[Original] Nevercenter CameraBag Pro 2024.0.1 crack: a simple analysis

speedboy posted on 2023-11-5 15:01
This post was last edited by speedboy on 2023-11-6 10:22

The patches released by 0day groups are all VMP-packed, which is no help to beginners like us who want to compare and learn. So I am writing up a simple cracking record here. This method is not the most elegant, but it can serve as a basis for discussion.

Step 1: Running the software brings up a registration window. Entering an arbitrary registration code and confirming shows the string "Invalid registration code. Please try again - ……", so we open x64dbg and load and run the program.

Step 2: In x64dbg, search for the string "Invalid registration code."; once found, double-click it to go to the disassembly window.
[Asm]
00007FF747D1EA1 | 40:55                  | PUSH RBP                         |
00007FF747D1EA1 | 53                     | PUSH RBX                         |
00007FF747D1EA1 | 56                     | PUSH RSI                         |
00007FF747D1EA1 | 57                     | PUSH RDI                         |
00007FF747D1EA1 | 41:56                  | PUSH R14                         |
00007FF747D1EA1 | 41:57                  | PUSH R15                         |
00007FF747D1EA1 | 48:8BEC                | MOV RBP,RSP                      |
00007FF747D1EA1 | 48:83EC 38             | SUB RSP,0x38                     |
00007FF747D1EA2 | 48:8BF9                | MOV RDI,RCX                      |
00007FF747D1EA2 | 0F297C24 20            | MOVAPS XMMWORD PTR SS:[RSP+0x20] |
00007FF747D1EA2 | 48:8D4D 38             | LEA RCX,QWORD PTR SS:[RBP+0x38]  |
00007FF747D1EA2 | FF15 AE003000          | CALL QWORD PTR DS:[<public: __cd |
00007FF747D1EA3 | 48:8B87 80000000       | MOV RAX,QWORD PTR DS:[RDI+0x80]  |
00007FF747D1EA3 | 45:32FF                | XOR R15B,R15B                    |
00007FF747D1EA3 | 8B98 F0000000          | MOV EBX,DWORD PTR DS:[RAX+0xF0]  | 
00007FF747D1EA4 | 83FB 06                | CMP EBX,0x6                      |
00007FF747D1EA4 | 74 1C                  | JE camerabag pro.7FF747D1EA63    |
00007FF747D1EA4 | 44:38B8 18010000       | CMP BYTE PTR DS:[RAX+0x118],R15B |
00007FF747D1EA4 | 75 13                  | JNE camerabag pro.7FF747D1EA63   |
00007FF747D1EA5 | 48:8B4F 58             | MOV RCX,QWORD PTR DS:[RDI+0x58]  |
00007FF747D1EA5 | 48:8D97 C0000000       | LEA RDX,QWORD PTR DS:[RDI+0xC0]  |
00007FF747D1EA5 | FF15 670A3000          | CALL QWORD PTR DS:[<public: void |
00007FF747D1EA6 | EB 14                  | JMP camerabag pro.7FF747D1EA77   |
00007FF747D1EA6 | 48:8B4F 58             | MOV RCX,QWORD PTR DS:[RDI+0x58]  |
00007FF747D1EA6 | 48:8D97 C8000000       | LEA RDX,QWORD PTR DS:[RDI+0xC8]  |
00007FF747D1EA6 | FF15 540A3000          | CALL QWORD PTR DS:[<public: void |
00007FF747D1EA7 | 41:B7 01               | MOV R15B,0x1                     |
00007FF747D1EA7 | 48:8B87 80000000       | MOV RAX,QWORD PTR DS:[RDI+0x80]  |
00007FF747D1EA7 | 0F57C0                 | XORPS XMM0,XMM0                  |
00007FF747D1EA8 | F248:0F2A40 78         | CVTSI2SD XMM0,QWORD PTR DS:[RAX+ |
00007FF747D1EA8 | 48:8D90 20010000       | LEA RDX,QWORD PTR DS:[RAX+0x120] |
00007FF747D1EA8 | F2:0F5905 FAF2A201     | MULSD XMM0,QWORD PTR DS:[0x7FF74 |
00007FF747D1EA9 | 66:0F5AC0              | CVTPD2PS XMM0,XMM0               |
00007FF747D1EA9 | F3:0F1187 98000000     | MOVSS DWORD PTR DS:[RDI+0x98],XM |
00007FF747D1EAA | 48:837A 18 10          | CMP QWORD PTR DS:[RDX+0x18],0x10 |
00007FF747D1EAA | 72 03                  | JB camerabag pro.7FF747D1EAAC    |
00007FF747D1EAA | 48:8B12                | MOV RDX,QWORD PTR DS:[RDX]       |
00007FF747D1EAA | 41:B8 FFFFFFFF         | MOV R8D,0xFFFFFFFF               |
00007FF747D1EAB | 48:8D4D 48             | LEA RCX,QWORD PTR SS:[RBP+0x48]  |
00007FF747D1EAB | FF15 DCFD2F00          | CALL QWORD PTR DS:[<public: stat |
