winrar每次运行都会弹出广告窗口,并且主窗口标题栏会有许可到期时间的提醒,爆破的目的是去掉这两项。
Winrar解压缩软件32位(5.71)版本下载地址:
http://www.winrar.com.cn/download/wrar571scp.exe
64位下载地址:
http://www.winrar.com.cn/download/winrar-x64-571scp.exe
所需工具: OllyDbg 吾爱破解版、Binary Ninja（demo 版即可）。注意：这两个工具和上面的 WinRAR 安装包都来自第三方站点且走的是明文 http 下载，下载后应先核对官方公布的哈希或数字签名再运行；整个调试、打补丁过程建议放在一次性虚拟机里做（后文堆栈里出现的 C:\Users\IEUser 路径看起来就是微软 IE 测试虚拟机的默认账户）。
https://down.52pojie.cn/Tools/Debuggers/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E4%B8%93%E7%94%A8%E7%89%88Ollydbg.rar
https://cdn.binary.ninja/installers/BinaryNinja-demo.exe
本文参考了飘云上一位牛人的文章:https://www.chinapyg.com/forum.php?mod=viewthread&tid=125493&highlight=winrar
该方法非常理想,所以借鉴了一下,适合我这种菜菜来练习动手能力。
使用OD加载winrar,如图:
按 F9 键运行 winrar，直到主窗口和广告窗口都弹出后，按 F12 暂停程序。此时点击 OD 上方的“K”按钮或按 Alt+K 打开调用堆栈窗口，查看广告窗口弹出之前的函数调用情况，得到如下图所示：
这一步要注意：必须等广告窗口已经正常弹出、屏幕上没有其他提示框时再暂停程序查看堆栈，否则堆栈里看到的是别的流程。例如调试时遇到下图这种情况就不能在此时暂停：
下图只在我们正常看到广告页时才会到这一步。
右击最后一条调用如图所示,选择“显示调用”命令。
得到如下图的调用位置:
直接在该位置点击回车键或者F7步进调试,我们会得到下面的汇编代码段,这段内容包含我们想破解的两处,即去广告和去标题的许可过期提示,看代码注释就可以判断了。
00AE1520 $ 55 push ebp
00AE1521 . 8DAC24 E8CFFF>lea ebp,dword ptr ss:[esp-0x3018]
00AE1528 . B8 18300000 mov eax,0x3018
00AE152D . E8 9E3F0100 call WinRAR.00AF54D0
00AE1532 . 6A FF push -0x1
00AE1534 . 68 5832B100 push WinRAR.00B13258
00AE1539 . 64:A1 0000000>mov eax,dword ptr fs:[0]
00AE153F . 50 push eax
00AE1540 . 83EC 14 sub esp,0x14
00AE1543 . A1 341BB300 mov eax,dword ptr ds:[0xB31B34]
00AE1548 . 33C5 xor eax,ebp
00AE154A . 8985 14300000 mov dword ptr ss:[ebp+0x3014],eax
00AE1550 . 53 push ebx
00AE1551 . 56 push esi
00AE1552 . 57 push edi
00AE1553 . 50 push eax
00AE1554 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00AE1557 . 64:A3 0000000>mov dword ptr fs:[0],eax
00AE155D . 8965 F0 mov dword ptr ss:[ebp-0x10],esp
00AE1560 . 8BB5 20300000 mov esi,dword ptr ss:[ebp+0x3020]
00AE1566 . 6A 01 push 0x1
00AE1568 . E8 531EFBFF call WinRAR.00A933C0
00AE156D . 68 05800000 push 0x8005 ; /ErrorMode = SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX
00AE1572 . FF15 0442B100 call dword ptr ds:[<&KERNEL32.SetErrorMo>; \SetErrorMode
00AE1578 . B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE157D . E8 DED3F7FF call WinRAR.00A5E960
00AE1582 . C605 D592B300>mov byte ptr ds:[0xB392D5],0x0
00AE1589 . C705 F0A2B300>mov dword ptr ds:[0xB3A2F0],0x0
00AE1593 . FF15 F441B100 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentThreadId
00AE1599 . A3 F4A2B300 mov dword ptr ds:[0xB3A2F4],eax
00AE159E . 6A 00 push 0x0 ; /EventName = NULL
00AE15A0 . 6A 00 push 0x0 ; |InitiallySignaled = FALSE
00AE15A2 . 6A 01 push 0x1 ; |ManualReset = TRUE
00AE15A4 . 6A 00 push 0x0 ; |pSecurity = NULL
00AE15A6 . FF15 6841B100 call dword ptr ds:[<&KERNEL32.CreateEven>; \CreateEventW
00AE15AC . A3 F8A2B300 mov dword ptr ds:[0xB3A2F8],eax
00AE15B1 . 68 04DEB100 push WinRAR.00B1DE04 ; /MsgName = "WMUser_DisplayError"
00AE15B6 . FF15 7445B100 call dword ptr ds:[<&USER32.RegisterWind>; \RegisterWindowMessageW
00AE15BC . A3 20A3B300 mov dword ptr ds:[0xB3A320],eax
00AE15C1 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General"
00AE15C6 . E8 C504FCFF call WinRAR.00AA1A90
00AE15CB . 84C0 test al,al
00AE15CD . 0f94c3 sete bl
00AE15D0 . 885D EF mov byte ptr ss:[ebp-0x11],bl
00AE15D3 . 6A 01 push 0x1
00AE15D5 . 68 00080000 push 0x800
00AE15DA . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE15E0 . 50 push eax
00AE15E1 . E8 EAA3F9FF call WinRAR.00A7B9D0
00AE15E6 . 68 00080000 push 0x800
00AE15EB . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE15F1 . 50 push eax
00AE15F2 . E8 1993F9FF call WinRAR.00A7A910
00AE15F7 . 68 00080000 push 0x800
00AE15FC . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE1602 . 50 push eax
00AE1603 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE1608 . E8 4312FBFF call WinRAR.00A92850
00AE160D . 68 00080000 push 0x800
00AE1612 . 68 CC89B100 push WinRAR.00B189CC ; UNICODE "rar.log"
00AE1617 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE161C . E8 EF11FBFF call WinRAR.00A92810
00AE1621 . 6A 00 push 0x0
00AE1623 . 56 push esi
00AE1624 . B9 08F0B600 mov ecx,WinRAR.00B6F008
00AE1629 . E8 12AEFAFF call WinRAR.00A8C440
00AE162E . 68 2CDEB100 push WinRAR.00B1DE2C ; UNICODE "winrar.lng"
00AE1633 . B9 0CF0B600 mov ecx,WinRAR.00B6F00C
00AE1638 . E8 639FFAFF call WinRAR.00A8B5A0
00AE163D . 56 push esi
00AE163E . E8 ADDBFFFF call WinRAR.00ADF1F0
00AE1643 . 85C0 test eax,eax
00AE1645 . 0F84 66060000 je WinRAR.00AE1CB1
00AE164B . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00AE164E . E8 AD11FFFF call WinRAR.00AD2800
00AE1653 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00AE165A . 8935 04F0B600 mov dword ptr ds:[0xB6F004],esi
00AE1660 . B9 F0B5B500 mov ecx,WinRAR.00B5B5F0
00AE1665 . E8 8643F2FF call WinRAR.00A059F0
00AE166A . E8 6137FEFF call WinRAR.00AC4DD0
00AE166F . E8 4CEAFDFF call WinRAR.00AC00C0
00AE1674 . E8 07FBFFFF call WinRAR.00AE1180
00AE1679 . 68 44DEB100 push WinRAR.00B1DE44 ; /MutexName = "WinRAR_Busy"
00AE167E . 6A 00 push 0x0 ; |InitialOwner = FALSE
00AE1680 . 6A 00 push 0x0 ; |pSecurity = NULL
00AE1682 . FF15 5C43B100 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexW
00AE1688 . A3 D092B300 mov dword ptr ds:[0xB392D0],eax
00AE168D . 6A 00 push 0x0 ; /Title = NULL
00AE168F . 68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow"
00AE1694 . FF15 8C45B100 call dword ptr ds:[<&USER32.FindWindowW>>; \FindWindowW
00AE169A . 8BF8 mov edi,eax
00AE169C . 897D E8 mov dword ptr ss:[ebp-0x18],edi
00AE169F 6A 00 push 0x0 ; /lParam = NULL
00AE16A1 56 push esi ; |hInst = 00DBCB64
00AE16A2 6A 00 push 0x0 ; |hMenu = NULL
00AE16A4 6A 00 push 0x0 ; |hParent = NULL
00AE16A6 68 00000080 push 0x80000000 ; |Height = 80000000 (-2147483648.)
