This post was last edited by modao on 2023-11-05 16:46.
The patches released by the 0day group are all VMProtect-packed, which makes them useless for beginners like us who want to compare and learn from them. So here is a simple crack log; the method is not the most elegant, but it can serve as a basis for discussion.

Step 1: Running the software brings up a registration window. Entering any registration code and confirming produces the string "Invalid registration code. Please try again - ...", so we open x64dbg and load and run the program.
Step 2: In x64dbg, search for the string "Invalid registration code.". Double-clicking the hit lands in the disassembly window (addresses and symbol names are truncated as they were captured):

00007FF747D1EA1 | 40:55 | PUSH RBP |
00007FF747D1EA1 | 53 | PUSH RBX |
00007FF747D1EA1 | 56 | PUSH RSI |
00007FF747D1EA1 | 57 | PUSH RDI |
00007FF747D1EA1 | 41:56 | PUSH R14 |
00007FF747D1EA1 | 41:57 | PUSH R15 |
00007FF747D1EA1 | 48:8BEC | MOV RBP,RSP |
00007FF747D1EA1 | 48:83EC 38 | SUB RSP,0x38 |
00007FF747D1EA2 | 48:8BF9 | MOV RDI,RCX |
00007FF747D1EA2 | 0F297C24 20 | MOVAPS XMMWORD PTR SS:[RSP+0x20] |
00007FF747D1EA2 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EA2 | FF15 AE003000 | CALL QWORD PTR DS:[<public: __cd |
00007FF747D1EA3 | 48:8B87 80000000 | MOV RAX,QWORD PTR DS:[RDI+0x80] |
00007FF747D1EA3 | 45:32FF | XOR R15B,R15B |
00007FF747D1EA3 | 8B98 F0000000 | MOV EBX,DWORD PTR DS:[RAX+0xF0] |
00007FF747D1EA4 | 83FB 06 | CMP EBX,0x6 |
00007FF747D1EA4 | 74 1C | JE camerabag pro.7FF747D1EA63 |
00007FF747D1EA4 | 44:38B8 18010000 | CMP BYTE PTR DS:[RAX+0x118],R15B |
00007FF747D1EA4 | 75 13 | JNE camerabag pro.7FF747D1EA63 |
00007FF747D1EA5 | 48:8B4F 58 | MOV RCX,QWORD PTR DS:[RDI+0x58] |
00007FF747D1EA5 | 48:8D97 C0000000 | LEA RDX,QWORD PTR DS:[RDI+0xC0] |
00007FF747D1EA5 | FF15 670A3000 | CALL QWORD PTR DS:[<public: void |
00007FF747D1EA6 | EB 14 | JMP camerabag pro.7FF747D1EA77 |
00007FF747D1EA6 | 48:8B4F 58 | MOV RCX,QWORD PTR DS:[RDI+0x58] |
00007FF747D1EA6 | 48:8D97 C8000000 | LEA RDX,QWORD PTR DS:[RDI+0xC8] |
00007FF747D1EA6 | FF15 540A3000 | CALL QWORD PTR DS:[<public: void |
00007FF747D1EA7 | 41:B7 01 | MOV R15B,0x1 |
00007FF747D1EA7 | 48:8B87 80000000 | MOV RAX,QWORD PTR DS:[RDI+0x80] |
00007FF747D1EA7 | 0F57C0 | XORPS XMM0,XMM0 |
00007FF747D1EA8 | F248:0F2A40 78 | CVTSI2SD XMM0,QWORD PTR DS:[RAX+ |
00007FF747D1EA8 | 48:8D90 20010000 | LEA RDX,QWORD PTR DS:[RAX+0x120] |
00007FF747D1EA8 | F2:0F5905 FAF2A201 | MULSD XMM0,QWORD PTR DS:[0x7FF74 |
00007FF747D1EA9 | 66:0F5AC0 | CVTPD2PS XMM0,XMM0 |
00007FF747D1EA9 | F3:0F1187 98000000 | MOVSS DWORD PTR DS:[RDI+0x98],XM |
00007FF747D1EAA | 48:837A 18 10 | CMP QWORD PTR DS:[RDX+0x18],0x10 |
00007FF747D1EAA | 72 03 | JB camerabag pro.7FF747D1EAAC |
00007FF747D1EAA | 48:8B12 | MOV RDX,QWORD PTR DS:[RDX] |
00007FF747D1EAA | 41:B8 FFFFFFFF | MOV R8D,0xFFFFFFFF |
00007FF747D1EAB | 48:8D4D 48 | LEA RCX,QWORD PTR SS:[RBP+0x48] |
00007FF747D1EAB | FF15 DCFD2F00 | CALL QWORD PTR DS:[<public: stat |
00007FF747D1EAB | 48:8D55 48 | LEA RDX,QWORD PTR SS:[RBP+0x48] |
00007FF747D1EAC | 48:8D8F 90000000 | LEA RCX,QWORD PTR DS:[RDI+0x90] |
00007FF747D1EAC | FF15 ABFD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EAC | 48:8D4D 48 | LEA RCX,QWORD PTR SS:[RBP+0x48] |
00007FF747D1EAD | FF15 99003000 | CALL QWORD PTR DS:[<public: __cd |
00007FF747D1EAD | 80BF EC000000 00 | CMP BYTE PTR DS:[RDI+0xEC],0x0 |
00007FF747D1EAD | 0F57FF | XORPS XMM7,XMM7 |
00007FF747D1EAE | 0F84 9F000000 | JE camerabag pro.7FF747D1EB86 |
00007FF747D1EAE | 83FB 05 | CMP EBX,0x5 |
00007FF747D1EAE | 74 05 | JE camerabag pro.7FF747D1EAF1 |
00007FF747D1EAE | 83FB 02 | CMP EBX,0x2 |
00007FF747D1EAE | 75 11 | JNE camerabag pro.7FF747D1EB02 |
00007FF747D1EAF | 48:8D15 D833A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731ED0]:"Registration successful! Enjoy!"
00007FF747D1EAF | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EAF | FF15 9EFD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB0 | 83FB 01 | CMP EBX,0x1 |
00007FF747D1EB0 | 75 16 | JNE camerabag pro.7FF747D1EB1D |
00007FF747D1EB0 | 48:8D15 E233A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731EF0]:"Validating registration code..."
00007FF747D1EB0 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EB1 | FF15 88FD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB1 | E9 F3010000 | JMP camerabag pro.7FF747D1ED10 |
00007FF747D1EB1 | 83FB 06 | CMP EBX,0x6 |
00007FF747D1EB2 | 75 16 | JNE camerabag pro.7FF747D1EB38 |
00007FF747D1EB2 | 48:8D15 E733A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731F10]:"This code is only valid for a previous version of this software. Please upgrade your license using the button below in order to use this version."
00007FF747D1EB2 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EB2 | FF15 6DFD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB3 | E9 D8010000 | JMP camerabag pro.7FF747D1ED10 |
00007FF747D1EB3 | 83FB 03 | CMP EBX,0x3 |
00007FF747D1EB3 | 75 16 | JNE camerabag pro.7FF747D1EB53 |
00007FF747D1EB3 | 48:8D15 2C36A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749732170]:"Unable to validate registration. Please make sure your computer is connected to the internet. If the problem persists please contact us at support@nevercenter.com"
00007FF747D1EB4 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EB4 | FF15 52FD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB4 | E9 BD010000 | JMP camerabag pro.7FF747D1ED10 |
00007FF747D1EB5 | 83FB 04 | CMP EBX,0x4 |
00007FF747D1EB5 | 0F85 B4010000 | JNE camerabag pro.7FF747D1ED10 |
00007FF747D1EB5 | 48:8D15 0DA23B00 | LEA RDX,QWORD PTR DS:[0x7FF7480D |
00007FF747D1EB6 | 48:8D8F 90000000 | LEA RCX,QWORD PTR DS:[RDI+0x90] |
00007FF747D1EB6 | FF15 30FD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB7 | 48:8D15 A936A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749732220]:"Invalid registration code. Please try again - copy and paste the code from your registration email to ensure accuracy. If the problem persists please contact us at support@nevercenter.com"
Analyzing upward, we can see "Registration successful! Enjoy!". Isn't that the registration-success message? The line above it is a jne; as long as that jump is not taken, the success message appears. Above that is a comparison, CMP EBX,0x2. Taken together, these two lines mean: as long as EBX = 2, the jne will not jump. Good, now let's keep going upward to see where EBX is assigned. We quickly find MOV EBX,DWORD PTR DS:[RAX+0xF0]; in other words, it is enough to change this to MOV EBX,2 (this can be regarded as patch point 1).
Step 3: Still in this same code region, above "CMP EBX,0x2" there are two more je/cmp pairs; the key one is the topmost, "CMP BYTE PTR DS:[RDI+0xEC],0x0". When the value at DS:[RDI+0xEC] is 1, the je below it does not jump. So right-click on it, choose Find references, then Constant, and look for the places that assign 0 to DS:[XXX+0xEC]. There are three:

