吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 3389|回复: 22
收起左侧

[原创] Aiseesoft Video Repair v1.0.20 破解简单分析

  [复制链接]
speedboy 发表于 2023-11-18 20:33
1、首先运行程序,发现在窗口标题会显示 “Unregistered“;
2、退出程序,在X64DBG加载程序并运行,直到出现引导界面:
2023-11-18_202856.png
3、在反汇编区 右键——搜索范围——所有用户模块——字符串应用,并查找"Unregistered",得到一处,双击来到反汇编区:
[Asm] 纯文本查看 复制代码
00007FFC4479A62 | 40:53                  | PUSH RBX                                    | 》此为代码段首,在此 右键——查找引用——选定的地址,得到5处调用
00007FFC4479A62 | 48:83EC 30             | SUB RSP,0x30                                |
00007FFC4479A62 | 48:8BD9                | MOV RBX,RCX                                 |
00007FFC4479A62 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF      |
00007FFC4479A63 | 45:33C9                | XOR R9D,R9D                                 |
00007FFC4479A63 | 48:8D0D 85BF1100       | LEA RCX,QWORD PTR DS:[<public: static struc |
00007FFC4479A63 | 83FA 01                | CMP EDX,0x1                                 | 》如果 EDX=1,下面的 je 跳转实现。往上分析发现EDX的赋值来自Call调用之前。
00007FFC4479A63 | 4C:8D05 BB500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F700]        | ds:[00007FFC4483F700]:"Registered"
00007FFC4479A64 | 48:8BD3                | MOV RDX,RBX                                 |
00007FFC4479A64 | 74 07                  | JE framework.7FFC4479A651                   | 》跳转,跳过“Unregistered”标题
00007FFC4479A64 | 4C:8D05 BF500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F710]        | ds:[00007FFC4483F710]:"Unregistered"
00007FFC4479A65 | FF15 C9D10900          | CALL QWORD PTR DS:[<public: class QString _ |
00007FFC4479A65 | 48:8BC3                | MOV RAX,RBX                                 |
00007FFC4479A65 | 48:83C4 30             | ADD RSP,0x30                                |
00007FFC4479A65 | 5B                     | POP RBX                                     |
00007FFC4479A65 | C3                     | RET                                         |

(看关键代码注释,我都做出了分析)
4、五处调用为:
[Asm] 纯文本查看 复制代码
00007FFC447864AB call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447865A6 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447BA560 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447C0B30 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447D2760 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>

选择第一个双击来到反汇编区:
[Asm] 纯文本查看 复制代码
00007FFC4478648 | E8 7BCD0000            | CALL <framework.public: enum AkClientAuthor | 》此为关键Call,F7跟进返回的EAX=1即可
00007FFC4478648 | 8BF0                   | MOV ESI,EAX                                 | 》在这呢,ESI=EAX
00007FFC4478648 | 83F8 01                | CMP EAX,0x1                                 |
00007FFC4478648 | 0F84 9E010000          | JE framework.7FFC4478662E                   |
00007FFC4478649 | 33D2                   | XOR EDX,EDX                                 |
00007FFC4478649 | 48:8D0D 5F390B00       | LEA RCX,QWORD PTR DS:[0x7FFC44839DF8]       |
00007FFC4478649 | FF15 71130B00          | CALL QWORD PTR DS:[<private: static struct  |
00007FFC4478649 | 48:894424 58           | MOV QWORD PTR SS:[RSP+0x58],RAX             |
00007FFC447864A | 8BD6                   | MOV EDX,ESI                                 | 》此处 EDX=ESI,向上查找何处给 ESI赋值
00007FFC447864A | 48:8D4C24 48           | LEA RCX,QWORD PTR SS:[RSP+0x48]             |
00007FFC447864A | E8 70410100            | CALL <framework.public: static class QStrin |
00007FFC447864B | 48:8BD8                | MOV RBX,RAX                                 |

(看关键代码注释,我都做出了分析)
5、进入关键Call(00007FFC4478648 CALL <framework.public: enum AkClientAuthorization::State __cdecl AkClientAutho)分析,得到【破解处-1】
把 MOV EAX,DWORD PTR DS:[RCX+0x2C] 修改为:
[Asm] 纯文本查看 复制代码
MOV EAX,1
RET

6、在刚开始我们直接运行程序时提示我们输入邮箱和注册码进行注册,测试后会返回"The registration code is invalid.",接着搜索此字符串得到7处:
[Asm] 纯文本查看 复制代码
00007FFC424A2D73 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3100 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3941 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3B09 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7CEF lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7E2F lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424E0710 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."

