视频旋转器爆破、追码 by cqr2287
视频旋转器我挺需要的,比如正着转侧着,等等。以前一直想用flash修改,后来发现这软件。今天我们来分析分析。先熟悉流程
然后就退出了。
通过字符串找到关键位置。因为程序会直接退出,所以 F12 法不能很好地使用(对,就是用字符串)。
VB 程序要搜索 Unicode 字符串。
很明显有两处。不管怎样,进第一个看看。
00496634 . /0F84 AD000000 je VideoRot.004966E7
0049663A . |C745 FC 0C000>mov dword ptr ss:,0xC
00496641 . |C745 80 04000>mov dword ptr ss:,0x80020004
00496648 . |C785 78FFFFFF>mov dword ptr ss:,0xA
00496652 . |C745 90 04000>mov dword ptr ss:,0x80020004
00496659 . |C745 88 0A000>mov dword ptr ss:,0xA
00496660 . |C785 50FFFFFF>mov dword ptr ss:,VideoRot.004>;失败
0049666A . |C785 48FFFFFF>mov dword ptr ss:,0x8
00496674 . |8D95 48FFFFFF lea edx,dword ptr ss:
0049667A . |8D4D 98 lea ecx,dword ptr ss:
0049667D . |E8 CECDF6FF call <jmp.&MSVBVM60.__vbaVarDup>
00496682 . |C785 60FFFFFF>mov dword ptr ss:,VideoRot.004>;错误的注册码.
0049668C . |C785 58FFFFFF>mov dword ptr ss:,0x8
00496696 . |8D95 58FFFFFF lea edx,dword ptr ss:
0049669C . |8D4D A8 lea ecx,dword ptr ss:
0049669F . |E8 ACCDF6FF call <jmp.&MSVBVM60.__vbaVarDup>
004966A4 . |8D85 78FFFFFF lea eax,dword ptr ss:
只有一个“失败”提示。莫非是判断注册码是否为空?管他呢,直接 jmp。
00496B81 .C745 FC 1B000>mov dword ptr ss:,0x1B
00496B88 .C745 80 04000>mov dword ptr ss:,0x80020004
00496B8F .C785 78FFFFFF>mov dword ptr ss:,0xA
00496B99 .C745 90 04000>mov dword ptr ss:,0x80020004
00496BA0 .C745 88 0A000>mov dword ptr ss:,0xA
00496BA7 .C785 50FFFFFF>mov dword ptr ss:,VideoRot.004>;成功
00496BB1 .C785 48FFFFFF>mov dword ptr ss:,0x8
00496BBB .8D95 48FFFFFF lea edx,dword ptr ss:
00496BC1 .8D4D 98 lea ecx,dword ptr ss:
00496BC4 .E8 87C8F6FF call <jmp.&MSVBVM60.__vbaVarDup>
00496BC9 .C785 60FFFFFF>mov dword ptr ss:,VideoRot.004>;注册成功,请重新启动程序。
00496BD3 .C785 58FFFFFF>mov dword ptr ss:,0x8
00496BDD .8D95 58FFFFFF lea edx,dword ptr ss:
其实只要走过那里,就到“成功”分支了。那就是一个爆破位置。
由于不清楚第一个 jnz 是干嘛的,所以就在第一个上面下断跟踪。
004963E3 > \8B45 C0 mov eax,dword ptr ss:
004963E6 .8985 D0FEFFFF mov dword ptr ss:,eax
004963EC .8365 C0 00 and dword ptr ss:,0x0
004963F0 .8B85 D0FEFFFF mov eax,dword ptr ss:
004963F6 .8945 90 mov dword ptr ss:,eax
004963F9 .C745 88 08000>mov dword ptr ss:,0x8
00496400 .8D45 88 lea eax,dword ptr ss:
此处初始化循环指针并读取假码。从这里开始需要注意。
寄存器中总有一些奇怪的十六进制 ASCII。这些大家不用管它,注意这是 VB 程序。
堆栈 ss:=0020BE6C, (UNICODE "VRSAGK852WD")
这块需要注意了。
之后我们会进入算法循环。
004962BC .E8 E3D1F6FF call <jmp.&MSVBVM60.__vbaFreeObj>
004962C1 .E9 CD010000 jmp VideoRot.00496493
004962C6 >C745 FC 05000>mov dword ptr ss:,0x5
004962CD .8B45 08 mov eax,dword ptr ss:
004962D0 .8B00 mov eax,dword ptr ds:
004962D2 .FF75 08 push dword ptr ss:
004962D5 .FF90 04030000 call dword ptr ds:
004962DB .50 push eax
004962DC .8D45 BC lea eax,dword ptr ss:
004962DF .50 push eax
004962E0 .E8 D1D1F6FF call <jmp.&MSVBVM60.__vbaObjSet>
004962E5 .8985 20FFFFFF mov dword ptr ss:,eax
004962EB .8D45 C4 lea eax,dword ptr ss:
004962EE .50 push eax
004962EF .8D45 D0 lea eax,dword ptr ss:
004962F2 .50 push eax
004962F3 .E8 98D0F6FF call <jmp.&MSVBVM60.__vbaI2Var>
004962F8 .50 push eax
004962F9 .8B85 20FFFFFF mov eax,dword ptr ss:
004962FF .8B00 mov eax,dword ptr ds:
00496301 .FFB5 20FFFFFF push dword ptr ss:
00496307 .FF90 F8000000 call dword ptr ds:
0049630D .DBE2 fclex
0049630F .8985 1CFFFFFF mov dword ptr ss:,eax
00496315 .83BD 1CFFFFFF>cmp dword ptr ss:,0x0
0049631C .7D 23 jge short VideoRot.00496341
0049631E .68 F8000000 push 0xF8
00496323 .68 C8CF4600 push VideoRot.0046CFC8
00496328 .FFB5 20FFFFFF push dword ptr ss:
0049632E .FFB5 1CFFFFFF push dword ptr ss:
00496334 .E8 77D1F6FF call <jmp.&MSVBVM60.__vbaHresultCheckObj>
00496339 .8985 C0FEFFFF mov dword ptr ss:,eax
0049633F .EB 07 jmp short VideoRot.00496348
00496341 >83A5 C0FEFFFF>and dword ptr ss:,0x0
00496348 >8B45 C4 mov eax,dword ptr ss:
0049634B .8985 D4FEFFFF mov dword ptr ss:,eax
00496351 .8365 C4 00 and dword ptr ss:,0x0
00496355 .8B85 D4FEFFFF mov eax,dword ptr ss:
0049635B .8945 B0 mov dword ptr ss:,eax
0049635E .C745 A8 08000>mov dword ptr ss:,0x8
00496365 .8D45 A8 lea eax,dword ptr ss:
00496368 .50 push eax
00496369 .8D45 98 lea eax,dword ptr ss:
0049636C .50 push eax
0049636D .E8 E2CFF6FF call <jmp.&MSVBVM60.#rtcTrimVar_520>
00496372 .8B45 08 mov eax,dword ptr ss:
00496375 .8B00 mov eax,dword ptr ds:
00496377 .FF75 08 push dword ptr ss:
0049637A .FF90 08030000 call dword ptr ds:
00496380 .50 push eax
00496381 .8D45 B8 lea eax,dword ptr ss:
00496384 .50 push eax
00496385 .E8 2CD1F6FF call <jmp.&MSVBVM60.__vbaObjSet>
0049638A .8985 18FFFFFF mov dword ptr ss:,eax
00496390 .8D45 C0 lea eax,dword ptr ss:
00496393 .50 push eax
00496394 .8B85 18FFFFFF mov eax,dword ptr ss:
0049639A .8B00 mov eax,dword ptr ds:
0049639C .FFB5 18FFFFFF push dword ptr ss:
004963A2 .FF90 A0000000 call dword ptr ds:
004963A8 .DBE2 fclex
004963AA .8985 14FFFFFF mov dword ptr ss:,eax
004963B0 .83BD 14FFFFFF>cmp dword ptr ss:,0x0
004963B7 .7D 23 jge short VideoRot.004963DC
004963B9 .68 A0000000 push 0xA0
004963BE .68 64D54600 push VideoRot.0046D564
004963C3 .FFB5 18FFFFFF push dword ptr ss:
004963C9 .FFB5 14FFFFFF push dword ptr ss:
004963CF .E8 DCD0F6FF call <jmp.&MSVBVM60.__vbaHresultCheckObj>
004963D4 .8985 BCFEFFFF mov dword ptr ss:,eax
