【破解软件】One Click Ringtone Converter 1.4
【下载地址】http://www.onlinedown.net/soft/46780.htm
【运行环境】Win9x/Me/NT/2000/XP/2003
【软件类别】国外软件/共享版/音频工具
【保护方式】注册码
【作者声明】初学Crack,只是感兴趣,消遣业余时间,错误之处敬请诸位前辈不吝赐教。
【调试环境】Winxp、OllyDBD、PEiD
【软件介绍】一款手机铃声制作软件,只需要点一下鼠标就可以将所有的音乐变成你的手机和弦铃声。支持由WAV,MP3,WMA, OGG, APE, FLAC音频文件到WAV, MP3和MMF格式的压缩铃声的转换。可以整个文件或部分转换,支持批处理。
一、追码
该软件安装后有4个EXE文件,其中unlock.exe是注册程序,PEiD检查无壳,是:Microsoft Visual C++ 7.0 Method2。OD载入查找字串参考,找到:“you registration data is incorrect.error” 双击来到代码窗口,向上在04046F3处下断,F9运行程序,弹出注册框填入用户名:wzwgp 组织:icbc Unlock code: 12345678 点击“ok”
004046F3 /$ 55 PUSH EBP ; 断下
004046F4 |. 8BEC MOV EBP,ESP
004046F6 |. 81EC 34080000 SUB ESP,834
004046FC |. 53 PUSH EBX
004046FD |. 56 PUSH ESI
004046FE |. 57 PUSH EDI
004046FF |. 33DB XOR EBX,EBX
00404701 |. 53 PUSH EBX
00404702 |. 8BF0 MOV ESI,EAX
00404704 |. 53 PUSH EBX
00404705 |. 6A 01 PUSH 1
00404707 |. 8D7E 20 LEA EDI,DWORD PTR DS:[ESI+20]
0040470A |. 8D46 28 LEA EAX,DWORD PTR DS:[ESI+28] ; 用户名地址入EAX
0040470D |. 68 EA030000 PUSH 3EA
00404712 |. 8BCF MOV ECX,EDI
00404714 |. E8 5DCCFFFF CALL unlock.00401376
00404719 |. 85C0 TEST EAX,EAX
0040471B |. 74 2A JE SHORT unlock.00404747
0040471D |. 53 PUSH EBX
0040471E |. 53 PUSH EBX
0040471F |. 6A 01 PUSH 1
00404721 |. 8D46 2C LEA EAX,DWORD PTR DS:[ESI+2C] ; 组织名地址入EAX
00404724 |. 68 EB030000 PUSH 3EB
00404729 |. 8BCF MOV ECX,EDI
0040472B |. E8 46CCFFFF CALL unlock.00401376
00404730 |. 85C0 TEST EAX,EAX
00404732 |. 74 13 JE SHORT unlock.00404747
00404734 |. 53 PUSH EBX
00404735 |. 53 PUSH EBX
00404736 |. 6A 01 PUSH 1
00404738 |. 8D46 30 LEA EAX,DWORD PTR DS:[ESI+30] ; 假码地址入EAX
0040473B |. 68 EC030000 PUSH 3EC
00404740 |. 8BCF MOV ECX,EDI
00404742 |. E8 2FCCFFFF CALL unlock.00401376
00404747 |> 8D7E 30 LEA EDI,DWORD PTR DS:[ESI+30] ; 假码地址入EDI
0040474A |. 8BC7 MOV EAX,EDI
0040474C |. E8 2FCDFFFF CALL unlock.00401480
00404751 |. FF37 PUSH DWORD PTR DS:[EDI]
00404753 |. FF15 CC514000 CALL NEAR DWORD PTR DS:[<&USER32.CharUpp>; 假码字符小写转大写
00404759 |. 8B46 28 MOV EAX,DWORD PTR DS:[ESI+28]
0040475C |. 3958 F8 CMP DWORD PTR DS:[EAX-8],EBX
0040475F |. 0F84 A2010000 JE unlock.00404907
00404765 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
00404767 |. 395A F8 CMP DWORD PTR DS:[EDX-8],EBX
0040476A |. 0F84 97010000 JE unlock.00404907
00404770 |. 6A 07 PUSH 7
00404772 |. 59 POP ECX
00404773 |. 33C0 XOR EAX,EAX
00404775 |. 8D7D D0 LEA EDI,DWORD PTR SS:[EBP-30]
00404778 |. 895D CC MOV DWORD PTR SS:[EBP-34],EBX
0040477B |. F3:AB REP STOS DWORD PTR ES:[EDI]
