论坛的X64和谐补丁,启动后如果马上点关于,会先出现注册给:PYG,然后马上显示未注册。
于是研究一下,简单跟了一下弹窗,发现弹窗上修改注册给用的API为 SetDlgItemTextW,所以我们把这个拦截下来,用Detours把这里Patch出来,看是谁设置的文字。
// Signature of user32!SetDlgItemTextW, so the original entry point can be kept
// in a typed pointer and called from the replacement routine.
typedef BOOL (WINAPI * PF_SetDlgItemTextW)(HWND hDlg, int nIDDlgItem, LPCWSTR lpString);

// Starts out pointing at the real SetDlgItemTextW. DetourAttach() is handed the
// address of this variable, so after the transaction commits it refers to the
// trampoline and calling through it reaches the original implementation.
PF_SetDlgItemTextW g_SetDlgItemTextW = ::SetDlgItemTextW;
// Replacement for SetDlgItemTextW installed by InitDetours().
//
// For every non-null string it first checks (case-insensitively) whether the
// text equals the caption being traced and, if so, pops a marker message box;
// it then echoes the string to the debugger output. In all cases the call is
// forwarded to the original SetDlgItemTextW and its result returned unchanged.
BOOL WINAPI NsSetDlgItemTextW(HWND hDlg, int nIDDlgItem, LPCWSTR lpString)
{
    if (lpString != NULL)
    {
        const CString text(lpString);
        // Case-insensitive comparison against the caption of interest.
        const bool isTarget = (text.CompareNoCase(L"注册至:(未注册)") == 0);
        if (isTarget)
        {
            MessageBox(NULL, L"XXX", L"aaa", 0);
        }
        OutputDebugString(lpString);
    }
    // Always hand the call through to the original entry point.
    return g_SetDlgItemTextW(hDlg, nIDDlgItem, lpString);
}
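// Install the SetDlgItemTextW hook through a Detours transaction.
//
// Returns TRUE when every step (begin, update thread, attach, commit) reported
// NO_ERROR, FALSE otherwise.
//
// Fixes over the previous version: (1) DetourAttach()'s return value was
// ignored, so a failed attach was only discovered at commit time; (2) when
// DetourUpdateThread() failed the function left the transaction open, and any
// later DetourTransactionBegin() would fail with ERROR_INVALID_OPERATION.
// The __finally block now aborts a transaction that was opened but never
// successfully committed.
BOOL InitDetours()
{
    BOOL bRet = FALSE;
    BOOL bInTransaction = FALSE;
    __try
    {
        // Step 1: open the transaction. Any non-zero result is a failure.
        if (DetourTransactionBegin() != NO_ERROR)
            __leave;
        bInTransaction = TRUE;

        // Step 2: enlist the current thread so Detours can adjust its
        // instruction pointer if it is inside a patched prologue at commit.
        if (DetourUpdateThread(::GetCurrentThread()) != NO_ERROR)
            __leave;

        // Step 3: queue the replacement. g_SetDlgItemTextW is rewritten to the
        // trampoline when the transaction commits. The result is checked
        // instead of being silently dropped.
        if (DetourAttach(&(PVOID&)g_SetDlgItemTextW, NsSetDlgItemTextW) != NO_ERROR)
            __leave;
        // Additional hooks would be queued here in the same way.
        //DetourAttach( &(PVOID&)g_LoadLibraryW, NsLoadLibraryW );
        // DetourAttach( &(PVOID&)pMessageBoxA, NsMessageBoxA );

        // Step 4: apply every queued change atomically.
        if (DetourTransactionCommit() != NO_ERROR)
            __leave;
        bRet = TRUE;
    }
    __finally
    {
        // A transaction that was opened but not committed must be torn down,
        // otherwise the next DetourTransactionBegin() is refused. If the commit
        // itself failed Detours may already have aborted it; a redundant
        // DetourTransactionAbort() then just returns an error and is harmless.
        if (bInTransaction && !bRet)
            DetourTransactionAbort();
    }
    return bRet;
}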
返回之后,我们发现调用来自于 000007FDFFA94B95 call qword ptr ds:[<&SetDlgItemTextW>]
我们看一下这个函数,首先 mov rbx,rcx ,这里 rcx 应该就是类对象了,然后 dword ptr ds:[rbx+90] 赋值并比较,所以猜测这里应该就是类对象的 RegisterType 成员,由于我们知道这里必须为1,所以我们要想办法把这个内存数据动态修改为1就可以完成完美破解了。
- 000007FDFFA94974 | 48 8B C4 | mov rax,rsp | ;rax:DoAbout
- 000007FDFFA94977 | 48 89 58 08 | mov qword ptr ds:[rax+8],rbx |
- 000007FDFFA9497B | 48 89 70 10 | mov qword ptr ds:[rax+10],rsi |
- 000007FDFFA9497F | 48 89 78 18 | mov qword ptr ds:[rax+18],rdi |
- 000007FDFFA94983 | 4C 89 70 20 | mov qword ptr ds:[rax+20],r14 |
- 000007FDFFA94987 | 55 | push rbp |
- 000007FDFFA94988 | 48 8D A8 A8 F9 FF FF | lea rbp,qword ptr ds:[rax-658] |
- 000007FDFFA9498F | 48 81 EC 50 07 00 00 | sub rsp,750 |
- 000007FDFFA94996 | 83 B9 90 00 00 00 FF | cmp dword ptr ds:[rcx+90],FFFFFFFF |;判断该数值是否为-1(未初始化)
- 000007FDFFA9499D | 48 8B D9 | mov rbx,rcx |;类对象指针给 rbx
- 000007FDFFA949A0 | 0F 84 0F 02 00 00 | je emeddlgs.7FDFFA94BB5 |
- 000007FDFFA949A6 | 4C 8D 81 94 00 00 00 | lea r8,qword ptr ds:[rcx+94] |
- 000007FDFFA949AD | BF 2C 01 00 00 | mov edi,12C |
- 000007FDFFA949B2 | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA949B6 | 8B D7 | mov edx,edi |
- 000007FDFFA949B8 | E8 5B CC FF FF | call emeddlgs.7FDFFA91618 |
- 000007FDFFA949BD | 8B 83 90 00 00 00 | mov eax,dword ptr ds:[rbx+90] |;这里是类对象的 RegisterType 成员
- 000007FDFFA949C3 | BE 01 00 00 00 | mov esi,1 |
- 000007FDFFA949C8 | 83 F8 06 | cmp eax,6 |
- 000007FDFFA949CB | 0F 87 A4 01 00 00 | ja emeddlgs.7FDFFA94B75 |
- 000007FDFFA949D1 | 8D 4E 49 | lea ecx,dword ptr ds:[rsi+49] |
- 000007FDFFA949D4 | 0F A3 C1 | bt ecx,eax |
- 000007FDFFA949D7 | 0F 83 98 01 00 00 | jnb emeddlgs.7FDFFA94B75 |
- 000007FDFFA949DD | 48 8D 55 80 | lea rdx,qword ptr ss:[rbp-80] |
- 000007FDFFA949E1 | 48 8D 4C 24 40 | lea rcx,qword ptr ss:[rsp+40] |
- 000007FDFFA949E6 | E8 FD F7 FF FF | call emeddlgs.7FDFFA941E8 |
- 000007FDFFA949EB | 45 33 F6 | xor r14d,r14d |
- 000007FDFFA949EE | 85 C0 | test eax,eax |
- 000007FDFFA949F0 | 0F 84 92 01 00 00 | je emeddlgs.7FDFFA94B88 |
- 000007FDFFA949F6 | 66 44 39 74 24 40 | cmp word ptr ss:[rsp+40],r14w |
- 000007FDFFA949FC | 0F 84 86 01 00 00 | je emeddlgs.7FDFFA94B88 |
- 000007FDFFA94A02 | 4C 8D 05 47 DB 03 00 | lea r8,qword ptr ds:[7FDFFAD2550] |
- 000007FDFFA94A09 | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA94A0D | 8B D7 | mov edx,edi |
- 000007FDFFA94A0F | E8 60 EA FF FF | call emeddlgs.7FDFFA93474 |
- 000007FDFFA94A14 | 4C 8D 45 80 | lea r8,qword ptr ss:[rbp-80] |
- 000007FDFFA94A18 | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA94A1C | 8B D7 | mov edx,edi |
- 000007FDFFA94A1E | E8 51 EA FF FF | call emeddlgs.7FDFFA93474 |
- 000007FDFFA94A23 | 48 8B 0D 8E 2F 05 00 | mov rcx,qword ptr ds:[7FDFFAE79B8] |
- 000007FDFFA94A2A | 44 8D 4F D8 | lea r9d,dword ptr ds:[rdi-28] |
- 000007FDFFA94A2E | 4C 8D 85 40 04 00 00 | lea r8,qword ptr ss:[rbp+440] |
- 000007FDFFA94A35 | 8D 56 74 | lea edx,dword ptr ds:[rsi+74] |
- 000007FDFFA94A38 | FF 15 8A 4C 03 00 | call qword ptr ds:[<&LoadStringW>] |
- 000007FDFFA94A3E | 48 8B 4B 08 | mov rcx,qword ptr ds:[rbx+8] |
- 000007FDFFA94A42 | 4C 8D 85 40 04 00 00 | lea r8,qword ptr ss:[rbp+440] |
- 000007FDFFA94A49 | BA 53 04 00 00 | mov edx,453 |
- 000007FDFFA94A4E | FF 15 14 4D 03 00 | call qword ptr ds:[<&SetDlgItemTextW>] |
- 000007FDFFA94A54 | 8B 83 90 00 00 00 | mov eax,dword ptr ds:[rbx+90] | ;这里是类对象的 RegisterType 成员
- 000007FDFFA94A5A | 3B C6 | cmp eax,esi |
- 000007FDFFA94A5C | 74 09 | je emeddlgs.7FDFFA94A67 |
- 000007FDFFA94A5E | 83 F8 06 | cmp eax,6 |
- 000007FDFFA94A61 | 0F 85 21 01 00 00 | jnz emeddlgs.7FDFFA94B88 |
- 000007FDFFA94A67 | 48 8D 54 24 30 | lea rdx,qword ptr ss:[rsp+30] |
- 000007FDFFA94A6C | 48 8D 4C 24 40 | lea rcx,qword ptr ss:[rsp+40] |
- 000007FDFFA94A71 | E8 F2 19 02 00 | call emeddlgs.7FDFFAB6468 |
- 000007FDFFA94A76 | 84 C0 | test al,al |
- 000007FDFFA94A78 | 0F 84 0A 01 00 00 | je emeddlgs.7FDFFA94B88 |
- 000007FDFFA94A7E | 4C 8D 05 C3 DA 03 00 | lea r8,qword ptr ds:[7FDFFAD2548] |
- 000007FDFFA94A85 | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA94A89 | 48 8B D7 | mov rdx,rdi |
- 000007FDFFA94A8C | E8 E3 E9 FF FF | call emeddlgs.7FDFFA93474 |
- 000007FDFFA94A91 | B8 DD 07 00 00 | mov eax,7DD |
- 000007FDFFA94A96 | 66 39 44 24 30 | cmp word ptr ss:[rsp+30],ax |
- 000007FDFFA94A9B | 75 31 | jnz emeddlgs.7FDFFA94ACE |
- 000007FDFFA94A9D | 66 39 74 24 32 | cmp word ptr ss:[rsp+32],si |
- 000007FDFFA94AA2 | 75 2A | jnz emeddlgs.7FDFFA94ACE |
- 000007FDFFA94AA4 | 66 39 74 24 36 | cmp word ptr ss:[rsp+36],si |
- 000007FDFFA94AA9 | 75 23 | jnz emeddlgs.7FDFFA94ACE |
- 000007FDFFA94AAB | 48 8B 0D 06 2F 05 00 | mov rcx,qword ptr ds:[7FDFFAE79B8] |
- 000007FDFFA94AB2 | 41 B9 04 01 00 00 | mov r9d,104 |
- 000007FDFFA94AB8 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss:[rbp+230] |
- 000007FDFFA94ABF | 41 8D 51 5C | lea edx,dword ptr ds:[r9+5C] |
- 000007FDFFA94AC3 | FF 15 FF 4B 03 00 | call qword ptr ds:[<&LoadStringW>] |
- 000007FDFFA94AC9 | E9 8B 00 00 00 | jmp emeddlgs.7FDFFA94B59 | ;JUMP ...
- 000007FDFFA94ACE | 48 8B 4B 08 | mov rcx,qword ptr ds:[rbx+8] |
- 000007FDFFA94AD2 | BA 10 07 00 00 | mov edx,710 |
- 000007FDFFA94AD7 | FF 15 63 4C 03 00 | call qword ptr ds:[<&GetDlgItem>] |
- 000007FDFFA94ADD | 8B D6 | mov edx,esi |
- 000007FDFFA94ADF | 48 8B C8 | mov rcx,rax | ;rax:DoAbout
- 000007FDFFA94AE2 | FF 15 90 4C 03 00 | call qword ptr ds:[<&EnableWindow>] |
- 000007FDFFA94AE8 | 48 8B 0D C9 2E 05 00 | mov rcx,qword ptr ds:[7FDFFAE79B8] |
- 000007FDFFA94AEF | 41 B9 04 01 00 00 | mov r9d,104 |
- 000007FDFFA94AF5 | 41 8D 51 5B | lea edx,dword ptr ds:[r9+5B] |
- 000007FDFFA94AF9 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss:[rbp+230] |
- 000007FDFFA94B00 | FF 15 C2 4B 03 00 | call qword ptr ds:[<&LoadStringW>] |
- 000007FDFFA94B06 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss:[rbp+230] |
- 000007FDFFA94B0D | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA94B11 | 48 8B D7 | mov rdx,rdi |
- 000007FDFFA94B14 | E8 5B E9 FF FF | call emeddlgs.7FDFFA93474 |
- 000007FDFFA94B19 | 48 8D 85 30 02 00 00 | lea rax,qword ptr ss:[rbp+230] | ;rax:DoAbout
- 000007FDFFA94B20 | 4C 8D 44 24 30 | lea r8,qword ptr ss:[rsp+30] |
- 000007FDFFA94B25 | 45 33 C9 | xor r9d,r9d |
- 000007FDFFA94B28 | 8B D6 | mov edx,esi |
- 000007FDFFA94B2A | B9 00 04 00 00 | mov ecx,400 |
- 000007FDFFA94B2F | C7 44 24 28 04 01 00 00 | mov dword ptr ss:[rsp+28],104 |
- 000007FDFFA94B37 | 48 89 44 24 20 | mov qword ptr ss:[rsp+20],rax | ;rax:DoAbout
- 000007FDFFA94B3C | FF 15 76 46 03 00 | call qword ptr ds:[<&GetDateFormatW>] |
- 000007FDFFA94B42 | 85 C0 | test eax,eax |
- 000007FDFFA94B44 | 74 26 | je emeddlgs.7FDFFA94B6C |
- 000007FDFFA94B46 | 4C 8D 05 0B DA 03 00 | lea r8,qword ptr ds:[7FDFFAD2558] |
- 000007FDFFA94B4D | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA94B51 | 48 8B D7 | mov rdx,rdi |
- 000007FDFFA94B54 | E8 1B E9 FF FF | call emeddlgs.7FDFFA93474 |
- 000007FDFFA94B59 | 4C 8D 85 30 02 00 00 | lea r8,qword ptr ss:[rbp+230] |
- 000007FDFFA94B60 | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA94B64 | 48 8B D7 | mov rdx,rdi |
- 000007FDFFA94B67 | E8 08 E9 FF FF | call emeddlgs.7FDFFA93474 |
- 000007FDFFA94B6C | 4C 8D 05 E1 D9 03 00 | lea r8,qword ptr ds:[7FDFFAD2554] |
- 000007FDFFA94B73 | EB 07 | jmp emeddlgs.7FDFFA94B7C |
- 000007FDFFA94B75 | 4C 8D 83 5C 01 00 00 | lea r8,qword ptr ds:[rbx+15C] | ;xxxxxxxxxxxx
- 000007FDFFA94B7C | 48 8D 4D D0 | lea rcx,qword ptr ss:[rbp-30] |
- 000007FDFFA94B80 | 48 8B D7 | mov rdx,rdi |
- 000007FDFFA94B83 | E8 EC E8 FF FF | call emeddlgs.7FDFFA93474 |
- 000007FDFFA94B88 | 48 8B 4B 08 | mov rcx,qword ptr ds:[rbx+8] |
- 000007FDFFA94B8C | 4C 8D 45 D0 | lea r8,qword ptr ss:[rbp-30] |
- 000007FDFFA94B90 | BA 1B 04 00 00 | mov edx,41B |
- 000007FDFFA94B95 | FF 15 CD 4B 03 00 | call qword ptr ds:[<&SetDlgItemTextW>] | ;就是这里设置注册给 XXX
- 000007FDFFA94B9B | 48 8B 4B 08 | mov rcx,qword ptr ds:[rbx+8] |
- 000007FDFFA94B9F | BA 53 04 00 00 | mov edx,453 |
- 000007FDFFA94BA4 | FF 15 96 4B 03 00 | call qword ptr ds:[<&GetDlgItem>] |
- 000007FDFFA94BAA | 8B D6 | mov edx,esi |
- 000007FDFFA94BAC | 48 8B C8 | mov rcx,rax | ;rax:DoAbout
- 000007FDFFA94BAF | FF 15 C3 4B 03 00 | call qword ptr ds:[<&EnableWindow>] |
- 000007FDFFA94BB5 | 4C 8D 9C 24 50 07 00 00 | lea r11,qword ptr ss:[rsp+750] |
- 000007FDFFA94BBD | 49 8B 5B 10 | mov rbx,qword ptr ds:[r11+10] |
- 000007FDFFA94BC1 | 49 8B 73 18 | mov rsi,qword ptr ds:[r11+18] |
- 000007FDFFA94BC5 | 49 8B 7B 20 | mov rdi,qword ptr ds:[r11+20] |
- 000007FDFFA94BC9 | 4D 8B 73 28 | mov r14,qword ptr ds:[r11+28] |
- 000007FDFFA94BCD | 49 8B E3 | mov rsp,r11 |
- 000007FDFFA94BD0 | 5D | pop rbp |
- 000007FDFFA94BD1 | C3 | ret |
这个是分析思路,剩下的就是去实现这个想法了。O(∩_∩)O哈哈~