[暴破入门]Amadis DVD Ripper 暴破分析
Amadis 这个公司的软件,暴破后向注册表写入某数值代表已注册.所以采取暴破的方式更快速直接.并且可任意修改软件注册给谁.Amadis公司官方网站:
http://www.amadis-soft.com/
; ---------------------------------------------------------------------------
; OllyDbg listing (x86-32, MSVC, this = ecx) of the registration-check routine
; at 00402E30 of Amadis DVD Ripper, as posted by the page author.  The text was
; extracted without the `[...]` memory operands, so operands such as
; `dword ptr` and `fs:` are truncated; the opcode bytes in the second column
; are the authoritative record (e.g. 8B45 D4 = mov eax,[ebp-2C]).
;
; What the visible code does:
;   1. Reads the default value of HKCU\Software\Amadis Software\DVDVIDEO\register
;      with RegQueryValueA, converts it (call 00476453, presumably an atoi-like
;      helper) and treats the value 1 as "already registered".
;   2. Otherwise checks the entered name/key (a length test at 00402EE1 and a
;      string compare at 004030CB); on success it shows "Succeed to register!"
;      and writes register="1" and key="AMADIS%s%s%s" under the same HKCU
;      subkey with RegSetValueA, plus a value under ...\Amadis Software\pro.
;   3. On failure it shows "Invalid Registration Code!".
;
; Defensive reading: the licensing decision is taken entirely client-side and
; its persisted state is a plaintext "1" in a user-writable HKCU key, so the
; stored state is trivially tamperable and the decision rests on two
; conditional branches (the ones the author marks as patch points).  Software
; that must resist this should validate a signed or server-issued license
; token rather than a boolean flag, bind it to the installation, and not store
; the outcome of the check as a plain value.
; Inline comments prefixed "author:" are translations of the original Chinese.
; ---------------------------------------------------------------------------
00402E30/.55 push ebp ; frame setup; locals are probed via call 00476460 below
00402E31|.8BEC mov ebp, esp
00402E33|.64:A1 0000000>mov eax, dword ptr fs: ; fs:[0] - save the current SEH chain head
00402E39|.6A FF push -1
00402E3B|.68 93B44A00 push 004AB493 ; SEH handler record for this frame
00402E40|.50 push eax
00402E41|.B8 34110000 mov eax, 1134 ; 1134h bytes of locals for the stack probe
00402E46|.64:8925 00000>mov dword ptr fs:, esp ; fs:[0] = new SEH record
00402E4D|.E8 0E360700 call 00476460 ; presumably a __chkstk-style probe (eax = byte count) - TODO confirm
00402E52|.53 push ebx
00402E53|.56 push esi
00402E54|.8BD9 mov ebx, ecx ; ebx = this (thiscall: ecx on entry)
00402E56|.8D45 D0 lea eax, dword ptr ; eax = &[ebp-30], the pValueSize cell for RegQueryValueA
00402E59|.57 push edi
00402E5A|.8D8D C0EEFFFF lea ecx, dword ptr ; ecx = &[ebp-1140], output buffer for the registry value
00402E60|.50 push eax ; /pValueSize
00402E61|.51 push ecx ; |Value
