 380200>mov byte ptr [esp+238], 7
00404909 |. 50 push eax
0040490A |. 8D5424 20 lea edx, dword ptr [esp+20]
0040490E |. 52 push edx
0040490F |. BF 543E4600 mov edi, 00463E54
00404914 |. E8 37EDFFFF call 00403650
00404919 |. 83C4 08 add esp, 8
0040491C |. B3 09 mov bl, 9
0040491E |. 889C24 380200>mov byte ptr [esp+238], bl
00404925 |. 8BCE mov ecx, esi
00404927 |. FF15 00224600 call dword ptr [<&MFC80U.#577>] ; MFC80U.7834DD87
0040492D |. 8D4C24 28 lea ecx, dword ptr [esp+28]
00404931 |. E8 423F0500 call <jmp.&MFC80U.#334>
00404936 |. C68424 380200>mov byte ptr [esp+238], 0A
0040493E |. 8D4424 28 lea eax, dword ptr [esp+28]
00404942 |. 50 push eax
00404943 |. 8BCD mov ecx, ebp
00404945 |. E8 3A3F0500 call <jmp.&MFC80U.#5113>
0040494A |. 83CF FF or edi, FFFFFFFF
0040494D |. 83BD 20010000>cmp dword ptr [ebp+120], 0 ; check whether registered; if not, open the author's home page
00404954 |. 75 20 jnz short 00404976 ; it must be made to jump
00404956 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0040495A |. 51 push ecx
0040495B |. 8D4C24 40 lea ecx, dword ptr [esp+40]
0040495F |. C74424 3C 010>mov dword ptr [esp+3C], 1
00404967 |. FF15 D0224600 call dword ptr [<&MFC80U.#774>] ; MFC80U.78305C20
0040496D |. 8BCD mov ecx, ebp
0040496F |. E8 AC190400 call 00446320 ; open the web page
00404974 |. EB 2A jmp short 004049A0
00404976 |> 837C24 38 00 cmp dword ptr [esp+38], 0
0040497B |. 75 04 jnz short 00404981
0040497D |. 897C24 38 mov dword ptr [esp+38], edi
;=============Key CALL 00404D10=========================
00404D10 $ 55 push ebp ; key location for the crack
00404D11 . 8BEC mov ebp, esp
00404D13 . 6A FF push -1
00404D15 . 68 10AA4500 push 0045AA10
00404D1A . 64:A1 0000000>mov eax, dword ptr fs:[0]
00404D20 . 50 push eax
00404D21 . 83EC 60 sub esp, 60
00404D24 . A1 28904700 mov eax, dword ptr [479028]
00404D29 . 33C5 xor eax, ebp
00404D2B . 8945 EC mov dword ptr [ebp-14], eax
00404D2E . 53 push ebx
00404D2F . 56 push esi
00404D30 . 57 push edi
00404D31 . 50 push eax
00404D32 . 8D45 F4 lea eax, dword ptr [ebp-C]
00404D35 . 64:A3 0000000>mov dword ptr fs:[0], eax
00404D3B . 8965 F0 mov dword ptr [ebp-10], esp
00404D3E . 33F6 xor esi, esi
00404D40 . 8975 B0 mov dword ptr [ebp-50], esi
00404D43 . 68 103F4600 push 00463F10 ; /c
00404D48 . FF15 30214600 call dword ptr [<&KERNEL32.LoadLibr>; \LoadLibraryW
00404D4E 8BF8 mov edi, eax
00404D50 . 897D A8 mov dword ptr [ebp-58], edi
00404D53 . 3BFE cmp edi, esi
00404D55 . 0F84 C1010000 je 00404F1C
00404D5B . 68 243F4600 push 00463F24 ; /check
00404D60 . 57 push edi ; |hModule
00404D61 . FF15 28214600 call dword ptr [<&KERNEL32.GetProcA>; \GetProcAddress
00404D67 . 8945 9C mov dword ptr [ebp-64], eax
00404D6A . 3BC6 cmp eax, esi
00404D6C . 0F84 9E010000 je 00404F10
00404D72 . B0 EB mov al, 0EB
00404D74 . 8845 E0 mov byte ptr [ebp-20], al
00404D77 . C645 E1 08 mov byte ptr [ebp-1F], 8
00404D7B . 8845 E2 mov byte ptr [ebp-1E], al
00404D7E . C645 E3 05 mov byte ptr [ebp-1D], 5
00404D82 . B0 90 mov al, 90
00404D84 . 8845 E4 mov byte ptr [ebp-1C], al
00404D87 . 8845 E5 mov byte ptr [ebp-1B], al
00404D8A . 8845 E6 mov byte ptr [ebp-1A], al
00404D8D . 8845 E7 mov byte ptr [ebp-19], al
00404D90 . C645 E8 89 mov byte ptr [ebp-18], 89
00404D94 . C645 E9 01 mov byte ptr [ebp-17], 1
00404D98 . FF15 20214600 call dword ptr [<&KERNEL32.GetCurre>; [GetCurrentProcessId
00404D9E . 50 push eax ; /ProcessId
00404D9F . 6A 01 push 1 ; |Inheritable = TRUE
00404DA1 . 6A 28 push 28 ; |Access = VM_OPERATION|VM_WRITE
00404DA3 . FF15 24214600 call dword ptr [<&KERNEL32.OpenProc>; \OpenProcess
00404DA9 . 8945 A0 mov dword ptr [ebp-60], eax
00404DAC . 8B47 3C mov eax, dword ptr [edi+3C]
00404DAF . 0FB64C38 FC movzx ecx, byte ptr [eax+edi-4]
00404DB4 . 894D A4 mov dword ptr [ebp-5C], ecx
00404DB7 33C0 xor eax, eax
00404DB9 8975 AC mov dword ptr [ebp-54], esi
00404DBC . 8BDF mov ebx, edi
00404DBE > 837D AC 00 cmp dword ptr [ebp-54], 0
00404DC2 . 75 20 jnz short 00404DE4
00404DC4 . 8A13 mov dl, byte ptr [ebx]
00404DC6 . 3A5435 E0 cmp dl, byte ptr [ebp+esi-20]
00404DCA . 75 05 jnz short 00404DD1
00404DCC . 83C6 01 add esi, 1
00404DCF . EB 65 jmp short 00404E36
00404DD1 > 83FE 0A cmp esi, 0A
00404DD4 . 7C 07 jl short 00404DDD
00404DD6 . C745 AC 01000>mov dword ptr [ebp-54], 1
00404DDD > 33F6 xor esi, esi
00404DDF . 3975 AC cmp dword ptr [ebp-54], esi
00404DE2 . 74 52 je short 00404E36
00404DE4 > 33F6 xor esi, esi
00404DE6 . 33FF xor edi, edi
00404DE8 . 397D A4 cmp dword ptr [ebp-5C], edi
00404DEB . 76 41 jbe short 00404E2E
00404DED . 8D49 00 lea ecx, dword ptr [ecx]
00404DF0 > 8D04B6 lea eax, dword ptr [esi+esi*4]
00404DF3 . 50 push eax
00404DF4 . B9 68B94700 mov ecx, 0047B968
00404DF9 . FF15 EC234600 call dword ptr [<&MFC80U.#2444>] ; MFC80U.783053F6
00404DFF . 8D0C3B lea ecx, dword ptr [ebx+edi]
00404E02 . 8A11 mov dl, byte ptr [ecx]
00404E04 . 32D0 xor dl, al
00404E06 . 8855 B7 mov byte ptr [ebp-49], dl
00404E09 . 6A 00 push 0 ; /pBytesWritten = NULL
00404E0B . 6A 01 push 1 ; |BytesToWrite = 1
00404E0D . 8D45 B7 lea eax, dword ptr [ebp-49] ; |
00404E10 . 50 push eax ; |Buffer
00404E11 . 51 push ecx ; |Address
00404E12 . 8B4D A0 mov ecx, dword ptr [ebp-60] ; |
00404E15 . 51 push ecx ; |hProcess
00404E16 . FF15 1C214600 call dword ptr [<&KERNEL32.WritePro>; \WriteProcessMemory
00404E1C . 83C6 01 add esi, 1
00404E1F . 83FE 04 cmp esi, 4
00404E22 . 7E 02 jle short 00404E26
00404E24 . 33F6 xor esi, esi
00404E26 > 83C7 01 add edi, 1
00404E29 . 3B7D A4 cmp edi, dword ptr [ebp-5C]
00404E2C .^ 72 C2 jb short 00404DF0
00404E2E > B8 01000000 mov eax, 1
00404E33 . 8B7D A8 mov edi, dword ptr [ebp-58]
00404E36 > 83C3 01 add ebx, 1
00404E39 . 85C0 test eax, eax
00404E3B .^ 74 81 je short 00404DBE
00404E3D . 8B55 A0 mov edx, dword ptr [ebp-60]
00404E40 . 52 push edx ; /hObject
00404E41 . FF15 18214600 call dword ptr [<&KERNEL32.CloseHan>; \CloseHandle
00404E47 . C745 FC 00000>mov dword ptr [ebp-4], 0
00404E4E . 33F6 xor esi, esi
00404E50 > 8975 94 mov dword ptr [ebp-6C], esi
00404E53 . 8B0D 64B94700 mov ecx, dword ptr [47B964] ; machine code
00404E59 . 8B41 F4 mov eax, dword ptr [ecx-C] ; length of the machine code
00404E5C . 83F8 14 cmp eax, 14
00404E5F . 7E 05 jle short 00404E66
00404E61 . B8 14000000 mov eax, 14
00404E66 > 3BF0 cmp esi, eax
00404E68 . 7D 15 jge short 00404E7F
00404E6A . 56 push esi
00404E6B . B9 64B94700 mov ecx, 0047B964
00404E70 . FF15 EC234600 call dword ptr [<&MFC80U.#2444>] ; MFC80U.783053F6
00404E76 . 884435 D8 mov byte ptr [ebp+esi-28], al
00404E7A . 83C6 01 add esi, 1
00404E7D .^ EB D1 jmp short 00404E50
00404E7F > 8B41 F4 mov eax, dword ptr [ecx-C]
00404E82 . 83F8 14 cmp eax, 14
00404E85 . 7E 05 jle short 00404E8C
00404E87 . B8 14000000 mov eax, 14
00404E8C > C64405 D8 00 mov byte ptr [ebp+eax-28], 0
00404E91 . 33F6 xor esi, esi
00404E93 > 8975 98 mov dword ptr [ebp-68], esi
00404E96 . 8B0D 68B94700 mov ecx, dword ptr [47B968]
00404E9C . 8B41 F4 mov eax, dword ptr [ecx-C]
00404E9F . 83F8 1E cmp eax, 1E
00404EA2 . 7E 05 jle short 00404EA9
00404EA4 . B8 1E000000 mov eax, 1E
00404EA9 > 3BF0 cmp esi, eax
00404EAB . 7D 15 jge short 00404EC2
00404EAD . 56 push esi
00404EAE . B9 68B94700 mov ecx, 0047B968
00404EB3 . FF15 EC234600 call dword ptr [<&MFC80U.#2444>] ; MFC80U.783053F6
00404EB9 . 884435 B8 mov byte ptr [ebp+esi-48], al
00404EBD . 83C6 01 add esi, 1
00404EC0 .^ EB D1 jmp short 00404E93
00404EC2 > 8B41 F4 mov eax, dword ptr [ecx-C]
00404EC5 . 83F8 1E cmp eax, 1E
00404EC8 . 7E 05 jle short 00404ECF
00404ECA . B8 1E000000 mov eax, 1E
00404ECF > C64405 B8 00 mov byte ptr [ebp+eax-48], 0
00404ED4 . 8D45 B8 lea eax, dword ptr [ebp-48]
00404ED7 . 50 push eax ; read the trial code
00404ED8 . 8D4D D8 lea ecx, dword ptr [ebp-28]
00404EDB . 51 push ecx ; machine code
00404EDC . FF55 9C call dword ptr [ebp-64]
00404EDF . 83C4 08 add esp, 8
00404EE2 . 85C0 test eax, eax
00404EE4 . 74 07 je short 00404EED
00404EE6 . C745 B0 01000>mov dword ptr [ebp-50], 1
00404EED > C745 FC FFFFF>mov dword ptr [ebp-4], -1
00404EF4 . 57 push edi ; /hLibModule
00404EF5 . FF15 2C214600 call dword ptr [<&KERNEL32.FreeLibr>; \FreeLibrary
00404EFB . 8B45 B0 mov eax, dword ptr [ebp-50]
00404EFE . EB 1E jmp short 00404F1E
00404F00 C745 B0 00000>mov dword ptr [ebp-50], 0 ; key location for the crack: change it to 1
00404F07 . B8 0D4F4000 mov eax, 00404F0D
00404F0C . C3 retn
00404F0D . 8B7D A8 mov edi, dword ptr [ebp-58]
00404F10 > 57 push edi ; /hLibModule
00404F11 . FF15 2C214600 call dword ptr [<&KERNEL32.FreeLibr>; \FreeLibrary
00404F17 8B45 B0 mov eax, dword ptr [ebp-50]
00404F1A EB 02 jmp short 00404F1E
00404F1C > 8BC6 mov eax, esi
00404F1E > 8B4D F4 mov ecx, dword ptr [ebp-C]
00404F21 . 64:890D 00000>mov dword ptr fs:[0], ecx
00404F28 . 59 pop ecx
00404F29 . 5F pop edi
00404F2A . 5E pop esi
00404F2B . 5B pop ebx
00404F2C . 8B4D EC mov ecx, dword ptr [ebp-14]
00404F2F . 33CD xor ecx, ebp
00404F31 . E8 75450500 call 004594AB
00404F36 . 8BE5 mov esp, ebp
00404F38 . 5D pop ebp
00404F39 . C3 retn ; return
;=========================
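Restart, and OK, it's done!
There is one precondition, though: a registration code must have been entered, that is, the registry must already contain registration information; otherwise it still won't work, heh!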
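Summary of the crack analysis:
The program first checks whether the registry holds registration information. Whether or not that information is correct, it decides if the copy is registered by means of a flag; if the information is incorrect, it automatically clears it, restores the initial state and marks the copy as unregistered.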
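Added example (not part of the original post and not the vendor's code): the walkthrough ends with the key CALL's verdict stored in one dword at [ebp+120], which later branches only compare with 0. The sketch below contrasts that single-flag pattern with a design in which the license yields the key that decrypts data the program needs; all function names and sample values are assumptions, and the SHA-256 counter keystream is a stand-in, not a vetted cipher.

```python
import hashlib
import hmac

def _stream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode as a stand-in keystream (not a vetted cipher).
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(machine_code: str) -> bytes:
    # Per-machine pad that wraps the content key inside the license.
    return hashlib.sha256(b"wrap:" + machine_code.encode()).digest()

# Vendor side: runs only at the vendor; content_key never ships.
def seal(content_key: bytes, feature: bytes):
    blob = _xor(feature, _stream(content_key, len(feature)))
    return blob, hmac.new(content_key, blob, hashlib.sha256).digest()

def issue_license(content_key: bytes, machine_code: str) -> bytes:
    return _xor(content_key, _pad(machine_code))

# Client, single-flag form (the pattern in the listing): everything
# downstream trusts one stored value, so the verdict is only as strong
# as that one store and the branches that read it.
def weak_unlock(flag: int, feature: bytes):
    return feature if flag == 1 else None

# Client, key-derivation form: the license yields the key that decrypts
# the feature data, so no stored yes/no decides the outcome.
def unlock(lic: bytes, machine_code: str, blob: bytes, tag: bytes,
           force_accept: bool = False):
    key = _xor(lic, _pad(machine_code))
    mac = hmac.new(key, blob, hashlib.sha256).digest()
    # force_accept models a tampered integrity branch (hypothetical switch).
    if not hmac.compare_digest(mac, tag) and not force_accept:
        return None
    return _xor(blob, _stream(key, len(blob)))

# Constructed sample values, for illustration only.
CONTENT_KEY = hashlib.sha256(b"constructed vendor secret").digest()
FEATURE = b"seal-template-pack v1 (constructed sample)"
BLOB, TAG = seal(CONTENT_KEY, FEATURE)
LICENSE = issue_license(CONTENT_KEY, "MACHINE-0001")
```

With force_accept set and a wrong license, unlock() returns bytes that are not the feature data, because the key itself is wrong. A licensed user can still recover the content key on their own machine, so this design removes the single patchable flag, not key sharing.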
======================
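Statement: this article is for technical exchange only. If you find the software useful, please support domestic software and buy it from the author.
It is not for commercial use; you bear all consequences arising from cracking yourself, and they have nothing to do with me.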