[转帖]寻找 Ultra RM Converter 3.5.0411 注册码
寻找 Ultra RM Converter 3.5.0411 注册码
版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://gleisure.blogbus.com/logs/19493598.html
【破解作者】GoOdLeiSuRe
【作者邮箱】zhmwf@sohu.com
【作者主页】http://gleisure.blogbus.com/
【破解日期】2008年4月21日 22:00
【软件名称】Ultra RM Converter
【软件大小】6.2MB
【下载地址】http://www.aone-soft.com/rmconverter.htm
【软件简介】强大易用的 RealMedia(*.RM,*.RMVB) 转换器,可将输入文件转为
AVI, DivX, Xvid, MPEG1, MPEG2, VCD, SVCD, DVD 等等格式,内置 RealMedia
解码器,无需安装 RealPlayer/RealOne,支持批量转换和视频分割。支持输出
DVD 目录结构(VIDEO_TS, AUDIO_TS)及 DVD/SVCD/VCD 盘片映像,以便您使用
第三方刻录软件刻录到盘片上。
【加壳方式】未知
【使用工具】OllyICE
【破解平台】Windows XP
【破解声明】我水平很菜,偶得一点心得,愿与大家分享,错误难免,恳请指正。
【破解过程】
(1)用OllyICE加载“Ultra RM Converter.exe”
0044FB23 > $ E8 00000000 call 0044FB28
0044FB28 $ 60 pushad
0044FB29 . E8 4F000000 call 0044FB7D
0044FB2E . C4AB 61B126B3 les ebp, [ebx+B326B161]
F7进入Call 0044FB7D
0044FB7D $ E8 6EFBFFFF call 0044F6F0
0044FB82 . 7E 04 jle short 0044FB88
F7进入Call 0044F6F0
0044F6F0 $ E8 EBFBFFFF call 0044F2E0
0044F6F5 . 58 pop eax
0044F6F6 . E8 55070000 call 0044FE50
0044F6FB . 58 pop eax
0044F6FC . 894424 24 mov [esp+24], eax
0044F700 . 61 popad
0044F701 . 58 pop eax
0044F702 . 58 pop eax
0044F703 . FFD0 call eax
0044F705 . E8 B0C50000 call 0045BCBA
F7进入Call eax,到达OEP
(2)以上把壳脱了,现在寻找软件注册过程
004260E8 55 push ebp ; 开始
004260E9 8BEC mov ebp, esp
004260EB 6A FF push -1
004260ED 68 A0D94200 push 0042D9A0
004260F2 68 74624200 push 00426274 ; jmp 到 msvcrt._except_handler3
……
00426210 FF15 88A14200 call [42A188] ; Ultra_RM.0045CA0F
00426216 50 push eax
00426217 E8 70000000 call 0042628C ; 进入
0042621C 8945 98 mov [ebp-68], eax
0042621F 50 push eax
00426220 FF15 ACA64200 call [42A6AC] ; msvcrt.exit
F7进入call 0042628C
0042628C FF7424 10 push dword ptr [esp+10]
00426290 FF7424 10 push dword ptr [esp+10]
00426294 FF7424 10 push dword ptr [esp+10]
00426298 FF7424 10 push dword ptr [esp+10]
0042629C E8 43000000 call 004262E4 ; jmp 到 MFC42.#1576_AfxWinMain
004262A1 C2 1000 retn 10
……
004262E4 - FF25 44A44200 jmp [42A444] ; MFC42.#1576_AfxWinMain
F7进入call 004262E4,再跳向[42A444]
73D3CF2D 53 push ebx
73D3CF2E 56 push esi
73D3CF2F 57 push edi
73D3CF30 83CB FF or ebx, FFFFFFFF
73D3CF33 E8 CD40FFFF call #1175_AfxGetThread
73D3CF38 8BF0 mov esi, eax
73D3CF3A E8 97B30800 call #1168_AfxGetModuleState
73D3CF3F FF7424 1C push dword ptr [esp+1C]
73D3CF43 8B78 04 mov edi, [eax+4]
73D3CF46 FF7424 1C push dword ptr [esp+1C]
73D3CF4A FF7424 1C push dword ptr [esp+1C]
73D3CF4E FF7424 1C push dword ptr [esp+1C]
73D3CF52 E8 C1CC0800 call #1575_AfxWinInit
73D3CF57 85C0 test eax, eax
73D3CF59 74 3C je short 73D3CF97
73D3CF5B 85FF test edi, edi
73D3CF5D 74 0E je short 73D3CF6D
73D3CF5F 8B07 mov eax, [edi]
73D3CF61 8BCF mov ecx, edi
73D3CF63 FF90 8C000000 call [eax+8C]
73D3CF69 85C0 test eax, eax
73D3CF6B 74 2A je short 73D3CF97
73D3CF6D 8B06 mov eax, [esi]
73D3CF6F 8BCE mov ecx, esi
73D3CF71 FF50 58 call [eax+58] ; Ultra_RM.0041A9B0
F7进入call [eax+58]
0041A9B0 6A FF push -1
0041A9B2 64:A1 00000000 mov eax, fs:[0]
0041A9B8 68 548B4200 push 00428B54
0041A9BD 50 push eax
0041A9BE B8 C4530000 mov eax, 53C4
0041A9C3 64:8925 00000000 mov fs:[0], esp
0041A9CA E8 C1B60000 call 00426090
0041A9CF 53 push ebx
0041A9D0 55 push ebp
0041A9D1 56 push esi
0041A9D2 57 push edi
0041A9D3 8BE9 mov ebp, ecx
0041A9D5 E8 D6B50000 call 00425FB0 ; jmp 到 MFC42.#2621_CWinApp::Enable3dControls
0041A9DA 6A 02 push 2
0041A9DC FF15 68A14200 call [42A168] ; kernel32.SetErrorMode
0041A9E2 B9 40000000 mov ecx, 40
0041A9E7 33C0 xor eax, eax
0041A9E9 BF F8724300 mov edi, 004372F8
0041A9EE F3:AB rep stos dword ptr es:[edi]
0041A9F0 B9 40000000 mov ecx, 40
0041A9F5 BF F8714300 mov edi, 004371F8
0041A9FA F3:AB rep stos dword ptr es:[edi]
0041A9FC 8D4424 1C lea eax, [esp+1C]
0041AA00 50 push eax
0041AA01 E8 CACCFFFF call 004176D0
0041AA06 83C4 04 add esp, 4
0041AA09 68 C4534300 push 004353C4 ; ASCII "app.ini"
0041AA0E 8D4C24 20 lea ecx, [esp+20]
0041AA12 C78424 E0530000 0>mov dword ptr [esp+53E0], 0
0041AA1D E8 A6B20000 call 00425CC8 ; jmp 到 MFC42.#941_CString::operator+=
0041AA22 8B4C24 1C mov ecx, [esp+1C] ; ASCII "……\Ultra RM Converter\app.ini"
0041AA26 8B1D 1CA14200 mov ebx, [42A11C] ; Ultra_RM.0045C6E9
0041AA2C 51 push ecx
0041AA2D 68 00010000 push 100
0041AA32 68 F8724300 push 004372F8
0041AA37 68 B8534300 push 004353B8 ; ASCII "ErrorApp"
0041AA3C 68 B0534300 push 004353B0 ; ASCII "AppName"
0041AA41 68 A8534300 push 004353A8 ; ASCII "main"
0041AA46 FFD3 call ebx
0041AA48 BF F8724300 mov edi, 004372F8
0041AA4D 83C9 FF or ecx, FFFFFFFF
0041AA50 33C0 xor eax, eax
0041AA52 F2:AE repne scas byte ptr es:[edi]
0041AA54 F7D1 not ecx
0041AA56 2BF9 sub edi, ecx
0041AA58 8BD1 mov edx, ecx
0041AA5A 8BF7 mov esi, edi
0041AA5C BF F8714300 mov edi, 004371F8
0041AA61 C1E9 02 shr ecx, 2
0041AA64 F3:A5 rep movs dword ptr es:[edi], dword p>
0041AA66 8BCA mov ecx, edx
0041AA68 83E1 03 and ecx, 3
0041AA6B F3:A4 rep movs byte ptr es:[edi], byte ptr>
0041AA6D A0 F8714300 mov al, [4371F8]
0041AA72 84C0 test al, al
0041AA74 74 15 je short 0041AA8B
0041AA76 B8 F8714300 mov eax, 004371F8
