[转载]注册“豪杰视频通Hero Video Convert v2.0”
<P><STRONG>文章作者: qduwg</STRONG></P><P><FONT face=宋体>题目:注册“豪杰视频通HeroVideoConvertv2.0”<BR>软件功能:支持直接从DVD光盘转为VCD格式的视频文件;支持目前常见的视频格式的相互转化,支持格式包括MPGE1,MPEG2,MPEG4,AVI,DAT,VOB,RM等;支持把以上视频格式转化为GIF动画;可以播放和转化同时进行;支持最新的超线程技术(Hyper-Thread)。<BR>工具:softice<BR><BR>引子:没有想到在2003电脑爱好者光盘上包括大部分豪杰的东西,今天连续作战搞定这一系列东西。注册码算法思路基本一样,但是具体每个软件都有不同的注册码生成算法。下面开始分析。启动程序,输入用户名和注册码。比如wanggang,1111-2222-3333-4444。打开SOFTICE,下断点bpxgetwindowtexta,F5退出,点击确定被拦住。按1次F12来到下面代码处:<BR>:0040248083EC40subesp,00000040<BR>:004024838B0D38CC4000movecx,dwordptr[0040CC38]<BR>:0040248956pushesi<BR>*ReferenceTo:USER32.GetWindowTextA,Ord:015Eh<BR>|<BR>:0040248A8B3598914000movesi,dwordptr[00409198]<BR>:004024908D442404leaeax,dwordptr[esp+04]<BR>:004024946A08push00000008<BR>:0040249650pusheax<BR>:0040249751pushecx<BR>:00402498FFD6callesi//读取注册码第一段<BR>:0040249AA134CC4000moveax,dwordptr[0040CC34]//我们停在这里。<BR>:0040249F8D542409leaedx,dwordptr[esp+09]<BR>:004024A36A08push00000008<BR>:004024A552pushedx<BR>:004024A650pusheax<BR>:004024A7FFD6callesi//读取注册码第二段<BR>:004024A98B1540CC4000movedx,dwordptr[0040CC40]<BR>:004024AF8D4C240Eleaecx,dwordptr[esp+0E]<BR>:004024B36A08push00000008<BR>:004024B551pushecx<BR>:004024B652pushedx<BR>:004024B7FFD6callesi//读取注册码第三段<BR>:004024B98B0D3CCC4000movecx,dwordptr[0040CC3C]<BR>:004024BF8D442413leaeax,dwordptr[esp+13]<BR>:004024C36A08push00000008<BR>:004024C550pusheax<BR>:004024C651pushecx<BR>:004024C7FFD6callesi//读取注册码第四段<BR>:004024C98B1530CC4000movedx,dwordptr[0040CC30]<BR>:004024CF6800010000push00000100<BR>:004024D4B02Dmoval,2D<BR>:004024D66880CD4000push0040CD80<BR>:004024DB52pushedx<BR>:004024DC8844241Emovbyteptr[esp+1E],al//下面三行每隔4位插入"-"号<BR>:004024E088442419movbyteptr[esp+19],al<BR>:004024E488442414movbyteptr[esp+14],al<BR>:004024E8C644242300mov[esp+23],00<BR>:004024EDFFD6callesi//读取用户名。<BR>:004024EFA158C74000moveax,dwordptr[0040C758]<BR>:004024F45Epopesi<BR>:004024F585C0testeax,eax<BR>:004024F7740Eje00402507<BR>:004024F98D4C2400leaecx,dwordptr[esp]<BR>:004024FD51pushecx<BR>:004024FE6880CD4000push0040CD80<BR>:00402503FFD0calleax//跟入这个CALL。计算注册码的地方。EAX值为100010A0。<BR>:00402505EB0Fjmp00402516<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:004024F7(C)<BR>|<BR>:004025078D542400leaedx,dwordptr[esp]<BR>:0040250B52pushedx<BR>:0040250C6880CD4000push0040CD80<BR>:00402511E8DA140000call004039F0<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:00402505(U)<BR>|<BR>:0040251633C9xorecx,ecx<BR>:004025188D542400leaedx,dwordptr[esp]<BR>:0040251C85C0testeax,eax<BR>:0040251E0F95C1setnecl//注册码正确则置CL为1。