image.png (99.06 KB, 下载次数: 0)
下载附件
2023-4-10 18:06 上传
老的N个版本都可以这么玩,这让对话框出来
然后F12(暂停)
Alt+K窗口
image.png (165.42 KB, 下载次数: 0)
下载附件
2023-4-10 18:09 上传
第1个NOP
第2个JMP
但是!!!新版本变化了。
[Asm] 纯文本查看 复制代码00478C5D | E8 9EE11C00 | call |
00478C62 | F2:0F5E05 58926600 | divsd xmm0,qword ptr ds:[669258] |
00478C6A | BE 15000000 | mov esi,15 | esi:EntryPoint
00478C6F | F2:0F5805 C0086E00 | addsd xmm0,qword ptr ds:[6E08C0] |
00478C77 | F2:0F2CC0 | cvttsd2si eax,xmm0 |
00478C7B | 2BF0 | sub esi,eax | esi:EntryPoint
00478C7D | 85C0 | test eax,eax |
00478C7F | 0F4EF0 | cmovle esi,eax | esi:EntryPoint
00478C82 | 89B5 A8D4FFFF | mov dword ptr ss:[ebp-2B58],esi | [ebp-2B58]:"\"C", esi:EntryPoint
00478C88 | 85F6 | test esi,esi | esi:EntryPoint
00478C8A | 7F 12 | jg 478C9E |
00478C8C | 33F6 | xor esi,esi | esi:EntryPoint
00478C8E | C785 94D4FFFF 01000000 | mov dword ptr ss:[ebp-2B6C],1 |
00478C98 | 89B5 A8D4FFFF | mov dword ptr ss:[ebp-2B58],esi | [ebp-2B58]:"\"C", esi:EntryPoint
00478C9E | 83BF 28030000 00 | cmp dword ptr ds:[edi+328],0 | edi+328:sub_646AC1+2D
00478CA5 | 74 0C | je 478CB3 ==================>这里NOP就能过注册提醒框,但是!水印犹在!
00478CA7 | 8BCF | mov ecx,edi | ecx:EntryPoint, edi:EntryPoint
00478CA9 | E8 22600000 | call |
00478CAE | E9 D1040000 | jmp 479184 |
00478CB3 | 8D8D B8D4FFFF | lea ecx,dword ptr ss:[ebp-2B48] | ecx:EntryPoint, [ebp-2B48]:sub_52EFD0+1089
00478CB9 | FF15 04526600 | call dword ptr ds:[] |
00478CBF | 8D8D BCD4FFFF | lea ecx,dword ptr ss:[ebp-2B44] | ecx:EntryPoint, [ebp-2B44]:sub_450010+44
00478CC5 | FF15 04526600 | call dword ptr ds:[] |
00478CCB | 8D8D ACD4FFFF | lea ecx,dword ptr ss:[ebp-2B54] | ecx:EntryPoint
00478CD1 | FF15 04526600 | call dword ptr ds:[] |
00478CD7 | 8D8D 9CD4FFFF | lea ecx,dword ptr ss:[ebp-2B64] | ecx:EntryPoint, [ebp-2B64]:L"C:\\Windows\\SYSTEM32\\kernelbase.dll"
00478CDD | FF15 04526600 | call dword ptr ds:[] |
00478CE3 | 68 C0000000 | push C0 |
00478CE8 | 8D8D B8D4FFFF | lea ecx,dword ptr ss:[ebp-2B48] | ecx:EntryPoint, [ebp-2B48]:sub_52EFD0+1089
00478CEE | C645 FC 1F | mov byte ptr ss:[ebp-4],1F |
00478CF2 | FF15 644D6600 | call dword ptr ds:[] |
00478CF8 | 68 C5000000 | push C5 |
00478CFD | 8D8D 9CD4FFFF | lea ecx,dword ptr ss:[ebp-2B64] | ecx:EntryPoint, [ebp-2B64]:L"C:\\Windows\\SYSTEM32\\kernelbase.dll"
00478D03 | FF15 644D6600 | call dword ptr ds:[] |
00478D09 | 83BD 94D4FFFF 00 | cmp dword ptr ss:[ebp-2B6C],0 |
00478D10 | 0F84 AF000000 | je 478DC5 | NOP
00478D16 | 68 C2000000 | push C2 |
