好友
阅读权限20
听众
最后登录1970-1-1
|
Open Video Capture 1.24.553算法分析
【使用工具】 OD
【破解平台】 XP
【软件名称】 Open Video Capture 1.24.553
【下载地址】 http://www.onlinedown.net/soft/46986.htm
【破解声明】 我是一只小菜鸟,写的不好,请大家原谅
因有错误提示,直接查找字符串,来到关键算法的地方.
00402BD0 > \0FB60D B02042>MOVZX ECX,BYTE PTR DS:[4220B0] ;ECX=用户名第一位的Ascii
00402BD7 .8BC1MOV EAX,ECX;把ECX的值送到EAX
00402BD9 .83C8 57 OR EAX,57;EAX与57进行或运算
00402BDC .99CDQ
00402BDD .BE 0A000000 MOV ESI,0A ; ESI=A
00402BE2 .F7FEIDIV ESI ;EAX与A进行带符号的除法运算
00402BE4 .0FB635 B12042>MOVZX ESI,BYTE PTR DS:[4220B1] ;ESI=用户名第二位的Ascii
00402BEB .8BC6MOV EAX,ESI;把ESI的值送给EAX
00402BED .83C8 45 OR EAX,45;EAX与45进行或运算
00402BF0 .BF 0A000000 MOV EDI,0A ;把OA送到EDI
00402BF5 .33EDXOR EBP,EBP;EBP清零
00402BF7 .885424 20 MOV BYTE PTR SS:[ESP+20],DL; dl=09,送ESP+20
00402BFB .99CDQ
00402BFC .F7FFIDIV EDI ;EAX与EDI进行带符号的除法运算
00402BFE .8BC1MOV EAX,ECX;用户名第一位的Ascii转换成16进制送到EAX
00402C00 .83C8 42 OR EAX,42;EAX=EAX OR 42
00402C03 .8BCFMOV ECX,EDI;EDI=用户名第2位Ascii转16进制送入ECX
00402C05 .885424 24 MOV BYTE PTR SS:[ESP+24],DL;DL=01,送ESP+24
00402C09 .99CDQ
00402C0A .F7F9IDIV ECX ;EAX与A进行带符号的除法运算
00402C0C .8BC6MOV EAX,ESI;ESI=用户名第二位的Ascii送入EAX
00402C0E .83C8 43 OR EAX,43;EAX=EAX OR 43
00402C11 .885424 12 MOV BYTE PTR SS:[ESP+12],DL;DL=04,送到ESP+12
00402C15 .99CDQ
00402C16 .F7F9IDIV ECX ;EAX与A进行带符号的除法运算
00402C18 .B9 B0204200 MOV ECX,openvcap.004220B0;把用户名的值放到ECX
00402C1D .33F6XOR ESI,ESI;ESI清0
00402C1F .8D79 01 LEA EDI,DWORD PTR DS:[ECX+1]
00402C22 .885424 13 MOV BYTE PTR SS:[ESP+13],DL;DL=03ESP+13
00402C26 >8A01MOV AL,BYTE PTR DS:[ECX] ;注册名逐位ascii码送al
00402C28 .41INC ECX
00402C29 .84C0TEST AL,AL
00402C2B .^ 75 F9 JNZ SHORT openvcap.00402C26
00402C2D .2BCFSUB ECX,EDI
00402C2F .894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
00402C33 .74 2A JE SHORT openvcap.00402C5F
00402C35 .EB 09 JMP SHORT openvcap.00402C40
00402C37 .8DA424 000000>LEA ESP,DWORD PTR SS:[ESP]
00402C3E .8BFFMOV EDI,EDI
00402C40 >0FB696 B02042>MOVZX EDX,BYTE PTR DS:[ESI+4220B0]
00402C47 .B9 B0204200 MOV ECX,openvcap.004220B0
00402C4C .03EAADD EBP,EDX
00402C4E .46INC ESI
00402C4F .8D79 01 LEA EDI,DWORD PTR DS:[ECX+1]
00402C52 >8A01MOV AL,BYTE PTR DS:[ECX] ;注册名逐位ascii码送al,进入循环
00402C54 .41INC ECX
00402C55 .84C0TEST AL,AL
00402C57 .^ 75 F9 JNZ SHORT openvcap.00402C52
00402C59 .2BCFSUB ECX,EDI
00402C5B .3BF1CMP ESI,ECX
00402C5D .^ 72 E1 JB SHORT openvcap.00402C40
00402C5F >8A0D 28274200 MOV CL,BYTE PTR DS:[422728];注册码的第1位给CL
00402C65 .0FB67C24 20 MOVZX EDI,BYTE PTR SS:[ESP+20]
00402C6A .8A1D 29274200 MOV BL,BYTE PTR DS:[422729];注册码的第2位给bl
00402C70 .A0 2A274200 MOV AL,BYTE PTR DS:[42272A];注册码的第3位给al
00402C75 .8A15 2B274200 MOV DL,BYTE PTR DS:[42272B];注册码的第4位给dl
00402C7B .0FB6F1MOVZX ESI,CL ;ESI=31
00402C7E .83EE 30 SUB ESI,30 ;ESI-30
00402C81 .3BFECMP EDI,ESI;EDI=9和ESI=1比较,即第一位必须是9
00402C83 .75 48 JNZ SHORT openvcap.00402CCD;不相等就OVER
00402C85 .0FB67C24 24 MOVZX EDI,BYTE PTR SS:[ESP+24]
00402C8A .0FB6F3MOVZX ESI,BL
00402C8D .83EE 30 SUB ESI,30
00402C90 .3BFECMP EDI,ESI;EDI=1和ESI=2比较,即第二位必须是1
00402C92 .75 39 JNZ SHORT openvcap.00402CCD;不相等就OVER
00402C94 .0FB67424 12 MOVZX ESI,BYTE PTR SS:[ESP+12]
00402C99 .0FB6C0MOVZX EAX,AL
