- UID
- 73728
注册时间2014-1-30
阅读权限40
最后登录1970-1-1
独步武林
 
TA的每日心情 | 开心
2025-1-4 10:11 |
|---|
签到天数: 490 天 [LV.9]以坛为家II
|
【破文标题】Sublime Text Build 3059
【破文作者】vipcrack
【破文邮箱】-
【作者主页】-
【破解工具】OD 1.1
【破解平台】WIN7 X64
【软件名称】Sublime Text Build 3059
【软件大小】8.56M
【来源地址】http://c758482.r82.cf2.rackcdn.com/Sublime%20Text%20Build%203059.zip
【保护方式】RSA
【软件简介】
Sublime Text is a sophisticated text editor for code, markup and prose.
You'll love the slick user interface, extraordinary features and amazing performance.
----------------------------------------------
【破解声明】本文仅供交流分析,请勿用于商业用途。
----------------------------------------------
【破解过程】
既然程序显示Unregistered,那么就从Unregistered入手,OD里查找跳转,定位关键点:
00A54AA3 . E8 C7020000 call 00A54D6F ;跟进去找要点
00A54AA8 . 83C4 38 add esp, 0x38
00A54AAB . 803D 908DCF00 00 cmp byte ptr [0xCF8D90], 0x0 ;全局变量
00A54AB2 . 0F84 2B010000 je 00A54BE3 ;不跳则显示授权
00A54AB8 . 8D8D C0FBFFFF lea ecx, dword ptr [ebp-0x440]
00A54ABE . E8 C42BF2FF call 00977687
00A54AC3 . 8365 FC 00 and dword ptr [ebp-0x4], 0x0
00A54AC7 . 68 26FEC100 push 00C1FE26 ; /Arg2 = 00C1FE26
00A54ACC . 68 18FEC100 push 00C1FE18 ; |Registered to
00A54AD1 . 8D8D C0FBFFFF lea ecx, dword ptr [ebp-0x440] ; |
00A54AD7 . E8 C03BF2FF call 0097869C ; \sublime_.001D869C
00A54ADC . 68 74DFCB00 push 00CBDF74 ; /Arg1 = 00CBDF74
00A54AE1 . 8D8D B0FBFFFF lea ecx, dword ptr [ebp-0x450] ; |
00A54AE7 . E8 4624F2FF call 00976F32 ; \sublime_.001D6F32
00A54AEC . FFB5 B4FBFFFF push dword ptr [ebp-0x44C] ; /Arg2
00A54AF2 . 8D8D C0FBFFFF lea ecx, dword ptr [ebp-0x440] ; |
00A54AF8 . FFB5 B0FBFFFF push dword ptr [ebp-0x450] ; |Arg1
00A54AFE . E8 993BF2FF call 0097869C ; \sublime_.001D869C
00A54B03 . 8D8D C0FBFFFF lea ecx, dword ptr [ebp-0x440]
00A54B09 . E8 043AF2FF call 00978512
00A54B0E . DD85 A0FBFFFF fld qword ptr [ebp-0x460]
00A54B14 . FFB5 C8FBFFFF push dword ptr [ebp-0x438]
00A54B1A . DD05 6891C100 fld qword ptr [0xC19168]
00A54B20 . DCC1 fadd st(1), st
00A54B22 . C785 BCFBFFFF FFFFFFFF mov dword ptr [ebp-0x444], -0x1
00A54B2C . FFB5 BCFBFFFF push dword ptr [ebp-0x444]
00A54B32 . D9C9 fxch st(1)
00A54B34 . 8DB5 80FBFFFF lea esi, dword ptr [ebp-0x480]
00A54B3A . FFB3 B4000000 push dword ptr [ebx+0xB4]
00A54B40 . DD95 A0FBFFFF fst qword ptr [ebp-0x460]
00A54B46 . DEC1 faddp st(1), st
00A54B48 . 83EC 28 sub esp, 0x28
00A54B4B . DD5C24 20 fstp qword ptr [esp+0x20]
00A54B4F . 6A 08 push 0x8
00A54B51 . 59 pop ecx
00A54B52 . 8BFC mov edi, esp
00A54B54 . FFB5 B8FBFFFF push dword ptr [ebp-0x448]
00A54B5A . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00A54B5C . E8 0E020000 call 00A54D6F
00A54B61 . FF35 948DCF00 push dword ptr [0xCF8D94]
00A54B67 . 8D45 D8 lea eax, dword ptr [ebp-0x28]
