This post was last edited by 冥界3大法王 on 2015-11-5 11:50.
The software lives here: http://www.ashampoo.com/cn/rmb/fdl , its home base.
This is the second 64-bit program I have cracked with x64dbg. The first one to walk into my line of fire was HyperSnap - DX (damn domestic distributor, what? you made this? The foreign company had it 16 years ago, where were you back then?).
Step 1: check for a packer.
Like this. Don't trust it for a second: drag it into OD and you'll find it won't run, saying "not a valid 32-bit PE".
On day one I gave up, thinking the exe might be launching another exe inside it.
On day two, not giving up, I dragged it into x64dbg to see what would happen. It really is 64-bit.
Once you get into the main window this thing pops up: trial version, you know.
I'm used to OD; this x64dbg really does not feel natural, super awkward to use.
So out of habit I pressed F12 to pause and then Alt+K. Only two lines in the call stack. Put F2 breakpoints on them, and guess the result? What? No effect at all.
A string search for "license" found a few lines; F2 on those too and it still wouldn't break. So I looked a few lines further up, found a loop, and once it broke there I landed at the place below.
Double-click to write a comment and... what? What's up? What's going on? What happened? Damn, the comments come out as garbage. Dizzy, super dizzy, so I'll just write the comments in English.
000000013F67F64 | E8 31 68 05 00 | call cutout.13F6D5E80 |
000000013F67F64 | 4C 8D 0D CA F3 3C 00 | lea r9,qword ptr ds:[13FA4EA20] | ;13FA4EA20:L"menuicon.png"
000000013F67F65 | 4C 8D 05 07 A2 49 00 | lea r8,qword ptr ds:[13FB19864] | ;13FB19864:L"D:\\Program Files (x86)\\Franzis\\Cut Out 4\\"
000000013F67F65 | 48 8D 15 34 4D 3D 00 | lea rdx,qword ptr ds:[13FA54398] | ;13FA54398:L"%sskin\\%s"
000000013F67F66 | 48 8D 0D 4D AA 49 00 | lea rcx,qword ptr ds:[13FB1A0B8] | ;13FB1A0B8:L"D:\\Program Files (x86)\\Franzis\\Cut Out 4\\skin\\folderthumb.png"
000000013F67F66 | FF 15 2F 6A 34 00 | call qword ptr ds:[<&wsprintfW>] |
000000013F67F67 | 48 8D 15 40 AA 49 00 | lea rdx,qword ptr ds:[13FB1A0B8] | ;13FB1A0B8:L"D:\\Program Files (x86)\\Franzis\\Cut Out 4\\skin\\folderthumb.png"
000000013F67F67 | 48 8D 0D 69 57 49 00 | lea rcx,qword ptr ds:[13FB14DE8] |
000000013F67F67 | 41 B8 10 00 00 00 | mov r8d,10 |
000000013F67F68 | E8 F6 5F 05 00 | call cutout.13F6D5680 | =====> lets you go to the reg NAG. (F7)
The copied-out code all looks this ugly; it's awkward to read. Bear with it, everyone, as long as it's usable.
--------------------------------------------------------------------------------------------------------------------------------------------
After F7, we are here!
000000013F0E463 | 0F 84 25 01 00 00 | je cutout.13F0E4765 | ; see here, forcing the jump seems to get past it (after clearing the checks one by one and trying patches, I found changing this one is all it takes)
000000013F0E464 | 48 8B 0D 79 D6 42 00 | mov rcx,qword ptr ds:[13F511CC0] |
000000013F0E464 | 48 8B D3 | mov rdx,rbx |
000000013F0E464 | E8 B1 6E 00 00 | call cutout.13F0EB500 |
000000013F0E464 | 48 8B 0D 6A D6 42 00 | mov rcx,qword ptr ds:[13F511CC0] |
000000013F0E465 | FF 05 B0 88 3F 00 | inc dword ptr ds:[13F4DCF0C] |
000000013F0E465 | 44 8D 47 1B | lea r8d,dword ptr ds:[rdi+1B] |
000000013F0E466 | 45 33 C9 | xor r9d,r9d |
000000013F0E466 | 48 8B D3 | mov rdx,rbx |
000000013F0E466 | 89 7C 24 28 | mov dword ptr ss:[rsp+28],edi |
000000013F0E466 | E8 41 7B 00 00 | call cutout.13F0EC1B0 |
000000013F0E466 | 48 8B 03 | mov rax,qword ptr ds:[rbx] |
000000013F0E467 | 48 8B CB | mov rcx,rbx |
000000013F0E467 | FF 90 00 01 00 00 | call qword ptr ds:[rax+100] |
000000013F0E467 | 39 3D 87 88 3F 00 | cmp dword ptr ds:[13F4DCF08],edi |
000000013F0E468 | 74 23 | je cutout.13F0E46A6 |
000000013F0E468 | C7 83 F8 00 00 00 01 00 | mov dword ptr ds:[rbx+F8],1 |
000000013F0E468 | FF 15 8D 11 2E 00 | call qword ptr ds:[<&GetTickCount>] |
000000013F0E469 | 89 83 F0 00 00 00 | mov dword ptr ds:[rbx+F0],eax |
000000013F0E469 | 05 F4 01 00 00 | add eax,1F4 |
000000013F0E469 | 89 83 F4 00 00 00 | mov dword ptr ds:[rbx+F4],eax |
000000013F0E46A | EB 17 | jmp cutout.13F0E46BD |
000000013F0E46A | 89 BB F8 00 00 00 | mov dword ptr ds:[rbx+F8],edi |
000000013F0E46A | C7 83 E0 00 00 00 FF 00 | mov dword ptr ds:[rbx+E0],FF |
000000013F0E46B | C7 43 6C 01 00 00 00 | mov dword ptr ds:[rbx+6C],1 |
000000013F0E46B | 89 BB 70 06 00 00 | mov dword ptr ds:[rbx+670],edi |
000000013F0E46C | 48 8D 4C 24 40 | lea rcx,qword ptr ss:[rsp+40] |
000000013F0E46C | 45 33 C9 | xor r9d,r9d |
000000013F0E46C | 45 33 C0 | xor r8d,r8d |
000000013F0E46C | 33 D2 | xor edx,edx |
000000013F0E46D | FF 15 12 18 2E 00 | call qword ptr ds:[<&GetMessageW>] |
000000013F0E46D | 85 C0 | test eax,eax |
000000013F0E46D | 7E 50 | jle cutout.13F0E472A | ; see here, forcing the jump seems to get past it
000000013F0E46D | 8B 44 24 48 | mov eax,dword ptr ss:[rsp+48] |
000000013F0E46D | 4C 8B 0D DB D5 42 00 | mov r9,qword ptr ds:[13F511CC0] |
000000013F0E46E | 05 00 FF FF FF | add eax,FFFFFF00 |
000000013F0E46E | A9 FD FF FF FF | test eax,FFFFFFFD |
000000013F0E46E | 75 13 | jnz cutout.13F0E4704 |
000000013F0E46F | 48 8B 44 24 40 | mov rax,qword ptr ss:[rsp+40] |
000000013F0E46F | 49 3B 41 40 | cmp rax,qword ptr ds:[r9+40] |
000000013F0E46F | 49 0F 45 41 40 | cmovne rax,qword ptr ds:[r9+40] |
000000013F0E46F | 48 89 44 24 40 | mov qword ptr ss:[rsp+40],rax |
000000013F0E470 | 39 BB 70 06 00 00 | cmp dword ptr ds:[rbx+670],edi |
000000013F0E470 | 75 2D | jnz cutout.13F0E4739 | ; only jumping here, tried it, no good~~~
000000013F0E470 | 48 8D 4C 24 40 | lea rcx,qword ptr ss:[rsp+40] |
000000013F0E471 | FF 15 C9 17 2E 00 | call qword ptr ds:[<&TranslateMessage>] |
000000013F0E471 | 48 8D 4C 24 40 | lea rcx,qword ptr ss:[rsp+40] |
000000013F0E471 | FF 15 B6 17 2E 00 | call qword ptr ds:[<&DispatchMessageW>] | ; the nag asking you to register... you know~~
000000013F0E472 | 39 BB 70 06 00 00 | cmp dword ptr ds:[rbx+670],edi |
000000013F0E472 | 75 08 | jnz cutout.13F0E4732 |
000000013F0E472 | 39 BB 70 06 00 00 | cmp dword ptr ds:[rbx+670],edi |
000000013F0E473 | 74 91 | je cutout.13F0E46C3 |
000000013F0E473 | 4C 8B 0D 87 D5 42 00 | mov r9,qword ptr ds:[13F511CC0] |
000000013F0E473 | 39 BB 14 01 00 00 | cmp dword ptr ds:[rbx+114],edi |
000000013F0E473 | 74 24 | je cutout.13F0E4765 |
000000013F0E474 | 39 3D C1 87 3F 00 | cmp dword ptr ds:[13F4DCF08],edi |
000000013F0E474 | 74 1C | je cutout.13F0E4765 |
000000013F0E474 | 0F 10 83 CC 00 00 00 | movups xmm0,dqword ptr ds:[rbx+CC] |
000000013F0E475 | 48 8D 54 24 30 | lea rdx,qword ptr ss:[rsp+30] |
000000013F0E475 | 45 33 C0 | xor r8d,r8d |
000000013F0E475 | 49 8B C9 | mov rcx,r9 |
000000013F0E475 | 0F 29 44 24 30 | movaps dqword ptr ss:[rsp+30],xmm0 |
000000013F0E476 | E8 DB 64 00 00 | call cutout.13F0EAC40 |
000000013F0E476 | B9 64 00 00 00 | mov ecx,64 |
000000013F0E476 | FF 15 F8 11 2E 00 | call qword ptr ds:[<&Sleep>] |
OK, I'm off~~
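An added example, not from the post above: a small standard-library Python script that does on disk what the post does in the debugger, turning the `je` at the nag check into an unconditional jump. The PE image it builds is a constructed stand-in for cutout.exe (its ImageBase, section layout and the RVAs 0x1030/0x1040 are assumptions); the je bytes placed in it are the two encodings visible in the listing, `0F 84 rel32` and `74 rel8`, and the script handles both. Because x64dbg shows run-time addresses, pass the module base it reports when ASLR has relocated the image, otherwise the header's ImageBase is used.

```python
"""Added example: force the nag-check `je` to be taken, patched on disk.

Not code from the original post.  build_test_pe() makes a constructed PE32+
stand-in for cutout.exe; only its je bytes come from the post's listing.
"""
import struct

PE32PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B
JE_REL32 = b"\x0f\x84"
JE_REL8, JMP_REL8, JMP_REL32, NOP = 0x74, 0xEB, 0xE9, 0x90


def pe_va_to_file_offset(image: bytes, va: int, module_base: int = 0) -> int:
    """Map a VA shown by the debugger to a raw file offset via the section table.

    module_base: the base x64dbg reports at run time; pass it when ASLR has
    relocated the module, otherwise the header's ImageBase is used.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", image, opt + 24)
    elif magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", image, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    rva = va - (module_base or image_base)
    for i in range(num_sections):
        entry = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, entry + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            if rva - vaddr >= raw_size:
                raise ValueError("VA is in the virtual-only part of the section")
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")


def branch_target(image: bytes, off: int, va: int) -> int:
    """Decode the je/jmp at file offset `off` (VA `va`) and return its target VA."""
    b0, b1 = image[off], image[off + 1]
    if image[off:off + 2] == JE_REL32 or (b0 == NOP and b1 == JMP_REL32):
        return va + 6 + struct.unpack_from("<i", image, off + 2)[0]   # 6-byte forms
    if b0 == JMP_REL32:
        return va + 5 + struct.unpack_from("<i", image, off + 1)[0]
    if b0 in (JE_REL8, JMP_REL8):
        return va + 2 + struct.unpack_from("<b", image, off + 1)[0]
    raise ValueError(f"no je/jmp at {va:#x}: {image[off:off + 2].hex()}")


def force_jump(image: bytes, va: int, module_base: int = 0) -> bytes:
    """Return a copy of `image` with the je at `va` made unconditional.

    0F 84 rel32 -> 90 E9 rel32: the jmp starts one byte later, so its
    next-instruction address equals the je's and rel32 is kept as is.
    74 rel8 -> EB rel8: same length, displacement unchanged.
    """
    off = pe_va_to_file_offset(image, va, module_base)
    out = bytearray(image)
    if image[off:off + 2] == JE_REL32:
        out[off:off + 2] = bytes([NOP, JMP_REL32])
    elif image[off] == JE_REL8:
        out[off] = JMP_REL8
    else:
        raise ValueError(f"bytes at {va:#x} are not a je: {image[off:off + 2].hex()}")
    return bytes(out)


def build_test_pe() -> tuple:
    """Constructed minimal PE32+ with one .text section; returns (bytes, ImageBase)."""
    image_base = 0x13F0E0000                      # assumed; mirrors the post's 13F0Exxxx range
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, PE32PLUS_MAGIC)
    struct.pack_into("<Q", hdr, opt + 24, image_base)
    sec = opt + 240
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, 0x1000, 0x200, 0x200)   # VSize, VA, RawSize, RawPtr
    text = bytearray(b"\xcc" * 0x200)
    text[0x30:0x36] = b"\x0f\x84\x25\x01\x00\x00"  # je rel32, bytes from the post's listing
    text[0x40:0x42] = b"\x74\x23"                  # je rel8, bytes from the post's listing
    return bytes(hdr + text), image_base


if __name__ == "__main__":
    pe, base = build_test_pe()
    for va in (base + 0x1030, base + 0x1040):
        off = pe_va_to_file_offset(pe, va)
        patched = force_jump(pe, va)
        print(f"{va:#x} -> file {off:#x}: {pe[off:off + 6].hex()} => {patched[off:off + 6].hex()},"
              f" target {branch_target(patched, off, va):#x}")
```

On a real file you would read the exe into `image`, call `force_jump` with the VA and module base x64dbg shows, and write the result to a new file; `branch_target` before and after confirms the destination did not move. This only works on the bytes actually on disk, so if step 1 had shown a packer the patch would have to be applied to the unpacked image instead.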