Novice hack tutorial: Winaudiorecorder hack (with keygen)

(Don't ask me why I don't write articles in 52, don't ask me!) ）

The article finally comes with this tutorial Winaudiorecorder software official version and register machine, for everyone to learn to communicate use

0x00. Breaking information

"Software name": Winaudio Recorder

"Version Info": 2.2.2.0

"Writing language": Microsoft Visual C + + 7.0 (Peid recognition)

"Software Introduction": An easy-to-use high-quality sound recording software. The ability to record audio information played by various Windows applications with complete CD quality. Audio signals are also supported from the microphone/cassette/videotape or other input devices.

"Cracked content": the software is not registered in the normal use, but the recording function can only record 1 minutes of audio files, registration will cancel this limit.

"Hack tool": Peid, ollydbg

0x01. Prepare before cracking

First open the Setup program to install properly

After the installation is complete, go to the software home directory and run the main program.

The following interface appears, stating that the trial version can only record audio files that generate less than 1 minutes, or click "Buy Now" to jump to a page to purchase a registration code:

Purchase page

(Hehe,25usd=161rmb Ah, but can only record 1 minutes of audio, not as much as other free software ...) ）

Then we can only crack it, we use Peid to check the shell:

Is the language of the Microsoft Visual C + + 7.0 , which is not shell, and is relatively simple.

Then run the validation process and look for the contents of the relevant echo string, as follows:

" Please inputcorrect User name! "

" Please Inputcorrect registration code! "

These two strings will serve as a starting point for our hack work.

This is the end of the preparation work, and then we begin to crack the username and registration code.

0x02. Cracking process

Using ollydbg to load the software main program, click F9 once to enter the program entrance

Find a string using the Ultra string Reference plug-in (no self-downloading installation), you can search "please" and find the two strings we saw earlier.

Double-click on the corresponding code snippet, this should be the code part of the Verification registration code, first in this add a breakpoint, rerun, enter an easy to observe test user name:123456, registration code:qwerty (Do not know whether the registration code is digital or English, first try), came to the location of the breakpoint just now

I went through it. found that the user name is greater than or equal to 2 bytes , and the registration code is greater than or equal to 8 bytes , the condition of the user name is satisfied, But the registration code length is not enough to jump to the registration failed, early end of the verification.

Second attempt, enter test user name:12345678, registration code:QWERTYUIOP

Successfully enter the verification section, follow the F7 step, observe each step of the assembly code and register changes

The mechanism for checking the user name is as follows: Starting with the 1th byte of the user name, a series of operations are performed in bytes, and the results are saved, and the result is estimated as a real registration code, which is explained in detail later .

Let's go through the steps and make the necessary comments to record the actions that are performed at each step.

After the user name check is complete, the registration code is then verified.

For the registration code verification is relatively simple, the first is to determine whether the registration code reached 8 bits, this code is very redundant, a judge until 8, and then walk here, only to start comparing the registration code

Compared to the first bit obviously wrong, reached a farther jump "0040f38e", arrived here

should be jumping to register failed code, but again the first bit of the registration code comparison , continue to follow, found the following situation:

Registration Code 1th and 0x33 (' 8 ') comparison

Registration code 2nd and 0x33 (' 3 ') comparison

Registration Code 3rd and 0x36 (' 6 ') comparison

Registration Code 4th and 0x36 (' 6 ') comparison

Registration Code 5th and 0x36 (' 6 ') comparison

Registration code 6th and 0x31 (' 1 ') comparison

Number 7th of the registration code compared to 0x34 (' 4 ')

Registration code 8th and 0x36 (' 6 ') comparison

This is obviously a dead hard code "83666146", did so long tracking results but get a fixed registration code (is not the front of so many comparisons is too redundant?). What's the use of a user name? ）

It can be registered for the moment, but this looks like a developer test with a Universal registration code .

Maybe the facts are not that simple.

Recall the previous steps, there has been the first comparison to jump out of the situation (that is, the farther jump), then speculate that this paragraph is the Real registration code Verification , we change the registration code to go again

This position begins to write edx corresponding to the registration code corresponding to the true value, step by step to get the final registration code, this confirms the speculation just now, the next need to understand the source of truth, that is, the calculation method of the registration code .

We go back to the user name of the inspection code snippet, can be a single step into the way, tracking each user name of the operation method, this time reflects the benefits of each step of the note , as follows:

eax= Section 1 -bit user name

eax=eax|0x52

eax=eax%0x0a

Section 1 bit Registration Code =eax

eax= Section 2 -bit user name

eax=eax|0x45

eax=eax%0x0a

Section 2 bit Registration Code =eax

eax= Section 1 -bit user name

eax=eax|0x43

eax=eax%0x0a

Section 3 bit Registration Code =eax

eax= Section 2 -bit user name

eax=eax|0x4f

eax=eax%0x0a

Section 4 bit Registration Code =eax

eax= loop for each user name ASCII sum

eax=eax%0x0a

Section 5 bit Registration Code =eax

After that, the registration code is generated, but the initial registration code must not be less than 8 , so we have to randomly fill in a paragraph, for simplicity we only add the last 3, of course, we can add more bits.

At this point the cracking process is over, and then we can write the registration machine algorithm.

0x03. Register machine algorithm

According to the assembly code above, we write the algorithm of the registration code:

char[] key = new Char[9];key[0] = (char) ((name[0] | 0x52)% + 0x30); key[1] = (char) ((name[1] | 0x45)% + 0x30); key[2 ] = (char) ((name[0] | 0x43)% + 0x30) key[3] = (char) ((name[1] | 0x4f)% + 0x30); key[4] = (char) (value% + 0x30); Value is a bitwise user-name ASCII summation//6th, 7, 8 bits are generated in the form of the first 5-bit checksum, ensuring different user names are generated, but generating the same key[5] = (char) (((char) (key[0]+key[1]+key[2]) for the same user name -0x30)% + 0x30) key[6] = (char) (((char) (key[0] + key[2] + key[4])-0x30)% + 0x30); key[7] = (char) (((char) (key[ 1] + key[3] + key[4])-0x30)% + 0x30); key[8] = ' 0x30 ';//The reason for the reduction is only to convert the input string to an int type and then perform the operation

0x04. Write a registration machine

"Writing language": C #. Net

"Build Environment": vs2015

"Language framework":. Net Framework4.5.2

The above algorithm is added to the function, encapsulated in the program, convenient and quick interaction to provide a good registration algorithm calculation.

Registration Machine Interface:

Operating conditions:

Enter 12345678 in the "User Name" box and click the "Generate" button

This will get the user name 12345678 The Real registration code 59570562

Registration Successful!

WinAudioRecorder2.2.2 (official version): http://download.csdn.net/detail/kalbertlee/9496545 winaudiorecorder keygen:/http download.csdn.net/detail/kalbertlee/9496556

Novice hack tutorial: Winaudiorecorder hack (with keygen)