吾爱破解 - 52pojie.cn

Views: 4064 | Replies: 23
[Original] Aiseesoft Video Repair v1.0.20: a simple crack analysis

speedboy posted on 2023-11-18 20:33
1. First run the program; the window title shows "Unregistered".
2. Quit the program, load it in x64dbg and run it until the splash screen appears:
2023-11-18_202856.png
3. In the disassembly view, right-click, Search for, All user modules, String references, and search for "Unregistered". There is one hit; double-click it to go to the disassembly view:
[Asm]
00007FFC4479A62 | 40:53                  | PUSH RBX                                    | 》This is the start of the function. Right-click here, Find references, Selected address; this gives 5 call sites
00007FFC4479A62 | 48:83EC 30             | SUB RSP,0x30                                |
00007FFC4479A62 | 48:8BD9                | MOV RBX,RCX                                 |
00007FFC4479A62 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF      |
00007FFC4479A63 | 45:33C9                | XOR R9D,R9D                                 |
00007FFC4479A63 | 48:8D0D 85BF1100       | LEA RCX,QWORD PTR DS:[<public: static struc |
00007FFC4479A63 | 83FA 01                | CMP EDX,0x1                                 | 》If EDX=1, the JE below is taken. Tracing upward shows EDX is assigned before the call.
00007FFC4479A63 | 4C:8D05 BB500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F700]        | ds:[00007FFC4483F700]:"Registered"
00007FFC4479A64 | 48:8BD3                | MOV RDX,RBX                                 |
00007FFC4479A64 | 74 07                  | JE framework.7FFC4479A651                   | 》Jump taken, skipping the "Unregistered" title
00007FFC4479A64 | 4C:8D05 BF500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F710]        | ds:[00007FFC4483F710]:"Unregistered"
00007FFC4479A65 | FF15 C9D10900          | CALL QWORD PTR DS:[<public: class QString _ |
00007FFC4479A65 | 48:8BC3                | MOV RAX,RBX                                 |
00007FFC4479A65 | 48:83C4 30             | ADD RSP,0x30                                |
00007FFC4479A65 | 5B                     | POP RBX                                     |
00007FFC4479A65 | C3                     | RET                                         |

(See the comments on the key lines; the analysis is annotated there.)
4. The five call sites are:
[Asm]
00007FFC447864AB call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447865A6 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447BA560 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447C0B30 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447D2760 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>

Double-click the first one to go to the disassembly view:
[Asm]
00007FFC4478648 | E8 7BCD0000            | CALL <framework.public: enum AkClientAuthor | 》This is the key call; step into it with F7. It only needs to return EAX=1
00007FFC4478648 | 8BF0                   | MOV ESI,EAX                                 | 》Here it is: ESI=EAX
00007FFC4478648 | 83F8 01                | CMP EAX,0x1                                 |
00007FFC4478648 | 0F84 9E010000          | JE framework.7FFC4478662E                   |
00007FFC4478649 | 33D2                   | XOR EDX,EDX                                 |
00007FFC4478649 | 48:8D0D 5F390B00       | LEA RCX,QWORD PTR DS:[0x7FFC44839DF8]       |
00007FFC4478649 | FF15 71130B00          | CALL QWORD PTR DS:[<private: static struct  |
00007FFC4478649 | 48:894424 58           | MOV QWORD PTR SS:[RSP+0x58],RAX             |
00007FFC447864A | 8BD6                   | MOV EDX,ESI                                 | 》Here EDX=ESI; look upward for where ESI is assigned
00007FFC447864A | 48:8D4C24 48           | LEA RCX,QWORD PTR SS:[RSP+0x48]             |
00007FFC447864A | E8 70410100            | CALL <framework.public: static class QStrin |
00007FFC447864B | 48:8BD8                | MOV RBX,RAX                                 |

(See the comments on the key lines; the analysis is annotated there.)
5. Step into the key call (00007FFC4478648 CALL <framework.public: enum AkClientAuthorization::State __cdecl AkClientAutho) and analyze it; this gives [Patch point 1]:
Change MOV EAX,DWORD PTR DS:[RCX+0x2C] to:
[Asm]
MOV EAX,1
RET

6. When we first ran the program directly, it prompted us to enter an email and registration code; after testing, it returns "The registration code is invalid." Searching for this string gives 7 hits:
[Asm]
00007FFC424A2D73 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3100 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3941 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3B09 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7CEF lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7E2F lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424E0710 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."

