Title: Registering the multimedia development tool Multimedia Builder 4.9
Software overview: With this multimedia development tool you can build CD-ROM based multimedia applications, tutorials, presentations, exhibitions, MP3 players and so on.
Introduction: I installed this software today to see whether there was an article in it, and it turned out there is not much of one. After installation I checked it with PEiD: no packer, written in VC. Start the program, open the Help menu and click About; a dialog appears. Click the Enter Reg Code button and a second dialog appears. Enter a Name (note that the Name string must contain an '@' character), then a Code, e.g. 654321, and finally the MP3 unlock code 7878. Bring up SoftICE, set a breakpoint with bpx hmemcpy, press F12 seven times to get back into the main program, then switch to F10 and trace until you reach the following code:
004BF744 . E8 EF811300 CALL MMBUILDE.005F7938
004BF749 . 8D75 5C LEA ESI,DWORD PTR SS:[EBP+5C]
004BF74C . 68 98BC6A00 PUSH MMBUILDE.006ABC98
004BF751 . 8BCE MOV ECX,ESI
004BF753 . E8 41111300 CALL MMBUILDE.005F0899 //This CALL checks whether the user name contains '@'; if it does not, the check fails.
004BF758 . 83F8 FF CMP EAX,-1
004BF75B . 75 21 JNZ SHORT MMBUILDE.004BF77E
004BF75D . 6A 00 PUSH 0 ; /Arg3 = 00000000
004BF75F . 6A 00 PUSH 0 ; |Arg2 = 00000000
004BF761 . 68 C0146B00 PUSH MMBUILDE.006B14C0 ; |Arg1 = 006B14C0 ASCII "Please enter the Name exactly as it is stated in the registration e-mail you received."
004BF766 . E8 2A271400 CALL MMBUILDE.00601E95 ; \MMBUILDE.00601E95
004BF76B . 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
004BF76F . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
004BF776 . 5F POP EDI
004BF777 . 5E POP ESI
004BF778 . 5D POP EBP
004BF779 . 5B POP EBX
004BF77A . 83C4 20 ADD ESP,20
004BF77D . C3 RETN
004BF77E > A1 5CD96C00 MOV EAX,DWORD PTR DS:[6CD95C]
004BF783 . 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
004BF787 . 68 B4146B00 PUSH MMBUILDE.006B14B4 ; ASCII "obarbeht"
004BF78C . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
004BF790 . C74424 30 0000>MOV DWORD PTR SS:[ESP+30],0
004BF798 . E8 FA991300 CALL MMBUILDE.005F9197 //Processes the MP3 unlock code and obtains its length.
004BF79D . 56 PUSH ESI
004BF79E . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BF7A2 . E8 DC951300 CALL MMBUILDE.005F8D83
004BF7A7 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004BF7AB . 885C24 2C MOV BYTE PTR SS:[ESP+2C],BL
004BF7AF . E8 C79D1300 CALL MMBUILDE.005F957B
004BF7B4 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] //Address of the reversed user name is loaded into ECX.
004BF7B8 . E8 AC9D1300 CALL MMBUILDE.005F9569
004BF7BD . 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
004BF7C1 . 51 PUSH ECX
004BF7C2 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BF7C6 . E8 CE101300 CALL MMBUILDE.005F0899
004BF7CB . 83F8 FF CMP EAX,-1
004BF7CE . 7E 2A JLE SHORT MMBUILDE.004BF7FA //This jump is taken.
*several lines omitted*
004BF7FA > 68 AC146B00 PUSH MMBUILDE.006B14AC ; ASCII "obekoc"
004BF7FF . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] //Address of the MP3 unlock code is loaded into ECX.
004BF803 . E8 8F991300 CALL MMBUILDE.005F9197 //Compared with "obekoc".
