发表于:
2005-7-23 15:32
[原创]破解Quick Screen Recorder
【破解作者】 yijun
【作者邮箱】 yijun8354@sina.com
【使用工具】 OD,PEID
【破解平台】 WinXP
【软件名称】 Quick Screen Recorder
【下载地址】 天空
【软件简介】 Etrusoft Quick Screen Recorder is a tool used for recording screen activity into standard AVI video files. If you move the cursor, launch a new program, type some text, click a few buttons, or select some menus -- anything that you see on your screen -- Quick Screen Recorder will be able to record all these and allow you to play them back later on.
【软件大小】 540K
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
用PEID查壳可知该软件无壳,由Microsoft Visual C++ 6.0编写。用OD载入后很容易来到以下地方:
; Excerpt from the routine in qsr that handles the registration input, as
; listed by OllyDbg (columns: address, opcode bytes, instruction).
; The listing starts inside the function: EBX and the stack frame released at
; 00404CC4 / 00404D48 are set up before 00404C69, and the jump targets
; 00404D49 and 00404DEC are not shown. The callees are not shown either; the
; roles given for them are the author's annotations or are marked as assumptions.
00404C69  55                push ebp  ; author: set the breakpoint here
00404C6A  56                push esi
00404C6B  57                push edi
; EBP keeps the incoming ECX; it is copied back into ECX before both calls to 0042D175.
00404C6C  8BE9              mov ebp,ecx
00404C6E  6A 01             push 1
00404C70  E8 7C910200       call qsr.0042DDF1  ; author: fetches the user name
; EDI -> field at [ebp+60]. The author treats it as the registration code.
00404C75  8D7D 60           lea edi,dword ptr ss:[ebp+60]
00404C78  8BCF              mov ecx,edi
00404C7A  E8 FA3E0200       call qsr.00428B79  ; author: fetches the registration code
00404C7F  8BCF              mov ecx,edi
00404C81  E8 A73E0200       call qsr.00428B2D
; ESI -> field at [ebp+64]. The author treats it as the user name.
00404C86  8D75 64           lea esi,dword ptr ss:[ebp+64]
00404C89  8BCE              mov ecx,esi
00404C8B  E8 E93E0200       call qsr.00428B79  ; author: user name goes to EAX
00404C90  8BCE              mov ecx,esi
00404C92  E8 963E0200       call qsr.00428B2D
; The dword 8 bytes below the string data is compared with 2.
; NOTE(review): presumably the string's length field - confirm.
00404C97  8B06              mov eax,dword ptr ds:[esi]
00404C99  8378 F8 02        cmp dword ptr ds:[eax-8],2
00404C9D  7D 26             jge short qsr.00404CC5  ; at least 2 -> continue at 00404CC5
; Otherwise report the missing name and return.
00404C9F  6A 40             push 40
00404CA1  68 3CE54500       push qsr.0045E53C  ; ASCII "Quick Screen Recorder"
00404CA6  68 24E54500       push qsr.0045E524  ; ASCII "Please input your name."
00404CAB  8BCD              mov ecx,ebp
00404CAD  E8 C3840200       call qsr.0042D175
; Write the saved value back to fs:[0], restore the registers and return.
00404CB2  8B4C24 1C         mov ecx,dword ptr ss:[esp+1C]
00404CB6  64:890D 0000000>  mov dword ptr fs:[0],ecx
00404CBD  5F                pop edi
00404CBE  5E                pop esi
00404CBF  5D                pop ebp
00404CC0  5B                pop ebx
00404CC1  83C4 18           add esp,18
00404CC4  C3                retn
; Name accepted. A non-zero byte at [ebp+5C] diverts to 00404DEC (not shown);
; the meaning of that byte is not visible in this excerpt.
00404CC5  8A45 5C           mov al,byte ptr ss:[ebp+5C]
00404CC8  84C0              test al,al
00404CCA  0F85 1C010000     jnz qsr.00404DEC
00404CD0  8D4C24 14         lea ecx,dword ptr ss:[esp+14]
00404CD4  E8 87E3FFFF       call qsr.00403060
; Two stack slots are reserved with `push ecx`; each is passed in ECX to
; 0042F200 together with ESI / EDI as the pushed argument.
; NOTE(review): the author reads these calls as "is it 0" tests; the pattern
; looks more like copying each string into its argument slot for 004030A0 - confirm.
