- UID
- 63373
注册时间2009-11-1
阅读权限10
最后登录1970-1-1
周游历练
该用户从未签到
|
今天截取个MP3做手机铃声下载了这软件`
软件被汉化过的`是老外的东西
居然还要注册`
我就分析了下`注册流程搞不懂
爆破了下
去处了注册窗口可60秒限制
本人很菜
大牛不要见笑哈`
Cooolsoft MP3 Cutter 是一个功能强大的音频格式处理软件,程序可以帮你从
MP3 和 WAV 文件中截取任何一段音频并直接保存为 MP3 或者 WAV 格式,时间可
以精确到毫秒!并支持对 MP3 以不同的比特率重新进行压缩!非常实用!
Cooolsoft MP3 Cutter 还自带了一个批量输出器,帮助你按照设定好的选取方式
批量输出要截取的文件。
软件下载地址 thunder://QUFodHRwOi8vOS5nZGR4My5jcnNreS5jb20vMjAwOTA5L01QM1NvdW5kQ3V0dGVyMTQxX09GQS5yYXJaWg==
查壳
Borland Delphi 4.0 - 5.0 [Overlay]
OD载入分析
F9运行软件`
然后F12暂停
调用堆栈 , 项目 3
地址=0151FDC0
堆栈=0044AD78
程序过程 / 参数=mp3cutte.0044DA8C
调用来自=mp3cutte.0044AD73
结构=0151FE10
显示调用
跟踪到这
0047724C /. 55 PUSH EBP
0047724D |. 8BEC MOV EBP,ESP
0047724F |. 83C4 F8 ADD ESP,-8
00477252 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00477255 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00477258 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047725B |. E8 F8FEFFFF CALL mp3cutte.00477158
00477260 |. 8B15 286A4C00 MOV EDX,DWORD PTR DS:[4C6A28]
00477266 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00477269 |. 8B80 48030000 MOV EAX,DWORD PTR DS:[EAX+348]
0047726F |. E8 5096FEFF CALL mp3cutte.004608C4
00477274 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00477277 |. E8 9C180000 CALL mp3cutte.00478B18
0047727C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047727F |. 8A90 8D040200 MOV DL,BYTE PTR DS:[EAX+2048D]
00477285 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00477288 |. 8B80 F0030000 MOV EAX,DWORD PTR DS:[EAX+3F0]
0047728E |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00477290 |. FF91 B8000000 CALL DWORD PTR DS:[ECX+B8]
00477296 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00477299 |. 8A90 8E040200 MOV DL,BYTE PTR DS:[EAX+2048E]
0047729F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004772A2 |. 8B80 F4030000 MOV EAX,DWORD PTR DS:[EAX+3F4]
004772A8 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004772AA |. FF91 B8000000 CALL DWORD PTR DS:[ECX+B8]
004772B0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004772B3 |. 8A90 8D040200 MOV DL,BYTE PTR DS:[EAX+2048D]
004772B9 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004772BC |. 8B80 94030000 MOV EAX,DWORD PTR DS:[EAX+394]
004772C2 |. E8 418CFCFF CALL mp3cutte.0043FF08
004772C7 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004772CA |. 8A90 8E040200 MOV DL,BYTE PTR DS:[EAX+2048E]
004772D0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004772D3 |. 8B80 98030000 MOV EAX,DWORD PTR DS:[EAX+398]
004772D9 |. E8 2A8CFCFF CALL mp3cutte.0043FF08
004772DE |. E8 A572FEFF CALL mp3cutte.0045E588
004772E3 |. 84C0 TEST AL,AL
004772E5 75 31 JNZ SHORT mp3cutte.00477318 不跳就弹出注册框
所以这里我们改JMP
004772E7 |. 33C9 XOR ECX,ECX
004772E9 |. B2 01 MOV DL,1
004772EB |. A1 90C74600 MOV EAX,DWORD PTR DS:[46C790]
004772F0 |. E8 EFF8FCFF CALL mp3cutte.00446BE4
这样就可以跳过注册框了
但还是有60秒的限制
我们再来看下
上面的代码就不做分析了`
因为我也不懂得分析
各位不要笑哈`
经过字符串分析
找到了这里
00477558 /$ 55 PUSH EBP
00477559 |. 8BEC MOV EBP,ESP
0047755B |. 33C9 XOR ECX,ECX
0047755D |. 51 PUSH ECX
0047755E |. 51 PUSH ECX
0047755F |. 51 PUSH ECX
00477560 |. 51 PUSH ECX
00477561 |. 51 PUSH ECX
00477562 |. 51 PUSH ECX
00477563 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00477566 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00477569 |. 33C0 XOR EAX,EAX
0047756B |. 55 PUSH EBP
0047756C |. 68 7E764700 PUSH mp3cutte.0047767E
00477571 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00477574 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00477577 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047757A |. 83B8 28040000>CMP DWORD PTR DS:[EAX+428],0
00477581 |. 75 1F JNZ SHORT mp3cutte.004775A2
00477583 |. 6A 10 PUSH 10
00477585 |. 68 8C764700 PUSH mp3cutte.0047768C ; 错误
0047758A |. 68 94764700 PUSH mp3cutte.00477694 ; 未打开文件
0047758F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00477592 |. E8 95E4FBFF CALL mp3cutte.00435A2C
00477597 |. 50 PUSH EAX ; |hOwner
00477598 |. E8 03F9F8FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0047759D |. E9 C1000000 JMP mp3cutte.00477663
004775A2 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004775A5 |. 8B80 54040000 MOV EAX,DWORD PTR DS:[EAX+454]
004775AB |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004775AE |. 8982 58040000 MOV DWORD PTR DS:[EDX+458],EAX
004775B4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004775B7 |. E8 F0140000 CALL mp3cutte.00478AAC
004775BC |. 84C0 TEST AL,AL
004775BE |. 75 17 JNZ SHORT mp3cutte.004775D7
