本帖最后由 linholer 于 2009-10-14 19:46 编辑
本人不会写破文,所以只列重点,大家可以慢慢研究。
首先解决二个校验
可下CreateFileA断点通过对比方法得到校验值
主程序屏录专家.exe校验
004562FC /$ 55 push ebp
004562FD |. 8BEC mov ebp, esp
004562FF |. 53 push ebx
00456300 |. 56 push esi
00456301 |. 57 push edi
00456302 |. 8B75 0C mov esi, dword ptr [ebp+C]
00456305 |. 8B7D 08 mov edi, dword ptr [ebp+8]
00456308 |. 33DB xor ebx, ebx
0045630A |. 68 05800000 push 8005
0045630F |. 57 push edi
00456310 |. E8 37340000 call 0045974C
00456315 |. 83C4 08 add esp, 8
00456318 |. 33C0 xor eax, eax
0045631A |. 3B45 10 cmp eax, dword ptr [ebp+10]
0045631D |. 73 23 jnb short 00456342
0045631F |> 0FB7D3 /movzx edx, bx
00456322 |. C1FA 08 |sar edx, 8
00456325 |. 33C9 |xor ecx, ecx
00456327 |. 8A0E |mov cl, byte ptr [esi]
00456329 |. 46 |inc esi
0045632A |. 33D1 |xor edx, ecx
0045632C |. 40 |inc eax
0045632D |. C1E3 08 |shl ebx, 8
00456330 |. 66:8B9497 A00>|mov dx, word ptr [edi+edx*4+8A0]
00456338 |. 66:33D3 |xor dx, bx
0045633B |. 3B45 10 |cmp eax, dword ptr [ebp+10] 修改mov ebx,0A895(0A895为校验值)
0045633E |. 8BDA |mov ebx, edx
00456340 |.^ 72 DD \jb short 0045631F
00456342 |> 0FB7C3 movzx eax, bx
00456345 |. 8987 B00C0000 mov dword ptr [edi+CB0], eax
0045634B |. 8BC3 mov eax, ebx
0045634D |. 5F pop edi
0045634E |. 5E pop esi
0045634F |. 5B pop ebx
00456350 |. 5D pop ebp
00456351 \. C3 retn
MF.EXE文件校验(EXE转换FLASH需要修改它)
00414B62 . 66:C745 DC 10>mov word ptr [ebp-24], 10
00414B68 . E8 71971200 call 0053E2DE
00414B6D > 8BC3 mov eax, ebx
00414B6F . E8 F8791000 call 0051C56C
00414B74 . 50 push eax
00414B75 . E8 2ED61100 call 005321A8
00414B7A . 59 pop ecx
00414B7B . 8BF0 mov esi, eax
00414B7D . 8BC3 mov eax, ebx
00414B7F . E8 E8791000 call 0051C56C
00414B84 . 8BC8 mov ecx, eax
00414B86 . 8BC3 mov eax, ebx
00414B88 . 8BD6 mov edx, esi
00414B8A . 8B38 mov edi, dword ptr [eax]
00414B8C . FF57 04 call dword ptr [edi+4]
00414B8F . 8BC3 mov eax, ebx
00414B91 . E8 D6791000 call 0051C56C
00414B96 . 50 push eax
00414B97 . 56 push esi
00414B98 . 8B55 08 mov edx, dword ptr [ebp+8]
00414B9B . 52 push edx
00414B9C . E8 B3170400 call 00456354 修改mov eax,0A792(0A792为校验值,这CALL还有其它地方调用所以不能进去修改)
00414BA1 . 83C4 0C add esp, 0C
00414BA4 . 0FB7F8 movzx edi, ax
00414BA7 . 56 push esi
00414BA8 . E8 23D41100 call 00531FD0
00414BAD . 59 pop ecx
00414BAE . 8BF3 mov esi, ebx
00414BB0 . 8975 F0 mov dword ptr [ebp-10], esi
