ripper(CD转MP3格式转换器) 爆破、追码 by cqr2287
本帖最后由 cqr2287 于 2016-11-18 17:13 编辑
秋游回来了,之前举行了篝火晚会,结果不知道谁把车点着了。吓死我了。镇定镇定
打开软件,先熟悉流程。
、
靠,没光驱怎么办。
左下角有个立即注册。点进去看看。
好的,不错,可以破解了。
用中文搜索引擎搜索“未注册”。标题上显示的就是这个,如果改成“已注册”,是否就成了注册版?
0043237C  43 00 44 00 6C 8F 4D 00 50 00 33 00 3C 68 0F 5F  CD转MP3格式
0043238C  6C 8F 62 63 68 56 20 00 2D 00 20 00 F2 5D E8 6C  转换器 - 已注
0043239C  8C 51 00 00 F9 4E  册.仹
还没搜索,就发现已注册了。从这附近看看吧。
0043B5B9 FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
0043B5BF 0FBFC8 movsx ecx,ax
0043B5C2 85C9 test ecx,ecx
0043B5C4 0F84 CC000000 je ripper.0043B696
0043B5CA C745 FC 1000000>mov dword ptr ss:,0x10
0043B5D1 66:C705 2830440>mov word ptr ds:,0xFFFF
0043B5DA C745 FC 1100000>mov dword ptr ss:,0x11
0043B5E1 68 7C234300 push ripper.0043237C ; CD转MP3格式转换器 - 已注册
理论上说,je跳转是关键:__vbaVarTstEq 的返回值为 0 时,je 会跳过下面把 ds 段某个 word 置为 0xFFFF(看起来是注册标志)并压入“已注册”标题的代码。nop掉即可。由于我需要追码,所以在此不能附图。
0043B5C4 90 nop
0043B5C5 90 nop
0043B5C6 90 nop
0043B5C7 90 nop
0043B5C8 90 nop
0043B5C9 90 nop
Patches, 条目 0
地址=0043B5C4
大小=6.
状态=激活
旧=je ripper.0043B696
新=nop
爆破位置:0043B5C6 9090909090
下面开始追码。
运行起来,是vb程序。按照惯例,在段首下断。
因为此处是程序开头判断,所以重新载入才能断下。。。
断下f8跟踪。
文件路径。这里估计是判断是否注册了。
后来发现,自己逻辑有问题。开头只是判断是否注册,不是判断注册码的地方。
还是下按钮事件断点吧。
004411D9 > \C745 FC 22000>mov dword ptr ss:,0x22
004411E0 .C785 58FFFFFF>mov dword ptr ss:,0x80020004
004411EA .C785 50FFFFFF>mov dword ptr ss:,0xA
004411F4 .C785 68FFFFFF>mov dword ptr ss:,0x80020004
004411FE .C785 60FFFFFF>mov dword ptr ss:,0xA
00441208 .C785 38FFFFFF>mov dword ptr ss:,ripper.00432>;错误
00441212 .C785 30FFFFFF>mov dword ptr ss:,0x8
0044121C .8D95 30FFFFFF lea edx,dword ptr ss:
00441222 .8D8D 70FFFFFF lea ecx,dword ptr ss:
00441228 .FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>;msvbvm60.__vbaVarDup
0044122E .C785 48FFFFFF>mov dword ptr ss:,ripper.00432>;错误的注册码.
00441238 .C785 40FFFFFF>mov dword ptr ss:,0x8
跟踪到关键位置。追踪跳转。
00440DD1 . /0F85 02040000 jnz ripper.004411D9
00440DD7 . |66:837D CC FF cmp word ptr ss:,0xFFFF
00440DDC . |0F85 F7030000 jnz ripper.004411D9
00440DE2 . |66:837D C0 FF cmp word ptr ss:,0xFFFF
00440DE7 . |0F85 EC030000 jnz ripper.004411D9
00440DED . |66:837D C8 FF cmp word ptr ss:,0xFFFF
00440DF2 . |0F85 E1030000 jnz ripper.004411D9
00440DF8 . |C745 FC 17000>mov dword ptr ss:,0x17
00440DFF . |833D 48354400>cmp dword ptr ds:,0x0
00440E06 . |75 1C jnz short ripper.00440E24
有四个跳转都指向失败的地方(004411D9)。
段首下断,动态跟踪。
00440A46 > \C785 C0FEFFFF>mov dword ptr ss:,0x0
00440A50 >8B45 A8 mov eax,dword ptr ss:
此处提取假码。下断标记。
大意了,走过头了,重来。
0022782C  31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00  11111111
0022783C  31 00 31 00 31 00 31 00 31 00 31 00 31 00 00 00  1111111.