00007FF747D1DE07 mov byte ptr ds:[rcx+EC],0
00007FF747D1E1AF mov byte ptr ds:[rcx+EC],0
00007FF747D1E270 mov byte ptr ds:[rcx+EC],0
Change the 0 in each of these three assignments to 1 (this can be regarded as patch point 2).
Step 4: With the above done, run the patched program. Clicking "Dismiss" on the startup screen terminates the program, so evidently there is another key location. Starting the analysis again and following the code downward from 00007FF6B8C2DE0 MOV BYTE PTR DS:[RCX+0xEC],0x0, we find a call to the exit function, 00007FF6B8C2DE3 CALL QWORD PTR DS:[<exit>]. Above it is a je, and above that the cmp it depends on, 00007FF6B8C2DE2 CMP BYTE PTR DS:[RCX+0x9C],0x0. Clearly, as long as DS:[RCX+0x9C] = 0 the je is taken. So right-click on this cmp, choose Find references, then Constant, and look for the statements that assign 1 to DS:[XXX+0x9C]. There are four:

MOV BYTE PTR DS:[RCX+0x9C],0x1
MOV BYTE PTR DS:[RAX+0x9C],0x1
MOV BYTE PTR DS:[RBX+0x9C],0x1
MOV DWORD PTR DS:[RAX+0x9C],0x1
Step-by-step analysis shows that MOV BYTE PTR DS:[RAX+0x9C],0x1 is the one we want; assign the value 1 at this location (regarded as patch point 3). Anyone interested can try them one by one and it will become clear.
The finished program:
Note: if you repost this, please credit the source (大神论坛, with this thread's URL) and the author.