Please download the original software from the official site; do not download it from domestic copycat sites.
Official site: https://www.netsarang.com/zh/Xshell/
I had installed it a while ago and used it a bit, and it expired. Today I needed to remote in and found it had expired, so I looked for a keygen online; it also requires modifying the hosts file. Running the keygen in a sandbox and generating a key made it crash outright ...
After getting home I figured I would debug it. I loaded it in x64dbg; a breakpoint on CreateWindowExW did nothing, so after loading I simply ran it and used the pause trick to look at the stack, and found the API that pops up the dialog:

```
007A5C08 770CB8DB 返回到 user32.770CB8DB 自 user32.DialogBoxIndirectParamAorW
```

Scrolling further down, I found the dialog lives in the module nslicense.dll, so I analyzed that module's exported functions:
I then set a breakpoint and ran again, and it broke at the exported function NSLICENSE_CheckLicense:
```
01233B50 | 55 | push ebp | <NSLICENSE_CheckLicense>
...
01233D21 | E8 EA 0D 00 00 | call <nslicense.NSLICENSE_OpenRegistry> |
...
01233D93 | E8 78 0A 00 00 | call <nslicense.NSLICENSE_GetProductKey> |
...
01233DA5 | E8 A6 05 00 00 | call <nslicense.NSLICENSE_CloseRegistry> |
...
01233E67 | 8B BD 58 F2 FF FF | mov edi,dword ptr ss:[ebp-DA8] |
01233E6D | 8D 45 DC | lea eax,dword ptr ss:[ebp-24] |
01233E70 | 50 | push eax |
01233E71 | 57 | push edi |
01233E72 | E8 F9 08 00 00 | call <nslicense.NSLICENSE_GetMagicCode> |
01233E77 | 83 C4 08 | add esp,8 |
01233E7A | 85 C0 | test eax,eax |
01233E7C | 0F 84 9D 01 00 00 | je nslicense.123401F |
01233E82 | 8D 85 48 F2 FF FF | lea eax,dword ptr ss:[ebp-DB8] |
01233E88 | 50 | push eax |
01233E89 | 8D 45 DC | lea eax,dword ptr ss:[ebp-24] |
01233E8C | 50 | push eax |
01233E8D | E8 AE 0B 00 00 | call <nslicense.NSLICENSE_MagicCodeToDate> |
01233E92 | 83 C4 08 | add esp,8 |
01233E95 | 85 C0 | test eax,eax |
01233E97 | 0F 84 82 01 00 00 | je nslicense.123401F |
01233E9D | 8D 85 38 F2 FF FF | lea eax,dword ptr ss:[ebp-DC8] |
01233EA3 | 50 | push eax |
01233EA4 | E8 B7 05 00 00 | call <nslicense.NSLICENSE_GetCurrentDate> |
01233EA9 | 8D 45 DC | lea eax,dword ptr ss:[ebp-24] |
01233EAC | 50 | push eax |
01233EAD | 53 | push ebx | ebx:IsEnterprise
01233EAE | 57 | push edi |
01233EAF | 33 F6 | xor esi,esi | esi:"Sep 26 2019"
01233EB1 | E8 9A FA FF FF | call nslicense.1233950 |
01233EB6 | 83 C4 10 | add esp,10 |
01233EB9 | 85 C0 | test eax,eax |
01233EBB | 74 64 | je nslicense.1233F21 |
01233EBD | 8D 85 40 F2 FF FF | lea eax,dword ptr ss:[ebp-DC0] |
01233EC3 | 50 | push eax |
01233EC4 | 8D 45 DC | lea eax,dword ptr ss:[ebp-24] |
01233EC7 | 50 | push eax |
01233EC8 | E8 73 0B 00 00 | call <nslicense.NSLICENSE_MagicCodeToDate> |
01233ECD | 8B BD 40 F2 FF FF | mov edi,dword ptr ss:[ebp-DC0] |
01233ED3 | 8B 8D 48 F2 FF FF | mov ecx,dword ptr ss:[ebp-DB8] |
01233ED9 | 66 8B 95 44 F2 FF FF | mov dx,word ptr ss:[ebp-DBC] |
01233EE0 | 83 C4 08 | add esp,8 |
01233EE3 | 66 3B F9 | cmp di,cx |
01233EE6 | 72 1C | jb nslicense.1233F04 | compare the year
01233EE8 | 66 8B 85 42 F2 FF FF | mov ax,word ptr ss:[ebp-DBE] |
01233EEF | 66 3B 85 4A F2 FF FF | cmp ax,word ptr ss:[ebp-DB6] | A compare A
01233EF6 | 72 0C | jb nslicense.1233F04 |
01233EF8 | 66 8B 85 4C F2 FF FF | mov ax,word ptr ss:[ebp-DB4] | 08
01233EFF | 66 3B D0 | cmp dx,ax |
01233F02 | 73 2A | jae nslicense.1233F2E |
01233F04 | BE 01 00 00 00 | mov esi,1 | esi:"Sep 26 2019"
01233F09 | 8B CF | mov ecx,edi |
01233F0B | 66 89 95 64 F2 FF FF | mov word ptr ss:[ebp-D9C],dx |
01233F12 | 89 BD 50 F2 FF FF | mov dword ptr ss:[ebp-DB0],edi |
01233F18 | 66 89 95 54 F2 FF FF | mov word ptr ss:[ebp-DAC],dx |
01233F1F | EB 21 | jmp nslicense.1233F42 |
01233F21 | 8B 8D 48 F2 FF FF | mov ecx,dword ptr ss:[ebp-DB8] |
01233F27 | 66 8B 85 4C F2 FF FF | mov ax,word ptr ss:[ebp-DB4] |
01233F2E | 66 89 85 54 F2 FF FF | mov word ptr ss:[ebp-DAC],ax |
01233F35 | 89 8D 50 F2 FF FF | mov dword ptr ss:[ebp-DB0],ecx |
01233F3B | 66 89 85 64 F2 FF FF | mov word ptr ss:[ebp-D9C],ax |
01233F42 | 89 8D 60 F2 FF FF | mov dword ptr ss:[ebp-DA0],ecx |
01233F48 | C1 E9 10 | shr ecx,10 |
01233F4B | 41 | inc ecx |
01233F4C | 66 89 8D 62 F2 FF FF | mov word ptr ss:[ebp-D9E],cx |
01233F53 | 66 83 F9 0C | cmp cx,C | month <= 12
01233F57 | 76 16 | jbe nslicense.1233F6F |
01233F59 | 66 FF 85 60 F2 FF FF | inc word ptr ss:[ebp-DA0] |
01233F60 | B8 F4 FF 00 00 | mov eax,FFF4 |
01233F65 | 66 03 C8 | add cx,ax |
01233F68 | 66 89 8D 62 F2 FF FF | mov word ptr ss:[ebp-D9E],cx |
01233F6F | 8D 85 50 F2 FF FF | lea eax,dword ptr ss:[ebp-DB0] |
01233F75 | 50 | push eax |
01233F76 | 8D 85 38 F2 FF FF | lea eax,dword ptr ss:[ebp-DC8] |
01233F7C | 50 | push eax |
01233F7D | E8 EE 03 00 00 | call <nslicense.NSLICENSE_CompareDate> |
01233F82 | 83 C4 08 | add esp,8 |
01233F85 | 85 C0 | test eax,eax |
01233F87 | 78 65 | js nslicense.1233FEE |
01233F89 | 8D 85 60 F2 FF FF | lea eax,dword ptr ss:[ebp-DA0] |
01233F8F | 50 | push eax |
01233F90 | 8D 85 38 F2 FF FF | lea eax,dword ptr ss:[ebp-DC8] |
01233F96 | 50 | push eax |
01233F97 | E8 D4 03 00 00 | call <nslicense.NSLICENSE_CompareDate> |
01233F9C | 83 C4 08 | add esp,8 |
01233F9F | 85 C0 | test eax,eax |
01233FA1 | 7F 4B | jg nslicense.1233FEE | if this jump is taken, the expiry dialog pops up ...
01233FA3 | BF 01 00 00 00 | mov edi,1 |
01233FA8 | 8B B5 68 F2 FF FF | mov esi,dword ptr ss:[ebp-D98] |
01233FAE | FF B5 58 F2 FF FF | push dword ptr ss:[ebp-DA8] |
01233FB4 | E8 97 03 00 00 | call <nslicense.NSLICENSE_CloseRegistry> |
...
10003FEA | 8B E5 | mov esp,ebp |
10003FEC | 5D | pop ebp |
10003FED | C3 | ret | function returns; called as __cdecl, the caller balances the stack
10003FEE | F7 DE | neg esi | the dialog logic follows below
10003FF0 | 1B F6 | sbb esi,esi |
...
```
The general idea should be: read the stored installation time, then get today's date with GetCurrentDate, compare them to see whether it has expired, and if so pop up the dialog and block the program from running.
So I pulled out Baymax to verify the idea, choosing the exported function NSLICENSE_CheckLicense as the breakpoint address.
Set the function to return directly (since the function only checks whether it has expired, returning directly is fine). The function is called __cdecl and the caller balances the stack, so remember to set the stack adjustment to 4 here:
Baymax settings as shown in the figure:
Test OK! After patching, the program runs. Done ...
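To make the control flow in the listing easier to follow, here is an added C reconstruction of the validity window it computes; this is illustrative code written for this page, not code from the post, from Xshell or from nslicense.dll. The year/month/day field order is inferred from the word offsets the comparisons use, and the start/end handling mirrors the blocks at 1233EE3..1233F3B and 1233F42..1233F6F.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Field order inferred from the listing: cmp di,cx compares the low words
 * (year), then the words at +2 (month) and +4 (day) are compared. */
typedef struct { uint16_t year, month, day; } ns_date;

/* Signed three-way comparison, the role NSLICENSE_CompareDate plays above. */
static int ns_compare_date(const ns_date *a, const ns_date *b) {
    if (a->year  != b->year)  return a->year  < b->year  ? -1 : 1;
    if (a->month != b->month) return a->month < b->month ? -1 : 1;
    if (a->day   != b->day)   return a->day   < b->day   ? -1 : 1;
    return 0;
}

/* 1233EE3..1233F3B: when a second date is available (call 1233950 returned
 * nonzero), the earlier of the two becomes the start of the window. */
static ns_date ns_window_start(const ns_date *first, const ns_date *second) {
    if (second != NULL && ns_compare_date(second, first) < 0)
        return *second;
    return *first;
}

/* 1233F42..1233F6F: end = start + 1 month; "cmp cx,C" / "add cx,FFF4"
 * roll month 13 over to January of the following year. */
static ns_date ns_window_end(const ns_date *start) {
    ns_date end = *start;
    end.month += 1;
    if (end.month > 12) {
        end.year += 1;
        end.month -= 12;
    }
    return end;
}

/* The two CompareDate calls: today must not be before the start (js) and
 * must not be after the end (jg); either failing branch reaches 1233FEE. */
static bool ns_license_valid(const ns_date *first, const ns_date *second,
                             const ns_date *today) {
    ns_date start = ns_window_start(first, second);
    ns_date end = ns_window_end(&start);
    if (ns_compare_date(today, &start) < 0) return false;
    if (ns_compare_date(today, &end) > 0) return false;
    return true;
}
```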