<BR>:0040252152pushedx<BR>:004025226880CD4000push0040CD80<BR>:00402527890D40F84000movdwordptr[0040F840],ecx<BR>:0040252DE82E000000call00402560<BR>:004025328B4C244Cmovecx,dwordptr[esp+4C]<BR>:004025368B1564CD4000movedx,dwordptr[0040CD64]<BR>:0040253C83C408addesp,00000008<BR>:0040253F8D442400leaeax,dwordptr[esp]<BR>:0040254350pusheax<BR>:0040254468E0234000push004023E0<BR>:0040254951pushecx<BR>*PossibleReferencetoDialog:DialogID_0069<BR>|<BR>:0040254A6A69push00000069<BR>:0040254C52pushedx<BR>*ReferenceTo:USER32.DialogBoxParamA,Ord:0093h<BR>|<BR>:0040254DFF15C4914000Calldwordptr[004091C4]//成功信息。<BR>:00402553A140F84000moveax,dwordptr[0040F840]<BR>:0040255883C440addesp,00000040<BR>:0040255BC3ret<BR>============================================================<BR>下面分析:00402503处的函数:<BR>:100010A083EC20subesp,00000020<BR>:100010A333C0xoreax,eax<BR>:100010A5B908000000movecx,00000008<BR>:100010AA53pushebx<BR>:100010AB56pushesi<BR>:100010AC57pushedi<BR>:100010AD8D7C240Cleaedi,dwordptr[esp+0C]<BR>:100010B1F3repz<BR>:100010B2ABstosd<BR>:100010B38B442430moveax,dwordptr[esp+30]<BR>:100010B733FFxoredi,edi<BR>:100010B950pusheax<BR>:100010BAE8E1010000call100012A0//用户名变换后,把用户名每4位累加起来。<BR>:100010BF89442410movdwordptr[esp+10],eax<BR>:100010C383C404addesp,00000004<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:100010E9(C)<BR>|<BR>:100010C68D743C0Cleaesi,dwordptr[esp+edi+0C]//变换后的用户名地址送ESI。<BR>:100010CA0FBE06movsxeax,byteptr[esi]//逐位取出送EAX。<BR>:100010CD83F841cmpeax,00000041<BR>:100010D07C08jl100010DA<BR>:100010D283F85Acmpeax,0000005A<BR>:100010D57F03jg100010DA<BR>:100010D783C020addeax,00000020<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:100010D0(C),:100010D5(C)<BR>|<BR>:100010DA50pusheax<BR>:100010DB47incedi<BR>:100010DCE88F040000call10001570//对变换后的用户名进一步变换。<BR>:100010E183C404addesp,00000004<BR>:100010E48806movbyteptr[esi],al<BR>:100010E683FF04cmpedi,00000004<BR>:100010E97CDBjl100010C6<BR>:100010EB33C9xorecx,ecx<BR>:100010ED8B742434movesi,dwordptr[esp+34]<BR><BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:10001113(C)<BR>|<BR>:100010F10FBE040Emovsxeax,byteptr[esi+ecx]<BR>:100010F583F841cmpeax,00000041<BR>:100010F87C08jl10001102<BR>:100010FA83F85Acmpeax,0000005A<BR>:100010FD7F03jg10001102<BR>:100010FF83C020addeax,00000020<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:100010F8(C),:100010FD(C)<BR>|<BR>:100011020FBE540C0Cmovsxedx,byteptr[esp+ecx+0C]//第一段真码字符依次送EDX。<BR>:100011073BD0cmpedx,eax//比较<BR>:100011090F8540010000jne1000124F<BR>:1000110F41incecx<BR>:1000111083F904cmpecx,00000004<BR>:100011137CDCjl100010F1//未完则继续。