Mp3 to All Convertor 1.22的注册陷井
by Fpc[CCG] & 6767 [BCG] @2001/08
tools: SI, icedump, wdasm, ti, fi, peditor, dede (几乎都是老外写的工具)
软件名称:Mp3 To All Converter
整理日期:2001.8.16
最新版本:1.22
文件大小:1707KB
软件授权:共享软件
使用平台:Win9x/Me/NT/2000
发布公司:Home page
软件简介:Mp3To All Converter可将MP3音乐转换成MP3、WMA、VQF格式的工具,且使用上相当简单快速、只需点选MP3音乐、利用鼠标右键快显功能即可。
下 载:http://gt.onlinedown.net/down/mp32all_inst.exe
作者(好像是国人)不知出于什么目的,这个版本的注册蛮有意思,可以说是设下了个小圈套。记得以前的一个版本是cmp esi, eax比较了事,这个版本改掉了。是不是以后改用keyfile保护,有待观察。
[Begin]
下面的步骤中,脱壳不是必须的,只是为了静态分析使用。
1、安装后运行,出现注册窗口,有Name、Key和Code项,随便填入注册信息,注册,得到出错信息。用SI下bpx hmemcpy粗粗跟了一下,还是出错,不过知道了这是个delphi程序。静态分析看一下;
2、用fi检查发现是petite 2.1的壳,很旧的一个壳,完全可以手动脱。但procdump没有这个脚本,脱不了。用ti看一下入口点RVA:6B638,再用peditor看Size of Image:91000,记下来。
3、运行icedump,用Symbol Loader载入主文件,停在入口处,用G指令:g 46B638直接到原始入口,下:/dump 400000 91000 d:abc.exe。这样得到脱壳文件;
4、运行peditor编辑这个文件,改入口为:6B638,再段编辑,选dumpfixer修复脱壳文件,保存后运行它,没有问题;
5、用dede载入这个abc.exe,在Procedures中找到TRegForm,在右边双击BRegClick,这就是注册按钮的相关代码,在下面:
; ---------------------------------------------------------------------
; TRegForm.BRegClick — DeDe listing of the Register button handler.
; Intel syntax. Delphi register convention assumed (eax/edx/ecx carry
; the first three arguments, the callee cleans the stack) — TODO confirm.
; ebx = the form instance: [ebx+$0308] = EName, [ebx+$0310] = EKey,
; [ebx+$02F0] = ECode (names taken from DeDe's "Reference to control").
; [ebp+$FFFFxxxx] operands are negative frame offsets, e.g. $FFFFFE2C =
; ebp-$1D4; they hold AnsiString temporaries released in the FINALLY block.
; The listing is elided ("... ...") between 0046791C and 0046793D.
; ---------------------------------------------------------------------
0046791C 55              push ebp                     ; frame setup (rest of prologue elided)
... ...
0046793D 8D55FC          lea edx, [ebp-$04]           ; edx -> local string that receives Name
* Reference to control EName : N.A.
|
00467940 8B8308030000    mov eax, [ebx+$0308]         ; eax = Self.EName
* Reference to: Controls.TControl.GetText()
|
00467946 E8DD21FCFF      call 00429B28                ; <- 读Name的内容 (Name := EName.Text)
|
0046794B E834F9FFFF      call 00467284                ; <- 与dll相关,不用管 (dll-related per the author; returns a pointer in eax)
00467950 8BF0            mov esi, eax                 ; esi = that pointer
00467952 89B314030000    mov [ebx+$0314], esi         ; also kept in the form at +$0314
00467958 8D952CFEFFFF    lea edx, [ebp+$FFFFFE2C]     ; edx -> local string for Key (ebp-$1D4)
* Reference to control EKey : N.A.
