【文章标题】: Acala DVD Copy 注册过程
【文章作者】: thdzhqg
【软件名称】: Acala DVD Copy
【软件大小】: 2.55 MB
【下载地址】: 自己搜索下载
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: Microsoft Visual C++ 6.0
【使用工具】: od,rsatool,BigInt Calculator1.0
【操作平台】: winxp
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
od载入,根据提示‘invalid license name or license code’来到
; Excerpt from the caller of the license check (presumably the registration dialog's handler).
; The enclosing function starts and ends outside this listing.
; It fetches two member strings, calls 0042D82F(name, code) and formats an error message when the result is 0.
0042DBDE |. 8B8D FCFDFFFF mov ecx, [ebp-204] ; ecx = object pointer kept at [ebp-204] (`this` for the calls below)
0042DBE4 |. E8 BDF10700 call <jmp.&MFC42.#6334_CWnd::UpdateDa> ; CWnd::UpdateData (name cut by the debugger); its argument push is not visible here
0042DBE9 |. 8B8D FCFDFFFF mov ecx, [ebp-204]
0042DBEF |. 81C1 68240000 add ecx, 2468 ; member at this+2468h
0042DBF5 |. E8 16620100 call 00443E10 ; presumably returns the member string's character buffer (same helper feeds sscanf at 0042D9DC)
0042DBFA |. 50 push eax ; Arg2 = license code ([ebp+C] in the callee)
0042DBFB |. 8B8D FCFDFFFF mov ecx, [ebp-204]
0042DC01 |. 81C1 6C240000 add ecx, 246C ; member at this+246Ch
0042DC07 |. E8 04620100 call 00443E10
0042DC0C |. 50 push eax ; |Arg1 = license name ([ebp+8] in the callee)
0042DC0D |. E8 1DFCFFFF call 0042D82F ; \key call: license check 0042D82F(name, code)
0042DC12 |. 83C4 08 add esp, 8 ; caller pops both arguments
0042DC15 |. 85C0 test eax, eax
0042DC17 |. 75 54 jnz short 0042DC6D ; key branch: non-zero result skips the error message (0042DC6D is outside this excerpt)
0042DC19 |. 68 78554E00 push 004E5578 ; /invalid license name or license code
0042DC1E |. 68 A90F0000 push 0FA9 ; |Arg1 = 00000FA9
0042DC23 |. E8 98E4FFFF call 0042C0C0 ; \dvdcopy.0042C0C0 (presumably a lookup by ID 0FA9 with the literal as fallback; confirm)
0042DC28 |. 83C4 08 add esp, 8
0042DC2B |. 50 push eax ; /<%s>
0042DC2C |. 68 A0554E00 push 004E55A0 ; |%s
0042DC31 |. 8D85 00FFFFFF lea eax, [ebp-100] ; |destination: stack buffer at [ebp-100]
0042DC37 |. 50 push eax ; |s
0042DC38 |. FF15 B0064B00 call [<&MSVCRT.sprintf>] ; \sprintf; NOTE(review): no length bound, safe only if the string from 0042C0C0 always fits the buffer (confirm)
0042DC3E |. 83C4 0C add esp, 0C
0042DC41 |. 6A 40 push 40
0042DC43 |. 68 A4554E00 push 004E55A4 ; /sorry
0042DC48 |. 68 A80F0000 push 0FA8 ; |Arg1 = 00000FA8
0042DC4D |. E8 6EE4FFFF call 0042C0C0 ; \dvdcopy.0042C0C0
0042DC52 |. 83C4 08 add esp, 8
0042DC55 |. 50 push eax ; |Arg2 (the call that consumes it is outside this excerpt)
在 0042DC0D 处按 F2 下断点,F9 运行。程序提示需要注册,输入用户名:thdz 注册码:11111111-22222222-33333333-44444444-55555555-66666666-77777777-88888888
断下后跟进 0042DC0D 处的 call(即下面的 0042D82F)
; ---------------------------------------------------------------------------
; 0042D82F: license check, called from 0042DC0D; the caller pops the two arguments.
