[Original] Notes on patching the latest 32-bit WinRAR
Posted on: 2019-7-10 07:19 4868

I have seen many WinRAR cracking tutorials shared by friends on the forums; drawing on those experts' tutorials I put together this write-up for fellow beginners like me, in the hope that we can all pick up some experience and methods together.

Every time WinRAR runs it pops up an ad window, and the title bar of the main window carries a reminder of the licence expiry date. The goal of the patch is to remove both.

Download link for the 32-bit WinRAR (5.71) archiver:

http://www.winrar.com.cn/download/wrar571scp.exe

64-bit download link:

http://www.winrar.com.cn/download/winrar-x64-571scp.exe

Tools needed: OllyDbg (52pojie.cn edition) and Binary Ninja

https://down.52pojie.cn/Tools/Debuggers/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E4%B8%93%E7%94%A8%E7%89%88Ollydbg.rar

https://cdn.binary.ninja/installers/BinaryNinja-demo.exe

This article draws on a post by a skilled member of the 飘云 (PYG) forum: https://www.chinapyg.com/forum.php?mod=viewthread&tid=125493&highlight=winrar

That method is very neat, so I borrowed it; it suits a beginner like me for hands-on practice.

Load WinRAR in OD, as shown in the figure:

Press F9 to run WinRAR until the main window and the ad window appear, then press F12 to pause the program. Now click the "K" button at the top of OD (or press Alt+K) to view the program's call stack and see which functions were called before the window popped up; we get the figure below:

Note for this step: you must see the ad window pop up normally, with no other prompt, before pausing the program and inspecting the stack. For example, while debugging I ran into the situation in the figure below:

The figure below is reached only when we see the ad page normally.

Right-click the last call, as shown in the figure, and choose the "Show call" command.

That gives the call location shown in the figure below:

Press Enter at that location, or step into it with F7, and we reach the assembly segment below. It contains both of the things we want to patch, i.e. removing the ad and removing the licence-expiry reminder in the title bar; OD's comments on the code make this clear.