0040477D |. B9 00010000 MOV ECX,100
00404782 |. 8DBD CCFBFFFF LEA EDI,DWORD PTR SS:[EBP-434]
00404788 |. 68 FF030000 PUSH 3FF
0040478D |. F3:AB REP STOS DWORD PTR ES:[EDI]
0040478F |. 52 PUSH EDX
00404790 |. 8D85 CCFBFFFF LEA EAX,DWORD PTR SS:[EBP-434]
00404796 |. 50 PUSH EAX
00404797 |. FF15 64514000 CALL NEAR DWORD PTR DS:[<&MSVCR71._mbsnb>; 假码16进制数入堆栈
0040479D |. 8D85 CCFBFFFF LEA EAX,DWORD PTR SS:[EBP-434]
004047A3 |. E8 E6FEFFFF CALL unlock.0040468E ; 检查假码是否有R、T、U…有将被替换
004047A8 |. 8D85 CCFBFFFF LEA EAX,DWORD PTR SS:[EBP-434]
004047AE |. 68 D8524000 PUSH unlock.004052D8 ; 2D (-) 入栈
004047B3 |. 50 PUSH EAX
004047B4 |. FF15 60514000 CALL NEAR DWORD PTR DS:[<&MSVCR71._mbsto>; 取检查后假码
004047BA |. 83C4 14 ADD ESP,14
004047BD |. 85C0 TEST EAX,EAX
004047BF |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004047C2 |. 0F84 F1000000 JE unlock.004048B9 ; 未输入注册码跳到注册失败提示窗
004047C8 |> 83FB 08 /CMP EBX,8 ; 注册码取完没有?
004047CB |. 0F83 B3000000 |JNB unlock.00404884
004047D1 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004047D4 |. 8D50 01 |LEA EDX,DWORD PTR DS:[EAX+1]
004047D7 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX]
004047D9 |. 40 ||INC EAX
004047DA |. 84C9 ||TEST CL,CL
004047DC |.^ 75 F9 |\JNZ SHORT unlock.004047D7
004047DE |. 2BC2 |SUB EAX,EDX ; 计算每组注册码位数
004047E0 |. 83F8 06 |CMP EAX,6
004047E3 |. 77 12 |JA SHORT unlock.004047F7 ; 组注册码位数大于6跳到下面计算
004047E5 |. 6A 1A |PUSH 1A
004047E7 |. 6A 00 |PUSH 0
004047E9 |. FF75 FC |PUSH DWORD PTR SS:[EBP-4]
004047EC |. FF15 5C514000 |CALL NEAR DWORD PTR DS:[<&MSVCR71.strto>; 算法Call
004047F2 |. 83C4 0C |ADD ESP,0C
004047F5 |. EB 6E |JMP SHORT unlock.00404865
004047F7 |> 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004047FA |. 8D50 01 |LEA EDX,DWORD PTR DS:[EAX+1]
004047FD |> 8A08 |/MOV CL,BYTE PTR DS:[EAX]
004047FF |. 40 ||INC EAX
00404800 |. 84C9 ||TEST CL,CL
00404802 |.^ 75 F9 |\JNZ SHORT unlock.004047FD
00404804 |. 2BC2 |SUB EAX,EDX
00404806 |. 83F8 08 |CMP EAX,8
00404809 |. 75 5F |JNZ SHORT unlock.0040486A ; 不等于8跳走
0040480B |. 33C0 |XOR EAX,EAX
0040480D |. 884D EC |MOV BYTE PTR SS:[EBP-14],CL
00404810 |. 8D7D ED |LEA EDI,DWORD PTR SS:[EBP-13]
00404813 |. AB |STOS DWORD PTR ES:[EDI]
00404814 |. 66:AB |STOS WORD PTR ES:[EDI]
00404816 |. AA |STOS BYTE PTR ES:[EDI]
00404817 |. 33C0 |XOR EAX,EAX
00404819 |. 884D F4 |MOV BYTE PTR SS:[EBP-C],CL
0040481C |. 8D7D F5 |LEA EDI,DWORD PTR SS:[EBP-B]
0040481F |. AB |STOS DWORD PTR ES:[EDI]