00AE16AB 68 00000080 push 0x80000000 ; |Width = 80000000 (-2147483648.)
00AE16B0 68 00000080 push 0x80000000 ; |Y = 80000000 (-2147483648.)
00AE16B5 68 00000080 push 0x80000000 ; |X = 80000000 (-2147483648.)
00AE16BA 68 0000CF06 push 0x6CF0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_CLIPSIBLINGS|WS_CLIPCHILDREN|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION
00AE16BF 68 6C71B100 push WinRAR.00B1716C ; |WindowName = "WinRAR"
00AE16C4 68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow"
00AE16C9 6A 10 push 0x10 ; |ExtStyle = WS_EX_ACCEPTFILES
00AE16CB FF15 A045B100 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
00AE16D1 . A3 AC81B300 mov dword ptr ds:[0xB381AC],eax
00AE16D6 . 85C0 test eax,eax
00AE16D8 . 0F84 C4050000 je WinRAR.00AE1CA2
00AE16DE . 50 push eax
00AE16DF . B9 0CF0B600 mov ecx,WinRAR.00B6F00C
00AE16E4 . E8 F7A6FAFF call WinRAR.00A8BDE0
00AE16E9 . 6A 00 push 0x0
00AE16EB . E8 60DAFFFF call WinRAR.00ADF150
00AE16F0 . E8 8BF8FFFF call WinRAR.00AE0F80
00AE16F5 . 84DB test bl,bl
00AE16F7 . 74 1A je short WinRAR.00AE1713
00AE16F9 . E8 D22EFCFF call WinRAR.00AA45D0
00AE16FE . 84C0 test al,al
00AE1700 . 75 11 jnz short WinRAR.00AE1713
00AE1702 . 6A 01 push 0x1
00AE1704 . 6A 00 push 0x0
00AE1706 . E8 D596F2FF call WinRAR.00A0ADE0
00AE170B . 84C0 test al,al
00AE170D . 75 04 jnz short WinRAR.00AE1713
00AE170F . B7 01 mov bh,0x1
00AE1711 . EB 02 jmp short WinRAR.00AE1715
00AE1713 > 32FF xor bh,bh
00AE1715 > 8D85 00300000 lea eax,dword ptr ss:[ebp+0x3000]
00AE171B . 50 push eax
00AE171C . E8 FF8BF2FF call WinRAR.00A0A320
00AE1721 . 0FB785 003000>movzx eax,word ptr ss:[ebp+0x3000]
00AE1728 . 50 push eax ; /StringOrChar = 27BC
00AE1729 . E8 5247FBFF call <jmp.&USER32.CharUpperW> ; \CharUpperW
00AE172E . 0FB7F0 movzx esi,ax
00AE1731 . 68 34040000 push 0x434
00AE1736 . 6A 00 push 0x0
00AE1738 . 68 38A3B300 push WinRAR.00B3A338
00AE173D . E8 DE620100 call WinRAR.00AF7A20
00AE1742 . 83C4 0C add esp,0xC
00AE1745 . 6A 00 push 0x0
00AE1747 . 6A 00 push 0x0
00AE1749 . 6A 01 push 0x1
00AE174B . B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE1750 . E8 FBD6F7FF call WinRAR.00A5EE50
00AE1755 . E8 06E9F2FF call WinRAR.00A10060
00AE175A . 66:85F6 test si,si
00AE175D . 74 66 je short WinRAR.00AE17C5
00AE175F . 803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
00AE1766 . 75 5D jnz short WinRAR.00AE17C5
00AE1768 . 56 push esi
00AE1769 . 68 5CDEB100 push WinRAR.00B1DE5C ; UNICODE "AFUMD"
00AE176E . E8 6F500100 call WinRAR.00AF67E2
00AE1773 . 83C4 08 add esp,0x8
00AE1776 . 85C0 test eax,eax
00AE1778 . 75 32 jnz short WinRAR.00AE17AC
00AE177A . 83FE 43 cmp esi,0x43
00AE177D . 75 09 jnz short WinRAR.00AE1788
00AE177F . 66:3985 02300>cmp word ptr ss:[ebp+0x3002],ax
00AE1786 . 74 24 je short WinRAR.00AE17AC
00AE1788 > 803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
00AE178F . 75 34 jnz short WinRAR.00AE17C5
00AE1791 . 56 push esi
00AE1792 . 68 68DEB100 push WinRAR.00B1DE68 ; UNICODE "TXE"
00AE1797 . E8 46500100 call WinRAR.00AF67E2
00AE179C . 83C4 08 add esp,0x8
00AE179F . 85C0 test eax,eax
00AE17A1 . 74 22 je short WinRAR.00AE17C5
00AE17A3 . 6A 00 push 0x0
00AE17A5 . E8 3609FFFF call WinRAR.00AD20E0
00AE17AA . EB 20 jmp short WinRAR.00AE17CC
00AE17AC > E8 3F6FFEFF call WinRAR.00AC86F0
00AE17B1 . 83FE 44 cmp esi,0x44
00AE17B4 . 74 05 je short WinRAR.00AE17BB
00AE17B6 . 83FE 43 cmp esi,0x43
00AE17B9 . 75 11 jnz short WinRAR.00AE17CC
00AE17BB > 33C0 xor eax,eax
00AE17BD . 66:A3 B05BB40>mov word ptr ds:[0xB45BB0],ax
00AE17C3 . EB 07 jmp short WinRAR.00AE17CC
00AE17C5 > 6A 00 push 0x0
00AE17C7 . E8 4436FEFF call WinRAR.00AC4E10
00AE17CC > 6A 00 push 0x0
00AE17CE . 6A 00 push 0x0
00AE17D0 . 6A 01 push 0x1
00AE17D2 . B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE17D7 . E8 74D6F7FF call WinRAR.00A5EE50
00AE17DC . 68 A04BB400 push WinRAR.00B44BA0
00AE17E1 . B9 D011B500 mov ecx,WinRAR.00B511D0
00AE17E6 . E8 6567F2FF call WinRAR.00A07F50
00AE17EB . 68 00080000 push 0x800
00AE17F0 . 68 EAFFB400 push WinRAR.00B4FFEA
00AE17F5 . 68 B081B300 push WinRAR.00B381B0
00AE17FA . E8 5110FBFF call WinRAR.00A92850
00AE17FF . 33C0 xor eax,eax
00AE1801 . 66:A3 EAFFB40>mov word ptr ds:[0xB4FFEA],ax
00AE1807 . 68 00080000 push 0x800
00AE180C . 8D45 00 lea eax,dword ptr ss:[ebp]
00AE180F . 50 push eax
