[Original] A simple analysis of cracking Aiseesoft Video Repair v1.0.20

speedboy posted on 2023-11-18 20:33
1. First, run the program and notice that the window title shows "Unregistered".
2. Exit the program, load it in x64dbg and run it until the splash screen appears:
(screenshot: 2023-11-18_202856.png)
3. In the disassembly pane, right-click → Search for → All user modules → String references, search for "Unregistered", get one hit, and double-click it to reach the disassembly:
[Asm]
00007FFC4479A62 | 40:53                  | PUSH RBX                                    | 》This is the start of the function; right-click here → Find references → Selected address, which yields 5 call sites
00007FFC4479A62 | 48:83EC 30             | SUB RSP,0x30                                |
00007FFC4479A62 | 48:8BD9                | MOV RBX,RCX                                 |
00007FFC4479A62 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF      |
00007FFC4479A63 | 45:33C9                | XOR R9D,R9D                                 |
00007FFC4479A63 | 48:8D0D 85BF1100       | LEA RCX,QWORD PTR DS:[<public: static struc |
00007FFC4479A63 | 83FA 01                | CMP EDX,0x1                                 | 》If EDX=1, the JE below is taken. Tracing upward shows that EDX is assigned before the Call.
00007FFC4479A63 | 4C:8D05 BB500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F700]        | ds:[00007FFC4483F700]:"Registered"
00007FFC4479A64 | 48:8BD3                | MOV RDX,RBX                                 |
00007FFC4479A64 | 74 07                  | JE framework.7FFC4479A651                   | 》When taken, this jump skips the "Unregistered" title
00007FFC4479A64 | 4C:8D05 BF500A00       | LEA R8,QWORD PTR DS:[0x7FFC4483F710]        | ds:[00007FFC4483F710]:"Unregistered"
00007FFC4479A65 | FF15 C9D10900          | CALL QWORD PTR DS:[<public: class QString _ |
00007FFC4479A65 | 48:8BC3                | MOV RAX,RBX                                 |
00007FFC4479A65 | 48:83C4 30             | ADD RSP,0x30                                |
00007FFC4479A65 | 5B                     | POP RBX                                     |
00007FFC4479A65 | C3                     | RET                                         |

(See the comments on the key lines; I have annotated them.)
4. The five call sites are:
[Asm]
00007FFC447864AB call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447865A6 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447BA560 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447C0B30 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>
00007FFC447D2760 call <framework.public: static class QString __cdecl AkClientAuthorization::stateDescription(int)>

Double-click the first one to reach the disassembly:
[Asm]
00007FFC4478648 | E8 7BCD0000            | CALL <framework.public: enum AkClientAuthor | 》This is the key Call; press F7 to step into it, a returned EAX=1 is what we want
00007FFC4478648 | 8BF0                   | MOV ESI,EAX                                 | 》Here, ESI=EAX
00007FFC4478648 | 83F8 01                | CMP EAX,0x1                                 |
00007FFC4478648 | 0F84 9E010000          | JE framework.7FFC4478662E                   |
00007FFC4478649 | 33D2                   | XOR EDX,EDX                                 |
00007FFC4478649 | 48:8D0D 5F390B00       | LEA RCX,QWORD PTR DS:[0x7FFC44839DF8]       |
00007FFC4478649 | FF15 71130B00          | CALL QWORD PTR DS:[<private: static struct  |
00007FFC4478649 | 48:894424 58           | MOV QWORD PTR SS:[RSP+0x58],RAX             |
00007FFC447864A | 8BD6                   | MOV EDX,ESI                                 | 》Here EDX=ESI; search upward for where ESI is assigned
00007FFC447864A | 48:8D4C24 48           | LEA RCX,QWORD PTR SS:[RSP+0x48]             |
00007FFC447864A | E8 70410100            | CALL <framework.public: static class QStrin |
00007FFC447864B | 48:8BD8                | MOV RBX,RAX                                 |

(See the comments on the key lines; I have annotated them.)
5. Step into the key Call (00007FFC4478648 CALL <framework.public: enum AkClientAuthorization::State __cdecl AkClientAutho) and analyze it; this gives [Patch point 1].
Change MOV EAX,DWORD PTR DS:[RCX+0x2C] to:
[Asm]
MOV EAX,1
RET

6. When we first ran the program, it prompted us to enter an email and a registration code to register; after testing, it returns "The registration code is invalid.". Searching for this string yields 7 hits:
[Asm]
00007FFC424A2D73 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3100 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3941 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A3B09 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7CEF lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424A7E2F lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."
00007FFC424E0710 lea r8,qword ptr ds:[7FFC4254F698] 00007FFC4254F698 "The registration code is invalid."

