【Article title】: Joboshare series software: cracking, serial tracing, algorithm and keygen
【Article author】: expasy
【Author email】: [email protected]
【Author homepage】: none
【Author QQ】: none
【Software name】: Joboshare DVD Copy and others
【Software size】: 6m
【Download URL】: http://www.joboshare.com/downloads.html
【Packer】: none
【Protection】: serial number
【Compiler】: Microsoft Visual C++ 7.0 Method2
【Tools used】: OD and others
【Platform】: win7sp1 x86
【Software description】: the Joboshare series of software, comprising various tools
【Author's statement】: for learning only
--------------------------------------------------------------------------------
【Detailed process】
This vendor's programs all use essentially the same algorithm, so I picked Joboshare DVD Copy from the series for the walkthrough.
1. PEiD check: no packer, Microsoft Visual C++ 7.0 Method2.
2. Load it in OD:
004422FE > $ 6A 74 push 0x74
00442300 . 68 388B4700 push dvdcopy.00478B38
00442305 . E8 F6010000 call dvdcopy.00442500
0044230A . 33DB xor ebx,ebx
0044230C . 895D E0 mov dword ptr ss:[ebp-0x20],ebx
0044230F . 53 push ebx ; /pModule = ""
00442310 . 8B3D 2C214700 mov edi,dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; |kernel32.GetModuleHandleA
00442316 . FFD7 call near edi ; \GetModuleHandleA
3. Searched for the strings "invalid" and "unregistered": neither was found. (After finishing I discovered that C32asm can find them, oops! But it is possible to continue without the strings anyway.)
4. F9 to run the program directly, open the registration dialog and enter a fake code:
Username: expasy
Password: 98765432
An error message pops up. Don't click OK yet: press F12 to pause, look at the call stack (Alt+K), then return to line 00451303 as shown in the figure.
5. Back at line 00451303, set a breakpoint at the start of the function. The key jump here is very obvious. Above it there are two calls, and usually one of them is likely to be the key algorithm. Stepping into each: the first call, 0044F800, encrypts the registration info and stores it in the registry; the second call, 0044F9D0, is the key one. It decrypts the registry info, computes the SN and compares the real code with the fake one, and the eax value it returns decides whether registration succeeds.
004512B0 . 64:A1 00000000 mov eax,dword ptr fs:[0]
004512B6 . 6A FF push -0x1
004512B8 . 68 22024700 push dvdcopy.00470222 ;
004512BD . 50 push eax ; dvdcopy.0047CEF8
004512BE . 64:8925 0000000>mov dword ptr fs:[0],esp
004512C5 . 83EC 08 sub esp,0x8
004512C8 . 56 push esi ; mfc71.7C1473CC
004512C9 . 8BF1 mov esi,ecx
004512CB . E8 30E5FFFF call dvdcopy.0044F800 ; call: encrypt the registration info and store it in the registry
004512D0 . E8 FBE6FFFF call dvdcopy.0044F9D0 ; call: compute the SN and compare
004512D5 . 85C0 test eax,eax ; dvdcopy.0047CEF8
004512D7 . 75 49 jnz short dvdcopy.00451322 ; key jump
004512D9 . 8B0D B4E04800 mov ecx,dword ptr ds:[0x48E0B4] ; dvdcopy.0048DDE0
004512DF > . 68 442F0000 push 0x2F44 ; failure
004512E4 . 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
004512E8 . 50 push eax ; dvdcopy.0047CEF8
004512E9 . E8 7244FFFF call dvdcopy.00445760
004512EE . 6A 00 push 0x0
004512F0 . 6A 30 push 0x30
004512F2 . 8BC8 mov ecx,eax ; dvdcopy.0047CEF8
004512F4 . C74424 1C 00000>mov dword ptr ss:[esp+0x1C],0x0
004512FC . FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
00451302 . 50 push eax ; dvdcopy.0047CEF8
00451303 . E8 3CAA0100 call <jmp.&MFC71.#1123> ; error message
00451308 . 8D4C24 04 lea ecx,dword ptr ss:[esp+0x4]
0045130C . FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
00451312 . 5E pop esi ; mfc71.7C1B0F91
00451313 . 8B4C24 08 mov ecx,dword ptr ss:[esp+0x8]
00451317 . 64:890D 0000000>mov dword ptr fs:[0],ecx
0045131E . 83C4 14 add esp,0x14
The first call:
0044F800 /$ 64:A1 00000000 mov eax,dword ptr fs:[0] ; encrypt the entered fake code and write it to the registry
0044F806 |. 6A FF push -0x1
0044F808 |. 68 0A004700 push dvdcopy.0047000A
0044F80D |. 50 push eax ; dvdcopy.0047CEF8
0044F80E |. 64:8925 0000000>mov dword ptr fs:[0],esp
0044F815 |. 83EC 44 sub esp,0x44
0044F818 |. 53 push ebx
0044F819 |. 56 push esi ; mfc71.7C1473CC
0044F81A |. 57 push edi
0044F81B |. 6A 01 push 0x1
0044F81D |. 8BF9 mov edi,ecx
0044F81F |. E8 DA21FFFF call <jmp.&MFC71.#6236>
0044F824 |. 68 00020000 push 0x200
0044F829 |. 8DB7 BC060000 lea esi,dword ptr ds:[edi+0x6BC]
0044F82F |. 68 00020000 push 0x200
0044F834 |. 8BCE mov ecx,esi ; mfc71.7C1473CC
0044F836 |. FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ; mfc71.#5154
0044F83C |. 50 push eax ; dvdcopy.0047CEF8
0044F83D |. 8D8F BC050000 lea ecx,dword ptr ds:[edi+0x5BC]
0044F843 |. E8 F6C40100 call <jmp.&MFC71.#3760>
0044F848 |. 6A FF push -0x1
0044F84A |. 8BCE mov ecx,esi ; mfc71.7C1473CC
0044F84C |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
0044F852 |. 68 00020000 push 0x200
0044F857 |. 8D9F B8060000 lea ebx,dword ptr ds:[edi+0x6B8]
0044F85D |. 68 00020000 push 0x200
0044F862 |. 8BCB mov ecx,ebx
0044F864 |. FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ; mfc71.#5154
0044F86A |. 50 push eax ; dvdcopy.0047CEF8
0044F86B |. 8D8F 64060000 lea ecx,dword ptr ds:[edi+0x664]
