好友
阅读权限40
听众
最后登录1970-1-1
|
Power Video Converter 2.2.1 算法分析
【破文标题】Power Video Converter 2.2.1算法分析
【破文作者】creantan
【作者邮箱】creantan@126.com
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】Power Video Converter 2.2.1
【软件大小】6231KB
【软件类别】国外软件/视频转换
【软件授权】共享版
【软件语言】英文
【运行环境】Win9x/Me/NT/2000/XP/2003
【更新时间】2009-1-6
【原版下载】http://www.newhua.com/soft/29607.htm
【保护方式】注册码
【软件简介】 Power Video Converter可以在AVi, MPEG1, MPEG2, VCD, SVCD, DVD, WMV, ASF, DAT, VOB文件格式之间进行转换,同时具有很快的转换速度和友好的使用界面。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
PEID上显示Microsoft Visual C++ 6.0
试着注册有错误提示。。。下断 bp MessageBoxA
断点后回到用户代码,向上找到关键算法。。。。
代码:00423750 /$ 53 push ebx
00423751 |. 55 push ebp ;
00423752 |. 8B6C24 0C mov ebp, dword ptr [esp+C]
00423756 |. 56 push esi
00423757 |. 57 push edi
00423758 |. BE ECD24300 mov esi, 0043D2EC
0042375D |. 8BC5 mov eax, ebp
0042375F |> 8A10 /mov dl, byte ptr [eax] ; 判断用户名是否为空
00423761 |. 8A1E |mov bl, byte ptr [esi]
00423763 |. 8ACA |mov cl, dl
00423765 |. 3AD3 |cmp dl, bl
00423767 |. 75 1E |jnz short 00423787
00423769 |. 84C9 |test cl, cl
0042376B |. 74 16 |je short 00423783
0042376D |. 8A50 01 |mov dl, byte ptr [eax+1]
00423770 |. 8A5E 01 |mov bl, byte ptr [esi+1]
00423773 |. 8ACA |mov cl, dl
00423775 |. 3AD3 |cmp dl, bl
00423777 |. 75 0E |jnz short 00423787
00423779 |. 83C0 02 |add eax, 2
0042377C |. 83C6 02 |add esi, 2
0042377F |. 84C9 |test cl, cl
00423781 |.^ 75 DC \jnz short 0042375F
00423783 |> 33C0 xor eax, eax
00423785 |. EB 05 jmp short 0042378C
00423787 |> 1BC0 sbb eax, eax
00423789 |. 83D8 FF sbb eax, -1
0042378C |> 85C0 test eax, eax
0042378E |. 74 51 je short 004237E1
00423790 |. 8B7C24 18 mov edi, dword ptr [esp+18]
00423794 |. BE ECD24300 mov esi, 0043D2EC
00423799 |. 8BC7 mov eax, edi
0042379B |> 8A10 /mov dl, byte ptr [eax] ; 判断假码是否为空
0042379D |. 8A1E |mov bl, byte ptr [esi]
0042379F |. 8ACA |mov cl, dl
004237A1 |. 3AD3 |cmp dl, bl
004237A3 |. 75 1E |jnz short 004237C3
004237A5 |. 84C9 |test cl, cl
004237A7 |. 74 16 |je short 004237BF
004237A9 |. 8A50 01 |mov dl, byte ptr [eax+1]
004237AC |. 8A5E 01 |mov bl, byte ptr [esi+1]
004237AF |. 8ACA |mov cl, dl
004237B1 |. 3AD3 |cmp dl, bl
004237B3 |. 75 0E |jnz short 004237C3
004237B5 |. 83C0 02 |add eax, 2
004237B8 |. 83C6 02 |add esi, 2
004237BB |. 84C9 |test cl, cl
004237BD |.^ 75 DC \jnz short 0042379B
004237BF |> 33C0 xor eax, eax
004237C1 |. EB 05 jmp short 004237C8
004237C3 |> 1BC0 sbb eax, eax
004237C5 |. 83D8 FF sbb eax, -1
004237C8 |> 85C0 test eax, eax
004237CA |. 74 15 je short 004237E1
004237CC |. 57 push edi ; 假码入栈
004237CD |. 55 push ebp ; 用户名入栈
004237CE |. E8 3DFDFFFF call 00423510 ;关键算法
{
00423510 /$ 6A FF push -1
00423512 |. 68 D0EE4200 push 0042EED0 ; SE 处理程序安装
00423517 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0042351D |. 50 push eax
0042351E |. 64:8925 00000>mov dword ptr fs:[0], esp
00423525 |. 83EC 14 sub esp, 14
00423528 |. 8B4424 24 mov eax, dword ptr [esp+24]
