破解软件:海啸录音机
破解工具:TRW1.22
破解难度:易
软件下载:http://count.skycn.com/softdown.php?id=5071&url=http://on165-down.skycn.net/down/hxrecord.zip
软件说明:“瘟酒吧”中自带的录音机只能录1分钟,而本录音软件无此限制,录音时间取决于你的硬盘大小。操作简便,可以边放音乐边录音。怎么样,够酷吧!未注册版只能使用65秒。
这是用VB编写的,任意填入用户名ShenGe和注册码12345678,自然用__vbastrcomp下断,程序被中断,来到如下代码
0167:6602471F
RET 08
0167:66024722 CMP DWORD
[ESP+04],BYTE +02
0167:66024727 JZ NEAR 660470E0
0167:6602472D
PUSH DWORD 00030001
0167:66024732 PUSH
DWORD [ESP+08]
0167:66024736 PUSH DWORD [ESP+10]
0167:6602473A
PUSH DWORD [ESP+18]
0167:6602473E CALL
`OLEAUT32!VarBstrCmp`
0167:66024744 TEST EAX,EAX
0167:66024746
JL NEAR 660470E7
0167:6602474C DEC
EAX
0167:6602474D RET 0C
你会发现上面的代码只是判断有无输入注册码,按F12跳出,接着按F10,注意看各寄存器的值,来到如下代码:
......
0167:0040D7F1
PUSH EAX
0167:0040D7F2 CALL `MSVBVM60!__vbaHresultCheckObj`
0167:0040D7F8
MOV EDX,[EBP-20]
0167:0040D7FB MOV
EDI,[00401124]
0167:0040D801 LEA ECX,[EBP-24]
0167:0040D804
MOV DWORD [EBP-20],00
0167:0040D80B CALL
EDI
0167:0040D80D MOV ECX,[EBP-1C]
<---取输入的注册码
0167:0040D810 LEA EDX,[EBP-24]
<---取输入的用户名
0167:0040D813 PUSH ECX
0167:0040D814
PUSH EDX
0167:0040D815 CALL 0040CF30
<---此Call为计算正确注册码
0167:0040D81A MOV
EDX,EAX <---D EDX可看到正确注册码
0167:0040D81C
LEA ECX,[EBP-28]
0167:0040D81F CALL
EDI
0167:0040D821 PUSH
EAX
0167:0040D822 CALL `MSVBVM60!__vbaStrCmp`
<---注册码比较
0167:0040D828 MOV EDI,EAX
0167:0040D82A
LEA EAX,[EBP-28]
0167:0040D82D NEG
EDI
0167:0040D82F LEA ECX,[EBP-1C]
0167:0040D832
PUSH EAX
0167:0040D833 SBB EDI,EDI
0167:0040D835
LEA EDX,[EBP-24]
0167:0040D838 PUSH
ECX
0167:0040D839 INC EDI
0167:0040D83A
PUSH EDX
0167:0040D83B PUSH BYTE +03
0167:0040D83D
NEG EDI
0167:0040D83F CALL `MSVBVM60!__vbaFreeStrList`
跟进上面的那个计算注册码的Call,可看到以下代码:
0167:0040CF30
PUSH EBP
0167:0040CF31 MOV EBP,ESP
0167:0040CF33
SUB ESP,BYTE +0C
0167:0040CF36 PUSH
DWORD 00401276
0167:0040CF3B MOV EAX,[FS:00]
0167:0040CF41
PUSH EAX
0167:0040CF42 MOV [FS:00],ESP
0167:0040CF49
SUB ESP,BYTE +78
0167:0040CF4C PUSH
EBX
0167:0040CF4D PUSH ESI
0167:0040CF4E PUSH
EDI
0167:0040CF4F MOV [EBP-0C],ESP
0167:0040CF52
MOV DWORD [EBP-08],00401228
0167:0040CF59 XOR
ESI,ESI
0167:0040CF5B MOV EDX,00406D6C
0167:0040CF60
LEA ECX,[EBP-30]
0167:0040CF63 MOV
[EBP-20],ESI
0167:0040CF66 MOV [EBP-2C],ESI
0167:0040CF69
MOV [EBP-30],ESI
0167:0040CF6C MOV
[EBP-34],ESI
0167:0040CF6F MOV [EBP-44],ESI
0167:0040CF72
MOV [EBP-54],ESI
0167:0040CF75 MOV
[EBP-64],ESI
0167:0040CF78 CALL `MSVBVM60!__vbaStrCopy`
0167:0040CF7E
MOV EDI,[EBP+08]
0167:0040CF81 LEA
EAX,[EBP-64]
0167:0040CF84 PUSH BYTE +0F
0167:0040CF86
LEA ECX,[EBP-44]
0167:0040CF89 PUSH
EAX
0167:0040CF8A PUSH ECX
0167:0040CF8B MOV
[EBP-5C],EDI
0167:0040CF8E MOV DWORD
[EBP-64],4008
0167:0040CF95 CALL `MSVBVM60!rtcLeftCharVar`
0167:0040CF9B
LEA EDX,[EBP-44]
