文章标题: 天天音频转换专家贵宾版V5.61算法分析
破解作者: 云枫
作者邮箱: jfsc2004@163.com
破解工具: PEID,OD
破解声明: 初学CrAck,偶的一点心得,跟大家分享^_^
软件介绍: 『天天音频转换专家』是一款专业的音频转换工具。 支持MP2, MP3, AAC, AC3, WMA, OGG, AMR, WAV( PCM, DSP, GSM, ADPCM
), G721, G723, G726, G729, VOX, ALAW, ULAW等常见的音频格式之间的转换。 可以批量转换文件而不必理会它们的源文件格式和目标文件格
式。 内置播放器支持多种格式的播放功能。
-------------------------------------------------------------------------------------------
[破解过程]
PEiD查壳为Microsoft Visual Basic 5.0 / 6.0
分析知道注册信息放在安装目录\tt.ini文件中,OD载入查找字符来到这里
[system]
user=yunfeng //用户名
pass=78787878 //我输入的假码
004124EA . 68 50514000 PUSH tt.00405150 ; UNICODE "\tt.ini"
004124EF . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
004124F5 . 8BD0 MOV EDX,EAX
004124F7 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004124FA . FF15 7C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00412500 . 8B1D 34114000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCopy
00412506 . 8BD0 MOV EDX,EAX
00412508 . 8D4E 68 LEA ECX,DWORD PTR DS:[ESI+68]
0041250B . FFD3 CALL EBX ; <&MSVBVM60.__vbaStrCopy>
0041250D . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00412510 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00412513 . 50 PUSH EAX
00412514 . 51 PUSH ECX
00412515 . 6A 02 PUSH 2
00412517 . FF15 3C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0041251D . 83C4 0C ADD ESP,0C
00412520 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00412523 . FF15 A8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00412529 . BA 7C514000 MOV EDX,tt.0040517C ; UNICODE "user"
0041252E . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00412531 . C745 AC 640000>MOV DWORD PTR SS:[EBP-54],64
00412538 . FFD3 CALL EBX
0041253A . BA 68514000 MOV EDX,tt.00405168 ; UNICODE "system"
0041253F . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
```省略部分代码```
0041256F > 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] ; //用户名feng出来
00412572 . 8D4E 60 LEA ECX,DWORD PTR DS:[ESI+60]
00412575 . FFD3 CALL EBX
00412577 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0041257A . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0041257D . 52 PUSH EDX
0041257E . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00412581 . 50 PUSH EAX
00412582 . 51 PUSH ECX
00412583 . 6A 03 PUSH 3
00412585 . FF15 3C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0041258B . 83C4 10 ADD ESP,10
0041258E . BA 8C514000 MOV EDX,tt.0040518C ; UNICODE "pass"
00412593 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00412596 . C745 AC 640000>MOV DWORD PTR SS:[EBP-54],64
0041259D . FFD3 CALL EBX
0041259F . BA 68514000 MOV EDX,tt.00405168 ; UNICODE "system"
004125A4 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
```省略部分代码```
004125D1 . 50 PUSH EAX
004125D2 . FFD7 CALL EDI
004125D4 > 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] ; //假码78787878出来
004125D7 . 8D4E 64 LEA ECX,DWORD PTR DS:[ESI+64]
004125DA . FFD3 CALL EBX
004125DC . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004125DF . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004125E2 . 52 PUSH EDX
004125E3 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004125E6 . 50 PUSH EAX
004125E7 . 51 PUSH ECX
004125E8 . 6A 03 PUSH 3
004125EA . FF15 3C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
004125F0 . 8B4E 60 MOV ECX,DWORD PTR DS:[ESI+60]
004125F3 . 8B16 MOV EDX,DWORD PTR DS:[ESI]
004125F5 . 83C4 10 ADD ESP,10
004125F8 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004125FB . 50 PUSH EAX
004125FC . 51 PUSH ECX
004125FD . 68 9C514000 PUSH tt.0040519C ; UNICODE "123456"
00412602 . 56 PUSH ESI
00412603 . FF92 68070000 CALL DWORD PTR DS:[EDX+768] ; //算法CALL,跟进
00412609 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; //出来真码
0041260C . 8B46 64 MOV EAX,DWORD PTR DS:[ESI+64] ; //出来假码
0041260F . 52 PUSH EDX
00412610 . 50 PUSH EAX
00412611 . FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp ; //比较,可做内存注册
00412617 . 85C0 TEST EAX,EAX
