【文章标题】: 一个音频转换工具软件的注册分析
【文章作者】: zhy_qie
【作者邮箱】: zhy_qie@163.com
【作者QQ号】: 422166665
【软件名称】: 4U WMA MP3 Converter v5.6.0 汉化版
【软件大小】: 6428 KB
【下载地址】: 自己搜索下载
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OllyICE、PEiD
【操作平台】: WinXP
【软件介绍】: 一款各种不同类型音频文件之间的转换工具
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
在转换一个音频文件时,在网上寻得此软件。未注册时有功能限制,只能转换文件的60%。查壳,无;有注册成功提示,
据此可很容易找到关键地方。此等“软柿子”正好作为偶在论坛上冒个泡泡!还不动手,更待何时?操起OllyICE,开刀。
;-----------------------------------------------------------------------
; 0048D458 — registration check (Delphi "register" convention)
; In:    eax = Self (kept in esi), edx = user name -> [local.1],
;        ecx = entered code -> [local.2]
; Does:  derives the expected code from the user name (call 0048D61C),
;        compares it with the entered code (call 00408AA4), then shows a
;        success (uType 0x40) or failure (uType 0x10) MessageBoxA.
; Design note: the expected code is a deterministic function of the user
;        name and a built-in constant, computed and compared on the client
;        with a single conditional branch. A signed licence blob or a
;        server-side check would remove that single point of failure.
;        Helper semantics (004xxxxx) follow the original author's readings
;        unless marked "presumably".
;-----------------------------------------------------------------------
0048D458 /$ 5>push ebp
0048D459 |. 8>mov ebp, esp
0048D45B |. 6>push 0 ; five zeroed slots: string locals local.1..local.5
0048D45D |. 6>push 0
0048D45F |. 6>push 0
0048D461 |. 6>push 0
0048D463 |. 6>push 0
0048D465 |. 5>push ebx ; callee-saved
0048D466 |. 5>push esi
0048D467 |. 8>mov [local.2], ecx ; entered registration code
0048D46A |. 8>mov [local.1], edx ; user name
0048D46D |. 8>mov esi, eax ; esi = Self
0048D46F |. 8>mov eax, [local.1]
0048D472 |. E>call 00404B80 ; string bookkeeping on [local.1] (presumably AddRef — confirm)
0048D477 |. 8>mov eax, [local.2]
0048D47A |. E>call 00404B80 ; same for [local.2]
0048D47F |. 3>xor eax, eax
0048D481 |. 5>push ebp
0048D482 |. 6>push 48D555 ; handler address
0048D487 |. 6>push dword ptr fs:[eax] ; link a try/finally frame into fs:[0]
0048D48A |. 6>mov fs:[eax], esp
0048D48D |. 3>xor ebx, ebx ; ebx = 0: not registered yet
0048D48F |. B>mov edx, 48D56C ; ASCII "Megido,share.homedns.org,www.appzplanet.com"
0048D494 |. 8>mov eax, [local.1]
0048D497 |. E>call 00404CD4 ; look the user name up in that list (presumably a Pos-style helper; eax > 0 = found)
0048D49C |. 8>test eax, eax
0048D49E |. 7>jle short 0048D4AB ; not listed: go straight to the key derivation
0048D4A0 |. 8>lea eax, [local.2]
0048D4A3 |. 8>mov edx, [local.1]
0048D4A6 |. E>call 00404778 ; listed name: presumably [local.2] := user name so the compare below fails (client-side blacklist; adds no real strength)
0048D4AB |> 8>lea ecx, [local.3] ; out: expected code
0048D4AE |. 8>mov edx, [local.1] ; user name
0048D4B1 |. 8>mov eax, esi
0048D4B3 |. E>call 0048D61C ; key CALL 1: derive the expected code from the user name
0048D4B8 |. 8>mov edx, [local.3] ; expected code (held in memory in the clear at this point)
0048D4BB |. 8>mov eax, [local.2] ; entered code
