Easy CD-DA Extractor V4.3.2
by 6767 [BCG]
工具:SoftICE, W32Dasm(写过程),UPX(用于解压缩)
用途:音乐CD的数据库及操作管理
地址:http://xt.onlinedown.net/down/ezcddax432.exe (4M多)
保护:20次使用限制;输入的注册信息不正确则UNLOCK不激活。
本想FOOL这个东东,没想到被FOOL了。安装后,运行,出现一个NAG,告诉你还可以用19次,上面还有KEY、KEY1,但随便输入信息,UNLOCK按钮不被激活,有一点麻烦。退出,观察注册表
-- [HKEY_CURRENT_USER\Software\Poikosoft\Easy CD-DA Extractor 4.3],好象没有记录使用次数的。那么就有可能是在文件中,是不是在它的目录下呢?按日期排序,列在最前面的有一个
Lame.dll(很有意思的名字)。再运行一次,回来看看,果然是它。将它备份,运行一次再覆盖回来会不会有帮助呢?结果一试之下,好嘛,直接就告诉你使用次数用完!(也省得点20次NAG和退出了)。可见使用次数并不只靠这个文件本身,把它还原成旧版本看起来反而被当成了篡改,具体还检查了什么这里没有追。让我们开始吧
^_^
运行,在KEY中输入:6767 [BCG],KEY1:JA88EUGPA。^D到SI,下Bpx hmemcpy(越来越喜欢这个万能中断),F5返回,在KEY1中再输入一个‘A’,立刻被拦到。按一次F5,再下
bd * 禁用全部断点。由于不是TRW,需要按几次F12才能返回程序领空,你会回到下面的程序段中:
* Referenced by a CALL at Addresses:
|:004630D9 , :004631E9
|
:00463210 55
push ebp
:00463211 8BEC
mov ebp, esp
:00463213 83C4C8
add esp, FFFFFFC8
:00463216 53
push ebx
:00463217 8BD8
mov ebx, eax
:00463219 B898F35600 mov eax,
0056F398
:0046321E E86D840C00 call 0052B690
:00463223 66C745D81400 mov [ebp-28],
0014
:00463229 33D2
xor edx, edx
:0046322B 8955F0
mov dword ptr [ebp-10], edx
:0046322E 8D55F0
lea edx, dword ptr [ebp-10]
:00463231 FF45E4
inc [ebp-1C]
:00463234 8B83EC020000 mov eax, dword
ptr [ebx+000002EC]
:0046323A E8FDC90700 call 004DFC3C
:0046323F 8D45F0
lea eax, dword ptr [ebp-10] <- 返回到这里,F10向下追踪
:00463242 33D2
xor edx, edx
:00463244 8955FC
mov dword ptr [ebp-04], edx
:00463247 8D55FC
lea edx, dword ptr [ebp-04]
:0046324A FF45E4
inc [ebp-1C]
:0046324D E8CAAC0E00 call 0054DF1C
:00463252 FF4DE4
dec [ebp-1C]
:00463255 8D45F0
lea eax, dword ptr [ebp-10]
:00463258 BA02000000 mov edx,
00000002
:0046325D E8CAA90E00 call 0054DC2C
:00463262 66C745D80800 mov [ebp-28],
0008
:00463268 66C745D82000 mov [ebp-28],
0020
:0046326E 33C0
xor eax, eax
:00463270 8945EC
mov dword ptr [ebp-14], eax
:00463273 8D55EC
lea edx, dword ptr [ebp-14]
:00463276 FF45E4
inc [ebp-1C]
:00463279 8B83E0020000 mov eax, dword
ptr [ebx+000002E0]
:0046327F E8B8C90700 call 004DFC3C
:00463284 8D45EC
lea eax, dword ptr [ebp-14]
:00463287 33D2
xor edx, edx
:00463289 8955F8
mov dword ptr [ebp-08], edx
:0046328C 8D55F8
lea edx, dword ptr [ebp-08]
:0046328F FF45E4
inc [ebp-1C]
:00463292 E885AC0E00 call 0054DF1C
:00463297 FF4DE4
dec [ebp-1C]
:0046329A 8D45EC
lea eax, dword ptr [ebp-14]
:0046329D BA02000000 mov edx,
00000002
:004632A2 E885A90E00 call 0054DC2C
:004632A7 66C745D80800 mov [ebp-28],
0008
:004632AD 66C745D82C00 mov [ebp-28],
002C
:004632B3 8B45FC
mov eax, dword ptr [ebp-04] <- 名字在[Eax]
:004632B6 85C0
test eax, eax
:004632B8 7405
je 004632BF <-
BadGuy
:004632BA 8B4DFC
mov ecx, dword ptr [ebp-04]
:004632BD EB05
jmp 004632C4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004632B8(C)
|
:004632BF B976EC5600 mov ecx,
0056EC76 <- 这里放的是‘0x00’
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004632BD(U)
|
:004632C4 51
push ecx
:004632C5 8B45F8
mov eax, dword ptr [ebp-08] <- 输入的注册码(Irc)到Eax
:004632C8 85C0
test eax, eax
:004632CA 7405
je 004632D1 <-
BadGuy
:004632CC 8B55F8
mov edx, dword ptr [ebp-08]
:004632CF EB05
jmp 004632D6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004632CA(C)
|
:004632D1 BA76EC5600 mov edx,
0056EC76
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004632CF(U)
|
:004632D6 52
push edx
:004632D7 E818040000 call 004636F4
<- !!! 计算注册码(Rc)的核心 !!!
