下载地址:http://www.onlinedown.net/gifmoviegear.htm
-----------------------------------------------------------------------
破解工具:OLLYDBG V1.07
TC2.0
破解者:青锋剑客
破解目的:加入DFCG,找注册码,算法简单分析,作出相应注册机。
破解过程:
一、ollydbg1.07载入“movgear.exe”,按F9键运行,点"help"-->"Register Now...",name填入shifeng
Code填入87654321,填好后按“OK”,弹出错误"The information you have provided is invalid. Please be sure that you typed it exactly as it was given to you.",此时不要点确定,看下一步。
二、回到ollydbg窗口,在左上角CPU点右键-->search for-->All referenced text strings,打开了Text strings referenced in MOVGEAR:.text, 按Page Up键查找"The information you have provided is invalid. Please be sure that you typed it exactly as it was given to you."有两行,双击任一个,
会来到这里:
0040EE60 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
0040EE64 |. 8B0D 68854600 MOV ECX,DWORD PTR DS:[468568] ; MOVGEAR.00400000
0040EE6A |. 68 00020000 PUSH 200 ; /Count = 200 (512.)
0040EE6F |. 68 40834600 PUSH MOVGEAR.00468340 ; |Buffer = MOVGEAR.00468340
0040EE74 |. 50 PUSH EAX ; |RsrcID
0040EE75 |. 51 PUSH ECX ; |hInst => 00400000
0040EE76 |. FF15 64844400 CALL DWORD PTR DS:[<&USER32.LoadStringA>>; \LoadStringA
0040EE7C |. 85C0 TEST EAX,EAX
0040EE7E |. 74 0D JE SHORT MOVGEAR.0040EE8D
0040EE80 |. 3D 00020000 CMP EAX,200
0040EE85 |. 7D 06 JGE SHORT MOVGEAR.0040EE8D
0040EE87 |. B8 40834600 MOV EAX,MOVGEAR.00468340 ; ASCII "The information you have provided is invalid. Please be sure that you typed it exactly as it was given to you."
0040EE8C |. C3 RETN
0040EE8D |> 33C0 XOR EAX,EAX
0040EE8F \. C3 RETN
三、在0040EE60行按F2下断点,重新运行,中断到此处,此时在右下方的堆栈区会看到
006BF224 0040EECC RETURN to MOVGEAR.0040EECC from MOVGEAR.0040EE60
四、看一下0040EECC行上下代码如下:
0040EE90 /$ 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
0040EE94 |. 8B15 68854600 MOV EDX,DWORD PTR DS:[468568] ; MOVGEAR.00400000
0040EE9A |. 81EC 00010000 SUB ESP,100
0040EEA0 |. 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
0040EEA4 |. 68 FF000000 PUSH 0FF ; /Count = FF (255.)
0040EEA9 |. 50 PUSH EAX ; |Buffer
0040EEAA |. 51 PUSH ECX ; |RsrcID
0040EEAB |. 52 PUSH EDX ; |hInst => 00400000
0040EEAC |. FF15 64844400 CALL DWORD PTR DS:[<&USER32.LoadStringA>>; \LoadStringA
0040EEB2 |. 8B8424 1001000>MOV EAX,DWORD PTR SS:[ESP+110]
0040EEB9 |. 8B9424 0801000>MOV EDX,DWORD PTR SS:[ESP+108]
0040EEC0 |. 8D4C24 00 LEA ECX,DWORD PTR SS:[ESP]
0040EEC4 |. 50 PUSH EAX
0040EEC5 |. 51 PUSH ECX
0040EEC6 |. 52 PUSH EDX
0040EEC7 |. E8 94FFFFFF CALL MOVGEAR.0040EE60
0040EECC |. 83C4 04 ADD ESP,4
0040EECF |. 50 PUSH EAX ; |Text
0040EED0 |. 8B8424 1001000>MOV EAX,DWORD PTR SS:[ESP+110] ; |
0040EED7 |. 50 PUSH EAX ; |hOwner
0040EED8 |. FF15 68844400 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0040EEDE |. 81C4 00010000 ADD ESP,100
0040EEE4 \. C3 RETN
清除0040EE60处的断点,在0040EE90行按F2下断点,重新运行,中断后在右下方的堆栈区会看到:
006BF334 00431A63 RETURN to MOVGEAR.00431A63 from MOVGEAR.0040EE90
五、如上清除0040EE90处的断点,看00431A63行上下代码:
00431A51 > 6A 30 PUSH 30
