菜鸟爆破mp3剪刀手
破解是一个长期积累的过程,要经常练习,对于爱好者来说,首先要做到爆破,今天中午下了一个共享的小软件爆破经过供初学者借鉴,大牛可飘过。共享版 地址为:thunder://QUFodHRwOi8veGlhemFpLnpvbC5jb20uY24vZG93bi5waHA/c29mdGlkPTQxMzMzMSZzdWJjYXRpZD0xMjY1JnNpdGU9MTBaWg==
首先打开软件,发现未注册字样,点击立即注册弹出网站链接,关闭看到注册对话框:
任意输出注册码,弹出“错误的注册码”
我们就从错误入手。
要破解一个软件必须掌握几种下断的方法,这非常重要,就是就是在关键跳处截断,找对位置才会迅速破解
首先,查一下壳peid提示 无壳
用OD打开程序mp3剪刀器,程序提示有大量压缩数据是否要分析,这是典型加壳的表现,于是重新查看peid
可以看到有压缩数据,这说明软件加壳后进行了伪装,这是现在加壳软件常用的方法。
通常破解软件之前要先脱壳,但是有时可以先试一下不脱壳能否破解掉。
od打开软件,分析点击否我们用最常用的下断方法:字符分析法
单击插件--中文搜索引擎(现在大部分od都有这个插件)选择1,搜索ASCII。。。。
一无所获。。。。别气馁,选择2 搜索UNICODE试试。。。。
ok找到有用信息
选择错误的注册码并回车跟踪定位
找到这里
006601C3 C785 60FFFFFF 0>mov dword ptr ss:,MP3剪切?005A3D>; 错误
006601CD C785 58FFFFFF 0>mov dword ptr ss:,0x8
006601D7 8D95 58FFFFFF lea edx,dword ptr ss:
006601DD 8D4D 98 lea ecx,dword ptr ss:
006601E0 FF15 18124000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
006601E6 C785 70FFFFFF E>mov dword ptr ss:,MP3剪切?005A3C>; 错误的注册码
这时你的心中应该有这样一个分析:既然有错误的注册码必定有提示正确的注册码,必定有关键的跳转,所以往上找找看,果然
0066010C C785 60FFFFFF E>mov dword ptr ss:,MP3剪切?005A3C>; 成功
00660116 C785 58FFFFFF 0>mov dword ptr ss:,0x8
00660120 8D95 58FFFFFF lea edx,dword ptr ss:
00660126 8D4D 98 lea ecx,dword ptr ss:
00660129 FF15 18124000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0066012F C785 70FFFFFF C>mov dword ptr ss:,MP3剪切?005A3C>; 注册成功!请重新启动本程序
这样必然有一个关键跳转,判断注册码然后跳转到注册成功或者失败,这就是关键跳,我们就要找到这个关键跳
往上继续看
0065FE6B C745 FC 0A00000>mov dword ptr ss:,0xA
0065FE72 66:837D CC FF cmp word ptr ss:,0xFFFF
0065FE77 0F85 20030000 jnz MP3剪切?0066019D
0065FE7D C745 FC 0B00000>mov dword ptr ss:,0xB
0065FE84 833D C4896600 0>cmp dword ptr ds:,0x0
0065FE8B 75 1C jnz XMP3剪切?0065FEA9
0065FE8D 68 C4896600 push MP3剪切?006689C4
0065FE92 68 44135A00 push MP3剪切?005A1344
0065FE97 FF15 D0114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0065FE9D C785 D8FEFFFF C>mov dword ptr ss:,MP3剪切?00668>
0065FEA7 EB 0A jmp XMP3剪切?0065FEB3
0065FEA9 C785 D8FEFFFF C>mov dword ptr ss:,MP3剪切?00668>
0065FEB3 8B95 D8FEFFFF mov edx,dword ptr ss:
0065FEB9 8B02 mov eax,dword ptr ds:
0065FEBB 8985 30FFFFFF mov dword ptr ss:,eax
0065FEC1 8D4D BC lea ecx,dword ptr ss:
0065FEC4 51 push ecx
0065FEC5 8B95 30FFFFFF mov edx,dword ptr ss:
0065FECB 8B02 mov eax,dword ptr ds:
0065FECD 8B8D 30FFFFFF mov ecx,dword ptr ss:
0065FED3 51 push ecx
0065FED4 FF50 14 call dword ptr ds:
0065FED7 DBE2 fclex
0065FED9 8985 2CFFFFFF mov dword ptr ss:,eax
0065FEDF 83BD 2CFFFFFF 0>cmp dword ptr ss:,0x0
0065FEE6 7D 23 jge XMP3剪切?0065FF0B
0065FEE8 6A 14 push 0x14
0065FEEA 68 34135A00 push MP3剪切?005A1334
0065FEEF 8B95 30FFFFFF mov edx,dword ptr ss:
0065FEF5 52 push edx
0065FEF6 8B85 2CFFFFFF mov eax,dword ptr ss:
0065FEFC 50 push eax
0065FEFD FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0065FF03 8985 D4FEFFFF mov dword ptr ss:,eax
0065FF09 EB 0A jmp XMP3剪切?0065FF15
0065FF0B C785 D4FEFFFF 0>mov dword ptr ss:,0x0
0065FF15 8B4D BC mov ecx,dword ptr ss:
0065FF18 898D 28FFFFFF mov dword ptr ss:,ecx
0065FF1E 8D55 C4 lea edx,dword ptr ss:
0065FF21 52 push edx
0065FF22 8B85 28FFFFFF mov eax,dword ptr ss:
0065FF28 8B08 mov ecx,dword ptr ds:
0065FF2A 8B95 28FFFFFF mov edx,dword ptr ss:
