爆破的无奈
【破文标题】爆破的无奈【破文作者】cao2109
【作者邮箱】[email protected]
【作者主页】http://hi.baidu.com/cao2109
【破解工具】peid0.92,OD
【破解平台】winxpsp2
【软件名称】视频转换专家
【软件大小】30.8M
【原版下载】http://www.flywing.cn/video_converter.htm
【保护方式】无壳+INI重启验证
【软件简介】视频转换专家是一款功能强大的视频转换软件,它支持几乎所有的视频文件格式,包括3gp, 3g2, avi, dv, dif, mov, qt, swf, mp2, mp3, ogg, aac, m4a, nut, ac3, h261, h264, m4v, yuv, mp4, rm, ra, ram, rmvb, wma, wmv, asf, mpg, mpeg, mpa, vob, dat, ape, cue, mkv, wav, aiff, au, cda, avs, psp, smk, nsv等。
【破解声明】只为技术交流,没有其他目的。
------------------------------------------------------------------------
【破解过程】在机房上课,无事翻出一软件,欲使用,让注册,先踩点,码错误。
去根目录查看,看到一registration的INI的文件,保存着我们的注册码。
PEID查壳Borland Delphi 6.0 - 7.0。没加壳更好。载入软件来到这。
搜索字符串‘感谢您注册我们的软件,请关闭本软件并重新运行,以使您的注册生效!’双击
004ECDF8 /.55 push ebp F2下断,CTRL+F2重新运行,F9运行软件,填假注册码。F8
004ECDF9 |.8BEC mov ebp,esp
004ECDFB |.33C9 xor ecx,ecx
004ECDFD |.51 push ecx
004ECDFE |.51 push ecx
004ECDFF |.51 push ecx
004ECE00 |.51 push ecx
004ECE01 |.51 push ecx
004ECE02 |.53 push ebx
004ECE03 |.56 push esi
004ECE04 |.57 push edi
004ECE05 |.8BF0 mov esi,eax
004ECE07 |.33C0 xor eax,eax
004ECE09 |.55 push ebp
004ECE0A |.68 17CF4E00 push CoolVide.004ECF17
004ECE0F |.64:FF30 push dword ptr fs:
004ECE12 |.64:8920 mov dword ptr fs:,esp
004ECE15 |.33DB xor ebx,ebx
004ECE17 |>8D55 FC /lea edx,dword ptr ss:
004ECE1A |.8BC3 |mov eax,ebx
004ECE1C |.E8 87C5F1FF |call CoolVide.004093A8
004ECE21 |.43 |inc ebx
004ECE22 |.81FB 01040000 |cmp ebx,401
004ECE28 |.^ 75 ED \jnz short CoolVide.004ECE17
004ECE2A |.8D55 F0 lea edx,dword ptr ss:
004ECE2D |.8B86 08030000 mov eax,dword ptr ds:
004ECE33 |.E8 3861F8FF call CoolVide.00472F70
004ECE38 |.8B45 F0 mov eax,dword ptr ss: ;计算用户名长度
004ECE3B |.8D55 F8 lea edx,dword ptr ss: ;取用户名
004ECE3E |.E8 65C4F1FF call CoolVide.004092A8
004ECE43 |.8D55 EC lea edx,dword ptr ss:
004ECE46 |.8B86 0C030000 mov eax,dword ptr ds:
004ECE4C |.E8 1F61F8FF call CoolVide.00472F70
004ECE51 |.8B45 EC mov eax,dword ptr ss: ;计算密码长度放EAX
004ECE54 |.8D55 F4 lea edx,dword ptr ss: ;取密码
004ECE57 |.E8 4CC4F1FF call CoolVide.004092A8
004ECE5C |.A1 D0695000 mov eax,dword ptr ds:
004ECE61 |.8B00 mov eax,dword ptr ds:
004ECE63 |.8B4D F4 mov ecx,dword ptr ss:
004ECE66 |.8B55 F8 mov edx,dword ptr ss:
004ECE69 |.E8 BE0E0000 call CoolVide.004EDD2C ;关键CALL, F7进入。
004ECE6E |.84C0 test al,al 明显的标志位
004ECE70 |.74 71 je short CoolVide.004ECEE3 跳向失败(爆破的在这里!重启还是未注册!)
