Super FLV Video Converter: patching analysis and registration code analysis [suitable for beginners]
==================================================================================
【Software name】Super FLV Video Converter 1.65
【Download】Search on Baidu (http://www.mp4soft.cn)
【Restriction】Only 20% of the conversion time is available
【Packer/protection】None
【Software introduction】There should be one at the download site!
==================================================================================
【Platform】WINDOWS XP sp2
【Debugger】OD
【Author】小糊涂虫
==================================================================================
I. Patching analysis
After downloading and installing, run it and enter any username and registration code; an error message box pops up.
With a message box it's easy: since there is no packer, the other restriction prompts should be visible too, so load it in OD and search for the related strings.
We arrive at:
004C0AF9 .8B45 FC mov eax,dword ptr ss:
004C0AFC 80B8 B1040000 0>cmp byte ptr ds:,0
004C0B03 .74 4D je short flv.004C0B52
004C0B05 .6A 24 push 24
004C0B07 .68 040E4C00 push flv.004C0E04 ;Prompt
004C0B0C .68 0C0E4C00 push flv.004C0E0C ;You are using the trial version, which can only convert 20% of a video file. Do you want to buy the full version?
004C0B11 .8B45 FC mov eax,dword ptr ss:
004C0B14 .E8 B7CDFAFF call flv.0046D8D0
004C0B19 .50 push eax ; |hOwner
004C0B1A .E8 3167F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004C0B1F .83F8 06 cmp eax,6
004C0B22 .75 2E jnz short flv.004C0B52
As you can see, this trial-version prompt is the only restriction here. 004C0B03 can jump over it: changing it to jmp works, and changing the instruction above it to cmp byte ptr ds:,1 works too.
After that change there should be no restriction, but it still prompts you to register. Now let's get rid of that registration prompt as well; it can be found by searching for the string in the same way:
004C02A2 .8B45 FC mov eax,dword ptr ss:
004C02A5 .8B80 BC040000 mov eax,dword ptr ds:
004C02AB .E8 8844F4FF call flv.00404738
004C02B0 75 0C jnz short flv.004C02BE ?????????????
004C02B2 .8B45 FC mov eax,dword ptr ss:
004C02B5 .C680 B0040000 0>mov byte ptr ds:,0
004C02BC .EB 31 jmp short flv.004C02EF
004C02BE >8B45 FC mov eax,dword ptr ss:
004C02C1 .C680 B0040000 0>mov byte ptr ds:,1
004C02C8 .8D55 B0 lea edx,dword ptr ss:
004C02CB .A1 247E4C00 mov eax,dword ptr ds:
004C02D0 .E8 136EFAFF call flv.004670E8
004C02D5 .8D45 B0 lea eax,dword ptr ss:
004C02D8 .BA 28084C00 mov edx,flv.004C0828 ;(The trial version can only convert 20% of the source file's duration!)
004C02DD .E8 1243F4FF call flv.004045F4
You can see that the check for whether this is the trial version comes from 004C02B0 above; just nop it. After making the change and saving, there is no registration prompt and no conversion limit at all.
II. Algorithm analysis
From the strings found in OD you can see that the registration code is stored in the registry under software\mp4soft\flvconverter:
004BCC1D .E8 B2FEFFFF call flv.004BCAD4
004BCC22 84C0 test al,al
004BCC24 .0F84 DB000000 je flv.004BCD05 ?????????????