0065FF30 52 push edx
0065FF31 FF51 50 call dword ptr ds:
0065FF34 DBE2 fclex
0065FF36 8985 24FFFFFF mov dword ptr ss:,eax
0065FF3C 83BD 24FFFFFF 0>cmp dword ptr ss:,0x0
0065FF43 7D 23 jge XMP3剪切?0065FF68
0065FF45 6A 50 push 0x50
0065FF47 68 54135A00 push MP3剪切?005A1354
0065FF4C 8B85 28FFFFFF mov eax,dword ptr ss:
0065FF52 50 push eax
0065FF53 8B8D 24FFFFFF mov ecx,dword ptr ss:
0065FF59 51 push ecx
0065FF5A FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0065FF60 8985 D0FEFFFF mov dword ptr ss:,eax
0065FF66 EB 0A jmp XMP3剪切?0065FF72
0065FF68 C785 D0FEFFFF 0>mov dword ptr ss:,0x0
0065FF72 8B55 C4 mov edx,dword ptr ss:
0065FF75 52 push edx
0065FF76 68 68135A00 push MP3剪切?005A1368 ; \sound.dll
0065FF7B FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
0065FF81 8BD0 mov edx,eax
0065FF83 8D4D C0 lea ecx,dword ptr ss:
0065FF86 FF15 44124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0065FF8C 50 push eax
0065FF8D 6A 01 push 0x1
0065FF8F 6A FF push -0x1
0065FF91 6A 02 push 0x2
0065FF93 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.__vbaFileO>; MSVBVM60.__vbaFileOpen
0065FF99 8D45 C0 lea eax,dword ptr ss:
0065FF9C 50 push eax
0065FF9D 8D4D C4 lea ecx,dword ptr ss:
0065FFA0 51 push ecx
0065FFA1 6A 02 push 0x2
0065FFA3 FF15 EC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0065FFA9 83C4 0C add esp,0xC
0065FFAC 8D4D BC lea ecx,dword ptr ss:
0065FFAF FF15 7C124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0065FFB5 C745 FC 0C00000>mov dword ptr ss:,0xC
0065FFBC 833D 10806600 0>cmp dword ptr ds:,0x0
0065FFC3 75 1C jnz XMP3剪切?0065FFE1
0065FFC5 68 10806600 push MP3剪切?00668010
0065FFCA 68 C0E05900 push MP3剪切?0059E0C0
0065FFCF FF15 D0114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0065FFD5 C785 CCFEFFFF 1>mov dword ptr ss:,MP3剪切?00668>
0065FFDF EB 0A jmp XMP3剪切?0065FFEB
0065FFE1 C785 CCFEFFFF 1>mov dword ptr ss:,MP3剪切?00668>
0065FFEB 8B95 CCFEFFFF mov edx,dword ptr ss:
0065FFF1 8B02 mov eax,dword ptr ds:
0065FFF3 8B8D CCFEFFFF mov ecx,dword ptr ss:
0065FFF9 8B11 mov edx,dword ptr ds:
0065FFFB 8B0A mov ecx,dword ptr ds:
0065FFFD 50 push eax
0065FFFE FF91 FC020000 call dword ptr ds:
00660004 50 push eax
00660005 8D55 BC lea edx,dword ptr ss:
00660008 52 push edx
00660009 FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0066000F 8985 30FFFFFF mov dword ptr ss:,eax
00660015 8D45 C4 lea eax,dword ptr ss:
00660018 50 push eax
00660019 8B8D 30FFFFFF mov ecx,dword ptr ss:
0066001F 8B11 mov edx,dword ptr ds:
00660021 8B85 30FFFFFF mov eax,dword ptr ss:
00660027 50 push eax
00660028 FF92 A0000000 call dword ptr ds:
0066002E DBE2 fclex
00660030 8985 2CFFFFFF mov dword ptr ss:,eax
00660036 83BD 2CFFFFFF 0>cmp dword ptr ss:,0x0
0066003D 7D 26 jge XMP3剪切?00660065
0066003F 68 A0000000 push 0xA0
00660044 68 FC245A00 push MP3剪切?005A24FC
00660049 8B8D 30FFFFFF mov ecx,dword ptr ss:
0066004F 51 push ecx
00660050 8B95 2CFFFFFF mov edx,dword ptr ss:
00660056 52 push edx
00660057 FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0066005D 8985 C8FEFFFF mov dword ptr ss:,eax
00660063 EB 0A jmp XMP3剪切?0066006F
00660065 C785 C8FEFFFF 0>mov dword ptr ss:,0x0
