[ Title ] HiFi MP3 WMA Converter 3.00 algorithm analysis
[ Author ] 絕戀de煩神
[ Author e-mail ] sos_ftp@yahoo.com.cn
[ Author homepage ] http://hi.baidu.com/ 天蝎型男
[ Tools ] PEiD, OllyDbg
[ Platform ] WinXP SP2
[ Software ] HiFi MP3 WMA Converter 3.00
[ Size ] 2481KB
[ Original download ] http://www.newhua.com/soft/25824.htm
[ Protection ] username + registration code
[ Description ] A simple, practical MP3/WMA converter. During conversion you can resample and pick a new bit rate and frequency; VBR and CBR are both supported. If you have a lot of music to convert, there is a batch mode.
[ Note ] I am only a beginner doing this out of interest; if there are mistakes, I hope the veterans will point them out.
-----------------------------------------------------
[ Cracking process ]
-----------------------------------------
First run the program and try a fake registration. An error box appears: "Invalid register code! Please retry!". A check with PEiD shows the program is not packed: Borland Delphi 6.0 - 7.0. Lucky. Now for the main act: load it in OllyDbg and search for the error string "Invalid register code! Please retry!". It is referenced in four places. Double-click the topmost reference to land in the code below. Put a breakpoint (F2) on the first instruction of the routine, run (F9), enter a fake registration, and execution stops at the breakpoint, from where the rest can be stepped through.
00495918 |. 55            PUSH EBP                           ; F2 breakpoint here, then F9
00495919 |. 68 2B5B4900   PUSH HiFi_MP3.00495B2B
0049591E |. 64:FF30       PUSH DWORD PTR FS:[EAX]
00495921 |. 64:8920       MOV DWORD PTR FS:[EAX],ESP
00495924 |. B3 01         MOV BL,1                           ; BL=1 until the username matches a table entry
00495926 |. FF05 8CCD4A00 INC DWORD PTR DS:[4ACD8C]          ; attempt counter
0049592C |. 833D 8CCD4A00>CMP DWORD PTR DS:[4ACD8C],3
00495933 |. 7E 1D         JLE SHORT HiFi_MP3.00495952        ; up to 3 attempts: carry on
00495935 |. 6A 00         PUSH 0                             ; /Arg1 = 00000000
00495937 |. 66:8B0D 3C5B4>MOV CX,WORD PTR DS:[495B3C]        ; |
0049593E |. B2 02         MOV DL,2                           ; |
00495940 |. B8 485B4900   MOV EAX,HiFi_MP3.00495B48          ; |Invalid register code! Please retry!
00495945 |. E8 0AF6F9FF   CALL HiFi_MP3.00434F54             ; \HiFi_MP3.00434F54
0049594A |. 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
0049594D |. E8 BA79FEFF   CALL HiFi_MP3.0047D30C             ; 4th attempt: error box, then this call on the form
00495952 |> 8D55 F0       LEA EDX,DWORD PTR SS:[EBP-10]
00495955 |. 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00495958 |. 8B80 10030000 MOV EAX,DWORD PTR DS:[EAX+310]     ; username edit control
0049595E |. E8 41B2FCFF   CALL HiFi_MP3.00460BA4             ; fetch its text into [EBP-10]
00495963 |. 8B45 F0       MOV EAX,DWORD PTR SS:[EBP-10]      ; username -> EAX
00495966 |. 8D55 F8       LEA EDX,DWORD PTR SS:[EBP-8]
00495969 |. E8 DE2EF7FF   CALL HiFi_MP3.0040884C
0049596E |. 8D55 EC       LEA EDX,DWORD PTR SS:[EBP-14]
00495971 |. 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]       ; username -> EAX
00495974 |. E8 072FF7FF   CALL HiFi_MP3.00408880
00495979 |. 8B55 EC       MOV EDX,DWORD PTR SS:[EBP-14]      ; username -> EDX
0049597C |. 8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
0049597F |. E8 04E9F6FF   CALL HiFi_MP3.00404288             ; [EBP-8] now holds the processed username
00495984 |. BF 15000000   MOV EDI,15                         ; 15h = 21 table entries
00495989 |. BE C8A74A00   MOV ESI,HiFi_MP3.004AA7C8          ; table of string pointers, first entry "TDVDS6-MBN3"
0049598E |> 8B45 F8       /MOV EAX,DWORD PTR SS:[EBP-8]      ; our username -> EAX
00495991 |. 8B16          |MOV EDX,DWORD PTR DS:[ESI]        ; fixed username from the table -> EDX
00495993 |. E8 64ECF6FF   |CALL HiFi_MP3.004045FC            ; string compare of the two
00495998 |. 75 04         |JNZ SHORT HiFi_MP3.0049599E       ; not equal: next entry
0049599A |. 33DB          |XOR EBX,EBX                       ; equal: EBX=0
0049599C |. EB 06         |JMP SHORT HiFi_MP3.004959A4
0049599E |> 83C6 04       |ADD ESI,4                         ; next pointer
004959A1 |. 4F            |DEC EDI                           ; EDI-1
004959A2 |.^ 75 EA        \JNZ SHORT HiFi_MP3.0049598E       ; -------- compare loop --------
004959A4 |> 84DB          TEST BL,BL                         ; BL still 1 = no table entry matched
004959A6    74 1A         JE SHORT HiFi_MP3.004959C2         ; matched: go on to the code check
004959A8 |. 6A 00         PUSH 0                             ; /Arg1 = 00000000
004959AA |. 66:8B0D 3C5B4>MOV CX,WORD PTR DS:[495B3C]        ; |
004959B1 |. B2 02         MOV DL,2                           ; |
004959B3 |. B8 485B4900   MOV EAX,HiFi_MP3.00495B48          ; |Invalid register code! Please retry!
004959B8 |. E8 97F5F9FF   CALL HiFi_MP3.00434F54             ; \HiFi_MP3.00434F54
004959BD |. E9 2E010000   JMP HiFi_MP3.00495AF0
004959C2 |> 8D55 E8       LEA EDX,DWORD PTR SS:[EBP-18]
004959C5 |. 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
004959C8 |. 8B80 14030000 MOV EAX,DWORD PTR DS:[EAX+314]     ; registration code edit control
004959CE |. E8 D1B1FCFF   CALL HiFi_MP3.00460BA4             ; fetch its text into [EBP-18]
004959D3 |. 8B45 E8       MOV EAX,DWORD PTR SS:[EBP-18]      ; entered code -> EAX
004959D6 |. 8D55 F4       LEA EDX,DWORD PTR SS:[EBP-C]
004959D9 |. E8 6E2EF7FF   CALL HiFi_MP3.0040884C
004959DE |. 8D55 E4       LEA EDX,DWORD PTR SS:[EBP-1C]
004959E1 |. 8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]       ; entered code -> EAX
004959E4 |. E8 972EF7FF   CALL HiFi_MP3.00408880
004959E9 |. 8B55 E4       MOV EDX,DWORD PTR SS:[EBP-1C]      ; entered code -> EDX
004959EC |. 8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
004959EF |. E8 94E8F6FF   CALL HiFi_MP3.00404288             ; [EBP-C] now holds the processed code
004959F4 |. 837D F8 00    CMP DWORD PTR SS:[EBP-8],0         ; username empty (nil string)?
004959F8 |. 0F84 F2000000 JE HiFi_MP3.00495AF0               ; yes: leave silently
004959FE |. 837D F4 00    CMP DWORD PTR SS:[EBP-C],0         ; code empty?
00495A02 |. 0F84 E8000000 JE HiFi_MP3.00495AF0               ; yes: leave silently
00495A08 |. 8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]       ; entered code -> EAX
00495A0B |. E8 A0EAF6FF   CALL HiFi_MP3.004044B0             ; length of the code
00495A10 |. 85C0          TEST EAX,EAX                       ; anything to check?
00495A12 |. 7E 35         JLE SHORT HiFi_MP3.00495A49        ; length 0: skip the digit check
00495A14 |. BA 01000000   MOV EDX,1                          ; EDX=1 (1-based index)
00495A19 |> 8B4D F4       /MOV ECX,DWORD PTR SS:[EBP-C]      ; entered code -> ECX
00495A1C |. 0FB64C11 FF   |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; ASCII value of the next character
00495A21 |. 83F9 30       |CMP ECX,30                        ; below '0'?
00495A24 |. 7C 05         |JL SHORT HiFi_MP3.00495A2B        ; yes: error
00495A26 |. 83F9 39       |CMP ECX,39                        ; above '9'?
00495A29 |. 7E 1A         |JLE SHORT HiFi_MP3.00495A45       ; no: it is a digit, next character
00495A2B |> 6A 00         |PUSH 0                            ; /Arg1 = 00000000
00495A2D |. 66:8B0D 3C5B4>|MOV CX,WORD PTR DS:[495B3C]       ; |
00495A34 |. B2 02         |MOV DL,2                          ; |
00495A36 |. B8 485B4900   |MOV EAX,HiFi_MP3.00495B48         ; |Invalid register code! Please retry!
00495A3B |. E8 14F5F9FF   |CALL HiFi_MP3.00434F54            ; \HiFi_MP3.00434F54
00495A40 |. E9 AB000000   |JMP HiFi_MP3.00495AF0
00495A45 |> 42            |INC EDX                           ; EDX+1
00495A46 |. 48            |DEC EAX                           ; EAX-1
00495A47 |.^ 75 D0        \JNZ SHORT HiFi_MP3.00495A19       ; loop: the code must be all digits
00495A49 |> 33DB          XOR EBX,EBX                        ; EBX=0 (the sum)
00495A4B |. 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]       ; username -> EAX
00495A4E |. E8 5DEAF6FF   CALL HiFi_MP3.004044B0             ; length of the username
00495A53 |. 85C0          TEST EAX,EAX                       ; anything to sum?
00495A55 |. 7E 13         JLE SHORT HiFi_MP3.00495A6A        ; no: skip
00495A57 |. BF 01000000   MOV EDI,1                          ; EDI=1 (1-based index)
00495A5C |> 8B55 F8       /MOV EDX,DWORD PTR SS:[EBP-8]      ; username -> EDX
00495A5F |. 0FB6543A FF   |MOVZX EDX,BYTE PTR DS:[EDX+EDI-1] ; ASCII value of the next character
00495A64 |. 03DA          |ADD EBX,EDX                       ; EBX=EBX+EDX
00495A66 |. 47            |INC EDI                           ; EDI+1
00495A67 |. 48            |DEC EAX                           ; EAX-1
00495A68 |.^ 75 F2        \JNZ SHORT HiFi_MP3.00495A5C       ; loop: sum of the username's ASCII values
00495A6A |> 69C3 F38B0B00 IMUL EAX,EBX,0B8BF3                ; EAX = sum * 0B8BF3 (low 32 bits)
00495A70 |. 83C0 57       ADD EAX,57                         ; EAX+57
00495A73 |. D1F8          SAR EAX,1                          ; arithmetic shift right by one
00495A75 |. 79 03         JNS SHORT HiFi_MP3.00495A7A        ; not negative: done
00495A77 |. 83D0 00       ADC EAX,0                          ; negative: round toward zero (signed div 2)
00495A7A |> 8BD8          MOV EBX,EAX                        ; EBX = the true code
00495A7C |. 8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]       ; entered code -> EAX
00495A7F |. E8 8431F7FF   CALL HiFi_MP3.00408C08             ; key CALL, F7 to step in (StrToInt)
00495A84 |. 3BD8          CMP EBX,EAX                        ; true code vs entered code
00495A86 |. 75 53         JNZ SHORT HiFi_MP3.00495ADB        ; not equal: GAME OVER!
00495A88 |. 6A 00         PUSH 0                             ; /Arg1 = 00000000
00495A8A |. 66:8B0D 3C5B4>MOV CX,WORD PTR DS:[495B3C]        ; |
00495A91 |. B2 02         MOV DL,2                           ; |
00495A93 |. B8 785B4900   MOV EAX,HiFi_MP3.00495B78          ; |Congratuation! You have successfully registered!
00495A98 |. E8 B7F4F9FF   CALL HiFi_MP3.00434F54             ; \HiFi_MP3.00434F54
00495A9D |. A1 24AE4A00   MOV EAX,DWORD PTR DS:[4AAE24]
00495AA2 |. C600 01       MOV BYTE PTR DS:[EAX],1            ; registered flag = 1
00495AA5 |. A1 30AF4A00   MOV EAX,DWORD PTR DS:[4AAF30]
00495AAA |. 8B00          MOV EAX,DWORD PTR DS:[EAX]
00495AAC |. 33C9          XOR ECX,ECX
00495AAE |. BA 04000000   MOV EDX,4
00495AB3 |. 8B18          MOV EBX,DWORD PTR DS:[EAX]
00495AB5 |. FF53 14       CALL DWORD PTR DS:[EBX+14]
00495AB8 |. 8B15 24AE4A00 MOV EDX,DWORD PTR DS:[4AAE24]      ; HiFi_MP3.004ACDFB
00495ABE |. A1 30AF4A00   MOV EAX,DWORD PTR DS:[4AAF30]
00495AC3 |. 8B00          MOV EAX,DWORD PTR DS:[EAX]
00495AC5 |. B9 01000000   MOV ECX,1
00495ACA |. E8 1591F8FF   CALL HiFi_MP3.0041EBE4
00495ACF |. A1 88CD4A00   MOV EAX,DWORD PTR DS:[4ACD88]
00495AD4 |. E8 3378FEFF   CALL HiFi_MP3.0047D30C
00495AD9 |. EB 15         JMP SHORT HiFi_MP3.00495AF0
00495ADB |> 6A 00         PUSH 0                             ; /Arg1 = 00000000
00495ADD |. 66:8B0D 3C5B4>MOV CX,WORD PTR DS:[495B3C]        ; |
00495AE4 |. B2 02         MOV DL,2                           ; |
00495AE6 |. B8 485B4900   MOV EAX,HiFi_MP3.00495B48          ; |Invalid register code! Please retry!
00495AEB |. E8 64F4F9FF   CALL HiFi_MP3.00434F54             ; \HiFi_MP3.00434F54
00495AF0 |> 33C0          XOR EAX,EAX
00495AF2 |. 5A            POP EDX
00495AF3 |. 59            POP ECX
00495AF4 |. 59            POP ECX
00495AF5 |. 64:8910       MOV DWORD PTR FS:[EAX],EDX
00495AF8 |. 68 325B4900   PUSH HiFi_MP3.00495B32
00495AFD |> 8D45 E4       LEA EAX,DWORD PTR SS:[EBP-1C]
00495B00 |. E8 EBE6F6FF   CALL HiFi_MP3.004041F0
00495B05 |. 8D45 E8       LEA EAX,DWORD PTR SS:[EBP-18]
00495B08 |. E8 E3E6F6FF   CALL HiFi_MP3.004041F0
00495B0D |. 8D45 EC       LEA EAX,DWORD PTR SS:[EBP-14]
00495B10 |. E8 DBE6F6FF   CALL HiFi_MP3.004041F0
00495B15 |. 8D45 F0       LEA EAX,DWORD PTR SS:[EBP-10]
00495B18 |. E8 D3E6F6FF   CALL HiFi_MP3.004041F0
00495B1D |. 8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
00495B20 |. BA 02000000   MOV EDX,2
00495B25 |. E8 EAE6F6FF   CALL HiFi_MP3.00404214
00495B2A \. C3            RETN
Stepping into the first key CALL lands here. This is Delphi's StrToInt: it calls Val on the string and, if the error position Val returns is non-zero, raises a conversion error instead of returning.

00408C08 /$ 53            PUSH EBX                           ; save EBX
00408C09 |. 56            PUSH ESI                           ; save ESI
00408C0A |. 83C4 F4       ADD ESP,-0C                        ; 12 bytes of locals
00408C0D |. 8BD8          MOV EBX,EAX                        ; EBX = the entered code
00408C0F |. 8BD4          MOV EDX,ESP                        ; EDX -> error position (output)
00408C11 |. 8BC3          MOV EAX,EBX                        ; EAX = the entered code
00408C13 |. E8 BCA1FFFF   CALL HiFi_MP3.00402DD4             ; key CALL, F7 to step in (Val)
00408C18 |. 8BF0          MOV ESI,EAX                        ; ESI = converted value
00408C1A |. 833C24 00     CMP DWORD PTR SS:[ESP],0           ; error position, 0 here
00408C1E |. 74 19         JE SHORT HiFi_MP3.00408C39         ; 0 = conversion succeeded
00408C20 |. 895C24 04     MOV DWORD PTR SS:[ESP+4],EBX       ; otherwise build the message argument
00408C24 |. C64424 08 0B  MOV BYTE PTR SS:[ESP+8],0B
00408C29 |. 8D5424 04     LEA EDX,DWORD PTR SS:[ESP+4]
00408C2D |. A1 4CAD4A00   MOV EAX,DWORD PTR DS:[4AAD4C]
00408C32 |. 33C9          XOR ECX,ECX
00408C34 |. E8 CBF8FFFF   CALL HiFi_MP3.00408504             ; and raise the conversion error
00408C39 |> 8BC6          MOV EAX,ESI                        ; return the value
00408C3B |. 83C4 0C       ADD ESP,0C                         ; drop the locals
00408C3E |. 5E            POP ESI                            ; restore ESI
00408C3F |. 5B            POP EBX                            ; restore EBX
00408C40 \. C3            RETN
Stepping into the second key CALL lands here. This is the RTL's Val routine for integers (_ValLong): it skips leading blanks, handles a sign and the '$', 'x', 'X' and "0x" hex prefixes, and otherwise accumulates decimal digits with an overflow guard.

00402DD4 /$ 53            PUSH EBX
00402DD5 |. 56            PUSH ESI
00402DD6 |. 57            PUSH EDI
00402DD7 |. 89C6          MOV ESI,EAX                        ; ESI -> the entered code
00402DD9 |. 50            PUSH EAX                           ; keep the start pointer
00402DDA |. 85C0          TEST EAX,EAX                       ; nil string?
00402DDC |. 74 6C         JE SHORT HiFi_MP3.00402E4A         ; yes: error
00402DDE |. 31C0          XOR EAX,EAX                        ; accumulator = 0
00402DE0 |. 31DB          XOR EBX,EBX                        ; current digit = 0
00402DE2 |. BF CCCCCC0C   MOV EDI,0CCCCCCC                   ; MaxInt div 10, the overflow guard
00402DE7 |> 8A1E          /MOV BL,BYTE PTR DS:[ESI]          ; next byte of the code
00402DE9 |. 46            |INC ESI                           ; ESI+1
00402DEA |. 80FB 20       |CMP BL,20                         ; blank?
00402DED |.^ 74 F8        \JE SHORT HiFi_MP3.00402DE7        ; yes: skip it
00402DEF |. B5 00         MOV CH,0                           ; CH = sign flag, 0 = positive
00402DF1 |. 80FB 2D       CMP BL,2D                          ; '-'
00402DF4 |. 74 62         JE SHORT HiFi_MP3.00402E58
00402DF6 |. 80FB 2B       CMP BL,2B                          ; '+'
00402DF9 |. 74 5F         JE SHORT HiFi_MP3.00402E5A
00402DFB |> 80FB 24       CMP BL,24                          ; '$' hex prefix
00402DFE |. 74 5F         JE SHORT HiFi_MP3.00402E5F
00402E00 |. 80FB 78       CMP BL,78                          ; 'x' hex prefix
00402E03 |. 74 5A         JE SHORT HiFi_MP3.00402E5F
00402E05 |. 80FB 58       CMP BL,58                          ; 'X' hex prefix
00402E08 |. 74 55         JE SHORT HiFi_MP3.00402E5F
00402E0A |. 80FB 30       CMP BL,30                          ; '0': maybe a "0x" prefix
00402E0D |. 75 13         JNZ SHORT HiFi_MP3.00402E22
00402E0F |. 8A1E          MOV BL,BYTE PTR DS:[ESI]
00402E11 |. 46            INC ESI
00402E12 |. 80FB 78       CMP BL,78
00402E15 |. 74 48         JE SHORT HiFi_MP3.00402E5F
00402E17 |. 80FB 58       CMP BL,58
00402E1A |. 74 43         JE SHORT HiFi_MP3.00402E5F
00402E1C |. 84DB          TEST BL,BL
00402E1E |. 74 20         JE SHORT HiFi_MP3.00402E40         ; the string was just "0": done
00402E20 |. EB 04         JMP SHORT HiFi_MP3.00402E26
00402E22 |> 84DB          TEST BL,BL                         ; end of string before any digit?
00402E24 |. 74 2D         JE SHORT HiFi_MP3.00402E53         ; yes: error
00402E26 |> 80EB 30       /SUB BL,30                         ; byte - '0'
00402E29 |. 80FB 09       |CMP BL,9                          ; a digit?
00402E2C |. 77 25         |JA SHORT HiFi_MP3.00402E53        ; no: error
00402E2E |. 39F8          |CMP EAX,EDI                       ; accumulator vs 0CCCCCCC
00402E30 |. 77 21         |JA SHORT HiFi_MP3.00402E53        ; too large to take another digit: error
00402E32 |. 8D0480        |LEA EAX,DWORD PTR DS:[EAX+EAX*4]  ; EAX = EAX*5
00402E35 |. 01C0          |ADD EAX,EAX                       ; EAX = EAX*10
00402E37 |. 01D8          |ADD EAX,EBX                       ; EAX = EAX*10 + digit
00402E39 |. 8A1E          |MOV BL,BYTE PTR DS:[ESI]          ; next byte of the code
00402E3B |. 46            |INC ESI                           ; ESI+1
00402E3C |. 84DB          |TEST BL,BL                        ; terminating NUL?
00402E3E |.^ 75 E6        \JNZ SHORT HiFi_MP3.00402E26       ; no: loop, next digit
00402E40 |> FECD          DEC CH                             ; CH was 0: no minus sign
00402E42 |. 74 09         JE SHORT HiFi_MP3.00402E4D
00402E44 |. 85C0          TEST EAX,EAX                       ; result must be >= 0
00402E46 |. 7D 54         JGE SHORT HiFi_MP3.00402E9C        ; taken here: conversion finished
[ Summary ]
-----------------------------------------
The true code is computed from the username alone; the code you type in is only parsed and compared against it and never feeds into the computation. Stepping into the two CALLs was just to see what they do, and they turn out not to be part of the algorithm: 00408C08 is Delphi's StrToInt and 00402DD4 is the RTL's Val routine (_ValLong), which converts the digit string to an integer, using 0CCCCCCC (MaxInt div 10) as the overflow guard and checking the sign at the end; a non-zero error position makes 00408C08 raise a conversion error through 00408504. The true code is already sitting in EBX before the first CALL, so a breakpoint at 00495A84 and a glance at EBX is enough to read it off.

Three details in the listing matter before writing a keygen. First, the loop at 0049598E compares the username with each of the 15h = 21 string pointers in the table at 004AA7C8 (OllyDbg shows the first entry as "TDVDS6-MBN3"); BL is set to 1 at 00495924 and only cleared on a match, and 004959A4 sends everything else straight to the error box, so only a username that appears in that table ever reaches the code check. Second, the counter at 4ACD8C is incremented on every click, and once it is above 3 the handler shows the error box and calls 0047D30C on the form before doing anything else. Third, IMUL keeps only the low 32 bits of the product: once the byte sum reaches 2838 the product exceeds 7FFFFFFF and the result goes negative, while the digit check and the final sign check in _ValLong mean an accepted code can never be negative, so such usernames cannot be registered at all.
Algorithm summary:
1. Sum the ASCII values of the username's characters.
2. IMUL (multiply) the sum by 0B8BF3.
3. Add 57 to the result.
4. SAR the result by 1 (with the JNS/ADC fixup this is a signed division by 2, rounding toward zero).
5. That result written in decimal is the true code.
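The steps above, written out as a keygen together with an emulation of the button handler and of the digit path of _ValLong, so the edge cases in the listing (32-bit wraparound, the all-digits check, the MaxInt div 10 overflow guard, the silent return on empty fields) can be exercised without the debugger. This is an added example, not the author's code: the string helpers at 0040884C/00408880 are not emulated, and since only the first of the 21 table entries at 004AA7C8 is visible, the table is taken as an optional parameter and that step is skipped when none is given. The sample usernames at the bottom are constructed.

```python
"""Keygen and check-routine emulator for HiFi MP3 WMA Converter 3.00,
reconstructed from the OllyDbg listing (added example, not the author's code)."""
from typing import List, Optional

MASK32 = 0xFFFFFFFF
MULTIPLIER = 0x0B8BF3          # IMUL EAX,EBX,0B8BF3 at 00495A6A
ADDEND = 0x57                  # ADD EAX,57 at 00495A70
MAXINT_DIV_10 = 0x0CCCCCCC     # overflow guard loaded into EDI at 00402DE2


def to_signed32(v: int) -> int:
    """Reinterpret a value as the signed 32-bit register it would sit in."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def compute_code(username: str) -> int:
    """Value of EBX at 00495A7A, the number the entered code is compared with."""
    total = sum(username.encode("latin-1"))       # MOVZX byte loop at 00495A5C
    product = to_signed32(total * MULTIPLIER)     # IMUL keeps the low 32 bits only
    plus = to_signed32(product + ADDEND)
    # SAR EAX,1 / JNS / ADC EAX,0 is the compiler's signed "div 2":
    # floor for non-negative values, round toward zero for negative ones.
    half = plus >> 1
    if plus < 0:
        half += plus & 1
    return half


def true_code(username: str) -> Optional[str]:
    """Decimal string to type into the code box, or None when the 32-bit
    result went negative: the box only accepts '0'..'9' and _ValLong rejects
    anything above 7FFFFFFF, so no typed code can ever equal a negative EBX."""
    value = compute_code(username)
    return str(value) if value >= 0 else None


def val_long(code: str) -> Optional[int]:
    """Digit path of _ValLong (00402DD4). Blanks, signs and hex prefixes exist
    there too but never get past the digit check at 00495A19, so they are not
    emulated. None = error position set, which makes StrToInt raise."""
    value = 0
    for ch in code:
        if value > MAXINT_DIV_10:                  # CMP EAX,EDI / JA at 00402E2E
            return None
        value = (value * 10 + (ord(ch) - 0x30)) & MASK32   # EAX*10 + digit
    if value & 0x80000000:                         # TEST EAX,EAX / JGE at 00402E44
        return None
    return value


def check_registration(username: str, code: str,
                       table: Optional[List[str]] = None) -> str:
    """One click of the button handler at 00495918.
    `table` stands in for the 21 pointers at 004AA7C8 (only "TDVDS6-MBN3" is
    visible in the listing); None skips that step. Returns 'ok', 'invalid'
    (error box), 'convert_error' (exception from StrToInt) or 'silent'
    (the handler returns without any message)."""
    if table is not None and username not in table:   # 0049598E..004959A6
        return "invalid"
    if not username or not code:                      # 004959F4..00495A02
        return "silent"
    if not all("0" <= ch <= "9" for ch in code):      # 00495A19..00495A47
        return "invalid"
    entered = val_long(code)                          # CALL 00408C08
    if entered is None:
        return "convert_error"
    return "ok" if entered == compute_code(username) else "invalid"   # 00495A84


if __name__ == "__main__":
    for name in ("TDVDS6-MBN3", "A", "z" * 24):      # constructed sample inputs
        print(f"{name!r}: {true_code(name)}")
```

`"z" * 24` has a byte sum of 2928, enough to push the product past 7FFFFFFF, and comes back as None; with the table argument set to the one visible entry, any other username is rejected before the code is even read, exactly as the handler does it.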
-----------------------------------------------------
[ Copyright ] Copyright 絕戀de煩神. Please do not repost without my permission.
-----------------------------------------------------