EmEditor X64 显示注册的问题
论坛的X64和谐补丁,启动后如果马上点关于,会先出现注册给:PYG,然后马上显示未注册。
于是研究一下,简单跟了一下弹窗,发现弹窗上修改注册给用的API为 SetDlgItemTextW,所以我们把这个拦截下来,用Detours把这里Patch出来,看是谁设置的文字。
typedef BOOL (WINAPI * PF_SetDlgItemTextW)(HWND hDlg,
int nIDDlgItem,
LPCWSTR lpString
);
PF_SetDlgItemTextW g_SetDlgItemTextW = SetDlgItemTextW;
BOOL WINAPI NsSetDlgItemTextW(HWND hDlg,
int nIDDlgItem,
LPCWSTR lpString
)
{
if ( lpString )
{
CString szBuffer = lpString;
if ( szBuffer.CompareNoCase(L"注册至:(未注册)") == 0)
{
MessageBox(NULL,L"XXX",L"aaa",0);
}
OutputDebugString( lpString );
}
return g_SetDlgItemTextW(hDlg,nIDDlgItem,lpString);
}
// 启用 Detours HOOK
BOOL InitDetours()
{
BOOL bRet = FALSE;
__try
{
// 简单判一下函数是否成功,也可以不用判断返回值
// 第一步
if ( DetourTransactionBegin() )
__leave;
// 第二步
if ( DetourUpdateThread( ::GetCurrentThread() ) )
__leave;
// 第三步 添加我们HOOK的替换函数
DetourAttach( &(PVOID&)g_SetDlgItemTextW, NsSetDlgItemTextW );
//DetourAttach( &(PVOID&)g_LoadLibraryW, NsLoadLibraryW );
// 继续添加其他的HOOK
// DetourAttach( &(PVOID&)pMessageBoxA, NsMessageBoxA );
// 第四步
if ( DetourTransactionCommit() != NO_ERROR )
__leave;
bRet = TRUE;
}
__finally
{
;
}
return bRet;
}
返回之后,我们发现调用来自于 000007FDFFA94B95 call qword ptr ds:[<&SetDlgItemTextW>]
我们看一下这个函数,首先 mov rbx,rcx,这里 rcx 应该就是类对象了,然后 dword ptr ds:赋值并比较,所以猜测这个应该就是 这里是类对象的 RegisterType 成员,由于我们知道这里必须为1,所以我们要想办法把这个内存数据动态修改为1就可以完成完美破解了。
000007FDFFA94974 | 48 8B C4 | mov rax,rsp | ;rax:DoAbout
000007FDFFA94977 | 48 89 58 08 | mov qword ptr ds:,rbx |
000007FDFFA9497B | 48 89 70 10 | mov qword ptr ds:,rsi |
000007FDFFA9497F | 48 89 78 18 | mov qword ptr ds:,rdi |
000007FDFFA94983 | 4C 89 70 20 | mov qword ptr ds:,r14 |
000007FDFFA94987 | 55 | push rbp |
000007FDFFA94988 | 48 8D A8 A8 F9 FF FF | lea rbp,qword ptr ds: |
000007FDFFA9498F | 48 81 EC 50 07 00 00 | sub rsp,750 |
000007FDFFA94996 | 83 B9 90 00 00 00 FF | cmp dword ptr ds:,FFFFFFFF |;判断该数值是否为-1(未初始化)
000007FDFFA9499D | 48 8B D9 | mov rbx,rcx |;类对象指针给 rbx
000007FDFFA949A0 | 0F 84 0F 02 00 00 | je emeddlgs.7FDFFA94BB5 |
000007FDFFA949A6 | 4C 8D 81 94 00 00 00 | lea r8,qword ptr ds: |
000007FDFFA949AD | BF 2C 01 00 00 | mov edi,12C |
000007FDFFA949B2 | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA949B6 | 8B D7 | mov edx,edi |
000007FDFFA949B8 | E8 5B CC FF FF | call emeddlgs.7FDFFA91618 |
000007FDFFA949BD | 8B 83 90 00 00 00 | mov eax,dword ptr ds: |;这里是类对象的 RegisterType 成员