00404CD9  51                push ecx
00404CDA  C74424 28 00000>  mov dword ptr ss:[esp+28],0
00404CE2  8BCC              mov ecx,esp
00404CE4  896424 14         mov dword ptr ss:[esp+14],esp
00404CE8  56                push esi
00404CE9  E8 12A50200       call qsr.0042F200  ; author: tests whether the user name is 0
00404CEE  51                push ecx
00404CEF  C64424 2C 01      mov byte ptr ss:[esp+2C],1
00404CF4  8BCC              mov ecx,esp
00404CF6  896424 20         mov dword ptr ss:[esp+20],esp
00404CFA  57                push edi
00404CFB  E8 00A50200       call qsr.0042F200  ; author: tests whether the registration code is 0
00404D00  8D4C24 1C         lea ecx,dword ptr ss:[esp+1C]
00404D04  C64424 2C 00      mov byte ptr ss:[esp+2C],0
00404D09  E8 92E3FFFF       call qsr.004030A0  ; author: the key call, step into it
; The result of 004030A0 comes back in AL.
00404D0E  84C0              test al,al  ; author: AL = 1 when both comparisons inside 004030A0 matched
00404D10  75 37             jnz short qsr.00404D49  ; author: AL = 1 means the registration succeeded
; AL = 0: report the wrong key and return.
00404D12  6A 40             push 40
00404D14  68 3CE54500       push qsr.0045E53C  ; ASCII "Quick Screen Recorder"
00404D19  68 DCE44500       push qsr.0045E4DC  ; ASCII "Sorry, your registration key is wrong. Please check it and try again."
00404D1E  8BCD              mov ecx,ebp
00404D20  E8 50840200       call qsr.0042D175
00404D25  8D4C24 14         lea ecx,dword ptr ss:[esp+14]
00404D29  C74424 24 FFFFF>  mov dword ptr ss:[esp+24],-1
00404D31  E8 5AE3FFFF       call qsr.00403090
00404D36  8B4C24 1C         mov ecx,dword ptr ss:[esp+1C]
00404D3A  64:890D 0000000>  mov dword ptr fs:[0],ecx
00404D41  5F                pop edi
00404D42  5E                pop esi
00404D43  5D                pop ebp
00404D44  5B                pop ebx
00404D45  83C4 18           add esp,18
00404D48  C3                retn
*********************************************************************************************************************************************************
跟进00404D09处CALL来到:
; qsr.004030A0 - the check called from 00404D09 (OllyDbg listing: address,
; opcode bytes, instruction). This part covers entry, local setup and the two
; length tests. The function returns with `retn 8` at 0040353F, so it takes
; two dword stack arguments; once the prologue has run they sit at [esp+44]
; and [esp+48]. Callees are not shown.
; The first four instructions push -1 and a handler address and link a new
; record into fs:[0].
004030A0  6A FF             push -1  ; author: single-step (F8) from here
004030A2  68 C88F4400       push qsr.00448FC8
004030A7  64:A1 00000000    mov eax,dword ptr fs:[0]
004030AD  50                push eax
004030AE  64:8925 0000000>  mov dword ptr fs:[0],esp
004030B5  83EC 24           sub esp,24
004030B8  53                push ebx
004030B9  55                push ebp
004030BA  56                push esi
004030BB  57                push edi
; The 62-character table is handed to 0042F4F9 with ECX -> local at [esp+20]
; (written [esp+24] here because of the pending push).
004030BC  68 28E24500       push qsr.0045E228  ; ASCII "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
004030C1  8D4C24 24         lea ecx,dword ptr ss:[esp+24]
; [esp+40] here is the slot that received the -1 pushed at 004030A0; after the
; call it is addressed as [esp+3C] and is rewritten throughout the function.
004030C5  C74424 40 01000>  mov dword ptr ss:[esp+40],1
004030CD  E8 27C40200       call qsr.0042F4F9
004030D2  A1 38F44500       mov eax,dword ptr ds:[45F438]
004030D7  894424 2C         mov dword ptr ss:[esp+2C],eax
004030DB  8D4C24 48         lea ecx,dword ptr ss:[esp+48]
004030DF  C64424 3C 03      mov byte ptr ss:[esp+3C],3
; Both arguments go through the same pair of calls (00428B79, 00428B2D) that
; the caller applied to its two fields at 00404C7A-00404C92.
004030E4  E8 905A0200       call qsr.00428B79
004030E9  8D4C24 48         lea ecx,dword ptr ss:[esp+48]
004030ED  E8 3B5A0200       call qsr.00428B2D
004030F2  8D4C24 44         lea ecx,dword ptr ss:[esp+44]
004030F6  E8 7E5A0200       call qsr.00428B79
004030FB  8D4C24 44         lea ecx,dword ptr ss:[esp+44]
004030FF  E8 295A0200       call qsr.00428B2D
; Length tests on the dword 8 bytes below each string pointer.
; NOTE(review): presumably the string length field - confirm.
