【破文标题】Crystal MP3 Recorder 1.00算法分析
【破文作者】tianxj
【作者邮箱】tianxj_2007@126.com
【作者主页】www.chinapyg.com
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】Crystal MP3 Recorder 1.00(2008-5-5版)
【软件大小】3372KB
【软件类别】国外软件/媒体管理
【软件授权】共享版
【软件语言】英文
【原版下载】华军软件园
【保护方式】注册码
【软件简介】是一个易于使用和高品质的软件,一个完整的记录。与此你可以录制自己的声音,通过麦克风和音频从您的计算机(所发挥的在线研讨会从互联网上, Winamp中, Windows Media Player中,快速的时间,真正的播放器,闪存,游戏) ,以及健全从外部(转台,随
身听,磁带播放器, DVD等) 。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
**************************************************************
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
"invalid register code! please retry!"
**************************************************************
二、用PEiD对Crystal MP3 Recorder查壳,为Borland Delphi 6.0 - 7.0
**************************************************************
三、用PE Explorer和DeDe查找按钮事件
004D921C /. 55 PUSH EBP
==============================================================
运行OD,打开Crystal MP3 Recorder,来到
004D921C /. 55 PUSH EBP
004D921D |. 8BEC MOV EBP,ESP
004D921F |. 33C9 XOR ECX,ECX
004D9221 |. 51 PUSH ECX
004D9222 |. 51 PUSH ECX
004D9223 |. 51 PUSH ECX
004D9224 |. 51 PUSH ECX
004D9225 |. 51 PUSH ECX
004D9226 |. 51 PUSH ECX
004D9227 |. 53 PUSH EBX
004D9228 |. 56 PUSH ESI
004D9229 |. 57 PUSH EDI
004D922A |. 8BF8 MOV EDI,EAX
004D922C |. 33C0 XOR EAX,EAX
004D922E |. 55 PUSH EBP
004D922F |. 68 23944D00 PUSH Crystal_.004D9423
004D9234 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004D9237 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004D923A |. C605 504E4E00>MOV BYTE PTR DS:[4E4E50],1
004D9241 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004D9244 |. 8B87 AC030000 MOV EAX,DWORD PTR DS:[EDI+3AC]
004D924A |. E8 A9A3F6FF CALL Crystal_.004435F8
004D924F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; //用户名
004D9252 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004D9255 |. E8 02FBF2FF CALL Crystal_.00408D5C
004D925A |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004D925D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; //用户名
004D9260 |. E8 2BFBF2FF CALL Crystal_.00408D90
004D9265 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004D9268 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004D926B |. E8 F0B4F2FF CALL Crystal_.00404760
004D9270 |. BB 15000000 MOV EBX,15
004D9275 |. BE 14344E00 MOV ESI,Crystal_.004E3414 ; @om
004D927A |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; //用户名
004D927D |. 8B16 |MOV EDX,DWORD PTR DS:[ESI] ; //"VS88T6-Vs86"
004D927F |. E8 40B8F2FF |CALL Crystal_.00404AC4 ; //比较CALL
004D9284 |. 75 09 |JNZ SHORT Crystal_.004D928F ; //不等则跳
004D9286 |. C605 504E4E00>|MOV BYTE PTR DS:[4E4E50],0 ; //标志位赋值
004D928D |. EB 06 |JMP SHORT Crystal_.004D9295
004D928F |> 83C6 04 |ADD ESI,4
004D9292 |. 4B |DEC EBX
004D9293 |.^ 75 E5 \JNZ SHORT Crystal_.004D927A ; //循环,和内置用户名比较
004D9295 |> 803D 504E4E00>CMP BYTE PTR DS:[4E4E50],0 ; //关键比较
004D929C |. 74 1A JE SHORT Crystal_.004D92B8 ; //相等则跳
004D929E |. 6A 00 PUSH 0 ; /Arg1 = 00000000
004D92A0 |. 66:8B0D 34944>MOV CX,WORD PTR DS:[4D9434] ; |
004D92A7 |. B2 02 MOV DL,2 ; |
004D92A9 |. B8 40944D00 MOV EAX,Crystal_.004D9440 ; |invalid register code! please retry!
