[求助]三耳复读机不能爆破彻底-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (20)
斜阳残雪雪币： 228 活跃值： (11) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 92 粉丝 0 关注私信	斜阳残雪 3 2 楼那就是程序后面又对注册进行了检查，标志位之类的。 2007-6-23 12:17 0
菜鸟求学雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 33 回帖 137 粉丝 0 关注私信	菜鸟求学 3 楼 00405A54 . E8 075C0100 call VoiceWri.0041B660 00405A59 . 8BCE mov ecx,esi 00405A5B . E8 30520100 call VoiceWri.0041AC90 关键Call 一共有5个地方调用这个Call，在这个Call后面的判断下手看看 00405A60 . 84C0 test al,al 比较 00405A62 74 17 je short VoiceWri.00405A7B 关键跳 00405A64 . 6A 00 push 0 00405A66 . 68 8C684300 push VoiceWri.0043688C 00405A6B . 68 7C684300 push VoiceWri.0043687C 您已成功注册! 00405A70 . 8BCF mov ecx,edi 00405A72 . E8 9F350200 call <jmp.&MFC42.#4224> 不会用这个软件，不知道那里有限制，没测试，不知道对不对，你弄弄看吧 2007-6-23 13:29 0
斜阳残雪雪币： 228 活跃值： (11) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 92 粉丝 0 关注私信	斜阳残雪 3 4 楼 OD载入，下bp MessageBoxA，然后F9，输入注册码，按“确定”，断在这里： 00405A89 . E8 02C3FFFF call 00401D90 ; 弹出注册窗口 00405A8E . 8BCE mov ecx, esi 00405A90 . E8 CB5B0100 call 0041B660 00405A95 . 8BCE mov ecx, esi 00405A97 . E8 F4510100 call 0041AC90 ;关键Call 00405A9C 84C0 test al, al ;标志位比较（但是单纯修改这个还是不行） 00405A9E . 6A 00 push 0 00405AA0 . 68 8C684300 push 0043688C 00405AA5 75 10 jnz short 00405AB7 ;跳走则成功我们跟入关键Call： 0041AC90 /$ 51 push ecx 0041AC91 \|. 53 push ebx 0041AC92 \|. 55 push ebp 0041AC93 \|. 56 push esi 0041AC94 \|. 57 push edi 0041AC95 \|. 8BF9 mov edi, ecx 0041AC97 \|. E8 240F0000 call 0041BBC0 ;利用Reg.dll取得硬盘信息并加以处理 0041AC9C \|. 8BCF mov ecx, edi 0041AC9E \|. E8 0D0F0000 call 0041BBB0 0041ACA3 \|. 8BCF mov ecx, edi 0041ACA5 \|. E8 A6080000 call 0041B550 0041ACAA \|. 8B47 14 mov eax, dword ptr [edi+14] 0041ACAD \|. 8D5F 14 lea ebx, dword ptr [edi+14] 0041ACB0 \|. 8378 F8 08 cmp dword ptr [eax-8], 8 ;第一处比较 0041ACB4 74 08 je short 0041ACBE ;跳不走则失败 0041ACB6 \|. 5F pop edi 0041ACB7 \|. 5E pop esi 0041ACB8 \|. 5D pop ebp 0041ACB9 \|. 32C0 xor al, al 0041ACBB \|. 5B pop ebx 0041ACBC \|. 59 pop ecx 0041ACBD \|. C3 retn 0041ACBE \|> 8BCB mov ecx, ebx 0041ACC0 \|. E8 59E40000 call <jmp.&MFC42.#4202_CString::MakeL> 0041ACC5 \|. 8B77 18 mov esi, dword ptr [edi+18] 0041ACC8 \|. 8B2B mov ebp, dword ptr [ebx] 0041ACCA \|. 0FBE46 05 movsx eax, byte ptr [esi+5] 0041ACCE \|. 0FBE16 movsx edx, byte ptr [esi] 0041ACD1 \|. 8D0C40 lea ecx, dword ptr [eax+eax2] 0041ACD4 \|. 8D0488 lea eax, dword ptr [eax+ecx4] 0041ACD7 \|. 8BCA mov ecx, edx 0041ACD9 \|. C1E1 05 shl ecx, 5 0041ACDC \|. 03CA add ecx, edx 0041ACDE \|. 8D0C49 lea ecx, dword ptr [ecx+ecx2] 0041ACE1 \|. 8D144A lea edx, dword ptr [edx+ecx2] 0041ACE4 \|. B9 24000000 mov ecx, 24 0041ACE9 \|. 03C2 add eax, edx 0041ACEB \|. 33D2 xor edx, edx 0041ACED \|. F7F1 div ecx 0041ACEF \|. 0FBE4D 00 movsx ecx, byte ptr [ebp] 0041ACF3 \|. 8D41 D0 lea eax, dword ptr [ecx-30] ; Switch (cases 30..7A) 0041ACF6 \|. 83F8 4A cmp eax, 4A 0041ACF9 \|. 895424 10 mov dword ptr [esp+10], edx 0041ACFD \|. 0F87 34010000 ja 0041AE37 0041AD03 \|. 33D2 xor edx, edx 0041AD05 \|. 8A90 F8B14100 mov dl, byte ptr [eax+41B1F8] 0041AD0B \|. FF2495 64B141>jmp dword ptr [edx4+41B164] 0041AD12 \|> B8 13000000 mov eax, 13 ; Case 31 ('1') of switch 0041ACF3 0041AD17 \|. E9 20010000 jmp 0041AE3C 0041AD1C \|> B8 02000000 mov eax, 2 ; Case 32 ('2') of switch 0041ACF3 0041AD21 \|. E9 16010000 jmp 0041AE3C 0041AD26 \|> B8 01000000 mov eax, 1 ; Case 33 ('3') of switch 0041ACF3 0041AD2B \|. E9 0C010000 jmp 0041AE3C 0041AD30 \|> B8 07000000 mov eax, 7 ; Case 34 ('4') of switch 0041ACF3 0041AD35 \|. E9 02010000 jmp 0041AE3C 0041AD3A \|> B8 22000000 mov eax, 22 ; Case 35 ('5') of switch 0041ACF3 0041AD3F \|. E9 F8000000 jmp 0041AE3C 0041AD44 \|> B8 05000000 mov eax, 5 ; Case 36 ('6') of switch 0041ACF3 0041AD49 \|. E9 EE000000 jmp 0041AE3C 0041AD4E \|> B8 04000000 mov eax, 4 ; Case 37 ('7') of switch 0041ACF3 0041AD53 \|. E9 E4000000 jmp 0041AE3C 0041AD58 \|> B8 10000000 mov eax, 10 ; Case 38 ('8') of switch 0041ACF3 0041AD5D \|. E9 DA000000 jmp 0041AE3C 0041AD62 \|> 33C0 xor eax, eax ; Case 39 ('9') of switch 0041ACF3 0041AD64 \|. E9 D3000000 jmp 0041AE3C 0041AD69 \|> B8 11000000 mov eax, 11 ; Case 30 ('0') of switch 0041ACF3 0041AD6E \|. E9 C9000000 jmp 0041AE3C 0041AD73 \|> B8 1C000000 mov eax, 1C ; Case 61 ('a') of switch 0041ACF3 0041AD78 \|. E9 BF000000 jmp 0041AE3C 0041AD7D \|> B8 0C000000 mov eax, 0C ; Case 62 ('b') of switch 0041ACF3 0041AD82 \|. E9 B5000000 jmp 0041AE3C 0041AD87 \|> B8 14000000 mov eax, 14 ; Case 63 ('c') of switch 0041ACF3 0041AD8C \|. E9 AB000000 jmp 0041AE3C 0041AD91 \|> B8 0E000000 mov eax, 0E ; Case 64 ('d') of switch 0041ACF3 0041AD96 \|. E9 A1000000 jmp 0041AE3C 0041AD9B \|> B8 0D000000 mov eax, 0D ; Case 65 ('e') of switch 0041ACF3 0041ADA0 \|. E9 97000000 jmp 0041AE3C 0041ADA5 \|> B8 08000000 mov eax, 8 ; Case 66 ('f') of switch 0041ACF3 0041ADAA \|. E9 8D000000 jmp 0041AE3C 0041ADAF \|> B8 09000000 mov eax, 9 ; Case 67 ('g') of switch 0041ACF3 0041ADB4 \|. E9 83000000 jmp 0041AE3C 0041ADB9 \|> B8 12000000 mov eax, 12 ; Case 68 ('h') of switch 0041ACF3 0041ADBE \|. EB 7C jmp short 0041AE3C 0041ADC0 \|> B8 03000000 mov eax, 3 ; Case 69 ('i') of switch 0041ACF3 0041ADC5 \|. EB 75 jmp short 0041AE3C 0041ADC7 \|> B8 0F000000 mov eax, 0F ; Case 6A ('j') of switch 0041ACF3 0041ADCC \|. EB 6E jmp short 0041AE3C 0041ADCE \|> B8 15000000 mov eax, 15 ; Case 6B ('k') of switch 0041ACF3 0041ADD3 \|. EB 67 jmp short 0041AE3C 0041ADD5 \|> B8 1B000000 mov eax, 1B ; Case 6C ('l') of switch 0041ACF3 0041ADDA \|. EB 60 jmp short 0041AE3C 0041ADDC \|> B8 18000000 mov eax, 18 ; Case 6D ('m') of switch 0041ACF3 0041ADE1 \|. EB 59 jmp short 0041AE3C 0041ADE3 \|> B8 17000000 mov eax, 17 ; Case 6E ('n') of switch 0041ACF3 0041ADE8 \|. EB 52 jmp short 0041AE3C 0041ADEA \|> B8 21000000 mov eax, 21 ; Case 6F ('o') of switch 0041ACF3 0041ADEF \|. EB 4B jmp short 0041AE3C 0041ADF1 \|> B8 1A000000 mov eax, 1A ; Case 70 ('p') of switch 0041ACF3 0041ADF6 \|. EB 44 jmp short 0041AE3C 0041ADF8 \|> B8 16000000 mov eax, 16 ; Case 72 ('r') of switch 0041ACF3 0041ADFD \|. EB 3D jmp short 0041AE3C 0041ADFF \|> B8 1D000000 mov eax, 1D ; Case 73 ('s') of switch 0041ACF3 0041AE04 \|. EB 36 jmp short 0041AE3C 0041AE06 \|> B8 1E000000 mov eax, 1E ; Case 74 ('t') of switch 0041ACF3 0041AE0B \|. EB 2F jmp short 0041AE3C 0041AE0D \|> B8 23000000 mov eax, 23 ; Case 75 ('u') of switch 0041ACF3 0041AE12 \|. EB 28 jmp short 0041AE3C 0041AE14 \|> B8 20000000 mov eax, 20 ; Case 76 ('v') of switch 0041ACF3 0041AE19 \|. EB 21 jmp short 0041AE3C 0041AE1B \|> B8 19000000 mov eax, 19 ; Case 77 ('w') of switch 0041ACF3 0041AE20 \|. EB 1A jmp short 0041AE3C 0041AE22 \|> B8 06000000 mov eax, 6 ; Case 78 ('x') of switch 0041ACF3 0041AE27 \|. EB 13 jmp short 0041AE3C 0041AE29 \|> B8 1F000000 mov eax, 1F ; Case 79 ('y') of switch 0041ACF3 0041AE2E \|. EB 0C jmp short 0041AE3C 0041AE30 \|> B8 0A000000 mov eax, 0A ; Case 7A ('z') of switch 0041ACF3 0041AE35 \|. EB 05 jmp short 0041AE3C 0041AE37 \|> B8 0B000000 mov eax, 0B ; Default case of switch 0041ACF3 0041AE3C \|> 394424 10 cmp dword ptr [esp+10], eax 0041AE40 74 0C je short 0041AE4E ;跳不走则失败 0041AE42 \|. C647 0F 10 mov byte ptr [edi+F], 10 0041AE46 \|. 5F pop edi 0041AE47 \|. 5E pop esi 0041AE48 \|. 5D pop ebp 0041AE49 \|. 32C0 xor al, al 0041AE4B \|. 5B pop ebx 0041AE4C \|. 59 pop ecx 0041AE4D \|. C3 retn 0041AE4E \|> 0FBE46 01 movsx eax, byte ptr [esi+1] 0041AE52 \|. 8D1440 lea edx, dword ptr [eax+eax2] 0041AE55 \|. 8D14D0 lea edx, dword ptr [eax+edx8] 0041AE58 \|. 8D1490 lea edx, dword ptr [eax+edx4] 0041AE5B \|. 8D0450 lea eax, dword ptr [eax+edx2] 0041AE5E \|. 8D1489 lea edx, dword ptr [ecx+ecx4] 0041AE61 \|. 8D0C51 lea ecx, dword ptr [ecx+edx2] 0041AE64 \|. 33D2 xor edx, edx 0041AE66 \|. 