0048D4BE |. E>call 00408AA4 ; string compare; eax = 0 on match
0048D4C3 |. 8>test eax, eax
0048D4C5 |. 7>jnz short 0048D50B ; mismatch -> failure prompt; the whole decision rests on this one branch
0048D4C7 |. 8>mov ecx, [local.2]
0048D4CA |. 8>mov edx, [local.1]
0048D4CD |. 8>mov eax, esi
0048D4CF |. E>call 0048CDE8 ; Self.method(name, code): presumably persists the registration; returns al
0048D4D4 |. 8>test al, al
0048D4D6 |. 7>je short 0048D53A ; false -> leave without showing either prompt
0048D4D8 |. B>mov bl, 1 ; bl = 1: registered (how ebx is used after retn is outside the dump)
0048D4DA |. 6>push 40 ; uType = 0x40 (MB_ICONINFORMATION)
0048D4DC |. 8>lea edx, [local.4]
0048D4DF |. A>mov eax, [4BEFE8]
0048D4E4 |. 8>mov eax, [eax]
0048D4E6 |. E>call 0046718C ; [local.4] := caption string obtained via the global at 4BEFE8 (presumably the Application object — confirm)
0048D4EB |. 8>mov eax, [local.4]
0048D4EE |. E>call 00404B90 ; presumably string -> PChar
0048D4F3 |. 5>push eax ; |Title
0048D4F4 |. 6>push 48D598 ; |Text: "Registration successful, thank you for registering." (original string is Chinese)
0048D4F9 |. A>mov eax, [4BEFE8] ; |
0048D4FE |. 8>mov eax, [eax] ; |
0048D500 |. 8>mov eax, [eax+30] ; |
0048D503 |. 5>push eax ; |hOwner
0048D504 |. E>call 00407658 ; \MessageBoxA
0048D509 |. E>jmp short 0048D53A ; 0048D53A
0048D50B |> 6>push 10 ; uType = 0x10 (MB_ICONERROR)
0048D50D |. 8>lea edx, [local.5]
0048D510 |. A>mov eax, [4BEFE8]
0048D515 |. 8>mov eax, [eax]
0048D517 |. E>call 0046718C ; [local.5] := caption string, as above
0048D51C |. 8>mov eax, [local.5]
0048D51F |. E>call 00404B90 ; presumably string -> PChar
0048D524 |. 5>push eax ; |Title
0048D525 |. 6>push 48D5D0 ; |Text: registration-failure message (string bytes were mis-decoded in the dump)
0048D52A |. A>mov eax, [4BEFE8] ; |
0048D52F |. 8>mov eax, [eax] ; |
0048D531 |. 8>mov eax, [eax+30] ; |
0048D534 |. 5>push eax ; |hOwner
0048D535 |. E>call 00407658 ; \MessageBoxA — registration failed
0048D53A |> 3>xor eax, eax
0048D53C |. 5>pop edx
0048D53D |. 5>pop ecx
0048D53E |. 5>pop ecx
0048D53F |. 6>mov fs:[eax], edx ; unlink the try/finally frame
0048D542 |. 6>push 48D55C ; the retn below "returns" to 0048D55C (epilogue, not in the dump)
0048D547 |> 8>lea eax, [local.5]
0048D54A |. B>mov edx, 5
0048D54F |. E>call 00404704 ; finalize the 5 string locals
0048D554 \. C>retn
进入关键CALL1
;-----------------------------------------------------------------------
; 0048D61C — expected-code derivation (key CALL 1)
; In:    eax = Self (kept in edi), edx = user name -> [local.1],
;        ecx = out string pointer (kept in ebx)
; Out:   [ebx] = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX": five 5-char slices of
;        the raw hex string reg produced by 0048CC94 (key CALL 2)
; Steps (string helpers as read by the original author):
;        S  = name + "Jt^S0Mvx5C1"; S1 = S[1..len/2]; S2 = the rest
;        S3 = S2 + S1; S4 = S3[1..10]; S5 = S3[6..end]; reg = CALL2(S4, S5)
;        slice starts are 1, 6, 11, 15 and 3 (the edx values below) — they
;        overlap, so the result is not simply the first 20 chars of reg.
