Xshell 6.x expiry check: a quick analysis
Please download the software from the official site; do not download it from domestic knock-off sites. Official site: https://www.netsarang.com/zh/Xshell/
I installed it a while ago and used it a bit, and it expired. Today I needed to remote in and found it had expired. I found a keygen online, which also required editing the hosts file, and running the keygen in a sandbox crashed outright as soon as it computed the key ...
After getting home I thought I would debug it. Loaded it in x64dbg; a breakpoint on CreateWindowExW did nothing, so I just ran it after loading and used the pause trick to look at the call stack, which revealed the API behind the dialog box:
007A5C08 770CB8DB returns to user32.770CB8DB from user32.DialogBoxIndirectParamAorW
Scrolling further down, the dialog turns out to live in the module nslicense.dll, so let's look at that module's exported functions:
Set a breakpoint and run again; it breaks in the exported function NSLICENSE_CheckLicense:
01233B50 | 55 | push ebp | <NSLICENSE_CheckLicense>
...
01233D21 | E8 EA 0D 00 00 | call <nslicense.NSLICENSE_OpenRegistry> |
...
01233D93 | E8 78 0A 00 00 | call <nslicense.NSLICENSE_GetProductKey> |
...
01233DA5 | E8 A6 05 00 00 | call <nslicense.NSLICENSE_CloseRegistry> |
...
01233E67 | 8B BD 58 F2 FF FF | mov edi,dword ptr ss: |
01233E6D | 8D 45 DC | lea eax,dword ptr ss: |
01233E70 | 50 | push eax |
01233E71 | 57 | push edi |
01233E72 | E8 F9 08 00 00 | call <nslicense.NSLICENSE_GetMagicCode> |
01233E77 | 83 C4 08 | add esp,8 |
01233E7A | 85 C0 | test eax,eax |
01233E7C | 0F 84 9D 01 00 00 | je nslicense.123401F |
01233E82 | 8D 85 48 F2 FF FF | lea eax,dword ptr ss: |
01233E88 | 50 | push eax |
01233E89 | 8D 45 DC | lea eax,dword ptr ss: |
01233E8C | 50 | push eax |
01233E8D | E8 AE 0B 00 00 | call <nslicense.NSLICENSE_MagicCodeToDate> |
01233E92 | 83 C4 08 | add esp,8 |
01233E95 | 85 C0 | test eax,eax |
01233E97 | 0F 84 82 01 00 00 | je nslicense.123401F |
01233E9D | 8D 85 38 F2 FF FF | lea eax,dword ptr ss: |
01233EA3 | 50 | push eax |
01233EA4 | E8 B7 05 00 00 | call <nslicense.NSLICENSE_GetCurrentDate> |
01233EA9 | 8D 45 DC | lea eax,dword ptr ss: |
01233EAC | 50 | push eax |
01233EAD | 53 | push ebx | ebx:IsEnterprise
01233EAE | 57 | push edi |
01233EAF | 33 F6 | xor esi,esi | esi:"Sep 26 2019"
01233EB1 | E8 9A FA FF FF | call nslicense.1233950 |
01233EB6 | 83 C4 10 | add esp,10 |
01233EB9 | 85 C0 | test eax,eax |
01233EBB | 74 64 | je nslicense.1233F21 |
01233EBD | 8D 85 40 F2 FF FF | lea eax,dword ptr ss: |
01233EC3 | 50 | push eax |
01233EC4 | 8D 45 DC | lea eax,dword ptr ss: |
01233EC7 | 50 | push eax |
01233EC8 | E8 73 0B 00 00 | call <nslicense.NSLICENSE_MagicCodeToDate> |
01233ECD | 8B BD 40 F2 FF FF | mov edi,dword ptr ss: |
01233ED3 | 8B 8D 48 F2 FF FF | mov ecx,dword ptr ss: |
01233ED9 | 66 8B 95 44 F2 FF FF | mov dx,word ptr ss: |
01233EE0 | 83 C4 08 | add esp,8 |
01233EE3 | 66 3B F9 | cmp di,cx |
01233EE6 | 72 1C | jb nslicense.1233F04 | compare year
01233EE8 | 66 8B 85 42 F2 FF FF | mov ax,word ptr ss: |
01233EEF | 66 3B 85 4A F2 FF FF | cmp ax,word ptr ss: | A compare A
01233EF6 | 72 0C | jb nslicense.1233F04 |
01233EF8 | 66 8B 85 4C F2 FF FF | mov ax,word ptr ss: | 08
01233EFF | 66 3B D0 | cmp dx,ax |
01233F02 | 73 2A | jae nslicense.1233F2E |
01233F04 | BE 01 00 00 00 | mov esi,1 | esi:"Sep 26 2019"
01233F09 | 8B CF | mov ecx,edi |
01233F0B | 66 89 95 64 F2 FF FF | mov word ptr ss:,dx |
01233F12 | 89 BD 50 F2 FF FF | mov dword ptr ss:,edi |
01233F18 | 66 89 95 54 F2 FF FF | mov word ptr ss:,dx |
01233F1F | EB 21 | jmp nslicense.1233F42 |
01233F21 | 8B 8D 48 F2 FF FF | mov ecx,dword ptr ss: |
01233F27 | 66 8B 85 4C F2 FF FF | mov ax,word ptr ss: |
01233F2E | 66 89 85 54 F2 FF FF | mov word ptr ss:,ax |
01233F35 | 89 8D 50 F2 FF FF | mov dword ptr ss:,ecx |
01233F3B | 66 89 85 64 F2 FF FF | mov word ptr ss:,ax |
01233F42 | 89 8D 60 F2 FF FF | mov dword ptr ss:,ecx |
01233F48 | C1 E9 10 | shr ecx,10 |
01233F4B | 41 | inc ecx |
01233F4C | 66 89 8D 62 F2 FF FF | mov word ptr ss:,cx |
01233F53 | 66 83 F9 0C | cmp cx,C | month <= 12
01233F57 | 76 16 | jbe nslicense.1233F6F |
01233F59 | 66 FF 85 60 F2 FF FF | inc word ptr ss: |
01233F60 | B8 F4 FF 00 00 | mov eax,FFF4 |
01233F65 | 66 03 C8 | add cx,ax |
01233F68 | 66 89 8D 62 F2 FF FF | mov word ptr ss:,cx |
01233F6F | 8D 85 50 F2 FF FF | lea eax,dword ptr ss: |
01233F75 | 50 | push eax |
01233F76 | 8D 85 38 F2 FF FF | lea eax,dword ptr ss: |
01233F7C | 50 | push eax |
01233F7D | E8 EE 03 00 00 | call <nslicense.NSLICENSE_CompareDate> |
01233F82 | 83 C4 08 | add esp,8 |
01233F85 | 85 C0 | test eax,eax |
01233F87 | 78 65 | js nslicense.1233FEE |
01233F89 | 8D 85 60 F2 FF FF | lea eax,dword ptr ss: |
01233F8F | 50 | push eax |
01233F90 | 8D 85 38 F2 FF FF | lea eax,dword ptr ss: |
01233F96 | 50 | push eax |
01233F97 | E8 D4 03 00 00 | call <nslicense.NSLICENSE_CompareDate> |
01233F9C | 83 C4 08 | add esp,8 |
01233F9F | 85 C0 | test eax,eax |
01233FA1 | 7F 4B | jg nslicense.1233FEE | if this jump is taken, the expiry dialog pops up ...
01233FA3 | BF 01 00 00 00 | mov edi,1 |
01233FA8 | 8B B5 68 F2 FF FF | mov esi,dword ptr ss: |
01233FAE | FF B5 58 F2 FF FF | push dword ptr ss: |
01233FB4 | E8 97 03 00 00 | call <nslicense.NSLICENSE_CloseRegistry> |
...
10003FEA | 8B E5 | mov esp,ebp |
10003FEC | 5D | pop ebp |
10003FED | C3 | ret | function return; called __cdecl, the caller balances the stack
10003FEE | F7 DE | neg esi | the dialog logic follows below
10003FF0 | 1B F6 | sbb esi,esi |
...
The general idea seems to be: read the stored installation time, call GetCurrentDate to get today's date, compare them to see whether the license has expired, and if so pop up the dialog and block the program from running.
So I pulled out Baymax to verify the idea, choosing the exported function NSLICENSE_CheckLicense as the breakpoint address.
Set the function to return immediately (since the function only checks whether the license has expired, returning directly is enough). The function is called __cdecl and the caller balances the stack, so remember to set the stack adjustment to 4 here:
Baymax settings as shown:
Test OK! After patching, the program runs. Done ...
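To pin down what the compare chain and the month-wrap code above actually compute, here is an added C reconstruction of that listing (an analyst's reading, not code from nslicense.dll). It assumes the date is three 16-bit words (year, month, day) as the stack accesses suggest, and that NSLICENSE_CompareDate returns a signed strcmp-style result, which the js/jg branches imply; it also shows that the window is one month from the earlier of the two decoded dates, slightly more precise than "compare with the install time".

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed date layout inferred from the stack accesses: year, month, day as words. */
typedef struct { uint16_t year, month, day; } NsDate;

/* Mirrors the di/cx, ax, dx compare chain at 01233EE3..01233F02: year, then month,
   then day. Note there is no year-equality check before the month compare, exactly
   as in the listing; ties on the day compare fall through to the second date. */
NsDate earlier_date(NsDate a, NsDate b) {
    if (a.year < b.year) return a;
    if (a.month < b.month) return a;
    if (a.day >= b.day) return b;
    return a;
}

/* Mirrors 01233F48..01233F68: bump the month; if it exceeds 12, bump the year and
   add 0xFFF4, which is -12 in 16-bit arithmetic, so 13 wraps back to 1. */
NsDate add_one_month(NsDate d) {
    d.month = (uint16_t)(d.month + 1);
    if (d.month > 12) {
        d.year = (uint16_t)(d.year + 1);
        d.month = (uint16_t)(d.month + 0xFFF4u);
    }
    return d;
}

/* Stand-in for NSLICENSE_CompareDate (assumption): <0, 0 or >0 like strcmp. */
int compare_date(NsDate a, NsDate b) {
    if (a.year != b.year) return a.year < b.year ? -1 : 1;
    if (a.month != b.month) return a.month < b.month ? -1 : 1;
    if (a.day != b.day) return a.day < b.day ? -1 : 1;
    return 0;
}

/* The two CompareDate calls at 01233F7D and 01233F97: today must lie within
   [start, start + 1 month]; either failing compare leads to the expiry dialog. */
bool within_window(NsDate today, NsDate a, NsDate b) {
    NsDate start = earlier_date(a, b);
    NsDate end = add_one_month(start);
    if (compare_date(today, start) < 0) return false;  /* js  -> dialog */
    if (compare_date(today, end) > 0) return false;    /* jg  -> dialog */
    return true;
}
```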
Explained in great detail, thanks for sharing.
Damn, learned another trick; the Principal has that many tricks stashed away!
A hands-on tutorial on analysis plus using the patching tool.
Practical teaching from Baymax! {:victory:}
Thanks, bro, much appreciated.
Learned something. Simple and easy to understand.
Studying the Principal's analysis, but it is too advanced; I can only admire it.
Awesome. Grabbing the sofa to learn