【破文标题】AVI Splitter V1.0.86破解分析
【破文作者】gg1211[CZG][PYG][PCG][D.4s]
【破解平台】WinXp
【作者邮箱】QIBINLEI@YAHOO.COM.CN
【破解工具】PEiD 、OD
【保护方式】用户名+序列号
【破解目的】学习简单算法破解
【破解声明】我乃小菜鸟一只,偶得一点心得,愿与大家分享:)
【软件名称】AVI Splitter V1.0.86
【下载地址】http://www3.skycn.com/soft/19877.html
【软件简介】AVI 影片分割工具AVI Splitter,能够将2GB以下的单一AVI影片档分割成多个AVI影片档,不用重新压缩就可以直接产生分割文件,程序还可以用来压缩/解压缩内建的VFW编码(如:MPEG-4 或 DivX)。
【破解步骤】先用PEiD 侦测,发现为Microsoft Visual C++ 7.0,无壳
试着运行软件,输入试验用户名 gg1211 和假注册码:
12345678
弹出错误提示 "registration failed!"。用 OD 载入程序,在字符串参考中找到该提示信息,顺着交叉引用回溯到注册校验函数,在其入口 00407010 下断:
00407010 /. 55 push ebp \\ break here: entry of the registration-check routine (found via the "registration failed!" string xref)
00407011 |. 8BEC mov ebp, esp
00407013 |. 83EC 20 sub esp, 20
00407016 |. 894D E0 mov [ebp-20], ecx \\ [ebp-20] = this; username object at this+0x70, registration code at this+0x74 (cf. the "username"/"registration_code" saves at 0040729E/004072C0)
00407019 |. 6A 01 push 1
0040701B |. 8B4D E0 mov ecx, [ebp-20]
0040701E |. E8 869C0100 call 00420CA9
00407023 |. 8B4D E0 mov ecx, [ebp-20]
00407026 |. 83C1 70 add ecx, 70
00407029 |. E8 02F5FFFF call 00406530 \\ length of the username; 00406530 appears to return a string length in eax (author's reading, not verified here)
0040702E |. 83F8 02 cmp eax, 2 \\ username must be at least 2 characters
00407031 |. 7D 13 jge short 00407046 \\ not taken => "please input correct user name!" and leave
00407033 |. 6A 00 push 0
00407035 |. 6A 00 push 0
00407037 |. 68 5CE24200 push 0042E25C ; please input correct user name!
0040703C |. E8 B7F70100 call 004267F8
00407041 |. E9 A9020000 jmp 004072EF
00407046 |> 8B4D E0 mov ecx, [ebp-20]
00407049 |. 83C1 74 add ecx, 74
0040704C |. E8 DFF4FFFF call 00406530 \\ length of the registration code (same helper 00406530)
00407051 |. 83F8 08 cmp eax, 8 \\ code must be at least 8 characters; only the first 5 are actually checked below
00407054 |. 7D 13 jge short 00407069 \\ not taken => "please input correct registration code!" and leave
00407056 |. 6A 00 push 0
00407058 |. 6A 00 push 0
0040705A |. 68 7CE24200 push 0042E27C ; please input correct registration code!
0040705F |. E8 94F70100 call 004267F8
00407064 |. E9 86020000 jmp 004072EF
00407069 |> 6A 00 push 0 \\ from here: fetch single characters by index; 00405C30(idx) appears to return the char in al
0040706B |. 8B4D E0 mov ecx, [ebp-20] \\ NOTE: these are USERNAME characters (this+0x70), not code characters.