;-----------------------------------------------------------------------
0048D61C /$ 5>push ebp
0048D61D |. 8>mov ebp, esp
0048D61F |. 5>push ecx
0048D620 |. B>mov ecx, 4
0048D625 |> 6>/push 0 ; 4 x 2 zeroed slots: string locals
0048D627 |. 6>|push 0
0048D629 |. 4>|dec ecx
0048D62A |.^ 7>\jnz short 0048D625 ;
0048D62C |. 5>push ecx
0048D62D |. 8>xchg [local.1], ecx ; recover the ecx pushed first (out pointer); its slot becomes 0
0048D630 |. 5>push ebx
0048D631 |. 5>push esi
0048D632 |. 5>push edi
0048D633 |. 8>mov ebx, ecx ; ebx = out string pointer
0048D635 |. 8>mov [local.1], edx ; user name
0048D638 |. 8>mov edi, eax ; edi = Self
0048D63A |. 8>mov eax, [local.1]
0048D63D |. E>call 00404B80 ;
0048D642 |. 3>xor eax, eax
0048D644 |. 5>push ebp
0048D645 |. 6>push 48D7B2
0048D64A |. 6>push dword ptr fs:[eax] ; link a try/finally frame into fs:[0]
0048D64D |. 6>mov fs:[eax], esp
0048D650 |. 8>lea eax, [local.1] ; user name (in/out)
0048D653 |. B>mov edx, 48D7C8 ; fixed constant "Jt^S0Mvx5C1"
0048D658 |. E>call 004049A0 ; S := name + "Jt^S0Mvx5C1" (append helper)
0048D65D |. 8>mov eax, [local.1]
0048D660 |. E>call 00404998 ; eax = Length(S)
0048D665 |. 8>mov esi, eax
0048D667 |. D>sar esi, 1 ; esi = Length(S) div 2 (sar + adc fix-up = signed division by 2)
0048D669 |. 7>jns short 0048D66E ;
0048D66B |. 8>adc esi, 0
0048D66E |> 8>lea eax, [local.4] ; out: S1
0048D671 |. 5>push eax
0048D672 |. 8>mov ecx, esi ; count = len/2
0048D674 |. B>mov edx, 1 ; start = 1
0048D679 |. 8>mov eax, [local.1]
0048D67C |. E>call 00404BF0 ; S1 := Copy(S, 1, len/2)
0048D681 |. 8>mov eax, [local.4] ; S1
0048D684 |. 5>push eax ; kept for the concat at 0048D6A5
0048D685 |. 8>lea eax, [local.5] ; out: S2
0048D688 |. 5>push eax
0048D689 |. 8>mov eax, [local.1]
0048D68C |. E>call 00404998 ; eax = Length(S) again
0048D691 |. 8>mov ecx, eax ; count = full length (the helper presumably clips to the end)
0048D693 |. 8>lea edx, [esi+1] ; start = len/2 + 1
0048D696 |. 8>mov eax, [local.1]
0048D699 |. E>call 00404BF0 ; S2 := Copy(S, len/2 + 1, rest)
0048D69E |. 8>mov edx, [local.5] ; S2
0048D6A1 |. 8>lea eax, [local.1] ; S3 overwrites S
0048D6A4 |. 5>pop ecx ; S1
0048D6A5 |. E>call 004049E4 ; S3 := S2 + S1 (halves swapped)
0048D6AA |. 8>lea eax, [local.2] ; out: S4
0048D6AD |. 5>push eax
0048D6AE |. B>mov ecx, 0A ; count = 10
0048D6B3 |. B>mov edx, 1 ; start = 1
0048D6B8 |. 8>mov eax, [local.1]
0048D6BB |. E>call 00404BF0 ; S4 := Copy(S3, 1, 10)
0048D6C0 |. 8>lea eax, [local.3] ; out: S5
0048D6C3 |. 5>push eax
0048D6C4 |. 8>mov eax, [local.1]
0048D6C7 |. E>call 00404998 ; eax = Length(S3)
0048D6CC |. 8>mov ecx, eax
0048D6CE |. B>mov edx, 6 ; start = 6
0048D6D3 |. 8>mov eax, [local.1]
0048D6D6 |. E>call 00404BF0 ; S5 := Copy(S3, 6, rest)
0048D6DB |. 8>cmp [local.3], 0 ; S5 empty?
