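Da Ha: A Simple Patching Walkthrough
This post was last edited by 冥界3大法王 on 2021-2-14 11:03
Software introduction: one of the four great file-search tools. It quickly searches indexed content and previews the results, and counts among the four must-have tools for patching work. 30-day full-featured trial version.
========================================================
First, use RegWorkshop to search for the key value 【已脱敏保密】 (redacted); there are roughly 485 hits.
Deleting all of them had no effect at all.
Go to the program folder and take a quick, sharp look for anything suspicious.
Sure enough, there is regkey.xml.
What are you waiting for? Delete it, and it is 30 days again.
Open the main program in x64dbg.
Ctrl+N, then filter on the left for configlib.dll.
Search on the right for trial.
Sure enough, there are 4 functions related to the trial and to loading the KEY: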
?LoadTrialRegKeyConfiguration@CONFIGLIB@@YAJPEAV?$shared_ptr@UIConfigDataMgr@INTERNAL_IFC@@@boost@@AEBV23@_N@Z
?LoadTrialRegKeyConfiguration_ReadOnly@CONFIGLIB@@YAJPEAV?$shared_ptr@UIConfigDataMgr@INTERNAL_IFC@@@boost@@_N@Z
?LoadRegKeyConfiguration@CONFIGLIB@@YAJPEAV?$shared_ptr@UIConfigDataMgr@INTERNAL_IFC@@@boost@@@Z
?LoadRegKeyConfigurationPath@CONFIGLIB@@YAJAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PEAV?
Then search for Write (the ones that write the INI configuration); there are mainly these 3:
WriteFile
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
fwrite
========================================================
Delete regkey.xml and it is another 30-day full-featured trial!
=========================Contents as follows=========================
<?xml version="1.0"?>
<cfg ver="2">
<section name="【已脱敏保密】">
<InstallationOptions n="241a87fcba94f5dd"/>
<LiteApp t="3">pro</LiteApp>
</section>
</cfg>
========================================================
(A)
========================================================
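Tidying up that damned wait dialog at startup: (Preparing for first use)
(B)
=======================================================
Tidying up the "trial" wording in Help > About and in the top title bar: (C)
The key points have been briefly summarized and analyzed above; now let's solve them one by one.
This program is 64-bit, so x64dbg is a must.
Forum members who don't know how yet can watch the video series directed by the OP: x32dbg/x64dbg Command Quick-Start Video Tutorial Series
Then let's get the program running first, but you will find that an exception is raised right after it starts.
So handle it with Shift+F9, and then we use the [F12 plus Alt-K] stack-pause technique.
The list has a pile of entries and I couldn't be bothered to read them. I copied the whole table straight into my self-made tool Ollydbg/x64dbg贴心伴侣 to filter it, then pressed F1 to set breakpoints on all of them.
Or, if you don't mind the hard work, analyze them one by one.
Through analysis, you can find one interesting place: not far above the third one there is the English word for exception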
(call qword ptr ds:[<&RtlRaiseException>])
00007FF6 | FF15 F0FA2200 | call qword ptr ds:[<&SystemTimeToVariantTime>]
| Isn't this line interesting?
00007FF68FE66013 | E8 2835F7FF | call 原版.7FF68FDD9540 | Judging from the surrounding context, what would happen if al=1 here? Step in with F7 and modify it
00007FF68FE66018 | 8B4424 5C | mov eax,dword ptr ss: |
00007FF68FE6601C | 0FB6C8 | movzx ecx,al |
00007FF68FE6601F | 80E1 01 | and cl,1 |
00007FF68FE66022 | 75 10 | jne 原版.7FF68FE66034 |
00007FF68FE66024 | A8 02 | test al,2 |
00007FF68FE66026 | 0F85 B1000000 | jne 原版.7FF68FE660DD |
00007FF68FE6602C | A8 04 | test al,4 |
00007FF68FE6602E | 0F85 A9000000 | jne 原版.7FF68FE660DD |
00007FF68FE66034 | 40:84FF | test dil,dil |
00007FF68FE66037 | 75 46 | jne 原版.7FF68FE6607F |
00007FF68FE66039 | 48:8B0D 98393A00 | mov rcx,qword ptr ds: |
00007FF68FE66040 | 48:85C9 | test rcx,rcx |
00007FF68FE66043 | 74 0D | je 原版.7FF68FE66052 |
00007FF68FE66045 | 48:8B01 | mov rax,qword ptr ds: |
00007FF68FE66048 | BA A7000000 | mov edx,A7 |
00007FF68FE6604D | FF50 58 | call qword ptr ds: |
00007FF68FE66050 | EB 07 | jmp 原版.7FF68FE66059 |
00007FF68FE66052 | 48:8D05 EFCA2400 | lea rax,qword ptr ds: | 00007FF6900B2B48:L"<no language>"
00007FF68FE66059 | 33D2 | xor edx,edx |
00007FF68FE6605B | 48:8BC8 | mov rcx,rax |
00007FF68FE6605E | E8 DDEBF5FF | call 原版.7FF68FDC4C40 |
00007FF68FE66063 | 48:8D5424 60 | lea rdx,qword ptr ss: |
00007FF68FE66068 | 48:8BCB | mov rcx,rbx |
00007FF68FE6606B | E8 D034F7FF | call 原版.7FF68FDD9540 |
00007FF68FE66070 | 8B5424 60 | mov edx,dword ptr ss: |
00007FF68FE66074 | 83E2 F8 | and edx,FFFFFFF8 |
00007FF68FE66077 | 48:8BCB | mov rcx,rbx |
00007FF68FE6607A | E8 F1BAF7FF | call 原版.7FF68FDE1B70 |
00007FF68FE6607F | 48:8D5424 64 | lea rdx,qword ptr ss: |
00007FF68FE66084 | 48:8BCB | mov rcx,rbx |
00007FF68FE66087 | E8 B434F7FF | call 原版.7FF68FDD9540 |
00007FF68FE6608C | 8B4424 64 | mov eax,dword ptr ss: |
00007FF68FE66090 | 0FB6C8 | movzx ecx,al |
00007FF68FE66093 | 80E1 01 | and cl,1 |
00007FF68FE66096 | 75 45 | jne 原版.7FF68FE660DD |
00007FF68FE66098 | A8 02 | test al,2 |
00007FF68FE6609A | 75 41 | jne 原版.7FF68FE660DD |
00007FF68FE6609C | A8 04 | test al,4 |
00007FF68FE6609E | 75 3D | jne 原版.7FF68FE660DD |
00007FF68FE660A0 | 40:0FB6D7 | movzx edx,dil |
00007FF68FE660A4 | 83F2 01 | xor edx,1 |
00007FF68FE660A7 | 8D1455 01000000 | lea edx,qword ptr ds: |
00007FF68FE660AE | 48:8BCB | mov rcx,rbx |
00007FF68FE660B1 | E8 4AB2F7FF | call 原版.7FF68FDE1300 |
00007FF68FE660B6 | 41:B1 01 | mov r9b,1 |
00007FF68FE660B9 | 4D:8BC4 | mov r8,r12 |
00007FF68FE660BC | 48:8BD3 | mov rdx,rbx |
00007FF68FE660BF | 48:8D4D B0 | lea rcx,qword ptr ss: |
00007FF68FE660C3 | E8 78BCF7FF | call 原版.7FF68FDE1D40 |
00007FF68FE660C8 | 90 | nop |
00007FF68FE660C9 | 48:8D4D B0 | lea rcx,qword ptr ss: |
00007FF68FE660CD | FF15 B52C2300 | call qword ptr ds:[<&Ordinal#3951>] | Located here via the call-stack list + Ctrl+F8!
00007FF68FE660D3 | 90 | nop |
00007FF68FE660D4 | 48:8D4D B0 | lea rcx,qword ptr ss: |
00007FF68FE660D8 | E8 63BEF7FF | call 原版.7FF68FDE1F40 |
00007FF68FE660DD | 45:33E4 | xor r12d,r12d |
00007FF68FE660E0 | 4C:89A5 C8060000 | mov qword ptr ss:,r12 |
00007FF68FE660E7 | 4C:89A5 D0060000 | mov qword ptr ss:,r12 |
00007FF68FE660EE | 4C:89A5 C8060000 | mov qword ptr ss:,r12 |
00007FF68FE660F5 | 48:C785 D0060000 07000000| mov qword ptr ss:,7 |
00007FF68FE66100 | 6644:89A5 B8060000 | mov word ptr ss:,r12w |
00007FF68FE66108 | 45:8D4424 07 | lea r8d,qword ptr ds: |
00007FF68FE6610D | 48:8D15 5CCD2700 | lea rdx,qword ptr ds: | 00007FF6900E2E70:L"Version"
00007FF68FE66114 | 48:8D8D B8060000 | lea rcx,qword ptr ss: |
00007FF68FE6611B | E8 00E6F5FF | call 原版.7FF68FDC4720 |
00007FF68FE66120 | 90 | nop |
00007FF68FE66121 | 4C:89A5 90060000 | mov qword ptr ss:,r12 |
00007FF68FE66128 | 4C:89A5 98060000 | mov qword ptr ss:,r12 |
00007FF68FE6612F | 4C:89A5 90060000 | mov qword ptr ss:,r12 |
00007FF68FE66136 | 48:C785 98060000 07000000| mov qword ptr ss:,7 |
00007FF68FE66141 | 6644:89A5 80060000 | mov word ptr ss:,r12w |
00007FF68FE66149 | 45:8D4424 07 | lea r8d,qword ptr ds: |
00007FF68FE6614E | 48:8D15 83392600 | lea rdx,qword ptr ds: | 00007FF6900C9AD8:L"Options"
00007FF68FE66155 | 48:8D8D 80060000 | lea rcx,qword ptr ss: |
00007FF68FE6615C | E8 BFE5F5FF | call 原版.7FF68FDC4720 |
00007FF68FE66161 | 90 | nop |
00007FF68FE66162 | 48:8B4D 88 | mov rcx,qword ptr ss: |
00007FF68FE66166 | 48:8B01 | mov rax,qword ptr ds: |
00007FF68FE66169 | 4C:8D85 B8060000 | lea r8,qword ptr ss: |
00007FF68FE66170 | 48:8D95 80060000 | lea rdx,qword ptr ss: |
00007FF68FE66177 | FF90 B0000000 | call qword ptr ds: |
00007FF68FE6617D | 0FB6F8 | movzx edi,al |
00007FF68FE66180 | 48:8B95 98060000 | mov rdx,qword ptr ss: |
00007FF68FE66187 | 48:83FA 08 | cmp rdx,8 |
00007FF68FE6618B | 72 14 | jb 原版.7FF68FE661A1 |
00007FF68FE6618D | 48:8D1455 02000000 | lea rdx,qword ptr ds: |
00007FF68FE66195 | 48:8B8D 80060000 | mov rcx,qword ptr ss: |
00007FF68FE6619C | E8 FFE7F5FF | call 原版.7FF68FDC49A0 |
00007FF68FE661A1 | 4C:89A5 90060000 | mov qword ptr ss:,r12 |
00007FF68FE661A8 | 48:C785 98060000 07000000| mov qword ptr ss:,7 |
00007FF68FE661B3 | 6644:89A5 80060000 | mov word ptr ss:,r12w |
00007FF68FE661BB | 48:8B95 D0060000 | mov rdx,qword ptr ss: |
00007FF68FE661C2 | 48:83FA 08 | cmp rdx,8 |
00007FF68FE661C6 | 72 14 | jb 原版.7FF68FE661DC |
00007FF68FE661C8 | 48:8D1455 02000000 | lea rdx,qword ptr ds: |
00007FF68FE661D0 | 48:8B8D B8060000 | mov rcx,qword ptr ss: |
00007FF68FE661D7 | E8 C4E7F5FF | call 原版.7FF68FDC49A0 |
00007FF68FE661DC | 4C:89A5 C8060000 | mov qword ptr ss:,r12 |
00007FF68FE661E3 | 48:C785 D0060000 07000000| mov qword ptr ss:,7 |
00007FF68FE661EE | 6644:89A5 B8060000 | mov word ptr ss:,r12w |
00007FF68FE661F6 | 48:8D5424 68 | lea rdx,qword ptr ss: |
00007FF68FE661FB | 48:8BCB | mov rcx,rbx |
00007FF68FE661FE | E8 3D33F7FF | call 原版.7FF68FDD9540 |
00007FF68FE66203 | 8B4424 68 | mov eax,dword ptr ss: |
00007FF68FE66207 | 0FB6C8 | movzx ecx,al |
00007FF68FE6620A | 80E1 01 | and cl,1 |
00007FF68FE6620D | 74 07 | je 原版.7FF68FE66216 |
00007FF68FE6620F | B8 01000000 | mov eax,1 |
00007FF68FE66214 | EB 14 | jmp 原版.7FF68FE6622A |
00007FF68FE66216 | A8 02 | test al,2 |
00007FF68FE66218 | 74 07 | je 原版.7FF68FE66221 |
00007FF68FE6621A | B8 02000000 | mov eax,2 |
00007FF68FE6621F | EB 09 | jmp 原版.7FF68FE6622A |
00007FF68FE66221 | 24 04 | and al,4 |
00007FF68FE66223 | F6D8 | neg al |
00007FF68FE66225 | 1BC0 | sbb eax,eax |
00007FF68FE66227 | 83E0 03 | and eax,3 |
00007FF68FE6622A | 83F8 01 | cmp eax,1 |
00007FF68FE6622D | 0F94C0 | sete al |
00007FF68FE66230 | 41:8885 70030000 | mov byte ptr ds:,al |
00007FF68FE66237 | 45:84FF | test r15b,r15b |
00007FF68FE6623A | 74 1C | je 原版.7FF68FE66258 |
00007FF68FE6623C | 40:84FF | test dil,dil |
00007FF68FE6623F | 74 17 | je 原版.7FF68FE66258 |
00007FF68FE66241 | 807C24 50 00 | cmp byte ptr ss:,0 |
00007FF68FE66246 | 75 10 | jne 原版.7FF68FE66258 |
00007FF68FE66248 | 41:B0 01 | mov r8b,1 |
00007FF68FE6624B | BA 03000000 | mov edx,3 |
00007FF68FE66250 | 48:8BCB | mov rcx,rbx |
00007FF68FE66253 | E8 98B8F7FF | call 原版.7FF68FDE1AF0 |
00007FF68FE66258 | 48:8B4B 58 | mov rcx,qword ptr ds: |
00007FF68FE6625C | 48:8B01 | mov rax,qword ptr ds: |
00007FF68FE6625F | FF50 30 | call qword ptr ds: |
00007FF68FE66262 | B9 08000000 | mov ecx,8 |
00007FF68FE66267 | FF15 23242300 | call qword ptr ds:[<&Ordinal#1489>] |
00007FF68FE6626D | 48:8BD8 | mov rbx,rax |
00007FF68FE66270 | 48:8945 80 | mov qword ptr ss:,rax |
00007FF68FE66274 | 48:85C0 | test rax,rax |
00007FF68FE66277 | 74 16 | je 原版.7FF68FE6628F |
00007FF68FE66279 | 48:8D05 10E92700 | lea rax,qword ptr ds:[<&JMP.&_purecall>] |
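Surprisingly, A and B were both skipped entirely.
When locating this spot, note that Shift+F9 (pass the exception) and Ctrl+F8 (step over) need to be used together. Cavalry and infantry fighting in coordination.
The dumbest method is simply to try a few more times. We patch with Ctrl+P and first save a copy as 【原版加跳过了注册框和启动等待提示.exe】 (the original plus skipping the registration dialog and the startup wait prompt).
Next, we kill the call that writes regkey.xml. As mentioned earlier, you can use Ctrl+N, config xxx.dll, and search for write; this takes patience and care.
We finally arrive at a place not far above. This is clearly in the middle of writing regkey.xml: while debugging, you will see the steps of preparing the file's buffer in memory, creating an empty file, writing the whole file, and so on.
In the end, just NOP out 00007FF87F0F33F3.
Finally, let's deal with the 【trial】 wording in the top title bar.
Then we use strings to locate it and set breakpoints.
Then we arrive at the following place: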
00007FF796441500 <原版fil | 48:895C24 18 | mov qword ptr ss:,rbx |
00007FF796441505 | 48:897424 20 | mov qword ptr ss:,rsi |
00007FF79644150A | 55 | push rbp |
00007FF79644150B | 57 | push rdi |
00007FF79644150C | 41:56 | push r14 |
00007FF79644150E | 48:8D6C24 90 | lea rbp,qword ptr ss: | :L"Crash handler was already installed for current thread."
00007FF796441513 | 48:81EC 70010000 | sub rsp,170 |
00007FF79644151A | 48:8B05 FF0A4100 | mov rax,qword ptr ds: |
00007FF796441521 | 48:33C4 | xor rax,rsp |
00007FF796441524 | 48:8945 60 | mov qword ptr ss:,rax |
00007FF796441528 | 48:8BDA | mov rbx,rdx |
00007FF79644152B | 48:8BF9 | mov rdi,rcx |
00007FF79644152E | 48:895424 30 | mov qword ptr ss:,rdx |
00007FF796441533 | 45:33F6 | xor r14d,r14d |
00007FF796441536 | 44:897424 20 | mov dword ptr ss:,r14d |
00007FF79644153B | 4C:8975 50 | mov qword ptr ss:,r14 |
00007FF79644153F | 4C:8975 58 | mov qword ptr ss:,r14 |
00007FF796441543 | 4C:8975 50 | mov qword ptr ss:,r14 |
00007FF796441547 | 48:C745 58 07000000 | mov qword ptr ss:,7 |
00007FF79644154F | 6644:8975 40 | mov word ptr ss:,r14w |
00007FF796441554 | 48:8D5424 28 | lea rdx,qword ptr ss: |
00007FF796441559 | E8 E27FFFFF | call <原版加跳过了注册框和启动等待提示.sub_7FF7964395 |
00007FF79644155E | 8B4424 28 | mov eax,dword ptr ss: |
00007FF796441562 | 0FB6C8 | movzx ecx,al |
00007FF796441565 | 41:8D76 04 | lea esi,qword ptr ds: |
00007FF796441569 | 80E1 01 | and cl,1 |
00007FF79644156C | 75 15 | jne 原版加跳过了注册框和启动等待提示.7FF796441583 |
00007FF79644156E | A8 02 | test al,2 |
00007FF796441570 | 75 27 | jne 原版加跳过了注册框和启动等待提示.7FF796441599 |
00007FF796441572 | 40:84C6 | test sil,al |
00007FF796441575 | 74 22 | je 原版加跳过了注册框和启动等待提示.7FF796441599 |
00007FF796441577 | 44:8BC6 | mov r8d,esi |
00007FF79644157A | 48:8D15 777C2E00 | lea rdx,qword ptr ds: | 00007FF7967291F8:L"LITE"
00007FF796441581 | EB 0D | jmp 原版加跳过了注册框和启动等待提示.7FF796441590 |
00007FF796441583 | 41:B8 05000000 | mov r8d,5 |
00007FF796441589 | 48:8D15 787C2E00 | lea rdx,qword ptr ds: | 00007FF796729208:L"TRIAL"
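Go to the start of the function and find the call site above!
The code below has subtle relationships between what comes before and after.
00007FF796441500 < | 48:895C24 18 | mov qword ptr ss:,rbx | return 1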
00007FF796441505 | 48:897424 20 | mov qword ptr ss:,rsi |
00007FF79644150A | 55 | push rbp |
00007FF79644150B | 57 | push rdi |
00007FF79644150C | 41:56 | push r14 |
00007FF79644150E | 48:8D6C24 90 | lea rbp,qword ptr ss: | :"儅@"
00007FF796441513 | 48:81EC 70010000 | sub rsp,170 |
00007FF79644151A | 48:8B05 FF0A4100 | mov rax,qword ptr ds: |
00007FF796441521 | 48:33C4 | xor rax,rsp |
00007FF796441524 | 48:8945 60 | mov qword ptr ss:,rax |
00007FF796441528 | 48:8BDA | mov rbx,rdx |
00007FF79644152B | 48:8BF9 | mov rdi,rcx |
00007FF79644152E | 48:895424 30 | mov qword ptr ss:,rdx |
00007FF796441533 | 45:33F6 | xor r14d,r14d |
00007FF796441536 | 44:897424 20 | mov dword ptr ss:,r14d |
00007FF79644153B | 4C:8975 50 | mov qword ptr ss:,r14 |
00007FF79644153F | 4C:8975 58 | mov qword ptr ss:,r14 |
00007FF796441543 | 4C:8975 50 | mov qword ptr ss:,r14 |
00007FF796441547 | 48:C745 58 07000000 | mov qword ptr ss:,7 |
00007FF79644154F | 6644:8975 40 | mov word ptr ss:,r14w |
00007FF796441554 | 48:8D5424 28 | lea rdx,qword ptr ss: |
00007FF796441559 | E8 E27FFFFF | call <原版.sub_7FF7964 | What if al returns 1 here?
00007FF79644155E | 8B4424 28 | mov eax,dword ptr ss: |
00007FF796441562 | 0FB6C8 | movzx ecx,al |
00007FF796441565 | 41:8D76 04 | lea esi,qword ptr ds: |
00007FF796441569 | 80E1 01 | and cl,1 |
00007FF79644156C | 75 15 | jne 原版.7FF796441583| NOP
00007FF79644156E | A8 02 | test al,2 |
00007FF796441570 | 75 27 | jne 原版.7FF796441599| nop
00007FF796441572 | 40:84C6 | test sil,al |
00007FF796441575 | 74 22 | je 原版.7FF796441599 | nop
00007FF796441577 | 44:8BC6 | mov r8d,esi |
00007FF79644157A | 48:8D15 777C2E00 | lea rdx,qword ptr ds: | 00007FF7967291F8:L"LITE"
00007FF796441581 | EB 0D | jmp 原版.7FF796441590| this is the trial wording
00007FF796441583 | 41:B8 05000000 | mov r8d,5 |
00007FF796441589 | 48:8D15 787C2E00 | lea rdx,qword ptr ds: | 00007FF796729208:L"TRIAL"
00007FF796441590 | 48:8D4D 40 | lea rcx,qword ptr ss: |
00007FF796441594 | E8 8731FEFF | call 原版.7FF796424720 |
00007FF796441599 | 48:8D5424 28 | lea rdx,qword ptr ss: |
00007FF79644159E | 48:8BCF | mov rcx,rdi |
00007FF7964415A1 | E8 9A7FFFFF | call <原版.sub_7FF7964 |
00007FF7964415A6 | 8B7C24 28 | mov edi,dword ptr ss: |
00007FF7964415AA | 83E7 10 | and edi,10 |
00007FF7964415AD | 48:837D 50 00 | cmp qword ptr ss:,0 |
00007FF7964415B2 | 90 | nop |====》NOP
00007FF7964415B3 | 90 | nop |====》NOP
00007FF7964415B4 | 85FF | test edi,edi |
00007FF7964415B6 | 90 | nop |====》NOP
00007FF7964415B7 | 90 | nop |====》NOP
00007FF7964415B8 | 4C:8973 10 | mov qword ptr ds:,r14 |
00007FF7964415BC | 48:C743 18 07000000 | mov qword ptr ds:,7 |
00007FF7964415C4 | 6644:8933 | mov word ptr ds:,r14w |
00007FF7964415C8 | 45:33C0 | xor r8d,r8d |
00007FF7964415CB | 48:8D15 06152D00 | lea rdx,qword ptr ds: |
00007FF7964415D2 | 48:8BCB | mov rcx,rbx |
00007FF7964415D5 | E8 4631FEFF | call 原版.7FF796424720 |
00007FF7964415DA | C74424 20 01000000 | mov dword ptr ss:,1 |
00007FF7964415E2 | E9 5E010000 | jmp 原版.7FF796441745|
00007FF7964415E7 | 48:8D4C24 40 | lea rcx,qword ptr ss: |
00007FF7964415EC | E8 3FB1FEFF | call <原版.sub_7FF7964 |
00007FF7964415F1 | 90 | nop |
00007FF7964415F2 | 48:8D15 1B7C2E00 | lea rdx,qword ptr ds: | 00007FF796729214:L"["
00007FF7964415F9 | 48:8D4C24 50 | lea rcx,qword ptr ss: |
00007FF7964415FE | E8 4DC4FEFF | call <原版.sub_7FF7964 |
00007FF796441603 | 48:8BC8 | mov rcx,rax |
00007FF796441606 | 48:8D55 40 | lea rdx,qword ptr ss: |
00007FF79644160A | E8 F195FEFF | call <原版.sub_7FF7964 |
00007FF79644160F | 85FF | test edi,edi |
00007FF796441611 | 74 3F | je 原版.7FF796441652 |
00007FF796441613 | 48:8B0D BE834200 | mov rcx,qword ptr ds: |
00007FF79644161A | 48:85C9 | test rcx,rcx |
00007FF79644161D | 74 10 | je 原版.7FF79644162F |
00007FF79644161F | 48:8B01 | mov rax,qword ptr ds: |
00007FF796441622 | BA 90030000 | mov edx,390 |
00007FF796441627 | FF50 58 | call qword ptr ds: |
00007FF79644162A | 48:8BF8 | mov rdi,rax |
00007FF79644162D | EB 07 | jmp 原版.7FF796441636|
00007FF79644162F | 48:8D3D 12152D00 | lea rdi,qword ptr ds: | 00007FF796712B48:L"<no language>"
00007FF796441636 | 48:8D15 DB7B2E00 | lea rdx,qword ptr ds: | 00007FF796729218:L" * "
00007FF79644163D | 48:8D4C24 50 | lea rcx,qword ptr ss: |
00007FF796441642 | E8 09C4FEFF | call <原版.sub_7FF7964 |
00007FF796441647 | 48:8BC8 | mov rcx,rax |
00007FF79644164A | 48:8BD7 | mov rdx,rdi |
00007FF79644164D | E8 FEC3FEFF | call <原版.sub_7FF7964 |
00007FF796441652 | 48:8D15 C77B2E00 | lea rdx,qword ptr ds: | 00007FF796729220:L"]"
00007FF796441659 | 48:8D4C24 50 | lea rcx,qword ptr ss: |
00007FF79644165E | E8 EDC3FEFF | call <原版.sub_7FF7964 |
00007FF796441663 | 90 | nop |
00007FF796441664 | 4C:8973 10 | mov qword ptr ds:,r14 |
00007FF796441668 | 48:C743 18 07000000 | mov qword ptr ds:,7 |
00007FF796441670 | 6644:8933 | mov word ptr ds:,r14w |
00007FF796441674 | 897424 20 | mov dword ptr ss:,esi |
00007FF796441678 | 48:8B4D C8 | mov rcx,qword ptr ss: |
00007FF79644167C | F6C1 02 | test cl,2 |
00007FF79644167F | 75 22 | jne 原版.7FF7964416A3|
00007FF796441681 | 48:8B45 98 | mov rax,qword ptr ss: |
00007FF796441685 | 4C:8B00 | mov r8,qword ptr ds: |
00007FF796441688 | 4D:85C0 | test r8,r8 |
00007FF79644168B | 74 16 | je 原版.7FF7964416A3 |
00007FF79644168D | 48:8B4424 78 | mov rax,qword ptr ss: |
00007FF796441692 | 48:8B10 | mov rdx,qword ptr ds: |
00007FF796441695 | 4C:3B45 C0 | cmp r8,qword ptr ss: |
00007FF796441699 | 4C:0F4245 C0 | cmovb r8,qword ptr ss: |
00007FF79644169E | 4C:2BC2 | sub r8,rdx |
00007FF7964416A1 | EB 29 | jmp 原版.7FF7964416CC|
00007FF7964416A3 | F6C1 04 | test cl,4 |
00007FF7964416A6 | 75 2F | jne 原版.7FF7964416D7|
00007FF7964416A8 | 48:8B45 90 | mov rax,qword ptr ss: |
00007FF7964416AC | 48:8B08 | mov rcx,qword ptr ds: |
00007FF7964416AF | 48:85C9 | test rcx,rcx |
00007FF7964416B2 | 74 23 | je 原版.7FF7964416D7 |
00007FF7964416B4 | 48:8B4424 70 | mov rax,qword ptr ss: |
00007FF7964416B9 | 48:8B10 | mov rdx,qword ptr ds: |
00007FF7964416BC | 48:8B45 A8 | mov rax,qword ptr ss: |
00007FF7964416C0 | 4C:6300 | movsxd r8,dword ptr ds: |
00007FF7964416C3 | 4D:03C0 | add r8,r8 |
00007FF7964416C6 | 4C:2BC2 | sub r8,rdx |
00007FF7964416C9 | 4C:03C1 | add r8,rcx |
00007FF7964416CC | 49:D1F8 | sar r8,1 |
00007FF7964416CF | 48:8BCB | mov rcx,rbx |
00007FF7964416D2 | E8 4930FEFF | call 原版.7FF796424720 |
00007FF7964416D7 | 83E6 FB | and esi,FFFFFFFB |
00007FF7964416DA | 897424 20 | mov dword ptr ss:,esi |
00007FF7964416DE | 83CE 02 | or esi,2 |
00007FF7964416E1 | 897424 20 | mov dword ptr ss:,esi |
00007FF7964416E5 | 83E6 FD | and esi,FFFFFFFD |
00007FF7964416E8 | 897424 20 | mov dword ptr ss:,esi |
00007FF7964416EC | 83CE 01 | or esi,1 |
00007FF7964416EF | 897424 20 | mov dword ptr ss:,esi |
00007FF7964416F3 | 48:8D45 D8 | lea rax,qword ptr ss: |
00007FF7964416F7 | 48:894424 28 | mov qword ptr ss:,rax |
00007FF7964416FC | 48:8B4424 40 | mov rax,qword ptr ss: |
00007FF796441701 | 48:6348 04 | movsxd rcx,dword ptr ds: |
00007FF796441705 | 48:8D05 04342D00 | lea rax,qword ptr ds:[<&sub_7FF79642C82C>] |
00007FF79644170C | 48:89440C 40 | mov qword ptr ss:,rax |
00007FF796441711 | 48:8B4424 40 | mov rax,qword ptr ss: |
00007FF796441716 | 48:6348 04 | movsxd rcx,dword ptr ds: |
00007FF79644171A | 8D91 68FFFFFF | lea edx,qword ptr ds: |
00007FF796441720 | 89540C 3C | mov dword ptr ss:,edx |
00007FF796441724 | 48:8D4C24 58 | lea rcx,qword ptr ss: |
00007FF796441729 | E8 72B7FEFF | call <原版.sub_7FF7964 |
00007FF79644172E | 90 | nop |
00007FF79644172F | 48:8D4C24 60 | lea rcx,qword ptr ss: |
00007FF796441734 | FF15 F6402B00 | call qword ptr ds:[<&??1?$basic_iostream@_WU?$ch |
00007FF79644173A | 48:8D4D D8 | lea rcx,qword ptr ss: |
00007FF79644173E | FF15 4C412B00 | call qword ptr ds:[<&??1?$basic_ios@_WU?$char_tr |
00007FF796441744 | 90 | nop |
00007FF796441745 | 48:8B55 58 | mov rdx,qword ptr ss: |
00007FF796441749 | 48:83FA 08 | cmp rdx,8 |
00007FF79644174D | 72 11 | jb 原版.7FF796441760 |
00007FF79644174F | 48:8D1455 02000000 | lea rdx,qword ptr ds: |
00007FF796441757 | 48:8B4D 40 | mov rcx,qword ptr ss: |
00007FF79644175B | E8 4032FEFF | call 原版.7FF7964249A0 |
00007FF796441760 | 4C:8975 50 | mov qword ptr ss:,r14 |
00007FF796441764 | 48:C745 58 07000000 | mov qword ptr ss:,7 |
00007FF79644176C | 6644:8975 40 | mov word ptr ss:,r14w |
00007FF796441771 | 48:8BC3 | mov rax,rbx |
00007FF796441774 | 48:8B4D 60 | mov rcx,qword ptr ss: |
00007FF796441778 | 48:33CC | xor rcx,rsp |
00007FF79644177B | E8 D0021000 | call 原版.7FF796541A50 |
00007FF796441780 | 4C:8D9C24 70010000 | lea r11,qword ptr ss: |
00007FF796441788 | 49:8B5B 30 | mov rbx,qword ptr ds: |
00007FF79644178C | 49:8B73 38 | mov rsi,qword ptr ds: |
00007FF796441790 | 49:8BE3 | mov rsp,r11 |
00007FF796441793 | 41:5E | pop r14 |
00007FF796441795 | 5F | pop rdi |
00007FF796441796 | 5D | pop rbp |
00007FF796441797 | C3 | ret |
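The modification is finally done; this is how it looks. Putting on all this mosaic wore me out.
If you want to make a knock-off registered version, modify the file above.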
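无闻无问 posted on 2021-1-4 16:27
How does it compare with everything, which one is better? I'm currently using everything.
@无闻无问
I despise you, leaking the keyword.
The focus is different: one is for file names, the other is for searching contents.
Collectively they are known as the four great file-search tools.
冥界3大法王 posted on 2021-1-4 19:51
@无闻无问
I despise you, leaking the keyword.
The focus is different: one is for file names, the other is for searching contents.
The OP is not guilty... if you don't leak, how can others step on your shoulders to climb up...
Here to learn.
Learning, learning!
This post was last edited by 冥界3大法王 on 2021-1-3 12:19
偶尔平凡 posted on 2021-1-3 12:06
Is there a finished product?
This is a criminal act.
The forum doesn't let freeloaders survive.
Learning, taking a look.
Learning. A bit difficult, I'll learn slowly.
Learning, a bit difficult, I'll learn slowly.
I'm just looking.
Learning. A bit difficult. Thanks.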