Author: 朱永哲
Target: AudioRight production (Recorder, Converter, Ripper, Burner) V2.0
Tools used: SoftICE for Win2000, W32Dasm 8.9
Cracking method: brute force (binary patching)
Difficulty: intermediate
Let's begin. Open SoftICE, set a breakpoint with bpx messageboxa, then run AudioRight Recorder 2.0.
Once the program has started it asks you to register; unregistered, it limits your recording time (1 minute).
Long story short, it uses ARServiceBar.dll to decide whether you are registered.
During use there are four checks, and all of them call the subroutine at 1000c220.
If you enter a wrong code, eax=00000000; if you enter the right one, eax=00000001.
So forcing eax to 00000001 inside the 1000c220 subroutine is all it takes.
Check 1-------------------------------------------------------------------------------------
:1000BBC7 8B0DC09E0510 mov ecx, dword ptr [10059EC0]
:1000BBCD 894C2404 mov dword ptr [esp+04], ecx
:1000BBD1 8B96FC1D0000 mov edx, dword ptr [esi+00001DFC]
:1000BBD7 8BCE mov ecx, esi
:1000BBD9 52 push edx
:1000BBDA C744242C00000000 mov [esp+2C], 00000000
:1000BBE2 E839060000 call 1000C220 ***************
:1000BBE7 85C0 test eax, eax
:1000BBE9 7466 je 1000BC51
* Possible Reference to String Resource ID=00205: "This product is licensed to:"
|
:1000BBEB 68CD000000 push 000000CD
:1000BBF0 8D4C2408 lea ecx, dword ptr [esp+08]
:1000BBF4 E880890200 call 10034579
:1000BBF9 8D442404 lea eax, dword ptr [esp+04]
:1000BBFD 68849A0510 push 10059A84
:1000BC02 8D4C2410 lea ecx, dword ptr [esp+10]
..................................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000BBE9(C)
|
:1000BC51 8B86FC1D0000 mov eax, dword ptr [esi+00001DFC]
:1000BC57 48 dec eax
:1000BC58 83F803 cmp eax, 00000003
:1000BC5B 772A ja 1000BC87
:1000BC5D FF2485C0BC0010 jmp dword ptr [4*eax+1000BCC0]
* Possible Reference to String Resource ID=00202: "This is a trial version of AudioRight Converter. You only ca"
|
:1000BC64 68CA000000 push 000000CA
:1000BC69 EB13 jmp 1000BC7E
Check 2--------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000C196(C), :1000C1B7(C)
|
:1000C1BC 8B442448 mov eax, dword ptr [esp+48]
:1000C1C0 8BCF mov ecx, edi
:1000C1C2 50 push eax
:1000C1C3 E858000000 call 1000C220 *******************
:1000C1C8 8D4C2414 lea ecx, dword ptr [esp+14]
:1000C1CC 8BF0 mov esi, eax
:1000C1CE C644243802 mov [esp+38], 02
:1000C1D3 E8743C0200 call 1002FE4C
:1000C1D8 6801000080 push 80000001
Check 3---------------------------------------------------------------------------------------
:1000E69D 0FBF8694150000 movsx eax, word ptr [esi+00001594]
:1000E6A4 50 push eax
:1000E6A5 8D4C2408 lea ecx, dword ptr [esp+08]
:1000E6A9 C78424181E000000000000 mov dword ptr [esp+00001E18], 00000000
:1000E6B4 E867DBFFFF call 1000C220 *******************
:1000E6B9 8BF0 mov esi, eax
:1000E6BB 8D8C24081E0000 lea ecx, dword ptr [esp+00001E08]
:1000E6C2 C78424141E000008000000 mov dword ptr [esp+00001E14], 00000008
:1000E6CD E87A170200 call 1002FE4C
:1000E6D2 8D8C24041E0000 lea ecx, dword ptr [esp+00001E04]
:1000E6D9 C68424141E000007 mov byte ptr [esp+00001E14], 07
:1000E6E1 E866170200 call 1002FE4C
Check 4----------------------------------------------------------------------------------------
:1000E7B2 6A00 push 00000000
:1000E7B4 8D4C2408 lea ecx, dword ptr [esp+08]
:1000E7B8 E883D1FFFF call 1000B940
:1000E7BD 0FBF8694150000 movsx eax, word ptr [esi+00001594]
:1000E7C4 50 push eax
:1000E7C5 8D4C2408 lea ecx, dword ptr [esp+08]
:1000E7C9 C78424181E000000000000 mov dword ptr [esp+00001E18], 00000000
:1000E7D4 E847DAFFFF call 1000C220 *******************
:1000E7D9 85C0 test eax, eax
:1000E7DB 0F849C000000 je 1000E87D
:1000E7E1 8D8C24081E0000 lea ecx, dword ptr [esp+00001E08]
:1000E7E8 C78424141E000008000000 mov dword ptr [esp+00001E14], 00000008
:1000E7F3 E854160200 call 1002FE4C
:1000E7F8 8D8C24041E0000 lea ecx, dword ptr [esp+00001E04]
:1000E7FF C68424141E000007 mov byte ptr [esp+00001E14], 07
Subroutine 1000c220---------------------------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:1000BBE2 , :1000C1C3 , :1000E6B4 , :1000E7D4
|
:1000C220 6AFF push FFFFFFFF
:1000C222 6838590410 push 10045938
:1000C227 64A100000000 mov eax, dword ptr fs:[00000000]
:1000C22D 50 push eax
:1000C22E 64892500000000 mov dword ptr fs:[00000000], esp
:1000C235 83EC20 sub esp, 00000020
:1000C238 56 push esi
:1000C239 57 push edi
:1000C23A 8B7C2438 mov edi, dword ptr [esp+38]
:1000C23E 8BF1 mov esi, ecx
:1000C240 57 push edi
:1000C241 E82A010000 call 1000C370
* Possible StringData Ref from Data Obj ->"SOFTWARE\Mightsoft\AudioRight\Register"
|
:1000C246 68049B0510 push 10059B04
:1000C24B 8D4C243C lea ecx, dword ptr [esp+3C]
:1000C24F C744243400000000 mov [esp+34], 00000000
:1000C257 C744240C01000080 mov [esp+0C], 80000001
:1000C25F E8563C0200 call 1002FEBA
:1000C264 8D4C2418 lea ecx, dword ptr [esp+18]
..................................
:1000C31B E8D0310000 call 1000F4F0
:1000C320 8D4C2418 lea ecx, dword ptr [esp+18]
:1000C324 8BF0 mov esi, eax
:1000C326 C644243001 mov [esp+30], 01
:1000C32B E8D0280000 call 1000EC00
:1000C330 8D4C2438 lea ecx, dword ptr [esp+38]
:1000C334 C644243000 mov [esp+30], 00
:1000C339 E80E3B0200 call 1002FE4C
:1000C33E 6801000080 push 80000001
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:1000C343 FF1528800410 Call dword ptr [10048028]
:1000C349 8B4C2428 mov ecx, dword ptr [esp+28]
:1000C34D 8BC6 mov eax, esi **********************
:1000C34F 5F pop edi
:1000C350 64890D00000000 mov dword ptr fs:[00000000], ecx
:1000C357 5E pop esi
:1000C358 83C42C add esp, 0000002C
:1000C35B C20400 ret 0004
------------------------------------------------------------------------------------------
In the 1000c220 subroutine you can see the following code:
1000C34D 8BC6 mov eax, esi
Change 8BC6 (mov eax,esi) to B001 (mov al,01).
Done by hand. Go have a drink.
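From the developer's side, the reason this patch is so cheap is that the registration result leaves the routine through one `mov eax, esi` and nothing ever verifies the code of the check itself. The following is an added illustration, not part of the original post or of AudioRight: it checksums the epilogue bytes of the 1000C220 routine (constructed here from the listing above) at "build time" and shows that the two-byte rewrite 8B C6 -> B0 01 is caught at runtime. The helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the epilogue of 1000C220 taken byte-for-byte from the
 * listing above. Offsets 4-5 hold "8B C6" (mov eax, esi), the two bytes
 * the crack rewrites to "B0 01" (mov al, 01). */
static const uint8_t ORIGINAL_EPILOGUE[] = {
    0x8B, 0x4C, 0x24, 0x28,                   /* 1000C349 mov ecx, [esp+28] */
    0x8B, 0xC6,                               /* 1000C34D mov eax, esi      */
    0x5F,                                     /* 1000C34F pop edi           */
    0x64, 0x89, 0x0D, 0x00, 0x00, 0x00, 0x00, /* 1000C350 mov fs:[0], ecx   */
    0x5E,                                     /* 1000C357 pop esi           */
    0x83, 0xC4, 0x2C,                         /* 1000C358 add esp, 2C       */
    0xC2, 0x04, 0x00                          /* 1000C35B ret 0004          */
};

/* FNV-1a (32-bit) over a code region; any changed byte changes the result. */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* 1 if the region still hashes to the value recorded at build time, else 0. */
int region_intact(const uint8_t *code, size_t len, uint32_t expected)
{
    return code_checksum(code, len) == expected;
}

/* Apply the page's two-byte patch to a copy and check both copies.
 * Returns 1 when the pristine copy passes and the patched copy is caught. */
int simulate_patch_detected(void)
{
    size_t len = sizeof ORIGINAL_EPILOGUE;
    uint32_t expected = code_checksum(ORIGINAL_EPILOGUE, len); /* build-time value */
    uint8_t patched[sizeof ORIGINAL_EPILOGUE];
    memcpy(patched, ORIGINAL_EPILOGUE, len);
    patched[4] = 0xB0;                        /* mov al, 01 replaces mov eax, esi */
    patched[5] = 0x01;
    return region_intact(ORIGINAL_EPILOGUE, len, expected) == 1
        && region_intact(patched, len, expected) == 0;
}
```

A single call to `region_intact` is itself a patch target, so shipping code spreads several such checks over different regions and reacts to a mismatch away from the comparison site.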