Audiotool net Ease DVD Ripper 1.20 算法分析

tianxj 发表于 2009-2-22 19:59

【破文标题】Audiotool net Ease DVD Ripper 1.20 算法分析
【破文作者】tianxj
【作者邮箱】tianxj_2007@126.com
【作者主页】WwW.ChiNaPYG.CoM
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】Audiotool net Ease DVD Ripper 1.20
【软件大小】934 K
【更新时间】2009-02-21
【软件类别】国外软件 / 视频转换
【软件语言】英文
【应用平台】Win9x/WinNT/Win2000/WinXP
【软件性质】共享(收费)软件
【原版下载】http://www.audiotool.net/download/easedvdripper.exe
【保护方式】注册码
【软件简介】功能强大，简单易用的DVD压制工具，将DVD转换为VCD, DivX, MPEG, SVCD, AVI等视频文件，转换快速、图像和声音质量高。
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
**************************************************************
一、运行程序，进行注册，输入错误的注册信息进行检测，有提示信息
"failed register!"
**************************************************************
二、用PEiD对EaseDVDRipper.exe查壳，为 Microsoft Visual C++ 6.0
**************************************************************
三、运行OD，打开EaseDVDRipper.exe，下断点bp MessageBoxA
==============================================================
004125E8 55          push ebp
004125E9 56          push esi
004125EA 57          push edi
004125EB 6A 01       push 1
004125ED 8BF1          mov esi,ecx
004125EF E8 2A5A0000 call <jmp.&MFC42.#6334>
004125F4 8D4C24 14    lea ecx,dword ptr ss:
004125F8 E8 13030000 call EaseDVDR.00412910
004125FD 51          push ecx
004125FE 8DBE 1C010000 lea edi,dword ptr ds:
00412604 8BCC          mov ecx,esp
00412606 896424 10    mov dword ptr ss:,esp
0041260A 57          push edi
0041260B C74424 30 00000>mov dword ptr ss:,0
00412613 E8 02580000 call <jmp.&MFC42.#535>
00412618 51          push ecx
00412619 8DAE 18010000 lea ebp,dword ptr ds:
0041261F 8BCC          mov ecx,esp
00412621 896424 18    mov dword ptr ss:,esp
00412625 55          push ebp
00412626 C64424 34 01 mov byte ptr ss:,1
0041262B E8 EA570000 call <jmp.&MFC42.#535>
00412630 8D4C24 1C    lea ecx,dword ptr ss:
00412634 C64424 30 00 mov byte ptr ss:,0
00412639 E8 42090000 call EaseDVDR.00412F80
0041263E 8D4424 18    lea eax,dword ptr ss:
00412642 8BCD          mov ecx,ebp
00412644 50          push eax
00412645 E8 36550000 call <jmp.&MFC42.#858>
0041264A 8D4C24 1C    lea ecx,dword ptr ss:
0041264E 51          push ecx
0041264F 8BCF          mov ecx,edi
00412651 E8 2A550000 call <jmp.&MFC42.#858>
00412656 51          push ecx
00412657 8BCC          mov ecx,esp
00412659 896424 14    mov dword ptr ss:,esp
0041265D 57          push edi
0041265E E8 B7570000 call <jmp.&MFC42.#535>
00412663 51          push ecx
00412664 C64424 30 02 mov byte ptr ss:,2
00412669 8BCC          mov ecx,esp
0041266B 896424 14    mov dword ptr ss:,esp
0041266F 55          push ebp
00412670 E8 A5570000 call <jmp.&MFC42.#535>
00412675 8D4C24 1C    lea ecx,dword ptr ss:
00412679 C64424 30 00 mov byte ptr ss:,0
0041267E E8 1D050000 call EaseDVDR.00412BA0                ; //关键CALL
00412683 84C0          test al,al
00412685 74 40       je short EaseDVDR.004126C7             ; //关键跳转
00412687 8D4C24 14    lea ecx,dword ptr ss:
0041268B E8 50030000 call EaseDVDR.004129E0
00412690 84C0          test al,al
00412692 75 40       jnz short EaseDVDR.004126D4
00412694 8D4C24 14    lea ecx,dword ptr ss:
00412698 E8 73090000 call EaseDVDR.00413010
0041269D 84C0          test al,al
0041269F 75 33       jnz short EaseDVDR.004126D4
004126A1 8D4C24 14    lea ecx,dword ptr ss:
004126A5 E8 16060000 call EaseDVDR.00412CC0
004126AA 84C0          test al,al
004126AC 74 19       je short EaseDVDR.004126C7
004126AE 68 B0144200 push EaseDVDR.004214B0                ; ASCII "Success register!"
004126B3 E8 E804FFFF call EaseDVDR.00402BA0
004126B8 8B16          mov edx,dword ptr ds:
004126BA 83C4 04       add esp,4
004126BD 8BCE          mov ecx,esi
004126BF FF92 CC000000 call dword ptr ds:
004126C5 EB 0D       jmp short EaseDVDR.004126D4
004126C7 68 9C144200 push EaseDVDR.0042149C                ; ASCII "failed register!"
004126CC E8 4F02FFFF call EaseDVDR.00402920
004126D1 83C4 04       add esp,4                            ; //返回到这里
004126D4 8D4C24 14    lea ecx,dword ptr ss:
004126D8 C74424 28 FFFFF>mov dword ptr ss:,-1
004126E0 E8 9B020000 call EaseDVDR.00412980
004126E5 8B4C24 20    mov ecx,dword ptr ss:
004126E9 5F          pop edi
004126EA 5E          pop esi
004126EB 64:890D 0000000>mov dword ptr fs:,ecx
004126F2 5D          pop ebp
004126F3 83C4 20       add esp,20
004126F6 C3          retn