00404820 |. 66:AB |STOS WORD PTR ES:[EDI]
00404822 |. 6A 06 |PUSH 6
00404824 |. FF75 FC |PUSH DWORD PTR SS:[EBP-4]
00404827 |. AA |STOS BYTE PTR ES:[EDI]
00404828 |. 8B3D 64514000 |MOV EDI,DWORD PTR DS:[<&MSVCR71._mbsnbc>
0040482E |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
00404831 |. 50 |PUSH EAX
00404832 |. FFD7 |CALL NEAR EDI ; 取位数等于8的假码的前6位保存
00404834 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] ; 取位数等于8的假码
00404837 |. 83C0 06 |ADD EAX,6
0040483A |. 6A 02 |PUSH 2
0040483C |. 50 |PUSH EAX ; 保存后2位
0040483D |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
00404840 |. 50 |PUSH EAX
00404841 |. FFD7 |CALL NEAR EDI
00404843 |. 8B3D 5C514000 |MOV EDI,DWORD PTR DS:[<&MSVCR71.strtoul>
00404849 |. 6A 1A |PUSH 1A
0040484B |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14] ; 前6位地址入EAX
0040484E |. 6A 00 |PUSH 0
00404850 |. 50 |PUSH EAX
00404851 |. FFD7 |CALL NEAR EDI ; 计算前6位
00404853 |. 89449D CC |MOV DWORD PTR SS:[EBP+EBX*4-34],EAX ; 保存前6位计算结果
00404857 |. 6A 1A |PUSH 1A
00404859 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
0040485C |. 6A 00 |PUSH 0
0040485E |. 50 |PUSH EAX
0040485F |. 43 |INC EBX ; 计数器
00404860 |. FFD7 |CALL NEAR EDI ; 计算后2位
00404862 |. 83C4 30 |ADD ESP,30
00404865 |> 89449D CC |MOV DWORD PTR SS:[EBP+EBX*4-34],EAX ; 保存计算结果(跳转来自 004047F5)
00404869 |. 43 |INC EBX ; 计数器
0040486A |> 68 D8524000 |PUSH unlock.004052D8 ; 2D (-) 入栈
0040486F |. 6A 00 |PUSH 0
00404871 |. FF15 60514000 |CALL NEAR DWORD PTR DS:[<&MSVCR71._mbst>; 逐组取注册码
00404877 |. 85C0 |TEST EAX,EAX ; 是否取完?
00404879 |. 59 |POP ECX
0040487A |. 59 |POP ECX
0040487B |. 8945 FC |MOV DWORD PTR SS:[EBP-4],EAX
0040487E |.^ 0F85 44FFFFFF \JNZ unlock.004047C8 ; 未取完循环
00404884 |> 83FB 07 CMP EBX,7 ; 注册码是否是7组?
00404887 |. 75 30 JNZ SHORT unlock.004048B9 ; 注册码不是7组跳到注册失败提示窗
00404889 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; S7入EAX
0040488C |. 2B45 D0 SUB EAX,DWORD PTR SS:[EBP-30] ; EAX=S7-S2
0040488F |. 2B45 CC SUB EAX,DWORD PTR SS:[EBP-34] ; EAX=S7-S2-S1
00404892 |. 3D 54B2D700 CMP EAX,0D7B254 ; EAX=0D7B254 ?
00404897 |. 75 20 JNZ SHORT unlock.004048B9 ; 不相等注册失败
00404899 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; S6入EAX
0040489C |. 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; S5入ECX
0040489F |. 03C1 ADD EAX,ECX ; EAX=S6+S5
004048A1 |. 0345 D8 ADD EAX,DWORD PTR SS:[EBP-28] ; EAX=S6+S5+S4
004048A4 |. 0345 D4 ADD EAX,DWORD PTR SS:[EBP-2C] ; EAX=S6+S5+S4+S3
004048A7 |. 3D D74B4E30 CMP EAX,304E4BD7 ; EAX=304E4BD7 ?