00A54B6A . 50 push eax
00A54B6B . E8 32091700 call 00BC54A2
00A54B70 . 83C4 40 add esp, 0x40
00A54B73 . 8378 14 10 cmp dword ptr [eax+0x14], 0x10
00A54B77 . C645 FC 01 mov byte ptr [ebp-0x4], 0x1
00A54B7B . 72 02 jb short 00A54B7F
00A54B7D . 8B00 mov eax, dword ptr [eax]
00A54B7F > DD85 A0FBFFFF fld qword ptr [ebp-0x460]
00A54B85 . 50 push eax
00A54B86 . DC85 A8FBFFFF fadd qword ptr [ebp-0x458]
00A54B8C . C785 BCFBFFFF FFFFFFFF mov dword ptr [ebp-0x444], -0x1
00A54B96 . FFB5 BCFBFFFF push dword ptr [ebp-0x444]
00A54B9C . 8DB5 80FBFFFF lea esi, dword ptr [ebp-0x480]
00A54BA2 . FFB3 B4000000 push dword ptr [ebx+0xB4]
00A54BA8 . DC05 60CBC100 fadd qword ptr [0xC1CB60]
00A54BAE . 83EC 28 sub esp, 0x28
00A54BB1 . DD5C24 20 fstp qword ptr [esp+0x20]
00A54BB5 . 6A 08 push 0x8
00A54BB7 . 59 pop ecx
00A54BB8 . 8BFC mov edi, esp
00A54BBA . FFB5 B8FBFFFF push dword ptr [ebp-0x448]
00A54BC0 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00A54BC2 . E8 A8010000 call 00A54D6F
00A54BC7 . 83C4 38 add esp, 0x38
00A54BCA . 8D4D D8 lea ecx, dword ptr [ebp-0x28]
00A54BCD . E8 7DCFF1FF call 00971B4F
00A54BD2 . 834D FC FF or dword ptr [ebp-0x4], 0xFFFFFFFF
00A54BD6 . 8D8D C0FBFFFF lea ecx, dword ptr [ebp-0x440]
00A54BDC . E8 B92AF2FF call 0097769A
00A54BE1 . EB 4D jmp short 00A54C30
00A54BE3 > DD85 A0FBFFFF fld qword ptr [ebp-0x460]
00A54BE9 . 68 28FEC100 push 00C1FE28 ; Unregistered
00A54BEE . DD05 6891C100 fld qword ptr [0xC19168]
00A54BF4 . C785 BCFBFFFF FFFFFFFF mov dword ptr [ebp-0x444], -0x1
00A54BFE . FFB5 BCFBFFFF push dword ptr [ebp-0x444]
00A54C04 . DCC1 fadd st(1), st
00A54C06 . 8DB5 80FBFFFF lea esi, dword ptr [ebp-0x480]
00A54C0C . FFB3 B4000000 push dword ptr [ebx+0xB4]
00A54C12 . DEC1 faddp st(1), st
00A54C14 . 83EC 28 sub esp, 0x28
00A54C17 . DD5C24 20 fstp qword ptr [esp+0x20]
00A54C1B . 6A 08 push 0x8
00A54C1D . 59 pop ecx
00A54C1E . 8BFC mov edi, esp
跟入之后,发现没有修改全局变量的内容:
00A54D6F 55 push ebp
00A54D70 8BEC mov ebp, esp
00A54D72 51 push ecx
00A54D73 FF75 3C push dword ptr [ebp+0x3C]
00A54D76 |. FF75 34 push dword ptr [ebp+0x34]
00A54D79 |. E8 5461F3FF call 0098AED2
00A54D7E |. D95D FC fstp dword ptr [ebp-0x4]
00A54D81 |. D945 FC fld dword ptr [ebp-0x4]
00A54D84 |. 83C4 04 add esp, 0x4
00A54D87 |. D91C24 fstp dword ptr [esp]
00A54D8A |. E8 CA62F3FF call 0098B059
00A54D8F |. DD45 1C fld qword ptr [ebp+0x1C]
00A54D92 |. 51 push ecx
00A54D93 |. DC65 0C fsub qword ptr [ebp+0xC]
00A54D96 |. DD05 082FC100 fld qword ptr [0xC12F08]
00A54D9C |. DCC9 fmul st(1), st
00A54D9E |. DECA fmulp st(2), st
00A54DA0 |. DEE1 fsubrp st(1), st
00A54DA2 |. DD1C24 fstp qword ptr [esp]
00A54DA5 |. E8 269C0100 call 00A6E9D0
00A54DAA |. DD45 2C fld qword ptr [ebp+0x2C]
