- UID
- 34440
注册时间2007-8-16
阅读权限40
最后登录1970-1-1
独步武林
 
该用户从未签到
|
【破文标题】 Leo MP4 Video Covnerter 1.40 简单算法分析
【破文作者】杨家将
【破解工具】PEiD,OD
【破解平台】Windows XP SP3
【原版下载】http://www.onlinedown.net/soft/61354.htm
【软件简介】Leo MP4 Video Converter是一款视频转换软件,他支持DivX, XviD, MOV, MPEG-4,MPEG, WMV, H.263,AVI,WMV,ASF 转换成MP4的格式。简单的界面使用起来非常的方便快捷
【破解内容】
一、PEiD查壳,无壳, Borland Delphi 6.0 - 7.0。
二、运行程序,输入注册信息, 提示错误。 error registrion code!
三、OD载入,超找字符串:error registrion code!,回到
00502934 |. 55 push ebp ; //F2下断点
00502935 |. 68 2E2A5000 push leoMP4Vi.00502A2E
0050293A |. 64:FF30 push dword ptr fs:[eax]
0050293D |. 64:8920 mov dword ptr fs:[eax],esp
00502940 |. A1 9C205100 mov eax,dword ptr ds:[51209C]
00502945 |. 8B00 mov eax,dword ptr ds:[eax]
00502947 |. 8B48 10 mov ecx,dword ptr ds:[eax+10]
0050294A |. B2 01 mov dl,1
0050294C |. A1 74CE4300 mov eax,dword ptr ds:[43CE74]
00502951 |. E8 CEA5F3FF call leoMP4Vi.0043CF24
00502956 |. 8BF0 mov esi,eax
00502958 |. 8D55 F4 lea edx,[local.3]
0050295B |. 8B83 08030000 mov eax,dword ptr ds:[ebx+308]
00502961 |. E8 4A20F6FF call leoMP4Vi.004649B0 ; //取用户名长度
00502966 |. 8B45 F4 mov eax,[local.3] ; //用户名到EAX
00502969 |. 8D55 FC lea edx,[local.1]
0050296C |. E8 1F60F0FF call leoMP4Vi.00408990
00502971 |. 8D55 F0 lea edx,[local.4]
00502974 |. 8B83 0C030000 mov eax,dword ptr ds:[ebx+30C]
0050297A |. E8 3120F6FF call leoMP4Vi.004649B0 ; //取注册码长度
0050297F |. 8B45 F0 mov eax,[local.4] ; //注册码到EAX
00502982 |. 8D55 F8 lea edx,[local.2]
00502985 |. E8 0660F0FF call leoMP4Vi.00408990
0050298A |. 8B4D F8 mov ecx,[local.2] ; //注册码到ECX
0050298D |. 8B55 FC mov edx,[local.1] ; //用户名到EDX
00502990 |. 8BC3 mov eax,ebx
00502992 |. E8 B5FDFFFF call leoMP4Vi.0050274C ; //关键CALL,F7进去
00502997 |. 84C0 test al,al ; //标志位比较
00502999 |. 74 4F je short leoMP4Vi.005029EA ; //关键跳,这个不能跳
0050299B |. 8B45 FC mov eax,[local.1]
0050299E |. 50 push eax
0050299F |. B9 442A5000 mov ecx,leoMP4Vi.00502A44 ; name
005029A4 |. BA 542A5000 mov edx,leoMP4Vi.00502A54 ; settings
005029A9 |. 8BC6 mov eax,esi
005029AB |. 8B38 mov edi,dword ptr ds:[eax]
005029AD |. FF57 04 call dword ptr ds:[edi+4]
005029B0 |. 8B45 F8 mov eax,[local.2]
005029B3 |. 50 push eax
005029B4 |. B9 682A5000 mov ecx,leoMP4Vi.00502A68 ; code
005029B9 |. BA 542A5000 mov edx,leoMP4Vi.00502A54 ; settings
005029BE |. 8BC6 mov eax,esi
005029C0 |. 8B38 mov edi,dword ptr ds:[eax]
005029C2 |. FF57 04 call dword ptr ds:[edi+4]
005029C5 |. 6A 00 push 0 ; /Arg1 = 00000000
005029C7 |. 66:8B0D 702A5>mov cx,word ptr ds:[502A70] ; |
005029CE |. B2 02 mov dl,2 ; |
005029D0 |. B8 7C2A5000 mov eax,leoMP4Vi.00502A7C ; |register successfully!
