wmamp3converter: Plaintext serial and patching of 4U WMA MP3 Converter 5.9.3 (illustrated)
Published: Thursday, March 12, 2009

Software size: 6230KB
Software language: English
Software category: Foreign software / Shareware / Audio tools
Runtime environment: Win9x/Me/NT/2000/XP/2003
Updated: 2007-4-5 10:56:03
Download: http://bj.onlinedown.net/soft/19155.htm

Software details: A powerful music format conversion tool. It converts between the MP3, WAV, WMA, OGG and VOX formats, and can also convert MPC, AVI, MP1, MP2, MPEG, MPG, MPA, g721, g726, g723 or RAW to MP3, WAV, WMA, OGG or VOX. Other features include displaying and editing ID3 tags and playing MP3, WMA, WAV, OGG, VOX, MPC, AVI, MP1, MP2, MPEG, MPG, MPA, g721, g726, g723 or RAW files. It is very easy to operate: every action can be completed from the right-click menu.

We set a breakpoint at 0048DA60.

0048DA60 /$ 55 push ebp
0048DA61 |. 8BEC mov ebp, esp
0048DA63 |. 6A 00 push 0
0048DA65 |. 6A 00 push 0
0048DA67 |. 6A 00 push 0
0048DA69 |. 6A 00 push 0
0048DA6B |. 6A 00 push 0
0048DA6D |. 53 push ebx
0048DA6E |. 56 push esi
0048DA6F |. 894D F8 mov dword ptr [ebp-8], ecx
0048DA72 |. 8955 FC mov dword ptr [ebp-4], edx
0048DA75 |. 8BF0 mov esi, eax
0048DA77 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048DA7A |. E8 0171F7FF call 00404B80
0048DA7F |. 8B45 F8 mov eax, dword ptr [ebp-8]
0048DA82 |. E8 F970F7FF call 00404B80
0048DA87 |. 33C0 xor eax, eax
0048DA89 |. 55 push ebp
0048DA8A |. 68 57DB4800 push 0048DB57
0048DA8F |. 64:FF30 push dword ptr fs:[eax]
0048DA92 |. 64:8920 mov dword ptr fs:[eax], esp
0048DA95 |. 33DB xor ebx, ebx
0048DA97 |. 33D2 xor edx, edx
0048DA99 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048DA9C |. E8 3372F7FF call 00404CD4
0048DAA1 |. 85C0 test eax, eax
0048DAA3 |. 7E 0B jle 0048DAB0
0048DAA5 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0048DAA8 |. 8B55 FC mov edx, dword ptr [ebp-4]
0048DAAB |. E8 C86CF7FF call 00404778
0048DAB0 |> 8D4D F4 lea ecx, dword ptr [ebp-C]
0048DAB3 |. 8B55 FC mov edx, dword ptr [ebp-4]
0048DAB6 |. 8BC6 mov eax, esi
0048DAB8 |. E8 2F010000 call 0048DBEC ; algorithm CALL; step in here to analyze the algorithm
0048DABD |. 8B55 F4 mov edx, dword ptr [ebp-C] ; load the real code into EDX
0048DAC0 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; load the entered (fake) code into EAX
0048DAC3 |. E8 DCAFF7FF call 00408AA4 ; a memory keygen can be built here
0048DAC8 |. 85C0 test eax, eax
0048DACA 75 41 jnz 0048DB0D ; patch point: NOP this out or change jnz to jz
0048DACC |. 8B55 FC mov edx, dword ptr [ebp-4]
0048DACF |. 8BC6 mov eax, esi
0048DAD1 |. E8 DAF3FFFF call 0048CEB0 ; this CALL writes information to the registry
0048DAD6 |. 84C0 test al, al
0048DAD8 |. 74 62 je 0048DB3C ; flag comparison; by default no jump is taken here
0048DADA |. B3 01 mov bl, 1
0048DADC |. 6A 40 push 40
0048DADE |. 8D55 F0 lea edx, dword ptr [ebp-10]
0048DAE1 |. A1 ECEF4B00 mov eax, dword ptr [4BEFEC]
0048DAE6 |. 8B00 mov eax, dword ptr [eax]
0048DAE8 |. E8 0B97FDFF call 004671F8
0048DAED |. 8B45 F0 mov eax, dword ptr [ebp-10]
0048DAF0 |. E8 9B70F7FF call 00404B90
0048DAF5 |. 50 push eax ; |Title
0048DAF6 |. 68 68DB4800 push 0048DB68 ; |Text = "Registered successfully, Thanks for your registration."
0048DAFB |. A1 ECEF4B00 mov eax, dword ptr [4BEFEC] ; |
0048DB00 |. 8B00 mov eax, dword ptr [eax] ; |
0048DB02 |. 8B40 30 mov eax, dword ptr [eax+30] ; |
0048DB05 |. 50 push eax ; |hOwner
0048DB06 |. E8 4D9BF7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0048DB0B |. EB 2F jmp 0048DB3C

Why is modifying the key jump (0048DACA jnz) enough to crack this software? Step into the CALL at 0048DAD1, just below the key jump, and analyze it. This CALL writes one value to the registry: "ConnectionOption"="NYJZCL". Part of the code inside the CALL is as follows:

0048CEF8 |. E8 5B1AFEFF call 0046E958
0048CEFD |. B1 01 mov cl, 1
0048CEFF |. BA A0CF4800 mov edx, 0048CFA0 ; ASCII "Software\Microsoft\Windows\CurrentVersion\explorer\WMAConvert Options"
0048CF04 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0048CF07 |. E8 B01AFEFF call 0046E9BC
0048CF0C |. 84C0 test al, al
0048CF0E |. 74 3F je 0048CF4F ; by default the software does not jump here
0048CF10 |. 8B4D FC mov ecx, dword ptr [ebp-4]
0048CF13 |. BA F0CF4800 mov edx, 0048CFF0 ; ASCII "ConnectionName"
0048CF18 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0048CF1B |. E8 381CFEFF call 0046EB58
0048CF20 |. B9 08D04800 mov ecx, 0048D008 ; ASCII "NYJZCL" /* this is the flag that decides whether the software is registered */
0048CF25 |. BA 18D04800 mov edx, 0048D018 ; ASCII "ConnectionOption"
0048CF2A |. 8B45 F4 mov eax, dword ptr [ebp-C]

Open the registry editor (Win - Run - regedit) and search for "WMAConvert Options" to locate where the software keeps its registration information in the registry:

[HKEY_USERS\S-1-5-21-746137067-484061587-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\WMAConvert Options]
(the "S-1-5-21-746137067-484061587-682003330-500" part may differ on your system)
"ConnectionOption"="NYJZCL" /* the value "NYJZCL" is especially important: if it is written to the registry, the software counts as registered; delete this entry and we can continue the analysis */
"ConnectionDate"=hex:48,b0,ad,de,bb,1c,e3,40
"LastDate"=hex:9e,63,19,d8,bb,1c,e3,40
"ConnectionName"="Nisy" /* the user name here determines who the license is shown as granted to */

Software that writes a fixed value to the system after registration is the easiest to crack; put another way, the fixed value itself is a universal KEY. This is what lays the groundwork for a simple patch.
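The closing point, that a fixed registry marker acts as a universal key, seen from the design side in an added example (not code from the original page or from the product): a check on the constant "NYJZCL" accepts any store that contains it, while a token that is a signature over the licensee name and is re-verified at every start does not transfer to another name. The RSA key, the `LicenseToken` value and all function names are constructed for illustration, and textbook RSA with a toy key stands in for a vetted signature library.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: vendor side only, never shipped

FIXED_MARKER = "NYJZCL"  # the constant the page finds under "ConnectionOption"


def digest(name: str) -> int:
    """SHA-256 of the licensee name, reduced into the modulus range."""
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % N


def issue_license(name: str) -> str:
    """Vendor side (hypothetical helper): sign the licensee name."""
    return format(pow(digest(name), D, N), "x")


def weak_is_registered(store: dict) -> bool:
    """Design described on the page: any store holding the constant is 'registered'."""
    return store.get("ConnectionOption") == FIXED_MARKER


def hardened_is_registered(store: dict) -> bool:
    """Client side: at each start, verify the token is a signature over the stored name."""
    name, token = store.get("ConnectionName"), store.get("LicenseToken")
    if not name or not token:
        return False
    try:
        sig = int(token, 16)
    except ValueError:
        return False  # not even a well-formed token
    return 0 < sig < N and pow(sig, E, N) == digest(name)


if __name__ == "__main__":
    copied = {"ConnectionName": "Anyone", "ConnectionOption": FIXED_MARKER}
    licensed = {"ConnectionName": "Nisy", "LicenseToken": issue_license("Nisy")}
    print(weak_is_registered(copied), hardened_is_registered(copied))
    print(hardened_is_registered(licensed))
```

The dictionaries stand in for the registry key; only `N` and `E` would ship in the client.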