好友
阅读权限40
听众
最后登录1970-1-1
|
小糊涂虫
发表于 2010-12-8 13:28
==================================================================================
【软件名称】超级Flv视频转换器1.65
[url=]【下载地址】百度里搜索[/url](http://www.mp4soft.cn)
【所受限制】转换时间只有20%
【加壳保护】无
【软件介绍】下载地址处应该有介绍的!
==================================================================================
【系统平台】WINDOWS XP sp2
【调试工具】OD
【破文作者】小糊涂虫
==================================================================================
一、爆破分析
下载安装后运行,随便输入用户名、注册码,弹出错误提示框,
有了提示框,就好办了,因为无壳嘛,其它限制提示应该也是可以看到的,直接od载入搜索相关提示
来到
004C0AF9 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C0AFC 80B8 B1040000 0>cmp byte ptr ds:[eax+4B1],0
004C0B03 . 74 4D je short flv.004C0B52
004C0B05 . 6A 24 push 24
004C0B07 . 68 040E4C00 push flv.004C0E04 ; 提示
004C0B0C . 68 0C0E4C00 push flv.004C0E0C ; 您现在使用的是试用版,只能转换视频文件的20%,您确定要购买正式版吗?
004C0B11 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C0B14 . E8 B7CDFAFF call flv.0046D8D0
004C0B19 . 50 push eax ; |hOwner
004C0B1A . E8 3167F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004C0B1F . 83F8 06 cmp eax,6
004C0B22 . 75 2E jnz short flv.004C0B52
可以看出这个试用版提示也就是这么一个限制,004C0B03可以跳过这个限制的,改jmp也是可以的,上面那条指令改cmp byte ptr ds:[eax+4B1],1也是可以的,
这样改之后应该是没有限制了,不过还是提示要注册的。现在在把那个要注册的提示也搞掉,也同样搜索字符可以找到:
004C02A2 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C02A5 . 8B80 BC040000 mov eax,dword ptr ds:[eax+4BC]
004C02AB . E8 8844F4FF call flv.00404738
004C02B0 75 0C jnz short flv.004C02BE ?????????????
004C02B2 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C02B5 . C680 B0040000 0>mov byte ptr ds:[eax+4B0],0
004C02BC . EB 31 jmp short flv.004C02EF
004C02BE > 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C02C1 . C680 B0040000 0>mov byte ptr ds:[eax+4B0],1
004C02C8 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
004C02CB . A1 247E4C00 mov eax,dword ptr ds:[4C7E24]
004C02D0 . E8 136EFAFF call flv.004670E8
004C02D5 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
004C02D8 . BA 28084C00 mov edx,flv.004C0828 ; (试用版只能转换源文件20%的时间!)
004C02DD . E8 1243F4FF call flv.004045F4
可以看到比较是否为试用版的提示是由上面004C02B0来的,nop就可以了,现在改好后,保存出来不会有任何要注册的提示了也没有转换限制了。
二、算法分析
在od中搜索的字符可以看到,注册码保存在注册表中software\mp4soft\flvconverter,
004BCC1D . E8 B2FEFFFF call flv.004BCAD4
004BCC22 84C0 test al,al
004BCC24 . 0F84 DB000000 je flv.004BCD05 ?????????????