7. Double-click the first one to go to the disassembly view (see the comments on the key lines; the analysis is annotated there):
[Asm]
00007FFC424A28C | 48:8BC4                | MOV RAX,RSP                                |
00007FFC424A28C | 55                     | PUSH RBP                                   |
00007FFC424A28C | 41:54                  | PUSH R12                                   |
00007FFC424A28C | 41:55                  | PUSH R13                                   |
00007FFC424A28C | 41:56                  | PUSH R14                                   |
00007FFC424A28C | 41:57                  | PUSH R15                                   |
00007FFC424A28C | 48:8D68 B1             | LEA RBP,QWORD PTR DS:[RAX-0x4F]            |
00007FFC424A28D | 48:81EC 90000000       | SUB RSP,0x90                               |
00007FFC424A28D | 48:C745 1F FEFFFFFF    | MOV QWORD PTR SS:[RBP+0x1F],0xFFFFFFFFFFFF |
00007FFC424A28D | 48:8958 08             | MOV QWORD PTR DS:[RAX+0x8],RBX             |
00007FFC424A28E | 48:8970 10             | MOV QWORD PTR DS:[RAX+0x10],RSI            |
00007FFC424A28E | 48:8978 18             | MOV QWORD PTR DS:[RAX+0x18],RDI            |
00007FFC424A28E | 4D:8BF1                | MOV R14,R9                                 |
00007FFC424A28E | 4D:8BE8                | MOV R13,R8                                 |
00007FFC424A28F | 48:8BDA                | MOV RBX,RDX                                |
00007FFC424A28F | 48:8BF9                | MOV RDI,RCX                                |
00007FFC424A28F | E8 C4380700            | CALL <framework.public: static int __cdecl |
00007FFC424A28F | A8 02                  | TEST AL,0x2                                |
00007FFC424A28F | 74 0A                  | JE framework.7FFC424A290A                  |
00007FFC424A290 | B8 02000000            | MOV EAX,0x2                                |
00007FFC424A290 | E9 21060000            | JMP framework.7FFC424A2F2B                 |
00007FFC424A290 | 48:8B4F 20             | MOV RCX,QWORD PTR DS:[RDI+0x20]            |
00007FFC424A290 | 48:85C9                | TEST RCX,RCX                               |
00007FFC424A291 | 74 10                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | 807F 28 00             | CMP BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A291 | 74 0A                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | FF15 D94B0A00          | CALL QWORD PTR DS:[<public: void __cdecl Q |
00007FFC424A291 | C647 28 00             | MOV BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A292 | 48:8D55 DF             | LEA RDX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A292 | 48:8BCB                | MOV RCX,RBX                                |
00007FFC424A292 | FF15 E84D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | 48:8D55 D7             | LEA RDX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A293 | 49:8BCD                | MOV RCX,R13                                |
00007FFC424A293 | FF15 DA4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | C645 CF 00             | MOV BYTE PTR SS:[RBP-0x31],0x0             |
00007FFC424A294 | 45:32E4                | XOR R12B,R12B                              |
00007FFC424A294 | 48:8D15 AB740A00       | LEA RDX,QWORD PTR DS:[0x7FFC42549DF8]      |
00007FFC424A294 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A295 | FF15 8A4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A295 | 41:BF 02000000         | MOV R15D,0x2                               | 》[Patch point 2] So the answer was right next door. Remember we want ESI≠2? Since ESI=R15D, R15D≠2 is enough; that reasoning holds, right? Haha, I just like setting R15D=1, my call...
00007FFC424A295 | 48:8B45 D7             | MOV RAX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A296 | 8378 04 00             | CMP DWORD PTR DS:[RAX+0x4],0x0             |
00007FFC424A296 | 75 08                  | JNE framework.7FFC424A296E                 |
00007FFC424A296 | 41:8BF7                | MOV ESI,R15D                               | 》*** See it? ESI gets assigned here! (ESI=R15D at this point) *** So where is R15D assigned?
00007FFC424A296 | E9 7D050000            | JMP framework.7FFC424A2EEB                 | 》This big jump is the one we were looking for; remember the "Let's go"?
……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
(several lines omitted here)
……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2D6 | E9 83010000            | JMP framework.7FFC424A2EEB                 |
00007FFC424A2D6 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
00007FFC424A2D7 | 45:33C9                | XOR R9D,R9D                                |
00007FFC424A2D7 | 4C:8D05 1EC90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F698]       | ds:[00007FFC4254F698]:"The registration code is invalid."
00007FFC424A2D7 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D7 | 48:8D0D 3B381200       | LEA RCX,QWORD PTR DS:[<public: static stru |
00007FFC424A2D8 | FF15 954A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D8 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D8 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A2D9 | FF15 484A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D9 | 48:8D4D C7             | LEA RCX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D9 | FF15 56350A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2DA | 8B47 48                | MOV EAX,DWORD PTR DS:[RDI+0x48]            |
00007FFC424A2DA | 83F8 04                | CMP EAX,0x4                                |
00007FFC424A2DA | 75 09                  | JNE framework.7FFC424A2DB3                 |
00007FFC424A2DA | 4C:8D05 C7C80A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F678]       | ds:[00007FFC7409F678]:"The registration code expired."
00007FFC424A2DB | EB 0C                  | JMP framework.7FFC424A2DBF                 |
00007FFC424A2DB | 83F8 03                | CMP EAX,0x3                                |
00007FFC424A2DB | 75 3A                  | JNE framework.7FFC424A2DF2                 |
00007FFC424A2DB | 4C:8D05 01C90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F6C0]       | ds:[00007FFC4254F6C0]:"The registration code is forbidden."
00007FFC424A2DB | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
(several lines omitted here)
……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2EE | C647 28 01             | MOV BYTE PTR DS:[RDI+0x28],0x1             |
00007FFC424A2EE | 807D 7F 00             | CMP BYTE PTR SS:[RBP+0x7F],0x0             | 》Analysis shows a big JMP lands here. Let's go take a look at that JMP!
00007FFC424A2EE | 75 15                  | JNE framework.7FFC424A2F06                 |
00007FFC424A2EF | 83FE 02                | CMP ESI,0x2                                | 》When ESI≠2 the JNZ below is taken. Next, look upward for where ESI is assigned.
00007FFC424A2EF | 75 10                  | JNE framework.7FFC424A2F06                 | 》When this jump is taken, the shopping-cart and activation-key icons do not appear in the UI
00007FFC424A2EF | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2EF | 41:8BD7                | MOV EDX,R15D                               |
00007FFC424A2EF | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2EF | E8 FC300000            | CALL <framework.protected: void __cdecl Ak | 》This call does the license activation and so on
00007FFC424A2F0 | EB 0E                  | JMP framework.7FFC424A2F14                 |
00007FFC424A2F0 | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2F0 | 8BD6                   | MOV EDX,ESI                                |
00007FFC424A2F0 | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2F0 | E8 BD550700            | CALL <framework.public: void __cdecl AkCli |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D D7             | LEA RCX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A2F1 | FF15 DA330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D DF             | LEA RCX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A2F2 | FF15 CF330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F2 | 8BC6                   | MOV EAX,ESI                                |
00007FFC424A2F2 | 4C:8D9C24 90000000     | LEA R11,QWORD PTR SS:[RSP+0x90]            |
00007FFC424A2F3 | 49:8B5B 30             | MOV RBX,QWORD PTR DS:[R11+0x30]            |
00007FFC424A2F3 | 49:8B73 38             | MOV RSI,QWORD PTR DS:[R11+0x38]            |
00007FFC424A2F3 | 49:8B7B 40             | MOV RDI,QWORD PTR DS:[R11+0x40]            |
00007FFC424A2F3 | 49:8BE3                | MOV RSP,R11                                |
00007FFC424A2F4 | 41:5F                  | POP R15                                    |
00007FFC424A2F4 | 41:5E                  | POP R14                                    |
00007FFC424A2F4 | 41:5D                  | POP R13                                    |
00007FFC424A2F4 | 41:5C                  | POP R12                                    |
00007FFC424A2F4 | 5D                     | POP RBP                                    |
00007FFC424A2F4 | C3                     | RET                                        |