00403104  8B4C24 48         mov ecx,dword ptr ss:[esp+48]
00403108  8B41 F8           mov eax,dword ptr ds:[ecx-8]
0040310B  83F8 02           cmp eax,2
0040310E  0F8C 4F030000     jl qsr.00403463  ; author: user name shorter than 2 -> reject
00403114  8B5424 44         mov edx,dword ptr ss:[esp+44]
00403118  837A F8 18        cmp dword ptr ds:[edx-8],18
0040311C  0F85 41030000     jnz qsr.00403463  ; author: registration code length != 18h (24) -> reject
; qsr.004030A0, part 2 (00403122-004031F9): builds a four-digit string from the
; user name. Two values are obtained from the user name ([esp+48]) through
; 004286F6 / 0042867A and 00428790 (ECX -> the character-table local at
; [esp+20]); each has 0Ah added and is reduced modulo 3Eh. Four remainders
; modulo 0Ah are then formatted with "%d%d%d%d" into the local at [esp+28].
; Callees are not shown; their roles are inferred from how results are used.
00403122  8D4424 30         lea eax,dword ptr ss:[esp+30]
00403126  6A 01             push 1
00403128  50                push eax
00403129  8D4C24 50         lea ecx,dword ptr ss:[esp+50]  ; two pushes pending: this is the [esp+48] argument
0040312D  E8 C4550200       call qsr.004286F6
00403132  8B00              mov eax,dword ptr ds:[eax]
00403134  8D4C24 20         lea ecx,dword ptr ss:[esp+20]
00403138  50                push eax
00403139  C64424 40 04      mov byte ptr ss:[esp+40],4
0040313E  E8 4D560200       call qsr.00428790
00403143  8D4C24 30         lea ecx,dword ptr ss:[esp+30]
00403147  8BF0              mov esi,eax  ; keep the result of 00428790
00403149  C64424 3C 03      mov byte ptr ss:[esp+3C],3
0040314E  E8 38C30200       call qsr.0042F48B  ; NOTE(review): looks like cleanup of the temporary at [esp+30] - confirm
; EDX = (ESI + 0Ah) mod 3Eh; CDQ sign-extends EAX into EDX before the signed divide.
00403153  8D46 0A           lea eax,dword ptr ds:[esi+A]
00403156  B9 3E000000       mov ecx,3E
0040315B  99                cdq
0040315C  F7F9              idiv ecx
0040315E  6A 01             push 1
00403160  8D4C24 4C         lea ecx,dword ptr ss:[esp+4C]  ; one push pending: the [esp+48] argument again
00403164  8BF2              mov esi,edx  ; ESI = first reduced value
00403166  8D5424 34         lea edx,dword ptr ss:[esp+34]
0040316A  52                push edx
0040316B  E8 0A550200       call qsr.0042867A
00403170  8B00              mov eax,dword ptr ds:[eax]
00403172  8D4C24 20         lea ecx,dword ptr ss:[esp+20]
00403176  50                push eax
00403177  C64424 40 05      mov byte ptr ss:[esp+40],5
0040317C  E8 0F560200       call qsr.00428790
00403181  8D4C24 30         lea ecx,dword ptr ss:[esp+30]
00403185  8BF8              mov edi,eax
00403187  C64424 3C 03      mov byte ptr ss:[esp+3C],3
0040318C  E8 FAC20200       call qsr.0042F48B
; EDX = (EDI + 0Ah) mod 3Eh, the second reduced value (moved to ECX below).
00403191  8D47 0A           lea eax,dword ptr ds:[edi+A]
00403194  B9 3E000000       mov ecx,3E
00403199  99                cdq
0040319A  F7F9              idiv ecx
; The dword at 45F438 is stored into six locals ([esp+10]..[esp+28]).
; NOTE(review): presumably initialises six empty strings - confirm.
0040319C  A1 38F44500       mov eax,dword ptr ds:[45F438]
004031A1  894424 28         mov dword ptr ss:[esp+28],eax
004031A5  8BCA              mov ecx,edx
004031A7  894424 24         mov dword ptr ss:[esp+24],eax
004031AB  894424 1C         mov dword ptr ss:[esp+1C],eax
004031AF  894424 18         mov dword ptr ss:[esp+18],eax
004031B3  894424 14         mov dword ptr ss:[esp+14],eax
004031B7  894424 10         mov dword ptr ss:[esp+10],eax
; Four remainders modulo 0Ah are pushed as the %d arguments (pushed last =
; printed first).
