软件大小: 1053KB
软件版本: V3.0
软件语言: 英文
软件性质: 共享软件/国外
所属分类: 图形图像 > GIF 动画类
应用平台: win9x/winNT
开 发 商: gamani productions.
软件介绍:
GIF 动画制作软件,制作 GIF 动画所需的编辑功能它几乎都有,无须再用其它图形软件辅助。它可以处理背景透明化,而且做法容易;做好的图片可以做最佳化处理,使图片减肥。另外,它除了可以把做好的图片存成 GIF 动画图外,还可以存成 AVI 或是 ANI 的文件格式。
第二篇,大家多多指导!^-^
工具:trw 2000 娃娃版,w32dasm,windows 计算器,regmon.
运行注册对话框,输入注册名: happycreator,注册码: 123456789
在trw 2000 中下断点bpx hmemcpy
点“确定”中断
来到004317d2
向下看:
:004317EE 8D4C2460
lea ecx, dword ptr [esp+60]
:004317F2 50
push eax
:004317F3 51
push ecx
:004317F4 E8F7FBFFFF call
004313F0 <-----关键call!
:004317F9 83C408 add
esp, 00000008
:004317FC 85C0
test eax, eax
:004317FE 0F84AD000000 je 004318B1
:00431804 8D542410 lea
edx, dword ptr [esp+10]
:00431808 8D44240C lea
eax, dword ptr [esp+0C]
:0043180C 52
push edx
:0043180D 50
push eax
:0043180E 6A00
push 00000000
:00431810 683F000F00 push
000F003F
:00431815 6A00
push 00000000
:00431817 6814ED4400 push
0044ED14
:0043181C 6A00
push 00000000
* Possible StringData Ref from
Data Obj ->"Software\gamani\GIFMovieGear\2.0"
|
:0043181E 68B8B34400 push
0044B3B8
:00431823 6801000080 push
80000001
* Reference To: ADVAPI32.RegCreateKeyExA,
Ord:015Fh
|
:00431828 FF1514804400 Call dword
ptr [00448014]
:0043182E 8D7C2460 lea
edi, dword ptr [esp+60]
:00431832 83C9FF or
ecx, FFFFFFFF
:00431835 33C0
xor eax, eax
:00431837 8B54240C mov
edx, dword ptr [esp+0C]
:0043183B F2
repnz
:0043183C AE
scasb
:0043183D F7D1
not ecx
* Reference To: ADVAPI32.RegSetvalueExA,
Ord:0186h
|
:0043183F 8B1D08804400 mov ebx, dword
ptr [00448008]
:00431845 51
push ecx
:00431846 8D4C2464 lea
ecx, dword ptr [esp+64]
:0043184A 51
push ecx
:0043184B 6A01
push 00000001
:0043184D 50
push eax
* Possible StringData Ref from
Data Obj ->"RegName3"
|
:0043184E 6890D44400 push
0044D490
:00431853 52
push edx
:00431854 FFD3
call ebx
:00431856 8DBC24C4000000 lea edi, dword
ptr [esp+000000C4]
:0043185D 83C9FF or
ecx, FFFFFFFF
:00431860 33C0
xor eax, eax
:00431862 F2
repnz
:00431863 AE
scasb
:00431864 F7D1
not ecx
:00431866 8D8424C4000000 lea eax, dword
ptr [esp+000000C4]
:0043186D 51
push ecx
:0043186E 8B4C2410 mov
ecx, dword ptr [esp+10]
:00431872 50
push eax
:00431873 6A01
push 00000001
:00431875 6A00
push 00000000
* Possible StringData Ref from
Data Obj ->"RegCode3"
|
:00431877 689CD44400 push
0044D49C
:0043187C 51
push ecx
:0043187D FFD3
call ebx
:0043187F 8B54240C mov
edx, dword ptr [esp+0C]
:00431883 52
push edx
* Reference To: ADVAPI32.RegCloseKey,
Ord:015Bh
|
:00431884 FF1518804400 Call dword
ptr [00448018]
* Possible StringData Ref from
Data Obj ->"Software\Loani\MG3t"
|
:0043188A 68A8D44400 push
0044D4A8
:0043188F 6802000080 push
80000002
* Reference To: ADVAPI32.RegDeleteKeyA,
Ord:0162h
|
:00431894 FF1510804400 Call dword
ptr [00448010]
:0043189A 6A01
push 00000001
:0043189C 56
push esi
:004313F0 53
push ebx
:004313F1 55
push ebp
:004313F2 8B6C2410 mov
ebp, dword ptr [esp+10]
:004313F6 56
push esi
:004313F7 57
push edi
:004313F8 807D006D cmp
byte ptr [ebp+00], 6D<----首位为"m"否则失败
:004313FC 0F85A0000000 jne 004314A2
:00431402 807D0167 cmp
byte ptr [ebp+01], 67<------第二位为"g"
:00431406 0F8596000000 jne 004314A2
:0043140C 807D0233 cmp
byte ptr [ebp+02], 33<-----第三位为“3”
:00431410 0F858C000000 jne 004314A2
:00431416 807D0337 cmp
byte ptr [ebp+03], 37<-----第四位为“7”
:0043141A 0F8582000000 jne 004314A2
<---改过来,再试。
* Possible Indirect StringData Ref from Data Obj ->"mvg21951736"<---不知道是不是从前的非法注册码?
