好久没有进行破解了,今天无聊找了一个软件看看。找了一个国外软件,破解过程如下:
目标软件:MIDI TO MP3 MAKER(下载地址:http://www3.skycn.com/soft/25150.html)
PEid查看无壳,VC程序,刚好练练手啊!!!
OLLdbg载入,字符串查找,找到如下注册部分。
0041BF70 /. 55 PUSH EBP
0041BF71 |. 8BEC MOV EBP, ESP
0041BF73 |. 83EC 20 SUB ESP, 20
0041BF76 |. 894D E0 MOV DWORD PTR SS:[EBP-20], ECX
0041BF79 |. 6A 01 PUSH 1
0041BF7B |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
0041BF7E |. E8 43000200 CALL midi2mp3.0043BFC6
0041BF83 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
0041BF86 |. 81C1 B4010000 ADD ECX, 1B4
0041BF8C |. E8 BFDAFEFF CALL midi2mp3.00409A50
0041BF91 |. 83F8 02 CMP EAX, 2 ; 姓名的位数要大于2
0041BF94 |. 7D 13 JGE SHORT midi2mp3.0041BFA9
0041BF96 |. 6A 00 PUSH 0
0041BF98 |. 6A 00 PUSH 0
0041BF9A |. 68 A40A4500 PUSH midi2mp3.00450AA4 ; ASCII "Please input correct User Name!"
0041BF9F |. E8 C3620200 CALL midi2mp3.00442267
0041BFA4 |. E9 DC020000 JMP midi2mp3.0041C285
0041BFA9 |> 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
0041BFAC |. 81C1 B8010000 ADD ECX, 1B8 ; ecx中为假注册码的地址
0041BFB2 |. E8 99DAFEFF CALL midi2mp3.00409A50 ; 测试长度,小于8就over
0041BFB7 |. 83F8 08 CMP EAX, 8
0041BFBA |. 7D 13 JGE SHORT midi2mp3.0041BFCF
0041BFBC |. 6A 00 PUSH 0
0041BFBE |. 6A 00 PUSH 0
0041BFC0 |. 68 C40A4500 PUSH midi2mp3.00450AC4 ; ASCII "Please input correct Registration Code!"
0041BFC5 |. E8 9D620200 CALL midi2mp3.00442267
0041BFCA |. E9 B6020000 JMP midi2mp3.0041C285
0041BFCF |> 6A 00 PUSH 0 ; /Arg1 = 00000000
0041BFD1 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041BFD4 |. 81C1 B4010000 ADD ECX, 1B4 ; |用户名的地址给ecx
0041BFDA |. E8 31D1FEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041BFDF |. 8845 EF MOV BYTE PTR SS:[EBP-11], AL ; 用户名的第一位存储
0041BFE2 |. 6A 01 PUSH 1 ; /Arg1 = 00000001
0041BFE4 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041BFE7 >|. 81C1 B4010000 ADD ECX, 1B4 ; |用户名的地址给ecx
0041BFED |. E8 1ED1FEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041BFF2 |. 8845 F8 MOV BYTE PTR SS:[EBP-8], AL ; 用户名的第二位存储
0041BFF5 |. 6A 00 PUSH 0 ; /Arg1 = 00000000
0041BFF7 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041BFFA |. 81C1 B4010000 ADD ECX, 1B4 ; |
0041C000 |. E8 0BD1FEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C005 |. 8845 FF MOV BYTE PTR SS:[EBP-1], AL ; 用户名的第一位存储
0041C008 |. 6A 01 PUSH 1 ; /Arg1 = 00000001
0041C00A |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C00D |. 81C1 B4010000 ADD ECX, 1B4 ; |
0041C013 |. E8 F8D0FEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C018 |. 8845 FA MOV BYTE PTR SS:[EBP-6], AL ; 用户名的第二位存储
0041C01B |. 0FB645 EF MOVZX EAX, BYTE PTR SS:[EBP-11]
0041C01F |. 83C8 4D OR EAX, 4D ; 字符l的ASCII码与4d进行或运算后为m
0041C022 |. 8845 EF MOV BYTE PTR SS:[EBP-11], AL
0041C025 |. 0FB64D F8 MOVZX ECX, BYTE PTR SS:[EBP-8] ; 字符b的ASCII码与44进行或运算后为f
0041C029 |. 83C9 44 OR ECX, 44
0041C02C |. 884D F8 MOV BYTE PTR SS:[EBP-8], CL
0041C02F |. 0FB655 FF MOVZX EDX, BYTE PTR SS:[EBP-1]