|
0046795E 8B8310030000    mov eax, [ebx+$0310]         ; eax = Self.EKey
* Reference to: Controls.TControl.GetText()
|
00467964 E8BF21FCFF      call 00429B28                ; <- 读Key (Key := EKey.Text)
00467969 8B852CFEFFFF    mov eax, [ebp+$FFFFFE2C]
* Reference to: System..DynArrayLength()
| or: System..LStrLen()
|
0046796F E8E4C3F9FF      call 00403D58                ; <- 取Key的长度 (eax = Length(Key))
00467974 50              push eax                     ; stack arg: Length(Key)
00467975 8D9528FEFFFF    lea edx, [ebp+$FFFFFE28]     ; second temp for Key (ebp-$1D8)
* Reference to control EKey : N.A.
|
0046797B 8B8310030000    mov eax, [ebx+$0310]
* Reference to: Controls.TControl.GetText()
|
00467981 E8A221FCFF      call 00429B28                ; Key read again into the second temp
00467986 8B8528FEFFFF    mov eax, [ebp+$FFFFFE28]
* Reference to: System..LStrToPChar()
|
0046798C E88BC5F9FF      call 00403F1C                ; <- 什么也不作 (author: nothing of interest; yields PChar(Key))
00467991 50              push eax                     ; stack arg: PChar(Key)
00467992 56              push esi                     ; stack arg: the pointer from 00467284
00467993 8B06            mov eax, [esi]               ; eax = its vtable
00467995 FF5004          call dword ptr [eax+$04]     ; <- 对dll函数的调用,不管它 (virtual call, slot 1; dll function per the author)
|
打断一下,前面提到的注册中的陷井就在下面这个call中。我们注意到它检查出口的eax是否为0,如果是0,紧接着就是注册失败的信息。进入这个call(见之后的代码),会发现它只是在处理dll中的函数(与注册无关),但所有的出口前都有xor eax, eax。就是说eax的返回值一定为0,你的注册注定失败!! 我是第一次见到这种情况。
继续看:
; ---------------------------------------------------------------------
; TRegForm.BRegClick, continued (same frame/register roles as above:
; ebx = form instance, esi = scratch object pointer, [ebp-$1D0] = a
; file record used for '\reg.txt').
; Flow: call 004673D4 -> zero result => 'Error!' box and leave;
; otherwise compare $21 bytes of the buffer returned by the second dll
; call with ECode.Text, and on a full match show a message and write
; Name, Code and Key, one per line, to <global path> + '\reg.txt'.
; ---------------------------------------------------------------------
00467998 E837FAFFFF      call 004673D4                ; the "trap": the author reports every exit of 004673D4 does xor eax,eax
0046799D 8BF0            mov esi, eax                 ; esi = result (always 0 according to that analysis)
0046799F 85F6            test esi, esi
004679A1 753F            jnz 004679E2                 ; <- 不为0跳下去继续处理 (non-zero: carry on below)
004679A3 6A10            push $10                     ; <- 为0就出错了 (zero: error path); $10 = MB_ICONERROR
* Possible String Reference to: 'Error!'
|
004679A5 68487C4600      push $00467C48               ; caption 'Error!'
004679AA 8D9524FEFFFF    lea edx, [ebp+$FFFFFE24]     ; edx -> message temp (ebp-$1DC)
004679B0 A1D0D64600      mov eax, dword ptr [$46D6D0] ; eax -> resource-string record
* Reference to: System.LoadResString(System.TResStringRec)
|
004679B5 E822DBF9FF      call 004054DC
004679BA 8D8524FEFFFF    lea eax, [ebp+$FFFFFE24]
* Possible String Reference to: ' Click OK to Exit.'
|
004679C0 BA587C4600      mov edx, $00467C58
* Reference to: System..LStrCat()
|
004679C5 E896C3F9FF      call 00403D60                ; msg := resstring + ' Click OK to Exit.'
