某截图软件爆破教程

月光下の魔术师 · 发表于 2015-3-7 09:56

原谅我不说那个软件名字……说了恐怕会被很快和谐掉
软件是

，功能很好
现在软件更新到8.4.7了，昨天截图的时候才看到，正想PJ了分享结果被老妈轰走了……
软件有一个很神异的类似于暗桩一样的东西，爆破之后不能点击Help项下的About项，否则会直接挂
软件为英文版，无汉化，勿喷！
下面开始教程
首先去官网下载原版软件，地址http://www.hyperionics.com/hsdx/downloads.asp，

64下64位，32下32位，下载完成后安装，打开会直接提示 QQ截图20150307094643.png

，退出软件（从任务栏右侧中右键图标退出，不是直接关闭软件）
第二步，OD打开 QQ截图20150307095016.png

第三步，转到00401000 QQ截图20150307095050.png

最关键的一步，也是逆向的关键

我说了啊，别打我
Ctrl+B，HEX输入8BC38B4DF464890D00000000595F5E5B8BE55DC21000 QQ截图20150307095153.png

搜到的语句改成mov eax,1即可 QQ截图20150307095314.png

，保存

好了PJ完成
是不是很想打我{:6_209:}
这个方法如果没猜错的话适用于8.x.x版本，也就是说8版本全部适用，当然这是大家不太张扬的情况下，不然……我也不知道这方法能活多久

月光下の魔术师 · 发表于 2015-3-7 10:26

本帖最后由月光下の魔术师于 2015-3-7 12:09 编辑

那么这个方法原理是什么呢
软件打开直接提示未注册，那么软件要么是读注册表判断注册，要么是读文件判断注册
有了思路就好办了，OD载入，Ctrl+N，果然找到了几个有关函数 QQ截图20150307102502.png

，右键——在每个调用处设置断点，看着四个函数，其实断点也不是非常多，慢慢判断就好了
F9运行，断在RegOpenKeyExW上，看一下堆栈
0012F418 80000002  |hKey = HKEY_LOCAL_MACHINE
0012F41C 001C1C30  |Subkey = "SOFTWARE\Hyperionics\HyperSnap 8"
0012F420 00000000  |Reserved = 0x0
0012F424 00020019  |Access = KEY_READ
0012F428 0012F438  \pHandle = 0012F438
注意hKey = HKEY_LOCAL_MACHINE
理论来说软件不应该在LocalMachine里写这东西，但是也不排除这种可能性，这个先注释一下标成可疑地址
继续F9，中断后堆栈0012DF48 80000000  |hKey = HKEY_CLASSES_ROOT
0012DF4C 0066DE18  |Subkey = "Applications\HprSnap8.exe\shell\open\command"
0012DF50 00000000  |Reserved = 0x0
0012DF54 00020019  |Access = KEY_READ
0012DF58 0012DF68  \pHandle = 0012DF68
这个一看直接跳过，取消断点防止以后浪费调试时间
再次F9，中断
0012E1EC 80000001  |hKey = HKEY_CURRENT_USER
0012E1F0 0012E320  |Subkey = "Identities\{492EB3C4-CA39-31BF-B518-527AD6AE017B}"
0012E1F4 00000000  |Reserved = 0x0
0012E1F8 00020019  |Access = KEY_READ
0012E1FC 0012E20C  \pHandle = 0012E20C
取消断点不解释

0012E210 80000000  |hKey = HKEY_CLASSES_ROOT
0012E214 0012E280  |Subkey = "CLSID\{492EB3C4-C9A3-1B3F-B185-D6A527AE017B}\VERSION"
0012E218 00000000  |Reserved = 0x0
0012E21C 00020019  |Access = KEY_READ
0012E220 0012E22C  \pHandle = 0012E22C
取消，理由同上

0012E05C 80000001  |hKey = HKEY_CURRENT_USER
0012E060 00681CD0  |Subkey = "Control Panel\Cursors"
0012E064 00000000  |Reserved = 0x0
0012E068 00020019  |Access = KEY_READ
0012E06C 0012E078  \pHandle = 0012E078
同上

0012E308 80000001  |hKey = HKEY_CURRENT_USER
0012E30C 0066E540  |Subkey = "Control Panel\International"
0012E310 00000000  |Reserved = 0x0
0012E314 00020019  |Access = KEY_READ
0012E318 0012E344  \pHandle = 0012E344
同上

0012D8D8 80000001  |hKey = HKEY_CURRENT_USER
0012D8DC 001C22F0  |Subkey = "Software\Hyperionics\HyperSnap 8"
0012D8E0 00000000  |Reserved = 0x0
0012D8E4 00020019  |Access = KEY_READ
0012D8E8 0012D900  \pHandle = 0012D900
这个很可疑啊，hKey = HKEY_CURRENT_USER，Subkey = "Software\Hyperionics\HyperSnap 8"，我们也列为可疑地址，记下它的地址：00530CBA