0041C033 |. 83CA 32 OR EDX, 32 ; 字符l的ASCII码与4d进行或运算后为~
0041C036 |. 8855 FF MOV BYTE PTR SS:[EBP-1], DL
0041C039 |. 0FB645 FA MOVZX EAX, BYTE PTR SS:[EBP-6]
0041C03D |. 83C8 4D OR EAX, 4D ; 字符b的ASCII码与44进行或运算后为o
0041C040 |. 8845 FA MOV BYTE PTR SS:[EBP-6], AL
0041C043 |. 0FB645 EF MOVZX EAX, BYTE PTR SS:[EBP-11] ; 字符m
0041C047 |. 99 CDQ
0041C048 |. B9 0A000000 MOV ECX, 0A
0041C04D |. F7F9 IDIV ECX
0041C04F |. 8855 EF MOV BYTE PTR SS:[EBP-11], DL ; TAB
0041C052 |. 0FB645 F8 MOVZX EAX, BYTE PTR SS:[EBP-8]
0041C056 |. 99 CDQ
0041C057 |. B9 0A000000 MOV ECX, 0A
0041C05C |. F7F9 IDIV ECX
0041C05E |. 8855 F8 MOV BYTE PTR SS:[EBP-8], DL
0041C061 |. 0FB645 FF MOVZX EAX, BYTE PTR SS:[EBP-1]
0041C065 |. 99 CDQ
0041C066 |. B9 0A000000 MOV ECX, 0A
0041C06B |. F7F9 IDIV ECX
0041C06D |. 8855 FF MOV BYTE PTR SS:[EBP-1], DL
0041C070 |. 0FB645 FA MOVZX EAX, BYTE PTR SS:[EBP-6]
0041C074 |. 99 CDQ
0041C075 |. B9 0A000000 MOV ECX, 0A
0041C07A |. F7F9 IDIV ECX
0041C07C |. 8855 FA MOV BYTE PTR SS:[EBP-6], DL
0041C07F |. C745 F0 00000>MOV DWORD PTR SS:[EBP-10], 0
0041C086 |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18], 0
0041C08D |. EB 09 JMP SHORT midi2mp3.0041C098
0041C08F |> 8B55 E8 /MOV EDX, DWORD PTR SS:[EBP-18] ; 用户名的各位的ASCII码相加
0041C092 |. 83C2 01 |ADD EDX, 1
0041C095 |. 8955 E8 |MOV DWORD PTR SS:[EBP-18], EDX
0041C098 |> 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
0041C09B |. 81C1 B4010000 |ADD ECX, 1B4
0041C0A1 |. E8 AAD9FEFF |CALL midi2mp3.00409A50
0041C0A6 |. 3945 E8 |CMP DWORD PTR SS:[EBP-18], EAX
0041C0A9 |. 7D 21 |JGE SHORT midi2mp3.0041C0CC
0041C0AB |. 8B45 E8 |MOV EAX, DWORD PTR SS:[EBP-18]
0041C0AE |. 50 |PUSH EAX ; /Arg1
0041C0AF |. 8B4D E0 |MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C0B2 |. 81C1 B4010000 |ADD ECX, 1B4 ; |
0041C0B8 |. E8 53D0FEFF |CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C0BD |. 8845 E7 |MOV BYTE PTR SS:[EBP-19], AL
0041C0C0 |. 0FB64D E7 |MOVZX ECX, BYTE PTR SS:[EBP-19]
0041C0C4 |. 034D F0 |ADD ECX, DWORD PTR SS:[EBP-10]
0041C0C7 |. 894D F0 |MOV DWORD PTR SS:[EBP-10], ECX
0041C0CA |.^ EB C3 \JMP SHORT midi2mp3.0041C08F
0041C0CC |> 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10] ; 结果为729
0041C0CF |. 99 CDQ
0041C0D0 |. B9 0A000000 MOV ECX, 0A
0041C0D5 |. F7F9 IDIV ECX ; eax为整数部分72,edx为余数9
0041C0D7 |. 8855 F4 MOV BYTE PTR SS:[EBP-C], DL
0041C0DA |. 6A 00 PUSH 0 ; /Arg1 = 00000000
0041C0DC |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C0DF |. 81C1 B8010000 ADD ECX, 1B8 ; |注册码的地址
0041C0E5 |. E8 26D0FEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C0EA |. 8845 FC MOV BYTE PTR SS:[EBP-4], AL ; 将注册码的第一位存储
0041C0ED |. 6A 01 PUSH 1 ; /Arg1 = 00000001
0041C0EF |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C0F2 |. 81C1 B8010000 ADD ECX, 1B8 ; |
0041C0F8 |. E8 13D0FEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C0FD |. 8845 FD MOV BYTE PTR SS:[EBP-3], AL ; 将注册码的第二位存储
