PilotEdit_x64_19.7.0 补丁问题

shieep

PilotEdit_x64_19.7.0
破解很容易，在x64dbg中改了代码，软件破解成功后，可以正常运行，打开文件
把程序直接补丁，或者创建劫持DLL，可以正常运行，打开文件就会报错。
但是如果创建个loader，，可以正常运行，打开文件。很奇怪。
使用baymax工具创建的，第一次见这种的

爱飞的猫

程序有自校验，也会检查程序目录下是否存在 winmm.dll。校验不通过就会触发暗桩。你可以试着分析一下（提示：后者断 GetFileAttributesW 看 rcx）。

解决方案：换个 dll 来劫持，或干掉检测。

---

或者直接硬刚文件自校验，对 exe 打补丁。

首先在 exe 替换公钥（PilotEdit.exe+811CE0 处）：

30819D300D06092A864886F70D010101050003818B00308187028181008BF8E3EB435F355159AEB633867A53454EDC4A9D4409976E465155D713DE8E32BF1B839ED0C28C11B4A3853E881D359E42A48FF61C1EE28EC3C9511603A710478561E8FECA6637E663F0E6150F23926C2066F23181A6AD734DB6CE2A8CB6A739C70C83D07CE8062FBB1625618C363B6A0BBB1D2EAFD13B70665F8A3EBAF7839B020111

※ 这个新的公钥不会触发文件校验暗桩

然后使用下述信息注册：

用户名: afdm@52pojie
序列号:
  695A4C6B944C6CD7761AF49EFFD15970D91A9E2D
  C381361AB222FABFFCC20AB78BFEF6041FC249D6
  68872F1FE998CEA0D3A2D3D6842B8766386142A8
  D17D50EB5624ECAC2384C84278F6ECA3B0633293
  4AF33AB0ACE4F99119CCCF3BE5F5BBB40036E154
  3E98FA7D9951C1CAF2638EBAECD37DBB7DE67515
  88552264895120E6

没测试有没有别的暗桩，只看了下能正常打开文件。

zixuan203344

替换成功，感谢版主

chishingchan

编辑器，我还是首先 EditPlus。因为这个软件的 宏（键盘记录操作） 太好用了！

chishingchan

爱飞的猫 发表于 2025-3-23 02:40
[md]程序有自校验，也会检查程序目录下是否存在 `winmm.dll`。校验不通过就会触发暗桩。你可以试着分析一下 ...

PilotEdit-Pro.vbs

[Visual Basic] 纯文本查看 复制代码

Set ado_stream = CreateObject("ADODB.Stream")
        ado_stream.Type = 1
        ado_stream.open
        ado_stream.LoadFromFile "PilotEdit.exe"
        ado_stream.position = 8461536
        ado_stream.Write HexToByte("30819D300D06092A864886F70D010101050003818B00308187028181008BF8E3EB435F355159AEB633867A53454EDC4A9D4409976E465155D713DE8E32BF1B839ED0C28C11B4A3853E881D359E42A48FF61C1EE28EC3C9511603A710478561E8FECA6637E663F0E6150F23926C2066F23181A6AD734DB6CE2A8CB6A739C70C83D07CE8062FBB1625618C363B6A0BBB1D2EAFD13B70665F8A3EBAF7839B020111")
        ado_stream.SaveToFile "PilotEdit.exe", 2
        ado_stream.Close
Set ado_stream = Nothing

Function HexToByte(hexStr)
        Set xmldom = Wscript.CreateObject("Microsoft.XMLDOM")
        Set byteObj= xmldom.createElement("byteObj")
        byteObj.dataType = "bin.hex"
        byteObj.nodeTypedValue = hexStr
        HexToByte=byteObj.nodeTypedValue
End Function

