; Beyond Compare v4.2.8 (build 23479)
; Beyond Compare v4.2.4 (build 22795)
; Beyond Compare v4.1.9 (build 21719)
; 网络校验黑名单去除
; 补丁授权用户名,序列号,授权数量等授权显示信息
; 
; FASM BC4.ASM version.dll
 
format PE64 GUI DLL;
entry DllEntryPoint;
 
use64;
;
include 'win64a.inc';
;
include 'MACRO/RESOURCE.INC';
 
section '.text' code readable executable;
 
; 修复导出表项
; 参数: 模块句柄, 函数名, 写出偏移(qword 大小)
macro apifix hMod,sz,fn
  {
  mov rdx, sz                ; arg2 (Win64): NUL-terminated export name
  mov rcx, hMod              ; arg1 (Win64): module handle to resolve against
  call [GetProcAddress]      ; rax = address of the export, or NULL on failure
  mov qword[fn], rax         ; store into the qword slot the _exp_* thunk jumps through
                             ; NOTE(review): a NULL result is stored unchecked, so a
                             ; missing export leaves a NULL forwarding slot
  };
 
; 利用 VirtualProtect 修改目标区域为可读写执行
; 修改完后再恢复其保护。
; 参数: 修改地址(地址偏移), 保护长度, 储存旧保护的地址, 
;       数据宽度(byte/word/dword/qword), 写出数据
macro fixCode lpAddr,len,oldProtect,dataWidth,data
  {
    lea rax, oldProtect
    invoke VirtualProtect, lpAddr, len, PAGE_EXECUTE_READWRITE, rax
     
    mov rax, lpAddr
    mov dataWidth [rax], data
     
    lea rax, oldProtect
    invoke VirtualProtect, lpAddr, len, dword[rax], rax
  };
 
; 修复导出的 API 地址
proc FixImport
  local hModule:QWORD
  local lpBuffer:QWORD

  ; Builds "<system directory>\version.dll" (GetSystemDirectory + szTargetLibrary),
  ; loads that module and fills every _* qword slot via GetProcAddress so the
  ; exported _exp_* thunks forward to the system copy.
  ; This is the proxy-DLL shape of a search-order hijack: a module named after a
  ; system DLL, loaded from the application directory, forwarding all exports to the
  ; real library. Defenders can flag a version.dll next to the executable that is
  ; not the Microsoft-signed system copy.
  frame
    invoke LocalAlloc, LPTR, MAX_PATH + 1           ; NOTE(review): NULL return is not checked
    mov [lpBuffer], rax
    invoke GetSystemDirectory, rax, MAX_PATH
    ; NOTE(review): buffer is MAX_PATH+1 bytes but strncat is bounded by MAX_PATH
    ; characters to append, so a long system directory could overrun it — verify.
    invoke strncat, [lpBuffer], szTargetLibrary, MAX_PATH
    invoke LoadLibrary, [lpBuffer]                  ; NOTE(review): NULL handle is not checked
    mov [hModule], rax
    invoke LocalFree,[lpBuffer]
   
    ; Each apifix stores GetProcAddress(hModule, name) into the matching qword slot.
    apifix [hModule], szGetFileVersionInfoA, _GetFileVersionInfoA
    apifix [hModule], szGetFileVersionInfoByHandle, _GetFileVersionInfoByHandle
    apifix [hModule], szGetFileVersionInfoExW, _GetFileVersionInfoExW
    apifix [hModule], szGetFileVersionInfoSizeA, _GetFileVersionInfoSizeA
    apifix [hModule], szGetFileVersionInfoSizeExW, _GetFileVersionInfoSizeExW
    apifix [hModule], szGetFileVersionInfoSizeW, _GetFileVersionInfoSizeW
    apifix [hModule], szGetFileVersionInfoW, _GetFileVersionInfoW
    apifix [hModule], szVerFindFileA, _VerFindFileA
    apifix [hModule], szVerFindFileW, _VerFindFileW
    apifix [hModule], szVerInstallFileA, _VerInstallFileA
    apifix [hModule], szVerInstallFileW, _VerInstallFileW
    apifix [hModule], szVerLanguageNameA, _VerLanguageNameA
    apifix [hModule], szVerLanguageNameW, _VerLanguageNameW
    apifix [hModule], szVerQueryValueA, _VerQueryValueA
    apifix [hModule], szVerQueryValueW, _VerQueryValueW
    apifix [hModule], szVerQueryValueIndexA, _VerQueryValueIndexA
    apifix [hModule], szVerQueryValueIndexW, _VerQueryValueIndexW
  endf;
       
  ret
endp;
 