0167:0040CF9E PUSH
EDX
0167:0040CF9F CALL `MSVBVM60!__vbaStrVarMove`
0167:0040CFA5
MOV EBX,[00401124]
0167:0040CFAB MOV
EDX,EAX
0167:0040CFAD MOV ECX,EDI
0167:0040CFAF
CALL EBX
0167:0040CFB1 LEA ECX,[EBP-44]
0167:0040CFB4
CALL `MSVBVM60!__vbaFreeVar`
0167:0040CFBA MOV
EAX,[EDI]
0167:0040CFBC PUSH EAX
0167:0040CFBD
CALL `MSVBVM60!__vbaLenBstr` <---取输入用户名长度
0167:0040CFC3
CMP EAX,BYTE +06
<---比较用户名长度与6:小于6则跳走(见下面的JL),即用户名至少要6位
0167:0040CFC6 MOV [EBP-28],EAX
0167:0040CFC9
JL NEAR 0040D12C
0167:0040CFCF MOV
ECX,01
0167:0040CFD4 MOV [EBP-18],ECX
0167:0040CFD7
CMP ECX,EAX
0167:0040CFD9 JG
NEAR 0040D120
0167:0040CFDF LEA EDX,[EBP-44]
0167:0040CFE2
LEA EAX,[EBP-64]
0167:0040CFE5 PUSH
EDX
0167:0040CFE6 PUSH ECX
0167:0040CFE7 LEA
ECX,[EBP-54]
0167:0040CFEA PUSH EAX
0167:0040CFEB
PUSH ECX
0167:0040CFEC MOV DWORD
[EBP-3C],01
0167:0040CFF3 MOV DWORD [EBP-44],02
0167:0040CFFA
MOV [EBP-5C],EDI
0167:0040CFFD MOV
DWORD [EBP-64],4008
0167:0040D004 CALL `MSVBVM60!rtcMidCharVar`
<---按位取用户名的每个字符
0167:0040D00A LEA EDX,[EBP-54]
0167:0040D00D
PUSH EDX
0167:0040D00E CALL `MSVBVM60!__vbaStrVarMove`
0167:0040D014
MOV EDX,EAX
0167:0040D016 LEA
ECX,[EBP-20]
0167:0040D019 CALL EBX
0167:0040D01B
LEA EAX,[EBP-54]
0167:0040D01E LEA
ECX,[EBP-44]
0167:0040D021 PUSH EAX
0167:0040D022
PUSH ECX
0167:0040D023 PUSH BYTE +02
0167:0040D025
CALL `MSVBVM60!__vbaFreeVarList`
0167:0040D02B MOV
EDX,[EBP-20]
0167:0040D02E ADD ESP,BYTE
+0C
0167:0040D031 PUSH EDX
0167:0040D032 CALL
`MSVBVM60!rtcAnsivalueBstr` <---取得字符的ANSI码值(下表以十六进制列出)
0167:0040D038
PUSH EAX
0167:0040D039 CALL `MSVBVM60!__vbaStrI2`
<---将字符的码值转换成十进制数字字符串(相当于反复与0AH除取其余数得到各位数字),例如53H=83,得到8和3。
1.S 53 ----->8 3
2.h 68 ----->1 0 4
3.e 65 ----->1 0 1
4.n 6E ----->1 1 0
5.G 47 ----->7 1
6.e 65 ----->1 0 1
0167:0040D03F MOV EDX,EAX
0167:0040D041
LEA ECX,[EBP-20]
0167:0040D044 CALL
EBX
0167:0040D046 MOV EAX,[EBP-20]
0167:0040D049
PUSH EAX
0167:0040D04A CALL `MSVBVM60!__vbaLenBstr`
0167:0040D050
MOV [EBP+FFFFFF7C],EAX
0167:0040D056 MOV
EDI,01
0167:0040D05B CMP EDI,[EBP+FFFFFF7C]
0167:0040D061
JG 0040D0D0
0167:0040D063 LEA
ECX,[EBP-20]
0167:0040D066 LEA EDX,[EBP-44]
0167:0040D069
MOV [EBP-5C],ECX
0167:0040D06C PUSH
EDX
0167:0040D06D LEA EAX,[EBP-64]
0167:0040D070
PUSH EDI
0167:0040D071 LEA ECX,[EBP-54]
0167:0040D074
PUSH EAX
0167:0040D075 PUSH ECX
0167:0040D076
MOV DWORD [EBP-3C],01
0167:0040D07D MOV
DWORD [EBP-44],02
0167:0040D084 MOV DWORD
[EBP-64],4008
0167:0040D08B CALL `MSVBVM60!rtcMidCharVar`
0167:0040D091
LEA EDX,[EBP-54]
0167:0040D094 PUSH
EDX
0167:0040D095 CALL `MSVBVM60!__vbaI2ErrVar`
<---按位取上面得到的余数值
0167:0040D09B MOVSX EAX,AX
0167:0040D09E
ADD EAX,ESI
<---累加到ESI中
1.8 3 ----->B
2.1 0 4 ----->5
3.1 0 1 ----->2
4.1 1 0 ----->2
5.7 1 ----->8
6.1 0 1 ----->2
