1. Search the string references; the following are found:

004684EC  mov eax, 00468A0C    ; Playback authorization invalid!
004684FB  mov eax, 00468A28    ; Playback authorization incorrect!
00468581  push 00468A44        ; yaomediakj1jf  ; double-click here, go to the function head and set a hardware execution breakpoint
00468650  mov eax, 00468A5C    ; Playback password incorrect
00468675  push 00468A74        ; c:\china-drm\
004686B4  push 00468A8C        ; .ini
00468765  mov eax, 00468A5C    ; Playback password incorrect
004687DD  push 00468A9C        ; yaomediakj2jf
004688D8  mov eax, 00468A5C    ; Playback password incorrect
004688E9  mov edx, 00468AB4    ; ok
0046893B  mov edx, 00468AC0    ; 0
00468B3F  push 00468D8C        ; yaomediakj3jf  ; double-click here, go to the function head and set a hardware execution breakpoint
00468C4A  mov edx, 00468DA4    ; 0
00468CD1  mov edx, 00468DB0    ; c
00468DBF  mov eax, 00468DE8    ; Are you sure you want to quit?
00468E02  mov edx, 00468E1C    ; ok
2. First breakpoint:

0046830B  51  push ecx    ; set a hardware execution breakpoint here so the program cannot exit past it
0046830C  53  push ebx
0046830D  56  push esi
0046830E  57  push edi

Second breakpoint:

00468AD7  53  push ebx    ; press F2 here
00468AD8  56  push esi
00468AD9  57  push edi
3. With both breakpoints set, press F9 to run, enter the fake code 111111111111111111 (18 digits) and click OK. (If a different error appears, NOP out the CALL that raises it; if the first two digits are 9d it may not error at all.) The program breaks; press F8 to single-step downward:

0046830B  51             push ecx    ; the first break lands here
0046830C  53             push ebx
0046830D  56             push esi
0046830E  57             push edi
0046830F  8BF0           mov esi, eax
00468311  33C0           xor eax, eax
00468313  55             push ebp
00468314  68 DA894600    push 004689DA
00468319  64:FF30        push dword ptr fs:[eax]
0046831C  64:8920        mov dword ptr fs:[eax], esp
0046831F  8D45 DC        lea eax, dword ptr [ebp-24]
00468322  E8 99C4F9FF    call 004047C0
00468327  8D95 0CFEFFFF  lea edx, dword ptr [ebp-1F4]
0046832D  8B86 08030000  mov eax, dword ptr [esi+308]
00468333  E8 0444FDFF    call 0043C73C
00468338  8B85 0CFEFFFF  mov eax, dword ptr [ebp-1F4]
0046833E  8D55 FC        lea edx, dword ptr [ebp-4]
00468341  E8 FE05FAFF    call 00408944
00468346  8D95 08FEFFFF  lea edx, dword ptr [ebp-1F8]
0046834C  8B45 FC        mov eax, dword ptr [ebp-4]
0046834F  E8 A003FAFF    call 004086F4
00468354  8B95 08FEFFFF  mov edx, dword ptr [ebp-1F8]
0046835A  8B45 FC        mov eax, dword ptr [ebp-4]
0046835D  E8 6AC8F9FF    call 00404BCC    ; this CALL is the key CALL; it is called many times, and there is nothing inside it to change
00468362  0F84 99000000  je 00468401      ; if this JE does not jump, leave it alone (depending on the fake code entered it sometimes does not jump but errors later on); if it jumps, NOP it out
-------------
4.

004683E2  FF57 0C        call dword ptr [edi+C]    ; the error occurs here; NOP it out and continue with F8
004683E5  8B95 F8FDFFFF  mov edx, dword ptr [ebp-208]
004683EB  B8 7CFC4600    mov eax, 0046FC7C
004683F0  E8 1FC4F9FF    call 00404814
004683F5  8BC3           mov eax, ebx
004683F7  E8 74B6F9FF    call 00403A70
004683FC  E9 10010000    jmp 00468511

----------------- Where the first 2 digits of the decoded code appear

00468649  E8 7EC5F9FF    call 00404BCC    ; when you reach here, look at the EDX and EAX register values
0046864E  74 0F          je short 0046865F
00468650  B8 5C8A4600    mov eax, 00468A5C    ; Playback password incorrect
00468655  E8 AA3BFCFF    call 0042C204
0046865A  E9 F4020000    jmp 00468953
0046865F  8B86 04030000  mov eax, dword ptr [esi+304]
5. Registers:

EAX 00B6A6E4  ASCII "d645920e395fedad7bbbed0eca3fe2e0"    ; real code
ECX 00000000
EDX 00B64358  ASCII "d41d8cd98f00b204e9800998ecf8427e"    ; fake code

1. The real code can be worked out with an MD5 calculator, or looked up at www.cmd5.com.
2. There is no need to look it up at all; just look at the stack:

0012EC70  00000000
0012EC74  00B6AFEC  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0"
0012EC78  00B67174  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0cyaomediakj1jf"
0012EC7C  00B642AC  ASCII "8564936DF050B172D434C663AD00BA7680609432A453B47382619267F706E472D5309261A652B02089668E64F602B1758331C763F54EB57889609B60A406E671D27BC23BF906E628D069C965FE05"
0012EC80  00B6A7C0  ASCII "8564936df050b172d434c663ad00ba7680609432a453b47382619267f706e472d5309261a652b02089668e64f602b1758331c763f54eb57889609b60a406e671d27bc23bf906e628d069c965fe05"
0012EC84  00B6A884  ASCII "402418d21ca661ebe3e512fe2d30dfe6"
0012EC88  00B6A8B4  ASCII "40"    ; this 40 is the first 2 digits of the 8-digit authorization code
0012EC8C  00B6AC40  ASCII "d215212a8d-0ba3423d7a-798b840ed0"
0012EC90  00B6AC70  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0"
0012EC94  00B6ACC0  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0"
6. First 2 digits of the 8-digit decoded code: 40

------------------ One F8 step; this JE must jump so the error is skipped.

0046864E  74 0F          je short 0046865F    ; change to JMP
00468650  B8 5C8A4600    mov eax, 00468A5C    ; Playback password incorrect
00468655  E8 AA3BFCFF    call 0042C204
0046865A  E9 F4020000    jmp 00468953
0046865F  8B86 04030000  mov eax, dword ptr [esi+304]

------------ F8, continue

00468774  8B45 F0        mov eax, dword ptr [ebp-10]
00468777  8B55 EC        mov edx, dword ptr [ebp-14]
0046877A  E8 4DC4F9FF    call 00404BCC
0046877F  0F85 CE010000  jnz 00468953    ; must not jump; NOP it out
00468785  8D95 84FDFFFF  lea edx, dword ptr [ebp-27C]
0046878B  8B45 F8        mov eax, dword ptr [ebp-8]
0046878E  E8 CD210000    call 0046A960
-----------
7.

004688D1  E8 F6C2F9FF    call 00404BCC    ; same method as used to find the first 2 digits
004688D6  74 0C          je short 004688E4    ; change to JMP to skip the error
004688D8  B8 5C8A4600    mov eax, 00468A5C    ; Playback password incorrect
004688DD  E8 2239FCFF    call 0042C204
004688E2  EB 6F          jmp short 00468953
004688E4  A1 C0E04600    mov eax, dword ptr [46E0C0]
004688E9  BA B48A4600    mov edx, 00468AB4    ; ok
8. Looking at the stack is the most direct way:

0012EC48  00B681A0  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0"
0012EC4C  00B68230  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0cyaomediakj2jf"
0012EC50  00B690DC  ASCII "8564936DF050B172D434C663AD00BA7680609432A453B47382619267F706E472D5309261A652B02089668E64F602B1758331C763F54EB57889609B60A406E671D27BC23BF906E628D069C966FE05"
0012EC54  00B68618  ASCII "8564936df050b172d434c663ad00ba7680609432a453b47382619267f706e472d5309261a652b02089668e64f602b1758331c763f54eb57889609b60a406e671d27bc23bf906e628d069c966fe05"
0012EC58  00B6828C  ASCII "8babcd01dfe29a30096c15c5fe813506"
0012EC5C  00B60874  ASCII "8babcd01dfe29a"
0012EC60  00B6A714  ASCII "e29a"    ; digits 3-6: e29a
9. One F8 step; the JE must jump so the error is skipped. Same patch as for the first 2 digits.

