Posted by UID 2198 (deputy forum moderator, registered 2005-6-29)
Software name: CD to MP3 Ripper 5.20
Software description: Advanced CD Ripper Pro
Advanced CD Ripper Pro is a powerful program for ripping audio CD tracks on the fly to MP3, WAV, WMA and OGG Vorbis files. It uses the newest LAME encoder (3.9.31), which supports the full set of MP3 options including VBR, and it also supports WMA v9 encoding (VBR as well). Free CDDB is supported, and a proxy can be set for submitting to or querying free CDDB. For MP3 ID3 tags it supports both v1 and v2. It can normalize while ripping. It is also a good CD player: highlight any entry in the list to play it, or save the CD tracks to a playlist in PLS, HTML, M3U or XML format. Every track title in the list can be renamed easily, backed by a powerful local CD database. CUE file output is also supported.
Official download: http://www.mp3-ripper.net/
Open the program, enter arbitrary registration details and click OK; an error dialog pops up: Your serial number have not been accept.please try again!
PEiD packer check: ASPack 2.12 -> Alexey Solodovnikov
We debug it with the packer still in place: use the ESP trick to reach the OEP, then delete the memory breakpoint.
From the code at the OEP it is clear the program is written in Delphi. Search for ASCII strings and find the key string:
00554ED8=00554ED8 (ASCII "Your serial number have not been accept.",LF,CR,"please try again!")
Double-click it to land in the CPU pane. A little further up there is an obvious flag comparison, so we set a breakpoint there.
00554E45 E8 5A160000 call 005564A4 ; algorithm CALL: set a breakpoint here and step into it with F7
00554E4A 84C0 test al, al ; flag check
00554E4C 74 0E je short 00554E5C
00554E4E A1 EC8F5600 mov eax, dword ptr [568FEC]
00554E53 8B00 mov eax, dword ptr [eax]
00554E55 E8 021C0000 call 00556A5C ; pops up the "registration successful" dialog
00554E5A EB 46 jmp short 00554EA2
After stepping into the key CALL with F7:
005564A9 51 push ecx
005564AA 51 push ecx
005564AB 51 push ecx
005564AC 51 push ecx
005564AD 53 push ebx
005564AE 33C0 xor eax, eax
005564B0 55 push ebp
005564B1 68 7C655500 push 0055657C
005564B6 64:FF30 push dword ptr fs:[eax]
005564B9 64:8920 mov dword ptr fs:[eax], esp
005564BC 8D55 FC lea edx, dword ptr [ebp-4]
005564BF A1 AC8E5600 mov eax, dword ptr [568EAC]
005564C4 8B00 mov eax, dword ptr [eax]
005564C6 8B80 00030000 mov eax, dword ptr [eax+300]
005564CC E8 C756F6FF call 004BBB98
005564D1 68 F8C35600 push 0056C3F8
005564D6 8D45 F4 lea eax, dword ptr [ebp-C]
005564D9 50 push eax
005564DA B1 01 mov cl, 1
005564DC BA 94655500 mov edx, 00556594 ; ripper
005564E1 B8 A4655500 mov eax, 005565A4 ; 06000000000000004172a854bd9fc967dfb8252b86611bd8
005564E6 E8 EDE3FFFF call 005548D8 ; step into this CALL: it yields a fixed value, kingqc
005564EB 8B45 F4 mov eax, dword ptr [ebp-C] ; the fixed value kingqc goes into EAX
005564EE B9 06000000 mov ecx, 6
005564F3 33D2 xor edx, edx
005564F5 E8 F2E9EAFF call 00404EEC
005564FA 68 E0655500 push 005565E0 ; acrp26-
005564FF FF35 F8C35600 push dword ptr [56C3F8]
00556505 68 F0655500 push 005565F0 ; -2006
0055650A 8D45 F8 lea eax, dword ptr [ebp-8]
0055650D BA 03000000 mov edx, 3
00556512 E8 3DE8EAFF call 00404D54 ; concatenates the three fixed values above to form the registration code
00556517 8D55 F0 lea edx, dword ptr [ebp-10]
0055651A A1 AC8E5600 mov eax, dword ptr [568EAC]
0055651F 8B00 mov eax, dword ptr [eax]
00556521 8B80 04030000 mov eax, dword ptr [eax+304]
00556527 E8 6C56F6FF call 004BBB98
0055652C 8B45 F0 mov eax, dword ptr [ebp-10]
0055652F 8B55 F8 mov edx, dword ptr [ebp-8]
00556532 E8 A1E8EAFF call 00404DD8 ; the real code and the entered code are compared here
00556537 75 1E jnz short 00556557 ; jump away if they differ; if this jump is patched, the correct registration details get written out
00556539 B3 01 mov bl, 1 ; if no jump is taken, flag BL is set to 1
0055653B B8 F0C35600 mov eax, 0056C3F0
00556540 8B55 FC mov edx, dword ptr [ebp-4]
00556543 E8 D8E4EAFF call 00404A20
00556548 B8 F4C35600 mov eax, 0056C3F4
0055654D 8B55 F8 mov edx, dword ptr [ebp-8]
00556550 E8 CBE4EAFF call 00404A20
00556555 EB 02 jmp short 00556559
00556557 33DB xor ebx, ebx ; if the jump was taken, XOR clears EBX
00556559 33C0 xor eax, eax ; the JMP above lands here; clear EAX
0055655B 5A pop edx
0055655C 59 pop ecx
0055655D 59 pop ecx
0055655E 64:8910 mov dword ptr fs:[eax], edx
00556561 68 83655500 push 00556583
00556566 8D45 F0 lea eax, dword ptr [ebp-10]
00556569 E8 5EE4EAFF call 004049CC
0055656E 8D45 F4 lea eax, dword ptr [ebp-C]
00556571 BA 03000000 mov edx, 3
00556576 E8 75E4EAFF call 004049F0
0055657B C3 retn
0055657C ^ E9 EFDDEAFF jmp 00404370
00556581 ^ EB E3 jmp short 00556566
00556583 8BC3 mov eax, ebx ; the value 1 placed in flag BL above is passed to EAX as the return value
00556585 5B pop ebx
00556586 8BE5 mov esp, ebp
00556588 5D pop ebp
00556589 C3 retn
The registration data is stored in the file ripper.cfg in the program's install folder; opening it in Notepad:
[reg]
Name=Nisy
Pass=acrp26-kingqc-2006
check=kingqc
To summarize:
00556532 E8 A1E8EAFF call 00404DD8 ; the real code and the entered code are compared here; a memory keygen could be written here (the key is fixed, so there is no need)
00556537 75 1E jnz short 00556557 ; jump away if they differ; if this jump is patched, the correct registration details get written out
Weak points in the design of the registration check:
1. The algorithm has nothing worth analysing: it merely concatenates a few fixed values, and the program uses a single universal registration code.
2. Once the key jump is patched, the program writes the correct registration details out to the system.
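The two weak points above, as an added example that is not part of the original post or the vendor's code: a Python model of the check reconstructed from the listing at 005564E6..00556555, beside a hardened variant. Assumptions: the helper names are hypothetical; the routine at 005548D8 is not reproduced (the page only shows its result, "kingqc"); the "check=" key in ripper.cfg is copied through untouched because the listing does not show what it means; LICENSE_KEY is an illustrative constant; the sample cfg text is constructed from the file shown above.

```python
"""Added example, not the author's or the vendor's code (see lead-in)."""
import configparser
import hashlib
import hmac
import io

FIXED_VALUE = "kingqc"   # result of call 005548D8 (the decryption itself is not on the page)
PREFIX = "acrp26-"       # string at 005565E0
SUFFIX = "-2006"         # string at 005565F0

# Constructed sample of ripper.cfg in the state shown on the page.
SAMPLE_CFG = "[reg]\nName=Nisy\nPass=acrp26-kingqc-2006\ncheck=kingqc\n"


def delphi_copy(s: str, index: int, count: int) -> str:
    """Delphi Copy(S, Index, Count): 1-based; Index < 1 behaves as 1 (edx=0 at 005564F3)."""
    return s[max(index, 1) - 1:][:count]


def expected_serial_weak() -> str:
    """The LStrCatN at 00556512: one universal serial that every copy accepts."""
    return PREFIX + delphi_copy(FIXED_VALUE, 0, 6) + SUFFIX


def _load(cfg_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.optionxform = str          # keep "Name"/"Pass" capitalised as in the file
    cp.read_string(cfg_text)
    return cp


def _dump(cp: configparser.ConfigParser) -> str:
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def read_reg(cfg_text: str) -> dict:
    """Return the [reg] section of a ripper.cfg-style text as a dict."""
    return dict(_load(cfg_text)["reg"])


def check_weak(name: str, serial: str, cfg_text: str, patched_jump: bool = False):
    """Mirror of the routine at 005564A4. patched_jump=True models inverting the
    jnz at 00556537: the success path then runs for any input and stores the
    *expected* code ([ebp-8] -> 0056C3F4), not the one that was typed. The save
    to ripper.cfg described on the page is modelled directly here."""
    expected = expected_serial_weak()
    accepted = (serial == expected) or patched_jump
    if not accepted:
        return False, cfg_text
    cp = _load(cfg_text)
    cp["reg"]["Name"] = name
    cp["reg"]["Pass"] = expected
    return True, _dump(cp)


LICENSE_KEY = b"illustrative-secret-not-from-the-page"   # assumption for the demo


def derive_serial(name: str) -> str:
    """Per-name serial (HMAC over the name): no single universal code."""
    mac = hmac.new(LICENSE_KEY, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{PREFIX}{mac[:12]}{SUFFIX}"


def check_hardened(name: str, serial: str, cfg_text: str):
    """Constant-time compare, and on success persist only what the user typed,
    so patching the branch never hands the attacker the real code."""
    if not hmac.compare_digest(derive_serial(name).encode(), serial.encode()):
        return False, cfg_text
    cp = _load(cfg_text)
    cp["reg"]["Name"] = name
    cp["reg"]["Pass"] = serial
    return True, _dump(cp)


if __name__ == "__main__":
    print("universal serial:", expected_serial_weak())
    ok, cfg = check_weak("Nisy", "garbage", SAMPLE_CFG, patched_jump=True)
    print("weak, patched jump:", ok, read_reg(cfg)["Pass"])
    ok, cfg = check_hardened("Nisy", derive_serial("Nisy"), SAMPLE_CFG)
    print("hardened, correct code:", ok, read_reg(cfg)["Pass"])
```

The hardened variant only raises the bar from "flip one jnz" to "extract LICENSE_KEY and write a keygen"; a client-side check can never hide a symmetric secret from a debugger, so a real fix would verify a signature with an embedded public key instead.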