0048D6DF |. 7>jnz short 0048D6F1 ; normally taken: S3 carries the 11-char constant, so S5 should never be empty — presumably unreachable
0048D6E1 |. 8>lea eax, [local.3]
0048D6E4 |. B>mov edx, 48D7C8 ; the constant again
0048D6E9 |. 8>mov ecx, [local.2] ; S4
0048D6EC |. E>call 004049E4 ; S5 := "Jt^S0Mvx5C1" + S4 (same concat helper as 0048D6A5)
0048D6F1 |> 5>push ebx ; stack arg: out pointer for reg (0048CC94 ends with retn 4)
0048D6F2 |. 8>mov ecx, [local.3] ; S5
0048D6F5 |. 8>mov edx, [local.2] ; S4
0048D6F8 |. 8>mov eax, edi
0048D6FA |. E>call 0048CC94 ; key CALL 2: [ebx] := reg (hex string derived from S4 and S5)
0048D6FF |. 8>lea eax, [local.6]
0048D702 |. 5>push eax
0048D703 |. 8>mov eax, [ebx] ; reg
0048D705 |. B>mov ecx, 5
0048D70A |. B>mov edx, 1
0048D70F |. E>call 00404BF0 ; slice 1 := Copy(reg, 1, 5)
0048D714 |. F>push [local.6]
0048D717 |. 6>push 48D7DC ; -
0048D71C |. 8>lea eax, [local.7]
0048D71F |. 5>push eax
0048D720 |. 8>mov eax, [ebx]
0048D722 |. B>mov ecx, 5
0048D727 |. B>mov edx, 6
0048D72C |. E>call 00404BF0 ; slice 2 := Copy(reg, 6, 5)
0048D731 |. F>push [local.7]
0048D734 |. 6>push 48D7DC ; -
0048D739 |. 8>lea eax, [local.8]
0048D73C |. 5>push eax
0048D73D |. 8>mov eax, [ebx]
0048D73F |. B>mov ecx, 5
0048D744 |. B>mov edx, 0B
0048D749 |. E>call 00404BF0 ; slice 3 := Copy(reg, 11, 5)
0048D74E |. F>push [local.8]
0048D751 |. 6>push 48D7DC ; -
0048D756 |. 8>lea eax, [local.9]
0048D759 |. 5>push eax
0048D75A |. 8>mov eax, [ebx]
0048D75C |. B>mov ecx, 5
0048D761 |. B>mov edx, 0F ; start = 15, not 16: overlaps slice 3 by one char
0048D766 |. E>call 00404BF0 ; slice 4 := Copy(reg, 15, 5)
0048D76B |. F>push [local.9]
0048D76E |. 6>push 48D7DC ; -
0048D773 |. 8>lea eax, [local.10]
0048D776 |. 5>push eax
0048D777 |. 8>mov eax, [ebx]
0048D779 |. B>mov ecx, 5
0048D77E |. B>mov edx, 3 ; start = 3: re-uses chars 3..7 of reg
0048D783 |. E>call 00404BF0 ; slice 5 := Copy(reg, 3, 5)
0048D788 |. F>push [local.10]
0048D78B |. 8>mov eax, ebx
0048D78D |. B>mov edx, 9 ; presumably the piece count: 5 slices + 4 "-" pushed above
0048D792 |. E>call 00404A58 ; [ebx] := concatenation of the 9 pieces
0048D797 |. 3>xor eax, eax
0048D799 |. 5>pop edx
0048D79A |. 5>pop ecx
0048D79B |. 5>pop ecx
0048D79C |. 6>mov fs:[eax], edx ; unlink the try/finally frame
0048D79F |. 6>push 48D7B9 ; the retn below "returns" to the real epilogue at 0048D7B9
0048D7A4 |> 8>lea eax, [local.10]
0048D7A7 |. B>mov edx, 0A
0048D7AC |. E>call 00404704 ; finalize the 10 string locals
0048D7B1 \. C>retn
0048D7B2 .^ E>jmp 00404064 ; exception path (presumably finalize and re-raise)
0048D7B7 .^ E>jmp short 0048D7A4 ;
0048D7B9 . 5>pop edi ; epilogue
0048D7BA . 5>pop esi
0048D7BB . 5>pop ebx
0048D7BC . 8>mov esp, ebp
0048D7BE . 5>pop ebp
0048D7BF . C>retn
进入关键CALL2
;-----------------------------------------------------------------------
; 0048CC94 — raw code generator (key CALL 2)
; In:    eax = Self (not used below), edx = S4 -> [local.1],
;        ecx = S5 -> [local.2], [arg.1] = out string pointer (retn 4)
; Out:   *arg.1 := reg, a hex string = "%1.2x"(Length(S5)) followed by
;        one "%1.2x" byte per character of S4, where per round
;          b = (b + ord(S4[i])) mod 0xFF ; b ^= ord(S5[j]) ; j cycles 1..Length(S5)
;        with b starting at 0x100.
