【破文标题】GIF Movie Gear 4.2算法分析
【破文作者】tianxj
【作者邮箱】tianxj_2007@126.com
【作者主页】www.chinapyg.com
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】GIF Movie Gear 4.2(2008-3-21版)
【软件大小】962KB
【软件类别】国外软件/动画制作
【软件授权】共享版
【软件语言】英文
【原版下载】华军软件园
【保护方式】注册码
【软件简介】
GIF动画制作软件,几乎有需要制作GIF动画的编辑功能它都有,无须再用其它的图型软件辅助。它可以处理背景透明化而且做法容易,做好的图片可以做最佳化处理使图片减肥,另外它除了可以把做好的图片存成GIF的动画图外。还可以存成AVI或是ANI的文件格式。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
**************************************************************
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
"The information you have provided is invalid. Please be sure that you typed it exactly as it was given to you."
**************************************************************
二、用PEiD对这个软件查壳,为 Microsoft Visual C++ 7.0
**************************************************************
三、运行OD,打开movgear,F9运行,F12暂停,Alt+K
调用堆栈 , 项目 19
地址=0013F404
堆栈=00433D17
程序过程 / 参数=? movgear.004116E0
调用来自=movgear.00433D12
==============================================================
代码:
00433C1A . 50 PUSH EAX ; |hWnd 00433C1B . FFD3 CALL EBX ; \GetWindowTextA 00433C1D . 6A 64 PUSH 64 ; /Count = 64 (100.) 00433C1F . 8D8424 C80000>LEA EAX,DWORD PTR SS:[ESP+C8] ; | 00433C26 . 50 PUSH EAX ; |Buffer 00433C27 . 68 50040000 PUSH 450 ; |/ControlID = 450 (1104.) 00433C2C . 57 PUSH EDI ; ||hWnd 00433C2D . FFD6 CALL ESI ; |\GetDlgItem 00433C2F . 50 PUSH EAX ; |hWnd 00433C30 . FFD3 CALL EBX ; \GetWindowTextA 00433C32 . 8D8C24 C40000>LEA ECX,DWORD PTR SS:[ESP+C4] ; //注册码 00433C39 . 51 PUSH ECX 00433C3A . 8D5424 64 LEA EDX,DWORD PTR SS:[ESP+64] ; //用户名 00433C3E . 52 PUSH EDX 00433C3F . E8 FCFBFFFF CALL movgear.00433840 ; //关键CALL 00433C44 . 83C4 08 ADD ESP,8 00433C47 . 85C0 TEST EAX,EAX 00433C49 . 0F84 B6000000 JE movgear.00433D05 ; //关键跳转 00433C4F . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10] 00433C53 . 50 PUSH EAX ; /pDisposition 00433C54 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ; | 00433C58 . 51 PUSH ECX ; |pHandle 00433C59 . 6A 00 PUSH 0 ; |pSecurity = NULL 00433C5B . 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS 00433C60 . 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE 00433C62 . 68 85F64700 PUSH movgear.0047F685 ; |Class = "" 00433C67 . 6A 00 PUSH 0 ; |Reserved = 0 00433C69 . 68 84E44800 PUSH movgear.0048E484 ; |software\gamani\gifmoviegear\2.0 00433C6E . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE 00433C73 . FF15 0CF04700 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA 00433C79 . 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60] 00433C7D . 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1] 00433C80 > 8A08 MOV CL,BYTE PTR DS:[EAX] 00433C82 . 40 INC EAX 00433C83 . 84C9 TEST CL,CL 00433C85 .^ 75 F9 JNZ SHORT movgear.00433C80 00433C87 . 