00402C9C .83E8 30 SUB EAX,30
00402C9F .3BF0CMP ESI,EAX;EAX=3和ESI=4比较,即第三位必须是4
00402CA1 .75 2A JNZ SHORT openvcap.00402CCD;不相等就OVER
00402CA3 .0FB64424 13 MOVZX EAX,BYTE PTR SS:[ESP+13]
00402CA8 .0FB6D2MOVZX EDX,DL
00402CAB .83EA 30 SUB EDX,30
00402CAE .3BC2CMP EAX,EDX;EAX=3和EDX=4比较,即第四位必须是3
00402CB0 .75 1B JNZ SHORT openvcap.00402CCD;不相等就OVER
00402CB2 .8BC5MOV EAX,EBP
00402CB4 .99CDQ
00402CB5 .BE 0A000000 MOV ESI,0A ;ESI=4
00402CBA .F7FEIDIV ESI;EAX=354与A 进行带符号 的除法运算
00402CBC .0FB605 2C2742>MOVZX EAX,BYTE PTR DS:[42272C] ;把35放入EAX
00402CC3 .83E8 30 SUB EAX,30 ;EAX-30
00402CC6 .0FB6D2MOVZX EDX,DL
00402CC9 .3BD0CMP EDX,EAX ; EDX和EAX比较第五位必须为2
00402CCB .74 4B JE SHORT openvcap.00402D18 ;跳向光明之颠
00402CCD >80F9 32 CMP CL,32
00402CD0 .0F85 99000000 JNZ openvcap.00402D6F;不相等就OVER
00402CD6 .80FB 33 CMP BL,33
00402CD9 .0F85 90000000 JNZ openvcap.00402D6F;不相等就OVER
00402CDF .803D 2A274200>CMP BYTE PTR DS:[42272A],39
00402CE6 .0F85 83000000 JNZ openvcap.00402D6F;不相等就OVER
00402CEC .803D 2B274200>CMP BYTE PTR DS:[42272B],31
00402CF3 .75 7A JNZ SHORT openvcap.00402D6F;不相等就OVER
00402CF5 .381D 2C274200 CMP BYTE PTR DS:[42272C],BL
00402CFB .75 72 JNZ SHORT openvcap.00402D6F;不相等就OVER
00402CFD .803D 2D274200>CMP BYTE PTR DS:[42272D],31
00402D04 .75 69 JNZ SHORT openvcap.00402D6F;不相等就OVER
00402D06 .803D 2E274200>CMP BYTE PTR DS:[42272E],34
00402D0D .75 60 JNZ SHORT openvcap.00402D6F;不相等就OVER
00402D0F .803D 2F274200>CMP BYTE PTR DS:[42272F],36
00402D16 .75 57 JNZ SHORT openvcap.00402D6F;不相等就OVER
00402D18 >8B7C24 1C MOV EDI,DWORD PTR SS:[ESP+1C]
00402D1C .6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00402D1E .68 60C74100 PUSH openvcap.0041C760 ; |Message
00402D23 .68 44C74100 PUSH openvcap.0041C744 ; |Registration has succeeded!
00402D28 .57PUSH EDI ; |hOwner
00402D29 .FF15 68C24100 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \光明之颠
00402D2F .8B35 A0C04100 MOV ESI,DWORD PTR DS:[<&KERNEL32.WritePr>;kernel32.WriteProfileStringA
00402D35 .68 B0204200 PUSH openvcap.004220B0 ; /String = ""
00402D3A .68 38C74100 PUSH openvcap.0041C738 ; |username
00402D3F .68 ECC64100 PUSH openvcap.0041C6EC ; |openvideocapture
00402D44 .FFD6CALL ESI ; \WriteProfileStringA
00402D46 .68 28274200 PUSH openvcap.00422728 ; /String = ""
00402D4B .68 24C74100 PUSH openvcap.0041C724 ; |registration_code
00402D50 .68 ECC64100 PUSH openvcap.0041C6EC ; |openvideocapture
00402D55 .FFD6CALL ESI ; \WriteProfileStringA
00402D57 .6A 01 PUSH 1 ; /Result = 1
00402D59 .57PUSH EDI ; |hWnd
00402D5A .FF15 18C34100 CALL DWORD PTR DS:[<&USER32.EndDialog>]; \EndDialog
00402D60 .5FPOP EDI
00402D61 .5EPOP ESI
00402D62 .5DPOP EBP
00402D63 .B8 01000000 MOV EAX,1
00402D68 .5BPOP EBX
00402D69 .83C4 08 ADD ESP,8
00402D6C .C2 1000 RETN 10
用户名:pengpeng
注册码:91642后面的随便但必须是8位以上
分析:
注册名须不小于两位,注册码位数为8位以上,主要思路如下:
1.注册名第一位的ascii码与57做or运算,再与A进行除法运算,余数“7”为注册码第一位;
2.注册名第二位的ascii码与45做or运算,再与A进行除法运算,余数“1”为注册码第二位;
3.注册名第一位的ascii码与42做or运算,再与A进行除法运算,余数“1”为注册码第三位;
4.注册名第二位的ascii码与43做or运算,再与A进行除法运算,余数“9”为注册码第四位;
5.此时ebp=$285(用户名的Ascii),与A进行idiv运算,余数“5”为注册码第五位;
6.第六位以后任意
破解过程我就不写了。大家一看就应该知道改那里。 |
|
发表于 2008-9-25 21:02
发表于 2008-9-25 22:21
|
发表于 2008-9-26 13:21
