[Original] Xara Photo & Graphic Designer 18.0.0.61670 (X64) analysis and crack patch

speedboy posted on 2021-4-7 19:05
【Title】: Xara Photo & Graphic Designer 18.0.0.61670 (X64) analysis and crack patch
【Author】: speedboy
【Software】: Xara Photo & Graphic Designer
【Download】:
【Packer】: None
【Language】: Microsoft Visual C++
【Tools】: x64dbg
【Platform】: Win7
【Description】: Xara Photo & Graphic Designer - Realize your ideas easily. Make your photos pop Image editing, graphic design and illustration. Enjoy detailed photo editing, creative drawing and professional design from photo collages and print documents to digital artwork – realize each and every one of your creative ideas with Xara Photo & Graphic Designer! Create impressive designs in no time.
【Author's note】: For study and exchange only
--------------------------------------------------------------------------------
【Detailed process】
1. Search for “CheckSerialRegistration”; you get the following:
[Asm]
000000014063341D  lea rcx,qword ptr ds:[1414BA620]  L"After CheckSerialRegistration\n"

2. Double-click this line to go to the disassembly. The Call on the line above is the registration check; press F2 on this line to set a breakpoint.
[Asm]
00000001406333F6 | 49:8B8F C8020000      | mov rcx,qword ptr ds:[r15+2C8]                                                                          |
00000001406333FD | 48:85C9               | test rcx,rcx                                                                                            |
0000000140633400 | 0F84 D30A0000         | je photographicdesigner.140633ED9                                                                       |
0000000140633406 | BA 01000000           | mov edx,1                                                                                               |
000000014063340B | E8 708A1300           | call <photographicdesigner.public: int __cdecl CopyProtectionVPL::IsRunable(int) __ptr64>               |
0000000140633410 | 85C0                  | test eax,eax                                                                                            |
0000000140633412 | 0F84 C10A0000         | je photographicdesigner.140633ED9                                                                       |
0000000140633418 | E8 13450100           | call <photographicdesigner.public: static void __cdecl InternetManager::CheckSerialRegistration(void)>  |
000000014063341D | 48:8D0D FC71E800      | lea rcx,qword ptr ds:[1414BA620]                                                                        | 00000001414BA620:L"After CheckSerialRegistration\n"
0000000140633424 | E8 87020100           | call <photographicdesigner.public: static void __cdecl Error::ReleaseTrace(wchar_t const * __ptr64,...) |

3. Run the program. It does not break; instead a “Welcome” prompt window appears, which means a call earlier on already ran. Analysis shows that call <photographicdesigner.public: int __cdecl CopyProtectionVPL::IsRunable(int) __ptr64> is what brings up the “Welcome” window, so set a breakpoint there, step into it and analyze; you arrive in turn at
[Asm]
000000014076BE80 | E9 EB080000           | jmp <photographicdesigner.private: int __cdecl CopyProtectionVPL::InitialCheck(int) __ptr64>