0041AA7B 8038 20 cmp byte ptr [eax], 20
0041AA7E 75 03 jnz short 0041AA83
0041AA80 C600 5F mov byte ptr [eax], 5F
0041AA83 8A48 01 mov cl, [eax+1]
0041AA86 40 inc eax
0041AA87 84C9 test cl, cl
0041AA89 ^ 75 F0 jnz short 0041AA7B
0041AA8B 68 F8724300 push 004372F8
0041AA90 6A 00 push 0
0041AA92 68 01001F00 push 1F0001
0041AA97 FF15 64A14200 call [42A164] ; kernel32.OpenMutexA
0041AA9D 85C0 test eax, eax
0041AA9F 8985 D4000000 mov [ebp+D4], eax
0041AAA5 0F85 81060000 jnz 0041B12C
0041AAAB 68 F8724300 push 004372F8
0041AAB0 6A 01 push 1
0041AAB2 50 push eax
0041AAB3 FF15 60A14200 call [42A160] ; kernel32.CreateMutexA
0041AAB9 8985 D4000000 mov [ebp+D4], eax
0041AABF E8 2CAE0000 call 004258F0
0041AAC4 68 9C534300 push 0043539C ; ASCII "aveData.dll"
0041AAC9 FF15 08A14200 call [42A108] ; Ultra_RM.0045C906
0041AACF 85C0 test eax, eax
0041AAD1 A3 107D4300 mov [437D10], eax
0041AAD6 74 39 je short 0041AB11
0041AAD8 8B35 5CA14200 mov esi, [42A15C] ; Ultra_RM.0045CAF9
0041AADE 68 8C534300 push 0043538C ; ASCII "?ge_init@@YAXXZ"
0041AAE3 50 push eax
0041AAE4 FFD6 call esi
0041AAE6 85C0 test eax, eax
0041AAE8 74 27 je short 0041AB11
0041AAEA FFD0 call eax
0041AAEC A1 107D4300 mov eax, [437D10]
0041AAF1 68 74534300 push 00435374 ; ASCII "?ge_check@@YAHPBD0@Z"
0041AAF6 50 push eax
0041AAF7 FFD6 call esi
0041AAF9 8B0D 107D4300 mov ecx, [437D10]
0041AAFF 68 60534300 push 00435360 ; ASCII "?ge_check_ok@@YAHXZ"
0041AB04 51 push ecx
0041AB05 A3 F4714300 mov [4371F4], eax
0041AB0A FFD6 call esi
0041AB0C A3 F0714300 mov [4371F0], eax
0041AB11 E8 6AD5FFFF call 00418080
0041AB16 85C0 test eax, eax
0041AB18 0F85 AE000000 jnz 0041ABCC
0041AB1E 8D5424 10 lea edx, [esp+10]
0041AB22 52 push edx
0041AB23 E8 28CDFFFF call 00417850
0041AB28 83C4 04 add esp, 4
0041AB2B 68 54534300 push 00435354 ; ASCII "\AVERM.dll"
0041AB30 50 push eax
0041AB31 8D4424 20 lea eax, [esp+20]
0041AB35 C68424 E4530000 0>mov byte ptr [esp+53E4], 1
0041AB3D 50 push eax
0041AB3E E8 1DB30000 call 00425E60 ; jmp 到 MFC42.#924_operator+
0041AB43 50 push eax
0041AB44 8BCD mov ecx, ebp
0041AB46 C68424 E0530000 0>mov byte ptr [esp+53E0], 2
0041AB4E E8 DD080000 call 0041B430
0041AB53 8D4C24 18 lea ecx, [esp+18]
0041AB57 C68424 DC530000 0>mov byte ptr [esp+53DC], 1
0041AB5F E8 66AF0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AB64 8D4C24 10 lea ecx, [esp+10]
0041AB68 C68424 DC530000 0>mov byte ptr [esp+53DC], 0
0041AB70 E8 55AF0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AB75 8D4C24 18 lea ecx, [esp+18]
0041AB79 51 push ecx
0041AB7A E8 D1CCFFFF call 00417850
0041AB7F 83C4 04 add esp, 4
0041AB82 68 48534300 push 00435348 ; ASCII "\AVEQT.dll"
0041AB87 8D5424 14 lea edx, [esp+14]
0041AB8B 50 push eax
0041AB8C 52 push edx
0041AB8D C68424 E8530000 0>mov byte ptr [esp+53E8], 3
0041AB95 E8 C6B20000 call 00425E60 ; jmp 到 MFC42.#924_operator+
0041AB9A 50 push eax
0041AB9B 8BCD mov ecx, ebp
0041AB9D C68424 E0530000 0>mov byte ptr [esp+53E0], 4
0041ABA5 E8 86080000 call 0041B430
0041ABAA 8D4C24 10 lea ecx, [esp+10]
0041ABAE C68424 DC530000 0>mov byte ptr [esp+53DC], 3
0041ABB6 E8 0FAF0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ABBB 8D4C24 18 lea ecx, [esp+18]
0041ABBF C68424 DC530000 0>mov byte ptr [esp+53DC], 0
0041ABC7 E8 FEAE0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ABCC B9 10000000 mov ecx, 10
0041ABD1 33C0 xor eax, eax
0041ABD3 8DBC24 88000000 lea edi, [esp+88]
0041ABDA F3:AB rep stos dword ptr es:[edi]
0041ABDC B9 20000000 mov ecx, 20
0041ABE1 8DBC24 C8000000 lea edi, [esp+C8]
0041ABE8 F3:AB rep stos dword ptr es:[edi]
0041ABEA 8D4C24 14 lea ecx, [esp+14]
0041ABEE E8 F5AE0000 call 00425AE8 ; jmp 到 MFC42.#540_CString::CString
0041ABF3 8D4424 10 lea eax, [esp+10]
0041ABF7 C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041ABFF 50 push eax
0041AC00 E8 CBCAFFFF call 004176D0
0041AC05 83C4 04 add esp, 4
0041AC08 50 push eax
0041AC09 8D4C24 18 lea ecx, [esp+18]
0041AC0D C68424 E0530000 0>mov byte ptr [esp+53E0], 6
0041AC15 E8 9EAE0000 call 00425AB8 ; jmp 到 MFC42.#858_CString::operator=
0041AC1A 8D4C24 10 lea ecx, [esp+10]
0041AC1E C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041AC26 E8 9FAE0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AC2B 8D4C24 14 lea ecx, [esp+14]
0041AC2F 68 C8434300 push 004343C8 ; ASCII "data.ini"
//从“app.ini”段执行过程,得知“data.ini”用来存储软件注册信息
0041AC34 8D5424 14 lea edx, [esp+14]
0041AC38 51 push ecx
0041AC39 52 push edx
0041AC3A E8 21B20000 call 00425E60 ; jmp 到 MFC42.#924_operator+
0041AC3F 50 push eax
0041AC40 8D4C24 18 lea ecx, [esp+18]
0041AC44 C68424 E0530000 0>mov byte ptr [esp+53E0], 7
0041AC4C E8 67AE0000 call 00425AB8 ; jmp 到 MFC42.#858_CString::operator=
0041AC51 8D4C24 10 lea ecx, [esp+10]
0041AC55 C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041AC5D E8 68AE0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AC62 8B4424 14 mov eax, [esp+14]
0041AC66 8D8C24 88000000 lea ecx, [esp+88]
0041AC6D 50 push eax ; 开始读取注册码
0041AC6E 6A 3F push 3F
0041AC70 51 push ecx
0041AC71 68 80714300 push 00437180
