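Algorithm Analysis: 录音专家 V1.0
Download: http://www.skycn.com/soft/10643.html
Size: 955 KB
Language: Simplified Chinese
Category: Chinese-made software / Shareware / Audio processing
Platform: Win9x/NT/2000/XP
Date added: 2003-02-01 00:33:07
Downloads: 2253
Rating: * * *
Developer: http://www.lanysoft.com/
【Software description】: Saves your voice to the hard disk and converts it directly to MP3 format, extremely fast; the best choice for recording. Advantages: it is fast and spares you the trouble of converting wav to mp3. If you want to send your voice over the network to a faraway friend, this is also the best choice.
【Software limitation】: 20-day trial
【Author's statement】: I am new to cracking and am only interested in it; there is no other purpose. Corrections from the experts for any mistakes are welcome!
【Tools】: TRW2000 (娃娃 modified edition), RegMon, W32Dasm 8.93 Gold edition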
—————————————————————————————
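【Process】:
录音专家1.0.exe is not packed. Written in DELPHI. Heh, the kind we newbies like.
Machine code: 7DX0WFAY
Trial code: 13572468
The software validates the registration at restart. Monitoring its startup with RegMon reveals, heh, the trail it leaves in the registry.
So search the disassembly for: Passwd. There are 2 hits, and the one at 00471BEC is the place we need!
Load the program in TRW, first set the breakpoint BPX 471BEC, press F5 to return, and it breaks!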
—————————————————————————————
* Possible StringData Ref from Code Obj ->"Passwd"
:00471BEC BA381E4700 mov edx, 00471E38
====>We are here!
:00471BF1 A15C5C4700 mov eax, dword ptr [00475C5C]
…… …… omitted …… ……
Step with F10 and, heh, we quickly reach the core!
:00471C9C 8D55E4 lea edx, dword ptr [ebp-1C]
:00471C9F A14C5C4700 mov eax, dword ptr [00475C4C]
====>D EAX=7DX0WFAY
:00471CA4 E883FAFFFF call 0047172C
====>The algorithm CALL! F8 to step in!
:00471CA9 8B55E4 mov edx, dword ptr [ebp-1C]
====>The final result of the computation goes into EDX
====>D EDX=1093-1732-1694-1235-
:00471CAC B86C5C4700 mov eax, 00475C6C
:00471CB1 E82A29F9FF call 004045E0
:00471CB6 8B15645C4700 mov edx, dword ptr [00475C64]
:00471CBC A16C5C4700 mov eax, dword ptr [00475C6C]
:00471CC1 E80E66F9FF call 004082D4
:00471CC6 A3705C4700 mov dword ptr [00475C70], eax
:00471CCB 833D685C470000 cmp dword ptr [00475C68], 00000000
:00471CD2 7410 je 00471CE4
--------------------------------------------------------
F8 into the algorithm CALL: 00471CA4 call 0047172C
* Referenced by a CALL at Addresses:
|:00471CA4 , :00472913 , :0047298D
|
:0047172C 55 push ebp
:0047172D 8BEC mov ebp, esp
:0047172F 33C9 xor ecx, ecx
:00471731 51 push ecx
:00471732 51 push ecx
:00471733 51 push ecx
:00471734 51 push ecx
:00471735 53 push ebx
:00471736 56 push esi
:00471737 57 push edi
:00471738 8BFA mov edi, edx
:0047173A 8945FC mov dword ptr [ebp-04], eax
:0047173D 8B45FC mov eax, dword ptr [ebp-04]
:00471740 E8F732F9FF call 00404A3C
:00471745 33C0 xor eax, eax
:00471747 55 push ebp
:00471748 6824184700 push 00471824
:0047174D 64FF30 push dword ptr fs:[eax]
:00471750 648920 mov dword ptr fs:[eax], esp
:00471753 8D45F8 lea eax, dword ptr [ebp-08]
:00471756 E8312EF9FF call 0040458C
:0047175B 8B45FC mov eax, dword ptr [ebp-04]
:0047175E E8E930F9FF call 0040484C
:00471763 8BF0 mov esi, eax
:00471765 85F6 test esi, esi
:00471767 7E5B jle 004717C4
:00471769 BB01000000 mov ebx, 00000001
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Heh, the loop begins! It runs once for each character of the machine code!
Note: 1, 2, 3, ... denote the iteration number!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004717C2(C)
|
:0047176E 8BC3 mov eax, ebx
:00471770 2501000080 and eax, 80000001
:00471775 7905 jns 0047177C
:00471777 48 dec eax
:00471778 83C8FE or eax, FFFFFFFE
:0047177B 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471775(C)
|
:0047177C 85C0 test eax, eax
:0047177E 7521 jne 004717A1
:00471780 8D55F4 lea edx, dword ptr [ebp-0C]
:00471783 8B45FC mov eax, dword ptr [ebp-04]
====>7DX0WFAY goes into EAX
:00471786 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
====>Fetch a character from 7DX0WFAY!
====>2. EAX=44
====>4. EAX=30
====>6. EAX=46
====>8. EAX=59
:0047178B D1E8 shr eax, 1
====>Shift EAX right by 1 bit!
====>2. EAX=22
====>4. EAX=18
====>6. EAX=23
====>8. EAX=2C
:0047178D 03C3 add eax, ebx
====>2. EAX=22+2=24
====>4. EAX=18+4=1C
====>6. EAX=23+6=29
====>8. EAX=2C+8=34
:0047178F E8306FF9FF call 004086C4
====>F8 to step in! Call this CALL 1!
:00471794 8B55F4 mov edx, dword ptr [ebp-0C]
:00471797 8D45F8 lea eax, dword ptr [ebp-08]
:0047179A E8B530F9FF call 00404854
:0047179F EB1F jmp 004717C0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047177E(C)
|
:004717A1 8D55F0 lea edx, dword ptr [ebp-10]
:004717A4 8B45FC mov eax, dword ptr [ebp-04]
====>7DX0WFAY goes into EAX
:004717A7 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
====>Fetch a character from 7DX0WFAY!
====>1. EAX=37
====>3. EAX=58
====>5. EAX=57
====>7. EAX=41
:004717AC 03C0 add eax, eax
====>1. EAX=37+37=6E
====>3. EAX=58+58=B0
====>5. EAX=57+57=AE
====>7. EAX=41+41=82
:004717AE 2BC3 sub eax, ebx
====>1. EAX=6E-1=6D
====>3. EAX=B0-3=AD
====>5. EAX=AE-5=A9
====>7. EAX=82-7=7B
:004717B0 E80F6FF9FF call 004086C4
====>F8 to step in! Call this CALL 2!
:004717B5 8B55F0 mov edx, dword ptr [ebp-10]
:004717B8 8D45F8 lea eax, dword ptr [ebp-08]
:004717BB E89430F9FF call 00404854
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047179F(U)
|
:004717C0 43 inc ebx
====>EBX is incremented by one each pass and serves as the counter
:004717C1 4E dec esi
:004717C2 75AA jne 0047176E
====>Loop again?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471767(C)
|
:004717C4 8B45F8 mov eax, dword ptr [ebp-08]
====>The result goes into EAX!
At the end of the loop EAX=10936173281694112352
:004717C7 E88030F9FF call 0040484C
:004717CC 8BF0 mov esi, eax
:004717CE 85F6 test esi, esi
:004717D0 7E24 jle 004717F6
:004717D2 BB01000000 mov ebx, 00000001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The small loop below takes the string 10936173281694112352 obtained above
and replaces every fifth character with -
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004717F4(C)
|
:004717D7 8BC3 mov eax, ebx
:004717D9 B905000000 mov ecx, 00000005
:004717DE 99 cdq
:004717DF F7F9 idiv ecx
:004717E1 85D2 test edx, edx
:004717E3 750D jne 004717F2
:004717E5 8D45F8 lea eax, dword ptr [ebp-08]
:004717E8 E8B732F9FF call 00404AA4
:004717ED C64418FF2D mov [eax+ebx-01], 2D
====>Write 2D, that is, -
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004717E3(C)
|
:004717F2 43 inc ebx
:004717F3 4E dec esi
:004717F4 75E1 jne 004717D7
10936173281694112352====>1093-1732-1694-1235- Heh, the real code!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004717D0(C)
|
:004717F6 57 push edi
:004717F7 B918000000 mov ecx, 00000018
:004717FC BA01000000 mov edx, 00000001
:00471801 8B45F8 mov eax, dword ptr [ebp-08]
====>D EAX=1093-1732-1694-1235-
:00471804 E8A332F9FF call 00404AAC
:00471809 33C0 xor eax, eax
:0047180B 5A pop edx
:0047180C 59 pop ecx
:0047180D 59 pop ecx
:0047180E 648910 mov dword ptr fs:[eax], edx
:00471811 682B184700 push 0047182B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471829(U)
|
:00471816 8D45F0 lea eax, dword ptr [ebp-10]
:00471819 BA04000000 mov edx, 00000004
:0047181E E88D2DF9FF call 004045B0
:00471823 C3 ret
—————————————————————————————
F8 into CALL 1: 0047178F call 004086C4
F8 into CALL 2: 004717B0 call 004086C4
:004086C4 56 push esi
:004086C5 89E6 mov esi, esp
:004086C7 83EC10 sub esp, 00000010
:004086CA 31C9 xor ecx, ecx
:004086CC 52 push edx
:004086CD 31D2 xor edx, edx
:004086CF E8A4FFFFFF call 00408678
====>F8 to step in!
:004086D4 89F2 mov edx, esi
:004086D6 58 pop eax
:004086D7 E8A0BFFFFF call 0040467C
:004086DC 83C410 add esp, 00000010
:004086DF 5E pop esi
:004086E0 C3 ret
——————————————————————————————
F8 into: 004086CF call 00408678
:00408678 08C9 or cl, cl
:0040867A 7517 jne 00408693
:0040867C 09C0 or eax, eax
:0040867E 790E jns 0040868E
:00408680 F7D8 neg eax
:00408682 E807000000 call 0040868E
====>F8 to step in!
:00408687 B02D mov al, 2D
:00408689 41 inc ecx
:0040868A 4E dec esi
:0040868B 8806 mov byte ptr [esi], al
:0040868D C3 ret
———————————————————————————
F8 into 00408682 call 0040868E
* Referenced by a CALL at Address:
|:00408682
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040867E(C)
|
:0040868E B90A000000 mov ecx, 0000000A
====>A goes into ECX!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040867A(C)
|
:00408693 52 push edx
:00408694 56 push esi
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Repeatedly divide EAX and take the remainder, until EAX can no longer be divided!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004086A9(C)
|
:00408695 31D2 xor edx, edx
:00408697 F7F1 div ecx
====>The value in EAX is repeatedly taken modulo A!
====>1. EAX=6D % A
====>2. EAX=24 % A
====>3. EAX=AD % A
====>4. EAX=1C % A
====>5. EAX=A9 % A
====>6. EAX=29 % A
====>7. EAX=7B % A
====>8. EAX=34 % A
:00408699 4E dec esi
:0040869A 80C230 add dl, 30
====>Remainder + 30
:0040869D 80FA3A cmp dl, 3A
====>Jump if the remainder is below 3A
:004086A0 7203 jb 004086A5
:004086A2 80C207 add dl, 07
====>Otherwise add 7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004086A0(C)
|
:004086A5 8816 mov byte ptr [esi], dl
====>After the loop the remainders are stored at [ESI]
====>1. D ESI=109
====>2. D ESI=36
====>3. D ESI=173
====>4. D ESI=28
====>5. D ESI=169
====>6. D ESI=41
====>7. D ESI=123
====>8. D ESI=52
:004086A7 09C0 or eax, eax
:004086A9 75EA jne 00408695
====>Continue the loop?
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
—————————————————————————————
【KeyMake memory keygen】:
Breakpoint address: 471CA9
Break count: 1
First byte: 8B
Instruction length: 3
Memory mode: EBP
Offset: -1C
Pointer level: 1
—————————————————————————————
【Other breakpoints】:
Without restarting the software, the registration code is easy to see:
:00472913 E814EEFFFF call 0047172C
====>The algorithm CALL!
:00472918 8B55F4 mov edx, dword ptr [ebp-0C]
====>After this, D EDX=the real code!
:0047291B 58 pop eax
:0047291C E87720F9FF call 00404998
====>The compare CALL!
Of course a memory keygen can also be set up here!
:00472921 740F je 00472932
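====>If it does not jump, it's OVER!
When patching, change this location. Or use R FL Z and, heh, the real code is automatically saved in the registry!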
* Possible StringData Ref from Code Obj ->"注册码输入错误,请检查!"
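The traces above show the client computing the complete valid code from the machine code in its own memory (readable at 00471CA9 and 00472918) before comparing it. As a defender-side contrast, an added example that is not from the original post or the vendor: a check that only verifies a vendor signature over the machine code with an embedded public key, so the expected value never exists in client memory. The function names, the base32 license encoding and the demo seed are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// Unpadded base32 keeps the license typeable (assumed encoding).
var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// DemoKeys derives a fixed key pair from a constructed seed so the example is
// reproducible. In a real deployment the private key never leaves the vendor.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// IssueLicense runs on the vendor side only: it signs the machine code.
func IssueLicense(priv ed25519.PrivateKey, machineCode string) string {
	return enc.EncodeToString(ed25519.Sign(priv, []byte(machineCode)))
}

// VerifyLicense is the only logic shipped in the client. It holds the public
// key alone, so it can check a license but cannot derive one.
func VerifyLicense(pub ed25519.PublicKey, machineCode, license string) error {
	sig, err := enc.DecodeString(strings.ToUpper(strings.TrimSpace(license)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed license")
	}
	if !ed25519.Verify(pub, []byte(machineCode), sig) {
		return errors.New("signature does not match this machine code")
	}
	return nil
}

func main() {
	pub, priv := DemoKeys()
	lic := IssueLicense(priv, "7DX0WFAY") // machine code taken from the post
	fmt.Println("issued for 7DX0WFAY:", VerifyLicense(pub, "7DX0WFAY", lic) == nil)
	fmt.Println("other machine:", VerifyLicense(pub, "7DX0WFAZ", lic))
}
```

Verification removes the recoverable value from the client; it does not by itself address the branch at 00472921 that the post mentions changing, which is a separate integrity problem.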
—————————————————————————————
【Where the registration info is stored】:
[HKEY_LOCAL_MACHINE\Software\蓝拟软件\录音专家]
"Passwd"="1093-1732-1694-1235-"
"UsrName"="7DX0WFAY"
—————————————————————————————
【Summary】:
Machine code: 7DX0WFAY
Registration code: 1093-1732-1694-1235-
—————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-2-16 23:56