00402E62|.68 98F44C00 push 004CF498 ; |Subkey = "Software\Amadis Software\DVDVIDEO\register"
00402E67|.68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00402E6C|.C745 D0 00020>mov dword ptr , 200 ; |  [ebp-30] = 200h: buffer size passed to the API
00402E73|.FF15 00204B00 call dword ptr [<&ADVAPI32.RegQueryVa>; \RegQueryValueA - reads the default value of the "register" subkey
00402E79|.85C0 test eax, eax ; 0 (ERROR_SUCCESS) means the value exists
00402E7B|.75 23 jnz short 00402EA0 ; author: check whether registration info was ever written to the registry; if not, jump away
00402E7D|.8D95 C0EEFFFF lea edx, dword ptr ; edx = the string just read
00402E83|.52 push edx
00402E84|.E8 CA350700 call 00476453 ; author: check whether the registry "register" value is 1; 1 means already registered (presumably an atoi-like conversion)
00402E89|.83C4 04 add esp, 4
00402E8C|.83F8 01 cmp eax, 1
00402E8F|.75 0F jnz short 00402EA0
00402E91|.8B03 mov eax, dword ptr ; eax = this->vtable
00402E93|.8BCB mov ecx, ebx
00402E95|.FF90 C4000000 call dword ptr ; virtual call at vtable+0C4 on the already-registered path (called again at 004031C8)
00402E9B|.E9 9A030000 jmp 0040323A ; target lies past the end of this listing
00402EA0|>A1 80784D00 mov eax, dword ptr ; not registered: eax = global at 004D7880, used to seed several locals
00402EA5|.8945 D4 mov dword ptr , eax ; [ebp-2C]
00402EA8|.C745 FC 00000>mov dword ptr , 0 ; [ebp-4] = 0; presumably the SEH state index, bumped as temporaries are created - TODO confirm
00402EAF|.8945 E4 mov dword ptr , eax ; [ebp-1C]
00402EB2|.8D55 D4 lea edx, dword ptr
00402EB5|.8D8B A0000000 lea ecx, dword ptr ; ecx = &this->field_A0
00402EBB|.52 push edx
00402EBC|.C645 FC 01 mov byte ptr , 1
00402EC0|.E8 48840900 call 0049B30D ; helper on this+A0 with &[ebp-2C] as argument; [ebp-2C] is used as a string below (unverified)
00402EC5|.8B45 D4 mov eax, dword ptr
00402EC8|.68 00CA4D00 push 004DCA00 ; /Arg2 = 004DCA00
00402ECD|.50 push eax ; |Arg1
00402ECE|.E8 38320700 call 0047610B ; \Amadis_D.0047610B
00402ED3|.83C4 08 add esp, 8
00402ED6|.85C0 test eax, eax
00402ED8|.0F84 2E030000 je 0040320C ; result 0 -> reject (target is past the end of this listing)
00402EDE|.8B4D D4 mov ecx, dword ptr
00402EE1|.8379 F8 12 cmp dword ptr , 12 ; author: the KEY must be longer than 12h, i.e. 18 characters ([ecx-8] looks like a string length field - unverified)
00402EE5 0F8E 21030000 jle 0040320C
00402EEB|.8D4D E4 lea ecx, dword ptr
00402EEE|.C645 FC 00 mov byte ptr , 0
00402EF2|.E8 C3B70900 call 0049E6BA ; release helper, called on each temporary string below (unverified)
00402EF7|.8D4D D4 lea ecx, dword ptr
00402EFA|.C745 FC FFFFF>mov dword ptr , -1
00402F01|.E8 B4B70900 call 0049E6BA
00402F06|.68 F4F54C00 push 004CF5F4 ;ASCII "DVDVIDEO"
00402F0B|.8D4D D8 lea ecx, dword ptr ; [ebp-28] = "DVDVIDEO" (also used when writing "key" below)
00402F0E|.E8 15B80900 call 0049E728
