【破文标题】Joy RingTone Converter算法分析
【破文作者】小娃崽[DFCG]
【作者邮箱】
【作者主页】
【破解工具】
【破解平台】
【软件名称】Joy RingTone Converter
【软件大小】
【原版下载】http://www.skycn.com/soft/31717.html
【保护方式】序列号
【软件简介】 让你可以将来自MP3、WAVE或者CD的音频当作自己的铃声。根据手机的空间情况,可以选择音质优先或者文件大小优先。它还提供了自动将
MP3或WAVE转为铃声的功能。
------------------------------------------------------------------------
004B7FC6 > \8B55 E8 mov edx, dword ptr [ebp-18]
004B7FC9 . 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
004B7FCF . 51 push ecx
004B7FD0 . 52 push edx
004B7FD1 . E8 EA1A0000 call 004B9AC0 ;关键call
004B7FD6 . 8BD0 mov edx, eax
004B7FD8 . 8D4D E0 lea ecx, dword ptr [ebp-20]
004B7FDB . FF15 08134000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
004B7FE1 . 50 push eax
004B7FE2 . 8B45 E4 mov eax, dword ptr [ebp-1C]
004B7FE5 . 50 push eax
004B7FE6 . FF15 54114000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
004B9AC0 $ 55 push ebp
004B9AC1 . 8BEC mov ebp, esp
004B9AC3 . 83EC 0C sub esp, 0C
004B9AC6 . 68 F65B4000 push 00405BF6 ; SE 处理程序安装
004B9ACB . 64:A1 0000000>mov eax, dword ptr fs:[0]
004B9AD1 . 50 push eax
004B9AD2 . 64:8925 00000>mov dword ptr fs:[0], esp
004B9AD9 . 83EC 64 sub esp, 64
004B9ADC . 53 push ebx
004B9ADD . 56 push esi
004B9ADE . 57 push edi
004B9ADF . 8965 F4 mov dword ptr [ebp-C], esp
004B9AE2 . C745 F8 D85B4>mov dword ptr [ebp-8], 00405BD8
004B9AE9 . 8B55 08 mov edx, dword ptr [ebp+8]
004B9AEC . 33FF xor edi, edi
004B9AEE . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004B9AF1 . 897D E4 mov dword ptr [ebp-1C], edi
004B9AF4 . 897D DC mov dword ptr [ebp-24], edi
004B9AF7 . 897D D4 mov dword ptr [ebp-2C], edi
004B9AFA . 897D D0 mov dword ptr [ebp-30], edi
004B9AFD . 897D CC mov dword ptr [ebp-34], edi
004B9B00 . 897D BC mov dword ptr [ebp-44], edi
004B9B03 . 897D B8 mov dword ptr [ebp-48], edi
004B9B06 . 897D A8 mov dword ptr [ebp-58], edi
004B9B09 . FF15 80124000 call dword ptr [<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
004B9B0F . 8D45 E4 lea eax, dword ptr [ebp-1C]
004B9B12 . 50 push eax
004B9B13 . E8 B8F8FFFF call 004B93D0 ;取一固定字符串
004B9B18 . 8B1D 08134000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
004B9B1E . 8BD0 mov edx, eax ; eax="02468ACEE3C2959097F00DE5ECA86420"
004B9B20 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004B9B23 . FFD3 call ebx ; <&MSVBVM60.__vbaStrMove>
004B9B25 . 57 push edi
004B9B26 . 68 80000000 push 80
004B9B2B . 8D55 A8 lea edx, dword ptr [ebp-58]
004B9B2E . 52 push edx
004B9B2F . 8D45 BC lea eax, dword ptr [ebp-44]
004B9B32 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004B9B35 . 50 push eax
004B9B36 . 894D B0 mov dword ptr [ebp-50], ecx
004B9B39 . C745 A8 08400>mov dword ptr [ebp-58], 4008
004B9B40 . FF15 20124000 call dword ptr [<&MSVBVM60.#717>] ; MSVBVM60.rtcStrConvVar2
004B9B46 . 8D4D BC lea ecx, dword ptr [ebp-44]
004B9B49 . 51 push ecx
004B9B4A . 8D55 B8 lea edx, dword ptr [ebp-48]
004B9B4D . 52 push edx
004B9B4E . FF15 5C124000 call dword ptr [<&MSVBVM60.__vbaVar2V>; MSVBVM60.__vbaVar2Vec
004B9B54 . 8D45 B8 lea eax, dword ptr [ebp-48]
004B9B57 . 50 push eax
004B9B58 . 8D4D DC lea ecx, dword ptr [ebp-24]
004B9B5B . 51 push ecx
004B9B5C . FF15 30104000 call dword ptr [<&MSVBVM60.__vbaAryMo>; MSVBVM60.__vbaAryMove
