2003-12-18, 06:24 PM | #1
DVD to VCD AVI DivX Converter cracking notes
======================================
Version 3.1 (build 0043) 2003-12-13, Sunrix

Recently I wanted to make a DVD rip and found this software. After trying it I found it quite convenient, but the unregistered version can only rip 1/3, and a crack for it is nowhere to be found online. I have not cracked anything in a long time and am showing my age; today I take up the old trade again, partly to be self-sufficient and partly to stretch the old bones and not let myself sink. My skill has not improved, so this may read as a shallow post; forgive me.
--------------------------------------------------------------------
PEiD 0.9 report: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Unpacking directly with upx failed. After using LordPE to restore the UPX! signature and the section names UPX0 and UPX1, upx -d unpacked it successfully!

Checking the unpacked program with PEiD shows it was written in Borland C++.

0040BA30 CMP BYTE PTR [5F299C],1
0040BA37 JNZ SHORT 0040BAA2
0040BA39 MOV EAX,[69E9BC]
0040BA3E PUSH EAX
0040BA3F CALL <JMP.&KERNEL32.lstrlenA>
0040BA44 MOV EDX,EAX
0040BA46 ADD EDX,EDX
0040BA48 LEA EDX,[EDX+EDX*2]
0040BA4B CMP EDX,400
0040BA51 JB SHORT 0040BAA2
0040BA53 MOV ECX,[EBP-8]
0040BA56 PUSH ECX
0040BA57 PUSH EAX
0040BA58 MOV EAX,[69E9BC]
0040BA5D PUSH EAX
0040BA5E CALL 0040DA88
0040BA63 ADD ESP,0C
0040BA66 CMP AL,1
0040BA68 JNZ SHORT 0040BAA2
0040BA6A MOV EDX,[5F29A0]
0040BA70 LEA ECX,[EBP-18]
0040BA73 PUSH EDX
0040BA74 PUSH 005F2890
0040BA79 PUSH ECX
0040BA7A PUSH 80
0040BA7F MOV EAX,[EBP-8]
0040BA82 PUSH EAX
0040BA83 CALL 005EF174
0040BA88 ADD ESP,14
0040BA8B MOV EDX,[69E9B0]
0040BA91 PUSH EDX
0040BA92 MOV ECX,[EBP-14]
0040BA95 INC ECX
0040BA96 PUSH ECX
0040BA97 CALL <JMP.&KERNEL32.lstrcmpA>
0040BA9C TEST EAX,EAX
0040BA9E JNZ SHORT 0040BAA2
0040BAA0 MOV BL,1                        // set the registered flag

0040BB16 CMP BL,1                        // registered?
0040BB19 JNZ SHORT 0040BB50              // not registered, jump to show the nag screen
0040BB1B XOR EDX,EDX
0040BB1D MOV EAX,[EBP-60]
0040BB20 MOV EAX,[EAX+448]
0040BB26 CALL 0055C554
0040BB2B XOR EDX,EDX
0040BB2D MOV ECX,[EBP-60]
0040BB30 MOV EAX,[ECX+44C]
0040BB36 CALL 0055C554
0040BB3B XOR EDX,EDX
0040BB3D MOV ECX,[EBP-60]
0040BB40 MOV EAX,[ECX+450]
0040BB46 CALL 0055C554
0040BB4B JMP 0040BD32
// create the NagScreen form object
0040BB50 MOV ECX,[EBP-60]
0040BB53 MOV DL,1
0040BB55 MOV EAX,[5F5ED8]
0040BB5A CALL 00410650
// show the NagScreen
0040BB5F MOV ESI,EAX
0040BB61 MOV EAX,ESI
0040BB63 MOV EDX,[EAX]
0040BB65 CALL [EDX+E8]

Click event handler of the nag screen's Register button:

