飘云阁

[Original] Aiseesoft Video Converter Ultimate 10.8.6 (x64): a simple analysis

Posted by speedboy on 2023-12-13 10:29:00
Last edited by speedboy on 2023-12-13 10:30

I debugged this software a while ago; searching for "Unregistered" or "The registration code is invalid." got me nowhere. Yesterday I noticed an updated version had been released, so I debugged it again. Today I put the main effort into register.dll and CommonUtils.dll.

I. First, static analysis of CommonUtils.dll in IDA. Why that one, you ask? (Baidu winks at me and says: CommonUtils is a general utility class covering encryption, date handling, validation, networking, string handling, configuration, file handling, exceptions and the like.)
1. After loading CommonUtils.dll, click the Imports tab, press Ctrl+F and type "registed"; you get the import table shown in the figure. Doesn't the last entry look suspicious? That is plainly the "is it registered?" check!
(screenshot: IDA-1.png)

2. Double-click the last row to go to IDA View; it lands in the .idata data region. Drag the scrollbar on the right up to the .text code region and press Alt+T to search for the text isRegisted.
(screenshot: IDA-3.png)

3. Find the CALL to the function, put the cursor at the leftmost byte of that CALL, then switch to the Hex View tab; there we get the hex signature of this CALL: FF 15 34 1A 02 00
(screenshot: IDA-5.png)

That is the preliminary work done; all we wanted was this signature ^_^

II. Debugging the program in x64dbg

1. After the program loads, press F9 a few times so that register.dll and CommonUtils.dll are loaded and show up in the symbol list. Open the "Symbols" tab, double-click CommonUtils.dll to go to its disassembly, press Ctrl+B to search the current region for the pattern FF 15 34 1A 02 00 to find the function call, then double-click it to go to that spot in the disassembly.
(screenshot: x64dbg.png)

2. Look at these four lines:
    000007FED67D4C4 | FF15 341A0200          | CALL QWORD PTR DS:[<public: bool __cdecl Register::isRegisted(class QString const &)>]            | 》** this is obviously the "registered?" flag being returned! **
    000007FED67D4C4 | 8845 E0                | MOV BYTE PTR SS:[RBP-0x20],AL                                                                     | 》the returned AL is stored on the stack
    000007FED67D4C4 | 84C0                   | TEST AL,AL                                                                                        |
    000007FED67D4C5 | 0F84 E5000000          | JE commonutils.7FED67D4D3C                                                                        | 》al=0 jumps; al≠0 falls through


The first line is the function call, which returns a value in AL; the second stores AL on the stack; the third tests AL; the fourth, simply put, jumps when AL=0 and does not jump when AL≠0. So the crack gives us two choices (make AL=0 or AL≠0). Testing shows: with AL=0 the software is unregistered, with AL≠0 the software is registered.

3. Now let's go into this CALL and get to work.
Set a breakpoint on CALL QWORD PTR DS:[<public: bool __cdecl Register::isRegisted(class QString const &)>], restart the program so it breaks here, then press F7 to step into the call and arrive here:
    000007FEFACF804 | CC                     | INT3                                                                                              |
    000007FEFACF805 | 48:8B49 30             | MOV RCX,QWORD PTR DS:[RCX+0x30]                                                                   |
    000007FEFACF805 | E9 E74AFFFF            | JMP register.7FEFACECB40                                                                          |
    000007FEFACF805 | CC                     | INT3                                                                                              |
    
Press F8 to step over, arriving here:
            
