某截图软件爆破教程
原谅我不说那个软件名字……说了恐怕会被很快和谐掉软件是,功能很好
现在软件更新到8.4.7了,昨天截图的时候才看到,正想PJ了分享结果被老妈轰走了……
软件有一个很神异的类似于暗桩一样的东西,爆破之后不能点击Help项下的About项,否则会直接挂
软件为英文版,无汉化,勿喷!
下面开始教程
首先去官网下载原版软件,地址http://www.hyperionics.com/hsdx/downloads.asp,64下64位,32下32位,下载完成后安装,打开会直接提示,退出软件(从任务栏右侧中右键图标退出,不是直接关闭软件)
第二步,OD打开
第三步,转到00401000
最关键的一步,也是逆向的关键{:6_225:}我说了啊,别打我
Ctrl+B,HEX输入8BC38B4DF464890D00000000595F5E5B8BE55DC21000{:6_209:}
搜到的语句改成mov eax,1即可,保存{:6_209:}好了PJ完成
是不是很想打我{:6_209:}
这个方法如果没猜错的话适用于8.x.x版本,也就是说8版本全部适用,当然这是大家不太张扬的情况下,不然……我也不知道这方法能活多久{:6_224:}
本帖最后由 月光下の魔术师 于 2015-3-7 12:09 编辑
那么这个方法原理是什么呢
软件打开直接提示未注册,那么软件要么是读注册表判断注册,要么是读文件判断注册
有了思路就好办了,OD载入,Ctrl+N,果然找到了几个有关函数,右键——在每个调用处设置断点,看着四个函数,其实断点也不是非常多,慢慢判断就好了
F9运行,断在RegOpenKeyExW上,看一下堆栈
0012F418 80000002|hKey = HKEY_LOCAL_MACHINE
0012F41C 001C1C30|Subkey = "SOFTWARE\Hyperionics\HyperSnap 8"
0012F420 00000000|Reserved = 0x0
0012F424 00020019|Access = KEY_READ
0012F428 0012F438\pHandle = 0012F438
注意hKey = HKEY_LOCAL_MACHINE
理论来说软件不应该在LocalMachine里写这东西,但是也不排除这种可能性,这个先注释一下标成可疑地址
继续F9,中断后堆栈0012DF48 80000000|hKey = HKEY_CLASSES_ROOT
0012DF4C 0066DE18|Subkey = "Applications\HprSnap8.exe\shell\open\command"
0012DF50 00000000|Reserved = 0x0
0012DF54 00020019|Access = KEY_READ
0012DF58 0012DF68\pHandle = 0012DF68
这个一看直接跳过,取消断点防止以后浪费调试时间
再次F9,中断
0012E1EC 80000001|hKey = HKEY_CURRENT_USER
0012E1F0 0012E320|Subkey = "Identities\{492EB3C4-CA39-31BF-B518-527AD6AE017B}"
0012E1F4 00000000|Reserved = 0x0
0012E1F8 00020019|Access = KEY_READ
0012E1FC 0012E20C\pHandle = 0012E20C
取消断点不解释
0012E210 80000000|hKey = HKEY_CLASSES_ROOT
0012E214 0012E280|Subkey = "CLSID\{492EB3C4-C9A3-1B3F-B185-D6A527AE017B}\VERSION"
0012E218 00000000|Reserved = 0x0
0012E21C 00020019|Access = KEY_READ
0012E220 0012E22C\pHandle = 0012E22C
取消,理由同上
0012E05C 80000001|hKey = HKEY_CURRENT_USER
0012E060 00681CD0|Subkey = "Control Panel\Cursors"
0012E064 00000000|Reserved = 0x0
0012E068 00020019|Access = KEY_READ
0012E06C 0012E078\pHandle = 0012E078
同上
0012E308 80000001|hKey = HKEY_CURRENT_USER
0012E30C 0066E540|Subkey = "Control Panel\International"
0012E310 00000000|Reserved = 0x0
0012E314 00020019|Access = KEY_READ
0012E318 0012E344\pHandle = 0012E344
同上
0012D8D8 80000001|hKey = HKEY_CURRENT_USER
0012D8DC 001C22F0|Subkey = "Software\Hyperionics\HyperSnap 8"
