本帖最后由 冥界3大法王 于 2020-2-1 23:33 编辑
AB Commander一款类似于TC的资源管理器
多年来非凡论坛有一牛人,但凡这个软件一更新,这哥们就发破解求助贴,数年来孜孜不倦。
或许是作者也了解到了这一情况,于是乎就有了下面的故事。
在其官网将其下载回来:http://files.winability.com/ABCommander-20.1.1-setup.exe
软件会根据系统不同,安装不同的版本x86/x64 所对应的EXE/DLL
网上搜索下不难发现该软件的注册机。
经一坛友 martin325 说,该软件有假注册行为+联网+退出暗桩(具体表现为command->split->Cancel , View>option>save 就会弹出一个框)
点是,让你联网注册; 点否,直接退出。
先用注册机注册下:
然后注册表里用RegWorkshop随便看看,就发现了以下信息
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WinAbility\AB Commander\Setup\1]
"Result"="96C44282908B1126413081D9D512D986892C6B091A4B5571CE2FB2EEA33CCCB5CEEC85F46CF438CC69051A6329B8FD23AB30A12F5A4D7A2DEC550D40087E8417520F932B2031B58382BC0DCE983F225AFDF15860F19633F2256B86D47448687CCFEC043446F2162DE41E561E1014194BE8403FEC11A441BA0CE42C55EF8498E2"
"Info"="435549435549-38-53353139393936363839303938373635"
接下来打开X64dbg战斗开始:
首先,我们点关于,注册,触发!成功断下!来到下面!
点到这里!
出来之后,来到这里
看看前后走势,不难发现位于注册码读取区间
00007FF898DB8E10 <ab | 48: | mov qword ptr ss:[rsp+8],rbx |
00007FF898DB8E15 | 48: | mov qword ptr ss:[rsp+10],rsi |
00007FF898DB8E1A | 57 | push rdi |
00007FF898DB8E1B | 48: | sub rsp,30 |
00007FF898DB8E1F | 48: | mov rbx,rcx | rcx:L"CUICUI"
00007FF898DB8E22 | C74 | mov dword ptr ss:[rsp+28],5471 |
00007FF898DB8E2A | 48: | add rcx,1CC | rcx:L"CUICUI"
00007FF898DB8E31 | C74 | mov dword ptr ss:[rsp+20],5470 |
00007FF898DB8E39 | 41: | mov r9d,546F |
00007FF898DB8E3F | 48: | mov rdx,qword ptr ds:[rbx+8] |
00007FF898DB8E43 | 4C: | lea r8,qword ptr ds:[rbx+1C8] |
00007FF898DB8E4A | E8 | call <abc64.?RCDlg_ProcessEnter@@YAHPEAV |
00007FF898DB8E4F | 83B | cmp dword ptr ds:[rbx+1C8],0 |
00007FF898DB8E56 | 8BF | mov esi,eax |
00007FF898DB8E58 | 74 | je abc64.7FF898DB8E62 |
00007FF898DB8E5A | 48: | mov rcx,rbx | rcx:L"CUICUI"
00007FF898DB8E5D | E8 | call <abc64.sub_7FF898DB9990> |
00007FF898DB8E62 | 85F | test esi,esi |
00007FF898DB8E64 | 75 | jne abc64.7FF898DB8E78 |
00007FF898DB8E66 | 33C | xor eax,eax |
00007FF898DB8E68 | 48: | mov rbx,qword ptr ss:[rsp+40] |
00007FF898DB8E6D | 48: | mov rsi,qword ptr ss:[rsp+48] |
00007FF898DB8E72 | 48: | add rsp,30 |
00007FF898DB8E76 | 5F | pop rdi |
00007FF898DB8E77 | C3 | ret |
00007FF898DB8E78 | 48: | mov rcx,rbx | rcx:L"CUICUI"
00007FF898DB8E7B | C78 | mov dword ptr ds:[rbx+1C8],1 |
00007FF898DB8E85 | 48: | mov rbx,qword ptr ss:[rsp+40] |