004BF808 . 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
004BF80C . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004BF810 . 50 PUSH EAX
004BF811 . E8 83101300 CALL MMBUILDE.005F0899
004BF816 . 83F8 FF CMP EAX,-1
004BF819 . 7E 2A JLE SHORT MMBUILDE.004BF845 //This jump is taken.
*several lines omitted*
004BF845 > 51 PUSH ECX
004BF846 . 8D7D 60 LEA EDI,DWORD PTR SS:[EBP+60] //Address of the registration code is loaded into EDI.
004BF849 . 8BCC MOV ECX,ESP
004BF84B . 896424 20 MOV DWORD PTR SS:[ESP+20],ESP
004BF84F . 57 PUSH EDI
004BF850 . E8 2E951300 CALL MMBUILDE.005F8D83
004BF855 . 51 PUSH ECX
004BF856 . C64424 34 04 MOV BYTE PTR SS:[ESP+34],4
004BF85B . 8BCC MOV ECX,ESP
004BF85D . 896424 28 MOV DWORD PTR SS:[ESP+28],ESP
004BF861 . 56 PUSH ESI
004BF862 . E8 1C951300 CALL MMBUILDE.005F8D83
004BF867 . 8BCD MOV ECX,EBP
004BF869 . 885C24 34 MOV BYTE PTR SS:[ESP+34],BL
004BF86D . E8 2E010000 CALL MMBUILDE.004BF9A0 //This CALL is the key one; it is analysed below.
004BF872 . 85C0 TEST EAX,EAX
004BF874 . 74 67 JE SHORT MMBUILDE.004BF8DD //If this jump is taken, the registration code is wrong.
004BF876 . 8B36 MOV ESI,DWORD PTR DS:[ESI]
004BF878 . E8 19291500 CALL MMBUILDE.00612196
004BF87D . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004BF880 . 56 PUSH ESI ; /Arg3 = 8172D704
004BF881 . 68 8CB26A00 PUSH MMBUILDE.006AB28C ; |Arg2 = 006AB28C ASCII "Name"
004BF886 . 68 84B16A00 PUSH MMBUILDE.006AB184 ; |Arg1 = 006AB184 ASCII "Reg"
004BF88B . 8BC8 MOV ECX,EAX
004BF88D . E8 B1271400 CALL MMBUILDE.00602043
004BF892 . 8B3F MOV EDI,DWORD PTR DS:[EDI]
004BF894 . E8 FD281500 CALL MMBUILDE.00612196
004BF899 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004BF89C . 57 PUSH EDI ; /Arg3 = 00000000
004BF89D . 68 A8BC6A00 PUSH MMBUILDE.006ABCA8 ; |Arg2 = 006ABCA8 ASCII "Num"
004BF8A2 . 68 84B16A00 PUSH MMBUILDE.006AB184 ; |Arg1 = 006AB184 ASCII "Reg"
004BF8A7 . 8BC8 MOV ECX,EAX
004BF8A9 . E8 95271400 CALL MMBUILDE.00602043
004BF8AE . 8B75 64 MOV ESI,DWORD PTR SS:[EBP+64]
004BF8B1 . E8 E0281500 CALL MMBUILDE.00612196
004BF8B6 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004BF8B9 . 56 PUSH ESI ; /Arg3 = 8172D704
004BF8BA . 68 7C146B00 PUSH MMBUILDE.006B147C ; |Arg2 = 006B147C ASCII "Mp3"
004BF8BF . 68 84B16A00 PUSH MMBUILDE.006AB184 ; |Arg1 = 006AB184 ASCII "Reg"
004BF8C4 . 8BC8 MOV ECX,EAX ; |MMBUILDE.<ModuleEntryPoint>
004BF8C6 . E8 78271400 CALL MMBUILDE.00602043 ; \MMBUILDE.00602043
004BF8CB . E8 C6281500 CALL MMBUILDE.00612196
004BF8D0 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
004BF8D3 . E8 287BF6FF CALL MMBUILDE.00427400
004BF8D8 . E9 89000000 JMP MMBUILDE.004BF966
004BF8DD > 6A 00 PUSH 0 ; /Arg3 = 00000000
004BF8DF . 6A 00 PUSH 0 ; |Arg2 = 00000000
004BF8E1 . 68 90146B00 PUSH MMBUILDE.006B1490 ; |Arg1 = 006B1490 ASCII "The reg. code is invalid."
