星空网络电视 (Xingkong Network TV) 1.0
【Cracked by】 encoder
【Author's e-mail】 encoder2004@263.net
【Tools used】 OD, W32Dasm, PEiD, LordPE, Import.Reconstructor.v1.6.Final
【Platform】 Win9x/NT/2000/XP
【Download】 华军软件园 (onlinedown.net software site)
【Software description】
星空网络电视 is a powerful network movie and TV player. It has nearly 300 built-in TV channels from mainland China, Hong Kong/Taiwan and abroad (including Phoenix TV, Sun TV, TVB8, TVB Galaxy, Channel V and hundreds of channels from Japan, Korea, the US and elsewhere), plus over a hundred domestic and foreign radio stations, so you can watch TV and movies online free of charge 24 hours a day and listen to music for free. Operation is extremely simple: a mouse click is all it takes to enjoy live online TV and radio programmes, and online updates are supported. Fully supports Windows 9x/ME/NT/2000/XP/2003. Newly added Hong Kong/Taiwan pop music albums and sports channels, available to watch online now.
【Unpacking】
PEiD identifies the packer as: FSG 2.0 -> bart/xt
1. Finding the OEP and dumping
After loading in OD it stops here:
0040015A 61 popad
0040015B 94 xchg eax,esp
0040015C 55 push ebp
0040015D A4 movs byte ptr es:[edi],byte ptr ds:[esi]
0040015E B6 80 mov dh,80
00400160 FF13 call dword ptr ds:[ebx]
00400162 ^ 73 F9 jnb short iTVstar.0040015D
00400164 33C9 xor ecx,ecx
00400166 FF13 call dword ptr ds:[ebx]
00400168 73 16 jnb short iTVstar.00400180
0040016A 33C0 xor eax,eax
0040016C FF13 call dword ptr ds:[ebx]
0040016E 73 1F jnb short iTVstar.0040018F
00400170 B6 80 mov dh,80
00400172 41 inc ecx
00400173 B0 10 mov al,10
00400175 FF13 call dword ptr ds:[ebx]
00400177 12C0 adc al,al
00400179 ^ 73 FA jnb short iTVstar.00400175
0040017B 75 3A jnz short iTVstar.004001B7
0040017D AA stos byte ptr es:[edi]
0040017E ^ EB E0 jmp short iTVstar.00400160
00400180 FF53 08 call dword ptr ds:[ebx+8]
00400183 02F6 add dh,dh
00400185 83D9 01 sbb ecx,1
00400188 75 0E jnz short iTVstar.00400198
0040018A FF53 04 call dword ptr ds:[ebx+4]
0040018D EB 24 jmp short iTVstar.004001B3
0040018F AC lods byte ptr ds:[esi]
00400190 D1E8 shr eax,1
00400192 74 2D je short iTVstar.004001C1
00400194 13C9 adc ecx,ecx
00400196 EB 18 jmp short iTVstar.004001B0
00400198 91 xchg eax,ecx
00400199 48 dec eax
0040019A C1E0 08 shl eax,8
0040019D AC lods byte ptr ds:[esi]
0040019E FF53 04 call dword ptr ds:[ebx+4]
004001A1 3B43 F8 cmp eax,dword ptr ds:[ebx-8]
004001A4 73 0A jnb short iTVstar.004001B0
004001A6 80FC 05 cmp ah,5
004001A9 73 06 jnb short iTVstar.004001B1
004001AB 83F8 7F cmp eax,7F
004001AE 77 02 ja short iTVstar.004001B2
004001B0 41 inc ecx
004001B1 41 inc ecx
004001B2 95 xchg eax,ebp
004001B3 8BC5 mov eax,ebp
004001B5 B6 00 mov dh,0
004001B7 56 push esi
004001B8 8BF7 mov esi,edi
004001BA 2BF0 sub esi,eax
004001BC F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
004001BE 5E pop esi
004001BF ^ EB 9F jmp short iTVstar.00400160
004001C1 5E pop esi
004001C2 AD lods dword ptr ds:[esi]
004001C3 97 xchg eax,edi
004001C4 AD lods dword ptr ds:[esi]
004001C5 50 push eax
004001C6 FF53 10 call dword ptr ds:[ebx+10] ; kernel32.LoadLibraryA
004001C9 95 xchg eax,ebp
004001CA 8B07 mov eax,dword ptr ds:[edi]
004001CC 40 inc eax
004001CD ^ 78 F3 js short iTVstar.004001C2
004001CF 75 03 jnz short iTVstar.004001D4
004001D1 FF63 0C jmp dword ptr ds:[ebx+C] ;// ***Note this*** FSG signature: this jump goes to the OEP
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call dword ptr ds:[ebx+14]
004001D9 AB stos dword ptr es:[edi]
004001DA ^ EB EE jmp short iTVstar.004001CA
004001DC 33C9 xor ecx,ecx
004001DE 41 inc ecx
004001DF FF13 call dword ptr ds:[ebx]
004001E1 13C9 adc ecx,ecx
004001E3 FF13 call dword ptr ds:[ebx]
004001E5 ^ 72 F8 jb short iTVstar.004001DF
004001E7 C3 retn
Click on this line and press F4. After a moment of computation it stops here:
004001D1 FF63 0C jmp dword ptr ds:[ebx+C] ;iTVstar.004C1418
Code at the OEP:
004C1418 55 db 55 ; CHAR 'U'
004C1419 8B db 8B
004C141A EC db EC
004C141B 83 db 83
004C141C C4 db C4
004C141D F0 db F0
004C141E B8 db B8
004C141F 40 db 40 ; CHAR '@'
004C1420 10 db 10
004C1421 4C db 4C ; CHAR 'L'
004C1422 00 db 00
004C1423 E8 db E8
004C1424 3C db 3C ; CHAR '<'
004C1425 4E db 4E ; CHAR 'N'
004C1426 F4 db F4
004C1427 FF db FF
004C1428 A1 db A1
004C1429 E8 db E8
004C142A 39 db 39 ; CHAR '9'
004C142B 4C db 4C ; CHAR 'L'
.......
Choose "Remove analysis" and it becomes:
004C1418 55 push ebp ;dump directly with LordPE here
004C1419 8BEC mov ebp,esp
004C141B 83C4 F0 add esp,-10
004C141E B8 40104C00 mov eax,iTVstar.004C1040
004C1423 E8 3C4EF4FF call iTVstar.00406264
004C1428 A1 E8394C00 mov eax,dword ptr ds:[4C39E8]
004C142D 8B00 mov eax,dword ptr ds:[eax]
004C142F E8 A490F9FF call iTVstar.0045A4D8
004C1434 8B0D C0374C00 mov ecx,dword ptr ds:[4C37C0] ; iTVstar.004C72F8
004C143A A1 E8394C00 mov eax,dword ptr ds:[4C39E8]
004C143F 8B00 mov eax,dword ptr ds:[eax]
004C1441 8B15 F87E4B00 mov edx,dword ptr ds:[4B7EF8] ; iTVstar.004B7F44
004C1447 E8 A490F9FF call iTVstar.0045A4F0
004C144C 8B0D CC364C00 mov ecx,dword ptr ds:[4C36CC] ; iTVstar.004C72F0
004C1452 A1 E8394C00 mov eax,dword ptr ds:[4C39E8]
004C1457 8B00 mov eax,dword ptr ds:[eax]
004C1459 8B15 94654B00 mov edx,dword ptr ds:[4B6594] ; iTVstar.004B65E0
004C145F E8 8C90F9FF call iTVstar.0045A4F0
004C1464 A1 E8394C00 mov eax,dword ptr ds:[4C39E8]
004C1469 8B00 mov eax,dword ptr ds:[eax]
004C146B E8 0091F9FF call iTVstar.0045A570
004C1470 E8 632AF4FF call iTVstar.00403ED8
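The raw `db` bytes above are what OD shows before the analysis is removed, and a quick look at them is enough to confirm the OEP candidate: they begin with the standard Delphi program entry (push ebp / mov ebp,esp / add esp,-10 / mov eax,imm32 / call rel32). The following Python is an added example, not the author's code, that checks that prologue on the bytes copied from the listing and decodes the relative call and short-jump displacements used throughout the listings (the `OEP_BYTES` constant is constructed from the `db` dump at 004C1418; the branch encodings are the standard x86 ones). The same rel32 decoder also confirms the call target at 004B68CA later in the post, whose operand is truncated in the listing.

```python
# Added example (not from the original post): sanity-check an OEP candidate
# from the raw bytes OllyDbg shows before "Remove analysis", and decode the
# relative branches the listings use so their targets can be verified by hand.
import struct

# Constructed from the 'db' dump at 004C1418 in the post.
OEP_VA = 0x004C1418
OEP_BYTES = bytes.fromhex("558BEC83C4F0B840104C00E83C4EF4FFA1E8394C00")

# push ebp / mov ebp,esp / add esp,-10 / mov eax,imm32: the usual Delphi 6/7
# program entry, which is why the post can dump right away at this point.
DELPHI_PROLOGUE = bytes.fromhex("558BEC83C4F0B8")


def looks_like_delphi_entry(code: bytes) -> bool:
    """True if the bytes start with the Delphi prologue followed by a rel32 call."""
    return code.startswith(DELPHI_PROLOGUE) and len(code) >= 16 and code[11] == 0xE8


def decode_imm32(code: bytes, offset: int) -> int:
    """Immediate of a 'B8 imm32' (mov eax,imm32) at offset."""
    if code[offset] != 0xB8:
        raise ValueError("expected mov eax,imm32 (B8)")
    return struct.unpack_from("<I", code, offset + 1)[0]


def decode_rel32_target(insn_va: int, code: bytes, offset: int = 0) -> int:
    """Target of an E8 call / E9 jmp: VA of the next instruction plus signed disp32."""
    if code[offset] not in (0xE8, 0xE9):
        raise ValueError("expected call/jmp rel32 (E8/E9)")
    disp = struct.unpack_from("<i", code, offset + 1)[0]
    return (insn_va + offset + 5 + disp) & 0xFFFFFFFF


def decode_rel8_target(insn_va: int, code: bytes, offset: int = 0) -> int:
    """Target of a short jump (EB or 70..7F): VA of the next instruction plus signed disp8."""
    op = code[offset]
    if op != 0xEB and not 0x70 <= op <= 0x7F:
        raise ValueError("expected short jmp/jcc (EB, 70..7F)")
    disp = struct.unpack_from("<b", code, offset + 1)[0]
    return (insn_va + offset + 2 + disp) & 0xFFFFFFFF


def analyse_oep(va: int, code: bytes) -> dict:
    """Summarise a Delphi entry at va: the table address loaded into eax and the first call."""
    return {
        "delphi_prologue": looks_like_delphi_entry(code),
        "init_table": decode_imm32(code, 6),               # mov eax,imm32 at offset 6
        "first_call": decode_rel32_target(va, code, 11),   # call rel32 at offset 11
    }


if __name__ == "__main__":
    info = analyse_oep(OEP_VA, OEP_BYTES)
    print("Delphi prologue:", info["delphi_prologue"])
    print("mov eax, %08X" % info["init_table"])
    print("call %08X" % info["first_call"])
    # FSG stub: 73 F9 at 00400162 must jump back to 0040015D
    print("jnb short -> %08X" % decode_rel8_target(0x00400162, bytes.fromhex("73F9")))
```

Running it reproduces the operands OD shows after analysis (mov eax,004C1040 and call 00406264), and `decode_rel32_target(0x004B68CA, bytes.fromhex("E8B5DCF4FF"))` resolves to 00404584, the same routine called at 004B6884.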
2. IAT repair
Run Import.Reconstructor.v1.6.Final, enter OEP=000C1418, click "IAT AutoSearch" and then "Get Imports"; every entry shows as valid, so click "Fix Dump".
The result fails to run.
Looking at the imported functions listed in Import.Reconstructor.v1.6.Final, there are only three:
RVA=000D2284 mod:kernel32.dll ord:0348 名称:TlsSetValue
RVA=000D2288 mod:kernel32.dll ord:0347 名称:TlsGetValue
RVA=000D228C mod:kernel32.dll ord:0241 名称:LocalALLoc
With RVA=000D2284 and size=0000000C, that cannot be right for a program this large (431K);
the correct IAT size has to be found again.
Reload the dumped program in OD:
Enter dd 004D2284 (000D2284 is the RVA shown in Import.Rec; adding the image base gives 004D2284):
004D2284 77E5AA4F kernel32.TlsSetValue
004D2288 77E5ABF1 kernel32.TlsGetValue
004D228C 77E5A682 kernel32.LocalAlloc
004D2290 77E5AD86 kernel32.GetModuleHandleA
004D2294 7FFFFFFF //should be 00000000
004D2298 77DA2410 ADVAPI32.RegQueryValueExA
004D229C 77DA229A ADVAPI32.RegOpenKeyExA
004D22A0 77DA17D8 ADVAPI32.RegCloseKey
004D22A4 7FFFFFFF //should be 00000000
004D22A8 77E54E0A kernel32.lstrcpyA
004D22AC 77E55DEC kernel32.lstrcmpA
004D22B0 77E48D7E kernel32.WritePrivateProfileStringA
004D22B4 77E5F13A kernel32.WriteFile
004D22B8 77E5AC12 kernel32.WaitForSingleObject
004D22BC 77E57F44 kernel32.VirtualQuery
This is the legendary IAT. Look a little above and a little below it and the size of the IAT can be determined: IAT size = 4d2930-4d21a4 = 78c.
Reload the program in Import.Rec, change the size to 78c, which is the real IAT, and click "Get Imports". It reports invalid pointers; looking at what is invalid, it is ptr:7FFFFFFF. Isn't that simply because Import.Rec, when reading 004D2294 and 004D22A4 from memory, mistakes them for API functions?! Cut that pointer, "Fix Dump", and the unpacked program runs normally.
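The two problems fixed above (an auto-search that found only the first 0C bytes, and 7FFFFFFF filler that Import.Rec took for API pointers) are exactly the checks one does by eye in the `dd` window. The Python below is an added example, not the author's code, that replays them on a constructed dump: the dword values for 004D2284..004D22BC are copied from the listing, the zero terminators before and after are assumed, and the module address ranges for kernel32 and ADVAPI32 are assumed ranges that merely contain the pointers shown. It classifies each dword as an API pointer, a zero separator or bogus filler, reports where the bogus entries sit, replaces them with the zero that should terminate a DLL's thunk run, and computes RVA and size the way Import.Rec expects them.

```python
# Added example (not from the original post): replay the manual IAT check the
# post performs with OllyDbg's 'dd' command, on a constructed dump region.
import struct

IMAGE_BASE = 0x00400000  # image base of iTVstar.exe (OEP 004C1418 -> RVA 000C1418)

# Constructed module ranges (assumed for the example); they only need to
# contain the 77E5xxxx / 77DAxxxx pointers shown in the post.
MODULES = {
    "kernel32.dll": (0x77E40000, 0x77F40000),
    "ADVAPI32.dll": (0x77DA0000, 0x77E00000),
}

# Constructed little-endian dump starting at 004D2280. The dwords for
# 004D2284..004D22BC are those listed in the post; the zero dword before and
# after the run is assumed so the table has a terminator on both sides.
DUMP_VA = 0x004D2280
DUMP_BYTES = struct.pack(
    "<17I",
    0x00000000,                                      # 004D2280 (assumed)
    0x77E5AA4F, 0x77E5ABF1, 0x77E5A682, 0x77E5AD86,  # kernel32 thunks
    0x7FFFFFFF,                                      # 004D2294: should be 00000000
    0x77DA2410, 0x77DA229A, 0x77DA17D8,              # ADVAPI32 thunks
    0x7FFFFFFF,                                      # 004D22A4: should be 00000000
    0x77E54E0A, 0x77E55DEC, 0x77E48D7E,
    0x77E5F13A, 0x77E5AC12, 0x77E57F44,              # kernel32 thunks
    0x00000000,                                      # 004D22C0 (assumed)
)


def va_to_rva(va: int, image_base: int = IMAGE_BASE) -> int:
    """Convert a virtual address to the RVA Import.Rec asks for."""
    return va - image_base


def iat_size(start_va: int, end_va: int) -> int:
    """Size field for Import.Rec: one-past-last VA minus first VA."""
    return end_va - start_va


def parse_dwords(raw: bytes) -> list:
    """Split a little-endian dump into 32-bit values, like the 'dd' view."""
    if len(raw) % 4:
        raise ValueError("dump length is not a multiple of 4")
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def module_of(ptr: int, modules=MODULES):
    """Name of the loaded module containing ptr, or None if it points nowhere."""
    for name, (lo, hi) in modules.items():
        if lo <= ptr < hi:
            return name
    return None


def classify_iat(base_va: int, dwords: list, modules=MODULES) -> list:
    """[(va, value, status)] with status 'api', 'separator' (zero) or 'bogus'."""
    result = []
    for i, value in enumerate(dwords):
        if value == 0:
            status = "separator"
        elif module_of(value, modules):
            status = "api"
        else:
            status = "bogus"          # e.g. 7FFFFFFF: not inside any module
        result.append((base_va + 4 * i, value, status))
    return result


def bogus_entries(base_va: int, dwords: list, modules=MODULES) -> list:
    """VAs that Import.Rec would report as invalid pointers."""
    return [va for va, _, st in classify_iat(base_va, dwords, modules) if st == "bogus"]


def repair_thunks(dwords: list, modules=MODULES) -> list:
    """Turn filler that is not an API pointer into the zero that ends a DLL's run."""
    return [v if v == 0 or module_of(v, modules) else 0 for v in dwords]


def iat_bounds(base_va: int, dwords: list, modules=MODULES):
    """(first VA, one-past-last VA) of the region holding API pointers."""
    api_idx = [i for i, (_, _, st) in enumerate(classify_iat(base_va, dwords, modules)) if st == "api"]
    if not api_idx:
        raise ValueError("no API pointers found")
    return base_va + 4 * api_idx[0], base_va + 4 * (api_idx[-1] + 1)


if __name__ == "__main__":
    dwords = parse_dwords(DUMP_BYTES)
    for va, value, status in classify_iat(DUMP_VA, dwords):
        print("%08X %08X %-9s %s" % (va, value, status, module_of(value) or ""))
    start, end = iat_bounds(DUMP_VA, dwords)
    print("RVA=%08X size=%08X" % (va_to_rva(start), iat_size(start, end)))
    print("bogus:", ["%08X" % va for va in bogus_entries(DUMP_VA, dwords)])
```

On the constructed dump the bogus list is exactly 004D2294 and 004D22A4, the two addresses the post had to cut; after `repair_thunks` every remaining non-zero dword resolves to a module. On a real dump one would scan the whole region between 4d21a4 and 4d2930 the same way, which is how the size 78c is arrived at.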
II. Finding the registration code
The unpacked program is Borland Delphi 6.0-7.0; disassembling it with W32Dasm gives:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B68D8(C)
|
* Possible StringData Ref from Data Obj ->"警告"
|
:004B7CC1 BA2C7E4B00 mov edx, 004B7E2C
* Possible StringData Ref from Data Obj ->" 错误的注册码! "
|
:004B7CC6 B8347E4B00 mov eax, 004B7E34
........................................................................
Going upward:
:004B6800 6A00 push 00000000
:004B6802 6A00 push 00000000
:004B6804 49 dec ecx
:004B6805 75F9 jne 004B6800 ///set the OD breakpoint here
:004B6807 51 push ecx
:004B6808 53 push ebx
:004B6809 56 push esi
:004B680A 57 push edi
:004B680B 8945FC mov dword ptr [ebp-04], eax
:004B680E 33C0 xor eax, eax
:004B6810 55 push ebp
:004B6811 68227D4B00 push 004B7D22
:004B6816 64FF30 push dword ptr fs:[eax]
:004B6819 648920 mov dword ptr fs:[eax], esp
:004B681C 8D55F0 lea edx, dword ptr [ebp-10]
:004B681F 8B45FC mov eax, dword ptr [ebp-04]
:004B6822 8B8004030000 mov eax, dword ptr [eax+00000304]
:004B6828 E82341F8FF call 0043A950
:004B682D 8B45F0 mov eax, dword ptr [ebp-10]
:004B6830 8D55F4 lea edx, dword ptr [ebp-0C]
:004B6833 E8881CF5FF call 004084C0
:004B6838 837DF400 cmp dword ptr [ebp-0C], 00000000 ////checks whether the field is empty
:004B683C 7519 jne 004B6857
:004B683E BA307D4B00 mov edx, 004B7D30
* Possible StringData Ref from Data Obj ->" 姓名不能为空! "
|
:004B6843 B8387D4B00 mov eax, 004B7D38
:004B6848 B930000000 mov ecx, 00000030
:004B684D E89E94FFFF call 004AFCF0
:004B6852 E97E140000 jmp 004B7CD5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B683C(C)
|
:004B6857 8D45EC lea eax, dword ptr [ebp-14]
:004B685A 50 push eax
:004B685B 8D55E4 lea edx, dword ptr [ebp-1C]
:004B685E 8B45FC mov eax, dword ptr [ebp-04]
:004B6861 8B8010030000 mov eax, dword ptr [eax+00000310]
:004B6867 E8E440F8FF call 0043A950
:004B686C 8B45E4 mov eax, dword ptr [ebp-1C]
:004B686F 8D55E8 lea edx, dword ptr [ebp-18]
:004B6872 E8491CF5FF call 004084C0
:004B6877 8B45E8 mov eax, dword ptr [ebp-18]
:004B687A B90C000000 mov ecx, 0000000C
:004B687F BA01000000 mov edx, 00000001
:004B6884 E8FBDCF4FF call 00404584
:004B6889 8B45EC mov eax, dword ptr [ebp-14]
:004B688C 50 push eax
:004B688D 8D45E0 lea eax, dword ptr [ebp-20]
:004B6890 50 push eax
:004B6891 8D55D4 lea edx, dword ptr [ebp-2C]
:004B6894 8B45FC mov eax, dword ptr [ebp-04]
:004B6897 8B8004030000 mov eax, dword ptr [eax+00000304]
:004B689D E8AE40F8FF call 0043A950
:004B68A2 8B45D4 mov eax, dword ptr [ebp-2C]
:004B68A5 8D55D8 lea edx, dword ptr [ebp-28]
:004B68A8 E8131CF5FF call 004084C0
:004B68AD 8B45D8 mov eax, dword ptr [ebp-28]
:004B68B0 8D4DDC lea ecx, dword ptr [ebp-24]
* Possible StringData Ref from Data Obj ->"星空网络电视"
|
:004B68B3 BA547D4B00 mov edx, 004B7D54
:004B68B8 E88794FFFF call 004AFD44 ////core of the algorithm
:004B68BD 8B45DC mov eax, dword ptr [ebp-24]
:004B68C0 B90C000000 mov ecx, 0000000C
:004B68C5 BA01000000 mov edx, 00000001
:004B68CA E8B5DCF4FF call 00404584
:004B68CF 8B55E0 mov edx, dword ptr [ebp-20] ////real registration code
:004B68D2 58 pop eax ////entered (fake) registration code
:004B68D3 E898DBF4FF call 00404470 ////the classic comparison
:004B68D8 0F85E3130000 jne 004B7CC1
A working registration code is attached:
name:encoder
code:212124212126952