【文章标题】: Allok Video Splitter 2.2.0726汉化版脱壳加爆破
【文章作者】: edigar
【下载地址】: google搜索
【操作系统】:VMWare+Windows2000
【保护方式】: 双层壳NsPacK V3.7 +MoleBox v2.0+RSA(貌似)
【使用工具】: OllyICE,PEID0.94,LoadPE,ImportRec,WinHex
【软件介绍】: 分割视频文件用
【作者声明】: 菜鸟练手,老鸟就不用看了。只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【文章简介】:软件之前分割视频时下的,现在拿来练手用,双层壳,全部照看雪旧教程脱掉的,注册部分论坛上有大牛之前分析过1.x版的,是rsa,大概看了下这个版本也有类似的部分,判断大概还是RSA,并且N很长,用工具解的时候死机了所以放弃用爆破解决。本文是解掉后补的,算作破解笔记,写下来与大家共享,与众菜鸟共勉。
----------------------------------------------------------------------------------------------------------
1.脱壳NsPacK V3.7
软件安装后用Peid查壳 NsPacK V3.7 -> LiuXingPing [Overlay] *
Od载入来到
004A8198 > 9C pushfd
004A8199 60 pushad
004A819A E8 00000000 call 004A819F ; F8到这里hr esp
004A819F 5D pop ebp
004A81A0 83ED 07 sub ebp, 7
004A81A3 8D8D E4FEFFFF lea ecx, dword ptr [ebp-11C]
f8到004A819A用esp定律下hr esp ,f9后来到这里
004A83F4 B8 00000000 mov eax, 0
004A83F9 83F8 00 cmp eax, 0
004A83FC 74 0A je short 004A8408
004A83FE 61 popad
004A83FF 9D popfd
004A8400 B8 01000000 mov eax, 1
004A8405 C2 0C00 retn 0C
004A8408 61 popad
004A8409 9D popfd
004A840A - E9 C457FEFF jmp 0048DBD3 ; 跳到OEP
004A840F 8BB5 70FEFFFF mov esi, dword ptr [ebp-190]
004A8415 0BF6 or esi, esi
也可以在入口点向下拉找到上面这里,在jmp上面的popad,popfd处下断来到入口
0048DBD3 E8 00000000 call 0048DBD8 ; 入口
0048DBD8 60 pushad
0048DBD9 E8 4F000000 call 0048DC2D
0048DBDE AA stos byte ptr es:[edi]
0048DBDF 59 pop ecx
0048DBE0 2399 E8A2EF3B and ebx, dword ptr [ecx+3BEFA2E8]
来到入口点,用LoadPE完整转存,打开IpmortRec,OEP填0008DBD3,IAT AutoSearch,Get Imports无错,Fix前面dump的文件,运行后出错,提示BOXFILE CORRUPTED,想到前面查壳时候有附加数据,LoadPE打开原文件,查看区段最后一个段大小RO=2AA00,RS=6A00,用WinHex复制原文件从RO+RS=31400处到末尾复制,然后粘贴在新文件之后,运行成功。
2.脱壳MoleBox
脱壳后的文件用Peid查壳MoleBox v2.0 [Overlay] *。查看雪论坛精华,有很多文章,MoleBox的壳可以捆绑文件,还会加密输入表。为什么这么脱不是很明白,照着做了。
查看捆绑文件:
Od载入
0048DBD3 > $ E8 00000000 call 0048DBD8 ;停在这里
0048DBD8 $ 60 pushad
0048DBD9 . E8 4F000000 call 0048DC2D
0048DBDE . AA stos byte ptr es:[edi]
0048DBDF . 59 pop ecx
0048DBE0 . 2399 E8A2EF3B and ebx, dword ptr [ecx+3BEFA2E8]
下断BP GetFileTime Shift+F9,中断后取消断点Alt+F9返回
00494221 . FF15 98174A00 call dword ptr [4A1798] ; \GetFileTime 返回这里
00494227 . 8B45 E0 mov eax, dword ptr [ebp-20]
0049422A . 8378 20 00 cmp dword ptr [eax+20], 0
0049422E . 75 16 jnz short 00494246
00494230 . 8B4D E0 mov ecx, dword ptr [ebp-20]
00494233 . 8379 1C 00 cmp dword ptr [ecx+1C], 0
00494237 . 75 0D jnz short 00494246
00494239 . 8B55 E0 mov edx, dword ptr [ebp-20]
0049423C . 83C2 1C add edx, 1C
0049423F . 52 push edx ; /pFileTime
00494240 . FF15 C0174A00 call dword ptr [4A17C0] ; \GetSystemTimeAsFileTime
00494246 > C745 A4 00000>mov dword ptr [ebp-5C], 0
