Soundop Audio Editor 1.7.10.0分析爆破
1、搜索“trial”,得到如下信息: 00663955 push Soundop.008A3490 ; ?ref=trial
2、双击此行来到反汇编区。
006638A0/$55 push ebp
006638A1|.8BEC mov ebp,esp
006638A3|.6A FF push -0x1
006638A5|.68 886E8500 push Soundop.00856E88
006638AA|.64:A1 00000000 mov eax,dword ptr fs:
006638B0|.50 push eax ;kernel32.BaseThreadInitThunk
006638B1|.83EC 08 sub esp,0x8
006638B4|.56 push esi
006638B5|.57 push edi
006638B6|.A1 58759000 mov eax,dword ptr ds:
006638BB|.33C5 xor eax,ebp
006638BD|.50 push eax ;kernel32.BaseThreadInitThunk
006638BE|.8D45 F4 lea eax,
006638C1|.64:A3 00000000 mov dword ptr fs:,eax ;kernel32.BaseThreadInitThunk
006638C7|.E8 5B151700 call Soundop.007D4E27
006638CC|.8B70 04 mov esi,dword ptr ds:
006638CF|.66:83BE D8000000 01 cmp word ptr ds:,0x1
006638D7|.0F84 69010000 je Soundop.00663A46
006638DD|.E8 BE071700 call Soundop.007D40A0
006638E2|.8BC8 mov ecx,eax ;kernel32.BaseThreadInitThunk
006638E4|.85C9 test ecx,ecx
006638E6|.0F84 6B010000 je Soundop.00663A57
006638EC|.8B01 mov eax,dword ptr ds:
006638EE|.8B50 0C mov edx,dword ptr ds:
006638F1|.3D FCC08600 cmp eax,Soundop.0086C0FC
006638F6|.0F85 65010000 jnz Soundop.00663A61
006638FC|.F0:FF41 14 lock inc dword ptr ds:
00663900|.8D41 08 lea eax,dword ptr ds:
00663903|>83C0 10 add eax,0x10
00663906|.8945 F0 mov ,eax ;kernel32.BaseThreadInitThunk
00663909|.B8 EC338A00 mov eax,Soundop.008A33EC ;https://ivosight.com/purchase/
0066390E|.C745 FC 00000000 mov ,0x0
00663915|.8D4D F0 lea ecx,
00663918|.A9 0000FFFF test eax,0xFFFF0000
0066391D|.75 0B jnz short Soundop.0066392A
0066391F|.0FB7C0 movzx eax,ax
00663922|.50 push eax ;kernel32.BaseThreadInitThunk
00663923|.E8 1883DAFF call Soundop.0040BC40
00663928|.EB 0C jmp short Soundop.00663936
0066392A|>6A 1E push 0x1E
0066392C|.68 EC338A00 push Soundop.008A33EC ;https://ivosight.com/purchase/
00663931|.E8 4A87DAFF call Soundop.0040C080
00663936|>C745 FC 01000000 mov ,0x1
0066393D|.8D4D F0 lea ecx,
00663940|.66:83BE F0000000 00 cmp word ptr ds:,0x0
00663948|.74 09 je short Soundop.00663953
0066394A|.6A 09 push 0x9
0066394C|.68 2C348A00 push Soundop.008A342C ;?ref=demo
00663951|.EB 07 jmp short Soundop.0066395A
00663953|>6A 0A push 0xA
00663955|.68 90348A00 push Soundop.008A3490 ;?ref=trial
3、上溯分析,关键跳转为 je Soundop.00663A46;其上一行的比较 cmp word ptr ds:,0x1 中,当该内存字等于 1 时跳转成立。在 cmp word ptr ds:,0x1 上右键——查找参考——地址常量,找到给该内存字赋值的语句。
000000D8 00663018 mov word ptr ds:,ax
4、在赋值语句上双击来到反汇编区,发现 mov word ptr ds:,ax 的上一行是一个 Call,按 F7 跟进分析。
00662FD0 .55 push ebp
00662FD1 .8BEC mov ebp,esp
00662FD3 .6A FF push -0x1
00662FD5 .68 406E8500 push Soundop.00856E40
00662FDA .64:A1 00000000 mov eax,dword ptr fs:
00662FE0 .50 push eax ;kernel32.BaseThreadInitThunk
00662FE1 .81EC B8030000 sub esp,0x3B8
00662FE7 .A1 58759000 mov eax,dword ptr ds:
00662FEC .33C5 xor eax,ebp
00662FEE .8945 F0 mov dword ptr ss:,eax ;kernel32.BaseThreadInitThunk
00662FF1 .56 push esi
00662FF2 .57 push edi
