GIF动画制作软件破解
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
“The information you have provided is invalid. Please be sure that you typed it exactly as it was given to you.”
**************************************************************
二、用PEiD对这个软件查壳,为 Microsoft Visual C++ 7.0
**************************************************************
三、运行OD,打开movgear,F9运行,F12暂停,Alt+K
调用堆栈 , 项目 19
地址=0013F404
堆栈=00433D17
程序过程 / 参数=? movgear.004116E0
调用来自=movgear.00433D12
==============================================================
00433C1A . 50 PUSH EAX ; |hWnd
00433C1B . FFD3 CALL EBX ; \GetWindowTextA
00433C1D . 6A 64 PUSH 64 ; /Count = 64 (100.)
00433C1F . 8D8424 C80000>LEA EAX,DWORD PTR SS:[ESP+C8] ; |
00433C26 . 50 PUSH EAX ; |Buffer
00433C27 . 68 50040000 PUSH 450 ; |/ControlID = 450 (1104.)
00433C2C . 57 PUSH EDI ; ||hWnd
00433C2D . FFD6 CALL ESI ; |\GetDlgItem
00433C2F . 50 PUSH EAX ; |hWnd
00433C30 . FFD3 CALL EBX ; \GetWindowTextA
00433C32 . 8D8C24 C40000>LEA ECX,DWORD PTR SS:[ESP+C4] ; //注册码
00433C39 . 51 PUSH ECX
00433C3A . 8D5424 64 LEA EDX,DWORD PTR SS:[ESP+64] ; //用户名
00433C3E . 52 PUSH EDX
00433C3F . E8 FCFBFFFF CALL movgear.00433840 ; //关键CALL
00433C44 . 83C4 08 ADD ESP,8
00433C47 . 85C0 TEST EAX,EAX
00433C49 . 0F84 B6000000 JE movgear.00433D05 ; //关键跳转
00433C4F . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00433C53 . 50 PUSH EAX ; /pDisposition
00433C54 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ; |
00433C58 . 51 PUSH ECX ; |pHandle
00433C59 . 6A 00 PUSH 0 ; |pSecurity = NULL
00433C5B . 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
00433C60 . 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
00433C62 . 68 85F64700 PUSH movgear.0047F685 ; |Class = ""
00433C67 . 6A 00 PUSH 0 ; |Reserved = 0
00433C69 . 68 84E44800 PUSH movgear.0048E484 ; |software\gamani\gifmoviegear\2.0
00433C6E . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00433C73 . FF15 0CF04700 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
00433C79 . 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00433C7D . 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
00433C80 > 8A08 MOV CL,BYTE PTR DS:[EAX]
00433C82 . 40 INC EAX
00433C83 . 84C9 TEST CL,CL
00433C85 .^ 75 F9 JNZ SHORT movgear.00433C80
00433C87 . 8B35 00F04700 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegSetV>; ADVAPI32.RegSetValueExA
00433C8D . 2BC2 SUB EAX,EDX
00433C8F . 40 INC EAX
00433C90 . 50 PUSH EAX ; /BufSize
00433C91 . 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; |
00433C95 . 8D5424 64 LEA EDX,DWORD PTR SS:[ESP+64] ; |
00433C99 . 52 PUSH EDX ; |Buffer
00433C9A . 6A 01 PUSH 1 ; |ValueType = REG_SZ
00433C9C . 6A 00 PUSH 0 ; |Reserved = 0
00433C9E . 68 C8F34800 PUSH movgear.0048F3C8 ; |regname3
00433CA3 . 50 PUSH EAX ; |hKey
00433CA4 . FFD6 CALL ESI ; \RegSetValueExA
00433CA6 . 8D8424 C40000>LEA EAX,DWORD PTR SS:[ESP+C4]
00433CAD . 8D48 01 LEA ECX,DWORD PTR DS:[EAX+1]
00433CB0 > 8A10 MOV DL,BYTE PTR DS:[EAX]
00433CB2 . 40 INC EAX
00433CB3 . 84D2 TEST DL,DL
00433CB5 .^ 75 F9 JNZ SHORT movgear.00433CB0
00433CB7 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