03C1 add eax, ecx 0041AE68 \|. B9 24000000 mov ecx, 24 0041AE6D \|. F7F1 div ecx 0041AE6F \|. 8BCF mov ecx, edi 0041AE71 \|. 8BF2 mov esi, edx 0041AE73 \|. 8A55 01 mov dl, byte ptr [ebp+1] 0041AE76 \|. 885424 10 mov byte ptr [esp+10], dl 0041AE7A \|. 8B4424 10 mov eax, dword ptr [esp+10] 0041AE7E \|. 50 push eax 0041AE7F \|. E8 DC080000 call 0041B760 0041AE84 \|. 3BF0 cmp esi, eax 0041AE86 74 0C je short 0041AE94 ;跳不走则失败 0041AE88 \|. C647 0F 10 mov byte ptr [edi+F], 10 0041AE8C \|. 5F pop edi 0041AE8D \|. 5E pop esi 0041AE8E \|. 5D pop ebp 0041AE8F \|. 32C0 xor al, al 0041AE91 \|. 5B pop ebx 0041AE92 \|. 59 pop ecx 0041AE93 \|. C3 retn 0041AE94 \|> 8B4F 18 mov ecx, dword ptr [edi+18] 0041AE97 \|. 8B33 mov esi, dword ptr [ebx] 0041AE99 \|. 0FBE49 02 movsx ecx, byte ptr [ecx+2] 0041AE9D \|. 0FBE56 01 movsx edx, byte ptr [esi+1] 0041AEA1 \|. 8BC1 mov eax, ecx 0041AEA3 \|. C1E0 05 shl eax, 5 0041AEA6 \|. 03C1 add eax, ecx 0041AEA8 \|. 8BCA mov ecx, edx 0041AEAA \|. C1E1 05 shl ecx, 5 0041AEAD \|. 03CA add ecx, edx 0041AEAF \|. 8D0440 lea eax, dword ptr [eax+eax2] 0041AEB2 \|. 8D0C49 lea ecx, dword ptr [ecx+ecx2] 0041AEB5 \|. 8D144A lea edx, dword ptr [edx+ecx2] 0041AEB8 \|. B9 24000000 mov ecx, 24 0041AEBD \|. 03C2 add eax, edx 0041AEBF \|. 33D2 xor edx, edx 0041AEC1 \|. F7F1 div ecx 0041AEC3 \|. 8BCF mov ecx, edi 0041AEC5 \|. 8BEA mov ebp, edx 0041AEC7 \|. 8A56 02 mov dl, byte ptr [esi+2] 0041AECA \|. 885424 10 mov byte ptr [esp+10], dl 0041AECE \|. 8B4424 10 mov eax, dword ptr [esp+10] 0041AED2 \|. 50 push eax 0041AED3 \|. E8 A80A0000 call 0041B980 0041AED8 \|. 3BE8 cmp ebp, eax 0041AEDA 74 0C je short 0041AEE8 ;跳不走则失败 0041AEDC \|. C647 0F 10 mov byte ptr [edi+F], 10 0041AEE0 \|. 5F pop edi 0041AEE1 \|. 5E pop esi 0041AEE2 \|. 5D pop ebp 0041AEE3 \|. 32C0 xor al, al 0041AEE5 \|. 5B pop ebx 0041AEE6 \|. 59 pop ecx 0041AEE7 \|. C3 retn 0041AEE8 \|> 8B77 18 mov esi, dword ptr [edi+18] 0041AEEB \|. 8B2B mov ebp, dword ptr [ebx] 0041AEED \|. 0FBE46 03 movsx eax, byte ptr [esi+3] 0041AEF1 \|. 8D0CC0 lea ecx, dword ptr [eax+eax8] 0041AEF4 \|. 8D0448 lea eax, dword ptr [eax+ecx2] 0041AEF7 \|. 0FBE4D 02 movsx ecx, byte ptr [ebp+2] 0041AEFB \|. 8BD1 mov edx, ecx 0041AEFD \|. C1E2 05 shl edx, 5 0041AF00 \|. 03D1 add edx, ecx 0041AF02 \|. B9 24000000 mov ecx, 24 0041AF07 \|. 03C2 add eax, edx 0041AF09 \|. 33D2 xor edx, edx 0041AF0B \|. F7F1 div ecx 0041AF0D \|. 0FBE45 03 movsx eax, byte ptr [ebp+3] 0041AF11 \|. 83C0 D0 add eax, -30 ; Switch (cases 30..7A) 0041AF14 \|. 83F8 4A cmp eax, 4A 0041AF17 \|. 0F87 34010000 ja 0041B051 0041AF1D \|. 33C9 xor ecx, ecx 0041AF1F \|. 8A88 D8B24100 mov cl, byte ptr [eax+41B2D8] 0041AF25 \|. FF248D 44B241>jmp dword ptr [ecx4+41B244] 0041AF2C \|> B8 02000000 mov eax, 2 ; Case 31 ('1') of switch 0041AF11 0041AF31 \|. E9 20010000 jmp 0041B056 0041AF36 \|> B8 13000000 mov eax, 13 ; Case 32 ('2') of switch 0041AF11 0041AF3B \|. E9 16010000 jmp 0041B056 0041AF40 \|> B8 07000000 mov eax, 7 ; Case 33 ('3') of switch 0041AF11 0041AF45 \|. E9 0C010000 jmp 0041B056 0041AF4A \|> B8 01000000 mov eax, 1 ; Case 34 ('4') of switch 0041AF11 0041AF4F \|. E9 02010000 jmp 0041B056 0041AF54 \|> B8 05000000 mov eax, 5 ; Case 35 ('5') of switch 0041AF11 0041AF59 \|. E9 F8000000 jmp 0041B056 0041AF5E \|> B8 22000000 mov eax, 22 ; Case 36 ('6') of switch 0041AF11 0041AF63 \|. E9 EE000000 jmp 0041B056 0041AF68 \|> B8 10000000 mov eax, 10 ; Case 37 ('7') of switch 0041AF11 0041AF6D \|. E9 E4000000 jmp 0041B056 0041AF72 \|> B8 04000000 mov eax, 4 ; Case 38 ('8') of switch 0041AF11 0041AF77 \|. E9 DA000000 jmp 0041B056 0041AF7C \|> B8 11000000 mov eax, 11 ; Case 39 ('9') of switch 0041AF11 0041AF81 \|. E9 D0000000 jmp 0041B056 0041AF86 \|> 33C0 xor eax, eax ; Case 30 ('0') of switch 0041AF11 0041AF88 \|. E9 C9000000 jmp 0041B056 0041AF8D \|> B8 0C000000 mov eax, 0C ; Case 61 ('a') of switch 0041AF11 0041AF92 \|. E9 BF000000 jmp 0041B056 0041AF97 \|> B8 1C000000 mov eax, 1C ; Case 62 ('b') of switch 0041AF11 0041AF9C \|. E9 B5000000 jmp 0041B056 0041AFA1 \|> B8 0E000000 mov eax, 0E ; Case 63 ('c') of switch 0041AF11 0041AFA6 \|. E9 AB000000 jmp 0041B056 0041AFAB \|> B8 14000000 mov eax, 14 ; Case 64 ('d') of switch 0041AF11 0041AFB0 \|. E9 A1000000 jmp 0041B056 0041AFB5 \|> B8 08000000 mov eax, 8 ; Case 65 ('e') of switch 0041AF11 0041AFBA \|. E9 97000000 jmp 0041B056 0041AFBF \|> B8 0D000000 mov eax, 0D ; Case 66 ('f') of switch 0041AF11 0041AFC4 \|. E9 8D000000 jmp 0041B056 0041AFC9 \|> B8 12000000 mov eax, 12 ; Case 67 ('g') of switch 0041AF11 0041AFCE \|. E9 83000000 jmp 0041B056 0041AFD3 \|> B8 09000000 mov eax, 9 ; Case 68 ('h') of switch 0041AF11 0041AFD8 \|. EB 7C jmp short 0041B056 0041AFDA \|> B8 0F000000 mov eax, 0F ; Case 69 ('i') of switch 0041AF11 0041AFDF \|. EB 75 jmp short 0041B056 0041AFE1 \|> B8 03000000 mov eax, 3 ; Case 6A ('j') of switch 0041AF11 0041AFE6 \|. EB 6E jmp short 0041B056 0041AFE8 \|> B8 1B000000 mov eax, 1B ; Case 6B ('k') of switch 0041AF11 0041AFED \|. EB 67 jmp short 0041B056 0041AFEF \|> B8 15000000 mov eax, 15 ; Case 6C ('l') of switch 0041AF11 0041AFF4 \|. EB 60 jmp short 0041B056 0041AFF6 \|> B8 17000000 mov eax, 17 ; Case 6D ('m') of switch 0041AF11 0041AFFB \|. EB 59 jmp short 0041B056 0041AFFD \|> B8 18000000 mov eax, 18 ; Case 6E ('n') of switch 0041AF11 0041B002 \|. EB 52 jmp short 0041B056 0041B004 \|> B8 1A000000 mov eax, 1A ; Case 6F ('o') of switch 0041AF11 0041B009 \|. EB 4B jmp short 0041B056 0041B00B \|> B8 21000000 mov eax, 21 ; Case 70 ('p') of switch 0041AF11 0041B010 \|. EB 44 jmp short 0041B056 0041B012 \|> B8 16000000 mov eax, 16 ; Case 71 ('q') of switch 0041AF11 0041B017 \|. EB 3D jmp short 0041B056 0041B019 \|> B8 1E000000 mov eax, 1E ; Case 73 ('s') of switch 0041AF11 0041B01E \|. EB 36 jmp short 0041B056 0041B020 \|> B8 1D000000 mov eax, 1D ; Case 74 ('t') of switch 0041AF11 0041B025 \|. EB 2F jmp short 0041B056 0041B027 \|> B8 20000000 mov eax, 20 ; Case 75 ('u') of switch 0041AF11 0041B02C \|. EB 28 jmp short 0041B056 0041B02E \|> B8 23000000 mov eax, 23 ; Case 76 ('v') of switch 0041AF11 0041B033 \|. EB 21 jmp short 0041B056 0041B035 \|> B8 06000000 mov eax, 6 ; Case 77 ('w') of switch 0041AF11 0041B03A \|. EB 1A jmp short 0041B056 0041B03C \|> B8 19000000 mov eax, 19 ; Case 78 ('x') of switch 0041AF11 0041B041 \|. EB 13 jmp short 0041B056 0041B043 \|> B8 0A000000 mov eax, 0A ; Case 79 ('y') of switch 0041AF11 0041B048 \|. EB 0C jmp short 0041B056 0041B04A \|> B8 1F000000 mov eax, 1F ; Case 7A ('z') of switch 0041AF11 0041B04F \|. EB 05 jmp short 0041B056 0041B051 \|> B8 0B000000 mov eax, 0B ; Default case of switch 0041AF11 0041B056 \|> 3BD0 cmp edx, eax 0041B058 74 0C je short 0041B066 ;跳不走则失败 0041B05A \|. C647 0F 10 mov byte ptr [edi+F], 10 0041B05E \|. 5F pop edi 0041B05F \|. 5E pop esi 0041B060 \|. 5D pop ebp 0041B061 \|. 32C0 xor al, al 0041B063 \|. 5B pop ebx 0041B064 \|. 59 pop ecx 0041B065 \|. C3 retn 0041B066 \|> 0FBE46 01 movsx eax, byte ptr [esi+1] 0041B06A \|. 8D1440 lea edx, dword ptr [eax+eax2] 0041B06D \|. 8D0CD0 lea ecx, dword ptr [eax+edx8] 0041B070 \|. 8D1488 lea edx, dword ptr [eax+ecx4] 0041B073 \|. 0FBE4E 02 movsx ecx, byte ptr [esi+2] 0041B077 \|. 8D0450 lea eax, dword ptr [eax+edx2] 0041B07A \|. 8D1489 lea edx, dword ptr [ecx+ecx4] 0041B07D \|. 8D0C51 lea ecx, dword ptr [ecx+edx2] 0041B080 \|. 33D2 xor edx, edx 0041B082 \|. 03C1 add eax, ecx 0041B084 \|. B9 24000000 mov ecx, 24 0041B089 \|. F7F1 div ecx 0041B08B \|. 8BCF mov ecx, edi 0041B08D \|. 8BF2 mov esi, edx 0041B08F \|. 8A55 05 mov dl, byte ptr [ebp+5] 0041B092 \|. 885424 10 mov byte ptr [esp+10], dl 0041B096 \|. 8B4424 10 mov eax, dword ptr [esp+10] 0041B09A \|. 50 push eax 0041B09B \|. E8 C0060000 call 0041B760 0041B0A0 \|. 3BF0 cmp esi, eax 0041B0A2 74 0C je short 0041B0B0 ;跳不走则失败 0041B0A4 \|. C647 0F 10 mov byte ptr [edi+F], 10 0041B0A8 \|. 