0041AC76 68 B8434300 push 004343B8 ; ASCII "License Name"
0041AC7B 68 AC434300 push 004343AC ; ASCII "Register"
0041AC80 FFD3 call ebx
0041AC82 8B5424 14 mov edx, [esp+14]
0041AC86 8D8424 C8000000 lea eax, [esp+C8]
0041AC8D 52 push edx
0041AC8E 6A 7F push 7F
0041AC90 50 push eax
0041AC91 68 80714300 push 00437180
0041AC96 68 9C434300 push 0043439C ; ASCII "License Code"
0041AC9B 68 AC434300 push 004343AC ; ASCII "Register"
0041ACA0 FFD3 call ebx
0041ACA2 8D8C24 88000000 lea ecx, [esp+88]
0041ACA9 8DB5 CC000000 lea esi, [ebp+CC]
0041ACAF 51 push ecx
0041ACB0 68 EC464300 push 004346EC ; ASCII "%s"
0041ACB5 56 push esi
0041ACB6 E8 3FAE0000 call 00425AFA ; jmp 到 MFC42.#2818_CString::Format
0041ACBB 83C4 0C add esp, 0C
0041ACBE 8D9424 C8000000 lea edx, [esp+C8]
0041ACC5 8DBD C8000000 lea edi, [ebp+C8]
0041ACCB 52 push edx
0041ACCC 68 EC464300 push 004346EC ; ASCII "%s"
0041ACD1 57 push edi
0041ACD2 E8 23AE0000 call 00425AFA ; jmp 到 MFC42.#2818_CString::Format
0041ACD7 8B07 mov eax, [edi] ; 注册码
0041ACD9 8B0E mov ecx, [esi] ; 用户名
//从以上得知软件注册文件内容为
//[Register]
//License Name="用户名"
//License Code="注册码"
0041ACDB 50 push eax
0041ACDC 51 push ecx
0041ACDD E8 FCAB0000 call 004258DE ; 判断注册码是否正确过程
(3)分析call 004258DE
004258DE - FF25 24A04200 jmp [42A024] ; MBX@8C0@.00B01640
来到MBX@8C0@领空
00B01640 64:A1 00000000 mov eax, fs:[0]
00B01646 6A FF push -1
00B01648 68 7AAAB000 push 00B0AA7A
00B0164D 50 push eax
00B0164E 64:8925 00000000 mov fs:[0], esp
……
00B01946 68 04D1B000 push 00B0D104 ; ASCII "%08lX"
00B0194B 50 push eax
00B0194C E8 F7200000 call 00B03A48
00B01951 8B9424 B4030000 mov edx, [esp+3B4]
00B01958 8D8C24 94000000 lea ecx, [esp+94]
//以上二行明显能看出注册码是什么了
00B0195F 6A 08 push 8
00B01961 51 push ecx
00B01962 52 push edx
00B01963 E8 A8200000 call 00B03A10 ; 比较注册码是否正确
00B01968 83C4 18 add esp, 18
00B0196B 85C0 test eax, eax
00B0196D 5F pop edi
00B0196E 5E pop esi
00B0196F 5D pop ebp
00B01970 5B pop ebx
00B01971 0F85 83000000 jnz 00B019FA ; 不正确则跳
00B01977 8D4C24 30 lea ecx, [esp+30]
00B0197B C68424 8C030000 0>mov byte ptr [esp+38C], 9
00B01983 E8 48110000 call 00B02AD0
00B01988 8D4C24 28 lea ecx, [esp+28]
00B0198C C68424 8C030000 0>mov byte ptr [esp+38C], 8
00B01994 E8 37110000 call 00B02AD0
00B01999 8D4C24 20 lea ecx, [esp+20]
00B0199D C68424 8C030000 0>mov byte ptr [esp+38C], 0A
00B019A5 E8 26110000 call 00B02AD0
00B019AA 8D4C24 18 lea ecx, [esp+18]
00B019AE C68424 8C030000 0>mov byte ptr [esp+38C], 1
00B019B6 E8 15110000 call 00B02AD0
00B019BB 8D4C24 10 lea ecx, [esp+10]
00B019BF C68424 8C030000 0>mov byte ptr [esp+38C], 0
00B019C7 E8 04110000 call 00B02AD0
00B019CC 8D4C24 00 lea ecx, [esp]
00B019D0 C78424 8C030000 F>mov dword ptr [esp+38C], -1
00B019DB E8 F0100000 call 00B02AD0
00B019E0 B8 01000000 mov eax, 1
00B019E5 8B8C24 84030000 mov ecx, [esp+384]
00B019EC 64:890D 00000000 mov fs:[0], ecx
00B019F3 81C4 90030000 add esp, 390
00B019F9 C3 retn
00B019FA 8D4C24 30 lea ecx, [esp+30]
00B019FE C68424 8C030000 0>mov byte ptr [esp+38C], 0C
00B01A06 E8 C5100000 call 00B02AD0
00B01A0B 8D4C24 28 lea ecx, [esp+28]
00B01A0F C68424 8C030000 0>mov byte ptr [esp+38C], 0B
00B01A17 E8 B4100000 call 00B02AD0
00B01A1C 8D4C24 20 lea ecx, [esp+20]
00B01A20 C68424 8C030000 0>mov byte ptr [esp+38C], 0D
00B01A28 E8 A3100000 call 00B02AD0
00B01A2D 8D4C24 18 lea ecx, [esp+18]
00B01A31 C68424 8C030000 0>mov byte ptr [esp+38C], 1
00B01A39 E8 92100000 call 00B02AD0
00B01A3E 8D4C24 10 lea ecx, [esp+10]
00B01A42 C68424 8C030000 0>mov byte ptr [esp+38C], 0
00B01A4A E8 81100000 call 00B02AD0
00B01A4F 8D4C24 00 lea ecx, [esp]
00B01A53 C78424 8C030000 F>mov dword ptr [esp+38C], -1
00B01A5E E8 6D100000 call 00B02AD0
00B01A63 8B8C24 84030000 mov ecx, [esp+384]
00B01A6A 33C0 xor eax, eax
00B01A6C 64:890D 00000000 mov fs:[0], ecx
00B01A73 81C4 90030000 add esp, 390
00B01A79 C3 retn
(4)回到主模块领空
0041ACE2 BB 01000000 mov ebx, 1
0041ACE7 83C4 14 add esp, 14
0041ACEA 3BC3 cmp eax, ebx
0041ACEC 8985 C4000000 mov [ebp+C4], eax
0041ACF2 75 05 jnz short 0041ACF9
0041ACF4 E8 F1AB0000 call 004258EA
F7进入call 004258EA再次验证
(5)call 004258EA
00B01BA0 83EC 50 sub esp, 50
00B01BA3 53 push ebx
00B01BA4 56 push esi
00B01BA5 57 push edi
00B01BA6 B9 10000000 mov ecx, 10
00B01BAB 33C0 xor eax, eax
00B01BAD 8D7C24 18 lea edi, [esp+18]
00B01BB1 F3:AB rep stos dword ptr es:[edi]
00B01BB3 AA stos byte ptr es:[edi]
00B01BB4 33C0 xor eax, eax
00B01BB6 68 00040000 push 400
00B01BBB 894424 10 mov [esp+10], eax
00B01BBF 894424 14 mov [esp+14], eax
00B01BC3 66:894424 18 mov [esp+18], ax
00B01BC8 E8 091D0000 call 00B038D6
00B01BCD 83C4 04 add esp, 4
00B01BD0 8BD8 mov ebx, eax
00B01BD2 E8 89F6FFFF call 00B01260
00B01BD7 8BF8 mov edi, eax
00B01BD9 83C9 FF or ecx, FFFFFFFF
00B01BDC 33C0 xor eax, eax
00B01BDE 53 push ebx
00B01BDF F2:AE repne scas byte ptr es:[edi]
00B01BE1 F7D1 not ecx
00B01BE3 2BF9 sub edi, ecx
00B01BE5 6A 41 push 41
00B01BE7 8BD1 mov edx, ecx
00B01BE9 8BF7 mov esi, edi
00B01BEB 8BFB mov edi, ebx
00B01BED C1E9 02 shr ecx, 2
00B01BF0 F3:A5 rep movs dword ptr es:[edi], dword p>
00B01BF2 8BCA mov ecx, edx
00B01BF4 83E1 03 and ecx, 3
