【破解作者】 ftts[BCG]
【作者主页】 http://www.techsmith.com
【使用工具】 ollydbg
【破解平台】 Win9x/NT/2000/XP
【软件名称】 Camtasia Studio Version 2.1
【下载地址】 http://www.techsmith.com/download/studiodefault.asp?lid=DownloadCamtasiaStudio
【软件简介】 Camtasia Studio 2 screen recordings enable you to create tutorials and demonstrations with ease. With is a
full range of recording, editing and publishing options, including Flash and streaming video formats, Camtasia Studio
helps you reach every user in their preferred format
【软件大小】 27.2 MB
【加壳方式】 无壳
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:
--------------------------------------------------------------------------------
【破解内容】 声明:这是Camtasia Studio 目前最新的版本,它提供了两种类型的注册码
一种是18位的注册码,一种是25位的注册码,这里的18位的用了md5算法,
之于这里的代码我就没给出了,因为它是与snagit 相同,感兴趣的朋友可以去
参考我写的snagit v7.01的破解教程,之于那计算25位的注册码是什么算法
我就不知道了,反正是很复杂的,我算法好久还是没找出什么来。
下面开始吧!
-----------------------------
我们现在有了破解snagit的经验了,我们可以直接找ascll "RegisteredTo" 来到下面这里
断下点 ,输入用户名:ftts[BCG] 注册码:123456789012615678 点注册马上就被断在这里了
005543EE . 50 push eax
005543EF . 68 ED270000 push 27ED
005543F4 . 8BCE mov ecx,esi
005543F6 . C64424 24 01 mov byte ptr ss:[esp+24],1
005543FB . E8 BE5F0100 call <jmp.&MFC71.#2662> ; 取注册码
00554400 . 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00554404 . 51 push ecx
00554405 . 68 EE270000 push 27EE
0055440A . 8BCE mov ecx,esi
0055440C . E8 AD5F0100 call <jmp.&MFC71.#2662> ; 取用户名
00554411 . 8B8E 90000000 mov ecx,dword ptr ds:[esi+90]
00554417 . 8B41 30 mov eax,dword ptr ds:[ecx+30]
0055441A . 85C0 test eax,eax
0055441C . 75 68 jnz short Camtasia.00554486
0055441E . 8B81 B8000000 mov eax,dword ptr ds:[ecx+B8]
00554424 . 85C0 test eax,eax
00554426 . 74 5E je short Camtasia.00554486 ; 跳转
00554428 . E8 73D3FFFF call Camtasia.005517A0
0055442D . 85C0 test eax,eax
0055442F . 75 55 jnz short Camtasia.00554486
00554431 . 68 78CE5A00 push Camtasia.005ACE78 ; ASCII "reset"
00554436 . 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0055443A . FF15 1C755800 call dword ptr ds:[<&MFC71.#1486>] ; MFC71.7C188CD7
00554440 . 85C0 test eax,eax
00554442 . 75 42 jnz short Camtasia.00554486
00554444 . 8B8E 90000000 mov ecx,dword ptr ds:[esi+90]
0055444A . 50 push eax ; /Arg2
0055444B . 6A 01 push 1 ; |Arg1 = 00000001
0055444D . E8 DED9FFFF call Camtasia.00551E30 ; \Camtasia.00551E30
00554452 > 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00554456 . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0055445C . 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00554460 . C74424 1C FFFFFFFF mov dword ptr ss:[esp+1C],-1
00554468 . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0055446E > 8BCE mov ecx,esi
00554470 . E8 095D0100 call <jmp.&MFC71.#5071>
00554475 . 5E pop esi
00554476 . 5B pop ebx
00554477 . 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
0055447B . 64:890D 00000000 mov dword ptr fs:[0],ecx
00554482 . 83C4 18 add esp,18
00554485 . C3 retn
00554486 > 8B8E 90000000 mov ecx,dword ptr ds:[esi+90]
0055448C . 8D5424 0C lea edx,dword ptr ss:[esp+C]
00554490 . 52 push edx
00554491 . 8D4424 0C lea eax,dword ptr ss:[esp+C]
00554495 . 50 push eax
00554496 . 56 push esi
00554497 . E8 84DDFFFF call Camtasia.00552220 ; 注册算法,跟进去吧!