==============================================================
00412BA0 6A FF       push -1
00412BA2 68 80964100 push EaseDVDR.00419680
00412BA7 64:A1 00000000mov eax,dword ptr fs:
00412BAD 50          push eax
00412BAE 64:8925 0000000>mov dword ptr fs:,esp
00412BB5 51          push ecx
00412BB6 53          push ebx
00412BB7 55          push ebp
00412BB8 56          push esi
00412BB9 57          push edi
00412BBA 8BF9          mov edi,ecx
00412BBC 8B5424 28    mov edx,dword ptr ss:
00412BC0 33DB          xor ebx,ebx
00412BC2 33C9          xor ecx,ecx
00412BC4 C74424 1C 01000>mov dword ptr ss:,1
00412BCC 8B72 F8       mov esi,dword ptr ds:
00412BCF 3BF3          cmp esi,ebx
00412BD1 7E 18       jle short EaseDVDR.00412BEB
00412BD3 8A0411       mov al,byte ptr ds:
00412BD6 3C 30       cmp al,30
00412BD8 0F8C 9E000000 jl EaseDVDR.00412C7C
00412BDE 3C 39       cmp al,39
00412BE0 0F8F 96000000 jg EaseDVDR.00412C7C
00412BE6 41          inc ecx
00412BE7 3BCE          cmp ecx,esi
00412BE9 ^ 7C E8       jl short EaseDVDR.00412BD3             ; //循环,注册码必须全为数字
00412BEB 8B4424 24    mov eax,dword ptr ss:
00412BEF 3958 F8       cmp dword ptr ds:,ebx
00412BF2 0F84 84000000 je EaseDVDR.00412C7C                   ; //用户名不能为空
00412BF8 EB 04       jmp short EaseDVDR.00412BFE
00412BFA EB 05       jmp short EaseDVDR.00412C01
00412BFC 3919          cmp dword ptr ds:,ebx
00412BFE 8B7424 24    mov esi,dword ptr ss:
00412C02 33C9          xor ecx,ecx
00412C04 33C0          xor eax,eax
00412C06 8B56 F8       mov edx,dword ptr ds:
00412C09 3BD3          cmp edx,ebx
00412C0B 7E 0B       jle short EaseDVDR.00412C18
00412C0D 0FBE2C30    movsx ebp,byte ptr ds:
00412C11 03CD          add ecx,ebp
00412C13 40          inc eax
00412C14 3BC2          cmp eax,edx
00412C16 ^ 7C F5       jl short EaseDVDR.00412C0D             ; //循环,逐一将用户名ASCII值累加至ECX
00412C18 8BC1          mov eax,ecx                            ; //EAX=ECX
00412C1A C1E0 05       shl eax,5                            ; //EAX左移5位
00412C1D 03C1          add eax,ecx                            ; //EAX=EAX+ECX
00412C1F 8D1440       lea edx,dword ptr ds:       ; //EDX=EAX*3
00412C22 8D0491       lea eax,dword ptr ds:       ; //EAX=ECX+EDX*4
00412C25 8B4C24 28    mov ecx,dword ptr ss:
00412C29 51          push ecx                               ; //假码
00412C2A 8D3485 E8EA0700 lea esi,dword ptr ds:    ; //ESI=EAX*4+7EAE8
00412C31 FF15 34A64100 call dword ptr ds:[<&MSVCRT.atol>]    ; //将假码转16进制送EAX
00412C37 83C4 04       add esp,4
00412C3A 3BC6          cmp eax,esi                            ; //真假码比较
00412C3C 75 3E       jnz short EaseDVDR.00412C7C          ; //关键跳转
00412C3E 51          push ecx
00412C3F 8D5424 28    lea edx,dword ptr ss:
00412C43 8BCC          mov ecx,esp
00412C45 896424 14    mov dword ptr ss:,esp
00412C49 52          push edx
00412C4A E8 CB510000 call <jmp.&MFC42.#535>
00412C4F 8BCF          mov ecx,edi
00412C51 E8 2A020000 call EaseDVDR.00412E80
00412C56 3AC3          cmp al,bl
00412C58 75 22       jnz short EaseDVDR.00412C7C
00412C5A 8D4C24 24    lea ecx,dword ptr ss:
00412C5E 885C24 1C    mov byte ptr ss:,bl
00412C62 E8 114E0000 call <jmp.&MFC42.#800>
00412C67 8D4C24 28    lea ecx,dword ptr ss:
00412C6B C74424 1C FFFFF>mov dword ptr ss:,-1
00412C73 E8 004E0000 call <jmp.&MFC42.#800>
00412C78 B0 01       mov al,1
00412C7A EB 20       jmp short EaseDVDR.00412C9C
00412C7C 8D4C24 24    lea ecx,dword ptr ss:
00412C80 885C24 1C    mov byte ptr ss:,bl
00412C84 E8 EF4D0000 call <jmp.&MFC42.#800>
00412C89 8D4C24 28    lea ecx,dword ptr ss:
00412C8D C74424 1C FFFFF>mov dword ptr ss:,-1
00412C95 E8 DE4D0000 call <jmp.&MFC42.#800>
00412C9A 32C0          xor al,al                            ; //关键赋值
00412C9C 8B4C24 14    mov ecx,dword ptr ss:
00412CA0 5F          pop edi
00412CA1 5E          pop esi
00412CA2 5D          pop ebp
00412CA3 64:890D 0000000>mov dword ptr fs:,ecx
00412CAA 5B          pop ebx
00412CAB 83C4 10       add esp,10
00412CAE C2 0800       retn 8
**************************************************************
【破解总结】
简单算法而且没加壳，这样的软件很少见了
--------------------------------------------------------------
【算法总结】
--------------------------------------------------------------
【算法注册机】
KeyGen.rek
.const
.data
szHomePage db "http://www.huacolor.com",0
szEmail db "mailto:tianxj_2007@126.com",0
szErrMessdb "请输入用户名！",0
szFMT db "%u",0
szBuffer db 50 dup (0)