5F pop edi 0041B0A9 \|. 5E pop esi 0041B0AA \|. 5D pop ebp 0041B0AB \|. 32C0 xor al, al 0041B0AD \|. 5B pop ebx 0041B0AE \|. 59 pop ecx 0041B0AF \|. C3 retn 0041B0B0 \|> 8B57 18 mov edx, dword ptr [edi+18] 0041B0B3 \|. C647 0C 01 mov byte ptr [edi+C], 1 0041B0B7 \|. 0FBE4A 03 movsx ecx, byte ptr [edx+3] 0041B0BB \|. 0FBE52 02 movsx edx, byte ptr [edx+2] 0041B0BF \|. 8BC1 mov eax, ecx 0041B0C1 \|. C1E0 05 shl eax, 5 0041B0C4 \|. 03C1 add eax, ecx 0041B0C6 \|. 8D0440 lea eax, dword ptr [eax+eax2] 0041B0C9 \|. 8D0441 lea eax, dword ptr [ecx+eax2] 0041B0CC \|. 8BCA mov ecx, edx 0041B0CE \|. C1E1 05 shl ecx, 5 0041B0D1 \|. 03CA add ecx, edx 0041B0D3 \|. 33D2 xor edx, edx 0041B0D5 \|. 8D0C49 lea ecx, dword ptr [ecx+ecx2] 0041B0D8 \|. 03C1 add eax, ecx 0041B0DA \|. B9 24000000 mov ecx, 24 0041B0DF \|. F7F1 div ecx 0041B0E1 \|. 8BF2 mov esi, edx 0041B0E3 \|. 8B13 mov edx, dword ptr [ebx] 0041B0E5 \|. 8A42 06 mov al, byte ptr [edx+6] 0041B0E8 \|. 884424 10 mov byte ptr [esp+10], al 0041B0EC \|. 8B4C24 10 mov ecx, dword ptr [esp+10] 0041B0F0 \|. 51 push ecx 0041B0F1 \|. 8BCF mov ecx, edi 0041B0F3 \|. E8 88080000 call 0041B980 0041B0F8 \|. 3BF0 cmp esi, eax 0041B0FA 74 0C je short 0041B108 ;跳不走则失败 0041B0FC \|. C647 0F 10 mov byte ptr [edi+F], 10 0041B100 \|. 5F pop edi 0041B101 \|. 5E pop esi 0041B102 \|. 5D pop ebp 0041B103 \|. 32C0 xor al, al 0041B105 \|. 5B pop ebx 0041B106 \|. 59 pop ecx 0041B107 \|. C3 retn 0041B108 \|> 8B4F 18 mov ecx, dword ptr [edi+18] 0041B10B \|. C647 0D 01 mov byte ptr [edi+D], 1 0041B10F \|. 0FBE51 05 movsx edx, byte ptr [ecx+5] 0041B113 \|. 0FBE49 04 movsx ecx, byte ptr [ecx+4] 0041B117 \|. 8BC2 mov eax, edx 0041B119 \|. C1E0 05 shl eax, 5 0041B11C \|. 03C2 add eax, edx 0041B11E \|. 8D14C9 lea edx, dword ptr [ecx+ecx8] 0041B121 \|. 8D0C51 lea ecx, dword ptr [ecx+edx2] 0041B124 \|. 33D2 xor edx, edx 0041B126 \|. 03C1 add eax, ecx 0041B128 \|. B9 24000000 mov ecx, 24 0041B12D \|. F7F1 div ecx 0041B12F \|. 8BF2 mov esi, edx 0041B131 \|. 8B13 mov edx, dword ptr [ebx] 0041B133 \|. 8A42 07 mov al, byte ptr [edx+7] 0041B136 \|. 884424 10 mov byte ptr [esp+10], al 0041B13A \|. 8B4C24 10 mov ecx, dword ptr [esp+10] 0041B13E \|. 51 push ecx 0041B13F \|. 8BCF mov ecx, edi 0041B141 \|. E8 EA010000 call 0041B330 0041B146 \|. 3BF0 cmp esi, eax 0041B148 74 0C je short 0041B156 ;跳不走则失败 0041B14A \|. C647 0F 10 mov byte ptr [edi+F], 10 0041B14E \|. 5F pop edi 0041B14F \|. 5E pop esi 0041B150 \|. 5D pop ebp 0041B151 \|. 32C0 xor al, al 0041B153 \|. 5B pop ebx 0041B154 \|. 59 pop ecx 0041B155 \|. C3 retn 0041B156 \|> C647 0F 13 mov byte ptr [edi+F], 13 ;这里是成功的标志位 0041B15A \|. 5F pop edi 0041B15B \|. 5E pop esi 0041B15C \|. 5D pop ebp 0041B15D \|. B0 01 mov al, 1 ;这里的al值用于关键Call后面的跳转 0041B15F \|. 5B pop ebx 0041B160 \|. 59 pop ecx 0041B161 \. C3 retn 经过分析，对判断流程大致了解，把所有带注释的je改成jmp即可完成爆破。也可把关键Call的开头0041AC90那里改为 mov byte ptr [edi+F],13 mov al,1 retn 也可完成爆破。我还是不能发附件，郁闷…… 你就到我网盘去下载破好了的主程序文件吧。网盘地址：http://www.edisk.org/?zlm324 文件名：VoiceWriter_crack.rar 2007-6-23 13:33 0
菜鸟求学雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 33 回帖 137 粉丝 0 关注私信	菜鸟求学 5 楼比我强，我是没那个能力和耐心去跟哈哈 2007-6-23 13:44 0
qianyicy 雪币： 228 活跃值： (10) 能力值： ( LV8，RANK：130 ) 在线值：发帖 18 回帖 95 粉丝 0 关注私信	qianyicy 3 6 楼我载入后不能用F8了,没去跟,呵 2007-6-23 14:33 0
斜阳残雪雪币： 228 活跃值： (11) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 92 粉丝 0 关注私信	斜阳残雪 3 7 楼哈哈，这个软件会占用F2、F7、F8这三个快捷键:) 你在软件的快捷键设置里面把这三个给空出来就行了。 2007-6-23 18:36 0
btlelite 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 5 粉丝 0 关注私信	btlelite 8 楼谢谢斜阳残雪的帮助,辛苦了! 按照这种思路,我一路跟随各跳转进行分析和修改,最终成功的突破一分钟限制收获很多,好像注册码也就是在这里面计算,等什么时候算出注册码了,再来答谢:) (不过残雪兄修订好的执行文件,显示的是注册版本,但是还是没有突破一分钟限制,但是按照这个思路一定是成功的:)) 2007-6-25 16:53 0
斜阳残雪雪币： 228 活跃值： (11) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 92 粉丝 0 关注私信	斜阳残雪 3 9 楼这个程序还有一分钟的限制？没注意到……是我粗心了，不好意思不过楼主终于能突破还是值得恭喜的 2007-6-26 01:14 0
斜阳残雪雪币： 228 活跃值： (11) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 92 粉丝 0 关注私信	斜阳残雪 3 10 楼另外，一分钟的限制那里能贴一块代码出来看看吗？ 2007-6-26 01:15 0
lianxishen 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	lianxishen 11 楼试用了一下, 软件似乎不错, 楼主成功后可否共享一下. 我还是新手, 自己搞不定还想请教各位, 为什么我用OD载入后, F9, 软件进程是有了, 但是界面却不弹出来. 先运行软件, 再用OD附加的话, 一按注册, od就出错关闭. 2007-6-26 19:42 0
斜阳残雪雪币： 228 活跃值： (11) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 92 粉丝 0 关注私信	斜阳残雪 3 12 楼我忘了这个软件有没有加壳了，你自己查一下，有的话脱一下就成。 2007-6-27 13:42 0
lianxishen 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	lianxishen 13 楼用PEID查了一下, 除了外部扫描显示为"armadillo 1.71*"之外, 其他的都显示成vc++6. 这个算是加壳了吗? 还是伪装过了? 2007-6-27 17:39 0
斜阳残雪雪币： 228 活跃值： (11) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 92 粉丝 0 关注私信	斜阳残雪 3 14 楼我不记得有没有壳了，如果真的有的话，我一定就是用dilloDIE 1.6脱掉的，因为我对付壳的能力为0，所以能脱掉的话就一定是脱壳机干的:) 2007-6-27 21:32 0
lianxishen 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	lianxishen 15 楼谢谢斜阳残雪, 软件已经被我卸了. 准备先把基础的弄弄熟再来搞 2007-6-29 17:50 0
syzlsyf 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	syzlsyf 16 楼 VoiceWriter_crack.rar 在您的网盘里没有找到。 2007-8-13 11:37 0
fenghui 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	fenghui 17 楼楼主没有回来吗，成功后可否共享一下？ 2007-8-16 10:15 0
digital 雪币： 200 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 5 粉丝 0 关注私信	digital 18 楼能不能从新上传一次 2007-8-16 11:23 0
digital 雪币： 200 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 5 粉丝 0 关注私信	digital 19 楼昨天回家试了一下，这个软件很好用，在斜阳残雪的网盘中没有找到VoiceWriter_crack.rar于是根据斜阳残雪的方法进行了爆破过程如下：用winhex将VoiceWriter.exe下面8处地址的74该为EB即可 1ACB4: 74->EB 1AE40: 74->EB 1AE86: 74->EB 1AEDA: 74->EB 1B058: 74->EB 1B0A2: 74->EB 1B0FA: 74->EB 1B148: 74->EB 2007-8-17 08:01 0
heihu 雪币： 1136 活跃值： (683) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 187 粉丝 0 关注私信	heihu 20 楼 00405A40 . 51 push ecx 00405A41 . 56 push esi 00405A42 . 57 push edi 00405A43 . 8BF9 mov edi, ecx 00405A45 . 8DB7 244D0000 lea esi, dword ptr [edi+4D24] 00405A4B . 8BCE mov ecx, esi 00405A4D . E8 0E4F0100 call 0041A960 00405A52 . 8BCE mov ecx, esi 00405A54 . E8 075C0100 call 0041B660 00405A59 . 8BCE mov ecx, esi 00405A5B . E8 30520100 call 0041AC90 00405A60 . 84C0 test al, al 00405A62 . 74 17 je short 00405A7B 00405A64 . 6A 00 push 0 00405A66 . 68 8C684300 push 0043688C ; 三耳软件 00405A6B . 68 7C684300 push 0043687C ; 您已成功注册! 00405A70 . 8BCF mov ecx, edi 00405A72 . E8 9F350200 call <jmp.&MFC42.#4224> 00405A77 . 5F pop edi 00405A78 . 5E pop esi 00405A79 . 59 pop ecx 00405A7A . C3 retn 00405A7B > 8D4424 08 lea eax, dword ptr [esp+8] 00405A7F . 8BCE mov ecx, esi 00405A81 . 50 push eax 00405A82 . E8 795C0100 call 0041B700 00405A87 . 8BCF mov ecx, edi 00405A89 . E8 02C3FFFF call 00401D90 00405A8E . 8BCE mov ecx, esi 00405A90 . E8 CB5B0100 call 0041B660 00405A95 . 8BCE mov ecx, esi 00405A97 . E8 F4510100 call 0041AC90 00405A9C . 84C0 test al, al 00405A9E . 6A 00 push 0 00405AA0 . 68 8C684300 push 0043688C ; 三耳软件 00405AA5 . 75 10 jnz short 00405AB7 00405AA7 . 68 68684300 push 00436868 ; 对不起,密码不正确! 00405AAC . 8BCF mov ecx, edi 00405AAE . E8 63350200 call <jmp.&MFC42.#4224> 00405AB3 . 5F pop edi 00405AB4 . 5E pop esi 00405AB5 . 59 pop ecx 00405AB6 . C3 retn 00405AB7 > 68 5C684300 push 0043685C ; 成功注册! 00405ABC . 8BCF mov ecx, edi 00405ABE . E8 53350200 call <jmp.&MFC42.#4224> 00405AC3 . 5F pop edi 00405AC4 . 5E pop esi 00405AC5 . 59 pop ecx 00405AC6 . C3 retn 字符串查找“对不起,密码不正确!”然后网上找，找到注册成功这个提示框，这个就是跳转关键了！00405A60 . 84C0 test al, al 00405A62 . 74 17 je short 00405A7B 这个跳转就是关键！在这个跳转上面有个关键Call我们按Enter键进入Call打入汇编代码mov al,1; retn;然后选择保存就可以完全破解这个软件了！这个软件是使用了标志位来判断的！如果改跳转有那么多跳转难道一个一个改啊！累死人了！只要找到这个关键标志位判断的地方修改一下就OK了！不用那么麻烦的去改那么多的跳转！本人也是菜鸟一只！感谢Pediy让我学到了好多！ 2007-8-17 09:05 0
syzlsyf 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	syzlsyf 21 楼 digital你的办法非常棒！！！ 2007-8-22 15:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

