1. Tools: OD (OllyDbg), DEDE, PEiD, PE Explorer
2. Software: Audio Edit Magic
First run the program and try to register: an error message pops up!
So we already know which approaches to take. The F12 call-stack method works here; so does searching for strings, and so does setting bp MessageBoxExA. All three lead to the CALL that raises the error message.
1. The F12 method.
Load the program in OD, press F9 to run it, enter the registration details at the prompt and click OK. When the error box appears, press F12 to pause, then K to open the call-stack window. Double-click the entry for ae.005763E8 and you land on 005763E8 . E8 F37AF0FF call ae.0047DEE0, the error-message call. Now just find the start of this routine, 005761B0 . 55 push ebp, set a breakpoint there, and step through with F8 to find the registration code.
2. The string-search method.
Load the program in OD and search directly for the text shown in the error box. Double-click the string and you arrive at 005763E8 . E8 F37AF0FF call ae.0047DEE0, exactly where the F12 call-stack method took us. Again, find the routine's start, 005761B0 . 55 push ebp, set a breakpoint there, and step through with F8 to find the registration code.
3. The API-breakpoint method with MessageBoxExA. Type bp MessageBoxExA on the command line and press ENTER. Press F9 to run the program, enter the registration details and click OK; the debugger breaks at
77D5085C > 8BFF mov edi,edi ; breaks here
77D5085E 55 push ebp
77D5085F 8BEC mov ebp,esp
77D50861 6A FF push -1
77D50863 FF75 18 push dword ptr ss:[ebp+18]
77D50866 FF75 14 push dword ptr ss:[ebp+14]
77D50869 FF75 10 push dword ptr ss:[ebp+10]
77D5086C FF75 0C push dword ptr ss:[ebp+C]
77D5086F FF75 08 push dword ptr ss:[ebp+8]
77D50872 E8 8F5B0100 call user32.MessageBoxTimeoutA
77D50877 5D pop ebp
77D50878 C2 1400 retn 14
In the stack window: 0012EB2C 77D5082F /CALL to MessageBoxExA from user32.77D5082A. Follow it in the disassembler and you arrive at
77D5082A E8 2D000000 call user32.MessageBoxExA
77D5082F 5D pop ebp
Find the routine's start, 77D507EC 55 push ebp, and set a breakpoint there.
In the stack window: 0012EB48 0047DFCB return to ae.0047DFCB from <jmp.&user32.MessageBoxA>. Follow it in the disassembler and you arrive at
0047DFC6 |. E8 5D91F8FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0047DFCB |. 8945 F8 mov [local.2],eax
Find the routine's start, 0047DEE0 /$ 55 push ebp, and set a breakpoint there.
In the stack window: 0012EBCC 005763ED return to ae.005763ED from ae.0047DEE0. Follow it in the disassembler and you arrive at
005763E8 . E8 F37AF0FF call ae.0047DEE0 ; error message
005763ED . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005763F0 . 8B80 0C030000 mov eax,dword ptr ds:[eax+30C]
005763F6 . 8B10 mov edx,dword ptr ds:[eax]
005763F8 . FF92 C4000000 call dword ptr ds:[edx+C4]
005763FE > 33C0 xor eax,eax
00576400 . 5A pop edx
00576401 . 59 pop ecx
00576402 . 59 pop ecx
00576403 . 64:8910 mov dword ptr fs:[eax],edx
00576406 . 68 52645700 push ae.00576452
Looks familiar, doesn't it? Find the routine's start, 005761B0 . 55 push ebp: it is the very same start address the two methods above led to.
4. PEiD reports the program as Delphi, so PE Explorer or DEDE can also be used to locate the button-click event and from it the routine's start 77D507EC 55 push ebp.
5. bp GetWindowTextA can also be used to find the registration code.
6. The universal-breakpoint method (能断法) can also be used to find the registration code.
Here is the start of the program's registration routine:
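Whichever of the methods above gets you to the error-message CALL, the next step is the same: read the routine around it, find the compare, and find the conditional jump that chooses between the success path and the error path. The Python script below is an added example and is not part of the original post. It parses lines in the OllyDbg listing format used throughout the post (address, flow marker, opcode bytes, mnemonic and operands, optional ';' comment), resolves jump and call targets, and reports the "literal in EDX, compare CALL, conditional jump" pattern together with the calls made by the block the jump lands in. The embedded listing lines are a constructed subset copied from the post's own listing; the function names and the block-walk heuristic are our own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Union

# Constructed sample: a subset of the post's own listing lines, in the OllyDbg
# format used throughout. The selection and the comment texts are ours.
SAMPLE_LISTING = """\
00576295 > 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00576298 . BA 60645700 mov edx,ae.00576460 ; AEM59487560
0057629D . E8 92E3E8FF call ae.00404634
005762A2 . 0F85 FC000000 jnz ae.005763A4
005762A8 . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00576398 . C780 4C020000>mov dword ptr ds:[eax+24C],1
005763A2 . EB 5A jmp short ae.005763FE
005763A4 > 6A 40 push 40
005763E8 . E8 F37AF0FF call ae.0047DEE0 ; error message
005763ED . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005763F8 . FF92 C4000000 call dword ptr ds:[edx+C4]
005763FE > 33C0 xor eax,eax
0057644A . C3 retn
"""


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str
    comment: str = ""
    opbytes: list = field(default_factory=list)


MARKER = re.compile(r"^[.>/|$^\\]+$")                      # flow markers: . > /$ |. .^
BYTES = re.compile(r"^[0-9A-F]{2,}(?::[0-9A-F]{2,})?>?$")  # 8B45, 64:8910, 4C020000>
Target = Union[int, str, None]


def parse_line(line: str) -> Optional[Insn]:
    """Split one listing line into address, bytes, mnemonic, operands, comment."""
    code, _, comment = line.partition(";")
    code = re.sub(r">(?=[a-z])", "> ", code)      # un-fuse '4C020000>mov'
    tokens = code.split()
    if not tokens or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
        return None
    i = 1
    while i < len(tokens) and MARKER.match(tokens[i]):
        i += 1
    opbytes = []
    while i < len(tokens) and BYTES.match(tokens[i]):
        opbytes.append(tokens[i])
        i += 1
    if i == len(tokens):
        return None
    return Insn(int(tokens[0], 16), tokens[i], " ".join(tokens[i + 1:]),
                comment.strip(), opbytes)


def parse_listing(text: str) -> list:
    return [insn for insn in map(parse_line, text.splitlines()) if insn]


def branch_target(insn: Insn) -> Target:
    """Address (int) or symbolic name (str) a call/jump goes to; None if indirect."""
    if insn.mnemonic != "call" and not insn.mnemonic.startswith("j"):
        return None
    ops = insn.operands.replace("short ", "")
    m = re.search(r"\b[0-9A-F]{8}\b", ops)
    if m:
        return int(m.group(0), 16)
    if ops.startswith("<") or re.fullmatch(r"\w+\.\w+", ops):
        return ops
    return None


def is_conditional(insn: Insn) -> bool:
    return insn.mnemonic.startswith("j") and insn.mnemonic != "jmp"


def linear_block(insns: list, start: int) -> list:
    """Walk from `start` in address order until an unconditional jmp or retn."""
    by_addr = {i.addr: i for i in insns}
    out = []
    for addr in sorted(a for a in by_addr if a >= start):
        out.append(by_addr[addr])
        if by_addr[addr].mnemonic in ("jmp", "retn"):
            break
    return out


def trace_constant_check(insns: list) -> Optional[dict]:
    """Find 'mov edx,<literal> / call <compare> / jcc <target>' and list the calls
    the target block makes; the first annotated one is the message box."""
    ordered = sorted(insns, key=lambda i: i.addr)
    for a, b, c in zip(ordered, ordered[1:], ordered[2:]):
        if (a.mnemonic == "mov" and a.operands.startswith("edx,") and a.comment
                and b.mnemonic == "call" and is_conditional(c)):
            target = branch_target(c)
            if not isinstance(target, int):
                continue
            calls = [(i.addr, branch_target(i), i.comment)
                     for i in linear_block(insns, target) if i.mnemonic == "call"]
            return {"literal": a.comment.split()[0], "compare_call": branch_target(b),
                    "jump": c.addr, "error_block": target, "error_calls": calls}
    return None


if __name__ == "__main__":
    info = trace_constant_check(parse_listing(SAMPLE_LISTING))
    print(f"literal {info['literal']} compared by call {info['compare_call']:08X}; "
          f"jcc at {info['jump']:08X} -> block {info['error_block']:08X}")
    for addr, tgt, comment in info["error_calls"]:
        print(f"  {addr:08X} call {tgt if tgt is not None else '<indirect>'} {comment}")
```

The block walk is purely linear and stops only at an unconditional jmp or retn, so it also runs through the shared epilogue after the error path; the first annotated call is the one that matters. Symbolic targets such as user32.MessageBoxExA come back as strings, direct addresses as ints, and register-indirect calls as None.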
005761B0 . 55 push ebp
005761B1 . 8BEC mov ebp,esp
005761B3 . B9 08000000 mov ecx,8
005761B8 > 6A 00 push 0
005761BA . 6A 00 push 0
005761BC . 49 dec ecx
005761BD .^ 75 F9 jnz short ae.005761B8
005761BF . 53 push ebx
005761C0 . 8945 FC mov dword ptr ss:[ebp-4],eax
005761C3 . 33C0 xor eax,eax
005761C5 . 55 push ebp
005761C6 . 68 4B645700 push ae.0057644B
005761CB . 64:FF30 push dword ptr fs:[eax]
005761CE . 64:8920 mov dword ptr fs:[eax],esp
005761D1 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
005761D4 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005761D7 . 8B80 04030000 mov eax,dword ptr ds:[eax+304]
005761DD . E8 3675EEFF call ae.0045D718 ; reads the user-name input
005761E2 . 8B45 E8 mov eax,dword ptr ss:[ebp-18]
005761E5 . 8D55 F8 lea edx,dword ptr ss:[ebp-8]
005761E8 . E8 0727E9FF call ae.004088F4
005761ED . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
005761F0 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005761F3 . 8B80 08030000 mov eax,dword ptr ds:[eax+308]
005761F9 . E8 1A75EEFF call ae.0045D718 ; reads the UserCompany input
005761FE . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00576201 . 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00576204 . E8 EB26E9FF call ae.004088F4
00576209 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
0057620C . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0057620F . 8B80 0C030000 mov eax,dword ptr ds:[eax+30C]
00576215 . E8 FE74EEFF call ae.0045D718 ; reads the entered (fake) registration code
0057621A . 8B45 DC mov eax,dword ptr ss:[ebp-24]
0057621D . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00576220 . E8 CF26E9FF call ae.004088F4
00576225 . 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00576228 . 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0057622B . E8 5424E9FF call ae.00408684 ; checks whether a user name was entered
00576230 . 837D F8 00 cmp dword ptr ss:[ebp-8],0
00576234 . 75 5F jnz short ae.00576295
00576236 . 6A 40 push 40
00576238 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0057623B . 50 push eax
0057623C . A1 D8455800 mov eax,dword ptr ds:[5845D8]
00576241 . 8B00 mov eax,dword ptr ds:[eax]
00576243 . 8945 D0 mov dword ptr ss:[ebp-30],eax
00576246 . C645 D4 0B mov byte ptr ss:[ebp-2C],0B
0057624A . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0057624D . A1 74425800 mov eax,dword ptr ds:[584274]
00576252 . 8B00 mov eax,dword ptr ds:[eax]
00576254 . 33C9 xor ecx,ecx
00576256 . E8 3939E9FF call ae.00409B94
0057625B . 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0057625E . E8 85E4E8FF call ae.004046E8
00576263 . 50 push eax
00576264 . A1 DC4D5800 mov eax,dword ptr ds:[584DDC]
00576269 . 8B00 mov eax,dword ptr ds:[eax]
0057626B . E8 78E4E8FF call ae.004046E8
00576270 . 8BC8 mov ecx,eax
00576272 . A1 F84A5800 mov eax,dword ptr ds:[584AF8]
00576277 . 8B00 mov eax,dword ptr ds:[eax]
00576279 . 5A pop edx
0057627A . E8 617CF0FF call ae.0047DEE0
0057627F . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00576282 . 8B80 04030000 mov eax,dword ptr ds:[eax+304]
00576288 . 8B10 mov edx,dword ptr ds:[eax]
0057628A . FF92 C4000000 call dword ptr ds:[edx+C4]
00576290 . E9 69010000 jmp ae.005763FE
00576295 > 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; the entered (fake) code goes into EAX
00576298 . BA 60645700 mov edx,ae.00576460 ; AEM59487560, the real code, goes into EDX
0057629D . E8 92E3E8FF call ae.00404634 ; this CALL compares the fake code with the real one
005762A2 . 0F85 FC000000 jnz ae.005763A4 ; this jump leads to the error message and must not be taken
005762A8 . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
005762AB . A1 F84A5800 mov eax,dword ptr ds:[584AF8]
005762B0 . 8B00 mov eax,dword ptr ds:[eax]
005762B2 . E8 A980F0FF call ae.0047E360
005762B7 . 8B45 C8 mov eax,dword ptr ss:[ebp-38]
005762BA . 8D55 CC lea edx,dword ptr ss:[ebp-34]
005762BD . E8 0630E9FF call ae.004092C8
005762C2 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
005762C5 . BA 74645700 mov edx,ae.00576474 ; Set.dll: when the code is valid, this file is created
005762CA . E8 21E2E8FF call ae.004044F0
005762CF . 8B4D CC mov ecx,dword ptr ss:[ebp-34] ; C:\Program Files\Audio Edit Magic\Set.dll
005762D2 . B2 01 mov dl,1
005762D4 . A1 30E54300 mov eax,dword ptr ds:[43E530]
005762D9 . E8 0283ECFF call ae.0043E5E0
005762DE . 8945 EC mov dword ptr ss:[ebp-14],eax
005762E1 . 33C0 xor eax,eax
005762E3 . 55 push ebp
005762E4 . 68 45635700 push ae.00576345
005762E9 . 64:FF30 push dword ptr fs:[eax]
005762EC . 64:8920 mov dword ptr fs:[eax],esp
005762EF . 6A 01 push 1
005762F1 . B9 84645700 mov ecx,ae.00576484 ; IsRegistered
005762F6 . BA 9C645700 mov edx,ae.0057649C ; RegisterSec
005762FB . 8B45 EC mov eax,dword ptr ss:[ebp-14]
005762FE . 8B18 mov ebx,dword ptr ds:[eax]
00576300 . FF53 14 call dword ptr ds:[ebx+14] ; writes the registration info to Set.dll
00576303 . 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00576306 . 50 push eax
00576307 . BA 9C645700 mov edx,ae.0057649C ; RegisterSec
0057630C . B9 B0645700 mov ecx,ae.005764B0 ; UserName
00576311 . 8B45 EC mov eax,dword ptr ss:[ebp-14]
00576314 . 8B18 mov ebx,dword ptr ds:[eax]
00576316 . FF53 04 call dword ptr ds:[ebx+4] ; writes the registration info to Set.dll
00576319 . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0057631C . 50 push eax
0057631D . BA 9C645700 mov edx,ae.0057649C ; RegisterSec
00576322 . B9 C4645700 mov ecx,ae.005764C4 ; UserCompany
00576327 . 8B45 EC mov eax,dword ptr ss:[ebp-14]
0057632A . 8B18 mov ebx,dword ptr ds:[eax]
0057632C . FF53 04 call dword ptr ds:[ebx+4] ; writes the registration info to Set.dll
0057632F . 33C0 xor eax,eax
00576331 . 5A pop edx
00576332 . 59 pop ecx
00576333 . 59 pop ecx
00576334 . 64:8910 mov dword ptr fs:[eax],edx
00576337 . 68 4C635700 push ae.0057634C
0057633C > 8B45 EC mov eax,dword ptr ss:[ebp-14]
0057633F . E8 8CD0E8FF call ae.004033D0
00576344 . C3 retn
00576345 .^ E9 1AD8E8FF jmp ae.00403B64
0057634A .^ EB F0 jmp short ae.0057633C
0057634C . 6A 40 push 40
0057634E . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00576351 . 50 push eax
00576352 . A1 044B5800 mov eax,dword ptr ds:[584B04]
00576357 . 8B00 mov eax,dword ptr ds:[eax]
00576359 . 8945 D0 mov dword ptr ss:[ebp-30],eax
0057635C . C645 D4 0B mov byte ptr ss:[ebp-2C],0B
00576360 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00576363 . A1 DC4E5800 mov eax,dword ptr ds:[584EDC]
00576368 . 8B00 mov eax,dword ptr ds:[eax]
0057636A . 33C9 xor ecx,ecx
0057636C . E8 2338E9FF call ae.00409B94
00576371 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
00576374 . E8 6FE3E8FF call ae.004046E8
00576379 . 50 push eax
0057637A . A1 30485800 mov eax,dword ptr ds:[584830]
0057637F . 8B00 mov eax,dword ptr ds:[eax]
00576381 . E8 62E3E8FF call ae.004046E8
00576386 . 8BC8 mov ecx,eax
00576388 . A1 F84A5800 mov eax,dword ptr ds:[584AF8]
0057638D . 8B00 mov eax,dword ptr ds:[eax]
0057638F . 5A pop edx
00576390 . E8 4B7BF0FF call ae.0047DEE0
00576395 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00576398 . C780 4C020000>mov dword ptr ds:[eax+24C],1
005763A2 . EB 5A jmp short ae.005763FE
005763A4 > 6A 40 push 40
005763A6 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
005763A9 . 50 push eax
005763AA . A1 D8455800 mov eax,dword ptr ds:[5845D8]
005763AF . 8B00 mov eax,dword ptr ds:[eax]
005763B1 . 8945 D0 mov dword ptr ss:[ebp-30],eax
005763B4 . C645 D4 0B mov byte ptr ss:[ebp-2C],0B
005763B8 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
005763BB . A1 74425800 mov eax,dword ptr ds:[584274]
005763C0 . 8B00 mov eax,dword ptr ds:[eax]
005763C2 . 33C9 xor ecx,ecx
005763C4 . E8 CB37E9FF call ae.00409B94
005763C9 . 8B45 C0 mov eax,dword ptr ss:[ebp-40]
005763CC . E8 17E3E8FF call ae.004046E8
005763D1 . 50 push eax
005763D2 . A1 DC4D5800 mov eax,dword ptr ds:[584DDC]
005763D7 . 8B00 mov eax,dword ptr ds:[eax]
005763D9 . E8 0AE3E8FF call ae.004046E8
005763DE . 8BC8 mov ecx,eax
005763E0 . A1 F84A5800 mov eax,dword ptr ds:[584AF8]
005763E5 . 8B00 mov eax,dword ptr ds:[eax]
005763E7 . 5A pop edx
005763E8 . E8 F37AF0FF call ae.0047DEE0 ; error message
005763ED . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005763F0 . 8B80 0C030000 mov eax,dword ptr ds:[eax+30C]
005763F6 . 8B10 mov edx,dword ptr ds:[eax]
005763F8 . FF92 C4000000 call dword ptr ds:[edx+C4]
005763FE > 33C0 xor eax,eax
00576400 . 5A pop edx
00576401 . 59 pop ecx
00576402 . 59 pop ecx
00576403 . 64:8910 mov dword ptr fs:[eax],edx
00576406 . 68 52645700 push ae.00576452
0057640B > 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0057640E . BA 04000000 mov edx,4
00576413 . E8 24DEE8FF call ae.0040423C
00576418 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0057641B . E8 F8DDE8FF call ae.00404218
00576420 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
00576423 . E8 F0DDE8FF call ae.00404218
00576428 . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
0057642B . E8 E8DDE8FF call ae.00404218
00576430 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00576433 . BA 02000000 mov edx,2
00576438 . E8 FFDDE8FF call ae.0040423C
0057643D . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00576440 . BA 03000000 mov edx,3
00576445 . E8 F2DDE8FF call ae.0040423C
0057644A . C3 retn
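Seen from the defender's side, the routine above boils down to three weaknesses: a single literal serial lives in the binary, an ordinary string compare decides, and the outcome is persisted as a bare IsRegistered=1 flag in a plaintext file that the program trusts on its next start. The Python below is an added example, not the program's code: it puts that weak pattern beside a username-bound alternative (serial derived with HMAC-SHA256 from the user name, compared in constant time, and re-verified from the stored inputs at startup instead of trusting a flag). The section name RegisterSec and the keys IsRegistered, UserName and UserCompany come from the listing; the serial format, the Serial key, the placeholder literal and VENDOR_SECRET are constructed for the example. One limit remains and is deliberate in the comments: an HMAC secret shipped inside the client can be recovered from it, so a shipping product should verify an asymmetric signature and embed only the public key.

```python
import configparser
import hashlib
import hmac
from io import StringIO

# ---- Weak pattern, as the listing shows it --------------------------------
# One literal serial in the binary (constructed placeholder, not the program's
# real value), plain equality, and a flag in an INI-style file that the next
# start trusts without re-checking anything.
HARDCODED_SERIAL = "AEM-EXAMPLE-SERIAL"


def weak_check(entered: str) -> bool:
    return entered == HARDCODED_SERIAL


def weak_persist(username: str) -> str:
    """Write the state the listing stores: [RegisterSec] IsRegistered / UserName."""
    cfg = configparser.ConfigParser()
    cfg["RegisterSec"] = {"IsRegistered": "1", "UserName": username}
    buf = StringIO()
    cfg.write(buf)
    return buf.getvalue()


def weak_is_registered(ini_text: str) -> bool:
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    # The flag alone decides: user-writable state is treated as trusted state.
    return cfg.get("RegisterSec", "IsRegistered", fallback="0") == "1"


# ---- Username-bound alternative --------------------------------------------
# Assumption: a vendor key. Inside an offline client it is still extractable,
# which is why a real product should use a signature scheme with only the
# public key embedded; the structure of the check is what this shows.
VENDOR_SECRET = b"constructed-demo-secret"


def _normalize(username: str) -> str:
    return " ".join(username.split()).lower()


def expected_serial(username: str, secret: bytes = VENDOR_SECRET) -> str:
    """Serial = 'AEM-' + 20 hex chars of HMAC-SHA256(secret, normalized user name)."""
    tag = hmac.new(secret, _normalize(username).encode(), hashlib.sha256).hexdigest()
    tag = tag[:20].upper()
    return "AEM-" + "-".join(tag[i:i + 5] for i in range(0, 20, 5))


def hardened_check(username: str, entered: str, secret: bytes = VENDOR_SECRET) -> bool:
    """Constant-time compare; the serial is only valid together with its user name."""
    expected = expected_serial(username, secret).encode()
    return hmac.compare_digest(expected, entered.strip().upper().encode())


def hardened_persist(username: str, serial: str) -> str:
    """Store only the inputs; there is no 'registered' flag to be trusted."""
    cfg = configparser.ConfigParser()
    cfg["RegisterSec"] = {"UserName": username, "Serial": serial}
    buf = StringIO()
    cfg.write(buf)
    return buf.getvalue()


def hardened_is_registered(ini_text: str, secret: bytes = VENDOR_SECRET) -> bool:
    """Re-run the check from the stored inputs on every start."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    user = cfg.get("RegisterSec", "UserName", fallback="")
    serial = cfg.get("RegisterSec", "Serial", fallback="")
    return bool(user) and hardened_check(user, serial, secret)


if __name__ == "__main__":
    print("weak: flag-only file accepted:",
          weak_is_registered("[RegisterSec]\nIsRegistered = 1\n"))
    s = expected_serial("Alice")
    print("hardened: serial for Alice:", s)
    print("hardened: same serial for Bob accepted:", hardened_check("Bob", s))
    print("hardened: flag-only file accepted:",
          hardened_is_registered("[RegisterSec]\nIsRegistered = 1\n"))
```

The two persist/load pairs make the design point concrete: the weak loader answers True for any file containing the flag, while the hardened loader has no flag to read and must recompute the check from the user name and serial, so the stored file carries no authority of its own.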