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
  local hModule:QWORD
  local oldProtect:DWORD
  local lpBuffer:QWORD
  cmp edx, 1
  jnz skipPatch
   
  ; 检测是否为目标进程
  frame
    invoke LocalAlloc, LPTR, MAX_PATH + 1
    mov [lpBuffer], rax
    invoke GetModuleFileName, NULL, rax, MAX_PATH
    invoke strstr, [lpBuffer], szTargetExeName
    mov dword[oldProtect], eax
    invoke LocalFree,[lpBuffer]
  endf
   
  cmp dword[oldProtect], 0
  jz skipPatch
     
  frame
    ; 取得当前主程序句柄 
    ; 主程序基地址 0x0000000000400000
    invoke GetModuleHandle,NULL
    mov [hModule], rax
     
    ; 00000000012D0D99 | B0 00                    | mov al,0
    ; 48 8B 4D 20 B2 01 E8 ?? ?? ?? ?? 48 8B 4D 20 B2 01
    ; 特征码偏移+0x2F +0x1 修改 B0 01 为 B0 00 
    add rax, 0x1015351 ; 0xFF97F1 ; 0xED0D9A ; offset
    mov [lpBuffer], rax
     
    fixCode [lpBuffer], 1, [oldProtect], byte, 0x00
     
    ; 00000000017EEADE | B0 00                    | mov al,0
    ; 48 39 45 70 7C 0C 48 83 7D 70 00 74 05 48 33 C0 EB 02 
    ; 特征码偏移+0x12 +0x1 修改 B0 01 为 B0 00
    mov rax, [hModule]
    add rax, 0x15A56BF; 0x158564F ; 0x13EEADF ; offset
    mov [lpBuffer], rax
     
