AB Commander+爆破+过网络+自校验+大白补丁的综合运用
本帖最后由 冥界3大法王 于 2020-2-1 23:33 编辑AB Commander一款类似于TC的资源管理器
多年来非凡论坛有一牛人,但凡这个软件一更新,这哥们就发破解求助贴,数年来孜孜不倦。
或许是作者也了解到了这一情况,于是乎就有了下面的故事。
在其官方鼗其下载回来:http://files.winability.com/ABCommander-20.1.1-setup.exe
软件会根据系统不同,安装不同的版本x86/x64 所对应的EXE/DLL
网上搜索下不难发现该软件的注册机。
经一坛友 martin325说,该软件有假注册行为+联网+退出暗桩(具体表现为command->split->Cancel , View>option>save 就会弹出一个框)
点是,让你联网注册; 点否,直接退出。
先用注册机注册下:
然后注册表里用RegWorkshop随便看看,就发现了以下信息
Windows Registry Editor Version 5.00
"Result"="96C44282908B1126413081D9D512D986892C6B091A4B5571CE2FB2EEA33CCCB5CEEC85F46CF438CC69051A6329B8FD23AB30A12F5A4D7A2DEC550D40087E8417520F932B2031B58382BC0DCE983F225AFDF15860F19633F2256B86D47448687CCFEC043446F2162DE41E561E1014194BE8403FEC11A441BA0CE42C55EF8498E2"
"Info"="435549435549-38-53353139393936363839303938373635"
接下来打开X64dbg战斗开始:
首先,我们点关于,注册,触发!成功断下!来到下面!
点到这里!
出来之后,来到这里
看看前后走势,不难发现位于注册码读取区间
00007FF898DB8E10 <ab | 48: | mov qword ptr ss:,rbx |
00007FF898DB8E15 | 48: | mov qword ptr ss:,rsi |
00007FF898DB8E1A | 57| push rdi |
00007FF898DB8E1B | 48: | sub rsp,30 |
00007FF898DB8E1F | 48: | mov rbx,rcx | rcx:L"CUICUI"
00007FF898DB8E22 | C74 | mov dword ptr ss:,5471 |
00007FF898DB8E2A | 48: | add rcx,1CC | rcx:L"CUICUI"
00007FF898DB8E31 | C74 | mov dword ptr ss:,5470 |
00007FF898DB8E39 | 41: | mov r9d,546F |
00007FF898DB8E3F | 48: | mov rdx,qword ptr ds: |
00007FF898DB8E43 | 4C: | lea r8,qword ptr ds: |
00007FF898DB8E4A | E8| call <abc64.?RCDlg_ProcessEnter@@YAHPEAV |
00007FF898DB8E4F | 83B | cmp dword ptr ds:,0 |
00007FF898DB8E56 | 8BF | mov esi,eax |
00007FF898DB8E58 | 74| je abc64.7FF898DB8E62 |
00007FF898DB8E5A | 48: | mov rcx,rbx | rcx:L"CUICUI"
00007FF898DB8E5D | E8| call <abc64.sub_7FF898DB9990> |
00007FF898DB8E62 | 85F | test esi,esi |
00007FF898DB8E64 | 75| jne abc64.7FF898DB8E78 |
00007FF898DB8E66 | 33C | xor eax,eax |
00007FF898DB8E68 | 48: | mov rbx,qword ptr ss: |
00007FF898DB8E6D | 48: | mov rsi,qword ptr ss: |
00007FF898DB8E72 | 48: | add rsp,30 |
00007FF898DB8E76 | 5F| pop rdi |
00007FF898DB8E77 | C3| ret |
00007FF898DB8E78 | 48: | mov rcx,rbx | rcx:L"CUICUI"
00007FF898DB8E7B | C78 | mov dword ptr ds:,1 |
00007FF898DB8E85 | 48: | mov rbx,qword ptr ss: |
