- UID
- 55012
注册时间2008-9-1
阅读权限90
最后登录1970-1-1
版主
 
TA的每日心情 | 奋斗
2015-10-29 08:08 |
|---|
签到天数: 3 天 [LV.2]偶尔看看I
|
Power Video Converter 2.2.1 算法分析
Power Video Converter 2.2.1 算法分析
【破文标题】Power Video Converter 2.2.1算法分析
【破文作者】creantan
【作者邮箱】[email protected]
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】Power Video Converter 2.2.1
【软件大小】6231KB
【软件类别】国外软件/视频转换
【软件授权】共享版
【软件语言】英文
【运行环境】Win9x/Me/NT/2000/XP/2003
【更新时间】2009-1-6
【原版下载】http://www.newhua.com/soft/29607.htm
【保护方式】注册码
【软件简介】 Power Video Converter可以在AVi, MPEG1, MPEG2, VCD, SVCD, DVD, WMV, ASF, DAT, VOB文件格式之间进行转换,同时具有很快的转换速度和友好的使用界面。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
PEID上显示Microsoft Visual C++ 6.0
试着注册有错误提示。。。下断 bp MessageBoxA
断点后回到用户代码,向上找到关键算法。。。。
- 00423750 /$ 53 push ebx
- 00423751 |. 55 push ebp ;
- 00423752 |. 8B6C24 0C mov ebp, dword ptr [esp+C]
- 00423756 |. 56 push esi
- 00423757 |. 57 push edi
- 00423758 |. BE ECD24300 mov esi, 0043D2EC
- 0042375D |. 8BC5 mov eax, ebp
- 0042375F |> 8A10 /mov dl, byte ptr [eax] ; 判断用户名是否为空
- 00423761 |. 8A1E |mov bl, byte ptr [esi]
- 00423763 |. 8ACA |mov cl, dl
- 00423765 |. 3AD3 |cmp dl, bl
- 00423767 |. 75 1E |jnz short 00423787
- 00423769 |. 84C9 |test cl, cl
- 0042376B |. 74 16 |je short 00423783
- 0042376D |. 8A50 01 |mov dl, byte ptr [eax+1]
- 00423770 |. 8A5E 01 |mov bl, byte ptr [esi+1]
- 00423773 |. 8ACA |mov cl, dl
- 00423775 |. 3AD3 |cmp dl, bl
- 00423777 |. 75 0E |jnz short 00423787
- 00423779 |. 83C0 02 |add eax, 2
- 0042377C |. 83C6 02 |add esi, 2
- 0042377F |. 84C9 |test cl, cl
- 00423781 |.^ 75 DC \jnz short 0042375F
- 00423783 |> 33C0 xor eax, eax
- 00423785 |. EB 05 jmp short 0042378C
- 00423787 |> 1BC0 sbb eax, eax
- 00423789 |. 83D8 FF sbb eax, -1
- 0042378C |> 85C0 test eax, eax
- 0042378E |. 74 51 je short 004237E1
- 00423790 |. 8B7C24 18 mov edi, dword ptr [esp+18]
- 00423794 |. BE ECD24300 mov esi, 0043D2EC
- 00423799 |. 8BC7 mov eax, edi
- 0042379B |> 8A10 /mov dl, byte ptr [eax] ; 判断假码是否为空
- 0042379D |. 8A1E |mov bl, byte ptr [esi]
- 0042379F |. 8ACA |mov cl, dl
- 004237A1 |. 3AD3 |cmp dl, bl
- 004237A3 |. 75 1E |jnz short 004237C3
- 004237A5 |. 84C9 |test cl, cl
- 004237A7 |. 74 16 |je short 004237BF
- 004237A9 |. 8A50 01 |mov dl, byte ptr [eax+1]
- 004237AC |. 8A5E 01 |mov bl, byte ptr [esi+1]
- 004237AF |. 8ACA |mov cl, dl
- 004237B1 |. 3AD3 |cmp dl, bl
- 004237B3 |. 75 0E |jnz short 004237C3
- 004237B5 |. 83C0 02 |add eax, 2
- 004237B8 |. 83C6 02 |add esi, 2
- 004237BB |. 84C9 |test cl, cl
