牛刀小试—破解屏幕录像专家生成的exe视频文件 part2
接上篇牛刀小试—破解屏幕录像专家生成的exe视频文件 part1上次说了。软件的注册码没办法算出来。
主要是他把密码分成了几份。视频文件一边播放,一边用注册码来解密。看来做出注册机是没什么希望了
。也可能是我没这个能力。如果有做出来了的。别笑话我。好言归正传,断续来破解它。
经过跟踪发现,机器码分为两段。前面是读取硬盘序列号,后半部份是读取网卡的mac地址来加密得来的
。
用OD载入程序
在命令行下bp CreateFileA断点
第一次断在
0012F4F4 0047F221 /CALL 到 CreateFileA 来自 大水牛鼠.0047F21C
0012F4F8 00A569E8 |FileName = "D:\TEMP\",B4,"笏J蟊闬",B4,"笏J蟊?.exe"
0012F4FC 80000000 |Access = GENERIC_READ
0012F500 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012F504 0012F520 |pSecurity = 0012F520
0012F508 00000003 |Mode = OPEN_EXISTING
0012F50C 00000020 |Attributes = ARCHIVE
0012F510 00000000 \hTemplateFile = NULL
第二次断在
0012E9B0 0040E127 /CALL 到 CreateFileA 来自 大水牛鼠.0040E122
0012E9B4 0012EC24 |FileName = "\\.\PhysicalDrive0"
0012E9B8 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012E9BC 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012E9C0 00000000 |pSecurity = NULL
0012E9C4 00000003 |Mode = OPEN_EXISTING
0012E9C8 00000000 |Attributes = 0
0012E9CC 00000000 \hTemplateFile = NULL
从这里返回 0040E127
0040E0D8 /$ 55 push ebp
0040E0D9 |. 8BEC mov ebp, esp
0040E0DB |. 81C4 64FDFFFF add esp, -29C
0040E0E1 |. 53 push ebx
0040E0E2 |. 56 push esi
0040E0E3 |. 57 push edi
0040E0E4 |. 8B7D 0C mov edi, dword ptr [ebp+C]
0040E0E7 |. 6A 18 push 18 ; /Arg3 = 00000018
0040E0E9 |. 6A 00 push 0 ; |Arg2 = 00000000
0040E0EB |. 8D45 94 lea eax, dword ptr [ebp-6C] ; |
0040E0EE |. 50 push eax ; |Arg1
0040E0EF |. E8 D0FA0600 call 0047DBC4 ; \大水牛鼠.0047DBC4
0040E0F4 |. 83C4 0C add esp, 0C
0040E0F7 |. 33DB xor ebx, ebx
0040E0F9 |> 33C0 /xor eax, eax
0040E0FB |. 8D55 AC |lea edx, dword ptr [ebp-54]
0040E0FE |. 8AC3 |mov al, bl
0040E100 |. 50 |push eax ; /Arg3
0040E101 |. 68 001E4A00 |push 004A1E00 ; |Arg2 = 004A1E00
ASCII "\\.\PhysicalDrive%d"
0040E106 |. 52 |push edx ; |Arg1
0040E107 |. E8 28320700 |call 00481334 ; \大水牛鼠.00481334
0040E10C |. 83C4 0C |add esp, 0C
0040E10F |. 8D4D AC |lea ecx, dword ptr [ebp-54]
0040E112 |. 6A 00 |push 0 ; /hTemplateFile = NULL
0040E114 |. 6A 00 |push 0 ; |Attributes = 0
0040E116 |. 6A 03 |push 3 ; |Mode = OPEN_EXISTING
0040E118 |. 6A 00 |push 0 ; |pSecurity = NULL
0040E11A |. 6A 03 |push 3 ; |ShareMode =
FILE_SHARE_READ|FILE_SHARE_WRITE
0040E11C |. 68 000000C0 |push C0000000 ; |Access =
GENERIC_READ|GENERIC_WRITE
0040E121 |. 51 |push ecx ; |FileName
0040E122 |. E8 25220900 |call <jmp.&KERNEL32.CreateFileA> ; \CreateFileA
CreateFile返回到这里。
0040E127 |. 8BF0 |mov esi, eax
0040E129 |. 85F6 |test esi, esi
0040E12B |. 0F84 4B010000 |je 0040E27C
0040E131 |. 6A 00 |push 0 ; /pOverlapped = NULL
0040E133 |. 8D45 FC |lea eax, dword ptr [ebp-4] ; |
0040E136 |. 50 |push eax ; |pBytesReturned
0040E137 |. 6A 18 |push 18 ; |OutBufferSize = 18
(24.)