005029D5 |. E8 D645F3FF call leoMP4Vi.00436FB0 ; \leoMP4Vi.00436FB0
005029DA |. 8BC6 mov eax,esi
005029DC |. E8 C70AF0FF call leoMP4Vi.004034A8
005029E1 |. 8BC3 mov eax,ebx
005029E3 |. E8 58E9F7FF call leoMP4Vi.00481340
005029E8 |. EB 1C jmp short leoMP4Vi.00502A06
005029EA |> 6A 00 push 0 ; /Arg1 = 00000000
005029EC |. 66:8B0D 702A5>mov cx,word ptr ds:[502A70] ; |
005029F3 |. B2 02 mov dl,2 ; |
005029F5 |. B8 9C2A5000 mov eax,leoMP4Vi.00502A9C ; |error registrion code!
005029FA |. E8 B145F3FF call leoMP4Vi.00436FB0 ; \leoMP4Vi.00436FB0
005029FF |. 8BC6 mov eax,esi
00502A01 |. E8 A20AF0FF call leoMP4Vi.004034A8
00502A06 |> 33C0 xor eax,eax
00502A08 |. 5A pop edx
00502A09 |. 59 pop ecx
00502A0A |. 59 pop ecx
00502A0B |. 64:8910 mov dword ptr fs:[eax],edx
00502A0E |. 68 352A5000 push leoMP4Vi.00502A35
00502A13 |> 8D45 F0 lea eax,[local.4]
00502A16 |. BA 02000000 mov edx,2
00502A1B |. E8 E018F0FF call leoMP4Vi.00404300
00502A20 |. 8D45 F8 lea eax,[local.2]
00502A23 |. BA 02000000 mov edx,2
00502A28 |. E8 D318F0FF call leoMP4Vi.00404300
00502A2D \. C3 retn
================================================
0050274C /$ 55 push ebp
0050274D |. 8BEC mov ebp,esp
0050274F |. 83C4 E4 add esp,-1C
00502752 |. 53 push ebx
00502753 |. 56 push esi
00502754 |. 33DB xor ebx,ebx ; //EBX清零
00502756 |. 895D E4 mov [local.7],ebx
00502759 |. 895D E8 mov [local.6],ebx
0050275C |. 895D EC mov [local.5],ebx
0050275F |. 894D FC mov [local.1],ecx ; //注册码到EAX
00502762 |. 8BDA mov ebx,edx ; //用户名到EBX
00502764 |. 33C0 xor eax,eax ; //EAX清零
00502766 |. 55 push ebp
00502767 |. 68 22285000 push leoMP4Vi.00502822
0050276C |. 64:FF30 push dword ptr fs:[eax]
0050276F |. 64:8920 mov dword ptr fs:[eax],esp
00502772 |. 8D55 EC lea edx,[local.5]
00502775 |. 8BC3 mov eax,ebx ; //用户名给EAX
00502777 |. E8 1462F0FF call leoMP4Vi.00408990
0050277C |. 8B45 EC mov eax,[local.5] ; //用户名到EAX
0050277F |. E8 181EF0FF call leoMP4Vi.0040459C
00502784 |. 85C0 test eax,eax ; //比较EAX是否为零
00502786 |. 7E 7F jle short leoMP4Vi.00502807 ; //小于或等于零测跳
00502788 |. 8D55 E8 lea edx,[local.6]
0050278B |. 8B45 FC mov eax,[local.1] ; //注册码到EAX
0050278E |. E8 FD61F0FF call leoMP4Vi.00408990
00502793 |. 8B45 E8 mov eax,[local.6]
00502796 |. E8 011EF0FF call leoMP4Vi.0040459C ; //取注册码长度
0050279B |. 85C0 test eax,eax ; //比较注册码长度是否为零
0050279D |. 7E 68 jle short leoMP4Vi.00502807 ; //小于或等于零测跳
