Last edited by 东海浪子 on 2016-6-12 20:07
Because my schedule is irregular, I unfortunately could not join the 13th training round and have had to study on my own on the forum, following along with the exercises when I have spare time. Since I cannot hand in homework in the trainee area, I am practising here instead. I originally meant to patch (爆破) the program's check, but that felt tedious, so for the first time I had the patience to stick with analysing the algorithm. Please forgive the shortcomings of this write-up.
【Title】GiliSoft Video Editor 7.4.0 algorithm analysis
【Author】东海浪子
【Author's e-mail】
【Author's homepage】
【Tools】OD
【Platform】Virtual machine, WinXP SP3
【Software name】Gilisoft Video Editor 7.4.0 video editing software
【Software size】
【Original download】http://gilisoft.com/product-video-cutter-joiner.htm
【Patch tool】
【Intended readers】Beginners interested in cracking; experts, please pass by
【Statement】This article is for research only, for cracking enthusiasts to study and discuss. If you like the software, please buy a genuine copy.
------------------------------------------------------------------------
【Cracking process】1. Packer check: Borland Delphi v6.0 - v7.0
2. Using a button-event script, the F12 pause-and-inspect-the-stack method, or a string search, the registration call is easy to locate; we arrive at the following section:
004AC8CC /$ 55 push ebp
004AC8CD |. 8BEC mov ebp,esp
004AC8CF |. B9 11000000 mov ecx,0x11
004AC8D4 |> 6A 00 /push 0x0
004AC8D6 |. 6A 00 |push 0x0
004AC8D8 |. 49 |dec ecx
004AC8D9 |.^ 75 F9 \jnz short videoedi.004AC8D4
004AC8DB |. 51 push ecx
004AC8DC |. 53 push ebx
004AC8DD |. 56 push esi
004AC8DE |. 8BD8 mov ebx,eax ; msls31.74645000
004AC8E0 |. 8B35 B8974B00 mov esi,dword ptr ds:[0x4B97B8] ; videoedi.004BD70C
004AC8E6 |. 33C0 xor eax,eax ; msls31.74645000
004AC8E8 |. 55 push ebp
004AC8E9 |. 68 56CF4A00 push videoedi.004ACF56
004AC8EE |. 64:FF30 push dword ptr fs:[eax]
004AC8F1 |. 64:8920 mov dword ptr fs:[eax],esp
004AC8F4 |. 8D55 E8 lea edx,[local.6]
004AC8F7 |. 8B83 74030000 mov eax,dword ptr ds:[ebx+0x374]
004AC8FD |. E8 B2D1F9FF call videoedi.00449AB4
004AC902 |. 8B45 E8 mov eax,[local.6] ; the entered e-mail
004AC905 |. 8D55 F8 lea edx,[local.2]
004AC908 |. E8 53C8F5FF call videoedi.00409160
004AC90D |. 837D F8 00 cmp [local.2],0x0
004AC911 |. 75 50 jnz short videoedi.004AC963
004AC913 |. 6A 40 push 0x40
004AC915 |. 8D55 E4 lea edx,[local.7]
004AC918 |. A1 38964B00 mov eax,dword ptr ds:[0x4B9638] ; 凑K
004AC91D |. 8B00 mov eax,dword ptr ds:[eax]
004AC91F |. E8 409BFBFF call videoedi.00466464
004AC924 |. 8B45 E4 mov eax,[local.7] ; ntdll.7C93621B
004AC927 |. E8 4485F5FF call videoedi.00404E70
004AC92C |. 50 push eax ; msls31.74645000
004AC92D |. 8D45 E0 lea eax,[local.8]
004AC930 |. 50 push eax ; msls31.74645000
004AC931 |. A1 C0934B00 mov eax,dword ptr ds:[0x4B93C0]
004AC936 |. 8B00 mov eax,dword ptr ds:[eax]
004AC938 |. B9 6CCF4A00 mov ecx,videoedi.004ACF6C ; strNoName
004AC93D |. 8B93 C4030000 mov edx,dword ptr ds:[ebx+0x3C4]
004AC943 |. E8 AC89FFFF call videoedi.004A52F4
004AC948 |. 8B45 E0 mov eax,[local.8] ; ntdll.7C935F8C
004AC94B |. E8 2085F5FF call videoedi.00404E70
004AC950 |. 50 push eax ; msls31.74645000
004AC951 |. 8BC3 mov eax,ebx
004AC953 |. E8 944CFAFF call videoedi.004515EC
004AC958 |. 50 push eax ; |hOwner = 74645000
004AC959 |. E8 62ACF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004AC95E |. E9 9E050000 jmp videoedi.004ACF01
004AC963 |> 833E 04 cmp dword ptr ds:[esi],0x4
004AC966 |. 74 5C je short videoedi.004AC9C4
004AC968 |> 8B45 F8 mov eax,[local.2] ; e-mail moved into eax
004AC96B |. E8 A083FFFF call videoedi.004A4D10
004AC970 |. 85C0 test eax,eax ; msls31.74645000
004AC972 |. 75 50 jnz short videoedi.004AC9C4
004AC974 |. 6A 40 push 0x40
004AC976 |. 8D55 DC lea edx,[local.9]
004AC979 |. A1 38964B00 mov eax,dword ptr ds:[0x4B9638] ; 凑K
004AC97E |. 8B00 mov eax,dword ptr ds:[eax]
004AC980 |. E8 DF9AFBFF call videoedi.00466464
004AC985 |. 8B45 DC mov eax,[local.9]
004AC988 |. E8 E384F5FF call videoedi.00404E70
004AC98D |. 50 push eax ; msls31.74645000
004AC98E |. 8D45 D8 lea eax,[local.10]
004AC991 |. 50 push eax ; msls31.74645000
004AC992 |. A1 C0934B00 mov eax,dword ptr ds:[0x4B93C0]
004AC997 |. 8B00 mov eax,dword ptr ds:[eax]
004AC999 |. B9 80CF4A00 mov ecx,videoedi.004ACF80 ; strErrorEmail
004AC99E |. 8B93 C4030000 mov edx,dword ptr ds:[ebx+0x3C4]
004AC9A4 |. E8 4B89FFFF call videoedi.004A52F4
004AC9A9 |. 8B45 D8 mov eax,[local.10] ; ntdll.7C935F90
004AC9AC |. E8 BF84F5FF call videoedi.00404E70
004AC9B1 |. 50 push eax ; msls31.74645000
004AC9B2 |. 8BC3 mov eax,ebx
004AC9B4 |. E8 334CFAFF call videoedi.004515EC
004AC9B9 |. 50 push eax ; |hOwner = 74645000
004AC9BA |. E8 01ACF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004AC9BF |. E9 3D050000 jmp videoedi.004ACF01
004AC9C4 |> 8D55 D4 lea edx,[local.11]
004AC9C7 |. 8B83 70030000 mov eax,dword ptr ds:[ebx+0x370]
004AC9CD |. E8 E2D0F9FF call videoedi.00449AB4
004AC9D2 |. 8B45 D4 mov eax,[local.11] ; the entered (fake) key
004AC9D5 |. 8D55 FC lea edx,[local.1]
004AC9D8 |. E8 83C7F5FF call videoedi.00409160
004AC9DD |. 837D FC 00 cmp [local.1],0x0 ; fake key is not empty
004AC9E1 |. 75 50 jnz short videoedi.004ACA33
004AC9E3 |. 6A 40 push 0x40
004AC9E5 |. 8D55 D0 lea edx,[local.12]
004AC9E8 |. A1 38964B00 mov eax,dword ptr ds:[0x4B9638] ; 凑K
004AC9ED |. 8B00 mov eax,dword ptr ds:[eax]
004AC9EF |. E8 709AFBFF call videoedi.00466464
004AC9F4 |. 8B45 D0 mov eax,[local.12]
004AC9F7 |. E8 7484F5FF call videoedi.00404E70
004AC9FC |. 50 push eax ; msls31.74645000
004AC9FD |. 8D45 CC lea eax,[local.13]
004ACA00 |. 50 push eax ; msls31.74645000
004ACA01 |. A1 C0934B00 mov eax,dword ptr ds:[0x4B93C0]
004ACA06 |. 8B00 mov eax,dword ptr ds:[eax]
004ACA08 |. B9 98CF4A00 mov ecx,videoedi.004ACF98 ; strNoKey
004ACA0D |. 8B93 C4030000 mov edx,dword ptr ds:[ebx+0x3C4]
004ACA13 |. E8 DC88FFFF call videoedi.004A52F4
004ACA18 |. 8B45 CC mov eax,[local.13]
004ACA1B |. E8 5084F5FF call videoedi.00404E70
004ACA20 |. 50 push eax ; msls31.74645000
004ACA21 |. 8BC3 mov eax,ebx
004ACA23 |. E8 C44BFAFF call videoedi.004515EC
004ACA28 |. 50 push eax ; |hOwner = 74645000
004ACA29 |. E8 92ABF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004ACA2E |. E9 CE040000 jmp videoedi.004ACF01
004ACA33 |> 833E 04 cmp dword ptr ds:[esi],0x4
004ACA36 |. 75 0D jnz short videoedi.004ACA45
004ACA38 |. 8D45 FC lea eax,[local.1]
004ACA3B |. BA ACCF4A00 mov edx,videoedi.004ACFAC ; -11111
004ACA40 |. E8 3382F5FF call videoedi.00404C78
004ACA45 |> 8B45 FC mov eax,[local.1] ; 假码移到eax
004ACA48 |. 85C0 test eax,eax ; msls31.74645000
004ACA4A |. 74 05 je short videoedi.004ACA51
004ACA4C |. 83E8 04 sub eax,0x4
004ACA4F |. 8B00 mov eax,dword ptr ds:[eax]
004ACA51 |> 83F8 23 cmp eax,0x23 ; key length compared with hex 23 (35)
004ACA54 74 50 je short videoedi.004ACAA6
004ACA56 6A 40 push 0x40
004ACA58 8D55 C8 lea edx,dword ptr ss:[ebp-0x38]
004ACA5B |. A1 38964B00 mov eax,dword ptr ds:[0x4B9638] ; 凑K
004ACA60 |. 8B00 mov eax,dword ptr ds:[eax]
004ACA62 |. E8 FD99FBFF call videoedi.00466464
004ACA67 |. 8B45 C8 mov eax,[local.14]
004ACA6A |. E8 0184F5FF call videoedi.00404E70
004ACA6F |. 50 push eax ; msls31.74645000
004ACA70 |. 8D45 C4 lea eax,[local.15]
004ACA73 |. 50 push eax ; msls31.74645000
004ACA74 |. A1 C0934B00 mov eax,dword ptr ds:[0x4B93C0]
004ACA79 |. 8B00 mov eax,dword ptr ds:[eax]
004ACA7B |. B9 BCCF4A00 mov ecx,videoedi.004ACFBC ; strErrorKeyLength
004ACA80 |. 8B93 C4030000 mov edx,dword ptr ds:[ebx+0x3C4]
004ACA86 |. E8 6988FFFF call videoedi.004A52F4
004ACA8B |. 8B45 C4 mov eax,[local.15]
004ACA8E |. E8 DD83F5FF call videoedi.00404E70
004ACA93 |. 50 push eax ; msls31.74645000
004ACA94 |. 8BC3 mov eax,ebx
004ACA96 |. E8 514BFAFF call videoedi.004515EC
004ACA9B |. 50 push eax ; |hOwner = 74645000
004ACA9C |. E8 1FABF5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004ACAA1 |. E9 5B040000 jmp videoedi.004ACF01
004ACAA6 |> 8D45 F0 lea eax,[local.4]
004ACAA9 |. 50 push eax ; msls31.74645000
004ACAAA |. B9 05000000 mov ecx,0x5
004ACAAF |. BA 0D000000 mov edx,0xD
004ACAB4 |. 8B45 FC mov eax,[local.1]
004ACAB7 |. E8 1484F5FF call videoedi.00404ED0
004ACABC |. 33D2 xor edx,edx
004ACABE |. 8B45 F0 mov eax,[local.4] ; ntdll.7C93663D
004ACAC1 |. E8 7EC9F5FF call videoedi.00409444
004ACAC6 |. 3B83 C8030000 cmp eax,dword ptr ds:[ebx+0x3C8] ; 3rd key segment as hex compared with 555b
004ACACC 0F84 A5000000 je videoedi.004ACB77 ; equal: jump to success
004ACAD2 |. 8D45 C0 lea eax,[local.16]
004ACAD5 |. 50 push eax ; msls31.74645000
004ACAD6 |. A1 C0934B00 mov eax,dword ptr ds:[0x4B93C0]
004ACADB |. 8B00 mov eax,dword ptr ds:[eax]
004ACADD |. B9 D8CF4A00 mov ecx,videoedi.004ACFD8 ; strRegFailed
004ACAE2 |. 8B93 C4030000 mov edx,dword ptr ds:[ebx+0x3C4]
004ACAE8 |. E8 0788FFFF call videoedi.004A52F4
004ACAED |. FF75 C0 push [local.16]
.................... part of the code omitted ............................
004ACD8A |. E8 31A8F5FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004ACD8F |. E9 6D010000 jmp videoedi.004ACF01
004ACD94 |> 8B45 FC mov eax,[local.1]
004ACD97 |. E8 D480F5FF call videoedi.00404E70
004ACD9C |. 50 push eax ; msls31.74645000
004ACD9D |. 8B06 mov eax,dword ptr ds:[esi]
004ACD9F |. 50 push eax ; msls31.74645000
004ACDA0 |. E8 37C2FFFF call <jmp.&MagicSkin.MS_Regx> ; algorithm call
004ACDA5 85C0 test eax,eax ; msls31.74645000
004ACDA7 0F84 C4000000 je videoedi.004ACE71 ; jump to activation failed
004ACDAD |. 8D45 94 lea eax,[local.27]
004ACDB0 |. 50 push eax ; msls31.74645000
004ACDB1 |. A1 C0934B00 mov eax,dword ptr ds:[0x4B93C0]
004ACDB6 |. 8B00 mov eax,dword ptr ds:[eax]
004ACDB8 |. B9 D0D04A00 mov ecx,videoedi.004AD0D0 ; strRegSuccess  activation succeeded
004ACDBD |. 8B93 C4030000 mov edx,dword ptr ds:[ebx+0x3C4]
004ACDC3 |. E8 2C85FFFF call videoedi.004A52F4
004ACDC8 |. FF75 94 push [local.27] ; ntdll.7C93540B
004ACDCB |. 68 F0CF4A00 push videoedi.004ACFF0 ; \n
004ACDD0 |. 8D45 90 lea eax,[local.28]
004ACDD3 |. 50 push eax ; msls31.74645000
004ACDD4 |. 8D45 8C lea eax,[local.29]
004ACDD7 |. 50 push eax ; msls31.74645000
From this section we learn that the registration key is 35 characters long and split into 6 segments, in the format XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX, and that the third segment is 21851. At 004ACDA0 we enter the algorithm call and arrive at the following section:
10003A99 > 55 push ebp
10003A9A 8BEC mov ebp,esp
10003A9C 83EC 44 sub esp,0x44
10003A9F E8 C90C0000 call magicski.1000476D
10003AA4 50 push eax ; msls31.74645000
10003AA5 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
10003AA8 E8 D70B0000 call <jmp.&MFC42.#??0AFX_MAINTAIN_STATE2>
10003AAD 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
10003AB0 50 push eax ; msls31.74645000
10003AB1 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003AB4 E8 D70B0000 call <jmp.&MFC42.#??0CString@@QAE@PBD@Z_>
10003AB9 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003ABC E8 2F070000 call magicski.100041F0
10003AC1 83F8 23 cmp eax,0x23
10003AC4 7D 1F jge short magicski.10003AE5
10003AC6 C745 D8 0000000>mov dword ptr ss:[ebp-0x28],0x0
10003ACD 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003AD0 E8 A90B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003AD5 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
10003AD8 E8 63080000 call magicski.10004340
10003ADD 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; ntdll.7C935F90
10003AE0 E9 42010000 jmp magicski.10003C27
10003AE5 6A 05 push 0x5
10003AE7 6A 00 push 0x0
10003AE9 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
10003AEC 51 push ecx
10003AED 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003AF0 E8 950B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003AF5 8BC8 mov ecx,eax ; msls31.74645000
10003AF7 E8 34070000 call magicski.10004230
10003AFC 50 push eax ; msls31.74645000
10003AFD FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 1: 1st key segment converted to hex
10003B03 83C4 04 add esp,0x4
10003B06 8945 FC mov dword ptr ss:[ebp-0x4],eax ; msls31.74645000
10003B09 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
10003B0C E8 6D0B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B11 6A 05 push 0x5
10003B13 6A 06 push 0x6
10003B15 8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
10003B18 52 push edx
10003B19 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003B1C E8 690B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003B21 8BC8 mov ecx,eax ; msls31.74645000
10003B23 E8 08070000 call magicski.10004230
10003B28 50 push eax ; msls31.74645000
10003B29 FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 2: 2nd key segment converted to hex
10003B2F 83C4 04 add esp,0x4
10003B32 8945 F8 mov dword ptr ss:[ebp-0x8],eax ; msls31.74645000
10003B35 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
10003B38 E8 410B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B3D 6A 05 push 0x5
10003B3F 6A 0C push 0xC
10003B41 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
10003B44 50 push eax ; msls31.74645000
10003B45 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003B48 E8 3D0B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003B4D 8BC8 mov ecx,eax ; msls31.74645000
10003B4F E8 DC060000 call magicski.10004230
10003B54 50 push eax ; msls31.74645000
10003B55 > FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 3: 3rd key segment converted to hex
10003B5B 83C4 04 add esp,0x4
10003B5E 8945 E4 mov dword ptr ss:[ebp-0x1C],eax ; msls31.74645000
10003B61 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
10003B64 E8 150B0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B69 6A 05 push 0x5
10003B6B 6A 12 push 0x12
10003B6D 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
10003B70 51 push ecx
10003B71 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003B74 E8 110B0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003B79 8BC8 mov ecx,eax ; msls31.74645000
10003B7B E8 B0060000 call magicski.10004230
10003B80 50 push eax ; msls31.74645000
10003B81 FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 4: 4th key segment converted to hex
10003B87 83C4 04 add esp,0x4
10003B8A 8945 E0 mov dword ptr ss:[ebp-0x20],eax ; msls31.74645000
10003B8D 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
10003B90 E8 E90A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003B95 6A 05 push 0x5
10003B97 6A 18 push 0x18
10003B99 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
10003B9C 52 push edx
10003B9D 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003BA0 E8 E50A0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003BA5 8BC8 mov ecx,eax ; msls31.74645000
10003BA7 E8 84060000 call magicski.10004230
10003BAC 50 push eax ; msls31.74645000
10003BAD FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 5: 5th key segment converted to hex
10003BB3 83C4 04 add esp,0x4
10003BB6 8945 E8 mov dword ptr ss:[ebp-0x18],eax ; msls31.74645000
10003BB9 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
10003BBC E8 BD0A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003BC1 6A 05 push 0x5
10003BC3 6A 1E push 0x1E
10003BC5 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
10003BC8 50 push eax ; msls31.74645000
10003BC9 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003BCC E8 B90A0000 call <jmp.&MFC42.#?Mid@CString@@QBE?AV1@>
10003BD1 8BC8 mov ecx,eax ; msls31.74645000
10003BD3 E8 58060000 call magicski.10004230
10003BD8 50 push eax ; msls31.74645000
10003BD9 FF15 48510010 call dword ptr ds:[<&MSVCRT.atoi>] ; algorithm 6: 6th key segment converted to hex
10003BDF 83C4 04 add esp,0x4
10003BE2 8945 DC mov dword ptr ss:[ebp-0x24],eax ; msls31.74645000
10003BE5 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
10003BE8 E8 910A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003BED 8B4D DC mov ecx,dword ptr ss:[ebp-0x24]
10003BF0 51 push ecx
10003BF1 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
10003BF4 52 push edx
10003BF5 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; ntdll.7C935F8C
10003BF8 50 push eax ; msls31.74645000
10003BF9 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C] ; ntdll.7C93621B
10003BFC 51 push ecx
10003BFD 8B55 F8 mov edx,dword ptr ss:[ebp-0x8] ; ntdll.7C93639B
10003C00 52 push edx
10003C01 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
10003C04 50 push eax ; msls31.74645000
10003C05 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
10003C08 51 push ecx
10003C09 E8 D7FDFFFF call magicski.100039E5 ; algorithm call
10003C0E 83C4 1C add esp,0x1C
10003C11 8945 BC mov dword ptr ss:[ebp-0x44],eax ; msls31.74645000
10003C14 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
10003C17 E8 620A0000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
10003C1C 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
10003C1F E8 1C070000 call magicski.10004340
10003C24 8B45 BC mov eax,dword ptr ss:[ebp-0x44] ; ntdll.7C9357A1
10003C27 8BE5 mov esp,ebp
10003C29 5D pop ebp
10003C2A C2 0800 retn 0x8
In this section, six algorithm calls convert each key segment into a hex number. Then, at 10003C0E, we enter the next-level algorithm call and arrive at the following section:
100039E5 55 push ebp
100039E6 8BEC mov ebp,esp
100039E8 6A FF push -0x1
100039EA 68 204D0010 push magicski.10004D20
100039EF 64:A1 00000000 mov eax,dword ptr fs:[0]
100039F5 50 push eax ; msls31.74645000
100039F6 64:8925 0000000>mov dword ptr fs:[0],esp
100039FD 83EC 10 sub esp,0x10
10003A00 E8 680D0000 call magicski.1000476D
10003A05 50 push eax ; msls31.74645000
10003A06 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
10003A09 E8 760C0000 call <jmp.&MFC42.#??0AFX_MAINTAIN_STATE2>
10003A0E C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
10003A15 8B45 20 mov eax,dword ptr ss:[ebp+0x20]
10003A18 50 push eax ; msls31.74645000
10003A19 8B4D 1C mov ecx,dword ptr ss:[ebp+0x1C] ; ntdll.7C9355CD
10003A1C 51 push ecx
10003A1D 8B55 18 mov edx,dword ptr ss:[ebp+0x18]
10003A20 52 push edx
10003A21 8B45 14 mov eax,dword ptr ss:[ebp+0x14]
10003A24 50 push eax ; msls31.74645000
10003A25 8B4D 10 mov ecx,dword ptr ss:[ebp+0x10]
10003A28 51 push ecx
10003A29 8B55 0C mov edx,dword ptr ss:[ebp+0xC]
10003A2C 52 push edx
10003A2D 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
10003A30 50 push eax ; msls31.74645000
10003A31 68 02000080 push 0x80000002
10003A36 E8 62F3FFFF call magicski.10002D9D
10003A3B 83C4 20 add esp,0x20
10003A3E 8945 F0 mov dword ptr ss:[ebp-0x10],eax ; msls31.74645000
10003A41 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0
10003A45 75 2C jnz short magicski.10003A73
10003A47 8B4D 20 mov ecx,dword ptr ss:[ebp+0x20]
10003A4A 51 push ecx
10003A4B 8B55 1C mov edx,dword ptr ss:[ebp+0x1C] ; ntdll.7C9355CD
10003A4E 52 push edx
10003A4F 8B45 18 mov eax,dword ptr ss:[ebp+0x18]
10003A52 50 push eax ; msls31.74645000
10003A53 8B4D 14 mov ecx,dword ptr ss:[ebp+0x14]
10003A56 51 push ecx
10003A57 8B55 10 mov edx,dword ptr ss:[ebp+0x10]
10003A5A 52 push edx
10003A5B 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
10003A5E 50 push eax ; msls31.74645000
10003A5F 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
10003A62 51 push ecx
10003A63 68 01000080 push 0x80000001
10003A68 E8 30F3FFFF call magicski.10002D9D ; algorithm CALL
10003A6D 83C4 20 add esp,0x20
10003A70 8945 F0 mov dword ptr ss:[ebp-0x10],eax ; msls31.74645000
10003A73 8B55 F0 mov edx,dword ptr ss:[ebp-0x10] ; ntdll.7C93663D
10003A76 8955 E4 mov dword ptr ss:[ebp-0x1C],edx
10003A79 C745 FC FFFFFFF>mov dword ptr ss:[ebp-0x4],-0x1
10003A80 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
10003A83 E8 B8080000 call magicski.10004340
10003A88 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; ntdll.7C93621B
10003A8B 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC] ; ntdll.7C99B178
10003A8E 64:890D 0000000>mov dword ptr fs:[0],ecx
10003A95 8BE5 mov esp,ebp
10003A97 5D pop ebp
10003A98 C3 retn
In this section, each hex key segment is placed at its own address, and at 10003A68 we enter the next-level algorithm call, arriving at the following section:
10002D9D 55 push ebp
10002D9E 8BEC mov ebp,esp
10002DA0 6A FF push -0x1
10002DA2 68 0D4D0010 push magicski.10004D0D
10002DA7 64:A1 00000000 mov eax,dword ptr fs:[0]
10002DAD 50 push eax ; msls31.74645000
10002DAE 64:8925 0000000>mov dword ptr fs:[0],esp
10002DB5 81EC C4000000 sub esp,0xC4
10002DBB E8 AD190000 call magicski.1000476D
10002DC0 50 push eax ; msls31.74645000
10002DC1 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
10002DC4 E8 BB180000 call <jmp.&MFC42.#??0AFX_MAINTAIN_STATE2>
10002DC9 C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
10002DD0 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
10002DD3 50 push eax ; msls31.74645000
10002DD4 E8 D3120000 call magicski.100040AC
10002DD9 83C4 04 add esp,0x4
10002DDC 8945 D4 mov dword ptr ss:[ebp-0x2C],eax ; msls31.74645000
10002DDF C745 E8 0000000>mov dword ptr ss:[ebp-0x18],0x0
10002DE6 8B45 14 mov eax,dword ptr ss:[ebp+0x14] ; 2nd key segment into eax
10002DE9 0345 D4 add eax,dword ptr ss:[ebp-0x2C] ; ntdll.7C92E900 2nd key segment + constant c3bc
10002DEC 33D2 xor edx,edx ; clear edx
10002DEE B9 9F860100 mov ecx,0x1869F ; 1869f into ecx
10002DF3 F7F1 div ecx ; divide by ecx
10002DF5 3955 1C cmp dword ptr ss:[ebp+0x1C],edx ; remainder = 4th key segment
10002DF8 75 18 jnz short magicski.10002E12
10002DFA 8B45 10 mov eax,dword ptr ss:[ebp+0x10] ; 1st key segment into eax
10002DFD 0345 D4 add eax,dword ptr ss:[ebp-0x2C] ; ntdll.7C92E900 1st key segment + constant c3bc
10002E00 33D2 xor edx,edx ; clear edx
10002E02 B9 9F860100 mov ecx,0x1869F ; 1869f into ecx
10002E07 F7F1 div ecx ; divide by ecx
10002E09 3955 20 cmp dword ptr ss:[ebp+0x20],edx ; remainder = 5th key segment
10002E0C 0F84 DB080000 je magicski.100036ED
10002E12 837D 0C 00 cmp dword ptr ss:[ebp+0xC],0x0
10002E16 0F85 D5000000 jnz magicski.10002EF1
10002E1C 817D 18 4555000>cmp dword ptr ss:[ebp+0x18],0x5545
10002E23 0F85 C8000000 jnz magicski.10002EF1
10002E29 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
10002E2C E8 6B180000 call <jmp.&MFC42.#??0CString@@QAE@XZ_540>
【Cracking summary】
From this analysis we know that the key algorithm is very simple: the remainder of (1st segment + constant c3bc) / 1869F = 5th segment; the remainder of (2nd segment + constant c3bc) / 1869F = 4th segment; the 3rd segment is 555b (21851); the 6th segment takes no part in the computation, and neither does the e-mail address. A key can be worked out with a pocket calculator: X--Y--21851--(Y+50108)--(X+50108)-Z, or X--Y--21851--(Y+50108-99999)--(X+50108-99999)-Z, where X, Y and Z are arbitrary 5-digit numbers and X may equal Y. A usable key: 11111-22222-21851-72330-61219-55555. This newbie knows nothing about programming, so I cobbled together an 易语言 keygen source:
' Segments 1, 2 and 6 are free: build each as five random decimal digits
.计次循环首 (5, n)
注册码1 = 注册码1 + 到文本 (取随机数 (0, 9))
.计次循环尾 ()
.计次循环首 (5, n)
注册码2 = 注册码2 + 到文本 (取随机数 (0, 9))
.计次循环尾 ()
.计次循环首 (5, n)
注册码6 = 注册码6 + 到文本 (取随机数 (0, 9))
.计次循环尾 ()
' Segments 4 and 5 follow from segments 2 and 1 with the recovered constants (c3bc = 50108, 1869F = 99999)
注册码4 = 到文本 ((到整数 (注册码2) + 50108) % 99999)
注册码5 = 到文本 ((到整数 (注册码1) + 50108) % 99999)
' Segment 3 is the fixed value found in the analysis (555b = 21851)
注册码3 = “21851”
结果 = 注册码1 + “-” + 注册码2 + “-” + 注册码3 + “-” + 注册码4 + “-” + 注册码5 + “-” + 注册码6
编辑框1.内容 = 到文本 (结果)
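As an added example (my own code, not the post's or the vendor's), here is the validation logic recovered above written out as a Python checker, so the rules can be tested against the post's sample key; the function name, field names and the sample keys other than the post's own are my assumptions. It also shows why the scheme is weak from the vendor's side: every rule is public arithmetic with no secret, so reading the check is enough to satisfy it.

```python
import re

# Constants recovered in the analysis above (values as the post states them)
ADD_CONST = 0xC3BC      # 50108, added to segments 1 and 2
MODULUS = 0x1869F       # 99999, divisor whose remainder is compared
SEGMENT3 = 0x555B       # 21851, fixed value of the third segment
KEY_RE = re.compile(r"^\d{5}(-\d{5}){5}$")  # XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX


def check_key(key):
    """Re-implementation of the check as the post describes it.

    Returns (accepted, reason). The e-mail address and the sixth segment
    never enter the computation, so a key is fully determined by two freely
    chosen 5-digit numbers; nothing here would need a vendor secret.
    """
    if len(key) != 0x23:                        # 004ACA51: length must be 35
        return False, "wrong length"
    if not KEY_RE.match(key):
        return False, "bad format"
    s = [int(p) for p in key.split("-")]        # atoi on each 5-char slice
    if s[2] != SEGMENT3:                        # third segment is fixed
        return False, "segment 3 mismatch"
    if (s[1] + ADD_CONST) % MODULUS != s[3]:    # 10002DE6..10002DF5
        return False, "segment 4 mismatch"
    if (s[0] + ADD_CONST) % MODULUS != s[4]:    # 10002DFA..10002E09
        return False, "segment 5 mismatch"
    return True, "ok"


# Constructed sample keys: the post's working key plus variants I made up
SAMPLES = {
    "11111-22222-21851-72330-61219-55555": True,   # the post's example
    "11111-22222-21850-72330-61219-55555": False,  # wrong third segment
    "11111-22222-21851-72331-61219-55555": False,  # 4th segment off by one
    "99999-99999-21851-50108-50108-00000": True,   # wrap-around through % 99999
}

if __name__ == "__main__":
    for k, expected in SAMPLES.items():
        ok, why = check_key(k)
        print(f"{k}: {why} (expected {'accept' if expected else 'reject'})")
```

A check that actually resists this kind of analysis would verify a signature over the licensee data with a public key embedded in the program, since then reading the verifier does not reveal how to produce an accepted key.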