Aiseesoft Video Repair v1.0.20 破解简单分析

speedboy

1、首先运行程序，发现在窗口标题会显示 “Unregistered“；
2、退出程序，在X64DBG加载程序并运行，直到出现引导界面：



3、在反汇编区 右键——搜索范围——所有用户模块——字符串应用，并查找"Unregistered"，得到一处，双击来到反汇编区：

[Asm] 纯文本查看 复制代码

00007FFC4479A62 | 40:53                  | PUSH RBX                                    | 》此为代码段首，在此 右键——查找引用——选定的地址，得到5处调用
00007FFC4479A62 | 48:83EC 30             | SUB RSP,0x30                                |
00007FFC4479A62 | 48:8BD9                | MOV RBX,RCX                                 |
00007FFC4479A62 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF      |
00007FFC4479A63 | 45:33C9                | XOR R9D,R9D                                 |
00007FFC4479A63 | 48:8D0D 85BF1100       | LEA RCX,QWORD PTR DS:[<public: static struc |
00007FFC4479A63 | 83FA 01                | CMP EDX,0x1                                 | 》如果 EDX=1，下面的 je 跳转实现。往上分析发现EDX的赋值来自Call调用之前。
00007FFC4479A63 | 4C:8D05 BB500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F700]        | ds:[00007FFC4483F700]:"Registered"
00007FFC4479A64 | 48:8BD3                | MOV RDX,RBX                                 |
00007FFC4479A64 | 74 07                  | JE framework.7FFC4479A651                   | 》跳转，跳过“Unregistered”标题
00007FFC4479A64 | 4C:8D05 BF500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F710]        | ds:[00007FFC4483F710]:"Unregistered"
00007FFC4479A65 | FF15 C9D10900          | CALL QWORD PTR DS:[<public: class QString _ |
00007FFC4479A65 | 48:8BC3                | MOV RAX,RBX                                 |
00007FFC4479A65 | 48:83C4 30             | ADD RSP,0x30                                |
00007FFC4479A65 | 5B                     | POP RBX                                     |
00007FFC4479A65 | C3                     | RET                                         |

（看关键代码注释，我都做出了分析）
4、五处调用为：

[Asm] 纯文本查看 复制代码

00007FFC447864AB call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447865A6 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447BA560 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447C0B30 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447D2760 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>

选择第一个双击来到反汇编区：

[Asm] 纯文本查看 复制代码

00007FFC4478648 | E8 7BCD0000            | CALL <framework.public: enum AkClientAuthor | 》此为关键Call，F7跟进返回的EAX=1即可
00007FFC4478648 | 8BF0                   | MOV ESI,EAX                                 | 》在这呢，ESI=EAX
00007FFC4478648 | 83F8 01                | CMP EAX,0x1                                 |
00007FFC4478648 | 0F84 9E010000          | JE framework.7FFC4478662E                   |
00007FFC4478649 | 33D2                   | XOR EDX,EDX                                 |
00007FFC4478649 | 48:8D0D 5F390B00       | LEA RCX,QWORD PTR DS:[0x7FFC44839DF8]       |
00007FFC4478649 | FF15 71130B00          | CALL QWORD PTR DS:[<private: static struct  |
00007FFC4478649 | 48:894424 58           | MOV QWORD PTR SS:[RSP+0x58],RAX             |
00007FFC447864A | 8BD6                   | MOV EDX,ESI                                 | 》此处 EDX=ESI，向上查找何处给 ESI赋值
00007FFC447864A | 48:8D4C24 48           | LEA RCX,QWORD PTR SS:[RSP+0x48]             |
00007FFC447864A | E8 70410100            | CALL <framework.public: static class QStrin |
00007FFC447864B | 48:8BD8                | MOV RBX,RAX                                 |

（看关键代码注释，我都做出了分析）
5、进入关键Call（00007FFC4478648 CALL <framework.public: enum AkClientAuthorization::State __cdecl AkClientAutho）分析，得到【破解处-1】
把 MOV EAX,DWORD PTR DS:[RCX+0x2C] 修改为：

[Asm] 纯文本查看 复制代码

MOV EAX,1
RET

6、在刚开始我们直接运行程序时提示我们输入邮箱和注册码进行注册，测试后会返回"The registration code is invalid."，接着搜索此字符串得到7处：

[Asm] 纯文本查看 复制代码

00007FFC424A2D73 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3100 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3941 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3B09 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7CEF lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7E2F lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424E0710 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."