    000007FEFACECB4 | 48:895424 10           | MOV QWORD PTR SS:[RSP+0x10],RDX                                                            | 》*****
    000007FEFACECB4 | 48:894C24 08           | MOV QWORD PTR SS:[RSP+0x8],RCX                                                             |
    000007FEFACECB4 | 55                     | PUSH RBP                                                                                   |
    000007FEFACECB4 | 53                     | PUSH RBX                                                                                   |
    000007FEFACECB4 | 56                     | PUSH RSI                                                                                   |
    000007FEFACECB4 | 57                     | PUSH RDI                                                                                   |
    000007FEFACECB4 | 48:8D6C24 F8           | LEA RBP,QWORD PTR SS:[RSP-0x8]                                                             |
    000007FEFACECB5 | 48:81EC 08010000       | SUB RSP,0x108                                                                              |
    000007FEFACECB5 | 48:C745 A8 FEFFFFFF    | MOV QWORD PTR SS:[RBP-0x58],0xFFFFFFFFFFFFFFFE                                             |
    000007FEFACECB6 | 48:8BDA                | MOV RBX,RDX                                                                                |
    000007FEFACECB6 | 48:8BF1                | MOV RSI,RCX                                                                                |
    000007FEFACECB6 | 33D2                   | XOR EDX,EDX                                                                                |
    000007FEFACECB6 | E8 313B0000            | CALL register.7FEFACF06A0                                                                  |
    000007FEFACECB6 | 40:32FF                | XOR DIL,DIL                                                                                | 》[patch point] change to mov dil,1
    000007FEFACECB7 | 48:8D4D 48             | LEA RCX,QWORD PTR SS:[RBP+0x48]                                                            |
    000007FEFACECB7 | FF15 C43D0100          | CALL QWORD PTR DS:[<public: static class QDateTime __cdecl QDateTime::currentDateTime(void |
    000007FEFACECB7 | 90                     | NOP                                                                                        |
    000007FEFACECB7 | 49:C7C0 F6FFFFFF       | MOV R8,0xFFFFFFFFFFFFFFF6                                                                  |
    000007FEFACECB8 | 48:8D55 98             | LEA RDX,QWORD PTR SS:[RBP-0x68]                                                            |
    000007FEFACECB8 | 48:8D4D 48             | LEA RCX,QWORD PTR SS:[RBP+0x48]                                                            |
    000007FEFACECB8 | FF15 863B0100          | CALL QWORD PTR DS:[<public: class QDateTime __cdecl QDateTime::addDays(__int64) const>]    |
    000007FEFACECB9 | 48:8BD0                | MOV RDX,RAX                                                                                |
    000007FEFACECB9 | 48:8D4D 48             | LEA RCX,QWORD PTR SS:[RBP+0x48]                                                            |
    000007FEFACECB9 | FF15 993B0100          | CALL QWORD PTR DS:[<public: class QDateTime & __cdecl QDateTime::operator=(class QDateTime |
    000007FEFACECB9 | 48:8D4D 98             | LEA RCX,QWORD PTR SS:[RBP-0x68]                                                            |
    000007FEFACECBA | FF15 A73D0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECBA | 48:8D55 A0             | LEA RDX,QWORD PTR SS:[RBP-0x60]                                                            |
    000007FEFACECBA | 48:8BCB                | MOV RCX,RBX                                                                                |
    000007FEFACECBB | FF15 423D0100          | CALL QWORD PTR DS:[<public: class QString __cdecl QString::trimmed(void) const>]           |
    000007FEFACECBB | 48:8B08                | MOV RCX,QWORD PTR DS:[RAX]                                                                 |
    000007FEFACECBB | 8379 04 00             | CMP DWORD PTR DS:[RCX+0x4],0x0                                                             |
    000007FEFACECBB | 0F94C3                 | SETE BL                                                                                    |
    000007FEFACECBC | 48:8D4D A0             | LEA RCX,QWORD PTR SS:[RBP-0x60]                                                            |
    000007FEFACECBC | FF15 563E0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECBC | 48:8D4E 28             | LEA RCX,QWORD PTR DS:[RSI+0x28]                                                            |
    000007FEFACECBC | 84DB                   | TEST BL,BL                                                                                 |
    000007FEFACECBD | 0F84 54020000          | JE register.7FEFACECE2A                                                                    |
    000007FEFACECBD | 48:8D55 40             | LEA RDX,QWORD PTR SS:[RBP+0x40]                                                            |
    000007FEFACECBD | E8 B17B0000            | CALL register.7FEFACF4790                                                                  |
    000007FEFACECBD | 90                     | NOP                                                                                        |
    000007FEFACECBE | 48:8BD0                | MOV RDX,RAX                                                                                |
    000007FEFACECBE | 48:8D4C24 20           | LEA RCX,QWORD PTR SS:[RSP+0x20]                                                            |
    000007FEFACECBE | E8 63A7FFFF            | CALL register.7FEFACE7350                                                                  |
    000007FEFACECBE | 48:8B4C24 20           | MOV RCX,QWORD PTR SS:[RSP+0x20]                                                            |
    000007FEFACECBF | 48:6341 08             | MOVSXD RAX,DWORD PTR DS:[RCX+0x8]                                                          |