0044F871 |. E8 C8C40100 call <jmp.&MFC71.#3760>
0044F876 |. 6A FF push -0x1
0044F878 |. 8BCB mov ecx,ebx
0044F87A |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
0044F880 |. 8BCE mov ecx,esi ; mfc71.7C1473CC
0044F882 |. FF15 D4274700 call near dword ptr ds:[<&MFC71.#6168>] ; mfc71.#6168
0044F888 |. 8BCB mov ecx,ebx
0044F88A |. FF15 D4274700 call near dword ptr ds:[<&MFC71.#6168>] ; mfc71.#6168
0044F890 |. 8BCE mov ecx,esi ; mfc71.7C1473CC
0044F892 |. FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ; mfc71.#3934
0044F898 |. 84C0 test al,al
0044F89A |. 0F85 1C010000 jnz dvdcopy.0044F9BC
0044F8A0 |. 8BCB mov ecx,ebx
0044F8A2 |. FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ; mfc71.#3934
0044F8A8 |. 84C0 test al,al
0044F8AA |. 0F85 0C010000 jnz dvdcopy.0044F9BC
0044F8B0 |. 53 push ebx
0044F8B1 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044F8B5 |. FF15 E8264700 call near dword ptr ds:[<&MFC71.#297>] ; mfc71.#297
0044F8BB |. 33DB xor ebx,ebx
0044F8BD |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044F8C1 |. 895C24 58 mov dword ptr ss:[esp+0x58],ebx
0044F8C5 |. E8 36F20000 call dvdcopy.0045EB00 ; call: constants used for encryption/decryption
0044F8CA |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044F8CE |. C64424 58 01 mov byte ptr ss:[esp+0x58],0x1
0044F8D3 |. FF15 58254700 call near dword ptr ds:[<&MFC71.#2469>] ; mfc71.#2469
0044F8D9 |. 50 push eax ; dvdcopy.0047CEF8
0044F8DA |. 8BCE mov ecx,esi ; mfc71.7C1473CC
0044F8DC |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044F8E2 |. 50 push eax ; dvdcopy.0047CEF8
0044F8E3 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
0044F8E7 |. E8 24F70000 call dvdcopy.0045F010 ; call: encrypt the registration code
0044F8EC |. 6A FF push -0x1
0044F8EE |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044F8F2 |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
0044F8F8 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044F8FC |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044F902 |. 50 push eax ; dvdcopy.0047CEF8
0044F903 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
0044F907 |. 50 push eax ; dvdcopy.0047CEF8
0044F908 |. E8 23F9FFFF call dvdcopy.0044F230 ; call: convert to hex character form
0044F90D |. 83C4 08 add esp,0x8
0044F910 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044F914 |. 51 push ecx
0044F915 |. 8B0D B8E04800 mov ecx,dword ptr ds:[0x48E0B8] ; dvdcopy.0048DEA0
0044F91B |. C64424 5C 02 mov byte ptr ss:[esp+0x5C],0x2
0044F920 |. E8 5B36FFFF call dvdcopy.00442F80
0044F925 |. 8BC8 mov ecx,eax ; dvdcopy.0047CEF8
0044F927 |. 83C1 2C add ecx,0x2C
0044F92A |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044F930 |. 50 push eax ; |Subkey = "RD"
0044F931 |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
0044F936 |. FF15 24204700 call near dword ptr ds:[<&ADVAPI32.RegCreate>; \RegCreateKeyA
0044F93C |. 85C0 test eax,eax ; dvdcopy.0047CEF8
0044F93E |. 75 5B jnz short dvdcopy.0044F99B
0044F940 |. 8BCE mov ecx,esi ; mfc71.7C1473CC
0044F942 |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044F948 |. 8BCE mov ecx,esi ; mfc71.7C1473CC
0044F94A |. 8BF8 mov edi,eax ; dvdcopy.0047CEF8
0044F94C |. FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ; mfc71.#2902
0044F952 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10] ; mfc71.7C1B1176
0044F956 |. 8B35 1C204700 mov esi,dword ptr ds:[<&ADVAPI32.RegSetValue>; advapi32.RegSetValueExA
0044F95C |. 50 push eax ; /BufSize = 47CEF8 (4706040.)
0044F95D |. 57 push edi ; |Buffer = 00000001
0044F95E |. 6A 01 push 0x1 ; |ValueType = REG_SZ
0044F960 |. 53 push ebx ; |Reserved = 0x111
0044F961 |. 68 8C8E4700 push dvdcopy.00478E8C ; |Name
0044F966 |. 52 push edx ; |hKey = 0x0
0044F967 |. FFD6 call near esi ; \RegSetValueExA
0044F969 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] ; write to the registry
0044F96D |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044F973 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044F977 |. 8BF8 mov edi,eax ; dvdcopy.0047CEF8
0044F979 |. FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ; mfc71.#2902
0044F97F |. 50 push eax ; dvdcopy.0047CEF8
0044F980 |. 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
0044F984 |. 57 push edi
0044F985 |. 6A 01 push 0x1
0044F987 |. 53 push ebx
0044F988 |. 68 90C54700 push dvdcopy.0047C590 ; Code
0044F98D |. 50 push eax ; dvdcopy.0047CEF8
0044F98E |. FFD6 call near esi ; mfc71.7C1473CC
0044F990 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+0x10] ; mfc71.7C1B1176
0044F994 |. 51 push ecx ; /hKey = 0011ACB8
0044F995 |. FF15 28204700 call near dword ptr ds:[<&ADVAPI32.RegCloseK>; \RegCloseKey
0044F99B |> 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044F99F |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044F9A5 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044F9A9 |. 885C24 58 mov byte ptr ss:[esp+0x58],bl
0044F9AD |. E8 BEF10000 call dvdcopy.0045EB70
0044F9B2 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044F9B6 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044F9BC |> 8B4C24 50 mov ecx,dword ptr ss:[esp+0x50]
0044F9C0 |. 5F pop edi ; mfc71.7C1B0F91
0044F9C1 |. 5E pop esi ; mfc71.7C1B0F91
