水印大作战
本帖最后由 冥界3大法王 于 2022-12-12 15:03 编辑如图所示:已知:某款Delphi控件;随便编译一个EXE;输出就会
症状1:全屏都是大水印;
症状2:偶尔弹框Thank you for evaluating the
求证:去掉限制;找到对应的控件相关文件一次给多个版本的所有文件打补丁。
https://static.52pojie.cn/static/image/hrline/2.gif
再到这个EXE文件中用winhex修改1个字节,看是否被调用了?是的。变了吧?
接下来就可调试了。
第1 处的位置没难度,直接爆破JMP跳过就可以了。
注意看红线,默认本次是跳过的,但是有时则不会,所以安全起见jmp伺候
https://static.52pojie.cn/static/image/hrline/2.gif
接下来水印限制就是考你基本功和经验值的问题了。
通常定位到该字符串下个硬件访问断点
注意看成功断下了,但是已经晚了八春了。
为啥会这样呢?
[*]因为产生此水印的文件有好多个(*.bpl ; *.dcu ; *.obj),会产生干扰因素
[*]时机晚了!为啥呢? 因为是动态渲染出来的
https://static.52pojie.cn/static/image/hrline/2.gif
所以正确的解法是:
看到了吧? 水印就是这么来的。
Ctrl+A, Ctrl-
图中的代码很很长很长,只粘最有意义的部分:
007CE66B | E8 F0BCE3FF | call project6.60A360 |
007CE670 | 85C0 | test eax,eax |
007CE672 | EB 5B | jmp project6.7CE6CF | 还得JMP
007CE674 | 8B45 0C | mov eax,dword ptr ss: |
007CE677 | 8B55 EC | mov edx,dword ptr ss: |
007CE67A | 48 | dec eax |
007CE67B | 85D2 | test edx,edx |
007CE67D | 74 05 | je project6.7CE684 |
007CE67F | 3B42 FC | cmp eax,dword ptr ds: |
007CE682 | 72 05 | jb project6.7CE689 |
007CE684 | E8 2799C3FF | call <project6.sub_407FB0> |
007CE689 | 40 | inc eax |
007CE68A | 8D4442 FE | lea eax,dword ptr ds:[edx+eax*2 |
007CE68E | 8945 E8 | mov dword ptr ss:,eax |
007CE691 | 8B45 14 | mov eax,dword ptr ss: |
007CE694 | 8B50 54 | mov edx,dword ptr ds: |
007CE697 | 8B52 04 | mov edx,dword ptr ds: |
007CE69A | 52 | push edx |
007CE69B | 8B55 E4 | mov edx,dword ptr ss: |
007CE69E | 8B92 F0000000 | mov edx,dword ptr ds: |
007CE6A4 | 8B52 04 | mov edx,dword ptr ds: |
007CE6A7 | 52 | push edx |
007CE6A8 | 8D55 F0 | lea edx,dword ptr ss: |
007CE6AB | 52 | push edx |
007CE6AC | 8B40 50 | mov eax,dword ptr ds: |
007CE6AF | 8B40 04 | mov eax,dword ptr ds: |
007CE6B2 | 50 | push eax |
007CE6B3 | 8B45 08 | mov eax,dword ptr ss: |
007CE6B6 | 50 | push eax |
007CE6B7 | 8B45 E8 | mov eax,dword ptr ss: |
007CE6BA | 50 | push eax |
007CE6BB | 8B45 E4 | mov eax,dword ptr ss: |
007CE6BE | 8B80 E8000000 | mov eax,dword ptr ds: |
007CE6C4 | 8B40 04 | mov eax,dword ptr ds: |
007CE6C7 | 50 | push eax |
007CE6C8 | E8 3B87FDFF | call <JMP.&GdipDrawString> |
007CE6CD | EB 07 | jmp project6.7CE6D6 |
007CE6CF | 55 | push ebp |
007CE6D0 | 90 | nop | 从段首出来
007CE6D1 | 90 | nop |
007CE6D2 | 90 | nop |
007CE6D3 | 90 | nop |
007CE6D4 | 90 | nop |
007CE6D5 | 59 | pop ecx |
007CE6D6 | 8B45 14 | mov eax,dword ptr ss: |
007CE6D9 | F640 24 04 | test byte ptr ds:,4 |
007CE6DD | 0F84 EB000000 | je project6.7CE7CE |
007CE6E3 | 33D2 | xor edx,edx |
007CE6E5 | 8B45 E4 | mov eax,dword ptr ss: |
007CE6E8 | 8B08 | mov ecx,dword ptr ds: |
007CE6EA | FF51 74 | call dword ptr ds: |
007CE6ED | 8B45 E0 | mov eax,dword ptr ss: |
007CE6F0 | FF30 | push dword ptr ds: |
007CE6F2 | 8B45 14 | mov eax,dword ptr ss: |