00B01BF7 F3:A4 rep movs byte ptr es:[edi], byte ptr>
00B01BF9 BF 18D1B000 mov edi, 00B0D118 ; ASCII "data.ini"
00B01BFE 83C9 FF or ecx, FFFFFFFF
00B01C01 F2:AE repne scas byte ptr es:[edi]
00B01C03 F7D1 not ecx
00B01C05 2BF9 sub edi, ecx
00B01C07 8BF7 mov esi, edi
00B01C09 8BD1 mov edx, ecx
00B01C0B 8BFB mov edi, ebx
00B01C0D 83C9 FF or ecx, FFFFFFFF
00B01C10 F2:AE repne scas byte ptr es:[edi]
00B01C12 8BCA mov ecx, edx
00B01C14 4F dec edi
00B01C15 C1E9 02 shr ecx, 2
00B01C18 F3:A5 rep movs dword ptr es:[edi], dword p>
00B01C1A 8BCA mov ecx, edx
00B01C1C 8D4424 20 lea eax, [esp+20]
00B01C20 83E1 03 and ecx, 3
00B01C23 50 push eax
00B01C24 F3:A4 rep movs byte ptr es:[edi], byte ptr>
00B01C26 8B0D F0FEB000 mov ecx, [B0FEF0]
00B01C2C 8B35 18B0B000 mov esi, [B0B018] ; Ultra_RM.0045C6E9
00B01C32 81C1 400B0000 add ecx, 0B40
00B01C38 68 F40AB100 push 00B10AF4
00B01C3D 51 push ecx
00B01C3E 68 0CD1B000 push 00B0D10C ; ASCII "Register"
00B01C43 FFD6 call esi
00B01C45 A1 F0FEB000 mov eax, [B0FEF0]
00B01C4A 53 push ebx
00B01C4B 8D5424 10 lea edx, [esp+10]
00B01C4F 6A 09 push 9
00B01C51 52 push edx
00B01C52 05 600B0000 add eax, 0B60
00B01C57 68 F40AB100 push 00B10AF4
00B01C5C 50 push eax
00B01C5D 68 0CD1B000 push 00B0D10C ; ASCII "Register"
00B01C62 FFD6 call esi
00B01C64 53 push ebx
00B01C65 E8 831B0000 call 00B037ED
00B01C6A 8A4424 1C mov al, [esp+1C]
00B01C6E 83C4 04 add esp, 4
00B01C71 84C0 test al, al
00B01C73 5F pop edi
00B01C74 5E pop esi
00B01C75 5B pop ebx
00B01C76 74 1E je short 00B01C96
00B01C78 8A4424 00 mov al, [esp]
00B01C7C 84C0 test al, al
00B01C7E 74 16 je short 00B01C96
00B01C80 8D4C24 00 lea ecx, [esp]
00B01C84 8D5424 0C lea edx, [esp+C]
00B01C88 51 push ecx
00B01C89 52 push edx
00B01C8A E8 B1F9FFFF call 00B01640 ; 验证注册码是不正确
00B01C8F 83C4 08 add esp, 8
00B01C92 85C0 test eax, eax
00B01C94 75 0A jnz short 00B01CA0 ; 验证正确必须跳
00B01C96 C705 F0FEB000 000>mov dword ptr [B0FEF0], 0
00B01CA0 83C4 50 add esp, 50
00B01CA3 C3 retn
(6)回到主模块领空
0041ACE2 BB 01000000 mov ebx, 1
0041ACE7 83C4 14 add esp, 14
0041ACEA 3BC3 cmp eax, ebx
0041ACEC 8985 C4000000 mov [ebp+C4], eax
0041ACF2 75 05 jnz short 0041ACF9
0041ACF4 E8 F1AB0000 call 004258EA
0041ACF9 8B85 C4000000 mov eax, [ebp+C4]
0041ACFF 85C0 test eax, eax
0041AD01 75 2E jnz short 0041AD31 ; 正确则跳
0041AD03 A1 107D4300 mov eax, [437D10]
0041AD08 85C0 test eax, eax
0041AD0A 74 25 je short 0041AD31
0041AD0C 8B3F mov edi, [edi]
0041AD0E 8B36 mov esi, [esi]
0041AD10 57 push edi
0041AD11 56 push esi
0041AD12 FF15 F4714300 call [4371F4] ; MBX@D0_1.00B31B70
0041AD18 83C4 08 add esp, 8
0041AD1B 3BC3 cmp eax, ebx
0041AD1D 8985 C4000000 mov [ebp+C4], eax
0041AD23 75 0C jnz short 0041AD31
0041AD25 FF15 F0714300 call [4371F0] ; MBX@D0_1.00B32060
0041AD2B 891D 147D4300 mov [437D14], ebx
0041AD31 E8 4AD3FFFF call 00418080
0041AD36 85C0 test eax, eax
0041AD38 75 31 jnz short 0041AD6B
0041AD3A E8 4BB10000 call 00425E8A ; jmp 到 MFC42.#1168_AfxGetModuleState
0041AD3F 8B40 08 mov eax, [eax+8]
0041AD42 6A 00 push 0
0041AD44 68 34534300 push 00435334 ; ASCII "E5BCA258B21FCA2D"
0041AD49 68 2C534300 push 0043532C ; ASCII "Demo"
0041AD4E 50 push eax
0041AD4F E8 72AB0000 call 004258C6 ; jmp 到 SkinMagi.InitSkinMagicLib
0041AD54 68 1C534300 push 0043531C ; ASCII "RT_SKINMAGIC"
0041AD59 68 89000000 push 89
0041AD5E 6A 00 push 0
0041AD60 E8 5BAB0000 call 004258C0 ; jmp 到 SkinMagi.LoadSkinFromResource
0041AD65 899D D0000000 mov [ebp+D0], ebx
0041AD6B 8B85 C4000000 mov eax, [ebp+C4]
0041AD71 85C0 test eax, eax
0041AD73 75 63 jnz short 0041ADD8 ; 正确则跳
0041AD75 6A 00 push 0
0041AD77 8D4C24 24 lea ecx, [esp+24]
0041AD7B E8 5082FFFF call 00412FD0
0041AD80 8D4C24 20 lea ecx, [esp+20]
0041AD84 C68424 DC530000 0>mov byte ptr [esp+53DC], 8
0041AD8C E8 CBAB0000 call 0042595C ; jmp 到 MFC42.#2514_CDialog::DoModal
0041AD91 E8 EAD2FFFF call 00418080
0041AD96 85C0 test eax, eax
0041AD98 75 05 jnz short 0041AD9F
0041AD9A E8 1BAB0000 call 004258BA ; jmp 到 SkinMagi.RemoveDialogSkin
0041AD9F 8D8C24 84000000 lea ecx, [esp+84]
0041ADA6 C68424 DC530000 0>mov byte ptr [esp+53DC], 0A
0041ADAE E8 17AD0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ADB3 8D8C24 80000000 lea ecx, [esp+80]
0041ADBA C68424 DC530000 0>mov byte ptr [esp+53DC], 9
0041ADC2 E8 03AD0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ADC7 8D4C24 20 lea ecx, [esp+20]
0041ADCB C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041ADD3 E8 B0AC0000 call 00425A88 ; jmp 到 MFC42.#641_CDialog::~CDialog
0041ADD8 B9 28744300 mov ecx, 00437428
0041ADDD E8 CE55FFFF call 004103B0
0041ADE2 6A 00 push 0
0041ADE4 8D8C24 4C010000 lea ecx, [esp+14C]
0041ADEB E8 A00A0000 call 0041B890
0041ADF0 8D8424 48010000 lea eax, [esp+148]
0041ADF7 8D8C24 48010000 lea ecx, [esp+148]
0041ADFE C68424 DC530000 0>mov byte ptr [esp+53DC], 0B
0041AE06 8945 20 mov [ebp+20], eax ; 下一个CALL 调用界面
0041AE09 E8 4EAB0000 call 0042595C ; jmp 到 MFC42.#2514_CDialog::DoModal
0041AE0E 8D8C24 5C530000 lea ecx, [esp+535C]
(7)call 0042595C 显示程序主界面
(8)注册算法
因时间原因,暂不分析注册码计算过程。
【破解总结】本程序注册码以“明文”显示出来,仅找注册码是不难的。
【版权声明】本文纯属技术交流,转载请注明作者并保持文章的完整,谢谢!
