[Original] Acon Digital Acoustica Premium 7.3.0 x64 analysis and patch crack

    Posted 2021-4-14 15:29:49
    【Title】: Acon Digital Acoustica Premium 7.3.0 x64 analysis and patch crack
    【Author】: speedboy
    【Software】: Acon Digital Acoustica Premium
    【Download URL】:
    【Packer】: None
    【Language】: Microsoft Visual C++
    【Tools】: x64dbg
    【Platform】: win7
    【Software description】: Acon Digital Media Acoustica Premium is an ideal solution for audio editing and mastering. The program contains everything you need to create great sounding recordings and audio CDs, including professional tools for recording, analysis, editing and CD burning. The Acoustica user interface was designed with speed, accuracy and ease of use in mind. The support for audio resolutions up to 32 bit and sampling rates up to 192 kHz allows you to record and edit in an amazing audio quality.
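    【Author's statement】: For study and exchange only
    --------------------------------------------------------------------------------
    【Detailed procedure】
    1. Run the program. A prompt window appears containing the usable string "Your trial version has expired.", so we search for "Your trial version has expired." and get the following:
    [Asm]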
    000000014075BE5E  lea rdx,qword ptr ds:[141119018]  "Your trial version has expired."

    2. Double-click this line to go to the disassembly view, then trace upward to the start of the routine.
    [Asm]
    0000000140759320 | 48:894C24 08          | mov qword ptr ss:[rsp+8],rcx            |
    0000000140759325 | 55                    | push rbp                                |
    0000000140759326 | 53                    | push rbx                                |
    0000000140759327 | 56                    | push rsi                                |
    0000000140759328 | 57                    | push rdi                                |
    0000000140759329 | 41:54                 | push r12                                |
    000000014075932B | 41:55                 | push r13                                |
    000000014075932D | 41:56                 | push r14                                |
    000000014075932F | 41:57                 | push r15                                |
    0000000140759331 | 48:8DAC24 28FDFFFF    | lea rbp,qword ptr ss:[rsp-2D8]          |
    0000000140759339 | 48:81EC D8030000      | sub rsp,3D8                             |
    0000000140759340 | 0F29B424 C0030000     | movaps xmmword ptr ss:[rsp+3C0],xmm6    |
    0000000140759348 | 48:8BF9               | mov rdi,rcx                             |
    000000014075934B | 33C9                  | xor ecx,ecx                             |
    000000014075934D | 898D 28030000         | mov dword ptr ss:[rbp+328],ecx          |
    0000000140759353 | 898D 30030000         | mov dword ptr ss:[rbp+330],ecx          |
    0000000140759359 | 4C:8D35 E8FDB400      | lea r14,qword ptr ds:[1412A9148]        |
    0000000140759360 | 4C:8977 08            | mov qword ptr ds:[rdi+8],r14            |
    ………………
    ………………
    ………………
    000000014075BE4E | 0F85 CF000000         | jne acoustica.14075BF23                 |
    000000014075BE54 | E8 BBCCC3FF           | call acoustica.140398B14                |
    000000014075BE59 | E9 C5000000           | jmp acoustica.14075BF23                 |
    000000014075BE5E | 48:8D15 B3D19B00      | lea rdx,qword ptr ds:[141119018]        | rdx:EntryPoint, 0000000141119018:"Your trial version has expired."
    000000014075BE65 | 48:8D8D 08020000      | lea rcx,qword ptr ss:[rbp+208]          |
    000000014075BE6C | E8 5F35B8FF           | call acoustica.1402DF3D0                |
    000000014075BE71 | 90                    | nop                                     |

    3. At the routine's start address, use "Right-click → Find references → Selected address", which gives the following:
    [Asm]
    00000001407D9A1C  call acoustica.140759320

    4. Double-click this line to go to the disassembly view.
    [Asm]
    00000001407D9A00 | 48:895C24 10          | mov qword ptr ss:[rsp+10],rbx           |
    00000001407D9A05 | 57                    | push rdi                                |
    00000001407D9A06 | 48:81EC 90010000      | sub rsp,190                             |
    00000001407D9A0D | 48:8BD9               | mov rbx,rcx                             |
    00000001407D9A10 | 48:8B91 F0000000      | mov rdx,qword ptr ds:[rcx+F0]           | rdx:EntryPoint
    00000001407D9A17 | 48:8D4C24 40          | lea rcx,qword ptr ss:[rsp+40]           |
    00000001407D9A1C | E8 FFF8F7FF           | call acoustica.140759320                | 》2. calls the trial-expired window
    00000001407D9A21 | 90                    | nop                                     |
    00000001407D9A22 | 0FB68424 E8000000     | movzx eax,byte ptr ss:[rsp+E8]          |
    00000001407D9A2A | 33FF                  | xor edi,edi                             |

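    5. Trace upward to the start of the routine and, at its start address, use "Right-click → Find references → Selected address", which gives the following:
    [Asm]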
    00000001407D945E  call acoustica.1407D9A00

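    6. This call invokes the expiry prompt window. Above it there are two jumps, je and jmp. Analysis shows that if the je is not taken, the trial-expired prompt call is skipped, so 00000001407D943E  call acoustica.140534C80 is the key call: as long as it returns al=1, the desired result is achieved.
    [Asm]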
    00000001407D943A | 49:8B4D 00            | mov rcx,qword ptr ds:[r13]              |
    00000001407D943E | E8 3DB8D5FF           | call acoustica.140534C80                | 》step into with F7; make it return al=1
    00000001407D9443 | 84C0                  | test al,al                              |
    00000001407D9445 | 74 14                 | je acoustica.1407D945B                  | 》not taken
    00000001407D9447 | 8B4424 40             | mov eax,dword ptr ss:[rsp+40]           |
    00000001407D944B | 83F8 03               | cmp eax,3                               |
    00000001407D944E | 41:0F44C7             | cmove eax,r15d                          |
    00000001407D9452 | 41:8986 B0000000      | mov dword ptr ds:[r14+B0],eax           |
    00000001407D9459 | EB 2E                 | jmp acoustica.1407D9489                 |
    00000001407D945B | 49:8BCE               | mov rcx,r14                             |
    00000001407D945E | E8 9D050000           | call acoustica.1407D9A00                | 》1. calls the trial-expired window
    00000001407D9463 | 84C0                  | test al,al                              |
    00000001407D9465 | 0F84 2D050000         | je acoustica.1407D9998                  |
    00000001407D946B | 49:8B4D 00            | mov rcx,qword ptr ds:[r13]              |
    00000001407D946F | E8 0CC0D5FF           | call acoustica.140535480                |

    7. Stepping into call acoustica.140534C80 with F7 brings us here. Analysis shows that if the jump at 0000000140534CC0 jne acoustica.140535443 is taken, execution reaches the 0000000140535443 mov al,1 instruction, which achieves al=1.
    [Asm]
    0000000140534C80 | 48:895C24 18          | mov qword ptr ss:[rsp+18],rbx           |
    0000000140534C85 | 55                    | push rbp                                |
    0000000140534C86 | 56                    | push rsi                                |
    0000000140534C87 | 57                    | push rdi                                |
    0000000140534C88 | 41:54                 | push r12                                |
    0000000140534C8A | 41:55                 | push r13                                |
    0000000140534C8C | 41:56                 | push r14                                |
    0000000140534C8E | 41:57                 | push r15                                |
    0000000140534C90 | 48:8DAC24 50FEFFFF    | lea rbp,qword ptr ss:[rsp-1B0]          |
    0000000140534C98 | 48:81EC B0020000      | sub rsp,2B0                             |
    0000000140534C9F | 48:8B05 1A89FC00      | mov rax,qword ptr ds:[1414FD5C0]        |
    0000000140534CA6 | 48:33C4               | xor rax,rsp                             |
    0000000140534CA9 | 48:8985 A0010000      | mov qword ptr ss:[rbp+1A0],rax          |
    0000000140534CB0 | 4C:8BF2               | mov r14,rdx                             | rdx:EntryPoint
    0000000140534CB3 | 4C:8BE9               | mov r13,rcx                             |
    0000000140534CB6 | 33F6                  | xor esi,esi                             |
    0000000140534CB8 | 897424 30             | mov dword ptr ss:[rsp+30],esi           |
    0000000140534CBC | 40:3871 11            | cmp byte ptr ds:[rcx+11],sil            |
    0000000140534CC0 | 0F85 7D070000         | jne acoustica.140535443                 | 》[1] jump; changing it to jmp achieves the crack
    0000000140534CC6 | 8D7E FF               | lea edi,qword ptr ds:[rsi-1]            |
    0000000140534CC9 | 48:3971 08            | cmp qword ptr ds:[rcx+8],rsi            |
    ………………
    ………………
    ………………
    0000000140535437 | FFCF                  | dec edi                                 |
    0000000140535439 | 83FF FF               | cmp edi,FFFFFFFF                        |
    000000014053543C | 75 05                 | jne acoustica.140535443                 |
    000000014053543E | E8 D136E6FF           | call acoustica.140398B14                |
    0000000140535443 | B0 01                 | mov al,1                                | 》registration flag al=1
    0000000140535445 | 48:8B8D A0010000      | mov rcx,qword ptr ss:[rbp+1A0]          |
    000000014053544C | 48:33CC               | xor rcx,rsp                             |
    000000014053544F | E8 9C36E6FF           | call acoustica.140398AF0                |
    0000000140535454 | 48:8B9C24 00030000    | mov rbx,qword ptr ss:[rsp+300]          |
    000000014053545C | 48:81C4 B0020000      | add rsp,2B0                             |
    0000000140535463 | 41:5F                 | pop r15                                 |
    0000000140535465 | 41:5E                 | pop r14                                 |
    0000000140535467 | 41:5D                 | pop r13                                 |
    0000000140535469 | 41:5C                 | pop r12                                 |
    000000014053546B | 5F                    | pop rdi                                 |
    000000014053546C | 5E                    | pop rsi                                 |
    000000014053546D | 5D                    | pop rbp                                 |
    000000014053546E | C3                    | ret                                     |

    8. Comparison before and after the crack
    1.jpg 2.jpg

    Happy 19th anniversary, PYG!
    Posted 2021-4-14 16:16:06
    I've been stuck at the hello world stage all along; I'm here to learn.
    Posted 2021-6-9 18:29:05
    Impressive, analyzing it now...