004ECE72 |.A1 D0695000 mov eax,dword ptr ds:
004ECE77 |.8B00 mov eax,dword ptr ds:
004ECE79 |.8B88 08030000 mov ecx,dword ptr ds:
004ECE7F |.B2 01 mov dl,1
004ECE81 |.A1 8CE64300 mov eax,dword ptr ds:
004ECE86 |.E8 B118F5FF call CoolVide.0043E73C
004ECE8B |.8BD8 mov ebx,eax
004ECE8D |.8B45 F8 mov eax,dword ptr ss:
004ECE90 |.50 push eax
004ECE91 |.B9 30CF4E00 mov ecx,CoolVide.004ECF30 ;ASCII "username"
004ECE96 |.BA 44CF4E00 mov edx,CoolVide.004ECF44 ;ASCII "user_info"
004ECE9B |.8BC3 mov eax,ebx
004ECE9D |.8B38 mov edi,dword ptr ds:
004ECE9F |.FF57 04 call dword ptr ds:
004ECEA2 |.8B45 F4 mov eax,dword ptr ss:
004ECEA5 |.50 push eax
004ECEA6 |.B9 58CF4E00 mov ecx,CoolVide.004ECF58 ;ASCII "regcode"
004ECEAB |.BA 44CF4E00 mov edx,CoolVide.004ECF44 ;ASCII "user_info"
004ECEB0 |.8BC3 mov eax,ebx
004ECEB2 |.8B38 mov edi,dword ptr ds:
004ECEB4 |.FF57 04 call dword ptr ds:
004ECEB7 |.8BC3 mov eax,ebx
004ECEB9 |.E8 EE6DF1FF call CoolVide.00403CAC
004ECEBE |.A1 D0695000 mov eax,dword ptr ds:
004ECEC3 |.8B00 mov eax,dword ptr ds:
004ECEC5 |.8B4D F4 mov ecx,dword ptr ss:
004ECEC8 |.8B55 F8 mov edx,dword ptr ss:
004ECECB |.E8 7C2C0000 call CoolVide.004EFB4C
004ECED0 |.B8 68CF4E00 mov eax,CoolVide.004ECF68 ;<-----------双击来到这里,向上找到段首。
004ECED5 |.E8 7EA7F4FF call CoolVide.00437658
004ECEDA |.8BC6 mov eax,esi
004ECEDC |.E8 0B4BFAFF call CoolVide.004919EC
004ECEE1 |.EB 0C jmp short CoolVide.004ECEEF
F7来到这里。
004EDD2C $55 push ebp
004EDD2D .8BEC mov ebp,esp
004EDD2F .6A 00 push 0
004EDD31 .6A 00 push 0
004EDD33 .6A 00 push 0
004EDD35 .6A 00 push 0
004EDD37 .6A 00 push 0
004EDD39 .53 push ebx
004EDD3A .56 push esi
004EDD3B .57 push edi
004EDD3C .894D F8 mov dword ptr ss:,ecx
004EDD3F .8955 FC mov dword ptr ss:,edx
004EDD42 .8B45 FC mov eax,dword ptr ss:
004EDD45 .E8 4672F1FF call CoolVide.00404F90
004EDD4A .8B45 F8 mov eax,dword ptr ss:
004EDD4D .E8 3E72F1FF call CoolVide.00404F90
004EDD52 .33C0 xor eax,eax
004EDD54 .55 push ebp
004EDD55 .68 69DE4E00 push CoolVide.004EDE69
004EDD5A .64:FF30 push dword ptr fs:
004EDD5D .64:8920 mov dword ptr fs:,esp
004EDD60 .8D45 F0 lea eax,dword ptr ss:
004EDD63 .BA 84DE4E00 mov edx,CoolVide.004EDE84 ;ASCII "cvc3_user54,cvc3_user113,"
004EDD68 .E8 0B6EF1FF call CoolVide.00404B78
004EDD6D .837D FC 00 cmp dword ptr ss:,0 判断用户名是否为空