00007FF898DB8E8A | 48: | mov rsi,qword ptr ss: |
00007FF898DB8E8F | 48: | add rsp,30 |
00007FF898DB8E93 | 5F| pop rdi |
00007FF898DB8E94 | E9| jmp <abc64.?OnOK@CSDlg@@UEAA_JXZ> |
00007FF898D9CBD0 <ab | 48: | mov qword ptr ss:,rbx | AAAAAAAAAAAAAAAAAAAAAA
00007FF898D9CBD5 | 48: | mov qword ptr ss:,rsi |
00007FF898D9CBDA | 57| push rdi |
00007FF898D9CBDB | 48: | sub rsp,20 |
00007FF898D9CBDF | 49: | mov rbx,r8 |
00007FF898D9CBE2 | 8BF | mov edi,edx |
00007FF898D9CBE4 | 48: | mov rsi,rcx |
00007FF898D9CBE7 | 41: | mov eax,r8d |
00007FF898D9CBEA | C1E | shr eax,10 |
00007FF898D9CBED | 66: | dec ax |
00007FF898D9CBF0 | B9| mov ecx,FFFD |
00007FF898D9CBF5 | 66: | cmp ax,cx |
00007FF898D9CBF8 | 77| ja abc64.7FF898D9CC11 |
00007FF898D9CBFA | 48: | mov rcx,rsi |
00007FF898D9CBFD | 48: | mov rbx,qword ptr ss: |
00007FF898D9CC02 | 48: | mov rsi,qword ptr ss: |
00007FF898D9CC07 | 48: | add rsp,20 |
00007FF898D9CC0B | 5F| pop rdi |
00007FF898D9CC0C | E9| jmp <abc64.sub_7FF898D9CC70> |
00007FF898D9CC11 | 33D | xor edx,edx |
00007FF898D9CC13 | 44: | lea r9d,qword ptr ds: |
00007FF898D9CC17 | 45: | xor r8d,r8d |
00007FF898D9CC1A | 48: | lea rcx,qword ptr ss: |
00007FF898D9CC1F | E8| call <abc64.??0ResStr@@QEAA@FPEAU |
00007FF898D9CC24 | 90| nop |
00007FF898D9CC25 | 41: | mov r9d,1 |
00007FF898D9CC2B | 45: | xor r8d,r8d |
00007FF898D9CC2E | 0FB | movzx edx,bx |
00007FF898D9CC31 | 48: | lea rcx,qword ptr ss: |
00007FF898D9CC36 | E8| call <abc64.?Load@ResStr@@QEAAPEB |
00007FF898D9CC3B | 48: | lea rcx,qword ptr ss: |
00007FF898D9CC40 | E8| call <abc64.??BResStr@@QEAAPEB_WX |
00007FF898D9CC45 | 4C: | mov r8,rax |
00007FF898D9CC48 | 8BD | mov edx,edi |
00007FF898D9CC4A | 48: | mov rcx,rsi |
00007FF898D9CC4D | E8| call <abc64.sub_7FF898D9CC70> | 调用【此许可证密钥仅供家庭使用,非商业用途】
00007FF898D9CC52 | 8BD | mov ebx,eax |
00007FF898D9CC54 | 48: | lea rcx,qword ptr ss: |
00007FF898D9CC59 | E8| call <abc64.?Empty@ResStr@@QEAAXX |
00007FF898D9CC5E | 8BC | mov eax,ebx |
00007FF898D9CC60 | 48: | mov rbx,qword ptr ss: |
00007FF898D9CC65 | 48: | mov rsi,qword ptr ss: |
00007FF898D9CC6A | 48: | add rsp,20 |
00007FF898D9CC6E | 5F| pop rdi |
00007FF898D9CC6F | C3| ret |
接下来,走过上面的地方!
都走完之后,来到了这里!
