HiFi MP3 WMA Converter 3.00 Algorithm Analysis
[ Title ] HiFi MP3 WMA Converter 3.00 Algorithm Analysis
[ Author ] 絕戀de煩神
[ Author e-mail ] [email protected]
[ Author homepage ] http://hi.baidu.com/天蝎型男
[ Tools ] PEiD, OllyDBG
[ Platform ] WinXP SP2
[ Software ] HiFi MP3 WMA Converter 3.00
[ Size ] 2481KB
[ Original download ] http://www.newhua.com/soft/25824.htm
[ Protection ] user name + registration code
[ Software description ] A simple, practical MP3/WMA conversion tool. During conversion you can resample and choose the audio bit rate and frequency; both VBR and CBR are supported. If you have a lot of music to convert, its batch conversion feature fits the job.
[ Cracking statement ] I am just a newbie doing this out of interest; if there are mistakes, I ask the veterans to point them out.
-----------------------------------------------------
[ Cracking process ]
-----------------------------------------
First, run the program and try a fake registration. An error message appears: Invalid register code! Please retry!
Next, check for a packer with PEiD: the program is not packed, it is Borland Delphi 6.0 - 7.0. Lucky. Hehe
Finally our protagonist takes the stage. Hehe. Load it in OD for analysis: first search for the error string - Invalid register code! Please retry! It is found in 4 places. Double-click the topmost one and you land in the code section below. Set a breakpoint with F2 at the start of the section, run with F9, do a fake registration, and it stops here; from there the analysis continues.
00495918|.55 PUSH EBP ;F2 breakpoint here, F9 to run
00495919|.68 2B5B4900 PUSH HiFi_MP3.00495B2B
0049591E|.64:FF30 PUSH DWORD PTR FS:
00495921|.64:8920 MOV DWORD PTR FS:,ESP
00495924|.B3 01 MOV BL,1
00495926|.FF05 8CCD4A00 INC DWORD PTR DS:
0049592C|.833D 8CCD4A00>CMP DWORD PTR DS:,3
00495933|.7E 1D JLE SHORT HiFi_MP3.00495952
00495935|.6A 00 PUSH 0 ; /Arg1 = 00000000
00495937|.66:8B0D 3C5B4>MOV CX,WORD PTR DS: ; |
0049593E|.B2 02 MOV DL,2 ; |
00495940|.B8 485B4900 MOV EAX,HiFi_MP3.00495B48 ; |Invalid register code! Please retry!
00495945|.E8 0AF6F9FF CALL HiFi_MP3.00434F54 ; \HiFi_MP3.00434F54
0049594A|.8B45 FC MOV EAX,DWORD PTR SS:
0049594D|.E8 BA79FEFF CALL HiFi_MP3.0047D30C
00495952|>8D55 F0 LEA EDX,DWORD PTR SS:
00495955|.8B45 FC MOV EAX,DWORD PTR SS:
00495958|.8B80 10030000 MOV EAX,DWORD PTR DS:
0049595E|.E8 41B2FCFF CALL HiFi_MP3.00460BA4 ;get user name length
00495963|.8B45 F0 MOV EAX,DWORD PTR SS: ;user name -> EAX
00495966|.8D55 F8 LEA EDX,DWORD PTR SS:
00495969|.E8 DE2EF7FF CALL HiFi_MP3.0040884C
0049596E|.8D55 EC LEA EDX,DWORD PTR SS:
00495971|.8B45 F8 MOV EAX,DWORD PTR SS: ;user name -> EAX
00495974|.E8 072FF7FF CALL HiFi_MP3.00408880
00495979|.8B55 EC MOV EDX,DWORD PTR SS: ;user name -> EDX
0049597C|.8D45 F8 LEA EAX,DWORD PTR SS:
0049597F|.E8 04E9F6FF CALL HiFi_MP3.00404288
00495984|.BF 15000000 MOV EDI,15 ;--------------------------
00495989|.BE C8A74A00 MOV ESI,HiFi_MP3.004AA7C8 ;TDVDS6-MBN3
0049598E|>8B45 F8 /MOV EAX,DWORD PTR SS: ;user name -> EAX
00495991|.8B16 |MOV EDX,DWORD PTR DS: ;fixed user name -> EDX
00495993|.E8 64ECF6FF |CALL HiFi_MP3.004045FC ;real and entered user names are compared here
00495998|.75 04 |JNZ SHORT HiFi_MP3.0049599E ;jump if not equal
0049599A|.33DB |XOR EBX,EBX ;clear EBX
0049599C|.EB 06 |JMP SHORT HiFi_MP3.004959A4
0049599E|>83C6 04 |ADD ESI,4 ;ESI+4
004959A1|.4F |DEC EDI ;EDI-1
004959A2|.^ 75 EA \JNZ SHORT HiFi_MP3.0049598E ;--------compare loop---------
004959A4|>84DB TEST BL,BL
004959A6 74 1A JE SHORT HiFi_MP3.004959C2
004959A8|.6A 00 PUSH 0 ; /Arg1 = 00000000
004959AA|.66:8B0D 3C5B4>MOV CX,WORD PTR DS: ; |
004959B1|.B2 02 MOV DL,2 ; |
004959B3|.B8 485B4900 MOV EAX,HiFi_MP3.00495B48 ; |Invalid register code! Please retry!
004959B8|.E8 97F5F9FF CALL HiFi_MP3.00434F54 ; \HiFi_MP3.00434F54
004959BD|.E9 2E010000 JMP HiFi_MP3.00495AF0
004959C2|>8D55 E8 LEA EDX,DWORD PTR SS:
004959C5|.8B45 FC MOV EAX,DWORD PTR SS:
004959C8|.8B80 14030000 MOV EAX,DWORD PTR DS:
004959CE|.E8 D1B1FCFF CALL HiFi_MP3.00460BA4 ;get fake code length
004959D3|.8B45 E8 MOV EAX,DWORD PTR SS: ;fake code -> EAX
004959D6|.8D55 F4 LEA EDX,DWORD PTR SS:
004959D9|.E8 6E2EF7FF CALL HiFi_MP3.0040884C
004959DE|.8D55 E4 LEA EDX,DWORD PTR SS:
004959E1|.8B45 F4 MOV EAX,DWORD PTR SS: ;fake code -> EAX
004959E4|.E8 972EF7FF CALL HiFi_MP3.00408880
004959E9|.8B55 E4 MOV EDX,DWORD PTR SS: ;fake code -> EDX
004959EC|.8D45 F4 LEA EAX,DWORD PTR SS:
004959EF|.E8 94E8F6FF CALL HiFi_MP3.00404288
004959F4|.837D F8 00 CMP DWORD PTR SS:,0 ;compare user name with 0
004959F8|.0F84 F2000000 JE HiFi_MP3.00495AF0
004959FE|.837D F4 00 CMP DWORD PTR SS:,0 ;compare fake code with 0
00495A02|.0F84 E8000000 JE HiFi_MP3.00495AF0
00495A08|.8B45 F4 MOV EAX,DWORD PTR SS: ;fake code -> EAX
00495A0B|.E8 A0EAF6FF CALL HiFi_MP3.004044B0 ;get fake code length
00495A10|.85C0 TEST EAX,EAX ;check whether a registration code was entered
00495A12|.7E 35 JLE SHORT HiFi_MP3.00495A49 ;jump if nothing was entered
00495A14|.BA 01000000 MOV EDX,1 ;EDX=1
00495A19|>8B4D F4 /MOV ECX,DWORD PTR SS: ;fake code -> ECX
00495A1C|.0FB64C11 FF |MOVZX ECX,BYTE PTR DS: ;take the ASCII value of each fake-code character into ECX
00495A21|.83F9 30 |CMP ECX,30 ;compare with hex 30
00495A24|.7C 05 |JL SHORT HiFi_MP3.00495A2B ;jump if less
00495A26|.83F9 39 |CMP ECX,39 ;compare with hex 39
00495A29|.7E 1A |JLE SHORT HiFi_MP3.00495A45 ;jump if less than or equal
00495A2B|>6A 00 |PUSH 0 ; /Arg1 = 00000000
00495A2D|.66:8B0D 3C5B4>|MOV CX,WORD PTR DS: ; |
00495A34|.B2 02 |MOV DL,2 ; |
00495A36|.B8 485B4900 |MOV EAX,HiFi_MP3.00495B48 ; |Invalid register code! Please retry!
00495A3B|.E8 14F5F9FF |CALL HiFi_MP3.00434F54 ; \HiFi_MP3.00434F54
00495A40|.E9 AB000000 |JMP HiFi_MP3.00495AF0
00495A45|>42 |INC EDX ;EDX+1
00495A46|.48 |DEC EAX ;EAX-1
00495A47|.^ 75 D0 \JNZ SHORT HiFi_MP3.00495A19 ;loop: verify the registration code is purely numeric
00495A49|>33DB XOR EBX,EBX ;clear EBX
00495A4B|.8B45 F8 MOV EAX,DWORD PTR SS: ;user name -> EAX
00495A4E|.E8 5DEAF6FF CALL HiFi_MP3.004044B0 ;get user name length
00495A53|.85C0 TEST EAX,EAX ;check whether a user name was entered
00495A55|.7E 13 JLE SHORT HiFi_MP3.00495A6A ;jump if nothing was entered
00495A57|.BF 01000000 MOV EDI,1 ;EDI=1
00495A5C|>8B55 F8 /MOV EDX,DWORD PTR SS: ;user name -> EDX
00495A5F|.0FB6543A FF |MOVZX EDX,BYTE PTR DS: ;take the ASCII value of each user-name character into EDX
00495A64|.03DA |ADD EBX,EDX ;EBX=EBX+EDX
00495A66|.47 |INC EDI ;EDI+1
00495A67|.48 |DEC EAX ;EAX-1
00495A68|.^ 75 F2 \JNZ SHORT HiFi_MP3.00495A5C ;loop: accumulate the ASCII values of the user name
00495A6A|>69C3 F38B0B00 IMUL EAX,EBX,0B8BF3 ;multiply EBX by the constant 0B8BF3, result in EAX
00495A70|.83C0 57 ADD EAX,57 ;EAX+57
00495A73|.D1F8 SAR EAX,1 ;arithmetic shift EAX right by one
00495A75|.79 03 JNS SHORT HiFi_MP3.00495A7A ;jump if the sign bit is 0
00495A77|.83D0 00 ADC EAX,0
00495A7A|>8BD8 MOV EBX,EAX ;result after the shift -> EBX
00495A7C|.8B45 F4 MOV EAX,DWORD PTR SS: ;fake code -> EAX
00495A7F|.E8 8431F7FF CALL HiFi_MP3.00408C08 ;key CALL, F7 to step into
00495A84|.3BD8 CMP EBX,EAX ;compare EBX with EAX
00495A86|.75 53 JNZ SHORT HiFi_MP3.00495ADB ;not equal means GAME OVER!
00495A88|.6A 00 PUSH 0 ; /Arg1 = 00000000
00495A8A|.66:8B0D 3C5B4>MOV CX,WORD PTR DS: ; |
00495A91|.B2 02 MOV DL,2 ; |
00495A93|.B8 785B4900 MOV EAX,HiFi_MP3.00495B78 ; |Congratuation! You have successfully registered!
00495A98|.E8 B7F4F9FF CALL HiFi_MP3.00434F54 ; \HiFi_MP3.00434F54
00495A9D|.A1 24AE4A00 MOV EAX,DWORD PTR DS:
00495AA2|.C600 01 MOV BYTE PTR DS:,1
00495AA5|.A1 30AF4A00 MOV EAX,DWORD PTR DS:
00495AAA|.8B00 MOV EAX,DWORD PTR DS:
00495AAC|.33C9 XOR ECX,ECX
00495AAE|.BA 04000000 MOV EDX,4
00495AB3|.8B18 MOV EBX,DWORD PTR DS:
00495AB5|.FF53 14 CALL DWORD PTR DS:
00495AB8|.8B15 24AE4A00 MOV EDX,DWORD PTR DS: ;HiFi_MP3.004ACDFB
00495ABE|.A1 30AF4A00 MOV EAX,DWORD PTR DS:
00495AC3|.8B00 MOV EAX,DWORD PTR DS:
00495AC5|.B9 01000000 MOV ECX,1
00495ACA|.E8 1591F8FF CALL HiFi_MP3.0041EBE4
00495ACF|.A1 88CD4A00 MOV EAX,DWORD PTR DS:
00495AD4|.E8 3378FEFF CALL HiFi_MP3.0047D30C
00495AD9|.EB 15 JMP SHORT HiFi_MP3.00495AF0
00495ADB|>6A 00 PUSH 0 ; /Arg1 = 00000000
00495ADD|.66:8B0D 3C5B4>MOV CX,WORD PTR DS: ; |
00495AE4|.B2 02 MOV DL,2 ; |
00495AE6|.B8 485B4900 MOV EAX,HiFi_MP3.00495B48 ; |Invalid register code! Please retry!
00495AEB|.E8 64F4F9FF CALL HiFi_MP3.00434F54 ; \HiFi_MP3.00434F54
00495AF0|>33C0 XOR EAX,EAX
00495AF2|.5A POP EDX
00495AF3|.59 POP ECX
00495AF4|.59 POP ECX
00495AF5|.64:8910 MOV DWORD PTR FS:,EDX
00495AF8|.68 325B4900 PUSH HiFi_MP3.00495B32
00495AFD|>8D45 E4 LEA EAX,DWORD PTR SS:
00495B00|.E8 EBE6F6FF CALL HiFi_MP3.004041F0
00495B05|.8D45 E8 LEA EAX,DWORD PTR SS:
00495B08|.E8 E3E6F6FF CALL HiFi_MP3.004041F0
00495B0D|.8D45 EC LEA EAX,DWORD PTR SS:
00495B10|.E8 DBE6F6FF CALL HiFi_MP3.004041F0
00495B15|.8D45 F0 LEA EAX,DWORD PTR SS:
00495B18|.E8 D3E6F6FF CALL HiFi_MP3.004041F0
00495B1D|.8D45 F4 LEA EAX,DWORD PTR SS:
00495B20|.BA 02000000 MOV EDX,2
00495B25|.E8 EAE6F6FF CALL HiFi_MP3.00404214
00495B2A\.C3 RETN
Stepping into the first key CALL brings us here:
00408C08/$53 PUSH EBX ;push EBX
00408C09|.56 PUSH ESI ;push ESI
00408C0A|.83C4 F4 ADD ESP,-0C ;ESP-0C
00408C0D|.8BD8 MOV EBX,EAX ;fake code -> EBX
00408C0F|.8BD4 MOV EDX,ESP ;EDX=ESP
00408C11|.8BC3 MOV EAX,EBX ;fake code -> EAX
00408C13|.E8 BCA1FFFF CALL HiFi_MP3.00402DD4 ;key CALL, F7 to step into
00408C18|.8BF0 MOV ESI,EAX ;EAX -> ESI
00408C1A|.833C24 00 CMP DWORD PTR SS:,0 ;this is 0 at this point
00408C1E|.74 19 JE SHORT HiFi_MP3.00408C39 ;jump if equal
00408C20|.895C24 04 MOV DWORD PTR SS:,EBX
00408C24|.C64424 08 0B MOV BYTE PTR SS:,0B
00408C29|.8D5424 04 LEA EDX,DWORD PTR SS:
00408C2D|.A1 4CAD4A00 MOV EAX,DWORD PTR DS:
00408C32|.33C9 XOR ECX,ECX
00408C34|.E8 CBF8FFFF CALL HiFi_MP3.00408504
00408C39|>8BC6 MOV EAX,ESI ;ESI -> EAX
00408C3B|.83C4 0C ADD ESP,0C ;ESP+0C
00408C3E|.5E POP ESI ;pop ESI
00408C3F|.5B POP EBX ;pop EBX
00408C40\.C3 RETN
Stepping into the second key CALL brings us here:
00402DD4/$53 PUSH EBX
00402DD5|.56 PUSH ESI
00402DD6|.57 PUSH EDI
00402DD7|.89C6 MOV ESI,EAX ;fake code -> ESI
00402DD9|.50 PUSH EAX ;push fake code
00402DDA|.85C0 TEST EAX,EAX ;check whether EAX is 0
00402DDC|.74 6C JE SHORT HiFi_MP3.00402E4A ;jump if EAX=0
00402DDE|.31C0 XOR EAX,EAX ;clear EAX
00402DE0|.31DB XOR EBX,EBX ;clear EBX
00402DE2|.BF CCCCCC0C MOV EDI,0CCCCCCC ;constant 0CCCCCCC -> EDI
00402DE7|>8A1E /MOV BL,BYTE PTR DS: ;ASCII value of the first fake-code character -> BL
00402DE9|.46 |INC ESI ;ESI+1
00402DEA|.80FB 20 |CMP BL,20 ;compare BL with 20
00402DED|.^ 74 F8 \JE SHORT HiFi_MP3.00402DE7 ;jump if equal
00402DEF|.B5 00 MOV CH,0 ;CH=0
00402DF1|.80FB 2D CMP BL,2D ;compare BL with 2D
00402DF4|.74 62 JE SHORT HiFi_MP3.00402E58 ;jump if equal
00402DF6|.80FB 2B CMP BL,2B ;compare BL with 2B
00402DF9|.74 5F JE SHORT HiFi_MP3.00402E5A ;jump if equal
00402DFB|>80FB 24 CMP BL,24 ;compare BL with 24
00402DFE|.74 5F JE SHORT HiFi_MP3.00402E5F ;jump if equal
00402E00|.80FB 78 CMP BL,78 ;compare BL with 78
00402E03|.74 5A JE SHORT HiFi_MP3.00402E5F ;jump if equal
00402E05|.80FB 58 CMP BL,58 ;compare BL with 58
00402E08|.74 55 JE SHORT HiFi_MP3.00402E5F ;jump if equal
00402E0A|.80FB 30 CMP BL,30 ;compare BL with 30
00402E0D|.75 13 JNZ SHORT HiFi_MP3.00402E22 ;jump if not equal
00402E0F|.8A1E MOV BL,BYTE PTR DS:
00402E11|.46 INC ESI
00402E12|.80FB 78 CMP BL,78
00402E15|.74 48 JE SHORT HiFi_MP3.00402E5F
00402E17|.80FB 58 CMP BL,58
00402E1A|.74 43 JE SHORT HiFi_MP3.00402E5F
00402E1C|.84DB TEST BL,BL
00402E1E|.74 20 JE SHORT HiFi_MP3.00402E40
00402E20|.EB 04 JMP SHORT HiFi_MP3.00402E26
00402E22|>84DB TEST BL,BL ;is BL 0?
00402E24|.74 2D JE SHORT HiFi_MP3.00402E53 ;jump if BL=0
00402E26|>80EB 30 /SUB BL,30 ;BL-30
00402E29|.80FB 09 |CMP BL,9 ;compare the result with 9
00402E2C|.77 25 |JA SHORT HiFi_MP3.00402E53 ;jump if above
00402E2E|.39F8 |CMP EAX,EDI ;compare EAX with EDI
00402E30|.77 21 |JA SHORT HiFi_MP3.00402E53 ;jump if above
00402E32|.8D0480 |LEA EAX,DWORD PTR DS: ;EAX=EAX+(EAX*4)
00402E35|.01C0 |ADD EAX,EAX ;EAX=EAX+EAX (i.e. EAX*2)
00402E37|.01D8 |ADD EAX,EBX ;EAX=EAX+EBX
00402E39|.8A1E |MOV BL,BYTE PTR DS: ;ASCII value of the next fake-code character -> BL
00402E3B|.46 |INC ESI ;ESI+1
00402E3C|.84DB |TEST BL,BL ;is BL 0?
00402E3E|.^ 75 E6 \JNZ SHORT HiFi_MP3.00402E26 ;jump if not 0: loop computing
00402E40|>FECD DEC CH ;CH-1
00402E42|.74 09 JE SHORT HiFi_MP3.00402E4D
00402E44|.85C0 TEST EAX,EAX
00402E46|.7D 54 JGE SHORT HiFi_MP3.00402E9C ;this jump is taken, ending the computation
[ Cracking summary ]
-----------------------------------------
The registration code is computed from the user name alone; the code you type in does not feed into it. Stepping into the two CALLs was only to look at how the computation works and is not really important, because the real code has already been computed before the key CALL is reached. Hehe.
Algorithm summary:
1. Accumulate the ASCII values of the user name
2. IMUL (multiply) the sum by 0B8BF3
3. Add 57 to the result
4. SAR the result by 1
5. Convert the result to decimal: that is the real code.
-----------------------------------------------------
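As an added example (not the program's own code), a Python model of the handler at 00495918 and the StrToInt helper it calls, so the reading of the disassembly can be checked against real inputs; it also makes the design weakness explicit: the code is a public function of the name with no secret in it. Assumptions: the name table has 0x15 = 21 entries but only TDVDS6-MBN3 is visible on the page, so the set below is incomplete, and because the tail of the helper past TEST EAX,EAX is not shown, a parsed value outside the signed 32-bit range is treated as rejected.

```python
# Model of the registration check traced above; constants come from the listing.
# The fixed-name table at 004AA7C8 has 0x15 = 21 entries; only the first is on
# the page, so this set is knowingly incomplete.
KNOWN_NAMES = {"TDVDS6-MBN3"}
MULTIPLIER, ADDEND = 0xB8BF3, 0x57
VAL_GUARD = 0x0CCCCCCC  # EDI in the decimal loop at 00402E26 (CMP EAX,EDI / JA error)


def to_int32(v: int) -> int:
    """Truncate to a signed 32-bit value, as IMUL and ADD do in the binary."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def expected_code(name: str) -> int:
    """Steps 1-5 of the summary: sum bytes, *0xB8BF3, +0x57, SAR 1 (round toward zero)."""
    total = sum(name.encode("latin-1"))  # loop at 00495A5C
    v = to_int32(to_int32(total * MULTIPLIER) + ADDEND)
    # SAR 1 / JNS / ADC EAX,0 is Delphi's 'div 2': odd negatives round toward zero
    return -((-v) >> 1) if v < 0 else v >> 1


def parse_decimal(code: str):
    """Decimal branch of the helper at 00402DD4 with its overflow guard.
    Returns None where the original raises a conversion error."""
    acc = 0
    for ch in code:
        d = ord(ch) - 0x30
        if not 0 <= d <= 9 or acc > VAL_GUARD:
            return None
        acc = acc * 10 + d
    # Assumption: the unseen tail rejects results that do not fit a signed int32.
    return acc if acc <= 0x7FFFFFFF else None


def check_registration(name: str, code: str) -> bool:
    """Mirror of the handler at 00495918: fixed name, digit-only code, compare."""
    if name not in KNOWN_NAMES:  # loop at 0049598E over the 21-entry name table
        return False
    if not name or not code:  # CMP ...,0 at 004959F4 and 004959FE
        return False
    if not all("0" <= c <= "9" for c in code):  # digit scan at 00495A19
        return False
    parsed = parse_decimal(code)
    return parsed is not None and parsed == expected_code(name)
```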
[ Copyright ] Copyright: 絕戀de煩神. Please do not repost without my permission. Hehe
-----------------------------------------------------
Some encouragement.
You could write a keygen.
Nice, supporting this~~
Quoting tianxj, posted 2008-5-2 21:30:
You could write a keygen.
Sure. But I can't program; still learning. Hehe. And this software's user names are fixed (if I remember right there are about ten fixed user names). If you want to register with your own name you have to apply a patch.
Thanks to the OP for sharing~~~~