0044F9C2 |. 5B pop ebx ; mfc71.7C1B0F91
0044F9C3 |. 64:890D 0000000>mov dword ptr fs:[0],ecx
0044F9CA |. 83C4 50 add esp,0x50
0044F9CD \. C3 retn
The second call:
0044F9D0 /$ 6A FF push -0x1 ; algorithm 2 = algorithm 1? the same algorithm written twice? this runs after the registration info is entered
0044F9D2 |. 68 CF004700 push dvdcopy.004700CF ; SE handler installation
0044F9D7 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0044F9DD |. 50 push eax ; dvdcopy.0047CEF8
0044F9DE |. 64:8925 0000000>mov dword ptr fs:[0],esp
0044F9E5 |. 81EC A4000000 sub esp,0xA4
0044F9EB |. A1 B0D44800 mov eax,dword ptr ds:[0x48D4B0]
0044F9F0 |. 53 push ebx
0044F9F1 |. 56 push esi ; mfc71.7C1473CC
0044F9F2 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044F9F6 |. 898424 A8000000 mov dword ptr ss:[esp+0xA8],eax ; dvdcopy.0047CEF8
0044F9FD |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044FA03 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FA07 |. C78424 B4000000>mov dword ptr ss:[esp+0xB4],0x0
0044FA12 |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044FA18 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FA1C |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044FA22 |. 8B0D B8E04800 mov ecx,dword ptr ds:[0x48E0B8] ; dvdcopy.0048DEA0
0044FA28 |. 8D4424 20 lea eax,dword ptr ss:[esp+0x20]
0044FA2C |. 50 push eax ; dvdcopy.0047CEF8
0044FA2D |. C68424 B8000000>mov byte ptr ss:[esp+0xB8],0x2
0044FA35 |. E8 4635FFFF call dvdcopy.00442F80
0044FA3A |. 8BC8 mov ecx,eax ; dvdcopy.0047CEF8
0044FA3C |. 83C1 2C add ecx,0x2C
0044FA3F |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FA45 |. 50 push eax ; |Subkey = "RD"
0044FA46 |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
0044FA4B |. FF15 24204700 call near dword ptr ds:[<&ADVAPI32.RegCreate>; \RegCreateKeyA
0044FA51 |. 85C0 test eax,eax ; dvdcopy.0047CEF8
0044FA53 |. 0F85 B1000000 jnz dvdcopy.0044FB0A
0044FA59 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
0044FA5D |. 51 push ecx
0044FA5E |. 68 00020000 push 0x200
0044FA63 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FA67 |. C74424 10 00020>mov dword ptr ss:[esp+0x10],0x200
0044FA6F |. FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ; mfc71.#5154
0044FA75 |. 8B5424 24 mov edx,dword ptr ss:[esp+0x24] ; |
0044FA79 |. 8B35 2C204700 mov esi,dword ptr ds:[<&ADVAPI32.RegQueryVal>; |advapi32.RegQueryValueExA
0044FA7F |. 50 push eax ; |Buffer = dvdcopy.0047CEF8
0044FA80 |. 6A 00 push 0x0 ; |pValueType = NULL
0044FA82 |. 6A 00 push 0x0 ; |Reserved = NULL
0044FA84 |. 68 8C8E4700 push dvdcopy.00478E8C ; |Name
0044FA89 |. 52 push edx ; |hKey = 0x0
0044FA8A |. FFD6 call near esi ; \RegQueryValueExA
0044FA8C |. 6A FF push -0x1
0044FA8E |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FA92 |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
0044FA98 |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
0044FA9C |. 50 push eax ; dvdcopy.0047CEF8
0044FA9D |. 68 00020000 push 0x200
0044FAA2 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
0044FAA6 |. C74424 10 00020>mov dword ptr ss:[esp+0x10],0x200
0044FAAE |. FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ; mfc71.#5154
0044FAB4 |. 8B4C24 24 mov ecx,dword ptr ss:[esp+0x24]
0044FAB8 |. 50 push eax ; dvdcopy.0047CEF8
0044FAB9 |. 6A 00 push 0x0
0044FABB |. 6A 00 push 0x0
0044FABD |. 68 88C54700 push dvdcopy.0047C588 ; Serial
0044FAC2 |. 51 push ecx
0044FAC3 |. FFD6 call near esi ; mfc71.7C1473CC
0044FAC5 |. 6A FF push -0x1
0044FAC7 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FACB |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
0044FAD1 |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
0044FAD5 |. 52 push edx
0044FAD6 |. 68 00020000 push 0x200
0044FADB |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FADF |. C74424 10 00020>mov dword ptr ss:[esp+0x10],0x200
0044FAE7 |. FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ; mfc71.#5154
0044FAED |. 50 push eax ; dvdcopy.0047CEF8
0044FAEE |. 8B4424 28 mov eax,dword ptr ss:[esp+0x28]
0044FAF2 |. 6A 00 push 0x0
0044FAF4 |. 6A 00 push 0x0
0044FAF6 |. 68 90C54700 push dvdcopy.0047C590 ; Code
0044FAFB |. 50 push eax ; dvdcopy.0047CEF8
0044FAFC |. FFD6 call near esi ; mfc71.7C1473CC
0044FAFE |. 6A FF push -0x1
0044FB00 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FB04 |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
0044FB0A |> 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FB0E |. FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ; mfc71.#3934
0044FB14 |. 84C0 test al,al
0044FB16 |. BB 03000000 mov ebx,0x3
0044FB1B |. 0F85 8C000000 jnz dvdcopy.0044FBAD
0044FB21 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FB25 |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FB2B |. 50 push eax ; dvdcopy.0047CEF8
0044FB2C |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044FB30 |. 51 push ecx
0044FB31 |. E8 FAF5FFFF call dvdcopy.0044F130 ; decrypt 2 (decrypt to the intermediate code)
0044FB36 |. 83C4 08 add esp,0x8
0044FB39 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
0044FB3D |. 889C24 B4000000 mov byte ptr ss:[esp+0xB4],bl
0044FB44 |. E8 B7EF0000 call dvdcopy.0045EB00 ; initialize some variables?