00AE1810 . E8 CB93FEFF call WinRAR.00ACABE0
00AE1815 . 8D45 00 lea eax,dword ptr ss:[ebp]
00AE1818 . 50 push eax
00AE1819 . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE181E . E8 1D38F6FF call WinRAR.00A45040
00AE1823 . C705 5492B300>mov dword ptr ds:[0xB39254],0x0
00AE182D . C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00AE1831 . E8 4A87F2FF call WinRAR.00A09F80
00AE1836 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00AE183D . FF35 AC81B300 push dword ptr ds:[0xB381AC]
00AE1843 . E8 58FBFFFF call WinRAR.00AE13A0
00AE1848 . 66:833D CC9CB>cmp word ptr ds:[0xB49CCC],0x0
00AE1850 . 74 2C je short WinRAR.00AE187E
00AE1852 . 68 CC9CB400 push WinRAR.00B49CCC
00AE1857 . E8 54ACF9FF call WinRAR.00A7C4B0
00AE185C . 68 00080000 push 0x800
00AE1861 . 68 CC9CB400 push WinRAR.00B49CCC
00AE1866 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE186B . 3D CC9CB400 cmp eax,WinRAR.00B49CCC
00AE1870 . 75 07 jnz short WinRAR.00AE1879
00AE1872 . E8 39ADF9FF call WinRAR.00A7C5B0
00AE1877 . EB 05 jmp short WinRAR.00AE187E
00AE1879 > E8 D20FFBFF call WinRAR.00A92850
00AE187E > 6A 00 push 0x0 ; /lParam = 0x0
00AE1880 . 6A 00 push 0x0 ; |wParam = 0x0
00AE1882 . 68 03800000 push 0x8003 ; |Message = MSG(0x8003)
00AE1887 . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; |hWnd = 0xB05BC
00AE188D . FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE1893 . 833D AC81B300>cmp dword ptr ds:[0xB381AC],0x0
00AE189A . 0F84 93010000 je WinRAR.00AE1A33
00AE18A0 . 66:833D CAEFB>cmp word ptr ds:[0xB4EFCA],0x0
00AE18A8 . 0F85 6F030000 jnz WinRAR.00AE1C1D
00AE18AE . 32DB xor bl,bl
00AE18B0 . 66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
00AE18B8 . 0F84 3A030000 je WinRAR.00AE1BF8
00AE18BE . 68 EAFFB400 push WinRAR.00B4FFEA
00AE18C3 . E8 F8A7F8FF call WinRAR.00A6C0C0
00AE18C8 . 83F8 FF cmp eax,-0x1
00AE18CB . 74 06 je short WinRAR.00AE18D3
00AE18CD . A8 10 test al,0x10
00AE18CF . 74 02 je short WinRAR.00AE18D3
00AE18D1 . B3 01 mov bl,0x1
00AE18D3 > 66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
00AE18DB . 0F84 EB020000 je WinRAR.00AE1BCC
00AE18E1 . 84DB test bl,bl
00AE18E3 . 0F85 E7020000 jnz WinRAR.00AE1BD0
00AE18E9 . 6A 00 push 0x0
00AE18EB . 68 8850B100 push WinRAR.00B15088 ; UNICODE "ReuseWindow"
00AE18F0 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General"
00AE18F5 . E8 9623FCFF call WinRAR.00AA3C90
00AE18FA . 85C0 test eax,eax
00AE18FC . 0F84 F7000000 je WinRAR.00AE19F9
00AE1902 . 85FF test edi,edi
00AE1904 . 0F84 EF000000 je WinRAR.00AE19F9
00AE190A . 6A 00 push 0x0
00AE190C . 68 00080000 push 0x800
00AE1911 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1917 . 50 push eax
00AE1918 . E8 F37FFEFF call WinRAR.00AC9910
00AE191D . 68 00080000 push 0x800
00AE1922 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1928 . 50 push eax
00AE1929 . E8 E28FF9FF call WinRAR.00A7A910
00AE192E . 68 00080000 push 0x800
00AE1933 . 68 8CC3B100 push WinRAR.00B1C38C ; UNICODE "Rar$"
00AE1938 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE193E . 50 push eax
00AE193F . E8 CC0EFBFF call WinRAR.00A92810
00AE1944 . 8D8D 00200000 lea ecx,dword ptr ss:[ebp+0x2000]
00AE194A . 8D51 02 lea edx,dword ptr ds:[ecx+0x2]
00AE194D . 8D49 00 lea ecx,dword ptr ds:[ecx]
00AE1950 > 66:8B01 mov ax,word ptr ds:[ecx]
00AE1953 . 83C1 02 add ecx,0x2
00AE1956 . 66:85C0 test ax,ax
00AE1959 .^ 75 F5 jnz short WinRAR.00AE1950
00AE195B . 2BCA sub ecx,edx
00AE195D . D1F9 sar ecx,1
00AE195F . 51 push ecx
00AE1960 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1966 . 50 push eax
00AE1967 . 68 EAFFB400 push WinRAR.00B4FFEA
00AE196C . E8 DF45FBFF call WinRAR.00A95F50
00AE1971 . 85C0 test eax,eax
00AE1973 . 0F84 80000000 je WinRAR.00AE19F9
00AE1979 . 68 20DDB100 push WinRAR.00B1DD20 ; /MapName = "RarArchiveWideName"
00AE197E . 68 00100000 push 0x1000 ; |MaximumSizeLow = 0x1000
00AE1983 . 6A 00 push 0x0 ; |MaximumSizeHigh = 0x0
00AE1985 . 68 04000008 push 0x8000004 ; |Protection = PAGE_READWRITE|SEC_COMMIT
00AE198A . 6A 00 push 0x0 ; |pSecurity = NULL
00AE198C . 6A FF push -0x1 ; |hFile = FFFFFFFF
00AE198E . FF15 9843B100 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW
00AE1994 . 8BF8 mov edi,eax
00AE1996 . 85FF test edi,edi
00AE1998 . 74 5C je short WinRAR.00AE19F6
00AE199A . 68 00100000 push 0x1000 ; /MapSize = 1000 (4096.)