004048AC |. 75 0B JNZ SHORT unlock.004048B9 ; 不相等注册失败
004048AE |. 8D46 24 LEA EAX,DWORD PTR DS:[ESI+24]
004048B1 |. C700 01000000 MOV DWORD PTR DS:[EAX],1
004048B7 |. EB 06 JMP SHORT unlock.004048BF
004048B9 |> 8D46 24 LEA EAX,DWORD PTR DS:[ESI+24]
004048BC |. 8320 00 AND DWORD PTR DS:[EAX],0
004048BF |> 8338 00 CMP DWORD PTR DS:[EAX],0
004048C2 75 1C JNZ SHORT unlock.004048E0
004048C4 |. 6A 10 PUSH 10
004048C6 |. 68 D0524000 PUSH unlock.004052D0 ; error
004048CB |. 68 AC524000 PUSH unlock.004052AC ; you registration data is incorrect.error
004048D0 |> FF76 04 PUSH DWORD PTR DS:[ESI+4]
004048D3 |. FF15 D4514000 CALL NEAR DWORD PTR DS:[<&USER32.Message>; MessageBoxA
004048D9 |. 6A 02 PUSH 2
004048DB |. FF76 04 PUSH DWORD PTR DS:[ESI+4]
004048DE |. EB 1F JMP SHORT unlock.004048FF
004048E0 |> E8 D8C9FFFF CALL unlock.004012BD
004048E5 |. 85C0 TEST EAX,EAX
004048E7 75 0E JNZ SHORT unlock.004048F7
004048E9 |. 6A 10 PUSH 10
004048EB |. 68 D0524000 PUSH unlock.004052D0 ; error
004048F0 |. 68 7C524000 PUSH unlock.0040527C ; error. unable to save registration
information.you registration data is incorrect.error
004048F5 |.^ EB D9 JMP SHORT unlock.004048D0
004048F7 |> 0FB745 08 MOVZX EAX,WORD PTR SS:[EBP+8]
004047EC 00404851 00404860 处Call F7来到下面:
7C35543D > 6A 01 PUSH 1
7C35543F FF7424 10 PUSH DWORD PTR SS:[ESP+10]
7C355443 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
7C355447 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
7C35544B E8 17FEFFFF CALL MSVCR71.7C355267 ; F7再进入
7C355450 83C4 10 ADD ESP,10
7C355453 C3 RETN
7C35544B 处Call F7来到下面:
7C355267 55 PUSH EBP
7C355268 8BEC MOV EBP,ESP
7C35526A 51 PUSH ECX
7C35526B 53 PUSH EBX
7C35526C 56 PUSH ESI
7C35526D 57 PUSH EDI
7C35526E E8 C343FFFF CALL MSVCR71.7C349636
7C355273 8B70 64 MOV ESI,DWORD PTR DS:[EAX+64]
7C355276 3B35 44EF387C CMP ESI,DWORD PTR DS:[7C38EF44] ; MSVCR71.7C38EF48
7C35527C 74 07 JE SHORT MSVCR71.7C355285
7C35527E E8 E174FFFF CALL MSVCR71.7C34C764
7C355283 8BF0 MOV ESI,EAX
7C355285 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; 假码入ECX
7C355288 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
7C35528C 8A19 MOV BL,BYTE PTR DS:[ECX] ; 逐个取假码
7C35528E 8D79 01 LEA EDI,DWORD PTR DS:[ECX+1]
7C355291 837E 28 01 CMP DWORD PTR DS:[ESI+28],1
7C355295 0FB6C3 MOVZX EAX,BL
7C355298 7E 11 JLE SHORT MSVCR71.7C3552AB ; 小于等于转移
7C35529A 6A 08 PUSH 8
7C35529C 50 PUSH EAX
7C35529D 56 PUSH ESI
7C35529E E8 15D1FFFF CALL MSVCR71.7C3523B8
7C3552A3 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
7C3552A6 83C4 0C ADD ESP,0C
7C3552A9 EB 0A JMP SHORT MSVCR71.7C3552B5
7C3552AB 8B56 48 MOV EDX,DWORD PTR DS:[ESI+48]