0012D8E0 00000000|Reserved = 0x0
0012D8E4 00020019|Access = KEY_READ
0012D8E8 0012D900\pHandle = 0012D900
这个很可疑啊,hKey = HKEY_CURRENT_USER,Subkey = "Software\Hyperionics\HyperSnap 8",我们也列为可疑地址,记下它的地址:00530CBA
0012D8D8 80000001|hKey = HKEY_CURRENT_USER
0012D8DC 003322F0|Subkey = "Software\Hyperionics\HyperSnap 8"
0012D8E0 00000000|Reserved = 0x0
0012D8E4 00020019|Access = KEY_READ
0012D8E8 0012D900\pHandle = 0012D900
再次中断后不仅地址一致,就连堆栈也一样,该处调用嫌疑瞬间暴涨
0012D8D8 80000001|hKey = HKEY_CURRENT_USER
0012D8DC 003322F0|Subkey = "Software\Hyperionics\HyperSnap 7"
0012D8E0 00000000|Reserved = 0x0
0012D8E4 00020019|Access = KEY_READ
0012D8E8 0012D900\pHandle = 0012D900
还是熟悉的地址,还是熟悉的堆栈,只是Subkey不同,嫌疑再次暴涨
0012D8D8 80000001|hKey = HKEY_CURRENT_USER
0012D8DC 001E22F0|Subkey = "Software\Hyperionics\HyperSnap 7"
0012D8E0 00000000|Reserved = 0x0
0012D8E4 00020019|Access = KEY_READ
0012D8E8 0012D900\pHandle = 0012D900
又来一次,调用地址一样,全部都是00530CBA;堆栈也几乎相同,再加上这时候未注册的提示框还未跳出,这处地址显得非常的……诡异
再次F9,程序运行,未注册出现。
显然00530CBA是重中之重
重载程序,将未标注的断点全部删除(强迫症……)
下面来着重分析这两个地址,究竟是第一个HKEY_LOCAL_MACHINE的调用是判断,还是HKEY_CURRENT_USER的4个调用时判断?
注:下面就是我凭直觉走(就是乱猜)的部分了,分析不一定对(应该是一定不对),错误之处望指出,希望可以共同进步!
运行,断在第一个断点单步到0052C3C3|.FF15 08806600 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExW
这里是取一个表项的值,到目前为止还没发现有什么异常,再次F8
EAX=2,查阅后发现这个含义是表项不存在
然后就是关闭句柄,也成功了,EAX=0,含义为ERROR_SUCCESS
单步到返回,函数返回值为1
出来之后……{:6_199:}wc这是要我老命的节奏?还!能!愉!快!的!玩!耍!么!于是……我选择了一种非常蛋疼的方法:直接看函数猜这是要干啥
0052D495|.FF15 2C9A6600 call near dword ptr ds:[<&KERNEL32.Creat>; \CreateFileW看下堆栈
0012F438 002AF6B8|FileName = "E:\HyperSnap 8\" //这是软件的安装目录
0012F43C 80000000|Access = GENERIC_READ //允许对设备进行读访问
0012F440 00000003|ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE //共享模式为读和写
0012F444 00000000|pSecurity = NULL //文件安全特性的指针,为空
0012F448 00000003|Mode = OPEN_EXISTING //文件必须存在
0012F44C 02000000|Attributes = BACKUP_SEMANTICS //允许改变属性
0012F450 00000000\hTemplateFile = NULL //用来复制文件句柄的,为空就不看了
本着乱猜胡诌的原则,我猜这玩意是读取安装目录下的啥文件——这和注册表有啥关系?
0052D4AE|.FF15 1C9A6600 call near dword ptr ds:[<&KERNEL32.GetFi>; \GetFileTime 取文件事件信息
0012F444 000000C0|hFile = 000000C0 (window)
0012F448 0012F47C|pCreationTime = 0012F47C
0012F44C 00000000|pLastAccess = NULL
0012F450 00000000\pLastWrite = NULL
看到这个我立马想到了易语言的一个子程序 取启动时间 ()先是读注册表,然后是打开了个啥文件,然后又取了系统的启动时间——这是要干啥?
