好友
阅读权限40
听众
最后登录1970-1-1
|
本帖最后由 冥界3大法王 于 2020-4-8 09:53 编辑
好吧,这个打字练习软件真的好老了。
只是我硬盘的一个收藏而已。
这东西分为两个版本:一个是民用版,一个是商用版。
民用版就是个人的,免费使用,但使用时会弹百度广告
商用版底部没有广告,但需要用户购买和注册才能正常的使用。
我这里说的是2013版,2016版网上似乎没有商用的,只有个人免费加广告的
破解过程就不说了,省得犯规,被红牌。
看到论坛有人发了去广告过程,那好吧,我也说说我的去升级提示的过程吧。
每次程序运行不久或退出时,就会发现位于%temp% ,出现了一个叫TypeEasy_Update.exe的安装文件出现了安装窗口
十分的讨人烦!所以必须得干掉以绝后患。
通过TC搜索+Winhex修改
wps.cn
wps.com
api.51dzt.com(无论acsii ,unicode,utf-8都是不行的)试过好多次,想起来就鼓捣一下,我们发现无济于事。
也曾经怀疑过 index.xml,和 其他的 dll and exe ,但全部不行的;因为修改之后没一点用,还会弹出。
最近前不久,我发现目录里有个叫 bsns.data 的文件十分的可疑
于是就用winhex打开查看了下,发现有个字段 TypeEasy.html 很可能就是了。于是修改为00 打包成单文件版仅25M,之后升级安装再也没有出来过。
于是你或许会问,为啥肯定是这个呢?
我们为两部分来猜测
有可能是TypeEasy
有可能是Update
所以碰巧正好蒙到了,因为它们是间接调用的。
楼主不喜欢修改hosts文件的方法(因为你系统更新了,你还得再修改,累不累?)
所以说玩破解或逆向得学会:
1,大海捞针缩减范围
2,监控安装 或 运行日志;比如火绒,hips类,api monitor,抓包,process monitor,当然还有太多行为检测工具
3,破坏性修改和试探 是最直接简单和暴力的方法
注: 提供破解成品会被关到黑屋反省的。
![]()
前面写得还是有问题!重写!
字符串搜索,checkupdate这个即是检测点1 ,同时也是注册表键值
不断的回溯!来到下面的代码!
[Asm] 纯文本查看 复制代码
0090D9B0 | push ebp 第1次检测ret掉!
0090D9B1 | 8BEC | mov ebp,esp |
0090D9B3 | 6A FF | push FFFFFFFF |
0090D9B5 | 68 F9FD | push <crack.sub_92FDF9> |
0090D9BA | 64:A1 0 | mov eax,dword ptr fs:[0] |
0090D9C0 | 50 | push eax |
0090D9C1 | 51 | push ecx | ecx:sub_942320
0090D9C2 | 56 | push esi |
0090D9C3 | 57 | push edi |
0090D9C4 | A1 6C82 | mov eax,dword ptr ds:[97826C] |
0090D9C9 | 33C5 | xor eax,ebp |
0090D9CB | 50 | push eax |
0090D9CC | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] |
0090D9CF | 64:A3 0 | mov dword ptr fs:[0],eax |
0090D9D5 | 8BF1 | mov esi,ecx | ecx:sub_942320
0090D9D7 | E8 F4D5 | call <crack.sub_90AFD0> |
0090D9DC | 84C0 | test al,al |
0090D9DE | 74 53 | je crack.90DA33 |
0090D9E0 | 8BCE | mov ecx,esi | ecx:sub_942320
0090D9E2 | E8 E9F2 | call <crack.sub_90CCD0> |
0090D9E7 | 84C0 | test al,al |
0090D9E9 | 74 48 | je crack.90DA33 |
0090D9EB | E8 40F8 | call <crack.sub_90D230> |
0090D9F0 | 6A FF | push FFFFFFFF |
0090D9F2 | 68 A01A | push crack.951AA0 | 951AA0:"-mode=download -from=typeeasy"
0090D9F7 | FF15 3C | call dword ptr ds:[<&?fromAscii_helper@QString@@CAPAUD |
0090D9FD | 8945 F0 | mov dword ptr ss:[ebp-10],eax |
0090DA00 | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] |
0090DA03 | 50 | push eax |
0090DA04 | C745 FC | mov dword ptr ss:[ebp-4],0 |
