Patching Audio MP3 Maker V1.0
Posted on: 2004-5-13 22:01
【Title】 Patching Audio MP3 Maker V1.0
【Author】 aki
【Address】 Pirated CD
【Difficulty】 Easy; written for newbies like me to learn from
【Author's e-mail】 58216365@163com
【Tools used】 PEiD, W32Dasm, OllyDbg
【Platform】 Win2000/XP
【Software】 Audio MP3 Maker
【Unregistered limitations】 Nag window; the unregistered version converts only half the number of songs.
【Price】 $29.95 USD
【Software description】 Audio MP3 Maker is a program for converting audio CDs to MP3. It reads the digital audio data from the CD, rips the tracks and saves them as WAV or MP3. It can also convert WAV to MP3.
--------------------------------------------
【Cracking process】 PEiD reports no packer; the program is written in Microsoft Visual C++ 6.0. Heh, I like that. Disassemble it with W32Dasm and go to this spot:
* Reference To: KERNEL32.DeleteFileA, Ord:007Dh
|
:00403461 FF1518824300 Call dword ptr [00438218]
:00403467 391D90A04400 cmp dword ptr [0044A090], ebx // note this
:0040346D 7428 je 00403497 // jumps if registered
:0040346F 53 push ebx
* Possible Reference to String Resource ID=01051: "Buy Audio MP3 Maker online"
|
:00403470 681B040000 push 0000041B
:00403475 8BCD mov ecx, ebp
:00403477 E81C8C0200 call 0042C098
:0040347C 8BC8 mov ecx, eax
:0040347E E83E8E0200 call 0042C2C1
:00403483 53 push ebx
* Possible Reference to String Resource ID=01052: "Register Audio MP3 Maker"
|
:00403484 681C040000 push 0000041C
:00403489 8BCD mov ecx, ebp
:0040348B E8088C0200 call 0042C098
:00403490 8BC8 mov ecx, eax
:00403492 E82A8E0200 call 0042C2C1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040346D(C)
|
:00403497 8BCD mov ecx, ebp
:00403499 899DD4000000 mov dword ptr [ebp+000000D4], ebx
:0040349F E8BC070000 call 00403C60
:004034A4 85C0 test eax, eax
:004034A6 7519 jne 004034C1 // must jump
:004034A8 53 push ebx
* Possible StringData Ref from Data Obj ->"Error"
|
:004034A9 6828754400 push 00447528
* Possible StringData Ref from Data Obj ->"Init failed!"
|
:004034AE 6818754400 push 00447518
:004034B3 8BCD mov ecx, ebp
:004034B5 E834720200 call 0042A6EE
:004034BA 53 push ebx
* Reference To: USER32.PostQuitMessage, Ord:0202h
|
:004034BB FF1544854300 Call dword ptr [00438544]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004034A6(C)
|
:004034C1 391D90A04400 cmp dword ptr [0044A090], ebx // note this
:004034C7 7507 jne 004034D0 // jumps if registered
* Possible StringData Ref from Data Obj ->"Audio MP3 Maker Unregistered version"
|
:004034C9 68F0744400 push 004474F0
:004034CE EB05 jmp 004034D5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004034C7(C)
|
* Possible StringData Ref from Data Obj ->"Audio MP3 Maker Registered version"
|
:004034D0 68CC744400 push 004474CC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004034CE(U)
|
:004034D5 8BCD mov ecx, ebp
:004034D7 E8E48C0200 call 0042C1C0
:004034DC 899DD0000000 mov dword ptr [ebp+000000D0], ebx
:004034E2 899D24010000 mov dword ptr [ebp+00000124], ebx
:004034E8 899DCC000000 mov dword ptr [ebp+000000CC], ebx
:004034EE 8D9D24070000 lea ebx, dword ptr [ebp+00000724]
:004034F4 8D542454 lea edx, dword ptr [esp+54]
:004034F8 8BCB mov ecx, ebx
Do you see anything above? Look at the instruction right before each of the jumps at 0040346D and 004034C7: it is cmp dword ptr [0044A090], ebx. So we suspect that [0044A090] is the registration flag. Searching in W32Dasm for mov dword ptr [0044A090] turns up only one place:
|
:00403AE6 FF1550804300 Call dword ptr [00438050]
:00403AEC 8BCE mov ecx, esi
:00403AEE 89866C070000 mov dword ptr [esi+0000076C], eax
:00403AF4 E8D7120000 call 00404DD0
:00403AF9 85C0 test eax, eax // eax=0
:00403AFB A390A04400 mov dword ptr [0044A090], eax // here: eax=1 means registered
:00403B00 7540 jne 00403B42 // jumps if eax=1
:00403B02 50 push eax
:00403B03 8D4C2408 lea ecx, dword ptr [esp+08]
:00403B07 E8649F0000 call 0040DA70
:00403B0C 8D4C2404 lea ecx, dword ptr [esp+04]
:00403B10 C744246800000000 mov [esp+68], 00000000
:00403B18 E878810200 call 0042BC95
:00403B1D 8D4C2404 lea ecx, dword ptr [esp+04]
:00403B21 C7442468FFFFFFFF mov [esp+68], FFFFFFFF
:00403B29 E83A7E0200 call 0042B968
:00403B2E 33C0 xor eax, eax
:00403B30 5E pop esi
:00403B31 8B4C245C mov ecx, dword ptr [esp+5C]
:00403B35 64890D00000000 mov dword ptr fs:[00000000], ecx
:00403B3C 83C468 add esp, 00000068
:00403B3F C20400 ret 0004
-------------------------------------------------------------------------------------------
Load the original program (amm.exe) in OllyDbg and change these lines
00403AF9 85C0 test eax, eax
:00403AFB A390A04400 mov dword ptr [0044A090], eax
:00403B00 7540 jne 00403B42
to:
00403AF9 B8 01000000 MOV EAX,1
00403AFE A3 90A04400 MOV DWORD PTR DS:[44A090],EAX
00403B03 EB 3D JMP SHORT amm_exe_.00403B42
After this change the code below is affected, because the instruction lengths differ (test eax, eax is 2 bytes, MOV EAX,1 is 5 bytes). But that no longer matters: we have already jumped ^--^
Right-click in the OllyDbg disassembly window, choose Copy to executable -> All modifications, save it as amm1.exe and run it. How about that? Not bad ^-^
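As an added example (not part of the original post), the script below takes the original and patched bytes quoted above, at the addresses quoted above, and works out exactly why the longer patch "affects the code below": which original instructions its 12 bytes overwrite, that the lea at 00403B03 is only partly overwritten (its tail is left behind as orphaned bytes), and that both the original jne and the replacement jmp short land at 00403B42. The Insn helper and the function names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    """One instruction as listed in the post: address, encoded bytes, mnemonic text."""
    addr: int
    raw: bytes
    text: str

    @property
    def end(self) -> int:
        # Address of the byte just past this instruction (= next instruction, if contiguous).
        return self.addr + len(self.raw)


# Bytes and addresses copied from the W32Dasm listing in the post (before the patch).
ORIGINAL = [
    Insn(0x00403AF9, bytes.fromhex("85C0"), "test eax, eax"),
    Insn(0x00403AFB, bytes.fromhex("A390A04400"), "mov dword ptr [0044A090], eax"),
    Insn(0x00403B00, bytes.fromhex("7540"), "jne 00403B42"),
    Insn(0x00403B02, bytes.fromhex("50"), "push eax"),
    Insn(0x00403B03, bytes.fromhex("8D4C2408"), "lea ecx, dword ptr [esp+08]"),
    Insn(0x00403B07, bytes.fromhex("E8649F0000"), "call 0040DA70"),
]

# Bytes and addresses copied from the OllyDbg listing in the post (the patch).
PATCH = [
    Insn(0x00403AF9, bytes.fromhex("B801000000"), "mov eax, 1"),
    Insn(0x00403AFE, bytes.fromhex("A390A04400"), "mov dword ptr [0044A090], eax"),
    Insn(0x00403B03, bytes.fromhex("EB3D"), "jmp short 00403B42"),
]


def is_contiguous(insns):
    """True if every instruction starts exactly where the previous one ends."""
    return all(a.end == b.addr for a, b in zip(insns, insns[1:]))


def byte_span(insns):
    """(first address, one past the last address) covered by the listed instructions."""
    return insns[0].addr, insns[-1].end


def short_jump_target(insn):
    """Target of a rel8 jump (EB xx / 7x xx): address after the jump + signed 8-bit displacement."""
    disp = int.from_bytes(insn.raw[-1:], "little", signed=True)
    return insn.end + disp


def overwritten(patch, original):
    """Original instructions whose bytes overlap the region the patch writes."""
    lo, hi = byte_span(patch)
    return [i for i in original if i.addr < hi and i.end > lo]


def partially_overwritten(patch, original):
    """Original instructions only partly covered by the patch: their remaining bytes
    are orphaned and a disassembler will decode them as something else."""
    lo, hi = byte_span(patch)
    return [i for i in overwritten(patch, original) if i.addr < lo or i.end > hi]


def main():
    lo, hi = byte_span(PATCH)
    print(f"patch writes {hi - lo} bytes at {lo:08X}..{hi - 1:08X}; "
          f"the three original instructions took {ORIGINAL[2].end - ORIGINAL[0].addr}")
    partial = partially_overwritten(PATCH, ORIGINAL)
    for i in overwritten(PATCH, ORIGINAL):
        tag = "partly" if i in partial else "fully"
        print(f"  {i.addr:08X} {i.raw.hex().upper():<12} {i.text:<34} {tag} overwritten")
    print(f"original jne -> {short_jump_target(ORIGINAL[2]):08X}")
    print(f"patched  jmp -> {short_jump_target(PATCH[2]):08X}")


if __name__ == "__main__":
    main()
```

The report shows the 12-byte patch covering what used to be 9 bytes of code plus push eax plus the first two bytes of lea ecx,[esp+08]; since the patched jmp short is unconditional, execution never reaches those clobbered bytes, which is why the post can say it does not matter.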
--------------------------------------------------------------------------------------------------------
I originally thought it was enough for the flag not to be 0, so I changed test eax,eax to not eax, which does not affect the code below, but that caused a lot of problems. Also, if the original program were like this:
00403AF9 85C0 test eax, eax
:00403AFB A390A04400 mov dword ptr [0044A090], eax
:00403B00 7540 je 00403B42 // this is different
how should it be changed?
I hope the experts can give some guidance.