0012D8D8 80000001  |hKey = HKEY_CURRENT_USER
0012D8DC 003322F0  |Subkey = "Software\Hyperionics\HyperSnap 8"
0012D8E0 00000000  |Reserved = 0x0
0012D8E4 00020019  |Access = KEY_READ
0012D8E8 0012D900  \pHandle = 0012D900
再次中断后不仅地址一致，就连堆栈也一样，该处调用嫌疑瞬间暴涨

0012D8D8 80000001  |hKey = HKEY_CURRENT_USER
0012D8DC 003322F0  |Subkey = "Software\Hyperionics\HyperSnap 7"
0012D8E0 00000000  |Reserved = 0x0
0012D8E4 00020019  |Access = KEY_READ
0012D8E8 0012D900  \pHandle = 0012D900
还是熟悉的地址，还是熟悉的堆栈，只是Subkey不同，嫌疑再次暴涨

0012D8D8 80000001  |hKey = HKEY_CURRENT_USER
0012D8DC 001E22F0  |Subkey = "Software\Hyperionics\HyperSnap 7"
0012D8E0 00000000  |Reserved = 0x0
0012D8E4 00020019  |Access = KEY_READ
0012D8E8 0012D900  \pHandle = 0012D900
又来一次，调用地址一样，全部都是00530CBA；堆栈也几乎相同，再加上这时候未注册的提示框还未跳出，这处地址显得非常的……诡异
再次F9，程序运行，未注册出现。
显然00530CBA是重中之重
重载程序，将未标注的断点全部删除（强迫症……）
下面来着重分析这两个地址，究竟是第一个HKEY_LOCAL_MACHINE的调用是判断，还是HKEY_CURRENT_USER的4个调用时判断？
注：下面就是我凭直觉走（就是乱猜）的部分了，分析不一定对（应该是一定不对），错误之处望指出，希望可以共同进步！
运行，断在第一个断点 QQ截图20150307102114.png

单步到0052C3C3 |. FF15 08806600 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExW
这里是取一个表项的值，到目前为止还没发现有什么异常，再次F8
QQ截图20150307103350.png

EAX=2，查阅后发现这个含义是表项不存在
然后就是关闭句柄，也成功了，EAX=0，含义为ERROR_SUCCESS
单步到返回，函数返回值为1 QQ截图20150307103735.png

出来之后……

wc这是要我老命的节奏？还！能！愉！快！的！玩！耍！么！于是……我选择了一种非常蛋疼的方法：直接看函数猜这是要干啥
0052D495  |.  FF15 2C9A6600 call near dword ptr ds:[<&KERNEL32.Creat>; \CreateFileW  看下堆栈
0012F438 002AF6B8  |FileName = "E:\HyperSnap 8\"                                                 //这是软件的安装目录
0012F43C 80000000  |Access = GENERIC_READ                                                       //允许对设备进行读访问
0012F440 00000003  |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE          //共享模式为读和写
0012F444 00000000  |pSecurity = NULL                                                                   //文件安全特性的指针，为空
0012F448 00000003  |Mode = OPEN_EXISTING                                                       //文件必须存在
0012F44C 02000000  |Attributes = BACKUP_SEMANTICS                                           //允许改变属性
0012F450 00000000  \hTemplateFile = NULL                                                             //用来复制文件句柄的，为空就不看了
本着乱猜胡诌的原则，我猜这玩意是读取安装目录下的啥文件——这和注册表有啥关系？
0052D4AE  |.  FF15 1C9A6600 call near dword ptr ds:[<&KERNEL32.GetFi>; \GetFileTime 取文件事件信息
0012F444 000000C0  |hFile = 000000C0 (window)
0012F448 0012F47C  |pCreationTime = 0012F47C
0012F44C 00000000  |pLastAccess = NULL
0012F450 00000000  \pLastWrite = NULL
看到这个我立马想到了易语言的一个子程序取启动时间 ()先是读注册表，然后是打开了个啥文件，然后又取了系统的启动时间——这是要干啥？
剩下的我就不一一截图分析了，取了系统启动到目前为止的事件后又取了一个环境变量，然后又搜索了一个字符串，然后又设置了一个环境变量——小弟不学无术才疏学浅实在不懂这是要干啥，望大牛分析

事实上我第一次看这个的时候看到这里我心基本凉完了——看都看不懂还破个毛线……
最后返回值是个很怪异的值，再往后走了两个函数，返回值都没啥引人注意的地方，再加上后面那个“极度可疑”的00530CBA，所以我果断放弃了这个地址……
然后F9运行到之前所说的那个“极度可疑”的地址：00530CBA |. FF15 04806600 call near dword ptr ds:[<&ADVAPI32.RegOp>; |\可疑地址2
下面是代码

