Gif Movie Gear3.0.2 算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → Gif Movie Gear3.0.2 算法分析

Gif Movie Gear3.0.2 算法分析 时间：2004/10/15 0:52:00来源：本站整理作者：蓝点我要评论(0): 　

一个动画制作软件(Gif Movie Gear3.0.2的PJ)的PJ过程与注册码算法。献给初学者。
下载地址：http://www.skycn.com/download.php?id=2418&url=http://ln.skycn.net/down/gmvgr30.exe
此版本的注册与3.0相与有了较大的改进，再也不是3.0的明码比较了，它的注册码与你所所输入的用户名有密切联系，可以通过用户名反推出注册码，当然也可以通过注册码推出用户名。所以要想得出真正的注册码需费一番周折。
软件介绍：它是一个非常优秀的图片处理工具，是对动态gif压缩效果非常满意，是一个图片处理的小精灵。超级动画制作程序。
工具：TRW2000
1、首先运行movgear.exe，填入用户名和注册码。注意注册码的前四位必须为mg37原因你就看下文吧。（最好前五位是mg37s,当然也无所谓了，这是我的习惯。)
2、再运行TRW2000，设置中断　BPX HMEMCPY,
3、回到movgear.exe注册画面，按OK，TRW2000拦截成功后按F12按9次（如果我没记错的话）再按F10就可到达此处。代码比较多，有关注册码的算法我已经注明了，你仔细看下文吧。
:0043197C 6850040000 push 00000450
:00431981 56 push esi
:00431982 FFD7 call edi
:00431984 50 push eax
:00431985 FFD3 call ebx
:00431987 8D8424C4000000 lea eax, dword ptr [esp+000000C4]
:0043198E 8D4C2460 lea ecx, dword ptr [esp+60]
:00431992 50 push eax
:00431993 51 push ecx
:00431994 E8F7FBFFFF call 00431590此处的调用是计算你所输入的注册码的数值以及计算你的用户名的数字，然后进行二者比较。见B处
:00431999 83C408 add esp, 00000008
:0043199C 85C0 test eax, eax
:0043199E 0F84AD000000 je 00431A51失败就跳
下面是成功处。
:004319A4 8D542410 lea edx, dword ptr [esp+10]
:004319A8 8D44240C lea eax, dword ptr [esp+0C]
:004319AC 52 push edx
:004319AD 50 push eax
:004319AE 6A00 push 00000000
:004319B0 683F000F00 push 000F003F
:004319B5 6A00 push 00000000
:004319B7 6814ED4400 push 0044ED14
:004319BC 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Software\gamani\GIFMovieGear\2.0"
|
:004319BE 68F8B34400 push 0044B3F8
:004319C3 6801000080 push 80000001

* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
把你正确的用户名和注册码存入注册表中

:004319C8 FF150C804400 Call dword ptr [0044800C]

*******************************
B：
:00431590 53 push ebx
:00431591 55 push ebp
:00431592 8B6C2410 mov ebp, dword ptr [esp+10]你所输入的注册码
:00431596 56 push esi
:00431597 57 push edi
:00431598 807D006D cmp byte ptr [ebp+00], 6D
比较首字节是否为m
:0043159C 0F85A0000000 jne 00431642不等于就跳
:004315A2 807D0167 cmp byte ptr [ebp+01], 67
比较第二字节是否为g
:004315A6 0F8596000000 jne 00431642不等于就跳
:004315AC 807D0233 cmp byte ptr [ebp+02], 33
比较第三字节是否为3
:004315B0 0F858C000000 jne 00431642不等于就跳
:004315B6 807D0337 cmp byte ptr [ebp+03], 37
比较第四字节是否为7
:004315BA 0F8582000000 jne 00431642不等于就跳

