PilotEdit_x64_19.7.0 补丁问题

shieep · 发表于 2025-3-22 23:04

PilotEdit_x64_19.7.0
破解很容易，在x64dbg中改了代码，软件破解成功后，可以正常运行，打开文件
把程序直接补丁，或者创建劫持DLL，可以正常运行，打开文件就会报错。
但是如果创建个loader，，可以正常运行，打开文件。很奇怪。
使用baymax工具创建的，第一次见这种的

爱飞的猫 · 发表于 2025-3-23 02:40

本帖最后由爱飞的猫于 2025-3-23 03:43 编辑

程序有自校验，也会检查程序目录下是否存在 winmm.dll。校验不通过就会触发暗桩。你可以试着分析一下（提示：后者断 GetFileAttributesW 看 rcx）。

解决方案：换个 dll 来劫持，或干掉检测。

或者直接硬刚文件自校验，对 exe 打补丁。

首先在 exe 替换公钥（PilotEdit.exe+811CE0 处）：

30819D300D06092A864886F70D010101050003818B00308187028181008BF8E3EB435F355159AEB633867A53454EDC4A9D4409976E465155D713DE8E32BF1B839ED0C28C11B4A3853E881D359E42A48FF61C1EE28EC3C9511603A710478561E8FECA6637E663F0E6150F23926C2066F23181A6AD734DB6CE2A8CB6A739C70C83D07CE8062FBB1625618C363B6A0BBB1D2EAFD13B70665F8A3EBAF7839B020111

※ 这个新的公钥不会触发文件校验暗桩

然后使用下述信息注册：

用户名: afdm@52pojie
序列号:
  695A4C6B944C6CD7761AF49EFFD15970D91A9E2D
  C381361AB222FABFFCC20AB78BFEF6041FC249D6
  68872F1FE998CEA0D3A2D3D6842B8766386142A8
  D17D50EB5624ECAC2384C84278F6ECA3B0633293
  4AF33AB0ACE4F99119CCCF3BE5F5BBB40036E154
  3E98FA7D9951C1CAF2638EBAECD37DBB7DE67515
  88552264895120E6

没测试有没有别的暗桩，只看了下能正常打开文件。

zixuan203344 · 发表于 2025-3-23 11:17

替换成功，感谢版主

chishingchan · 发表于 2025-3-23 12:34

编辑器，我还是首先 EditPlus。因为这个软件的宏（键盘记录操作）太好用了！

chishingchan · 发表于 2025-3-23 13:27

本帖最后由 chishingchan 于 2025-3-23 13:31 编辑

爱飞的猫发表于 2025-3-23 02:40
[md]程序有自校验，也会检查程序目录下是否存在 `winmm.dll`。校验不通过就会触发暗桩。你可以试着分析一下 ...

PilotEdit-Pro.vbs

[Visual Basic] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

Set ado_stream = CreateObject("ADODB.Stream")
        ado_stream.Type = 1
        ado_stream.open
        ado_stream.LoadFromFile "PilotEdit.exe"
        ado_stream.position = 8461536
        ado_stream.Write HexToByte("30819D300D06092A864886F70D010101050003818B00308187028181008BF8E3EB435F355159AEB633867A53454EDC4A9D4409976E465155D713DE8E32BF1B839ED0C28C11B4A3853E881D359E42A48FF61C1EE28EC3C9511603A710478561E8FECA6637E663F0E6150F23926C2066F23181A6AD734DB6CE2A8CB6A739C70C83D07CE8062FBB1625618C363B6A0BBB1D2EAFD13B70665F8A3EBAF7839B020111")
        ado_stream.SaveToFile "PilotEdit.exe", 2
        ado_stream.Close
Set ado_stream = Nothing
 