00007FF898DB8E8A | 48: | mov rsi,qword ptr ss:[rsp+48] |
00007FF898DB8E8F | 48: | add rsp,30 |
00007FF898DB8E93 | 5F | pop rdi |
00007FF898DB8E94 | E9 | jmp <abc64.?OnOK@CSDlg@@UEAA_JXZ> |
00007FF898D9CBD0 <ab | 48: | mov qword ptr ss:[rsp+8],rbx | AAAAAAAAAAAAAAAAAAAAAA
00007FF898D9CBD5 | 48: | mov qword ptr ss:[rsp+10],rsi |
00007FF898D9CBDA | 57 | push rdi |
00007FF898D9CBDB | 48: | sub rsp,20 |
00007FF898D9CBDF | 49: | mov rbx,r8 |
00007FF898D9CBE2 | 8BF | mov edi,edx |
00007FF898D9CBE4 | 48: | mov rsi,rcx |
00007FF898D9CBE7 | 41: | mov eax,r8d |
00007FF898D9CBEA | C1E | shr eax,10 |
00007FF898D9CBED | 66: | dec ax |
00007FF898D9CBF0 | B9 | mov ecx,FFFD |
00007FF898D9CBF5 | 66: | cmp ax,cx |
00007FF898D9CBF8 | 77 | ja abc64.7FF898D9CC11 |
00007FF898D9CBFA | 48: | mov rcx,rsi |
00007FF898D9CBFD | 48: | mov rbx,qword ptr ss:[rsp+30] |
00007FF898D9CC02 | 48: | mov rsi,qword ptr ss:[rsp+38] |
00007FF898D9CC07 | 48: | add rsp,20 |
00007FF898D9CC0B | 5F | pop rdi |
00007FF898D9CC0C | E9 | jmp <abc64.sub_7FF898D9CC70> |
00007FF898D9CC11 | 33D | xor edx,edx |
00007FF898D9CC13 | 44: | lea r9d,qword ptr ds:[rdx+1] |
00007FF898D9CC17 | 45: | xor r8d,r8d |
00007FF898D9CC1A | 48: | lea rcx,qword ptr ss:[rsp+40] |
00007FF898D9CC1F | E8 | call <abc64.??0ResStr@@QEAA@FPEAU |
00007FF898D9CC24 | 90 | nop |
00007FF898D9CC25 | 41: | mov r9d,1 |
00007FF898D9CC2B | 45: | xor r8d,r8d |
00007FF898D9CC2E | 0FB | movzx edx,bx |
00007FF898D9CC31 | 48: | lea rcx,qword ptr ss:[rsp+40] |
00007FF898D9CC36 | E8 | call <abc64.?Load@ResStr@@QEAAPEB |
00007FF898D9CC3B | 48: | lea rcx,qword ptr ss:[rsp+40] |
00007FF898D9CC40 | E8 | call <abc64.??BResStr@@QEAAPEB_WX |
00007FF898D9CC45 | 4C: | mov r8,rax |
00007FF898D9CC48 | 8BD | mov edx,edi |
00007FF898D9CC4A | 48: | mov rcx,rsi |
00007FF898D9CC4D | E8 | call <abc64.sub_7FF898D9CC70> | 调用【此许可证密钥仅供家庭使用,非商业用途】
00007FF898D9CC52 | 8BD | mov ebx,eax |
00007FF898D9CC54 | 48: | lea rcx,qword ptr ss:[rsp+40] |
00007FF898D9CC59 | E8 | call <abc64.?Empty@ResStr@@QEAAXX |
00007FF898D9CC5E | 8BC | mov eax,ebx |
00007FF898D9CC60 | 48: | mov rbx,qword ptr ss:[rsp+30] |
00007FF898D9CC65 | 48: | mov rsi,qword ptr ss:[rsp+38] |
00007FF898D9CC6A | 48: | add rsp,20 |
00007FF898D9CC6E | 5F | pop rdi |
00007FF898D9CC6F | C3 | ret |
接下来,走过上面的地方!
都走完之后,来到了这里!
