- UID
- 26554
注册时间2007-1-1
阅读权限20
最后登录1970-1-1
以武会友
 
TA的每日心情 | 开心
2023-2-21 15:52 |
|---|
签到天数: 30 天 [LV.5]常住居民I
|
【破文标题】《Wave Corrector pro 3.31》算法简单分析
【破文作者】水中花
【作者邮箱】
【作者主页】
【破解工具】OD
【破解平台】sp2
【软件名称】Wave Corrector pro 3.31
【软件大小】
【原版下载】http://www.newhua.com/soft/19853.htm
【保护方式】序列号
【软件简介】可以将录音文件保存为WAV格式。然后,Wave Corrector会显示一张音频曲线图,里面会显示原始声音曲线和经过修正后的声音曲线。你可以放大曲线图来添加或者删除修正。
【破解声明】新手写得不好,请指教。
------------------------------------------------------------------------
【破解过程】用字符串参考查找可下断,到此
.
.
.
004137F6 . 03C7 add eax, edi
004137F8 . 41 inc ecx
004137F9 . 3BCE cmp ecx, esi
004137FB .^ 7C E5 jl short WaveCor.004137E2
004137FD > 99 cdq
004137FE . B9 1A000000 mov ecx, 1A
00413803 . F7F9 idiv ecx
00413805 . 8BCD mov ecx, ebp
00413807 . 8BFA mov edi, edx
00413809 . 83C7 41 add edi, 41
0041380C . E8 9FFAFFFF call WaveCor.004132B0 ; 算法关键call,跟进
00413811 . 8B95 C0000000 mov edx, dword ptr [ebp+C0]
00413817 . 8982 FC000000 mov dword ptr [edx+FC], eax
0041381D . 8B85 C0000000 mov eax, dword ptr [ebp+C0]
00413823 . 8B88 FC000000 mov ecx, dword ptr [eax+FC]
00413829 . 85C9 test ecx, ecx
0041382B . 74 21 je short WaveCor.0041384E 是个关键跳转,跳向出错处
0041382D . 83FB 08 cmp ebx, 8
00413830 . 0F84 8A000000 je WaveCor.004138C0 此处更改标志位也可破解成功
00413836 . 85F6 test esi, esi
00413838 . 7C 7C jl short WaveCor.004138B6
0041383A . 8B8424 900000>mov eax, dword ptr [esp+90]
00413841 . 3B70 F4 cmp esi, dword ptr [eax-C]
00413844 . 7F 70 jg short WaveCor.004138B6
00413846 . 0FBE0C06 movsx ecx, byte ptr [esi+eax]
0041384A . 3BF9 cmp edi, ecx
0041384C . 74 72 je short WaveCor.004138C0
0041384E > 8B15 FC7A5B00 mov edx, dword ptr [5B7AFC]
00413854 . 68 84384B00 push WaveCor.004B3884 ; /Arg3 = 004B3884
00413859 . 68 A85F4B00 push WaveCor.004B5FA8 ; |Arg2 = 004B5FA8 ASCII "UserName"
0041385E . 52 push edx ; |Arg1 => 00C72608 ASCII "Settings"
0041385F . 8BCD mov ecx, ebp ; |
00413861 . E8 164C0800 call WaveCor.0049847C ; \WaveCor.0049847C
00413866 . 6A 00 push 0
00413868 . 6A 00 push 0
0041386A . 68 B8624B00 push WaveCor.004B62B8 ; ASCII "You User Name or Key is invalid. Try Again."
0041386F . E8 024B0800 call WaveCor.00498376
00413874 . 8B4424 10 mov eax, dword ptr [esp+10]
00413878 . 83C0 F0 add eax, -10
0041387B . C68424 A00000>mov byte ptr [esp+A0], 0
00413883 . 8D48 0C lea ecx, dword ptr [eax+C]
00413886 . 83CA FF or edx, FFFFFFFF
00413889 . F0:0FC111 lock xadd dword ptr [ecx], edx
0041388D . 4A dec edx
0041388E . 85D2 test edx, edx
00413890 . 7F 08 jg short WaveCor.0041389A
00413892 . 8B08 mov ecx, dword ptr [eax]
00413894 . 8B11 mov edx, dword ptr [ecx]
00413896 . 50 push eax
00413897 . FF52 04 call dword ptr [edx+4]
0041389A > 8D4C24 20 lea ecx, dword ptr [esp+20]
0041389E . E8 89690700 call WaveCor.0048A22C
004138A3 . 83F8 01 cmp eax, 1
004138A6 .^ 0F84 84FEFFFF je WaveCor.00413730
004138AC . E9 68010000 jmp WaveCor.00413A19
004138B1 >^ E9 6AD8FEFF jmp WaveCor.00401120
004138B6 > 68 57000780 push 80070057
004138BB . E8 90D7FEFF call WaveCor.00401050
004138C0 > 6A 00 push 0
004138C2 . 6A 40 push 40
004138C4 . 68 60624B00 push WaveCor.004B6260 ; ASCII "Your Copy of Wave Corrector is now registered.",LF,"Thank You for registering this product."
