【破解软件】Batch Image Resizer 2.7.9
【下载地址】http://www.newhua.com/soft/29844.htm
【运行环境】Win9x/Me/NT/2000/XP/2003
【软件类别】国外软件/共享版/图像处理
【保护方式】注册码 + Email
【作者声明】初学Crack,只是感兴趣,消遣业余时间,错误之处敬请诸位前辈不吝赐教。
【编写语言】Microsoft Visual C++ 6.0
【调试工具】OllyDBD、PEiD
【软件信息】批量修改大小,旋转,转换图像的工具,支持的格式有:JPEG, BMP, GIF, PCX, PNG。新版本允许你在编辑GIJ动画文件前查看它。
一、破解过程
输入 Your Email: wzwgp@123.com
Registration Code: 12345678
提示:thanks for registration! please restart batch image resizer
查找所有模块间的调用,在每个调用到_mbscmp上设置断点。F9
00405E37 |. FFD7 CALL NEAR EDI ; 断在此 _mbscmp
00405E39 |. 83C4 08 ADD ESP,8
00405E3C |. 85C0 TEST EAX,EAX
00405E3E |. 75 0E JNZ SHORT BatchIma.00405E4E
00405E40 |. 68 581F4200 PUSH BatchIma.00421F58
00405E45 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00405E49 |. E8 00080100 CALL <JMP.&MFC42.#860>
00405E4E |> 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14] ; [ESP+14]假码地址
00405E52 |. 68 C0154200 PUSH BatchIma.004215C0 ; 54qekkcherpl6x8q
00405E57 |. 50 PUSH EAX
00405E58 |. FFD7 CALL NEAR EDI
00405E5A |. 83C4 08 ADD ESP,8
00405E5D |. 85C0 TEST EAX,EAX
00405E5F |. 75 0E JNZ SHORT BatchIma.00405E6F
00405E61 |. 68 581F4200 PUSH BatchIma.00421F58
00405E66 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00405E6A |. E8 DF070100 CALL <JMP.&MFC42.#860>
00405E6F |> 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00405E73 |. 8379 F8 0B CMP DWORD PTR DS:[ECX-8],0B ; Email长度 > B
00405E77 |. 7D 08 JGE SHORT BatchIma.00405E81
00405E79 |. 899D C8000000 MOV DWORD PTR SS:[EBP+C8],EBX
00405E7F |. EB 6D JMP SHORT BatchIma.00405EEE
00405E81 |> 51 PUSH ECX
00405E82 |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14] ; [ESP+14]=email
00405E86 |. 8BCC MOV ECX,ESP
00405E88 |. 896424 20 MOV DWORD PTR SS:[ESP+20],ESP
00405E8C |. 52 PUSH EDX
00405E8D |. E8 58080100 CALL <JMP.&MFC42.#535>
00405E92 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
00405E96 |. 8BCE MOV ECX,ESI
00405E98 |. 50 PUSH EAX
00405E99 |. E8 82000000 CALL BatchIma.00405F20 ; 算法Call F7进入
00405E9E |. 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14] ; 假码
00405EA2 |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18] ; 真码
00405EA6 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
00405EA8 |. 8ACA |MOV CL,DL
00405EAA |. 3A16 |CMP DL,BYTE PTR DS:[ESI]
00405EAC |. 75 1C |JNZ SHORT BatchIma.00405ECA
00405EAE |. 3ACB |CMP CL,BL
00405EB0 |. 74 14 |JE SHORT BatchIma.00405EC6
00405EB2 |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+1]
00405EB5 |. 8ACA |MOV CL,DL
00405EB7 |. 3A56 01 |CMP DL,BYTE PTR DS:[ESI+1]
00405EBA |. 75 0E |JNZ SHORT BatchIma.00405ECA
00405EBC |. 83C0 02 |ADD EAX,2
00405EBF |. 83C6 02 |ADD ESI,2
00405EC2 |. 3ACB |CMP CL,BL
00405EC4 |.^ 75 E0 \JNZ SHORT BatchIma.00405EA6 ; 循环逐位比较真假码
算法Call F7进入
00405F20 /$ 6A FF PUSH -1
00405F22 |. 68 E7774100 PUSH BatchIma.004177E7 ; SE 处理程序安装
00405F27 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00405F2D |. 50 PUSH EAX