斜阳残雪

雪币： 228

活跃值： (11)

能力值：

( LV8，RANK：130 )

在线值：

发帖

6

回帖

92

粉丝

0

关注

私信

斜阳残雪 3: 2 楼

那就是程序后面又对注册进行了检查，标志位之类的。

2007-6-23 12:17

0

菜鸟求学

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

33

回帖

137

粉丝

0

关注

私信

菜鸟求学: 3 楼

00405A54 .  E8 075C0100 call VoiceWri.0041B660
00405A59 .  8BCE       mov ecx,esi
00405A5B .  E8 30520100 call VoiceWri.0041AC90 关键Call 一共有5个地方调用这个Call，在这个Call后面的判断下手看看
00405A60 .  84C0       test al,al                            比较
00405A62    74 17       je short VoiceWri.00405A7B 关键跳
00405A64 .  6A 00       push 0
00405A66 .  68 8C684300 push VoiceWri.0043688C
00405A6B .  68 7C684300 push VoiceWri.0043687C 您已成功注册!
00405A70 .  8BCF       mov ecx,edi
00405A72 .  E8 9F350200 call <jmp.&MFC42.#4224>

不会用这个软件，不知道那里有限制，没测试，不知道对不对，你弄弄看吧

2007-6-23 13:29

0

斜阳残雪

雪币： 228

活跃值： (11)

能力值：

( LV8，RANK：130 )

在线值：

发帖

6

回帖

92

粉丝

0

关注

私信

斜阳残雪 3: 4 楼

OD载入，下bp MessageBoxA，然后F9，输入注册码，按“确定”，断在这里：

00405A89 .  E8 02C3FFFF call 00401D90                      ;  弹出注册窗口
00405A8E .  8BCE       mov    ecx, esi
00405A90 .  E8 CB5B0100 call 0041B660
00405A95 .  8BCE       mov    ecx, esi
00405A97 .  E8 F4510100 call 0041AC90 ;关键Call
00405A9C    84C0       test al, al ;标志位比较（但是单纯修改这个还是不行）
00405A9E .  6A 00       push 0
00405AA0 .  68 8C684300 push 0043688C
00405AA5    75 10       jnz    short 00405AB7 ;跳走则成功

