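Last edited by 冥界3大法王 on 2021-2-14 11:03
Software introduction: one of the four great file-search tools. It quickly searches indexed content and previews the results, and is one of the four must-have tools for cracking. This is the 30-day full-featured trial version.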
========================================================
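First, search the registry with RegWorkshop for the key value [redacted]; there are roughly 485 hits.
Deleting all of them has no effect whatsoever.
Go to the program folder and take a quick, sharp-eyed look for anything suspicious.
Sure enough, there is regkey.xml.
What are we waiting for? Delete it, and it's 30 days again.
Open the main program in x64dbg.
Press Ctrl+N and filter on the left for configlib.dll.
Search on the right for trial.
Sure enough, there are 4 functions related to the trial and to loading the KEY: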
?LoadTrialRegKeyConfiguration@CONFIGLIB@@YAJPEAV?$shared_ptr@UIConfigDataMgr@INTERNAL_IFC@@@boost@@AEBV23@_N@Z
?LoadTrialRegKeyConfiguration_ReadOnly@CONFIGLIB@@YAJPEAV?$shared_ptr@UIConfigDataMgr@INTERNAL_IFC@@@boost@@_N@Z
?LoadRegKeyConfiguration@CONFIGLIB@@YAJPEAV?$shared_ptr@UIConfigDataMgr@INTERNAL_IFC@@@boost@@@Z
?LoadRegKeyConfigurationPath@CONFIGLIB@@YAJAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PEAV?
Next, search for Write (the calls that write the INI configuration); the main ones are the following 3:
WriteFile
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
fwrite
========================================================
Delete regkey.xml and you get another 30-day full-featured trial!
=========================Contents as follows=========================
<?xml version="1.0"?>
<cfg ver="2">
<section name="【已脱敏保密】">
<InstallationOptions n="241a87fcba94f5dd"/>
<LiteApp t="3">pro</LiteApp>
</section>
</cfg>
========================================================
(A)
========================================================
Cosmetic cleanup of the annoying wait box at startup: (Preparing for first use)
(B)
=======================================================
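Cosmetic cleanup of Help > About and the "trial" wording at the top: (C)
The key points have been briefly summarised and analysed above; now let's deal with them one by one.
This program is 64-bit, so x64dbg is required.
Forum members who don't know it yet can watch the video series I produced: x32dbg/x64dbg commands quick-start video tutorials.
Then let's get the program running first; you will find that as soon as it runs, an exception is raised.
So press Shift+F9, and then use the [F12 plus Alt+K] call-stack pause technique.
The list has a pile of entries and I couldn't be bothered to read them. I copied the whole table straight into my home-made tool, OllyDbg/x64dbg贴心伴侣 (OllyDbg/x64dbg Companion), to filter it, and set breakpoints on all of them with F1.
Or, if you don't mind the effort, analyse them one by one.
Through analysis you will find one interesting spot: not far above the third entry there is a reference containing the English word for exception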
( call qword ptr ds:[<&RtlRaiseException>] )
00007FF6 | FF15 F0FA2200 | call qword ptr ds:[<&SystemTimeToVariantTime>] | Isn't this line interesting?
00007FF68FE66013 | E8 2835F7FF | call 原版.7FF68FDD9540 | Judging from the surrounding code: what happens if al=1 here? Step in with F7 and modify it
00007FF68FE66018 | 8B4424 5C | mov eax,dword ptr ss:[rsp+5C] |
00007FF68FE6601C | 0FB6C8 | movzx ecx,al |
00007FF68FE6601F | 80E1 01 | and cl,1 |
00007FF68FE66022 | 75 10 | jne 原版.7FF68FE66034 |
00007FF68FE66024 | A8 02 | test al,2 |
00007FF68FE66026 | 0F85 B1000000 | jne 原版.7FF68FE660DD |
00007FF68FE6602C | A8 04 | test al,4 |
00007FF68FE6602E | 0F85 A9000000 | jne 原版.7FF68FE660DD |
00007FF68FE66034 | 40:84FF | test dil,dil |
00007FF68FE66037 | 75 46 | jne 原版.7FF68FE6607F |
00007FF68FE66039 | 48:8B0D 98393A00 | mov rcx,qword ptr ds:[7FF6902099D8] |
00007FF68FE66040 | 48:85C9 | test rcx,rcx |
00007FF68FE66043 | 74 0D | je 原版.7FF68FE66052 |
00007FF68FE66045 | 48:8B01 | mov rax,qword ptr ds:[rcx] |
00007FF68FE66048 | BA A7000000 | mov edx,A7 |
00007FF68FE6604D | FF50 58 | call qword ptr ds:[rax+58] |
00007FF68FE66050 | EB 07 | jmp 原版.7FF68FE66059 |
00007FF68FE66052 | 48:8D05 EFCA2400 | lea rax,qword ptr ds:[7FF6900B2B48] | 00007FF6900B2B48:L"<no language>"
00007FF68FE66059 | 33D2 | xor edx,edx |
00007FF68FE6605B | 48:8BC8 | mov rcx,rax |
00007FF68FE6605E | E8 DDEBF5FF | call 原版.7FF68FDC4C40 |
00007FF68FE66063 | 48:8D5424 60 | lea rdx,qword ptr ss:[rsp+60] |
00007FF68FE66068 | 48:8BCB | mov rcx,rbx |
00007FF68FE6606B | E8 D034F7FF | call 原版.7FF68FDD9540 |
00007FF68FE66070 | 8B5424 60 | mov edx,dword ptr ss:[rsp+60] |
00007FF68FE66074 | 83E2 F8 | and edx,FFFFFFF8 |
00007FF68FE66077 | 48:8BCB | mov rcx,rbx |
00007FF68FE6607A | E8 F1BAF7FF | call 原版.7FF68FDE1B70 |
00007FF68FE6607F | 48:8D5424 64 | lea rdx,qword ptr ss:[rsp+64] |
00007FF68FE66084 | 48:8BCB | mov rcx,rbx |
00007FF68FE66087 | E8 B434F7FF | call 原版.7FF68FDD9540 |
00007FF68FE6608C | 8B4424 64 | mov eax,dword ptr ss:[rsp+64] |
00007FF68FE66090 | 0FB6C8 | movzx ecx,al |
00007FF68FE66093 | 80E1 01 | and cl,1 |
00007FF68FE66096 | 75 45 | jne 原版.7FF68FE660DD |
00007FF68FE66098 | A8 02 | test al,2 |
00007FF68FE6609A | 75 41 | jne 原版.7FF68FE660DD |
00007FF68FE6609C | A8 04 | test al,4 |
00007FF68FE6609E | 75 3D | jne 原版.7FF68FE660DD |
00007FF68FE660A0 | 40:0FB6D7 | movzx edx,dil |
00007FF68FE660A4 | 83F2 01 | xor edx,1 |
00007FF68FE660A7 | 8D1455 01000000 | lea edx,qword ptr ds:[rdx*2+1] |
00007FF68FE660AE | 48:8BCB | mov rcx,rbx |
00007FF68FE660B1 | E8 4AB2F7FF | call 原版.7FF68FDE1300 |
00007FF68FE660B6 | 41:B1 01 | mov r9b,1 |
00007FF68FE660B9 | 4D:8BC4 | mov r8,r12 |
00007FF68FE660BC | 48:8BD3 | mov rdx,rbx |
00007FF68FE660BF | 48:8D4D B0 | lea rcx,qword ptr ss:[rbp-50] |
00007FF68FE660C3 | E8 78BCF7FF | call 原版.7FF68FDE1D40 |
00007FF68FE660C8 | 90 | nop |
00007FF68FE660C9 | 48:8D4D B0 | lea rcx,qword ptr ss:[rbp-50] |
00007FF68FE660CD | FF15 B52C2300 | call qword ptr ds:[<&Ordinal#3951>] | Located here via the call-stack list + Ctrl+F8!
00007FF68FE660D3 | 90 | nop |
00007FF68FE660D4 | 48:8D4D B0 | lea rcx,qword ptr ss:[rbp-50] |
00007FF68FE660D8 | E8 63BEF7FF | call 原版.7FF68FDE1F40 |
00007FF68FE660DD | 45:33E4 | xor r12d,r12d |
00007FF68FE660E0 | 4C:89A5 C8060000 | mov qword ptr ss:[rbp+6C8],r12 |
00007FF68FE660E7 | 4C:89A5 D0060000 | mov qword ptr ss:[rbp+6D0],r12 |
00007FF68FE660EE | 4C:89A5 C8060000 | mov qword ptr ss:[rbp+6C8],r12 |
00007FF68FE660F5 | 48:C785 D0060000 07000000 | mov qword ptr ss:[rbp+6D0],7 |
00007FF68FE66100 | 6644:89A5 B8060000 | mov word ptr ss:[rbp+6B8],r12w |
00007FF68FE66108 | 45:8D4424 07 | lea r8d,qword ptr ds:[r12+7] |
00007FF68FE6610D | 48:8D15 5CCD2700 | lea rdx,qword ptr ds:[7FF6900E2E70] | 00007FF6900E2E70:L"Version"
00007FF68FE66114 | 48:8D8D B8060000 | lea rcx,qword ptr ss:[rbp+6B8] |
00007FF68FE6611B | E8 00E6F5FF | call 原版.7FF68FDC4720 |
00007FF68FE66120 | 90 | nop |
00007FF68FE66121 | 4C:89A5 90060000 | mov qword ptr ss:[rbp+690],r12 |
00007FF68FE66128 | 4C:89A5 98060000 | mov qword ptr ss:[rbp+698],r12 |
00007FF68FE6612F | 4C:89A5 90060000 | mov qword ptr ss:[rbp+690],r12 |
00007FF68FE66136 | 48:C785 98060000 07000000 | mov qword ptr ss:[rbp+698],7 |
00007FF68FE66141 | 6644:89A5 80060000 | mov word ptr ss:[rbp+680],r12w |
00007FF68FE66149 | 45:8D4424 07 | lea r8d,qword ptr ds:[r12+7] |
00007FF68FE6614E | 48:8D15 83392600 | lea rdx,qword ptr ds:[7FF6900C9AD8] | 00007FF6900C9AD8:L"Options"
00007FF68FE66155 | 48:8D8D 80060000 | lea rcx,qword ptr ss:[rbp+680] |
00007FF68FE6615C | E8 BFE5F5FF | call 原版.7FF68FDC4720 |
00007FF68FE66161 | 90 | nop |
00007FF68FE66162 | 48:8B4D 88 | mov rcx,qword ptr ss:[rbp-78] |
00007FF68FE66166 | 48:8B01 | mov rax,qword ptr ds:[rcx] |
00007FF68FE66169 | 4C:8D85 B8060000 | lea r8,qword ptr ss:[rbp+6B8] |
00007FF68FE66170 | 48:8D95 80060000 | lea rdx,qword ptr ss:[rbp+680] |
00007FF68FE66177 | FF90 B0000000 | call qword ptr ds:[rax+B0] |
00007FF68FE6617D | 0FB6F8 | movzx edi,al |
00007FF68FE66180 | 48:8B95 98060000 | mov rdx,qword ptr ss:[rbp+698] |
00007FF68FE66187 | 48:83FA 08 | cmp rdx,8 |
00007FF68FE6618B | 72 14 | jb 原版.7FF68FE661A1 |
00007FF68FE6618D | 48:8D1455 02000000 | lea rdx,qword ptr ds:[rdx*2+2] |
00007FF68FE66195 | 48:8B8D 80060000 | mov rcx,qword ptr ss:[rbp+680] |
00007FF68FE6619C | E8 FFE7F5FF | call 原版.7FF68FDC49A0 |
00007FF68FE661A1 | 4C:89A5 90060000 | mov qword ptr ss:[rbp+690],r12 |
00007FF68FE661A8 | 48:C785 98060000 07000000 | mov qword ptr ss:[rbp+698],7 |
00007FF68FE661B3 | 6644:89A5 80060000 | mov word ptr ss:[rbp+680],r12w |
00007FF68FE661BB | 48:8B95 D0060000 | mov rdx,qword ptr ss:[rbp+6D0] |
00007FF68FE661C2 | 48:83FA 08 | cmp rdx,8 |
00007FF68FE661C6 | 72 14 | jb 原版.7FF68FE661DC |
00007FF68FE661C8 | 48:8D1455 02000000 | lea rdx,qword ptr ds:[rdx*2+2] |
00007FF68FE661D0 | 48:8B8D B8060000 | mov rcx,qword ptr ss:[rbp+6B8] |
00007FF68FE661D7 | E8 C4E7F5FF | call 原版.7FF68FDC49A0 |
00007FF68FE661DC | 4C:89A5 C8060000 | mov qword ptr ss:[rbp+6C8],r12 |
00007FF68FE661E3 | 48:C785 D0060000 07000000 | mov qword ptr ss:[rbp+6D0],7 |
00007FF68FE661EE | 6644:89A5 B8060000 | mov word ptr ss:[rbp+6B8],r12w |
00007FF68FE661F6 | 48:8D5424 68 | lea rdx,qword ptr ss:[rsp+68] |
00007FF68FE661FB | 48:8BCB | mov rcx,rbx |
00007FF68FE661FE | E8 3D33F7FF | call 原版.7FF68FDD9540 |
00007FF68FE66203 | 8B4424 68 | mov eax,dword ptr ss:[rsp+68] |
00007FF68FE66207 | 0FB6C8 | movzx ecx,al |
00007FF68FE6620A | 80E1 01 | and cl,1 |
00007FF68FE6620D | 74 07 | je 原版.7FF68FE66216 |
00007FF68FE6620F | B8 01000000 | mov eax,1 |
00007FF68FE66214 | EB 14 | jmp 原版.7FF68FE6622A |
00007FF68FE66216 | A8 02 | test al,2 |
00007FF68FE66218 | 74 07 | je 原版.7FF68FE66221 |
00007FF68FE6621A | B8 02000000 | mov eax,2 |
00007FF68FE6621F | EB 09 | jmp 原版.7FF68FE6622A |
00007FF68FE66221 | 24 04 | and al,4 |
00007FF68FE66223 | F6D8 | neg al |
00007FF68FE66225 | 1BC0 | sbb eax,eax |
00007FF68FE66227 | 83E0 03 | and eax,3 |
00007FF68FE6622A | 83F8 01 | cmp eax,1 |
00007FF68FE6622D | 0F94C0 | sete al |
00007FF68FE66230 | 41:8885 70030000 | mov byte ptr ds:[r13+370],al |
00007FF68FE66237 | 45:84FF | test r15b,r15b |
00007FF68FE6623A | 74 1C | je 原版.7FF68FE66258 |
00007FF68FE6623C | 40:84FF | test dil,dil |
00007FF68FE6623F | 74 17 | je 原版.7FF68FE66258 |
00007FF68FE66241 | 807C24 50 00 | cmp byte ptr ss:[rsp+50],0 |
00007FF68FE66246 | 75 10 | jne 原版.7FF68FE66258 |
00007FF68FE66248 | 41:B0 01 | mov r8b,1 |
00007FF68FE6624B | BA 03000000 | mov edx,3 |
00007FF68FE66250 | 48:8BCB | mov rcx,rbx |
00007FF68FE66253 | E8 98B8F7FF | call 原版.7FF68FDE1AF0 |
00007FF68FE66258 | 48:8B4B 58 | mov rcx,qword ptr ds:[rbx+58] |
00007FF68FE6625C | 48:8B01 | mov rax,qword ptr ds:[rcx] |
00007FF68FE6625F | FF50 30 | call qword ptr ds:[rax+30] |
00007FF68FE66262 | B9 08000000 | mov ecx,8 |
00007FF68FE66267 | FF15 23242300 | call qword ptr ds:[<&Ordinal#1489>] |
00007FF68FE6626D | 48:8BD8 | mov rbx,rax |
00007FF68FE66270 | 48:8945 80 | mov qword ptr ss:[rbp-80],rax |
00007FF68FE66274 | 48:85C0 | test rax,rax |
00007FF68FE66277 | 74 16 | je 原版.7FF68FE6628F |
00007FF68FE66279 | 48:8D05 10E92700 | lea rax,qword ptr ds:[<&JMP.&_purecall>] |
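Surprisingly, both A and B were skipped entirely.
When locating this spot, note that Shift+F9 (pass the exception) and Ctrl+F8 (step over) have to be used together, like cavalry and infantry working in concert.
The dumbest method is simply to try several times. We patch with Ctrl+P and first save a copy: 【原版加跳过了注册框和启动等待提示.exe】 (original plus skipping the registration box and the startup wait prompt).
Next, we kill the call that writes regkey.xml. As mentioned earlier, you can use Ctrl+N, config xxx.dll, and search for write; this takes patience and care.
Eventually you arrive at a spot not far above; this is clearly in the middle of writing regkey.xml. While debugging you will see the stages of preparing the file buffer in memory, creating the empty file, and writing the whole file.
Finally, NOP out 00007FF87F0F33F3 and that's it.
Lastly, let's deal with the [trial] wording in the title at the top.
Then we locate it using the string and set a breakpoint.
Then we arrive at the following place:
00007FF796441500 <原版fil | 48:895C24 18 | mov qword ptr ss:[rsp+18],rbx |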
00007FF796441505 | 48:897424 20 | mov qword ptr ss:[rsp+20],rsi |
00007FF79644150A | 55 | push rbp |
00007FF79644150B | 57 | push rdi |
00007FF79644150C | 41:56 | push r14 |
00007FF79644150E | 48:8D6C24 90 | lea rbp,qword ptr ss:[rsp-70] | [rsp-70]:L"Crash handler was already installed for current thread."
00007FF796441513 | 48:81EC 70010000 | sub rsp,170 |
00007FF79644151A | 48:8B05 FF0A4100 | mov rax,qword ptr ds:[7FF796852020] |
00007FF796441521 | 48:33C4 | xor rax,rsp |
00007FF796441524 | 48:8945 60 | mov qword ptr ss:[rbp+60],rax |
00007FF796441528 | 48:8BDA | mov rbx,rdx |
00007FF79644152B | 48:8BF9 | mov rdi,rcx |
00007FF79644152E | 48:895424 30 | mov qword ptr ss:[rsp+30],rdx |
00007FF796441533 | 45:33F6 | xor r14d,r14d |
00007FF796441536 | 44:897424 20 | mov dword ptr ss:[rsp+20],r14d |
00007FF79644153B | 4C:8975 50 | mov qword ptr ss:[rbp+50],r14 |
00007FF79644153F | 4C:8975 58 | mov qword ptr ss:[rbp+58],r14 |
00007FF796441543 | 4C:8975 50 | mov qword ptr ss:[rbp+50],r14 |
00007FF796441547 | 48:C745 58 07000000 | mov qword ptr ss:[rbp+58],7 |
00007FF79644154F | 6644:8975 40 | mov word ptr ss:[rbp+40],r14w |
00007FF796441554 | 48:8D5424 28 | lea rdx,qword ptr ss:[rsp+28] |
00007FF796441559 | E8 E27FFFFF | call <原版加跳过了注册框和启动等待提示.sub_7FF7964395 |
00007FF79644155E | 8B4424 28 | mov eax,dword ptr ss:[rsp+28] |
00007FF796441562 | 0FB6C8 | movzx ecx,al |
00007FF796441565 | 41:8D76 04 | lea esi,qword ptr ds:[r14+4] |
00007FF796441569 | 80E1 01 | and cl,1 |
00007FF79644156C | 75 15 | jne 原版加跳过了注册框和启动等待提示.7FF796441583 |
00007FF79644156E | A8 02 | test al,2 |
00007FF796441570 | 75 27 | jne 原版加跳过了注册框和启动等待提示.7FF796441599 |
00007FF796441572 | 40:84C6 | test sil,al |
00007FF796441575 | 74 22 | je 原版加跳过了注册框和启动等待提示.7FF796441599 |
00007FF796441577 | 44:8BC6 | mov r8d,esi |
00007FF79644157A | 48:8D15 777C2E00 | lea rdx,qword ptr ds:[7FF7967291F8] | 00007FF7967291F8:L"LITE"
00007FF796441581 | EB 0D | jmp 原版加跳过了注册框和启动等待提示.7FF796441590 |
00007FF796441583 | 41:B8 05000000 | mov r8d,5 |
00007FF796441589 | 48:8D15 787C2E00 | lea rdx,qword ptr ds:[7FF796729208] | 00007FF796729208:L"TRIAL"
Going to the start of the function, we find the call site above!
There are subtle relationships between the instructions in the code below.
00007FF796441500 < | 48:895C24 18 | mov qword ptr ss:[rsp+18],rbx | return 1
00007FF796441505 | 48:897424 20 | mov qword ptr ss:[rsp+20],rsi |
00007FF79644150A | 55 | push rbp |
00007FF79644150B | 57 | push rdi |
00007FF79644150C | 41:56 | push r14 |
00007FF79644150E | 48:8D6C24 90 | lea rbp,qword ptr ss:[rsp-70] | [rsp-70]:"儅@"
00007FF796441513 | 48:81EC 70010000 | sub rsp,170 |
00007FF79644151A | 48:8B05 FF0A4100 | mov rax,qword ptr ds:[7FF796852020] |
00007FF796441521 | 48:33C4 | xor rax,rsp |
00007FF796441524 | 48:8945 60 | mov qword ptr ss:[rbp+60],rax |
00007FF796441528 | 48:8BDA | mov rbx,rdx |
00007FF79644152B | 48:8BF9 | mov rdi,rcx |
00007FF79644152E | 48:895424 30 | mov qword ptr ss:[rsp+30],rdx |
00007FF796441533 | 45:33F6 | xor r14d,r14d |
00007FF796441536 | 44:897424 20 | mov dword ptr ss:[rsp+20],r14d |
00007FF79644153B | 4C:8975 50 | mov qword ptr ss:[rbp+50],r14 |
00007FF79644153F | 4C:8975 58 | mov qword ptr ss:[rbp+58],r14 |
00007FF796441543 | 4C:8975 50 | mov qword ptr ss:[rbp+50],r14 |
00007FF796441547 | 48:C745 58 07000000 | mov qword ptr ss:[rbp+58],7 |
00007FF79644154F | 6644:8975 40 | mov word ptr ss:[rbp+40],r14w |
00007FF796441554 | 48:8D5424 28 | lea rdx,qword ptr ss:[rsp+28] |
00007FF796441559 | E8 E27FFFFF | call <原版.sub_7FF7964 | What happens if al returns 1 here?
00007FF79644155E | 8B4424 28 | mov eax,dword ptr ss:[rsp+28] |
00007FF796441562 | 0FB6C8 | movzx ecx,al |
00007FF796441565 | 41:8D76 04 | lea esi,qword ptr ds:[r14+4] |
00007FF796441569 | 80E1 01 | and cl,1 |
00007FF79644156C | 75 15 | jne 原版.7FF796441583 | NOP
00007FF79644156E | A8 02 | test al,2 |
00007FF796441570 | 75 27 | jne 原版.7FF796441599 | nop
00007FF796441572 | 40:84C6 | test sil,al |
00007FF796441575 | 74 22 | je 原版.7FF796441599 | nop
00007FF796441577 | 44:8BC6 | mov r8d,esi |
00007FF79644157A | 48:8D15 777C2E00 | lea rdx,qword ptr ds:[7FF7967291F8] | 00007FF7967291F8:L"LITE"
00007FF796441581 | EB 0D | jmp 原版.7FF796441590 | this is the trial wording
00007FF796441583 | 41:B8 05000000 | mov r8d,5 |
00007FF796441589 | 48:8D15 787C2E00 | lea rdx,qword ptr ds:[7FF796729208] | 00007FF796729208:L"TRIAL"
00007FF796441590 | 48:8D4D 40 | lea rcx,qword ptr ss:[rbp+40] |
00007FF796441594 | E8 8731FEFF | call 原版.7FF796424720 |
00007FF796441599 | 48:8D5424 28 | lea rdx,qword ptr ss:[rsp+28] |
00007FF79644159E | 48:8BCF | mov rcx,rdi |
00007FF7964415A1 | E8 9A7FFFFF | call <原版.sub_7FF7964 |
00007FF7964415A6 | 8B7C24 28 | mov edi,dword ptr ss:[rsp+28] |
00007FF7964415AA | 83E7 10 | and edi,10 |
00007FF7964415AD | 48:837D 50 00 | cmp qword ptr ss:[rbp+50],0 |
00007FF7964415B2 | 90 | nop |====》NOP
00007FF7964415B3 | 90 | nop |====》NOP
00007FF7964415B4 | 85FF | test edi,edi |
00007FF7964415B6 | 90 | nop |====》NOP
00007FF7964415B7 | 90 | nop |====》NOP
00007FF7964415B8 | 4C:8973 10 | mov qword ptr ds:[rbx+10],r14 |
00007FF7964415BC | 48:C743 18 07000000 | mov qword ptr ds:[rbx+18],7 |
00007FF7964415C4 | 6644:8933 | mov word ptr ds:[rbx],r14w |
00007FF7964415C8 | 45:33C0 | xor r8d,r8d |
00007FF7964415CB | 48:8D15 06152D00 | lea rdx,qword ptr ds:[7FF796712AD8] |
00007FF7964415D2 | 48:8BCB | mov rcx,rbx |
00007FF7964415D5 | E8 4631FEFF | call 原版.7FF796424720 |
00007FF7964415DA | C74424 20 01000000 | mov dword ptr ss:[rsp+20],1 |
00007FF7964415E2 | E9 5E010000 | jmp 原版.7FF796441745 |
00007FF7964415E7 | 48:8D4C24 40 | lea rcx,qword ptr ss:[rsp+40] |
00007FF7964415EC | E8 3FB1FEFF | call <原版.sub_7FF7964 |
00007FF7964415F1 | 90 | nop |
00007FF7964415F2 | 48:8D15 1B7C2E00 | lea rdx,qword ptr ds:[7FF796729214] | 00007FF796729214:L"["
00007FF7964415F9 | 48:8D4C24 50 | lea rcx,qword ptr ss:[rsp+50] |
00007FF7964415FE | E8 4DC4FEFF | call <原版.sub_7FF7964 |
00007FF796441603 | 48:8BC8 | mov rcx,rax |
00007FF796441606 | 48:8D55 40 | lea rdx,qword ptr ss:[rbp+40] |
00007FF79644160A | E8 F195FEFF | call <原版.sub_7FF7964 |
00007FF79644160F | 85FF | test edi,edi |
00007FF796441611 | 74 3F | je 原版.7FF796441652 |
00007FF796441613 | 48:8B0D BE834200 | mov rcx,qword ptr ds:[7FF7968699D8] |
00007FF79644161A | 48:85C9 | test rcx,rcx |
00007FF79644161D | 74 10 | je 原版.7FF79644162F |
00007FF79644161F | 48:8B01 | mov rax,qword ptr ds:[rcx] |
00007FF796441622 | BA 90030000 | mov edx,390 |
00007FF796441627 | FF50 58 | call qword ptr ds:[rax+58] |
00007FF79644162A | 48:8BF8 | mov rdi,rax |
00007FF79644162D | EB 07 | jmp 原版.7FF796441636 |
00007FF79644162F | 48:8D3D 12152D00 | lea rdi,qword ptr ds:[7FF796712B48] | 00007FF796712B48:L"<no language>"
00007FF796441636 | 48:8D15 DB7B2E00 | lea rdx,qword ptr ds:[7FF796729218] | 00007FF796729218:L" * "
00007FF79644163D | 48:8D4C24 50 | lea rcx,qword ptr ss:[rsp+50] |
00007FF796441642 | E8 09C4FEFF | call <原版.sub_7FF7964 |
00007FF796441647 | 48:8BC8 | mov rcx,rax |
00007FF79644164A | 48:8BD7 | mov rdx,rdi |
00007FF79644164D | E8 FEC3FEFF | call <原版.sub_7FF7964 |
00007FF796441652 | 48:8D15 C77B2E00 | lea rdx,qword ptr ds:[7FF796729220] | 00007FF796729220:L"]"
00007FF796441659 | 48:8D4C24 50 | lea rcx,qword ptr ss:[rsp+50] |
00007FF79644165E | E8 EDC3FEFF | call <原版.sub_7FF7964 |
00007FF796441663 | 90 | nop |
00007FF796441664 | 4C:8973 10 | mov qword ptr ds:[rbx+10],r14 |
00007FF796441668 | 48:C743 18 07000000 | mov qword ptr ds:[rbx+18],7 |
00007FF796441670 | 6644:8933 | mov word ptr ds:[rbx],r14w |
00007FF796441674 | 897424 20 | mov dword ptr ss:[rsp+20],esi |
00007FF796441678 | 48:8B4D C8 | mov rcx,qword ptr ss:[rbp-38] |
00007FF79644167C | F6C1 02 | test cl,2 |
00007FF79644167F | 75 22 | jne 原版.7FF7964416A3 |
00007FF796441681 | 48:8B45 98 | mov rax,qword ptr ss:[rbp-68] |
00007FF796441685 | 4C:8B00 | mov r8,qword ptr ds:[rax] |
00007FF796441688 | 4D:85C0 | test r8,r8 |
00007FF79644168B | 74 16 | je 原版.7FF7964416A3 |
00007FF79644168D | 48:8B4424 78 | mov rax,qword ptr ss:[rsp+78] |
00007FF796441692 | 48:8B10 | mov rdx,qword ptr ds:[rax] |
00007FF796441695 | 4C:3B45 C0 | cmp r8,qword ptr ss:[rbp-40] |
00007FF796441699 | 4C:0F4245 C0 | cmovb r8,qword ptr ss:[rbp-40] |
00007FF79644169E | 4C:2BC2 | sub r8,rdx |
00007FF7964416A1 | EB 29 | jmp 原版.7FF7964416CC |
00007FF7964416A3 | F6C1 04 | test cl,4 |
00007FF7964416A6 | 75 2F | jne 原版.7FF7964416D7 |
00007FF7964416A8 | 48:8B45 90 | mov rax,qword ptr ss:[rbp-70] |
00007FF7964416AC | 48:8B08 | mov rcx,qword ptr ds:[rax] |
00007FF7964416AF | 48:85C9 | test rcx,rcx |
00007FF7964416B2 | 74 23 | je 原版.7FF7964416D7 |
00007FF7964416B4 | 48:8B4424 70 | mov rax,qword ptr ss:[rsp+70] |
00007FF7964416B9 | 48:8B10 | mov rdx,qword ptr ds:[rax] |
00007FF7964416BC | 48:8B45 A8 | mov rax,qword ptr ss:[rbp-58] |
00007FF7964416C0 | 4C:6300 | movsxd r8,dword ptr ds:[rax] |
00007FF7964416C3 | 4D:03C0 | add r8,r8 |
00007FF7964416C6 | 4C:2BC2 | sub r8,rdx |
00007FF7964416C9 | 4C:03C1 | add r8,rcx |
00007FF7964416CC | 49:D1F8 | sar r8,1 |
00007FF7964416CF | 48:8BCB | mov rcx,rbx |
00007FF7964416D2 | E8 4930FEFF | call 原版.7FF796424720 |
00007FF7964416D7 | 83E6 FB | and esi,FFFFFFFB |
00007FF7964416DA | 897424 20 | mov dword ptr ss:[rsp+20],esi |
00007FF7964416DE | 83CE 02 | or esi,2 |
00007FF7964416E1 | 897424 20 | mov dword ptr ss:[rsp+20],esi |
00007FF7964416E5 | 83E6 FD | and esi,FFFFFFFD |
00007FF7964416E8 | 897424 20 | mov dword ptr ss:[rsp+20],esi |
00007FF7964416EC | 83CE 01 | or esi,1 |
00007FF7964416EF | 897424 20 | mov dword ptr ss:[rsp+20],esi |
00007FF7964416F3 | 48:8D45 D8 | lea rax,qword ptr ss:[rbp-28] |
00007FF7964416F7 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FF7964416FC | 48:8B4424 40 | mov rax,qword ptr ss:[rsp+40] |
00007FF796441701 | 48:6348 04 | movsxd rcx,dword ptr ds:[rax+4] |
00007FF796441705 | 48:8D05 04342D00 | lea rax,qword ptr ds:[<&sub_7FF79642C82C>] |
00007FF79644170C | 48:89440C 40 | mov qword ptr ss:[rsp+rcx+40],rax |
00007FF796441711 | 48:8B4424 40 | mov rax,qword ptr ss:[rsp+40] |
00007FF796441716 | 48:6348 04 | movsxd rcx,dword ptr ds:[rax+4] |
00007FF79644171A | 8D91 68FFFFFF | lea edx,qword ptr ds:[rcx-98] |
00007FF796441720 | 89540C 3C | mov dword ptr ss:[rsp+rcx+3C],edx |
00007FF796441724 | 48:8D4C24 58 | lea rcx,qword ptr ss:[rsp+58] |
00007FF796441729 | E8 72B7FEFF | call <原版.sub_7FF7964 |
00007FF79644172E | 90 | nop |
00007FF79644172F | 48:8D4C24 60 | lea rcx,qword ptr ss:[rsp+60] |
00007FF796441734 | FF15 F6402B00 | call qword ptr ds:[<&??1?$basic_iostream@_WU?$ch |
00007FF79644173A | 48:8D4D D8 | lea rcx,qword ptr ss:[rbp-28] |
00007FF79644173E | FF15 4C412B00 | call qword ptr ds:[<&??1?$basic_ios@_WU?$char_tr |
00007FF796441744 | 90 | nop |
00007FF796441745 | 48:8B55 58 | mov rdx,qword ptr ss:[rbp+58] |
00007FF796441749 | 48:83FA 08 | cmp rdx,8 |
00007FF79644174D | 72 11 | jb 原版.7FF796441760 |
00007FF79644174F | 48:8D1455 02000000 | lea rdx,qword ptr ds:[rdx*2+2] |
00007FF796441757 | 48:8B4D 40 | mov rcx,qword ptr ss:[rbp+40] |
00007FF79644175B | E8 4032FEFF | call 原版.7FF7964249A0 |
00007FF796441760 | 4C:8975 50 | mov qword ptr ss:[rbp+50],r14 |
00007FF796441764 | 48:C745 58 07000000 | mov qword ptr ss:[rbp+58],7 |
00007FF79644176C | 6644:8975 40 | mov word ptr ss:[rbp+40],r14w |
00007FF796441771 | 48:8BC3 | mov rax,rbx |
00007FF796441774 | 48:8B4D 60 | mov rcx,qword ptr ss:[rbp+60] |
00007FF796441778 | 48:33CC | xor rcx,rsp |
00007FF79644177B | E8 D0021000 | call 原版.7FF796541A50 |
00007FF796441780 | 4C:8D9C24 70010000 | lea r11,qword ptr ss:[rsp+170] |
00007FF796441788 | 49:8B5B 30 | mov rbx,qword ptr ds:[r11+30] |
00007FF79644178C | 49:8B73 38 | mov rsi,qword ptr ds:[r11+38] |
00007FF796441790 | 49:8BE3 | mov rsp,r11 |
00007FF796441793 | 41:5E | pop r14 |
00007FF796441795 | 5F | pop rdi |
00007FF796441796 | 5D | pop rbp |
00007FF796441797 | C3 | ret |
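The modifications are finally done; this is how it looks. Putting on all this mosaic wore me out.
If you want to make a knock-off registered version, modify the file above.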
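The flag handling at 7FF68FE66203..7FF68FE66230 and the tag selection at 7FF796441562..7FF796441589 in the unpatched listing, rewritten in C as an added example (not part of the original post and not the vendor's source; all function names are hypothetical). It shows how the `and al,4 / neg al / sbb eax,eax / and eax,3` idiom reads in source form and checks the readable version against an instruction-level model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Readable form of 7FF68FE66207..7FF68FE66227: the lowest set bit of
 * bits 0..2 wins. Function names here are hypothetical. */
static int decode_state(uint32_t flags)
{
    if (flags & 1) return 1;
    if (flags & 2) return 2;
    return (flags & 4) ? 3 : 0;
}

/* Instruction-by-instruction model of the same range, including the
 * branchless tail: and al,4 / neg al / sbb eax,eax / and eax,3. */
static int decode_state_asm(uint32_t flags)
{
    uint8_t al = (uint8_t)flags;   /* only the low byte is tested */
    if (al & 1) return 1;          /* and cl,1 ; je ; mov eax,1 */
    if (al & 2) return 2;          /* test al,2 ; je ; mov eax,2 */
    al &= 4;                       /* and al,4 */
    uint32_t cf = (al != 0);       /* neg al: CF = (operand != 0) */
    uint32_t eax = 0u - cf;        /* sbb eax,eax: 0 or 0xFFFFFFFF */
    return (int)(eax & 3);         /* and eax,3 */
}

/* cmp eax,1 ; sete al ; mov byte ptr ds:[r13+370],al */
static int state_is_one(uint32_t flags)
{
    return decode_state(flags) == 1;
}

/* Tag chosen at 7FF796441562..7FF796441589 in the unpatched listing. */
static const char *title_tag(uint32_t flags)
{
    if (flags & 1) return "TRIAL"; /* jne -> r8d=5, L"TRIAL" */
    if (flags & 2) return "";      /* jne past the tag copy */
    if (flags & 4) return "LITE";  /* test sil,al with sil=4 */
    return "";
}

/* Returns 1 when both decoders agree for every possible low byte. */
static int models_agree(void)
{
    for (uint32_t f = 0; f < 256; f++)
        if (decode_state(f) != decode_state_asm(f)) return 0;
    return 1;
}

int main(void)
{
    for (uint32_t f = 0; f < 8; f++)
        printf("flags=%u state=%d is_one=%d tag=\"%s\"\n", (unsigned)f,
               decode_state(f), state_is_one(f), title_tag(f));
    printf("models agree: %d\n", models_agree());
    return 0;
}
```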