0040E139 |. 8D55 94 |lea edx, dword ptr [ebp-6C] ; |
0040E13C |. 52 |push edx ; |OutBuffer
0040E13D |. 6A 00 |push 0 ; |InBufferSize = 0
0040E13F |. 6A 00 |push 0 ; |InBuffer = NULL
0040E141 |. 68 80400700 |push 74080 ; |IoControlCode =
SMART_GET_VERSION
0040E146 |. 56 |push esi ; |hDevice
0040E147 |. E8 24220900 |call <jmp.&KERNEL32.DeviceIoControl> ; \DeviceIoControl
调用DeviceIoControl取SMART_GET_VERSION 版本号
0040E14C |. 85C0 |test eax, eax
0040E14E |. 75 23 |jnz short 0040E173
0040E150 |. 56 |push esi ; /hObject
0040E151 |. E8 DE210900 |call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0040E156 |. 8B4D 08 |mov ecx, dword ptr [ebp+8]
0040E159 |. 51 |push ecx
0040E15A |. E8 AD010000 |call 0040E30C
0040E15F |. 59 |pop ecx
0040E160 |. 3C 01 |cmp al, 1
0040E162 |. 75 07 |jnz short 0040E16B
0040E164 |. 33C0 |xor eax, eax
0040E166 |. E9 1D010000 |jmp 0040E288
0040E16B |> 83C8 FF |or eax, FFFFFFFF
0040E16E |. E9 15010000 |jmp 0040E288
0040E173 |> F645 98 01 |test byte ptr [ebp-68], 1
0040E177 |. 75 0B |jnz short 0040E184
0040E179 |. 56 |push esi ; /hObject
0040E17A |. E8 B5210900 |call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0040E17F |. E9 F8000000 |jmp 0040E27C
0040E184 |> 6A 20 |push 20 ; /Arg3 = 00000020
0040E186 |. 6A 00 |push 0 ; |Arg2 = 00000000
0040E188 |. 8D95 74FFFFFF |lea edx, dword ptr [ebp-8C] ; |
0040E18E |. 52 |push edx ; |Arg1
0040E18F |. E8 30FA0600 |call 0047DBC4 ; \大水牛鼠.0047DBC4
0040E194 |. 83C4 0C |add esp, 0C
0040E197 |. 8D8D 64FDFFFF |lea ecx, dword ptr [ebp-29C]
0040E19D |. 68 10020000 |push 210 ; /Arg3 = 00000210
0040E1A2 |. 6A 00 |push 0 ; |Arg2 = 00000000
0040E1A4 |. 51 |push ecx ; |Arg1
0040E1A5 |. E8 1AFA0600 |call 0047DBC4 ; \大水牛鼠.0047DBC4
0040E1AA |. 83C4 0C |add esp, 0C
0040E1AD |. F6C3 01 |test bl, 1
0040E1B0 |. 74 09 |je short 0040E1BB
0040E1B2 |. C685 7DFFFFFF>|mov byte ptr [ebp-83], 0B0
0040E1B9 |. EB 07 |jmp short 0040E1C2
0040E1BB |> C685 7DFFFFFF>|mov byte ptr [ebp-83], 0A0
0040E1C2 |> 8BCB |mov ecx, ebx
0040E1C4 |. B8 10000000 |mov eax, 10
0040E1C9 |. D3F8 |sar eax, cl
0040E1CB |. 2345 98 |and eax, dword ptr [ebp-68]
0040E1CE |. 74 0B |je short 0040E1DB
0040E1D0 |. 56 |push esi ; /hObject
0040E1D1 |. E8 5E210900 |call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0040E1D6 |. E9 A1000000 |jmp 0040E27C
0040E1DB |> C685 7EFFFFFF>|mov byte ptr [ebp-82], 0EC
0040E1E2 |. 885D 80 |mov byte ptr [ebp-80], bl
0040E1E5 |. 8D55 FC |lea edx, dword ptr [ebp-4]
0040E1E8 |. C685 79FFFFFF>|mov byte ptr [ebp-87], 1
0040E1EF |. C685 7AFFFFFF>|mov byte ptr [ebp-86], 1
0040E1F6 |. C785 74FFFFFF>|mov dword ptr [ebp-8C], 200
0040E200 |. 6A 00 |push 0 ; /pOverlapped = NULL
0040E202 |. 52 |push edx ; |pBytesReturned
0040E203 |. 8D85 64FDFFFF |lea eax, dword ptr [ebp-29C] ; |
0040E209 |. 68 10020000 |push 210 ; |OutBufferSize = 210
(528.)
