- UID
- 6621
注册时间2006-1-8
阅读权限50
最后登录1970-1-1
感悟天道
 
TA的每日心情 | 奋斗
昨天 09:41 |
|---|
签到天数: 1483 天 [LV.10]以坛为家III
|
1、搜索“trial”,得到如下信息。
[Asm] 纯文本查看 复制代码 00663955 push Soundop.008A3490 ?ref=trial
2、双击此行来到反汇编区。
[Asm] 纯文本查看 复制代码 006638A0 /$ 55 push ebp
006638A1 |. 8BEC mov ebp,esp
006638A3 |. 6A FF push -0x1
006638A5 |. 68 886E8500 push Soundop.00856E88
006638AA |. 64:A1 00000000 mov eax,dword ptr fs:[0]
006638B0 |. 50 push eax ; kernel32.BaseThreadInitThunk
006638B1 |. 83EC 08 sub esp,0x8
006638B4 |. 56 push esi
006638B5 |. 57 push edi
006638B6 |. A1 58759000 mov eax,dword ptr ds:[0x907558]
006638BB |. 33C5 xor eax,ebp
006638BD |. 50 push eax ; kernel32.BaseThreadInitThunk
006638BE |. 8D45 F4 lea eax,[local.3]
006638C1 |. 64:A3 00000000 mov dword ptr fs:[0],eax ; kernel32.BaseThreadInitThunk
006638C7 |. E8 5B151700 call Soundop.007D4E27
006638CC |. 8B70 04 mov esi,dword ptr ds:[eax+0x4]
006638CF |. 66:83BE D8000000 01 cmp word ptr ds:[esi+0xD8],0x1
006638D7 |. 0F84 69010000 je Soundop.00663A46
006638DD |. E8 BE071700 call Soundop.007D40A0
006638E2 |. 8BC8 mov ecx,eax ; kernel32.BaseThreadInitThunk
006638E4 |. 85C9 test ecx,ecx
006638E6 |. 0F84 6B010000 je Soundop.00663A57
006638EC |. 8B01 mov eax,dword ptr ds:[ecx]
006638EE |. 8B50 0C mov edx,dword ptr ds:[eax+0xC]
006638F1 |. 3D FCC08600 cmp eax,Soundop.0086C0FC
006638F6 |. 0F85 65010000 jnz Soundop.00663A61
006638FC |. F0:FF41 14 lock inc dword ptr ds:[ecx+0x14]
00663900 |. 8D41 08 lea eax,dword ptr ds:[ecx+0x8]
00663903 |> 83C0 10 add eax,0x10
00663906 |. 8945 F0 mov [local.4],eax ; kernel32.BaseThreadInitThunk
00663909 |. B8 EC338A00 mov eax,Soundop.008A33EC ; [url]https://ivosight.com/purchase/[/url]
0066390E |. C745 FC 00000000 mov [local.1],0x0
00663915 |. 8D4D F0 lea ecx,[local.4]
00663918 |. A9 0000FFFF test eax,0xFFFF0000
0066391D |. 75 0B jnz short Soundop.0066392A
0066391F |. 0FB7C0 movzx eax,ax
00663922 |. 50 push eax ; kernel32.BaseThreadInitThunk
00663923 |. E8 1883DAFF call Soundop.0040BC40
00663928 |. EB 0C jmp short Soundop.00663936
0066392A |> 6A 1E push 0x1E
0066392C |. 68 EC338A00 push Soundop.008A33EC ; [url]https://ivosight.com/purchase/[/url]
00663931 |. E8 4A87DAFF call Soundop.0040C080
00663936 |> C745 FC 01000000 mov [local.1],0x1
0066393D |. 8D4D F0 lea ecx,[local.4]
00663940 |. 66:83BE F0000000 00 cmp word ptr ds:[esi+0xF0],0x0
00663948 |. 74 09 je short Soundop.00663953
0066394A |. 6A 09 push 0x9
0066394C |. 68 2C348A00 push Soundop.008A342C ; ?ref=demo
00663951 |. EB 07 jmp short Soundop.0066395A
00663953 |> 6A 0A push 0xA
00663955 |. 68 90348A00 push Soundop.008A3490 ; ?ref=trial
3、上溯分析,关键跳转为 je Soundop.00663A46,所以上一行的比较 cmp word ptr ds:[esi+0xD8],0x1 中ds:[esi+0xD8]=1时,跳转实现,在cmp word ptr ds:[esi+0xD8],0x1上 右键——查找参考——地址常量 找到给ds:[esi+0xD8]赋值的语句。
[Asm] 纯文本查看 复制代码 000000D8 00663018 mov word ptr ds:[esi+0xD8],ax
4、在赋值语句上双击来到反汇编区,发现mov word ptr ds:[esi+0xD8],ax的上一行是一个Call,F7跟进分析。
[Asm] 纯文本查看 复制代码 00662FD0 . 55 push ebp
00662FD1 . 8BEC mov ebp,esp
00662FD3 . 6A FF push -0x1
00662FD5 . 68 406E8500 push Soundop.00856E40
00662FDA . 64:A1 00000000 mov eax,dword ptr fs:[0]
00662FE0 . 50 push eax ; kernel32.BaseThreadInitThunk
00662FE1 . 81EC B8030000 sub esp,0x3B8
00662FE7 . A1 58759000 mov eax,dword ptr ds:[0x907558]
00662FEC . 33C5 xor eax,ebp
