qq中毒了怎么办-cf手动更新
2023年4月3日发(作者:刷机大师pc版)
标题:即时语音提示&校对软件InsTalk注册码及注册机-初学者请看(24千字)
发信人:
时间:2002-4-137:50:29
详细信息:
即时语音提示&校对软件InsTalk注册码及注册机-初学者请看
软件说明:即时语音提示&校对软件InsTalk是面向Windows9x/NT的工具软件。利用它用户可以让电脑
说汉语普通话。它有两种工作状态。一种是在使用键盘输入数字和英文字符时,可以跟随录入的字符即时
发出相应的语音提示。另一种是让电脑朗读中文。
使用工具:TRW2000、、KeyMaker。
由于受软件提示信息的影响,整个破解过程走了不少弯路:输入注册信息后,软件提示关闭并重新启动软
件以验证注册码,但重新启动时,试了很多断点还是找不到注册码(其实可以找到,但此注册码并非你所
输入的注册名和单位生成,而是注册名和单位为空时的注册码),后来通过对注册表的监视,当软件注册码
错误时,程序根本就不往注册表里写入。所以,判断注册码的工作应该在输入注册信息的时候就已经进行
了,作者给我们开了个大玩笑?!!
=================================================================================
=========
1、启动程序,填写注册信息,Ctrl-n,bpxhmemcpy,F5返回,按“注册”按钮,程序拦下。
2、bc*,pmodule。
3、按两次F10,来到下面:
:004073D08D8C2444010000leaecx,dwordptr[esp+00000144]
:004073D76800010000push00000100
:004073DC51pushecx
:004073DD680D040000push0000040D
:004073E28BCEmovecx,esi
:004073E48944243Cmovdwordptr[esp+3C],eax
:004073E8E8D4540100call0041C8C1
:004073ED8BC8movecx,eax
:004073EFE815560100call0041CA09
:004073F48D942444020000leaedx,dwordptr[esp+00000244]
:004073FB6800010000push00000100
:pushedx
:F040000push0000040F
:004074068BCEmovecx,esi
:2440movdwordptr[esp+40],eax
:0040740CE8B0540100call0041C8C1
:004074118BC8movecx,eax
:00407413E8F1550100call0041CA09
:2438movdwordptr[esp+38],eax
:0040741CE86FB20100call00422690
:004074218B6804movebp,dwordptr[eax+04]
:00407424A158E74200moveax,dwordptr[0042E758]
:004074298D8C2444010000leaecx,dwordptr[esp+00000144]
:C241Cmovdwordptr[esp+1C],ebp
:pushecx
:004074358D4C241Cleaecx,dwordptr[esp+1C]
:241Cmovdwordptr[esp+1C],eax
:0040743DE8F55F0100call0041D437
:004074426A19push00000019
:pushecx
:004074458D94244C020000leaedx,dwordptr[esp+0000024C]
:0040744C33DBxorebx,ebx
:0040744E8BCCmovecx,esp
:2444movdwordptr[esp+44],esp
:pushedx
:C2458030000movdwordptr[esp+00000358],ebx
:0040745CE84FD7FFFFcall00404BB0
:004074618D44244Cleaeax,dwordptr[esp+4C]
:004074658D4C2434leaecx,dwordptr[esp+34]
:pusheax
:0040746AC684245803000001movbyteptr[esp+00000358],01
:00407472E839D7FFFFcall00404BB0
:pushecx
:004074788D542424leaedx,dwordptr[esp+24]
:0040747C8BCCmovecx,esp
:0040747E8964244Cmovdwordptr[esp+4C],esp
:pushedx
:pusheax
:pushecx
:00407485C684246403000002movbyteptr[esp+00000364],02
:0040748DE80A600100call0041D49C
:00407492C684245803000003movbyteptr[esp+00000358],03
:0040749AE821D6FFFFcall00404AC0(此处改变eax的值,说明对注册码进行了判断)
:0040749F83C40Caddesp,0000000C
:004074A28D4C242Cleaecx,dwordptr[esp+2C]
:004074A68BF8movedi,eax(这里将eax的值赋予edi)
:004074A8889C244C030000movbyteptr[esp+0000034C],bl
:004074AFE88A5E0100call0041D33E
:004074B48D4C2418leaecx,dwordptr[esp+18]
:004074B8C784244C030000FFFFFFFFmovdwordptr[esp+0000034C],FFFFFFFF
:004074C3E8765E0100call0041D33E
:004074C83BFBcmpedi,ebx
:004074CA0F849C000000je0040756C(此处若不跳,则可将错误的注册信息强制写入注册表)
:004074D08D742444leaesi,dwordptr[esp+44]
:004074D48D6C2430leaebp,dwordptr[esp+30]
=================================================================================