0040E20E |. 50 |push eax ; |OutBuffer
0040E20F |. 8D95 74FFFFFF |lea edx, dword ptr [ebp-8C] ; |
0040E215 |. 6A 20 |push 20 ; |InBufferSize = 20
(32.)
0040E217 |. 52 |push edx ; |InBuffer
0040E218 |. 68 88C00700 |push 7C088 ; |IoControlCode =
SMART_RCV_DRIVE_DATA
0040E21D |. 56 |push esi ; |hDevice
0040E21E |. E8 4D210900 |call <jmp.&KERNEL32.DeviceIoControl> ; \DeviceIoControl
F4到此处
调用DeviceIoControl取SMART_RCV_DRIVE_DATA 硬盘序列号
堆栈内容 0012E9DC为保存数据的地址
0012E9B0 000000C4 |hDevice = 000000C4 (window)
0012E9B4 0007C088 |IoControlCode = SMART_RCV_DRIVE_DATA
0012E9B8 0012EBEC |InBuffer = 0012EBEC
0012E9BC 00000020 |InBufferSize = 20 (32.)
0012E9C0 0012E9DC |OutBuffer = 0012E9DC
0012E9C4 00000210 |OutBufferSize = 210 (528.)
0012E9C8 0012EC74 |pBytesReturned = 0012EC74
0012E9CC 00000000 \pOverlapped = NULL
0040E223 |. 85C0 |test eax, eax
0040E225 |. 75 0A |jnz short 0040E231
0040E227 |. 56 |push esi ; /hObject
0040E228 |. E8 07210900 |call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0040E22D |. 33C0 |xor eax, eax
0040E22F |. EB 57 |jmp short 0040E288
0040E231 |> 8D9D 74FDFFFF |lea ebx, dword ptr [ebp-28C]
0040E237 |. 6A 15 |push 15 ; /Arg3 = 00000015
0040E239 |. 6A 00 |push 0 ; |Arg2 = 00000000
0040E23B |. 57 |push edi ; |Arg1
0040E23C |. E8 83F90600 |call 0047DBC4 ; \大水牛鼠.0047DBC4
0040E241 |. 83C4 0C |add esp, 0C
0040E244 |. 83C3 14 |add ebx, 14
0040E247 |. 6A 14 |push 14 ; /Arg3 = 00000014
0040E249 |. 53 |push ebx ; |Arg2
0040E24A |. 57 |push edi ; |Arg1
0040E24B |. E8 04F90600 |call 0047DB54 ; \大水牛鼠.0047DB54
0040E250 |. 83C4 0C |add esp, 0C
0040E253 |. C647 14 00 |mov byte ptr [edi+14], 0
0040E257 |. 6A 14 |push 14 ; /Arg3 = 00000014
0040E259 |. 57 |push edi ; |Arg2
0040E25A |. 8B45 08 |mov eax, dword ptr [ebp+8] ; |
0040E25D |. 50 |push eax ; |Arg1
0040E25E |. E8 7D000000 |call 0040E2E0 ; \大水牛鼠.0040E2E0
0040E263 |. 83C4 0C |add esp, 0C
0040E266 |. 56 |push esi ; /hObject
0040E267 |. E8 C8200900 |call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0040E26C |. 803F 00 |cmp byte ptr [edi], 0
0040E26F |. 75 04 |jnz short 0040E275
0040E271 |. 33C0 |xor eax, eax
0040E273 |. EB 13 |jmp short 0040E288
0040E275 |> B8 01000000 |mov eax, 1
0040E27A |. EB 0C |jmp short 0040E288
0040E27C |> 43 |inc ebx
0040E27D |. 80FB 04 |cmp bl, 4
0040E280 |.^ 0F82 73FEFFFF \jb 0040E0F9
0040E286 |. 33C0 xor eax, eax
0040E288 |> 5F pop edi
0040E289 |. 5E pop esi
0040E28A |. 5B pop ebx
0040E28B |. 8BE5 mov esp, ebp
0040E28D |. 5D pop ebp
0040E28E \. C3 retn
F4到0040E28E F8返回 看堆栈。