004138C9 . E8 A84A0800 call WaveCor.00498376
004138CE . A1 FC7A5B00 mov eax, dword ptr [5B7AFC]
004138D3 . 6A 00 push 0
004138D5 . 68 A85F4B00 push WaveCor.004B5FA8 ; ASCII "UserName"
004138DA . 50 push eax
004138DB . 8D4C24 24 lea ecx, dword ptr [esp+24]
004138DF . 51 push ecx
004138E0 . 8BCD mov ecx, ebp
004138E2 . E8 601C0900 call WaveCor.004A5547
004138E7 . 50 push eax
004138E8 . 8D5424 18 lea edx, dword ptr [esp+18]
004138EC . 68 50624B00 push WaveCor.004B6250 ; ASCII "Registered to "
004138F1 . 52 push edx
004138F2 . C68424 AC0000>mov byte ptr [esp+AC], 2
004138FA . E8 41F4FEFF call WaveCor.00402D40
004138FF . 83C4 0C add esp, 0C
00413902 . 8B08 mov ecx, dword ptr [eax]
00413904 . 8BB5 BC000000 mov esi, dword ptr [ebp+BC]
0041390A . 8DBD BC000000 lea edi, dword ptr [ebp+BC]
00413910 . 8D41 F0 lea eax, dword ptr [ecx-10]
00413913 . 83EE 10 sub esi, 10
00413916 . 3BC6 cmp eax, esi
00413918 . C68424 A00000>mov byte ptr [esp+A0], 3
00413920 . 74 48 je short WaveCor.0041396A
.
.
.
算法关键call:
004132B0 $ 6A FF push -1
004132B2 . 68 10E24A00 push WaveCor.004AE210 ; SE 处理程序安装
004132B7 . 64:A1 0000000>mov eax, dword ptr fs:[0]
004132BD . 50 push eax
004132BE . 64:8925 00000>mov dword ptr fs:[0], esp
004132C5 . 83EC 18 sub esp, 18
004132C8 . A1 FC7A5B00 mov eax, dword ptr [5B7AFC]
004132CD . 53 push ebx
004132CE . 55 push ebp
004132CF . 56 push esi
004132D0 . 57 push edi
004132D1 . 33DB xor ebx, ebx
004132D3 . 53 push ebx
004132D4 . 8BF1 mov esi, ecx
004132D6 . 68 A85F4B00 push WaveCor.004B5FA8 ; ASCII "UserName"
004132DB . 50 push eax
004132DC . 8D4C24 24 lea ecx, dword ptr [esp+24]
004132E0 . 51 push ecx
004132E1 . 8BCE mov ecx, esi
004132E3 . 897424 34 mov dword ptr [esp+34], esi
004132E7 . E8 5B220900 call WaveCor.004A5547
004132EC . 8B15 FC7A5B00 mov edx, dword ptr [5B7AFC]
004132F2 . 53 push ebx
004132F3 . 68 4C624B00 push WaveCor.004B624C ; ASCII "Key"
004132F8 . 52 push edx
004132F9 . 8D4424 20 lea eax, dword ptr [esp+20]
004132FD . 50 push eax
004132FE . 8BCE mov ecx, esi
00413300 . 895C24 40 mov dword ptr [esp+40], ebx
00413304 . E8 3E220900 call WaveCor.004A5547
00413309 . 6A 08 push 8
0041330B . 8D4C24 24 lea ecx, dword ptr [esp+24]
0041330F . 51 push ecx
00413310 . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00413314 . C64424 38 01 mov byte ptr [esp+38], 1
00413319 . E8 E2F5FEFF call WaveCor.00402900
0041331E . 50 push eax
0041331F . 8D4C24 18 lea ecx, dword ptr [esp+18]
00413323 . C64424 34 02 mov byte ptr [esp+34], 2
00413328 . E8 03F8FEFF call WaveCor.00402B30 ; 获取假注册码
0041332D . 8B4424 20 mov eax, dword ptr [esp+20]
00413331 . 83C0 F0 add eax, -10
00413334 . C64424 30 01 mov byte ptr [esp+30], 1
00413339 . 8D50 0C lea edx, dword ptr [eax+C]
0041333C . 83C9 FF or ecx, FFFFFFFF
0041333F . F0:0FC10A lock xadd dword ptr [edx], ecx