00AE1520   $  55            push ebp
00AE1521   .  8DAC24 E8CFFF>lea ebp,dword ptr ss:[esp-0x3018]
00AE1528   .  B8 18300000   mov eax,0x3018
00AE152D   .  E8 9E3F0100   call WinRAR.00AF54D0
00AE1532   .  6A FF         push -0x1
00AE1534   .  68 5832B100   push WinRAR.00B13258
00AE1539   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00AE153F   .  50            push eax
00AE1540   .  83EC 14       sub esp,0x14
00AE1543   .  A1 341BB300   mov eax,dword ptr ds:[0xB31B34]
00AE1548   .  33C5          xor eax,ebp
00AE154A   .  8985 14300000 mov dword ptr ss:[ebp+0x3014],eax
00AE1550   .  53            push ebx
00AE1551   .  56            push esi
00AE1552   .  57            push edi
00AE1553   .  50            push eax
00AE1554   .  8D45 F4       lea eax,dword ptr ss:[ebp-0xC]
00AE1557   .  64:A3 0000000>mov dword ptr fs:[0],eax
00AE155D   .  8965 F0       mov dword ptr ss:[ebp-0x10],esp
00AE1560   .  8BB5 20300000 mov esi,dword ptr ss:[ebp+0x3020]
00AE1566   .  6A 01         push 0x1
00AE1568   .  E8 531EFBFF   call WinRAR.00A933C0
00AE156D   .  68 05800000   push 0x8005                              ; /ErrorMode = SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX
00AE1572   .  FF15 0442B100 call dword ptr ds:[<&KERNEL32.SetErrorMo>; \SetErrorMode
00AE1578   .  B9 A04BB400   mov ecx,WinRAR.00B44BA0
00AE157D   .  E8 DED3F7FF   call WinRAR.00A5E960
00AE1582   .  C605 D592B300>mov byte ptr ds:[0xB392D5],0x0
00AE1589   .  C705 F0A2B300>mov dword ptr ds:[0xB3A2F0],0x0
00AE1593   .  FF15 F441B100 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentThreadId
00AE1599   .  A3 F4A2B300   mov dword ptr ds:[0xB3A2F4],eax
00AE159E   .  6A 00         push 0x0                                 ; /EventName = NULL
00AE15A0   .  6A 00         push 0x0                                 ; |InitiallySignaled = FALSE
00AE15A2   .  6A 01         push 0x1                                 ; |ManualReset = TRUE
00AE15A4   .  6A 00         push 0x0                                 ; |pSecurity = NULL
00AE15A6   .  FF15 6841B100 call dword ptr ds:[<&KERNEL32.CreateEven>; \CreateEventW
00AE15AC   .  A3 F8A2B300   mov dword ptr ds:[0xB3A2F8],eax
00AE15B1   .  68 04DEB100   push WinRAR.00B1DE04                     ; /MsgName = "WMUser_DisplayError"
00AE15B6   .  FF15 7445B100 call dword ptr ds:[<&USER32.RegisterWind>; \RegisterWindowMessageW
00AE15BC   .  A3 20A3B300   mov dword ptr ds:[0xB3A320],eax
00AE15C1   .  68 A44BB100   push WinRAR.00B14BA4                     ;  UNICODE "General"
00AE15C6   .  E8 C504FCFF   call WinRAR.00AA1A90
00AE15CB   .  84C0          test al,al
00AE15CD   .  0f94c3        sete bl
00AE15D0   .  885D EF       mov byte ptr ss:[ebp-0x11],bl
00AE15D3   .  6A 01         push 0x1
00AE15D5   .  68 00080000   push 0x800
00AE15DA   .  8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE15E0   .  50            push eax
00AE15E1   .  E8 EAA3F9FF   call WinRAR.00A7B9D0
00AE15E6   .  68 00080000   push 0x800
00AE15EB   .  8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE15F1   .  50            push eax
00AE15F2   .  E8 1993F9FF   call WinRAR.00A7A910
00AE15F7   .  68 00080000   push 0x800
00AE15FC   .  8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE1602   .  50            push eax
00AE1603   .  68 E092B300   push WinRAR.00B392E0                     ;  UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE1608   .  E8 4312FBFF   call WinRAR.00A92850
00AE160D   .  68 00080000   push 0x800
00AE1612   .  68 CC89B100   push WinRAR.00B189CC                     ;  UNICODE "rar.log"