0055449C . 8BD8 mov ebx,eax
0055449E . 8B86 88000000 mov eax,dword ptr ds:[esi+88]
005544A4 . 85C0 test eax,eax
005544A6 . 0F85 BD000000 jnz Camtasia.00554569
005544AC . 8B8E 90000000 mov ecx,dword ptr ds:[esi+90]
005544B2 . 53 push ebx
005544B3 . E8 B8CEFFFF call Camtasia.00551370
005544B8 . 85C0 test eax,eax
005544BA . 0F84 A9000000 je Camtasia.00554569
005544C0 . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
005544C4 . FF15 B8735800 call dword ptr ds:[<&MFC71.#310>] ; MFC71.7C173199
005544CA . 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
005544CE . C64424 1C 02 mov byte ptr ss:[esp+1C],2
005544D3 . FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
005544D9 . 8B8E 90000000 mov ecx,dword ptr ds:[esi+90]
005544DF . 50 push eax ; /Arg2
005544E0 . 68 30BD5A00 push Camtasia.005ABD30 ; |Arg1 = 005ABD30 ASCII "RegistrationKey"
005544E5 . E8 A6CEFFFF call Camtasia.00551390 ; \Camtasia.00551390
005544EA . 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
005544EE . FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
005544F4 . 8B8E 90000000 mov ecx,dword ptr ds:[esi+90]
005544FA . 50 push eax ; /Arg2
005544FB . 68 40BD5A00 push Camtasia.005ABD40 ; |Arg1 = 005ABD40 ASCII "RegisteredTo"
00554500 . E8 8BCEFFFF call Camtasia.00551390 ; \Camtasia.00551390
00554505 . 6A 1D push 1D ; /Arg3 = 0000001D
00554507 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; |
0055450B . 51 push ecx ; |Arg2
0055450C . 8B8E 90000000 mov ecx,dword ptr ds:[esi+90] ; |
00554512 . 68 30BD5A00 push Camtasia.005ABD30 ; |Arg1 = 005ABD30 ASCII "RegistrationKey"
00554517 . E8 04CFFFFF call Camtasia.00551420 ; \Camtasia.00551420
0055451C . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
----------------------------------------跟进注册算法
00552220 /$ 53 push ebx ; 向下看看吧!会发现些什么
00552221 |. 8B5C24 08 mov ebx,dword ptr ss:[esp+8]
00552225 |. 85DB test ebx,ebx
00552227 |. 55 push ebp
00552228 |. 56 push esi
00552229 |. 8BF1 mov esi,ecx
0055222B |. 75 1A jnz short Camtasia.00552247
0055222D |. E8 56820100 call <jmp.&MFC71.#1091>
00552232 |. 85C0 test eax,eax
00552234 |. 74 0B je short Camtasia.00552241
00552236 |. 8B10 mov edx,dword ptr ds:[eax]
00552238 |. 8BC8 mov ecx,eax
0055223A |. FF52 7C call dword ptr ds:[edx+7C]
0055223D |. 8BD8 mov ebx,eax
0055223F |. EB 02 jmp short Camtasia.00552243
00552241 |> 33DB xor ebx,ebx
00552243 |> 895C24 10 mov dword ptr ss:[esp+10],ebx
00552247 |> 8B6C24 18 mov ebp,dword ptr ss:[esp+18]
0055224B |. 8BCD mov ecx,ebp
0055224D |. FF15 9C805800 call dword ptr ds:[<&MFC71.#3934>] ; MFC71.7C1501A3
00552253 |. 84C0 test al,al
00552255 |. 74 47 je short Camtasia.0055229E ; 这里是要跳的,不然就ret了
00552257 |. 68 3E280000 push 283E
0055225C |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00552260 |. FF15 D8735800 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
00552266 |. 85DB test ebx,ebx
00552268 |. 74 03 je short Camtasia.0055226D
0055226A |. 8B5B 20 mov ebx,dword ptr ds:[ebx+20]
0055226D |> 6A 00 push 0
0055226F |. 8D4E 44 lea ecx,dword ptr ds:[esi+44]
00552272 |. FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
00552278 |. 50 push eax
00552279 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0055227D |. FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
00552283 |. 50 push eax ; |Text
00552284 |. 53 push ebx ; |hOwner
00552285 |. FF15 24855800 call dword ptr ds:[<&USER32.Messag>; \MessageBoxA
0055228B |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0055228F |. FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
00552295 |. 5E pop esi
00552296 |. 5D pop ebp
00552297 |. 66:33C0 xor ax,ax
0055229A |. 5B pop ebx
0055229B |. C2 0C00 retn 0C
0055229E |> 57 push edi
0055229F |. 8B7C24 18 mov edi,dword ptr ss:[esp+18]
005522A3 |. 8BCF mov ecx,edi
005522A5 |. FF15 AC765800 call dword ptr ds:[<&MFC71.#6180>] ; MFC71.7C18A010