00402F13|.A1 80784D00 mov eax, dword ptr
00402F18|.C745 FC 02000>mov dword ptr , 2
00402F1F|.8945 EC mov dword ptr , eax ; [ebp-14]
00402F22|.8945 E8 mov dword ptr , eax ; [ebp-18]
00402F25|.8B43 60 mov eax, dword ptr ; eax = this->field_60
00402F28|.C645 FC 04 mov byte ptr , 4
00402F2C|.85C0 test eax, eax
00402F2E|.75 7D jnz short 00402FAD ; object at this+60 already exists
00402F30|.6A 40 push 40
00402F32|.E8 ACAB0900 call 0049DAE3 ; allocate 40h bytes (operator new-like, unverified)
00402F37|.83C4 04 add esp, 4
00402F3A|.8945 E4 mov dword ptr , eax
00402F3D|.85C0 test eax, eax
00402F3F|.C645 FC 05 mov byte ptr , 5
00402F43|.74 0B je short 00402F50 ; allocation failed -> esi = 0
00402F45|.8BC8 mov ecx, eax
00402F47|.E8 D4710100 call 0041A120 ; construct the new object (this = ecx)
00402F4C|.8BF0 mov esi, eax
00402F4E|.EB 02 jmp short 00402F52
00402F50|>33F6 xor esi, esi
00402F52|>85F6 test esi, esi
00402F54|.0F95C0 setne al ; al = (esi != 0)
00402F57|.8845 E0 mov byte ptr , al ; [ebp-20]
00402F5A|.8975 E4 mov dword ptr , esi
00402F5D|.8D7B 5C lea edi, dword ptr ; edi = &this->field_5C
00402F60|.8D55 E0 lea edx, dword ptr
00402F63|.3BFA cmp edi, edx
00402F65|.C645 FC 06 mov byte ptr , 6
00402F69|.74 2E je short 00402F99
00402F6B|.8B4F 04 mov ecx, dword ptr ; ecx = this->field_60 (previous pointer)
00402F6E|.3BCE cmp ecx, esi
00402F70|.74 16 je short 00402F88
00402F72|.803F 00 cmp byte ptr , 0
00402F75|.74 0D je short 00402F84
00402F77|.85C9 test ecx, ecx
00402F79|.74 09 je short 00402F84
00402F7B|.8B01 mov eax, dword ptr
00402F7D|.6A 01 push 1
00402F7F|.FF10 call dword ptr ; vtable slot 0 with arg 1 on the previous object (looks like a deleting destructor - unverified)
00402F81|.8A45 E0 mov al, byte ptr
00402F84|>8807 mov byte ptr , al
00402F86|.EB 07 jmp short 00402F8F
00402F88|>84C0 test al, al
00402F8A|.74 03 je short 00402F8F
00402F8C|.C607 01 mov byte ptr , 1
00402F8F|>C645 E0 00 mov byte ptr , 0
00402F93|.8A45 E0 mov al, byte ptr
00402F96|.8977 04 mov dword ptr , esi ; this->field_60 = new object
00402F99|>84C0 test al, al
00402F9B|.C645 FC 04 mov byte ptr , 4
00402F9F|.74 0C je short 00402FAD
00402FA1|.85F6 test esi, esi
00402FA3|.74 08 je short 00402FAD
00402FA5|.8B16 mov edx, dword ptr
00402FA7|.6A 01 push 1
00402FA9|.8BCE mov ecx, esi
00402FAB|.FF12 call dword ptr
00402FAD|>8B45 D8 mov eax, dword ptr ; eax = [ebp-28] ("DVDVIDEO")
00402FB0|.6A 10 push 10
00402FB2|.8D4D C0 lea ecx, dword ptr ; [ebp-40]: 10h-byte scratch buffer
00402FB5|.50 push eax
00402FB6|.51 push ecx
00402FB7|.E8 D4340700 call 00476490 ; (buf, "DVDVIDEO", 10h) - bounded copy of some kind, unverified
00402FBC|.8B4B 60 mov ecx, dword ptr ; ecx = this->field_60
00402FBF|.83C4 0C add esp, 0C
00402FC2|.8D55 C0 lea edx, dword ptr
00402FC5|.6A 00 push 0
00402FC7|.6A 00 push 0
00402FC9|.68 20684B00 push 004B6820
00402FCE|.6A 10 push 10
