00007FF7974B4D41 | 4C:8D05 505B3000 | lea r8,qword ptr ds:[7FF7977BA898] | 00007FF7977BA898:L"initStartup"
跟过去看了一下,发现这里了有很多个跳转,进过我的尝试,发现前面有一堆计算都跳转到了下面的一个CALL中,具体代码见下面:
00007FF7974B4CC9 | 75 23 | jne acad.7FF7974B4CEE |
00007FF7974B4CCB | 40:387424 50 | cmp byte ptr ss:[rsp+50],sil |
00007FF7974B4CD0 | 75 1C | jne acad.7FF7974B4CEE |
00007FF7974B4CD2 | FF15 18D12D00 | call qword ptr ds:[<&?theApp@AcApAppImp@@SAPEAV1@XZ>] |
00007FF7974B4CD8 | 48:8BC8 | mov rcx,rax |
00007FF7974B4CDB | FF15 EFCB2D00 | call qword ptr ds:[<&?initParamsImp@AcApAppImp@@QEAAAEAV |
00007FF7974B4CE1 | 48:8B40 28 | mov rax,qword ptr ds:[rax+28] |
00007FF7974B4CE5 | 66:3930 | cmp word ptr ds:[rax],si |
00007FF7974B4CE8 | 0F84 F44F0600 | je acad.7FF797519CE2 |
00007FF7974B4CEE | 41:38B6 68060000 | cmp byte ptr ds:[r14+668],sil |
00007FF7974B4CF5 | 75 65 | jne acad.7FF7974B4D5C |
00007FF7974B4CF7 | 40:3835 B3BF4600 | cmp byte ptr ds:[7FF797920CB1],sil |
00007FF7974B4CFE | 75 5C | jne acad.7FF7974B4D5C |
00007FF7974B4D00 | 40:387424 54 | cmp byte ptr ss:[rsp+54],sil |
00007FF7974B4D05 | 74 55 | je acad.7FF7974B4D5C |
00007FF7974B4D07 | 48:8D0D BAF62E00 | lea rcx,qword ptr ds:[7FF7977A43C8] | 00007FF7977A43C8:L"AcAutoLoader"
00007FF7974B4D0E | FF15 9CD62D00 | call qword ptr ds:[<&?acrxServiceIsRegistered@@YA_NPEB_W |
00007FF7974B4D14 | 84C0 | test al,al |
00007FF7974B4D16 | 74 44 | je acad.7FF7974B4D5C |
00007FF7974B4D18 | FF15 02972D00 | call qword ptr ds:[<&acrxSysRegistry>] |
00007FF7974B4D1E | 48:8B08 | mov rcx,qword ptr ds:[rax] |
00007FF7974B4D21 | 4C:8B41 40 | mov r8,qword ptr ds:[rcx+40] |
00007FF7974B4D25 | 48:8D15 7CF62E00 | lea rdx,qword ptr ds:[7FF7977A43A8] | 00007FF7977A43A8:L"DynamicLinker"
00007FF7974B4D2C | 48:8BC8 | mov rcx,rax |
00007FF7974B4D2F | 41:FFD0 | call r8 |
00007FF7974B4D32 | 48:8BC8 | mov rcx,rax |
00007FF7974B4D35 | E8 C2010000 | call acad.7FF7974B4EFC |
00007FF7974B4D3A | 48:8B08 | mov rcx,qword ptr ds:[rax] |
00007FF7974B4D3D | 4C:8B49 38 | mov r9,qword ptr ds:[rcx+38] |
00007FF7974B4D41 | 4C:8D05 505B3000 | lea r8,qword ptr ds:[7FF7977BA898] | 00007FF7977BA898:L"initStartup"这里时候我们搜索到的初始化启动位置
00007FF7974B4D48 | 48:8D15 79F62E00 | lea rdx,qword ptr ds:[7FF7977A43C8] | 00007FF7977A43C8:L"AcAutoLoader"
00007FF7974B4D4F | 48:8BC8 | mov rcx,rax |
00007FF7974B4D52 | 41:FFD1 | call r9 |
00007FF7974B4D55 | 48:85C0 | test rax,rax |
00007FF7974B4D58 | 74 02 | je acad.7FF7974B4D5C |
00007FF7974B4D5A | FFD0 | call rax |
00007FF7974B4D5C | 40:3835 79A84600 | cmp byte ptr ds:[7FF79791F5DC],sil |
00007FF7974B4D63 | 75 27 | jne acad.7FF7974B4D8C |
00007FF7974B4D65 | 48:8D0D 7C483000 | lea rcx,qword ptr ds:[7FF7977B95E8] | 00007FF7977B95E8:L"WM_AcSendWBHMessage"
00007FF7974B4D6C | FF15 5E8C2D00 | call qword ptr ds:[<&RegisterClipboardFormatW>] |
00007FF7974B4D72 | 8905 60A84600 | mov dword ptr ds:[7FF79791F5D8],eax |
00007FF7974B4D78 | 48:8D0D 61150200 | lea rcx,qword ptr ds:[7FF7974D62E0] |
00007FF7974B4D7F | FF15 B3B82D00 | call qword ptr ds:[<&?acedRegisterFilterWinMsg@@YA_NQ6A_ |
