史萊姆論壇 - AVI Splitter V1.0.86註冊破解算法分析

AVI Splitter V1.0.86註冊破解算法分析

【破文標題】AVI Splitter V1.0.86破解分析
【破文作者】gg1211[CZG]
【破解平台】WinXp
【作者郵信箱】QIBINLEI@YAHOO.COM.CN
【破解工具】PEiD 、OD
【保護方式】用戶名＋序列號
【破解目的】學習簡單算法破解
【破解宣告】我乃小菜鳥一隻，偶得一點心得，願與大家分享：）
【軟體名稱】AVI Splitter V1.0.86
【下載位址】http://www3.skycn.com/soft/19877.html
【軟體簡介】AVI 影片分割工具AVI Splitter，能夠將2GB以下的單一AVI影片檔分割成多個AVI影片檔，不用重新壓縮就可以直接產生分割文件，程序還可以用來壓縮/解壓縮內建的VFW編碼(如：MPEG-4 或 DivX)。
【破解步驟】先用PEiD 偵測，發現為Microsoft Visual C++ 7.0，無殼
試著執行軟體，實驗碼gg1211
12345678
有錯誤提示，「registration failed"，od載入根據提示訊息來到這裡下斷
00407010 /. 55 push ebp \\下斷
00407011 |. 8BEC mov ebp, esp
00407013 |. 83EC 20 sub esp, 20
00407016 |. 894D E0 mov [ebp-20], ecx
00407019 |. 6A 01 push 1
0040701B |. 8B4D E0 mov ecx, [ebp-20]
0040701E |. E8 869C0100 call 00420CA9
00407023 |. 8B4D E0 mov ecx, [ebp-20]
00407026 |. 83C1 70 add ecx, 70
00407029 |. E8 02F5FFFF call 00406530 \\這裡計算用戶名位數
0040702E |. 83F8 02 cmp eax, 2 \\是超過兩位
00407031 |. 7D 13 jge short 00407046 \\不跳則死
00407033 |. 6A 00 push 0
00407035 |. 6A 00 push 0
00407037 |. 68 5CE24200 push 0042E25C ; please input correct user name!
0040703C |. E8 B7F70100 call 004267F8
00407041 |. E9 A9020000 jmp 004072EF
00407046 |> 8B4D E0 mov ecx, [ebp-20]
00407049 |. 83C1 74 add ecx, 74
0040704C |. E8 DFF4FFFF call 00406530 \\計算註冊碼位數（都是使用406530）
00407051 |. 83F8 08 cmp eax, 8 \\小於8為
00407054 |. 7D 13 jge short 00407069 \\不跳則死
00407056 |. 6A 00 push 0
00407058 |. 6A 00 push 0
0040705A |. 68 7CE24200 push 0042E27C ; please input correct registration code!
0040705F |. E8 94F70100 call 004267F8
00407064 |. E9 86020000 jmp 004072EF
00407069 |> 6A 00 push 0 \\從這裡開始，逐個取
0040706B |. 8B4D E0 mov ecx, [ebp-20] \\ 註冊碼兩位兩次我的名字較
0040706E |. 83C1 70 add ecx, 70 \\特殊就是gggg,正常格式應該是
00407071 |. E8 BAEBFFFF call 00405C30 \\abab這個樣
00407076 |. 8845 EF mov [ebp-11], al
00407079 |. 6A 01 push 1 ; /Arg1 = 00000001
0040707B |. 8B4D E0 mov ecx, [ebp-20] ; |
0040707E |. 83C1 70 add ecx, 70 ; |
00407081 |. E8 AAEBFFFF call 00405C30 ; \AVISplit.00405C30
00407086 |. 8845 F8 mov [ebp-8], al
00407089 |. 6A 00 push 0 ; /Arg1 = 00000000
0040708B |. 8B4D E0 mov ecx, [ebp-20] ; |
0040708E |. 83C1 70 add ecx, 70 ; |
00407091 |. E8 9AEBFFFF call 00405C30 ; \AVISplit.00405C30
00407096 |. 8845 FF mov [ebp-1], al
00407099 |. 6A 01 push 1 ; /Arg1 = 00000001
0040709B |. 8B4D E0 mov ecx, [ebp-20] ; |
0040709E |. 83C1 70 add ecx, 70 ; |
004070A1 |. E8 8AEBFFFF call 00405C30 \\到這裡取字元就借宿了
004070A6 |. 8845 FA mov [ebp-6], al \\這裡開始就用所取的字元開始計算