000007FDFFA949C3 | BE 01 00 00 00 | mov esi,1 |
000007FDFFA949C8 | 83 F8 06 | cmp eax,6 |
000007FDFFA949CB | 0F 87 A4 01 00 00 | ja emeddlgs.7FDFFA94B75 |
000007FDFFA949D1 | 8D 4E 49 | lea ecx,dword ptr ds: |
000007FDFFA949D4 | 0F A3 C1 | bt ecx,eax |
000007FDFFA949D7 | 0F 83 98 01 00 00 | jnb emeddlgs.7FDFFA94B75 |
000007FDFFA949DD | 48 8D 55 80 | lea rdx,qword ptr ss: |
000007FDFFA949E1 | 48 8D 4C 24 40 | lea rcx,qword ptr ss: |
000007FDFFA949E6 | E8 FD F7 FF FF | call emeddlgs.7FDFFA941E8 |
000007FDFFA949EB | 45 33 F6 | xor r14d,r14d |
000007FDFFA949EE | 85 C0 | test eax,eax |
000007FDFFA949F0 | 0F 84 92 01 00 00 | je emeddlgs.7FDFFA94B88 |
000007FDFFA949F6 | 66 44 39 74 24 40 | cmp word ptr ss:,r14w |
000007FDFFA949FC | 0F 84 86 01 00 00 | je emeddlgs.7FDFFA94B88 |
000007FDFFA94A02 | 4C 8D 05 47 DB 03 00 | lea r8,qword ptr ds: |
000007FDFFA94A09 | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA94A0D | 8B D7 | mov edx,edi |
000007FDFFA94A0F | E8 60 EA FF FF | call emeddlgs.7FDFFA93474 |
000007FDFFA94A14 | 4C 8D 45 80 | lea r8,qword ptr ss: |
000007FDFFA94A18 | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA94A1C | 8B D7 | mov edx,edi |
000007FDFFA94A1E | E8 51 EA FF FF | call emeddlgs.7FDFFA93474 |
000007FDFFA94A23 | 48 8B 0D 8E 2F 05 00 | mov rcx,qword ptr ds: |
000007FDFFA94A2A | 44 8D 4F D8 | lea r9d,dword ptr ds: |
000007FDFFA94A2E | 4C 8D 85 40 04 00 00 | lea r8,qword ptr ss: |
000007FDFFA94A35 | 8D 56 74 | lea edx,dword ptr ds: |
000007FDFFA94A38 | FF 15 8A 4C 03 00 | call qword ptr ds:[<&LoadStringW>] |
000007FDFFA94A3E | 48 8B 4B 08 | mov rcx,qword ptr ds: |
000007FDFFA94A42 | 4C 8D 85 40 04 00 00 | lea r8,qword ptr ss: |
000007FDFFA94A49 | BA 53 04 00 00 | mov edx,453 |
000007FDFFA94A4E | FF 15 14 4D 03 00 | call qword ptr ds:[<&SetDlgItemTextW>]|
000007FDFFA94A54 | 8B 83 90 00 00 00 | mov eax,dword ptr ds: | ;这里是类对象的 RegisterType 成员
000007FDFFA94A5A | 3B C6 | cmp eax,esi |
000007FDFFA94A5C | 74 09 | je emeddlgs.7FDFFA94A67 |
000007FDFFA94A5E | 83 F8 06 | cmp eax,6 |
000007FDFFA94A61 | 0F 85 21 01 00 00 | jnz emeddlgs.7FDFFA94B88 |
000007FDFFA94A67 | 48 8D 54 24 30 | lea rdx,qword ptr ss: |
000007FDFFA94A6C | 48 8D 4C 24 40 | lea rcx,qword ptr ss: |
000007FDFFA94A71 | E8 F2 19 02 00 | call emeddlgs.7FDFFAB6468 |
000007FDFFA94A76 | 84 C0 | test al,al |
000007FDFFA94A78 | 0F 84 0A 01 00 00 | je emeddlgs.7FDFFA94B88 |