    000007FEFACECBF | 48:83C0 02             | ADD RAX,0x2                                                                                |
    000007FEFACECBF | 48:8D14C1              | LEA RDX,QWORD PTR DS:[RCX+RAX*8]                                                           |
    000007FEFACECBF | 48:895424 28           | MOV QWORD PTR SS:[RSP+0x28],RDX                                                            |
    000007FEFACECC0 | 48:6341 0C             | MOVSXD RAX,DWORD PTR DS:[RCX+0xC]                                                          |
    000007FEFACECC0 | 48:8D0CC1              | LEA RCX,QWORD PTR DS:[RCX+RAX*8]                                                           |
    000007FEFACECC0 | 48:83C1 10             | ADD RCX,0x10                                                                               |
    000007FEFACECC0 | 48:894C24 30           | MOV QWORD PTR SS:[RSP+0x30],RCX                                                            |
    000007FEFACECC1 | B8 01000000            | MOV EAX,0x1                                                                                |
    000007FEFACECC1 | 894424 38              | MOV DWORD PTR SS:[RSP+0x38],EAX                                                            |
    000007FEFACECC1 | 48:8B5D 40             | MOV RBX,QWORD PTR SS:[RBP+0x40]                                                            |
    000007FEFACECC2 | 8B03                   | MOV EAX,DWORD PTR DS:[RBX]                                                                 |
    000007FEFACECC2 | 83CE FF                | OR ESI,0xFFFFFFFF                                                                          |
    000007FEFACECC2 | 85C0                   | TEST EAX,EAX                                                                               |
    000007FEFACECC2 | 74 0D                  | JE register.7FEFACECC37                                                                    |
    000007FEFACECC2 | 3BC6                   | CMP EAX,ESI                                                                                |
    000007FEFACECC2 | 74 43                  | JE register.7FEFACECC71                                                                    |
    000007FEFACECC2 | F0:FF0B                | LOCK DEC DWORD PTR DS:[RBX]                                                                |
    000007FEFACECC3 | 75 2E                  | JNE register.7FEFACECC61                                                                   |
    000007FEFACECC3 | 48:8B5D 40             | MOV RBX,QWORD PTR SS:[RBP+0x40]                                                            |
    000007FEFACECC3 | 4C:6343 0C             | MOVSXD R8,DWORD PTR DS:[RBX+0xC]                                                           |
    000007FEFACECC3 | 49:83C0 02             | ADD R8,0x2                                                                                 |
    000007FEFACECC3 | 4E:8D04C3              | LEA R8,QWORD PTR DS:[RBX+R8*8]                                                             |
    000007FEFACECC4 | 48:6353 08             | MOVSXD RDX,DWORD PTR DS:[RBX+0x8]                                                          |
    000007FEFACECC4 | 48:83C2 02             | ADD RDX,0x2                                                                                |
    000007FEFACECC4 | 48:8D14D3              | LEA RDX,QWORD PTR DS:[RBX+RDX*8]                                                           |
    000007FEFACECC4 | 48:8D4D 40             | LEA RCX,QWORD PTR SS:[RBP+0x40]                                                            |
    000007FEFACECC5 | E8 A8210000            | CALL register.7FEFACEEE00                                                                  |
    000007FEFACECC5 | 48:8BCB                | MOV RCX,RBX                                                                                |
    000007FEFACECC5 | FF15 A73D0100          | CALL QWORD PTR DS:[<public: static void __cdecl QListData::dispose(struct QListData::Data  |
    000007FEFACECC6 | 837C24 38 00           | CMP DWORD PTR SS:[RSP+0x38],0x0                                                            |
    000007FEFACECC6 | 0F84 6C010000          | JE register.7FEFACECDD8                                                                    |
    000007FEFACECC6 | 48:8B5424 28           | MOV RDX,QWORD PTR SS:[RSP+0x28]                                                            |
    000007FEFACECC7 | 48:8B75 30             | MOV RSI,QWORD PTR SS:[RBP+0x30]                                                            |
    000007FEFACECC7 | 48:3B5424 30           | CMP RDX,QWORD PTR SS:[RSP+0x30]                                                            |
    000007FEFACECC7 | 0F84 55010000          | JE register.7FEFACECDD5                                                                    |
    000007FEFACECC8 | 48:8B1A                | MOV RBX,QWORD PTR DS:[RDX]                                                                 |
    000007FEFACECC8 | 48:8BD3                | MOV RDX,RBX                                                                                |
    000007FEFACECC8 | 48:8D4C24 40           | LEA RCX,QWORD PTR SS:[RSP+0x40]                                                            |
    000007FEFACECC8 | FF15 973D0100          | CALL QWORD PTR DS:[<public: __cdecl QString::QString(class QString const &)>]              |
    000007FEFACECC9 | 90                     | NOP                                                                                        |
    000007FEFACECC9 | 48:8D53 08             | LEA RDX,QWORD PTR DS:[RBX+0x8]                                                             |
    000007FEFACECC9 | 48:8D4C24 48           | LEA RCX,QWORD PTR SS:[RSP+0x48]                                                            |
    000007FEFACECC9 | FF15 873D0100          | CALL QWORD PTR DS:[<public: __cdecl QString::QString(class QString const &)>]              |
    000007FEFACECCA | 90                     | NOP                                                                                        |
