
[转载]注册“豪杰视频通Hero Video Convert v2.0”

[转载]注册“豪杰视频通Hero Video Convert v2.0”

文章作者: qduwg

题目:注册“豪杰视频通Hero Video Convert v2.0”
软件功能:支持直接从DVD光盘转为VCD格式的视频文件;支持目前常见的视频格式的相互转化,支持格式包括MPEG1,MPEG2,MPEG4,AVI,DAT,VOB,RM等;支持把以上视频格式转化为GIF动画;可以播放和转化同时进行;支持最新的超线程技术(Hyper-Thread)。
工具:softice

引子:没有想到在2003电脑爱好者光盘上包括大部分豪杰的东西,今天连续作战搞定这一系列东西。注册码算法思路基本一样,但是具体每个软件都有不同的注册码生成算法。下面开始分析。启动程序,输入用户名和注册码。比如wanggang,1111-2222-3333-4444。打开SOFTICE,下断点bpx getwindowtexta,F5退出,点击确定被拦住。按1次F12来到下面代码处:
:0040248083EC40subesp,00000040
:004024838B0D38CC4000movecx,dwordptr[0040CC38]
:0040248956pushesi
*ReferenceTo:USER32.GetWindowTextA,Ord:015Eh
|
:0040248A8B3598914000movesi,dwordptr[00409198]
:004024908D442404leaeax,dwordptr[esp+04]
:004024946A08push00000008
:0040249650pusheax
:0040249751pushecx
:00402498FFD6callesi//读取注册码第一段
:0040249AA134CC4000moveax,dwordptr[0040CC34]//我们停在这里。
:0040249F8D542409leaedx,dwordptr[esp+09]
:004024A36A08push00000008
:004024A552pushedx
:004024A650pusheax
:004024A7FFD6callesi//读取注册码第二段
:004024A98B1540CC4000movedx,dwordptr[0040CC40]
:004024AF8D4C240Eleaecx,dwordptr[esp+0E]
:004024B36A08push00000008
:004024B551pushecx
:004024B652pushedx
:004024B7FFD6callesi//读取注册码第三段
:004024B98B0D3CCC4000movecx,dwordptr[0040CC3C]
:004024BF8D442413leaeax,dwordptr[esp+13]
:004024C36A08push00000008
:004024C550pusheax
:004024C651pushecx
:004024C7FFD6callesi//读取注册码第四段
:004024C98B1530CC4000movedx,dwordptr[0040CC30]
:004024CF6800010000push00000100
:004024D4B02Dmoval,2D
:004024D66880CD4000push0040CD80
:004024DB52pushedx
:004024DC8844241Emovbyteptr[esp+1E],al//下面三行每隔4位插入"-"号
:004024E088442419movbyteptr[esp+19],al
:004024E488442414movbyteptr[esp+14],al
:004024E8C644242300mov[esp+23],00
:004024EDFFD6callesi//读取用户名。
:004024EFA158C74000moveax,dwordptr[0040C758]
:004024F45Epopesi
:004024F585C0testeax,eax
:004024F7740Eje00402507
:004024F98D4C2400leaecx,dwordptr[esp]
:004024FD51pushecx
:004024FE6880CD4000push0040CD80
:00402503FFD0calleax//跟入这个CALL。计算注册码的地方。EAX值为100010A0。
:00402505EB0Fjmp00402516
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:004024F7(C)
|
:004025078D542400leaedx,dwordptr[esp]
:0040250B52pushedx
:0040250C6880CD4000push0040CD80
:00402511E8DA140000call004039F0
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:00402505(U)
|
:0040251633C9xorecx,ecx
:004025188D542400leaedx,dwordptr[esp]
:0040251C85C0testeax,eax
:0040251E0F95C1setnecl//注册码正确则置CL为1。
:0040252152pushedx
:004025226880CD4000push0040CD80
:00402527890D40F84000movdwordptr[0040F840],ecx
:0040252DE82E000000call00402560
:004025328B4C244Cmovecx,dwordptr[esp+4C]
:004025368B1564CD4000movedx,dwordptr[0040CD64]
:0040253C83C408addesp,00000008
:0040253F8D442400leaeax,dwordptr[esp]
:0040254350pusheax
:0040254468E0234000push004023E0
:0040254951pushecx
*PossibleReferencetoDialog:DialogID_0069
|
:0040254A6A69push00000069
:0040254C52pushedx
*ReferenceTo:USER32.DialogBoxParamA,Ord:0093h
|
:0040254DFF15C4914000Calldwordptr[004091C4]//成功信息。
:00402553A140F84000moveax,dwordptr[0040F840]
:0040255883C440addesp,00000040
:0040255BC3ret
============================================================
下面分析:00402503处的函数:
:100010A083EC20subesp,00000020
:100010A333C0xoreax,eax
:100010A5B908000000movecx,00000008
:100010AA53pushebx
:100010AB56pushesi
:100010AC57pushedi
:100010AD8D7C240Cleaedi,dwordptr[esp+0C]
:100010B1F3repz
:100010B2ABstosd
:100010B38B442430moveax,dwordptr[esp+30]
:100010B733FFxoredi,edi
:100010B950pusheax
:100010BAE8E1010000call100012A0//用户名变换后,把用户名每4位累加起来。
:100010BF89442410movdwordptr[esp+10],eax
:100010C383C404addesp,00000004
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:100010E9(C)
|
:100010C68D743C0Cleaesi,dwordptr[esp+edi+0C]//变换后的用户名地址送ESI。
:100010CA0FBE06movsxeax,byteptr[esi]//逐位取出送EAX。
:100010CD83F841cmpeax,00000041
:100010D07C08jl100010DA
:100010D283F85Acmpeax,0000005A
:100010D57F03jg100010DA
:100010D783C020addeax,00000020
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:
|:100010D0(C),:100010D5(C)
|
:100010DA50pusheax
:100010DB47incedi
:100010DCE88F040000call10001570//对变换后的用户名进一步变换。
:100010E183C404addesp,00000004
:100010E48806movbyteptr[esi],al
:100010E683FF04cmpedi,00000004
:100010E97CDBjl100010C6
:100010EB33C9xorecx,ecx
:100010ED8B742434movesi,dwordptr[esp+34]