004679CA 8B8524FEFFFF    mov eax, [ebp+$FFFFFE24]
* Reference to: System..LStrToPChar()
|
004679D0 E847C5F9FF      call 00403F1C
004679D5 50              push eax                     ; text
004679D6 6A00            push $00                     ; hWnd = 0
|
004679D8 E813F2F9FF      call 00406BF0                ; unnamed by DeDe; push order matches MessageBoxA(0, text, 'Error!', $10) -- TODO confirm
004679DD E9F8010000      jmp 00467BDA                 ; <- 之后直接跳走,准备返回了 (straight to the common exit)
004679E2 6A08            push $08                     ; <- 向下的这一段不用管 (author: skip this part); extra stack arg for the virtual call at 00467A21, presumably
004679E4 8D9520FEFFFF    lea edx, [ebp+$FFFFFE20]
* Reference to control EName : N.A.
|
004679EA 8B8308030000    mov eax, [ebx+$0308]
* Reference to: Controls.TControl.GetText()
|
004679F0 E83321FCFF      call 00429B28                ; Name := EName.Text
004679F5 8B8520FEFFFF    mov eax, [ebp+$FFFFFE20]
* Reference to: System..LStrToPChar()
|
004679FB E81CC5F9FF      call 00403F1C
00467A00 50              push eax                     ; stack arg: PChar(Name)
00467A01 8D951CFEFFFF    lea edx, [ebp+$FFFFFE1C]
* Reference to control EKey : N.A.
|
00467A07 8B8310030000    mov eax, [ebx+$0310]
* Reference to: Controls.TControl.GetText()
|
00467A0D E81621FCFF      call 00429B28                ; Key := EKey.Text
00467A12 8B851CFEFFFF    mov eax, [ebp+$FFFFFE1C]
* Reference to: System..LStrToPChar()
|
00467A18 E8FFC4F9FF      call 00403F1C
00467A1D 50              push eax                     ; stack arg: PChar(Key)
00467A1E 56              push esi                     ; stack arg: object returned by 004673D4
00467A1F 8B06            mov eax, [esi]               ; eax = its vtable
00467A21 FF5004          call dword ptr [eax+$04]     ; virtual call, slot 1 (dll side, per the author)
00467A24 8BF0            mov esi, eax                 ; esi -> byte buffer that is compared with ECode below
00467A26 8D9518FEFFFF    lea edx, [ebp+$FFFFFE18]
* Reference to control ECode : N.A.
|
00467A2C 8B83F0020000    mov eax, [ebx+$02F0]
* Reference to: Controls.TControl.GetText()
|
00467A32 E8F120FCFF      call 00429B28                ; Code := ECode.Text
00467A37 8B8518FEFFFF    mov eax, [ebp+$FFFFFE18]
* Reference to: System..LStrToPChar()
|
00467A3D E8DAC4F9FF      call 00403F1C
00467A42 8BD0            mov edx, eax                 ; edx = PChar(Code)
00467A44 33C0            xor eax, eax                 ; i := 0
; Compare esi[i] with Code[i] for i = 0..$20, i.e. exactly 33 bytes.
; There is no length check: a Code shorter than 33 characters makes the
; loop read past its terminator, so the compare then fails on the first
; differing byte rather than on length.
00467A46 8A0C06          mov cl, byte ptr [esi+eax]
00467A49 3A0C02          cmp cl, byte ptr [edx+eax]
00467A4C 744D            jz 00467A9B                  ; equal -> advance
00467A4E 6A10            push $10                     ; mismatch: MessageBox flags, $10 = MB_ICONERROR
00467A50 8D9514FEFFFF    lea edx, [ebp+$FFFFFE14]
00467A56 A1B8D84600      mov eax, dword ptr [$46D8B8]
* Reference to: System.LoadResString(System.TResStringRec)
|
00467A5B E87CDAF9FF      call 004054DC
00467A60 8B8514FEFFFF    mov eax, [ebp+$FFFFFE14]
* Reference to: System..LStrToPChar()
|
00467A66 E8B1C4F9FF      call 00403F1C
00467A6B 50              push eax                     ; caption (popped into ecx at 00467A90)
00467A6C 8D9510FEFFFF    lea edx, [ebp+$FFFFFE10]
00467A72 A1D0D64600      mov eax, dword ptr [$46D6D0] ; same resource string as the first error box
* Reference to: System.LoadResString(System.TResStringRec)
|
00467A77 E860DAF9FF      call 004054DC
00467A7C 8B8510FEFFFF    mov eax, [ebp+$FFFFFE10]
* Reference to: System..LStrToPChar()
|
00467A82 E895C4F9FF      call 00403F1C
00467A87 8BD0            mov edx, eax                 ; edx = text
00467A89 A12CD84600      mov eax, dword ptr [$46D82C]
00467A8E 8B00            mov eax, [eax]               ; eax = Application (object DeDe resolves MessageBox() against)
00467A90 59              pop ecx                      ; ecx = caption
* Reference to: Forms.TApplication.MessageBox()
|
00467A91 E862FEFDFF      call 004478F8                ; Application.MessageBox(text, caption, $10)
00467A96 E93F010000      jmp 00467BDA                 ; -> common exit, nothing written
00467A9B 40              inc eax
00467A9C 83F821          cmp eax, +$21
00467A9F 75A5            jnz 00467A46                 ; loop until i = $21
; All 33 bytes matched: success message, then the key file is written.