0012EC80 00A524B4
0012EC84 0012F13C ASCII "Y29GCFWC " 硬盘序列号注意里面带空格 在后面计算机器码
的时候也有空格
0012EC88 00A524B4
0012EC8C 00000094
0012EC90 00000005
按F12返回0040A9D5 |. 83C4 08 add esp, 8
0040A96C /$ 55 push ebp
0040A96D |. 8BEC mov ebp, esp
0040A96F |. 81C4 CCF7FFFF add esp, -834
0040A975 |. B8 DC334A00 mov eax, 004A33DC
0040A97A |. 53 push ebx
0040A97B |. 56 push esi
0040A97C |. 57 push edi
0040A97D |. 8B75 0C mov esi, dword ptr [ebp+C]
0040A980 |. E8 73360700 call 0047DFF8
0040A985 |. 68 00040000 push 400 ; /Arg3 = 00000400
0040A98A |. 6A 00 push 0 ; |Arg2 = 00000000
0040A98C |. 8D95 CCFBFFFF lea edx, dword ptr [ebp-434] ; |
0040A992 |. 52 push edx ; |Arg1
0040A993 |. E8 2C320700 call 0047DBC4 ; \大水牛鼠.0047DBC4
0040A998 |. 83C4 0C add esp, 0C
0040A99B |. 8D8D CCF7FFFF lea ecx, dword ptr [ebp-834]
0040A9A1 |. 68 00040000 push 400 ; /Arg3 = 00000400
0040A9A6 |. 6A 00 push 0 ; |Arg2 = 00000000
0040A9A8 |. 51 push ecx ; |Arg1
0040A9A9 |. E8 16320700 call 0047DBC4 ; \大水牛鼠.0047DBC4
0040A9AE |. 83C4 0C add esp, 0C
0040A9B1 |. C786 88160000>mov dword ptr [esi+1688], -1
0040A9BB |. 80BE BD040000>cmp byte ptr [esi+4BD], 1
0040A9C2 |. 0F85 FA000000 jnz 0040AAC2
0040A9C8 |. 8D85 CCFBFFFF lea eax, dword ptr [ebp-434]
0040A9CE |. 50 push eax ; /Arg2
0040A9CF |. 56 push esi ; |Arg1
0040A9D0 |. E8 0B2F0000 call 0040D8E0 ; \大水牛鼠.0040D8E0
0040A9D5 |. 83C4 08 add esp, 8
0040A9D8 |. 83F8 FF cmp eax, -1 ; Switch (cases
0..FFFFFFFF)
0040A9DB |. 75 53 jnz short 0040AA30
0040A9DD |. 66:C745 E0 08>mov word ptr [ebp-20], 8 ; Case FFFFFFFF of
switch 0040A9D8
0040A9E3 |. BA 3E1D4A00 mov edx, 004A1D3E
0040A9E8 |. 8D45 FC lea eax, dword ptr [ebp-4]
0040A9EB |. E8 64120800 call 0048BC54
0040A9F0 |. FF45 EC inc dword ptr [ebp-14]
0040A9F3 |. 8D55 FC lea edx, dword ptr [ebp-4]
0040A9F6 |. 8B45 08 mov eax, dword ptr [ebp+8]
0040A9F9 |. E8 3E130800 call 0048BD3C
0040A9FE |. 8B45 08 mov eax, dword ptr [ebp+8]
0040AA01 |. BA 02000000 mov edx, 2
0040AA06 |. 66:C745 E0 14>mov word ptr [ebp-20], 14
0040AA0C |. 50 push eax
0040AA0D |. 8D45 FC lea eax, dword ptr [ebp-4]
0040AA10 |. FF4D EC dec dword ptr [ebp-14]
0040AA13 |. E8 F4120800 call 0048BD0C
0040AA18 |. 58 pop eax
0040AA19 |. 66:C745 E0 08>mov word ptr [ebp-20], 8
0040AA1F |. FF45 EC inc dword ptr [ebp-14]
0040AA22 |. 8B55 D0 mov edx, dword ptr [ebp-30]
0040AA25 |. 64:67:8916 00>mov dword ptr fs:[0], edx
0040AA2B |. E9 D8010000 jmp 0040AC08
0040AA30 |> 83F8 FE cmp eax, -2
0040AA33 |. 75 53 jnz short 0040AA88