00410730 PUSH EBP
00410731 MOV EBP,ESP
00410733 ADD ESP,-68
00410736 PUSH EBX
00410737 PUSH ESI
00410738 PUSH EDI
00410739 MOV ESI,EAX
0041073B MOV EAX,005F5E28
00410740 CALL 005BF150
00410745 MOV WORD PTR [EBP-54],8
0041074B MOV EBX,400
00410750 PUSH 1
00410752 CALL 004028DC
00410757 MOV EDI,EAX
00410759 POP ECX
0041075A MOV [EBP-C],EDI
0041075D TEST EBX,EBX
0041075F MOV DWORD PTR [EDI],1
00410765 JG SHORT 00410772
00410767 XOR EAX,EAX
00410769 MOV [EBP-8],EAX
0041076C XOR EDX,EDX
0041076E MOV EBX,EDX
00410770 JMP SHORT 0041077C
00410772 PUSH EBX
00410773 CALL 004028F0
00410778 POP ECX
00410779 MOV [EBP-8],EAX
0041077C MOV [EBP-4],EBX
0041077F MOV EBX,400
00410784 INC DWORD PTR [EBP-48]
00410787 MOV WORD PTR [EBP-54],14
0041078D MOV WORD PTR [EBP-54],20
00410793 PUSH 1
00410795 CALL 004028DC
0041079A MOV EDI,EAX
0041079C POP ECX
0041079D MOV [EBP-18],EDI
004107A0 TEST EBX,EBX
004107A2 MOV DWORD PTR [EDI],1
004107A8 JG SHORT 004107B5
004107AA XOR EAX,EAX
004107AC MOV [EBP-14],EAX
004107AF XOR EDX,EDX
004107B1 MOV EBX,EDX
004107B3 JMP SHORT 004107BF
004107B5 PUSH EBX
004107B6 CALL 004028F0
004107BB POP ECX
004107BC MOV [EBP-14],EAX
004107BF MOV [EBP-10],EBX
004107C2 MOV ECX,ESI
004107C4 INC DWORD PTR [EBP-48]
004107C7 MOV DL,1
004107C9 MOV WORD PTR [EBP-54],14
004107CF MOV EAX,[5F58C0]                // TNPRegForm *
004107D4 CALL 004104D8                   // create the registration dialog form object
004107D9 MOV EBX,EAX
004107DB MOV EAX,EBX
004107DD MOV EDX,[EAX]
004107DF CALL [EDX+E8]                   // show the registration dialog form
// pressing Register returns EAX=1, pressing Cancel returns EAX=2
004107E5 DEC EAX
004107E6 JNZ 00410A20
// the Register button was pressed
// get the entered user name
004107EC MOV WORD PTR [EBP-54],2C
004107F2 XOR ECX,ECX
004107F4 MOV [EBP-1C],ECX
004107F7 LEA EDX,[EBP-1C]
004107FA INC DWORD PTR [EBP-48]
004107FD MOV EAX,[EBX+2F0]
00410803 CALL 0058B2B8                   // get the user name
00410808 CMP DWORD PTR [EBP-1C],0        // user name empty?
0041080C JE SHORT 00410813
0041080E MOV ECX,[EBP-1C]                // user name
00410811 JMP SHORT 00410818
00410813 MOV ECX,005F5CBC                // empty string
// copy the user name into a dynamically allocated buffer
00410818 PUSH ECX
00410819 MOV EAX,[EBP-8]
0041081C PUSH EAX
0041081D CALL <JMP.&KERNEL32.lstrcpyA>
00410822 DEC DWORD PTR [EBP-48]
00410825 LEA EAX,[EBP-1C]
00410828 MOV EDX,2
0041082D CALL 005CEA68
// get the entered registration code
00410832 MOV WORD PTR [EBP-54],38
00410838 XOR ECX,ECX
0041083A MOV [EBP-20],ECX
0041083D LEA EDX,[EBP-20]
00410840 INC DWORD PTR [EBP-48]
00410843 MOV EAX,[EBX+2F4]
00410849 CALL 0058B2B8                   // get the registration code
0041084E CMP DWORD PTR [EBP-20],0        // registration code empty?
00410852 JE SHORT 00410859
00410854 MOV ECX,[EBP-20]
00410857 JMP SHORT 0041085E
00410859 MOV ECX,005F5CBD                // empty string
// copy the registration code into a dynamically allocated buffer
0041085E PUSH ECX
0041085F MOV EAX,[EBP-14]
00410862 PUSH EAX
00410863 CALL <JMP.&KERNEL32.lstrcpyA>
00410868 DEC DWORD PTR [EBP-48]
0041086B LEA EAX,[EBP-20]
0041086E MOV EDX,2
00410873 CALL 005CEA68