0022784C  20 00 54 00 53 00 2D 00 4C 00 36 00 33 00 33 00   TS-L633
0022785C  42 00 00 00 39 00  B.9
堆栈地址=0012E750
eax=0028E9C4, (UNICODE "00AA00389B71")
00440AD0 .8D8D E0FEFFFF lea ecx,dword ptr ss: ; |
00440AD6 .51 push ecx ; |TMPend8 = 0012E660
ecx被置零。
00440AF3 > /C745 FC 09000>mov dword ptr ss:,0x9
00440AFA . |C745 88 01000>mov dword ptr ss:,0x1
00440B01 . |C745 80 02000>mov dword ptr ss:,0x2
00440B08 . |8D4D AC lea ecx,dword ptr ss:
00440B0B . |898D 48FFFFFF mov dword ptr ss:,ecx
00440B11 . |C785 40FFFFFF>mov dword ptr ss:,0x4008
00440B1B . |8D55 80 lea edx,dword ptr ss:
00440B1E . |52 push edx
00440B1F . |8D45 D0 lea eax,dword ptr ss:
00440B22 . |50 push eax
00440B23 . |FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;msvbvm60.__vbaI4Var
00440B29 . |50 push eax ; |Start = 0x0
00440B2A . |8D8D 40FFFFFF lea ecx,dword ptr ss: ; |
00440B30 . |51 push ecx ; |dString8 = 00120002
00440B31 . |8D95 70FFFFFF lea edx,dword ptr ss: ; |
00440B37 . |52 push edx ; |RetBUFFER = 00000006
00440B38 . |FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; \rtcMidCharVar
00440B3E . |C785 28FFFFFF>mov dword ptr ss:,ripper.00432>;C
00440B48 . |C785 20FFFFFF>mov dword ptr ss:,0x8008
00440B52 . |8D85 70FFFFFF lea eax,dword ptr ss:
00440B58 . |50 push eax ; /var18 = NULL
00440B59 . |8D8D 20FFFFFF lea ecx,dword ptr ss: ; |
00440B5F . |51 push ecx ; |var28 = 00120002
00440B60 . |FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
00440B66 . |66:8985 0CFFF>mov word ptr ss:,ax
00440B6D . |8D95 70FFFFFF lea edx,dword ptr ss:
00440B73 . |52 push edx
00440B74 . |8D45 80 lea eax,dword ptr ss:
00440B77 . |50 push eax
00440B78 . |6A 02 push 0x2
00440B7A . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList
00440B80 . |83C4 0C add esp,0xC
00440B83 . |0FBF8D 0CFFFF>movsx ecx,word ptr ss:
00440B8A . |85C9 test ecx,ecx
00440B8C . |74 0D je short ripper.00440B9B
00440B8E . |C745 FC 0A000>mov dword ptr ss:,0xA
00440B95 . |66:C745 C4 FF>mov word ptr ss:,0xFFFF
00440B9B > |C745 FC 0C000>mov dword ptr ss:,0xC
00440BA2 . |C745 88 01000>mov dword ptr ss:,0x1
00440BA9 . |C745 80 02000>mov dword ptr ss:,0x2
00440BB0 . |8D55 AC lea edx,dword ptr ss:
00440BB3 . |8995 48FFFFFF mov dword ptr ss:,edx
00440BB9 . |C785 40FFFFFF>mov dword ptr ss:,0x4008
00440BC3 . |8D45 80 lea eax,dword ptr ss:
00440BC6 . |50 push eax
00440BC7 . |8D4D D0 lea ecx,dword ptr ss:
00440BCA . |51 push ecx
00440BCB . |FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;msvbvm60.__vbaI4Var
00440BD1 . |50 push eax ; |Start = 0x0
00440BD2 . |8D95 40FFFFFF lea edx,dword ptr ss: ; |
00440BD8 . |52 push edx ; |dString8 = 00000006
00440BD9 . |8D85 70FFFFFF lea eax,dword ptr ss: ; |