7. Double-click the first one to reach the disassembly (see the comments on the key lines; I have annotated them):
[Asm]
00007FFC424A28C | 48:8BC4                | MOV RAX,RSP                                |
00007FFC424A28C | 55                     | PUSH RBP                                   |
00007FFC424A28C | 41:54                  | PUSH R12                                   |
00007FFC424A28C | 41:55                  | PUSH R13                                   |
00007FFC424A28C | 41:56                  | PUSH R14                                   |
00007FFC424A28C | 41:57                  | PUSH R15                                   |
00007FFC424A28C | 48:8D68 B1             | LEA RBP,QWORD PTR DS:[RAX-0x4F]            |
00007FFC424A28D | 48:81EC 90000000       | SUB RSP,0x90                               |
00007FFC424A28D | 48:C745 1F FEFFFFFF    | MOV QWORD PTR SS:[RBP+0x1F],0xFFFFFFFFFFFF |
00007FFC424A28D | 48:8958 08             | MOV QWORD PTR DS:[RAX+0x8],RBX             |
00007FFC424A28E | 48:8970 10             | MOV QWORD PTR DS:[RAX+0x10],RSI            |
00007FFC424A28E | 48:8978 18             | MOV QWORD PTR DS:[RAX+0x18],RDI            |
00007FFC424A28E | 4D:8BF1                | MOV R14,R9                                 |
00007FFC424A28E | 4D:8BE8                | MOV R13,R8                                 |
00007FFC424A28F | 48:8BDA                | MOV RBX,RDX                                |
00007FFC424A28F | 48:8BF9                | MOV RDI,RCX                                |
00007FFC424A28F | E8 C4380700            | CALL <framework.public: static int __cdecl |
00007FFC424A28F | A8 02                  | TEST AL,0x2                                |
00007FFC424A28F | 74 0A                  | JE framework.7FFC424A290A                  |
00007FFC424A290 | B8 02000000            | MOV EAX,0x2                                |
00007FFC424A290 | E9 21060000            | JMP framework.7FFC424A2F2B                 |
00007FFC424A290 | 48:8B4F 20             | MOV RCX,QWORD PTR DS:[RDI+0x20]            |
00007FFC424A290 | 48:85C9                | TEST RCX,RCX                               |
00007FFC424A291 | 74 10                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | 807F 28 00             | CMP BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A291 | 74 0A                  | JE framework.7FFC424A2923                  |
00007FFC424A291 | FF15 D94B0A00          | CALL QWORD PTR DS:[<public: void __cdecl Q |
00007FFC424A291 | C647 28 00             | MOV BYTE PTR DS:[RDI+0x28],0x0             |
00007FFC424A292 | 48:8D55 DF             | LEA RDX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A292 | 48:8BCB                | MOV RCX,RBX                                |
00007FFC424A292 | FF15 E84D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | 48:8D55 D7             | LEA RDX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A293 | 49:8BCD                | MOV RCX,R13                                |
00007FFC424A293 | FF15 DA4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A293 | 90                     | NOP                                        |
00007FFC424A293 | C645 CF 00             | MOV BYTE PTR SS:[RBP-0x31],0x0             |
00007FFC424A294 | 45:32E4                | XOR R12B,R12B                              |
00007FFC424A294 | 48:8D15 AB740A00       | LEA RDX,QWORD PTR DS:[0x7FFC42549DF8]      |
00007FFC424A294 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A295 | FF15 8A4D0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A295 | 41:BF 02000000         | MOV R15D,0x2                               | 》[Patch point 2] So the answer was right next door after all. Remember that we want ESI≠2? Since ESI=R15D, R15D≠2 is enough. That reasoning holds, right? Ha, I just like setting R15D=1, my choice...
00007FFC424A295 | 48:8B45 D7             | MOV RAX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A296 | 8378 04 00             | CMP DWORD PTR DS:[RAX+0x4],0x0             |
00007FFC424A296 | 75 08                  | JNE framework.7FFC424A296E                 |
00007FFC424A296 | 41:8BF7                | MOV ESI,R15D                               | 》*** See that? ESI is assigned here! (ESI=R15D at this point) *** So where is R15D assigned?
00007FFC424A296 | E9 7D050000            | JMP framework.7FFC424A2EEB                 | 》This big jump is the one we were looking for; remember that "Let's go"?
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
(several lines omitted here)
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2D6 | E9 83010000            | JMP framework.7FFC424A2EEB                 |
00007FFC424A2D6 | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
00007FFC424A2D7 | 45:33C9                | XOR R9D,R9D                                |
00007FFC424A2D7 | 4C:8D05 1EC90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F698]       | ds:[00007FFC4254F698]:"The registration code is invalid."
00007FFC424A2D7 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D7 | 48:8D0D 3B381200       | LEA RCX,QWORD PTR DS:[<public: static stru |
00007FFC424A2D8 | FF15 954A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D8 | 48:8D55 C7             | LEA RDX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D8 | 49:8BCE                | MOV RCX,R14                                |
