ACS Capture 专业屏捕软件(md5) 2.11注册算法分析
【破文标题】 ACS Capture 专业屏捕软件 2.11 破解分析
【破文作者】 kyc[czg][Dfcg]
【使用工具】 Peid,Ollydbg
【破解平台】 WinXP
【下载地址】 http://www4.skycn.com/soft/17565.html
【软件简介】 ACS Capture 是一个功能强大的、专业的屏幕捕捉和屏幕录制软件。ACS Capture 提供多种屏幕捕捉模式
(包括全屏幕、矩形区域、圆形区域、椭圆形区域、任意多边形区域、菜单对象、按钮对象等),你可以轻松的捕捉屏幕
上的任意形状或区域的图像,并能够将捕捉获得的图像保存为 BMP、JPG、TIFF、PNG多种不同格式。ACS Capture 可
以使您轻松、高效的完成屏幕快照以及区域图像捕捉,还可以为您节约大量的时间,提高您的工作效率。
【保护方式】 NAG,CRC32*2+MD5+尾部加密数据保护。
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:
--------------------------------------------------------------------------------
【破解内容】:我记得去年加入DFCG时曾为这个软件写过内存注册机,不过当时没有搞懂它的注册算法,今天有空
分析了一下其注册算法。
; Excerpt from the caller (OllyDbg listing; it starts and ends mid-function).
; Two dwords read from the object at esi are passed to capture.004102B0,
; and the result returned in eax is tested.
0042C703 . 6A 01 push 1
0042C705 . E8 BC280900 call <jmp.&MFC42.#6334_CWnd::UpdateData>//load the program in OllyDbg and set a breakpoint here
0042C70A . 8B46 60 mov eax,dword ptr ds:[esi+60] ; becomes arg2 ([ebp+C]) of 004102B0 - later compared as s2, presumably the entered code
0042C70D . 8B4E 64 mov ecx,dword ptr ds:[esi+64] ; becomes arg1 ([ebp+8]) of 004102B0 - annotated below as the user name
0042C710 . 50 push eax
0042C711 . 51 push ecx
0042C712 . E8 993BFEFF call capture.004102B0 //step into with F7
0042C717 . 59 pop ecx
0042C718 . 85C0 test eax,eax ; the return value of 004102B0 is checked here; the branch itself is not shown
0042C71A . 59 pop ecx
////////call capture.004102B0///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
; capture.004102B0, first part: sets up its frame and two CString locals,
; then takes strlen of arg1 ([ebp+8]) and passes pointer and length to
; capture.00427833, which the author identifies as MD5(user name).
004102B0 /$ B8 D85C5700 mov eax,capture.00575CD8
004102B5 |. E8 66F30A00 call capture.004BF620 ; presumably the compiler's frame/SEH setup helper (ebp-relative locals are used right after) - confirm
004102BA |. 81EC 24010000 sub esp,124
004102C0 |. 53 push ebx
004102C1 |. 56 push esi
004102C2 |. 57 push edi
004102C3 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; this = CString local at [ebp-10]
004102C6 |. E8 91ED0A00 call <jmp.&MFC42.#540_CString::CString>
004102CB |. FF75 0C push dword ptr ss:[ebp+C] ; arg2 is the constructor argument
004102CE |. 33DB xor ebx,ebx ; ebx = 0, reused below as NULL / zero
004102D0 |. 8D4D E8 lea ecx,dword ptr ss:[ebp-18] ; this = CString local at [ebp-18]
004102D3 |. 895D FC mov dword ptr ss:[ebp-4],ebx ; [ebp-4] = 0 (updated after each construct/destruct; looks like an EH state index - confirm)
004102D6 |. E8 C3ED0A00 call <jmp.&MFC42.#537_CString::CString>
004102DB |. FF75 08 push dword ptr ss:[ebp+8] ; /s
004102DE |. C645 FC 01 mov byte ptr ss:[ebp-4],1 ; |
004102E2 |. E8 5FF40A00 call <jmp.&MSVCRT.strlen> ; \strlen
004102E7 |. 50 push eax ; length of the user name
004102E8 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; [ebp-14] receives the result object
004102EB |. FF75 08 push dword ptr ss:[ebp+8]
004102EE |. 50 push eax
004102EF |. E8 3F750100 call capture.00427833 ; MD5(user name)
/////////////////////////call capture.00427833 //////////////////////////////////////////////////////
; capture.00427833(out, data, len): the author labels this MD5(user name).