004EDD71 .74 06 je short CoolVide.004EDD79
004EDD73 .837D F8 00 cmp dword ptr ss:,0 ;判断密码是否为空
004EDD77 .75 07 jnz short CoolVide.004EDD80
004EDD79 >33DB xor ebx,ebx
004EDD7B .E9 CE000000 jmp CoolVide.004EDE4E
004EDD80 >8D45 EC lea eax,dword ptr ss:
004EDD83 .B9 A8DE4E00 mov ecx,CoolVide.004EDEA8
004EDD88 .8B55 FC mov edx,dword ptr ss:
004EDD8B .E8 5C70F1FF call CoolVide.00404DEC
004EDD90 .8B45 EC mov eax,dword ptr ss:
004EDD93 .8B55 F0 mov edx,dword ptr ss:
004EDD96 .E8 4973F1FF call CoolVide.004050E4 <------算法CALL,F7进入
004EDD9B .85C0 test eax,eax
004EDD9D .7E 07 jle short CoolVide.004EDDA6
004EDD9F .33DB xor ebx,ebx
004EDDA1 .E9 A8000000 jmp CoolVide.004EDE4E
004EDDA6 >A1 4C825000 mov eax,dword ptr ds:
004EDDAB .8B80 F8020000 mov eax,dword ptr ds:
004EDDB1 .8B40 40 mov eax,dword ptr ds:
004EDDB4 .BA B4DE4E00 mov edx,CoolVide.004EDEB4 ;ASCII "EB0E0838DCB2B1968C04426B0BDE283929F3E07CD581FEF337B4D412C74D9652"
004EDDB9 .E8 4A00FEFF call CoolVide.004CDE08
004EDDBE .A1 4C825000 mov eax,dword ptr ds:
004EDDC3 .8B80 F8020000 mov eax,dword ptr ds:
004EDDC9 .8B40 40 mov eax,dword ptr ds:
004EDDCC .BA 00DF4E00 mov edx,CoolVide.004EDF00 ;ASCII "4B3A32106A21DD650581E4EF69CE9E6917A72980D3B6875473257BFBD7B6FF07"
004EDDD1 .E8 CE00FEFF call CoolVide.004CDEA4
004EDDD6 .33D2 xor edx,edx
004EDDD8 .55 push ebp
004EDDD9 .68 04DE4E00 push CoolVide.004EDE04
004EDDDE .64:FF32 push dword ptr fs:
004EDDE1 .64:8922 mov dword ptr fs:,esp
004EDDE4 .8D4D F4 lea ecx,dword ptr ss:
004EDDE7 .A1 4C825000 mov eax,dword ptr ds:
004EDDEC .8B80 F8020000 mov eax,dword ptr ds:
004EDDF2 .8B55 F8 mov edx,dword ptr ss:
004EDDF5 .8B18 mov ebx,dword ptr ds:
004EDDF7 .FF53 38 call dword ptr ds:
004EDDFA .33C0 xor eax,eax
004EDDFC .5A pop edx
004EDDFD .59 pop ecx
004EDDFE .59 pop ecx
004EDDFF .64:8910 mov dword ptr fs:,edx
004EDE02 .EB 1F jmp short CoolVide.004EDE23
关键算法在这里:
004050E4 /$85C0 test eax,eax
004050E6 |.74 40 je short CoolVide.00405128
004050E8 |.85D2 test edx,edx
004050EA |.74 31 je short CoolVide.0040511D
004050EC |.53 push ebx
004050ED |.56 push esi
004050EE |.57 push edi
004050EF |.89C6 mov esi,eax
004050F1 |.89D7 mov edi,edx
004050F3 |.8B4F FC mov ecx,dword ptr ds:
004050F6 |.57 push edi
004050F7 |.8B56 FC mov edx,dword ptr ds:
004050FA |.4A dec edx
004050FB |.78 1B js short CoolVide.00405118