<BR>:100011158B44240Cmoveax,dwordptr[esp+0C]//EAX=第一段注册码<BR>:100011198D0C80leaecx,dwordptr[eax+4*eax]//ECX=5*EAX<BR>:1000111C8D0489leaeax,dwordptr[ecx+4*ecx]//EAX=5*ECX<BR>:1000111F8B4C240Cmovecx,dwordptr[esp+0C]//ECX=第一段注册码。<BR>:100011238BD1movedx,ecx<BR>:1000112533DBxorebx,ebx<BR>:10001127C1E105shlecx,05//ECX左移5次<BR>:1000112A03CAaddecx,edx//ECX=ECX+EDX<BR>:1000112C33C1xoreax,ecx//EAX=EAX与ECX异或。<BR>:1000112E89442410movdwordptr[esp+10],eax//保存结果。<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:10001155(C)<BR>|<BR>:100011328D7C1C10leaedi,dwordptr[esp+ebx+10]//下面把得到的第二段注册码码变换为1-9或者a-z之间的字符。<BR>:100011368A07moval,byteptr[edi]<BR>:1000113850pusheax<BR>:1000113953pushebx<BR>:1000113A43incebx<BR>:1000113BE840010000call10001280//变换函数。<BR>:1000114083C408addesp,00000008<BR>:1000114333C9xorecx,ecx<BR>:100011458AC8movcl,al<BR>:1000114751pushecx<BR>:10001148E823040000call10001570//变换函数<BR>:1000114D83C404addesp,00000004<BR>:100011508807movbyteptr[edi],al<BR>:1000115283FB04cmpebx,00000004<BR>:100011557CDBjl10001132<BR>:1000115733C9xorecx,ecx<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:1000117C(C)<BR>|<BR>:100011590FBE440E05movsxeax,byteptr[esi+ecx+05]//取假码。<BR>:1000115E83F841cmpeax,00000041<BR>:100011617C08jl1000116B<BR>:1000116383F85Acmpeax,0000005A<BR>:100011667F03jg1000116B<BR>:1000116883C020addeax,00000020<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:10001161(C),:10001166(C)<BR>|<BR>:1000116B0FBE540C10movsxedx,byteptr[esp+ecx+10]//取真码。<BR>:100011703BD0cmpedx,eax//比较。<BR>:100011720F85E2000000jne1000125A<BR>:1000117841incecx<BR>:1000117983F904cmpecx,00000004<BR>:1000117C7CDBjl10001159//循环。<BR>:1000117E8B442410moveax,dwordptr[esp+10]//EAX=第二段注册码。<BR>:100011828B4C240Cmovecx,dwordptr[esp+0C]//ECX=第一段注册码<BR>:100011863344240Cxoreax,dwordptr[esp+0C]//EAX与第一段注册码异或<BR>:1000118A8BD1movedx,ecx<BR>:1000118C0FAF44240Cimuleax,dwordptr[esp+0C]//EAX=EAX*第一段注册码<BR>:1000119103442410addeax,dwordptr[esp+10]//EAX=EAX+第二段注册码。<BR>:100011958D0C49leaecx,dwordptr[ecx+2*ecx]//ECX=3*ECX<BR>:10001198C1E103shlecx,03//ECX左移3次。<BR>:1000119B33DBxorebx,ebx<BR>:1000119D2BCAsubecx,edx//ECX与EDX异或,送ECX。<BR>:1000119F33C1xoreax,ecx//EAX与ECX异或,送EAX。<BR>:100011A189442414movdwordptr[esp+14],eax//结果保存。<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:100011BB(C)<BR>|<BR>:100011A58D7C1C14leaedi,dwordptr[esp+ebx+14]//下面对得到第三段进行变换。<BR>:100011A943incebx<BR>:100011AA0FBE07movsxeax,byteptr[edi]<BR>:100011AD50pusheax<BR>:100011AEE8BD030000call10001570//变换函数。