8B35 00F04700 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegSetV>; ADVAPI32.RegSetValueExA 00433C8D . 2BC2 SUB EAX,EDX 00433C8F . 40 INC EAX 00433C90 . 50 PUSH EAX ; /BufSize 00433C91 . 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; | 00433C95 . 8D5424 64 LEA EDX,DWORD PTR SS:[ESP+64] ; | 00433C99 . 52 PUSH EDX ; |Buffer 00433C9A . 6A 01 PUSH 1 ; |ValueType = REG_SZ 00433C9C . 6A 00 PUSH 0 ; |Reserved = 0 00433C9E . 68 C8F34800 PUSH movgear.0048F3C8 ; |regname3 00433CA3 . 50 PUSH EAX ; |hKey 00433CA4 . FFD6 CALL ESI ; \RegSetValueExA 00433CA6 . 8D8424 C40000>LEA EAX,DWORD PTR SS:[ESP+C4] 00433CAD . 8D48 01 LEA ECX,DWORD PTR DS:[EAX+1] 00433CB0 > 8A10 MOV DL,BYTE PTR DS:[EAX] 00433CB2 . 40 INC EAX 00433CB3 . 84D2 TEST DL,DL 00433CB5 .^ 75 F9 JNZ SHORT movgear.00433CB0 00433CB7 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] 00433CBB . 2BC1 SUB EAX,ECX 00433CBD . 40 INC EAX 00433CBE . 50 PUSH EAX 00433CBF . 8D8C24 C80000>LEA ECX,DWORD PTR SS:[ESP+C8] 00433CC6 . 51 PUSH ECX 00433CC7 . 6A 01 PUSH 1 00433CC9 . 6A 00 PUSH 0 00433CCB . 68 D4F34800 PUSH movgear.0048F3D4 ; regcode3 00433CD0 . 52 PUSH EDX 00433CD1 . FFD6 CALL ESI 00433CD3 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C] 00433CD7 . 50 PUSH EAX ; /hKey 00433CD8 . FF15 18F04700 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey 00433CDE . 68 E0F34800 PUSH movgear.0048F3E0 ; /software\loani\mg4 00433CE3 . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE 00433CE8 . FF15 14F04700 CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA 00433CEE . 6A 01 PUSH 1 ; /Result = 1 00433CF0 . 57 PUSH EDI ; |hWnd 00433CF1 . FF15 A4F34700 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog 00433CF7 . 5F POP EDI 00433CF8 . 5E POP ESI 00433CF9 . 33C0 XOR EAX,EAX 00433CFB . 5B POP EBX 00433CFC . 81C4 1C010000 ADD ESP,11C 00433D02 . C2 1000 RETN 10 00433D05 > 6A 30 PUSH 30 00433D07 . 68 159D0000 PUSH 9D15 00433D0C . 68 149D0000 PUSH 9D14 00433D11 . 57 PUSH EDI 00433D12 . E8 C9D9FDFF CALL movgear.004116E0 ; //错误提示 00433D17 . 83C4 10 ADD ESP,10 00433D1A . 68 4F040000 PUSH 44F 00433D1F . 57 PUSH EDI 00433D20 . FFD6 CALL ESI 00433D22 . 50 PUSH EAX ; /hWnd 00433D23 . FF15 A4F44700 CALL DWORD PTR DS:[<&USER32.SetFocus>] ; \SetFocus 00433D29 . 5F POP EDI 00433D2A . 5E POP ESI 00433D2B . 33C0 XOR EAX,EAX 00433D2D . 5B POP EBX 00433D2E . 81C4 1C010000 ADD ESP,11C 00433D34 . C2 1000 RETN 10 00433D37 > 2D 35010000 SUB EAX,135 00433D3C . 74 43 JE SHORT movgear.00433D81 00433D3E . 83E8 03 SUB EAX,3 00433D41 . 74 0E JE SHORT movgear.00433D51 00433D43 > 5F POP EDI ; Default case of switch 00433BD0 00433D44 . 5E POP ESI 00433D45 . 33C0 XOR EAX,EAX 00433D47 . 5B POP EBX 00433D48 . 