00007FF898D9CC70 <ab | 48: | mov qword ptr ss:,rbx |
00007FF898D9CC75 | 48: | mov qword ptr ss:,rbp |
00007FF898D9CC7A | 48: | mov qword ptr ss:,rsi |
00007FF898D9CC7F | 57| push rdi |
00007FF898D9CC80 | 48: | sub rsp,20 |
00007FF898D9CC84 | 48: | mov rdi,rcx |
00007FF898D9CC87 | 48: | mov qword ptr ss:,8 | :sub_7FF898DB9A00+31C
00007FF898D9CC90 | 48: | lea rcx,qword ptr ss: | :sub_7FF898DB9A00+31C
00007FF898D9CC95 | C74 | mov dword ptr ss:,4000 |
00007FF898D9CC9D | 49: | mov rbp,r8 |
00007FF898D9CCA0 | 8BF | mov esi,edx |
00007FF898D9CCA2 | FF1 | call qword ptr ds:[<&InitCommonCo |
00007FF898D9CCA8 | 48: | test rdi,rdi |
00007FF898D9CCAB | 75| jne abc64.7FF898D9CCB6 |
00007FF898D9CCAD | FF1 | call qword ptr ds:[<&GetActiveWin |
00007FF898D9CCB3 | 48: | mov rdi,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCB6 | 33D | xor ebx,ebx |
00007FF898D9CCB8 | 48: | cmp rdi,1 |
00007FF898D9CCBC | 48: | cmovne rbx,rdi |
00007FF898D9CCC0 | 48: | test rbx,rbx |
00007FF898D9CCC3 | 74| je abc64.7FF898D9CCD1 |
00007FF898D9CCC5 | 48: | mov rcx,rbx |
00007FF898D9CCC8 | FF1 | call qword ptr ds:[<&GetLastActiv |
00007FF898D9CCCE | 48: | mov rbx,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCD1 | 48: | mov rax,qword ptr ds:[7FF898E62C5 | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCD8 | 48: | test rax,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCDB | 74| je abc64.7FF898D9CCE1 |
00007FF898D9CCDD | 33C | xor ecx,ecx |
00007FF898D9CCDF | FFD | call rax |
00007FF898D9CCE1 | E8| call <abc64.?GetMyProductInfo@@YA |
00007FF898D9CCE6 | 48: | mov rcx,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCE9 | 0FB | bts esi,10 |
00007FF898D9CCED | 48: | mov rdx,qword ptr ds: | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
以下内容,感兴趣的可以参考下。
Ctrl+N, GetLicense
暂停堆栈等入手
软件断点
00007FF898D51000 <abc64.dll.sub_7FF898D51000> 已启用 sub rsp,28 0
00007FF898D73051 abc64.dll 已启用 call <abc64.?Msg@@YAHPEAUHWND__@@IPEB_W@Z> 0
00007FF898D9CBD0 <abc64.dll.?Msg@@YAHPEAUHWND__@@IPEB_W@Z> 已启用 mov qword ptr ss:,rbx 10 AAAAAAAAAAAAAAAAAAAAAA
00007FF898D9CC70 <abc64.dll.sub_7FF898D9CC70> 已启用 mov qword ptr ss:,rbx 16
00007FF898D9CCDB abc64.dll 已启用 je abc64.7FF898D9CCE1 16
00007FF898D9CCF0 abc64.dll 已启用 nop 16 此许可证密钥仅供家庭使用,非商业用途 (B1 这里NOP)
00007FF898D9CCFF abc64.dll 已启用 call qword ptr ds:[<&MessageBoxW>] 16
00007FF898DB9270 <abc64.dll.?RCDlg_ProcessEnter@@YAHPEAVri2@@PEAUHWND__@@PEAHIII@Z> 已启用 mov al,1 16 B3(mov al,1;ret) 这里显示rcdlg_processEnter@@yahpeavri2@@peauhwnd
00007FF898DB92C0 abc64.dll 已启用 call <abc64.?RCDlg_GetUserName@@YAHPEAUHWND__@@HPEA_WH@Z> 12 得到用户名,这里该是最开始的地方!
00007FF898DB92C7 abc64.dll 已启用 je abc64.7FF898DB9409 12
00007FF898DB92D1 abc64.dll 已启用 jne abc64.7FF898DB9300 13
00007FF898DB92E9 abc64.dll 已启用 je abc64.7FF898DB93C5 0
00007FF898DB9309 abc64.dll 已启用 je abc64.7FF898DB9327 13
00007FF898DB9321 abc64.dll 已启用 je abc64.7FF898DB93C5 12
00007FF898DB9330 abc64.dll 已启用 je abc64.7FF898DB9358 13
00007FF898DB9345 abc64.dll 已启用 jne abc64.7FF898DB9358 12
00007FF898DB9360 abc64.dll 已启用 call <abc64.?il2@ri2@@QEAAHXZ> 13 或这里A
00007FF898DB9367 abc64.dll 已启用 jne abc64.7FF898DB9385 13 我赌 可能改这里
00007FF898DB9385 abc64.dll 已启用 call <abc64.?WinServer@@YAHXZ> 5这个是服务器验证,调用了微软的,把以该eax=1
00007FF898DB938C abc64.dll 已启用 je abc64.7FF898DB93CC 13
00007FF898DB9398 abc64.dll 已启用 je abc64.7FF898DB93CC 12
00007FF898DB93E0 abc64.dll 已启用 call <abc64.?v@ri2@@QEAAHPEAUHWND__@@H@Z> 8上一级校验窗口
00007FF898DB9BB2 abc64.dll 已启用 lea r9,qword ptr ds: 0
00007FF898DB9C2B abc64.dll 已启用 je abc64.7FF898DB9D5D 0
00007FF898DB9C9E abc64.dll 已启用 je abc64.7FF898DB9CC3 2
00007FF898DB9CBA abc64.dll 已启用 call <abc64.?RCDlg_ProcessEnter@@YAHPEAVri2@@PEAUHWND__@@PEAHIII@Z> 0
00007FF898DC0F00 <abc64.dll.?v@ri2@@QEAAHPEAUHWND__@@H@Z> 已启用 mov qword ptr ss:,rbx 8
00007FF898DC0F6E abc64.dll 已启用 ja abc64.7FF898DC1423 6
00007FF898DC0F8E abc64.dll 已启用 ja abc64.7FF898DC1423 6必须跳2
00007FF898DC1017 abc64.dll 已启用 mov rcx,r13 9
00007FF898DC103F abc64.dll 已启用 call <abc64.sub_7FF898DB80A0> 9可疑点1 出来那个该死的提示!