; In:   [ebp+8] = license name string, [ebp+C] = license code string
; Out:  eax = 1 if the code is accepted for the name, 0 otherwise
; Flow: trim both strings -> fail if either is empty -> sscanf eight hex dwords s1..s8
;       -> s8 ^= s2+s3+s4+s5, s7 ^= s1+s6 -> c = sx ^ e mod n (e = 10001h, n = the eight dwords below)
;       -> reverse the bytes of each dword of c -> compare the resulting string with the name.
; NOTE(review): n is 8 dwords = 256 bits; the summary on this page shows it split into p and q,
;       so a modulus of this size does not protect the scheme.
; NOTE(review): the roles of 0042DFA0, 0044C2AA, 0044C36F, 0044C06F, 0044AE21, 0044C0C4, 0044C3F4,
;       0042E050 and 0042E070 are inferred from their call sites; their bodies are not shown.
; ---------------------------------------------------------------------------
0042D82F /$ 55 push ebp
0042D830 |. 8BEC mov ebp, esp
0042D832 |. 6A FF push -1 ; [ebp-4] = -1 (state slot updated throughout the function)
0042D834 |. 68 ABE24A00 push 004AE2AB ; SEH handler address, stored at [ebp-8]
0042D839 |. 64:A1 0000000>mov eax, fs:[0] ; previous SEH frame
0042D83F |. 50 push eax ; saved at [ebp-C], restored in the epilogue
0042D840 |. 64:8925 00000>mov fs:[0], esp ; install the new frame
0042D847 |. 81EC A8000000 sub esp, 0A8 ; room for locals
0042D84D |. C745 BC 01000>mov dword ptr [ebp-44], 10001 ; e = 10001h (RSA public exponent)
0042D854 C785 70FFFFFF>mov dword ptr [ebp-90], 24E9BFB9 ; n, least significant dword; the next seven stores fill the rest
0042D85E C785 74FFFFFF>mov dword ptr [ebp-8C], 90B44A16
0042D868 C785 78FFFFFF>mov dword ptr [ebp-88], 47C40632
0042D872 C785 7CFFFFFF>mov dword ptr [ebp-84], B0AD66E5
0042D87C C745 80 C5148>mov dword ptr [ebp-80], A58C14C5
0042D883 C745 84 0CC16>mov dword ptr [ebp-7C], 706BC10C
0042D88A C745 88 ECE41>mov dword ptr [ebp-78], 271EE4EC
0042D891 C745 8C D7DA2>mov dword ptr [ebp-74], 7220DAD7 ; n, most significant dword
0042D898 |. 8B45 08 mov eax, [ebp+8] ; eax = license name (Arg1)
0042D89B |. 50 push eax
0042D89C |. 8D4D F0 lea ecx, [ebp-10]
0042D89F |. E8 30F40700 call <jmp.&MFC42.#537_CString::CStrin> ; CString constructor: name object at [ebp-10]
0042D8A4 |. C745 FC 00000>mov dword ptr [ebp-4], 0 ; state slot = 0 (looks like the compiler's unwind-state index; confirm)
0042D8AB |. 8B4D 0C mov ecx, [ebp+C] ; ecx = license code (Arg2)
0042D8AE |. 51 push ecx
0042D8AF |. 8D4D C4 lea ecx, [ebp-3C]
0042D8B2 |. E8 1DF40700 call <jmp.&MFC42.#537_CString::CStrin> ; CString constructor: code object at [ebp-3C]
0042D8B7 |. C645 FC 01 mov byte ptr [ebp-4], 1
0042D8BB |. 68 3C554E00 push 004E553C
0042D8C0 |. 8D4D F0 lea ecx, [ebp-10]
0042D8C3 |. E8 7AF50700 call <jmp.&MFC42.#6928_CString::TrimL>; trim the name on both sides (TrimRight follows); per the author this strips spaces, the character set at 004E553C is not shown
0042D8C8 |. 68 3E554E00 push 004E553E
0042D8CD |. 8D4D F0 lea ecx, [ebp-10]
0042D8D0 |. E8 67F50700 call <jmp.&MFC42.#6930_CString::TrimR>
0042D8D5 |. 68 40554E00 push 004E5540
0042D8DA |. 8D4D C4 lea ecx, [ebp-3C]
0042D8DD |. E8 60F50700 call <jmp.&MFC42.#6928_CString::TrimL>; same trimming for the code
0042D8E2 |. 68 42554E00 push 004E5542
0042D8E7 |. 8D4D C4 lea ecx, [ebp-3C]
0042D8EA |. E8 4DF50700 call <jmp.&MFC42.#6930_CString::TrimR>
0042D8EF |. 68 DE1C5000 push 00501CDE ; /Arg2 = 00501CDE
0042D8F4 |. 8D55 F0 lea edx, [ebp-10] ; |
0042D8F7 |. 52 push edx ; |Arg1 = &name
0042D8F8 |. E8 53070000 call 0042E050 ; \checks whether the name is empty (author's reading; body not shown)
0042D8FD |. 25 FF000000 and eax, 0FF ; only the low byte of the result is used
0042D902 |. 85C0 test eax, eax ; name empty?
