Aurora MPEG To DVD Burner Registration Algorithm Analysis

Source: Internet
Author: User

Text and figures: zjjtr
People keep saying that software protection in China is poor. Today I found a well-regarded foreign program on the Internet, Aurora MPEG To DVD Burner, which converts MPEG files to DVD-R, DVD+R and DVD+RW discs so that they play in a stand-alone DVD player: it burns a real DVD rather than just leaving an MPEG file on the hard disk. Let's see how well its registration is protected.
Attempting to register produces the message "Sorry, Invalid username or registration code". PEiD reports no packer and identifies the program as a Microsoft Visual C++ 6.0 build. Loading it in OllyDbg (OD) and searching the referenced strings turns up no error text, so because the failure is reported in a dialog box we break on the API instead. Run with F9, open the registration window, enter "zjjtr" as the username and "123456789" as the Registration Code, type bp MessageBoxA in the OD command line, then click OK. The debugger breaks:
77D5058A > 8BFF             MOV EDI,EDI                          ; breaks here
77D5058C   55               PUSH EBP
77D5058D   8BEC             MOV EBP,ESP
77D5058F   833D BC04D777 0> CMP DWORD PTR DS:[77D704BC],0

Alt+F9 (execute till user code) returns to the program; click OK on the message box and we land at the instruction after the MessageBoxA call:
0045E317 /$ 8B4424 08       MOV EAX,DWORD PTR SS:[ESP+8]
0045E31B |. 56              PUSH ESI
0045E31C |. 85C0            TEST EAX,EAX
0045E31E |. 8BF1            MOV ESI,ECX
0045E320 |. 75 08           JNZ SHORT 0045E32A
0045E322 |. E8 AEED0000     CALL 0046D0D5
0045E327 |. 8B40 10         MOV EAX,DWORD PTR DS:[EAX+10]        ; default caption when none was passed
0045E32A |> 85F6            TEST ESI,ESI
0045E32C |. 75 04           JNZ SHORT 0045E332
0045E32E |. 33C9            XOR ECX,ECX
0045E330 |. EB 03           JMP SHORT 0045E335
0045E332 |> 8B4E 1C         MOV ECX,DWORD PTR DS:[ESI+1C]        ; owner hWnd taken from the window object in ECX
0045E335 |> FF7424 10       PUSH DWORD PTR SS:[ESP+10]           ; uType
0045E339 |. 50              PUSH EAX                             ; lpCaption
0045E33A |. FF7424 10       PUSH DWORD PTR SS:[ESP+10]           ; lpText
0045E33E |. 51              PUSH ECX                             ; hWnd
0045E33F |. FF15 7C764700   CALL DWORD PTR DS:[<&USER32.MessageBoxA>]
0045E345 |. 5E              POP ESI                              ; return lands here

So 0045E317 is the program's own message-box wrapper, not the registration check itself. Scrolling up to its start and asking OD for references shows "Local calls from 00422FD7, 00423005". Both callers are worth visiting; start with 00422FD7. Restart the program, set a breakpoint at the start of the calling function, 00422F70, click Register again, and the program stops:
00422F70 . 6A FF            PUSH -1                              ; breakpoint
00422F72 . 68 F8444700      PUSH 004744F8
00422F77 . 64:A1 0000000>   MOV EAX,DWORD PTR FS:[0]
00422F7D . 50               PUSH EAX
00422F7E . 64:8925 00000>   MOV DWORD PTR FS:[0],ESP             ; SEH frame setup (VC++ prologue)
00422F85 . 83EC 08          SUB ESP,8
00422F88 . A1 34404900      MOV EAX,DWORD PTR DS:[494034]
00422F8D . 56               PUSH ESI
00422F8E . 8BF1             MOV ESI,ECX                          ; ESI = this (the dialog object)
00422F90 . 894424 04        MOV DWORD PTR SS:[ESP+4],EAX
00422F94 . 6A 01            PUSH 1
00422F96 . C74424 18 000>   MOV DWORD PTR SS:[ESP+18],0
00422F9E . E8 6ABE0300      CALL 0045EE0D                        ; reads the dialog fields into members (likely UpdateData(TRUE))
00422FA3 . E8 2DA10400      CALL 0046D0D5
00422FA8 . 8B48 04          MOV ECX,DWORD PTR DS:[EAX+4]         ; fixed string "hyG"
00422FAB . E8 D88A0300      CALL 0045BA88
00422FB0 . 8B46 60          MOV EAX,DWORD PTR DS:[ESI+60]        ; registration code -> EAX
00422FB3 . 8B4E 5C          MOV ECX,DWORD PTR DS:[ESI+5C]        ; username -> ECX
00422FB6 . 50               PUSH EAX
00422FB7 . 51               PUSH ECX
00422FB8 . C64424 1C 01     MOV BYTE PTR SS:[ESP+1C],1
00422FBD . E8 CEFCFFFF      CALL 00422C90                        ; the check routine (the algorithm): F7 to step into it
00422FC2 . 83C4 08          ADD ESP,8
00422FC5 . 85C0             TEST EAX,EAX
00422FC7 . 75 18            JNZ SHORT 00422FE1                   ; jumps if the check passed; falling through means failure. This is the patch point.
00422FC9 . 6A 40            PUSH 40
00422FCB . 68 28FC4800      PUSH 0048FC28
00422FD0 . 68 FCFB4800      PUSH 0048FBFC
00422FD5 . 8BCE             MOV ECX,ESI
00422FD7 . E8 3BB30300      CALL 0045E317                        ; shows the error message via the wrapper above
00422FDC . E9 A0000000      JMP 00423081
00422FE1 > 8B4E 5C          MOV ECX,DWORD PTR DS:[ESI+5C]
00422FE4 . 8D5424 04        LEA EDX,DWORD PTR SS:[ESP+4]
00422FE8 . 51               PUSH ECX
00422FE9 . 68 E0FB4800      PUSH 0048FBE0                        ; ASCII "License To: %s"
00422FEE . 52               PUSH EDX
00422FEF . E8 20520300      CALL 00458214
00422FF4 . 8B4424 10        MOV EAX,DWORD PTR SS:[ESP+10]
00422FF8 . 83C4 0C          ADD ESP,0C
00422FFB . 8BCE             MOV ECX,ESI
00422FFD . 6A 40            PUSH 40
00422FFF . 68 D4FB4800      PUSH 0048FBD4                        ; ASCII "Thank you"
00423004 . 50               PUSH EAX
00423005 . E8 0DB30300      CALL 0045E317                        ; reaching here means registration succeeded
0042300A . 8B46 5C          MOV EAX,DWORD PTR DS:[ESI+5C]        ; username and code are handed on, apparently to be stored
0042300D . B9 38844900      MOV ECX,00498438
00423012 . 50               PUSH EAX
00423013 . E8 E83CFFFF      CALL 00416D00
00423018 . 8B46 60          MOV EAX,DWORD PTR DS:[ESI+60]
0042301B . B9 38844900      MOV ECX,00498438
00423020 . 50               PUSH EAX
00423021 . E8 0A3DFFFF      CALL 00416D30
00423026 . E8 AAA00400      CALL 0046D0D5
0042302B . 8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]
0042302E . 8D4C24 04        LEA ECX,DWORD PTR SS:[ESP+4]
00423032 . 51               PUSH ECX
00423033 . 8D5424 0C        LEA EDX,DWORD PTR SS:[ESP+C]
00423037 . 68 08D74800      PUSH 0048D708
0042303C . 52               PUSH EDX
0042303D . C680 C100000>    MOV BYTE PTR DS:[EAX+C1],1           ; sets a "registered" flag on the application object
00423044 . E8 557D0300      CALL 0045AD9E
00423049 . 50               PUSH EAX
0042304A . 8D4C24 08        LEA ECX,DWORD PTR SS:[ESP+8]
0042304E . C64424 18 02     MOV BYTE PTR SS:[ESP+18],2
00423053 . E8 767B0300      CALL 0045ABCE
00423058 . 8D4C24 08        LEA ECX,DWORD PTR SS:[ESP+8]
0042305C . C64424 14 01     MOV BYTE PTR SS:[ESP+14],1
00423061 . E8 2F7A0300      CALL 0045AA95
00423066 . E8 6AA00400      CALL 0046D0D5
0042306B . 8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]
0042306E . 8B4C24 04        MOV ECX,DWORD PTR SS:[ESP+4]
00423072 . 51               PUSH ECX
00423073 . 8BC8             MOV ECX,EAX
00423075 . 8B10             MOV EDX,DWORD PTR DS:[EAX]
00423077 . FF52 74          CALL DWORD PTR DS:[EDX+74]           ; virtual call
0042307A . 8BC8             MOV ECX,EAX
0042307C . E8 21C90300      CALL 0045F9A2
00423081 > 8BCE             MOV ECX,ESI
00423083 . E8 3D950300      CALL 0045C5C5
00423088 . C64424 14 00     MOV BYTE PTR SS:[ESP+14],0
0042308D . E8 43A00400      CALL 0046D0D5
00423092 . 8B48 04          MOV ECX,DWORD PTR DS:[EAX+4]
00423095 . E8 038A0300      CALL 0045BA9D
0042309A . 8D4C24 04        LEA ECX,DWORD PTR SS:[ESP+4]
0042309E . C74424 14 FFF>   MOV DWORD PTR SS:[ESP+14],-1
004230A6 . E8 EA790300      CALL 0045AA95
004230AB . 8B4C24 0C        MOV ECX,DWO
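The listing above stops before the 00422C90 routine is analysed, so the only crack the page actually establishes is the patch point the author flags at 00422FC7: TEST EAX,EAX / JNZ SHORT 00422FE1, where 75 18 (JNZ SHORT +18) becomes EB 18 (JMP SHORT +18) and the dialog handler always takes the "Thank you" path whatever the check returned. The following Python script is an added example and not code from the original article or from the software's vendor. It walks the PE section table to translate that virtual address into a file offset, refuses to write anything unless the expected 75 18 is at that spot, and otherwise replaces the two bytes. ImageBase 00400000 is assumed (the listing does not state it, but it is the VC6 default and matches the 0040xxxx addresses) and is read back from the file anyway. Because the real executable is not on the page, build_sample_pe() constructs a tiny stand-in PE32 with a single section that places the same four bytes at the same address; pass a real input and output path on the command line to run the patcher on an actual file.

```python
import struct
import sys

IMAGE_BASE = 0x00400000           # assumed: VC6 default, consistent with the 0040xxxx listing
CHECK_VA   = 0x00422FC7           # JNZ SHORT 00422FE1, right after TEST EAX,EAX at 00422FC5
JNZ_SHORT  = bytes([0x75, 0x18])  # the bytes OllyDbg shows at 00422FC7
JMP_SHORT  = bytes([0xEB, 0x18])  # same displacement, unconditional: always take the "registered" path


def parse_sections(pe: bytes):
    """Return (image_base, [(name, virtual_address, raw_pointer, raw_size), ...]) from a PE32 file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]         # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt_off)[0] != 0x10B:             # IMAGE_NT_OPTIONAL_HDR32_MAGIC
        raise ValueError("only PE32 is handled here; VC6 builds are 32-bit")
    image_base = struct.unpack_from("<I", pe, opt_off + 28)[0]        # IMAGE_OPTIONAL_HEADER32.ImageBase
    sections = []
    for i in range(num_sections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int):
    """Map a virtual address to the file offset that backs it, or None if no section's raw data does."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for _name, sec_va, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + raw_size:
            return raw_ptr + (rva - sec_va)
    return None


def patch_registration_check(pe: bytes) -> bytes:
    """Turn the JNZ at CHECK_VA into a JMP. Refuses to touch a file that does not show the expected bytes."""
    off = va_to_file_offset(pe, CHECK_VA)
    if off is None:
        raise ValueError(f"{CHECK_VA:08X} is not backed by any section")
    found = pe[off:off + 2]
    if found != JNZ_SHORT:
        raise ValueError(f"expected {JNZ_SHORT.hex()} at {CHECK_VA:08X}, found {found.hex()}; wrong file or version?")
    patched = bytearray(pe)
    patched[off:off + 2] = JMP_SHORT
    return bytes(patched)


def build_sample_pe() -> bytes:
    """Constructed stand-in for the real executable (not available on the page): a minimal PE32 with
    one .text section whose raw data holds TEST EAX,EAX / JNZ SHORT +18 at CHECK_VA."""
    sec_va, raw_ptr, raw_size = 0x22000, 0x400, 0x1000
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section, 224-byte optional header
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", optional, 28, IMAGE_BASE)
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, sec_va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + file_header + bytes(optional) + section
    image = bytearray(headers.ljust(raw_ptr, b"\0")) + bytearray(raw_size)
    test_eax_off = raw_ptr + (CHECK_VA - 2 - IMAGE_BASE - sec_va)            # 85 C0 sits two bytes before the JNZ
    image[test_eax_off:test_eax_off + 4] = bytes([0x85, 0xC0]) + JNZ_SHORT
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # python patch_check.py original.exe patched.exe
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_registration_check(data))
    else:                                       # no file given: demonstrate on the constructed sample
        sample = build_sample_pe()
        off = va_to_file_offset(sample, CHECK_VA)
        before = sample[off:off + 2].hex()
        after = patch_registration_check(sample)[off:off + 2].hex()
        print(f"{CHECK_VA:08X} -> file offset {off:#x}: {before} -> {after}")
```

Two caveats a practitioner would check before calling this done. The patch neutralises this one call site only: the code after 0042300A hands the username and code on to another object, presumably to persist them, and if the program re-validates the saved pair at start-up the same check, or a second one, fires on the next launch and needs the same treatment. And patching sidesteps the key algorithm entirely, so it says nothing about what 00422C90 computes; stepping into it with F7, as the author intends, is what yields a keygen rather than a modified executable.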