004BCC2A .33C0 xor eax,eax
004BCC2C .55 push ebp
004BCC2D .68 E9CC4B00 push flv.004BCCE9
004BCC32 .64:FF30 push dword ptr fs:
004BCC35 .64:8920 mov dword ptr fs:,esp
004BCC38 .B2 01 mov dl,1
004BCC3A .A1 E8B34300 mov eax,dword ptr ds:
004BCC3F .E8 A4E8F7FF call flv.0043B4E8
004BCC44 .8BD8 mov ebx,eax
004BCC46 .BA 02000080 mov edx,80000002
004BCC4B .8BC3 mov eax,ebx
004BCC4D .E8 36E9F7FF call flv.0043B588
004BCC52 .B1 01 mov cl,1
004BCC54 .BA 64CD4B00 mov edx,flv.004BCD64 ;software\mp4soft\flvconverter
004BCC59 .8BC3 mov eax,ebx
004BCC5B .E8 8CE9F7FF call flv.0043B5EC
004BCC60 .8D55 F4 lea edx,dword ptr ss:
004BCC63 .8B45 FC mov eax,dword ptr ss:
004BCC66 .8B80 04030000 mov eax,dword ptr ds:
004BCC6C .E8 77A4FAFF call flv.004670E8
004BCC71 .8B45 F4 mov eax,dword ptr ss:
004BCC74 .8D55 F8 lea edx,dword ptr ss:
004BCC77 .E8 ECBCF4FF call flv.00408968
004BCC7C .8B4D F8 mov ecx,dword ptr ss:
004BCC7F .BA 8CCD4B00 mov edx,flv.004BCD8C ;name
004BCC84 .8BC3 mov eax,ebx
004BCC86 .E8 FDEAF7FF call flv.0043B788
004BCC8B .8D55 EC lea edx,dword ptr ss:
004BCC8E .8B45 FC mov eax,dword ptr ss:
004BCC91 .8B80 08030000 mov eax,dword ptr ds:
004BCC97 .E8 4CA4FAFF call flv.004670E8
004BCC9C .8B45 EC mov eax,dword ptr ss:
004BCC9F .8D55 F0 lea edx,dword ptr ss:
004BCCA2 .E8 C1BCF4FF call flv.00408968
004BCCA7 .8B4D F0 mov ecx,dword ptr ss:
004BCCAA .BA 9CCD4B00 mov edx,flv.004BCD9C ;pass
004BCCAF .8BC3 mov eax,ebx
004BCCB1 .E8 D2EAF7FF call flv.0043B788
004BCCB6 .8BC3 mov eax,ebx
004BCCB8 .E8 0368F4FF call flv.004034C0
004BCCBD .6A 40 push 40
004BCCBF .68 A4CD4B00 push flv.004BCDA4 ;Software Registration
004BCCC4 .68 B0CD4B00 push flv.004BCDB0 ;Registration information has been saved! The next time this program starts, your registration code will be verified. If it is correct, all functional restrictions will be removed and you will become a licensed user!
004BCCC9 .8B45 FC mov eax,dword ptr ss:
004BCCCC .E8 FF0BFBFF call flv.0046D8D0
004BCCD1 .50 push eax ; |hOwner
004BCCD2 .E8 79A5F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BCCD7 .8B45 FC mov eax,dword ptr ss:
Debugging in OD shows that as long as 004BCC24 does not jump, the registration information is written to the registry. Now nop out 4BCC24 and enter the username (www.52pojie.cn) and registration code (111111111).
Since the check runs on restart, reload the program in OD, set a breakpoint at the start of the function we patched, then single-step,
and we arrive here:
004C01B4 .8B45 DC mov eax,dword ptr ss:
004C01B7 .E8 CCB3F7FF call flv.0043B588
004C01BC .8D45 F8 lea eax,dword ptr ss:
004C01BF .BA D0074C00 mov edx,flv.004C07D0 ;software\mp4soft\flvconverter
004C01C4 .E8 DF41F4FF call flv.004043A8
004C01C9 .B1 01 mov cl,1
004C01CB .8B55 F8 mov edx,dword ptr ss:
004C01CE .8B45 DC mov eax,dword ptr ss:
004C01D1 .E8 16B4F7FF call flv.0043B5EC
004C01D6 84C0 test al,al
004C01D8 .0F84 84000000 je flv.004C0262
004C01DE .8D4D BC lea ecx,dword ptr ss:
004C01E1 .BA F8074C00 mov edx,flv.004C07F8 ;name
It is fetching the username and registration code; keep stepping,
004C0287 .8D4D B4 lea ecx,dword ptr ss:
004C028A .8B45 FC mov eax,dword ptr ss:
004C028D .8B90 B8040000 mov edx,dword ptr ds:
004C0293 .A1 645B4C00 mov eax,dword ptr ds:
004C0298 .8B00 mov eax,dword ptr ds:
004C029A .E8 81C5FFFF call flv.004BC820 ;the registration code appears after stepping over this call
004C029F .8B55 B4 mov edx,dword ptr ss:
004C02A2 .8B45 FC mov eax,dword ptr ss:
004C02A5 .8B80 BC040000 mov eax,dword ptr ds:
4C029A is the algorithm call; step into it and we come to:
.................
004BC863 |.85F6 test esi,esi
004BC865 |.7E 26 jle short flv.004BC88D
004BC867 |.BB 01000000 mov ebx,1
004BC86C |>8D4D EC /lea ecx,dword ptr ss:
004BC86F |.8B45 FC |mov eax,dword ptr ss:
004BC872 |.0FB64418 FF |movzx eax,byte ptr ds:
004BC877 |.33D2 |xor edx,edx
004BC879 |.E8 66C4F4FF |call flv.00408CE4
004BC87E |.8B55 EC |mov edx,dword ptr ss:
004BC881 |.8D45 F8 |lea eax,dword ptr ss:
004BC884 |.E8 6B7DF4FF |call flv.004045F4
004BC889 |.43 |inc ebx
004BC88A |.4E |dec esi
004BC88B |.^ 75 DF \jnz short flv.004BC86C
004BC88D |>8B45 F8 mov eax,dword ptr ss: ;username converted to hex
The section above converts the username to hex (ASCII "7777772E3532706F6A69652E636E").