00467AA1 6A00            push $00                     ; MessageBox flags = 0 (MB_OK)
00467AA3 8D950CFEFFFF    lea edx, [ebp+$FFFFFE0C]
00467AA9 A134D64600      mov eax, dword ptr [$46D634]
* Reference to: System.LoadResString(System.TResStringRec)
|
00467AAE E829DAF9FF      call 004054DC
00467AB3 8B850CFEFFFF    mov eax, [ebp+$FFFFFE0C]
* Reference to: System..LStrToPChar()
|
00467AB9 E85EC4F9FF      call 00403F1C
00467ABE 50              push eax                     ; caption
00467ABF 8D9508FEFFFF    lea edx, [ebp+$FFFFFE08]
00467AC5 A1C4D84600      mov eax, dword ptr [$46D8C4]
* Reference to: System.LoadResString(System.TResStringRec)
|
00467ACA E80DDAF9FF      call 004054DC
00467ACF 8B8508FEFFFF    mov eax, [ebp+$FFFFFE08]
* Reference to: System..LStrToPChar()
|
00467AD5 E842C4F9FF      call 00403F1C
00467ADA 8BD0            mov edx, eax                 ; edx = text
00467ADC A12CD84600      mov eax, dword ptr [$46D82C]
00467AE1 8B00            mov eax, [eax]               ; Application
00467AE3 59              pop ecx                      ; caption
* Reference to: Forms.TApplication.MessageBox()
|
00467AE4 E80FFEFDFF      call 004478F8                ; Application.MessageBox(text, caption, 0)
00467AE9 8B15F8D84600    mov edx, [$46D8F8]
00467AEF 8B12            mov edx, [edx]               ; edx = a global string; presumably a directory path -- verify
00467AF1 8D8504FEFFFF    lea eax, [ebp+$FFFFFE04]     ; eax -> result temp (ebp-$1FC)
* Possible String Reference to: '\reg.txt'
<- 这个是什么显然值得怀疑 (what this is for clearly deserves suspicion)
|
00467AF7 B9747C4600      mov ecx, $00467C74           ; ecx = '\reg.txt'
* Reference to: System..LStrCat3()
|
00467AFC E8A3C2F9FF      call 00403DA4                ; path := <global string> + '\reg.txt'
00467B01 8B9504FEFFFF    mov edx, [ebp+$FFFFFE04]     ; edx = path
00467B07 8D8530FEFFFF    lea eax, [ebp+$FFFFFE30]     ; eax -> file record at ebp-$1D0
|
00467B0D E8FCDCF9FF      call 0040580E                ; unnamed by DeDe; with the WriteLn/Close sequence below this reads as Assign(f, path) -- TODO confirm
00467B12 8D8530FEFFFF    lea eax, [ebp+$FFFFFE30]
|
00467B18 E845DFF9FF      call 00405A62                ; unnamed; reads as Rewrite(f) -- TODO confirm
* Reference to: System.._IOTest()
|
00467B1D E8A2ACF9FF      call 004027C4                ; <- 向下的一段是写文件操作 (from here on: file-writing)
00467B22 8D9500FEFFFF    lea edx, [ebp+$FFFFFE00]
* Reference to control EName : N.A.