00433CBB . 2BC1 SUB EAX,ECX
00433CBD . 40 INC EAX
00433CBE . 50 PUSH EAX
00433CBF . 8D8C24 C80000>LEA ECX,DWORD PTR SS:[ESP+C8]
00433CC6 . 51 PUSH ECX
00433CC7 . 6A 01 PUSH 1
00433CC9 . 6A 00 PUSH 0
00433CCB . 68 D4F34800 PUSH movgear.0048F3D4 ; regcode3
00433CD0 . 52 PUSH EDX
00433CD1 . FFD6 CALL ESI
00433CD3 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
00433CD7 . 50 PUSH EAX ; /hKey
00433CD8 . FF15 18F04700 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00433CDE . 68 E0F34800 PUSH movgear.0048F3E0 ; /software\loani\mg4
00433CE3 . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00433CE8 . FF15 14F04700 CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA
00433CEE . 6A 01 PUSH 1 ; /Result = 1
00433CF0 . 57 PUSH EDI ; |hWnd
00433CF1 . FF15 A4F34700 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00433CF7 . 5F POP EDI
00433CF8 . 5E POP ESI
00433CF9 . 33C0 XOR EAX,EAX
00433CFB . 5B POP EBX
00433CFC . 81C4 1C010000 ADD ESP,11C
00433D02 . C2 1000 RETN 10
00433D05 > 6A 30 PUSH 30
00433D07 . 68 159D0000 PUSH 9D15
00433D0C . 68 149D0000 PUSH 9D14
00433D11 . 57 PUSH EDI
00433D12 . E8 C9D9FDFF CALL movgear.004116E0 ; //错误提示
00433D17 . 83C4 10 ADD ESP,10
00433D1A . 68 4F040000 PUSH 44F
00433D1F . 57 PUSH EDI
00433D20 . FFD6 CALL ESI
00433D22 . 50 PUSH EAX ; /hWnd
00433D23 . FF15 A4F44700 CALL DWORD PTR DS:[<&USER32.SetFocus>] ; \SetFocus
00433D29 . 5F POP EDI
00433D2A . 5E POP ESI
00433D2B . 33C0 XOR EAX,EAX
00433D2D . 5B POP EBX
00433D2E . 81C4 1C010000 ADD ESP,11C
00433D34 . C2 1000 RETN 10
00433D37 > 2D 35010000 SUB EAX,135
00433D3C . 74 43 JE SHORT movgear.00433D81
00433D3E . 83E8 03 SUB EAX,3
00433D41 . 74 0E JE SHORT movgear.00433D51
00433D43 > 5F POP EDI ; Default case of switch 00433BD0
00433D44 . 5E POP ESI
00433D45 . 33C0 XOR EAX,EAX
00433D47 . 5B POP EBX
00433D48 . 81C4 1C010000 ADD ESP,11C
00433D4E . C2 1000 RETN 10
00433D51 > 8BB424 340100>MOV ESI,DWORD PTR SS:[ESP+134] ; Case 138 (WM_CTLCOLORSTATIC) of switch 00433A4A
00433D58 . 68 FFFFFF00 PUSH 0FFFFFF ; /Color = <WHITE>
00433D5D . 56 PUSH ESI ; |hDC
00433D5E . FF15 CCF04700 CALL DWORD PTR DS:[<&GDI32.SetBkColor>] ; \SetBkColor
00433D64 . 6A 00 PUSH 0 ; /Color = <BLACK>
00433D66 . 56 PUSH ESI ; |hDC
00433D67 . FF15 C8F04700 CALL DWORD PTR DS:[<&GDI32.SetTextColor>>; \SetTextColor
00433D6D . 6A 00 PUSH 0 ; /ObjType = WHITE_BRUSH
00433D6F . FF15 D0F04700 CALL DWORD PTR DS:[<&GDI32.GetStockObjec>; \GetStockObject
00433D75 . 5F POP EDI
00433D76 . 5E POP ESI
00433D77 . 5B POP EBX
00433D78 . 81C4 1C010000 ADD ESP,11C
00433D7E . C2 1000 RETN 10
00433D81 > 6A 05 PUSH 5 ; /ObjType = NULL_BRUSH; Case 135 (WM_CTLCOLORBTN) of switch 00433A4A
00433D83 . FF15 D0F04700 CALL DWORD PTR DS:[<&GDI32.GetStockObjec>; \GetStockObject
00433D89 . 5F POP EDI
00433D8A . 5E POP ESI
00433D8B . 5B POP EBX
00433D8C . 81C4 1C010000 ADD ESP,11C
00433D92 . C2 1000 RETN 10
==============================================================
; ----------------------------------------------------------------------
; movgear.00433840 -- registration check (OllyDbg listing, 32-bit x86).