.code
mov esi,eax
invoke lstrlen,esi
mov edx,eax
xor ecx,ecx
xor eax,eax
n1:
movsx ebp,byte ptr ds:
add ecx,ebp
inc eax
cmp eax,edx
jl n1
mov eax,ecx
shl eax,5
add eax,ecx
lea edx,dword ptr ds:
lea eax,dword ptr ds:
lea esi,dword ptr ds:
invoke wsprintf,addr szBuffer,addr szFMT,esi
lea eax,szBuffer
--------------------------------------------------------------
【注册信息】
保存在ease.ini
--------------------------------------------------------------
感谢飘云老大、猫老大、Nisy老大以及很多前辈们的学习教程以及王者之剑、云龙等所有帮助过我的论坛兄弟姐妹们！谢谢
--------------------------------------------------------------
【版权声明】破文是学习的手记，兴趣是成功的源泉；本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

iawen 发表于 2009-2-22 20:06

T大的注册机实在是精彩：
从ASM到VB
从Delphi到易……

只能膜拜:L

tianxj 发表于 2009-2-22 20:22

你还没教我C++呢:'(

cokago 发表于 2009-2-22 21:02

的确是好文章，算法分析的也好

页: [1]

吾爱破解 - 52pojie.cn's Archiver

Audiotool net Ease DVD Ripper 1.20 算法分析