《德语助手》 权威的德汉词典版 彻底汇编 除时间限制 破解日志：

004627CC /$ 55 push ebp ;断在这里可以看到我们的假码！

004627CD |. 8BEC mov ebp, esp

004627CF |. 81C4 14FFFFFF add esp, -0xEC

004627D5 |. 53 push ebx

004627D6 |. 56 push esi

004627D7 |. 57 push edi

004627D8 |. 8955 FC mov dword ptr [ebp-0x4], edx

004627DB |. 8985 3CFFFFFF mov dword ptr [ebp-0xC4], eax

004627E1 |. 8DB5 40FFFFFF lea esi, dword ptr [ebp-0xC0]

004627E7 |. B8 D48EB500 mov eax, 00B58ED4

004627EC |. E8 A3406800 call 00AE6894

004627F1 |. C746 1C 01000>mov dword ptr [esi+0x1C], 0x1

004627F8 |. 8D55 FC lea edx, dword ptr [ebp-0x4]

004627FB |. 8D45 FC lea eax, dword ptr [ebp-0x4]

004627FE |. E8 E96D6900 call 00AF95EC

00462803 |. FF46 1C inc dword ptr [esi+0x1C]

00462806 |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC

0046280C |. 66:C746 10 18>mov word ptr [esi+0x10], 0x18

00462812 |. E8 A9B9FAFF call 0040E1C0

00462817 |. 50 push eax

00462818 |. 8D55 D4 lea edx, dword ptr [ebp-0x2C]

0046281B |. 52 push edx

0046281C |. E8 331AFBFF call 00414254

00462821 |. 83C4 08 add esp, 0x8

00462824 |. FF46 1C inc dword ptr [esi+0x1C]

00462827 |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC

0046282D |. 66:C746 10 24>mov word ptr [esi+0x10], 0x24

00462833 |. 8D45 D0 lea eax, dword ptr [ebp-0x30]

00462836 |. E8 C516FAFF call 00403F00

0046283B |. 8BD0 mov edx, eax

0046283D |. FF46 1C inc dword ptr [esi+0x1C]

00462840 |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-0xC4]

00462846 |. 8B81 B4030000 mov eax, dword ptr [ecx+0x3B4]

0046284C |. E8 67012300 call 006929B8

00462851 |. 8D45 D0 lea eax, dword ptr [ebp-0x30]

00462854 |. E8 1FCDFAFF call 0040F578

00462859 |. 50 push eax

0046285A |. 8D55 A8 lea edx, dword ptr [ebp-0x58]

0046285D |. 52 push edx

0046285E |. E8 11CBFAFF call 0040F374

00462863 |. 83C4 08 add esp, 0x8

00462866 |. FF46 1C inc dword ptr [esi+0x1C]

00462869 |. 8D4D A8 lea ecx, dword ptr [ebp-0x58]

0046286C |. 51 push ecx

0046286D |. 8D7D 80 lea edi, dword ptr [ebp-0x80]

00462870 |. 57 push edi

00462871 |. E8 4A1D5B00 call 00A145C0

00462876 |. 83C4 08 add esp, 0x8

00462879 |. 8D45 80 lea eax, dword ptr [ebp-0x80]

0046287C |. 50 push eax

0046287D |. FF46 1C inc dword ptr [esi+0x1C]

00462880 |. E8 1B78FAFF call 0040A0A0

00462885 |. 59 pop ecx

00462886 |. 50 push eax

00462887 |. 8D55 D4 lea edx, dword ptr [ebp-0x2C]

0046288A |. 52 push edx

0046288B |. E8 1078FAFF call 0040A0A0

00462890 |. 59 pop ecx

00462891 |. 50 push eax

00462892 |. E8 09A06600 call 00ACC8A0

00462897 |. 83C4 08 add esp, 0x8

0046289A |. 8BD8 mov ebx, eax

0046289C |. FF4E 1C dec dword ptr [esi+0x1C]

0046289F |. 8D45 80 lea eax, dword ptr [ebp-0x80]

004628A2 |. 6A 02 push 0x2

004628A4 |. 50 push eax

004628A5 |. E8 760FFAFF call 00403820

004628AA |. 83C4 08 add esp, 0x8

004628AD |. FF4E 1C dec dword ptr [esi+0x1C]

004628B0 |. 6A 02 push 0x2

004628B2 |. 8D55 A8 lea edx, dword ptr [ebp-0x58]

004628B5 |. 52 push edx

004628B6 |. E8 8D0FFAFF call 00403848

004628BB |. 83C4 08 add esp, 0x8

004628BE |. FF4E 1C dec dword ptr [esi+0x1C]

004628C1 |. 8D45 D0 lea eax, dword ptr [ebp-0x30]

004628C4 |. BA 02000000 mov edx, 0x2

004628C9 |. E8 466F6900 call 00AF9814

004628CE |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC

004628D4 |. 84DB test bl, bl

004628D6 |. 0F84 43010000 je 00462A1F ; 跳走了，肯定不能让它走~~~ NOP了

004628DC |. B2 01 mov dl, 0x1

004628DE |. A1 58955700 mov eax, dword ptr [0x579558]