00007FF898DC1046 abc64.dll 已启用 jne abc64.7FF898DC1423 9B584改85
00007FF898DC1053 abc64.dll 已启用 jne abc64.7FF898DC10FD 6可疑点3
00007FF898DC10DD abc64.dll 已启用 call <abc64.?Msg@@YAHPEAUHWND__@@IPEB_W@Z> 6
00007FF898DC10E5 abc64.dll 已启用 je abc64.7FF898DC1423 0
00007FF8B6BBB3E2 cryptsp.dll 已启用 je cryptsp.7FF8B6BBB41B 0
00007FF8B6BBB3E7 cryptsp.dll 已启用 je cryptsp.7FF8B6BBB413 0
00007FF8B6BBB3FB cryptsp.dll 已启用 lea rax,qword ptr ds: 0
00007FF8B6BBB41B cryptsp.dll 已启用 lea rax,qword ptr ds: 0
00007FF8B6F1BC80 <kernel32.dll.FormatMessageW> 已启用 jmp qword ptr ds:[<&FormatMessageW>] 0
00007FF8B7F2B050 <user32.dll.PostQuitMessage> 已启用 movsxd rcx,ecx 0
00007FF8B7F7D410 <user32.dll.MessageBeep> 已启用 mov ecx,ecx 0
===========================================================================
这样我们就注册成功了,同时暗桩也没有触发,但是文件自校验的问题还得处理,不然保存出的文件,就会接茬弹窗!
重启后,诱发暗桩发生,我们就到了上面这个地方(记得这次不再是DLL了,而是主程序了哟~~)
00007FF68CEC77E0 | 40: | push rbx |
00007FF68CEC77E2 | 48: | sub rsp,20 |
00007FF68CEC77E6 | 48: | mov rbx,rcx |
00007FF68CEC77E9 | 48: | lea rcx,qword ptr ds:[7FF68CFD731 |
00007FF68CEC77F0 | E8| call abcmdr64.7FF68CEB24E0 | 所以这里F7进入修改吧
00007FF68CEC77F5 | 85C | test eax,eax |
00007FF68CEC77F7 | 0F8 | jne abcmdr64.7FF68CEC78D1 | 暗桩调用点跳过处,果然需要修改eax返回值
00007FF68CEC77FD | 48: | mov rcx,qword ptr ds: |
00007FF68CEC7801 | 8D5 | lea edx,qword ptr ds: |
00007FF68CEC7804 | 41: | mov r8d,7DC |
00007FF68CEC780A | 48: | mov qword ptr ss:,rdi |
00007FF68CEC780F | FF1 | call qword ptr ds:[<&?Msg@@YAHPEA |
00007FF68CEC7815 | 83F | cmp eax,6 |
00007FF68CEC7818 | 75| jne abcmdr64.7FF68CEC782E |
00007FF68CEC781A | 48: | mov rcx,qword ptr ds: |
00007FF68CEC781E | 48: | lea rdx,qword ptr ds:[7FF68CF828E | 00007FF68CF828E0:L"integrity-abc"
00007FF68CEC7825 | 45: | xor r8d,r8d |
00007FF68CEC7828 | FF1 | call qword ptr ds:[<&?GoOnline@@Y |
00007FF68CEC782E | 33F | xor edi,edi |
00007FF68CEC7830 | 48: | lea rdx,qword ptr ss: |
00007FF68CEC7835 | 48: | lea rcx,qword ptr ds:[7FF68CEB96A |
00007FF68CEC783C | 897 | mov dword ptr ss:,edi |
00007FF68CEC7840 | FF1 | call qword ptr ds:[<&EnumWindows> |
