
[Original] Aiseesoft Video Repair v1.0.20: a simple crack analysis

Posted on 2023-11-18 15:52:29
1. First run the program; notice that the window title shows "Unregistered".
2. Exit the program, load it in x64dbg and run it until the splash screen appears:
(screenshot: 2023-11-18_152121.png)


3. In the disassembly pane, right-click -> Search for -> All User Modules -> String references, and search for "Unregistered". One hit is found; double-click it to go to the disassembly:

[Asm]
00007FFC4479A62 | 40:53                  | PUSH RBX                                    | 》Start of the function; right-click here -> Find references -> Selected Address gives 5 call sites
00007FFC4479A62 | 48:83EC 30             | SUB RSP,0x30                                |
00007FFC4479A62 | 48:8BD9                | MOV RBX,RCX                                 |
00007FFC4479A62 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF      |
00007FFC4479A63 | 45:33C9                | XOR R9D,R9D                                 |
00007FFC4479A63 | 48:8D0D 85BF1100       | LEA RCX,QWORD PTR DS:[<public: static struc |
00007FFC4479A63 | 83FA 01                | CMP EDX,0x1                                 | 》If EDX=1, the JE below is taken. Tracing upward shows EDX is assigned before the CALL that reaches here.
00007FFC4479A63 | 4C:8D05 BB500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F700]        | ds:[00007FFC4483F700]:"Registered"
00007FFC4479A64 | 48:8BD3                | MOV RDX,RBX                                 |
00007FFC4479A64 | 74 07                  | JE framework.7FFC4479A651                   | 》Jump that skips the "Unregistered" title
00007FFC4479A64 | 4C:8D05 BF500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F710]        | ds:[00007FFC4483F710]:"Unregistered"
00007FFC4479A65 | FF15 C9D10900          | CALL QWORD PTR DS:[<public: class QString _ |
00007FFC4479A65 | 48:8BC3                | MOV RAX,RBX                                 |
00007FFC4479A65 | 48:83C4 30             | ADD RSP,0x30                                |
00007FFC4479A65 | 5B                     | POP RBX                                     |
00007FFC4479A65 | C3                     | RET                                         |
    


(See the comments on the key code; I analyzed all of it.)
4. The five call sites are:

[Asm]
    00007FFC447864AB call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
    00007FFC447865A6 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
    00007FFC447BA560 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
    00007FFC447C0B30 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
    00007FFC447D2760 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
    


Double-click the first one to go to the disassembly:

[Asm]
00007FFC4478648 | E8 7BCD0000            | CALL <framework.public: enum AkClientAuthor | 》This is the key CALL; step into it with F7. It only needs to return EAX=1.
00007FFC4478648 | 8BF0                   | MOV ESI,EAX                                 | 》Here, ESI=EAX
00007FFC4478648 | 83F8 01                | CMP EAX,0x1                                 |
00007FFC4478648 | 0F84 9E010000          | JE framework.7FFC4478662E                   |
00007FFC4478649 | 33D2                   | XOR EDX,EDX                                 |
00007FFC4478649 | 48:8D0D 5F390B00       | LEA RCX,QWORD PTR DS:[0x7FFC44839DF8]       |
00007FFC4478649 | FF15 71130B00          | CALL QWORD PTR DS:[<private: static struct  |
00007FFC4478649 | 48:894424 58           | MOV QWORD PTR SS:[RSP+0x58],RAX             |
00007FFC447864A | 8BD6                   | MOV EDX,ESI                                 | 》Here EDX=ESI; search upward for where ESI is assigned
    00007FFC447864A | 48:8D4C24 48           | LEA RCX,QWORD PTR SS:[RSP+0x48]             |
    00007FFC447864A | E8 70410100            | CALL <framework.public: static class QStrin |
    00007FFC447864B | 48:8BD8                | MOV RBX,RAX                                 |
    


(See the comments on the key code; I analyzed all of it.)
5. Step into the key call (00007FFC4478648 CALL <framework.public: enum AkClientAuthorization::State __cdecl AkClientAutho) and analyze it; this gives [Patch point 1]:
Change MOV EAX,DWORD PTR DS:[RCX+0x2C] to:

[Asm]
    MOV EAX,1
    RET
    


6. When we first ran the program directly, it asked us to enter an e-mail address and a registration code. Testing that returns "The registration code is invalid."; searching for this string gives 7 hits:

[Asm]
    00007FFC424A2D73 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
    00007FFC424A3100 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
    00007FFC424A3941 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
    00007FFC424A3B09 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
    00007FFC424A7CEF lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
    00007FFC424A7E2F lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
    00007FFC424E0710 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
    


7. Double-click the first one to go to the disassembly (see the comments on the key code; I analyzed all of it):

[Asm]
    00007FFC424A28C | 48:8BC4                | MOV RAX,RSP                                |
    00007FFC424A28C | 55                     | PUSH RBP                                   |
    00007FFC424A28C | 41:54                  | PUSH R12                                   |
    00007FFC424A28C | 41:55                  | PUSH R13                                   |
    00007FFC424A28C | 41:56                  | PUSH R14                                   |
    00007FFC424A28C | 41:57                  | PUSH R15                                   |
    00007FFC424A28C | 48:8D68 B1             | LEA RBP,QWORD PTR DS:[RAX-0x4F]            |
    00007FFC424A28D | 48:81EC 90000000       | SUB RSP,0x90                               |
    00007FFC424A28D | 48:C745 1F FEFFFFFF    | MOV QWORD PTR SS:[RBP+0x1F],0xFFFFFFFFFFFF |
    00007FFC424A28D | 48:8958 08             | MOV QWORD PTR DS:[RAX+0x8],RBX             |
    00007FFC424A28E | 48:8970 10             | MOV QWORD PTR DS:[RAX+0x10],RSI            |
    00007FFC424A28E | 48:8978 18             | MOV QWORD PTR DS:[RAX+0x18],RDI            |
    00007FFC424A28E | 4D:8BF1                | MOV R14,R9                                 |
    00007FFC424A28E | 4D:8BE8                | MOV R13,R8                                 |
    00007FFC424A28F | 48:8BDA                | MOV RBX,RDX                                |
    00007FFC424A28F | 48:8BF9                | MOV RDI,RCX                                |
    00007FFC424A28F | E8 C4380700            | CALL <framework.public: static int __cdecl |
    00007FFC424A28F | A8 02                  | TEST AL,0x2                                |
    00007FFC424A28F | 74 0A                  | JE framework.7FFC424A290A                  |
    00007FFC424A290 | B8 02000000            | MOV EAX,0x2                                |
    00007FFC424A290 | E9 21060000            | JMP framework.7FFC424A2F2B                 |
    00007FFC424A290 | 48:8B4F 20             | MOV RCX,QWORD PTR DS:[RDI+0x20]            |
    00007FFC424A290 | 48:85C9                | TEST RCX,RCX                               |
    00007FFC424A291 | 74 10                  | JE framework.7FFC424A2923                  |
    00007FFC424A291 | 807F 28 00             | CMP BYTE PTR DS:[RDI+0x28],0x0             |
    00007FFC424A291 | 74 0A                  | JE framework.7FFC424A2923                  |
    00007FFC424A291 | FF15 D94B0A00          | CALL QWORD PTR DS:[<public: void __cdecl Q |
    00007FFC424A291 | C647 28 00             | MOV BYTE PTR DS:[RDI+0x28],0x0             |
    00007FFC424A292 | 48:8D55 DF             | LEA RDX,QWORD PTR SS:[RBP-0x21]            |
    00007FFC424A292 | 48:8BCB                | MOV RCX,RBX                                |
    00007FFC424A292 | FF15 E84D0A00          | CALL QWORD PTR DS:[<public: class QString  |
    00007FFC424A293 | 90                     | NOP                                        |
    00007FFC424A293 | 48:8D55 D7             | LEA RDX,QWORD PTR SS:[RBP-0x29]            |
    00007FFC424A293 | 49:8BCD                | MOV RCX,R13                                |
    00007FFC424A293 | FF15 DA4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
    00007FFC424A293 | 90                     | NOP                                        |
    00007FFC424A293 | C645 CF 00             | MOV BYTE PTR SS:[RBP-0x31],0x0             |
    00007FFC424A294 | 45:32E4                | XOR R12B,R12B                              |
    00007FFC424A294 | 48:8D15 AB740A00       | LEA RDX,QWORD PTR DS:[0x7FFC42549DF8]      |
    00007FFC424A294 | 49:8BCE                | MOV RCX,R14                                |
    00007FFC424A295 | FF15 8A4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A295 | 41:BF 02000000         | MOV R15D,0x2                               | 》[Patch point 2] So the rabbit does eat the grass next to its own burrow. Remember that we want ESI≠2? Since ESI=R15D, it is enough that R15D≠2. That reasoning holds up, right? Haha, I just like setting R15D=1, my call…
00007FFC424A295 | 48:8B45 D7             | MOV RAX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A296 | 8378 04 00             | CMP DWORD PTR DS:[RAX+0x4],0x0             |
00007FFC424A296 | 75 08                  | JNE framework.7FFC424A296E                 |
00007FFC424A296 | 41:8BF7                | MOV ESI,R15D                               | 》*** See it? This is where ESI is assigned! (here ESI=R15D) *** So where is R15D assigned?
00007FFC424A296 | E9 7D050000            | JMP framework.7FFC424A2EEB                 | 》This long jump is the one we are looking for; haha, remember that "Let's go"?
…………
(several lines omitted here)
…………
    00007FFC424A2D6 | E9 83010000            | JMP framework.7FFC424A2EEB                 |
    00007FFC424A2D6 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
    00007FFC424A2D7 | 45:33C9                | XOR R9D,R9D                                |
    00007FFC424A2D7 | 4C:8D05 1EC90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F698]       | ds:[00007FFC4254F698]:"The registration code is invalid."
    00007FFC424A2D7 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
    00007FFC424A2D7 | 48:8D0D 3B381200       | LEA RCX,QWORD PTR DS:[<public: static stru |
    00007FFC424A2D8 | FF15 954A0A00          | CALL QWORD PTR DS:[<public: class QString  |
    00007FFC424A2D8 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
    00007FFC424A2D8 | 49:8BCE                | MOV RCX,R14                                |
    00007FFC424A2D9 | FF15 484A0A00          | CALL QWORD PTR DS:[<public: class QString  |
    00007FFC424A2D9 | 48:8D4D C7             | LEA RCX,QWORD PTR SS:[RBP-0x39]            |
    00007FFC424A2D9 | FF15 56350A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
    00007FFC424A2DA | 8B47 48                | MOV EAX,DWORD PTR DS:[RDI+0x48]            |
    00007FFC424A2DA | 83F8 04                | CMP EAX,0x4                                |
    00007FFC424A2DA | 75 09                  | JNE framework.7FFC424A2DB3                 |
    00007FFC424A2DA | 4C:8D05 C7C80A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F678]       | ds:[00007FFC7409F678]:"The registration code expired."
    00007FFC424A2DB | EB 0C                  | JMP framework.7FFC424A2DBF                 |
    00007FFC424A2DB | 83F8 03                | CMP EAX,0x3                                |
    00007FFC424A2DB | 75 3A                  | JNE framework.7FFC424A2DF2                 |
    00007FFC424A2DB | 4C:8D05 01C90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F6C0]       | ds:[00007FFC4254F6C0]:"The registration code is forbidden."
    00007FFC424A2DB | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
…………
(several lines omitted here)
…………
00007FFC424A2EE | C647 28 01             | MOV BYTE PTR DS:[RDI+0x28],0x1             |
00007FFC424A2EE | 807D 7F 00             | CMP BYTE PTR SS:[RBP+0x7F],0x0             | 》Analysis shows that a long JMP lands here. Let's go and take a look at that JMP!
00007FFC424A2EE | 75 15                  | JNE framework.7FFC424A2F06                 |
00007FFC424A2EF | 83FE 02                | CMP ESI,0x2                                | 》When ESI≠2, the JNZ below is taken. Next, search upward for where ESI is assigned.
00007FFC424A2EF | 75 10                  | JNE framework.7FFC424A2F06                 | 》When this jump is taken, the shopping-cart and activation-key icons do not appear in the program UI
00007FFC424A2EF | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2EF | 41:8BD7                | MOV EDX,R15D                               |
00007FFC424A2EF | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2EF | E8 FC300000            | CALL <framework.protected: void __cdecl Ak | 》This call is the licence activation and so on
    00007FFC424A2F0 | EB 0E                  | JMP framework.7FFC424A2F14                 |
    00007FFC424A2F0 | 4D:8BC6                | MOV R8,R14                                 |
    00007FFC424A2F0 | 8BD6                   | MOV EDX,ESI                                |
    00007FFC424A2F0 | 48:8BCF                | MOV RCX,RDI                                |
    00007FFC424A2F0 | E8 BD550700            | CALL <framework.public: void __cdecl AkCli |
    00007FFC424A2F1 | 90                     | NOP                                        |
    00007FFC424A2F1 | 48:8D4D D7             | LEA RCX,QWORD PTR SS:[RBP-0x29]            |
    00007FFC424A2F1 | FF15 DA330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
    00007FFC424A2F1 | 90                     | NOP                                        |
    00007FFC424A2F1 | 48:8D4D DF             | LEA RCX,QWORD PTR SS:[RBP-0x21]            |
    00007FFC424A2F2 | FF15 CF330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
    00007FFC424A2F2 | 8BC6                   | MOV EAX,ESI                                |
    00007FFC424A2F2 | 4C:8D9C24 90000000     | LEA R11,QWORD PTR SS:[RSP+0x90]            |
    00007FFC424A2F3 | 49:8B5B 30             | MOV RBX,QWORD PTR DS:[R11+0x30]            |
    00007FFC424A2F3 | 49:8B73 38             | MOV RSI,QWORD PTR DS:[R11+0x38]            |
    00007FFC424A2F3 | 49:8B7B 40             | MOV RDI,QWORD PTR DS:[R11+0x40]            |
    00007FFC424A2F3 | 49:8BE3                | MOV RSP,R11                                |
    00007FFC424A2F4 | 41:5F                  | POP R15                                    |
    00007FFC424A2F4 | 41:5E                  | POP R14                                    |
    00007FFC424A2F4 | 41:5D                  | POP R13                                    |
    00007FFC424A2F4 | 41:5C                  | POP R12                                    |
    00007FFC424A2F4 | 5D                     | POP RBP                                    |
    00007FFC424A2F4 | C3                     | RET                                        |
    

Read it a hundred times and the meaning reveals itself; look closely!


Happy 19th birthday, PYG!
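Added example, not code from the post, the forum or the vendor: a C model of the control flow read off the listings above, with a comment on each function naming the Windows x64 register the value travels in (RCX/RDX/R8/R9 carry the first four arguments, EAX the return value). Only the offsets +0x2C and +0x48, the compared constants and the string literals come from the post; the struct layouts, the field names, the enum value name and all function names are assumptions. The last helper illustrates the defender-side point the analysis makes visible: a registration state that is one plain 32-bit load away from "registered" is also one instruction away from it, which is why programs that care about tampering checksum their own code bytes at run time against a build-time value. The sample buffer it hashes is constructed from the first three instructions of the stateDescription listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: the post reads the state with MOV EAX,DWORD PTR [RCX+0x2C]. */
struct AkClientAuthorization {
    uint8_t _unknown0[0x2C];
    int32_t state;            /* AkClientAuthorization::State; the post observes 1 == registered */
};

/* Hypothetical layout of the object held in RDI inside the registration handler. */
struct AkClientRegistration {
    uint8_t _unknown0[0x48];
    int32_t error_code;       /* compared against 4 and 3 after the "invalid" message is loaded */
};

enum { AK_STATE_REGISTERED = 1 };   /* value name assumed; CMP EAX,0x1 / CMP EDX,0x1 are on the page */

/* enum State AkClientAuthorization::state(self in RCX) -> EAX.
   The "key call" of step 5 is essentially this single load. */
int ak_state(const struct AkClientAuthorization *self)
{
    return self->state;
}

/* QString AkClientAuthorization::stateDescription(int state in EDX):
   CMP EDX,0x1 / LEA R8,"Registered" / JE / LEA R8,"Unregistered". */
const char *ak_state_description(int state)
{
    return state == AK_STATE_REGISTERED ? "Registered" : "Unregistered";
}

/* First call site of step 4: CALL state; MOV ESI,EAX; ...; MOV EDX,ESI; CALL stateDescription. */
const char *ak_title_suffix(const struct AkClientAuthorization *self)
{
    return ak_state_description(ak_state(self));
}

/* Message selection of step 7: "invalid" is loaded first, then
   [RDI+0x48] == 4 overrides it with "expired" and == 3 with "forbidden". */
const char *ak_registration_message(const struct AkClientRegistration *self)
{
    switch (self->error_code) {
    case 4:  return "The registration code expired.";
    case 3:  return "The registration code is forbidden.";
    default: return "The registration code is invalid.";
    }
}

/* Convenience wrappers that build the objects; they return string literals, so the
   pointers stay valid after the locals go out of scope. */
const char *title_for_state(int state)
{
    struct AkClientAuthorization auth;
    memset(&auth, 0, sizeof auth);
    auth.state = state;
    return ak_title_suffix(&auth);
}

const char *message_for_code(int code)
{
    struct AkClientRegistration reg;
    memset(&reg, 0, sizeof reg);
    reg.error_code = code;
    return ak_registration_message(&reg);
}

/* FNV-1a over a code range: the kind of run-time self-check a vendor can compare
   against a value computed at build time to notice that its bytes were modified. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

int code_intact(const uint8_t *code, size_t n, uint32_t expected)
{
    return fnv1a32(code, n) == expected;
}

/* Constructed sample: PUSH RBX / SUB RSP,0x30 / MOV RBX,RCX from the listing in step 3. */
static const uint8_t REF_CODE[] = {0x40, 0x53, 0x48, 0x83, 0xEC, 0x30, 0x48, 0x8B, 0xD9};

/* Returns 1 when the untouched buffer passes the check and a copy with one changed byte fails it. */
int integrity_demo(void)
{
    uint8_t copy[sizeof REF_CODE];
    uint32_t expected = fnv1a32(REF_CODE, sizeof REF_CODE);   /* would be computed at build time */
    memcpy(copy, REF_CODE, sizeof copy);
    copy[sizeof copy - 1] ^= 0x01;                              /* simulate a one-byte modification */
    return code_intact(REF_CODE, sizeof REF_CODE, expected)
        && !code_intact(copy, sizeof copy, expected);
}

int main(void)
{
    printf("title suffix: %s / %s\n", title_for_state(1), title_for_state(0));
    printf("message for code 4: %s\n", message_for_code(4));
    printf("self-check demo: %s\n", integrity_demo() ? "ok" : "FAIL");
    return 0;
}
```

Compile with any C99 compiler (for example cc -std=c99 -Wall). The value of this model is the mapping, not the functions themselves: once you see that the title and the error message both hang off one integer field, the post's two patch points are simply the two places where that integer is produced.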
Original poster | Posted on 2023-11-18 15:53:53
This post was last edited by speedboy on 2023-11-19 11:18

The program after patching:

This is the analysis of the 64-bit build; the 32-bit one differs slightly.

(screenshot: 2023-11-18_152303.png)
Posted on 2023-11-19 08:07:45
Big bro has been really productive lately, take me along with you

Original poster | Posted on 2023-11-19 11:19:23
wgz001 posted on 2023-11-19 08:07:
Big bro has been really productive lately, take me along with you

Thanks for your support, young master
Posted on 2023-11-19 14:58:13

The boss really has been productive lately, impressive. Could you try wifipr, the WiFi capture-file cracking tool? The latest version on the official site is v8.8.6 and is even more powerful; official download link: https://www.passcape.com/download/wifipr.zip
Posted on 2023-11-20 12:01:46 from a mobile device
A very detailed analysis
Posted on 2023-11-24 10:52:47
Impressive, thanks for posting
Posted on 2023-12-2 18:30:38
This is a video repair tool; I only learned about it recently and don't know how well it actually works