00530C00 /. 55 push ebp
00530C01 |. 8BEC mov ebp,esp
00530C03 |. 6A FF push -0x1
00530C05 |. 68 BB216600 push HprSnap8.006621BB
00530C0A |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00530C10 |. 50 push eax
00530C11 |. 83EC 0C sub esp,0xC
00530C14 |. 53 push ebx
00530C15 |. 56 push esi
00530C16 |. 57 push edi
00530C17 |. A1 38D57300 mov eax,dword ptr ds:[0x73D538]
00530C1C |. 33C5 xor eax,ebp
00530C1E |. 50 push eax
00530C1F |. 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00530C22 |. 64:A3 0000000>mov dword ptr fs:[0],eax
00530C28 |. 8B7D 10 mov edi,dword ptr ss:[ebp+0x10]
00530C2B |. 8D4D 10 lea ecx,dword ptr ss:[ebp+0x10]
00530C2E |. 33F6 xor esi,esi
00530C30 |. C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00530C37 |. 8975 EC mov dword ptr ss:[ebp-0x14],esi
00530C3A |. 8937 mov dword ptr ds:[edi],esi
00530C3C |. FF15 B4B16600 call near dword ptr ds:[<&mfc120u.#296>] ; mfc120u.#316
00530C42 |. 68 78690000 push 0x6978
00530C47 |. 8D4D 10 lea ecx,dword ptr ss:[ebp+0x10]
00530C4A |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00530C4E |. FF15 E0AE6600 call near dword ptr ds:[<&mfc120u.#8346>>; mfc120u.#8346
00530C54 |. 8D4D 10 lea ecx,dword ptr ss:[ebp+0x10]
00530C57 |. FF15 98B16600 call near dword ptr ds:[<&mfc120u.#5824>>; mfc120u.#5825
00530C5D |. 50 push eax
00530C5E |. 68 2C4B6800 push HprSnap8.00684B2C ; ASCII "EN"
00530C63 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
00530C66 |. FF15 00AD6600 call near dword ptr ds:[<&mfc120u.#293>] ; mfc120u.#293
00530C6C |. 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
00530C6F |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00530C73 |. FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>; mfc120u.#6864
00530C79 |. 50 push eax
00530C7A |. 8D4D 10 lea ecx,dword ptr ss:[ebp+0x10]
00530C7D |. FF15 94B16600 call near dword ptr ds:[<&mfc120u.#2948>>; mfc120u.#2948
00530C83 |. 85C0 test eax,eax
00530C85 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00530C89 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
00530C8C |. 0F94C3 sete bl
00530C8F |. FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00530C95 |. 84DB test bl,bl
00530C97 |. 74 09 je short HprSnap8.00530CA2
00530C99 |. 8D4D 10 lea ecx,dword ptr ss:[ebp+0x10]
00530C9C |. FF15 E4AE6600 call near dword ptr ds:[<&mfc120u.#4280>>; mfc120u.#4280
00530CA2 |> 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
00530CA5 |. 50 push eax
00530CA6 |. 68 19000200 push 0x20019
00530CAB |. 6A 00 push 0x0
00530CAD |. 8D4D 0C lea ecx,dword ptr ss:[ebp+0xC]
00530CB0 |. FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>; mfc120u.#6864
00530CB6 |. 50 push eax ; ||Subkey
00530CB7 |. FF75 08 push dword ptr ss:[ebp+0x8] ; ||hKey
00530CBA |. FF15 04806600 call near dword ptr ds:[<&ADVAPI32.RegOp>; |\可疑地址2
00530CC0 |. 85C0 test eax,eax ; |
00530CC2 |. 0F85 8D000000 jnz HprSnap8.00530D55 ; |
00530CC8 |. 68 00100000 push 0x1000 ; |/size = 1000 (4096.)
00530CCD |. FF15 E89D6600 call near dword ptr ds:[<&MSVCR120.mallo>; |\malloc
00530CD3 |. 8BF0 mov esi,eax ; |
00530CD5 |. C745 F0 00100>mov dword ptr ss:[ebp-0x10],0x1000 ; |
00530CDC |. 8D45 10 lea eax,dword ptr ss:[ebp+0x10] ; |
00530CDF |. 50 push eax ; |Arg3
00530CE0 |. 8D45 E8 lea eax,dword ptr ss:[ebp-0x18] ; |
00530CE3 |. 68 304B6800 push HprSnap8.00684B30 ; |Arg2 = 00684B30
00530CE8 |. 50 push eax ; |Arg1
00530CE9 |. E8 72AEF3FF call HprSnap8.0046BB60 ; \HprSnap8.0046BB60
00530CEE |. 83C4 10 add esp,0x10
00530CF1 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
00530CF4 |. 51 push ecx
00530CF5 |. 56 push esi
00530CF6 |. 6A 00 push 0x0
00530CF8 |. 6A 00 push 0x0
00530CFA |. 8BC8 mov ecx,eax
00530CFC |. FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>; mfc120u.#6864
00530D02 |. 50 push eax ; |ValueName
00530D03 |. FF75 EC push dword ptr ss:[ebp-0x14] ; |hKey
00530D06 |. FF15 08806600 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExW
00530D0C |. 85C0 test eax,eax
00530D0E |. 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00530D11 |. 0F94C3 sete bl
00530D14 |. FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00530D1A |. 84DB test bl,bl
00530D1C |. 74 07 je short HprSnap8.00530D25
00530D1E |. 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00530D21 |. 8907 mov dword ptr ds:[edi],eax
00530D23 |. EB 21 jmp short HprSnap8.00530D46
00530D25 |> 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00530D28 |. 50 push eax ; /pBufSize
00530D29 |. 56 push esi ; |Buffer
00530D2A |. 6A 00 push 0x0 ; |pValueType = NULL
00530D2C |. 6A 00 push 0x0 ; |Reserved = NULL
00530D2E |. 68 304B6800 push HprSnap8.00684B30 ; |ValueName = "Key"
00530D33 |. FF75 EC push dword ptr ss:[ebp-0x14] ; |hKey
00530D36 |. FF15 08806600 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExW
00530D3C |. 33C9 xor ecx,ecx
00530D3E |. 85C0 test eax,eax
00530D40 |. 0F444D F0 cmove ecx,dword ptr ss:[ebp-0x10]
00530D44 |. 890F mov dword ptr ds:[edi],ecx
00530D46 |> 8B07 mov eax,dword ptr ds:[edi]
00530D48 |. C60406 00 mov byte ptr ds:[esi+eax],0x0
00530D4C |. FF75 EC push dword ptr ss:[ebp-0x14] ; /hKey
00530D4F |. FF15 3C806600 call near dword ptr ds:[<&ADVAPI32.RegCl>; \RegCloseKey
00530D55 |> 8D4D 10 lea ecx,dword ptr ss:[ebp+0x10]
00530D58 |. FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00530D5E |. 8D4D 0C lea ecx,dword ptr ss:[ebp+0xC]
00530D61 |. FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00530D67 |. 8BC6 mov eax,esi
00530D69 |. 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
00530D6C |. 64:890D 00000>mov dword ptr fs:[0],ecx
00530D73 |. 59 pop ecx
00530D74 |. 5F pop edi
00530D75 |. 5E pop esi
00530D76 |. 5B pop ebx
00530D77 |. 8BE5 mov esp,ebp
00530D79 |. 5D pop ebp
00530D7A \. C3 retn