0044FB49 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
0044FB4D |. C68424 B4000000>mov byte ptr ss:[esp+0xB4],0x4
0044FB55 |. FF15 58254700 call near dword ptr ds:[<&MFC71.#2469>] ; mfc71.#2469
0044FB5B |. 50 push eax ; dvdcopy.0047CEF8
0044FB5C |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FB60 |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FB66 |. 50 push eax ; dvdcopy.0047CEF8
0044FB67 |. 8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
0044FB6B |. E8 A0F40000 call dvdcopy.0045F010 ; decrypt 1 (decrypt to the plain code)
0044FB70 |. 6A FF push -0x1
0044FB72 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044FB76 |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
0044FB7C |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
0044FB80 |. 52 push edx
0044FB81 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FB85 |. FF15 E4264700 call near dword ptr ds:[<&MFC71.#781>] ; mfc71.#781
0044FB8B |. 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
0044FB8F |. 889C24 B4000000 mov byte ptr ss:[esp+0xB4],bl
0044FB96 |. E8 D5EF0000 call dvdcopy.0045EB70
0044FB9B |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
0044FB9F |. C68424 B4000000>mov byte ptr ss:[esp+0xB4],0x2
0044FBA7 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FBAD |> 6A 14 push 0x14
0044FBAF |. 8D4424 0C lea eax,dword ptr ss:[esp+0xC]
0044FBB3 |. 50 push eax ; dvdcopy.0047CEF8
0044FBB4 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FBB8 |. FF15 E0264700 call near dword ptr ds:[<&MFC71.#3997>] ; mfc71.#3997
0044FBBE |. 50 push eax ; take 0x14 (20) chars of the SN, starting from the left presumably
0044FBBF |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FBC3 |. C68424 B8000000>mov byte ptr ss:[esp+0xB8],0x5
0044FBCB |. FF15 E4264700 call near dword ptr ds:[<&MFC71.#781>] ; mfc71.#781
0044FBD1 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
0044FBD5 |. C68424 B4000000>mov byte ptr ss:[esp+0xB4],0x2
0044FBDD |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FBE3 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FBE7 |. FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ; mfc71.#3934
0044FBED |. 84C0 test al,al
0044FBEF |. 0F85 C0030000 jnz dvdcopy.0044FFB5
0044FBF5 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FBF9 |. FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ; mfc71.#3934
0044FBFF |. 84C0 test al,al
0044FC01 |. 0F85 AE030000 jnz dvdcopy.0044FFB5
0044FC07 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FC0B |. FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ; mfc71.#2902
0044FC11 |. 83F8 27 cmp eax,0x27 ; SN length is 0x27 (39) chars
0044FC14 |. 0F85 9B030000 jnz dvdcopy.0044FFB5
0044FC1A |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FC1E |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FC24 |. 8B0D B8E04800 mov ecx,dword ptr ds:[0x48E0B8] ; dvdcopy.0048DEA0
0044FC2A |. E8 5133FFFF call dvdcopy.00442F80
0044FC2F |. 83C0 38 add eax,0x38
0044FC32 |. 50 push eax ; dvdcopy.0047CEF8
0044FC33 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FC37 |. FF15 E4264700 call near dword ptr ds:[<&MFC71.#781>] ; mfc71.#781
0044FC3D |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044FC41 |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044FC47 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FC4B |. C68424 B4000000>mov byte ptr ss:[esp+0xB4],0x6
0044FC53 |. 33F6 xor esi,esi ; mfc71.7C1473CC
0044FC55 |. FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ; mfc71.#2902
0044FC5B |. 85C0 test eax,eax ; dvdcopy.0047CEF8
0044FC5D |. 7E 53 jle short dvdcopy.0044FCB2 ; software string="Jobosharedvdcopydvdcss2008.07.28"
0044FC5F |. 90 nop ; eax=0x20(32)=length of the software string
0044FC60 |> 8BC6 /mov eax,esi ; for(int esi=0;esi<0x20;esi++){
0044FC62 |. 99 |cdq ; edx=0;ebx=0x3;
0044FC63 |. 8BCB |mov ecx,ebx
0044FC65 |. F7F9 |idiv ecx
0044FC67 |. 85D2 |test edx,edx ; edx=esi%ebx;
0044FC69 |. 75 38 |jnz short dvdcopy.0044FCA3 ; if(edx==0){
0044FC6B |. 56 |push esi ; mfc71.7C1473CC
0044FC6C |. 8D4C24 14 |lea ecx,dword ptr ss:[esp+0x14]
0044FC70 |. FF15 58264700 |call near dword ptr ds:[<&MFC71.#865>] ; mfc71.#2451
0044FC76 |. 8D4C24 0C |lea ecx,dword ptr ss:[esp+0xC]
0044FC7A |. 50 |push eax ; dvdcopy.0047CEF8
0044FC7B |. FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ; mfc71.#909
0044FC81 |. 8D46 01 |lea eax,dword ptr ds:[esi+0x1] ; eax=esi+1
0044FC84 |. 99 |cdq ; edx=0
0044FC85 |. B9 FF000000 |mov ecx,0xFF
0044FC8A |. F7F9 |idiv ecx
0044FC8C |. 84D2 |test dl,dl ; dl=eax%0xff; //(=eax)
0044FC8E |. 885424 08 |mov byte ptr ss:[esp+0x8],dl
0044FC92 |. 74 0F |je short dvdcopy.0044FCA3 ; if(dl!=0){
0044FC94 |. 8B5424 08 |mov edx,dword ptr ss:[esp+0x8]
0044FC98 |. 52 |push edx
0044FC99 |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0044FC9D |. FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ; }} //endif
0044FCA3 |> 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0044FCA7 |. 46 |inc esi ; mfc71.7C1473CC
0044FCA8 |. FF15 20274700 |call near dword ptr ds:[<&MFC71.#2902>] ; eax=0x20
0044FCAE |. 3BF0 |cmp esi,eax ; dvdcopy.0047CEF8
0044FCB0 |.^ 7C AE \jl short dvdcopy.0044FC60 ; } //endfor, this loop processes every (3n+1)th char of the software string
0044FCB2 |> 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FCB6 |. 33F6 xor esi,esi ; mfc71.7C1473CC
0044FCB8 |. FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ; mfc71.#2902
0044FCBE |. 85C0 test eax,eax ; eax=0x20(32)=length of the software string
0044FCC0 |. 7E 52 jle short dvdcopy.0044FD14 ; for(int esi=0;esi<eax;esi++){
0044FCC2 |> 8BC6 /mov eax,esi ; ///// basically the same as above, this one handles the remaining chars
0044FCC4 |. 99 |cdq ; edx=0;ebx=0x3;
0044FCC5 |. 8BCB |mov ecx,ebx
0044FCC7 |. F7F9 |idiv ecx
0044FCC9 |. 85D2 |test edx,edx ; edx=esi%3;
0044FCCB |. 74 38 |je short dvdcopy.0044FD05 ; if(edx!=0) /// the only difference; these two loops are really one, written as two
0044FCCD |. 56 |push esi ; mfc71.7C1473CC
0044FCCE |. 8D4C24 14 |lea ecx,dword ptr ss:[esp+0x14]
0044FCD2 |. FF15 58264700 |call near dword ptr ds:[<&MFC71.#865>] ; mfc71.#2451
0044FCD8 |. 8D4C24 0C |lea ecx,dword ptr ss:[esp+0xC]