00007FF747D1EAB | 48:8D55 48             | LEA RDX,QWORD PTR SS:[RBP+0x48]  |
00007FF747D1EAC | 48:8D8F 90000000       | LEA RCX,QWORD PTR DS:[RDI+0x90]  |
00007FF747D1EAC | FF15 ABFD2F00          | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EAC | 48:8D4D 48             | LEA RCX,QWORD PTR SS:[RBP+0x48]  |
00007FF747D1EAD | FF15 99003000          | CALL QWORD PTR DS:[<public: __cd |
00007FF747D1EAD | 80BF EC000000 00       | CMP BYTE PTR DS:[RDI+0xEC],0x0   |
00007FF747D1EAD | 0F57FF                 | XORPS XMM7,XMM7                  |
00007FF747D1EAE | 0F84 9F000000          | JE camerabag pro.7FF747D1EB86    | 
00007FF747D1EAE | 83FB 05                | CMP EBX,0x5                      |
00007FF747D1EAE | 74 05                  | JE camerabag pro.7FF747D1EAF1    |
00007FF747D1EAE | 83FB 02                | CMP EBX,0x2                      |
00007FF747D1EAE | 75 11                  | JNE camerabag pro.7FF747D1EB02   | 
00007FF747D1EAF | 48:8D15 D833A101       | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731ED0]:"Registration successful! Enjoy!"
00007FF747D1EAF | 48:8D4D 38             | LEA RCX,QWORD PTR SS:[RBP+0x38]  |
00007FF747D1EAF | FF15 9EFD2F00          | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB0 | 83FB 01                | CMP EBX,0x1                      |
00007FF747D1EB0 | 75 16                  | JNE camerabag pro.7FF747D1EB1D   |
00007FF747D1EB0 | 48:8D15 E233A101       | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731EF0]:"Validating registration code..."
00007FF747D1EB0 | 48:8D4D 38             | LEA RCX,QWORD PTR SS:[RBP+0x38]  |
00007FF747D1EB1 | FF15 88FD2F00          | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB1 | E9 F3010000            | JMP camerabag pro.7FF747D1ED10   |
00007FF747D1EB1 | 83FB 06                | CMP EBX,0x6                      |
00007FF747D1EB2 | 75 16                  | JNE camerabag pro.7FF747D1EB38   |
00007FF747D1EB2 | 48:8D15 E733A101       | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731F10]:"This code is only valid for a previous version of this software. Please upgrade your license using the button below in order to use this version."
00007FF747D1EB2 | 48:8D4D 38             | LEA RCX,QWORD PTR SS:[RBP+0x38]  |
00007FF747D1EB2 | FF15 6DFD2F00          | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB3 | E9 D8010000            | JMP camerabag pro.7FF747D1ED10   |
00007FF747D1EB3 | 83FB 03                | CMP EBX,0x3                      |
00007FF747D1EB3 | 75 16                  | JNE camerabag pro.7FF747D1EB53   |
00007FF747D1EB3 | 48:8D15 2C36A101       | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749732170]:"Unable to validate registration. Please make sure your computer is connected to the internet. If the problem persists please contact us at [url=mailto:support@nevercenter.com]support@nevercenter.com[/url]"
00007FF747D1EB4 | 48:8D4D 38             | LEA RCX,QWORD PTR SS:[RBP+0x38]  |
00007FF747D1EB4 | FF15 52FD2F00          | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB4 | E9 BD010000            | JMP camerabag pro.7FF747D1ED10   |
00007FF747D1EB5 | 83FB 04                | CMP EBX,0x4                      |
00007FF747D1EB5 | 0F85 B4010000          | JNE camerabag pro.7FF747D1ED10   |
00007FF747D1EB5 | 48:8D15 0DA23B00       | LEA RDX,QWORD PTR DS:[0x7FF7480D |
00007FF747D1EB6 | 48:8D8F 90000000       | LEA RCX,QWORD PTR DS:[RDI+0x90]  |
00007FF747D1EB6 | FF15 30FD2F00          | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB7 | 48:8D15 A936A101       | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749732220]:"Invalid registration code. Please try again - copy and paste the code from your registration email to ensure accuracy. If the problem persists please contact us at [url=mailto:support@nevercenter.com]support@nevercenter.com[/url]"