7、在第一个上双击来到反汇编区:(看关键代码注释,我都做出了分析)
[Asm] 纯文本查看 复制代码
00007FFC424A28C | 48:8BC4                | MOV RAX,RSP                                |
00007FFC424A28C | 55                     | PUSH RBP                                   |
00007FFC424A28C | 41:54                  | PUSH R12                                   |
00007FFC424A28C | 41:55                  | PUSH R13                                   |
00007FFC424A28C | 41:56                  | PUSH R14                                   |
00007FFC424A28C | 41:57                  | PUSH R15                                   |
00007FFC424A28C | 48:8D68 B1             | LEA RBP,QWORD PTR DS:[RAX-0x4F]            |
00007FFC424A28D | 48:81EC 90000000       | SUB RSP,0x90                               |
00007FFC424A28D | 48:C745 1F FEFFFFFF    | MOV QWORD PTR SS:[RBP+0x1F],0xFFFFFFFFFFFF |
00007FFC424A28D | 48:8958 08             | MOV QWORD PTR DS:[RAX+0x8],RBX             |
00007FFC424A28E | 48:8970 10             | MOV QWORD PTR DS:[RAX+0x10],RSI            |
00007FFC424A28E | 48:8978 18             | MOV QWORD PTR DS:[RAX+0x18],RDI            |
00007FFC424A28E | 4D:8BF1                | MOV R14,R9                                 |
00007FFC424A28E | 4D:8BE8                | MOV R13,R8                                 |
00007FFC424A28F | 48:8BDA                | MOV RBX,RDX                                |
00007FFC424A28F | 48:8BF9                | MOV RDI,RCX                                |
00007FFC424A28F | E8 C4380700            | CALL <framework.public: static int __cdecl |
00007FFC424A28F | A8 02                  | TEST AL,0x2                                |
00007FFC424A28F | 74 0A                  | JE framework.7FFC424A290A                  |
00007FFC424A290 | B8 02000000            | MOV EAX,0x2                                |
00007FFC424A290 | E9 21060000            | JMP framework.7FFC424A2F2B                 |
00007FFC424A290 | 48:8B4F 20             | MOV RCX,QWORD PTR DS:[RDI+0x20]            |
00007FFC424A290 | 48:85C9                | TEST RCX,RCX                               |
00007FFC424A291 | 74 10                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | 807F 28 00             | CMP BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A291 | 74 0A                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | FF15 D94B0A00          | CALL QWORD PTR DS:[<public: void __cdecl Q |
00007FFC424A291 | C647 28 00             | MOV BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A292 | 48:8D55 DF             | LEA RDX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A292 | 48:8BCB                | MOV RCX,RBX                                |
00007FFC424A292 | FF15 E84D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | 48:8D55 D7             | LEA RDX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A293 | 49:8BCD                | MOV RCX,R13                                |
00007FFC424A293 | FF15 DA4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | C645 CF 00             | MOV BYTE PTR SS:[RBP-0x31],0x0             |
00007FFC424A294 | 45:32E4                | XOR R12B,R12B                              |
00007FFC424A294 | 48:8D15 AB740A00       | LEA RDX,QWORD PTR DS:[0x7FFC42549DF8]      |
00007FFC424A294 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A295 | FF15 8A4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A295 | 41:BF 02000000         | MOV R15D,0x2                               | 》【破解处-2】原来兔子都吃窝边草啊,还记得我们想让 ESI≠2吗?因为ESI=R15D,所以R15D≠2即可,这个辩证还合理吧,哈哈,我就喜欢让R15D=1,我任性……
00007FFC424A295 | 48:8B45 D7             | MOV RAX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A296 | 8378 04 00             | CMP DWORD PTR DS:[RAX+0x4],0x0             |
00007FFC424A296 | 75 08                  | JNE framework.7FFC424A296E                 |
00007FFC424A296 | 41:8BF7                | MOV ESI,R15D                               | 》*** 看到了吗?这里给 ESI 赋值啦!(此时ESI=R15D)***,那么何处又给 R15D 赋值了呢?
00007FFC424A296 | E9 7D050000            | JMP framework.7FFC424A2EEB                 | 》这个大跳转就是我们要找的呦,哈哈,还记得那个 Let's go 吗?
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
 
此处省略若干行
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2D6 | E9 83010000            | JMP framework.7FFC424A2EEB                 |
00007FFC424A2D6 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
00007FFC424A2D7 | 45:33C9                | XOR R9D,R9D                                |
00007FFC424A2D7 | 4C:8D05 1EC90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F698]       | ds:[00007FFC4254F698]:"The registration code is invalid."
00007FFC424A2D7 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D7 | 48:8D0D 3B381200       | LEA RCX,QWORD PTR DS:[<public: static stru |
00007FFC424A2D8 | FF15 954A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D8 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D8 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A2D9 | FF15 484A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D9 | 48:8D4D C7             | LEA RCX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D9 | FF15 56350A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2DA | 8B47 48                | MOV EAX,DWORD PTR DS:[RDI+0x48]            |
00007FFC424A2DA | 83F8 04                | CMP EAX,0x4                                |
00007FFC424A2DA | 75 09                  | JNE framework.7FFC424A2DB3                 |
00007FFC424A2DA | 4C:8D05 C7C80A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F678]       | ds:[00007FFC7409F678]:"The registration code expired."
00007FFC424A2DB | EB 0C                  | JMP framework.7FFC424A2DBF                 |
00007FFC424A2DB | 83F8 03                | CMP EAX,0x3                                |
00007FFC424A2DB | 75 3A                  | JNE framework.7FFC424A2DF2                 |
00007FFC424A2DB | 4C:8D05 01C90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F6C0]       | ds:[00007FFC4254F6C0]:"The registration code is forbidden."
00007FFC424A2DB | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
 