00412619 . 0F84 33020000 JE tt.00412852 ; //跳则OVER
-------------------------------------------------------------------------------------------
************** 跟进算法CALL DWORD PTR DS:[EDX+768] 来到这里 **************
00411A60 > 55 PUSH EBP
00411A61 . 8BEC MOV EBP,ESP
00411A63 . 83EC 08 SUB ESP,8
00411A66 . 68 B6174000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00411A6B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00411A71 . 50 PUSH EAX
00411A72 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00411A79 . 83EC 4C SUB ESP,4C
00411A7C . 53 PUSH EBX
00411A7D . 56 PUSH ESI
00411A7E . 57 PUSH EDI
00411A7F . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
00411A82 . C745 FC B81140>MOV DWORD PTR SS:[EBP-4],tt.004011B8
00411A89 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00411A8C . 8B35 34114000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCopy
00411A92 . 33C0 XOR EAX,EAX
00411A94 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00411A97 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00411A9A . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00411A9D . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00411AA0 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00411AA3 . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
00411AA6 . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00411AA9 . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
00411AAC . FFD6 CALL ESI ; <&MSVBVM60.__vbaStrCopy>
00411AAE . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10] ; (UNICODE "yunfeng")
00411AB1 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00411AB4 . FFD6 CALL ESI
00411AB6 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00411AB9 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
00411ABC . 52 PUSH EDX
00411ABD . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; (UNICODE "123456")
00411AC0 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
00411AC2 . 52 PUSH EDX
00411AC3 . 50 PUSH EAX
00411AC4 . FF91 70070000 CALL DWORD PTR DS:[ECX+770]
00411ACA . 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; //跟进去知道根据字符123456运算得到一个值
00411ACD . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C] ; //得到1B8FF08存入EAX
00411AD0 . 51 PUSH ECX
00411AD1 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; [ebp-1c] <- eax=1B8FF08=十进制28901128
00411AD4 . C745 CC FFFFFF>MOV DWORD PTR SS:[EBP-34],-1
00411ADB . C745 C4 020000>MOV DWORD PTR SS:[EBP-3C],2
00411AE2 . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.#593>] ; MSVBVM60.rtcRandomNext
00411AE8 . 8B1D 1C104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar
00411AEE . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00411AF1 . D95D B0 FSTP DWORD PTR SS:[EBP-50] ; //相当于Rnd(-1)=ST=0.2240070104598999024
00411AF4 . FFD3 CALL EBX ; <&MSVBVM60.__vbaFreeVar>
00411AF6 . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
00411AF9 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00411AFC . 50 PUSH EAX
00411AFD . 8955 BC MOV DWORD PTR SS:[EBP-44],EDX
00411B00 . C745 B4 034000>MOV DWORD PTR SS:[EBP-4C],4003
00411B07 . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.#594>] ; MSVBVM60.rtcRandomize
00411B0D . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; (UNICODE "yunfeng")
00411B10 . 51 PUSH ECX
00411B11 . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr //获取用户名长度
00411B17 . 8BC8 MOV ECX,EAX
00411B19 . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
00411B1F . 8B3D 7C114000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
00411B25 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00411B28 . B8 01000000 MOV EAX,1
00411B2D . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00411B30 > 66:3B45 E0 CMP AX,WORD PTR SS:[EBP-20]
00411B34 . 0F8F 00010000 JG tt.00411C3A
00411B3A . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; (UNICODE "yunfeng")
00411B3D . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00411B40 . 0FBFC0 MOVSX EAX,AX
