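【Article title】: Ease Audio TO RM Converter 3.00 registration analysis
【Author】: fhtingtian
【Software name】: Ease Audio TO RM Converter 3.00
【Download URL】: http://www.newhua.com/soft/76360.htm
【Packer】: none
【Language】: Delphi
【Tools used】: OD
【Software description】: Ease Audio TO RM Converter is an audio converter. It is an easy-to-use tool that converts MP3, MP2, WAV, WMA and OGG audio to the RM (Real Audio) format, and it is fast. It supports batch conversion, converting MP3, MP2, WMA, OGG and WAV to RM directly in batches, among others. Installation is required.
【Author's note】: This is my first cracking write-up; I hope everyone will support it. If there are any mistakes, please point them out.
I have been learning cracking for a short while. I had nothing to do today, so I downloaded a program to try.
After downloading it from Huajun, I checked it with PEiD and found it was not packed, which got me rather excited.
After installing it, I tried registering with arbitrary input and got the error "invalid register code! please retry!". I loaded it in OD, ran the ultra string search, found that string, and landed directly at the code below. I set a breakpoint at 004B7062, entered a registration code, and arrived at the following.
The process is as follows: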
004B7007 |. /7E 1D JLE SHORT Audio_TO.004B7026 ; should jump
004B7009 |. |6A 00 PUSH 0 ; /Arg1 = 00000000
004B700B |. |66:8B0D 10724>MOV CX,WORD PTR DS:[4B7210] ; |
004B7012 |. |B2 02 MOV DL,2 ; |
004B7014 |. |B8 1C724B00 MOV EAX,Audio_TO.004B721C ; |invalid register code! please retry!
004B7019 |. |E8 DAECF7FF CALL Audio_TO.00435CF8 ; \Audio_TO.00435CF8
004B701E |. |8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B7021 |. |E8 D2DDFCFF CALL Audio_TO.00484DF8
004B7026 |> \8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004B7029 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B702C |. 8B80 10030000 MOV EAX,DWORD PTR DS:[EAX+310]
004B7032 |. E8 5916FBFF CALL Audio_TO.00468690
004B7037 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B703A |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B703D |. E8 CA18F5FF CALL Audio_TO.0040890C
004B7042 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004B7045 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B7048 |. E8 F318F5FF CALL Audio_TO.00408940
004B704D |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004B7050 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004B7053 |. E8 98D2F4FF CALL Audio_TO.004042F0
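004B7058 |. BF 15000000 MOV EDI,15 ; number of built-in user names
004B705D |. BE 1CEF4B00 MOV ESI,Audio_TO.004BEF1C
; the following loop compares the entered user name with the built-in user names (21 of them); if none matches, exit
004B7062 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] ; user name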
004B7065 |. 8B16 |MOV EDX,DWORD PTR DS:[ESI]
004B7067 |. E8 F8D5F4FF |CALL Audio_TO.00404664 ; compare user name
004B706C |. 75 04 |JNZ SHORT Audio_TO.004B7072
004B706E |. 33DB |XOR EBX,EBX
004B7070 |. EB 06 |JMP SHORT Audio_TO.004B7078
004B7072 |> 83C6 04 |ADD ESI,4
004B7075 |. 4F |DEC EDI
004B7076 |.^ 75 EA \JNZ SHORT Audio_TO.004B7062
004B7078 |> 84DB TEST BL,BL
004B707A |. 74 1A JE SHORT Audio_TO.004B7096 ;
004B707C |. 6A 00 PUSH 0 ; /Arg1 = 00000000
004B707E |. 66:8B0D 10724>MOV CX,WORD PTR DS:[4B7210] ; |
004B7085 |. B2 02 MOV DL,2 ; |
004B7087 |. B8 1C724B00 MOV EAX,Audio_TO.004B721C ; |invalid register code! please retry!
004B708C |. E8 67ECF7FF CALL Audio_TO.00435CF8 ; \Audio_TO.00435CF8
004B7091 |. E9 30010000 JMP Audio_TO.004B71C6
004B7096 |> 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004B7099 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B709C |. 8B80 14030000 MOV EAX,DWORD PTR DS:[EAX+314]
004B70A2 |. E8 E915FBFF CALL Audio_TO.00468690
004B70A7 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004B70AA |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004B70AD |. E8 5A18F5FF CALL Audio_TO.0040890C
004B70B2 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004B70B5 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B70B8 |. E8 8318F5FF CALL Audio_TO.00408940
004B70BD |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004B70C0 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B70C3 |. E8 28D2F4FF CALL Audio_TO.004042F0
004B70C8 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 ; compare user name with 0; if 0, exit immediately
004B70CC |. 0F84 F4000000 JE Audio_TO.004B71C6 ;
004B70D2 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C],0 ; compare registration code with 0
004B70D6 |. 0F84 EA000000 JE Audio_TO.004B71C6 ;
004B70DC |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B70DF |. E8 34D4F4FF CALL Audio_TO.00404518 ; get the length of the registration code
004B70E4 |. 85C0 TEST EAX,EAX
004B70E6 |. 7E 35 JLE SHORT Audio_TO.004B711D ;
004B70E8 |. BA 01000000 MOV EDX,1
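; the following loop checks the registration code character by character; exit on any non-digit
004B70ED |> 8B4D F4 /MOV ECX,DWORD PTR SS:[EBP-C] ; registration code
004B70F0 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1]
004B70F5 |. 83F9 30 |CMP ECX,30 ; jump out if not a digit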
004B70F8 |. 7C 05 |JL SHORT Audio_TO.004B70FF
004B70FA |. 83F9 39 |CMP ECX,39
004B70FD |. 7E 1A |JLE SHORT Audio_TO.004B7119
004B70FF |> 6A 00 |PUSH 0 ; /Arg1 = 00000000
004B7101 |. 66:8B0D 10724>|MOV CX,WORD PTR DS:[4B7210] ; |
004B7108 |. B2 02 |MOV DL,2 ; |
004B710A |. B8 1C724B00 |MOV EAX,Audio_TO.004B721C ; |invalid register code! please retry!
004B710F |. E8 E4EBF7FF |CALL Audio_TO.00435CF8 ; \Audio_TO.00435CF8
004B7114 |. E9 AD000000 |JMP Audio_TO.004B71C6
004B7119 |> 42 |INC EDX ; operating on character number EDX of the registration code
004B711A |. 48 |DEC EAX ; registration code length
004B711B |.^ 75 D0 \JNZ SHORT Audio_TO.004B70ED
004B711D |> 33DB XOR EBX,EBX
004B711F |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; user name
004B7122 |. E8 F1D3F4FF CALL Audio_TO.00404518
004B7127 |. 85C0 TEST EAX,EAX
004B7129 |. 7E 13 JLE SHORT Audio_TO.004B713E
004B712B |. BF 01000000 MOV EDI,1
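; the following loop adds up the ASCII codes of the characters of the user name and stores the sum in EBX
004B7130 |> 8B55 F8 /MOV EDX,DWORD PTR SS:[EBP-8] ; add each character of the user name into EBX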
004B7133 |. 0FB6543A FF |MOVZX EDX,BYTE PTR DS:[EDX+EDI-1]
004B7138 |. 03DA |ADD EBX,EDX
004B713A |. 47 |INC EDI
004B713B |. 48 |DEC EAX
004B713C |.^ 75 F2 \JNZ SHORT Audio_TO.004B7130
004B713E |> 69C3 7F500000 IMUL EAX,EBX,507F ; multiply the value in EBX by 507F, result in EAX
004B7144 |. 05 53623201 ADD EAX,1326253 ; add 1326253
004B7149 |. D1F8 SAR EAX,1 ; shift right by one bit (divide by 2)
004B714B |. 79 03 JNS SHORT Audio_TO.004B7150
004B714D |. 83D0 00 ADC EAX,0
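004B7150 |> 8BD8 MOV EBX,EAX ; store the result from above in EBX
004B7152 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; the entered registration code
004B7155 |. E8 6E1BF5FF CALL Audio_TO.00408CC8 ; process the registration code; the resulting value goes into EAX; if EAX = EBX, registration succeeds
// processing the registration code really just converts the entered characters to an integer, e.g. the string "78787878" becomes the integer 78787878
; call subroutine 1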
00408CC8 /$ 53 PUSH EBX
00408CC9 |. 56 PUSH ESI
00408CCA |. 83C4 F4 ADD ESP,-0C
00408CCD |. 8BD8 MOV EBX,EAX
00408CCF |. 8BD4 MOV EDX,ESP
00408CD1 |. 8BC3 MOV EAX,EBX
00408CD3 |. E8 0CA1FFFF CALL Audio_TO.00402DE4 ; compute on the entered registration code, result stored in EAX
; call subroutine 2
00402DE4 /$ 53 PUSH EBX ; push registration code onto the stack
00402DE5 |. 56 PUSH ESI
00402DE6 |. 57 PUSH EDI
00402DE7 |. 89C6 MOV ESI,EAX
00402DE9 |. 50 PUSH EAX ; entered registration code
00402DEA |. 85C0 TEST EAX,EAX
00402DEC |. 74 6C JE SHORT Audio_TO.00402E5A
00402DEE |. 31C0 XOR EAX,EAX ; clear EAX and EBX
00402DF0 |. 31DB XOR EBX,EBX
00402DF2 |. BF CCCCCC0C MOV EDI,0CCCCCCC
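00402DF7 |> 8A1E /MOV BL,BYTE PTR DS:[ESI] ; load the first character of the registration code into BL
00402DF9 |. 46 |INC ESI
; the following tests the first character of the registration code; if it is one of the following characters, exit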
00402DFA |. 80FB 20 |CMP BL,20
00402DFD |.^ 74 F8 \JE SHORT Audio_TO.00402DF7
00402DFF |. B5 00 MOV CH,0
00402E01 |. 80FB 2D CMP BL,2D
00402E04 |. 74 62 JE SHORT Audio_TO.00402E68
00402E06 |. 80FB 2B CMP BL,2B
00402E09 |. 74 5F JE SHORT Audio_TO.00402E6A
00402E0B |> 80FB 24 CMP BL,24
00402E0E |. 74 5F JE SHORT Audio_TO.00402E6F
00402E10 |. 80FB 78 CMP BL,78
00402E13 |. 74 5A JE SHORT Audio_TO.00402E6F
00402E15 |. 80FB 58 CMP BL,58
00402E18 |. 74 55 JE SHORT Audio_TO.00402E6F
00402E1A |. 80FB 30 CMP BL,30
00402E1D |. 75 13 JNZ SHORT Audio_TO.00402E32
00402E1F |. 8A1E MOV BL,BYTE PTR DS:[ESI]
00402E21 |. 46 INC ESI
00402E22 |. 80FB 78 CMP BL,78
00402E25 |. 74 48 JE SHORT Audio_TO.00402E6F
00402E27 |. 80FB 58 CMP BL,58
00402E2A |. 74 43 JE SHORT Audio_TO.00402E6F
00402E2C |. 84DB TEST BL,BL
00402E2E |. 74 20 JE SHORT Audio_TO.00402E50
00402E30 |. EB 04 JMP SHORT Audio_TO.00402E36
00402E32 |> 84DB TEST BL,BL
00402E34 |. 74 2D JE SHORT Audio_TO.00402E63
; the following computes on the registration code
00402E36 |> 80EB 30 /SUB BL,30
00402E39 |. 80FB 09 |CMP BL,9
00402E3C |. 77 25 |JA SHORT Audio_TO.00402E63 ; is the digit value no greater than 9?
00402E3E |. 39F8 |CMP EAX,EDI ; if EAX is greater than EDI, exit
00402E40 |. 77 21 |JA SHORT Audio_TO.00402E63
00402E42 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; multiply the value in EAX by 5
00402E45 |. 01C0 |ADD EAX,EAX ; then multiply by 2
00402E47 |. 01D8 |ADD EAX,EBX ; add the value in EBX, i.e. the next digit of the registration code
00402E49 |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
00402E4B |. 46 |INC ESI
00402E4C |. 84DB |TEST BL,BL ;
00402E4E |.^ 75 E6 \JNZ SHORT Audio_TO.00402E36
00402E50 |> FECD DEC CH
00402E52 |. 74 09 JE SHORT Audio_TO.00402E5D
00402E54 |. 85C0 TEST EAX,EAX
00402E56 |. 7D 54 JGE SHORT Audio_TO.00402EAC
00402E58 |. EB 09 JMP SHORT Audio_TO.00402E63
00402E5A |> 46 INC ESI
00402E5B |. EB 06 JMP SHORT Audio_TO.00402E63
00402E5D |> F7D8 NEG EAX
00402E5F |. 7E 4B JLE SHORT Audio_TO.00402EAC
00402E61 |. 78 49 JS SHORT Audio_TO.00402EAC
00402E63 |> 5B POP EBX ; Default case of switch 00402E83
00402E64 |. 29DE SUB ESI,EBX ;
00402E66 |. EB 47 JMP SHORT Audio_TO.00402EAF
00402E68 |> FEC5 INC CH
00402E6A |> 8A1E MOV BL,BYTE PTR DS:[ESI]
00402E6C |. 46 INC ESI
00402E6D |.^ EB 9C JMP SHORT Audio_TO.00402E0B
00402E6F |> BF FFFFFF0F MOV EDI,0FFFFFFF
00402E74 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
00402E76 |. 46 INC ESI
00402E77 |. 84DB TEST BL,BL
00402E79 |.^ 74 DF JE SHORT Audio_TO.00402E5A
00402E7B |> 80FB 61 /CMP BL,61
00402E7E |. 72 03 |JB SHORT Audio_TO.00402E83
00402E80 |. 80EB 20 |SUB BL,20
00402E83 |> 80EB 30 |SUB BL,30 ; Switch (cases 30..46)
00402E86 |. 80FB 09 |CMP BL,9
00402E89 |. 76 0B |JBE SHORT Audio_TO.00402E96
00402E8B |. 80EB 11 |SUB BL,11
00402E8E |. 80FB 05 |CMP BL,5
00402E91 |.^ 77 D0 |JA SHORT Audio_TO.00402E63
00402E93 |. 80C3 0A |ADD BL,0A ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 00402E83
00402E96 |> 39F8 |CMP EAX,EDI ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 00402E83
00402E98 |.^ 77 C9 |JA SHORT Audio_TO.00402E63
00402E9A |. C1E0 04 |SHL EAX,4
00402E9D |. 01D8 |ADD EAX,EBX
00402E9F |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
00402EA1 |. 46 |INC ESI
00402EA2 |. 84DB |TEST BL,BL
00402EA4 |.^ 75 D5 \JNZ SHORT Audio_TO.00402E7B
00402EA6 |. FECD DEC CH
00402EA8 |. 75 02 JNZ SHORT Audio_TO.00402EAC
00402EAA |. F7D8 NEG EAX
00402EAC |> 59 POP ECX
00402EAD |. 31F6 XOR ESI,ESI
00402EAF |> 8932 MOV DWORD PTR DS:[EDX],ESI
00402EB1 |. 5F POP EDI
00402EB2 |. 5E POP ESI
00402EB3 |. 5B POP EBX
00402EB4 \. C3 RETN
00408CD8 |. 8BF0 MOV ESI,EAX
00408CDA |. 833C24 00 CMP DWORD PTR SS:[ESP],0 ; registration code length is non-zero
00408CDE |. 74 19 JE SHORT Audio_TO.00408CF9 ; must jump here
00408CE0 |. 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX
00408CE4 |. C64424 08 0B MOV BYTE PTR SS:[ESP+8],0B
00408CE9 |. 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4] ;
00408CED |. A1 DCF14B00 MOV EAX,DWORD PTR DS:[4BF1DC]
00408CF2 |. 33C9 XOR ECX,ECX
00408CF4 |. E8 CBF8FFFF CALL Audio_TO.004085C4
00408CF9 |> 8BC6 MOV EAX,ESI
00408CFB |. 83C4 0C ADD ESP,0C
00408CFE |. 5E POP ESI
00408CFF |. 5B POP EBX
00408D00 \. C3 RETN
Return to the main routine
004B715A |. 3BD8 CMP EBX,EAX
004B715C |. 75 53 JNZ SHORT Audio_TO.004B71B1 ; patch point
004B715E |. 6A 00 PUSH 0 ; /Arg1 = 00000000
004B7160 |. 66:8B0D 10724>MOV CX,WORD PTR DS:[4B7210] ; |
004B7167 |. B2 02 MOV DL,2 ; |
004B7169 |. B8 4C724B00 MOV EAX,Audio_TO.004B724C ; |congratuation! you have successfully registered!
004B716E |. E8 85EBF7FF CALL Audio_TO.00435CF8 ; \Audio_TO.00435CF8
004B7173 |. A1 B0F24B00 MOV EAX,DWORD PTR DS:[4BF2B0]
004B7178 |. C600 01 MOV BYTE PTR DS:[EAX],1
004B717B |. A1 C4F34B00 MOV EAX,DWORD PTR DS:[4BF3C4]
004B7180 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B7182 |. 33C9 XOR ECX,ECX
004B7184 |. BA 04000000 MOV EDX,4
004B7189 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
004B718B |. FF53 14 CALL DWORD PTR DS:[EBX+14]
004B718E |. 8B15 B0F24B00 MOV EDX,DWORD PTR DS:[4BF2B0] ; Audio_TO.004C11D4
004B7194 |. A1 C4F34B00 MOV EAX,DWORD PTR DS:[4BF3C4]
004B7199 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B719B |. B9 01000000 MOV ECX,1
004B71A0 |. E8 B77CF6FF CALL Audio_TO.0041EE5C
004B71A5 |. A1 F80D4C00 MOV EAX,DWORD PTR DS:[4C0DF8]
004B71AA |. E8 49DCFCFF CALL Audio_TO.00484DF8
004B71AF |. EB 15 JMP SHORT Audio_TO.004B71C6
004B71B1 |> 6A 00 PUSH 0 ; /Arg1 = 00000000
004B71B3 |. 66:8B0D 10724>MOV CX,WORD PTR DS:[4B7210] ; |
004B71BA |. B2 02 MOV DL,2 ; |
004B71BC |. B8 1C724B00 MOV EAX,Audio_TO.004B721C ; |invalid register code! please retry!
004B71C1 |. E8 32EBF7FF CALL Audio_TO.00435CF8 ; \Audio_TO.00435CF8
004B71C6 |> 33C0 XOR EAX,EAX
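The registration process of this software is very simple: you only need to find the built-in user names, and there is no complicated algorithm. I just wanted to give it a try, so experts, please don't look down on me. Because the user names are built in, there is no way to write a keygen. One registration code is as follows:
User name: VS8x8T6-Vsw6 Registration code: 19910346
- Title: Ease Audio TO RM Converter 3.00 registration analysis
- Author: fhtingtian
- Time: 2008-11-05 20:39
- Link: http://bbs.pediy.com/showthread.php?t=76119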
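
Added example (not part of the original post): a C model of the string-to-integer routine at 00402DE4 that the listing steps through, covering the decimal loop, the sign and hex-prefix branches, and the 0CCCCCCC / 0FFFFFFF overflow guards. The name val_long and the code out-parameter are assumptions chosen here; the behaviour is read off the disassembly above.

```c
#include <stdint.h>

/* Added example: C model of the string-to-integer routine at 00402DE4.
 * val_long is a hypothetical name. *code is 0 on success, otherwise the
 * 1-based position at which parsing stopped (the value stored via [EDX]). */
int32_t val_long(const char *s, int *code)
{
    const unsigned char *p = (const unsigned char *)s;
    uint32_t acc = 0, d;
    unsigned c;
    int neg = 0;                                  /* CH in the listing */

    if (!s) { *code = 1; return 0; }
    do { c = *p++; } while (c == ' ');            /* skip leading blanks */
    if (c == '-') { neg = 1; c = *p++; }
    else if (c == '+') { c = *p++; }

    if (c == '$' || c == 'x' || c == 'X' ||
        (c == '0' && (*p == 'x' || *p == 'X') && p++ != 0)) {
        /* hex path at 00402E6F: overflow guard is 0FFFFFFF */
        if ((c = *p++) == 0) { p++; goto fail; }  /* prefix with no digits */
        do {
            if (c >= 'a') c -= 0x20;              /* fold to upper case */
            d = (c - '0') & 0xFF;
            if (d > 9) {                          /* expect 'A'..'F' */
                d = (d - 0x11) & 0xFF;
                if (d > 5) goto fail;
                d += 10;
            }
            if (acc > 0x0FFFFFFFu) goto fail;
            acc = (acc << 4) + d;
        } while ((c = *p++) != 0);
        if (neg) acc = 0u - acc;
        *code = 0; return (int32_t)acc;
    }
    if (c == 0) goto fail;                        /* nothing to parse */
    do {                                          /* decimal loop at 00402E36 */
        d = (c - '0') & 0xFF;
        if (d > 9 || acc > 0x0CCCCCCCu) goto fail;
        acc = acc * 10 + d;                       /* LEA x5, ADD x2, ADD digit */
    } while ((c = *p++) != 0);
    if (neg) { acc = 0u - acc; if ((int32_t)acc > 0) goto fail; }
    else if ((int32_t)acc < 0) goto fail;         /* wrapped past 2^31-1 */
    *code = 0; return (int32_t)acc;
fail:
    *code = (int)(p - (const unsigned char *)s);
    return (int32_t)acc;
}
```

A non-zero code is what the caller at 00408CDA tests before branching to 004085C4, so only inputs that parse cleanly reach the final CMP EBX,EAX.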