Power Video Converter 2.2.1 算法分析
【破文标题】Power Video Converter 2.2.1算法分析
【破文作者】creantan
【作者邮箱】[email protected]
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】Power Video Converter 2.2.1
【软件大小】6231KB
【软件类别】国外软件/视频转换
【软件授权】共享版
【软件语言】英文
【运行环境】Win9x/Me/NT/2000/XP/2003
【更新时间】2009-1-6
【原版下载】http://www.newhua.com/soft/29607.htm
【保护方式】注册码
【软件简介】 Power Video Converter可以在AVi, MPEG1, MPEG2, VCD, SVCD, DVD, WMV, ASF, DAT, VOB文件格式之间进行转换,同时具有很快的转换速度和友好的使用界面。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
PEID上显示Microsoft Visual C++ 6.0
试着注册有错误提示。。。下断 bp MessageBoxA
断点后回到用户代码,向上找到关键算法。。。。
; Debugger listing of two routines: the caller at 00423750 and, between the
; braces, the routine at 00423510 that it calls at 004237CE.
; NOTE: the memory operands after "dword ptr" / "byte ptr" are missing from this
; copy of the listing; where a stack offset matters it can still be read from the
; instruction bytes in the second column (e.g. 8B6C24 0C = mov ebp, [esp+0C]).
; Result: 00423510 returns 1 in eax when _mbscmp reports a match and 0 otherwise;
; 00423750 turns that into 0/1 with the neg/sbb/neg sequence at 004237D6.
00423750/$53 push ebx
00423751|.55 push ebp ;
00423752|.8B6C24 0C mov ebp, dword ptr
00423756|.56 push esi
00423757|.57 push edi
00423758|.BE ECD24300 mov esi, 0043D2EC
0042375D|.8BC5 mov eax, ebp
0042375F|>8A10 /mov dl, byte ptr ;check whether the user name is empty (byte-wise compare with the constant at 0043D2EC)
00423761|.8A1E |mov bl, byte ptr
00423763|.8ACA |mov cl, dl
00423765|.3AD3 |cmp dl, bl
00423767|.75 1E |jnz short 00423787
00423769|.84C9 |test cl, cl
0042376B|.74 16 |je short 00423783
0042376D|.8A50 01 |mov dl, byte ptr
00423770|.8A5E 01 |mov bl, byte ptr
00423773|.8ACA |mov cl, dl
00423775|.3AD3 |cmp dl, bl
00423777|.75 0E |jnz short 00423787
00423779|.83C0 02 |add eax, 2
0042377C|.83C6 02 |add esi, 2
0042377F|.84C9 |test cl, cl
00423781|.^ 75 DC \jnz short 0042375F
00423783|>33C0 xor eax, eax
00423785|.EB 05 jmp short 0042378C
00423787|>1BC0 sbb eax, eax
00423789|.83D8 FF sbb eax, -1
0042378C|>85C0 test eax, eax
0042378E|.74 51 je short 004237E1 ;compare result 0 (strings equal): take the exit that returns 0
00423790|.8B7C24 18 mov edi, dword ptr
00423794|.BE ECD24300 mov esi, 0043D2EC
00423799|.8BC7 mov eax, edi
0042379B|>8A10 /mov dl, byte ptr ;check whether the entered serial is empty (same compare against 0043D2EC)
0042379D|.8A1E |mov bl, byte ptr
0042379F|.8ACA |mov cl, dl
004237A1|.3AD3 |cmp dl, bl
004237A3|.75 1E |jnz short 004237C3
004237A5|.84C9 |test cl, cl
004237A7|.74 16 |je short 004237BF
004237A9|.8A50 01 |mov dl, byte ptr
004237AC|.8A5E 01 |mov bl, byte ptr
004237AF|.8ACA |mov cl, dl
004237B1|.3AD3 |cmp dl, bl
004237B3|.75 0E |jnz short 004237C3
004237B5|.83C0 02 |add eax, 2
004237B8|.83C6 02 |add esi, 2
004237BB|.84C9 |test cl, cl
004237BD|.^ 75 DC \jnz short 0042379B
004237BF|>33C0 xor eax, eax
004237C1|.EB 05 jmp short 004237C8
004237C3|>1BC0 sbb eax, eax
004237C5|.83D8 FF sbb eax, -1
004237C8|>85C0 test eax, eax
004237CA|.74 15 je short 004237E1
004237CC|.57 push edi ;push the entered serial
004237CD|.55 push ebp ;push the user name
004237CE|.E8 3DFDFFFF call 00423510 ;the key routine (listed between the braces below)
{
00423510/$6A FF push -1
00423512|.68 D0EE4200 push 0042EED0 ;SE handler installation
00423517|.64:A1 0000000>mov eax, dword ptr fs:
0042351D|.50 push eax
0042351E|.64:8925 00000>mov dword ptr fs:, esp
00423525|.83EC 14 sub esp, 14
00423528|.8B4424 24 mov eax, dword ptr
0042352C|.53 push ebx
0042352D|.55 push ebp
0042352E|.56 push esi
0042352F|.57 push edi
00423530|.50 push eax
00423531|.8D4C24 18 lea ecx, dword ptr
00423535|.E8 0E690000 call <jmp.&MFC42.#537>
0042353A|.33F6 xor esi, esi
0042353C|.8D4C24 14 lea ecx, dword ptr
00423540|.897424 2C mov dword ptr , esi
00423544|.E8 C56C0000 call <jmp.&MFC42.#6282>
00423549|.8D4C24 14 lea ecx, dword ptr
0042354D|.E8 B66C0000 call <jmp.&MFC42.#6283>
00423552|.6A 20 push 20
00423554|.8D4C24 18 lea ecx, dword ptr
00423558|.E8 A96B0000 call <jmp.&MFC42.#2915>
0042355D|.8B4C24 38 mov ecx, dword ptr ;fetch the entered serial
00423561|.8BD8 mov ebx, eax
00423563|.51 push ecx
00423564|.8D4C24 14 lea ecx, dword ptr
00423568|.E8 DB680000 call <jmp.&MFC42.#537>
0042356D|.8D4C24 10 lea ecx, dword ptr
00423571|.C64424 2C 01mov byte ptr , 1
00423576|.E8 936C0000 call <jmp.&MFC42.#6282>
0042357B|.8D4C24 10 lea ecx, dword ptr
0042357F|.E8 846C0000 call <jmp.&MFC42.#6283>
00423584|.6A 20 push 20
00423586|.8D4C24 14 lea ecx, dword ptr
0042358A|.E8 776B0000 call <jmp.&MFC42.#2915> ;fetch the entered serial
0042358F|.8BD0 mov edx, eax
00423591|.83C9 FF or ecx, FFFFFFFF ;ecx = -1, eax = 0, repne scas, not, dec: inline string-length count
00423594|.8BFA mov edi, edx
00423596|.33C0 xor eax, eax
00423598|.F2:AE repne scas byte ptr es:
0042359A|.F7D1 not ecx
0042359C|.49 dec ecx ;length of the entered serial
0042359D|.8BFB mov edi, ebx
0042359F|.8BE9 mov ebp, ecx
004235A1|.83C9 FF or ecx, FFFFFFFF
004235A4|.F2:AE repne scas byte ptr es:
004235A6|.F7D1 not ecx
004235A8|.49 dec ecx ;length of the user name
004235A9|.895424 20 mov dword ptr , edx
004235AD|.3BCD cmp ecx, ebp
004235AF|.0F87 64010000 ja 00423719 ;compare user-name length with entered-serial length
004235B5|.8BFB mov edi, ebx ;the entered serial must not be shorter than the user name
004235B7|.83C9 FF or ecx, FFFFFFFF
004235BA|.F2:AE repne scas byte ptr es:
004235BC|.F7D1 not ecx
004235BE|.49 dec ecx ;user-name length
004235BF|.0F84 54010000 je 00423719 ;check whether the length is 0
004235C5|.8BFA mov edi, edx
004235C7|.83C9 FF or ecx, FFFFFFFF
004235CA|.F2:AE repne scas byte ptr es:
004235CC|.F7D1 not ecx
004235CE|.49 dec ecx ;entered-serial length
004235CF|.0F84 44010000 je 00423719 ;check whether the entered-serial length is 0; if so, jump to the failure path
004235D5|.897424 38 mov dword ptr , esi ;pass counter at [esp+38] starts at 0 (esi was cleared at 0042353A)
004235D9|>8B5424 38 /mov edx, dword ptr ;load edx
004235DD|.8D4C24 34 |lea ecx, dword ptr
004235E1|.8A82 CCCD4300 |mov al, byte ptr
004235E7|.884424 18 |mov byte ptr , al
004235EB|.E8 A6650000 |call <jmp.&MFC42.#540>
004235F0|.8BFB |mov edi, ebx
004235F2|.83C9 FF |or ecx, FFFFFFFF ;//////////////////////////////////////
004235F5|.33C0 |xor eax, eax ;* key point: first part of the registration code *
004235F7|.33ED |xor ebp, ebp
004235F9|.F2:AE |repne scas byte ptr es:
004235FB|.F7D1 |not ecx ;user-name length
004235FD|.49 |dec ecx ;
004235FE|.C64424 2C 02|mov byte ptr , 2
00423603|.74 50 |je short 00423655
00423605|>8A0C2B |/mov cl, byte ptr ; take the user-name characters one at a time
00423608|.33F6 ||xor esi, esi
0042360A|.B8 64CD4300 ||mov eax, 0043CD64 ;fixed string
0042360F|>3A08 ||/cmp cl, byte ptr ;search for the character in the string
00423611|.74 0D |||je short 00423620 ;leave the search loop on a match
00423613|.83C0 02 |||add eax, 2 ;eax+=2
00423616|.46 |||inc esi ;esi++, used below to index the string
00423617|.3D CCCD4300 |||cmp eax, 0043CDCC ;ASCII "vMw"
0042361C|.^ 7C F1 ||\jl short 0042360F
0042361E|.EB 11 ||jmp short 00423631
00423620|>8A0C75 65CD43>||mov cl, byte ptr ;fetch the character
00423627|.51 ||push ecx
00423628|.8D4C24 38 ||lea ecx, dword ptr
0042362C|.E8 F3670000 ||call <jmp.&MFC42.#940> ;append the fetched character to the string
00423631|>83FE 34 ||cmp esi, 34
00423634|.75 0E ||jnz short 00423644
00423636|.8B5424 18 ||mov edx, dword ptr
0042363A|.8D4C24 34 ||lea ecx, dword ptr
0042363E|.52 ||push edx
0042363F|.E8 E0670000 ||call <jmp.&MFC42.#940>
00423644|>8BFB ||mov edi, ebx
00423646|.83C9 FF ||or ecx, FFFFFFFF
00423649|.33C0 ||xor eax, eax
0042364B|.45 ||inc ebp
0042364C|.F2:AE ||repne scas byte ptr es: ;string length
0042364E|.F7D1 ||not ecx
00423650|.49 ||dec ecx
00423651|.3BE9 ||cmp ebp, ecx
00423653|.^ 72 B0 |\jb short 00423605
00423655|>8B4424 34 |mov eax, dword ptr
00423659|.8B48 F8 |mov ecx, dword ptr ;reads [eax-8]; presumably the length field of the string built above
0042365C|.83F9 10 |cmp ecx, 10
0042365F|.7D 3A |jge short 0042369B ;16 (0x10) or more: skip the second part
00423661|.8BC1 |mov eax, ecx
00423663|.B9 10000000 |mov ecx, 10
00423668|.2BC8 |sub ecx, eax
0042366A|.8D5424 1C |lea edx, dword ptr
0042366E|.51 |push ecx ;* key point: second part of the registration code *
0042366F|.52 |push edx
00423670|.B9 40D64300 |mov ecx, 0043D640 ;fixed string ESqNCdaYoDciekuS
00423675|.E8 AC650000 |call <jmp.&MFC42.#4129> ;take a substring sized from the user-name length
0042367A|.50 |push eax
0042367B|.8D4C24 38 |lea ecx, dword ptr
0042367F|.C64424 30 03|mov byte ptr , 3
00423684|.E8 95670000 |call <jmp.&MFC42.#939> ;concatenate the two parts
00423689|.8D4C24 1C |lea ecx, dword ptr
0042368D|.C64424 2C 02|mov byte ptr , 2
00423692|.E8 F3640000 |call <jmp.&MFC42.#800>
00423697|.8B4424 34 |mov eax, dword ptr
0042369B|>8B4C24 20 |mov ecx, dword ptr
0042369F|.51 |push ecx ; /entered serial
004236A0|.50 |push eax ; |the concatenated string
004236A1|.FF15 AC064300 |call dword ptr [<&MSVCRT._mbscmp>] ; \compare the strings
004236A7|.83C4 08 |add esp, 8
004236AA|.85C0 |test eax, eax
004236AC|.74 24 |je short 004236D2 ;_mbscmp returned 0: go to the path that sets esi = 1
004236AE|.8D4C24 34 |lea ecx, dword ptr
004236B2|.33F6 |xor esi, esi
004236B4|.C64424 2C 01|mov byte ptr , 1
004236B9|.E8 CC640000 |call <jmp.&MFC42.#800>
004236BE|.8B4424 38 |mov eax, dword ptr
004236C2|.40 |inc eax
004236C3|.83F8 03 |cmp eax, 3
004236C6|.894424 38 |mov dword ptr , eax
004236CA|.^ 0F8C 09FFFFFF \jl 004235D9 ;pass counter at [esp+38] incremented; repeat while it is below 3
004236D0|.EB 13 jmp short 004236E5
004236D2|>8D4C24 34 lea ecx, dword ptr
004236D6|.BE 01000000 mov esi, 1
004236DB|.C64424 2C 01mov byte ptr , 1
004236E0|.E8 A5640000 call <jmp.&MFC42.#800>
004236E5|>8D4C24 10 lea ecx, dword ptr
004236E9|.C64424 2C 00mov byte ptr , 0
004236EE|.E8 97640000 call <jmp.&MFC42.#800>
004236F3|.8D4C24 14 lea ecx, dword ptr
004236F7|.C74424 2C FFF>mov dword ptr , -1
004236FF|.E8 86640000 call <jmp.&MFC42.#800>
00423704|.8BC6 mov eax, esi ;return value = esi (1 after a match, otherwise 0)
00423706|.5F pop edi
00423707|.5E pop esi
00423708|.5D pop ebp
00423709|.5B pop ebx
0042370A|.8B4C24 14 mov ecx, dword ptr
0042370E|.64:890D 00000>mov dword ptr fs:, ecx
00423715|.83C4 20 add esp, 20
00423718|.C3 retn
00423719|>8D4C24 10 lea ecx, dword ptr ;failure path reached from the length checks above
0042371D|.C64424 2C 00mov byte ptr , 0
00423722|.E8 63640000 call <jmp.&MFC42.#800>
00423727|.8D4C24 14 lea ecx, dword ptr
0042372B|.C74424 2C FFF>mov dword ptr , -1
00423733|.E8 52640000 call <jmp.&MFC42.#800>
00423738|.8B4C24 24 mov ecx, dword ptr
0042373C|.5F pop edi
0042373D|.5E pop esi
0042373E|.5D pop ebp
0042373F|.33C0 xor eax, eax ;return 0
00423741|.5B pop ebx
00423742|.64:890D 00000>mov dword ptr fs:, ecx
00423749|.83C4 20 add esp, 20
0042374C\.C3 retn
}
004237D3|.83C4 08 add esp, 8
004237D6|.F7D8 neg eax ;neg / sbb / neg: any non-zero eax becomes 1, zero stays 0
004237D8|.5F pop edi
004237D9|.5E pop esi
004237DA|.1BC0 sbb eax, eax
004237DC|.5D pop ebp
004237DD|.F7D8 neg eax
004237DF|.5B pop ebx
004237E0|.C3 retn
004237E1|>5F pop edi
004237E2|.5E pop esi
004237E3|.5D pop ebp
004237E4|.33C0 xor eax, eax ;return 0 (reached when either compare above reports equal strings)
004237E6|.5B pop ebx
004237E7\.C3 retn
【破解总结】
--------------------------------------------------------------
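【算法总结】
将用户名的每个字符在替换表"aGbmcldSemfkgEhcixjsktlYmbnkoDptqarfswtlujvDwIxPyZzXAPBoCKDgEyFmGtHaIrJqKNLQMUNuOGPJQLRnSbTCUFVHWoXwYEZpvMw"中查找(表中字符两两成对,前一个是被查找的字符,后一个是替换字符),把查到的替换字符依次连接;连接结果不足16位时,再接上固定串"ESqNCdaYoDciekuS"开头的若干字符补足16位,即得到注册码。整个校验只用到程序内嵌的这两个常量和用户名,不含任何密钥,且完全在本地完成。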
--------------------------------------------------------------
【算法注册机】
/// Button handler: fills m_serial from the text held in m_name.
///
/// Each character of m_name is looked up at the even positions of a constant
/// table; on the first match the character stored right after it is appended
/// to the result, and a character with no match appends nothing. The result
/// is then extended with the first (16 - name length) characters of a second
/// constant. UpdateData(true) runs before m_name is read and
/// UpdateData(false) after m_serial has been assigned.
///
/// Both constants are the strings the write-up reads out of the analysed
/// binary and the name is the only other input: the derivation involves no
/// secret, which is why it can be repeated outside the program.
void CKeyGenVideoDlg::OnKeyGen()
{
    // Constant table, read two characters at a time: lookup character, then output character.
    const CString pairTable = "aGbmcldSemfkgEhcixjsktlYmbnkoDptqarfswtlujvDwIxPyZzXAPBoCKDgEyFmGtHaIrJqKNLQMUNuOGPJQLRnSbTCUFVHWoXwYEZpvMw";
    // Constant whose leading characters are appended after the mapped part.
    const CString padSource = "ESqNCdaYoDciekuS";

    UpdateData(true);

    const int nameLen = m_name.GetLength();
    const int tableLen = pairTable.GetLength();

    CString mapped;
    for (int pos = 0; pos < nameLen; ++pos)
    {
        // Walk the even slots until the current name character is found or the table ends.
        int slot = 0;
        while (slot < tableLen && m_name.GetAt(pos) != pairTable.GetAt(slot))
        {
            slot += 2;
        }

        if (slot < tableLen)
        {
            mapped += pairTable.GetAt(slot + 1);
        }
    }

    m_serial = mapped + padSource.Mid(0, 16 - nameLen);
    UpdateData(false);
}
【注册信息】
用户名:creantan
注册码:lfmGklGkESqNCdaY
--------------------------------------------------------------
【版权声明】本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! 不错,支持一下 支持楼主,要是能分析出这个商的注册码就好了。
http://www.嘻嘻嘻嘻嘻嘻嘻嘻嘻嘻.com/ 学习一下 感谢楼主分享 ~~ 向楼主学习了