0042D904 |. 75 17 jnz short 0042D91D ; non-zero -> failure path
0042D906 |. 68 DF1C5000 push 00501CDF ; /Arg2 = 00501CDF
0042D90B |. 8D45 C4 lea eax, [ebp-3C] ; |
0042D90E |. 50 push eax ; |Arg1 = &code
0042D90F |. E8 3C070000 call 0042E050 ; \same check for the code
0042D914 |. 25 FF000000 and eax, 0FF
0042D919 |. 85C0 test eax, eax ; code empty?
0042D91B |. 74 30 je short 0042D94D ; zero result (not empty) -> continue with the check
0042D91D |> C785 5CFFFFFF>mov dword ptr [ebp-A4], 0 ; failure: return value = 0
0042D927 |. C645 FC 00 mov byte ptr [ebp-4], 0
0042D92B |. 8D4D C4 lea ecx, [ebp-3C]
0042D92E |. E8 CDF10700 call <jmp.&MFC42.#800_CString::~CStri> ; destroy the code string
0042D933 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0042D93A |. 8D4D F0 lea ecx, [ebp-10]
0042D93D |. E8 BEF10700 call <jmp.&MFC42.#800_CString::~CStri> ; destroy the name string
0042D942 |. 8B85 5CFFFFFF mov eax, [ebp-A4]
0042D948 |. E9 72020000 jmp 0042DBBF ; to the shared epilogue with eax = 0 (failure)
0042D94D |> 8D8D 60FFFFFF lea ecx, [ebp-A0]
0042D953 |. E8 48060000 call 0042DFA0 ; presumably constructs the key object at [ebp-A0]
0042D958 |. C645 FC 02 mov byte ptr [ebp-4], 2
0042D95C |. 8B4D BC mov ecx, [ebp-44] ; ecx = e
0042D95F |. 51 push ecx ; /Arg1 = e
0042D960 |. 8D8D 54FFFFFF lea ecx, [ebp-AC] ; |
0042D966 |. E8 3FE90100 call 0044C2AA ; \dvdcopy.0044C2AA (presumably builds a big number from e at [ebp-AC])
0042D96B |. C645 FC 03 mov byte ptr [ebp-4], 3
0042D96F |. 8D95 54FFFFFF lea edx, [ebp-AC]
0042D975 |. 52 push edx ; /Arg1
0042D976 |. 8D8D 68FFFFFF lea ecx, [ebp-98] ; |
0042D97C |. E8 EEE90100 call 0044C36F ; \dvdcopy.0044C36F (presumably copies that value to [ebp-98], inside the key object)
0042D981 |. C645 FC 02 mov byte ptr [ebp-4], 2
0042D985 |. 8D8D 54FFFFFF lea ecx, [ebp-AC]
0042D98B |. E8 64EA0100 call 0044C3F4 ; presumably destroys the temporary at [ebp-AC]
0042D990 |. 6A 08 push 8 ; /Arg2 = 00000008 (dword count)
0042D992 |. 8D85 70FFFFFF lea eax, [ebp-90] ; |address of n
0042D998 |. 50 push eax ; |Arg1
0042D999 |. 8D8D 60FFFFFF lea ecx, [ebp-A0] ; |
0042D99F |. E8 CBE60100 call 0044C06F ; \dvdcopy.0044C06F (presumably loads the 8 dwords of n into the key object)
0042D9A4 |. 6A 20 push 20 ; /n = 20 (32.)