000007FDFFA94A7E | 4C 8D 05 C3 DA 03 00 | lea r8,qword ptr ds: |
000007FDFFA94A85 | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA94A89 | 48 8B D7 | mov rdx,rdi |
000007FDFFA94A8C | E8 E3 E9 FF FF | call emeddlgs.7FDFFA93474 |
000007FDFFA94A91 | B8 DD 07 00 00 | mov eax,7DD |
000007FDFFA94A96 | 66 39 44 24 30 | cmp word ptr ss:,ax |
000007FDFFA94A9B | 75 31 | jnz emeddlgs.7FDFFA94ACE |
000007FDFFA94A9D | 66 39 74 24 32 | cmp word ptr ss:,si |
000007FDFFA94AA2 | 75 2A | jnz emeddlgs.7FDFFA94ACE |
000007FDFFA94AA4 | 66 39 74 24 36 | cmp word ptr ss:,si |
000007FDFFA94AA9 | 75 23 | jnz emeddlgs.7FDFFA94ACE |
000007FDFFA94AAB | 48 8B 0D 06 2F 05 00 | mov rcx,qword ptr ds: |
000007FDFFA94AB2 | 41 B9 04 01 00 00 | mov r9d,104 |
000007FDFFA94AB8 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss: |
000007FDFFA94ABF | 41 8D 51 5C | lea edx,dword ptr ds: |
000007FDFFA94AC3 | FF 15 FF 4B 03 00 | call qword ptr ds:[<&LoadStringW>] |
000007FDFFA94AC9 | E9 8B 00 00 00 | jmp emeddlgs.7FDFFA94B59 | ;JUMP ...
000007FDFFA94ACE | 48 8B 4B 08 | mov rcx,qword ptr ds: |
000007FDFFA94AD2 | BA 10 07 00 00 | mov edx,710 |
000007FDFFA94AD7 | FF 15 63 4C 03 00 | call qword ptr ds:[<&GetDlgItem>] |
000007FDFFA94ADD | 8B D6 | mov edx,esi |
000007FDFFA94ADF | 48 8B C8 | mov rcx,rax | ;rax:DoAbout
000007FDFFA94AE2 | FF 15 90 4C 03 00 | call qword ptr ds:[<&EnableWindow>] |
000007FDFFA94AE8 | 48 8B 0D C9 2E 05 00 | mov rcx,qword ptr ds: |
000007FDFFA94AEF | 41 B9 04 01 00 00 | mov r9d,104 |
000007FDFFA94AF5 | 41 8D 51 5B | lea edx,dword ptr ds: |
000007FDFFA94AF9 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss: |
000007FDFFA94B00 | FF 15 C2 4B 03 00 | call qword ptr ds:[<&LoadStringW>] |
000007FDFFA94B06 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss: |
000007FDFFA94B0D | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA94B11 | 48 8B D7 | mov rdx,rdi |
000007FDFFA94B14 | E8 5B E9 FF FF | call emeddlgs.7FDFFA93474 |
000007FDFFA94B19 | 48 8D 85 30 02 00 00 | lea rax,qword ptr ss: | ;rax:DoAbout
000007FDFFA94B20 | 4C 8D 44 24 30 | lea r8,qword ptr ss: |
000007FDFFA94B25 | 45 33 C9 | xor r9d,r9d |
000007FDFFA94B28 | 8B D6 | mov edx,esi |
000007FDFFA94B2A | B9 00 04 00 00 | mov ecx,400 |
000007FDFFA94B2F | C7 44 24 28 04 01 00 00| mov dword ptr ss:,104 |
000007FDFFA94B37 | 48 89 44 24 20 | mov qword ptr ss:,rax | ;rax:DoAbout