004031BB  8BC1              mov eax,ecx
004031BD  BF 0A000000       mov edi,0A
004031C2  99                cdq
004031C3  F7FF              idiv edi
004031C5  8BC1              mov eax,ecx
004031C7  B3 0B             mov bl,0B
004031C9  0FAFC1            imul eax,ecx
004031CC  8BCF              mov ecx,edi
004031CE  885C24 3C         mov byte ptr ss:[esp+3C],bl
004031D2  52                push edx
004031D3  99                cdq
004031D4  F7F9              idiv ecx
004031D6  8D04F5 00000000   lea eax,dword ptr ds:[esi*8]
004031DD  2BC6              sub eax,esi
004031DF  52                push edx
004031E0  99                cdq
004031E1  F7F9              idiv ecx
004031E3  8BC6              mov eax,esi
004031E5  52                push edx
004031E6  99                cdq
004031E7  F7F9              idiv ecx
004031E9  52                push edx
004031EA  8D5424 38         lea edx,dword ptr ss:[esp+38]  ; four pushes pending: the local at [esp+28]
004031EE  68 1CE24500       push qsr.0045E21C  ; ASCII "%d%d%d%d"
004031F3  52                push edx
004031F4  E8 D8580200       call qsr.00428AD1  ; author: yields a 4-digit number from the user name; for the author's name it is 4893
004031F9  83C4 18           add esp,18  ; drop the six dwords pushed for 00428AD1
; qsr.004030A0, part 3 (004031FC-004032DC): the same three-call sequence is
; repeated five times on the registration code ([esp+44], written [esp+50]
; while three pushes are pending). 004285E4 receives a destination temporary
; ([esp+30]), an offset (0, 5, 0Ah, 0Fh, 14h) and the count 4; 0042F5C4 stores
; the result into one local per group ([esp+24], [esp+1C], [esp+18], [esp+14],
; [esp+10]); 0042F48B is then called on the temporary.
; NOTE(review): this looks like substring / assign / destroy on string
; objects - callees are not shown, confirm.
; The offsets skip positions 4, 9, 14 and 19 of the code.
; Group 1: offset 0 -> local [esp+24]
004031FC  6A 04             push 4
004031FE  8D4424 34         lea eax,dword ptr ss:[esp+34]
00403202  6A 00             push 0
00403204  50                push eax
00403205  8D4C24 50         lea ecx,dword ptr ss:[esp+50]
00403209  E8 D6530200       call qsr.004285E4
0040320E  50                push eax
0040320F  8D4C24 28         lea ecx,dword ptr ss:[esp+28]
00403213  C64424 40 0C      mov byte ptr ss:[esp+40],0C
00403218  E8 A7C30200       call qsr.0042F5C4
0040321D  8D4C24 30         lea ecx,dword ptr ss:[esp+30]
00403221  885C24 3C         mov byte ptr ss:[esp+3C],bl
00403225  E8 61C20200       call qsr.0042F48B
; Group 2: offset 5 -> local [esp+1C]
0040322A  6A 04             push 4
0040322C  8D4C24 34         lea ecx,dword ptr ss:[esp+34]
00403230  6A 05             push 5
00403232  51                push ecx
00403233  8D4C24 50         lea ecx,dword ptr ss:[esp+50]
00403237  E8 A8530200       call qsr.004285E4
0040323C  50                push eax
0040323D  8D4C24 20         lea ecx,dword ptr ss:[esp+20]
00403241  C64424 40 0D      mov byte ptr ss:[esp+40],0D
00403246  E8 79C30200       call qsr.0042F5C4
0040324B  8D4C24 30         lea ecx,dword ptr ss:[esp+30]
0040324F  885C24 3C         mov byte ptr ss:[esp+3C],bl
00403253  E8 33C20200       call qsr.0042F48B
; Group 3: offset taken from EDI -> local [esp+18]. EDI was loaded with 0Ah at
; 004031BD; this assumes the calls in between preserve it.
