Soundop Audio Editor 1.7.10.0分析爆破

speedboy

1、搜索“trial”，得到如下信息。

[Asm] 纯文本查看 复制代码

00663955  push Soundop.008A3490  ?ref=trial

2、双击此行来到反汇编区。

[Asm] 纯文本查看 复制代码

006638A0  /$  55                     push ebp
006638A1  |.  8BEC                   mov ebp,esp
006638A3  |.  6A FF                  push -0x1
006638A5  |.  68 886E8500            push Soundop.00856E88
006638AA  |.  64:A1 00000000         mov eax,dword ptr fs:[0]
006638B0  |.  50                     push eax                                 ;  kernel32.BaseThreadInitThunk
006638B1  |.  83EC 08                sub esp,0x8
006638B4  |.  56                     push esi
006638B5  |.  57                     push edi
006638B6  |.  A1 58759000            mov eax,dword ptr ds:[0x907558]
006638BB  |.  33C5                   xor eax,ebp
006638BD  |.  50                     push eax                                 ;  kernel32.BaseThreadInitThunk
006638BE  |.  8D45 F4                lea eax,[local.3]
006638C1  |.  64:A3 00000000         mov dword ptr fs:[0],eax                 ;  kernel32.BaseThreadInitThunk
006638C7  |.  E8 5B151700            call Soundop.007D4E27
006638CC  |.  8B70 04                mov esi,dword ptr ds:[eax+0x4]
006638CF  |.  66:83BE D8000000 01    cmp word ptr ds:[esi+0xD8],0x1
006638D7  |.  0F84 69010000          je Soundop.00663A46
006638DD  |.  E8 BE071700            call Soundop.007D40A0
006638E2  |.  8BC8                   mov ecx,eax                              ;  kernel32.BaseThreadInitThunk
006638E4  |.  85C9                   test ecx,ecx
006638E6  |.  0F84 6B010000          je Soundop.00663A57
006638EC  |.  8B01                   mov eax,dword ptr ds:[ecx]
006638EE  |.  8B50 0C                mov edx,dword ptr ds:[eax+0xC]
006638F1  |.  3D FCC08600            cmp eax,Soundop.0086C0FC
006638F6  |.  0F85 65010000          jnz Soundop.00663A61
006638FC  |.  F0:FF41 14             lock inc dword ptr ds:[ecx+0x14]
00663900  |.  8D41 08                lea eax,dword ptr ds:[ecx+0x8]
00663903  |>  83C0 10                add eax,0x10
00663906  |.  8945 F0                mov [local.4],eax                        ;  kernel32.BaseThreadInitThunk
00663909  |.  B8 EC338A00            mov eax,Soundop.008A33EC                 ;  [url]https://ivosight.com/purchase/[/url]
0066390E  |.  C745 FC 00000000       mov [local.1],0x0
00663915  |.  8D4D F0                lea ecx,[local.4]
00663918  |.  A9 0000FFFF            test eax,0xFFFF0000
0066391D  |.  75 0B                  jnz short Soundop.0066392A
0066391F  |.  0FB7C0                 movzx eax,ax
00663922  |.  50                     push eax                                 ;  kernel32.BaseThreadInitThunk
00663923  |.  E8 1883DAFF            call Soundop.0040BC40
00663928  |.  EB 0C                  jmp short Soundop.00663936
0066392A  |>  6A 1E                  push 0x1E
0066392C  |.  68 EC338A00            push Soundop.008A33EC                    ;  [url]https://ivosight.com/purchase/[/url]
00663931  |.  E8 4A87DAFF            call Soundop.0040C080
00663936  |>  C745 FC 01000000       mov [local.1],0x1
0066393D  |.  8D4D F0                lea ecx,[local.4]
00663940  |.  66:83BE F0000000 00    cmp word ptr ds:[esi+0xF0],0x0
00663948  |.  74 09                  je short Soundop.00663953
0066394A  |.  6A 09                  push 0x9
0066394C  |.  68 2C348A00            push Soundop.008A342C                    ;  ?ref=demo
00663951  |.  EB 07                  jmp short Soundop.0066395A
00663953  |>  6A 0A                  push 0xA
00663955  |.  68 90348A00            push Soundop.008A3490                    ;  ?ref=trial

