This post was last edited by 冥界3大法王 on 2021-2-14 11:04
Game on. The first program up: after installing it, running it immediately pops up a dialog.
By international convention, click Register. Inside, you tick the checkbox to accept the license agreement,
enter the registration code, and count how many characters the code has ==> 24
OK, let's go straight in: open x32dbg, press Ctrl+Shift+F and search for `cmp eax, 24`.
Ctrl+F2 to reload the program; it does break, but far too early, so nothing can be concluded yet.
Keep stepping and have a look around.
Grab any tool that shows window control information, get the control's class name and so on, then search for it:
That gives blue circle 3, but breakpoints set there are hard to trigger.
Next, use x32dbg's enhanced string plugin to filter and search for anything interesting. (Pity the plugin can't copy everything out; we can use WinHEX, Ctrl+F10, to extract it.)
A quick extraction turned up two suspicious URLs. In WinHEX, Ctrl+L to fill them with 00 and save into the directory; give the original a .bak extension and keep debugging the URL-stripped copy under the original file name.
Blacklist (what does this make you think of? Obviously the network requests have to be dealt with; the simpler way is to edit hosts)
Registration number has been revoked~~
Invalid license
Wrong registration code format, etc... I won't list them one by one.
We originally wanted to find that "invalid" small icon, but unexpectedly found some breakpoint spots and leverage points instead.
Set a hardware breakpoint~~ happiness knocks at the door~~
Go, go~~ OP, you're doing great~~ you'll surely beat it~~
At this point, by international convention and habit, Ctrl+A, then Ctrl+- to the start of the section~~
Check the stack pane in the bottom right: any leap points?
Looks like the situation is neither good nor bad right now~~
Moving on~~
Blue circle 7 has two breakpoint spots.
Press Enter on the upper one first and follow it~~
Now it feels a bit better than before.
The call site above has 7 `jmp xxxx` statements.
Now it feels like the hardware breakpoint can be disabled or deleted, right? Better to disable it first; I was too quick and deleted it.
At this point we find one of the JMPs breaks, and the stack exposes a new call-site address; keep pressing Enter to follow it.
The useless JMP breakpoints from before can be deleted too.
[Asm]
00A894C0 | 55 | push ebp | this is the function entry~~ set F2 here and found only one caller, from 00A88469
00A894C1 | 8BEC | mov ebp,esp |
00A894C3 | 6A FF | push FFFFFFFF |
00A894C5 | 68 80 | push FD0880 |
00A894CA | 64:A1 | mov eax,dword ptr fs:[0] | 00000000:"嗒Y"
00A894D0 | 50 | push eax |
00A894D1 | 51 | push ecx | ecx:&"0{o"
00A894D2 | 53 | push ebx |
00A894D3 | 56 | push esi |
00A894D4 | 57 | push edi |
00A894D5 | A1 34 | mov eax,dword ptr ds:[21F8434] |
00A894DA | 33C5 | xor eax,ebp |
00A894DC | 50 | push eax |
00A894DD | 8D45 | lea eax,dword ptr ss:[ebp-C] |
00A894E0 | 64:A3 | mov dword ptr fs:[0],eax | 00000000:"嗒Y"
00A894E6 | 8B45 | mov eax,dword ptr ss:[ebp+8] |
00A894E9 | 83E8 | sub eax,0 |
00A894EC | 0F84 | je A8961B |
00A894F2 | 83E8 | sub eax,1 |
00A894F5 | 0F85 | jne A8962D |
00A894FB | 8B5D | mov ebx,dword ptr ss:[ebp+C] |
00A894FE | 8B35 | mov esi,dword ptr ds:[<&?text@QLineEdit@@QBE?AVQString@@XZ>] |
00A89504 | 8B43 | mov eax,dword ptr ds:[ebx+8] |
00A89507 | C740 | mov dword ptr ds:[eax+5C],7 |
00A8950E | 8B43 | mov eax,dword ptr ds:[ebx+8] |
00A89511 | 8B78 | mov edi,dword ptr ds:[eax+10] |
00A89514 | 8D45 | lea eax,dword ptr ss:[ebp-10] | [ebp-10]:"Invalid license signature"
00A89517 | 50 | push eax |
00A89518 | 8BCF | mov ecx,edi | ecx:&"0{o"
00A8951A | FFD6 | call esi |
00A8951C | 8B43 | mov eax,dword ptr ds:[ebx+8] |
00A8951F | 8D55 | lea edx,dword ptr ss:[ebp-10] | [ebp-10]:"Invalid license signature"
00A89522 | 52 | push edx | edx:"0{o"
00A89523 | C745 | mov dword ptr ss:[ebp-4],0 |
00A8952A | 8B48 | mov ecx,dword ptr ds:[eax+54] | ecx:&"0{o"
00A8952D | 8B01 | mov eax,dword ptr ds:[ecx] | [ecx]:"0{o"
00A8952F | FF50 | call dword ptr ds:[eax+3C] |
00A89532 | 8B53 | mov edx,dword ptr ds:[ebx+8] | edx:"0{o"
00A89535 | 8BCF | mov ecx,edi | ecx:&"0{o"
00A89537 | 8942 | mov dword ptr ds:[edx+5C],eax | [edx+5C]:sub_6C01D0
00A8953A | 8D45 | lea eax,dword ptr ss:[ebp+8] |
00A8953D | 50 | push eax |
00A8953E | FFD6 | call esi |
00A89540 | 8D4D | lea ecx,dword ptr ss:[ebp+8] |
00A89543 | 8B00 | mov eax,dword ptr ds:[eax] |
00A89545 | 8B70 | mov esi,dword ptr ds:[eax+4] |
00A89548 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A8954E | 83FE | cmp esi,1A |
00A89551 | 74 3A | je A8958D |
00A89553 | 8D4D | lea ecx,dword ptr ss:[ebp+8] |
00A89556 | FF15 | call dword ptr ds:[<&??0QBitArray@@QAE@XZ>] |
00A8955C | 8B4B | mov ecx,dword ptr ds:[ebx+8] | ecx:&"0{o"
00A8955F | 6A 00 | push 0 |
00A89561 | 50 | push eax |
00A89562 | C645 | mov byte ptr ss:[ebp-4],1 |
00A89566 | 8B49 | mov ecx,dword ptr ds:[ecx+64] | ecx:&"0{o"
00A89569 | E8 F2 | call <sub_DC0A60> |
00A8956E | 8D4D | lea ecx,dword ptr ss:[ebp+8] |
00A89571 | C645 | mov byte ptr ss:[ebp-4],0 |
00A89575 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A8957B | 8B43 | mov eax,dword ptr ds:[ebx+8] |
00A8957E | 6A 00 | push 0 |
00A89580 | FF70 | push dword ptr ds:[eax+10] |
00A89583 | E8 A8 | call <sub_DEBB30> |
00A89588 | 83C4 | add esp,8 |
00A8958B | EB 54 | jmp A895E1 |
00A8958D | 8B43 | mov eax,dword ptr ds:[ebx+8] |
00A89590 | 8B48 | mov ecx,dword ptr ds:[eax+54] | ecx:&"0{o"
00A89593 | FF70 | push dword ptr ds:[eax+5C] |
00A89596 | 8D45 | lea eax,dword ptr ss:[ebp+8] |
00A89599 | 50 | push eax |
00A8959A | 8B11 | mov edx,dword ptr ds:[ecx] | edx:"0{o", [ecx]:"0{o"
00A8959C | FF52 | call dword ptr ds:[edx+48] |
00A8959F | 8B4B | mov ecx,dword ptr ds:[ebx+8] | after following the jump we land here
00A895A2 | 8D45 | lea eax,dword ptr ss:[ebp+8] |
00A895A5 | 33DB | xor ebx,ebx |
00A895A7 | C645 | mov byte ptr ss:[ebp-4],2 |
00A895AB | 3959 | cmp dword ptr ds:[ecx+5C],ebx |
00A895AE | 8B49 | mov ecx,dword ptr ds:[ecx+64] | ecx:&"0{o"
00A895B1 | 0F95C | setne bl |
00A895B4 | 8D1C5 | lea ebx,dword ptr ds:[ebx*2+2] |
00A895BB | 53 | push ebx |
00A895BC | 50 | push eax |
00A895BD | E8 9E | call <sub_DC0A60> |
00A895C2 | 53 | push ebx |
00A895C3 | 8B5D | mov ebx,dword ptr ss:[ebp+C] |
00A895C6 | 8B43 | mov eax,dword ptr ds:[ebx+8] |
00A895C9 | FF70 | push dword ptr ds:[eax+10] |
00A895CC | E8 5F | call <sub_DEBB30> |
00A895D1 | 83C4 | add esp,8 |
00A895D4 | C645 | mov byte ptr ss:[ebp-4],0 |
00A895D8 | 8D4D | lea ecx,dword ptr ss:[ebp+8] |
00A895DB | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A895E1 | 8B4B | mov ecx,dword ptr ds:[ebx+8] | ecx:&"0{o"
00A895E4 | 8379 | cmp dword ptr ds:[ecx+5C],0 |
00A895E8 | 75 0A | jne A895F4 |
00A895EA | 8079 | cmp byte ptr ds:[ecx+60],0 |
00A895EE | 74 04 | je A895F4 |
00A895F0 | B0 01 | mov al,1 |
00A895F2 | EB 02 | jmp A895F6 |
00A895F4 | 32C0 | xor al,al |
00A895F6 | 8B49 | mov ecx,dword ptr ds:[ecx+50] | ecx:&"0{o"
00A895F9 | 50 | push eax |
00A895FA | FF15 | call dword ptr ds:[<&?setEnabled@QWidget@@QAEX_N@Z>] |
00A89600 | 8D4D | lea ecx,dword ptr ss:[ebp-10] | [ebp-10]:"Invalid license signature"
So this time we have arrived at a new continent~~
Let's do a quick analysis of it.
[Asm]
00A88100 | 55 | push ebp |
00A88101 | 8BEC | mov ebp,esp |
00A88103 | 6A FF | push FFFFFFFF |
00A88105 | 68 85 | push <sub_FD0785> |
00A8810A | 64:A1 | mov eax,dword ptr fs:[0] | 00000000:"嗒Y"
00A88110 | 50 | push eax |
00A88111 | 83EC | sub esp,78 |
00A88114 | 53 | push ebx |
00A88115 | 56 | push esi |
00A88116 | 57 | push edi |
00A88117 | A1 34 | mov eax,dword ptr ds:[21F8434] |
00A8811C | 33C5 | xor eax,ebp |
00A8811E | 50 | push eax |
00A8811F | 8D45 | lea eax,dword ptr ss:[ebp-C] |
00A88122 | 64:A3 | mov dword ptr fs:[0],eax | 00000000:"嗒Y"
00A88128 | 8BF9 | mov edi,ecx | ecx:&"0{o"
00A8812A | 897D | mov dword ptr ss:[ebp-5C],edi |
00A8812D | C745 | mov dword ptr ss:[ebp-18],0 |
00A88134 | 8B45 | mov eax,dword ptr ss:[ebp+8] |
00A88137 | 8907 | mov dword ptr ds:[edi],eax |
00A88139 | C747 | mov dword ptr ds:[edi+54],0 |
00A88140 | C747 | mov dword ptr ds:[edi+58],0 |
00A88147 | 8D4F | lea ecx,dword ptr ds:[edi+68] | ecx:&"0{o"
00A8814A | C745 | mov dword ptr ss:[ebp-4],0 |
00A88151 | 6A 00 | push 0 |
00A88153 | C747 | mov dword ptr ds:[edi+5C],7 | edi+5C:"铪铪"
00A8815A | C647 | mov byte ptr ds:[edi+60],0 |
00A8815E | C747 | mov dword ptr ds:[edi+64],0 |
00A88165 | E8 D6 | call <sub_F01D40> |
00A8816A | C747 | mov dword ptr ds:[edi+7C],0 |
00A88171 | C787 | mov dword ptr ds:[edi+80],0 |
00A8817B | C645 | mov byte ptr ss:[ebp-4],2 |
00A8817F | C787 | mov dword ptr ds:[edi+84],0 |
00A88189 | C787 | mov dword ptr ds:[edi+88],0 |
00A88193 | C787 | mov dword ptr ds:[edi+8C],0 |
00A8819D | FF15 | call dword ptr ds:[<&?kernel@AMServiceLocator@utils@am@@SAPAVKer |
00A881A3 | 8945 | mov dword ptr ss:[ebp+8],eax |
00A881A6 | 8D4D | lea ecx,dword ptr ss:[ebp+8] |
00A881A9 | 8D45 | lea eax,dword ptr ss:[ebp-50] |
00A881AC | 50 | push eax |
00A881AD | E8 AE | call <sub_67EF60> |
00A881B2 | 8B77 | mov esi,dword ptr ds:[edi+58] |
00A881B5 | 83CB | or ebx,FFFFFFFF |
00A881B8 | 8B45 | mov eax,dword ptr ss:[ebp-50] |
00A881BB | 8B4D | mov ecx,dword ptr ss:[ebp-4C] |
00A881BE | C745 | mov dword ptr ss:[ebp-50],0 |
00A881C5 | C745 | mov dword ptr ss:[ebp-4C],0 |
00A881CC | 8947 | mov dword ptr ds:[edi+54],eax |
00A881CF | 894F | mov dword ptr ds:[edi+58],ecx | ecx:&"0{o"
00A881D2 | 85F6 | test esi,esi |
00A881D4 | 74 45 | je A8821B |
00A881D6 | 8BC3 | mov eax,ebx |
00A881D8 | F0:0F | lock xadd dword ptr ds:[esi+4],eax |
00A881DD | 75 16 | jne A881F5 |
00A881DF | 8B06 | mov eax,dword ptr ds:[esi] |
00A881E1 | 8BCE | mov ecx,esi | ecx:&"0{o"
00A881E3 | FF10 | call dword ptr ds:[eax] |
00A881E5 | 8BC3 | mov eax,ebx |
00A881E7 | F0:0F | lock xadd dword ptr ds:[esi+8],eax |
00A881EC | 75 07 | jne A881F5 |
00A881EE | 8B06 | mov eax,dword ptr ds:[esi] |
00A881F0 | 8BCE | mov ecx,esi | ecx:&"0{o"
00A881F2 | FF50 | call dword ptr ds:[eax+4] |
00A881F5 | 8B75 | mov esi,dword ptr ss:[ebp-4C] |
00A881F8 | 85F6 | test esi,esi |
00A881FA | 74 1F | je A8821B |
00A881FC | 8BC3 | mov eax,ebx |
00A881FE | F0:0F | lock xadd dword ptr ds:[esi+4],eax |
00A88203 | 75 16 | jne A8821B |
00A88205 | 8B06 | mov eax,dword ptr ds:[esi] |
00A88207 | 8BCE | mov ecx,esi | ecx:&"0{o"
00A88209 | FF10 | call dword ptr ds:[eax] |
00A8820B | 8BC3 | mov eax,ebx |
00A8820D | F0:0F | lock xadd dword ptr ds:[esi+8],eax |
00A88212 | 75 07 | jne A8821B |
00A88214 | 8B06 | mov eax,dword ptr ds:[esi] |
00A88216 | 8BCE | mov ecx,esi | ecx:&"0{o"
00A88218 | FF50 | call dword ptr ds:[eax+4] |
00A8821B | FF37 | push dword ptr ds:[edi] |
00A8821D | 8D4F | lea ecx,dword ptr ds:[edi+4] | ecx:&"0{o"
00A88220 | E8 7B | call <sub_A897A0> |
00A88225 | 8B4F | mov ecx,dword ptr ds:[edi+10] | ecx:&"0{o"
00A88228 | 6A 01 | push 1 |
00A8822A | FF15 | call dword ptr ds:[<&?blockSignals@QObject@@QAE_N_N@Z>] |
00A88230 | 51 | push ecx | ecx:&"0{o"
00A88231 | 8BCC | mov ecx,esp |
00A88233 | 6A 4E | push 4E |
00A88235 | FF15 | call dword ptr ds:[<&??0QChar@@QAE@H@Z>] |
00A8823B | 6A 08 | push 8 |
00A8823D | 8D4D | lea ecx,dword ptr ss:[ebp-44] |
00A88240 | FF15 | call dword ptr ds:[<&??0QString@@QAE@HVQChar@@@Z>] |
00A88246 | A1 30 | mov eax,dword ptr ds:[<&?shared_null@QListData@@2UData@1@B>] |
00A8824B | 8945 | mov dword ptr ss:[ebp-2C],eax |
00A8824E | C645 | mov byte ptr ss:[ebp-4],4 |
00A88252 | BE 03 | mov esi,3 |
00A88257 | 8D45 | lea eax,dword ptr ss:[ebp-44] |
00A8825A | 50 | push eax |
00A8825B | 8D4D | lea ecx,dword ptr ss:[ebp-2C] |
00A8825E | E8 6D | call 6AD6D0 |
00A88263 | 83EE | sub esi,1 |
00A88266 | 75 EF | jne A88257 |
00A88268 | 6A 2D | push 2D |
00A8826A | 8D4D | lea ecx,dword ptr ss:[ebp+A] |
00A8826D | FF15 | call dword ptr ds:[<&??0QChar@@QAE@H@Z>] |
00A88273 | 6A 01 | push 1 |
00A88275 | 8D45 | lea eax,dword ptr ss:[ebp+A] |
00A88278 | 50 | push eax |
00A88279 | 8D45 | lea eax,dword ptr ss:[ebp-2C] |
00A8827C | 50 | push eax |
00A8827D | 8D45 | lea eax,dword ptr ss:[ebp-3C] |
00A88280 | 50 | push eax |
00A88281 | FF15 | call dword ptr ds:[<&?QStringList_join@QtPrivate@@YA?AVQString@@ | Qt private variable?
00A88287 | 83C4 | add esp,10 |
00A8828A | 8D45 | lea eax,dword ptr ss:[ebp-3C] |
00A8828D | C645 | mov byte ptr ss:[ebp-4],6 |
00A88291 | 50 | push eax |
00A88292 | 8D4D | lea ecx,dword ptr ss:[ebp-38] |
00A88295 | FF15 | call dword ptr ds:[<&??0QByteArray@@QAE@ABV0@@Z>] | byte array
00A8829B | 8BF0 | mov esi,eax |
00A8829D | C745 | mov dword ptr ss:[ebp-18],D | D:'\r'
00A882A4 | 8D45 | lea eax,dword ptr ss:[ebp-E] |
00A882A7 | 6A 3E | push 3E |
00A882A9 | 50 | push eax |
00A882AA | FF15 | call dword ptr ds:[<&?fromAscii@QChar@@SA?AV1@D@Z>] | this should be a transcoding function, e.g. narrow bytes to wide characters; let's understand it that way for now, you get what I mean
00A882B0 | 83C4 | add esp,8 |
00A882B3 | 66:8B | mov cx,word ptr ds:[eax] |
00A882B6 | 66:89 | mov word ptr ss:[ebp-14],cx |
00A882BA | 8D4D | lea ecx,dword ptr ss:[ebp-38] |
00A882BD | FF75 | push dword ptr ss:[ebp-14] |
00A882C0 | 6A 00 | push 0 |
00A882C2 | FF15 | call dword ptr ds:[<&?insert@QString@@QAEAAV1@HVQChar@@@Z>] | insert a string..
00A882C8 | 56 | push esi |
00A882C9 | 8D4D | lea ecx,dword ptr ss:[ebp-34] |
00A882CC | C645 | mov byte ptr ss:[ebp-4],7 |
00A882D0 | FF15 | call dword ptr ds:[<&??0QByteArray@@QAE@ABV0@@Z>] |
00A882D6 | 6A FF | push FFFFFFFF |
00A882D8 | 8BF0 | mov esi,eax |
00A882DA | C745 | mov dword ptr ss:[ebp-18],1D |
00A882E1 | 8D45 | lea eax,dword ptr ss:[ebp-4C] |
00A882E4 | 68 28 | push 1082C28 | 1082C28:L";"
00A882E9 | 50 | push eax |
00A882EA | FF15 | call dword ptr ds:[<&?fromUtf8@QString@@SA?AV1@PBDH@Z>] | convert to utf8
00A882F0 | 83C4 | add esp,C |
00A882F3 | 50 | push eax |
00A882F4 | 8D4D | lea ecx,dword ptr ss:[ebp-34] |
00A882F7 | C645 | mov byte ptr ss:[ebp-4],8 |
00A882FB | FF15 | call dword ptr ds:[<&?append@QString@@QAEAAV1@ABV1@@Z>] | append it~~ because the length of the registration code I enter changes every time~~
00A88301 | 8D4D | lea ecx,dword ptr ss:[ebp-4C] |
00A88304 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A8830A | 56 | push esi |
00A8830B | 8D4D | lea ecx,dword ptr ss:[ebp-30] |
00A8830E | C645 | mov byte ptr ss:[ebp-4],9 | 9:'\t'
00A88312 | FF15 | call dword ptr ds:[<&??0QByteArray@@QAE@ABV0@@Z>] |
00A88318 | 8D45 | lea eax,dword ptr ss:[ebp-12] |
00A8831B | C745 | mov dword ptr ss:[ebp-18],3D | 3D:'='
00A88322 | 6A 23 | push 23 |
00A88324 | 50 | push eax |
00A88325 | FF15 | call dword ptr ds:[<&?fromAscii@QChar@@SA?AV1@D@Z>] |
00A8832B | 83C4 | add esp,8 |
00A8832E | 8D4D | lea ecx,dword ptr ss:[ebp-30] |
00A88331 | 0FB70 | movzx eax,word ptr ds:[eax] |
00A88334 | 50 | push eax |
00A88335 | FF15 | call dword ptr ds:[<&?append@QString@@QAEAAV1@VQChar@@@Z>] |
00A8833B | 8D4D | lea ecx,dword ptr ss:[ebp-34] |
00A8833E | C745 | mov dword ptr ss:[ebp-4],7 |
00A88345 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A8834B | 8D4D | lea ecx,dword ptr ss:[ebp-38] |
00A8834E | C745 | mov dword ptr ss:[ebp-18],7 |
00A88355 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A8835B | 8D4D | lea ecx,dword ptr ss:[ebp-3C] |
00A8835E | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A88364 | 8D4D | lea ecx,dword ptr ss:[ebp-2C] |
00A88367 | E8 94 | call <sub_6AD400> |
00A8836C | 8D4D | lea ecx,dword ptr ss:[ebp-44] |
00A8836F | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A88375 | C645 | mov byte ptr ss:[ebp-4],A | A:'\n'
00A88379 | 8B4F | mov ecx,dword ptr ds:[edi+10] | ecx:&"0{o"
00A8837C | 8D45 | lea eax,dword ptr ss:[ebp-30] |
00A8837F | 50 | push eax |
00A88380 | FF15 | call dword ptr ds:[<&?setInputMask@QLineEdit@@QAEXABVQString@@@Z | sets the input mask; the '#' characters mask off the registration code the user types
00A88386 | 8D4D | lea ecx,dword ptr ss:[ebp-30] |
00A88389 | C645 | mov byte ptr ss:[ebp-4],2 |
00A8838D | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
00A88393 | 6A 30 | push 30 |
00A88395 | E8 90 | call <sub_F11A2A> |
00A8839A | 8BF0 | mov esi,eax |
00A8839C | 83C4 | add esp,4 |
00A8839F | 8975 | mov dword ptr ss:[ebp+8],esi |
00A883A2 | 85F6 | test esi,esi |
00A883A4 | 74 70 | je A88416 |
00A883A6 | 8D85 | lea eax,dword ptr ss:[ebp-84] |
00A883AC | C785 | mov dword ptr ss:[ebp-84],<&sub_A88FA0> |
00A883B6 | 897D | mov dword ptr ss:[ebp-80],edi |
00A883B9 | 8945 | mov dword ptr ss:[ebp-60],eax |
00A883BC | 6A 00 | push 0 |
00A883BE | 8BCE | mov ecx,esi | ecx:&"0{o"
00A883C0 | C645 | mov byte ptr ss:[ebp-4],C | C:'\f'
00A883C4 | FF15 | call dword ptr ds:[<&??0QValidator@@QAE@PAVQObject@@@Z>] | looked it up on Baidu: a custom derived class, ignore it
00A883CA | 8D4E | lea ecx,dword ptr ds:[esi+8] | ecx:&"0{o"
00A883CD | C706 | mov dword ptr ds:[esi],<&JMP.&?metaObject@QValidator@ | 1B10A40:"\\嬸"
00A883D3 | 894D | mov dword ptr ss:[ebp-4C],ecx |
00A883D6 | C741 | mov dword ptr ds:[ecx+24],0 |
00A883DD | 8B55 | mov edx,dword ptr ss:[ebp-60] |
00A883E0 | C645 | mov byte ptr ss:[ebp-4],E |
00A883E4 | 85D2 | test edx,edx | edx:"0{o"
00A883E6 | 74 30 | je A88418 |
00A883E8 | 8B02 | mov eax,dword ptr ds:[edx] | edx:"0{o"
00A883EA | 51 | push ecx | ecx:&"0{o"
00A883EB | 8BCA | mov ecx,edx | ecx:&"0{o", edx:"0{o""
00A883ED | FF10 | call dword ptr ds:[eax] |
00A883EF | 8946 | mov dword ptr ds:[esi+2C],eax |
00A883F2 | 8B4D | mov ecx,dword ptr ss:[ebp-60] |
00A883F5 | 85C9 | test ecx,ecx | ecx:&"0{o"
00A883F7 | 74 1F | je A88418 |
00A883F9 | 8B11 | mov edx,dword ptr ds:[ecx] | edx:"0{o", [ecx]:"0{o"
00A883FB | 8D85 | lea eax,dword ptr ss:[ebp-84] |
00A88401 | 3BC8 | cmp ecx,eax | ecx:&"0{o"
00A88403 | 0F95C | setne al |
00A88406 | 0FB6C | movzx eax,al |
00A88409 | 50 | push eax |
00A8840A | FF52 | call dword ptr ds:[edx+10] | [edx+10]:sub_F0F60D
00A8840D | C745 | mov dword ptr ss:[ebp-60],0 |
00A88414 | EB 02 | jmp A88418 |
00A88416 | 33F6 | xor esi,esi |
00A88418 | 8B4F | mov ecx,dword ptr ds:[edi+10] | ecx:&"0{o"
00A8841B | 56 | push esi |
00A8841C | C645 | mov byte ptr ss:[ebp-4],2 |
00A88420 | FF15 | call dword ptr ds:[<&?setValidator@QLineEdit@@QAEXPBVQValidator@ |
00A88426 | 8B4F | mov ecx,dword ptr ds:[edi+10] | ecx:&"0{o"
00A88429 | 6A 00 | push 0 |
00A8842B | FF15 | call dword ptr ds:[<&?blockSignals@QObject@@QAE_N_N@Z>] |
00A88431 | 8B4F | mov ecx,dword ptr ds:[edi+10] | ecx:&"0{o"
00A88434 | 6A 07 | push 7 |
00A88436 | FF15 | call dword ptr ds:[<&?setFocus@QWidget@@QAEXW4FocusReason@Qt@@@Z | set keyboard focus
00A8843C | A1 94 | mov eax,dword ptr ds:[<&?textChanged@QLineEdit@@QAEXABVQString@@ | when the text changes
00A88441 | 8B77 | mov esi,dword ptr ds:[edi+10] |
00A88444 | 6A 0C | push C |
00A88446 | C645 | mov byte ptr ss:[ebp-4],F |
00A8844A | 8945 | mov dword ptr ss:[ebp-48],eax |
00A8844D | C745 | mov dword ptr ss:[ebp-44],0 |
00A88454 | E8 D1 | call <sub_F11A2A> |
00A88459 | 83C4 | add esp,4 |
00A8845C | 8945 | mov dword ptr ss:[ebp-4C],eax |
00A8845F | 85C0 | test eax,eax |
00A88461 | 74 12 | je A88475 |
00A88463 | C700 | mov dword ptr ds:[eax],1 |
00A88469 | C740 | mov dword ptr ds:[eax+4],<sub_A894C0> | we arrive here~~ this is the top level~~
00A88470 | 8978 | mov dword ptr ds:[eax+8],edi |
00A88473 | EB 02 | jmp A88477 |
00A88475 | 33C0 | xor eax,eax |
00A88477 | FF35 | push dword ptr ds:[<&?staticMetaObject@QLineEdit@@2UQMetaObject@ | 0106E1E0:&"減Qj P>j╒>j痃!j"
00A8847D | 6A 00 | push 0 |
00A8847F | 6A 01 | push 1 |
00A88481 | 50 | push eax |
00A88482 | 6A 00 | push 0 |
00A88484 | 56 | push esi |
00A88485 | 8D45 | lea eax,dword ptr ss:[ebp-48] |
00A88488 | 50 | push eax |
00A88489 | 56 | push esi |
00A8848A | 8B35 | mov esi,dword ptr ds:[<&?connectImpl@QObject@@CA?AVConnection@QM |
00A88490 | 8D45 | lea eax,dword ptr ss:[ebp+8] |
00A88493 | 50 | push eax |
00A88494 | FFD6 | call esi |
00A88496 | 83C4 | add esp,20 |
00A88499 | C745 | mov dword ptr ss:[ebp-18],1C7 |
00A884A0 | 8D45 | lea eax,dword ptr ss:[ebp+8] |
00A884A3 | 8BCC | mov ecx,esp |
00A884A5 | 50 | push eax |
00A884A6 | FF15 | call dword ptr ds:[<&??0Connection@QMetaObject@@QAE@ABV01@@Z>] |
00A884AC | 8D4F | lea ecx,dword ptr ds:[edi+68] | ecx:&"0{o"
00A884AF | E8 8C | call <sub_F01F40> |
00A884B4 | 8D4D | lea ecx,dword ptr ss:[ebp+8] |
00A884B7 | C745 | mov dword ptr ss:[ebp-18],187 |
00A884BE | C645 | mov byte ptr ss:[ebp-4],2 |
00A884C2 | FF15 | call dword ptr ds:[<&??1Connection@QMetaObject@@QAE@XZ>] |
00A884C8 | 6A 1C | push 1C |
00A884CA | E8 5B | call <sub_F11A2A> |
00A884CF | 83C4 | add esp,4 |
00A884D2 | 8945 | mov dword ptr ss:[ebp+8],eax |
00A884D5 | C645 | mov byte ptr ss:[ebp-4],10 |
00A884D9 | 85C0 | test eax,eax |
00A884DB | 74 0C | je A884E9 |
00A884DD | FF77 | push dword ptr ds:[edi+10] |
00A884E0 | 8BC8 | mov ecx,eax | ecx:&"0{o"
00A884E2 | E8 C9 | call <sub_DBFEB0> |
00A884E7 | EB 02 | jmp A884EB |
00A884E9 | 33C0 | xor eax,eax |
00A884EB | 0F280 | movaps xmm0,xmmword ptr ds:[1B091F0] |
00A884F2 | 8D4D | lea ecx,dword ptr ss:[ebp-58] |
00A884F5 | 51 | push ecx | ecx:&"0{o"
00A884F6 | FF77 | push dword ptr ds:[edi+10] |
00A884F9 | 8BC8 | mov ecx,eax | ecx:&"0{o"
00A884FB | C645 | mov byte ptr ss:[ebp-4],2 |
00A884FF | 8947 | mov dword ptr ds:[edi+64],eax |
00A88502 | 0F114 | movups xmmword ptr ss:[ebp-58],xmm0 |
00A88506 | E8 F5 | call <sub_DC0200> |
00A8850B | 8B4F | mov ecx,dword ptr ds:[edi+64] | ecx:&"0{o"
00A8850E | 6A 00 | push 0 |
00A88510 | E8 8B | call <sub_DC09A0> |
00A88515 | 6A FF | push FFFFFFFF |
00A88517 | 6A 00 | push 0 |
00A88519 | 68 78 | push 1B10A78 | 1B10A78:"If you do not have a license, you can <a>buy your license</a> online."
00A8851E | 8D45 | lea eax,dword ptr ss:[ebp-28] |
00A88521 | 68 10 | push 1B10A10 | 1B10A10:"EnterLicenseWidget"
00A88526 | 50 | push eax |
00A88527 | FF15 | call dword ptr ds:[<&?translate@QCoreApplication@@SA?AVQString@@ |
00A8852D | 6A 0A | push A |
00A8852F | 68 C0 | push 1B10AC0 | 1B10AC0:"<a href=#>"
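As an added reading aid (this is not code from the post), the following Python reconstructs the input mask that the listing above assembles from QString/QChar calls and applies Qt's documented mask rules to it; it shows why the earlier function compares the line-edit text length with 0x1A (26): 24 alphanumeric positions plus the two literal dashes. The mask semantics (`N`, `>`, `;c`) come from the QLineEdit::inputMask documentation; the simulation of how QLineEdit fills the mask is a simplification and an assumption of this example.

```python
# Added example, not from the post: rebuild the input mask the disassembly constructs
# and simulate Qt's mask handling to explain the "cmp esi,1A" length check.
# Mask rules (from the Qt QLineEdit::inputMask docs):
#   N  = ASCII alphanumeric character required
#   >  = uppercase all following input
#   ;c = blank character c shown in unfilled positions (here '#')
#   any other character is a literal (the '-' group separator)

def build_mask() -> str:
    """Mirror the call sequence in the listing."""
    groups = ["N" * 8 for _ in range(3)]   # QString(8, QChar('N')) appended to a QStringList 3 times
    mask = "-".join(groups)                # QStringList_join(list, QChar('-'))
    mask = ">" + mask                      # QString::insert(0, QChar::fromAscii('>'))
    mask += ";"                            # QString::append(QString::fromUtf8(";"))
    mask += "#"                            # QString::append(QChar::fromAscii('#'))
    return mask


def split_mask(mask: str):
    """Split 'pattern;blank' into the pattern and the blank character (default: space)."""
    pattern, _, blank = mask.partition(";")
    return pattern, (blank or " ")


def apply_mask(mask: str, typed: str):
    """Simplified simulation (assumption): the user types only the alphanumeric
    characters, the mask supplies the separators.  Returns (display_text, stripped_text),
    roughly what QLineEdit::displayText() and QLineEdit::text() would give: the display
    keeps the blank character in unfilled positions, the stripped text drops it."""
    pattern, blank = split_mask(mask)
    chars = iter(typed)
    display = []
    upper = False
    for m in pattern:
        if m == ">":
            upper = True                   # uppercase everything from here on
            continue
        if m == "N":
            c = next((ch for ch in chars if ch.isascii() and ch.isalnum()), None)
            display.append(blank if c is None else (c.upper() if upper else c))
        else:
            display.append(m)              # literal separator
    text = "".join(display)
    return text, text.replace(blank, "")


def mask_text_length(mask: str, typed: str) -> int:
    """Length of the stripped text, i.e. what the validating function compares with 0x1A."""
    return len(apply_mask(mask, typed)[1])


if __name__ == "__main__":
    mask = build_mask()
    print(mask)                                            # >NNNNNNNN-NNNNNNNN-NNNNNNNN;#
    print(mask_text_length(mask, "abcdefgh12345678ABCDEFGH"))  # 26 == 0x1A
    print(apply_mask(mask, "abc"))                         # partially filled: blanks shown as '#'
```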
Then let's try to break on the small icon.
Alt+E, search for ico; it turns out several of them break.
6981FAA0 | 8B11 | mov edx,dword ptr ds:[ecx] ??1QIcon@@QEXXY
But since I'm not yet proficient with Qt programs (at the very least you need to write a simple Qt program and crack it yourself to get a feel for the territory), I didn't work out the key point here; I only saw part of the strings around where the registration code is read.
Let's take another approach: start from the moment just before the top-level window appears.
After a good deal of twists and turns we arrive at the following place
remote Activation And Trial Init (remote activation and trial initialization)
There are several JCC jumps above; after modifying them the program crashed, apparently skipping too much at once.
Arriving at the place above, it turns out it enters a DLL; modifying it had no effect~~
Check the About dialog again, and we find the word [Demo].
[Asm]
012DCD40 | 55 | push ebp | ============================》 I only care about its common call site
012DCD41 | 8BEC | mov ebp,esp |
012DCD43 | 6A FF | push FFFFFFFF |
012DCD45 | 68 57877E01 | push 7.17E8757 |
012DCD4A | 64:A1 00000000 | mov eax,dword ptr fs:[0] |
012DCD50 | 50 | push eax |
012DCD51 | 83EC 08 | sub esp,8 |
012DCD54 | 56 | push esi |
012DCD55 | A1 3484A002 | mov eax,dword ptr ds:[2A08434] |
012DCD5A | 33C5 | xor eax,ebp |
012DCD5C | 50 | push eax |
012DCD5D | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] |
012DCD60 | 64:A3 00000000 | mov dword ptr fs:[0],eax |
012DCD66 | 8BF1 | mov esi,ecx |
012DCD68 | 8B46 04 | mov eax,dword ptr ds:[esi+4] |
012DCD6B | 80B8 C4000000 00 | cmp byte ptr ds:[eax+C4],0 |======================================》 this is the only line I care about
012DCD72 | 74 43 | je 7.12DCDB7 |======》》》》》》》》》》》》》》 if it doesn't jump, the asterisks below are displayed
012DCD74 | 8D88 C8000000 | lea ecx,dword ptr ds:[eax+C8] |
012DCD7A | 8B01 | mov eax,dword ptr ds:[ecx] |
012DCD7C | 8378 04 00 | cmp dword ptr ds:[eax+4],0 |======================================》 this is the only line I care about
012DCD80 | 74 35 | je 7.12DCDB7 ||======》》》》》》》》》》》》》》 if it doesn't jump, the asterisks below are displayed
012DCD82 | 6A 08 | push 8 |
012DCD84 | 6A 00 | push 0 |
012DCD86 | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] |
012DCD89 | 50 | push eax |
012DCD8A | FF15 9CC08701 | call dword ptr ds:[<&?mid@QString@@QBE?AV1 |
012DCD90 | 6A 01 | push 1 |
012DCD92 | 68 5C653202 | push 7.232655C | 232655C:"-********-********" See this string? A typical telltale, matching what's recorded in my 冥王秘传 notes; I keep a little notebook...
That is, in the registered version the content is displayed as asterisks.
012DCD97 | 8BC8 | mov ecx,eax |
012DCD99 | C745 FC 00000000 | mov dword ptr ss:[ebp-4],0 |
012DCDA0 | FF15 04BF8701 | call dword ptr ds:[<&??YQString@@QAEAAV0@P |
012DCDA6 | 8B4E 04 | mov ecx,dword ptr ds:[esi+4] |
012DCDA9 | 50 | push eax |
012DCDAA | 83C1 50 | add ecx,50 |
012DCDAD | E8 5EBC2D00 | call <7.sub_15B8A10> |
012DCDB2 | 8D4D F0 | lea ecx,dword ptr ss:[ebp-10] |
012DCDB5 | EB 33 | jmp 7.12DCDEA |
012DCDB7 | 6A FF | push FFFFFFFF |
012DCDB9 | 6A 00 | push 0 |
012DCDBB | 68 70653202 | push 7.2326570 | 2326570:"Demo"
012DCDC0 | 8D45 EC | lea eax,dword ptr ss:[ebp-14] |
012DCDC3 | 68 10753002 | push 7.2307510 | 2307510:"AboutDialog"
Through a cross-module search, we finally locked onto days
00330770 | B8 1E000000 | mov eax,1E | I changed it to 10000 days; of course FFFFFFFF would last a lifetime too.
Turning it into a registered version is really dizzying; I can't manage it, so let's stop here for now.
2021.1.31: not giving up, back for another round... continued~~
Before searching for [trial mode], first go to the language folder and move all QM files except the English one into the Recycle Bin.
We then get the execution flow below
[Asm]
00A46D17 | 68 C006AD01 | push <aTry> | 1AD06C0:"Try"
00A46D1C | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] |
00A46D1F | 68 4C06AD01 | push <aDemowidget> | 1AD064C:"DemoWidget"
00A46D24 | 50 | push eax |
00A46D25 | FFD7 | call edi |
00A46D27 | 83C4 14 | add esp,14 |
00A46D2A | 8B4B 44 | mov ecx,dword ptr ds:[ebx+44] |
00A46D2D | 50 | push eax |
00A46D2E | C745 FC 07000000 | mov dword ptr ss:[ebp-4],7 |
00A46D35 | FFD6 | call esi |
00A46D37 | 8D4D F0 | lea ecx,dword ptr ss:[ebp-10] |
00A46D3A | C745 FC FFFFFFFF | mov dword ptr ss:[ebp-4],FFFFFFFF |
00A46D41 | FF15 80C40201 | call dword ptr ds:[<&??1QString@@QAE@XZ |
00A46D47 | 6A FF | push FFFFFFFF |
00A46D49 | 6A 00 | push 0 |
00A46D4B | 68 C406AD01 | push <aBuyNow> | 1AD06C4:"Buy now"
Then combine this with the [license mode] found above.
Finally we arrive at the code above; not far below it connects to the call for the first [trial window].
Finally, modify it as shown in the figure, and we get past all of those startup windows.
A 10000-day trial, isn't 28 years enough? As for registration and how to navigate Qt programs, I'll analyze that once I've found the knack. OK, that's it for now.