0066006F 8B45 C4 mov eax,dword ptr ss:
00660072 50 push eax
00660073 68 9C3C5A00 push MP3剪切?005A3C9C ; asdfasdfasdfasw
00660078 FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
0066007E 8BD0 mov edx,eax
00660080 8D4D C0 lea ecx,dword ptr ss:
00660083 FF15 44124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00660089 50 push eax
0066008A 68 44205A00 push MP3剪切?005A2044 ; kk
0066008F FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00660095 8BD0 mov edx,eax
00660097 8D4D C8 lea ecx,dword ptr ss:
0066009A FF15 44124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
006600A0 8D4D C0 lea ecx,dword ptr ss:
006600A3 51 push ecx
006600A4 8D55 C4 lea edx,dword ptr ss:
006600A7 52 push edx
006600A8 6A 02 push 0x2
006600AA FF15 EC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
006600B0 83C4 0C add esp,0xC
006600B3 8D4D BC lea ecx,dword ptr ss:
006600B6 FF15 7C124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
006600BC C745 FC 0D00000>mov dword ptr ss:,0xD
006600C3 8B45 C8 mov eax,dword ptr ss:
006600C6 50 push eax
006600C7 6A 01 push 0x1
006600C9 68 20135A00 push MP3剪切?005A1320
006600CE FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__vbaPrint>; MSVBVM60.__vbaPrintFile
006600D4 83C4 0C add esp,0xC
006600D7 C745 FC 0E00000>mov dword ptr ss:,0xE
006600DE 6A 01 push 0x1
006600E0 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFileC>; MSVBVM60.__vbaFileClose
006600E6 C745 FC 0F00000>mov dword ptr ss:,0xF
006600ED C745 80 0400028>mov dword ptr ss:,0x80020004
006600F4 C785 78FFFFFF 0>mov dword ptr ss:,0xA
006600FE C745 90 0400028>mov dword ptr ss:,0x80020004
00660105 C745 88 0A00000>mov dword ptr ss:,0xA
翻了很多都没有发现程序的起始段,我们转换方法找找大的跳转,然后在大的跳跃之前的跳转下断标注:test1
0065FE26 85C9 test ecx,ecx ; test1
0065FE28 74 0F je XMP3剪切?0065FE39
0065FE2A C745 FC 0600000>mov dword ptr ss:,0x6
0065FE31 66:C745 CC FFFF mov word ptr ss:,0xFFFF
0065FE37 EB 32 jmp XMP3剪切?0065FE6B
0065FE39 C745 FC 0900000>mov dword ptr ss:,0x9
0065FE40 8D95 00FFFFFF lea edx,dword ptr ss:
0065FE46 52 push edx
0065FE47 8D85 10FFFFFF lea eax,dword ptr ss:
0065FE4D 50 push eax
0065FE4E 8D4D D0 lea ecx,dword ptr ss:
0065FE51 51 push ecx
0065FE52 FF15 6C124000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0065FE58 8985 E8FEFFFF mov dword ptr ss:,eax
0065FE5E 83BD E8FEFFFF 0>cmp dword ptr ss:,0x0
0065FE65^ 0F85 6CFEFFFF jnz MP3剪切?0065FCD7 ; 大的跳跃
然后按f9运行程序,单击注册,输入注册码x123456,确定,程序被断下,并未跳出错误的注册码对话框,说明我们下的断点是可以用的。
这时我们用手动运行f8往下走
我们发现运行到这里却往回跳了,我们把这里改掉
0065FE65^\0F84 6CFEFFFF je MP3剪切?0065FCD7 ; jnz改jz
然后继续向下运行
这个跳跃直接跳到了错误的注册码处,看来这就是关键跳了,改掉他
0065FE77 /0F84 20030000 je MP3剪切?0066019D jnz改成jz
这时我们保存一下程序,右击复制到可执行文件--所有修改-全部复制,右击保存文件-起名mp3剪刀器破解1,单击保存
关闭od打开mp3剪刀器破解1,点击注册--输入注册码x123456(任意)单击注册这时弹出对话框
提示注册成功,重新启动后发现未注册字样消失,说明已经成功爆破。
沙了发,支持楼主原创分享 , 破问什么的最喜欢了.. 地址:0065FDE0 51 push ecx F2下断
输入假码后点击注册,会被断下,寄存器ECX会出现真码
软件是内置4组真码,假码和4组真码比较。
注册码1:CRM87341658
注册码2:CRM83790019
注册码3:CRM85051051
注册码4:CRM88530130
这4组注册码所有电脑通用。
支持、厉害啊、 板凳 很厉害 ,,不知道板砖能破不 教程很棒我是初学者觉得很好 支持你多出教程 没有想到各位大大这么支持,真是感动啊,特别是大牛的点评让我增长知识。其实这个小软件可以往深里破解,第二就是追注册码,第三还可以跟踪算法写注册机。 C大还是如此的流逼 膜拜了 话说这个重启验证为什么你这样改掉重启以后会是注册呢?按照道理来说应该重启以后还是未注册啊