AltoMP3Maker3.20

标题：AltoMP3Maker3.20
作者：鸡鸡
时间：2003/05/14 01:14am　
链接：http://bbs.pediy.com

【下载页面】：http://www.hanzify.org/detail.asp?SOFT_ID=6288

【软件大小】：847K

【应用平台】: WIN9X/WINNT/WIN2K/WINXP

【软件简介】：只需用鼠标点击 4 次，即可将整盘 CD 音乐转换成您心爱的 MP3 ！ AltoMP3 Maker 3.20 应该是目前界面最友好、最方便、最快捷、非常容易而又功能强大的 CD -> MP3 转换(即抓取 CD 音轨)工具。如果您想从音频 CD 制作自己的 MP3，您将体会到她是如何的出色。制作前可编辑 ID3 标签，支持 Freedb、VRB、OGG Vorbis 。通过使用自动同步技术和优秀的 MP3 编码引擎 LAME 3.93 获得高速度、高品质的输出，从而快速压缩出完美品质的 MP3 。同时，AltoMP3 Maker 也是 Win 9X/NT/Me/2000/XP 下理想的 MP3 -> WAV 解码器。AltoMP3 Maker 还能实现完整的 CD 音频播放控制，以及兼具 freedb-aware CD 播放器功能。

【软件限制】：不清楚:-P

【作者声明】：本人发表这篇文章只是希望交流一下!读者看了文章后所做的事情与我无关,我也不会负责,最后希望大家经济基础好的话,请支持共享软件!

【破解工具】：PEiD W32Dasm TRW2K

—————————————————————————————————
【过程】：
用PEiD侦察出主程序AltoMP3Maker.exe没加壳,是用C++写的!

用W32Dasm反汇编后找不到什么提示,那么只好用TRW2K了!

运行主程序AltoMP3Maker.exe-->帮助-->注册...-->输入用户名Yock和假的注册码78787878-->CTRL+N 呼出TRW2K(真亲切...)-->下断点BPX HMEMCPY-->F5返回-->点击注册按钮拦下,来到了下面这里:

:0042AFFC 6A28 push 00000028 \\点击注册后来到这里!
:0042AFFE 53 push ebx
:0042AFFF 57 push edi

* Reference To: MFC42.Ordinal:08F1, Ord:08F1h
|
:0042B000 E8AF040300 Call 0045B4B4 \\得到用户名的位数!
:0042B005 81C6E4000000 add esi, 000000E4
:0042B00B 56 push esi

* Possible Reference to Dialog: DialogID_00CC, CONTROL_ID:0462, ""
|
:0042B00C 6862040000 push 00000462
:0042B011 57 push edi

* Reference To: MFC42.Ordinal:0942, Ord:0942h
|
:0042B012 E8A3040300 Call 0045B4BA \\得到注册码的位数!
:0042B017 5F pop edi
:0042B018 5E pop esi
:0042B019 5B pop ebx
:0042B01A C20400 ret 0004 \\返回到下面!

-----------------------------------------------------------------------------------------
:0042B060 E8FB000300 Call 0045B160
:0042B065 85C0 test eax, eax \\0042B01A返回到这里!比较是否输入了数据!
:0042B067 7520 jne 0042B089 \\没有输入(EAX=0)就不跳走!一定要跳走啊!!!!
:0042B069 6AFF push FFFFFFFF
:0042B06B 50 push eax

* Possible Reference to String Resource ID=57684: "鲹eHpn"\\请输入有效数据!作者有病!
|
:0042B06C 6854E10000 push 0000E154

* Reference To: MFC42.Ordinal:04AF, Ord:04AFh
|
:0042B071 E828050300 Call 0045B59E \\这里弹出"请输入有效数据!"的框!
:0042B076 8B4C241C mov ecx, dword ptr [esp+1C]
:0042B07A 64890D00000000 mov dword ptr fs:[00000000], ecx
:0042B081 5F pop edi
:0042B082 5E pop esi
:0042B083 5D pop ebp
:0042B084 5B pop ebx
:0042B085 83C418 add esp, 00000018
:0042B088 C3 ret

-----------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B067(C)
|
:0042B089 8B83E0000000 mov eax, dword ptr [ebx+000000E0]\\0042B067跳到这里!
:0042B08F 8DABE0000000 lea ebp, dword ptr [ebx+000000E0]
:0042B095 8B40F8 mov eax, dword ptr [eax-08] \\这里是用户名的位数!
:0042B098 85C0 test eax, eax \\是否有填用户名!
:0042B09A 7528 jne 0042B0C4 \\没填就不跳,一定要跳!!!
:0042B09C 6AFF push FFFFFFFF
:0042B09E 50 push eax

* Possible Reference to String Resource ID=57685: "鲹e▉鑼?7
" \\请输入用户名!
|
:0042B09F 6855E10000 push 0000E155

* Reference To: MFC42.Ordinal:04AF, Ord:04AFh
|
:0042B0A4 E8F5040300 Call 0045B59E \\弹出"请输入用户名!"对话框!

