AB Commander爆破过网络自校验及大白补丁的运用

文章资讯 2020-02-03 15:15:11

AB Commander爆破过网络自校验及大白补丁的运用

软件会根据系统的不同，安装对应版本（x86/x64）的 EXE/DLL。
网上搜索一下不难发现该软件的注册机。该软件有假注册行为、联网校验和退出暗桩（具体表现为 Command->Split->Cancel 或 View->Option->Save 时会弹出一个对话框）。
点“是”，会要求联网注册；点“否”，则直接退出。
先用注册机注册下:

然后在注册表里用 RegWorkshop 随便看看，就发现了以下信息：
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WinAbility\AB Commander\Setup1]
"Result"="96C44282908B1126413081D9D512D986892C6B091A4B5571CE2FB2EEA33CCCB5CEEC85F46CF438CC69051A6329B8FD23AB30A12F5A4D7A2DEC550D40087E8417520F932B2031B58382BC0DCE983F225AFDF15860F19633F2256B86D47448687CCFEC043446F2162DE41E561E1014194BE8403FEC11A441BA0CE42C55EF8498E2"
"Info"="435549435549-38-53353139393936363839303938373635"

接下来打开 x64dbg，战斗开始：
首先，我们点“关于”->“注册”触发断点，成功断下，来到下面的位置。
看看前后的执行流程，不难发现这里位于注册码读取区间。

00007FF898DB8E10 <ab | 48: | mov qword ptr ss:[rsp+8],rbx             |
00007FF898DB8E15     | 48: | mov qword ptr ss:[rsp+10],rsi            |
00007FF898DB8E1A     | 57  | push rdi                                 |
00007FF898DB8E1B     | 48: | sub rsp,30                               |
00007FF898DB8E1F     | 48: | mov rbx,rcx                              | rcx:L"CUICUI"
00007FF898DB8E22     | C74 | mov dword ptr ss:[rsp+28],5471           |
00007FF898DB8E2A     | 48: | add rcx,1CC                              | rcx:L"CUICUI"
00007FF898DB8E31     | C74 | mov dword ptr ss:[rsp+20],5470           |
00007FF898DB8E39     | 41: | mov r9d,546F                             |
00007FF898DB8E3F     | 48: | mov rdx,qword ptr ds:[rbx+8]             |
00007FF898DB8E43     | 4C: | lea r8,qword ptr ds:[rbx+1C8]            |
00007FF898DB8E4A     | E8  | call <abc64.?RCDlg_ProcessEnter@@YAHPEAV |
00007FF898DB8E4F     | 83B | cmp dword ptr ds:[rbx+1C8],0             |
00007FF898DB8E56     | 8BF | mov esi,eax                              |
00007FF898DB8E58     | 74  | je abc64.7FF898DB8E62                    |
00007FF898DB8E5A     | 48: | mov rcx,rbx                              | rcx:L"CUICUI"
00007FF898DB8E5D     | E8  | call <abc64.sub_7FF898DB9990>            |
00007FF898DB8E62     | 85F | test esi,esi                             |
00007FF898DB8E64     | 75  | jne abc64.7FF898DB8E78                   |
00007FF898DB8E66     | 33C | xor eax,eax                              |
00007FF898DB8E68     | 48: | mov rbx,qword ptr ss:[rsp+40]            |
00007FF898DB8E6D     | 48: | mov rsi,qword ptr ss:[rsp+48]            |
00007FF898DB8E72     | 48: | add rsp,30                               |
00007FF898DB8E76     | 5F  | pop rdi                                  |
00007FF898DB8E77     | C3  | ret                                      |
00007FF898DB8E78     | 48: | mov rcx,rbx                              | rcx:L"CUICUI"
00007FF898DB8E7B     | C78 | mov dword ptr ds:[rbx+1C8],1             |
00007FF898DB8E85     | 48: | mov rbx,qword ptr ss:[rsp+40]            |
00007FF898DB8E8A     | 48: | mov rsi,qword ptr ss:[rsp+48]            |
00007FF898DB8E8F     | 48: | add rsp,30                               |
00007FF898DB8E93     | 5F  | pop rdi                                  |
00007FF898DB8E94     | E9  | jmp <abc64.?OnOK@CSDlg@@UEAA_JXZ>        |