00402FD0|.52 push edx
00402FD1|.E8 FA710100 call 0041A1D0 ; method on this->field_60 taking (buf, 10h, 004B6820, 0, 0)
00402FD6|.A1 80784D00 mov eax, dword ptr
00402FDB|.8B7B 60 mov edi, dword ptr ; edi = this->field_60, receiver of the virtual calls at 0040309C / 004030B4
00402FDE|.8945 F0 mov dword ptr , eax ; [ebp-10]
00402FE1|.8D4D F0 lea ecx, dword ptr
00402FE4|.C645 FC 07 mov byte ptr , 7
00402FE8|.51 push ecx
00402FE9|.8D8B A0000000 lea ecx, dword ptr
00402FEF|.E8 19830900 call 0049B30D ; [ebp-10] = string from this+A0 (same helper as at 00402EC0)
00402FF4|.8D4D F0 lea ecx, dword ptr
00402FF7|.E8 8A4A0900 call 00497A86
00402FFC|.8D4D F0 lea ecx, dword ptr
00402FFF|.E8 364A0900 call 00497A3A ; two in-place transforms on [ebp-10] (unverified)
00403004|.6A 04 push 4
00403006|.8D55 E4 lea edx, dword ptr
00403009|.6A 0E push 0E
0040300B|.52 push edx
0040300C|.8D4D F0 lea ecx, dword ptr
0040300F|.E8 E1440900 call 004974F5 ; substring-like on [ebp-10]: (out=&[ebp-1C], 0Eh, 4) - unverified
00403014|.50 push eax
00403015|.8D4D E8 lea ecx, dword ptr
00403018|.C645 FC 08 mov byte ptr , 8
0040301C|.E8 D2B70900 call 0049E7F3 ; [ebp-18] = that piece
00403021|.8D4D E4 lea ecx, dword ptr
00403024|.C645 FC 07 mov byte ptr , 7
00403028|.E8 8DB60900 call 0049E6BA
0040302D|.8B45 F0 mov eax, dword ptr
00403030|.8D4D E4 lea ecx, dword ptr
00403033|.8B40 F8 mov eax, dword ptr ; eax = length field of [ebp-10] (offset -8, cf. 00402EE1)
00403036|.83C0 EE add eax, -12 ; length - 12h, consistent with the > 12h check at 00402EE1
00403039|.50 push eax
0040303A|.51 push ecx
0040303B|.8D4D F0 lea ecx, dword ptr
0040303E|.E8 48450900 call 0049758B ; substring-like on [ebp-10]: (out=&[ebp-1C], length-12h) - unverified
00403043|.50 push eax
00403044|.8D4D EC lea ecx, dword ptr
00403047|.C645 FC 09 mov byte ptr , 9
0040304B|.E8 A3B70900 call 0049E7F3 ; [ebp-14] = that piece
00403050|.8D4D E4 lea ecx, dword ptr
00403053|.C645 FC 07 mov byte ptr , 7
00403057|.E8 5EB60900 call 0049E6BA
0040305C|.8B55 EC mov edx, dword ptr
0040305F|.8B42 F8 mov eax, dword ptr ; eax = length field of [ebp-14]
00403062|.99 cdq
00403063|.2BC2 sub eax, edx ; cdq / sub / sar 1 = signed divide by 2
00403065|.8BF0 mov esi, eax
00403067|.D1FE sar esi, 1 ; esi = length / 2
00403069|.8BC6 mov eax, esi
0040306B|.83C0 03 add eax, 3
0040306E|.24 FC and al, 0FC ; round up to a multiple of 4
00403070|.E8 EB330700 call 00476460 ; stack allocation of esi bytes (same probe helper as at entry)
00403075|.8BC4 mov eax, esp
00403077|.56 push esi
00403078|.8945 E4 mov dword ptr , eax ; [ebp-1C] = first stack buffer
0040307B|.50 push eax
0040307C|.8B45 EC mov eax, dword ptr
0040307F|.50 push eax
00403080|.E8 3B9D0100 call 0041CDC0 ; (src=[ebp-14], dst=stack buffer, esi) - memcpy-like, unverified
00403085|.8D46 01 lea eax, dword ptr ; eax = esi + 1
00403088|.83C4 0C add esp, 0C