004BCC2A . 33C0 xor eax,eax
004BCC2C . 55 push ebp
004BCC2D . 68 E9CC4B00 push flv.004BCCE9
004BCC32 . 64:FF30 push dword ptr fs:[eax]
004BCC35 . 64:8920 mov dword ptr fs:[eax],esp
004BCC38 . B2 01 mov dl,1
004BCC3A . A1 E8B34300 mov eax,dword ptr ds:[43B3E8]
004BCC3F . E8 A4E8F7FF call flv.0043B4E8
004BCC44 . 8BD8 mov ebx,eax
004BCC46 . BA 02000080 mov edx,80000002
004BCC4B . 8BC3 mov eax,ebx
004BCC4D . E8 36E9F7FF call flv.0043B588
004BCC52 . B1 01 mov cl,1
004BCC54 . BA 64CD4B00 mov edx,flv.004BCD64 ; software\mp4soft\flvconverter
004BCC59 . 8BC3 mov eax,ebx
004BCC5B . E8 8CE9F7FF call flv.0043B5EC
004BCC60 . 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004BCC63 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BCC66 . 8B80 04030000 mov eax,dword ptr ds:[eax+304]
004BCC6C . E8 77A4FAFF call flv.004670E8
004BCC71 . 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004BCC74 . 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004BCC77 . E8 ECBCF4FF call flv.00408968
004BCC7C . 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
004BCC7F . BA 8CCD4B00 mov edx,flv.004BCD8C ; name
004BCC84 . 8BC3 mov eax,ebx
004BCC86 . E8 FDEAF7FF call flv.0043B788
004BCC8B . 8D55 EC lea edx,dword ptr ss:[ebp-14]
004BCC8E . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BCC91 . 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004BCC97 . E8 4CA4FAFF call flv.004670E8
004BCC9C . 8B45 EC mov eax,dword ptr ss:[ebp-14]
004BCC9F . 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004BCCA2 . E8 C1BCF4FF call flv.00408968
004BCCA7 . 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
004BCCAA . BA 9CCD4B00 mov edx,flv.004BCD9C ; pass
004BCCAF . 8BC3 mov eax,ebx
004BCCB1 . E8 D2EAF7FF call flv.0043B788
004BCCB6 . 8BC3 mov eax,ebx
004BCCB8 . E8 0368F4FF call flv.004034C0
004BCCBD . 6A 40 push 40
004BCCBF . 68 A4CD4B00 push flv.004BCDA4 ; 软件注册
004BCCC4 . 68 B0CD4B00 push flv.004BCDB0 ; 已保存了注册信息!下次启动本程序时将会对你的注册码进行验证,如注册码正确,本程序所有功能限制将被解除,您成为我们正式版本用户!
004BCCC9 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BCCCC . E8 FF0BFBFF call flv.0046D8D0
004BCCD1 . 50 push eax ; |hOwner
004BCCD2 . E8 79A5F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BCCD7 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
在od中调试可以看出,只要004BCC24不跳,就把注册信息写进注册表了;现在把4BCC24 nop掉,填入用户名(www.52pojie.cn)和注册码(111111111)
因为是重启验证的,所重新载入od,来到我们爆破程序地址的段首下断,然后一步步跟,
来到这儿看到:
004C01B4 . 8B45 DC mov eax,dword ptr ss:[ebp-24]
004C01B7 . E8 CCB3F7FF call flv.0043B588
004C01BC . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004C01BF . BA D0074C00 mov edx,flv.004C07D0 ; software\mp4soft\flvconverter
004C01C4 . E8 DF41F4FF call flv.004043A8
004C01C9 . B1 01 mov cl,1
004C01CB . 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004C01CE . 8B45 DC mov eax,dword ptr ss:[ebp-24]
004C01D1 . E8 16B4F7FF call flv.0043B5EC
004C01D6 84C0 test al,al
004C01D8 . 0F84 84000000 je flv.004C0262
004C01DE . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004C01E1 . BA F8074C00 mov edx,flv.004C07F8 ; name
在取用户名和注册码,继续跟,
004C0287 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004C028A . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C028D . 8B90 B8040000 mov edx,dword ptr ds:[eax+4B8]
004C0293 . A1 645B4C00 mov eax,dword ptr ds:[4C5B64]
004C0298 . 8B00 mov eax,dword ptr ds:[eax]
004C029A . E8 81C5FFFF call flv.004BC820 ; 走过这个call时出现注册码
004C029F . 8B55 B4 mov edx,dword ptr ss:[ebp-4C]
004C02A2 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C02A5 . 8B80 BC040000 mov eax,dword ptr ds:[eax+4BC]
4C029A是个算法call跟进来到:
.................
