使用x64dbg进行修改
从网上找来一片文章,感觉靠谱,如下
---------------------------------------------------------------------------------------
第一次看到这个界面还是在十多年前,当时的我并不明白这些数据的含义。
现在为它写一篇博客,算是一种纪念吧。
用x64dbg加载exescope,来到0x401000。搜索当前模块中的字符串 在结果中搜索关键字“reg"。
来到004CA44 ,这就是判断注册是否合法的函数。
1 004C2A44 | 55 | push ebp | 2 004C2A45 | 8BEC | mov ebp,esp | 3 004C2A47 | 33C9 | xor ecx,ecx | ecx:EntryPoint 4 004C2A49 | 51 | push ecx | ecx:EntryPoint 5 004C2A4A | 51 | push ecx | ecx:EntryPoint 6 004C2A4B | 51 | push ecx | ecx:EntryPoint 7 004C2A4C | 51 | push ecx | ecx:EntryPoint 8 004C2A4D | 51 | push ecx | ecx:EntryPoint 9 004C2A4E | 53 | push ebx | 10 004C2A4F | 56 | push esi | esi:EntryPoint 11 004C2A50 | 57 | push edi | edi:EntryPoint 12 004C2A51 | 8BD8 | mov ebx,eax | 13 004C2A53 | 33C0 | xor eax,eax | 14 004C2A55 | 55 | push ebp | 15 004C2A56 | 68 A12B4C00 | push 0x4C2BA1 | 16 004C2A5B | 64:FF30 | push dword ptr fs:[eax] | 17 004C2A5E | 64:8920 | mov dword ptr fs:[eax],esp | 18 004C2A61 | A1 5CFC4C00 | mov eax,dword ptr ds:[0x4CFC5C] | 19 004C2A66 | 8038 00 | cmp byte ptr ds:[eax],0x0 | 20 004C2A69 | 74 0F | je 0x4C2A7A | 21 004C2A6B | C783 4C020000 02000000 | mov dword ptr ds:[ebx+0x24C],0x2 | ebx+24C:L"練" 22 004C2A75 | E9 FF000000 | jmp 0x4C2B79 | 23 004C2A7A | 8D55 FC | lea edx,dword ptr ss:[ebp-0x4] | edx:EntryPoint 24 004C2A7D | 8B83 F8020000 | mov eax,dword ptr ds:[ebx+0x2F8] | 25 004C2A83 | E8 F4F8FAFF | call 0x47237C | 26 004C2A88 | 8B55 FC | mov edx,dword ptr ss:[ebp-0x4] | edx:EntryPoint 27 004C2A8B | A1 E8FE4C00 | mov eax,dword ptr ds:[0x4CFEE8] | 004CFEE8:"T.M" 28 004C2A90 | E8 4F1FF4FF | call 0x4049E4 | 29 004C2A95 | 8D55 F8 | lea edx,dword ptr ss:[ebp-0x8] | edx:EntryPoint 30 004C2A98 | 8B83 FC020000 | mov eax,dword ptr ds:[ebx+0x2FC] | 31 004C2A9E | E8 D9F8FAFF | call 0x47237C | 32 004C2AA3 | 8B55 F8 | mov edx,dword ptr ss:[ebp-0x8] | edx:EntryPoint 33 004C2AA6 | A1 4CFE4C00 | mov eax,dword ptr ds:[0x4CFE4C] | 004CFE4C:"X.M" 34 004C2AAB | E8 341FF4FF | call 0x4049E4 | 35 004C2AB0 | 8B15 4CFE4C00 | mov edx,dword ptr ds:[0x4CFE4C] | edx:EntryPoint, 004CFE4C:"X.M" 36 004C2AB6 | 8B12 | mov edx,dword ptr ds:[edx] | edx:EntryPoint 37 004C2AB8 | A1 54FC4C00 | mov eax,dword ptr ds:[0x4CFC54] | 38 004C2ABD | 8B00 | mov eax,dword ptr ds:[eax] | 39 004C2ABF | E8 B8940000 | call 0x4CBF7C | 40 004C2AC4 | 84C0 | test al,al | 41 004C2AC6 | 0F84 8D000000 | je 0x4C2B59 | 42 004C2ACC | A1 E8FE4C00 | mov eax,dword ptr ds:[0x4CFEE8] | 004CFEE8:"T.M" 43 004C2AD1 | 8B00 | mov eax,dword ptr ds:[eax] | 44 004C2AD3 | E8 7821F4FF | call 0x404C50 | 45 004C2AD8 | 85C0 | test eax,eax | 46 004C2ADA | 7E 7D | jle 0x4C2B59 | 47 004C2ADC | 8D55 F0 | lea edx,dword ptr ss:[ebp-0x10] | edx:EntryPoint 48 004C2ADF | A1 FCFE4C00 | mov eax,dword ptr ds:[0x4CFEFC] | 49 004C2AE4 | 8B00 | mov eax,dword ptr ds:[eax] | 50 004C2AE6 | E8 11FCFCFF | call 0x4926FC | 51 004C2AEB | 8B45 F0 | mov eax,dword ptr ss:[ebp-0x10] | 52 004C2AEE | 8D4D F4 | lea ecx,dword ptr ss:[ebp-0xC] | ecx:EntryPoint 53 004C2AF1 | BA B82B4C00 | mov edx,0x4C2BB8 | edx:EntryPoint, 4C2BB8:".ini" 54 004C2AF6 | E8 2570F4FF | call 0x409B20 | 55 004C2AFB | 8B4D F4 | mov ecx,dword ptr ss:[ebp-0xC] | ecx:EntryPoint 56 004C2AFE | B2 01 | mov dl,0x1 | 57 004C2B00 | A1 2CBE4300 | mov eax,dword ptr ds:[0x43BE2C] | 0043BE2C:"x綜" 58 004C2B05 | E8 D293F7FF | call 0x43BEDC | 59 004C2B0A | 8BF0 | mov esi,eax | esi:EntryPoint 60 004C2B0C | A1 E8FE4C00 | mov eax,dword ptr ds:[0x4CFEE8] | 004CFEE8:"T.M" 61 004C2B11 | 8B00 | mov eax,dword ptr ds:[eax] | 62 004C2B13 | 50 | push eax | 63 004C2B14 | B9 C82B4C00 | mov ecx,0x4C2BC8 | ecx:EntryPoint, 4C2BC8:"Name" 64 004C2B19 | BA D82B4C00 | mov edx,0x4C2BD8 | edx:EntryPoint, 4C2BD8:"Reg" 65 004C2B1E | 8BC6 | mov eax,esi | esi:EntryPoint 66 004C2B20 | 8B38 | mov edi,dword ptr ds:[eax] | edi:EntryPoint 67 004C2B22 | FF57 04 | call dword ptr ds:[edi+0x4] | 68 004C2B25 | A1 4CFE4C00 | mov eax,dword ptr ds:[0x4CFE4C] | 004CFE4C:"X.M" 69 004C2B2A | 8B00 | mov eax,dword ptr ds:[eax] | 70 004C2B2C | 50 | push eax | 71 004C2B2D | BA D82B4C00 | mov edx,0x4C2BD8 | edx:EntryPoint, 4C2BD8:"Reg" 72 004C2B32 | B9 E42B4C00 | mov ecx,0x4C2BE4 | ecx:EntryPoint, 4C2BE4:"ID" 73 004C2B37 | 8BC6 | mov eax,esi | esi:EntryPoint 74 004C2B39 | 8B38 | mov edi,dword ptr ds:[eax] | edi:EntryPoint 75 004C2B3B | FF57 04 | call dword ptr ds:[edi+0x4] | 76 004C2B3E | 8BC6 | mov eax,esi | esi:EntryPoint 77 004C2B40 | E8 9B10F4FF | call 0x403BE0 | 78 004C2B45 | A1 5CFC4C00 | mov eax,dword ptr ds:[0x4CFC5C] | 79 004C2B4A | C600 01 | mov byte ptr