004B9B62 . 8D4D BC lea ecx, dword ptr [ebp-44]
004B9B65 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004B9B6B . 8B55 DC mov edx, dword ptr [ebp-24]
004B9B6E . 52 push edx
004B9B6F . 6A 01 push 1
004B9B71 . FF15 2C124000 call dword ptr [<&MSVBVM60.__vbaUboun>; MSVBVM60.__vbaUbound
004B9B77 . 8945 98 mov dword ptr [ebp-68], eax ;用户名长度到[EBP-68]
004B9B7A . 33F6 xor esi, esi ;ESI被清零了
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
004B9B7C > 3B75 98 cmp esi, dword ptr [ebp-68]
004B9B7F . 0F8F B0000000 jg 004B9C35 ;大于用户名长度就跳出这个循环
004B9B85 . 8B45 DC mov eax, dword ptr [ebp-24]
004B9B88 . 3BC7 cmp eax, edi
004B9B8A . 74 21 je short 004B9BAD
004B9B8C . 66:8338 01 cmp word ptr [eax], 1
004B9B90 . 75 1B jnz short 004B9BAD
004B9B92 . 8B50 14 mov edx, dword ptr [eax+14]
004B9B95 . 8B48 10 mov ecx, dword ptr [eax+10]
004B9B98 . 8BFE mov edi, esi
004B9B9A . 2BFA sub edi, edx
004B9B9C . 3BF9 cmp edi, ecx
004B9B9E . 72 09 jb short 004B9BA9
004B9BA0 . FF15 50114000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004B9BA6 . 8B45 DC mov eax, dword ptr [ebp-24]
004B9BA9 > 8BDF mov ebx, edi
004B9BAB . EB 0B jmp short 004B9BB8
004B9BAD > FF15 50114000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004B9BB3 . 8BD8 mov ebx, eax
004B9BB5 . 8B45 DC mov eax, dword ptr [ebp-24]
004B9BB8 > 85C0 test eax, eax
004B9BBA . 74 1C je short 004B9BD8
004B9BBC . 66:8338 01 cmp word ptr [eax], 1
004B9BC0 . 75 16 jnz short 004B9BD8
004B9BC2 . 8B50 14 mov edx, dword ptr [eax+14]
004B9BC5 . 8B48 10 mov ecx, dword ptr [eax+10]
004B9BC8 . 8BFE mov edi, esi
004B9BCA . 2BFA sub edi, edx
004B9BCC . 3BF9 cmp edi, ecx
004B9BCE . 72 13 jb short 004B9BE3
004B9BD0 . FF15 50114000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004B9BD6 . EB 08 jmp short 004B9BE0
004B9BD8 > FF15 50114000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004B9BDE . 8BF8 mov edi, eax
004B9BE0 > 8B45 DC mov eax, dword ptr [ebp-24]
004B9BE3 > 8B40 0C mov eax, dword ptr [eax+C]
004B9BE6 . 8A0C18 mov cl, byte ptr [eax+ebx] ;用户名依次到cl
004B9BE9 . 8B55 0C mov edx, dword ptr [ebp+C]
004B9BEC . 320A xor cl, byte ptr [edx] ;和2进行xor运算
004B9BEE . 66:0FB6C9 movzx cx, cl ;扩展到cx
004B9BF2 . 66:83E1 1F and cx, 1F ;CX=CX and 1F
004B9BF6 . 79 08 jns short 004B9C00 ;为正跳
004B9BF8 . 66:49 dec cx ;为负--
004B9BFA . 66:83C9 E0 or cx, 0FFE0 ;再or 0FFE0
004B9BFE . 66:41 inc cx ;++
004B9C00 > 66:83C1 01 add cx, 1 ;CX=CX+1,正值直接跳到这里
004B9C04 . 0F80 8F010000 jo 004B9D99 ;不要溢出哦
004B9C0A . FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaUI1I2>; MSVBVM60.__vbaUI1I2
004B9C10 . 8B4D DC mov ecx, dword ptr [ebp-24]
004B9C13 . 8B51 0C mov edx, dword ptr [ecx+C]
004B9C16 . 8B1D 08134000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
004B9C1C . 88043A mov byte ptr [edx+edi], al ;结果保存到[EDX+EDI]
004B9C1F . B8 01000000 mov eax, 1
004B9C24 . 03C6 add eax, esi ;EAX=1+ESI
004B9C26 . 0F80 6D010000 jo 004B9D99
004B9C2C . 8BF0 mov esi, eax ;ESI=EAX
004B9C2E . 33FF xor edi, edi
004B9C30 .^ E9 47FFFFFF jmp 004B9B7C
总结一下,我输入的是xwz,那么
(asc(x) xor 2) and 1f=78 xor 2 and 1f=1A 为正值,1A+1=1B
(asc(w) xor 2) and 1f=77 xor 2 and 1f=15 为正值,15+1=16
(asc(z) xor 2) and 1f=7A xor 2 and 1f=18 为正值,18+1=19
记住结果,下面有用!
