This post was last edited by 冥界3大法王 on 2021-2-14 11:04
First, let's look at 四哈's directory structure (no packer):
Installation works the same way: if the option is checked during install, it also installs a batch of programs under it, roughly three or four of them.
Next, let's look at how it behaves after launch:
On startup a registration dialog pops up with [Purchase] [Activate] [Continue].
Did everyone notice? There's a place to enter an online account.
Clicking the middle one, [Activate], gets you a temporary trial.
Check the current processes and you'll find the [store peripheral programs].
Next, let's draw a simple flowchart~~
Is it fairly clear to everyone now?
Now let's get hands-on and crack it.
Step 1: first check whether any "dirty processes or dirty services" are running; delete them or move them to the recycle bin.
Step 2: delete the [store folder].
Step 3: load it in x64dbg and press F9 to run; whenever an exception comes up along the way, press Shift+F9.
Step 4: let the registration dialog from above pop up, then pause the program and look at the call stack.
The call stack at this point is shown in the figure.
By international convention the first three highlighted entries are usually enough; press Enter to follow each one and set breakpoints.
Restart with Ctrl+F2. Also open Process Monitor and capture this process.
Filter on the monitored process name; capturing only registry activity is enough.
We then get the following two key registry values:
HKEY_CURRENT_USER\Software\四哈\Licenses\CDMM\License-1
HKEY_CURRENT_USER\Software\四哈\Licenses\CDMM\URL-1
Note that the result shown after them is NAME NOT FOUND.
Then open RegWorkshop and paste in the two full registry paths above; if it prompts to [Create new], press Enter and confirm.
Next, back to the main venue, x64dbg: restart as before... and continue...
At this point we break at
0000000140A8A2B4 | FFD3 | call rbx | the registration dialog pops up here
Then Ctrl+A to analyse the program, and Ctrl+- to go to the function start.
0000000140A89B40 | 48:8BC4 | mov rax,rsp | this is the function start!
0000000140A89B43 | 55 | push rbp |
0000000140A89B44 | 41:54 | push r12 | r12:sub_14092DD50
0000000140A89B46 | 41:55 | push r13 |
0000000140A89B48 | 41:56 | push r14 | r14:"MZ?"
0000000140A89B4A | 41:57 | push r15 |
0000000140A89B4C | 48:8DA8 78FEFFFF | lea rbp,qword ptr ds:[rax-188] | rax-188:sub_14092DA90+138
0000000140A89B53 | 48:81EC 60020000 | sub rsp,260 |
0000000140A89B5A | 48:C745 F0 FEFFFFFF | mov qword ptr ss:[rbp-10],FFFFFFFFFFFF |
0000000140A89B62 | 48:8958 08 | mov qword ptr ds:[rax+8],rbx | rax+8:sub_14092DD50+8
0000000140A89B66 | 48:8970 10 | mov qword ptr ds:[rax+10],rsi | rax+10:sub_14092DD60
0000000140A89B6A | 48:8978 18 | mov qword ptr ds:[rax+18],rdi | rax+18:sub_14092DD60+8
0000000140A89B6E | 48:8B05 4B919F00 | mov rax,qword ptr ds:[141482CC0] | rax:sub_14092DD50
0000000140A89B75 | 48:33C4 | xor rax,rsp | rax:sub_14092DD50
0000000140A89B78 | 48:8985 50010000 | mov qword ptr ss:[rbp+150],rax | rax:sub_14092DD50
0000000140A89B7F | 48:8BD9 | mov rbx,rcx | rcx:"MZ?"
0000000140A89B82 | 48:894D C8 | mov qword ptr ss:[rbp-38],rcx |
0000000140A89B86 | 33FF | xor edi,edi |
0000000140A89B88 | 897C24 40 | mov dword ptr ss:[rsp+40],edi |
0000000140A89B8C | 33D2 | xor edx,edx |
0000000140A89B8E | 41:B8 9C000000 | mov r8d,9C |
0000000140A89B94 | 48:8D4D 64 | lea rcx,qword ptr ss:[rbp+64] |
0000000140A89B98 | E8 4343ECFF | call 四哈.14094DEE0 |
0000000140A89B9D | C745 60 A0000000 | mov dword ptr ss:[rbp+60],A0 |
0000000140A89BA4 | 48:897D 6C | mov qword ptr ss:[rbp+6C],rdi |
0000000140A89BA8 | C745 74 10000000 | mov dword ptr ss:[rbp+74],10 |
0000000140A89BAF | 48:C785 84000000 037F0000 | mov qword ptr ss:[rbp+84],7F03 |
0000000140A89BBA | 48:C745 7C 80000000 | mov qword ptr ss:[rbp+7C],80 |
0000000140A89BC2 | 48:8D05 57080000 | lea rax,qword ptr ds:[<sub_140A8A420>] | rax:sub_14092DD50
0000000140A89BC9 | 48:8985 EC000000 | mov qword ptr ss:[rbp+EC],rax | rax:sub_14092DD50
0000000140A89BD0 | 48:897D A8 | mov qword ptr ss:[rbp-58],rdi |
0000000140A89BD4 | 48:897D B0 | mov qword ptr ss:[rbp-50],rdi |
0000000140A89BD8 | 0F57C0 | xorps xmm0,xmm0 |
0000000140A89BDB | F3:0F7F45 B8 | movdqu xmmword ptr ss:[rbp-48],xmm0 |
0000000140A89BE0 | 8BF7 | mov esi,edi |
0000000140A89BE2 | 48:897D D0 | mov qword ptr ss:[rbp-30],rdi |
0000000140A89BE6 | 48:897D D8 | mov qword ptr ss:[rbp-28],rdi |
0000000140A89BEA | F3:0F7F45 E0 | movdqu xmmword ptr ss:[rbp-20],xmm0 |
0000000140A89BEF | 44:8BE7 | mov r12d,edi |
0000000140A89BF2 | 48:897D 88 | mov qword ptr ss:[rbp-78],rdi |
0000000140A89BF6 | 48:897D 90 | mov qword ptr ss:[rbp-70],rdi |
0000000140A89BFA | F3:0F7F45 98 | movdqu xmmword ptr ss:[rbp-68],xmm0 |
0000000140A89BFF | 44:8BFF | mov r15d,edi |
0000000140A89C02 | 48:897C24 68 | mov qword ptr ss:[rsp+68],rdi |
0000000140A89C07 | 48:897C24 70 | mov qword ptr ss:[rsp+70],rdi |
0000000140A89C0C | F3:0F7F4424 78 | movdqu xmmword ptr ss:[rsp+78],xmm0 |
0000000140A89C12 | 44:8BF7 | mov r14d,edi |
0000000140A89C15 | 48:897C24 48 | mov qword ptr ss:[rsp+48],rdi |
0000000140A89C1A | 48:897C24 50 | mov qword ptr ss:[rsp+50],rdi |
0000000140A89C1F | F3:0F7F4424 58 | movdqu xmmword ptr ss:[rsp+58],xmm0 |
0000000140A89C25 | E8 2615FDFF | call <四哈.sub_140A5B150> |
0000000140A89C2A | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89C2D | E8 CE08FDFF | call <四哈.sub_140A5A500> |
0000000140A89C32 | 4C:8D2D 87B86A00 | lea r13,qword ptr ds:[1411354C0] |
0000000140A89C39 | 83F8 02 | cmp eax,2 |
0000000140A89C3C | 0F85 4D020000 | jne 四哈.140A89E8F |
0000000140A89C42 | E8 09412A00 | call <四哈.sub_140D2DD50> |
0000000140A89C47 | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89C4A | 4C:8D05 4F976300 | lea r8,qword ptr ds:[1410C33A0] | 00000001410C33A0:"LM_PURCHASE_BUTTON"
0000000140A89C51 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89C56 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89C59 | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89C5D | 90 | nop |
0000000140A89C5E | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89C61 | 48:8D4D 88 | lea rcx,qword ptr ss:[rbp-78] |
0000000140A89C65 | E8 E63F79FF | call <四哈.sub_14021DC50> |
0000000140A89C6A | 90 | nop |
0000000140A89C6B | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89C70 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89C73 | 74 05 | je 四哈.140A89C7A |
0000000140A89C75 | E8 46C38BFF | call <四哈.sub_140345FC0> |
0000000140A89C7A | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89C7F | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89C82 | 74 0A | je 四哈.140A89C8E |
0000000140A89C84 | BA 01000000 | mov edx,1 |
0000000140A89C89 | E8 42A962FF | call <四哈.sub_1400B45D0> |
0000000140A89C8E | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89C93 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89C96 | 74 0A | je 四哈.140A89CA2 |
0000000140A89C98 | BA 01000000 | mov edx,1 |
0000000140A89C9D | E8 2EA962FF | call <四哈.sub_1400B45D0> |
0000000140A89CA2 | E8 A9402A00 | call <四哈.sub_140D2DD50> |
0000000140A89CA7 | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89CAA | 4C:8D05 A7966300 | lea r8,qword ptr ds:[1410C3358] | 00000001410C3358:"LM_ACTIVATE_LICENSE"
0000000140A89CB1 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89CB6 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89CB9 | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89CBD | 90 | nop |
0000000140A89CBE | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89CC1 | 48:8D4C24 68 | lea rcx,qword ptr ss:[rsp+68] |
0000000140A89CC6 | E8 853F79FF | call <四哈.sub_14021DC50> |
0000000140A89CCB | 90 | nop |
0000000140A89CCC | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89CD1 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89CD4 | 74 05 | je 四哈.140A89CDB |
0000000140A89CD6 | E8 E5C28BFF | call <四哈.sub_140345FC0> |
0000000140A89CDB | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89CE0 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89CE3 | 74 0A | je 四哈.140A89CEF |
0000000140A89CE5 | BA 01000000 | mov edx,1 |
0000000140A89CEA | E8 E1A862FF | call <四哈.sub_1400B45D0> |
0000000140A89CEF | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89CF4 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89CF7 | 74 0A | je 四哈.140A89D03 |
0000000140A89CF9 | BA 01000000 | mov edx,1 |
0000000140A89CFE | E8 CDA862FF | call <四哈.sub_1400B45D0> |
0000000140A89D03 | E8 48402A00 | call <四哈.sub_140D2DD50> |
0000000140A89D08 | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89D0B | 4C:8D05 5E966300 | lea r8,qword ptr ds:[1410C3370] | 00000001410C3370:"WLM_CONTINUE_IN_DEMO_MODE"
0000000140A89D12 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89D17 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89D1A | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89D1E | 90 | nop |
0000000140A89D1F | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89D22 | 48:8D4C24 48 | lea rcx,qword ptr ss:[rsp+48] |
0000000140A89D27 | E8 243F79FF | call <四哈.sub_14021DC50> |
0000000140A89D2C | 90 | nop |
0000000140A89D2D | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89D32 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89D35 | 74 05 | je 四哈.140A89D3C |
0000000140A89D37 | E8 84C28BFF | call <四哈.sub_140345FC0> |
0000000140A89D3C | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89D41 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89D44 | 74 0A | je 四哈.140A89D50 |
0000000140A89D46 | BA 01000000 | mov edx,1 |
0000000140A89D4B | E8 80A862FF | call <四哈.sub_1400B45D0> |
0000000140A89D50 | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89D55 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89D58 | 74 0A | je 四哈.140A89D64 |
0000000140A89D5A | BA 01000000 | mov edx,1 |
0000000140A89D5F | E8 6CA862FF | call <四哈.sub_1400B45D0> |
0000000140A89D64 | C785 00010000 EC030000 | mov dword ptr ss:[rbp+100],3EC |
0000000140A89D6E | 49:8BC5 | mov rax,r13 | rax:sub_14092DD50
0000000140A89D71 | 4C:8B65 88 | mov r12,qword ptr ss:[rbp-78] | r12:sub_14092DD50
0000000140A89D75 | 4D:85E4 | test r12,r12 | r12:sub_14092DD50
0000000140A89D78 | 49:0F45C4 | cmovne rax,r12 | rax:sub_14092DD50, r12:sub_14092DD50
0000000140A89D7C | 48:8985 04010000 | mov qword ptr ss:[rbp+104],rax | rax:sub_14092DD50
0000000140A89D83 | C785 0C010000 EB030000 | mov dword ptr ss:[rbp+10C],3EB |
0000000140A89D8D | 49:8BC5 | mov rax,r13 | rax:sub_14092DD50
0000000140A89D90 | 4C:8B7C24 68 | mov r15,qword ptr ss:[rsp+68] |
0000000140A89D95 | 4D:85FF | test r15,r15 |
0000000140A89D98 | 49:0F45C7 | cmovne rax,r15 | rax:sub_14092DD50
0000000140A89D9C | 48:8985 10010000 | mov qword ptr ss:[rbp+110],rax | rax:sub_14092DD50
0000000140A89DA3 | C785 18010000 01000000 | mov dword ptr ss:[rbp+118],1 |
0000000140A89DAD | 49:8BC5 | mov rax,r13 | rax:sub_14092DD50
0000000140A89DB0 | 4C:8B7424 48 | mov r14,qword ptr ss:[rsp+48] |
0000000140A89DB5 | 4D:85F6 | test r14,r14 | r14:"MZ?"
0000000140A89DB8 | 49:0F45C6 | cmovne rax,r14 | rax:sub_14092DD50, r14:"MZ?"
0000000140A89DBC | 48:8985 1C010000 | mov qword ptr ss:[rbp+11C],rax | rax:sub_14092DD50
0000000140A89DC3 | E8 883F2A00 | call <四哈.sub_140D2DD50> |
0000000140A89DC8 | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89DCB | 4C:8D05 16966300 | lea r8,qword ptr ds:[1410C33E8] | 00000001410C33E8:"LM_EXPIRED_MODE"
0000000140A89DD2 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89DD7 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89DDA | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89DDE | 90 | nop |
0000000140A89DDF | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89DE2 | 48:8D4D D0 | lea rcx,qword ptr ss:[rbp-30] |
0000000140A89DE6 | E8 653E79FF | call <四哈.sub_14021DC50> |
0000000140A89DEB | 90 | nop |
0000000140A89DEC | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89DF1 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89DF4 | 74 05 | je 四哈.140A89DFB |
0000000140A89DF6 | E8 C5C18BFF | call <四哈.sub_140345FC0> |
0000000140A89DFB | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89E00 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89E03 | 74 0A | je 四哈.140A89E0F |
0000000140A89E05 | BA 01000000 | mov edx,1 |
0000000140A89E0A | E8 C1A762FF | call <四哈.sub_1400B45D0> |
0000000140A89E0F | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89E14 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89E17 | 74 0A | je 四哈.140A89E23 |
0000000140A89E19 | BA 01000000 | mov edx,1 |
0000000140A89E1E | E8 ADA762FF | call <四哈.sub_1400B45D0> |
0000000140A89E23 | E8 283F2A00 | call <四哈.sub_140D2DD50> |
0000000140A89E28 | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89E2B | 4C:8D05 C6956300 | lea r8,qword ptr ds:[1410C33F8] | 00000001410C33F8:"LM_EXPIRED_MODE_DESCRIPTION"
0000000140A89E32 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89E37 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89E3A | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89E3E | 90 | nop |
0000000140A89E3F | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89E42 | 48:8D4D A8 | lea rcx,qword ptr ss:[rbp-58] |
0000000140A89E46 | E8 053E79FF | call <四哈.sub_14021DC50> |
0000000140A89E4B | 90 | nop |
0000000140A89E4C | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89E51 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89E54 | 74 05 | je 四哈.140A89E5B |
0000000140A89E56 | E8 65C18BFF | call <四哈.sub_140345FC0> |
0000000140A89E5B | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89E60 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89E63 | 74 0A | je 四哈.140A89E6F |
0000000140A89E65 | BA 01000000 | mov edx,1 |
0000000140A89E6A | E8 61A762FF | call <四哈.sub_1400B45D0> |
0000000140A89E6F | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89E74 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89E77 | 74 0A | je 四哈.140A89E83 |
0000000140A89E79 | BA 01000000 | mov edx,1 |
0000000140A89E7E | E8 4DA762FF | call <四哈.sub_1400B45D0> |
0000000140A89E83 | 48:8D85 00010000 | lea rax,qword ptr ss:[rbp+100] | rax:sub_14092DD50
0000000140A89E8A | E9 9A030000 | jmp 四哈.140A8A229 |
0000000140A89E8F | 85C0 | test eax,eax |
0000000140A89E91 | 0F85 B3030000 | jne 四哈.140A8A24A |
0000000140A89E97 | E8 B43E2A00 | call <四哈.sub_140D2DD50> |
0000000140A89E9C | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89E9F | 4C:8D05 12956300 | lea r8,qword ptr ds:[1410C33B8] | 00000001410C33B8:"LM_PURCHASE_BUTTON"
0000000140A89EA6 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89EAB | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89EAE | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89EB2 | 90 | nop |
0000000140A89EB3 | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89EB6 | 48:8D4D 88 | lea rcx,qword ptr ss:[rbp-78] |
0000000140A89EBA | E8 913D79FF | call <四哈.sub_14021DC50> |
0000000140A89EBF | 90 | nop |
0000000140A89EC0 | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89EC5 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89EC8 | 74 05 | je 四哈.140A89ECF |
0000000140A89ECA | E8 F1C08BFF | call <四哈.sub_140345FC0> |
0000000140A89ECF | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89ED4 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89ED7 | 74 0A | je 四哈.140A89EE3 |
0000000140A89ED9 | BA 01000000 | mov edx,1 |
0000000140A89EDE | E8 EDA662FF | call <四哈.sub_1400B45D0> |
0000000140A89EE3 | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89EE8 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89EEB | 74 0A | je 四哈.140A89EF7 |
0000000140A89EED | BA 01000000 | mov edx,1 |
0000000140A89EF2 | E8 D9A662FF | call <四哈.sub_1400B45D0> |
0000000140A89EF7 | E8 543E2A00 | call <四哈.sub_140D2DD50> |
0000000140A89EFC | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89EFF | 4C:8D05 CA946300 | lea r8,qword ptr ds:[1410C33D0] | 00000001410C33D0:"LM_ACTIVATE_LICENSE"
0000000140A89F06 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89F0B | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89F0E | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89F12 | 90 | nop |
0000000140A89F13 | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89F16 | 48:8D4C24 68 | lea rcx,qword ptr ss:[rsp+68] |
0000000140A89F1B | E8 303D79FF | call <四哈.sub_14021DC50> |
0000000140A89F20 | 90 | nop |
0000000140A89F21 | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89F26 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89F29 | 74 05 | je 四哈.140A89F30 |
0000000140A89F2B | E8 90C08BFF | call <四哈.sub_140345FC0> |
0000000140A89F30 | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89F35 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89F38 | 74 0A | je 四哈.140A89F44 |
0000000140A89F3A | BA 01000000 | mov edx,1 |
0000000140A89F3F | E8 8CA662FF | call <四哈.sub_1400B45D0> |
0000000140A89F44 | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89F49 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89F4C | 74 0A | je 四哈.140A89F58 |
0000000140A89F4E | BA 01000000 | mov edx,1 |
0000000140A89F53 | E8 78A662FF | call <四哈.sub_1400B45D0> |
0000000140A89F58 | E8 F33D2A00 | call <四哈.sub_140D2DD50> |
0000000140A89F5D | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89F60 | 4C:8D05 B9926300 | lea r8,qword ptr ds:[1410C3220] | 00000001410C3220:"WLM_CONTINUE_IN_TIME_LIMITED_MODE"
0000000140A89F67 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89F6C | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A89F6F | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A89F73 | 90 | nop |
0000000140A89F74 | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A89F77 | 48:8D4C24 48 | lea rcx,qword ptr ss:[rsp+48] |
0000000140A89F7C | E8 CF3C79FF | call <四哈.sub_14021DC50> |
0000000140A89F81 | 90 | nop |
0000000140A89F82 | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A89F87 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89F8A | 74 05 | je 四哈.140A89F91 |
0000000140A89F8C | E8 2FC08BFF | call <四哈.sub_140345FC0> |
0000000140A89F91 | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A89F96 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89F99 | 74 0A | je 四哈.140A89FA5 |
0000000140A89F9B | BA 01000000 | mov edx,1 |
0000000140A89FA0 | E8 2BA662FF | call <四哈.sub_1400B45D0> |
0000000140A89FA5 | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A89FAA | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A89FAD | 74 0A | je 四哈.140A89FB9 |
0000000140A89FAF | BA 01000000 | mov edx,1 |
0000000140A89FB4 | E8 17A662FF | call <四哈.sub_1400B45D0> |
0000000140A89FB9 | C785 28010000 E9030000 | mov dword ptr ss:[rbp+128],3E9 |
0000000140A89FC3 | 49:8BC5 | mov rax,r13 | rax:sub_14092DD50
0000000140A89FC6 | 4C:8B65 88 | mov r12,qword ptr ss:[rbp-78] | r12:sub_14092DD50
0000000140A89FCA | 4D:85E4 | test r12,r12 | r12:sub_14092DD50
0000000140A89FCD | 49:0F45C4 | cmovne rax,r12 | rax:sub_14092DD50, r12:sub_14092DD50
0000000140A89FD1 | 48:8985 2C010000 | mov qword ptr ss:[rbp+12C],rax | rax:sub_14092DD50
0000000140A89FD8 | C785 34010000 EB030000 | mov dword ptr ss:[rbp+134],3EB |
0000000140A89FE2 | 49:8BC5 | mov rax,r13 | rax:sub_14092DD50
0000000140A89FE5 | 4C:8B7C24 68 | mov r15,qword ptr ss:[rsp+68] |
0000000140A89FEA | 4D:85FF | test r15,r15 |
0000000140A89FED | 49:0F45C7 | cmovne rax,r15 | rax:sub_14092DD50
0000000140A89FF1 | 48:8985 38010000 | mov qword ptr ss:[rbp+138],rax | rax:sub_14092DD50
0000000140A89FF8 | C785 40010000 01000000 | mov dword ptr ss:[rbp+140],1 |
0000000140A8A002 | 49:8BC5 | mov rax,r13 | rax:sub_14092DD50
0000000140A8A005 | 4C:8B7424 48 | mov r14,qword ptr ss:[rsp+48] |
0000000140A8A00A | 4D:85F6 | test r14,r14 | r14:"MZ?"
0000000140A8A00D | 49:0F45C6 | cmovne rax,r14 | rax:sub_14092DD50, r14:"MZ?"
0000000140A8A011 | 48:8985 44010000 | mov qword ptr ss:[rbp+144],rax | rax:sub_14092DD50
0000000140A8A018 | E8 333D2A00 | call <四哈.sub_140D2DD50> |
0000000140A8A01D | 4C:8B08 | mov r9,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A8A020 | 4C:8D05 21926300 | lea r8,qword ptr ds:[1410C3248] | 00000001410C3248:"LM_TIME_LIMITED_MODE"
0000000140A8A027 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A8A02C | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A8A02F | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A8A033 | 90 | nop |
0000000140A8A034 | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A8A037 | 48:8D4D D0 | lea rcx,qword ptr ss:[rbp-30] |
0000000140A8A03B | E8 103C79FF | call <四哈.sub_14021DC50> |
0000000140A8A040 | 90 | nop |
0000000140A8A041 | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A8A046 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A049 | 74 05 | je 四哈.140A8A050 |
0000000140A8A04B | E8 70BF8BFF | call <四哈.sub_140345FC0> |
0000000140A8A050 | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A8A055 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A058 | 74 0A | je 四哈.140A8A064 |
0000000140A8A05A | BA 01000000 | mov edx,1 |
0000000140A8A05F | E8 6CA562FF | call <四哈.sub_1400B45D0> |
0000000140A8A064 | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A8A069 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A06C | 74 0A | je 四哈.140A8A078 |
0000000140A8A06E | BA 01000000 | mov edx,1 |
0000000140A8A073 | E8 58A562FF | call <四哈.sub_1400B45D0> |
0000000140A8A078 | E8 D33C2A00 | call <四哈.sub_140D2DD50> |
0000000140A8A07D | 48:8BD8 | mov rbx,rax | rax:sub_14092DD50
0000000140A8A080 | E8 CB3C2A00 | call <四哈.sub_140D2DD50> |
0000000140A8A085 | 48:8BF8 | mov rdi,rax | rax:sub_14092DD50
0000000140A8A088 | 4C:8B0B | mov r9,qword ptr ds:[rbx] |
0000000140A8A08B | 4C:8D05 FE916300 | lea r8,qword ptr ds:[1410C3290] | 00000001410C3290:"LM_TIME_LIMITED_MESSAGE2"
0000000140A8A092 | 48:8D95 00010000 | lea rdx,qword ptr ss:[rbp+100] |
0000000140A8A099 | 48:8BCB | mov rcx,rbx | rcx:"MZ?"
0000000140A8A09C | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A8A0A0 | 48:8BF0 | mov rsi,rax | rax:sub_14092DD50
0000000140A8A0A3 | E8 A810FDFF | call <四哈.sub_140A5B150> |
0000000140A8A0A8 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A8A0AB | E8 3001FDFF | call <四哈.sub_140A5A1E0> |
0000000140A8A0B0 | 44:8BC0 | mov r8d,eax |
0000000140A8A0B3 | 48:8D15 5E916300 | lea rdx,qword ptr ds:[1410C3218] | 00000001410C3218:L" %d"
0000000140A8A0BA | 48:8D4D 38 | lea rcx,qword ptr ss:[rbp+38] |
0000000140A8A0BE | E8 2D2A79FF | call <四哈.sub_14021CAF0> |
0000000140A8A0C3 | 48:8BD8 | mov rbx,rax | rax:sub_14092DD50
0000000140A8A0C6 | 4C:8B0F | mov r9,qword ptr ds:[rdi] |
0000000140A8A0C9 | 4C:8D05 20916300 | lea r8,qword ptr ds:[1410C31F0] | 00000001410C31F0:"LM_TIME_LIMITED_MESSAGE1"
0000000140A8A0D0 | 48:8D55 18 | lea rdx,qword ptr ss:[rbp+18] |
0000000140A8A0D4 | 48:8BCF | mov rcx,rdi | rcx:"MZ?"
0000000140A8A0D7 | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140A8A0DB | 90 | nop |
0000000140A8A0DC | 4C:8BC3 | mov r8,rbx |
0000000140A8A0DF | 48:8D55 F8 | lea rdx,qword ptr ss:[rbp-8] |
0000000140A8A0E3 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A8A0E6 | E8 D53C79FF | call <四哈.sub_14021DDC0> |
0000000140A8A0EB | 90 | nop |
0000000140A8A0EC | 4C:8BC6 | mov r8,rsi |
0000000140A8A0EF | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A8A0F4 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A8A0F7 | E8 C43C79FF | call <四哈.sub_14021DDC0> |
0000000140A8A0FC | 90 | nop |
0000000140A8A0FD | 48:8B10 | mov rdx,qword ptr ds:[rax] | rax:sub_14092DD50
0000000140A8A100 | 48:8D4D A8 | lea rcx,qword ptr ss:[rbp-58] |
0000000140A8A104 | E8 473B79FF | call <四哈.sub_14021DC50> |
0000000140A8A109 | 90 | nop |
0000000140A8A10A | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] | [rsp+20]:"D嬋A嬃H?$@H媡$HH兡0_描?"
0000000140A8A10F | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A112 | 74 05 | je 四哈.140A8A119 |
0000000140A8A114 | E8 A7BE8BFF | call <四哈.sub_140345FC0> |
0000000140A8A119 | 48:8B4C24 30 | mov rcx,qword ptr ss:[rsp+30] |
0000000140A8A11E | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A121 | 74 0A | je 四哈.140A8A12D |
0000000140A8A123 | BA 01000000 | mov edx,1 |
0000000140A8A128 | E8 A3A462FF | call <四哈.sub_1400B45D0> |
0000000140A8A12D | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
0000000140A8A132 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A135 | 74 0B | je 四哈.140A8A142 |
0000000140A8A137 | BA 01000000 | mov edx,1 |
0000000140A8A13C | E8 8FA462FF | call <四哈.sub_1400B45D0> |
0000000140A8A141 | 90 | nop |
0000000140A8A142 | 48:8B4D F8 | mov rcx,qword ptr ss:[rbp-8] |
0000000140A8A146 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A149 | 74 05 | je 四哈.140A8A150 |
0000000140A8A14B | E8 70BE8BFF | call <四哈.sub_140345FC0> |
0000000140A8A150 | 48:8B4D 08 | mov rcx,qword ptr ss:[rbp+8] |
0000000140A8A154 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A157 | 74 0A | je 四哈.140A8A163 |
0000000140A8A159 | BA 01000000 | mov edx,1 |
0000000140A8A15E | E8 6DA462FF | call <四哈.sub_1400B45D0> |
0000000140A8A163 | 48:8B4D 10 | mov rcx,qword ptr ss:[rbp+10] |
0000000140A8A167 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A16A | 74 0B | je 四哈.140A8A177 |
0000000140A8A16C | BA 01000000 | mov edx,1 |
0000000140A8A171 | E8 5AA462FF | call <四哈.sub_1400B45D0> |
0000000140A8A176 | 90 | nop |
0000000140A8A177 | 48:8B4D 18 | mov rcx,qword ptr ss:[rbp+18] |
0000000140A8A17B | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A17E | 74 05 | je 四哈.140A8A185 |
0000000140A8A180 | E8 3BBE8BFF | call <四哈.sub_140345FC0> |
0000000140A8A185 | 48:8B4D 28 | mov rcx,qword ptr ss:[rbp+28] |
0000000140A8A189 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A18C | 74 0A | je 四哈.140A8A198 |
0000000140A8A18E | BA 01000000 | mov edx,1 |
0000000140A8A193 | E8 38A462FF | call <四哈.sub_1400B45D0> |
0000000140A8A198 | 48:8B4D 30 | mov rcx,qword ptr ss:[rbp+30] |
0000000140A8A19C | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A19F | 74 0B | je 四哈.140A8A1AC |
0000000140A8A1A1 | BA 01000000 | mov edx,1 |
0000000140A8A1A6 | E8 25A462FF | call <四哈.sub_1400B45D0> |
0000000140A8A1AB | 90 | nop |
0000000140A8A1AC | 48:8B4D 38 | mov rcx,qword ptr ss:[rbp+38] |
0000000140A8A1B0 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A1B3 | 74 05 | je 四哈.140A8A1BA |
0000000140A8A1B5 | E8 06BE8BFF | call <四哈.sub_140345FC0> |
0000000140A8A1BA | 48:8B4D 48 | mov rcx,qword ptr ss:[rbp+48] |
0000000140A8A1BE | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A1C1 | 74 0A | je 四哈.140A8A1CD |
0000000140A8A1C3 | BA 01000000 | mov edx,1 |
0000000140A8A1C8 | E8 03A462FF | call <四哈.sub_1400B45D0> |
0000000140A8A1CD | 48:8B4D 50 | mov rcx,qword ptr ss:[rbp+50] |
0000000140A8A1D1 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A1D4 | 74 0B | je 四哈.140A8A1E1 |
0000000140A8A1D6 | BA 01000000 | mov edx,1 |
0000000140A8A1DB | E8 F0A362FF | call <四哈.sub_1400B45D0> |
0000000140A8A1E0 | 90 | nop |
0000000140A8A1E1 | 48:8B8D 00010000 | mov rcx,qword ptr ss:[rbp+100] |
0000000140A8A1E8 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A1EB | 74 05 | je 四哈.140A8A1F2 |
0000000140A8A1ED | E8 CEBD8BFF | call <四哈.sub_140345FC0> |
0000000140A8A1F2 | 48:8B8D 10010000 | mov rcx,qword ptr ss:[rbp+110] |
0000000140A8A1F9 | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A1FC | 74 0A | je 四哈.140A8A208 |
0000000140A8A1FE | BA 01000000 | mov edx,1 |
0000000140A8A203 | E8 C8A362FF | call <四哈.sub_1400B45D0> |
0000000140A8A208 | 48:8B8D 18010000 | mov rcx,qword ptr ss:[rbp+118] |
0000000140A8A20F | 48:85C9 | test rcx,rcx | rcx:"MZ?"
0000000140A8A212 | 74 0A | je 四哈.140A8A21E |
0000000140A8A214 | BA 01000000 | mov edx,1 |
0000000140A8A219 | E8 B2A362FF | call <四哈.sub_1400B45D0> |
0000000140A8A21E | 48:8D85 28010000 | lea rax,qword ptr ss:[rbp+128] | rax:sub_14092DD50
0000000140A8A225 | 48:8B5D C8 | mov rbx,qword ptr ss:[rbp-38] |
0000000140A8A229 | C785 9C000000 03000000 | mov dword ptr ss:[rbp+9C],3 |
0000000140A8A233 | 48:8985 A0000000 | mov qword ptr ss:[rbp+A0],rax | rax:sub_14092DD50
0000000140A8A23A | 48:8B75 D0 | mov rsi,qword ptr ss:[rbp-30] |
0000000140A8A23E | 48:8B7D A8 | mov rdi,qword ptr ss:[rbp-58] |
0000000140A8A242 | 48:85F6 | test rsi,rsi |
0000000140A8A245 | 48:8BC6 | mov rax,rsi | rax:sub_14092DD50
0000000140A8A248 | 75 03 | jne 四哈.140A8A24D |
0000000140A8A24A | 49:8BC5 | mov rax,r13 | rax:sub_14092DD50
0000000140A8A24D | 48:8985 8C000000 | mov qword ptr ss:[rbp+8C],rax | rax:sub_14092DD50
0000000140A8A254 | 48:85FF | test rdi,rdi |
0000000140A8A257 | 4C:0F45EF | cmovne r13,rdi |
0000000140A8A25B | 4C:89AD 94000000 | mov qword ptr ss:[rbp+94],r13 |
0000000140A8A262 | 48:891D 0FB9A700 | mov qword ptr ds:[141505B78],rbx |
0000000140A8A269 | 48:8D0D F08F6300 | lea rcx,qword ptr ds:[1410C3260] | rcx:"MZ?", 00000001410C3260:L"comctl32.dll"
0000000140A8A270 | FF15 CACA3B00 | call qword ptr ds:[<&GetModuleHandleW> |
0000000140A8A276 | 48:8BC8 | mov rcx,rax | rcx:"MZ?", rax:sub_14092DD50
0000000140A8A279 | 48:8D15 38906300 | lea rdx,qword ptr ds:[1410C32B8] | 00000001410C32B8:"TaskDialogIndirect"
0000000140A8A280 | FF15 D2CA3B00 | call qword ptr ds:[<&GetProcAddress>] |
0000000140A8A286 | 48:8BD8 | mov rbx,rax | rax:sub_14092DD50
0000000140A8A289 | E8 0ABD8CFF | call <四哈.sub_140355F98> |
0000000140A8A28E | 48:8B48 08 | mov rcx,qword ptr ds:[rax+8] | rcx:"MZ?", rax+8:sub_14092DD50+8
0000000140A8A292 | 45:33C0 | xor r8d,r8d |
0000000140A8A295 | 48:8D15 74750200 | lea rdx,qword ptr ds:[<sub_140AB1810>] |
0000000140A8A29C | 8B49 60 | mov ecx,dword ptr ds:[rcx+60] | rcx+60:"t be run in DOS mode.\r\r\n$"
0000000140A8A29F | FF15 A3D43B00 | call qword ptr ds:[<&EnumThreadWindows |
0000000140A8A2A5 | 45:33C9 | xor r9d,r9d |
0000000140A8A2A8 | 45:33C0 | xor r8d,r8d |
0000000140A8A2AB | 48:8D5424 40 | lea rdx,qword ptr ss:[rsp+40] |
0000000140A8A2B0 | 48:8D4D 60 | lea rcx,qword ptr ss:[rbp+60] |
0000000140A8A2B4 | FFD3 | call rbx | the registration dialog pops up here
Then you'll see lots of things like TIME_LIMITED_MESSAGE1. What exactly are they?
Let's search with FileLocator_2951.
Found it right away: it's an English XML file, essentially a language dictionary.
On the left is the string id, on the right the corresponding entry.
A quick search for the strings... wow, they're all in there~~
Filter the search again for TIME_LIMITED_MESSAGE1.
They generally turn up in groups of three~~
If you set breakpoints on all of them, the first one usually breaks first, and there are many, many other entries right next to it.
The one hit on the first load is reading the entry list, so it's obviously not the one; once you've spotted this pattern, you can leave the first line without a breakpoint.
Next, let's continue analysing the assembly above~~
Below 0000000140A89E91 is the purchase button.
0000000140A89E2B | 4C:8D05 C6956300 | lea r8,qword ptr ds:[1410C33F8] | 00000001410C33F8:"LM_EXPIRED_MODE_DESCRIPTION" this is the expired mode
0000000140A89C2D | E8 CE08FDFF | call <sub_140A5A500> | ▲ below is the purchase button again
After quickly analysing a few of these, you can set breakpoints near them, then press Ctrl+R at the function start.
It's then easy to find the caller: 0000000140A89ABB | E8 80000000 | call <四哈.sub_140A89B40> | this is what calls the registration dialog below.
Then you can keep finding the function start, setting a breakpoint, checking the stack and analysing upwards level by level... this is a bit slow, but you can try it... the more you try, the more you get back... (that's one line of thinking)
Of course, I still think it's better to look around first and find out what has been going on in the surroundings before analysing further, taking action and setting a plan and countermeasures... (that's one line of thinking)
The flowchart earlier shows that three processes related to the store login are started; you can search for them... (that's one line of thinking)
Another clue is that a temporary xx-day trial got activated... (that's one line of thinking). Let's try this one.
Pause, look at the call stack, and we immediately get the new address shown in the figure, with the trial messages and the rest all gathered in one place~~
0000000140A8854A | E8 B11FFDFF | call <四哈.sub_140A5A500> | there's something inside this call
0000000140A8854F | 33C9 | xor ecx,ecx |
0000000140A88551 | 48:894C24 28 | mov qword ptr ss:[rsp+28],rcx | [rsp+28]:&L"Px "
0000000140A88556 | 48:894C24 30 | mov qword ptr ss:[rsp+30],rcx |
0000000140A8855B | 0F57C0 | xorps xmm0,xmm0 |
0000000140A8855E | F3:0F7F4424 38 | movdqu xmmword ptr ss:[rsp+38],xmm0 |
0000000140A88564 | 48:894C24 48 | mov qword ptr ss:[rsp+48],rcx |
0000000140A88569 | 48:894C24 50 | mov qword ptr ss:[rsp+50],rcx |
0000000140A8856E | F3:0F7F4424 58 | movdqu xmmword ptr ss:[rsp+58],xmm0 |
0000000140A88574 | 85C0 | test eax,eax |
0000000140A88576 | 78 41 | js 四哈.140A885B9 |
0000000140A88578 | 83F8 01 | cmp eax,1 |
0000000140A8857B | 7E 33 | jle 四哈.140A885B0 |
0000000140A8857D | 83F8 02 | cmp eax,2 |
0000000140A88580 | 74 0E | je 四哈.140A88590 |
0000000140A88582 | 83F8 03 | cmp eax,3 |
0000000140A88585 | 75 32 | jne 四哈.140A885B9 |
0000000140A88587 | 48:8D15 A2B06300 | lea rdx,qword ptr ds:[1410C3630] | 00000001410C3630:L"Full License has been activated successfully."
0000000140A8858E | EB 30 | jmp 四哈.140A885C0 |
0000000140A88590 | E8 CB000000 | call <四哈.sub_140A88660> |
0000000140A88595 | 48:8D4C24 28 | lea rcx,qword ptr ss:[rsp+28] | [rsp+28]:&L"Px "
0000000140A8859A | 84C0 | test al,al |
0000000140A8859C | 74 09 | je 四哈.140A885A7 |
0000000140A8859E | 48:8D15 EBB06300 | lea rdx,qword ptr ds:[1410C3690] | 00000001410C3690:L"License has been activated successfully.The trial license you activated is expired, the application will function in demo mode. In demo mode one can only view existing files."
0000000140A885A5 | EB 1E | jmp 四哈.140A885C5 |
0000000140A885A7 | 48:8D15 B2B26300 | lea rdx,qword ptr ds:[1410C3860] | 00000001410C3860:L"To enable your Trial License or Full License, please connect with your ConceptDraw.com account info in ConceptDraw STORE Application.The application will function in demo mode unless this is done. In demo mode one can only view existing files."
0000000140A885AE | EB 15 | jmp 四哈.140A885C5 |
0000000140A885B0 | 48:8D15 49B26300 | lea rdx,qword ptr ds:[1410C3800] | 00000001410C3800:L"Trial License has been activated successfully."
0000000140A885B7 | EB 07 | jmp 四哈.140A885C0 |
0000000140A885B9 | 48:8D15 A0B26300 | lea rdx,qword ptr ds:[1410C3860] | 00000001410C3860:L"To enable your Trial License or Full License, please connect with your ConceptDraw.com account info in ConceptDraw STORE Application.The application will function in demo mode unless this is done. In demo mode one can only view existing files."
0000000140A8854A | E8 B11FFDFF | call <四哈.sub_140A5A500> | there's something inside this call, so press Enter on this address to step into it, then Ctrl+A, Ctrl+R
Generally speaking, let's state the classic pattern:
call address // in terms of modification priority, changing the return value after stepping in with F7 directly affects the next 2 lines
test xx,xx or cmp xx,xx // compare/test... affects the flags and so on... read a book for the details
JCC // if nothing else works, we forcibly change it to: JMP xxxxxxxx
Then step into each one and see what actually happens inside.
Nothing useful here, skip it~~
Focus on the several places marked with arrows in the figure!!!
0000000140A892C0 | E8 3B12FDFF | call <四哈.sub_140A5A500>
0000000140A892C5 | 49:83CF FF | or r15,FFFFFFFFFFFFFFFF
0000000140A892C9 | 83F8 02 | cmp eax,2 | compared against 2

0000000140A89ACA | E8 310AFDFF | call <四哈.sub_140A5A500>
0000000140A89ACF | 83F8 02 | cmp eax,2 | compared against 2
0000000140A89AD2 | 75 07 | jne 四哈.140A89ADB

0000000140A89C2D | E8 CE08FDFF | call <四哈.sub_140A5A500> |
0000000140A89C32 | 4C:8D2D 87B86A00 | lea r13,qword ptr ds:[1411354C0] |
0000000140A89C39 | 83F8 02 | cmp eax,2 | compared against 2
0000000140A89C3C | 0F85 4D020000 | jne 四哈.140A89E8F |
0000000140A89C42 | E8 09412A00 | call <四哈.sub_140D2DD50> |
0000000140A89C47 | 4C:8B08 | mov r9,qword ptr ds:[rax] |
0000000140A89C4A | 4C:8D05 4F976300 | lea r8,qword ptr ds:[1410C33A0] | 00000001410C33A0:"LM_PURCHASE_BUTTON"

0000000140B152F6 | E8 0552F4FF | call <四哈.sub_140A5A500> |
0000000140B152FB | 83F8 01 | cmp eax,1 | compared against 1
0000000140B152FE | 76 66 | jbe 四哈.140B15366 |
0000000140B15300 | 83F8 02 | cmp eax,2 | compared against 2
0000000140B15303 | 75 2C | jne 四哈.140B15331 |
0000000140B15305 | E8 468A2100 | call <四哈.sub_140D2DD50> |
0000000140B1530A | 4C:8B08 | mov r9,qword ptr ds:[rax] |
0000000140B1530D | 4C:8D05 EC1E5B00 | lea r8,qword ptr ds:[1410C7200] | 00000001410C7200:"LM_EXPIRED_MODE2" expired mode
0000000140B15314 | 48:8D55 50 | lea rdx,qword ptr ss:[rbp+50] |
0000000140B15318 | 48:8BC8 | mov rcx,rax |
0000000140B1531B | 41:FF51 10 | call qword ptr ds:[r9+10] |
0000000140B1531F | 90 | nop |
0000000140B15320 | 48:8B10 | mov rdx,qword ptr ds:[rax] |
0000000140B15323 | 49:8BCC | mov rcx,r12 |
0000000140B15326 | E8 258970FF | call <四哈.sub_14021DC50> |
0000000140B1532B | 90 | nop |
0000000140B1532C | E9 18010000 | jmp 四哈.140B15449 |
0000000140B15331 | 83F8 03 | cmp eax,3 | compared against 3
0000000140B15334 | 0F85 44010000 | jne 四哈.140B1547E |
0000000140B1533A | E8 118A2100 | call <四哈.sub_140D2DD50> |
0000000140B1533F | 4C:8B08 | mov r9,qword ptr ds:[rax] |
0000000140B15342 | 4C:8D05 D71E5B00 | lea r8,qword ptr ds:[1410C7220] | 00000001410C7220:"LM_FULL_FEATURED_MODE" full-featured mode
All the intel above shows that the enemy's eax takes three values, 1, 2, 3:
1. Trial version
2. Expired version
3. Registered version
Address          Disassembly
0000000140A25A83 call <sub_140A5A500>
0000000140A270C8 call <sub_140A5A500>
0000000140A8854A call <sub_140A5A500>
0000000140A892C0 call <sub_140A5A500>
0000000140A89ACA call <sub_140A5A500>
0000000140A89C2D call <sub_140A5A500>
0000000140A9C631 call <sub_140A5A500>
0000000140B152F6 call <sub_140A5A500>
0000000140B1631D call <sub_140A5A500>
0000000140B1A2C4 call <sub_140A5A500>
0000000140B7B4BE call <sub_140A5A500>
0000000140CE3691 call <sub_140A5A500>
0000000140CE3BFB call <sub_140A5A500>
We find that with 1, registration is skipped and we get the temporary trial version.
With 2, it's the expired version.
With 3, it's the registered version.
Circles 1, 2 and 3 confirm that the above inference is correct.
And a location that satisfies these four conditions is definitely the key call:
1) Something important happens afterwards, e.g. jumping to xx where an event takes place
2) It's made up of test/cmp/JXX, though the value may also be passed indirectly through a mov or similar
3) It's compared multiple times
4) It's a shared call that gets hit repeatedly
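As an added illustration that is not part of the original post, here is a Python script that parses x64dbg's "address | bytes | instruction | comment" listing text and tallies the cmp/jcc checks that follow each call to a given routine, which is exactly the pattern conditions 2) and 3) describe; it is the kind of audit a vendor can run over its own build to see how many sites reduce the licence state to a single integer compare. The embedded listing is an abridged excerpt of the lines quoted above (四哈 and sub_140A5A500 are the post's own names), and the window size is my assumption.

```python
import re

# Constructed sample input: an abridged excerpt of the x64dbg listing quoted in the post,
# in x64dbg's "address | bytes | instruction | comment" text format.
LISTING = """\
0000000140A8854A | E8 B11FFDFF | call <四哈.sub_140A5A500> |
0000000140A8854F | 33C9 | xor ecx,ecx |
0000000140A88551 | 48:894C24 28 | mov qword ptr ss:[rsp+28],rcx | [rsp+28]:&L"Px "
0000000140A88574 | 85C0 | test eax,eax |
0000000140A88576 | 78 41 | js 四哈.140A885B9 |
0000000140A88578 | 83F8 01 | cmp eax,1 |
0000000140A8857B | 7E 33 | jle 四哈.140A885B0 |
0000000140A8857D | 83F8 02 | cmp eax,2 |
0000000140A88580 | 74 0E | je 四哈.140A88590 |
0000000140A88582 | 83F8 03 | cmp eax,3 |
0000000140A88585 | 75 32 | jne 四哈.140A885B9 |
0000000140A88587 | 48:8D15 A2B06300 | lea rdx,qword ptr ds:[1410C3630] | 00000001410C3630:L"Full License has been activated successfully."
0000000140A8858E | EB 30 | jmp 四哈.140A885C0 |
0000000140A89ACA | E8 310AFDFF | call <四哈.sub_140A5A500> |
0000000140A89ACF | 83F8 02 | cmp eax,2 |
0000000140A89AD2 | 75 07 | jne 四哈.140A89ADB |
0000000140A89C2D | E8 CE08FDFF | call <四哈.sub_140A5A500> |
0000000140A89C32 | 4C:8D2D 87B86A00 | lea r13,qword ptr ds:[1411354C0] |
0000000140A89C39 | 83F8 02 | cmp eax,2 |
0000000140A89C3C | 0F85 4D020000 | jne 四哈.140A89E8F |
0000000140A8A0AB | E8 3001FDFF | call <四哈.sub_140A5A1E0> |
0000000140A8A0B0 | 44:8BC0 | mov r8d,eax |
"""

# address | bytes | instruction ... (the comment column after the third "|" is ignored)
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{16})\s*\|\s*[^|]*\|\s*([^|]*)")
# "cmp eax,<hex immediate>" as x64dbg prints it
IMM_RE = re.compile(r"^eax,([0-9A-Fa-f]+)$", re.IGNORECASE)
# conditional jumps (je, jne, jbe, js, jle, ...) but not the unconditional jmp
JCC_RE = re.compile(r"^j(?!mp$)[a-z]+$")


def parse_listing(text):
    """Return [(address, mnemonic, operands)] for each instruction line; other lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mnem, _, ops = m.group(2).strip().partition(" ")
        insns.append((m.group(1).upper(), mnem.lower(), ops.strip()))
    return insns


def find_status_checks(text, callee, window=16):
    """
    For every `call` whose target contains `callee`, collect the (compared value, jcc)
    pairs that follow it, stopping at the next call, an unconditional jmp, or after
    `window` instructions. `test eax,eax` is recorded as value 0 (a sign/zero check).
    Returns {call-site address: [(value, jcc mnemonic), ...]} in listing order.
    """
    insns = parse_listing(text)
    checks = {}
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call" or callee not in ops:
            continue
        pending = None  # value set by the most recent cmp/test on eax, not yet consumed
        found = []
        for _, m2, o2 in insns[i + 1:i + 1 + window]:
            if m2 in ("call", "jmp"):
                break
            imm = IMM_RE.match(o2) if m2 == "cmp" else None
            if imm:
                pending = int(imm.group(1), 16)
            elif m2 == "test" and o2.lower().replace(" ", "") == "eax,eax":
                pending = 0
            elif JCC_RE.match(m2) and pending is not None:
                found.append((pending, m2))
                pending = None
        checks[addr] = found
    return checks


def status_values(checks):
    """Distinct state values the return value is compared against (0 is the sign/zero test, not a state)."""
    return sorted({v for pairs in checks.values() for v, _ in pairs if v})


if __name__ == "__main__":
    checks = find_status_checks(LISTING, "sub_140A5A500")
    for site, pairs in checks.items():
        print(site, " ".join(f"{v}:{j}" for v, j in pairs) or "(no compare found)")
    print("state values compared:", status_values(checks))
```

Running it over the real listing, with the other call sites from the references window pasted in, gives the count of sites that branch on the same one-integer state.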