Read it a hundred times and the meaning reveals itself; look carefully!

Ratings

Participants: 9, CB +15, Enthusiasm +9, Reason
Hmily +7 +1 Welcome to analyze and discuss; 52pojie is better with you!
Zhaofeiyan +1 Thoughtful discussion, everyone benefits!
ck6102 +1 +1 Helpful reply!
bansjs +2 +1 How did you do step 5? How did you get to the address 00007FFC4478648?
wgz001 +1 +1 Thanks for posting original work; 52pojie is better because of you!
wanzm +1 +1 I agree!
雪很冷 +1 +1 Thanks for posting original work; 52pojie is better because of you!
yuehanoo +1 +1 Thoughtful discussion, everyone benefits!
3yu3 +1 +1 Thoughtful discussion, everyone benefits!

OP | speedboy posted on 2023-11-18 20:34
Last edited by speedboy on 2023-11-19 11:20

The finished program:


This is the analysis of the 64-bit program; the 32-bit one differs slightly.
2023-11-18_201825.png
ggmmr123 posted on 2023-11-18 21:22
yycvip posted on 2023-11-18 23:14
Looking up to a real expert; learned something
雾都孤尔 posted on 2023-11-18 23:16
Impressive, learning from this.
wanzm posted on 2023-11-19 08:42
Learning
dragontiger posted on 2023-11-19 09:18
Thorough analysis, learned a lot
sam喵喵 posted on 2023-11-19 10:12
Thanks for sharing; how much do video quality and file size improve after repairing with this?
dragontiger posted on 2023-11-19 11:29
Good software, I'll try repairing a video
longgui0318 posted on 2023-11-19 12:20
Learned something, thanks for sharing