HippoEdit1.47 爆破分析
未加壳,OD载入下:bpx CreateFileW 断点,F9运行,当堆栈中出现:
0012EA78 00F235F0|FileName = "F:\常用工具\HippoEDITen\license.dat"
0012EA7C 80000000|Access = GENERIC_READ
0012EA80 00000001|ShareMode = FILE_SHARE_READ
0012EA84 00000000|pSecurity = NULL
0012EA88 00000003|Mode = OPEN_EXISTING
0012EA8C 08000080|Attributes = NORMAL|SEQUENTIAL_SCAN
0012EA90 00000000\hTemplateFile = NULL
00431FBF|.6A 00 PUSH 0 ; /hTemplateFile = NULL
00431FC1|.68 80000008 PUSH 8000080 ; |Attributes = NORMAL|SEQUENTIAL_SCAN
00431FC6|.6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
00431FC8|.6A 00 PUSH 0 ; |pSecurity = NULL
00431FCA|.6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00431FCC|.68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
00431FD1|.50 PUSH EAX ; |FileName
00431FD2|.FF15 089B5000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileW
00431FD8|.8D4C24 18 LEA ECX,DWORD PTR SS:
00431FDC|.8BF8 MOV EDI,EAX
00431FDE|.FF15 70A65000 CALL DWORD PTR DS:[<&MFC80U.#577>] ;mfc80u.#578
00431FE4|.32DB XOR BL,BL
00431FE6|.83FF FF CMP EDI,-1
00431FE9|.0F84 DF000000 JE HippoEdi.004320CE
00431FEF|.6A 00 PUSH 0 ; /pOverlapped = NULL
00431FF1|.8D4C24 18 LEA ECX,DWORD PTR SS: ; |
00431FF5|.51 PUSH ECX ; |pBytesRead
00431FF6|.BE 00080000 MOV ESI,800 ; |
00431FFB|.56 PUSH ESI ; |BytesToRead => 800 (2048.)
00431FFC|.8D9424 B00000>LEA EDX,DWORD PTR SS: ; |
00432003|.52 PUSH EDX ; |Buffer
00432004|.57 PUSH EDI ; |hFile
00432005|.897424 28 MOV DWORD PTR SS:,ESI ; |
00432009|.FF15 0C9B5000 CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile
0043200F|.85C0 TEST EAX,EAX
00432011|.0F84 AC000000 JE HippoEdi.004320C3
00432017|.397424 14 CMP DWORD PTR SS:,ESI
0043201B|.0F85 A2000000 JNZ HippoEdi.004320C3
00432021|.8D4424 1C LEA EAX,DWORD PTR SS:
00432025|.50 PUSH EAX
00432026|.B3 01 MOV BL,1
00432028|.E8 13FEFFFF CALL HippoEdi.00431E40
0043202D|.83C4 04 ADD ESP,4
00432030|.C78424 B00800>MOV DWORD PTR SS:,0
0043203B|.8B30 MOV ESI,DWORD PTR DS:
0043203D|.8D4C24 24 LEA ECX,DWORD PTR SS:
00432041|.894C24 20 MOV DWORD PTR SS:,ECX
00432045|.FF15 34F05500 CALL DWORD PTR DS: ;HippoEdi.004CCE63
0043204B|.50 PUSH EAX
0043204C|.56 PUSH ESI
0043204D|.8D4424 28 LEA EAX,DWORD PTR SS:
00432051|.E8 8AF40000 CALL HippoEdi.004414E0
00432056|.8B4C24 20 MOV ECX,DWORD PTR SS:
0043205A|.8D9424 A40200>LEA EDX,DWORD PTR SS:
00432061|.52 PUSH EDX ; /Arg1
00432062|.BA 00060000 MOV EDX,600 ; |
