大漠插件破解器逆向思路

灵剑丹心 · 发表于 2023-1-21 21:17

本帖最后由灵剑丹心于 2023-2-2 13:16 编辑

大漠7.1753版本被某人破解了，但是破解的功能写在了加了vmp的xdyl.dll里

，vmp搞不定，如果知道这个dll用的什么api函数破解的，hook这个函数把参数输出看一下可能有所帮助，但就是不知道关键的api

我想知道怎么破的，希望能写出易语言破解源码，因为它这个dll有使用限制，被作者加了验证，有的说调用它破解大漠写的软件多久后会闪退

这个在线文本疑似就是控制软件能否使用的配置文件，不过已经访问不到了

这是dll公开的破解接口

原破解者提供的使用代码，注释里说破解后会随机生成一个名字的dll，用火绒监控看了下其实只是把大漠的dll重命名成一个随机名字而已，前后dll文件文件md5都一样的

现在就是不知道重命名之后做了什么操作，

，但根据之前老版本的破解代码

（网上找到的）也就是往dll模块地址+xxx的地方写入1字节就行了，而且此dll好像还注入了别的系统进程rundll32

看看大家有什么想法能够还原出破解代码，附件太大我上传到 123pan.com/s/mNiA-mxv43

找到了没加壳的xydl.dll，依然有混淆代码，但是发现了

传参expconfig字符串，感觉是扫描本机漏洞来利用

灵剑丹心 · 发表于 2023-2-2 18:29

本帖最后由灵剑丹心于 2023-2-2 18:32 编辑

[Asm] 纯文本查看 复制代码

00E221A4                       | A3 00D7F300                        | mov dword ptr ds:[0xF3D700],eax                |
00E221A9                       | 833D 00D7F300 00                   | cmp dword ptr ds:[0xF3D700],0x0                |
00E221B0                       | 0F8E 27000000                      | jle xdyl.E221DD                                | 未执行转移
00E221B6                       | DB05 00D7F300                      | fild st(0),dword ptr ds:[0xF3D700]             | 什么操作
00E221BC                       | DD5D F4                            | fstp qword ptr ss:[ebp-0xC],st(0)              |
00E221BF                       | DD45 F4                            | fld st(0),qword ptr ss:[ebp-0xC]               |
00E221C2                       | DC0D C230F000                      | fmul st(0),qword ptr ds:[0xF030C2]             |
00E221C8                       | DD5D EC                            | fstp qword ptr ss:[ebp-0x14],st(0)             |
00E221CB                       | DD45 EC                            | fld st(0),qword ptr ss:[ebp-0x14]              |
00E221CE                       | E8 43FAFFFF                        | call xdyl.E21C16                               |
00E221D3                       | A3 00D7F300                        | mov dword ptr ds:[0xF3D700],eax                |
00E221D8                       | E9 1C000000                        | jmp xdyl.E221F9                                |
00E221DD                       | C745 F8 00000000                   | mov dword ptr ss:[ebp-0x8],0x0                 |
00E221E4                       | 6A 00                              | push 0x0                                       |
00E221E6                       | FF75 F8                            | push dword ptr ss:[ebp-0x8]                    |
00E221E9                       | 68 02000000                        | push 0x2                                       |
00E221EE                       | E8 FDFAFFFF                        | call <xdyl.sub_E21CF0>                         |
00E221F3                       | 59                                 | pop ecx                                        |
00E221F4                       | E9 72FFFFFF                        | jmp xdyl.E2216B                                |
00E221F9                       | 83C4 04                            | add esp,0x4                                    |
00E221FC                       | 833D 00D7F300 00                   | cmp dword ptr ds:[0xF3D700],0x0                |
00E22203                       | 0F85 3A000000                      | jne xdyl.E22243                                | 执行转移
00E22209                       | 6A 01                              | push 0x1                                       |
00E2220B                       | 68 64000000                        | push 0x64                                      |
00E22210                       | 68 32000000                        | push 0x32                                      |
00E22215                       | E8 D6FAFFFF                        | call <xdyl.sub_E21CF0>                         |
00E2221A                       | 68 010100A0                        | push 0xA0000101                                |
00E2221F                       | 6A 00                              | push 0x0                                       |
00E22221                       | 68 CA30F000                        | push xdyl.F030CA                               |
00E22226                       | 68 01000000                        | push 0x1                                       |
00E2222B                       | BB 60D2E200                        | mov ebx,<xdyl.sub_E2D260>                      |
00E22230                       | E8 3F9B0000                        | call <xdyl.sub_E2BD74>                         |
00E22235                       | 83C4 10                            | add esp,0x10                                   |
00E22238                       | 8945 F8                            | mov dword ptr ss:[ebp-0x8],eax                 |
00E2223B                       | 8B45 F8                            | mov eax,dword ptr ss:[ebp-0x8]                 |
00E2223E                       | E9 C80A0000                        | jmp xdyl.E22D0B                                |
00E22243                       | DB05 00D7F300                      | fild st(0),dword ptr ds:[0xF3D700]             | 什么操作
00E22249                       | DD5D F4                            | fstp qword ptr ss:[ebp-0xC],st(0)              |
00E2224C                       | DD45 F4                            | fld st(0),qword ptr ss:[ebp-0xC]               |
00E2224F                       | DC35 C230F000                      | fdiv st(0),qword ptr ds:[0xF030C2]             |
00E22255                       | DD5D EC                            | fstp qword ptr ss:[ebp-0x14],st(0)             |
00E22258                       | DD45 EC                            | fld st(0),qword ptr ss:[ebp-0x14]              |
00E2225B                       | DC25 F030F000                      | fsub st(0),qword ptr ds:[0xF030F0]             |
00E22261                       | D9E4                               | ftst                                           |
00E22263                       | DFE0                               | fnstsw ax                                      |
00E22265                       | F6C4 01                            | test ah,0x1                                    |
00E22268                       | 74 02                              | je xdyl.E2226C                                 |
00E2226A                       | D9E0                               | fchs                                           |
00E2226C                       | DC1D F830F000                      | fcomp st(0),qword ptr ds:[0xF030F8]            |
00E22272                       | DFE0                               | fnstsw ax                                      |
00E22274                       | F6C4 41                            | test ah,0x41                                   |
00E22277                       | 0F84 44000000                      | je xdyl.E222C1                                 |

