飘云阁安全论坛 (PYG Security Forum)


[Original] Xara Photo & Graphic Designer 18.0.0.61670 (x64) analysis and patch crack

    Posted 7 days ago
    This post was last edited by speedboy on 2021-4-7 18:41

    【Title】: Xara Photo & Graphic Designer 18.0.0.61670 (x64) analysis and patch crack
    【Author】: speedboy
    【Software】: Xara Photo & Graphic Designer
    【Download】:
    【Packer】: none
    【Language】: Microsoft Visual C++
    【Tools】: x64dbg
    【Platform】: Win7
    【Description】: Xara Photo & Graphic Designer - Realize your ideas easily. Make your photos pop. Image editing, graphic design and illustration. Enjoy detailed photo editing, creative drawing and professional design, from photo collages and print documents to digital artwork. Realize each and every one of your creative ideas with Xara Photo & Graphic Designer! Create impressive designs in no time.
    【Author's statement】: For study and exchange only
    --------------------------------------------------------------------------------
    【Detailed process】
    1. Search for "CheckSerialRegistration" and you get the following:
    [Asm]
    000000014063341D  lea rcx,qword ptr ds:[1414BA620]  L"After CheckSerialRegistration\n"

    2. Double-click this line to go to the disassembly. The Call on the line above is the registration check; press F2 on this line to set a breakpoint.
    [Asm]
    00000001406333F6 | 49:8B8F C8020000      | mov rcx,qword ptr ds:[r15+2C8]                                                                          |
    00000001406333FD | 48:85C9               | test rcx,rcx                                                                                            |
    0000000140633400 | 0F84 D30A0000         | je photographicdesigner.140633ED9                                                                       |
    0000000140633406 | BA 01000000           | mov edx,1                                                                                               |
    000000014063340B | E8 708A1300           | call <photographicdesigner.public: int __cdecl CopyProtectionVPL::IsRunable(int) __ptr64>               |
    0000000140633410 | 85C0                  | test eax,eax                                                                                            |
    0000000140633412 | 0F84 C10A0000         | je photographicdesigner.140633ED9                                                                       |
    0000000140633418 | E8 13450100           | call <photographicdesigner.public: static void __cdecl InternetManager::CheckSerialRegistration(void)>  |
    000000014063341D | 48:8D0D FC71E800      | lea rcx,qword ptr ds:[1414BA620]                                                                        | 00000001414BA620:L"After CheckSerialRegistration\n"
    0000000140633424 | E8 87020100           | call <photographicdesigner.public: static void __cdecl Error::ReleaseTrace(wchar_t const * __ptr64,...) |

    3. Run the program. It does not break; instead the "Welcome" prompt window appears, which means an earlier call already ran. Analysis shows that call <photographicdesigner.public: int __cdecl CopyProtectionVPL::IsRunable(int) __ptr64> is what brings up the "Welcome" prompt window, so set a breakpoint there, step in and analyze, and you arrive in turn at:
    [Asm]
    000000014076BE80 | E9 EB080000           | jmp <photographicdesigner.private: int __cdecl CopyProtectionVPL::InitialCheck(int) __ptr64>

    [Asm]
    000000014076C770 | 40:57                 | push rdi                                                                                                |
    000000014076C772 | 48:83EC 30            | sub rsp,30                                                                                              |
    000000014076C776 | 48:C74424 20 FEFFFFFF | mov qword ptr ss:[rsp+20],FFFFFFFFFFFFFFFE                                                              |
    000000014076C77F | 48:895C24 48          | mov qword ptr ss:[rsp+48],rbx                                                                           |
    000000014076C784 | 48:897424 50          | mov qword ptr ss:[rsp+50],rsi                                                                           |
    000000014076C789 | 8BF2                  | mov esi,edx                                                                                             |
    000000014076C78B | 48:8BD9               | mov rbx,rcx                                                                                             |
    000000014076C78E | 48:8D4C24 40          | lea rcx,qword ptr ss:[rsp+40]                                                                           |
    000000014076C793 | E8 B850ECFF           | call <photographicdesigner.public: __cdecl DisableFPExceptions::DisableFPExceptions(void) __ptr64>      |
    000000014076C798 | 90                    | nop                                                                                                     |
    000000014076C799 | 33FF                  | xor edi,edi                                                                                             |
    000000014076C79B | 48:39BB 30380000      | cmp qword ptr ds:[rbx+3830],rdi                                                                         |
    000000014076C7A2 | 75 18                 | jne photographicdesigner.14076C7BC                                                                      |
    000000014076C7A4 | 48:8BCB               | mov rcx,rbx                                                                                             |
    000000014076C7A7 | E8 D4AA3900           | call <photographicdesigner.class IConsumerLibraryAdapter * __ptr64 __cdecl CreateConsumerLibraryAdapter |
    000000014076C7AC | 48:8983 30380000      | mov qword ptr ds:[rbx+3830],rax                                                                         |
    000000014076C7B3 | 48:85C0               | test rax,rax                                                                                            |
    000000014076C7B6 | 75 04                 | jne photographicdesigner.14076C7BC                                                                      |
    000000014076C7B8 | 8BDF                  | mov ebx,edi                                                                                             |
    000000014076C7BA | EB 17                 | jmp photographicdesigner.14076C7D3                                                                      |
    000000014076C7BC | 48:8B8B 30380000      | mov rcx,qword ptr ds:[rbx+3830]                                                                         |
    000000014076C7C3 | 48:8B01               | mov rax,qword ptr ds:[rcx]                                                                              |
    000000014076C7C6 | 85F6                  | test esi,esi                                                                                            | 》[1] change to xor
    000000014076C7C8 | 0F95C2                | setne dl                                                                                                | 》when dl=0 here, the welcome prompt window does not appear
    000000014076C7CB | FF90 88000000         | call qword ptr ds:[rax+88]                                                                              | 》calls the welcome window
    000000014076C7D1 | 8BD8                  | mov ebx,eax                                                                                             |
    000000014076C7D3 | 45:33C9               | xor r9d,r9d                                                                                             |
    000000014076C7D6 | 45:33C0               | xor r8d,r8d                                                                                             |
    000000014076C7D9 | 33D2                  | xor edx,edx                                                                                             |
    000000014076C7DB | B9 02000010           | mov ecx,10000002                                                                                        |
    000000014076C7E0 | E8 BFCD3000           | call <photographicdesigner.UrlMkSetSessionOption>                                                       |
    000000014076C7E5 | B8 01000000           | mov eax,1                                                                                               |
    000000014076C7EA | 83FB 02               | cmp ebx,2                                                                                               |
    000000014076C7ED | 0F44F8                | cmove edi,eax                                                                                           |
    000000014076C7F0 | 48:8D4C24 40          | lea rcx,qword ptr ss:[rsp+40]                                                                           |
    000000014076C7F5 | E8 9650ECFF           | call <photographicdesigner.public: __cdecl DisableFPExceptions::~DisableFPExceptions(void) __ptr64>     |
    000000014076C7FA | 8BC7                  | mov eax,edi                                                                                             |
    000000014076C7FC | 48:8B5C24 48          | mov rbx,qword ptr ss:[rsp+48]                                                                           |
    000000014076C801 | 48:8B7424 50          | mov rsi,qword ptr ss:[rsp+50]                                                                           |
    000000014076C806 | 48:83C4 30            | add rsp,30                                                                                              |
    000000014076C80A | 5F                    | pop rdi                                                                                                 |
    000000014076C80B | C3                    | ret                                                                                                     |

    4. Analysis shows that 000000014076C7CB call qword ptr ds:[rax+88] here is what calls the welcome window. Breaking on it and stepping in shows that it depends on the value of dl: when dl=0 the welcome prompt window does not appear. The line just above the call is exactly the instruction that sets dl, and when esi=0 in test esi,esi, dl=0. So simply changing test esi,esi to xor esi,esi achieves the crack.
    [Asm]
    000000014076C7C6 | 85F6                  | test esi,esi                                                                                            | 》[1] change to xor
    000000014076C7C8 | 0F95C2                | setne dl                                                                                                | 》when dl=0 here, the welcome prompt window does not appear
    000000014076C7CB | FF90 88000000         | call qword ptr ds:[rax+88]                                                                              | 》calls the welcome window

    5. At this point the program runs normally under the debugger, but when saving a modified file a "restart the program" error prompt window appears, so evidently there is a hidden check. During the analysis you will notice handler functions containing IsTrialVersion, so press Ctrl+N to open the symbol window and search for IsTrialVersion, which gives the following:
    [Asm]
    000000013F7B99B0 符号  ?IsTrialVersion@Application@@QEAAHXZ                           public: int __cdecl Application::IsTrialVersion(void) __ptr64
    000000014030EDA0 符号  ?IsTrialVersion@CCamApp@@QEAAHXZ                               public: int __cdecl CCamApp::IsTrialVersion(void) __ptr64
    0000000140A05000 符号  ?IsTrialVersion@CMX_ProteinLib@ProtectionEnvironment@@QEBA_NXZ public: bool __cdecl ProtectionEnvironment::CMX_ProteinLib::IsTrialVersion(void)const __ptr64
    0000000140A067D0 符号  ?IsTrialVersion@MXProtectionWrapper@@SA_NXZ                    public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)
    0000000140B920C6 符号  `CCamApp::IsTrialVersion'::`1'::dtor$0                         
    0000000140B920D2 符号  `CCamApp::IsTrialVersion'::`1'::dtor$1                         
    0000000140B920DE 符号  `CCamApp::IsTrialVersion'::`1'::dtor$2                         
    0000000140B920EA 符号  `CCamApp::IsTrialVersion'::`1'::dtor$3                         
    0000000140B920F6 符号  `CCamApp::IsTrialVersion'::`1'::dtor$4                         
    0000000140B92102 符号  `CCamApp::IsTrialVersion'::`1'::dtor$5                         
    0000000140B9210E 符号  `CCamApp::IsTrialVersion'::`1'::dtor$6                         
    0000000140B9211A 符号  `CCamApp::IsTrialVersion'::`1'::dtor$8                         
    0000000140B92126 符号  `CCamApp::IsTrialVersion'::`1'::dtor$9                         
    0000000140B92132 符号  `CCamApp::IsTrialVersion'::`1'::dtor$10     

    6. Analysis shows that 0000000140A067D0 public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void) is the key piece; double-click this line to go to the disassembly.
    [Asm]
    0000000140A067D0 | 48:8D0D D1821001      | lea rcx,qword ptr ds:[<class ProtectionEnvironment::CMX_ProteinLib s_proteinLib>] 

    7. On this line's address, "Right-click - Find references - Selected address" gives three calling functions:
    [Asm]
    00000001409ECAE6 call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>
    00000001409EDE21 call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>
    00000001409EDE60 call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>

    8. Double-click the first one to go to the disassembly. See it? This is where the program version is checked. Tracing upward, make je photographicdesigner.1409ECAD3 not jump (as for why, debug it yourself and you will understand; if it jumps, you end up at the trial-version exit). Further up you see CheckMuMaPatchFile (check for a trojan patch file? did I get that wrong? hehe), how blunt. Enter this Call and just try putting a ret at the start of the function (check what, exactly).
    [Asm]
    00000001409ECAB0 | 48:83EC 28            | sub rsp,28                                                                                                      |
    00000001409ECAB4 | 45:33C0               | xor r8d,r8d                                                                                                     |
    00000001409ECAB7 | 41:8D50 01            | lea edx,qword ptr ds:[r8+1]                                                                                     |
    00000001409ECABB | E8 E0F0FFFF           | call <photographicdesigner.public: int __cdecl CProductInterchangeAdapterForMumaEasy::invoke_CheckMuMaPatchFile |
    00000001409ECAC0 | E8 7B9C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsConsumerBoxVersion(void)>         |
    00000001409ECAC5 | 84C0                  | test al,al                                                                                                      | 
    00000001409ECAC7 | 74 0A                 | je photographicdesigner.1409ECAD3                                                                               | 》[2] must not jump; change to nop
    00000001409ECAC9 | B8 01000000           | mov eax,1                                                                                                       |
    00000001409ECACE | 48:83C4 28            | add rsp,28                                                                                                      |
    00000001409ECAD2 | C3                    | ret                                                                                                             |
    00000001409ECAD3 | E8 C89C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsProfessionalBoxVersion(void)>     |
    00000001409ECAD8 | 84C0                  | test al,al                                                                                                      |
    00000001409ECADA | 74 0A                 | je photographicdesigner.1409ECAE6                                                                               |
    00000001409ECADC | B8 02000000           | mov eax,2                                                                                                       |
    00000001409ECAE1 | 48:83C4 28            | add rsp,28                                                                                                      |
    00000001409ECAE5 | C3                    | ret                                                                                                             |
    00000001409ECAE6 | E8 E59C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsTrialVersion(void)>               |
    00000001409ECAEB | 84C0                  | test al,al                                                                                                      |
    00000001409ECAED | 74 0A                 | je photographicdesigner.1409ECAF9                                                                               | 
    00000001409ECAEF | B8 04000000           | mov eax,4                                                                                                       |
    00000001409ECAF4 | 48:83C4 28            | add rsp,28                                                                                                      |
    00000001409ECAF8 | C3                    | ret                                                                                                             |
    00000001409ECAF9 | E8 729C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsNonextensibleDemoVersion(void)>   |
    00000001409ECAFE | 84C0                  | test al,al                                                                                                      |
    00000001409ECB00 | 74 0A                 | je photographicdesigner.1409ECB0C                                                                               |
    00000001409ECB02 | B8 08000000           | mov eax,8                                                                                                       |
    00000001409ECB07 | 48:83C4 28            | add rsp,28                                                                                                      |
    00000001409ECB0B | C3                    | ret                                                                                                             |
    00000001409ECB0C | E8 9F9C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsSilverVersion(void)>              |
    00000001409ECB11 | 84C0                  | test al,al                                                                                                      |
    00000001409ECB13 | 74 0A                 | je photographicdesigner.1409ECB1F                                                                               | 
    00000001409ECB15 | B8 10000000           | mov eax,10                                                                                                      |
    00000001409ECB1A | 48:83C4 28            | add rsp,28                                                                                                      |
    00000001409ECB1E | C3                    | ret                                                                                                             |
    00000001409ECB1F | E8 5C9C0100           | call <photographicdesigner.public: static bool __cdecl MXProtectionWrapper::IsOEMVersion(void)>                 |
    00000001409ECB24 | 84C0                  | test al,al                                                                                                      |
    00000001409ECB26 | 74 0A                 | je photographicdesigner.1409ECB32                                                                               |
    00000001409ECB28 | B8 20000000           | mov eax,20                                                                                                      | 20:' '
    00000001409ECB2D | 48:83C4 28            | add rsp,28                                                                                                      |
    00000001409ECB31 | C3                    | ret     

    9. Enter 00000001409ECABB call <photographicdesigner.public: int __cdecl CProductInterchangeAdapterForMumaEasy::invoke_CheckMuMaPatchFile and put a ret directly at the function start.
    [Asm]
    00000001409EBBA0 | 40:53                 | push rbx                                                                                                        |》[3] change to ret
    00000001409EBBA2 | 48:83EC 20            | sub rsp,20                                                                                                      | 
    00000001409EBBA6 | 803D 48271201 00      | cmp byte ptr ds:[141B0E2F5],0                                                                                   |
    00000001409EBBAD | 41:8BD8               | mov ebx,r8d                                                                                                     |
    00000001409EBBB0 | 75 14                 | jne photographicdesigner.1409EBBC6                                                                              |
    00000001409EBBB2 | E8 99AA0100           | call <photographicdesigner.bool __cdecl InitCopyProtection(void)>                                               |
    00000001409EBBB7 | C605 37271201 01      | mov byte ptr ds:[141B0E2F5],1                                                                                   |
    00000001409EBBBE | 8805 3CB0F000         | mov byte ptr ds:[1418F6C00],al                                                                                  |
    00000001409EBBC4 | EB 07                 | jmp photographicdesigner.1409EBBCD                                                                              |
    00000001409EBBC6 | 0FB605 33B0F000       | movzx eax,byte ptr ds:[1418F6C00]                                                                               |
    00000001409EBBCD | 84C0                  | test al,al                                                                                                      |
    00000001409EBBCF | 74 4E                 | je photographicdesigner.1409EBC1F                                                                               |
    00000001409EBBD1 | 85DB                  | test ebx,ebx                                                                                                    |
    00000001409EBBD3 | 74 2C                 | je photographicdesigner.1409EBC01                                                                               |
    00000001409EBBD5 | 48:8D5424 48          | lea rdx,qword ptr ss:[rsp+48]                                                                                   |
    00000001409EBBDA | 48:8D0D C72E1201      | lea rcx,qword ptr ds:[<class ProtectionEnvironment::CMX_ProteinLib s_proteinLib>]                               |
    00000001409EBBE1 | C74424 48 00000000    | mov dword ptr ss:[rsp+48],0                                                                                     |
    00000001409EBBE9 | E8 229D0100           | call <photographicdesigner.public: virtual enum ProtectionEnvironment::t_proteinResult __cdecl ProtectionEnviro |
    00000001409EBBEE | 8B4C24 48             | mov ecx,dword ptr ss:[rsp+48]                                                                                   |
    00000001409EBBF2 | 85C0                  | test eax,eax                                                                                                    |
    00000001409EBBF4 | 74 1A                 | je photographicdesigner.1409EBC10                                                                               |
    00000001409EBBF6 | 85C9                  | test ecx,ecx                                                                                                    |
    00000001409EBBF8 | 74 16                 | je photographicdesigner.1409EBC10                                                                               |
    00000001409EBBFA | 0FB605 FFAFF000       | movzx eax,byte ptr ds:[1418F6C00]                                                                               |
    00000001409EBC01 | 84C0                  | test al,al                                                                                                      |
    00000001409EBC03 | 74 1A                 | je photographicdesigner.1409EBC1F                                                                               |
    00000001409EBC05 | B8 01000000           | mov eax,1                                                                                                       |
    00000001409EBC0A | 48:83C4 20            | add rsp,20                                                                                                      |
    00000001409EBC0E | 5B                    | pop rbx                                                                                                         |
    00000001409EBC0F | C3                    | ret                                                                                                             |

    10. Before/after comparison

    (Screenshots: 2021-04-07_183715.jpg, 2021-04-07_181915.jpg)
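As an added, defender-side example that is not part of the original post: the "hidden check" the author runs into at step 5 is the kind of anti-tamper logic a vendor adds so that byte patches like the ones described above are noticed. The Python below (constructed sample bytes, a hypothetical section table, and nothing from Xara's own code) shows the basic form such a check takes: record a SHA-256 per section at build time, recompute it at run time, and report which section and which offsets changed.

```python
import hashlib

# Constructed sample image: 16 header bytes, a 32-byte ".text" section and a
# 16-byte ".data" section. The bytes are arbitrary placeholders, not taken
# from any real binary.
BASELINE_IMAGE = bytes(range(0x10)) + bytes(range(0x40, 0x60)) + bytes(range(0xA0, 0xB0))

# Hypothetical section table: (name, file offset, size), as a PE parser would
# derive from the section headers.
SECTIONS = [(".text", 0x10, 0x20), (".data", 0x30, 0x10)]


def section_digest(image: bytes, start: int, size: int) -> str:
    """SHA-256 over the raw bytes of one section."""
    return hashlib.sha256(image[start:start + size]).hexdigest()


def record_digests(image: bytes, sections) -> dict:
    """Build-time step: record the known-good digest of every section."""
    return {name: section_digest(image, start, size) for name, start, size in sections}


def verify_sections(image: bytes, sections, expected: dict) -> list:
    """Run-time step: names of the sections whose digest no longer matches."""
    return [name for name, start, size in sections
            if section_digest(image, start, size) != expected[name]]


def changed_offsets(baseline: bytes, current: bytes) -> list:
    """(offset, old, new) for every differing byte; a length change is reported too."""
    diffs = [(i, a, b) for i, (a, b) in enumerate(zip(baseline, current)) if a != b]
    if len(baseline) != len(current):
        diffs.append((min(len(baseline), len(current)), None, None))
    return diffs


def simulate_byte_change(image: bytes, offset: int, value: int) -> bytes:
    """Return a copy of the image with a single byte replaced (test input only)."""
    return image[:offset] + bytes([value]) + image[offset + 1:]


# Known-good digests, as they would be stored at build time.
EXPECTED = record_digests(BASELINE_IMAGE, SECTIONS)

# Constructed tampered copy: one byte inside .text altered, .data untouched.
PATCHED_IMAGE = simulate_byte_change(BASELINE_IMAGE, 0x14, 0x90)

if __name__ == "__main__":
    print("tampered sections:", verify_sections(PATCHED_IMAGE, SECTIONS, EXPECTED))
    print("changed offsets:", changed_offsets(BASELINE_IMAGE, PATCHED_IMAGE))
```

In a real product the run-time step hashes the mapped code pages rather than the file on disk, so in-memory edits made from a debugger are caught as well, and the expected digests live somewhere a patcher cannot simply rewrite alongside the code, for instance in a signed manifest verified before the check runs.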


    Reply, posted 6 days ago:
    Thanks, bro, for sharing this great work.