00411B43 . 52 PUSH EDX
00411B44 . 50 PUSH EAX
00411B45 . 51 PUSH ECX
00411B46 . C745 CC 010000>MOV DWORD PTR SS:[EBP-34],1
00411B4D . C745 C4 020000>MOV DWORD PTR SS:[EBP-3C],2
00411B54 . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
00411B5A . 8BD0 MOV EDX,EAX
00411B5C . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00411B5F . FFD7 CALL EDI
00411B61 . 50 PUSH EAX
00411B62 . FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00411B68 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00411B6B . 8BF0 MOV ESI,EAX ; // 转为ASCII码->esi
00411B6D . FF15 A4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00411B73 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00411B76 . FFD3 CALL EBX
00411B78 . 66:83FE 20 CMP SI,20 ; //小于20则跳到下面
00411B7C . 0F8C A5000000 JL tt.00411C27
00411B82 . 66:83FE 7E CMP SI,7E ; //大于7E则跳到下面
00411B86 . 0F8F 9B000000 JG tt.00411C27 ; //即32至126 标准ASCII范围
00411B8C . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00411B8F . 66:83EE 20 SUB SI,20 减20
00411B93 . 52 PUSH EDX
00411B94 . C745 CC 040002>MOV DWORD PTR SS:[EBP-34],80020004
00411B9B . 0F80 DF000000 JO tt.00411C80
00411BA1 . C745 C4 0A0000>MOV DWORD PTR SS:[EBP-3C],0A
00411BA8 . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.#593>] ; MSVBVM60.rtcRandomNext ; //随机数 Rnd(10)
00411BAE . D95D B0 FSTP DWORD PTR SS:[EBP-50] ; //随机数=0.8342925
00411BB1 . D945 B0 FLD DWORD PTR SS:[EBP-50] ; *96.0000
00411BB4 . D80D B0114000 FMUL DWORD PTR DS:[4011B0]
00411BBA . DFE0 FSTSW AX
00411BBC . A8 0D TEST AL,0D
00411BBE . 0F85 B7000000 JNZ tt.00411C7B
00411BC4 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Int>; MSVBVM60.__vbaR8IntI4
00411BCA . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00411BCD . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00411BD0 . FFD3 CALL EBX
00411BD2 . 0FBFC6 MOVSX EAX,SI
00411BD5 . 8B75 E4 MOV ESI,DWORD PTR SS:[EBP-1C]
00411BD8 . B9 5F000000 MOV ECX,5F
00411BDD . 03C6 ADD EAX,ESI ; //两者相加
0411BDF . 0F80 9B000000 JO tt.00411C80
00411BE5 . 99 CDQ
00411BE6 . F7F9 IDIV ECX
00411BE8 . 8BCA MOV ECX,EDX ; //余数EDX入ECX
00411BEA . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
00411BF0 . 8B75 14 MOV ESI,DWORD PTR SS:[EBP+14]
00411BF3 . 66:05 2000 ADD AX,20 ; 加20
00411BF7 . 0F80 83000000 JO tt.00411C80
00411BFD . 8B16 MOV EDX,DWORD PTR DS:[ESI]
00411BFF . 0FBFC0 MOVSX EAX,AX
00411C02 . 52 PUSH EDX
00411C03 . 50 PUSH EAX
00411C04 . FF15 14114000 CALL DWORD PTR DS:[<&MSVBVM60.#537>] ; MSVBVM60.rtcBstrFromAnsi
00411C0A . 8BD0 MOV EDX,EAX
00411C0C . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00411C0F . FFD7 CALL EDI
00411C11 . 50 PUSH EAX
00411C12 . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00411C18 . 8BD0 MOV EDX,EAX
00411C1A . 8BCE MOV ECX,ESI
00411C1C . FFD7 CALL EDI
00411C1E . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00411C21 . FF15 A4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00411C27 > B8 01000000 MOV EAX,1 ; //ascii码小于20大于7E的跳到此处
00411C2C . 66:0345 EC ADD AX,WORD PTR SS:[EBP-14]
00411C30 . 70 4E JO SHORT tt.00411C80
00411C32 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00411C35 .^E9 F6FEFFFF JMP tt.00411B30 ; 没取完循环
00411C3A > 9B WAIT
00411C3B . 68 661C4100 PUSH tt.00411C66
00411C40 . EB 13 JMP SHORT tt.00411C55
00411C42 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00411C45 . FF15 A4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00411C4B . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00411C4E . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00411C54 . C3 RETN
[算法总结]
算法:注册码由用户名运算得来,逐位取用户名的ASCII码值,如果在32-126范围则跟取得随机数进行一系列运算得到注册码
下面是VB算法注册机源码
Private Sub Command1_Click()
Rnd (-1)
Randomize (28901128)
For i = 1 To Len(Text1.Text)
a = Asc(Mid(Text1.Text, i)) - 32
B = Int(Rnd(10) * 96 + a) Mod 95 + 32
sn = sn & Chr(B)
Next i
Text2.Text = sn
End Sub
给一个可用的注册码
用户名:yunfeng
注册码:jy!&/qs
[课程]Android-CTF解题方法汇总!
