Brothers, something happened last night: I carelessly wandered into the forum's amusement park for a round, dropped from level-3 member to level-2, and lost all my points!!!
Ugh, dizzying. Who knew points would be put up as stakes there; I have lost every bet I have ever made since I was a kid!!!!!!!!!!
To apply to join PYG and get more chances to study and exchange, I wrote three crack writeups in a row within half a day, so please forgive the parts that are not written clearly, brothers, and correct me where I am wrong.
A word for boss 飘云: I have only been at cracking for a short time and have always been slow with algorithms, so please bear with the algorithm part!! I will definitely work twice as hard from now on!! I hope the boss gives me a chance!!!
Thanks in advance!!!
【Title】PYG crack writeup: MP3 audio recorder joiner, simple algorithm analysis and crack
【Author】神猪
【Author email】[email protected]
【Author homepage】
【Tools】peid, od
【Platform】xp
【Software name】MP3 audio recorder joiner
【Software size】1.15M
【Original download】http://www.newhua.com/soft/55291.htm
【Protection】registration code + NAG window
【Software description】Records directly from any external audio source to high-quality mp3 and WAV without creating temporary files during recording; you can easily transfer high-quality mp3 to your mp3 player with it.
【Statement】For study and exchange only, no commercial purpose! Written to join PYG and learn cracking better.
------------------------------------------------------------------------
【Process】First, check for a packer with PEiD: no packer; the program is written in Borland Delphi 6.0 - 7.0.
The program shows a NAG window when run. Entering a fake code (NAME: shenzhu, id: 123456789) gives the error message: invalid register code!please retry!
Load it directly in OD and search for the error string; there are several hits. Go to the topmost one and you arrive at the following code:
004A1878 /. 55 push ebp ; start of the register-button handler, where the breakpoint is set
004A1879 |. 8BEC mov ebp, esp
004A187B |. 33C9 xor ecx, ecx
004A187D |. 51 push ecx ; reserve zeroed local slots
004A187E |. 51 push ecx
004A187F |. 51 push ecx
004A1880 |. 51 push ecx
004A1881 |. 51 push ecx
004A1882 |. 51 push ecx
004A1883 |. 51 push ecx
004A1884 |. 53 push ebx ; save registers
004A1885 |. 56 push esi
004A1886 |. 57 push edi
004A1887 |. 8945 FC mov dword ptr [ebp-4], eax
004A188A |. 33C0 xor eax, eax ; eax = 0
004A188C |. 55 push ebp
004A188D |. 68 A21A4A00 push 004A1AA2
004A1892 |. 64:FF30 push dword ptr fs:[eax]
004A1895 |. 64:8920 mov dword ptr fs:[eax], esp
004A1898 |. B3 01 mov bl, 1
004A189A |. FF05 2CAE4B00 inc dword ptr [4BAE2C] ; counter at [4BAE2C] +1
004A18A0 |. 833D 2CAE4B00>cmp dword ptr [4BAE2C], 3 ; greater than 3?
004A18A7 |. 7E 1D jle short 004A18C6 ; continue while the counter is at most 3, otherwise error
004A18A9 |. 6A 00 push 0 ; /Arg1 = 00000000
004A18AB |. 66:8B0D B01A4>mov cx, word ptr [4A1AB0] ; |
004A18B2 |. B2 02 mov dl, 2 ; |
004A18B4 |. B8 BC1A4A00 mov eax, 004A1ABC ; |invalid register code! please retry!
-------------------------------------------------------------------------------------
004A18F3 |. E8 DC2DF6FF call 004046D4
004A18F8 |. BF 15000000 mov edi, 15 ; edi = 0x15 = 21, the loop counter (one per reserved name)
004A18FD |. BE 0C894B00 mov esi, 004B890C ; esi = table of reserved names; the loop starts below
004A1902 |> 8B45 F8 /mov eax, dword ptr [ebp-8]
004A1905 |. 8B16 |mov edx, dword ptr [esi]
004A1907 |. E8 2C31F6FF |call 00404A38 ; compare the user name with the current table entry
004A190C |. 75 04 |jnz short 004A1912
004A190E |. 33DB |xor ebx, ebx ; match found: bl = 0
004A1910 |. EB 06 |jmp short 004A1918
004A1912 |> 83C6 04 |add esi, 4
004A1915 |. 4F |dec edi
004A1916 |.^ 75 EA \jnz short 004A1902
004A1918 |> 84DB test bl, bl
004A191A |. 74 1A je short 004A1936 ; if the name is one of the reserved registration names, jump on; otherwise error
---------------------------------
The loop marked above checks whether the user name is one of the program's built-in reserved users; if not, it jumps to the error.
The program's reserved registration user names:
VSjtT6-Vst6
TV96P6-T6T6
S126OP-Sb66
TwR67J-Sp66
TDjEJ6-ErjS
T3R6YS-ST1j
TsfD96-VBJ1
B8sf6p-VB81
B8TDf6-VPW1
BS45fM-VHB1
OsrUSE-HP21
Ofrg88-V771
ESrgSB-1JVG
IUrgD7-V7B1
IUD7T6-B8X1
DUIQT6-t1V1
S1IT6L-D8F1
S7NMS6-DKV1
SNGWS6-T7N1
SNWS8F-MWN3
TDVDS6-MBN3
Phew, exhausting!!!!!! Heh, so much fuss.
--------------------------------------------------------------------------------------
After the user name check, continue downwards:
004A191C |. 6A 00 push 0 ; /Arg1 = 00000000
004A191E |. 66:8B0D B01A4>mov cx, word ptr [4A1AB0] ; |
004A1925 |. B2 02 mov dl, 2 ; |
004A1927 |. B8 BC1A4A00 mov eax, 004A1ABC ; |invalid register code! please retry!
004A192C |. E8 8BA7F9FF call 0043C0BC ; \MP3_audi.0043C0BC
004A1931 |. E9 31010000 jmp 004A1A67
004A1936 |> 8D55 E8 lea edx, dword ptr [ebp-18]
004A1939 |. 8B45 FC mov eax, dword ptr [ebp-4]
004A193C |. 8B80 0C030000 mov eax, dword ptr [eax+30C]
004A1942 |. E8 BD10FAFF call 00442A04 ; read the entered code
004A1947 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004A194A |. 8D55 F4 lea edx, dword ptr [ebp-C]
004A194D |. E8 4A72F6FF call 00408B9C
004A1952 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004A1955 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004A1958 |. E8 7372F6FF call 00408BD0
004A195D |. 8B55 E4 mov edx, dword ptr [ebp-1C]
004A1960 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004A1963 |. E8 6C2DF6FF call 004046D4
004A1968 |. 837D F8 00 cmp dword ptr [ebp-8], 0
004A196C |. 0F84 F5000000 je 004A1A67 ; zero: jump to the error exit
004A1972 |. 837D F4 00 cmp dword ptr [ebp-C], 0 ; is the code string empty?
004A1976 |. 0F84 EB000000 je 004A1A67 ; zero: jump to the error exit
004A197C |. 8B45 F4 mov eax, dword ptr [ebp-C]
004A197F |. E8 702FF6FF call 004048F4 ; this CALL returns the length of the entered code
004A1984 |. 85C0 test eax, eax
004A1986 |. 7E 38 jle short 004A19C0 ; no characters: skip the loop below, which requires every character to be '0'..'9'
004A1988 |. BA 01000000 mov edx, 1
004A198D |> 8B4D F4 /mov ecx, dword ptr [ebp-C]
004A1990 |. 0FB64C11 FF |movzx ecx, byte ptr [ecx+edx-1]
004A1995 |. 83F9 30 |cmp ecx, 30 ; below '0' -> error
004A1998 |. 7C 08 |jl short 004A19A2
004A199A |. 8B5D F4 |mov ebx, dword ptr [ebp-C]
004A199D |. 83F9 39 |cmp ecx, 39 ; above '9' -> error, otherwise next character
004A19A0 |. 7E 1A |jle short 004A19BC
004A19A2 |> 6A 00 |push 0 ; /Arg1 = 00000000
004A19A4 |. 66:8B0D B01A4>|mov cx, word ptr [4A1AB0] ; |
004A19AB |. B2 02 |mov dl, 2 ; |
004A19AD |. B8 BC1A4A00 |mov eax, 004A1ABC ; |invalid register code! please retry!
004A19B2 |. E8 05A7F9FF |call 0043C0BC ; \MP3_audi.0043C0BC
004A19B7 |. E9 AB000000 |jmp 004A1A67
004A19BC |> 42 |inc edx
004A19BD |. 48 |dec eax
004A19BE |.^ 75 CD \jnz short 004A198D
004A19C0 |> 33DB xor ebx, ebx
004A19C2 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004A19C5 |. E8 2A2FF6FF call 004048F4 ; this CALL returns the user name length
004A19CA |. 85C0 test eax, eax
004A19CC |. 7E 13 jle short 004A19E1
004A19CE |. BF 01000000 mov edi, 1
004A19D3 |> 8B55 F8 /mov edx, dword ptr [ebp-8]
004A19D6 |. 0FB6543A FF |movzx edx, byte ptr [edx+edi-1] ; zero-extend each character
004A19DB |. 03DA |add ebx, edx ; ebx += character
004A19DD |. 47 |inc edi ; index + 1
004A19DE |. 48 |dec eax ; remaining - 1
004A19DF |.^ 75 F2 \jnz short 004A19D3
004A19E1 |> 69C3 24410D00 imul eax, ebx, 0D4124 ; eax = sum * 0xD4124
004A19E7 |. 83C0 56 add eax, 56 ; + 0x56
004A19EA |. D1F8 sar eax, 1 ; arithmetic shift right by 1 (signed divide by 2)
004A19EC |. 79 03 jns short 004A19F1
004A19EE |. 83D0 00 adc eax, 0 ; for a negative value add the shifted-out bit (rounds toward zero)
004A19F1 |> 8BD8 mov ebx, eax
004A19F3 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004A19F6 |. E8 3974F6FF call 00408E34 ; key CALL: converts the entered code string to an integer
004A19FB |. 3BD8 cmp ebx, eax ; compare the computed value with the entered code
004A19FD 75 53 jnz short 004A1A52 ; key jump
004A19FF |. 6A 00 push 0 ; /Arg1 = 00000000
004A1A01 |. 66:8B0D B01A4>mov cx, word ptr [4A1AB0] ; |
004A1A08 |. B2 02 mov dl, 2 ; |
004A1A0A |. B8 EC1A4A00 mov eax, 004A1AEC ; registration succeeds here |congratuation! you have successfully registered!
004A1A0F |. E8 A8A6F9FF call 0043C0BC ; \MP3_audi.0043C0BC
004A1A14 |. A1 3C8D4B00 mov eax, dword ptr [4B8D3C]
004A1A19 |. C600 01 mov byte ptr [eax], 1
004A1A1C |. A1 108E4B00 mov eax, dword ptr [4B8E10]
004A1A21 |. 8B00 mov eax, dword ptr [eax]
004A1A23 |. 33C9 xor ecx, ecx
004A1A25 |. BA 04000000 mov edx, 4
004A1A2A |. 8B18 mov ebx, dword ptr [eax]
004A1A2C |. FF53 10 call dword ptr [ebx+10]
004A1A2F |. 8B15 3C8D4B00 mov edx, dword ptr [4B8D3C] ; MP3_audi.004BAEA8
004A1A35 |. A1 108E4B00 mov eax, dword ptr [4B8E10]
004A1A3A |. 8B00 mov eax, dword ptr [eax]
004A1A3C |. B9 01000000 mov ecx, 1
004A1A41 |. E8 B294F7FF call 0041AEF8
004A1A46 |. A1 28AE4B00 mov eax, dword ptr [4BAE28]
004A1A4B |. E8 D8D7FBFF call 0045F228
004A1A50 |. EB 15 jmp short 004A1A67
004A1A52 |> 6A 00 push 0 ; /Arg1 = 00000000
004A1A54 |. 66:8B0D B01A4>mov cx, word ptr [4A1AB0] ; |
004A1A5B |. B2 02 mov dl, 2 ; |
004A1A5D |. B8 BC1A4A00 mov eax, 004A1ABC ; |invalid register code! please retry!
004A1A62 |. E8 55A6F9FF call 0043C0BC ; \MP3_audi.0043C0BC
004A1A67 |> 33C0 xor eax, eax
004A1A69 |. 5A pop edx
004A1A6A |. 59 pop ecx
004A1A6B |. 59 pop ecx
004A1A6C |. 64:8910 mov dword ptr fs:[eax], edx
004A1A6F |. 68 A91A4A00 push 004A1AA9
004A1A74 |> 8D45 E4 lea eax, dword ptr [ebp-1C]
004A1A77 |. E8 C02BF6FF call 0040463C
004A1A7C |. 8D45 E8 lea eax, dword ptr [ebp-18]
004A1A7F |. E8 B82BF6FF call 0040463C
004A1A84 |. 8D45 EC lea eax, dword ptr [ebp-14]
004A1A87 |. E8 B02BF6FF call 0040463C
004A1A8C |. 8D45 F0 lea eax, dword ptr [ebp-10]
004A1A8F |. E8 A82BF6FF call 0040463C
004A1A94 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004A1A97 |. BA 02000000 mov edx, 2
004A1A9C |. E8 BF2BF6FF call 00404660
004A1AA1 \. C3 retn
004A1AA2 .^ E9 1925F6FF jmp 00403FC0
004A1AA7 .^ EB CB jmp short 004A1A74
004A1AA9 . 5F pop edi
004A1AAA . 5E pop esi
004A1AAB . 5B pop ebx
004A1AAC . 8BE5 mov esp, ebp
004A1AAE . 5D pop ebp
004A1AAF . C3 retn
Contents of the algorithm CALL (the routine at 004030D0):
004030D0 /$ 53 push ebx
004030D1 |. 56 push esi
004030D2 |. 57 push edi
004030D3 |. 89C6 mov esi, eax
004030D5 |. 50 push eax
004030D6 |. 85C0 test eax, eax
004030D8 |. 74 6C je short 00403146
004030DA |. 31C0 xor eax, eax
004030DC |. 31DB xor ebx, ebx
004030DE |. BF CCCCCC0C mov edi, 0CCCCCCC ; decimal overflow guard: eax may not exceed this before *10
004030E3 |> 8A1E /mov bl, byte ptr [esi] ; skip leading spaces
004030E5 |. 46 |inc esi
004030E6 |. 80FB 20 |cmp bl, 20
004030E9 |.^ 74 F8 \je short 004030E3
004030EB |. B5 00 mov ch, 0 ; ch becomes 1 if a '-' sign is seen
004030ED |. 80FB 2D cmp bl, 2D ; Switch (cases 24..78)
004030F0 |. 74 62 je short 00403154
004030F2 |. 80FB 2B cmp bl, 2B
004030F5 |. 74 5F je short 00403156
004030F7 |. 80FB 24 cmp bl, 24
004030FA |. 74 5F je short 0040315B
004030FC |. 80FB 78 cmp bl, 78
004030FF |. 74 5A je short 0040315B
00403101 |. 80FB 58 cmp bl, 58
00403104 |. 74 55 je short 0040315B
00403106 |. 80FB 30 cmp bl, 30
00403109 |. 75 13 jnz short 0040311E
0040310B |. 8A1E mov bl, byte ptr [esi] ; Case 30 ('0') of switch 004030ED
0040310D |. 46 inc esi
0040310E |. 80FB 78 cmp bl, 78
00403111 |. 74 48 je short 0040315B
00403113 |. 80FB 58 cmp bl, 58
00403116 |. 74 43 je short 0040315B
00403118 |. 84DB test bl, bl
0040311A |. 74 20 je short 0040313C
0040311C |. EB 04 jmp short 00403122
0040311E |> 84DB test bl, bl ; Default case of switch 004030ED
00403120 |. 74 2D je short 0040314F
00403122 |> 80EB 30 /sub bl, 30
00403125 |. 80FB 09 |cmp bl, 9
00403128 |. 77 25 |ja short 0040314F
0040312A |. 39F8 |cmp eax, edi
0040312C |. 77 21 |ja short 0040314F
0040312E |. 8D0480 |lea eax, dword ptr [eax+eax*4] ; eax = eax*10 + digit (this and the next two lines)
00403131 |. 01C0 |add eax, eax
00403133 |. 01D8 |add eax, ebx
00403135 |. 8A1E |mov bl, byte ptr [esi]
00403137 |. 46 |inc esi
00403138 |. 84DB |test bl, bl
0040313A |.^ 75 E6 \jnz short 00403122
0040313C |> FECD dec ch
0040313E |. 74 09 je short 00403149
00403140 |. 85C0 test eax, eax
00403142 |. 7D 4E jge short 00403192
00403144 |. EB 09 jmp short 0040314F
00403146 |> 46 inc esi
00403147 |. EB 06 jmp short 0040314F
00403149 |> F7D8 neg eax
0040314B |. 7E 45 jle short 00403192
0040314D |. 78 43 js short 00403192
0040314F |> 5B pop ebx ; error exit (default case of switch 0040316F): [edx] = 1-based position of the bad byte
00403150 |. 29DE sub esi, ebx
00403152 |. EB 41 jmp short 00403195
00403154 |> FEC5 inc ch ; Case 2D ('-') of switch 004030ED
00403156 |> 8A1E mov bl, byte ptr [esi] ; Case 2B ('+') of switch 004030ED
00403158 |. 46 inc esi
00403159 |.^ EB C3 jmp short 0040311E
0040315B |> BF FFFFFF0F mov edi, 0FFFFFFF ; hex overflow guard; Cases 24 ('$'),58 ('X'),78 ('x') of switch 004030ED
00403160 |. 8A1E mov bl, byte ptr [esi]
00403162 |. 46 inc esi
00403163 |. 84DB test bl, bl
00403165 |.^ 74 DF je short 00403146
00403167 |> 80FB 61 /cmp bl, 61
0040316A |. 72 03 |jb short 0040316F
0040316C |. 80EB 20 |sub bl, 20
0040316F |> 80EB 30 |sub bl, 30 ; Switch (cases 30..46)
00403172 |. 80FB 09 |cmp bl, 9
00403175 |. 76 0B |jbe short 00403182
00403177 |. 80EB 11 |sub bl, 11
0040317A |. 80FB 05 |cmp bl, 5
0040317D |.^ 77 D0 |ja short 0040314F
0040317F |. 80C3 0A |add bl, 0A ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 0040316F
00403182 |> 39F8 |cmp eax, edi ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 0040316F
00403184 |.^ 77 C9 |ja short 0040314F
00403186 |. C1E0 04 |shl eax, 4 ; eax = eax*16 + hex digit
00403189 |. 01D8 |add eax, ebx
0040318B |. 8A1E |mov bl, byte ptr [esi]
0040318D |. 46 |inc esi
0040318E |. 84DB |test bl, bl
00403190 |.^ 75 D5 \jnz short 00403167
00403192 |> 59 pop ecx ; success exit: [edx] = 0, eax = parsed value
00403193 |. 31F6 xor esi, esi
00403195 |> 8932 mov dword ptr [edx], esi
00403197 |. 5F pop edi
00403198 |. 5E pop esi
00403199 |. 5B pop ebx
0040319A \. C3 retn
The computation is rather fiddly and I did not study it in detail; besides, this program has no other verification point, so knowing this much is enough.
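The routine listed above is the integer parser behind the Delphi RTL's StrToInt (Val with a Longint target): it skips spaces, accepts an optional sign and a '$' or '0x' hex prefix, and fails on any non-digit or on a value that does not fit a signed 32-bit integer, which is why the entered code must be a plain number. Added example, not code from the original post: a Python re-implementation whose constants and control flow are read off the listing; the name val_long and the (value, code) return shape are this example's own choices.

```python
def val_long(s: str) -> tuple[int, int]:
    """(value, code): code 0 on success, else 1-based position of the bad byte."""
    buf = s.encode("latin-1") + b"\x00"   # the routine expects a NUL-terminated string
    i, acc, limit = 0, 0, 0x0CCCCCCC       # esi-start, eax, edi (decimal overflow guard)
    negative = hex_mode = False            # ch sign flag / which digit loop runs

    def getc() -> int:                     # "mov bl, byte ptr [esi] / inc esi"
        nonlocal i
        i += 1
        return buf[i - 1]

    c = getc()
    while c == 0x20:                       # 004030E3: skip leading spaces
        c = getc()
    if c in (0x2D, 0x2B):                  # '-' or '+'
        negative = c == 0x2D
        c = getc()
        if c == 0:                         # sign with nothing after it -> error
            return 0, i
    elif c in (0x24, 0x78, 0x58):          # '$', 'x', 'X': hex prefix
        hex_mode = True
    elif c == 0x30:                        # '0' may start a "0x" prefix
        c = getc()
        hex_mode = c in (0x78, 0x58)
    elif c == 0:                           # empty string -> error at position 1
        return 0, i
    if hex_mode:                           # 0040315B hex loop; the sign is ignored here
        limit = 0x0FFFFFFF
        c = getc()
        if c == 0:
            return 0, i + 1                # 00403146: prefix without digits
        while c != 0:
            if c >= 0x61:
                c -= 0x20                  # fold 'a'..'f' to 'A'..'F'
            d = (c - 0x30) & 0xFF          # bl is 8 bits, so the subtraction wraps
            if d > 9:                      # 'A'..'F' -> 10..15 (sub 0x11, add 0x0A)
                d = ((d - 0x11) & 0xFF) + 10
            if d > 15 or acc > limit:      # non-hex byte, or acc*16 could overflow
                return 0, i
            acc = (acc << 4) + d
            c = getc()
        return (acc - (1 << 32) if acc & 0x80000000 else acc), 0
    while c != 0:                          # 00403122 decimal loop
        d = (c - 0x30) & 0xFF
        if d > 9 or acc > limit:           # non-digit, or acc*10 could overflow
            return 0, i
        acc = acc * 10 + d
        c = getc()
    top = 0x80000000 if negative else 0x7FFFFFFF   # 00403149 neg/jle/js vs 00403140 test/jge
    return (-acc if negative else acc, 0) if acc <= top else (0, i)
```

The fake code 123456789 from the test above parses cleanly, while anything with a letter fails at that letter's position and anything above 2147483647 fails with code = length + 1.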
To register, just change
004A19FD 75 53 jnz short 004A1A52 ; key jump
from JNZ to JZ, or NOP it out, and registration succeeds. Note that the registration code has to follow a certain format; try a few times and it works.
The NAG window also disappears automatically.
Runs fine!!!
------------------------------------------------------------------------
【Summary】Software that registers through registration names built into the program itself is not very common! Suggestion for the software: if fixed registration names are used, add a check on restart and a more complex algorithm.
------------------------------------------------------------------------
【Copyright】This writeup was published by 神猪 to join PYG; do not repost without permission.