0042D9A6 |. 6A 00 push 0 ; |c = 00
0042D9A8 |. 8D4D D0 lea ecx, [ebp-30] ; |buffer for s1..s8
0042D9AB |. 51 push ecx ; |s
0042D9AC |. E8 4BED0700 call <jmp.&MSVCRT.memset> ; \memset
0042D9B1 |. 83C4 0C add esp, 0C
0042D9B4 |. 8D55 EC lea edx, [ebp-14] ; &s8
0042D9B7 |. 52 push edx
0042D9B8 |. 8D45 E8 lea eax, [ebp-18] ; &s7
0042D9BB |. 50 push eax
0042D9BC |. 8D4D E4 lea ecx, [ebp-1C] ; &s6
0042D9BF |. 51 push ecx
0042D9C0 |. 8D55 E0 lea edx, [ebp-20] ; &s5
0042D9C3 |. 52 push edx
0042D9C4 |. 8D45 DC lea eax, [ebp-24] ; &s4
0042D9C7 |. 50 push eax
0042D9C8 |. 8D4D D8 lea ecx, [ebp-28] ; &s3
0042D9CB |. 51 push ecx
0042D9CC |. 8D55 D4 lea edx, [ebp-2C] ; &s2
0042D9CF |. 52 push edx
0042D9D0 |. 8D45 D0 lea eax, [ebp-30] ; &s1
0042D9D3 |. 50 push eax
0042D9D4 |. 68 44554E00 push 004E5544 ; %08lx-%08lx-%08lx-%08lx-%08lx-%08lx-%08lx-%08lx\n
0042D9D9 |. 8D4D C4 lea ecx, [ebp-3C]
0042D9DC |. E8 2F640100 call 00443E10 ; character buffer of the code string
0042D9E1 |. 50 push eax ; |s
0042D9E2 |. FF15 28064B00 call [<&MSVCRT.sscanf>] ; \sscanf; NOTE(review): the return value is not checked, unparsed fields keep the 0 written by memset
0042D9E8 |. 83C4 28 add esp, 28 ; pop the 10 arguments
0042D9EB |. 8B4D D4 mov ecx, [ebp-2C] ; s2
0042D9EE |. 034D D8 add ecx, [ebp-28] ; s2+s3
0042D9F1 |. 034D DC add ecx, [ebp-24] ; s2+s3+s4
0042D9F4 |. 034D E0 add ecx, [ebp-20] ; s2+s3+s4+s5
0042D9F7 |. 8B55 EC mov edx, [ebp-14] ; s8
0042D9FA |. 33D1 xor edx, ecx ; s8 = (s2+s3+s4+s5) xor s8 (32-bit sum, carry discarded)
0042D9FC |. 8955 EC mov [ebp-14], edx
0042D9FF |. 8B45 D0 mov eax, [ebp-30] ; s1
0042DA02 |. 0345 E4 add eax, [ebp-1C] ; s1+s6
0042DA05 |. 8B4D E8 mov ecx, [ebp-18] ; s7
0042DA08 |. 33C8 xor ecx, eax ; s7 = (s1+s6) xor s7
0042DA0A |. 894D E8 mov [ebp-18], ecx
0042DA0D |. 6A 00 push 0 ; /Arg1 = 00000000
0042DA0F |. 8D4D 90 lea ecx, [ebp-70] ; |
0042DA12 |. E8 93E80100 call 0044C2AA ; \dvdcopy.0044C2AA (presumably a big number at [ebp-70] initialised to 0)
0042DA17 |. C645 FC 04 mov byte ptr [ebp-4], 4
0042DA1B |. 6A 08 push 8 ; /Arg2 = 00000008
0042DA1D |. 8D55 D0 lea edx, [ebp-30] ; |
0042DA20 |. 52 push edx ; |sx = the transformed s1..s8 array
0042DA21 |. 8D4D 90 lea ecx, [ebp-70] ; |
0042DA24 |. E8 46E60100 call 0044C06F ; \dvdcopy.0044C06F (presumably loads sx into [ebp-70])
0042DA29 |. 8D45 90 lea eax, [ebp-70]
0042DA2C |. 50 push eax ; /Arg2 = sx
0042DA2D |. 8D4D C8 lea ecx, [ebp-38] ; |
0042DA30 |. 51 push ecx ; |Arg1 = result object at [ebp-38]
0042DA31 |. 8D8D 60FFFFFF lea ecx, [ebp-A0] ; |key object
0042DA37 |. E8 E5D30100 call 0044AE21 ; \RSA step: c = sx ^ 10001h (mod n)
0042DA3C |. C645 FC 05 mov byte ptr [ebp-4], 5
0042DA40 |. 6A 20 push 20 ; /n = 20 (32.)