00007FF898D9CBD0 <ab | 48: | mov qword ptr ss:[rsp+8],rbx      | AAAAAAAAAAAAAAAAAAAAAA
00007FF898D9CBD5     | 48: | mov qword ptr ss:[rsp+10],rsi     |
00007FF898D9CBDA     | 57  | push rdi                          |
00007FF898D9CBDB     | 48: | sub rsp,20                        |
00007FF898D9CBDF     | 49: | mov rbx,r8                        |
00007FF898D9CBE2     | 8BF | mov edi,edx                       |
00007FF898D9CBE4     | 48: | mov rsi,rcx                       |
00007FF898D9CBE7     | 41: | mov eax,r8d                       |
00007FF898D9CBEA     | C1E | shr eax,10                        |
00007FF898D9CBED     | 66: | dec ax                            |
00007FF898D9CBF0     | B9  | mov ecx,FFFD                      |
00007FF898D9CBF5     | 66: | cmp ax,cx                         |
00007FF898D9CBF8     | 77  | ja abc64.7FF898D9CC11             |
00007FF898D9CBFA     | 48: | mov rcx,rsi                       |
00007FF898D9CBFD     | 48: | mov rbx,qword ptr ss:[rsp+30]     |
00007FF898D9CC02     | 48: | mov rsi,qword ptr ss:[rsp+38]     |
00007FF898D9CC07     | 48: | add rsp,20                        |
00007FF898D9CC0B     | 5F  | pop rdi                           |
00007FF898D9CC0C     | E9  | jmp <abc64.sub_7FF898D9CC70>      |
00007FF898D9CC11     | 33D | xor edx,edx                       |
00007FF898D9CC13     | 44: | lea r9d,qword ptr ds:[rdx+1]      |
00007FF898D9CC17     | 45: | xor r8d,r8d                       |
00007FF898D9CC1A     | 48: | lea rcx,qword ptr ss:[rsp+40]     |
00007FF898D9CC1F     | E8  | call <abc64.??0ResStr@@QEAA@FPEAU |
00007FF898D9CC24     | 90  | nop                               |
00007FF898D9CC25     | 41: | mov r9d,1                         |
00007FF898D9CC2B     | 45: | xor r8d,r8d                       |
00007FF898D9CC2E     | 0FB | movzx edx,bx                      |
00007FF898D9CC31     | 48: | lea rcx,qword ptr ss:[rsp+40]     |
00007FF898D9CC36     | E8  | call <abc64.?Load@ResStr@@QEAAPEB |
00007FF898D9CC3B     | 48: | lea rcx,qword ptr ss:[rsp+40]     |
00007FF898D9CC40     | E8  | call <abc64.??BResStr@@QEAAPEB_WX |
00007FF898D9CC45     | 4C: | mov r8,rax                        |
00007FF898D9CC48     | 8BD | mov edx,edi                       |
00007FF898D9CC4A     | 48: | mov rcx,rsi                       |
00007FF898D9CC4D     | E8  | call <abc64.sub_7FF898D9CC70>     | 调用【此许可证密钥仅供家庭使用,非商业用途】
00007FF898D9CC52     | 8BD | mov ebx,eax                       |
00007FF898D9CC54     | 48: | lea rcx,qword ptr ss:[rsp+40]     |
00007FF898D9CC59     | E8  | call <abc64.?Empty@ResStr@@QEAAXX |
00007FF898D9CC5E     | 8BC | mov eax,ebx                       |
00007FF898D9CC60     | 48: | mov rbx,qword ptr ss:[rsp+30]     |
00007FF898D9CC65     | 48: | mov rsi,qword ptr ss:[rsp+38]     |
00007FF898D9CC6A     | 48: | add rsp,20                        |
00007FF898D9CC6E     | 5F  | pop rdi                           |
00007FF898D9CC6F     | C3  | ret                               |