    000007FEFACECCA | 48:8D53 10             | LEA RDX,QWORD PTR DS:[RBX+0x10]                                                            |
    000007FEFACECCA | 48:8D4C24 50           | LEA RCX,QWORD PTR SS:[RSP+0x50]                                                            |
    000007FEFACECCA | FF15 773D0100          | CALL QWORD PTR DS:[<public: __cdecl QString::QString(class QString const &)>]              |
    000007FEFACECCB | 90                     | NOP                                                                                        |
    000007FEFACECCB | 8B43 18                | MOV EAX,DWORD PTR DS:[RBX+0x18]                                                            |
    000007FEFACECCB | 894424 58              | MOV DWORD PTR SS:[RSP+0x58],EAX                                                            |
    000007FEFACECCB | 8B43 1C                | MOV EAX,DWORD PTR DS:[RBX+0x1C]                                                            |
    000007FEFACECCB | 894424 5C              | MOV DWORD PTR SS:[RSP+0x5C],EAX                                                            |
    000007FEFACECCC | 48:8D53 20             | LEA RDX,QWORD PTR DS:[RBX+0x20]                                                            |
    000007FEFACECCC | 48:8D4C24 60           | LEA RCX,QWORD PTR SS:[RSP+0x60]                                                            |
    000007FEFACECCC | FF15 713A0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::QDateTime(class QDateTime const &)>]        |
    000007FEFACECCC | 90                     | NOP                                                                                        |
    000007FEFACECCD | 48:8D53 28             | LEA RDX,QWORD PTR DS:[RBX+0x28]                                                            |
    000007FEFACECCD | 48:8D4C24 68           | LEA RCX,QWORD PTR SS:[RSP+0x68]                                                            |
    000007FEFACECCD | FF15 613A0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::QDateTime(class QDateTime const &)>]        |
    000007FEFACECCD | 90                     | NOP                                                                                        |
    000007FEFACECCE | 48:8D53 30             | LEA RDX,QWORD PTR DS:[RBX+0x30]                                                            |
    000007FEFACECCE | 48:8D4C24 70           | LEA RCX,QWORD PTR SS:[RSP+0x70]                                                            |
    000007FEFACECCE | FF15 513A0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::QDateTime(class QDateTime const &)>]        |
    000007FEFACECCE | 48:8D53 38             | LEA RDX,QWORD PTR DS:[RBX+0x38]                                                            |
    000007FEFACECCF | 48:8D4C24 78           | LEA RCX,QWORD PTR SS:[RSP+0x78]                                                            |
    000007FEFACECCF | FF15 2A3D0100          | CALL QWORD PTR DS:[<public: __cdecl QString::QString(class QString const &)>]              |
    000007FEFACECCF | 48:8D53 40             | LEA RDX,QWORD PTR DS:[RBX+0x40]                                                            |
    000007FEFACECD0 | 48:8D4D 80             | LEA RCX,QWORD PTR SS:[RBP-0x80]                                                            |
    000007FEFACECD0 | FF15 1C3D0100          | CALL QWORD PTR DS:[<public: __cdecl QString::QString(class QString const &)>]              |
    000007FEFACECD0 | 8B43 48                | MOV EAX,DWORD PTR DS:[RBX+0x48]                                                            |
    000007FEFACECD0 | 8945 88                | MOV DWORD PTR SS:[RBP-0x78],EAX                                                            |
    000007FEFACECD1 | 837C24 38 00           | CMP DWORD PTR SS:[RSP+0x38],0x0                                                            |
    000007FEFACECD1 | 74 45                  | JE register.7FEFACECD5E                                                                    |
    000007FEFACECD1 | 48:8D55 90             | LEA RDX,QWORD PTR SS:[RBP-0x70]                                                            |
    000007FEFACECD1 | 48:8D4C24 40           | LEA RCX,QWORD PTR SS:[RSP+0x40]                                                            |
    000007FEFACECD2 | FF15 D03B0100          | CALL QWORD PTR DS:[<public: class QString __cdecl QString::trimmed(void) const>]           |
    000007FEFACECD2 | 48:8B08                | MOV RCX,QWORD PTR DS:[RAX]                                                                 |
    000007FEFACECD2 | 8379 04 00             | CMP DWORD PTR DS:[RCX+0x4],0x0                                                             |
    000007FEFACECD2 | 0F94C3                 | SETE BL                                                                                    |
    000007FEFACECD3 | 48:8D4D 90             | LEA RCX,QWORD PTR SS:[RBP-0x70]                                                            |
    000007FEFACECD3 | FF15 E43C0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECD3 | 84DB                   | TEST BL,BL                                                                                 |
    000007FEFACECD3 | 75 16                  | JNE register.7FEFACECD56                                                                   |
    000007FEFACECD4 | 48:8D5424 40           | LEA RDX,QWORD PTR SS:[RSP+0x40]                                                            |
    000007FEFACECD4 | 48:8BCE                | MOV RCX,RSI                                                                                |
    000007FEFACECD4 | E8 F3FDFFFF            | CALL register.7FEFACECB40                                                                  |
    000007FEFACECD4 | 84C0                   | TEST AL,AL                                                                                 |
    000007FEFACECD4 | 74 05                  | JE register.7FEFACECD56                                                                    |
