Patching, serial tracing, algorithm and keygen for the Joboshare software series
【Article title】: Patching, serial tracing, algorithm and keygen for the Joboshare software series
【Author】: expasy
【Author e-mail】: expasy@sina.com
【Author homepage】: none
【Author QQ】: none
【Software name】: Joboshare DVD Copy etc.
【Software size】: 6m
【Download】: http://www.joboshare.com/downloads.html
【Packer】: none
【Protection】: serial number
【Language】: Microsoft Visual C++ 7.0 Method2
【Tools】: OD etc.
【Platform】: win7sp1 x86
【Software description】: the Joboshare software series, including various tools
【Author's statement】: for learning only
--------------------------------------------------------------------------------
【Detailed process】
This author's programs all use basically the same algorithm, so I picked Joboshare DVD Copy among them for the explanation.
1. PEiD check: no packer, Microsoft Visual C++ 7.0 Method2.
2. Load in OD:
004422FE > $6A 74 push 0x74
00442300 .68 388B4700 push dvdcopy.00478B38
00442305 .E8 F6010000 call dvdcopy.00442500
0044230A .33DB xor ebx,ebx
0044230C .895D E0 mov dword ptr ss:,ebx
0044230F .53 push ebx ; /pModule = ""
00442310 .8B3D 2C214700 mov edi,dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; |kernel32.GetModuleHandleA
00442316 .FFD7 call near edi ; \GetModuleHandleA
3. Searched for the strings "invalid" and "unregistered"; neither was found. (After finishing I noticed C32asm can find them, ugh! But you can continue without the strings.)
4. Press F9 to run directly, register, and enter a fake code:
Username: expasy
Password: 98765432
An error message pops up. Don't click OK yet; press F12 to pause and view the call stack (Alt+K), then, as shown in the figure, return to the line at 00451303.
5. Back at line 00451303, set a breakpoint at the start of the function. This key jump is too obvious; of the two calls above it, generally speaking one is very likely the key algorithm. Stepping into each, I found that the first call, 0044F800, encrypts the registration info and stores it in the registry, while the second call, 0044F9D0, is the key one: it decrypts the registry information, computes the SN and compares the fake code with the real one, and the eax value it returns decides whether registration succeeds.
004512B0 .64:A1 00000000mov eax,dword ptr fs:
004512B6 .6A FF push -0x1
004512B8 .68 22024700 push dvdcopy.00470222 ;
004512BD .50 push eax ;dvdcopy.0047CEF8
004512BE .64:8925 0000000>mov dword ptr fs:,esp
004512C5 .83EC 08 sub esp,0x8
004512C8 .56 push esi ;mfc71.7C1473CC
004512C9 .8BF1 mov esi,ecx
004512CB .E8 30E5FFFF call dvdcopy.0044F800 ;call: encrypt the registration info and store it in the registry
004512D0 .E8 FBE6FFFF call dvdcopy.0044F9D0 ;call: compute the SN and compare
004512D5 .85C0 test eax,eax ;dvdcopy.0047CEF8
004512D7 .75 49 jnz short dvdcopy.00451322 ;key jump
004512D9 .8B0D B4E04800 mov ecx,dword ptr ds: ;dvdcopy.0048DDE0
004512DF > .68 442F0000 push 0x2F44 ;failure
004512E4 .8D4424 08 lea eax,dword ptr ss:
004512E8 .50 push eax ;dvdcopy.0047CEF8
004512E9 .E8 7244FFFF call dvdcopy.00445760
004512EE .6A 00 push 0x0
004512F0 .6A 30 push 0x30
004512F2 .8BC8 mov ecx,eax ;dvdcopy.0047CEF8
004512F4 .C74424 1C 00000>mov dword ptr ss:,0x0
004512FC .FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
00451302 .50 push eax ;dvdcopy.0047CEF8
00451303 .E8 3CAA0100 call <jmp.&MFC71.#1123> ;error message
00451308 .8D4C24 04 lea ecx,dword ptr ss:
0045130C .FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
00451312 .5E pop esi ;mfc71.7C1B0F91
00451313 .8B4C24 08 mov ecx,dword ptr ss:
00451317 .64:890D 0000000>mov dword ptr fs:,ecx
0045131E .83C4 14 add esp,0x14
The first call:
0044F800/$64:A1 00000000mov eax,dword ptr fs: ;encrypt the entered fake code and write it to the registry
0044F806|.6A FF push -0x1
0044F808|.68 0A004700 push dvdcopy.0047000A
0044F80D|.50 push eax ;dvdcopy.0047CEF8
0044F80E|.64:8925 0000000>mov dword ptr fs:,esp
0044F815|.83EC 44 sub esp,0x44
0044F818|.53 push ebx
0044F819|.56 push esi ;mfc71.7C1473CC
0044F81A|.57 push edi
0044F81B|.6A 01 push 0x1
0044F81D|.8BF9 mov edi,ecx
0044F81F|.E8 DA21FFFF call <jmp.&MFC71.#6236>
0044F824|.68 00020000 push 0x200
0044F829|.8DB7 BC060000 lea esi,dword ptr ds:
0044F82F|.68 00020000 push 0x200
0044F834|.8BCE mov ecx,esi ;mfc71.7C1473CC
0044F836|.FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ;mfc71.#5154
0044F83C|.50 push eax ;dvdcopy.0047CEF8
0044F83D|.8D8F BC050000 lea ecx,dword ptr ds:
0044F843|.E8 F6C40100 call <jmp.&MFC71.#3760>
0044F848|.6A FF push -0x1
0044F84A|.8BCE mov ecx,esi ;mfc71.7C1473CC
0044F84C|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
0044F852|.68 00020000 push 0x200
0044F857|.8D9F B8060000 lea ebx,dword ptr ds:
0044F85D|.68 00020000 push 0x200
0044F862|.8BCB mov ecx,ebx
0044F864|.FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ;mfc71.#5154
0044F86A|.50 push eax ;dvdcopy.0047CEF8
0044F86B|.8D8F 64060000 lea ecx,dword ptr ds:
0044F871|.E8 C8C40100 call <jmp.&MFC71.#3760>
0044F876|.6A FF push -0x1
0044F878|.8BCB mov ecx,ebx
0044F87A|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
0044F880|.8BCE mov ecx,esi ;mfc71.7C1473CC
0044F882|.FF15 D4274700 call near dword ptr ds:[<&MFC71.#6168>] ;mfc71.#6168
0044F888|.8BCB mov ecx,ebx
0044F88A|.FF15 D4274700 call near dword ptr ds:[<&MFC71.#6168>] ;mfc71.#6168
0044F890|.8BCE mov ecx,esi ;mfc71.7C1473CC
0044F892|.FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ;mfc71.#3934
0044F898|.84C0 test al,al
0044F89A|.0F85 1C010000 jnz dvdcopy.0044F9BC
0044F8A0|.8BCB mov ecx,ebx
0044F8A2|.FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ;mfc71.#3934
0044F8A8|.84C0 test al,al
0044F8AA|.0F85 0C010000 jnz dvdcopy.0044F9BC
0044F8B0|.53 push ebx
0044F8B1|.8D4C24 10 lea ecx,dword ptr ss:
0044F8B5|.FF15 E8264700 call near dword ptr ds:[<&MFC71.#297>] ;mfc71.#297
0044F8BB|.33DB xor ebx,ebx
0044F8BD|.8D4C24 18 lea ecx,dword ptr ss:
0044F8C1|.895C24 58 mov dword ptr ss:,ebx
0044F8C5|.E8 36F20000 call dvdcopy.0045EB00 ;call: constants used for encryption/decryption
0044F8CA|.8D4C24 0C lea ecx,dword ptr ss:
0044F8CE|.C64424 58 01 mov byte ptr ss:,0x1
0044F8D3|.FF15 58254700 call near dword ptr ds:[<&MFC71.#2469>] ;mfc71.#2469
0044F8D9|.50 push eax ;dvdcopy.0047CEF8
0044F8DA|.8BCE mov ecx,esi ;mfc71.7C1473CC
0044F8DC|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044F8E2|.50 push eax ;dvdcopy.0047CEF8
0044F8E3|.8D4C24 20 lea ecx,dword ptr ss:
0044F8E7|.E8 24F70000 call dvdcopy.0045F010 ;call: encrypt the registration code
0044F8EC|.6A FF push -0x1
0044F8EE|.8D4C24 10 lea ecx,dword ptr ss:
0044F8F2|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
0044F8F8|.8D4C24 0C lea ecx,dword ptr ss:
0044F8FC|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044F902|.50 push eax ;dvdcopy.0047CEF8
0044F903|.8D4424 18 lea eax,dword ptr ss:
0044F907|.50 push eax ;dvdcopy.0047CEF8
0044F908|.E8 23F9FFFF call dvdcopy.0044F230 ;call: convert to hex string form
0044F90D|.83C4 08 add esp,0x8
0044F910|.8D4C24 10 lea ecx,dword ptr ss:
0044F914|.51 push ecx
0044F915|.8B0D B8E04800 mov ecx,dword ptr ds: ;dvdcopy.0048DEA0
0044F91B|.C64424 5C 02 mov byte ptr ss:,0x2
0044F920|.E8 5B36FFFF call dvdcopy.00442F80
0044F925|.8BC8 mov ecx,eax ;dvdcopy.0047CEF8
0044F927|.83C1 2C add ecx,0x2C
0044F92A|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044F930|.50 push eax ; |Subkey = "RD"
0044F931|.68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
0044F936|.FF15 24204700 call near dword ptr ds:[<&ADVAPI32.RegCreate>; \RegCreateKeyA
0044F93C|.85C0 test eax,eax ;dvdcopy.0047CEF8
0044F93E|.75 5B jnz short dvdcopy.0044F99B
0044F940|.8BCE mov ecx,esi ;mfc71.7C1473CC
0044F942|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044F948|.8BCE mov ecx,esi ;mfc71.7C1473CC
0044F94A|.8BF8 mov edi,eax ;dvdcopy.0047CEF8
0044F94C|.FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ;mfc71.#2902
0044F952|.8B5424 10 mov edx,dword ptr ss: ;mfc71.7C1B1176
0044F956|.8B35 1C204700 mov esi,dword ptr ds:[<&ADVAPI32.RegSetValue>;advapi32.RegSetValueExA
0044F95C|.50 push eax ; /BufSize = 47CEF8 (4706040.)
0044F95D|.57 push edi ; |Buffer = 00000001
0044F95E|.6A 01 push 0x1 ; |ValueType = REG_SZ
0044F960|.53 push ebx ; |Reserved = 0x111
0044F961|.68 8C8E4700 push dvdcopy.00478E8C ; |Name
0044F966|.52 push edx ; |hKey = 0x0
0044F967|.FFD6 call near esi ; \RegSetValueExA
0044F969|.8D4C24 14 lea ecx,dword ptr ss: ;write to the registry
0044F96D|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044F973|.8D4C24 14 lea ecx,dword ptr ss:
0044F977|.8BF8 mov edi,eax ;dvdcopy.0047CEF8
0044F979|.FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ;mfc71.#2902
0044F97F|.50 push eax ;dvdcopy.0047CEF8
0044F980|.8B4424 14 mov eax,dword ptr ss:
0044F984|.57 push edi
0044F985|.6A 01 push 0x1
0044F987|.53 push ebx
0044F988|.68 90C54700 push dvdcopy.0047C590 ;Code
0044F98D|.50 push eax ;dvdcopy.0047CEF8
0044F98E|.FFD6 call near esi ;mfc71.7C1473CC
0044F990|.8B4C24 10 mov ecx,dword ptr ss: ;mfc71.7C1B1176
0044F994|.51 push ecx ; /hKey = 0011ACB8
0044F995|.FF15 28204700 call near dword ptr ds:[<&ADVAPI32.RegCloseK>; \RegCloseKey
0044F99B|>8D4C24 14 lea ecx,dword ptr ss:
0044F99F|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044F9A5|.8D4C24 18 lea ecx,dword ptr ss:
0044F9A9|.885C24 58 mov byte ptr ss:,bl
0044F9AD|.E8 BEF10000 call dvdcopy.0045EB70
0044F9B2|.8D4C24 0C lea ecx,dword ptr ss:
0044F9B6|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044F9BC|>8B4C24 50 mov ecx,dword ptr ss:
0044F9C0|.5F pop edi ;mfc71.7C1B0F91
0044F9C1|.5E pop esi ;mfc71.7C1B0F91
0044F9C2|.5B pop ebx ;mfc71.7C1B0F91
0044F9C3|.64:890D 0000000>mov dword ptr fs:,ecx
0044F9CA|.83C4 50 add esp,0x50
0044F9CD\.C3 retn
The second call:
0044F9D0/$6A FF push -0x1 ;algorithm 2 = algorithm 1? the same algorithm written twice? this one runs after the registration info is entered
0044F9D2|.68 CF004700 push dvdcopy.004700CF ;SE handler installation
0044F9D7|.64:A1 00000000mov eax,dword ptr fs:
0044F9DD|.50 push eax ;dvdcopy.0047CEF8
0044F9DE|.64:8925 0000000>mov dword ptr fs:,esp
0044F9E5|.81EC A4000000 sub esp,0xA4
0044F9EB|.A1 B0D44800 mov eax,dword ptr ds:
0044F9F0|.53 push ebx
0044F9F1|.56 push esi ;mfc71.7C1473CC
0044F9F2|.8D4C24 10 lea ecx,dword ptr ss:
0044F9F6|.898424 A8000000 mov dword ptr ss:,eax ;dvdcopy.0047CEF8
0044F9FD|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044FA03|.8D4C24 18 lea ecx,dword ptr ss:
0044FA07|.C78424 B4000000>mov dword ptr ss:,0x0
0044FA12|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044FA18|.8D4C24 14 lea ecx,dword ptr ss:
0044FA1C|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044FA22|.8B0D B8E04800 mov ecx,dword ptr ds: ;dvdcopy.0048DEA0
0044FA28|.8D4424 20 lea eax,dword ptr ss:
0044FA2C|.50 push eax ;dvdcopy.0047CEF8
0044FA2D|.C68424 B8000000>mov byte ptr ss:,0x2
0044FA35|.E8 4635FFFF call dvdcopy.00442F80
0044FA3A|.8BC8 mov ecx,eax ;dvdcopy.0047CEF8
0044FA3C|.83C1 2C add ecx,0x2C
0044FA3F|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FA45|.50 push eax ; |Subkey = "RD"
0044FA46|.68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
0044FA4B|.FF15 24204700 call near dword ptr ds:[<&ADVAPI32.RegCreate>; \RegCreateKeyA
0044FA51|.85C0 test eax,eax ;dvdcopy.0047CEF8
0044FA53|.0F85 B1000000 jnz dvdcopy.0044FB0A
0044FA59|.8D4C24 08 lea ecx,dword ptr ss:
0044FA5D|.51 push ecx
0044FA5E|.68 00020000 push 0x200
0044FA63|.8D4C24 18 lea ecx,dword ptr ss:
0044FA67|.C74424 10 00020>mov dword ptr ss:,0x200
0044FA6F|.FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ;mfc71.#5154
0044FA75|.8B5424 24 mov edx,dword ptr ss: ; |
0044FA79|.8B35 2C204700 mov esi,dword ptr ds:[<&ADVAPI32.RegQueryVal>; |advapi32.RegQueryValueExA
0044FA7F|.50 push eax ; |Buffer = dvdcopy.0047CEF8
0044FA80|.6A 00 push 0x0 ; |pValueType = NULL
0044FA82|.6A 00 push 0x0 ; |Reserved = NULL
0044FA84|.68 8C8E4700 push dvdcopy.00478E8C ; |Name
0044FA89|.52 push edx ; |hKey = 0x0
0044FA8A|.FFD6 call near esi ; \RegQueryValueExA
0044FA8C|.6A FF push -0x1
0044FA8E|.8D4C24 14 lea ecx,dword ptr ss:
0044FA92|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
0044FA98|.8D4424 08 lea eax,dword ptr ss:
0044FA9C|.50 push eax ;dvdcopy.0047CEF8
0044FA9D|.68 00020000 push 0x200
0044FAA2|.8D4C24 20 lea ecx,dword ptr ss:
0044FAA6|.C74424 10 00020>mov dword ptr ss:,0x200
0044FAAE|.FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ;mfc71.#5154
0044FAB4|.8B4C24 24 mov ecx,dword ptr ss:
0044FAB8|.50 push eax ;dvdcopy.0047CEF8
0044FAB9|.6A 00 push 0x0
0044FABB|.6A 00 push 0x0
0044FABD|.68 88C54700 push dvdcopy.0047C588 ;Serial
0044FAC2|.51 push ecx
0044FAC3|.FFD6 call near esi ;mfc71.7C1473CC
0044FAC5|.6A FF push -0x1
0044FAC7|.8D4C24 1C lea ecx,dword ptr ss:
0044FACB|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
0044FAD1|.8D5424 08 lea edx,dword ptr ss:
0044FAD5|.52 push edx
0044FAD6|.68 00020000 push 0x200
0044FADB|.8D4C24 1C lea ecx,dword ptr ss:
0044FADF|.C74424 10 00020>mov dword ptr ss:,0x200
0044FAE7|.FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ;mfc71.#5154
0044FAED|.50 push eax ;dvdcopy.0047CEF8
0044FAEE|.8B4424 28 mov eax,dword ptr ss:
0044FAF2|.6A 00 push 0x0
0044FAF4|.6A 00 push 0x0
0044FAF6|.68 90C54700 push dvdcopy.0047C590 ;Code
0044FAFB|.50 push eax ;dvdcopy.0047CEF8
0044FAFC|.FFD6 call near esi ;mfc71.7C1473CC
0044FAFE|.6A FF push -0x1
0044FB00|.8D4C24 18 lea ecx,dword ptr ss:
0044FB04|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
0044FB0A|>8D4C24 14 lea ecx,dword ptr ss:
0044FB0E|.FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ;mfc71.#3934
0044FB14|.84C0 test al,al
0044FB16|.BB 03000000 mov ebx,0x3
0044FB1B|.0F85 8C000000 jnz dvdcopy.0044FBAD
0044FB21|.8D4C24 14 lea ecx,dword ptr ss:
0044FB25|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FB2B|.50 push eax ;dvdcopy.0047CEF8
0044FB2C|.8D4C24 0C lea ecx,dword ptr ss:
0044FB30|.51 push ecx
0044FB31|.E8 FAF5FFFF call dvdcopy.0044F130 ;decryption 2 (decrypts to the intermediate code)
0044FB36|.83C4 08 add esp,0x8
0044FB39|.8D4C24 34 lea ecx,dword ptr ss:
0044FB3D|.889C24 B4000000 mov byte ptr ss:,bl
0044FB44|.E8 B7EF0000 call dvdcopy.0045EB00 ;initialize some variables?
0044FB49|.8D4C24 08 lea ecx,dword ptr ss:
0044FB4D|.C68424 B4000000>mov byte ptr ss:,0x4
0044FB55|.FF15 58254700 call near dword ptr ds:[<&MFC71.#2469>] ;mfc71.#2469
0044FB5B|.50 push eax ;dvdcopy.0047CEF8
0044FB5C|.8D4C24 14 lea ecx,dword ptr ss:
0044FB60|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FB66|.50 push eax ;dvdcopy.0047CEF8
0044FB67|.8D4C24 3C lea ecx,dword ptr ss:
0044FB6B|.E8 A0F40000 call dvdcopy.0045F010 ;decryption 1 (decrypts to the plaintext code)
0044FB70|.6A FF push -0x1
0044FB72|.8D4C24 0C lea ecx,dword ptr ss:
0044FB76|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
0044FB7C|.8D5424 08 lea edx,dword ptr ss:
0044FB80|.52 push edx
0044FB81|.8D4C24 18 lea ecx,dword ptr ss:
0044FB85|.FF15 E4264700 call near dword ptr ds:[<&MFC71.#781>] ;mfc71.#781
0044FB8B|.8D4C24 34 lea ecx,dword ptr ss:
0044FB8F|.889C24 B4000000 mov byte ptr ss:,bl
0044FB96|.E8 D5EF0000 call dvdcopy.0045EB70
0044FB9B|.8D4C24 08 lea ecx,dword ptr ss:
0044FB9F|.C68424 B4000000>mov byte ptr ss:,0x2
0044FBA7|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FBAD|>6A 14 push 0x14
0044FBAF|.8D4424 0C lea eax,dword ptr ss:
0044FBB3|.50 push eax ;dvdcopy.0047CEF8
0044FBB4|.8D4C24 1C lea ecx,dword ptr ss:
0044FBB8|.FF15 E0264700 call near dword ptr ds:[<&MFC71.#3997>] ;mfc71.#3997
0044FBBE|.50 push eax ;take 0x14 (20) characters of the SN, starting from the left I think
0044FBBF|.8D4C24 1C lea ecx,dword ptr ss:
0044FBC3|.C68424 B8000000>mov byte ptr ss:,0x5
0044FBCB|.FF15 E4264700 call near dword ptr ds:[<&MFC71.#781>] ;mfc71.#781
0044FBD1|.8D4C24 08 lea ecx,dword ptr ss:
0044FBD5|.C68424 B4000000>mov byte ptr ss:,0x2
0044FBDD|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FBE3|.8D4C24 10 lea ecx,dword ptr ss:
0044FBE7|.FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ;mfc71.#3934
0044FBED|.84C0 test al,al
0044FBEF|.0F85 C0030000 jnz dvdcopy.0044FFB5
0044FBF5|.8D4C24 14 lea ecx,dword ptr ss:
0044FBF9|.FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ;mfc71.#3934
0044FBFF|.84C0 test al,al
0044FC01|.0F85 AE030000 jnz dvdcopy.0044FFB5
0044FC07|.8D4C24 14 lea ecx,dword ptr ss:
0044FC0B|.FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ;mfc71.#2902
0044FC11|.83F8 27 cmp eax,0x27 ;SN length is 0x27 (39) characters
0044FC14|.0F85 9B030000 jnz dvdcopy.0044FFB5
0044FC1A|.8D4C24 18 lea ecx,dword ptr ss:
0044FC1E|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FC24|.8B0D B8E04800 mov ecx,dword ptr ds: ;dvdcopy.0048DEA0
0044FC2A|.E8 5133FFFF call dvdcopy.00442F80
0044FC2F|.83C0 38 add eax,0x38
0044FC32|.50 push eax ;dvdcopy.0047CEF8
0044FC33|.8D4C24 14 lea ecx,dword ptr ss:
0044FC37|.FF15 E4264700 call near dword ptr ds:[<&MFC71.#781>] ;mfc71.#781
0044FC3D|.8D4C24 0C lea ecx,dword ptr ss:
0044FC41|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044FC47|.8D4C24 10 lea ecx,dword ptr ss:
0044FC4B|.C68424 B4000000>mov byte ptr ss:,0x6
0044FC53|.33F6 xor esi,esi ;mfc71.7C1473CC
0044FC55|.FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ;mfc71.#2902
0044FC5B|.85C0 test eax,eax ;dvdcopy.0047CEF8
0044FC5D|.7E 53 jle short dvdcopy.0044FCB2 ;software string="Jobosharedvdcopydvdcss2008.07.28"
0044FC5F|.90 nop ;eax=0x20(32)=length of the software string
0044FC60|>8BC6 /mov eax,esi ;for(int esi=0;esi<0x20;esi++){
0044FC62|.99 |cdq ;edx=0;ebx=0x3;
0044FC63|.8BCB |mov ecx,ebx
0044FC65|.F7F9 |idiv ecx
0044FC67|.85D2 |test edx,edx ;edx=esi%ebx;
0044FC69|.75 38 |jnz short dvdcopy.0044FCA3 ;if(edx==0){
0044FC6B|.56 |push esi ;mfc71.7C1473CC
0044FC6C|.8D4C24 14 |lea ecx,dword ptr ss:
0044FC70|.FF15 58264700 |call near dword ptr ds:[<&MFC71.#865>] ;mfc71.#2451
0044FC76|.8D4C24 0C |lea ecx,dword ptr ss:
0044FC7A|.50 |push eax ;dvdcopy.0047CEF8
0044FC7B|.FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ;mfc71.#909
0044FC81|.8D46 01 |lea eax,dword ptr ds: ;eax=esi+1
0044FC84|.99 |cdq ;edx=0
0044FC85|.B9 FF000000 |mov ecx,0xFF
0044FC8A|.F7F9 |idiv ecx
0044FC8C|.84D2 |test dl,dl ;dl=eax%0xff; //(=eax)
0044FC8E|.885424 08 |mov byte ptr ss:,dl
0044FC92|.74 0F |je short dvdcopy.0044FCA3 ;if(dl!=0){
0044FC94|.8B5424 08 |mov edx,dword ptr ss:
0044FC98|.52 |push edx
0044FC99|.8D4C24 10 |lea ecx,dword ptr ss:
0044FC9D|.FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ;}}//endif
0044FCA3|>8D4C24 10 |lea ecx,dword ptr ss:
0044FCA7|.46 |inc esi ;mfc71.7C1473CC
0044FCA8|.FF15 20274700 |call near dword ptr ds:[<&MFC71.#2902>] ;eax=0x20
0044FCAE|.3BF0 |cmp esi,eax ;dvdcopy.0047CEF8
0044FCB0|.^ 7C AE \jl short dvdcopy.0044FC60 ;} //endfor, this loop processes every (3n+1)-th character of the software string
0044FCB2|>8D4C24 10 lea ecx,dword ptr ss:
0044FCB6|.33F6 xor esi,esi ;mfc71.7C1473CC
0044FCB8|.FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ;mfc71.#2902
0044FCBE|.85C0 test eax,eax ;eax=0x20(32)=length of the software string
0044FCC0|.7E 52 jle short dvdcopy.0044FD14 ;for(int esi=0;esi<eax;esi++){
0044FCC2|>8BC6 /mov eax,esi ;///// this is basically the same as above, processing the remaining characters
0044FCC4|.99 |cdq ;edx=0;ebx=0x3;
0044FCC5|.8BCB |mov ecx,ebx
0044FCC7|.F7F9 |idiv ecx
0044FCC9|.85D2 |test edx,edx ;edx=esi%3;
0044FCCB|.74 38 |je short dvdcopy.0044FD05 ;if(edx!=0) /// the difference; these two loops are really one loop written twice
0044FCCD|.56 |push esi ;mfc71.7C1473CC
0044FCCE|.8D4C24 14 |lea ecx,dword ptr ss:
0044FCD2|.FF15 58264700 |call near dword ptr ds:[<&MFC71.#865>] ;mfc71.#2451
0044FCD8|.8D4C24 0C |lea ecx,dword ptr ss:
0044FCDC|.50 |push eax ;dvdcopy.0047CEF8
0044FCDD|.FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ;mfc71.#909
0044FCE3|.8D46 01 |lea eax,dword ptr ds:
0044FCE6|.99 |cdq
0044FCE7|.B9 FF000000 |mov ecx,0xFF
0044FCEC|.F7F9 |idiv ecx
0044FCEE|.84D2 |test dl,dl
0044FCF0|.885424 08 |mov byte ptr ss:,dl
0044FCF4|.74 0F |je short dvdcopy.0044FD05
0044FCF6|.8B5424 08 |mov edx,dword ptr ss:
0044FCFA|.52 |push edx
0044FCFB|.8D4C24 10 |lea ecx,dword ptr ss:
0044FCFF|.FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ;mfc71.#909
0044FD05|>8D4C24 10 |lea ecx,dword ptr ss:
0044FD09|.46 |inc esi ;mfc71.7C1473CC
0044FD0A|.FF15 20274700 |call near dword ptr ds:[<&MFC71.#2902>] ;mfc71.#2902
0044FD10|.3BF0 |cmp esi,eax ;dvdcopy.0047CEF8
0044FD12|.^ 7C AE \jl short dvdcopy.0044FCC2
0044FD14|>8D4C24 24 lea ecx,dword ptr ss:
0044FD18|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044FD1E|.6A 01 push 0x1
0044FD20|.8D4424 28 lea eax,dword ptr ss:
0044FD24|.68 A8C54700 push dvdcopy.0047C5A8 ;%d
0044FD29|.50 push eax ;dvdcopy.0047CEF8
0044FD2A|.C68424 C0000000>mov byte ptr ss:,0x7
0044FD32|.FF15 A8264700 call near dword ptr ds:[<&MFC71.#2322>] ;outputs the characters in the "%d" format, I think
0044FD38|.83C4 0C add esp,0xC
0044FD3B|.8D4C24 24 lea ecx,dword ptr ss:
0044FD3F|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FD45|.50 push eax ;dvdcopy.0047CEF8
0044FD46|.6A 00 push 0x0
0044FD48|.8D4C24 14 lea ecx,dword ptr ss:
0044FD4C|.FF15 40264700 call near dword ptr ds:[<&MFC71.#3850>] ;here the results produced by the two loops are stored, and one more character is added in front
0044FD52|.8D4C24 28 lea ecx,dword ptr ss:
0044FD56|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044FD5C|.8D4C24 2C lea ecx,dword ptr ss:
0044FD60|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044FD66|.6A 00 push 0x0
0044FD68|.8D4C24 2C lea ecx,dword ptr ss:
0044FD6C|.68 A8C54700 push dvdcopy.0047C5A8 ;%d
0044FD71|.B3 09 mov bl,0x9
0044FD73|.51 push ecx
0044FD74|.889C24 C0000000 mov byte ptr ss:,bl
0044FD7B|.FF15 A8264700 call near dword ptr ds:[<&MFC71.#2322>] ;mfc71.#2322
0044FD81|.6A 00 push 0x0
0044FD83|.8D5424 3C lea edx,dword ptr ss:
0044FD87|.68 A8C54700 push dvdcopy.0047C5A8 ;%d
0044FD8C|.52 push edx
0044FD8D|.FF15 A8264700 call near dword ptr ds:[<&MFC71.#2322>] ;mfc71.#2322
0044FD93|.8D4424 44 lea eax,dword ptr ss:
0044FD97|.50 push eax ;dvdcopy.0047CEF8
0044FD98|.8D4C24 44 lea ecx,dword ptr ss:
0044FD9C|.51 push ecx
0044FD9D|.8D5424 28 lea edx,dword ptr ss:
0044FDA1|.52 push edx
0044FDA2|.E8 7900FDFF call dvdcopy.0041FE20
0044FDA7|.83C4 24 add esp,0x24
0044FDAA|.50 push eax ;dvdcopy.0047CEF8
0044FDAB|.8D4C24 10 lea ecx,dword ptr ss:
0044FDAF|.C68424 B8000000>mov byte ptr ss:,0xA
0044FDB7|.FF15 B0264700 call near dword ptr ds:[<&MFC71.#907>] ;mfc71.#907
0044FDBD|.8D4C24 08 lea ecx,dword ptr ss:
0044FDC1|.889C24 B4000000 mov byte ptr ss:,bl
0044FDC8|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FDCE|.8D4424 18 lea eax,dword ptr ss:
0044FDD2|.50 push eax ;dvdcopy.0047CEF8
0044FDD3|.8D4C24 20 lea ecx,dword ptr ss:
0044FDD7|.FF15 E8264700 call near dword ptr ds:[<&MFC71.#297>] ;mfc71.#297
0044FDDD|.B3 0B mov bl,0xB
0044FDDF|.8D4C24 1C lea ecx,dword ptr ss:
0044FDE3|.889C24 B4000000 mov byte ptr ss:,bl
0044FDEA|.FF15 44264700 call near dword ptr ds:[<&MFC71.#4085>] ;mfc71.#4085
0044FDF0|.8D4C24 1C lea ecx,dword ptr ss:
0044FDF4|.FF15 D8274700 call near dword ptr ds:[<&MFC71.#6174>] ;mfc71.#6174
0044FDFA|.8D4C24 1C lea ecx,dword ptr ss:
0044FDFE|.FF15 A8234700 call near dword ptr ds:[<&MFC71.#6180>] ;mfc71.#6180
0044FE04|.8D4C24 1C lea ecx,dword ptr ss:
0044FE08|.FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ;mfc71.#3934
0044FE0E|.84C0 test al,al
0044FE10|.74 0F je short dvdcopy.0044FE21
0044FE12|.68 9CC54700 push dvdcopy.0047C59C ;joboshare
0044FE17|.8D4C24 20 lea ecx,dword ptr ss:
0044FE1B|.FF15 24274700 call near dword ptr ds:[<&MFC71.#784>] ;mfc71.#785
0044FE21|>8B0D B8E04800 mov ecx,dword ptr ds: ;dvdcopy.0048DEA0
0044FE27|.E8 5431FFFF call dvdcopy.00442F80
0044FE2C|.83C0 38 add eax,0x38
0044FE2F|.50 push eax ;dvdcopy.0047CEF8
0044FE30|.8D4C24 20 lea ecx,dword ptr ss:
0044FE34|.51 push ecx
0044FE35|.8D5424 10 lea edx,dword ptr ss:
0044FE39|.52 push edx
0044FE3A|.E8 E1FFFCFF call dvdcopy.0041FE20 ;concatenates the first 20 characters of the SN with the software string
0044FE3F|.83C4 0C add esp,0xC
0044FE42|.50 push eax ;dvdcopy.0047CEF8
0044FE43|.8D4C24 10 lea ecx,dword ptr ss:
0044FE47|.C68424 B8000000>mov byte ptr ss:,0xC
0044FE4F|.FF15 B0264700 call near dword ptr ds:[<&MFC71.#907>] ;this appends the concatenated string to the result; in between there are a few characters " 00" of unknown origin
0044FE55|.8D4C24 08 lea ecx,dword ptr ss: ;the string to be MD5-hashed is now formed, located at ecx
0044FE59|.889C24 B4000000 mov byte ptr ss:,bl
0044FE60|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FE66|.8D4C24 0C lea ecx,dword ptr ss:
0044FE6A|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FE70|.50 push eax ;dvdcopy.0047CEF8
0044FE71|.8D4C24 70 lea ecx,dword ptr ss:
0044FE75|.E8 F6F20000 call dvdcopy.0045F170 ;this one is interesting: md5
0044FE7A|.8D4C24 6C lea ecx,dword ptr ss:
0044FE7E|.C68424 B4000000>mov byte ptr ss:,0xD
0044FE86|.E8 25F20000 call dvdcopy.0045F0B0
0044FE8B|.50 push eax ;dvdcopy.0047CEF8
0044FE8C|.8D4C24 34 lea ecx,dword ptr ss:
0044FE90|.FF15 64274700 call near dword ptr ds:[<&MFC71.#304>] ;mfc71.#304
0044FE96|.8D4C24 0C lea ecx,dword ptr ss:
0044FE9A|.C68424 B4000000>mov byte ptr ss:,0xE
0044FEA2|.FF15 98264700 call near dword ptr ds:[<&MFC71.#2131>] ;mfc71.#2131
0044FEA8|.33F6 xor esi,esi ;mfc71.7C1473CC
0044FEAA|.8D9B 00000000 lea ebx,dword ptr ds:
0044FEB0|>56 /push esi ;mfc71.7C1473CC
0044FEB1|.8D4C24 34 |lea ecx,dword ptr ss:
0044FEB5|.FF15 58264700 |call near dword ptr ds:[<&MFC71.#865>] ;mfc71.#2451
0044FEBB|.8D4C24 0C |lea ecx,dword ptr ss:
0044FEBF|.50 |push eax ;dvdcopy.0047CEF8
0044FEC0|.FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ;mfc71.#909
0044FEC6|.8BC6 |mov eax,esi ;starting from the first character, take every other one
0044FEC8|.D1E8 |shr eax,1
0044FECA|.40 |inc eax ;dvdcopy.0047CEF8
0044FECB|.25 03000080 |and eax,0x80000003
0044FED0|.79 05 |jns short dvdcopy.0044FED7
0044FED2|.48 |dec eax ;dvdcopy.0047CEF8
0044FED3|.83C8 FC |or eax,-0x4 ;after every 4 characters taken, add a '-'
0044FED6|.40 |inc eax ;dvdcopy.0047CEF8
0044FED7|>75 0F |jnz short dvdcopy.0044FEE8
0044FED9|.68 98C54700 |push dvdcopy.0047C598 ;-
0044FEDE|.8D4C24 10 |lea ecx,dword ptr ss:
0044FEE2|.FF15 AC264700 |call near dword ptr ds:[<&MFC71.#911>] ;concatenate strings
0044FEE8|>83C6 02 |add esi,0x2
0044FEEB|.83FE 20 |cmp esi,0x20 ;20 characters in total, the last one is the '-' sign
0044FEEE|.^ 7C C0 \jl short dvdcopy.0044FEB0
0044FEF0|.8D4C24 0C lea ecx,dword ptr ss:
0044FEF4|.FF15 44264700 call near dword ptr ds:[<&MFC71.#4085>] ;convert to uppercase
0044FEFA|.6A 01 push 0x1
0044FEFC|.8D4C24 10 lea ecx,dword ptr ss:
0044FF00|.FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ;remove the last character ('-')
0044FF06|.48 dec eax ;dvdcopy.0047CEF8
0044FF07|.50 push eax ;dvdcopy.0047CEF8
0044FF08|.8D4C24 14 lea ecx,dword ptr ss:
0044FF0C|.FF15 48264700 call near dword ptr ds:[<&MFC71.#1916>] ;mfc71.#1916
0044FF12|.8D4C24 18 lea ecx,dword ptr ss:
0044FF16|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FF1C|.50 push eax ;dvdcopy.0047CEF8
0044FF1D|.6A 00 push 0x0
0044FF1F|.8D4C24 14 lea ecx,dword ptr ss:
0044FF23|.FF15 40264700 call near dword ptr ds:[<&MFC71.#3850>] ;mfc71.#3850
0044FF29|.8D4C24 14 lea ecx,dword ptr ss: ;concatenate the SN, 39 characters in total; the real code appears here
0044FF2D|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044FF33|.50 push eax ;dvdcopy.0047CEF8
0044FF34|.8D4C24 10 lea ecx,dword ptr ss:
0044FF38|.FF15 78234700 call near dword ptr ds:[<&MFC71.#1482>] ;mfc71.#1482
0044FF3E|.F7D8 neg eax ;dvdcopy.0047CEF8
0044FF40|.1AC0 sbb al,al
0044FF42|.FEC0 inc al
0044FF44|.8D4C24 30 lea ecx,dword ptr ss:
0044FF48|.0FB6F0 movzx esi,al
0044FF4B|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FF51|.8D4C24 6C lea ecx,dword ptr ss:
0044FF55|.889C24 B4000000 mov byte ptr ss:,bl
0044FF5C|.E8 3FF10000 call dvdcopy.0045F0A0
0044FF61|.8D4C24 1C lea ecx,dword ptr ss:
0044FF65|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FF6B|.8D4C24 2C lea ecx,dword ptr ss:
0044FF6F|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FF75|.8D4C24 28 lea ecx,dword ptr ss:
0044FF79|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FF7F|.8D4C24 24 lea ecx,dword ptr ss:
0044FF83|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FF89|.8D4C24 0C lea ecx,dword ptr ss:
0044FF8D|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FF93|.8D4C24 14 lea ecx,dword ptr ss:
0044FF97|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FF9D|.8D4C24 18 lea ecx,dword ptr ss:
0044FFA1|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FFA7|.8D4C24 10 lea ecx,dword ptr ss:
0044FFAB|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FFB1|.8BC6 mov eax,esi ;mfc71.7C1473CC
0044FFB3|.EB 20 jmp short dvdcopy.0044FFD5
0044FFB5|>8D4C24 14 lea ecx,dword ptr ss:
0044FFB9|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FFBF|.8D4C24 18 lea ecx,dword ptr ss:
0044FFC3|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FFC9|.8D4C24 10 lea ecx,dword ptr ss:
0044FFCD|.FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ;mfc71.#578
0044FFD3|.33C0 xor eax,eax ;dvdcopy.0047CEF8
0044FFD5|>8B8C24 AC000000 mov ecx,dword ptr ss:
0044FFDC|.5E pop esi ;mfc71.7C1B0F91
0044FFDD|.64:890D 0000000>mov dword ptr fs:,ecx
0044FFE4|.8B8C24 A4000000 mov ecx,dword ptr ss:
0044FFEB|.5B pop ebx ;mfc71.7C1B0F91
0044FFEC|.E8 8C25FFFF call dvdcopy.0044257D
0044FFF1|.81C4 B0000000 add esp,0xB0
0044FFF7\.C3 retn
Among these, the block of constants used to encrypt the registration code when storing it in the registry and to decrypt it when reading it back:
0045EB00/$8BC1 mov eax,ecx
0045EB02|.C700 9CEB4700 mov dword ptr ds:,dvdcopy.0047EB9C
0045EB08|.C740 08 DF9B571>mov dword ptr ds:,0x13579BDF
0045EB0F|.C740 0C E0AC682>mov dword ptr ds:,0x2468ACE0
0045EB16|.C740 10 3175B9F>mov dword ptr ds:,0xFDB97531
0045EB1D|.C740 14 6200008>mov dword ptr ds:,0x80000062
0045EB24|.C740 18 2000004>mov dword ptr ds:,0x40000020
0045EB2B|.C740 1C 0200001>mov dword ptr ds:,0x10000002
0045EB32|.C740 20 FFFFFF7>mov dword ptr ds:,0x7FFFFFFF
0045EB39|.C740 24 FFFFFF3>mov dword ptr ds:,0x3FFFFFFF
0045EB40|.C740 28 FFFFFF0>mov dword ptr ds:,0xFFFFFFF
0045EB47|.C740 2C 0000008>mov dword ptr ds:,0x80000000
0045EB4E|.C740 30 000000C>mov dword ptr ds:,0xC0000000
0045EB55|.C740 34 000000F>mov dword ptr ds:,0xF0000000
0045EB5C|.C740 04 0000000>mov dword ptr ds:,0x0
The encryption/decryption part:
0045F010/$53 push ebx ;encrypt/decrypt
0045F011|.55 push ebp
0045F012|.56 push esi ;mfc71.7C1473CC
0045F013|.57 push edi
0045F014|.8BF9 mov edi,ecx
0045F016|.8B4C24 14 mov ecx,dword ptr ss:
0045F01A|.8B07 mov eax,dword ptr ds:
0045F01C|.51 push ecx
0045F01D|.8BCF mov ecx,edi
0045F01F|.FF50 08 call near dword ptr ds: ;dvdcopy.004235A0
0045F022|.8B5C24 18 mov ebx,dword ptr ss:
0045F026|.8BC3 mov eax,ebx
0045F028|.8D50 01 lea edx,dword ptr ds:
0045F02B|.EB 03 jmp short dvdcopy.0045F030
0045F02D| 8D49 00 lea ecx,dword ptr ds:
0045F030|>8A08 /mov cl,byte ptr ds:
0045F032|.40 |inc eax ;dvdcopy.0047CEF8
0045F033|.84C9 |test cl,cl
0045F035|.^ 75 F9 \jnz short dvdcopy.0045F030
0045F037|.2BC2 sub eax,edx
0045F039|.8BE8 mov ebp,eax ;dvdcopy.0047CEF8
0045F03B|.BE 00000000 mov esi,0x0
0045F040|.74 1F je short dvdcopy.0045F061
0045F042|>8A141E /mov dl,byte ptr ds: ;each byte is encrypted/decrypted separately
0045F045|.8B07 |mov eax,dword ptr ds:
0045F047|.8D4C24 14 |lea ecx,dword ptr ss:
0045F04B|.51 |push ecx
0045F04C|.8BCF |mov ecx,edi
0045F04E|.885424 18 |mov byte ptr ss:,dl
0045F052|.FF50 10 |call near dword ptr ds: ;encryption/decryption of each byte
0045F055|.8A5424 14 |mov dl,byte ptr ss:
0045F059|.88141E |mov byte ptr ds:,dl
0045F05C|.46 |inc esi ;mfc71.7C1473CC
0045F05D|.3BF5 |cmp esi,ebp
0045F05F|.^ 72 E1 \jb short dvdcopy.0045F042
0045F061|>5F pop edi ;mfc71.7C1B0F91
0045F062|.5E pop esi ;mfc71.7C1B0F91
0045F063|.5D pop ebp ;mfc71.7C1B0F91
0045F064|.5B pop ebx ;mfc71.7C1B0F91
0045F065\.C2 0800 retn 0x8
6. Patching. My habit when patching is to change the jump, but changing the jump here is really too troublesome; look at the number of calls to the algorithm:
Local calls from 0041969C, 0041CAA9, 0041FA7A, 0042376D, 00423783, 0045011B, 004501C7, 004512D0, 00451645
9 places in total; patching the jumps would mean 9 changes, which is not worth it, so I directly modified the algorithm call to make it return eax=1.
Change
0044F9D0/$6A FF push -0x1 ;algorithm 2 = algorithm 1? the same algorithm written twice? this one runs after the registration info is entered
0044F9D2|.68 CF004700 push dvdcopy.004700CF ;SE handler installation
0044F9D7|.64:A1 00000000mov eax,dword ptr fs:
to
0044F9D0 33C0 xor eax,eax ;
0044F9D2 40 inc eax ;
0044F9D3 C3 retn
0044F9D4 90 nop
0044F9D5 90 nop
0044F9D6 90 nop
0044F9D7|.64:A1 00000000mov eax,dword ptr fs:
Saved the modified file as 1.exe and tested it.
It did show that registration succeeded, but the title bar still shows unregistered, so there is another check, and it does not call this algorithm, so I kept modifying.
7. Since we already know the registration info is saved in the registry, the place where it is stored is:
One can see that the username is name, unencrypted. The registration code is code, stored encrypted.
So set breakpoints directly on the registry APIs:
BP RegQueryValueExA
BP RegQueryValueExW
Ctrl+F2 to restart. It breaks on the registry API, but not on any of the wanted entries (name, code). After pressing F9 maybe 10+ times, "name" finally appeared in the stack; ok, Alt+F9 returns here to 0044BCDC:
0044BC20/$6A FF push -0x1 ;algorithm 1, used at startup
0044BC22|.68 3FFB4600 push dvdcopy.0046FB3F ;SE handler installation
0044BC27|.64:A1 00000000mov eax,dword ptr fs:
0044BC2D|.50 push eax
0044BC2E|.64:8925 0000000>mov dword ptr fs:,esp
0044BC35|.81EC A4000000 sub esp,0xA4
0044BC3B|.A1 B0D44800 mov eax,dword ptr ds:
0044BC40|.53 push ebx
0044BC41|.56 push esi ;advapi32.RegQueryValueExA
0044BC42|.8D4C24 10 lea ecx,dword ptr ss:
0044BC46|.898424 A8000000 mov dword ptr ss:,eax
0044BC4D|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044BC53|.8D4C24 18 lea ecx,dword ptr ss:
0044BC57|.C78424 B4000000>mov dword ptr ss:,0x0
0044BC62|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044BC68|.8D4C24 14 lea ecx,dword ptr ss:
0044BC6C|.FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ;mfc71.#310
0044BC72|.8B0D B8E04800 mov ecx,dword ptr ds: ;dvdcopy.0048DEA0
0044BC78|.8D4424 20 lea eax,dword ptr ss:
0044BC7C|.50 push eax
0044BC7D|.C68424 B8000000>mov byte ptr ss:,0x2
0044BC85|.E8 F672FFFF call dvdcopy.00442F80
0044BC8A|.8BC8 mov ecx,eax
0044BC8C|.83C1 2C add ecx,0x2C
0044BC8F|.FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ;mfc71.#3397
0044BC95|.50 push eax ; |Subkey = ""
0044BC96|.68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
0044BC9B|.FF15 24204700 call near dword ptr ds:[<&ADVAPI32.RegCreate>; \RegCreateKeyA
0044BCA1|.85C0 test eax,eax
0044BCA3|.0F85 B1000000 jnz dvdcopy.0044BD5A
0044BCA9|.8D4C24 08 lea ecx,dword ptr ss:
0044BCAD|.51 push ecx ;mfc71.7C2238D0
0044BCAE|.68 00020000 push 0x200
0044BCB3|.8D4C24 18 lea ecx,dword ptr ss:
0044BCB7|.C74424 10 00020>mov dword ptr ss:,0x200
0044BCBF|.FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ;mfc71.#5154
0044BCC5|.8B5424 24 mov edx,dword ptr ss: ; |
0044BCC9|.8B35 2C204700 mov esi,dword ptr ds:[<&ADVAPI32.RegQueryVal>; |advapi32.RegQueryValueExA
0044BCCF|.50 push eax ; |Buffer = 0130C340
0044BCD0|.6A 00 push 0x0 ; |pValueType = NULL
0044BCD2|.6A 00 push 0x0 ; |Reserved = NULL
0044BCD4|.68 8C8E4700 push dvdcopy.00478E8C ; |Name
0044BCD9|.52 push edx ; |hKey = 0x1D4
0044BCDA|.FFD6 call near esi ; \RegQueryValueExA
0044BCDC|.6A FF push -0x1 ;返回到的地方
0044BCDE|.8D4C24 14 lea ecx,dword ptr ss:
0044BCE2|.FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ;mfc71.#5403
找到段首,本来该再分析一段的,然而因为软件作者太懒了吧,这段好像和第一个的算法一模一样的???我直接把段首改了
0044BC20/$6A FF push -0x1 ;algorithm 1, used at startup
0044BC22|.68 3FFB4600 push dvdcopy.0046FB3F ;SE handler installation
0044BC27|.64:A1 00000000 mov eax,dword ptr fs:[0]
to
0044BC20 33C0 xor eax,eax ;algorithm 1, used at startup
0044BC22 40 inc eax
0044BC23 C3 retn
0044BC24 90 nop
0044BC25 90 nop
0044BC26 90 nop
0044BC27|.64:A1 00000000 mov eax,dword ptr fs:[0]
Save the modified file as 2.exe. Testing shows the patch works (since I have no DVD, what I actually tested was another Joboshare program, Video Converter, whose algorithm is identical to this one; after patching, it is fully functional. Naturally I hope someone with a DVD will test whether this patch is complete).
Two places are patched in total: 0044F9D0 and 0044BC20
8. Making the patch: I used PYG's patch tool with the settings below; each was tested and works
Test
9. Catching the real code: the real code can be caught at either 0044FF29 or 0044C179, in ecx and edx
A memory keygen can be set up like this (limitations of this memory keygen: you must first do a fake registration once before using it, and the fake code must be 39 characters long for the real code to be produced):
Break at 0044FF29 or 0044C179, first byte 8D, length 4, break once, memory mode, register ecx. See the figure.
10. Algorithm: the code of the algorithm call was posted above (the block starting at 0044F9D0), and it is fairly completely commented; let me describe it in words as well:
The SN appears to be unrelated to the user name
The SN is 39 characters long (if it is not 39 characters, the real code is not even computed)
The last 19 characters of the SN are derived from the first 20 characters and the string "Jobosharedvdcopydvdcss2008.07.28": after certain transformations an MD5 is taken, then the odd-position characters of the MD5 are concatenated, and a '-' is inserted after every 4 characters
For example, the registration code I entered is "888888888888888888888888888888888888888"
The software's string is "Jobosharedvdcopydvdcss2008.07.28"
Process the string "Jobosharedvdcopydvdcss2008.07.28", 32 characters in total
Take its (3*i+1)th character (i=0,1,2,3,..., up to the string length); 11 characters are taken in total
"Jobosharedvdcopydvdcss2008.07.28" =
4A 6F 62 6F 73 68 61 72 65 64 76 64 63 6F 70 79 64 76 64 63 73 73 32 30 30 38 2E 30 37 2E 32 38
Its (3*i+1)th characters (i=0,1,2,3,..., up to the string length) are
4A6F616463796473303032
The remaining characters are
6F62736872657664 6F706476 63733230382E372E38
Concatenated together:
4A6F61 6463 7964 73303032 6F62736872
657664 6F70 6476 63733230 382E372E38
Then after each byte insert a number, namely that character's position index in the original string; the result is (hex):
4A 01 6F 04 61 07 76 0A 65 0D 6F 10 65 13 65 16 30 19 2E 1C 2E 1F 6F 02 62 03 73 05 68 06 72 08
65 09 69 0B 64 0C 6F 0E 63 0F 6E 11 76 12 72 14 74 15 72 17 32 18 30 1A 38 1B 30 1D 37 1E 32 20
38 21
Then prepend a 0x31 and append two 0x30 bytes to this sequence (these values are also computed), giving:
31 4A 01 6F 04 61 07 76 0A 65 0D 6F 10 65 13 65 16 30 19 2E 1C 2E 1F 6F 02 62 03 73 05 68 06 72
08 65 09 69 0B 64 0C 6F 0E 63 0F 6E 11 76 12 72 14 74 15 72 17 32 18 30 1A 38 1B 30 1D 37 1E 32
20 38 21 30 30
Then append the first 20 characters of the SN = "88888888888888888888" and the software string "Jobosharedvdcopydvdcss2008.07.28", which gives (hex):
31 4A 01 6F 04 61 07 76 0A 65 0D 6F 10 65 13 65 16 30 19 2E 1C 2E 1F 6F 02 62 03 73 05 68 06 72
08 65 09 69 0B 64 0C 6F 0E 63 0F 6E 11 76 12 72 14 74 15 72 17 32 18 30 1A 38 1B 30 1D 37 1E 32
20 38 21 30 30 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 4A 6F 62 6F 73 68 61
72 65 76 69 64 65 6F 63 6F 6E 76 65 72 74 65 72 32 30 30 38 2E 30 37 2E 32 38
The rest is simple: take the MD5 of this byte string, which is
5d5a90af00b3947773425ec2e7d90e8f
Finally, concatenate the odd-position characters of the MD5 and insert a '-' after every 4 characters; that is the last 19 characters of the SN. Oh, and convert it to upper case.
SN= "88888888888888888888559A-0B97-745C-ED08"
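From a defender's side, the weakness this walkthrough exposes is structural: the expected key is an MD5 over a constant embedded in the binary plus the first 20 digits, independent of the user name, so anyone who reads the binary can compute it, and the check is one boolean that a three-byte stub overrides. As an added example (not the page's or Joboshare's code), here is the usual fix for the first problem: a license signed with Ed25519, so the program embeds only a public key. The product tag, the user name and the "user:base64(signature)" format are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed product tag. It plays the role of the constant the page's scheme
// feeds into MD5, but here it is public data rather than a secret.
const product = "ExampleProduct-1.0"
// Signed payload binds the license to product and user name, so one key
// cannot be shared across accounts (the page's SN ignores the user name).
func payload(user string) []byte {
	return []byte(product + "\x00" + user)
}

// IssueLicense runs only at the vendor, which alone holds the private key.
// Assumed license format: "user:base64(signature)".
func IssueLicense(priv ed25519.PrivateKey, user string) string {
	sig := ed25519.Sign(priv, payload(user))
	return user + ":" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyLicense is all that ships in the app: only the public key is embedded,
// so nothing readable from the binary lets anyone mint licenses.
func VerifyLicense(pub ed25519.PublicKey, license string) bool {
	i := strings.LastIndex(license, ":") // base64 never contains ':'
	if i < 0 {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(license[i+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, payload(license[:i]), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	lic := IssueLicense(priv, "expasy")
	fmt.Println("expasy:", VerifyLicense(pub, lic)) // true
	forged := "someone" + lic[strings.LastIndex(lic, ":"):] // re-labelled
	fmt.Println("someone:", VerifyLicense(pub, forged)) // false
}
```

A signature stops key generation, not binary patching: VerifyLicense still returns a single boolean, which the same xor eax,eax / inc eax / retn stub at the function entry would override, so code integrity is a separate concern.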
11. Keygen: first written in VB6, then redone with PYG's algorithm keygen generator; it can compute registration codes for several Joboshare programs. I only added the ones I tested myself; the others I have not written.
Tests as follows:
12. Download: I am only providing the keygen and its source. The PYG keygen was written while following tutorials and searching Baidu, so it is not well written; please bear with it.
--------------------------------------------------------------------------------
2015年12月01日 22:25:20
Here to support the OP's original work. Very detailed, a great algorithm master, thanks for posting this on your birthday!! So long, and catching the code takes real patience; a big, big thumbs up for your patience and the article!👍 Review: used all kinds of techniques for the cracking analysis and shows skilled use of this forum's tools; accepted as a first-class featured post! Great article, points added without hesitation! Anyone who can understand the algorithm and write a keygen is remarkable. The cracking tutorial is very detailed, thanks to the OP for sharing. NB, bump