[Original] Newbie maomaoma's Algorithm Practice Cracking Write-up No. 4

Posted: 2006-12-9 22:14
【Title】Newbie maomaoma's Algorithm Practice Cracking Write-up No. 4
【Author】maomaoma
【Author's e-mail】
【Author's homepage】none
【Tools】OD (OllyDbg), PEiD
【Platform】Windows XP
【Software】Magic DVD Ripper 4.3
【Size】2075KB
【Original download】http://86516.onlinedown.net/soft/24198.htm
【Protection】none
【Software description】Magic DVD Ripper is a DVD movie ripping tool. It supports DVD to VCD and DVD to SVCD conversion; ripped DVDs have the region code and Macrovision protection removed; it can shut the computer down automatically when ripping or conversion finishes, and it fully supports the popular DVD and VCD burners and discs on the market.
【Disclaimer】I'm a newbie learning to write crack tutorials; experts, please point out my mistakes :)
------------------------------------------------------------------------
【Cracking process】
1. PEiD shows the main executable is unpacked, compiled with Borland C++ 1999.
2. Load it in OD and set a breakpoint on the registration-error string "register code is not correct!\n\nplease copy and paste your user name and register code." (the string occurs several times; I tried them one by one, the clumsy way :); alternatively, decompile with DeDe first and then set the breakpoint).
3. Press F9 to run, enter user name maomaoma and registration code 1234567801234567891 (note: the required code length was learned from the analysis below); OD breaks.
4. The detailed analysis and code comments follow:
004182E0 . 55 push ebp ; OD breaks here
004182E1 . 8BEC mov ebp, esp
004182E3 . 83C4 AC add esp, -54
004182E6 . 53 push ebx
004182E7 . 56 push esi
004182E8 . 57 push edi
004182E9 . 8945 B8 mov [ebp-48], eax
004182EC . B8 782A5000 mov eax, 00502A78
004182F1 . E8 AEE40B00 call 004D67A4
004182F6 . 66:C745 CC 08>mov word ptr [ebp-34], 8
004182FC . 66:C745 CC 08>mov word ptr [ebp-34], 8
00418302 . 66:C745 CC 20>mov word ptr [ebp-34], 20
00418308 . 33C0 xor eax, eax
0041830A . 33F6 xor esi, esi
0041830C . 8945 F4 mov [ebp-C], eax
0041830F . 8D55 F4 lea edx, [ebp-C]
00418312 . FF45 D8 inc dword ptr [ebp-28]
00418315 . 8B4D B8 mov ecx, [ebp-48]
00418318 . 8B81 F8020000 mov eax, [ecx+2F8]
0041831E . E8 8DFD0800 call 004A80B0 ; get the user name (control at [this+2F8])
00418323 . 8D45 F4 lea eax, [ebp-C]
00418326 . 8B00 mov eax, [eax]
00418328 . 33D2 xor edx, edx
0041832A . 8955 FC mov [ebp-4], edx
0041832D . 8D55 FC lea edx, [ebp-4]
00418330 . FF45 D8 inc dword ptr [ebp-28]
00418333 . E8 DC2E0300 call 0044B214 ; copy the user name into a local string
00418338 . FF4D D8 dec dword ptr [ebp-28]
0041833B . 8D45 F4 lea eax, [ebp-C]
0041833E . BA 02000000 mov edx, 2
00418343 . E8 E0B20C00 call 004E3628
00418348 . 66:C745 CC 14>mov word ptr [ebp-34], 14
0041834E . 837D FC 00 cmp dword ptr [ebp-4], 0
00418352 . 74 05 je short 00418359
00418354 . 8B45 FC mov eax, [ebp-4]
00418357 . EB 05 jmp short 0041835E
00418359 > B8 ED285000 mov eax, 005028ED
0041835E > 8945 B4 mov [ebp-4C], eax
00418361 . 33FF xor edi, edi
00418363 . 8B45 B4 mov eax, [ebp-4C]
00418366 . 8BD8 mov ebx, eax
00418368 . EB 08 jmp short 00418372
0041836A > 33C0 xor eax, eax
0041836C . 8A03 mov al, [ebx]
0041836E . 03F0 add esi, eax ; esi = sum of the ASCII values of the user-name characters (348 here, i.e. 0x348 = 840 decimal)
00418370 . 47 inc edi
00418371 . 43 inc ebx
00418372 > 8B55 B4 mov edx, [ebp-4C]
00418375 . 52 push edx
00418376 . E8 8DE10B00 call 004D6508 ; cdecl call on the name (push/call/pop ecx), evidently strlen: the loop runs while edi < length
0041837B . 59 pop ecx
0041837C . 3BF8 cmp edi, eax
0041837E .^ 72 EA jb short 0041836A
00418380 . 81E6 FFFF0080 and esi, 8000FFFF ; keep the low 16 bits of the sum (truncation to a short)
00418386 . 79 08 jns short 00418390 ; sign fix-up below only runs for a negative total; a sum of zero-extended bytes is never negative
00418388 . 4E dec esi
00418389 . 81CE 0000FFFF or esi, FFFF0000
0041838F . 46 inc esi
00418390 > 56 push esi ; /Arg3
00418391 . 68 EE285000 push 005028EE ; |%04x
00418396 . 8D4D AC lea ecx, [ebp-54] ; |
00418399 . 51 push ecx ; |Arg1
0041839A . E8 B1090C00 call 004D8D50 ; \sprintf-style: format esi with "%04x" (348 becomes 0348 here); remember the result as A
0041839F . 66:C745 CC 2C>mov word ptr [ebp-34], 2C
004183A5 . 33C0 xor eax, eax
004183A7 . 83C4 0C add esp, 0C
004183AA . 8945 F0 mov [ebp-10], eax
004183AD . 8D55 F0 lea edx, [ebp-10]
004183B0 . FF45 D8 inc dword ptr [ebp-28]
004183B3 . 8B4D B8 mov ecx, [ebp-48]
004183B6 . 8B81 FC020000 mov eax, [ecx+2FC]
004183BC . E8 EFFC0800 call 004A80B0 ; get the entered (fake) registration code (control at [this+2FC])
004183C1 . 8D45 F0 lea eax, [ebp-10]
004183C4 . 8B00 mov eax, [eax]
004183C6 . 33D2 xor edx, edx
004183C8 . 8955 EC mov [ebp-14], edx
004183CB . 8D55 EC lea edx, [ebp-14]
004183CE . FF45 D8 inc dword ptr [ebp-28]
004183D1 . E8 3E2E0300 call 0044B214 ; copy the entered code into a local string
004183D6 . 8D45 EC lea eax, [ebp-14]
004183D9 . 33C9 xor ecx, ecx
004183DB . 894D F8 mov [ebp-8], ecx
004183DE . 8D55 F8 lea edx, [ebp-8]
004183E1 . FF45 D8 inc dword ptr [ebp-28]
004183E4 . E8 8BB40C00 call 004E3874
004183E9 . FF4D D8 dec dword ptr [ebp-28]
004183EC . 8D45 EC lea eax, [ebp-14]
004183EF . BA 02000000 mov edx, 2
004183F4 . E8 2FB20C00 call 004E3628
004183F9 . FF4D D8 dec dword ptr [ebp-28]
004183FC . 8D45 F0 lea eax, [ebp-10]
004183FF . BA 02000000 mov edx, 2
00418404 . E8 1FB20C00 call 004E3628
00418409 . 66:C745 CC 14>mov word ptr [ebp-34], 14
0041840F . 837D F8 00 cmp dword ptr [ebp-8], 0
00418413 . 74 05 je short 0041841A
00418415 . 8B75 F8 mov esi, [ebp-8]
00418418 . EB 05 jmp short 0041841F
0041841A > BE F3285000 mov esi, 005028F3
0041841F > 33FF xor edi, edi
00418421 . 8BDE mov ebx, esi
00418423 . EB 12 jmp short 00418437
00418425 > 0FBE03 movsx eax, byte ptr [ebx]
00418428 . 83F8 6F cmp eax, 6F ; compare with 'o', so 0 and o are not confused
0041842B . 74 05 je short 00418432
0041842D . 83F8 4F cmp eax, 4F ; compare with 'O', so 0 and O are not confused
00418430 . 75 03 jnz short 00418435
00418432 > C603 30 mov byte ptr [ebx], 30 ; replace o/O in the entered code with '0'
00418435 > 47 inc edi
00418436 . 43 inc ebx
00418437 > 56 push esi
00418438 . E8 CBE00B00 call 004D6508 ; strlen(code), same cdecl pattern as above
0041843D . 59 pop ecx
0041843E . 3BF8 cmp edi, eax
00418440 .^ 72 E3 jb short 00418425
00418442 . 66:C745 CC 38>mov word ptr [ebp-34], 38
00418448 . 8D45 E8 lea eax, [ebp-18]
0041844B . 8BD6 mov edx, esi
0041844D . E8 C2B00C00 call 004E3514
00418452 . FF45 D8 inc dword ptr [ebp-28]
00418455 . 8B10 mov edx, [eax]
00418457 . 8B45 B8 mov eax, [ebp-48]
0041845A . 8B80 FC020000 mov eax, [eax+2FC]
00418460 . E8 7BFC0800 call 004A80E0
00418465 . FF4D D8 dec dword ptr [ebp-28]
00418468 . 8D45 E8 lea eax, [ebp-18]
0041846B . BA 02000000 mov edx, 2
00418470 . E8 B3B10C00 call 004E3628
00418475 . 8A4E 05 mov cl, [esi+5] ; 6th character of the code into cl
00418478 . 3A4D AC cmp cl, [ebp-54] ; compare cl with the 1st character of A ('0' here)
0041847B . 75 26 jnz short 004184A3 ; jump if not equal (fail)
0041847D . 8A46 04 mov al, [esi+4] ; 5th character of the code into al
00418480 . 3A45 AD cmp al, [ebp-53] ; compare al with the 2nd character of A ('3' here)
00418483 . 75 1E jnz short 004184A3 ; jump if not equal (fail)
00418485 . 8A56 12 mov dl, [esi+12] ; 19th character of the code (offset 0x12) into dl
00418488 . 3A55 AE cmp dl, [ebp-52] ; compare dl with the 3rd character of A ('4' here)
0041848B . 75 16 jnz short 004184A3 ; jump if not equal (fail)
0041848D . 8A0E mov cl, [esi] ; 1st character of the code into cl
0041848F . 3A4D AF cmp cl, [ebp-51] ; compare cl with the 4th character of A ('8' here)
00418492 . 75 0F jnz short 004184A3 ; jump if not equal (fail)
00418494 . 8B45 B8 mov eax, [ebp-48]
00418497 . C780 4C020000>mov dword ptr [eax+24C], 1 ; all four matched: set the registered flag at [this+24C]
004184A1 . EB 3E jmp short 004184E1
004184A3 > 66:C745 CC 44>mov word ptr [ebp-34], 44
004184A9 . BA F4285000 mov edx, 005028F4 ; register code is not correct!\n\nplease copy and paste your user name and register code.
004184AE . 8D45 E4 lea eax, [ebp-1C]
004184B1 . E8 5EB00C00 call 004E3514
004184B6 . FF45 D8 inc dword ptr [ebp-28]
004184B9 . 8B00 mov eax, [eax]
004184BB . E8 34A10800 call 004A25F4
004184C0 . FF4D D8 dec dword ptr [ebp-28]
004184C3 . 8D45 E4 lea eax, [ebp-1C]
004184C6 . BA 02000000 mov edx, 2
004184CB . E8 58B10C00 call 004E3628
004184D0 . 8B4D B8 mov ecx, [ebp-48]
004184D3 . 8B81 FC020000 mov eax, [ecx+2FC]
004184D9 . 8B10 mov edx, [eax]
004184DB . FF92 C0000000 call [edx+C0]
004184E1 > FF4D D8 dec dword ptr [ebp-28]
004184E4 . 8D45 F8 lea eax, [ebp-8]
004184E7 . BA 02000000 mov edx, 2
004184EC . E8 37B10C00 call 004E3628
004184F1 . FF4D D8 dec dword ptr [ebp-28]
004184F4 . 8D45 FC lea eax, [ebp-4]
004184F7 . BA 02000000 mov edx, 2
004184FC . E8 27B10C00 call 004E3628
00418501 . 66:C745 CC 08>mov word ptr [ebp-34], 8
00418507 . 66:C745 CC 00>mov word ptr [ebp-34], 0
0041850D . EB 49 jmp short 00418558
0041850F . 66:C745 CC 50>mov word ptr [ebp-34], 50
00418515 . BA 4B295000 mov edx, 0050294B ; register code is not correct!\n\nplease copy and paste your user name and register code. (a second copy of the same message, on a path not reached from the normal flow above)
0041851A . 8D45 E0 lea eax, [ebp-20]
0041851D . E8 F2AF0C00 call 004E3514
00418522 . FF45 D8 inc dword ptr [ebp-28]
00418525 . 8B00 mov eax, [eax]
00418527 . E8 C8A00800 call 004A25F4
0041852C . FF4D D8 dec dword ptr [ebp-28]
0041852F . 8D45 E0 lea eax, [ebp-20]
00418532 . BA 02000000 mov edx, 2
00418537 . E8 ECB00C00 call 004E3628
0041853C . 8B4D B8 mov ecx, [ebp-48]
0041853F . 8B81 FC020000 mov eax, [ecx+2FC]
00418545 . 8B10 mov edx, [eax]
00418547 . FF92 C0000000 call [edx+C0]
0041854D . 66:C745 CC 10>mov word ptr [ebp-34], 10
00418553 . E8 16800C00 call 004E056E
00418558 > 8B4D BC mov ecx, [ebp-44]
0041855B . 64:890D 00000>mov fs:[0], ecx
00418562 . 5F pop edi
00418563 . 5E pop esi
00418564 . 5B pop ebx
00418565 . 8BE5 mov esp, ebp
00418567 . 5D pop ebp
00418568 . C3 retn
------------------------------------------------------------------------
【Summary】
1. The registration code depends on the user name.
2. Add up the ASCII values of the user-name characters and format the result with %04x; call that A.
3. The 1st, 5th, 6th and 19th characters of the code are compared with the 4th, 2nd, 1st and 3rd characters of A respectively (any o/O typed into the code is first turned into 0); if all four match, registration succeeds. The remaining positions can be anything, but the code must be at least 19 characters long so that the 19th position exists.
4. Registration information is saved in MagicDVDRipper.ini
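As an added example (not part of the original write-up and not the program's own code), here is the check above re-implemented in Python together with a keygen derived from it. The function names are mine; the positions, the %04x formatting and the o/O normalization come straight from the disassembly. The emulation also covers the too-short-code case, where the real program would read past the end of the entered string.

```python
# Added example: re-implementation of the Magic DVD Ripper 4.3 check reversed
# above, plus the matching keygen.  Names are mine; only the algorithm is the
# program's.  User names are assumed to be single-byte (ASCII/Latin-1) text,
# which is what the byte loop at 0041836A-0041837E sums.

def hex_tag(username: str) -> str:
    """Return A: the user-name byte sum formatted as "%04x".

    The and esi,8000FFFF / jns / dec / or / inc sequence at 00418380 is a
    sign-extension of the low 16 bits; for a sum of zero-extended bytes it
    reduces to keeping the low 16 bits.  "%04x" then gives four lowercase
    hex digits (never more, since the value fits in 16 bits).
    """
    total = sum(username.encode("latin-1")) & 0xFFFF
    return f"{total:04x}"


# code position (0-based) -> index into A (0-based),
# from the four cmp instructions at 00418475-00418492
CHECKED_POSITIONS = {5: 0, 4: 1, 18: 2, 0: 3}
CODE_LEN = 19  # highest checked offset is 0x12 = 18, so 19 characters are needed


def normalize_code(code: str) -> str:
    """Mirror the loop at 00418425-00418440: 'o' and 'O' become '0'."""
    return code.replace("o", "0").replace("O", "0")


def check_code(username: str, code: str) -> bool:
    """Emulate the program's decision; True means 'registered'."""
    a = hex_tag(username)
    norm = normalize_code(code)
    if len(norm) < CODE_LEN:
        # The program would read beyond the string here; treat as invalid.
        return False
    return all(norm[pos] == a[idx] for pos, idx in CHECKED_POSITIONS.items())


def make_code(username: str, filler: str = "1") -> str:
    """Keygen: place the four checked characters, fill everything else."""
    a = hex_tag(username)
    chars = [filler] * CODE_LEN
    for pos, idx in CHECKED_POSITIONS.items():
        chars[pos] = a[idx]
    return "".join(chars)


if __name__ == "__main__":
    name = "maomaoma"
    print("A =", hex_tag(name))                          # 0348
    print("code =", make_code(name))                     # 8111301111111111114
    print(check_code(name, make_code(name)))             # True
    print(check_code(name, "1234567801234567891"))       # False (the fake code from step 3)
```

Two things the emulation makes obvious that the summary only implies: only 16 bits of the user name survive into A, so any two names with the same byte sum (for instance anagrams) accept the same code, and only four characters of the 19-character code are ever examined, so the effective check is a 16-bit comparison, not a 19-character one.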
------------------------------------------------------------------------
【Copyright】This article is the author's original work; when reposting, please credit the author and keep the article intact. Thanks!