004775C0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004775C3 |. 8B80 5C040000 MOV EAX,DWORD PTR DS:[EAX+45C]
004775C9 |. 2D 60EA0000 SUB EAX,0EA60
004775CE |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004775D1 |. 8982 58040000 MOV DWORD PTR DS:[EDX+458],EAX
004775D7 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004775DA |. 80B8 8D040200>CMP BYTE PTR DS:[EAX+2048D],0
004775E1 |. 74 3C JE SHORT mp3cutte.0047761F
004775E3 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004775E6 |. 8B80 54040000 MOV EAX,DWORD PTR DS:[EAX+454]
004775EC |. B9 E8030000 MOV ECX,3E8
004775F1 |. 99 CDQ
004775F2 |. F7F9 IDIV ECX
004775F4 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004775F7 |. E8 70F8FEFF CALL mp3cutte.00466E6C
004775FC |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
004775FF |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00477602 |. BA AC764700 MOV EDX,mp3cutte.004776AC ; 起始位置:
00477607 |. E8 04C8F8FF CALL mp3cutte.00403E10
0047760C |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0047760F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00477612 |. 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
00477618 |. E8 6783FBFF CALL mp3cutte.0042F984
0047761D |. EB 3C JMP SHORT mp3cutte.0047765B
0047761F |> 68 AC764700 PUSH mp3cutte.004776AC ; 起始位置:
00477624 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00477627 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047762A |. 8B80 54040000 MOV EAX,DWORD PTR DS:[EAX+454]
00477630 |. E8 0F0FF9FF CALL mp3cutte.00408544
00477635 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00477638 |. 68 C2764700 PUSH mp3cutte.004776C2 ; 毫秒
0047763D |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00477640 |. BA 03000000 MOV EDX,3
00477645 |. E8 3AC8F8FF CALL mp3cutte.00403E84
0047764A |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0047764D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00477650 |. 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
00477656 |. E8 2983FBFF CALL mp3cutte.0042F984
0047765B |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047765E |. E8 E5030000 CALL mp3cutte.00477A48
00477663 |> 33C0 XOR EAX,EAX
00477665 |. 5A POP EDX
00477666 |. 59 POP ECX
00477667 |. 59 POP ECX
00477668 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0047766B |. 68 85764700 PUSH mp3cutte.00477685
00477670 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00477673 |. BA 04000000 MOV EDX,4
00477678 |. E8 EBC4F8FF CALL mp3cutte.00403B68
0047767D \. C3 RETN
我们短下文件头 再分析下
载入一首歌曲
我们来分析下004775A5 |. 8B80 54040000 MOV EAX,DWORD PTR DS:[EAX+454]
004775AB |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004775AE |. 8982 58040000 MOV DWORD PTR DS:[EDX+458],EAX
004775B4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004775B7 |. E8 F0140000 CALL mp3cutte.00478AAC
分析到这CALL
下个断点
00478AAC /$ 55 PUSH EBP
00478AAD |. 8BEC MOV EBP,ESP
00478AAF |. 83C4 F8 ADD ESP,-8
00478AB2 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00478AB5 |. C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
00478AB9 |. A1 60DA4700 MOV EAX,DWORD PTR DS:[47DA60]
00478ABE |. 8038 00 CMP BYTE PTR DS:[EAX],0
00478AC1 75 4E JNZ SHORT mp3cutte.00478B11 经过几次测试后60秒前跳 60秒后不跳` 我们直接改跳
00478AC3 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00478AC6 |. 8B80 5C040000 MOV EAX,DWORD PTR DS:[EAX+45C]
00478ACC |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00478ACF |. 2B82 58040000 SUB EAX,DWORD PTR DS:[EDX+458]
00478AD5 |. 3D 60EA0000 CMP EAX,0EA60
00478ADA |. 7E 35 JLE SHORT mp3cutte.00478B11
00478ADC |. C645 FB 00 MOV BYTE PTR SS:[EBP-5],0
00478AE0 |. 33C9 XOR ECX,ECX
00478AE2 |. B2 01 MOV DL,1
00478AE4 |. A1 90C74600 MOV EAX,DWORD PTR DS:[46C790]
00478AE9 |. E8 F6E0FCFF CALL mp3cutte.00446BE4
00478AEE |. 8B15 5CDA4700 MOV EDX,DWORD PTR DS:[47DA5C] ; mp3cutte.0047E958
00478AF4 |. 8902 MOV DWORD PTR DS:[EDX],EAX
00478AF6 |. A1 5CDA4700 MOV EAX,DWORD PTR DS:[47DA5C]
00478AFB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00478AFD |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
00478AFF |. FF92 D8000000 CALL DWORD PTR DS:[EDX+D8]
00478B05 |. A1 5CDA4700 MOV EAX,DWORD PTR DS:[47DA5C]
00478B0A |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00478B0C |. E8 4FA3F8FF CALL mp3cutte.00402E60
OK 这软件就没限制了`
本人菜`
如有地方不对请大家不要见笑
希望大牛们可以分析下注册流程` |
评分
-
查看全部评分
|
IP卡
发表于 2009-11-18 01:13:19
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-11-20 11:21:00
发表于 2009-11-20 13:04:28
楼主