剩下的我就不一一截图分析了,取了系统启动到目前为止的事件后又取了一个环境变量,然后又搜索了一个字符串,然后又设置了一个环境变量——小弟不学无术才疏学浅实在不懂这是要干啥,望大牛分析{:6_209:}
事实上我第一次看这个的时候看到这里我心基本凉完了——看都看不懂还破个毛线……
最后返回值是个很怪异的值,再往后走了两个函数,返回值都没啥引人注意的地方,再加上后面那个“极度可疑”的00530CBA,所以我果断放弃了这个地址……
然后F9运行到之前所说的那个“极度可疑”的地址:00530CBA|.FF15 04806600 call near dword ptr ds:[<&ADVAPI32.RegOp>; |\可疑地址2
下面是代码
00530C00/.55 push ebp
00530C01|.8BEC mov ebp,esp
00530C03|.6A FF push -0x1
00530C05|.68 BB216600 push HprSnap8.006621BB
00530C0A|.64:A1 0000000>mov eax,dword ptr fs:
00530C10|.50 push eax
00530C11|.83EC 0C sub esp,0xC
00530C14|.53 push ebx
00530C15|.56 push esi
00530C16|.57 push edi
00530C17|.A1 38D57300 mov eax,dword ptr ds:
00530C1C|.33C5 xor eax,ebp
00530C1E|.50 push eax
00530C1F|.8D45 F4 lea eax,dword ptr ss:
00530C22|.64:A3 0000000>mov dword ptr fs:,eax
00530C28|.8B7D 10 mov edi,dword ptr ss:
00530C2B|.8D4D 10 lea ecx,dword ptr ss:
00530C2E|.33F6 xor esi,esi
00530C30|.C745 FC 00000>mov dword ptr ss:,0x0
00530C37|.8975 EC mov dword ptr ss:,esi
00530C3A|.8937 mov dword ptr ds:,esi
00530C3C|.FF15 B4B16600 call near dword ptr ds:[<&mfc120u.#296>] ;mfc120u.#316
00530C42|.68 78690000 push 0x6978
00530C47|.8D4D 10 lea ecx,dword ptr ss:
00530C4A|.C645 FC 01 mov byte ptr ss:,0x1
00530C4E|.FF15 E0AE6600 call near dword ptr ds:[<&mfc120u.#8346>>;mfc120u.#8346
00530C54|.8D4D 10 lea ecx,dword ptr ss:
00530C57|.FF15 98B16600 call near dword ptr ds:[<&mfc120u.#5824>>;mfc120u.#5825
00530C5D|.50 push eax
00530C5E|.68 2C4B6800 push HprSnap8.00684B2C ;ASCII "EN"
00530C63|.8D4D F0 lea ecx,dword ptr ss:
00530C66|.FF15 00AD6600 call near dword ptr ds:[<&mfc120u.#293>] ;mfc120u.#293
00530C6C|.8D4D F0 lea ecx,dword ptr ss:
00530C6F|.C645 FC 02 mov byte ptr ss:,0x2
00530C73|.FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>;mfc120u.#6864
00530C79|.50 push eax
00530C7A|.8D4D 10 lea ecx,dword ptr ss:
00530C7D|.FF15 94B16600 call near dword ptr ds:[<&mfc120u.#2948>>;mfc120u.#2948
00530C83|.85C0 test eax,eax
00530C85|.C645 FC 01 mov byte ptr ss:,0x1
00530C89|.8D4D F0 lea ecx,dword ptr ss:
00530C8C|.0F94C3 sete bl
00530C8F|.FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00530C95|.84DB test bl,bl
00530C97|.74 09 je short HprSnap8.00530CA2
00530C99|.8D4D 10 lea ecx,dword ptr ss:
00530C9C|.FF15 E4AE6600 call near dword ptr ds:[<&mfc120u.#4280>>;mfc120u.#4280
00530CA2|>8D45 EC lea eax,dword ptr ss:
00530CA5|.50 push eax
00530CA6|.68 19000200 push 0x20019
00530CAB|.6A 00 push 0x0
00530CAD|.8D4D 0C lea ecx,dword ptr ss:
00530CB0|.FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>;mfc120u.#6864
00530CB6|.50 push eax ; ||Subkey
00530CB7|.FF75 08 push dword ptr ss: ; ||hKey
00530CBA|.FF15 04806600 call near dword ptr ds:[<&ADVAPI32.RegOp>; |\可疑地址2
00530CC0|.85C0 test eax,eax ; |
00530CC2|.0F85 8D000000 jnz HprSnap8.00530D55 ; |
00530CC8|.68 00100000 push 0x1000 ; |/size = 1000 (4096.)