004050FD |.8A06 mov al,byte ptr ds:
004050FF |.46 inc esi
00405100 |.29D1 sub ecx,edx
00405102 |.7E 14 jle short CoolVide.00405118
00405104 |>F2:AE /repne scas byte ptr es: <-------------从这里开始循环比较,看不懂~~~~~~
00405106 |.75 10 |jnz short CoolVide.00405118 <-----------循环完了,就OVER了。
00405108 |.89CB |mov ebx,ecx
0040510A |.56 |push esi
0040510B |.57 |push edi
0040510C |.89D1 |mov ecx,edx
0040510E |.F3:A6 |repe cmps byte ptr es:,byte ptr d>
00405110 |.5F |pop edi
00405111 |.5E |pop esi
00405112 |.74 0C |je short CoolVide.00405120
00405114 |.89D9 |mov ecx,ebx
00405116 |.^ EB EC \jmp short CoolVide.00405104
00405118 |>5A pop edx
00405119 |.31C0 xor eax,eax
0040511B |.EB 08 jmp short CoolVide.00405125
0040511D |>31C0 xor eax,eax
0040511F |.C3 retn
------------------------------------------------------------------------
【破解总结】关键码比较完全看不懂,等高手明示!~~~~~
------------------------------------------------------------------------
【版权声明】飞翼软件所有。
[ 本帖最后由 cao2109 于 2008-9-27 10:43 编辑 ] 004EDDFA .33C0 xor eax,eax改为:or eax,eax,爆破成功,注册界面再用pe修改一下。见:
http://www.52pojie.cn/read.php?tid-10524.html#139167 看不懂,进来学习的 挺好的教程的软件也简单 呵呵 0050A89D|.55 PUSH EBP
0050A89E|.68 B7A95000 PUSH CoolVide.0050A9B7
0050A8A3|.64:FF30 PUSH DWORD PTR FS:
0050A8A6|.64:8920 MOV DWORD PTR FS:,ESP
0050A8A9|.33DB XOR EBX,EBX
0050A8AB|>8D55 FC /LEA EDX,DWORD PTR SS:
0050A8AE|.8BC3 |MOV EAX,EBX
0050A8B0|.E8 EBEFEFFF |CALL CoolVide.004098A0
0050A8B5|.43 |INC EBX
0050A8B6|.81FB 01040000 |CMP EBX,401
0050A8BC|.^ 75 ED \JNZ SHORT CoolVide.0050A8AB
0050A8BE|.8D55 F0 LEA EDX,DWORD PTR SS:
0050A8C1|.8B86 08030000 MOV EAX,DWORD PTR DS:
0050A8C7|.E8 10DCF6FF CALL CoolVide.004784DC
0050A8CC|.8B45 F0 MOV EAX,DWORD PTR SS:
0050A8CF|.8D55 F8 LEA EDX,DWORD PTR SS:
0050A8D2|.E8 F9EBEFFF CALL CoolVide.004094D0
0050A8D7|.8D55 EC LEA EDX,DWORD PTR SS:
0050A8DA|.8B86 0C030000 MOV EAX,DWORD PTR DS:
0050A8E0|.E8 F7DBF6FF CALL CoolVide.004784DC
0050A8E5|.8B45 EC MOV EAX,DWORD PTR SS:
0050A8E8|.8D55 F4 LEA EDX,DWORD PTR SS:
0050A8EB|.E8 E0EBEFFF CALL CoolVide.004094D0
0050A8F0|.A1 E8645200 MOV EAX,DWORD PTR DS:
0050A8F5|.8B00 MOV EAX,DWORD PTR DS:
0050A8F7|.8B4D F4 MOV ECX,DWORD PTR SS:
0050A8FA|.8B55 F8 MOV EDX,DWORD PTR SS:
0050A8FD|.E8 FE100000 CALL CoolVide.0050BA00 F7进入~~更改标志位
0050A902|.84C0 TEST AL,AL