:004632DC 83C408
add esp, 00000008
:004632DF 8BD0
mov edx, eax
:004632E1 8D45F4
lea eax, dword ptr [ebp-0C]
:004632E4 E89FA70E00 call 0054DA88
<- 将Rc复制到[ebp-0c]
:004632E9 FF45E4
inc [ebp-1C]
:004632EC 8D55F8
lea edx, dword ptr [ebp-08] <- Irc
:004632EF 66C745D80800 mov [ebp-28], 0008 <- 被这个0008骗的好惨,正确的Rc是10个字符!([ebp-28]在本函数里被反复写成0014/0008/0020/002C,和注册码长度无关)
:004632F5 8D45F4
lea eax, dword ptr [ebp-0C] <- Rc
:004632F8 E813AA0E00 call 0054DD10
<- 真假码比较!! 此时 [ebp-0C] 里已经是算好的正确注册码,在这个CALL上下断就能直接看到它;整个校验最后只落到下面一个 test al,al / je,改一个字节即可绕过
:004632FD 84C0
test al, al <-
出口 al=0 则比较失败
:004632FF 7440
je 00463341
:00463301 B001
mov al, 01 <-
准备激活UNLOCK按钮
:00463303 BA02000000 mov edx,
00000002
:00463308 50
push eax
:00463309 8D45F4
lea eax, dword ptr [ebp-0C]
:0046330C FF4DE4
dec [ebp-1C]
:0046330F E818A90E00 call 0054DC2C
?.........
<- 不重要,省略。
:00463383 C3
ret
*****************************************
这里是对核心CALL的分析:
*****************************************
* Referenced by a CALL at Addresses:
|:00429AB5 , :0044F9BF , :004632D7
|
:004636F4 55
push ebp
:004636F5 8BEC
mov ebp, esp
:004636F7 8B4508
mov eax, dword ptr [ebp+08] <- Irc放入Eax
:004636FA 8A5008
mov dl, byte ptr [eax+08] <- 第9个字符(前面没有任何长度检查,输入不足10个字符时读到的就是结束符之后的内存)
:004636FD 8A4009
mov al, byte ptr [eax+09] <- 第10个
:00463700 80F2AA
xor dl, AA <- 0xAA
是魔术字
:00463703 34AA
xor al, AA
:00463705 0FBEC8
movsx ecx, al
:00463708 0FBED2
movsx edx, dl
:0046370B 8BC1
mov eax, ecx
:0046370D 50
push eax <-
**
:0046370E 52
push edx <-
**
:0046370F 8B450C
mov eax, dword ptr [ebp+0C]
:00463712 50
push eax
:00463713 E878FDFFFF call 00463490
<- 跟踪追击!