; Called from 00433C3F with two stack arguments; the caller removes them
; (ADD ESP,8 at 00433C44) and this routine ends in a plain RETN.
;   arg1 = pointer to the user-name buffer
;   arg2 = pointer to the registration-code buffer
; Result in EAX:
;   1  when the number parsed from the code equals the name checksum
;   0  when the code starts with one of the 32 entries in the table at 48F3F8
;   otherwise whatever movgear.00433520 returns (that routine is not shown
;   here, so its checks are unknown)
; EBX, EBP, ESI and EDI are saved on entry and restored on every exit path.
; ----------------------------------------------------------------------
00433840 /$ 53 PUSH EBX
00433841 |. 55 PUSH EBP
00433842 |. 8B6C24 10 MOV EBP,DWORD PTR SS:[ESP+10] ; // EBP = arg2 (registration code); two registers pushed so far
00433846 |. 807D 00 6D CMP BYTE PTR SS:[EBP],6D ; // code[0] compared with 6D ('m')
0043384A |. 56 PUSH ESI
0043384B |. 57 PUSH EDI
0043384C |. 0F85 AD000000 JNZ movgear.004338FF ; // mismatch -> hand both strings to 00433520
00433852 |. 807D 01 67 CMP BYTE PTR SS:[EBP+1],67 ; // code[1] compared with 67 ('g')
00433856 |. 0F85 A3000000 JNZ movgear.004338FF ; // mismatch -> 004338FF
0043385C |. 807D 02 33 CMP BYTE PTR SS:[EBP+2],33 ; // code[2] compared with 33 ('3')
00433860 |. 0F85 99000000 JNZ movgear.004338FF ; // mismatch -> 004338FF
00433866 |. 807D 03 37 CMP BYTE PTR SS:[EBP+3],37 ; // code[3] compared with 37 ('7')
0043386A |. 0F85 8F000000 JNZ movgear.004338FF ; // mismatch -> 004338FF
00433870 |. 33DB XOR EBX,EBX ; // EBX = 0: byte offset into the pointer table
00433872 |> 8BBB F8F34800 /MOV EDI,DWORD PTR DS:[EBX+48F3F8] ; // EDI = next string pointer from the table at 48F3F8 (author's note: "mvg21951736")
00433878 |. 8BC7 |MOV EAX,EDI
0043387A |. 8D50 01 |LEA EDX,DWORD PTR DS:[EAX+1]
0043387D |. 8D49 00 |LEA ECX,DWORD PTR DS:[ECX] ; // leaves ECX unchanged; presumably alignment padding
00433880 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX] ; // scan the entry up to its terminating zero byte
00433882 |. 40 ||INC EAX
00433883 |. 84C9 ||TEST CL,CL
00433885 |.^ 75 F9 |\JNZ SHORT movgear.00433880
00433887 |. 2BC2 |SUB EAX,EDX ; // EAX = EAX - EDX = length of the entry
00433889 |. 8BC8 |MOV ECX,EAX ; // compare exactly that many bytes
0043388B |. 8BF5 |MOV ESI,EBP ; // ESI = registration code
0043388D |. 33C0 |XOR EAX,EAX ; // EAX = 0
0043388F |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS> ; // prefix compare: entry against the start of the code
00433891 |. 74 65 |JE SHORT movgear.004338F8 ; // all bytes equal -> return 0
00433893 |. 83C3 04 |ADD EBX,4 ; // advance to the next 4-byte pointer
00433896 |. 81FB 80000000 |CMP EBX,80 ; // 80h / 4 = 32 table entries
0043389C |.^ 72 D4 \JB SHORT movgear.00433872 ; // loop over the table (author: is the code on the blacklist?)