|
00467B28 8B8308030000    mov eax, [ebx+$0308]
* Reference to: Controls.TControl.GetText()
|
00467B2E E8F51FFCFF      call 00429B28                ; Name := EName.Text
00467B33 8B8500FEFFFF    mov eax, [ebp+$FFFFFE00]
* Reference to: System..LStrToPChar()
|
00467B39 E8DEC3F9FF      call 00403F1C
00467B3E 8BD0            mov edx, eax                 ; edx = PChar(Name)
00467B40 8D8530FEFFFF    lea eax, [ebp+$FFFFFE30]     ; eax -> file record
|
00467B46 E86DE0F9FF      call 00405BB8                ; unnamed; writes the PChar into the text file, finished by the WriteLn below
* Reference to: System..WriteLn()
|
00467B4B E8EBDFF9FF      call 00405B3B                ; reg.txt line 1: Name
* Reference to: System.._IOTest()
|
00467B50 E86FACF9FF      call 004027C4
00467B55 8D95FCFDFFFF    lea edx, [ebp+$FFFFFDFC]
* Reference to control ECode : N.A.
|
00467B5B 8B83F0020000    mov eax, [ebx+$02F0]
* Reference to: Controls.TControl.GetText()
|
00467B61 E8C21FFCFF      call 00429B28                ; Code := ECode.Text
00467B66 8B85FCFDFFFF    mov eax, [ebp+$FFFFFDFC]
* Reference to: System..LStrToPChar()
|
00467B6C E8ABC3F9FF      call 00403F1C
00467B71 8BD0            mov edx, eax
00467B73 8D8530FEFFFF    lea eax, [ebp+$FFFFFE30]
|
00467B79 E83AE0F9FF      call 00405BB8
* Reference to: System..WriteLn()
|
00467B7E E8B8DFF9FF      call 00405B3B                ; reg.txt line 2: Code
* Reference to: System.._IOTest()
|
00467B83 E83CACF9FF      call 004027C4
00467B88 8D95F8FDFFFF    lea edx, [ebp+$FFFFFDF8]
* Reference to control EKey : N.A.
|
00467B8E 8B8310030000    mov eax, [ebx+$0310]
* Reference to: Controls.TControl.GetText()
|
00467B94 E88F1FFCFF      call 00429B28                ; Key := EKey.Text
00467B99 8B85F8FDFFFF    mov eax, [ebp+$FFFFFDF8]
* Reference to: System..LStrToPChar()
|
00467B9F E878C3F9FF      call 00403F1C
00467BA4 8BD0            mov edx, eax
00467BA6 8D8530FEFFFF    lea eax, [ebp+$FFFFFE30]
|
00467BAC E807E0F9FF      call 00405BB8
* Reference to: System..WriteLn()
|
00467BB1 E885DFF9FF      call 00405B3B                ; reg.txt line 3: Key
* Reference to: System.._IOTest()
|
00467BB6 E809ACF9FF      call 004027C4
00467BBB 8D8530FEFFFF    lea eax, [ebp+$FFFFFE30]
* Reference to: System..Close()
|
00467BC1 E8EADCF9FF      call 004058B0                ; Close(f)
* Reference to: System.._IOTest()
|
00467BC6 E8F9ABF9FF      call 004027C4
00467BCB A12CD84600      mov eax, dword ptr [$46D82C]
00467BD0 8B00            mov eax, [eax]               ; Application
00467BD2 8B4038          mov eax, [eax+$38]           ; a form held at +$38 (likely the main form -- not confirmed)
* Reference to: Forms.TCustomForm.Close()
|
00467BD5 E8AAC8FDFF      call 00444484                ; close that form
; --- common exit: every path above lands here ---
00467BDA 33C0            xor eax, eax
00467BDC 5A              pop edx                      ; previous SEH frame saved by the try prologue
00467BDD 59              pop ecx
00467BDE 59              pop ecx
00467BDF 648910          mov fs:[eax], edx            ; restore fs:[0]: unlink the try/finally frame
****** FINALLY
|
* Possible String Reference to: '^[嬪]肊rror!'