0049424D . EB 09 jmp short 00494258
0049424F > 8B45 A4 mov eax, dword ptr [ebp-5C]
00494252 . 83C0 01 add eax, 1
00494255 . 8945 A4 mov dword ptr [ebp-5C], eax
00494258 > 8B4D A4 mov ecx, dword ptr [ebp-5C]
0049425B . 3B4D 94 cmp ecx, dword ptr [ebp-6C] ; 捆绑文件数[ebp-6C]=1
0049425E . 0F83 E3000000 jnb 00494347
00494264 . 8B55 A4 mov edx, dword ptr [ebp-5C]
00494267 . C1E2 04 shl edx, 4
0049426A . 8B45 E0 mov eax, dword ptr [ebp-20] ; 查看文件名
0049426D . 8B48 04 mov ecx, dword ptr [eax+4]
00494270 . 8B45 DC mov eax, dword ptr [ebp-24]
00494273 . 030411 add eax, dword ptr [ecx+edx]
0049425B 处的dword ptr [ebp-6C]存放捆绑文件数,这里等于1
0049426A 处数据窗口中跟随[ebp-20] 向上翻可以看到捆绑的文件aveData.dll
脱主程序:
OD载入
0048DBD3 > $ E8 00000000 call 0048DBD8 ;停在这里
0048DBD8 $ 60 pushad
0048DBD9 . E8 4F000000 call 0048DC2D ;这里下hr esp
0048DBDE . AA stos byte ptr es:[edi]
F9后断在这里
0048D7B1 . 58 pop eax ; ttttt_.0048DBD8
0048D7B2 . 58 pop eax
0048D7B3 . FFD0 call eax ; 到OEP
F7跟进0048D7B3
0041A0E8 /. 55 push ebp
0041A0E9 |. 8BEC mov ebp, esp
0041A0EB |. 6A FF push -1
0041A0ED |. 68 00FC4100 push 0041FC00
0041A0F2 |. 68 74A24100 push 0041A274 ; jmp 到 MSVCRT._except_handler3; SE 处理程序安装
记下OEP RVA=1A0E8,在OEP处用ImportRec查看输入表,有很多错误,要修复才行
选中0041A115 这行,右键,数据窗口中跟随内存地址。设置显示长型->地址,向上翻一段看到
0041D0E4 77E6A869 kernel32.WritePrivateProfileStringA
0041D0E8 0049AFFF ttttt_.0049AFFF
0041D0EC 0049AF59 ttttt_.0049AF59
0041D0F0 77E75813 kernel32.GetCurrentDirectoryA
0041D0F4 77E839D8 kernel32.CreateDirectoryA
0041D0F8 0049B6C8 ttttt_.0049B6C8
0041D0FC 0049B84E ttttt_.0049B84E
0041D100 0049B80F ttttt_.0049B80F
怀疑这些ttttt_.0049AFFF就是替换掉的输入表内容,随便选一个
0041D0E8 0049AFFF ttttt_.0049AFFF
设置断点,硬件写(不知道为什么我用内存写断不下来,哪位大大知道麻烦告诉我下。)
重启动程序,Crtl+G 0041D0E8 看数据窗口,F9运行,之前的esp断点不要删除,还有用。断下
0041D0DC 77E69C1D kernel32.WinExec
0041D0E0 77E7DF5C kernel32.lstrcatA
0041D0E4 77E6A869 kernel32.WritePrivateProfileStringA
0041D0E8 77E6ACAE kernel32.GetPrivateProfileIntA
0041D0EC 00022E70
0041D0F0 00022E8C
上面可以看到0041D0E8 这里填上了GetPrivateProfileIntA 而且下面还没填,说明正在填IAT表而且还没破坏,既然后面要破坏说明还要改一次这里,继续F9,断下在这里
0049567A |> \8B4D 08 mov ecx, dword ptr [ebp+8]
0049567D |. 8B55 F8 mov edx, dword ptr [ebp-8]
00495680 |. 8B02 mov eax, dword ptr [edx]
00495682 8901 mov dword ptr [ecx], eax ;这里就是改的语句,要想办法跳过去,在这里下F2
00495684 |. 8D4D F4 lea ecx, dword ptr [ebp-C] ;断在这里
00495687 |. 51 push ecx ; /pOldProtect
00495688 |. 8B55 F0 mov edx, dword ptr [ebp-10] ; |
0049568B |. 52 push edx ; |NewProtect
0049568C |. 6A 04 push 4 ; |Size = 4
0049568E |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
00495691 |. 50 push eax ; |Address