0090DA0B | E8 90FC | call <crack.sub_90D6A0> |
0090DA10 | 8B4D F0 | mov ecx,dword ptr ss:[ebp-10] | ecx:sub_942320
0090DA13 | 83C4 0C | add esp,C |
0090DA16 | C745 FC | mov dword ptr ss:[ebp-4],FFFFFFFF |
0090DA1D | 83CA FF | or edx,FFFFFFFF |
0090DA20 | F0:0FC1 | lock xadd dword ptr ds:[ecx],edx | ecx:sub_942320
0090DA24 | 75 0D | jne crack.90DA33 |
0090DA26 | 8B45 F0 | mov eax,dword ptr ss:[ebp-10] |
0090DA29 | 50 | push eax |
0090DA2A | FF15 44 | call dword ptr ds:[<&?free@QString@@CAXPAUData@1@@Z>] |
0090DA30 | 83C4 04 | add esp,4 |
0090DA33 | 8D4E 0C | lea ecx,dword ptr ds:[esi+C] | ecx:sub_942320
0090DA36 | FF15 A4 | call dword ptr ds:[<&?lockForWrite@QReadWriteLock@@QAE |
0090DA3C | 8D4E 0C | lea ecx,dword ptr ds:[esi+C] | ecx:sub_942320
0090DA3F | C646 10 | mov byte ptr ds:[esi+10],1 |
0090DA43 | FF15 A0 | call dword ptr ds:[<&?unlock@QReadWriteLock@@QAEXXZ>] |
0090DA49 | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] | ecx:sub_942320
0090DA4C | 64:890D | mov dword ptr fs:[0],ecx | ecx:sub_942320
0090DA53 | 59 | pop ecx | ecx:sub_942320
0090DA54 | 5F | pop edi |
0090DA55 | 5E | pop esi |
0090DA56 | 8BE5 | mov esp,ebp |
0090DA58 | 5D | pop ebp |
0090DA59 | C3 | ret |
[Asm] 纯文本查看 复制代码
008D2D99 | E8 10 | call <crack.sub_92E2AE> |
008D2D9E | 83C4 | add esp,4 |
008D2DA1 | A1 B4 | mov eax,dword ptr ds:[<&?shared_null@QString@@0UData@ |
008D2DA6 | 8B40 | mov eax,dword ptr ds:[eax+8] |
008D2DA9 | 85C0 | test eax,eax |
008D2DAB | 0F84 | je crack.8D2E70 | 第2处 84改 85
008D2DB1 | 8D4D | lea ecx,dword ptr ss:[ebp-24] | ecx:sub_942320
008D2DB4 | 51 | push ecx | ecx:sub_942320
008D2DB5 | E8 B6 | call <crack.sub_8B2770> |
008D2DBA | 83C4 | add esp,4 |
008D2DBD | 50 | push eax |
008D2DBE | B9 B4 | mov ecx,<crack.&?shared_null@QString@@0UData@1@A> | ecx:sub_942320
008D2DC3 | C745 | mov dword ptr ss:[ebp-4],C | C:'\f'
008D2DCA | FF15 | call dword ptr ds:[<&??4QString@@QAEAAV0@$$QAV0@@Z>] |
008D2DD0 | 8B55 | mov edx,dword ptr ss:[ebp-24] |
008D2DD3 | 897D | mov dword ptr ss:[ebp-4],edi |
008D2DD6 | 8BC7 | mov eax,edi |
008D2DD8 | F0:0F | lock xadd dword ptr ds:[edx],eax |
008D2DDC | 75 09 | jne crack.8D2DE7 |
008D2DDE | 8B4D | mov ecx,dword ptr ss:[ebp-24] | ecx:sub_942320
008D2DE1 | 51 | push ecx | ecx:sub_942320
008D2DE2 | FFD3 | call ebx |