00431A53 . 68 159D0000 PUSH 9D15
00431A58 . 68 149D0000 PUSH 9D14
00431A5D . 56 PUSH ESI
00431A5E . E8 2DD4FDFF CALL MOVGEAR.0040EE90
00431A63 . 83C4 10 ADD ESP,10
00431A66 . 68 4F040000 PUSH 44F
00431A6B . 56 PUSH ESI
00431A6C . FFD7 CALL EDI
00431A6E . 50 PUSH EAX ; /hWnd
00431A6F . FF15 B4834400 CALL DWORD PTR DS:[<&USER32.SetFocus>] ; \SetFocus
00431A75 > 5F POP EDI ; Default case of switch
00431A76 . 5E POP ESI
00431A77 . 33C0 XOR EAX,EAX
00431A79 . 5B POP EBX
00431A7A . 81C4 1C010000 ADD ESP,11C
00431A80 . C2 1000 RETN 10
六、注意00431A51右面的>,向上看是哪里跳到这里。
0043194D > 8BB424 2C01000>MOV ESI,DWORD PTR SS:[ESP+12C] ; Case 1 of switch 00431925
00431954 . 8B3D 7C844400 MOV EDI,DWORD PTR DS:[<&USER32.GetDlgIte>
0043195A . 8D4C24 60 LEA ECX,DWORD PTR SS:[ESP+60]
0043195E . 6A 64 PUSH 64 ; /Count = 64 (100.)
00431960 . 51 PUSH ECX ; |Buffer
00431961 . 68 4F040000 PUSH 44F ; |/ControlID = 44F (1103.)
00431966 . 56 PUSH ESI ; ||hWnd
00431967 . FFD7 CALL EDI ; |\GetDlgItem
00431969 . 8B1D 48834400 MOV EBX,DWORD PTR DS:[<&USER32.GetWindow>; |
0043196F . 50 PUSH EAX ; |hWnd
00431970 . FFD3 CALL EBX ; \GetWindowTextA
00431972 . 8D9424 C400000>LEA EDX,DWORD PTR SS:[ESP+C4]
00431979 . 6A 64 PUSH 64 ; /Count = 64 (100.)
0043197B . 52 PUSH EDX ; |Buffer
0043197C . 68 50040000 PUSH 450 ; |/ControlID = 450 (1104.)
00431981 . 56 PUSH ESI ; ||hWnd
00431982 . FFD7 CALL EDI ; |\GetDlgItem
00431984 . 50 PUSH EAX ; |hWnd
00431985 . FFD3 CALL EBX ; \GetWindowTextA
00431987 . 8D8424 C400000>LEA EAX,DWORD PTR SS:[ESP+C4]
0043198E . 8D4C24 60 LEA ECX,DWORD PTR SS:[ESP+60]
00431992 . 50 PUSH EAX
00431993 . 51 PUSH ECX
00431994 . E8 F7FBFFFF CALL MOVGEAR.00431590 当然怀疑这里有问题了。计算注册码并比较
00431999 . 83C4 08 ADD ESP,8
0043199C . 85C0 TEST EAX,EAX
0043199E . 0F84 AD000000 JE MOVGEAR.00431A51 就是在这里跳到上面所说的,跳则死
004319A4 . 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
004319A8 . 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
004319AC . 52 PUSH EDX ; /pDisposition
004319AD . 50 PUSH EAX ; |pHandle
004319AE . 6A 00 PUSH 0 ; |pSecurity = NULL
004319B0 . 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004319B5 . 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
004319B7 . 68 14ED4400 PUSH MOVGEAR.0044ED14 ; |Class = ""
004319BC . 6A 00 PUSH 0 ; |Reserved = 0
004319BE . 68 F8B34400 PUSH MOVGEAR.0044B3F8 ; |Subkey = "Software\gamani\GIFMovieGear\2.0"
004319C3 . 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
004319C8 . FF15 0C804400 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
004319CE . 8D7C24 60 LEA EDI,DWORD PTR SS:[ESP+60]
004319D2 . 83C9 FF OR ECX,FFFFFFFF
004319D5 . 33C0 XOR EAX,EAX
004319D7 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
004319DB . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004319DD . F7D1 NOT ECX
004319DF . 8B1D 18804400 MOV EBX,DWORD PTR DS:[<&ADVAPI32.RegSetV>
004319E5 . 51 PUSH ECX ; /BufSize
004319E6 . 8D4C24 64 LEA ECX,DWORD PTR SS:[ESP+64] ; |