0040AA35 |. 66:C745 E0 20>mov word ptr [ebp-20], 20 ; Case FFFFFFFE of
switch 0040A9D8
0040AA3B |. BA 511D4A00 mov edx, 004A1D51
0040AA40 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0040AA43 |. E8 0C120800 call 0048BC54
0040AA48 |. FF45 EC inc dword ptr [ebp-14]
0040AA4B |. 8D55 F8 lea edx, dword ptr [ebp-8]
0040AA4E |. 8B45 08 mov eax, dword ptr [ebp+8]
0040AA51 |. E8 E6120800 call 0048BD3C
0040AA56 |. 8B45 08 mov eax, dword ptr [ebp+8]
0040AA59 |. BA 02000000 mov edx, 2
0040AA5E |. 66:C745 E0 2C>mov word ptr [ebp-20], 2C
0040AA64 |. 50 push eax
0040AA65 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0040AA68 |. FF4D EC dec dword ptr [ebp-14]
0040AA6B |. E8 9C120800 call 0048BD0C
0040AA70 |. 58 pop eax
0040AA71 |. 66:C745 E0 20>mov word ptr [ebp-20], 20
0040AA77 |. FF45 EC inc dword ptr [ebp-14]
0040AA7A |. 8B55 D0 mov edx, dword ptr [ebp-30]
0040AA7D |. 64:67:8916 00>mov dword ptr fs:[0], edx
0040AA83 |. E9 80010000 jmp 0040AC08
0040AA88 |> 85C0 test eax, eax
0040AA8A |. 75 09 jnz short 0040AA95
0040AA8C |. C686 BD040000>mov byte ptr [esi+4BD], 0 ; Case 0 of switch
0040A9D8
0040AA93 |. EB 2D jmp short 0040AAC2
单步跟踪到此处
0040AA95 |> 33C9 xor ecx, ecx ; Default case of
switch 0040A9D8
0040AA97 |. 8D9D CCFBFFFF lea ebx, dword ptr [ebp-434] 取注册码的内存地址到ebx
0040AA9D |> 0FBE03 /movsx eax, byte ptr [ebx] 读取数据到eax
0040AAA0 |. F7E9 |imul ecx eax=eax*ecx
0040AAA2 |. 99 |cdq 扩展为64位为除法做准备
0040AAA3 |. BF 09000000 |mov edi, 9 edi=9
0040AAA8 |. 41 |inc ecx ecx+1
0040AAA9 |. F7FF |idiv edi 除法运算
0040AAAB |. 8BC2 |mov eax, edx 取余数到eax
0040AAAD |. 83C0 30 |add eax, 30 eax+30
0040AAB0 |. 8803 |mov byte ptr [ebx], al 保存数据
0040AAB2 |. 43 |inc ebx
0040AAB3 |. C786 88160000>|mov dword ptr [esi+1688], 64
0040AABD |. 83F9 14 |cmp ecx, 14
0040AAC0 |.^ 7C DB \jl short 0040AA9D
经过这段代码计算后,Y29GCFWC 硬盘序列号变成了
0012F13C 30 35 36 36 37 38 30 31 34 30 35 31 36 32 37 33 0566780140516273
0012F14C 38 34 30 35 8405
0040AAC2 |> 80BE BD040000>cmp byte ptr [esi+4BD], 0
0040AAC9 |. 0F85 D8000000 jnz 0040ABA7
0040AACF |. 8D95 CCF7FFFF lea edx, dword ptr [ebp-834]
0040AAD5 |. 68 00040000 push 400 ; /pFileSystemNameSize
= 00000400
0040AADA |. 52 push edx ;
|pFileSystemNameBuffer
0040AADB |. 6A 00 push 0 ; |pFileSystemFlags =
NULL
0040AADD |. 8D4D CC lea ecx, dword ptr [ebp-34] ; |
0040AAE0 |. 6A 00 push 0 ; |pMaxFilenameLength =
NULL
0040AAE2 |. 51 push ecx ; |pVolumeSerialNumber
0040AAE3 |. 8D85 CCFBFFFF lea eax, dword ptr [ebp-434] ; |
0040AAE9 |. 68 00040000 push 400 ; |MaxVolumeNameSize =
400 (1024.)