00403258  6A 04             push 4
0040325A  8D5424 34         lea edx,dword ptr ss:[esp+34]
0040325E  57                push edi
0040325F  52                push edx
00403260  8D4C24 50         lea ecx,dword ptr ss:[esp+50]
00403264  E8 7B530200       call qsr.004285E4
00403269  50                push eax
0040326A  8D4C24 1C         lea ecx,dword ptr ss:[esp+1C]
0040326E  C64424 40 0E      mov byte ptr ss:[esp+40],0E
00403273  E8 4CC30200       call qsr.0042F5C4
00403278  8D4C24 30         lea ecx,dword ptr ss:[esp+30]
0040327C  885C24 3C         mov byte ptr ss:[esp+3C],bl
00403280  E8 06C20200       call qsr.0042F48B
; Group 4: offset 0Fh -> local [esp+14]
00403285  6A 04             push 4
00403287  8D4424 34         lea eax,dword ptr ss:[esp+34]
0040328B  6A 0F             push 0F
0040328D  50                push eax
0040328E  8D4C24 50         lea ecx,dword ptr ss:[esp+50]
00403292  E8 4D530200       call qsr.004285E4
00403297  50                push eax
00403298  8D4C24 18         lea ecx,dword ptr ss:[esp+18]
0040329C  C64424 40 0F      mov byte ptr ss:[esp+40],0F
004032A1  E8 1EC30200       call qsr.0042F5C4
004032A6  8D4C24 30         lea ecx,dword ptr ss:[esp+30]
004032AA  885C24 3C         mov byte ptr ss:[esp+3C],bl
004032AE  E8 D8C10200       call qsr.0042F48B
; Group 5: offset 14h -> local [esp+10]
004032B3  6A 04             push 4
004032B5  8D4C24 34         lea ecx,dword ptr ss:[esp+34]
004032B9  6A 14             push 14
004032BB  51                push ecx
004032BC  8D4C24 50         lea ecx,dword ptr ss:[esp+50]
004032C0  E8 1F530200       call qsr.004285E4
004032C5  50                push eax
004032C6  8D4C24 14         lea ecx,dword ptr ss:[esp+14]
004032CA  C64424 40 10      mov byte ptr ss:[esp+40],10
004032CF  E8 F0C20200       call qsr.0042F5C4
004032D4  8D4C24 30         lea ecx,dword ptr ss:[esp+30]
004032D8  885C24 3C         mov byte ptr ss:[esp+3C],bl
004032DC  E8 AAC10200       call qsr.0042F48B
; qsr.004030A0, part 4 (004032E1-00403323): inline byte-by-byte comparison of
; two zero-terminated strings, two bytes per loop iteration. EAX walks the
; string at [esp+28] (the value formatted with "%d%d%d%d"), ESI the string at
; [esp+24] (characters 1-4 of the entered code, per the author).
; Result: EAX = 0 when the strings are equal, otherwise -1 or 1 from the SBB pair.
004032E1  8B7424 24         mov esi,dword ptr ss:[esp+24]  ; author: characters 1-4 of the code -> ESI
004032E5  8B4424 28         mov eax,dword ptr ss:[esp+28]  ; author: the derived string ("4893" in the author's run) -> EAX
004032E9  8A10              mov dl,byte ptr ds:[eax]  ; DL = byte at [EAX]
004032EB  8A1E              mov bl,byte ptr ds:[esi]  ; BL = byte at [ESI]
004032ED  8ACA              mov cl,dl  ; CL keeps DL for the terminator test
004032EF  3AD3              cmp dl,bl
004032F1  75 1E             jnz short qsr.00403311  ; author: mismatch -> jump (must not be taken)
004032F3  84C9              test cl,cl
004032F5  74 16             je short qsr.0040330D  ; terminator reached with all bytes equal
004032F7  8A50 01           mov dl,byte ptr ds:[eax+1]  ; DL = byte at [EAX+1]
004032FA  8A5E 01           mov bl,byte ptr ds:[esi+1]  ; BL = byte at [ESI+1]
004032FD  8ACA              mov cl,dl
004032FF  3AD3              cmp dl,bl
00403301  75 0E             jnz short qsr.00403311  ; author: mismatch -> jump (must not be taken)
00403303  83C0 02           add eax,2  ; advance both pointers by two bytes
00403306  83C6 02           add esi,2
00403309  84C9              test cl,cl
0040330B ^ 75 DC            jnz short qsr.004032E9  ; not at the terminator yet -> next pair
0040330D  33C0              xor eax,eax  ; equal: EAX = 0
0040330F  EB 05             jmp short qsr.00403316
; Mismatch: the carry flag left by CMP turns into -1 or 1.
00403311  1BC0              sbb eax,eax
00403313  83D8 FF           sbb eax,-1
00403316  85C0              test eax,eax
00403318  74 0E             je short qsr.00403328  ; equal -> go on to the numeric checks
; Not equal: continue at 00403418 with ECX -> local [esp+10].
0040331A  C64424 3C 0A      mov byte ptr ss:[esp+3C],0A
0040331F  8D4C24 10         lea ecx,dword ptr ss:[esp+10]
00403323  E9 F0000000       jmp qsr.00403418
; qsr.004030A0, part 5 (00403328-004033BF): each of the four remaining code
; groups is turned into a number. Per group: the dword at [ptr-8] is pushed
; and 0042F8BB is called with ECX -> the group's local; its result is passed
; to 0041A085, whose argument the caller removes with `add esp,4`.
; Results: ESI = group at [esp+1C], EDI = [esp+18], EBX = [esp+14], EBP = [esp+10].