004BF8E6 . E8 AA251400 CALL MMBUILDE.00601E95 ; \MMBUILDE.00601E95
004BF8EB . 68 94B26A00 PUSH MMBUILDE.006AB294 ; ASCII "Unregistred"
004BF8F0 . 8BCE MOV ECX,ESI
004BF8F2 . E8 A0981300 CALL MMBUILDE.005F9197
004BF8F7 . 68 80146B00 PUSH MMBUILDE.006B1480 ; ASCII "Invalid Code"
004BF8FC . 8BCF MOV ECX,EDI
004BF8FE . E8 94981300 CALL MMBUILDE.005F9197
004BF903 . 8D5D 64 LEA EBX,DWORD PTR SS:[EBP+64]
004BF906 . 68 80146B00 PUSH MMBUILDE.006B1480 ; ASCII "Invalid Code"
004BF90B . 8BCB MOV ECX,EBX
004BF90D . E8 85981300 CALL MMBUILDE.005F9197
004BF912 . 8B36 MOV ESI,DWORD PTR DS:[ESI]
004BF914 . E8 7D281500 CALL MMBUILDE.00612196
004BF919 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004BF91C . 56 PUSH ESI ; /Arg3 = 8172D704
004BF91D . 68 8CB26A00 PUSH MMBUILDE.006AB28C ; |Arg2 = 006AB28C ASCII "Name"
004BF922 . 68 84B16A00 PUSH MMBUILDE.006AB184 ; |Arg1 = 006AB184 ASCII "Reg"
004BF927 . 8BC8 MOV ECX,EAX ; |MMBUILDE.<ModuleEntryPoint>
004BF929 . E8 15271400 CALL MMBUILDE.00602043 ; \MMBUILDE.00602043
004BF92E . 8B3F MOV EDI,DWORD PTR DS:[EDI]
004BF930 . E8 61281500 CALL MMBUILDE.00612196
004BF935 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004BF938 . 57 PUSH EDI ; /Arg3 = 00000000
004BF939 . 68 A8BC6A00 PUSH MMBUILDE.006ABCA8 ; |Arg2 = 006ABCA8 ASCII "Num"
004BF93E . 68 84B16A00 PUSH MMBUILDE.006AB184 ; |Arg1 = 006AB184 ASCII "Reg"
004BF943 . 8BC8 MOV ECX,EAX ; |MMBUILDE.<ModuleEntryPoint>
004BF945 . E8 F9261400 CALL MMBUILDE.00602043 ; \MMBUILDE.00602043
004BF94A . 8B1B MOV EBX,DWORD PTR DS:[EBX]
004BF94C . E8 45281500 CALL MMBUILDE.00612196
004BF951 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004BF954 . 53 PUSH EBX ; /Arg3 = 008C0000
004BF955 . 68 7C146B00 PUSH MMBUILDE.006B147C ; |Arg2 = 006B147C ASCII "Mp3"
004BF95A . 68 84B16A00 PUSH MMBUILDE.006AB184 ; |Arg1 = 006AB184 ASCII "Reg"
004BF95F . 8BC8 MOV ECX,EAX ; |MMBUILDE.<ModuleEntryPoint>
004BF961 . E8 DD261400 CALL MMBUILDE.00602043 ; \MMBUILDE.00602043
004BF966 > 8BCD MOV ECX,EBP
004BF968 . E8 80551300 CALL MMBUILDE.005F4EED
004BF96D . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004BF971 . C64424 2C 00 MOV BYTE PTR SS:[ESP+2C],0
004BF976 . E8 93961300 CALL MMBUILDE.005F900E
004BF97B . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BF97F . C74424 2C FFFF>MOV DWORD PTR SS:[ESP+2C],-1
004BF987 . E8 82961300 CALL MMBUILDE.005F900E
004BF98C . 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
004BF990 . 5F POP EDI ; KERNEL32.BFF8B86C
004BF991 . 5E POP ESI ; KERNEL32.BFF8B86C
004BF992 . 5D POP EBP ; KERNEL32.BFF8B86C
004BF993 . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
004BF99A . 5B POP EBX ; KERNEL32.BFF8B86C
004BF99B . 83C4 20 ADD ESP,20
004BF99E . C3 RETN
004BF99F 90 NOP
================================================================================
Analysis of the registration-code comparison function:
004BF9A0 /$ 6A FF PUSH -1
004BF9A2 |. 68 70BA6300 PUSH MMBUILDE.0063BA70 ; SE handler installation