0040706E |. 83C1 70 add ecx, 70 \\ Indices 0,1,0,1 => pattern "abab";
00407071 |. E8 BAEBFFFF call 00405C30 \\ for user "gg1211" all four are 'g' (0x67)
00407076 |. 8845 EF mov [ebp-11], al \\ c0 = username[0]
00407079 |. 6A 01 push 1 ; /Arg1 = 00000001
0040707B |. 8B4D E0 mov ecx, [ebp-20] ; |
0040707E |. 83C1 70 add ecx, 70 ; |
00407081 |. E8 AAEBFFFF call 00405C30 ; \AVISplit.00405C30
00407086 |. 8845 F8 mov [ebp-8], al \\ c1 = username[1]
00407089 |. 6A 00 push 0 ; /Arg1 = 00000000
0040708B |. 8B4D E0 mov ecx, [ebp-20] ; |
0040708E |. 83C1 70 add ecx, 70 ; |
00407091 |. E8 9AEBFFFF call 00405C30 ; \AVISplit.00405C30
00407096 |. 8845 FF mov [ebp-1], al \\ c2 = username[0] again
00407099 |. 6A 01 push 1 ; /Arg1 = 00000001
0040709B |. 8B4D E0 mov ecx, [ebp-20] ; |
0040709E |. 83C1 70 add ecx, 70 ; |
004070A1 |. E8 8AEBFFFF call 00405C30 \\ username[1] again; character fetching ends here
004070A6 |. 8845 FA mov [ebp-6], al \\ c3 = username[1]; the arithmetic on the four bytes starts next
004070A9 |. 0FB645 EF movzx eax, byte ptr [ebp-11]
004070AD |. 83C8 53 or eax, 53 \\ c0 |= 0x53 ('g': 0x67 | 0x53 = 0x77)
004070B0 |. 8845 EF mov [ebp-11], al
004070B3 |. 0FB64D F8 movzx ecx, byte ptr [ebp-8]
004070B7 |. 83C9 41 or ecx, 41 \\ c1 |= 0x41 (0x67 | 0x41 = 0x67)
004070BA |. 884D F8 mov [ebp-8], cl
004070BD |. 0FB655 FF movzx edx, byte ptr [ebp-1]
004070C1 |. 83CA 56 or edx, 56 \\ c2 |= 0x56 (0x67 | 0x56 = 0x77)
004070C4 |. 8855 FF mov [ebp-1], dl
004070C7 |. 0FB645 FA movzx eax, byte ptr [ebp-6]
004070CB |. 83C8 49 or eax, 49 \\ c3 |= 0x49 (0x67 | 0x49 = 0x6F)
004070CE |. 8845 FA mov [ebp-6], al
004070D1 |. 0FB645 EF movzx eax, byte ptr [ebp-11] \\ each OR result is now divided (signed idiv) by 10;
004070D5 |. 99 cdq \\ only the remainder (edx -> dl) is kept, as one decimal digit
004070D6 |. B9 0A000000 mov ecx, 0A \\ divisor 10
004070DB |. F7F9 idiv ecx
004070DD |. 8855 EF mov [ebp-11], dl \\ d0 = c0 % 10 (0x77 = 119 -> 9)
004070E0 |. 0FB645 F8 movzx eax, byte ptr [ebp-8]
004070E4 |. 99 cdq
004070E5 |. B9 0A000000 mov ecx, 0A
004070EA |. F7F9 idiv ecx
004070EC |. 8855 F8 mov [ebp-8], dl \\ d1 = c1 % 10 (0x67 = 103 -> 3)
004070EF |. 0FB645 FF movzx eax, byte ptr [ebp-1]
004070F3 |. 99 cdq
004070F4 |. B9 0A000000 mov ecx, 0A
004070F9 |. F7F9 idiv ecx
004070FB |. 8855 FF mov [ebp-1], dl \\ d2 = c2 % 10 (0x77 = 119 -> 9)
004070FE |. 0FB645 FA movzx eax, byte ptr [ebp-6]
00407102 |. 99 cdq
00407103 |. B9 0A000000 mov ecx, 0A
00407108 |. F7F9 idiv ecx
0040710A |. 8855 FA mov [ebp-6], dl \\ d3 = c3 % 10 (0x6F = 111 -> 1)
0040710D |. C745 F0 00000>mov dword ptr [ebp-10], 0 \\ sum = 0
00407114 |. C745 E8 00000>mov dword ptr [ebp-18], 0 \\ i = 0
0040711B |. EB 09 jmp short 00407126
0040711D |> 8B55 E8 /mov edx, [ebp-18] \\ loop: add up the ASCII value of every username character
00407120 |. 83C2 01 |add edx, 1 \\ i++
00407123 |. 8955 E8 |mov [ebp-18], edx
00407126 |> 8B4D E0 mov ecx, [ebp-20]
00407129 |. 83C1 70 |add ecx, 70
0040712C |. E8 FFF3FFFF |call 00406530 \\ len(username)
00407131 |. 3945 E8 |cmp [ebp-18], eax \\ i < len ?
