软件名称: MP3信息批量处理器
最新版本: 2.1.6
适用平台: Win9x, WinME, WinNT, Win2000, WinXP
作者主页: http://tfct.myrice.com
主要功能:
只要指定好文件夹,她便会将该文件夹中所有MP3文件的Tag资料汇总于一个表格中,包括歌手名称、专辑名称、歌名、备注等等,便于你针对单一文件或是文件群做Tag的浏览与修改.
Mp3信息批量处理器支持高速mp3 tag的信息转换,可以瞬间就将您的mp3文件打上自己的标志。
【软件限制】:30次试用
【难 度】: so简单,适合初学者练手
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:olldydbg、IDA Pro、PeId 0.9、Aspack Die1.41
—————————————————————————————————
【过 程】:
用peid探测得壳为aspack2.12,用aspack die1.41很容易脱去,delphi程序。
首先注意到未注册标题栏有'-未注册版'字样,于是
IDA中查找,找到其引用之处:
CODE:0049E2BF mov ebx, eax
CODE:0049E2C1 lea edx, [ebp-4]
CODE:0049E2C4 mov eax, ds:dword_4A2CA0
CODE:0049E2C9 call @TControl@GetText$qqrv ; TControl::GetText(void)
CODE:0049E2CE lea eax, [ebp-4]
CODE:0049E2D1 mov edx, offset _str__________.Text
CODE:0049E2D6 call @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:0049E2DB mov edx, [ebp-4]
CODE:0049E2DE mov eax, ds:dword_4A2CA0
CODE:0049E2E3 call @Controls@TControl@SetText$qqrx17System@AnsiString ; Controls::TControl::SetText(System::AnsiString)
CODE:0049E2E8
向上看寻找可疑跳转
CODE:0049E271 call sub_49EA20 ; 可疑,进去看看
CODE:0049E276 test al, al
CODE:0049E278 jz short loc_49E2A3
sub_49EA20:
0049EA20 > $ 55 PUSH EBP
0049EA21 . 8BEC MOV EBP, ESP
0049EA23 . 83C4 CC ADD ESP, -34
0049EA26 . 53 PUSH EBX
0049EA27 . 56 PUSH ESI
0049EA28 . 33D2 XOR EDX, EDX
0049EA2A . 8955 CC MOV DWORD PTR SS:[EBP-34], EDX
0049EA2D . 8955 F0 MOV DWORD PTR SS:[EBP-10], EDX
0049EA30 . 8955 EC MOV DWORD PTR SS:[EBP-14], EDX
0049EA33 . 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
0049EA36 . 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0049EA39 . E8 6E60F6FF CALL <unpacked.System::__linkproc__ LStrAddRef(void)>
0049EA3E . 33C0 XOR EAX, EAX
0049EA40 . 55 PUSH EBP
0049EA41 . 68 E1EB4900 PUSH <unpacked.loc_49EBE1>
0049EA46 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049EA49 . 64:8920 MOV DWORD PTR FS:[EAX], ESP
0049EA4C . C645 FB 00 MOV BYTE PTR SS:[EBP-5], 0
0049EA50 . 33C0 XOR EAX, EAX
0049EA52 . 55 PUSH EBP
0049EA53 . 68 AFEB4900 PUSH <unpacked.loc_49EBAF>
0049EA58 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049EA5B . 64:8920 MOV DWORD PTR FS:[EAX], ESP
0049EA5E . 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
0049EA61 . B2 01 MOV DL, 1
0049EA63 . A1 68A14300 MOV EAX, DWORD PTR DS:[<dword_43A168>]
0049EA68 . E8 ABB7F9FF CALL <unpacked.unknown_libname_239>
0049EA6D . 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
0049EA70 . B2 01 MOV DL, 1
0049EA72 . A1 B4B04300 MOV EAX, DWORD PTR DS:[<dword_43B0B4>]
0049EA77 . E8 38C7F9FF CALL <unpacked.Registry::TRegistry::TRegistry(void)>
0049EA7C . 8945 E8 MOV DWORD PTR SS:[EBP-18], EAX
0049EA7F . BA 01000080 MOV EDX, 80000001
0049EA84 . 8B45 E8 MOV EAX, DWORD PTR SS:[EBP-18]
0049EA87 . E8 C8C7F9FF CALL <unpacked.Registry::TRegistry::SetRootKey(uint)>
0049EA8C . B1 01 MOV CL, 1
0049EA8E . BA FCEB4900 MOV EDX, unpacked.0049EBFC ; ASCII "SOFTWARERunTimes"
0049EA93 . 8B45 E8 MOV EAX, DWORD PTR SS:[EBP-18]
0049EA96 . E8 1DC8F9FF CALL <unpacked.Registry::TRegistry::OpenKey(System::AnsiStri>
0049EA9B . 6A 00 PUSH 0
0049EA9D . 8D45 F0 LEA EAX, DWORD PTR SS:[EBP-10]
0049EAA0 . 50 PUSH EAX
0049EAA1 . B9 18EC4900 MOV ECX, unpacked.0049EC18 ; ASCII "Name"