00530CCD|.FF15 E89D6600 call near dword ptr ds:[<&MSVCR120.mallo>; |\malloc
00530CD3|.8BF0 mov esi,eax ; |
00530CD5|.C745 F0 00100>mov dword ptr ss:,0x1000 ; |
00530CDC|.8D45 10 lea eax,dword ptr ss: ; |
00530CDF|.50 push eax ; |Arg3
00530CE0|.8D45 E8 lea eax,dword ptr ss: ; |
00530CE3|.68 304B6800 push HprSnap8.00684B30 ; |Arg2 = 00684B30
00530CE8|.50 push eax ; |Arg1
00530CE9|.E8 72AEF3FF call HprSnap8.0046BB60 ; \HprSnap8.0046BB60
00530CEE|.83C4 10 add esp,0x10
00530CF1|.8D4D F0 lea ecx,dword ptr ss:
00530CF4|.51 push ecx
00530CF5|.56 push esi
00530CF6|.6A 00 push 0x0
00530CF8|.6A 00 push 0x0
00530CFA|.8BC8 mov ecx,eax
00530CFC|.FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>;mfc120u.#6864
00530D02|.50 push eax ; |ValueName
00530D03|.FF75 EC push dword ptr ss: ; |hKey
00530D06|.FF15 08806600 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExW
00530D0C|.85C0 test eax,eax
00530D0E|.8D4D E8 lea ecx,dword ptr ss:
00530D11|.0F94C3 sete bl
00530D14|.FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00530D1A|.84DB test bl,bl
00530D1C|.74 07 je short HprSnap8.00530D25
00530D1E|.8B45 F0 mov eax,dword ptr ss:
00530D21|.8907 mov dword ptr ds:,eax
00530D23|.EB 21 jmp short HprSnap8.00530D46
00530D25|>8D45 F0 lea eax,dword ptr ss:
00530D28|.50 push eax ; /pBufSize
00530D29|.56 push esi ; |Buffer
00530D2A|.6A 00 push 0x0 ; |pValueType = NULL
00530D2C|.6A 00 push 0x0 ; |Reserved = NULL
00530D2E|.68 304B6800 push HprSnap8.00684B30 ; |ValueName = "Key"
00530D33|.FF75 EC push dword ptr ss: ; |hKey
00530D36|.FF15 08806600 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExW
00530D3C|.33C9 xor ecx,ecx
00530D3E|.85C0 test eax,eax
00530D40|.0F444D F0 cmove ecx,dword ptr ss:
00530D44|.890F mov dword ptr ds:,ecx
00530D46|>8B07 mov eax,dword ptr ds:
00530D48|.C60406 00 mov byte ptr ds:,0x0
00530D4C|.FF75 EC push dword ptr ss: ; /hKey
00530D4F|.FF15 3C806600 call near dword ptr ds:[<&ADVAPI32.RegCl>; \RegCloseKey
00530D55|>8D4D 10 lea ecx,dword ptr ss:
00530D58|.FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00530D5E|.8D4D 0C lea ecx,dword ptr ss:
00530D61|.FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00530D67|.8BC6 mov eax,esi
00530D69|.8B4D F4 mov ecx,dword ptr ss:
00530D6C|.64:890D 00000>mov dword ptr fs:,ecx
00530D73|.59 pop ecx
00530D74|.5F pop edi
00530D75|.5E pop esi
00530D76|.5B pop ebx
00530D77|.8BE5 mov esp,ebp
00530D79|.5D pop ebp
00530D7A\.C3 retn
这个是可疑的call所在的函数,走到00530D7A后单步走出该函数,来到下面这个函数:00531010 [ DISCUZ_CODE_11 ]nbsp; 55 push ebp
00531011 .8BEC mov ebp,esp
00531013 .6A FF push -0x1
00531015 .68 83226600 push HprSnap8.00662283
0053101A .64:A1 0000000>mov eax,dword ptr fs:
00531020 .50 push eax
00531021 .83EC 28 sub esp,0x28
00531024 .53 push ebx
00531025 .56 push esi
00531026 .57 push edi
00531027 .A1 38D57300 mov eax,dword ptr ds:
0053102C .33C5 xor eax,ebp
0053102E .50 push eax
0053102F .8D45 F4 lea eax,dword ptr ss:
00531032 .64:A3 0000000>mov dword ptr fs:,eax
00531038 .8BF9 mov edi,ecx
0053103A .897D E0 mov dword ptr ss:,edi
0053103D .C745 F0 00000>mov dword ptr ss:,0x0
00531044 .33F6 xor esi,esi
00531046 .33DB xor ebx,ebx
00531048 .E8 533EF6FF call HprSnap8.00494EA0
0053104D .395D 08 cmp dword ptr ss:,ebx
00531050 .0F85 33010000 jnz HprSnap8.00531189
00531056 .68 38F46600 push HprSnap8.0066F438 ;UNICODE "\"
0053105B .8D4D EC lea ecx,dword ptr ss:
0053105E .FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ;mfc120u.#290