    fixCode [lpBuffer], 1, [oldProtect], byte, 0x00
     
    ; 写出 Shell Code, 让其在加载授权信息时显示我们想要的信息。
    ; 因为要修改好几个到好几个地方,所以还是手动算了
    ; 0000000000BE9170 | 48 C7 45 30 00 00 00 00           | MOV QWORD PTR SS:[RBP+0x30],0x0   |
    ; 0000000000BE9178 | 48 C7 45 40 00 00 00 00           | MOV QWORD PTR SS:[RBP+0x40],0x0   |
    ; 搜索字符串 Windows, Linux, OS X
    ; 55 53 48 81 EC 98 00 00 00 48 8B EC 48 89 4D 28 48 C7 45 30 00 00 00 00 48 C7 45 40 00 00 00 00
    ; 特征码偏移+0x10 
    ; 0000000000BE9160 | 55                                | PUSH RBP                          |
    ; 0000000000BE9161 | 53                                | PUSH RBX                          |
    ; 0000000000BE9162 | 48 81 EC 98 00 00 00              | SUB RSP,0x98                      |
    ; 0000000000BE9169 | 48 8B EC                          | MOV RBP,RSP                       |
    ; 0000000000BE916C | 48 89 4D 28                       | MOV QWORD PTR SS:[RBP+0x28],RCX   |
    ; 0000000000BE9170 | 48 C7 45 30 00 00 00 00           | MOV QWORD PTR SS:[RBP+0x30],0x0   |
    ; 另一个特征码
    ; 48 C7 45 38 00 00 00 00 48 C7 45 50 00 00 00 00 48 C7 45 48 00 00 00 00 48 C7 45 58 00 00 00 00 48 C7 45 60 00 00 00 00 48 C7 45 68 00 00 00 00 48 C7 85 88 00 00 00 00 00 00 00 48 C7 85 80 00 00 00 00 00 00 00 48 C7 45 78 00 00 00 00 48 C7 45 70 00 00 00 00
    ; $-20             0000000000BEBDD0 | 55                          | push rbp                                 |
    ; $-1F             0000000000BEBDD1 | 53                          | push rbx                                 |
    ; $-1E             0000000000BEBDD2 | 48:81EC 98000000            | sub rsp,0x98                             |
    ; $-17             0000000000BEBDD9 | 48:8BEC                     | mov rbp,rsp                              |
    ; $-14             0000000000BEBDDC | 48:894D 28                  | mov qword ptr ss:[rbp+0x28],rcx          |
    ; $-10             0000000000BEBDE0 | 48:C745 30 00000000         | mov qword ptr ss:[rbp+0x30],0x0          |
    ; $-8              0000000000BEBDE8 | 48:C745 40 00000000         | mov qword ptr ss:[rbp+0x40],0x0          |
    ; $ ==>            0000000000BEBDF0 | 48:C745 38 00000000         | mov qword ptr ss:[rbp+0x38],0x0          |
    ; $+8              0000000000BEBDF8 | 48:C745 50 00000000         | mov qword ptr ss:[rbp+0x50],0x0          |
    ; $+10             0000000000BEBE00 | 48:C745 48 00000000         | mov qword ptr ss:[rbp+0x48],0x0          |
    ; $+18             0000000000BEBE08 | 48:C745 58 00000000         | mov qword ptr ss:[rbp+0x58],0x0          |
    ; $+20             0000000000BEBE10 | 48:C745 60 00000000         | mov qword ptr ss:[rbp+0x60],0x0          |
    ; $+28             0000000000BEBE18 | 48:C745 68 00000000         | mov qword ptr ss:[rbp+0x68],0x0          |
    ; $+30             0000000000BEBE20 | 48:C785 88000000 00000000   | mov qword ptr ss:[rbp+0x88],0x0          |
    ; $+3B             0000000000BEBE2B | 48:C785 80000000 00000000   | mov qword ptr ss:[rbp+0x80],0x0          |
    ; $+46             0000000000BEBE36 | 48:C745 78 00000000         | mov qword ptr ss:[rbp+0x78],0x0          |
    ; $+4E             0000000000BEBE3E | 48:C745 70 00000000         | mov qword ptr ss:[rbp+0x70],0x0          |
    ; $+56             0000000000BEBE46 | 90                          | nop                                      |
    mov rax, [hModule]
    add rax, 0x7FD170; 0x7EBDE0 ; 0x7E9170 ; offset
    mov [lpBuffer], rax
     
    ; 准备
    lea rax, [oldProtect]
    invoke VirtualProtect, [lpBuffer], 0x10, PAGE_EXECUTE_READWRITE, rax
     
    ; 修改
    mov rax, [lpBuffer]
    mov word[rax], 0xB848  ; mov rax, pfn_address
    add rax, 2
    ;
    mov qword[rax], fnPatchName
    add rax, 8
    mov dword[rax], 0x02EBD0FF ; call rax; jmp $2;
    ;
    add rax, 4
    mov word[rax], 0x9090 ; nop nop
    
     
    ; 还原
    lea rax, [oldProtect]
    invoke VirtualProtect, [lpBuffer], 0x10, dword[rax], rax
  endf
   
skipPatch:
  call FixImport
  mov eax,TRUE
  ret
endp
 
; 修改关于界面的显示信息回调
proc fnPatchName
  local base:QWORD
  local oldProtect:DWORD
  local lpBuffer:QWORD
    ; rcx = target
    ; rcx+1A0h: user name
    ; rcx+F0h : Serial
    ;
    ; v4.2.4
    ; rcx+E0h: 9999|
    ; rcx+F0h: 8554-0505
    ; rcx+108h: B.S.
    ; dump rcx+0xF0
    mov [base], rcx
    ; 拷贝用户名 
    mov rax, [rcx + 0x108]
    mov [lpBuffer], rax
    ; 欲补丁的原注册的用户名,最好长一点16位长的字符串+1个结束符, 否则退出会崩溃
    invoke strncpy, [lpBuffer], szLicenseName, 0x11 
    