[Asm]
000000014076C770 | 40:57                 | push rdi                                                                                                |
000000014076C772 | 48:83EC 30            | sub rsp,30                                                                                              |
000000014076C776 | 48:C74424 20 FEFFFFFF | mov qword ptr ss:[rsp+20],FFFFFFFFFFFFFFFE                                                              |
000000014076C77F | 48:895C24 48          | mov qword ptr ss:[rsp+48],rbx                                                                           |
000000014076C784 | 48:897424 50          | mov qword ptr ss:[rsp+50],rsi                                                                           |
000000014076C789 | 8BF2                  | mov esi,edx                                                                                             |
000000014076C78B | 48:8BD9               | mov rbx,rcx                                                                                             |
000000014076C78E | 48:8D4C24 40          | lea rcx,qword ptr ss:[rsp+40]                                                                           |
000000014076C793 | E8 B850ECFF           | call <photographicdesigner.public: __cdecl DisableFPExceptions::DisableFPExceptions(void) __ptr64>      |
000000014076C798 | 90                    | nop                                                                                                     |
000000014076C799 | 33FF                  | xor edi,edi                                                                                             |
000000014076C79B | 48:39BB 30380000      | cmp qword ptr ds:[rbx+3830],rdi                                                                         |
000000014076C7A2 | 75 18                 | jne photographicdesigner.14076C7BC                                                                      |
000000014076C7A4 | 48:8BCB               | mov rcx,rbx                                                                                             |
000000014076C7A7 | E8 D4AA3900           | call <photographicdesigner.class IConsumerLibraryAdapter * __ptr64 __cdecl CreateConsumerLibraryAdapter |
000000014076C7AC | 48:8983 30380000      | mov qword ptr ds:[rbx+3830],rax                                                                         |
000000014076C7B3 | 48:85C0               | test rax,rax                                                                                            |
000000014076C7B6 | 75 04                 | jne photographicdesigner.14076C7BC                                                                      |
000000014076C7B8 | 8BDF                  | mov ebx,edi                                                                                             |
000000014076C7BA | EB 17                 | jmp photographicdesigner.14076C7D3                                                                      |
000000014076C7BC | 48:8B8B 30380000      | mov rcx,qword ptr ds:[rbx+3830]                                                                         |
000000014076C7C3 | 48:8B01               | mov rax,qword ptr ds:[rcx]                                                                              |
000000014076C7C6 | 85F6                  | test esi,esi                                                                                            | 》[1] change to xor
000000014076C7C8 | 0F95C2                | setne dl                                                                                                | 》when this leaves dl=0, the Welcome window does not appear
000000014076C7CB | FF90 88000000         | call qword ptr ds:[rax+88]                                                                              | 》calls the Welcome window
000000014076C7D1 | 8BD8                  | mov ebx,eax                                                                                             |
000000014076C7D3 | 45:33C9               | xor r9d,r9d                                                                                             |
000000014076C7D6 | 45:33C0               | xor r8d,r8d                                                                                             |
000000014076C7D9 | 33D2                  | xor edx,edx                                                                                             |
000000014076C7DB | B9 02000010           | mov ecx,10000002                                                                                        |
000000014076C7E0 | E8 BFCD3000           | call <photographicdesigner.UrlMkSetSessionOption>                                                       |
000000014076C7E5 | B8 01000000           | mov eax,1                                                                                               |
000000014076C7EA | 83FB 02               | cmp ebx,2                                                                                               |
000000014076C7ED | 0F44F8                | cmove edi,eax                                                                                           |
000000014076C7F0 | 48:8D4C24 40          | lea rcx,qword ptr ss:[rsp+40]                                                                           |
000000014076C7F5 | E8 9650ECFF           | call <photographicdesigner.public: __cdecl DisableFPExceptions::~DisableFPExceptions(void) __ptr64>     |
000000014076C7FA | 8BC7                  | mov eax,edi                                                                                             |
000000014076C7FC | 48:8B5C24 48          | mov rbx,qword ptr ss:[rsp+48]                                                                           |
000000014076C801 | 48:8B7424 50          | mov rsi,qword ptr ss:[rsp+50]                                                                           |
000000014076C806 | 48:83C4 30            | add rsp,30                                                                                              |
000000014076C80A | 5F                    | pop rdi                                                                                                 |
000000014076C80B | C3                    | ret           

4. Analysis shows that 000000014076C7CB call qword ptr ds:[rax+88] brings up the Welcome window. Breaking there and stepping in shows it depends on the value of dl: when dl=0 the Welcome window does not appear. The line directly above the call happens to be the instruction that sets dl; when esi=0 in test esi,esi, dl=0, so simply changing test esi,esi to xor esi,esi achieves the crack.
[Asm]
000000014076C7C6 | 85F6                  | test esi,esi                                                                                            | 》[1] change to xor
000000014076C7C8 | 0F95C2                | setne dl                                                                                                | 》when this leaves dl=0, the Welcome window does not appear
000000014076C7CB | FF90 88000000         | call qword ptr ds:[rax+88]                                                                              | 》calls the Welcome window

5. At this point the program runs normally under the debugger, but when saving a modified file a “restart the program” error window appears, so there seems to be a hidden check. During analysis you will come across handler functions containing IsTrialVersion, so press Ctrl+N to open the symbol window and search for IsTrialVersion; you get the following:
[Asm]
000000013F7B99B0 符号  ?IsTrialVersion@Application@@QEAAHXZ                           public: int __cdecl Application::IsTrialVersion(void) __ptr64
000000014030EDA0 符号  ?IsTrialVersion@CCamApp@@QEAAHXZ                               public: int __cdecl CCamApp::IsTrialVersion(void) __ptr64
0000000140A05000 符号  ?IsTrialVersion@CMX_ProteinLib@ProtectionEnvironment@@QEBA_NXZ public: bool __cdecl ProtectionEnvironment::CMX_ProteinLib::IsTrialVersion(void)const __ptr64
0000000140A067D0 符号  ?IsTrialVersion@MXProtectionWrapper@@SA_NXZ                    public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)
0000000140B920C6 符号  `CCamApp::IsTrialVersion'::`1'::dtor$0                         
0000000140B920D2 符号  `CCamApp::IsTrialVersion'::`1'::dtor$1                         
0000000140B920DE 符号  `CCamApp::IsTrialVersion'::`1'::dtor$2                         
0000000140B920EA 符号  `CCamApp::IsTrialVersion'::`1'::dtor$3                         
0000000140B920F6 符号  `CCamApp::IsTrialVersion'::`1'::dtor$4                         
0000000140B92102 符号  `CCamApp::IsTrialVersion'::`1'::dtor$5                         
0000000140B9210E 符号  `CCamApp::IsTrialVersion'::`1'::dtor$6                         
0000000140B9211A 符号  `CCamApp::IsTrialVersion'::`1'::dtor$8                         
0000000140B92126 符号  `CCamApp::IsTrialVersion'::`1'::dtor$9                         
0000000140B92132 符号  `CCamApp::IsTrialVersion'::`1'::dtor$10