; Check: for the article's example (name "zhy_qie", S5 = 13 chars) the
;        length prefix is "0D", which is how the quoted code begins.
; Note:  an 8-bit rolling sum/xor over a name-derived string with a
;        built-in constant; there is no secret material, so this gives
;        no real assurance as a licence check.
;-----------------------------------------------------------------------
0048CC94 /$ 5>push ebp
0048CC95 |. 8>mov ebp, esp
0048CC97 |. 8>add esp, -20 ; 0x20 bytes of locals (local.1..local.8)
0048CC9A |. 5>push ebx
0048CC9B |. 5>push esi
0048CC9C |. 5>push edi
0048CC9D |. 3>xor ebx, ebx
0048CC9F |. 8>mov [local.8], ebx ; temp string := nil
0048CCA2 |. 8>mov [local.4], ebx ; reg accumulator := nil
0048CCA5 |. 8>mov [local.2], ecx ; S5
0048CCA8 |. 8>mov [local.1], edx ; S4
0048CCAB |. 8>mov eax, [local.1]
0048CCAE |. E>call 00404B80 ;
0048CCB3 |. 8>mov eax, [local.2]
0048CCB6 |. E>call 00404B80 ;
0048CCBB |. 3>xor eax, eax
0048CCBD |. 5>push ebp
0048CCBE |. 6>push 48CDB4
0048CCC3 |. 6>push dword ptr fs:[eax] ; link a try/finally frame into fs:[0]
0048CCC6 |. 6>mov fs:[eax], esp
0048CCC9 |. 8>mov eax, [local.2]
0048CCCC |. E>call 00404998 ; eax = Length(S5)
0048CCD1 |. 8>mov [local.3], eax ; [local.3] = Length(S5): wrap bound for the S5 index
0048CCD4 |. 8>cmp [local.3], 0
0048CCD8 |. 7>jnz short 0048CCE7 ;
0048CCDA |. 8>lea eax, [local.2]
0048CCDD |. B>mov edx, 48CDCC ; ASCII "Think Space"
0048CCE2 |. E>call 00404778 ; empty S5 -> S5 := "Think Space" (presumably an assign helper); [local.3] stays 0, so the index below is reset to 1 every round
0048CCE7 |> 3>xor esi, esi ; esi = j, index into S5 (becomes 1-based on first advance)
0048CCE9 |. B>mov ebx, 100 ; b := 0x100
0048CCEE |. 8>lea eax, [local.4] ; out: reg
0048CCF1 |. 5>push eax
0048CCF2 |. 8>mov eax, [local.2]
0048CCF5 |. E>call 00404998 ; eax = Length(S5) again
0048CCFA |. 8>mov [local.7], eax ; | format arg value
0048CCFD |. C>mov byte ptr [ebp-18], 0 ; | format arg type tag (presumably vtInteger)
0048CD01 |. 8>lea edx, [local.7] ; | args
0048CD04 |. 3>xor ecx, ecx ; | high index of args = 0 (one arg)
0048CD06 |. B>mov eax, 48CDE0 ; |"%1.2x"
0048CD0B |. E>call 00409C9C ; \WMAMP3Co.00409C9C  reg := Format("%1.2x", [Length(S5)]) — the code's first two hex digits
0048CD10 |. 8>mov eax, [local.1]
0048CD13 |. E>call 00404998 ; eax = Length(S4)
0048CD18 |. 8>mov edi, eax ; edi = rounds remaining
0048CD1A |. 8>test edi, edi
0048CD1C |. 7>jle short 0048CD7E ; empty S4: no rounds, reg is only the length prefix
0048CD1E |. C>mov [local.5], 1 ; i := 1, index into S4
0048CD25 |> 8>/mov eax, [local.1] ; loop over S4; per round: b = (b + S4[i]) mod 0xFF, then b ^= S5[j]
0048CD28 |. 8>|mov edx, [local.5]
0048CD2B |. 0>|movzx eax, byte ptr [eax+edx-1] ; eax = ord(S4[i])
0048CD30 |. 0>|add eax, ebx ; + b (0x100 on the first round; afterwards the previous round's reg3)