00531064 .68 204B6800 push HprSnap8.00684B20 ;ASCII "Software\"
00531069 .8D4D E8 lea ecx,dword ptr ss:
0053106C .895D FC mov dword ptr ss:,ebx
0053106F .FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ;mfc120u.#290
00531075 .8D87 84000000 lea eax,dword ptr ds:
0053107B .C645 FC 01 mov byte ptr ss:,0x1
0053107F .50 push eax
00531080 .8D45 E8 lea eax,dword ptr ss:
00531083 .50 push eax
00531084 .8D45 D4 lea eax,dword ptr ss:
00531087 .50 push eax
00531088 .E8 33AAF3FF call HprSnap8.0046BAC0
0053108D .8D4D EC lea ecx,dword ptr ss:
00531090 .C645 FC 02 mov byte ptr ss:,0x2
00531094 .51 push ecx
00531095 .50 push eax
00531096 .8D45 D8 lea eax,dword ptr ss:
00531099 .50 push eax
0053109A .E8 21AAF3FF call HprSnap8.0046BAC0
0053109F .8BC8 mov ecx,eax ; |
005310A1 .8D47 2C lea eax,dword ptr ds: ; |
005310A4 .C645 FC 03 mov byte ptr ss:,0x3 ; |
005310A8 .50 push eax ; |Arg3
005310A9 .51 push ecx ; |Arg2
005310AA .8D45 E4 lea eax,dword ptr ss: ; |
005310AD .50 push eax ; |Arg1
005310AE .E8 0DAAF3FF call HprSnap8.0046BAC0 ; \HprSnap8.0046BAC0
005310B3 .83C4 24 add esp,0x24
005310B6 .8D4D D8 lea ecx,dword ptr ss:
005310B9 .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
005310BF .8D4D D4 lea ecx,dword ptr ss:
005310C2 .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
005310C8 .8D4D E8 lea ecx,dword ptr ss:
005310CB .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
005310D1 .8D4D EC lea ecx,dword ptr ss:
005310D4 .C645 FC 08 mov byte ptr ss:,0x8
005310D8 .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
005310DE .8D45 F0 lea eax,dword ptr ss:
005310E1 .50 push eax
005310E2 .51 push ecx
005310E3 .8D45 E4 lea eax,dword ptr ss:
005310E6 .8BCC mov ecx,esp
005310E8 .50 push eax
005310E9 .FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ;mfc120u.#280
005310EF .68 01000080 push 0x80000001 ; |Arg1 = 80000001
005310F4 .E8 07FBFFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
005310F9 .8BF0 mov esi,eax
005310FB .83C4 0C add esp,0xC
005310FE .8B45 F0 mov eax,dword ptr ss:
00531101 .83F8 05 cmp eax,0x5
00531104 .7E 16 jle short HprSnap8.0053111C
00531106 .FF75 10 push dword ptr ss:
00531109 .8BCF mov ecx,edi
0053110B .53 push ebx
0053110C .FF75 0C push dword ptr ss:
0053110F .50 push eax
00531110 .56 push esi
00531111 .E8 4A030000 call HprSnap8.00531460
00531116 .8BD8 mov ebx,eax
00531118 .85DB test ebx,ebx
0053111A .75 55 jnz short HprSnap8.00531171
0053111C >56 push esi ; /block
0053111D .FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
00531123 .83C4 04 add esp,0x4
00531126 .8D45 F0 lea eax,dword ptr ss:
00531129 .50 push eax
0053112A .51 push ecx
0053112B .8D45 E4 lea eax,dword ptr ss:
0053112E .8BCC mov ecx,esp
00531130 .50 push eax
00531131 .FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ;mfc120u.#280
00531137 .68 01000080 push 0x80000001 ; |Arg1 = 80000001
0053113C .E8 BFFAFFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
00531141 .8BF0 mov esi,eax
00531143 .83C4 0C add esp,0xC
00531146 .8B45 F0 mov eax,dword ptr ss:
00531149 .83F8 05 cmp eax,0x5
0053114C .7E 17 jle short HprSnap8.00531165
0053114E .FF75 10 push dword ptr ss:
00531151 .8BCF mov ecx,edi
00531153 .6A 00 push 0x0
00531155 .FF75 0C push dword ptr ss:
00531158 .50 push eax
00531159 .56 push esi
0053115A .E8 01030000 call HprSnap8.00531460
0053115F .8BD8 mov ebx,eax
00531161 .85DB test ebx,ebx
00531163 .75 0C jnz short HprSnap8.00531171