0044FCDC |. 50 |push eax ; dvdcopy.0047CEF8
0044FCDD |. FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ; mfc71.#909
0044FCE3 |. 8D46 01 |lea eax,dword ptr ds:[esi+0x1]
0044FCE6 |. 99 |cdq
0044FCE7 |. B9 FF000000 |mov ecx,0xFF
0044FCEC |. F7F9 |idiv ecx
0044FCEE |. 84D2 |test dl,dl
0044FCF0 |. 885424 08 |mov byte ptr ss:[esp+0x8],dl
0044FCF4 |. 74 0F |je short dvdcopy.0044FD05
0044FCF6 |. 8B5424 08 |mov edx,dword ptr ss:[esp+0x8]
0044FCFA |. 52 |push edx
0044FCFB |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0044FCFF |. FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ; mfc71.#909
0044FD05 |> 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0044FD09 |. 46 |inc esi ; mfc71.7C1473CC
0044FD0A |. FF15 20274700 |call near dword ptr ds:[<&MFC71.#2902>] ; mfc71.#2902
0044FD10 |. 3BF0 |cmp esi,eax ; dvdcopy.0047CEF8
0044FD12 |.^ 7C AE \jl short dvdcopy.0044FCC2
0044FD14 |> 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
0044FD18 |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044FD1E |. 6A 01 push 0x1
0044FD20 |. 8D4424 28 lea eax,dword ptr ss:[esp+0x28]
0044FD24 |. 68 A8C54700 push dvdcopy.0047C5A8 ; %d
0044FD29 |. 50 push eax ; dvdcopy.0047CEF8
0044FD2A |. C68424 C0000000>mov byte ptr ss:[esp+0xC0],0x7
0044FD32 |. FF15 A8264700 call near dword ptr ds:[<&MFC71.#2322>] ; formats output with "%d" presumably
0044FD38 |. 83C4 0C add esp,0xC
0044FD3B |. 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
0044FD3F |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FD45 |. 50 push eax ; dvdcopy.0047CEF8
0044FD46 |. 6A 00 push 0x0
0044FD48 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FD4C |. FF15 40264700 call near dword ptr ds:[<&MFC71.#3850>] ; stores the result of the two loops at [01399758], with one extra char prepended
0044FD52 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
0044FD56 |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044FD5C |. 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C]
0044FD60 |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044FD66 |. 6A 00 push 0x0
0044FD68 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C]
0044FD6C |. 68 A8C54700 push dvdcopy.0047C5A8 ; %d
0044FD71 |. B3 09 mov bl,0x9
0044FD73 |. 51 push ecx
0044FD74 |. 889C24 C0000000 mov byte ptr ss:[esp+0xC0],bl
0044FD7B |. FF15 A8264700 call near dword ptr ds:[<&MFC71.#2322>] ; mfc71.#2322
0044FD81 |. 6A 00 push 0x0
0044FD83 |. 8D5424 3C lea edx,dword ptr ss:[esp+0x3C]
0044FD87 |. 68 A8C54700 push dvdcopy.0047C5A8 ; %d
0044FD8C |. 52 push edx
0044FD8D |. FF15 A8264700 call near dword ptr ds:[<&MFC71.#2322>] ; mfc71.#2322
0044FD93 |. 8D4424 44 lea eax,dword ptr ss:[esp+0x44]
0044FD97 |. 50 push eax ; dvdcopy.0047CEF8
0044FD98 |. 8D4C24 44 lea ecx,dword ptr ss:[esp+0x44]
0044FD9C |. 51 push ecx
0044FD9D |. 8D5424 28 lea edx,dword ptr ss:[esp+0x28]
0044FDA1 |. 52 push edx
0044FDA2 |. E8 7900FDFF call dvdcopy.0041FE20
0044FDA7 |. 83C4 24 add esp,0x24
0044FDAA |. 50 push eax ; dvdcopy.0047CEF8
0044FDAB |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FDAF |. C68424 B8000000>mov byte ptr ss:[esp+0xB8],0xA
0044FDB7 |. FF15 B0264700 call near dword ptr ds:[<&MFC71.#907>] ; mfc71.#907
0044FDBD |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
0044FDC1 |. 889C24 B4000000 mov byte ptr ss:[esp+0xB4],bl
0044FDC8 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FDCE |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
0044FDD2 |. 50 push eax ; dvdcopy.0047CEF8
0044FDD3 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
0044FDD7 |. FF15 E8264700 call near dword ptr ds:[<&MFC71.#297>] ; mfc71.#297
0044FDDD |. B3 0B mov bl,0xB
0044FDDF |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FDE3 |. 889C24 B4000000 mov byte ptr ss:[esp+0xB4],bl
0044FDEA |. FF15 44264700 call near dword ptr ds:[<&MFC71.#4085>] ; mfc71.#4085
0044FDF0 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FDF4 |. FF15 D8274700 call near dword ptr ds:[<&MFC71.#6174>] ; mfc71.#6174
0044FDFA |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FDFE |. FF15 A8234700 call near dword ptr ds:[<&MFC71.#6180>] ; mfc71.#6180
0044FE04 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FE08 |. FF15 64234700 call near dword ptr ds:[<&MFC71.#3934>] ; mfc71.#3934
0044FE0E |. 84C0 test al,al
0044FE10 |. 74 0F je short dvdcopy.0044FE21
0044FE12 |. 68 9CC54700 push dvdcopy.0047C59C ; joboshare
0044FE17 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
0044FE1B |. FF15 24274700 call near dword ptr ds:[<&MFC71.#784>] ; mfc71.#785
0044FE21 |> 8B0D B8E04800 mov ecx,dword ptr ds:[0x48E0B8] ; dvdcopy.0048DEA0
0044FE27 |. E8 5431FFFF call dvdcopy.00442F80
0044FE2C |. 83C0 38 add eax,0x38
0044FE2F |. 50 push eax ; dvdcopy.0047CEF8
0044FE30 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
0044FE34 |. 51 push ecx
0044FE35 |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10]
0044FE39 |. 52 push edx
0044FE3A |. E8 E1FFFCFF call dvdcopy.0041FE20 ; concatenates the first 20 chars of the SN with the software string
0044FE3F |. 83C4 0C add esp,0xC
0044FE42 |. 50 push eax ; dvdcopy.0047CEF8
0044FE43 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FE47 |. C68424 B8000000>mov byte ptr ss:[esp+0xB8],0xC
0044FE4F |. FF15 B0264700 call near dword ptr ds:[<&MFC71.#907>] ; appends the concatenated string after the result; there are a few " 00" bytes in between, origin unknown
0044FE55 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8] ; the string to be MD5-hashed is now formed, located at ecx
0044FE59 |. 889C24 B4000000 mov byte ptr ss:[esp+0xB4],bl
0044FE60 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FE66 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044FE6A |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FE70 |. 50 push eax ; dvdcopy.0047CEF8
0044FE71 |. 8D4C24 70 lea ecx,dword ptr ss:[esp+0x70]
0044FE75 |. E8 F6F20000 call dvdcopy.0045F170 ; this one is interesting: MD5
0044FE7A |. 8D4C24 6C lea ecx,dword ptr ss:[esp+0x6C]
0044FE7E |. C68424 B4000000>mov byte ptr ss:[esp+0xB4],0xD
0044FE86 |. E8 25F20000 call dvdcopy.0045F0B0
0044FE8B |. 50 push eax ; dvdcopy.0047CEF8
0044FE8C |. 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
