【Title】: A Brief Analysis of Cracking Ease Audio Converter 1.81
【Author】: KuNgBiM[DFCG]
【Author's e-mail】: gb_1227@163.com
【Software name】: Ease Audio Converter 1.81
【Size】: 4450 KB
【Category】: Foreign software / Shareware / Audio tools
【Download】: http://www.audiotool.net/
【Description】: An audio file format conversion utility that converts between MP3 and WAV files. Convert MP3 to WAV so that, if you have a CD-R, you can make your own CDs. Converting a file takes a single button click. The program has a friendly user interface; with it you will quickly become an expert at this.
【Protection】: Registration code + startup nag
【Compiler】: Borland Delphi 6.0 - 7.0
【Debug environment】: WinXP, PEiD, OllyDbg
【Date】: 2005-06-17
【Author's note】: I am a beginner at cracking, doing this purely out of interest and with no other motive. Corrections from the experts are welcome!
—————————————————————————————————
【Cracking process】:
Detection: checked with PEiD; no packer, compiled with Borland Delphi 6.0 - 7.0.
Getting to the point: load the main program in OllyDbg; once loading finishes, Search for ---> All referenced text strings, find "Invalid register code!Please retry!",
double-click to land at 004D3C46, scroll up to 004D3A6C and set a breakpoint there, press F9 to run, then enter the trial registration details:
//////// Trial registration details ////////
Register Name:KuNgBiM
Register Code:5201314
//////////////////////////////
Click OK and OD breaks at:
004D3A6C 6A 00 push 0
004D3A6E 6A 00 push 0
004D3A70 49 dec ecx ;ecx=4
004D3A71 ^ 75 F9 jnz short AudioCon.004D3A6C ;loops back up, checked 4 times
004D3A73 51 push ecx ;ecx=0
004D3A74 53 push ebx
004D3A75 8945 FC mov dword ptr ss:[ebp-4],eax
004D3A78 33C0 xor eax,eax
004D3A7A 55 push ebp
004D3A7B 68 C13C4D00 push AudioCon.004D3CC1
004D3A80 64:FF30 push dword ptr fs:[eax]
004D3A83 64:8920 mov dword ptr fs:[eax],esp
004D3A86 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004D3A89 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D3A8C 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004D3A92 E8 95F5F6FF call AudioCon.0044302C ;get the user name and compute its length
004D3A97 8B45 F0 mov eax,dword ptr ss:[ebp-10] ;ASCII "KuNgBiM",eax=7
004D3A9A 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004D3A9D E8 7254F3FF call AudioCon.00408F14
004D3AA2 8D55 EC lea edx,dword ptr ss:[ebp-14]
004D3AA5 8B45 F8 mov eax,dword ptr ss:[ebp-8] ;user name assigned to eax
004D3AA8 E8 9B54F3FF call AudioCon.00408F48
004D3AAD 8B55 EC mov edx,dword ptr ss:[ebp-14]
004D3AB0 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004D3AB3 E8 680EF3FF call AudioCon.00404920
004D3AB8 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004D3ABB 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D3ABE 8B80 10030000 mov eax,dword ptr ds:[eax+310]
004D3AC4 E8 63F5F6FF call AudioCon.0044302C ;get the trial code and compute its length
004D3AC9 8B45 E8 mov eax,dword ptr ss:[ebp-18] ;ASCII "5201314",eax=7
004D3ACC 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004D3ACF E8 4054F3FF call AudioCon.00408F14
004D3AD4 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
004D3AD7 8B45 F4 mov eax,dword ptr ss:[ebp-C] ;trial code assigned to eax
004D3ADA E8 6954F3FF call AudioCon.00408F48
004D3ADF 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
004D3AE2 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004D3AE5 E8 360EF3FF call AudioCon.00404920
004D3AEA 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004D3AED E8 4E10F3FF call AudioCon.00404B40 ;check whether the trial code is a "classic" pattern string ★
004D3AF2 85C0 test eax,eax
004D3AF4 0F84 84010000 je AudioCon.004D3C7E ;if this jumps, it is certain death! ^__^
004D3AFA 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004D3AFD E8 3E10F3FF call AudioCon.00404B40 ;check whether the trial code length is 0
004D3B02 85C0 test eax,eax
004D3B04 75 1A jnz short AudioCon.004D3B20 ;must jump; if it does not jump, dead!
004D3B06 6A 00 push 0
004D3B08 66:8B0D D03C4D0>mov cx,word ptr ds:[4D3CD0]
004D3B0F 33D2 xor edx,edx
004D3B11 B8 DC3C4D00 mov eax,AudioCon.004D3CDC ; ASCII "Code must not be null."
004D3B16 E8 298CF6FF call AudioCon.0043C744
004D3B1B E9 5E010000 jmp AudioCon.004D3C7E
004D3B20 8B45 F4 mov eax,dword ptr ss:[ebp-C] ;ASCII "5201314",eax=7
004D3B23 E8 1810F3FF call AudioCon.00404B40 ;get the character features of the trial code (ASCII values)
004D3B28 85C0 test eax,eax ;eax=7
004D3B2A 7E 38 jle short AudioCon.004D3B64 ;if it jumps, the validity of the trial code is not checked
004D3B2C BA 01000000 mov edx,1
004D3B31 8B4D F4 mov ecx,dword ptr ss:[ebp-C] ;take the HEX value of each trial-code character in turn
004D3B34 0FB64C11 FF movzx ecx,byte ptr ds:[ecx+edx-1] ;('5')35
;('2')32
;('0')30
;('1')31
;('3')33
;('1')31
;('4')34
;
004D3B39 83F9 30 cmp ecx,30 ;compare each HEX value with 30
004D3B3C 7C 08 jl short AudioCon.004D3B46 ;if less, jump to death!
004D3B3E 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
004D3B41 83F9 39 cmp ecx,39 ;compare each HEX value with 39
004D3B44 7E 1A jle short AudioCon.004D3B60 ;if greater (not taken), it is death!
004D3B46 6A 00 push 0
004D3B48 66:8B0D D03C4D0>mov cx,word ptr ds:[4D3CD0]
004D3B4F 33D2 xor edx,edx
004D3B51 B8 FC3C4D00 mov eax,AudioCon.004D3CFC ; ASCII "The code must be integer!"
004D3B56 E8 E98BF6FF call AudioCon.0043C744
004D3B5B E9 1E010000 jmp AudioCon.004D3C7E
004D3B60 42 inc edx ;edx += 1, points at the next character
004D3B61 48 dec eax ;eax -= 1, keeps the character index correct
004D3B62 ^ 75 CD jnz short AudioCon.004D3B31 ;loop back up: trial-code check loop
004D3B64 BB 01000000 mov ebx,1 ;trial code is valid, ebx set to 1
004D3B69 8B45 F8 mov eax,dword ptr ss:[ebp-8] ;eax is reloaded with the user name, ready for the next round of checks
004D3B6C E8 CF0FF3FF call AudioCon.00404B40
004D3B71 85C0 test eax,eax ;eax=7
004D3B73 7E 13 jle short AudioCon.004D3B88 ;if it jumps, the validity of the user name is not checked
004D3B75 BA 01000000 mov edx,1 ;edx=8
004D3B7A 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ;take the HEX value of each character (of the user name) in turn, ecx=34
004D3B7D 0FB64C11 FF movzx ecx,byte ptr ds:[ecx+edx-1] ;ebx starts at 1
004D3B82 03D9 add ebx,ecx ;ebx=ecx+ebx
;ecx=4B,ebx=1
;ecx=75,ebx=4C
;ecx=4E,ebx=C1
;ecx=67,ebx=10F
;ecx=42,ebx=176
;ecx=69,ebx=1B8
;ecx=4D,ebx=221
;
004D3B84 42 inc edx ;edx += 1, points at the next character
004D3B85 48 dec eax ;eax -= 1, keeps the character index correct
004D3B86 ^ 75 F2 jnz short AudioCon.004D3B7A ;loop back up: user-name check loop
004D3B88 69C3 2C050000 imul eax,ebx,52C ;eax=ebx*52C, ebx=26E (result of the last iteration), integer multiply
;
004D3B8E 05 9A310000 add eax,319A ;eax=eax+319A, eax=C90E8
004D3B93 8BD8 mov ebx,eax ;copy eax back into ebx, eax=CC282
004D3B95 8B45 F4 mov eax,dword ptr ss:[ebp-C] ;ASCII "5201314",eax=CC282
004D3B98 E8 A30FF3FF call AudioCon.00404B40
004D3B9D 83F8 0A cmp eax,0A ;compare the trial-code length with 10
004D3BA0 0F8F C3000000 jg AudioCon.004D3C69 ;if greater, jump to death!
004D3BA6 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004D3BA9 E8 F66CF3FF call AudioCon.0040A8A4 ;algorithm CALL, step into it
004D3BAE DB2D 183D4D00 fld tbyte ptr ds:[4D3D18] ;ds:[004D3D18]=2147483647.0000000000
004D3BB4 DED9 fcompp ;floating-point compare, st(1)=5201314.0000000000000
; st=2147483647.0000000000
004D3BB6 DFE0 fstsw ax ;ax=4001
004D3BB8 9E sahf ;AH=00 (S0 Z0 A0 P0 C0)
;FL=12
004D3BB9 0F82 93000000 jb AudioCon.004D3C52 ;jumps if below
004D3BBF 8D55 E0 lea edx,dword ptr ss:[ebp-20] ;edx cleared
004D3BC2 8B45 FC mov eax,dword ptr ss:[ebp-4] ;eax cleared
004D3BC5 8B80 10030000 mov eax,dword ptr ds:[eax+310] ;ds:[00E5708C]=E5AE50,eax=E56D7C
004D3BCB E8 5CF4F6FF call AudioCon.0044302C
004D3BD0 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004D3BD3 E8 CC6CF3FF call AudioCon.0040A8A4
004D3BD8 895D DC mov dword ptr ss:[ebp-24],ebx ;ebx=CC282
004D3BDB DB45 DC fild dword ptr ss:[ebp-24] ;integer loaded as floating point, 836226
004D3BDE DED9 fcompp ;floating-point compare, st(1)=5201314.0000000000000
; st=836226.00000000000000
004D3BE0 DFE0 fstsw ax ;ax=0001
004D3BE2 9E sahf ;AH=01 (S0 Z0 A0 P0 C1)
;FL=12
004D3BE3 75 56 jnz short AudioCon.004D3C3B ;if not equal, jump to death! ★patch point★
004D3BE5 6A 00 push 0
004D3BE7 66:8B0D D03C4D0>mov cx,word ptr ds:[4D3CD0]
004D3BEE B2 02 mov dl,2
004D3BF0 B8 2C3D4D00 mov eax,AudioCon.004D3D2C ; ASCII "Congratulation!You have registered."
004D3BF5 E8 4A8BF6FF call AudioCon.0043C744
004D3BFA 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D3BFD C680 28030000 0>mov byte ptr ds:[eax+328],1
004D3C04 A1 746D4D00 mov eax,dword ptr ds:[4D6D74]
004D3C09 8B00 mov eax,dword ptr ds:[eax]
004D3C0B 33C9 xor ecx,ecx
004D3C0D BA 04000000 mov edx,4
004D3C12 8B18 mov ebx,dword ptr ds:[eax]
004D3C14 FF53 10 call dword ptr ds:[ebx+10]
004D3C17 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D3C1A 8D90 28030000 lea edx,dword ptr ds:[eax+328]
004D3C20 A1 746D4D00 mov eax,dword ptr ds:[4D6D74]
004D3C25 8B00 mov eax,dword ptr ds:[eax]
004D3C27 B9 01000000 mov ecx,1
004D3C2C E8 DF7AF4FF call AudioCon.0041B710
004D3C31 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D3C34 E8 A7BEF8FF call AudioCon.0045FAE0
004D3C39 EB 43 jmp short AudioCon.004D3C7E
004D3C3B 6A 00 push 0 ;once you land here it is all over~~~
004D3C3D 66:8B0D D03C4D0>mov cx,word ptr ds:[4D3CD0]
004D3C44 33D2 xor edx,edx
004D3C46 B8 583D4D00 mov eax,AudioCon.004D3D58 ; ASCII "Invalid register code!Please retry!"
004D3C4B E8 F48AF6FF call AudioCon.0043C744
004D3C50 EB 2C jmp short AudioCon.004D3C7E
004D3C52 6A 00 push 0
004D3C54 66:8B0D D03C4D0>mov cx,word ptr ds:[4D3CD0]
004D3C5B 33D2 xor edx,edx
004D3C5D B8 843D4D00 mov eax,AudioCon.004D3D84 ; ASCII "The code is overload!Please retry!"
004D3C62 E8 DD8AF6FF call AudioCon.0043C744
004D3C67 EB 15 jmp short AudioCon.004D3C7E
004D3C69 6A 00 push 0
004D3C6B 66:8B0D D03C4D0>mov cx,word ptr ds:[4D3CD0]
004D3C72 33D2 xor edx,edx
004D3C74 B8 843D4D00 mov eax,AudioCon.004D3D84 ; ASCII "The code is overload!Please retry!"
004D3C79 E8 C68AF6FF call AudioCon.0043C744
004D3C7E 33C0 xor eax,eax
004D3C80 5A pop edx
004D3C81 59 pop ecx
004D3C82 59 pop ecx
004D3C83 64:8910 mov dword ptr fs:[eax],edx
004D3C86 68 C83C4D00 push AudioCon.004D3CC8
004D3C8B 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004D3C8E E8 F50BF3FF call AudioCon.00404888
004D3C93 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004D3C96 E8 ED0BF3FF call AudioCon.00404888
004D3C9B 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004D3C9E E8 E50BF3FF call AudioCon.00404888
004D3CA3 8D45 EC lea eax,dword ptr ss:[ebp-14]
004D3CA6 E8 DD0BF3FF call AudioCon.00404888
004D3CAB 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004D3CAE E8 D50BF3FF call AudioCon.00404888
004D3CB3 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004D3CB6 BA 02000000 mov edx,2
004D3CBB E8 EC0BF3FF call AudioCon.004048AC
004D3CC0 C3 retn
004D3CC1 ^ E9 4605F3FF jmp AudioCon.0040420C
004D3CC6 ^ EB C3 jmp short AudioCon.004D3C8B
004D3CC8 5B pop ebx
004D3CC9 8BE5 mov esp,ebp
004D3CCB 5D pop ebp
004D3CCC C3 retn ;return to the program
========== Step into: 004D3BA9 E8 F66CF3FF call AudioCon.0040A8A4 ==========
0040A8A4 53 push ebx ;push ebx, ebx=CC282
0040A8A5 83C4 EC add esp,-14 ;esp=esp+(-14), esp=12EEE0
0040A8A8 8BD8 mov ebx,eax ;eax assigned to ebx
0040A8AA 8BC3 mov eax,ebx ;ebx assigned to eax, ebx=E62058
0040A8AC E8 87A4FFFF call AudioCon.00404D38
0040A8B1 8BD4 mov edx,esp ;esp=12EECC, edx=8
0040A8B3 33C9 xor ecx,ecx ;ecx=4D
0040A8B5 E8 56FDFFFF call AudioCon.0040A610 ;fetch the characters of the trial code
0040A8BA 84C0 test al,al
0040A8BC 75 19 jnz short AudioCon.0040A8D7 ;must jump
0040A8BE 895C24 0C mov dword ptr ss:[esp+C],ebx
0040A8C2 C64424 10 0B mov byte ptr ss:[esp+10],0B
0040A8C7 8D5424 0C lea edx,dword ptr ss:[esp+C]
0040A8CB A1 646C4D00 mov eax,dword ptr ds:[4D6C64]
0040A8D0 33C9 xor ecx,ecx
0040A8D2 E8 F5E2FFFF call AudioCon.00408BCC
0040A8D7 DB2C24 fld tbyte ptr ss:[esp] ;trial code converted to floating point, 5201314.0000000000000
0040A8DA 83C4 14 add esp,14
0040A8DD 5B pop ebx
0040A8DE C3 retn ;return
================================================
【Algorithm notes】:
1. The registration code may not be longer than 9 digits.
2. The registration code may not contain letters.
3. The registration code may not be a "classic" pattern, e.g. "123456789", "987654321", "111222333".
4. (Unknown) ^__^ (I leave this one to the experts to keep researching, hehe; thanks in advance~~)
【Summary】:
I originally intended to trace out the software's algorithm, but there are so many floating-point instructions that my head was spinning; after going back and forth I still could not work out what was going on, sigh~~~
Forget it, I will just go with a TNT (patch) instead~~~ (Friends interested in floating-point algorithms, please look into it and PM me when you do~~ hehe)
【Patch point】:
004D3BE3 75 56 jnz short AudioCon.004D3C3B ;jnz --> je (change 75 to 74)
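The patch described above flips a single byte at VA 004D3BE3 (75 -> 74). From the software vendor's side, the useful counterpart is a tamper check that can tell whether a shipped copy still carries the original bytes at that site. The Python script below is an added example and not part of the original write-up or of the AudioCon program: it maps a virtual address to a file offset through the PE section table, reads the bytes found there, and compares them with the expected 75 56. The PE image it runs against is a constructed minimal stand-in, not the real binary; its layout (image base 0x400000, a single .text section at RVA 0xD3000 backed by raw offset 0x400) is an assumption chosen so that the patch site lands inside a small buffer.

```python
import struct

# Patch site documented in the write-up: VA 0x004D3BE3 holds "75 56" (jnz short).
# A patched copy has the first byte changed to 0x74 (je short).
PATCH_VA = 0x004D3BE3
EXPECTED_BYTES = bytes.fromhex("7556")


def parse_pe(data):
    """Return (image_base, [(va, vsize, raw_ptr, raw_size), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    table = opt + opt_size                   # section table follows the optional header
    for i in range(nsections):
        hdr = table + 40 * i                 # 8-byte name, then VirtualSize, VirtualAddress,
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """Translate a virtual address to the file offset backing it."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError("address lies in the uninitialised part of a section")
            return raw_ptr + delta
    raise ValueError("address not covered by any section")


def check_patch_site(data, va=PATCH_VA, expected=EXPECTED_BYTES):
    """Return (intact, actual_bytes): intact is True when the site still holds `expected`."""
    off = va_to_file_offset(data, va)
    actual = bytes(data[off:off + len(expected)])
    return actual == expected, actual


def build_sample_pe(patched=False):
    """Constructed minimal PE32 (an assumption, not the real AudioCon binary) whose single
    section covers RVA 0xD3BE3, so the documented patch site maps into a 5 KB buffer."""
    image_base = 0x00400000
    sec_va, sec_raw, sec_size = 0xD3000, 0x400, 0x1000
    buf = bytearray(sec_raw + sec_size)
    buf[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    opt_size = 0xE0
    # Machine=i386, 1 section, timestamp/symbols zero, optional header size, characteristics
    struct.pack_into("<HHIIIHH", buf, coff, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, opt + 28, image_base)
    sec = opt + opt_size
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", buf, sec + 8, sec_size, sec_va, sec_size, sec_raw)
    site = sec_raw + (PATCH_VA - image_base - sec_va)
    buf[site:site + 2] = b"\x74\x56" if patched else EXPECTED_BYTES
    return bytes(buf)


if __name__ == "__main__":
    for label, image in (("original", build_sample_pe()), ("patched", build_sample_pe(patched=True))):
        intact, found = check_patch_site(image)
        print(f"{label}: bytes at {PATCH_VA:#010x} = {found.hex()} -> {'intact' if intact else 'TAMPERED'}")
```

For a real file you would read the executable into `data` and call `check_patch_site` on it; such a single-site check only catches the specific edit described here, so in practice it is paired with a whole-file hash or signature so that patches anywhere else are noticed too.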
--------------------------------------------------------------------------
(End of article)
Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked By KuNgBiM[DFCG]
2005-06-17
16:41:00 PM