---------- F8,

004688E9  BA B48A4600    mov edx, 00468AB4    ; ok
004688EE  E8 21BFF9FF    call 00404814
004688F3  8B55 EC        mov edx, dword ptr [ebp-14]
004688F6  8B45 F0        mov eax, dword ptr [ebp-10]
004688F9  E8 6EFEF9FF    call 0040876C
004688FE  85C0           test eax, eax
00468900  75 51          jnz short 00468953    ; do not let it jump; NOP it out
00468902  A1 6CFC4600    mov eax, dword ptr [46FC6C]
00468907  E8 90FFFEFF    call 0045889C

---------------- Press F9 to run; it breaks at the second breakpoint we set. Single-step downward with F8:

00468BE1  E8 E6BFF9FF    call 00404BCC    ; at this point look at the stack; found the same way as before, these are the last 2 digits
00468BE6  0F95C3         setne bl
00468BE9  84DB           test bl, bl
00468BEB  74 11          je short 00468BFE
10. Stack:

0012F838  00000000
0012F83C  00B67174  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0"
0012F840  00B6ADA0  ASCII "4f09d333e6e79c871b7f00623c13cef3d215212a8d-0ba3423d7a-798b840ed0cyaomediakj3jf"
0012F844  00B6ADFC  ASCII "8564936DF050B172D434C663AD00BA7680609432A453B47382619267F706E472D5309261A652B02089668E64F602B1758331C763F54EB57889609B60A406E671D27BC23BF906E628D069C967FE05"
0012F848  00B6AEA8  ASCII "8564936df050b172d434c663ad00ba7680609432a453b47382619267f706e472d5309261a652b02089668e64f602b1758331c763f54eb57889609b60a406e671d27bc23bf906e628d069c967fe05"
0012F84C  00B6AF54  ASCII "272fad6cb26d70ee21ece79d68daa0b4"
0012F850  00B6A768  ASCII "272fad6cb26d70ee21ece79d"
0012F854  00B6AD00  ASCII "9d"    ; digits 7-8: 9d

--------------- 40e29a9d is the value the video decoding uses; it is not the playback password that gets typed in.
11. Next we place it into memory and let the program decode and play. The key is the location: I found this spot while tracing with a correct registration code, which is what gave me the idea for this method (I had not thought of it earlier). Reload the program, enter the fake code, and after clicking OK it breaks on the first breakpoint. Single-step with F8:

0046835D  E8 6AC8F9FF    call 00404BCC
00468362  0F84 99000000  je 00468401    ; must not jump; NOP it out
00468368  8D95 00FEFFFF  lea edx, dword ptr [ebp-200]
0046836E  8B45 FC        mov eax, dword ptr [ebp-4]
00468371  E8 7E03FAFF    call 004086F4

--------- F8; pay attention now, the place that reads the authorization code for decoding is coming up
12.

0046835D  E8 6AC8F9FF    call 00404BCC
00468362  90             nop    ; must not jump; NOPed out
00468363  90             nop
00468364  90             nop
00468365  90             nop
00468366  90             nop
00468367  90             nop
00468368  8D95 00FEFFFF  lea edx, dword ptr [ebp-200]
0046836E  8B45 FC        mov eax, dword ptr [ebp-4]
00468371  E8 7E03FAFF    call 004086F4
00468376  8B85 00FEFFFF  mov eax, dword ptr [ebp-200]
0046837C  8D95 04FEFFFF  lea edx, dword ptr [ebp-1FC]
00468382  E8 D9250000    call 0046A960    ; pay attention when you reach here
00468387  8B95 04FEFFFF  mov edx, dword ptr [ebp-1FC]    ; once past the CALL above, this is where decoding happens
0046838D  B8 7CFC4600    mov eax, 0046FC7C
00468392  E8 7DC4F9FF    call 00404814
00468397  B2 01          mov dl, 1
00468399  A1 64604100    mov eax, dword ptr [416064]
0046839E  E8 9DB6F9FF    call 00403A40
004683A3  BA F4894600    mov edx, 004689F4    ;
004683A8  A1 7CFC4600    mov eax, dword ptr [46FC7C]
004683AD  E8 EA350000    call 0046B99C

Change the value at 00B682EC (displayed as garbage characters in the dump) to 40e29a9d:

00B682DC  00 00 00 00 1A 00 00 00 01 00 00 00 09 00 00 00  ................
00B682EC  2C 34 30 65 32 39 61 39 64 00 00 00 1A 00 00 00  ,40e29a9d......
00B682FC  01 00 00 00 0B 00 00 00 53 74 61 74 69 63 54 65  ........StaticTe
00B6830C  78 74 31 00 1E 02 00 00 54 34 43 00 D0 46 B6 00  xt1.....T4C.蠪?
00B6831C  04 83 B6 00 00                                   兌...

Press F9 to run; the program begins decoding and playing. Done.