00007FF898D9CC70 <ab | 48: | mov qword ptr ss:[rsp+10],rbx |
00007FF898D9CC75 | 48: | mov qword ptr ss:[rsp+18],rbp |
00007FF898D9CC7A | 48: | mov qword ptr ss:[rsp+20],rsi |
00007FF898D9CC7F | 57 | push rdi |
00007FF898D9CC80 | 48: | sub rsp,20 |
00007FF898D9CC84 | 48: | mov rdi,rcx |
00007FF898D9CC87 | 48: | mov qword ptr ss:[rsp+30],8 | [rsp+30]:sub_7FF898DB9A00+31C
00007FF898D9CC90 | 48: | lea rcx,qword ptr ss:[rsp+30] | [rsp+30]:sub_7FF898DB9A00+31C
00007FF898D9CC95 | C74 | mov dword ptr ss:[rsp+34],4000 |
00007FF898D9CC9D | 49: | mov rbp,r8 |
00007FF898D9CCA0 | 8BF | mov esi,edx |
00007FF898D9CCA2 | FF1 | call qword ptr ds:[<&InitCommonCo |
00007FF898D9CCA8 | 48: | test rdi,rdi |
00007FF898D9CCAB | 75 | jne abc64.7FF898D9CCB6 |
00007FF898D9CCAD | FF1 | call qword ptr ds:[<&GetActiveWin |
00007FF898D9CCB3 | 48: | mov rdi,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCB6 | 33D | xor ebx,ebx |
00007FF898D9CCB8 | 48: | cmp rdi,1 |
00007FF898D9CCBC | 48: | cmovne rbx,rdi |
00007FF898D9CCC0 | 48: | test rbx,rbx |
00007FF898D9CCC3 | 74 | je abc64.7FF898D9CCD1 |
00007FF898D9CCC5 | 48: | mov rcx,rbx |
00007FF898D9CCC8 | FF1 | call qword ptr ds:[<&GetLastActiv |
00007FF898D9CCCE | 48: | mov rbx,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCD1 | 48: | mov rax,qword ptr ds:[7FF898E62C5 | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCD8 | 48: | test rax,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCDB | 74 | je abc64.7FF898D9CCE1 |
00007FF898D9CCDD | 33C | xor ecx,ecx |
00007FF898D9CCDF | FFD | call rax |
00007FF898D9CCE1 | E8 | call <abc64.?GetMyProductInfo@@YA |
00007FF898D9CCE6 | 48: | mov rcx,rax | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCE9 | 0FB | bts esi,10 |
00007FF898D9CCED | 48: | mov rdx,qword ptr ds:[rax] | rax:L"Thank you!\n\nPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.\n\nA processing fee will be charged for a replacement copy of your license key."
以下内容,感兴趣的可以参考下。
Ctrl+N, GetLicense
暂停堆栈等入手
软件断点
00007FF898D51000 <abc64.dll.sub_7FF898D51000> 已启用 sub rsp,28 0
00007FF898D73051 abc64.dll 已启用 call <abc64.?Msg@@YAHPEAUHWND__@@IPEB_W@Z> 0
00007FF898D9CBD0 <abc64.dll.?Msg@@YAHPEAUHWND__@@IPEB_W@Z> 已启用 mov qword ptr ss:[rsp+8],rbx 10 AAAAAAAAAAAAAAAAAAAAAA
00007FF898D9CC70 <abc64.dll.sub_7FF898D9CC70> 已启用 mov qword ptr ss:[rsp+10],rbx 16
00007FF898D9CCDB abc64.dll 已启用 je abc64.7FF898D9CCE1 16
00007FF898D9CCF0 abc64.dll 已启用 nop 16 此许可证密钥仅供家庭使用,非商业用途 (B1 这里NOP)
00007FF898D9CCFF abc64.dll 已启用 call qword ptr ds:[<&MessageBoxW>] 16
00007FF898DB9270 <abc64.dll.?RCDlg_ProcessEnter@@YAHPEAVri2@@PEAUHWND__@@PEAHIII@Z> 已启用 mov al,1 16 B3(mov al,1;ret) 这里显示rcdlg_processEnter@@yahpeavri2@@peauhwnd
00007FF898DB92C0 abc64.dll 已启用 call <abc64.?RCDlg_GetUserName@@YAHPEAUHWND__@@HPEA_WH@Z> 12 得到用户名,这里该是最开始的地方!
