[原创]****转换专家V5.61算法分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]****转换专家V5.61算法分析

发表于: 2005-12-26 22:44 5033

[原创]****转换专家V5.61算法分析

yunfeng

2005-12-26 22:44

5033

文章标题：  天天音频转换专家贵宾版V5.61算法分析
破解作者：  云枫
作者邮箱：  jfsc2004@163.com
破解工具：  PEID，OD
破解声明：  初学CrAck,偶的一点心得，跟大家分享^_^
软件介绍：  『天天音频转换专家』是一款专业的音频转换工具。支持MP2, MP3, AAC, AC3, WMA, OGG, AMR, WAV( PCM, DSP, GSM, ADPCM

), G721, G723, G726, G729, VOX, ALAW, ULAW等常见的音频格式之间的转换。可以批量转换文件而不必理会它们的源文件格式和目标文件格

式。内置播放器支持多种格式的播放功能。
-------------------------------------------------------------------------------------------
[破解过程]

PEiD查壳为Microsoft Visual Basic 5.0 / 6.0
分析知道注册信息放在安装目录\tt.ini文件中，OD载入查找字符来到这里
[system]
user=yunfeng    //用户名
pass=78787878 //我输入的假码
004124EA . 68 50514000 PUSH tt.00405150                      ;  UNICODE "\tt.ini"
004124EF . FF15 48104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>;  MSVBVM60.__vbaStrCat
004124F5 . 8BD0          MOV EDX,EAX
004124F7 . 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
004124FA . FF15 7C114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
00412500 . 8B1D 34114000  MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrCopy
00412506 . 8BD0          MOV EDX,EAX
00412508 . 8D4E 68       LEA ECX,DWORD PTR DS:[ESI+68]
0041250B . FFD3          CALL EBX                               ;  <&MSVBVM60.__vbaStrCopy>
0041250D . 8D45 E0       LEA EAX,DWORD PTR SS:[EBP-20]
00412510 . 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
00412513 . 50          PUSH EAX
00412514 . 51          PUSH ECX
00412515 . 6A 02       PUSH 2
00412517 . FF15 3C114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStrList
0041251D . 83C4 0C       ADD ESP,0C
00412520 . 8D4D D8       LEA ECX,DWORD PTR SS:[EBP-28]
00412523 . FF15 A8114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
00412529 . BA 7C514000 MOV EDX,tt.0040517C                   ;  UNICODE "user"
0041252E . 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00412531 . C745 AC 640000>MOV DWORD PTR SS:[EBP-54],64
00412538 . FFD3          CALL EBX
0041253A . BA 68514000 MOV EDX,tt.00405168                   ;  UNICODE "system"
0041253F . 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
```省略部分代码```

0041256F > 8B55 DC       MOV EDX,DWORD PTR SS:[EBP-24]          ; //用户名feng出来
00412572 . 8D4E 60       LEA ECX,DWORD PTR DS:[ESI+60]
00412575 . FFD3          CALL EBX
00412577 . 8D55 DC       LEA EDX,DWORD PTR SS:[EBP-24]
0041257A . 8D45 E0       LEA EAX,DWORD PTR SS:[EBP-20]
0041257D . 52          PUSH EDX
0041257E . 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
00412581 . 50          PUSH EAX
00412582 . 51          PUSH ECX
00412583 . 6A 03       PUSH 3
00412585 . FF15 3C114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStrList
0041258B . 83C4 10       ADD ESP,10
0041258E . BA 8C514000 MOV EDX,tt.0040518C                   ;  UNICODE "pass"
00412593 . 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00412596 . C745 AC 640000>MOV DWORD PTR SS:[EBP-54],64
0041259D . FFD3          CALL EBX
0041259F . BA 68514000 MOV EDX,tt.00405168                   ;  UNICODE "system"
004125A4 . 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
```省略部分代码```
004125D1 . 50          PUSH EAX
004125D2 . FFD7          CALL EDI
004125D4 > 8B55 DC       MOV EDX,DWORD PTR SS:[EBP-24]          ; //假码78787878出来
004125D7 . 8D4E 64       LEA ECX,DWORD PTR DS:[ESI+64]
004125DA . FFD3          CALL EBX
004125DC . 8D55 DC       LEA EDX,DWORD PTR SS:[EBP-24]
004125DF . 8D45 E0       LEA EAX,DWORD PTR SS:[EBP-20]
004125E2 . 52          PUSH EDX
004125E3 . 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
004125E6 . 50          PUSH EAX
004125E7 . 51          PUSH ECX
004125E8 . 6A 03       PUSH 3
004125EA . FF15 3C114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStrList
004125F0 . 8B4E 60       MOV ECX,DWORD PTR DS:[ESI+60]
004125F3 . 8B16          MOV EDX,DWORD PTR DS:[ESI]
004125F5 . 83C4 10       ADD ESP,10
004125F8 . 8D45 E8       LEA EAX,DWORD PTR SS:[EBP-18]
004125FB . 50          PUSH EAX
004125FC . 51          PUSH ECX
004125FD . 68 9C514000 PUSH tt.0040519C                      ;  UNICODE "123456"
00412602 . 56          PUSH ESI
00412603 . FF92 68070000  CALL DWORD PTR DS:[EDX+768]             ; //算法CALL，跟进
00412609 . 8B55 E8       MOV EDX,DWORD PTR SS:[EBP-18]          ; //出来真码
0041260C . 8B46 64       MOV EAX,DWORD PTR DS:[ESI+64]          ; //出来假码
0041260F . 52          PUSH EDX
00412610 . 50          PUSH EAX
00412611 . FF15 B8104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp ; //比较，可做内存注册
00412617 . 85C0          TEST EAX,EAX
00412619 . 0F84 33020000  JE tt.00412852                         ; //跳则OVER