0048CD32 |. B>|mov ecx, 0FF ; divisor 0xFF (255, not 256)
0048CD37 |. 9>|cdq ; sign-extend for idiv (values are non-negative here)
0048CD38 |. F>|idiv ecx
0048CD3A |. 8>|mov ebx, edx ; b = remainder mod 0xFF, the author's reg1
0048CD3C |. 3>|cmp esi, [local.3] ; advance j, wrapping to 1 once it reaches Length(S5)
0048CD3F |. 7>|jge short 0048CD44 ;
0048CD41 |. 4>|inc esi
0048CD42 |. E>|jmp short 0048CD49 ;
0048CD44 |> B>|mov esi, 1 ; wrap: S5 is re-used cyclically when shorter than S4
0048CD49 |> 8>|mov eax, [local.2]
0048CD4C |. 0>|movzx eax, byte ptr [eax+esi-1] ; eax = ord(S5[j]), the author's reg2
0048CD51 |. 3>|xor ebx, eax ; b ^= ord(S5[j]), the author's reg3
0048CD53 |. 8>|lea eax, [local.8]
0048CD56 |. 5>|push eax ; /Arg1: out temp string
0048CD57 |. 8>|mov [local.7], ebx ; | format arg value = b
0048CD5A |. C>|mov byte ptr [ebp-18], 0 ; | type tag
0048CD5E |. 8>|lea edx, [local.7] ; |
0048CD61 |. 3>|xor ecx, ecx ; |
0048CD63 |. B>|mov eax, 48CDE0 ; |"%1.2x"
0048CD68 |. E>|call 00409C9C ; \WMAMP3Co.00409C9C  temp := Format("%1.2x", [b]) — two hex digits
0048CD6D |. 8>|mov edx, [local.8] ; temp
0048CD70 |. 8>|lea eax, [local.4] ; reg (in/out)
0048CD73 |. E>|call 004049A0 ; reg := reg + temp (append helper)
; reg in [local.4] (= [ebp-10]) is the value handed back through [arg.1] after the loop
0048CD78 |. F>|inc [local.5] ; i++
0048CD7B |. 4>|dec edi ; one round per character of S4 (10 when S4 = Copy(S3, 1, 10))
0048CD7C |.^ 7>\jnz short 0048CD25 ;
0048CD7E |> 8>mov eax, [arg.1]
0048CD81 |. 8>mov edx, [local.4]
0048CD84 |. E>call 00404734 ; *arg.1 := reg
0048CD89 |. 3>xor eax, eax
0048CD8B |. 5>pop edx
0048CD8C |. 5>pop ecx
0048CD8D |. 5>pop ecx
0048CD8E |. 6>mov fs:[eax], edx ; unlink the try/finally frame
0048CD91 |. 6>push 48CDBB ; the retn below "returns" to the real epilogue at 0048CDBB
0048CD96 |> 8>lea eax, [local.8]
0048CD99 |. E>call 004046E0 ; finalize temp
0048CD9E |. 8>lea eax, [local.4]
0048CDA1 |. E>call 004046E0 ; finalize reg
0048CDA6 |. 8>lea eax, [local.2]
0048CDA9 |. B>mov edx, 2
0048CDAE |. E>call 00404704 ; finalize the S5/S4 locals
0048CDB3 \. C>retn
0048CDB4 .^ E>jmp 00404064 ; exception path (presumably finalize and re-raise)
0048CDB9 .^ E>jmp short 0048CD96 ;
0048CDBB . 5>pop edi ; epilogue
0048CDBC . 5>pop esi
0048CDBD . 5>pop ebx
0048CDBE . 8>mov esp, ebp
0048CDC0 . 5>pop ebp
0048CDC1 . C>retn 4 ; pops the out-pointer argument
--------------------------------------------------------------------------------
【算法总结】
先将用户输入的用户名和固定字符串"Jt^S0Mvx5C1"连接后分为前后两部分并前后对调生成新串(即上面的S3),再取新串
的前10位和第6位始的其余部分分别生成两个字符串(即上面的S4和S5),然后对S4和S5逐位变化并异或后连接起来,之后
每5位用“-”分隔,取前20位即为所求的注册码。
此为偶的处女作[(:)处女膜已人工修复多次] ,不对之处,多多批评。
一组可用的注册码
用户名:zhy_qie
注册码:0D274-F3CB8-55A5A-A3B99-274F3
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年11月01日 10:27:11