008D2DE4 | 83C4 | add esp,4 |
008D2DE7 | 68 9C | push crack.947B9C | 947B9C:"/TypeEasyData/download"
008D2DEC | B9 B4 | mov ecx,<crack.&?shared_null@QString@@0UData@1@A> | ecx:sub_942320
008D2DF1 | FF15 | call dword ptr ds:[<&??YQString@@QAEAAV0@PBD@Z>] |
008D2DF7 | A1 40 | mov eax,dword ptr ds:[<&?shared_null@QString@@0UData@ |
008D2DFC | 8945 | mov dword ptr ss:[ebp-20],eax |
008D2DFF | BA 01 | mov edx,1 |
008D2E04 | F0:0F | lock xadd dword ptr ds:[eax],edx |
008D2E08 | 8D45 | lea eax,dword ptr ss:[ebp-20] |
008D2E0B | 50 | push eax |
008D2E0C | 8D4D | lea ecx,dword ptr ss:[ebp-1C] | ecx:sub_942320
008D2E0F | C745 | mov dword ptr ss:[ebp-4],D | D:'\r'
008D2E16 | FF15 | call dword ptr ds:[<&??0QDir@@QAE@ABVQString@@@Z>] |
008D2E1C | 8B4D | mov ecx,dword ptr ss:[ebp-20] | ecx:sub_942320
008D2E1F | C645 | mov byte ptr ss:[ebp-4],F |
008D2E23 | 8BD7 | mov edx,edi |
008D2E25 | F0:0F | lock xadd dword ptr ds:[ecx],edx | ecx:sub_942320
F8顺序向下执行,结果,又被断下
008D2EEE | EB 47 | jmp crack.8D2F37 |
008D2EF0 | 8D45 | lea eax,dword ptr ss:[ebp-24] |
008D2EF3 | 50 | push eax |
008D2EF4 | FF15 | call dword ptr ds:[<&?applicationDirPath@QCoreApplica |
008D2EFA | 83C4 | add esp,4 |
008D2EFD | 50 | push eax |
008D2EFE | B9 B4 | mov ecx,<crack.&?shared_null@QString@@0UData@1@A> |
008D2F03 | C745 | mov dword ptr ss:[ebp-4],12 |
008D2F0A | FF15 | call dword ptr ds:[<&??4QString@@QAEAAV0@$$QAV0@@Z>] |
008D2F10 | 8B4D | mov ecx,dword ptr ss:[ebp-24] |
008D2F13 | 897D | mov dword ptr ss:[ebp-4],edi |
008D2F16 | 8BD7 | mov edx,edi |
008D2F18 | F0:0F | lock xadd dword ptr ds:[ecx],edx |
008D2F1C | 75 09 | jne crack.8D2F27 |
008D2F1E | 8B45 | mov eax,dword ptr ss:[ebp-24] |
008D2F21 | 50 | push eax |
008D2F22 | FFD3 | call ebx |
008D2F24 | 83C4 | add esp,4 |
008D2F27 | 68 90 | push crack.947B90 | 947B90:"/uplive.exe"
008D2F2C | B9 B4 | mov ecx,<crack.&?shared_null@QString@@0UData@1@A> |
008D2F31 | FF15 | call dword ptr ds:[<&??YQString@@QAEAAV0@PBD@Z>] |
008D2F37 | A1 68 | mov eax,dword ptr ds:[<&?shared_null@QListData@@2UDat |
008D2F44 | F0:0F | lock xadd dword ptr ds:[eax],ecx |
008D2F48 | 57 | push edi |
008D2F49 | BB 13 | mov ebx,13 |
008D2F4E | 68 80 | push crack.947B80 | 947B80:"-mode=update"
[Asm] 纯文本查看 复制代码
0090D891 | E9 D4 | jmp crack.90D96A |===>JMP掉!