7C3552AE 0FB60442 MOVZX EAX,BYTE PTR DS:[EDX+EAX*2] ; [EDX+EAX*2]=1
7C3552B2 83E0 08 AND EAX,8
7C3552B5 85C0 TEST EAX,EAX
7C3552B7 74 05 JE SHORT MSVCR71.7C3552BE
7C3552B9 8A1F MOV BL,BYTE PTR DS:[EDI]
7C3552BB 47 INC EDI
7C3552BC ^ EB D3 JMP SHORT MSVCR71.7C355291
7C3552BE 80FB 2D CMP BL,2D ; 2D (-)
7C3552C1 75 06 JNZ SHORT MSVCR71.7C3552C9
7C3552C3 834D 14 02 OR DWORD PTR SS:[EBP+14],2
7C3552C7 EB 05 JMP SHORT MSVCR71.7C3552CE
7C3552C9 80FB 2B CMP BL,2B ; 2B (+)
7C3552CC 75 03 JNZ SHORT MSVCR71.7C3552D1
7C3552CE 8A1F MOV BL,BYTE PTR DS:[EDI]
7C3552D0 47 INC EDI
7C3552D1 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; [EBP+10]=1A
7C3552D4 85C0 TEST EAX,EAX
7C3552D6 0F8C 3A010000 JL MSVCR71.7C355416
7C3552DC 83F8 01 CMP EAX,1
7C3552DF 0F84 31010000 JE MSVCR71.7C355416
7C3552E5 83F8 24 CMP EAX,24
7C3552E8 0F8F 28010000 JG MSVCR71.7C355416
7C3552EE 85C0 TEST EAX,EAX
7C3552F0 6A 10 PUSH 10
7C3552F2 59 POP ECX ; ECX=10
7C3552F3 75 24 JNZ SHORT MSVCR71.7C355319 ; 跳
7C3552F5 80FB 30 CMP BL,30
7C3552F8 74 09 JE SHORT MSVCR71.7C355303
7C3552FA C745 10 0A00000>MOV DWORD PTR SS:[EBP+10],0A
7C355301 EB 2E JMP SHORT MSVCR71.7C355331
7C355303 8A07 MOV AL,BYTE PTR DS:[EDI]
7C355305 3C 78 CMP AL,78
7C355307 74 0D JE SHORT MSVCR71.7C355316
7C355309 3C 58 CMP AL,58
7C35530B 74 09 JE SHORT MSVCR71.7C355316
7C35530D C745 10 0800000>MOV DWORD PTR SS:[EBP+10],8
7C355314 EB 1B JMP SHORT MSVCR71.7C355331
7C355316 894D 10 MOV DWORD PTR SS:[EBP+10],ECX
7C355319 394D 10 CMP DWORD PTR SS:[EBP+10],ECX ; 1A>10
7C35531C 75 13 JNZ SHORT MSVCR71.7C355331
7C35531E 80FB 30 CMP BL,30
7C355321 75 0E JNZ SHORT MSVCR71.7C355331
7C355323 8A07 MOV AL,BYTE PTR DS:[EDI]
7C355325 3C 78 CMP AL,78
7C355327 74 04 JE SHORT MSVCR71.7C35532D
7C355329 3C 58 CMP AL,58
7C35532B 75 04 JNZ SHORT MSVCR71.7C355331
7C35532D 47 INC EDI
7C35532E 8A1F MOV BL,BYTE PTR DS:[EDI]
7C355330 47 INC EDI
7C355331 83C8 FF OR EAX,FFFFFFFF
7C355334 33D2 XOR EDX,EDX
7C355336 F775 10 DIV DWORD PTR SS:[EBP+10] ; EAX=FFFFFFFF div 1A=09D89D89
7C355339 8B35 60B4387C MOV ESI,DWORD PTR DS:[_pctype] ; MSVCR71.7C37A4D8
7C35533F 0FB6CB MOVZX ECX,BL
7C355342 66:8B0C4E MOV CX,WORD PTR DS:[ESI+ECX*2] ; [ESI+ECX*2]=1
7C355346 F6C1 04 TEST CL,4 ; 1 and 4 =0
7C355349 74 08 JE SHORT MSVCR71.7C355353
7C35534B 0FBECB MOVSX ECX,BL
7C35534E 83E9 30 SUB ECX,30 ; 注册码是数字减30
7C355351 EB 1F JMP SHORT MSVCR71.7C355372
7C355353 66:F7C1 0301 TEST CX,103 ; 1 and 103 =1
7C355358 74 43 JE SHORT MSVCR71.7C35539D
7C35535A 80FB 61 CMP BL,61 ; 61 (a)
7C35535D 7C 0D JL SHORT MSVCR71.7C35536C
7C35535F 80FB 7A CMP BL,7A ; 7A (z)
7C355362 7F 08 JG SHORT MSVCR71.7C35536C