7、在第一个上双击来到反汇编区:(看关键代码注释，我都做出了分析)

[Asm] 纯文本查看 复制代码

00007FFC424A28C | 48:8BC4                | MOV RAX,RSP                                |
00007FFC424A28C | 55                     | PUSH RBP                                   |
00007FFC424A28C | 41:54                  | PUSH R12                                   |
00007FFC424A28C | 41:55                  | PUSH R13                                   |
00007FFC424A28C | 41:56                  | PUSH R14                                   |
00007FFC424A28C | 41:57                  | PUSH R15                                   |
00007FFC424A28C | 48:8D68 B1             | LEA RBP,QWORD PTR DS:[RAX-0x4F]            |
00007FFC424A28D | 48:81EC 90000000       | SUB RSP,0x90                               |
00007FFC424A28D | 48:C745 1F FEFFFFFF    | MOV QWORD PTR SS:[RBP+0x1F],0xFFFFFFFFFFFF |
00007FFC424A28D | 48:8958 08             | MOV QWORD PTR DS:[RAX+0x8],RBX             |
00007FFC424A28E | 48:8970 10             | MOV QWORD PTR DS:[RAX+0x10],RSI            |
00007FFC424A28E | 48:8978 18             | MOV QWORD PTR DS:[RAX+0x18],RDI            |
00007FFC424A28E | 4D:8BF1                | MOV R14,R9                                 |
00007FFC424A28E | 4D:8BE8                | MOV R13,R8                                 |
00007FFC424A28F | 48:8BDA                | MOV RBX,RDX                                |
00007FFC424A28F | 48:8BF9                | MOV RDI,RCX                                |
00007FFC424A28F | E8 C4380700            | CALL <framework.public: static int __cdecl |
00007FFC424A28F | A8 02                  | TEST AL,0x2                                |
00007FFC424A28F | 74 0A                  | JE framework.7FFC424A290A                  |
00007FFC424A290 | B8 02000000            | MOV EAX,0x2                                |
00007FFC424A290 | E9 21060000            | JMP framework.7FFC424A2F2B                 |
00007FFC424A290 | 48:8B4F 20             | MOV RCX,QWORD PTR DS:[RDI+0x20]            |
00007FFC424A290 | 48:85C9                | TEST RCX,RCX                               |
00007FFC424A291 | 74 10                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | 807F 28 00             | CMP BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A291 | 74 0A                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | FF15 D94B0A00          | CALL QWORD PTR DS:[<public: void __cdecl Q |
00007FFC424A291 | C647 28 00             | MOV BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A292 | 48:8D55 DF             | LEA RDX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A292 | 48:8BCB                | MOV RCX,RBX                                |
00007FFC424A292 | FF15 E84D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | 48:8D55 D7             | LEA RDX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A293 | 49:8BCD                | MOV RCX,R13                                |
00007FFC424A293 | FF15 DA4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | C645 CF 00             | MOV BYTE PTR SS:[RBP-0x31],0x0             |
00007FFC424A294 | 45:32E4                | XOR R12B,R12B                              |
00007FFC424A294 | 48:8D15 AB740A00       | LEA RDX,QWORD PTR DS:[0x7FFC42549DF8]      |
00007FFC424A294 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A295 | FF15 8A4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A295 | 41:BF 02000000         | MOV R15D,0x2                               | 》【破解处-2】原来兔子都吃窝边草啊，还记得我们想让 ESI≠2吗？因为ESI=R15D，所以R15D≠2即可，这个辩证还合理吧，哈哈，我就喜欢让R15D=1，我任性……
00007FFC424A295 | 48:8B45 D7             | MOV RAX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A296 | 8378 04 00             | CMP DWORD PTR DS:[RAX+0x4],0x0             |
00007FFC424A296 | 75 08                  | JNE framework.7FFC424A296E                 |
00007FFC424A296 | 41:8BF7                | MOV ESI,R15D                               | 》*** 看到了吗？这里给 ESI 赋值啦！(此时ESI=R15D)***，那么何处又给 R15D 赋值了呢？
00007FFC424A296 | E9 7D050000            | JMP framework.7FFC424A2EEB                 | 》这个大跳转就是我们要找的呦，哈哈，还记得那个 Let's go 吗？
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………