0050A904|.74 7D JE SHORT CoolVide.0050A983
0050A906|.A1 E8645200 MOV EAX,DWORD PTR DS:
0050A90B|.8B00 MOV EAX,DWORD PTR DS:
0050A90D|.8B88 08030000 MOV ECX,DWORD PTR DS:
0050A913|.B2 01 MOV DL,1
0050A915|.A1 C0004400 MOV EAX,DWORD PTR DS:
0050A91A|.E8 5158F3FF CALL CoolVide.00440170
0050A91F|.8BD8 MOV EBX,EAX
0050A921|.8B45 F8 MOV EAX,DWORD PTR SS:
0050A924|.50 PUSH EAX
0050A925|.B9 D0A95000 MOV ECX,CoolVide.0050A9D0 ;username
0050A92A|.BA E4A95000 MOV EDX,CoolVide.0050A9E4 ;user_info
0050A92F|.8BC3 MOV EAX,EBX
0050A931|.8B38 MOV EDI,DWORD PTR DS:
0050A933|.FF57 04 CALL DWORD PTR DS:
0050A936|.8B45 F4 MOV EAX,DWORD PTR SS:
0050A939|.50 PUSH EAX
0050A93A|.B9 F8A95000 MOV ECX,CoolVide.0050A9F8 ;regcode
0050A93F|.BA E4A95000 MOV EDX,CoolVide.0050A9E4 ;user_info
0050A944|.8BC3 MOV EAX,EBX
0050A946|.8B38 MOV EDI,DWORD PTR DS:
0050A948|.FF57 04 CALL DWORD PTR DS:
0050A94B|.8BC3 MOV EAX,EBX
0050A94D|.E8 9E93EFFF CALL CoolVide.00403CF0
0050A952|.A1 E8645200 MOV EAX,DWORD PTR DS:
0050A957|.8B00 MOV EAX,DWORD PTR DS:
0050A959|.8B4D F4 MOV ECX,DWORD PTR SS:
0050A95C|.8B55 F8 MOV EDX,DWORD PTR SS:
0050A95F|.E8 20300000 CALL CoolVide.0050D984
0050A964|.B8 08AA5000 MOV EAX,CoolVide.0050AA08 ;感谢您注册我们的软件,请关闭本软件并重新运行,以使您的注册生效!
0050A969|.E8 06E7F2FF CALL CoolVide.00439074
0050A96E|.A1 E8645200 MOV EAX,DWORD PTR DS:
0050A973|.8B00 MOV EAX,DWORD PTR DS:
0050A975|.E8 B6360000 CALL CoolVide.0050E030
0050A97A|.8BC6 MOV EAX,ESI
0050A97C|.E8 D7C5F8FF CALL CoolVide.00496F58
0050A981|.EB 0C JMP SHORT CoolVide.0050A98F
0050A983|>A1 9C645200 MOV EAX,DWORD PTR DS:
#######################################################################
0050BA00 55 PUSH EBP 改为:mov eax,1
0050BA01 8BEC MOV EBP,ESP 改为:retn
0050BA03 6A 00 PUSH 0
0050BA05 6A 00 PUSH 0
0050BA07 .6A 00 PUSH 0
0050BA09 .6A 00 PUSH 0
0050BA0B .6A 00 PUSH 0
0050BA0D .53 PUSH EBX
0050BA0E .56 PUSH ESI
0050BA0F .57 PUSH EDI
保存 暴破成功 原帖由 jmzhwf 于 2008-9-27 22:22 发表 https://www.chinapyg.com/images/common/back.gif
0050A89D|.55 PUSH EBP
0050A89E|.68 B7A95000 PUSH CoolVide.0050A9B7
0050A8A3|.64:FF30 PUSH DWORD PTR FS:
0050A8A6|.64:8920 MOV DWORD PTR FS:,ESP
0 ...
非常感谢! xor al,al
retn 你应该是标志位暴破才好,只改JNZ是不够的。 原帖由 老海 于 2008-9-29 10:12 发表 https://www.chinapyg.com/images/common/back.gif
你应该是标志位暴破才好,只改JNZ是不够的。
标志位暴破后会有正确的注册码?没有找到注册码还是不爽. 估计没有出现正确的注册码!
页:
[1]
2