00407134 |. 7D 1E |jge short 00407154 \\ loop exit
00407136 |. 8B45 E8 |mov eax, [ebp-18]
00407139 |. 50 |push eax ; /Arg1
0040713A |. 8B4D E0 |mov ecx, [ebp-20] ; |
0040713D |. 83C1 70 |add ecx, 70 ; |
00407140 |. E8 EBEAFFFF |call 00405C30 ; \AVISplit.00405C30
00407145 |. 8845 E7 |mov [ebp-19], al \\ username[i]
00407148 |. 0FB64D E7 |movzx ecx, byte ptr [ebp-19]
0040714C |. 034D F0 |add ecx, [ebp-10] \\ sum += username[i]
0040714F |. 894D F0 |mov [ebp-10], ecx
00407152 |.^ EB C9 \jmp short 0040711D \\ for "gg1211" the sum is 0x193 (= 403 decimal)
00407154 |> 8B45 F0 mov eax, [ebp-10] \\ sum / 10, signed division
00407157 |. 99 cdq
00407158 |. B9 0A000000 mov ecx, 0A
0040715D |. F7F9 idiv ecx
0040715F |. 8855 F4 mov [ebp-C], dl \\ d4 = sum % 10 (403 -> 3)
00407162 |. 6A 00 push 0 \\ next: read the entered registration code (this+0x74), characters 0..7
00407164 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407167 |. 83C1 74 add ecx, 74 ; |
0040716A |. E8 C1EAFFFF call 00405C30 ; \AVISplit.00405C30
0040716F |. 8845 FC mov [ebp-4], al \\ r0 = code[0]
00407172 |. 6A 01 push 1 ; /Arg1 = 00000001
00407174 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407177 |. 83C1 74 add ecx, 74 ; |
0040717A |. E8 B1EAFFFF call 00405C30 ; \AVISplit.00405C30
0040717F |. 8845 FD mov [ebp-3], al \\ r1 = code[1]
00407182 |. 6A 02 push 2 ; /Arg1 = 00000002
00407184 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407187 |. 83C1 74 add ecx, 74 ; |
0040718A |. E8 A1EAFFFF call 00405C30 ; \AVISplit.00405C30
0040718F |. 8845 F6 mov [ebp-A], al \\ r2 = code[2]
00407192 |. 6A 03 push 3 ; /Arg1 = 00000003
00407194 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407197 |. 83C1 74 add ecx, 74 ; |
0040719A |. E8 91EAFFFF call 00405C30 ; \AVISplit.00405C30
0040719F |. 8845 F5 mov [ebp-B], al \\ r3 = code[3]
004071A2 |. 6A 04 push 4 ; /Arg1 = 00000004
004071A4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071A7 |. 83C1 74 add ecx, 74 ; |
004071AA |. E8 81EAFFFF call 00405C30 ; \AVISplit.00405C30
004071AF |. 8845 F9 mov [ebp-7], al \\ r4 = code[4]
004071B2 |. 6A 05 push 5 ; /Arg1 = 00000005
004071B4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071B7 |. 83C1 74 add ecx, 74 ; |
004071BA |. E8 71EAFFFF call 00405C30 ; \AVISplit.00405C30
004071BF |. 8845 F7 mov [ebp-9], al \\ r5 = code[5]
004071C2 |. 6A 06 push 6 ; /Arg1 = 00000006
004071C4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071C7 |. 83C1 74 add ecx, 74 ; |
004071CA |. E8 61EAFFFF call 00405C30 ; \AVISplit.00405C30
004071CF |. 8845 FE mov [ebp-2], al \\ r6 = code[6]
004071D2 |. 6A 07 push 7 ; /Arg1 = 00000007
004071D4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071D7 |. 83C1 74 add ecx, 74 ; |
004071DA |. E8 51EAFFFF call 00405C30 ; \AVISplit.00405C30
004071DF |. 8845 FB mov [ebp-5], al \\ r7 = code[7]
004071E2 |. 0FB655 EF movzx edx, byte ptr [ebp-11]
004071E6 |. 0FB645 FC movzx eax, byte ptr [ebp-4]
004071EA |. 83E8 30 sub eax, 30 ; \\ r0 - '0': code position 0 as a decimal digit
004071ED |. 3BD0 cmp edx, eax \\ d0 == r0 - '0' ?
