[ Crack Title ] 屏幕键盘监控专家 (Screen & Keyboard Monitoring Expert) 2.288 Build 1318 cracked version (memory keygen)
[ Author ] Eddy
[ Author Email ] 860822214@qq.com
[ Author Homepage ] www.rrgod.com
[ Tools ] PEiD, OD, KeyMake
[ Platform ] Windows XP SP2
[ Software Name ] 屏幕键盘监控专家
[ Software Size ] 2.21 M
[ Original Download ] http://tele.skycn.com/soft/52200.html
[ Protection ] No packer, serial number
[ Software Description ] 屏幕键盘监控专家 is a simple, practical system monitoring tool that records screen content and keystrokes. Its interface is friendly and you can learn to use it fully within minutes.
[ Crack Statement ] Purely a personal hobby ^_^ no other purpose
-----------------------------------------------------
[ Cracking Process ]-----------------------------------------
1. Try the software
Before cracking a program it is best to use it first and see what useful information it gives. This trial version can only monitor for 20 minutes and the settings cannot be used. A wrong registration pops up a dialog box; that prompt string is our starting point.
2. Check for a packer
As usual, check with PEiD first. Result: Microsoft Visual Basic 5.0 / 6.0. The software is not packed.
3. Locate the program's registration code
Load the main program in C32Asm and search for strings; remember to analyze Unicode strings (since this is a VB program). Find the error prompt we just saw and copy its address: 0043297D.
4. Dynamic analysis
Load the main program in OD, press Ctrl+G, enter the address 0043297D and press Enter to go there. Scroll up to the start of this routine, i.e. 00432680, and set a breakpoint there with F2.
Press Shift+F9 to run the program, enter the fake code 11111111111111, click Register, and the program breaks here:
00432680 > \55 push ebp
00432681 . 8BEC mov ebp,esp
00432683 . 83EC 0C sub esp,0C
00432686 . 68 561F4000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0043268B . 64:A1 0000000>mov eax,dword ptr fs:[0]
00432691 . 50 push eax
00432692 . 64:8925 00000>mov dword ptr fs:[0],esp
00432699 . 83EC 58 sub esp,58
0043269C . 53 push ebx
0043269D . 56 push esi
0043269E . 57 push edi
0043269F . 8965 F4 mov dword ptr ss:[ebp-C],esp
004326A2 . C745 F8 201E4>mov dword ptr ss:[ebp-8],HSPCSC.00401E20
004326A9 . 8B75 08 mov esi,dword ptr ss:[ebp+8]
004326AC . 8BC6 mov eax,esi
004326AE . 83E0 01 and eax,1
004326B1 . 8945 FC mov dword ptr ss:[ebp-4],eax
004326B4 . 83E6 FE and esi,FFFFFFFE
004326B7 . 56 push esi
004326B8 . 8975 08 mov dword ptr ss:[ebp+8],esi
004326BB . 8B0E mov ecx,dword ptr ds:[esi]
004326BD . FF51 04 call dword ptr ds:[ecx+4]
004326C0 . 8B16 mov edx,dword ptr ds:[esi]
004326C2 . 33DB xor ebx,ebx
004326C4 . 56 push esi
004326C5 . 895D E8 mov dword ptr ss:[ebp-18],ebx
004326C8 . 895D E4 mov dword ptr ss:[ebp-1C],ebx
004326CB . 895D E0 mov dword ptr ss:[ebp-20],ebx
004326CE . 895D DC mov dword ptr ss:[ebp-24],ebx
004326D1 . 895D CC mov dword ptr ss:[ebp-34],ebx
004326D4 . FF92 14030000 call dword ptr ds:[edx+314]
004326DA . 50 push eax
004326DB . 8D45 DC lea eax,dword ptr ss:[ebp-24]
004326DE . 50 push eax
004326DF . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004326E5 . 8BF8 mov edi,eax
004326E7 . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
004326EA . 52 push edx
004326EB . 57 push edi
004326EC . 8B0F mov ecx,dword ptr ds:[edi]
004326EE . FF91 A0000000 call dword ptr ds:[ecx+A0] ; get machine code
004326F4 . 3BC3 cmp eax,ebx
004326F6 . DBE2 fclex
004326F8 . 7D 12 jge short HSPCSC.0043270C
004326FA . 68 A0000000 push 0A0
004326FF . 68 30C94000 push HSPCSC.0040C930
00432704 . 57 push edi
00432705 . 50 push eax
00432706 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
0043270C > 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
0043270F . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00432712 . 50 push eax
00432713 . 51 push ecx
00432714 . 68 50054100 push HSPCSC.00410550 ; 5754316565weorq
00432719 . E8 62060000 call HSPCSC.00432D80 ; algorithm call
0043271E . 8B3D 7C124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00432724 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00432727 . FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
00432729 . 8B1D 78124000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0043272F . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00432732 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeObj>
00432734 . 8B16 mov edx,dword ptr ds:[esi]
00432736 . 56 push esi
00432737 . FF92 10030000 call dword ptr ds:[edx+310]
0043273D . 50 push eax
0043273E . 8D45 DC lea eax,dword ptr ss:[ebp-24]
00432741 . 50 push eax
00432742 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00432748 . 8BF0 mov esi,eax
0043274A . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0043274D . 52 push edx
0043274E . 56 push esi
0043274F . 8B0E mov ecx,dword ptr ds:[esi]
00432751 . FF91 A0000000 call dword ptr ds:[ecx+A0]
00432757 . 85C0 test eax,eax
00432759 . DBE2 fclex
0043275B . 7D 12 jge short HSPCSC.0043276F
0043275D . 68 A0000000 push 0A0
00432762 . 68 30C94000 push HSPCSC.0040C930
00432767 . 56 push esi
00432768 . 50 push eax
00432769 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
0043276F > 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; fake code into eax
00432772 . 8B4D E8 mov ecx,dword ptr ss:[ebp-18] ; real code into ecx
00432775 . 50 push eax
00432776 . 51 push ecx
00432777 . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; the two arguments pushed above are compared here
0043277D . 8BF0 mov esi,eax
0043277F . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00432782 . F7DE neg esi
00432784 . 1BF6 sbb esi,esi
00432786 . 46 inc esi
00432787 . F7DE neg esi
00432789 . FFD7 call edi
0043278B . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0043278E . FFD3 call ebx
00432790 . 66:85F6 test si,si
00432793 . 8B35 D4114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00432799 . BA 34FF4000 mov edx,HSPCSC.0040FF34
0043279E . B9 6C514300 mov ecx,HSPCSC.0043516C
004327A3 . 0F84 D2010000 je HSPCSC.0043297B ; key jump: if taken, it's over
004327A9 . FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
004327AB . BA 74054100 mov edx,HSPCSC.00410574
004327B0 . B9 70514300 mov ecx,HSPCSC.00435170
004327B5 . FFD6 call esi
004327B7 . A1 C4534300 mov eax,dword ptr ds:[4353C4]
004327BC . 85C0 test eax,eax
004327BE . 75 10 jnz short HSPCSC.004327D0
004327C0 . 68 C4534300 push HSPCSC.004353C4
004327C5 . 68 F82D4000 push HSPCSC.00402DF8
004327CA . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004327D0 > 83EC 10 sub esp,10
004327D3 . B9 0A000000 mov ecx,0A
004327D8 . 8BDC mov ebx,esp
004327DA . 894D BC mov dword ptr ss:[ebp-44],ecx
004327DD . B8 04000280 mov eax,80020004
004327E2 . 83EC 10 sub esp,10
004327E5 . 890B mov dword ptr ds:[ebx],ecx
004327E7 . 8B4D B0 mov ecx,dword ptr ss:[ebp-50]
004327EA . 8BD0 mov edx,eax
004327EC . 8B35 C4534300 mov esi,dword ptr ds:[4353C4]
004327F2 . 894B 04 mov dword ptr ds:[ebx+4],ecx
004327F5 . 8BCC mov ecx,esp
004327F7 . 8B3E mov edi,dword ptr ds:[esi]
004327F9 . 56 push esi
004327FA . 8943 08 mov dword ptr ds:[ebx+8],eax
004327FD . 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00432800 . 8943 0C mov dword ptr ds:[ebx+C],eax
00432803 . 8B45 BC mov eax,dword ptr ss:[ebp-44]
00432806 . 8901 mov dword ptr ds:[ecx],eax
00432808 . 8B45 C0 mov eax,dword ptr ss:[ebp-40]
0043280B . 8941 04 mov dword ptr ds:[ecx+4],eax
0043280E . 8951 08 mov dword ptr ds:[ecx+8],edx
00432811 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00432814 . 8951 0C mov dword ptr ds:[ecx+C],edx
00432817 . FF97 B0020000 call dword ptr ds:[edi+2B0]
0043281D . 85C0 test eax,eax
0043281F . DBE2 fclex
00432821 . 7D 16 jge short HSPCSC.00432839
00432823 . 8B3D 78104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00432829 . 68 B0020000 push 2B0
0043282E . 68 64FF4000 push HSPCSC.0040FF64
00432833 . 56 push esi
00432834 . 50 push eax
00432835 . FFD7 call edi ; <&MSVBVM60.__vbaHresultCheckObj>
00432837 . EB 06 jmp short HSPCSC.0043283F
00432839 > 8B3D 78104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
0043283F > 68 9CDC4000 push HSPCSC.0040DC9C ; /1
00432844 . 68 F0DD4000 push HSPCSC.0040DDF0 ; |ishttporwww
00432849 . 68 C0CB4000 push HSPCSC.0040CBC0 ; |set
0043284E . 68 A4CB4000 push HSPCSC.0040CBA4 ; |HSsoftPCSC
00432853 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.#690>] ; \rtcSaveSetting
00432859 . A1 0C614300 mov eax,dword ptr ds:[43610C]
0043285E . 85C0 test eax,eax
00432860 . 75 10 jnz short HSPCSC.00432872
00432862 . 68 0C614300 push HSPCSC.0043610C
00432867 . 68 B4D64000 push HSPCSC.0040D6B4
0043286C . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00432872 > 8B35 0C614300 mov esi,dword ptr ds:[43610C]
00432878 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0043287B . 51 push ecx
0043287C . 56 push esi
0043287D . 8B06 mov eax,dword ptr ds:[esi]
0043287F . FF50 14 call dword ptr ds:[eax+14]
00432882 . 85C0 test eax,eax
00432884 . DBE2 fclex
00432886 . 7D 0B jge short HSPCSC.00432893
00432888 . 6A 14 push 14
0043288A . 68 A4D64000 push HSPCSC.0040D6A4
0043288F . 56 push esi
00432890 . 50 push eax
00432891 . FFD7 call edi
00432893 > 8B45 DC mov eax,dword ptr ss:[ebp-24]
00432896 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00432899 . 51 push ecx
0043289A . 50 push eax
0043289B . 8B10 mov edx,dword ptr ds:[eax]
0043289D . 8BF0 mov esi,eax
0043289F . FF52 50 call dword ptr ds:[edx+50]
004328A2 . 85C0 test eax,eax
004328A4 . DBE2 fclex
004328A6 . 7D 0B jge short HSPCSC.004328B3
004328A8 . 6A 50 push 50
004328AA . 68 C4D64000 push HSPCSC.0040D6C4
004328AF . 56 push esi
004328B0 . 50 push eax
004328B1 . FFD7 call edi
004328B3 > 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
004328B6 . 52 push edx
004328B7 . 68 0CDE4000 push HSPCSC.0040DE0C ; /\dllloadlog.dat
004328BC . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; \__vbaStrCat
004328C2 . 8BD0 mov edx,eax
004328C4 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
004328C7 . FF15 4C124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004328CD . 50 push eax
004328CE . 6A 01 push 1
004328D0 . 6A FF push -1
004328D2 . 68 02400000 push 4002
004328D7 . FF15 B4114000 call dword ptr ds:[<&MSVBVM60.__vbaFileOpen>] ; MSVBVM60.__vbaFileOpen
004328DD . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004328E0 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
004328E3 . 50 push eax
004328E4 . 51 push ecx
004328E5 . 6A 02 push 2
004328E7 . FF15 DC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
004328ED . 83C4 0C add esp,0C
004328F0 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004328F3 . FF15 78124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004328F9 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004328FC . 52 push edx
004328FD . FF15 68124000 call dword ptr ds:[<&MSVBVM60.#546>] ; MSVBVM60.rtcGetPresentDate
00432903 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00432906 . 50 push eax
00432907 . 6A 01 push 1
00432909 . 68 3CDD4000 push HSPCSC.0040DD3C
0043290E . FF15 5C114000 call dword ptr ds:[<&MSVBVM60.__vbaPrintFile>] ; MSVBVM60.__vbaPrintFile
00432914 . 83C4 0C add esp,0C
00432917 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0043291A . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00432920 . 6A 01 push 1
00432922 . FF15 EC104000 call dword ptr ds:[<&MSVBVM60.__vbaFileClose>] ; MSVBVM60.__vbaFileClose
00432928 . A1 0C614300 mov eax,dword ptr ds:[43610C]
0043292D . 85C0 test eax,eax
0043292F . 75 10 jnz short HSPCSC.00432941
00432931 . 68 0C614300 push HSPCSC.0043610C
00432936 . 68 B4D64000 push HSPCSC.0040D6B4
0043293B . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00432941 > 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00432944 . 8B35 0C614300 mov esi,dword ptr ds:[43610C]
0043294A . 8D55 DC lea edx,dword ptr ss:[ebp-24]
0043294D . 51 push ecx
0043294E . 8B1E mov ebx,dword ptr ds:[esi]
00432950 . 52 push edx
00432951 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSetAddref>] ; MSVBVM60.__vbaObjSetAddref
00432957 . 50 push eax
00432958 . 56 push esi
00432959 . FF53 10 call dword ptr ds:[ebx+10]
0043295C . 85C0 test eax,eax
0043295E . DBE2 fclex
00432960 . 7D 0B jge short HSPCSC.0043296D
00432962 . 6A 10 push 10
00432964 . 68 A4D64000 push HSPCSC.0040D6A4
00432969 . 56 push esi
0043296A . 50 push eax
0043296B . FFD7 call edi
0043296D > 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00432970 . FF15 78124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00432976 . E9 8C000000 jmp HSPCSC.00432A07
0043297B > FFD6 call esi
0043297D . BA A8054100 mov edx,HSPCSC.004105A8 ; error message location
One method is to patch the key jump at 004327A3 directly to achieve a brute-force crack (not covered further here).
Of course, you can also make a patch program to do the same.
Also, when the program runs, the real code appears in the ECX register at 00432775, so we can make a memory keygen: open KeyMake,
and finally generate the keygen.
(Screenshot of the result)
OK! Done!
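As an added example (not code from the original post or from the program itself), the weak design the listing exposes is shown next to a signature-based check: the weak client computes the real code itself and string-compares it, so the real code sits in a register for a memory keygen to read, while the signed client only holds the vendor's public key and never computes anything resembling the real code. The machine ID, the derivation function and the key pair are constructed placeholders, not this software's algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// Constructed machine ID in the shape the comments above use; not a real one.
const sampleMachineID = "WD-EXAMPLE0000000"

// DeriveCode stands in for the program's unknown routine at 00432D80. Any
// in-client mapping from machine ID to "real code" shares the weakness.
func DeriveCode(machineID string) string {
	sum := sha256.Sum256([]byte("placeholder-secret|" + machineID))
	return hex.EncodeToString(sum[:8])
}

// WeakCheck mirrors the listing: the real code is computed in-process and
// handed to a string compare, so it sits in a register (ecx at 00432775)
// just before the jump at 004327A3 decides the outcome.
func WeakCheck(machineID, input string) bool {
	expected := DeriveCode(machineID)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(input)) == 1
}

// NewVendorKeys generates the vendor's signing key pair; only the public
// half would be compiled into the client.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueLicense runs on the vendor side: the license is a signature over the
// machine ID, so no routine inside the client can produce it.
func IssueLicense(priv ed25519.PrivateKey, machineID string) []byte {
	return ed25519.Sign(priv, []byte(machineID))
}

// SignedCheck is the client-side verification: only a yes/no remains, which
// still needs integrity protection against a patched jump.
func SignedCheck(pub ed25519.PublicKey, machineID string, license []byte) bool {
	return ed25519.Verify(pub, []byte(machineID), license)
}
```

The weak check still uses a constant-time compare, which removes a timing side channel but does nothing about the real code being present in memory.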
If you repost this original article, please credit: reposted from Eddy Blog.
Original URL: http://www.rrgod.com/technique/9.html. Welcome to subscribe to Eddy Blog.
Impressive.
Hello, I read this article and, as a beginner, would like to ask:
"Press Shift+F9 to run the program, enter the fake code 11111111111111, click Register, and the program breaks here"
Why is it that after I press Shift+F9, the HSPCSC process is in the process list, but pressing Ctrl+Shift+0 does not bring up the program's window, and I have no way to enter the fake code 11111111111111? What is going on? Thanks for your trouble.
Also, after pressing Shift+F9 it runs to
7594812F C9 LEAVE
and stops there, and pressing Shift+Ctrl+0 still does not bring up the window for entering the fake code.
Hello, the problem above is solved now, but I have another question: when analyzing the code, do I need to press other keys, such as step into (F7), or do I just open the memory keygen and fill it in directly? Sorry to trouble you again.
Um, why is the registration code I got wrong?
Machine code: WD-WCAV96030692
Registration code obtained: |0usxvFG7V2,9P-0
Prompt: registration error
Hello, I admire you so much. Could you send me a cracked version? Thank you.
Email: lijh.szu@163.com