00405F2E |. 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00405F35 |. 83EC 2C SUB ESP,2C
00405F38 |. 53 PUSH EBX
00405F39 |. 56 PUSH ESI
00405F3A |. C74424 0C 00000000 MOV DWORD PTR SS:[ESP+C],0
00405F42 |. 8D4424 48 LEA EAX,DWORD PTR SS:[ESP+48]
00405F46 |. BB 01000000 MOV EBX,1
00405F4B |. 50 PUSH EAX
00405F4C |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
00405F50 |. 895C24 40 MOV DWORD PTR SS:[ESP+40],EBX
00405F54 |. E8 91070100 CALL <JMP.&MFC42.#535>
00405F59 |. 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] ; [ESP+8]=email
00405F5D |. C64424 3C 02 MOV BYTE PTR SS:[ESP+3C],2
00405F62 |. 8B41 F8 MOV EAX,DWORD PTR DS:[ECX-8] ; [ECX-8]=email长度
00405F65 |. 83F8 0A CMP EAX,0A
00405F68 |. 0F8E 98010000 JLE BatchIma.00406106 ; 不能小于等于A
00405F6E |. 83F8 10 CMP EAX,10
00405F71 |. 7D 0E JGE SHORT BatchIma.00405F81 ; 大于等于10(H)尾部不加a
00405F73 |. 68 F8154200 PUSH BatchIma.004215F8 ; aaaaaaaa
00405F78 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
00405F7C |. E8 63070100 CALL <JMP.&MFC42.#941> ; A<email<10 连接aaaaaaaa
00405F81 |> 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
00405F85 |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
00405F89 |. 33D2 XOR EDX,EDX
00405F8B |. 2BF0 SUB ESI,EAX
00405F8D |> 8D4C14 20 /LEA ECX,DWORD PTR SS:[ESP+EDX+20]
00405F91 |. 8A040E |MOV AL,BYTE PTR DS:[ESI+ECX]
00405F94 |. 3C 61 |CMP AL,61 ; a
00405F96 |. 8801 |MOV BYTE PTR DS:[ECX],AL
00405F98 |. 7C 08 |JL SHORT BatchIma.00405FA2
00405F9A |. 3C 66 |CMP AL,66 ; f
00405F9C |. 7F 04 |JG SHORT BatchIma.00405FA2
00405F9E |. 24 CE |AND AL,0CE
00405FA0 |. 8801 |MOV BYTE PTR DS:[ECX],AL
00405FA2 |> 8A01 |MOV AL,BYTE PTR DS:[ECX]
00405FA4 |. 3C 41 |CMP AL,41 ; A
00405FA6 |. 7C 08 |JL SHORT BatchIma.00405FB0
00405FA8 |. 3C 46 |CMP AL,46 ; F
00405FAA |. 7F 04 |JG SHORT BatchIma.00405FB0
00405FAC |. 2C 42 |SUB AL,42 ; [a..f] [A..F] (先和$CE与运算 再减42)
00405FAE |. EB 02 |JMP SHORT BatchIma.00405FB2
00405FB0 |> 2C 32 |SUB AL,32 ; 其余 减32
00405FB2 |> 42 |INC EDX
00405FB3 |. 8801 |MOV BYTE PTR DS:[ECX],AL ; 保存AL
00405FB5 |. 83FA 10 |CMP EDX,10 ; 循环次数=10
00405FB8 |.^ 7C D3 \JL SHORT BatchIma.00405F8D ; 设Email处理后的字符串为S
00405FBA |. 55 PUSH EBP
00405FBB |. 8D6C24 14 LEA EBP,DWORD PTR SS:[ESP+14] ; [ESP+14]处理后Email字符串地址
00405FBF |. 57 PUSH EDI
00405FC0 |. B8 06000000 MOV EAX,6 ; EAX赋初值
00405FC5 |. 83ED 06 SUB EBP,6
00405FC8 |> 8D70 FA /LEA ESI,DWORD PTR DS:[EAX-6] ; [EAX-6]=0、1 …
00405FCB |. 8BD8 |MOV EBX,EAX
00405FCD |. 8BCE |MOV ECX,ESI
00405FCF |. 83E3 0F |AND EBX,0F
00405FD2 |. 83E1 0F |AND ECX,0F
00405FD5 |. 8D78 01 |LEA EDI,DWORD PTR DS:[EAX+1] ; [EAX+1]=7、8 …
00405FD8 |. 0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS:[ESP+EBX+28] ; s7、s8
00405FDD |. 0FBE540C 28 |MOVSX EDX,BYTE PTR SS:[ESP+ECX+28] ; s1、s2
00405FE2 |. 8D48 FC |LEA ECX,DWORD PTR DS:[EAX-4]
00405FE5 |. 03D6 |ADD EDX,ESI ; 加循环次数(0、1…)
00405FE7 |. 83E1 0F |AND ECX,0F
00405FEA |. 0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS:[ESP+ECX+28] ; s3、s4