00007FF898DB92C7 abc64.dll 已启用 je abc64.7FF898DB9409 12
00007FF898DB92D1 abc64.dll 已启用 jne abc64.7FF898DB9300 13
00007FF898DB92E9 abc64.dll 已启用 je abc64.7FF898DB93C5 0
00007FF898DB9309 abc64.dll 已启用 je abc64.7FF898DB9327 13
00007FF898DB9321 abc64.dll 已启用 je abc64.7FF898DB93C5 12
00007FF898DB9330 abc64.dll 已启用 je abc64.7FF898DB9358 13
00007FF898DB9345 abc64.dll 已启用 jne abc64.7FF898DB9358 12
00007FF898DB9360 abc64.dll 已启用 call <abc64.?il2@ri2@@QEAAHXZ> 13 或这里A
00007FF898DB9367 abc64.dll 已启用 jne abc64.7FF898DB9385 13 我赌 可能改这里
00007FF898DB9385 abc64.dll 已启用 call <abc64.?WinServer@@YAHXZ> 5 这个是服务器验证,调用了微软的,把以该 eax=1
00007FF898DB938C abc64.dll 已启用 je abc64.7FF898DB93CC 13
00007FF898DB9398 abc64.dll 已启用 je abc64.7FF898DB93CC 12
00007FF898DB93E0 abc64.dll 已启用 call <abc64.?v@ri2@@QEAAHPEAUHWND__@@H@Z> 8 上一级校验窗口
00007FF898DB9BB2 abc64.dll 已启用 lea r9,qword ptr ds:[7FF898E0C088] 0
00007FF898DB9C2B abc64.dll 已启用 je abc64.7FF898DB9D5D 0
00007FF898DB9C9E abc64.dll 已启用 je abc64.7FF898DB9CC3 2
00007FF898DB9CBA abc64.dll 已启用 call <abc64.?RCDlg_ProcessEnter@@YAHPEAVri2@@PEAUHWND__@@PEAHIII@Z> 0
00007FF898DC0F00 <abc64.dll.?v@ri2@@QEAAHPEAUHWND__@@H@Z> 已启用 mov qword ptr ss:[rsp+20],rbx 8
00007FF898DC0F6E abc64.dll 已启用 ja abc64.7FF898DC1423 6
00007FF898DC0F8E abc64.dll 已启用 ja abc64.7FF898DC1423 6 必须跳2
00007FF898DC1017 abc64.dll 已启用 mov rcx,r13 9
00007FF898DC103F abc64.dll 已启用 call <abc64.sub_7FF898DB80A0> 9 可疑点1 出来那个该死的提示!
00007FF898DC1046 abc64.dll 已启用 jne abc64.7FF898DC1423 9 B5 84改85
00007FF898DC1053 abc64.dll 已启用 jne abc64.7FF898DC10FD 6 可疑点3
00007FF898DC10DD abc64.dll 已启用 call <abc64.?Msg@@YAHPEAUHWND__@@IPEB_W@Z> 6
00007FF898DC10E5 abc64.dll 已启用 je abc64.7FF898DC1423 0
00007FF8B6BBB3E2 cryptsp.dll 已启用 je cryptsp.7FF8B6BBB41B 0
00007FF8B6BBB3E7 cryptsp.dll 已启用 je cryptsp.7FF8B6BBB413 0
00007FF8B6BBB3FB cryptsp.dll 已启用 lea rax,qword ptr ds:[7FF8B6BBE8B8] 0
00007FF8B6BBB41B cryptsp.dll 已启用 lea rax,qword ptr ds:[7FF8B6BBE8C8] 0
00007FF8B6F1BC80 <kernel32.dll.FormatMessageW> 已启用 jmp qword ptr ds:[<&FormatMessageW>] 0
00007FF8B7F2B050 <user32.dll.PostQuitMessage> 已启用 movsxd rcx,ecx 0
00007FF8B7F7D410 <user32.dll.MessageBeep> 已启用 mov ecx,ecx 0
===========================================================================
这样我们就注册成功了,同时暗桩也没有触发,但是文件自校验的问题还得处理,不然保存出的文件,就会接茬弹窗!