0041C100 |. 6A 02 PUSH 2 ; /Arg1 = 00000002
0041C102 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C105 |. 81C1 B8010000 ADD ECX, 1B8 ; |
0041C10B |. E8 00D0FEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C110 |. 8845 F6 MOV BYTE PTR SS:[EBP-A], AL ; 将注册码的第三位存储
0041C113 |. 6A 03 PUSH 3 ; /Arg1 = 00000003
0041C115 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C118 |. 81C1 B8010000 ADD ECX, 1B8 ; |
0041C11E |. E8 EDCFFEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C123 |. 8845 F5 MOV BYTE PTR SS:[EBP-B], AL ; 将注册码的第四位存储
0041C126 |. 6A 04 PUSH 4 ; /Arg1 = 00000004
0041C128 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C12B |. 81C1 B8010000 ADD ECX, 1B8 ; |
0041C131 |. E8 DACFFEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C136 |. 8845 F9 MOV BYTE PTR SS:[EBP-7], AL ; 将注册码的第五位存储
0041C139 |. 6A 05 PUSH 5 ; /Arg1 = 00000005
0041C13B |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C13E |. 81C1 B8010000 ADD ECX, 1B8 ; |
0041C144 |. E8 C7CFFEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C149 |. 8845 F7 MOV BYTE PTR SS:[EBP-9], AL ; 将注册码的第六位存储
0041C14C |. 6A 06 PUSH 6 ; /Arg1 = 00000006
0041C14E |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C151 |. 81C1 B8010000 ADD ECX, 1B8 ; |
0041C157 |. E8 B4CFFEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C15C |. 8845 FE MOV BYTE PTR SS:[EBP-2], AL ; 将注册码的第七位存储
0041C15F |. 6A 07 PUSH 7 ; /Arg1 = 00000007
0041C161 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; |
0041C164 |. 81C1 B8010000 ADD ECX, 1B8 ; |
0041C16A |. E8 A1CFFEFF CALL midi2mp3.00409110 ; \midi2mp3.00409110
0041C16F |. 8845 FB MOV BYTE PTR SS:[EBP-5], AL ; 将注册码的第八位存储
0041C172 |. 0FB655 EF MOVZX EDX, BYTE PTR SS:[EBP-11] ; 用户名的第一位或4d后除A的余数
0041C176 |. 0FB645 FC MOVZX EAX, BYTE PTR SS:[EBP-4]
0041C17A |. 83E8 30 SUB EAX, 30 ; 转换第一位字符为数字
0041C17D |. 3BD0 CMP EDX, EAX
0041C17F |. 75 3C JNZ SHORT midi2mp3.0041C1BD
0041C181 |. 0FB64D F8 MOVZX ECX, BYTE PTR SS:[EBP-8] ; 用户名的第二位或44后除A的余数
0041C185 |. 0FB655 FD MOVZX EDX, BYTE PTR SS:[EBP-3]
0041C189 |. 83EA 30 SUB EDX, 30 ; 转换第二位字符为数字
0041C18C |. 3BCA CMP ECX, EDX
0041C18E |. 75 2D JNZ SHORT midi2mp3.0041C1BD
0041C190 |. 0FB645 FF MOVZX EAX, BYTE PTR SS:[EBP-1] ; 用户名的第一位或32后除A的余数
0041C194 |. 0FB64D F6 MOVZX ECX, BYTE PTR SS:[EBP-A]
0041C198 |. 83E9 30 SUB ECX, 30
0041C19B |. 3BC1 CMP EAX, ECX ; 转换第三位字符为数字
0041C19D |. 75 1E JNZ SHORT midi2mp3.0041C1BD
0041C19F |. 0FB655 FA MOVZX EDX, BYTE PTR SS:[EBP-6] ; 用户名的第二位或4d后除A的余数
0041C1A3 |. 0FB645 F5 MOVZX EAX, BYTE PTR SS:[EBP-B]
0041C1A7 |. 83E8 30 SUB EAX, 30
0041C1AA |. 3BD0 CMP EDX, EAX ; 转换第四位字符为数字
0041C1AC |. 75 0F JNZ SHORT midi2mp3.0041C1BD
0041C1AE |. 0FB64D F4 MOVZX ECX, BYTE PTR SS:[EBP-C] ; 用户名的各位的ASCII码的和除A后的余数
0041C1B2 |. 0FB655 F9 MOVZX EDX, BYTE PTR SS:[EBP-7]
0041C1B6 |. 83EA 30 SUB EDX, 30
0041C1B9 |. 3BCA CMP ECX, EDX ; 转换第五位字符为数字,并比较,相等就OK
0041C1BB |. 74 58 JE SHORT midi2mp3.0041C215 ; 相等就注册成功
