KaQqi
发表于 2016-12-24 19:35
视频旋转器我挺需要的,比如正着转侧着,等等。以前一直想用 Flash 修改,后来发现了这款软件。
今天我们来分析分析。先熟悉流程
然后就退出了。
通过字符串找到关键位置。因为有退出,所以 F12 法不能很好地使用(对,就是字符串)。
这是 VB 程序,搜索 Unicode 字符串。
很明显有两处。不管怎样,进第一个看看。
00496634 . /0F84 AD000000 je VideoRot.004966E7
0049663A . |C745 FC 0C000>mov dword ptr ss:[ebp-0x4],0xC
00496641 . |C745 80 04000>mov dword ptr ss:[ebp-0x80],0x80020004
00496648 . |C785 78FFFFFF>mov dword ptr ss:[ebp-0x88],0xA
00496652 . |C745 90 04000>mov dword ptr ss:[ebp-0x70],0x80020004
00496659 . |C745 88 0A000>mov dword ptr ss:[ebp-0x78],0xA
00496660 . |C785 50FFFFFF>mov dword ptr ss:[ebp-0xB0],VideoRot.004>; 失败
0049666A . |C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x8
00496674 . |8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
0049667A . |8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0049667D . |E8 CECDF6FF call <jmp.&MSVBVM60.__vbaVarDup>
00496682 . |C785 60FFFFFF>mov dword ptr ss:[ebp-0xA0],VideoRot.004>; 错误的注册码.
0049668C . |C785 58FFFFFF>mov dword ptr ss:[ebp-0xA8],0x8
00496696 . |8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
0049669C . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
0049669F . |E8 ACCDF6FF call <jmp.&MSVBVM60.__vbaVarDup>
004966A4 . |8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
只有一个失败。莫非是判断注册码是否为空?管他呢,就jmp。
00496B81 . C745 FC 1B000>mov dword ptr ss:[ebp-0x4],0x1B
00496B88 . C745 80 04000>mov dword ptr ss:[ebp-0x80],0x80020004
00496B8F . C785 78FFFFFF>mov dword ptr ss:[ebp-0x88],0xA
00496B99 . C745 90 04000>mov dword ptr ss:[ebp-0x70],0x80020004
00496BA0 . C745 88 0A000>mov dword ptr ss:[ebp-0x78],0xA
00496BA7 . C785 50FFFFFF>mov dword ptr ss:[ebp-0xB0],VideoRot.004>; 成功
00496BB1 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x8
00496BBB . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00496BC1 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
00496BC4 . E8 87C8F6FF call <jmp.&MSVBVM60.__vbaVarDup>
00496BC9 . C785 60FFFFFF>mov dword ptr ss:[ebp-0xA0],VideoRot.004>; 注册成功,请重新启动程序。
00496BD3 . C785 58FFFFFF>mov dword ptr ss:[ebp-0xA8],0x8
00496BDD . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
其实只要走过那里,就到成功了。那就是一个爆破位置。
由于不清楚第一个 jnz 是干嘛的,所以在第一个上面就下断跟踪。
004963E3 > \8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
004963E6 . 8985 D0FEFFFF mov dword ptr ss:[ebp-0x130],eax
004963EC . 8365 C0 00 and dword ptr ss:[ebp-0x40],0x0
004963F0 . 8B85 D0FEFFFF mov eax,dword ptr ss:[ebp-0x130]
004963F6 . 8945 90 mov dword ptr ss:[ebp-0x70],eax
004963F9 . C745 88 08000>mov dword ptr ss:[ebp-0x78],0x8
00496400 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
此处初始化循环指针并读取假码。从此以后需要注意。
寄存器中总有一些奇怪的十六进制 ASCII。这些大家不要管它,注意这是 VB 程序。
堆栈 ss:[0012E75C]=0020BE6C, (UNICODE "VRSAGK852WD")
这块需要注意了。
之后我们会进入算法循环。
004962BC . E8 E3D1F6FF call <jmp.&MSVBVM60.__vbaFreeObj>
004962C1 . E9 CD010000 jmp VideoRot.00496493
004962C6 > C745 FC 05000>mov dword ptr ss:[ebp-0x4],0x5
004962CD . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
004962D0 . 8B00 mov eax,dword ptr ds:[eax]