00495692 |. FF15 40184A00 call dword ptr [4A1840] ; \VirtualProtect
看数据窗口
0041D0E8 0049AFFF ttttt_.0049AFFF
已经被改过了,在00495682 下F2,重启程序,2个硬件断点不动,提示某些断点屏蔽了,不管,F9继续,断在第一次修改0041D0E8 的地方,Alt+B打开断点窗口,打开刚才的那个断点,F9继续断在上面
00495682 8901 mov dword ptr [ecx], eax ;这次断这里nop掉,
改完为
0049567A |> \8B4D 08 mov ecx, dword ptr [ebp+8]
0049567D |. 8B55 F8 mov edx, dword ptr [ebp-8]
00495680 |. 8B02 mov eax, dword ptr [edx]
00495682 90 nop
00495683 90 nop
00495684 |. 8D4D F4 lea ecx, dword ptr [ebp-C]
00495687 |. 51 push ecx ; /pOldProtect
00495688 |. 8B55 F0 mov edx, dword ptr [ebp-10] ; |
0049568B |. 52 push edx ; |NewProtect
0049568C |. 6A 04 push 4 ; |Size = 4
取消这个断点然后继续F9,然后来到程序入口处,用ImportRec查看输入表发现还有错误,打开错误的dll,查看没有识别的函数0001D0B4,OD中内存中crtl+G查找0041D0B4,发现果然被替换掉了,继续下硬件写断点,重启程序,F9,会先断在对0041D0B4修改中,向0041D0B4填
0041D0B4 77E6E6A9 kernel32.GetProcAddress
F9断在上面修改输入表的地方。看来是先填一部分IAT然后替换掉几个,继续填下面的,再替换这样一个流程。刚才找的那个函数是在这批函数之后才填入IAT的。
现在按照上面那个修改,取消这个断点F9,最后到入口点用ImportRec看全部Yes,用LoadPe工具Dump,ImportRec修复。
运行提示少动态运行库mbx@438@933140.###,应该是那个捆绑的dll文件。要把文件名改过来。
再次重新加载程序,下断bp CreateFileA,F9断在CreateFileA,看堆栈窗口继续F9直到出现
0012FC24 0049714E /CALL 到 CreateFileA 来自 ttttt_.00497148
0012FC28 009B1570 |FileName = "C:\DOCUME~1\EDIGAR\LOCALS~1\TEMP\MBX@354@933140.###"
0012FC2C 40000000 |Access = GENERIC_WRITE
0012FC30 00000000 |ShareMode = 0
0012FC34 00000000 |pSecurity = NULL
0012FC38 00000002 |Mode = CREATE_ALWAYS
0012FC3C 00000000 |Attributes = 0
0012FC40 00000000 \hTemplateFile = NULL
在堆栈0012FC28 上右键数据窗口中跟随,把文件名改掉改成上面记下的dll名称aveData.dll,多余的填0,取消CreateFileA 断点,F9继续会断在上面那里,按照上面步骤操作,最后dump,fix,主程序脱壳完成。
提取dll文件
用CCDebuger这个帖子http://bbs.pediy.com/showthread.php?t=44400 的方法
重新加载程序,下断BP VirtualProtect ,F9断下后返回
搜索
ADD EAX,DWORD PTR DS:[ECX+CONST]
MOV ECX,DWORD PTR SS:[EBP-CONST]
CMP EAX,DWORD PTR DS:[ECX]
找到这个
00496B50 . 0341 10 add eax, dword ptr [ecx+10] ;根据例文,由下面的VirtualAlloc 定位
00496B53 . 8B8D 70FFFFFF mov ecx, dword ptr [ebp-90]
00496B59 . 3B01 cmp eax, dword ptr [ecx]
00496B5B . 0F86 03030000 jbe 00496E64
00496B61 . 83A5 50FFFFFF>and dword ptr [ebp-B0], 0
00496B68 . C745 FC 01000>mov dword ptr [ebp-4], 1
00496B6F . 6A 04 push 4 ; /Protect = PAGE_READWRITE
00496B71 . 68 00100000 push 1000 ; |AllocationType = MEM_COMMIT
00496B76 . 8B85 68FFFFFF mov eax, dword ptr [ebp-98] ; |
00496B7C . FF70 10 push dword ptr [eax+10] ; |Size
00496B7F . 6A 00 push 0 ; |Address = NULL
00496B81 . FF15 38184A00 call dword ptr [4A1838] ; \VirtualAlloc
00496B87 . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
在00496B50 处下断,F9断到这里数据窗口中跟随地址,在数据窗口中可以找到dll的PE头
009B1888 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?........