81C4 1C010000 ADD ESP,11C 00433D4E . C2 1000 RETN 10 00433D51 > 8BB424 340100>MOV ESI,DWORD PTR SS:[ESP+134] ; Case 138 (WM_CTLCOLORSTATIC) of switch 00433A4A 00433D58 . 68 FFFFFF00 PUSH 0FFFFFF ; /Color = <WHITE> 00433D5D . 56 PUSH ESI ; |hDC 00433D5E . FF15 CCF04700 CALL DWORD PTR DS:[<&GDI32.SetBkColor>] ; \SetBkColor 00433D64 . 6A 00 PUSH 0 ; /Color = <BLACK> 00433D66 . 56 PUSH ESI ; |hDC 00433D67 . FF15 C8F04700 CALL DWORD PTR DS:[<&GDI32.SetTextColor>>; \SetTextColor 00433D6D . 6A 00 PUSH 0 ; /ObjType = WHITE_BRUSH 00433D6F . FF15 D0F04700 CALL DWORD PTR DS:[<&GDI32.GetStockObjec>; \GetStockObject 00433D75 . 5F POP EDI 00433D76 . 5E POP ESI 00433D77 . 5B POP EBX 00433D78 . 81C4 1C010000 ADD ESP,11C 00433D7E . C2 1000 RETN 10 00433D81 > 6A 05 PUSH 5 ; /ObjType = NULL_BRUSH; Case 135 (WM_CTLCOLORBTN) of switch 00433A4A 00433D83 . FF15 D0F04700 CALL DWORD PTR DS:[<&GDI32.GetStockObjec>; \GetStockObject 00433D89 . 5F POP EDI 00433D8A . 5E POP ESI 00433D8B . 5B POP EBX 00433D8C . 81C4 1C010000 ADD ESP,11C 00433D92 . C2 1000 RETN 10 ============================================================== 00433840 /$ 53 PUSH EBX 00433841 |. 55 PUSH EBP 00433842 |. 8B6C24 10 MOV EBP,DWORD PTR SS:[ESP+10] 00433846 |. 807D 00 6D CMP BYTE PTR SS:[EBP],6D ; //注册码第1个字母与6D即"m"比较 0043384A |. 56 PUSH ESI 0043384B |. 57 PUSH EDI 0043384C |. 0F85 AD000000 JNZ movgear.004338FF ; //不等则跳 00433852 |. 807D 01 67 CMP BYTE PTR SS:[EBP+1],67 ; //注册码第2个字母与67即"g"比较 00433856 |. 0F85 A3000000 JNZ movgear.004338FF ; //不等则跳 0043385C |. 807D 02 33 CMP BYTE PTR SS:[EBP+2],33 ; //注册码第3个字母与33即"3"比较 00433860 |. 0F85 99000000 JNZ movgear.004338FF ; //不等则跳 00433866 |. 807D 03 37 CMP BYTE PTR SS:[EBP+3],37 ; //注册码第4个字母与37即"7"比较 0043386A |. 0F85 8F000000 JNZ movgear.004338FF ; //不等则跳 00433870 |. 33DB XOR EBX,EBX ; //EBX=0 00433872 |> 8BBB F8F34800 /MOV EDI,DWORD PTR DS:[EBX+48F3F8] ; //"mvg21951736" 00433878 |. 8BC7 |MOV EAX,EDI 0043387A |. 8D50 01 |LEA EDX,DWORD PTR DS:[EAX+1] 0043387D |. 8D49 00 |LEA ECX,DWORD PTR DS:[ECX] 00433880 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX] 00433882 |. 40 ||INC EAX 00433883 |. 84C9 ||TEST CL,CL 00433885 |.^ 75 F9 |\JNZ SHORT movgear.00433880 00433887 |. 2BC2 |SUB EAX,EDX ; //EAX=EAX-EDX 00433889 |. 8BC8 |MOV ECX,EAX 0043388B |. 8BF5 |MOV ESI,EBP 0043388D |. 33C0 |XOR EAX,EAX ; //EAX=0 0043388F |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS> 00433891 |. 74 65 |JE SHORT movgear.004338F8 00433893 |. 83C3 04 |ADD EBX,4 00433896 |. 81FB 80000000 |CMP EBX,80 0043389C |.^ 72 D4 \JB SHORT movgear.00433872 ; //注册码是否在黑名单 0043389E |. 807D 04 73 CMP BYTE PTR SS:[EBP+4],73 ; //注册码第5个字母与73即"s"比较 004338A2 |. 75 01 JNZ SHORT movgear.004338A5 ; //不等则跳 004338A4 |. 45 INC EBP 004338A5 |> 8D4D 07 LEA ECX,DWORD PTR SS:[EBP+7] 004338A8 |. 