007CE6F5 | D940 14 | fld st(0),dword ptr ds: |
007CE6F8 | D9E1 | fabs |
007CE6FA | D835 F4E77C00 | fdiv st(0),dword ptr ds:[7CE7F4 |
007CE700 | 83C4 F4 | add esp,FFFFFFF4 |
007CE703 | DB3C24 | fstp tword ptr ss:,st(0) |
007CE706 | 9B | fwait |
007CE707 | E8 C4A8C7FF | call <project6.sub_448FD0> |
007CE70C | 8945 D4 | mov dword ptr ss:,eax |
007CE70F | DB45 D4 | fild st(0),dword ptr ss:[ebp-2C |
007CE712 | 8B45 14 | mov eax,dword ptr ss: |
007CE715 | D840 14 | fadd st(0),dword ptr ds:[eax+14 |
007CE718 | 83C4 F4 | add esp,FFFFFFF4 |
007CE71B | DB3C24 | fstp tword ptr ss:,st(0) |
007CE71E | 9B | fwait |
007CE71F | 8B45 14 | mov eax,dword ptr ss: |
007CE722 | D940 14 | fld st(0),dword ptr ds: |
007CE725 | D9E1 | fabs |
007CE727 | D835 F8E77C00 | fdiv st(0),dword ptr ds:[<sub_7 |
007CE72D | E8 2293C3FF | call <project6.sub_407A54> |
007CE732 | 8945 D8 | mov dword ptr ss:,eax |
007CE735 | 8955 DC | mov dword ptr ss:,edx |
007CE738 | DF6D D8 | fild st(0),qword ptr ss:[ebp-28 |
007CE73B | D835 FCE77C00 | fdiv st(0),dword ptr ds:[7CE7FC |
007CE741 | 8B45 14 | mov eax,dword ptr ss: |
007CE744 | D940 48 | fld st(0),dword ptr ds: |
007CE747 | D835 FCE77C00 | fdiv st(0),dword ptr ds:[7CE7FC |
007CE74D | 8B45 14 | mov eax,dword ptr ss: |
007CE750 | D840 44 | fadd st(0),dword ptr ds:[eax+44 |
007CE753 | DEE1 | fsubrp st(1),st(0) |
007CE755 | 83C4 F4 | add esp,FFFFFFF4 |
007CE758 | DB3C24 | fstp tword ptr ss:,st(0) |
007CE75B | 9B | fwait |
007CE75C | E8 BFA9C7FF | call <project6.sub_449120> |
007CE761 | D845 F4 | fadd st(0),dword ptr ss: |
007CE764 | D95D D4 | fstp dword ptr ss:,st(0 |
007CE767 | 9B | fwait |
007CE768 | FF75 D4 | push dword ptr ss: |
007CE76B | 8B45 E4 | mov eax,dword ptr ss: |
007CE76E | E8 0D0E0000 | call <project6.sub_7CF580> |
007CE773 | 83C4 FC | add esp,FFFFFFFC |
007CE776 | D91C24 | fstp dword ptr ss:,st(0) |
007CE779 | 9B | fwait |
007CE77A | 8B45 E0 | mov eax,dword ptr ss: |
007CE77D | E8 5625E4FF | call <project6.sub_610CD8> |
007CE782 | 83C4 FC | add esp,FFFFFFFC |
007CE785 | D91C24 | fstp dword ptr ss:,st(0) |
007CE788 | 9B | fwait |
007CE789 | 8B45 14 | mov eax,dword ptr ss: |
007CE78C | D940 14 | fld st(0),dword ptr ds: |
007CE78F | D9E1 | fabs |
007CE791 | D835 F8E77C00 | fdiv st(0),dword ptr ds:[<sub_7 |
007CE797 | 83C4 F4 | add esp,FFFFFFF4 |
007CE79A | DB3C24 | fstp tword ptr ss:,st(0) |
007CE79D | 9B | fwait |
007CE79E | E8 2DA8C7FF | call <project6.sub_448FD0> |
007CE7A3 | 8945 D4 | mov dword ptr ss:,eax |
007CE7A6 | DB45 D4 | fild st(0),dword ptr ss:[ebp-2C |
007CE7A9 | D95D D0 | fstp dword ptr ss:,st(0 |
007CE7AC | 9B | fwait |
007CE7AD | FF75 D0 | push dword ptr ss: |
007CE7B0 | 8B45 14 | mov eax,dword ptr ss: |
007CE7B3 | 8B50 54 | mov edx,dword ptr ds: |
007CE7B6 | 8B45 E4 | mov eax,dword ptr ss: |
