A novice studies the algorithm: cracking DVD Copy Express 5.5. Posted: 2006-7-27 21:25 BY: wzwgp
--------------------------------------------------------------------------------
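【Software cracked】DVD Copy Express 5.5
【Download URL】http://www.onlinedown.net/soft/7021.htm
【Runtime environment】Win9x/Me/NT/2000/XP/2003
【Category】Foreign software / shareware / video tools
【Protection】Registration code, check on restart
【Author's note】New to cracking, just interested, passing spare time; I would be grateful if senior members would point out any mistakes.
【Debugging tools】OllyDbg, PEiD
【Software info】Copies DVD movies and converts them to VCD, SVCD, and AVI files.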
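I. Tracing the algorithm
PEiD analysis: Microsoft Visual C++ 6.0
Load the program in OD and search the string references; two useful pieces of information turn up:
First location, address=00407740 “please input correct registration code first!”
Second location, address=0041730F “you have registered!”
First location
00407739 .83F9 14 CMP ECX,14 ;compare registration code length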
0040773C .74 13 JE SHORT dce.00407751
0040773E .56 PUSH ESI
0040773F .56 PUSH ESI
00407740 .68 A49A4D00 PUSH dce.004D9AA4 ;please input correct registration code first!
Second location
004172CE .E8 3D99FFFF CALL dce.00410C10 ; key address
004172D3 .85C0 TEST EAX,EAX
004172D5 .0F84 C0000000 JE dce.0041739B
004172DB .6A 00 PUSH 0
004172DD .8D4C24 08 LEA ECX,DWORD PTR SS:
004172E1 .E8 BA93FFFF CALL dce.004106A0
004172E6 .8B8E 0CD90000 MOV ECX,DWORD PTR DS:
004172EC .8B86 08D90000 MOV EAX,DWORD PTR DS:
004172F2 .898C24 180100>MOV DWORD PTR SS:,ECX
004172F9 .8D4C24 04 LEA ECX,DWORD PTR SS:
004172FD .C78424 100200>MOV DWORD PTR SS:,0
00417308 .898424 140100>MOV DWORD PTR SS:,EAX
0041730F .C78424 1C0100>MOV DWORD PTR SS:,dce.004DA5D4;you have registered!
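The first location shows that the registration code must be 20 characters long. Dummy code: 12345678902234567890
Because of the restart check, there is no prompt even when registration succeeds, so a breakpoint at the second location is never hit. Go there directly with Ctrl+G.
00410C10/$64:A1 0000000>MOV EAX,DWORD PTR FS: ; set a breakpoint here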
00410C16|.6A FF PUSH -1
00410C18|.68 FC334A00 PUSH dce.004A33FC
00410C1D|.50 PUSH EAX
00410C1E|.B8 3C140000 MOV EAX,143C
00410C23|.64:8925 00000>MOV DWORD PTR FS:,ESP
00410C2A|.E8 C17B0600 CALL dce.004787F0
00410C2F|.53 PUSH EBX
00410C30|.56 PUSH ESI
00410C31|.33DB XOR EBX,EBX
00410C33|.57 PUSH EDI
00410C34|.33FF XOR EDI,EDI
00410C36|.895C24 38 MOV DWORD PTR SS:,EBX
00410C3A|.8D4424 48 LEA EAX,DWORD PTR SS:
00410C3E|.68 7C9A4D00 PUSH dce.004D9A7C ;software\dvd copy express\adrsetting
00410C43|.50 PUSH EAX
00410C44|.89BC24 581400>MOV DWORD PTR SS:,EDI
00410C4B|.E8 C3730600 CALL dce.00478013
---------------------(middle omitted)----------------------
00410D7E|.50 PUSH EAX
00410D7F|.C68424 541400>MOV BYTE PTR SS:,3
00410D87|.E8 B92C0800 CALL dce.00493A45
00410D8C|.8B5424 18 MOV EDX,DWORD PTR SS:
00410D90|.83C9 FF OR ECX,FFFFFFFF
00410D93|.8BFA MOV EDI,EDX
00410D95|.33C0 XOR EAX,EAX
00410D97|.F2:AE REPNE SCAS BYTE PTR ES:
00410D99|.F7D1 NOT ECX ;ECX=FFFFFFEA not =15
00410D9B|.49 DEC ECX
00410D9C|.83F9 14 CMP ECX,14 ;compare registration code length
00410D9F|.0F85 2C010000 JNZ dce.00410ED1
00410DA5|.33C9 XOR ECX,ECX
00410DA7|>8A044A /MOV AL,BYTE PTR DS: ;fetch odd-position character of the dummy code
00410DAA|.3C 61 |CMP AL,61
00410DAC|.7C 06 |JL SHORT dce.00410DB4
00410DAE|.3C 66 |CMP AL,66
00410DB0|.7F 02 |JG SHORT dce.00410DB4
00410DB2|.2C 07 |SUB AL,7 ;(a…f)-7, then logical shift left
00410DB4|>C0E0 04 |SHL AL,4 ;AL=31 shl 4=10
00410DB7|.88440C 3C |MOV BYTE PTR SS:,AL
00410DBB|.8A444A 01 |MOV AL,BYTE PTR DS: ;fetch even-position character of the dummy code
00410DBF|.3C 61 |CMP AL,61
00410DC1|.7C 08 |JL SHORT dce.00410DCB
00410DC3|.3C 66 |CMP AL,66
00410DC5|.7F 04 |JG SHORT dce.00410DCB
00410DC7|.2C 57 |SUB AL,57 ;(a…f)-57
00410DC9|.EB 02 |JMP SHORT dce.00410DCD
00410DCB|>2C 30 |SUB AL,30 ;AL=32 -30=2
00410DCD|>00440C 3C |ADD BYTE PTR SS:,AL ;10+2=12 (add the transformed odd and even positions)
00410DD1|.41 |INC ECX ;ECX = counter
00410DD2|.83F9 0A |CMP ECX,0A ;A = loop count
00410DD5|.^ 7C D0 \JL SHORT dce.00410DA7 ; result recorded as s1
00410DD7|.6A 00 PUSH 0
00410DD9|.68 30A24D00 PUSH dce.004DA230 ;string (advdripper)
00410DDE|.8D4C24 24 LEA ECX,DWORD PTR SS:
00410DE2|.6A 0A PUSH 0A
00410DE4|.8D5424 48 LEA EDX,DWORD PTR SS:
00410DE8|.51 PUSH ECX
00410DE9|.52 PUSH EDX
00410DEA|.E8 0157FFFF CALL dce.004064F0 ;F7 to step in
00410DEF|.8A4424 30 MOV AL,BYTE PTR SS: ;sn(1)
00410DF3|.83C4 14 ADD ESP,14
00410DF6|.3C 72 CMP AL,72
00410DF8|.0F85 D3000000 JNZ dce.00410ED1
00410DFE|.807C24 1D 67CMP BYTE PTR SS:,67 ;sn(2)
00410E03|.0F85 C8000000 JNZ dce.00410ED1
00410E09|.807C24 24 63CMP BYTE PTR SS:,63 ;sn(9)
00410E0E|.0F85 BD000000 JNZ dce.00410ED1
00410E14|.807C24 25 78CMP BYTE PTR SS:,78 ;sn(10)
00410E19|.0F85 B2000000 JNZ dce.00410ED1
00410E1F|.8A4C24 1F MOV CL,BYTE PTR SS: ;sn(4)
00410E23|.8A4424 1E MOV AL,BYTE PTR SS: ;sn(3)
00410E27|.8A5424 20 MOV DL,BYTE PTR SS: ;sn(5)
00410E2B|.884C24 29 MOV BYTE PTR SS:,CL
00410E2F|.884424 28 MOV BYTE PTR SS:,AL
00410E33|.8A4424 21 MOV AL,BYTE PTR SS: ;sn(6)
00410E37|.8D4C24 28 LEA ECX,DWORD PTR SS:
00410E3B|.885424 2A MOV BYTE PTR SS:,DL
00410E3F|.51 PUSH ECX ;ECX = address of sn(3, 4, 5, 6)
00410E40|.884424 2F MOV BYTE PTR SS:,AL
00410E44|.C64424 30 00MOV BYTE PTR SS:,0
00410E49|.E8 96790600 CALL dce.004787E4
00410E4E|.8A5424 26 MOV DL,BYTE PTR SS: ;sn(7)
00410E52|.8BF0 MOV ESI,EAX
00410E54|.8A4424 27 MOV AL,BYTE PTR SS: ;sn(8)
00410E58|.8D4C24 2C LEA ECX,DWORD PTR SS:
00410E5C|.51 PUSH ECX
00410E5D|.885424 30 MOV BYTE PTR SS:,DL
00410E61|.884424 31 MOV BYTE PTR SS:,AL
00410E65|.C64424 32 00MOV BYTE PTR SS:,0
---------------------(middle omitted)----------------------
00410F18|.5F POP EDI
00410F19|.5E POP ESI
00410F1A|.5B POP EBX
00410F1B|.64:890D 00000>MOV DWORD PTR FS:,ECX
00410F22|.81C4 48140000 ADD ESP,1448
00410F28\.C3 RETN ;returns to 00412495
Stepping in with F7 at 00410DEA leads to the following:
004064F0/$81EC 04010000 SUB ESP,104
004064F6|.53 PUSH EBX
004064F7|.8B9C24 180100>MOV EBX,DWORD PTR SS: ;="ADVDRipper"
004064FE|.55 PUSH EBP
004064FF|.56 PUSH ESI
00406500|.57 PUSH EDI
00406501|.8BFB MOV EDI,EBX
00406503|.83C9 FF OR ECX,FFFFFFFF
00406506|.33C0 XOR EAX,EAX
00406508|.F2:AE REPNE SCAS BYTE PTR ES:
0040650A|.F7D1 NOT ECX ;ECX=4 not=B
0040650C|.49 DEC ECX ;ECX=B-1=A
---------------------(middle omitted)----------------------
0040662B|.8BC3 MOV EAX,EBX
0040662D|.2BF3 SUB ESI,EBX
0040662F|.8D5F 01 LEA EBX,DWORD PTR DS: ;=B
00406632|>8A08 /MOV CL,BYTE PTR DS:
00406634|.880C02 |MOV BYTE PTR DS:,CL ;CL=41 ('A')
00406637|.880C06 |MOV BYTE PTR DS:,CL
0040663A|.40 |INC EAX
0040663B|.4B |DEC EBX
0040663C|.^ 75 F4 \JNZ SHORT dce.00406632 ;make two copies of the string
0040663E|>33DB XOR EBX,EBX
00406640|.33C9 XOR ECX,ECX
00406642|.33C0 XOR EAX,EAX
00406644|.3BFB CMP EDI,EBX ;EDI=A
00406646|.7E 12 JLE SHORT dce.0040665A
00406648|>33D2 /XOR EDX,EDX
0040664A|.8A9404 DC0000>|MOV DL,BYTE PTR SS: ;fetch the string (ADVDRipper)
00406651|.03D0 |ADD EDX,EAX ;EDX=(41..72) + EAX=(0..9)
00406653|.33CA |XOR ECX,EDX ;ECX=0.41.4…34
00406655|.40 |INC EAX
00406656|.3BC7 |CMP EAX,EDI
00406658|.^ 7C EE \JL SHORT dce.00406648 ;the loop computes: 34
0040665A|>33C0 XOR EAX,EAX
0040665C|.3BFB CMP EDI,EBX
0040665E|.7E 10 JLE SHORT dce.00406670
00406660|>8A5404 6C /MOV DL,BYTE PTR SS: ;fetch the string (ADVDRipper)
00406664|.32D1 |XOR DL,CL ;DL=41 xor 34= 75
00406666|.41 |INC ECX ;34+(1…A)=35…3E
00406667|.885404 6C |MOV BYTE PTR SS:,DL ;save the computed result
0040666B|.40 |INC EAX
0040666C|.3BC7 |CMP EAX,EDI
0040666E|.^ 7C F0 \JL SHORT dce.00406660 ;result recorded as s2 (75 ..4F)
00406670|>33F6 XOR ESI,ESI
00406672|.3BFB CMP EDI,EBX
00406674|.7E 1A JLE SHORT dce.00406690
00406676|>33C0 /XOR EAX,EAX
00406678|.BD 35000000 |MOV EBP,35
0040667D|.8A4434 6C |MOV AL,BYTE PTR SS:
00406681|.99 |CDQ
00406682|.F7FD |IDIV EBP
00406684|.46 |INC ESI
00406685|.3BF7 |CMP ESI,EDI
00406687|.889434 A30000>|MOV BYTE PTR SS:,DL
0040668E|.^ 7C E6 \JL SHORT dce.00406676
00406690|>8BC1 MOV EAX,ECX
00406692|.B9 35000000 MOV ECX,35
00406697|.99 CDQ
00406698|.F7F9 IDIV ECX
0040669A|.8B8424 1C0100>MOV EAX,DWORD PTR SS:
004066A1|.33F6 XOR ESI,ESI
004066A3|.32C9 XOR CL,CL
004066A5|.885C24 13 MOV BYTE PTR SS:,BL
004066A9|.884C24 18 MOV BYTE PTR SS:,CL
004066AD|.885C24 14 MOV BYTE PTR SS:,BL
004066B1|.895C24 54 MOV DWORD PTR SS:,EBX
004066B5|.894424 58 MOV DWORD PTR SS:,EAX
004066B9|.895424 5C MOV DWORD PTR SS:,EDX
004066BD|.8B9424 180100>MOV EDX,DWORD PTR SS:
004066C4|.2BD0 SUB EDX,EAX
004066C6|.895424 60 MOV DWORD PTR SS:,EDX ;EDX=20
004066CA|>8B5424 60 /MOV EDX,DWORD PTR SS: ;=20
004066CE|.8B4424 58 |MOV EAX,DWORD PTR SS:
004066D2|.8BBC24 200100>|MOV EDI,DWORD PTR SS: ;=A
004066D9|.0FBE0402 |MOVSX EAX,BYTE PTR DS: ;fetch s1 byte by byte
004066DD|.8B5424 54 |MOV EDX,DWORD PTR SS: ;=0, 1
004066E1|.3BD7 |CMP EDX,EDI
004066E3|.0F83 11010000 |JNB dce.004067FA
004066E9|.8A5C34 6C |MOV BL,BYTE PTR SS: ;fetch s2 byte by byte
004066ED|.8B9424 280100>|MOV EDX,DWORD PTR SS:
004066F4|.8BEB |MOV EBP,EBX
004066F6|.81E5 FF000000 |AND EBP,0FF
004066FC|.85D2 |TEST EDX,EDX ;EDX=0
004066FE|.8A9434 DC0000>|MOV DL,BYTE PTR SS: ;fetch the string byte by byte
00406705|.8BFA |MOV EDI,EDX
00406707|.74 2A |JE SHORT dce.00406733 ;jump taken
00406709|.81E7 FF000000 |AND EDI,0FF
0040670F|.33FD |XOR EDI,EBP
00406711|.8B6C24 14 |MOV EBP,DWORD PTR SS:
00406715|.81E5 FF000000 |AND EBP,0FF
0040671B|.884C24 14 |MOV BYTE PTR SS:,CL
0040671F|.33FD |XOR EDI,EBP
00406721|.8B6C24 18 |MOV EBP,DWORD PTR SS:
00406725|.81E5 FF000000 |AND EBP,0FF
0040672B|.33FD |XOR EDI,EBP
0040672D|.33C7 |XOR EAX,EDI
0040672F|.8AC8 |MOV CL,AL
00406731|.EB 2E |JMP SHORT dce.00406761
00406733|>81E7 FF000000 |AND EDI,0FF
00406739|.894424 68 |MOV DWORD PTR SS:,EAX ;EAX=00000012(s1)
0040673D|.33FD |XOR EDI,EBP ;EDI=41 (string) xor 75 (s2)=34
0040673F|.8B6C24 14 |MOV EBP,DWORD PTR SS: ;=0, 0, s1(1-8)
00406743|.81E5 FF000000 |AND EBP,0FF
00406749|.884C24 14 |MOV BYTE PTR SS:,CL
0040674D|.8A4C24 68 |MOV CL,BYTE PTR SS: ;=12(s1)
00406751|.33FD |XOR EDI,EBP ;34 xor 0 =34
00406753|.8B6C24 18 |MOV EBP,DWORD PTR SS: ;=0
00406757|.81E5 FF000000 |AND EBP,0FF
0040675D|.33FD |XOR EDI,EBP ;EBP=0, s1(1-9)
0040675F|.33C7 |XOR EAX,EDI ;EAX=12(s1) xor 34=26
00406761|>8B7C24 58 |MOV EDI,DWORD PTR SS:
00406765|.8B6C24 64 |MOV EBP,DWORD PTR SS: ;=A
00406769|.884C24 18 |MOV BYTE PTR SS:,CL
0040676D|.8807 |MOV BYTE PTR DS:,AL ;save AL, recorded as sn
0040676F|.8B4424 54 |MOV EAX,DWORD PTR SS: ;=0, 1…9
00406773|.40 |INC EAX
00406774|.47 |INC EDI
00406775|.894424 54 |MOV DWORD PTR SS:,EAX
00406779|.33C0 |XOR EAX,EAX
0040677B|.8A8434 A40000>|MOV AL,BYTE PTR SS:
00406782|.897C24 58 |MOV DWORD PTR SS:,EDI
00406786|.8B7C24 5C |MOV EDI,DWORD PTR SS:
0040678A|.8A4404 1C |MOV AL,BYTE PTR SS:
0040678E|.02C2 |ADD AL,DL
00406790|.8A543C 1C |MOV DL,BYTE PTR SS:
00406794|.02D3 |ADD DL,BL
00406796|.888434 DC0000>|MOV BYTE PTR SS:,AL
0040679D|.885434 6C |MOV BYTE PTR SS:,DL
004067A1|.46 |INC ESI ;ESI = counter
004067A2|.3BF5 |CMP ESI,EBP ;EBP=A, loop count
004067A4|.^ 0F85 20FFFFFF |JNZ dce.004066CA ;
004067AA|.8A4424 13 |MOV AL,BYTE PTR SS:
004067AE|.FEC0 |INC AL
004067B0|.884424 13 |MOV BYTE PTR SS:,AL ;AL=1
004067B4|.75 3D |JNZ SHORT dce.004067F3 ;jump taken
004067B6|.33D2 |XOR EDX,EDX
004067B8|.33C0 |XOR EAX,EAX
004067BA|.3BEA |CMP EBP,EDX
004067BC|.7E 35 |JLE SHORT dce.004067F3
004067BE|>8A9C04 A40000>|/MOV BL,BYTE PTR SS:
004067C5|.FEC3 ||INC BL
004067C7|.80FB 35 ||CMP BL,35
004067CA|.889C04 A40000>||MOV BYTE PTR SS:,BL
004067D1|.75 07 ||JNZ SHORT dce.004067DA
004067D3|.889404 A40000>||MOV BYTE PTR SS:,DL
004067DA|>8A5C04 1C ||MOV BL,BYTE PTR SS:
004067DE|.005C04 6C ||ADD BYTE PTR SS:,BL
004067E2|.47 ||INC EDI
004067E3|.83FF 35 ||CMP EDI,35
004067E6|.75 02 ||JNZ SHORT dce.004067EA
004067E8|.33FF ||XOR EDI,EDI
004067EA|>40 ||INC EAX
004067EB|.3BC5 ||CMP EAX,EBP
004067ED|.^ 7C CF |\JL SHORT dce.004067BE
004067EF|.897C24 5C |MOV DWORD PTR SS:,EDI
004067F3|>33F6 |XOR ESI,ESI
004067F5|.^ E9 D0FEFFFF \JMP dce.004066CA
004067FA|>8B8424 1C0100>MOV EAX,DWORD PTR SS: ;=sn
00406801|.5F POP EDI
00406802|.5E POP ESI
00406803|.5D POP EBP
00406804|.C60402 00 MOV BYTE PTR DS:,0
00406808|.33C0 XOR EAX,EAX
0040680A|.5B POP EBX
0040680B|.81C4 04010000 ADD ESP,104
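00406811\.C3 RETN ;returns to 00410DEF
II. Algorithm summary
The registration code must be 20 characters long; the user name has nothing to do with the registration code.
1. Preprocess the registration code
Odd positions: shl 4; if the character is a…f, subtract 7 first
Even positions: if the character is a…f, sub 57; otherwise sub 30
Adding the odd and even positions gives: s1
2. String (ADVDRipper) (0x41445644526970706572)
0 xor (41+0) = 41
41 xor (44+1) = 4
4 xor (56+2) = 5C
……
The loop yields: 34
3. String (ADVDRipper)
41 xor 34 = 75
44 xor 35 = 71
……
The loop yields: s2 = 75 71 60 73 6A 50 4A 4B 59 4F
4.
String xor s2 gives s3
s3 xor (0 0 s1) gives s4
s4 xor (0 s1) gives s5
If positions 1, 2, 9 and 10 of the result of s1 xor s5 equal 72, 67, 63 and 78, registration succeeds.
III. Algorithm verification
1. Registration code: 46142df8758703683419
Odd positions: 412f780631 --> 401020F0708000603010
Even positions: 64d8573849 --> 6 4 D 8 5 7 3 8 4 9
s1 = 46142DF8758703683419
2. Four XOR operations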
(1)
String 41445644526970706572
s2 757160736A504A4B594F
--------------------------------------------------
s3 3435363738393A3B3C3D
(2)
s3 3435363738393A3B3C3D
000046142DF875870368
--------------------------------------------------
s4 3435702315C14FBC3F55
(3)
s4 3435702315C14FBC3F55
0046142DF87587036834
---------------------------------------------------------
s5 3473640EEDB4C8BF5761
4.
s1 46142DF8758703683419
s5 3473640EEDB4C8BF5761
----------------------------------------------------------
726749F69833CBD76378
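Positions 1, 2, 9 and 10 of the result equal 72, 67, 63 and 78, so registration succeeds.
The registration information is stored in:
HKEY_LOCAL_MACHINE\SOFTWARE\DVD COPY EXPRESS\ADRSETTING

That really is a long crack o(∩_∩)o...

Learning. Showing my support.

Good stuff, showing my support.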
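
Added example, not part of the original post or the replies: a Python model of the input decoding at 00410DA7 and of the two loops at 00406648 and 00406660, reproducing the post's 34, s2 and s3 values. It shows that the mask is derived only from a string constant embedded in the binary, with no per-user or per-machine input, and that the decoder treats only lowercase a…f as hex digits. The function names are assumptions chosen here, and the sample input is the dummy code from the post.

```python
# Added illustration: model of the decoding and mask derivation traced in the post.
EMBEDDED = b"ADVDRipper"  # string constant whose bytes the post lists as 41 44 56 ...


def decode_code(code: str) -> bytes:
    """Loop at 00410DA7: 20 characters are folded into 10 bytes (s1)."""
    if len(code) != 20:                       # CMP ECX,14 / JNZ
        raise ValueError("code must be 20 characters")
    out = bytearray()
    for i in range(0, 20, 2):
        hi, lo = ord(code[i]), ord(code[i + 1])
        if 0x61 <= hi <= 0x66:                # only lowercase a..f is adjusted
            hi -= 7
        hi = (hi << 4) & 0xFF                 # SHL AL,4 keeps the low byte only
        lo -= 0x57 if 0x61 <= lo <= 0x66 else 0x30
        out.append((hi + lo) & 0xFF)          # byte-wide ADD
    return bytes(out)


def checksum(s: bytes) -> int:
    """Loop at 00406648: acc ^= s[i] + i."""
    acc = 0
    for i, b in enumerate(s):
        acc ^= b + i
    return acc


def mask(s: bytes) -> bytes:
    """Loop at 00406660: s2[i] = s[i] ^ low byte of (checksum + i)."""
    c = checksum(s)
    return bytes(b ^ ((c + i) & 0xFF) for i, b in enumerate(s))


def s3(s: bytes) -> bytes:
    """String xor s2, the first of the four XOR passes in the summary."""
    return bytes(a ^ b for a, b in zip(s, mask(s)))


if __name__ == "__main__":
    print("s1 for dummy code:", decode_code("12345678902234567890").hex())
    print("checksum:", hex(checksum(EMBEDDED)))
    print("s2:", mask(EMBEDDED).hex(), "s3:", s3(EMBEDDED).hex())
    # Uppercase hex digits are not normalised, so "2D" and "2d" decode differently.
    print(hex(decode_code("2D" + "0" * 18)[0]), hex(decode_code("2d" + "0" * 18)[0]))
```

Because s2 and s3 are the same on every installation, the only variable in the check is the entered code itself, which matches the post's observation that the user name plays no part.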