00AE1617   .  68 E092B300   push WinRAR.00B392E0                     ;  UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE161C   .  E8 EF11FBFF   call WinRAR.00A92810
00AE1621   .  6A 00         push 0x0
00AE1623   .  56            push esi
00AE1624   .  B9 08F0B600   mov ecx,WinRAR.00B6F008
00AE1629   .  E8 12AEFAFF   call WinRAR.00A8C440
00AE162E   .  68 2CDEB100   push WinRAR.00B1DE2C                     ;  UNICODE "winrar.lng"
00AE1633   .  B9 0CF0B600   mov ecx,WinRAR.00B6F00C
00AE1638   .  E8 639FFAFF   call WinRAR.00A8B5A0
00AE163D   .  56            push esi
00AE163E   .  E8 ADDBFFFF   call WinRAR.00ADF1F0
00AE1643   .  85C0          test eax,eax
00AE1645   .  0F84 66060000 je WinRAR.00AE1CB1
00AE164B   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00AE164E   .  E8 AD11FFFF   call WinRAR.00AD2800
00AE1653   .  C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00AE165A   .  8935 04F0B600 mov dword ptr ds:[0xB6F004],esi
00AE1660   .  B9 F0B5B500   mov ecx,WinRAR.00B5B5F0
00AE1665   .  E8 8643F2FF   call WinRAR.00A059F0
00AE166A   .  E8 6137FEFF   call WinRAR.00AC4DD0
00AE166F   .  E8 4CEAFDFF   call WinRAR.00AC00C0
00AE1674   .  E8 07FBFFFF   call WinRAR.00AE1180
00AE1679   .  68 44DEB100   push WinRAR.00B1DE44                     ; /MutexName = "WinRAR_Busy"
00AE167E   .  6A 00         push 0x0                                 ; |InitialOwner = FALSE
00AE1680   .  6A 00         push 0x0                                 ; |pSecurity = NULL
00AE1682   .  FF15 5C43B100 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexW
00AE1688   .  A3 D092B300   mov dword ptr ds:[0xB392D0],eax
00AE168D   .  6A 00         push 0x0                                 ; /Title = NULL
00AE168F   .  68 B858B100   push WinRAR.00B158B8                     ; |Class = "WinRarWindow"
00AE1694   .  FF15 8C45B100 call dword ptr ds:[<&USER32.FindWindowW>>; \FindWindowW
00AE169A   .  8BF8          mov edi,eax
00AE169C   .  897D E8       mov dword ptr ss:[ebp-0x18],edi
00AE169F      6A 00         push 0x0                                 ; /lParam = NULL
00AE16A1      56            push esi                                 ; |hInst = 00DBCB64
00AE16A2      6A 00         push 0x0                                 ; |hMenu = NULL
00AE16A4      6A 00         push 0x0                                 ; |hParent = NULL
00AE16A6      68 00000080   push 0x80000000                          ; |Height = 80000000 (-2147483648.)
00AE16AB      68 00000080   push 0x80000000                          ; |Width = 80000000 (-2147483648.)
00AE16B0      68 00000080   push 0x80000000                          ; |Y = 80000000 (-2147483648.)
00AE16B5      68 00000080   push 0x80000000                          ; |X = 80000000 (-2147483648.)
00AE16BA      68 0000CF06   push 0x6CF0000                           ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_CLIPSIBLINGS|WS_CLIPCHILDREN|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION
00AE16BF      68 6C71B100   push WinRAR.00B1716C                     ; |WindowName = "WinRAR"
00AE16C4      68 B858B100   push WinRAR.00B158B8                     ; |Class = "WinRarWindow"
00AE16C9      6A 10         push 0x10                                ; |ExtStyle = WS_EX_ACCEPTFILES
00AE16CB      FF15 A045B100 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
00AE16D1   .  A3 AC81B300   mov dword ptr ds:[0xB381AC],eax
00AE16D6   .  85C0          test eax,eax
00AE16D8   .  0F84 C4050000 je WinRAR.00AE1CA2
00AE16DE   .  50            push eax
00AE16DF   .  B9 0CF0B600   mov ecx,WinRAR.00B6F00C
00AE16E4   .  E8 F7A6FAFF   call WinRAR.00A8BDE0
00AE16E9   .  6A 00         push 0x0
00AE16EB   .  E8 60DAFFFF   call WinRAR.00ADF150
