MP4 Downloader / YouTube Video Downloader: analysis of the verification flow
This post was last edited by PYG官方论坛 on 2015-4-11 00:30.
YouTube Video Downloader
Official site: http://www.tomabo.com/
The tool has since been renamed MP4 Downloader
Version 3.8.29, 11.5 MB
First, get the program to save its registration information; after registering, it is stored here:
HKEY_CURRENT_USER\Software\Classes\CLSID\{D72EB4CA-9F4B-4cb6-95EA-A931FC23A730}
When the program starts it decrypts the data saved in the registry:
00411C2F|.68 10E34E00 PUSH MP4Downl.004EE310 ;3.8.27
00411C34|.68 240E4F00 PUSH MP4Downl.004F0E24 ;{D72EB4CA-9F4B-4cb6-95EA-A931FC23A730}
00411C39|.6A 00 PUSH 0
00411C3B|.8D8D E8FEFFFF LEA ECX, DWORD PTR SS:
00411C41|.C745 E0 9C040000 MOV DWORD PTR SS:, 49C
00411C48|.C745 E8 580D4F00 MOV DWORD PTR SS:, MP4Downl.>;ASCII "DH43Ydl65IZsIncKnCukuUZgGk8lLSBiC9JlaO5pxiioSXtl5iLTQEU1tnJMBYYUrjePIG9E6J210QFgWwjuRdsc2aw53GqaZ8NZ"
00411C4F|.C745 EC 540D4F00 MOV DWORD PTR SS:, MP4Downl.>;ASCII "O2x"
... ...
004108E8|.E8 39070000 CALL MP4Downl.00411026 ; read the data ....
===============>
00411064|.50 PUSH EAX ; /pDisposition = 0018EFD4
00411065|.8D45 F8 LEA EAX, DWORD PTR SS: ; |
00411068|.50 PUSH EAX ; |pHandle = 0018EFD4
00411069|.56 PUSH ESI ; |pSecurity = 0018EFF8
0041106A|.6A 01 PUSH 1 ; |Access = KEY_QUERY_VALUE
0041106C|.56 PUSH ESI ; |Options = 18EFF8
0041106D|.56 PUSH ESI ; |Class = "柘L"
0041106E|.56 PUSH ESI ; |Reserved = 18EFF8
0041106F|.FF75 08 PUSH DWORD PTR SS: ; |Subkey = NULL
00411072|.8975 F4 MOV DWORD PTR SS:, ESI ; |
00411075|.68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
0041107A|.FF15 04404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegCreateKeyExW
00411080|.85C0 TEST EAX, EAX
00411082|.74 05 JE SHORT MP4Downl.00411089
00411084|>83C8 FF OR EAX, FFFFFFFF
00411087|.EB 5A JMP SHORT MP4Downl.004110E3
00411089|>8D45 FC LEA EAX, DWORD PTR SS:
0041108C|.C745 FC 01100000 MOV DWORD PTR SS:, 1001
00411093|.50 PUSH EAX ; /pBufSize = 0018EFD4
00411094|.8D85 F0EFFFFF LEA EAX, DWORD PTR SS: ; |
0041109A|.50 PUSH EAX ; |Buffer = 0018EFD4
0041109B|.8D45 08 LEA EAX, DWORD PTR SS: ; |
0041109E|.50 PUSH EAX ; |pValueType = 0018EFD4
0041109F|.56 PUSH ESI ; |Reserved = 0018EFF8
004110A0|.56 PUSH ESI ; |ValueName = "柘L"
004110A1|.C745 08 03000000 MOV DWORD PTR SS:, 3 ; |
004110A8|.FF75 F8 PUSH DWORD PTR SS: ; |hKey = 4B6874
004110AB|.FF15 24404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegQueryValueExW
004110B1|.FF75 F8 PUSH DWORD PTR SS: ; /hKey = 004B6874
004110B4|.85C0 TEST EAX, EAX ; |
004110B6|.74 08 JE SHORT MP4Downl.004110C0 ; |
004110B8|.FF15 00404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegCloseKey
004110BE|.^ EB C4 JMP SHORT MP4Downl.00411084
004110C0|>FF15 00404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegCloseKey
004110C6|.3975 FC CMP DWORD PTR SS:, ESI
004110C9|.^ 74 B9 JE SHORT MP4Downl.00411084
004110CB|.FF75 0C PUSH DWORD PTR SS:
004110CE|.8D85 F0EFFFFF LEA EAX, DWORD PTR SS:
004110D4|.8BCB MOV ECX, EBX
004110D6|.FF75 FC PUSH DWORD PTR SS:
004110D9|.50 PUSH EAX
004110DA|.E8 AC000000 CALL MP4Downl.0041118B ; decode the KEY
<===============
004108ED|.3BC7 CMP EAX, EDI
004108EF|.75 11 JNZ SHORT MP4Downl.00410902
004108F1|>53 PUSH EBX
004108F2|.6A 04 PUSH 4
004108F4|.8BCE MOV ECX, ESI
004108F6|.E8 020B0000 CALL MP4Downl.004113FD
004108FB|.8BDF MOV EBX, EDI
004108FD|.E9 12010000 JMP MP4Downl.00410A14
00410902|>83F8 FE CMP EAX, -2
00410905|.0F84 FC000000 JE MP4Downl.00410A07 ; processing starts here ....
0041090B|.8B45 F0 MOV EAX, DWORD PTR SS: ;MP4Downl.00541EFC
0041090E|.3958 F8 CMP DWORD PTR DS:, EBX
00410911|.^ 74 DE JE SHORT MP4Downl.004108F1
00410913|.50 PUSH EAX
00410914|.8D4E 70 LEA ECX, DWORD PTR DS:
00410917|.E8 32F7FFFF CALL MP4Downl.0041004E ; parse the data
0041091C|.85C0 TEST EAX, EAX
0041091E|.^ 75 D1 JNZ SHORT MP4Downl.004108F1
00410920 66:837E 74 02 CMP WORD PTR DS:, 2 ; this is the registration flag, 02
00410925 0F85 D1000000 JNZ MP4Downl.004109FC
0041092B|.8B46 64 MOV EAX, DWORD PTR DS:
0041092E|.83F8 0A CMP EAX, 0A
00410931|.74 0A JE SHORT MP4Downl.0041093D
Format of the decrypted data: UNICODE "\nA0004\[email protected]\nZHUCEMA"
00410995|.52 PUSH EDX
00410996|.50 PUSH EAX
00410997|.51 PUSH ECX
00410998|.8BCE MOV ECX, ESI
0041099A|.E8 30010000 CALL MP4Downl.00410ACF ; the registration code's validity is checked here; patching out this algorithm CALL works too ...
0041099F|.85C0 TEST EAX, EAX
004109A1|.75 32 JNZ SHORT MP4Downl.004109D5
In other words, if we change the data to "\n00002\[email protected]\nZHUCEMA", then encrypt it and save it to the registry, that is basically all it takes.
Modifying the data at any of these points works; there is one more copy of the data later on, and modifying it there works as well.
For a patch, you can locate a byte signature, which makes it work across versions.
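The two observations in the post, that the licence record lives under HKEY_CURRENT_USER and is decrypted by the program itself, and that the registration flag is then read straight out of that decrypted record, both come down to the client trusting data that only it produced. The Python below is an added example written for this analysis, not code from MP4 Downloader or from the post: it parses a record with the same newline-separated shape as the decrypted string shown above, then contrasts a client that trusts the record as-is with one that only accepts it under an issuer tag. The field values, the issuer key and all function names are constructed for illustration.

```python
# Added example (not the tool's own code): a licence record the client decrypts
# and then trusts by itself, versus the same record bound by an issuer tag so
# that any edit to its fields is detected before the status is believed.
import hmac
import hashlib
from typing import Optional

FIELD_SEP = "\n"

# Constructed record, modelled on the layout of the decrypted string in the post
# (leading empty field, status, e-mail, registration code). The field names,
# the values and the issuer key are assumptions made for this example.
ISSUER_KEY = b"constructed-issuer-secret"
REC_TRIAL = "\nTRIAL\nuser@example.invalid\nEXAMPLE-CODE"


def parse_record(text: str) -> dict:
    """Split the record into its fields; reject anything with another shape."""
    parts = text.split(FIELD_SEP)
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("unexpected licence record layout")
    return {"status": parts[1], "email": parts[2], "regcode": parts[3]}


def unsigned_status(text: str) -> str:
    """What a client that trusts its own decrypted record ends up doing:
    the status is whatever the record says, with nothing to cross-check it."""
    return parse_record(text)["status"]


def sign_record(text: str, issuer_key: bytes) -> str:
    """Issuer side: bind the whole record with a keyed tag. HMAC stands in here
    because it is in the standard library; a shipped client should hold only a
    public verification key (e.g. Ed25519), never the issuing secret."""
    return hmac.new(issuer_key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_record(text: str, tag: str, issuer_key: bytes) -> bool:
    """Client side: recompute the tag and compare in constant time."""
    expected = sign_record(text, issuer_key)
    return hmac.compare_digest(expected, tag)


def licence_status(text: str, tag: str, issuer_key: bytes) -> Optional[str]:
    """Return the status only when the record is intact; None otherwise."""
    if not verify_record(text, tag, issuer_key):
        return None
    return parse_record(text)["status"]


if __name__ == "__main__":
    tag = sign_record(REC_TRIAL, ISSUER_KEY)
    edited = REC_TRIAL.replace("TRIAL", "FULL")  # status field altered in the stored record
    print("unsigned, edited record:", unsigned_status(edited))                       # FULL
    print("signed, edited record:  ", licence_status(edited, tag, ISSUER_KEY))       # None
    print("signed, original record:", licence_status(REC_TRIAL, tag, ISSUER_KEY))    # TRIAL
```

The tag only protects the data. The post's remark that the checking CALL itself can be patched is the other half of the picture: integrity of the record does nothing for integrity of the code that checks it, so an entitlement that matters has to be decided somewhere the user does not control, with the client only caching the answer.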
Front row, waiting! The master has appeared~
Respect~~ Really looking forward to OP's analysis.
OP, whatever happens, you have to hold on! Holding on is victory! Looking forward to OP's analysis. OP is great