0049EAA6 . BA 28EC4900 MOV EDX, unpacked.0049EC28 ; ASCII "Register"
0049EAAB . 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
0049EAAE . 8B18 MOV EBX, DWORD PTR DS:[EAX]
0049EAB0 . FF13 CALL DWORD PTR DS:[EBX]
0049EAB2 . C745 D8 00000>MOV DWORD PTR SS:[EBP-28], 0
0049EAB9 . C745 DC 00000>MOV DWORD PTR SS:[EBP-24], 0
0049EAC0 . 837D F0 00 CMP DWORD PTR SS:[EBP-10], 0 ; 从ini文件读出的用户名,不过最后注册码与用户名无关
0049EAC4 . 0F84 C7000000 JE <unpacked.loc_49EB91>
0049EACA . 6A 00 PUSH 0
0049EACC . 8D45 EC LEA EAX, DWORD PTR SS:[EBP-14]
0049EACF . 50 PUSH EAX
0049EAD0 . B9 3CEC4900 MOV ECX, unpacked.0049EC3C ; ASCII "RegNum"
0049EAD5 . BA 28EC4900 MOV EDX, unpacked.0049EC28 ; ASCII "Register"
0049EADA . 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
0049EADD . 8B18 MOV EBX, DWORD PTR DS:[EAX]
0049EADF . FF13 CALL DWORD PTR DS:[EBX]
0049EAE1 . 837D EC 00 CMP DWORD PTR SS:[EBP-14], 0 ; 从ini文件读出的注册码
0049EAE5 . 0F84 A6000000 JE <unpacked.loc_49EB91>
0049EAEB . 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-10]
0049EAEE . BA 4CEC4900 MOV EDX, unpacked.0049EC4C ; ASCII "Serial"
0049EAF3 . 8B45 E8 MOV EAX, DWORD PTR SS:[EBP-18]
0049EAF6 . E8 85C9F9FF CALL <unpacked.TRegistry::ReadString(AnsiString)>
0049EAFB . 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10] ; 从注册表中文件读出的用户序列号
0049EAFE . E8 B95DF6FF CALL <unpacked.System::_16823>
0049EB03 . 8BD8 MOV EBX, EAX
0049EB05 . 85DB TEST EBX, EBX
0049EB07 . 7E 44 JLE SHORT <unpacked.loc_49EB4D>
0049EB09 . BE 01000000 MOV ESI, 1
0049EB0E > > 8D45 CC LEA EAX, DWORD PTR SS:[EBP-34]
0049EB11 . 50 PUSH EAX
0049EB12 . B9 01000000 MOV ECX, 1
0049EB17 . 8BD6 MOV EDX, ESI
0049EB19 . 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10]
0049EB1C . E8 1B7CF9FF CALL <unpacked.sub_43673C> ; * Reference to: StrUtils.MidStr(AnsiString;Integer;Integer):AnsiString;overload;
0049EB21 . 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34] ; 读取用户序列号一字节
0049EB24 . 8D55 E4 LEA EDX, DWORD PTR SS:[EBP-1C]
0049EB27 . E8 00A2F6FF CALL <unpacked.sub_408D2C> ; * Reference to: SysUtils.TryStrToInt(AnsiString;Integer;Integer):Boolean;
0049EB2C . 84C0 TEST AL, AL
0049EB2E . 74 19 JE SHORT <unpacked.loc_49EB49>
0049EB30 . 6A 00 PUSH 0
0049EB32 . 6A 05 PUSH 5
0049EB34 . 8B45 E4 MOV EAX, DWORD PTR SS:[EBP-1C]
0049EB37 . 99 CDQ
0049EB38 . 0345 D8 ADD EAX, DWORD PTR SS:[EBP-28]
0049EB3B . 1355 DC ADC EDX, DWORD PTR SS:[EBP-24]
0049EB3E . E8 3569F6FF CALL <unpacked.sub_405478> ; * Reference to: System.@_llmul; or System.@_llmulo;
0049EB43 . 8945 D8 MOV DWORD PTR SS:[EBP-28], EAX
0049EB46 . 8955 DC MOV DWORD PTR SS:[EBP-24], EDX
0049EB49 > > 46 INC ESI
0049EB4A . 4B DEC EBX
0049EB4B .^ 75 C1 JNZ SHORT <unpacked.loc_49EB0E>
0049EB4D > > 8B45 EC MOV EAX, DWORD PTR SS:[EBP-14]
0049EB50 . E8 83A1F6FF CALL <unpacked.Sysutils::StrToInt(System::AnsiString)>
0049EB55 . 85C0 TEST EAX, EAX
0049EB57 . 79 03 JNS SHORT <unpacked.loc_49EB5C>
0049EB59 . 83C0 07 ADD EAX, 7
0049EB5C > > C1F8 03 SAR EAX, 3 ; 用户输入值转为int后除以8
0049EB5F . 99 CDQ ; 扩展为64位整数
0049EB60 . 8945 D0 MOV DWORD PTR SS:[EBP-30], EAX ; 取低32位
0049EB63 . 8955 D4 MOV DWORD PTR SS:[EBP-2C], EDX ; 取高32位
0049EB66 . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
0049EB69 . 8B55 DC MOV EDX, DWORD PTR SS:[EBP-24]