* Possible Indirect StringData Ref from Data Obj ->"mvg21951736"
下面是比较字串是否为 mvg21951736 |
:004315C0 BBC4D44400 mov ebx, 0044D4C4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004315E6(C)
|
:004315C5 8B13 mov edx, dword ptr [ebx]
:004315C7 83C9FF or ecx, FFFFFFFF
:004315CA 8BFA mov edi, edx
:004315CC 33C0 xor eax, eax
:004315CE F2 repnz
:004315CF AE scasb
:004315D0 F7D1 not ecx
:004315D2 49 dec ecx
:004315D3 8BFA mov edi, edx
:004315D5 8BF5 mov esi, ebp
:004315D7 33C0 xor eax, eax
:004315D9 F3 repz
:004315DA A6 cmpsb
:004315DB 7465 je 00431642
:004315DD 83C304 add ebx, 00000004
:004315E0 81FBC8D44400 cmp ebx, 0044D4C8
:004315E6 7CDD jl 004315C5
:004315E8 807D0473 cmp byte ptr [ebp+04], 73
比较第五字节是否为s
:004315EC 7501 jne 004315EF不等于就跳
:004315EE 45 inc ebp如果等于ebp加1，也就是取你所输入的注册码第八位以后的字符，如果不等于就是取你所输入的注册码第七位以后的字符。
:004315EF 83C507 add ebp, 00000007
:004315F2 55 push ebp
:004315F3 E8D0DD0000 call 0043F3C8此处调用的作用是计算你所输入的注册码。见A处。
:004315F8 8B542418 mov edx, dword ptr [esp+18]你所输入的用户名。
:004315FC 83C404 add esp, 00000004
:004315FF 8BFA mov edi, edx
:00431601 33C9 xor ecx, ecx为零
:00431603 8A12 mov dl, byte ptr [edx]
:00431605 BEDF0B0000 mov esi, 00000BDF设ESI的初始值为BDF。
:0043160A 84D2 test dl, dl测试用户名是否为空
:0043160C 7426 je 00431634

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00431632(C)
|
:0043160E 0FBED2 movsx edx, dl取用户名的一个字节ASCII值给EDX
:00431611 41 inc ecx第几个字节
:00431612 0FAFD1 imul edx, ecx二者相乘。
:00431615 03F2 add esi, edx乘积的高位字与ESI相加
:00431617 81FEBE170000 cmp esi, 000017BE比较ESI是否大于17BE
:0043161D 7E06 jle 00431625低于或等于就跳
:0043161F 81EEBE170000 sub esi, 000017BE大于就减去17BE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043161D(C)
|
:00431625 83F90A cmp ecx, 0000000A比较循环数是否大于A
:00431628 7E02 jle 0043162C低于或等于就跳
:0043162A 33C9 xor ecx, ecx　ECX为零

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00431628(C)
|
:0043162C 8A5701 mov dl, byte ptr [edi+01]取用户名的一个字节。
:0043162F 47 inc edi
:00431630 84D2 test dl, dl比较用户名是否为空
:00431632 75DA jne 0043160E不等于就继续循环。
循环完毕比较计算出来的你所输入的注册码的数值以及用户名的数值。
:00431634 3BF0 cmp esi, eax
:00431636 750A jne 00431642二者不等于就跳
:00431638 5F pop edi
:00431639 5E pop esi
:0043163A 5D pop ebp
:0043163B B801000000 mov eax, 00000001如果相等就设置成功标志EAX＝1
:00431640 5B pop ebx
:00431641 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043159C(C), :004315A6(C), :004315B0(C), :004315BA(C), :004315DB(C)
|:00431636(C)
|
:00431642 5F pop edi
:00431643 5E pop esi
:00431644 5D pop ebp
:00431645 33C0 xor eax, eax如果不相等就设置失败标志EAX＝0
:00431647 5B pop ebx
:00431648 C3 ret
＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊
A：:0043F3C8 FF742404 push [esp+04]
:0043F3CC E86CFFFFFF call 0043F33D此处调用的作用是计算你所输入的注册码。见下文。
:0043F3D1 59 pop ecx
:0043F3D2 C3 ret
下文是计算你所输入的注册码。
:0043F33D 53 push ebx
:0043F33E 55 push ebp
:0043F33F 56 push esi
:0043F340 57 push edi
:0043F341 8B7C2414 mov edi, dword ptr [esp+14]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F371(U)
|
:0043F345 833D4CE2440001 cmp dword ptr [0044E24C], 00000001
:0043F34C 7E0F jle 0043F35D
:0043F34E 0FB607 movzx eax, byte ptr [edi]
:0043F351 6A08 push 00000008
:0043F353 50 push eax
:0043F354 E816230000 call 0044166F
:0043F359 59 pop ecx
:0043F35A 59 pop ecx
:0043F35B EB0F jmp 0043F36C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F34C(C)
|
:0043F35D 0FB607 movzx eax, byte ptr [edi]