00A54DAD |. 59 pop ecx
00A54DAE |. 59 pop ecx
00A54DAF |. D9C9 fxch st(1)
00A54DB1 |. FF75 3C push dword ptr [ebp+0x3C]
00A54DB4 |. 8B4D 08 mov ecx, dword ptr [ebp+0x8]
00A54DB7 |. FF75 38 push dword ptr [ebp+0x38]
00A54DBA |. 8B11 mov edx, dword ptr [ecx]
00A54DBC |. 83EC 10 sub esp, 0x10
00A54DBF |. 8BC4 mov eax, esp
00A54DC1 |. FF75 34 push dword ptr [ebp+0x34]
00A54DC4 |. DD18 fstp qword ptr [eax]
00A54DC6 |. DD58 08 fstp qword ptr [eax+0x8]
00A54DC9 |. FF52 08 call dword ptr [edx+0x8]
00A54DCC |. C9 leave
00A54DCD \. C3 retn
那么我们就直接搜索全局常量
参考位于 sublime_:.text 到常量 0xCF8D90
地址 反汇编 注释
00A0CF14 mov byte ptr [0xCF8D90], al
00A0CF5B mov byte ptr [0xCF8D90], al
00A0CF77 mov al, byte ptr [0xCF8D90] [00CF8D90]=01
00A0D223 cmp byte ptr [0xCF8D90], 0x0 ds:[00CF8D90]=01
00A0D44B cmp byte ptr [0xCF8D90], 0x0 ds:[00CF8D90]=01
00A0DE29 and byte ptr [0xCF8D90], al
00A0EF54 mov al, byte ptr [0xCF8D90] [00CF8D90]=01
00A210EA cmp byte ptr [0xCF8D90], bl
00A33F76 cmp byte ptr [0xCF8D90], 0x0 ds:[00CF8D90]=01
00A34394 mov byte ptr [0xCF8D90], bl
00A343D9 sete byte ptr [0xCF8D90] ds:[00CF8D90]=01
00A345C3 mov byte ptr [0xCF8D90], bl
00A35638 cmp byte ptr [0xCF8D90], 0x0 ds:[00CF8D90]=01
00A48279 mov al, byte ptr [0xCF8D90] [00CF8D90]=01
00A48283 cmp byte ptr [0xCF8D90], al
00A54AAB cmp byte ptr [0xCF8D90], 0x0 (初始 CPU 选择)
从查表结果可以更加确定,全局变量是准确的。
找赋值的看看:
00A0CF06 . E8 A2660200 call 00A335AD ;多次调用,
00A0CF0B . 83C4 14 add esp, 0x14
00A0CF0E . F7D8 neg eax
00A0CF10 . 1AC0 sbb al, al
00A0CF12 . FEC0 inc al
00A0CF14 . A2 908DCF00 mov byte ptr [0xCF8D90], al ;修改全局变量
00A0CF19 . 75 4E jnz short 00A0CF69
00A0CF1B . 8365 E8 00 and dword ptr [ebp-0x18], 0x0
00A0CF1F . 57 push edi
00A0CF20 . 56 push esi
00A0CF21 . 8D4D D8 lea ecx, dword ptr [ebp-0x28]
00A0CF24 . C745 EC 0F000000 mov dword ptr [ebp-0x14], 0xF
00A0CF2B . C645 D8 00 mov byte ptr [ebp-0x28], 0x0
00A0CF2F . E8 2A61F6FF call 0097305E
00A0CF34 . 8D45 9C lea eax, dword ptr [ebp-0x64]
00A0CF37 . 50 push eax
00A0CF38 . 68 948DCF00 push 00CF8D94
00A0CF3D . 8D45 D8 lea eax, dword ptr [ebp-0x28]
00A0CF40 . 68 74DFCB00 push 00CBDF74
00A0CF45 . 50 push eax
00A0CF46 . C645 FC 01 mov byte ptr [ebp-0x4], 0x1
00A0CF4A . E8 5E660200 call 00A335AD ;多次调用
00A0CF4F . 83C4 10 add esp, 0x10
00A0CF52 . F7D8 neg eax
00A0CF54 . 1AC0 sbb al, al
00A0CF56 . FEC0 inc al
00A0CF58 . 8D4D D8 lea ecx, dword ptr [ebp-0x28]
00A0CF5B . A2 908DCF00 mov byte ptr [0xCF8D90], al ;修改全局变量
00A0CF60 . C645 FC 00 mov byte ptr [ebp-0x4], 0x0
00A0CF64 . E8 E64BF6FF call 00971B4F
00A0CF69 > FF35 0897CB00 push dword ptr [0xCB9708] ; /Arg1 = 00C1956C ASCII "licensed"
前面这两个调用我们可以调试发现,只要修改CALL返回的EAX=0,即可实现给全局变量赋值1,那么实际修改后的程序,是否能完成破解呢?