复制代码

这个是可疑的call所在的函数，走到00530D7A后单步走出该函数，来到下面这个函数：

00531010 [ DISCUZ_CODE_11 ]nbsp; 55 push ebp
00531011 . 8BEC mov ebp,esp
00531013 . 6A FF push -0x1
00531015 . 68 83226600 push HprSnap8.00662283
0053101A . 64:A1 0000000>mov eax,dword ptr fs:[0]
00531020 . 50 push eax
00531021 . 83EC 28 sub esp,0x28
00531024 . 53 push ebx
00531025 . 56 push esi
00531026 . 57 push edi
00531027 . A1 38D57300 mov eax,dword ptr ds:[0x73D538]
0053102C . 33C5 xor eax,ebp
0053102E . 50 push eax
0053102F . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00531032 . 64:A3 0000000>mov dword ptr fs:[0],eax
00531038 . 8BF9 mov edi,ecx
0053103A . 897D E0 mov dword ptr ss:[ebp-0x20],edi
0053103D . C745 F0 00000>mov dword ptr ss:[ebp-0x10],0x0
00531044 . 33F6 xor esi,esi
00531046 . 33DB xor ebx,ebx
00531048 . E8 533EF6FF call HprSnap8.00494EA0
0053104D . 395D 08 cmp dword ptr ss:[ebp+0x8],ebx
00531050 . 0F85 33010000 jnz HprSnap8.00531189
00531056 . 68 38F46600 push HprSnap8.0066F438 ; UNICODE ""
0053105B . 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
0053105E . FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ; mfc120u.#290
00531064 . 68 204B6800 push HprSnap8.00684B20 ; ASCII "Software"
00531069 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0053106C . 895D FC mov dword ptr ss:[ebp-0x4],ebx
0053106F . FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ; mfc120u.#290
00531075 . 8D87 84000000 lea eax,dword ptr ds:[edi+0x84]
0053107B . C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
0053107F . 50 push eax
00531080 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
00531083 . 50 push eax
00531084 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
00531087 . 50 push eax
00531088 . E8 33AAF3FF call HprSnap8.0046BAC0
0053108D . 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
00531090 . C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00531094 . 51 push ecx
00531095 . 50 push eax
00531096 . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
00531099 . 50 push eax
0053109A . E8 21AAF3FF call HprSnap8.0046BAC0
0053109F . 8BC8 mov ecx,eax ; |
005310A1 . 8D47 2C lea eax,dword ptr ds:[edi+0x2C] ; |
005310A4 . C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3 ; |
005310A8 . 50 push eax ; |Arg3
005310A9 . 51 push ecx ; |Arg2
005310AA . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C] ; |
005310AD . 50 push eax ; |Arg1
005310AE . E8 0DAAF3FF call HprSnap8.0046BAC0 ; \HprSnap8.0046BAC0
005310B3 . 83C4 24 add esp,0x24
005310B6 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
005310B9 . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
005310BF . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
005310C2 . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
005310C8 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
005310CB . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
005310D1 . 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
005310D4 . C645 FC 08 mov byte ptr ss:[ebp-0x4],0x8
005310D8 . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
005310DE . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
005310E1 . 50 push eax
005310E2 . 51 push ecx
005310E3 . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
005310E6 . 8BCC mov ecx,esp
005310E8 . 50 push eax
005310E9 . FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ; mfc120u.#280
005310EF . 68 01000080 push 0x80000001 ; |Arg1 = 80000001
005310F4 . E8 07FBFFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
005310F9 . 8BF0 mov esi,eax
005310FB . 83C4 0C add esp,0xC
005310FE . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00531101 . 83F8 05 cmp eax,0x5
00531104 . 7E 16 jle short HprSnap8.0053111C
00531106 . FF75 10 push dword ptr ss:[ebp+0x10]
00531109 . 8BCF mov ecx,edi
0053110B . 53 push ebx
0053110C . FF75 0C push dword ptr ss:[ebp+0xC]
0053110F . 50 push eax
00531110 . 56 push esi
00531111 . E8 4A030000 call HprSnap8.00531460
00531116 . 8BD8 mov ebx,eax
00531118 . 85DB test ebx,ebx
0053111A . 75 55 jnz short HprSnap8.00531171
