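No filler, straight to the point!
Take this one, for example: http://download.jgsoft.com/magic/SetupRegexMagicDemo.exe
It seems the official release comes in both 32-bit and 64-bit builds.
It looks like the new version is 64-bit only.
This software is an evaluation version. When you download it, the website asks for your email address, and you only get an activation code after paying; otherwise filling it in is pointless!
Because it is 64-bit, it can only be debugged with x64dbg; OD is of no use here.
I am using it in order to localize it into Chinese.
Stage 1: remove the self-check
The usual F12 pause-and-inspect-the-stack method sometimes shows register addresses and sometimes shows nothing at all. x64dbg really is not very stable; newcomers can try this one for practice.
Stage 2: this thing pops up on every launch. Annoying, annoying, annoying!
You can use the method above, but it comes down to luck and is hard to hit.
In Resource Hacker, modify "Dear X"; the name can be anything (there are many identical occurrences).
Compare in CompDisam and you will get an address like the one below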
011FA814: 696F6E06174672 imul ebp, dword ptr [rdi+6Eh], 72461706h
In x64dbg, press Ctrl+G and paste it in!
In older versions, it is known that:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\JGsoft\RegexMagic2]
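Key is the form in which the key file is stored.
The resource structure in the Demo version is different: you will find demo-type resources that the licensed version does not have.
Also, registry and file breakpoints do get hit, but there is nothing useful there.
Searching for the strings "license to", "Trial" and "Free Evaluation" turns up nothing,
while strings like "buy evaluation key" do lead to something,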
000007FEFCDD9E48 | 90 | nop |
000007FEFCDD9B50 | 48 89 5C 24 20 | mov qword ptr ss:[rsp+20],rbx | CheckTokenMembership: this line is very important! It checks whether you are a member
checktokenmembership
0000000076C30B1C | 0F 84 33 01 00 00 | je kernel32.76C30C55 |
0000000076C30B22 | 48 8D 15 D7 78 05 00 | lea rdx,qword ptr ds:[76C88400] | 76C88400:"CheckTokenMembership"
0000000076C30B29 | 48 8B C8 | mov rcx,rax |
0000000076C30B2C | E8 F7 2A FC FF | call <kernel32.GetProcAddress> |
0000000076C30B31 | 48 8B F0 | mov rsi,rax |
0000000076C30B34 | 48 3B C5 | cmp rax,rbp |
0000000076C30B37 | 0F 84 0C 01 00 00 | je kernel32.76C30C49 |
0000000076C30B3D | 48 8D 44 24 60 | lea rax,qword ptr ss:[rsp+60] |
0000000076C30B42 | 44 8D 45 20 | lea r8d,dword ptr ss:[rbp+20] |
0000000076C30B46 | 48 8D 4C 24 6C | lea rcx,qword ptr ss:[rsp+6C] |
0000000076C30B4B | 48 89 44 24 50 | mov qword ptr ss:[rsp+50],rax |
0000000076C30B50 | 89 6C 24 48 | mov dword ptr ss:[rsp+48],ebp |
0000000076C30B54 | 89 6C 24 40 | mov dword ptr ss:[rsp+40],ebp |
0000000076C30B58 | 89 6C 24 38 | mov dword ptr ss:[rsp+38],ebp |
0000000076C30B5C | 89 6C 24 30 | mov dword ptr ss:[rsp+30],ebp |
0000000076C30B60 | 41 B9 20 02 00 00 | mov r9d,220 |
0000000076C30B66 | B2 02 | mov dl,2 |
0000000076C30B68 | 89 6C 24 28 | mov dword ptr ss:[rsp+28],ebp |
0000000076C30B6C | 89 6C 24 20 | mov dword ptr ss:[rsp+20],ebp |
0000000076C30B70 | FF 15 C2 B9 03 00 | call qword ptr ds:[<&RtlAllocateAndInit |
0000000076C30B76 | 3B C5 | cmp eax,ebp |
0000000076C30B78 | 7C 2C | jl kernel32.76C30BA6 |
0000000076C30B7A | 48 8B 54 24 60 | mov rdx,qword ptr ss:[rsp+60] |
0000000076C30B7F | 4C 8D 44 24 68 | lea r8,qword ptr ss:[rsp+68] |
0000000076C30B84 | 33 C9 | xor ecx,ecx |
0000000076C30B86 | FF D6 | call rsi |
0000000076C30B88 | 3B C5 | cmp eax,ebp |
0000000076C30B8A | 74 2A | je kernel32.76C30BB6 |
0000000076C30B8C | 39 6C 24 68 | cmp dword ptr ss:[rsp+68],ebp |
0000000076C30B90 | 74 0D | je kernel32.76C30B9F |
0000000076C30B92 | 33 C9 | xor ecx,ecx |
0000000076C30B94 | FF 15 26 C1 03 00 | call qword ptr ds:[<&RtlSetLastWin32Err |
0000000076C30B9A | 8D 5D 01 | lea ebx,dword ptr ss:[rbp+1] |
0000000076C30B9D | EB 19 | jmp kernel32.76C30BB8 |
0000000076C30B9F | B9 05 00 00 00 | mov ecx,5 |
0000000076C30BA4 | EB 0A | jmp kernel32.76C30BB0 |
0000000076C30BA6 | 8B C8 | mov ecx,eax |
0000000076C30BA8 | FF 15 52 C0 03 00 | call qword ptr ds:[<&RtlNtStatusToDosEr |
0000000076C30BAE | 8B C8 | mov ecx,eax |
0000000076C30BB0 | FF 15 0A C1 03 00 | call qword ptr ds:[<&RtlSetLastWin32Err |
0000000076C30BB6 | 8B DD | mov ebx,ebp |
0000000076C30BB8 | 48 8B 4C 24 60 | mov rcx,qword ptr ss:[rsp+60] |
0000000076C30BBD | 48 3B CD | cmp rcx,rbp |
0000000076C30BC0 | 74 0B | je kernel32.76C30BCD |
0000000076C30BC2 | FF 15 68 B9 03 00 | call qword ptr ds:[<&RtlFreeSid>] |
0000000076C30BC8 | 48 89 6C 24 60 | mov qword ptr ss:[rsp+60],rbp |
0000000076C30BCD | 3B DD | cmp ebx,ebp |
0000000076C30BCF | 75 7A | jne kernel32.76C30C4B |
0000000076C30BD1 | 48 8D 44 24 60 | lea rax,qword ptr ss:[rsp+60] |
0000000076C30BD6 | 45 33 C9 | xor r9d,r9d |
0000000076C30BD9 | 48 8D 4C 24 6C | lea rcx,qword ptr ss:[rsp+6C] |
0000000076C30BDE | 48 89 44 24 50 | mov qword ptr ss:[rsp+50],rax |
0000000076C30BE3 | 89 6C 24 48 | mov dword ptr ss:[rsp+48],ebp |
0000000076C30BE7 | 89 6C 24 40 | mov dword ptr ss:[rsp+40],ebp |
0000000076C30BEB | 89 6C 24 38 | mov dword ptr ss:[rsp+38],ebp |
0000000076C30BEF | 89 6C 24 30 | mov dword ptr ss:[rsp+30],ebp |
0000000076C30BF3 | 45 8D 41 12 | lea r8d,dword ptr ds:[r9+12] |
0000000076C30BF7 | B2 01 | mov dl,1 |
0000000076C30BF9 | 89 6C 24 28 | mov dword ptr ss:[rsp+28],ebp |
0000000076C30BFD | 89 6C 24 20 | mov dword ptr ss:[rsp+20],ebp |
0000000076C30C01 | FF 15 31 B9 03 00 | call qword ptr ds:[<&RtlAllocateAndInit |
0000000076C30C07 | 3B C5 | cmp eax,ebp |
0000000076C30C09 | 7C 2E | jl kernel32.76C30C39 |
0000000076C30C0B | 48 8B 54 24 60 | mov rdx,qword ptr ss:[rsp+60] |
0000000076C30C10 | 4C 8D 44 24 68 | lea r8,qword ptr ss:[rsp+68] |
0000000076C30C15 | 33 C9 | xor ecx,ecx |
0000000076C30C17 | FF D6 | call rsi |
0000000076C30C19 | 3B C5 | cmp eax,ebp |
0000000076C30C1B | 74 2C | je kernel32.76C30C49 |
0000000076C30C1D | 39 6C 24 68 | cmp dword ptr ss:[rsp+68],ebp |
0000000076C30C21 | 74 0F | je kernel32.76C30C32 |
0000000076C30C23 | 33 C9 | xor ecx,ecx |
0000000076C30C25 | FF 15 95 C0 03 00 | call qword ptr ds:[<&RtlSetLastWin32Err |
0000000076C30C2B | BB 01 00 00 00 | mov ebx,1 |
0000000076C30C30 | EB 19 | jmp kernel32.76C30C4B |
0000000076C30C32 | B9 05 00 00 00 | mov ecx,5 |
0000000076C30C37 | EB 0A | jmp kernel32.76C30C43 |
0000000076C30C39 | 8B C8 | mov ecx,eax |
0000000076C30C3B | FF 15 BF BF 03 00 | call qword ptr ds:[<&RtlNtStatusToDosEr |
0000000076C30C41 | 8B C8 | mov ecx,eax |
0000000076C30C43 | FF 15 77 C0 03 00 | call qword ptr ds:[<&RtlSetLastWin32Err |
0000000076C30C49 | 8B DD | mov ebx,ebp |
0000000076C30C4B | 48 8B CF | mov rcx,rdi |
0000000076C30C4E | E8 D5 59 FB FF | call <kernel32.FreeLibrary> |
0000000076C30C53 | EB 02 | jmp kernel32.76C30C57 |
0000000076C30C55 | 8B DD | mov ebx,ebp |
When clicking About:
0000000000D98ABF | 48 8D 05 52 03 00 00 | lea rax,qword ptr ds:[D98E18] | D98E18:L"2.5.0"
0000000000D98AC6 | 48 89 45 68 | mov qword ptr ss:[rbp+68],rax |
0000000000D98ACA | C6 45 70 11 | mov byte ptr ss:[rbp+70],11 |
0000000000D98ACE | 48 8D 4D 60 | lea rcx,qword ptr ss:[rbp+60] |
0000000000D98AD2 | E8 79 66 8B FF | call crack 3.64F150 |
0000000000D98AD7 | 48 8B 45 60 | mov rax,qword ptr ss:[rbp+60] |
0000000000D98ADB | 48 89 45 78 | mov qword ptr ss:[rbp+78],rax |
0000000000D98ADF | C6 85 80 00 00 00 11 | mov byte ptr ss:[rbp+80],11 |
0000000076AF724F | E8 2C 2C FF FF | call <user32.IsDialogMessageW> |
0000000076AF7254 | 41 3B C7 | cmp eax,r15d |
0000000076AF7257 | 75 16 | jne user32.76AF726F |
0000000076AF7259 | 48 8D 4C 24 30 | lea rcx,qword ptr ss:[rsp+30] |
0000000076AF725E | E8 AD 4A FF FF | call <user32.TranslateMessage> |
mov rbx, qword ptr [rsp + 0x20]
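The first two spots can both be dealt with. As for the "registered to" name, it seems that can only be faked for display, because the demo version does not appear to have anywhere to enter it.
Also, the x64dbg author is very responsive about fixing bugs and answering email feedback; the suggestions I sent several times were all implemented. A real good Samaritan. It is just that a widescreen monitor is still not wide enough!
These are just a few notes and not well written; I did not keep much of a debugging record, so this is only a rough outline.
I tested it in several virtual machines and it behaved normally. Anyone who needs [Point-and-Click Generation: Regex Magician] can contact me.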