我们跟入关键Call：
0041AC90  /$  51          push ecx
0041AC91  |.  53          push ebx
0041AC92  |.  55          push ebp
0041AC93  |.  56          push esi
0041AC94  |.  57          push edi
0041AC95  |.  8BF9       mov    edi, ecx
0041AC97  |.  E8 240F0000 call 0041BBC0 ;利用Reg.dll取得硬盘信息并加以处理
0041AC9C  |.  8BCF       mov    ecx, edi
0041AC9E  |.  E8 0D0F0000 call 0041BBB0
0041ACA3  |.  8BCF       mov    ecx, edi
0041ACA5  |.  E8 A6080000 call 0041B550
0041ACAA  |.  8B47 14    mov    eax, dword ptr [edi+14]
0041ACAD  |.  8D5F 14    lea    ebx, dword ptr [edi+14]
0041ACB0  |.  8378 F8 08 cmp    dword ptr [eax-8], 8 ;第一处比较
0041ACB4    74 08       je    short 0041ACBE ;跳不走则失败
0041ACB6  |.  5F          pop    edi
0041ACB7  |.  5E          pop    esi
0041ACB8  |.  5D          pop    ebp
0041ACB9  |.  32C0       xor    al, al
0041ACBB  |.  5B          pop    ebx
0041ACBC  |.  59          pop    ecx
0041ACBD  |.  C3          retn
0041ACBE  |>  8BCB       mov    ecx, ebx
0041ACC0  |.  E8 59E40000 call <jmp.&MFC42.#4202_CString::MakeL>
0041ACC5  |.  8B77 18    mov    esi, dword ptr [edi+18]
0041ACC8  |.  8B2B       mov    ebp, dword ptr [ebx]
0041ACCA  |.  0FBE46 05    movsx eax, byte ptr [esi+5]
0041ACCE  |.  0FBE16       movsx edx, byte ptr [esi]
0041ACD1  |.  8D0C40       lea    ecx, dword ptr [eax+eax*2]
0041ACD4  |.  8D0488       lea    eax, dword ptr [eax+ecx*4]
0041ACD7  |.  8BCA       mov    ecx, edx
0041ACD9  |.  C1E1 05    shl    ecx, 5
0041ACDC  |.  03CA       add    ecx, edx
0041ACDE  |.  8D0C49       lea    ecx, dword ptr [ecx+ecx*2]
0041ACE1  |.  8D144A       lea    edx, dword ptr [edx+ecx*2]
0041ACE4  |.  B9 24000000 mov    ecx, 24
0041ACE9  |.  03C2       add    eax, edx
0041ACEB  |.  33D2       xor    edx, edx
0041ACED  |.  F7F1       div    ecx
0041ACEF  |.  0FBE4D 00    movsx ecx, byte ptr [ebp]
0041ACF3  |.  8D41 D0    lea    eax, dword ptr [ecx-30]       ;  Switch (cases 30..7A)
0041ACF6  |.  83F8 4A    cmp    eax, 4A
0041ACF9  |.  895424 10    mov    dword ptr [esp+10], edx
0041ACFD  |.  0F87 34010000 ja    0041AE37
0041AD03  |.  33D2       xor    edx, edx
0041AD05  |.  8A90 F8B14100 mov    dl, byte ptr [eax+41B1F8]
0041AD0B  |.  FF2495 64B141>jmp    dword ptr [edx*4+41B164]
0041AD12  |>  B8 13000000 mov    eax, 13                         ;  Case 31 ('1') of switch 0041ACF3
0041AD17  |.  E9 20010000 jmp    0041AE3C
0041AD1C  |>  B8 02000000 mov    eax, 2                         ;  Case 32 ('2') of switch 0041ACF3
0041AD21  |.  E9 16010000 jmp    0041AE3C
0041AD26  |>  B8 01000000 mov    eax, 1                         ;  Case 33 ('3') of switch 0041ACF3
0041AD2B  |.  E9 0C010000 jmp    0041AE3C
0041AD30  |>  B8 07000000 mov    eax, 7                         ;  Case 34 ('4') of switch 0041ACF3
0041AD35  |.  E9 02010000 jmp    0041AE3C
0041AD3A  |>  B8 22000000 mov    eax, 22                         ;  Case 35 ('5') of switch 0041ACF3
0041AD3F  |.  E9 F8000000 jmp    0041AE3C
0041AD44  |>  B8 05000000 mov    eax, 5                         ;  Case 36 ('6') of switch 0041ACF3
0041AD49  |.  E9 EE000000 jmp    0041AE3C
0041AD4E  |>  B8 04000000 mov    eax, 4                         ;  Case 37 ('7') of switch 0041ACF3
0041AD53  |.  E9 E4000000 jmp    0041AE3C
0041AD58  |>  B8 10000000 mov    eax, 10                         ;  Case 38 ('8') of switch 0041ACF3
0041AD5D  |.  E9 DA000000 jmp    0041AE3C
0041AD62  |>  33C0       xor    eax, eax                      ;  Case 39 ('9') of switch 0041ACF3
0041AD64  |.  E9 D3000000 jmp    0041AE3C
0041AD69  |>  B8 11000000 mov    eax, 11                         ;  Case 30 ('0') of switch 0041ACF3
0041AD6E  |.  E9 C9000000 jmp    0041AE3C
0041AD73  |>  B8 1C000000 mov    eax, 1C                         ;  Case 61 ('a') of switch 0041ACF3
0041AD78  |.  E9 BF000000 jmp    0041AE3C
0041AD7D  |>  B8 0C000000 mov    eax, 0C                         ;  Case 62 ('b') of switch 0041ACF3
0041AD82  |.  E9 B5000000 jmp    0041AE3C
0041AD87  |>  B8 14000000 mov    eax, 14                         ;  Case 63 ('c') of switch 0041ACF3
0041AD8C  |.  E9 AB000000 jmp    0041AE3C
0041AD91  |>  B8 0E000000 mov    eax, 0E                         ;  Case 64 ('d') of switch 0041ACF3
0041AD96  |.  E9 A1000000 jmp    0041AE3C
0041AD9B  |>  B8 0D000000 mov    eax, 0D                         ;  Case 65 ('e') of switch 0041ACF3
0041ADA0  |.  E9 97000000 jmp    0041AE3C
0041ADA5  |>  B8 08000000 mov    eax, 8                         ;  Case 66 ('f') of switch 0041ACF3
0041ADAA  |.  E9 8D000000 jmp    0041AE3C
0041ADAF  |>  B8 09000000 mov    eax, 9                         ;  Case 67 ('g') of switch 0041ACF3
0041ADB4  |.  E9 83000000 jmp    0041AE3C
0041ADB9  |>  B8 12000000 mov    eax, 12                         ;  Case 68 ('h') of switch 0041ACF3
0041ADBE  |.  EB 7C       jmp    short 0041AE3C
0041ADC0  |>  B8 03000000 mov    eax, 3                         ;  Case 69 ('i') of switch 0041ACF3
0041ADC5  |.  EB 75       jmp    short 0041AE3C
0041ADC7  |>  B8 0F000000 mov    eax, 0F                         ;  Case 6A ('j') of switch 0041ACF3
0041ADCC  |.  EB 6E       jmp    short 0041AE3C
0041ADCE  |>  B8 15000000 mov    eax, 15                         ;  Case 6B ('k') of switch 0041ACF3
0041ADD3  |.  EB 67       jmp    short 0041AE3C
0041ADD5  |>  B8 1B000000 mov    eax, 1B                         ;  Case 6C ('l') of switch 0041ACF3
0041ADDA  |.  EB 60       jmp    short 0041AE3C
0041ADDC  |>  B8 18000000 mov    eax, 18                         ;  Case 6D ('m') of switch 0041ACF3
0041ADE1  |.  EB 59       jmp    short 0041AE3C
0041ADE3  |>  B8 17000000 mov    eax, 17                         ;  Case 6E ('n') of switch 0041ACF3
0041ADE8  |.  EB 52       jmp    short 0041AE3C
0041ADEA  |>  B8 21000000 mov    eax, 21                         ;  Case 6F ('o') of switch 0041ACF3
0041ADEF  |.  EB 4B       jmp    short 0041AE3C
0041ADF1  |>  B8 1A000000 mov    eax, 1A                         ;  Case 70 ('p') of switch 0041ACF3
0041ADF6  |.  EB 44       jmp    short 0041AE3C
0041ADF8  |>  B8 16000000 mov    eax, 16                         ;  Case 72 ('r') of switch 0041ACF3
0041ADFD  |.  EB 3D       jmp    short 0041AE3C
0041ADFF  |>  B8 1D000000 mov    eax, 1D                         ;  Case 73 ('s') of switch 0041ACF3
0041AE04  |.  EB 36       jmp    short 0041AE3C
0041AE06  |>  B8 1E000000 mov    eax, 1E                         ;  Case 74 ('t') of switch 0041ACF3
0041AE0B  |.  EB 2F       jmp    short 0041AE3C
0041AE0D  |>  B8 23000000 mov    eax, 23                         ;  Case 75 ('u') of switch 0041ACF3
0041AE12  |.  EB 28       jmp    short 0041AE3C
0041AE14  |>  B8 20000000 mov    eax, 20                         ;  Case 76 ('v') of switch 0041ACF3
0041AE19  |.  EB 21       jmp    short 0041AE3C
0041AE1B  |>  B8 19000000 mov    eax, 19                         ;  Case 77 ('w') of switch 0041ACF3
0041AE20  |.  EB 1A       jmp    short 0041AE3C
0041AE22  |>  B8 06000000 mov    eax, 6                         ;  Case 78 ('x') of switch 0041ACF3
0041AE27  |.  EB 13       jmp    short 0041AE3C
0041AE29  |>  B8 1F000000 mov    eax, 1F                         ;  Case 79 ('y') of switch 0041ACF3
0041AE2E  |.  EB 0C       jmp    short 0041AE3C
0041AE30  |>  B8 0A000000 mov    eax, 0A                         ;  Case 7A ('z') of switch 0041ACF3
0041AE35  |.  EB 05       jmp    short 0041AE3C