00413343 . 49 dec ecx
00413344 . 85C9 test ecx, ecx
00413346 . 7F 08 jg short WaveCor.00413350
00413348 . 8B08 mov ecx, dword ptr [eax]
0041334A . 8B11 mov edx, dword ptr [ecx]
0041334C . 50 push eax
0041334D . FF52 04 call dword ptr [edx+4]
00413350 > 8B6C24 18 mov ebp, dword ptr [esp+18] ; 取输入的用户名
00413354 . 899E D8000000 mov dword ptr [esi+D8], ebx
0041335A . 8B5D F4 mov ebx, dword ptr [ebp-C] ; 取用户名长度
0041335D . 33C9 xor ecx, ecx
0041335F . 85DB test ebx, ebx
00413361 . BE 01000000 mov esi, 1 ; 赋esi初值为1
00413366 . BF 0F000000 mov edi, 0F ; 赋edi初值为0F
0041336B . 7E 2E jle short WaveCor.0041339B
0041336D . 8D49 00 lea ecx, dword ptr [ecx]
00413370 > 85C9 test ecx, ecx
00413372 . 0F8C D7020000 jl WaveCor.0041364F ; 以下循环取用户名的字符
00413378 . 3BCB cmp ecx, ebx :与用户名长度比较
0041337A . 0F8F CF020000 jg WaveCor.0041364F
00413380 . 0FBE0429 movsx eax, byte ptr [ecx+ebp]
00413384 . 99 cdq
00413385 . F7FF idiv edi ; 各字符的ascII/edi
00413387 . 8BC6 mov eax, esi
00413389 . 0FAFC6 imul eax, esi ; esi*esi
0041338C . 0FAFD7 imul edx, edi ; 余数*edi
0041338F . 03D0 add edx, eax ; edx+eax
00413391 . 41 inc ecx ; 指针加1
00413392 . 83C7 02 add edi, 2 ; edi+2
00413395 . 3BCB cmp ecx, ebx :与用户名升序比较
00413397 . 8BF2 mov esi, edx ; 计算所得的edx值存esi中
00413399 .^ 7C D5 jl short WaveCor.00413370
0041339B > 68 84384B00 push WaveCor.004B3884
004133A0 . 8D4C24 14 lea ecx, dword ptr [esp+14]
004133A4 . E8 F7FBFEFF call WaveCor.00402FA0
004133A9 . C64424 30 03 mov byte ptr [esp+30], 3
004133AE . C74424 1C 000>mov dword ptr [esp+1C], 0
004133B6 > 8B4C24 10 mov ecx, dword ptr [esp+10]
004133BA . 8B41 FC mov eax, dword ptr [ecx-4]
004133BD . 8B69 F4 mov ebp, dword ptr [ecx-C]
004133C0 . BA 01000000 mov edx, 1
004133C5 . 2BD0 sub edx, eax
004133C7 . 8B41 F8 mov eax, dword ptr [ecx-8]
004133CA . 8D7D 01 lea edi, dword ptr [ebp+1]
004133CD . 2BC7 sub eax, edi
004133CF . 0BC2 or eax, edx
004133D1 . 7D 0E jge short WaveCor.004133E1
004133D3 . 57 push edi
004133D4 . 8D4C24 14 lea ecx, dword ptr [esp+14]
004133D8 . E8 53DFFEFF call WaveCor.00401330
004133DD . 8B4C24 10 mov ecx, dword ptr [esp+10]
004133E1 > 33D2 xor edx, edx
004133E3 . 8BC6 mov eax, esi ;第一次为上面计算所得的值a,后面为esi的值
004133E5 . BB 1A000000 mov ebx, 1A :1A赋ebx
004133EA . F7F3 div ebx ; eax 除ebx
004133EC . 80C2 41 add dl, 41 ; 余数+41
004133EF . 85FF test edi, edi
004133F1 . 881429 mov byte ptr [ecx+ebp], dl ;转换为字符,存入[ecx+ebp]单元中,此单元为注册码
004133F4 . 0F8C 55020000 jl WaveCor.0041364F
004133FA . 8B4424 10 mov eax, dword ptr [esp+10]
004133FE . 3B78 F8 cmp edi, dword ptr [eax-8]
00413401 . 0F8F 48020000 jg WaveCor.0041364F
00413407 . 8978 F4 mov dword ptr [eax-C], edi
0041340A . 8B4C24 10 mov ecx, dword ptr [esp+10]
0041340E . B8 25499224 mov eax, 24924925
00413413 . F7E6 mul esi ;24924925*上面计算所得的值a
00413415 . 8B4424 1C mov eax, dword ptr [esp+1C]