0040AAEE |. 50 push eax ; |VolumeNameBuffer
0040AAEF |. 68 5C1D4A00 push 004A1D5C ; |RootPathName = "c:/"
0040AAF4 |. E8 73590900 call <jmp.&KERNEL32.GetVolumeInformat>;
\GetVolumeInformationA
0040AAF9 |. C786 88160000>mov dword ptr [esi+1688], 64
0040AB03 |. 8B45 CC mov eax, dword ptr [ebp-34]
0040AB06 |. 33D2 xor edx, edx
0040AB08 |. B9 2C000000 mov ecx, 2C
0040AB0D |. F7F1 div ecx
0040AB0F |. 8B45 CC mov eax, dword ptr [ebp-34]
0040AB12 |. 8D8D CCFBFFFF lea ecx, dword ptr [ebp-434]
0040AB18 |. D1E8 shr eax, 1
0040AB1A |. 03D0 add edx, eax
0040AB1C |. 81C2 4654BC00 add edx, 0BC5446
0040AB22 |. 8955 CC mov dword ptr [ebp-34], edx
0040AB25 |. 8B55 CC mov edx, dword ptr [ebp-34]
0040AB28 |. 52 push edx ; /Arg3
0040AB29 |. 68 601D4A00 push 004A1D60 ; |Arg2 = 004A1D60
ASCII "%u"
0040AB2E |. 51 push ecx ; |Arg1
0040AB2F |. E8 00680700 call 00481334 ; \大水牛鼠.00481334
0040AB34 |. 83C4 0C add esp, 0C
0040AB37 |. 8D85 CCFBFFFF lea eax, dword ptr [ebp-434]
0040AB3D |. 50 push eax
0040AB3E |. E8 B5310700 call 0047DCF8
0040AB43 |. 59 pop ecx
0040AB44 |. 83F8 03 cmp eax, 3
0040AB47 |. 7C 18 jl short 0040AB61
0040AB49 |. 8A95 CEFBFFFF mov dl, byte ptr [ebp-432]
0040AB4F |. 8A8D CCFBFFFF mov cl, byte ptr [ebp-434]
0040AB55 |. 888D CEFBFFFF mov byte ptr [ebp-432], cl
0040AB5B |. 8895 CCFBFFFF mov byte ptr [ebp-434], dl
0040AB61 |> 8BC8 mov ecx, eax
0040AB63 |. 8D9C0D CCFBFF>lea ebx, dword ptr [ebp+ecx-434]
0040AB6A |. 83F9 11 cmp ecx, 11
0040AB6D |. 7D 1C jge short 0040AB8B
0040AB6F |> 8B45 CC /mov eax, dword ptr [ebp-34]
0040AB72 |. 33D2 |xor edx, edx
0040AB74 |. F7F1 |div ecx
0040AB76 |. 33D2 |xor edx, edx
0040AB78 |. BE 0A000000 |mov esi, 0A
0040AB7D |. F7F6 |div esi
0040AB7F |. 80C2 30 |add dl, 30
0040AB82 |. 41 |inc ecx
0040AB83 |. 8813 |mov byte ptr [ebx], dl
0040AB85 |. 43 |inc ebx
0040AB86 |. 83F9 11 |cmp ecx, 11
0040AB89 |.^ 7C E4 \jl short 0040AB6F
0040AB8B |> C685 DDFBFFFF>mov byte ptr [ebp-423], 39
0040AB92 |. C685 DEFBFFFF>mov byte ptr [ebp-422], 39
0040AB99 |. C685 DFFBFFFF>mov byte ptr [ebp-421], 39
0040ABA0 |. C685 E0FBFFFF>mov byte ptr [ebp-420], 0
0040ABA7 |> 0FBE85 CCFBFF>movsx eax, byte ptr [ebp-434]
0040ABAE |. 83F8 30 cmp eax, 30
0040ABB1 |. 75 07 jnz short 0040ABBA
继续单步跟踪到此处[ebp-434]=0012F13C
0040ABB3 |. C685 CCFBFFFF>mov byte ptr [ebp-434], 39
将计算过的机器码第一位改为9
0040ABBA |> 66:C745 E0 38>mov word ptr [ebp-20], 38