0043389E |. 807D 04 73 CMP BYTE PTR SS:[EBP+4],73 ; // code[4] compared with 73 ('s')
004338A2 |. 75 01 JNZ SHORT movgear.004338A5 ; // not 's' -> keep EBP as is
004338A4 |. 45 INC EBP ; // 's' variant: later offsets shift by one character
004338A5 |> 8D4D 07 LEA ECX,DWORD PTR SS:[EBP+7] ; // the three characters before this offset are never inspected here
004338A8 |. 51 PUSH ECX
004338A9 |. E8 26BD0300 CALL movgear.0046F5D4 ; // 0046F5D4 is not shown. Author's note: converts the digits from the 8th character on (9th when code[4] is 's') to a number in EAX, else EAX = 0. NOTE(review): the author calls this a hex conversion, but the keygen listings on this page format the value with %d, so presumably a decimal parse -- confirm
004338AE |. 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18] ; // EBX = arg1 (user name); offset still includes the argument pushed at 004338A8
004338B2 |. 8A13 MOV DL,BYTE PTR DS:[EBX] ; // DL = first byte of the user name
004338B4 |. 83C4 04 ADD ESP,4 ; // drop the argument of 0046F5D4
004338B7 |. 33C9 XOR ECX,ECX ; // ECX = 0: position weight
004338B9 |. 84D2 TEST DL,DL
004338BB |. 8BFB MOV EDI,EBX ; (debugger annotation: initial CPU selection)
004338BD |. BE DF0B0000 MOV ESI,0BDF ; // ESI = 0BDF: checksum seed
004338C2 |. 74 26 JE SHORT movgear.004338EA ; // empty name -> skip the loop, checksum stays at the seed
004338C4 |> 0FBED2 /MOVSX EDX,DL ; // sign-extend the byte, so values >= 80h become negative
004338C7 |. 41 |INC ECX ; // ECX = ECX + 1
004338C8 |. 0FAFD1 |IMUL EDX,ECX ; // EDX = EDX * ECX
004338CB |. 03F2 |ADD ESI,EDX ; // ESI = ESI + EDX
004338CD |. 81FE BE170000 |CMP ESI,17BE ; // compare ESI with 17BE
004338D3 |. 7E 06 |JLE SHORT movgear.004338DB ; // signed less-or-equal -> skip the subtraction
004338D5 |. 81EE BE170000 |SUB ESI,17BE ; // ESI = ESI - 17BE (subtracted once per character)
004338DB |> 83F9 0A |CMP ECX,0A ; // compare ECX with 0A
004338DE |. 7E 02 |JLE SHORT movgear.004338E2 ; // less-or-equal -> keep the weight
004338E0 |. 33C9 |XOR ECX,ECX ; // ECX = 0: weight restarts once it has passed 0A
004338E2 |> 8A57 01 |MOV DL,BYTE PTR DS:[EDI+1] ; // fetch the next user-name byte
004338E5 |. 47 |INC EDI ; // EDI = EDI + 1
004338E6 |. 84D2 |TEST DL,DL
004338E8 |.^ 75 DA \JNZ SHORT movgear.004338C4 ; // loop until the terminating zero byte
004338EA |> 3BF0 CMP ESI,EAX ; // name checksum against the number parsed from the code
004338EC |. 75 15 JNZ SHORT movgear.00433903 ; // not equal -> 00433520 decides (the author marks this branch as the deciding one)
004338EE |. 5F POP EDI
004338EF |. 5E POP ESI
004338F0 |. 5D POP EBP
004338F1 |. B8 01000000 MOV EAX,1 ; // result = 1 (accepted)
004338F6 |. 5B POP EBX
004338F7 |. C3 RETN
004338F8 |> 5F POP EDI ; // table hit: result = 0