揰掵佲 · 发表于 2023-1-22 06:06

[Asm] 纯文本查看 复制代码

8C3C68====={163,8,217,139,0,137,29,12,217,139,0,137,13,16,217,139,0,137,21,20,217,139,0,137,61,24,217,139,0,137,53,28,217,139,0,137,45,32,217,139,0,137,37,36,217,139,0,96,184,231,144,0,16,255,208,97,141,76,36,48,81,233,203,255,124,7}

008C3C68 - A3 08D98B00           - mov [008BD908],eax { (0) }
008C3C6D - 89 1D 0CD98B00        - mov [008BD90C],ebx { (0) }
008C3C73 - 89 0D 10D98B00        - mov [008BD910],ecx { (0) }
008C3C79 - 89 15 14D98B00        - mov [008BD914],edx { (0) }
008C3C7F - 89 3D 18D98B00        - mov [008BD918],edi { (0) }
008C3C85 - 89 35 1CD98B00        - mov [008BD91C],esi { (0) }
008C3C8B - 89 2D 20D98B00        - mov [008BD920],ebp { (0) }
008C3C91 - 89 25 24D98B00        - mov [008BD924],esp { (0) }
008C3C97 - 60                    - pushad 
008C3C98 - B8 E7900010           - mov eax,xdyl.dll+90E7 { (86) }
008C3C9D - FF D0                 - call eax
008C3C9F - 61                    - popad 
008C3CA0 - 8D 4C 24 30           - lea ecx,[esp+30]
008C3CA4 - 51                    - push ecx
008C3CA5 - E9 CBFF7C07           - jmp fAAkm3439.dll+33C75


8093C70====={233,243,255,130,248}
fAAkm3439.dll+33C70 - E9 F3FF82F8           - jmp 008C3C68