00432067|.E8 14F0FFFF CALL HippoEdi.00431080 ; \HippoEdi.00431080
0043206C|.8B4424 24 MOV EAX,DWORD PTR SS:
00432070|.8D4C24 28 LEA ECX,DWORD PTR SS:
00432074|.83C4 04 ADD ESP,4
00432077|.3BC1 CMP EAX,ECX
00432079|.74 0A JE SHORT HippoEdi.00432085
0043207B|.50 PUSH EAX ; /block
0043207C|.FF15 E8A95000 CALL DWORD PTR DS:[<&MSVCR80.free>] ; \free
00432082|.83C4 04 ADD ESP,4
00432085|>8D4C24 1C LEA ECX,DWORD PTR SS:
00432089|.C78424 B00800>MOV DWORD PTR SS:,-1
00432094|.FF15 70A65000 CALL DWORD PTR DS:[<&MFC80U.#577>] ;mfc80u.#578
0043209A|.8B7424 10 MOV ESI,DWORD PTR SS:
0043209E|.8D9424 080400>LEA EDX,DWORD PTR SS:
004320A5|.52 PUSH EDX ; /Arg2
004320A6|.56 PUSH ESI ; |Arg1
004320A7|.E8 94F1FFFF CALL HippoEdi.00431240 ; \HippoEdi.00431240
004320AC|.84C0 TEST AL,AL
004320AE|.74 06 JE SHORT HippoEdi.004320B6
004320B0|.807E 74 00 CMP BYTE PTR DS:,0
004320B4|.75 0D JNZ SHORT HippoEdi.004320C3
004320B6|>E8 D5FCFFFF CALL HippoEdi.00431D90
004320BB|.84C0 TEST AL,AL
004320BD|.74 04 JE SHORT HippoEdi.004320C3
004320BF|.C646 74 43 MOV BYTE PTR DS:,43
004320C3|>57 PUSH EDI ; /hObject
004320C4|.FF15 049B5000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004320CA|.84DB TEST BL,BL
004320CC|.75 2A JNZ SHORT HippoEdi.004320F8
004320CE|>E8 7F950900 CALL <JMP.&MFC80U.#1086>
004320D3|.85C0 TEST EAX,EAX
004320D5|.74 0D JE SHORT HippoEdi.004320E4
004320D7|.8B10 MOV EDX,DWORD PTR DS:
004320D9|.8BC8 MOV ECX,EAX
004320DB|.8B42 7C MOV EAX,DWORD PTR DS:
004320DE|.FFD0 CALL EAX
004320E0|.85C0 TEST EAX,EAX
004320E2|.75 04 JNZ SHORT HippoEdi.004320E8
004320E4|>33C0 XOR EAX,EAX
004320E6|.EB 03 JMP SHORT HippoEdi.004320EB
004320E8|>8B40 20 MOV EAX,DWORD PTR DS:
004320EB|>6A 00 PUSH 0 ; /lParam = 0
004320ED|.6A 00 PUSH 0 ; |wParam = 0
004320EF|.6A 10 PUSH 10 ; |Message = WM_CLOSE
004320F1|.50 PUSH EAX ; |hWnd
004320F2|.FF15 0CAD5000 CALL DWORD PTR DS:[<&USER32.PostMessageW>; \PostMessageW
004320F8|>8B4C24 10 MOV ECX,DWORD PTR SS:
004320FC|.33C0 XOR EAX,EAX
004320FE|.3841 74 CMP BYTE PTR DS:,AL
00432101|>8B8C24 A80800>MOV ECX,DWORD PTR SS:
00432108|.5F POP EDI
00432109|.5E POP ESI
0043210A 0F95C0 SETNE AL Al=1即可注册成功
0043210D|.64:890D 00000>MOV DWORD PTR FS:,ECX
00432114|.5B POP EBX
00432115|.81C4 A8080000 ADD ESP,8A8
将
0043210A 0F95C0 SETNE AL Al=1即可注册成功
改成 mov al,1即可
复制到可执行程序,即可破解 /:013 谢谢楼主了!收藏学习了! 很详细也很简单!
谢谢楼主共享! 终于看到你们的文章那个了 支持一下 ~