用W32DASM破解JPEG Optimizer 4.0 (8千字)

用W32DASM破解JPEG Optimizer 4.0 （轉載希望保持完整）
作者：丁丁蝦又名：DDXia

軟體簡介：
　　該軟體能對JPG圖形檔案壓縮 50% 而不損失畫質，自定壓縮比，能即時顯現壓縮後的圖片，讓你比較差異，效果相當不錯。
http://www.newhua.com.cn/down/jpopt3.exe
HI！各位早上好！由於自己的一點大意，折磨我一夜又未眠，本想放棄的，結果是
它是它給我光陰和靈魂------http://astalavista.box.sk---查不到這個軟體的4.0
版，最高只有3.02，真的來勁了，一邊吃著餅乾，一邊喝著娃哈哈，一邊請我細細講來：

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00429579(U)
|
:00429580 52 push edx
:00429581 E88E0B0000 call 0042A114
^^^^^^^^^^^^^---->為了這一CALL，耗了我半瓶的Wahaha，5555，這是進入比較註冊碼的子程式

:00429586 59 pop ecx
:00429587 84C0 test al, al
:00429589 7504 jne 0042958F
^^^^^^^^^^^^----->不對，就過了，EASY了。
開始改為je 0042958F,只要輸入任意8位數，就認為
註冊碼為正確，但每次都要進入都要輸入一便，真是
繁它，繼續加油哦！那為什麼要八位呢？？？別急 :)
下面會說到的。嘻......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042956E(C)
|
:0042958B 33C0 xor eax, eax
:0042958D EB05 jmp 00429594

接著我們再看一看它的註冊碼的子程式，不看不知道，看了就下了一跳（一個晚上
就載在它的手裡，本以為初學者不用探討它的註冊碼生成，唉。說來口水多），言
歸正傳，看好了，看好了。。。。。
* Referenced by a CALL at Addresses:
|:004047FF , :00429581
|
:0042A114 55 push ebp
:0042A115 8BEC mov ebp, esp
:0042A117 83C4F4 add esp, FFFFFFF4
:0042A11A 53 push ebx
:0042A11B 8B4508 mov eax, dword ptr [ebp+08]
:0042A11E 8D5DF4 lea ebx, dword ptr [ebp-0C]
:0042A121 8A10 mov dl, byte ptr [eax]
:0042A123 8813 mov byte ptr [ebx], dl
:0042A125 8A4801 mov cl, byte ptr [eax+01]
:0042A128 884B01 mov byte ptr [ebx+01], cl
:0042A12B 8A5002 mov dl, byte ptr [eax+02]
:0042A12E 885302 mov byte ptr [ebx+02], dl
:0042A131 8A4803 mov cl, byte ptr [eax+03]
:0042A134 884B03 mov byte ptr [ebx+03], cl
:0042A137 8A5004 mov dl, byte ptr [eax+04]
:0042A13A 885304 mov byte ptr [ebx+04], dl
:0042A13D 8A4805 mov cl, byte ptr [eax+05]
:0042A140 884B05 mov byte ptr [ebx+05], cl
:0042A143 8A5006 mov dl, byte ptr [eax+06]
:0042A146 885306 mov byte ptr [ebx+06], dl
:0042A149 8A4807 mov cl, byte ptr [eax+07]
:0042A14C 884B07 mov byte ptr [ebx+07], cl
:0042A14F 8A4008 mov al, byte ptr [eax+08]
:0042A152 884308 mov byte ptr [ebx+08], al
:0042A155 C6430900 mov [ebx+09], 00
:0042A159 0FBE03 movsx eax, byte ptr [ebx]
:0042A15C 50 push eax
:0042A15D E8228C0400 call 00472D84
:0042A162 59 pop ecx
:0042A163 83F84A cmp eax, 0000004A
:0042A166 7559 jne 0042A1C1
:0042A168 0FBE5301 movsx edx, byte ptr [ebx+01]
:0042A16C 52 push edx
:0042A16D E8128C0400 call 00472D84
:0042A172 59 pop ecx
:0042A173 83F853 cmp eax, 00000053
^^^^^^^^^^^^^^^^^---->
:0042A176 7549 jne 0042A1C1
:0042A178 0FBE4B02 movsx ecx, byte ptr [ebx+02]
:0042A17C 83F924 cmp ecx, 00000024
^^^^^^^^^^^^^^^^^---->
:0042A17F 7540 jne 0042A1C1
:0042A181 0FBE4303 movsx eax, byte ptr [ebx+03]
:0042A185 83F832 cmp eax, 00000032
^^^^^^^^^^^^^^^^^---->
:0042A188 7537 jne 0042A1C1
:0042A18A 0FBE5304 movsx edx, byte ptr [ebx+04]
:0042A18E 83FA38 cmp edx, 00000038
^^^^^^^^^^^^^^^^^---->
:0042A191 752E jne 0042A1C1
:0042A193 0FBE4B05 movsx ecx, byte ptr [ebx+05]
:0042A197 83F939 cmp ecx, 00000039
^^^^^^^^^^^^^^^^^---->
:0042A19A 7525 jne 0042A1C1
:0042A19C 0FBE4306 movsx eax, byte ptr [ebx+06]
:0042A1A0 83F832 cmp eax, 00000032
^^^^^^^^^^^^^^^^^---->
:0042A1A3 751C jne 0042A1C1
:0042A1A5 0FBE5307 movsx edx, byte ptr [ebx+07]
:0042A1A9 83FA31 cmp edx, 00000031
^^^^^^^^^^^^^^^^^---->
仰天長笑，得來全不費工夫，哈。哈。哈。。。比較了八次，然後看到
53，24，32，38，39，32，31，-----很熟，猜一猜，原來是JS$28921--註冊碼（可能每臺機生成的不一樣哦）
如果懶的化，可以把第一句jne 0042A1C1---->jmp 0042A1AE,OK！功德圓滿。
:0042A1AC 7513 jne 0042A1C1
:0042A1AE C70554A448001443FC69 mov dword ptr [0048A454], 69FC4314
:0042A1B8 E8CFA7FDFF call 0040498C
:0042A1BD B001 mov al, 01
:0042A1BF EB1B jmp 0042A1DC