-------------------------------------------------------------------------------------------

************** 跟进算法CALL DWORD PTR DS:[EDX+768]    来到这里 **************
00411A60 > 55          PUSH EBP
00411A61 . 8BEC          MOV EBP,ESP
00411A63 . 83EC 08       SUB ESP,8
00411A66 . 68 B6174000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation
00411A6B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00411A71 . 50          PUSH EAX
00411A72 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00411A79 . 83EC 4C       SUB ESP,4C
00411A7C . 53          PUSH EBX
00411A7D . 56          PUSH ESI
00411A7E . 57          PUSH EDI
00411A7F . 8965 F8       MOV DWORD PTR SS:[EBP-8],ESP
00411A82 . C745 FC B81140>MOV DWORD PTR SS:[EBP-4],tt.004011B8
00411A89 . 8B55 0C       MOV EDX,DWORD PTR SS:[EBP+C]
00411A8C . 8B35 34114000  MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrCopy
00411A92 . 33C0          XOR EAX,EAX
00411A94 . 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
00411A97 . 8945 E8       MOV DWORD PTR SS:[EBP-18],EAX
00411A9A . 8945 E4       MOV DWORD PTR SS:[EBP-1C],EAX
00411A9D . 8945 DC       MOV DWORD PTR SS:[EBP-24],EAX
00411AA0 . 8945 D4       MOV DWORD PTR SS:[EBP-2C],EAX
00411AA3 . 8945 C4       MOV DWORD PTR SS:[EBP-3C],EAX
00411AA6 . 8945 B4       MOV DWORD PTR SS:[EBP-4C],EAX
00411AA9 . 8945 B0       MOV DWORD PTR SS:[EBP-50],EAX
00411AAC . FFD6          CALL ESI                               ;  <&MSVBVM60.__vbaStrCopy>
00411AAE . 8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]          ; (UNICODE "yunfeng")
00411AB1 . 8D4D DC       LEA ECX,DWORD PTR SS:[EBP-24]
00411AB4 . FFD6          CALL ESI
00411AB6 . 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00411AB9 . 8D55 B0       LEA EDX,DWORD PTR SS:[EBP-50]
00411ABC . 52          PUSH EDX
00411ABD . 8B55 E8       MOV EDX,DWORD PTR SS:[EBP-18]       ; (UNICODE "123456")

