本帖最后由 speedboy 于 2021-3-23 10:57 编辑
【文章标题】: HitPaw Watermark Remover 1.1.0.6(X64)分析爆破
【文章作者】: speedboy
【软件名称】: HitPaw Watermark Remover
【下载地址】:
【加壳方式】: 无
【编写语言】: Microsoft Visual C++
【使用工具】: x64dbg
【操作平台】: win7
【软件介绍】: 一款能够轻松去除图片、视频水印的软件。对于有水印的图片、视频你可以使用HitPaw Watermark Remover轻松去除水印。该软件还可以删除视频中的日期,建筑物,人物和其他内容,以满足用户对各种图片和视频水印功能的需求。
【作者声明】: 只做学习、交流
--------------------------------------------------------------------------------
【详细过程】
1、搜索“registerState”,registerState有两处,在第一处双击来到反汇编区。
[Asm] 纯文本查看 复制代码 000000013F202BE4 lea rcx,qword ptr ds:[13F291808] "registerState"
000000013F2056AA lea rcx,qword ptr ds:[13F291808] "registerState"
2、在反汇编区上溯分析,软件未注册状态时,此语句 movzx edx,al,的al=0,进入上面的Call,使返回的al=1,试一试。
[Asm] 纯文本查看 复制代码 000000013F202BCD | E8 BEB40600 | call removewatermark.13F26E090 | 》F7跟进分析
000000013F202BD2 | 0FB6D0 | movzx edx,al |
000000013F202BD5 | 48:8D4D E0 | lea rcx,qword ptr ss:[rbp-20] |
000000013F202BD9 | FF15 A9910800 | call qword ptr ds:[<&??0QVariant@@QEAA@_N@Z>] |
000000013F202BDF | 90 | nop |
000000013F202BE0 | 41:8D56 0D | lea edx,qword ptr ds:[r14+D] |
000000013F202BE4 | 48:8D0D 1DEC0800 | lea rcx,qword ptr ds:[13F291808] | 000000013F291808:"registerState"
000000013F202BEB | FF15 D7970800 | call qword ptr ds:[<&?fromAscii_helper@QString@@CAPEAU?$QTypedArrayDa |
000000013F202BF1 | 48:8945 40 | mov qword ptr ss:[rbp+40],rax
3、Call调用函数的最后一行是个大跳转。
[Asm] 纯文本查看 复制代码 000000013F26E090 | 48:83EC 28 | sub rsp,28 |
000000013F26E094 | E8 E7060000 | call removewatermark.13F26E780 |
000000013F26E099 | 48:8BC8 | mov rcx,rax |
000000013F26E09C | 48:83C4 28 | add rsp,28 |
000000013F26E0A0 | E9 FB050000 | jmp removewatermark.13F26E6A0 |
4、跳转来到此处,在此程序段的最末 由此赋值语句 movzx eax,dil 所以当 dil=1时eax的值即为1,好,那就上溯分析,何处使得dil=1,此处000000013F26E6FF mov dil,1 跳转来自 je removewatermark.13F26E6FF,此处实现跳转,上面还有一个跳转语句 je removewatermark.13F26E704,此处不跳转,跳转的话会使得 dil=0(跳到此语句 xor dil,dil),经分析在【1】处修改即可实现破解。
[Asm] 纯文本查看 复制代码 000000013F26E6A0 | 48:895C24 18 | mov qword ptr ss:[rsp+18],rbx |
000000013F26E6A5 | 48:897424 20 | mov qword ptr ss:[rsp+20],rsi |
000000013F26E6AA | 57 | push rdi | rdi:&"癟"
000000013F26E6AB | 48:83EC 50 | sub rsp,50 |
000000013F26E6AF | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |
000000013F26E6B4 | 48:8B49 10 | mov rcx,qword ptr ds:[rcx+10] |
000000013F26E6B8 | E8 E39A0000 | call removewatermark.13F2781A0 |
000000013F26E6BD | 90 | nop |
000000013F26E6BE | 48:837C24 20 00 | cmp qword ptr ss:[rsp+20],0 |
000000013F26E6C4 | 74 3E | je removewatermark.13F26E704 | 》【1】不跳
000000013F26E6C6 | 48:8D4C24 40 | lea rcx,qword ptr ss:[rsp+40] |
000000013F26E6CB | FF15 AFCF0100 | call qword ptr ds:[<&?isValid@QDateTime@@QEBA_NXZ>] |
000000013F26E6D1 | 84C0 | test al,al |