// save the user name and registration code to the registry
// the registration code must satisfy certain conditions:
// 1. length of the registration code * 6 >= 1024
// 2. the characters of the registration code must come from a specific set
00410878 MOV ECX,[EBP-14]                // registration code
0041087B PUSH ECX
0041087C MOV EAX,[EBP-8]                 // user name
0041087F PUSH EAX
00410880 CALL 0040D5C0
00410885 ADD ESP,8
// read the user name and registration code from the registry and do a preliminary check
// returns AL=1 if reading and checking succeed, otherwise 0
00410888 PUSH 0069E9B8                   // [69E9B8+4] holds the registration code pointer
0041088D PUSH 0069E9AC                   // [69E9AC+4] holds the user name pointer
00410892 CALL 0040D65C
00410897 ADD ESP,8
0041089A MOV [5F299C],AL                 // this flag is very important!
0041089F MOV WORD PTR [EBP-54],44
004108A5 MOV EDI,400
004108AA PUSH 1
004108AC CALL 004028DC
004108B1 POP ECX
004108B2 MOV [EBP-2C],EAX
004108B5 MOV EAX,[EBP-2C]
004108B8 TEST EDI,EDI
004108BA MOV DWORD PTR [EAX],1
004108C0 JG SHORT 004108CD
004108C2 XOR EDX,EDX
004108C4 MOV [EBP-28],EDX
004108C7 XOR ECX,ECX
004108C9 MOV EDI,ECX
004108CB JMP SHORT 004108D7
004108CD PUSH EDI
004108CE CALL 004028F0
004108D3 POP ECX
004108D4 MOV [EBP-28],EAX
004108D7 MOV [EBP-24],EDI
004108DA INC DWORD PTR [EBP-48]
004108DD XOR EDI,EDI
004108DF MOV WORD PTR [EBP-54],50
004108E5 MOV WORD PTR [EBP-54],5C
004108EB PUSH 1
004108ED CALL 004028DC
004108F2 POP ECX
004108F3 MOV [EBP-38],EAX
004108F6 MOV EAX,[EBP-38]
004108F9 TEST EDI,EDI
004108FB MOV DWORD PTR [EAX],1
00410901 JG SHORT 0041090E
00410903 XOR EDX,EDX
00410905 MOV [EBP-34],EDX
00410908 XOR ECX,ECX
0041090A MOV EDI,ECX
0041090C JMP SHORT 00410918
0041090E PUSH EDI
0041090F CALL 004028F0
00410914 POP ECX
00410915 MOV [EBP-34],EAX
00410918 MOV [EBP-30],EDI
0041091B INC DWORD PTR [EBP-48]
0041091E MOV WORD PTR [EBP-54],50
00410924 MOV BYTE PTR [EBP-65],0
00410928 CMP BYTE PTR [5F299C],1
0041092F JNZ SHORT 0041099C
00410931 MOV EAX,[69E9BC]                // registration code
00410936 PUSH EAX
00410937 CALL <JMP.&KERNEL32.lstrlenA>
0041093C MOV EDX,EAX
0041093E ADD EDX,EDX
00410940 LEA EDX,[EDX+EDX*2]
// registration code length * 6 must be >= 1024
00410943 CMP EDX,400
00410949 JB SHORT 0041099C
0041094B MOV ECX,[EBP-28]
0041094E PUSH ECX
0041094F PUSH EAX
00410950 MOV EAX,[69E9BC]                // registration code
00410955 PUSH EAX
00410956 CALL 0040DA88
0041095B ADD ESP,0C
0041095E CMP AL,1
00410960 JNZ SHORT 0041099C
00410962 MOV EDX,[5F29A0]
00410968 LEA ECX,[EBP-38]
0041096B PUSH EDX
0041096C PUSH 005F2890
00410971 PUSH ECX
00410972 PUSH 80
00410977 MOV EAX,[EBP-28]
0041097A PUSH EAX
0041097B CALL 005EF174
00410980 ADD ESP,14
// this algorithm is tricky: it derives the user name back from the registration code
00410983 MOV EDX,[69E9B0]                // user name
00410989 PUSH EDX
0041098A MOV ECX,[EBP-34]                // user name derived from the registration code
0041098D INC ECX
0041098E PUSH ECX
0041098F CALL <JMP.&KERNEL32.lstrcmpA>   // compare
00410994 TEST EAX,EAX
00410996 JNZ SHORT 0041099C
00410998 MOV BYTE PTR [EBP-65],1

