Leo MP4 Video Converter 1.40 简单算法分析
【破文标题】 Leo MP4 Video Converter 1.40 简单算法分析【破文作者】杨家将
【破解工具】PEiD,OD
【破解平台】Windows XP SP3
【原版下载】http://www.onlinedown.net/soft/61354.htm
【软件简介】Leo MP4 Video Converter是一款视频转换软件,它支持将DivX、XviD、MOV、MPEG-4、MPEG、WMV、H.263、AVI、ASF转换成MP4格式。界面简单,使用起来非常方便快捷。
【破解内容】
一、PEiD查壳,无壳, Borland Delphi 6.0 - 7.0。
二、运行程序,输入注册信息, 提示错误。 error registrion code!
三、OD载入,查找字符串“error registrion code!”,来到:
;// Excerpt of the registration handler, found through the "error registrion code!" string.
;// The listing starts inside the function: ebx and the ebp frame are set up before 00502934.
;// Bracketed memory operands were lost when the listing was pasted; where a comment names an
;// operand it is decoded from the opcode bytes printed on the same line.
;// Flow: fetch two text fields -> call 0050274C (eax = ebx, edx = user name, ecx = serial) ->
;// AL != 0 takes the "register successfully!" path, AL == 0 the "error registrion code!" path.
;// Design note: the whole decision is one client-side boolean tested by the branch at 00502999.
00502934|.55 push ebp ;//the author sets an F2 breakpoint here
00502935|.68 2E2A5000 push leoMP4Vi.00502A2E ;//second dword of the frame linked into fs:[eax] below; presumably a Delphi try/finally handler, confirm
0050293A|.64:FF30 push dword ptr fs: ;//bytes 64:FF30 = push dword ptr fs:[eax]
0050293D|.64:8920 mov dword ptr fs:,esp ;//bytes 64:8920 = mov fs:[eax],esp
00502940|.A1 9C205100 mov eax,dword ptr ds: ;//bytes A1 9C205100 = mov eax,[0051209C]
00502945|.8B00 mov eax,dword ptr ds: ;//bytes 8B00 = mov eax,[eax]
00502947|.8B48 10 mov ecx,dword ptr ds: ;//bytes 8B48 10 = mov ecx,[eax+10]
0050294A|.B2 01 mov dl,1
0050294C|.A1 74CE4300 mov eax,dword ptr ds: ;//bytes A1 74CE4300 = mov eax,[0043CE74]
00502951|.E8 CEA5F3FF call leoMP4Vi.0043CF24 ;//result is kept in esi; presumably creates the settings-file object used below, confirm
00502956|.8BF0 mov esi,eax
00502958|.8D55 F4 lea edx, ;//bytes 8D55 F4 = lea edx,[ebp-0C]
0050295B|.8B83 08030000 mov eax,dword ptr ds: ;//bytes 8B83 08030000 = mov eax,[ebx+308]
00502961|.E8 4A20F6FF call leoMP4Vi.004649B0 ;//author: get user-name length. NOTE(review): the next line reads the name from [ebp-0C], so this more likely fetches the field text; confirm
00502966|.8B45 F4 mov eax, ;//user name -> EAX (bytes 8B45 F4 = [ebp-0C])
00502969|.8D55 FC lea edx, ;//bytes 8D55 FC = lea edx,[ebp-4]
0050296C|.E8 1F60F0FF call leoMP4Vi.00408990 ;//helper not shown; its output in [ebp-4] is used as the user name below
00502971|.8D55 F0 lea edx, ;//bytes 8D55 F0 = lea edx,[ebp-10]
00502974|.8B83 0C030000 mov eax,dword ptr ds: ;//bytes 8B83 0C030000 = mov eax,[ebx+30C]
0050297A|.E8 3120F6FF call leoMP4Vi.004649B0 ;//author: get serial length; same NOTE(review) as at 00502961
0050297F|.8B45 F0 mov eax, ;//serial -> EAX (bytes 8B45 F0 = [ebp-10])
00502982|.8D55 F8 lea edx, ;//bytes 8D55 F8 = lea edx,[ebp-8]
00502985|.E8 0660F0FF call leoMP4Vi.00408990 ;//same helper as at 0050296C; output in [ebp-8]
0050298A|.8B4D F8 mov ecx, ;//serial -> ECX (bytes 8B4D F8 = [ebp-8])
0050298D|.8B55 FC mov edx, ;//user name -> EDX (bytes 8B55 FC = [ebp-4])
00502990|.8BC3 mov eax,ebx
00502992|.E8 B5FDFFFF call leoMP4Vi.0050274C ;//validation routine; the author calls it the key call and steps into it with F7
00502997|.84C0 test al,al ;//AL carries the routine's boolean result
00502999|.74 4F je short leoMP4Vi.005029EA ;//AL == 0 -> error path; the author marks this as the key jump (not taken on success)
0050299B|.8B45 FC mov eax, ;//user name (bytes 8B45 FC = [ebp-4])
0050299E|.50 push eax
0050299F|.B9 442A5000 mov ecx,leoMP4Vi.00502A44 ;name
005029A4|.BA 542A5000 mov edx,leoMP4Vi.00502A54 ;settings
005029A9|.8BC6 mov eax,esi
005029AB|.8B38 mov edi,dword ptr ds: ;//bytes 8B38 = mov edi,[eax]
005029AD|.FF57 04 call dword ptr ds: ;//bytes FF57 04 = call [edi+4]; presumably stores the user name under settings/name, confirm
005029B0|.8B45 F8 mov eax, ;//serial (bytes 8B45 F8 = [ebp-8])
005029B3|.50 push eax
005029B4|.B9 682A5000 mov ecx,leoMP4Vi.00502A68 ;code
005029B9|.BA 542A5000 mov edx,leoMP4Vi.00502A54 ;settings
005029BE|.8BC6 mov eax,esi
005029C0|.8B38 mov edi,dword ptr ds: ;//bytes 8B38 = mov edi,[eax]
005029C2|.FF57 04 call dword ptr ds: ;//bytes FF57 04 = call [edi+4]; presumably stores the serial under settings/code, confirm
005029C5|.6A 00 push 0 ; /Arg1 = 00000000
005029C7|.66:8B0D 702A5>mov cx,word ptr ds: ; |
005029CE|.B2 02 mov dl,2 ; |
005029D0|.B8 7C2A5000 mov eax,leoMP4Vi.00502A7C ; |register successfully!
005029D5|.E8 D645F3FF call leoMP4Vi.00436FB0 ; \leoMP4Vi.00436FB0
005029DA|.8BC6 mov eax,esi
005029DC|.E8 C70AF0FF call leoMP4Vi.004034A8 ;//called with the esi object on both paths; presumably releases it, confirm
005029E1|.8BC3 mov eax,ebx
005029E3|.E8 58E9F7FF call leoMP4Vi.00481340 ;//success path only; purpose not visible in this listing
005029E8|.EB 1C jmp short leoMP4Vi.00502A06
005029EA|>6A 00 push 0 ; /Arg1 = 00000000
005029EC|.66:8B0D 702A5>mov cx,word ptr ds: ; |
005029F3|.B2 02 mov dl,2 ; |
005029F5|.B8 9C2A5000 mov eax,leoMP4Vi.00502A9C ; |error registrion code!
005029FA|.E8 B145F3FF call leoMP4Vi.00436FB0 ; \leoMP4Vi.00436FB0
005029FF|.8BC6 mov eax,esi
00502A01|.E8 A20AF0FF call leoMP4Vi.004034A8
00502A06|>33C0 xor eax,eax
00502A08|.5A pop edx ;//EDX = frame pointer saved at 0050293A
00502A09|.59 pop ecx
00502A0A|.59 pop ecx
00502A0B|.64:8910 mov dword ptr fs:,edx ;//bytes 64:8910 = mov fs:[eax],edx: the previous frame is restored
00502A0E|.68 352A5000 push leoMP4Vi.00502A35
00502A13|>8D45 F0 lea eax, ;//bytes 8D45 F0 = lea eax,[ebp-10]
00502A16|.BA 02000000 mov edx,2
00502A1B|.E8 E018F0FF call leoMP4Vi.00404300 ;//called with a local's address and a count of 2; presumably clears two string locals, confirm
00502A20|.8D45 F8 lea eax, ;//bytes 8D45 F8 = lea eax,[ebp-8]
00502A23|.BA 02000000 mov edx,2
00502A28|.E8 D318F0FF call leoMP4Vi.00404300
00502A2D\.C3 retn ;//on the fall-through path this pops the 00502A35 pushed at 00502A0E
================================================
;// 0050274C: serial check, called from 00502992 with edx = user name and ecx = entered serial.
;// Bracketed memory operands were lost when the listing was pasted; where a comment names an
;// operand it is decoded from the opcode bytes printed on the same line.
;// Visible logic: leave early when the processed user name or serial has length <= 0; sum the
;// bytes of the user name; EAX = sum*8F947h + 86174Dh (32-bit), sign-extended to EDX:EAX;
;// fail when the entered serial is longer than 13h characters; turn the value into a string
;// (decimal, per the author) and compare it with the entered serial. The outcome byte is [ebp-5].
;// Design note: the expected serial depends only on the user-name byte sum and two constants,
;// and it is produced in plaintext on the client immediately before the comparison.
0050274C/$55 push ebp
0050274D|.8BEC mov ebp,esp
0050274F|.83C4 E4 add esp,-1C ;//reserve 1Ch bytes of locals
00502752|.53 push ebx
00502753|.56 push esi
00502754|.33DB xor ebx,ebx ;//EBX = 0
00502756|.895D E4 mov ,ebx ;//bytes 895D E4 = mov [ebp-1C],ebx
00502759|.895D E8 mov ,ebx ;//bytes 895D E8 = mov [ebp-18],ebx
0050275C|.895D EC mov ,ebx ;//bytes 895D EC = mov [ebp-14],ebx
0050275F|.894D FC mov ,ecx ;//bytes 894D FC = mov [ebp-4],ecx: the entered serial is saved to a local (the author wrote "to EAX")
00502762|.8BDA mov ebx,edx ;//user name -> EBX
00502764|.33C0 xor eax,eax ;//EAX = 0
00502766|.55 push ebp
00502767|.68 22285000 push leoMP4Vi.00502822 ;//second dword of the frame linked into fs:[eax] below; presumably a Delphi try/finally handler, confirm
0050276C|.64:FF30 push dword ptr fs: ;//bytes 64:FF30 = push dword ptr fs:[eax]
0050276F|.64:8920 mov dword ptr fs:,esp ;//bytes 64:8920 = mov fs:[eax],esp
00502772|.8D55 EC lea edx, ;//bytes 8D55 EC = lea edx,[ebp-14]
00502775|.8BC3 mov eax,ebx ;//user name -> EAX
00502777|.E8 1462F0FF call leoMP4Vi.00408990 ;//helper not shown; its output in [ebp-14] is read next
0050277C|.8B45 EC mov eax, ;//user name -> EAX (bytes 8B45 EC = [ebp-14])
0050277F|.E8 181EF0FF call leoMP4Vi.0040459C ;//the author labels this helper "get length" at its later call sites
00502784|.85C0 test eax,eax ;//is EAX zero?
00502786|.7E 7F jle short leoMP4Vi.00502807 ;//EAX <= 0 -> exit at 00502807
00502788|.8D55 E8 lea edx, ;//bytes 8D55 E8 = lea edx,[ebp-18]
0050278B|.8B45 FC mov eax, ;//entered serial -> EAX (bytes 8B45 FC = [ebp-4])
0050278E|.E8 FD61F0FF call leoMP4Vi.00408990 ;//same helper as at 00502777; output in [ebp-18]
00502793|.8B45 E8 mov eax, ;//bytes 8B45 E8 = mov eax,[ebp-18]
00502796|.E8 011EF0FF call leoMP4Vi.0040459C ;//get the serial length
0050279B|.85C0 test eax,eax ;//is the serial length zero?
0050279D|.7E 68 jle short leoMP4Vi.00502807 ;//length <= 0 -> exit at 00502807
0050279F|.33F6 xor esi,esi ;//ESI = 0 (running sum)
005027A1|.8BC3 mov eax,ebx
005027A3|.E8 F41DF0FF call leoMP4Vi.0040459C ;//get the user-name length
005027A8|.85C0 test eax,eax ;//is the user-name length zero?
005027AA|.7E 11 jle short leoMP4Vi.005027BD ;//length <= 0 -> skip the summing loop
005027AC|.BA 01000000 mov edx,1 ;//EDX = 1 (1-based character index)
005027B1|>33C9 /xor ecx,ecx ;//ECX = 0
005027B3|.8A4C13 FF |mov cl,byte ptr ds: ;//bytes 8A4C13 FF = mov cl,[ebx+edx-1]: next user-name byte
005027B7|.03F1 |add esi,ecx ;//ESI = ESI + ECX
005027B9|.42 |inc edx ;//EDX + 1
005027BA|.48 |dec eax ;//EAX - 1 (characters left)
005027BB|.^ 75 F4 \jnz short leoMP4Vi.005027B1 ;//loop: accumulates the user-name byte values into ESI
005027BD|>69C6 47F90800 imul eax,esi,8F947 ;//EAX = ESI * 8F947h
005027C3|.05 4D178600 add eax,86174D ;//EAX = EAX + 86174Dh
005027C8|.99 cdq ;//sign-extends EAX into EDX:EAX (the author wrote "EDX cleared", true only while EAX is non-negative)
005027C9|.8945 F0 mov ,eax ;//bytes 8945 F0 = mov [ebp-10],eax: low dword of the result saved
005027CC|.8955 F4 mov ,edx ;//bytes 8955 F4 = mov [ebp-0C],edx: high dword of the result saved
005027CF|.8B45 FC mov eax, ;//entered serial -> EAX (bytes 8B45 FC = [ebp-4])
005027D2|.E8 C51DF0FF call leoMP4Vi.0040459C ;//get the entered serial's length
005027D7|.83F8 13 cmp eax,13 ;//compare the length with 13h (19 decimal)
005027DA|.7F 27 jg short leoMP4Vi.00502803 ;//longer than 13h -> fail at 00502803
005027DC|.FF75 F4 push ; ///bytes FF75 F4 = push [ebp-0C]
005027DF|.FF75 F0 push ; |//push the value computed above (bytes FF75 F0 = push [ebp-10])
005027E2|.8D45 E4 lea eax, ; |//bytes 8D45 E4 = lea eax,[ebp-1C]
005027E5|.E8 FA64F0FF call leoMP4Vi.00408CE4 ; \//author: converts the computed value to decimal
005027EA|.8B55 E4 mov edx, ;//expected serial -> EDX (bytes 8B55 E4 = [ebp-1C])
005027ED|.8B45 FC mov eax, ;//entered serial -> EAX (bytes 8B45 FC = [ebp-4])
005027F0|.E8 F31EF0FF call leoMP4Vi.004046E8 ;//compares expected and entered serial; the author notes the expected serial sits in plaintext memory here
005027F5|.75 06 jnz short leoMP4Vi.005027FD ;//mismatch -> 005027FD; the author marks this branch as the patch point
005027F7|.C645 FB 01 mov byte ptr ss:,1 ;//bytes C645 FB 01 = mov byte ptr [ebp-5],1: result = 1
005027FB|.EB 0A jmp short leoMP4Vi.00502807
005027FD|>C645 FB 00 mov byte ptr ss:,0 ;//bytes C645 FB 00 = mov byte ptr [ebp-5],0: result = 0 (mismatch)
00502801|.EB 04 jmp short leoMP4Vi.00502807
00502803|>C645 FB 00 mov byte ptr ss:,0 ;//result = 0 (serial longer than 13h)
00502807|>33C0 xor eax,eax
00502809|.5A pop edx ;//EDX = frame pointer saved at 0050276C
0050280A|.59 pop ecx
0050280B|.59 pop ecx
0050280C|.64:8910 mov dword ptr fs:,edx ;//bytes 64:8910 = mov fs:[eax],edx: the previous frame is restored
0050280F|.68 29285000 push leoMP4Vi.00502829
00502814|>8D45 E4 lea eax, ;//bytes 8D45 E4 = lea eax,[ebp-1C]
00502817|.BA 03000000 mov edx,3
0050281C|.E8 DF1AF0FF call leoMP4Vi.00404300 ;//called with a local's address and a count of 3; presumably clears three string locals, confirm
00502821\.C3 retn ;//on the fall-through path this pops the 00502829 pushed at 0050280F; AL is presumably loaded from [ebp-5] there, confirm
=====================================================
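【总结】首先逐位取用户名的ASCII值并累加,再将累加和乘以8F947(十六进制),结果再加上86174D(十六进制),最后把得到的数值转成十进制字符串,就是注册码。从保护设计的角度看,这个校验只依赖用户名的字节和与两个固定常数,并且完全在客户端完成、结果仅由一个布尔返回值决定,因此强度很低;更可靠的做法是使用由服务端私钥签名的许可数据,客户端只做验签。
注册信息保存在软件安装目录下的leoMP4videoconverter.ini中。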
用户名:yangjiajang 注册码:749797569 杨哥的学习了 /:good 支持一下啊!/:012 /:012 /:012 把你的精华 破"处"了... 学习下算法。。。。 我好像还保留着处/:017