|
:00431420 BBBCD44400 mov ebx,
0044D4BC
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00431446(C)
|
:00431425 8B13
mov edx, dword ptr [ebx]
:00431427 83C9FF or
ecx, FFFFFFFF
:0043142A 8BFA
mov edi, edx
:0043142C 33C0
xor eax, eax
:0043142E F2
repnz
:0043142F AE
scasb
:00431430 F7D1
not ecx
:00431432 49
dec ecx
:00431433 8BFA
mov edi, edx
:00431435 8BF5
mov esi, ebp
:00431437 33C0
xor eax, eax
:00431439 F3
repz
:0043143A A6
cmpsb
:0043143B 7465
je 004314A2
:0043143D 83C304 add
ebx, 00000004
:00431440 81FBC0D44400 cmp ebx, 0044D4C0
:00431446 7CDD
jl 00431425
:00431448 807D0473 cmp
byte ptr [ebp+04], 73<----第五位是否为"s",改之,试一下。
:0043144C 7501
jne 0043144F
:0043144E 45
inc ebp
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043144C(C)
|
:0043144F 83C507 add
ebp, 00000007
:00431452 55
push ebp
:00431453 E8C4DD0000 call
0043F21C<-------对注册码的关键运算!
:00431458 8B542418 mov
edx, dword ptr [esp+18]
:0043145C 83C404 add
esp, 00000004
:0043145F 8BFA
mov edi, edx<----对注册名开始运算!
:00431461 33C9
xor ecx, ecx
:00431463 8A12
mov dl, byte ptr [edx]
:00431465 BEDF0B0000 mov esi,
00000BDF<---esi的初始值。
:0043146A 84D2
test dl, dl
:0043146C 7426
je 00431494
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00431492(C)
|
:0043146E 0FBED2 movsx
edx, dl 注册名各字符进edx
:00431471 41
inc ecx<------ecx计数
:00431472 0FAFD1 imul
edx, ecx<------位数与注册名ASC码相乘。
:00431475 03F2
add esi, edx<-----和加入esi
:00431477 81FEBE170000 cmp esi, 000017BE
:0043147D 7E06
jle 00431485
:0043147F 81EEBE170000 sub esi, 000017BE<---最后取esi除17be的余数。
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043147D(C)
|
:00431485 83F90A cmp
ecx, 0000000A<----ecx以十为一组。
:00431488 7E02
jle 0043148C
:0043148A 33C9
xor ecx, ecx
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00431488(C)
|
:0043148C 8A5701 mov
dl, byte ptr [edi+01]
:0043148F 47
inc edi
:00431490 84D2
test dl, dl<----直到取尽注册名。
:00431492 75DA
jne 0043146E
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043146C(C)
|
:00431494 3BF0
cmp esi, eax<----与注册码计算结果比较,不等则失败!
:00431496 750A
jne 004314A2
:00431498 5F
pop edi
:00431499 5E
pop esi
:0043149A 5D
pop ebp
:0043149B B801000000 mov eax,
00000001
:004314A0 5B
pop ebx
:004314A1 C3
ret
:0043F21C FF742404
push [esp+04]
:0043F220 E86CFFFFFF call
0043F191<-----跟进!