; It initialises a context at [ebp-6C], feeds it [ebp+C]/[ebp+10], then calls a
; third routine with the output argument [ebp+8] and returns [ebp+8] in eax.
; The listing stops at 'leave'; the final ret is not shown.
00427833 /$ B8 E8755700 mov eax,capture.005775E8
00427838 |. E8 E37D0900 call capture.004BF620 ; same helper as at 004102B5; presumably frame/SEH setup - confirm
0042783D |. 83EC 60 sub esp,60
00427840 |. 8365 F0 00 and dword ptr ss:[ebp-10],0
00427844 |. 8D4D 94 lea ecx,dword ptr ss:[ebp-6C] ; this = context at [ebp-6C]
00427847 |. E8 81090000 call capture.004281CD ; void MDInit( DWORD *pMD )
0042784C |. FF75 10 push dword ptr ss:[ebp+10] ; /Arg2
0042784F |. 8365 FC 00 and dword ptr ss:[ebp-4],0 ; |
00427853 |. 8D4D 94 lea ecx,dword ptr ss:[ebp-6C] ; |
00427856 |. FF75 0C push dword ptr ss:[ebp+C] ; |Arg1
00427859 |. E8 130B0000 call capture.00428371 ; \capture.00428371
; NOTE(review): 00428371 receives (data, len) on the same context, so it is presumably the MD5 update step - confirm
0042785E |. FF75 08 push dword ptr ss:[ebp+8]
00427861 |. 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00427864 |. E8 EC090000 call capture.00428255 ; presumably the finalise step writing into the object at [ebp+8] - confirm
00427869 |. 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
0042786C |. 8B45 08 mov eax,dword ptr ss:[ebp+8] ; return value = the output argument
0042786F |. 64:890D 00000000 mov dword ptr fs:[0],ecx ; restore the previous SEH chain head saved at [ebp-C]
00427876 |. C9 leave
这里的MD5没有变形,所以不用继续跟进了。
////////////////////////////////////////////////////////////////////////////////////////////////////////
; capture.004102B0, continued after the MD5 call.
; Steps visible in this excerpt:
;   1. keep the MD5 string in the CString at [ebp-10]; esi = its character pointer
;   2. initialise three dwords at [ebp-28]/[ebp-24]/[ebp-20] (0x401, 0x8D4, 0xA83)
;   3. open the program's own executable, seek to one byte before the end and fread into [ebp-20]
;   4. mix every character of the MD5 string into the three dwords
;   5. pass those 0xC bytes to capture.00410467, which writes a text code into a 0x18-byte heap buffer
;   6. compare that generated text with arg2 ([ebp+C]) using _mbsicmp
; The whole check runs locally: the expected code is built in memory and then
; compared with the input.
004102F4 |. 83C4 10 add esp,10 ; drop the four dwords pushed for strlen and 00427833
004102F7 |. 50 push eax ; object returned by 00427833
004102F8 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
004102FB |. C645 FC 02 mov byte ptr ss:[ebp-4],2
004102FF |. E8 88ED0A00 call <jmp.&MFC42.#858_CString::operator>
00410304 |. 8D4D EC lea ecx,dword ptr ss:[ebp-14]
00410307 |. C645 FC 01 mov byte ptr ss:[ebp-4],1
0041030B |. E8 3AED0A00 call <jmp.&MFC42.#800_CString::~CString>
00410310 |. 8B75 F0 mov esi,dword ptr ss:[ebp-10] ; esi = first dword of the CString at [ebp-10]; used below as the MD5 string pointer
00410313 |. 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-130]
00410319 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
0041031E |. 50 push eax ; |PathBuffer
0041031F |. 53 push ebx ; |hModule => NULL
00410320 |. C745 D8 01040000 mov dword ptr ss:[ebp-28],401 ; |[ebp-28]=0x401
00410327 |. C745 DC D4080000 mov dword ptr ss:[ebp-24],8D4 ; |
0041032E |. C745 E0 830A0000 mov dword ptr ss:[ebp-20],0A83 ; |
00410335 |. FF15 6C325800 call dword ptr ds:[<&KERNEL32.GetModule>; \GetModuleFileNameA
0041033B |. 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-130]
00410341 |. 68 F4655D00 push capture.005D65F4 ; /mode = "rb"
00410346 |. 50 push eax ; |path
00410347 |. FF15 7C405800 call dword ptr ds:[<&MSVCRT.fopen>] ; \fopen
0041034D |. 8BF8 mov edi,eax ; edi = FILE* for the module's own file
0041034F |. 59 pop ecx
00410350 |. 3BFB cmp edi,ebx ; ebx is still 0: NULL check on the fopen result
00410352 |. 59 pop ecx
00410353 |. 0F84 E6000000 je capture.0041043F ; fopen failed; the target is outside this listing
00410359 |. 6A 02 push 2 ; /whence = SEEK_END
0041035B |. 6A FF push -1 ; |offset = FFFFFFFF (-1.)
