Posted by: yongmin [yongmin]
Author: 小子贼野    Reposted from: 一蓑烟雨

Title: Apollo PSP Video Converter, patching the registration flag (爆破)
Author: 小子贼野 (MayDay)
Author's homepage: http://mayday.unpack.cn
Software: Apollo PSP Video Converter 3.1.9
Download: http://www.onlinedown.net/soft/46619.htm
Packer: none
Protection: name / code
Written in: Microsoft Visual C++ 6.0
Tools: OllyDbg (OD)
Platform: Windows XP
Software description: a powerful MP4 video converter that turns video files into formats the Sony PSP handheld supports (for example .MP4). It handles almost every popular video format, such as AVI, Divx, Xvid, MPEG, WMV, ASF, RM, RMVB, SVCD, VCD and MOV. It can also convert the audio track of a video file, or WMA, AAC, M4A, AC3 and OGG audio files, to PSP MP3.
Author's note: this is purely out of interest, with no other purpose. Please point out any mistakes!

--------------------------------------------------------------------------------
Detailed process
--------------------------------------------------------------------------------

The key location can be found through the string references. In Ultra String Reference, item 17:

Address=00402871  Disassembly=PUSH Apollo_P.004C5298  Text string=invalid user name or registeration code

The code at that location is as follows:

00402840  . 81EC 00020000   SUB ESP,200
00402846  . 56              PUSH ESI
00402847  . 6A 01           PUSH 1
00402849  . 8BF1            MOV ESI,ECX
0040284B  . E8 30E60800     CALL <JMP.&MFC42.#6334_CWnd::UpdateData>
00402850  . 8B86 34010000   MOV EAX,DWORD PTR DS:[ESI+134]
00402856  . 8B8E 38010000   MOV ECX,DWORD PTR DS:[ESI+138]
0040285C  . 50              PUSH EAX
0040285D  . 51              PUSH ECX
0040285E  . E8 9DCF0000     CALL Apollo_P.0040F800                  ; algorithm call
00402863  . 83C4 08         ADD ESP,8
00402866  . 85C0            TEST EAX,EAX
00402868    75 1B           JNZ SHORT Apollo_P.00402885             ; the key jump, but the program re-validates on restart, so changing this alone achieves nothing :)
0040286A  . 6A 40           PUSH 40
0040286C  . 68 C0524C00     PUSH Apollo_P.004C52C0                  ; ASCII "Sorry"
00402871  . 68 98524C00     PUSH Apollo_P.004C5298                  ; invalid user name or registeration code
00402876  . 8BCE            MOV ECX,ESI
00402878  . E8 FDE50800     CALL <JMP.&MFC42.#4224_CWnd::MessageBoxA>
0040287D  . 5E              POP ESI
0040287E  . 81C4 00020000   ADD ESP,200
00402884  . C3              RETN
00402885  > 8B86 38010000   MOV EAX,DWORD PTR DS:[ESI+138]
0040288B  . 8D8C24 040100>  LEA ECX,DWORD PTR SS:[ESP+104]
00402892  . 50              PUSH EAX                                ; /<%s>
00402893  . 68 6C524C00     PUSH Apollo_P.004C526C                  ; |This copy is licensed to:%s
00402898  . 51              PUSH ECX                                ; |s
00402899  . FF15 549D4900   CALL DWORD PTR DS:[<&MSVCRT.sprintf>]   ; \sprintf
0040289F  . 83C4 0C         ADD ESP,0C
004028A2  . 8D9424 040100>  LEA EDX,DWORD PTR SS:[ESP+104]
004028A9  . 8BCE            MOV ECX,ESI
004028AB  . 6A 40           PUSH 40
004028AD  . 68 60524C00     PUSH Apollo_P.004C5260                  ; Thank you
004028B2  . 52              PUSH EDX
004028B3  . E8 C2E50800     CALL <JMP.&MFC42.#4224_CWnd::MessageBoxA>
004028B8  . 8B8E 38010000   MOV ECX,DWORD PTR DS:[ESI+138]
004028BE  . BA 10844D00     MOV EDX,Apollo_P.004D8410
004028C3  > 8A01            MOV AL,BYTE PTR DS:[ECX]
004028C5  . 41              INC ECX
004028C6  . 8802            MOV BYTE PTR DS:[EDX],AL
004028C8  . 42              INC EDX
004028C9  . 84C0            TEST AL,AL
004028CB .^ 75 F6           JNZ SHORT Apollo_P.004028C3
004028CD  . 8B8E 34010000   MOV ECX,DWORD PTR DS:[ESI+134]
004028D3  . BA 08834D00     MOV EDX,Apollo_P.004D8308
004028D8  > 8A01            MOV AL,BYTE PTR DS:[ECX]
004028DA  . 41              INC ECX
004028DB  . 8802            MOV BYTE PTR DS:[EDX],AL
004028DD  . 42              INC EDX
004028DE  . 84C0            TEST AL,AL
004028E0 .^ 75 F6           JNZ SHORT Apollo_P.004028D8
004028E2  . 8D4424 04       LEA EAX,DWORD PTR SS:[ESP+4]
004028E6  . 57              PUSH EDI
004028E7  . 50              PUSH EAX
004028E8  . C705 10854D00>  MOV DWORD PTR DS:[4D8510],1
004028F2  . E8 A9D70000     CALL Apollo_P.004100A0
004028F7  . 8D7C24 0C       LEA EDI,DWORD PTR SS:[ESP+C]
004028FB  . 83C9 FF         OR ECX,FFFFFFFF
004028FE  . 33C0            XOR EAX,EAX
00402900  . 83C4 04         ADD ESP,4
00402903  . F2:AE           REPNE SCAS BYTE PTR ES:[EDI]
00402905  . F7D1            NOT ECX
00402907  . 49              DEC ECX
00402908  . BA 50524C00     MOV EDX,Apollo_P.004C5250               ; register.ini
0040290D  . 8D4C0C 08       LEA ECX,DWORD PTR SS:[ESP+ECX+8]
00402911  . 2BCA            SUB ECX,EDX
00402913  > 8A02            MOV AL,BYTE PTR DS:[EDX]
00402915  . 880411          MOV BYTE PTR DS:[ECX+EDX],AL
00402918  . 42              INC EDX
00402919  . 84C0            TEST AL,AL
0040291B .^ 75 F6           JNZ SHORT Apollo_P.00402913
0040291D  . 8B3D E8914900   MOV EDI,DWORD PTR DS:[<&KERNEL32.WritePr> ; kernel32.WritePrivateProfileStringA
00402923  . 8D4C24 08       LEA ECX,DWORD PTR SS:[ESP+8]
00402927  . 51              PUSH ECX                                ; /FileName
00402928  . 68 10844D00     PUSH Apollo_P.004D8410                  ; |String = ""
0040292D  . 68 44524C00     PUSH Apollo_P.004C5244                  ; |User name
00402932  . 68 38524C00     PUSH Apollo_P.004C5238                  ; |Register
00402937  . FFD7            CALL EDI                                ; \WritePrivateProfileStringA
00402939  . 8D5424 08       LEA EDX,DWORD PTR SS:[ESP+8]
0040293D  . 52              PUSH EDX                                ; /FileName
0040293E  . 68 08834D00     PUSH Apollo_P.004D8308                  ; |String = ""
00402943  . 68 24524C00     PUSH Apollo_P.004C5224                  ; |Registration code
00402948  . 68 38524C00     PUSH Apollo_P.004C5238                  ; |Register
0040294D  . FFD7            CALL EDI                                ; \WritePrivateProfileStringA
0040294F  . 8BCE            MOV ECX,ESI
00402951  . E8 40E40800     CALL <JMP.&MFC42.#4853_CDialog::OnOK>
00402956  . 5F              POP EDI
00402957  . 5E              POP ESI
00402958  . 81C4 00020000   ADD ESP,200
0040295E  . C3              RETN

--------------------------------------------------------------------------------

Set a breakpoint (F2) on the algorithm call, run, and step into it. The code is as follows (PS: since this is a flag patch, N lines are omitted :)):

0040F800    6A FF           PUSH -1
0040F802    68 99504900     PUSH Apollo_P.00495099                  ; entry address
0040F807 |. 64:A1 0000000>  MOV EAX,DWORD PTR FS:[0]
0040F80D |. 50              PUSH EAX
0040F80E |. 64:8925 00000>  MOV DWORD PTR FS:[0],ESP
0040F815 |. 81EC 94000000   SUB ESP,94
0040F81B |. 8B8424 A40000>  MOV EAX,DWORD PTR SS:[ESP+A4]
0040F822 |. 53              PUSH EBX
0040F823 |. 56              PUSH ESI
0040F824 |. 50              PUSH EAX
0040F825 |. 8D4C24 10       LEA ECX,DWORD PTR SS:[ESP+10]
0040F829 |. C74424 60 01F>  MOV DWORD PTR SS:[ESP+60],33CAFC01
0040F831 |. C74424 64 3FD>  MOV DWORD PTR SS:[ESP+64],2D93DC3F
0040F839 |. C74424 68 9C0>  MOV DWORD PTR SS:[ESP+68],D08B019C
0040F841 |. C74424 6C A34>  MOV DWORD PTR SS:[ESP+6C],A0C642A3
0040F849 |. C74424 70 F43>  MOV DWORD PTR SS:[ESP+70],886F37F4
0040F851 |. C74424 74 87F>  MOV DWORD PTR SS:[ESP+74],520EF687
0040F859 |. C74424 78 A5F>  MOV DWORD PTR SS:[ESP+78],BB86F4A5
0040F861 |. C74424 7C D29>  MOV DWORD PTR SS:[ESP+7C],4B7697D2
0040F869 |. E8 A6150800     CALL <JMP.&MFC42.#537_CString::CString>
0040F86E |. 8B8C24 B00000>  MOV ECX,DWORD PTR SS:[ESP+B0]
0040F875 |. C78424 A40000>  MOV DWORD PTR SS:[ESP+A4],0
0040F880 |. 51              PUSH ECX
0040F881 |. 8D4C24 0C       LEA ECX,DWORD PTR SS:[ESP+C]
0040F885 |. E8 8A150800     CALL <JMP.&MFC42.#537_CString::CString>
0040F88A |. 68 4C5B4C00     PUSH Apollo_P.004C5B4C
0040F88F |. 8D4C24 10       LEA ECX,DWORD PTR SS:[ESP+10]
0040F893 |. C68424 A80000>  MOV BYTE PTR SS:[ESP+A8],1
0040F89B |. E8 BC180800     CALL <JMP.&MFC42.#6928_CString::TrimLeft>
0040F8A0 |. 68 4C5B4C00     PUSH Apollo_P.004C5B4C
0040F8A5 |. 8D4C24 10       LEA ECX,DWORD PTR SS:[ESP+10]
0040F8A9 |. E8 A8180800     CALL <JMP.&MFC42.#6930_CString::TrimRigh>
0040F8AE |. 68 4C5B4C00     PUSH Apollo_P.004C5B4C
0040F8B3 |. 8D4C24 0C       LEA ECX,DWORD PTR SS:[ESP+C]
0040F8B7 |. E8 A0180800     CALL <JMP.&MFC42.#6928_CString::TrimLeft>
0040F8BC |. 68 4C5B4C00     PUSH Apollo_P.004C5B4C
0040F8C1 |. 8D4C24 0C       LEA ECX,DWORD PTR SS:[ESP+C]
0040F8C5 |. E8 8C180800     CALL <JMP.&MFC42.#6930_CString::TrimRigh>
0040F8CA |. 8B5424 0C       MOV EDX,DWORD PTR SS:[ESP+C]
0040F8CE |. 8B35 2C9D4900   MOV ESI,DWORD PTR DS:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp
0040F8D4 |. 68 E0414D00     PUSH Apollo_P.004D41E0                  ; /s2 = ""
0040F8D9 |. 52              PUSH EDX                                ; |s1
0040F8DA |. FFD6            CALL ESI                                ; \_mbscmp
0040F8DC |. 83C4 08         ADD ESP,8
0040F8DF |. 85C0            TEST EAX,EAX
0040F8E1 |. 0F84 0F020000   JE Apollo_P.0040FAF6
0040F8E7 |. 8B4424 08       MOV EAX,DWORD PTR SS:[ESP+8]
0040F8EB |. 68 E0414D00     PUSH Apollo_P.004D41E0
0040F8F0 |. 50              PUSH EAX
0040F8F1 |. FFD6            CALL ESI
0040F8F3 |. 83C4 08         ADD ESP,8
0040F8F6 |. 85C0            TEST EAX,EAX
0040F8F8 |. 0F84 F8010000   JE Apollo_P.0040FAF6
0040F8FE |. 57              PUSH EDI
0040F8FF |. 6A 00           PUSH 0
0040F901 |. 8D4C24 44       LEA ECX,DWORD PTR SS:[ESP+44]
0040F905 |. E8 161F0000     CALL Apollo_P.00411820
0040F90A |. 6A 00           PUSH 0

--------------------------------------------------------------------------------

Once inside, one look shows that EAX always comes back 0, and again non-zero means registered. What to do? Easy, heh: just change it to

mov eax,1
retn

--------------------------------------------------------------------------------

Save the file, run it, OK, the patch is done :)

--------------------------------------------------------------------------------
Summary
Yet another typical restart-validation program. Once the algorithm call is found, software like this is very simple. The thing to watch is the condition for successful registration: usually non-zero means registered, so the usual patch is to set eax to 1 and return, which gets the job done. A newbie uses a newbie's methods :)
Original poster (地主)    Posted: 07-07-27 10:23
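Editor's added example, not part of the original post and not the product's code: a small C model of why the post's summary holds and what a defender would change. license_is_valid has the shape seen in the listing above: a routine returns zero or non-zero, the dialog does TEST EAX,EAX / JNZ on it and then saves the pair to register.ini for the restart check, and because the post's patch targets that one routine, every path is decided by one return value. ship_table and unlock_formats show the alternative design: the typed code is folded into a key that the feature path consumes directly, so there is no verdict and no single instruction whose result settles "registered". Every name here (the FNV-1a hash, the keystream, the format table, the vendor code "PSP-DEMO-CODE") is an assumption made up for this example and has nothing to do with the product's real algorithm; a purely offline scheme still carries everything it needs inside the binary, so the second pattern raises the cost of a patch rather than preventing one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit FNV-1a. Constructed stand-in for whatever the product really computes. */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x01000193u;
    }
    return h;
}

/* Vendor side of pattern A (assumed): the code issued for a name is the hex
 * of fnv1a(name). Exists only so the example can produce a matching pair. */
void vendor_issue_code(const char *name, char out[9])
{
    snprintf(out, 9, "%08X", fnv1a(name));
}

/* Pattern A: the shape in the listing. The routine behind CALL 0040F800
 * returns a verdict, the dialog does TEST EAX,EAX / JNZ on it and writes
 * name and code to register.ini; the restart check consults the same
 * routine. Every path depends on one return value, which is why the
 * post's "mov eax,1 / retn" settles everything. */
int license_is_valid(const char *name, const char *code)
{
    char expected[9];
    vendor_issue_code(name, expected);
    return strcmp(code, expected) == 0;   /* non-zero = registered, 0 = "Sorry" */
}

/* Pattern B: no verdict. The typed code is folded into a key that the
 * feature path consumes directly. A wrong code takes no other branch; it
 * simply yields unusable bytes. Toy masking, constructed here, not a cipher. */
static uint8_t keystream(uint32_t key, size_t i)
{
    uint32_t x = key ^ (uint32_t)(i * 0x9E3779B9u);
    x ^= x >> 16;
    x *= 0x7FEB352Du;
    x ^= x >> 15;
    return (uint8_t)x;
}

#define TABLE_LEN 29
static uint8_t masked_formats[TABLE_LEN];   /* the bytes a shipped binary would embed */

/* Build the masked table under the vendor's code. Done at run time only so
 * the example is self-contained; a real build would embed masked_formats. */
void ship_table(const char *vendor_code)
{
    static const char plain[TABLE_LEN + 1] = "avi,divx,mpeg,wmv,rm,rmvb,mov";
    uint32_t key = fnv1a(vendor_code);
    for (size_t i = 0; i < TABLE_LEN; i++)
        masked_formats[i] = (uint8_t)plain[i] ^ keystream(key, i);
}

/* Unmask with whatever the user typed. Nothing here returns "valid", so
 * there is no single instruction for a patch to flip. */
void unlock_formats(const char *typed_code, char out[TABLE_LEN + 1])
{
    uint32_t key = fnv1a(typed_code);
    for (size_t i = 0; i < TABLE_LEN; i++)
        out[i] = (char)(masked_formats[i] ^ keystream(key, i));
    out[TABLE_LEN] = '\0';
}

int main(void)
{
    char code[9], formats[TABLE_LEN + 1];

    vendor_issue_code("demo user", code);
    printf("pattern A, issued code %s -> %s\n", code,
           license_is_valid("demo user", code) ? "registered" : "Sorry");
    printf("pattern A, code XXXXXXXX -> %s\n",
           license_is_valid("demo user", "XXXXXXXX") ? "registered" : "Sorry");

    ship_table("PSP-DEMO-CODE");            /* constructed vendor code */
    unlock_formats("PSP-DEMO-CODE", formats);
    printf("pattern B, right code: %s\n", formats);
    unlock_formats("XXXXXXXX", formats);
    printf("pattern B, wrong code: %s\n",
           strcmp(formats, "avi,divx,mpeg,wmv,rm,rmvb,mov") ? "garbage" : "same?!");
    return 0;
}
```

The point of the second half is structural: in pattern A the whole decision lives in one TEST/JNZ, whereas in pattern B the registration material is an input the feature code cannot run without, so the listing's "key jump" does not exist. Binding that material to something outside the binary (a signed licence, a server-issued key) is what would actually make it resist offline patching; the toy masking here only removes the flag.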
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.