0167:0040D0A0
LEA ECX,[EBP-54]
0167:0040D0A3 JO
NEAR 0040D186
0167:0040D0A9 MOV ESI,EAX
0167:0040D0AB
LEA EDX,[EBP-54]
0167:0040D0AE PUSH
ECX
0167:0040D0AF LEA EAX,[EBP-44]
0167:0040D0B2
PUSH EDX
0167:0040D0B3 PUSH EAX
0167:0040D0B4
PUSH BYTE +03
0167:0040D0B6 CALL `MSVBVM60!__vbaFreeVarList`
0167:0040D0BC
MOV EAX,01
<---EAX=01
0167:0040D0C1 ADD
ESP,BYTE +10
0167:0040D0C4 ADD EAX,EDI
<---EAX=EDI+1,即内层循环的位置计数加1;累加和的加1是在循环结束后0040D0D3处的ADD ESI,BYTE +01完成的,下面列出的是累加和加1后的结果
1.B+1 ----->C
2.5+1 ----->6
3.2+1 ----->3
4.2+1 ----->3
5.8+1 ----->9
6.2+1 ----->3
0167:0040D0C6
JO NEAR 0040D186
0167:0040D0CC MOV
EDI,EAX
0167:0040D0CE JMP SHORT 0040D05B
0167:0040D0D0
MOV ECX,[EBP-2C]
0167:0040D0D3 ADD
ESI,BYTE +01
0167:0040D0D6 JO NEAR 0040D186
0167:0040D0DC
PUSH ECX
0167:0040D0DD PUSH ESI
0167:0040D0DE
CALL `MSVBVM60!__vbaStrI4` <---此Call同上,把最后的累加和转换成十进制数字字符串(相当于与0AH除取其余数得到各位数字)
1.C ----->1 2
2.6 ----->6
3.3 ----->3
4.3 ----->3
5.9 ----->9
6.3 ----->3
0167:0040D0E4 MOV EDX,EAX
0167:0040D0E6 LEA
ECX,[EBP-34]
0167:0040D0E9 CALL EBX
0167:0040D0EB
PUSH EAX
0167:0040D0EC CALL `MSVBVM60!__vbaStrCat`<--将得到的各余数连接成注册码,我的正确注册码为:1263393
0167:0040D0F2
MOV EDX,EAX
0167:0040D0F4 LEA
ECX,[EBP-2C]
0167:0040D0F7 CALL EBX
0167:0040D0F9
LEA ECX,[EBP-34]
0167:0040D0FC CALL
`MSVBVM60!__vbaFreeStr`
0167:0040D102 MOV ECX,[EBP-18]
0167:0040D105
MOV EDI,[EBP+08]
0167:0040D108 MOV
EAX,01
0167:0040D10D ADD EAX,ECX
0167:0040D10F
JO 0040D186
0167:0040D111 MOV
[EBP-18],EAX
0167:0040D114 MOV ECX,EAX
0167:0040D116
MOV EAX,[EBP-28]
0167:0040D119 XOR
ESI,ESI
0167:0040D11B JMP 0040CFD7
0167:0040D120
MOV EDX,[EBP-2C]
0167:0040D123 LEA
ECX,[EBP-30]
0167:0040D126 CALL `MSVBVM60!__vbaStrCopy`
0167:0040D12C
PUSH DWORD 0040D170
0167:0040D131 JMP
SHORT 0040D15F
0167:0040D133 TEST BYTE [EBP-04],04
0167:0040D137
JZ 0040D142
0167:0040D139 LEA
ECX,[EBP-30]
0167:0040D13C CALL `MSVBVM60!__vbaFreeStr`
0167:0040D142
LEA ECX,[EBP-34]
0167:0040D145 CALL
`MSVBVM60!__vbaFreeStr`
0167:0040D14B LEA EDX,[EBP-54]
0167:0040D14E
LEA EAX,[EBP-44]
0167:0040D151 PUSH
EDX
0167:0040D152 PUSH EAX
0167:0040D153 PUSH
BYTE +02
0167:0040D155 CALL `MSVBVM60!__vbaFreeVarList`
0167:0040D15B
ADD ESP,BYTE +0C
0167:0040D15E RET
0167:0040D15F MOV ESI,[00401144]
0167:0040D165
LEA ECX,[EBP-20]
0167:0040D168 CALL
ESI
0167:0040D16A LEA ECX,[EBP-2C]
0167:0040D16D
CALL ESI
0167:0040D16F RET
0167:0040D170
MOV ECX,[EBP-14]
0167:0040D173 MOV
EAX,[EBP-30]
0167:0040D176 POP EDI
0167:0040D177
POP ESI
0167:0040D178 MOV [FS:00],ECX
0167:0040D17F
POP EBX
0167:0040D180 MOV ESP,EBP
0167:0040D182
POP EBP
0167:0040D183 RET 04
0167:0040D186
CALL `MSVBVM60!__vbaErrorOverflow`
0167:0040D18C NOP
分析写得有点简单,欢迎指正。
软件注册成功后将注册信息保存在注册表的
“HKEY_LOCAL_MACHINE\Software\HX\HXRecord”中