<BR>:100011B383C404addesp,00000004<BR>:100011B68807movbyteptr[edi],al<BR>:100011B883FB04cmpebx,00000004<BR>:100011BB7CE8jl100011A5<BR>:100011BD33C9xorecx,ecx<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:100011E2(C)<BR>|<BR>:100011BF0FBE440E0Amovsxeax,byteptr[esi+ecx+0A]//取假码<BR>:100011C483F841cmpeax,00000041<BR>:100011C77C08jl100011D1<BR>:100011C983F85Acmpeax,0000005A<BR>:100011CC7F03jg100011D1<BR>:100011CE83C020addeax,00000020<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:100011C7(C),:100011CC(C)<BR>|<BR>:100011D10FBE540C14movsxedx,byteptr[esp+ecx+14]//取真码<BR>:100011D63BD0cmpedx,eax//比较。<BR>:100011D80F8587000000jne10001265<BR>:100011DE41incecx<BR>:100011DF83F904cmpecx,00000004<BR>:100011E27CDBjl100011BF//未完继续。<BR>:100011E48B4C2410movecx,dwordptr[esp+10]//ECX=第二段注册码。<BR>:100011E88B442414moveax,dwordptr[esp+14]//EAX=第三段注册码。<BR>:100011EC41incecx//ECX加1。<BR>:100011ED0FAF4C240Cimulecx,dwordptr[esp+0C]//ECX=ECX*第一段注册码<BR>:100011F233FFxoredi,edi<BR>:100011F48D1489leaedx,dwordptr[ecx+4*ecx]//EDX=5*ECX。<BR>:100011F78D0C91leaecx,dwordptr[ecx+4*edx]//ECX=4*EDX+ECX。<BR>:100011FA8D1440leaedx,dwordptr[eax+2*eax]//EDX=3*EAX。<BR>:100011FD8D1CD2leaebx,dwordptr[edx+8*edx]//EBX=9*EDX<BR>:1000120003CBaddecx,ebx//ECX=ECX+EBX。<BR>:10001202894C2418movdwordptr[esp+18],ecx//保存结果。<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:1000121C(C)<BR>|<BR>:100012068D5C3C18leaebx,dwordptr[esp+edi+18]//下面对得到的第四段进行变换。<BR>:1000120A47incedi<BR>:1000120B0FBE03movsxeax,byteptr[ebx]<BR>:1000120E50pusheax<BR>:1000120FE85C030000call10001570//变换函数<BR>:1000121483C404addesp,00000004<BR>:100012178803movbyteptr[ebx],al<BR>:1000121983FF04cmpedi,00000004<BR>:1000121C7CE8jl10001206//未完继续。<BR>:1000121E33C9xorecx,ecx<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:1000123F(C)<BR>|<BR>:100012200FBE440E0Fmovsxeax,byteptr[esi+ecx+0F]//取假码。<BR>:1000122583F841cmpeax,00000041<BR>:100012287C08jl10001232<BR>:1000122A83F85Acmpeax,0000005A<BR>:1000122D7F03jg10001232<BR>:1000122F83C020addeax,00000020<BR><BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:10001228(C),:1000122D(C)<BR>|<BR>:100012320FBE540C18movsxedx,byteptr[esp+ecx+18]//取真码。<BR>:100012373BD0cmpedx,eax//比较。<BR>:100012397535jne10001270<BR>:1000123B41incecx<BR>:1000123C83F904cmpecx,00000004<BR>:1000123F7CDFjl10001220//未完则继续。<BR>:10001241B801000000moveax,00000001//如果正确则EAX=1。<BR>:100012465Fpopedi<BR>:100012475Epopesi<BR>:100012485Bpopebx<BR>:1000124983C420addesp,00000020<BR>:1000124CC20800ret0008<BR>============================================================<BR>后记:大部分的豪杰软件都一个模式下来的。所以相对比较简单。为了节省篇幅,把里面的几个函数内容分析略掉,请参考其他豪杰破文即可。感谢您的阅读!<BR><BR><BR>结论:<BR>用户名:wanggang<BR>注册码:7zq3-59m4-rha2-7155</FONT><BR></P>
页:
[1]