00405FEF |. 0FAFD1 |IMUL EDX,ECX ; EDX=s1*s3
00405FF2 |. 8D48 FD |LEA ECX,DWORD PTR DS:[EAX-3]
00405FF5 |. 83E1 0F |AND ECX,0F
00405FF8 |. 0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS:[ESP+ECX+28] ; s4、s5
00405FFD |. 03CE |ADD ECX,ESI ; 加循环次数
00405FFF |. 0FAFCB |IMUL ECX,EBX ; ECX=s4*s7
00406002 |. 03D1 |ADD EDX,ECX ; 相加 EDX=1264
00406004 |. 8D48 FB |LEA ECX,DWORD PTR DS:[EAX-5]
00406007 |. 8D58 FF |LEA EBX,DWORD PTR DS:[EAX-1]
0040600A |. 83E1 0F |AND ECX,0F
0040600D |. 83E3 0F |AND EBX,0F
00406010 |. 0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS:[ESP+ECX+28] ; s2
00406015 |. 0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS:[ESP+EBX+28] ; s6
0040601A |. 0FAFCB |IMUL ECX,EBX ; ECX=s2*s6
0040601D |. 03D1 |ADD EDX,ECX ; 相加 EDX=EDX+ECX
0040601F |. 8D48 FE |LEA ECX,DWORD PTR DS:[EAX-2]
00406022 |. 8BDF |MOV EBX,EDI
00406024 |. 83E1 0F |AND ECX,0F
00406027 |. 83E3 0F |AND EBX,0F
0040602A |. 0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS:[ESP+ECX+28] ; s5
0040602F |. 0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS:[ESP+EBX+28] ; s8
00406034 |. 0FAFCB |IMUL ECX,EBX ; ECX=s5*s8
00406037 |. 03D1 |ADD EDX,ECX ; 相加 EDX=EDX+ECX
00406039 |. 8D48 03 |LEA ECX,DWORD PTR DS:[EAX+3]
0040603C |. 83E1 0F |AND ECX,0F
0040603F |. 8D58 07 |LEA EBX,DWORD PTR DS:[EAX+7]
00406042 |. 83E3 0F |AND EBX,0F
00406045 |. 0FBE4C0C 28 |MOVSX ECX,BYTE PTR SS:[ESP+ECX+28] ; s10
0040604A |. 0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS:[ESP+EBX+28] ; s14
0040604F |. 03CE |ADD ECX,ESI ; 加循环次数
00406051 |. 0FAFCB |IMUL ECX,EBX ; ECX=s10*s14
00406054 |. 8D58 02 |LEA EBX,DWORD PTR DS:[EAX+2]
00406057 |. 83E3 0F |AND EBX,0F
0040605A |. 0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS:[ESP+EBX+28] ; s9
0040605F |. 03DE |ADD EBX,ESI ; 加循环次数
00406061 |. 8D70 04 |LEA ESI,DWORD PTR DS:[EAX+4] ; [EAX+4]=A
00406064 |. 83E6 0F |AND ESI,0F
00406067 |. 0FBE7434 28 |MOVSX ESI,BYTE PTR SS:[ESP+ESI+28] ; s11
0040606C |. 0FAFDE |IMUL EBX,ESI ; EBX=s9*s11
0040606F |. 03CB |ADD ECX,EBX ; 相加 ECX=ECX+EBX
00406071 |. 8D70 F8 |LEA ESI,DWORD PTR DS:[EAX-8]
00406074 |. 8D58 06 |LEA EBX,DWORD PTR DS:[EAX+6]
00406077 |. 83E6 0F |AND ESI,0F
0040607A |. 83E3 0F |AND EBX,0F
0040607D |. 0FBE7434 28 |MOVSX ESI,BYTE PTR SS:[ESP+ESI+28] ; s15
00406082 |. 0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS:[ESP+EBX+28] ; s13
00406087 |. 0FAFF3 |IMUL ESI,EBX ; ESI=s15*s13
0040608A |. 03CE |ADD ECX,ESI ; 相加
0040608C |. 8D70 F9 |LEA ESI,DWORD PTR DS:[EAX-7]
0040608F |. 8D58 05 |LEA EBX,DWORD PTR DS:[EAX+5]
00406092 |. 83E6 0F |AND ESI,0F
00406095 |. 83E3 0F |AND EBX,0F
00406098 |. 0FBE7434 28 |MOVSX ESI,BYTE PTR SS:[ESP+ESI+28] ; s16
0040609D |. 0FBE5C1C 28 |MOVSX EBX,BYTE PTR SS:[ESP+EBX+28] ; s12
004060A2 |. 0FAFF3 |IMUL ESI,EBX ; ESI=s16*s12
004060A5 |. 03CE |ADD ECX,ESI ; 相加 ECX=658
004060A7 |. 0FAFCA |IMUL ECX,EDX ; ECX=8DA4E0
004060AA |. C1F9 03 |SAR ECX,3
004060AD |. 83E1 1F |AND ECX,1F ; ECX=and 1F