004070A9 |. 0FB645 EF movzx eax, byte ptr [ebp-11]
004070AD |. 83C8 53 or eax, 53 \\ 67 or 53 ->77
004070B0 |. 8845 EF mov [ebp-11], al
004070B3 |. 0FB64D F8 movzx ecx, byte ptr [ebp-8]
004070B7 |. 83C9 41 or ecx, 41 \\67 or 41->67
004070BA |. 884D F8 mov [ebp-8], cl
004070BD |. 0FB655 FF movzx edx, byte ptr [ebp-1]
004070C1 |. 83CA 56 or edx, 56 \\67 or 56->77
004070C4 |. 8855 FF mov [ebp-1], dl
004070C7 |. 0FB645 FA movzx eax, byte ptr [ebp-6]
004070CB |. 83C8 49 or eax, 49 \\67 or 49->6f
004070CE |. 8845 FA mov [ebp-6], al
004070D1 |. 0FB645 EF movzx eax, byte ptr [ebp-11] \\這裡開始用上面得到
004070D5 |. 99 cdq \\的資料進行帶符號數除法除oa
004070D6 |. B9 0A000000 mov ecx, 0A \\我們需要的是他的餘數並記錄004070DB |. F7F9 idiv ecx
004070DD |. 8855 EF mov [ebp-11], dl \\dl=09
004070E0 |. 0FB645 F8 movzx eax, byte ptr [ebp-8]
004070E4 |. 99 cdq
004070E5 |. B9 0A000000 mov ecx, 0A
004070EA |. F7F9 idiv ecx
004070EC |. 8855 F8 mov [ebp-8], dl \\dl =01
004070EF |. 0FB645 FF movzx eax, byte ptr [ebp-1]
004070F3 |. 99 cdq
004070F4 |. B9 0A000000 mov ecx, 0A
004070F9 |. F7F9 idiv ecx
004070FB |. 8855 FF mov [ebp-1], dl \\dl=03
004070FE |. 0FB645 FA movzx eax, byte ptr [ebp-6]
00407102 |. 99 cdq
00407103 |. B9 0A000000 mov ecx, 0A
00407108 |. F7F9 idiv ecx
0040710A |. 8855 FA mov [ebp-6], dl \\dl=09
0040710D |. C745 F0 00000>mov dword ptr [ebp-10], 0
00407114 |. C745 E8 00000>mov dword ptr [ebp-18], 0
0040711B |. EB 09 jmp short 00407126
0040711D |> 8B55 E8 /mov edx, [ebp-18] \\ 用戶名asc累加
00407120 |. 83C2 01 |add edx, 1
00407123 |. 8955 E8 |mov [ebp-18], edx
00407126 |> 8B4D E0 mov ecx, [ebp-20]
00407129 |. 83C1 70 |add ecx, 70
0040712C |. E8 FFF3FFFF |call 00406530
00407131 |. 3945 E8 |cmp [ebp-18], eax
00407134 |. 7D 1E |jge short 00407154
00407136 |. 8B45 E8 |mov eax, [ebp-18]
00407139 |. 50 |push eax ; /Arg1
0040713A |. 8B4D E0 |mov ecx, [ebp-20] ; |
0040713D |. 83C1 70 |add ecx, 70 ; |
00407140 |. E8 EBEAFFFF |call 00405C30 ; \AVISplit.00405C30
00407145 |. 8845 E7 |mov [ebp-19], al
00407148 |. 0FB64D E7 |movzx ecx, byte ptr [ebp-19]
0040714C |. 034D F0 |add ecx, [ebp-10]
0040714F |. 894D F0 |mov [ebp-10], ecx
00407152 |.^ EB C9 \jmp short 0040711D \\累加結果193
00407154 |> 8B45 F0 mov eax, [ebp-10] \\帶符號數除法除oa
00407157 |. 99 cdq
00407158 |. B9 0A000000 mov ecx, 0A
0040715D |. F7F9 idiv ecx
0040715F |. 8855 F4 mov [ebp-C], dl \\dl=03
00407162 |. 6A 00 push 0 \\就下來就是讀取假碼
00407164 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407167 |. 83C1 74 add ecx, 74 ; |
0040716A |. E8 C1EAFFFF call 00405C30 ; \AVISplit.00405C30