00478D1B | 8D8D ACD4FFFF | lea ecx,dword ptr ss:[ebp-2B54] | ecx:EntryPoint
00478D21 | FF15 644D6600 | call dword ptr ds:[] |
00478D27 | 68 C3000000 | push C3 |
00478D2C | 8D8D BCD4FFFF | lea ecx,dword ptr ss:[ebp-2B44] | ecx:EntryPoint, [ebp-2B44]:sub_450010+44
00478D32 | FF15 644D6600 | call dword ptr ds:[] |
00478D38 | 8D85 BCD4FFFF | lea eax,dword ptr ss:[ebp-2B44] | [ebp-2B44]:sub_450010+44
00478D3E | 50 | push eax |
00478D3F | 8D85 ACD4FFFF | lea eax,dword ptr ss:[ebp-2B54] |
00478D45 | 50 | push eax |
00478D46 | 8D85 8CD4FFFF | lea eax,dword ptr ss:[ebp-2B74] |
00478D4C | 50 | push eax |
00478D4D | E8 6EE2FEFF | call |
00478D52 | 8D8D 9CD4FFFF | lea ecx,dword ptr ss:[ebp-2B64] | ecx:EntryPoint, [ebp-2B64]:L"C:\\Windows\\SYSTEM32\\kernelbase.dll"
00478D58 | C645 FC 20 | mov byte ptr ss:[ebp-4],20 | 20:' '
00478D5C | 51 | push ecx | ecx:EntryPoint
00478D5D | 50 | push eax |
00478D5E | 8D85 B4D4FFFF | lea eax,dword ptr ss:[ebp-2B4C] | [ebp-2B4C]:sub_52EFD0+108C
00478D64 | 50 | push eax |
00478D65 | E8 56E2FEFF | call |
00478D6A | 83C4 18 | add esp,18 |
00478D6D | 50 | push eax |
00478D6E | 8D8D B8D4FFFF | lea ecx,dword ptr ss:[ebp-2B48] | ecx:EntryPoint, [ebp-2B48]:sub_52EFD0+1089
00478D74 | C645 FC 21 | mov byte ptr ss:[ebp-4],21 | 21:'!'
00478D78 | FF15 78526600 | call dword ptr ds:[] |
00478D7E | 8D8D B4D4FFFF | lea ecx,dword ptr ss:[ebp-2B4C] | ecx:EntryPoint, [ebp-2B4C]:sub_52EFD0+108C
00478D84 | FF15 84526600 | call dword ptr ds:[] |
00478D8A | 8D8D 8CD4FFFF | lea ecx,dword ptr ss:[ebp-2B74] | ecx:EntryPoint
00478D90 | C645 FC 1F | mov byte ptr ss:[ebp-4],1F |
00478D94 | FF15 84526600 | call dword ptr ds:[] |
00478D9A | 8D46 FF | lea eax,dword ptr ds:[esi-1] | esi-1:sub_64677F+46
00478D9D | 8985 B0D4FFFF | mov dword ptr ss:[ebp-2B50],eax |
00478DA3 | 8D45 D0 | lea eax,dword ptr ss:[ebp-30] |
00478DA6 | 6A 0F | push F |
00478DA8 | 50 | push eax |
00478DA9 | 68 F88A6600 | push 668AF8 | 668AF8:L"CR30HSDX"
00478DAE | FF15 58396600 | call dword ptr ds:[ |
00478DD6 | 56 | push esi | esi:EntryPoint
00478DD7 | FF30 | push dword ptr ds:[eax] |
00478DD9 | 8D85 ACD4FFFF | lea eax,dword ptr ss:[ebp-2B54] |
00478DDF | C645 FC 22 | mov byte ptr ss:[ebp-4],22 | 22:'\"'
00478DE3 | 50 | push eax |
00478DE4 | FF15 60526600 | call dword ptr ds:[] |
00478DEA | 83C4 14 | add esp,14 |
00478DED | C645 FC 1F | mov byte ptr ss:[ebp-4],1F |
00478DF1 | 8D8D B4D4FFFF | lea ecx,dword ptr ss:[ebp-2B4C] | ecx:EntryPoint, [ebp-2B4C]:sub_52EFD0+108C