009B1898 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
009B18A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
009B18B8 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 ............?..
009B18C8 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ?.???L?Th
009B18D8 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
009B18E8 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
009B18F8 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
009B1908 F3 5E 59 EB B7 3F 37 B8 B7 3F 37 B8 B7 3F 37 B8 骬Y敕?7阜?7阜?7
009B1918 D8 20 3C B8 BF 3F 37 B8 34 23 39 B8 A1 3F 37 B8 ?<缚?7?#9浮?7
009B1928 D8 20 3D B8 E4 3F 37 B8 D5 20 24 B8 B2 3F 37 B8 ?=镐?7刚 $覆?7
009B1938 B7 3F 36 B8 E7 3F 37 B8 E3 1C 06 B8 B2 3F 37 B8 ?6哥?7搞覆?7
009B1948 48 1F 33 B8 B6 3F 37 B8 52 69 63 68 B7 3F 37 B8 H3付?7窻ich?7
009B1958 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L.
009B1968 85 44 75 45 00 00 00 00 00 00 00 00 E0 00 0E 21 匘uE........?!
009B1978 0B 01 06 00 00 00 00 00 00 00 00 00 00 00 00 00 .............
009B1988 EC 43 00 00 00 10 00 00 00 C0 00 00 00 00 00 10 霤......?....
009B1998 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 .............
009B19A8 04 00 00 00 00 00 00 00 00 50 01 00 00 10 00 00 ........P....
009B19B8 1B D9 01 00 02 00 00 00 00 00 10 00 00 10 00 00 ?..........
009B19C8 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 .............
009B19D8 10 D3 00 00 9C 01 00 00 18 CD 00 00 3C 00 00 00 ?.?..?.<...
009B19E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
009B19F8 00 00 00 00 00 00 00 00 00 30 01 00 64 09 00 00 .........0.d...
009B1A08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
009B1A18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
009B1A28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
009B1A38 00 C0 00 00 0C 01 00 00 00 00 00 00 00 00 00 00 .?............
009B1A48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
009B1A58 2E 74 65 78 74 00 00 00 6E A4 00 00 00 10 00 00 .text...n?....
009B1A68 00 B0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 .?............
009B1A78 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 00 .... ..`.rdata..
009B1A88 AC 14 00 00 00 C0 00 00 00 20 00 00 00 C0 00 00 ?...?.. ...?.
009B1A98 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 ............@..@
009B1AA8 2E 64 61 74 61 00 00 00 A4 49 00 00 00 E0 00 00 .data......?.
009B1AB8 00 50 00 00 00 E0 00 00 00 00 00 00 00 00 00 00 .P...?.........
009B1AC8 00 00 00 00 40 00 00 C0 2E 72 65 6C 6F 63 00 00 ....@..?reloc..
009B1AD8 E0 13 00 00 00 30 01 00 00 20 00 00 00 30 01 00 ?...0.. ...0.