004338F9 |. 5E POP ESI
004338FA |. 5D POP EBP
004338FB |. 33C0 XOR EAX,EAX
004338FD |. 5B POP EBX
004338FE |. C3 RETN
004338FF |> 8B5C24 14 MOV EBX,DWORD PTR SS:[ESP+14] ; // EBX = arg1 (user name); not loaded yet on the prefix-mismatch path
00433903 |> 55 PUSH EBP ; // registration-code pointer (already advanced by one if code[4] was 's')
00433904 |. 53 PUSH EBX ; // user-name pointer
00433905 |. E8 16FCFFFF CALL movgear.00433520 ; // second check, not shown; its EAX is returned unchanged
0043390A |. 83C4 08 ADD ESP,8
0043390D |. 5F POP EDI
0043390E |. 5E POP ESI
0043390F |. 5D POP EBP
00433910 |. 5B POP EBX
00433911 \. C3 RETN
==============================================================
【黑名单】
0047FE18 6D 67 33 37 34 33 34 34 37 37 37 00 6D 67 33 37 mg374344777.mg37
0047FE28 39 33 34 32 36 38 39 00 6D 67 33 37 37 37 35 33 9342689.mg377753
0047FE38 39 33 31 00 6D 67 33 37 37 36 34 33 38 36 33 00 931.mg377643863.
0047FE48 6D 67 33 37 30 37 30 34 37 38 38 00 6D 67 33 37 mg370704788.mg37
0047FE58 36 38 37 31 34 33 34 00 6D 67 33 37 36 34 38 34 6871434.mg376484
0047FE68 30 33 39 00 6D 67 33 37 30 33 34 32 36 39 32 00 039.mg370342692.
0047FE78 6D 67 33 37 36 34 34 39 35 37 00 00 6D 67 33 37 mg37644957..mg37
0047FE88 37 35 38 33 34 35 34 00 6D 67 33 37 33 32 32 33 7583454.mg373223
0047FE98 35 35 34 00 6D 67 33 37 31 38 39 35 32 36 36 00 554.mg371895266.
0047FEA8 6D 67 33 37 39 37 37 33 36 35 31 00 6D 67 33 37 mg379773651.mg37
0047FEB8 31 30 37 33 34 37 38 00 6D 67 33 37 34 33 39 34 1073478.mg374394
0047FEC8 39 38 37 00 6D 67 33 37 38 38 32 32 34 36 39 00 987.mg378822469.
0047FED8 6D 67 33 37 30 36 34 33 34 38 00 00 6D 67 33 37 mg37064348..mg37
0047FEE8 30 34 37 33 37 31 30 00 6D 67 33 37 38 35 34 32 0473710.mg378542
0047FEF8 35 34 34 00 6D 67 33 37 33 34 37 33 37 35 39 00 544.mg373473759.
0047FF08 6D 67 33 37 39 32 32 33 39 35 33 00 6D 67 33 37 mg379223953.mg37
0047FF18 35 39 35 33 32 34 38 00 6D 67 33 37 32 30 32 31 5953248.mg372021
0047FF28 34 32 34 00 6D 67 33 37 30 33 35 33 30 30 38 00 424.mg370353008.
0047FF38 6D 67 33 37 30 31 35 31 33 34 37 00 6D 67 33 37 mg370151347.mg37
0047FF48 39 38 34 33 31 34 39 00 6D 67 33 37 32 35 30 33 9843149.mg372503
0047FF58 39 35 38 00 6D 67 33 37 4E 54 69 00 6D 67 33 37 958.mg37NTi.mg37
0047FF68 33 34 36 35 32 34 31 00 6D 67 33 37 30 35 33 34 3465241.mg370534
0047FF78 30 33 35 00 6D 67 33 37 34 36 30 34 33 34 32 00 035.mg374604342.
0047FF88 6D 76 67 32 31 39 35 31 37 33 36 mvg21951736
**************************************************************
【破解总结】
————————————————————–
【算法总结】
分两种算法:一种注册码长度在8位以上,前缀为"mg37";另一种注册码长度在9位以上,前缀为"mg37s"。
————————————————————–
【算法注册机】
注册机1
keygen1.rek
; Template fragment labelled keygen1.rek on the page (MASM-style syntax).