00AE16F0   .  E8 8BF8FFFF   call WinRAR.00AE0F80
00AE16F5   .  84DB          test bl,bl
00AE16F7   .  74 1A         je short WinRAR.00AE1713
00AE16F9   .  E8 D22EFCFF   call WinRAR.00AA45D0
00AE16FE   .  84C0          test al,al
00AE1700   .  75 11         jnz short WinRAR.00AE1713
00AE1702   .  6A 01         push 0x1
00AE1704   .  6A 00         push 0x0
00AE1706   .  E8 D596F2FF   call WinRAR.00A0ADE0
00AE170B   .  84C0          test al,al
00AE170D   .  75 04         jnz short WinRAR.00AE1713
00AE170F   .  B7 01         mov bh,0x1
00AE1711   .  EB 02         jmp short WinRAR.00AE1715
00AE1713   >  32FF          xor bh,bh
00AE1715   >  8D85 00300000 lea eax,dword ptr ss:[ebp+0x3000]
00AE171B   .  50            push eax
00AE171C   .  E8 FF8BF2FF   call WinRAR.00A0A320
00AE1721   .  0FB785 003000>movzx eax,word ptr ss:[ebp+0x3000]
00AE1728   .  50            push eax                                 ; /StringOrChar = 27BC
00AE1729   .  E8 5247FBFF   call <jmp.&USER32.CharUpperW>            ; \CharUpperW
00AE172E   .  0FB7F0        movzx esi,ax
00AE1731   .  68 34040000   push 0x434
00AE1736   .  6A 00         push 0x0
00AE1738   .  68 38A3B300   push WinRAR.00B3A338
00AE173D   .  E8 DE620100   call WinRAR.00AF7A20
00AE1742   .  83C4 0C       add esp,0xC
00AE1745   .  6A 00         push 0x0
00AE1747   .  6A 00         push 0x0
00AE1749   .  6A 01         push 0x1
00AE174B   .  B9 A04BB400   mov ecx,WinRAR.00B44BA0
00AE1750   .  E8 FBD6F7FF   call WinRAR.00A5EE50
00AE1755   .  E8 06E9F2FF   call WinRAR.00A10060
00AE175A   .  66:85F6       test si,si
00AE175D   .  74 66         je short WinRAR.00AE17C5
00AE175F   .  803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
00AE1766   .  75 5D         jnz short WinRAR.00AE17C5
00AE1768   .  56            push esi
00AE1769   .  68 5CDEB100   push WinRAR.00B1DE5C                     ;  UNICODE "AFUMD"
00AE176E   .  E8 6F500100   call WinRAR.00AF67E2
00AE1773   .  83C4 08       add esp,0x8
00AE1776   .  85C0          test eax,eax
00AE1778   .  75 32         jnz short WinRAR.00AE17AC
00AE177A   .  83FE 43       cmp esi,0x43
00AE177D   .  75 09         jnz short WinRAR.00AE1788
00AE177F   .  66:3985 02300>cmp word ptr ss:[ebp+0x3002],ax
00AE1786   .  74 24         je short WinRAR.00AE17AC
00AE1788   >  803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
00AE178F   .  75 34         jnz short WinRAR.00AE17C5
00AE1791   .  56            push esi
00AE1792   .  68 68DEB100   push WinRAR.00B1DE68                     ;  UNICODE "TXE"
00AE1797   .  E8 46500100   call WinRAR.00AF67E2
00AE179C   .  83C4 08       add esp,0x8
00AE179F   .  85C0          test eax,eax
00AE17A1   .  74 22         je short WinRAR.00AE17C5
00AE17A3   .  6A 00         push 0x0
00AE17A5   .  E8 3609FFFF   call WinRAR.00AD20E0
00AE17AA   .  EB 20         jmp short WinRAR.00AE17CC
00AE17AC   >  E8 3F6FFEFF   call WinRAR.00AC86F0
00AE17B1   .  83FE 44       cmp esi,0x44
00AE17B4   .  74 05         je short WinRAR.00AE17BB
00AE17B6   .  83FE 43       cmp esi,0x43
00AE17B9   .  75 11         jnz short WinRAR.00AE17CC
00AE17BB   >  33C0          xor eax,eax
00AE17BD   .  66:A3 B05BB40>mov word ptr ds:[0xB45BB0],ax
00AE17C3   .  EB 07         jmp short WinRAR.00AE17CC
00AE17C5   >  6A 00         push 0x0
00AE17C7   .  E8 4436FEFF   call WinRAR.00AC4E10
00AE17CC   >  6A 00         push 0x0
00AE17CE   .  6A 00         push 0x0
00AE17D0   .  6A 01         push 0x1
00AE17D2   .  B9 A04BB400   mov ecx,WinRAR.00B44BA0
00AE17D7   .  E8 74D6F7FF   call WinRAR.00A5EE50
00AE17DC   .  68 A04BB400   push WinRAR.00B44BA0
00AE17E1   .  B9 D011B500   mov ecx,WinRAR.00B511D0