00AE199F . 6A 00 push 0x0 ; |OffsetLow = 0x0
00AE19A1 . 6A 00 push 0x0 ; |OffsetHigh = 0x0
00AE19A3 . 6A 02 push 0x2 ; |AccessMode = FILE_MAP_WRITE
00AE19A5 . 57 push edi ; |hMapObject = NULL
00AE19A6 . FF15 A043B100 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile
00AE19AC . 8BF0 mov esi,eax
00AE19AE . 68 00080000 push 0x800
00AE19B3 . 56 push esi
00AE19B4 . 68 EAFFB400 push WinRAR.00B4FFEA
00AE19B9 . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE19BE . E8 8DF6F5FF call WinRAR.00A41050
00AE19C3 . 56 push esi ; /BaseAddress = 00DBCB64
00AE19C4 . FF15 9C43B100 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
00AE19CA . 68 F164E97A push 0x7AE964F1 ; /lParam = 0x7AE964F1
00AE19CF . 68 5EAC89D4 push 0xD489AC5E ; |wParam = 0xD489AC5E
00AE19D4 . 68 01800000 push 0x8001 ; |Message = MSG(0x8001)
00AE19D9 . FF75 E8 push dword ptr ss:[ebp-0x18] ; |hWnd = 0xDBCBB0
00AE19DC . FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE19E2 . 85C0 test eax,eax
00AE19E4 . 0f95c3 setne bl
00AE19E7 . 57 push edi ; /hObject = NULL
00AE19E8 . FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE19EE . 84DB test bl,bl
00AE19F0 . 0F85 B8010000 jnz WinRAR.00AE1BAE
00AE19F6 > 8B7D E8 mov edi,dword ptr ss:[ebp-0x18]
00AE19F9 > 68 EAFFB400 push WinRAR.00B4FFEA
00AE19FE . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE1A03 . E8 68FFF5FF call WinRAR.00A41970
00AE1A08 . 84C0 test al,al
00AE1A0A 0F84 9E010000 je WinRAR.00AE1BAE
00AE1A10 . 803D D491B300>cmp byte ptr ds:[0xB391D4],0x0
00AE1A17 . 75 17 jnz short WinRAR.00AE1A30
00AE1A19 . 833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
00AE1A20 . 0F84 77010000 je WinRAR.00AE1B9D
00AE1A26 . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE1A2B . E8 302EF6FF call WinRAR.00A44860
00AE1A30 > 8A5D EF mov bl,byte ptr ss:[ebp-0x11]
00AE1A33 > 57 push edi
00AE1A34 . 68 00000100 push 0x10000
00AE1A39 . 68 B038AD00 push WinRAR.00AD38B0
00AE1A3E . E8 DEAC0100 call WinRAR.00AFC721
00AE1A43 . 83C4 0C add esp,0xC
00AE1A46 . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A4C . FF15 C445B100 call dword ptr ds:[<&USER32.IsWindowVisi>; \IsWindowVisible
00AE1A52 . 85C0 test eax,eax
00AE1A54 . 75 0E jnz short WinRAR.00AE1A64
00AE1A56 . 85FF test edi,edi
00AE1A58 . 0f95c0 setne al
00AE1A5B . 0FB6C0 movzx eax,al
00AE1A5E . 50 push eax
00AE1A5F . E8 CCF5FFFF call WinRAR.00AE1030
00AE1A64 > FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A6A . FF15 0C45B100 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow
00AE1A70 . 84FF test bh,bh
00AE1A72 . 74 27 je short WinRAR.00AE1A9B
00AE1A74 . 84DB test bl,bl
00AE1A76 . 74 23 je short WinRAR.00AE1A9B
00AE1A78 . 68 704BB100 push WinRAR.00B14B70 ; UNICODE "Setup"
00AE1A7D . E8 0E00FCFF call WinRAR.00AA1A90
00AE1A82 . 84C0 test al,al
00AE1A84 . 75 15 jnz short WinRAR.00AE1A9B
00AE1A86 . 68 844CB100 push WinRAR.00B14C84 ; UNICODE ".rar"
00AE1A8B . E8 8096F5FF call WinRAR.00A3B110
00AE1A90 . 84C0 test al,al
00AE1A92 . 75 07 jnz short WinRAR.00AE1A9B
00AE1A94 . 6A 06 push 0x6
00AE1A96 . E8 65B2F2FF call WinRAR.00A0CD00
00AE1A9B > 6A 00 push 0x0
00AE1A9D . 68 1855B100 push WinRAR.00B15518 ; UNICODE "ExportedSettings"
00AE1AA2 . 68 7C48B100 push WinRAR.00B1487C
00AE1AA7 . E8 E421FCFF call WinRAR.00AA3C90
00AE1AAC . 85C0 test eax,eax
00AE1AAE . 74 05 je short WinRAR.00AE1AB5
00AE1AB0 . E8 7B92F2FF call WinRAR.00A0AD30
00AE1AB5 > 6A 00 push 0x0
00AE1AB7 . 6A 01 push 0x1
00AE1AB9 . E8 E238FCFF call WinRAR.00AA53A0
00AE1ABE . 6A 00 push 0x0
00AE1AC0 . 68 7050B100 push WinRAR.00B15070 ; UNICODE "WizardMode"
00AE1AC5 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General"
00AE1ACA . E8 C121FCFF call WinRAR.00AA3C90
00AE1ACF . 85C0 test eax,eax
00AE1AD1 . 74 24 je short WinRAR.00AE1AF7
00AE1AD3 . FF35 AC81B300 push dword ptr ds:[0xB381AC]
00AE1AD9 . E8 E2390000 call WinRAR.00AE54C0
00AE1ADE . 84C0 test al,al
00AE1AE0 . 74 15 je short WinRAR.00AE1AF7
00AE1AE2 . 833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
00AE1AE9 . 75 0C jnz short WinRAR.00AE1AF7
00AE1AEB . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1AF1 . FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1AF7 > 6A 00 push 0x0
00AE1AF9 . 6A 00 push 0x0
00AE1AFB . E8 00F0FFFF call WinRAR.00AE0B00
00AE1B00 . 84C0 test al,al
00AE1B02 .^ 75 F3 jnz short WinRAR.00AE1AF7
00AE1B04 . 6A 01 push 0x1
00AE1B06 . 6A 00 push 0x0
00AE1B08 . 6A 00 push 0x0
00AE1B0A . E8 7187FEFF call WinRAR.00ACA280
00AE1B0F . B9 34A3B300 mov ecx,WinRAR.00B3A334
00AE1B14 . E8 C7080000 call WinRAR.00AE23E0
00AE1B19 . E8 A21EFFFF call WinRAR.00AD39C0
00AE1B1E . C605 D592B300>mov byte ptr ds:[0xB392D5],0x1
