【Title】: Algorithm analysis of Shine PPT To Video Converter version 2.0.0
【Author】: 老万
【Author's homepage】: None
【Author's QQ】: 1229097686
【Software name】: Shine PPT To Video Converter version 2.0.0
【Download URL】: http://www.audiotoolsfactory.com/ppt-video.html
【Tools used】: OD, PEiD
【Platform】: XP SP3
【Software description】:
Help You Convert PowerPoint Presentations to AVI, MPEG, WMV, etc. Video Formats
Shine PPT to Video Converter is the best choice for converting PowerPoint to Video. Just only few clicks, you can convert the
PowerPoint presentations(PPT) to various video formats such as AVI, MPEG, WMV, MP4, MOV, FLV, 3GP, etc..
Convert with High quality and Screaming Speed
With Shine PPT Converter, you can convert your PPT to Video with high quality and screaming speed. When the conversion is
completed, it can automatically shut down your PC, and you can view the PowerPoint presentations like a movie
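【Author's statement】: Done purely out of interest, with no other purpose. If I have made mistakes, corrections are welcome!
Packer check: Borland Delphi 6.0 - 7.0, not packed.
Program flow: when the software starts, a window asks for registration. Enter a fake registration code and click the Register button, and an error message appears.
Cracking process:
Load the program in OD and press F9 to run it. Enter the user name laowan and the fake registration code 123456789, then click the Register button; the error message appears. Press F12, click the K button, and look at the call stack:
Call stack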
地址 堆栈 函数例程 / 参数 调用来自 框架
0012F348 77D19418 包含 ntdll.KiFastSystemCallRet user32.77D19416 0012F378
0012F34C 00488C65 <JMP.&user32.WaitMessage> Shine_PP.00488C60 0012F378
0012F37C 004882AC ? Shine_PP.00488B70 Shine_PP.004882A7 0012F378
0012F3A0 00485026 Shine_PP.00488290 Shine_PP.00485021 0012F3FC
Double-click the 0012F3A0 row and look at the stack:
0012F444 |004B3BCB 返回到 Shine_PP.004B3BCB 来自 Shine_PP.0043737C ; right-click this entry and choose Follow in Disassembler
0012F448 |00000000
0012F44C |0012F4A4 指针到下一个 SEH 记录
0012F450 |004B3C0B SE 句柄
0012F454 |0012F49C
0012F458 |00FD57D0
0012F45C |00FE27C0 ASCII "Invalid register code! Please retry!"
0012F460 |00000000
0012F464 |00000000
0012F468 |00000000
0012F46C |00FE26DC ASCII "123456789"
0012F470 |00FE26AC ASCII "123456789"
0012F474 |00FD1ABC ASCII "laowan"
0012F478 |00FD84AC ASCII "laowan"
0012F47C |F3F9C3B2
This leads to the following location:
004B3BCB |> \33C0 XOR EAX,EAX
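Scroll up to the start of the procedure and set a breakpoint with F2. Reload, press F9 to run, enter the user name laowan and the fake registration code 123456789, and click the Register button. Once the breakpoint hits, single-step downward with F8: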
004B395C /$ 55 PUSH EBP
004B395D |. 8BEC MOV EBP,ESP
004B395F |. B9 08000000 MOV ECX,8
004B3964 |> 6A 00 /PUSH 0
004B3966 |. 6A 00 |PUSH 0
004B3968 |. 49 |DEC ECX
004B3969 |.^ 75 F9 \JNZ SHORT Shine_PP.004B3964
004B396B |. 53 PUSH EBX
004B396C |. 8BD8 MOV EBX,EAX
004B396E |. 33C0 XOR EAX,EAX
004B3970 |. 55 PUSH EBP
004B3971 |. 68 0B3C4B00 PUSH Shine_PP.004B3C0B
004B3976 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B3979 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B397C |. C605 445E5000>MOV BYTE PTR DS:[505E44],1
004B3983 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004B3986 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004B398C |. E8 B349FBFF CALL Shine_PP.00468344
004B3991 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004B3994 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B3997 |. E8 2857F5FF CALL Shine_PP.004090C4
004B399C |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004B399F |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B39A2 |. E8 5157F5FF CALL Shine_PP.004090F8
004B39A7 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28] ; user name
004B39AA |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004B39AD |. E8 0E10F5FF CALL Shine_PP.004049C0
004B39B2 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004B39B5 |. 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
004B39BB |. E8 8449FBFF CALL Shine_PP.00468344
004B39C0 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B39C3 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004B39C6 |. E8 F956F5FF CALL Shine_PP.004090C4
004B39CB |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004B39CE |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; fake registration code
004B39D1 |. E8 2257F5FF CALL Shine_PP.004090F8
004B39D6 |. 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
004B39D9 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B39DC |. E8 DF0FF5FF CALL Shine_PP.004049C0
004B39E1 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 ; check whether the user name is empty
004B39E5 |. 74 06 JE SHORT Shine_PP.004B39ED
004B39E7 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C],0 ; check whether the registration code is empty
004B39EB |. 75 2C JNZ SHORT Shine_PP.004B3A19
004B39ED |> 6A 00 PUSH 0
004B39EF |. 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004B39F2 |. A1 7C4A5000 MOV EAX,DWORD PTR DS:[504A7C]
004B39F7 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B39F9 |. BA 23000000 MOV EDX,23
004B39FE |. E8 45B40400 CALL Shine_PP.004FEE48
004B3A03 |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; |
004B3A06 |. 66:8B0D 183C4>MOV CX,WORD PTR DS:[4B3C18] ; |
004B3A0D |. B2 02 MOV DL,2 ; |
004B3A0F |. E8 6839F8FF CALL Shine_PP.0043737C ; \Shine_PP.0043737C
004B3A14 |. E9 B2010000 JMP Shine_PP.004B3BCB
004B3A19 |> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B3A1C |. E8 C711F5FF CALL Shine_PP.00404BE8 ; compute the length
004B3A21 |. 8BC8 MOV ECX,EAX
004B3A23 |. 85C9 TEST ECX,ECX
004B3A25 |. 7E 47 JLE SHORT Shine_PP.004B3A6E
004B3A27 |. B8 01000000 MOV EAX,1
004B3A2C |> 8B55 F4 /MOV EDX,DWORD PTR SS:[EBP-C] ; this loop checks that the registration code consists of digits only
004B3A2F |. 0FB65402 FF |MOVZX EDX,BYTE PTR DS:[EDX+EAX-1]
004B3A34 |. 83FA 30 |CMP EDX,30
004B3A37 |. 7C 05 |JL SHORT Shine_PP.004B3A3E
004B3A39 |. 83FA 39 |CMP EDX,39
004B3A3C |. 7E 2C |JLE SHORT Shine_PP.004B3A6A
004B3A3E |> 6A 00 |PUSH 0
004B3A40 |. 8D4D C8 |LEA ECX,DWORD PTR SS:[EBP-38]
004B3A43 |. A1 7C4A5000 |MOV EAX,DWORD PTR DS:[504A7C]
004B3A48 |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
004B3A4A |. BA 23000000 |MOV EDX,23
004B3A4F |. E8 F4B30400 |CALL Shine_PP.004FEE48
004B3A54 |. 8B45 C8 |MOV EAX,DWORD PTR SS:[EBP-38] ; |
004B3A57 |. 66:8B0D 183C4>|MOV CX,WORD PTR DS:[4B3C18] ; |
004B3A5E |. B2 02 |MOV DL,2 ; |
004B3A60 |. E8 1739F8FF |CALL Shine_PP.0043737C ; \Shine_PP.0043737C
004B3A65 |. E9 61010000 |JMP Shine_PP.004B3BCB
004B3A6A |> 40 |INC EAX
004B3A6B |. 49 |DEC ECX
004B3A6C |.^ 75 BE \JNZ SHORT Shine_PP.004B3A2C
004B3A6E |> C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0
004B3A75 |. C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
004B3A7C |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; load the user name into EAX
004B3A7F |. E8 6411F5FF CALL Shine_PP.00404BE8 ; compute the length
004B3A84 |. 8BC8 MOV ECX,EAX
004B3A86 |. 85C9 TEST ECX,ECX
004B3A88 |. 7E 1E JLE SHORT Shine_PP.004B3AA8
004B3A8A |. BB 01000000 MOV EBX,1
004B3A8F |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8]
004B3A92 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
004B3A97 |. 99 |CDQ
004B3A98 |. 0345 E0 |ADD EAX,DWORD PTR SS:[EBP-20] ; this loop sums the ASCII codes of the user name and stores the total in [EBP-20]
004B3A9B |. 1355 E4 |ADC EDX,DWORD PTR SS:[EBP-1C]
004B3A9E |. 8945 E0 |MOV DWORD PTR SS:[EBP-20],EAX
004B3AA1 |. 8955 E4 |MOV DWORD PTR SS:[EBP-1C],EDX
004B3AA4 |. 43 |INC EBX
004B3AA5 |. 49 |DEC ECX
004B3AA6 |.^ 75 E7 \JNZ SHORT Shine_PP.004B3A8F
004B3AA8 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B3AAB |. 50 PUSH EAX
004B3AAC |. A1 7C4E5000 MOV EAX,DWORD PTR DS:[504E7C]
004B3AB1 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; "Shine PPT To Video Converter.exe"
004B3AB3 |. E8 3011F5FF CALL Shine_PP.00404BE8 ; compute the length
004B3AB8 |. 8BC8 MOV ECX,EAX
004B3ABA |. 83E9 04 SUB ECX,4
004B3ABD |. A1 7C4E5000 MOV EAX,DWORD PTR DS:[504E7C]
004B3AC2 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B3AC4 |. BA 01000000 MOV EDX,1
004B3AC9 |. E8 7A13F5FF CALL Shine_PP.00404E48
004B3ACE |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
004B3AD5 |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
004B3ADC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B3ADF |. E8 0411F5FF CALL Shine_PP.00404BE8 ; compute the length
004B3AE4 |. 8BC8 MOV ECX,EAX
004B3AE6 |. 85C9 TEST ECX,ECX
004B3AE8 |. 7E 1E JLE SHORT Shine_PP.004B3B08
004B3AEA |. BB 01000000 MOV EBX,1
004B3AEF |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; this loop sums the ASCII codes of "Shine PPT To Video Converter"
004B3AF2 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
004B3AF7 |. 99 |CDQ
004B3AF8 |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
004B3AFB |. 1355 EC |ADC EDX,DWORD PTR SS:[EBP-14]
004B3AFE |. 8945 E8 |MOV DWORD PTR SS:[EBP-18],EAX
004B3B01 |. 8955 EC |MOV DWORD PTR SS:[EBP-14],EDX
004B3B04 |. 43 |INC EBX
004B3B05 |. 49 |DEC ECX
004B3B06 |.^ 75 E7 \JNZ SHORT Shine_PP.004B3AEF
004B3B08 |> FF75 EC PUSH DWORD PTR SS:[EBP-14]
004B3B0B |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
004B3B0E |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
004B3B11 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]
004B3B14 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004B3B17 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004B3B1A |. E8 FD1DF5FF CALL Shine_PP.0040591C ; multiply the user name's ASCII sum by the ASCII sum of "Shine PPT To Video Converter"
004B3B1F |. 83C0 20 ADD EAX,20 ; add 20 (hex)
004B3B22 |. 83D2 00 ADC EDX,0
004B3B25 |. E8 F21DF5FF CALL Shine_PP.0040591C ; multiply the sum above by the ASCII sum of "Shine PPT To Video Converter"; the product in decimal is the real registration code
004B3B2A |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
004B3B2D |. 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
004B3B30 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B3B33 |. E8 E05AF5FF CALL Shine_PP.00409618 ; convert decimal to hexadecimal
004B3B38 |. 3B55 E4 CMP EDX,DWORD PTR SS:[EBP-1C]
004B3B3B |. 75 67 JNZ SHORT Shine_PP.004B3BA4
004B3B3D |. 3B45 E0 CMP EAX,DWORD PTR SS:[EBP-20] ; compare the real and fake registration codes as hexadecimal values
004B3B40 |. 75 62 JNZ SHORT Shine_PP.004B3BA4
004B3B42 |. 6A 00 PUSH 0
004B3B44 |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004B3B47 |. A1 7C4A5000 MOV EAX,DWORD PTR DS:[504A7C]
004B3B4C |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B3B4E |. BA 24000000 MOV EDX,24
004B3B53 |. E8 F0B20400 CALL Shine_PP.004FEE48
004B3B58 |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; |
004B3B5B |. 66:8B0D 183C4>MOV CX,WORD PTR DS:[4B3C18] ; |
004B3B62 |. B2 02 MOV DL,2 ; |
004B3B64 |. E8 1338F8FF CALL Shine_PP.0043737C ; \show the registration-success message
004B3B69 |. A1 504B5000 MOV EAX,DWORD PTR DS:[504B50]
004B3B6E |. C600 01 MOV BYTE PTR DS:[EAX],1
004B3B71 |. A1 C84C5000 MOV EAX,DWORD PTR DS:[504CC8]
004B3B76 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B3B78 |. 33C9 XOR ECX,ECX
004B3B7A |. 33D2 XOR EDX,EDX
004B3B7C |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
004B3B7E |. FF53 14 CALL DWORD PTR DS:[EBX+14]
004B3B81 |. 8B15 504B5000 MOV EDX,DWORD PTR DS:[504B50] ; Shine_PP.00506517
004B3B87 |. A1 C84C5000 MOV EAX,DWORD PTR DS:[504CC8]
004B3B8C |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B3B8E |. B9 01000000 MOV ECX,1
004B3B93 |. E8 DCC0F6FF CALL Shine_PP.0041FC74
004B3B98 |. A1 405E5000 MOV EAX,DWORD PTR DS:[505E40]
004B3B9D |. E8 CA10FDFF CALL Shine_PP.00484C6C
004B3BA2 |. EB 27 JMP SHORT Shine_PP.004B3BCB
004B3BA4 |> 6A 00 PUSH 0
004B3BA6 |. 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
004B3BA9 |. A1 7C4A5000 MOV EAX,DWORD PTR DS:[504A7C]
004B3BAE |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B3BB0 |. BA 23000000 MOV EDX,23
004B3BB5 |. E8 8EB20400 CALL Shine_PP.004FEE48
004B3BBA |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] ; |
004B3BBD |. 66:8B0D 183C4>MOV CX,WORD PTR DS:[4B3C18] ; |
004B3BC4 |. B2 02 MOV DL,2 ; |
004B3BC6 |. E8 B137F8FF CALL Shine_PP.0043737C ; \show the registration-error message
004B3BCB |> 33C0 XOR EAX,EAX
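Algorithm summary:
1. Sum the ASCII codes of the user name; call the result Sname.
2. Sum the ASCII codes of the program name "Shine PPT To Video Converter"; call the result Sproname.
3. Multiply the user name's ASCII sum Sname by the program name's ASCII sum Sproname; call the product Smul.
4. Add 20 (hex) to Smul, then multiply that sum by the ASCII sum of "Shine PPT To Video Converter"; the product written in decimal is the real registration code.
One working pair: laowan and 4093232050
【Copyright notice】: This article was originally published on the 飘云阁 forum. When reposting, please credit the author and keep the article intact. Thank you!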