004628E3 |. E8 BC7D1100 call 0057A6A4

004628E8 |. 66:C746 10 30>mov word ptr [esi+0x10], 0x30

004628EE |. 8BF8 mov edi, eax

004628F0 |. 8D85 7CFFFFFF lea eax, dword ptr [ebp-0x84]

004628F6 |. BA 4486B500 mov edx, 00B58644 ; Software\Francophonie\Dehelper\Customer Info

004628FB |. E8 246E6900 call 00AF9724

00462900 |. FF46 1C inc dword ptr [esi+0x1C]

00462903 |. 8B10 mov edx, dword ptr [eax]

00462905 |. B1 01 mov cl, 0x1

00462907 |. 8BC7 mov eax, edi

00462909 |. E8 6E801100 call 0057A97C

0046290E |. FF4E 1C dec dword ptr [esi+0x1C]

00462911 |. 8D85 7CFFFFFF lea eax, dword ptr [ebp-0x84]

00462917 |. BA 02000000 mov edx, 0x2

0046291C |. E8 F36E6900 call 00AF9814

00462921 |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC

00462927 |. 33DB xor ebx, ebx ; 要清，到底要不要让它清？ 结果尝试NOP 成功

00462929 |> 66:C746 10 48>/mov word ptr [esi+0x10], 0x48

0046292F |. BA 9E86B500 |mov edx, 00B5869E ; 确实是注册表键值 SerialCode

00462934 |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]

0046293A |. E8 6D6C6900 |call 00AF95AC

0046293F |. FF46 1C |inc dword ptr [esi+0x1C]

00462942 |. 66:C746 10 3C>|mov word ptr [esi+0x10], 0x3C

00462948 |. 85DB |test ebx, ebx

0046294A |. 7E 3A |jle short 00462986

0046294C |. 66:C746 10 54>|mov word ptr [esi+0x10], 0x54

00462952 |. 8D85 74FFFFFF |lea eax, dword ptr [ebp-0x8C]

00462958 |. 8BD3 |mov edx, ebx

0046295A |. E8 E915FBFF |call 00413F48

0046295F |. FF46 1C |inc dword ptr [esi+0x1C]

00462962 |. 8D95 74FFFFFF |lea edx, dword ptr [ebp-0x8C]

00462968 |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]

0046296E |. E8 DD6E6900 |call 00AF9850

00462973 |. FF4E 1C |dec dword ptr [esi+0x1C]

00462976 |. 8D85 74FFFFFF |lea eax, dword ptr [ebp-0x8C]

0046297C |. BA 02000000 |mov edx, 0x2

00462981 |. E8 8E6E6900 |call 00AF9814

00462986 |> 8B95 78FFFFFF |mov edx, dword ptr [ebp-0x88]

0046298C |. 8BC7 |mov eax, edi

0046298E |. E8 318F1100 |call 0057B8C4

00462993 |. 84C0 |test al, al

00462995 |. 75 25 |jnz short 004629BC

00462997 |. 8B4D FC |mov ecx, dword ptr [ebp-0x4]

0046299A |. 8B95 78FFFFFF |mov edx, dword ptr [ebp-0x88]

004629A0 |. 8BC7 |mov eax, edi

004629A2 |. E8 29891100 |call 0057B2D0

004629A7 |. FF4E 1C |dec dword ptr [esi+0x1C]

004629AA |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]

004629B0 |. BA 02000000 |mov edx, 0x2

004629B5 |. E8 5A6E6900 |call 00AF9814

004629BA |. EB 23 |jmp short 004629DF

004629BC |> FF4E 1C |dec dword ptr [esi+0x1C]

004629BF |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]

004629C5 |. BA 02000000 |mov edx, 0x2

004629CA |. E8 456E6900 |call 00AF9814

004629CF |. 66:C746 10 0C>|mov word ptr [esi+0x10], 0xC

004629D5 |. 43 |inc ebx

004629D6 |. 83FB 64 |cmp ebx, 0x64

004629D9 |.^ 0F8C 4AFFFFFF \jl 00462929

004629DF |> 8BDF mov ebx, edi

004629E1 |. 899D 6CFFFFFF mov dword ptr [ebp-0x94], ebx

004629E7 |. 85DB test ebx, ebx

004629E9 |. 74 24 je short 00462A0F ; 这里又一个不知如何处理？不用理会

004629EB |. 8B03 mov eax, dword ptr [ebx]

004629ED |. 8985 70FFFFFF mov dword ptr [ebp-0x90], eax

004629F3 |. 66:C746 10 78>mov word ptr [esi+0x10], 0x78

004629F9 |. BA 03000000 mov edx, 0x3

004629FE |. 8B85 6CFFFFFF mov eax, dword ptr [ebp-0x94]