00413419 . 2BF2 sub esi, edx ; esi-edx
0041341B . D1EE shr esi, 1 ; 右移1位
0041341D . 03F2 add esi, edx ; esi+edx
0041341F . C1EE 03 shr esi, 3 ; 右移3位
00413422 . 40 inc eax ; eax加1
00413423 . 83F8 08 cmp eax, 8 :循环8次,注册码为8位
00413426 . C6040F 00 mov byte ptr [edi+ecx], 0
0041342A . 894424 1C mov dword ptr [esp+1C], eax
0041342E .^ 7C 86 jl short WaveCor.004133B6
00413430 . 8B5424 14 mov edx, dword ptr [esp+14] :假码
00413434 . 8B4424 10 mov eax, dword ptr [esp+10] :真码
00413438 . 52 push edx
00413439 . 50 push eax
0041343A . E8 F9290600 call WaveCor.00475E38 ; 比较注册码
0041343F . 83C4 08 add esp, 8
00413442 . 85C0 test eax, eax
00413444 . 0F85 84000000 jnz WaveCor.004134CE ; 不等跳
0041344A . 8B4424 10 mov eax, dword ptr [esp+10]
0041344E . 83C0 F0 add eax, -10
00413451 . C64424 30 01 mov byte ptr [esp+30], 1
00413456 . 8D48 0C lea ecx, dword ptr [eax+C]
00413459 . 83CA FF or edx, FFFFFFFF
0041345C . F0:0FC111 lock xadd dword ptr [ecx], edx
00413460 . 4A dec edx
00413461 . 85D2 test edx, edx
00413463 . 7F 08 jg short WaveCor.0041346D
00413465 . 8B08 mov ecx, dword ptr [eax]
00413467 . 8B11 mov edx, dword ptr [ecx]
00413469 . 50 push eax
0041346A . FF52 04 call dword ptr [edx+4]
0041346D > 8B4424 14 mov eax, dword ptr [esp+14]
00413471 . 83C0 F0 add eax, -10
00413474 . C64424 30 00 mov byte ptr [esp+30], 0
00413479 . 8D48 0C lea ecx, dword ptr [eax+C]
0041347C . 83CA FF or edx, FFFFFFFF
0041347F . F0:0FC111 lock xadd dword ptr [ecx], edx
00413483 . 4A dec edx
00413484 . 85D2 test edx, edx
00413486 . 7F 08 jg short WaveCor.00413490
00413488 . 8B08 mov ecx, dword ptr [eax]
0041348A . 8B11 mov edx, dword ptr [ecx]
0041348C . 50 push eax
0041348D . FF52 04 call dword ptr [edx+4]
00413490 > 8B4424 18 mov eax, dword ptr [esp+18]
00413494 . 83C0 F0 add eax, -10
00413497 . C74424 30 FFF>mov dword ptr [esp+30], -1
0041349F . 8D48 0C lea ecx, dword ptr [eax+C]
004134A2 . 83CA FF or edx, FFFFFFFF
004134A5 . F0:0FC111 lock xadd dword ptr [ecx], edx
004134A9 . 4A dec edx
004134AA . 85D2 test edx, edx
004134AC . 7F 08 jg short WaveCor.004134B6
004134AE . 8B08 mov ecx, dword ptr [eax]
004134B0 . 8B11 mov edx, dword ptr [ecx]
004134B2 . 50 push eax
004134B3 . FF52 04 call dword ptr [edx+4]
004134B6 > 5F pop edi
004134B7 . 5E pop esi
004134B8 . 5D pop ebp
004134B9 . B8 01000000 mov eax, 1
004134BE . 5B pop ebx
004134BF . 8B4C24 18 mov ecx, dword ptr [esp+18]
004134C3 . 64:890D 00000>mov dword ptr fs:[0], ecx
004134CA . 83C4 24 add esp, 24
004134CD . C3 retn
------------------------------------------------------------------------
【破解总结】新手只能粗浅分析,软件的大概算法就如上面所分析的,什么时候做个VB注册机!
------------------------------------------------------------------------
[ 本帖最后由 水中花 于 2007-2-7 18:10 编辑 ] |
|
IP卡
发表于 2007-2-7 18:00:26
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2007-2-7 18:03:19
发表于 2007-2-7 18:43:34