    ; 尝试替换用户名指针
    ;mov rax, szLicenseName 
    ;mov [rcx + 0x108], rax
    ; 拷贝序列号
    mov rax, [base]
    mov rax, [rax + 0xF0]
    mov [lpBuffer], rax
    ; 序列号9位加1位结束符,长10个字符
    invoke strncpy, [lpBuffer], szSerialNumber, 0x0A
 
    leave
    ; 继续程序原本的初始化代码
    xor rax, rax
    mov [rbp + 0x30], rax
    mov [rbp + 0x40], rax
    retn
endp
 
; Exported entry points: each is an indirect jmp through the qword slot that
; FixImport fills, i.e. a tail-call forward to the system library with the
; caller's registers and stack untouched. If a slot is still NULL (FixImport
; not yet run or a lookup failed) the jump faults.
_exp_GetFileVersionInfoA:           jmp [                _GetFileVersionInfoA  ]
_exp_GetFileVersionInfoByHandle:    jmp [        _GetFileVersionInfoByHandle   ]
_exp_GetFileVersionInfoExW:         jmp [                _GetFileVersionInfoExW]
_exp_GetFileVersionInfoSizeA:       jmp [            _GetFileVersionInfoSizeA  ]
_exp_GetFileVersionInfoSizeExW:     jmp [            _GetFileVersionInfoSizeExW]
_exp_GetFileVersionInfoSizeW:       jmp [            _GetFileVersionInfoSizeW  ]
_exp_GetFileVersionInfoW:           jmp [                _GetFileVersionInfoW  ]
_exp_VerFindFileA:                  jmp [                       _VerFindFileA  ]
_exp_VerFindFileW:                  jmp [                       _VerFindFileW  ]
_exp_VerInstallFileA:               jmp [                    _VerInstallFileA  ]
_exp_VerInstallFileW:               jmp [                    _VerInstallFileW  ]
_exp_VerLanguageNameA:              jmp [                   _VerLanguageNameA  ]
_exp_VerLanguageNameW:              jmp [                   _VerLanguageNameW  ]
_exp_VerQueryValueA:                jmp [                     _VerQueryValueA  ]
_exp_VerQueryValueW:                jmp [                     _VerQueryValueW  ]
_exp_VerQueryValueIndexA:           jmp [                _VerQueryValueIndexA  ]
_exp_VerQueryValueIndexW:           jmp [                _VerQueryValueIndexW  ]
 
; 常数
section '.szdb' data readable;
  szTargetExeName db "\BCompare.exe", 0
  szTargetLibrary db "\version.dll",  0
  szLicenseName   db "B.S.[allin1.xyz]", 0 ; "FASM v1.71.64", 0 ;
  szSerialNumber  db "6666-9999",     0
 
  szGetFileVersionInfoA         db "GetFileVersionInfoA",         0
  szGetFileVersionInfoByHandle  db "GetFileVersionInfoByHandle",  0
  szGetFileVersionInfoExW       db "GetFileVersionInfoExW",       0
  szGetFileVersionInfoSizeA     db "GetFileVersionInfoSizeA",     0
  szGetFileVersionInfoSizeExW   db "GetFileVersionInfoSizeExW",   0
  szGetFileVersionInfoSizeW     db "GetFileVersionInfoSizeW",     0
  szGetFileVersionInfoW         db "GetFileVersionInfoW",         0
  szVerFindFileA                db "VerFindFileA",                0
  szVerFindFileW                db "VerFindFileW",                0
  szVerInstallFileA             db "VerInstallFileA",             0
  szVerInstallFileW             db "VerInstallFileW",             0
  szVerLanguageNameA            db "VerLanguageNameA",            0
  szVerLanguageNameW            db "VerLanguageNameW",            0
  szVerQueryValueA              db "VerQueryValueA",              0
  szVerQueryValueW              db "VerQueryValueW",              0
  szVerQueryValueIndexA         db "VerQueryValueIndexA",         0
  szVerQueryValueIndexW         db "VerQueryValueIndexW",         0
 