0042DA42 |. 6A 00 push 0 ; |c = 00
0042DA44 |. 8D55 D0 lea edx, [ebp-30] ; |the s1..s8 buffer is cleared for reuse
0042DA47 |. 52 push edx ; |s
0042DA48 |. E8 AFEC0700 call <jmp.&MSVCRT.memset> ; \memset
0042DA4D |. 83C4 0C add esp, 0C
0042DA50 |. 6A 08 push 8 ; /Arg2 = 00000008
0042DA52 |. 8D45 D0 lea eax, [ebp-30] ; |
0042DA55 |. 50 push eax ; |Arg1
0042DA56 |. 8D4D C8 lea ecx, [ebp-38] ; |
0042DA59 |. E8 66E60100 call 0044C0C4 ; \dvdcopy.0044C0C4 (presumably stores c as 8 dwords at [ebp-30])
0042DA5E |. 6A 20 push 20 ; /n = 20 (32.)
0042DA60 |. 6A 00 push 0 ; |c = 00
0042DA62 |. 8D4D 98 lea ecx, [ebp-68] ; |output buffer for the byte-reversed result
0042DA65 |. 51 push ecx ; |s
0042DA66 |. E8 91EC0700 call <jmp.&MSVCRT.memset> ; \memset
0042DA6B |. 83C4 0C add esp, 0C
0042DA6E |. C745 B8 00000>mov dword ptr [ebp-48], 0 ; i = 0
0042DA75 |. EB 09 jmp short 0042DA80
0042DA77 |> 8B55 B8 /mov edx, [ebp-48] ; loop: copies each dword of c to [ebp-68] with its four bytes reversed
0042DA7A |. 83C2 01 |add edx, 1
0042DA7D |. 8955 B8 |mov [ebp-48], edx ; i = i + 1
0042DA80 |> 837D B8 08 cmp dword ptr [ebp-48], 8
0042DA84 |. 7D 55 |jge short 0042DADB ; leave the loop once i >= 8
0042DA86 |. 8B45 B8 |mov eax, [ebp-48]
0042DA89 |. 8B4C85 D0 |mov ecx, [ebp+eax*4-30]
0042DA8D |. C1E9 18 |shr ecx, 18 ; shift right by 18h (24) bits: top byte of the dword
0042DA90 |. 8B55 B8 |mov edx, [ebp-48]
0042DA93 |. 884C95 98 |mov [ebp+edx*4-68], cl ; output byte 4*i+0
0042DA97 |. 8B45 B8 |mov eax, [ebp-48]
0042DA9A |. 8B4C85 D0 |mov ecx, [ebp+eax*4-30]
0042DA9E |. 81E1 FFFFFF00 |and ecx, 0FFFFFF 保留前面两位 ; clears the top byte (low 24 bits kept)
0042DAA4 |. C1E9 10 |shr ecx, 10
0042DAA7 |. 8B55 B8 |mov edx, [ebp-48]
0042DAAA |. 884C95 99 |mov [ebp+edx*4-67], cl ; output byte 4*i+1
0042DAAE |. 8B45 B8 |mov eax, [ebp-48]
0042DAB1 |. 8B4C85 D0 |mov ecx, [ebp+eax*4-30]
0042DAB5 |. 81E1 FFFF0000 |and ecx, 0FFFF 保留四位 ; keeps the low 16 bits
0042DABB |. C1E9 08 |shr ecx, 8
0042DABE |. 8B55 B8 |mov edx, [ebp-48]
0042DAC1 |. 884C95 9A |mov [ebp+edx*4-66], cl ; output byte 4*i+2
0042DAC5 |. 8B45 B8 |mov eax, [ebp-48]
0042DAC8 |. 8B4C85 D0 |mov ecx, [ebp+eax*4-30]
