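Cracking tools: language2k
Wdsm32 v.10
Keymake version 1.73
The cracking process follows; take your time reading.
1. First, scanning with language2k shows that the software is not packed and that it is a program written in Delphi.
2. Load the software in the enhanced edition of Wdsm32 v.10: press Ctrl+G and click "Load". Once it is open, find "Refs" on the toolbar and choose "String Data References". Among the string references is "多谢你的支持,软件已成功注册,请重启软件!" ("Thank you for your support, the software has been registered successfully, please restart the software!"); double-clicking it shows the following code: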
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCD30(C)
|
:004BCD4C 8D55EC lea edx, dword ptr [ebp-14]
:004BCD4F 8B8328030000 mov eax, dword ptr [ebx+00000328]
:004BCD55 E8E23BF7FF call 0043093C
:004BCD5A 8B45EC mov eax, dword ptr [ebp-14]
:004BCD5D 8D55F8 lea edx, dword ptr [ebp-08]
:004BCD60 E80BBCF4FF call 00408970
:004BCD65 8D55E8 lea edx, dword ptr [ebp-18]
:004BCD68 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004BCD6E E8C93BF7FF call 0043093C
:004BCD73 8B45E8 mov eax, dword ptr [ebp-18]
:004BCD76 8D55F4 lea edx, dword ptr [ebp-0C]
:004BCD79 E8F2BBF4FF call 00408970
:004BCD7E 8D55E4 lea edx, dword ptr [ebp-1C]
:004BCD81 8B45F8 mov eax, dword ptr [ebp-08]
:004BCD84 E867130200 call 004DE0F0
:004BCD89 8B45E4 mov eax, dword ptr [ebp-1C]
:004BCD8C 8B55F4 mov edx, dword ptr [ebp-0C]
:004BCD8F E8A471F4FF call 00403F38 ← key CALL
:004BCD94 0F8588000000 jne 004BCE22 ← key jump
:004BCD9A B201 mov dl, 01
:004BCD9C A1B0944700 mov eax, dword ptr [004794B0]
:004BCDA1 E80AC8FBFF call 004795B0
:004BCDA6 8BF0 mov esi, eax
:004BCDA8 BA02000080 mov edx, 80000002
:004BCDAD 8BC6 mov eax, esi
:004BCDAF E89CC8FBFF call 00479650
:004BCDB4 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"SOFTWARE\LuRen\Lottery"
|
:004BCDB6 BAC8CE4B00 mov edx, 004BCEC8
:004BCDBB 8BC6 mov eax, esi
:004BCDBD E8F6C8FBFF call 004796B8
:004BCDC2 84C0 test al, al
:004BCDC4 7471 je 004BCE37
:004BCDC6 8D55DC lea edx, dword ptr [ebp-24]
:004BCDC9 8B8318030000 mov eax, dword ptr [ebx+00000318]
:004BCDCF E8683BF7FF call 0043093C
:004BCDD4 8B45DC mov eax, dword ptr [ebp-24]
:004BCDD7 8D55E0 lea edx, dword ptr [ebp-20]
:004BCDDA E891BBF4FF call 00408970
:004BCDDF 8B4DE0 mov ecx, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->"Email"
|
:004BCDE2 BAE8CE4B00 mov edx, 004BCEE8
:004BCDE7 8BC6 mov eax, esi
:004BCDE9 E80ECDFBFF call 00479AFC
:004BCDEE 8B4DF4 mov ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"Register No"
|
:004BCDF1 BAF8CE4B00 mov edx, 004BCEF8
:004BCDF6 8BC6 mov eax, esi
:004BCDF8 E8FFCCFBFF call 00479AFC
:004BCDFD 8BC6 mov eax, esi
:004BCDFF E81CC8FBFF call 00479620
:004BCE04 6A00 push 00000000
:004BCE06 668B0D9CCE4B00 mov cx, word ptr [004BCE9C]
:004BCE0D B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"多谢你的支持,软件已成功注册,请重启软件!"
|
:004BCE0F B80CCF4B00 mov eax, 004BCF0C ← the highlighted line is here!
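4. Click on 004BCD8F to place the cursor there, press F2 to set a breakpoint, then press F9 to run the software. In the registration window, enter 12345@163.com as the registration e-mail and click the "生成序号" (generate serial) button; the software then generates a software serial number. Mine is: 01-3070396-3-261580-13. Enter 1212121212 as the registration code and click the "软件注册" (register software) button; the program is stopped at the breakpoint.
5. In the data display window, click eax to see what the small window holds: the real registration code is sitting right there. Mine is: w>]_INNXYdahrsnxvmtr=C>>EJ`. Then click edx to take a look: this is the fake registration code that was entered, 1212121212.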
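The compare at 004BCD8F receives the correct code in eax because the program derives it locally before comparing. As an added example (not from the original post or from the program itself), this Python sketch contrasts that pattern with a signature-based check in which the client holds only a public key. The key values, the function names and the "hypothetical-secret" derivation are assumptions constructed for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes: constructed for this example and
# far too small for real use (a vetted RSA-2048+ or Ed25519 library belongs here).
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key: the only part shipped to users
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: vendor side only, shown here
                                         # so the example runs end to end


def _digest(serial: str) -> int:
    """Hash the machine serial into an integer below N."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


def weak_check(serial: str, entered: str) -> bool:
    """Pattern seen in the listing: derive the expected code locally, then compare.
    `expected` sits in process memory at the compare, which is what eax exposed."""
    expected = hashlib.sha256(b"hypothetical-secret" + serial.encode()).hexdigest()[:26]
    return expected == entered


def vendor_issue_code(serial: str) -> str:
    """Vendor side only: sign the serial with the private exponent."""
    return format(pow(_digest(serial), D, N), "x")


def signed_check(serial: str, entered: str) -> bool:
    """Client side: verify with the public key; no valid code is ever computed here."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False                     # malformed input is simply rejected
    return 0 <= sig < N and pow(sig, E, N) == _digest(serial)
```

A signature check removes the in-memory expected value, but its result still feeds a conditional branch like the jne at 004BCD94, so it needs to be paired with integrity protection of the binary.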