- 004237BD |.^ 75 DC \jnz short 0042379B
- 004237BF |> 33C0 xor eax, eax
- 004237C1 |. EB 05 jmp short 004237C8
- 004237C3 |> 1BC0 sbb eax, eax
- 004237C5 |. 83D8 FF sbb eax, -1
- 004237C8 |> 85C0 test eax, eax
- 004237CA |. 74 15 je short 004237E1
- 004237CC |. 57 push edi ; 假码入栈
- 004237CD |. 55 push ebp ; 用户名入栈
- 004237CE |. E8 3DFDFFFF call 00423510 ;关键算法
- {
- 00423510 /$ 6A FF push -1
- 00423512 |. 68 D0EE4200 push 0042EED0 ; SE 处理程序安装
- 00423517 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
- 0042351D |. 50 push eax
- 0042351E |. 64:8925 00000>mov dword ptr fs:[0], esp
- 00423525 |. 83EC 14 sub esp, 14
- 00423528 |. 8B4424 24 mov eax, dword ptr [esp+24]
- 0042352C |. 53 push ebx
- 0042352D |. 55 push ebp
- 0042352E |. 56 push esi
- 0042352F |. 57 push edi
- 00423530 |. 50 push eax
- 00423531 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
- 00423535 |. E8 0E690000 call <jmp.&MFC42.#537>
- 0042353A |. 33F6 xor esi, esi
- 0042353C |. 8D4C24 14 lea ecx, dword ptr [esp+14]
- 00423540 |. 897424 2C mov dword ptr [esp+2C], esi
- 00423544 |. E8 C56C0000 call <jmp.&MFC42.#6282>
- 00423549 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
- 0042354D |. E8 B66C0000 call <jmp.&MFC42.#6283>
- 00423552 |. 6A 20 push 20
- 00423554 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
- 00423558 |. E8 A96B0000 call <jmp.&MFC42.#2915>
- 0042355D |. 8B4C24 38 mov ecx, dword ptr [esp+38] ; 取假码
- 00423561 |. 8BD8 mov ebx, eax
- 00423563 |. 51 push ecx
- 00423564 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
- 00423568 |. E8 DB680000 call <jmp.&MFC42.#537>
- 0042356D |. 8D4C24 10 lea ecx, dword ptr [esp+10]
- 00423571 |. C64424 2C 01 mov byte ptr [esp+2C], 1
- 00423576 |. E8 936C0000 call <jmp.&MFC42.#6282>
- 0042357B |. 8D4C24 10 lea ecx, dword ptr [esp+10]
- 0042357F |. E8 846C0000 call <jmp.&MFC42.#6283>
- 00423584 |. 6A 20 push 20
- 00423586 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
- 0042358A |. E8 776B0000 call <jmp.&MFC42.#2915> ; 取假码
- 0042358F |. 8BD0 mov edx, eax
- 00423591 |. 83C9 FF or ecx, FFFFFFFF
- 00423594 |. 8BFA mov edi, edx
- 00423596 |. 33C0 xor eax, eax
- 00423598 |. F2:AE repne scas byte ptr es:[edi]
- 0042359A |. F7D1 not ecx
- 0042359C |. 49 dec ecx ; 取假码长度
- 0042359D |. 8BFB mov edi, ebx
- 0042359F |. 8BE9 mov ebp, ecx
- 004235A1 |. 83C9 FF or ecx, FFFFFFFF
- 004235A4 |. F2:AE repne scas byte ptr es:[edi]
- 004235A6 |. F7D1 not ecx
- 004235A8 |. 49 dec ecx ; 取用户名长度