004319EA . 51 PUSH ECX ; |Buffer
004319EB . 6A 01 PUSH 1 ; |valueType = REG_SZ
004319ED . 50 PUSH EAX ; |Reserved => 0
004319EE . 68 98D44400 PUSH MOVGEAR.0044D498 ; |valueName = "RegName3"
004319F3 . 52 PUSH EDX ; |hKey
004319F4 . FFD3 CALL EBX ; \RegSetvalueExA
004319F6 . 8DBC24 C400000>LEA EDI,DWORD PTR SS:[ESP+C4]
004319FD . 83C9 FF OR ECX,FFFFFFFF
00431A00 . 33C0 XOR EAX,EAX
00431A02 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00431A04 . F7D1 NOT ECX
00431A06 . 8D8424 C400000>LEA EAX,DWORD PTR SS:[ESP+C4]
00431A0D . 51 PUSH ECX ; /BufSize
00431A0E . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] ; |
00431A12 . 50 PUSH EAX ; |Buffer
00431A13 . 6A 01 PUSH 1 ; |valueType = REG_SZ
00431A15 . 6A 00 PUSH 0 ; |Reserved = 0
00431A17 . 68 A4D44400 PUSH MOVGEAR.0044D4A4 ; |valueName = "RegCode3"
00431A1C . 51 PUSH ECX ; |hKey
00431A1D . FFD3 CALL EBX ; \RegSetvalueExA
00431A1F . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
00431A23 . 52 PUSH EDX ; /hKey
00431A24 . FF15 00804400 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00431A2A . 68 B0D44400 PUSH MOVGEAR.0044D4B0 ; /Subkey = "Software\Loani\MG3t"
00431A2F . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00431A34 . FF15 14804400 CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA
00431A3A . 6A 01 PUSH 1 ; /Result = 1
00431A3C . 56 PUSH ESI ; |hWnd
00431A3D . FF15 44834400 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00431A43 . 5F POP EDI
00431A44 . 5E POP ESI
00431A45 . 33C0 XOR EAX,EAX
00431A47 . 5B POP EBX
00431A48 . 81C4 1C010000 ADD ESP,11C
00431A4E . C2 1000 RETN 10
七、在00431994处按F2下断点,重新来过后F7跟入,来到这里:
00431590 /$ 53 PUSH EBX
00431591 |. 55 PUSH EBP
00431592 |. 8B6C24 10 MOV EBP,DWORD PTR SS:[ESP+10]
00431596 |. 56 PUSH ESI
00431597 |. 57 PUSH EDI
00431598 |. 807D 00 6D CMP BYTE PTR SS:[EBP],6D
0043159C |. 0F85 A0000000 JNZ MOVGEAR.00431642
004315A2 |. 807D 01 67 CMP BYTE PTR SS:[EBP+1],67
004315A6 |. 0F85 96000000 JNZ MOVGEAR.00431642 跳则死
004315AC |. 807D 02 33 CMP BYTE PTR SS:[EBP+2],33
004315B0 |. 0F85 8C000000 JNZ MOVGEAR.00431642
004315B6 |. 807D 03 37 CMP BYTE PTR SS:[EBP+3],37 开头四个字符一定要是"mg37"
004315BA |. 0F85 82000000 JNZ MOVGEAR.00431642
004315C0 |. BB C4D44400 MOV EBX,MOVGEAR.0044D4C4
004315C5 |> 8B13 /MOV EDX,DWORD PTR DS:[EBX]
004315C7 |. 83C9 FF |OR ECX,FFFFFFFF
004315CA |. 8BFA |MOV EDI,EDX
004315CC |. 33C0 |XOR EAX,EAX
004315CE |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI]
004315D0 |. F7D1 |NOT ECX
004315D2 |. 49 |DEC ECX 计算"mvg21951736"的长度
004315D3 |. 8BFA |MOV EDI,EDX
004315D5 |. 8BF5 |MOV ESI,EBP
004315D7 |. 33C0 |XOR EAX,EAX
004315D9 |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS> 输入的注册号与"mvg21951736"比较
004315DB |. 74 65 |JE SHORT MOVGEAR.00431642 相等则死。我认为肯定不相等,相等的话根本到不这里来,会在前面跳走,这也是我不明白的地方,请各位老师指点。
004315DD |. 83C3 04 |ADD EBX,4
004315E0 |. 81FB C8D44400 |CMP EBX,MOVGEAR.0044D4C8 ; ASCII "mvg21951736"