83BEA02====={1,0,0,0}
83BEA06====={1,0,0,0}
83BEA0A====={1,0,0,0}
83BEA0E====={1,0,0,0}
83BEA12====={1,0,0,0}
83BEA16====={1,0,0,0}
83BEA1A====={1,0,0,0}
83BEA1E====={1,0,0,0}
83BEA22====={1,0,0,0}
83BEA26====={1,0,0,0}
83BEA2A====={1,0,0,0}
83BEA2E====={1,0,0,0}
83BEA32====={1,0,0,0}
83BEA36====={1,0,0,0}
83BEA3A====={1,0,0,0}
83BEA3E====={1,0,0,0}
83BEA42====={1,0,0,0}
83BEA46====={1,0,0,0}
83BEA4A====={1,0,0,0}
83BEA4E====={1,0,0,0}
83BEA52====={78,9,176,8}
83BEA56====={211,195,175,8}
83BEA5A====={5,154,175,8}
83BEA5E====={96,139,175,8}
83BEA62====={235,139,175,8}
83BEA66====={37,187,175,8}
83BEA6A====={212,206,175,8}
83BEA6E====={227,211,175,8}
83BEA72====={205,215,175,8}
83BEA76====={126,216,175,8}
83BEA7A====={14,160,175,8}
83BEA7E====={165,223,175,8}
83BEA82====={122,196,175,8}
83BEA86====={217,183,175,8}
83BEA8A====={20,146,175,8}
83BEA8E====={143,216,175,8}
83BEA92====={10,239,175,8}
83BEA96====={130,241,175,8}
83BEA9A====={82,205,175,8}
83BEA9E====={109,177,175,8}
83BEAA2====={230,250,175,8}
83BEAA6====={202,231,175,8}
83BEAAA====={33,5,176,8}
83BEAAE====={68,1,176,8}
83BEAB2====={208,207,175,8}
83BEAB6====={255,156,175,8}
83BEABA====={236,197,175,8}
83BEABE====={230,168,175,8}
83BEAC2====={36,249,175,8}
83BEAC6====={155,165,175,8}