0053111C > 56 push esi ; /block
0053111D . FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
00531123 . 83C4 04 add esp,0x4
00531126 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00531129 . 50 push eax
0053112A . 51 push ecx
0053112B . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0053112E . 8BCC mov ecx,esp
00531130 . 50 push eax
00531131 . FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ; mfc120u.#280
00531137 . 68 01000080 push 0x80000001 ; |Arg1 = 80000001
0053113C . E8 BFFAFFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
00531141 . 8BF0 mov esi,eax
00531143 . 83C4 0C add esp,0xC
00531146 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00531149 . 83F8 05 cmp eax,0x5
0053114C . 7E 17 jle short HprSnap8.00531165
0053114E . FF75 10 push dword ptr ss:[ebp+0x10]
00531151 . 8BCF mov ecx,edi
00531153 . 6A 00 push 0x0
00531155 . FF75 0C push dword ptr ss:[ebp+0xC]
00531158 . 50 push eax
00531159 . 56 push esi
0053115A . E8 01030000 call HprSnap8.00531460
0053115F . 8BD8 mov ebx,eax
00531161 . 85DB test ebx,ebx
00531163 . 75 0C jnz short HprSnap8.00531171
00531165 > 56 push esi ; /block
00531166 . FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
0053116C . 83C4 04 add esp,0x4
0053116F . 33F6 xor esi,esi
00531171 > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00531174 . C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1
0053117B . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00531181 . 85DB test ebx,ebx
00531183 . 0F85 AC020000 jnz HprSnap8.00531435
00531189 > 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
0053118C . FF15 B4B16600 call near dword ptr ds:[<&mfc120u.#296>] ; mfc120u.#316
00531192 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00531195 . 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
00531198 . C745 FC 09000>mov dword ptr ss:[ebp-0x4],0x9
0053119F . 85C0 test eax,eax
005311A1 . 74 09 je short HprSnap8.005311AC
005311A3 . 50 push eax
005311A4 . FF15 A0B16600 call near dword ptr ds:[<&mfc120u.#1520>>; mfc120u.#1520
005311AA . EB 0D jmp short HprSnap8.005311B9
005311AC > 8D87 AC000000 lea eax,dword ptr ds:[edi+0xAC]
005311B2 . 50 push eax
005311B3 . FF15 A4B16600 call near dword ptr ds:[<&mfc120u.#1518>>; mfc120u.#1518
005311B9 > 68 48096700 push HprSnap8.00670948 ; UNICODE "rb"
005311BE . 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
005311C1 . FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>; mfc120u.#6864
005311C7 . 50 push eax ; |path
005311C8 . FF15 FC9D6600 call near dword ptr ds:[<&MSVCR120._wfop>; \_wfopen
005311CE . 83C4 08 add esp,0x8
005311D1 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
005311D4 . 85C0 test eax,eax
005311D6 . 75 38 jnz short HprSnap8.00531210
005311D8 . 3945 08 cmp dword ptr ss:[ebp+0x8],eax
005311DB . 0F85 A7000000 jnz HprSnap8.00531288
005311E1 . 8D87 B0000000 lea eax,dword ptr ds:[edi+0xB0]
005311E7 . 50 push eax
005311E8 . 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
005311EB . FF15 A4B16600 call near dword ptr ds:[<&mfc120u.#1518>>; mfc120u.#1518
005311F1 . 68 48096700 push HprSnap8.00670948 ; UNICODE "rb"
005311F6 . 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
005311F9 . FF15 74B16600 call near dword ptr ds:[<&mfc120u.#1658>>; mfc120u.#6864
005311FF . 50 push eax ; |path
00531200 . FF15 FC9D6600 call near dword ptr ds:[<&MSVCR120._wfop>; \_wfopen
00531206 . 83C4 08 add esp,0x8
00531209 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
0053120C . 85C0 test eax,eax
0053120E . 74 78 je short HprSnap8.00531288
00531210 > 8B3D A49D6600 mov edi,dword ptr ds:[<&MSVCR120.fseek>] ; msvcr120.fseek
00531216 . 6A 02 push 0x2 ; /whence = SEEK_END
00531218 . 6A 00 push 0x0 ; |offset = 0x0
0053121A . 50 push eax ; |stream
0053121B . FFD7 call near edi ; \fseek
0053121D . FF75 E8 push dword ptr ss:[ebp-0x18] ; /stream
00531220 . FF15 A09D6600 call near dword ptr ds:[<&MSVCR120.ftell>; \ftell
00531226 . 6A 00 push 0x0
00531228 . 6A 00 push 0x0
0053122A . FF75 E8 push dword ptr ss:[ebp-0x18]