- 004235A9 |. 895424 20 mov dword ptr [esp+20], edx
- 004235AD |. 3BCD cmp ecx, ebp
- 004235AF |. 0F87 64010000 ja 00423719 ; 用户名长度与假码长度比较
- 004235B5 |. 8BFB mov edi, ebx ; 假码长度不能小于用户名
- 004235B7 |. 83C9 FF or ecx, FFFFFFFF
- 004235BA |. F2:AE repne scas byte ptr es:[edi]
- 004235BC |. F7D1 not ecx
- 004235BE |. 49 dec ecx ; 用户名长度
- 004235BF |. 0F84 54010000 je 00423719 ; 判断长度是否为0
- 004235C5 |. 8BFA mov edi, edx
- 004235C7 |. 83C9 FF or ecx, FFFFFFFF
- 004235CA |. F2:AE repne scas byte ptr es:[edi]
- 004235CC |. F7D1 not ecx
- 004235CE |. 49 dec ecx ; 假码长度
- 004235CF |. 0F84 44010000 je 00423719 ; 判断假码长度是否为0 0的话就跳向失败
- 004235D5 |. 897424 38 mov dword ptr [esp+38], esi
- 004235D9 |> 8B5424 38 /mov edx, dword ptr [esp+38] ; edx赋值
- 004235DD |. 8D4C24 34 |lea ecx, dword ptr [esp+34]
- 004235E1 |. 8A82 CCCD4300 |mov al, byte ptr [edx+43CDCC]
- 004235E7 |. 884424 18 |mov byte ptr [esp+18], al
- 004235EB |. E8 A6650000 |call <jmp.&MFC42.#540>
- 004235F0 |. 8BFB |mov edi, ebx
- 004235F2 |. 83C9 FF |or ecx, FFFFFFFF ; //////////////////////////////////////
- 004235F5 |. 33C0 |xor eax, eax ; ★注册码第一部分关键点★
- 004235F7 |. 33ED |xor ebp, ebp
- 004235F9 |. F2:AE |repne scas byte ptr es:[edi]
- 004235FB |. F7D1 |not ecx ; 取用户名长度
- 004235FD |. 49 |dec ecx ;
- 004235FE |. C64424 2C 02 |mov byte ptr [esp+2C], 2
- 00423603 |. 74 50 |je short 00423655
- 00423605 |> 8A0C2B |/mov cl, byte ptr [ebx+ebp] ; 逐个取用户名
- 00423608 |. 33F6 ||xor esi, esi
- 0042360A |. B8 64CD4300 ||mov eax, 0043CD64 ; 固定字符串
- 0042360F |> 3A08 ||/cmp cl, byte ptr [eax] ; 在字符串中查找
- 00423611 |. 74 0D |||je short 00423620 ; 相等跳出
- 00423613 |. 83C0 02 |||add eax, 2 ; eax+=2
- 00423616 |. 46 |||inc esi ; esi++ 下面取字符串用
- 00423617 |. 3D CCCD4300 |||cmp eax, 0043CDCC ; ASCII "vMw"
- 0042361C |.^ 7C F1 ||\jl short 0042360F
- 0042361E |. EB 11 ||jmp short 00423631
- 00423620 |> 8A0C75 65CD43>||mov cl, byte ptr [esi*2+43CD65] ; [esi*2]取字符
- 00423627 |. 51 ||push ecx
- 00423628 |. 8D4C24 38 ||lea ecx, dword ptr [esp+38]
- 0042362C |. E8 F3670000 ||call <jmp.&MFC42.#940> ; 取字符后连接字符串
- 00423631 |> 83FE 34 ||cmp esi, 34
- 00423634 |. 75 0E ||jnz short 00423644
- 00423636 |. 8B5424 18 ||mov edx, dword ptr [esp+18]
- 0042363A |. 8D4C24 34 ||lea ecx, dword ptr [esp+34]
- 0042363E |. 52 ||push edx
- 0042363F |. E8 E0670000 ||call <jmp.&MFC42.#940>
- 00423644 |> 8BFB ||mov edi, ebx
- 00423646 |. 83C9 FF ||or ecx, FFFFFFFF
- 00423649 |. 33C0 ||xor eax, eax
- 0042364B |. 45 ||inc ebp