; Character ranges below are the author's, counted from 1.
; NOTE(review): the author describes 0041A085 as "convert to hex"; it is more
; likely a decimal text-to-integer conversion whose result the debugger shows
; in hex - confirm. Callees are not shown.
00403328  8B4424 1C         mov eax,dword ptr ss:[esp+1C]  ; author: characters 6-9 of the code -> EAX
0040332C  8D4C24 1C         lea ecx,dword ptr ss:[esp+1C]
00403330  8B40 F8           mov eax,dword ptr ds:[eax-8]
00403333  50                push eax
00403334  E8 82C50200       call qsr.0042F8BB  ; author: characters 6-9 -> EAX
00403339  50                push eax
0040333A  E8 466D0100       call qsr.0041A085  ; author: characters 6-9 converted, value in EAX
; The argument of 0041A085 is still on the stack here, so [esp+1C] is the
; local otherwise addressed as [esp+18].
0040333F  8B4C24 1C         mov ecx,dword ptr ss:[esp+1C]  ; author: characters 11-14 -> ECX
00403343  83C4 04           add esp,4
00403346  8BF0              mov esi,eax  ; author: ESI = value of characters 6-9
00403348  8B41 F8           mov eax,dword ptr ds:[ecx-8]
0040334B  8D4C24 18         lea ecx,dword ptr ss:[esp+18]
0040334F  50                push eax
00403350  E8 66C50200       call qsr.0042F8BB  ; author: characters 11-14
00403355  50                push eax
00403356  E8 2A6D0100       call qsr.0041A085  ; author: characters 11-14 converted, value in EAX
0040335B  8B5424 18         mov edx,dword ptr ss:[esp+18]  ; author: characters 16-19 -> EDX (same pending-argument offset)
0040335F  83C4 04           add esp,4
00403362  8BF8              mov edi,eax  ; author: EDI = value of characters 11-14
00403364  8D4C24 14         lea ecx,dword ptr ss:[esp+14]
00403368  8B42 F8           mov eax,dword ptr ds:[edx-8]
0040336B  50                push eax
0040336C  E8 4AC50200       call qsr.0042F8BB  ; author: characters 16-19
00403371  50                push eax
00403372  E8 0E6D0100       call qsr.0041A085  ; author: characters 16-19 converted, value in EAX
00403377  8BD8              mov ebx,eax  ; EBX = value of characters 16-19
00403379  8B4424 14         mov eax,dword ptr ss:[esp+14]  ; author: characters 21-24 -> EAX (same pending-argument offset)
0040337D  83C4 04           add esp,4
00403380  8D4C24 10         lea ecx,dword ptr ss:[esp+10]
00403384  8B40 F8           mov eax,dword ptr ds:[eax-8]
00403387  50                push eax
00403388  E8 2EC50200       call qsr.0042F8BB  ; author: characters 21-24
0040338D  50                push eax
0040338E  E8 F26C0100       call qsr.0041A085  ; author: characters 21-24 converted, value in EAX
00403393  83C4 04           add esp,4
00403396  8D4C24 1C         lea ecx,dword ptr ss:[esp+1C]
0040339A  8BE8              mov ebp,eax  ; EBP = value of characters 21-24
; 0042F90A is called with -1 on each of the four group locals, in the same
; order. NOTE(review): presumably releases the buffers obtained through
; 0042F8BB - confirm.
0040339C  6A FF             push -1
0040339E  E8 67C50200       call qsr.0042F90A  ; author: characters 6-9 in ECX, length in EAX
004033A3  6A FF             push -1
004033A5  8D4C24 1C         lea ecx,dword ptr ss:[esp+1C]  ; one push pending: local [esp+18]
004033A9  E8 5CC50200       call qsr.0042F90A  ; author: characters 11-14 in ECX, length in EAX
004033AE  6A FF             push -1
004033B0  8D4C24 18         lea ecx,dword ptr ss:[esp+18]  ; one push pending: local [esp+14]
004033B4  E8 51C50200       call qsr.0042F90A  ; author: characters 16-19 in ECX, length in EAX
004033B9  6A FF             push -1
004033BB  8D4C24 14         lea ecx,dword ptr ss:[esp+14]  ; one push pending: local [esp+10]
004033BF  E8 46C50200       call qsr.0042F90A  ; author: characters 21-24 in ECX, length in EAX
; qsr.004030A0, part 6 (004033C4-00403412): two arithmetic comparisons on the
; numeric groups. On entry ESI, EDI, EBX and EBP hold the values set at
; 00403346, 00403362, 00403377 and 0040339A (per the author: characters 6-9,
; 11-14, 16-19 and 21-24 of the code). Each check reduces an expression modulo
; 2710h (10000 decimal) and compares the remainder with the following group.