005522AB |. 8B06 mov eax,dword ptr ds:[esi]
005522AD |. 55 push ebp
005522AE |. 57 push edi
005522AF |. 8BCE mov ecx,esi
005522B1 |. FF50 18 call dword ptr ds:[eax+18]
005522B4 |. 84C0 test al,al
005522B6 |. 75 12 jnz short Camtasia.005522CA ; 要跳
005522B8 |. 8B16 mov edx,dword ptr ds:[esi]
005522BA |. 53 push ebx
005522BB |. 8BCE mov ecx,esi
005522BD |. FF52 1C call dword ptr ds:[edx+1C]
005522C0 |. 5F pop edi
005522C1 |. 5E pop esi
005522C2 |. 5D pop ebp
005522C3 |. 66:33C0 xor ax,ax
005522C6 |. 5B pop ebx
005522C7 |. C2 0C00 retn 0C
005522CA |> 68 D5A05800 push Camtasia.0058A0D5
005522CF |. 68 00BD5A00 push Camtasia.005ABD00
005522D4 |. 8BCF mov ecx,edi
005522D6 |. FF15 2C755800 call dword ptr ds:[<&MFC71.#5491>] ; MFC71.7C189DD6
005522DC |. 8B1E mov ebx,dword ptr ds:[esi]
005522DE |. 8BCF mov ecx,edi
005522E0 |. FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
005522E6 |. 50 push eax
005522E7 |. 8BCD mov ecx,ebp
005522E9 |. FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
005522EF |. 50 push eax
005522F0 |. 8BCE mov ecx,esi
005522F2 |. FF53 24 call dword ptr ds:[ebx+24] ; 注册算法跟进去
005522F5 |. 8BD8 mov ebx,eax
005522F7 |. 80FB 01 cmp bl,1
005522FA |. 75 53 jnz short Camtasia.0055234F
005522FC |. 8BCF mov ecx,edi
005522FE |. C746 30 01000000 mov dword ptr ds:[esi+30],1
00552305 |. C786 B8000000 00000>mov dword ptr ds:[esi+B8],0
0055230F |. FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
00552315 |. 50 push eax ; /Arg2
00552316 |. 68 30BD5A00 push Camtasia.005ABD30 ; |Arg1 = 005ABD30 ASCII "RegistrationKey"
0055231B |. 8BCE mov ecx,esi ; |
0055231D |. E8 6EF0FFFF call Camtasia.00551390 ; \Camtasia.00551390
00552322 |. 8BCD mov ecx,ebp
00552324 |. FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0055232A |. 50 push eax ; /Arg2
0055232B |. 68 40BD5A00 push Camtasia.005ABD40 ; |Arg1 = 005ABD40 ASCII "RegisteredTo"
00552330 |. 8BCE mov ecx,esi ; |
00552332 |. E8 59F0FFFF call Camtasia.00551390 ; \Camtasia.00551390
00552337 |. 8B4424 14 mov eax,dword ptr ss:[esp+14]
0055233B |. 57 push edi ; /Arg3
0055233C |. 55 push ebp ; |Arg2
0055233D |. 50 push eax ; |Arg1
0055233E |. 8BCE mov ecx,esi ; |
00552340 |. E8 BBF8FFFF call Camtasia.00551C00 ; \Camtasia.00551C00
---------------------------------------跟进注册算法
0054A030 . 6A FF push -1 ; 这里是注册算法
0054A032 . 68 9B385800 push Camtasia.0058389B ; SE handler installation
0054A037 . 64:A1 00000000 mov eax,dword ptr fs:[0]
0054A03D . 50 push eax
0054A03E . 64:8925 00000000 mov dword ptr fs:[0],esp
0054A045 . 81EC 84000000 sub esp,84
0054A04B . 8B8424 98000000 mov eax,dword ptr ss:[esp+98]
0054A052 . 53 push ebx
0054A053 . 55 push ebp
0054A054 . 56 push esi
0054A055 . 57 push edi
0054A056 . 33F6 xor esi,esi
0054A058 . 8BE9 mov ebp,ecx
0054A05A . 897424 14 mov dword ptr ss:[esp+14],esi
0054A05E . BF 08000000 mov edi,8
0054A063 . 50 push eax
0054A064 . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0054A068 . 897424 2C mov dword ptr ss:[esp+2C],esi
0054A06C . 897C24 38 mov dword ptr ss:[esp+38],edi
0054A070 . 32DB xor bl,bl
0054A072 . C64424 17 0A mov byte ptr ss:[esp+17],0A
0054A077 . FF15 D8735800 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
0054A07D . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A081 . 89B424 9C000000 mov dword ptr ss:[esp+9C],esi
0054A088 . FF15 D0805800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0054A08E . 83F8 1D cmp eax,1D
0054A091 . 0F84 1E020000 je Camtasia.0054A2B5 ;
0054A097 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A09B . FF15 D0805800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0054A0A1 . 83F8 19 cmp eax,19---->>看这里 这里跳下去是注册码25位的算法它不是md5
0054A0A4 . 0F84 0B020000 je Camtasia.0054A2B5 ;
0054A0AA . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A0AE . FF15 D0805800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0054A0B4 . 83F8 0E cmp eax,0E