此处省略若干行
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2EE | C647 28 01             | MOV BYTE PTR DS:[RDI+0x28],0x1             |
00007FFC424A2EE | 807D 7F 00             | CMP BYTE PTR SS:[RBP+0x7F],0x0             | 》经分析发现 有个大跳转 jmp 会到访这里呦,Let's go 我们到 jmp 那去看看吧!
00007FFC424A2EE | 75 15                  | JNE framework.7FFC424A2F06                 |
00007FFC424A2EF | 83FE 02                | CMP ESI,0x2                                | 》ESI≠2时,下面jnz跳转实现。接着向上找何处给ESI赋值。
00007FFC424A2EF | 75 10                  | JNE framework.7FFC424A2F06                 | 》此处跳转时程序界面不会出现购物车和激活钥匙图标
00007FFC424A2EF | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2EF | 41:8BD7                | MOV EDX,R15D                               |
00007FFC424A2EF | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2EF | E8 FC300000            | CALL <framework.protected: void __cdecl Ak | 》此调用即为版权激活等
00007FFC424A2F0 | EB 0E                  | JMP framework.7FFC424A2F14                 |
00007FFC424A2F0 | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2F0 | 8BD6                   | MOV EDX,ESI                                |
00007FFC424A2F0 | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2F0 | E8 BD550700            | CALL <framework.public: void __cdecl AkCli |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D D7             | LEA RCX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A2F1 | FF15 DA330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D DF             | LEA RCX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A2F2 | FF15 CF330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F2 | 8BC6                   | MOV EAX,ESI                                |
00007FFC424A2F2 | 4C:8D9C24 90000000     | LEA R11,QWORD PTR SS:[RSP+0x90]            |
00007FFC424A2F3 | 49:8B5B 30             | MOV RBX,QWORD PTR DS:[R11+0x30]            |
00007FFC424A2F3 | 49:8B73 38             | MOV RSI,QWORD PTR DS:[R11+0x38]            |
00007FFC424A2F3 | 49:8B7B 40             | MOV RDI,QWORD PTR DS:[R11+0x40]            |
00007FFC424A2F3 | 49:8BE3                | MOV RSP,R11                                |
00007FFC424A2F4 | 41:5F                  | POP R15                                    |
00007FFC424A2F4 | 41:5E                  | POP R14                                    |
00007FFC424A2F4 | 41:5D                  | POP R13                                    |
00007FFC424A2F4 | 41:5C                  | POP R12                                    |
00007FFC424A2F4 | 5D                     | POP RBP                                    |
00007FFC424A2F4 | C3                     | RET                                        |

书读百遍其义自见,仔细看呗!

免费评分

参与人数 9吾爱币 +15 热心值 +9 收起 理由
Hmily + 7 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
Zhaofeiyan + 1 用心讨论,共获提升!
ck6102 + 1 + 1 热心回复!
bansjs + 2 + 1 请问第5步如何操作的,是怎么走到了00007FFC4478648这个地址的呢
wgz001 + 1 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
wanzm + 1 + 1 我很赞同!
雪很冷 + 1 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
yuehanoo + 1 + 1 用心讨论,共获提升!
3yu3 + 1 + 1 用心讨论,共获提升!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

头像被屏蔽
yyb1813 发表于 2023-11-19 16:54
提示: 作者被禁止或删除 内容自动屏蔽
 楼主| speedboy 发表于 2023-11-18 20:34
本帖最后由 speedboy 于 2023-11-19 11:20 编辑

完成后的程序:


这是 64位程序的分析,32位的稍有不同。
2023-11-18_201825.png
ggmmr123 发表于 2023-11-18 21:22
yycvip 发表于 2023-11-18 23:14
仰望技术大佬  学习了
雾都孤尔 发表于 2023-11-18 23:16
这个厉害了,学习。
wanzm 发表于 2023-11-19 08:42
学习学习
dragontiger 发表于 2023-11-19 09:18
分析到位,学习了
sam喵喵 发表于 2023-11-19 10:12
感谢大佬分享,这个修复之后视频质量和大小有多大提升
dragontiger 发表于 2023-11-19 11:29
好软件,修复视频试试
longgui0318 发表于 2023-11-19 12:20
学习了,感谢分享
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-15 07:34

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表