00531165 >56 push esi ; /block
00531166 .FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
0053116C .83C4 04 add esp,0x4
0053116F .33F6 xor esi,esi
00531171 >8D4D E4 lea ecx,dword ptr ss:
00531174 .C745 FC FFFFF>mov dword ptr ss:,-0x1
0053117B .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00531181 .85DB test ebx,ebx
00531183 .0F85 AC020000 jnz HprSnap8.00531435
00531189 >8D4D EC lea ecx,dword ptr ss:
0053118C .FF15 B4B16600 call near dword ptr ds:[<&mfc120u.#296>] ;mfc120u.#316
00531192 .8B45 08 mov eax,dword ptr ss:
00531195 .8D4D EC lea ecx,dword ptr ss:
00531198 .C745 FC 09000>mov dword ptr ss:,0x9
0053119F .85C0 test eax,eax
005311A1 .74 09 je short HprSnap8.005311AC
005311A3 .50 push eax
005311A4 .FF15 A0B16600 call near dword ptr ds:[<&mfc120u.#1520>>;mfc120u.#1520
005311AA .EB 0D jmp short HprSnap8.005311B9
005311AC >8D87 AC000000 lea eax,dword ptr ds:
005311B2 .50 push eax
005311B3 .FF15 A4B16600 call near dword ptr ds:[<&mfc120u.#1518>>;mfc120u.#1518
005311B9 >68 48096700 push HprSnap8.00670948 ;UNICODE "rb"
005311BE .8D4D EC lea ecx,dword ptr ss:
005311C1 .FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>;mfc120u.#6864
005311C7 .50 push eax ; |path
005311C8 .FF15 FC9D6600 call near dword ptr ds:[<&MSVCR120._wfop>; \_wfopen
005311CE .83C4 08 add esp,0x8
005311D1 .8945 E8 mov dword ptr ss:,eax
005311D4 .85C0 test eax,eax
005311D6 .75 38 jnz short HprSnap8.00531210
005311D8 .3945 08 cmp dword ptr ss:,eax
005311DB .0F85 A7000000 jnz HprSnap8.00531288
005311E1 .8D87 B0000000 lea eax,dword ptr ds:
005311E7 .50 push eax
005311E8 .8D4D EC lea ecx,dword ptr ss:
005311EB .FF15 A4B16600 call near dword ptr ds:[<&mfc120u.#1518>>;mfc120u.#1518
005311F1 .68 48096700 push HprSnap8.00670948 ;UNICODE "rb"
005311F6 .8D4D EC lea ecx,dword ptr ss:
005311F9 .FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>;mfc120u.#6864
005311FF .50 push eax ; |path
00531200 .FF15 FC9D6600 call near dword ptr ds:[<&MSVCR120._wfop>; \_wfopen
00531206 .83C4 08 add esp,0x8
00531209 .8945 E8 mov dword ptr ss:,eax
0053120C .85C0 test eax,eax
0053120E .74 78 je short HprSnap8.00531288
00531210 >8B3D A49D6600 mov edi,dword ptr ds:[<&MSVCR120.fseek>] ;msvcr120.fseek
00531216 .6A 02 push 0x2 ; /whence = SEEK_END
00531218 .6A 00 push 0x0 ; |offset = 0x0
0053121A .50 push eax ; |stream
0053121B .FFD7 call near edi ; \fseek
0053121D .FF75 E8 push dword ptr ss: ; /stream
00531220 .FF15 A09D6600 call near dword ptr ds:[<&MSVCR120.ftell>; \ftell
00531226 .6A 00 push 0x0
00531228 .6A 00 push 0x0
0053122A .FF75 E8 push dword ptr ss:
0053122D .8945 F0 mov dword ptr ss:,eax
00531230 .FFD7 call near edi
00531232 .83C4 1C add esp,0x1C
00531235 .85F6 test esi,esi
00531237 .75 10 jnz short HprSnap8.00531249
00531239 .8B45 F0 mov eax,dword ptr ss:
0053123C .40 inc eax
0053123D .50 push eax ; /size
0053123E .FF15 E89D6600 call near dword ptr ds:[<&MSVCR120.mallo>; \malloc
00531244 .83C4 04 add esp,0x4
00531247 .8BF0 mov esi,eax
00531249 >8B7D E8 mov edi,dword ptr ss:
0053124C .57 push edi ; /stream
0053124D .FF75 F0 push dword ptr ss: ; |n
00531250 .6A 01 push 0x1 ; |size = 0x1
00531252 .56 push esi ; |ptr
00531253 .FF15 A89D6600 call near dword ptr ds:[<&MSVCR120.fread>; \fread
00531259 .8B45 F0 mov eax,dword ptr ss:
0053125C .57 push edi ; /stream
0053125D .C60406 00 mov byte ptr ds:,0x0 ; |
00531261 .FF15 F89D6600 call near dword ptr ds:[<&MSVCR120.fclos>; \fclose
