【下载页面】:http://www.hanzify.org/detail.asp?SOFT_ID=6288
【软件大小】:847K
【应用平台】: WIN9X/WINNT/WIN2K/WINXP
【软件简介】: 只需用鼠标点击 4 次,即可将整盘 CD 音乐转换成您心爱的 MP3 ! AltoMP3 Maker 3.20 应该是目前界面最友好、最方便、最快捷、非常容易而又功能强大的 CD -> MP3 转换(即抓取 CD 音轨)工具。如果您想从音频 CD 制作自己的 MP3,您将体会到她是如何的出色。制作前可编辑 ID3 标签,支持 Freedb、VRB、OGG Vorbis 。通过使用自动同步技术和优秀的 MP3 编码引擎 LAME 3.93 获得高速度、高品质的输出,从而快速压缩出完美品质的 MP3 。同时,AltoMP3 Maker 也是 Win 9X/NT/Me/2000/XP 下理想的 MP3 -> WAV 解码器。AltoMP3 Maker 还能实现完整的 CD 音频播放控制,以及兼具 freedb-aware CD 播放器功能。
【软件限制】:不清楚:-P
【作者声明】:本人发表这篇文章只是希望交流一下!读者看了文章后所做的事情与我无关,我也不会负责,最后希望大家经济基础好的话,请支持共享软件!
【破解工具】:PEiD W32Dasm TRW2K
—————————————————————————————————
【过 程】:
用PEiD侦察出主程序AltoMP3Maker.exe没加壳,是用C++写的!
用W32Dasm反汇编后找不到什么提示,那么只好用TRW2K了!
运行主程序AltoMP3Maker.exe-->帮助-->注册...-->输入用户名Yock和假的注册码78787878-->CTRL+N 呼出TRW2K(真亲切...)-->下断点BPX HMEMCPY-->F5返回-->点击注册按钮拦下,来到了下面这里:
:0042AFFC 6A28
push 00000028
\\点击注册后来到这里!
:0042AFFE 53
push ebx
:0042AFFF 57
push edi
* Reference To: MFC42.Ordinal:08F1,
Ord:08F1h
|
:0042B000 E8AF040300 Call
0045B4B4 \\得到用户名的位数!
:0042B005 81C6E4000000 add esi, 000000E4
:0042B00B 56
push esi
* Possible Reference to Dialog:
DialogID_00CC, CONTROL_ID:0462, ""
|
:0042B00C 6862040000 push
00000462
:0042B011 57
push edi
* Reference To: MFC42.Ordinal:0942,
Ord:0942h
|
:0042B012 E8A3040300 Call
0045B4BA \\得到注册码的位数!
:0042B017 5F
pop edi
:0042B018 5E
pop esi
:0042B019 5B
pop ebx
:0042B01A C20400 ret
0004 \\返回到下面!
-----------------------------------------------------------------------------------------
:0042B060 E8FB000300 Call
0045B160
:0042B065 85C0
test eax, eax \\0042B01A返回到这里!比较是否输入了数据!
:0042B067 7520
jne 0042B089 \\没有输入(EAX=0)就不跳走!一定要跳走啊!!!!
:0042B069 6AFF
push FFFFFFFF
:0042B06B 50
push eax
* Possible Reference to String
Resource ID=57684: "鲹eHpn"\\请输入有效数据!作者有病!
|
:0042B06C 6854E10000 push
0000E154
* Reference To: MFC42.Ordinal:04AF,
Ord:04AFh
|
:0042B071 E828050300 Call
0045B59E \\这里弹出"请输入有效数据!"的框!
:0042B076 8B4C241C mov
ecx, dword ptr [esp+1C]
:0042B07A 64890D00000000 mov dword ptr fs:[00000000],
ecx
:0042B081 5F
pop edi
:0042B082 5E
pop esi
:0042B083 5D
pop ebp
:0042B084 5B
pop ebx
:0042B085 83C418 add
esp, 00000018
:0042B088 C3
ret
-----------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B067(C)
|
:0042B089 8B83E0000000 mov eax, dword
ptr [ebx+000000E0]\\0042B067跳到这里!
:0042B08F 8DABE0000000 lea ebp, dword
ptr [ebx+000000E0]
:0042B095 8B40F8 mov
eax, dword ptr [eax-08] \\这里是用户名的位数!
:0042B098 85C0
test eax, eax
\\是否有填用户名!
:0042B09A 7528
jne 0042B0C4
\\没填就不跳,一定要跳!!!
:0042B09C 6AFF
push FFFFFFFF
:0042B09E 50
push eax
* Possible Reference to String
Resource ID=57685: "鲹e▉鑼?7
" \\请输入用户名!
|
:0042B09F 6855E10000 push
0000E155
* Reference To: MFC42.Ordinal:04AF,
Ord:04AFh
|
:0042B0A4 E8F5040300 Call
0045B59E \\弹出"请输入用户名!"对话框!