004BC863 |. 85F6 test esi,esi
004BC865 |. 7E 26 jle short flv.004BC88D
004BC867 |. BB 01000000 mov ebx,1
004BC86C |> 8D4D EC /lea ecx,dword ptr ss:[ebp-14]
004BC86F |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004BC872 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1]
004BC877 |. 33D2 |xor edx,edx
004BC879 |. E8 66C4F4FF |call flv.00408CE4
004BC87E |. 8B55 EC |mov edx,dword ptr ss:[ebp-14]
004BC881 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
004BC884 |. E8 6B7DF4FF |call flv.004045F4
004BC889 |. 43 |inc ebx
004BC88A |. 4E |dec esi
004BC88B |.^ 75 DF \jnz short flv.004BC86C
004BC88D |> 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 用户名转16进制
上面这段是将用户名转换成16进制 , (ASCII "7777772E3532706F6A69652E636E")
然后在往下跟来到下面一处算法:
004BC899 |. /7E 2C jle short flv.004BC8C7
004BC89B |. |BB 01000000 mov ebx,1
004BC8A0 |> |8B45 F8 /mov eax,dword ptr ss:[ebp-8]
004BC8A3 |. |E8 447DF4FF |call flv.004045EC
004BC8A8 |. |2BC3 |sub eax,ebx
004BC8AA |. |8B55 F8 |mov edx,dword ptr ss:[ebp-8]
004BC8AD |. |8A1402 |mov dl,byte ptr ds:[edx+eax]
004BC8B0 |. |8D45 E8 |lea eax,dword ptr ss:[ebp-18]
004BC8B3 |. |E8 407CF4FF |call flv.004044F8
004BC8B8 |. |8B55 E8 |mov edx,dword ptr ss:[ebp-18]
004BC8BB |. |8D45 F4 |lea eax,dword ptr ss:[ebp-C]
004BC8BE |. |E8 317DF4FF |call flv.004045F4
004BC8C3 |. |43 |inc ebx
004BC8C4 |. |4E |dec esi
004BC8C5 |.^|75 D9 \jnz short flv.004BC8A0 ;
004BC8C7 |> \8D45 F8 lea eax,dword ptr ss:[ebp-8]
这是就是把用户名的16进制取反的过程: (ASCII "E636E25696A6F6072353E2777777")
在往下跟,
004BC8E0 |. 50 push eax
004BC8E1 |. B9 04000000 mov ecx,4
004BC8E6 |. BA 05000000 mov edx,5
004BC8EB |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ;取16进制前4位.
004BC8EE |. E8 597FF4FF call flv.0040484C ;
004BC8F3 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004BC8F6 |. E8 F17CF4FF call flv.004045EC
004BC8FB |. 83F8 04 cmp eax,4
004BC8FE |. 7D 2F jge short flv.004BC92F
.....................
004BC92A |. 83FB 04 |cmp ebx,4
004BC92D |.^ 75 E0 \jnz short flv.004BC90F
004BC92F |> 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 取第5-8位
004BC932 |. E8 B57CF4FF call flv.004045EC
004BC937 |. 83F8 04 cmp eax,4
......................
004BC96B |> \8D45 F0 lea eax,dword ptr ss:[ebp-10] ; 固定字符
004BC96E |. BA F8C94B00 mov edx,flv.004BC9F8 ; flv67u986e
004BC973 |. E8 307AF4FF call flv.004043A8
004BC978 |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
004BC97B |. 50 push eax
004BC97C |. B9 04000000 mov ecx,4
004BC981 |. BA 01000000 mov edx,1
004BC986 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004BC989 |. E8 BE7EF4FF call flv.0040484C
004BC98E |. FF75 DC push dword ptr ss:[ebp-24]
004BC991 |. 68 0CCA4B00 push flv.004BCA0C ; -
004BC996 |. FF75 F8 push dword ptr ss:[ebp-8]
004BC999 |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004BC99C |. 50 push eax
004BC99D |. B9 05000000 mov ecx,5
004BC9A2 |. BA 05000000 mov edx,5
004BC9A7 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004BC9AA |. E8 9D7EF4FF call flv.0040484C
004BC9AF |. FF75 D8 push dword ptr ss:[ebp-28]
004BC9B2 |. 68 0CCA4B00 push flv.004BCA0C ; -
004BC9B7 |. FF75 F4 push dword ptr ss:[ebp-C]
004BC9BA |. 8BC7 mov eax,edi
004BC9BC |. BA 06000000 mov edx,6
004BC9C1 |. E8 E67CF4FF call flv.004046AC
004BC9C6 |. 33C0 xor eax,eax
004BC9C8 |. 5A pop edx
现在可以很明显看出算法了:
1.将用户名转为16进制
2.用户名16进制取反
3.固定字符flv67u986e
4.按一定的顺序连接起来就是注册码。flv6-前四位7u986-第5到8位
用户名:www.52pojie.cn
注册码flv6-E6367u986-E256
其实破解这个是很简单的,有什么限制就爆什么限制,关键是要破解的思路清晰。
ps:本文只适合新手看的,高手就别看了。 |
免费评分
-
| 参与人数 4 | 威望 +1 |
热心值 +4 |
收起
理由
|
 cwq
| |
+ 1 |
还是只能转换百分之20啊,希望楼主完善下啊! |
 CHHSun
| + 1 |
+ 1 |
感谢发布原创作品,[吾爱破解]因你更精彩! |
 tanhua
| |
+ 1 |
思路清晰 很好 适合菜鸟入门 |
 老道
| |
+ 1 |
经典! |
查看全部评分
|
[复制链接]
发表于 2010-12-8 21:46