00AE1B25 . FF35 F8A2B300 push dword ptr ds:[0xB3A2F8] ; /hEvent = 00000238 (window)
00AE1B2B . FF15 9441B100 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
00AE1B31 . 33F6 xor esi,esi
00AE1B33 . 8B3D 5043B100 mov edi,dword ptr ds:[<&KERNEL32.Sleep>] ; KERNEL32.Sleep
00AE1B39 . 8DA424 000000>lea esp,dword ptr ss:[esp]
00AE1B40 > 833D F0A2B300>cmp dword ptr ds:[0xB3A2F0],0x0
00AE1B47 . 7E 0D jle short WinRAR.00AE1B56
00AE1B49 . 6A 64 push 0x64
00AE1B4B . FFD7 call edi
00AE1B4D . 4E dec esi
00AE1B4E . 81FE C8000000 cmp esi,0xC8
00AE1B54 .^ 7C EA jl short WinRAR.00AE1B40
00AE1B56 > FF35 F8A2B300 push dword ptr ds:[0xB3A2F8] ; /hObject = 00000238 (window)
00AE1B5C . FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE1B62 . 833D CC92B300>cmp dword ptr ds:[0xB392CC],0x0
00AE1B69 . 0F84 0B010000 je WinRAR.00AE1C7A
00AE1B6F . 83C8 FF or eax,-0x1
00AE1B72 . A3 CC92B300 mov dword ptr ds:[0xB392CC],eax
00AE1B77 . 33F6 xor esi,esi
00AE1B79 . 8DA424 000000>lea esp,dword ptr ss:[esp]
00AE1B80 > 85C0 test eax,eax
00AE1B82 . 0F84 10010000 je WinRAR.00AE1C98
00AE1B88 . 6A 64 push 0x64
00AE1B8A . FFD7 call edi
00AE1B8C . 46 inc esi
00AE1B8D . 83FE 0A cmp esi,0xA
00AE1B90 . 0F8D 02010000 jge WinRAR.00AE1C98
00AE1B96 . A1 CC92B300 mov eax,dword ptr ds:[0xB392CC]
00AE1B9B .^ EB E3 jmp short WinRAR.00AE1B80
00AE1B9D > FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1BA3 . FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1BA9 .^ E9 82FEFFFF jmp WinRAR.00AE1A30
00AE1BAE > E8 FDDDFEFF call WinRAR.00ACF9B0
其中“DestroyWindow”出现了两处（00AE1AF1 和 00AE1BA3），分别对应关闭不同的窗口，不确定是哪一处时可以分别下断点验证。既然关闭窗口的操作在这里，广告窗口的创建应该就在它上方：向上查找相关调用并下断点调试，可以判断出 00AE1AB9 处的 call WinRAR.00AA53A0 就是弹出广告窗口的调用。处理方式有两种。一是在它上方找关键跳转：把 00AE1AAE 处的 je short WinRAR.00AE1AB5 改成 jmp 00AE1AF7，整段越过。二是直接把这个 call NOP 掉——但要注意 00AE1AB5、00AE1AB7 的两条 push 是给这个 call 准备的参数，而调用之后并没有 add esp 来平衡栈（从列表看应是被调函数自己清栈），所以 NOP 时要把两条 push 连同 call 一起 NOP 掉（2+2+5 共 9 字节），只 NOP 那 5 字节的 call 会让栈上多出 8 字节。另外 jmp 00AE1AF7 越过的不只是广告调用，还包括 00AE1AB0 处“ExportedSettings”非零时的调用和 00AE1AC0 附近的“WizardMode”分支；如果你用到这两个功能，需要另行验证补丁后的行为。
另一处的修改我选择用Binary Ninja这款反编译工具来完成,因为这款软件的流程图排版比较合理容易分析,并且占用系统资源比较小,其右键"patch"功能在修改汇编代码方面相对比较优秀。
使用 Binary Ninja 加载 winrar 主程序后，按“G”键输入我们要查找的地址。Binary Ninja 显示的是文件头里的默认加载基址，而 OD 里看到的是本次运行时实际映射到的地址，两者要自己换算：本例中 00AE1520 对应 004E1520，差值为 0x600000。注意这个差值只对当次调试会话有效——开启了 ASLR 的程序每次加载的基址可能不同（后面第二段代码中 hInst 显示为 00AE0000，看起来与第一段时的基址就不一样），换算时应从 OD 的内存映射窗口读取当次的模块基址，不要硬记差值。直接查找该位置如图所示：
在上述代码中我们注意到 00AE1A4C 处调用了系统 API IsWindowVisible。需要说明的是，IsWindowVisible 只是查询窗口当前是否可见，本身不会设置任何属性；真正起作用的是它所在流程块之前、从 00AE1893 开始到 00AE1A30 的那一大段条件流程，下面的补丁就是把这一段整体跳过，作者实测这样标题栏的许可过期提示就不再出现。那么我们在 Binary Ninja 中查找对应位置 004E1A4C，得到如下图所示：
点选该位置所在流程块的第一行，即“push edi {var_18_13}”处，在左下角的“Cross References”窗口可以看到有两个地址跳转到它。分析后我们选择把最早的那个跳转 0x4e189a（对应 OD 里 00AE189A 的 je WinRAR.00AE1A33）改为无条件跳转“jmp 0x4e1a33”（在该位置右击 --> "patch" --> "Edit Current Line"，如图所示）。需要注意：这样一改，00AE18A0 到 00AE1A30 之间的代码全部不再执行，其中包含读取“ReuseWindow”设置、通过“RarArchiveWideName”文件映射把文件名交给已有窗口（CreateFileMappingW / MapViewOfFile / SendMessageW 0x8001）以及经 00AE1B9D 到达的那处 DestroyWindow 等逻辑；已经开着一个 WinRAR 时再双击打开压缩包的行为可能会受影响，打完补丁后要实际测一下。
修改之后如下图:
完成这两步后保存修改，然后运行一下 winrar，得到如图：这下软件可以安静地启动，没有广告弹窗，标题栏也没有许可过期提醒了。提醒一句：被改过的 exe 如果原本带有数字签名，签名会随之失效，杀软也可能对其报毒，而且它不会再收到官方更新。这种修改只适合在本机做逆向练习，不要把补丁后的文件分发出去。
可是别高兴太早,我们将系统时间调至软件过期,重新启动winrar,还是会出现如下窗口,提示购买winrar许可。
重复运行、暂停、查看堆栈、查看调用、步进调试这一系列操作，我们会找到如下代码段。可以看到这段代码里带着广告页的链接 http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001（其中 $Vpersonal、$A 应是运行时被替换的占位符），以及提醒许可过期、需要重新购买的那个窗口——它的窗口类名是“RarReminder”（见最后 CreateWindowExW 的 Class 参数，这是窗口类名而不是函数名）。顺带一提，这个广告地址是明文 http 而不是 https，如果不打补丁而保留这个广告窗口，它加载的内容在网络上是未经加密、也未经校验的。
00B853A0 /$ B8 18100000 mov eax,0x1018
00B853A5 |. E8 26010500 call WinRAR1.00BD54D0
00B853AA |. A1 341BC100 mov eax,dword ptr ds:[0xC11B34]
00B853AF |. 33C4 xor eax,esp
00B853B1 |. 898424 141000>mov dword ptr ss:[esp+0x1014],eax
00B853B8 |. 803D 74A5C500>cmp byte ptr ds:[0xC5A574],0x0
00B853BF |. 74 0E je short WinRAR1.00B853CF
00B853C1 |. 80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0
00B853C9 |. 0F84 08040000 je WinRAR1.00B857D7
00B853CF |> 833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
00B853D6 |. 56 push esi
00B853D7 |. 74 1C je short WinRAR1.00B853F5
00B853D9 |. B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta"
00B853DE |. E8 1DF9FFFF call WinRAR1.00B84D00
00B853E3 |. 833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
00B853EA |. 0F84 A1000000 je WinRAR1.00B85491
00B853F0 |. E9 88000000 jmp WinRAR1.00B8547D
00B853F5 |> 68 FD040000 push 0x4FD
00B853FA |. E8 6171FEFF call WinRAR1.00B6C560
00B853FF |. 8BF0 mov esi,eax