0042DACC |. 81E1 FF000000 |and ecx, 0FF 保留六位 ; keeps the low byte only
0042DAD2 |. 8B55 B8 |mov edx, [ebp-48]
0042DAD5 |. 884C95 9B |mov [ebp+edx*4-65], cl ; output byte 4*i+3
0042DAD9 |.^ EB 9C \jmp short 0042DA77
0042DADB |> 8D45 98 lea eax, [ebp-68] ; byte-reversed c
0042DADE |. 50 push eax
0042DADF |. 8D4D C0 lea ecx, [ebp-40]
0042DAE2 |. E8 EDF10700 call <jmp.&MFC42.#537_CString::CStrin> ; CString at [ebp-40] built from that buffer
0042DAE7 |. C645 FC 06 mov byte ptr [ebp-4], 6
0042DAEB |. 8D4D C0 lea ecx, [ebp-40]
0042DAEE |. 51 push ecx ; /Arg2 = string decoded from c
0042DAEF |. 8D55 F0 lea edx, [ebp-10] ; |
0042DAF2 |. 52 push edx ; |Arg1 = &name
0042DAF3 |. E8 78050000 call 0042E070 ; \key comparison: name vs. the string decoded from c
0042DAF8 |. 25 FF000000 and eax, 0FF
0042DAFD |. 85C0 test eax, eax
0042DAFF |. 74 60 je short 0042DB61 ; zero result -> success path
0042DB01 |. C785 50FFFFFF>mov dword ptr [ebp-B0], 0 ; failure: return value = 0
0042DB0B |. C645 FC 05 mov byte ptr [ebp-4], 5
0042DB0F |. 8D4D C0 lea ecx, [ebp-40]
0042DB12 |. E8 E9EF0700 call <jmp.&MFC42.#800_CString::~CStri> ; cleanup of the locals follows, state slot counting down
0042DB17 |. C645 FC 04 mov byte ptr [ebp-4], 4
0042DB1B |. 8D4D C8 lea ecx, [ebp-38]
0042DB1E |. E8 D1E80100 call 0044C3F4
0042DB23 |. C645 FC 02 mov byte ptr [ebp-4], 2
0042DB27 |. 8D4D 90 lea ecx, [ebp-70]
0042DB2A |. E8 C5E80100 call 0044C3F4
0042DB2F |. C645 FC 01 mov byte ptr [ebp-4], 1
0042DB33 |. 8D8D 60FFFFFF lea ecx, [ebp-A0]
0042DB39 |. E8 C2040000 call 0042E000 ; presumably destroys the key object
0042DB3E |. C645 FC 00 mov byte ptr [ebp-4], 0
0042DB42 |. 8D4D C4 lea ecx, [ebp-3C]
0042DB45 |. E8 B6EF0700 call <jmp.&MFC42.#800_CString::~CStri>
0042DB4A |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0042DB51 |. 8D4D F0 lea ecx, [ebp-10]
0042DB54 |. E8 A7EF0700 call <jmp.&MFC42.#800_CString::~CStri>
0042DB59 |. 8B85 50FFFFFF mov eax, [ebp-B0]
0042DB5F |. EB 5E jmp short 0042DBBF ; to the shared epilogue with eax = 0 (failure)
0042DB61 |> C785 4CFFFFFF>mov dword ptr [ebp-B4], 1 ; success: return value = 1
0042DB6B |. C645 FC 05 mov byte ptr [ebp-4], 5
0042DB6F |. 8D4D C0 lea ecx, [ebp-40]