3、上溯分析，关键跳转为 je Soundop.00663A46，所以上一行的比较 cmp word ptr ds:[esi+0xD8],0x1 中ds:[esi+0xD8]=1时，跳转实现，在cmp word ptr ds:[esi+0xD8],0x1上 右键——查找参考——地址常量 找到给ds:[esi+0xD8]赋值的语句。

[Asm] 纯文本查看 复制代码

000000D8  00663018  mov word ptr ds:[esi+0xD8],ax

4、在赋值语句上双击来到反汇编区，发现mov word ptr ds:[esi+0xD8],ax的上一行是一个Call，F7跟进分析。

[Asm] 纯文本查看 复制代码

00662FD0   .  55                     push ebp
00662FD1   .  8BEC                   mov ebp,esp
00662FD3   .  6A FF                  push -0x1
00662FD5   .  68 406E8500            push Soundop.00856E40
00662FDA   .  64:A1 00000000         mov eax,dword ptr fs:[0]
00662FE0   .  50                     push eax                                 ;  kernel32.BaseThreadInitThunk
00662FE1   .  81EC B8030000          sub esp,0x3B8
00662FE7   .  A1 58759000            mov eax,dword ptr ds:[0x907558]
00662FEC   .  33C5                   xor eax,ebp
00662FEE   .  8945 F0                mov dword ptr ss:[ebp-0x10],eax          ;  kernel32.BaseThreadInitThunk
00662FF1   .  56                     push esi
00662FF2   .  57                     push edi
00662FF3   .  50                     push eax                                 ;  kernel32.BaseThreadInitThunk
00662FF4   .  8D45 F4                lea eax,dword ptr ss:[ebp-0xC]
00662FF7   .  64:A3 00000000         mov dword ptr fs:[0],eax                 ;  kernel32.BaseThreadInitThunk
00662FFD   .  8BF1                   mov esi,ecx
00662FFF   .  89B5 84FCFFFF          mov dword ptr ss:[ebp-0x37C],esi
00663005   .  E8 C6110000            call Soundop.006641D0
0066300A   .  85C0                   test eax,eax                             ;  kernel32.BaseThreadInitThunk
0066300C   .  74 77                  je short Soundop.00663085
0066300E   .  E8 3D8DF5FF            call Soundop.005BBD50
00663013   .  E8 5891F5FF            call Soundop.005BC170                    ;  》关键Call，F7跟进分析，使返回的ax=1
00663018   .  66:8986 D8000000       mov word ptr ds:[esi+0xD8],ax
0066301F   .  8D85 7CFCFFFF          lea eax,dword ptr ss:[ebp-0x384]