*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:10001113(C)
|
:100010F10FBE040Emovsxeax,byteptr[esi+ecx]
:100010F583F841cmpeax,00000041
:100010F87C08jl10001102
:100010FA83F85Acmpeax,0000005A
:100010FD7F03jg10001102
:100010FF83C020addeax,00000020
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:
|:100010F8(C),:100010FD(C)
|
:100011020FBE540C0Cmovsxedx,byteptr[esp+ecx+0C]//第一段真码字符依次送EDX。
:100011073BD0cmpedx,eax//比较
:100011090F8540010000jne1000124F
:1000110F41incecx
:1000111083F904cmpecx,00000004
:100011137CDCjl100010F1//未完则继续。
:100011158B44240Cmoveax,dwordptr[esp+0C]//EAX=第一段注册码
:100011198D0C80leaecx,dwordptr[eax+4*eax]//ECX=5*EAX
:1000111C8D0489leaeax,dwordptr[ecx+4*ecx]//EAX=5*ECX
:1000111F8B4C240Cmovecx,dwordptr[esp+0C]//ECX=第一段注册码。
:100011238BD1movedx,ecx
:1000112533DBxorebx,ebx
:10001127C1E105shlecx,05//ECX左移5次
:1000112A03CAaddecx,edx//ECX=ECX+EDX
:1000112C33C1xoreax,ecx//EAX=EAX与ECX异或。
:1000112E89442410movdwordptr[esp+10],eax//保存结果。
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:10001155(C)
|
:100011328D7C1C10leaedi,dwordptr[esp+ebx+10]//下面把得到的第二段注册码变换为1-9或者a-z之间的字符。
:100011368A07moval,byteptr[edi]
:1000113850pusheax
:1000113953pushebx
:1000113A43incebx
:1000113BE840010000call10001280//变换函数。
:1000114083C408addesp,00000008
:1000114333C9xorecx,ecx
:100011458AC8movcl,al
:1000114751pushecx
:10001148E823040000call10001570//变换函数
:1000114D83C404addesp,00000004
:100011508807movbyteptr[edi],al
:1000115283FB04cmpebx,00000004
:100011557CDBjl10001132
:1000115733C9xorecx,ecx
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:1000117C(C)
|
:100011590FBE440E05movsxeax,byteptr[esi+ecx+05]//取假码。
:1000115E83F841cmpeax,00000041
:100011617C08jl1000116B
:1000116383F85Acmpeax,0000005A
:100011667F03jg1000116B
:1000116883C020addeax,00000020
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:
|:10001161(C),:10001166(C)
|
:1000116B0FBE540C10movsxedx,byteptr[esp+ecx+10]//取真码。
:100011703BD0cmpedx,eax//比较。
:100011720F85E2000000jne1000125A
:1000117841incecx
:1000117983F904cmpecx,00000004
:1000117C7CDBjl10001159//循环。
:1000117E8B442410moveax,dwordptr[esp+10]//EAX=第二段注册码。
:100011828B4C240Cmovecx,dwordptr[esp+0C]//ECX=第一段注册码
:100011863344240Cxoreax,dwordptr[esp+0C]//EAX与第一段注册码异或
:1000118A8BD1movedx,ecx
:1000118C0FAF44240Cimuleax,dwordptr[esp+0C]//EAX=EAX*第一段注册码
:1000119103442410addeax,dwordptr[esp+10]//EAX=EAX+第二段注册码。
:100011958D0C49leaecx,dwordptr[ecx+2*ecx]//ECX=3*ECX
:10001198C1E103shlecx,03//ECX左移3次。
:1000119B33DBxorebx,ebx
:1000119D2BCAsubecx,edx//ECX减去EDX,结果送ECX。
:1000119F33C1xoreax,ecx//EAX与ECX异或,送EAX。
:100011A189442414movdwordptr[esp+14],eax//结果保存。
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:100011BB(C)