0040308B|.83C0 03 add eax, 3
0040308E|.24 FC and al, 0FC
00403090|.E8 CB330700 call 00476460 ; second stack buffer of esi+1 bytes, rounded up
00403095|.8965 DC mov dword ptr , esp ; [ebp-24] = second stack buffer
00403098|.8B17 mov edx, dword ptr
0040309A|.8BCF mov ecx, edi
0040309C|.FF52 18 call dword ptr ; this->field_60 vtable+18, no arguments
0040309F|.85C0 test eax, eax
004030A1|.0F84 29010000 je 004031D0 ; 0 -> "Sorry" dialog
004030A7|.8B4D DC mov ecx, dword ptr
004030AA|.8B55 E4 mov edx, dword ptr
004030AD|.8B07 mov eax, dword ptr
004030AF|.56 push esi
004030B0|.51 push ecx
004030B1|.52 push edx
004030B2|.8BCF mov ecx, edi
004030B4|.FF50 0C call dword ptr ; this->field_60 vtable+0C with (in=[ebp-1C], out=[ebp-24], esi); presumably the key transform
004030B7|.85C0 test eax, eax
004030B9|.0F84 11010000 je 004031D0 ; author: marks this branch as patch point 1
004030BF|.8B45 DC mov eax, dword ptr
004030C2|.50 push eax
004030C3|.C60430 00 mov byte ptr , 0 ; [eax+esi] = 0: NUL-terminate the transformed buffer
004030C7|.8B45 E8 mov eax, dword ptr
004030CA|.50 push eax
004030CB|.E8 63310700 call 00476233 ; compare [ebp-18] (the 4-char piece) with the transformed buffer; 0 = match (strcmp-like, unverified)
004030D0|.83C4 08 add esp, 8
004030D3|.8BCB mov ecx, ebx
004030D5|.85C0 test eax, eax
004030D7|.6A 40 push 40 ; flag shared by both dialogs below (presumably a MessageBox-style 40h)
004030D9 0F85 F5000000 jnz 004031D4 ; author: marks this branch as the second patch point; a mismatch goes to "Invalid Registration Code!"
004030DF|.68 E4F54C00 push 004CF5E4 ;ASCII "Congratulate"
004030E4|.68 A4F54C00 push 004CF5A4 ;ASCII "Succeed to register!",LF,"You get all features and free supports!"
004030E9|.E8 DE8E0900 call 0049BFCC ; message-box style helper (flag, title, text)
004030EE|.8D4D DC lea ecx, dword ptr ; author: from here the code writes the registration info to the registry.
004030F1|.51 push ecx ; /pHandle
004030F2|.68 80F54C00 push 004CF580 ; |Subkey = "Software\Amadis Software\DVDVIDEO"
004030F7|.68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
004030FC|.FF15 0C204B00 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyA
00403102|.8B35 08204B00 mov esi, dword ptr [<&ADVAPI32.RegSe>;ADVAPI32.RegSetValueA - esi is the target of the three "call esi" below
00403108|.85C0 test eax, eax
0040310A|.0F85 95000000 jnz 004031A5 ; RegCreateKeyA failed: skip the DVDVIDEO writes
00403110|.6A 01 push 1
00403112|.8D95 C0FEFFFF lea edx, dword ptr ; [ebp-140]: formatting buffer
00403118|.68 7CF54C00 push 004CF57C ;ASCII "%d"
0040311D|.52 push edx
0040311E|.E8 D72E0700 call 00475FFA ; sprintf-like: buffer = "1"
00403123|.8DBD C0FEFFFF lea edi, dword ptr
00403129|.83C9 FF or ecx, FFFFFFFF
0040312C|.33C0 xor eax, eax
0040312E|.83C4 0C add esp, 0C
00403131|.F2:AE repne scas byte ptr es: ; inline strlen: scan for NUL with ecx = -1 ...
