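Cooolsoft MP3 Cutter: removing the registration window + 60-second limit
Today I wanted to cut an MP3 for a phone ringtone, so I downloaded this software. It has been localized into Chinese; it is a foreign product.
It actually requires registration.
I analyzed it a bit, but I could not figure out the registration routine.
So I brute-force patched it.
That removed the registration window, but there is still a 60-second limit.
I am a beginner.
Experts, please don't laugh.
Cooolsoft MP3 Cutter is a powerful audio format processing tool. It can cut
any segment of audio from MP3 and WAV files and save it directly as MP3 or WAV, with
time precision down to the millisecond! It also supports re-compressing MP3 at different bitrates! Very practical!
Cooolsoft MP3 Cutter also comes with a batch exporter that helps you batch-export
the files to be cut according to the selection method you have set.
Software download link: thunder://QUFodHRwOi8vOS5nZGR4My5jcnNreS5jb20vMjAwOTA5L01QM1NvdW5kQ3V0dGVyMTQxX09GQS5yYXJaWg==
Packer check:
Borland Delphi 4.0 - 5.0
Load it into OD for analysis.
Press F9 to run the program.
Then press F12 to pause.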
调用堆栈 , 项目 3
地址=0151FDC0
堆栈=0044AD78
程序过程 / 参数=mp3cutte.0044DA8C
调用来自=mp3cutte.0044AD73
结构=0151FE10
Show call
Traced to here:
0047724C/.55 PUSH EBP
0047724D|.8BEC MOV EBP,ESP
0047724F|.83C4 F8 ADD ESP,-8
00477252|.8955 F8 MOV DWORD PTR SS:,EDX
00477255|.8945 FC MOV DWORD PTR SS:,EAX
00477258|.8B45 FC MOV EAX,DWORD PTR SS:
0047725B|.E8 F8FEFFFF CALL mp3cutte.00477158
00477260|.8B15 286A4C00 MOV EDX,DWORD PTR DS:
00477266|.8B45 FC MOV EAX,DWORD PTR SS:
00477269|.8B80 48030000 MOV EAX,DWORD PTR DS:
0047726F|.E8 5096FEFF CALL mp3cutte.004608C4
00477274|.8B45 FC MOV EAX,DWORD PTR SS:
00477277|.E8 9C180000 CALL mp3cutte.00478B18
0047727C|.8B45 FC MOV EAX,DWORD PTR SS:
0047727F|.8A90 8D040200 MOV DL,BYTE PTR DS:
00477285|.8B45 FC MOV EAX,DWORD PTR SS:
00477288|.8B80 F0030000 MOV EAX,DWORD PTR DS:
0047728E|.8B08 MOV ECX,DWORD PTR DS:
00477290|.FF91 B8000000 CALL DWORD PTR DS:
00477296|.8B45 FC MOV EAX,DWORD PTR SS:
00477299|.8A90 8E040200 MOV DL,BYTE PTR DS:
0047729F|.8B45 FC MOV EAX,DWORD PTR SS:
004772A2|.8B80 F4030000 MOV EAX,DWORD PTR DS:
004772A8|.8B08 MOV ECX,DWORD PTR DS:
004772AA|.FF91 B8000000 CALL DWORD PTR DS:
004772B0|.8B45 FC MOV EAX,DWORD PTR SS:
004772B3|.8A90 8D040200 MOV DL,BYTE PTR DS:
004772B9|.8B45 FC MOV EAX,DWORD PTR SS:
004772BC|.8B80 94030000 MOV EAX,DWORD PTR DS:
004772C2|.E8 418CFCFF CALL mp3cutte.0043FF08
004772C7|.8B45 FC MOV EAX,DWORD PTR SS:
004772CA|.8A90 8E040200 MOV DL,BYTE PTR DS:
004772D0|.8B45 FC MOV EAX,DWORD PTR SS:
004772D3|.8B80 98030000 MOV EAX,DWORD PTR DS:
004772D9|.E8 2A8CFCFF CALL mp3cutte.0043FF08
004772DE|.E8 A572FEFF CALL mp3cutte.0045E588
004772E3|.84C0 TEST AL,AL
004772E5 75 31 JNZ SHORT mp3cutte.00477318 ; if this jump is not taken, the registration dialog pops up
So here we change it to JMP.
004772E7|.33C9 XOR ECX,ECX
004772E9|.B2 01 MOV DL,1
004772EB|.A1 90C74600 MOV EAX,DWORD PTR DS:
004772F0|.E8 EFF8FCFF CALL mp3cutte.00446BE4
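This way the registration dialog is skipped.
But the 60-second limit is still there.
Let's take another look.
I won't analyze the code above,
because I don't know how to analyze it either.
Please don't laugh, everyone.
Through string analysis
I found this place: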
00477558/$55 PUSH EBP
00477559|.8BEC MOV EBP,ESP
0047755B|.33C9 XOR ECX,ECX
0047755D|.51 PUSH ECX
0047755E|.51 PUSH ECX
0047755F|.51 PUSH ECX
00477560|.51 PUSH ECX
00477561|.51 PUSH ECX
00477562|.51 PUSH ECX
00477563|.8955 F8 MOV DWORD PTR SS:,EDX
00477566|.8945 FC MOV DWORD PTR SS:,EAX
00477569|.33C0 XOR EAX,EAX
0047756B|.55 PUSH EBP
0047756C|.68 7E764700 PUSH mp3cutte.0047767E
00477571|.64:FF30 PUSH DWORD PTR FS:
00477574|.64:8920 MOV DWORD PTR FS:,ESP
00477577|.8B45 FC MOV EAX,DWORD PTR SS:
0047757A|.83B8 28040000>CMP DWORD PTR DS:,0
00477581|.75 1F JNZ SHORT mp3cutte.004775A2
00477583|.6A 10 PUSH 10
00477585|.68 8C764700 PUSH mp3cutte.0047768C ;错误
0047758A|.68 94764700 PUSH mp3cutte.00477694 ;未打开文件
0047758F|.8B45 FC MOV EAX,DWORD PTR SS:
00477592|.E8 95E4FBFF CALL mp3cutte.00435A2C
00477597|.50 PUSH EAX ; |hOwner
00477598|.E8 03F9F8FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0047759D|.E9 C1000000 JMP mp3cutte.00477663
004775A2|>8B45 FC MOV EAX,DWORD PTR SS:
004775A5|.8B80 54040000 MOV EAX,DWORD PTR DS:
004775AB|.8B55 FC MOV EDX,DWORD PTR SS:
004775AE|.8982 58040000 MOV DWORD PTR DS:,EAX
004775B4|.8B45 FC MOV EAX,DWORD PTR SS:
004775B7|.E8 F0140000 CALL mp3cutte.00478AAC
004775BC|.84C0 TEST AL,AL
004775BE|.75 17 JNZ SHORT mp3cutte.004775D7
004775C0|.8B45 FC MOV EAX,DWORD PTR SS:
004775C3|.8B80 5C040000 MOV EAX,DWORD PTR DS:
004775C9|.2D 60EA0000 SUB EAX,0EA60
004775CE|.8B55 FC MOV EDX,DWORD PTR SS:
004775D1|.8982 58040000 MOV DWORD PTR DS:,EAX
004775D7|>8B45 FC MOV EAX,DWORD PTR SS:
004775DA|.80B8 8D040200>CMP BYTE PTR DS:,0
004775E1|.74 3C JE SHORT mp3cutte.0047761F
004775E3|.8B45 FC MOV EAX,DWORD PTR SS:
004775E6|.8B80 54040000 MOV EAX,DWORD PTR DS:
004775EC|.B9 E8030000 MOV ECX,3E8
004775F1|.99 CDQ
004775F2|.F7F9 IDIV ECX
004775F4|.8D55 F0 LEA EDX,DWORD PTR SS:
004775F7|.E8 70F8FEFF CALL mp3cutte.00466E6C
004775FC|.8B4D F0 MOV ECX,DWORD PTR SS:
004775FF|.8D45 F4 LEA EAX,DWORD PTR SS:
00477602|.BA AC764700 MOV EDX,mp3cutte.004776AC ;起始位置:
00477607|.E8 04C8F8FF CALL mp3cutte.00403E10
0047760C|.8B55 F4 MOV EDX,DWORD PTR SS:
0047760F|.8B45 FC MOV EAX,DWORD PTR SS:
00477612|.8B80 F8020000 MOV EAX,DWORD PTR DS:
00477618|.E8 6783FBFF CALL mp3cutte.0042F984
0047761D|.EB 3C JMP SHORT mp3cutte.0047765B
0047761F|>68 AC764700 PUSH mp3cutte.004776AC ;起始位置:
00477624|.8D55 E8 LEA EDX,DWORD PTR SS:
00477627|.8B45 FC MOV EAX,DWORD PTR SS:
0047762A|.8B80 54040000 MOV EAX,DWORD PTR DS:
00477630|.E8 0F0FF9FF CALL mp3cutte.00408544
00477635|.FF75 E8 PUSH DWORD PTR SS:
00477638|.68 C2764700 PUSH mp3cutte.004776C2 ; 毫秒
0047763D|.8D45 EC LEA EAX,DWORD PTR SS:
00477640|.BA 03000000 MOV EDX,3
00477645|.E8 3AC8F8FF CALL mp3cutte.00403E84
0047764A|.8B55 EC MOV EDX,DWORD PTR SS:
0047764D|.8B45 FC MOV EAX,DWORD PTR SS:
00477650|.8B80 F8020000 MOV EAX,DWORD PTR DS:
00477656|.E8 2983FBFF CALL mp3cutte.0042F984
0047765B|>8B45 FC MOV EAX,DWORD PTR SS:
0047765E|.E8 E5030000 CALL mp3cutte.00477A48
00477663|>33C0 XOR EAX,EAX
00477665|.5A POP EDX
00477666|.59 POP ECX
00477667|.59 POP ECX
00477668|.64:8910 MOV DWORD PTR FS:,EDX
0047766B|.68 85764700 PUSH mp3cutte.00477685
00477670|>8D45 E8 LEA EAX,DWORD PTR SS:
00477673|.BA 04000000 MOV EDX,4
00477678|.E8 EBC4F8FF CALL mp3cutte.00403B68
0047767D\.C3 RETN
Let's set a breakpoint at the head of this routine and analyze again.
Load a song.
Let's analyze this part:
004775A5|.8B80 54040000 MOV EAX,DWORD PTR DS:
004775AB|.8B55 FC MOV EDX,DWORD PTR SS:
004775AE|.8982 58040000 MOV DWORD PTR DS:,EAX
004775B4|.8B45 FC MOV EAX,DWORD PTR SS:
004775B7|.E8 F0140000 CALL mp3cutte.00478AAC
The analysis reaches this CALL.
Set a breakpoint on it:
00478AAC/$55 PUSH EBP
00478AAD|.8BEC MOV EBP,ESP
00478AAF|.83C4 F8 ADD ESP,-8
00478AB2|.8945 FC MOV DWORD PTR SS:,EAX
00478AB5|.C645 FB 01 MOV BYTE PTR SS:,1
00478AB9|.A1 60DA4700 MOV EAX,DWORD PTR DS:
00478ABE|.8038 00 CMP BYTE PTR DS:,0
00478AC1 75 4E JNZ SHORT mp3cutte.00478B11 ; after several tests: it jumps before 60 seconds and does not jump after 60 seconds, so we simply change it to always jump
00478AC3|.8B45 FC MOV EAX,DWORD PTR SS:
00478AC6|.8B80 5C040000 MOV EAX,DWORD PTR DS:
00478ACC|.8B55 FC MOV EDX,DWORD PTR SS:
00478ACF|.2B82 58040000 SUB EAX,DWORD PTR DS:
00478AD5|.3D 60EA0000 CMP EAX,0EA60
00478ADA|.7E 35 JLE SHORT mp3cutte.00478B11
00478ADC|.C645 FB 00 MOV BYTE PTR SS:,0
00478AE0|.33C9 XOR ECX,ECX
00478AE2|.B2 01 MOV DL,1
00478AE4|.A1 90C74600 MOV EAX,DWORD PTR DS:
00478AE9|.E8 F6E0FCFF CALL mp3cutte.00446BE4
00478AEE|.8B15 5CDA4700 MOV EDX,DWORD PTR DS: ;mp3cutte.0047E958
00478AF4|.8902 MOV DWORD PTR DS:,EAX
00478AF6|.A1 5CDA4700 MOV EAX,DWORD PTR DS:
00478AFB|.8B00 MOV EAX,DWORD PTR DS:
00478AFD|.8B10 MOV EDX,DWORD PTR DS:
00478AFF|.FF92 D8000000 CALL DWORD PTR DS:
00478B05|.A1 5CDA4700 MOV EAX,DWORD PTR DS:
00478B0A|.8B00 MOV EAX,DWORD PTR DS:
00478B0C|.E8 4FA3F8FF CALL mp3cutte.00402E60
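OK, now the software has no limit.
I am a beginner.
If anything here is wrong, please don't laugh at me.
I hope the experts can analyze the registration routine.

I'm even more of a beginner than the OP.

Came in to watch the experts comment.

Table lookup: db 4d639c DES_Spbox.
Plaintext address: 0047CD80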
0 0 0 0 0 0 1 0 4 4 1 1 4 4 1 0 ...
It would be best to patch it so it ends up like this...
[ This post was last edited by Luckly on 2009-11-20 14:42 ]

Thanks to LUCKLY for the analysis.