先按照 https://www.52pojie.cn/thread-2056733-1-1.html 这篇做的,对比公钥
原始公钥MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1dq......
替换公钥MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvVdq......
需要替换"w1"为"vV",即可使用私钥
[Asm] 纯文本查看 复制代码-----BEGIN PRIVATE KEY-----
MIIEPAIBADANBgkqhkiG9w0BAQEFAASCBCYwggQiAgEAAoIBAQC9V2oXdKQJoACY
zOzzz0ip1b0zZ0h2HeMb3I9yYueYmIakEXgT1UdIwZ7yg8DLaQkOZ023gFwTKC+y
wR+CKe9rm3mObfnZQCgOixQmRNcZCGkBYwXh8GYGk7cR50bras6yowGCZJ0DLEJI
8FEkg4VHRCBkVtGdTR+uPfh+JWaBiIu5lICYhuzxnGIc92nWgPi1Sm+wVyLhAm1g
2M2cZTZY8fqu8KEaXUhEqvEy2ouJ6Wy9qNSPKuA4Lo2bKZgy9k0RHeG0US0vV5Bs
LJN8Oa1jJDVa3g63XaXF/TBUhHmZwY3tcJclEc4UdJ/WDNdZptFK+a3WeuXuxbpy
PGWO65BrAgMBAAECggEAARnraMDtZELScsXF4pJRIHcL51+xeG9X1LKYaoWqoFmG
hYoBpfY8TzLYoGjw8Wsa+eiWfuUV4D8eacjsW6OR3DbVot1/AN/FPcFavZa2Fr1N
T/05GadQ/6faZ8qa7RwS3VceyE24zQGSEhEfDVhBx5o3P202jMduhsxxtY3iIkZE
VRLQgz/Fpq1k/wvH7vwphTc9YeKYVCmG+zdWp/yQmRATAHrj7XU16Ebs1sz/jC69
f2gxn5hBL/RZIGGrq01jbsYNuCGXU5H87YYFykjTH+6ckcYGCj3PUI0h2eOFty85
Ayl4PxwgG21oz6QFXKERZ4EOJJuQgHIVBlq3VtqkIQIBEQKCAQALI0J52a9L3DxF
OTsdZovNwUddYG2smFinSTWdURyun49zEBYfSMf1OJDhFs8bBi21jZso6W7T804Z
kuO8XNHZJ0NiuyzQi02mgKbVExu2LavS57UNSmBavWUfK7jgq+4Kgg8lya7iEamL
0eany4BPfHpgQVef11w3bQ6eAjM0y8v7248YB+/R+iPjlhVI2mj7mveC1/L+LVG6
ZxsnUT9upNKCwtxM2E+LkZW3soCtwm/O69BEqCtOmVOftycSDn0BAcH7jE3zudtR
qETpMJG6iajJHB77ujbth10yJekJC2KznTYRPUhbjmPBTAyq67H1Wfsqu+9oZfvo
miQXd0S7AgEBAoIBAAEZ62jA7WRC0nLFxeKSUSB3C+dfsXhvV9SymGqFqqBZhoWK
AaX2PE8y2KBo8PFrGvnoln7lFeA/HmnI7Fujkdw21aLdfwDfxT3BWr2Wtha9TU/9
ORmnUP+n2mfKmu0cEt1XHshNuM0BkhIRHw1YQceaNz9tNozHbobMcbWN4iJGRFUS
0IM/xaatZP8Lx+78KYU3PWHimFQphvs3Vqf8kJkQEwB64+11NehG7NbM/4wuvX9o
MZ+YQS/0WSBhq6tNY27GDbghl1OR/O2GBcpI0x/unJHGBgo9z1CNIdnjhbcvOQMp
eD8cIBttaM+kBVyhEWeBDiSbkIByFQZat1bapCECAQc=
-----END PRIVATE KEY-----
image.png (54.87 KB, 下载次数: 2)
下载附件
2025-9-29 23:34 上传
按文中方法,搜索 7731c6852201,将7731替换为5676,结果运行到ret后rax是空的,看来这个版本每个小步骤都会验证拼出的来字符串。
原版在call r8后面一步下断,修改内存rax指向的字符串后能注册成功。但重启后又是未注册状态,看来软件每次重启都会校验。所以只要在call r8后,ret前修改字符就行。
在call r8处下断,按f7进入,再按ctrl+f9运行到ret。
image.png (67.5 KB, 下载次数: 1)
下载附件
2025-9-29 23:11 上传
ret上面一段是恢复寄存器状态的,再往上全部下断点,按ctrl+f2重新运行。
image.png (121.25 KB, 下载次数: 2)
下载附件
2025-9-29 23:32 上传
断在这一行,说明这行上面全是正常情况下执行不到的代码。这时r15为私钥字符串地址。rax和rbx都是0。再继续往下走。下面的je也不会跳,正好利用这行往上跳,把上面改成修改字符串的代码再跳回来。
image.png (37.05 KB, 下载次数: 2)
下载附件
2025-9-29 23:22 上传
导出补丁,按ctrl+f2后导入补丁。测试成功后再点修补文件就可以导出修改后的libcc.dll。
image.png (100.95 KB, 下载次数: 1)
下载附件
2025-9-29 23:25 上传
导出的.1337文件如下:
[Asm] 纯文本查看 复制代码>libcc.dll
000000000216A4A6:C6->49
000000000216A4A7:45->8B
000000000216A4A8:A4->1F
000000000216A4A9:30->48
000000000216A4AA:48->8D
000000000216A4AB:8D->5B
000000000216A4AC:45->2C
000000000216A4AD:A4->66
000000000216A4AE:48->B8
000000000216A4AF:89->76
000000000216A4B0:85->56
000000000216A4B1:20->66
000000000216A4B2:1E->89
000000000216A4B3:00->03
000000000216A4B4:00->48
000000000216A4B5:48->C7
000000000216A4B6:8D->C0
000000000216A4B7:45->00
000000000216A4B8:A5->00
000000000216A4B9:48->00
000000000216A4BA:89->00
000000000216A4BB:85->48
000000000216A4BC:28->C7
000000000216A4BD:1E->C3
000000000216A4C0:48->00
000000000216A4C1:8D->00
000000000216A4C2:95->EB
000000000216A4C3:20->19
000000000216A4C4:1E->90
000000000216A4C5:00->90
000000000216A4C6:00->90
000000000216A4D9:84->EB
000000000216A4DA:C9->CB
000000000216A4DB:74->90
000000000216A4DC:2D->90
