好友
阅读权限40
听众
最后登录1970-1-1
|
【破文标题】Audiotool net Ease DVD Ripper 1.20 算法分析
【破文作者】tianxj
【作者邮箱】tianxj_2007@126.com
【作者主页】WwW.ChiNaPYG.CoM
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】Audiotool net Ease DVD Ripper 1.20
【软件大小】934 K
【更新时间】2009-02-21
【软件类别】国外软件 / 视频转换
【软件语言】英文
【应用平台】Win9x/WinNT/Win2000/WinXP
【软件性质】共享(收费)软件
【原版下载】http://www.audiotool.net/download/easedvdripper.exe
【保护方式】注册码
【软件简介】功能强大,简单易用的DVD压制工具, 将DVD转换为VCD, DivX, MPEG, SVCD, AVI等视频文件,转换快速、图像和声音质量高。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
**************************************************************
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
"failed register!"
**************************************************************
二、用PEiD对EaseDVDRipper.exe查壳,为 Microsoft Visual C++ 6.0
**************************************************************
三、运行OD,打开EaseDVDRipper.exe,下断点bp MessageBoxA
==============================================================
004125E8 55 push ebp
004125E9 56 push esi
004125EA 57 push edi
004125EB 6A 01 push 1
004125ED 8BF1 mov esi,ecx
004125EF E8 2A5A0000 call <jmp.&MFC42.#6334>
004125F4 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004125F8 E8 13030000 call EaseDVDR.00412910
004125FD 51 push ecx
004125FE 8DBE 1C010000 lea edi,dword ptr ds:[esi+11C]
00412604 8BCC mov ecx,esp
00412606 896424 10 mov dword ptr ss:[esp+10],esp
0041260A 57 push edi
0041260B C74424 30 00000>mov dword ptr ss:[esp+30],0
00412613 E8 02580000 call <jmp.&MFC42.#535>
00412618 51 push ecx
00412619 8DAE 18010000 lea ebp,dword ptr ds:[esi+118]
0041261F 8BCC mov ecx,esp
00412621 896424 18 mov dword ptr ss:[esp+18],esp
00412625 55 push ebp
00412626 C64424 34 01 mov byte ptr ss:[esp+34],1
0041262B E8 EA570000 call <jmp.&MFC42.#535>
00412630 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00412634 C64424 30 00 mov byte ptr ss:[esp+30],0
00412639 E8 42090000 call EaseDVDR.00412F80
0041263E 8D4424 18 lea eax,dword ptr ss:[esp+18]
00412642 8BCD mov ecx,ebp
00412644 50 push eax
00412645 E8 36550000 call <jmp.&MFC42.#858>
0041264A 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0041264E 51 push ecx
0041264F 8BCF mov ecx,edi
00412651 E8 2A550000 call <jmp.&MFC42.#858>
00412656 51 push ecx
00412657 8BCC mov ecx,esp
00412659 896424 14 mov dword ptr ss:[esp+14],esp
0041265D 57 push edi
0041265E E8 B7570000 call <jmp.&MFC42.#535>
00412663 51 push ecx
00412664 C64424 30 02 mov byte ptr ss:[esp+30],2
00412669 8BCC mov ecx,esp
0041266B 896424 14 mov dword ptr ss:[esp+14],esp
0041266F 55 push ebp
00412670 E8 A5570000 call <jmp.&MFC42.#535>
00412675 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00412679 C64424 30 00 mov byte ptr ss:[esp+30],0
0041267E E8 1D050000 call EaseDVDR.00412BA0 ; //关键CALL
00412683 84C0 test al,al
00412685 74 40 je short EaseDVDR.004126C7 ; //关键跳转
00412687 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0041268B E8 50030000 call EaseDVDR.004129E0
00412690 84C0 test al,al
00412692 75 40 jnz short EaseDVDR.004126D4
00412694 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00412698 E8 73090000 call EaseDVDR.00413010
0041269D 84C0 test al,al
0041269F 75 33 jnz short EaseDVDR.004126D4
004126A1 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004126A5 E8 16060000 call EaseDVDR.00412CC0
004126AA 84C0 test al,al
004126AC 74 19 je short EaseDVDR.004126C7
004126AE 68 B0144200 push EaseDVDR.004214B0 ; ASCII "Success register!"