:0043F225 59
pop ecx
:0043F226 C3
ret
* Referenced by a CALL at Addresses:
|:0043F220 , :004463E3 , :00446411 , :0044643C
|
:0043F191 53
push ebx
:0043F192 55
push ebp
:0043F193 56
push esi
:0043F194 57
push edi
:0043F195 8B7C2414 mov
edi, dword ptr [esp+14]<---edi指向第九位。
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1C5(U)
|
:0043F199 833D4CE2440001 cmp dword ptr [0044E24C],
00000001<---查看是否取尽
:0043F1A0 7E0F
jle 0043F1B1
:0043F1A2 0FB607 movzx
eax, byte ptr [edi]
:0043F1A5 6A08
push 00000008
:0043F1A7 50
push eax
:0043F1A8 E812230000 call
004414BF
:0043F1AD 59
pop ecx
:0043F1AE 59
pop ecx
:0043F1AF EB0F
jmp 0043F1C0
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1A0(C)
|
:0043F1B1 0FB607 movzx
eax, byte ptr [edi]
* Possible StringData Ref from
Data Obj ->" (((((
"
->"
H"
|
:0043F1B4 8B0D40E04400 mov ecx, dword
ptr [0044E040]
:0043F1BA 8A0441 mov
al, byte ptr [ecx+2*eax]
:0043F1BD 83E008 and
eax, 00000008
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1AF(U)
|
:0043F1C0 85C0
test eax, eax
:0043F1C2 7403
je 0043F1C7
:0043F1C4 47
inc edi
:0043F1C5 EBD2
jmp 0043F199
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1C2(C)
|
:0043F1C7 0FB637 movzx
esi, byte ptr [edi]
:0043F1CA 47
inc edi
:0043F1CB 83FE2D cmp
esi, 0000002D<---第九位是否为"-"
:0043F1CE 8BEE
mov ebp, esi
:0043F1D0 7405
je 0043F1D7<-----是则有另一种算法,最后取eax的补码。
:0043F1D2 83FE2B cmp
esi, 0000002B<----第九位是不是"+"?
:0043F1D5 7504
jne 0043F1DB<---不是则跳!
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1D0(C)
|
:0043F1D7 0FB637 movzx
esi, byte ptr [edi] <-若第九位为“-”或“+”,则对其后的数字进行计算。
:0043F1DA 47 inc edi
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1D5(C)
|
:0043F1DB 33DB
xor ebx, ebx<--否则直接进行计算。
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F20C(U)
|
:0043F1DD 833D4CE2440001 cmp dword ptr [0044E24C],
00000001<--以下好像是在验证是否取完数码。
:0043F1E4 7E0C
jle 0043F1F2
:0043F1E6 6A04
push 00000004
:0043F1E8 56
push esi
:0043F1E9 E8D1220000 call
004414BF
:0043F1EE 59
pop ecx
:0043F1EF 59
pop ecx
:0043F1F0 EB0B
jmp 0043F1FD
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1E4(C)
|
* Possible StringData Ref from
Data Obj ->" (((((
"
->"
H"
|
:0043F1F2 A140E04400 mov eax,
dword ptr [0044E040]
:0043F1F7 8A0470 mov
al, byte ptr [eax+2*esi]
:0043F1FA 83E004 and
eax, 00000004
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1F0(U)
|
:0043F1FD 85C0
test eax, eax
:0043F1FF 740D
je 0043F20E
:0043F201 8D049B lea
eax, dword ptr [ebx+4*ebx]<---对eax取值!
:0043F204 8D5C46D0 lea
ebx, dword ptr [esi+2*eax-30]<---对ebx取值!!
:0043F208 0FB637 movzx
esi, byte ptr [edi] <----esi为相应数字的ASC码。
:0043F20B 47
inc edi<-- 下一位
:0043F20C EBCF
jmp 0043F1DD
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F1FF(C)
|
:0043F20E 83FD2D cmp
ebp, 0000002D<--算法选择。
:0043F211 8BC3
mov eax, ebx <----返回eax的值!
:0043F213 7502
jne 0043F217
:0043F215 F7D8
neg eax <--是否取反,视有无"-"而定。
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0043F213(C)
|
:0043F217 5F
pop edi
:0043F218 5E
pop esi
:0043F219 5D
pop ebp
:0043F21A 5B
pop ebx
:0043F21B C3
ret
在00431494处的比较决定了注册成功与否。相等即大功告成!
对注册码的计算,实际上是把输入的第九至第n位数字转化为十六进制;对注册名的计算,则是在esi的初始值上加上各位字符与其位数之积的和,再取除以17be的余数。两者相等即可成功。在前面还有一个对第五位的测试,因时间原因就不再分析了。
我的结果:注册名:happycreator
注册码:mg37s6784216
注册后信息会保存在注册表中:HKCU\Software\gamani\GIFMovieGear\2.0
删除相关信息后又变为未注册。注册码第6、7、8三位无关。