00414BB3 . 85F6 test esi, esi
00414BB5 . 74 1E je short 00414BD5
启动时验证后五位注册码
0041DED4 |> \8D7E FB lea edi, dword ptr [esi-5]
0041DED7 |. 8D95 ACFEFFFF lea edx, dword ptr [ebp-154]
0041DEDD |. 2BC7 sub eax, edi
0041DEDF |. C68405 ACFEFF>mov byte ptr [ebp+eax-154], 0
0041DEE7 |. 66:C745 D0 20>mov word ptr [ebp-30], 20
0041DEED |. 8D45 F8 lea eax, dword ptr [ebp-8]
0041DEF0 |. E8 F7321200 call 005411EC
0041DEF5 |. 8BD0 mov edx, eax
0041DEF7 |. FF45 DC inc dword ptr [ebp-24]
0041DEFA |. 8D45 FC lea eax, dword ptr [ebp-4]
0041DEFD |. E8 C6351200 call 005414C8
0041DF02 |. FF4D DC dec dword ptr [ebp-24]
0041DF05 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0041DF08 |. BA 02000000 mov edx, 2
0041DF0D |. E8 86351200 call 00541498
0041DF12 |. 57 push edi
0041DF13 |. 8D8D C0FEFFFF lea ecx, dword ptr [ebp-140]
0041DF19 |. 51 push ecx
0041DF1A |. 53 push ebx
0041DF1B |. E8 8C880300 call 004567AC
0041DF20 |. 0FB7C0 movzx eax, ax
0041DF23 |. 8BF0 mov esi, eax
0041DF25 |. 8D45 FC lea eax, dword ptr [ebp-4]
0041DF28 |. 83C4 0C add esp, 0C
0041DF2B |. E8 78381200 call 005417A8 改 jmp 0041E168 直接跳过
0041DF30 |. 3BF0 cmp esi, eax 比较后五位注册码
0041DF32 |. 74 07 je short 0041DF3B
去随机未注册水印(也就是那个随机跳动的GIF小图片)
0041CEAB |. E8 1C820300 call 004550CC
0041CEB0 |. 33C9 xor ecx, ecx
0041CEB2 |. 8A8B 30150000 mov cl, byte ptr [ebx+1530]
0041CEB8 |. 898B 70080000 mov dword ptr [ebx+870], ecx 改 mov ecx,dword ptr ds:[ebx+870] 值为0
0041CEBE |. A1 28D95900 mov eax, dword ptr [59D928]
0041CEC3 |. 8B10 mov edx, dword ptr [eax]
0041CEC5 |. 8B8A F8020000 mov ecx, dword ptr [edx+2F8]
0041CECB |. 8B93 E4140000 mov edx, dword ptr [ebx+14E4]
0041CED1 |. 8B41 58 mov eax, dword ptr [ecx+58]
0041CED4 |. E8 E3CC0B00 call 004D9BBC
0041CED9 |. 8B0D 28D95900 mov ecx, dword ptr [59D928] ; 屏录专家._InfoForm
输入假码注册50+数字显示注册成功
0045CDED |. E8 B295FFFF call 004563A4
0045CDF2 |. 83F8 32 cmp eax, 32 注册码是否=+50位
0045CDF5 |. 0F8D 81000000 jge 0045CE7C
0045CDFB |. 66:C785 44FFF>mov word ptr [ebp-BC], 50
0045CE04 |. BA A0715700 mov edx, 005771A0
0045CE09 |. 8D45 E8 lea eax, dword ptr [ebp-18]
0045CE0C |. E8 DB430E00 call 005411EC
0045CE11 |. FF85 50FFFFFF inc dword ptr [ebp-B0]
0045CE17 |. 8B00 mov eax, dword ptr [eax]
0045CE19 |. E8 8EB00900 call 004F7EAC
0045CE1E |. FF8D 50FFFFFF dec dword ptr [ebp-B0]
0045CE24 |. 8D45 E8 lea eax, dword ptr [ebp-18]