00AE17E6   .  E8 6567F2FF   call WinRAR.00A07F50
00AE17EB   .  68 00080000   push 0x800
00AE17F0   .  68 EAFFB400   push WinRAR.00B4FFEA
00AE17F5   .  68 B081B300   push WinRAR.00B381B0
00AE17FA   .  E8 5110FBFF   call WinRAR.00A92850
00AE17FF   .  33C0          xor eax,eax
00AE1801   .  66:A3 EAFFB40>mov word ptr ds:[0xB4FFEA],ax
00AE1807   .  68 00080000   push 0x800
00AE180C   .  8D45 00       lea eax,dword ptr ss:[ebp]
00AE180F   .  50            push eax
00AE1810   .  E8 CB93FEFF   call WinRAR.00ACABE0
00AE1815   .  8D45 00       lea eax,dword ptr ss:[ebp]
00AE1818   .  50            push eax
00AE1819   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
00AE181E   .  E8 1D38F6FF   call WinRAR.00A45040
00AE1823   .  C705 5492B300>mov dword ptr ds:[0xB39254],0x0
00AE182D   .  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00AE1831   .  E8 4A87F2FF   call WinRAR.00A09F80
00AE1836   .  C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00AE183D   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]
00AE1843   .  E8 58FBFFFF   call WinRAR.00AE13A0
00AE1848   .  66:833D CC9CB>cmp word ptr ds:[0xB49CCC],0x0
00AE1850   .  74 2C         je short WinRAR.00AE187E
00AE1852   .  68 CC9CB400   push WinRAR.00B49CCC
00AE1857   .  E8 54ACF9FF   call WinRAR.00A7C4B0
00AE185C   .  68 00080000   push 0x800
00AE1861   .  68 CC9CB400   push WinRAR.00B49CCC
00AE1866   .  68 E092B300   push WinRAR.00B392E0                     ;  UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE186B   .  3D CC9CB400   cmp eax,WinRAR.00B49CCC
00AE1870   .  75 07         jnz short WinRAR.00AE1879
00AE1872   .  E8 39ADF9FF   call WinRAR.00A7C5B0
00AE1877   .  EB 05         jmp short WinRAR.00AE187E
00AE1879   >  E8 D20FFBFF   call WinRAR.00A92850
00AE187E   >  6A 00         push 0x0                                 ; /lParam = 0x0
00AE1880   .  6A 00         push 0x0                                 ; |wParam = 0x0
00AE1882   .  68 03800000   push 0x8003                              ; |Message = MSG(0x8003)
00AE1887   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; |hWnd = 0xB05BC
00AE188D   .  FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE1893   .  833D AC81B300>cmp dword ptr ds:[0xB381AC],0x0
00AE189A   .  0F84 93010000 je WinRAR.00AE1A33
00AE18A0   .  66:833D CAEFB>cmp word ptr ds:[0xB4EFCA],0x0
00AE18A8   .  0F85 6F030000 jnz WinRAR.00AE1C1D
00AE18AE   .  32DB          xor bl,bl
00AE18B0   .  66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
00AE18B8   .  0F84 3A030000 je WinRAR.00AE1BF8
00AE18BE   .  68 EAFFB400   push WinRAR.00B4FFEA
00AE18C3   .  E8 F8A7F8FF   call WinRAR.00A6C0C0
00AE18C8   .  83F8 FF       cmp eax,-0x1
00AE18CB   .  74 06         je short WinRAR.00AE18D3
00AE18CD   .  A8 10         test al,0x10
00AE18CF   .  74 02         je short WinRAR.00AE18D3
00AE18D1   .  B3 01         mov bl,0x1
00AE18D3   >  66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
00AE18DB   .  0F84 EB020000 je WinRAR.00AE1BCC
00AE18E1   .  84DB          test bl,bl
00AE18E3   .  0F85 E7020000 jnz WinRAR.00AE1BD0
00AE18E9   .  6A 00         push 0x0
00AE18EB   .  68 8850B100   push WinRAR.00B15088                     ;  UNICODE "ReuseWindow"
00AE18F0   .  68 A44BB100   push WinRAR.00B14BA4                     ;  UNICODE "General"
00AE18F5   .  E8 9623FCFF   call WinRAR.00AA3C90
00AE18FA   .  85C0          test eax,eax
00AE18FC   .  0F84 F7000000 je WinRAR.00AE19F9
00AE1902   .  85FF          test edi,edi
00AE1904   .  0F84 EF000000 je WinRAR.00AE19F9
00AE190A   .  6A 00         push 0x0
00AE190C   .  68 00080000   push 0x800