///////////////////////////////////////////////////////////////////////////////////////////////////
004B9C35 > BF 01000000 mov edi, 1 ;EDI置1
004B9C3A > B8 08000000 mov eax, 8 ;这里告诉我们注册码8位
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
004B9C3F . 3BF8 cmp edi, eax
004B9C41 . 0F8F EA000000 jg 004B9D31 ;大于跳出这个循环
004B9C47 . 8B45 DC mov eax, dword ptr [ebp-24]
004B9C4A . 50 push eax ;数组名,其实是指向用户名
004B9C4B . BE 01000000 mov esi, 1
004B9C50 . 56 push esi ;维数1
004B9C51 . FF15 2C124000 call dword ptr [<&MSVBVM60.__vbaUboun>; MSVBVM60.__vbaUbound
004B9C57 . 03C6 add eax, esi ;__vbaUbound是求数组的最大下标,EAX与用户名长度符合!
004B9C59 . 0F80 3A010000 jo 004B9D99
004B9C5F . 3BF8 cmp edi, eax
004B9C61 . 8975 C4 mov dword ptr [ebp-3C], esi
004B9C64 . C745 BC 02000>mov dword ptr [ebp-44], 2
004B9C6B . 7D 50 jge short 004B9CBD ;注意这个,大于等于就跳了
004B9C6D . 8B4D DC mov ecx, dword ptr [ebp-24]
004B9C70 . 85C9 test ecx, ecx
004B9C72 . 74 29 je short 004B9C9D
004B9C74 . 66:3931 cmp word ptr [ecx], si
004B9C77 . 75 24 jnz short 004B9C9D
004B9C79 . 8B51 14 mov edx, dword ptr [ecx+14]
004B9C7C . 8B41 10 mov eax, dword ptr [ecx+10]
004B9C7F . 8BF7 mov esi, edi
004B9C81 . 83EE 01 sub esi, 1
004B9C84 . 0F80 0F010000 jo 004B9D99
004B9C8A . 2BF2 sub esi, edx
004B9C8C . 3BF0 cmp esi, eax
004B9C8E . 72 09 jb short 004B9C99
004B9C90 . FF15 50114000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004B9C96 . 8B4D DC mov ecx, dword ptr [ebp-24]
004B9C99 > 8BC6 mov eax, esi
004B9C9B . EB 09 jmp short 004B9CA6
004B9C9D > FF15 50114000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004B9CA3 . 8B4D DC mov ecx, dword ptr [ebp-24]
004B9CA6 > 8B55 D0 mov edx, dword ptr [ebp-30]
004B9CA9 . 8B49 0C mov ecx, dword ptr [ecx+C]
004B9CAC . 52 push edx
004B9CAD . 8D55 BC lea edx, dword ptr [ebp-44]
004B9CB0 . 52 push edx ;D一下知道是2;入栈
004B9CB1 . 33D2 xor edx, edx
004B9CB3 . 8A1401 mov dl, byte ptr [ecx+eax] ;[ECX+EAX]依次指向我们前面得到的1B1619
004B9CB6 . 8B45 D4 mov eax, dword ptr [ebp-2C] ;固定字符串到EAX
004B9CB9 . 52 push edx ;入栈
004B9CBA . 50 push eax ;入栈
004B9CBB . EB 37 jmp short 004B9CF4 ;跳到MSVBVM60.rtcMidCharBstr
004B9CBD > 8B4D D0 mov ecx, dword ptr [ebp-30] ;EDI>用户名长度跳到这里
004B9CC0 . 8B45 0C mov eax, dword ptr [ebp+C]
004B9CC3 . 51 push ecx
004B9CC4 . 33C9 xor ecx, ecx
004B9CC6 . 8A08 mov cl, byte ptr [eax]
004B9CC8 . 8D55 BC lea edx, dword ptr [ebp-44]
004B9CCB . 52 push edx
004B9CCC . 03CF add ecx, edi
004B9CCE . 0F80 C5000000 jo 004B9D99
004B9CD4 . 81E1 1F000080 and ecx, 8000001F
004B9CDA . 79 05 jns short 004B9CE1
004B9CDC . 49 dec ecx
004B9CDD . 83C9 E0 or ecx, FFFFFFE0
004B9CE0 . 41 inc ecx
004B9CE1 > FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaI4Abs>; MSVBVM60.__vbaI4Abs,看字面意思是转换成绝对值的
004B9CE7 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
004B9CEA . 03C6 add eax, esi ;EAX=EAX+ESI
004B9CEC . 0F80 A7000000 jo 004B9D99 ;不能溢出
004B9CF2 . 50 push eax ;eax入栈
004B9CF3 . 51 push ecx ;固定字符串入栈
004B9CF4 > FF15 24114000 call dword ptr [<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