; The LEA instructions are used for arithmetic only; they do not read memory.
004033C4  8D8CB6 04AB0000   lea ecx,dword ptr ds:[esi+esi*4+AB04]  ; ECX = ESI + ESI*4 + AB04h
004033CB  8D844E 34220000   lea eax,dword ptr ds:[esi+ecx*2+2234]  ; EAX = ESI + ECX*2 + 2234h
004033D2  B9 10270000       mov ecx,2710  ; divisor 2710h = 10000 decimal
004033D7  D1E0              shl eax,1  ; EAX doubled
004033D9  99                cdq  ; sign-extend EAX into EDX for the signed divide
004033DA  F7F9              idiv ecx  ; quotient in EAX, remainder in EDX
004033DC  3BFA              cmp edi,edx  ; author: remainder vs value of characters 11-14
004033DE  74 0B             je short qsr.004033EB  ; author: equal -> jump (must be taken)
; First check failed: continue at 00403418 with ECX -> local [esp+10].
004033E0  C64424 3C 0A      mov byte ptr ss:[esp+3C],0A
004033E5  8D4C24 10         lea ecx,dword ptr ss:[esp+10]
004033E9  EB 2D             jmp short qsr.00403418
004033EB  8D83 CAEAFFFF     lea eax,dword ptr ds:[ebx-1536]  ; EAX = EBX - 1536h
004033F1  81C3 E2090000     add ebx,9E2  ; author: value of characters 16-19 plus 9E2h
; CDQ / XOR / SUB leaves the absolute value of EAX. (The author's note reads
; the CDQ as extending EBX; CDQ sign-extends EAX into EDX.)
004033F7  99                cdq
004033F8  33C2              xor eax,edx
004033FA  B9 10270000       mov ecx,2710  ; divisor 2710h = 10000 decimal
004033FF  2BC2              sub eax,edx
00403401  C64424 3C 0A      mov byte ptr ss:[esp+3C],0A  ; 0Ah -> [esp+3C]
00403406  0FAFC3            imul eax,ebx  ; EAX = EAX * EBX
00403409  99                cdq
0040340A  F7F9              idiv ecx  ; quotient in EAX, remainder in EDX
0040340C  8D4C24 10         lea ecx,dword ptr ss:[esp+10]  ; ECX -> local [esp+10] for the call at either branch target
00403410  3BEA              cmp ebp,edx  ; author: last 4 characters of the code vs EDX
00403412  0F84 8D000000     je qsr.004034A5  ; author: equal -> jump (must be taken); otherwise falls into 00403418
; qsr.004030A0, part 7 (00403418-004034A0): the rejecting exit. Reached at
; 00403418 from the failed comparisons (ECX already -> local [esp+10]) and at
; 00403463 from the two length tests at 0040310E / 0040311C. 0042F48B is
; called once per local and finally on both arguments ([esp+44], [esp+48]),
; while [esp+3C] is stepped down 9, 8, 7, 6, 3, 2, 1, 0, -1.
; NOTE(review): looks like compiler-generated destruction of the string
; objects together with the unwind-state slot - callee not shown, confirm.
; The path ends with AL = 0.
00403418  E8 6EC00200       call qsr.0042F48B
0040341D  8D4C24 14         lea ecx,dword ptr ss:[esp+14]
00403421  C64424 3C 09      mov byte ptr ss:[esp+3C],9
00403426  E8 60C00200       call qsr.0042F48B
0040342B  8D4C24 18         lea ecx,dword ptr ss:[esp+18]
0040342F  C64424 3C 08      mov byte ptr ss:[esp+3C],8
00403434  E8 52C00200       call qsr.0042F48B
00403439  8D4C24 1C         lea ecx,dword ptr ss:[esp+1C]
0040343D  C64424 3C 07      mov byte ptr ss:[esp+3C],7
00403442  E8 44C00200       call qsr.0042F48B
00403447  8D4C24 24         lea ecx,dword ptr ss:[esp+24]
0040344B  C64424 3C 06      mov byte ptr ss:[esp+3C],6
00403450  E8 36C00200       call qsr.0042F48B
00403455  8D4C24 28         lea ecx,dword ptr ss:[esp+28]
00403459  C64424 3C 03      mov byte ptr ss:[esp+3C],3
0040345E  E8 28C00200       call qsr.0042F48B
; Entry point for the length-test failures: only the objects that exist at
; that stage are handled from here on.