|
:100011A58D7C1C14leaedi,dwordptr[esp+ebx+14]//下面对得到第三段进行变换。
:100011A943incebx
:100011AA0FBE07movsxeax,byteptr[edi]
:100011AD50pusheax
:100011AEE8BD030000call10001570//变换函数。
:100011B383C404addesp,00000004
:100011B68807movbyteptr[edi],al
:100011B883FB04cmpebx,00000004
:100011BB7CE8jl100011A5
:100011BD33C9xorecx,ecx
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:100011E2(C)
|
:100011BF0FBE440E0Amovsxeax,byteptr[esi+ecx+0A]//取假码
:100011C483F841cmpeax,00000041
:100011C77C08jl100011D1
:100011C983F85Acmpeax,0000005A
:100011CC7F03jg100011D1
:100011CE83C020addeax,00000020
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:
|:100011C7(C),:100011CC(C)
|
:100011D10FBE540C14movsxedx,byteptr[esp+ecx+14]//取真码
:100011D63BD0cmpedx,eax//比较。
:100011D80F8587000000jne10001265
:100011DE41incecx
:100011DF83F904cmpecx,00000004
:100011E27CDBjl100011BF//未完继续。
:100011E48B4C2410movecx,dwordptr[esp+10]//ECX=第二段注册码。
:100011E88B442414moveax,dwordptr[esp+14]//EAX=第三段注册码。
:100011EC41incecx//ECX加1。
:100011ED0FAF4C240Cimulecx,dwordptr[esp+0C]//ECX=ECX*第一段注册码
:100011F233FFxoredi,edi
:100011F48D1489leaedx,dwordptr[ecx+4*ecx]//EDX=5*ECX。
:100011F78D0C91leaecx,dwordptr[ecx+4*edx]//ECX=4*EDX+ECX。
:100011FA8D1440leaedx,dwordptr[eax+2*eax]//EDX=3*EAX。
:100011FD8D1CD2leaebx,dwordptr[edx+8*edx]//EBX=9*EDX
:1000120003CBaddecx,ebx//ECX=ECX+EBX。
:10001202894C2418movdwordptr[esp+18],ecx//保存结果。
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:1000121C(C)
|
:100012068D5C3C18leaebx,dwordptr[esp+edi+18]//下面对得到的第四段进行变换。
:1000120A47incedi
:1000120B0FBE03movsxeax,byteptr[ebx]
:1000120E50pusheax
:1000120FE85C030000call10001570//变换函数
:1000121483C404addesp,00000004
:100012178803movbyteptr[ebx],al
:1000121983FF04cmpedi,00000004
:1000121C7CE8jl10001206//未完继续。
:1000121E33C9xorecx,ecx
*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:
|:1000123F(C)
|
:100012200FBE440E0Fmovsxeax,byteptr[esi+ecx+0F]//取假码。
:1000122583F841cmpeax,00000041
:100012287C08jl10001232
:1000122A83F85Acmpeax,0000005A
:1000122D7F03jg10001232
:1000122F83C020addeax,00000020

*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:
|:10001228(C),:1000122D(C)
|
:100012320FBE540C18movsxedx,byteptr[esp+ecx+18]//取真码。
:100012373BD0cmpedx,eax//比较。
:100012397535jne10001270
:1000123B41incecx
:1000123C83F904cmpecx,00000004
:1000123F7CDFjl10001220//未完则继续。
:10001241B801000000moveax,00000001//如果正确则EAX=1。
:100012465Fpopedi
:100012475Epopesi
:100012485Bpopebx
:1000124983C420addesp,00000020
:1000124CC20800ret0008
============================================================
后记:大部分的豪杰软件都是一个模式下来的,所以相对比较简单。为了节省篇幅,把里面的几个函数内容分析略掉,请参考其他豪杰破文即可。感谢您的阅读!


结论:
用户名:wanggang
注册码:7zq3-59m4-rha2-7155
