Computerinsel PhotoLine 21.50 x64 patch analysis

爱必应

Target software: Computerinsel PhotoLine 21.50 x64

Debugging tool: x64dbg

Program info: compiled with VC, not packed

Finding a soft target is not easy~

======================================
Enter a fake code and click Register; an error dialog appears. Apply the F12 (pause) trick:

Computerinsel PhotoLine 21.50 x64 patch analysis - figure 1

Return via the call stack, set a breakpoint, F9: it breaks on the first try:

Computerinsel PhotoLine 21.50 x64 patch analysis - figure 2

Remove the previous breakpoint, F8 to return one level up, set a breakpoint at the end of the function, F9 to run, go back to the error dialog and click "OK":

Computerinsel PhotoLine 21.50 x64 patch analysis - figure 3

After it breaks, F8 all the way back up to find the key code segment:
[Asm]

0000000140AD1751 | E8 FAF5FFFF | call photoline.140AD0D50 | key CALL
0000000140AD1756 | BA 68BF0000 | mov edx,BF68 |
0000000140AD175B | 48:8D4C24 30 | lea rcx,qword ptr ss:[rsp+30] |
0000000140AD1760 | 66:85C0 | test ax,ax |
0000000140AD1763 | 0F85 83000000 | jne photoline.140AD17EC | key jump
0000000140AD1769 | E8 82A2BFFF | call photoline.1406CB9F0 |
0000000140AD176E | 48:8BF8 | mov rdi,rax |
0000000140AD1771 | BA B8960000 | mov edx,96B8 |
0000000140AD1776 | 48:8D4C24 78 | lea rcx,qword ptr ss:[rsp+78] |
0000000140AD177B | E8 70A2BFFF | call photoline.1406CB9F0 |
0000000140AD1780 | 48:8BD8 | mov rbx,rax |
0000000140AD1783 | BA 72BF0000 | mov edx,BF72 |
0000000140AD1788 | 48:8D4D B8 | lea rcx,qword ptr ss:[rbp-48] |
0000000140AD178C | E8 5FA2BFFF | call photoline.1406CB9F0 |
0000000140AD1791 | 90 | nop |
0000000140AD1792 | 4C:8D0D 878EC100 | lea r9,qword ptr ds:[1416EA620] |
0000000140AD1799 | 4C:894C24 28 | mov qword ptr ss:[rsp+28],r9 |
0000000140AD179E | 4C:894C24 20 | mov qword ptr ss:[rsp+20],r9 |
0000000140AD17A3 | 4C:8BC7 | mov r8,rdi |
0000000140AD17A6 | 48:8BD3 | mov rdx,rbx |
0000000140AD17A9 | 48:8BC8 | mov rcx,rax |
0000000140AD17AC | E8 5F3B95FF | call photoline.140425310 | F8 to step out of this CALL
0000000140AD17B1 | 90 | nop |
0000000140AD17B2 | 48:8D4D B8 | lea rcx,qword ptr ss:[rbp-48] |
0000000140AD17B6 | E8 C5A7BFFF | call photoline.1406CBF80 |
0000000140AD17BB | 90 | nop |
0000000140AD17BC | 48:8D4C24 78 | lea rcx,qword ptr ss:[rsp+78] |
0000000140AD17C1 | E8 BAA7BFFF | call photoline.1406CBF80 |
0000000140AD17C6 | 90 | nop |
0000000140AD17C7 | 48:8D4C24 30 | lea rcx,qword ptr ss:[rsp+30] |
0000000140AD17CC | E8 AFA7BFFF | call photoline.1406CBF80 |
0000000140AD17D1 | B9 02000000 | mov ecx,2 |
0000000140AD17D6 | E8 3518E3FF | call photoline.140903010 |
0000000140AD17DB | B9 983A0000 | mov ecx,3A98 |
0000000140AD17E0 | E8 ABBC93FF | call photoline.14040D490 | hangs here
0000000140AD17E5 | E8 C617E3FF | call photoline.140902FB0 |
0000000140AD17EA | EB 69 | jmp photoline.140AD1855 |
0000000140AD17EC | E8 FFA1BFFF | call photoline.1406CB9F0 |
0000000140AD17F1 | 48:8BF8 | mov rdi,rax |
0000000140AD17F4 | BA 8D960000 | mov edx,968D |
0000000140AD17F9 | 48:8D4C24 78 | lea rcx,qword ptr ss:[rsp+78] |
0000000140AD17FE | E8 EDA1BFFF | call photoline.1406CB9F0 |
0000000140AD1803 | 48:8BD8 | mov rbx,rax |
0000000140AD1806 | BA 73BF0000 | mov edx,BF73 |
0000000140AD180B | 48:8D4D B8 | lea rcx,qword ptr ss:[rbp-48] |

F7 into the key CALL:
[Asm]

0000000140AD0E6B | E8 60FA0800 | call photoline.140B608D0 | key CALL 2
0000000140AD0E70 | 8B45 B4 | mov eax,dword ptr ss:[rbp-4C] |
0000000140AD0E73 | A9 FF0F0000 | test eax,FFF | jne not taken when eax = 000
0000000140AD0E78 | 0F85 1E010000 | jne photoline.140AD0F9C |
0000000140AD0E7E | 25 00F0FFFF | and eax,FFFFF000 |
0000000140AD0E83 | 3D 00D00800 | cmp eax,8D000 | jne not taken when eax = 8D000
0000000140AD0E88 | 0F85 0E010000 | jne photoline.140AD0F9C |
0000000140AD0E8E | 48:8B45 B0 | mov rax,qword ptr ss:[rbp-50] |
0000000140AD0E92 | 3D 28230000 | cmp eax,2328 | ja not taken when eax < 2328
0000000140AD0E97 | 0F87 FF000000 | ja photoline.140AD0F9C |
0000000140AD0E9D | 8B0D E564C200 | mov ecx,dword ptr ds:[1416F7388] |
0000000140AD0EA3 | 85C9 | test ecx,ecx |
0000000140AD0EA5 | 74 1D | je photoline.140AD0EC4 |
0000000140AD0EA7 | 48:8BD3 | mov rdx,rbx |
0000000140AD0EAA | 4C:8D05 D764C200 | lea r8,qword ptr ds:[1416F7388] |
0000000140AD0EB1 | 3BC8 | cmp ecx,eax |
0000000140AD0EB3 | 0F84 E3000000 | je photoline.140AD0F9C |
0000000140AD0EB9 | 48:FFC2 | inc rdx |
0000000140AD0EBC | 41:8B0C90 | mov ecx,dword ptr ds:[r8+rdx*4] |
0000000140AD0EC0 | 85C9 | test ecx,ecx |
0000000140AD0EC2 | 75 ED | jne photoline.140AD0EB1 |
0000000140AD0EC4 | 48:8D55 B0 | lea rdx,qword ptr ss:[rbp-50] |
0000000140AD0EC8 | 48:8D4D A8 | lea rcx,qword ptr ss:[rbp-58] |
0000000140AD0ECC | E8 FFF90800 | call photoline.140B608D0 | the registration code is shown when greater than 63 and less than 1F3F
0000000140AD0ED1 | 8B45 B0 | mov eax,dword ptr ss:[rbp-50] |
0000000140AD0ED4 | 83C0 9C | add eax,FFFFFF9C |
0000000140AD0ED7 | 3D DB1E0000 | cmp eax,1EDB | when 100000000 < eax+FFFFFF9C < 100001EDB
0000000140AD0EDC | 77 2E | ja photoline.140AD0F0C | the jump is not taken
0000000140AD0EDE | 48:8D9F A8020000 | lea rbx,qword ptr ds:[rdi+2A8] | when ja is taken, "********" is shown
0000000140AD0EE5 | 48:8B03 | mov rax,qword ptr ds:[rbx] | otherwise the entered fake code is shown
0000000140AD0EE8 | 8B55 AC | mov edx,dword ptr ss:[rbp-54] |
0000000140AD0EEB | 48:8BCB | mov rcx,rbx |
0000000140AD0EEE | FF90 A8000000 | call qword ptr ds:[rax+A8] |
0000000140AD0EF4 | 48:81C7 08060000 | add rdi,608 |
0000000140AD0EFB | 48:8B07 | mov rax,qword ptr ds:[rdi] |
0000000140AD0EFE | 8B55 A8 | mov edx,dword ptr ss:[rbp-58] |
0000000140AD0F01 | 48:8BCF | mov rcx,rdi |
0000000140AD0F04 | FF90 A8000000 | call qword ptr ds:[rax+A8] |
0000000140AD0F0A | EB 68 | jmp photoline.140AD0F74 |
0000000140AD0F0C | 48:8D15 15146D00 | lea rdx,qword ptr ds:[1411A2328] | 00000001411A2328:"********"
0000000140AD0F13 | 48:8D4C24 28 | lea rcx,qword ptr ss:[rsp+28] |
0000000140AD0F18 | E8 13ABBFFF | call photoline.1406CBA30 |
0000000140AD0F1D | 90 | nop |
0000000140AD0F1E | 48:8D9F A8020000 | lea rbx,qword ptr ds:[rdi+2A8] |
0000000140AD0F25 | 4C:8B03 | mov r8,qword ptr ds:[rbx] |
0000000140AD0F28 | 48:8BD0 | mov rdx,rax |
0000000140AD0F2B | 48:8BCB | mov rcx,rbx |
0000000140AD0F2E | 41:FF90 C8000000 | call qword ptr ds:[r8+C8] |
0000000140AD0F35 | 90 | nop |
0000000140AD0F36 | 48:8D4C24 28 | lea rcx,qword ptr ss:[rsp+28] |
0000000140AD0F3B | E8 40B0BFFF | call photoline.1406CBF80 |
0000000140AD0F40 | 48:8D15 E1136D00 | lea rdx,qword ptr ds:[1411A2328] | 00000001411A2328:"********"
0000000140AD0F47 | 48:8D4C24 28 | lea rcx,qword ptr ss:[rsp+28] |
0000000140AD0F4C | E8 DFAABFFF | call photoline.1406CBA30 |
0000000140AD0F51 | 90 | nop |
0000000140AD0F52 | 48:81C7 08060000 | add rdi,608 |
0000000140AD0F59 | 4C:8B07 | mov r8,qword ptr ds:[rdi] |
0000000140AD0F5C | 48:8BD0 | mov rdx,rax |
0000000140AD0F5F | 48:8BCF | mov rcx,rdi |
0000000140AD0F62 | 41:FF90 C8000000 | call qword ptr ds:[r8+C8] |
0000000140AD0F69 | 90 | nop |
0000000140AD0F6A | 48:8D4C24 28 | lea rcx,qword ptr ss:[rsp+28] |
0000000140AD0F6F | E8 0CB0BFFF | call photoline.1406CBF80 |
0000000140AD0F74 | 48:8B03 | mov rax,qword ptr ds:[rbx] |
0000000140AD0F77 | BE 01000000 | mov esi,1 | esi = 1
0000000140AD0F7C | 8BD6 | mov edx,esi |
0000000140AD0F7E | 48:8BCB | mov rcx,rbx |
0000000140AD0F81 | FF50 40 | call qword ptr ds:[rax+40] |
0000000140AD0F84 | 48:8B07 | mov rax,qword ptr ds:[rdi] |
0000000140AD0F87 | 8BD6 | mov edx,esi |
0000000140AD0F89 | 48:8BCF | mov rcx,rdi |
0000000140AD0F8C | FF50 40 | call qword ptr ds:[rax+40] |
0000000140AD0F8F | B9 9D310000 | mov ecx,319D |
0000000140AD0F94 | E8 57D8B0FF | call photoline.1405DE7F0 |
0000000140AD0F99 | 0FB7DE | movzx ebx,si | ebx value is determined by si
0000000140AD0F9C | 48:8D4D 00 | lea rcx,qword ptr ss:[rbp] | validation failure jumps here
0000000140AD0FA0 | E8 DBAFBFFF | call photoline.1406CBF80 |
0000000140AD0FA5 | 90 | nop |
0000000140AD0FA6 | 48:8D4D C0 | lea rcx,qword ptr ss:[rbp-40] |
0000000140AD0FAA | E8 D1AFBFFF | call photoline.1406CBF80 |
0000000140AD0FAF | 0FB7C3 | movzx eax,bx | eax value is determined by bx
0000000140AD0FB2 | 48:8B4D 40 | mov rcx,qword ptr ss:[rbp+40] |
0000000140AD0FB6 | 48:33CC | xor rcx,rsp |
0000000140AD0FB9 | E8 72FC4400 | call photoline.140F20C30 |
0000000140AD0FBE | 4C:8D9C24 50010000 | lea r11,qword ptr ss:[rsp+150] |
0000000140AD0FC6 | 49:8B5B 18 | mov rbx,qword ptr ds:[r11+18] |
0000000140AD0FCA | 49:8B73 20 | mov rsi,qword ptr ds:[r11+20] |
0000000140AD0FCE | 49:8B7B 28 | mov rdi,qword ptr ds:[r11+28] |
0000000140AD0FD2 | 49:8BE3 | mov rsp,r11 |
0000000140AD0FD5 | 5D | pop rbp |
0000000140AD0FD6 | C3 | ret |

F7 into key CALL 2 and go straight to the end of the function to look at the return value:
[Asm]

0000000140B609A8 | 337C24 40 | xor edi,dword ptr ss:[rsp+40] |
0000000140B609AC | 335C24 44 | xor ebx,dword ptr ss:[rsp+44] |
0000000140B609B0 | 48:8B6C24 58 | mov rbp,qword ptr ss:[rsp+58] |
0000000140B609B5 | 895C24 4C | mov dword ptr ss:[rsp+4C],ebx |
0000000140B609B9 | 48:8B5C24 50 | mov rbx,qword ptr ss:[rsp+50] |
0000000140B609BE | 897C24 48 | mov dword ptr ss:[rsp+48],edi |
0000000140B609C2 | 48:8B4424 48 | mov rax,qword ptr ss:[rsp+48] |
0000000140B609C7 | 49:8907 | mov qword ptr ds:[r15],rax |
0000000140B609CA | 48:83C4 20 | add rsp,20 |
0000000140B609CE | 41:5F | pop r15 |
0000000140B609D0 | 5F | pop rdi |
0000000140B609D1 | 5E | pop rsi |
0000000140B609D2 | C3 | ret |

The return value is placed in rax, but it is also stashed through r15:

Computerinsel PhotoLine 21.50 x64 patch analysis - figure 4

The [rbp-4C] used in the first check is the high eight hex digits of r15:

Computerinsel PhotoLine 21.50 x64 patch analysis - figure 5

The [rbp-50] used in the second check is the low eight hex digits of r15:

Computerinsel PhotoLine 21.50 x64 patch analysis - figure 6

From this I infer that the software checks the high and low halves of key CALL 2's return value separately: the high eight hex digits must equal 0x0008D000, and the low eight hex digits must be less than 0x00002328 (when the low half is greater than 0x63 and less than 0x1F3F the entered fake code is displayed, otherwise it is displayed as "**********"; I have not worked out what the difference means...)
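To check that reading against the disassembly itself, here is a C model of the comparison chain at 140AD0E70..140AD0EDC; it is an added example written for this write-up, not PhotoLine's code. It assumes the 64-bit value that key CALL 2 writes through r15 splits into a high DWORD ([rbp-4C]) and a low DWORD ([rbp-50]), and that rbx is zero when the table loop at 140AD0E9D starts; the table contents at 1416F7388 are unknown, so a constructed one is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of the check sequence, as read from the disassembly. */
enum check_result {
    CHECK_FAIL = 0,          /* one of the jne/ja/je to 140AD0F9C taken */
    CHECK_OK_SHOW_CODE = 1,  /* passes, entered code is displayed */
    CHECK_OK_SHOW_STARS = 2  /* passes, "********" is displayed */
};

/* Constructed stand-in for the zero-terminated DWORD table at 1416F7388
   (real contents unknown; assumption for illustration only). */
static const uint32_t example_table[] = { 0x00001000u, 0u };

/* r15_value: the QWORD key CALL 2 stores at [r15].
   table: zero-terminated DWORD list, or NULL to skip the scan. */
enum check_result model_check(uint64_t r15_value, const uint32_t *table)
{
    uint32_t hi = (uint32_t)(r15_value >> 32);   /* [rbp-4C] */
    uint32_t lo = (uint32_t)r15_value;           /* [rbp-50] */

    /* test eax,FFF ; jne fail   -> low 12 bits of hi must be zero */
    if (hi & 0xFFFu) return CHECK_FAIL;
    /* and eax,FFFFF000 ; cmp eax,8D000 ; jne fail -> hi == 0x0008D000 */
    if ((hi & 0xFFFFF000u) != 0x0008D000u) return CHECK_FAIL;
    /* cmp eax,2328 ; ja fail  -> unsigned lo <= 0x2328 (0x2328 itself passes) */
    if (lo > 0x2328u) return CHECK_FAIL;
    /* loop at 140AD0E9D: any non-zero table entry equal to lo fails (je) */
    if (table)
        for (size_t i = 0; table[i] != 0; i++)
            if (table[i] == lo) return CHECK_FAIL;
    /* add eax,FFFFFF9C is eax - 0x64 ; cmp eax,1EDB ; ja -> "********" path.
       Unsigned wrap means lo < 0x64 also takes the ja, so the code is shown
       only for 0x64 <= lo <= 0x1F3F. */
    if ((uint32_t)(lo - 0x64u) > 0x1EDBu) return CHECK_OK_SHOW_STARS;
    return CHECK_OK_SHOW_CODE;
}

int main(void)
{
    const uint64_t samples[] = { 0x0008D00000001000ull, 0x0008D00000000010ull,
                                 0x0008D00000001F40ull, 0x0008D00100001000ull };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%016llx -> %d\n", (unsigned long long)samples[i],
               (int)model_check(samples[i], NULL));
    return 0;
}
```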

For patching, it is enough to fix the value of rax at the end of key CALL 2~

====================================================

This is my first crack write-up and it is a bit messy; I wrote this much about a simple little program, so bear with it

Original installer: https://www.lanzous.com/i882qed

Feel free to play with it if you are interested~
