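【Article Title】: Open Video Converter 3.0.1 registration algorithm analysis + C keygen
【Author】: KuNgBiM[DFCG]
【Author E-mail】: kungbim@163.com
【Software Name】: Open Video Converter 3.0.1
【Software Size】: 541 KB
【Developer】: http://www.008soft.com
【Download URL】: http://www.008soft.com/products/OVideoConverter.exe
【Author's Note】: I am new to cracking and do this purely out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!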
—————————————————————————————————
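【Cracking Process】:
Detection: checked with PEiD; the file is not packed and was compiled with Microsoft Visual C++ 7.0.
Probing: run the main program, open the registration dialog, enter a test code and confirm. The program reports: "Registration failed!"
Treatment: load the main program in Ollydbg and use the string-search plugin to find the message "Registration failed!". Double-click it to land at 00424C55, scroll up to 00424980 and set a breakpoint there, press F9 to run, and enter the test data:
************ Test data *************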
User Name:KuNgBiM
Registration Code:9876543210
***********************************
00424980 55 push ebp ; set a breakpoint here with F2, then press F9 to run
00424981 8BEC mov ebp,esp
00424983 83EC 20 sub esp,20
00424986 894D E0 mov dword ptr ss:[ebp-20],ecx
00424989 6A 01 push 1
0042498B 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0042498E E8 CA230200 call VideoCon.00446D5D
00424993 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424996 83C1 70 add ecx,70
00424999 E8 B270FEFF call VideoCon.0040BA50
0042499E 83F8 02 cmp eax,2 ; the user name must be at least 2 characters long
004249A1 7D 13 jge short VideoCon.004249B6
004249A3 6A 00 push 0
004249A5 6A 00 push 0
004249A7 68 2C034600 push VideoCon.0046032C ; please input correct user name!
004249AC E8 BEC10200 call VideoCon.00450B6F
004249B1 E9 A9020000 jmp VideoCon.00424C5F
004249B6 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249B9 83C1 74 add ecx,74
004249BC E8 8F70FEFF call VideoCon.0040BA50
004249C1 83F8 08 cmp eax,8 ; the registration code must be at least 8 characters long
004249C4 7D 13 jge short VideoCon.004249D9
004249C6 6A 00 push 0
004249C8 6A 00 push 0
004249CA 68 4C034600 push VideoCon.0046034C ; please input correct registration code!
004249CF E8 9BC10200 call VideoCon.00450B6F
004249D4 E9 86020000 jmp VideoCon.00424C5F
004249D9 6A 00 push 0
004249DB 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249DE 83C1 70 add ecx,70
004249E1 E8 AAF5FFFF call VideoCon.00423F90
004249E6 8845 EF mov byte ptr ss:[ebp-11],al
004249E9 6A 01 push 1
004249EB 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249EE 83C1 70 add ecx,70
004249F1 E8 9AF5FFFF call VideoCon.00423F90
004249F6 8845 F8 mov byte ptr ss:[ebp-8],al
004249F9 6A 00 push 0
004249FB 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004249FE 83C1 70 add ecx,70
00424A01 E8 8AF5FFFF call VideoCon.00423F90
00424A06 8845 FF mov byte ptr ss:[ebp-1],al
00424A09 6A 01 push 1
00424A0B 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424A0E 83C1 70 add ecx,70
00424A11 E8 7AF5FFFF call VideoCon.00423F90
00424A16 8845 FA mov byte ptr ss:[ebp-6],al
00424A19 0FB645 EF movzx eax,byte ptr ss:[ebp-11] ; load the first character (K) into EAX
00424A1D 83C8 41 or eax,41 ; EAX=EAX or 0x41
00424A20 8845 EF mov byte ptr ss:[ebp-11],al ; save the result of the first OR
00424A23 0FB64D F8 movzx ecx,byte ptr ss:[ebp-8] ; load the second character (u) into ECX
00424A27 83C9 56 or ecx,56 ; ECX=ECX or 0x56
00424A2A 884D F8 mov byte ptr ss:[ebp-8],cl ; save the result of the second OR
00424A2D 0FB655 FF movzx edx,byte ptr ss:[ebp-1] ; load the first character (K) again, into EDX
00424A31 83CA 49 or edx,49 ; EDX=EDX or 0x49
00424A34 8855 FF mov byte ptr ss:[ebp-1],dl ; save the result of the third OR
00424A37 0FB645 FA movzx eax,byte ptr ss:[ebp-6] ; load the second character (u) again, into EAX
00424A3B 83C8 43 or eax,43 ; EAX=EAX or 0x43
00424A3E 8845 FA mov byte ptr ss:[ebp-6],al ; save the result of the fourth OR
00424A41 0FB645 EF movzx eax,byte ptr ss:[ebp-11] ; load the first OR result into EAX
00424A45 99 cdq
00424A46 B9 0A000000 mov ecx,0A
00424A4B F7F9 idiv ecx ; EDX=EAX mod ECX(0A), remainder is 5
00424A4D 8855 EF mov byte ptr ss:[ebp-11],dl
00424A50 0FB645 F8 movzx eax,byte ptr ss:[ebp-8] ; load the second OR result into EAX
00424A54 99 cdq
00424A55 B9 0A000000 mov ecx,0A
00424A5A F7F9 idiv ecx ; EDX=EAX mod ECX(0A), remainder is 9
00424A5C 8855 F8 mov byte ptr ss:[ebp-8],dl
00424A5F 0FB645 FF movzx eax,byte ptr ss:[ebp-1] ; load the third OR result into EAX
00424A63 99 cdq
00424A64 B9 0A000000 mov ecx,0A
00424A69 F7F9 idiv ecx ; EDX=EAX mod ECX(0A), remainder is 5
00424A6B 8855 FF mov byte ptr ss:[ebp-1],dl
00424A6E 0FB645 FA movzx eax,byte ptr ss:[ebp-6] ; load the fourth OR result into EAX
00424A72 99 cdq
00424A73 B9 0A000000 mov ecx,0A
00424A78 F7F9 idiv ecx ; EDX=EAX mod ECX(0A), remainder is 9
00424A7A 8855 FA mov byte ptr ss:[ebp-6],dl
00424A7D C745 F0 0000000>mov dword ptr ss:[ebp-10],0
00424A84 C745 E8 0000000>mov dword ptr ss:[ebp-18],0
00424A8B EB 09 jmp short VideoCon.00424A96
00424A8D 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00424A90 83C2 01 add edx,1
00424A93 8955 E8 mov dword ptr ss:[ebp-18],edx
00424A96 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424A99 83C1 70 add ecx,70
00424A9C E8 AF6FFEFF call VideoCon.0040BA50
00424AA1 3945 E8 cmp dword ptr ss:[ebp-18],eax
00424AA4 7D 1E jge short VideoCon.00424AC4
00424AA6 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00424AA9 50 push eax
00424AAA 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AAD 83C1 70 add ecx,70
00424AB0 E8 DBF4FFFF call VideoCon.00423F90
00424AB5 8845 E7 mov byte ptr ss:[ebp-19],al
00424AB8 0FB64D E7 movzx ecx,byte ptr ss:[ebp-19]
00424ABC 034D F0 add ecx,dword ptr ss:[ebp-10]
00424ABF 894D F0 mov dword ptr ss:[ebp-10],ecx
00424AC2 ^ EB C9 jmp short VideoCon.00424A8D
00424AC4 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; this loop produced the sum of the user name's ASCII values (i.e. KuNgBiM-->EAX=0x26D)
00424AC7 99 cdq
00424AC8 B9 0A000000 mov ecx,0A
00424ACD F7F9 idiv ecx ; EDX=EAX mod ECX(0A), remainder is 1
00424ACF 8855 F4 mov byte ptr ss:[ebp-C],dl
00424AD2 6A 00 push 0
00424AD4 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AD7 83C1 74 add ecx,74
00424ADA E8 B1F4FFFF call VideoCon.00423F90
00424ADF 8845 FC mov byte ptr ss:[ebp-4],al ; ASCII value of the 1st character of the test registration code, al=39 ('9')
00424AE2 6A 01 push 1
00424AE4 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AE7 83C1 74 add ecx,74
00424AEA E8 A1F4FFFF call VideoCon.00423F90
00424AEF 8845 FD mov byte ptr ss:[ebp-3],al ; ASCII value of the 2nd character of the test registration code, al=38 ('8')
00424AF2 6A 02 push 2
00424AF4 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424AF7 83C1 74 add ecx,74
00424AFA E8 91F4FFFF call VideoCon.00423F90
00424AFF 8845 F6 mov byte ptr ss:[ebp-A],al ; ASCII value of the 3rd character of the test registration code, al=37 ('7')
00424B02 6A 03 push 3
00424B04 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B07 83C1 74 add ecx,74
00424B0A E8 81F4FFFF call VideoCon.00423F90
00424B0F 8845 F5 mov byte ptr ss:[ebp-B],al ; ASCII value of the 4th character of the test registration code, al=36 ('6')
00424B12 6A 04 push 4
00424B14 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B17 83C1 74 add ecx,74
00424B1A E8 71F4FFFF call VideoCon.00423F90
00424B1F 8845 F9 mov byte ptr ss:[ebp-7],al ; ASCII value of the 5th character of the test registration code, al=35 ('5')
00424B22 6A 05 push 5
00424B24 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B27 83C1 74 add ecx,74
00424B2A E8 61F4FFFF call VideoCon.00423F90
00424B2F 8845 F7 mov byte ptr ss:[ebp-9],al ; ASCII value of the 6th character of the test registration code, al=34 ('4')
00424B32 6A 06 push 6
00424B34 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B37 83C1 74 add ecx,74
00424B3A E8 51F4FFFF call VideoCon.00423F90
00424B3F 8845 FE mov byte ptr ss:[ebp-2],al ; ASCII value of the 7th character of the test registration code, al=33 ('3')
00424B42 6A 07 push 7
00424B44 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424B47 83C1 74 add ecx,74
00424B4A E8 41F4FFFF call VideoCon.00423F90
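00424B4F 8845 FB mov byte ptr ss:[ebp-5],al ; ASCII value of the last (8th) character of the test registration code, al=32 ('2')
00424B52 0FB655 EF movzx edx,byte ptr ss:[ebp-11] ; (the following checks whether the first four digits of the registration code are 5, 9, 5, 9)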
00424B56 0FB645 FC movzx eax,byte ptr ss:[ebp-4]
00424B5A 83E8 30 sub eax,30
00424B5D 3BD0 cmp edx,eax
00424B5F 75 3C jnz short VideoCon.00424B9D ; if the first digit is not "5", jump to failure! ★Patch point A★
00424B61 0FB64D F8 movzx ecx,byte ptr ss:[ebp-8]
00424B65 0FB655 FD movzx edx,byte ptr ss:[ebp-3]
00424B69 83EA 30 sub edx,30
00424B6C 3BCA cmp ecx,edx
00424B6E 75 2D jnz short VideoCon.00424B9D ; if the second digit is not "9", jump to failure! ★Patch point B★
00424B70 0FB645 FF movzx eax,byte ptr ss:[ebp-1]
00424B74 0FB64D F6 movzx ecx,byte ptr ss:[ebp-A]
00424B78 83E9 30 sub ecx,30
00424B7B 3BC1 cmp eax,ecx
00424B7D 75 1E jnz short VideoCon.00424B9D ; if the third digit is not "5", jump to failure! ★Patch point C★
00424B7F 0FB655 FA movzx edx,byte ptr ss:[ebp-6]
00424B83 0FB645 F5 movzx eax,byte ptr ss:[ebp-B]
00424B87 83E8 30 sub eax,30
00424B8A 3BD0 cmp edx,eax
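00424B8C 75 0F jnz short VideoCon.00424B9D ; if the fourth digit is not "9", jump to failure! ★Patch point D★
00424B8E 0FB64D F4 movzx ecx,byte ptr ss:[ebp-C] ; check whether the 5th digit of the test registration code equals the remainder (1); if not, it is over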
00424B92 0FB655 F9 movzx edx,byte ptr ss:[ebp-7]
00424B96 83EA 30 sub edx,30
00424B99 3BCA cmp ecx,edx
00424B9B 74 58 je short VideoCon.00424BF5 ; jump to success! ★Patch point E★
00424B9D 0FB645 FC movzx eax,byte ptr ss:[ebp-4]
00424BA1 83F8 35 cmp eax,35
00424BA4 0F85 A7000000 jnz VideoCon.00424C51
00424BAA 0FB64D FD movzx ecx,byte ptr ss:[ebp-3]
00424BAE 83F9 31 cmp ecx,31
00424BB1 0F85 9A000000 jnz VideoCon.00424C51
00424BB7 0FB655 F6 movzx edx,byte ptr ss:[ebp-A]
00424BBB 83FA 38 cmp edx,38
00424BBE 0F85 8D000000 jnz VideoCon.00424C51
00424BC4 0FB645 F5 movzx eax,byte ptr ss:[ebp-B]
00424BC8 83F8 39 cmp eax,39
00424BCB 0F85 80000000 jnz VideoCon.00424C51
00424BD1 0FB64D F9 movzx ecx,byte ptr ss:[ebp-7]
00424BD5 83F9 37 cmp ecx,37
00424BD8 75 77 jnz short VideoCon.00424C51
00424BDA 0FB655 F7 movzx edx,byte ptr ss:[ebp-9]
00424BDE 83FA 36 cmp edx,36
00424BE1 75 6E jnz short VideoCon.00424C51
00424BE3 0FB645 FE movzx eax,byte ptr ss:[ebp-2]
00424BE7 83F8 32 cmp eax,32
00424BEA 75 65 jnz short VideoCon.00424C51
00424BEC 0FB64D FB movzx ecx,byte ptr ss:[ebp-5]
00424BF0 83F9 39 cmp ecx,39
00424BF3 75 5C jnz short VideoCon.00424C51
00424BF5 6A 00 push 0 ; registration succeeded
00424BF7 6A 00 push 0
00424BF9 68 74034600 push VideoCon.00460374 ; registration has succeeded!
00424BFE E8 6CBF0200 call VideoCon.00450B6F
00424C03 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424C06 83C1 70 add ecx,70
00424C09 E8 62F4FFFF call VideoCon.00424070
00424C0E 50 push eax ; write the user name to the registry
00424C0F 68 90034600 push VideoCon.00460390 ; username
00424C14 68 9C034600 push VideoCon.0046039C ; option
00424C19 E8 A295FEFF call VideoCon.0040E1C0
00424C1E 8BC8 mov ecx,eax
00424C20 E8 AABC0200 call VideoCon.004508CF
00424C25 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424C28 83C1 74 add ecx,74
00424C2B E8 40F4FFFF call VideoCon.00424070
00424C30 50 push eax ; write the registration code to the registry
00424C31 68 A4034600 push VideoCon.004603A4 ; registration_code
00424C36 68 B8034600 push VideoCon.004603B8 ; option
00424C3B E8 8095FEFF call VideoCon.0040E1C0
00424C40 8BC8 mov ecx,eax
00424C42 E8 88BC0200 call VideoCon.004508CF
00424C47 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00424C4A E8 87620200 call VideoCon.0044AED6
00424C4F EB 0E jmp short VideoCon.00424C5F
00424C51 6A 00 push 0 ; registration failed
00424C53 6A 00 push 0
00424C55 68 C0034600 push VideoCon.004603C0 ; registration failed!
00424C5A E8 10BF0200 call VideoCon.00450B6F
00424C5F 8BE5 mov esp,ebp
00424C61 5D pop ebp
00424C62 C3 retn
........
-------------------------------------------------------------------------------------------
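【Algorithm Summary】
The registration check is very simple:
1. The registration code depends on the user name, whose length must be at least 2 characters.
2. The registration code must be at least 8 characters long.
3. Of those 8 characters only the first 5 matter; the N characters after them do not take part in the calculation.
【Perfect Patch Points】
★Patch point A★ ; NOP out
★Patch point B★ ; NOP out
★Patch point C★ ; NOP out
★Patch point D★ ; NOP out
★Patch point E★ ; change to jmp
【Keygen Code】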
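#include <stdio.h>
#include <string.h>

int main(void)
{
    int i, n, n1, n2, n3, n4, n5 = 0;
    char name[255] = {0};

    printf("////////////////////////////////////////////////////\n");
    printf("//     Open Video Converter 3.0.1 - Keygen        //\n");
    printf("//                                                //\n");
    printf("//     Author: KuNgBiM[DFCG]                      //\n");
    printf("//                                                //\n");
    printf("//     E-mail: kungbim@163.com                    //\n");
    printf("//                                                //\n");
    printf("//     OS    : WinXP, PEiD, Ollydbg, Turbo C      //\n");
    printf("//                                                //\n");
    printf("//     Date  : 2005-07-04                         //\n");
    printf("////////////////////////////////////////////////////\n\n");
    printf("Please Input User Name[User Name>= 2]: ");

    /* Bound the read to the buffer and pass the array itself, not its address. */
    if (scanf("%254s", name) != 1 || (n = (int)strlen(name)) < 2) {
        printf("\nUser name must be at least 2 characters long.\n");
        return 1;
    }

    /* Fifth digit: sum of the name's byte values, mod 10.
       The program reads each byte with movzx, so treat it as unsigned. */
    for (i = 0; i < n; i++)
        n5 += (unsigned char)name[i];
    n5 %= 0xA;

    /* First four digits: first/second character OR-ed with a constant, mod 10. */
    n1 = ((unsigned char)name[0] | 0x41) % 0xA;
    n2 = ((unsigned char)name[1] | 0x56) % 0xA;
    n3 = ((unsigned char)name[0] | 0x49) % 0xA;
    n4 = ((unsigned char)name[1] | 0x43) % 0xA;

    /* The last three characters are not checked; "888" is padding to reach 8. */
    printf("\nYour Registration Code is : %d%d%d%d%d888\n", n1, n2, n3, n4, n5);
    return 0;
}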
============================================================================================
【Registration Info】:
User Name:KuNgBiM
Registration Code:59591888
--------------------------------------------------------------------------
Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked By KuNgBiM[DFCG]
2005-11-20
5:00:00 AM