0053122D . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00531230 . FFD7 call near edi
00531232 . 83C4 1C add esp,0x1C
00531235 . 85F6 test esi,esi
00531237 . 75 10 jnz short HprSnap8.00531249
00531239 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0053123C . 40 inc eax
0053123D . 50 push eax ; /size
0053123E . FF15 E89D6600 call near dword ptr ds:[<&MSVCR120.mallo>; \malloc
00531244 . 83C4 04 add esp,0x4
00531247 . 8BF0 mov esi,eax
00531249 > 8B7D E8 mov edi,dword ptr ss:[ebp-0x18]
0053124C . 57 push edi ; /stream
0053124D . FF75 F0 push dword ptr ss:[ebp-0x10] ; |n
00531250 . 6A 01 push 0x1 ; |size = 0x1
00531252 . 56 push esi ; |ptr
00531253 . FF15 A89D6600 call near dword ptr ds:[<&MSVCR120.fread>; \fread
00531259 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0053125C . 57 push edi ; /stream
0053125D . C60406 00 mov byte ptr ds:[esi+eax],0x0 ; |
00531261 . FF15 F89D6600 call near dword ptr ds:[<&MSVCR120.fclos>; \fclose
00531267 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0053126A . 83C4 14 add esp,0x14
0053126D . 8B7D E0 mov edi,dword ptr ss:[ebp-0x20]
00531270 . 83F8 05 cmp eax,0x5
00531273 . 7E 13 jle short HprSnap8.00531288
00531275 . FF75 10 push dword ptr ss:[ebp+0x10]
00531278 . 8BCF mov ecx,edi
0053127A . 6A 00 push 0x0
0053127C . FF75 0C push dword ptr ss:[ebp+0xC]
0053127F . 50 push eax
00531280 . 56 push esi
00531281 . E8 DA010000 call HprSnap8.00531460
00531286 . 8BD8 mov ebx,eax
00531288 > 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
0053128B . C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1
00531292 . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00531298 . 85DB test ebx,ebx
0053129A . 0F85 95010000 jnz HprSnap8.00531435
005312A0 . 56 push esi ; /block
005312A1 . FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
005312A7 . 83C4 04 add esp,0x4
005312AA . 8D47 5C lea eax,dword ptr ds:[edi+0x5C]
005312AD . 33F6 xor esi,esi
005312AF . 8945 0C mov dword ptr ss:[ebp+0xC],eax
005312B2 . 8975 E8 mov dword ptr ss:[ebp-0x18],esi
005312B5 . EB 09 jmp short HprSnap8.005312C0
005312B7 . 8DA424 000000>lea esp,dword ptr ss:[esp]
005312BE . 8BFF mov edi,edi
005312C0 > 68 B4C86D00 push HprSnap8.006DC8B4
005312C5 . 8D48 D8 lea ecx,dword ptr ds:[eax-0x28]
005312C8 . FF15 A8A46600 call near dword ptr ds:[<&mfc120u.#2949>>; mfc120u.#2949
005312CE . 85C0 test eax,eax
005312D0 . 0F8E 5F010000 jle HprSnap8.00531435
005312D6 . 68 38F46600 push HprSnap8.0066F438 ; UNICODE ""
005312DB . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
005312DE . FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ; mfc120u.#290
005312E4 . 68 204B6800 push HprSnap8.00684B20 ; ASCII "Software"
005312E9 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
005312EC . C745 FC 0A000>mov dword ptr ss:[ebp-0x4],0xA
005312F3 . FF15 A0AD6600 call near dword ptr ds:[<&mfc120u.#290>] ; mfc120u.#290
005312F9 . 8D87 84000000 lea eax,dword ptr ds:[edi+0x84]
005312FF . C645 FC 0B mov byte ptr ss:[ebp-0x4],0xB
00531303 . 50 push eax
00531304 . 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
00531307 . 50 push eax
00531308 . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
0053130B . 50 push eax
0053130C . E8 AFA7F3FF call HprSnap8.0046BAC0
00531311 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00531314 . C645 FC 0C mov byte ptr ss:[ebp-0x4],0xC
00531318 . 51 push ecx
00531319 . 50 push eax
0053131A . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
0053131D . 50 push eax
0053131E . E8 9DA7F3FF call HprSnap8.0046BAC0
00531323 . FF75 0C push dword ptr ss:[ebp+0xC] ; |Arg3
00531326 . C645 FC 0D mov byte ptr ss:[ebp-0x4],0xD ; |
0053132A . 50 push eax ; |Arg2
0053132B . 8D45 08 lea eax,dword ptr ss:[ebp+0x8] ; |
0053132E . 50 push eax ; |Arg1
0053132F . E8 8CA7F3FF call HprSnap8.0046BAC0 ; \HprSnap8.0046BAC0
00531334 . 83C4 24 add esp,0x24
00531337 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