0042352C |. 53 push ebx
0042352D |. 55 push ebp
0042352E |. 56 push esi
0042352F |. 57 push edi
00423530 |. 50 push eax
00423531 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00423535 |. E8 0E690000 call <jmp.&MFC42.#537>
0042353A |. 33F6 xor esi, esi
0042353C |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00423540 |. 897424 2C mov dword ptr [esp+2C], esi
00423544 |. E8 C56C0000 call <jmp.&MFC42.#6282>
00423549 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0042354D |. E8 B66C0000 call <jmp.&MFC42.#6283>
00423552 |. 6A 20 push 20
00423554 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00423558 |. E8 A96B0000 call <jmp.&MFC42.#2915>
0042355D |. 8B4C24 38 mov ecx, dword ptr [esp+38] ; 取假码
00423561 |. 8BD8 mov ebx, eax
00423563 |. 51 push ecx
00423564 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00423568 |. E8 DB680000 call <jmp.&MFC42.#537>
0042356D |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00423571 |. C64424 2C 01 mov byte ptr [esp+2C], 1
00423576 |. E8 936C0000 call <jmp.&MFC42.#6282>
0042357B |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0042357F |. E8 846C0000 call <jmp.&MFC42.#6283>
00423584 |. 6A 20 push 20
00423586 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0042358A |. E8 776B0000 call <jmp.&MFC42.#2915> ; 取假码
0042358F |. 8BD0 mov edx, eax
00423591 |. 83C9 FF or ecx, FFFFFFFF
00423594 |. 8BFA mov edi, edx
00423596 |. 33C0 xor eax, eax
00423598 |. F2:AE repne scas byte ptr es:[edi]
0042359A |. F7D1 not ecx
0042359C |. 49 dec ecx ; 取假码长度
0042359D |. 8BFB mov edi, ebx
0042359F |. 8BE9 mov ebp, ecx
004235A1 |. 83C9 FF or ecx, FFFFFFFF
004235A4 |. F2:AE repne scas byte ptr es:[edi]
004235A6 |. F7D1 not ecx
004235A8 |. 49 dec ecx ; 取用户名长度
004235A9 |. 895424 20 mov dword ptr [esp+20], edx
004235AD |. 3BCD cmp ecx, ebp
004235AF |. 0F87 64010000 ja 00423719 ; 用户名长度与假码长度比较
004235B5 |. 8BFB mov edi, ebx ; 假码长度不能小于用户名
004235B7 |. 83C9 FF or ecx, FFFFFFFF
004235BA |. F2:AE repne scas byte ptr es:[edi]
004235BC |. F7D1 not ecx
004235BE |. 49 dec ecx ; 用户名长度
004235BF |. 0F84 54010000 je 00423719 ; 判断长度是否为0
004235C5 |. 8BFA mov edi, edx
004235C7 |. 83C9 FF or ecx, FFFFFFFF
004235CA |. F2:AE repne scas byte ptr es:[edi]
004235CC |. F7D1 not ecx
004235CE |. 49 dec ecx ; 假码长度
004235CF |. 0F84 44010000 je 00423719 ; 判断假码长度是否为0 0的话就跳向失败
004235D5 |. 897424 38 mov dword ptr [esp+38], esi
004235D9 |> 8B5424 38 /mov edx, dword ptr [esp+38] ; edx赋值
004235DD |. 8D4C24 34 |lea ecx, dword ptr [esp+34]
004235E1 |. 8A82 CCCD4300 |mov al, byte ptr [edx+43CDCC]
004235E7 |. 884424 18 |mov byte ptr [esp+18], al
004235EB |. E8 A6650000 |call <jmp.&MFC42.#540>
004235F0 |. 8BFB |mov edi, ebx
004235F2 |. 83C9 FF |or ecx, FFFFFFFF ; //////////////////////////////////////
004235F5 |. 33C0 |xor eax, eax ; ★注册码第一部分关键点★
004235F7 |. 33ED |xor ebp, ebp
004235F9 |. F2:AE |repne scas byte ptr es:[edi]
004235FB |. F7D1 |not ecx ; 取用户名长度