0090D896 | 008B | add byte ptr ds:[ebx-28CD1732],cl |
0090D89C | FF | ??? |
0090D89D | FF84C | inc dword ptr ds:[eax+eax*8+C4840F] |
0090D8A4 | 0000 | add byte ptr ds:[eax],al |
0090D8A6 | 8BCE | mov ecx,esi |
0090D8A8 | E8 23 | call <crack.sub_90CCD0> |
0090D8AD | 84C0 | test al,al |
0090D8AF | 0F84 | je crack.90D96A |
0090D8B5 | 8B3D | mov edi,dword ptr ds:[<&?fromAscii_helper@QString@@CA |
0090D8BB | 6A FF | push FFFFFFFF |
0090D8BD | 68 74 | push crack.951A74 | 951A74:"-mode=update -trigging=exit -from=typeeasy"
0090D8C2 | FFD7 | call edi |
0090D8C4 | 8945 | mov dword ptr ss:[ebp-10],eax |
0090D8C7 | 8D45 | lea eax,dword ptr ss:[ebp-10] |
0090D8CA | 50 | push eax |
0090D8CB | C645 | mov byte ptr ss:[ebp-4],3 |
0090D8CF | E8 CC | call <crack.sub_90D6A0> |
0090D8D4 | 8B4D | mov ecx,dword ptr ss:[ebp-10] |
0090D8D7 | 83C4 | add esp,C |
0090D8DA | C645 | mov byte ptr ss:[ebp-4],2 |
0090D8DE | 83CA | or edx,FFFFFFFF |
0090D8E1 | F0:0F | lock xadd dword ptr ds:[ecx],edx |
0090D8E5 | 75 0D | jne crack.90D8F4 |
0090D8E7 | 8B45 | mov eax,dword ptr ss:[ebp-10] |
0090D8EA | 50 | push eax |
0090D8EB | FF15 | call dword ptr ds:[<&?free@QString@@CAXPAUData@1@@Z>] |
0090D8F1 | 83C4 | add esp,4 |
0090D8F4 | 6A FF | push FFFFFFFF |
0090D8F6 | 68 4C | push crack.94E34C | 94E34C:"yyyy-MM-dd"
0090D8FB | FFD7 | call edi |
0090D8FD | 83C4 | add esp,8 |
0090D900 | 8945 | mov dword ptr ss:[ebp-10],eax |
0090D903 | 8D4D | lea ecx,dword ptr ss:[ebp-10] |
0090D906 | 51 | push ecx |
0090D907 | 8D55 | lea edx,dword ptr ss:[ebp-14] |
0090D90A | 52 | push edx |
0090D90B | 8D45 | lea eax,dword ptr ss:[ebp-1C] |
0090D90E | 50 | push eax |
0090D90F | C645 | mov byte ptr ss:[ebp-4],4 |
0090D913 | FF15 | call dword ptr ds:[<&?currentDate@QDate@@SA?AV1@XZ>] |
0090D919 | 83C4 | add esp,4 |
0090D91C | 8BC8 | mov ecx,eax |
0090D91E | FF15 | call dword ptr ds:[<&?toString@QDate@@QBE?AVQString@@ |
0090D924 | 50 | push eax |
0090D925 | 8BCE | mov ecx,esi |
0090D927 | C645 | mov byte ptr ss:[ebp-4],5 |
0090D92B | E8 E0 | call <crack.sub_90B210> |
0090D930 | 8B4D | mov ecx,dword ptr ss:[ebp-14] |
0090D933 | C645 | mov byte ptr ss:[ebp-4],4 |
0090D937 | 83CA | or edx,FFFFFFFF |
0090D93A | F0:0F | lock xadd dword ptr ds:[ecx],edx |
0090D93E | 75 0D | jne crack.90D94D |
0090D940 | 8B45 | mov eax,dword ptr ss:[ebp-14] |
0090D943 | 50 | push eax |
0090D944 | FF15 | call dword ptr ds:[<&?free@QString@@CAXPAUData@1@@Z>] |