0054A0B7 . 74 19 je short Camtasia.0054A0D2
0054A0B9 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A0BD . FF15 D0805800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0054A0C3 . 83F8 12 cmp eax,12------------> 这里下去是注册码18位的算法(md5)
0054A0C6 . 74 0A je short Camtasia.0054A0D2
0054A0C8 . C64424 13 0C mov byte ptr ss:[esp+13],0C
0054A0CD . E9 17030000 jmp Camtasia.0054A3E9 ; 不能到这里
0054A0D2 > 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A0D6 . 51 push ecx
0054A0D7 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A0DB . FF15 8C805800 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
0054A0E1 . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0054A0E5 . FF15 B8735800 call dword ptr ds:[<&MFC71.#310>] ; MFC71.7C173199
0054A0EB . 6A 04 push 4
0054A0ED . 8D5424 18 lea edx,dword ptr ss:[esp+18]
0054A0F1 . B3 06 mov bl,6
0054A0F3 . 52 push edx
0054A0F4 . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0054A0F8 . 889C24 A4000000 mov byte ptr ss:[esp+A4],bl
0054A0FF . FF15 84765800 call dword ptr ds:[<&MFC71.#5563>] ; MFC71.7C188DED
0054A105 . 50 push eax
0054A106 . 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0054A10A . C68424 A0000000 07 mov byte ptr ss:[esp+A0],7
0054A112 . FF15 58805800 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15
0054A118 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0054A11C . 889C24 9C000000 mov byte ptr ss:[esp+9C],bl
0054A123 . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0054A129 . 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0054A12D . FF15 D0805800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0054A133 . 83E8 04 sub eax,4 ; eax=12
0054A136 . 50 push eax
0054A137 . 8D4424 18 lea eax,dword ptr ss:[esp+18]
0054A13B . 50 push eax
0054A13C . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0054A140 . FF15 4C755800 call dword ptr ds:[<&MFC71.#3997>] ; MFC71.7C188E36
0054A146 . 50 push eax
0054A147 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A14B . C68424 A0000000 08 mov byte ptr ss:[esp+A0],8
0054A153 . FF15 58805800 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15
0054A159 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0054A15D . 889C24 9C000000 mov byte ptr ss:[esp+9C],bl
0054A164 . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0054A16A . 33C9 xor ecx,ecx
0054A16C . 894C24 38 mov dword ptr ss:[esp+38],ecx
0054A170 . 894C24 3C mov dword ptr ss:[esp+3C],ecx
0054A174 . 894C24 40 mov dword ptr ss:[esp+40],ecx
0054A178 . 66:894C24 44 mov word ptr ss:[esp+44],cx
0054A17D . 884C24 46 mov byte ptr ss:[esp+46],cl
0054A181 . 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0054A185 . FF15 D0805800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0054A18B . 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0054A18F . 8BD8 mov ebx,eax
0054A191 . FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0054A197 . 8BCB mov ecx,ebx
0054A199 . 8BD1 mov edx,ecx
0054A19B . C1E9 02 shr ecx,2
0054A19E . 8BF0 mov esi,eax
0054A1A0 . 8D7C24 38 lea edi,dword ptr ss:[esp+38]
0054A1A4 . F3:A5 rep movs dword ptr es:[edi],dword >
0054A1A6 . 8BCA mov ecx,edx
0054A1A8 . 83E1 03 and ecx,3
0054A1AB . 6A 10 push 10
0054A1AD . F3:A4 rep movs byte ptr es:[edi],byte pt>
0054A1AF . 6A 00 push 0
0054A1B1 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0054A1B5 . FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0054A1BB . 8B35 C0815800 mov esi,dword ptr ds:[<&MSVCR71.st>; |MSVCR71.strtoul
0054A1C1 . 50 push eax ; |s
0054A1C2 . FFD6 call esi ; \strtoul
0054A1C4 . 894424 34 mov dword ptr ss:[esp+34],eax
0054A1C8 . 8D4424 6C lea eax,dword ptr ss:[esp+6C]
0054A1CC . 50 push eax
0054A1CD . E8 2E940000 call Camtasia.00553600 ; 跟进去
0054A1D2 . 83C4 10 add esp,10
0054A1D5 . 85C0 test eax,eax
0054A1D7 . 74 46 je short Camtasia.0054A21F
0054A1D9 . 6A 02 push 2
0054A1DB . 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