继续往下看,有个比较巧妙的and计算就直接干掉了我们这种想法……
直接跟入call 00A335AD
00A335AD /$ 68 80000000 push 0x80
00A335B2 |. B8 6A9FBF00 mov eax, 00BF9F6A
00A335B7 |. E8 43670300 call 00A69CFF
00A335BC |. 8B45 10 mov eax, dword ptr [ebp+0x10]
00A335BF |. 8B75 08 mov esi, dword ptr [ebp+0x8]
00A335C2 |. 8B5D 0C mov ebx, dword ptr [ebp+0xC]
00A335C5 |. 8985 7CFFFFFF mov dword ptr [ebp-0x84], eax
00A335CB |. 8B45 14 mov eax, dword ptr [ebp+0x14]
00A335CE |. 8985 74FFFFFF mov dword ptr [ebp-0x8C], eax
00A335D4 |. 8D45 98 lea eax, dword ptr [ebp-0x68]
00A335D7 |. 50 push eax
00A335D8 |. E8 D0080000 call 00A33EAD
00A335DD |. 33C9 xor ecx, ecx
00A335DF |. 6A 0F push 0xF
00A335E1 |. 58 pop eax
00A335E2 |. 894D FC mov dword ptr [ebp-0x4], ecx
00A335E5 |. 8945 94 mov dword ptr [ebp-0x6C], eax
00A335E8 |. 894D 90 mov dword ptr [ebp-0x70], ecx
00A335EB |. 884D 80 mov byte ptr [ebp-0x80], cl
00A335EE |. 8945 C4 mov dword ptr [ebp-0x3C], eax
00A335F1 |. 894D C0 mov dword ptr [ebp-0x40], ecx
00A335F4 |. 884D B0 mov byte ptr [ebp-0x50], cl
00A335F7 |. 8945 DC mov dword ptr [ebp-0x24], eax
00A335FA |. 894D D8 mov dword ptr [ebp-0x28], ecx
00A335FD |. 884D C8 mov byte ptr [ebp-0x38], cl
00A33600 |. 8D45 C8 lea eax, dword ptr [ebp-0x38]
00A33603 |. 50 push eax
00A33604 |. 8D45 B0 lea eax, dword ptr [ebp-0x50]
00A33607 |. 50 push eax
00A33608 |. 8D85 78FFFFFF lea eax, dword ptr [ebp-0x88]
00A3360E |. 50 push eax
00A3360F |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00A33612 |. 50 push eax
00A33613 |. 8D45 98 lea eax, dword ptr [ebp-0x68]
00A33616 |. 50 push eax
00A33617 |. 56 push esi
00A33618 |. C645 FC 03 mov byte ptr [ebp-0x4], 0x3
00A3361C |. 8BF9 mov edi, ecx
00A3361E |. E8 F81F1900 call 00BC561B
00A33623 |. 83C4 1C add esp, 0x1C
00A33626 |. 84C0 test al, al
00A33628 |. 75 01 jnz short 00A3362B
00A3362A |. 47 inc edi
00A3362B |> 837D AC 10 cmp dword ptr [ebp-0x54], 0x10
00A3362F |. 8B45 98 mov eax, dword ptr [ebp-0x68]
00A33632 |. 73 03 jnb short 00A33637
00A33634 |. 8D45 98 lea eax, dword ptr [ebp-0x68]
00A33637 |> 8D4D E0 lea ecx, dword ptr [ebp-0x20]
00A3363A |. 51 push ecx
00A3363B |. FF75 A8 push dword ptr [ebp-0x58]
00A3363E |. 50 push eax
00A3363F |. E8 F7351300 call 00B66C3B
00A33644 |. 83C4 0C add esp, 0xC
00A33647 |. 807D E1 5B cmp byte ptr [ebp-0x1F], 0x5B
00A3364B |. 74 03 je short 00A33650
00A3364D |. 33FF xor edi, edi
00A3364F |. 47 inc edi
00A33650 |> 85FF test edi, edi
00A33652 |. 0F85 9A060000 jnz 00A33CF2