5、经过分析，只要修改【1】处，使得al=1即可实现破解

[Asm] 纯文本查看 复制代码

005BC170  /$  55                     push ebp
005BC171  |.  8BEC                   mov ebp,esp
005BC173  |.  81EC 04010000          sub esp,0x104
005BC179  |.  A1 58759000            mov eax,dword ptr ds:[0x907558]
………………
………………
………………
005BC191  |.  85F6                   test esi,esi
005BC193  |.  7F 5A                  jg short Soundop.005BC1EF
005BC195  |.  68 00010000            push 0x100
005BC19A  |.  8D85 FCFEFFFF          lea eax,[local.65]
005BC1A0  |.  50                     push eax                                 ;  kernel32.BaseThreadInitThunk
005BC1A1  |.  68 F09C8900            push Soundop.00899CF0                    ;  EVAL_CODE
005BC1A6  |.  FF15 B01A9200          call dword ptr ds:[0x921AB0]
005BC1AC  |.  B9 709D8900            mov ecx,Soundop.00899D70                 ;  1
005BC1B1  |.  8D85 FCFEFFFF          lea eax,[local.65]
005BC1B7  |>  8A10                   /mov dl,byte ptr ds:[eax]
005BC1B9  |.  3A11                   |cmp dl,byte ptr ds:[ecx]
005BC1BB  |.  75 1A                  |jnz short Soundop.005BC1D7
005BC1BD  |.  84D2                   |test dl,dl
005BC1BF  |.  74 12                  |je short Soundop.005BC1D3
005BC1C1  |.  8A50 01                |mov dl,byte ptr ds:[eax+0x1]
005BC1C4  |.  3A51 01                |cmp dl,byte ptr ds:[ecx+0x1]
005BC1C7  |.  75 0E                  |jnz short Soundop.005BC1D7
005BC1C9  |.  83C0 02                |add eax,0x2
005BC1CC  |.  83C1 02                |add ecx,0x2
005BC1CF  |.  84D2                   |test dl,dl
005BC1D1  |.^ 75 E4                  \jnz short Soundop.005BC1B7
005BC1D3  |>  33C0                   xor eax,eax                              ;  kernel32.BaseThreadInitThunk
005BC1D5  |.  EB 05                  jmp short Soundop.005BC1DC
005BC1D7  |>  1BC0                   sbb eax,eax                              ;  kernel32.BaseThreadInitThunk
005BC1D9  |.  83C8 01                or eax,0x1
005BC1DC  |>  85C0                   test eax,eax                             ;  kernel32.BaseThreadInitThunk
005BC1DE  |.  75 0F                  jnz short Soundop.005BC1EF
005BC1E0  |.  5E                     pop esi                                  ;  kernel32.74E0344D
005BC1E1  |.  8B4D FC                mov ecx,[local.1]
005BC1E4  |.  33CD                   xor ecx,ebp
005BC1E6  |.  E8 210F2500            call Soundop.0080D10C
005BC1EB  |.  8BE5                   mov esp,ebp
005BC1ED  |.  5D                     pop ebp                                  ;  kernel32.74E0344D
005BC1EE  |.  C3                     retn
005BC1EF  |>  83FE 04                cmp esi,0x4
005BC1F2  |.  75 0B                  jnz short Soundop.005BC1FF
005BC1F4  |.  68 009D8900            push Soundop.00899D00                    ;  P0193768-QAB:D58hetVYpTxgAUL6/6ZFG2NzG8I14/XSCK8OXTYkrVbpsM+jqbUadIJbB73gZZNxtu2ajoNw3ff9q1NKYUFwoN
005BC1F9  |.  FF15 B41A9200          call dword ptr ds:[0x921AB4]
005BC1FF  |>  8B4D FC                mov ecx,[local.1]
005BC202  |.  33C0                   xor eax,eax                              ;  
005BC204  |.  85F6                   test esi,esi
005BC206  |.  5E                     pop esi                                  ;  kernel32.74E0344D
005BC207  |.  0F9EC0                 setle al                                 》【1】
005BC20A  |.  33CD                   xor ecx,ebp
005BC20C  |.  E8 FB0E2500            call Soundop.0080D10C
005BC211  |.  8BE5                   mov esp,ebp
005BC213  |.  5D                     pop ebp                                  ;  kernel32.74E0344D
005BC214  \.  C3                     retn

6、破解后

夏520

软件是好，但英文是个伤

lgx20010609

感谢楼主分享

blindcat

学习了，感谢分享

zhuyanxiang

非常棒的学习知识，谢谢大佬

djxding

非常好的教程。
马上去下载软件，然后按大牛的步骤一步一步的操作学习。

感谢分享。

halewandering

总算看明白了，谢谢分享！

youtao6256

大佬，你好，我现在工作需要用到这款软件，挺好用，但是正版太贵了，要699。用了你的破解版，但是发现一些问题，没有破解彻底，下面就发现的现象描述一下。安装此正版软件已经过期，使用破解版保存，或者另存为音频文件，每隔15秒都会有静音。我把测试用到的软件和音频都放在了蓝奏盘里。

测试文件地址：https://wwa.lanzouo.com/ij1gDxg4y8f

官网地址：https://ivosight.com/soundop/download/?ref=updates