
视频音频转换工具注册算法分析

来源:未知 作者:admin 时间:2010-12-26 22:27 浏览:

注册算法还是比较简单的。注册算法计算过程放在UTLib8***.dll中。注册函数名称为ImRegUserInfo::IsValidRegInfo_private

代码:
首先判断了注册码长度,为27h也就是39位

00476DF3         8D8D 78FFFFFF   lea     ecx, dword ptr [ebp-88]
00476DF9         FF15 44064D00   call    dword ptr [<&MFC71U.#2895_ATL>; GetLength,获取注册码长度
00476DFF         83F8 27         cmp     eax, 27                       ; 比较长度是否为27h位
00476E02         74 42           je      short 00476E46
00476E04         C785 1CFFFFFF 0>mov     dword ptr [ebp-E4], 0
代码:
然后取软件的信息

00476E9E         8B0D 182C4F00   mov     ecx, dword ptr [g_Pref]
00476EA4         E8 07D0FFFF     call    ImAppPref::GetAppInfo
00476EA9         83C0 38         add     eax, 38                //+38h,取00E161D0    UNICODE "Xilisoftvideotoaudioconverter5"

信息列表
00E16198    UNICODE "Xilisoft"
00E1619C    UNICODE "Xilisoft Corporation"
00E161A0    UNICODE "http://www.xilisoft.com.cn"
00E161A4    UNICODE "Software\Xilisoft"
00E161A8    UNICODE "Xilisoft Video to Audio Converter"
00E161AC    UNICODE "Video to Audio Converter"
00E161B0    UNICODE "x-video-to-audio-converter-standard"
00E161B4    UNICODE "Xilisoft Video to Audio Converter"
00E161B8    UNICODE "http://www.xilisoft.com.cn/video-to-audio-converter.html"
00E161BC    UNICODE "http://www.xilisoft.com.cn/video-to-audio-converter.html"
00E161C0    UNICODE "Software\Xilisoft\Video to Audio Converter"
00E161C4    UNICODE "Software\Xilisoft\Video to Audio Converter\RegInfo"
00E161C8    UNICODE "Software\Xilisoft\Video to Audio Converter\Affiliate"
00E161CC    UNICODE "Software\Xilisoft\Video to Audio Converter\Settings"
00E161D0    UNICODE "Xilisoftvideotoaudioconverter5"
00E161D4    UNICODE "support@xilisoft.com"
00E161D8    UNICODE "http://www.xilisoft.com.cn/support.html"
00E161DC    UNICODE "Copyright (C) 2008 Xilisoft Corporation, ImTOO Software Studio"
00E161E0    MFC71U.7C32EA74
00E161E4    UNICODE "Software\Classes\CLSID\{9F51E651-A668-485d-82C7-4408D6403A98}"
00E161E8    UNICODE "https://online.xilisoft.com/ols.soap.php"

这里取出来的信息为
"Xilisoftvideotoaudioconverter5"
代码:
00476F4F         C785 30FFFFFF 0>mov     dword ptr [ebp-D0], 0
00476F59         EB 0F           jmp     short 00476F6A
00476F5B         8B8D 30FFFFFF   mov     ecx, dword ptr [ebp-D0]
00476F61         83C1 01         add     ecx, 1
00476F64         898D 30FFFFFF   mov     dword ptr [ebp-D0], ecx
00476F6A         8D4D E0         lea     ecx, dword ptr [ebp-20]       ; "Xilisoftvideotoaudioconverter5"
00476F6D         FF15 7C034D00   call    dword ptr [<&MFC71U.#2896_ATL>; GetLength
00476F73         3985 30FFFFFF   cmp     dword ptr [ebp-D0], eax
00476F79         7D 6E           jge     short 00476FE9
00476F7B         8B95 30FFFFFF   mov     edx, dword ptr [ebp-D0]
00476F81         81E2 01000080   and     edx, 80000001
00476F87         79 05           jns     short 00476F8E
00476F89         4A              dec     edx
00476F8A         83CA FE         or      edx, FFFFFFFE
00476F8D         42              inc     edx
00476F8E         85D2            test    edx, edx
00476F90         75 52           jnz     short 00476FE4
00476F92         8B85 30FFFFFF   mov     eax, dword ptr [ebp-D0]
00476F98         50              push    eax
00476F99         8D4D E0         lea     ecx, dword ptr [ebp-20]
00476F9C         FF15 78034D00   call    dword ptr [<&MFC71U.#861_ATL:>; []
00476FA2         50              push    eax
00476FA3         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
00476FA9         FF15 74034D00   call    dword ptr [<&MFC71U.#904_ATL:>; +=
00476FAF         8B85 30FFFFFF   mov     eax, dword ptr [ebp-D0]
00476FB5         83C0 01         add     eax, 1
00476FB8         99              cdq
00476FB9         B9 FF000000     mov     ecx, 0FF
00476FBE         F7F9            idiv    ecx
00476FC0         8895 2FFFFFFF   mov     byte ptr [ebp-D1], dl
00476FC6         0FBE95 2FFFFFFF movsx   edx, byte ptr [ebp-D1]
00476FCD         85D2            test    edx, edx
00476FCF         74 13           je      short 00476FE4
00476FD1         8A85 2FFFFFFF   mov     al, byte ptr [ebp-D1]
00476FD7         50              push    eax
00476FD8         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
00476FDE         FF15 74034D00   call    dword ptr [<&MFC71U.#904_ATL:>; MFC71U.7C29B289
00476FE4       ^ E9 72FFFFFF     jmp     00476F5B

这段代码是取"Xilisoftvideotoaudioconverter5" 这个字符串的偶数位并且连接起来,中间插入了字符的序号。
执行完结果如下
01148D70  58 01 6C 03 73 05 66 07 76 09 64 0B 6F 0D 6F 0F  Xlsfv.do.o
01148D80  75 11 69 13 63 15 6E 17 65 19 74 1B 72 1D 00 01  uicnetr.
代码:
00476FE9         C785 30FFFFFF 0>mov     dword ptr [ebp-D0], 0
00476FF3         EB 0F           jmp     short 00477004
00476FF5         8B8D 30FFFFFF   mov     ecx, dword ptr [ebp-D0]
00476FFB         83C1 01         add     ecx, 1
00476FFE         898D 30FFFFFF   mov     dword ptr [ebp-D0], ecx
00477004         8D4D E0         lea     ecx, dword ptr [ebp-20]
00477007         FF15 7C034D00   call    dword ptr [<&MFC71U.#2896_ATL>; GetLength
0047700D         3985 30FFFFFF   cmp     dword ptr [ebp-D0], eax
00477013         7D 6E           jge     short 00477083
00477015         8B95 30FFFFFF   mov     edx, dword ptr [ebp-D0]
0047701B         81E2 01000080   and     edx, 80000001
00477021         79 05           jns     short 00477028
00477023         4A              dec     edx
00477024         83CA FE         or      edx, FFFFFFFE
00477027         42              inc     edx
00477028         85D2            test    edx, edx
0047702A         74 52           je      short 0047707E
0047702C         8B85 30FFFFFF   mov     eax, dword ptr [ebp-D0]
00477032         50              push    eax
00477033         8D4D E0         lea     ecx, dword ptr [ebp-20]
00477036         FF15 78034D00   call    dword ptr [<&MFC71U.#861_ATL:>; []
0047703C         50              push    eax
0047703D         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
00477043         FF15 74034D00   call    dword ptr [<&MFC71U.#904_ATL:>; +=
00477049         8B85 30FFFFFF   mov     eax, dword ptr [ebp-D0]
0047704F         83C0 01         add     eax, 1
00477052         99              cdq
00477053         B9 FF000000     mov     ecx, 0FF
00477058         F7F9            idiv    ecx
0047705A         8895 2EFFFFFF   mov     byte ptr [ebp-D2], dl
00477060         0FBE95 2EFFFFFF movsx   edx, byte ptr [ebp-D2]
00477067         85D2            test    edx, edx
00477069         74 13           je      short 0047707E
0047706B         8A85 2EFFFFFF   mov     al, byte ptr [ebp-D2]
00477071         50              push    eax
00477072         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
00477078         FF15 74034D00   call    dword ptr [<&MFC71U.#904_ATL:>; MFC71U.7C29B289
0047707E       ^ E9 72FFFFFF     jmp     00476FF5

这段代码处理的是奇数位,与上面那段类似。结果如下
01148D90  69 04 6F 06 74 08 69 0A 65 0C 74 0E 61 10 64 12  ioti.e.tad
01148DA0  6F 14 6F 16 76 18 72 1A 65 1C 35 1E              oovre5

这个处理结果放到上面那个结果下面,连接在一起
代码:
00477089         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
0047708F         FF15 70034D00   call    dword ptr [<&MFC71U.#781_ATL:>; MFC71U.7C29B0D9
00477095         8D4D D8         lea     ecx, dword ptr [ebp-28]
00477098         FF15 68054D00   call    dword ptr [<&MFC71U.#310_ATL:>; MFC71U.7C274E6D
0047709E         C645 FC 0A      mov     byte ptr [ebp-4], 0A
004770A2         8B95 7CFFFFFF   mov     edx, dword ptr [ebp-84]
004770A8         52              push    edx
004770A9         68 BC254D00     push    004D25BC                      ; ASCII "%d"
004770AE         8D45 D8         lea     eax, dword ptr [ebp-28]
004770B1         50              push    eax
004770B2         FF15 34034D00   call    dword ptr [<&MFC71U.#2313_ATL>; Format
004770B8         83C4 0C         add     esp, 0C
004770BB         8D4D D8         lea     ecx, dword ptr [ebp-28]
004770BE         FF15 5C054D00   call    dword ptr [<&MFC71U.#872_ATL:>; *
004770C4         50              push    eax
004770C5         6A 00           push    0
004770C7         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
004770CD         FF15 6C034D00   call    dword ptr [<&MFC71U.#3844_ATL>; Insert
004770D3         8D4D EC         lea     ecx, dword ptr [ebp-14]
004770D6         FF15 68054D00   call    dword ptr [<&MFC71U.#310_ATL:>; CString
004770DC         C645 FC 0B      mov     byte ptr [ebp-4], 0B
004770E0         8D4D F0         lea     ecx, dword ptr [ebp-10]
004770E3         FF15 68054D00   call    dword ptr [<&MFC71U.#310_ATL:>; CString
004770E9         C645 FC 0C      mov     byte ptr [ebp-4], 0C
004770ED         6A 00           push    0
004770EF         68 C0254D00     push    004D25C0                      ; ASCII "%d"
004770F4         8D4D EC         lea     ecx, dword ptr [ebp-14]
004770F7         51              push    ecx
004770F8         FF15 34034D00   call    dword ptr [<&MFC71U.#2313_ATL>; Format
004770FE         83C4 0C         add     esp, 0C
00477101         6A 00           push    0
00477103         68 C4254D00     push    004D25C4                      ; ASCII "%d"
00477108         8D55 F0         lea     edx, dword ptr [ebp-10]
0047710B         52              push    edx
0047710C         FF15 34034D00   call    dword ptr [<&MFC71U.#2313_ATL>; Format
00477112         83C4 0C         add     esp, 0C
00477112         83C4 0C         add     esp, 0C
00477115         8D45 F0         lea     eax, dword ptr [ebp-10]
00477118         50              push    eax
00477119         8D4D EC         lea     ecx, dword ptr [ebp-14]
0047711C         51              push    ecx
0047711D         8D95 14FFFFFF   lea     edx, dword ptr [ebp-EC]
00477123         52              push    edx
00477124         E8 B7330000     call    0047A4E0   
00477129         83C4 0C         add     esp, 0C
0047712C         8985 FCFEFFFF   mov     dword ptr [ebp-104], eax
00477132         8B85 FCFEFFFF   mov     eax, dword ptr [ebp-104]
00477138         8985 F8FEFFFF   mov     dword ptr [ebp-108], eax
0047713E         C645 FC 0D      mov     byte ptr [ebp-4], 0D
00477142         8B8D F8FEFFFF   mov     ecx, dword ptr [ebp-108]
00477148         51              push    ecx
00477149         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
0047714F         FF15 30034D00   call    dword ptr [<&MFC71U.#903_ATL:>; MFC71U.7C29B383

在上面结果前面插入'1',后面接上两个'0'
代码:
004771F0         8D55 84         lea     edx, dword ptr [ebp-7C]
004771F3         52              push    edx                           ; str2
004771F4         8D45 DC         lea     eax, dword ptr [ebp-24]
004771F7         50              push    eax                           ; str1
004771F8         8D8D 10FFFFFF   lea     ecx, dword ptr [ebp-F0]
004771FE         51              push    ecx                           ; pOutBuf
004771FF         E8 DC320000     call    0047A4E0                      ; 将两个字符串连接起来


0012F744  ASCII "ZXQMLZRLJBTTDMEGJUGJ"
0012F748  ASCII "Xilisoftvideotoaudioconverter5"

ZXQMLZRLJBTTDMEGJUGJ为输入的注册码的前20位,与Xilisoftvideotoaudioconverter5连接起来后字符串为
"ZXQMLZRLJBTTDMEGJUGJXilisoftvideotoaudioconverter5"

之后将这个字符串连接到前面形成的串上
01148EB0  31 58 01 6C 03 73 05 66 07 76 09 64 0B 6F 0D 6F  1Xlsfv.do.o
01148EC0  0F 75 11 69 13 63 15 6E 17 65 19 74 1B 72 1D 69  uicnetri
01148ED0  02 69 04 6F 06 74 08 69 0A 65 0C 74 0E 61 10 64  ioti.e.tad
01148EE0  12 6F 14 6F 16 76 18 72 1A 65 1C 35 1E 30 30 5A  oovre500Z
01148EF0  58 51 4D 4C 5A 52 4C 4A 42 54 54 44 4D 45 47 4A  XQMLZRLJBTTDMEGJ
01148F00  55 47 4A 58 69 6C 69 73 6F 66 74 76 69 64 65 6F  UGJXilisoftvideo
01148F10  74 6F 61 75 64 69 6F 63 6F 6E 76 65 72 74 65 72  toaudioconverter
01148F20  35 00                                            5.
代码:
接下来是一个函数,跟进去看到这里
; Initialisation routine at 004BD080. It takes one pointer argument ([ebp+8]),
; zeroes the two dwords at offsets +10h and +14h of the structure it points to,
; and stores four 32-bit constants at offsets +0, +4, +8 and +0Ch.
; The four constants are the initial chaining values A, B, C, D of MD5 (RFC 1321);
; MD4 uses the same four values, so this routine alone does not distinguish the two.
004BD080         55              push    ebp
004BD081         8BEC            mov     ebp, esp
004BD083         8B45 08         mov     eax, dword ptr [ebp+8]        ; eax = pointer to the context structure
004BD086         C740 14 0000000>mov     dword ptr [eax+14], 0         ; clear dword at +14h (presumably half of the length counter - confirm)
004BD08D         8B4D 08         mov     ecx, dword ptr [ebp+8]
004BD090         C741 10 0000000>mov     dword ptr [ecx+10], 0         ; clear dword at +10h (presumably the other half of the counter - confirm)
004BD097         8B55 08         mov     edx, dword ptr [ebp+8]
004BD09A         C702 01234567   mov     dword ptr [edx], 67452301     ; state word at +0  = 0x67452301
004BD0A0         8B45 08         mov     eax, dword ptr [ebp+8]
004BD0A3         C740 04 89ABCDE>mov     dword ptr [eax+4], EFCDAB89   ; state word at +4  = 0xEFCDAB89
004BD0AA         8B4D 08         mov     ecx, dword ptr [ebp+8]
004BD0AD         C741 08 FEDCBA9>mov     dword ptr [ecx+8], 98BADCFE   ; state word at +8  = 0x98BADCFE
004BD0B4         8B55 08         mov     edx, dword ptr [ebp+8]
004BD0B7         C742 0C 7654321>mov     dword ptr [edx+C], 10325476   ; state word at +0Ch = 0x10325476
004BD0BE         5D              pop     ebp
004BD0BF         C3              retn

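明眼的人一看就知道是MD5算法:这四个初始常量(67452301、EFCDAB89、98BADCFE、10325476)正是MD5的初始链接变量。需要注意的是,MD4使用同一组常量,SHA-1的前四个初始值也相同,所以仅凭初始化函数只能做初步判断,还要结合后面的压缩函数确认。
所以下面这段代码便是对上面的串取MD5了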
0047724C         50              push    eax
0047724D         8D4D 90         lea     ecx, dword ptr [ebp-70]
00477250         E8 CB570400     call    004BCA20                      ; 取MD5
00477255         C645 FC 12      mov     byte ptr [ebp-4], 12
00477259         8D4D 90         lea     ecx, dword ptr [ebp-70]
0047725C         E8 2F580400     call    004BCA90                      ; MD5?

MD5结果为(注:MD5摘要应为32个十六进制字符,下面只有28个,此处文本疑有缺失)
ff94d22f565336afadd4200a61ad
代码:
接下来这段代码是对MD5结果取偶数位并连接
0047737B         8B95 28FFFFFF   mov     edx, dword ptr [ebp-D8]
00477381         83C2 02         add     edx, 2
00477384         8995 28FFFFFF   mov     dword ptr [ebp-D8], edx
0047738A         83BD 28FFFFFF 2>cmp     dword ptr [ebp-D8], 20
00477391         7D 4E           jge     short 004773E1
00477393         8B85 28FFFFFF   mov     eax, dword ptr [ebp-D8]
00477399         50              push    eax
0047739A         8D4D E4         lea     ecx, dword ptr [ebp-1C]
0047739D         FF15 78034D00   call    dword ptr [<&MFC71U.#861_ATL:>; MFC71U.7C29986D
004773A3         50              push    eax
004773A4         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
004773AA         FF15 74034D00   call    dword ptr [<&MFC71U.#904_ATL:>; MFC71U.7C29B289
004773B0         8B85 28FFFFFF   mov     eax, dword ptr [ebp-D8]
004773B6         99              cdq
004773B7         2BC2            sub     eax, edx
004773B9         D1F8            sar     eax, 1
004773BB         83C0 01         add     eax, 1
004773BE         25 03000080     and     eax, 80000003
004773C3         79 05           jns     short 004773CA
004773C5         48              dec     eax
004773C6         83C8 FC         or      eax, FFFFFFFC
004773C9         40              inc     eax
004773CA         85C0            test    eax, eax
004773CC         75 11           jnz     short 004773DF
004773CE         68 D4254D00     push    004D25D4
004773D3         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
004773D9         FF15 50034D00   call    dword ptr [<&MFC71U.#907_ATL:>; MFC71U.7C29B867
004773DF       ^ EB 9A           jmp     short 0047737B

处理后结果
"03f9-d255-3aad-206a-"
代码:
后面这段代码是将注册码的前20位和这个md5处理的结果连接起来形成注册码
004773F5         FF15 7C034D00   call    dword ptr [<&MFC71U.#2896_ATL>; MFC71U.7C256550
004773FB         83E8 01         sub     eax, 1
004773FE         50              push    eax
004773FF         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
00477405         FF15 4C034D00   call    dword ptr [<&MFC71U.#1907_ATL>; MFC71U.7C299932
0047740B         8D4D D4         lea     ecx, dword ptr [ebp-2C]
0047740E         FF15 5C054D00   call    dword ptr [<&MFC71U.#872_ATL:>; MFC71U.7C268F59
00477414         50              push    eax
00477415         6A 00           push    0
00477417         8D8D 74FFFFFF   lea     ecx, dword ptr [ebp-8C]
0047741D         FF15 6C034D00   call    dword ptr [<&MFC71U.#3844_ATL>; Insert
00477423         8D4D E8         lea     ecx, dword ptr [ebp-18]
00477426         51              push    ecx


"ZXQMLZRLJBTTDMEGJUGJ03F9-D255-3AAD-206A"
到此注册码校验过程就结束了,非常之简单。整个校验只依赖程序内置的产品标识串和不带密钥的MD5,全部在本地完成,不包含任何只有厂商才掌握的秘密;从防护角度看,授权码应由厂商私钥签名、客户端只用内置公钥验证,或者改为服务器端激活校验。
写个简单的注册算法

代码:
/*
 * Sample program from the article: rebuilds the byte string that the analysed
 * check hashes and prints a 39-character string (20 + 19) in the layout the
 * check compares against.
 *
 * Review note (defensive): every input used here is either a constant stored
 * in the shipped binary or a value chosen by the user, and the digest is an
 * unkeyed MD5, so the scheme contains no secret held only by the vendor.
 * A licence format meant to resist this kind of analysis needs a vendor-held
 * private key (signature verified with an embedded public key) or
 * server-side activation.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    int i = 0;
    int j = 0;
    int n = 0;                      /* running length of the message in byBuf */
    char szVersion[] = "Xilisoftvideoconverterstandard5";  /* product identifier string fed into the hash */
    BYTE byBuf[500] = {0};          /* message buffer that is hashed below */
    char szSN[100] = {0};           /* output string: 20 random letters followed by the derived part */
    char szMD5[20] = {0};           /* receives the digest written by MD5Final */

    // Even indices: copy szVersion[i] and follow it with a byte holding i + 1.
    // Offset 0 of byBuf is left free for the prefix byte written further down.
    for (i = 0; i < strlen(szVersion); i += 2)
    {
        byBuf[1 + i] = szVersion[i];
        byBuf[2 + i] = i + 1;
    }

    // Odd indices: copy szVersion[j + 1] and follow it with a byte holding j + 2,
    // appended after the bytes written by the first loop.
    for (j = 0; j < strlen(szVersion) + 1; j += 2)
    {
        byBuf[1 + j + i] = szVersion[j + 1];
        byBuf[2 + j + i] = j + 2;
    }

    byBuf[0] = 0x31;                /* leading ASCII '1' */
    byBuf[i + j - 1] = 0x30;        /* two trailing ASCII '0' bytes */
    byBuf[i + j] = 0x30;
    n = i + j + 1;
   
    // First 20 characters of the output are random uppercase letters,
    // seeded from the tick count.
    srand(GetTickCount());
    for (i = 0; i < 20; i++)
    {
        szSN[i] = 'A' + rand() % 26;  // any characters would do; uppercase letters were chosen
    }

    // Append the 20-character prefix to the message.
    memcpy(byBuf + n, szSN, strlen(szSN));
    n += 20;
   
    // Append the product identifier string to the message.
    memcpy(byBuf + n, szVersion, strlen(szVersion));
    n += strlen(szVersion);

    // Hash the n message bytes; MD5_CTX / MD5Init / MD5Update / MD5Final are
    // declared outside this listing.
    MD5_CTX ctx;
    MD5Init(&ctx);
    MD5Update(&ctx, byBuf, n);
    MD5Final((BYTE *)szMD5, &ctx);

    char sztmp[10] = {0};           /* scratch buffer for one byte formatted as hex */
    char sztmp2[20] = {0};          /* dash-separated hex characters */
    // For each digest byte (loop bound comes from strlen(szMD5)), format it as
    // two uppercase hex digits and keep only the first one; a '-' is inserted
    // after every four kept characters.
    for (i = 0, j = 0; i < strlen(szMD5); i++, j++)
    {
        memset(sztmp, 0, sizeof(sztmp));
        sprintf(sztmp, "%02X", BYTE(szMD5[i]));
        sztmp2[j] = sztmp[0];
        if (j % 5 == 3)
        {
            j++;
            sztmp2[j] = '-';
        }
    }
    // Copy 19 characters (4-4-4-4 with three dashes) after the 20-character prefix.
    memcpy(szSN + 20, sztmp2, 19);
    printf("%s\n", szSN);
    system("pause");
    return 0;
}