0041035D |. 57 push edi ; |stream
0041035E |. FF15 A03F5800 call dword ptr ds:[<&MSVCRT.fseek>] ; \fseek
00410364 |. 57 push edi ; /stream
00410365 |. 6A 01 push 1 ; |n = 1
00410367 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20] ; |
0041036A |. 6A 04 push 4 ; |size = 4
0041036C |. 50 push eax ; |ptr
0041036D |. FF15 983F5800 call dword ptr ds:[<&MSVCRT.fread>] ; \fread
; NOTE(review): the read starts one byte before end-of-file but asks for a 4-byte item,
; so presumably only the low byte of [ebp-20] is replaced by the file's last byte - confirm
00410373 |. 57 push edi ; /stream
00410374 |. FF15 943F5800 call dword ptr ds:[<&MSVCRT.fclose>] ; \fclose
0041037A |. 56 push esi ; /s
0041037B |. E8 C6F30A00 call <jmp.&MSVCRT.strlen> ; \strlen
00410380 |. 83C4 24 add esp,24 ; eax = strlen(MD5(user name)); drops the nine dwords pushed since fseek
00410383 |. 33C9 xor ecx,ecx ; ecx=0
00410385 |. 3BC3 cmp eax,ebx
00410387 |. 8945 D4 mov dword ptr ss:[ebp-2C],eax ; save the length in [ebp-2C]
0041038A |. 7E 37 jle short capture.004103C3 ; length <= 0: skip the mixing loop
0041038C |. 8D45 D8 lea eax,dword ptr ss:[ebp-28] ; eax = address of [ebp-28] (the dword holding 0x401)
0041038F |. 8945 08 mov dword ptr ss:[ebp+8],eax ; [EBP+8]=EAX
; Mixing loop, ecx = index into the MD5 string:
;   ecx < 3  : dword[ecx] *= string[ecx]  (eax walks the three dwords)
;   ecx >= 3 : dword[ecx % 3] += string[ecx]
00410392 |> 83F9 03 /cmp ecx,3 ; this loop computes over the MD5(user name) value
00410395 |. 7D 0B |jge short capture.004103A2
00410397 |. 0FB61431 |movzx edx,byte ptr ds:[ecx+esi]
0041039B |. 0FAF10 |imul edx,dword ptr ds:[eax]
0041039E |. 8910 |mov dword ptr ds:[eax],edx
004103A0 |. EB 15 |jmp short capture.004103B7
004103A2 |> 8BC1 |mov eax,ecx
004103A4 |. 6A 03 |push 3
004103A6 |. 99 |cdq
004103A7 |. 5F |pop edi ; edi=3
004103A8 |. F7FF |idiv edi ; edx = ecx % 3
004103AA |. 8D4495 D8 |lea eax,dword ptr ss:[ebp+edx*4-28] ; eax = address of dword number (ecx % 3)
004103AE |. 0FB61431 |movzx edx,byte ptr ds:[ecx+esi]
004103B2 |. 0110 |add dword ptr ds:[eax],edx
004103B4 |. 8B45 08 |mov eax,dword ptr ss:[ebp+8] ; reload the walking pointer; it is advanced below but only dereferenced while ecx < 3
004103B7 |> 41 |inc ecx ; ecx++
004103B8 |. 83C0 04 |add eax,4
004103BB |. 3B4D D4 |cmp ecx,dword ptr ss:[ebp-2C] ; compare ecx with strlen(MD5(user name))
004103BE |. 8945 08 |mov dword ptr ss:[ebp+8],eax ; store the advanced pointer back in [ebp+8]
004103C1 |.^ 7C CF \jl short capture.00410392
004103C3 |> 6A 18 push 18
004103C5 |. 5F pop edi
004103C6 |. 57 push edi ; edi=18
004103C7 |. E8 F0EC0A00 call <jmp.&MFC42.#823_operator new>
004103CC |. 8BF0 mov esi,eax ; esi = new 0x18-byte output buffer
004103CE |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004103D1 |. 53 push ebx ; arg5 = 0 (tested as flag bits at [ebp+18] inside 00410467)
004103D2 |. 50 push eax ; arg4 = address of [ebp-1C]
004103D3 |. 56 push esi ; arg3 = output buffer
004103D4 |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004103D7 |. 6A 0C push 0C ; arg2 = 0xC input bytes (the three dwords)
004103D9 |. 50 push eax ; arg1 = address of the three dwords
004103DA |. 897D E4 mov dword ptr ss:[ebp-1C],edi ; [ebp-1C] = 0x18
004103DD |. E8 85000000 call capture.00410467 ; builds the registration code (step into with F7)