版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://gleisure.blogbus.com/logs/19493598.html
【破解作者】GoOdLeiSuRe
【作者邮箱】zhmwf@sohu.com
【作者主页】http://gleisure.blogbus.com/
【破解日期】2008年4月21日 22:00
【软件名称】Ultra RM Converter
【软件大小】6.2MB
【下载地址】http://www.aone-soft.com/rmconverter.htm
【软件简介】强大易用的 RealMedia(*.RM,*.RMVB) 转换器,可将输入文件转为
AVI, DivX, Xvid, MPEG1, MPEG2, VCD, SVCD, DVD 等等格式,内置 RealMedia
解码器,无需安装 RealPlayer/RealOne,支持批量转换和视频分割。支持输出
DVD 目录结构(VIDEO_TS, AUDIO_TS)及 DVD/SVCD/VCD 盘片映像,以便您使用
第三方刻录软件刻录到盘片上。
【加壳方式】未知
【使用工具】OllyICE
【破解平台】Windows XP
【破解声明】我水平很菜,偶得一点心得,愿与大家分享,错误难免,恳请指正。
【破解过程】
(1)用OllyICE加载“Ultra RM Converter.exe”
0044FB23 > $ E8 00000000 call 0044FB28
0044FB28 $ 60 pushad
0044FB29 . E8 4F000000 call 0044FB7D
0044FB2E . C4AB 61B126B3 les ebp, [ebx+B326B161]
F7进入Call 0044FB7D
0044FB7D $ E8 6EFBFFFF call 0044F6F0
0044FB82 . 7E 04 jle short 0044FB88
F7进入Call 0044F6F0
0044F6F0 $ E8 EBFBFFFF call 0044F2E0
0044F6F5 . 58 pop eax
0044F6F6 . E8 55070000 call 0044FE50
0044F6FB . 58 pop eax
0044F6FC . 894424 24 mov [esp+24], eax
0044F700 . 61 popad
0044F701 . 58 pop eax
0044F702 . 58 pop eax
0044F703 . FFD0 call eax
0044F705 . E8 B0C50000 call 0045BCBA
F7进入Call eax,到达OEP
(2)以上把壳脱了,现在寻找软件注册过程
004260E8 55 push ebp ; 开始
004260E9 8BEC mov ebp, esp
004260EB 6A FF push -1
004260ED 68 A0D94200 push 0042D9A0
004260F2 68 74624200 push 00426274 ; jmp 到 msvcrt._except_handler3
……
00426210 FF15 88A14200 call [42A188] ; Ultra_RM.0045CA0F
00426216 50 push eax
00426217 E8 70000000 call 0042628C ; 进入
0042621C 8945 98 mov [ebp-68], eax
0042621F 50 push eax
00426220 FF15 ACA64200 call [42A6AC] ; msvcrt.exit
F7进入call 0042628C
0042628C FF7424 10 push dword ptr [esp+10]
00426290 FF7424 10 push dword ptr [esp+10]
00426294 FF7424 10 push dword ptr [esp+10]
00426298 FF7424 10 push dword ptr [esp+10]
0042629C E8 43000000 call 004262E4 ; jmp 到 MFC42.#1576_AfxWinMain
004262A1 C2 1000 retn 10
……
004262E4 - FF25 44A44200 jmp [42A444] ; MFC42.#1576_AfxWinMain
F7进入call 004262E4,再跳向[42A444]
73D3CF2D 53 push ebx
73D3CF2E 56 push esi
73D3CF2F 57 push edi
73D3CF30 83CB FF or ebx, FFFFFFFF
73D3CF33 E8 CD40FFFF call #1175_AfxGetThread
73D3CF38 8BF0 mov esi, eax
73D3CF3A E8 97B30800 call #1168_AfxGetModuleState
73D3CF3F FF7424 1C push dword ptr [esp+1C]
73D3CF43 8B78 04 mov edi, [eax+4]
73D3CF46 FF7424 1C push dword ptr [esp+1C]
73D3CF4A FF7424 1C push dword ptr [esp+1C]
73D3CF4E FF7424 1C push dword ptr [esp+1C]
73D3CF52 E8 C1CC0800 call #1575_AfxWinInit
73D3CF57 85C0 test eax, eax
73D3CF59 74 3C je short 73D3CF97
73D3CF5B 85FF test edi, edi
73D3CF5D 74 0E je short 73D3CF6D
73D3CF5F 8B07 mov eax, [edi]
73D3CF61 8BCF mov ecx, edi
73D3CF63 FF90 8C000000 call [eax+8C]
73D3CF69 85C0 test eax, eax
73D3CF6B 74 2A je short 73D3CF97
73D3CF6D 8B06 mov eax, [esi]
73D3CF6F 8BCE mov ecx, esi
73D3CF71 FF50 58 call [eax+58] ; Ultra_RM.0041A9B0
F7进入call [eax+58]
0041A9B0 6A FF push -1
0041A9B2 64:A1 00000000 mov eax, fs:[0]
0041A9B8 68 548B4200 push 00428B54
0041A9BD 50 push eax
0041A9BE B8 C4530000 mov eax, 53C4
0041A9C3 64:8925 00000000 mov fs:[0], esp
0041A9CA E8 C1B60000 call 00426090
0041A9CF 53 push ebx
0041A9D0 55 push ebp
0041A9D1 56 push esi
0041A9D2 57 push edi
0041A9D3 8BE9 mov ebp, ecx
0041A9D5 E8 D6B50000 call 00425FB0 ; jmp 到 MFC42.#2621_CWinApp::Enable3dControls
0041A9DA 6A 02 push 2
0041A9DC FF15 68A14200 call [42A168] ; kernel32.SetErrorMode
0041A9E2 B9 40000000 mov ecx, 40
0041A9E7 33C0 xor eax, eax
0041A9E9 BF F8724300 mov edi, 004372F8
0041A9EE F3:AB rep stos dword ptr es:[edi]
0041A9F0 B9 40000000 mov ecx, 40
0041A9F5 BF F8714300 mov edi, 004371F8
0041A9FA F3:AB rep stos dword ptr es:[edi]
0041A9FC 8D4424 1C lea eax, [esp+1C]
0041AA00 50 push eax
0041AA01 E8 CACCFFFF call 004176D0
0041AA06 83C4 04 add esp, 4
0041AA09 68 C4534300 push 004353C4 ; ASCII "app.ini"
0041AA0E 8D4C24 20 lea ecx, [esp+20]
0041AA12 C78424 E0530000 0>mov dword ptr [esp+53E0], 0
0041AA1D E8 A6B20000 call 00425CC8 ; jmp 到 MFC42.#941_CString::operator+=
0041AA22 8B4C24 1C mov ecx, [esp+1C] ; ASCII "……\Ultra RM Converter\app.ini"
0041AA26 8B1D 1CA14200 mov ebx, [42A11C] ; Ultra_RM.0045C6E9
0041AA2C 51 push ecx
0041AA2D 68 00010000 push 100
0041AA32 68 F8724300 push 004372F8
0041AA37 68 B8534300 push 004353B8 ; ASCII "ErrorApp"
0041AA3C 68 B0534300 push 004353B0 ; ASCII "AppName"
0041AA41 68 A8534300 push 004353A8 ; ASCII "main"
0041AA46 FFD3 call ebx
0041AA48 BF F8724300 mov edi, 004372F8
0041AA4D 83C9 FF or ecx, FFFFFFFF
0041AA50 33C0 xor eax, eax
0041AA52 F2:AE repne scas byte ptr es:[edi]
0041AA54 F7D1 not ecx
0041AA56 2BF9 sub edi, ecx
0041AA58 8BD1 mov edx, ecx
0041AA5A 8BF7 mov esi, edi
0041AA5C BF F8714300 mov edi, 004371F8
0041AA61 C1E9 02 shr ecx, 2
0041AA64 F3:A5 rep movs dword ptr es:[edi], dword p>
0041AA66 8BCA mov ecx, edx
0041AA68 83E1 03 and ecx, 3
0041AA6B F3:A4 rep movs byte ptr es:[edi], byte ptr>
0041AA6D A0 F8714300 mov al, [4371F8]
0041AA72 84C0 test al, al
0041AA74 74 15 je short 0041AA8B
0041AA76 B8 F8714300 mov eax, 004371F8
0041AA7B 8038 20 cmp byte ptr [eax], 20