000007FDFFA94B3C | FF 15 76 46 03 00 | call qword ptr ds:[<&GetDateFormatW>] |
000007FDFFA94B42 | 85 C0 | test eax,eax |
000007FDFFA94B44 | 74 26 | je emeddlgs.7FDFFA94B6C |
000007FDFFA94B46 | 4C 8D 05 0B DA 03 00 | lea r8,qword ptr ds: |
000007FDFFA94B4D | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA94B51 | 48 8B D7 | mov rdx,rdi |
000007FDFFA94B54 | E8 1B E9 FF FF | call emeddlgs.7FDFFA93474 |
000007FDFFA94B59 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss: |
000007FDFFA94B60 | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA94B64 | 48 8B D7 | mov rdx,rdi |
000007FDFFA94B67 | E8 08 E9 FF FF | call emeddlgs.7FDFFA93474 |
000007FDFFA94B6C | 4C 8D 05 E1 D9 03 00 | lea r8,qword ptr ds: |
000007FDFFA94B73 | EB 07 | jmp emeddlgs.7FDFFA94B7C |
000007FDFFA94B75 | 4C 8D 83 5C 01 00 00 | lea r8,qword ptr ds: | ;xxxxxxxxxxxx
000007FDFFA94B7C | 48 8D 4D D0 | lea rcx,qword ptr ss: |
000007FDFFA94B80 | 48 8B D7 | mov rdx,rdi |
000007FDFFA94B83 | E8 EC E8 FF FF | call emeddlgs.7FDFFA93474 |
000007FDFFA94B88 | 48 8B 4B 08 | mov rcx,qword ptr ds: |
000007FDFFA94B8C | 4C 8D 45 D0 | lea r8,qword ptr ss: |
000007FDFFA94B90 | BA 1B 04 00 00 | mov edx,41B |
000007FDFFA94B95 | FF 15 CD 4B 03 00 | call qword ptr ds:[<&SetDlgItemTextW>]| ;就是这里设置注册给 XXX
000007FDFFA94B9B | 48 8B 4B 08 | mov rcx,qword ptr ds: |
000007FDFFA94B9F | BA 53 04 00 00 | mov edx,453 |
000007FDFFA94BA4 | FF 15 96 4B 03 00 | call qword ptr ds:[<&GetDlgItem>] |
000007FDFFA94BAA | 8B D6 | mov edx,esi |
000007FDFFA94BAC | 48 8B C8 | mov rcx,rax | ;rax:DoAbout
000007FDFFA94BAF | FF 15 C3 4B 03 00 | call qword ptr ds:[<&EnableWindow>] |
000007FDFFA94BB5 | 4C 8D 9C 24 50 07 00 00| lea r11,qword ptr ss: |
000007FDFFA94BBD | 49 8B 5B 10 | mov rbx,qword ptr ds: |
000007FDFFA94BC1 | 49 8B 73 18 | mov rsi,qword ptr ds: |
000007FDFFA94BC5 | 49 8B 7B 20 | mov rdi,qword ptr ds: |
000007FDFFA94BC9 | 4D 8B 73 28 | mov r14,qword ptr ds: |
000007FDFFA94BCD | 49 8B E3 | mov rsp,r11 |
000007FDFFA94BD0 | 5D | pop rbp |
000007FDFFA94BD1 | C3 | ret |
这个是分析思路,剩下的就是去实现这个想法了。O(∩_∩)O哈哈~
好强大!认真学习!
X64下的调试看起来也很顺眼~
顺便问下,楼主真是姐姐?{:soso_e113:}
我看到熟人7DD了。这可算是14.X的一个特征了。
因为X86的注册信息与X64的通用,也一直没机会来分析64环境下的,感谢"姐姐"?的分析!赞一个。 给力的作品。。。。。。。顶一下呀。哈哈。 感谢楼主分享分析思路。 好强大的分析啊,感谢~~ {:soso_e192:}
来学习了哟 不错看看 楼主幸苦了
没看太懂,楼主能把成品发出来就更好了 学习了. 64位的汇编语言 和32位的差别还是有的.要重新学习才行呢