
[Repost] Open Video Converter 3.0.1 registration algorithm analysis + C keygen


Source: N.C.P.H

【Software description】:

Open Video Converter is an easy-to-use tool for video conversion, splitting and editing. It can convert many video formats such as MPG, AVI, ASF, WMV to AVI file. The video converter changes the frame size, frame rate, video compression codec and audio compression codec. The key features include: Convert MPEG to AVI, WMV to AVI, ASF to AVI, MPG to AVI, VCD to AVI, OGM to AVI, DAT to AVI, SVCD to AVI, etc. Encode AVI with DIVX, XVID, etc. Split video file into smaller piece. Change the frame size, and adjust the video aspect ratio. Change clip file size with choosing the different encoding bitrate. Change video and audio compression codec for avi file. Open compression system for video and audio.

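【Protection】: registration code + startup nag screen + feature restrictions

【Compiler】: Microsoft Visual C++ 7.0

【Debugging environment】: WinXP, PEiD, Ollydbg

【Crack date】: 2005-11-20

【Purpose】: studying the registration algorithm

【Author's statement】: I am new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!

—————————————————————————————————
【Cracking process】:

Detection: PEiD reports no packer; the program was compiled with Microsoft Visual C++ 7.0.

Probing: run the main program, open the registration dialog, enter a trial code and confirm. The program reports: "Registration failed!"

Treatment: load the main program in Ollydbg and use the string-search plugin to find the message "Registration failed!". Double-click it to land at 00424C55, scroll up to 00424980 and set a breakpoint there, press F9 to run, and enter the trial data: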

************ Trial data *************

User Name: KuNgBiM

Registration Code: 9876543210

***********************************

00424980 55 push ebp ; set an F2 breakpoint here, then press F9 to run
00424981 8BEC mov ebp,esp
00424983 83EC 20 sub esp,20
00424986 894D E0 mov dword ptr ss:[ebp-20],ecx
00424989 6A 01 push 1
0042498B 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0042498E E8 CA230200 call VideoCon.00446D5D
00424993 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424996 83C1 70 add ecx,70
00424999 E8 B270FEFF call VideoCon.0040BA50
0042499E 83F8 02 cmp eax,2 ; user name must be at least 2 characters
004249A1 7D 13 jge short VideoCon.004249B6
004249A3 6A 00 push 0
004249A5 6A 00 push 0
004249A7 68 2C034600 push VideoCon.0046032C ; please input correct user name!
004249AC E8 BEC10200 call VideoCon.00450B6F
004249B1 E9 A9020000 jmp VideoCon.00424C5F
004249B6 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249B9 83C1 74 add ecx,74
004249BC E8 8F70FEFF call VideoCon.0040BA50
004249C1 83F8 08 cmp eax,8 ; registration code must be at least 8 characters
004249C4 7D 13 jge short VideoCon.004249D9
004249C6 6A 00 push 0
004249C8 6A 00 push 0
004249CA 68 4C034600 push VideoCon.0046034C ; please input correct registration code!
004249CF E8 9BC10200 call VideoCon.00450B6F
004249D4 E9 86020000 jmp VideoCon.00424C5F
004249D9 6A 00 push 0
004249DB 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249DE 83C1 70 add ecx,70
004249E1 E8 AAF5FFFF call VideoCon.00423F90
004249E6 8845 EF mov byte ptr ss:[ebp-11],al
004249E9 6A 01 push 1
004249EB 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249EE 83C1 70 add ecx,70
004249F1 E8 9AF5FFFF call VideoCon.00423F90
004249F6 8845 F8 mov byte ptr ss:[ebp-8],al
004249F9 6A 00 push 0
004249FB 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249FE 83C1 70 add ecx,70
00424A01 E8 8AF5FFFF call VideoCon.00423F90
00424A06 8845 FF mov byte ptr ss:[ebp-1],al
00424A09 6A 01 push 1
00424A0B 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424A0E 83C1 70 add ecx,70
00424A11 E8 7AF5FFFF call VideoCon.00423F90
00424A16 8845 FA mov byte ptr ss:[ebp-6],al
00424A19 0FB645 EF movzx eax,byte ptr ss:[ebp-11] ; first character (K) into EAX
00424A1D 83C8 41 or eax,41 ; EAX = EAX or 0x41
00424A20 8845 EF mov byte ptr ss:[ebp-11],al ; save the result of the first OR
00424A23 0FB64D F8 movzx ecx,byte ptr ss:[ebp-8] ; second character (u) into ECX
00424A27 83C9 56 or ecx,56 ; ECX = ECX or 0x56
00424A2A 884D F8 mov byte ptr ss:[ebp-8],cl ; save the result of the second OR
00424A2D 0FB655 FF movzx edx,byte ptr ss:[ebp-1] ; first character (K) again, into EDX
00424A31 83CA 49 or edx,49 ; EDX = EDX or 0x49
00424A34 8855 FF mov byte ptr ss:[ebp-1],dl ; save the result of the third OR
00424A37 0FB645 FA movzx eax,byte ptr ss:[ebp-6] ; second character (u) again, into EAX
00424A3B 83C8 43 or eax,43 ; EAX = EAX or 0x43
00424A3E 8845 FA mov byte ptr ss:[ebp-6],al ; save the result of the fourth OR
00424A41 0FB645 EF movzx eax,byte ptr ss:[ebp-11] ; load the first OR result into EAX
00424A45 99 cdq
00424A46 B9 0A000000 mov ecx,0A
00424A4B F7F9 idiv ecx ; divide by ECX (0x0A); the remainder in EDX is 5
00424A4D 8855 EF mov byte ptr ss:[ebp-11],dl
00424A50 0FB645 F8 movzx eax,byte ptr ss:[ebp-8] ; load the second OR result into EAX
00424A54 99 cdq
00424A55 B9 0A000000 mov ecx,0A
00424A5A F7F9 idiv ecx ; divide by ECX (0x0A); the remainder in EDX is 9
00424A5C 8855 F8 mov byte ptr ss:[ebp-8],dl
00424A5F 0FB645 FF movzx eax,byte ptr ss:[ebp-1] ; load the third OR result into EAX
00424A63 99 cdq
00424A64 B9 0A000000 mov ecx,0A
00424A69 F7F9 idiv ecx ; divide by ECX (0x0A); the remainder in EDX is 5
00424A6B 8855 FF mov byte ptr ss:[ebp-1],dl
00424A6E 0FB645 FA movzx eax,byte ptr ss:[ebp-6] ; load the fourth OR result into EAX
00424A72 99 cdq
00424A73 B9 0A000000 mov ecx,0A
00424A78 F7F9 idiv ecx ; divide by ECX (0x0A); the remainder in EDX is 9
00424A7A 8855 FA mov byte ptr ss:[ebp-6],dl
00424A7D C745 F0 0000000>mov dword ptr ss:[ebp-10],0
00424A84 C745 E8 0000000>mov dword ptr ss:[ebp-18],0
00424A8B EB 09 jmp short VideoCon.00424A96
00424A8D 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00424A90 83C2 01 add edx,1
00424A93 8955 E8 mov dword ptr ss:[ebp-18],edx
00424A96 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424A99 83C1 70 add ecx,70
00424A9C E8 AF6FFEFF call VideoCon.0040BA50
00424AA1 3945 E8 cmp dword ptr ss:[ebp-18],eax
00424AA4 7D 1E jge short VideoCon.00424AC4
00424AA6 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00424AA9 50 push eax
00424AAA 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AAD 83C1 70 add ecx,70
00424AB0 E8 DBF4FFFF call VideoCon.00423F90
00424AB5 8845 E7 mov byte ptr ss:[ebp-19],al
00424AB8 0FB64D E7 movzx ecx,byte ptr ss:[ebp-19]
00424ABC 034D F0 add ecx,dword ptr ss:[ebp-10]
00424ABF 894D F0 mov dword ptr ss:[ebp-10],ecx
00424AC2 ^ EB C9 jmp short VideoCon.00424A8D
00424AC4 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; sum of the ASCII values of the user name (KuNgBiM --> EAX=0x26D)
00424AC7 99 cdq
00424AC8 B9 0A000000 mov ecx,0A
00424ACD F7F9 idiv ecx ; divide by ECX (0x0A); the remainder in EDX is 1 (0x26D = 621)
00424ACF 8855 F4 mov byte ptr ss:[ebp-C],dl
00424AD2 6A 00 push 0
00424AD4 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AD7 83C1 74 add ecx,74
00424ADA E8 B1F4FFFF call VideoCon.00423F90
00424ADF 8845 FC mov byte ptr ss:[ebp-4],al ; 1st character of the trial code, al=39 ('9')
00424AE2 6A 01 push 1
00424AE4 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AE7 83C1 74 add ecx,74
00424AEA E8 A1F4FFFF call VideoCon.00423F90
00424AEF 8845 FD mov byte ptr ss:[ebp-3],al ; 2nd character of the trial code, al=38 ('8')
00424AF2 6A 02 push 2
00424AF4 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AF7 83C1 74 add ecx,74
00424AFA E8 91F4FFFF call VideoCon.00423F90
00424AFF 8845 F6 mov byte ptr ss:[ebp-A],al ; 3rd character of the trial code, al=37 ('7')
00424B02 6A 03 push 3
00424B04 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B07 83C1 74 add ecx,74
00424B0A E8 81F4FFFF call VideoCon.00423F90
00424B0F 8845 F5 mov byte ptr ss:[ebp-B],al ; 4th character of the trial code, al=36 ('6')
00424B12 6A 04 push 4
00424B14 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B17 83C1 74 add ecx,74
00424B1A E8 71F4FFFF call VideoCon.00423F90
00424B1F 8845 F9 mov byte ptr ss:[ebp-7],al ; 5th character of the trial code, al=35 ('5')
00424B22 6A 05 push 5
00424B24 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B27 83C1 74 add ecx,74
00424B2A E8 61F4FFFF call VideoCon.00423F90
00424B2F 8845 F7 mov byte ptr ss:[ebp-9],al ; 6th character of the trial code, al=34 ('4')
00424B32 6A 06 push 6
00424B34 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B37 83C1 74 add ecx,74
00424B3A E8 51F4FFFF call VideoCon.00423F90
00424B3F 8845 FE mov byte ptr ss:[ebp-2],al ; 7th character of the trial code, al=33 ('3')
00424B42 6A 07 push 7
00424B44 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B47 83C1 74 add ecx,74
00424B4A E8 41F4FFFF call VideoCon.00423F90
00424B4F 8845 FB mov byte ptr ss:[ebp-5],al ; last (8th) character of the trial code, al=32 ('2')
00424B52 0FB655 EF movzx edx,byte ptr ss:[ebp-11] ; (the following checks whether the first four digits of the code are 5, 9, 5, 9)
00424B56 0FB645 FC movzx eax,byte ptr ss:[ebp-4]
00424B5A 83E8 30 sub eax,30
00424B5D 3BD0 cmp edx,eax
00424B5F 75 3C jnz short VideoCon.00424B9D ; if the first digit is not "5", jump to failure ★Patch point A★
00424B61 0FB64D F8 movzx ecx,byte ptr ss:[ebp-8]
00424B65 0FB655 FD movzx edx,byte ptr ss:[ebp-3]
00424B69 83EA 30 sub edx,30
00424B6C 3BCA cmp ecx,edx
00424B6E 75 2D jnz short VideoCon.00424B9D ; if the second digit is not "9", jump to failure ★Patch point B★
00424B70 0FB645 FF movzx eax,byte ptr ss:[ebp-1]
00424B74 0FB64D F6 movzx ecx,byte ptr ss:[ebp-A]
00424B78 83E9 30 sub ecx,30
00424B7B 3BC1 cmp eax,ecx
00424B7D 75 1E jnz short VideoCon.00424B9D ; if the third digit is not "5", jump to failure ★Patch point C★
00424B7F 0FB655 FA movzx edx,byte ptr ss:[ebp-6]
00424B83 0FB645 F5 movzx eax,byte ptr ss:[ebp-B]
00424B87 83E8 30 sub eax,30
00424B8A 3BD0 cmp edx,eax
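00424B8C 75 0F jnz short VideoCon.00424B9D ; if the fourth digit is not "9", jump to failure ★Patch point D★
00424B8E 0FB64D F4 movzx ecx,byte ptr ss:[ebp-C] ; check whether the fifth digit of the trial code equals the remainder 1; if not, it fails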
00424B92 0FB655 F9 movzx edx,byte ptr ss:[ebp-7]
00424B96 83EA 30 sub edx,30
00424B99 3BCA cmp ecx,edx
00424B9B 74 58 je short VideoCon.00424BF5 ; jump to success ★Patch point E★
00424B9D 0FB645 FC movzx eax,byte ptr ss:[ebp-4]
00424BA1 83F8 35 cmp eax,35
00424BA4 0F85 A7000000 jnz VideoCon.00424C51
00424BAA 0FB64D FD movzx ecx,byte ptr ss:[ebp-3]
00424BAE 83F9 31 cmp ecx,31
00424BB1 0F85 9A000000 jnz VideoCon.00424C51
00424BB7 0FB655 F6 movzx edx,byte ptr ss:[ebp-A]
00424BBB 83FA 38 cmp edx,38
00424BBE 0F85 8D000000 jnz VideoCon.00424C51
00424BC4 0FB645 F5 movzx eax,byte ptr ss:[ebp-B]
00424BC8 83F8 39 cmp eax,39
00424BCB 0F85 80000000 jnz VideoCon.00424C51
00424BD1 0FB64D F9 movzx ecx,byte ptr ss:[ebp-7]
00424BD5 83F9 37 cmp ecx,37
00424BD8 75 77 jnz short VideoCon.00424C51
00424BDA 0FB655 F7 movzx edx,byte ptr ss:[ebp-9]
00424BDE 83FA 36 cmp edx,36
00424BE1 75 6E jnz short VideoCon.00424C51
00424BE3 0FB645 FE movzx eax,byte ptr ss:[ebp-2]
00424BE7 83F8 32 cmp eax,32
00424BEA 75 65 jnz short VideoCon.00424C51
00424BEC 0FB64D FB movzx ecx,byte ptr ss:[ebp-5]
00424BF0 83F9 39 cmp ecx,39
00424BF3 75 5C jnz short VideoCon.00424C51
00424BF5 6A 00 push 0 ; registration succeeded
00424BF7 6A 00 push 0
00424BF9 68 74034600 push VideoCon.00460374 ; registration has succeeded!
00424BFE E8 6CBF0200 call VideoCon.00450B6F
00424C03 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424C06 83C1 70 add ecx,70
00424C09 E8 62F4FFFF call VideoCon.00424070
00424C0E 50 push eax ; user name is written to the registry
00424C0F 68 90034600 push VideoCon.00460390 ; username
00424C14 68 9C034600 push VideoCon.0046039C ; option
00424C19 E8 A295FEFF call VideoCon.0040E1C0
00424C1E 8BC8 mov ecx,eax
00424C20 E8 AABC0200 call VideoCon.004508CF
00424C25 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424C28 83C1 74 add ecx,74
00424C2B E8 40F4FFFF call VideoCon.00424070
00424C30 50 push eax ; registration code is written to the registry
00424C31 68 A4034600 push VideoCon.004603A4 ; registration_code
00424C36 68 B8034600 push VideoCon.004603B8 ; option
00424C3B E8 8095FEFF call VideoCon.0040E1C0
00424C40 8BC8 mov ecx,eax
00424C42 E8 88BC0200 call VideoCon.004508CF
00424C47 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424C4A E8 87620200 call VideoCon.0044AED6
00424C4F EB 0E jmp short VideoCon.00424C5F
00424C51 6A 00 push 0 ; registration failed
00424C53 6A 00 push 0
00424C55 68 C0034600 push VideoCon.004603C0 ; registration failed!
00424C5A E8 10BF0200 call VideoCon.00450B6F
00424C5F 8BE5 mov esp,ebp
00424C61 5D pop ebp
00424C62 C3 retn
........

-------------------------------------------------------------------------------------------
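【Algorithm summary】

The registration check is very simple:

1. The registration code depends on the user name, which must be at least 2 characters long.
2. The registration code must be at least 8 characters long.
3. Of those 8 characters only the first 5 matter; the remaining N characters take no part in the calculation.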
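
The name-derived comparison at 00424B52-00424B9B, rewritten as a C predicate to show how little of the input it binds: characters after the fifth are ignored, and different names can share a code. This is an added example, not code from the original post; the function names and the sample name "KuO" are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One expected digit: (name byte OR constant) mod 10, as in the listing. */
static int or_mod10(unsigned char c, int mask) { return (c | mask) % 10; }

/* Hypothetical name. Mirrors the two length checks and the five digit
   comparisons of the routine; true when that comparison would pass. */
bool name_check_passes(const char *name, const char *code)
{
    size_t n = strlen(name), i;
    unsigned sum = 0;
    int want[5];

    if (n < 2 || strlen(code) < 8)      /* cmp eax,2 and cmp eax,8 */
        return false;

    for (i = 0; i < n; i++)             /* byte sum over the whole name */
        sum += (unsigned char)name[i];

    want[0] = or_mod10((unsigned char)name[0], 0x41);
    want[1] = or_mod10((unsigned char)name[1], 0x56);
    want[2] = or_mod10((unsigned char)name[0], 0x49);
    want[3] = or_mod10((unsigned char)name[1], 0x43);
    want[4] = (int)(sum % 10);

    for (i = 0; i < 5; i++)             /* code[5] onward is never compared */
        if (code[i] - '0' != want[i])
            return false;
    return true;
}

int main(void)
{
    /* Values from the post, plus a constructed name ("KuO") that shares
       the first two characters and the same byte sum modulo 10. */
    printf("post's pair:        %d\n", name_check_passes("KuNgBiM", "59591888"));
    printf("trial code:         %d\n", name_check_passes("KuNgBiM", "9876543210"));
    printf("different tail:     %d\n", name_check_passes("KuNgBiM", "59591000"));
    printf("different name KuO: %d\n", name_check_passes("KuO", "59591888"));
    return 0;
}
```

Every value the check needs is computed from the user name inside the client, so the verifier holds no secret and the binding between name and code is only five decimal digits wide.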

【Perfect patch points】

★Patch point A★ ; nop it out
★Patch point B★ ; nop it out
★Patch point C★ ; nop it out
★Patch point D★ ; nop it out

★Patch point E★ ; change to jmp


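【Keygen source code】

#include <stdio.h>
#include <string.h>

int main(void)
{
    int i, n, n1, n2, n3, n4, n5 = 0;
    char name[255] = {0};

    printf("////////////////////////////////////////////////////\n");
    printf("// Open Video Converter 3.0.1 - Keygen //\n");
    printf("// //\n");
    printf("// Author: KuNgBiM[DFCG] //\n");
    printf("// //\n");
    printf("// E-mail: kungbim@163.com //\n");
    printf("// //\n");
    printf("// OS : WinXP, PEiD, Ollydbg, Turbo C //\n");
    printf("// //\n");
    printf("// Date : 2005-07-04 //\n");
    printf("////////////////////////////////////////////////////\n\n");
    printf("Please Input User Name[User Name>= 2]: ");

    /* Bounded read; name already decays to a pointer, so no '&'. */
    if (scanf("%254s", name) != 1)
        return 1;

    n = (int)strlen(name);
    if (n < 2)          /* the program rejects shorter user names */
        return 1;

    /* Fifth digit: sum of all bytes of the name, mod 10. */
    for (i = 0; i < n; i++)
        n5 += (unsigned char)name[i];
    n5 %= 0xA;

    /* Digits 1-4: first and second character OR-ed with constants, mod 10. */
    n1 = (unsigned char)name[0] | 0x41;
    n1 %= 0xA;

    n2 = (unsigned char)name[1] | 0x56;
    n2 %= 0xA;

    n3 = (unsigned char)name[0] | 0x49;
    n3 %= 0xA;

    n4 = (unsigned char)name[1] | 0x43;
    n4 %= 0xA;

    /* The trailing "888" is padding up to the 8-character minimum. */
    printf("\nYour Registration Code is : %d%d%d%d%d888\n", n1, n2, n3, n4, n5);

    return 0;
}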

============================================================================================

【Registration information】:

User Name: KuNgBiM

Registration Code: 59591888