0041AE37  |>  B8 0B000000 mov    eax, 0B                         ;  Default case of switch 0041ACF3
0041AE3C  |>  394424 10    cmp    dword ptr [esp+10], eax
0041AE40    74 0C       je    short 0041AE4E ;跳不走则失败
0041AE42  |.  C647 0F 10 mov    byte ptr [edi+F], 10
0041AE46  |.  5F          pop    edi
0041AE47  |.  5E          pop    esi
0041AE48  |.  5D          pop    ebp
0041AE49  |.  32C0       xor    al, al
0041AE4B  |.  5B          pop    ebx
0041AE4C  |.  59          pop    ecx
0041AE4D  |.  C3          retn
0041AE4E  |>  0FBE46 01    movsx eax, byte ptr [esi+1]
0041AE52  |.  8D1440       lea    edx, dword ptr [eax+eax*2]
0041AE55  |.  8D14D0       lea    edx, dword ptr [eax+edx*8]
0041AE58  |.  8D1490       lea    edx, dword ptr [eax+edx*4]
0041AE5B  |.  8D0450       lea    eax, dword ptr [eax+edx*2]
0041AE5E  |.  8D1489       lea    edx, dword ptr [ecx+ecx*4]
0041AE61  |.  8D0C51       lea    ecx, dword ptr [ecx+edx*2]
0041AE64  |.  33D2       xor    edx, edx
0041AE66  |.  03C1       add    eax, ecx
0041AE68  |.  B9 24000000 mov    ecx, 24
0041AE6D  |.  F7F1       div    ecx
0041AE6F  |.  8BCF       mov    ecx, edi
0041AE71  |.  8BF2       mov    esi, edx
0041AE73  |.  8A55 01    mov    dl, byte ptr [ebp+1]
0041AE76  |.  885424 10    mov    byte ptr [esp+10], dl
0041AE7A  |.  8B4424 10    mov    eax, dword ptr [esp+10]
0041AE7E  |.  50          push eax
0041AE7F  |.  E8 DC080000 call 0041B760
0041AE84  |.  3BF0       cmp    esi, eax
0041AE86    74 0C       je    short 0041AE94 ;跳不走则失败
0041AE88  |.  C647 0F 10 mov    byte ptr [edi+F], 10
0041AE8C  |.  5F          pop    edi
0041AE8D  |.  5E          pop    esi
0041AE8E  |.  5D          pop    ebp
0041AE8F  |.  32C0       xor    al, al
0041AE91  |.  5B          pop    ebx
0041AE92  |.  59          pop    ecx
0041AE93  |.  C3          retn
0041AE94  |>  8B4F 18    mov    ecx, dword ptr [edi+18]
0041AE97  |.  8B33       mov    esi, dword ptr [ebx]
0041AE99  |.  0FBE49 02    movsx ecx, byte ptr [ecx+2]
0041AE9D  |.  0FBE56 01    movsx edx, byte ptr [esi+1]
0041AEA1  |.  8BC1       mov    eax, ecx
0041AEA3  |.  C1E0 05    shl    eax, 5
0041AEA6  |.  03C1       add    eax, ecx
0041AEA8  |.  8BCA       mov    ecx, edx
0041AEAA  |.  C1E1 05    shl    ecx, 5
0041AEAD  |.  03CA       add    ecx, edx
0041AEAF  |.  8D0440       lea    eax, dword ptr [eax+eax*2]
0041AEB2  |.  8D0C49       lea    ecx, dword ptr [ecx+ecx*2]
0041AEB5  |.  8D144A       lea    edx, dword ptr [edx+ecx*2]
0041AEB8  |.  B9 24000000 mov    ecx, 24
0041AEBD  |.  03C2       add    eax, edx
0041AEBF  |.  33D2       xor    edx, edx
0041AEC1  |.  F7F1       div    ecx
0041AEC3  |.  8BCF       mov    ecx, edi
0041AEC5  |.  8BEA       mov    ebp, edx
0041AEC7  |.  8A56 02    mov    dl, byte ptr [esi+2]
0041AECA  |.  885424 10    mov    byte ptr [esp+10], dl
0041AECE  |.  8B4424 10    mov    eax, dword ptr [esp+10]
0041AED2  |.  50          push eax
0041AED3  |.  E8 A80A0000 call 0041B980
0041AED8  |.  3BE8       cmp    ebp, eax
0041AEDA    74 0C       je    short 0041AEE8 ;跳不走则失败
0041AEDC  |.  C647 0F 10 mov    byte ptr [edi+F], 10
0041AEE0  |.  5F          pop    edi
0041AEE1  |.  5E          pop    esi
0041AEE2  |.  5D          pop    ebp
0041AEE3  |.  32C0       xor    al, al
0041AEE5  |.  5B          pop    ebx
0041AEE6  |.  59          pop    ecx
0041AEE7  |.  C3          retn
0041AEE8  |>  8B77 18    mov    esi, dword ptr [edi+18]
0041AEEB  |.  8B2B       mov    ebp, dword ptr [ebx]
0041AEED  |.  0FBE46 03    movsx eax, byte ptr [esi+3]
0041AEF1  |.  8D0CC0       lea    ecx, dword ptr [eax+eax*8]
0041AEF4  |.  8D0448       lea    eax, dword ptr [eax+ecx*2]
0041AEF7  |.  0FBE4D 02    movsx ecx, byte ptr [ebp+2]
0041AEFB  |.  8BD1       mov    edx, ecx
0041AEFD  |.  C1E2 05    shl    edx, 5
0041AF00  |.  03D1       add    edx, ecx
0041AF02  |.  B9 24000000 mov    ecx, 24
0041AF07  |.  03C2       add    eax, edx
0041AF09  |.  33D2       xor    edx, edx
0041AF0B  |.  F7F1       div    ecx
0041AF0D  |.  0FBE45 03    movsx eax, byte ptr [ebp+3]
0041AF11  |.  83C0 D0    add    eax, -30                      ;  Switch (cases 30..7A)
0041AF14  |.  83F8 4A    cmp    eax, 4A
0041AF17  |.  0F87 34010000 ja    0041B051
0041AF1D  |.  33C9       xor    ecx, ecx
0041AF1F  |.  8A88 D8B24100 mov    cl, byte ptr [eax+41B2D8]
0041AF25  |.  FF248D 44B241>jmp    dword ptr [ecx*4+41B244]
0041AF2C  |>  B8 02000000 mov    eax, 2                         ;  Case 31 ('1') of switch 0041AF11
0041AF31  |.  E9 20010000 jmp    0041B056
0041AF36  |>  B8 13000000 mov    eax, 13                         ;  Case 32 ('2') of switch 0041AF11
0041AF3B  |.  E9 16010000 jmp    0041B056
0041AF40  |>  B8 07000000 mov    eax, 7                         ;  Case 33 ('3') of switch 0041AF11
0041AF45  |.  E9 0C010000 jmp    0041B056
0041AF4A  |>  B8 01000000 mov    eax, 1                         ;  Case 34 ('4') of switch 0041AF11
0041AF4F  |.  E9 02010000 jmp    0041B056
0041AF54  |>  B8 05000000 mov    eax, 5                         ;  Case 35 ('5') of switch 0041AF11
0041AF59  |.  E9 F8000000 jmp    0041B056
0041AF5E  |>  B8 22000000 mov    eax, 22                         ;  Case 36 ('6') of switch 0041AF11
0041AF63  |.  E9 EE000000 jmp    0041B056
0041AF68  |>  B8 10000000 mov    eax, 10                         ;  Case 37 ('7') of switch 0041AF11
0041AF6D  |.  E9 E4000000 jmp    0041B056
0041AF72  |>  B8 04000000 mov    eax, 4                         ;  Case 38 ('8') of switch 0041AF11
0041AF77  |.  E9 DA000000 jmp    0041B056
0041AF7C  |>  B8 11000000 mov    eax, 11                         ;  Case 39 ('9') of switch 0041AF11
0041AF81  |.  E9 D0000000 jmp    0041B056
0041AF86  |>  33C0       xor    eax, eax                      ;  Case 30 ('0') of switch 0041AF11
0041AF88  |.  E9 C9000000 jmp    0041B056
0041AF8D  |>  B8 0C000000 mov    eax, 0C                         ;  Case 61 ('a') of switch 0041AF11
0041AF92  |.  E9 BF000000 jmp    0041B056
0041AF97  |>  B8 1C000000 mov    eax, 1C                         ;  Case 62 ('b') of switch 0041AF11
0041AF9C  |.  E9 B5000000 jmp    0041B056
0041AFA1  |>  B8 0E000000 mov    eax, 0E                         ;  Case 63 ('c') of switch 0041AF11
0041AFA6  |.  E9 AB000000 jmp    0041B056
0041AFAB  |>  B8 14000000 mov    eax, 14                         ;  Case 64 ('d') of switch 0041AF11
0041AFB0  |.  E9 A1000000 jmp    0041B056
0041AFB5  |>  B8 08000000 mov    eax, 8                         ;  Case 65 ('e') of switch 0041AF11
0041AFBA  |.  E9 97000000 jmp    0041B056
0041AFBF  |>  B8 0D000000 mov    eax, 0D                         ;  Case 66 ('f') of switch 0041AF11
0041AFC4  |.  E9 8D000000 jmp    0041B056
0041AFC9  |>  B8 12000000 mov    eax, 12                         ;  Case 67 ('g') of switch 0041AF11
0041AFCE  |.  E9 83000000 jmp    0041B056
0041AFD3  |>  B8 09000000 mov    eax, 9                         ;  Case 68 ('h') of switch 0041AF11
0041AFD8  |.  EB 7C       jmp    short 0041B056
0041AFDA  |>  B8 0F000000 mov    eax, 0F                         ;  Case 69 ('i') of switch 0041AF11
0041AFDF  |.  EB 75       jmp    short 0041B056
0041AFE1  |>  B8 03000000 mov    eax, 3                         ;  Case 6A ('j') of switch 0041AF11
0041AFE6  |.  EB 6E       jmp    short 0041B056
0041AFE8  |>  B8 1B000000 mov    eax, 1B                         ;  Case 6B ('k') of switch 0041AF11
