Master PDF Editor 5.7.40 64-bit program analysis and crack
【Article title】: Master PDF Editor 5.7.40 64-bit program analysis and crack
【Author】: speedboy
【Software name】: Master PDF Editor
【Download link】: https://code-industry.net/public/MasterPDFEditor-setup.exe
【Packer】: None
【Language】: Microsoft Visual C++
【Tools used】: x64dbg
【Platform】: Win7
【Software description】: A powerful multi-purpose PDF editor: easily view, create, modify, annotate, sign, scan, OCR and print PDF documents. Advanced annotation tools let you add sticky notes, pointer objects, highlighting, underlining and strikeout without changing the source PDF file.
【Author's note】: For study and exchange only.
--------------------------------------------------------------------------------
【Detailed process】
1. Load the program in x64dbg and run it, search for "NOT REGISTERED", and trace upward to the start of the code block.
000000013FA984F0 | 48:895424 10 | mov qword ptr ss:,rdx | rdx:EntryPoint
000000013FA984F5 | 57 | push rdi |
000000013FA984F6 | 48:83EC 30 | sub rsp,30 |
000000013FA984FA | 48:C74424 28 FEFFFFFF | mov qword ptr ss:,FFFFFFFFFFFFFFFE |
000000013FA98503 | 48:895C24 40 | mov qword ptr ss:,rbx |
000000013FA98508 | 48:8BFA | mov rdi,rdx | rdx:EntryPoint
000000013FA9850B | 48:8BD9 | mov rbx,rcx |
000000013FA9850E | C74424 20 00000000 | mov dword ptr ss:,0 |
000000013FA98516 | 48:8D15 A3AABD00 | lea rdx,qword ptr ds: | rdx:EntryPoint, 0000000140672FC0:"ru_ru"==L"畲牟u"
000000013FA9851D | 48:8BCF | mov rcx,rdi |
000000013FA98520 | FF15 4AF9BC00 | call qword ptr ds:[<&??8QString@@QEBA_NPEBD@Z>] |
000000013FA98526 | 84C0 | test al,al |
000000013FA98528 | 74 16 | je masterpdfeditor.13FA98540 |
000000013FA9852A | 41:83C8 FF | or r8d,FFFFFFFF |
000000013FA9852E | 48:8D15 9307C100 | lea rdx,qword ptr ds: | rdx:EntryPoint
000000013FA98535 | 48:8BCB | mov rcx,rbx |
000000013FA98538 | FF15 4AF9BC00 | call qword ptr ds:[<&?fromUtf8@QString@@SA?AV1@PEBDH@Z>] |
000000013FA9853E | EB 15 | jmp masterpdfeditor.13FA98555 |
000000013FA98540 | BA 11000000 | mov edx,11 |
000000013FA98545 | 48:8D0D BC07C100 | lea rcx,qword ptr ds: | 00000001406A8D08:" (NOT REGISTERED)"
000000013FA9854C | FF15 06F9BC00 | call qword ptr ds:[<&?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z>] |
000000013FA98552 | 48:8903 | mov qword ptr ds:,rax |
000000013FA98555 | 48:8BCF | mov rcx,rdi |
000000013FA98558 | FF15 7AF9BC00 | call qword ptr ds:[<&??1QString@@QEAA@XZ>] |
000000013FA9855E | 48:8BC3 | mov rax,rbx |
000000013FA98561 | 48:8B5C24 40 | mov rbx,qword ptr ss: |
000000013FA98566 | 48:83C4 30 | add rsp,30 |
000000013FA9856A | 5F | pop rdi |
000000013FA9856B | C3 | ret
2. At the start address of the block, "Right-click — Find references — Selected address" gives the calling functions (the function that calls the "not registered" routine); analyze them one by one.
3. Pick the first calling function and analyze it.
000000013F9250F0 | 48:894C24 08 | mov qword ptr ss:,rcx |
000000013F9250F5 | 55 | push rbp |
………………
………………
………………
000000013F9253E4 | 49:8BCE | mov rcx,r14 |
000000013F9253E7 | E8 D4730000 | call masterpdfeditor.13F92C7C0 | 》Key call: make it return al=1
000000013F9253EC | 41:8846 49 | mov byte ptr ds:,al |
………………
………………
………………
000000013F925B58 | 41:385E 49 | cmp byte ptr ds:,bl | 》This is the key comparison
000000013F925B5C | 75 42 | jne masterpdfeditor.13F925BA0 | 》If this jump is taken, the call to the "not registered" handler is skipped
000000013F925B5E | 41:389E 2E010000 | cmp byte ptr ds:,bl |
000000013F925B65 | 75 39 | jne masterpdfeditor.13F925BA0 |
000000013F925B67 | 49:8D96 28030000 | lea rdx,qword ptr ds: | rdx:EntryPoint
000000013F925B6E | 48:8D4D 58 | lea rcx,qword ptr ss: |
000000013F925B72 | FF15 6823D400 | call qword ptr ds:[<&??0QBitArray@@QEAA@AEBV0@@Z>] |
000000013F925B78 | 48:8BD0 | mov rdx,rax | rdx:EntryPoint
000000013F925B7B | 48:8D4D F0 | lea rcx,qword ptr ss: |
000000013F925B7F | E8 6C291700 | call masterpdfeditor.13FA984F0 | 》Calls the "not registered" handler
000000013F925B84 | 90 | nop |
000000013F925B85 | 48:8BD0 | mov rdx,rax | rdx:EntryPoint
000000013F925B88 | 49:8D8E 20030000 | lea rcx,qword ptr ds: |