0041AA7E 75 03 jnz short 0041AA83
0041AA80 C600 5F mov byte ptr [eax], 5F
0041AA83 8A48 01 mov cl, [eax+1]
0041AA86 40 inc eax
0041AA87 84C9 test cl, cl
0041AA89 ^ 75 F0 jnz short 0041AA7B
0041AA8B 68 F8724300 push 004372F8
0041AA90 6A 00 push 0
0041AA92 68 01001F00 push 1F0001
0041AA97 FF15 64A14200 call [42A164] ; kernel32.OpenMutexA
0041AA9D 85C0 test eax, eax
0041AA9F 8985 D4000000 mov [ebp+D4], eax
0041AAA5 0F85 81060000 jnz 0041B12C
0041AAAB 68 F8724300 push 004372F8
0041AAB0 6A 01 push 1
0041AAB2 50 push eax
0041AAB3 FF15 60A14200 call [42A160] ; kernel32.CreateMutexA
0041AAB9 8985 D4000000 mov [ebp+D4], eax
0041AABF E8 2CAE0000 call 004258F0
0041AAC4 68 9C534300 push 0043539C ; ASCII "aveData.dll"
0041AAC9 FF15 08A14200 call [42A108] ; Ultra_RM.0045C906
0041AACF 85C0 test eax, eax
0041AAD1 A3 107D4300 mov [437D10], eax
0041AAD6 74 39 je short 0041AB11
0041AAD8 8B35 5CA14200 mov esi, [42A15C] ; Ultra_RM.0045CAF9
0041AADE 68 8C534300 push 0043538C ; ASCII "?ge_init@@YAXXZ"
0041AAE3 50 push eax
0041AAE4 FFD6 call esi
0041AAE6 85C0 test eax, eax
0041AAE8 74 27 je short 0041AB11
0041AAEA FFD0 call eax
0041AAEC A1 107D4300 mov eax, [437D10]
0041AAF1 68 74534300 push 00435374 ; ASCII "?ge_check@@YAHPBD0@Z"
0041AAF6 50 push eax
0041AAF7 FFD6 call esi
0041AAF9 8B0D 107D4300 mov ecx, [437D10]
0041AAFF 68 60534300 push 00435360 ; ASCII "?ge_check_ok@@YAHXZ"
0041AB04 51 push ecx
0041AB05 A3 F4714300 mov [4371F4], eax
0041AB0A FFD6 call esi
0041AB0C A3 F0714300 mov [4371F0], eax
0041AB11 E8 6AD5FFFF call 00418080
0041AB16 85C0 test eax, eax
0041AB18 0F85 AE000000 jnz 0041ABCC
0041AB1E 8D5424 10 lea edx, [esp+10]
0041AB22 52 push edx
0041AB23 E8 28CDFFFF call 00417850
0041AB28 83C4 04 add esp, 4
0041AB2B 68 54534300 push 00435354 ; ASCII "\AVERM.dll"
0041AB30 50 push eax
0041AB31 8D4424 20 lea eax, [esp+20]
0041AB35 C68424 E4530000 0>mov byte ptr [esp+53E4], 1
0041AB3D 50 push eax
0041AB3E E8 1DB30000 call 00425E60 ; jmp 到 MFC42.#924_operator+
0041AB43 50 push eax
0041AB44 8BCD mov ecx, ebp
0041AB46 C68424 E0530000 0>mov byte ptr [esp+53E0], 2
0041AB4E E8 DD080000 call 0041B430
0041AB53 8D4C24 18 lea ecx, [esp+18]
0041AB57 C68424 DC530000 0>mov byte ptr [esp+53DC], 1
0041AB5F E8 66AF0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AB64 8D4C24 10 lea ecx, [esp+10]
0041AB68 C68424 DC530000 0>mov byte ptr [esp+53DC], 0
0041AB70 E8 55AF0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AB75 8D4C24 18 lea ecx, [esp+18]
0041AB79 51 push ecx
0041AB7A E8 D1CCFFFF call 00417850
0041AB7F 83C4 04 add esp, 4
0041AB82 68 48534300 push 00435348 ; ASCII "\AVEQT.dll"
0041AB87 8D5424 14 lea edx, [esp+14]
0041AB8B 50 push eax
0041AB8C 52 push edx
0041AB8D C68424 E8530000 0>mov byte ptr [esp+53E8], 3
0041AB95 E8 C6B20000 call 00425E60 ; jmp 到 MFC42.#924_operator+
0041AB9A 50 push eax
0041AB9B 8BCD mov ecx, ebp
0041AB9D C68424 E0530000 0>mov byte ptr [esp+53E0], 4
0041ABA5 E8 86080000 call 0041B430
0041ABAA 8D4C24 10 lea ecx, [esp+10]
0041ABAE C68424 DC530000 0>mov byte ptr [esp+53DC], 3
0041ABB6 E8 0FAF0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ABBB 8D4C24 18 lea ecx, [esp+18]
0041ABBF C68424 DC530000 0>mov byte ptr [esp+53DC], 0
0041ABC7 E8 FEAE0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ABCC B9 10000000 mov ecx, 10
0041ABD1 33C0 xor eax, eax
0041ABD3 8DBC24 88000000 lea edi, [esp+88]
0041ABDA F3:AB rep stos dword ptr es:[edi]
0041ABDC B9 20000000 mov ecx, 20
0041ABE1 8DBC24 C8000000 lea edi, [esp+C8]
0041ABE8 F3:AB rep stos dword ptr es:[edi]
0041ABEA 8D4C24 14 lea ecx, [esp+14]
0041ABEE E8 F5AE0000 call 00425AE8 ; jmp 到 MFC42.#540_CString::CString
0041ABF3 8D4424 10 lea eax, [esp+10]
0041ABF7 C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041ABFF 50 push eax
0041AC00 E8 CBCAFFFF call 004176D0
0041AC05 83C4 04 add esp, 4
0041AC08 50 push eax
0041AC09 8D4C24 18 lea ecx, [esp+18]
0041AC0D C68424 E0530000 0>mov byte ptr [esp+53E0], 6
0041AC15 E8 9EAE0000 call 00425AB8 ; jmp 到 MFC42.#858_CString::operator=
0041AC1A 8D4C24 10 lea ecx, [esp+10]
0041AC1E C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041AC26 E8 9FAE0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AC2B 8D4C24 14 lea ecx, [esp+14]
0041AC2F 68 C8434300 push 004343C8 ; ASCII "data.ini"
//从“app.ini”段执行过程,得知“data.ini”用来存储软件注册信息
0041AC34 8D5424 14 lea edx, [esp+14]
0041AC38 51 push ecx
0041AC39 52 push edx
0041AC3A E8 21B20000 call 00425E60 ; jmp 到 MFC42.#924_operator+
0041AC3F 50 push eax
0041AC40 8D4C24 18 lea ecx, [esp+18]
0041AC44 C68424 E0530000 0>mov byte ptr [esp+53E0], 7
0041AC4C E8 67AE0000 call 00425AB8 ; jmp 到 MFC42.#858_CString::operator=
0041AC51 8D4C24 10 lea ecx, [esp+10]
0041AC55 C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041AC5D E8 68AE0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041AC62 8B4424 14 mov eax, [esp+14]
0041AC66 8D8C24 88000000 lea ecx, [esp+88]
0041AC6D 50 push eax ; 开始读取注册码
0041AC6E 6A 3F push 3F
0041AC70 51 push ecx
0041AC71 68 80714300 push 00437180
0041AC76 68 B8434300 push 004343B8 ; ASCII "License Name"