重启后,诱发暗桩发生,我们就到了上面这个地方(记得这次不再是DLL了,而是主程序了哟~~)
00007FF68CEC77E0 | 40: | push rbx |
00007FF68CEC77E2 | 48: | sub rsp,20 |
00007FF68CEC77E6 | 48: | mov rbx,rcx |
00007FF68CEC77E9 | 48: | lea rcx,qword ptr ds:[7FF68CFD731 |
00007FF68CEC77F0 | E8 | call abcmdr64.7FF68CEB24E0 | 所以这里F7进入修改吧
00007FF68CEC77F5 | 85C | test eax,eax |
00007FF68CEC77F7 | 0F8 | jne abcmdr64.7FF68CEC78D1 | 暗桩调用点跳过处,果然需要修改eax返回值
00007FF68CEC77FD | 48: | mov rcx,qword ptr ds:[rbx+40] |
00007FF68CEC7801 | 8D5 | lea edx,qword ptr ds:[rax+14] |
00007FF68CEC7804 | 41: | mov r8d,7DC |
00007FF68CEC780A | 48: | mov qword ptr ss:[rsp+30],rdi |
00007FF68CEC780F | FF1 | call qword ptr ds:[<&?Msg@@YAHPEA |
00007FF68CEC7815 | 83F | cmp eax,6 |
00007FF68CEC7818 | 75 | jne abcmdr64.7FF68CEC782E |
00007FF68CEC781A | 48: | mov rcx,qword ptr ds:[rbx+40] |
00007FF68CEC781E | 48: | lea rdx,qword ptr ds:[7FF68CF828E | 00007FF68CF828E0:L"integrity-abc"
00007FF68CEC7825 | 45: | xor r8d,r8d |
00007FF68CEC7828 | FF1 | call qword ptr ds:[<&?GoOnline@@Y |
00007FF68CEC782E | 33F | xor edi,edi |
00007FF68CEC7830 | 48: | lea rdx,qword ptr ss:[rsp+38] |
00007FF68CEC7835 | 48: | lea rcx,qword ptr ds:[7FF68CEB96A |
00007FF68CEC783C | 897 | mov dword ptr ss:[rsp+38],edi |
00007FF68CEC7840 | FF1 | call qword ptr ds:[<&EnumWindows> |
00007FF68CEC7846 | 397 | cmp dword ptr ss:[rsp+38],edi |
00007FF68CEC784A | 74 | je abcmdr64.7FF68CEC7886 |
00007FF68CEC784C | 0F1 | nop dword ptr ds:[rax],eax |
00007FF68CEC7850 | 48: | mov rcx,qword ptr ds:[rbx+40] |
00007FF68CEC7854 | BA | mov edx,35 | 35:'5'
00007FF68CEC7859 | 41: | mov r8d,7F3 |
00007FF68CEC785F | FF1 | call qword ptr ds:[<&?Msg@@YAHPEA |
00007FF68CEC7865 | 83F | cmp eax,4 |
00007FF68CEC7868 | 75 | jne abcmdr64.7FF68CEC78CC |
00007FF68CEC786A | 48: | lea rdx,qword ptr ss:[rsp+38] |
00007FF68CEC786F | 897 | mov dword ptr ss:[rsp+38],edi |
00007FF68CEC7873 | 48: | lea rcx,qword ptr ds:[7FF68CEB96A |
00007FF68CEC787A | FF1 | call qword ptr ds:[<&EnumWindows> |
00007FF68CEC7880 | 397 | cmp dword ptr ss:[rsp+38],edi |
00007FF68CEC7884 | 75 | jne abcmdr64.7FF68CEC7850 |
00007FF68CEC7886 | C78 | mov dword ptr ds:[rbx+1378],1 |
00007FF68CEC7890 | FF1 | call qword ptr ds:[<&GetCurrentTh |
00007FF68CEC7896 | 48: | mov rcx,rax |
00007FF68CEC7899 | BA | mov edx,F |
00007FF68CEC789E | FF1 | call qword ptr ds:[<&SetThreadPri |
00007FF68CEC78A4 | FF1 | call qword ptr ds:[<&GetCurrentPr |
00007FF68CEC78AA | 48: | mov rcx,rax |
00007FF68CEC78AD | BA | mov edx,80 |
00007FF68CEC78B2 | FF1 | call qword ptr ds:[<&SetPriorityC |
00007FF68CEC78B8 | 48: | mov rcx,qword ptr ds:[rbx+40] |
00007FF68CEC78BC | 45: | xor r9d,r9d |
00007FF68CEC78BF | 45: | xor r8d,r8d |
00007FF68CEC78C2 | 41: | lea edx,qword ptr ds:[r9+10] |
00007FF68CEC78C6 | FF1 | call qword ptr ds:[<&PostMessageW |
00007FF68CEC78CC | 48: | mov rdi,qword ptr ss:[rsp+30] |
00007FF68CEC78D1 | 48: | add rsp,20 |
00007FF68CEC78D5 | 5B | pop rbx |
00007FF68CEC78D6 | C3 | ret |
这样暗桩问题就解决了。
小伙伴们就可以愉快的玩耍了~~
全凭感觉搞的,凑合看吧~~
===========================================================
接下来大白补丁 64位版就该上演了。
。。。研究中。。。