00462A04 |. 8B08 mov ecx, dword ptr [eax]

00462A06 |. FF51 FC call dword ptr [ecx-0x4]

00462A09 |. 66:C746 10 60>mov word ptr [esi+0x10], 0x60

00462A0F |> 8B85 3CFFFFFF mov eax, dword ptr [ebp-0xC4]

00462A15 |. E8 76070000 call 00463190

00462A1A |. E9 89000000 jmp 00462AA8

00462A1F |> 6A 30 push 0x30

00462A21 |. 8D85 64FFFFFF lea eax, dword ptr [ebp-0x9C]

00462A27 |. E8 D414FAFF call 00403F00

00462A2C |. 8BD0 mov edx, eax

00462A2E |. FF46 1C inc dword ptr [esi+0x1C]

00462A31 |. A1 5C83C800 mov eax, dword ptr [0xC8835C]

00462A36 |. E8 395C6900 call 00AF8674

00462A3B |. 8D85 64FFFFFF lea eax, dword ptr [ebp-0x9C]

00462A41 |. E8 42CBFAFF call 0040F588

00462A46 |. 50 push eax

00462A47 |. 66:C746 10 84>mov word ptr [esi+0x10], 0x84

00462A4D |. 8D85 68FFFFFF lea eax, dword ptr [ebp-0x98]

00462A53 |. E8 A814FAFF call 00403F00

00462A58 |. 8BD0 mov edx, eax

00462A5A |. FF46 1C inc dword ptr [esi+0x1C]

00462A5D |. A1 6482C800 mov eax, dword ptr [0xC88264]

00462A62 |. E8 0D5C6900 call 00AF8674

00462A67 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-0x98]

00462A6D |. E8 16CBFAFF call 0040F588

00462A72 |. 8BD0 mov edx, eax

00462A74 |. 8B0D DC87C800 mov ecx, dword ptr [0xC887DC] ; dehelper.00CE4350

00462A7A |. 8B01 mov eax, dword ptr [ecx]

00462A7C |. 59 pop ecx

00462A7D |. E8 56556900 call 00AF7FD8 ; 出来注册错误对话框！1111111

00462A82 |. FF4E 1C dec dword ptr [esi+0x1C]

00462A85 |. 8D85 64FFFFFF lea eax, dword ptr [ebp-0x9C]

00462A8B |. BA 02000000 mov edx, 0x2

00462A90 |. E8 7F6D6900 call 00AF9814

00462A95 |. FF4E 1C dec dword ptr [esi+0x1C]

00462A98 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-0x98]

00462A9E |. BA 02000000 mov edx, 0x2

00462AA3 |. E8 6C6D6900 call 00AF9814

00462AA8 |> FF4E 1C dec dword ptr [esi+0x1C]

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

006CF849 |. E8 5EE8FFFF call 006CE0AC

ds:[00CF37B8]=76AEFECF (user32.MessageBoxW)

本地调用来自 005AA088, 006CF86D, 006F4356

00414017 . BA 52B5B000 mov edx, 00B0B552 ; regDate

0044E0D0 . /7F 7F jg short 0044E151

以TimeLeft3为切入点

00413423 . 8B4D C0 mov ecx, dword ptr [ebp-0x40]

可以看到信息窗口中

堆栈 ss:[0018FD0C]=00000032 准备写入50次了，实际上写入49次

ecx=056002DC, (UNICODE "TimesLeft3")

0041340D . BA 74B3B000 mov edx, 00B0B374 ; TimesLeft3

00413412 . 8D45 F0 lea eax, dword ptr [ebp-0x10]

00413415 . E8 92616E00 call 00AF95AC

0041341A . FF45 E0 inc dword ptr [ebp-0x20]

0041341D . 8B08 mov ecx, dword ptr [eax]

0041341F . 8D45 B8 lea eax, dword ptr [ebp-0x48]

00413422 . 51 push ecx

00413423 . 8B4D C0 mov ecx, dword ptr [ebp-0x40] ; 实际上写入49次

00413426 . 49 dec ecx ; 这句上是减1，故此注册表键值实际写入是49,我们娱乐改成INC +1,破法1

0044E0D0 . /7F 7F jg short 0044E151 破法2

00413441 . E8 62811600 call 0057B5A8

00413446 . FF4D E0 dec dword ptr [ebp-0x20] 这句F8时，可看到regworkshop中键值被写入 ，破法3

0041414C . BA B4B5B000 mov edx, 00B0B5B4 ; LicenseCode 显然这句很重要，启动时拦下！！

009AB0E2 . 68 8ED9BA00 push 00BAD98E ; @local_timestamp

0057B375 |. 8BC6 mov eax, esi 可能重要，下一句看到任务栏出现程序图标了，说明该下手了

：403cad call jmp .kernel32.isdebuggerpresent 反调试信息出现

若想完全注册也不难，代码不贴了，

直接上内存补丁

下载地址：http://ref.so/240z之后 就是注册版本了~~

RAR解包密码：爱你的人