0041AFED  |.  EB 67       jmp    short 0041B056
0041AFEF  |>  B8 15000000 mov    eax, 15                         ;  Case 6C ('l') of switch 0041AF11
0041AFF4  |.  EB 60       jmp    short 0041B056
0041AFF6  |>  B8 17000000 mov    eax, 17                         ;  Case 6D ('m') of switch 0041AF11
0041AFFB  |.  EB 59       jmp    short 0041B056
0041AFFD  |>  B8 18000000 mov    eax, 18                         ;  Case 6E ('n') of switch 0041AF11
0041B002  |.  EB 52       jmp    short 0041B056
0041B004  |>  B8 1A000000 mov    eax, 1A                         ;  Case 6F ('o') of switch 0041AF11
0041B009  |.  EB 4B       jmp    short 0041B056
0041B00B  |>  B8 21000000 mov    eax, 21                         ;  Case 70 ('p') of switch 0041AF11
0041B010  |.  EB 44       jmp    short 0041B056
0041B012  |>  B8 16000000 mov    eax, 16                         ;  Case 71 ('q') of switch 0041AF11
0041B017  |.  EB 3D       jmp    short 0041B056
0041B019  |>  B8 1E000000 mov    eax, 1E                         ;  Case 73 ('s') of switch 0041AF11
0041B01E  |.  EB 36       jmp    short 0041B056
0041B020  |>  B8 1D000000 mov    eax, 1D                         ;  Case 74 ('t') of switch 0041AF11
0041B025  |.  EB 2F       jmp    short 0041B056
0041B027  |>  B8 20000000 mov    eax, 20                         ;  Case 75 ('u') of switch 0041AF11
0041B02C  |.  EB 28       jmp    short 0041B056
0041B02E  |>  B8 23000000 mov    eax, 23                         ;  Case 76 ('v') of switch 0041AF11
0041B033  |.  EB 21       jmp    short 0041B056
0041B035  |>  B8 06000000 mov    eax, 6                         ;  Case 77 ('w') of switch 0041AF11
0041B03A  |.  EB 1A       jmp    short 0041B056
0041B03C  |>  B8 19000000 mov    eax, 19                         ;  Case 78 ('x') of switch 0041AF11
0041B041  |.  EB 13       jmp    short 0041B056
0041B043  |>  B8 0A000000 mov    eax, 0A                         ;  Case 79 ('y') of switch 0041AF11
0041B048  |.  EB 0C       jmp    short 0041B056
0041B04A  |>  B8 1F000000 mov    eax, 1F                         ;  Case 7A ('z') of switch 0041AF11
0041B04F  |.  EB 05       jmp    short 0041B056
0041B051  |>  B8 0B000000 mov    eax, 0B                         ;  Default case of switch 0041AF11
0041B056  |>  3BD0       cmp    edx, eax
0041B058    74 0C       je    short 0041B066 ;跳不走则失败
0041B05A  |.  C647 0F 10 mov    byte ptr [edi+F], 10
0041B05E  |.  5F          pop    edi
0041B05F  |.  5E          pop    esi
0041B060  |.  5D          pop    ebp
0041B061  |.  32C0       xor    al, al
0041B063  |.  5B          pop    ebx
0041B064  |.  59          pop    ecx
0041B065  |.  C3          retn
0041B066  |>  0FBE46 01    movsx eax, byte ptr [esi+1]
0041B06A  |.  8D1440       lea    edx, dword ptr [eax+eax*2]
0041B06D  |.  8D0CD0       lea    ecx, dword ptr [eax+edx*8]
0041B070  |.  8D1488       lea    edx, dword ptr [eax+ecx*4]
0041B073  |.  0FBE4E 02    movsx ecx, byte ptr [esi+2]
0041B077  |.  8D0450       lea    eax, dword ptr [eax+edx*2]
0041B07A  |.  8D1489       lea    edx, dword ptr [ecx+ecx*4]
0041B07D  |.  8D0C51       lea    ecx, dword ptr [ecx+edx*2]
0041B080  |.  33D2       xor    edx, edx
0041B082  |.  03C1       add    eax, ecx
0041B084  |.  B9 24000000 mov    ecx, 24
0041B089  |.  F7F1       div    ecx
0041B08B  |.  8BCF       mov    ecx, edi
0041B08D  |.  8BF2       mov    esi, edx
0041B08F  |.  8A55 05    mov    dl, byte ptr [ebp+5]
0041B092  |.  885424 10    mov    byte ptr [esp+10], dl
0041B096  |.  8B4424 10    mov    eax, dword ptr [esp+10]
0041B09A  |.  50          push eax
0041B09B  |.  E8 C0060000 call 0041B760
0041B0A0  |.  3BF0       cmp    esi, eax
0041B0A2    74 0C       je    short 0041B0B0 ;跳不走则失败
0041B0A4  |.  C647 0F 10 mov    byte ptr [edi+F], 10
0041B0A8  |.  5F          pop    edi
0041B0A9  |.  5E          pop    esi
0041B0AA  |.  5D          pop    ebp
0041B0AB  |.  32C0       xor    al, al
0041B0AD  |.  5B          pop    ebx
0041B0AE  |.  59          pop    ecx
0041B0AF  |.  C3          retn
0041B0B0  |>  8B57 18    mov    edx, dword ptr [edi+18]
0041B0B3  |.  C647 0C 01 mov    byte ptr [edi+C], 1
0041B0B7  |.  0FBE4A 03    movsx ecx, byte ptr [edx+3]
0041B0BB  |.  0FBE52 02    movsx edx, byte ptr [edx+2]
0041B0BF  |.  8BC1       mov    eax, ecx
0041B0C1  |.  C1E0 05    shl    eax, 5
0041B0C4  |.  03C1       add    eax, ecx
0041B0C6  |.  8D0440       lea    eax, dword ptr [eax+eax*2]
0041B0C9  |.  8D0441       lea    eax, dword ptr [ecx+eax*2]
0041B0CC  |.  8BCA       mov    ecx, edx
0041B0CE  |.  C1E1 05    shl    ecx, 5
0041B0D1  |.  03CA       add    ecx, edx
0041B0D3  |.  33D2       xor    edx, edx
0041B0D5  |.  8D0C49       lea    ecx, dword ptr [ecx+ecx*2]
0041B0D8  |.  03C1       add    eax, ecx
0041B0DA  |.  B9 24000000 mov    ecx, 24
0041B0DF  |.  F7F1       div    ecx
0041B0E1  |.  8BF2       mov    esi, edx
0041B0E3  |.  8B13       mov    edx, dword ptr [ebx]
0041B0E5  |.  8A42 06    mov    al, byte ptr [edx+6]
0041B0E8  |.  884424 10    mov    byte ptr [esp+10], al
0041B0EC  |.  8B4C24 10    mov    ecx, dword ptr [esp+10]
0041B0F0  |.  51          push ecx
0041B0F1  |.  8BCF       mov    ecx, edi
0041B0F3  |.  E8 88080000 call 0041B980
0041B0F8  |.  3BF0       cmp    esi, eax
0041B0FA    74 0C       je    short 0041B108 ;跳不走则失败
0041B0FC  |.  C647 0F 10 mov    byte ptr [edi+F], 10
0041B100  |.  5F          pop    edi
0041B101  |.  5E          pop    esi
0041B102  |.  5D          pop    ebp
0041B103  |.  32C0       xor    al, al
0041B105  |.  5B          pop    ebx
0041B106  |.  59          pop    ecx
0041B107  |.  C3          retn
0041B108  |>  8B4F 18    mov    ecx, dword ptr [edi+18]
0041B10B  |.  C647 0D 01 mov    byte ptr [edi+D], 1
0041B10F  |.  0FBE51 05    movsx edx, byte ptr [ecx+5]
0041B113  |.  0FBE49 04    movsx ecx, byte ptr [ecx+4]
0041B117  |.  8BC2       mov    eax, edx
0041B119  |.  C1E0 05    shl    eax, 5
0041B11C  |.  03C2       add    eax, edx
0041B11E  |.  8D14C9       lea    edx, dword ptr [ecx+ecx*8]
0041B121  |.  8D0C51       lea    ecx, dword ptr [ecx+edx*2]
0041B124  |.  33D2       xor    edx, edx
0041B126  |.  03C1       add    eax, ecx
0041B128  |.  B9 24000000 mov    ecx, 24
0041B12D  |.  F7F1       div    ecx
0041B12F  |.  8BF2       mov    esi, edx
0041B131  |.  8B13       mov    edx, dword ptr [ebx]
0041B133  |.  8A42 07    mov    al, byte ptr [edx+7]
0041B136  |.  884424 10    mov    byte ptr [esp+10], al
0041B13A  |.  8B4C24 10    mov    ecx, dword ptr [esp+10]
0041B13E  |.  51          push ecx
0041B13F  |.  8BCF       mov    ecx, edi
0041B141  |.  E8 EA010000 call 0041B330
0041B146  |.  3BF0       cmp    esi, eax
0041B148    74 0C       je    short 0041B156 ;跳不走则失败
0041B14A  |.  C647 0F 10 mov    byte ptr [edi+F], 10
0041B14E  |.  5F          pop    edi
0041B14F  |.  5E          pop    esi
0041B150  |.  5D          pop    ebp
0041B151  |.  32C0       xor    al, al
0041B153  |.  5B          pop    ebx
0041B154  |.  59          pop    ecx
0041B155  |.  C3          retn
0041B156  |>  C647 0F 13 mov    byte ptr [edi+F], 13 ;这里是成功的标志位
0041B15A  |.  5F          pop    edi
0041B15B  |.  5E          pop    esi
0041B15C  |.  5D          pop    ebp
0041B15D  |.  B0 01       mov    al, 1 ;这里的al值用于关键Call后面的跳转
0041B15F  |.  5B          pop    ebx
0041B160  |.  59          pop    ecx
0041B161  \.  C3          retn