If not registered, then when conversion starts the program prompts: "Trial version can only rip 1/3..."

// compute the total length to rip
004072CB PUSH DWORD PTR [EBX+65C]
004072D1 PUSH DWORD PTR [EBX+658]
004072D7 PUSH EBX
004072D8 CALL 00401C6C
004072DD ADD ESP,0C
004072E0 MOV [EBP-88],EAX

00407379 CMP BYTE PTR [5F299C],1
00407380 JNZ SHORT 004073EC
00407382 MOV ECX,[69E9BC]
00407388 PUSH ECX
00407389 CALL <JMP.&KERNEL32.lstrlenA>
0040738E MOV EDX,EAX
00407390 ADD EDX,EDX
00407392 LEA EDX,[EDX+EDX*2]
00407395 CMP EDX,400
0040739B JB SHORT 004073EC
0040739D MOV ECX,[EBP-14]
004073A0 PUSH ECX
004073A1 PUSH EAX
004073A2 MOV EAX,[69E9BC]
004073A7 PUSH EAX
004073A8 CALL 0040DA88
004073AD ADD ESP,0C
004073B0 CMP AL,1
004073B2 JNZ SHORT 004073EC
004073B4 MOV EAX,[5F29A0]
004073B9 LEA EDX,[EBP-24]
004073BC PUSH EAX
004073BD PUSH 005F2890
004073C2 PUSH EDX
004073C3 PUSH 80
004073C8 MOV ECX,[EBP-14]
004073CB PUSH ECX
004073CC CALL 005EF174
004073D1 ADD ESP,14
004073D4 MOV EAX,[69E9B0]
004073D9 PUSH EAX
004073DA MOV EDX,[EBP-20]
004073DD INC EDX
004073DE PUSH EDX
004073DF CALL <JMP.&KERNEL32.lstrcmpA>
004073E4 TEST EAX,EAX
004073E6 JNZ SHORT 004073EC
004073E8 MOV BYTE PTR [EBP-7D],1         // set the registered flag

