家庭卡拉OK V2.2
作者:GoOdLeiSuRe
时间:2004/11/12
注:此文仅供学习,本人水平很菜,错误难免,恳请指正。
在分析算法的时候,看到了令人气愤的字符串“CrackersDead”。
软件说明:家庭卡拉OK(KTV@Home)是一款集多媒体播放,音频消原唱,麦克风演唱,音频录制与合成于一体的大众化软件。如果你想在自己的电脑上过把KTV瘾,伴着字幕的滚动高歌一曲,那么本软件将实现你的愿望。只需你硬盘中的MP3或一盘卡拉OK伴奏带,一个话筒,一切轻松搞定。无须复杂的设置,即刻让你感受到家庭卡拉OK的氛围。愿这款软件给你的生活带来一种新的乐趣。
软件特色:
1.播放多种音频文件(*.mp3,*.wma,*.wav,*.mid)和视频文件(*.dat,*.avi,*.mpg,*.asf),
并能打开和保存M3U格式的MP3清单。
2.LRC歌词同步显示。免费版内含6000多首LRC歌词,支持多行滚动和双行轮换两种显示模式。
并能自设歌词字体,颜色,和选择颜色主题。显示流畅,屏幕无闪烁。
3.MP3和VCD消原唱功能。轻松制作MP3消原唱伴奏,实时消去VCD原唱。
4.麦克风演唱功能。用户只需将麦克风线连上电脑,即能立即同声演唱,无须复杂的设置。
用户也可调整麦克风的各种参数,达到最佳的演唱效果。
5.录音功能。简单的操作便能录制自己的MP3,无时间长度限制。
6.MP3合成功能,轻松将你的歌声和伴奏进行合成完整的MP3。
7.人性化的界面。软件力求操作简单,实用方便,您几乎可以不看帮助,便能运用自如,尽情体验多媒体娱乐世界。
软件的窗口可以随心所欲的进行个性化配置。
下载地址:
http://davidsoft.27h.com/KTVSetup.exe
//验证注册码的过程
00442CD0 /$ 6A FF
PUSH -1
00442CD2 |. 68 18F54400
PUSH 家庭卡拉.0044F518
; SE handler installation
00442CD7 |. 64:A1 00000000
MOV EAX,
DWORD PTR FS:[0]
00442CDD |. 50
PUSH EAX
00442CDE |. 64:8925 00000000
MOV DWORD PTR FS:[0],
ESP
00442CE5 |. 83EC 78
SUB ESP,78
00442CE8 |. 53
PUSH EBX
00442CE9 |. 56
PUSH ESI
00442CEA |. 57
PUSH EDI
00442CEB |. 6A 00
PUSH 0
; /Arg4 = 00000000
00442CED |. 6A 00
PUSH 0
; |Arg3 = 00000000
00442CEF |. 68 D04D4600
PUSH 家庭卡拉.00464DD0
; |Arg2 = 00464DD0 ASCII "AppCode"
00442CF4 |. 68 40454600
PUSH 家庭卡拉.00464540
; |Arg1 = 00464540 ASCII "App"
00442CF9 |. B9 40614600
MOV ECX,家庭卡拉.00466140
; |ASCII "lGE"
00442CFE |. E8 AD92FFFF
CALL 家庭卡拉.0043BFB0
; \家庭卡拉.0043BFB0
00442D03 |. DD5424 2C
FST QWORD PTR SS:[
ESP+2C]
; 输入的AppCode(一串数字,写在DSMiniOK.ini的[App]节下)
00442D07 |. DC1D 90264500
FCOMP QWORD PTR DS:[452690]
00442D0D |. BB 04000000
MOV EBX,4
00442D12 |. DFE0
FSTSW AX
00442D14 |. F6C4 40
TEST AH,40
00442D17 |. 0F85 F4000000
JNZ 家庭卡拉.00442E11
; 不跳则验证AppCode,跳则验证AppWord(FCOMP比较结果相等、即C3置位时跳转)
//此软件可以设置AppCode或AppWord
//AppCode是一串数字,AppWord是一串中文字符
//不知是否中文版用中文注册、其它版用数字注册,我没有分析
00442D1D |. 6A 00
PUSH 0
; /pFileSystemNameSize = NULL
00442D1F |. 6A 00
PUSH 0
; |pFileSystemNameBuffer = NULL
00442D21 |. 6A 00
PUSH 0
; |pFileSystemFlags = NULL
00442D23 |. 8D4424 24
LEA EAX,
DWORD PTR SS:[
ESP+24]
; |
00442D27 |. 6A 00
PUSH 0
; |pMaxFilenameLength = NULL
00442D29 |. 50
PUSH EAX ; |pVolumeSerialNumber
00442D2A |. 6A 00
PUSH 0
; |MaxVolumeNameSize = 0
00442D2C |. 6A 00
PUSH 0
; |VolumeNameBuffer = NULL
00442D2E |. 68 CC4D4600
PUSH 家庭卡拉.00464DCC
; |RootPathName = "C:\"
00442D33 |. C74424 38 00000000
MOV DWORD PTR SS:[
ESP+38],0
; |
00442D3B |. FF15 94014500
CALL DWORD PTR DS:[<&KERNEL32.GetVolumeInformationA>>
; \GetVolumeInformationA
00442D41 |. 8B4424 18
MOV EAX,
DWORD PTR SS:[
ESP+18]
00442D45 |. BA 09000000
MOV EDX,9
00442D4A |. DD4424 2C
FLD QWORD PTR SS:[
ESP+2C]
; 输入的AppCode
00442D4E |. 35 CCDA2912
XOR EAX,1229DACC
00442D53 |. B9 07000000
MOV ECX,7
00442D58 |. 894424 18
MOV DWORD PTR SS:[
ESP+18],
EAX
00442D5C |. B8 03000000
MOV EAX,3
00442D61 |. BE 08000000
MOV ESI,8
00442D66 |. BF 02000000
MOV EDI,2
00442D6B |. 895424 34
MOV DWORD PTR SS:[
ESP+34],
EDX ; 9
00442D6F |. 894C24 3C
MOV DWORD PTR SS:[
ESP+3C],
ECX ; 7
00442D73 |. 894424 4C
MOV DWORD PTR SS:[
ESP+4C],
EAX ; 3
00442D77 |. 894424 60
MOV DWORD PTR SS:[
ESP+60],
EAX ; 3
00442D7B |. 894C24 68
MOV DWORD PTR SS:[
ESP+68],
ECX ; 7
00442D7F |. 895424 6C
MOV DWORD PTR SS:[
ESP+6C],
EDX ; 9
00442D83 |. 897424 38
MOV DWORD PTR SS:[
ESP+38],
ESI ; 8
00442D87 |. C74424 40 06000000
MOV DWORD PTR SS:[
ESP+40],6
00442D8F |. C74424 44 05000000
MOV DWORD PTR SS:[
ESP+44],5
00442D97 |. 895C24 48
MOV DWORD PTR SS:[
ESP+48],
EBX ; 4
00442D9B |. 897C24 50
MOV DWORD PTR SS:[
ESP+50],
EDI ; 2
00442D9F |. C74424 54 01000000
MOV DWORD PTR SS:[
ESP+54],1
00442DA7 |. C74424 58 00000000
MOV DWORD PTR SS:[
ESP+58],0
00442DAF |. C74424 5C 01000000
MOV DWORD PTR SS:[
ESP+5C],1
00442DB7 |. C74424 64 05000000
MOV DWORD PTR SS:[
ESP+64],5
00442DBF |. 897C24 70
MOV DWORD PTR SS:[
ESP+70],
EDI ; 2
00442DC3 |. 895C24 74
MOV DWORD PTR SS:[
ESP+74],
EBX ; 4
00442DC7 |. C74424 78 06000000
MOV DWORD PTR SS:[
ESP+78],6
00442DCF |. 897424 7C
MOV DWORD PTR SS:[
ESP+7C],
ESI ; 8
00442DD3 |. C78424 80000000 0A000000
MOV DWORD PTR SS:[
ESP+80],0A
00442DDE |. 8D4C24 44
LEA ECX,
DWORD PTR SS:[
ESP+44]
; 5
00442DE2 |. 8D4424 58
LEA EAX,
DWORD PTR SS:[
ESP+58]
; 0
00442DE6 |. BA 05000000
MOV EDX,5
00442DEB |> 8B38 /
MOV EDI,
DWORD PTR DS:[
EAX]
00442DED |. 2BC6 |
SUB EAX,
ESI
00442DEF |. DA64BC 5C |
FISUB DWORD PTR SS:[
ESP+
EDI*4+5C]
; ST(0)中是输入的AppCode(运算中间值),这里减去表中的整数
00442DF3 |. 8B39 |
MOV EDI,
DWORD PTR DS:[
ECX]
; 5
00442DF5 |. 2BCB |
SUB ECX,
EBX
00442DF7 |. 4A |
DEC EDX
00442DF8 |. DA74BC 5C |
FIDIV DWORD PTR SS:[
ESP+
EDI*4+5C]
; ST(0)中是输入的AppCode(运算中间值),这里除以表中的整数
00442DFC |.^ 75 ED \JNZ SHORT 家庭卡拉.00442DEB
//对输入的AppCode的计算:
//F1(AppCode)=(((((AppCode-1)/2-5)/4-9)/6-4)/8-8)/10
00442DFE |. DB4424 18
FILD DWORD PTR SS:[
ESP+18]
00442E02 |. D9C9
FXCH ST(1)
00442E04 |. DED9
FCOMPP ; 比较换算后的数值是否为:712523422
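//F1(AppCode)=712523422
//(注:FILD取的是[ESP+18],即GetVolumeInformationA返回的C:\卷序列号与1229DACC异或后的值,所以712523422应是作者机器上的取值,换一台机器这个数会不同)
//所以:(((((AppCode-1)/2-5)/4-9)/6-4)/8-8)/10=712523422
//AppCode=2736089943827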
00442E06 |. DFE0
FSTSW AX
00442E08 |. F6C4 40
TEST AH,40
00442E0B |. 0F85 5A040000
JNZ 家庭卡拉.0044326B
; 跳则注册成功
00442E11 |> 68 D45B4600
PUSH 家庭卡拉.00465BD4
00442E16 |. 68 44454600
PUSH 家庭卡拉.00464544
; ASCII "AppWord"
00442E1B |. 8D4C24 18
LEA ECX,
DWORD PTR SS:[
ESP+18]
00442E1F |. 68 40454600
PUSH 家庭卡拉.00464540
; ASCII "App"
00442E24 |. 51
PUSH ECX
00442E25 |. B9 40614600
MOV ECX,家庭卡拉.00466140
; ASCII "lGE"
00442E2A |. E8 918CFFFF
CALL 家庭卡拉.0043BAC0
00442E2F |. 8B5424 10
MOV EDX,
DWORD PTR SS:[
ESP+10]
; 输入的注册码
00442E33 |. 8B35 100C4500
MOV ESI,
DWORD PTR DS:[<&MSVCRT._mbscmp>]
; msvcrt._mbscmp
00442E39 |. 68 D45B4600
PUSH 家庭卡拉.00465BD4
; /s2 = ""
00442E3E |. 52
PUSH EDX ; |s1
00442E3F |. C78424 94000000 00000000
MOV DWORD PTR SS:[
ESP+94],0
; |
00442E4A |. FFD6
CALL ESI ; \_mbscmp
00442E4C |. 83C4 08
ADD ESP,8
00442E4F |. 85C0
TEST EAX,
EAX
00442E51 |. 0F84 C1030000
JE 家庭卡拉.00443218
00442E57 |. 8B4424 10
MOV EAX,
DWORD PTR SS:[
ESP+10]
00442E5B |. 68 E8594600
PUSH 家庭卡拉.004659E8
; ASCII "CrackersDead"
//设置无效验证,若AppWord=CrackersDead,则直接注册失败
//(注:按本清单,相等时JE跳到00443257,析构后顺序执行到0044326B的MOV EAX,1,与“直接失败”的说法对不上;这个字符串更像是留给别处检查的标记值,待核实)
//竟然在软件中“攻击”我们Crackers,:(
00442E60 |. 50
PUSH EAX
00442E61 |. FFD6
CALL ESI
00442E63 |. 83C4 08
ADD ESP,8
00442E66 |. 85C0
TEST EAX,
EAX
00442E68 |. 0F84 E9030000
JE 家庭卡拉.00443257
00442E6E |. 6A 02
PUSH 2
00442E70 |. 8D4C24 24
LEA ECX,
DWORD PTR SS:[
ESP+24]
00442E74 |. 6A 00
PUSH 0
00442E76 |. 51
PUSH ECX
00442E77 |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00442E7B |. E8 30670000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00442E80 |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
; 注册码第一个汉字
00442E82 |. 68 E4594600
PUSH 家庭卡拉.004659E4
; "支"
00442E87 |. 50
PUSH EAX
00442E88 |. FFD6
CALL ESI
00442E8A |. 83C4 08
ADD ESP,8
00442E8D |. 8D4C24 20
LEA ECX,
DWORD PTR SS:[
ESP+20]
00442E91 |. 85C0
TEST EAX,
EAX
00442E93 |. 0F954424 0F
SETNE BYTE PTR SS:[
ESP+F]
00442E98 |. E8 1F5E0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00442E9D |. 8A4424 0F
MOV AL,
BYTE PTR SS:[
ESP+F]
00442EA1 |. 84C0
TEST AL,
AL
00442EA3 |. 0F85 6F030000
JNZ 家庭卡拉.00443218
00442EA9 |. 68 DC594600
PUSH 家庭卡拉.004659DC
00442EAE |. 8D4C24 18
LEA ECX,
DWORD PTR SS:[
ESP+18]
00442EB2 |. E8 3B5E0000
CALL <JMP.&MFC42.#537_??0CString@@QAE@PBD@Z>
00442EB7 |. 6A 02
PUSH 2
00442EB9 |. 8D5424 30
LEA EDX,
DWORD PTR SS:[
ESP+30]
00442EBD |. 6A 00
PUSH 0
00442EBF |. 52
PUSH EDX
00442EC0 |. 8D4C24 20
LEA ECX,
DWORD PTR SS:[
ESP+20]
00442EC4 |. C68424 98000000 01
MOV BYTE PTR SS:[
ESP+98],1
00442ECC |. E8 DF660000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00442ED1 |. 8BF8
MOV EDI,
EAX
00442ED3 |. 6A 02
PUSH 2
00442ED5 |. 8D4424 2C
LEA EAX,
DWORD PTR SS:[
ESP+2C]
00442ED9 |. 53
PUSH EBX
00442EDA |. 50
PUSH EAX
00442EDB |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00442EDF |. C68424 98000000 02
MOV BYTE PTR SS:[
ESP+98],2
00442EE7 |. E8 C4660000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00442EEC |. 8B3F
MOV EDI,
DWORD PTR DS:[
EDI]
; "正"
00442EEE |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
; 注册码的第三个汉字
00442EF0 |. 57
PUSH EDI
00442EF1 |. 50
PUSH EAX
00442EF2 |. C68424 94000000 03
MOV BYTE PTR SS:[
ESP+94],3
00442EFA |. FFD6
CALL ESI
00442EFC |. 83C4 08
ADD ESP,8
00442EFF |. 85C0
TEST EAX,
EAX
00442F01 |. 75 5B
JNZ SHORT 家庭卡拉.00442F5E
00442F03 |. 6A 02
PUSH 2
00442F05 |. 8D4C24 28
LEA ECX,
DWORD PTR SS:[
ESP+28]
00442F09 |. 6A 02
PUSH 2
00442F0B |. 51
PUSH ECX
00442F0C |. 8D4C24 20
LEA ECX,
DWORD PTR SS:[
ESP+20]
00442F10 |. E8 9B660000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00442F15 |. 8BF8
MOV EDI,
EAX
00442F17 |. 6A 02
PUSH 2
00442F19 |. 8D5424 24
LEA EDX,
DWORD PTR SS:[
ESP+24]
00442F1D |. 6A 02
PUSH 2
00442F1F |. 52
PUSH EDX
00442F20 |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00442F24 |. 889C24 98000000
MOV BYTE PTR SS:[
ESP+98],
BL
00442F2B |. E8 80660000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00442F30 |. 8B3F
MOV EDI,
DWORD PTR DS:[
EDI]
; "持"
00442F32 |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
; 注册码的第二个汉字
00442F34 |. 57
PUSH EDI
00442F35 |. 50
PUSH EAX
00442F36 |. FFD6
CALL ESI
00442F38 |. 83C4 08
ADD ESP,8
00442F3B |. 8D4C24 20
LEA ECX,
DWORD PTR SS:[
ESP+20]
00442F3F |. 85C0
TEST EAX,
EAX
00442F41 |. 0F95C3
SETNE BL
00442F44 |. E8 735D0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00442F49 |. 8D4C24 24
LEA ECX,
DWORD PTR SS:[
ESP+24]
00442F4D |. C68424 8C000000 03
MOV BYTE PTR SS:[
ESP+8C],3
00442F55 |. E8 625D0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00442F5A |. 84DB
TEST BL,
BL
00442F5C |. 74 02
JE SHORT 家庭卡拉.00442F60
; 要跳
00442F5E |> B3 01
MOV BL,1
00442F60 |> 8D4C24 28
LEA ECX,
DWORD PTR SS:[
ESP+28]
00442F64 |. C68424 8C000000 02
MOV BYTE PTR SS:[
ESP+8C],2
00442F6C |. E8 4B5D0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00442F71 |. 8D4C24 2C
LEA ECX,
DWORD PTR SS:[
ESP+2C]
00442F75 |. C68424 8C000000 01
MOV BYTE PTR SS:[
ESP+8C],1
00442F7D |. E8 3A5D0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00442F82 |. 84DB
TEST BL,
BL
00442F84 |. 0F85 7D020000
JNZ 家庭卡拉.00443207
; 不能跳
00442F8A |. 6A 02
PUSH 2
00442F8C |. 8D4424 2C
LEA EAX,
DWORD PTR SS:[
ESP+2C]
00442F90 |. 6A 1C
PUSH 1C
00442F92 |. 50
PUSH EAX
00442F93 |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00442F97 |. E8 14660000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00442F9C |. 8BF8
MOV EDI,
EAX
00442F9E |. 6A 02
PUSH 2
00442FA0 |. 8D4C24 30
LEA ECX,
DWORD PTR SS:[
ESP+30]
00442FA4 |. 6A 06
PUSH 6
00442FA6 |. 51
PUSH ECX
00442FA7 |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00442FAB |. C68424 98000000 05
MOV BYTE PTR SS:[
ESP+98],5
00442FB3 |. E8 F8650000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00442FB8 |. 8B3F
MOV EDI,
DWORD PTR DS:[
EDI]
; "版"
00442FBA |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
; 注册码的第四个汉字
00442FBC |. 57
PUSH EDI
00442FBD |. 50
PUSH EAX
00442FBE |. FFD6
CALL ESI
00442FC0 |. 83C4 08
ADD ESP,8
00442FC3 |. 8D4C24 2C
LEA ECX,
DWORD PTR SS:[
ESP+2C]
00442FC7 |. 85C0
TEST EAX,
EAX
00442FC9 |. 0F95C3
SETNE BL
00442FCC |. E8 EB5C0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00442FD1 |. 8D4C24 28
LEA ECX,
DWORD PTR SS:[
ESP+28]
00442FD5 |. C68424 8C000000 01
MOV BYTE PTR SS:[
ESP+8C],1
00442FDD |. E8 DA5C0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00442FE2 |. 84DB
TEST BL,
BL
00442FE4 |. 0F85 1D020000
JNZ 家庭卡拉.00443207
; 不能跳
00442FEA |. 8D4C24 18
LEA ECX,
DWORD PTR SS:[
ESP+18]
00442FEE |. E8 DB5C0000
CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00442FF3 |. 6A 19
PUSH 19
00442FF5 |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00442FF9 |. C68424 90000000 06
MOV BYTE PTR SS:[
ESP+90],6
00443001 |. E8 C25C0000
CALL <JMP.&MFC42.#4160_?LoadStringA@CString@@QAEHI@Z>
00443006 |. 6A 0A
PUSH 0A
00443008 |. 8D5424 30
LEA EDX,
DWORD PTR SS:[
ESP+30]
0044300C |. 6A 08
PUSH 8
0044300E |. 52
PUSH EDX
0044300F |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00443013 |. E8 98650000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00443018 |. 8B4C24 18
MOV ECX,
DWORD PTR SS:[
ESP+18]
; "家庭卡拉OK"
0044301C |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
0044301E |. 51
PUSH ECX
0044301F |. 50
PUSH EAX
00443020 |. FFD6
CALL ESI
00443022 |. 83C4 08
ADD ESP,8
00443025 |. 8D4C24 2C
LEA ECX,
DWORD PTR SS:[
ESP+2C]
00443029 |. 85C0
TEST EAX,
EAX
0044302B |. 0F95C3
SETNE BL
0044302E |. E8 895C0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00443033 |. 84DB
TEST BL,
BL
00443035 |. 0F85 BB010000
JNZ 家庭卡拉.004431F6
; 不能跳
0044303B |. 8B5424 10
MOV EDX,
DWORD PTR SS:[
ESP+10]
0044303F |. 33C0
XOR EAX,
EAX
00443041 |> 8A4C02 12 /
MOV CL,
BYTE PTR DS:[
EDX+
EAX+12]
; "破解盗版"
00443045 |. 884C04 2C |
MOV BYTE PTR SS:[
ESP+
EAX+2C],
CL
00443049 |. 40 |
INC EAX
0044304A |. 83F8 05 |
CMP EAX,5
0044304D |.^ 7C F2 \JL SHORT 家庭卡拉.00443041
; 未取完二个汉字向上跳
0044304F |. 8D5424 2C
LEA EDX,
DWORD PTR SS:[
ESP+2C]
00443053 |. 81FA D8F91200
CMP EDX,12F9D8
00443059 |. 74 3D
JE SHORT 家庭卡拉.00443098
; 要跳
0044305B |. 8D4C24 18
LEA ECX,
DWORD PTR SS:[
ESP+18]
0044305F |. C68424 8C000000 01
MOV BYTE PTR SS:[
ESP+8C],1
00443067 |. E8 505C0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0044306C |. 8D4C24 14
LEA ECX,
DWORD PTR SS:[
ESP+14]
00443070 |. C68424 8C000000 00
MOV BYTE PTR SS:[
ESP+8C],0
00443078 |. E8 3F5C0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0044307D |. 8D4C24 10
LEA ECX,
DWORD PTR SS:[
ESP+10]
00443081 |. C78424 8C000000 FFFFFFFF
MOV DWORD PTR SS:[
ESP+8C],-1
0044308C |. E8 2B5C0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00443091 |. 33C0
XOR EAX,
EAX
00443093 |. E9 D8010000
JMP 家庭卡拉.00443270
00443098 |> 6A 08
PUSH 8
0044309A |. 8D4424 30
LEA EAX,
DWORD PTR SS:[
ESP+30]
0044309E |. 6A 16
PUSH 16
004430A0 |. 50
PUSH EAX
004430A1 |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
004430A5 |. E8 06650000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
004430AA |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
; 注册码的第十个汉字(OK为一个汉字)
004430AC |. 68 D0594600
PUSH 家庭卡拉.004659D0
; "破解盗版"
004430B1 |. 50
PUSH EAX
004430B2 |. FFD6
CALL ESI
004430B4 |. 83C4 08
ADD ESP,8
004430B7 |. 8D4C24 2C
LEA ECX,
DWORD PTR SS:[
ESP+2C]
004430BB |. 85C0
TEST EAX,
EAX
004430BD |. 0F95C3
SETNE BL
004430C0 |. E8 F75B0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004430C5 |. 84DB
TEST BL,
BL
004430C7 |. 74 3D
JE SHORT 家庭卡拉.00443106
; 要跳
004430C9 |. 8D4C24 18
LEA ECX,
DWORD PTR SS:[
ESP+18]
004430CD |. C68424 8C000000 01
MOV BYTE PTR SS:[
ESP+8C],1
004430D5 |. E8 E25B0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004430DA |. 8D4C24 14
LEA ECX,
DWORD PTR SS:[
ESP+14]
004430DE |. C68424 8C000000 00
MOV BYTE PTR SS:[
ESP+8C],0
004430E6 |. E8 D15B0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004430EB |. 8D4C24 10
LEA ECX,
DWORD PTR SS:[
ESP+10]
004430EF |. C78424 8C000000 FFFFFFFF
MOV DWORD PTR SS:[
ESP+8C],-1
004430FA |. E8 BD5B0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004430FF |. 33C0
XOR EAX,
EAX
00443101 |. E9 6A010000
JMP 家庭卡拉.00443270
00443106 |> 68 C8594600
PUSH 家庭卡拉.004659C8
0044310B |. 8D4C24 20
LEA ECX,
DWORD PTR SS:[
ESP+20]
0044310F |. E8 DE5B0000
CALL <JMP.&MFC42.#537_??0CString@@QAE@PBD@Z>
00443114 |. 6A 02
PUSH 2
00443116 |. 8D4C24 24
LEA ECX,
DWORD PTR SS:[
ESP+24]
0044311A |. 6A 00
PUSH 0
0044311C |. 51
PUSH ECX
0044311D |. 8D4C24 28
LEA ECX,
DWORD PTR SS:[
ESP+28]
00443121 |. C68424 98000000 07
MOV BYTE PTR SS:[
ESP+98],7
00443129 |. E8 82640000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
0044312E |. 8BF8
MOV EDI,
EAX
00443130 |. 6A 02
PUSH 2
00443132 |. 8D5424 28
LEA EDX,
DWORD PTR SS:[
ESP+28]
00443136 |. 6A 20
PUSH 20
00443138 |. 52
PUSH EDX
00443139 |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
0044313D |. C68424 98000000 08
MOV BYTE PTR SS:[
ESP+98],8
00443145 |. E8 66640000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
0044314A |. 8B3F
MOV EDI,
DWORD PTR DS:[
EDI]
; "为"
0044314C |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
; 注册码的第十七个汉字
0044314E |. 57
PUSH EDI
0044314F |. 50
PUSH EAX
00443150 |. C68424 94000000 09
MOV BYTE PTR SS:[
ESP+94],9
00443158 |. FFD6
CALL ESI
0044315A |. 83C4 08
ADD ESP,8
0044315D |. 85C0
TEST EAX,
EAX
0044315F |. 75 5C
JNZ SHORT 家庭卡拉.004431BD
; 不能跳
00443161 |. 6A 02
PUSH 2
00443163 |. 8D4424 2C
LEA EAX,
DWORD PTR SS:[
ESP+2C]
00443167 |. 6A 02
PUSH 2
00443169 |. 50
PUSH EAX
0044316A |. 8D4C24 28
LEA ECX,
DWORD PTR SS:[
ESP+28]
0044316E |. E8 3D640000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
00443173 |. 8BF8
MOV EDI,
EAX
00443175 |. 6A 02
PUSH 2
00443177 |. 8D4C24 30
LEA ECX,
DWORD PTR SS:[
ESP+30]
0044317B |. 6A 1E
PUSH 1E
0044317D |. 51
PUSH ECX
0044317E |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
00443182 |. C68424 98000000 0A
MOV BYTE PTR SS:[
ESP+98],0A
0044318A |. E8 21640000
CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE?AV1@HH@Z>
0044318F |. 8B3F
MOV EDI,
DWORD PTR DS:[
EDI]
; "行"
00443191 |. 8B00
MOV EAX,
DWORD PTR DS:[
EAX]
; 注册码的第十六个汉字
00443193 |. 57
PUSH EDI
00443194 |. 50
PUSH EAX
00443195 |. FFD6
CALL ESI
00443197 |. 83C4 08
ADD ESP,8
0044319A |. 8D4C24 2C
LEA ECX,
DWORD PTR SS:[
ESP+2C]
0044319E |. 85C0
TEST EAX,
EAX
004431A0 |. 0F95C3
SETNE BL
004431A3 |. E8 145B0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004431A8 |. 8D4C24 28
LEA ECX,
DWORD PTR SS:[
ESP+28]
004431AC |. C68424 8C000000 09
MOV BYTE PTR SS:[
ESP+8C],9
004431B4 |. E8 035B0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004431B9 |. 84DB
TEST BL,
BL
004431BB |. 74 02
JE SHORT 家庭卡拉.004431BF
; 要跳
004431BD |> B3 01
MOV BL,1
004431BF |> 8D4C24 24
LEA ECX,
DWORD PTR SS:[
ESP+24]
004431C3 |. C68424 8C000000 08
MOV BYTE PTR SS:[
ESP+8C],8
004431CB |. E8 EC5A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004431D0 |. 8D4C24 20
LEA ECX,
DWORD PTR SS:[
ESP+20]
004431D4 |. C68424 8C000000 07
MOV BYTE PTR SS:[
ESP+8C],7
004431DC |. E8 DB5A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004431E1 |. 84DB
TEST BL,
BL
004431E3 |. C68424 8C000000 06
MOV BYTE PTR SS:[
ESP+8C],6
004431EB |. 8D4C24 1C
LEA ECX,
DWORD PTR SS:[
ESP+1C]
004431EF |. 74 3F
JE SHORT 家庭卡拉.00443230
; 要跳
//至此,注册码比较结束
//AppWord=支持正版家庭卡拉OKXX破解盗版行为
//其中XX为任意二个汉字(没有经过比较)
004431F1 |. E8 C65A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004431F6 |> 8D4C24 18
LEA ECX,
DWORD PTR SS:[
ESP+18]
004431FA |. C68424 8C000000 01
MOV BYTE PTR SS:[
ESP+8C],1
00443202 |. E8 B55A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00443207 |> 8D4C24 14
LEA ECX,
DWORD PTR SS:[
ESP+14]
0044320B |. C68424 8C000000 00
MOV BYTE PTR SS:[
ESP+8C],0
00443213 |. E8 A45A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00443218 |> 8D4C24 10
LEA ECX,
DWORD PTR SS:[
ESP+10]
0044321C |. C78424 8C000000 FFFFFFFF
MOV DWORD PTR SS:[
ESP+8C],-1
00443227 |. E8 905A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0044322C |. 33C0
XOR EAX,
EAX
0044322E |. EB 40
JMP SHORT 家庭卡拉.00443270
00443230 |> E8 875A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00443235 |. 8D4C24 18
LEA ECX,
DWORD PTR SS:[
ESP+18]
00443239 |. C68424 8C000000 01
MOV BYTE PTR SS:[
ESP+8C],1
00443241 |. E8 765A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00443246 |. 8D4C24 14
LEA ECX,
DWORD PTR SS:[
ESP+14]
0044324A |. C68424 8C000000 00
MOV BYTE PTR SS:[
ESP+8C],0
00443252 |. E8 655A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00443257 |> 8D4C24 10
LEA ECX,
DWORD PTR SS:[
ESP+10]
0044325B |. C78424 8C000000 FFFFFFFF
MOV DWORD PTR SS:[
ESP+8C],-1
00443266 |. E8 515A0000
CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0044326B |> B8 01000000
MOV EAX,1
; 注册码正确,设置EAX=1
00443270 |> 8B8C24 84000000
MOV ECX,
DWORD PTR SS:[
ESP+84]
00443277 |. 5F
POP EDI
00443278 |. 5E
POP ESI
00443279 |. 5B
POP EBX
0044327A |. 64:890D 00000000
MOV DWORD PTR FS:[0],
ECX
00443281 |. 81C4 84000000
ADD ESP,84
00443287 \. C3
RETN
AppWord的校验比AppCode稍复杂一点;如果AppWord长度不正确,后面几处比较时可能看不到真实的汉字字符。从防护角度看,两种校验都完全在本地完成:AppWord只是与程序内明文字符串逐段比较,AppCode只是对卷序列号做固定异或和可逆的四则运算,都起不到真正的保护作用。