算法分析——录音专家 V1.0
下载地址:
http://www.skycn.com/soft/10643.html
软件大小:
955 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 音频处理
应用平台: Win9x/NT/2000/XP
加入时间:
2003-02-01 00:33:07
下载次数: 2253
推荐等级: * * *
开 发 商:
http://www.lanysoft.com/
【软件简介】:将您的声音保存在硬盘上,并直接转换保存成MP3格式,速度极快,是您录音的最佳选择。优点:速度快,免去您把wav转换成mp3的麻烦。如果您想把自己的声音通过网络传给远方的朋友,这也是最佳的选择。
【软件限制】:20天试用
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、RegMon、W32Dasm8.93黄金版
—————————————————————————————
【过程】:
录音专家1.0.exe 无壳。DELPHI编写。呵呵,我等菜鸟喜欢的类型。
机器码:7DX0WFAY
试炼码:13572468
软件重启验证。用RegMon监测其启动过程,呵呵,发现其在注册表中露出的“马脚”。
于是在反汇编代码里查找:Passwd,找到2处,其中的00471BEC就是我们所需要的地方!
TRW载入程序,先下断点BPX 471BEC,F5返回,拦下!
—————————————————————————————
*
Possible StringData Ref from Code Obj ->"Passwd"
:00471BEC BA381E4700
mov edx, 00471E38
====>我们在这儿!
:00471BEC
BA381E4700 mov edx, 00471E38
:00471BF1
A15C5C4700 mov eax, dword ptr
[00475C5C]
…… …… 省 略 …… ……
F10走,呵呵,很快的,我们就到达了核心!
:00471C9C
8D55E4 lea edx,
dword ptr [ebp-1C]
:00471C9F A14C5C4700
mov eax, dword ptr [00475C4C]
====>D
EAX=7DX0WFAY
:00471CA4
E883FAFFFF call 0047172C
====>算法CALL!F8进入!
:00471CA9
8B55E4 mov edx,
dword ptr [ebp-1C]
====>最后的运算结果入
EDX
====>D EDX=1093-1732-1694-1235-
:00471CAC
B86C5C4700 mov eax, 00475C6C
:00471CB1
E82A29F9FF call 004045E0
:00471CB6
8B15645C4700 mov edx, dword ptr [00475C64]
:00471CBC
A16C5C4700 mov eax, dword ptr
[00475C6C]
:00471CC1 E80E66F9FF call
004082D4
:00471CC6 A3705C4700
mov dword ptr [00475C70], eax
:00471CCB
833D685C470000 cmp dword ptr [00475C68], 00000000
:00471CD2
7410 je 00471CE4
--------------------------------------------------------
F8进入算法CALL:00471CA4
call 0047172C
*
Referenced by a CALL at Addresses:
|:00471CA4 , :00472913 , :0047298D
|
:0047172C 55
push ebp
:0047172D 8BEC
mov ebp, esp
:0047172F 33C9
xor ecx, ecx
:00471731
51 push
ecx
:00471732 51
push ecx
:00471733 51
push ecx
:00471734 51
push ecx
:00471735 53
push
ebx
:00471736 56
push esi
:00471737 57
push edi
:00471738 8BFA
mov edi, edx
:0047173A 8945FC
mov dword ptr [ebp-04],
eax
:0047173D 8B45FC
mov eax, dword ptr [ebp-04]
:00471740 E8F732F9FF
call 00404A3C
:00471745 33C0
xor eax, eax
:00471747 55
push ebp
:00471748
6824184700 push 00471824
:0047174D
64FF30 push dword
ptr fs:[eax]
:00471750 648920
mov dword ptr fs:[eax], esp
:00471753 8D45F8
lea eax, dword ptr [ebp-08]
:00471756
E8312EF9FF call 0040458C
:0047175B
8B45FC mov eax,
dword ptr [ebp-04]
:0047175E E8E930F9FF
call 0040484C
:00471763 8BF0
mov esi, eax
:00471765 85F6
test esi, esi
:00471767
7E5B jle
004717C4
:00471769 BB01000000 mov
ebx, 00000001
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
呵呵,循环开始了!共循环机器码的位数次(ESI=机器码长度,由0047175E处的call 0040484C取得;长度≤0则在00471767直接跳过整个循环)。每次先由0047176E~0047177B判断EBX(当前字符序号,从1起)的奇偶:偶数序号走00471780分支(字符码>>1,再加序号),奇数序号走004717A1分支(字符码×2,再减序号);得到的整数经call 004086C4转成十进制字符串存入[ebp-0C]或[ebp-10],再由call 00404854并入[ebp-08]——从最终结果看是按顺序拼接。
注意:1、2、3、……是表示循环的次序!