0041AC7B 68 AC434300 push 004343AC ; ASCII "Register"
0041AC80 FFD3 call ebx
0041AC82 8B5424 14 mov edx, [esp+14]
0041AC86 8D8424 C8000000 lea eax, [esp+C8]
0041AC8D 52 push edx
0041AC8E 6A 7F push 7F
0041AC90 50 push eax
0041AC91 68 80714300 push 00437180
0041AC96 68 9C434300 push 0043439C ; ASCII "License Code"
0041AC9B 68 AC434300 push 004343AC ; ASCII "Register"
0041ACA0 FFD3 call ebx
0041ACA2 8D8C24 88000000 lea ecx, [esp+88]
0041ACA9 8DB5 CC000000 lea esi, [ebp+CC]
0041ACAF 51 push ecx
0041ACB0 68 EC464300 push 004346EC ; ASCII "%s"
0041ACB5 56 push esi
0041ACB6 E8 3FAE0000 call 00425AFA ; jmp 到 MFC42.#2818_CString::Format
0041ACBB 83C4 0C add esp, 0C
0041ACBE 8D9424 C8000000 lea edx, [esp+C8]
0041ACC5 8DBD C8000000 lea edi, [ebp+C8]
0041ACCB 52 push edx
0041ACCC 68 EC464300 push 004346EC ; ASCII "%s"
0041ACD1 57 push edi
0041ACD2 E8 23AE0000 call 00425AFA ; jmp 到 MFC42.#2818_CString::Format
0041ACD7 8B07 mov eax, [edi] ; 注册码
0041ACD9 8B0E mov ecx, [esi] ; 用户名
//从以上得知软件注册文件内容为
//[Register]
//License Name="用户名"
//License Code="注册码"
0041ACDB 50 push eax
0041ACDC 51 push ecx
0041ACDD E8 FCAB0000 call 004258DE ; 判断注册码是否正确过程
(3)分析call 004258DE
004258DE - FF25 24A04200 jmp [42A024] ; MBX@8C0@.00B01640
来到MBX@8C0@领空
00B01640 64:A1 00000000 mov eax, fs:[0]
00B01646 6A FF push -1
00B01648 68 7AAAB000 push 00B0AA7A
00B0164D 50 push eax
00B0164E 64:8925 00000000 mov fs:[0], esp
……
00B01946 68 04D1B000 push 00B0D104 ; ASCII "%08lX"
00B0194B 50 push eax
00B0194C E8 F7200000 call 00B03A48
00B01951 8B9424 B4030000 mov edx, [esp+3B4]
00B01958 8D8C24 94000000 lea ecx, [esp+94]
//以上二行明显能看出注册码是什么了
00B0195F 6A 08 push 8
00B01961 51 push ecx
00B01962 52 push edx
00B01963 E8 A8200000 call 00B03A10 ; 比较注册码是否正确
00B01968 83C4 18 add esp, 18
00B0196B 85C0 test eax, eax
00B0196D 5F pop edi
00B0196E 5E pop esi
00B0196F 5D pop ebp
00B01970 5B pop ebx
00B01971 0F85 83000000 jnz 00B019FA ; 不正确则跳
00B01977 8D4C24 30 lea ecx, [esp+30]
00B0197B C68424 8C030000 0>mov byte ptr [esp+38C], 9
00B01983 E8 48110000 call 00B02AD0
00B01988 8D4C24 28 lea ecx, [esp+28]
00B0198C C68424 8C030000 0>mov byte ptr [esp+38C], 8
00B01994 E8 37110000 call 00B02AD0
00B01999 8D4C24 20 lea ecx, [esp+20]
00B0199D C68424 8C030000 0>mov byte ptr [esp+38C], 0A
00B019A5 E8 26110000 call 00B02AD0
00B019AA 8D4C24 18 lea ecx, [esp+18]
00B019AE C68424 8C030000 0>mov byte ptr [esp+38C], 1
00B019B6 E8 15110000 call 00B02AD0
00B019BB 8D4C24 10 lea ecx, [esp+10]
00B019BF C68424 8C030000 0>mov byte ptr [esp+38C], 0
00B019C7 E8 04110000 call 00B02AD0
00B019CC 8D4C24 00 lea ecx, [esp]
00B019D0 C78424 8C030000 F>mov dword ptr [esp+38C], -1
00B019DB E8 F0100000 call 00B02AD0
00B019E0 B8 01000000 mov eax, 1
00B019E5 8B8C24 84030000 mov ecx, [esp+384]
00B019EC 64:890D 00000000 mov fs:[0], ecx
00B019F3 81C4 90030000 add esp, 390
00B019F9 C3 retn
00B019FA 8D4C24 30 lea ecx, [esp+30]
00B019FE C68424 8C030000 0>mov byte ptr [esp+38C], 0C
00B01A06 E8 C5100000 call 00B02AD0
00B01A0B 8D4C24 28 lea ecx, [esp+28]
00B01A0F C68424 8C030000 0>mov byte ptr [esp+38C], 0B
00B01A17 E8 B4100000 call 00B02AD0
00B01A1C 8D4C24 20 lea ecx, [esp+20]
00B01A20 C68424 8C030000 0>mov byte ptr [esp+38C], 0D
00B01A28 E8 A3100000 call 00B02AD0
00B01A2D 8D4C24 18 lea ecx, [esp+18]
00B01A31 C68424 8C030000 0>mov byte ptr [esp+38C], 1
00B01A39 E8 92100000 call 00B02AD0
00B01A3E 8D4C24 10 lea ecx, [esp+10]
00B01A42 C68424 8C030000 0>mov byte ptr [esp+38C], 0
00B01A4A E8 81100000 call 00B02AD0
00B01A4F 8D4C24 00 lea ecx, [esp]
00B01A53 C78424 8C030000 F>mov dword ptr [esp+38C], -1
00B01A5E E8 6D100000 call 00B02AD0
00B01A63 8B8C24 84030000 mov ecx, [esp+384]
00B01A6A 33C0 xor eax, eax
00B01A6C 64:890D 00000000 mov fs:[0], ecx
00B01A73 81C4 90030000 add esp, 390
00B01A79 C3 retn
(4)回到主模块领空
0041ACE2 BB 01000000 mov ebx, 1
0041ACE7 83C4 14 add esp, 14
0041ACEA 3BC3 cmp eax, ebx
0041ACEC 8985 C4000000 mov [ebp+C4], eax
0041ACF2 75 05 jnz short 0041ACF9
0041ACF4 E8 F1AB0000 call 004258EA
F7进入call 004258EA再次验证
(5)call 004258EA
00B01BA0 83EC 50 sub esp, 50
00B01BA3 53 push ebx
00B01BA4 56 push esi
00B01BA5 57 push edi
00B01BA6 B9 10000000 mov ecx, 10
00B01BAB 33C0 xor eax, eax
00B01BAD 8D7C24 18 lea edi, [esp+18]
00B01BB1 F3:AB rep stos dword ptr es:[edi]
00B01BB3 AA stos byte ptr es:[edi]
00B01BB4 33C0 xor eax, eax
00B01BB6 68 00040000 push 400
00B01BBB 894424 10 mov [esp+10], eax
00B01BBF 894424 14 mov [esp+14], eax
00B01BC3 66:894424 18 mov [esp+18], ax
00B01BC8 E8 091D0000 call 00B038D6
00B01BCD 83C4 04 add esp, 4
00B01BD0 8BD8 mov ebx, eax
00B01BD2 E8 89F6FFFF call 00B01260
00B01BD7 8BF8 mov edi, eax
00B01BD9 83C9 FF or ecx, FFFFFFFF
00B01BDC 33C0 xor eax, eax
00B01BDE 53 push ebx
00B01BDF F2:AE repne scas byte ptr es:[edi]
00B01BE1 F7D1 not ecx
00B01BE3 2BF9 sub edi, ecx
00B01BE5 6A 41 push 41
00B01BE7 8BD1 mov edx, ecx
00B01BE9 8BF7 mov esi, edi
00B01BEB 8BFB mov edi, ebx
00B01BED C1E9 02 shr ecx, 2
00B01BF0 F3:A5 rep movs dword ptr es:[edi], dword p>
00B01BF2 8BCA mov ecx, edx
00B01BF4 83E1 03 and ecx, 3
00B01BF7 F3:A4 rep movs byte ptr es:[edi], byte ptr>
