[一起学算法一]图片合成器(Picture To Video Converte) V1.0 算法分析+简单爆破
【破文标题】[一起学算法]图片合成器(Picture To Video Converte) V1.0 算法分析+简单爆破+KeyGen【破文作者】lzover
【破解工具】PEiD,OD
【破解平台】DB.XP SP2
【软件名称】图片合成器(Picture To Video Converte)
【软件大小】992KB
【原版下载】http://www.onlinedown.net/soft/68027.htm
【保护方式】注册码
【软件简介】Picture To Video Converter 图片视频转换器是一个易于使用的工具,可以把多张图片配上过渡效果合成为一段视频。
【破解声明】我是小菜菜,只为学习,高人见谅了!
——————————————————————————————————————————————————————————
今天在群里面看到Tianxj老师叫我们分析一下冰糖老师发在软件仓库的一个软件Picture To Video Converte 1.0,冰糖老师已经发了注册机了,我们也拿来试试吧。PEiD查壳,无壳,暗暗高兴一下,嘿嘿(今天碰到2个UPX的壳脱不下,阴影了)。好,试着注册一下,发现有错误提示。不知道是否我的OD有问题,如果用OD载入直接运行,程序界面会变得很难看,图标全部变形变色,可能带了点反调试,也可能只是调试器载入方式的影响,这里没有深究。OK,既然不让我运行,那我就挂接(Attach)上去,挂接成功后下 bp MessageBoxA 断点,因为有错误提示;好,注册一下,断下了,返回到程序领空,开始分析:
; Registration check (OllyDbg dump, annotated).
; NOTE(review): the forum's BBCode parser stripped every bracketed memory operand
; ("dword ptr [esi+70]" became "dword ptr"); the operands quoted in the comments below are
; decoded from the opcode bytes in the second column, not taken from the original dump.
; What the code itself shows: [esi+70] = user-name string buffer, [esi+74] = registration-code
; buffer, [buf-0C] = string length (consistent with an ATL/MFC CString header), and every
; character access is a byte load. Stack slots used below:
;   X1=[esp+16] X2=[esp+11] X3=[esp+17] X4=[esp+18] X5=[esp+19]
;   code[0]=[esp+1A] code[1..4]=[esp+12..15] code[5]=[esp+1B] code[6]=al code[7]=cl
; Numbers such as "X1 = 4" in the original comments were the values for the author's own test name.
0041E0C0 .55 push ebp
0041E0C1 .8BF1 mov esi, ecx ;esi = ecx (this pointer, assuming __thiscall)
0041E0C3 .E8 F2E40100 call 0043C5BA ;author: fetches the registration code from the dialog (helper not shown, unverified)
0041E0C8 .8B46 70 mov eax, dword ptr ;eax = [esi+70] = user-name buffer
0041E0CB .8B78 F4 mov edi, dword ptr ;edi = [eax-0C] = user-name length
0041E0CE .83FF 02 cmp edi, 2 ;user name shorter than 2 -> fail
0041E0D1 .0F8D E0000000 jge 0041E1B7 ;length >= 2 continues at 0041E1B7
0041E0D7 .E8 58240200 call 00440534 ;failure path (helper not shown)
0041E0DC .8B10 mov edx, dword ptr ;edx = [eax]
[省略若干代码]
[省略若干代码]
[省略若干代码]
0041E1C0 .53 push ebx
0041E1C1 .0F8D AF000000 jge 0041E276 ;author: registration code shorter than 8 -> fail (the cmp is in the omitted code)
0041E1C7 .E8 68230200 call 00440534 ;failure path
0041E1CC .8B10 mov edx, dword ptr ;edx = [eax]
0041E1CE .8BC8 mov ecx, eax
[省略若干代码]
[省略若干代码]
[省略若干代码]
0041E27C .85C9 test ecx, ecx ;index range check (index < 0 ?)
0041E27E .7D 0A jge short 0041E28A
0041E280 .68 57000780 push 80070057 ;E_INVALIDARG
0041E285 .E8 7630FEFF call 00401300 ;throw helper; this push/call pair repeats before every character access and looks like CString::GetAt's range check (unverified)
0041E28A >8A10 mov dl, byte ptr ;dl = [eax] = name[0]
0041E28C .8B46 70 mov eax, dword ptr ;eax = [esi+70] = name buffer
0041E28F .3968 F4 cmp dword ptr , ebp ;[eax-0C] (length) vs ebp, presumably the index 1
0041E292 .7D 0A jge short 0041E29E
0041E294 .68 57000780 push 80070057 ;E_INVALIDARG
0041E299 .E8 6230FEFF call 00401300
0041E29E >8A40 01 mov al, byte ptr ;al = [eax+1] = name[1]
0041E2A1 .884424 11 mov byte ptr , al ;[esp+11] = name[1] (temporary; the slot is reused for X2 below)
0041E2A5 .8B46 70 mov eax, dword ptr ;eax = [esi+70] = name buffer
0041E2A8 .8B48 F4 mov ecx, dword ptr ;ecx = [eax-0C] = length
0041E2AB .85C9 test ecx, ecx ;range check for index 0
0041E2AD .7D 0A jge short 0041E2B9
0041E2AF .68 57000780 push 80070057 ;E_INVALIDARG
0041E2B4 .E8 4730FEFF call 00401300
0041E2B9 >8B4E 70 mov ecx, dword ptr ;ecx = [esi+70] = name buffer
0041E2BC .8A18 mov bl, byte ptr ;bl = [eax] = name[0] (second copy)
0041E2BE .3969 F4 cmp dword ptr , ebp ;[ecx-0C] (length) vs index 1
0041E2C1 .7D 0A jge short 0041E2CD
0041E2C3 .68 57000780 push 80070057 ;E_INVALIDARG
0041E2C8 .E8 3330FEFF call 00401300
0041E2CD >0FB6C2 movzx eax, dl ;eax = name[0] (zero-extended byte)
0041E2D0 .83C8 50 or eax, 50 ;eax |= 0x50
0041E2D3 .99 cdq ;sign-extend eax into edx:eax (edx = 0 here, eax is a small positive)
0041E2D4 .BD 0A000000 mov ebp, 0A ;ebp = 10
0041E2D9 .F7FD idiv ebp ;eax = quotient, edx = (name[0] | 0x50) % 10
0041E2DB .0FB64424 11 movzx eax, byte ptr ;eax = [esp+11] = name[1]
0041E2E0 .83C8 48 or eax, 48 ;eax |= 0x48
0041E2E3 .885424 16 mov byte ptr , dl ;X1 = [esp+16] = (name[0] | 0x50) % 10   (author's test: 4)
0041E2E7 .99 cdq
0041E2E8 .F7FD idiv ebp ;edx = (name[1] | 0x48) % 10
0041E2EA .0FB6C3 movzx eax, bl ;eax = name[0]
0041E2ED .83C8 4F or eax, 4F ;eax |= 0x4F
0041E2F0 .8BDD mov ebx, ebp ;ebx = 10
0041E2F2 .885424 11 mov byte ptr , dl ;X2 = [esp+11] = (name[1] | 0x48) % 10   (author's test: 2)
0041E2F6 .99 cdq
0041E2F7 .F7FB idiv ebx ;edx = (name[0] | 0x4F) % 10
0041E2F9 .0FB641 01 movzx eax, byte ptr ;eax = [ecx+1] = name[1]
0041E2FD .83C8 54 or eax, 54 ;eax |= 0x54
0041E300 .8BCD mov ecx, ebp ;ecx = 10
0041E302 .885424 17 mov byte ptr , dl ;X3 = [esp+17] = (name[0] | 0x4F) % 10   (author's test: 1)
0041E306 .99 cdq
0041E307 .F7F9 idiv ecx ;edx = (name[1] | 0x54) % 10
0041E309 .33C0 xor eax, eax ;sum = 0
0041E30B .33C9 xor ecx, ecx ;i = 0
0041E30D .85FF test edi, edi ;edi = name length
0041E30F .885424 18 mov byte ptr , dl ;X4 = [esp+18] = (name[1] | 0x54) % 10   (author's test: 6)
0041E313 .7E 1F jle short 0041E334 ;empty name: skip the loop (cannot happen after the >= 2 check above)
0041E315 >85C9 test ecx, ecx ;loop: range check i >= 0
0041E317 .0F8C E6000000 jl 0041E403
0041E31D .8B56 70 mov edx, dword ptr ;edx = [esi+70] = name buffer
0041E320 .3B4A F4 cmp ecx, dword ptr ;i vs [edx-0C] (length)
0041E323 .0F8F DA000000 jg 0041E403
0041E329 .0FB6140A movzx edx, byte ptr ;edx = [edx+ecx] = name[i] as an unsigned byte
0041E32D .03C2 add eax, edx ;sum += name[i]
0041E32F .41 inc ecx ;i++
0041E330 .3BCF cmp ecx, edi
0041E332 .^ 7C E1 jl short 0041E315 ;loop while i < length   (author's test: sum = 0x2A2)
0041E334 >99 cdq
0041E335 .B9 0A000000 mov ecx, 0A
0041E33A .F7F9 idiv ecx ;edx = sum % 10
0041E33C .8B46 74 mov eax, dword ptr ;eax = [esi+74] = registration-code buffer
0041E33F .8B48 F4 mov ecx, dword ptr ;ecx = [eax-0C] = code length
0041E342 .85C9 test ecx, ecx ;range check for index 0
0041E344 .885424 19 mov byte ptr , dl ;X5 = [esp+19] = sum % 10   (author's test: 4)
0041E348 .7D 0A jge short 0041E354
0041E34A .68 57000780 push 80070057 ;E_INVALIDARG
0041E34F .E8 AC2FFEFF call 00401300
0041E354 >8A10 mov dl, byte ptr ;dl = [eax] = code[0]
0041E356 .8B4E 74 mov ecx, dword ptr ;ecx = [esi+74]
0041E359 .8379 F4 01 cmp dword ptr , 1 ;[ecx-0C] (length) vs index 1
0041E35D .885424 1A mov byte ptr , dl ;[esp+1A] = code[0]
0041E361 .7D 0A jge short 0041E36D
0041E363 .68 57000780 push 80070057 ;E_INVALIDARG
0041E368 .E8 932FFEFF call 00401300
0041E36D >8A41 01 mov al, byte ptr ;al = [ecx+1] = code[1]
0041E370 .8B4E 74 mov ecx, dword ptr ;ecx = [esi+74]
0041E373 .884424 12 mov byte ptr , al ;[esp+12] = code[1]
0041E377 .8379 F4 02 cmp dword ptr , 2 ;length vs index 2
0041E37B .7D 0A jge short 0041E387
0041E37D .68 57000780 push 80070057 ;E_INVALIDARG
0041E382 .E8 792FFEFF call 00401300
0041E387 >8A49 02 mov cl, byte ptr ;cl = [ecx+2] = code[2]
0041E38A .884C24 13 mov byte ptr , cl ;[esp+13] = code[2]
0041E38E .8B4E 74 mov ecx, dword ptr ;ecx = [esi+74]
0041E391 .8379 F4 03 cmp dword ptr , 3 ;length vs index 3
0041E395 .7D 0A jge short 0041E3A1
0041E397 .68 57000780 push 80070057 ;E_INVALIDARG
0041E39C .E8 5F2FFEFF call 00401300
0041E3A1 >8A41 03 mov al, byte ptr ;al = [ecx+3] = code[3]
0041E3A4 .8B4E 74 mov ecx, dword ptr ;ecx = [esi+74]
0041E3A7 .884424 14 mov byte ptr , al ;[esp+14] = code[3]
0041E3AB .8379 F4 04 cmp dword ptr , 4 ;length vs index 4
0041E3AF .7D 0A jge short 0041E3BB
0041E3B1 .68 57000780 push 80070057 ;E_INVALIDARG
0041E3B6 .E8 452FFEFF call 00401300
0041E3BB >8A49 04 mov cl, byte ptr ;cl = [ecx+4] = code[4]   (the original comment "2nd char into AL" was wrong)
0041E3BE .884C24 15 mov byte ptr , cl ;[esp+15] = code[4]
0041E3C2 .8B4E 74 mov ecx, dword ptr ;ecx = [esi+74]
0041E3C5 .8379 F4 05 cmp dword ptr , 5 ;length vs index 5
0041E3C9 .7D 0A jge short 0041E3D5
0041E3CB .68 57000780 push 80070057 ;E_INVALIDARG
0041E3D0 .E8 2B2FFEFF call 00401300
0041E3D5 >8A41 05 mov al, byte ptr ;al = [ecx+5] = code[5]
0041E3D8 .8B4E 74 mov ecx, dword ptr ;ecx = [esi+74]
0041E3DB .8B79 F4 mov edi, dword ptr ;edi = [ecx-0C] = code length
0041E3DE .83FF 06 cmp edi, 6 ;length vs index 6
0041E3E1 .884424 1B mov byte ptr , al ;[esp+1B] = code[5]
0041E3E5 .7D 0A jge short 0041E3F1
0041E3E7 .68 57000780 push 80070057 ;E_INVALIDARG
0041E3EC .E8 0F2FFEFF call 00401300
0041E3F1 >8B7E 74 mov edi, dword ptr ;edi = [esi+74] = code buffer
0041E3F4 .8B6F F4 mov ebp, dword ptr ;ebp = [edi-0C] = code length
0041E3F7 .8A41 06 mov al, byte ptr ;al = [ecx+6] = code[6] (kept in al until the compare at 0041E4A7)
0041E3FA .BB 07000000 mov ebx, 7
0041E3FF .3BEB cmp ebp, ebx ;length vs index 7
0041E401 .7D 0A jge short 0041E40D
0041E403 >68 57000780 push 80070057 ;E_INVALIDARG (shared with the loop's range checks above)
0041E408 .E8 F32EFEFF call 00401300
0041E40D >8A4F 07 mov cl, byte ptr ;cl = [edi+7] = code[7] (kept in cl until 0041E4AF)
0041E410 .0FB66C24 16 movzx ebp, byte ptr ;ebp = [esp+16] = X1
0041E415 .0FB6FA movzx edi, dl ;edi = code[0] (dl still holds it)
0041E418 .83EF 30 sub edi, 30 ;ASCII digit -> value
0041E41B .3BEF cmp ebp, edi ;X1 == code[0] - '0' ?
0041E41D .75 48 jnz short 0041E467 ;mismatch: go straight to the fixed-code compare (dl already = code[0])
0041E41F .0FB65424 12 movzx edx, byte ptr ;edx = [esp+12] = code[1]
0041E424 .0FB67C24 11 movzx edi, byte ptr ;edi = [esp+11] = X2
0041E429 .83EA 30 sub edx, 30
0041E42C .3BFA cmp edi, edx
0041E42E .75 33 jnz short 0041E463 ;X2 != code[1]: reload code[0], then try the fixed code
0041E430 .0FB65424 13 movzx edx, byte ptr ;edx = [esp+13] = code[2]
0041E435 .0FB67C24 17 movzx edi, byte ptr ;edi = [esp+17] = X3
0041E43A .83EA 30 sub edx, 30
0041E43D .3BFA cmp edi, edx
0041E43F .75 22 jnz short 0041E463 ;X3 != code[2]
0041E441 .0FB65424 14 movzx edx, byte ptr ;edx = [esp+14] = code[3]
0041E446 .0FB67C24 18 movzx edi, byte ptr ;edi = [esp+18] = X4
0041E44B .83EA 30 sub edx, 30
0041E44E .3BFA cmp edi, edx
0041E450 .75 11 jnz short 0041E463 ;X4 != code[3]
0041E452 .0FB65424 15 movzx edx, byte ptr ;edx = [esp+15] = code[4]
0041E457 .0FB67C24 19 movzx edi, byte ptr ;edi = [esp+19] = X5
0041E45C .83EA 30 sub edx, 30
0041E45F .3BFA cmp edi, edx
0041E461 .74 55 je short 0041E4B8 ;all five check digits match -> success; code[5..7] are never compared on this path
0041E463 >8A5424 1A mov dl, byte ptr ;dl = [esp+1A] = code[0] (edx was clobbered above)
0041E467 >80FA 35 cmp dl, 35 ;second path, hard-coded master code: code[0] == '5'
0041E46A .0F85 D7000000 jnz 0041E547 ;any mismatch -> fail
0041E470 .807C24 12 31cmp byte ptr , 31 ;[esp+12] = code[1] == '1'
0041E475 .0F85 CC000000 jnz 0041E547
0041E47B .807C24 13 38cmp byte ptr , 38 ;[esp+13] = code[2] == '8'
0041E480 .0F85 C1000000 jnz 0041E547
0041E486 .807C24 14 39cmp byte ptr , 39 ;[esp+14] = code[3] == '9'
0041E48B .0F85 B6000000 jnz 0041E547
0041E491 .807C24 15 37cmp byte ptr , 37 ;[esp+15] = code[4] == '7'
0041E496 .0F85 AB000000 jnz 0041E547
0041E49C .807C24 1B 36cmp byte ptr , 36 ;[esp+1B] = code[5] == '6'
0041E4A1 .0F85 A0000000 jnz 0041E547
0041E4A7 .3C 31 cmp al, 31 ;code[6] == '1'
0041E4A9 .0F85 98000000 jnz 0041E547
0041E4AF .80F9 38 cmp cl, 38 ;code[7] == '8' -> the master code is "51897618", accepted for any name of length >= 2
0041E4B2 .0F85 8F000000 jnz 0041E547
0041E4B8 >6A 6A push 6A ;success path; 0x6A = 106 is an argument of the call below (helper not shown)
0041E4BA .8D4424 24 lea eax, dword ptr ;eax = &[esp+24]
0041E4BE .50 push eax
0041E4BF .B9 081F4900 mov ecx, 00491F08
0041E4C4 .E8 5719FFFF call 0040FE20
0041E4C9 .8B00 mov eax, dword ptr ;eax = [eax]
0041E4CB .6A 00 push 0
0041E4CD .68 805D4500 push 00455D80 ;ASCII "OK"
0041E4D2 .50 push eax
0041E4D3 .8BCE mov ecx, esi ;this
0041E4D5 .C74424 3C 060>mov dword ptr , 6 ;[esp+3C] = 6
0041E4DD .E8 7AE00100 call 0043C55C ;author: shows the "registered" message (helper not shown, unverified)
0041E4E2 .8D4C24 20 lea ecx, dword ptr ;ecx = &[esp+20]
0041E4E6 .C74424 30 FFF>mov dword ptr , -1 ;[esp+30] = -1
0041E4EE .E8 BD52FEFF call 004037B0 ;temporary cleanup (helper not shown)
0041E4F3 .8B7E 70 mov edi, dword ptr ;edi = [esi+70] = user name
0041E4F6 .E8 8BBF0200 call 0044A486 ;author: registry write; with the "Option"/"username" arguments below this looks like CWinApp::WriteProfileString (unverified)
0041E4FB .8B40 04 mov eax, dword ptr ;eax = [eax+4]
0041E4FE .57 push edi ;value = user name
0041E4FF .68 B8524500 push 004552B8 ;ASCII "username" (entry)
0041E504 .68 103C4500 push 00453C10 ;ASCII "Option" (section)
0041E509 .8BC8 mov ecx, eax
0041E50B .E8 75800200 call 00446585
0041E510 .8B7E 74 mov edi, dword ptr ;edi = [esi+74] = registration code
0041E513 .E8 6EBF0200 call 0044A486
0041E518 .8B40 04 mov eax, dword ptr ;eax = [eax+4]
0041E51B .57 push edi ;value = registration code
0041E51C .68 A4524500 push 004552A4 ;ASCII "registration_code" (entry)
0041E521 .68 103C4500 push 00453C10 ;ASCII "Option" (section) - the listing stops here; the matching call and the rest of the function are not shown
OK,到这里已经可以分析出来了:软件通过用户输入的用户名、注册码来进行授权验证,以用户名为基础进行计算。这个算法太过简单:首先判断用户名位数是否小于2,大于等于2即合法,于是算法部分就被局限了,只用用户名的第1、2位分别 OR 上一个常数再对10取余得到4位,再加上一个把用户名全部ASCII码累加后对10取余的位,一共只有5位校验位(注册码的第6~8位在这条路径上根本不比较),相对过于简单了些,呵呵。而且根据后面的对比可以看出,居然还存在一组固定的万能注册码51897618,对任意用户名都能注册成功,注册成功则将注册信息写入注册表。从安全角度看,把这样一个固定的后门码直接编译进程序里是最弱的一环:任何人用调试器或者直接比对字节都能把它找出来,然后随意传播。不知道这组万能注册码能否通过重启验证,OK,下面来试试。
=================================================================================================================
前面已经看到有一组固定的注册码能够注册成功,那是否会通过重启验证呢?这里我下的是 bp RegQueryValueExA 断点,拦截软件读取注册表时调用的API,然后看到启动部分的验证:
注册表地址:HKEY_CURRENT_USER\Software\WEQSOFT\pic2video\Option
; Start-up re-check of the stored name/code (OllyDbg dump, annotated). The same five computed
; digits and the same fixed code as in the registration routine, only the stack slots differ:
;   X1=[esp+1A] X2=[esp+12] X3=[esp+18] X4=[esp+16] X5=[esp+1B]
;   code[0]=[esp+19] (also bl) code[1..3]=[esp+13..15] code[4]=al code[5]=[esp+17] code[6]=dl code[7]=cl
; bl, al and dl are loaded above this excerpt. Bracketed operands were stripped by the forum and
; are restored in the comments from the opcode bytes.
0041AAC0|> \8A4F 07 mov cl, byte ptr ;cl = [edi+7] = code[7]
0041AAC3|.0FB67C24 1A movzx edi, byte ptr ;edi = [esp+1A] = X1
0041AAC8|.0FB6F3 movzx esi, bl ;esi = code[0]
0041AACB|.83EE 30 sub esi, 30 ;ASCII digit -> value
0041AACE|.3BFE cmp edi, esi ;X1 == code[0] - '0' ?
0041AAD0|.75 46 jnz short 0041AB18 ;mismatch: straight to the fixed-code compare (bl still = code[0])
0041AAD2|.0FB67424 13 movzx esi, byte ptr ;esi = [esp+13] = code[1]
0041AAD7|.0FB67C24 12 movzx edi, byte ptr ;edi = [esp+12] = X2
0041AADC|.83EE 30 sub esi, 30
0041AADF|.3BFE cmp edi, esi
0041AAE1|.75 31 jnz short 0041AB14 ;X2 != code[1]
0041AAE3|.0FB67424 14 movzx esi, byte ptr ;esi = [esp+14] = code[2]
0041AAE8|.0FB67C24 18 movzx edi, byte ptr ;edi = [esp+18] = X3
0041AAED|.83EE 30 sub esi, 30
0041AAF0|.3BFE cmp edi, esi
0041AAF2|.75 20 jnz short 0041AB14 ;X3 != code[2]
0041AAF4|.0FB67424 15 movzx esi, byte ptr ;esi = [esp+15] = code[3]
0041AAF9|.0FB67C24 16 movzx edi, byte ptr ;edi = [esp+16] = X4
0041AAFE|.83EE 30 sub esi, 30
0041AB01|.3BFE cmp edi, esi
0041AB03|.75 0F jnz short 0041AB14 ;X4 != code[3]
0041AB05|.0FB67C24 1B movzx edi, byte ptr ;edi = [esp+1B] = X5
0041AB0A|.0FB6F0 movzx esi, al ;esi = code[4]
0041AB0D|.83EE 30 sub esi, 30
0041AB10|.3BFE cmp edi, esi
0041AB12|.74 33 je short 0041AB47 ;all five match -> registered
0041AB14|>8A5C24 19 mov bl, byte ptr ;bl = [esp+19] = code[0] (reload)
0041AB18|>80FB 35 cmp bl, 35 ;fixed master code, the same "51897618" as at registration: code[0] == '5'
0041AB1B|.75 39 jnz short 0041AB56 ;any mismatch -> not registered
0041AB1D|.807C24 13 31cmp byte ptr , 31 ;[esp+13] = code[1] == '1'
0041AB22|.75 32 jnz short 0041AB56
0041AB24|.807C24 14 38cmp byte ptr , 38 ;[esp+14] = code[2] == '8'
0041AB29|.75 2B jnz short 0041AB56
0041AB2B|.807C24 15 39cmp byte ptr , 39 ;[esp+15] = code[3] == '9'
0041AB30|.75 24 jnz short 0041AB56
0041AB32|.3C 37 cmp al, 37 ;code[4] == '7'
0041AB34|.75 20 jnz short 0041AB56
0041AB36|.807C24 17 36cmp byte ptr , 36 ;[esp+17] = code[5] == '6'
0041AB3B|.75 19 jnz short 0041AB56
0041AB3D|.80FA 31 cmp dl, 31 ;code[6] == '1'
0041AB40|.75 14 jnz short 0041AB56
0041AB42|.80F9 38 cmp cl, 38 ;code[7] == '8'
0041AB45|.75 0F jnz short 0041AB56
0041AB47|>8B4424 20 mov eax, dword ptr ;registered: eax = [esp+20]
0041AB4B|.89A8 78910400 mov dword ptr , ebp ;[eax+49178] = ebp - presumably the "registered" flag; ebp's value is set above this excerpt (unverified)
0041AB51|.E9 97000000 jmp 0041ABED
很明显地看到了,这一段的比较和注册部分是一样的(只是用的栈槽位置不同),于是得出:只要用户名位数大于等于2,注册码为51897618同样可以通过重启验证,呵呵。不知道软件作者搞个万能注册码的意图为何——可能是留给自己或测试用的,但任何固定在程序里的万能码都等于把钥匙交给了所有人。
======================================================================================================
下面看看爆破,似乎也不难:两处验证嘛,一处是注册部分,一处是重启验证部分。OK,改一下跳转就OK了(注意:爆破只是把两条 jnz 改成无条件跳到成功分支,前面逐位取注册码时的那些边界检查(push 80070057 那几处)并没有改,所以输入的注册码仍然要够长才能走到被改的那条指令):
(1)注册部分
0041E46A /0F85 D7000000jnz 0041E547 ;original: 6-byte near jnz to the failure path; replaced by
0041E46A /EB 4C jmp short 0041E4B8 ;2-byte jmp: 0041E46C + 4C = 0041E4B8 (success path), taken for every input
0041E46C |90 nop ;the 4 bytes left over from the old 6-byte jnz are padded with NOPs so the instruction stream stays valid
0041E46D |90 nop
0041E46E |90 nop
0041E46F |90 nop
(2)重起部分
0041AB1B|. /75 39 jnz short 0041AB56 ;original: 2-byte short jnz to "not registered"; replaced by
0041AB1B /EB 2A jmp short 0041AB47 ;2-byte jmp: 0041AB1D + 2A = 0041AB47 (registered); same size, so no NOP padding is needed
OK了,保存一下试运行文件,啊,怎么变英文版了,汗~~ - -!!!!别急,先把原来的文件备份好,然后把修改后的文件改为和原来那个一样的文件名,再打开看看,是不是中文版了(看来程序可能是按自身文件名来选语言资源的,没有深究),呵呵。。。随便输入用户名和注册码,OK了,额~~~不过注册码只能输入数字哈,太晚了我就先不改这些了,睡觉睡觉!
**********************************************************************************************
下面是用VB写的注册机源码和KeyGen,大家可以对照着算法看看,简单死了。
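' Key generator for Picture To Video Converter 1.0, reconstructed from the
' registration routine at 0041E2CD-0041E461: five check digits derived from the
' first two bytes of the user name and from the byte sum of the whole name,
' followed by three digits the program never compares on the computed path.
'
' Why bytes instead of Asc()/Mid()/Len(): the program appears to read the name
' from an ANSI string one byte at a time (movzx byte ptr) and uses its byte
' length, so a double-byte (e.g. GBK) user name has to be turned into the same
' ANSI bytes here. On the Unicode VB string Asc() can return the 16-bit DBCS
' code (a negative Integer) and Mod would then give a negative digit.
' NOTE(review): confirm against the program with a non-ASCII user name.
'
' UserName: the user name as typed (at least two ANSI bytes, checked by the caller).
' Returns:  the 8-character registration code as a String.
Private Function MakeKey(ByVal UserName As String) As String
    Dim b() As Byte
    Dim i As Long
    Dim total As Long
    Dim x1 As Long, x2 As Long, x3 As Long, x4 As Long, x5 As Long

    b = StrConv(UserName, vbFromUnicode)   ' ANSI bytes, the same the program sees

    x1 = (b(0) Or &H50) Mod 10             ' or eax, 50h / idiv 10 at 0041E2D0
    x2 = (b(1) Or &H48) Mod 10             ' or eax, 48h
    x3 = (b(0) Or &H4F) Mod 10             ' or eax, 4Fh
    x4 = (b(1) Or &H54) Mod 10             ' or eax, 54h

    total = 0
    For i = LBound(b) To UBound(b)
        total = total + b(i)               ' loop at 0041E315: add eax, edx
    Next i
    x5 = total Mod 10

    ' digits 6-8 are not compared on the computed path; "777" is arbitrary filler
    MakeKey = CStr(x1) & CStr(x2) & CStr(x3) & CStr(x4) & CStr(x5) & "777"
End Function

' "Generate" button: fills Text2 with the key for the name in Text1 and Text3
' with the fixed master code the program also accepts for any user name.
Private Sub Command1_Click()
    Dim UserName As String
    UserName = Text1.Text

    ' the program rejects names shorter than 2 bytes (cmp edi, 2) before computing anything
    If LenB(StrConv(UserName, vbFromUnicode)) < 2 Then
        MsgBox "请输入2位以上用户名!", , "友情提醒"
    Else
        Text2.Text = MakeKey(UserName)
        ' hard-coded master code compared byte by byte at 0041E467-0041E4B2
        Text3.Text = "51897618"
        MsgBox "本KG仅供学习,请勿用于商业利益!", , "友情提醒"
    End If
End Sub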
' "Exit" button: End stops the program immediately (no Unload/cleanup needed here).
Private Sub Command2_Click()
End
End Sub
***************************************************************************************************