; The code section repeats the user-name checksum loop of the routine at
; 00433840 listed above and formats the result into szBuffer.
; EAX is read on entry without being set here; presumably the host template
; passes the user-name pointer in it -- confirm.
.const
.data
; The next three strings are not referenced by the code shown here.
szHomePage db “http://www.chinapyg.com”,0
szEmail db “mailto:tianxj_2007@126.com”,0
szErrMess db “请输入用户名!”,0
szBuffer db 50 dup (0)               ; 50-byte output buffer, zero-filled
szFMT db “mg37***%d”,0               ; literal prefix followed by the checksum printed with %d
.code
MOV EBX,eax                          ; EBX = incoming pointer (see header note)
MOV DL,BYTE PTR DS:[EBX]             ; DL = first byte of the string
XOR ECX,ECX                          ; ECX = 0: position weight
MOV EDI,EBX                          ; EDI walks the string
MOV ESI,0BDFh                        ; checksum seed
tianxj:
MOVSX EDX,DL                         ; sign-extend the current byte
INC ECX
IMUL EDX,ECX                         ; byte * weight
ADD ESI,EDX
CMP ESI,17BEh
JLE n1                               ; signed less-or-equal -> no reduction
SUB ESI,17BEh                        ; subtract 17BEh once
n1:
CMP ECX,0Ah
JLE n2
XOR ECX,ECX                          ; weight restarts once it has passed 0Ah
n2:
MOV DL,BYTE PTR DS:[EDI+1]           ; next byte
INC EDI
TEST DL,DL
JNZ tianxj                           ; loop until the terminating zero byte
invoke wsprintf,addr szBuffer,addr szFMT,esi
lea eax,szBuffer                     ; EAX = address of the formatted string
注册机2
keygen2.rek
; Template fragment labelled keygen2.rek on the page (MASM-style syntax).
; Same as the keygen1.rek listing on this page except for the szFMT prefix
; ("mg37s" instead of "mg37"); the code section repeats the user-name
; checksum loop of the routine at 00433840 listed above.
; EAX is read on entry without being set here; presumably the host template
; passes the user-name pointer in it -- confirm.
.const
.data
; The next three strings are not referenced by the code shown here.
szHomePage db “http://www.chinapyg.com”,0
szEmail db “mailto:tianxj_2007@126.com”,0
szErrMess db “请输入用户名!”,0
szBuffer db 50 dup (0)               ; 50-byte output buffer, zero-filled
szFMT db “mg37s***%d”,0              ; literal prefix followed by the checksum printed with %d
.code
MOV EBX,eax                          ; EBX = incoming pointer (see header note)
MOV DL,BYTE PTR DS:[EBX]             ; DL = first byte of the string
XOR ECX,ECX                          ; ECX = 0: position weight
MOV EDI,EBX                          ; EDI walks the string
MOV ESI,0BDFh                        ; checksum seed
tianxj:
MOVSX EDX,DL                         ; sign-extend the current byte
INC ECX
IMUL EDX,ECX                         ; byte * weight
ADD ESI,EDX
CMP ESI,17BEh
JLE n1                               ; signed less-or-equal -> no reduction
SUB ESI,17BEh                        ; subtract 17BEh once
n1:
CMP ECX,0Ah
JLE n2
XOR ECX,ECX                          ; weight restarts once it has passed 0Ah
n2:
MOV DL,BYTE PTR DS:[EDI+1]           ; next byte
INC EDI
TEST DL,DL
JNZ tianxj                           ; loop until the terminating zero byte
invoke wsprintf,addr szBuffer,addr szFMT,esi
lea eax,szBuffer                     ; EAX = address of the formatted string
————————————————————–
【注册信息】
用户名:tianxj
注册码:mg37***5332 或mg37s***5332 (*为任意字符)
保存在
[HKEY_LOCAL_MACHINE\SOFTWARE\gamani\GIFMovieGear\2.0]