-------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B09A(C)
|
:0042B0C4 8B8BE4000000 mov ecx, dword
ptr [ebx+000000E4]\\0042B09A跳到这里!!
:0042B0CA 8DBBE4000000 lea edi, dword
ptr [ebx+000000E4]
:0042B0D0 8B41F8 mov
eax, dword ptr [ecx-08] \\这里是输入假注册码的位数!
:0042B0D3 85C0
test eax, eax
\\是否有输入注册码!
:0042B0D5 7552
jne 0042B129
\\没有输入就不跳!!一定要跳!!
:0042B0D7 6AFF
push FFFFFFFF
:0042B0D9 6A00
push 00000000
* Possible Reference to String
Resource ID=57686: "鲹e▌鑼" \\请输入注册码!
|
:0042B0DB 6856E10000 push
0000E156
* Reference To: MFC42.Ordinal:04AF,
Ord:04AFh
|
:0042B0E0 E8B9040300 Call
0045B59E \\弹出"请输入注册码!"的对话框!
--------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B0D5(C)
|
:0042B129 8D4C2410 lea
ecx, dword ptr [esp+10]\\0042B0D5跳到这里!!
* Reference To: MFC42.Ordinal:021C,
Ord:021Ch
|
:0042B12D E85E000300 Call
0045B190
:0042B132 8D4C2414 lea
ecx, dword ptr [esp+14]
:0042B136 C744242400000000 mov [esp+24], 00000000
* Reference To: MFC42.Ordinal:021C,
Ord:021Ch
|
:0042B13E E84D000300 Call
0045B190
:0042B143 51
push ecx
:0042B144 C644242801 mov [esp+28],
01
:0042B149 8BCC
mov ecx, esp
:0042B14B 8964241C mov
dword ptr [esp+1C], esp
:0042B14F 55
push ebp
* Reference To: MFC42.Ordinal:0217,
Ord:0217h
|
:0042B150 E829000300 Call
0045B17E
:0042B155 8D4C241C lea
ecx, dword ptr [esp+1C]
:0042B159 51
push ecx
:0042B15A E8D194FEFF call
00414630 \\这里是把用户名计算得出正确注册码的CALL!!
\\我追进去后发现有很多地方看不懂,所以就放弃了!:-P
:0042B15F 83C408 add
esp, 00000008
:0042B162 50
push eax
:0042B163 8D4C2414 lea
ecx, dword ptr [esp+14]
:0042B167 C644242802 mov [esp+28],
02
* Reference To: MFC42.Ordinal:035A,
Ord:035Ah
|
:0042B16C E8C1000300 Call
0045B232
:0042B171 8D4C2418 lea
ecx, dword ptr [esp+18]
:0042B175 C644242401 mov [esp+24],
01
* Reference To: MFC42.Ordinal:0320,
Ord:0320h
|
:0042B17A E8F9FF0200 Call
0045B178
:0042B17F 8B37
mov esi, dword ptr [edi] \\这里DESI可以看到假的注册码!
:0042B181 8B442410 mov
eax, dword ptr [esp+10] \\这里DEAX可以看到真的注册码!
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0042B1A3(C) \\从这里开始到0042B1A3是把真假注册码的ASCII码逐位比较!有一个错误就死掉!
|
:0042B185 8A10
mov dl, byte ptr [eax] \\真注册码第一位的ASCII码值放入EDX低位!
:0042B187 8ACA
mov cl, dl
\\DL=CL
:0042B189 3A16
cmp dl, byte ptr [esi] \\比较真假注册码第一位的ASCII码值是否相等!
:0042B18B 751C
jne 0042B1A9
\\跳下去死!!一定不能跳!
:0042B18D 84C9
test cl, cl
\\比较是否取完了!
:0042B18F 7414
je 0042B1A5
\\取完就跳下去!
:0042B191 8A5001 mov
dl, byte ptr [eax+01] \\真注册码第二位的ASCII码值放入EDX低位!
:0042B194 8ACA
mov cl, dl
\\CL=DL
:0042B196 3A5601 cmp
dl, byte ptr [esi+01] \\比较真假注册码第二位的ASCII码值是否相等!
:0042B199 750E
jne 0042B1A9
\\跳下去死!!一定不能跳!
:0042B19B 83C002 add
eax, 00000002 \\eax加二
:0042B19E 83C602 add
esi, 00000002 \\esi加二
:0042B1A1 84C9
test cl, cl
\\比较是否取完了!
:0042B1A3 75E0
jne 0042B185
\\没有取完就跳回去!
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0042B18F(C)
|
:0042B1A5 33C0
xor eax, eax
\\清零!
:0042B1A7 EB05
jmp 0042B1AE
\\跳下去!
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:0042B18B(C), :0042B199(C)
|
:0042B1A9 1BC0
sbb eax, eax
\\带借位相减:EAX=0-CF,结果是0或FFFFFFFF(取决于上面CMP留下的进位标志),不是单纯清零!