00A33658 |. BE 1CBEC100 mov esi, 00C1BE1C ; EA7E
00A3365D |. 56 push esi ; /Arg1 => 00C1BE1C ASCII "EA7E"
00A3365E |. E8 3C06F4FF call 00973C9F ; \sublime_.001D3C9F
00A33663 |. 59 pop ecx
00A33664 |. 50 push eax
00A33665 |. 56 push esi
00A33666 |. FF75 C0 push dword ptr [ebp-0x40]
00A33669 |. 8D4D B0 lea ecx, dword ptr [ebp-0x50]
00A3366C |. 57 push edi
00A3366D |. E8 DB84F4FF call 0097BB4D
00A33672 |. 85C0 test eax, eax
00A33674 |. 74 06 je short 00A3367C
00A33676 |. 47 inc edi
00A33677 |. E9 76060000 jmp 00A33CF2
00A3367C |> 837D DC 10 cmp dword ptr [ebp-0x24], 0x10
00A33680 |. 8B45 C8 mov eax, dword ptr [ebp-0x38]
00A33683 |. 73 03 jnb short 00A33688
00A33685 |. 8D45 C8 lea eax, dword ptr [ebp-0x38]
00A33688 |> 50 push eax ; /Arg1
00A33689 |. E8 1EB80300 call 00A6EEAC ; \sublime_.002CEEAC
00A3368E |. 59 pop ecx
00A3368F |. 3D 241C0C00 cmp eax, 0xC1C24
00A33694 |. 0F84 55060000 je 00A33CEF
00A3369A |. 3D 231C0C00 cmp eax, 0xC1C23
00A3369F |. 0F84 4A060000 je 00A33CEF
00A336A5 |. 3D 261C0C00 cmp eax, 0xC1C26
00A336AA |. 0F84 3F060000 je 00A33CEF
00A336B0 |. 3D 1C1C0C00 cmp eax, 0xC1C1C
00A336B5 |. 0F84 34060000 je 00A33CEF
00A336BB |. 3D A21A0C00 cmp eax, 0xC1AA2
00A336C0 |. 0F84 29060000 je 00A33CEF
00A336C6 |. 3D 5C1C0C00 cmp eax, 0xC1C5C
00A336CB |. 0F84 1E060000 je 00A33CEF
00A336D1 |. 3D 591C0C00 cmp eax, 0xC1C59
00A336D6 |. 0F84 13060000 je 00A33CEF
00A336DC |. 3D 9B1C0C00 cmp eax, 0xC1C9B
本地调用来自 00A0CF06, 00A0CF4A, 00A0DE1D, 00A343CF
看看这些调用,在调用完成后如何修改全局变量的,前两个在上面有代码,后两个如下:
第3处:
00A0DD6F /$ 6A 7C push 0x7C
00A0DD71 |. B8 1151BF00 mov eax, 00BF5111
00A0DD76 |. E8 84BF0500 call 00A69CFF
00A0DD7B |. 68 B492C100 push 00C192B4 ; /EA7E-1000\n
00A0DD80 |. 8D8D 78FFFFFF lea ecx, dword ptr [ebp-0x88] ; |
00A0DD86 |. E8 E039F6FF call 0097176B ; \sublime_.001D176B
00A0DD8B |. 8BF8 mov edi, eax
00A0DD8D |. 33DB xor ebx, ebx
00A0DD8F |. 68 C092C100 push 00C192C0 ; /Unlimited User License\n
00A0DD94 |. 8D4D A8 lea ecx, dword ptr [ebp-0x58] ; |
00A0DD97 |. 895D FC mov dword ptr [ebp-0x4], ebx ; |
00A0DD9A |. E8 CC39F6FF call 0097176B ; \sublime_.001D176B
00A0DD9F |. 8BF0 mov esi, eax
00A0DDA1 |. 68 D892C100 push 00C192D8 ; /Invalid Key\n
00A0DDA6 |. 8D4D C0 lea ecx, dword ptr [ebp-0x40] ; |
00A0DDA9 |. C645 FC 01 mov byte ptr [ebp-0x4], 0x1 ; |
00A0DDAD |. E8 B939F6FF call 0097176B ; \sublime_.001D176B
00A0DDB2 |. 56 push esi
00A0DDB3 |. 50 push eax
00A0DDB4 |. 8D45 90 lea eax, dword ptr [ebp-0x70]
00A0DDB7 |. 50 push eax
