Tracing the password check of an .exe video file
It took me a long time to work this out, and I went down many wrong paths.
I am a beginner; corrections are welcome.
First I checked the packer with PEiD: MoleBox v2.0 [Overlay] *. I unpacked it following Heiying's video tutorial "Easily unpacking programs packed with MoleBox". The unpacked program turned out to be written in Borland Delphi. With DeDe I got the address of the register button's handler: 00494dd8.
Load the still-packed exe video file in OllyICE, run it, and press Shift+F9 to pass exceptions n times until the registration dialog appears. Go to address 00494dd8 in OllyICE and set a breakpoint; it may warn that this is a data section and ask whether to really set the breakpoint; answer Yes.
Enter a fake registration code; after clicking OK it stops here:
00494DD8 55 PUSH EBP
00494DD9 8BEC MOV EBP,ESP
00494DDB B9 52000000 MOV ECX,52
00494DE0 6A 00 PUSH 0
00494DE2 6A 00 PUSH 0
00494DE4 49 DEC ECX
00494DE5 ^ 75 F9 JNZ SHORT 00494DE0
00494DE7 53 PUSH EBX
00494DE8 56 PUSH ESI
00494DE9 57 PUSH EDI
00494DEA 8BD8 MOV EBX,EAX
00494DEC 33C0 XOR EAX,EAX
00494DEE 55 PUSH EBP
00494DEF 68 33564900 PUSH 00495633
00494DF4 64:FF30 PUSH DWORD PTR FS:[EAX]
00494DF7 64:8920 MOV DWORD PTR FS:[EAX],ESP
00494DFA 8D95 04FEFFFF LEA EDX,DWORD PTR SS:[EBP-1FC]
00494E00 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00494E06 E8 598CFAFF CALL 0043DA64
00494E0B 8B85 04FEFFFF MOV EAX,DWORD PTR SS:[EBP-1FC]
00494E11 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00494E14 E8 973BF7FF CALL 004089B0
00494E19 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00494E1C E8 47FCF6FF CALL 00404A68
00494E21 83F8 08 CMP EAX,8
00494E24 75 0C JNZ SHORT 00494E32
00494E26 A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00494E2B 8B00 MOV EAX,DWORD PTR DS:[EAX]
00494E2D E8 4E4DFCFF CALL 00459B80
00494E32 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00494E35 E8 2EFCF6FF CALL 00404A68
00494E3A 83F8 20 CMP EAX,20 ; checks whether the password is 32 characters; it must be 32
00494E3D 0F85 C8000000 JNZ 00494F0B
00494E43 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00494E46 BA 08000000 MOV EDX,8
00494E4B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00494E4E E8 71ABF9FF CALL 0042F9C4
00494E53 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00494E56 BA 18000000 MOV EDX,18
00494E5B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00494E5E E8 D1ABF9FF CALL 0042FA34
00494E63 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00494E69 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; take the first 8 characters of the password
00494E6C E8 B737FDFF CALL 00468628
00494E71 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00494E77 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204]
00494E7D E8 1A38FDFF CALL 0046869C ; computes the following 16 + 8 characters from the first 8 characters of the password
00494E82 8B85 FCFDFFFF MOV EAX,DWORD PTR SS:[EBP-204]
00494E88 8D8D 00FEFFFF LEA ECX,DWORD PTR SS:[EBP-200]
00494E8E BA 18000000 MOV EDX,18
00494E93 E8 2CABF9FF CALL 0042F9C4 ; take the first 16 characters computed above ------------ ①
00494E98 8B95 00FEFFFF MOV EDX,DWORD PTR SS:[EBP-200]
00494E9E 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00494EA1 E8 9AF9F6FF CALL 00404840
00494EA6 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00494EA9 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00494EAC E8 03FDF6FF CALL 00404BB4
00494EB1 0F95C0 SETNE AL
00494EB4 84C0 TEST AL,AL ; eax=1 here; it has to be 0
00494EB6 74 0F JE SHORT 00494EC7 ; not taken; it has to jump
00494EB8 B8 4C564900 MOV EAX,0049564C
00494EBD E8 9E7BF9FF CALL 0042CA60 ; shows the "playback password format incorrect" message. Conclusion: the password format should be the first 8 characters of the fake password + ①
00494EC2 E9 F0060000 JMP 004955B7
00494EC7 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00494ECA 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00494ECD E8 E2FCF6FF CALL 00404BB4
00494ED2 0F95C0 SETNE AL
00494ED5 84C0 TEST AL,AL
00494ED7 0F85 DA060000 JNZ 004955B7
00494EDD 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00494EE0 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00494EE3 E8 CCFCF6FF CALL 00404BB4
00494EE8 75 21 JNZ SHORT 00494F0B
00494EEA 8D8D E8FDFFFF LEA ECX,DWORD PTR SS:[EBP-218]
00494EF0 BA 08000000 MOV EDX,8
00494EF5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00494EF8 E8 C7AAF9FF CALL 0042F9C4
00494EFD 8B95 E8FDFFFF MOV EDX,DWORD PTR SS:[EBP-218]
00494F03 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00494F06 E8 35F9F6FF CALL 00404840
00494F0B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00494F0E E8 55FBF6FF CALL 00404A68
00494F13 83F8 08 CMP EAX,8
00494F16 75 12 JNZ SHORT 00494F2A
00494F18 B8 E0FD4900 MOV EAX,0049FDE0
00494F1D 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00494F20 E8 D7F8F6FF CALL 004047FC
00494F25 E9 50010000 JMP 0049507A
00494F2A 8D95 E4FDFFFF LEA EDX,DWORD PTR SS:[EBP-21C]
00494F30 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00494F33 E8 EC350000 CALL 00498524
00494F38 8B85 E4FDFFFF MOV EAX,DWORD PTR SS:[EBP-21C]
00494F3E BA 68564900 MOV EDX,00495668
00494F43 E8 54430000 CALL 0049929C
00494F48 8BF0 MOV ESI,EAX
00494F4A 8BC6 MOV EAX,ESI
00494F4C 8B10 MOV EDX,DWORD PTR DS:[EAX]
00494F4E FF52 14 CALL DWORD PTR DS:[EDX+14]
00494F51 83F8 04 CMP EAX,4
00494F54 0F85 0A010000 JNZ 00495064
00494F5A 8D8D E0FDFFFF LEA ECX,DWORD PTR SS:[EBP-220]
00494F60 33D2 XOR EDX,EDX
00494F62 8BC6 MOV EAX,ESI
00494F64 8B38 MOV EDI,DWORD PTR DS:[EAX]
00494F66 FF57 0C CALL DWORD PTR DS:[EDI+C]
00494F69 8B95 E0FDFFFF MOV EDX,DWORD PTR SS:[EBP-220]
00494F6F B8 E0FD4900 MOV EAX,0049FDE0
00494F74 E8 83F8F6FF CALL 004047FC
00494F79 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00494F7C BA 01000000 MOV EDX,1
00494F81 8BC6 MOV EAX,ESI
00494F83 8B38 MOV EDI,DWORD PTR DS:[EAX]
00494F85 FF57 0C CALL DWORD PTR DS:[EDI+C]
00494F88 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00494F8B BA 02000000 MOV EDX,2
00494F90 8BC6 MOV EAX,ESI
00494F92 8B38 MOV EDI,DWORD PTR DS:[EAX]
00494F94 FF57 0C CALL DWORD PTR DS:[EDI+C]
00494F97 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00494F9A BA 03000000 MOV EDX,3
00494F9F 8BC6 MOV EAX,ESI
00494FA1 8B38 MOV EDI,DWORD PTR DS:[EAX]
00494FA3 FF57 0C CALL DWORD PTR DS:[EDI+C]
00494FA6 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00494FA9 BA 04000000 MOV EDX,4
00494FAE 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00494FB1 E8 7EAAF9FF CALL 0042FA34
00494FB6 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00494FB9 E8 AAFAF6FF CALL 00404A68
00494FBE 8BD0 MOV EDX,EAX
00494FC0 83EA 04 SUB EDX,4
00494FC3 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
00494FC9 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00494FCC E8 F3A9F9FF CALL 0042F9C4
00494FD1 8B95 DCFDFFFF MOV EDX,DWORD PTR SS:[EBP-224]
00494FD7 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00494FDA E8 61F8F6FF CALL 00404840
00494FDF FF35 E0FD4900 PUSH DWORD PTR DS:[49FDE0]
00494FE5 68 68564900 PUSH 00495668
00494FEA FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00494FED 68 68564900 PUSH 00495668
00494FF2 FF75 E0 PUSH DWORD PTR SS:[EBP-20]
00494FF5 68 68564900 PUSH 00495668
00494FFA FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
00494FFD 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-230]
00495003 BA 07000000 MOV EDX,7
00495008 E8 1BFBF6FF CALL 00404B28
0049500D 8B85 D0FDFFFF MOV EAX,DWORD PTR SS:[EBP-230]
00495013 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00495019 E8 0A36FDFF CALL 00468628
0049501E 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00495024 8D95 D4FDFFFF LEA EDX,DWORD PTR SS:[EBP-22C]
0049502A E8 6D36FDFF CALL 0046869C
0049502F 8B85 D4FDFFFF MOV EAX,DWORD PTR SS:[EBP-22C]
00495035 8D8D D8FDFFFF LEA ECX,DWORD PTR SS:[EBP-228]
0049503B BA 04000000 MOV EDX,4
00495040 E8 7FA9F9FF CALL 0042F9C4
00495045 8B85 D8FDFFFF MOV EAX,DWORD PTR SS:[EBP-228]
0049504B 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0049504E E8 61FBF6FF CALL 00404BB4
00495053 74 1E JE SHORT 00495073
00495055 B8 74564900 MOV EAX,00495674
0049505A E8 017AF9FF CALL 0042CA60
0049505F E9 53050000 JMP 004955B7
00495064 B8 90564900 MOV EAX,00495690
00495069 E8 F279F9FF CALL 0042CA60 ; "playback authorization incorrect"
0049506E E9 44050000 JMP 004955B7
00495073 8BC6 MOV EAX,ESI
00495075 E8 DEE9F6FF CALL 00403A58
0049507A 8D95 C4FDFFFF LEA EDX,DWORD PTR SS:[EBP-23C]
00495080 A1 BCDA4900 MOV EAX,DWORD PTR DS:[49DABC]
00495085 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495087 E8 98340000 CALL 00498524
0049508C FFB5 C4FDFFFF PUSH DWORD PTR SS:[EBP-23C]
00495092 8D95 C0FDFFFF LEA EDX,DWORD PTR SS:[EBP-240]
00495098 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
0049509E E8 C189FAFF CALL 0043DA64
004950A3 FFB5 C0FDFFFF PUSH DWORD PTR SS:[EBP-240]
004950A9 68 AC564900 PUSH 004956AC
004950AE 68 B8564900 PUSH 004956B8
004950B3 68 C4564900 PUSH 004956C4
004950B8 68 D0564900 PUSH 004956D0
004950BD 68 DC564900 PUSH 004956DC
004950C2 68 E8564900 PUSH 004956E8
004950C7 68 C4564900 PUSH 004956C4
004950CC 68 F4564900 PUSH 004956F4
004950D1 68 B8564900 PUSH 004956B8
004950D6 68 00574900 PUSH 00495700
004950DB 68 0C574900 PUSH 0049570C
004950E0 68 18574900 PUSH 00495718
004950E5 68 B8564900 PUSH 004956B8
004950EA 68 AC564900 PUSH 004956AC
004950EF 68 0C574900 PUSH 0049570C
004950F4 68 C4564900 PUSH 004956C4
004950F9 68 DC564900 PUSH 004956DC
004950FE 68 24574900 PUSH 00495724
00495103 68 18574900 PUSH 00495718
00495108 68 DC564900 PUSH 004956DC
0049510D 68 30574900 PUSH 00495730
00495112 68 D0564900 PUSH 004956D0
00495117 8D85 C8FDFFFF LEA EAX,DWORD PTR SS:[EBP-238]
0049511D BA 18000000 MOV EDX,18
00495122 E8 01FAF6FF CALL 00404B28
00495127 8B85 C8FDFFFF MOV EAX,DWORD PTR SS:[EBP-238]
0049512D 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00495133 E8 6436F7FF CALL 0040879C
00495138 8B85 CCFDFFFF MOV EAX,DWORD PTR SS:[EBP-234]
0049513E 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00495141 E8 CA340000 CALL 00498610
00495146 8D95 A8FDFFFF LEA EDX,DWORD PTR SS:[EBP-258]
0049514C 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049514F E8 D0330000 CALL 00498524
00495154 FFB5 A8FDFFFF PUSH DWORD PTR SS:[EBP-258]
0049515A 68 3C574900 PUSH 0049573C ; ASCII "yaomediakj1jf"
0049515F 68 54574900 PUSH 00495754
00495164 68 60574900 PUSH 00495760 ; ASCII "ly"
00495169 68 6C574900 PUSH 0049576C ; ASCII "12.1a.4"
0049516E 68 7C574900 PUSH 0049577C ; ASCII "25"
00495173 68 B8564900 PUSH 004956B8
00495178 68 C4564900 PUSH 004956C4
0049517D 68 D0564900 PUSH 004956D0
00495182 68 DC564900 PUSH 004956DC
00495187 68 E8564900 PUSH 004956E8
0049518C 68 C4564900 PUSH 004956C4
00495191 68 F4564900 PUSH 004956F4
00495196 68 B8564900 PUSH 004956B8
0049519B 68 00574900 PUSH 00495700
004951A0 68 0C574900 PUSH 0049570C
004951A5 68 0C574900 PUSH 0049570C
004951AA 68 18574900 PUSH 00495718
004951AF 68 B8564900 PUSH 004956B8
004951B4 68 AC564900 PUSH 004956AC
004951B9 68 0C574900 PUSH 0049570C
004951BE 68 C4564900 PUSH 004956C4
004951C3 68 DC564900 PUSH 004956DC
004951C8 68 24574900 PUSH 00495724
004951CD 68 18574900 PUSH 00495718
004951D2 68 DC564900 PUSH 004956DC
004951D7 68 30574900 PUSH 00495730
004951DC 68 D0564900 PUSH 004956D0
004951E1 8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254]
004951E7 BA 1C000000 MOV EDX,1C
004951EC E8 37F9F6FF CALL 00404B28
004951F1 8B85 ACFDFFFF MOV EAX,DWORD PTR SS:[EBP-254]
004951F7 8D95 B0FDFFFF LEA EDX,DWORD PTR SS:[EBP-250]
004951FD E8 0E340000 CALL 00498610
00495202 8B85 B0FDFFFF MOV EAX,DWORD PTR SS:[EBP-250]
00495208 8D95 B4FDFFFF LEA EDX,DWORD PTR SS:[EBP-24C]
0049520E E8 8935F7FF CALL 0040879C
00495213 8B85 B4FDFFFF MOV EAX,DWORD PTR SS:[EBP-24C]
00495219 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0049521F E8 0434FDFF CALL 00468628 ; mediaplayer
00495224 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0049522A 8D95 B8FDFFFF LEA EDX,DWORD PTR SS:[EBP-248]
00495230 E8 6734FDFF CALL 0046869C ; computes a string of characters from the machine identifier and so on --------②
00495235 8B85 B8FDFFFF MOV EAX,DWORD PTR SS:[EBP-248]
0049523B 8D8D BCFDFFFF LEA ECX,DWORD PTR SS:[EBP-244]
00495241 BA 02000000 MOV EDX,2
00495246 E8 79A7F9FF CALL 0042F9C4 ; take the first 2 characters of ②; for me they are "b1"
0049524B 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
00495251 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00495257 E8 CC33FDFF CALL 00468628 ; mediaplayer
0049525C 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00495262 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00495265 E8 3234FDFF CALL 0046869C ; mediaplayer; step into this
0049526A 8D8D A4FDFFFF LEA ECX,DWORD PTR SS:[EBP-25C]
00495270 BA 02000000 MOV EDX,2
00495275 A1 E0FD4900 MOV EAX,DWORD PTR DS:[49FDE0]
0049527A E8 45A7F9FF CALL 0042F9C4 ; take the first 2 characters of the fake password; for me they are "c3"
0049527F 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
00495285 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0049528B E8 9833FDFF CALL 00468628
00495290 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00495296 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00495299 E8 FE33FDFF CALL 0046869C
0049529E 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004952A1 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004952A4 E8 0BF9F6FF CALL 00404BB4 ; watch this; it is also a compare
004952A9 74 0F JE SHORT 004952BA
004952AB B8 88574900 MOV EAX,00495788
004952B0 E8 AB77F9FF CALL 0042CA60 ; "playback password incorrect". Conclusion: the first two characters of the correct password should be the first 2 characters of ②. Fix the first two characters of the password (the first step then has to be redone to compute the trailing 16 characters, and the computed 8 + 16 characters are used to continue)
004952B5 E9 FD020000 JMP 004955B7
004952BA 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004952C0 8B10 MOV EDX,DWORD PTR DS:[EAX]
004952C2 FF92 C8000000 CALL DWORD PTR DS:[EDX+C8]
004952C8 84C0 TEST AL,AL
004952CA 0F84 F1000000 JE 004953C1
004952D0 68 A0574900 PUSH 004957A0 ; ASCII "c:\china-drm\"
004952D5 8D95 9CFDFFFF LEA EDX,DWORD PTR SS:[EBP-264]
004952DB A1 18DB4900 MOV EAX,DWORD PTR DS:[49DB18]
004952E0 8B00 MOV EAX,DWORD PTR DS:[EAX]
004952E2 E8 D185FCFF CALL 0045D8B8
004952E7 8B85 9CFDFFFF MOV EAX,DWORD PTR SS:[EBP-264]
004952ED 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
004952F3 E8 3033FDFF CALL 00468628
004952F8 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
004952FE 8D95 A0FDFFFF LEA EDX,DWORD PTR SS:[EBP-260]
00495304 E8 9333FDFF CALL 0046869C
00495309 FFB5 A0FDFFFF PUSH DWORD PTR SS:[EBP-260]
0049530F 68 B8574900 PUSH 004957B8 ; ASCII ".ini"
00495314 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00495317 BA 03000000 MOV EDX,3
0049531C E8 07F8F6FF CALL 00404B28
00495321 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00495324 E8 F73DF7FF CALL 00409120
00495329 84C0 TEST AL,AL
0049532B 75 0D JNZ SHORT 0049533A
0049532D 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00495330 E8 BF3CF7FF CALL 00408FF4
00495335 E8 763DF7FF CALL 004090B0
0049533A 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0049533D 8D85 08FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F8]
00495343 E8 74DBF6FF CALL 00402EBC
00495348 8D85 08FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F8]
0049534E E8 05D9F6FF CALL 00402C58
00495353 E8 E4D5F6FF CALL 0040293C
00495358 8D95 94FDFFFF LEA EDX,DWORD PTR SS:[EBP-26C]
0049535E 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00495364 E8 FB86FAFF CALL 0043DA64
00495369 8B85 94FDFFFF MOV EAX,DWORD PTR SS:[EBP-26C]
0049536F 8D95 98FDFFFF LEA EDX,DWORD PTR SS:[EBP-268]
00495375 E8 96320000 CALL 00498610
0049537A 8B95 98FDFFFF MOV EDX,DWORD PTR SS:[EBP-268]
00495380 8D85 08FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F8]
00495386 E8 F9FAF6FF CALL 00404E84
0049538B E8 88E1F6FF CALL 00403518
00495390 E8 A7D5F6FF CALL 0040293C
00495395 8D85 08FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F8]
0049539B E8 E4DBF6FF CALL 00402F84
004953A0 E8 97D5F6FF CALL 0040293C
004953A5 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004953A8 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004953AB E8 04F8F6FF CALL 00404BB4 ; another compare; it has to jump!
004953B0 74 0F JE SHORT 004953C1
004953B2 B8 88574900 MOV EAX,00495788
004953B7 E8 A476F9FF CALL 0042CA60
004953BC E9 F6010000 JMP 004955B7
004953C1 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004953C4 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004953C7 E8 E8F7F6FF CALL 00404BB4
004953CC 0F85 E5010000 JNZ 004955B7
004953D2 8D95 78FDFFFF LEA EDX,DWORD PTR SS:[EBP-288]
004953D8 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004953DB E8 44310000 CALL 00498524
004953E0 FFB5 78FDFFFF PUSH DWORD PTR SS:[EBP-288]
004953E6 68 C8574900 PUSH 004957C8 ; ASCII "yaomediakj2jf"
004953EB 68 E0574900 PUSH 004957E0 ; ASCII "mm"
004953F0 68 60574900 PUSH 00495760 ; ASCII "ly"
004953F5 68 6C574900 PUSH 0049576C ; ASCII "12.1a.4"
004953FA 68 7C574900 PUSH 0049577C ; ASCII "25"
004953FF 68 B8564900 PUSH 004956B8
00495404 68 C4564900 PUSH 004956C4
00495409 68 D0564900 PUSH 004956D0
0049540E 68 DC564900 PUSH 004956DC
00495413 68 E8564900 PUSH 004956E8
00495418 68 C4564900 PUSH 004956C4
0049541D 68 F4564900 PUSH 004956F4
00495422 68 B8564900 PUSH 004956B8
00495427 68 00574900 PUSH 00495700
0049542C 68 0C574900 PUSH 0049570C
00495431 68 0C574900 PUSH 0049570C
00495436 68 0C574900 PUSH 0049570C
0049543B 68 18574900 PUSH 00495718
00495440 68 B8564900 PUSH 004956B8
00495445 68 AC564900 PUSH 004956AC
0049544A 68 0C574900 PUSH 0049570C
0049544F 68 C4564900 PUSH 004956C4
00495454 68 DC564900 PUSH 004956DC
00495459 68 24574900 PUSH 00495724
0049545E 68 18574900 PUSH 00495718
00495463 68 DC564900 PUSH 004956DC
00495468 68 30574900 PUSH 00495730
0049546D 68 D0564900 PUSH 004956D0
00495472 8D85 7CFDFFFF LEA EAX,DWORD PTR SS:[EBP-284]
00495478 BA 1D000000 MOV EDX,1D
0049547D E8 A6F6F6FF CALL 00404B28
00495482 8B85 7CFDFFFF MOV EAX,DWORD PTR SS:[EBP-284]
00495488 8D95 80FDFFFF LEA EDX,DWORD PTR SS:[EBP-280]
0049548E E8 7D310000 CALL 00498610
00495493 8B85 80FDFFFF MOV EAX,DWORD PTR SS:[EBP-280]
00495499 8D95 84FDFFFF LEA EDX,DWORD PTR SS:[EBP-27C]
0049549F E8 F832F7FF CALL 0040879C
004954A4 8B85 84FDFFFF MOV EAX,DWORD PTR SS:[EBP-27C]
004954AA 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
004954B0 E8 7331FDFF CALL 00468628
004954B5 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
004954BB 8D95 88FDFFFF LEA EDX,DWORD PTR SS:[EBP-278]
004954C1 E8 D631FDFF CALL 0046869C ; compute
004954C6 8B85 88FDFFFF MOV EAX,DWORD PTR SS:[EBP-278]
004954CC 8D8D 8CFDFFFF LEA ECX,DWORD PTR SS:[EBP-274]
004954D2 BA 0E000000 MOV EDX,0E
004954D7 E8 E8A4F9FF CALL 0042F9C4
004954DC 8B85 8CFDFFFF MOV EAX,DWORD PTR SS:[EBP-274] ; take the first 14 characters of the value computed above
004954E2 8D8D 90FDFFFF LEA ECX,DWORD PTR SS:[EBP-270]
004954E8 BA 04000000 MOV EDX,4
004954ED E8 42A5F9FF CALL 0042FA34 ; take the last 4 of those 14 characters --------③
004954F2 8B85 90FDFFFF MOV EAX,DWORD PTR SS:[EBP-270]
004954F8 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
004954FE E8 2531FDFF CALL 00468628
00495503 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00495509 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0049550C E8 8B31FDFF CALL 0046869C ; compute
00495511 8D8D 70FDFFFF LEA ECX,DWORD PTR SS:[EBP-290]
00495517 BA 06000000 MOV EDX,6
0049551C A1 E0FD4900 MOV EAX,DWORD PTR DS:[49FDE0]
00495521 E8 9EA4F9FF CALL 0042F9C4 ; take the first 6 characters of the fake password
00495526 8B85 70FDFFFF MOV EAX,DWORD PTR SS:[EBP-290]
0049552C 8D8D 74FDFFFF LEA ECX,DWORD PTR SS:[EBP-28C]
00495532 BA 04000000 MOV EDX,4
00495537 E8 F8A4F9FF CALL 0042FA34 ; take the last 4 of those first 6 characters of the fake password -----------------④
0049553C 8B85 74FDFFFF MOV EAX,DWORD PTR SS:[EBP-28C]
00495542 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00495548 E8 DB30FDFF CALL 00468628
0049554D 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00495553 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00495556 E8 4131FDFF CALL 0046869C ; compute
0049555B 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0049555E 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00495561 E8 4EF6F6FF CALL 00404BB4
00495566 74 0C JE SHORT 00495574 ; this one has to jump too
00495568 B8 88574900 MOV EAX,00495788
0049556D E8 EE74F9FF CALL 0042CA60 ; "playback password incorrect". Conclusion: the first two characters of the correct password should be the first 2 characters of ②, and characters 5-8 should be ③. Fix the password and repeat the first step.
00495572 EB 43 JMP SHORT 004955B7
00495574 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00495577 E8 ECF4F6FF CALL 00404A68
0049557C 83F8 08 CMP EAX,8
0049557F 7E 0E JLE SHORT 0049558F
00495581 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
00495584 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
00495587 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0049558A E8 FD070000 CALL 00495D8C
0049558F A1 60D84900 MOV EAX,DWORD PTR DS:[49D860]
00495594 BA EC574900 MOV EDX,004957EC ; ASCII "ok"
00495599 E8 5EF2F6FF CALL 004047FC
0049559E 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004955A1 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004955A4 E8 2F32F7FF CALL 004087D8
004955A9 85C0 TEST EAX,EAX
004955AB 75 0A JNZ SHORT 004955B7 ; must not jump
004955AD A1 D0FD4900 MOV EAX,DWORD PTR DS:[49FDD0]
004955B2 E8 C945FCFF CALL 00459B80
004955B7 33C0 XOR EAX,EAX
004955B9 5A POP EDX
004955BA 59 POP ECX
004955BB 59 POP ECX
004955BC 64:8910 MOV DWORD PTR FS:[EAX],EDX
004955BF 68 3A564900 PUSH 0049563A
004955C4 8D85 70FDFFFF LEA EAX,DWORD PTR SS:[EBP-290]
004955CA BA 09000000 MOV EDX,9
004955CF E8 F8F1F6FF CALL 004047CC
004955D4 8D85 94FDFFFF LEA EAX,DWORD PTR SS:[EBP-26C]
004955DA E8 C9F1F6FF CALL 004047A8
004955DF 8D85 98FDFFFF LEA EAX,DWORD PTR SS:[EBP-268]
004955E5 BA 0A000000 MOV EDX,0A
004955EA E8 DDF1F6FF CALL 004047CC
004955EF 8D85 C0FDFFFF LEA EAX,DWORD PTR SS:[EBP-240]
004955F5 E8 AEF1F6FF CALL 004047A8
004955FA 8D85 C4FDFFFF LEA EAX,DWORD PTR SS:[EBP-23C]
00495600 BA 0A000000 MOV EDX,0A
00495605 E8 C2F1F6FF CALL 004047CC
0049560A 8D85 FCFDFFFF LEA EAX,DWORD PTR SS:[EBP-204]
00495610 BA 02000000 MOV EDX,2
00495615 E8 B2F1F6FF CALL 004047CC
0049561A 8D85 04FEFFFF LEA EAX,DWORD PTR SS:[EBP-1FC]
00495620 E8 83F1F6FF CALL 004047A8
00495625 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00495628 BA 0B000000 MOV EDX,0B
0049562D E8 9AF1F6FF CALL 004047CC
00495632 C3 RET
At this point the OK button's handler has run to the end. Press F9, and the program flashes and exits? What is going on?
I remembered the address DeDe gave for this form's close handler: 004957f0. Restart the program and set a breakpoint at 004957f0.
004957F0 55 PUSH EBP
004957F1 8BEC MOV EBP,ESP
004957F3 51 PUSH ECX
004957F4 B9 0C000000 MOV ECX,0C
004957F9 6A 00 PUSH 0
004957FB 6A 00 PUSH 0
004957FD 49 DEC ECX
004957FE ^ 75 F9 JNZ SHORT 004957F9
00495800 874D FC XCHG DWORD PTR SS:[EBP-4],ECX
00495803 53 PUSH EBX
00495804 56 PUSH ESI
00495805 57 PUSH EDI
00495806 8BD8 MOV EBX,EAX
00495808 33C0 XOR EAX,EAX
0049580A 55 PUSH EBP
0049580B 68 F95B4900 PUSH 00495BF9
00495810 64:FF30 PUSH DWORD PTR FS:[EAX]
00495813 64:8920 MOV DWORD PTR FS:[EAX],ESP
00495816 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00495819 A1 BCDA4900 MOV EAX,DWORD PTR DS:[49DABC]
0049581E 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495820 E8 FF2C0000 CALL 00498524
00495825 FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
00495828 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0049582B 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00495831 E8 2E82FAFF CALL 0043DA64
00495836 FF75 E0 PUSH DWORD PTR SS:[EBP-20]
00495839 68 105C4900 PUSH 00495C10
0049583E 68 1C5C4900 PUSH 00495C1C
00495843 68 285C4900 PUSH 00495C28
00495848 68 345C4900 PUSH 00495C34
0049584D 68 405C4900 PUSH 00495C40
00495852 68 4C5C4900 PUSH 00495C4C
00495857 68 285C4900 PUSH 00495C28
0049585C 68 585C4900 PUSH 00495C58
00495861 68 1C5C4900 PUSH 00495C1C
00495866 68 645C4900 PUSH 00495C64
0049586B 68 705C4900 PUSH 00495C70
00495870 68 7C5C4900 PUSH 00495C7C
00495875 68 1C5C4900 PUSH 00495C1C
0049587A 68 105C4900 PUSH 00495C10
0049587F 68 705C4900 PUSH 00495C70
00495884 68 285C4900 PUSH 00495C28
00495889 68 405C4900 PUSH 00495C40
0049588E 68 885C4900 PUSH 00495C88
00495893 68 7C5C4900 PUSH 00495C7C
00495898 68 405C4900 PUSH 00495C40
0049589D 68 945C4900 PUSH 00495C94
004958A2 68 345C4900 PUSH 00495C34
004958A7 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004958AA BA 18000000 MOV EDX,18
004958AF E8 74F2F6FF CALL 00404B28
004958B4 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004958B7 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004958BA E8 DD2EF7FF CALL 0040879C
004958BF 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004958C2 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004958C5 E8 462D0000 CALL 00498610
004958CA 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
004958CD 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004958D0 E8 4F2C0000 CALL 00498524
004958D5 FF75 B4 PUSH DWORD PTR SS:[EBP-4C]
004958D8 68 A05C4900 PUSH 00495CA0 ; ASCII "yaomediakj3jf"
004958DD 68 B85C4900 PUSH 00495CB8 ; ASCII "mmm"
004958E2 68 C45C4900 PUSH 00495CC4 ; ASCII "ly"
004958E7 68 D05C4900 PUSH 00495CD0 ; ASCII "12.1a.4"
004958EC 68 E05C4900 PUSH 00495CE0 ; ASCII "25"
004958F1 68 1C5C4900 PUSH 00495C1C
004958F6 68 285C4900 PUSH 00495C28
004958FB 68 345C4900 PUSH 00495C34
00495900 68 405C4900 PUSH 00495C40
00495905 68 4C5C4900 PUSH 00495C4C
0049590A 68 285C4900 PUSH 00495C28
0049590F 68 585C4900 PUSH 00495C58
00495914 68 1C5C4900 PUSH 00495C1C
00495919 68 645C4900 PUSH 00495C64
0049591E 68 705C4900 PUSH 00495C70
00495923 68 705C4900 PUSH 00495C70
00495928 68 705C4900 PUSH 00495C70
0049592D 68 705C4900 PUSH 00495C70
00495932 68 7C5C4900 PUSH 00495C7C
00495937 68 1C5C4900 PUSH 00495C1C
0049593C 68 105C4900 PUSH 00495C10
00495941 68 705C4900 PUSH 00495C70
00495946 68 285C4900 PUSH 00495C28
0049594B 68 405C4900 PUSH 00495C40
00495950 68 885C4900 PUSH 00495C88
00495955 68 7C5C4900 PUSH 00495C7C
0049595A 68 405C4900 PUSH 00495C40
0049595F 68 945C4900 PUSH 00495C94
00495964 68 345C4900 PUSH 00495C34
00495969 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0049596C BA 1E000000 MOV EDX,1E
00495971 E8 B2F1F6FF CALL 00404B28
00495976 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48]
00495979 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0049597C E8 8F2C0000 CALL 00498610
00495981 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
00495984 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00495987 E8 102EF7FF CALL 0040879C
0049598C 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0049598F 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
00495992 E8 912CFDFF CALL 00468628
00495997 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0049599A 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0049599D E8 FA2CFDFF CALL 0046869C ; computes a string of characters
004959A2 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
004959A5 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
004959A8 BA 18000000 MOV EDX,18
004959AD E8 12A0F9FF CALL 0042F9C4
004959B2 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
004959B5 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004959B8 BA 02000000 MOV EDX,2
004959BD E8 72A0F9FF CALL 0042FA34 ; take two characters -----------------------⑤
004959C2 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
004959C5 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004959C8 E8 5B2CFDFF CALL 00468628
004959CD 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004959D0 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004959D3 E8 C42CFDFF CALL 0046869C
004959D8 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
004959DB BA 02000000 MOV EDX,2
004959E0 A1 E0FD4900 MOV EAX,DWORD PTR DS:[49FDE0]
004959E5 E8 4AA0F9FF CALL 0042FA34 ; take characters 7 and 8 of the fake registration code
004959EA 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
004959ED 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004959F0 E8 332CFDFF CALL 00468628
004959F5 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004959F8 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004959FB E8 9C2CFDFF CALL 0046869C
00495A00 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00495A03 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00495A06 E8 A9F1F6FF CALL 00404BB4 ; compare; jumps if equal, and obviously it has to jump. Conclusion: characters 7 and 8 of the real registration code should be ⑤
00495A0B 74 11 JE SHORT 00495A1E
00495A0D A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00495A12 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495A14 E8 6741FCFF CALL 00459B80
00495A19 E9 A3010000 JMP 00495BC1
00495A1E 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00495A21 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00495A24 E8 8BF1F6FF CALL 00404BB4
00495A29 74 11 JE SHORT 00495A3C
00495A2B A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00495A30 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495A32 E8 4941FCFF CALL 00459B80
00495A37 E9 85010000 JMP 00495BC1
00495A3C A1 D8D94900 MOV EAX,DWORD PTR DS:[49D9D8]
00495A41 E8 62EDF6FF CALL 004047A8
00495A46 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00495A49 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00495A4C E8 63F1F6FF CALL 00404BB4
00495A51 74 11 JE SHORT 00495A64
00495A53 A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00495A58 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495A5A E8 2141FCFF CALL 00459B80
00495A5F E9 5D010000 JMP 00495BC1
00495A64 A1 98DA4900 MOV EAX,DWORD PTR DS:[49DA98]
00495A69 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00495A6C E8 8BEDF6FF CALL 004047FC
00495A71 A1 C0DA4900 MOV EAX,DWORD PTR DS:[49DAC0]
00495A76 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00495A79 E8 7EEDF6FF CALL 004047FC
00495A7E A1 BCDC4900 MOV EAX,DWORD PTR DS:[49DCBC]
00495A83 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495A85 BA 7C5C4900 MOV EDX,00495C7C
00495A8A E8 25F1F6FF CALL 00404BB4
00495A8F 75 7F JNZ SHORT 00495B10
00495A91 68 EC5C4900 PUSH 00495CEC ; ASCII "c:\china-drm\"
00495A96 A1 84D84900 MOV EAX,DWORD PTR DS:[49D884]
00495A9B FF30 PUSH DWORD PTR DS:[EAX]
00495A9D 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00495AA0 A1 BCDA4900 MOV EAX,DWORD PTR DS:[49DABC]
00495AA5 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495AA7 E8 782A0000 CALL 00498524
00495AAC FF75 A4 PUSH DWORD PTR SS:[EBP-5C]
00495AAF 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00495AB2 E8 9DECFFFF CALL 00494754
00495AB7 FF75 A0 PUSH DWORD PTR SS:[EBP-60]
00495ABA 68 045D4900 PUSH 00495D04 ; ASCII "mediakjjf"
00495ABF 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00495AC2 BA 04000000 MOV EDX,4
00495AC7 E8 5CF0F6FF CALL 00404B28
00495ACC 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
00495ACF 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
00495AD2 E8 512BFDFF CALL 00468628
00495AD7 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00495ADA 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
00495ADD E8 BA2BFDFF CALL 0046869C
00495AE2 FF75 AC PUSH DWORD PTR SS:[EBP-54]
00495AE5 68 185D4900 PUSH 00495D18 ; ASCII ".config"
00495AEA 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00495AED BA 03000000 MOV EDX,3
00495AF2 E8 31F0F6FF CALL 00404B28
00495AF7 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00495AFA E8 2136F7FF CALL 00409120
00495AFF 84C0 TEST AL,AL
00495B01 75 0D JNZ SHORT 00495B10
00495B03 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00495B06 E8 E934F7FF CALL 00408FF4
00495B0B E8 A035F7FF CALL 004090B0
00495B10 A1 C4D94900 MOV EAX,DWORD PTR DS:[49D9C4]
00495B15 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495B17 BA 1C5C4900 MOV EDX,00495C1C
00495B1C E8 93F0F6FF CALL 00404BB4
00495B21 74 52 JE SHORT 00495B75
00495B23 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
00495B26 A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00495B2B 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495B2D 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
00495B33 E8 141FFDFF CALL 00467A4C
00495B38 8B45 9C MOV EAX,DWORD PTR SS:[EBP-64]
00495B3B 50 PUSH EAX
00495B3C 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495B3E FF50 20 CALL DWORD PTR DS:[EAX+20]
00495B41 E8 B606F7FF CALL 004061FC
00495B46 A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00495B4B 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495B4D 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
00495B53 B2 01 MOV DL,1
00495B55 E8 1A90F9FF CALL 0042EB74
00495B5A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00495B5D 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00495B60 E8 4FF0F6FF CALL 00404BB4
00495B65 74 13 JE SHORT 00495B7A
00495B67 A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00495B6C 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495B6E E8 0D40FCFF CALL 00459B80
00495B73 EB 4C JMP SHORT 00495BC1
00495B75 E8 0A340000 CALL 00498F84
00495B7A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00495B7D 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00495B80 E8 2FF0F6FF CALL 00404BB4
00495B85 74 0E JE SHORT 00495B95
00495B87 A1 2CDC4900 MOV EAX,DWORD PTR DS:[49DC2C]
00495B8C 8B00 MOV EAX,DWORD PTR DS:[EAX]
00495B8E E8 ED3FFCFF CALL 00459B80
00495B93 EB 2C JMP SHORT 00495BC1
00495B95 33C0 XOR EAX,EAX
00495B97 55 PUSH EBP
00495B98 68 B75B4900 PUSH 00495BB7
00495B9D 64:FF30 PUSH DWORD PTR FS:[EAX]
00495BA0 64:8920 MOV DWORD PTR FS:[EAX],ESP
00495BA3 E8 D89CF9FF CALL 0042F880
00495BA8 8B10 MOV EDX,DWORD PTR DS:[EAX]
00495BAA FF52 18 CALL DWORD PTR DS:[EDX+18]
00495BAD 33C0 XOR EAX,EAX
00495BAF 5A POP EDX
00495BB0 59 POP ECX
00495BB1 59 POP ECX
00495BB2 64:8910 MOV DWORD PTR FS:[EAX],EDX
00495BB5 EB 0A JMP SHORT 00495BC1
00495BB7 - E9 3CE3F6FF JMP 00403EF8
00495BBC E8 9FE6F6FF CALL 00404260
00495BC1 33C0 XOR EAX,EAX
00495BC3 5A POP EDX
00495BC4 59 POP ECX
00495BC5 59 POP ECX
00495BC6 64:8910 MOV DWORD PTR FS:[EAX],EDX
00495BC9 68 005C4900 PUSH 00495C00
00495BCE 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00495BD1 E8 1605F7FF CALL 004060EC
00495BD6 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00495BD9 BA 0C000000 MOV EDX,0C
00495BDE E8 E9EBF6FF CALL 004047CC
00495BE3 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00495BE6 E8 BDEBF6FF CALL 004047A8
00495BEB 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00495BEE BA 07000000 MOV EDX,7
00495BF3 E8 D4EBF6FF CALL 004047CC
00495BF8 C3 RET
Final conclusion: the password check mechanism really only verifies the first 8 characters, in three passes; the remaining 24 characters only serve to check the first 8. First the last 24 characters are checked against the first 8, then characters 1 and 2, then characters 3, 4, 5 and 6, and finally characters 7 and 8.
I tried to extract the video file itself but did not succeed. Advice from experts welcome.
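As an added illustration, not the author's code and not the program's real routine, the following Python model captures the validation structure the write-up uncovers and why it is weak: the 24-character suffix is a function of the 8-character prefix, and every value the three prefix checks compare against is computed by the client itself from data it already holds. The unknown routine at 0046869C is replaced by a SHA-256 stand-in (an assumption, not the real algorithm), the machine identifier is a constructed sample, the salts are the string literals the listing pushes, and the character ranges follow the first-6-then-last-4 extraction at 00495511 to 00495537 and the final conclusion (characters 3 to 6). The hardened pair at the end is the alternative such a design needs: a tag keyed with a secret that exists only on the issuing server, so nothing the client computes can reveal a valid key.

```python
import hashlib
import hmac

# Constructed sample machine identifier (the real program derives its own).
MACHINE_ID = "constructed-machine-id-0001"

# String literals the listing pushes before each of the three derivations.
STAGE_SALTS = ("yaomediakj1jf", "yaomediakj2jf", "yaomediakj3jf")


def derive(s: str) -> str:
    """Stand-in for the unknown routine at 0046869C (assumption: NOT the
    real algorithm).  Only its role matters for the model: a deterministic
    transform that the client runs on its own input."""
    return hashlib.sha256(s.encode()).hexdigest()


def expected_prefix_parts(machine_id: str) -> tuple:
    """The three machine-bound values the write-up labels ②, ③ and ⑤,
    cut from the derived strings the way the listing does."""
    d1 = derive(STAGE_SALTS[0] + machine_id)
    d2 = derive(STAGE_SALTS[1] + machine_id)
    d3 = derive(STAGE_SALTS[2] + machine_id)
    part_1_2 = d1[:2]          # ②: first 2 chars          -> password chars 1-2
    part_3_6 = d2[:14][-4:]    # ③: last 4 of the first 14 -> password chars 3-6
    part_7_8 = d3[:24][-2:]    # ⑤: last 2 of the first 24 -> password chars 7-8
    return part_1_2, part_3_6, part_7_8


def weak_validate(password: str, machine_id: str) -> str:
    """Model of the checks in the order the listing performs them.
    Returns the name of the first failing check, or 'ok'."""
    if len(password) != 32:                    # CMP EAX,20 at 00494E3A
        return "bad_length"
    head, tail = password[:8], password[8:]
    if derive(head)[:24] != tail:              # ① against the last 24 chars
        return "bad_suffix"                    # "password format incorrect"
    p12, p36, p78 = expected_prefix_parts(machine_id)
    if head[0:2] != p12:                       # compare at 004952A4
        return "bad_chars_1_2"
    if head[2:6] != p36:                       # compare at 00495561
        return "bad_chars_3_6"
    if head[6:8] != p78:                       # compare at 00495A06 (form close)
        return "bad_chars_7_8"
    return "ok"


# Hardened alternative (my suggestion, not from the page): the tag is keyed
# with a secret that lives only on the issuing server, and verification
# runs where that secret lives, so a debugger on the client sees nothing
# that lets it produce a tag for another prefix or another machine.
def issue_license(server_secret: bytes, machine_id: str, prefix: str) -> str:
    msg = (prefix + "|" + machine_id).encode()
    tag = hmac.new(server_secret, msg, "sha256").hexdigest()[:24]
    return prefix + tag


def server_verify(server_secret: bytes, machine_id: str, license_key: str) -> bool:
    if len(license_key) != 32:
        return False
    expected = issue_license(server_secret, machine_id, license_key[:8])
    return hmac.compare_digest(expected, license_key)
```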