00662FF3 .50 push eax ;kernel32.BaseThreadInitThunk
00662FF4 .8D45 F4 lea eax,dword ptr ss:
00662FF7 .64:A3 00000000 mov dword ptr fs:,eax ;kernel32.BaseThreadInitThunk
00662FFD .8BF1 mov esi,ecx
00662FFF .89B5 84FCFFFF mov dword ptr ss:,esi
00663005 .E8 C6110000 call Soundop.006641D0
0066300A .85C0 test eax,eax ;kernel32.BaseThreadInitThunk
0066300C .74 77 je short Soundop.00663085
0066300E .E8 3D8DF5FF call Soundop.005BBD50
00663013 .E8 5891F5FF call Soundop.005BC170 ;》关键Call,F7跟进分析,使返回的ax=1
00663018 .66:8986 D8000000 mov word ptr ds:,ax
0066301F .8D85 7CFCFFFF lea eax,dword ptr ss:
5、经过分析,只要修改【1】处,使得al=1即可实现破解
005BC170/$55 push ebp
005BC171|.8BEC mov ebp,esp
005BC173|.81EC 04010000 sub esp,0x104
005BC179|.A1 58759000 mov eax,dword ptr ds:
………………
………………
………………
005BC191|.85F6 test esi,esi
005BC193|.7F 5A jg short Soundop.005BC1EF
005BC195|.68 00010000 push 0x100
005BC19A|.8D85 FCFEFFFF lea eax,
005BC1A0|.50 push eax ;kernel32.BaseThreadInitThunk
005BC1A1|.68 F09C8900 push Soundop.00899CF0 ;EVAL_CODE
005BC1A6|.FF15 B01A9200 call dword ptr ds:
005BC1AC|.B9 709D8900 mov ecx,Soundop.00899D70 ;1
005BC1B1|.8D85 FCFEFFFF lea eax,
005BC1B7|>8A10 /mov dl,byte ptr ds:
005BC1B9|.3A11 |cmp dl,byte ptr ds:
005BC1BB|.75 1A |jnz short Soundop.005BC1D7
005BC1BD|.84D2 |test dl,dl
005BC1BF|.74 12 |je short Soundop.005BC1D3
005BC1C1|.8A50 01 |mov dl,byte ptr ds:
005BC1C4|.3A51 01 |cmp dl,byte ptr ds:
005BC1C7|.75 0E |jnz short Soundop.005BC1D7
005BC1C9|.83C0 02 |add eax,0x2
005BC1CC|.83C1 02 |add ecx,0x2
005BC1CF|.84D2 |test dl,dl
005BC1D1|.^ 75 E4 \jnz short Soundop.005BC1B7
005BC1D3|>33C0 xor eax,eax ;kernel32.BaseThreadInitThunk
005BC1D5|.EB 05 jmp short Soundop.005BC1DC
005BC1D7|>1BC0 sbb eax,eax ;kernel32.BaseThreadInitThunk
005BC1D9|.83C8 01 or eax,0x1
005BC1DC|>85C0 test eax,eax ;kernel32.BaseThreadInitThunk
005BC1DE|.75 0F jnz short Soundop.005BC1EF
005BC1E0|.5E pop esi ;kernel32.74E0344D
005BC1E1|.8B4D FC mov ecx,
005BC1E4|.33CD xor ecx,ebp
005BC1E6|.E8 210F2500 call Soundop.0080D10C
005BC1EB|.8BE5 mov esp,ebp
005BC1ED|.5D pop ebp ;kernel32.74E0344D
005BC1EE|.C3 retn
005BC1EF|>83FE 04 cmp esi,0x4
005BC1F2|.75 0B jnz short Soundop.005BC1FF
005BC1F4|.68 009D8900 push Soundop.00899D00 ;P0193768-QAB:D58hetVYpTxgAUL6/6ZFG2NzG8I14/XSCK8OXTYkrVbpsM+jqbUadIJbB73gZZNxtu2ajoNw3ff9q1NKYUFwoN
005BC1F9|.FF15 B41A9200 call dword ptr ds:
005BC1FF|>8B4D FC mov ecx,
005BC202|.33C0 xor eax,eax ;
005BC204|.85F6 test esi,esi
005BC206|.5E pop esi ;kernel32.74E0344D
005BC207|.0F9EC0 setle al 》【1】
005BC20A|.33CD xor ecx,ebp
005BC20C|.E8 FB0E2500 call Soundop.0080D10C
005BC211|.8BE5 mov esp,ebp
005BC213|.5D pop ebp ;kernel32.74E0344D
005BC214\.C3 retn
6、破解后
成品下载:https://www.chinapyg.com/thread-138492-1-1.html 谢谢楼主,支持{:lol:} 666,表哥速度太快了 謝謝提供又可以學習了 强大,学习了 wgz001 发表于 2021-3-30 19:24
666,表哥速度太快了
主要是简单{:biggrin:}
谢谢楼主分享,楼主手把手教大家学习破解方法,一定要给楼主点赞! 高手就是高手,厉害,认为简单的,我小白一样听天书,谢谢 高手不用楼主教导,新手表示看不明白!该怎么办?第5条如何修改才使得 al=1?