- 0042364C |. F2:AE ||repne scas byte ptr es:[edi] ; 取字符串长度
- 0042364E |. F7D1 ||not ecx
- 00423650 |. 49 ||dec ecx
- 00423651 |. 3BE9 ||cmp ebp, ecx
- 00423653 |.^ 72 B0 |\jb short 00423605
- 00423655 |> 8B4424 34 |mov eax, dword ptr [esp+34]
- 00423659 |. 8B48 F8 |mov ecx, dword ptr [eax-8]
- 0042365C |. 83F9 10 |cmp ecx, 10
- 0042365F |. 7D 3A |jge short 0042369B
- 00423661 |. 8BC1 |mov eax, ecx
- 00423663 |. B9 10000000 |mov ecx, 10
- 00423668 |. 2BC8 |sub ecx, eax
- 0042366A |. 8D5424 1C |lea edx, dword ptr [esp+1C]
- 0042366E |. 51 |push ecx ; ★注册码第二部分关键点★
- 0042366F |. 52 |push edx
- 00423670 |. B9 40D64300 |mov ecx, 0043D640 ; 固定字串ESqNCdaYoDciekuS
- 00423675 |. E8 AC650000 |call <jmp.&MFC42.#4129> ; 用用户名长度取字符串
- 0042367A |. 50 |push eax
- 0042367B |. 8D4C24 38 |lea ecx, dword ptr [esp+38]
- 0042367F |. C64424 30 03 |mov byte ptr [esp+30], 3
- 00423684 |. E8 95670000 |call <jmp.&MFC42.#939> ; 两部分连接
- 00423689 |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
- 0042368D |. C64424 2C 02 |mov byte ptr [esp+2C], 2
- 00423692 |. E8 F3640000 |call <jmp.&MFC42.#800>
- 00423697 |. 8B4424 34 |mov eax, dword ptr [esp+34]
- 0042369B |> 8B4C24 20 |mov ecx, dword ptr [esp+20]
- 0042369F |. 51 |push ecx ; /假码
- 004236A0 |. 50 |push eax ; |连接后的字符串
- 004236A1 |. FF15 AC064300 |call dword ptr [<&MSVCRT._mbscmp>] ; \比较字符串
- 004236A7 |. 83C4 08 |add esp, 8
- 004236AA |. 85C0 |test eax, eax
- 004236AC |. 74 24 |je short 004236D2
- 004236AE |. 8D4C24 34 |lea ecx, dword ptr [esp+34]
- 004236B2 |. 33F6 |xor esi, esi
- 004236B4 |. C64424 2C 01 |mov byte ptr [esp+2C], 1
- 004236B9 |. E8 CC640000 |call <jmp.&MFC42.#800>
- 004236BE |. 8B4424 38 |mov eax, dword ptr [esp+38]
- 004236C2 |. 40 |inc eax
- 004236C3 |. 83F8 03 |cmp eax, 3
- 004236C6 |. 894424 38 |mov dword ptr [esp+38], eax
- 004236CA |.^ 0F8C 09FFFFFF \jl 004235D9
- 004236D0 |. EB 13 jmp short 004236E5
- 004236D2 |> 8D4C24 34 lea ecx, dword ptr [esp+34]
- 004236D6 |. BE 01000000 mov esi, 1
- 004236DB |. C64424 2C 01 mov byte ptr [esp+2C], 1
- 004236E0 |. E8 A5640000 call <jmp.&MFC42.#800>
- 004236E5 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
- 004236E9 |. C64424 2C 00 mov byte ptr [esp+2C], 0
- 004236EE |. E8 97640000 call <jmp.&MFC42.#800>
- 004236F3 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
- 004236F7 |. C74424 2C FFF>mov dword ptr [esp+2C], -1
- 004236FF |. E8 86640000 call <jmp.&MFC42.#800>
- 00423704 |. 8BC6 mov eax, esi
- 00423706 |. 5F pop edi
- 00423707 |. 5E pop esi