Analysing upward, we can see "Registration successful! Enjoy!". Isn't that the registration-success message? One line above it is a jne; as long as it does not jump, the success message appears. Above that is a comparison, CMP EBX,0x2. These two lines mean: as long as EBX=2, the jne will not jump. Good, next we continue upward to see where EBX is assigned, and quickly find this MOV EBX,DWORD PTR DS:[RAX+0xF0]. In other words, we only need to change this to MOV EBX,2 (this can be regarded as crack point 1).

Step 3: Still in the same code segment, above "CMP EBX,0x2" there are two more je and cmp comparisons. The key one is the topmost, "CMP BYTE PTR DS:[RDI+0xEC],0x0": when the value at DS:[RDI+0xEC] is 1, the je below it does not jump. So we right-click on it, choose Find references, then Constant, to find the places that assign 0 to DS:[XXX+0xEC], and get 3 locations:
[Asm]
00007FF747D1DE07 mov byte ptr ds:[rcx+EC],0
00007FF747D1E1AF mov byte ptr ds:[rcx+EC],0
00007FF747D1E270 mov byte ptr ds:[rcx+EC],0

Change the 0 in all three assignments to 1 (this can be regarded as crack point 2).

Step 4: After the above, run the patched program. Clicking "Dismiss" on the startup screen terminates the program, so apparently there is another key location. Starting the analysis again, analysing downward from 00007FF6B8C2DE0 MOV BYTE PTR DS:[RCX+0xEC],0x0, we find a call to the exit function, 00007FF6B8C2DE3 CALL QWORD PTR DS:[<exit>]. Above it is a je, and above that the cmp instruction 00007FF6B8C2DE2 CMP BYTE PTR DS:[RCX+0x9C],0x0. Obviously, as long as DS:[RCX+0x9C]=0, the je jump is taken. So on this cmp, right-click, choose Find references, then Constant, to find the statements that assign 1 to DS:[XXX+0x9C], and get 4 locations:
[Asm]
MOV BYTE PTR DS:[RCX+0x9C],0x1
MOV BYTE PTR DS:[RAX+0x9C],0x1
MOV BYTE PTR DS:[RBX+0x9C],0x1
MOV DWORD PTR DS:[RAX+0x9C],0x1

Through step-by-step analysis, MOV BYTE PTR DS:[RAX+0x9C],0x1 is the one we want; assign 0 here (this counts as crack point 3). Those interested can try each one in turn and will see why.


OP | speedboy posted on 2023-11-5 15:02
The program after cracking
[image: 2023-11-05_145309.png]
ttdota posted on 2023-11-5 15:03
daoye9988 posted on 2023-11-5 20:38
xiaoxino posted on 2023-11-8 13:52
Could you make a video tutorial of the crack?
OP | speedboy posted on 2023-11-17 19:34
Thanks for the encouragement, boss.