004BF9A7 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004BF9AD |. 50 PUSH EAX ; MMBUILDE.<ModuleEntryPoint>
004BF9AE |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004BF9B5 |. 83EC 10 SUB ESP,10
004BF9B8 |. 68 F0BD6A00 PUSH MMBUILDE.006ABDF0 ; ASCII "1-" //This is actually the key, but it is not the registration code itself.
004BF9BD |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
004BF9C1 |. C74424 1C 0100>MOV DWORD PTR SS:[ESP+1C],1
004BF9C9 |. E8 CB0E1300 CALL MMBUILDE.005F0899 //The registration code is compared with the string above.
004BF9CE |. 85C0 TEST EAX,EAX
004BF9D0 |. 75 2D JNZ SHORT MMBUILDE.004BF9FF
*several lines omitted*
004BF9FF |> 55 PUSH EBP
004BFA00 |. 56 PUSH ESI
004BFA01 |. 57 PUSH EDI
004BFA02 |. 68 ECBD6A00 PUSH MMBUILDE.006ABDEC
004BFA07 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
004BFA0B |. E8 890E1300 CALL MMBUILDE.005F0899 //Converts the entered registration code into a hexadecimal number.
004BFA10 |. 8B0D 5CD96C00 MOV ECX,DWORD PTR DS:[6CD95C]
004BFA16 |. 8BF0 MOV ESI,EAX
004BFA18 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
004BFA1C |. 83FE FF CMP ESI,-1
004BFA1F |. C64424 24 03 MOV BYTE PTR SS:[ESP+24],3
004BFA24 |. 7E 59 JLE SHORT MMBUILDE.004BFA7F
004BFA26 |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
004BFA2A |. 56 PUSH ESI
004BFA2B |. 52 PUSH EDX
004BFA2C |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
004BFA30 |. E8 9F0D1300 CALL MMBUILDE.005F07D4
004BFA35 |. 50 PUSH EAX
004BFA36 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BFA3A |. C64424 28 04 MOV BYTE PTR SS:[ESP+28],4
004BFA3F |. E8 03971300 CALL MMBUILDE.005F9147
004BFA44 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BFA48 |. C64424 24 03 MOV BYTE PTR SS:[ESP+24],3
004BFA4D |. E8 BC951300 CALL MMBUILDE.005F900E
004BFA52 |. 46 INC ESI
004BFA53 |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
004BFA57 |. 56 PUSH ESI
004BFA58 |. 50 PUSH EAX
004BFA59 |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
004BFA5D |. E8 3D0C1300 CALL MMBUILDE.005F069F
004BFA62 |. 50 PUSH EAX
004BFA63 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
004BFA67 |. C64424 28 05 MOV BYTE PTR SS:[ESP+28],5
004BFA6C |. E8 D6961300 CALL MMBUILDE.005F9147
004BFA71 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BFA75 |. C64424 24 03 MOV BYTE PTR SS:[ESP+24],3
004BFA7A |. E8 8F951300 CALL MMBUILDE.005F900E
004BFA7F |> 8B4C24 30 MOV ECX,DWORD PTR SS:[ESP+30]
004BFA83 |. 51 PUSH ECX
004BFA84 |. E8 25840C00 CALL MMBUILDE.00587EAE
004BFA89 |. 8B15 5CD96C00 MOV EDX,DWORD PTR DS:[6CD95C]
004BFA8F |. 83C4 04 ADD ESP,4
004BFA92 |. 8BE8 MOV EBP,EAX
004BFA94 |. 895424 0C MOV DWORD PTR SS:[ESP+C],EDX
004BFA98 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
004BFA9C |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BFAA0 |. 50 PUSH EAX
004BFAA1 |. 68 F0BD6A00 PUSH MMBUILDE.006ABDF0 ; ASCII "1-"
004BFAA6 |. 51 PUSH ECX
004BFAA7 |. C64424 30 06 MOV BYTE PTR SS:[ESP+30],6
004BFAAC |. E8 66981300 CALL MMBUILDE.005F9317 //Copies "1-" to another location.