- 00423708 |. 5D pop ebp
- 00423709 |. 5B pop ebx
- 0042370A |. 8B4C24 14 mov ecx, dword ptr [esp+14]
- 0042370E |. 64:890D 00000>mov dword ptr fs:[0], ecx
- 00423715 |. 83C4 20 add esp, 20
- 00423718 |. C3 retn
- 00423719 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
- 0042371D |. C64424 2C 00 mov byte ptr [esp+2C], 0
- 00423722 |. E8 63640000 call <jmp.&MFC42.#800>
- 00423727 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
- 0042372B |. C74424 2C FFF>mov dword ptr [esp+2C], -1
- 00423733 |. E8 52640000 call <jmp.&MFC42.#800>
- 00423738 |. 8B4C24 24 mov ecx, dword ptr [esp+24]
- 0042373C |. 5F pop edi
- 0042373D |. 5E pop esi
- 0042373E |. 5D pop ebp
- 0042373F |. 33C0 xor eax, eax
- 00423741 |. 5B pop ebx
- 00423742 |. 64:890D 00000>mov dword ptr fs:[0], ecx
- 00423749 |. 83C4 20 add esp, 20
- 0042374C \. C3 retn
- }
- 004237D3 |. 83C4 08 add esp, 8
- 004237D6 |. F7D8 neg eax
- 004237D8 |. 5F pop edi
- 004237D9 |. 5E pop esi
- 004237DA |. 1BC0 sbb eax, eax
- 004237DC |. 5D pop ebp
- 004237DD |. F7D8 neg eax
- 004237DF |. 5B pop ebx
- 004237E0 |. C3 retn
- 004237E1 |> 5F pop edi
- 004237E2 |. 5E pop esi
- 004237E3 |. 5D pop ebp
- 004237E4 |. 33C0 xor eax, eax
- 004237E6 |. 5B pop ebx
- 004237E7 \. C3 retn
--------------------------------------------------------------
【算法总结】
将"aGbmcldSemfkgEhcixjsktlYmbnkoDptqarfswtlujvDwIxPyZzXAPBoCKDgEyFmGtHaIrJqKNLQMUNuOGPJQLRnSbTCUFVHWoXwYEZpvMw"和"ESqNCdaYoDciekuS"与用户名运算得到注册码
--------------------------------------------------------------
【算法注册机】
- void CKeyGenVideoDlg::OnKeyGen()
- {
- // TODO: Add your control notification handler code here
- CString str="aGbmcldSemfkgEhcixjsktlYmbnkoDptqarfswtlujvDwIxPyZzXAPBoCKDgEyFmGtHaIrJqKNLQMUNuOGPJQLRnSbTCUFVHWoXwYEZpvMw";
- CString str1="ESqNCdaYoDciekuS";
- CString serial;
- int nameLen,strLen;
- UpdateData(true);
- nameLen=m_name.GetLength();
- strLen=str.GetLength();
- for(int i=0;i<nameLen;i++)
- {
- for(int j=0;j<strLen;j+=2)
- {
- if(m_name.GetAt(i)==str.GetAt(j))
- {
- serial.Insert(serial.GetLength(),str.GetAt(j+1));
- break;
- }
- }
- }
- m_serial=serial+str1.Mid(0,16-nameLen);
- UpdateData(false);
- }
用户名:creantan
注册码:lfmGklGkESqNCdaY
--------------------------------------------------------------
【版权声明】本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! |
|
IP卡
发表于 2009-1-20 12:16:16
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-1-21 19:17:04
发表于 2009-1-21 19:30:59
发表于 2009-1-21 20:10:05
发表于 2009-1-21 22:21:05