004962D2 . FF75 08 push dword ptr ss:[ebp+0x8]
004962D5 . FF90 04030000 call dword ptr ds:[eax+0x304]
004962DB . 50 push eax
004962DC . 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
004962DF . 50 push eax
004962E0 . E8 D1D1F6FF call <jmp.&MSVBVM60.__vbaObjSet>
004962E5 . 8985 20FFFFFF mov dword ptr ss:[ebp-0xE0],eax
004962EB . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
004962EE . 50 push eax
004962EF . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
004962F2 . 50 push eax
004962F3 . E8 98D0F6FF call <jmp.&MSVBVM60.__vbaI2Var>
004962F8 . 50 push eax
004962F9 . 8B85 20FFFFFF mov eax,dword ptr ss:[ebp-0xE0]
004962FF . 8B00 mov eax,dword ptr ds:[eax]
00496301 . FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
00496307 . FF90 F8000000 call dword ptr ds:[eax+0xF8]
0049630D . DBE2 fclex
0049630F . 8985 1CFFFFFF mov dword ptr ss:[ebp-0xE4],eax
00496315 . 83BD 1CFFFFFF>cmp dword ptr ss:[ebp-0xE4],0x0
0049631C . 7D 23 jge short VideoRot.00496341
0049631E . 68 F8000000 push 0xF8
00496323 . 68 C8CF4600 push VideoRot.0046CFC8
00496328 . FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
0049632E . FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00496334 . E8 77D1F6FF call <jmp.&MSVBVM60.__vbaHresultCheckObj>
00496339 . 8985 C0FEFFFF mov dword ptr ss:[ebp-0x140],eax
0049633F . EB 07 jmp short VideoRot.00496348
00496341 > 83A5 C0FEFFFF>and dword ptr ss:[ebp-0x140],0x0
00496348 > 8B45 C4 mov eax,dword ptr ss:[ebp-0x3C]
0049634B . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00496351 . 8365 C4 00 and dword ptr ss:[ebp-0x3C],0x0
00496355 . 8B85 D4FEFFFF mov eax,dword ptr ss:[ebp-0x12C]
0049635B . 8945 B0 mov dword ptr ss:[ebp-0x50],eax
0049635E . C745 A8 08000>mov dword ptr ss:[ebp-0x58],0x8
00496365 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
00496368 . 50 push eax
00496369 . 8D45 98 lea eax,dword ptr ss:[ebp-0x68]
0049636C . 50 push eax
0049636D . E8 E2CFF6FF call <jmp.&MSVBVM60.#rtcTrimVar_520>
00496372 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00496375 . 8B00 mov eax,dword ptr ds:[eax]
00496377 . FF75 08 push dword ptr ss:[ebp+0x8]
0049637A . FF90 08030000 call dword ptr ds:[eax+0x308]
00496380 . 50 push eax
00496381 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48]
00496384 . 50 push eax
00496385 . E8 2CD1F6FF call <jmp.&MSVBVM60.__vbaObjSet>
0049638A . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00496390 . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
00496393 . 50 push eax
00496394 . 8B85 18FFFFFF mov eax,dword ptr ss:[ebp-0xE8]
0049639A . 8B00 mov eax,dword ptr ds:[eax]
0049639C . FFB5 18FFFFFF push dword ptr ss:[ebp-0xE8]
004963A2 . FF90 A0000000 call dword ptr ds:[eax+0xA0]
004963A8 . DBE2 fclex
004963AA . 8985 14FFFFFF mov dword ptr ss:[ebp-0xEC],eax
004963B0 . 83BD 14FFFFFF>cmp dword ptr ss:[ebp-0xEC],0x0
004963B7 . 7D 23 jge short VideoRot.004963DC
004963B9 . 68 A0000000 push 0xA0
004963BE . 68 64D54600 push VideoRot.0046D564
004963C3 . FFB5 18FFFFFF push dword ptr ss:[ebp-0xE8]