004235FD |. 49 |dec ecx ;
004235FE |. C64424 2C 02 |mov byte ptr [esp+2C], 2
00423603 |. 74 50 |je short 00423655
00423605 |> 8A0C2B |/mov cl, byte ptr [ebx+ebp] ; 逐个取用户名
00423608 |. 33F6 ||xor esi, esi
0042360A |. B8 64CD4300 ||mov eax, 0043CD64 ; 固定字符串
0042360F |> 3A08 ||/cmp cl, byte ptr [eax] ; 在字符串中查找
00423611 |. 74 0D |||je short 00423620 ; 相等跳出
00423613 |. 83C0 02 |||add eax, 2 ; eax+=2
00423616 |. 46 |||inc esi ; esi++ 下面取字符串用
00423617 |. 3D CCCD4300 |||cmp eax, 0043CDCC ; ASCII "vMw"
0042361C |.^ 7C F1 ||\jl short 0042360F
0042361E |. EB 11 ||jmp short 00423631
00423620 |> 8A0C75 65CD43>||mov cl, byte ptr [esi*2+43CD65] ; [esi*2]取字符
00423627 |. 51 ||push ecx
00423628 |. 8D4C24 38 ||lea ecx, dword ptr [esp+38]
0042362C |. E8 F3670000 ||call <jmp.&MFC42.#940> ; 取字符后连接字符串
00423631 |> 83FE 34 ||cmp esi, 34
00423634 |. 75 0E ||jnz short 00423644
00423636 |. 8B5424 18 ||mov edx, dword ptr [esp+18]
0042363A |. 8D4C24 34 ||lea ecx, dword ptr [esp+34]
0042363E |. 52 ||push edx
0042363F |. E8 E0670000 ||call <jmp.&MFC42.#940>
00423644 |> 8BFB ||mov edi, ebx
00423646 |. 83C9 FF ||or ecx, FFFFFFFF
00423649 |. 33C0 ||xor eax, eax
0042364B |. 45 ||inc ebp
0042364C |. F2:AE ||repne scas byte ptr es:[edi] ; 取字符串长度
0042364E |. F7D1 ||not ecx
00423650 |. 49 ||dec ecx
00423651 |. 3BE9 ||cmp ebp, ecx
00423653 |.^ 72 B0 |\jb short 00423605
00423655 |> 8B4424 34 |mov eax, dword ptr [esp+34]
00423659 |. 8B48 F8 |mov ecx, dword ptr [eax-8]
0042365C |. 83F9 10 |cmp ecx, 10
0042365F |. 7D 3A |jge short 0042369B
00423661 |. 8BC1 |mov eax, ecx
00423663 |. B9 10000000 |mov ecx, 10
00423668 |. 2BC8 |sub ecx, eax
0042366A |. 8D5424 1C |lea edx, dword ptr [esp+1C]
0042366E |. 51 |push ecx ; ★注册码第二部分关键点★
0042366F |. 52 |push edx
00423670 |. B9 40D64300 |mov ecx, 0043D640 ; 固定字串ESqNCdaYoDciekuS
00423675 |. E8 AC650000 |call <jmp.&MFC42.#4129> ; 用用户名长度取字符串
0042367A |. 50 |push eax
0042367B |. 8D4C24 38 |lea ecx, dword ptr [esp+38]
0042367F |. C64424 30 03 |mov byte ptr [esp+30], 3
00423684 |. E8 95670000 |call <jmp.&MFC42.#939> ; 两部分连接
00423689 |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
0042368D |. C64424 2C 02 |mov byte ptr [esp+2C], 2
00423692 |. E8 F3640000 |call <jmp.&MFC42.#800>
00423697 |. 8B4424 34 |mov eax, dword ptr [esp+34]
0042369B |> 8B4C24 20 |mov ecx, dword ptr [esp+20]
0042369F |. 51 |push ecx ; /假码
004236A0 |. 50 |push eax ; |连接后的字符串
004236A1 |. FF15 AC064300 |call dword ptr [<&MSVCRT._mbscmp>] ; \比较字符串
004236A7 |. 83C4 08 |add esp, 8
004236AA |. 85C0 |test eax, eax
004236AC |. 74 24 |je short 004236D2
004236AE |. 8D4C24 34 |lea ecx, dword ptr [esp+34]
004236B2 |. 33F6 |xor esi, esi
004236B4 |. C64424 2C 01 |mov byte ptr [esp+2C], 1
004236B9 |. E8 CC640000 |call <jmp.&MFC42.#800>
004236BE |. 8B4424 38 |mov eax, dword ptr [esp+38]
004236C2 |. 40 |inc eax
004236C3 |. 83F8 03 |cmp eax, 3
004236C6 |. 894424 38 |mov dword ptr [esp+38], eax