00A0DDB8 |. C645 FC 02 mov byte ptr [ebp-0x4], 0x2
00A0DDBC |. E8 8272FBFF call 009C5043
00A0DDC1 |. 57 push edi
00A0DDC2 |. 50 push eax
00A0DDC3 |. 8D45 D8 lea eax, dword ptr [ebp-0x28]
00A0DDC6 |. 50 push eax
00A0DDC7 |. C645 FC 03 mov byte ptr [ebp-0x4], 0x3
00A0DDCB |. E8 7372FBFF call 009C5043
00A0DDD0 |. 83C4 18 add esp, 0x18
00A0DDD3 |. 8D4D 90 lea ecx, dword ptr [ebp-0x70]
00A0DDD6 |. E8 743DF6FF call 00971B4F
00A0DDDB |. 8D4D C0 lea ecx, dword ptr [ebp-0x40]
00A0DDDE |. E8 6C3DF6FF call 00971B4F
00A0DDE3 |. 8D4D A8 lea ecx, dword ptr [ebp-0x58]
00A0DDE6 |. E8 643DF6FF call 00971B4F
00A0DDEB |. 8D8D 78FFFFFF lea ecx, dword ptr [ebp-0x88]
00A0DDF1 |. C645 FC 08 mov byte ptr [ebp-0x4], 0x8
00A0DDF5 |. E8 553DF6FF call 00971B4F
00A0DDFA |. 6A 09 push 0x9
00A0DDFC |. 5E pop esi
00A0DDFD |. BF E892C100 mov edi, 00C192E8 ; 00000000000000000000000000000000\n
00A0DE02 |> 57 /push edi ; /Arg1
00A0DE03 |. E8 975EF6FF |call 00973C9F ; \sublime_.001D3C9F
00A0DE08 |. 59 |pop ecx
00A0DE09 |. 50 |push eax
00A0DE0A |. 57 |push edi
00A0DE0B |. 8D4D D8 |lea ecx, dword ptr [ebp-0x28]
00A0DE0E |. E8 C650F6FF |call 00972ED9
00A0DE13 |. 4E |dec esi
00A0DE14 |.^ 75 EC \jnz short 00A0DE02
00A0DE16 |. 53 push ebx
00A0DE17 |. 53 push ebx
00A0DE18 |. 8D45 D8 lea eax, dword ptr [ebp-0x28]
00A0DE1B |. 53 push ebx
00A0DE1C |. 50 push eax
00A0DE1D |. E8 8B570200 call 00A335AD
00A0DE22 |. 83C4 10 add esp, 0x10
00A0DE25 |. F7D8 neg eax
00A0DE27 |. 1AC0 sbb al, al
00A0DE29 |. 2005 908DCF00 and byte ptr [0xCF8D90], al ;与前面1,2个CALL调用后的内存数据再次and计算,最终确定全局变量结果,这个and方式不错。
;前面调用我们修改了EAX来让全局变量为1,再次调用如果还是返回EAX=0,则会修改全局为未授权。
00A0DE2F |. 8D4D D8 lea ecx, dword ptr [ebp-0x28]
00A0DE32 |. E8 183DF6FF call 00971B4F
00A0DE37 |. E8 72BE0500 call 00A69CAE
00A0DE3C \. C3 retn
第4处:
00A343CF . E8 D9F1FFFF call 00A335AD
00A343D4 . 83C4 10 add esp, 0x10
00A343D7 . 85C0 test eax, eax
00A343D9 . 0F9405 908DCF00 sete byte ptr [0xCF8D90] ;设置全局变量,并根据EAX的数值跳转判断授权码是否正确等
00A343E0 . 85C0 test eax, eax ; Switch (cases 0..3)
00A343E2 . 0F85 E4000000 jnz 00A344CC
00A343E8 . 8D45 D8 lea eax, dword ptr [ebp-0x28] ; Case 0 of switch 00A343E0
00A343EB . 50 push eax
00A343EC . E8 C7F9FFFF call 00A33DB8
00A343F1 . 8D45 A8 lea eax, dword ptr [ebp-0x58]
00A343F4 . 50 push eax
00A343F5 . E8 30FBFFFF call 00A33F2A
00A343FA . 59 pop ecx
00A343FB . 59 pop ecx
00A343FC . 8B4D D8 mov ecx, dword ptr [ebp-0x28]
00A343FF . C645 FC 03 mov byte ptr [ebp-0x4], 0x3
00A34403 . 397D EC cmp dword ptr [ebp-0x14], edi