:0042B1AB 83D8FF sbb
eax, FFFFFFFF \\EAX变成1或FFFFFFFF,一定不为零,摆明去死!!!
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0042B1A7(U)
|
:0042B1AE 85C0
test eax, eax \\是否等于零,等于就跳,不等于就死了!
:0042B1B0 7441
je 0042B1F3 \\不跳就死了!!
:0042B1B2 6AFF
push FFFFFFFF
:0042B1B4 6A00
push 00000000
* Possible Reference to String
Resource ID=57687: "盜鑼?"\\注册码错误!
|
:0042B1B6 6857E10000 push
0000E157 \\要是把这里改成push dword
ptr [esp+10]的话,程序本身就变成注册机了!!
\\可惜我试了,失败了...
\\希望大哥哥们可以教教我怎么做!!
* Reference To: MFC42.Ordinal:04AF, Ord:04AFh
|
:0042B1BB E8DE030300 Call
0045B59E \\弹出"注册码错误!"的对话框!!
:0042B1C0 8DB3A0000000 lea esi, dword
ptr [ebx+000000A0]
:0042B1C6 8BCE
mov ecx, esi
* Reference To: MFC42.Ordinal:175D,
Ord:175Dh
|
:0042B1C8 E811030300 Call
0045B4DE
:0042B1CD 8B4620 mov
eax, dword ptr [esi+20]
* Reference To: USER32.SendMessageA,
Ord:0214h
|
:0042B1D0 8B3D04184600 mov edi, dword
ptr [00461804]
:0042B1D6 6AFF
push FFFFFFFF
:0042B1D8 6A00
push 00000000
:0042B1DA 68B1000000 push
000000B1
:0042B1DF 50
push eax
:0042B1E0 FFD7
call edi
:0042B1E2 8B4E20 mov
ecx, dword ptr [esi+20]
:0042B1E5 6A00
push 00000000
:0042B1E7 6A00
push 00000000
:0042B1E9 68B7000000 push
000000B7
:0042B1EE 51
push ecx
:0042B1EF FFD7
call edi
:0042B1F1 EB4C
jmp 0042B23F
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0042B1B0(C)
|
:0042B1F3 55
push ebp
:0042B1F4 B9CC1F4F00 mov ecx,
004F1FCC
* Reference To: MFC42.Ordinal:035A,
Ord:035Ah
|
:0042B1F9 E834000300 Call
0045B232
:0042B1FE 57
push edi
:0042B1FF B9D01F4F00 mov ecx,
004F1FD0
* Reference To: MFC42.Ordinal:035A,
Ord:035Ah
|
:0042B204 E829000300 Call
0045B232
:0042B209 8B4500 mov
eax, dword ptr [ebp+00]
* Reference To: KERNEL32.WritePrivateProfileStringA,
Ord:02E5h
|
:0042B20C 8B35D8104600 mov esi, dword
ptr [004610D8]
* Possible StringData Ref from
Data Obj ->"REGKEYCR.INI"
|
:0042B212 6834074700 push
00470734
:0042B217 50
push eax
* Possible StringData Ref from
Data Obj ->"NAME"
|
:0042B218 682C074700 push
0047072C
* Possible StringData Ref from
Data Obj ->"REGISTRATION"
|
:0042B21D 681C074700 push
0047071C
:0042B222 FFD6
call esi
\\这个CALL是把注册信息保存在C:\WINDOWS\REGKEYCR.INI文件里面的!
:0042B224 8B07
mov eax, dword ptr [edi]
------------------------------------------------------------------------
内存注册机:
中断地址:0042B185
中断次数:1
字节长度:2
第一字符:8A
注册码:内存方式-->EAX
注册信息保存在C:\WINDOWS\REGKEYCR.INI
把C:\WINDOWS\的REGKEYCR.INI文件删除掉就变成未注册版本了!
一组可以用的注册码!
Yock
9733352626
------------------------------------------------------------------------
总结:
0042B15A的那个根据用户名计算注册码的CALL,我追了一下,很多地方看不懂;由于可以用做内存注册机,就放弃了!:-P 之所以能这样做,是因为程序在本地算出完整的正确注册码,再和输入的注册码以明文逐字节比较(0042B185到0042B1A3),比较之前正确注册码就已经在内存里了。
我个人认为把
0042B1B4 6A00
push 00000000
0042B1B6 6857E10000 push 0000E157
改成
0042B1B4 8B442410 mov
eax, dword ptr [esp+10]
0042B1B8 90
NOP
0042B1B9 50
push eax
0042B1BA 90
NOP
让程序自己变成注册机的!可惜失败了!请大哥哥指点我错在哪里!希望大哥哥们可以教教我怎么做!!
最后谢谢您看这篇文章!谢谢...
2003.05.14晚于清远