004103E2 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; presumably updated by 00410467 to the output length - confirm
004103E5 |. 83C4 18 add esp,18
004103E8 |. 8D4D EC lea ecx,dword ptr ss:[ebp-14]
004103EB |. 56 push esi
004103EC |. 881C30 mov byte ptr ds:[eax+esi],bl ; write a zero byte at buffer[[ebp-1C]] to terminate the string
004103EF |. E8 AAEC0A00 call <jmp.&MFC42.#537_CString::CString>
004103F4 |. FF75 0C push dword ptr ss:[ebp+C] ; /s2
004103F7 |. C645 FC 03 mov byte ptr ss:[ebp-4],3 ; |
004103FB |. FF75 EC push dword ptr ss:[ebp-14] ; |s1
004103FE |. FF15 8C405800 call dword ptr ds:[<&MSVCRT._mbsicmp>] ; \the key comparison: generated code (s1) against arg2 (s2), case-insensitive
////////////// call capture.00410467 生成注册码 ////////////////////////////////////////////////////////////////////////////////////////////////////////
; capture.00410467(in, inLen, out, arg4, flags): text encoder for the code.
; Each group of 3 input bytes is packed into the top 24 bits of edx and emitted
; as 4 characters, each chosen by a 6-bit index into the table at 0x5865A8.
; Output is organised in lines of 0x4C (76) characters; unless bit 1 of the
; flags at [ebp+18] is set, 0D 0A is written after each line and the final pair
; is dropped again after the loop.
; This matches the structure of Base64 encoding; the table contents are not
; shown here, so the alphabet is unconfirmed.
; The listing stops at 00410553; the rest of the function is not shown.
00410467 /$ 55 push ebp
00410468 |. 8BEC mov ebp,esp
0041046A |. 83EC 10 sub esp,10
0041046D |. 837D 08 00 cmp dword ptr ss:[ebp+8],0 ; [ebp+8]==0
00410471 |. 0F84 5E010000 je capture.004105D5 ; exit
00410477 |. 837D 10 00 cmp dword ptr ss:[ebp+10],0
0041047B |. 0F84 54010000 je capture.004105D5 ; exit
00410481 |. 837D 14 00 cmp dword ptr ss:[ebp+14],0
00410485 |. 0F84 4A010000 je capture.004105D5 ; exit
0041048B |. 8B45 0C mov eax,dword ptr ss:[ebp+C] ; eax=0c
0041048E |. 53 push ebx
0041048F |. 56 push esi
00410490 |. 57 push edi
00410491 |. 6A 03 push 3
00410493 |. 33DB xor ebx,ebx ; ebx=0
00410495 |. 99 cdq
00410496 |. 59 pop ecx ; ecx=3
00410497 |. 215D FC and dword ptr ss:[ebp-4],ebx ; [ebp-4] = 0 (line counter)
0041049A |. F7F9 idiv ecx ; eax = inLen / 3 = number of full 3-byte groups
0041049C |. 6A 4C push 4C
0041049E |. 895D F8 mov dword ptr ss:[ebp-8],ebx ; [ebp-8]=0
004104A1 |. 5E pop esi ; esi=04c
004104A2 |. 6A 13 push 13
004104A4 |. 8BC8 mov ecx,eax ; ecx=eax
004104A6 |. C1E1 02 shl ecx,2 ; ecx = groups * 4 = output characters
004104A9 |. 8BC1 mov eax,ecx
004104AB |. 99 cdq
004104AC |. F7FE idiv esi ; eax = number of full 0x4C-character lines
004104AE |. 5E pop esi ; esi = 0x13 groups per full line
004104AF |. 85C0 test eax,eax
004104B1 |. 8945 F0 mov dword ptr ss:[ebp-10],eax ; [ebp-10] = full-line count
004104B4 |. 0F8C 92000000 jl capture.0041054C
004104BA |. 3945 FC cmp dword ptr ss:[ebp-4],eax
004104BD |> 75 12 /jnz short capture.004104D1 ; not the last line: keep esi as it is
004104BF |. 8BC1 |mov eax,ecx
004104C1 |. 6A 4C |push 4C
004104C3 |. 99 |cdq
004104C4 |. 5E |pop esi
004104C5 |. F7FE |idiv esi ; edx = output characters % 0x4C
004104C7 |. 6A 04 |push 4
004104C9 |. 5E |pop esi
004104CA |. 8BC2 |mov eax,edx
004104CC |. 99 |cdq
004104CD |. F7FE |idiv esi
004104CF |. 8BF0 |mov esi,eax ; esi = groups on the last (partial) line