00B85401 |. 66:833E 23 cmp word ptr ds:[esi],0x23
00B85405 |. 75 20 jnz short WinRAR1.00B85427
00B85407 |. 66:837E 02 23 cmp word ptr ds:[esi+0x2],0x23
00B8540C |. 75 19 jnz short WinRAR1.00B85427
00B8540E |. 8BCE mov ecx,esi
00B85410 |. 8D51 02 lea edx,dword ptr ds:[ecx+0x2]
00B85413 |> 66:8B01 /mov ax,word ptr ds:[ecx]
00B85416 |. 83C1 02 |add ecx,0x2
00B85419 |. 66:85C0 |test ax,ax
00B8541C |.^ 75 F5 \jnz short WinRAR1.00B85413
00B8541E |. 2BCA sub ecx,edx
00B85420 |. D1F9 sar ecx,1
00B85422 |. 83F9 64 cmp ecx,0x64
00B85425 |. 73 06 jnb short WinRAR1.00B8542D
00B85427 |> 8B35 1800C100 mov esi,dword ptr ds:[0xC10018] ; WinRAR1.00BF9628
00B8542D |> 68 00100000 push 0x1000
00B85432 |. 8D4424 1C lea eax,dword ptr ss:[esp+0x1C]
00B85436 |. 6A 00 push 0x0
00B85438 |. 50 push eax
00B85439 |. E8 E2250500 call WinRAR1.00BD7A20
00B8543E |. 83C4 0C add esp,0xC
00B85441 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
00B85445 |. 68 00100000 push 0x1000
00B8544A |. 50 push eax
00B8544B |. 8D46 04 lea eax,dword ptr ds:[esi+0x4]
00B8544E |. 50 push eax
00B8544F |. E8 0C07FFFF call WinRAR1.00B75B60
00B85454 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
00B85458 |. 8D51 01 lea edx,dword ptr ds:[ecx+0x1]
00B8545B |. EB 03 jmp short WinRAR1.00B85460
00B8545D | 8D49 00 lea ecx,dword ptr ds:[ecx]
00B85460 |> 8A01 /mov al,byte ptr ds:[ecx]
00B85462 |. 41 |inc ecx
00B85463 |. 84C0 |test al,al
00B85465 |.^ 75 F9 \jnz short WinRAR1.00B85460
00B85467 |. 2BCA sub ecx,edx
00B85469 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
00B8546D |. 51 push ecx
00B8546E |. 50 push eax
00B8546F |. B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta"
00B85474 |. E8 67F4FFFF call WinRAR1.00B848E0
00B85479 |. 84C0 test al,al
00B8547B |. 75 14 jnz short WinRAR1.00B85491
00B8547D |> 68 80040000 push 0x480
00B85482 |. 6A 00 push 0x0
00B85484 |. 68 98FBC000 push WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta"
00B85489 |. E8 92250500 call WinRAR1.00BD7A20
00B8548E |. 83C4 0C add esp,0xC
00B85491 |> 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
00B85498 |. 53 push ebx
00B85499 |. 75 12 jnz short WinRAR1.00B854AD
00B8549B |. A1 DC92C100 mov eax,dword ptr ds:[0xC192DC]
00B854A0 |. 83F8 28 cmp eax,0x28
00B854A3 |. 7F 04 jg short WinRAR1.00B854A9
00B854A5 |. 85C0 test eax,eax
00B854A7 |. 79 04 jns short WinRAR1.00B854AD
00B854A9 |> B3 01 mov bl,0x1
00B854AB |. EB 02 jmp short WinRAR1.00B854AF
00B854AD |> 32DB xor bl,bl
00B854AF |> 80BC24 241000>cmp byte ptr ss:[esp+0x1024],0x0
00B854B7 |. 0F84 EE020000 je WinRAR1.00B857AB
00B854BD |. E8 4EA0FCFF call WinRAR1.00B4F510
00B854C2 |. 3D 01050000 cmp eax,0x501
00B854C7 |. 77 10 ja short WinRAR1.00B854D9
00B854C9 |. F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x200
00B854D3 |. 0F84 FC020000 je WinRAR1.00B857D5
00B854D9 |> 803D 18FFC000>cmp byte ptr ds:[0xC0FF18],0x0
00B854E0 |. 0F84 EF020000 je WinRAR1.00B857D5
00B854E6 |. C605 C3FCC000>mov byte ptr ds:[0xC0FCC3],0x0
00B854ED |. C605 C7FDC000>mov byte ptr ds:[0xC0FDC7],0x0
00B854F4 |. C605 1700C100>mov byte ptr ds:[0xC10017],0x0
00B854FB |. 84DB test bl,bl
00B854FD |. 75 14 jnz short WinRAR1.00B85513
00B854FF |. A0 A8FBC000 mov al,byte ptr ds:[0xC0FBA8]
00B85504 |. 24 80 and al,0x80
00B85506 |. 0FB6C0 movzx eax,al
00B85509 |. F7D8 neg eax
00B8550B |. 1BC0 sbb eax,eax
00B8550D |. 2105 B0FBC000 and dword ptr ds:[0xC0FBB0],eax
00B85513 |> 32FF xor bh,bh
00B85515 |. 833D C0FBC000>cmp dword ptr ds:[0xC0FBC0],0x0
00B8551C |. 76 50 jbe short WinRAR1.00B8556E
00B8551E |. 383D B467C400 cmp byte ptr ds:[0xC467B4],bh
00B85524 |. 75 48 jnz short WinRAR1.00B8556E
00B85526 |. 6A 00 push 0x0
00B85528 |. 68 A098BF00 push WinRAR1.00BF98A0 ; UNICODE "RemShown"
00B8552D |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B85532 |. E8 59E7FFFF call WinRAR1.00B83C90
00B85537 |. 3B05 C0FBC000 cmp eax,dword ptr ds:[0xC0FBC0]
00B8553D |. 73 2F jnb short WinRAR1.00B8556E
00B8553F |. 40 inc eax
00B85540 |. 50 push eax
00B85541 |. 68 A098BF00 push WinRAR1.00BF98A0 ; UNICODE "RemShown"
00B85546 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B8554B |. E8 50F3FFFF call WinRAR1.00B848A0
00B85550 |. 803D C4FBC000>cmp byte ptr ds:[0xC0FBC4],0x0
00B85557 |. B7 01 mov bh,0x1
00B85559 |. 0F84 B8000000 je WinRAR1.00B85617
00B8555F |. 68 00010000 push 0x100
00B85564 |. 68 C4FBC000 push WinRAR1.00C0FBC4 ; ASCII "http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85569 |. E9 9F000000 jmp WinRAR1.00B8560D
00B8556E |> 833D C4FCC000>cmp dword ptr ds:[0xC0FCC4],0x0
00B85575 |. 76 45 jbe short WinRAR1.00B855BC
00B85577 |. 84DB test bl,bl
00B85579 |. 74 41 je short WinRAR1.00B855BC