00478DF7 | FF15 84526600 | call dword ptr ds:[] |
00478DFD | 68 C88A6600 | push 668AC8 | 668AC8:L"HprUnInst.log"
00478E02 | 8D87 70010000 | lea eax,dword ptr ds:[edi+170] | edi+170:sub_6468B9+7D
00478E08 | 50 | push eax |
00478E09 | 8D85 8CD4FFFF | lea eax,dword ptr ss:[ebp-2B74] |
00478E0F | 50 | push eax |
00478E10 | E8 2BE2FEFF | call |
00478E15 | 68 54836600 | push 668354 | 668354:L"r"
00478E1A | FF30 | push dword ptr ds:[eax] |
00478E1C | FF15 74426600 | call dword ptr ds:[] |
00478E22 | 83C4 14 | add esp,14 |
00478E25 | 8985 B0D4FFFF | mov dword ptr ss:[ebp-2B50],eax |
00478E2B | 8D8D 8CD4FFFF | lea ecx,dword ptr ss:[ebp-2B74] | ecx:EntryPoint
00478E31 | FF15 84526600 | call dword ptr ds:[] |
00478E37 | 8B85 B0D4FFFF | mov eax,dword ptr ss:[ebp-2B50] |
00478E3D | 85C0 | test eax,eax |
00478E3F | 0F84 BB000000 | je 478F00 |
00478E45 | 50 | push eax |
00478E46 | 8D85 40E9FFFF | lea eax,dword ptr ss:[ebp-16C0] |
00478E4C | 68 00040000 | push 400 |
00478E51 | 50 | push eax |
00478E52 | FF15 78426600 | call dword ptr ds:[] |
00478E58 | 83C4 0C | add esp,C |
00478E5B | 85C0 | test eax,eax |
00478E5D | 0F84 8E000000 | je 478EF1 |
00478E63 | 0F1F40 00 | nop dword ptr ds:[eax],eax |
00478E67 | 66:0F1F8400 00000000 | nop word ptr ds:[eax+eax],ax |
00478E70 | 33C0 | xor eax,eax |
00478E72 | 66:8985 3EF1FFFF | mov word ptr ss:[ebp-EC2],ax |
00478E79 | 8D85 40E9FFFF | lea eax,dword ptr ss:[ebp-16C0] |
00478E7F | 50 | push eax |
00478E80 | E8 FB130B00 | call |
00478E85 | 8D85 40E9FFFF | lea eax,dword ptr ss:[ebp-16C0] |
00478E8B | 68 E48A6600 | push 668AE4 | 668AE4:L"Promo: "
00478E90 | 50 | push eax |
00478E91 | E8 B00F1D00 | call |
00478E96 | 8D8D 40E9FFFF | lea ecx,dword ptr ss:[ebp-16C0] | ecx:EntryPoint
00478E9C | 83C4 0C | add esp,C |
00478E9F | 3BC1 | cmp eax,ecx | ecx:EntryPoint
00478EA1 | 74 1D | je 478EC0 |
00478EA3 | FFB5 B0D4FFFF | push dword ptr ss:[ebp-2B50] |
00478EA9 | 8BC1 | mov eax,ecx | ecx:EntryPoint
00478EAB | 68 00040000 | push 400 |
00478EB0 | 50 | push eax |
00478EB1 | FF15 78426600 | call dword ptr ds:[] |
00478EB7 | 83C4 0C | add esp,C |
00478EBA | 85C0 | test eax,eax |
00478EBC | 75 B2 | jne 478E70 |
00478EBE | EB 31 | jmp 478EF1 |
00478EC0 | 8D85 4EE9FFFF | lea eax,dword ptr ss:[ebp-16B2] |
00478EC6 | 50 | push eax |
00478EC7 | 8D8F 6C010000 | lea ecx,dword ptr ds:[edi+16C] | ecx:EntryPoint, edi+16C:L","
00478ECD | FF15 7C526600 | call dword ptr ds:[] |
00478ED3 | 8D8F 6C010000 | lea ecx,dword ptr ds:[edi+16C] | ecx:EntryPoint, edi+16C:L","