0053133A . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00531340 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00531343 . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00531349 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0053134C . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00531352 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00531355 . C645 FC 12 mov byte ptr ss:[ebp-0x4],0x12
00531359 . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
0053135F . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00531362 . 50 push eax
00531363 . 51 push ecx
00531364 . 8D45 08 lea eax,dword ptr ss:[ebp+0x8]
00531367 . 8BCC mov ecx,esp
00531369 . 50 push eax
0053136A . FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ; mfc120u.#280
00531370 . 68 01000080 push 0x80000001 ; |Arg1 = 80000001
00531375 . E8 86F8FFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
0053137A . 8BF0 mov esi,eax
0053137C . 83C4 0C add esp,0xC
0053137F . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00531382 . 83F8 05 cmp eax,0x5
00531385 . 7E 1A jle short HprSnap8.005313A1
00531387 . FF75 10 push dword ptr ss:[ebp+0x10]
0053138A . 8BCF mov ecx,edi
0053138C . 6A 00 push 0x0
0053138E . 6A 01 push 0x1
00531390 . 50 push eax
00531391 . 56 push esi
00531392 . E8 C9000000 call HprSnap8.00531460
00531397 . 8BD8 mov ebx,eax
00531399 . 85DB test ebx,ebx
0053139B . 0F85 8B000000 jnz HprSnap8.0053142C
005313A1 > 56 push esi ; /block
005313A2 . FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
005313A8 . 83C4 04 add esp,0x4
005313AB . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
005313AE . 50 push eax
005313AF . 51 push ecx
005313B0 . 8D45 08 lea eax,dword ptr ss:[ebp+0x8]
005313B3 . 8BCC mov ecx,esp
005313B5 . 50 push eax
005313B6 . FF15 84AF6600 call near dword ptr ds:[<&mfc120u.#280>] ; mfc120u.#280
005313BC . 68 01000080 push 0x80000001 ; |Arg1 = 80000001
005313C1 . E8 3AF8FFFF call HprSnap8.00530C00 ; \HprSnap8.00530C00
005313C6 . 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10]
005313C9 . 83C4 0C add esp,0xC
005313CC . 8BF0 mov esi,eax
005313CE . 83F9 05 cmp ecx,0x5
005313D1 . 7E 22 jle short HprSnap8.005313F5
005313D3 . 33C0 xor eax,eax
005313D5 . 3905 70207300 cmp dword ptr ds:[0x732070],eax
005313DB . 0F94C0 sete al
005313DE . 0B45 10 or eax,dword ptr ss:[ebp+0x10]
005313E1 . 50 push eax
005313E2 . 6A 00 push 0x0
005313E4 . 6A 01 push 0x1
005313E6 . 51 push ecx
005313E7 . 56 push esi
005313E8 . 8BCF mov ecx,edi
005313EA . E8 71000000 call HprSnap8.00531460
005313EF . 8BD8 mov ebx,eax
005313F1 . 85DB test ebx,ebx
005313F3 . 75 37 jnz short HprSnap8.0053142C
005313F5 > 56 push esi ; /block
005313F6 . FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
005313FC . 83C4 04 add esp,0x4
005313FF . C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1
00531406 . 8D4D 08 lea ecx,dword ptr ss:[ebp+0x8]
00531409 . 33F6 xor esi,esi
0053140B . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00531411 . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00531414 . 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
00531417 . 41 inc ecx
00531418 . 83C0 04 add eax,0x4
0053141B . 894D E8 mov dword ptr ss:[ebp-0x18],ecx
0053141E . 8945 0C mov dword ptr ss:[ebp+0xC],eax
00531421 . 83F9 0A cmp ecx,0xA
00531424 .^ 0F8C 96FEFFFF jl HprSnap8.005312C0
0053142A . EB 09 jmp short HprSnap8.00531435
0053142C > 8D4D 08 lea ecx,dword ptr ss:[ebp+0x8]
0053142F . FF15 A8B16600 call near dword ptr ds:[<&mfc120u.#1042>>; mfc120u.#1501
00531435 > 8B45 14 mov eax,dword ptr ss:[ebp+0x14]
00531438 . 85C0 test eax,eax
0053143A . 74 04 je short HprSnap8.00531440
0053143C . 8930 mov dword ptr ds:[eax],esi
0053143E . EB 0A jmp short HprSnap8.0053144A
00531440 > 56 push esi ; /block
00531441 . FF15 549E6600 call near dword ptr ds:[<&MSVCR120.free>>; \free
00531447 . 83C4 04 add esp,0x4
0053144A > 8BC3 mov eax,ebx
0053144C . 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
0053144F . 64:890D 00000>mov dword ptr fs:[0],ecx
00531456 . 59 pop ecx
00531457 . 5F pop edi
00531458 . 5E pop esi
00531459 . 5B pop ebx
0053145A . 8BE5 mov esp,ebp
0053145C . 5D pop ebp
0053145D . C2 1000 retn 0x10

