Searching the referenced strings turns up the following:

004684EC  mov eax, 00468A0C    ; 播放授权不合法! (playback authorization invalid!)
004684FB  mov eax, 00468A28    ; 播放授权不正确! (playback authorization incorrect!)
          push 00468A44        ; yaomediakj1jf ; double-click here, go to the start of the function and set a hardware execution breakpoint
          mov eax, 00468A5C    ; 播放密码不正确 (playback password incorrect)
          push 00468A74        ; c:\china-drm\
004686B4  push 00468A8C        ; .ini
          mov eax, 00468A5C    ; 播放密码不正确
004687DD  push 00468A9C        ; yaomediakj2jf
004688D8  mov eax, 00468A5C    ; 播放密码不正确
004688E9  mov edx, 00468AB4    ; ok
0046893B  mov edx, 00468AC0    ; 0
00468B3F  push 00468D8C        ; yaomediakj3jf ; double-click here, go to the start of the function and set a hardware execution breakpoint
00468C4A  mov edx, 00468DA4    ; 0
00468CD1  mov edx, 00468DB0    ; c
00468DBF  mov eax, 00468DE8    ; 确信要退出吗? (are you sure you want to exit?)
00468E02  mov edx, 00468E1C    ; ok
First breakpoint:

0046830B  51    push ecx    ; hardware execution breakpoint here (in case of exit)
0046830C  53    push ebx
0046830D  56    push esi
0046830E  57    push edi

Second breakpoint:

00468AD7  53    push ebx    ; press F2 here
00468AD8  56    push esi
00468AD9  57    push edi
With both breakpoints set, press F9 to run and enter the fake code 111111111111111111 (18 digits). (If some other error appears, NOP out the CALL that raises it; if the first two digits are 9d it may not error at all.) Confirm, the debugger breaks, then step down with F8:

0046830B  51             push ecx    ; the first break lands here
0046830C  53             push ebx
0046830D  56             push esi
0046830E  57             push edi
0046830F  8BF0           mov esi, eax
          33C0           xor eax, eax
          55             push ebp
          68 DA894600    push 004689DA
          64:FF30        push dword ptr fs:[eax]
0046831C  64:8920        mov dword ptr fs:[eax], esp
0046831F  8D45 DC        lea eax, dword ptr [ebp-24]
          E8 99C4F9FF    call 004047C
          8D95 0CFEFFFF  lea edx, dword ptr [ebp-1F4]
0046832D  8B86           mov eax, dword ptr [esi+308]
          E8 0444FDFF    call 0043C73C
          8B85 0CFEFFFF  mov eax, dword ptr [ebp-1F4]
0046833E  8D55 FC        lea edx, dword ptr [ebp-4]
          E8 FE05FAFF    call
00468346  8D95 08FEFFFF  lea edx, dword ptr [ebp-1F8]
0046834C  8B45 FC        mov eax, dword ptr [ebp-4]
0046834F  E8 A003FAFF    call 004086F4
          8B95 08FEFFFF  mov edx, dword ptr [ebp-1F8]
0046835A  8B45 FC        mov eax, dword ptr [ebp-4]
0046835D  E8 6AC8F9FF    call 00404BCC    ; this CALL is the key one, it is called many times; I looked inside and there is nothing to change there
          0F84 99000000  je               ; if this JE does not jump, leave it alone (depending on the fake code you entered it sometimes does not jump but errors further down); if it jumps, NOP it out
004683E2  FF57 0C        call dword ptr [edi+C]    ; it errors here; NOP it out and continue with F8
004683E5  8B95 F8FDFFFF  mov edx, dword ptr [ebp-208]
004683EB  B8 7CFC4600    mov eax, 0046FC7C
004683F0  E8 1FC4F9FF    call
004683F5  8BC3           mov eax, ebx
004683F7  E8 74B6F9FF    call 00403A70
004683FC  E9 10010000    jmp

Where the first 2 digits of the decode key appear:

          E8 7EC5F9FF    call 00404BCC    ; at this point look at the registers, the values of EDX and EAX
0046864E  74 0F          je short 0046865F
          B8 5C8A4600    mov eax, 00468A5C    ; 播放密码不正确 (playback password incorrect)
          E8 AA3BFCFF    call 0042C2A
          E9 F4020000    jmp
0046865F  8B86           mov eax, dword ptr [esi+304]
Registers:

EAX 00B6A6E4  ASCII 'd645920e395fedad7bbbed0eca3fe2e0'    ; real code
ECX
EDX 00B64358  ASCII 'd41d8cd98f00b204e9800998ecf8427e'    ; fake code

1. The real code can be worked out with an MD5 calculator, or looked up at www.cmd5.com.
2. There is no need to look it up at all; just look at the stack:

0012EC70
0012EC74  00B6AFEC  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0'
0012EC78  00B67174  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0cyaomediakj1jf'
0012EC7C  00B642AC  ASCII '8564936DF050B172D434C663AD00BA7680609432A453B47382619267F706E472D5309261A652BE64F602B1758331C763F54EB57889609B60A406E671D27BC23BF906E628D069C965FE05'
0012EC80  00B6A7C0  ASCII '8564936df050b172d434c663ad00ba7680609432a453b47382619267f706e472d5309261a652be64f602b1758331c763f54eb57889609b60a406e671d27bc23bf906e628d069c965fe05'
0012EC84  00B6A884  ASCII '402418d21ca661ebe3e512fe2d30dfe6'
0012EC88  00B6A8B4  ASCII '40'    ; this 40 is the first 2 digits of the 8-digit authorization code
0012EC8C  00B6AC40  ASCII 'd215212a8d-0ba3423d7a-798b840ed0'
0012EC90  00B6AC70  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0'
0012EC94  00B6ACC0  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0'
The first 2 of the 8 decode digits: 40

F8 one step; this JE has to jump over the error:

0046864E  74 0F          je short 0046865F    ; change to JMP
          B8 5C8A4600    mov eax, 00468A5C    ; 播放密码不正确 (playback password incorrect)
          E8 AA3BFCFF    call 0042C2A
          E9 F4020000    jmp
0046865F  8B86           mov eax, dword ptr [esi+304]

F8, continue:

          8B45 F0        mov eax, dword ptr [ebp-10]
          8B55 EC        mov edx, dword ptr [ebp-14]
0046877A  E8 4DC4F9FF    call 00404BCC
0046877F  0F85 CE010000  jnz    ; must not jump, NOP it out
          8D95 84FDFFFF  lea edx, dword ptr [ebp-27C]
0046878B  8B45 F8        mov eax, dword ptr [ebp-8]
0046878E  E8 CD210000    call 0046A960
004688D1  E8 F6C2F9FF    call 00404BCC    ; same method as for finding the first 2 digits
004688D6  74 0C          je short 004688E4    ; change to JMP to skip the error
004688D8  B8 5C8A4600    mov eax, 00468A5C    ; 播放密码不正确 (playback password incorrect)
004688DD  E8 2239FCFF    call 0042C2E2
          EB 6F          jmp short
004688E4  A1 C0E04600    mov eax, dword ptr [46E0C0]
004688E9  BA B48A4600    mov edx, 00468AB4    ; ok
Looking at the stack is the most direct way:

0012EC48  00B681A0  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0'
0012EC4C  00B68230  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0cyaomediakj2jf'
0012EC50  00B690DC  ASCII '8564936DF050B172D434C663AD00BA7680609432A453B47382619267F706E472D5309261A652BE64F602B1758331C763F54EB57889609B60A406E671D27BC23BF906E628D069C966FE05'
0012EC54  00B68618  ASCII '8564936df050b172d434c663ad00ba7680609432a453b47382619267f706e472d5309261a652be64f602b1758331c763f54eb57889609b60a406e671d27bc23bf906e628d069c966fe05'
0012EC58  00B6828C  ASCII '8babcd01dfe29a30096c15c5fe813506'
0012EC5C  00B60874  ASCII '8babcd01dfe29a'
0012EC60  00B6A714  ASCII 'e29a'

Digits 3 to 6: e29a
F8 one step; the JE has to jump over the error, same change as for the first 2 digits. F8:

004688E9  BA B48A4600    mov edx, 00468AB4    ; ok
004688EE  E8 21BFF9FF    call
004688F3  8B55 EC        mov edx, dword ptr [ebp-14]
004688F6  8B45 F0        mov eax, dword ptr [ebp-10]
004688F9  E8 6EFEF9FF    call 0040876C
004688FE  85C0           test eax, eax
          75 51          jnz short    ; do not let it jump, NOP
          A1 6CFC4600    mov eax, dword ptr [46FC6C]
          E8 90FFFEFF    call 0045889C

F9 to run; it breaks on the second breakpoint we set. Step down with F8:

00468BE1  E8 E6BFF9FF    call 00404BCC    ; here, look at the stack, same approach as before; these are the last 2 digits
00468BE6  0F95C3         setne bl
00468BE9  84DB           test bl, bl
00468BEB  74 11          je short 00468BFE
Stack:

0012F838
0012F83C  00B67174  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0'
0012F840  00B6ADA0  ASCII '4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0cyaomediakj3jf'
0012F844  00B6ADFC  ASCII '8564936DF050B172D434C663AD00BA7680609432A453B47382619267F706E472D5309261A652BE64F602B1758331C763F54EB57889609B60A406E671D27BC23BF906E628D069C967FE05'
0012F848  00B6AEA8  ASCII '8564936df050b172d434c663ad00ba7680609432a453b47382619267f706e472d5309261a652be64f602b1758331c763f54eb57889609b60a406e671d27bc23bf906e628d069c967fe05'
0012F84C  00B6AF54  ASCII '272fad6cb26d70ee21ece79d68daa0b4'
0012F850  00B6A768  ASCII '272fad6cb26d70ee21ece79d'
0012F854  00B6AD00  ASCII '9d'

Digits 7 to 8: 9d

40e29a9d: this is what the video decoding uses; it is not the playback password you type in.
Next we put it into memory and let the program decode and play. The key is the spot below; I also found it while tracing with a correct registration code, and that is what made me think of this method (I had not thought of it earlier). Reload the program, enter the fake code, confirm; it breaks on the first breakpoint. Step with F8:

0046835D  E8 6AC8F9FF    call 00404BCC
          0F84 99000000  je    ; must not jump, NOP it out
          8D95 00FEFFFF  lea edx, dword ptr [ebp-200]
0046836E  8B45 FC        mov eax, dword ptr [ebp-4]
          E8 7E03FAFF    call 004086F4

F8, and pay attention: the place where the authorization code is read and decoded is coming up.
0046835D  E8 6AC8F9FF    call 00404BCC
          90             nop    ; must not jump, NOPed out
          90             nop
          90             nop
          90             nop
          90             nop
          90             nop
          8D95 00FEFFFF  lea edx, dword ptr [ebp-200]
0046836E  8B45 FC        mov eax, dword ptr [ebp-4]
          E8 7E03FAFF    call 004086F4
          8B85 00FEFFFF  mov eax, dword ptr [ebp-200]
0046837C  8D95 04FEFFFF  lea edx, dword ptr [ebp-1FC]
          E8 D9250000    call 0046A960    ; pay attention when you get here
          8B95 04FEFFFF  mov edx, dword ptr [ebp-1FC]    ; once past the CALL above, this is where the decoding happens
0046838D  B8 7CFC4600    mov eax, 0046FC7C
          E8 7DC4F9FF    call
00468397  B2 01          mov dl, 1
          A1 64604100    mov eax, dword ptr [416064]
0046839E  E8 9DB6F9FF    call 00403A40
004683A3  BA F4894600    mov edx, 004689F4    ;
004683A8  A1 7CFC4600    mov eax, dword ptr [46FC7C]
004683AD  E8 EA350000    call 0046B99C

Change the value at 00B682EC (it shows as unreadable characters) to 40e29a9d:

00B682DC  00 00 00 00 1A 00 00 00 01 00 00 00 09 00 00 00  ................
00B682EC  2C 34 30 65 32 39 61 39 64 00 00 00 1A 00 00 00  ,40e29a9d.......
00B682FC  01 00 00 00 0B 00 00 00 53 74 61 74 69 63 54 65  ........StaticTe
00B6830C  78 74 31 00 1E 02 00 00 54 34 43 00 D0 46 B6 00  xt1.....T4C..F..
00B6831C  04 83 B6 00 00                                   .....

F9 to run; the program starts decoding and playing. Done.