-------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B09A(C)
|
:0042B0C4 8B8BE4000000 mov ecx, dword ptr [ebx+000000E4]\\0042B09A跳到这里!!
:0042B0CA 8DBBE4000000 lea edi, dword ptr [ebx+000000E4]
:0042B0D0 8B41F8 mov eax, dword ptr [ecx-08] \\这里是输入假注册码的位数!
:0042B0D3 85C0 test eax, eax \\是否有输入注册码!
:0042B0D5 7552 jne 0042B129 \\没有输入就不跳!!一定要跳!!
:0042B0D7 6AFF push FFFFFFFF
:0042B0D9 6A00 push 00000000

* Possible Reference to String Resource ID=57686: "鲹e▌鑼" \\请输入注册码!
|
:0042B0DB 6856E10000 push 0000E156

* Reference To: MFC42.Ordinal:04AF, Ord:04AFh
|
:0042B0E0 E8B9040300 Call 0045B59E \\弹出"请输入注册码!"的对话框!

--------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B0D5(C)
|
:0042B129 8D4C2410 lea ecx, dword ptr [esp+10]\\0042B0D5跳到这里!!

* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0042B12D E85E000300 Call 0045B190
:0042B132 8D4C2414 lea ecx, dword ptr [esp+14]
:0042B136 C744242400000000 mov [esp+24], 00000000

* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0042B13E E84D000300 Call 0045B190
:0042B143 51 push ecx
:0042B144 C644242801 mov [esp+28], 01
:0042B149 8BCC mov ecx, esp
:0042B14B 8964241C mov dword ptr [esp+1C], esp
:0042B14F 55 push ebp

* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0042B150 E829000300 Call 0045B17E
:0042B155 8D4C241C lea ecx, dword ptr [esp+1C]
:0042B159 51 push ecx
:0042B15A E8D194FEFF call 00414630 \\这里是把用户名计算得出正确注册码的CALL!!
\\我追进去后发现有很多地方看不懂,所以就放弃了!:-P
:0042B15F 83C408 add esp, 00000008
:0042B162 50 push eax
:0042B163 8D4C2414 lea ecx, dword ptr [esp+14]
:0042B167 C644242802 mov [esp+28], 02

* Reference To: MFC42.Ordinal:035A, Ord:035Ah
|
:0042B16C E8C1000300 Call 0045B232
:0042B171 8D4C2418 lea ecx, dword ptr [esp+18]
:0042B175 C644242401 mov [esp+24], 01

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0042B17A E8F9FF0200 Call 0045B178
:0042B17F 8B37 mov esi, dword ptr [edi] \\这里DESI可以看到假的注册码!
:0042B181 8B442410 mov eax, dword ptr [esp+10] \\这里DEAX可以看到真的注册码!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1A3(C) \\从这里开始到0042B1A3是把真假注册码的ASCII码逐位比较!有一个错误就死掉!
|
:0042B185 8A10 mov dl, byte ptr [eax] \\真注册码第一位的ASCII码值放入EBX低位!
:0042B187 8ACA mov cl, dl \\DL=CL
:0042B189 3A16 cmp dl, byte ptr [esi] \\比较真假注册码第一位的ASCII码值是否相等!
:0042B18B 751C jne 0042B1A9 \\跳下去死!!一定不能跳!
:0042B18D 84C9 test cl, cl \\比较是否取完了!
:0042B18F 7414 je 0042B1A5 \\取完就跳下去!
:0042B191 8A5001 mov dl, byte ptr [eax+01] \\真注册码第二位的ASCII码值放入EDX低位!
:0042B194 8ACA mov cl, dl \\CL=DL
:0042B196 3A5601 cmp dl, byte ptr [esi+01] \\比较真假注册码第二位的ASCII码值是否相等!
:0042B199 750E jne 0042B1A9 \\跳下去死!!一定不能跳!
:0042B19B 83C002 add eax, 00000002 \\eax加二
:0042B19E 83C602 add esi, 00000002 \\esi加二
:0042B1A1 84C9 test cl, cl \\比较是否取完了!
:0042B1A3 75E0 jne 0042B185 \\没有取完就跳回去!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B18F(C)
|
:0042B1A5 33C0 xor eax, eax \\清零!
:0042B1A7 EB05 jmp 0042B1AE \\跳下去!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042B18B(C), :0042B199(C)
|
:0042B1A9 1BC0 sbb eax, eax \\相减!清零!
:0042B1AB 83D8FF sbb eax, FFFFFFFF \\摆明去死!!!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1A7(U)
|
:0042B1AE 85C0 test eax, eax \\是否等于零,等于就跳,不等于就死了!
:0042B1B0 7441 je 0042B1F3 \\不跳就死了!!
:0042B1B2 6AFF push FFFFFFFF
:0042B1B4 6A00 push 00000000