00440BDF . |50 push eax ; |RetBUFFER = NULL
00440BE0 . |FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; \rtcMidCharVar
00440BE6 . |C785 28FFFFFF>mov dword ptr ss:,ripper.00432>;D
00440BF0 . |C785 20FFFFFF>mov dword ptr ss:,0x8008
00440BFA . |8D8D 70FFFFFF lea ecx,dword ptr ss:
00440C00 . |51 push ecx ; /var18 = 00120002
00440C01 . |8D95 20FFFFFF lea edx,dword ptr ss: ; |
00440C07 . |52 push edx ; |var28 = 00000006
00440C08 . |FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
00440C0E . |66:8985 0CFFF>mov word ptr ss:,ax
00440C15 . |8D85 70FFFFFF lea eax,dword ptr ss:
00440C1B . |50 push eax
00440C1C . |8D4D 80 lea ecx,dword ptr ss:
00440C1F . |51 push ecx
00440C20 . |6A 02 push 0x2
00440C22 . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList
00440C28 . |83C4 0C add esp,0xC
00440C2B . |0FBF95 0CFFFF>movsx edx,word ptr ss:
00440C32 . |85D2 test edx,edx
00440C34 . |74 0D je short ripper.00440C43
00440C36 . |C745 FC 0D000>mov dword ptr ss:,0xD
00440C3D . |66:C745 CC FF>mov word ptr ss:,0xFFFF
00440C43 > |C745 FC 0F000>mov dword ptr ss:,0xF
00440C4A . |C745 88 01000>mov dword ptr ss:,0x1
00440C51 . |C745 80 02000>mov dword ptr ss:,0x2
00440C58 . |8D45 AC lea eax,dword ptr ss:
00440C5B . |8985 48FFFFFF mov dword ptr ss:,eax
00440C61 . |C785 40FFFFFF>mov dword ptr ss:,0x4008
00440C6B . |8D4D 80 lea ecx,dword ptr ss:
00440C6E . |51 push ecx
00440C6F . |8D55 D0 lea edx,dword ptr ss:
00440C72 . |52 push edx
00440C73 . |FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;msvbvm60.__vbaI4Var
00440C79 . |50 push eax ; |Start = 0x0
00440C7A . |8D85 40FFFFFF lea eax,dword ptr ss: ; |
00440C80 . |50 push eax ; |dString8 = NULL
00440C81 . |8D8D 70FFFFFF lea ecx,dword ptr ss: ; |
00440C87 . |51 push ecx ; |RetBUFFER = 00120002
00440C88 . |FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; \rtcMidCharVar
00440C8E . |C785 28FFFFFF>mov dword ptr ss:,ripper.00432>;2
00440C98 . |C785 20FFFFFF>mov dword ptr ss:,0x8008
00440CA2 . |8D95 70FFFFFF lea edx,dword ptr ss:
00440CA8 . |52 push edx ; /var18 = 00000006
00440CA9 . |8D85 20FFFFFF lea eax,dword ptr ss: ; |
00440CAF . |50 push eax ; |var28 = NULL
00440CB0 . |FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
00440CB6 . |66:8985 0CFFF>mov word ptr ss:,ax
00440CBD . |8D8D 70FFFFFF lea ecx,dword ptr ss:
00440CC3 . |51 push ecx
00440CC4 . |8D55 80 lea edx,dword ptr ss:
00440CC7 . |52 push edx
00440CC8 . |6A 02 push 0x2
00440CCA . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList
00440CD0 . |83C4 0C add esp,0xC
00440CD3 . |0FBF85 0CFFFF>movsx eax,word ptr ss:
00440CDA . |85C0 test eax,eax
00440CDC . |74 0D je short ripper.00440CEB