00007FFC424A2D9 | FF15 484A0A00          | CALL QWORD PTR DS:[<public: class QString  |
00007FFC424A2D9 | 48:8D4D C7             | LEA RCX,QWORD PTR SS:[RBP-0x39]            |
00007FFC424A2D9 | FF15 56350A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2DA | 8B47 48                | MOV EAX,DWORD PTR DS:[RDI+0x48]            |
00007FFC424A2DA | 83F8 04                | CMP EAX,0x4                                |
00007FFC424A2DA | 75 09                  | JNE framework.7FFC424A2DB3                 |
00007FFC424A2DA | 4C:8D05 C7C80A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F678]       | ds:[00007FFC7409F678]:"The registration code expired."
00007FFC424A2DB | EB 0C                  | JMP framework.7FFC424A2DBF                 |
00007FFC424A2DB | 83F8 03                | CMP EAX,0x3                                |
00007FFC424A2DB | 75 3A                  | JNE framework.7FFC424A2DF2                 |
00007FFC424A2DB | 4C:8D05 01C90A00       | LEA R8,QWORD PTR DS:[0x7FFC4254F6C0]       | ds:[00007FFC4254F6C0]:"The registration code is forbidden."
00007FFC424A2DB | C74424 20 FFFFFFFF     | MOV DWORD PTR SS:[RSP+0x20],0xFFFFFFFF     |
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
(several lines omitted here)
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
00007FFC424A2EE | C647 28 01             | MOV BYTE PTR DS:[RDI+0x28],0x1             |
00007FFC424A2EE | 807D 7F 00             | CMP BYTE PTR SS:[RBP+0x7F],0x0             | 》Analysis shows that a big jmp lands here. Let's go, let's head over to that jmp and take a look!
00007FFC424A2EE | 75 15                  | JNE framework.7FFC424A2F06                 |
00007FFC424A2EF | 83FE 02                | CMP ESI,0x2                                | 》When ESI≠2, the jnz below is taken. Next, search upward for where ESI is assigned.
00007FFC424A2EF | 75 10                  | JNE framework.7FFC424A2F06                 | 》When this jump is taken, the shopping-cart and activation-key icons do not appear in the program's UI
00007FFC424A2EF | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2EF | 41:8BD7                | MOV EDX,R15D                               |
00007FFC424A2EF | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2EF | E8 FC300000            | CALL <framework.protected: void __cdecl Ak | 》This call handles license activation and the like
00007FFC424A2F0 | EB 0E                  | JMP framework.7FFC424A2F14                 |
00007FFC424A2F0 | 4D:8BC6                | MOV R8,R14                                 |
00007FFC424A2F0 | 8BD6                   | MOV EDX,ESI                                |
00007FFC424A2F0 | 48:8BCF                | MOV RCX,RDI                                |
00007FFC424A2F0 | E8 BD550700            | CALL <framework.public: void __cdecl AkCli |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D D7             | LEA RCX,QWORD PTR SS:[RBP-0x29]            |
00007FFC424A2F1 | FF15 DA330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F1 | 90                     | NOP                                        |
00007FFC424A2F1 | 48:8D4D DF             | LEA RCX,QWORD PTR SS:[RBP-0x21]            |
00007FFC424A2F2 | FF15 CF330A00          | CALL QWORD PTR DS:[<public: __cdecl QStrin |
00007FFC424A2F2 | 8BC6                   | MOV EAX,ESI                                |
00007FFC424A2F2 | 4C:8D9C24 90000000     | LEA R11,QWORD PTR SS:[RSP+0x90]            |
00007FFC424A2F3 | 49:8B5B 30             | MOV RBX,QWORD PTR DS:[R11+0x30]            |
00007FFC424A2F3 | 49:8B73 38             | MOV RSI,QWORD PTR DS:[R11+0x38]            |
00007FFC424A2F3 | 49:8B7B 40             | MOV RDI,QWORD PTR DS:[R11+0x40]            |
00007FFC424A2F3 | 49:8BE3                | MOV RSP,R11                                |
00007FFC424A2F4 | 41:5F                  | POP R15                                    |
00007FFC424A2F4 | 41:5E                  | POP R14                                    |
00007FFC424A2F4 | 41:5D                  | POP R13                                    |
00007FFC424A2F4 | 41:5C                  | POP R12                                    |
00007FFC424A2F4 | 5D                     | POP RBP                                    |
00007FFC424A2F4 | C3                     | RET                                        |

Read it a hundred times and the meaning reveals itself; just look carefully!

OP | speedboy posted on 2023-11-18 20:34
Last edited by speedboy on 2023-11-19 11:20

The finished program:

This is the analysis of the 64-bit program; the 32-bit one differs slightly.
(screenshot: 2023-11-18_201825.png)
ggmmr123 posted on 2023-11-18 21:22
yycvip posted on 2023-11-18 23:14
Looking up to the tech master, learned something.
雾都孤尔 posted on 2023-11-18 23:16
This is impressive, learning from it.
0xUYR7s posted on 2023-11-18 23:34
Looking up to the tech master, learned something.
wanzm posted on 2023-11-19 08:42
Learning, learning.
dragontiger posted on 2023-11-19 09:18
Thorough analysis, learned something.
sam喵喵 posted on 2023-11-19 10:12
Thanks for sharing, boss. After repair, how much do the video quality and size improve?
dragontiger posted on 2023-11-19 11:29
Good software, I'll try repairing a video.