00662FEE . 8945 F0 mov dword ptr ss:[ebp-0x10],eax ; kernel32.BaseThreadInitThunk
00662FF1 . 56 push esi
00662FF2 . 57 push edi
00662FF3 . 50 push eax ; kernel32.BaseThreadInitThunk
00662FF4 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00662FF7 . 64:A3 00000000 mov dword ptr fs:[0],eax ; kernel32.BaseThreadInitThunk
00662FFD . 8BF1 mov esi,ecx
00662FFF . 89B5 84FCFFFF mov dword ptr ss:[ebp-0x37C],esi
00663005 . E8 C6110000 call Soundop.006641D0
0066300A . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk
0066300C . 74 77 je short Soundop.00663085
0066300E . E8 3D8DF5FF call Soundop.005BBD50
00663013 . E8 5891F5FF call Soundop.005BC170 ; 》关键Call,F7跟进分析,使返回的ax=1
00663018 . 66:8986 D8000000 mov word ptr ds:[esi+0xD8],ax
0066301F . 8D85 7CFCFFFF lea eax,dword ptr ss:[ebp-0x384]
5、经过分析,只要修改【1】处,使得al=1即可实现破解
[Asm] 纯文本查看 复制代码 005BC170 /$ 55 push ebp
005BC171 |. 8BEC mov ebp,esp
005BC173 |. 81EC 04010000 sub esp,0x104
005BC179 |. A1 58759000 mov eax,dword ptr ds:[0x907558]
………………
………………
………………
005BC191 |. 85F6 test esi,esi
005BC193 |. 7F 5A jg short Soundop.005BC1EF
005BC195 |. 68 00010000 push 0x100
005BC19A |. 8D85 FCFEFFFF lea eax,[local.65]
005BC1A0 |. 50 push eax ; kernel32.BaseThreadInitThunk
005BC1A1 |. 68 F09C8900 push Soundop.00899CF0 ; EVAL_CODE
005BC1A6 |. FF15 B01A9200 call dword ptr ds:[0x921AB0]
005BC1AC |. B9 709D8900 mov ecx,Soundop.00899D70 ; 1
005BC1B1 |. 8D85 FCFEFFFF lea eax,[local.65]
005BC1B7 |> 8A10 /mov dl,byte ptr ds:[eax]
005BC1B9 |. 3A11 |cmp dl,byte ptr ds:[ecx]
005BC1BB |. 75 1A |jnz short Soundop.005BC1D7
005BC1BD |. 84D2 |test dl,dl
005BC1BF |. 74 12 |je short Soundop.005BC1D3
005BC1C1 |. 8A50 01 |mov dl,byte ptr ds:[eax+0x1]
005BC1C4 |. 3A51 01 |cmp dl,byte ptr ds:[ecx+0x1]
005BC1C7 |. 75 0E |jnz short Soundop.005BC1D7
005BC1C9 |. 83C0 02 |add eax,0x2
005BC1CC |. 83C1 02 |add ecx,0x2
005BC1CF |. 84D2 |test dl,dl
005BC1D1 |.^ 75 E4 \jnz short Soundop.005BC1B7
005BC1D3 |> 33C0 xor eax,eax ; kernel32.BaseThreadInitThunk
005BC1D5 |. EB 05 jmp short Soundop.005BC1DC
005BC1D7 |> 1BC0 sbb eax,eax ; kernel32.BaseThreadInitThunk
005BC1D9 |. 83C8 01 or eax,0x1
005BC1DC |> 85C0 test eax,eax ; kernel32.BaseThreadInitThunk
005BC1DE |. 75 0F jnz short Soundop.005BC1EF
005BC1E0 |. 5E pop esi ; kernel32.74E0344D
005BC1E1 |. 8B4D FC mov ecx,[local.1]
005BC1E4 |. 33CD xor ecx,ebp
005BC1E6 |. E8 210F2500 call Soundop.0080D10C
005BC1EB |. 8BE5 mov esp,ebp
005BC1ED |. 5D pop ebp ; kernel32.74E0344D
005BC1EE |. C3 retn
005BC1EF |> 83FE 04 cmp esi,0x4
005BC1F2 |. 75 0B jnz short Soundop.005BC1FF
005BC1F4 |. 68 009D8900 push Soundop.00899D00 ; P0193768-QAB:D58hetVYpTxgAUL6/6ZFG2NzG8I14/XSCK8OXTYkrVbpsM+jqbUadIJbB73gZZNxtu2ajoNw3ff9q1NKYUFwoN
005BC1F9 |. FF15 B41A9200 call dword ptr ds:[0x921AB4]
005BC1FF |> 8B4D FC mov ecx,[local.1]
005BC202 |. 33C0 xor eax,eax ;
005BC204 |. 85F6 test esi,esi
005BC206 |. 5E pop esi ; kernel32.74E0344D
005BC207 |. 0F9EC0 setle al 》【1】
005BC20A |. 33CD xor ecx,ebp
005BC20C |. E8 FB0E2500 call Soundop.0080D10C
005BC211 |. 8BE5 mov esp,ebp
005BC213 |. 5D pop ebp ; kernel32.74E0344D
005BC214 \. C3 retn
6、破解后
|
-
评分
-
查看全部评分
|
IP卡
发表于 2021-3-30 11:22:20
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2021-3-30 14:43:48
发表于 2021-3-30 19:24:09
发表于 2021-3-31 06:29:01