51 PUSH ECX 004338A9 |. E8 26BD0300 CALL movgear.0046F5D4 ; //将注册码第8位以后的数字转16进制送入EAX(如果第5个 字母为"s",则将注册码第9位以后的数字转16进制送入EAX),否则EAX=0 004338AE |. 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18] ; //用户名 004338B2 |. 8A13 MOV DL,BYTE PTR DS:[EBX] ; //用户名第1个字母ASC值 004338B4 |. 83C4 04 ADD ESP,4 004338B7 |. 33C9 XOR ECX,ECX ; //ECX=0 004338B9 |. 84D2 TEST DL,DL 004338BB |. 8BFB MOV EDI,EBX ; (初始 cpu 选择) 004338BD |. BE DF0B0000 MOV ESI,0BDF ; //ESI=0BDF 004338C2 |. 74 26 JE SHORT movgear.004338EA 004338C4 |> 0FBED2 /MOVSX EDX,DL 004338C7 |. 41 |INC ECX ; //ECX=ECX+1 004338C8 |. 0FAFD1 |IMUL EDX,ECX ; //EDX=EDX*ECX 004338CB |. 03F2 |ADD ESI,EDX ; //ESI=ESI+EDX 004338CD |. 81FE BE170000 |CMP ESI,17BE ; //ESI与17BE比较 004338D3 |. 7E 06 |JLE SHORT movgear.004338DB ; //小于等于则跳 004338D5 |. 81EE BE170000 |SUB ESI,17BE ; //ESI=ESI-17BE 004338DB |> 83F9 0A |CMP ECX,0A ; //ECX与0A比较 004338DE |. 7E 02 |JLE SHORT movgear.004338E2 ; //小于等于则跳 004338E0 |. 33C9 |XOR ECX,ECX ; //ECX=0 004338E2 |> 8A57 01 |MOV DL,BYTE PTR DS:[EDI+1] ; //依次取用户名ASC值 004338E5 |. 47 |INC EDI ; //EDI=EDI+1 004338E6 |. 84D2 |TEST DL,DL 004338E8 |.^ 75 DA \JNZ SHORT movgear.004338C4 ; //循环 004338EA |> 3BF0 CMP ESI,EAX ; //比较ESI与EAX 004338EC |. 75 15 JNZ SHORT movgear.00433903 ; //不等则跳,爆破点 004338EE |. 5F POP EDI 004338EF |. 5E POP ESI 004338F0 |. 5D POP EBP 004338F1 |. B8 01000000 MOV EAX,1 ; //标志位赋值 004338F6 |. 5B POP EBX 004338F7 |. C3 RETN 004338F8 |> 5F POP EDI 004338F9 |. 5E POP ESI 004338FA |. 5D POP EBP 004338FB |. 33C0 XOR EAX,EAX 004338FD |. 5B POP EBX 004338FE |. C3 RETN 004338FF |> 8B5C24 14 MOV EBX,DWORD PTR SS:[ESP+14] 00433903 |> 55 PUSH EBP 00433904 |. 53 PUSH EBX 00433905 |. E8 16FCFFFF CALL movgear.00433520 0043390A |. 83C4 08 ADD ESP,8 0043390D |. 5F POP EDI 0043390E |. 5E POP ESI 0043390F |. 5D POP EBP 00433910 |. 5B POP EBX 00433911 \. C3 RETN
【黑名单】
0047FE18 6D 67 33 37 34 33 34 34 37 37 37 00 6D 67 33 37 mg374344777.mg37
0047FE28 39 33 34 32 36 38 39 00 6D 67 33 37 37 37 35 33 9342689.mg377753
0047FE38 39 33 31 00 6D 67 33 37 37 36 34 33 38 36 33 00 931.mg377643863.
0047FE48 6D 67 33 37 30 37 30 34 37 38 38 00 6D 67 33 37 mg370704788.mg37
0047FE58 36 38 37 31 34 33 34 00 6D 67 33 37 36 34 38 34 6871434.mg376484
0047FE68 30 33 39 00 6D 67 33 37 30 33 34 32 36 39 32 00 039.mg370342692.
0047FE78 6D 67 33 37 36 34 34 39 35 37 00 00 6D 67 33 37 mg37644957..mg37
0047FE88 37 35 38 33 34 35 34 00 6D 67 33 37 33 32 32 33 7583454.mg373223
0047FE98 35 35 34 00 6D 67 33 37 31 38 39 35 32 36 36 00 554.mg371895266.
0047FEA8 6D 67 33 37 39 37 37 33 36 35 31 00 6D 67 33 37 mg379773651.mg37
0047FEB8 31 30 37 33 34 37 38 00 6D 67 33 37 34 33 39 34 1073478.mg374394
0047FEC8 39 38 37 00 6D 67 33 37 38 38 32 32 34 36 39 00 987.mg378822469.