6. Analysis shows that 0000000140A067D0   public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void) is the key one. Double-click this line to go to the disassembly:
[Asm]
0000000140A067D0 | 48:8D0D D1821001      | lea rcx,qword ptr ds:[<class ProtectionEnvironment::CMX_ProteinLib s_proteinLib>]

7. On this line's address, right-click → Find references → Selected address; you get three calling sites:
[Asm]
00000001409ECAE6 call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>
00000001409EDE21 call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>
00000001409EDE60 call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>

8. Double-click the first one to go to the disassembly. See? This is where the program edition is checked. Tracing upward, make je photographicdesigner.1409ECAD3 not jump (as for why, debug it yourself and you will understand; if it jumps, it ends up at the trial edition). Further up you see CheckMuMaPatchFile (check Trojan patch file? did I get that wrong? hehe), so blunt. Enter this Call and just ret at the very start of the function (check what, exactly).
[Asm]
00000001409ECAB0 | 48:83EC 28            | sub rsp,28                                                                                                      |
00000001409ECAB4 | 45:33C0               | xor r8d,r8d                                                                                                     |
00000001409ECAB7 | 41:8D50 01            | lea edx,qword ptr ds:[r8+1]                                                                                     |
00000001409ECABB | E8 E0F0FFFF           | call <photographicdesigner.public: int __cdecl CProductInterchangeAdapterForMumaEasy::invoke_CheckMuMaPatchFile |
00000001409ECAC0 | E8 7B9C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsConsumerBoxVersion(void)>         |
00000001409ECAC5 | 84C0                  | test al,al                                                                                                      | 
00000001409ECAC7 | 74 0A                 | je photographicdesigner.1409ECAD3                                                                               | 》[2] must not jump; change to nop
00000001409ECAC9 | B8 01000000           | mov eax,1                                                                                                       |
00000001409ECACE | 48:83C4 28            | add rsp,28                                                                                                      |
00000001409ECAD2 | C3                    | ret                                                                                                             |
00000001409ECAD3 | E8 C89C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsProfessionalBoxVersion(void)>     |
00000001409ECAD8 | 84C0                  | test al,al                                                                                                      |
00000001409ECADA | 74 0A                 | je photographicdesigner.1409ECAE6                                                                               |
00000001409ECADC | B8 02000000           | mov eax,2                                                                                                       |
00000001409ECAE1 | 48:83C4 28            | add rsp,28                                                                                                      |
00000001409ECAE5 | C3                    | ret                                                                                                             |
00000001409ECAE6 | E8 E59C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>               |
00000001409ECAEB | 84C0                  | test al,al                                                                                                      |
00000001409ECAED | 74 0A                 | je photographicdesigner.1409ECAF9                                                                               | 
00000001409ECAEF | B8 04000000           | mov eax,4                                                                                                       |
00000001409ECAF4 | 48:83C4 28            | add rsp,28                                                                                                      |
00000001409ECAF8 | C3                    | ret                                                                                                             |
00000001409ECAF9 | E8 729C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsNonextensibleDemoVersion(void)>   |
00000001409ECAFE | 84C0                  | test al,al                                                                                                      |
00000001409ECB00 | 74 0A                 | je photographicdesigner.1409ECB0C                                                                               |
00000001409ECB02 | B8 08000000           | mov eax,8                                                                                                       |
00000001409ECB07 | 48:83C4 28            | add rsp,28                                                                                                      |
00000001409ECB0B | C3                    | ret                                                                                                             |
00000001409ECB0C | E8 9F9C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsSilverVersion(void)>              |
00000001409ECB11 | 84C0                  | test al,al                                                                                                      |
00000001409ECB13 | 74 0A                 | je photographicdesigner.1409ECB1F                                                                               | 
00000001409ECB15 | B8 10000000           | mov eax,10                                                                                                      |
00000001409ECB1A | 48:83C4 28            | add rsp,28                                                                                                      |
00000001409ECB1E | C3                    | ret                                                                                                             |
00000001409ECB1F | E8 5C9C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsOEMVersion(void)>                 |
00000001409ECB24 | 84C0                  | test al,al                                                                                                      |
00000001409ECB26 | 74 0A                 | je photographicdesigner.1409ECB32                                                                               |
00000001409ECB28 | B8 20000000           | mov eax,20                                                                                                      | 20:' '
00000001409ECB2D | 48:83C4 28            | add rsp,28                                                                                                      |
00000001409ECB31 | C3                    | ret