:00463718 83C40C
add esp, 0000000C
:0046371B B850525900 mov eax,
00595250
:00463720 5D
pop ebp
:00463721 C3
ret
它的注册算法有点变态:
* Referenced by a CALL at Address:
|:00463713
|
:00463490 55
push ebp
:00463491 8BEC
mov ebp, esp
:00463493 83C4E8
add esp, FFFFFFE8
:00463496 53
push ebx
:00463497 56
push esi
:00463498 57
push edi
:00463499 8B5D08
mov ebx, dword ptr [ebp+08]
:0046349C 53
push ebx
:0046349D E87E7E0C00 call 0052B320
<- 里面转半天,只是为取名字长度到 Eax
:004634A2 59
pop ecx
:004634A3 83F87F
cmp eax, 0000007F <- 是否大于 7F
:004634A6 7604
jbe 004634AC
:004634A8 C6437F00 mov byte ptr [ebx+7F], 00 <- 名字长度超过7F就直接在原缓冲区第7F处写0截断
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634A6(C)
|
:004634AC 33C0
xor eax, eax
:004634AE 8BFB
mov edi, ebx
:004634B0 83C9FF
or ecx, FFFFFFFF
:004634B3 BE5B525900 mov esi,
0059525B <-
:004634B8 F2
repnz
:004634B9 AE
scasb
:004634BA F7D1
not ecx
:004634BC 2BF9
sub edi, ecx
:004634BE 8BD1
mov edx, ecx
:004634C0 87F7
xchg edi, esi <-
:004634C2 C1E902
shr ecx, 02
:004634C5 8BC7
mov eax, edi
:004634C7 F3
repz
:004634C8 A5
movsd
<-
:004634C9 8BCA
mov ecx, edx
:004634CB 83E103
and ecx, 00000003
:004634CE F3
repz
:004634CF A4
movsb
<- 将名字移到 0059525B
:004634D0 685B525900 push 0059525B
:004634D5 E892EB0C00 call 0053206C
<- 验证,作无用功
:004634DA 59
pop ecx
:004634DB 685B525900 push 0059525B
:004634E0 E83B7E0C00 call 0052B320
<- 取名字长到 Eax
:004634E5 59
pop ecx
****************** 这里开始初始化 ***************
:004634E6 8945FC
mov dword ptr [ebp-04], eax
:004634E9 33FF
xor edi, edi
:004634EB 33C0
xor eax, eax
:004634ED 8945F8
mov dword ptr [ebp-08], eax
:004634F0 33D2
xor edx, edx
:004634F2 8955F4
mov dword ptr [ebp-0C], edx
:004634F5 33C9
xor ecx, ecx
:004634F7 894DF0
mov dword ptr [ebp-10], ecx
:004634FA 8B5D0C
mov ebx, dword ptr [ebp+0C] <-
:004634FD 8B7510
mov esi, dword ptr [ebp+10] <- 见调用前的两次入栈 **
:00463500 33C0
xor eax, eax
:00463502 8945EC
mov dword ptr [ebp-14], eax
:00463505 C745E85B525900 mov [ebp-18], 0059525B
:0046350C 8B55EC
mov edx, dword ptr [ebp-14]
:0046350F 8B4DFC
mov ecx, dword ptr [ebp-04]
:00463512 3BD1
cmp edx, ecx <-
是否处理完名字:[ebp-14]是从0开始的下标,[ebp-04]是名字长度,到 00463629 跳回来再比较,就是逐字符遍历名字的循环
:00463514 0F8D15010000 jnl 0046362F
**************** 一个大循环生成中间注册码 ******************
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463629(C)
|
:0046351A 8B45E8
mov eax, dword ptr [ebp-18]
:0046351D 8A10
mov dl, byte ptr [eax] <- 顺次取名字中字符
:0046351F 52
push edx
:00463520 E8CBFEFFFF call 004633F0
<- 结果到 Eax,保证谁都认不出(见下面 004633F0:按码表把字符映射成一个数)
>>>>>>>>>>>>>>>>>
* Referenced by a CALL at Address:
|:00463520
|
:004633F0 55
push ebp
:004633F1 8BEC
mov ebp, esp
:004633F3 53
push ebx
:004633F4 33C0
xor eax, eax
:004633F6 8B4D08
mov ecx, dword ptr [ebp+08] <- 名字
:004633F9 BA94F65600
mov edx, 0056F694
******************************
[0056F694]处是一个码表,共0x1E=30个字节,与 0xAA 异或还原后为 P2Z4W6L7SBCYE5GHJKRT8MNFAXU3D9 (还会用到):
******************************
FA 98 F0 9E FD 9C E6 9D - F9 E8 E9 F3 EF 9F
ED E2
E0 E1 F8 FE 92 E7 E4 EC - EB F2 FF 99 EE 93
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0046340C(C)
<- 这个循环找 Bl 在码表中的位置|
:004633FE 8BD9
mov ebx, ecx
:00463400 80F3AA
xor bl, AA
:00463403 3A1A
cmp bl, byte ptr [edx]
:00463405 7407
je 0046340E
:00463407 40
inc eax
:00463408 42
inc edx
:00463409 83F81E
cmp eax, 0000001E
:0046340C 7CF0