0045CE27 |. BA 02000000 mov edx, 2
0045CE2C |. E8 67460E00 call 00541498
0045CE31 |. FF8D 50FFFFFF dec dword ptr [ebp-B0]
0045CE37 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0045CE3A |. BA 02000000 mov edx, 2
0045CE3F |. E8 54460E00 call 00541498
0045CE44 |. FF8D 50FFFFFF dec dword ptr [ebp-B0]
0045CE4A |. 8D45 F8 lea eax, dword ptr [ebp-8]
0045CE4D |. BA 02000000 mov edx, 2
0045CE52 |. E8 41460E00 call 00541498
0045CE57 |. FF8D 50FFFFFF dec dword ptr [ebp-B0]
0045CE5D |. 8D45 FC lea eax, dword ptr [ebp-4]
0045CE60 |. BA 02000000 mov edx, 2
0045CE65 |. E8 2E460E00 call 00541498
0045CE6A |. 8B8D 34FFFFFF mov ecx, dword ptr [ebp-CC]
0045CE70 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0045CE77 |. E9 C90E0000 jmp 0045DD45
0045CE7C |> \8D45 F4 lea eax, dword ptr [ebp-C]
0045CE7F |. E8 2852FAFF call 004020AC 改 jmp 0045D2D4 直接跳向成功
点录像时有时验证注册码
0040C29E |. FF57 08 call dword ptr [edi+8]
0040C2A1 |. 8BC6 mov eax, esi
0040C2A3 |. B9 0A000000 mov ecx, 0A 改 jmp 0040C508 直接跳过校验
0040C2A8 |. 99 cdq
0040C2A9 |. F7F9 idiv ecx
0040C2AB |. 83FA 06 cmp edx, 6
0040C2AE |. 0F85 54020000 jnz 0040C508
写入超大文件校验
004BB612 |. E8 550F0600 |call 0051C56C
004BB617 |. 837D E8 00 |cmp dword ptr [ebp-18], 0
004BB61B |. 8BC8 |mov ecx, eax
004BB61D |. 0F85 B2000000 |jnz 004BB6D5
004BB623 |. 8BC1 |mov eax, ecx
004BB625 |. 51 |push ecx
004BB626 |. B9 32000000 |mov ecx, 32
004BB62B |. 99 |cdq
004BB62C |. F7F9 |idiv ecx
004BB62E |. 59 |pop ecx
004BB62F |. 83C2 32 |add edx, 32
004BB632 |. 8B03 |mov eax, dword ptr [ebx]
004BB634 |. 51 |push ecx
004BB635 |. 8BCA |mov ecx, edx
004BB637 |. 99 |cdq
004BB638 |. F7F9 |idiv ecx
004BB63A |. 59 |pop ecx
004BB63B |. 83FA 05 |cmp edx, 5
004BB63E |. 0F85 91000000 |jnz 004BB6D5
004BB644 |. 81E1 01000080 |and ecx, 80000001
004BB64A |. 79 05 |jns short 004BB651
004BB64C |. 49 |dec ecx
004BB64D |. 83C9 FE |or ecx, FFFFFFFE
004BB650 |. 41 |inc ecx
004BB651 |> 83C1 02 |add ecx, 2
004BB654 |. 8B43 04 |mov eax, dword ptr [ebx+4]
004BB657 |. 99 |cdq
004BB658 |. F7F9 |idiv ecx
004BB65A |. 85D2 |test edx, edx
004BB65C |. 75 77 |jnz short 004BB6D5 改 jmp 004BB6D5 不跳的话录制的视频会变成一个几百M或几GM超大的视频文件
使用内核驱动技术校验
004AC7FB |> \294D BC sub dword ptr [ebp-44], ecx
004AC7FE |. 8B45 18 mov eax, dword ptr [ebp+18]
004AC801 |. 2B45 10 sub eax, dword ptr [ebp+10]
004AC804 |. 8945 B8 mov dword ptr [ebp-48], eax
