菜鸟学习算法,破解Batch Image Resizer(简单)
【破解软件】Batch Image Resizer 2.7.9【下载地址】http://www.newhua.com/soft/29844.htm
【运行环境】Win9x/Me/NT/2000/XP/2003
【软件类别】国外软件/共享版/图像处理
【保护方式】注册码 + Email
【作者声明】初学Crack,只是感兴趣,消遣业余时间,错误之处敬请诸位前辈不吝赐教。
【编写语言】Microsoft Visual C++ 6.0
【调试工具】OllyDBD、PEiD
【软件信息】批量修改大小,旋转,转换图像的工具,支持的格式有:JPEG, BMP, GIF, PCX, PNG。新版本允许你在编辑GIJ动画文件前查看它。
一、破解过程
输入 Your Email: [email protected]
Registration Code: 12345678
提示:thanks for registration! please restart batch image resizer
查找所有模块间的调用,在每个调用到_mbscmp上设置断点。F9
00405E37|.FFD7 CALL NEAR EDI ; 断在此 _mbscmp
00405E39|.83C4 08 ADD ESP,8
00405E3C|.85C0 TEST EAX,EAX
00405E3E|.75 0E JNZ SHORT BatchIma.00405E4E
00405E40|.68 581F4200 PUSH BatchIma.00421F58
00405E45|.8D4C24 14 LEA ECX,DWORD PTR SS:
00405E49|.E8 00080100 CALL <JMP.&MFC42.#860>
00405E4E|>8B4424 14 MOV EAX,DWORD PTR SS: ;假码地址
00405E52|.68 C0154200 PUSH BatchIma.004215C0 ;54qekkcherpl6x8q
00405E57|.50 PUSH EAX
00405E58|.FFD7 CALL NEAR EDI
00405E5A|.83C4 08 ADD ESP,8
00405E5D|.85C0 TEST EAX,EAX
00405E5F|.75 0E JNZ SHORT BatchIma.00405E6F
00405E61|.68 581F4200 PUSH BatchIma.00421F58
00405E66|.8D4C24 18 LEA ECX,DWORD PTR SS:
00405E6A|.E8 DF070100 CALL <JMP.&MFC42.#860>
00405E6F|>8B4C24 10 MOV ECX,DWORD PTR SS:
00405E73|.8379 F8 0B CMP DWORD PTR DS:,0B ;Email长度 > B
00405E77|.7D 08 JGE SHORT BatchIma.00405E81
00405E79|.899D C8000000 MOV DWORD PTR SS:,EBX
00405E7F|.EB 6D JMP SHORT BatchIma.00405EEE
00405E81|>51 PUSH ECX
00405E82|.8D5424 14 LEA EDX,DWORD PTR SS: ;=email
00405E86|.8BCC MOV ECX,ESP
00405E88|.896424 20 MOV DWORD PTR SS:,ESP
00405E8C|.52 PUSH EDX
00405E8D|.E8 58080100 CALL <JMP.&MFC42.#535>
00405E92|.8D4424 1C LEA EAX,DWORD PTR SS:
00405E96|.8BCE MOV ECX,ESI
00405E98|.50 PUSH EAX
00405E99|.E8 82000000 CALL BatchIma.00405F20 ;算法Call F7进入
00405E9E|.8B7424 14 MOV ESI,DWORD PTR SS: ;假码
00405EA2|.8B4424 18 MOV EAX,DWORD PTR SS: ;真码
00405EA6|>8A10 /MOV DL,BYTE PTR DS:
00405EA8|.8ACA |MOV CL,DL
00405EAA|.3A16 |CMP DL,BYTE PTR DS:
00405EAC|.75 1C |JNZ SHORT BatchIma.00405ECA
00405EAE|.3ACB |CMP CL,BL
00405EB0|.74 14 |JE SHORT BatchIma.00405EC6
00405EB2|.8A50 01 |MOV DL,BYTE PTR DS:
00405EB5|.8ACA |MOV CL,DL
00405EB7|.3A56 01 |CMP DL,BYTE PTR DS:
00405EBA|.75 0E |JNZ SHORT BatchIma.00405ECA
00405EBC|.83C0 02 |ADD EAX,2
00405EBF|.83C6 02 |ADD ESI,2
00405EC2|.3ACB |CMP CL,BL
00405EC4|.^ 75 E0 \JNZ SHORT BatchIma.00405EA6 ;循环逐位比较真假码
算法Call F7进入
00405F20/$6A FF PUSH -1
00405F22|.68 E7774100 PUSH BatchIma.004177E7 ;SE 处理程序安装
00405F27|.64:A1 00000000 MOV EAX,DWORD PTR FS:
00405F2D|.50 PUSH EAX
00405F2E|.64:8925 00000000 MOV DWORD PTR FS:,ESP