00B8557B |. 6A 00 push 0x0
00B8557D |. 68 B498BF00 push WinRAR1.00BF98B4 ; UNICODE "ExpRemShown"
00B85582 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B85587 |. E8 04E7FFFF call WinRAR1.00B83C90
00B8558C |. 3B05 C4FCC000 cmp eax,dword ptr ds:[0xC0FCC4]
00B85592 |. 73 28 jnb short WinRAR1.00B855BC
00B85594 |. 40 inc eax
00B85595 |. 50 push eax
00B85596 |. 68 B498BF00 push WinRAR1.00BF98B4 ; UNICODE "ExpRemShown"
00B8559B |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B855A0 |. E8 FBF2FFFF call WinRAR1.00B848A0
00B855A5 |. 803D C8FCC000>cmp byte ptr ds:[0xC0FCC8],0x0
00B855AC |. B7 01 mov bh,0x1
00B855AE |. 74 67 je short WinRAR1.00B85617
00B855B0 |. 68 00010000 push 0x100
00B855B5 |. 68 C8FCC000 push WinRAR1.00C0FCC8 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B855BA |. EB 51 jmp short WinRAR1.00B8560D
00B855BC |> 833D C8FDC000>cmp dword ptr ds:[0xC0FDC8],0x0
00B855C3 |. 76 52 jbe short WinRAR1.00B85617
00B855C5 |. 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
00B855CC |. 74 49 je short WinRAR1.00B85617
00B855CE |. 6A 00 push 0x0
00B855D0 |. 68 CC98BF00 push WinRAR1.00BF98CC ; UNICODE "RegRemShown"
00B855D5 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B855DA |. E8 B1E6FFFF call WinRAR1.00B83C90
00B855DF |. 3B05 C8FDC000 cmp eax,dword ptr ds:[0xC0FDC8]
00B855E5 |. 73 30 jnb short WinRAR1.00B85617
00B855E7 |. 40 inc eax
00B855E8 |. 50 push eax
00B855E9 |. 68 CC98BF00 push WinRAR1.00BF98CC ; UNICODE "RegRemShown"
00B855EE |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B855F3 |. E8 A8F2FFFF call WinRAR1.00B848A0
00B855F8 |. 803D CCFDC000>cmp byte ptr ds:[0xC0FDCC],0x0
00B855FF |. B7 01 mov bh,0x1
00B85601 |. 74 14 je short WinRAR1.00B85617
00B85603 |. 68 00010000 push 0x100
00B85608 |. 68 CCFDC000 push WinRAR1.00C0FDCC
00B8560D |> 68 18FFC000 push WinRAR1.00C0FF18 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85612 |. E8 49D1FEFF call WinRAR1.00B72760
00B85617 |> FF15 3843BF00 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount
00B8561D |. 8BC8 mov ecx,eax
00B8561F |. B8 D34D6210 mov eax,0x10624DD3
00B85624 |. F7E1 mul ecx
00B85626 |. C1EA 06 shr edx,0x6
00B85629 |. 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
00B85630 |. 74 08 je short WinRAR1.00B8563A
00B85632 |. 8B0D BCFBC000 mov ecx,dword ptr ds:[0xC0FBBC]
00B85638 |. EB 20 jmp short WinRAR1.00B8565A
00B8563A |> 84DB test bl,bl
00B8563C |. 75 16 jnz short WinRAR1.00B85654
00B8563E |. 8B0D B4FBC000 mov ecx,dword ptr ds:[0xC0FBB4]
00B85644 |. 85C9 test ecx,ecx
00B85646 |. 74 20 je short WinRAR1.00B85668
00B85648 |. 8BC2 mov eax,edx
00B8564A |. 33D2 xor edx,edx
00B8564C |. F7F1 div ecx
00B8564E |. 85D2 test edx,edx
00B85650 |. 75 16 jnz short WinRAR1.00B85668
00B85652 |. EB 1C jmp short WinRAR1.00B85670
00B85654 |> 8B0D B8FBC000 mov ecx,dword ptr ds:[0xC0FBB8]
00B8565A |> 85C9 test ecx,ecx
00B8565C |. 74 0A je short WinRAR1.00B85668
00B8565E |. 8BC2 mov eax,edx
00B85660 |. 33D2 xor edx,edx
00B85662 |. F7F1 div ecx
00B85664 |. 85D2 test edx,edx
00B85666 |. 74 08 je short WinRAR1.00B85670
00B85668 |> 84FF test bh,bh
00B8566A |. 0F84 65010000 je WinRAR1.00B857D5
00B85670 |> 55 push ebp
00B85671 |. 57 push edi
00B85672 |. 8B3D A8FBC000 mov edi,dword ptr ds:[0xC0FBA8]
00B85678 |. C1E7 11 shl edi,0x11
00B8567B |. F7D7 not edi
00B8567D |. 81E7 00000400 and edi,0x40000
00B85683 |. 81CF 0000C816 or edi,0x16C80000
00B85689 |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x8
00B85690 |. 75 06 jnz short WinRAR1.00B85698
00B85692 |. 81CF 00000300 or edi,0x30000
00B85698 |> A1 D0FEC000 mov eax,dword ptr ds:[0xC0FED0]
00B8569D |. BD 00000080 mov ebp,0x80000000
00B856A2 |. C74424 10 000>mov dword ptr ss:[esp+0x10],0x80000000
00B856AA |. 8BF5 mov esi,ebp
00B856AC |. 8BDE mov ebx,esi
00B856AE |. 85C0 test eax,eax
00B856B0 |. 0F84 90000000 je WinRAR1.00B85746
00B856B6 |. 833D CCFEC000>cmp dword ptr ds:[0xC0FECC],0x0
00B856BD |. 0F84 83000000 je WinRAR1.00B85746
00B856C3 |. 50 push eax
00B856C4 |. E8 87530200 call WinRAR1.00BAAA50
00B856C9 |. 8B2D 8C46BF00 mov ebp,dword ptr ds:[<&USER32.GetSystem>; USER32.GetSystemMetrics
00B856CF |. 8BF0 mov esi,eax
00B856D1 |. 6A 21 push 0x21 ; /Index = SM_CYFRAME
00B856D3 |. FFD5 call ebp ; \GetSystemMetrics
00B856D5 |. 6A 04 push 0x4 ; /Index = SM_CYCAPTION
00B856D7 |. 8D1C46 lea ebx,dword ptr ds:[esi+eax*2] ; |
00B856DA |. FFD5 call ebp ; \GetSystemMetrics
00B856DC |. 03D8 add ebx,eax
00B856DE |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x40
00B856E5 |. 75 0C jnz short WinRAR1.00B856F3
00B856E7 |. F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x100
00B856F1 |. 75 06 jnz short WinRAR1.00B856F9