004126B3 E8 E804FFFF call EaseDVDR.00402BA0
004126B8 8B16 mov edx,dword ptr ds:[esi]
004126BA 83C4 04 add esp,4
004126BD 8BCE mov ecx,esi
004126BF FF92 CC000000 call dword ptr ds:[edx+CC]
004126C5 EB 0D jmp short EaseDVDR.004126D4
004126C7 68 9C144200 push EaseDVDR.0042149C ; ASCII "failed register!"
004126CC E8 4F02FFFF call EaseDVDR.00402920
004126D1 83C4 04 add esp,4 ; //返回到这里
004126D4 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004126D8 C74424 28 FFFFF>mov dword ptr ss:[esp+28],-1
004126E0 E8 9B020000 call EaseDVDR.00412980
004126E5 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
004126E9 5F pop edi
004126EA 5E pop esi
004126EB 64:890D 0000000>mov dword ptr fs:[0],ecx
004126F2 5D pop ebp
004126F3 83C4 20 add esp,20
004126F6 C3 retn
==============================================================
00412BA0 6A FF push -1
00412BA2 68 80964100 push EaseDVDR.00419680
00412BA7 64:A1 00000000 mov eax,dword ptr fs:[0]
00412BAD 50 push eax
00412BAE 64:8925 0000000>mov dword ptr fs:[0],esp
00412BB5 51 push ecx
00412BB6 53 push ebx
00412BB7 55 push ebp
00412BB8 56 push esi
00412BB9 57 push edi
00412BBA 8BF9 mov edi,ecx
00412BBC 8B5424 28 mov edx,dword ptr ss:[esp+28]
00412BC0 33DB xor ebx,ebx
00412BC2 33C9 xor ecx,ecx
00412BC4 C74424 1C 01000>mov dword ptr ss:[esp+1C],1
00412BCC 8B72 F8 mov esi,dword ptr ds:[edx-8]
00412BCF 3BF3 cmp esi,ebx
00412BD1 7E 18 jle short EaseDVDR.00412BEB
00412BD3 8A0411 mov al,byte ptr ds:[ecx+edx]
00412BD6 3C 30 cmp al,30
00412BD8 0F8C 9E000000 jl EaseDVDR.00412C7C
00412BDE 3C 39 cmp al,39
00412BE0 0F8F 96000000 jg EaseDVDR.00412C7C
00412BE6 41 inc ecx
00412BE7 3BCE cmp ecx,esi
00412BE9 ^ 7C E8 jl short EaseDVDR.00412BD3 ; //循环,注册码必须全为数字
00412BEB 8B4424 24 mov eax,dword ptr ss:[esp+24]
00412BEF 3958 F8 cmp dword ptr ds:[eax-8],ebx
00412BF2 0F84 84000000 je EaseDVDR.00412C7C ; //用户名不能为空
00412BF8 EB 04 jmp short EaseDVDR.00412BFE
00412BFA EB 05 jmp short EaseDVDR.00412C01
00412BFC 3919 cmp dword ptr ds:[ecx],ebx
00412BFE 8B7424 24 mov esi,dword ptr ss:[esp+24]
00412C02 33C9 xor ecx,ecx
00412C04 33C0 xor eax,eax
00412C06 8B56 F8 mov edx,dword ptr ds:[esi-8]
00412C09 3BD3 cmp edx,ebx
00412C0B 7E 0B jle short EaseDVDR.00412C18
00412C0D 0FBE2C30 movsx ebp,byte ptr ds:[eax+esi]
00412C11 03CD add ecx,ebp
00412C13 40 inc eax
00412C14 3BC2 cmp eax,edx
00412C16 ^ 7C F5 jl short EaseDVDR.00412C0D ; //循环,逐一将用户名ASCII值累加至ECX
00412C18 8BC1 mov eax,ecx ; //EAX=ECX
00412C1A C1E0 05 shl eax,5 ; //EAX左移5位
00412C1D 03C1 add eax,ecx ; //EAX=EAX+ECX
00412C1F 8D1440 lea edx,dword ptr ds:[eax+eax*2] ; //EDX=EAX*3
00412C22 8D0491 lea eax,dword ptr ds:[ecx+edx*4] ; //EAX=ECX+EDX*4
00412C25 8B4C24 28 mov ecx,dword ptr ss:[esp+28]
00412C29 51 push ecx ; //假码