7C355364 0FBECB MOVSX ECX,BL
7C355367 83E9 20 SUB ECX,20
7C35536A EB 03 JMP SHORT MSVCR71.7C35536F
7C35536C 0FBECB MOVSX ECX,BL
7C35536F 83C1 C9 ADD ECX,-37 ; 注册码是字符减37
7C355372 3B4D 10 CMP ECX,DWORD PTR SS:[EBP+10] ; [EBP+10]=1A
7C355375 73 26 JNB SHORT MSVCR71.7C35539D ; 注册码减37要小于1A
7C355377 834D 14 08 OR DWORD PTR SS:[EBP+14],8
7C35537B 3945 FC CMP DWORD PTR SS:[EBP-4],EAX ; [EBP-4]=计算结果 < EAX=9D89D89
7C35537E 72 0C JB SHORT MSVCR71.7C35538C
7C355380 75 04 JNZ SHORT MSVCR71.7C355386
7C355382 3BCA CMP ECX,EDX
7C355384 76 06 JBE SHORT MSVCR71.7C35538C
7C355386 834D 14 04 OR DWORD PTR SS:[EBP+14],4
7C35538A EB 0C JMP SHORT MSVCR71.7C355398
7C35538C 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4] ; [EBP-4] 计算结果
7C35538F 0FAF75 10 IMUL ESI,DWORD PTR SS:[EBP+10] ; ESI=0*1A=0
7C355393 03F1 ADD ESI,ECX ; ESI=0+s1+(-37)=s1+(-37)
7C355395 8975 FC MOV DWORD PTR SS:[EBP-4],ESI ; 保存ESI
7C355398 8A1F MOV BL,BYTE PTR DS:[EDI] ; 逐个取1组中的假码
7C35539A 47 INC EDI
7C35539B ^ EB 9C JMP SHORT MSVCR71.7C355339 ; 回跳到7C355339处
7C35539D 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
7C3553A0 4F DEC EDI
7C3553A1 A8 08 TEST AL,8
7C3553A3 75 0F JNZ SHORT MSVCR71.7C3553B4
7C3553A5 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
7C3553A9 74 03 JE SHORT MSVCR71.7C3553AE
7C3553AB 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
7C3553AE 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
7C3553B2 EB 4B JMP SHORT MSVCR71.7C3553FF
7C3553B4 A8 04 TEST AL,4
7C3553B6 BE FFFFFF7F MOV ESI,7FFFFFFF
7C3553BB 75 1B JNZ SHORT MSVCR71.7C3553D8
7C3553BD A8 01 TEST AL,1
7C3553BF 75 3E JNZ SHORT MSVCR71.7C3553FF
7C3553C1 83E0 02 AND EAX,2
7C3553C4 74 09 JE SHORT MSVCR71.7C3553CF
7C3553C6 817D FC 0000008>CMP DWORD PTR SS:[EBP-4],80000000
7C3553CD 77 09 JA SHORT MSVCR71.7C3553D8
7C3553CF 85C0 TEST EAX,EAX
7C3553D1 75 2C JNZ SHORT MSVCR71.7C3553FF
7C3553D3 3975 FC CMP DWORD PTR SS:[EBP-4],ESI
7C3553D6 76 27 JBE SHORT MSVCR71.7C3553FF
7C3553D8 E8 F34AFFFF CALL MSVCR71._errno
7C3553DD F645 14 01 TEST BYTE PTR SS:[EBP+14],1
7C3553E1 C700 22000000 MOV DWORD PTR DS:[EAX],22
7C3553E7 74 06 JE SHORT MSVCR71.7C3553EF
7C3553E9 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
7C3553ED EB 10 JMP SHORT MSVCR71.7C3553FF
7C3553EF 8A45 14 MOV AL,BYTE PTR SS:[EBP+14]
7C3553F2 24 02 AND AL,2
7C3553F4 F6D8 NEG AL
7C3553F6 1BC0 SBB EAX,EAX
7C3553F8 F7D8 NEG EAX
7C3553FA 03C6 ADD EAX,ESI
7C3553FC 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
7C3553FF 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C355402 85C0 TEST EAX,EAX
7C355404 74 02 JE SHORT MSVCR71.7C355408
