XNview 1.96 Full attack notes

[Break text title] XNview 1.96 Full cracking notes
[Author] Xiao Huang ye
[Author's email]
[Author's homepage]
[Cracking tool] OllyICE, PEiD v0.94
[Cracking platform] WinXP
[Software name] XNview 1.96 Full
[Software size] 14.92 M
[Original download] http://www1.skycn.com/soft/2717.html
[Updated on]
[Software category] foreign software/Image Browsing
[Software language] English
[Software category] foreign software/Image Browsing
[Application Platform] Win9x/WinNT/Win2000/WinXP
[Protection method]
[Software Overview] supports graphics browsing, conversion, and editing software in up to 70 formats, as well as Slide Show. ACDSEE

Too many features? XNVIEW can solve problems well. It has the functions of capturing images, editing images, and adding special effects. It supports what you know.

All formats and formats you do not know (including movies and MP3 files ). Supports Simplified Chinese language.
[Cracking statement] please visit ~~~
------------------------------------------------------------------------
[Cracking process] First Run and check the registration failure prompt. the dialog box is displayed: illegal registration
I. Shell Exploration
PEiD v0.94: Microsoft Visual C +++ 6.0
Ii. OllyICE Analysis
After the program is loaded, it stops here:
005A7A81>/$55 PUSH EBP
005A7A82 |. 8BEC mov ebp, ESP
005A7A84 |. 6A ff push-1

Run the program in F9, register it with your favorite name, fill in the false code, and click the GetDlgItemTextA breakpoint before confirmation. After confirmation, the program is disconnected:
77D6B05E> 8BFF mov edi, EDI;

USER32.GetDlgItemTextA
77D6B060 55 PUSH EBP
77D6B061 8BEC mov ebp, ESP

Clear the breakpoint, and slowly return to F8 here:
00575F44. 56 push esi; | hWnd
00575F45. FFD7 call edi; GetDlgItemTextA
00575F47. 8D4C24 10 lea ecx, dword ptr ss: [ESP + 10]; return here.
00575F4B. 6A 20 PUSH 20;/Count = 20 (32 .)
00575F4D. 51 push ecx; | Buffer
00575F4E. 68 D1070000 PUSH 7D1; | ControlID = 7D1

(2001 .)
00575F53. 56 push esi; | hWnd
00575F54. FFD7 call edi; GetDlgItemTextA
00575F56. 8A4424 70 mov al, byte ptr ss: [ESP + 70]; obtain

The length of the name and registration code
00575F5A. 84C0 test al, AL
00575F5C. 0F84 3A010000 JE xnview.0057609C.

Skip.
00575F62. 8A4424 10 mov al, byte ptr ss: [ESP + 10]
00575F66. 84C0 test al, AL
00575F68. 0F84 2E010000 JE xnview.0057609C; if the registration code is not entered

Then I jumped away.
00575F6E. 8D5424 08 lea edx, dword ptr ss: [ESP + 8]
00575F72. 8D4424 70 lea eax, dword ptr ss: [ESP + 70]
00575F76. 52 PUSH EDX
00575F77. 50 PUSH EAX
00575F78. E8 035DF9FF CALL xnview.0050BC80; key CALL, follow up!
00575F7D. 8D4C24 18 lea ecx, dword ptr ss: [ESP + 18]
00575F81. 51 PUSH ECX
00575F82. E8 6CCE0200 CALL xnview.005A2DF3
00575F87. 8B4C24 14 mov ecx, dword ptr ss: [ESP + 14]
00575F8B. 83C4 0C add esp, 0C
00575F8E. 3BC8 cmp ecx, EAX
00575F90 74 5D je short xnview.00575FEF; key hop, one hop to death!
00575F92. A1 40317600 mov eax, dword ptr ds: [763140]

Follow up on the key CALL0050BC80 as follows:
The first is the first loop:
0050BCA9 |./74 21 je short xnview.0050BCCC
0050 BCAB |> | 8A0C16/mov cl, byte ptr ds: [ESI + EDX]; the first cycle starts from here

Ring computing.
0050 BCAE |. | 8AD9 | mov bl, CL; name each word in turn

Put the ASCII code of the symbol on BL
0050BCB0 |. | 3298 B8CF7500 | xor bl, byte ptr ds: [EAX + 75CFB8]; Name ASCII code and

EAX + 75CFB8 is used as an exclusive or operation. EAX = number of cycles.
0050BCB6 |. | 40 | INC EAX
0050BCB7 |. | 83F8 05 | cmp eax, 5
0050 BCBA |. | 881C16