Text/figure Hokkien
==========================================
It is undeniable that algorithm analysis is a torment of endurance and confidence. The time for the author to perform algorithm analysis is not short. In the face of all kinds of algorithms, it is good to be able to survive, not to survive, but to be forced to give up halfway. This article is a typical example of my thinking from the perspective of adversity. I believe you will have some gains after reading this article.
Understanding Software
#1 Video Converter is a Video format conversion software that supports conversion of all formats. It is easy to use and feels quite good. It is a pity that a shared software can only convert part of the file when it is not registered. We will unban it today.
The software shell check shows that the software is compiled using VC ++, the overall perception, and the software is compiled using MFC, which makes the analysis software more difficult. The software can be cracked, but it is not our topic.
Tracking Process
Open the registration window and enter the false information tentatively, as shown in 1. Of course, an error will be returned. Following the error prompt, we can easily locate the following code.
Figure 1
0041D2E8. 68 98A64300 PUSH # export video.0043a698
; Sorry
0041D2ED. 68 6CA64300 PUSH # export video.0043a66c
; Invalid username or registration code sorry
Place a breakpoint at any position above, re-debug, and the software is broken in the following places.
0041D291. E8 FABA0000 CALL <JMP. & MFC42. #540 _?? 0CString QAE @ XZ>
0041D296. 6A 01 PUSH 1
0041D298. 8BCE mov ecx, ESI
0041D29A. C74424 20 000> mov dword ptr ss: [ESP + 20], 0
0041D2A2 E869BF0000
CALL <JMP. & MFC42. #6334 _? UpdateData @ CWnd @ QAEHH @ Z>
0041D2A7 E8B2BF0000
CALL <JMP. & MFC42. #1168 _? AfxGetModuleState @ YGPAVAFX_MODULE _>
As you can see, we should know that the software is written in MFC, which makes tracking much more difficult. Click F8 to go to the following code.
0041D2D8. 50 push eax; registration code
0041D2D9. 51 push ecx; User Name
0041D2DA. E8 81 faffff call # paivideo.0041cd60
0041D2DF. 83C4 08 add esp, 8
0041D2E2. 85C0 test eax, EAX
0041D2E4. 75 18 jnz short # export video.0041d2fe
0041D2E6. 6A 40 PUSH 40
0041D2E8. 68 98A64300 PUSH # export video.0043a698
; Sorry
0041D2ED. 68 6CA64300 PUSH # export video.0043a66c
; Invalid username or registration code sorry
Obviously, "CALL # video.0041cd60" is the key. I thought it would be almost the same to locate the key function, but it was not as simple as I expected. When we step into cd60, we will find that the code is really massive. It seems that there is not much useful information, but we can still find the following numbers. I don't know if it is useful information.
0041CD89 |. C74424 60 73C> mov dword ptr ss: [ESP + 60], 3C49C573
0041CD91 |. C74424 64 0C4> mov dword ptr ss: [ESP + 64], 7A5A460C
0041CD99 |. C74424 68 388> mov dword ptr ss: [ESP + 68], 79768038
0041CDA1 |. C74424 6C 67B> mov dword ptr ss: [ESP + 6C], 8E8DBE67
0041CDA9 |. C74424 70 A62> mov dword ptr ss: [ESP + 70], 723026A6
0041CDB1 |. C74424 74 2E8> mov dword ptr ss: [ESP + 74], 96C1812E
0041CDB9 |. C74424 78 07C> mov dword ptr ss: [ESP + 78], 602C507
0041CDC1 |. C74424 7C 571> mov dword ptr ss: [ESP + 7C], 230D1157
What is a special encryption algorithm? Baidu, unfortunately, there is no information. From this we can infer that these numbers are not constants of specialized encryption algorithms. When we try to continue tracking, we will find that the software process is very messy and unclear, and the key location for generating the registration code is not clear. Due to limited time and manpower, we are in a deadlock ...... Give up? Or continue?
Liu yinghuaming
We continued to follow up and came to the following key points.
0041 CFBB |. 50 push eax; Key location
0041 CFBC |. 51 push ecx; username address
0041 CFBD |. FFD6 call esi; Comparison
0041 CFBF |. 83C4 08 add esp, 8
0041CFC2 |. 8D4C24 10 lea ecx, dword ptr ss: [ESP + 10]
0041CFC6 |. 85C0 test eax, EAX
0041CFC8 |. C68424 A40000> mov byte ptr ss: [ESP + A4], 6
0041CFD0 0F84 86000000 JE # export video.0041d05c
Here there is a jump, which is to assign different values to EAX, that is, the flag bit. Based on experience, this is the key to success or failure. By the way, changing "JE" to "JNE" can be cracked, but this is not our topic. Here, the user name is compared with a string, so we know that the registration model used by the software is: "F (entered registration code )? = Input username ". Now that we know how to register the model, go to the corresponding EAX address, as shown in figure 2. No. The username corresponding to the registration code "12345abcde" cannot be printed. Therefore, if we try to enter any registration code to obtain the user name, it will be a great deal of trouble! Again in a deadlock ......
Figure 2
I thought for a while! Write a memory registration machine and enter the registration code at will to interrupt it to read the corresponding value at the corresponding place. Can the corresponding user name be displayed? But can we get the user name after Pasting and copying it? Well, let's have KeyMake. If it is disconnected under cfbb, read the content of the corresponding EAX address at this time. Configuration 3 is shown in. After the registration machine is generated, put it in the same directory as the software, enter the user name and registration code in the INI file, and run the registration machine, as shown in figure 4.
Figure 3
Figure 4
It's a strange character. But it doesn't matter. copy it and paste it in the username column of the registration window. Then, enter "12345abcde" as the registration code, as shown in Figure 5. Click OK. Let's take a look at our masterpiece, as shown in figure 6!
Figure 5
Figure 6
Summary
In the face of many restrictions, if we can crack it with another way of thinking, we can breathe a little while in the torment of algorithms. Due to time and manpower constraints, I did not perform algorithm analysis well. But fortunately, I have cracked the software from another point of view. I hope this small experience will be helpful to you.