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042A166(C), :0042A176(C), :0042A17F(C), :0042A188(C), :0042A191(C)
|:0042A19A(C), :0042A1A3(C), :0042A1AC(C)
|
:0042A1C1 53 push ebx
:0042A1C2 E8D1280000 call 0042CA98
:0042A1C7 59 pop ecx
:0042A1C8 84C0 test al, al
:0042A1CA 7404 je 0042A1D0
:0042A1CC B001 mov al, 01
:0042A1CE EB0C jmp 0042A1DC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042A1CA(C)
|
:0042A1D0 C70554A44800EBBC0396 mov dword ptr [0048A454], 9603BCEB
:0042A1DA 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042A1BF(U), :0042A1CE(U)
|
:0042A1DC 5B pop ebx
:0042A1DD 8BE5 mov esp, ebp
:0042A1DF 5D pop ebp
:0042A1E0 C3 ret

對了，剛剛想金盆洗手，還有一個事沒有交代呢？關於為什麼要輸入八位的事，（說
起來，就要記起臺灣78787878大師和中國的12121212新生代，八字先生）瞎貓逮著個死老鼠！
讓我找一下程式碼，我的紙上有N個地址，see...see.......找了21分鐘...OK!
Let us see 一 see.
:00429533 FF461C inc [esi+1C]
:00429536 8B83C8010000 mov eax, dword ptr [ebx+000001C8]
:0042953C E83BC30100 call 0044587C
:00429541 66C746100800 mov [esi+10], 0008
:00429547 66C746103800 mov [esi+10], 0038
:0042954D 33C9 xor ecx, ecx
:0042954F 894DEC mov dword ptr [ebp-14], ecx
:00429552 8D55EC lea edx, dword ptr [ebp-14]
:00429555 FF461C inc [esi+1C]
:00429558 8B83C8010000 mov eax, dword ptr [ebx+000001C8]
:0042955E E819C30100 call 0044587C
:00429563 8D45EC lea eax, dword ptr [ebp-14]
:00429566 E863320200 call 0044C7CE
:0042956B 83F808 cmp eax, 00000008
^^^^^^^^^^^^^^^^^---->eax-->為輸入碼長度
:0042956E 751B jne 0042958B
^^^^^^^^^^^^--------->不等於8就BaiByby
:00429570 837DF800 cmp dword ptr [ebp-08], 00000000
:00429574 7405 je 0042957B
:00429576 8B55F8 mov edx, dword ptr [ebp-08]
:00429579 EB05 jmp 00429580
對了對了，還有一點
\HKEY_CURRENT_USER\Software\XA Tech\Jpeg0pt中code值儲存註冊碼。
完成時間
2000.2.18.7:22
歷時6個小時零51分鐘（包括2個小時的睡眠）^_^

用W32DASM破解JPEG Optimizer 4.0 (8千字)

相關文章