0042DB72 |. E8 89EF0700 call <jmp.&MFC42.#800_CString::~CStri> ; same cleanup sequence as on the failure path
0042DB77 |. C645 FC 04 mov byte ptr [ebp-4], 4
0042DB7B |. 8D4D C8 lea ecx, [ebp-38]
0042DB7E |. E8 71E80100 call 0044C3F4
0042DB83 |. C645 FC 02 mov byte ptr [ebp-4], 2
0042DB87 |. 8D4D 90 lea ecx, [ebp-70]
0042DB8A |. E8 65E80100 call 0044C3F4
0042DB8F |. C645 FC 01 mov byte ptr [ebp-4], 1
0042DB93 |. 8D8D 60FFFFFF lea ecx, [ebp-A0]
0042DB99 |. E8 62040000 call 0042E000
0042DB9E |. C645 FC 00 mov byte ptr [ebp-4], 0
0042DBA2 |. 8D4D C4 lea ecx, [ebp-3C]
0042DBA5 |. E8 56EF0700 call <jmp.&MFC42.#800_CString::~CStri>
0042DBAA |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0042DBB1 |. 8D4D F0 lea ecx, [ebp-10]
0042DBB4 |. E8 47EF0700 call <jmp.&MFC42.#800_CString::~CStri>
0042DBB9 |. 8B85 4CFFFFFF mov eax, [ebp-B4] ; eax = 1
0042DBBF |> 8B4D F4 mov ecx, [ebp-C] ; shared epilogue: previous SEH frame saved in the prologue
0042DBC2 |. 64:890D 00000>mov fs:[0], ecx ; unlink this function's frame
0042DBC9 |. 8BE5 mov esp, ebp
0042DBCB |. 5D pop ebp
0042DBCC \. C3 retn
--------------------------------------------------------------------------------
【经验总结】
1.注册码格式为s1-s2-s3-s4-s5-s6-s7-s8(每段为8位十六进制数),程序在做rsa计算之前先把
s7换成(s1+ s6) xor s7
s8换成(s2+s3+s4+s5)xor s8 (加法为32位加法,溢出部分舍弃)
2.rsa计算
n=7220DAD7271EE4EC706BC10CA58C14C5B0AD66E547C4063290B44A1624E9BFB9
e=10001h
n只有256位,长度太短,可以被分解,所以用rsatool能算出d、p、q
d=240584ACF5D705702F07839607465063AD1FA36A78BDC726D1EBE311769BF7D5
p=A38CFE9AF7DF69E37BAB803DAC2385F3
q=B2A411FA55EDF1892CBCFC201BD632A3
用户名:thdz 十六进制为:7468647A。如果用户名大于4位,例如:thdzhqg,则每4个字符一组,各组按倒序排列,不足4位的组补0,即 hqg0thdz
7468647A ^ 240584ACF5D705702F07839607465063AD1FA36A78BDC726D1EBE311769BF7D5 mod
7220DAD7271EE4EC706BC10CA58C14C5B0AD66E547C4063290B44A1624E9BFB9
得到:5828271E7377BEC7B9F29A83A3F901546CEEB9738AAE0DEFFD8AF66508AC640F
反过来后每八位用-分开:
08AC640F-FD8AF665-8AAE0DEF-6CEEB973-A3F90154-B9F29A83-7377BEC7-5828271E
s1 s2 s3 s4 s5 s6 s7 s8
s7换成(s1+ s6) xor s7
s8换成(s2+s3+s4+s5)xor s8 得
08AC640F-FD8AF665-8AAE0DEF-6CEEB973-A3F90154-B9F29A83-B1E94055-C1089805
再提供一组注册码
thdzhqg
8407E4B5-E06403B7-33EFB1AC-1E593BE8-CECA5276-3A42B0D9-D7EC9D60-2AC06172
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!