00AE1911   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1917   .  50            push eax
00AE1918   .  E8 F37FFEFF   call WinRAR.00AC9910
00AE191D   .  68 00080000   push 0x800
00AE1922   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1928   .  50            push eax
00AE1929   .  E8 E28FF9FF   call WinRAR.00A7A910
00AE192E   .  68 00080000   push 0x800
00AE1933   .  68 8CC3B100   push WinRAR.00B1C38C                     ;  UNICODE "Rar$"
00AE1938   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE193E   .  50            push eax
00AE193F   .  E8 CC0EFBFF   call WinRAR.00A92810
00AE1944   .  8D8D 00200000 lea ecx,dword ptr ss:[ebp+0x2000]
00AE194A   .  8D51 02       lea edx,dword ptr ds:[ecx+0x2]
00AE194D   .  8D49 00       lea ecx,dword ptr ds:[ecx]
00AE1950   >  66:8B01       mov ax,word ptr ds:[ecx]
00AE1953   .  83C1 02       add ecx,0x2
00AE1956   .  66:85C0       test ax,ax
00AE1959   .^ 75 F5         jnz short WinRAR.00AE1950
00AE195B   .  2BCA          sub ecx,edx
00AE195D   .  D1F9          sar ecx,1
00AE195F   .  51            push ecx
00AE1960   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1966   .  50            push eax
00AE1967   .  68 EAFFB400   push WinRAR.00B4FFEA
00AE196C   .  E8 DF45FBFF   call WinRAR.00A95F50
00AE1971   .  85C0          test eax,eax
00AE1973   .  0F84 80000000 je WinRAR.00AE19F9
00AE1979   .  68 20DDB100   push WinRAR.00B1DD20                     ; /MapName = "RarArchiveWideName"
00AE197E   .  68 00100000   push 0x1000                              ; |MaximumSizeLow = 0x1000
00AE1983   .  6A 00         push 0x0                                 ; |MaximumSizeHigh = 0x0
00AE1985   .  68 04000008   push 0x8000004                           ; |Protection = PAGE_READWRITE|SEC_COMMIT
00AE198A   .  6A 00         push 0x0                                 ; |pSecurity = NULL
00AE198C   .  6A FF         push -0x1                                ; |hFile = FFFFFFFF
00AE198E   .  FF15 9843B100 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW
00AE1994   .  8BF8          mov edi,eax
00AE1996   .  85FF          test edi,edi
00AE1998   .  74 5C         je short WinRAR.00AE19F6
00AE199A   .  68 00100000   push 0x1000                              ; /MapSize = 1000 (4096.)
00AE199F   .  6A 00         push 0x0                                 ; |OffsetLow = 0x0
00AE19A1   .  6A 00         push 0x0                                 ; |OffsetHigh = 0x0
00AE19A3   .  6A 02         push 0x2                                 ; |AccessMode = FILE_MAP_WRITE
00AE19A5   .  57            push edi                                 ; |hMapObject = NULL
00AE19A6   .  FF15 A043B100 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile
00AE19AC   .  8BF0          mov esi,eax
00AE19AE   .  68 00080000   push 0x800
00AE19B3   .  56            push esi
00AE19B4   .  68 EAFFB400   push WinRAR.00B4FFEA
00AE19B9   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
00AE19BE   .  E8 8DF6F5FF   call WinRAR.00A41050
00AE19C3   .  56            push esi                                 ; /BaseAddress = 00DBCB64
00AE19C4   .  FF15 9C43B100 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
00AE19CA   .  68 F164E97A   push 0x7AE964F1                          ; /lParam = 0x7AE964F1
00AE19CF   .  68 5EAC89D4   push 0xD489AC5E                          ; |wParam = 0xD489AC5E
00AE19D4   .  68 01800000   push 0x8001                              ; |Message = MSG(0x8001)
00AE19D9   .  FF75 E8       push dword ptr ss:[ebp-0x18]             ; |hWnd = 0xDBCBB0
00AE19DC   .  FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE19E2   .  85C0          test eax,eax