007CE7B9 | 8B80 E8000000 | mov eax,dword ptr ds: |
007CE7BF | E8 30D8FEFF | call project6.7BBFF4 |
007CE7C4 | B2 01 | mov dl,1 |
007CE7C6 | 8B45 E4 | mov eax,dword ptr ss: |
007CE7C9 | 8B08 | mov ecx,dword ptr ds: |
007CE7CB | FF51 74 | call dword ptr ds: |
007CE7CE | 80FB 01 | cmp bl,1 |
007CE7D1 | 75 10 | jne project6.7CE7E3 |
007CE7D3 | 8B45 E4 | mov eax,dword ptr ss: |
007CE7D6 | 8B80 F0000000 | mov eax,dword ptr ds: |
007CE7DC | 33D2 | xor edx,edx |
007CE7DE | E8 2D8AFEFF | call <project6.sub_7B7210> |
007CE7E3 | 5F | pop edi |
007CE7E4 | 5E | pop esi |
007CE7E5 | 5B | pop ebx |
007CE7E6 | 8BE5 | mov esp,ebp |
007CE7E8 | 5D | pop ebp |
007CE7E9 | C2 1000 | ret 10 |
为啥产生了水印呢? 因为下面的两个call
第1次:007CE6C8 | E8 3B87FDFF | call <JMP.&GdipDrawString> 这个之后进入我们刚才上面分析的的那个代码不远处
第2次 GdipSetStringFormatT
所以明白了原因 问题就简单了。
007CE672 | 75 5B | jne project6.7CE6CF 如果不实现那么下面的jmp就会自己跳过
但当你这么做之后,发现修改之后程序还会再执行到,所以下面的那个call直接NOP掉
下面还有一个007CE7D1 | 75 10 | jne project6.7CE7E3
程序自己会自己跳过GdipSetStringFormatT所以就没必要修改了。
然后再F8向下
发现
007CE672 | 75 5B | jne project6.7CE6CF | 这句又回来了。。。所以呢,此处还得JMP掉
007CE674 | 8B45 0C | mov eax,dword ptr ss: |
007CE677 | 8B55 EC | mov edx,dword ptr ss: | :L"Trial version, please register"
这样就不会有水印产生了。
https://static.52pojie.cn/static/image/hrline/2.gif接着TC搜索下字符串所在的插件目录;就会得到一大波相关的文件;然后用WinHEX把可疑的若干文件修改掉
https://static.52pojie.cn/static/image/hrline/2.gif
批量打补丁与命令行一劳永逸制作:可以参考
:::Change display text
sfk replace -binary "/4500760061006C0075006100740069006F006E002000760065007200730069006F006E002E00200057006F0072006B00730020006F006E006C007900200069006E002000490044004500/43007200610063006B00650064002000760065007200730069006F006E002E002000200068007400740070003A002F002F00350031007800690061007A00610069002E0063006F006D00/" -dir "%cd%" -yes -file *.dcu
:::Disable RED message on splash screen
sfk replace -binary "/536A016840/536A006840/" -dir "%cd%" -yes -file Splash.dcu
:::Delete wateremark
:sfk replace -binary "/FFFFFFFF3E000000450068004C00690062002000/FFFFFFFF00000000450068004C00690062002000/" -dir "%cd%" -yes -file Gh.dcu
:sfk replace -binary "/FFFFFFFF3E00000045684C696220/FFFFFFFF0000000045684C696220/" -dir "%cd%" -yes -file Gh.dcu
:sfk replace -binary "/FFFFFFFF3F000000450068004C00690062002000/FFFFFFFF00000000450068004C00690062002000/" -dir "%cd%" -yes -file Gh.dcu
:sfk replace -binary "/FFFFFFFF3F00000045684C696220/FFFFFFFF0000000045684C696220/" -dir "%cd%" -yes -file Gh.dcu
sfk replace -binary "/3F00000045/0000000045/" -dir "%cd%" -yes -file Gh.dcu
danshiyuan 发表于 2022-12-14 12:39
这个有专门的软件来去除,度娘搜搜
我之前搜过,都是去除短视频的,麻烦你给推荐下软件名字呗,给你开悬赏 msz920403 发表于 2022-12-12 14:36
下载的视频教程,被添加过水印的,怎么去除啊
这个有专门的软件来去除,度娘搜搜 感谢楼主分享啊 dongjing520 发表于 2022-12-12 14:35
感谢楼主分享啊
下载的视频教程,被添加过水印的,怎么去除啊
谢谢楼主分享,分析得很细 谢谢分享! 技术贴,感谢分享{:1_893:} 感谢分享辛苦了 学习了,谢谢传授 多谢分享,学习了