0044FE90 |. FF15 64274700 call near dword ptr ds:[<&MFC71.#304>] ; mfc71.#304
0044FE96 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044FE9A |. C68424 B4000000>mov byte ptr ss:[esp+0xB4],0xE
0044FEA2 |. FF15 98264700 call near dword ptr ds:[<&MFC71.#2131>] ; mfc71.#2131
0044FEA8 |. 33F6 xor esi,esi ; mfc71.7C1473CC
0044FEAA |. 8D9B 00000000 lea ebx,dword ptr ds:[ebx]
0044FEB0 |> 56 /push esi ; mfc71.7C1473CC
0044FEB1 |. 8D4C24 34 |lea ecx,dword ptr ss:[esp+0x34]
0044FEB5 |. FF15 58264700 |call near dword ptr ds:[<&MFC71.#865>] ; mfc71.#2451
0044FEBB |. 8D4C24 0C |lea ecx,dword ptr ss:[esp+0xC]
0044FEBF |. 50 |push eax ; dvdcopy.0047CEF8
0044FEC0 |. FF15 7C234700 |call near dword ptr ds:[<&MFC71.#908>] ; mfc71.#909
0044FEC6 |. 8BC6 |mov eax,esi ; take every other char, starting from the first
0044FEC8 |. D1E8 |shr eax,1
0044FECA |. 40 |inc eax ; dvdcopy.0047CEF8
0044FECB |. 25 03000080 |and eax,0x80000003
0044FED0 |. 79 05 |jns short dvdcopy.0044FED7
0044FED2 |. 48 |dec eax ; dvdcopy.0047CEF8
0044FED3 |. 83C8 FC |or eax,-0x4 ; a '-' is added after every 4 chars taken
0044FED6 |. 40 |inc eax ; dvdcopy.0047CEF8
0044FED7 |> 75 0F |jnz short dvdcopy.0044FEE8
0044FED9 |. 68 98C54700 |push dvdcopy.0047C598 ; -
0044FEDE |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0044FEE2 |. FF15 AC264700 |call near dword ptr ds:[<&MFC71.#911>] ; concatenate strings
0044FEE8 |> 83C6 02 |add esi,0x2
0044FEEB |. 83FE 20 |cmp esi,0x20 ; 20 chars in total, the last one is the '-'
0044FEEE |.^ 7C C0 \jl short dvdcopy.0044FEB0
0044FEF0 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044FEF4 |. FF15 44264700 call near dword ptr ds:[<&MFC71.#4085>] ; to uppercase
0044FEFA |. 6A 01 push 0x1
0044FEFC |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FF00 |. FF15 20274700 call near dword ptr ds:[<&MFC71.#2902>] ; drop the last char ('-')
0044FF06 |. 48 dec eax ; dvdcopy.0047CEF8
0044FF07 |. 50 push eax ; dvdcopy.0047CEF8
0044FF08 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FF0C |. FF15 48264700 call near dword ptr ds:[<&MFC71.#1916>] ; mfc71.#1916
0044FF12 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FF16 |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FF1C |. 50 push eax ; dvdcopy.0047CEF8
0044FF1D |. 6A 00 push 0x0
0044FF1F |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FF23 |. FF15 40264700 call near dword ptr ds:[<&MFC71.#3850>] ; mfc71.#3850
0044FF29 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] ; concatenate into the SN, 39 chars in total; the real code appears here
0044FF2D |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044FF33 |. 50 push eax ; dvdcopy.0047CEF8
0044FF34 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FF38 |. FF15 78234700 call near dword ptr ds:[<&MFC71.#1482>] ; mfc71.#1482
0044FF3E |. F7D8 neg eax ; dvdcopy.0047CEF8
0044FF40 |. 1AC0 sbb al,al
0044FF42 |. FEC0 inc al
0044FF44 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
0044FF48 |. 0FB6F0 movzx esi,al
0044FF4B |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FF51 |. 8D4C24 6C lea ecx,dword ptr ss:[esp+0x6C]
0044FF55 |. 889C24 B4000000 mov byte ptr ss:[esp+0xB4],bl
0044FF5C |. E8 3FF10000 call dvdcopy.0045F0A0
0044FF61 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0044FF65 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FF6B |. 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C]
0044FF6F |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FF75 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
0044FF79 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FF7F |. 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
0044FF83 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FF89 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0044FF8D |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FF93 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FF97 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FF9D |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FFA1 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FFA7 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FFAB |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FFB1 |. 8BC6 mov eax,esi ; mfc71.7C1473CC
0044FFB3 |. EB 20 jmp short dvdcopy.0044FFD5
0044FFB5 |> 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044FFB9 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FFBF |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044FFC3 |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FFC9 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044FFCD |. FF15 68274700 call near dword ptr ds:[<&MFC71.#578>] ; mfc71.#578
0044FFD3 |. 33C0 xor eax,eax ; dvdcopy.0047CEF8
0044FFD5 |> 8B8C24 AC000000 mov ecx,dword ptr ss:[esp+0xAC]
0044FFDC |. 5E pop esi ; mfc71.7C1B0F91
0044FFDD |. 64:890D 0000000>mov dword ptr fs:[0],ecx
0044FFE4 |. 8B8C24 A4000000 mov ecx,dword ptr ss:[esp+0xA4]
0044FFEB |. 5B pop ebx ; mfc71.7C1B0F91
0044FFEC |. E8 8C25FFFF call dvdcopy.0044257D
0044FFF1 |. 81C4 B0000000 add esp,0xB0
0044FFF7 \. C3 retn
Among these, the block of constants used to encrypt the registration code when it is stored in the registry and to decrypt it when it is read back:
0045EB00 /$ 8BC1 mov eax,ecx
0045EB02 |. C700 9CEB4700 mov dword ptr ds:[eax],dvdcopy.0047EB9C
0045EB08 |. C740 08 DF9B571>mov dword ptr ds:[eax+0x8],0x13579BDF
0045EB0F |. C740 0C E0AC682>mov dword ptr ds:[eax+0xC],0x2468ACE0
0045EB16 |. C740 10 3175B9F>mov dword ptr ds:[eax+0x10],0xFDB97531
0045EB1D |. C740 14 6200008>mov dword ptr ds:[eax+0x14],0x80000062
0045EB24 |. C740 18 2000004>mov dword ptr ds:[eax+0x18],0x40000020
0045EB2B |. C740 1C 0200001>mov dword ptr ds:[eax+0x1C],0x10000002
0045EB32 |. C740 20 FFFFFF7>mov dword ptr ds:[eax+0x20],0x7FFFFFFF
0045EB39 |. C740 24 FFFFFF3>mov dword ptr ds:[eax+0x24],0x3FFFFFFF
0045EB40 |. C740 28 FFFFFF0>mov dword ptr ds:[eax+0x28],0xFFFFFFF
0045EB47 |. C740 2C 0000008>mov dword ptr ds:[eax+0x2C],0x80000000
0045EB4E |. C740 30 000000C>mov dword ptr ds:[eax+0x30],0xC0000000
0045EB55 |. C740 34 000000F>mov dword ptr ds:[eax+0x34],0xF0000000
0045EB5C |. C740 04 0000000>mov dword ptr ds:[eax+0x4],0x0