0040ABC0 |. 8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
0040ABC6 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040ABC9 |. E8 86100800 call 0048BC54
0040ABCE |. 8BD0 mov edx, eax
0040ABD0 |. FF45 EC inc dword ptr [ebp-14]
0040ABD3 |. 8B45 08 mov eax, dword ptr [ebp+8]
0040ABD6 |. E8 61110800 call 0048BD3C
0040ABDB |. 8B45 08 mov eax, dword ptr [ebp+8]
0040ABDE |. BA 02000000 mov edx, 2
0040ABE3 |. 66:C745 E0 44>mov word ptr [ebp-20], 44
0040ABE9 |. 50 push eax
0040ABEA |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040ABED |. FF4D EC dec dword ptr [ebp-14]
0040ABF0 |. E8 17110800 call 0048BD0C
0040ABF5 |. 58 pop eax
0040ABF6 |. 66:C745 E0 38>mov word ptr [ebp-20], 38
0040ABFC |. FF45 EC inc dword ptr [ebp-14]
0040ABFF |. 8B55 D0 mov edx, dword ptr [ebp-30]
0040AC02 |. 64:67:8916 00>mov dword ptr fs:[0], edx
0040AC08 |> 5F pop edi
0040AC09 |. 5E pop esi
0040AC0A |. 5B pop ebx
0040AC0B |. 8BE5 mov esp, ebp
0040AC0D |. 5D pop ebp
0040AC0E \. C3 retn
注册窗口显示的注册码为956678014051627384056293092011
刚才计算完的数据为95667801405162738405这是机器码的前半部份
接着看后半部份。6293092011这是从哪里算来的呢。我前面说过是读网卡的mac地址
程序是怎么读网卡的地址呢。我们用OD加载程序。下个CoInitialize断点,不要问我为什么要下这个断点
。问我也不说。
769D85D3 > 8BFF mov edi, edi
769D85D5 55 push ebp
769D85D6 8BEC mov ebp, esp
769D85D8 6A 02 push 2
769D85DA FF75 08 push dword ptr [ebp+8]
769D85DD E8 11BDFCFF call CoInitializeEx
769D85E2 5D pop ebp
769D85E3 C2 0400 retn 4
第一次断下按F9
第二次断下的时候,看堆栈。
0012F4E4 00401DFC 返回到 大水牛鼠.00401DFC 来自 <jmp.&OLE32.CoInitialize>
0012F4E8 00000000
0012F4EC 00A52952
0012F4F0 00A5293D ASCII "95667801405162738405"
看到了什么呢。用硬盘序列号算出来的前半部份机器码
我们按F12返回
00401DFC . 6A 00 push 0
00401DFE . 6A 00 push 0
00401E00 . 6A 00 push 0
00401E02 . 6A 03 push 3
00401E04 . 6A 04 push 4
00401E06 . 6A 00 push 0
00401E08 . 6A 00 push 0
00401E0A . 6A FF push -1
00401E0C . 6A 00 push 0
00401E0E . E8 0DEE0900 call <jmp.&OLE32.CoInitializeSecurity>
00401E13 . 85C0 test eax, eax
00401E15 . 74 60 je short 00401E77
00401E17 . 66:C745 C0 2C>mov word ptr [ebp-40], 2C
00401E1D . BA 841A4A00 mov edx, 004A1A84 ; ASCII
"0000000000"
00401E22 . 8D45 F8 lea eax, dword ptr [ebp-8]
00401E25 . E8 2A9E0800 call 0048BC54
00401E2A . FF45 CC inc dword ptr [ebp-34]
00401E2D . 8D55 F8 lea edx, dword ptr [ebp-8]
00401E30 . 8B45 08 mov eax, dword ptr [ebp+8]
00401E33 . E8 049F0800 call 0048BD3C
00401E38 . 8B45 08 mov eax, dword ptr [ebp+8]