00412C2A 8D3485 E8EA0700 lea esi,dword ptr ds:[eax*4+7EAE8] ; //ESI=EAX*4+7EAE8
00412C31 FF15 34A64100 call dword ptr ds:[<&MSVCRT.atol>] ; //将假码转16进制送EAX
00412C37 83C4 04 add esp,4
00412C3A 3BC6 cmp eax,esi ; //真假码比较
00412C3C 75 3E jnz short EaseDVDR.00412C7C ; //关键跳转
00412C3E 51 push ecx
00412C3F 8D5424 28 lea edx,dword ptr ss:[esp+28]
00412C43 8BCC mov ecx,esp
00412C45 896424 14 mov dword ptr ss:[esp+14],esp
00412C49 52 push edx
00412C4A E8 CB510000 call <jmp.&MFC42.#535>
00412C4F 8BCF mov ecx,edi
00412C51 E8 2A020000 call EaseDVDR.00412E80
00412C56 3AC3 cmp al,bl
00412C58 75 22 jnz short EaseDVDR.00412C7C
00412C5A 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00412C5E 885C24 1C mov byte ptr ss:[esp+1C],bl
00412C62 E8 114E0000 call <jmp.&MFC42.#800>
00412C67 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00412C6B C74424 1C FFFFF>mov dword ptr ss:[esp+1C],-1
00412C73 E8 004E0000 call <jmp.&MFC42.#800>
00412C78 B0 01 mov al,1
00412C7A EB 20 jmp short EaseDVDR.00412C9C
00412C7C 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00412C80 885C24 1C mov byte ptr ss:[esp+1C],bl
00412C84 E8 EF4D0000 call <jmp.&MFC42.#800>
00412C89 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00412C8D C74424 1C FFFFF>mov dword ptr ss:[esp+1C],-1
00412C95 E8 DE4D0000 call <jmp.&MFC42.#800>
00412C9A 32C0 xor al,al ; //关键赋值
00412C9C 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
00412CA0 5F pop edi
00412CA1 5E pop esi
00412CA2 5D pop ebp
00412CA3 64:890D 0000000>mov dword ptr fs:[0],ecx
00412CAA 5B pop ebx
00412CAB 83C4 10 add esp,10
00412CAE C2 0800 retn 8
**************************************************************
【破解总结】
简单算法而且没加壳,这样的软件很少见了
--------------------------------------------------------------
【算法总结】
--------------------------------------------------------------
【算法注册机】
KeyGen.rek
.const
.data
szHomePage db "http://www.huacolor.com",0
szEmail db "mailto:tianxj_2007@126.com",0
szErrMess db "请输入用户名!",0
szFMT db "%u",0
szBuffer db 50 dup (0)
.code
mov esi,eax
invoke lstrlen,esi
mov edx,eax
xor ecx,ecx
xor eax,eax
n1:
movsx ebp,byte ptr ds:[eax+esi]
add ecx,ebp
inc eax
cmp eax,edx
jl n1
mov eax,ecx
shl eax,5
add eax,ecx
lea edx,dword ptr ds:[eax+eax*2]
lea eax,dword ptr ds:[ecx+edx*4]
lea esi,dword ptr ds:[eax*4+7EAE8h]
invoke wsprintf,addr szBuffer,addr szFMT,esi
lea eax,szBuffer
--------------------------------------------------------------
【注册信息】
保存在ease.ini
--------------------------------------------------------------
感谢飘云老大、猫老大、Nisy老大以及很多前辈们的学习教程以及王者之剑、云龙等所有帮助过我的论坛兄弟姐妹们!谢谢
--------------------------------------------------------------
【版权声明】破文是学习的手记,兴趣是成功的源泉;本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! |
免费评分
-
查看全部评分
|
发表于 2009-2-22 19:59
|
发表于 2009-2-22 20:22