00440CDE . |C745 FC 10000>mov dword ptr ss:,0x10
00440CE5 . |66:C745 C0 FF>mov word ptr ss:,0xFFFF
00440CEB > |C745 FC 12000>mov dword ptr ss:,0x12
00440CF2 . |C745 88 01000>mov dword ptr ss:,0x1
00440CF9 . |C745 80 02000>mov dword ptr ss:,0x2
00440D00 . |8D4D AC lea ecx,dword ptr ss:
00440D03 . |898D 48FFFFFF mov dword ptr ss:,ecx
00440D09 . |C785 40FFFFFF>mov dword ptr ss:,0x4008
00440D13 . |8D55 80 lea edx,dword ptr ss:
00440D16 . |52 push edx
00440D17 . |8D45 D0 lea eax,dword ptr ss:
00440D1A . |50 push eax
00440D1B . |FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;msvbvm60.__vbaI4Var
00440D21 . |50 push eax ; |Start = 0x0
00440D22 . |8D8D 40FFFFFF lea ecx,dword ptr ss: ; |
00440D28 . |51 push ecx ; |dString8 = 00120002
00440D29 . |8D95 70FFFFFF lea edx,dword ptr ss: ; |
00440D2F . |52 push edx ; |RetBUFFER = 00000006
00440D30 . |FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; \rtcMidCharVar
00440D36 . |C785 28FFFFFF>mov dword ptr ss:,ripper.00432>;3
00440D40 . |C785 20FFFFFF>mov dword ptr ss:,0x8008
00440D4A . |8D85 70FFFFFF lea eax,dword ptr ss:
00440D50 . |50 push eax ; /var18 = NULL
00440D51 . |8D8D 20FFFFFF lea ecx,dword ptr ss: ; |
00440D57 . |51 push ecx ; |var28 = 00120002
00440D58 . |FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
00440D5E . |66:8985 0CFFF>mov word ptr ss:,ax
00440D65 . |8D95 70FFFFFF lea edx,dword ptr ss:
00440D6B . |52 push edx
00440D6C . |8D45 80 lea eax,dword ptr ss:
00440D6F . |50 push eax
00440D70 . |6A 02 push 0x2
00440D72 . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList
00440D78 . |83C4 0C add esp,0xC
00440D7B . |0FBF8D 0CFFFF>movsx ecx,word ptr ss:
00440D82 . |85C9 test ecx,ecx
00440D84 . |74 0D je short ripper.00440D93
00440D86 . |C745 FC 13000>mov dword ptr ss:,0x13
00440D8D . |66:C745 C8 FF>mov word ptr ss:,0xFFFF
00440D93 > |C745 FC 15000>mov dword ptr ss:,0x15
00440D9A . |8D95 E0FEFFFF lea edx,dword ptr ss:
00440DA0 . |52 push edx ; /TMPend8 = 00000006
00440DA1 . |8D85 F0FEFFFF lea eax,dword ptr ss: ; |
00440DA7 . |50 push eax ; |TMPstep8 = NULL
00440DA8 . |8D4D D0 lea ecx,dword ptr ss: ; |
00440DAB . |51 push ecx ; |Counter8 = 00120002
00440DAC . |FF15 BC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext
00440DB2 . |8985 C4FEFFFF mov dword ptr ss:,eax
00440DB8 > |83BD C4FEFFFF>cmp dword ptr ss:,0x0
00440DBF .^\0F85 2EFDFFFF jnz ripper.00440AF3
这里是算法部分。对于它的算法分析,我们在第10季课程讲解。
00440dbf 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 9090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
好的,谢谢大家观看
把车点着了??、、、、
学习一下 必须支持大神!!! 支持一下 收藏下,这个软件我正需要,等下装一下看看 顶。。。。。。。。。。。。。。。。。 感谢分享,学到很多~
谢谢楼主了,就喜欢这样的 围观加密算法分析,有第十课了再来学习 新手,表示好难的样子,貌似没看懂,看见代码好多!