0049EB6C . 3B55 D4 CMP EDX, DWORD PTR SS:[EBP-2C] ; 比较高32位
0049EB6F . 75 03 JNZ SHORT <unpacked.loc_49EB74>
0049EB71 . 3B45 D0 CMP EAX, DWORD PTR SS:[EBP-30] ; 比较低32位
0049EB74 > > 74 07 JE SHORT <unpacked.loc_49EB7D>
0049EB76 . E8 E554F6FF CALL <unpacked.System::__linkproc__ TryFinallyExit(void)>
0049EB7B . EB 39 JMP SHORT <unpacked.loc_49EBB6>
...
关于试用期:在文件中查找"date"项,容易找到这里
0049EEE3 |. B1 01 MOV CL, 1
0049EEE5 |. BA E4EF4900 MOV EDX, unpacked.0049EFE4 ; ASCII "SOFTWARERunTimes"
0049EEEA |. 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
0049EEED |. E8 C6C3F9FF CALL <unpacked.Registry::TRegistry::OpenKey(System::AnsiStri>
0049EEF2 |. 8D4D F4 LEA ECX, DWORD PTR SS:[EBP-C]
0049EEF5 |. BA 00F04900 MOV EDX, unpacked.0049F000 ; ASCII "Date"
0049EEFA |. 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
0049EEFD |. E8 7EC5F9FF CALL <unpacked.TRegistry::ReadString(AnsiString)>
0049EF02 |. 33C0 XOR EAX, EAX
0049EF04 |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
0049EF07 |. 8D55 F0 LEA EDX, DWORD PTR SS:[EBP-10]
0049EF0A |. 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
0049EF0D |. E8 AAFAFFFF CALL <unpacked.unknown_libname_577>
0049EF12 |. 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10]
0049EF15 |. E8 BE9DF6FF CALL <unpacked.Sysutils::StrToInt(System::AnsiString)>
0049EF1A |. 83E8 1E SUB EAX, 1E ; 是否到30次了?
0049EF1D |. 85C0 TEST EAX, EAX
0049EF1F |. 7E 0E JLE SHORT <unpacked.loc_49EF2F>
0049EF21 |. C745 FC 01000>MOV DWORD PTR SS:[EBP-4], 1
0049EF28 |. 33C0 XOR EAX, EAX
0049EF2A |. A3 A82C4A00 MOV DWORD PTR DS:[4A2CA8], EAX
0049EF2F >|> 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10]
0049EF32 |. E8 A19DF6FF CALL <unpacked.Sysutils::StrToInt(System::AnsiString)>
0049EF37 |. 83E8 1E SUB EAX, 1E
0049EF3A |. 79 57 JNS SHORT <unpacked.loc_49EF93>
0049EF3C |. 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10]
0049EF3F |. E8 949DF6FF CALL <unpacked.Sysutils::StrToInt(System::AnsiString)>
0049EF44 |. 40 INC EAX ; 若未到则使用次数加1
0049EF45 |. 8D55 EC LEA EDX, DWORD PTR SS:[EBP-14]
0049EF48 |. E8 4F9CF6FF CALL <unpacked.sub_408B9C>
0049EF4D |. 8B55 EC MOV EDX, DWORD PTR SS:[EBP-14]
0049EF50 |. 8D45 F0 LEA EAX, DWORD PTR SS:[EBP-10]
0049EF53 |. E8 3C57F6FF CALL <unpacked.System::__linkproc__ LStrLAsg(void)>
0049EF58 |. 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10]
0049EF5B |. E8 789DF6FF CALL <unpacked.Sysutils::StrToInt(System::AnsiString)>
0049EF60 |. BA 1E000000 MOV EDX, 1E
0049EF65 |. 2BD0 SUB EDX, EAX
0049EF67 |. 8915 A82C4A00 MOV DWORD PTR DS:[4A2CA8], EDX
0049EF6D |. 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18]
0049EF70 |. 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10]
0049EF73 |. E8 C8FEFFFF CALL <unpacked.unknown_libname_578>
0049EF78 |. 8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18]
0049EF7B |. 8D45 F0 LEA EAX, DWORD PTR SS:[EBP-10]
0049EF7E |. E8 1157F6FF CALL <unpacked.System::__linkproc__ LStrLAsg(void)>
0049EF83 |. 8B4D F0 MOV ECX, DWORD PTR SS:[EBP-10]
0049EF86 |. BA 00F04900 MOV EDX, unpacked.0049F000 ; ASCII "Date"
0049EF8B |. 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
0049EF8E |. E8 C1C4F9FF CALL <unpacked.sub_43B454> ; 重新写注册表"date"项
0049EF93 >|> 33C0 XOR EAX, EAX
...