ds:[eax],0x1 | 80 004C2B4D | C783 4C020000 01000000 | mov dword ptr ds:[ebx+0x24C],0x1 | ebx+24C:L"練" 81 004C2B57 | EB 20 | jmp 0x4C2B79 | 82 004C2B59 | 6A 00 | push 0x0 | 83 004C2B5B | 8D55 EC | lea edx,dword ptr ss:[ebp-0x14] | edx:EntryPoint 84 004C2B5E | B8 F02B4C00 | mov eax,0x4C2BF0 | 4C2BF0:"无效的 ID 或名字" 85 004C2B63 | E8 680D0000 | call 0x4C38D0 | 86 004C2B68 | 8B45 EC | mov eax,dword ptr ss:[ebp-0x14] | 87 004C2B6B | 66:8B0D 202C4C00 | mov cx,word ptr ds:[0x4C2C20] | 88 004C2B72 | B2 01 | mov dl,0x1 | 89 004C2B74 | E8 2F4BF7FF | call 0x4376A8 | 90 004C2B79 | 33C0 | xor eax,eax | 91 004C2B7B | 5A | pop edx | edx:EntryPoint 92 004C2B7C | 59 | pop ecx | ecx:EntryPoint 93 004C2B7D | 59 | pop ecx | ecx:EntryPoint 94 004C2B7E | 64:8910 | mov dword ptr fs:[eax],edx | edx:EntryPoint 95 004C2B81 | 68 A82B4C00 | push 0x4C2BA8 | 96 004C2B86 | 8D45 EC | lea eax,dword ptr ss:[ebp-0x14] | 97 004C2B89 | BA 03000000 | mov edx,0x3 | edx:EntryPoint 98 004C2B8E | E8 211EF4FF | call 0x4049B4 | 99 004C2B93 | 8D45 F8 | lea eax,dword ptr ss:[ebp-0x8] | 100 004C2B96 | BA 02000000 | mov edx,0x2 | edx:EntryPoint 101 004C2B9B | E8 141EF4FF | call 0x4049B4 | 102 004C2BA0 | C3 | ret | 103 004C2BA1 | E9 CE17F4FF | jmp 0x404374 | 104 004C2BA6 | EB DE | jmp 0x4C2B86 | 105 004C2BA8 | 5F | pop edi | edi:EntryPoint 106 004C2BA9 | 5E | pop esi | esi:EntryPoint 107 004C2BAA | 5B | pop ebx | 108 004C2BAB | 8BE5 | mov esp,ebp | 109 004C2BAD | 5D | pop ebp | 110 004C2BAE | C3 | ret |
其中
004C2AC6 | 0F84 8D000000 | je 0x4C2B59
跳过了一大段,根据经验不能让它跳。
但是这里不直接更改跳转。跟进
004C2ABF | E8 B8940000 | call 0x4CBF7C
这个call,修改如下
004CBF7C | 33C0 | xor eax,eax | 004CBF7E | 40 | inc eax | 004CBF7F | C3 | ret |
直接对eax置1 然后返回,F9让程序跑起来
已经注册成功了。
那么为什么不直接更改跳转指令呢?
这个软件除了在验证注册码的时候有校验,启动的时候会根据 .ini 中的信息再一次校验,直接patch校验注册的函数 让它return TRUE 可以一次性bypass所有的认证
如果单单改那个跳转,每次打开exescope就得重新注册一次。
2024-01-31 11:31:23【出处】:https://www.cnblogs.com/BD1A489/p/9825382.html
=======================================================================================
eXeScope注册码算法bat版
出处:http://www.js-code.com/dosbat/dosbat_106305.html
=======================================================================================
标签:EntryPoint,mov,破解,eax,算法,eXeScope,dword,edx,ptr From: https://www.cnblogs.com/mq0036/p/17998881