接下来，单步走过上面的地方。
都走完之后，就来到了这里：

00007FF898D9CC70 <ab | 48: | mov qword ptr ss:[rsp+10],rbx     |
00007FF898D9CC75     | 48: | mov qword ptr ss:[rsp+18],rbp     |
00007FF898D9CC7A     | 48: | mov qword ptr ss:[rsp+20],rsi     |
00007FF898D9CC7F     | 57  | push rdi                          |
00007FF898D9CC80     | 48: | sub rsp,20                        |
00007FF898D9CC84     | 48: | mov rdi,rcx                       |
00007FF898D9CC87     | 48: | mov qword ptr ss:[rsp+30],8       | [rsp+30]:sub_7FF898DB9A00+31C
00007FF898D9CC90     | 48: | lea rcx,qword ptr ss:[rsp+30]     | [rsp+30]:sub_7FF898DB9A00+31C
00007FF898D9CC95     | C74 | mov dword ptr ss:[rsp+34],4000    |
00007FF898D9CC9D     | 49: | mov rbp,r8                        |
00007FF898D9CCA0     | 8BF | mov esi,edx                       |
00007FF898D9CCA2     | FF1 | call qword ptr ds:[<&InitCommonCo |
00007FF898D9CCA8     | 48: | test rdi,rdi                      |
00007FF898D9CCAB     | 75  | jne abc64.7FF898D9CCB6            |
00007FF898D9CCAD     | FF1 | call qword ptr ds:[<&GetActiveWin |
00007FF898D9CCB3     | 48: | mov rdi,rax                       | rax:L"Thank you!nnPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.nnA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCB6     | 33D | xor ebx,ebx                       |
00007FF898D9CCB8     | 48: | cmp rdi,1                         |
00007FF898D9CCBC     | 48: | cmovne rbx,rdi                    |
00007FF898D9CCC0     | 48: | test rbx,rbx                      |
00007FF898D9CCC3     | 74  | je abc64.7FF898D9CCD1             |
00007FF898D9CCC5     | 48: | mov rcx,rbx                       |
00007FF898D9CCC8     | FF1 | call qword ptr ds:[<&GetLastActiv |
00007FF898D9CCCE     | 48: | mov rbx,rax                       | rax:L"Thank you!nnPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.nnA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCD1     | 48: | mov rax,qword ptr ds:[7FF898E62C5 | rax:L"Thank you!nnPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.nnA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCD8     | 48: | test rax,rax                      | rax:L"Thank you!nnPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.nnA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCDB     | 74  | je abc64.7FF898D9CCE1             |
00007FF898D9CCDD     | 33C | xor ecx,ecx                       |
00007FF898D9CCDF     | FFD | call rax                          |
00007FF898D9CCE1     | E8  | call <abc64.?GetMyProductInfo@@YA |
00007FF898D9CCE6     | 48: | mov rcx,rax                       | rax:L"Thank you!nnPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.nnA processing fee will be charged for a replacement copy of your license key."
00007FF898D9CCE9     | 0FB | bts esi,10                        |
00007FF898D9CCED     | 48: | mov rdx,qword ptr ds:[rax]        | rax:L"Thank you!nnPlease keep your licensing information in a safe place, since you will need to enter it again if you decide to reinstall the software.nnA processing fee will be charged for a replacement copy of your license key."