Function HexToByte(hexStr)
        Set xmldom = Wscript.CreateObject("Microsoft.XMLDOM")
        Set byteObj= xmldom.createElement("byteObj")
        byteObj.dataType = "bin.hex"
        byteObj.nodeTypedValue = hexStr
        HexToByte=byteObj.nodeTypedValue
End Function

chishingchan · 发表于 2025-3-23 13:39

[Visual Basic] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

Set ado_stream = CreateObject("ADODB.Stream")
        ado_stream.Type = 1
        ado_stream.open
        ado_stream.LoadFromFile "PilotEdit,2.exe"
        ado_stream.position = 8461536
        ado_stream.Write HexToByte("3330383139443330304430363039324138363438383646373044303130313031303530303033383138423030333038313837303238313831303038424638453345423433354633353531353941454236333338363741353334353445444334413944343430393937364534363531353544373133444538453332424631423833394544304332384331314234413338353345383831443335394534324134384646363143314545323845433343393531313630334137313034373835363145384645434136363337453636334630453631353046323339323643323036364632333138314136414437333444423643453241384342364137333943373043383344303743453830363246424231363235363138433336334236413042424231443245414644313342373036363546384133454241463738333942303230313131")
        ado_stream.SaveToFile "PilotEdit.exe", 2
        ado_stream.Close
Set ado_stream = Nothing
 
Function HexToByte(hexStr)
        Set xmldom = Wscript.CreateObject("Microsoft.XMLDOM")
        Set byteObj= xmldom.createElement("byteObj")
        byteObj.dataType = "bin.hex"
        byteObj.nodeTypedValue = hexStr
        HexToByte=byteObj.nodeTypedValue
End Function

be1ieveme · 发表于 2025-3-23 14:52

居然在这里看到这款软件了，这款编辑器我购买了正版授权

shieep · 发表于 2025-3-23 19:09

爱飞的猫发表于 2025-3-23 02:40
[md]程序有自校验，也会检查程序目录下是否存在 `winmm.dll`。校验不通过就会触发暗桩。你可以试着分析一下 ...

厉害，我最后也发现了，找到检验这个位置 `winmm.dll`，破解掉，用winmm.DLL hijiac破解了。程序的自检验，找了半天没找到。

shieep · 发表于 2025-3-23 19:21

爱飞的猫发表于 2025-3-23 02:40
[md]程序有自校验，也会检查程序目录下是否存在 `winmm.dll`。校验不通过就会触发暗桩。你可以试着分析一下 ...

winmm.dll是拼接起来的，所以直接搜不到。

[Asm] 纯文本查看 复制代码

1

2

3

4

5

6

7

8

9

0000000140534A75 | 4C:8D05 ACD12B00         | lea r8,qword ptr ds:[1407F1C28]                 | 00000001407F1C28:L"\\win"
0000000140534A7C | BA 1A040000              | mov edx,41A                                     |
0000000140534A81 | 48:8D8C24 D0000000       | lea rcx,qword ptr ss:[rsp+D0]                   |
0000000140534A89 | E8 9AC2B7FF              | call pilotedit.1400B0D28                        |
0000000140534A8E | 4C:8D05 A3D12B00         | lea r8,qword ptr ds:[1407F1C38]                 | 00000001407F1C38:L"mm.d"
0000000140534A95 | BA 1A040000              | mov edx,41A                                     |
0000000140534A9A | 48:8D8C24 D0000000       | lea rcx,qword ptr ss:[rsp+D0]                   |
0000000140534AA2 | E8 81C2B7FF              | call pilotedit.1400B0D28                        |
0000000140534AA7 | 4C:8D05 96D12B00         | lea r8,qword ptr ds:[1407F1C44]                 | 00000001407F1C44:L"ll"

move · 发表于 2025-3-23 20:25

[Python] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

import os
import shutil
 
def hex_to_bytes(hex_str):
    return bytes.fromhex(hex_str)
 
def read_binary_file(file_path, offset, size):
    with open(file_path, 'rb') as file:  # 以二进制模式打开文件
        file.seek(offset)  # 定位到指定偏移量
        data = file.read(size)  # 读取指定大小的字节数据
    return data
 
 
def backup_file(file_path):
    backup_path = file_path + ".bak"
    shutil.copy2(file_path, backup_path)
    print(f"文件已备份到：{backup_path}")
 
def modify_binary_file(file_path, offset, original_hex, modified_hex):
    if not os.path.exists(file_path):
        print(f"Didn't find {file_path}, skipping patch generation")
        return
 