Then continue down to the next part of the algorithm:
004BC899 |. /7E 2C jle short flv.004BC8C7
004BC89B |. |BB 01000000 mov ebx,1
004BC8A0 |> |8B45 F8 /mov eax,dword ptr ss:
004BC8A3 |. |E8 447DF4FF |call flv.004045EC
004BC8A8 |. |2BC3 |sub eax,ebx
004BC8AA |. |8B55 F8 |mov edx,dword ptr ss:
004BC8AD |. |8A1402 |mov dl,byte ptr ds:
004BC8B0 |. |8D45 E8 |lea eax,dword ptr ss:
004BC8B3 |. |E8 407CF4FF |call flv.004044F8
004BC8B8 |. |8B55 E8 |mov edx,dword ptr ss:
004BC8BB |. |8D45 F4 |lea eax,dword ptr ss:
004BC8BE |. |E8 317DF4FF |call flv.004045F4
004BC8C3 |. |43 |inc ebx
004BC8C4 |. |4E |dec esi
004BC8C5 |.^|75 D9 \jnz short flv.004BC8A0 ;
004BC8C7 |> \8D45 F8 lea eax,dword ptr ss:
This is the process of reversing the hex of the username (ASCII "E636E25696A6F6072353E2777777").
Continue down,
004BC8E0 |.50 push eax
004BC8E1 |.B9 04000000 mov ecx,4
004BC8E6 |.BA 05000000 mov edx,5
004BC8EB |.8B45 F4 mov eax,dword ptr ss: ;take the first 4 hex digits.
004BC8EE |.E8 597FF4FF call flv.0040484C ;
004BC8F3 |.8B45 F8 mov eax,dword ptr ss:
004BC8F6 |.E8 F17CF4FF call flv.004045EC
004BC8FB |.83F8 04 cmp eax,4
004BC8FE |.7D 2F jge short flv.004BC92F
.....................
004BC92A |.83FB 04 |cmp ebx,4
004BC92D |.^ 75 E0 \jnz short flv.004BC90F
004BC92F |>8B45 F4 mov eax,dword ptr ss: ;take digits 5-8
004BC932 |.E8 B57CF4FF call flv.004045EC
004BC937 |.83F8 04 cmp eax,4
......................
004BC96B |> \8D45 F0 lea eax,dword ptr ss: ;fixed string
004BC96E |.BA F8C94B00 mov edx,flv.004BC9F8 ;flv67u986e
004BC973 |.E8 307AF4FF call flv.004043A8
004BC978 |.8D45 DC lea eax,dword ptr ss:
004BC97B |.50 push eax
004BC97C |.B9 04000000 mov ecx,4
004BC981 |.BA 01000000 mov edx,1
004BC986 |.8B45 F0 mov eax,dword ptr ss:
004BC989 |.E8 BE7EF4FF call flv.0040484C
004BC98E |.FF75 DC push dword ptr ss:
004BC991 |.68 0CCA4B00 push flv.004BCA0C ;-
004BC996 |.FF75 F8 push dword ptr ss:
004BC999 |.8D45 D8 lea eax,dword ptr ss:
004BC99C |.50 push eax
004BC99D |.B9 05000000 mov ecx,5
004BC9A2 |.BA 05000000 mov edx,5
004BC9A7 |.8B45 F0 mov eax,dword ptr ss:
004BC9AA |.E8 9D7EF4FF call flv.0040484C
004BC9AF |.FF75 D8 push dword ptr ss:
004BC9B2 |.68 0CCA4B00 push flv.004BCA0C ;-
004BC9B7 |.FF75 F4 push dword ptr ss:
004BC9BA |.8BC7 mov eax,edi
004BC9BC |.BA 06000000 mov edx,6
004BC9C1 |.E8 E67CF4FF call flv.004046AC
004BC9C6 |.33C0 xor eax,eax
004BC9C8 |.5A pop edx
Now the algorithm is obvious:
1. Convert the username to hex
2. Reverse the hex of the username
3. The fixed string flv67u986e
4. Concatenate them in a fixed order to get the registration code: flv6-first four digits7u986-digits 5 to 8
Username: www.52pojie.cn
Registration code: flv6-E6367u986-E256
Cracking this is actually very simple: whatever restriction there is, patch it. The key is having a clear approach.
PS: this article is only for beginners; experts, please skip it.
==================================================================================
Classic. I've decided to follow along and do it myself when I have time. Following the algorithm is probably still a bit hard.
A newbie learned something, heh.
Nice article, giving it my support... and learning a bit on the side, a little bird flying by.
Headache!! Studying hard!
Very detailed write-up, learning the algorithm.
The code parts would look better in a code box.
Brilliant write-up, learned a lot.