00A34406 . 73 03 jnb short 00A3440B
00A34408 . 8D4D D8 lea ecx, dword ptr [ebp-0x28]
00A3440B > 3978 14 cmp dword ptr [eax+0x14], edi
00A3440E . 72 02 jb short 00A34412
00A34410 . 8B00 mov eax, dword ptr [eax]
00A34412 > 6A 01 push 0x1 ; /Arg5 = 00000001
00A34414 . 53 push ebx ; |Arg4
00A34415 . FF75 E8 push dword ptr [ebp-0x18] ; |Arg3
00A34418 . 51 push ecx ; |Arg2
00A34419 . 50 push eax ; |Arg1
00A3441A . E8 B055F4FF call 009799CF ; \sublime_.001D99CF
00A3441F . 8AD8 mov bl, al
00A34421 . 83C4 14 add esp, 0x14
00A34424 . F6DB neg bl
00A34426 . 8D4D A8 lea ecx, dword ptr [ebp-0x58]
00A34429 . 1ADB sbb bl, bl
00A3442B . C645 FC 02 mov byte ptr [ebp-0x4], 0x2
00A3442F . E8 1BD7F3FF call 00971B4F
00A34434 . FEC3 inc bl
00A34436 . 74 4E je short 00A34486
00A34438 . 8D45 C0 lea eax, dword ptr [ebp-0x40]
00A3443B . 50 push eax
00A3443C . E8 E9FAFFFF call 00A33F2A
00A34441 . 50 push eax
00A34442 . 8D45 A8 lea eax, dword ptr [ebp-0x58]
00A34445 . 68 ACBFC100 push 00C1BFAC ; Unable to write license file:
00A3444A . 50 push eax
00A3444B . C645 FC 04 mov byte ptr [ebp-0x4], 0x4
00A3444F . E8 3D95F6FF call 0099D991
00A34454 . 83C4 10 add esp, 0x10
00A34457 . C645 FC 05 mov byte ptr [ebp-0x4], 0x5
00A3445B . 3978 14 cmp dword ptr [eax+0x14], edi
00A3445E . 72 02 jb short 00A34462
00A34460 . 8B00 mov eax, dword ptr [eax]
00A34462 > 50 push eax
00A34463 . 8BCE mov ecx, esi
00A34465 . E8 503C1400 call 00B780BA
00A3446A . 50 push eax
00A3446B . E8 CE6B1300 call 00B6B03E
00A34470 . 59 pop ecx
00A34471 . 59 pop ecx
00A34472 . 8D4D A8 lea ecx, dword ptr [ebp-0x58]
00A34475 . E8 D5D6F3FF call 00971B4F
00A3447A . 8D4D C0 lea ecx, dword ptr [ebp-0x40]
00A3447D . C645 FC 02 mov byte ptr [ebp-0x4], 0x2
00A34481 . E8 C9D6F3FF call 00971B4F
00A34486 > 8B7D 8C mov edi, dword ptr [ebp-0x74]
00A34489 . 57 push edi ; /Arg1
00A3448A . E8 87FBFFFF call 00A34016 ; \sublime_.00294016
00A3448F . 59 pop ecx
00A34490 . 81FF F00D0C00 cmp edi, 0xC0DF0
00A34496 . 7E 08 jle short 00A344A0
00A34498 . 81FF 0CF20C00 cmp edi, 0xCF20C
00A3449E . 7C 0D jl short 00A344AD
00A344A0 > 8D87 9F51F5FF lea eax, dword ptr [edi+0xFFF5519F]
00A344A6 . 3D E6030000 cmp eax, 0x3E6
00A344AB . 77 07 ja short 00A344B4
00A344AD > 68 D0BFC100 push 00C1BFD0 ; Thanks for trying out Sublime Text 3!\n\nSublime Text 3 is a paid upgrade from Sublime Text 2, and an upgrade will be required for use when 3.0 is released.\n\nUntil then, please enjoy Sublime Text 3 Beta.