chishingchan

[Visual Basic] 纯文本查看 复制代码

Set ado_stream = CreateObject("ADODB.Stream")
        ado_stream.Type = 1
        ado_stream.open
        ado_stream.LoadFromFile "PilotEdit,2.exe"
        ado_stream.position = 8461536
        ado_stream.Write HexToByte("3330383139443330304430363039324138363438383646373044303130313031303530303033383138423030333038313837303238313831303038424638453345423433354633353531353941454236333338363741353334353445444334413944343430393937364534363531353544373133444538453332424631423833394544304332384331314234413338353345383831443335394534324134384646363143314545323845433343393531313630334137313034373835363145384645434136363337453636334630453631353046323339323643323036364632333138314136414437333444423643453241384342364137333943373043383344303743453830363246424231363235363138433336334236413042424231443245414644313342373036363546384133454241463738333942303230313131")
        ado_stream.SaveToFile "PilotEdit.exe", 2
        ado_stream.Close
Set ado_stream = Nothing

Function HexToByte(hexStr)
        Set xmldom = Wscript.CreateObject("Microsoft.XMLDOM")
        Set byteObj= xmldom.createElement("byteObj")
        byteObj.dataType = "bin.hex"
        byteObj.nodeTypedValue = hexStr
        HexToByte=byteObj.nodeTypedValue
End Function

be1ieveme

居然在这里看到这款软件了，这款编辑器我购买了正版授权

shieep

爱飞的猫 发表于 2025-3-23 02:40
[md]程序有自校验，也会检查程序目录下是否存在 `winmm.dll`。校验不通过就会触发暗桩。你可以试着分析一下 ...

厉害，我最后也发现了，找到检验这个位置 `winmm.dll`，破解掉，用winmm.DLL hijiac破解了。程序的自检验，找了半天没找到。

shieep

爱飞的猫 发表于 2025-3-23 02:40
[md]程序有自校验，也会检查程序目录下是否存在 `winmm.dll`。校验不通过就会触发暗桩。你可以试着分析一下 ...

winmm.dll是拼接起来的，所以直接搜不到。

[Asm] 纯文本查看 复制代码

0000000140534A75 | 4C:8D05 ACD12B00         | lea r8,qword ptr ds:[1407F1C28]                 | 00000001407F1C28:L"\\win"
0000000140534A7C | BA 1A040000              | mov edx,41A                                     |
0000000140534A81 | 48:8D8C24 D0000000       | lea rcx,qword ptr ss:[rsp+D0]                   |
0000000140534A89 | E8 9AC2B7FF              | call pilotedit.1400B0D28                        |
0000000140534A8E | 4C:8D05 A3D12B00         | lea r8,qword ptr ds:[1407F1C38]                 | 00000001407F1C38:L"mm.d"
0000000140534A95 | BA 1A040000              | mov edx,41A                                     |
0000000140534A9A | 48:8D8C24 D0000000       | lea rcx,qword ptr ss:[rsp+D0]                   |
0000000140534AA2 | E8 81C2B7FF              | call pilotedit.1400B0D28                        |
0000000140534AA7 | 4C:8D05 96D12B00         | lea r8,qword ptr ds:[1407F1C44]                 | 00000001407F1C44:L"ll"

move

[Python] 纯文本查看 复制代码

import os
import shutil

def hex_to_bytes(hex_str):
    return bytes.fromhex(hex_str)

def read_binary_file(file_path, offset, size):
    with open(file_path, 'rb') as file:  # 以二进制模式打开文件
        file.seek(offset)  # 定位到指定偏移量
        data = file.read(size)  # 读取指定大小的字节数据
    return data


def backup_file(file_path):
    backup_path = file_path + ".bak"
    shutil.copy2(file_path, backup_path)
    print(f"文件已备份到：{backup_path}")

def modify_binary_file(file_path, offset, original_hex, modified_hex):
    if not os.path.exists(file_path):
        print(f"Didn't find {file_path}, skipping patch generation")
        return