9. Enter 00000001409ECABB  call <photographicdesigner.public: int __cdecl CProductInterchangeAdapterForMumaEasy::invoke_CheckMuMaPatchFile and ret directly at the start of the function:
[Asm]
00000001409EBBA0 | 40:53                 | push rbx                                                                                                        |》[3] change to ret
00000001409EBBA2 | 48:83EC 20            | sub rsp,20                                                                                                      | 
00000001409EBBA6 | 803D 48271201 00      | cmp byte ptr ds:[141B0E2F5],0                                                                                   |
00000001409EBBAD | 41:8BD8               | mov ebx,r8d                                                                                                     |
00000001409EBBB0 | 75 14                 | jne photographicdesigner.1409EBBC6                                                                              |
00000001409EBBB2 | E8 99AA0100           | call <photographicdesigner.bool __cdecl InitCopyProtection(void)>                                               |
00000001409EBBB7 | C605 37271201 01      | mov byte ptr ds:[141B0E2F5],1                                                                                   |
00000001409EBBBE | 8805 3CB0F000         | mov byte ptr ds:[1418F6C00],al                                                                                  |
00000001409EBBC4 | EB 07                 | jmp photographicdesigner.1409EBBCD                                                                              |
00000001409EBBC6 | 0FB605 33B0F000       | movzx eax,byte ptr ds:[1418F6C00]                                                                               |
00000001409EBBCD | 84C0                  | test al,al                                                                                                      |
00000001409EBBCF | 74 4E                 | je photographicdesigner.1409EBC1F                                                                               |
00000001409EBBD1 | 85DB                  | test ebx,ebx                                                                                                    |
00000001409EBBD3 | 74 2C                 | je photographicdesigner.1409EBC01                                                                               |
00000001409EBBD5 | 48:8D5424 48          | lea rdx,qword ptr ss:[rsp+48]                                                                                   |
00000001409EBBDA | 48:8D0D C72E1201      | lea rcx,qword ptr ds:[<class ProtectionEnvironment::CMX_ProteinLib s_proteinLib>]                               |
00000001409EBBE1 | C74424 48 00000000    | mov dword ptr ss:[rsp+48],0                                                                                     |
00000001409EBBE9 | E8 229D0100           | call <photographicdesigner.public: virtual enum ProtectionEnvironment::t_proteinResult __cdecl ProtectionEnviro |
00000001409EBBEE | 8B4C24 48             | mov ecx,dword ptr ss:[rsp+48]                                                                                   |
00000001409EBBF2 | 85C0                  | test eax,eax                                                                                                    |
00000001409EBBF4 | 74 1A                 | je photographicdesigner.1409EBC10                                                                               |
00000001409EBBF6 | 85C9                  | test ecx,ecx                                                                                                    |
00000001409EBBF8 | 74 16                 | je photographicdesigner.1409EBC10                                                                               |
00000001409EBBFA | 0FB605 FFAFF000       | movzx eax,byte ptr ds:[1418F6C00]                                                                               |
00000001409EBC01 | 84C0                  | test al,al                                                                                                      |
00000001409EBC03 | 74 1A                 | je photographicdesigner.1409EBC1F                                                                               |
00000001409EBC05 | B8 01000000           | mov eax,1                                                                                                       |
00000001409EBC0A | 48:83C4 20            | add rsp,20                                                                                                      |
00000001409EBC0E | 5B                    | pop rbx                                                                                                         |
00000001409EBC0F | C3                    | ret    

10. Before and after comparison
(screenshots: 2021-04-07_183715.jpg, 2021-04-07_181915.jpg)


ciker_li posted on 2021-4-7 21:12
Thanks for sharing, OP.
djxding posted on 2021-4-8 11:16
OP: hello!
I followed your tutorial step by step. When I got to:
“During analysis you will come across handler functions containing IsTrialVersion, so press Ctrl+N to open the symbol window and search for IsTrialVersion”
I could not proceed.
(screenshot: w12.jpg)

The search finds nothing for IsTrialVersion.
May I ask why? Where did I go wrong?

Please advise, thanks.


YiMengYanYu posted on 2021-4-8 16:42
djxding posted on 2021-4-11 19:32
This post was last edited by djxding on 2021-4-11 19:34

Finally succeeded.
To spare other newcomers like me the detour I took, here is a note.

When opening the symbol window, be sure to tick “Lock”, sort by module in the left pane, and then, starting from the first user module, click each one in turn and check whether the right-hand pane shows any data.
If nothing is shown, click the next user module, and keep going until every user module has been gone through once.

(screenshot: WW23.jpg)

That way you will definitely find the IsTrialVersion symbol.

Hope this helps newcomers.