00405F35|.83EC 2C SUB ESP,2C
00405F38|.53 PUSH EBX
00405F39|.56 PUSH ESI
00405F3A|.C74424 0C 00000000 MOV DWORD PTR SS:,0
00405F42|.8D4424 48 LEA EAX,DWORD PTR SS:
00405F46|.BB 01000000 MOV EBX,1
00405F4B|.50 PUSH EAX
00405F4C|.8D4C24 0C LEA ECX,DWORD PTR SS:
00405F50|.895C24 40 MOV DWORD PTR SS:,EBX
00405F54|.E8 91070100 CALL <JMP.&MFC42.#535>
00405F59|.8B4C24 08 MOV ECX,DWORD PTR SS: ;=email
00405F5D|.C64424 3C 02 MOV BYTE PTR SS:,2
00405F62|.8B41 F8 MOV EAX,DWORD PTR DS: ;=email长度
00405F65|.83F8 0A CMP EAX,0A
00405F68|.0F8E 98010000 JLE BatchIma.00406106 ;不能小于等于A
00405F6E|.83F8 10 CMP EAX,10
00405F71|.7D 0E JGE SHORT BatchIma.00405F81 ;大于等于10(H)尾部不加a
00405F73|.68 F8154200 PUSH BatchIma.004215F8 ;aaaaaaaa
00405F78|.8D4C24 0C LEA ECX,DWORD PTR SS:
00405F7C|.E8 63070100 CALL <JMP.&MFC42.#941> ;A<email<10 连接aaaaaaaa
00405F81|>8B7424 08 MOV ESI,DWORD PTR SS:
00405F85|.8D4424 20 LEA EAX,DWORD PTR SS:
00405F89|.33D2 XOR EDX,EDX
00405F8B|.2BF0 SUB ESI,EAX
00405F8D|>8D4C14 20 /LEA ECX,DWORD PTR SS:
00405F91|.8A040E |MOV AL,BYTE PTR DS:
00405F94|.3C 61 |CMP AL,61 ;a
00405F96|.8801 |MOV BYTE PTR DS:,AL
00405F98|.7C 08 |JL SHORT BatchIma.00405FA2
00405F9A|.3C 66 |CMP AL,66 ;f
00405F9C|.7F 04 |JG SHORT BatchIma.00405FA2
00405F9E|.24 CE |AND AL,0CE
00405FA0|.8801 |MOV BYTE PTR DS:,AL
00405FA2|>8A01 |MOV AL,BYTE PTR DS:
00405FA4|.3C 41 |CMP AL,41 ;A
00405FA6|.7C 08 |JL SHORT BatchIma.00405FB0
00405FA8|.3C 46 |CMP AL,46 ;F
00405FAA|.7F 04 |JG SHORT BatchIma.00405FB0
00405FAC|.2C 42 |SUB AL,42 ; (先和$CE与运算 再减42)
00405FAE|.EB 02 |JMP SHORT BatchIma.00405FB2
00405FB0|>2C 32 |SUB AL,32 ;其余 减32
00405FB2|>42 |INC EDX
00405FB3|.8801 |MOV BYTE PTR DS:,AL ;保存AL
00405FB5|.83FA 10 |CMP EDX,10 ;循环次数=10
00405FB8|.^ 7C D3 \JL SHORT BatchIma.00405F8D ;设Email处理后的字符串为S
00405FBA|.55 PUSH EBP
00405FBB|.8D6C24 14 LEA EBP,DWORD PTR SS: ;处理后Email字符串地址
00405FBF|.57 PUSH EDI
00405FC0|.B8 06000000 MOV EAX,6 ;EAX赋初值
00405FC5|.83ED 06 SUB EBP,6
00405FC8|>8D70 FA /LEA ESI,DWORD PTR DS: ;=0、1 …
00405FCB|.8BD8 |MOV EBX,EAX
00405FCD|.8BCE |MOV ECX,ESI
00405FCF|.83E3 0F |AND EBX,0F
00405FD2|.83E1 0F |AND ECX,0F
00405FD5|.8D78 01 |LEA EDI,DWORD PTR DS: ;=7、8 …
00405FD8|.0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS: ;s7、s8
00405FDD|.0FBE540C 28 |MOVSX EDX,BYTE PTR SS: ;s1、s2
00405FE2|.8D48 FC |LEA ECX,DWORD PTR DS:
00405FE5|.03D6 |ADD EDX,ESI ;加循环次数(0、1…)
00405FE7|.83E1 0F |AND ECX,0F
00405FEA|.0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS: ;s3、s4
00405FEF|.0FAFD1 |IMUL EDX,ECX ;EDX=s1*s3
00405FF2|.8D48 FD |LEA ECX,DWORD PTR DS:
00405FF5|.83E1 0F |AND ECX,0F
00405FF8|.0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS: ;s4、s5
00405FFD|.03CE |ADD ECX,ESI ;加循环次数
00405FFF|.0FAFCB |IMUL ECX,EBX ;ECX=s4*s7
00406002|.03D1 |ADD EDX,ECX ;相加 EDX=1264
00406004|.8D48 FB |LEA ECX,DWORD PTR DS:
00406007|.8D58 FF |LEA EBX,DWORD PTR DS:
0040600A|.83E1 0F |AND ECX,0F
0040600D|.83E3 0F |AND EBX,0F
00406010|.0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS: ;s2
00406015|.0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS: ;s6
0040601A|.0FAFCB |IMUL ECX,EBX ;ECX=s2*s6
0040601D|.03D1 |ADD EDX,ECX ;相加 EDX=EDX+ECX
0040601F|.8D48 FE |LEA ECX,DWORD PTR DS:
00406022|.8BDF |MOV EBX,EDI
00406024|.83E1 0F |AND ECX,0F
00406027|.83E3 0F |AND EBX,0F
0040602A|.0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS: ;s5
0040602F|.0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS: ;s8
00406034|.0FAFCB |IMUL ECX,EBX ;ECX=s5*s8
00406037|.03D1 |ADD EDX,ECX ;相加 EDX=EDX+ECX
00406039|.8D48 03 |LEA ECX,DWORD PTR DS:
0040603C|.83E1 0F |AND ECX,0F
0040603F|.8D58 07 |LEA EBX,DWORD PTR DS:
00406042|.83E3 0F |AND EBX,0F
00406045|.0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS: ;s10
0040604A|.0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS: ;s14
0040604F|.03CE |ADD ECX,ESI ;加循环次数
00406051|.0FAFCB |IMUL ECX,EBX ;ECX=s10*s14
00406054|.8D58 02 |LEA EBX,DWORD PTR DS:
00406057|.83E3 0F |AND EBX,0F
0040605A|.0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS: ;s9
0040605F|.03DE |ADD EBX,ESI ;加循环次数
00406061|.8D70 04 |LEA ESI,DWORD PTR DS: ;=A
00406064|.83E6 0F |AND ESI,0F
00406067|.0FBE7434 28 |MOVSX ESI,BYTE PTR SS: ;s11
0040606C|.0FAFDE |IMUL EBX,ESI ;EBX=s9*s11
0040606F|.03CB |ADD ECX,EBX ;相加ECX=ECX+EBX
00406071|.8D70 F8 |LEA ESI,DWORD PTR DS:
00406074|.8D58 06 |LEA EBX,DWORD PTR DS:
00406077|.83E6 0F |AND ESI,0F
0040607A|.83E3 0F |AND EBX,0F
0040607D|.0FBE7434 28 |MOVSX ESI,BYTE PTR SS: ;s15
00406082|.0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS: ;s13
00406087|.0FAFF3 |IMUL ESI,EBX ;ESI=s15*s13
0040608A|.03CE |ADD ECX,ESI ;相加
0040608C|.8D70 F9 |LEA ESI,DWORD PTR DS:
0040608F|.8D58 05 |LEA EBX,DWORD PTR DS:
00406092|.83E6 0F |AND ESI,0F
00406095|.83E3 0F |AND EBX,0F
00406098|.0FBE7434 28 |MOVSX ESI,BYTE PTR SS: ;s16
0040609D|.0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS: ;s12
004060A2|.0FAFF3 |IMUL ESI,EBX ;ESI=s16*s12
004060A5|.03CE |ADD ECX,ESI ;相加 ECX=658
004060A7|.0FAFCA |IMUL ECX,EDX ;ECX=8DA4E0
004060AA|.C1F9 03 |SAR ECX,3
004060AD|.83E1 1F |AND ECX,1F ;ECX=and 1F
004060B0|.83F9 0A |CMP ECX,0A ;设计算结果为C
004060B3|.7D 05 |JGE SHORT BatchIma.004060BA