0050279F |. 33F6 xor esi,esi ; //ESI清零
005027A1 |. 8BC3 mov eax,ebx
005027A3 |. E8 F41DF0FF call leoMP4Vi.0040459C ; //取用户名长度
005027A8 |. 85C0 test eax,eax ; //比较用户名长度是否为零
005027AA |. 7E 11 jle short leoMP4Vi.005027BD ; //小于或等于零测跳
005027AC |. BA 01000000 mov edx,1 ; //EDX=1
005027B1 |> 33C9 /xor ecx,ecx ; //ECX清零
005027B3 |. 8A4C13 FF |mov cl,byte ptr ds:[ebx+edx-1] ; //取用户名ASCII值
005027B7 |. 03F1 |add esi,ecx ; //ESI=ESI+ECX
005027B9 |. 42 |inc edx ; //EDX+1
005027BA |. 48 |dec eax ; //EAX-1
005027BB |.^ 75 F4 \jnz short leoMP4Vi.005027B1 ; //这里循环累加用户名ASCII
005027BD |> 69C6 47F90800 imul eax,esi,8F947 ; //EAX=ESI*8F947
005027C3 |. 05 4D178600 add eax,86174D ; //EAX=EAX+86174D
005027C8 |. 99 cdq ; //EDX清零
005027C9 |. 8945 F0 mov [local.4],eax ; //把计算结果到EAX
005027CC |. 8955 F4 mov [local.3],edx
005027CF |. 8B45 FC mov eax,[local.1] ; //假码到EAX
005027D2 |. E8 C51DF0FF call leoMP4Vi.0040459C ; //取假码长度
005027D7 |. 83F8 13 cmp eax,13 ; //假码长度和13比较
005027DA |. 7F 27 jg short leoMP4Vi.00502803 ; //大于13测跳
005027DC |. FF75 F4 push [local.3] ; ///
005027DF |. FF75 F0 push [local.4] ; |//压入刚才计算的结果
005027E2 |. 8D45 E4 lea eax,[local.7] ; |
005027E5 |. E8 FA64F0FF call leoMP4Vi.00408CE4 ; \//把计算结果转为10进制
005027EA |. 8B55 E4 mov edx,[local.7] ; //真码到EDX
005027ED |. 8B45 FC mov eax,[local.1] ; //假码到EAX
005027F0 |. E8 F31EF0FF call leoMP4Vi.004046E8 ; //真假比较,可做内存注册机
005027F5 |. 75 06 jnz short leoMP4Vi.005027FD ; //爆破点
005027F7 |. C645 FB 01 mov byte ptr ss:[ebp-5],1
005027FB |. EB 0A jmp short leoMP4Vi.00502807
005027FD |> C645 FB 00 mov byte ptr ss:[ebp-5],0
00502801 |. EB 04 jmp short leoMP4Vi.00502807
00502803 |> C645 FB 00 mov byte ptr ss:[ebp-5],0
00502807 |> 33C0 xor eax,eax
00502809 |. 5A pop edx
0050280A |. 59 pop ecx
0050280B |. 59 pop ecx
0050280C |. 64:8910 mov dword ptr fs:[eax],edx
0050280F |. 68 29285000 push leoMP4Vi.00502829
00502814 |> 8D45 E4 lea eax,[local.7]
00502817 |. BA 03000000 mov edx,3
0050281C |. E8 DF1AF0FF call leoMP4Vi.00404300
00502821 \. C3 retn
=====================================================
【总结】首先逐位取用户名的ASCII值,再乘以8F947,结果再加上86174D,最后得到的就是注册码。
注册信息保存在软件安装目下的leoMP4videoconverter.ini中。
用户名:yangjiajang 注册码:749797569 |
-
-
keygen.rar
936.06 KB, 下载次数: 9, 下载积分: 飘云币 -2 枚
算法注册机
|
IP卡
发表于 2009-6-6 11:44:42
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-6-6 17:49:25
发表于 2009-6-9 16:41:00
发表于 2009-6-9 21:18:39