{意思很明显了,就是rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",1B,2)
004B9CFA . 8BD0 mov edx, eax
004B9CFC . 8D4D CC lea ecx, dword ptr [ebp-34]
004B9CFF . FFD3 call ebx ;这个是MSVBVM60.__vbaStrMove
004B9D01 . 50 push eax
004B9D02 . FF15 88104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
004B9D08 . 8BD0 mov edx, eax ; 连接字符串到EDX
004B9D0A . 8D4D D0 lea ecx, dword ptr [ebp-30]
004B9D0D . FFD3 call ebx
004B9D0F . 8D4D CC lea ecx, dword ptr [ebp-34]
004B9D12 . FF15 44134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004B9D18 . 8D4D BC lea ecx, dword ptr [ebp-44]
004B9D1B . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004B9D21 . B8 01000000 mov eax, 1
004B9D26 . 03C7 add eax, edi ; EAX=1+EDI
004B9D28 . 70 6F jo short 004B9D99
004B9D2A . 8BF8 mov edi, eax ;EDI=EAX,相当于EDI++
004B9D2C .^ E9 09FFFFFF jmp 004B9C3A
总结一下:
在第一次循环的时候我们得到1B,16,19
所以注册码第1位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",1B,2)=A
注册码第2位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",16,2)=D
这个时候EDI>用户名长度了(用户名长度大于8位就不会出现这种情况),所以EAX=EAX+EDI=5+1=6
注册码第3位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",6,2)=A
注册码第4位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",7,2)=C
注册码第5位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",8,2)=E
注册码第6位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",9,2)=E
注册码第7位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",A,2)=3
注册码第8位=rtcMidCharBstr("02468ACEE3C2959097F00DE5ECA86420",B,2)=C
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
004B9D31 > 68 839D4B00 push 004B9D83
004B9D36 . EB 2E jmp short 004B9D66
004B9D38 . F645 FC 04 test byte ptr [ebp-4], 4
004B9D3C . 74 09 je short 004B9D47
004B9D3E . 8D4D D0 lea ecx, dword ptr [ebp-30]
004B9D41 . FF15 44134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004B9D47 > 8D4D CC lea ecx, dword ptr [ebp-34]
004B9D4A . FF15 44134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004B9D50 . 8D4D BC lea ecx, dword ptr [ebp-44]
004B9D53 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004B9D59 . 8D55 B8 lea edx, dword ptr [ebp-48]
004B9D5C . 52 push edx
004B9D5D . 6A 00 push 0
004B9D5F . FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaAryDe>; MSVBVM60.__vbaAryDestruct
004B9D65 . C3 retn
004B9D66 > 8B35 44134000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
004B9D6C . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004B9D6F . FFD6 call esi ; <&MSVBVM60.__vbaFreeStr>
004B9D71 . 8D45 DC lea eax, dword ptr [ebp-24]
004B9D74 . 50 push eax
004B9D75 . 6A 00 push 0
004B9D77 . FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaAryDe>; MSVBVM60.__vbaAryDestruct
004B9D7D . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004B9D80 . FFD6 call esi
004B9D82 . C3 retn
004B9D83 . 8B4D EC mov ecx, dword ptr [ebp-14]
004B9D86 . 8B45 D0 mov eax, dword ptr [ebp-30] ; ss:[EBP-30]="ADACEE3C";这里出现正确的注册码!
004B9D89 . 5F pop edi
004B9D8A . 5E pop esi
004B9D8B . 64:890D 00000>mov dword ptr fs:[0], ecx
004B9D92 . 5B pop ebx
004B9D93 . 8BE5 mov esp, ebp
004B9D95 . 5D pop ebp
004B9D96 . C2 0800 retn 8