004BFAB1 |. 50 PUSH EAX
004BFAB2 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004BFAB6 |. C64424 28 07 MOV BYTE PTR SS:[ESP+28],7
004BFABB |. E8 87961300 CALL MMBUILDE.005F9147
004BFAC0 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004BFAC4 |. C64424 24 06 MOV BYTE PTR SS:[ESP+24],6
004BFAC9 |. E8 40951300 CALL MMBUILDE.005F900E
004BFACE |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
004BFAD2 |. 33F6 XOR ESI,ESI
004BFAD4 |. 33C0 XOR EAX,EAX
004BFAD6 |. 8B4F F8 MOV ECX,DWORD PTR DS:[EDI-8]
004BFAD9 |. 85C9 TEST ECX,ECX
004BFADB |. 7E 18 JLE SHORT MMBUILDE.004BFAF5
004BFADD |> 8A1438 /MOV DL,BYTE PTR DS:[EAX+EDI] //The loop below adds up the ASCII codes of the "1-" string, giving 5Eh.
004BFAE0 |. 885424 18 |MOV BYTE PTR SS:[ESP+18],DL
004BFAE4 |. 8B5424 18 |MOV EDX,DWORD PTR SS:[ESP+18]
004BFAE8 |. 81E2 FF000000 |AND EDX,0FF
004BFAEE |. 03F2 |ADD ESI,EDX
004BFAF0 |. 40 |INC EAX
004BFAF1 |. 3BC1 |CMP EAX,ECX
004BFAF3 |.^7C E8 \JL SHORT MMBUILDE.004BFADD
004BFAF5 |> 5F POP EDI
004BFAF6 |. 3BF5 CMP ESI,EBP //ESI holds the ASCII sum of the real registration code; EBP holds your fake code in hexadecimal form.
004BFAF8 |. 5E POP ESI
004BFAF9 |. 5D POP EBP
004BFAFA |. C64424 18 03 MOV BYTE PTR SS:[ESP+18],3
004BFAFF |. 8D4C24 00 LEA ECX,DWORD PTR SS:[ESP]
004BFB03 |. 75 48 JNZ SHORT MMBUILDE.004BFB4D //If they differ, it is over; otherwise OK.
================================================================================
Afterword:
Enter the decimal form of 5E, i.e. 94, and registration succeeds. The MP3 unlock code can be any value. The program writes the user name and registration code (in plain text) into the H.C.U\Software\MMBuilder\Reg key.
This program is really odd: after all those comparisons and calculations, in the end as long as the registration code is correct, the MP3 code can be anything. I have not tested what the MP3 unlock code is actually for. Moreover, even when registered this way, the generated multimedia files still carry an "unregistered" mark. What can be done about that? Experts, please advise!
qduwg@163.com
qduwg
2006/1/27