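DVDRecode 1.14 Registration Code Crack
Author: ratarice
Tools: OllyDbg v1.10, PEiD v0.93.476
Environment: WIN XP
About the software:
Size: 513KB
Language: English
Category: Foreign software / Shareware / Backup tools
Description: A DVD backup program. It can re-encode a D9 disc so that it can be burned to a DVDR while keeping the original quality.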
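Preface:
I have not touched cracking since I graduated from university. Time flies; it has been almost two years. But I have never forgotten the fun of those days, the atmosphere on the forum and, most of all, that feeling. With the Spring Festival holiday I finally have time to come back to Kanxue (看雪) and plan to start over, but I have forgotten a lot of what I knew.
It looks like I will have to start again from the very basics.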
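Procedure:
1. The program prompts for registration every time it starts. Enter:
email:ratarice@sina.com
register code: 01234567890123456789
Click the register button. As expected, a dialog pops up: "Invalid register code!"
2. Check the program with PEiD. It is not packed, and PEiD reports Microsoft Visual C++ 7.0, which suits me fine.
3. Start OllyDbg, load DVDRecode, and set a breakpoint on every reference to GetDlgItem. After a little tracing, we arrive at: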
0040C179 LEA EAX,DWORD PTR DS:[EBX+2C] ; |
0040C17C PUSH EAX ; |Arg2
0040C17D PUSH 416 ; |Arg1 = 00000416
0040C182 MOV ECX,ESI ; |
0040C184 CALL DVDRecod.0040BE30 ; \DVDRecod.0040BE30
0040C189 MOV ESI,DWORD PTR DS:[EBX+2C]
0040C18C LEA ECX,DWORD PTR SS:[ESP+18]
0040C190 PUSH ECX
0040C191 MOV ECX,DWORD PTR SS:[EBP]
0040C194 CALL DVDRecod.0040B450-----------> a very typical pattern; this is the key call, F7 (step into)!
0040C199 ADD ESP,4
0040C19C MOV ECX,8
0040C1A1 LEA EDI,DWORD PTR SS:[ESP+18]
0040C1A5 XOR EDX,EDX
0040C1A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>
0040C1A9 JE SHORT DVDRecod.0040C1D6
0040C1AB MOV EAX,DWORD PTR DS:[EBX+4]
0040C1AE PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040C1B0 PUSH DVDRecod.00452D80 ; |Title = "Register failed"
0040C1B5 PUSH DVDRecod.00452D68 ; |Text = "Invalid register code!"
0040C1BA PUSH EAX ; |hOwner
0040C1BB CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0040C1C1 POP EDI
0040C1C2 POP ESI
0040C1C3 POP EBP
0040C1C4 XOR EAX,EAX
0040C1C6 POP EBX
0040C1C7 MOV ECX,DWORD PTR SS:[ESP+48]
0040C1CB CALL DVDRecod.0043F2E2
0040C1D0 ADD ESP,4C
0040C1D3 RETN 10
0040C1D6 MOV ECX,DWORD PTR DS:[EBX+4]
0040C1D9 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040C1DB PUSH DVDRecod.00452D54 ; |Title = "Register succeeded"
0040C1E0 PUSH DVDRecod.00452D34 ; |Text = "Thank you for buying DVDREcode!"
0040C1E5 PUSH ECX ; |hOwner
0040C1E6 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0040C1EC LEA EDX,DWORD PTR SS:[ESP+14]
0040C1F0 PUSH EDX
0040C1F1 XOR ESI,ESI
0040C1F3 LEA EAX,DWORD PTR SS:[ESP+14]
0040C1F7 PUSH EAX
0040C1F8 PUSH ESI
0040C1F9 PUSH 2001F
0040C1FE PUSH ESI
0040C1FF PUSH ESI
0040C200 PUSH ESI
0040C201 PUSH DVDRecod.00452784
0040C206 PUSH 80000001
0040C20B MOV DWORD PTR SS:[ESP+34],ESI
0040C20F CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA (seeing this, we know it also writes to the registry)
4. The function is not large, so here it is in full.
0040B450 SUB ESP,58
0040B453 MOV EAX,DWORD PTR DS:[48BE4C]
0040B458 MOV EDX,DWORD PTR DS:[4526D8]
0040B45E MOV DWORD PTR SS:[ESP+54],EAX
0040B462 MOV EAX,DWORD PTR DS:[4526D0]
0040B467 PUSH ESI
0040B468 MOV ESI,ECX
0040B46A MOV ECX,DWORD PTR DS:[4526D4]
0040B470 MOV DWORD PTR SS:[ESP+4],EAX
0040B474 MOV EAX,DWORD PTR DS:[4526DC]
0040B479 MOV DWORD PTR SS:[ESP+8],ECX
0040B47D MOV CL,BYTE PTR DS:[4526E0]
0040B483 MOV DWORD PTR SS:[ESP+10],EAX
0040B487 MOV EAX,ESI
0040B489 MOV DWORD PTR SS:[ESP+C],EDX
0040B48D MOV BYTE PTR SS:[ESP+14],CL
0040B491 LEA EDX,DWORD PTR DS:[EAX+1]
0040B494 /MOV CL,BYTE PTR DS:[EAX]------------
0040B496 |INC EAX |----> compute the length of the email
0040B497 |TEST CL,CL |
0040B499 \JNZ SHORT DVDRecod.0040B494----------
0040B49B SUB EAX,EDX
0040B49D CMP EAX,20
0040B4A0 JLE SHORT DVDRecod.0040B4A7---------------> only an email of at most 20 (hex) characters is processed
0040B4A2 MOV EAX,20
0040B4A7 PUSH EDI--------------------
0040B4A8 MOV ECX,EAX |
0040B4AA MOV EDX,ECX |
0040B4AC SHR ECX,2 |
0040B4AF LEA EDI,DWORD PTR SS:[ESP+1C] |
0040B4B3 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] |
0040B4B5 MOV ECX,EDX |
0040B4B7 AND ECX,3 |
0040B4BA REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] |
0040B4BC MOV ECX,20 |
0040B4C1 SUB ECX,EAX |
0040B4C3 LEA EDI,DWORD PTR SS:[ESP+EAX+1C] |
0040B4C7 MOV EAX,ECX |
0040B4C9 SHR ECX,2 |
0040B4CC MOV ESI,DVDRecod.0045E16C |---> then append the ">.N" string to the end of the email
0040B4D1 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] | to pad it to 4-byte alignment
0040B4D3 MOV ECX,EAX |
0040B4D5 AND ECX,3 |
0040B4D8 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] |
0040B4DA MOV ESI,0B |
0040B4DF POP EDI--------------------
0040B4E0 /LEA ECX,DWORD PTR SS:[ESP+18]---------
0040B4E4 |PUSH ECX |
0040B4E5 |MOV EDX,ECX |
0040B4E7 |PUSH 20 |
0040B4E9 |PUSH EDX |
0040B4EA |CALL DVDRecod.0042A0B0------------ |---> process the email in a loop, 0xB times
0040B4EF |ADD ESP,0C | the processed data is stored at [ESP+18]
0040B4F2 |DEC ESI |
0040B4F3 \JNZ SHORT DVDRecod.0040B4E0----------
0040B4F5 MOV EAX,DWORD PTR SS:[ESP+60]----------
0040B4F9 XOR ESI,ESI |
0040B4FB JMP SHORT DVDRecod.0040B500 |
0040B4FD LEA ECX,DWORD PTR DS:[ECX] |
0040B500 MOVZX ECX,BYTE PTR SS:[ESP+ESI+18] |
0040B505 MOV EDX,ECX |
0040B507 SHR EDX,4 |
0040B50A MOV DL,BYTE PTR SS:[ESP+EDX+4] |
0040B50E MOV BYTE PTR DS:[EAX],DL |
0040B510 AND ECX,0F |
0040B513 MOV CL,BYTE PTR SS:[ESP+ECX+4] |
0040B517 MOV BYTE PTR DS:[EAX+1],CL |
0040B51A MOVZX ECX,BYTE PTR SS:[ESP+ESI+19] |
0040B51F INC EAX |
0040B520 MOV EDX,ECX |
0040B522 SHR EDX,4 |
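0040B525 MOV DL,BYTE PTR SS:[ESP+EDX+4] |---> compute the registration code and write it to [ESP+60]:
0040B529 MOV BYTE PTR DS:[EAX+1],DL | take each byte of the processed data in turn, use its
0040B52C AND ECX,0F | high and low 4 bits as indexes into
0040B52F MOV CL,BYTE PTR SS:[ESP+ECX+4] | 0123456789ABCDEF; the characters looked up
0040B533 INC EAX | are the registration code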
0040B534 MOV BYTE PTR DS:[EAX+1],CL |
0040B537 MOVZX ECX,BYTE PTR SS:[ESP+ESI+1A] |
0040B53C INC EAX |
0040B53D MOV EDX,ECX |
0040B53F SHR EDX,4 |
0040B542 MOV DL,BYTE PTR SS:[ESP+EDX+4] |
0040B546 MOV BYTE PTR DS:[EAX+1],DL |
0040B549 AND ECX,0F |
0040B54C MOV CL,BYTE PTR SS:[ESP+ECX+4] |
0040B550 INC EAX |
0040B551 MOV BYTE PTR DS:[EAX+1],CL |
0040B554 MOVZX ECX,BYTE PTR SS:[ESP+ESI+1B] |
0040B559 INC EAX |
0040B55A MOV EDX,ECX |
0040B55C SHR EDX,4 |
0040B55F MOV DL,BYTE PTR SS:[ESP+EDX+4] |
0040B563 INC EAX |
0040B564 AND ECX,0F |
0040B567 MOV CL,BYTE PTR SS:[ESP+ECX+4] |
0040B56B MOV BYTE PTR DS:[EAX],DL |
0040B56D INC EAX |
0040B56E MOV BYTE PTR DS:[EAX],CL |
0040B570 ADD ESI,4 |
0040B573 INC EAX |
0040B574 CMP ESI,10 |
0040B577 JL SHORT DVDRecod.0040B500 |
0040B579 MOV ECX,DWORD PTR SS:[ESP+58] |---> inspect the memory at [ESP+60] here
0040B57D POP ESI---------------------
0040B57E CALL DVDRecod.0043F2E2-----------------> compare with the entered registration code
0040B583 ADD ESP,58
0040B586 RETN
5. My registration code is:
email:ratarice@sina.com
register code:7AB5D0B91C341D08C9A5F0A3985A3B45