00401E3B . BA 02000000 mov edx, 2
00401E40 . 66:C745 C0 38>mov word ptr [ebp-40], 38
00401E46 . 50 push eax
00401E47 . 8D45 F8 lea eax, dword ptr [ebp-8]
00401E4A . FF4D CC dec dword ptr [ebp-34]
00401E4D . E8 BA9E0800 call 0048BD0C
00401E52 . FF4D CC dec dword ptr [ebp-34]
00401E55 . 8D45 FC lea eax, dword ptr [ebp-4]
00401E58 . BA 02000000 mov edx, 2
00401E5D . E8 AA9E0800 call 0048BD0C
00401E62 . 58 pop eax
00401E63 . 66:C745 C0 20>mov word ptr [ebp-40], 20
00401E69 . 8B55 B0 mov edx, dword ptr [ebp-50]
00401E6C . 64:67:8916 00>mov dword ptr fs:[0], edx
00401E72 . E9 38030000 jmp 004021AF
00401E77 > B2 01 mov dl, 1
00401E79 . A1 D47B4600 mov eax, dword ptr [467BD4]
00401E7E . E8 BD720000 call 00409140
00401E83 . 8945 AC mov dword ptr [ebp-54], eax
00401E86 . 8B4D AC mov ecx, dword ptr [ebp-54]
00401E89 . 51 push ecx ; /Arg1
00401E8A . E8 89FAFFFF call 00401918 ; \大水牛
鼠.00401918
00401E8F . 59 pop ecx
00401E90 . 8B45 AC mov eax, dword ptr [ebp-54]
00401E93 . 8B10 mov edx, dword ptr [eax]
00401E95 . FF52 14 call dword ptr [edx+14]
00401E98 . 85C0 test eax, eax
00401E9A . 7E 38 jle short 00401ED4
00401E9C . 66:C745 C0 44>mov word ptr [ebp-40], 44
00401EA2 . 33C9 xor ecx, ecx
00401EA4 . 894D F4 mov dword ptr [ebp-C], ecx
00401EA7 . 8D4D F4 lea ecx, dword ptr [ebp-C]
00401EAA . FF45 CC inc dword ptr [ebp-34]
00401EAD . 33D2 xor edx, edx
00401EAF . 8B45 AC mov eax, dword ptr [ebp-54]
00401EB2 . 8B18 mov ebx, dword ptr [eax]
00401EB4 . FF53 0C call dword ptr [ebx+C]
00401EB7 . 8D55 F4 lea edx, dword ptr [ebp-C]
00401EBA . 8D45 FC lea eax, dword ptr [ebp-4]
00401EBD . E8 7A9E0800 call 0048BD3C
00401EC2 . FF4D CC dec dword ptr [ebp-34]
00401EC5 . 8D45 F4 lea eax, dword ptr [ebp-C]
00401EC8 . BA 02000000 mov edx, 2
00401ECD . E8 3A9E0800 call 0048BD0C
00401ED2 . EB 31 jmp short 00401F05
单步F8到此处。看寄存器
EAX 0012F568
ECX 0012F568
EDX 00A56DD0 ASCII "00:00:E8:F1:1C:B8" 这个东西大家都看得明白呢。网卡的MAC地址
EBX 00467C20 大水牛鼠.00467C20
ESP 0012F4EC
EBP 0012F574
ESI 00A5293D ASCII "95667801405162738405"
EDI 00A52952
EIP 00401ED2 大水牛鼠.00401ED2
程序使用这个地址。算出机器码的后半部份。知道了这些东西。我相信,聪明的你。应该知道怎么破解它
了吧。只要有一台机能播放这个视频。修改一下程序。在读硬盘序列号的时候。改成可以运行的硬盘序列
号。读完网卡地址的时候。改成可以运行的电脑的网卡mac地址。经过测试。视频可以正常播放。只是会
出现一个 高度无损解压缩出错 的消息框。我修改了程序。不出现这个框。视频文件可以正常播放完。
就此本文算写完了。这个软件的破解也算完成了。关于如何改程序。别来问我。
谢谢关注 无下文
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