004071EF |. 75 3C jnz short 0040722D \\ a mismatch does NOT fail right away: it drops into the hard-coded key check at 0040722D
004071F1 |. 0FB64D F8 movzx ecx, byte ptr [ebp-8] \\ same pattern for positions 1..4;
004071F5 |. 0FB655 FD movzx edx, byte ptr [ebp-3] \\ code positions 5..7 are never checked on this path
004071F9 |. 83EA 30 sub edx, 30
004071FC |. 3BCA cmp ecx, edx \\ d1 == r1 - '0' ?
004071FE |. 75 2D jnz short 0040722D
00407200 |. 0FB645 FF movzx eax, byte ptr [ebp-1]
00407204 |. 0FB64D F6 movzx ecx, byte ptr [ebp-A]
00407208 |. 83E9 30 sub ecx, 30
0040720B |. 3BC1 cmp eax, ecx \\ d2 == r2 - '0' ?
0040720D |. 75 1E jnz short 0040722D
0040720F |. 0FB655 FA movzx edx, byte ptr [ebp-6]
00407213 |. 0FB645 F5 movzx eax, byte ptr [ebp-B]
00407217 |. 83E8 30 sub eax, 30
0040721A |. 3BD0 cmp edx, eax \\ d3 == r3 - '0' ?
0040721C |. 75 0F jnz short 0040722D \\ positions 0..3 (the OR/mod-10 digits) checked
0040721E |. 0FB64D F4 movzx ecx, byte ptr [ebp-C]
00407222 |. 0FB655 F9 movzx edx, byte ptr [ebp-7]
00407226 |. 83EA 30 sub edx, 30
00407229 |. 3BCA cmp ecx, edx \\ position 4 against d4 (username checksum digit)
0040722B |. 74 58 je short 00407285 \\ all five match => success
0040722D |> 0FB645 FC movzx eax, byte ptr [ebp-4] \\ fallback: compare the entered code byte-by-byte with a constant
00407231 |. 83F8 39 cmp eax, 39 \\ '9'
00407234 |. 0F85 A7000000 jnz 004072E1 \\ any mismatch => "registration failed!"
0040723A |. 0FB64D FD movzx ecx, byte ptr [ebp-3]
0040723E |. 83F9 33 cmp ecx, 33 \\ '3'
00407241 |. 0F85 9A000000 jnz 004072E1
00407247 |. 0FB655 F6 movzx edx, byte ptr [ebp-A]
0040724B |. 83FA 38 cmp edx, 38 \\ '8'
0040724E |. 0F85 8D000000 jnz 004072E1
00407254 |. 0FB645 F5 movzx eax, byte ptr [ebp-B]
00407258 |. 83F8 38 cmp eax, 38 \\ '8'
0040725B |. 0F85 80000000 jnz 004072E1
00407261 |. 0FB64D F9 movzx ecx, byte ptr [ebp-7]
00407265 |. 83F9 33 cmp ecx, 33 \\ '3'
00407268 |. 75 77 jnz short 004072E1
0040726A |. 0FB655 F7 movzx edx, byte ptr [ebp-9]
0040726E |. 83FA 31 cmp edx, 31 \\ '1'
00407271 |. 75 6E jnz short 004072E1
00407273 |. 0FB645 FE movzx eax, byte ptr [ebp-2]
00407277 |. 83F8 34 cmp eax, 34 \\ '4'
0040727A |. 75 65 jnz short 004072E1
0040727C |. 0FB64D FB movzx ecx, byte ptr [ebp-5]
00407280 |. 83F9 36 cmp ecx, 36 \\ '6'
00407283 |. 75 5C jnz short 004072E1 \\ => the literal code "93883146" is accepted for ANY username: a hard-coded master key
00407285 |> 6A 00 push 0 \\ success path
00407287 |. 6A 00 push 0
00407289 |. 68 A4E24200 push 0042E2A4 ; registration has succeeded!