经过分析，对判断流程大致了解，把所有带注释的je改成jmp即可完成爆破。
也可把关键Call的开头0041AC90那里改为
mov byte ptr [edi+F],13
mov al,1
retn
也可完成爆破。

我还是不能发附件，郁闷……

你就到我网盘去下载破好了的主程序文件吧。
网盘地址：http://www.edisk.org/?zlm324
文件名：VoiceWriter_crack.rar

2007-6-23 13:33

0

菜鸟求学

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

33

回帖

137

粉丝

0

关注

私信

菜鸟求学: 5 楼

比我强，我是没那个能力和耐心去跟哈哈

2007-6-23 13:44

0

qianyicy

雪币： 228

活跃值： (10)

能力值：

( LV8，RANK：130 )

在线值：

发帖

18

回帖

95

粉丝

0

关注

私信

qianyicy 3: 6 楼

我载入后不能用F8了,没去跟,呵

2007-6-23 14:33

0

斜阳残雪

雪币： 228

活跃值： (11)

能力值：

( LV8，RANK：130 )

在线值：

发帖

6

回帖

92

粉丝

0

关注

私信

斜阳残雪 3: 7 楼

哈哈，这个软件会占用F2、F7、F8这三个快捷键:)

你在软件的快捷键设置里面把这三个给空出来就行了。

2007-6-23 18:36

0

btlelite

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

5

粉丝

0

关注

私信

btlelite: 8 楼

谢谢斜阳残雪的帮助,辛苦了!
按照这种思路,我一路跟随各跳转进行分析和修改,最终成功的突破一分钟限制
收获很多,好像注册码也就是在这里面计算,等什么时候算出注册码了,再来答谢:)
(不过残雪兄修订好的执行文件,显示的是注册版本,但是还是没有突破一分钟限制,但是按照这个思路一定是成功的:))

2007-6-25 16:53

0

斜阳残雪

雪币： 228

活跃值： (11)

能力值：

( LV8，RANK：130 )

在线值：

发帖

6

回帖

92

粉丝

0

关注

私信

斜阳残雪 3: 9 楼

这个程序还有一分钟的限制？没注意到……是我粗心了，不好意思

不过楼主终于能突破还是值得恭喜的

2007-6-26 01:14

0

斜阳残雪

雪币： 228

活跃值： (11)

能力值：

( LV8，RANK：130 )

在线值：

发帖

6

回帖

92

粉丝

0

关注

私信

斜阳残雪 3: 10 楼

另外，一分钟的限制那里能贴一块代码出来看看吗？

2007-6-26 01:15

0

lianxishen

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

3

粉丝

0

关注

私信

lianxishen: 11 楼

试用了一下, 软件似乎不错, 楼主成功后可否共享一下. 我还是新手, 自己搞不定

还想请教各位, 为什么我用OD载入后, F9, 软件进程是有了, 但是界面却不弹出来. 先运行软件, 再用OD附加的话, 一按注册, od就出错关闭.

2007-6-26 19:42

0

斜阳残雪

雪币： 228

活跃值： (11)

能力值：

( LV8，RANK：130 )

在线值：

发帖

6

回帖

92

粉丝

0

关注

私信

斜阳残雪 3: 12 楼

我忘了这个软件有没有加壳了，你自己查一下，有的话脱一下就成。

2007-6-27 13:42

0

lianxishen

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

3

粉丝

0

关注

私信

lianxishen: 13 楼

用PEID查了一下, 除了外部扫描显示为"armadillo 1.71*"之外, 其他的都显示成vc++6.

这个算是加壳了吗? 还是伪装过了?

2007-6-27 17:39

0

斜阳残雪

雪币： 228

活跃值： (11)

能力值：

( LV8，RANK：130 )

在线值：

发帖

6

回帖

92

粉丝

0

关注

私信

斜阳残雪 3: 14 楼

我不记得有没有壳了，如果真的有的话，我一定就是用dilloDIE 1.6脱掉的，因为我对付壳的能力为0，所以能脱掉的话就一定是脱壳机干的:)

2007-6-27 21:32

0

lianxishen

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

3

粉丝

0

关注

私信

lianxishen: 15 楼

谢谢斜阳残雪, 软件已经被我卸了. 准备先把基础的弄弄熟再来搞

2007-6-29 17:50

0

syzlsyf

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

2

粉丝

0

关注

私信

syzlsyf: 16 楼

VoiceWriter_crack.rar 在您的网盘里没有找到。

2007-8-13 11:37

0

fenghui

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

1

粉丝

0

关注

私信

fenghui: 17 楼

楼主没有回来吗，成功后可否共享一下？

2007-8-16 10:15

0

digital

雪币： 200

活跃值： (16)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

5

粉丝

0

关注

私信

digital: 18 楼

能不能从新上传一次

2007-8-16 11:23

0

digital

雪币： 200

活跃值： (16)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

5

粉丝

0

关注

私信

digital: 19 楼

昨天回家试了一下，这个软件很好用，在斜阳残雪的网盘中没有找到VoiceWriter_crack.rar于是根据斜阳残雪的方法进行了爆破过程如下：用winhex将VoiceWriter.exe下面8处地址的74该为EB即可
1ACB4: 74->EB
1AE40: 74->EB
1AE86: 74->EB
1AEDA: 74->EB
1B058: 74->EB
1B0A2: 74->EB
1B0FA: 74->EB
1B148: 74->EB

2007-8-17 08:01

0

heihu

雪币： 1136

活跃值： (683)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

187

粉丝

0

关注

私信

heihu: 20 楼

00405A40 .  51          push ecx
00405A41 .  56          push esi
00405A42 .  57          push edi
00405A43 .  8BF9       mov    edi, ecx
00405A45 .  8DB7 244D0000 lea    esi, dword ptr [edi+4D24]
00405A4B .  8BCE       mov    ecx, esi
00405A4D .  E8 0E4F0100 call 0041A960
00405A52 .  8BCE       mov    ecx, esi
00405A54 .  E8 075C0100 call 0041B660
00405A59 .  8BCE       mov    ecx, esi
00405A5B .  E8 30520100 call 0041AC90
00405A60 .  84C0       test al, al
00405A62 .  74 17       je    short 00405A7B
00405A64 .  6A 00       push 0
00405A66 .  68 8C684300 push 0043688C                      ;  三耳软件
00405A6B .  68 7C684300 push 0043687C                      ;  您已成功注册!
00405A70 .  8BCF       mov    ecx, edi
00405A72 .  E8 9F350200 call <jmp.&MFC42.#4224>
00405A77 .  5F          pop    edi
00405A78 .  5E          pop    esi
00405A79 .  59          pop    ecx
00405A7A .  C3          retn
00405A7B >  8D4424 08    lea    eax, dword ptr [esp+8]
00405A7F .  8BCE       mov    ecx, esi
00405A81 .  50          push eax
00405A82 .  E8 795C0100 call 0041B700
00405A87 .  8BCF       mov    ecx, edi
00405A89 .  E8 02C3FFFF call 00401D90
00405A8E .  8BCE       mov    ecx, esi
00405A90 .  E8 CB5B0100 call 0041B660
00405A95 .  8BCE       mov    ecx, esi
00405A97 .  E8 F4510100 call 0041AC90
00405A9C .  84C0       test al, al
00405A9E .  6A 00       push 0
00405AA0 .  68 8C684300 push 0043688C                      ;  三耳软件
00405AA5 .  75 10       jnz    short 00405AB7
00405AA7 .  68 68684300 push 00436868                      ;  对不起,密码不正确!
00405AAC .  8BCF       mov    ecx, edi
00405AAE .  E8 63350200 call <jmp.&MFC42.#4224>
00405AB3 .  5F          pop    edi
00405AB4 .  5E          pop    esi
00405AB5 .  59          pop    ecx
00405AB6 .  C3          retn
00405AB7 >  68 5C684300 push 0043685C                      ;  成功注册!
00405ABC .  8BCF       mov    ecx, edi
00405ABE .  E8 53350200 call <jmp.&MFC42.#4224>
00405AC3 .  5F          pop    edi
00405AC4 .  5E          pop    esi
00405AC5 .  59          pop    ecx
00405AC6 .  C3          retn

字符串查找“对不起,密码不正确!”然后网上找，找到注册成功这个提示框，这个就是跳转关键了！00405A60 .  84C0       test al, al
00405A62 .  74 17       je    short 00405A7B

这个跳转就是关键！在这个跳转上面有个关键Call我们按Enter键进入Call打入汇编代码mov al,1;
retn;然后选择保存就可以完全破解这个软件了！这个软件是使用了标志位来判断的！如果改跳转有那么多跳转难道一个一个改啊！累死人了！只要找到这个关键标志位判断的地方修改一下就OK了！不用那么麻烦的去改那么多的跳转！本人也是菜鸟一只！
感谢Pediy让我学到了好多！

2007-8-17 09:05

0