004963DA .EB 07 jmp short VideoRot.004963E3
004963DC >83A5 BCFEFFFF>and dword ptr ss:,0x0
004963E3 >8B45 C0 mov eax,dword ptr ss:
004963E6 .8985 D0FEFFFF mov dword ptr ss:,eax
004963EC .8365 C0 00 and dword ptr ss:,0x0
004963F0 .8B85 D0FEFFFF mov eax,dword ptr ss:
004963F6 .8945 90 mov dword ptr ss:,eax
004963F9 .C745 88 08000>mov dword ptr ss:,0x8
00496400 .8D45 88 lea eax,dword ptr ss:
00496403 .50 push eax
00496404 .8D85 78FFFFFF lea eax,dword ptr ss:
0049640A .50 push eax
0049640B .E8 44CFF6FF call <jmp.&MSVBVM60.#rtcTrimVar_520>
00496410 .8D45 98 lea eax,dword ptr ss:
00496413 .50 push eax ; /var18 = 00000001
00496414 .8D85 78FFFFFF lea eax,dword ptr ss: ; |
0049641A .50 push eax ; |var28 = 00000001
0049641B .E8 A2D0F6FF call <jmp.&MSVBVM60.__vbaVarTstEq> ; \__vbaVarTstEq
00496420 .66:8985 10FFF>mov word ptr ss:,ax
00496427 .8D45 B8 lea eax,dword ptr ss:
0049642A .50 push eax
0049642B .8D45 BC lea eax,dword ptr ss:
0049642E .50 push eax
0049642F .6A 02 push 0x2
00496431 .E8 DECFF6FF call <jmp.&MSVBVM60.__vbaFreeObjList>
00496436 .83C4 0C add esp,0xC
00496439 .8D85 78FFFFFF lea eax,dword ptr ss:
0049643F .50 push eax
00496440 .8D45 98 lea eax,dword ptr ss:
00496443 .50 push eax
00496444 .8D45 88 lea eax,dword ptr ss:
00496447 .50 push eax
00496448 .8D45 A8 lea eax,dword ptr ss:
0049644B .50 push eax
0049644C .6A 04 push 0x4
0049644E .E8 75D0F6FF call <jmp.&MSVBVM60.__vbaFreeVarList>
00496453 .83C4 14 add esp,0x14
00496456 .0FBF85 10FFFF>movsx eax,word ptr ss:
0049645D .85C0 test eax,eax
0049645F .74 0E je short VideoRot.0049646F
00496461 .C745 FC 06000>mov dword ptr ss:,0x6
00496468 .66:834D CC FF or word ptr ss:,0xFFFF
0049646D .EB 31 jmp short VideoRot.004964A0
0049646F >C745 FC 09000>mov dword ptr ss:,0x9
00496476 .8D85 F0FEFFFF lea eax,dword ptr ss:
0049647C .50 push eax ; /TMPend8 = 00000001
0049647D .8D85 00FFFFFF lea eax,dword ptr ss: ; |
00496483 .50 push eax ; |TMPstep8 = 00000001
00496484 .8D45 D0 lea eax,dword ptr ss: ; |
00496487 .50 push eax ; |Counter8 = 00000001
00496488 .E8 FDCEF6FF call <jmp.&MSVBVM60.__vbaVarForNext> ; \__vbaVarForNext
0049648D .8985 D8FEFFFF mov dword ptr ss:,eax
00496493 >83BD D8FEFFFF>cmp dword ptr ss:,0x0
0049649A .^ 0F85 26FEFFFF jnz VideoRot.004962C6
是吧。
好的,初步确定真码出现了:VRSAGK852WD
496634
00496634 /E9 AE000000 jmp VideoRot.004966E7
00496639 |90 nop
好,爆破位置都给出来了,具体的不需要我再说了吧。
@Sound 指导下
好久不见 感谢分享,支持下{:1_921:} 为什么有的重启验证的软件我找到的注册码,第一次重启标题显示正版,第二次重启又没有了? 本人认为是最强的回帖用语!无论从文采,意境上都堪称最佳!一语双关! 看看大神的操作{:1_919:} 好久不见 好久没人发这样的帖子了 学习了。感谢! 学习楼主的破解方法,谢谢分享。