    000007FEFACECD5 | 40:B7 01               | MOV DIL,0x1                                                                                |
    000007FEFACECD5 | EB 08                  | JMP register.7FEFACECD5E                                                                   |
    000007FEFACECD5 | C74424 38 00000000     | MOV DWORD PTR SS:[RSP+0x38],0x0                                                            |
    000007FEFACECD5 | 48:8D4D 80             | LEA RCX,QWORD PTR SS:[RBP-0x80]                                                            |
    000007FEFACECD6 | FF15 B83C0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECD6 | 90                     | NOP                                                                                        |
    000007FEFACECD6 | 48:8D4C24 78           | LEA RCX,QWORD PTR SS:[RSP+0x78]                                                            |
    000007FEFACECD6 | FF15 AC3C0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECD7 | 90                     | NOP                                                                                        |
    000007FEFACECD7 | 48:8D4C24 70           | LEA RCX,QWORD PTR SS:[RSP+0x70]                                                            |
    000007FEFACECD7 | FF15 D03B0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECD8 | 90                     | NOP                                                                                        |
    000007FEFACECD8 | 48:8D4C24 68           | LEA RCX,QWORD PTR SS:[RSP+0x68]                                                            |
    000007FEFACECD8 | FF15 C43B0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECD8 | 90                     | NOP                                                                                        |
    000007FEFACECD8 | 48:8D4C24 60           | LEA RCX,QWORD PTR SS:[RSP+0x60]                                                            |
    000007FEFACECD9 | FF15 B83B0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECD9 | 90                     | NOP                                                                                        |
    000007FEFACECD9 | 48:8D4C24 50           | LEA RCX,QWORD PTR SS:[RSP+0x50]                                                            |
    000007FEFACECD9 | FF15 7C3C0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECDA | 90                     | NOP                                                                                        |
    000007FEFACECDA | 48:8D4C24 48           | LEA RCX,QWORD PTR SS:[RSP+0x48]                                                            |
    000007FEFACECDA | FF15 703C0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECDB | 90                     | NOP                                                                                        |
    000007FEFACECDB | 48:8D4C24 40           | LEA RCX,QWORD PTR SS:[RSP+0x40]                                                            |
    000007FEFACECDB | FF15 643C0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECDB | 48:8B5424 28           | MOV RDX,QWORD PTR SS:[RSP+0x28]                                                            |
    000007FEFACECDC | 48:83C2 08             | ADD RDX,0x8                                                                                |
    000007FEFACECDC | 48:895424 28           | MOV QWORD PTR SS:[RSP+0x28],RDX                                                            |
    000007FEFACECDC | 837424 38 01           | XOR DWORD PTR SS:[RSP+0x38],0x1                                                            |
    000007FEFACECDC | 0F85 A0FEFFFF          | JNE register.7FEFACECC75                                                                   |
    000007FEFACECDD | 83CE FF                | OR ESI,0xFFFFFFFF                                                                          |
    000007FEFACECDD | 48:8B5C24 20           | MOV RBX,QWORD PTR SS:[RSP+0x20]                                                            |
    000007FEFACECDD | 8B03                   | MOV EAX,DWORD PTR DS:[RBX]                                                                 |
    000007FEFACECDD | 85C0                   | TEST EAX,EAX                                                                               |
    000007FEFACECDE | 74 1A                  | JE register.7FEFACECDFD                                                                    |
    000007FEFACECDE | 83F8 FF                | CMP EAX,0xFFFFFFFF                                                                         |
    000007FEFACECDE | 0F84 BA000000          | JE register.7FEFACECEA6                                                                    |
    000007FEFACECDE | F0:0FC133              | LOCK XADD DWORD PTR DS:[RBX],ESI                                                           |
    000007FEFACECDF | FFCE                   | DEC ESI                                                                                    |
    000007FEFACECDF | 0F85 AE000000          | JNE register.7FEFACECEA6                                                                   |
    000007FEFACECDF | 48:8B5C24 20           | MOV RBX,QWORD PTR SS:[RSP+0x20]                                                            |
    000007FEFACECDF | 4C:6343 0C             | MOVSXD R8,DWORD PTR DS:[RBX+0xC]                                                           |
    000007FEFACECE0 | 49:83C0 02             | ADD R8,0x2                                                                                 |
    000007FEFACECE0 | 4E:8D04C3              | LEA R8,QWORD PTR DS:[RBX+R8*8]                                                             |
    000007FEFACECE0 | 48:6353 08             | MOVSXD RDX,DWORD PTR DS:[RBX+0x8]                                                          |
    000007FEFACECE0 | 48:83C2 02             | ADD RDX,0x2                                                                                |
    000007FEFACECE1 | 48:8D14D3              | LEA RDX,QWORD PTR DS:[RBX+RDX*8]                                                           |