The encryption/decryption part:
0045F010 /$ 53 push ebx ; encryption / decryption
0045F011 |. 55 push ebp
0045F012 |. 56 push esi ; mfc71.7C1473CC
0045F013 |. 57 push edi
0045F014 |. 8BF9 mov edi,ecx
0045F016 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14]
0045F01A |. 8B07 mov eax,dword ptr ds:[edi]
0045F01C |. 51 push ecx
0045F01D |. 8BCF mov ecx,edi
0045F01F |. FF50 08 call near dword ptr ds:[eax+0x8] ; dvdcopy.004235A0
0045F022 |. 8B5C24 18 mov ebx,dword ptr ss:[esp+0x18]
0045F026 |. 8BC3 mov eax,ebx
0045F028 |. 8D50 01 lea edx,dword ptr ds:[eax+0x1]
0045F02B |. EB 03 jmp short dvdcopy.0045F030
0045F02D | 8D49 00 lea ecx,dword ptr ds:[ecx]
0045F030 |> 8A08 /mov cl,byte ptr ds:[eax]
0045F032 |. 40 |inc eax ; dvdcopy.0047CEF8
0045F033 |. 84C9 |test cl,cl
0045F035 |.^ 75 F9 \jnz short dvdcopy.0045F030
0045F037 |. 2BC2 sub eax,edx
0045F039 |. 8BE8 mov ebp,eax ; dvdcopy.0047CEF8
0045F03B |. BE 00000000 mov esi,0x0
0045F040 |. 74 1F je short dvdcopy.0045F061
0045F042 |> 8A141E /mov dl,byte ptr ds:[esi+ebx] ; each byte is encrypted/decrypted individually
0045F045 |. 8B07 |mov eax,dword ptr ds:[edi]
0045F047 |. 8D4C24 14 |lea ecx,dword ptr ss:[esp+0x14]
0045F04B |. 51 |push ecx
0045F04C |. 8BCF |mov ecx,edi
0045F04E |. 885424 18 |mov byte ptr ss:[esp+0x18],dl
0045F052 |. FF50 10 |call near dword ptr ds:[eax+0x10] ; per-byte encryption/decryption
0045F055 |. 8A5424 14 |mov dl,byte ptr ss:[esp+0x14]
0045F059 |. 88141E |mov byte ptr ds:[esi+ebx],dl
0045F05C |. 46 |inc esi ; mfc71.7C1473CC
0045F05D |. 3BF5 |cmp esi,ebp
0045F05F |.^ 72 E1 \jb short dvdcopy.0045F042
0045F061 |> 5F pop edi ; mfc71.7C1B0F91
0045F062 |. 5E pop esi ; mfc71.7C1B0F91
0045F063 |. 5D pop ebp ; mfc71.7C1B0F91
0045F064 |. 5B pop ebx ; mfc71.7C1B0F91
0045F065 \. C2 0800 retn 0x8
6. Patching. My usual habit when patching is to change the jump, but here that would be far too tedious; look at how many places call the algorithm:
本地调用来自 0041969C, 0041CAA9, 0041FA7A, 0042376D, 00423783, 0045011B, 004501C7, 004512D0, 00451645
Nine in total; patching jumps would mean nine patches, which isn't worth it, so I patch the algorithm call itself so that it returns eax=1.
Change
0044F9D0 /$ 6A FF push -0x1 ; algorithm 2 = algorithm 1? The same algorithm written twice? This one runs after the registration info is entered
0044F9D2 |. 68 CF004700 push dvdcopy.004700CF ; SE handler installation
0044F9D7 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
to
0044F9D0 33C0 xor eax,eax ;
0044F9D2 40 inc eax ;
0044F9D3 C3 retn
0044F9D4 90 nop
0044F9D5 90 nop
0044F9D6 90 nop
0044F9D7 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
Save the modified file as 1.exe and test it.
It does show that registration succeeded, but the title bar still says unregistered, so there is another check, and it does not call this algorithm; so keep patching.
7. Since we already know the registration info is saved in the registry, the place it is stored is:
You can see that the username is name, stored unencrypted. The registration code is code, stored encrypted.
So set breakpoints directly on the registry APIs:
BP RegQueryValueExA
BP RegQueryValueExW
Ctrl+F2 to restart; it breaks on the registry API, but not on either of the values we want, name or code. After pressing F9 maybe 10+ times, "name" finally appears on the stack; ok, Alt+F9 returns to 0044BCDC here:
0044BC20 /$ 6A FF push -0x1 ; algorithm 1, used at startup
0044BC22 |. 68 3FFB4600 push dvdcopy.0046FB3F ; SE handler installation
0044BC27 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0044BC2D |. 50 push eax
0044BC2E |. 64:8925 0000000>mov dword ptr fs:[0],esp
0044BC35 |. 81EC A4000000 sub esp,0xA4
0044BC3B |. A1 B0D44800 mov eax,dword ptr ds:[0x48D4B0]
0044BC40 |. 53 push ebx
0044BC41 |. 56 push esi ; advapi32.RegQueryValueExA
0044BC42 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0044BC46 |. 898424 A8000000 mov dword ptr ss:[esp+0xA8],eax
0044BC4D |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044BC53 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044BC57 |. C78424 B4000000>mov dword ptr ss:[esp+0xB4],0x0
0044BC62 |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044BC68 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044BC6C |. FF15 14274700 call near dword ptr ds:[<&MFC71.#310>] ; mfc71.#310
0044BC72 |. 8B0D B8E04800 mov ecx,dword ptr ds:[0x48E0B8] ; dvdcopy.0048DEA0
0044BC78 |. 8D4424 20 lea eax,dword ptr ss:[esp+0x20]
0044BC7C |. 50 push eax
0044BC7D |. C68424 B8000000>mov byte ptr ss:[esp+0xB8],0x2
0044BC85 |. E8 F672FFFF call dvdcopy.00442F80
0044BC8A |. 8BC8 mov ecx,eax
0044BC8C |. 83C1 2C add ecx,0x2C
0044BC8F |. FF15 1C274700 call near dword ptr ds:[<&MFC71.#876>] ; mfc71.#3397
0044BC95 |. 50 push eax ; |Subkey = ""
0044BC96 |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
0044BC9B |. FF15 24204700 call near dword ptr ds:[<&ADVAPI32.RegCreate>; \RegCreateKeyA
0044BCA1 |. 85C0 test eax,eax
0044BCA3 |. 0F85 B1000000 jnz dvdcopy.0044BD5A
0044BCA9 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
0044BCAD |. 51 push ecx ; mfc71.7C2238D0
0044BCAE |. 68 00020000 push 0x200
0044BCB3 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044BCB7 |. C74424 10 00020>mov dword ptr ss:[esp+0x10],0x200
0044BCBF |. FF15 54254700 call near dword ptr ds:[<&MFC71.#2468>] ; mfc71.#5154
0044BCC5 |. 8B5424 24 mov edx,dword ptr ss:[esp+0x24] ; |
0044BCC9 |. 8B35 2C204700 mov esi,dword ptr ds:[<&ADVAPI32.RegQueryVal>; |advapi32.RegQueryValueExA
0044BCCF |. 50 push eax ; |Buffer = 0130C340
0044BCD0 |. 6A 00 push 0x0 ; |pValueType = NULL
0044BCD2 |. 6A 00 push 0x0 ; |Reserved = NULL
0044BCD4 |. 68 8C8E4700 push dvdcopy.00478E8C ; |Name
0044BCD9 |. 52 push edx ; |hKey = 0x1D4
0044BCDA |. FFD6 call near esi ; \RegQueryValueExA
0044BCDC |. 6A FF push -0x1 ; where we return to
0044BCDE |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0044BCE2 |. FF15 84234700 call near dword ptr ds:[<&MFC71.#5403>] ; mfc71.#5403
Go to the start of the function. I should really analyse this block as well, but the software author was apparently too lazy: this block looks exactly the same as the first algorithm??? I just patched the function entry directly.