fAAkm3439.dll+35EA02 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA04 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA06 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA08 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA0A - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA0C - 00 00                 - add [eax],al
fAAkm3439.dll+35EA0E - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA10 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA12 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA14 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA16 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA18 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA1A - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA1C - 00 00                 - add [eax],al
fAAkm3439.dll+35EA1E - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA20 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA22 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA24 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA26 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA28 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA2A - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA2C - 00 00                 - add [eax],al
fAAkm3439.dll+35EA2E - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA30 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA32 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA34 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA36 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA38 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA3A - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA3C - 00 00                 - add [eax],al
fAAkm3439.dll+35EA3E - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA40 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA42 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA44 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA46 - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA48 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA4A - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA4C - 00 00                 - add [eax],al
fAAkm3439.dll+35EA4E - 01 00                 - add [eax],eax
fAAkm3439.dll+35EA50 - 00 00                 - add [eax],al
fAAkm3439.dll+35EA52 - 4E                    - dec esi
fAAkm3439.dll+35EA53 - 09 B0 08D3C3AF        - or [eax-503C2CF8],esi
fAAkm3439.dll+35EA59 - 08 05 9AAF0860        - or [6008AF9A],al { 1611181978 }
fAAkm3439.dll+35EA5F - 8B AF 08EB8BAF        - mov ebp,[edi-507414F8]
fAAkm3439.dll+35EA65 - 08 25 BBAF08D4        - or [D408AFBB],ah { -737628229 }
fAAkm3439.dll+35EA6B - CE                    - into 
fAAkm3439.dll+35EA6C - AF                    - scasd 
fAAkm3439.dll+35EA6D - 08 E3                 - or bl,ah
fAAkm3439.dll+35EA6F - D3 AF 08CDD7AF        - shr [edi-502832F8],cl
fAAkm3439.dll+35EA75 - 08 7E D8              - or [esi-28],bh
fAAkm3439.dll+35EA78 - AF                    - scasd 
fAAkm3439.dll+35EA79 - 08 0E                 - or [esi],cl
fAAkm3439.dll+35EA7B - A0 AF08A5DF           - mov al,[DFA508AF] { -542832465 }
fAAkm3439.dll+35EA80 - AF                    - scasd 
fAAkm3439.dll+35EA81 - 08 7A C4              - or [edx-3C],bh
fAAkm3439.dll+35EA84 - AF                    - scasd 
fAAkm3439.dll+35EA85 - 08 D9                 - or cl,bl
fAAkm3439.dll+35EA87 - B7 AF                 - mov bh,-51 { 175 }
fAAkm3439.dll+35EA89 - 08 14 92              - or [edx+edx*4],dl
fAAkm3439.dll+35EA8C - AF                    - scasd 
fAAkm3439.dll+35EA8D - 08 8F D8AF080A        - or [edi+0A08AFD8],cl
fAAkm3439.dll+35EA93 - EF                    - out dx,eax
fAAkm3439.dll+35EA94 - AF                    - scasd 
fAAkm3439.dll+35EA95 - 08 82 F1AF0852        - or [edx+5208AFF1],al
fAAkm3439.dll+35EA9B - CD AF                 - int -51 { 175 }
fAAkm3439.dll+35EA9D - 08 6D B1              - or [ebp-4F],ch
fAAkm3439.dll+35EAA0 - AF                    - scasd 
fAAkm3439.dll+35EAA1 - 08 E6                 - or dh,ah
fAAkm3439.dll+35EAA3 - FA                    - cli 
fAAkm3439.dll+35EAA4 - AF                    - scasd 
fAAkm3439.dll+35EAA5 - 08 CA                 - or dl,cl
fAAkm3439.dll+35EAA7 - E7 AF                 - out -51,eax { 175 }
fAAkm3439.dll+35EAA9 - 08 21                 - or [ecx],ah
fAAkm3439.dll+35EAAB - 05 B0084401           - add eax,014408B0 { 21235888 }
fAAkm3439.dll+35EAB0 - B0 08                 - mov al,08 { 8 }
fAAkm3439.dll+35EAB2 - D0 CF                 - ror bh,1
fAAkm3439.dll+35EAB4 - AF                    - scasd 
fAAkm3439.dll+35EAB5 - 08 FF                 - or bh,bh
fAAkm3439.dll+35EAB7 - 9C                    - pushfd 
fAAkm3439.dll+35EAB8 - AF                    - scasd 
fAAkm3439.dll+35EAB9 - 08 EC                 - or ah,ch
fAAkm3439.dll+35EABB - C5AF08                - invd 
fAAkm3439.dll+35EABE - E6 A8                 - out -58,al { 168 }
fAAkm3439.dll+35EAC0 - AF                    - scasd 
fAAkm3439.dll+35EAC1 - 08 24 F9              - or [ecx+edi*8],ah
fAAkm3439.dll+35EAC4 - AF                    - scasd 
fAAkm3439.dll+35EAC5 - 08 9B A5AF0800        - or [ebx+0008AFA5],bl

jy3318007 · 发表于 2023-1-22 04:19

买个正版的大漠也用不了几个钱啊？需要去使用破解？

WZL1188888 · 发表于 2023-1-22 10:02

新春快乐！也祝自己在新的一年里学到一些知识。

myxyvip · 发表于 2023-1-22 10:10

jy3318007 发表于 2023-1-22 04:19
买个正版的大漠也用不了几个钱啊？需要去使用破解？

正版有时候注册不了，必须要网络！做不了本地的脚本

zg2600 · 发表于 2023-1-22 12:19

用6.1544

king1027 · 发表于 2023-1-22 13:41

没用，核心代码VMP了

影风 · 发表于 2023-1-25 22:50

哪个功能是绑定收费的功能发我一份调用源码我这边测试一下

灵剑丹心 · 发表于 2023-1-26 16:54

影风发表于 2023-1-25 22:50
哪个功能是绑定收费的功能发我一份调用源码我这边测试一下

传到网盘了，保护盾和绑定后台窗口都是收费的功能

灵剑丹心 · 发表于 2023-1-26 20:02

king1027 发表于 2023-1-22 13:41
没用，核心代码VMP了

找到一个没加vmp的，是upx，能逆向出具体操作吗

帐号		自动登录	找回密码
密码			注册[Register]

[求助] 大漠插件破解器逆向思路

免费评分

浏览过的版块