0090D94A | 83C4 | add esp,4 |
0090D94D | 8B4D | mov ecx,dword ptr ss:[ebp-10] |
0090D950 | C645 | mov byte ptr ss:[ebp-4],2 |
0090D954 | 83CA | or edx,FFFFFFFF |
0090D957 | F0:0F | lock xadd dword ptr ds:[ecx],edx |
0090D95B | 75 0D | jne crack.90D96A |
0090D95D | 8B45 | mov eax,dword ptr ss:[ebp-10] |
0090D960 | 50 | push eax |
0090D961 | FF15 | call dword ptr ds:[<&?free@QString@@CAXPAUData@1@@Z>] |
0090D967 | 83C4 | add esp,4 |
0090D96A | 8D4E | lea ecx,dword ptr ds:[esi+C] |
0090D96D | C645 | mov byte ptr ss:[ebp-4],1 |
0090D971 | FF15 | call dword ptr ds:[<&??1QReadWriteLock@@QAE@XZ>] |
0090D977 | 8D4E | lea ecx,dword ptr ds:[esi+8] |
0090D97A | C645 | mov byte ptr ss:[ebp-4],0 |
0090D97E | FF15 | call dword ptr ds:[<&??1QMutex@@QAE@XZ>] |
0090D984 | 8BCE | mov ecx,esi |
0090D986 | C745 | mov dword ptr ss:[ebp-4],FFFFFFFF |
0090D98D | FF15 | call dword ptr ds:[<&??1QThread@@UAE@XZ>] |
0090D993 | 8B4D | mov ecx,dword ptr ss:[ebp-C] |
0090D996 | 64:89 | mov dword ptr fs:[0],ecx |
0090D99D | 59 | pop ecx |
0090D99E | 5F | pop edi |
0090D99F | 5E | pop esi |
0090D9A0 | 8BE5 | mov esp,ebp |
0090D9A2 | 5D | pop ebp |
0090D9A3 | C3 | ret |
终极打补丁方案:我们需要打四次补丁方可解决。
00422DAB: 0F85BF000000 jne 00422E70h | 00422DAB: E9C0000000 jmp 00422E70h
| 00422DB0: 008D4DDC51E8 add byte ptr [ebp-17AE23B3h], cl
00422DB1: 8D4DDC lea ecx, dword ptr [ebp-24h] |
00422DB4: 51 push ecx |
00422DB5: E8B6F9FDFF call 00402770h |
| 00422DB6: B6F9 mov dh, F9h
| 00422DB8: FD std
| 00422DB9: FF83C40450B9 inc dword ptr [ebx-46AFFB3Ch]
00422DBA: 83C404 add esp, 04h |
00422DBD: 50 push eax |
00422DBE: B9B48F4C00 mov ecx, 004C8FB4h |
| 00422DBF: B48F mov ah, 8Fh
| 00422DC1: 4C dec esp
| 00422DC2: 00C7 add bh, al
00422DC3: C745FC0C000000 mov dword ptr [ebp-04h], 0000000Ch |
| 00422DC4: 45 inc ebp
| 00422DC5: FC cld
| 00422DC6: 0C00 or al, 00000000h
| 00422DC8: 0000 add byte ptr [eax], al
------------------------------------------------------------------------------------------------------------------------------------------
00422EEE: 7547 jne 00422F37h | 00422EEE: EB47 jmp 00422F37h
------------------------------------------------------------------------------------------------------------------------------------------
0045D891: 0F84D3000000 je 0045D96Ah | 0045D891: E9D4000000 jmp 0045D96Ah
| 0045D896: 008BCEE832D7 add byte ptr [ebx-28CD1732h], cl
0045D897: 8BCE mov ecx, esi |
0045D899: E832D7FFFF call 0045AFD0h |
| 0045D89C FFFF ???