=========
在:0040749AE821D6FFFFcall00404AC0处按F8进入:
:00404AC064A100000000moveax,dwordptrfs:[00000000]
:00404AC66AFFpushFFFFFFFF
:00404AC86800414200push00424100
:00404ACD50pusheax
:00404ACE64892500000000movdwordptrfs:[00000000],esp
:00404AD553pushebx
:00404AD656pushesi
:00404AD78B442420moveax,dwordptr[esp+20]
:00404ADB8D542418leaedx,dwordptr[esp+18]
:00404ADF50pusheax
:00404AE051pushecx
:00404AE18BCCmovecx,esp
:00404AE389642428movdwordptr[esp+28],esp
:00404AE752pushedx
:00404AE8C744241C01000000mov[esp+1C],00000001
:00404AF0E8BE850100call0041D0B3
:00404AF58D442428leaeax,dwordptr[esp+28]
:00404AF950pusheax
:00404AFAE801260000call00407100(算注册码)
:00404AFF8B742428movesi,dwordptr[esp+28](将错误的注册码赋予esi)
:00404B038B00moveax,dwordptr[eax](将正确的注册码赋予eax)
:00404B0583C40Caddesp,0000000C(在此处deax看到真正的注册码)
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:00404B2A(C)
|
:00404B088A10movdl,byteptr[eax](取真码第一位)
:00404B0A8A1Emovbl,byteptr[esi](取假码第一位)
:00404B0C8ACAmovcl,dl(将真码第一位赋予cl)
:00404B0E3AD3cmpdl,bl(比较两值是否相同)
:00404B10751Ejne00404B30(不同就跳到00404B30,比较失败)
:00404B1284C9testcl,cl(测试cl是否为空,即判断是否已全部比较完)
:00404B147416je00404B2C(如果比较完毕,则跳到00404B2C)
:00404B168A5001movdl,byteptr[eax+01](取真码下一位)
:00404B198A5E01movbl,byteptr[esi+01](取假码下一位)
:00404B1C8ACAmovcl,dl
:00404B1E3AD3cmpdl,bl
:00404B20750Ejne00404B30(不同就跳到00404B30,比较失败)
:00404B2283C002addeax,00000002(去掉真码前两位,为下一轮比较做准备)
:00404B2583C602addesi,00000002(去掉假码前两位,为下一轮比较做准备)
:00404B2884C9testcl,cl(测试cl是否为空,即判断是否已全部比较完)
:00404B2A75DCjne00404B08(返回00404B08继续比较)
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:00404B14(C)
|
:00404B2C33C0xoreax,eax(注册码正确时,跳到此行)
:00404B2EEB05jmp00404B35
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:
|:00404B10(C),:00404B20(C)
|
:00404B301BC0sbbeax,eax(注册码错误时,跳到此行)
:00404B3283D8FFsbbeax,FFFFFFFF
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:00404B2E(U)
|
:00404B3585C0testeax,eax
:00404B370F94C0seteal
:00404B3A25FF000000andeax,000000FF
:00404B3F8D4C2420leaecx,dwordptr[esp+20]
:00404B438BF0movesi,eax(将eax的值赋予esi)
:00404B45E8F4870100call0041D33E
:00404B4A8D4C2418leaecx,dwordptr[esp+18]
:00404B4EC644241000mov[esp+10],00
:00404B53E8E6870100call0041D33E
:00404B588D4C241Cleaecx,dwordptr[esp+1C]
:00404B5CC7442410FFFFFFFFmov[esp+10],FFFFFFFF
:00404B64E8D5870100call0041D33E
:00404B698B4C2408movecx,dwordptr[esp+08]
:00404B6D8BC6moveax,esi(将esi的值赋予eax)
:00404B6F5Epopesi
:00404B7064890D00000000movdwordptrfs:[00000000],ecx
:00404B775Bpopebx
:00404B7883C40Caddesp,0000000C
:00404B7BC3ret
=================================================================================
=========
4、以下是对程序重新启动后的一些分析:
程序一开始有个欢迎提示框,提示是共享版还是注册版,可见在此之前已经判断了是否已经注册,所以目
的就是找出出现这个提示框的最后一个关键Call。
用trw2000载入,结合F10、F9、F6键就可找到这个Call(具体操作方法可参考我写的Acdsee4.0
的破解,在看雪论坛以我的注册名搜索就能找到)
:0041F76B8B06moveax,dwordptr[esi]
:0041F76D8BCEmovecx,esi
:0041F76FFF5050call[eax+50](此处是出现提示框,应该快接近核心了。即使判断错也没关系,可以继续
再试嘛!)