004060B0 |. 83F9 0A |CMP ECX,0A ; 设计算结果为C
004060B3 |. 7D 05 |JGE SHORT BatchIma.004060BA
004060B5 |. 83C1 50 |ADD ECX,50 ; c(i) < A + 50
004060B8 |. EB 0D |JMP SHORT BatchIma.004060C7
004060BA |> 83F9 12 |CMP ECX,12
004060BD |. 7D 05 |JGE SHORT BatchIma.004060C4
004060BF |. 83C1 28 |ADD ECX,28 ; A=< c(i) <12 + 28
004060C2 |. EB 03 |JMP SHORT BatchIma.004060C7
004060C4 |> 83C1 2F |ADD ECX,2F ; 12 =< c(i) + 2F
004060C7 |> 880C28 |MOV BYTE PTR DS:[EAX+EBP],CL ; 保存CL
004060CA |. 8BC7 |MOV EAX,EDI
004060CC |. 8D50 FA |LEA EDX,DWORD PTR DS:[EAX-6]
004060CF |. 83FA 10 |CMP EDX,10 ; 循环次数=10
004060D2 |.^ 0F8C F0FEFFFF \JL BatchIma.00405FC8 ; 循环运算出真码
004060D8 |. 68 E4154200 PUSH BatchIma.004215E4 ; 0000000000000000
004060DD |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004060E1 |. E8 68050100 CALL <JMP.&MFC42.#860>
004060E6 |. 5F POP EDI
004060E7 |. 33F6 XOR ESI,ESI
004060E9 |. 5D POP EBP
004060EA |> 8A4434 10 /MOV AL,BYTE PTR SS:[ESP+ESI+10]
004060EE |. 8D4C24 08 |LEA ECX,DWORD PTR SS:[ESP+8]
004060F2 |. 50 |PUSH EAX
004060F3 |. 56 |PUSH ESI
004060F4 |. E8 41070100 |CALL <JMP.&MFC42.#5856>
004060F9 |. 46 |INC ESI
004060FA |. 83FE 10 |CMP ESI,10
004060FD |.^ 7C EB \JL SHORT BatchIma.004060EA
004060FF |. BB 01000000 MOV EBX,1
00406104 |. EB 09 JMP SHORT BatchIma.0040610F
00406106 |> 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0040610A |. E8 25070100 CALL <JMP.&MFC42.#2614>
0040610F |> 8B7424 44 MOV ESI,DWORD PTR SS:[ESP+44]
00406113 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00406117 |. 51 PUSH ECX
00406118 |. 8BCE MOV ECX,ESI
0040611A |. E8 CB050100 CALL <JMP.&MFC42.#535>
0040611F |. 895C24 0C MOV DWORD PTR SS:[ESP+C],EBX
00406123 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00406127 |. 885C24 3C MOV BYTE PTR SS:[ESP+3C],BL
0040612B |. E8 AA030100 CALL <JMP.&MFC42.#800>
00406130 |. 8D4C24 48 LEA ECX,DWORD PTR SS:[ESP+48]
00406134 |. C64424 3C 00 MOV BYTE PTR SS:[ESP+3C],0
00406139 |. E8 9C030100 CALL <JMP.&MFC42.#800>
0040613E |. 8B4C24 34 MOV ECX,DWORD PTR SS:[ESP+34]
00406142 |. 8BC6 MOV EAX,ESI
00406144 |. 5E POP ESI
00406145 |. 5B POP EBX
00406146 |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
0040614D |. 83C4 38 ADD ESP,38
00406150 \. C2 0800 RETN 8 ; 返回到 00405E9E
二、算法小结
1.Email字符位数要大于10位,如果不足16位尾部家8个'a'。
2.预处理Email字符串,在[a..f] [A..F]范围内的,先与'CE'逻辑与运算,再减42。
其余的减32。处理后的字符串长度为16。
3.设处理后Email的字符串为S=(s0,s1,s2 ……s13,s14,s15)
4.C=(c0,c1,c2 ……c13,c14,c15) i [0..15] S下标大于等于16-16(循环)
C(i)=( (si+i)*s(i+2) + (s(i+3)+i)*s(i+6) + s(i+1)*s(i+5) + s(i+4)*s(i+7) ) *
( (s(i+9)+i)*s(i+13) + (s(i+8)+i)*s(i+10) + s(i+14)*s(i+12) + s(i+15)*s(i+11) )
5. 4.式运算结果 C(i)算术右移(SAR 3 ) 、与运算(AND 1F),再根据运算结果的大小选择不同的加数
if c(i) < A +50
A=< c(i) <12 +28
12=< c(i) +2F
6.运算出的16个数就是注册码。
7. Your Email: wzwgp@123.com
Registration Code: KHV9GQS43FL9ITPY
注册信息:HKEY_CURRENT_USER\Software\JKLNSoft\BatchImageResizer\Registration Info
[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!