004236CA |.^ 0F8C 09FFFFFF \jl 004235D9
004236D0 |. EB 13 jmp short 004236E5
004236D2 |> 8D4C24 34 lea ecx, dword ptr [esp+34]
004236D6 |. BE 01000000 mov esi, 1
004236DB |. C64424 2C 01 mov byte ptr [esp+2C], 1
004236E0 |. E8 A5640000 call <jmp.&MFC42.#800>
004236E5 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
004236E9 |. C64424 2C 00 mov byte ptr [esp+2C], 0
004236EE |. E8 97640000 call <jmp.&MFC42.#800>
004236F3 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
004236F7 |. C74424 2C FFF>mov dword ptr [esp+2C], -1
004236FF |. E8 86640000 call <jmp.&MFC42.#800>
00423704 |. 8BC6 mov eax, esi
00423706 |. 5F pop edi
00423707 |. 5E pop esi
00423708 |. 5D pop ebp
00423709 |. 5B pop ebx
0042370A |. 8B4C24 14 mov ecx, dword ptr [esp+14]
0042370E |. 64:890D 00000>mov dword ptr fs:[0], ecx
00423715 |. 83C4 20 add esp, 20
00423718 |. C3 retn
00423719 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
0042371D |. C64424 2C 00 mov byte ptr [esp+2C], 0
00423722 |. E8 63640000 call <jmp.&MFC42.#800>
00423727 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0042372B |. C74424 2C FFF>mov dword ptr [esp+2C], -1
00423733 |. E8 52640000 call <jmp.&MFC42.#800>
00423738 |. 8B4C24 24 mov ecx, dword ptr [esp+24]
0042373C |. 5F pop edi
0042373D |. 5E pop esi
0042373E |. 5D pop ebp
0042373F |. 33C0 xor eax, eax
00423741 |. 5B pop ebx
00423742 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00423749 |. 83C4 20 add esp, 20
0042374C \. C3 retn
}
004237D3 |. 83C4 08 add esp, 8
004237D6 |. F7D8 neg eax
004237D8 |. 5F pop edi
004237D9 |. 5E pop esi
004237DA |. 1BC0 sbb eax, eax
004237DC |. 5D pop ebp
004237DD |. F7D8 neg eax
004237DF |. 5B pop ebx
004237E0 |. C3 retn
004237E1 |> 5F pop edi
004237E2 |. 5E pop esi
004237E3 |. 5D pop ebp
004237E4 |. 33C0 xor eax, eax
004237E6 |. 5B pop ebx
004237E7 \. C3 retn
【破解总结】
--------------------------------------------------------------
【算法总结】
将"aGbmcldSemfkgEhcixjsktlYmbnkoDptqarfswtlujvDwIxPyZzXAPBoCKDgEyFmGtHaIrJqKNLQMUNuOGPJQLRnSbTCUFVHWoXwYEZpvMw"和"ESqNCdaYoDciekuS"与用户名运算得到注册码
--------------------------------------------------------------
【算法注册机】void CKeyGenVideoDlg::OnKeyGen()
{
// TODO: Add your control notification handler code here
CString str="aGbmcldSemfkgEhcixjsktlYmbnkoDptqarfswtlujvDwIxPyZzXAPBoCKDgEyFmGtHaIrJqKNLQMUNuOGPJQLRnSbTCUFVHWoXwYEZpvMw";
CString str1="ESqNCdaYoDciekuS";
CString serial;
int nameLen,strLen;
UpdateData(true);
nameLen=m_name.GetLength();
strLen=str.GetLength();
for(int i=0;i<nameLen;i++)
{
for(int j=0;j<strLen;j+=2)
{
if(m_name.GetAt(i)==str.GetAt(j))
{
serial.Insert(serial.GetLength(),str.GetAt(j+1));
break;
}
}
}
m_serial=serial+str1.Mid(0,16-nameLen);
UpdateData(false);
}
用户名:creantan
注册码:lfmGklGkESqNCdaY
--------------------------------------------------------------
【版权声明】本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! |
免费评分
-
查看全部评分
|
发表于 2009-1-14 15:22
发表于 2009-1-15 06:21