    000007FEFACECE1 | 48:8D4C24 20           | LEA RCX,QWORD PTR SS:[RSP+0x20]                                                            |
    000007FEFACECE1 | E8 E11F0000            | CALL register.7FEFACEEE00                                                                  |
    000007FEFACECE1 | 48:8BCB                | MOV RCX,RBX                                                                                |
    000007FEFACECE2 | FF15 E03B0100          | CALL QWORD PTR DS:[<public: static void __cdecl QListData::dispose(struct QListData::Data  |
    000007FEFACECE2 | EB 7C                  | JMP register.7FEFACECEA6                                                                   |
    000007FEFACECE2 | 48:8B55 38             | MOV RDX,QWORD PTR SS:[RBP+0x38]                                                            |
    000007FEFACECE2 | E8 ADB5FFFF            | CALL register.7FEFACE83E0                                                                  |
    000007FEFACECE3 | 48:8BD0                | MOV RDX,RAX                                                                                |
    000007FEFACECE3 | 48:8D4D B0             | LEA RCX,QWORD PTR SS:[RBP-0x50]                                                            |
    000007FEFACECE3 | E8 41A9FFFF            | CALL register.7FEFACE7780                                                                  |
    000007FEFACECE3 | 40:0FB6FF              | MOVZX EDI,DIL                                                                              |
    000007FEFACECE4 | B8 01000000            | MOV EAX,0x1                                                                                |
    000007FEFACECE4 | 3945 C8                | CMP DWORD PTR SS:[RBP-0x38],EAX                                                            |
    000007FEFACECE4 | 0F44F8                 | CMOVE EDI,EAX                                                                              |
    000007FEFACECE4 | 48:8D4D F0             | LEA RCX,QWORD PTR SS:[RBP-0x10]                                                            |
    000007FEFACECE5 | FF15 C83B0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECE5 | 90                     | NOP                                                                                        |
    000007FEFACECE5 | 48:8D4D E8             | LEA RCX,QWORD PTR SS:[RBP-0x18]                                                            |
    000007FEFACECE5 | FF15 BD3B0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECE6 | 90                     | NOP                                                                                        |
    000007FEFACECE6 | 48:8D4D E0             | LEA RCX,QWORD PTR SS:[RBP-0x20]                                                            |
    000007FEFACECE6 | FF15 E23A0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECE6 | 90                     | NOP                                                                                        |
    000007FEFACECE6 | 48:8D4D D8             | LEA RCX,QWORD PTR SS:[RBP-0x28]                                                            |
    000007FEFACECE7 | FF15 D73A0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECE7 | 90                     | NOP                                                                                        |
    000007FEFACECE7 | 48:8D4D D0             | LEA RCX,QWORD PTR SS:[RBP-0x30]                                                            |
    000007FEFACECE7 | FF15 CC3A0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECE8 | 90                     | NOP                                                                                        |
    000007FEFACECE8 | 48:8D4D C0             | LEA RCX,QWORD PTR SS:[RBP-0x40]                                                            |
    000007FEFACECE8 | FF15 913B0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECE8 | 90                     | NOP                                                                                        |
    000007FEFACECE9 | 48:8D4D B8             | LEA RCX,QWORD PTR SS:[RBP-0x48]                                                            |
    000007FEFACECE9 | FF15 863B0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECE9 | 90                     | NOP                                                                                        |
    000007FEFACECE9 | 48:8D4D B0             | LEA RCX,QWORD PTR SS:[RBP-0x50]                                                            |
    000007FEFACECE9 | FF15 7B3B0100          | CALL QWORD PTR DS:[<public: __cdecl QString::~QString(void)>]                              |
    000007FEFACECEA | 90                     | NOP                                                                                        |
    000007FEFACECEA | 48:8D4D 48             | LEA RCX,QWORD PTR SS:[RBP+0x48]                                                            |
    000007FEFACECEA | FF15 A03A0100          | CALL QWORD PTR DS:[<public: __cdecl QDateTime::~QDateTime(void)>]                          |
    000007FEFACECEB | 40:0FB6C7              | MOVZX EAX,DIL                                                                              | 》 parameter passing (EAX = DIL, the return value)
    000007FEFACECEB | 48:81C4 08010000       | ADD RSP,0x108                                                                              |
    000007FEFACECEB | 5F                     | POP RDI                                                                                    |
    000007FEFACECEB | 5E                     | POP RSI                                                                                    |
    000007FEFACECEB | 5B                     | POP RBX                                                                                    |
    000007FEFACECEB | 5D                     | POP RBP                                                                                    |
    000007FEFACECEB | C3                     | RET                                                                                        |