|
00467BE2 68427C4600      push $00467C42               ; NOT a string: $00467C42 is the 'pop esi' after the finally block (see END)
                                                      ; DeDe mis-decoded the bytes 5E 5B 8B E5 5D C3 followed by 'Error!' as text
00467BE7 8D85F8FDFFFF    lea eax, [ebp+$FFFFFDF8]
00467BED BA03000000      mov edx, $00000003
* Reference to: System..LStrArrayClr()
|
00467BF2 E805BFF9FF      call 00403AFC                ; release 3 string temps starting at ebp-$208
00467BF7 8D8504FEFFFF    lea eax, [ebp+$FFFFFE04]
00467BFD BA05000000      mov edx, $00000005
* Reference to: System..LStrArrayClr()
|
00467C02 E8F5BEF9FF      call 00403AFC                ; release 5 temps starting at ebp-$1FC
00467C07 8D8518FEFFFF    lea eax, [ebp+$FFFFFE18]
00467C0D BA03000000      mov edx, $00000003
* Reference to: System..LStrArrayClr()
|
00467C12 E8E5BEF9FF      call 00403AFC                ; release 3 temps starting at ebp-$1E8
00467C17 8D8524FEFFFF    lea eax, [ebp+$FFFFFE24]
* Reference to: System..LStrClr(System.AnsiString)
|
00467C1D E8B6BEF9FF      call 00403AD8                ; release the error-message temp
00467C22 8D8528FEFFFF    lea eax, [ebp+$FFFFFE28]
00467C28 BA02000000      mov edx, $00000002
* Reference to: System..LStrArrayClr()
|
00467C2D E8CABEF9FF      call 00403AFC                ; release 2 temps starting at ebp-$1D8
00467C32 8D45FC          lea eax, [ebp-$04]
* Reference to: System..LStrClr(System.AnsiString)
|
00467C35 E89EBEF9FF      call 00403AD8                ; release Name
00467C3A C3              ret                          ; "returns" to the pushed $00467C42
00467C3B E9ACB8F9FF      jmp 004034EC                 ; exception path: unnamed RTL helper (presumably the finally handler -- not confirmed)
00467C40 EBA5            jmp 00467BE7                 ; re-run the cleanup
****** END
|
00467C42 5E              pop esi
00467C43 5B              pop ebx
00467C44 8BE5            mov esp, ebp
00467C46 5D              pop ebp
00467C47 C3              ret                          ; <- 返回了 (back to the VCL)
显然大家想知道00467998处call 004673D4里面的内容,贴出来,我不作解释,注意看xor eax, eax语句:
004673D4 55
push ebp
004673D5 8BEC
mov ebp, esp
004673D7 33C9
xor ecx, ecx
004673D9 51
push ecx
004673DA 51
push ecx
004673DB 51
push ecx
004673DC 51
push ecx
004673DD 51
push ecx
004673DE 53
push ebx
004673DF 56
push esi
004673E0 57
push edi
004673E1 33C0
xor eax, eax
004673E3 55
push ebp
* Possible String Reference to: '闈岿腚嬅_^[嬪]?
|
004673E4 684A754600 push
$0046754A
***** TRY
|
004673E9 64FF30
push dword ptr fs:[eax]
004673EC 648920
mov fs:[eax], esp
004673EF 8D45FC
lea eax, [ebp-$04]
* Possible String Reference to: '\Mp3Converter.dll'
|
004673F2 BA64754600 mov
edx, $00467564
* Reference to: System..LStrLAsg()
|
- 标 题:Mp3 to All Convertor 1.22的注册陷井 (28千字)
- 作 者:6767[BCG]
- 时 间:2001-8-17 2:17:26
- 链 接:http://bbs.pediy.com