004104D1 |> 85F6 |test esi,esi ; j0:
004104D3 |. 7E 3D |jle short capture.00410512
004104D5 |. 8975 F4 |mov dword ptr ss:[ebp-C],esi ; author's note: esi=0x18 - NOTE(review): for inLen = 0xC the arithmetic above yields 4; confirm
004104D8 |> 6A 03 |/push 3
004104DA |. 33D2 ||xor edx,edx ; edx=0
004104DC |. 58 ||pop eax ; eax=3
004104DD |> 8B7D 08 ||/mov edi,dword ptr ss:[ebp+8]
004104E0 |. 0FB63F |||movzx edi,byte ptr ds:[edi] ; next input byte
004104E3 |. 0BD7 |||or edx,edi
004104E5 |. FF45 08 |||inc dword ptr ss:[ebp+8]
004104E8 |. C1E2 08 |||shl edx,8 ; after three rounds the bytes sit in bits 31..8 of edx
004104EB |. 48 |||dec eax
004104EC |.^ 75 EF ||\jnz short capture.004104DD
004104EE |. 6A 04 ||push 4
004104F0 |. 5F ||pop edi ; edi=4
004104F1 |> 8B5D 10 ||/mov ebx,dword ptr ss:[ebp+10] ; [ebp+10] is the character buffer that receives the registration code
004104F4 |. 8BC2 |||mov eax,edx
004104F6 |. C1E8 1A |||shr eax,1A ; eax = top 6 bits of edx
004104F9 |. FF45 10 |||inc dword ptr ss:[ebp+10]
004104FC |. 8A80 A8655800 |||mov al,byte ptr ds:[eax+5865A8] ; table lookup: 6-bit index -> output character
00410502 |. C1E2 06 |||shl edx,6
00410505 |. 4F |||dec edi
00410506 |. 8803 |||mov byte ptr ds:[ebx],al
00410508 |.^ 75 E7 ||\jnz short capture.004104F1
0041050A |. FF4D F4 ||dec dword ptr ss:[ebp-C]
0041050D |.^ 75 C9 |\jnz short capture.004104D8
0041050F |. 8B5D F8 |mov ebx,dword ptr ss:[ebp-8] ; reload the running output count (ebx was used as a scratch pointer above)
00410512 |> F645 18 02 |test byte ptr ss:[ebp+18],2
00410516 |. 8D1CB3 |lea ebx,dword ptr ds:[ebx+esi*4] ; count += 4 characters per group
00410519 |. 895D F8 |mov dword ptr ss:[ebp-8],ebx
0041051C |. 75 13 |jnz short capture.00410531 ; flag bit 1 set: no line break
0041051E |. 8B45 10 |mov eax,dword ptr ss:[ebp+10]
00410521 |. C600 0D |mov byte ptr ds:[eax],0D
00410524 |. 40 |inc eax
00410525 |. C600 0A |mov byte ptr ds:[eax],0A
00410528 |. 40 |inc eax
00410529 |. 43 |inc ebx
0041052A |. 8945 10 |mov dword ptr ss:[ebp+10],eax
0041052D |. 43 |inc ebx
0041052E |. 895D F8 |mov dword ptr ss:[ebp-8],ebx
00410531 |> FF45 FC |inc dword ptr ss:[ebp-4]
00410534 |. 8B45 F0 |mov eax,dword ptr ss:[ebp-10]
00410537 |. 3945 FC |cmp dword ptr ss:[ebp-4],eax
0041053A |.^ 7E 81 \jle short capture.004104BD
0041053C |. 85DB test ebx,ebx
0041053E |. 74 0C je short capture.0041054C
00410540 |. F645 18 02 test byte ptr ss:[ebp+18],2
00410544 |. 75 06 jnz short capture.0041054C
00410546 |. 836D 10 02 sub dword ptr ss:[ebp+10],2 ; step back over the 0D 0A written after the last line
0041054A |. 4B dec ebx
0041054B |. 4B dec ebx
0041054C |> 8B45 0C mov eax,dword ptr ss:[ebp+C]
0041054F |. 6A 03 push 3
00410551 |. 99 cdq
00410552 |. 59 pop ecx
00410553 |. F7F9 idiv ecx ; edx = inLen % 3; the code that consumes it is outside this listing
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
kyc
NY8BAKnWAQBq8wMA
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string>
#include <iostream>
#include "md5.h"
using namespace std;
// Re-implementation of the computation traced above, written for MSVC (x86
// inline __asm): MD5 of the entered name is rendered as 32 hex characters,
// those characters are mixed into three DWORD constants, and the resulting
// 12 bytes are emitted as 16 table-indexed characters.