00478ED9 | FF15 404B6600 | call dword ptr ds:[] |
00478EDF | 8D8F 6C010000 | lea ecx,dword ptr ds:[edi+16C] | ecx:EntryPoint, edi+16C:L","
00478EE5 | FF15 444B6600 | call dword ptr ds:[] |
00478EEB | 8BB5 A8D4FFFF | mov esi,dword ptr ss:[ebp-2B58] | esi:EntryPoint, [ebp-2B58]:"\"C"
00478EF1 | FFB5 B0D4FFFF | push dword ptr ss:[ebp-2B50] |
00478EF7 | FF15 6C426600 | call dword ptr ds:[] |
00478EFD | 83C4 04 | add esp,4 |
00478F00 | 8D8F 6C010000 | lea ecx,dword ptr ds:[edi+16C] | ecx:EntryPoint, edi+16C:L","
00478F06 | 68 F48A6600 | push 668AF4 | 668AF4:L"h"
00478F0B | FF15 70526600 | call dword ptr ds:[] |
00478F11 | 85C0 | test eax,eax |
00478F13 | 7E 3E | jle 478F53 |
00478F15 | 8D85 B4D4FFFF | lea eax,dword ptr ss:[ebp-2B4C] | [ebp-2B4C]:sub_52EFD0+108C
00478F1B | 68 CC000000 | push CC |
00478F20 | 50 | push eax |
00478F21 | E8 2A0F0B00 | call |
00478F26 | 8D4E FF | lea ecx,dword ptr ds:[esi-1] | ecx:EntryPoint, esi-1:sub_64677F+46
00478F29 | C645 FC 23 | mov byte ptr ss:[ebp-4],23 | 23:'#'
00478F2D | 51 | push ecx | ecx:EntryPoint
00478F2E | 56 | push esi | esi:EntryPoint
00478F2F | FF30 | push dword ptr ds:[eax] |
00478F31 | 8D85 BCD4FFFF | lea eax,dword ptr ss:[ebp-2B44] | [ebp-2B44]:sub_450010+44
00478F37 | 50 | push eax |
00478F38 | FF15 60526600 | call dword ptr ds:[] |
00478F3E | 83C4 18 | add esp,18 |
00478F41 | C645 FC 1F | mov byte ptr ss:[ebp-4],1F |
00478F45 | 8D8D B4D4FFFF | lea ecx,dword ptr ss:[ebp-2B4C] | ecx:EntryPoint, [ebp-2B4C]:sub_52EFD0+108C
00478F4B | FF15 84526600 | call dword ptr ds:[] |
00478F51 | EB 11 | jmp 478F64 |
00478F53 | 68 C4000000 | push C4 |
00478F58 | 8D8D BCD4FFFF | lea ecx,dword ptr ss:[ebp-2B44] | ecx:EntryPoint, [ebp-2B44]:sub_450010+44
00478F5E | FF15 644D6600 | call dword ptr ds:[] |
00478F64 | 8D85 BCD4FFFF | lea eax,dword ptr ss:[ebp-2B44] | [ebp-2B44]:sub_450010+44
00478F6A | 50 | push eax |
00478F6B | 8D85 ACD4FFFF | lea eax,dword ptr ss:[ebp-2B54] |
00478F71 | 50 | push eax |
00478F72 | 8D85 8CD4FFFF | lea eax,dword ptr ss:[ebp-2B74] |
00478F78 | 50 | push eax |
00478F79 | E8 42E0FEFF | call |
00478F7E | 8D8D 9CD4FFFF | lea ecx,dword ptr ss:[ebp-2B64] | ecx:EntryPoint, [ebp-2B64]:L"C:\\Windows\\SYSTEM32\\kernelbase.dll"
00478F84 | C645 FC 24 | mov byte ptr ss:[ebp-4],24 | 24:'$'
00478F88 | 51 | push ecx | ecx:EntryPoint
00478F89 | 50 | push eax |
00478F8A | 8D85 B4D4FFFF | lea eax,dword ptr ss:[ebp-2B4C] | [ebp-2B4C]:sub_52EFD0+108C
00478F90 | 50 | push eax |