00531267 .8B45 F0 mov eax,dword ptr ss:
0053126A .83C4 14 add esp,0x14
0053126D .8B7D E0 mov edi,dword ptr ss:
00531270 .83F8 05 cmp eax,0x5
00531273 .7E 13 jle short HprSnap8.00531288
00531275 .FF75 10 push dword ptr ss:
00531278 .8BCF mov ecx,edi
0053127A .6A 00 push 0x0
0053127C .FF75 0C push dword ptr ss:
0053127F .50 push eax
00531280 .56 push esi
00531281 .E8 DA010000 call HprSnap8.00531460
00531286 .8BD8 mov ebx,eax
00531288 >8D4D EC lea ecx,dword ptr ss:
0053128B .C745 FC FFFFF>mov dword ptr ss:,-0x1
00531292 .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00531298 .85DB test ebx,ebx
0053129A .0F85 95010000 jnz HprSnap8.00531435
005312A0 .56 push esi ; /block
005312A1 .FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
005312A7 .83C4 04 add esp,0x4
005312AA .8D47 5C lea eax,dword ptr ds:
005312AD .33F6 xor esi,esi
005312AF .8945 0C mov dword ptr ss:,eax
005312B2 .8975 E8 mov dword ptr ss:,esi
005312B5 .EB 09 jmp short HprSnap8.005312C0
005312B7 .8DA424 000000>lea esp,dword ptr ss:
005312BE .8BFF mov edi,edi
005312C0 >68 B4C86D00 push HprSnap8.006DC8B4
005312C5 .8D48 D8 lea ecx,dword ptr ds:
005312C8 .FF15 A8A46600 call near dword ptr ds:[<&mfc120u.#2949>>;mfc120u.#2949
005312CE .85C0 test eax,eax
005312D0 .0F8E 5F010000 jle HprSnap8.00531435
005312D6 .68 38F46600 push HprSnap8.0066F438 ;UNICODE "\"
005312DB .8D4D DC lea ecx,dword ptr ss:
005312DE .FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ;mfc120u.#290
005312E4 .68 204B6800 push HprSnap8.00684B20 ;ASCII "Software\"
005312E9 .8D4D E0 lea ecx,dword ptr ss:
005312EC .C745 FC 0A000>mov dword ptr ss:,0xA
005312F3 .FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ;mfc120u.#290
005312F9 .8D87 84000000 lea eax,dword ptr ds:
005312FF .C645 FC 0B mov byte ptr ss:,0xB
00531303 .50 push eax
00531304 .8D45 E0 lea eax,dword ptr ss:
00531307 .50 push eax
00531308 .8D45 CC lea eax,dword ptr ss:
0053130B .50 push eax
0053130C .E8 AFA7F3FF call HprSnap8.0046BAC0
00531311 .8D4D DC lea ecx,dword ptr ss:
00531314 .C645 FC 0C mov byte ptr ss:,0xC
00531318 .51 push ecx
00531319 .50 push eax
0053131A .8D45 D0 lea eax,dword ptr ss:
0053131D .50 push eax
0053131E .E8 9DA7F3FF call HprSnap8.0046BAC0
00531323 .FF75 0C push dword ptr ss: ; |Arg3
00531326 .C645 FC 0D mov byte ptr ss:,0xD ; |
0053132A .50 push eax ; |Arg2
0053132B .8D45 08 lea eax,dword ptr ss: ; |
0053132E .50 push eax ; |Arg1
0053132F .E8 8CA7F3FF call HprSnap8.0046BAC0 ; \HprSnap8.0046BAC0
00531334 .83C4 24 add esp,0x24
00531337 .8D4D D0 lea ecx,dword ptr ss:
0053133A .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00531340 .8D4D CC lea ecx,dword ptr ss:
00531343 .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00531349 .8D4D E0 lea ecx,dword ptr ss:
0053134C .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00531352 .8D4D DC lea ecx,dword ptr ss:
00531355 .C645 FC 12 mov byte ptr ss:,0x12
00531359 .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
0053135F .8D45 F0 lea eax,dword ptr ss:
00531362 .50 push eax
00531363 .51 push ecx
00531364 .8D45 08 lea eax,dword ptr ss:
00531367 .8BCC mov ecx,esp
00531369 .50 push eax
0053136A .FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ;mfc120u.#280
00531370 .68 01000080 push 0x80000001 ; |Arg1 = 80000001
00531375 .E8 86F8FFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
0053137A .8BF0 mov esi,eax
0053137C .83C4 0C add esp,0xC