00403133|.F7D1 not ecx
00403135|.49 dec ecx ; ... ecx = strlen(buffer)
00403136|.8D85 C0FEFFFF lea eax, dword ptr
0040313C|.51 push ecx ; cbData
0040313D|.8B4D DC mov ecx, dword ptr
00403140|.50 push eax ; lpData = "1"
00403141|.6A 01 push 1 ; dwType = REG_SZ
00403143|.68 70F54C00 push 004CF570 ;ASCII "register"
00403148|.51 push ecx ; hKey from RegCreateKeyA
00403149|.FFD6 call esi ; RegSetValueA: ...\DVDVIDEO\register = "1" - the plaintext flag read back at 00402E73
0040314B|.8B55 EC mov edx, dword ptr
0040314E|.8B45 E8 mov eax, dword ptr
00403151|.52 push edx
00403152|.50 push eax
00403153|.68 F4F54C00 push 004CF5F4 ;ASCII "DVDVIDEO"
00403158|.8D8D C0FEFFFF lea ecx, dword ptr
0040315E|.68 60F54C00 push 004CF560 ;ASCII "AMADIS%s%s%s"
00403163|.51 push ecx
00403164|.E8 912E0700 call 00475FFA ; sprintf-like: buffer = "AMADIS" + "DVDVIDEO" + [ebp-18] + [ebp-14]
00403169|.8DBD C0FEFFFF lea edi, dword ptr
0040316F|.83C9 FF or ecx, FFFFFFFF
00403172|.33C0 xor eax, eax
00403174|.83C4 14 add esp, 14
00403177|.F2:AE repne scas byte ptr es: ; inline strlen again
00403179|.8B45 DC mov eax, dword ptr
0040317C|.8D95 C0FEFFFF lea edx, dword ptr
00403182|.F7D1 not ecx
00403184|.49 dec ecx
00403185|.51 push ecx ; cbData
00403186|.52 push edx ; lpData = formatted buffer
00403187|.6A 01 push 1 ; REG_SZ
00403189|.68 5CF54C00 push 004CF55C ;ASCII "key"
0040318E|.50 push eax ; hKey
0040318F|.FFD6 call esi ; RegSetValueA: ...\DVDVIDEO\key = formatted string (the "registered to" record)
00403191|.8B4D DC mov ecx, dword ptr
00403194|.51 push ecx ; /hKey
00403195|.FF15 04204B00 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
0040319B|.C705 44AC4E00>mov dword ptr , 1 ; global dword at 004EAC44 = 1 (in-process "registered" flag)
004031A5|>6A 02 push 2 ; cbData
004031A7|.68 58F54C00 push 004CF558 ; lpData (2 bytes at 004CF558)
004031AC|.6A 01 push 1 ; REG_SZ
004031AE|.68 38F54C00 push 004CF538 ;ASCII "Software\Amadis Software\pro"
004031B3|.68 01000080 push 80000001 ; HKEY_CURRENT_USER
004031B8|.FFD6 call esi ; RegSetValueA on the "pro" subkey; reached even when RegCreateKeyA failed above
004031BA|.C705 4CAC4E00>mov dword ptr , 1 ; global dword at 004EAC4C = 1
004031C4|.8B13 mov edx, dword ptr
004031C6|.8BCB mov ecx, ebx
004031C8|.FF92 C4000000 call dword ptr ; same virtual call (vtable+0C4) as on the already-registered path
004031CE|.EB 13 jmp short 004031E3
004031D0|>6A 40 push 40 ; failure path (from 004030A1 / 004030B9)
004031D2|.8BCB mov ecx, ebx
004031D4|>68 30F54C00 push 004CF530 ;ASCII "Sorry"
004031D9|.68 14F54C00 push 004CF514 ;ASCII "Invalid Registration Code!"
004031DE|.E8 E98D0900 call 0049BFCC ; listing ends here; the routine continues past 004031E3
注册信息保存到这里:
HKEY_CURRENT_USER\Software\Amadis Software\DVDVIDEO\key
其中KEY的键值显示软件注册给谁,可任意修改.
register的键值若为1则代表已注册.
软件对新手来说练手即可,有兴趣的朋友可看下算法.
http://www.chinadforce.com/attachments/day_070531/03_NASUcbptbHYn.gif 很好的啊,谢谢了哦!!