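【Software name】Xilisoft DVD to PSP Converter 4.0.52.0616
【Download URL】http://www.onlinedown.net/soft/46397.htm
【Runtime environment】Win9x/Me/NT/2000/XP/2003
【Software category】Foreign software / Shareware / Video tools
【Protection】User name, registration code, MD5
【Author's statement】I am new to cracking and only do it out of interest to pass my spare time; I would be grateful if more experienced readers pointed out any mistakes.
【Debugging environment】WinXP, OllyDbg, PEiD
【Software information】Converts DVD movies into MP4 video files or MP3 audio files playable on the PSP.
I. Tracing the algorithm
PEiD reports: Microsoft Visual C++ 7.0 Method2 [Debug]. The registration check is performed by the main program calling UILib71.dll in the installation directory.
Load the program in OD and search the string references; no key information is found. Enter the user name: wzwgp and the fake code: 123456789223456789323456789423456789123
A "registration code is incorrect" message appears. Set a breakpoint: BP MessageBoxA; execution breaks at 77D5050B.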
77D5050B > 8BFF MOV EDI,EDI ; dvdrip.00458328
77D5050D 55 PUSH EBP
77D5050E 8BEC MOV EBP,ESP
77D50510 833D 1C04D777 0>CMP DWORD PTR DS:[77D7041C],0
77D50517 74 24 JE SHORT USER32.77D5053D
77D50519 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77D5051F 6A 00 PUSH 0
Remove the breakpoint, press Alt+F9 to return to 1001B778, then scroll up and set a breakpoint at 1001B720.
1001B720 >/$ 64:A1 0000000>MOV EAX,DWORD PTR FS:[0] ; set breakpoint here
1001B726 |. 6A FF PUSH -1
1001B728 |. 68 02630210 PUSH UILib71.10026302
1001B72D |. 50 PUSH EAX
1001B72E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
1001B735 |. 83EC 08 SUB ESP,8
1001B738 |. 56 PUSH ESI
1001B739 |. 8BF1 MOV ESI,ECX
1001B73B |. E8 D0F4FFFF CALL UILib71.?SaveRegInfo@ImRegDlg@@IAEX>; write user name and encrypted registration code to the registry
1001B740 |. E8 BBF8FFFF CALL UILib71.?IsValidRegInfo@ImRegDlg@@S>; restore registry info, verify registration code
1001B745 |. 85C0 TEST EAX,EAX ; EAX=0: registration failed
1001B747 |. 75 49 JNZ SHORT UILib71.1001B792 ; jump on successful registration
1001B749 |. 8B0D CC040410 MOV ECX,DWORD PTR DS:[100404CC]
1001B74F |. 68 442F0000 PUSH 2F44
1001B754 |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
1001B758 |. 50 PUSH EAX
1001B759 |. E8 F217FFFF CALL UILib71.?GetString@ImLanguage@@QBE?>
1001B75E |. 6A 00 PUSH 0
1001B760 |. 6A 30 PUSH 30
1001B762 |. 8BC8 MOV ECX,EAX
1001B764 |. C74424 1C 000>MOV DWORD PTR SS:[ESP+1C],0
1001B76C |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#876>]
1001B772 |. 50 PUSH EAX
1001B773 |. E8 4C820000 CALL <JMP.&MFC71.#1123> ; registration-failed message
1001B778 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
1001B77C |. FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#578>]
1001B782 |. 5E POP ESI
1001B783 |. 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
1001B787 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
1001B78E |. 83C4 14 ADD ESP,14
1001B791 |. C3 RETN
1001B792 |> 8D8E A4030000 LEA ECX,DWORD PTR DS:[ESI+3A4]
1001B798 |. FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#3934>] ; MFC71.7C1501A3
1001B79E |. 84C0 TEST AL,AL
1001B7A0 |. 75 41 JNZ SHORT UILib71.1001B7E3
1001B7A2 |. 68 452F0000 PUSH 2F45
1001B7A7 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
1001B7AB |. 51 PUSH ECX
1001B7AC |. 8B0D CC040410 MOV ECX,DWORD PTR DS:[100404CC]
1001B7B2 |. E8 9917FFFF CALL UILib71.?GetString@ImLanguage@@QBE?>
1001B7B7 |. 6A 00 PUSH 0
1001B7B9 |. 6A 30 PUSH 30
1001B7BB |. 8BC8 MOV ECX,EAX
1001B7BD |. C74424 1C 010>MOV DWORD PTR SS:[ESP+1C],1
1001B7C5 |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#876>] ; registration-succeeded message
1001B7CB |. 50 PUSH EAX
1001B7CC |. E8 F3810000 CALL <JMP.&MFC71.#1123>
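The call at 1001B73B writes the user name to the registry; the user name, registration code and constants are combined with xor, shr and or operations to encrypt the registration code, which is then written to the registry.
This has nothing to do with generating the registration code (the stored code is only restored when it is verified), so it is skipped.
Step into the call at 1001B740 with F7 (restore registry info, verify registration code):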
1001B000 >/$ 6A FF PUSH -1
1001B002 |. 68 BF620210 PUSH UILib71.100262BF ; SE handler installation
1001B007 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
1001B00D |. 50 PUSH EAX
1001B00E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
1001B015 |. 81EC A4000000 SUB ESP,0A4
1001B01B |. A1 70010410 MOV EAX,DWORD PTR DS:[10040170]
1001B020 |. 53 PUSH EBX
1001B021 |. 56 PUSH ESI
1001B022 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
1001B026 |. 898424 A80000>MOV DWORD PTR SS:[ESP+A8],EAX
1001B02D |. FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>; MFC71.7C173199
1001B033 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
1001B037 |. C78424 B40000>MOV DWORD PTR SS:[ESP+B4],0
1001B042 |. FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>; MFC71.7C173199
1001B048 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B04C |. FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>; MFC71.7C173199
1001B052 |. 8B0D D0040410 MOV ECX,DWORD PTR DS:[100404D0] ; UILib71.?g_pref@@3VImAppPref@@A
1001B058 |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
1001B05C |. 50 PUSH EAX
1001B05D |. C68424 B80000>MOV BYTE PTR SS:[ESP+B8],2
1001B065 |. E8 F6A6FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B06A |. 8BC8 MOV ECX,EAX
1001B06C |. 83C1 2C ADD ECX,2C
1001B06F |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>; read registry info
1001B075 |. 50 PUSH EAX ; |Subkey
1001B076 |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
1001B07B |. FF15 04700210 CALL NEAR DWORD PTR DS:[<&ADVAPI32.>; \RegCreateKeyA
1001B081 |. 85C0 TEST EAX,EAX
1001B083 |. 0F85 B1000000 JNZ UILib71.1001B13A
1001B089 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
1001B08D |. 51 PUSH ECX
1001B08E |. 68 00020000 PUSH 200
1001B093 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
1001B097 |. C74424 10 000>MOV DWORD PTR SS:[ESP+10],200
1001B09F |. FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>; MFC71.7C15102A
1001B0A5 |. 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24] ; |
1001B0A9 |. 8B35 10700210 MOV ESI,DWORD PTR DS:[<&ADVAPI32.Re>; |ADVAPI32.RegQueryValueExA
1001B0AF |. 50 PUSH EAX ; |Buffer
1001B0B0 |. 6A 00 PUSH 0 ; |pValueType = NULL
1001B0B2 |. 6A 00 PUSH 0 ; |Reserved = NULL
1001B0B4 |. 68 3C810210 PUSH UILib71.1002813C ; |name
1001B0B9 |. 52 PUSH EDX ; |hKey
1001B0BA |. FFD6 CALL NEAR ESI ; \RegQueryValueExA
1001B0BC |. 6A FF PUSH -1
1001B0BE |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B0C2 |. FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>; get user name length
1001B0C8 |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
1001B0CC |. 50 PUSH EAX
1001B0CD |. 68 00020000 PUSH 200
1001B0D2 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
1001B0D6 |. C74424 10 000>MOV DWORD PTR SS:[ESP+10],200
1001B0DE |. FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B0E4 |. 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
1001B0E8 |. 50 PUSH EAX
1001B0E9 |. 6A 00 PUSH 0
1001B0EB |. 6A 00 PUSH 0
1001B0ED |. 68 30E10210 PUSH UILib71.1002E130
1001B0F2 |. 51 PUSH ECX
1001B0F3 |. FFD6 CALL NEAR ESI
1001B0F5 |. 6A FF PUSH -1
1001B0F7 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B0FB |. FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>
1001B101 |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
1001B105 |. 52 PUSH EDX
1001B106 |. 68 00020000 PUSH 200
1001B10B |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B10F |. C74424 10 000>MOV DWORD PTR SS:[ESP+10],200
1001B117 |. FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B11D |. 50 PUSH EAX
1001B11E |. 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+28]
1001B122 |. 6A 00 PUSH 0
1001B124 |. 6A 00 PUSH 0
1001B126 |. 68 38E10210 PUSH UILib71.1002E138
1001B12B |. 50 PUSH EAX
1001B12C |. FFD6 CALL NEAR ESI ; read the computed result stored in the registry
1001B12E |. 6A FF PUSH -1
1001B130 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
1001B134 |. FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>
1001B13A |> 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B13E |. FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B144 |. 84C0 TEST AL,AL
1001B146 |. 0F85 8E000000 JNZ UILib71.1001B1DA
1001B14C |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B150 |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B156 |. 50 PUSH EAX
1001B157 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
1001B15B |. 51 PUSH ECX
1001B15C |. E8 CFF3FFFF CALL UILib71.?Hex2StringA@ImRegDlg@>
1001B161 |. 83C4 08 ADD ESP,8
1001B164 |. B3 03 MOV BL,3
1001B166 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
1001B16A |. 889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B171 |. E8 DA700000 CALL UILib71.10022250 ; process constants (used when encrypting the registration code for the registry)
1001B176 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
1001B17A |. C68424 B40000>MOV BYTE PTR SS:[ESP+B4],4
1001B182 |. FF15 78750210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B188 |. 50 PUSH EAX
1001B189 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B18D |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B193 |. 50 PUSH EAX
1001B194 |. 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
1001B198 |. E8 C3750000 CALL UILib71.10022760 ; restore (decrypt) the fake code stored in the registry
1001B19D |. 6A FF PUSH -1
1001B19F |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
1001B1A3 |. FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>; get fake code length
1001B1A9 |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
1001B1AD |. 52 PUSH EDX
1001B1AE |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
1001B1B2 |. FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>
1001B1B8 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
1001B1BC |. 889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B1C3 |. E8 F8700000 CALL UILib71.100222C0
1001B1C8 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
1001B1CC |. C68424 B40000>MOV BYTE PTR SS:[ESP+B4],2
1001B1D4 |. FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B1DA |> 6A 14 PUSH 14
1001B1DC |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
1001B1E0 |. 50 PUSH EAX
1001B1E1 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B1E5 |. FF15 8C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B1EB |. 50 PUSH EAX
1001B1EC |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B1F0 |. C68424 B80000>MOV BYTE PTR SS:[ESP+B8],5
1001B1F8 |. FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>; get address of the first 20 characters of the fake code
1001B1FE |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
1001B202 |. C68424 B40000>MOV BYTE PTR SS:[ESP+B4],2
1001B20A |. FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B210 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
1001B214 |. FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B21A |. 84C0 TEST AL,AL
1001B21C |. 0F85 D3030000 JNZ UILib71.1001B5F5
1001B222 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B226 |. FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B22C |. 84C0 TEST AL,AL
1001B22E |. 0F85 C1030000 JNZ UILib71.1001B5F5
1001B234 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B238 |. FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>; get fake code length
1001B23E |. 83F8 27 CMP EAX,27 ; registration code length = 27h
1001B241 |. 0F85 AE030000 JNZ UILib71.1001B5F5
1001B247 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; [ESP+18] = address of the first 20 characters of the fake code
1001B24B |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B251 |. 8B0D D0040410 MOV ECX,DWORD PTR DS:[100404D0] ; UILib71.?g_pref@@3VImAppPref@@A
1001B257 |. E8 04A5FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B25C |. 83C0 38 ADD EAX,38
1001B25F |. 50 PUSH EAX
1001B260 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14] ; [ESP+14] = user name address
1001B264 |. FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>; EAX= "Xilisoftdvdtopspconverter4"
1001B26A |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
1001B26E |. FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>; MFC71.7C173199
1001B274 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
1001B278 |. C68424 B40000>MOV BYTE PTR SS:[ESP+B4],6
1001B280 |. 33F6 XOR ESI,ESI
1001B282 |. FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>; get length of "Xilisoftdvdtopspconverter4"
1001B288 |. 85C0 TEST EAX,EAX
1001B28A |. 7E 5C JLE SHORT UILib71.1001B2E8
1001B28C |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
1001B290 |> 8BCE /MOV ECX,ESI
1001B292 |. 81E1 01000080 |AND ECX,80000001
1001B298 |. 79 05 |JNS SHORT UILib71.1001B29F
1001B29A |. 49 |DEC ECX
1001B29B |. 83C9 FE |OR ECX,FFFFFFFE
1001B29E |. 41 |INC ECX
1001B29F |> 75 38 |JNZ SHORT UILib71.1001B2D9
1001B2A1 |. 56 |PUSH ESI
1001B2A2 |. 8D4C24 14 |LEA ECX,DWORD PTR SS:[ESP+14] ; [ESP+14]=ASCII "Xilisoftdvdtopspconverter4"
1001B2A6 |. FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>; AL=58 (X): take the ASCII code at the odd positions of [ESP+14]
1001B2AC |. 8D4C24 0C |LEA ECX,DWORD PTR SS:[ESP+C]
1001B2B0 |. 50 |PUSH EAX
1001B2B1 |. FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>; store 58 (X)
1001B2B7 |. 8D46 01 |LEA EAX,DWORD PTR DS:[ESI+1] ; [ESI+1] = index of the character just taken + 1
1001B2BA |. 99 |CDQ
1001B2BB |. B9 FF000000 |MOV ECX,0FF
1001B2C0 |. F7F9 |IDIV ECX
1001B2C2 |. 84D2 |TEST DL,DL
1001B2C4 |. 885424 08 |MOV BYTE PTR SS:[ESP+8],DL ; DL=01, 03 (even positions)
1001B2C8 |. 74 0F |JE SHORT UILib71.1001B2D9
1001B2CA |. 8B5424 08 |MOV EDX,DWORD PTR SS:[ESP+8]
1001B2CE |. 52 |PUSH EDX
1001B2CF |. 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
1001B2D3 |. FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>; store DL
1001B2D9 |> 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
1001B2DD |. 46 |INC ESI ; ESI = counter
1001B2DE |. FF15 C8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#2>; MFC71.7C146AB0
1001B2E4 |. 3BF0 |CMP ESI,EAX ; EAX=1A (string length)
1001B2E6 |.^ 7C A8 \JL SHORT UILib71.1001B290
1001B2E8 |> 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
1001B2EC |. 33F6 XOR ESI,ESI
1001B2EE |. FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>; MFC71.7C146AB0
1001B2F4 |. 85C0 TEST EAX,EAX
1001B2F6 |. 7E 5F JLE SHORT UILib71.1001B357
1001B2F8 |. EB 06 JMP SHORT UILib71.1001B300
1001B2FA | 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
1001B300 |> 8BC6 /MOV EAX,ESI
1001B302 |. 25 01000080 |AND EAX,80000001
1001B307 |. 79 05 |JNS SHORT UILib71.1001B30E
1001B309 |. 48 |DEC EAX
1001B30A |. 83C8 FE |OR EAX,FFFFFFFE
1001B30D |. 40 |INC EAX
1001B30E |> 74 38 |JE SHORT UILib71.1001B348
1001B310 |. 56 |PUSH ESI
1001B311 |. 8D4C24 14 |LEA ECX,DWORD PTR SS:[ESP+14] ; [ESP+14]=ASCII "Xilisoftdvdtopspconverter4"
1001B315 |. FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>; AL=69 (i): take the ASCII code at the even positions of [ESP+14]
1001B31B |. 8D4C24 0C |LEA ECX,DWORD PTR SS:[ESP+C]
1001B31F |. 50 |PUSH EAX
1001B320 |. FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>; store 69 (i)
1001B326 |. 8D46 01 |LEA EAX,DWORD PTR DS:[ESI+1] ; [ESI+1] = index of the character just taken + 1
1001B329 |. 99 |CDQ
1001B32A |. B9 FF000000 |MOV ECX,0FF
1001B32F |. F7F9 |IDIV ECX
1001B331 |. 84D2 |TEST DL,DL
1001B333 |. 885424 08 |MOV BYTE PTR SS:[ESP+8],DL ; DL=2, 4
1001B337 |. 74 0F |JE SHORT UILib71.1001B348
1001B339 |. 8B5424 08 |MOV EDX,DWORD PTR SS:[ESP+8]
1001B33D |. 52 |PUSH EDX
1001B33E |. 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
1001B342 |. FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>; store DL
1001B348 |> 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
1001B34C |. 46 |INC ESI ; ESI = counter
1001B34D |. FF15 C8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#2>; MFC71.7C146AB0
1001B353 |. 3BF0 |CMP ESI,EAX
1001B355 |.^ 7C A9 \JL SHORT UILib71.1001B300 ; EAX=1A (string length)
1001B357 |> 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
1001B35B |. FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B361 |. 6A 01 PUSH 1
1001B363 |. 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
1001B367 |. 68 50E10210 PUSH UILib71.1002E150
1001B36C |. 50 PUSH EAX
1001B36D |. C68424 C00000>MOV BYTE PTR SS:[ESP+C0],7
1001B375 |. FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B37B |. 83C4 0C ADD ESP,0C
1001B37E |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
1001B382 |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B388 |. 50 PUSH EAX
1001B389 |. 6A 00 PUSH 0
1001B38B |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B38F |. FF15 84750210 CALL NEAR DWORD PTR DS:[<&MFC71.#38>; prepend "1" to the string
1001B395 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
1001B399 |. FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B39F |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
1001B3A3 |. FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B3A9 |. 6A 00 PUSH 0
1001B3AB |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
1001B3AF |. 68 50E10210 PUSH UILib71.1002E150
1001B3B4 |. B3 09 MOV BL,9
1001B3B6 |. 51 PUSH ECX
1001B3B7 |. 889C24 C00000>MOV BYTE PTR SS:[ESP+C0],BL
1001B3BE |. FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B3C4 |. 6A 00 PUSH 0
1001B3C6 |. 8D5424 3C LEA EDX,DWORD PTR SS:[ESP+3C]
1001B3CA |. 68 50E10210 PUSH UILib71.1002E150
1001B3CF |. 52 PUSH EDX
1001B3D0 |. FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B3D6 |. 8D4424 44 LEA EAX,DWORD PTR SS:[ESP+44]
1001B3DA |. 50 PUSH EAX
1001B3DB |. 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+44]
1001B3DF |. 51 PUSH ECX
1001B3E0 |. 8D5424 28 LEA EDX,DWORD PTR SS:[ESP+28]
1001B3E4 |. 52 PUSH EDX
1001B3E5 |. E8 E66DFEFF CALL UILib71.100021D0
1001B3EA |. 83C4 24 ADD ESP,24
1001B3ED |. 50 PUSH EAX
1001B3EE |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
1001B3F2 |. C68424 B80000>MOV BYTE PTR SS:[ESP+B8],0A
1001B3FA |. FF15 80770210 CALL NEAR DWORD PTR DS:[<&MFC71.#90>; append "00" to the string
1001B400 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
1001B404 |. 889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B40B |. FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B411 |. 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
1001B415 |. 50 PUSH EAX
1001B416 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
1001B41A |. FF15 E4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>
1001B420 |. B3 0B MOV BL,0B
1001B422 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B426 |. 889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B42D |. FF15 80750210 CALL NEAR DWORD PTR DS:[<&MFC71.#40>; [take the first 20 characters of the fake code]
1001B433 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B437 |. FF15 5C740210 CALL NEAR DWORD PTR DS:[<&MFC71.#61>
1001B43D |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B441 |. FF15 58740210 CALL NEAR DWORD PTR DS:[<&MFC71.#61>
1001B447 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1001B44B |. FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B451 |. 84C0 TEST AL,AL
1001B453 |. 74 0F JE SHORT UILib71.1001B464
1001B455 |. 68 44E10210 PUSH UILib71.1002E144
1001B45A |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
1001B45E |. FF15 78770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>
1001B464 |> 8B0D D0040410 MOV ECX,DWORD PTR DS:[100404D0] ; UILib71.?g_pref@@3VImAppPref@@A
1001B46A |. E8 F1A2FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B46F |. 83C0 38 ADD EAX,38
1001B472 |. 50 PUSH EAX
1001B473 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
1001B477 |. 51 PUSH ECX
1001B478 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
1001B47C |. 52 PUSH EDX
1001B47D |. E8 4E6DFEFF CALL UILib71.100021D0 ; concatenate the first 20 characters of the fake code with the fixed string
1001B482 |. 83C4 0C ADD ESP,0C
1001B485 |. 50 PUSH EAX
1001B486 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
1001B48A |. C68424 B80000>MOV BYTE PTR SS:[ESP+B8],0C
1001B492 |. FF15 80770210 CALL NEAR DWORD PTR DS:[<&MFC71.#90>; final concatenation into a 101-character string
1001B498 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
1001B49C |. 889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B4A3 |. FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>; MFC71.7C1771B1
1001B4A9 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
1001B4AD |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>; MFC71.7C158BCD
1001B4B3 |. 50 PUSH EAX
1001B4B4 |. 8D4C24 70 LEA ECX,DWORD PTR SS:[ESP+70]
1001B4B8 |. E8 03740000 CALL UILib71.100228C0 ; enter the MD5 computation
1001B4BD |. 8D4C24 6C LEA ECX,DWORD PTR SS:[ESP+6C]
1001B4C1 |. C68424 B40000>MOV BYTE PTR SS:[ESP+B4],0D
1001B4C9 |. E8 32730000 CALL UILib71.10022800 ; EAX=(d96d58a51ae3c1f181c821811c8b751b)
1001B4CE |. 50 PUSH EAX ; push the hashed data
1001B4CF |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
1001B4D3 |. FF15 DC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#30>; EAX = address of the hashed data
1001B4D9 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
1001B4DD |. C68424 B40000>MOV BYTE PTR SS:[ESP+B4],0E
1001B4E5 |. FF15 D0730210 CALL NEAR DWORD PTR DS:[<&MFC71.#21>
1001B4EB |. 33F6 XOR ESI,ESI
1001B4ED |. 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
1001B4F0 |> 56 /PUSH ESI
1001B4F1 |. 8D4C24 34 |LEA ECX,DWORD PTR SS:[ESP+34]
1001B4F5 |. FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>; take the ASCII code at the odd positions of the computed result
1001B4FB |. 8D4C24 0C |LEA ECX,DWORD PTR SS:[ESP+C]
1001B4FF |. 50 |PUSH EAX
1001B500 |. FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>; append the extracted ASCII code
1001B506 |. 8BC6 |MOV EAX,ESI
1001B508 |. D1E8 |SHR EAX,1
1001B50A |. 40 |INC EAX
1001B50B |. 25 03000080 |AND EAX,80000003 ; compute whether a "-" must be added
1001B510 |. 79 05 |JNS SHORT UILib71.1001B517
1001B512 |. 48 |DEC EAX
1001B513 |. 83C8 FC |OR EAX,FFFFFFFC
1001B516 |. 40 |INC EAX
1001B517 |> 75 0F |JNZ SHORT UILib71.1001B528
1001B519 |. 68 40E10210 |PUSH UILib71.1002E140 ; push the address of "-"
1001B51E |. 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
1001B522 |. FF15 C4730210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>; after every 4 characters, append "-"
1001B528 |> 83C6 02 |ADD ESI,2
1001B52B |. 83FE 20 |CMP ESI,20
1001B52E |.^ 7C C0 \JL SHORT UILib71.1001B4F0
1001B530 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
1001B534 |. FF15 80750210 CALL NEAR DWORD PTR DS:[<&MFC71.#40>; convert to uppercase
1001B53A |. 6A 01 PUSH 1
1001B53C |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
1001B540 |. FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>
1001B546 |. 48 DEC EAX
1001B547 |. 50 PUSH EAX
1001B548 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B54C |. FF15 7C750210 CALL NEAR DWORD PTR DS:[<&MFC71.#19>; remove the trailing "-"
1001B552 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
1001B556 |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>; first 20 characters of the fake code
1001B55C |. 50 PUSH EAX
1001B55D |. 6A 00 PUSH 0
1001B55F |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B563 |. FF15 84750210 CALL NEAR DWORD PTR DS:[<&MFC71.#38>; concatenate the first 20 characters of the fake code with the computed result
1001B569 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
1001B56D |. FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>; MFC71.7C158BCD
1001B573 |. 50 PUSH EAX ; EAX = fake code address
1001B574 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ; [ESP+10] = computed result address
1001B578 |. FF15 4C740210 CALL NEAR DWORD PTR DS:[<&MFC71.#14>; verify the registration code
1001B57E |. F7D8 NEG EAX ; EAX=1: registration verification failed
1001B580 1AC0 SBB AL,AL ; patch point (xor al,al)
1001B582 |. FEC0 INC AL
1001B584 |. 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
1001B588 |. 0FB6F0 MOVZX ESI,AL
1001B58B |. FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>; MFC71.7C1771B1
II. Algorithm summary
1. String concatenation
1.1 Interleave the odd-position characters of the software name with odd numbers
Xilisoftdvdtopspconverter4 ---> Xlsfddoscnetr ---> X1l3s5f7d9dbodsfc11n13e15t17r19
135 …… 151719
(58 01 6C 03 73 05 66 07 64 09 64 0B 6F 0D 73 0F 63 11 6E 13 65 15 74 17 72 19)
1.2 Interleave the even-position characters of the software name with even numbers
Xilisoftdvdtopspconverter4 ---> iiotvtppovre4 ---> i2i4o6t8vAtCpEp10o12v14r16e1841A
246 …… 16181A
(69 02 69 04 6F 06 74 08 76 0A 74 0C 70 0E 70 10 6F 12 76 14 72 16 65 18 34 1A)
1.3 Prepend 1 and append 00
1 + X1l3s5f7d9dbodsfc11n13e15t17r19 + i2i4o6t8vAtCpEp10o12v14r16e1841A + 00
------->
1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A00
1.4 Concatenate the first 20 characters of the fake code with the software name
12345678922345678932 + Xilisoftdvdtopspconverter4
------->
12345678922345678932Xilisoftdvdtopspconverter4
1.5 Form the final string (1.3 + 1.4)
1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A0012345678922345678932Xilisoftdvdtopspconverter4
(31 58 01 6C 03 73 05 66 07 64 09 64 0B 6F 0D 73 0F 63 11 6E 13 65 15 74 17 72 19 69 02 69 04 6F 06 74 08 76 0A 74 0C
70 0E 70 10 6F 12 76 14 72 16 65 18 34 1A 30 30 31 32 33 34 35 36 37 38 39 32 32 33 34 35 36 37 38 39 33 32 58 69 6C
69 73 6F 66 74 64 76 64 74 6F 70 73 70 63 6F 6E 76 65 72 74 65 72 34)
2. MD5 over the string
2.1 Standard MD5 over the first 64 characters of the string
(1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A00123456789)
Result: (F22B9292)(A1300D51)(66297222)(DF3639B7)
2.2 Use the four values from 2.1 as the MD5 constants to process the last 37 characters of the string
(22345678932Xilisoftdvdtopspconverter4)
Result: 94289881fc09a399b914279409095be1
2.3 Take the odd-position characters of the value from 2.2
94289881fc09a399b914279409095be1 ----> 9298f0a9b129005e ----> 9298-F0A9-B129-005E
3 Concatenate the first 20 characters of the fake code with the result of 2.3 to obtain the registration code
Registration code = 12345678922345678932 + 9298-F0A9-B129-005E
---->
123456789223456789329298-F0A9-B129-005E
4 The registration code must be 39 characters long (27H)
The registration information is stored in: HKEY_CURRENT_USER\Software\Xilisoft\DVD to PSP Converter 4\RegInfo