MP3 Tag Clinic 2.7 Cracking Notes -- A Clean Patch

Posted: 2004/10/15 0:57:00   Source: compiled by this site   Author: 蓝点

Software: MP3 Tag Clinic 2.7 (collection management)
Compiled: 2003.3.16
Latest version: 2.7
File size: 2049KB
License: shareware
Platform: Win9x/Me/NT/2000/XP
Publisher: http://www.kevesoft.com/
Description: Point MP3 Tag Clinic at a folder and it collects the tag data of every MP3 file in that folder into a single table (artist, album, title, comment and so on), so you can browse and edit the tags of a single file or of a whole group of files.


Protection: ASProtect 1.23b + registration code
Limitation: 30 trial runs
Cracking tools: TRW2000 1.23 registered edition (with SuperBPM), W32Dasm 8.93 Gold Edition, FI 2.5, Import REConstructor 1.4.2+, fs0-loader
Date cracked: 2003-03-27
Author newlaos's statement: this is for study only; please do not use it commercially or distribute keygens made with the method in this article. I accept no responsibility for any consequences. My skill is limited: I could only find the patch point and had no way to find the key algorithm, so I ask the experts for pointers!

1. First inspect the main file "MP3TagClinic.exe" with FI 2.5: it is packed with ASProtect 1.23b, so it has to be unpacked manually.
a. Use the fs0_loader entry-point finder to locate the entry point. The tool reports that 4BE858 is the best place to dump, because at that point the file's section table is still intact. It then reports the entry point as 660A7C. Good, write both down.
b. Do a rough unpack with TRW2000: open SuperBPM and click Erase, load MP3TagClinic.exe in TRW, enter "g 4BE858", then run "pedump" to dump the program as DUMP1.EXE.
c. Start the original packed program. In Import REConstructor 1.4.2+, pick the MP3TagClinic.exe process in the "Attach to an Active Process" list, then enter the RVA 260A7C in the OEP field at the bottom (entry point 660A7C minus the image base 400000). Click IAT AutoSearch, then Get Imports, then Auto Trace, then Show Invalid. Right-click the invalid entries in the "Imported Functions Found" window, choose Trace Level1 (Disasm), and click Show Invalid again: some entries are now fixed. Right-click the remaining invalid entries, choose Trace Level2 (Hook), click Show Invalid again, and a few more are fixed. Do the same with Trace Level3 (Trap Flag), which fixes a few more. If some are still unresolved, right-click those addresses once more and choose Plugin Tracer (Asprotect 1.2X Emul); after Show Invalid every DLL should now show valid: Yes.
Then click Fix Dump, select the file you dumped with TRW2000's pedump, and the fully unpacked program is written as dump1_.exe. Exit and run it: success!

2. Disassemble the main program statically with W32Dasm 8.93 Gold Edition, then open String Data References and find "MP3 Tag Clinic v2.7 (UNREGISTERED)". For software that only validates the registration code after a restart, the best approach is to look for the unregistered string shown in the window title bar; double-click it to land in the code section below. That quickly locates the part that evaluates the registration.

3. Then trace dynamically with TRW2000 1.23 registered edition. Set a breakpoint with BPX 004BED3F (set it a little before the registration success/failure decision, so that the key part can be found), and first enter the dummy code 78787878.
.......
.......
:004BED3F 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:004BED45 E8626AF7FF call 004357AC
:004BED4A 8D55FC lea edx, dword ptr [ebp-04]
:004BED4D A148846600 mov eax, dword ptr [00668448]
:004BED52 8B00 mov eax, dword ptr [eax]
:004BED54 E8EF71F7FF call 00435F48 <=== Heh, this CALL produces the EAX that is needed below; press F8 to step into it.
:004BED59 8B45FC mov eax, dword ptr [ebp-04] <=== For this to be right, EAX must be "MP3 Tag Clinic v2.7" here, not "MP3 Tag Clinic v2.7 (UNREGISTERED)".

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7 (UNREGISTERED)"
|
:004BED5C BAC8F14B00 mov edx, 004BF1C8
:004BED61 E8EA53F4FF call 00404150 <=== Compares EAX with EDX to see whether this is unregistered mode.
:004BED66 7440 je 004BEDA8 <=== If they are equal it jumps away here, which means failure. Given the cases below, this is the right place to patch: changing 7440 to 9090 gives a clean patch.
:004BED68 8D55F8 lea edx, dword ptr [ebp-08]
:004BED6B A148846600 mov eax, dword ptr [00668448]
:004BED70 8B00 mov eax, dword ptr [eax]
:004BED72 E8D171F7FF call 00435F48
:004BED77 8B45F8 mov eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7 (registration "
->"pending)"
|
:004BED7A BAF4F14B00 mov edx, 004BF1F4
:004BED7F E8CC53F4FF call 00404150 <=== Compares EAX with EDX to see whether this is "registration pending" mode.
:004BED84 7422 je 004BEDA8 <=== If so, jump away!
:004BED86 8D55F4 lea edx, dword ptr [ebp-0C]
:004BED89 A148846600 mov eax, dword ptr [00668448]
:004BED8E 8B00 mov eax, dword ptr [eax]
:004BED90 E8B371F7FF call 00435F48
:004BED95 8B45F4 mov eax, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7 (DEBUG MODE)"
|
:004BED98 BA28F24B00 mov edx, 004BF228
:004BED9D E8AE53F4FF call 00404150 <=== Compares EAX with EDX to see whether this is debug mode.
:004BEDA2 0F856E010000 jne 004BEF16
<=== If it is none of the three modes above, this jumps to victory. Heh!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BED66(C), :004BED84(C)
|
:004BEDA8 8D55F0 lea edx, dword ptr [ebp-10]
<=== Any of the three modes ends up here, which means the user is not a registered user.
:004BEDAB A148846600 mov eax, dword ptr [00668448]
:004BEDB0 8B00 mov eax, dword ptr [eax]
:004BEDB2 E89171F7FF call 00435F48
:004BEDB7 8B45F0 mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7 (registration "
->"pending)"
|
:004BEDBA BAF4F14B00 mov edx, 004BF1F4
:004BEDBF E88C53F4FF call 00404150
:004BEDC4 0F84B7000000 je 004BEE81
:004BEDCA 8BC3 mov eax, ebx
:004BEDCC E8FF0A0000 call 004BF8D0
:004BEDD1 833D6871660000 cmp dword ptr [00667168], 00000000
:004BEDD8 7E37 jle 004BEE11
:004BEDDA 8D55E8 lea edx, dword ptr [ebp-18]
:004BEDDD A168716600 mov eax, dword ptr [00667168]
:004BEDE2 83E801 sub eax, 00000001
:004BEDE5 7105 jno 004BEDEC
:004BEDE7 E89041F4FF call 00402F7C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEDE5(C)
|
:004BEDEC E8DFA6F4FF call 004094D0
:004BEDF1 8B4DE8 mov ecx, dword ptr [ebp-18]
:004BEDF4 8D45EC lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"Trial runs remaining: "
|
:004BEDF7 BA54F24B00 mov edx, 004BF254
:004BEDFC E88B52F4FF call 0040408C
:004BEE01 8B55EC mov edx, dword ptr [ebp-14]
:004BEE04 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004BEE0A E86971F7FF call 00435F78
:004BEE0F EB51 jmp 004BEE62

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEDD8(C)
|
:004BEE11 8D55E4 lea edx, dword ptr [ebp-1C]
:004BEE14 A148846600 mov eax, dword ptr [00668448]
:004BEE19 8B00 mov eax, dword ptr [eax]
:004BEE1B E82871F7FF call 00435F48
:004BEE20 8B45E4 mov eax, dword ptr [ebp-1C]

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7 (DEBUG MODE)"
|
:004BEE23 BA28F24B00 mov edx, 004BF228
:004BEE28 E82353F4FF call 00404150
:004BEE2D 7512 jne 004BEE41

* Possible StringData Ref from Code Obj ->"- DEBUG MODE -"
|
:004BEE2F BA74F24B00 mov edx, 004BF274
:004BEE34 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004BEE3A E83971F7FF call 00435F78
:004BEE3F EB21 jmp 004BEE62

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEE2D(C)
|
:004BEE41 A148846600 mov eax, dword ptr [00668448]
:004BEE46 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7 (UNREGISTERED)"
|
:004BEE48 BAC8F14B00 mov edx, 004BF1C8
:004BEE4D E82671F7FF call 00435F78

* Possible StringData Ref from Code Obj ->"- UNREGISTERED -"
|
:004BEE52 BA8CF24B00 mov edx, 004BF28C
:004BEE57 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004BEE5D E81671F7FF call 00435F78

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BEE0F(U), :004BEE3F(U)
|
:004BEE62 BA0F000080 mov edx, 8000000F
:004BEE67 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:004BEE6D E8B642FFFF call 004B3128
:004BEE72 B201 mov dl, 01
:004BEE74 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:004BEE7A E8E16FF7FF call 00435E60
:004BEE7F EB66 jmp 004BEEE7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEDC4(C)
|

* Possible StringData Ref from Code Obj ->"registration pending"
|
:004BEE81 BAA8F24B00 mov edx, 004BF2A8
:004BEE86 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004BEE8C E8E770F7FF call 00435F78
:004BEE91 A148846600 mov eax, dword ptr [00668448]
:004BEE96 8B00 mov eax, dword ptr [eax]
:004BEE98 8B80FC020000 mov eax, dword ptr [eax+000002FC]
:004BEE9E 8B4028 mov eax, dword ptr [eax+28]
:004BEEA1 BA03000000 mov edx, 00000003
:004BEEA6 E8FD78F8FF call 004467A8
:004BEEAB 33D2 xor edx, edx
:004BEEAD E8F678F8FF call 004467A8
:004BEEB2 8B4024 mov eax, dword ptr [eax+24]

* Possible StringData Ref from Code Obj ->"Register"
|
:004BEEB5 BAC8F24B00 mov edx, 004BF2C8
:004BEEBA E89152F4FF call 00404150
:004BEEBF 7526 jne 004BEEE7
:004BEEC1 A148846600 mov eax, dword ptr [00668448]
:004BEEC6 8B00 mov eax, dword ptr [eax]
:004BEEC8 8B80FC020000 mov eax, dword ptr [eax+000002FC]
:004BEECE 8B4028 mov eax, dword ptr [eax+28]
:004BEED1 BA03000000 mov edx, 00000003
:004BEED6 E8CD78F8FF call 004467A8
:004BEEDB 33D2 xor edx, edx
:004BEEDD E8C678F8FF call 004467A8
:004BEEE2 E85541F4FF call 0040303C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BEE7F(U), :004BEEBF(C)
|
:004BEEE7 8D8304030000 lea eax, dword ptr [ebx+00000304]

* Possible StringData Ref from Code Obj ->"UNREGISTERED"
|
:004BEEED BADCF24B00 mov edx, 004BF2DC
:004BEEF2 E81D4FF4FF call 00403E14
:004BEEF7 33D2 xor edx, edx
:004BEEF9 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:004BEEFF E85C6FF7FF call 00435E60
:004BEF04 B201 mov dl, 01
:004BEF06 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004BEF0C E84F6FF7FF call 00435E60
:004BEF11 E963010000 jmp 004BF079

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEDA2(C) <=== This is where the key jump lands; look above.
|
:004BEF16 8D4DDC lea ecx, dword ptr [ebp-24]
:004BEF19 8B159C826600 mov edx, dword ptr [0066829C]
:004BEF1F 8B12 mov edx, dword ptr [edx]
:004BEF21 8BC3 mov eax, ebx
:004BEF23 E8300E0000 call 004BFD58
:004BEF28 8B4DDC mov ecx, dword ptr [ebp-24]
:004BEF2B 8D45E0 lea eax, dword ptr [ebp-20]

* Possible StringData Ref from Code Obj ->"Registered to: "
|
:004BEF2E BAF4F24B00 mov edx, 004BF2F4
:004BEF33 E85451F4FF call 0040408C
:004BEF38 8B55E0 mov edx, dword ptr [ebp-20]
:004BEF3B 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:004BEF41 E83270F7FF call 00435F78
:004BEF46 8D55D8 lea edx, dword ptr [ebp-28]
:004BEF49 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:004BEF4F E8F46FF7FF call 00435F48
:004BEF54 8B45D8 mov eax, dword ptr [ebp-28]

* Possible StringData Ref from Code Obj ->"Registered to: "
|
:004BEF57 BAF4F24B00 mov edx, 004BF2F4
:004BEF5C E8EF51F4FF call 00404150 <=== This does one more computation to validate the registration code.
:004BEF61 754C jne 004BEFAF <=== If it is correct it jumps away; if it does not jump, the code is reported as invalid.

* Possible StringData Ref from Code Obj ->"Registered to: Unknown"
|
:004BEF63 BA10F34B00 mov edx, 004BF310
:004BEF68 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:004BEF6E E80570F7FF call 00435F78
:004BEF73 A148846600 mov eax, dword ptr [00668448]
:004BEF78 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7 (UNKNOWN USER)"
|
:004BEF7A BA30F34B00 mov edx, 004BF330
:004BEF7F E8F46FF7FF call 00435F78
:004BEF84 8BC3 mov eax, ebx
:004BEF86 E845090000 call 004BF8D0
:004BEF8B 6A00 push 00000000
:004BEF8D 668B0D54F34B00 mov cx, word ptr [004BF354]
:004BEF94 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"User unknown; this program must "
->"be reinstalled."
|
:004BEF96 B860F34B00 mov eax, 004BF360
:004BEF9B E8FCCCF9FF call 0045BC9C
:004BEFA0 A1C09D6600 mov eax, dword ptr [00669DC0]
:004BEFA5 E88221F9FF call 0045112C
:004BEFAA E9B8010000 jmp 004BF167 <=== The program has decided the registration is invalid, asks for a reinstall, and jumps away from here.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEF61(C) <=== The correct path jumps here; look above.
|
:004BEFAF 33D2 xor edx, edx
:004BEFB1 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:004BEFB7 E8A46EF7FF call 00435E60
:004BEFBC 33D2 xor edx, edx
:004BEFBE 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004BEFC4 E8976EF7FF call 00435E60
:004BEFC9 8B93D0020000 mov edx, dword ptr [ebx+000002D0]
:004BEFCF 8B5238 mov edx, dword ptr [edx+38]
:004BEFD2 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004BEFD8 2B5038 sub edx, dword ptr [eax+38]
:004BEFDB 7105 jno 004BEFE2
:004BEFDD E89A3FF4FF call 00402F7C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEFDB(C)
|
:004BEFE2 D1FA sar edx, 1
:004BEFE4 7903 jns 004BEFE9
:004BEFE6 83D200 adc edx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BEFE4(C)
|
:004BEFE9 E87A67F7FF call 00435768
:004BEFEE 8D8304030000 lea eax, dword ptr [ebx+00000304]

* Possible StringData Ref from Code Obj ->"- REGISTERED -"
|
:004BEFF4 BA98F34B00 mov edx, 004BF398
:004BEFF9 E8164EF4FF call 00403E14

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7"
|
:004BEFFE BAB0F34B00 mov edx, 004BF3B0
:004BF003 A1C09D6600 mov eax, dword ptr [00669DC0]
:004BF008 E86B6FF7FF call 00435F78
:004BF00D A148846600 mov eax, dword ptr [00668448]
:004BF012 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"MP3 Tag Clinic v2.7"
|
:004BF014 BAB0F34B00 mov edx, 004BF3B0
:004BF019 E85A6FF7FF call 00435F78
:004BF01E 8D45D4 lea eax, dword ptr [ebp-2C]
.......
.......
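The branch operands in the listing above are absolute addresses that W32Dasm computed from the relative displacements in the raw bytes: 74 40 is a short je with an 8-bit displacement of +0x40, and 0F 85 6E 01 00 00 is a near jne with a 32-bit displacement, both measured from the end of the branch instruction. The following Python script is an added example and not part of the original article: it parses lines in this listing's format, re-derives each branch target from the bytes, and checks it against the address W32Dasm printed, using a handful of branch lines copied from the listing as its constructed sample.

```python
import re

# Constructed sample: branch lines copied in the shape of the W32Dasm listing
LISTING = """\
:004BED66 7440 je 004BEDA8
:004BED84 7422 je 004BEDA8
:004BEDA2 0F856E010000 jne 004BEF16
:004BEDD8 7E37 jle 004BEE11
:004BEDE5 7105 jno 004BEDEC
:004BEE0F EB51 jmp 004BEE62
:004BEF61 754C jne 004BEFAF
:004BEFAA E9B8010000 jmp 004BF167
"""

# ":<addr> <hex bytes> <mnemonic> <target>" as W32Dasm prints a branch line
LINE_RE = re.compile(r"^:([0-9A-F]{8}) ([0-9A-F]+) (\w+) ([0-9A-F]{8})$")


def decode_branch_target(addr, opcode_hex):
    """Absolute target of a relative branch whose first byte sits at addr.

    The displacement is relative to the address of the *next* instruction,
    i.e. addr + length of the branch encoding.
    """
    b = bytes.fromhex(opcode_hex)
    if b[0] == 0xEB or 0x70 <= b[0] <= 0x7F:          # jmp/jcc rel8
        disp = int.from_bytes(b[1:2], "little", signed=True)
    elif b[0] == 0xE9:                                 # jmp rel32
        disp = int.from_bytes(b[1:5], "little", signed=True)
    elif b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:        # jcc rel32
        disp = int.from_bytes(b[2:6], "little", signed=True)
    else:
        raise ValueError("not a relative branch: " + opcode_hex)
    return (addr + len(b) + disp) & 0xFFFFFFFF


def check_listing(text):
    """Map branch address -> (target printed by W32Dasm, target decoded from bytes)."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # not a branch line
        addr, raw, _mnemonic, listed = m.groups()
        addr = int(addr, 16)
        results[addr] = (int(listed, 16), decode_branch_target(addr, raw))
    return results


if __name__ == "__main__":
    for addr, (listed, decoded) in check_listing(LISTING).items():
        status = "ok" if listed == decoded else "MISMATCH"
        print(f"{addr:08X} -> listed {listed:08X}, decoded {decoded:08X} {status}")
```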

4. The registration information is stored in the registry:
[HKEY_CURRENT_USER\Software\MP3TagClinic\Options]
"Key"="newlaos is trying his best to study cracking"

[HKEY_LOCAL_MACHINE\Software\MP3TagClinic\MP3 Tag Clinic v2.7\2.7.0.3]
"Name"="newlaos"
"Company"="newlaos.com"