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004717C2(C)
|
:0047176E
8BC3 mov
eax, ebx
:00471770 2501000080 and
eax, 80000001
:00471775 7905
jns 0047177C
:00471777 48
dec eax
:00471778 83C8FE
or eax, FFFFFFFE
:0047177B
40 inc
eax
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00471775(C)
|
:0047177C
85C0 test
eax, eax
:0047177E 7521
jne 004717A1
:00471780 8D55F4
lea edx, dword ptr [ebp-0C]
:00471783 8B45FC
mov eax, dword ptr [ebp-04]
====>7DX0WFAY 入 EAX
:00471786 0FB64418FF
movzx eax, byte ptr [eax+ebx-01]
====>从7DX0WFAY中取字符!
====>2、EAX=44 ('D')
====>4、EAX=30 ('0')
====>6、EAX=46 ('F')
====>8、EAX=59 ('Y')
:0047178B
D1E8 shr
eax, 1
====>EAX右移1位!
====>2、EAX=22
====>4、EAX=18
====>6、EAX=23
====>8、EAX=2C
:0047178D 03C3
add eax, ebx
====>2、EAX=22+2=24
====>4、EAX=18+4=1C
====>6、EAX=23+6=29
====>8、EAX=2C+8=34
:0047178F
E8306FF9FF call 004086C4
====>F8进入!记作CALL 1!
:00471794
8B55F4 mov edx,
dword ptr [ebp-0C]
:00471797 8D45F8
lea eax, dword ptr [ebp-08]
:0047179A E8B530F9FF
call 00404854
:0047179F EB1F
jmp 004717C0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047177E(C)
|
:004717A1
8D55F0 lea edx,
dword ptr [ebp-10]
:004717A4 8B45FC
mov eax, dword ptr [ebp-04]
====>7DX0WFAY 入 EAX
:004717A7 0FB64418FF
movzx eax, byte ptr [eax+ebx-01]
====>从7DX0WFAY中取字符!
====>1、EAX=37 ('7')
====>3、EAX=58 ('X')
====>5、EAX=57 ('W')
====>7、EAX=41 ('A')
:004717AC
03C0 add
eax, eax
====>1、EAX=37+37=6E
====>3、EAX=58+58=B0
====>5、EAX=57+57=AE
====>7、EAX=41+41=82
:004717AE
2BC3 sub
eax, ebx
====>1、EAX=6E-1=6D
====>3、EAX=B0-3=AD
====>5、EAX=AE-5=A9
====>7、EAX=82-7=7B
:004717B0
E80F6FF9FF call 004086C4
====>F8进入!记作CALL 2!
:004717B5 8B55F0 mov edx, dword ptr [ebp-10]
:004717B8
8D45F8 lea eax,
dword ptr [ebp-08]
:004717BB E89430F9FF
call 00404854
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047179F(U)
|
:004717C0
43 inc
ebx
====>EBX逐次增一,作计数器
:004717C1
4E dec
esi
:004717C2 75AA
jne 0047176E
====>ESI(剩余字符数)减到0之前跳回0047176E,处理下一个字符
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471767(C)
|
:004717C4
8B45F8 mov eax,
dword ptr [ebp-08]
====>结果入EAX!
循环结束后 [ebp-08] 中的字符串为 10936173281694112352(D EAX 即可看到,EAX 是该串的指针)
:004717C7
E88030F9FF call 0040484C
:004717CC
8BF0 mov
esi, eax
:004717CE 85F6
test esi, esi
:004717D0 7E24
jle 004717F6
:004717D2 BB01000000
mov ebx, 00000001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
下面小循环的作用是:对上面得到的字符串 10936173281694112352 逐位计数(EBX 从1起,ESI 为长度),凡序号能被5整除的位置(第5、10、15、20位)被直接覆盖为 '-'(2D)。注意是覆盖而不是插入,所以总长度不变;写入前的 call 00404AA4 疑似 Delphi 的写前复制(UniqueString),待确认。
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004717F4(C)
|
:004717D7
8BC3 mov
eax, ebx
:004717D9 B905000000 mov
ecx, 00000005
:004717DE 99
cdq
:004717DF F7F9
idiv ecx
:004717E1 85D2
test edx, edx
:004717E3 750D
jne 004717F2
:004717E5
8D45F8 lea eax,
dword ptr [ebp-08]
:004717E8 E8B732F9FF
call 00404AA4
:004717ED C64418FF2D
mov [eax+ebx-01], 2D
====>加入2D,即-
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004717E3(C)
|
:004717F2
43 inc
ebx
:004717F3 4E
dec esi
:004717F4 75E1
jne 004717D7
10936173281694112352====>1093-1732-1694-1235-
呵呵,真码!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004717D0(C)
|
:004717F6
57 push
edi
:004717F7 B918000000 mov
ecx, 00000018
:004717FC BA01000000
mov edx, 00000001
:00471801 8B45F8
mov eax, dword ptr [ebp-08]
====>D EAX=1093-1732-1694-1235-
====>注意这里 ECX=18h(=24)、EDX=1,连同之前 push 的 EDI(结果存放处),形如 Copy(s,1,24):最终注册码最多取前24个字符。本例20位未受影响;机器码更长时注册码会被截断——待确认。
:00471804
E8A332F9FF call 00404AAC
:00471809
33C0 xor
eax, eax
:0047180B 5A
pop edx
:0047180C 59
pop ecx
:0047180D 59
pop ecx
:0047180E
648910 mov dword
ptr fs:[eax], edx
:00471811 682B184700
push 0047182B
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471829(U)
|
:00471816
8D45F0 lea eax,
dword ptr [ebp-10]
:00471819 BA04000000
mov edx, 00000004
:0047181E E88D2DF9FF
call 004045B0
:00471823 C3
ret
—————————————————————————————
F8进入CALL
1:0047178F call 004086C4
F8进入CALL 2:004717B0 call 004086C4
:004086C4
56 push
esi
:004086C5 89E6
mov esi, esp
:004086C7 83EC10
sub esp, 00000010
:004086CA 31C9
xor ecx, ecx
:004086CC 52
push edx
:004086CD
31D2 xor
edx, edx
:004086CF E8A4FFFFFF call
00408678
====>F8进入!