004D92AE |. E8 453AF6FF CALL Crystal_.0043CCF8 ; \Crystal_.0043CCF8
004D92B3 |. E9 30010000 JMP Crystal_.004D93E8
004D92B8 |> 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004D92BB |. 8B87 B0030000 MOV EAX,DWORD PTR DS:[EDI+3B0]
004D92C1 |. E8 32A3F6FF CALL Crystal_.004435F8
004D92C6 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; //试练码
004D92C9 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004D92CC |. E8 8BFAF2FF CALL Crystal_.00408D5C
004D92D1 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004D92D4 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; //试练码
004D92D7 |. E8 B4FAF2FF CALL Crystal_.00408D90
004D92DC |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; //试练码
004D92DF |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004D92E2 |. E8 79B4F2FF CALL Crystal_.00404760
004D92E7 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
004D92EB |. 0F84 F7000000 JE Crystal_.004D93E8 ; //用户名为空则跳
004D92F1 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
004D92F5 |. 0F84 ED000000 JE Crystal_.004D93E8 ; //注册码为空则跳
004D92FB |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; //试练码
004D92FE |. E8 7DB6F2FF CALL Crystal_.00404980 ; //取试练码长度
004D9303 |. 85C0 TEST EAX,EAX
004D9305 |. 7E 38 JLE SHORT Crystal_.004D933F ; //小于等于则跳
004D9307 |. BA 01000000 MOV EDX,1 ; //EDX=1
004D930C |> 8B4D F8 /MOV ECX,DWORD PTR SS:[EBP-8] ; //试练码
004D930F |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; //依次取试练码ASC值
004D9314 |. 83F9 30 |CMP ECX,30 ; //与30即"0"比较
004D9317 |. 7C 08 |JL SHORT Crystal_.004D9321 ; //小于则跳
004D9319 |. 8B5D F8 |MOV EBX,DWORD PTR SS:[EBP-8]
004D931C |. 83F9 39 |CMP ECX,39 ; //与39即"9"比较
004D931F |. 7E 1A |JLE SHORT Crystal_.004D933B ; //小于等于则跳
004D9321 |> 6A 00 |PUSH 0 ; /Arg1 = 00000000
004D9323 |. 66:8B0D 34944>|MOV CX,WORD PTR DS:[4D9434] ; |
004D932A |. B2 02 |MOV DL,2 ; |
004D932C |. B8 40944D00 |MOV EAX,Crystal_.004D9440 ; |invalid register code! please retry!
004D9331 |. E8 C239F6FF |CALL Crystal_.0043CCF8 ; \Crystal_.0043CCF8
004D9336 |. E9 AD000000 |JMP Crystal_.004D93E8
004D933B |> 42 |INC EDX
004D933C |. 48 |DEC EAX
004D933D |.^ 75 CD \JNZ SHORT Crystal_.004D930C ; //循环,试练码是否在0~9之间
004D933F |> 33F6 XOR ESI,ESI ; //ESI=0
004D9341 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; //用户名
004D9344 |. E8 37B6F2FF CALL Crystal_.00404980 ; //取用户名长度
004D9349 |. 85C0 TEST EAX,EAX
004D934B |. 7E 13 JLE SHORT Crystal_.004D9360 ; //小于等于则跳
004D934D |. BB 01000000 MOV EBX,1 ; //EBX=1
004D9352 |> 8B55 FC /MOV EDX,DWORD PTR SS:[EBP-4] ; //用户名
004D9355 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] ; //依次取用户名ASC值
004D935A |. 03F2 |ADD ESI,EDX ; //ESI=ESI+EDX
004D935C |. 43 |INC EBX ; //EBX=EBX+1
004D935D |. 48 |DEC EAX ; //EAX=EAX-1
004D935E |.^ 75 F2 \JNZ SHORT Crystal_.004D9352 ; //不等则跳
004D9360 |> 69C6 958D0900 IMUL EAX,ESI,98D95 ; //EAX=ESI*98D95
004D9366 |. 83C0 20 ADD EAX,20 ; //EAX=EAX+20
004D9369 |. D1F8 SAR EAX,1 ; //EAX右移1位
004D936B |. 79 03 JNS SHORT Crystal_.004D9370
004D936D |. 83D0 00 ADC EAX,0
004D9370 |> 8BF0 MOV ESI,EAX ; //ESI=EAX
004D9372 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; //试练码
004D9375 |. E8 7AFCF2FF CALL Crystal_.00408FF4 ; //试练码转16进制送入EAX
004D937A |. 3BF0 CMP ESI,EAX ; //ESI与EAX比较
004D937C |. 75 55 JNZ SHORT Crystal_.004D93D3 ; //不等则跳
004D937E |. 6A 00 PUSH 0 ; /Arg1 = 00000000
004D9380 |. 66:8B0D 34944>MOV CX,WORD PTR DS:[4D9434] ; |
004D9387 |. B2 02 MOV DL,2 ; |
004D9389 |. B8 70944D00 MOV EAX,Crystal_.004D9470 ; |congratuation! you have successfully registered!
