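Ease MP3 Recorder 1.50 Algorithm Analysis
【Title】Ease MP3 Recorder 1.50 Algorithm Analysis
【Author】tianxj
【Author e-mail】[email protected]
【Author homepage】WwW.ChiNaPYG.CoM
【Tools】PEiD, OD
【Platform】Windows XP
【Software name】Ease MP3 Recorder 1.50
【Software size】4292KB
【Software category】Foreign software / audio processing
【Software licence】Shareware
【Software language】English
【Runtime environment】Win9x/Me/NT/2000/XP/2003
【Updated】2007-9-28
【Original download】http://www.audiotool.net/download/mp3recorder.exe
【Protection】Registration code
【Software description】Audiotool Ease MP3 Recorder can record music files in more than ten formats, including WAV, MP3, OGG, WMA, GSM, ADPCM, VOX, RAW, DSP, GSM, G726 and G23. Any sound played through the sound card, or fed into the sound card from a microphone or a line-in cable, can be recorded.
【Statement】I am just a newbie who has picked up a few insights and would like to share them with everyone :)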
--------------------------------------------------------------
【Analysis】
--------------------------------------------------------------
**************************************************************
1. Run the program and try to register with incorrect registration details; an error message is shown.
**************************************************************
2. Check EaseMP3Recorder.exe for a packer with PEiD; it reports Borland Delphi 6.0 - 7.0.
**************************************************************
3. Run OD, open EaseMP3Recorder.exe, and use the button event found with DeDe to reach the key routine.
==============================================================
004985C0/.55 PUSH EBP
004985C1|.8BEC MOV EBP, ESP
004985C3|.33C9 XOR ECX, ECX
004985C5|.51 PUSH ECX
004985C6|.51 PUSH ECX
004985C7|.51 PUSH ECX
004985C8|.51 PUSH ECX
004985C9|.51 PUSH ECX
004985CA|.51 PUSH ECX
004985CB|.53 PUSH EBX
004985CC|.56 PUSH ESI
004985CD|.57 PUSH EDI
004985CE|.8BD8 MOV EBX, EAX
004985D0|.33C0 XOR EAX, EAX
004985D2|.55 PUSH EBP
004985D3|.68 26884900 PUSH EaseMP3R.00498826
004985D8|.64:FF30 PUSH DWORD PTR FS:[EAX]
004985DB|.64:8920 MOV DWORD PTR FS:[EAX], ESP
004985DE|.8D55 F4 LEA EDX, DWORD PTR SS:[EBP-C]
004985E1|.8B83 F8020000 MOV EAX, DWORD PTR DS:[EBX+2F8]
004985E7|.E8 488CFAFF CALL EaseMP3R.00441234
004985EC|.8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C] ;// user name
004985EF|.8D55 FC LEA EDX, DWORD PTR SS:[EBP-4]
004985F2|.E8 AD04F7FF CALL EaseMP3R.00408AA4
004985F7|.8D55 F0 LEA EDX, DWORD PTR SS:[EBP-10]
004985FA|.8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
004985FD|.E8 D604F7FF CALL EaseMP3R.00408AD8
00498602|.8B55 F0 MOV EDX, DWORD PTR SS:[EBP-10]
00498605|.8D45 FC LEA EAX, DWORD PTR SS:[EBP-4]
00498608|.E8 2BC0F6FF CALL EaseMP3R.00404638
0049860D|.8D55 EC LEA EDX, DWORD PTR SS:[EBP-14]
00498610|.8B83 FC020000 MOV EAX, DWORD PTR DS:[EBX+2FC]
00498616|.E8 198CFAFF CALL EaseMP3R.00441234
0049861B|.8B45 EC MOV EAX, DWORD PTR SS:[EBP-14] ;// trial code
0049861E|.8D55 F8 LEA EDX, DWORD PTR SS:[EBP-8]
00498621|.E8 7E04F7FF CALL EaseMP3R.00408AA4
00498626|.8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18]
00498629|.8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
0049862C|.E8 A704F7FF CALL EaseMP3R.00408AD8
00498631|.8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18]
00498634|.8D45 F8 LEA EAX, DWORD PTR SS:[EBP-8]
00498637|.E8 FCBFF6FF CALL EaseMP3R.00404638
0049863C|.8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ;// user name
0049863F|.E8 14C2F6FF CALL EaseMP3R.00404858 ;// get the user name length
00498644|.85C0 TEST EAX, EAX
00498646|.0F84 9F010000 JE EaseMP3R.004987EB ;// fails if the user name is empty
0049864C|.8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8] ;// trial code
0049864F|.E8 04C2F6FF CALL EaseMP3R.00404858 ;// get the trial code length
00498654|.85C0 TEST EAX, EAX
00498656|.75 1A JNZ SHORT EaseMP3R.00498672 ;// a non-empty trial code continues; an empty one fails
00498658|.6A 00 PUSH 0
0049865A|.66:8B0D 34884>MOV CX, WORD PTR DS:
00498661|.33D2 XOR EDX, EDX
00498663|.B8 40884900 MOV EAX, EaseMP3R.00498840 ;ASCII "Code must not be null."
00498668|.E8 EF22FAFF CALL EaseMP3R.0043A95C
0049866D|.E9 79010000 JMP EaseMP3R.004987EB
00498672|>8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
00498675|.E8 DEC1F6FF CALL EaseMP3R.00404858
0049867A|.85C0 TEST EAX, EAX
0049867C|.7E 38 JLE SHORT EaseMP3R.004986B6
0049867E|.BA 01000000 MOV EDX, 1
00498683|>8B4D F8 /MOV ECX, DWORD PTR SS:[EBP-8]
00498686|.0FB67411 FF |MOVZX ESI, BYTE PTR DS:[ECX+EDX-1]
0049868B|.83FE 30 |CMP ESI, 30
0049868E|.7C 08 |JL SHORT EaseMP3R.00498698
00498690|.8B4D F8 |MOV ECX, DWORD PTR SS:[EBP-8]
00498693|.83FE 39 |CMP ESI, 39
00498696|.7E 1A |JLE SHORT EaseMP3R.004986B2
00498698|>6A 00 |PUSH 0
0049869A|.66:8B0D 34884>|MOV CX, WORD PTR DS:
004986A1|.33D2 |XOR EDX, EDX
004986A3|.B8 60884900 |MOV EAX, EaseMP3R.00498860 ;ASCII "The code must be integer!"
004986A8|.E8 AF22FAFF |CALL EaseMP3R.0043A95C
004986AD|.E9 39010000 |JMP EaseMP3R.004987EB
004986B2|>42 |INC EDX
004986B3|.48 |DEC EAX
004986B4|.^ 75 CD \JNZ SHORT EaseMP3R.00498683 ;// loop: check that the trial code is digits only
004986B6|>BE 01000000 MOV ESI, 1 ;// ESI=1
004986BB|.8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ;// user name
004986BE|.E8 95C1F6FF CALL EaseMP3R.00404858 ;// get the user name length
004986C3|.85C0 TEST EAX, EAX ;// EAX = user name length
004986C5|.7E 13 JLE SHORT EaseMP3R.004986DA
004986C7|.BA 01000000 MOV EDX, 1
004986CC|>8B4D FC /MOV ECX, DWORD PTR SS:[EBP-4] ;// user name
004986CF|.0FB64C11 FF |MOVZX ECX, BYTE PTR DS:[ECX+EDX-1] ;// take the ASCII code of each user name character in turn
004986D4|.03F1 |ADD ESI, ECX ;// ESI=ESI+ECX
004986D6|.42 |INC EDX
004986D7|.48 |DEC EAX
004986D8|.^ 75 F2 \JNZ SHORT EaseMP3R.004986CC ;// loop
004986DA|>69C6 98050000 IMUL EAX, ESI, 598 ;// EAX=ESI*598
004986E0|.05 155E0100 ADD EAX, 15E15 ;// EAX=EAX+15E15
004986E5|.8BF0 MOV ESI, EAX
004986E7|.8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8] ;// trial code
004986EA|.E8 69C1F6FF CALL EaseMP3R.00404858 ;// get the trial code length
004986EF|.83F8 0A CMP EAX, 0A
004986F2|.0F8F DE000000 JG EaseMP3R.004987D6 ;// fails if the trial code is longer than 0Ah characters
004986F8|.8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
004986FB|.E8 6419F7FF CALL EaseMP3R.0040A064
00498700|.DB2D 7C884900 FLD TBYTE PTR DS:
00498706|.DED9 FCOMPP
00498708|.DFE0 FSTSW AX
0049870A|.9E SAHF
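0049870B|.0F82 AE000000 JB EaseMP3R.004987BF ;// fails if the trial code is greater than 2147483647
00498711|.8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8] ;// trial code
00498714|.E8 BB04F7FF CALL EaseMP3R.00408BD4 ;// convert the trial code string to its integer value (shown in hex) in EAX
00498719|.3BF0 CMP ESI, EAX ;// key comparison: ESI holds the correct code, EAX the entered code
0049871B|.0F85 87000000 JNZ EaseMP3R.004987A8 ;// key jump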
00498721|.B2 01 MOV DL, 1
00498723|.A1 C4144700 MOV EAX, DWORD PTR DS:
00498728|.E8 978EFDFF CALL EaseMP3R.004715C4
0049872D|.8BF8 MOV EDI, EAX
0049872F|.BA 02000080 MOV EDX, 80000002
00498734|.8BC7 MOV EAX, EDI
00498736|.E8 298FFDFF CALL EaseMP3R.00471664
0049873B|.B1 01 MOV CL, 1
0049873D|.BA 90884900 MOV EDX, EaseMP3R.00498890 ;ASCII "\SOFTWARE\EASETECH\EASEMP3RECORDER"
00498742|.8BC7 MOV EAX, EDI
00498744|.E8 5B90FDFF CALL EaseMP3R.004717A4
00498749|.8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
0049874C|.BA BC884900 MOV EDX, EaseMP3R.004988BC ;ASCII "registry name"
00498751|.8BC7 MOV EAX, EDI
00498753|.E8 E891FDFF CALL EaseMP3R.00471940
00498758|.8BCE MOV ECX, ESI
0049875A|.BA D4884900 MOV EDX, EaseMP3R.004988D4 ;ASCII "registry code"
0049875F|.8BC7 MOV EAX, EDI
00498761|.E8 7E92FDFF CALL EaseMP3R.004719E4
00498766|.B1 01 MOV CL, 1
00498768|.BA EC884900 MOV EDX, EaseMP3R.004988EC ;ASCII "regsuccess"
0049876D|.8BC7 MOV EAX, EDI
0049876F|.E8 B492FDFF CALL EaseMP3R.00471A28
00498774|.8BC7 MOV EAX, EDI
00498776|.E8 B98EFDFF CALL EaseMP3R.00471634
0049877B|.8BC7 MOV EAX, EDI
0049877D|.E8 0EB0F6FF CALL EaseMP3R.00403790
00498782|.6A 00 PUSH 0
00498784|.66:8B0D 34884>MOV CX, WORD PTR DS:
0049878B|.B2 02 MOV DL, 2
0049878D|.B8 00894900 MOV EAX, EaseMP3R.00498900 ;ASCII "Congratuation! You have registered!"
00498792|.E8 C521FAFF CALL EaseMP3R.0043A95C
00498797|.A1 94784A00 MOV EAX, DWORD PTR DS:
0049879C|.C600 01 MOV BYTE PTR DS:[EAX], 1
0049879F|.8BC3 MOV EAX, EBX
004987A1|.E8 C654FCFF CALL EaseMP3R.0045DC6C
004987A6|.EB 43 JMP SHORT EaseMP3R.004987EB
004987A8|>6A 00 PUSH 0
004987AA|.66:8B0D 34884>MOV CX, WORD PTR DS:
004987B1|.B2 02 MOV DL, 2
004987B3|.B8 2C894900 MOV EAX, EaseMP3R.0049892C ;ASCII "Invalid register code!Please retry!"
004987B8|.E8 9F21FAFF CALL EaseMP3R.0043A95C
004987BD|.EB 2C JMP SHORT EaseMP3R.004987EB
004987BF|>6A 00 PUSH 0
004987C1|.66:8B0D 34884>MOV CX, WORD PTR DS:
004987C8|.33D2 XOR EDX, EDX
004987CA|.B8 58894900 MOV EAX, EaseMP3R.00498958 ;ASCII "The code is overload!Please retry!"
004987CF|.E8 8821FAFF CALL EaseMP3R.0043A95C
004987D4|.EB 15 JMP SHORT EaseMP3R.004987EB
004987D6|>6A 00 PUSH 0
004987D8|.66:8B0D 34884>MOV CX, WORD PTR DS:
004987DF|.33D2 XOR EDX, EDX
004987E1|.B8 58894900 MOV EAX, EaseMP3R.00498958 ;ASCII "The code is overload!Please retry!"
004987E6|.E8 7121FAFF CALL EaseMP3R.0043A95C
004987EB|>33C0 XOR EAX, EAX
004987ED|.5A POP EDX
004987EE|.59 POP ECX
004987EF|.59 POP ECX
004987F0|.64:8910 MOV DWORD PTR FS:[EAX], EDX
004987F3|.68 2D884900 PUSH EaseMP3R.0049882D
004987F8|>8D45 E8 LEA EAX, DWORD PTR SS:[EBP-18]
004987FB|.E8 A0BDF6FF CALL EaseMP3R.004045A0
00498800|.8D45 EC LEA EAX, DWORD PTR SS:[EBP-14]
00498803|.E8 98BDF6FF CALL EaseMP3R.004045A0
00498808|.8D45 F0 LEA EAX, DWORD PTR SS:[EBP-10]
0049880B|.E8 90BDF6FF CALL EaseMP3R.004045A0
00498810|.8D45 F4 LEA EAX, DWORD PTR SS:[EBP-C]
00498813|.E8 88BDF6FF CALL EaseMP3R.004045A0
00498818|.8D45 F8 LEA EAX, DWORD PTR SS:[EBP-8]
0049881B|.BA 02000000 MOV EDX, 2
00498820|.E8 9FBDF6FF CALL EaseMP3R.004045C4
00498825\.C3 RETN
00498826 .^ E9 F9B6F6FF JMP EaseMP3R.00403F24
0049882B .^ EB CB JMP SHORT EaseMP3R.004987F8
0049882D .5F POP EDI
0049882E .5E POP ESI
0049882F .5B POP EBX
00498830 .8BE5 MOV ESP, EBP
00498832 .5D POP EBP
00498833 .C3 RETN
**************************************************************
【Summary】
--------------------------------------------------------------
【Algorithm summary】
Registration code = (sum of the ASCII codes of the user name + 1) * 1432 + 89621
--------------------------------------------------------------
【Algorithm keygen】
KeyGen.rek
.const
.data
szHomePage db "https://www.chinapyg.com",0
szEmail db "mailto:[email protected]",0
szErrMess db "请输入机器码!",0
szFMT db "%u",0
szBuffer1 db 50 dup (0)
.code
invoke lstrlen,eax
MOV ESI, 1
MOV EDX, 1
n1:
LEA ECX, hInput1
MOVZX ECX, BYTE PTR DS:[ECX+EDX-1]
ADD ESI, ECX
INC EDX
DEC EAX
JNZ n1
IMUL EAX, ESI, 598h
ADD EAX, 15E15h
invoke wsprintf,addr szBuffer1,addr szFMT,eax
lea eax,szBuffer1
--------------------------------------------------------------
【Memory keygen】
Breakpoint address 00498719
Break count 1
First byte 3B
Instruction length 2
Register mode - ESI
Decimal
--------------------------------------------------------------
【Registration info】
Saved in
--------------------------------------------------------------
Thanks to 飘云, 猫 and Nisy, to the many seniors for their tutorials, and to 王者之剑, 云龙 and all the forum brothers and sisters who have helped me! Thank you.
--------------------------------------------------------------
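【Copyright statement】This write-up is a set of study notes, and interest is the source of success. It is purely a technical exchange; when reposting, please credit the author and keep the article complete. Thank you!

Wow, looks like I got the first reply.

Too advanced. I didn't understand any of it.

The algorithm god is at it again! Here to pay my respects!

I roughly get it, haha. I have only just started on algorithms.

Studying T's memory keygen approach.

T is even writing keygens in assembly now, getting better and better.

I will study this properly and try hard to improve.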
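
The check analysed above derives the valid code from the user name on the client, which is why it sits in ESI at the comparison at 00498719. As an added example (not part of the original post or the product's code), the Python below models that check next to a verify-only design; the names `weak_check`, `vendor_sign` and `client_verify` are hypothetical, and the RSA key is a constructed, undersized demo key.

```python
import hashlib

# Model of the check in the disassembly: the valid code is a pure function
# of the user name, recomputed on the client at every attempt. Assumes the
# name bytes are taken as typed (any trimming by the app is not modelled).
def weak_check(name: str, code: int) -> bool:
    total = 1 + sum(name.encode("latin-1"))           # ESI starts at 1
    expected = (total * 0x598 + 0x15E15) & 0xFFFFFFFF  # 32-bit register math
    # A byte sum ignores character order, so different names that are
    # anagrams of each other accept the same code.
    return code == expected

# Verify-only design: the client ships with a public key and checks a
# vendor-issued signature over the name; nothing on the client can derive
# a valid licence value.
# Constructed demo key built from two Mersenne primes. It is far too small
# for real use: production code should call a vetted library (Ed25519 or
# RSA-PSS at full key size) instead of textbook RSA.
_P, _Q = 2**127 - 1, 2**89 - 1   # vendor-side secret, shown only for the demo
N, E = _P * _Q, 65537            # public key, the only part the client needs

def _digest(name: str) -> int:
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N

def vendor_sign(name: str) -> int:
    # Runs on the vendor's side only; the private exponent never ships.
    d = pow(E, -1, (_P - 1) * (_Q - 1))
    return pow(_digest(name), d, N)

def client_verify(name: str, licence: int) -> bool:
    # Uses public values only: N, E and the name the user typed.
    return 0 <= licence < N and pow(licence, E, N) == _digest(name)
```
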