来看看使用次数编码函数
<unpacked.unknown_libname_578>
0049EE40 >/$ 55 PUSH EBP
0049EE41 |. 8BEC MOV EBP, ESP
0049EE43 |. 51 PUSH ECX
0049EE44 |. 53 PUSH EBX
0049EE45 |. 56 PUSH ESI
0049EE46 |. 8BF2 MOV ESI, EDX
0049EE48 |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
0049EE4B |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0049EE4E |. E8 595CF6FF CALL <unpacked.System::__linkproc__ LStrAddRef(void)>
0049EE53 |. 33C0 XOR EAX, EAX
0049EE55 |. 55 PUSH EBP
0049EE56 |. 68 91EE4900 PUSH <unpacked.loc_49EE91>
0049EE5B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049EE5E |. 64:8920 MOV DWORD PTR FS:[EAX], ESP
0049EE61 |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0049EE64 |. E8 6F9EF6FF CALL <unpacked.Sysutils::StrToInt(System::AnsiString)> ; 已使用次数
0049EE69 |. 69D8 7CB20000 IMUL EBX, EAX, 0B27C ; 经简单算法运算
0049EE6F |. 83F3 08 XOR EBX, 8 ;
0049EE72 |. 8BD6 MOV EDX, ESI
0049EE74 |. 8BC3 MOV EAX, EBX
0049EE76 |. E8 219DF6FF CALL <unpacked.sub_408B9C> ; 转为字符串
0049EE7B |. 33C0 XOR EAX, EAX
0049EE7D |. 5A POP EDX
0049EE7E |. 59 POP ECX
0049EE7F |. 59 POP ECX
0049EE80 |. 64:8910 MOV DWORD PTR FS:[EAX], EDX
0049EE83 |. 68 98EE4900 PUSH <unpacked.loc_49EE98>
0049EE88 >|> 8D45 FC LEA EAX, DWORD PTR SS:[EBP-4]
0049EE8B |. E8 6C57F6FF CALL <unpacked.System::__linkproc__ LStrClr(System::AnsiStri>
0049EE90 . C3 RETN
注册算法十分简单,第一次运行先调用ole32.dll 的CoCreateGuid来生成用户码,保存在注册表HKCUSOFTWARERunTimes下Serial项,
注册码就是用户Serial中所有数字项从左向右,RegNum = 5*(上一次的RegNum + 此次数字值)迭代而得。
使用次数经简单编码后也放在HKCUSOFTWARERunTimes下的date项中。
用户名和注册码保存在同一目录下的MP3TAG.ini文件中,类似
[Register]
Name=sky
RegNum=17617160
初学delphi,用delphi写个注册机练练:
procedure TForm1.Button1Click(Sender: TObject);
var
strSerial:string;
I:Integer;
J:Integer;
intRegNum : Int64;
strRegNum:String;
begin
J:= 0;
intRegNum := 0;
strSerial := Edit1.text;
for I:=1 to length(strSerial) do
begin
if (ord(strSerial[I])>=48)and(ord(strSerial[I])<=57) then
begin
J := ord(strSerial[I])-48;
intRegNum := 5*(intRegNum + J);
end;
end;
intRegNum := intRegNum * 8 ;
strRegNum := intTostr(intRegNum);
label3.Caption := strRegNum;
end;
end.