| 0045D89E: 84C0 test al, al
| 0045D8A0: 0F84C4000000 je 0045D96Ah
0045D89E: 84C0 test al, al |
0045D8A0: 0F84C4000000 je 0045D96Ah |
| 0045D8A6: 8BCE mov ecx, esi
| 0045D8A8: E823F4FFFF call 0045CCD0h
0045D8A6: 8BCE mov ecx, esi |
0045D8A8: E823F4FFFF call 0045CCD0h |
| 0045D8AD: 84C0 test al, al
| 0045D8AF: 0F84B5000000 je 0045D96Ah
0045D8AD: 84C0 test al, al |
0045D8AF: 0F84B5000000 je 0045D96Ah |
| 0045D8B5: 8B3D3C354900 mov edi, dword ptr [0049353Ch]
0045D8B5: 8B3D3C354900 mov edi, dword ptr [0049353Ch] |
| 0045D8BB: 6AFF push FFFFFFFFh
| 0045D8BD: 68741A4A00 push 004A1A74h
0045D8BB: 6AFF push FFFFFFFFh |
0045D8BD: 68741A4A00 push 004A1A74h |
| 0045D8C2: FFD7 call edi
| 0045D8C4: 8945F0 mov dword ptr [ebp-10h], eax
0045D8C2: FFD7 call edi |
0045D8C4: 8945F0 mov dword ptr [ebp-10h], eax | 0045D8C7: 8D45F0 lea eax, dword ptr [ebp-10h]
0045D8C7: 8D45F0 lea eax, dword ptr [ebp-10h] | 0045D8CA: 50 push eax
| 0045D8CB: C645FC03 mov byte ptr [ebp-04h], 00000003h
0045D8CA: 50 push eax |
0045D8CB: C645FC03 mov byte ptr [ebp-04h], 00000003h |
| 0045D8CF: E8CCFDFFFF call 0045D6A0h
0045D8CF: E8CCFDFFFF call 0045D6A0h |
| 0045D8D4: 8B4DF0 mov ecx, dword ptr [ebp-10h]
0045D8D4: 8B4DF0 mov ecx, dword ptr [ebp-10h] | 0045D8D7: 83C40C add esp, 0Ch
0045D8D7: 83C40C add esp, 0Ch | 0045D8DA: C645FC02 mov byte ptr [ebp-04h], 00000002h
0045D8DA: C645FC02 mov byte ptr [ebp-04h], 00000002h |
| 0045D8DE: 83CAFF or edx, FFFFFFFFh
0045D8DE: 83CAFF or edx, FFFFFFFFh | 0045D8E1: F00FC111 lock xadd dword ptr [ecx], edx
0045D8E1: F00FC111 lock xadd dword ptr [ecx], edx |
| 0045D8E5: 750D jne 0045D8F4h
| 0045D8E7: 8B45F0 mov eax, dword ptr [ebp-10h]
0045D8E5: 750D jne 0045D8F4h |
0045D8E7: 8B45F0 mov eax, dword ptr [ebp-10h] | 0045D8EA: 50 push eax
| 0045D8EB: FF1544354900 call dword ptr [00493544h]
0045D8EA: 50 push eax |
0045D8EB: FF1544354900 call dword ptr [00493544h] |
| 0045D8F1: 83C404 add esp, 04h
0045D8F1: 83C404 add esp, 04h | 0045D8F4: 6AFF push FFFFFFFFh
| 0045D8F6: 684CE34900 push 0049E34Ch
0045D8F4: 6AFF push FFFFFFFFh |
------------------------------------------------------------------------------------------------------------------------------------------
0045D968: C4048D4E0CC645 les eax, fword ptr [45C60C4Eh+ecx*4] |
| 0045D968: C4048D4E0CC645 les eax, fword ptr [45C60C4Eh+ecx*4]
0045D96F: FC cld |
0045D970: 01FF add edi, edi |
| 0045D96F: FC cld
0045D972: 159C344900 adc eax, 0049349Ch | 0045D970: 01FF add edi, edi
| 0045D972: 159C344900 adc eax, 0049349Ch
0045D977: 8D4E08 lea ecx, dword ptr [esi+08h] |
| 0045D977: 8D4E08 lea ecx, dword ptr [esi+08h]
0045D97A: C645FC00 mov byte ptr [ebp-04h], 00000000h |
| 0045D97A: C645FC00 mov byte ptr [ebp-04h], 00000000h
0045D97E: FF1590314900 call dword ptr [00493190h] |