000000013F925B8F | FF15 0323D400 | call qword ptr ds:[<&?append@QString@@QEAAAEAV1@AEBV1@@Z>] |
000000013F925B95 | 90 | nop |
000000013F925B96 | 48:8D4D F0 | lea rcx,qword ptr ss: |
000000013F925B9A | FF15 3823D400 | call qword ptr ds:[<&??1QString@@QEAA@XZ>] |
000000013F925BA0 | 49:8D96 20030000 | lea rdx,qword ptr ds: | rdx:EntryPoint
4. Analysis shows that "cmp byte ptr ds:,bl" is the key comparison (when unregistered, runtime analysis shows bl=0 and ds:=0; if ds:=1, the jump on the next line is taken and the call to the "not registered" handler is skipped). Right-click on this instruction — Find references — Constant.
000000013FF92A20 mov dword ptr ds:,49
000000013FFD53EC mov byte ptr ds:,al
000000013FFD5569 movzx r8d,byte ptr ds:
000000013FFD5AC3 movzx edx,byte ptr ds:
000000013FFD5B58 cmp byte ptr ds:,bl
000000013FFDEF42 movzx r8d,byte ptr ds:
000000013FFDF97F cmp byte ptr ds:,r15b
5. Double-click "000000013FFD53EC mov byte ptr ds:,al" to go to the disassembly view.
000000013F9253E4 | 49:8BCE | mov rcx,r14 |
000000013F9253E7 | E8 D4730000 | call masterpdfeditor.13F92C7C0 | 》Key call: make it return al=1
000000013F9253EC | 41:8846 49 | mov byte ptr ds:,al |
000000013F9253F0 | 8D4B 30 | lea ecx,qword ptr ds: |
6. Step into call masterpdfeditor.13F92C7C0 with F7; make it return al=1 so that ds: is assigned 1.
000000013F5384F0| 48:895424 10 | mov qword ptr ss:,rdx | rdx:EntryPoint
000000013F5384F5| 57 | push rdi |
000000013F5384F6| 48:83EC 30 | sub rsp,30 |
……………………
……………………
……………………
000000013FFDCADB | E9 EE000000 | jmp masterpdfeditor.13FFDCBCE |
000000013FFDCAE0 | 49:8B87 30030000 | mov rax,qword ptr ds: |
000000013FFDCAE7 | 8378 04 12 | cmp dword ptr ds:,12 |
000000013FFDCAEB | 0F8C D2000000 | jl masterpdfeditor.13FFDCBC3 | 》【1】not taken
000000013FFDCAF1 | 49:8B87 38030000 | mov rax,qword ptr ds: |
000000013FFDCAF8 | 8378 04 28 | cmp dword ptr ds:,28 | 28:'('
000000013FFDCAFC | 0F8C C1000000 | jl masterpdfeditor.13FFDCBC3 | 》【2】not taken
000000013FFDCB02 | 49:8D97 48030000 | lea rdx,qword ptr ds: | rdx:EntryPoint
000000013FFDCB09 | 48:8D4D 58 | lea rcx,qword ptr ss: |
000000013FFDCB0D | FF15 CDB3D300 | call qword ptr ds:[<&??0QBitArray@@QEAA@AEBV0@@Z>] |
000000013FFDCB13 | 48:8BD8 | mov rbx,rax |
000000013FFDCB16 | 49:8D97 30030000 | lea rdx,qword ptr ds: | rdx:EntryPoint
000000013FFDCB1D | 48:8D4D 60 | lea rcx,qword ptr ss: |
000000013FFDCB21 | FF15 B9B3D300 | call qword ptr ds:[<&??0QBitArray@@QEAA@AEBV0@@Z>] |
000000013FFDCB27 | 4C:8BC3 | mov r8,rbx |
000000013FFDCB2A | 48:8BD0 | mov rdx,rax | rdx:EntryPoint
000000013FFDCB2D | 48:8D4D 50 | lea rcx,qword ptr ss: |
000000013FFDCB31 | E8 DA250300 | call masterpdfeditor.14000F110 |
000000013FFDCB36 | 90 | nop |
000000013FFDCB37 | 41:B9 01000000 | mov r9d,1 |
000000013FFDCB3D | 45:33C0 | xor r8d,r8d |
000000013FFDCB40 | 48:8D55 50 | lea rdx,qword ptr ss: | rdx:EntryPoint
000000013FFDCB44 | 49:8D8F 38030000 | lea rcx,qword ptr ds: |
000000013FFDCB4B | FF15 0FADD300 | call qword ptr ds:[<&?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@ |
000000013FFDCB51 | 85C0 | test eax,eax |
000000013FFDCB53 | 78 04 | js masterpdfeditor.13FFDCB59 | 》【3】not taken (not taken as long as eax is non-negative)
000000013FFDCB55 | B3 01 | mov bl,1 | 》bl is set to 1 here, in preparation for passing it on in the next step
000000013FFDCB57 | EB 60 | jmp masterpdfeditor.13FFDCBB9 |
………………
………………
………………
000000013FFDCBB9 | 48:8D4D 50 | lea rcx,qword ptr ss: |
000000013FFDCBBD | FF15 15B3D300 | call qword ptr ds:[<&??1QString@@QEAA@XZ>] |
000000013FFDCBC3 | 48:8D4D C0 | lea rcx,qword ptr ss: |
000000013FFDCBC7 | FF15 FBAAD300 | call qword ptr ds:[<&?sync@QSettings@@QEAAXXZ>] |
000000013FFDCBCD | 90 | nop |
000000013FFDCBCE | 48:8D4D C0 | lea rcx,qword ptr ss: |
000000013FFDCBD2 | FF15 B8B1D300 | call qword ptr ds:[<&??1QSettings@@UEAA@XZ>] |
000000013FFDCBD8 | 0FB6C3 | movzx eax,bl | 》Registration flag: eax=bl=1
7. Patching at 【1】, 【2】 and 【3】 achieves the crack.
8. Before/after comparison
I'm a newbie, and this kind of step-by-step walkthrough is exactly what I wanted; for a beginner it's great, really great. Thanks to the poster. :victory:

djxding posted on 2021-3-19 11:54
When doing step two:
2. At the start address of the block, "Right-click — Find references — Selected address" gives the calling functions...
it's just empty ...

The start address of the block is the first line of this code, the highlighted line below!
00007FF657BA8FFD| C3 | ret |
00007FF657BA8FFE| CC | int3 |
00007FF657BA8FFF| CC | int3 |
00007FF657BA9000| 48:895424 10 | mov qword ptr ss:,rdx |
00007FF657BA9005| 57 | push rdi |
00007FF657BA9006| 48:83EC 30 | sub rsp,30 |
00007FF657BA900A| 48:C74424 28 FEFFF | mov qword ptr ss:,FFFFFFFFFFFFFFFE |
00007FF657BA9013| 48:895C24 40 | mov qword ptr ss:,rbx |
00007FF657BA9018| 48:8BFA | mov rdi,rdx |
00007FF657BA901B| 48:8BD9 | mov rbx,rcx |
00007FF657BA901E| C74424 20 00000000 | mov dword ptr ss:,0 |
00007FF657BA9026| 48:8D15 07C0BD00 | lea rdx,qword ptr ds: | 00007FF658785034:"ru_ru"==L"畲牟u"
00007FF657BA902D| 48:8BCF | mov rcx,rdi |
00007FF657BA9030| FF15 420EBD00 | call qword ptr ds:[<&??8QString@@QEBA_NPEBD@ |
00007FF657BA9036| 84C0 | test al,al |
00007FF657BA9038| 74 16 | je masterpdfeditor~.7FF657BA9050 |
00007FF657BA903A| 41:83C8 FF | or r8d,FFFFFFFF |
00007FF657BA903E| 48:8D15 131EC100 | lea rdx,qword ptr ds: |
00007FF657BA9045| 48:8BCB | mov rcx,rbx |
00007FF657BA9048| FF15 420EBD00 | call qword ptr ds:[<&?fromUtf8@QString@@SA?A |
00007FF657BA904E| EB 15 | jmp masterpdfeditor~.7FF657BA9065 |
00007FF657BA9050| BA 11000000 | mov edx,11 |
00007FF657BA9055| 48:8D0D 3C1EC100 | lea rcx,qword ptr ds: | 00007FF6587BAE98:" (NOT REGISTERED)"

Don't understand it, but bumping to help.

Can't be bothered with all this; woders PDF works fine for me.

Nice tutorial, will study it when I have time!

No idea what's going on but it looks impressive; bumping.

Learned something following the expert.

Great, learning from the expert!

Thanks for the lesson, grateful for the upload!

Just started learning Python, still can't understand this.