004315E6 |.^7C DD \JL SHORT MOVGEAR.004315C5
004315E8 |. 807D 04 73 CMP BYTE PTR SS:[EBP+4],73 输入注册号第5位是否是S
004315EC |. 75 01 JNZ SHORT MOVGEAR.004315EF 不是s则跳过第5、6、7位,从第8位开始
004315EE |. 45 INC EBP是S则从第9位开始,注册成功后则为site license
004315EF |> 83C5 07 ADD EBP,7
004315F2 |. 55 PUSH EBP
004315F3 |. E8 D0DD0000 CALL MOVGEAR.0043F3C8 从第8位或第9位开始的ASCII码转到16进制数
004315F8 |. 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
004315FC |. 83C4 04 ADD ESP,4
004315FF |. 8BFA MOV EDI,EDX
00431601 |. 33C9 XOR ECX,ECX
00431603 |. 8A12 MOV DL,BYTE PTR DS:[EDX]
00431605 |. BE DF0B0000 MOV ESI,0BDF 赋初值,后面会用到
0043160A |. 84D2 TEST DL,DL
0043160C |. 74 26 JE SHORT MOVGEAR.00431634 跳则做最后比较
0043160E |> 0FBED2 /MOVSX EDX,DL 计算正确注册号后面几位
00431611 |. 41 |INC ECX 计数器N加1
00431612 |. 0FAFD1 |IMUL EDX,ECX 用户名第N个字符与计数值相乘
00431615 |. 03F2 |ADD ESI,EDX 加上一次运算结果,初值为0BDF
00431617 |. 81FE BE170000 |CMP ESI,17BE
0043161D |. 7E 06 |JLE SHORT MOVGEAR.00431625
0043161F |. 81EE BE170000 |SUB ESI,17BE 结果大于17BE则减去此值
00431625 |> 83F9 0A |CMP ECX,0A 用户名字符数大于0A则ECX清零(即用户名10个字符为1组)
00431628 |. 7E 02 |JLE SHORT MOVGEAR.0043162C
0043162A |. 33C9 |XOR ECX,ECX
0043162C |> 8A57 01 |MOV DL,BYTE PTR DS:[EDI+1] 指向下一个数
0043162F |. 47 |INC EDI
00431630 |. 84D2 |TEST DL,DL
00431632 |.^75 DA \JNZ SHORT MOVGEAR.0043160E
00431634 |> 3BF0 CMP ESI,EAX 此比较是关键的关键
00431636 |. 75 0A JNZ SHORT MOVGEAR.00431642 跳则死
00431638 |. 5F POP EDI
00431639 |. 5E POP ESI
0043163A |. 5D POP EBP
0043163B |. B8 01000000 MOV EAX,1 到这里使EAX为1,返回后表示注册正确
00431640 |. 5B POP EBX
00431641 |. C3 RETN
00431642 |> 5F POP EDI
00431643 |. 5E POP ESI
00431644 |. 5D POP EBP
00431645 |. 33C0 XOR EAX,EAX 这是关键,一定不要到这来
00431647 |. 5B POP EBX
00431648 \. C3 RETN
八、模拟运算过程:
BDF+73*1+68*2+69*3+66*4+65*5+6E*6+67*7=1753
注:上述运算每一步均不大于17BE
1753转换成10进制数为5971
综合起来用户名shifeng注册码mg37***5971或mg37s***5971
十、注册信息在 相关视频
相关阅读
Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
热门文章
最新文章
人气排行
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
九、TC注册机,没考虑用户名大于10个字符。感谢我的C语言教员。
#include
#include
#include
#include
#include
void main(void)
{
char * name="";
int i,randnum;
unsigned int value,len;
clrscr();
printf("\n**********************************************************\n");
printf("Gif Movie Gear V3.0.2 Registration Code Generator\n");
printf("Author: shifeng ( 2002/09/08 )\n");
printf("**********************************************************\n\n");
printf("Input Your Name : ");
scanf("%s",name);
printf("\n");
value=0x0BDF;
for(i=0;i
if(value>=0x17BE) value=value-0x17BE;
}
randomize();
randnum=random(1000);
printf("Registration Code for single user: ");
printf("mg37%d%d\n",randnum,(int)value);
printf("Registration Code for site license: ");
printf("mg37s%d%d\n",randnum,(int)value);
getch();
}
HKEY_CURRENT_USER\Software\gamani\GIFMovieGear\2.0\RegCode3
删除后又变为未注册版本。
去除winrar注册框方法
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据
查看所有0条评论>>