0040716F |. 8845 FC mov [ebp-4], al
00407172 |. 6A 01 push 1 ; /Arg1 = 00000001
00407174 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407177 |. 83C1 74 add ecx, 74 ; |
0040717A |. E8 B1EAFFFF call 00405C30 ; \AVISplit.00405C30
0040717F |. 8845 FD mov [ebp-3], al
00407182 |. 6A 02 push 2 ; /Arg1 = 00000002
00407184 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407187 |. 83C1 74 add ecx, 74 ; |
0040718A |. E8 A1EAFFFF call 00405C30 ; \AVISplit.00405C30
0040718F |. 8845 F6 mov [ebp-A], al
00407192 |. 6A 03 push 3 ; /Arg1 = 00000003
00407194 |. 8B4D E0 mov ecx, [ebp-20] ; |
00407197 |. 83C1 74 add ecx, 74 ; |
0040719A |. E8 91EAFFFF call 00405C30 ; \AVISplit.00405C30
0040719F |. 8845 F5 mov [ebp-B], al
004071A2 |. 6A 04 push 4 ; /Arg1 = 00000004
004071A4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071A7 |. 83C1 74 add ecx, 74 ; |
004071AA |. E8 81EAFFFF call 00405C30 ; \AVISplit.00405C30
004071AF |. 8845 F9 mov [ebp-7], al
004071B2 |. 6A 05 push 5 ; /Arg1 = 00000005
004071B4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071B7 |. 83C1 74 add ecx, 74 ; |
004071BA |. E8 71EAFFFF call 00405C30 ; \AVISplit.00405C30
004071BF |. 8845 F7 mov [ebp-9], al
004071C2 |. 6A 06 push 6 ; /Arg1 = 00000006
004071C4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071C7 |. 83C1 74 add ecx, 74 ; |
004071CA |. E8 61EAFFFF call 00405C30 ; \AVISplit.00405C30
004071CF |. 8845 FE mov [ebp-2], al
004071D2 |. 6A 07 push 7 ; /Arg1 = 00000007
004071D4 |. 8B4D E0 mov ecx, [ebp-20] ; |
004071D7 |. 83C1 74 add ecx, 74 ; |
004071DA |. E8 51EAFFFF call 00405C30 ; \AVISplit.00405C30
004071DF |. 8845 FB mov [ebp-5], al
004071E2 |. 0FB655 EF movzx edx, byte ptr [ebp-11]
004071E6 |. 0FB645 FC movzx eax, byte ptr [ebp-4]
004071EA |. 83E8 30 sub eax, 30 ; \\判斷第一位註冊碼
004071ED |. 3BD0 cmp edx, eax
004071EF |. 75 3C jnz short 0040722D \\跳則死
004071F1 |. 0FB64D F8 movzx ecx, byte ptr [ebp-8] \\後面的判斷是一樣的，
004071F5 |. 0FB655 FD movzx edx, byte ptr [ebp-3] \\他只檢查前五位
004071F9 |. 83EA 30 sub edx, 30
004071FC |. 3BCA cmp ecx, edx
004071FE |. 75 2D jnz short 0040722D
00407200 |. 0FB645 FF movzx eax, byte ptr [ebp-1]
00407204 |. 0FB64D F6 movzx ecx, byte ptr [ebp-A]
00407208 |. 83E9 30 sub ecx, 30
0040720B |. 3BC1 cmp eax, ecx
0040720D |. 75 1E jnz short 0040722D
0040720F |. 0FB655 FA movzx edx, byte ptr [ebp-6]
00407213 |. 0FB645 F5 movzx eax, byte ptr [ebp-B]
00407217 |. 83E8 30 sub eax, 30
0040721A |. 3BD0 cmp edx, eax
0040721C |. 75 0F jnz short 0040722D \\到這裡前5位檢查結束