00007FF7974B4D85 | 44:883D 50A84600 | mov byte ptr ds:[7FF79791F5DC],r15b |
00007FF7974B4D8C | E8 67FB0100 | call acad.7FF7974D48F8 | 登录窗口
00007FF7974B4D91 | E8 D6910300 | call acad.7FF7974EDF6C |
00007FF7974B4D96 | 84C0 | test al,al |
00007FF7974B4D98 | 0F85 4F4F0600 | jne acad.7FF797519CED |
00007FF7974B4D9E | 49:8D8E B8010000 | lea rcx,qword ptr ds:[r14+1B8] |
00007FF7974B4DA5 | FF15 45342E00 | call qword ptr ds:[<&Ordinal#7893>] |
00007FF7974B4DAB | 84C0 | test al,al |
00007FF7974B4DAD | 74 05 | je acad.7FF7974B4DB4 |
00007FF7974B4DAF | E8 B0C80300 | call acad.7FF7974F1664 |
00007FF7974B4DB4 | FF15 7ECF2D00 | call qword ptr ds:[<&?instance@AcInCanvasToolbarUIServic |
00007FF7974B4DBA | 48:8D15 2F524500 | lea rdx,qword ptr ds:[7FF797909FF0] |
00007FF7974B4DC1 | 48:8BC8 | mov rcx,rax |
00007FF7974B4DC4 | FF15 76CF2D00 | call qword ptr ds:[<&?setUIHost@AcInCanvasToolbarUIServi |
00007FF7974B4DCA | 90 | nop |
00007FF7974B4DCB | 48:8D8C24 F8010000 | lea rcx,qword ptr ss:[rsp+1F8] |
00007FF7974B4DD3 | FF15 97FB2D00 | call qword ptr ds:[<&??1CAdUiRegistryDeleteAccess@@UEAA@ |
00007FF7974B4DD9 | 90 | nop |
00007FF7974B4DDA | 48:8D8C24 80010000 | lea rcx,qword ptr ss:[rsp+180] |
感觉代码不好看的,就看截图,有跳转的逻辑要好看一点,
我想着如果不要我输入系列号,不就可以了吗?我就直接把这个CALL给nop掉试试,然后修补文件后运行试试,结果决然可以使用了,没有弹出需要注册的窗口,接下来,我都把工作做完了,也没有什么异常的地方,功能完全正常。我觉得现在大公司的软件注册就是意思意思,不像那些搞辅助的,六亲不认呀。
好了,谢谢大家耐心观看,补丁制作很简单,我就不演示了。
===================================================================================
今天到了公司,立马安装了CAD2025,同样的方法试一下,前面有CAD2023的破解基础,重复的我就不说了,我直接按照上次搜索到的特征字符串“initStartup”这里去看一看。
在上图可以看到,在2025跳转的这里不再是call了,变成了下面的代码:
00007FF7F1967260 | 75 27 | jne acad.7FF7F1967289 |
00007FF7F1967262 | 48:8D0D B7133200 | lea rcx,qword ptr ds:[7FF7F1C88620] | 00007FF7F1C88620:L"WM_AcSendWBHMessage"
00007FF7F1967269 | FF15 017A2F00 | call qword ptr ds:[<&RegisterClipboardFormatW>] |
00007FF7F196726F | 8905 D7084900 | mov dword ptr ds:[7FF7F1DF7B4C],eax |
00007FF7F1967275 | 48:8D0D A0A30100 | lea rcx,qword ptr ds:[7FF7F198161C] |
00007FF7F196727C | FF15 5EA62F00 | call qword ptr ds:[<&?acedRegisterFilterWinMsg@@YA_NQ6A_ |
00007FF7F1967282 | 44:883D C0084900 | mov byte ptr ds:[7FF7F1DF7B49],r15b |
00007FF7F1967289 | 48:8B05 F82C4900 | mov rax,qword ptr ds:[7FF7F1DF9F88] |
00007FF7F1967290 | 48:8B18 | mov rbx,qword ptr ds:[rax] |
00007FF7F1967293 | E8 9CCB0100 | call acad.7FF7F1983E34 |
00007FF7F1967298 | 48:85DB | test rbx,rbx |
这段代码首先从固定地址读取一个64位的值到RAX寄存器,然后通过这个值(作为地址)从内存中读取另一个64位的值到RBX寄存器,最后调用call acad.7FF7F1983E34这个函数,没事,我们跟进去这个CALL中一看究竟。
进来后我们看到,这里有一个“AcGetlicenseUI”,这里就是安装了许可UI,在段首运行call acad.7FF7F19843F0后,接下来有test al, al ,这个汇编语句是主要用于测试和设置标志位,但是不改变 al 的值。既然这样,我们直接把那么我们直接把[backcolor=rgba(27, 31, 35, 0.05)]test al, al修改为xor [backcolor=rgba(27, 31, 35, 0.05)]al, al。
[backcolor=rgba(27, 31, 35, 0.05)]这样一来,我们就把寄存器清零了,接下来的 jne acad.7FF7F19D00AC跳转就不会实现,这样就完成了破解,当然,把JNE修改成JMP也同样能达到效果。当然我是选择修改较少的方案,84→32,下面看运行截图吧,不然又有人说没有成功使用的截图。要做补丁的,直接上数据“>acad.exe 0000000000063E69:84->32”。
其实方法都差不多,大家也可以试一试。好了,开始搬砖了。谢谢大家观看!!
注:若转载请注明大神论坛来源(本贴地址)与作者信息。
发表于 2024-06-15 21:27
评分
顶
踩
扫码赞助