:0041F77285C0testeax,eax
:0041F7747515jne0041F78B
=================================================================================
=========
F8进入上面的Call,看到下面代码:
:004046D06AFFpushFFFFFFFF
:004046D268DD404200push004240DD
:004046D764A100000000moveax,dwordptrfs:[00000000]
……………………略去一些代码
*PossibleReferencetoDialog:
|
:004047A768D0E04200push0042E0D0
:004047AC8BCEmovecx,esi
:004047AEC68424F404000002movbyteptr[esp+000004F4],02
:004047B6E8DBDA0100call00422296
:004047BB8D4C2424leaecx,dwordptr[esp+24]
:004047BFC68424E404000001movbyteptr[esp+000004E4],01
:004047C7E8728B0100call0041D33E
:004047CC8D4C241Cleaecx,dwordptr[esp+1C]
:004047D0C68424E404000000movbyteptr[esp+000004E4],00
:004047D8E8618B0100call0041D33E
:004047DD8B5500movedx,dwordptr[ebp+00]
:004047E042incedx
:004047E152pushedx
:004047E2E8BC590000call0040A1A3
:004047E78BF8movedi,eax
:004047E98B442414moveax,dwordptr[esp+14]
:004047ED83C404addesp,00000004
:004047F0897C2418movdwordptr[esp+18],edi
:004047F485C0testeax,eax(判断是否将注册信息写入注册表,若无则eax=0)
:004047F6897C9C2Cmovdwordptr[esp+4*ebx+2C],edi
:004047FA7428je00404824
:004047FC8B4D00movecx,dwordptr[ebp+00]
:004047FF8BF0movesi,eax
:004048018BC1moveax,ecx
:00404803C1E902shrecx,02
:00404806F3repz
:00404807A5movsd
:004048088BC8movecx,eax
:0040480A83E103andecx,00000003
:0040480DF3repz
:0040480EA4movsb
:0040480F8B4C2410movecx,dwordptr[esp+10]
:pushecx
:00404814E88F880100call0041D0A8
:004048198B7C241Cmovedi,dwordptr[esp+1C]
:0040481D8B742424movesi,dwordptr[esp+24]
:C404addesp,00000004
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:004047FA(C)
|
:004048248B5500movedx,dwordptr[ebp+00]
:004048276A00push00000000
:pushedx
:0040482A57pushedi
:0040482BE8802A0000call004072B0
:004048308B4500moveax,dwordptr[ebp+00]
:C40Caddesp,0000000C
:incebx
:FB03cmpebx,00000003
:0040483AC6043800movbyteptr[eax+edi],00
:0040483E0F8C2FFFFFFFjl00404773
:004048448B0D58E74200movecx,dwordptr[0042E758]
:0040484A8B542430movedx,dwordptr[esp+30]
:0040484E894C2410movdwordptr[esp+10],ecx
:pushedx
:004048538D4C2414leaecx,dwordptr[esp+14]
:00404857E8DB8B0100call0041D437
:0040485C8B442434moveax,dwordptr[esp+34]
:004048606A19push00000019
:pushecx
:00404863C68424EC04000003movbyteptr[esp+000004EC],03
:0040486B8BCCmovecx,esp
:0040486D89642424movdwordptr[esp+24],esp
:pusheax
:00404872E839030000call00404BB0
:004048778B4C2434movecx,dwordptr[esp+34]
:0040487BC68424EC04000004movbyteptr[esp+000004EC],04
:pushecx
:004048848D4C2424leaecx,dwordptr[esp+24]
:00404888E823030000call00404BB0
:0040488D51pushecx
:0040488E8D4C241Cleaecx,dwordptr[esp+1C]
:004048928BD4movedx,esp
:2430movdwordptr[esp+30],esp
:pushecx
:pusheax
:0040489A52pushedx
:0040489BC68424FC04000005movbyteptr[esp+000004FC],05
:004048A3E8F48B0100call0041D49C
:004048A8C68424F004000006movbyteptr[esp+000004F0],06
:004048B0E80B020000call00404AC0(这里又调用00404AC0判断注册码,详细代码见上面)
:004048B583C40Caddesp,0000000C(经过分析可以知道,如果注册码正确,此出返回eax的值应该是1,
如果错误则返回0)
:004048B88D4C2418leaecx,dwordptr[esp+18]
:004048BCA3EC254300movdwordptr[004325EC],eax
:004048C1C68424E404000003movbyteptr[esp+000004E4],03
:004048C9E8708A0100call0041D33E
:004048CE8D4C2410leaecx,dwordptr[esp+10]
:004048D2C68424E404000000movbyteptr[esp+000004E4],00
:004048DAE85F8A0100call0041D33E
:004048DF8D7C242Cleaedi,dwordptr[esp+2C]
:004048E3BB03000000movebx,00000003
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:004048F7(C)
|
:004048E88B17movedx,dwordptr[edi]
:004048EA52pushedx
:004048EBE8CA570000call0040A0BA
:004048F083C404addesp,00000004
:004048F383C704addedi,00000004
:004048F64Bdecebx
:004048F775EFjne004048E8
:004048F9E822F5FFFFcall00403E20
:004048FE8BCEmovecx,esi
:00404900E85BF8FFFFcall00404160
:00404905A1EC254300moveax,dwordptr[004325EC]
:0040490A85C0testeax,eax
:0040490C0F8588000000jne0040499A
:004049128BCEmovecx,esi
:00404914E8C7FCFFFFcall004045E0(判断是否已过试用期)
:C0testeax,eax(未过,eax=0;已过,eax=1)
:0040491B747Dje0040499A
*PossibleReferencetoStringResourceID=00112:",o?q玱?▌?蜥
倻?
更多推荐
acdsee 注册码
- 上一篇: intel g2030
- 下一篇: 返回列表
发布评论