0044BC20 /$ 6A FF push -0x1 ; algorithm 1, used at startup
0044BC22 |. 68 3FFB4600 push dvdcopy.0046FB3F ; SE handler installation
0044BC27 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
to
0044BC20 33C0 xor eax,eax ; algorithm 1, used at startup
0044BC22 40 inc eax
0044BC23 C3 retn
0044BC24 90 nop
0044BC25 90 nop
0044BC26 90 nop
0044BC27 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
Save the modified file as 2.exe; testing shows the patch works (since I don't have a DVD, what I actually tested was another Joboshare program, Video Converter, whose algorithm is the same; after patching, its functions work completely normally. Of course, I would like someone with a DVD to test whether this patch is complete).
Two places patched in total: 0044F9D0 and 0044BC20
8. Making the patch: I used PYG's patching tool with the settings below; each was tested and works.
Test
9. Tracing the code: at either 0044FF29 or 0044C179 you can find the real code, in ecx and edx.
A memory keygen can be set up like this (limitations of this memory keygen: you must do a fake registration once before using the memory keygen, and the fake registration code must be 39 characters long for the real code to be produced):
Break: 0044FF29 or 0044C179, first byte 8D, length 4, break once, memory mode, register ecx. As shown:
10. Algorithm: the code of the algorithm call was pasted above (the block starting at 0044F9D0) and is fairly fully commented; let me describe it in words as well:
The SN appears to be unrelated to the username.
The SN is 39 characters long (if it is not 39 characters, it does not even compute the real code).
The last 19 characters of the SN are formed from the first 20 characters and the string "Jobosharedvdcopydvdcss2008.07.28" via a certain transformation, then taking the MD5, and finally concatenating the odd-position characters of the MD5 value and inserting a '-' after every 4 characters.
For example, the registration code I entered was "888888888888888888888888888888888888888"
The software's string is "Jobosharedvdcopydvdcss2008.07.28"
Process the string "Jobosharedvdcopydvdcss2008.07.28", 32 characters in total.
Take its (3*i+1)-th characters (i=0,1,2,3,..., up to the string length); 11 characters are taken out in total.
"Jobosharedvdcopydvdcss2008.07.28" =
4A 6F 62 6F 73 68 61 72 65 64 76 64 63 6F 70 79 64 76 64 63 73 73 32 30 30 38 2E 30 37 2E 32 38
The (3*i+1)-th characters (i=0,1,2,3,..., up to the string length) are:
4A 6F 61 64 63 79 64 73 30 30 32
The rest is:
6F 62 73 68 72 65 76 64 6F 70 64 76 63 73 32 30 38 2E 37 2E 38
Concatenated, that gives:
4A 6F 61 64 63 79 64 73 30 30 32 6F 62 73 68 72
65 76 64 6F 70 64 76 63 73 32 30 38 2E 37 2E 38
Then after each character insert a number, namely that character's position index in the original string; the result is as follows (hex):
4A 01 6F 04 61 07 76 0A 65 0D 6F 10 65 13 65 16 30 19 2E 1C 2E 1F 6F 02 62 03 73 05 68 06 72 08
65 09 69 0B 64 0C 6F 0E 63 0F 6E 11 76 12 72 14 74 15 72 17 32 18 30 1A 38 1B 30 1D 37 1E 32 20
38 21
Then, for this byte string, insert 0x31 at the front and two 0x30 at the end (these are also computed), giving:
31 4A 01 6F 04 61 07 76 0A 65 0D 6F 10 65 13 65 16 30 19 2E 1C 2E 1F 6F 02 62 03 73 05 68 06 72
08 65 09 69 0B 64 0C 6F 0E 63 0F 6E 11 76 12 72 14 74 15 72 17 32 18 30 1A 38 1B 30 1D 37 1E 32
20 38 21 30 30
Then append the first 20 characters of the SN = "88888888888888888888" and the software string "Jobosharedvdcopydvdcss2008.07.28", giving (hex):
31 4A 01 6F 04 61 07 76 0A 65 0D 6F 10 65 13 65 16 30 19 2E 1C 2E 1F 6F 02 62 03 73 05 68 06 72
08 65 09 69 0B 64 0C 6F 0E 63 0F 6E 11 76 12 72 14 74 15 72 17 32 18 30 1A 38 1B 30 1D 37 1E 32
20 38 21 30 30 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 4A 6F 62 6F 73 68 61
72 65 76 69 64 65 6F 63 6F 6E 76 65 72 74 65 72 32 30 30 38 2E 30 37 2E 32 38
The rest is simple: take the MD5 of this byte string, which is
5d5a90af00b3947773425ec2e7d90e8f
Finally, concatenate the odd-position characters of the MD5 value and insert a '-' after every 4 characters; that is the last 19 characters of the SN. Oh, and convert it to uppercase.
SN= "88888888888888888888559A-0B97-745C-ED08"
11. Keygen: originally written in VB6, then redone with PYG's algorithm keygen generator; it can compute registration codes for several Joboshare programs. I only added the calculation for the few I tested myself; the rest I did not write.
Test as follows:
12. Download: only the keygen and its source are provided. The PYG keygen was written while following the tutorial and searching Baidu, so it is not well written; please bear with it.
PYG算法注册机生成器.rar
(857.24 KB, downloads: 82, price: 1 Piaoyun coin)
--------------------------------------------------------------------------------
2015年12月01日 22:25:20