This post was last edited by speedboy on 2023-11-6 10:22
The patches released by 0day are all VMP-packed, which is no help to beginners like us who want to compare and learn from them! So here is a simple cracking record. The method is not the most elegant, but it is offered for everyone to discuss together.
Step 1: Run the software and the registration window appears. Enter any registration code and confirm, and the string "Invalid registration code. Please try again - ……" appears, so we open x64dbg and load and run the program.
Step 2: In x64dbg, search for the string "Invalid registration code."; once found, double-click it to jump to the disassembly window:
00007FF747D1EA1 | 40:55 | PUSH RBP |
00007FF747D1EA1 | 53 | PUSH RBX |
00007FF747D1EA1 | 56 | PUSH RSI |
00007FF747D1EA1 | 57 | PUSH RDI |
00007FF747D1EA1 | 41:56 | PUSH R14 |
00007FF747D1EA1 | 41:57 | PUSH R15 |
00007FF747D1EA1 | 48:8BEC | MOV RBP,RSP |
00007FF747D1EA1 | 48:83EC 38 | SUB RSP,0x38 |
00007FF747D1EA2 | 48:8BF9 | MOV RDI,RCX |
00007FF747D1EA2 | 0F297C24 20 | MOVAPS XMMWORD PTR SS:[RSP+0x20] |
00007FF747D1EA2 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EA2 | FF15 AE003000 | CALL QWORD PTR DS:[<public: __cd |
00007FF747D1EA3 | 48:8B87 80000000 | MOV RAX,QWORD PTR DS:[RDI+0x80] |
00007FF747D1EA3 | 45:32FF | XOR R15B,R15B |
00007FF747D1EA3 | 8B98 F0000000 | MOV EBX,DWORD PTR DS:[RAX+0xF0] |
00007FF747D1EA4 | 83FB 06 | CMP EBX,0x6 |
00007FF747D1EA4 | 74 1C | JE camerabag pro.7FF747D1EA63 |
00007FF747D1EA4 | 44:38B8 18010000 | CMP BYTE PTR DS:[RAX+0x118],R15B |
00007FF747D1EA4 | 75 13 | JNE camerabag pro.7FF747D1EA63 |
00007FF747D1EA5 | 48:8B4F 58 | MOV RCX,QWORD PTR DS:[RDI+0x58] |
00007FF747D1EA5 | 48:8D97 C0000000 | LEA RDX,QWORD PTR DS:[RDI+0xC0] |
00007FF747D1EA5 | FF15 670A3000 | CALL QWORD PTR DS:[<public: void |
00007FF747D1EA6 | EB 14 | JMP camerabag pro.7FF747D1EA77 |
00007FF747D1EA6 | 48:8B4F 58 | MOV RCX,QWORD PTR DS:[RDI+0x58] |
00007FF747D1EA6 | 48:8D97 C8000000 | LEA RDX,QWORD PTR DS:[RDI+0xC8] |
00007FF747D1EA6 | FF15 540A3000 | CALL QWORD PTR DS:[<public: void |
00007FF747D1EA7 | 41:B7 01 | MOV R15B,0x1 |
00007FF747D1EA7 | 48:8B87 80000000 | MOV RAX,QWORD PTR DS:[RDI+0x80] |
00007FF747D1EA7 | 0F57C0 | XORPS XMM0,XMM0 |
00007FF747D1EA8 | F248:0F2A40 78 | CVTSI2SD XMM0,QWORD PTR DS:[RAX+ |
00007FF747D1EA8 | 48:8D90 20010000 | LEA RDX,QWORD PTR DS:[RAX+0x120] |
00007FF747D1EA8 | F2:0F5905 FAF2A201 | MULSD XMM0,QWORD PTR DS:[0x7FF74 |
00007FF747D1EA9 | 66:0F5AC0 | CVTPD2PS XMM0,XMM0 |
00007FF747D1EA9 | F3:0F1187 98000000 | MOVSS DWORD PTR DS:[RDI+0x98],XM |
00007FF747D1EAA | 48:837A 18 10 | CMP QWORD PTR DS:[RDX+0x18],0x10 |
00007FF747D1EAA | 72 03 | JB camerabag pro.7FF747D1EAAC |
00007FF747D1EAA | 48:8B12 | MOV RDX,QWORD PTR DS:[RDX] |
00007FF747D1EAA | 41:B8 FFFFFFFF | MOV R8D,0xFFFFFFFF |
00007FF747D1EAB | 48:8D4D 48 | LEA RCX,QWORD PTR SS:[RBP+0x48] |
00007FF747D1EAB | FF15 DCFD2F00 | CALL QWORD PTR DS:[<public: stat |
00007FF747D1EAB | 48:8D55 48 | LEA RDX,QWORD PTR SS:[RBP+0x48] |
00007FF747D1EAC | 48:8D8F 90000000 | LEA RCX,QWORD PTR DS:[RDI+0x90] |
00007FF747D1EAC | FF15 ABFD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EAC | 48:8D4D 48 | LEA RCX,QWORD PTR SS:[RBP+0x48] |
00007FF747D1EAD | FF15 99003000 | CALL QWORD PTR DS:[<public: __cd |
00007FF747D1EAD | 80BF EC000000 00 | CMP BYTE PTR DS:[RDI+0xEC],0x0 |
00007FF747D1EAD | 0F57FF | XORPS XMM7,XMM7 |
00007FF747D1EAE | 0F84 9F000000 | JE camerabag pro.7FF747D1EB86 |
00007FF747D1EAE | 83FB 05 | CMP EBX,0x5 |
00007FF747D1EAE | 74 05 | JE camerabag pro.7FF747D1EAF1 |
00007FF747D1EAE | 83FB 02 | CMP EBX,0x2 |
00007FF747D1EAE | 75 11 | JNE camerabag pro.7FF747D1EB02 |
00007FF747D1EAF | 48:8D15 D833A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731ED0]:"Registration successful! Enjoy!"