// NOTE(review): `cin>>name` reads an unbounded token into a 16-byte buffer, so
// a name of 16 or more characters writes past `name`.
// NOTE(review): `strtmp` holds 62 characters plus the terminator, while the
// lookup index is 6 bits wide (0..63); an index of 63 reads past the array.
// NOTE(review): the third constant here is 0x0a18, whereas the listing
// initialises 0A83 and then freads into it from the end of the executable -
// presumably 0x18 is that file's last byte; confirm against the binary.
int main()
{
unsigned char digest[16];
unsigned char name[16] ;
cout<<"请输入用户名:"<<endl;
cin>>name;
int namelen=strlen((char*)name);
// jiami: receives the digest as lowercase hex text (32 characters + NUL)
char jiami[255]={0};
int i=0;
// lookup table indexed by the 6-bit groups in the second __asm block
char strtmp[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// code: output buffer, 16 characters written below plus the zero terminator
char code[20]={0},*pcode=code;
DWORD tmp1[]={0x401,0x8d4,0x0a18},utmp1,utmp2=0,tmp2[3],*ptmp,*ptmp2;
ptmp=tmp2;
MD5_CTX ctx;//MD5Init ();
ctx.MD5Update(name,namelen);//feed the input (the user name)
ctx.MD5Final(digest);//write out the digest
for (i = 0; i < 16; i++)
{
sprintf(&(jiami[2*i]),"%02x",(unsigned char)digest[i]);//hex text of the MD5 digest
}
int md5namelen=strlen(jiami);
//The algorithm is simple but tedious, so the program's own assembly is reused here with minor changes.
__asm
{
pushad
lea eax,tmp1
mov ecx,0
l0: cmp ecx,3 // this loop computes over the MD5(user name) hex text
jge short l1
// ecx < 3: tmp1[ecx] *= jiami[ecx] (eax walks tmp1)
movzx edx,byte ptr ds:[ecx+jiami]
imul edx,dword ptr ds:[eax]
mov dword ptr ds:[eax],edx
jmp short l2
// ecx >= 3: tmp1[ecx % 3] += jiami[ecx]
l1: mov eax,ecx
push 3
cdq
pop edi // edi=3
idiv edi
lea eax,dword ptr ss:[tmp1+edx*4]
movzx edx,byte ptr ds:[ecx+jiami]
add dword ptr ds:[eax],edx
mov eax,dword ptr ss:[ptmp]
l2: inc ecx // ecx++
add eax,4
cmp ecx,md5namelen // compare ecx with strlen(MD5(user name))
mov dword ptr ss:[ptmp],eax
jl short l0
popad
}
ptmp2=tmp1;// ptmp2 walks tmp1 byte by byte below
// four rounds: each consumes 3 bytes of tmp1 and appends 4 characters to code
for(i=0;i<4;i++)
{
__asm{
push 3
xor edx,edx
pop eax
// pack the next 3 bytes into bits 31..8 of edx
j1: mov edi,[ptmp2]
movzx edi,byte ptr ds:[edi]
or edx,edi
inc dword ptr ss:[ptmp2]
shl edx,8
dec eax
jnz short j1
mov utmp1,edx
push 4
pop edi
j2: mov ebx,dword ptr ss:[pcode] // in the original, [ebp+10] is the character buffer that receives the code
mov eax,edx
shr eax,1Ah
inc dword ptr ss:[pcode]
mov al,byte ptr ds:[eax+strtmp]
shl edx,6
dec edi
mov byte ptr ds:[ebx],al
jnz short j2
}
}
cout<<code<<endl;
system("PAUSE");
return 0;
}