Membership application ID: Kylin
1. Applicant ID: Kylin
2. Personal e-mail: digicount@qq.com
3. Original technical article:
Removing the trial time limit from Navicat Premium
This crack was done on the Windows 64-bit English edition of Navicat Premium, version 12.0.23. When Navicat starts, a dialog asks whether to "Trial" or "Register". The "Trial" option is limited to 14 days; once that period expires the button is greyed out, leaving only "Register", otherwise the program exits. Because the trial version has no functional limitations, all that is needed is to remove the time limit. The first step is to patch the program so that this dialog and the associated check logic are suppressed. Load navicat.exe in WinDBG and run the program until the dialog appears, press Ctrl+Break to break in, and switch to thread 0, which is normally the GUI thread. Because the dialog is waiting for user input, the thread can be seen waiting inside win32u!NtUserWaitMessage:
Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\PremiumSoft\Navicat Premium 12\navicat2.exe"

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*D:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*D:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 00000000`00400000 00000000`0391b000   image00000000`00400000
ModLoad: 00007fff`00fb0000 00007fff`01190000   ntdll.dll
ModLoad: 00007fff`00d10000 00007fff`00dbe000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe`fe210000 00007ffe`fe476000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007fff`000f0000 00007fff`001b5000   C:\WINDOWS\System32\oleaut32.dll
ModLoad: 00007ffe`fd4b0000 00007ffe`fd54b000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe`fd3b0000 00007ffe`fd4a6000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007fff`00a00000 00007fff`00d08000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007fff`00670000 00007fff`0078f000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe`fdf60000 00007ffe`fdfd2000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007fff`008b0000 00007fff`00951000   C:\WINDOWS\System32\advapi32.dll
ModLoad: 00007fff`00960000 00007fff`009fd000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe`fe580000 00007ffe`fe5db000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007fff`00220000 00007fff`003af000   C:\WINDOWS\System32\user32.dll
ModLoad: 00007ffe`fd7a0000 00007ffe`fd7c0000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007fff`00450000 00007fff`00478000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe`fd550000 00007ffe`fd6e3000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007fff`00dc0000 00007fff`00f09000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffe`f6bb0000 00007ffe`f6bba000   C:\WINDOWS\SYSTEM32\version.dll
ModLoad: 00007ffe`e2bf0000 00007ffe`e2bf7000   C:\WINDOWS\SYSTEM32\SHFolder.dll
ModLoad: 00000000`05e60000 00000000`07296000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffe`fe5e0000 00007ffe`ffa16000   C:\WINDOWS\System32\shell32.dll
ModLoad: 00007ffe`f4500000 00007ffe`f4769000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.192_none_15c8cdae9364c23b\comctl32.dll
ModLoad: 00007fff`007a0000 00007fff`008aa000   C:\WINDOWS\System32\comdlg32.dll
ModLoad: 00007ffe`e6fe0000 00007ffe`e7314000   C:\WINDOWS\SYSTEM32\wininet.dll
ModLoad: 00007ffe`fdf10000 00007ffe`fdf5a000   C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffe`fe4d0000 00007ffe`fe576000   C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe`fd7c0000 00007ffe`fdf07000   C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007fff`00f20000 00007fff`00f71000   C:\WINDOWS\System32\SHLWAPI.dll
ModLoad: 00007ffe`fd300000 00007ffe`fd311000   C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffe`fd320000 00007ffe`fd36c000   C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffe`f7950000 00007ffe`f79d6000   C:\WINDOWS\SYSTEM32\winspool.drv
ModLoad: 00000000`072a0000 00000000`07326000   C:\WINDOWS\SYSTEM32\winspool.drv
ModLoad: 00007ffe`f6850000 00007ffe`f68be000   C:\WINDOWS\SYSTEM32\oleacc.dll
ModLoad: 00007ffe`fd370000 00007ffe`fd38b000   C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffe`fb180000 00007ffe`fb1a3000   C:\WINDOWS\SYSTEM32\winmm.dll
ModLoad: 00007ffe`f6950000 00007ffe`f6aec000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.192_none_46b3c093edf73c09\gdiplus.dll
ModLoad: 00007ffe`f8dd0000 00007ffe`f8dd9000   C:\WINDOWS\SYSTEM32\wsock32.dll
ModLoad: 00007ffe`fb620000 00007ffe`fb6b5000   C:\WINDOWS\SYSTEM32\uxtheme.dll
ModLoad: 00007fff`00080000 00007fff`000ec000   C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffe`e73a0000 00007ffe`e73b9000   C:\WINDOWS\SYSTEM32\usp10.dll
ModLoad: 00007ffe`de3b0000 00007ffe`de3d1000   C:\WINDOWS\SYSTEM32\FONTSUB.dll
ModLoad: 00000001`80000000 00000001`80136000   C:\Program Files\PremiumSoft\Navicat Premium 12\FreeImage.dll
ModLoad: 00007ffe`fc920000 00007ffe`fc959000   C:\WINDOWS\SYSTEM32\iphlpapi.dll
ModLoad: 00007ffe`fce60000 00007ffe`fce85000   C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 00000000`00180000 00000000`001b9000   C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe`fb110000 00007ffe`fb13a000   C:\WINDOWS\SYSTEM32\winmmbase.dll
ModLoad: 00000000`00180000 00000000`001aa000   C:\WINDOWS\SYSTEM32\WINMMBASE.dll
ModLoad: 00000000`56f30000 00000000`56f4b000   C:\Program Files\PremiumSoft\Navicat Premium 12\zlib1.dll
ModLoad: 00007ffe`decb0000 00007ffe`decc7000   C:\Program Files\PremiumSoft\Navicat Premium 12\VCRUNTIME140.dll
(4e3c.5238): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007fff`01082ebc cc              int     3
0:000> g
ModLoad: 00007ffe`fe480000 00007ffe`fe4ad000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007fff`00480000 00007fff`005e7000   C:\WINDOWS\System32\MSCTF.dll
ModLoad: 00007ffe`fb8e0000 00007ffe`fb90a000   C:\WINDOWS\SYSTEM32\dwmapi.dll
ModLoad: 00007ffe`f9350000 00007ffe`f9363000   C:\WINDOWS\SYSTEM32\wtsapi32.dll
ModLoad: 00007ffe`fc4b0000 00007ffe`fc505000   C:\WINDOWS\SYSTEM32\WINSTA.dll
ModLoad: 00007ffe`d2fd0000 00007ffe`d302d000   C:\Program Files\PremiumSoft\Navicat Premium 12\libcurl.dll
ModLoad: 00007ffe`ffa30000 00007ffe`ffa8e000   C:\WINDOWS\System32\WLDAP32.dll
ModLoad: 00007ffe`ffa20000 00007ffe`ffa28000   C:\WINDOWS\System32\Normaliz.dll
ModLoad: 00007ffe`d2f70000 00007ffe`d2fcc000   C:\Program Files\PremiumSoft\Navicat Premium 12\SSLEAY32.dll
ModLoad: 00007ffe`bb9a0000 00007ffe`bbba8000   C:\Program Files\PremiumSoft\Navicat Premium 12\LIBEAY32.dll
ModLoad: 00000000`09310000 00000000`09518000   C:\Program Files\PremiumSoft\Navicat Premium 12\LIBEAY32.dll
ModLoad: 00007ffe`dd590000 00007ffe`dd59c000   C:\WINDOWS\SYSTEM32\secur32.dll
ModLoad: 00007ffe`fd200000 00007ffe`fd230000   C:\WINDOWS\SYSTEM32\SSPICLI.DLL
ModLoad: 00007ffe`fcb90000 00007ffe`fcbf6000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 00007ffe`ad7b0000 00007ffe`b04d9000   C:\Program Files\PremiumSoft\Navicat Premium 12\libcc.dll
ModLoad: 00007fff`00790000 00007fff`00798000   C:\WINDOWS\System32\PSAPI.DLL
ModLoad: 00007ffe`ec9c0000 00007ffe`ecb88000   C:\WINDOWS\SYSTEM32\dbghelp.dll
ModLoad: 00007ffe`d2ef0000 00007ffe`d2f66000   C:\Program Files\PremiumSoft\Navicat Premium 12\libssh.dll
ModLoad: 00007ffe`b9e80000 00007ffe`ba027000   C:\Program Files\PremiumSoft\Navicat Premium 12\libnsy.dll
ModLoad: 00000000`09310000 00000000`09c4c000   C:\Program Files\PremiumSoft\Navicat Premium 12\libxl.dll
ModLoad: 00007ffe`b9d30000 00007ffe`b9e7b000   C:\Program Files\PremiumSoft\Navicat Premium 12\libxml2.dll
ModLoad: 00000000`09310000 00000000`0939a000   C:\Program Files\PremiumSoft\Navicat Premium 12\libetpan.dll
ModLoad: 00007ffe`b9920000 00007ffe`b9d22000   C:\Program Files\PremiumSoft\Navicat Premium 12\libmariadb.dll
ModLoad: 00000000`08a40000 00000000`08a8a000   C:\Program Files\PremiumSoft\Navicat Premium 12\LIBPQ.dll
ModLoad: 00007ffe`e53c0000 00007ffe`e53d1000   C:\WINDOWS\SYSTEM32\credui.dll
ModLoad: 00007ffe`d07c0000 00007ffe`d085d000   C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCP140.dll
ModLoad: 00000000`66000000 00000000`66179000   C:\Program Files\PremiumSoft\Navicat Premium 12\libiconv-2.dll
ModLoad: 00000000`09310000 00000000`09c4c000   C:\Program Files\PremiumSoft\Navicat Premium 12\libxl.dll
ModLoad: 00000000`08a40000 00000000`08a8a000   C:\Program Files\PremiumSoft\Navicat Premium 12\LIBPQ.dll
ModLoad: 00000000`09c50000 00000000`09cda000   C:\Program Files\PremiumSoft\Navicat Premium 12\libetpan.dll
ModLoad: 00007ffe`d11b0000 00007ffe`d11f6000   C:\Program Files\PremiumSoft\Navicat Premium 12\libsasl2.dll
ModLoad: 00000000`56eb0000 00000000`56f29000   C:\Program Files\PremiumSoft\Navicat Premium 12\gssapi64.dll
ModLoad: 00000000`56d40000 00000000`56ea9000   C:\Program Files\PremiumSoft\Navicat Premium 12\krb5_64.dll
ModLoad: 00000000`56d30000 00000000`56d39000   C:\Program Files\PremiumSoft\Navicat Premium 12\comerr64.dll
ModLoad: 00000000`56d10000 00000000`56d23000   C:\Program Files\PremiumSoft\Navicat Premium 12\k5sprt64.dll
ModLoad: 00000000`56c30000 00000000`56d02000   C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR100.dll
ModLoad: 00000000`09ce0000 00000000`09db2000   C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR100.dll
ModLoad: 00000000`09dc0000 00000000`09e92000   C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR100.dll
ModLoad: 00007ffe`f1a20000 00007ffe`f1a2f000   C:\Program Files\PremiumSoft\Navicat Premium 12\WSHELP64.dll
ModLoad: 00007ffe`fc960000 00007ffe`fca16000   C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007fff`00f10000 00007fff`00f18000   C:\WINDOWS\System32\NSI.dll
ModLoad: 00007ffe`fcd50000 00007ffe`fcd67000   C:\WINDOWS\SYSTEM32\CRYPTSP.dll
ModLoad: 00007ffe`fc7a0000 00007ffe`fc7d3000   C:\WINDOWS\system32\rsaenh.dll
ModLoad: 00007ffe`fcd70000 00007ffe`fcd7b000   C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
ModLoad: 00007ffe`b9750000 00007ffe`b9914000   C:\Program Files\PremiumSoft\Navicat Premium 12\libee.dll
ModLoad: 00007ffe`f6af0000 00007ffe`f6af7000   C:\WINDOWS\SYSTEM32\Msimg32.DLL
ModLoad: 00007ffe`f8db0000 00007ffe`f8dc6000   C:\WINDOWS\system32\napinsp.dll
ModLoad: 00007ffe`f8d90000 00007ffe`f8daa000   C:\WINDOWS\system32\pnrpnsp.dll
ModLoad: 00007ffe`fae70000 00007ffe`fae88000   C:\WINDOWS\system32\NLAapi.dll
ModLoad: 00007ffe`f8d80000 00007ffe`f8d8e000   C:\WINDOWS\System32\winrnr.dll
ModLoad: 00007ffe`e94c0000 00007ffe`e94d5000   C:\WINDOWS\System32\wshbth.dll
ModLoad: 00000000`594d0000 00000000`594f6000   C:\Program Files\Bonjour\mdnsNSP.dll
ModLoad: 00007ffe`f3550000 00007ffe`f355a000   C:\Windows\System32\rasadhlp.dll
ModLoad: 00007ffe`b9650000 00007ffe`b974f000   C:\Program Files\PremiumSoft\Navicat Premium 12\sqlite3.dll
ModLoad: 00007ffe`d0760000 00007ffe`d07ba000   C:\Program Files\PremiumSoft\Navicat Premium 12\sqlite.dll
ModLoad: 00007ffe`d05e0000 00007ffe`d0695000   C:\WINDOWS\SYSTEM32\odbc32.dll
ModLoad: 00007ffe`fe040000 00007ffe`fe20e000   C:\WINDOWS\System32\CRYPT32.dll
ModLoad: 00007ffe`fd390000 00007ffe`fd3a2000   C:\WINDOWS\System32\MSASN1.dll
ModLoad: 00007ffe`fc7e0000 00007ffe`fc7ea000   C:\WINDOWS\SYSTEM32\DPAPI.DLL
ModLoad: 00007ffe`b8cd0000 00007ffe`b9104000   C:\Program Files\PremiumSoft\Navicat Premium 12\libdd.dll
ModLoad: 00000000`6d4c0000 00000000`6d4e2000   C:\Program Files\PremiumSoft\Navicat Premium 12\libpangocairo-1.0-0.dll
ModLoad: 00000000`68dc0000 00000000`68ed8000   C:\Program Files\PremiumSoft\Navicat Premium 12\libcairo-2.dll
ModLoad: 00000000`63a40000 00000000`63a98000   C:\Program Files\PremiumSoft\Navicat Premium 12\libgobject-2.0-0.dll
ModLoad: 00000000`65580000 00000000`655e0000   C:\Program Files\PremiumSoft\Navicat Premium 12\libpango-1.0-0.dll
ModLoad: 00007ffe`d0fd0000 00007ffe`d101b000   C:\Program Files\PremiumSoft\Navicat Premium 12\DParser.dll
ModLoad: 00000000`61a00000 00000000`61a44000   C:\Program Files\PremiumSoft\Navicat Premium 12\libpng14-14.dll
ModLoad: 00000000`685c0000 00000000`68708000   C:\Program Files\PremiumSoft\Navicat Premium 12\libglib-2.0-0.dll
ModLoad: 00000000`6b740000 00000000`6b75e000   C:\Program Files\PremiumSoft\Navicat Premium 12\libffi-6.dll
ModLoad: 00000000`64f80000 00000000`64fce000   C:\Program Files\PremiumSoft\Navicat Premium 12\libfontconfig-1.dll
ModLoad: 00000000`6d700000 00000000`6d80b000   C:\Program Files\PremiumSoft\Navicat Premium 12\libpangoft2-1.0-0.dll
ModLoad: 00000000`6c580000 00000000`6c62f000   C:\Program Files\PremiumSoft\Navicat Premium 12\libfreetype-6.dll
ModLoad: 00000000`6b280000 00000000`6b2a5000   C:\Program Files\PremiumSoft\Navicat Premium 12\libpangowin32-1.0-0.dll
ModLoad: 00000000`6dd00000 00000000`6dd19000   C:\Program Files\PremiumSoft\Navicat Premium 12\libgmodule-2.0-0.dll
ModLoad: 00000000`61cc0000 00000000`61ce4000   C:\Program Files\PremiumSoft\Navicat Premium 12\libintl-8.dll
ModLoad: 00000000`68f40000 00000000`68f83000   C:\Program Files\PremiumSoft\Navicat Premium 12\libexpat-1.dll
ModLoad: 00007ffe`ee700000 00007ffe`ee717000   C:\WINDOWS\SYSTEM32\netapi32.dll
ModLoad: 00007ffe`fca20000 00007ffe`fca2e000   C:\WINDOWS\SYSTEM32\NETUTILS.DLL
ModLoad: 00007ffe`b7640000 00007ffe`b83c3000   C:\Program Files\PremiumSoft\Navicat Premium 12\NParser.dll
ModLoad: 00007ffe`ce4b0000 00007ffe`ce584000   C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCR110.dll
ModLoad: 00007ffe`bfeb0000 00007ffe`bff57000   C:\Program Files\PremiumSoft\Navicat Premium 12\MSVCP110.dll
ModLoad: 00007ffe`ba880000 00007ffe`ba930000   C:\Program Files\PremiumSoft\Navicat Premium 12\scilexer.dll
ModLoad: 00007ffe`cfe10000 00007ffe`cfe52000   C:\Program Files\PremiumSoft\Navicat Premium 12\updater.dll
ModLoad: 00000000`10000000 00000000`10088000   C:\Program Files\PremiumSoft\Navicat Premium 12\instantclient_10_2\oci.dll
ModLoad: 00007ffe`efc90000 00007ffe`efd28000   C:\WINDOWS\System32\TextInputFramework.dll
ModLoad: 00007ffe`f6bc0000 00007ffe`f6eae000   C:\WINDOWS\System32\CoreUIComponents.dll
ModLoad: 00007ffe`fa330000 00007ffe`fa40c000   C:\WINDOWS\System32\CoreMessaging.dll
ModLoad: 00007ffe`fc440000 00007ffe`fc471000   C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 00007ffe`f93c0000 00007ffe`f94f6000   C:\WINDOWS\SYSTEM32\wintypes.dll
ModLoad: 00000000`0d9b0000 00000000`0dae6000   C:\WINDOWS\SYSTEM32\wintypes.dll
ModLoad: 00000000`0daf0000 00000000`0dc26000   C:\WINDOWS\SYSTEM32\wintypes.dll
(4e3c.4c9c): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00007fff`01053800 cc              int     3
0:005> ~0s
*** ERROR: Module load completed but symbols could not be loaded for image00000000`00400000
win32u!NtUserWaitMessage+0x14:
00007ffe`fd7a1204 c3              ret
0:000> k
 # Child-SP          RetAddr           Call Site
00 00000000`0014fba8 00000000`0078f727 win32u!NtUserWaitMessage+0x14
01 00000000`0014fbb0 00000000`0078e198 image00000000_00400000+0x38f727
02 00000000`0014fc20 00000000`0078719d image00000000_00400000+0x38e198
03 00000000`0014fc90 00000000`0236631b image00000000_00400000+0x38719d
04 00000000`0014fd30 00000000`0240ad05 image00000000_00400000+0x1f6631b
05 00000000`0014fe70 00007fff`00d21fe4 image00000000_00400000+0x200ad05
06 00000000`0014ff60 00007fff`0101efb1 KERNEL32!BaseThreadInitThunk+0x14
07 00000000`0014ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Look at the call stack of the current thread, then analyze each of these functions in IDA one by one. Decompiled code is nowhere near as readable as source, so finding the right place to patch in one shot is naturally hard, and there is inevitably a loop of "patch, run, debug" before a suitable modification point is found. (Note that the square-bracketed memory operands and stack-offset comments are missing from the listings as reproduced here.) The final patch location:
__int64 __fastcall sub_2365C50(char a1, __int64 a2)
{
  __int64 v2; // rdx
  __int64 v3; // r8
  __int64 v4; // r8
  int v5; // eax
  __int64 v6; // r8
  __int64 v7; // r8
  __int64 v8; // r8
  int v9; // eax
  __int64 _0; //
  __int64 vars28; //
  __int64 vars30; //
  __int64 vars38; //
  __int64 vars40; //
  char *__ptr32 *vars48; //
  char vars50; //
  __int64 vars58; //
  void **vars60; //
  char vars68; //
  __int64 vars70; //
  char vars78; //
  __int64 vars80; //
  __int64 *vars88; //
  __int64 vars98; //
  __int64 varsA0; //
  __int64 varsA8; //
  __int64 varsB0; //
  __int64 varsB8; //
  __int64 varsC0; //
  __int64 varsC8; //
  __int64 varsD0; //
  __int64 varsD8; //
  __int64 varsE0; //
  __int64 varsE8; //
  __int64 varsF0; //
  __int64 varsF8; //
  __int64 vars100; //
  __int64 vars108; //
  __int64 vars110; //
  _QWORD *vars118; //

  vars40 = 0i64;
  vars58 = 0i64;
  vars80 = 0i64;
  vars110 = 0i64;
  vars108 = 0i64;
  varsF8 = 0i64;
  varsF0 = 0i64;
  varsE0 = 0i64;
  varsD8 = 0i64;
  varsC8 = 0i64;
  varsC0 = 0i64;
  varsB0 = 0i64;
  varsA8 = 0i64;
  vars98 = 0i64;
  vars88 = &_0;
  if ( a1 )
  {
    if ( a1 == 1 )
    {
      LOBYTE(a2) = 1;
      vars118 = (_QWORD *)sub_233D1D0(off_23604F0, a2, 0i64);
      sub_4110F0(&varsF0, &off_2366558);
      varsE8 = qword_2662700;
      sub_4424E0(&varsE0, varsF0, v4, off_264C1C0);
      vars60 = &off_2366758;
      vars68 = 17;
      vars70 = varsE0;
      vars78 = 17;
      sub_43B220(&vars80, &off_236670C, &vars60, 1i64);
      sub_412D00(&vars110, 3i64, vars80, L"\r\n", &off_2366788, vars28, vars30, vars38);
      sub_411070(vars118 + 243, vars110);
      sub_2366B40(vars118, 0i64);
      sub_5FC500(vars118, *(unsigned int *)(vars118 + 128i64));
      v5 = sub_233D890(vars118, 108i64);
      sub_5FC500(vars118, (unsigned int)(*(_DWORD *)(vars118 + 128i64) - v5));
      sub_5FD640(vars118, &off_23667D0);
      sub_5FD640(vars118, &off_23667F4);
      sub_5FD640(vars118, &off_2366820);
      sub_7835B0(vars118, vars118);
      (*(void (__fastcall **)(_QWORD *))(*vars118 + 592i64))(vars118);
      sub_40D530(vars118);
    }
    else if ( a1 == 2 )
    {
      LOBYTE(a2) = 1;
      vars118 = (_QWORD *)sub_233D1D0(off_23604F0, a2, 0i64);
      sub_4110F0(&varsD8, &off_2366558);
      varsD0 = qword_2662700;
      sub_4424E0(&varsC8, varsD8, v6, off_264C1C0);
      sub_412BE0(&vars110, &off_236657C, varsC8);
      if ( byte_26626F4 == 73 )
      {
        sub_4110F0(&varsC0, &off_2366558);
        varsB8 = qword_2662700;
        sub_4424E0(&varsB0, varsC0, v7, off_264C1C0);
        vars48 = &off_2366934;
        vars50 = 17;
        sub_43B220(&vars58, &off_23668A0, &vars48, 0i64);
        sub_412D00(&vars110, 6i64, &off_2366848, vars58, L"\n\n", &off_236697C, L": ", varsB0);
      }
      else if ( byte_26626F4 == 74 )
      {
        sub_4110F0(&varsA8, &off_2366558);
        varsA0 = qword_2662700;
        sub_4424E0(&vars98, varsA8, v8, off_264C1C0);
        vars48 = &off_2366934;
        vars50 = 17;
        sub_43B220(&vars40, &off_2366A08, &vars48, 0i64);
        sub_412D00(&vars110, 6i64, &off_23669BC, vars40, L"\n\n", &off_236697C, L": ", vars98);
      }
      sub_411070(vars118 + 243, vars110);
      sub_2366B40(vars118, 0i64);
      (*(void (__fastcall **)(_QWORD, _QWORD))(*(_QWORD *)vars118 + 256i64))(vars118, 0i64);
      if ( byte_26626F4 == 73 )
      {
        sub_5FC500(vars118, *(unsigned int *)(vars118 + 128i64));
        v9 = sub_233D890(vars118, 108i64);
        sub_5FC500(vars118, (unsigned int)(*(_DWORD *)(vars118 + 128i64) - v9));
        sub_5FD640(vars118, &off_23667D0);
        sub_5FD640(vars118, &off_23667F4);
        sub_5FD640(vars118, &off_2366820);
        sub_7835B0(vars118, vars118);
      }
      (*(void (__fastcall **)(_QWORD *))(*vars118 + 592i64))(vars118);
      sub_40D530(vars118);
    }
  }
  else if ( (signed int)sub_408F10() <= 0 )
  {
    LOBYTE(v2) = 1;
    vars118 = (_QWORD *)sub_233D1D0(off_23604F0, v2, 0i64);
    sub_4110F0(&vars108, &off_2366558);
    vars100 = qword_2662700;
    sub_4424E0(&varsF8, vars108, v3, off_264C1C0);
    sub_412BE0(&vars110, &off_236657C, varsF8);
    sub_411070(vars118 + 243, vars110);
    sub_2366B40(vars118, 0i64);
    sub_7835B0(vars118, vars118);
    (*(void (__fastcall **)(_QWORD *))(*vars118 + 592i64))(vars118);
    sub_40D530(vars118);
  }
  sub_410A20(&vars40);
  sub_410A20(&vars58);
  sub_410A20(&vars80);
  sub_410A20(&vars98);
  sub_410B00(&varsA8, 2i64);
  sub_410B00(&varsC0, 2i64);
  sub_410B00(&varsD8, 2i64);
  sub_410B00(&varsF0, 2i64);
  return sub_410B00(&vars108, 2i64);
}

Through analysis and patching attempts it can be established that every branch of the if statement in this function pops up a dialog; only the text differs. If the function is made to return right at its entry, the application no longer initializes properly. So what has to be done is to skip the if statement and go straight to the final few sub_ calls.
.text:0000000002365CFE                 cmp     , 0
.text:0000000002365D05                 jnz     loc_2365DFA
.text:0000000002365D0B                 call    sub_408F10
.text:0000000002365D10                 test    eax, eax
.text:0000000002365D12                 jg      loc_2366328

Looking at the assembly, I decided to turn the call instruction at 2365D0B into an unconditional jump to 2366328. (This only affects the a1 == 0 path; the jnz at 2365D05 already bypasses the call when a1 is non-zero.)
.text:0000000002366328 loc_2366328:                            ; CODE XREF: sub_2365C50+C2↑j
.text:0000000002366328                                         ; sub_2365C50+1A5↑j ...
.text:0000000002366328                 nop
.text:0000000002366329                 lea     rcx, 
.text:000000000236632D                 call    sub_410A20

That is, change the hex bytes E8 00 32 0A FE at 2365D0B to E9 18 06 00 00, using WinHex. Keep in mind that these are the virtual addresses IDA shows; in WinHex you need the matching file offset inside .text, not the virtual address itself. With the trial-period dialog suppressed there is still an "Activate" dialog, and since we cannot activate the program, that dialog and its logic have to be suppressed too. Following the same approach, first use WinDBG to get the call stack, then analyze the pseudocode. The final patch location:
__int64 __fastcall sub_23654B0(__int64 a1, _BYTE *a2, _DWORD *a3, _QWORD *a4, char *a5, unsigned int *a6, int *a7)
{
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rdx
  __int64 v11; // rbx
  __int64 v12; // rax
  __int64 v13; // rax
  int v14; // eax
  unsigned __int8 v15; // cl
  bool v16; // al
  bool v17; // al
  int v18; // edx
  __int64 v19; // rax
  bool v20; // al
  int v21; // eax
  bool v22; // al
  __int64 _0; //
  char vars20; //
  bool vars28; //
  __int64 vars30; //
  __int64 vars38; //
  __int64 vars40; //
  __int64 *vars48; //
  __int64 vars58; //
  __int64 vars60; //
  bool vars6B; //
  int vars6C; //
  unsigned int vars70; //
  unsigned int vars74; //
  char *vars78; //
  unsigned int vars84; //
  char *vars88; //
  bool vars97; //
  _QWORD *vars98; //
  unsigned __int8 varsA7; //
  char varsA8; //
  char varsAB; //
  char varsAC; //
  char varsAD; //
  unsigned __int8 varsAE; //
  unsigned __int8 varsAF; //
  __int64 varsB0; //
  __int64 varsB8; //
  _BYTE *varsC0; //
  __int64 varsC8; //
  __int64 varsD0; //
  __int64 varsD8; //
  __int64 v55; //
  _BYTE *v56; //
  _DWORD *v57; //
  _QWORD *v58; //

  vars30 = 0i64;
  vars38 = 0i64;
  vars40 = 0i64;
  varsC0 = 0i64;
  varsB8 = 0i64;
  varsB0 = 0i64;
  vars60 = 0i64;
  vars58 = 0i64;
  vars48 = &_0;
  v55 = a1;
  v56 = a2;
  v57 = a3;
  v58 = a4;
  sub_410BD0(a1);
  *v56 = 71;
  *v57 = 0;
  *v58 = 0i64;
  *a6 = 0;
  *a7 = 0;
  vars88 = off_263FD18;
  vars84 = 0;
  if ( off_263FD18 )
    vars84 = *((_DWORD *)vars88 - 1);
  v7 = sub_411D00(off_263FD18);
  sub_2364650(&varsB8, v7, vars84);
  vars78 = off_263FD20;
  vars74 = 0;
  if ( off_263FD20 )
    vars74 = *((_DWORD *)vars78 - 1);
  v8 = sub_411D00(off_263FD20);
  sub_2364650(&varsB0, v8, vars74);
  vars70 = 0;
  if ( v55 )
    vars70 = *(_DWORD *)(v55 - 4);
  v9 = sub_411D00(v55);
  sub_23648D0(&varsC0, v9, vars70);
  vars6C = 0;
  if ( varsC0 )
    vars6C = *((_DWORD *)varsC0 - 1);
  if ( vars6C == 10 )
    vars6B = *varsC0 == 104;
  else
    vars6B = 0;
  if ( vars6B && varsC0 == 42 )
  {
    LOBYTE(v10) = 1;
    varsC8 = sub_9146A0(off_235D410, v10, 0i64);
    v11 = sub_411390(&varsB8);
    v12 = sub_411390(&varsB0);
    (*(void (__fastcall **)(__int64, __int64, signed __int64, __int64))(*(_QWORD *)varsC8 + 160i64))(
      varsC8,
      v11,
      64i64,
      v12);
    v13 = sub_411390(&varsC0);
    (*(void (__fastcall **)(__int64, __int64, char *))(*(_QWORD *)varsC8 + 272i64))(varsC8, v13 + 2, &varsA8);
    sub_40D530(varsC8);
    if ( varsAB == -84 && varsAC == -120 && varsAF && (unsigned int)varsAE >> 4 >= 0xC )
    {
      if ( varsAD == 101 )
      {
        *v56 = 67;
      }
      else if ( varsAD == 102 )
      {
        *v56 = 69;
      }
      else
      {
        *v56 = 71;
      }
      *v57 = varsAF;
      *a6 = (unsigned int)varsAE >> 4;
      *a7 = varsAE & 0xF;
    }
  }
  *a5 = 0;
  v14 = (signed int)v56;
  v15 = *v56 - 64;
  if ( v15 > 7u )
  {
    v16 = 0;
  }
  else
  {
    LOBYTE(v14) = 1;
    v16 = ((v14 << v15) & 0x78) != 0;
  }
  if ( v16 )
  {
    switch ( *v57 )
    {
      case 0xFF:
        *a5 = 1;
        break;
      case 0xFE:
        *a5 = 1;
        break;
      case 0xFD:
        *a5 = 2;
        break;
      case 0xFC:
        *a5 = 3;
        break;
      case 0xFB:
        *a5 = 4;
        break;
      default:
        if ( *v57 < 201 )
          *a5 = 1;
        break;
    }
  }
  LOBYTE(v10) = 1;
  varsD8 = sub_40D470(off_4E8FC8, v10);
  vars98 = 0i64;
  sub_4128D0(&vars40, v55);
  if ( (unsigned __int8)sub_23632B0(vars40, (unsigned __int8)*a5, varsD8) )
    vars98 = (_QWORD *)sub_2362B70(varsD8);
  sub_40D530(varsD8);
  v17 = 0;
  if ( vars98 )
  {
    sub_4128D0(&vars38, v55);
    if ( !(unsigned int)sub_412DE0(vars98, vars38) )
      v17 = 1;
  }
  vars97 = v17;
  byte_2662708 = v17;
  if ( v17 )
    sub_4110F0(&vars60, vars98);
  else
    sub_410A20(&vars60);
  sub_411070(&unk_2662710, vars60);
  if ( vars97 )
    sub_4110F0(&vars58, vars98);
  else
    sub_410A20(&vars58);
  sub_411070(&unk_2662718, vars58);
  if ( *a5 != 1 || !vars97 )
  {
    sub_4128D0(&vars30, v55);
    LOBYTE(v18) = 1;
    vars20 = *a5;
    vars28 = vars97;
    varsD0 = sub_2363B50((unsigned __int64)off_2360C08, v18, 0);
    v19 = sub_2363C60(varsD0, &varsA7, v58);
    if ( varsA7 > 7u )
    {
      v20 = 0;
    }
    else
    {
      LOBYTE(v19) = 1;
      v20 = (((_DWORD)v19 << varsA7) & 0x4E) != 0;
    }
    if ( v20 )
    {
      if ( *a5 )
      {
        if ( *a5 == 1 )
        {
          *v56 = 73;
        }
        else if ( *a5 == 4 )
        {
          *v56 = 74;
        }
        else
        {
          v21 = (signed int)a5;
          if ( (unsigned __int8)*a5 > 7u )
          {
            v22 = 0;
          }
          else
          {
            LOBYTE(v21) = 1;
            v22 = ((v21 << *a5) & 0xC) != 0;
          }
          if ( v22 )
          {
            if ( vars97 )
              *v56 = 74;
            else
              *v56 = 73;
          }
        }
      }
      else
      {
        *v56 = 72;
      }
    }
    sub_40D530(varsD0);
  }
  sub_410B00(&vars30, 3i64);
  sub_410B00(&vars58, 2i64);
  sub_410B30(&varsB0, 3i64);
  return sub_410A70(&v55);
}

Here the whole if statement that begins with if ( *a5 != 1 || !vars97 ) has to be skipped. The assembly:
.text:00000000023659DE                 call    sub_411070
.text:00000000023659E3                 mov     rax, 
.text:00000000023659EA                 cmp     byte ptr , 1
.text:00000000023659ED                 jnz     short loc_23659FC
.text:00000000023659EF                 cmp     , 0

Change the cmp instruction at 23659EA into an unconditional jump to 2365B28:
.text:0000000002365B28
.text:0000000002365B28 loc_2365B28:                            ; CODE XREF: sub_23654B0+546↑j
.text:0000000002365B28                 lea     rcx, 
.text:0000000002365B2C                 mov     edx, 3
.text:0000000002365B32                 call    sub_410B00

That is, change the hex bytes 80 38 01 75 0D at 23659EA to E9 39 01 00 00 (the 3-byte cmp plus the 2-byte jnz short are exactly the five bytes the jump needs). After this the trial time limit no longer applies; since the trial version of Navicat has no functional limitations, being able to keep using the trial is all that is needed. Finally, for a bit of humor, search for the string "Unregistered" and change it to "Free Version"; both are 12 characters, so the string can be overwritten in place.
On cracking the Mac OS X version
The analysis was done on the Chinese 12.0.26 version. The Mac version is written in Objective-C, so method names appear in plain text, which makes analysis much easier. The first step is to suppress the registration check at program launch:
__text:00000001006A7A05 ; void __cdecl -(AppDelegate *self, SEL, id)
__text:00000001006A7A05 __AppDelegate_applicationDidFinishLaunching__ proc near
__text:00000001006A7A05
__text:00000001006A7A05 var_290 = xmmword ptr -290h
__text:00000001006A7A05 var_280 = xmmword ptr -280h
__text:00000001006A7A05 var_270 = xmmword ptr -270h
__text:00000001006A7A05 var_260 = xmmword ptr -260h
__text:00000001006A7A05 var_250 = xmmword ptr -250h
__text:00000001006A7A05 var_240 = xmmword ptr -240h
__text:00000001006A7A05 var_230 = xmmword ptr -230h
__text:00000001006A7A05 var_220 = xmmword ptr -220h
__text:00000001006A7A05 var_210 = qword ptr -210h
__text:00000001006A7A05 var_208 = qword ptr -208h
__text:00000001006A7A05 var_200 = qword ptr -200h
__text:00000001006A7A05 var_1F8 = qword ptr -1F8h
__text:00000001006A7A05 var_1F0 = qword ptr -1F0h
__text:00000001006A7A05 var_1E8 = qword ptr -1E8h
__text:00000001006A7A05 var_1E0 = qword ptr -1E0h
__text:00000001006A7A05 var_1D8 = qword ptr -1D8h
__text:00000001006A7A05 var_1D0 = qword ptr -1D0h
__text:00000001006A7A05 var_1C8 = qword ptr -1C8h
__text:00000001006A7A05 var_1C0 = qword ptr -1C0h
__text:00000001006A7A05 var_1B8 = qword ptr -1B8h
__text:00000001006A7A05 var_1B0 = qword ptr -1B0h
__text:00000001006A7A05 var_1A8 = qword ptr -1A8h
__text:00000001006A7A05 var_1A0 = xmmword ptr -1A0h
__text:00000001006A7A05 var_190 = qword ptr -190h
__text:00000001006A7A05 var_180 = qword ptr -180h
__text:00000001006A7A05 var_178 = qword ptr -178h
__text:00000001006A7A05 var_170 = qword ptr -170h
__text:00000001006A7A05 var_168 = qword ptr -168h
__text:00000001006A7A05 var_160 = qword ptr -160h
__text:00000001006A7A05 var_158 = qword ptr -158h
__text:00000001006A7A05 var_150 = qword ptr -150h
__text:00000001006A7A05 var_148 = qword ptr -148h
__text:00000001006A7A05 var_140 = qword ptr -140h
__text:00000001006A7A05 var_138 = qword ptr -138h
__text:00000001006A7A05 var_130 = byte ptr -130h
__text:00000001006A7A05 var_B0 = byte ptr -0B0h
__text:00000001006A7A05 var_30 = qword ptr -30h
__text:00000001006A7A05
__text:00000001006A7A05 push rbp
__text:00000001006A7A06 mov rbp, rsp
__text:00000001006A7A09 push r15
__text:00000001006A7A0B push r14
__text:00000001006A7A0D push r13
__text:00000001006A7A0F push r12
__text:00000001006A7A11 push rbx
__text:00000001006A7A12 sub rsp, 268h
__text:00000001006A7A19 mov , rdi
__text:00000001006A7A20 mov rax, cs:___stack_chk_guard_ptr
__text:00000001006A7A27 mov rax,
__text:00000001006A7A2A mov , rax
__text:00000001006A7A2E mov rdi, rdx
__text:00000001006A7A31 call cs:_objc_retain_ptr
__text:00000001006A7A37 mov , rax
__text:00000001006A7A3E mov rdi, cs:classRef_NAVMainMenuManager
__text:00000001006A7A45 mov rsi, cs:selRef_defaultManager
__text:00000001006A7A4C call cs:_objc_msgSend_ptr
__text:00000001006A7A52 mov rdi, rax
__text:00000001006A7A55 call _objc_retainAutoreleasedReturnValue
__text:00000001006A7A5A mov rbx, rax
__text:00000001006A7A5D mov rsi, cs:selRef_reloadMainMenu
__text:00000001006A7A64 mov rdi, rbx
__text:00000001006A7A67 call cs:_objc_msgSend_ptr
__text:00000001006A7A6D mov rdi, rbx
__text:00000001006A7A70 call cs:_objc_release_ptr
__text:00000001006A7A76 mov r14, cs:classRef_Registration
__text:00000001006A7A7D mov rcx, cs:_OBJC_IVAR_$_AppDelegate__mainWinCtrl ; MainWindowController *_mainWinCtrl;
__text:00000001006A7A84 mov rax,
__text:00000001006A7A8B mov rdi,
__text:00000001006A7A8F mov rsi, cs:selRef_window
__text:00000001006A7A96 call cs:_objc_msgSend_ptr
__text:00000001006A7A9C mov rdi, rax
__text:00000001006A7A9F call _objc_retainAutoreleasedReturnValue
__text:00000001006A7AA4 mov rbx, rax
__text:00000001006A7AA7 mov rsi, cs:selRef_ApplicationChecking_isLaunch_
__text:00000001006A7AAE mov ecx, 1
__text:00000001006A7AB3 mov rdi, r14
__text:00000001006A7AB6 mov rdx, rbx
__text:00000001006A7AB9 call cs:_objc_msgSend_ptr
__text:00000001006A7ABF mov rdi, rbx
__text:00000001006A7AC2 call cs:_objc_release_ptr
__text:00000001006A7AC8 mov rdi, cs:classRef_VersionMigrateManager
__text:00000001006A7ACF mov rsi, cs:selRef_defaultManager
__text:00000001006A7AD6 call cs:_objc_msgSend_ptr
__text:00000001006A7ADC mov rdi, rax
__text:00000001006A7ADF call _objc_retainAutoreleasedReturnValue
__text:00000001006A7AE4 mov rbx, rax
__text:00000001006A7AE7 mov rsi, cs:selRef_tryMigrate
__text:00000001006A7AEE mov rdi, rbx
__text:00000001006A7AF1 call cs:_objc_msgSend_ptr
__text:00000001006A7AF7 mov rdi, rbx
__text:00000001006A7AFA call cs:_objc_release_ptr
__text:00000001006A7B00 mov rdi, cs:classRef_PlistManager
__text:00000001006A7B07 mov rsi, cs:selRef_defaultManager
__text:00000001006A7B0E call cs:_objc_msgSend_ptr
__text:00000001006A7B14 mov rdi, rax
__text:00000001006A7B17 call _objc_retainAutoreleasedReturnValue
__text:00000001006A7B1C mov rbx, rax
__text:00000001006A7B1F mov rsi, cs:selRef_tryRestore
__text:00000001006A7B26 mov rdi, rbx
__text:00000001006A7B29 call cs:_objc_msgSend_ptr
__text:00000001006A7B2F mov rdi, rbx
__text:00000001006A7B32 call cs:_objc_release_ptr
In the binary, change the hex bytes 4C 8B 35 B3 19 at 00000001006A7A76 to E9 4D 00 00 00, a jump instruction to 00000001006A7AC8, which bypasses the check. The five-byte jump overwrites the start of the seven-byte mov r14, cs:classRef_Registration; the two leftover bytes are never executed because control lands at 00000001006A7AC8, and the code shown after that point does not use r14. The next modification is there in case you accidentally click "Register" in the menu, which also triggers the check:
__text:000000010028ED40 ; void __cdecl -(Registration *self, SEL, id, signed __int64, void *)
__text:000000010028ED40 __Registration_sheetDidDismissActivation_returnCode_contextInfo__ proc near
__text:000000010028ED40 push rbp
__text:000000010028ED41 mov rbp, rsp
__text:000000010028ED44 push r15
__text:000000010028ED46 push r14
__text:000000010028ED48 push rbx
__text:000000010028ED49 push rax
__text:000000010028ED4A cmp rcx, 3EAh
__text:000000010028ED51 mov r14, cs:classRef_Registration
__text:000000010028ED58 jnz short loc_10028ED74
__text:000000010028ED5A mov rsi, cs:selRef_LaunchManualActivationForm
__text:000000010028ED61 mov rdi, r14
__text:000000010028ED64 add rsp, 8
__text:000000010028ED68 pop rbx
__text:000000010028ED69 pop r14
__text:000000010028ED6B pop r15
__text:000000010028ED6D pop rbp
__text:000000010028ED6E jmp cs:_objc_msgSend_ptr
__text:000000010028ED74 ; ---------------------------------------------------------------------------
__text:000000010028ED74
__text:000000010028ED74 loc_10028ED74: ; CODE XREF: -+18↑j
__text:000000010028ED74 mov rax, cs:_NSApp_ptr
__text:000000010028ED7B mov rdi,
__text:000000010028ED7E mov rsi, cs:selRef_mainWindow
__text:000000010028ED85 mov r15, cs:_objc_msgSend_ptr
__text:000000010028ED8C call r15 ; _objc_msgSend
__text:000000010028ED8F mov rdi, rax
__text:000000010028ED92 call _objc_retainAutoreleasedReturnValue
__text:000000010028ED97 mov rbx, rax
__text:000000010028ED9A mov rsi, cs:selRef_ApplicationChecking_isLaunch_
__text:000000010028EDA1 xor ecx, ecx
__text:000000010028EDA3 mov rdi, r14
__text:000000010028EDA6 mov rdx, rbx
__text:000000010028EDA9 call r15 ; _objc_msgSend
__text:000000010028EDAC mov rdi, rbx
__text:000000010028EDAF add rsp, 8
__text:000000010028EDB3 pop rbx
__text:000000010028EDB4 pop r14
__text:000000010028EDB6 pop r15
__text:000000010028EDB8 pop rbp
__text:000000010028EDB9 jmp cs:_objc_release_ptr
__text:000000010028EDB9 __Registration_sheetDidDismissActivation_returnCode_contextInfo__ endp
That is, in the binary, change the hex bytes 48 8B 35 7F 80 at 000000010028ED9A to E9 0D 00 00 00, jumping straight to 000000010028EDAC. This skips the ApplicationChecking:isLaunch: call but lands on the mov rdi, rbx that precedes _objc_release, so the retained main window is still released. Note that version 12 of Navicat on Mac stores database connection passwords in the system keychain; patching the binary invalidates its code signature, so to use it normally after patching you have to re-sign it with a self-signed certificate. Attached are diff files produced from the current latest versions, 12.0.26 for Mac and 12.0.28 for Windows, which you can apply yourself with WinHex.
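All four patches above (the two Windows ones at 2365D0B and 23659EA, the two Mac ones at 00000001006A7A76 and 000000010028ED9A) use the same primitive: overwrite five bytes with a jmp rel32 (opcode E9) whose displacement is measured from the end of the five-byte instruction, i.e. target - (patch_address + 5). The script below is an added example, not part of the original post and not Navicat tooling: it recomputes the replacement bytes for all four patches from the addresses quoted in the text, decodes the original call sub_408F10 to confirm the displacement convention, and applies a patch to a buffer only after checking that the bytes there are the expected originals, which is the check you want before touching a build other than the ones analyzed. The apply_patch helper takes a file offset, which is not the virtual address IDA displays; the buffer it runs on is constructed here rather than read from a real file.

```python
import struct

# Patches from the write-up: name -> (virtual address of the patch, original bytes, jump target).
# Addresses are the IDA virtual addresses quoted in the text, not file offsets.
PATCHES = {
    "win_trial_dialog":  (0x2365D0B,   bytes.fromhex("E800320AFE"), 0x2366328),
    "win_activation":    (0x23659EA,   bytes.fromhex("803801750D"), 0x2365B28),
    "mac_launch_check":  (0x1006A7A76, bytes.fromhex("4C8B35B319"), 0x1006A7AC8),
    "mac_register_menu": (0x10028ED9A, bytes.fromhex("488B357F80"), 0x10028EDAC),
}


def jmp_rel32(patch_addr: int, target: int) -> bytes:
    """Encode a `jmp rel32` placed at patch_addr.

    E9 is followed by a little-endian signed 32-bit displacement measured from
    the address of the *next* instruction, i.e. patch_addr + 5.
    """
    disp = target - (patch_addr + 5)
    if not -0x8000_0000 <= disp <= 0x7FFF_FFFF:
        raise ValueError(f"target {target:#x} not reachable with rel32 from {patch_addr:#x}")
    return b"\xE9" + struct.pack("<i", disp)


def rel32_target(instr_addr: int, instr: bytes) -> int:
    """Decode the destination of a 5-byte E8 (call rel32) or E9 (jmp rel32)."""
    if len(instr) < 5 or instr[0] not in (0xE8, 0xE9):
        raise ValueError("not a call/jmp rel32")
    (disp,) = struct.unpack("<i", instr[1:5])
    return instr_addr + 5 + disp


def patch_table() -> dict:
    """Replacement bytes for every patch, as upper-case hex like the write-up prints them."""
    return {name: jmp_rel32(addr, tgt).hex().upper() for name, (addr, _orig, tgt) in PATCHES.items()}


def apply_patch(image: bytes, file_offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Overwrite bytes at file_offset, refusing unless the bytes there are the expected originals.

    The original-bytes check is what protects you from patching a different build or a
    wrongly converted offset: the text quotes virtual addresses, and the file offset
    differs by the section's VirtualAddress - PointerToRawData.
    """
    if len(replacement) != len(expected):
        raise ValueError("replacement must be the same length as the bytes it overwrites")
    found = image[file_offset:file_offset + len(expected)]
    if found != expected:
        raise ValueError(f"expected {expected.hex()} at {file_offset:#x}, found {found.hex()}")
    return image[:file_offset] + replacement + image[file_offset + len(replacement):]


if __name__ == "__main__":
    # Confirm the displacement convention against the original call at 2365D0B.
    print(f"call at 2365D0B targets {rel32_target(0x2365D0B, PATCHES['win_trial_dialog'][1]):#x}")
    for name, hexbytes in patch_table().items():
        print(f"{name:18s} {hexbytes}")
    # Constructed stand-in for a file region: padding, the original five bytes, padding.
    region = bytes(16) + PATCHES["win_trial_dialog"][1] + bytes(16)
    patched = apply_patch(region, 16, PATCHES["win_trial_dialog"][1], jmp_rel32(0x2365D0B, 0x2366328))
    print(patched[16:21].hex().upper())
```

Running it prints the same four byte strings the text gives (E918060000, E939010000, E94D000000, E90D000000) and resolves the original E8 00 32 0A FE to 0x408F10, matching call sub_408F10 in the listing. The same-length rule in apply_patch is why the two Mac patches only replace the first five bytes of a seven-byte instruction: the jump itself stays five bytes and the trailing bytes are simply never reached.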
Hmily:
This is written really messily. Is it a brute-force patch in the end? I didn't follow.

阳光丶:
Not bad, it's just that the line __text:000000010028ED40 ; void __cdecl -(Registration *self, SEL, id, signed __int64, void *) is a bit superfluous; I suggest revising it.

Kylin, quoting Hmily (posted 2018-5-17 10:24): "This is written really messily. Is it a brute-force patch in the end? I didn't follow."
It was fine while I was editing it; the layout fell apart after I submitted it.
It's enough for my own use, and I didn't want to spend too much time on it. Bypassing the trial time limit by modifying instructions should count as a brute-force crack; this software embeds a public key, so there probably is no keygen that works without patching.
It's only under Mac OS X that re-signing is needed, because the passwords are kept in the keychain; but the self-signed certificate can be packaged along with it and other people just need to import it.

Kylin, quoting 阳光丶 (posted 2018-5-17 14:01): "Not bad, it's just that __text:000000010028ED40 ; void __cdecl -"
Some people will go and click the "Register" menu item; after clicking "Cancel" in the dialog, the program checks the license and exits. That's the Mac version's behavior; the Windows version doesn't do this.

Another reply:
The account name Kylin has already been registered; test that the account name is available before applying.