00411AC0 . 8B08          MOV ECX,DWORD PTR DS:[EAX]
00411AC2 . 52          PUSH EDX
00411AC3 . 50          PUSH EAX
00411AC4 . FF91 70070000  CALL DWORD PTR DS:[ECX+770]
00411ACA . 8B45 B0       MOV EAX,DWORD PTR SS:[EBP-50]       ; //跟进去知道根据字符123456运算得到一个值
00411ACD . 8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]       ; //得到1B8FF08存入EAX
00411AD0 . 51          PUSH ECX
00411AD1 . 8945 E4       MOV DWORD PTR SS:[EBP-1C],EAX       ; [ebp-1c] <- eax=1B8FF08=十进制28901128
00411AD4 . C745 CC FFFFFF>MOV DWORD PTR SS:[EBP-34],-1
00411ADB . C745 C4 020000>MOV DWORD PTR SS:[EBP-3C],2
00411AE2 . FF15 64104000  CALL DWORD PTR DS:[<&MSVBVM60.#593>]    ;  MSVBVM60.rtcRandomNext
00411AE8 . 8B1D 1C104000  MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFr>;  MSVBVM60.__vbaFreeVar
00411AEE . 8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
00411AF1 . D95D B0       FSTP DWORD PTR SS:[EBP-50]             ; //相当于Rnd(-1)=ST=0.2240070104598999024
00411AF4 . FFD3          CALL EBX                               ;  <&MSVBVM60.__vbaFreeVar>
00411AF6 . 8D45 B4       LEA EAX,DWORD PTR SS:[EBP-4C]
00411AF9 . 8D55 E4       LEA EDX,DWORD PTR SS:[EBP-1C]
00411AFC . 50          PUSH EAX
00411AFD . 8955 BC       MOV DWORD PTR SS:[EBP-44],EDX
00411B00 . C745 B4 034000>MOV DWORD PTR SS:[EBP-4C],4003
00411B07 . FF15 6C104000  CALL DWORD PTR DS:[<&MSVBVM60.#594>]    ;  MSVBVM60.rtcRandomize
00411B0D . 8B4D DC       MOV ECX,DWORD PTR SS:[EBP-24]          ; (UNICODE "yunfeng")
00411B10 . 51          PUSH ECX
00411B11 . FF15 20104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;  MSVBVM60.__vbaLenBstr //获取用户名长度
00411B17 . 8BC8          MOV ECX,EAX
00411B19 . FF15 C0104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>;  MSVBVM60.__vbaI2I4
00411B1F . 8B3D 7C114000  MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrMove
00411B25 . 8945 E0       MOV DWORD PTR SS:[EBP-20],EAX
00411B28 . B8 01000000 MOV EAX,1
00411B2D . 8945 EC       MOV DWORD PTR SS:[EBP-14],EAX
00411B30 > 66:3B45 E0    CMP AX,WORD PTR SS:[EBP-20]
00411B34 . 0F8F 00010000  JG tt.00411C3A
00411B3A . 8B4D DC       MOV ECX,DWORD PTR SS:[EBP-24]          ; (UNICODE "yunfeng")
00411B3D . 8D55 C4       LEA EDX,DWORD PTR SS:[EBP-3C]
00411B40 . 0FBFC0       MOVSX EAX,AX
00411B43 . 52          PUSH EDX
00411B44 . 50          PUSH EAX
00411B45 . 51          PUSH ECX
00411B46 . C745 CC 010000>MOV DWORD PTR SS:[EBP-34],1
00411B4D . C745 C4 020000>MOV DWORD PTR SS:[EBP-3C],2
00411B54 . FF15 A4104000  CALL DWORD PTR DS:[<&MSVBVM60.#631>]    ;  MSVBVM60.rtcMidCharBstr
00411B5A . 8BD0          MOV EDX,EAX
00411B5C . 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
00411B5F . FFD7          CALL EDI
00411B61 . 50          PUSH EAX
00411B62 . FF15 3C104000  CALL DWORD PTR DS:[<&MSVBVM60.#516>]    ;  MSVBVM60.rtcAnsiValueBstr
00411B68 . 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
00411B6B . 8BF0          MOV ESI,EAX                            ; // 转为ASCII码->esi
00411B6D . FF15 A4114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00411B73 . 8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
00411B76 . FFD3          CALL EBX
00411B78 . 66:83FE 20    CMP SI,20                               ; //小于20则跳到下面
00411B7C . 0F8C A5000000  JL tt.00411C27
00411B82 . 66:83FE 7E    CMP SI,7E                               ; //大于7E则跳到下面
00411B86 . 0F8F 9B000000  JG tt.00411C27                         ; //即32至126 标准ASCII范围
00411B8C . 8D55 C4       LEA EDX,DWORD PTR SS:[EBP-3C]
00411B8F . 66:83EE 20    SUB SI,20                               减20
00411B93 . 52          PUSH EDX
00411B94 . C745 CC 040002>MOV DWORD PTR SS:[EBP-34],80020004
00411B9B . 0F80 DF000000  JO tt.00411C80
00411BA1 . C745 C4 0A0000>MOV DWORD PTR SS:[EBP-3C],0A