00B856F3 |> 031D 70A5C500 add ebx,dword ptr ds:[0xC5A570]
00B856F9 |> FF35 CCFEC000 push dword ptr ds:[0xC0FECC]
00B856FF |. E8 FC520200 call WinRAR1.00BAAA00
00B85704 |. 6A 20 push 0x20
00B85706 |. 8BF0 mov esi,eax
00B85708 |. FFD5 call ebp
00B8570A |. 6A 00 push 0x0 ; /UpdateProfile = 0
00B8570C |. 8D3446 lea esi,dword ptr ds:[esi+eax*2] ; |
00B8570F |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] ; |
00B85713 |. 50 push eax ; |pParam = NULL
00B85714 |. 6A 00 push 0x0 ; |wParam = 0x0
00B85716 |. 6A 30 push 0x30 ; |Action = SPI_GETWORKAREA
00B85718 |. FF15 8C44BF00 call dword ptr ds:[<&USER32.SystemParame>; \SystemParametersInfoW
00B8571E |. 8B4424 1C mov eax,dword ptr ss:[esp+0x1C]
00B85722 |. 3BF0 cmp esi,eax
00B85724 |. 7C 02 jl short WinRAR1.00B85728
00B85726 |. 8BF0 mov esi,eax
00B85728 |> 2BC6 sub eax,esi
00B8572A |. 99 cdq
00B8572B |. 2BC2 sub eax,edx
00B8572D |. D1F8 sar eax,1
00B8572F |. 894424 10 mov dword ptr ss:[esp+0x10],eax
00B85733 |. 8B4424 20 mov eax,dword ptr ss:[esp+0x20] ; WinRAR1.00C4D45D
00B85737 |. 3BD8 cmp ebx,eax
00B85739 |. 7C 02 jl short WinRAR1.00B8573D
00B8573B |. 8BD8 mov ebx,eax
00B8573D |> 2BC3 sub eax,ebx
00B8573F |. 99 cdq
00B85740 |. 2BC2 sub eax,edx
00B85742 |. 8BE8 mov ebp,eax
00B85744 |. D1FD sar ebp,1
00B85746 |> 68 00010000 push 0x100
00B8574B |. 68 18FFC000 push WinRAR1.00C0FF18 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85750 |. E8 3BF3FFFF call WinRAR1.00B84A90
00B85755 |. 6A 00 push 0x0 ; /lParam = NULL
00B85757 |. FF35 04F0C400 push dword ptr ds:[0xC4F004] ; |hInst = 00AE0000
00B8575D |. 6A 00 push 0x0 ; |hMenu = NULL
00B8575F |. 6A 00 push 0x0 ; |hParent = NULL
00B85761 |. 53 push ebx ; |Height = 902DC (590556.)
00B85762 |. 56 push esi ; |Width = 0x0
00B85763 |. 55 push ebp ; |Y = 5FA518 (6268184.)
00B85764 |. FF7424 2C push dword ptr ss:[esp+0x2C] ; |X = 0x0
00B85768 |. 57 push edi ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|3FE
00B85769 |. 68 6C71BF00 push WinRAR1.00BF716C ; |WindowName = "WinRAR"
00B8576E |. 68 E498BF00 push WinRAR1.00BF98E4 ; |Class = "RarReminder"
00B85773 |. 6A 00 push 0x0 ; |ExtStyle = 0
00B85775 |. FF15 A045BF00 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
00B8577B |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x1
00B85782 |. 5F pop edi ; USER32.76CD87ED
00B85783 |. 5D pop ebp ; USER32.76CD87ED
00B85784 |. 74 13 je short WinRAR1.00B85799
00B85786 |. 6A 03 push 0x3 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
00B85788 |. 6A 00 push 0x0 ; |Height = 0x0
00B8578A |. 6A 00 push 0x0 ; |Width = 0x0
00B8578C |. 6A 00 push 0x0 ; |Y = 0x0
00B8578E |. 6A 00 push 0x0 ; |X = 0x0
00B85790 |. 6A FF push -0x1 ; |InsertAfter = HWND_TOPMOST
00B85792 |. 50 push eax ; |hWnd = NULL
00B85793 |. FF15 B845BF00 call dword ptr ds:[<&USER32.SetWindowPos>; \SetWindowPos
00B85799 |> 833D C091C100>cmp dword ptr ds:[0xC191C0],0x0
00B857A0 |. 74 33 je short WinRAR1.00B857D5
00B857A2 |. C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1
00B857A9 |. EB 2A jmp short WinRAR1.00B857D5
00B857AB |> 84DB test bl,bl
00B857AD |. 74 26 je short WinRAR1.00B857D5
00B857AF |. 6A 00 push 0x0 ; /lParam = NULL
00B857B1 |. 68 10C2BB00 push WinRAR1.00BBC210 ; |DlgProc = WinRAR1.00BBC210
00B857B6 |. C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1 ; |
00B857BD |. FF15 F444BF00 call dword ptr ds:[<&USER32.GetFocus>] ; |[GetFocus
00B857C3 |. 50 push eax ; |hOwner = NULL
00B857C4 |. 68 FC98BF00 push WinRAR1.00BF98FC ; |pTemplate = "REMINDER"
00B857C9 |. FF35 00F0C400 push dword ptr ds:[0xC4F000] ; |hInst = 00AE0000
00B857CF |. FF15 C845BF00 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamW
00B857D5 |> 5B pop ebx ; USER32.76CD87ED
00B857D6 |. 5E pop esi ; USER32.76CD87ED
00B857D7 |> 8B8C24 141000>mov ecx,dword ptr ss:[esp+0x1014]
00B857DE |. 33CC xor ecx,esp
00B857E0 |. E8 D7FC0400 call WinRAR1.00BD54BC
00B857E5 |. 81C4 18100000 add esp,0x1018
00B857EB \. C2 0800 retn 0x8
经过分析判断,我们需要关注两处跳转,在函数开始第7行和第9行的跳转,将第7行的跳转NOP掉,第9行改jmp无条件跳转,即可以将程序的执行流程跳过广告链接和重新购买许可证的窗口。 7 00B853BF |. 74 0E je short WinRAR1.00B853CF 8 00B853C1 |. 80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0 9 00B853C9 |. 0F84 08040000 je WinRAR1.00B857D7
完成修改后,点击鼠标右键,在弹出的菜单中依次选择“复制到可执行文件”-->“所有修改”-->“复制”。
然后在新窗口中右击选择“保存文件”即可保存修改。
整个世界彻底清净了,老衲要继续清修了^_^!!!!附:分享几个系统函数。
CreateWindowEx function:https://msdn.microsoft.com/zh-cn/vstudio/ms632680(v=vs.90)
DestroyWindow function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-destroywindow
IsWindowVisible function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-iswindowvisible
还有一个大牛写的注册机:https://www.52pojie.cn/thread-984747-1-1.html