| 0045D97E: FF1590314900 call dword ptr [00493190h]
0045D984: 8BCE mov ecx, esi |
0045D986: C745FCFFFFFFFF mov dword ptr [ebp-04h], FFFFFFFFh | 0045D984: 8BCE mov ecx, esi
| 0045D986: C745FCFFFFFFFF mov dword ptr [ebp-04h], FFFFFFFFh
0045D98D: FF155C344900 call dword ptr [0049345Ch] |
| 0045D98D: FF155C344900 call dword ptr [0049345Ch]
0045D993: 8B4DF4 mov ecx, dword ptr [ebp-0Ch] |
| 0045D993: 8B4DF4 mov ecx, dword ptr [ebp-0Ch]
0045D996: 64890D00000000 mov dword ptr fs:[00000000h], ecx |
| 0045D996: 64890D00000000 mov dword ptr fs:[00000000h], ecx
0045D99D: 59 pop ecx |
0045D99E: 5F pop edi |
0045D99F: 5E pop esi | 0045D99D: 59 pop ecx
0045D9A0: 8BE5 mov esp, ebp | 0045D99E: 5F pop edi
| 0045D99F: 5E pop esi
0045D9A2: 5D pop ebp | 0045D9A0: 8BE5 mov esp, ebp
0045D9A3: C3 ret |
0045D9A4: CC int3 | 0045D9A2: 5D pop ebp
0045D9A5: CC int3 | 0045D9A3: C3 ret
0045D9B0: 55 push ebp | 0045D9AE: CC int3
0045D9B1: 8BEC mov ebp, esp | 0045D9AF: CC int3
| 0045D9B0: C3 ret
0045D9B3: 6AFF push FFFFFFFFh | 0045D9B1: 8BEC mov ebp, esp
0045D9B5: 68F9FD4700 push 0047FDF9h | 0045D9B3: 6AFF push FFFFFFFFh
| 0045D9B5: 68F9FD4700 push 0047FDF9h
0045D9BA: 64A100000000 mov eax, dword ptr fs:[00000000h] |
| 0045D9BA: 64A100000000 mov eax, dword ptr fs:[00000000h]
0045D9C0: 50 push eax |
0045D9C1: 51 push ecx |
0045D9C2: 56 push esi | 0045D9C0: 50 push eax
0045D9C3: 57 push edi | 0045D9C1: 51 push ecx
0045D9C4: A16C824C00 mov eax, dword ptr [004C826Ch] | 0045D9C2: 56 push esi
| 0045D9C3: 57 push edi
| 0045D9C4: A16C824C00 mov eax, dword ptr [004C826Ch]
0045D9C9: 33C5 xor eax, ebp |
0045D9CB: 50 push eax | 0045D9C9: 33C5 xor eax, ebp
0045D9CC: 8D45F4 lea eax, dword ptr [ebp-0Ch] |
| 0045D9CB: 50 push eax
| 0045D9CC: 8D45F4 lea eax, dword ptr [ebp-0Ch]
0045D9CF: 64A300000000 mov dword ptr fs:[00000000h], eax |
| 0045D9CF: 64A300000000 mov dword ptr fs:[00000000h], eax
0045D9D5: 8BF1 mov esi, ecx |
0045D9D7: E8F4D5FFFF call 0045AFD0h | 0045D9D5: 8BF1 mov esi, ecx
| 0045D9D7: E8F4D5FFFF call 0045AFD0h
0045D9DC: 84C0 test al, al |
0045D9DE: 7453 je 0045DA33h | 0045D9DC: 84C0 test al, al
0045D9E0: 8BCE mov ecx, esi | 0045D9DE: EB53 jmp 0045DA33h
0045D9E2: E8E9F2FFFF call 0045CCD0h | 0045D9E0: 8BCE mov ecx, esi
| 0045D9E2: E8E9F2FFFF call 0045CCD0h
0045D9E7: 84C0 test al, al |
------------------------------------------------------------------------------------------------------------------------------------------
0045D9B0: 55 push ebp | 0045D9B0: C3 ret
0045D9DE: 7453 je 0045DA33h | 0045D9DE: EB53 jmp 0045DA33h
------------------------------------------------------------------------------------------------------------------------------------------
另外,还有一个问题,当点击右上角关闭窗口时,并不会真的退出,好吧,我们顺路也修改下。
因为前边跟到了close ,所以下面的修改代码还是比较好接的。
我们会断到下面这里!