    2. At the end of this code block we see EAX = DIL, so we trace upward looking for the place where DIL can be set to 1. Debugging shows that just below the start of the function there is an instruction XOR DIL,DIL; setting the value there achieves the crack. (Note that what you save after the edit is the register.dll file, because at this point we are inside its address space.)


    Dear readers, was that detailed enough? Today is the Nanjing Massacre Memorial Day; I hope our compatriots remember the family and national grievances, for however thin the spear, with the red tassel in hand one can still point the way with spirit. Let us "remember history and mourn the nation's wounds". Respectfully dedicated.






    Happy 19th birthday, PYG!
    OP | Posted on 2023-12-13 10:29:27
    This post was last edited by speedboy on 2023-12-13 10:31

    Screenshot after the successful crack:
    2023-12-13_102037.png
    Posted on 2023-12-13 10:50:29
    Looking forward to the master publishing an article on cracking the latest version of HitPaw
    Posted on 2023-12-13 11:01:49
    Learning, learning, thanks
    Posted on 2023-12-13 11:45:51
    Big brother strikes again
    Posted on 2023-12-13 11:57:04
    Learned something, thanks for sharing! Looking forward to more software analysis tutorials!!!
    Posted on 2023-12-13 12:03:17
    Way too advanced, I bow to the expert.
    Posted on 2023-12-13 19:23:34
    Followed big brother's tutorial and it worked
    11.png