0040728E |. E8 65F50100 call 004267F8
00407293 |. 8B4D E0 mov ecx, [ebp-20]
00407296 |. 83C1 70 add ecx, 70
00407299 |. E8 62F2FFFF call 00406500 \\ username buffer (00406500 presumably returns a raw string pointer; not verified)
0040729E |. 50 push eax
0040729F |. 68 C0E24200 push 0042E2C0 ; username
004072A4 |. 68 CCE24200 push 0042E2CC ; option
004072A9 |. E8 A2ECFFFF call 00405F50 \\ save the username under "option"
004072AE |. 8BC8 mov ecx, eax ; |
004072B0 |. E8 7FF60100 call 00426934 ; \AVISplit.00426934
004072B5 |. 8B4D E0 mov ecx, [ebp-20]
004072B8 |. 83C1 74 add ecx, 74
004072BB |. E8 40F2FFFF call 00406500
004072C0 |. 50 push eax
004072C1 |. 68 D4E24200 push 0042E2D4 ; registration_code
004072C6 |. 68 E8E24200 push 0042E2E8 ; option
004072CB |. E8 80ECFFFF call 00405F50 \\ save the accepted code under "option" as well (stored as entered, no hashing visible here)
004072D0 |. 8BC8 mov ecx, eax ; |
004072D2 |. E8 5DF60100 call 00426934 ; \AVISplit.00426934
004072D7 |. 8B4D E0 mov ecx, [ebp-20]
004072DA |. E8 7E830100 call 0041F65D \\ this-call on the dialog object; probably closes it (not verified)
004072DF |. EB 0E jmp short 004072EF \\ common exit (epilogue at 004072EF, not captured in this listing)
004072E1 |> 6A 00 push 0 \\ failure path
004072E3 |. 6A 00 push 0
004072E5 |. 68 F0E24200 push 0042E2F0 ; registration failed! \\ listing truncated here; the message-box call and the jump to the epilogue are not shown
从上面的分析可以看出,这个算法很简单,基本上没有什么难度。
程序先要求用户名 2 位以上、注册码 8 位以上,然后:
1. 取用户名的前两位,按 abab 的顺序排列(即 用户名[0]、[1]、[0]、[1]),分别与 53、41、56、49 做 or 运算。注意这里取的是用户名而不是注册码:[ebp-20]+70 是用户名,+74 才是注册码。
2. 将所得的四个值分别做带符号除法除以 0A,取余数得到四位十进制数字,设为 a。
3. 把用户名各字符的 ASCII 码累加,再带符号除法除以 0A,取余数得到一位数字,设为 b。
4. 注册码 = a + b + 任意三位字符(程序只校验前 5 位,后 3 位不检查)。
另外,前五位校验不通过时并不会立即失败,而是跳到 0040722D 处与常量逐字节比较:只要注册码等于 "93883146",不论用户名是什么都直接通过——这是一个与用户名无关的硬编码万能码。校验通过后,程序还会把用户名和注册码原样保存到 option 配置项中。
最后得到我的注册码是(前五位 93913 由算法算出,后三位 888 可以任取):
gg1211
93913888