009B1AE8 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 ............@..B
009B1AF8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
009B1B08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
用LoadPE部分转存,开始009B1888 长度300保存备用。
重新启动程序,下断BP CreateFileA,继续到创建dll文件的地方,改名。
然后下断BP GetModuleHandleA,断下后返回dump aveData.dll进程,用LoadPE删除最后一个区段“_BOX_”。把刚才文件头用WinHex拷贝到aveData.dll文件里面,保存。运行程序成功运行,至此,脱壳全部完成。
3,破解。
程序运行,弹出对话框,填姓名注册码注册,出错有错误提示。
OD载入,F9运行,填入用户名edigar,密码12345678注册断下,返回程序领空,弹出对话框确定后返回在下面:
004120F5 . 50 push eax ;这里下断
004120F6 . 51 push ecx
004120F7 . E8 58780000 call <jmp.&avedata.ge_check>
004120FC . 83C4 08 add esp, 8
004120FF . 85C0 test eax, eax
00412101 . 75 2B jnz short 0041212E
00412103 . 6A 40 push 40
00412105 . 68 E44E4200 push 00424EE4
0041210A . 68 BC4E4200 push 00424EBC
0041210F . 8BCB mov ecx, ebx
00412111 . E8 E47D0000 call <jmp.&mfc42.#4224_CWnd::MessageBoxA>
00412116 . 68 F0030000 push 3F0 ;停在这里
0041211B . 8BCB mov ecx, ebx
0041211D . E8 E8790000 call <jmp.&mfc42.#3092_CWnd::GetDlgItem>
00412122 . 8BC8 mov ecx, eax
00412124 . E8 877C0000 call <jmp.&mfc42.#5981_CWnd::SetFocus>
看这段程序00412101 的跳似乎为关键跳,004120F7 的call似乎为关键call,在004120F5 下断,重新运行程序,输入用户密码后断下,果然eaxecx为用户密码,跟进004120F7 来到
10001B20 > 6A FF push -1
10001B22 68 8AAF0010 push 1000AF8A
10001B27 64:A1 00000000 mov eax, dword ptr fs:[0]
10001B2D 50 push eax
10001B2E 64:8925 0000000>mov dword ptr fs:[0], esp
10001B35 81EC B8020000 sub esp, 2B8
10001B3B 6A 00 push 0
10001B3D 8D4C24 04 lea ecx, dword ptr [esp+4]
10001B41 C74424 5C 716A6>mov dword ptr [esp+5C], AE6E6A71
10001B49 C74424 60 98C87>mov dword ptr [esp+60], E37CC898
10001B51 C74424 64 5CC46>mov dword ptr [esp+64], 446FC45C
10001B59 C74424 68 E64B6>mov dword ptr [esp+68], 646F4BE6
10001B61 C74424 6C 61CE7>mov dword ptr [esp+6C], 5075CE61
10001B69 C74424 70 4DB38>mov dword ptr [esp+70], B58FB34D
10001B71 C74424 74 AFBAB>mov dword ptr [esp+74], 53BABAAF
10001B79 C74424 78 78E74>mov dword ptr [esp+78], E64BE778
10001B81 C74424 7C D1422>mov dword ptr [esp+7C], E72242D1
10001B89 C78424 80000000>mov dword ptr [esp+80], 5BF1EED
10001B94 C78424 84000000>mov dword ptr [esp+84], C13A930A
10001B9F C78424 88000000>mov dword ptr [esp+88], E1F6051B
10001BAA C78424 8C000000>mov dword ptr [esp+8C], 4E63A75B
10001BB5 C78424 90000000>mov dword ptr [esp+90], 841FD5C6
10001BC0 C78424 94000000>mov dword ptr [esp+94], C0742A91
10001BCB C78424 98000000>mov dword ptr [esp+98], 5A59C59B
10001BD6 E8 E5120000 call 10002EC0
10001BDB 6A 00 push 0
10001BDD 8D4C24 0C lea ecx, dword ptr [esp+C]
10001BE1 C78424 C4020000>mov dword ptr [esp+2C4], 0
10001BEC E8 CF120000 call 10002EC0
10001BF1 8B8424 C8020000 mov eax, dword ptr [esp+2C8]
10001BF8 8D9424 B8000000 lea edx, dword ptr [esp+B8]
10001BFF C68424 C0020000>mov byte ptr [esp+2C0], 1
10001C07 2BD0 sub edx, eax
10001C09 8A08 mov cl, byte ptr [eax]
10001C0B 880C02 mov byte ptr [edx+eax], cl