0040721E |. 0FB64D F4 movzx ecx, byte ptr [ebp-C]
00407222 |. 0FB655 F9 movzx edx, byte ptr [ebp-7]
00407226 |. 83EA 30 sub edx, 30
00407229 |. 3BCA cmp ecx, edx
0040722B |. 74 58 je short 00407285
0040722D |> 0FB645 FC movzx eax, byte ptr [ebp-4]
00407231 |. 83F8 39 cmp eax, 39
00407234 |. 0F85 A7000000 jnz 004072E1
0040723A |. 0FB64D FD movzx ecx, byte ptr [ebp-3]
0040723E |. 83F9 33 cmp ecx, 33
00407241 |. 0F85 9A000000 jnz 004072E1
00407247 |. 0FB655 F6 movzx edx, byte ptr [ebp-A]
0040724B |. 83FA 38 cmp edx, 38
0040724E |. 0F85 8D000000 jnz 004072E1
00407254 |. 0FB645 F5 movzx eax, byte ptr [ebp-B]
00407258 |. 83F8 38 cmp eax, 38
0040725B |. 0F85 80000000 jnz 004072E1
00407261 |. 0FB64D F9 movzx ecx, byte ptr [ebp-7]
00407265 |. 83F9 33 cmp ecx, 33
00407268 |. 75 77 jnz short 004072E1
0040726A |. 0FB655 F7 movzx edx, byte ptr [ebp-9]
0040726E |. 83FA 31 cmp edx, 31
00407271 |. 75 6E jnz short 004072E1
00407273 |. 0FB645 FE movzx eax, byte ptr [ebp-2]
00407277 |. 83F8 34 cmp eax, 34
0040727A |. 75 65 jnz short 004072E1
0040727C |. 0FB64D FB movzx ecx, byte ptr [ebp-5]
00407280 |. 83F9 36 cmp ecx, 36
00407283 |. 75 5C jnz short 004072E1
00407285 |> 6A 00 push 0
00407287 |. 6A 00 push 0
00407289 |. 68 A4E24200 push 0042E2A4 ; registration has succeeded!
0040728E |. E8 65F50100 call 004267F8
00407293 |. 8B4D E0 mov ecx, [ebp-20]
00407296 |. 83C1 70 add ecx, 70
00407299 |. E8 62F2FFFF call 00406500
0040729E |. 50 push eax
0040729F |. 68 C0E24200 push 0042E2C0 ; username
004072A4 |. 68 CCE24200 push 0042E2CC ; option
004072A9 |. E8 A2ECFFFF call 00405F50
004072AE |. 8BC8 mov ecx, eax ; |
004072B0 |. E8 7FF60100 call 00426934 ; \AVISplit.00426934
004072B5 |. 8B4D E0 mov ecx, [ebp-20]
004072B8 |. 83C1 74 add ecx, 74
004072BB |. E8 40F2FFFF call 00406500
004072C0 |. 50 push eax
004072C1 |. 68 D4E24200 push 0042E2D4 ; registration_code
004072C6 |. 68 E8E24200 push 0042E2E8 ; option
004072CB |. E8 80ECFFFF call 00405F50
004072D0 |. 8BC8 mov ecx, eax ; |
004072D2 |. E8 5DF60100 call 00426934 ; \AVISplit.00426934
004072D7 |. 8B4D E0 mov ecx, [ebp-20]
004072DA |. E8 7E830100 call 0041F65D
004072DF |. EB 0E jmp short 004072EF
004072E1 |> 6A 00 push 0
004072E3 |. 6A 00 push 0
004072E5 |. 68 F0E24200 push 0042E2F0 ; registration failed!

從上分析可以看出
這個算法很簡單，基本上沒有什麼難度
只是要求用戶名2位以上，註冊碼8位以上，然後
1.取前兩位註冊碼以abab形式排序，分別於53，41，56，49 or運算
2.將計算所得帶符號數除法除oa，的到餘數序列，假設位a
3.用戶名asc累加帶符號數除法除oa，的到餘數序列，假設位b
4.註冊碼就是a＋b＋三位以上任意註冊碼
最後得到我的註冊碼是
gg1211
93913888