复制代码

从中可以非常清晰的看出这个函数调用了四次00530C00（也就是包含可疑地址2的函数），执行这个函数完之后未注册窗口出现，这意味着什么不言而喻，再看一下返回值：EAX=0，显然这个函数就是我们苦苦寻找的关键函数！
最后一次对eax的赋值是在0053144A处，等等，还记得之前我给大家的特征码吗？8BC38B4DF464890D00000000595F5E5B8BE55DC21000，没错，就是0053144C的代码！
然后就好办了，将0053144A的代码修改为mov eax,1即可。
@逍遥绝尘更新完成

月光下の魔术师 · 发表于 2015-3-7 09:57

附上逆向后成果

可以看见已经没有水印了

逍遥绝尘 · 发表于 2015-3-7 10:22

楼主说明一下输入这个8BC38B4DF464890D00000000595F5E5B8BE55DC21000的意思！不详细啊！

月光下の魔术师 · 发表于 2015-3-7 10:24

Chrome你妹

不小心点了一个快捷方式然后我所有图片都……没了……我！@#￥%…………

闪耀 · 发表于 2015-3-7 11:01

卧槽撸主好流弊啊

月光下の魔术师 · 发表于 2015-3-7 11:19

闪耀发表于 2015-3-7 11:01
卧槽撸主好流弊啊

大牛别讽刺我了……

知道自己渣

Scar-疤痕 · 发表于 2015-3-7 11:29

楼主好流弊啊，膜拜

xor · 发表于 2015-3-7 11:37

我初三都只会耍朋友，都没这么流弊。。

月光下の魔术师 · 发表于 2015-3-7 12:11

闪耀发表于 2015-3-7 11:01
卧槽撸主好流弊啊

大神是怎么用点评的，为啥我没找到，特权？

		自动登录	找回密码
密码			立即注册

[原创逆向图文] 某截图软件爆破教程

评分

评分

评分

点评