00407460 CMP BYTE PTR [EBP-7D],0         // registered?
00407464 JNZ 004075FB                    // registered, jump
0040746A MOV WORD PTR [EBP-50],68
00407470 MOV ESI,400
00407475 PUSH 1
00407477 CALL 004028DC
0040747C MOV EDI,EAX
0040747E POP ECX
0040747F MOV [EBP-30],EDI
00407482 TEST ESI,ESI
00407484 MOV DWORD PTR [EDI],1
0040748A JG SHORT 00407497
0040748C XOR EAX,EAX
0040748E MOV [EBP-2C],EAX
00407491 XOR EDX,EDX
00407493 MOV ESI,EDX
00407495 JMP SHORT 004074A1
00407497 PUSH ESI
00407498 CALL 004028F0
0040749D POP ECX
0040749E MOV [EBP-2C],EAX
004074A1 MOV [EBP-28],ESI
004074A4 MOV EAX,EBX
004074A6 INC DWORD PTR [EBP-44]
004074A9 MOV WORD PTR [EBP-50],74
004074AF PUSH 0
004074B1 PUSH 0
004074B3 PUSH 501
004074B8 CALL 00591994
004074BD PUSH EAX
004074BE CALL <JMP.&USER32.PostMessageA>
// compute the length that can be ripped
004074C3 FLD TBYTE PTR [407B28]          // 10-byte (80-bit) float: 0.333333.. (1/3)
004074C9 FMUL QWORD PTR [EBX+658]
004074CF ADD ESP,-8
004074D2 FSTP QWORD PTR [ESP]
004074D5 PUSH EBX
004074D6 CALL 00401C6C
004074DB ADD ESP,0C
004074DE MOV ESI,EAX
004074E0 MOV EAX,[EBP-88]                // total length
004074E6 PUSH EAX
004074E7 PUSH ESI                        // length that can be ripped
004074E8 PUSH 005F121F                   ; ASCII "Trial version can only rip 1/3 of entire DVD movie length. %d(you can rip)/%d(the length that you want to rip) do you want to continue rip it?"
004074ED MOV EDX,[EBP-2C]
004074F0 PUSH EDX
004074F1 CALL <JMP.&USER32.wsprintfA>
004074F6 ADD ESP,10
004074F9 MOV [EBP-88],ESI                // total length is set to the rippable length!!!
004074FF PUSH 1
00407501 PUSH 005F12AE                   ; ASCII "warning"
00407506 MOV ECX,[EBP-2C]
00407509 PUSH ECX
0040750A MOV EAX,EBX
0040750C CALL 00591994
00407511 PUSH EAX
00407512 CALL <JMP.&USER32.MessageBoxA>  // show the message box
00407517 CMP EAX,2
0040751A JNZ 004075BE
------------------------------------------------------------------------------
I am a lazy person; the registration algorithm is left for the experts to solve. Patching is easier.

Patch:

1. Modify function 0040D5C0 so that the information entered in the registration dialog is saved to the registry.

0040D5DC 84C0    TEST AL,AL
0040D5DE 75 04   JNZ SHORT 0040D5E4      --> change to EB 04 JMP 40D5E4
0040D5E0 33C0    XOR EAX,EAX
0040D5E2 EB 73   JMP SHORT 0040D657

2. Modify function 0040D65C, which reads the user name and registration code from the registry and does the preliminary check.

0040D8F8 8BC3    MOV EAX,EBX             --> change to B0 01 MOV AL,1 (return AL=1)

3. Modify the registration check code; there are several places in the program:

A.
0040739B 72 4F   JB SHORT 004073EC       --> NOP NOP (skip the registration code length check)
004073E6 75 04   JNZ SHORT 004073EC      --> NOP NOP

B.
004081CE 72 5B   JB SHORT 0040822B       --> NOP NOP (skip the registration code length check)
00408222 75 07   JNZ SHORT 0040822B      --> NOP NOP

C.
0040BA51 72 4F   JB SHORT 0040BAA2       --> NOP NOP (skip the registration code length check)
0040BA9E 75 02   JNZ SHORT 0040BAA2      --> NOP NOP

D.
0040BC38 72 4F   JB SHORT 0040BC89       --> NOP NOP (skip the registration code length check)
0040BC85 75 02   JNZ SHORT 0040BC89      --> NOP NOP

E.
0040DDAA 72 51   JB SHORT 0040DDFD       --> NOP NOP (skip the registration code length check)
0040DDF7 75 04   JNZ SHORT 0040DDFD      --> NOP NOP

F.
004102DF 72 4F   JB SHORT 00410330       --> NOP NOP (skip the registration code length check)
0041032C 75 02   JNZ SHORT 00410330      --> NOP NOP

G.
00410949 72 51   JB SHORT 0041099C       --> NOP NOP (skip the registration code length check)
00410996 75 04   JNZ SHORT 0041099C      --> NOP NOP