00B01BF9 BF 18D1B000 mov edi, 00B0D118 ; ASCII "data.ini"
00B01BFE 83C9 FF or ecx, FFFFFFFF
00B01C01 F2:AE repne scas byte ptr es:[edi]
00B01C03 F7D1 not ecx
00B01C05 2BF9 sub edi, ecx
00B01C07 8BF7 mov esi, edi
00B01C09 8BD1 mov edx, ecx
00B01C0B 8BFB mov edi, ebx
00B01C0D 83C9 FF or ecx, FFFFFFFF
00B01C10 F2:AE repne scas byte ptr es:[edi]
00B01C12 8BCA mov ecx, edx
00B01C14 4F dec edi
00B01C15 C1E9 02 shr ecx, 2
00B01C18 F3:A5 rep movs dword ptr es:[edi], dword p>
00B01C1A 8BCA mov ecx, edx
00B01C1C 8D4424 20 lea eax, [esp+20]
00B01C20 83E1 03 and ecx, 3
00B01C23 50 push eax
00B01C24 F3:A4 rep movs byte ptr es:[edi], byte ptr>
00B01C26 8B0D F0FEB000 mov ecx, [B0FEF0]
00B01C2C 8B35 18B0B000 mov esi, [B0B018] ; Ultra_RM.0045C6E9
00B01C32 81C1 400B0000 add ecx, 0B40
00B01C38 68 F40AB100 push 00B10AF4
00B01C3D 51 push ecx
00B01C3E 68 0CD1B000 push 00B0D10C ; ASCII "Register"
00B01C43 FFD6 call esi
00B01C45 A1 F0FEB000 mov eax, [B0FEF0]
00B01C4A 53 push ebx
00B01C4B 8D5424 10 lea edx, [esp+10]
00B01C4F 6A 09 push 9
00B01C51 52 push edx
00B01C52 05 600B0000 add eax, 0B60
00B01C57 68 F40AB100 push 00B10AF4
00B01C5C 50 push eax
00B01C5D 68 0CD1B000 push 00B0D10C ; ASCII "Register"
00B01C62 FFD6 call esi
00B01C64 53 push ebx
00B01C65 E8 831B0000 call 00B037ED
00B01C6A 8A4424 1C mov al, [esp+1C]
00B01C6E 83C4 04 add esp, 4
00B01C71 84C0 test al, al
00B01C73 5F pop edi
00B01C74 5E pop esi
00B01C75 5B pop ebx
00B01C76 74 1E je short 00B01C96
00B01C78 8A4424 00 mov al, [esp]
00B01C7C 84C0 test al, al
00B01C7E 74 16 je short 00B01C96
00B01C80 8D4C24 00 lea ecx, [esp]
00B01C84 8D5424 0C lea edx, [esp+C]
00B01C88 51 push ecx
00B01C89 52 push edx
00B01C8A E8 B1F9FFFF call 00B01640 ; 验证注册码是否正确
00B01C8F 83C4 08 add esp, 8
00B01C92 85C0 test eax, eax
00B01C94 75 0A jnz short 00B01CA0 ; 验证通过时必须跳转
00B01C96 C705 F0FEB000 000>mov dword ptr [B0FEF0], 0
00B01CA0 83C4 50 add esp, 50
00B01CA3 C3 retn
(6)回到主模块领空
0041ACE2 BB 01000000 mov ebx, 1
0041ACE7 83C4 14 add esp, 14
0041ACEA 3BC3 cmp eax, ebx
0041ACEC 8985 C4000000 mov [ebp+C4], eax
0041ACF2 75 05 jnz short 0041ACF9
0041ACF4 E8 F1AB0000 call 004258EA
0041ACF9 8B85 C4000000 mov eax, [ebp+C4]
0041ACFF 85C0 test eax, eax
0041AD01 75 2E jnz short 0041AD31 ; 正确则跳
0041AD03 A1 107D4300 mov eax, [437D10]
0041AD08 85C0 test eax, eax
0041AD0A 74 25 je short 0041AD31
0041AD0C 8B3F mov edi, [edi]
0041AD0E 8B36 mov esi, [esi]
0041AD10 57 push edi
0041AD11 56 push esi
0041AD12 FF15 F4714300 call [4371F4] ; MBX@D0_1.00B31B70
0041AD18 83C4 08 add esp, 8
0041AD1B 3BC3 cmp eax, ebx
0041AD1D 8985 C4000000 mov [ebp+C4], eax
0041AD23 75 0C jnz short 0041AD31
0041AD25 FF15 F0714300 call [4371F0] ; MBX@D0_1.00B32060
0041AD2B 891D 147D4300 mov [437D14], ebx
0041AD31 E8 4AD3FFFF call 00418080
0041AD36 85C0 test eax, eax
0041AD38 75 31 jnz short 0041AD6B
0041AD3A E8 4BB10000 call 00425E8A ; jmp 到 MFC42.#1168_AfxGetModuleState
0041AD3F 8B40 08 mov eax, [eax+8]
0041AD42 6A 00 push 0
0041AD44 68 34534300 push 00435334 ; ASCII "E5BCA258B21FCA2D"
0041AD49 68 2C534300 push 0043532C ; ASCII "Demo"
0041AD4E 50 push eax
0041AD4F E8 72AB0000 call 004258C6 ; jmp 到 SkinMagi.InitSkinMagicLib
0041AD54 68 1C534300 push 0043531C ; ASCII "RT_SKINMAGIC"
0041AD59 68 89000000 push 89
0041AD5E 6A 00 push 0
0041AD60 E8 5BAB0000 call 004258C0 ; jmp 到 SkinMagi.LoadSkinFromResource
0041AD65 899D D0000000 mov [ebp+D0], ebx
0041AD6B 8B85 C4000000 mov eax, [ebp+C4]
0041AD71 85C0 test eax, eax
0041AD73 75 63 jnz short 0041ADD8 ; 正确则跳
0041AD75 6A 00 push 0
0041AD77 8D4C24 24 lea ecx, [esp+24]
0041AD7B E8 5082FFFF call 00412FD0
0041AD80 8D4C24 20 lea ecx, [esp+20]
0041AD84 C68424 DC530000 0>mov byte ptr [esp+53DC], 8
0041AD8C E8 CBAB0000 call 0042595C ; jmp 到 MFC42.#2514_CDialog::DoModal
0041AD91 E8 EAD2FFFF call 00418080
0041AD96 85C0 test eax, eax
0041AD98 75 05 jnz short 0041AD9F
0041AD9A E8 1BAB0000 call 004258BA ; jmp 到 SkinMagi.RemoveDialogSkin
0041AD9F 8D8C24 84000000 lea ecx, [esp+84]
0041ADA6 C68424 DC530000 0>mov byte ptr [esp+53DC], 0A
0041ADAE E8 17AD0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ADB3 8D8C24 80000000 lea ecx, [esp+80]
0041ADBA C68424 DC530000 0>mov byte ptr [esp+53DC], 9
0041ADC2 E8 03AD0000 call 00425ACA ; jmp 到 MFC42.#800_CString::~CString
0041ADC7 8D4C24 20 lea ecx, [esp+20]
0041ADCB C68424 DC530000 0>mov byte ptr [esp+53DC], 5
0041ADD3 E8 B0AC0000 call 00425A88 ; jmp 到 MFC42.#641_CDialog::~CDialog
0041ADD8 B9 28744300 mov ecx, 00437428
0041ADDD E8 CE55FFFF call 004103B0
0041ADE2 6A 00 push 0
0041ADE4 8D8C24 4C010000 lea ecx, [esp+14C]
0041ADEB E8 A00A0000 call 0041B890
0041ADF0 8D8424 48010000 lea eax, [esp+148]
0041ADF7 8D8C24 48010000 lea ecx, [esp+148]
0041ADFE C68424 DC530000 0>mov byte ptr [esp+53DC], 0B
0041AE06 8945 20 mov [ebp+20], eax ; 下一个CALL 调用界面
0041AE09 E8 4EAB0000 call 0042595C ; jmp 到 MFC42.#2514_CDialog::DoModal
0041AE0E 8D8C24 5C530000 lea ecx, [esp+535C]
(7)call 0042595C 显示程序主界面
(8)注册算法
因时间原因,暂不分析注册码计算过程。
【破解总结】本程序注册码以“明文”形式显示出来,仅查找注册码并不困难。
【版权声明】本文纯属技术交流,转载请注明作者并保持文章的完整,谢谢!