【Title】: video Mp3 Extractor PRO 2.1.20 Algorithm Analysis
【Author】: elance
【Author's e-mail】: liupengnpu@163.com
【Author's homepage】: http://elance.ys168.com
【Author's QQ】: 275199621
【Software】: video Mp3 Extractor PRO 2.1.20
【Packer】: none
【Protection】: registration code, stored in the registry
【Tools】: PEiD 0.94, OllyDbg 1.10
【Platform】: WinXP SP2
【Author's note】: I am a beginner at cracking and do this purely out of interest, with no other purpose. Please correct any mistakes I have made!
---------------------------------------------------------------------
【Details】
Load the program in OD, call the string-reference plugin, and arrive at:
0040857F |. 68 3CFB4000 |PUSH Video2Mp.0040FB3C ; |%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x
Looking further up the code, the registration code evidently has the form xx-xx-xx-xx-xx-xx-xx-xx-xx-xx
Go further up to
004084B8 |. E8 C5350000 |CALL <JMP.&CommonDialogs.InvokeRegistrationDia> //set a breakpoint here and enter the registration code: 11-22-33-44-55-66-77-88-99-00
004084BD |. 8B8424 840000>|MOV EAX,DWORD PTR SS:[ESP+84]
004084C4 |. 83F8 02 |CMP EAX,2
004084C7 |. 0F84 EF020000 |JE Video2Mp.004087BC
004084CD |. 83F8 01 |CMP EAX,1
004084D0 |.^ 75 A0 |JNZ SHORT Video2Mp.00408472
004084D2 |. 8D8424 880400>|LEA EAX,DWORD PTR SS:[ESP+488]
004084D9 |. 8D50 01 |LEA EDX,DWORD PTR DS:[EAX+1]
004084DC |. 8D6424 00 |LEA ESP,DWORD PTR SS:[ESP]
004084E0 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX]
004084E2 |. 40 ||INC EAX
004084E3 |. 3ACB ||CMP CL,BL
004084E5 |.^ 75 F9 |\JNZ SHORT Video2Mp.004084E0
004084E7 |. 2BC2 |SUB EAX,EDX
004084E9 |. 40 |INC EAX
004084EA |. 50 |PUSH EAX
004084EB |. E8 263B0000 |CALL <JMP.&MFC71.#265_??_U@YAPAXI@Z>
004084F0 |. 8BD0 |MOV EDX,EAX
004084F2 |. 8D8424 8C0400>|LEA EAX,DWORD PTR SS:[ESP+48C]
..........................
..........................
.......................... //part of the code omitted
0040857F |. 68 3CFB4000 |PUSH Video2Mp.0040FB3C ; |%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x
00408584 |. 52 |PUSH EDX ; |s
00408585 |. FF15 48E74000 |CALL DWORD PTR DS:[<&MSVCR71.sscanf>] ; \sscanf
0040858B |. 83C4 30 |ADD ESP,30
0040858E |. 83F8 0A |CMP EAX,0A
00408591 |.^ 0F85 DBFEFFFF |JNZ Video2Mp.00408472
00408597 |. 8B5424 18 |MOV EDX,DWORD PTR SS:[ESP+18] //edx=00000011
0040859B |. 8B7C24 1C |MOV EDI,DWORD PTR SS:[ESP+1C] //edi=00000022
0040859F |. C1E2 08 |SHL EDX,8 //shift edx left by 8 bits
004085A2 |. 03D7 |ADD EDX,EDI //edx=edi+edx=00001122
004085A4 |. 81E2 FFFF0080 |AND EDX,8000FFFF //AND edx with 8000ffff
004085AA |. /79 08 |JNS SHORT Video2Mp.004085B4 //jump if the sign bit is 0
004085AC |. 4A |DEC EDX
004085AD |. 81CA 0000FFFF |OR EDX,FFFF0000
004085B3 |. 42 |INC EDX
004085B4 |> 8B4424 20 |MOV EAX,DWORD PTR SS:[ESP+20] //eax=00000033
004085B8 |. 8B4C24 24 |MOV ECX,DWORD PTR SS:[ESP+24] //ecx=00000044
004085BC |. C1E0 08 |SHL EAX,8 //shift eax left by 8 bits=00003300
004085BF |. 03D1 |ADD EDX,ECX //edx=ecx+edx=00001166
004085C1 |. 03C2 |ADD EAX,EDX //eax=edx+eax=00004466
004085C3 |. 25 FFFF0080 |AND EAX,8000FFFF //AND eax with 8000ffff
004085C8 |. 79 07 |JNS SHORT Video2Mp.004085D1 //jump if the sign bit is 0
004085CA |. 48 |DEC EAX
004085CB |. 0D 0000FFFF |OR EAX,FFFF0000
004085D0 |. 40 |INC EAX
004085D1 |> 8B4C24 28 |MOV ECX,DWORD PTR SS:[ESP+28] //ecx=00000055
004085D5 |. 8B5424 2C |MOV EDX,DWORD PTR SS:[ESP+2C] //edx=00000066
004085D9 |. C1E1 08 |SHL ECX,8 //shift ecx left by 8 bits=00005500
004085DC |. 03C2 |ADD EAX,EDX //eax=edx+eax=00005566
004085DE |. 03C8 |ADD ECX,EAX //ecx=eax+ecx=000099cc
004085E0 |. 81E1 FFFF0080 |AND ECX,8000FFFF //AND ecx with 8000ffff
004085E6 |. 79 08 |JNS SHORT Video2Mp.004085F0 //jump if the sign bit is 0
004085E8 |. 49 |DEC ECX
004085E9 |. 81C9 0000FFFF |OR ECX,FFFF0000
004085EF |. 41 |INC ECX
004085F0 |> 8B5424 30 |MOV EDX,DWORD PTR SS:[ESP+30]
004085F4 |. 8B4424 34 |MOV EAX,DWORD PTR SS:[ESP+34]
004085F8 |. C1E2 08 |SHL EDX,8
004085FB |. 03C8 |ADD ECX,EAX
004085FD |. 03CA |ADD ECX,EDX
004085FF |. 81E1 FFFF0080 |AND ECX,8000FFFF
00408605 |. 79 08 |JNS SHORT Video2Mp.0040860F
00408607 |. 49 |DEC ECX
00408608 |. 81C9 0000FFFF |OR ECX,FFFF0000
0040860E |. 41 |INC ECX
0040860F |> 8BC1 |MOV EAX,ECX //eax=ecx=00001154
00408611 |. 99 |CDQ //sign extension, edx=00h
00408612 |. 81E2 FF000000 |AND EDX,0FF
00408618 |. 03C2 |ADD EAX,EDX //eax=00001154
0040861A |. 8B5424 38 |MOV EDX,DWORD PTR SS:[ESP+38] //edx=00000099
0040861E |. C1F8 08 |SAR EAX,8 //eax=00000011
00408621 |. 3BC0 |CMP EAX,EAX
00408623 |. 0F85 7B010000 |JNZ Video2Mp.004087A4 //error if eax is 0
00408629 |. 81E1 FF000080 |AND ECX,800000FF //AND ecx with 800000ff
0040862F |. 79 08 |JNS SHORT Video2Mp.00408639 //jump if the sign bit is 0
00408631 |. 49 |DEC ECX
00408632 |. 81C9 00FFFFFF |OR ECX,FFFFFF00
00408638 |. 41 |INC ECX
00408639 |> 3B4C24 3C |CMP ECX,DWORD PTR SS:[ESP+3C] //compare ecx, the key comparison
0040863D |. 0F85 61010000 |JNE Video2Mp.004087A4 //not equal means error; change 85 to 84 and the crack is done!!!
00408643 |. 83EC 1C |SUB ESP,1C //from here on it writes the registration info into the registry, heh, all clear ahead!!!
00408646 |. 8D8424 A40000>|LEA EAX,DWORD PTR SS:[ESP+A4]
0040864D |. 8BCC |MOV ECX,ESP
0040864F |. 896424 2C |MOV DWORD PTR SS:[ESP+2C],ESP
00408653 |. 50 |PUSH EAX
00408654 |. FF15 00E74000 |CALL DWORD PTR DS:[<&MSVCP71.??0?$basic_string>;
0040865A |. 8D8C24 800000>|LEA ECX,DWORD PTR SS:[ESP+80]
00408661 |. 51 |PUSH ECX
00408662 |. E8 19FDFFFF |CALL Video2Mp.00408380
00408667 |. 83C4 20 |ADD ESP,20
0040866A |. 8BC8 |MOV ECX,EAX
0040866C |. 899C24 9C0800>|MOV DWORD PTR SS:[ESP+89C],EBX
00408673 |. FF15 F4E64000 |CALL DWORD PTR DS:[<&MSVCP71.?c_str@?$basic_st>;
..................
..................
.................. //part of the code omitted
004087A4 |> \6A 40 |PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004087A6 |. 68 34FB4000 |PUSH Video2Mp.0040FB34 ; |error
004087AB |. 68 24FB4000 |PUSH Video2Mp.0040FB24 ; |invalid code
004087B0 |. 53 |PUSH EBX ; |hOwner
004087B1 |. FF15 ECE74000 |CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
004087B7 |.^ E9 B6FCFFFF \JMP Video2Mp.00408472
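The five-instruction sequence AND/JNS/DEC/OR/INC that the listing repeats (for example at 004085A4-004085B3, and with the 800000FF mask at 00408629-00408638) is the compiler's code for a signed remainder by a power of two, and the CDQ / AND EDX,0FF / ADD EAX,EDX / SAR EAX,8 sequence at 00408611-0040861E is a signed division by 256. The C below is an added illustration, not code from the article or from the program, that emulates both sequences register by register and checks them against the C operators, including negative inputs where the JNS branch is not taken.

```c
#include <stdint.h>
#include <stdio.h>

/* Register-level emulation of the sequence the listing repeats, e.g. at
 * 004085A4..004085B3:  AND reg,and_mask ; JNS done ; DEC reg ; OR reg,or_mask ; INC reg */
static int32_t and_jns_dec_or_inc(int32_t reg, uint32_t and_mask, uint32_t or_mask)
{
    uint32_t r = (uint32_t)reg & and_mask;   /* AND: keep the sign bit and the low bits */
    if ((int32_t)r >= 0)                     /* JNS: sign bit clear, result is final */
        return (int32_t)r;
    r -= 1;                                  /* DEC */
    r |= or_mask;                            /* OR: re-extend the sign into the high bits */
    r += 1;                                  /* INC */
    return (int32_t)r;
}

/* AND 8000FFFF / OR FFFF0000 (four times in the listing) == signed x % 0x10000 */
int32_t rem_0x10000(int32_t x) { return and_jns_dec_or_inc(x, 0x8000FFFFu, 0xFFFF0000u); }

/* AND 800000FF / OR FFFFFF00 at 00408629..00408638 == signed x % 0x100 */
int32_t rem_0x100(int32_t x) { return and_jns_dec_or_inc(x, 0x800000FFu, 0xFFFFFF00u); }

/* CDQ ; AND EDX,0FF ; ADD EAX,EDX ; SAR EAX,8 at 00408611..0040861E == signed x / 256 */
int32_t div_0x100(int32_t x)
{
    int32_t edx = (x < 0) ? -1 : 0;          /* CDQ: EDX becomes the sign of EAX */
    edx &= 0xFF;                             /* bias of 255 is applied only to negatives */
    int32_t sum = x + edx;                   /* ADD EAX,EDX */
    /* SAR is an arithmetic shift (floor); spelled out so the result does not
     * depend on how the C implementation shifts negative values */
    return (sum < 0) ? -((-sum + 255) >> 8) : (sum >> 8);
}

int main(void)
{
    /* The article's own values: 0x1122 survives the mask, 0x1154 >> 8 gives 0x11 */
    printf("rem_0x10000(0x1122)=%x  div_0x100(0x1154)=%x\n",
           rem_0x10000(0x1122), div_0x100(0x1154));
    /* Negative inputs: the emulated sequence must agree with C's % and / operators */
    for (int32_t x = -70000; x <= 70000; x += 12345)
        printf("%7d: %%0x10000 %6d/%6d   %%0x100 %4d/%4d   /256 %4d/%4d\n", x,
               rem_0x10000(x), x % 0x10000, rem_0x100(x), x % 0x100,
               div_0x100(x), x / 256);
    return 0;
}
```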
【Summary】: At this point the registration algorithm is completely clear. Ugh, my neck hurts!!! Looking at the clock, it has taken three hours from the analysis to finishing this article!!! Wow, that is terrible; I must look like a fool.
Still, I have finally finished my first cracking article. For now I patched the key point; if I have time tomorrow I will write a keygen, my neck cannot take any more!!!
Sorry for wasting everyone's time!!!
【Copyright】: This article was originally written for the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact, thank you!
March 3, 2006, 22:45:31