此处省略若干行
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2D6 | E9 83010000            | JMP framework.7FFC424A2EEB                 |
00007FFC424A2D6 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
00007FFC424A2D7 | 45:33C9                | XOR R9D,R9D                                |
00007FFC424A2D7 | 4C:8D05 1EC90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F698]       | ds:[00007FFC4254F698]:"The registration code is invalid."
00007FFC424A2D7 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D7 | 48:8D0D 3B381200       | LEA RCX,QWORD PTR DS:[<public: static stru |
00007FFC424A2D8 | FF15 954A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D8 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D8 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A2D9 | FF15 484A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D9 | 48:8D4D C7             | LEA RCX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D9 | FF15 56350A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2DA | 8B47 48                | MOV EAX,DWORD PTR DS:[RDI+0x48]            |
00007FFC424A2DA | 83F8 04                | CMP EAX,0x4                                |
00007FFC424A2DA | 75 09                  | JNE framework.7FFC424A2DB3                 |
00007FFC424A2DA | 4C:8D05 C7C80A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F678]       | ds:[00007FFC7409F678]:"The registration code expired."
00007FFC424A2DB | EB 0C                  | JMP framework.7FFC424A2DBF                 |
00007FFC424A2DB | 83F8 03                | CMP EAX,0x3                                |
00007FFC424A2DB | 75 3A                  | JNE framework.7FFC424A2DF2                 |
00007FFC424A2DB | 4C:8D05 01C90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F6C0]       | ds:[00007FFC4254F6C0]:"The registration code is forbidden."
00007FFC424A2DB | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………

此处省略若干行
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2EE | C647 28 01             | MOV BYTE PTR DS:[RDI+0x28],0x1             |
00007FFC424A2EE | 807D 7F 00             | CMP BYTE PTR SS:[RBP+0x7F],0x0             | 》经分析发现 有个大跳转 jmp 会到访这里呦，Let's go 我们到 jmp 那去看看吧！
00007FFC424A2EE | 75 15                  | JNE framework.7FFC424A2F06                 |
00007FFC424A2EF | 83FE 02                | CMP ESI,0x2                                | 》ESI≠2时，下面jnz跳转实现。接着向上找何处给ESI赋值。
00007FFC424A2EF | 75 10                  | JNE framework.7FFC424A2F06                 | 》此处跳转时程序界面不会出现购物车和激活钥匙图标
00007FFC424A2EF | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2EF | 41:8BD7                | MOV EDX,R15D                               |
00007FFC424A2EF | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2EF | E8 FC300000            | CALL <framework.protected: void __cdecl Ak | 》此调用即为版权激活等
00007FFC424A2F0 | EB 0E                  | JMP framework.7FFC424A2F14                 |
00007FFC424A2F0 | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2F0 | 8BD6                   | MOV EDX,ESI                                |
00007FFC424A2F0 | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2F0 | E8 BD550700            | CALL <framework.public: void __cdecl AkCli |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D D7             | LEA RCX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A2F1 | FF15 DA330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D DF             | LEA RCX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A2F2 | FF15 CF330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F2 | 8BC6                   | MOV EAX,ESI                                |
00007FFC424A2F2 | 4C:8D9C24 90000000     | LEA R11,QWORD PTR SS:[RSP+0x90]            |
00007FFC424A2F3 | 49:8B5B 30             | MOV RBX,QWORD PTR DS:[R11+0x30]            |
00007FFC424A2F3 | 49:8B73 38             | MOV RSI,QWORD PTR DS:[R11+0x38]            |
00007FFC424A2F3 | 49:8B7B 40             | MOV RDI,QWORD PTR DS:[R11+0x40]            |
00007FFC424A2F3 | 49:8BE3                | MOV RSP,R11                                |
00007FFC424A2F4 | 41:5F                  | POP R15                                    |
00007FFC424A2F4 | 41:5E                  | POP R14                                    |
00007FFC424A2F4 | 41:5D                  | POP R13                                    |
00007FFC424A2F4 | 41:5C                  | POP R12                                    |
00007FFC424A2F4 | 5D                     | POP RBP                                    |
00007FFC424A2F4 | C3                     | RET                                        |

书读百遍其义自见，仔细看呗！

speedboy

完成后的程序：

这是 64位程序的分析，32位的稍有不同。

wgz001

表哥最近高产啊，带带我

speedboy

wgz001 发表于 2023-11-19 08:07
表哥最近高产啊，带带我

感谢公子支持

duhe

speedboy 发表于 2023-11-19 11:19
感谢公子支持

大佬最近确实高产，厉害。能否试试 wifipr 这款 WiFi 跑包软件？目前官网最新版是 v 8.8.6， 更加强大，官网下载地址：https://www.passcape.com/download/wifipr.zip

温柔

很详细的分析

少马石

高人，高产。

李靖

大佬厉害，感谢发布

fxiaojie124

这个是视频修复工具，最近才知道就是不知道功能怎么样