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0043F360 8B0D40E04400 mov ecx, dword ptr [0044E040]
:0043F366 8A0441 mov al, byte ptr [ecx+2*eax]
:0043F369 83E008 and eax, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F35B(U)
|
:0043F36C 85C0 test eax, eax
:0043F36E 7403 je 0043F373
:0043F370 47 inc edi
:0043F371 EBD2 jmp 0043F345

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F36E(C)
|
:0043F373 0FB637 movzx esi, byte ptr [edi]
:0043F376 47 inc edi
:0043F377 83FE2D cmp esi, 0000002D
:0043F37A 8BEE mov ebp, esi
:0043F37C 7405 je 0043F383
:0043F37E 83FE2B cmp esi, 0000002B
:0043F381 7504 jne 0043F387
＊＊＊＊＊＊＊下面是重点。
:0043F383 0FB637 movzx esi, byte ptr [edi]
:0043F386 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F381(C)
|
:0043F387 33DB xor ebx, ebx设置EBX的初始值为零

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F3B8(U)
|
:0043F389 833D4CE2440001 cmp dword ptr [0044E24C], 00000001
:0043F390 7E0C jle 0043F39E
:0043F392 6A04 push 00000004
:0043F394 56 push esi
:0043F395 E8D5220000 call 0044166F
:0043F39A 59 pop ecx
:0043F39B 59 pop ecx
:0043F39C EB0B jmp 0043F3A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F390(C)
|

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0043F39E A140E04400 mov eax, dword ptr [0044E040]
:0043F3A3 8A0470 mov al, byte ptr [eax+2*esi]
:0043F3A6 83E004 and eax, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F39C(U)
|
:0043F3A9 85C0 test eax, eax测试是否循环完毕。
:0043F3AB 740D je 0043F3BA相等就跳出循环。
下面就是计算你所输入的注册码的数值。
:0043F3AD 8D049B lea eax, dword ptr [ebx+4*ebx]
eax=ebx+4*ebx
:0043F3B0 8D5C46D0 lea ebx, dword ptr [esi+2*eax-30]
ebx=esi+2*eax-30
:0043F3B4 0FB637 movzx esi, byte ptr [edi]取注册码的一个数值(ASCII值)给ESI。
:0043F3B7 47 inc edi加1
:0043F3B8 EBCF jmp 0043F389

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F3AB(C)
|
:0043F3BA 83FD2D cmp ebp, 0000002D
:0043F3BD 8BC3 mov eax, ebx把计算出的数值传给EAX。
:0043F3BF 7502 jne 0043F3C3
:0043F3C1 F7D8 neg eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F3BF(C)
|
:0043F3C3 5F pop edi
:0043F3C4 5E pop esi
:0043F3C5 5D pop ebp
:0043F3C6 5B pop ebx
:0043F3C7 C3 ret

＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊＊
总结：此软件的注册码的可以是12位。形式如下。mg37s***abcd也可以是mg37***abcd其中*处可以是任意字符，而abcd所计算的数值必须与用户名的数值相等。
如：
用户名：飞狐
注册码：mg37s1112630
飞狐的数值为A46而2630数值也为A46，二者相等，注册成功。

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法