; 跳转地址储存
section '.expw' data readable writeable;
  _GetFileVersionInfoA              dq ?
  _GetFileVersionInfoByHandle       dq ?
  _GetFileVersionInfoExW            dq ?
  _GetFileVersionInfoSizeA          dq ?
  _GetFileVersionInfoSizeExW        dq ?
  _GetFileVersionInfoSizeW          dq ?
  _GetFileVersionInfoW              dq ?
  _VerFindFileA                     dq ?
  _VerFindFileW                     dq ?
  _VerInstallFileA                  dq ?
  _VerInstallFileW                  dq ?
  _VerLanguageNameA                 dq ?
  _VerLanguageNameW                 dq ?
  _VerQueryValueA                   dq ?
  _VerQueryValueW                   dq ?
  _VerQueryValueIndexA              dq ?
  _VerQueryValueIndexW              dq ?
 
section '.idata' import data readable writeable; \          Version.dll 劫持补丁
  library kernel,'KERNEL32.DLL',                  \
    msvc,'msvcrt.dll';                             \       FASM 1.71.64 编译通过
                     ;                              \      测试于 BC4 可正常使用
  import kernel,                                     \
   VirtualProtect,'VirtualProtect',                   \
   LocalAlloc,'LocalAlloc',                            \
   LocalFree,'LocalFree',                               \
   GetModuleHandle,'GetModuleHandleA',                   \
   LoadLibrary,'LoadLibraryA',                            \
   GetProcAddress,'GetProcAddress',                        \
   GetModuleFileName,'GetModuleFileNameA',                  \
   GetSystemDirectory,'GetSystemDirectoryA';                 \         Jixun.Moe and B.S.
 
  import msvc,        \
     strstr,'strstr',  \
     strncpy,'strncpy', \
     strncat,'strncat'
 
section '.edata' export data readable;                        \  52破解 & 飘云阁
  export 'version.dll',                                        \
    _exp_GetFileVersionInfoA,       'GetFileVersionInfoA',      \
    _exp_GetFileVersionInfoByHandle,'GetFileVersionInfoByHandle',\
    _exp_GetFileVersionInfoExW,     'GetFileVersionInfoExW',      \
    _exp_GetFileVersionInfoSizeA,   'GetFileVersionInfoSizeA',     \
    _exp_GetFileVersionInfoSizeExW, 'GetFileVersionInfoSizeExW',    \
    _exp_GetFileVersionInfoSizeW,   'GetFileVersionInfoSizeW',       \
    _exp_GetFileVersionInfoW,       'GetFileVersionInfoW',            \
    _exp_VerFindFileA,              'VerFindFileA',                    \
    _exp_VerFindFileW,              'VerFindFileW',                     \
    _exp_VerInstallFileA,           'VerInstallFileA',                   \
    _exp_VerInstallFileW,           'VerInstallFileW',                    \
    _exp_VerLanguageNameA,          'VerLanguageNameA',                    \
    _exp_VerLanguageNameW,          'VerLanguageNameW',                     \
    _exp_VerQueryValueA,            'VerQueryValueA',                        \
    _exp_VerQueryValueW,            'VerQueryValueW',                         \
    _exp_VerQueryValueIndexA,       'VerQueryValueIndexA',                     \
    _exp_VerQueryValueIndexW,       'VerQueryValueIndexW'
 
section '.reloc' data fixups readable discardable;
; 在代码中添加一个资源节。
section '.rsrc' resource data readable
  ; resource directory
  directory RT_VERSION,versions
  ; resource subdirectories
  resource versions,\
           1,LANG_NEUTRAL,version
  ; macro version label, fileos, filetype, filesubtype, lang, cp, [name,value]
  versioninfo version,VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ENGLISH+SUBLANG_DEFAULT,0,\
              'CompanyName', 'Allin1.Xyz', \
              'FileDescription', 'B.S. x64 Beyond Compare v4 Patcher Version Checking and File Installation Libraries', \
              'LegalCopyright', 'Www.Allin1.Xyz No rights reserved.', \
              'LegalTrademarks', 'Www.Allin1.Xyz', \
              'OriginalFilename', 'version.dll', \
              'InternalName', 'version', \
              'ProductVersion', '1.5.8.8', \
              'ProductName', 'Beyond Compare v4 Patcher', \
              'FileVersion','4.2.8.23479'