0054A1DF . 51 push ecx
0054A1E0 . 8D5424 68 lea edx,dword ptr ss:[esp+68]
0054A1E4 . 52 push edx
0054A1E5 . E8 26940000 call Camtasia.00553610
0054A1EA . 83C4 0C add esp,0C
0054A1ED . 85C0 test eax,eax
0054A1EF . 74 2E je short Camtasia.0054A21F
0054A1F1 . 6A 02 push 2
0054A1F3 . 8D4424 2C lea eax,dword ptr ss:[esp+2C]
0054A1F7 . 50 push eax
0054A1F8 . 8D4C24 68 lea ecx,dword ptr ss:[esp+68]
0054A1FC . 51 push ecx
0054A1FD . E8 0E940000 call Camtasia.00553610
0054A202 . 83C4 0C add esp,0C
0054A205 . 85C0 test eax,eax
0054A207 . 74 16 je short Camtasia.0054A21F
0054A209 . 8D5424 38 lea edx,dword ptr ss:[esp+38]
0054A20D . 52 push edx
0054A20E . 8D4424 64 lea eax,dword ptr ss:[esp+64]
0054A212 . 50 push eax
0054A213 . E8 B8940000 call Camtasia.005536D0--->这里面进去是注册码比较 18位的
0054A218 . 83C4 08 add esp,8
0054A21B . 85C0 test eax,eax 这里比较要跳 eax=1
0054A21D . 75 07 jnz short Camtasia.0054A226
0054A21F > C64424 13 0A mov byte ptr ss:[esp+13],0A
0054A224 . EB 74 jmp short Camtasia.0054A29A
0054A226 > 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0054A22A . FF15 D0805800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0054A230 . 83F8 0E cmp eax,0E
0054A233 . 7C 60 jl short Camtasia.0054A295 ; 这里要跳的
0054A235 . 6A 02 push 2
0054A237 . 6A 0C push 0C
0054A239 . 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
0054A23D . 51 push ecx
0054A23E . 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0054A242 . FF15 587D5800 call dword ptr ds:[<&MFC71.#4109>] ; MFC71.7C188D88
0054A248 . 6A 10 push 10
0054A24A . 6A 00 push 0
0054A24C . 8BC8 mov ecx,eax
0054A24E . FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0054A254 . 50 push eax
0054A255 . FFD6 call esi
0054A257 . 83C4 0C add esp,0C
0054A25A . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0054A25E . 8BF0 mov esi,eax
0054A260 . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0054A266 . 83FE 41 cmp esi,41 ; Switch (cases 41..61) 这里esi=61
0054A269 . 72 2A jb short Camtasia.0054A295 ; 不能跳
0054A26B . 83EE 41 sub esi,41 ---这里,esi-41= 20
0054A26E . 83FE 20 cmp esi,20 --->这里要跳
0054A271 . 73 07 jnb short Camtasia.0054A27A
0054A273 . C64424 13 0B mov byte ptr ss:[esp+13],0B
0054A278 . EB 20 jmp short Camtasia.0054A29A
0054A27A > 83FE 21 cmp esi,21---->这里esi不能大于21 所以这里 13 和14位注册码只能为61了
它是确定版本信息的
0054A27D . 73 16 jnb short Camtasia.0054A295 ; 这里不能跳
0054A27F . 6A 01 push 1 ; Case 61 ('a') of switch 0054A266
0054A281 . 8D8D F0000000 lea ecx,dword ptr ss:[ebp+F0]
0054A287 . B3 01 mov bl,1 ; ---> 这里也是成功 18位注册码
0054A289 . C64424 17 00 mov byte ptr ss:[esp+17],0
0054A28E . E8 2D590100 call Camtasia.0055FBC0
0054A293 . EB 07 jmp short Camtasia.0054A29C
0054A295 > C64424 13 0C mov byte ptr ss:[esp+13],0C ; Default case of switch 0054A266
0054A29A > 32DB xor bl,bl ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45
('E'),46 ('F'),47 ('G'),48 ('H'),49 ('I'),4A ('J'),4B ('K'),4C ('L'),4D ('M'),4E ('N'),4F ('O'),50 ('P'),51 ('Q'),52
('R'),53 ('S'),54 ('T')... of switch 0054A266
0054A29C > 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0054A2A0 . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0054A2A6 . 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0054A2AA . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0054A2B0 . E9 34010000 jmp Camtasia.0054A3E9 ; 不能到这里
0054A2B5 > 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A2B9 . 8DB5 C8000000 lea esi,dword ptr ss:[ebp+C8]
0054A2BF . FF15 D4805800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0054A2C5 . 50 push eax ; /Arg1
0054A2C6 . 8BCE mov ecx,esi ; |
0054A2C8 . E8 738B0000 call Camtasia.00552E40 ; \Camtasia.00552E40
0054A2CD . 84C0 test al,al ; 注意eax
0054A2CF 74 6A je short Camtasia.0054A33B ; 不能跳 重要
0054A2D1 . 39BD CC000000 cmp dword ptr ss:[ebp+CC],edi ; edi=8 , ss[5cf7a4] 000
0054A2D7 75 62 jnz short Camtasia.0054A33B ; 不能跳 重要呀!