004D938E |. E8 6539F6FF CALL Crystal_.0043CCF8 ; \Crystal_.0043CCF8
004D9393 |. A1 783A4E00 MOV EAX,DWORD PTR DS:[4E3A78]
004D9398 |. C600 01 MOV BYTE PTR DS:[EAX],1
004D939B |. A1 843B4E00 MOV EAX,DWORD PTR DS:[4E3B84]
004D93A0 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D93A2 |. 33C9 XOR ECX,ECX
004D93A4 |. BA 04000000 MOV EDX,4
004D93A9 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
004D93AB |. FF53 10 CALL DWORD PTR DS:[EBX+10]
004D93AE |. 8B15 783A4E00 MOV EDX,DWORD PTR DS:[4E3A78] ; Crystal_.004E4E80
004D93B4 |. A1 843B4E00 MOV EAX,DWORD PTR DS:[4E3B84]
004D93B9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D93BB |. B9 01000000 MOV ECX,1
004D93C0 |. E8 EF23F4FF CALL Crystal_.0041B7B4
004D93C5 |. A1 08384E00 MOV EAX,DWORD PTR DS:[4E3808]
004D93CA |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D93CC |. E8 B36AF8FF CALL Crystal_.0045FE84
004D93D1 |. EB 15 JMP SHORT Crystal_.004D93E8
004D93D3 |> 6A 00 PUSH 0 ; /Arg1 = 00000000
004D93D5 |. 66:8B0D 34944>MOV CX,WORD PTR DS:[4D9434] ; |
004D93DC |. B2 02 MOV DL,2 ; |
004D93DE |. B8 40944D00 MOV EAX,Crystal_.004D9440 ; |invalid register code! please retry!
004D93E3 |. E8 1039F6FF CALL Crystal_.0043CCF8 ; \Crystal_.0043CCF8
004D93E8 |> 33C0 XOR EAX,EAX
004D93EA |. 5A POP EDX
004D93EB |. 59 POP ECX
004D93EC |. 59 POP ECX
004D93ED |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004D93F0 |. 68 2A944D00 PUSH Crystal_.004D942A
004D93F5 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004D93F8 |. E8 CBB2F2FF CALL Crystal_.004046C8
004D93FD |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004D9400 |. E8 C3B2F2FF CALL Crystal_.004046C8
004D9405 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004D9408 |. E8 BBB2F2FF CALL Crystal_.004046C8
004D940D |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004D9410 |. E8 B3B2F2FF CALL Crystal_.004046C8
004D9415 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004D9418 |. BA 02000000 MOV EDX,2
004D941D |. E8 CAB2F2FF CALL Crystal_.004046EC
004D9422 \. C3 RETN
004D9423 .^ E9 24ACF2FF JMP Crystal_.0040404C
004D9428 .^ EB CB JMP SHORT Crystal_.004D93F5
004D942A . 5F POP EDI
004D942B . 5E POP ESI
004D942C . 5B POP EBX
004D942D . 8BE5 MOV ESP,EBP
004D942F . 5D POP EBP
004D9430 . C3 RETN
==============================================================
【内置用户名】
004D6F40 56 53 38 38 54 36 2D 56 73 38 36 00 FF FF FF FF VS88T6-Vs86.
004D6F50 0B 00 00 00 54 56 36 36 50 36 2D 54 56 36 36 00 ...TV66P6-TV66.
004D6F60 FF FF FF FF 0B 00 00 00 53 31 52 36 50 36 2D 53 ...S1R6P6-S
004D6F70 56 36 36 00 FF FF FF FF 0B 00 00 00 54 44 52 36 V66....TDR6
004D6F80 70 36 2D 53 56 36 36 00 FF FF FF FF 0A 00 00 00 p6-SV66.....
004D6F90 54 44 52 36 70 36 2D 45 56 53 00 00 FF FF FF FF TDR6p6-EVS..
004D6FA0 0A 00 00 00 54 44 52 36 70 36 2D 53 54 31 00 00 ....TDR6p6-ST1..