004AC807 |. 8B55 08 mov edx, dword ptr [ebp+8]
004AC80A |. 8B8A 84230000 mov ecx, dword ptr [edx+2384]
004AC810 |. 894D AC mov dword ptr [ebp-54], ecx
004AC813 |. 8B45 08 mov eax, dword ptr [ebp+8]
004AC816 |. 8B90 84230000 mov edx, dword ptr [eax+2384]
004AC81C |. 8955 A4 mov dword ptr [ebp-5C], edx
004AC81F |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
004AC822 |. 8B01 mov eax, dword ptr [ecx]
004AC824 |. 05 28F8FFFF add eax, -7D8
004AC829 |. 8945 A4 mov dword ptr [ebp-5C], eax
004AC82C |. 8B55 A4 mov edx, dword ptr [ebp-5C]
004AC82F |. 8B0A mov ecx, dword ptr [edx]
004AC831 |. 81C1 19FCFFFF add ecx, -3E7
004AC837 |. 894D A4 mov dword ptr [ebp-5C], ecx
004AC83A |. 8B45 A4 mov eax, dword ptr [ebp-5C]
004AC83D |. 8B50 04 mov edx, dword ptr [eax+4]
004AC840 |. 8955 B0 mov dword ptr [ebp-50], edx
004AC843 |. 8B4D AC mov ecx, dword ptr [ebp-54]
004AC846 |. 894D A4 mov dword ptr [ebp-5C], ecx
004AC849 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
004AC84C |. 8B10 mov edx, dword ptr [eax]
004AC84E |. 81C2 28F8FFFF add edx, -7D8
004AC854 |. 8955 A4 mov dword ptr [ebp-5C], edx
004AC857 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
004AC85A |. 8B41 08 mov eax, dword ptr [ecx+8]
004AC85D |. 05 17FCFFFF add eax, -3E9
004AC862 |. 33D2 xor edx, edx 改 mov edx,edx 即可去掉那个内核校验(这里根据一个地址下断来的)
EXE转换FLASH水印去除(修改目录下的mf.exe文件)
0040F464 |. /75 08 jnz 0040F46E 改 jmp 0040F4B3
0040F466 |. |C706 FFFFFFFF mov dword ptr ds:[esi],-1
0040F46C |. |EB 4B jmp 0040F4B9
0040F46E |> \3C 01 cmp al,1
0040F470 |. 75 47 jnz 0040F4B9
0040F472 |. DB8424 500300>fild dword ptr ss:[esp+350]
0040F479 |. DC0D 30F64100 fmul qword ptr ds:[41F630]
0040F47F |. E8 FC5B0000 call mf.00415080
0040F484 |. 8B0D 00424200 mov ecx,dword ptr ds:[424200]
0040F48A |. 2BC8 sub ecx,eax
0040F48C |. 8B8424 680300>mov eax,dword ptr ss:[esp+368]
0040F493 |. 8BD0 mov edx,eax
0040F495 |. C1E2 06 shl edx,6
0040F498 |. 2BD0 sub edx,eax
0040F49A |. C1E2 05 shl edx,5
0040F49D |. 3BCA cmp ecx,edx
0040F49F |. 74 12 je 0040F4B3
0040F4A1 |. 83BC24 500300>cmp dword ptr ss:[esp+350],5
0040F4A9 |. 7C 08 jl 0040F4B3
0040F4AB |. C706 FFFFFFFF mov dword ptr ds:[esi],-1
0040F4B1 |. EB 06 jmp 0040F4B9
0040F4B3 |> C706 F0D8FFFF mov dword ptr ds:[esi],-2710 赋值-2710即可去除水印
修改方法很多,我修改了九处只是让大家看得更明白而已,此软件难点有三个,超大文件校验、使用驱动加整里的内核驱动校验和EXE转换FLASH的水印去除。