0054A2D9 . 8D5424 2C lea edx,dword ptr ss:[esp+2C]
0054A2DD . 52 push edx
0054A2DE . 8BCE mov ecx,esi
0054A2E0 . E8 7BFAFFFF call Camtasia.00549D60
0054A2E5 . 8338 00 cmp dword ptr ds:[eax],0
0054A2E8 . C68424 9C000000 01 mov byte ptr ss:[esp+9C],1
0054A2F0 . C74424 14 01000000 mov dword ptr ss:[esp+14],1
0054A2F8 74 41 je short Camtasia.0054A33B ; 不能跳 重要呀!
0054A2FA . 6A 00 push 0
0054A2FC . 6A 01 push 1
0054A2FE . 6A 02 push 2
0054A300 . 8D4C24 60 lea ecx,dword ptr ss:[esp+60]
0054A304 . E8 F7A00100 call Camtasia.00564400
0054A309 . 8BF8 mov edi,eax
0054A30B . 8D4424 48 lea eax,dword ptr ss:[esp+48]
0054A30F . 50 push eax
0054A310 . 8BCE mov ecx,esi
0054A312 . E8 59F3FFFF call Camtasia.00549670
0054A317 . 57 push edi
0054A318 . 8BC8 mov ecx,eax
0054A31A . C78424 A0000000 030>mov dword ptr ss:[esp+A0],3
0054A325 . C74424 18 07000000 mov dword ptr ss:[esp+18],7
0054A32D . E8 EEA00100 call Camtasia.00564420
0054A332 . 84C0 test al,al
0054A334 . C64424 1B 01 mov byte ptr ss:[esp+1B],1
0054A339 . 75 05 jnz short Camtasia.0054A340
0054A33B > C64424 1B 00 mov byte ptr ss:[esp+1B],0
0054A340 > F64424 14 04 test byte ptr ss:[esp+14],4
0054A345 . C78424 9C000000 020>mov dword ptr ss:[esp+9C],2
0054A350 . 74 14 je short Camtasia.0054A366
0054A352 . 8B4424 14 mov eax,dword ptr ss:[esp+14]
0054A356 . 83E0 FB and eax,FFFFFFFB
0054A359 . 8D4C24 48 lea ecx,dword ptr ss:[esp+48]
0054A35D . 894424 14 mov dword ptr ss:[esp+14],eax
0054A361 . E8 9A4EF8FF call Camtasia.004CF200
0054A366 > F64424 14 02 test byte ptr ss:[esp+14],2
0054A36B . C78424 9C000000 010>mov dword ptr ss:[esp+9C],1
0054A376 . 74 14 je short Camtasia.0054A38C
0054A378 . 8B4424 14 mov eax,dword ptr ss:[esp+14]
0054A37C . 83E0 FD and eax,FFFFFFFD
0054A37F . 8D4C24 54 lea ecx,dword ptr ss:[esp+54]
0054A383 . 894424 14 mov dword ptr ss:[esp+14],eax
0054A387 . E8 744EF8FF call Camtasia.004CF200
0054A38C > F64424 14 01 test byte ptr ss:[esp+14],1
0054A391 . C78424 9C000000 000>mov dword ptr ss:[esp+9C],0
0054A39C . 74 09 je short Camtasia.0054A3A7
0054A39E . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0054A3A2 . E8 F9FEF8FF call Camtasia.004DA2A0
0054A3A7 > 8A4424 1B mov al,byte ptr ss:[esp+1B]
0054A3AB . 84C0 test al,al
0054A3AD 74 3A je short Camtasia.0054A3E9 ; 这里重要,不能跳
0054A3AF . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0054A3B3 . 51 push ecx
0054A3B4 . 8BCE mov ecx,esi
0054A3B6 . B3 01 mov bl,1 ; 这里是成功的标--->25位注册码
0054A3B8 . C64424 17 00 mov byte ptr ss:[esp+17],0
0054A3BD . E8 9EF9FFFF call Camtasia.00549D60
0054A3C2 . 8B00 mov eax,dword ptr ds:[eax]
0054A3C4 . 8D8D F0000000 lea ecx,dword ptr ss:[ebp+F0]
0054A3CA . 50 push eax
0054A3CB . C68424 A0000000 04 mov byte ptr ss:[esp+A0],4
0054A3D3 . E8 E8570100 call Camtasia.0055FBC0
0054A3D8 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0054A3DC . C68424 9C000000 00 mov byte ptr ss:[esp+9C],0
0054A3E4 . E8 B7FEF8FF call Camtasia.004DA2A0