[Asm] 纯文本查看 复制代码 00922AF3 | 68 1466 | push 去升级终极版.996614 | 996614:"close"
00922AF8 | FFD6 | call esi |
00922AFA | 8907 | mov dword ptr ds:[edi],eax |
00922AFC | 8B0D 04 | mov ecx,dword ptr ds:[9C9004] |
00922B02 | 83C4 08 | add esp,8 |
00922B05 | E8 E6F7 | call 去升级终极版.9322F0 |
00922B0A | 6A 00 | push 0 |
00922B0C | E8 1F15 | call 去升级终极版.954030 |
00922B11 | 8BC8 | mov ecx,eax |
00922B13 | E8 D8F3 | call 去升级终极版.951EF0 |
00922B18 | 50 | push eax |
00922B19 | 8D4D C0 | lea ecx,dword ptr ss:[ebp-40] |
00922B1C | E8 DF7D | call 去升级终极版.90A900 |
00922B21 | 8D45 DC | lea eax,dword ptr ss:[ebp-24] |
00922B24 | 50 | push eax |
00922B25 | C745 FC | mov dword ptr ss:[ebp-4],0 |
00922B2C | FF15 14 | call dword ptr ds:[<&?currentTime@QTime |
00922B32 | 6A FF | push FFFFFFFF |
00922B34 | 68 6075 | push 去升级终极版.997560 | 997560:"HH:mm:ss"
还记得这个吗?
[Asm] 纯文本查看 复制代码
0095D891 | E9 D400 | jmp 去升级终极版.95D96A | 我们就用这个地址试一下好吧?
0095D896 | 008B CE | add byte ptr ds:[ebx-28CD1732],cl |
0095D89C | FF | ??? |
0095D89D | FF84C0 | inc dword ptr ds:[eax+eax*8+C4840F] |
0095D8A4 | 0000 | add byte ptr ds:[eax],al |
0095D8A6 | 8BCE | mov ecx,esi |
0095D8A8 | E8 23F4 | call 去升级终极版.95CCD0 |
0095D8AD | 84C0 | test al,al |
0095D8AF | 0F84 B5 | je 去升级终极版.95D96A |
0095D8B5 | 8B3D 3C | mov edi,dword ptr ds:[<&?fromAscii_help |
0095D8BB | 6A FF | push FFFFFFFF |
0095D8BD | 68 741A | push 去升级终极版.9A1A74 | 9A1A74:"-mode=update -trigging=exit -from=typeeasy"
但是跨越幅度太大,程序异常了(但保存出的文件可以的)
|
免费评分
-
查看全部评分
|
[复制链接]
|
发表于 2020-4-7 17:03
|楼主
发表于 2022-4-3 18:32
收藏
淘帖
有用
分享到朋友圈