    # 计算需要读取的字节数
    size = len(original_hex) // 2
 
    # 读取文件的指定偏移量数据
    data = read_binary_file(file_path, offset, size)
    print(f"读取到的数据（原始字节）：{data}")    
    print(f"读取到的数据（原始十六进制）：{data.hex()}")
     
    text = data.decode('utf-8')
 
    if data.find(bytes.fromhex(modified_hex)) != -1:
        print(f"{file_path} 已经修补了：)")
        print(f"偏移地址：0x{offset} 大小：{size}")
        return
     
    if data.find(bytes.fromhex(original_hex)) == -1:
        print(f"{file_path} 无法匹配到数据：)")
        print(f"偏移地址：0x{offset} 大小：{size}")
        return
     
 
    print(f"原始字节匹配成功，正在修补文件...")
    print(f"偏移地址：0x{offset} 大小：{size}")
         
    # 备份文件
    backup_file(file_path)
     
    # 修改数据
    # 将十六进制字符串转换为字节数据
    byte_data = hex_to_bytes(modified_hex)
 
    # 打开文件并修改指定位置
    with open(file_path, 'r+b') as file:
        file.seek(offset)  # 定位到指定偏移量
        file.write(byte_data)  # 写入字节数据
 
    print(f"修改后的数据（字节）：{modified_hex}")
    print(f"文件修改完成！")      
         
 
# 文件路径
file_path = "PilotEdit.exe"
# 偏移量
offset = int("811CE0", 16)  # 将十六进制偏移量转换为十进制
 
# 原始字节和修改字节
original_str = "30819D300D06092A864886F70D010101050003818B0030818702818100B163741C37A823BC53F624DCCBD465554FACAEAE91D640FE7BB4642124E92613C1FD4B930A7A386F062E5A42DBE4425AA18E1ABA301CD9550C59787387745C8569FC7F4114DE5E209BAB232FAC903CB1832497214DCE43E2AC91289AACE353C370C9C8598B6D1DFB6A5038444254D6280B490770B637C63E5346FD9837775955020111"
original_hex = "3330383139443330304430363039324138363438383646373044303130313031303530303033383138423030333038313837303238313831303042313633373431433337413832334243353346363234444343424434363535353446414341454145393144363430464537424234363432313234453932363133433146443442393330413741333836463036324535413432444245343432354141313845314142413330314344393535304335393738373338373734354338353639464337463431313444453545323039424142323332464143393033434231383332343937323134444345343345324143393132383941414345333533433337304339433835393842364431444642364135303338343434323534443632383042343930373730423633374336334535333436464439383337373735393535303230313131"
modified_str = "30819D300D06092A864886F70D010101050003818B00308187028181008BF8E3EB435F355159AEB633867A53454EDC4A9D4409976E465155D713DE8E32BF1B839ED0C28C11B4A3853E881D359E42A48FF61C1EE28EC3C9511603A710478561E8FECA6637E663F0E6150F23926C2066F23181A6AD734DB6CE2A8CB6A739C70C83D07CE8062FBB1625618C363B6A0BBB1D2EAFD13B70665F8A3EBAF7839B020111"
modified_hex = "3330383139443330304430363039324138363438383646373044303130313031303530303033383138423030333038313837303238313831303038424638453345423433354633353531353941454236333338363741353334353445444334413944343430393937364534363531353544373133444538453332424631423833394544304332384331314234413338353345383831443335394534324134384646363143314545323845433343393531313630334137313034373835363145384645434136363337453636334630453631353046323339323643323036364632333138314136414437333444423643453241384342364137333943373043383344303743453830363246424231363235363138433336334236413042424231443245414644313342373036363546384133454241463738333942303230313131"
 
print(f"/================================")
print(f"用户名: afdm@52pojie")
print(f"序列号: 695A4C6B944C6CD7761AF49EFFD15970D91A9E2DC381361AB222FABFFCC20AB78BFEF6041FC249D668872F1FE998CEA0D3A2D3D6842B8766386142A8D17D50EB5624ECAC2384C84278F6ECA3B06332934AF33AB0ACE4F99119CCCF3BE5F5BBB40036E1543E98FA7D9951C1CAF2638EBAECD37DBB7DE6751588552264895120E6")      
print(f"/================================")
 
# 修补文件
modify_binary_file(file_path, offset, original_hex, modified_hex)

帐号		自动登录	找回密码
密码			注册[Register]

[求助] PilotEdit_x64_19.7.0 补丁问题

免费评分

免费评分