0053137F .8B45 F0 mov eax,dword ptr ss:
00531382 .83F8 05 cmp eax,0x5
00531385 .7E 1A jle short HprSnap8.005313A1
00531387 .FF75 10 push dword ptr ss:
0053138A .8BCF mov ecx,edi
0053138C .6A 00 push 0x0
0053138E .6A 01 push 0x1
00531390 .50 push eax
00531391 .56 push esi
00531392 .E8 C9000000 call HprSnap8.00531460
00531397 .8BD8 mov ebx,eax
00531399 .85DB test ebx,ebx
0053139B .0F85 8B000000 jnz HprSnap8.0053142C
005313A1 >56 push esi ; /block
005313A2 .FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
005313A8 .83C4 04 add esp,0x4
005313AB .8D45 F0 lea eax,dword ptr ss:
005313AE .50 push eax
005313AF .51 push ecx
005313B0 .8D45 08 lea eax,dword ptr ss:
005313B3 .8BCC mov ecx,esp
005313B5 .50 push eax
005313B6 .FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ;mfc120u.#280
005313BC .68 01000080 push 0x80000001 ; |Arg1 = 80000001
005313C1 .E8 3AF8FFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
005313C6 .8B4D F0 mov ecx,dword ptr ss:
005313C9 .83C4 0C add esp,0xC
005313CC .8BF0 mov esi,eax
005313CE .83F9 05 cmp ecx,0x5
005313D1 .7E 22 jle short HprSnap8.005313F5
005313D3 .33C0 xor eax,eax
005313D5 .3905 70207300 cmp dword ptr ds:,eax
005313DB .0F94C0 sete al
005313DE .0B45 10 or eax,dword ptr ss:
005313E1 .50 push eax
005313E2 .6A 00 push 0x0
005313E4 .6A 01 push 0x1
005313E6 .51 push ecx
005313E7 .56 push esi
005313E8 .8BCF mov ecx,edi
005313EA .E8 71000000 call HprSnap8.00531460
005313EF .8BD8 mov ebx,eax
005313F1 .85DB test ebx,ebx
005313F3 .75 37 jnz short HprSnap8.0053142C
005313F5 >56 push esi ; /block
005313F6 .FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
005313FC .83C4 04 add esp,0x4
005313FF .C745 FC FFFFF>mov dword ptr ss:,-0x1
00531406 .8D4D 08 lea ecx,dword ptr ss:
00531409 .33F6 xor esi,esi
0053140B .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00531411 .8B4D E8 mov ecx,dword ptr ss:
00531414 .8B45 0C mov eax,dword ptr ss:
00531417 .41 inc ecx
00531418 .83C0 04 add eax,0x4
0053141B .894D E8 mov dword ptr ss:,ecx
0053141E .8945 0C mov dword ptr ss:,eax
00531421 .83F9 0A cmp ecx,0xA
00531424 .^ 0F8C 96FEFFFF jl HprSnap8.005312C0
0053142A .EB 09 jmp short HprSnap8.00531435
0053142C >8D4D 08 lea ecx,dword ptr ss:
0053142F .FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>;mfc120u.#1501
00531435 >8B45 14 mov eax,dword ptr ss:
00531438 .85C0 test eax,eax
0053143A .74 04 je short HprSnap8.00531440
0053143C .8930 mov dword ptr ds:,esi
0053143E .EB 0A jmp short HprSnap8.0053144A
00531440 >56 push esi ; /block
00531441 .FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
00531447 .83C4 04 add esp,0x4
0053144A >8BC3 mov eax,ebx
0053144C .8B4D F4 mov ecx,dword ptr ss:
0053144F .64:890D 00000>mov dword ptr fs:,ecx
00531456 .59 pop ecx
00531457 .5F pop edi
00531458 .5E pop esi
00531459 .5B pop ebx
0053145A .8BE5 mov esp,ebp
0053145C .5D pop ebp
0053145D .C2 1000 retn 0x10
从中可以非常清晰的看出这个函数调用了四次00530C00(也就是包含可疑地址2的函数),执行这个函数完之后未注册窗口出现,这意味着什么不言而喻,再看一下返回值:EAX=0,显然这个函数就是我们苦苦寻找的关键函数!
最后一次对eax的赋值是在0053144A处,等等,还记得之前我给大家的特征码吗?8BC38B4DF464890D00000000595F5E5B8BE55DC21000,没错,就是0053144C的代码!
然后就好办了,将0053144A的代码修改为mov eax,1即可。
@逍遥绝尘 更新完成
附上逆向后成果可以看见已经没有水印了
楼主说明一下输入这个8BC38B4DF464890D00000000595F5E5B8BE55DC21000的意思!不详细啊!
Chrome你妹{:6_224:}不小心点了一个快捷方式然后我所有图片都……没了……我!@#¥%…………
卧槽撸主好流弊啊{:6_201:}
闪耀 发表于 2015-3-7 11:01
卧槽撸主好流弊啊
大牛别讽刺我了……{:5_118:}知道自己渣
楼主好流弊啊,膜拜
我初三都只会耍朋友,都没这么流弊。。
闪耀 发表于 2015-3-7 11:01
卧槽撸主好流弊啊
大神是怎么用点评的,为啥我没找到,特权?