* Possible Reference to String Resource ID=57687: "盜鑼?"\\注册码错误!
|
:0042B1B6 6857E10000 push 0000E157 \\要是把这里改成push dword ptr [esp+10]的话,程序本身就变成注册机了!!
\\可惜我试了,失败了...
\\希望大哥哥们可以教教我怎么做!!
* Reference To: MFC42.Ordinal:04AF, Ord:04AFh
|
:0042B1BB E8DE030300 Call 0045B59E \\弹出"注册码错误!"的对话框!!
:0042B1C0 8DB3A0000000 lea esi, dword ptr [ebx+000000A0]
:0042B1C6 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:175D, Ord:175Dh
|
:0042B1C8 E811030300 Call 0045B4DE
:0042B1CD 8B4620 mov eax, dword ptr [esi+20]

* Reference To: USER32.SendMessageA, Ord:0214h
|
:0042B1D0 8B3D04184600 mov edi, dword ptr [00461804]
:0042B1D6 6AFF push FFFFFFFF
:0042B1D8 6A00 push 00000000
:0042B1DA 68B1000000 push 000000B1
:0042B1DF 50 push eax
:0042B1E0 FFD7 call edi
:0042B1E2 8B4E20 mov ecx, dword ptr [esi+20]
:0042B1E5 6A00 push 00000000
:0042B1E7 6A00 push 00000000
:0042B1E9 68B7000000 push 000000B7
:0042B1EE 51 push ecx
:0042B1EF FFD7 call edi
:0042B1F1 EB4C jmp 0042B23F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B1B0(C)
|
:0042B1F3 55 push ebp
:0042B1F4 B9CC1F4F00 mov ecx, 004F1FCC

* Reference To: MFC42.Ordinal:035A, Ord:035Ah
|
:0042B1F9 E834000300 Call 0045B232
:0042B1FE 57 push edi
:0042B1FF B9D01F4F00 mov ecx, 004F1FD0

* Reference To: MFC42.Ordinal:035A, Ord:035Ah
|
:0042B204 E829000300 Call 0045B232
:0042B209 8B4500 mov eax, dword ptr [ebp+00]

* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:02E5h
|
:0042B20C 8B35D8104600 mov esi, dword ptr [004610D8]

* Possible StringData Ref from Data Obj ->"REGKEYCR.INI"
|
:0042B212 6834074700 push 00470734
:0042B217 50 push eax

* Possible StringData Ref from Data Obj ->"NAME"
|
:0042B218 682C074700 push 0047072C

* Possible StringData Ref from Data Obj ->"REGISTRATION"
|
:0042B21D 681C074700 push 0047071C
:0042B222 FFD6 call esi \\这个CALL是把注册信息保存在C:\WINDOWS\REGKEYCR.INI文件里面的!
:0042B224 8B07 mov eax, dword ptr [edi]

------------------------------------------------------------------------
内存注册机:
中断地址:0042B185
中断次数:1
字节长度:2
第一字符:8A
注册码:内存方式-->EAX

注册信息保存在C:\WINDOWS\REGKEYCR.INI
把C:\WINDOWS\的REGKEYCR.INI文件删除掉就变成未注册版本了!

一组可以用的注册码!
Yock
9733352626
------------------------------------------------------------------------
总结:
由于可以用做内存注册机,所以在0042B15A的那个根据用户名计算注册码的CALL,我追了一下,很多地方看不懂,就放弃了!:-P

我个人认为把
0042B1B4 6A00 push 00000000
0042B1B6 6857E10000 push 0000E157
改成
0042B1B4 8B442410 mov eax, dword ptr [esp+10]
0042B1B8 90 NOP
0042B1B9 50 push eax
0042B1BA 90 NOP

让程序自己变成注册机的!可惜失败了!指大哥哥指点我错在哪里!希望大哥哥们可以教教我怎么做!!

最后谢谢您看这篇文章!谢谢...

2003.05.14晚于清远