这样我们就注册成功了，同时暗桩也没有触发；但是文件自校验的问题还得处理，不然保存出的文件就会接着弹窗。

重启后触发暗桩，我们就来到了下面这个位置（注意这次不再是 DLL，而是主程序了）：

00007FF68CEC77E0     | 40: | push rbx                          |
00007FF68CEC77E2     | 48: | sub rsp,20                        |
00007FF68CEC77E6     | 48: | mov rbx,rcx                       |
00007FF68CEC77E9     | 48: | lea rcx,qword ptr ds:[7FF68CFD731 |
00007FF68CEC77F0     | E8  | call abcmdr64.7FF68CEB24E0        | 所以这里F7进入修改吧
00007FF68CEC77F5     | 85C | test eax,eax                      |
00007FF68CEC77F7     | 0F8 | jne abcmdr64.7FF68CEC78D1         | 暗桩调用点跳过处,果然需要修改eax返回值
00007FF68CEC77FD     | 48: | mov rcx,qword ptr ds:[rbx+40]     |
00007FF68CEC7801     | 8D5 | lea edx,qword ptr ds:[rax+14]     |
00007FF68CEC7804     | 41: | mov r8d,7DC                       |
00007FF68CEC780A     | 48: | mov qword ptr ss:[rsp+30],rdi     |
00007FF68CEC780F     | FF1 | call qword ptr ds:[<&?Msg@@YAHPEA |
00007FF68CEC7815     | 83F | cmp eax,6                         |
00007FF68CEC7818     | 75  | jne abcmdr64.7FF68CEC782E         |
00007FF68CEC781A     | 48: | mov rcx,qword ptr ds:[rbx+40]     |
00007FF68CEC781E     | 48: | lea rdx,qword ptr ds:[7FF68CF828E | 00007FF68CF828E0:L"integrity-abc"
00007FF68CEC7825     | 45: | xor r8d,r8d                       |
00007FF68CEC7828     | FF1 | call qword ptr ds:[<&?GoOnline@@Y |
00007FF68CEC782E     | 33F | xor edi,edi                       |
00007FF68CEC7830     | 48: | lea rdx,qword ptr ss:[rsp+38]     |
00007FF68CEC7835     | 48: | lea rcx,qword ptr ds:[7FF68CEB96A |
00007FF68CEC783C     | 897 | mov dword ptr ss:[rsp+38],edi     |
00007FF68CEC7840     | FF1 | call qword ptr ds:[<&EnumWindows> |
00007FF68CEC7846     | 397 | cmp dword ptr ss:[rsp+38],edi     |
00007FF68CEC784A     | 74  | je abcmdr64.7FF68CEC7886          |
00007FF68CEC784C     | 0F1 | nop dword ptr ds:[rax],eax        |
00007FF68CEC7850     | 48: | mov rcx,qword ptr ds:[rbx+40]     |
00007FF68CEC7854     | BA  | mov edx,35                        | 35:'5'
00007FF68CEC7859     | 41: | mov r8d,7F3                       |
00007FF68CEC785F     | FF1 | call qword ptr ds:[<&?Msg@@YAHPEA |
00007FF68CEC7865     | 83F | cmp eax,4                         |
00007FF68CEC7868     | 75  | jne abcmdr64.7FF68CEC78CC         |
00007FF68CEC786A     | 48: | lea rdx,qword ptr ss:[rsp+38]     |
00007FF68CEC786F     | 897 | mov dword ptr ss:[rsp+38],edi     |
00007FF68CEC7873     | 48: | lea rcx,qword ptr ds:[7FF68CEB96A |
00007FF68CEC787A     | FF1 | call qword ptr ds:[<&EnumWindows> |
00007FF68CEC7880     | 397 | cmp dword ptr ss:[rsp+38],edi     |
00007FF68CEC7884     | 75  | jne abcmdr64.7FF68CEC7850         |
00007FF68CEC7886     | C78 | mov dword ptr ds:[rbx+1378],1     |
00007FF68CEC7890     | FF1 | call qword ptr ds:[<&GetCurrentTh |
00007FF68CEC7896     | 48: | mov rcx,rax                       |
00007FF68CEC7899     | BA  | mov edx,F                         |
00007FF68CEC789E     | FF1 | call qword ptr ds:[<&SetThreadPri |
00007FF68CEC78A4     | FF1 | call qword ptr ds:[<&GetCurrentPr |
00007FF68CEC78AA     | 48: | mov rcx,rax                       |
00007FF68CEC78AD     | BA  | mov edx,80                        |
00007FF68CEC78B2     | FF1 | call qword ptr ds:[<&SetPriorityC |
00007FF68CEC78B8     | 48: | mov rcx,qword ptr ds:[rbx+40]     |
00007FF68CEC78BC     | 45: | xor r9d,r9d                       |
00007FF68CEC78BF     | 45: | xor r8d,r8d                       |
00007FF68CEC78C2     | 41: | lea edx,qword ptr ds:[r9+10]      |
00007FF68CEC78C6     | FF1 | call qword ptr ds:[<&PostMessageW |
00007FF68CEC78CC     | 48: | mov rdi,qword ptr ss:[rsp+30]     |
00007FF68CEC78D1     | 48: | add rsp,20                        |
00007FF68CEC78D5     | 5B  | pop rbx                           |
00007FF68CEC78D6     | C3  | ret                               |

这样暗桩问题就解决了。小伙伴们就可以愉快地玩耍了~~