004963C9 . FFB5 14FFFFFF push dword ptr ss:[ebp-0xEC]
004963CF . E8 DCD0F6FF call <jmp.&MSVBVM60.__vbaHresultCheckObj>
004963D4 . 8985 BCFEFFFF mov dword ptr ss:[ebp-0x144],eax
004963DA . EB 07 jmp short VideoRot.004963E3
004963DC > 83A5 BCFEFFFF>and dword ptr ss:[ebp-0x144],0x0
004963E3 > 8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
004963E6 . 8985 D0FEFFFF mov dword ptr ss:[ebp-0x130],eax
004963EC . 8365 C0 00 and dword ptr ss:[ebp-0x40],0x0
004963F0 . 8B85 D0FEFFFF mov eax,dword ptr ss:[ebp-0x130]
004963F6 . 8945 90 mov dword ptr ss:[ebp-0x70],eax
004963F9 . C745 88 08000>mov dword ptr ss:[ebp-0x78],0x8
00496400 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
00496403 . 50 push eax
00496404 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
0049640A . 50 push eax
0049640B . E8 44CFF6FF call <jmp.&MSVBVM60.#rtcTrimVar_520>
00496410 . 8D45 98 lea eax,dword ptr ss:[ebp-0x68]
00496413 . 50 push eax ; /var18 = 00000001
00496414 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88] ; |
0049641A . 50 push eax ; |var28 = 00000001
0049641B . E8 A2D0F6FF call <jmp.&MSVBVM60.__vbaVarTstEq> ; \__vbaVarTstEq
00496420 . 66:8985 10FFF>mov word ptr ss:[ebp-0xF0],ax
00496427 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48]
0049642A . 50 push eax
0049642B . 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
0049642E . 50 push eax
0049642F . 6A 02 push 0x2
00496431 . E8 DECFF6FF call <jmp.&MSVBVM60.__vbaFreeObjList>
00496436 . 83C4 0C add esp,0xC
00496439 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
0049643F . 50 push eax
00496440 . 8D45 98 lea eax,dword ptr ss:[ebp-0x68]
00496443 . 50 push eax
00496444 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
00496447 . 50 push eax
00496448 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
0049644B . 50 push eax
0049644C . 6A 04 push 0x4
0049644E . E8 75D0F6FF call <jmp.&MSVBVM60.__vbaFreeVarList>
00496453 . 83C4 14 add esp,0x14
00496456 . 0FBF85 10FFFF>movsx eax,word ptr ss:[ebp-0xF0]
0049645D . 85C0 test eax,eax
0049645F . 74 0E je short VideoRot.0049646F
00496461 . C745 FC 06000>mov dword ptr ss:[ebp-0x4],0x6
00496468 . 66:834D CC FF or word ptr ss:[ebp-0x34],0xFFFF
0049646D . EB 31 jmp short VideoRot.004964A0
0049646F > C745 FC 09000>mov dword ptr ss:[ebp-0x4],0x9
00496476 . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-0x110]
0049647C . 50 push eax ; /TMPend8 = 00000001
0049647D . 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-0x100] ; |
00496483 . 50 push eax ; |TMPstep8 = 00000001
00496484 . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30] ; |
00496487 . 50 push eax ; |Counter8 = 00000001
00496488 . E8 FDCEF6FF call <jmp.&MSVBVM60.__vbaVarForNext> ; \__vbaVarForNext
0049648D . 8985 D8FEFFFF mov dword ptr ss:[ebp-0x128],eax
00496493 > 83BD D8FEFFFF>cmp dword ptr ss:[ebp-0x128],0x0
0049649A .^ 0F85 26FEFFFF jnz VideoRot.004962C6
是吧。
好的,初步确定真码出现。VRSAGK852WD
496634
00496634 /E9 AE000000 jmp VideoRot.004966E7
00496639 |90 nop
好,爆破位置都给了,具体不需要我说了吧
@Sound 指导下