This post was last edited by PYG官方论坛 on 2015-4-11 00:30
YouTube Video Downloader
Official site: http://www.tomabo.com/
The tool has since been renamed: MP4 Downloader
Version 3.8.29, 11.5 MB
First, make the program save its registration information. After registering, it is stored under:
HKEY_CURRENT_USER\Software\Classes\CLSID\{D72EB4CA-9F4B-4cb6-95EA-A931FC23A730}
On startup the program decrypts the data stored in the registry:
```
00411C2F |. 68 10E34E00 PUSH MP4Downl.004EE310 ; 3.8.27
00411C34 |. 68 240E4F00 PUSH MP4Downl.004F0E24 ; {D72EB4CA-9F4B-4cb6-95EA-A931FC23A730}
00411C39 |. 6A 00 PUSH 0
00411C3B |. 8D8D E8FEFFFF LEA ECX, DWORD PTR SS:[EBP-118]
00411C41 |. C745 E0 9C040000 MOV DWORD PTR SS:[EBP-20], 49C
00411C48 |. C745 E8 580D4F00 MOV DWORD PTR SS:[EBP-18], MP4Downl.>; ASCII "DH43Ydl65IZsIncKnCukuUZgGk8lLSBiC9JlaO5pxiiOSXtl5iLTQEU1tnJMBYYUrjePIG9E6J210QFgWwjuRdsc2aw53GqaZ8NZ"
00411C4F |. C745 EC 540D4F00 MOV DWORD PTR SS:[EBP-14], MP4Downl.>; ASCII "O2x"
... ...
004108E8 |. E8 39070000 CALL MP4Downl.00411026 ; read the data ....
===============>
00411064 |. 50 PUSH EAX ; /pDisposition = 0018EFD4
00411065 |. 8D45 F8 LEA EAX, DWORD PTR SS:[EBP-8] ; |
00411068 |. 50 PUSH EAX ; |pHandle = 0018EFD4
00411069 |. 56 PUSH ESI ; |pSecurity = 0018EFF8
0041106A |. 6A 01 PUSH 1 ; |Access = KEY_QUERY_VALUE
0041106C |. 56 PUSH ESI ; |Options = 18EFF8
0041106D |. 56 PUSH ESI ; |Class = "柘L"
0041106E |. 56 PUSH ESI ; |Reserved = 18EFF8
0041106F |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Subkey = NULL
00411072 |. 8975 F4 MOV DWORD PTR SS:[EBP-C], ESI ; |
00411075 |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
0041107A |. FF15 04404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegCreateKeyExW
00411080 |. 85C0 TEST EAX, EAX
00411082 |. 74 05 JE SHORT MP4Downl.00411089
00411084 |> 83C8 FF OR EAX, FFFFFFFF
00411087 |. EB 5A JMP SHORT MP4Downl.004110E3
00411089 |> 8D45 FC LEA EAX, DWORD PTR SS:[EBP-4]
0041108C |. C745 FC 01100000 MOV DWORD PTR SS:[EBP-4], 1001
00411093 |. 50 PUSH EAX ; /pBufSize = 0018EFD4
00411094 |. 8D85 F0EFFFFF LEA EAX, DWORD PTR SS:[EBP-1010] ; |
0041109A |. 50 PUSH EAX ; |Buffer = 0018EFD4
0041109B |. 8D45 08 LEA EAX, DWORD PTR SS:[EBP+8] ; |
0041109E |. 50 PUSH EAX ; |pValueType = 0018EFD4
0041109F |. 56 PUSH ESI ; |Reserved = 0018EFF8
004110A0 |. 56 PUSH ESI ; |ValueName = "柘L"
004110A1 |. C745 08 03000000 MOV DWORD PTR SS:[EBP+8], 3 ; |
004110A8 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; |hKey = 4B6874
004110AB |. FF15 24404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegQueryValueExW
004110B1 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; /hKey = 004B6874
004110B4 |. 85C0 TEST EAX, EAX ; |
004110B6 |. 74 08 JE SHORT MP4Downl.004110C0 ; |
004110B8 |. FF15 00404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegCloseKey
004110BE |.^ EB C4 JMP SHORT MP4Downl.00411084
004110C0 |> FF15 00404C00 CALL NEAR DWORD PTR DS:[<&ADVAPI32.Re>; \RegCloseKey
004110C6 |. 3975 FC CMP DWORD PTR SS:[EBP-4], ESI
004110C9 |.^ 74 B9 JE SHORT MP4Downl.00411084
004110CB |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
004110CE |. 8D85 F0EFFFFF LEA EAX, DWORD PTR SS:[EBP-1010]
004110D4 |. 8BCB MOV ECX, EBX
004110D6 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
004110D9 |. 50 PUSH EAX
004110DA |. E8 AC000000 CALL MP4Downl.0041118B ; decode the KEY
<===============
004108ED |. 3BC7 CMP EAX, EDI
004108EF |. 75 11 JNZ SHORT MP4Downl.00410902
004108F1 |> 53 PUSH EBX
004108F2 |. 6A 04 PUSH 4
004108F4 |. 8BCE MOV ECX, ESI
004108F6 |. E8 020B0000 CALL MP4Downl.004113FD
004108FB |. 8BDF MOV EBX, EDI
004108FD |. E9 12010000 JMP MP4Downl.00410A14
00410902 |> 83F8 FE CMP EAX, -2
00410905 |. 0F84 FC000000 JE MP4Downl.00410A07 ; processing starts here ....
0041090B |. 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10] ; MP4Downl.00541EFC
0041090E |. 3958 F8 CMP DWORD PTR DS:[EAX-8], EBX
00410911 |.^ 74 DE JE SHORT MP4Downl.004108F1
00410913 |. 50 PUSH EAX
00410914 |. 8D4E 70 LEA ECX, DWORD PTR DS:[ESI+70]
00410917 |. E8 32F7FFFF CALL MP4Downl.0041004E ; parse the data
0041091C |. 85C0 TEST EAX, EAX
0041091E |.^ 75 D1 JNZ SHORT MP4Downl.004108F1
00410920 66:837E 74 02 CMP WORD PTR DS:[ESI+74], 2 ; this is the registration flag, 02
00410925 0F85 D1000000 JNZ MP4Downl.004109FC
0041092B |. 8B46 64 MOV EAX, DWORD PTR DS:[ESI+64]
0041092E |. 83F8 0A CMP EAX, 0A
00410931 |. 74 0A JE SHORT MP4Downl.0041093D
```
Format of the decrypted data: UNICODE "\nA0004\[email protected]\nZHUCEMA"
```
00410995 |. 52 PUSH EDX
00410996 |. 50 PUSH EAX
00410997 |. 51 PUSH ECX
00410998 |. 8BCE MOV ECX, ESI
0041099A |. E8 30010000 CALL MP4Downl.00410ACF ; verifies the registration code here; patching this algorithm CALL out also works ...
0041099F |. 85C0 TEST EAX, EAX
004109A1 |. 75 32 JNZ SHORT MP4Downl.004109D5
```
In other words, if we change the data to "\n00002\[email protected]\nZHUCEMA", then encrypt it and save it to the registry, that is basically it.
Modifying the data at these spots works; there is one more copy of the data later on, and modifying it there works too.
If you patch it instead, the spot can be located by its signature bytes, so a single patch works across versions.
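As an added example (my own code, not part of the original post and not the program's own routine), here is a small Python parser and builder for the decoded layout shown above: a UTF-16LE string of newline-separated fields, as the buffer looks after the program's decode step. The decode routine at 0041118B itself is not documented on this page, so the sample blob is constructed directly in decoded form; the field names (edition, email, code) and the sample values are my assumptions.

```python
"""
Parse / build the decoded registration blob of MP4 Downloader in the
layout the post shows:   UNICODE "\nA0004\n<email>\n<code>"
The program's decode step (CALL 0041118B) is not reproduced here; the
sample below is constructed already decoded.  Field names are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# RegQueryValueExW is called with cbData = 0x1001 (MOV [EBP-4], 1001),
# so anything larger cannot have come out of the program's own buffer.
MAX_BLOB_BYTES = 0x1001


@dataclass
class RegInfo:
    edition: str   # second field, "A0004" in the post's dump (name assumed)
    email: str     # third field
    code: str      # fourth field, the registration code


class RegBlobError(ValueError):
    """Raised when the blob does not match the newline-separated layout."""


def parse_reg_blob(blob: bytes) -> RegInfo:
    """Split a decoded UTF-16LE blob into its three fields."""
    if len(blob) > MAX_BLOB_BYTES:
        raise RegBlobError("blob exceeds the 0x1001-byte read buffer")
    if len(blob) % 2:
        raise RegBlobError("odd length, not a UTF-16LE string")
    text = blob.decode("utf-16-le").rstrip("\x00")
    # The dump starts with a lone newline, so the first split field is empty.
    if not text.startswith("\n"):
        raise RegBlobError("missing leading 0x0A")
    fields = text.split("\n")
    if len(fields) != 4:
        raise RegBlobError(f"expected 4 fields, got {len(fields)}")
    _, edition, email, code = fields
    if not (edition and email and code):
        raise RegBlobError("empty field")
    return RegInfo(edition, email, code)


def parse_or_none(blob: bytes) -> Optional[RegInfo]:
    """Convenience wrapper: None instead of an exception for malformed input."""
    try:
        return parse_reg_blob(blob)
    except (RegBlobError, UnicodeDecodeError):
        return None


def build_reg_blob(edition: str, email: str, code: str) -> bytes:
    """Inverse of parse_reg_blob: the decoded form one would hand to the
    program's encoder before writing it back under the CLSID key."""
    for field in (edition, email, code):
        if "\n" in field or "\x00" in field:
            raise RegBlobError("fields may not contain newline or NUL")
    return ("\n" + "\n".join((edition, email, code))).encode("utf-16-le")


# Constructed sample, mirroring the layout from the post (values are made up).
SAMPLE_BLOB = build_reg_blob("A0004", "[email protected]", "ZHUCEMA")

if __name__ == "__main__":
    print(parse_reg_blob(SAMPLE_BLOB))
    print(SAMPLE_BLOB[:8].hex())
```

The builder is the half that matters for the edit the post describes: produce the modified plaintext, feed it through the program's own encoder, and store the result under the CLSID key; the parser is just a check that what you write back still has the shape the startup code expects.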