    # 计算需要读取的字节数
    size = len(original_hex) // 2

    # 读取文件的指定偏移量数据
    data = read_binary_file(file_path, offset, size)
    print(f"读取到的数据（原始字节）：{data}")    
    print(f"读取到的数据（原始十六进制）：{data.hex()}")
    
    text = data.decode('utf-8')

    if data.find(bytes.fromhex(modified_hex)) != -1:
        print(f"{file_path} 已经修补了：)")
        print(f"偏移地址：0x{offset} 大小：{size}")
        return
    
    if data.find(bytes.fromhex(original_hex)) == -1:
        print(f"{file_path} 无法匹配到数据：)")
        print(f"偏移地址：0x{offset} 大小：{size}")
        return
    

    print(f"原始字节匹配成功，正在修补文件...")
    print(f"偏移地址：0x{offset} 大小：{size}")
        
    # 备份文件
    backup_file(file_path)
    
    # 修改数据
    # 将十六进制字符串转换为字节数据
    byte_data = hex_to_bytes(modified_hex)

    # 打开文件并修改指定位置
    with open(file_path, 'r+b') as file:
        file.seek(offset)  # 定位到指定偏移量
        file.write(byte_data)  # 写入字节数据

    print(f"修改后的数据（字节）：{modified_hex}")
    print(f"文件修改完成！")      
        

# 文件路径
file_path = "PilotEdit.exe"
# 偏移量
offset = int("811CE0", 16)  # 将十六进制偏移量转换为十进制

# 原始字节和修改字节
original_str = "30819D300D06092A864886F70D010101050003818B0030818702818100B163741C37A823BC53F624DCCBD465554FACAEAE91D640FE7BB4642124E92613C1FD4B930A7A386F062E5A42DBE4425AA18E1ABA301CD9550C59787387745C8569FC7F4114DE5E209BAB232FAC903CB1832497214DCE43E2AC91289AACE353C370C9C8598B6D1DFB6A5038444254D6280B490770B637C63E5346FD9837775955020111"
original_hex = "3330383139443330304430363039324138363438383646373044303130313031303530303033383138423030333038313837303238313831303042313633373431433337413832334243353346363234444343424434363535353446414341454145393144363430464537424234363432313234453932363133433146443442393330413741333836463036324535413432444245343432354141313845314142413330314344393535304335393738373338373734354338353639464337463431313444453545323039424142323332464143393033434231383332343937323134444345343345324143393132383941414345333533433337304339433835393842364431444642364135303338343434323534443632383042343930373730423633374336334535333436464439383337373735393535303230313131"
modified_str = "30819D300D06092A864886F70D010101050003818B00308187028181008BF8E3EB435F355159AEB633867A53454EDC4A9D4409976E465155D713DE8E32BF1B839ED0C28C11B4A3853E881D359E42A48FF61C1EE28EC3C9511603A710478561E8FECA6637E663F0E6150F23926C2066F23181A6AD734DB6CE2A8CB6A739C70C83D07CE8062FBB1625618C363B6A0BBB1D2EAFD13B70665F8A3EBAF7839B020111"
modified_hex = "3330383139443330304430363039324138363438383646373044303130313031303530303033383138423030333038313837303238313831303038424638453345423433354633353531353941454236333338363741353334353445444334413944343430393937364534363531353544373133444538453332424631423833394544304332384331314234413338353345383831443335394534324134384646363143314545323845433343393531313630334137313034373835363145384645434136363337453636334630453631353046323339323643323036364632333138314136414437333444423643453241384342364137333943373043383344303743453830363246424231363235363138433336334236413042424231443245414644313342373036363546384133454241463738333942303230313131"

print(f"/================================")
print(f"用户名: afdm@52pojie")
print(f"序列号: 695A4C6B944C6CD7761AF49EFFD15970D91A9E2DC381361AB222FABFFCC20AB78BFEF6041FC249D668872F1FE998CEA0D3A2D3D6842B8766386142A8D17D50EB5624ECAC2384C84278F6ECA3B06332934AF33AB0ACE4F99119CCCF3BE5F5BBB40036E1543E98FA7D9951C1CAF2638EBAECD37DBB7DE6751588552264895120E6")      
print(f"/================================")

# 修补文件
modify_binary_file(file_path, offset, original_hex, modified_hex)