00A344B2 . EB 05 jmp short 00A344B9
00A344B4 > 68 9CC0C100 push 00C1C09C ; Thanks for purchasing!
00A344B9 > 8BCE mov ecx, esi
00A344BB . E8 FA3B1400 call 00B780BA
00A344C0 . 50 push eax
00A344C1 . E8 786B1300 call 00B6B03E
00A344C6 . 59 pop ecx
00A344C7 . 59 pop ecx
00A344C8 . 33DB xor ebx, ebx
00A344CA . EB 5B jmp short 00A34527
00A344CC > 83F8 01 cmp eax, 0x1
00A344CF . 75 07 jnz short 00A344D8
00A344D1 . 68 B8C0C100 push 00C1C0B8 ; That license key doesn't appear to be valid.\n\nPlease check that you have entered all lines from the license key, including the BEGIN LICENSE and END LICENSE lines.; Case 1 of switch 00A343E0
00A344D6 . EB 16 jmp short 00A344EE
00A344D8 > 83F8 02 cmp eax, 0x2
00A344DB . 75 07 jnz short 00A344E4
00A344DD . 68 5CC1C100 push 00C1C15C ; That license key is no longer valid.; Case 2 of switch 00A343E0
00A344E2 . EB 0A jmp short 00A344EE
00A344E4 > 83F8 03 cmp eax, 0x3
00A344E7 . 75 3E jnz short 00A34527
00A344E9 . 68 88C1C100 push 00C1C188 ; That license key has been invalidated, due to being shared.\n\nPlease email [email protected] to get your license key reissued.; Case 3 of switch 00A343E0
00A344EE > 8BCE mov ecx, esi
00A344F0 . E8 C53B1400 call 00B780BA
00A344F5 . 50 push eax
00A344F6 . E8 846A1300 call 00B6AF7F
00A344FB . 59 pop ecx
00A344FC . 59 pop ecx
00A344FD . EB 28 jmp short 00A34527
00A344FF > 8D45 C0 lea eax, dword ptr [ebp-0x40]
00A34502 . 50 push eax
00A34503 . E8 22FAFFFF call 00A33F2A
00A34508 . 59 pop ecx
00A34509 . C645 FC 06 mov byte ptr [ebp-0x4], 0x6
00A3450D . 3978 14 cmp dword ptr [eax+0x14], edi
00A34510 . 72 02 jb short 00A34514
00A34512 . 8B00 mov eax, dword ptr [eax]
00A34514 > 50 push eax
00A34515 . E8 DD43F4FF call 009788F7
00A3451A . 59 pop ecx
00A3451B . 8D4D C0 lea ecx, dword ptr [ebp-0x40]
00A3451E . C645 FC 02 mov byte ptr [ebp-0x4], 0x2
00A34522 . E8 28D6F3FF call 00971B4F
00A34527 > 399E D0000000 cmp dword ptr [esi+0xD0], ebx ; Default case of switch 00A343E0
00A3452D . 74 14 je short 00A34543
00A3452F . 8B8E D0000000 mov ecx, dword ptr [esi+0xD0]
00A34535 . 85C9 test ecx, ecx
00A34537 . 75 05 jnz short 00A3453E
00A34539 . E8 9F2E0300 call 00A673DD
00A3453E > 8B01 mov eax, dword ptr [ecx]
00A34540 . FF50 08 call dword ptr [eax+0x8]
至于其他方面的比较,并不修改全局变量,那么我们可以直接下手修改:
00A0CF12 . B001 mov al,1
00A0CF56 . B001 mov al,1
00A0DE27 B001 mov al,1
00A343D7 00A343D7 C605 908D5B01 01 mov byte ptr [0x15B8D90], 0x1
00A343DE 90 nop
00A343DF 90 nop
00A343E0 33C0 xor eax, eax
00A343E2 90 nop
00A343E3 90 nop
00A343E4 90 nop
00A343E5 90 nop
00A343E6 90 nop
00A343E7 90 nop
保存程序,完成PATCH。
【破解总结】
修改的时候发现不能直接返回0,感觉这种检测还不错,需要修改检测后的数据。
【版权声明】无
|
评分
-
查看全部评分
|
IP卡
发表于 2014-7-25 18:53:18
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2014-7-31 15:23:47