00411BA8 . FF15 64104000  CALL DWORD PTR DS:[<&MSVBVM60.#593>]    ;  MSVBVM60.rtcRandomNext  ; //随机数 Rnd(10)
00411BAE . D95D B0       FSTP DWORD PTR SS:[EBP-50]                ; //随机数=0.8342925
00411BB1 . D945 B0       FLD DWORD PTR SS:[EBP-50]                ; *96.0000
00411BB4 . D80D B0114000  FMUL DWORD PTR DS:[4011B0]
00411BBA . DFE0          FSTSW AX
00411BBC . A8 0D       TEST AL,0D
00411BBE . 0F85 B7000000  JNZ tt.00411C7B
00411BC4 . FF15 88114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Int>;  MSVBVM60.__vbaR8IntI4
00411BCA . 8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
00411BCD . 8945 E4       MOV DWORD PTR SS:[EBP-1C],EAX
00411BD0 . FFD3          CALL EBX
00411BD2 . 0FBFC6       MOVSX EAX,SI
00411BD5 . 8B75 E4       MOV ESI,DWORD PTR SS:[EBP-1C]
00411BD8 . B9 5F000000 MOV ECX,5F
00411BDD . 03C6          ADD EAX,ESI                               ; //两者相加
0411BDF . 0F80 9B000000  JO tt.00411C80
00411BE5 . 99          CDQ
00411BE6 . F7F9          IDIV ECX
00411BE8 . 8BCA          MOV ECX,EDX                               ; //余数EDX入ECX
00411BEA . FF15 C0104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>;  MSVBVM60.__vbaI2I4
00411BF0 . 8B75 14       MOV ESI,DWORD PTR SS:[EBP+14]
00411BF3 . 66:05 2000    ADD AX,20                                  ; 加20
00411BF7 . 0F80 83000000  JO tt.00411C80
00411BFD . 8B16          MOV EDX,DWORD PTR DS:[ESI]
00411BFF . 0FBFC0       MOVSX EAX,AX
00411C02 . 52          PUSH EDX
00411C03 . 50          PUSH EAX
00411C04 . FF15 14114000  CALL DWORD PTR DS:[<&MSVBVM60.#537>]    ;  MSVBVM60.rtcBstrFromAnsi
00411C0A . 8BD0          MOV EDX,EAX
00411C0C . 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
00411C0F . FFD7          CALL EDI
00411C11 . 50          PUSH EAX
00411C12 . FF15 48104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>;  MSVBVM60.__vbaStrCat
00411C18 . 8BD0          MOV EDX,EAX
00411C1A . 8BCE          MOV ECX,ESI
00411C1C . FFD7          CALL EDI
00411C1E . 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
00411C21 . FF15 A4114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00411C27 > B8 01000000 MOV EAX,1                                  ; //ascii码小于20大于7E的跳到此处
00411C2C . 66:0345 EC    ADD AX,WORD PTR SS:[EBP-14]
00411C30 . 70 4E       JO SHORT tt.00411C80
00411C32 . 8945 EC       MOV DWORD PTR SS:[EBP-14],EAX
00411C35 .^E9 F6FEFFFF JMP tt.00411B30                            ; 没取完循环
00411C3A > 9B          WAIT
00411C3B . 68 661C4100 PUSH tt.00411C66
00411C40 . EB 13       JMP SHORT tt.00411C55
00411C42 . 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
00411C45 . FF15 A4114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00411C4B . 8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
00411C4E . FF15 1C104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVar
00411C54 . C3          RETN
[算法总结]
算法：注册码由用户名运算得来,逐位取用户名的ASCII码值，如果在32-126范围则跟取得随机数进行一系列运算得到注册码
下面是VB算法注册机源码
Private Sub Command1_Click()
Rnd (-1)
Randomize (28901128)
  For i = 1 To Len(Text1.Text)
   a = Asc(Mid(Text1.Text, i)) - 32
   B = Int(Rnd(10) * 96 + a) Mod 95 + 32
   sn = sn & Chr(B)
  Next i
Text2.Text = sn
End Sub
给一个可用的注册码
用户名：yunfeng
注册码：jy!&/qs

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・0

免费・7

支持

最新回复 (1)
KuNgBiM 雪币： 817 活跃值： (1927) 能力值： ( LV12，RANK：2670 ) 在线值：发帖 500 回帖 2517 粉丝 22 关注私信	KuNgBiM 66 2 楼过年了yufeng也出来“献艺”了 2005-12-27 01:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

yunfeng

发帖

489

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
KuNgBiM 雪币： 817 活跃值： (1927) 能力值： ( LV12，RANK：2670 ) 在线值：发帖 500 回帖 2517 粉丝 22 关注私信	KuNgBiM 66 2 楼过年了yufeng也出来“献艺”了 2005-12-27 01:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复