0041C1BD |> 0FB645 FC MOVZX EAX, BYTE PTR SS:[EBP-4]
0041C1C1 |. 83F8 33 CMP EAX, 33 ; 第一位与33进行比较,不等就over
0041C1C4 |. 0F85 AD000000 JNZ midi2mp3.0041C277
0041C1CA |. 0FB64D FD MOVZX ECX, BYTE PTR SS:[EBP-3]
0041C1CE |. 83F9 33 CMP ECX, 33 ; 第二位与33进行比较,不等就over
0041C1D1 |. 0F85 A0000000 JNZ midi2mp3.0041C277
0041C1D7 |. 0FB655 F6 MOVZX EDX, BYTE PTR SS:[EBP-A]
0041C1DB |. 83FA 33 CMP EDX, 33 ; 第三位与33进行比较,不等就over
0041C1DE |. 0F85 93000000 JNZ midi2mp3.0041C277
0041C1E4 |. 0FB645 F5 MOVZX EAX, BYTE PTR SS:[EBP-B] ; 第四位与36进行比较,不等就over
0041C1E8 |. 83F8 36 CMP EAX, 36
0041C1EB |. 0F85 86000000 JNZ midi2mp3.0041C277
0041C1F1 |. 0FB64D F9 MOVZX ECX, BYTE PTR SS:[EBP-7] ; 第五位与36进行比较,不等就over
0041C1F5 |. 83F9 36 CMP ECX, 36
0041C1F8 |. 75 7D JNZ SHORT midi2mp3.0041C277
0041C1FA |. 0FB655 F7 MOVZX EDX, BYTE PTR SS:[EBP-9] ; 第六位与31进行比较,不等就over
0041C1FE |. 83FA 31 CMP EDX, 31
0041C201 |. 75 74 JNZ SHORT midi2mp3.0041C277
0041C203 |. 0FB645 FE MOVZX EAX, BYTE PTR SS:[EBP-2] ; 第七位与34进行比较,不等就over
0041C207 |. 83F8 34 CMP EAX, 34
0041C20A |. 75 6B JNZ SHORT midi2mp3.0041C277
0041C20C |. 0FB64D FB MOVZX ECX, BYTE PTR SS:[EBP-5] ; 第八位与36进行比较,不等就over
0041C210 |. 83F9 36 CMP ECX, 36
0041C213 |. 75 62 JNZ SHORT midi2mp3.0041C277
0041C215 |> 6A 00 PUSH 0
0041C217 |. 6A 00 PUSH 0
0041C219 |. 68 EC0A4500 PUSH midi2mp3.00450AEC ; ASCII "Registration has succeeded!"
0041C21E |. E8 44600200 CALL midi2mp3.00442267
0041C223 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
0041C226 |. 81C1 B4010000 ADD ECX, 1B4
0041C22C |. E8 DF7EFFFF CALL midi2mp3.00414110
0041C231 |. 50 PUSH EAX
0041C232 |. 68 080B4500 PUSH midi2mp3.00450B08 ; ASCII "username"
0041C237 |. 68 140B4500 PUSH midi2mp3.00450B14 ; ASCII "Option"
0041C23C |. E8 7FC3FEFF CALL midi2mp3.004085C0
0041C241 |. 8BC8 MOV ECX, EAX ; |
0041C243 |. E8 36610200 CALL midi2mp3.0044237E ; \midi2mp3.0044237E
0041C248 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
0041C24B |. 81C1 B8010000 ADD ECX, 1B8
0041C251 |. E8 BA7EFFFF CALL midi2mp3.00414110
0041C256 |. 50 PUSH EAX
0041C257 |. 68 1C0B4500 PUSH midi2mp3.00450B1C ; ASCII "registration_code"
0041C25C |. 68 300B4500 PUSH midi2mp3.00450B30 ; ASCII "Option"
0041C261 |. E8 5AC3FEFF CALL midi2mp3.004085C0
0041C266 |. 8BC8 MOV ECX, EAX ; |
0041C268 |. E8 11610200 CALL midi2mp3.0044237E ; \midi2mp3.0044237E
0041C26D |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
0041C270 |. E8 ABE50100 CALL midi2mp3.0043A820
0041C275 |. EB 0E JMP SHORT midi2mp3.0041C285
0041C277 |> 6A 00 PUSH 0
0041C279 |. 6A 00 PUSH 0
0041C27B |. 68 380B4500 PUSH midi2mp3.00450B38 ; ASCII "Registration failed!"
0041C280 |. E8 E25F0200 CALL midi2mp3.00442267
0041C285 |> 8BE5 MOV ESP, EBP
0041C287 |. 5D POP EBP
0041C288 \. C3 RETN
要求:用户名至少两位
注册码:至少8位
注册码的运算过程是这样的:
第一位为:用户名的ASCII码或4D后除以A(即取其余数)
第二位为:用户名的ASCII码或44后除以A
第三位为:用户名的ASCII码或32后除以A
第四位为:用户名的ASCII码或4D后除以A
第五位为:用户名的ASCII码相加后除以A取其余数
第六七八任意
或者是一个固定的注册码:33366146