看到一个很大的数字怀疑为RSA算法,查看论坛精华中之前这个软件的破解教程,也是RSA,尝试分解这个N,死机Orz。放弃,RSA果然不是我这个菜鸟搞得定的。决定爆破。
爆破
首先是上面那个疑似爆破点,改跳转后提示注册成功,进入软件看关于,显示注册成功,重新打开程序,还是提示注册,看来启动的时候有检查是否注册正确。
OD重新启动程序,猜测判断注册程序还是avedata.ge_check函数,其中avedata.ll就是解包解出来的那个。下断 bp ge_check,F9断下,来到上面那个函数,F8单步运行。一直到最后
10001E5E 6A 08 push 8
10001E60 52 push edx ; 假码
10001E61 50 push eax ; 真码
10001E62 E8 09240000 call 10004270 ; 关键比较,明码的。。
10001E67 83C4 18 add esp, 18
10001E6A 85C0 test eax, eax
10001E6C 5F pop edi
10001E6D 5E pop esi
10001E6E 5D pop ebp
10001E6F 5B pop ebx
10001E70 0F85 83000000 jnz 10001EF9 ; 关键跳转,直接改这里,nop掉
10001E76 8D4C24 30 lea ecx, dword ptr [esp+30]
10001E7A C68424 C0020000>mov byte ptr [esp+2C0], 9
10001E82 E8 E9100000 call 10002F70
10001E87 8D4C24 28 lea ecx, dword ptr [esp+28]
10001E8B C68424 C0020000>mov byte ptr [esp+2C0], 8
10001E93 E8 D8100000 call 10002F70
10001E98 8D4C24 20 lea ecx, dword ptr [esp+20]
10001E9C C68424 C0020000>mov byte ptr [esp+2C0], 0A
10001EA4 E8 C7100000 call 10002F70
10001EA9 8D4C24 18 lea ecx, dword ptr [esp+18]
10001EAD C68424 C0020000>mov byte ptr [esp+2C0], 1
10001EB5 E8 B6100000 call 10002F70
10001EBA 8D4C24 08 lea ecx, dword ptr [esp+8]
10001EBE C68424 C0020000>mov byte ptr [esp+2C0], 0
10001EC6 E8 A5100000 call 10002F70
10001ECB 8D4C24 00 lea ecx, dword ptr [esp]
10001ECF C78424 C0020000>mov dword ptr [esp+2C0], -1
10001EDA E8 91100000 call 10002F70
10001EDF B8 01000000 mov eax, 1
10001EE4 8B8C24 B8020000 mov ecx, dword ptr [esp+2B8]
10001EEB 64:890D 0000000>mov dword ptr fs:[0], ecx
10001EF2 81C4 C4020000 add esp, 2C4
10001EF8 C3 retn ;这里返回成功
10001EF9 8D4C24 30 lea ecx, dword ptr [esp+30]
10001EFD C68424 C0020000>mov byte ptr [esp+2C0], 0C
10001F05 E8 66100000 call 10002F70
10001F0A 8D4C24 28 lea ecx, dword ptr [esp+28]
10001F0E C68424 C0020000>mov byte ptr [esp+2C0], 0B
10001F16 E8 55100000 call 10002F70
10001F1B 8D4C24 20 lea ecx, dword ptr [esp+20]
10001F1F C68424 C0020000>mov byte ptr [esp+2C0], 0D
10001F27 E8 44100000 call 10002F70
10001F2C 8D4C24 18 lea ecx, dword ptr [esp+18]
10001F30 C68424 C0020000>mov byte ptr [esp+2C0], 1
10001F38 E8 33100000 call 10002F70
10001F3D 8D4C24 08 lea ecx, dword ptr [esp+8]
10001F41 C68424 C0020000>mov byte ptr [esp+2C0], 0
10001F49 E8 22100000 call 10002F70
10001F4E 8D4C24 00 lea ecx, dword ptr [esp]
10001F52 C78424 C0020000>mov dword ptr [esp+2C0], -1
10001F5D E8 0E100000 call 10002F70
10001F62 8B8C24 B8020000 mov ecx, dword ptr [esp+2B8]
10001F69 33C0 xor eax, eax
10001F6B 64:890D 0000000>mov dword ptr fs:[0], ecx
10001F72 81C4 C4020000 add esp, 2C4
10001F78 C3 retn ;这里返回失败
10001E70 0F85 83000000 jnz 10001EF9 ; 关键跳转
将上面这句nop掉,然后在反汇编窗口右键,保存到可执行文件,弹出窗口后右键,复制-全选,保存到可执行文件,保存,名字改为avedata.dll,运行程序程序,没有弹出提示注册,进程序看关于,提示注册成功。
破解完成。
总结,搞了2天时间搞定,还是学到很多东西,果然大牛们就是厉害,感谢大牛们的优秀文章,不然连硬啃也无从下手。
自己完成的部分没太大技术含量,纯粹学习而已。
edigar
; 2008.08.11,03:27
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)