00007FF68CEC7846 | 397 | cmp dword ptr ss:,edi |
00007FF68CEC784A | 74| je abcmdr64.7FF68CEC7886 |
00007FF68CEC784C | 0F1 | nop dword ptr ds:,eax |
00007FF68CEC7850 | 48: | mov rcx,qword ptr ds: |
00007FF68CEC7854 | BA| mov edx,35 | 35:'5'
00007FF68CEC7859 | 41: | mov r8d,7F3 |
00007FF68CEC785F | FF1 | call qword ptr ds:[<&?Msg@@YAHPEA |
00007FF68CEC7865 | 83F | cmp eax,4 |
00007FF68CEC7868 | 75| jne abcmdr64.7FF68CEC78CC |
00007FF68CEC786A | 48: | lea rdx,qword ptr ss: |
00007FF68CEC786F | 897 | mov dword ptr ss:,edi |
00007FF68CEC7873 | 48: | lea rcx,qword ptr ds:[7FF68CEB96A |
00007FF68CEC787A | FF1 | call qword ptr ds:[<&EnumWindows> |
00007FF68CEC7880 | 397 | cmp dword ptr ss:,edi |
00007FF68CEC7884 | 75| jne abcmdr64.7FF68CEC7850 |
00007FF68CEC7886 | C78 | mov dword ptr ds:,1 |
00007FF68CEC7890 | FF1 | call qword ptr ds:[<&GetCurrentTh |
00007FF68CEC7896 | 48: | mov rcx,rax |
00007FF68CEC7899 | BA| mov edx,F |
00007FF68CEC789E | FF1 | call qword ptr ds:[<&SetThreadPri |
00007FF68CEC78A4 | FF1 | call qword ptr ds:[<&GetCurrentPr |
00007FF68CEC78AA | 48: | mov rcx,rax |
00007FF68CEC78AD | BA| mov edx,80 |
00007FF68CEC78B2 | FF1 | call qword ptr ds:[<&SetPriorityC |
00007FF68CEC78B8 | 48: | mov rcx,qword ptr ds: |
00007FF68CEC78BC | 45: | xor r9d,r9d |
00007FF68CEC78BF | 45: | xor r8d,r8d |
00007FF68CEC78C2 | 41: | lea edx,qword ptr ds: |
00007FF68CEC78C6 | FF1 | call qword ptr ds:[<&PostMessageW |
00007FF68CEC78CC | 48: | mov rdi,qword ptr ss: |
00007FF68CEC78D1 | 48: | add rsp,20 |
00007FF68CEC78D5 | 5B| pop rbx |
00007FF68CEC78D6 | C3| ret |
这样暗桩问题就解决了。
小伙伴们就可以愉快的玩耍了~~
全凭感觉搞的,凑合看吧~~{:301_998:}
===========================================================
接下来大白补丁 64位版就该上演了。
。。。研究中。。。 我一直用的位移精灵,但是华为运动健康更新到10以后就只能刷步,但同步不到支付宝之类的了。继续用华为运动健康9还可以,不过反应有点慢。老是闪退。另外一个问题,为什么换了支付宝账号再同步的话步数同步不过去呢? badboys 发表于 2020-2-2 12:35
我一直用的位移精灵,但是华为运动健康更新到10以后就只能刷步,但同步不到支付宝之类的了。继续用华为运动 ...
我都是不更 @惮殃 + 1
我是为了上面那个白白的咪咪来的
有老婆的原来这么流氓
真是 男人的本性啊{:301_1008:} 你win10的任务栏好好看,什么主题,快交出来大佬。
{:301_978:} 感谢分享!!!支持一下! 大佬,学习了 支持一下
感谢分享!!!支持一下! 感谢🙏分享,故事讲述不错👍
感谢分享!!!支持一下! 感谢分享
页:
[1]
2