7C355406 8938 MOV DWORD PTR DS:[EAX],EDI
7C355408 F645 14 02 TEST BYTE PTR SS:[EBP+14],2
7C35540C 74 03 JE SHORT MSVCR71.7C355411
7C35540E F75D FC NEG DWORD PTR SS:[EBP-4]
7C355411 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
7C355414 EB 0B JMP SHORT MSVCR71.7C355421
7C355416 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C355419 85C0 TEST EAX,EAX
7C35541B 74 02 JE SHORT MSVCR71.7C35541F
7C35541D 8908 MOV DWORD PTR DS:[EAX],ECX
7C35541F 33C0 XOR EAX,EAX
7C355421 5F POP EDI ; 0012F958
7C355422 5E POP ESI
7C355423 5B POP EBX
7C355424 C9 LEAVE
7C355425 C3 RETN ; 返回到 7C355450
004047A3 处 CALL unlock.0040468E 检查假码中如有以下字符将被替换。
0040468E /$ /EB 39 JMP SHORT unlock.004046C9
00404690 |> |0FBE08 /MOVSX ECX,BYTE PTR DS:[EAX]
00404693 |. |83C1 AE |ADD ECX,-52 ; Switch (cases 52..5A)
00404696 |. |83F9 08 |CMP ECX,8
00404699 |. |77 2D |JA SHORT unlock.004046C8
0040469B |. |FF248D CF4640>|JMP NEAR DWORD PTR DS:[ECX*4+4046CF]
004046A2 |> |C600 30 |MOV BYTE PTR DS:[EAX],30 ; Case 52 ('R') of switch 00404693
004046A5 |. |EB 21 |JMP SHORT unlock.004046C8
004046A7 |> |C600 4F |MOV BYTE PTR DS:[EAX],4F ; Case 54 ('T') of switch 00404693
004046AA |. |EB 1C |JMP SHORT unlock.004046C8
004046AC |> |C600 31 |MOV BYTE PTR DS:[EAX],31 ; Case 55 ('U') of switch 00404693
004046AF |. |EB 17 |JMP SHORT unlock.004046C8
004046B1 |> |C600 49 |MOV BYTE PTR DS:[EAX],49 ; Case 56 ('V') of switch 00404693
004046B4 |. |EB 12 |JMP SHORT unlock.004046C8
004046B6 |> |C600 4C |MOV BYTE PTR DS:[EAX],4C ; Case 57 ('W') of switch 00404693
004046B9 |. |EB 0D |JMP SHORT unlock.004046C8
004046BB |> |C600 38 |MOV BYTE PTR DS:[EAX],38 ; Case 58 ('X') of switch 00404693
004046BE |. |EB 08 |JMP SHORT unlock.004046C8
004046C0 |> |C600 42 |MOV BYTE PTR DS:[EAX],42 ; Case 59 ('Y') of switch 00404693
004046C3 |. |EB 03 |JMP SHORT unlock.004046C8
004046C5 |> |C600 35 |MOV BYTE PTR DS:[EAX],35 ; Case 5A ('Z') of switch 00404693
004046C8 |> |40 |INC EAX ; Default case of switch 00404693
004046C9 |> \8038 00 CMP BYTE PTR DS:[EAX],0
004046CC |.^ 75 C2 \JNZ SHORT unlock.00404690
004046CE \. C3 RETN
二、追码分析
1.注册码有7组(S1、S2、S3、S4、S5、S6、S7)ASSIC码(0-9、a-z)组成,如有R、T等将被替换(详见上),不被替换的
字符S(53-37=1C>1A)、Q(51-37=1A)及其余ASSIC码组成的注册码与排在其后的该组字符将忽略不参与运算。
2.每组注册码可以是1-6位或8位,如是其他位数,该组注册码计算结果为0。8位组注册码将被分成前6位和后2位2组,
产生2组计算结果。
3.每组注册码进行如下运算:S(s1…s6)
(1) 0*1A+s1
(2) (1)*1A+s2
(3) (2)*1A+s3
(4) (3)*1A+s4
(5) (4)*1A+s5
(6)S=(5)*1A+s6
4.如果满足下列等式:
S7-S2-S1=0D7B254
S6+S5+S4+S3=304E4BD7
注册成功。
注册码:2LB2J2A4-N47F8D-1B8LIA-KOBLH4-MHA5CE-409A5A
注册信息保存在HKEY_CURRENT_USER\Software\Streamware Development\ringconv,重启时验证注册信息。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