000000013F26E6D3 | 74 2A | je removewatermark.13F26E6FF | 》跳转
000000013F26E6D5 | 48:8D4C24 68 | lea rcx,qword ptr ss:[rsp+68] |
000000013F26E6DA | FF15 F8D40100 | call qword ptr ds:[<&?currentDateTime@QDateTime@@SA?AV1@XZ>] |
000000013F26E6E0 | 90 | nop |
000000013F26E6E1 | 48:8D5424 40 | lea rdx,qword ptr ss:[rsp+40] |
000000013F26E6E6 | 48:8BC8 | mov rcx,rax |
000000013F26E6E9 | FF15 89CF0100 | call qword ptr ds:[<&??MQDateTime@@QEBA_NAEBV0@@Z>] |
000000013F26E6EF | 0FB6F8 | movzx edi,al | edi:&"癟"
000000013F26E6F2 | 48:8D4C24 68 | lea rcx,qword ptr ss:[rsp+68] |
000000013F26E6F7 | FF15 EBD40100 | call qword ptr ds:[<&??1QDateTime@@QEAA@XZ>] |
000000013F26E6FD | EB 08 | jmp removewatermark.13F26E707 |
000000013F26E6FF | 40:B7 01 | mov dil,1 | 》dil=1,后面会传递给eax
000000013F26E702 | EB 03 | jmp removewatermark.13F26E707 |
000000013F26E704 | 40:32FF | xor dil,dil |
000000013F26E707 | 48:8D4C24 40 | lea rcx,qword ptr ss:[rsp+40] |
000000013F26E70C | FF15 D6D40100 | call qword ptr ds:[<&??1QDateTime@@QEAA@XZ>] |
000000013F26E712 | 48:8D4C24 38 | lea rcx,qword ptr ss:[rsp+38] |
000000013F26E717 | FF15 CBDD0100 | call qword ptr ds:[<&??1QXmlStreamStringRef@@QEAA@XZ>] |
000000013F26E71D | 48:8D4C24 30 | lea rcx,qword ptr ss:[rsp+30] |
000000013F26E722 | FF15 C0DD0100 | call qword ptr ds:[<&??1QXmlStreamStringRef@@QEAA@XZ>] |
000000013F26E728 | 48:8B5C24 28 | mov rbx,qword ptr ss:[rsp+28] |
000000013F26E72D | 48:85DB | test rbx,rbx |
000000013F26E730 | 74 2C | je removewatermark.13F26E75E |
000000013F26E732 | BE FFFFFFFF | mov esi,FFFFFFFF |
000000013F26E737 | 8BC6 | mov eax,esi |
000000013F26E739 | F0:0FC143 04 | lock xadd dword ptr ds:[rbx+4],eax |
000000013F26E73E | 83F8 01 | cmp eax,1 |
000000013F26E741 | 75 09 | jne removewatermark.13F26E74C |
000000013F26E743 | 48:8B53 08 | mov rdx,qword ptr ds:[rbx+8] |
000000013F26E747 | 48:8BCB | mov rcx,rbx |
000000013F26E74A | FFD2 | call rdx |
000000013F26E74C | F0:0FC133 | lock xadd dword ptr ds:[rbx],esi |
000000013F26E750 | 83FE 01 | cmp esi,1 |
000000013F26E753 | 75 09 | jne removewatermark.13F26E75E |
000000013F26E755 | 48:8BCB | mov rcx,rbx |
000000013F26E758 | E8 731E0100 | call removewatermark.13F2805D0 |
000000013F26E75D | 90 | nop |
000000013F26E75E | 40:0FB6C7 | movzx eax,dil | 》eax=1,注册成功标志
000000013F26E762 | 48:8B5C24 70 | mov rbx,qword ptr ss:[rsp+70] |
000000013F26E767 | 48:8B7424 78 | mov rsi,qword ptr ss:[rsp+78] |
000000013F26E76C | 48:83C4 50 | add rsp,50 |
000000013F26E770 | 5F | pop rdi | rdi:&"癟"
000000013F26E771 | C3 | ret |
5、破解前后对比
| 
IP卡
发表于 2021-3-23 10:53:45
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2021-3-25 08:06:29
发表于 2021-3-25 13:53:49
楼主