:004086D4
89F2 mov
edx, esi
:004086D6 58
pop eax
:004086D7 E8A0BFFFFF
call 0040467C
:004086DC 83C410
add esp, 00000010
:004086DF 5E
pop esi
:004086E0
C3 ret
——————————————————————————————
F8进入:004086CF call 00408678
:00408678
08C9 or cl,
cl
:0040867A 7517
jne 00408693
:0040867C 09C0
or eax, eax
:0040867E 790E
jns 0040868E
:00408680 F7D8
neg eax
:00408682
E807000000 call 0040868E
====>F8进入!
:00408687
B02D mov
al, 2D
:00408689 41
inc ecx
:0040868A 4E
dec esi
:0040868B 8806
mov byte ptr [esi], al
:0040868D
C3 ret
———————————————————————————
F8进入00408682
call 0040868E
*
Referenced by a CALL at Address:
|:00408682
|
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040867E(C)
|
:0040868E
B90A000000 mov ecx, 0000000A
====>A 入 ECX!
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040867A(C)
|
:00408693
52 push
edx
:00408694 56
push esi
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
把 EAX 反复除以 ECX(此处为 0Ah),每次的余数转成 ASCII 后从缓冲区尾部(ESI 递减)向前写入,直到商为 0;也就是把 EAX 转成十进制字符串!
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004086A9(C)
|
:00408695
31D2 xor
edx, edx
:00408697 F7F1
div ecx
====>EAX值与A循环求模!
====>1、EAX=6D % A
====>2、EAX=24 % A
====>3、EAX=AD % A
====>4、EAX=1C % A
====>5、EAX=A9 % A
====>6、EAX=29 % A
====>7、EAX=7B % A
====>8、EAX=34 % A
:00408699
4E dec
esi
:0040869A 80C230
add dl, 30
====>余数+30
:0040869D
80FA3A cmp dl, 3A
====>余数+30 后若 <3A(即落在 '0'~'9')则跳过下一句
:004086A0 7203
jb 004086A5
:004086A2
80C207 add dl, 07
====>否则再+7,得到 'A'~'F'(这是通用的进制转换例程;本例 ECX=0A,余数≤9,这一句永远不会执行)
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004086A0(C)
|
:004086A5 8816
mov byte ptr [esi],
dl
====>循环后余数入[ESI]
====>1、D ESI=109
====>2、D ESI=36
====>3、D ESI=173
====>4、D ESI=28
====>5、D ESI=169
====>6、D ESI=41
====>7、D ESI=123
====>8、D ESI=52
:004086A7
09C0 or eax,
eax
:004086A9 75EA
jne 00408695
====>继续循环?
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
—————————————————————————————
【KeyMake之内存注册机】:
中断地址:471CA9
中断次数:1
第一字节:8B
指令长度:3
内存方式:EBP
偏移:-1C
地址指针:1层
—————————————————————————————
【其它断点】:
不重启软件,注册码很容易就能看到:
:00472913
E814EEFFFF call 0047172C
====>算法CALL!
:00472918
8B55F4 mov edx,
dword ptr [ebp-0C]
====>过此 D EDX=真码!
:0047291B
58 pop
eax
:0047291C E87720F9FF call
00404998
====>比较CALL!
当然也可在这儿做内存注册机!
:00472921
740F je 00472932
====>不跳则OVER!
爆破时改此处。或者R FL Z,呵呵,真码自动就保存在注册表里了!
*
Possible StringData Ref from Code Obj ->"注册码输入错误,请检查!"
—————————————————————————————
【注册信息保存】:
[HKEY_LOCAL_MACHINE\Software\蓝拟软件\录音专家]
"Passwd"="1093-1732-1694-1235-"
"UsrName"="7DX0WFAY"
—————————————————————————————
【整理】:
机器码:7DX0WFAY
注册码:1093-1732-1694-1235-
说明:由 0047172C 可见,注册码只是机器码的一个确定性函数,生成与比较(0047291C)都在客户端完成,不含任何秘密,结果还以明文存于 HKLM 注册表。任何拿到程序的人都能照此复现注册码——这类纯客户端、可逆的校验不能当作真正的防护手段。
—————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-2-16 23:56