004060B5|.83C1 50 |ADD ECX,50 ;c(i) < A + 50
004060B8|.EB 0D |JMP SHORT BatchIma.004060C7
004060BA|>83F9 12 |CMP ECX,12
004060BD|.7D 05 |JGE SHORT BatchIma.004060C4
004060BF|.83C1 28 |ADD ECX,28 ;A=< c(i) <12 + 28
004060C2|.EB 03 |JMP SHORT BatchIma.004060C7
004060C4|>83C1 2F |ADD ECX,2F ;12 =< c(i) + 2F
004060C7|>880C28 |MOV BYTE PTR DS:,CL ;保存CL
004060CA|.8BC7 |MOV EAX,EDI
004060CC|.8D50 FA |LEA EDX,DWORD PTR DS:
004060CF|.83FA 10 |CMP EDX,10 ;循环次数=10
004060D2|.^ 0F8C F0FEFFFF \JL BatchIma.00405FC8 ;循环运算出真码
004060D8|.68 E4154200 PUSH BatchIma.004215E4 ;0000000000000000
004060DD|.8D4C24 14 LEA ECX,DWORD PTR SS:
004060E1|.E8 68050100 CALL <JMP.&MFC42.#860>
004060E6|.5F POP EDI
004060E7|.33F6 XOR ESI,ESI
004060E9|.5D POP EBP
004060EA|>8A4434 10 /MOV AL,BYTE PTR SS:
004060EE|.8D4C24 08 |LEA ECX,DWORD PTR SS:
004060F2|.50 |PUSH EAX
004060F3|.56 |PUSH ESI
004060F4|.E8 41070100 |CALL <JMP.&MFC42.#5856>
004060F9|.46 |INC ESI
004060FA|.83FE 10 |CMP ESI,10
004060FD|.^ 7C EB \JL SHORT BatchIma.004060EA
004060FF|.BB 01000000 MOV EBX,1
00406104|.EB 09 JMP SHORT BatchIma.0040610F
00406106|>8D4C24 08 LEA ECX,DWORD PTR SS:
0040610A|.E8 25070100 CALL <JMP.&MFC42.#2614>
0040610F|>8B7424 44 MOV ESI,DWORD PTR SS:
00406113|.8D4C24 08 LEA ECX,DWORD PTR SS:
00406117|.51 PUSH ECX
00406118|.8BCE MOV ECX,ESI
0040611A|.E8 CB050100 CALL <JMP.&MFC42.#535>
0040611F|.895C24 0C MOV DWORD PTR SS:,EBX
00406123|.8D4C24 08 LEA ECX,DWORD PTR SS:
00406127|.885C24 3C MOV BYTE PTR SS:,BL
0040612B|.E8 AA030100 CALL <JMP.&MFC42.#800>
00406130|.8D4C24 48 LEA ECX,DWORD PTR SS:
00406134|.C64424 3C 00 MOV BYTE PTR SS:,0
00406139|.E8 9C030100 CALL <JMP.&MFC42.#800>
0040613E|.8B4C24 34 MOV ECX,DWORD PTR SS:
00406142|.8BC6 MOV EAX,ESI
00406144|.5E POP ESI
00406145|.5B POP EBX
00406146|.64:890D 00000000 MOV DWORD PTR FS:,ECX
0040614D|.83C4 38 ADD ESP,38
00406150\.C2 0800 RETN 8 ;返回到 00405E9E
二、算法小结
1.Email字符位数要大于10位,如果不足16位尾部家8个'a'。
2.预处理Email字符串,在 范围内的,先与'CE'逻辑与运算,再减42。
其余的减32。处理后的字符串长度为16。
3.设处理后Email的字符串为S=(s0,s1,s2 ……s13,s14,s15)
4.C=(c0,c1,c2 ……c13,c14,c15)i S下标大于等于16-16(循环)
C(i)=( (si+i)*s(i+2) + (s(i+3)+i)*s(i+6)+s(i+1)*s(i+5)+ s(i+4)*s(i+7) )*
( (s(i+9)+i)*s(i+13) + (s(i+8)+i)*s(i+10) + s(i+14)*s(i+12) + s(i+15)*s(i+11) )
5. 4.式运算结果 C(i)算术右移(SAR 3 ) 、与运算(AND 1F),再根据运算结果的大小选择不同的加数
if c(i) < A +50
A=< c(i) <12 +28
12=< c(i) +2F
6.运算出的16个数就是注册码。
7. Your Email: [email protected]
Registration Code: KHV9GQS43FL9ITPY
注册信息:HKEY_CURRENT_USER\Software\JKLNSoft\BatchImageResizer\Registration Info 历害,学习~~ 好文,学习 文章不错,学习收藏了。 分析的真棒!! wzwgp 兄卧虎藏龙呀。 学习:victory:
页:
[1]