jl 004633FE
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00463405(C)
|
:0046340E 83F81E
cmp eax, 0000001E
:00463411 7508
jne 0046341B
:00463413 B813000000
mov eax, 00000013 <- 找不到则 Eax=13
:00463418 5B
pop ebx
:00463419 5D
pop ebp
:0046341A C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00463411(C)
|
:0046341B 0FBE9094F65600
movsx edx, byte ptr [eax+0056F694]
:00463422 8BC2
mov eax, edx
:00463424 8BC8
mov ecx, eax
:00463426 C1E104
shl ecx, 04
:00463429 03C8
add ecx, eax
:0046342B C1E106
shl ecx, 06
:0046342E 2BC8
sub ecx, eax
:00463430 C1E107
shl ecx, 07
:00463433 2BC8
sub ecx, eax
:00463435 C1E105
shl ecx, 05
:00463438 2BC8
sub ecx, eax
:0046343A 89C8
mov eax, ecx
:0046343C 05FB300000
add eax, 000030FB <- 结果在 Eax 中;上面那串移位/加减展开后就是 eax = 4452319*edx + 0x30FB(edx 是码表字节的符号扩展,码表字节都不小于0x92,所以是负数)
:00463441 5B
pop ebx
:00463442 5D
pop ebp
:00463443 C3
ret
<<<<<<<<<<<<<<<<<<<<<<<<
看下面的运算,我说不明白,自己看吧(大意:每个字符的返回值先 +03042731 再 ^BBAABBAA,然后和注册码第9、10字节异或出来的两个值 [ebp+0C]/[ebp+10] 做一串乘法;edi、[ebp-08]、[ebp-0C]、[ebp-10] 只在为0时即第一轮被初始化,eax 为0时补 0CCC):
:00463525 59
pop ecx
:00463526 0531270403 add eax,
03042731
:0046352B 35AABBAABB xor eax,
BBAABBAA
:00463530 85FF
test edi, edi
:00463532 750F
jne 00463543
:00463534 8B7D0C
mov edi, dword ptr [ebp+0C]
:00463537 0FAFF8
imul edi, eax
:0046353A 0FAFF8
imul edi, eax
:0046353D 0FAFF8
imul edi, eax
:00463540 0FAFF8
imul edi, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463532(C)
|
:00463543 8B55F8
mov edx, dword ptr [ebp-08]
:00463546 85D2
test edx, edx
:00463548 7518
jne 00463562
:0046354A 8B4D10
mov ecx, dword ptr [ebp+10]
:0046354D 0FAFC8
imul ecx, eax
:00463550 0FAFC8
imul ecx, eax
:00463553 0FAFC8
imul ecx, eax
:00463556 0FAFC8
imul ecx, eax
:00463559 0FAFC8
imul ecx, eax
:0046355C 0FAFC8
imul ecx, eax
:0046355F 894DF8
mov dword ptr [ebp-08], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463548(C)
|
:00463562 8B55F4
mov edx, dword ptr [ebp-0C]
:00463565 85D2
test edx, edx
:00463567 750C
jne 00463575
:00463569 8B4D0C
mov ecx, dword ptr [ebp+0C]
:0046356C 0FAFC8
imul ecx, eax
:0046356F 0FAFC8
imul ecx, eax
:00463572 894DF4
mov dword ptr [ebp-0C], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463567(C)
|
:00463575 8B55F0
mov edx, dword ptr [ebp-10]
:00463578 85D2
test edx, edx
:0046357A 7515
jne 00463591
:0046357C 8B4D10
mov ecx, dword ptr [ebp+10]
:0046357F 0FAFC8
imul ecx, eax
:00463582 0FAFC8
imul ecx, eax
:00463585 0FAFC8
imul ecx, eax
:00463588 0FAFC8
imul ecx, eax
:0046358B 0FAFC8
imul ecx, eax
:0046358E 894DF0
mov dword ptr [ebp-10], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046357A(C)
|
:00463591 85C0
test eax, eax
:00463593 7505
jne 0046359A
:00463595 05CC0C0000 add eax,
00000CCC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463593(C)
|
:0046359A 8BD0
mov edx, eax
:0046359C 8B4DF0
mov ecx, dword ptr [ebp-10]
:0046359F 0FAFD7
imul edx, edi
:004635A2 03D1
add edx, ecx
:004635A4 8B4DF4
mov ecx, dword ptr [ebp-0C]
:004635A7 33D3
xor edx, ebx
:004635A9 03D2
add edx, edx
:004635AB 03D3
add edx, ebx
:004635AD 8BFA
mov edi, edx
:004635AF 8BD0
mov edx, eax
:004635B1 0FAF55F8 imul
edx, dword ptr [ebp-08]
:004635B5 03D1
add edx
- 标 题:注册 Easy CD-DA Extractor V4.3.2 (23千字)
- 作 者:6767[BCG]
- 时 间:2001-5-27 13:20:10
- 链 接:http://bbs.pediy.com