00403463  8D4C24 2C         lea ecx,dword ptr ss:[esp+2C]
00403467  C64424 3C 02      mov byte ptr ss:[esp+3C],2
0040346C  E8 1AC00200       call qsr.0042F48B
00403471  8D4C24 20         lea ecx,dword ptr ss:[esp+20]
00403475  C64424 3C 01      mov byte ptr ss:[esp+3C],1
0040347A  E8 0CC00200       call qsr.0042F48B
0040347F  8D4C24 44         lea ecx,dword ptr ss:[esp+44]
00403483  C64424 3C 00      mov byte ptr ss:[esp+3C],0
00403488  E8 FEBF0200       call qsr.0042F48B
0040348D  8D4C24 48         lea ecx,dword ptr ss:[esp+48]
00403491  C74424 3C FFFFF>  mov dword ptr ss:[esp+3C],-1
00403499  E8 EDBF0200       call qsr.0042F48B
0040349E  32C0              xor al,al  ; author: AL cleared - the check reports failure
004034A0  E9 88000000       jmp qsr.0040352D  ; join the common epilogue
; qsr.004030A0, part 8 (004034A5-0040353F): the accepting exit and the common
; epilogue. Reached from the `je` at 00403412 with ECX -> local [esp+10]. The
; same sequence of 0042F48B calls as on the rejecting path runs over the
; locals and both arguments, with [esp+3C] stepped down 9, 8, 7, 6, 3, 2, 1,
; 0, -1; the path then sets AL = 1.
; NOTE(review): looks like compiler-generated destruction of the string
; objects - callee not shown, confirm.
004034A5  E8 E1BF0200       call qsr.0042F48B  ; author: reached only when both jumps above were taken; keep single-stepping (F8)
004034AA  8D4C24 14         lea ecx,dword ptr ss:[esp+14]
004034AE  C64424 3C 09      mov byte ptr ss:[esp+3C],9
004034B3  E8 D3BF0200       call qsr.0042F48B
004034B8  8D4C24 18         lea ecx,dword ptr ss:[esp+18]
004034BC  C64424 3C 08      mov byte ptr ss:[esp+3C],8
004034C1  E8 C5BF0200       call qsr.0042F48B
004034C6  8D4C24 1C         lea ecx,dword ptr ss:[esp+1C]
004034CA  C64424 3C 07      mov byte ptr ss:[esp+3C],7
004034CF  E8 B7BF0200       call qsr.0042F48B
004034D4  8D4C24 24         lea ecx,dword ptr ss:[esp+24]
004034D8  C64424 3C 06      mov byte ptr ss:[esp+3C],6
004034DD  E8 A9BF0200       call qsr.0042F48B
004034E2  8D4C24 28         lea ecx,dword ptr ss:[esp+28]
004034E6  C64424 3C 03      mov byte ptr ss:[esp+3C],3
004034EB  E8 9BBF0200       call qsr.0042F48B
004034F0  8D4C24 2C         lea ecx,dword ptr ss:[esp+2C]
004034F4  C64424 3C 02      mov byte ptr ss:[esp+3C],2
004034F9  E8 8DBF0200       call qsr.0042F48B
004034FE  8D4C24 20         lea ecx,dword ptr ss:[esp+20]
00403502  C64424 3C 01      mov byte ptr ss:[esp+3C],1
00403507  E8 7FBF0200       call qsr.0042F48B
0040350C  8D4C24 44         lea ecx,dword ptr ss:[esp+44]
00403510  C64424 3C 00      mov byte ptr ss:[esp+3C],0
00403515  E8 71BF0200       call qsr.0042F48B
0040351A  8D4C24 48         lea ecx,dword ptr ss:[esp+48]
0040351E  C74424 3C FFFFF>  mov dword ptr ss:[esp+3C],-1
00403526  E8 60BF0200       call qsr.0042F48B
0040352B  B0 01             mov al,1  ; result: accepted
; Common epilogue (the rejecting path joins at 0040352D with AL = 0): write
; the fs:[0] value saved at 004030AD back, restore the four saved registers,
; release the 30h bytes of frame and drop the two stack arguments.
0040352D  8B4C24 34         mov ecx,dword ptr ss:[esp+34]
00403531  5F                pop edi
00403532  5E                pop esi
00403533  5D                pop ebp
00403534  5B                pop ebx
00403535  64:890D 0000000>  mov dword ptr fs:[0],ecx
0040353C  83C4 30           add esp,30
0040353F  C2 0800           retn 8
--------------------------------------------------------------------------------
【破解总结】
用户名长度不能小于2,注册码必须为24位。注册码第1到4位由用户名决定,第11到14位由第6到9位决定,第21到24位由第16到19位决定,第5、10、15、20位任意^-^
用户名:yijun
注册码:4893*7777*3726*7777*0529
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!