00007FF747D1EAF | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EAF | FF15 9EFD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB0 | 83FB 01 | CMP EBX,0x1 |
00007FF747D1EB0 | 75 16 | JNE camerabag pro.7FF747D1EB1D |
00007FF747D1EB0 | 48:8D15 E233A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731EF0]:"Validating registration code..."
00007FF747D1EB0 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EB1 | FF15 88FD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB1 | E9 F3010000 | JMP camerabag pro.7FF747D1ED10 |
00007FF747D1EB1 | 83FB 06 | CMP EBX,0x6 |
00007FF747D1EB2 | 75 16 | JNE camerabag pro.7FF747D1EB38 |
00007FF747D1EB2 | 48:8D15 E733A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749731F10]:"This code is only valid for a previous version of this software. Please upgrade your license using the button below in order to use this version."
00007FF747D1EB2 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EB2 | FF15 6DFD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB3 | E9 D8010000 | JMP camerabag pro.7FF747D1ED10 |
00007FF747D1EB3 | 83FB 03 | CMP EBX,0x3 |
00007FF747D1EB3 | 75 16 | JNE camerabag pro.7FF747D1EB53 |
00007FF747D1EB3 | 48:8D15 2C36A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749732170]:"Unable to validate registration. Please make sure your computer is connected to the internet. If the problem persists please contact us at support@nevercenter.com"
00007FF747D1EB4 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+0x38] |
00007FF747D1EB4 | FF15 52FD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB4 | E9 BD010000 | JMP camerabag pro.7FF747D1ED10 |
00007FF747D1EB5 | 83FB 04 | CMP EBX,0x4 |
00007FF747D1EB5 | 0F85 B4010000 | JNE camerabag pro.7FF747D1ED10 |
00007FF747D1EB5 | 48:8D15 0DA23B00 | LEA RDX,QWORD PTR DS:[0x7FF7480D |
00007FF747D1EB6 | 48:8D8F 90000000 | LEA RCX,QWORD PTR DS:[RDI+0x90] |
00007FF747D1EB6 | FF15 30FD2F00 | CALL QWORD PTR DS:[<public: clas |
00007FF747D1EB7 | 48:8D15 A936A101 | LEA RDX,QWORD PTR DS:[0x7FF74973 | ds:[00007FF749732220]:"Invalid registration code. Please try again - copy and paste the code from your registration email to ensure accuracy. If the problem persists please contact us at support@nevercenter.com"
Analysing upward, we see "Registration successful! Enjoy!", which is clearly the registration-success message. The line above it is a JNE; as long as that jump is not taken, the success message appears. Above that is the comparison CMP EBX,0x2. Together these two lines mean: as long as EBX=2, the JNE does not jump. Next we continue upward to see where EBX is assigned, and quickly find MOV EBX,DWORD PTR DS:[RAX+0xF0]. In other words, changing this instruction to MOV EBX,2 is enough (this can be treated as crack point 1).
Step 3: Still in this same code segment, above "CMP EBX,0x2" there are two more JE/CMP pairs. The key one is the topmost, "CMP BYTE PTR DS:[RDI+0xEC],0x0": when the value at DS:[RDI+0xEC] is 1, the JE below it is not taken. So we right-click on it, choose Find references -> Constant, and look for the places that store 0 to DS:[XXX+0xEC]. There are three:
00007FF747D1DE07 mov byte ptr ds:[rcx+EC],0
00007FF747D1E1AF mov byte ptr ds:[rcx+EC],0
00007FF747D1E270 mov byte ptr ds:[rcx+EC],0
Change the stored 0 to 1 at all three places (this can be treated as crack point 2).
Step 4: After doing the above, run the patched program. Click "Dismiss" on the startup screen and the program terminates, so there is evidently another key location. Starting the analysis again, trace downward from 00007FF6B8C2DE0 MOV BYTE PTR DS:[RCX+0xEC],0x0 and we find a call to the exit function, 00007FF6B8C2DE3 CALL QWORD PTR DS:[<exit>]. Above it is a JE, and above that the comparison 00007FF6B8C2DE2 CMP BYTE PTR DS:[RCX+0x9C],0x0. Clearly, as long as DS:[RCX+0x9C]=0 the JE is taken, so right-click on this CMP, choose Find references -> Constant, and look for the instructions that store 1 to DS:[XXX+0x9C]. There are four:
MOV BYTE PTR DS:[RCX+0x9C],0x1
MOV BYTE PTR DS:[RAX+0x9C],0x1
MOV BYTE PTR DS:[RBX+0x9C],0x1
MOV DWORD PTR DS:[RAX+0x9C],0x1
Stepping through the analysis, MOV BYTE PTR DS:[RAX+0x9C],0x1 is the one we want; change the stored value to 0 here (treated as crack point 3). Anyone interested can try each one in turn and it will become clear.