GiliSoft Video Editor 7.4.0 Algorithm Analysis
This post was last edited by 东海浪子 on 2016-6-12 20:07. Because my schedule is irregular, I unfortunately could not join the 13th training round, so I have been studying on the forum on my own and working through the exercises when I have spare time. Since I cannot hand in homework in the trainee area, I am practicing here instead. I originally meant to patch the software's functions, but that felt tedious, so for the first time I had the patience to stick with analyzing the algorithm. Please forgive the shortcomings of this write-up.
【Title】GiliSoft Video Editor 7.4.0 Algorithm Analysis
【Author】东海浪子
【Author Email】
【Author Homepage】
【Tools】OD
【Platform】Virtual machine, WinXP SP3
【Software】Gilisoft Video Editor 7.4.0 video editing software
【Software Size】
【Original Download】http://gilisoft.com/product-video-cutter-joiner.htm
【Patch Tool】
【Audience】Beginners interested in cracking; experts please pass by
【Statement】This article is for research only, for enthusiasts of cracking techniques to study and discuss. If you like the software, please buy a licensed copy.
------------------------------------------------------------------------
【Process】1. Check the packer: Borland Delphi v6.0 - v7.0
2. Using the button-event script, the F12 pause-and-stack method, or a string search, it is easy to locate the registration call. We arrive at the following section:
004AC8CC/$55 push ebp
004AC8CD|.8BEC mov ebp,esp
004AC8CF|.B9 11000000 mov ecx,0x11
004AC8D4|>6A 00 /push 0x0
004AC8D6|.6A 00 |push 0x0
004AC8D8|.49 |dec ecx
004AC8D9|.^ 75 F9 \jnz short videoedi.004AC8D4
004AC8DB|.51 push ecx
004AC8DC|.53 push ebx
004AC8DD|.56 push esi
004AC8DE|.8BD8 mov ebx,eax ;msls31.74645000
004AC8E0|.8B35 B8974B00 mov esi,dword ptr ds: ;videoedi.004BD70C
004AC8E6|.33C0 xor eax,eax ;msls31.74645000
004AC8E8|.55 push ebp
004AC8E9|.68 56CF4A00 push videoedi.004ACF56
004AC8EE|.64:FF30 push dword ptr fs:
004AC8F1|.64:8920 mov dword ptr fs:,esp
004AC8F4|.8D55 E8 lea edx,
004AC8F7|.8B83 74030000 mov eax,dword ptr ds:
004AC8FD|.E8 B2D1F9FF call videoedi.00449AB4
004AC902|.8B45 E8 mov eax, ; entered email
004AC905|.8D55 F8 lea edx,
004AC908|.E8 53C8F5FF call videoedi.00409160
004AC90D|.837D F8 00 cmp ,0x0
004AC911|.75 50 jnz short videoedi.004AC963
004AC913|.6A 40 push 0x40
004AC915|.8D55 E4 lea edx,
004AC918|.A1 38964B00 mov eax,dword ptr ds:
004AC91D|.8B00 mov eax,dword ptr ds:
004AC91F|.E8 409BFBFF call videoedi.00466464
004AC924|.8B45 E4 mov eax, ;ntdll.7C93621B
004AC927|.E8 4485F5FF call videoedi.00404E70
004AC92C|.50 push eax ;msls31.74645000
004AC92D|.8D45 E0 lea eax,
004AC930|.50 push eax ;msls31.74645000
004AC931|.A1 C0934B00 mov eax,dword ptr ds:
004AC936|.8B00 mov eax,dword ptr ds:
004AC938|.B9 6CCF4A00 mov ecx,videoedi.004ACF6C ;strNoName
004AC93D|.8B93 C4030000 mov edx,dword ptr ds:
004AC943|.E8 AC89FFFF call videoedi.004A52F4
004AC948|.8B45 E0 mov eax, ;ntdll.7C935F8C
004AC94B|.E8 2085F5FF call videoedi.00404E70
004AC950|.50 push eax ;msls31.74645000
004AC951|.8BC3 mov eax,ebx
004AC953|.E8 944CFAFF call videoedi.004515EC
004AC958|.50 push eax ; |hOwner = 74645000
004AC959|.E8 62ACF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004AC95E|.E9 9E050000 jmp videoedi.004ACF01
004AC963|>833E 04 cmp dword ptr ds:,0x4
004AC966|.74 5C je short videoedi.004AC9C4
004AC968|.8B45 F8 mov eax, ;email moved into eax
004AC96B|.E8 A083FFFF call videoedi.004A4D10
004AC970|.85C0 test eax,eax ;msls31.74645000
004AC972|.75 50 jnz short videoedi.004AC9C4
004AC974|.6A 40 push 0x40
004AC976|.8D55 DC lea edx,
004AC979|.A1 38964B00 mov eax,dword ptr ds:
004AC97E|.8B00 mov eax,dword ptr ds:
004AC980|.E8 DF9AFBFF call videoedi.00466464
004AC985|.8B45 DC mov eax,
004AC988|.E8 E384F5FF call videoedi.00404E70
004AC98D|.50 push eax ;msls31.74645000
004AC98E|.8D45 D8 lea eax,
004AC991|.50 push eax ;msls31.74645000
004AC992|.A1 C0934B00 mov eax,dword ptr ds:
004AC997|.8B00 mov eax,dword ptr ds:
004AC999|.B9 80CF4A00 mov ecx,videoedi.004ACF80 ;strErrorEmail
004AC99E|.8B93 C4030000 mov edx,dword ptr ds:
004AC9A4|.E8 4B89FFFF call videoedi.004A52F4
004AC9A9|.8B45 D8 mov eax, ;ntdll.7C935F90
004AC9AC|.E8 BF84F5FF call videoedi.00404E70
004AC9B1|.50 push eax ;msls31.74645000
004AC9B2|.8BC3 mov eax,ebx
004AC9B4|.E8 334CFAFF call videoedi.004515EC
004AC9B9|.50 push eax ; |hOwner = 74645000
004AC9BA|.E8 01ACF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004AC9BF|.E9 3D050000 jmp videoedi.004ACF01
004AC9C4|>8D55 D4 lea edx,
004AC9C7|.8B83 70030000 mov eax,dword ptr ds:
004AC9CD|.E8 E2D0F9FF call videoedi.00449AB4
004AC9D2|.8B45 D4 mov eax, ;entered trial key
004AC9D5|.8D55 FC lea edx,
004AC9D8|.E8 83C7F5FF call videoedi.00409160
004AC9DD|.837D FC 00 cmp ,0x0 ;trial key is not null
004AC9E1|.75 50 jnz short videoedi.004ACA33
004AC9E3|.6A 40 push 0x40
004AC9E5|.8D55 D0 lea edx,
004AC9E8|.A1 38964B00 mov eax,dword ptr ds:
004AC9ED|.8B00 mov eax,dword ptr ds:
004AC9EF|.E8 709AFBFF call videoedi.00466464
004AC9F4|.8B45 D0 mov eax,
004AC9F7|.E8 7484F5FF call videoedi.00404E70
004AC9FC|.50 push eax ;msls31.74645000
004AC9FD|.8D45 CC lea eax,
004ACA00|.50 push eax ;msls31.74645000
004ACA01|.A1 C0934B00 mov eax,dword ptr ds:
004ACA06|.8B00 mov eax,dword ptr ds:
004ACA08|.B9 98CF4A00 mov ecx,videoedi.004ACF98 ;strNoKey
004ACA0D|.8B93 C4030000 mov edx,dword ptr ds:
004ACA13|.E8 DC88FFFF call videoedi.004A52F4
004ACA18|.8B45 CC mov eax,
004ACA1B|.E8 5084F5FF call videoedi.00404E70
004ACA20|.50 push eax ;msls31.74645000
004ACA21|.8BC3 mov eax,ebx
004ACA23|.E8 C44BFAFF call videoedi.004515EC
004ACA28|.50 push eax ; |hOwner = 74645000
004ACA29|.E8 92ABF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004ACA2E|.E9 CE040000 jmp videoedi.004ACF01
004ACA33|>833E 04 cmp dword ptr ds:,0x4
004ACA36|.75 0D jnz short videoedi.004ACA45
004ACA38|.8D45 FC lea eax,
004ACA3B|.BA ACCF4A00 mov edx,videoedi.004ACFAC ;-11111
004ACA40|.E8 3382F5FF call videoedi.00404C78
004ACA45|>8B45 FC mov eax, ;trial key moved into eax
004ACA48|.85C0 test eax,eax ;msls31.74645000
004ACA4A|.74 05 je short videoedi.004ACA51
004ACA4C|.83E8 04 sub eax,0x4
004ACA4F|.8B00 mov eax,dword ptr ds:
004ACA51|>83F8 23 cmp eax,0x23 ;compare key length with hex 23 (35)
004ACA54 74 50 je short videoedi.004ACAA6
004ACA56 6A 40 push 0x40
004ACA58 8D55 C8 lea edx,dword ptr ss:
004ACA5B|.A1 38964B00 mov eax,dword ptr ds:
004ACA60|.8B00 mov eax,dword ptr ds:
004ACA62|.E8 FD99FBFF call videoedi.00466464
004ACA67|.8B45 C8 mov eax,
004ACA6A|.E8 0184F5FF call videoedi.00404E70
004ACA6F|.50 push eax ;msls31.74645000
004ACA70|.8D45 C4 lea eax,
004ACA73|.50 push eax ;msls31.74645000
004ACA74|.A1 C0934B00 mov eax,dword ptr ds:
004ACA79|.8B00 mov eax,dword ptr ds:
004ACA7B|.B9 BCCF4A00 mov ecx,videoedi.004ACFBC ;strErrorKeyLength
004ACA80|.8B93 C4030000 mov edx,dword ptr ds:
004ACA86|.E8 6988FFFF call videoedi.004A52F4
004ACA8B|.8B45 C4 mov eax,
004ACA8E|.E8 DD83F5FF call videoedi.00404E70
004ACA93|.50 push eax ;msls31.74645000
004ACA94|.8BC3 mov eax,ebx
004ACA96|.E8 514BFAFF call videoedi.004515EC
004ACA9B|.50 push eax ; |hOwner = 74645000
004ACA9C|.E8 1FABF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004ACAA1|.E9 5B040000 jmp videoedi.004ACF01
004ACAA6|>8D45 F0 lea eax,
004ACAA9|.50 push eax ;msls31.74645000
004ACAAA|.B9 05000000 mov ecx,0x5
004ACAAF|.BA 0D000000 mov edx,0xD
004ACAB4|.8B45 FC mov eax,
004ACAB7|.E8 1484F5FF call videoedi.00404ED0
004ACABC|.33D2 xor edx,edx
004ACABE|.8B45 F0 mov eax, ;ntdll.7C93663D
004ACAC1|.E8 7EC9F5FF call videoedi.00409444
004ACAC6|.3B83 C8030000 cmp eax,dword ptr ds: ;compare the hex value of the 3rd key segment with 555b
004ACACC 0F84 A5000000 je videoedi.004ACB77 ;if equal, jump to success
004ACAD2|.8D45 C0 lea eax,
004ACAD5|.50 push eax ;msls31.74645000
004ACAD6|.A1 C0934B00 mov eax,dword ptr ds:
004ACADB|.8B00 mov eax,dword ptr ds:
004ACADD|.B9 D8CF4A00 mov ecx,videoedi.004ACFD8 ;strRegFailed
004ACAE2|.8B93 C4030000 mov edx,dword ptr ds:
004ACAE8|.E8 0788FFFF call videoedi.004A52F4
004ACAED|.FF75 C0 push
.................... part of the code omitted ............................
004ACD8A|.E8 31A8F5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004ACD8F|.E9 6D010000 jmp videoedi.004ACF01
004ACD94|>8B45 FC mov eax,
004ACD97|.E8 D480F5FF call videoedi.00404E70
004ACD9C|.50 push eax ;msls31.74645000
004ACD9D|.8B06 mov eax,dword ptr ds:
004ACD9F|.50 push eax ;msls31.74645000
004ACDA0|.E8 37C2FFFF call <jmp.&MagicSkin.MS_Regx> ; algorithm call
004ACDA5 85C0 test eax,eax ;msls31.74645000
004ACDA7 0F84 C4000000 je videoedi.004ACE71 ;jump to activation failed
004ACDAD|.8D45 94 lea eax,
004ACDB0|.50 push eax ;msls31.74645000
004ACDB1|.A1 C0934B00 mov eax,dword ptr ds:
004ACDB6|.8B00 mov eax,dword ptr ds:
004ACDB8|.B9 D0D04A00 mov ecx,videoedi.004AD0D0 ;strRegSuccess activation succeeded
004ACDBD|.8B93 C4030000 mov edx,dword ptr ds:
004ACDC3|.E8 2C85FFFF call videoedi.004A52F4
004ACDC8|.FF75 94 push ;ntdll.7C93540B
004ACDCB|.68 F0CF4A00 push videoedi.004ACFF0 ;\n
004ACDD0|.8D45 90 lea eax,
004ACDD3|.50 push eax ;msls31.74645000
004ACDD4|.8D45 8C lea eax,
004ACDD7|.50 push eax ;msls31.74645000
From this section we know the registration key is 35 characters long and has 6 segments, in the format XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX, and that the third segment is 21851. At 004ACDA0 we enter the algorithm call and arrive at the following section:
10003A99 >55 push ebp
10003A9A 8BEC mov ebp,esp
10003A9C 83EC 44 sub esp,0x44
10003A9F E8 C90C0000 call magicski.1000476D
10003AA4 50 push eax ; msls31.74645000
10003AA5 8D4D EC lea ecx,dword ptr ss:
10003AA8 E8 D70B0000 call <jmp.&MFC42.#??0AFX_MAINTAIN_STATE2>
10003AAD 8B45 0C mov eax,dword ptr ss:
10003AB0 50 push eax ; msls31.74645000
10003AB1 8D4D F4 lea ecx,dword ptr ss:
10003AB4 E8 D70B0000 call <jmp.&MFC42.#??0CString@@QAE@PBD@Z_>
10003AB9 8D4D F4 lea ecx,dword ptr ss:
10003ABC E8 2F070000 call magicski.100041F0
10003AC1 83F8 23 cmp eax,0x23
10003AC4 7D 1F jge short magicski.10003AE5
10003AC6 C745 D8 0000000>mov dword ptr ss:,0x0
10003ACD 8D4D F4 lea ecx,dword ptr ss:
10003AD0 E8 A90B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003AD5 8D4D EC lea ecx,dword ptr ss:
10003AD8 E8 63080000 call magicski.10004340
10003ADD 8B45 D8 mov eax,dword ptr ss: ; ntdll.7C935F90
10003AE0 E9 42010000 jmp magicski.10003C27
10003AE5 6A 05 push 0x5
10003AE7 6A 00 push 0x0
10003AE9 8D4D D4 lea ecx,dword ptr ss:
10003AEC 51 push ecx
10003AED 8D4D F4 lea ecx,dword ptr ss:
10003AF0 E8 950B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003AF5 8BC8 mov ecx,eax ; msls31.74645000
10003AF7 E8 34070000 call magicski.10004230
10003AFC 50 push eax ; msls31.74645000
10003AFD FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 1: convert the 1st key segment to a hex number
10003B03 83C4 04 add esp,0x4
10003B06 8945 FC mov dword ptr ss:,eax ; msls31.74645000
10003B09 8D4D D4 lea ecx,dword ptr ss:
10003B0C E8 6D0B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B11 6A 05 push 0x5
10003B13 6A 06 push 0x6
10003B15 8D55 D0 lea edx,dword ptr ss:
10003B18 52 push edx
10003B19 8D4D F4 lea ecx,dword ptr ss:
10003B1C E8 690B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003B21 8BC8 mov ecx,eax ; msls31.74645000
10003B23 E8 08070000 call magicski.10004230
10003B28 50 push eax ; msls31.74645000
10003B29 FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 2: convert the 2nd key segment to a hex number
10003B2F 83C4 04 add esp,0x4
10003B32 8945 F8 mov dword ptr ss:,eax ; msls31.74645000
10003B35 8D4D D0 lea ecx,dword ptr ss:
10003B38 E8 410B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B3D 6A 05 push 0x5
10003B3F 6A 0C push 0xC
10003B41 8D45 CC lea eax,dword ptr ss:
10003B44 50 push eax ; msls31.74645000
10003B45 8D4D F4 lea ecx,dword ptr ss:
10003B48 E8 3D0B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003B4D 8BC8 mov ecx,eax ; msls31.74645000
10003B4F E8 DC060000 call magicski.10004230
10003B54 50 push eax ; msls31.74645000
10003B55 >FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 3: convert the 3rd key segment to a hex number
10003B5B 83C4 04 add esp,0x4
10003B5E 8945 E4 mov dword ptr ss:,eax ; msls31.74645000
10003B61 8D4D CC lea ecx,dword ptr ss:
10003B64 E8 150B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B69 6A 05 push 0x5
10003B6B 6A 12 push 0x12
10003B6D 8D4D C8 lea ecx,dword ptr ss:
10003B70 51 push ecx
10003B71 8D4D F4 lea ecx,dword ptr ss:
10003B74 E8 110B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003B79 8BC8 mov ecx,eax ; msls31.74645000
10003B7B E8 B0060000 call magicski.10004230
10003B80 50 push eax ; msls31.74645000
10003B81 FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 4: convert the 4th key segment to a hex number
10003B87 83C4 04 add esp,0x4
10003B8A 8945 E0 mov dword ptr ss:,eax ; msls31.74645000
10003B8D 8D4D C8 lea ecx,dword ptr ss:
10003B90 E8 E90A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B95 6A 05 push 0x5
10003B97 6A 18 push 0x18
10003B99 8D55 C4 lea edx,dword ptr ss:
10003B9C 52 push edx
10003B9D 8D4D F4 lea ecx,dword ptr ss:
10003BA0 E8 E50A0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003BA5 8BC8 mov ecx,eax ; msls31.74645000
10003BA7 E8 84060000 call magicski.10004230
10003BAC 50 push eax ; msls31.74645000
10003BAD FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 5: convert the 5th key segment to a hex number
10003BB3 83C4 04 add esp,0x4
10003BB6 8945 E8 mov dword ptr ss:,eax ; msls31.74645000
10003BB9 8D4D C4 lea ecx,dword ptr ss:
10003BBC E8 BD0A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003BC1 6A 05 push 0x5
10003BC3 6A 1E push 0x1E
10003BC5 8D45 C0 lea eax,dword ptr ss:
10003BC8 50 push eax ; msls31.74645000
10003BC9 8D4D F4 lea ecx,dword ptr ss:
10003BCC E8 B90A0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003BD1 8BC8 mov ecx,eax ; msls31.74645000
10003BD3 E8 58060000 call magicski.10004230
10003BD8 50 push eax ; msls31.74645000
10003BD9 FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 6: convert the 6th key segment to a hex number
10003BDF 83C4 04 add esp,0x4
10003BE2 8945 DC mov dword ptr ss:,eax ; msls31.74645000
10003BE5 8D4D C0 lea ecx,dword ptr ss:
10003BE8 E8 910A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003BED 8B4D DC mov ecx,dword ptr ss:
10003BF0 51 push ecx
10003BF1 8B55 E8 mov edx,dword ptr ss:
10003BF4 52 push edx
10003BF5 8B45 E0 mov eax,dword ptr ss: ; ntdll.7C935F8C
10003BF8 50 push eax ; msls31.74645000
10003BF9 8B4D E4 mov ecx,dword ptr ss: ; ntdll.7C93621B
10003BFC 51 push ecx
10003BFD 8B55 F8 mov edx,dword ptr ss: ; ntdll.7C93639B
10003C00 52 push edx
10003C01 8B45 FC mov eax,dword ptr ss:
10003C04 50 push eax ; msls31.74645000
10003C05 8B4D 08 mov ecx,dword ptr ss:
10003C08 51 push ecx
10003C09 E8 D7FDFFFF call magicski.100039E5 ; algorithm call
10003C0E 83C4 1C add esp,0x1C
10003C11 8945 BC mov dword ptr ss:,eax ; msls31.74645000
10003C14 8D4D F4 lea ecx,dword ptr ss:
10003C17 E8 620A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003C1C 8D4D EC lea ecx,dword ptr ss:
10003C1F E8 1C070000 call magicski.10004340
10003C24 8B45 BC mov eax,dword ptr ss: ; ntdll.7C9357A1
10003C27 8BE5 mov esp,ebp
10003C29 5D pop ebp
10003C2A C2 0800 retn 0x8
In this section, six algorithm calls convert each key segment into a hex number. Then, at 10003C0E, we enter the next-level algorithm call and arrive at the following section:
100039E5 55 push ebp
100039E6 8BEC mov ebp,esp
100039E8 6A FF push -0x1
100039EA 68 204D0010 push magicski.10004D20
100039EF 64:A1 00000000mov eax,dword ptr fs:
100039F5 50 push eax ; msls31.74645000
100039F6 64:8925 0000000>mov dword ptr fs:,esp
100039FD 83EC 10 sub esp,0x10
10003A00 E8 680D0000 call magicski.1000476D
10003A05 50 push eax ; msls31.74645000
10003A06 8D4D E8 lea ecx,dword ptr ss:
10003A09 E8 760C0000 call <jmp.&MFC42.#??0AFX_MAINTAIN_STATE2>
10003A0E C745 FC 0000000>mov dword ptr ss:,0x0
10003A15 8B45 20 mov eax,dword ptr ss:
10003A18 50 push eax ; msls31.74645000
10003A19 8B4D 1C mov ecx,dword ptr ss: ; ntdll.7C9355CD
10003A1C 51 push ecx
10003A1D 8B55 18 mov edx,dword ptr ss:
10003A20 52 push edx
10003A21 8B45 14 mov eax,dword ptr ss:
10003A24 50 push eax ; msls31.74645000
10003A25 8B4D 10 mov ecx,dword ptr ss:
10003A28 51 push ecx
10003A29 8B55 0C mov edx,dword ptr ss:
10003A2C 52 push edx
10003A2D 8B45 08 mov eax,dword ptr ss:
10003A30 50 push eax ; msls31.74645000
10003A31 68 02000080 push 0x80000002
10003A36 E8 62F3FFFF call magicski.10002D9D
10003A3B 83C4 20 add esp,0x20
10003A3E 8945 F0 mov dword ptr ss:,eax ; msls31.74645000
10003A41 837D F0 00 cmp dword ptr ss:,0x0
10003A45 75 2C jnz short magicski.10003A73
10003A47 8B4D 20 mov ecx,dword ptr ss:
10003A4A 51 push ecx
10003A4B 8B55 1C mov edx,dword ptr ss: ; ntdll.7C9355CD
10003A4E 52 push edx
10003A4F 8B45 18 mov eax,dword ptr ss:
10003A52 50 push eax ; msls31.74645000
10003A53 8B4D 14 mov ecx,dword ptr ss:
10003A56 51 push ecx
10003A57 8B55 10 mov edx,dword ptr ss:
10003A5A 52 push edx
10003A5B 8B45 0C mov eax,dword ptr ss:
10003A5E 50 push eax ; msls31.74645000
10003A5F 8B4D 08 mov ecx,dword ptr ss:
10003A62 51 push ecx
10003A63 68 01000080 push 0x80000001
10003A68 E8 30F3FFFF call magicski.10002D9D ; algorithm CALL
10003A6D 83C4 20 add esp,0x20
10003A70 8945 F0 mov dword ptr ss:,eax ; msls31.74645000
10003A73 8B55 F0 mov edx,dword ptr ss: ; ntdll.7C93663D
10003A76 8955 E4 mov dword ptr ss:,edx
10003A79 C745 FC FFFFFFF>mov dword ptr ss:,-0x1
10003A80 8D4D E8 lea ecx,dword ptr ss:
10003A83 E8 B8080000 call magicski.10004340
10003A88 8B45 E4 mov eax,dword ptr ss: ; ntdll.7C93621B
10003A8B 8B4D F4 mov ecx,dword ptr ss: ; ntdll.7C99B178
10003A8E 64:890D 0000000>mov dword ptr fs:,ecx
10003A95 8BE5 mov esp,ebp
10003A97 5D pop ebp
10003A98 C3 retn
In this section each segment's hex value is stored at its own address, and at 10003A68 we enter the next-level algorithm call, arriving at the following section:
10002D9D 55 push ebp
10002D9E 8BEC mov ebp,esp
10002DA0 6A FF push -0x1
10002DA2 68 0D4D0010 push magicski.10004D0D
10002DA7 64:A1 00000000mov eax,dword ptr fs:
10002DAD 50 push eax ; msls31.74645000
10002DAE 64:8925 0000000>mov dword ptr fs:,esp
10002DB5 81EC C4000000 sub esp,0xC4
10002DBB E8 AD190000 call magicski.1000476D
10002DC0 50 push eax ; msls31.74645000
10002DC1 8D4D E0 lea ecx,dword ptr ss:
10002DC4 E8 BB180000 call <jmp.&MFC42.#??0AFX_MAINTAIN_STATE2>
10002DC9 C745 FC 0000000>mov dword ptr ss:,0x0
10002DD0 8B45 0C mov eax,dword ptr ss:
10002DD3 50 push eax ; msls31.74645000
10002DD4 E8 D3120000 call magicski.100040AC
10002DD9 83C4 04 add esp,0x4
10002DDC 8945 D4 mov dword ptr ss:,eax ; msls31.74645000
10002DDF C745 E8 0000000>mov dword ptr ss:,0x0
10002DE6 8B45 14 mov eax,dword ptr ss: ; 2nd key segment into eax
10002DE9 0345 D4 add eax,dword ptr ss: ; ntdll.7C92E900 ; 2nd key segment + constant c3bc
10002DEC 33D2 xor edx,edx ; clear edx
10002DEE B9 9F860100 mov ecx,0x1869F ; 1869f into ecx
10002DF3 F7F1 div ecx ; divide by ecx
10002DF5 3955 1C cmp dword ptr ss:,edx ; remainder = 4th key segment
10002DF8 75 18 jnz short magicski.10002E12
10002DFA 8B45 10 mov eax,dword ptr ss: ; 1st key segment into eax
10002DFD 0345 D4 add eax,dword ptr ss: ; ntdll.7C92E900 ; 1st key segment + constant c3bc
10002E00 33D2 xor edx,edx ; clear edx
10002E02 B9 9F860100 mov ecx,0x1869F ; 1869f into ecx
10002E07 F7F1 div ecx ; divide by ecx
10002E09 3955 20 cmp dword ptr ss:,edx ; remainder = 5th key segment
10002E0C 0F84 DB080000 je magicski.100036ED
10002E12 837D 0C 00 cmp dword ptr ss:,0x0
10002E16 0F85 D5000000 jnz magicski.10002EF1
10002E1C 817D 18 4555000>cmp dword ptr ss:,0x5545
10002E23 0F85 C8000000 jnz magicski.10002EF1
10002E29 8D4D D0 lea ecx,dword ptr ss:
10002E2C E8 6B180000 call <jmp.&MFC42.#??0CString@@QAE@XZ_540>
【Summary】
From this analysis we know the key algorithm is very simple: the remainder of (segment 1 + constant c3bc) / 1869F = segment 5, the remainder of (segment 2 + constant c3bc) / 1869F = segment 4, segment 3 is 555b (21851), and segment 6 takes no part in the computation. The email is not involved either. A calculator is enough to produce a key: X-Y-21851-(Y+50108)-(X+50108)-Z, or X-Y-21851-(Y+50108-99999)-(X+50108-99999)-Z, where X, Y and Z are any 5-digit numbers and X may equal Y. A working key: 11111-22222-21851-72330-61219-55555. I know nothing about programming, so I cobbled together an EPL (易语言) keygen source:
.计次循环首 (5, n)
注册码1 = 注册码1 + 到文本 (取随机数 (0, 9))
.计次循环尾 ()
.计次循环首 (5, n)
注册码2 = 注册码2 + 到文本 (取随机数 (0, 9))
.计次循环尾 ()
.计次循环首 (5, n)
注册码6 = 注册码6 + 到文本 (取随机数 (0, 9))
.计次循环尾 ()
注册码4 = 到文本 ((到整数 (注册码2) + 50108) % 99999)
注册码5 = 到文本 ((到整数 (注册码1) + 50108) % 99999)
注册码3 = “21851”
结果 = 注册码1 + “-” + 注册码2 + “-” + 注册码3 + “-” + 注册码4 + “-” + 注册码5 + “-” + 注册码6
编辑框1.内容 = 到文本 (结果)
I hope some expert can share the source of a proper algorithm keygen so this newbie can learn from it.
Test it a lot; there are pitfalls waiting for you~~~
A keygen is easy to write, but 72330 = 11A8A, which contradicts "each key segment converted to a four-digit hex number". So your algorithm analysis is not clear.
tree_fly posted on 2016-5-16 22:58
Test it a lot; there are pitfalls waiting for you~~~
Ah, there are hidden traps too? I only tested the trim function: no watermark, the trial limit gone, the registration info not deleted after a restart, and no registration popup when clicking "About" and the other buttons, so I assumed it had worked. I'll test more tomorrow.
DaShanRen posted on 2016-5-16 23:03
A keygen is easy to write, but 72330=11A8A, which contradicts "each key segment converted to a four-digit hex number". So your algorithm analysis is not ...
Oh, thanks for the correction. I wrote that wrong just now. When testing I used 11111-22222-21851-33333-44444-55555, which all convert to 4 hex digits, so my brain hadn't caught up yet. I'll go and correct it.
cmp eax,dword ptr ds: this is where I got stuck; I just did mov eax,dword ptr ds:
and the rest was also correct, I simply didn't go and trace the algorithm.
004ACDA0|.E8 37C2FFFF call <jmp.&MagicSkin.MS_Regx> ;
004ACDA5 85C0 test eax,eax ;msls31.74645000
004ACDA7 0F84 C4000000 je videoedi.004ACE71 ;jump to activation failed
004ACDAD|.8D45 94 lea eax,
004ACDB0|.50 push eax ;msls31.74645000
004ACDB1|.A1 C0934B00 mov eax,dword ptr ds:
004ACDB6|.8B00 mov eax,dword ptr ds:
004ACDB8|.B9 D0D04A00 mov ecx,videoedi.004AD0D0 ;strRegSuccess activation succeeded
So complicated, a newbie can't follow it.
As long as you are not wrong, this works for me:
Private Sub Command1_Click()
Dim SN As String, Ltmp As Long
Ltmp = Int(39891 * Rnd + 10000)
SN = Ltmp & "-" & 21851 & "-" & Ltmp + 50108
Ltmp = Int(39891 * Rnd + 10000)
SN = Ltmp & "-" & SN & "-" & Ltmp + 50108
Ltmp = Int(89999 * Rnd + 10000)
SN = SN & "-" & Ltmp
Text1 = SN
End Sub
Try using 99999 for both the first and the second segment and see what happens.
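The check summarized in the post above, re-implemented as an added Python example (not the program's code, and not from any participant in this thread) to make the weakness concrete: nothing in the check depends on the email or on any secret, so anyone who reads the constants can verify or derive a key. The function names are mine; the length, segment offsets and constants are the ones the post recovered, and only the branch the post explains is modelled.

```python
import re

# Constants recovered in the post: 0x23 = 35 characters, third segment 0x555B,
# additive constant 0xC3BC and modulus 0x1869F in the MS_Regx check.
KEY_LEN = 0x23
SEG3_EXPECTED = 0x555B
ADD_CONST = 0xC3BC
MODULUS = 0x1869F
# MS_Regx takes each segment with Mid(offset, 5): offsets 0, 6, 12, 18, 24, 30.
SEG_OFFSETS = (0, 6, 12, 18, 24, 30)


def atoi(text: str) -> int:
    """Mimic MSVCRT atoi: leading whitespace, optional sign, digits; else 0."""
    m = re.match(r"\s*[+-]?\d+", text)
    return int(m.group()) if m else 0


def split_segments(key: str) -> list[int]:
    """Cut the six 5-character segments at fixed offsets and convert with atoi."""
    return [atoi(key[off:off + 5]) for off in SEG_OFFSETS]


def validate_key(key: str) -> bool:
    """True when the key would pass the checks the post traced (explained branch only)."""
    # Delphi side: total length must be exactly 35 characters.
    if len(key) != KEY_LEN:
        return False
    seg = split_segments(key)
    # Delphi side: third segment must equal 0x555B (21851).
    if seg[2] != SEG3_EXPECTED:
        return False
    # MS_Regx side: (seg2 + 0xC3BC) mod 0x1869F == seg4, then the same for seg1/seg5.
    if (seg[1] + ADD_CONST) % MODULUS != seg[3]:
        return False
    if (seg[0] + ADD_CONST) % MODULUS != seg[4]:
        return False
    # Segment 6 and the email are never used: the check is a bare arithmetic
    # relation with no licensee binding, which is why it is so easy to invert.
    return True


if __name__ == "__main__":
    # Constructed inputs: the working key from the post, then the author's first
    # test key, which fails the modular relation.
    for k in ("11111-22222-21851-72330-61219-55555",
              "11111-22222-21851-33333-44444-55555"):
        print(k, validate_key(k))
```

A stronger design would bind the key to the licensee (email, machine) with a signature or keyed MAC, so that reading the verifier no longer reveals how to produce a valid key.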