0054A3E9 > 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0054A3ED . FF15 5C805800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0054A3F3 . 8B8C24 94000000 mov ecx,dword ptr ss:[esp+94]
0054A3FA . 33C0 xor eax,eax
0054A3FC . 8A6424 13 mov ah,byte ptr ss:[esp+13]
0054A400 . 5F pop edi
0054A401 . 5E pop esi
0054A402 . 5D pop ebp
0054A403 . 64:890D 00000000 mov dword ptr fs:[0],ecx
0054A40A . 8AC3 mov al,bl
0054A40C . 5B pop ebx
0054A40D . 81C4 90000000 add esp,90
0054A413 . C2 0800 retn 8
--------------------跟进注册码比较
00553660 /$ 56 push esi
00553661 |. 57 push edi
00553662 |. 66:8B7C24 10 mov di,word ptr ss:[esp+10]
00553667 |. 33C0 xor eax,eax
00553669 |. 33D2 xor edx,edx
0055366B |. 66:85FF test di,di
0055366E |. 76 5D jbe short Camtasia.005536CD
00553670 |. 8B7424 0C mov esi,dword ptr ss:[esp+C]
00553674 |> 0FB7CA /movzx ecx,dx
00553677 |. 8A0C31 |mov cl,byte ptr ds:[ecx+esi]
0055367A |. 80F9 61 |cmp cl,61
0055367D |. 72 0D |jb short Camtasia.0055368C
0055367F |. 80F9 7A |cmp cl,7A
00553682 |. 77 08 |ja short Camtasia.0055368C
00553684 |. 0FB6C9 |movzx ecx,cl
00553687 |. 83E9 20 |sub ecx,20
0055368A |. EB 03 |jmp short Camtasia.0055368F
0055368C |> 0FB6C9 |movzx ecx,cl
0055368F |> 66:0FB6C9 |movzx cx,cl
00553693 |. 66:83F9 30 |cmp cx,30
00553697 |. 72 0E |jb short Camtasia.005536A7
00553699 |. 66:83F9 39 |cmp cx,39
0055369D |. 77 08 |ja short Camtasia.005536A7
0055369F |. 81C1 D0FF0000 |add ecx,0FFD0
005536A5 |. EB 12 |jmp short Camtasia.005536B9
005536A7 |> 66:83F9 41 |cmp cx,41
005536AB |. 72 1D |jb short Camtasia.005536CA
005536AD |. 66:83F9 46 |cmp cx,46
005536B1 |. 77 17 |ja short Camtasia.005536CA
005536B3 |. 81C1 C9FF0000 |add ecx,0FFC9
005536B9 |> C1E0 04 |shl eax,4
005536BC |. 0FB7C9 |movzx ecx,cx
005536BF |. 0BC1 |or eax,ecx
005536C1 |. 42 |inc edx
005536C2 |. 66:3BD7 |cmp dx,di
005536C5 |.^ 72 AD \jb short Camtasia.00553674
005536C7 |. 5F pop edi
005536C8 |. 5E pop esi
005536C9 |. C3 retn
005536CA |> 83C8 FF or eax,FFFFFFFF
005536CD |> 5F pop edi
005536CE |. 5E pop esi
005536CF \. C3 retn
005536D0 /$ 83EC 7C sub esp,7C
005536D3 |. 33C0 xor eax,eax
005536D5 |. B9 30000000 mov ecx,30
005536DA |. 8D9B 00000000 lea ebx,dword ptr ds:[ebx]
005536E0 |> 0FB7D0 /movzx edx,ax
005536E3 |. 40 |inc eax
005536E4 |. 884C14 04 |mov byte ptr ss:[esp+edx+4],cl
005536E8 |. 41 |inc ecx
005536E9 |. 66:83F9 39 |cmp cx,39
005536ED |.^ 76 F1 \jbe short Camtasia.005536E0
005536EF |. B9 41000000 mov ecx,41
005536F4 |> 0FB7D0 /movzx edx,ax
005536F7 |. 40 |inc eax
005536F8 |. 884C14 04 |mov byte ptr ss:[esp+edx+4],cl
005536FC |. 41 |inc ecx
005536FD |. 66:83F9 46 |cmp cx,46
00553701 |.^ 76 F1 \jbe short Camtasia.005536F4
00553703 |. 55 push ebp
00553704 |. 8BAC24 88000000 mov ebp,dword ptr ss:[esp+88]
0055370B |. 56 push esi
0055370C |. 8D45 0C lea eax,dword ptr ss:[ebp+C]
0055370F |. 6A 02 push 2
00553711 |. 50 push eax
00553712 |. E8 49FFFFFF call Camtasia.00553660
00553717 |. 8BB424 90000000 mov esi,dword ptr ss:[esp+90]
0055371E |. 894424 10 mov dword ptr ss:[esp+10],eax