004D6FB0 FF FF FF FF 0A 00 00 00 54 73 66 36 70 36 2D 56 ....Tsf6p6-V
004D6FC0 42 31 00 00 FF FF FF FF 0B 00 00 00 42 38 73 66 B1.....B8sf
004D6FD0 36 70 36 2D 56 42 31 00 FF FF FF FF 0C 00 00 00 6p6-VB1.....
004D6FE0 42 38 54 44 66 36 70 36 2D 56 42 31 00 00 00 00 B8TDf6p6-VB1....
004D6FF0 FF FF FF FF 0C 00 00 00 42 53 34 35 66 36 70 36 ....BS45f6p6
004D7000 2D 56 42 31 00 00 00 00 FF FF FF FF 0B 00 00 00 -VB1.......
004D7010 4F 73 72 66 36 70 36 2D 56 42 31 00 FF FF FF FF Osrf6p6-VB1.
004D7020 0B 00 00 00 4F 66 72 67 36 70 36 2D 56 42 31 00 ...Ofrg6p6-VB1.
004D7030 FF FF FF FF 0B 00 00 00 45 53 72 67 36 70 36 2D ...ESrg6p6-
004D7040 56 42 31 00 FF FF FF FF 0B 00 00 00 49 55 72 67 VB1....IUrg
004D7050 36 70 36 2D 56 42 31 00 FF FF FF FF 09 00 00 00 6p6-VB1.....
004D7060 49 55 44 54 36 2D 42 58 31 00 00 00 FF FF FF FF IUDT6-BX1...
004D7070 09 00 00 00 44 55 49 54 36 2D 74 56 31 00 00 00 ....DUIT6-tV1...
004D7080 FF FF FF FF 09 00 00 00 53 31 49 54 36 2D 44 56 ....S1IT6-DV
004D7090 31 00 00 00 FF FF FF FF 09 00 00 00 53 4E 4D 53 1.......SNMS
004D70A0 36 2D 44 56 31 00 00 00 FF FF FF FF 09 00 00 00 6-DV1.......
004D70B0 53 4E 57 53 36 2D 54 4E 31 00 00 00 FF FF FF FF SNWS6-TN1...
004D70C0 09 00 00 00 53 4E 57 53 36 2D 4D 4E 33 00 00 00 ....SNWS6-MN3...
004D70D0 FF FF FF FF 09 00 00 00 54 44 56 53 36 2D 4D 4E ....TDVS6-MN
004D70E0 33 3
**************************************************************
【破解总结】
--------------------------------------------------------------
【算法总结】
用户名必须是内置用户名中的一个,然后经过累加用户名ASC值,乘以98D95,加上20,右移1位后,与注册码16进制比较
--------------------------------------------------------------
【算法注册机】
用keymake 2.0 编写算法注册机:
1、启动keymake,按Ctrl+N打开编辑窗口,将.code源码内容复制进去,然后按F2打开数据区,将.data内容复盖原有信息,再按F9一下,选择方案一(只有一个输入窗口),现在你点“确定”,稍等片刻就会在目录内生成一个算法注册机了!!!
2、算法注册机的源码如下:
keygen.rek
.const
.data
szHomePage db "http://www.chinapyg.com",0
szEmail db "mailto:tianxj_2007@126.com",0
szErrMess db "请输入用户名!",0
szBuffer db 50 dup (0)
szFMT db "%d",0
a dd 0
.code
mov a,eax
invoke lstrlen,a
XOR ESI,ESI
MOV EBX,1h
n1:
MOV EDX,a
MOVZX EDX,BYTE PTR DS:[EDX+EBX-1]
ADD ESI,EDX
INC EBX
DEC EAX
JNZ n1
IMUL EAX,ESI,98D95h
ADD EAX,20h
SAR EAX,1h
JNS n2
ADC EAX,0h
n2:
MOV ESI,EAX
invoke wsprintf,addr szBuffer,addr szFMT,esi
lea eax,szBuffer
--------------------------------------------------------------
【内存注册机】
用Keymake2.0版本 作内存注册机:
一、选择F8 → 内存注册机
1、程序名称:Crystal MP3 Recorder.exe
2、添加数据:
中断地址 4D937A
中断次数 1
第一字节 3B
指令长度 2
二、选择寄存器方式→ ESI→ 十进制 → 点生成就有你乐的了!
--------------------------------------------------------------
感谢飘云老大、猫老大、Nisy老大以及很多前辈们的学习教程以及所有帮助过我的论坛兄弟姐妹们!谢谢
--------------------------------------------------------------
【版权声明】破文是学习的手记,兴趣是成功的源泉;本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