00478F91 | E8 2AE0FEFF | call |
00478F96 | 83C4 18 | add esp,18 |
00478F99 | 50 | push eax |
00478F9A | 8D8D B8D4FFFF | lea ecx,dword ptr ss:[ebp-2B48] | ecx:EntryPoint, [ebp-2B48]:sub_52EFD0+1089
00478FA0 | C645 FC 25 | mov byte ptr ss:[ebp-4],25 | 25:'%'
00478FA4 | FF15 78526600 | call dword ptr ds:[] |
00478FAA | 8D8D B4D4FFFF | lea ecx,dword ptr ss:[ebp-2B4C] | ecx:EntryPoint, [ebp-2B4C]:sub_52EFD0+108C
00478FB0 | FF15 84526600 | call dword ptr ds:[] |
00478FB6 | 8D8D 8CD4FFFF | lea ecx,dword ptr ss:[ebp-2B74] | ecx:EntryPoint
00478FBC | C645 FC 1F | mov byte ptr ss:[ebp-4],1F |
00478FC0 | FF15 84526600 | call dword ptr ds:[] |
00478FC6 | 8D46 FF | lea eax,dword ptr ds:[esi-1] | esi-1:sub_64677F+46
00478FC9 | 8985 B0D4FFFF | mov dword ptr ss:[ebp-2B50],eax |
00478FCF | 8D45 D0 | lea eax,dword ptr ss:[ebp-30] |
00478FD2 | 6A 0F | push F |
00478FD4 | 50 | push eax |
00478FD5 | 68 F88A6600 | push 668AF8 | 668AF8:L"CR30HSDX"
00478FDA | FF15 58396600 | call dword ptr ds:[JMP
00478FEE | 6A 00 | push 0 |
00478FF0 | 56 | push esi | esi:EntryPoint
00478FF1 | FF77 20 | push dword ptr ds:[edi+20] | edi+20:sub_6467E1+5
00478FF4 | 8D8D 88E7FFFF | lea ecx,dword ptr ss:[ebp-1878] | ecx:EntryPoint, [ebp-1878]:L"C:\\Windows\\SYSTEM32\\zh-CN\\MSVFW32.dll.mui"
00478FFA | E8 F1900B00 | call |
00478FFF | 68 F48A6600 | push 668AF4 | 668AF4:L"h"
00479004 | 8D8F 6C010000 | lea ecx,dword ptr ds:[edi+16C] | ecx:EntryPoint, edi+16C:L","
0047900A | C645 FC 26 | mov byte ptr ss:[ebp-4],26 | 26:'&'
0047900E | FF15 70526600 | call dword ptr ds:[] |
00479014 | 85C0 | test eax,eax |
00479016 | 7E 12 | jle 47902A | jmp
所以,我们点下关于找到了 "Unlicensed Evaluation Copy"
字符串搜索下:
[Asm] 纯文本查看 复制代码004E4782 | FF15 84526600 | call dword ptr ds:[] |
004E4788 | 833D 70567300 00 | cmp dword ptr ds:[735670],0 ==》重点这里!
004E478F | 0F84 44030000 | je hprsnap8.4E4AD9 |
代码较长。。。。省略
004E4AD9 | 68 F8486700 | push hp8.6748F8 | 6748F8:"Unlicensed Evaluation Copy"
也就是说有个全局常量735670是开关
尝试改成1,没效果~~
再搜索下全局常量
image.png (42.54 KB, 下载次数: 1)
下载附件
2023-4-10 18:30 上传
尝试一下全下断,Ctrl+F2重启调试器
image.png (118.09 KB, 下载次数: 1)
下载附件
2023-4-10 18:33 上传
把 mov dword ptr ds:[735670],eax 改成 mov dword ptr ds:[735670],1
改完之后,直接运行会出来一个垃圾对话框
所以,后面那两个call简单的跟踪一下
发现上面的那个是 与 注册有关
image.png (71.22 KB, 下载次数: 0)
下载附件
2023-4-10 18:36 上传
故此ret掉,或NOP
下一个 是报错的 "First call to TWAIN_IsAvailable()\n" 同样我们段首ret,或直接NOP了。
这样再来就会直接进主界面,截图就没有水印了。
关于中未注册部分也可以修改下,就会显示临时授权版。就不说了。
image.png (252.43 KB, 下载次数: 1)
下载附件
2023-4-10 18:40 上传