00553722 |. 0FB706 movzx eax,word ptr ds:[esi]
00553725 |. 8D48 02 lea ecx,dword ptr ds:[eax+2]
00553728 |. 83C4 08 add esp,8
0055372B |. 83F9 32 cmp ecx,32
0055372E |. 7F 0E jg short Camtasia.0055373E
00553730 |. 66:8B5424 08 mov dx,word ptr ss:[esp+8]
00553735 |. 66:895430 02 mov word ptr ds:[eax+esi+2],dx
0055373A |. 66:8306 02 add word ptr ds:[esi],2
0055373E |> 8D45 08 lea eax,dword ptr ss:[ebp+8]
00553741 |. 6A 04 push 4
00553743 |. 50 push eax
00553744 |. E8 17FFFFFF call Camtasia.00553660
00553749 |. 894424 10 mov dword ptr ss:[esp+10],eax
0055374D |. 0FB706 movzx eax,word ptr ds:[esi]
00553750 |. 8D48 02 lea ecx,dword ptr ds:[eax+2]
00553753 |. 83C4 08 add esp,8
00553756 |. 83F9 32 cmp ecx,32
00553759 |. 7F 0E jg short Camtasia.00553769
0055375B |. 66:8B5424 08 mov dx,word ptr ss:[esp+8]
00553760 |. 66:895430 02 mov word ptr ds:[eax+esi+2],dx
00553765 |. 66:8306 02 add word ptr ds:[esi],2
00553769 |> 8D4424 2C lea eax,dword ptr ss:[esp+2C]
0055376D |. 57 push edi
0055376E |. 50 push eax
0055376F |. E8 8C000000 call Camtasia.00553800
00553774 |. 0FB70E movzx ecx,word ptr ds:[esi]
00553777 |. 51 push ecx
00553778 |. 8D7E 02 lea edi,dword ptr ds:[esi+2]
0055377B |. 8D5424 38 lea edx,dword ptr ss:[esp+38]
0055377F |. 57 push edi
00553780 |. 52 push edx
00553781 |. E8 8A090000 call Camtasia.00554110
00553786 |. 8D4424 40 lea eax,dword ptr ss:[esp+40]
0055378A |. 50 push eax
0055378B |. 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
0055378F |. 51 push ecx
00553790 |. E8 3B0A0000 call Camtasia.005541D0
00553795 |. 33C0 xor eax,eax
00553797 |. B9 0C000000 mov ecx,0C
0055379C |. F3:AB rep stos dword ptr es:[edi]
0055379E |. 83C4 18 add esp,18
005537A1 |. 66:AB stos word ptr es:[edi]
005537A3 |. 33D2 xor edx,edx
005537A5 |. 5F pop edi
005537A6 |> 0FB7CA /movzx ecx,dx
005537A9 |. 8BC1 |mov eax,ecx
005537AB |. D1E8 |shr eax,1
005537AD |. 8A0428 |mov al,byte ptr ds:[eax+ebp]
005537B0 |. 3C 61 |cmp al,61
005537B2 |. 72 0C |jb short Camtasia.005537C0
005537B4 |. 3C 7A |cmp al,7A
005537B6 |. 77 08 |ja short Camtasia.005537C0
005537B8 |. 0FB6C0 |movzx eax,al
005537BB |. 83E8 20 |sub eax,20
005537BE |. EB 03 |jmp short Camtasia.005537C3
005537C0 |> 0FB6C0 |movzx eax,al
005537C3 |> 0FB64C0C 1C |movzx ecx,byte ptr ss:[esp+ecx+1C>
005537C8 |. 83E1 0F |and ecx,0F
005537CB |. 0FBE4C0C 0C |movsx ecx,byte ptr ss:[esp+ecx+C]
005537D0 |. 0FB6C0 |movzx eax,al
005537D3 |. 3BC8 |cmp ecx,eax--->在这里可以读出前8位注册码了5BFD9EA0
005537D5 |. 75 14 |jnz short Camtasia.005537EB
005537D7 |. 83C2 02 |add edx,2
005537DA |. 66:83FA 10 |cmp dx,10
005537DE |.^ 72 C6 \jb short Camtasia.005537A6
005537E0 |. 5E pop esi
005537E1 |. B8 01000000 mov eax,1
005537E6 |. 5D pop ebp
005537E7 |. 83C4 7C add esp,7C
005537EA |. C3 retn
005537EB |> 5E pop esi
005537EC |. 33C0 xor eax,eax
005537EE |. 5D pop ebp
005537EF |. 83C4 7C add esp,7C
--->完。。。。
可用的注册码:
用户名:ftts[BCG]
注册码:5BFD9EA09012615678
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)