0047FED8 6D 67 33 37 30 36 34 33 34 38 00 00 6D 67 33 37 mg37064348..mg37
0047FEE8 30 34 37 33 37 31 30 00 6D 67 33 37 38 35 34 32 0473710.mg378542
0047FEF8 35 34 34 00 6D 67 33 37 33 34 37 33 37 35 39 00 544.mg373473759.
0047FF08 6D 67 33 37 39 32 32 33 39 35 33 00 6D 67 33 37 mg379223953.mg37
0047FF18 35 39 35 33 32 34 38 00 6D 67 33 37 32 30 32 31 5953248.mg372021
0047FF28 34 32 34 00 6D 67 33 37 30 33 35 33 30 30 38 00 424.mg370353008.
0047FF38 6D 67 33 37 30 31 35 31 33 34 37 00 6D 67 33 37 mg370151347.mg37
0047FF48 39 38 34 33 31 34 39 00 6D 67 33 37 32 35 30 33 9843149.mg372503
0047FF58 39 35 38 00 6D 67 33 37 4E 54 69 00 6D 67 33 37 958.mg37NTi.mg37
0047FF68 33 34 36 35 32 34 31 00 6D 67 33 37 30 35 33 34 3465241.mg370534
0047FF78 30 33 35 00 6D 67 33 37 34 36 30 34 33 34 32 00 035.mg374604342.
0047FF88 6D 76 67 32 31 39 35 31 37 33 36 mvg21951736
**************************************************************
【破解总结】
--------------------------------------------------------------
【算法总结】
分两种算法,1种是8位以上,1种是9位以上,前面分别为"mg37"和"mg37s"
--------------------------------------------------------------
【算法注册机】
注册机1
keygen1.rek
.const
.data
szHomePage db "http://www.chinapyg.com",0
szEmail db "mailto:tianxj_2007@126.com",0
szErrMess db "请输入用户名!",0
szBuffer db 50 dup (0)
szFMT db "mg37***%d",0
.code
MOV EBX,eax
MOV DL,BYTE PTR DS:[EBX]
XOR ECX,ECX
MOV EDI,EBX
MOV ESI,0BDFh
tianxj:
MOVSX EDX,DL
INC ECX
IMUL EDX,ECX
ADD ESI,EDX
CMP ESI,17BEh
JLE n1
SUB ESI,17BEh
n1:
CMP ECX,0Ah
JLE n2
XOR ECX,ECX
n2:
MOV DL,BYTE PTR DS:[EDI+1]
INC EDI
TEST DL,DL
JNZ tianxj
invoke wsprintf,addr szBuffer,addr szFMT,esi
lea eax,szBuffer
注册机2
keygen2.rek
.const
.data
szHomePage db "http://www.chinapyg.com",0
szEmail db "mailto:tianxj_2007@126.com",0
szErrMess db "请输入用户名!",0
szBuffer db 50 dup (0)
szFMT db "mg37s***%d",0
.code
MOV EBX,eax
MOV DL,BYTE PTR DS:[EBX]
XOR ECX,ECX
MOV EDI,EBX
MOV ESI,0BDFh
tianxj:
MOVSX EDX,DL
INC ECX
IMUL EDX,ECX
ADD ESI,EDX
CMP ESI,17BEh
JLE n1
SUB ESI,17BEh
n1:
CMP ECX,0Ah
JLE n2
XOR ECX,ECX
n2:
MOV DL,BYTE PTR DS:[EDI+1]
INC EDI
TEST DL,DL
JNZ tianxj
invoke wsprintf,addr szBuffer,addr szFMT,esi
lea eax,szBuffer
--------------------------------------------------------------
【注册信息】
用户名:tianxj
注册码:mg37***5332 或mg37s***5332 (*为任意字符)
保存在
[HKEY_LOCAL_MACHINE\SOFTWARE\gamani\GIFMovieGear\2.0]
--------------------------------------------------------------
感谢飘云老大、猫老大、Nisy老大以及很多前辈们的学习教程以及所有帮助过我的论坛兄弟姐妹们!谢谢
--------------------------------------------------------------
【版权声明】破文是学习的手记,兴趣是成功的源泉;本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!