00AE19E4   .  0f95c3        setne bl
00AE19E7   .  57            push edi                                 ; /hObject = NULL
00AE19E8   .  FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE19EE   .  84DB          test bl,bl
00AE19F0   .  0F85 B8010000 jnz WinRAR.00AE1BAE
00AE19F6   >  8B7D E8       mov edi,dword ptr ss:[ebp-0x18]
00AE19F9   >  68 EAFFB400   push WinRAR.00B4FFEA
00AE19FE   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
00AE1A03   .  E8 68FFF5FF   call WinRAR.00A41970
00AE1A08   .  84C0          test al,al
00AE1A0A      0F84 9E010000 je WinRAR.00AE1BAE
00AE1A10   .  803D D491B300>cmp byte ptr ds:[0xB391D4],0x0
00AE1A17   .  75 17         jnz short WinRAR.00AE1A30
00AE1A19   .  833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
00AE1A20   .  0F84 77010000 je WinRAR.00AE1B9D
00AE1A26   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
00AE1A2B   .  E8 302EF6FF   call WinRAR.00A44860
00AE1A30   >  8A5D EF       mov bl,byte ptr ss:[ebp-0x11]
00AE1A33   >  57            push edi
00AE1A34   .  68 00000100   push 0x10000
00AE1A39   .  68 B038AD00   push WinRAR.00AD38B0
00AE1A3E   .  E8 DEAC0100   call WinRAR.00AFC721
00AE1A43   .  83C4 0C       add esp,0xC
00AE1A46   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A4C   .  FF15 C445B100 call dword ptr ds:[<&USER32.IsWindowVisi>; \IsWindowVisible
00AE1A52   .  85C0          test eax,eax
00AE1A54   .  75 0E         jnz short WinRAR.00AE1A64
00AE1A56   .  85FF          test edi,edi
00AE1A58   .  0f95c0        setne al
00AE1A5B   .  0FB6C0        movzx eax,al
00AE1A5E   .  50            push eax
00AE1A5F   .  E8 CCF5FFFF   call WinRAR.00AE1030
00AE1A64   >  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A6A   .  FF15 0C45B100 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow
00AE1A70   .  84FF          test bh,bh
00AE1A72   .  74 27         je short WinRAR.00AE1A9B
00AE1A74   .  84DB          test bl,bl
00AE1A76   .  74 23         je short WinRAR.00AE1A9B
00AE1A78   .  68 704BB100   push WinRAR.00B14B70                     ;  UNICODE "Setup"
00AE1A7D   .  E8 0E00FCFF   call WinRAR.00AA1A90
00AE1A82   .  84C0          test al,al
00AE1A84   .  75 15         jnz short WinRAR.00AE1A9B
00AE1A86   .  68 844CB100   push WinRAR.00B14C84                     ;  UNICODE ".rar"
00AE1A8B   .  E8 8096F5FF   call WinRAR.00A3B110
00AE1A90   .  84C0          test al,al
00AE1A92   .  75 07         jnz short WinRAR.00AE1A9B
00AE1A94   .  6A 06         push 0x6
00AE1A96   .  E8 65B2F2FF   call WinRAR.00A0CD00
00AE1A9B   >  6A 00         push 0x0
00AE1A9D   .  68 1855B100   push WinRAR.00B15518                     ;  UNICODE "ExportedSettings"
00AE1AA2   .  68 7C48B100   push WinRAR.00B1487C
00AE1AA7   .  E8 E421FCFF   call WinRAR.00AA3C90
00AE1AAC   .  85C0          test eax,eax
00AE1AAE   .  74 05         je short WinRAR.00AE1AB5
00AE1AB0   .  E8 7B92F2FF   call WinRAR.00A0AD30
00AE1AB5   >  6A 00         push 0x0
00AE1AB7   .  6A 01         push 0x1
00AE1AB9   .  E8 E238FCFF   call WinRAR.00AA53A0
00AE1ABE   .  6A 00         push 0x0
00AE1AC0   .  68 7050B100   push WinRAR.00B15070                     ;  UNICODE "WizardMode"
00AE1AC5   .  68 A44BB100   push WinRAR.00B14BA4                     ;  UNICODE "General"
00AE1ACA   .  E8 C121FCFF   call WinRAR.00AA3C90
00AE1ACF   .  85C0          test eax,eax
00AE1AD1   .  74 24         je short WinRAR.00AE1AF7
00AE1AD3   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]
00AE1AD9   .  E8 E2390000   call WinRAR.00AE54C0
00AE1ADE   .  84C0          test al,al
00AE1AE0   .  74 15         je short WinRAR.00AE1AF7
00AE1AE2   .  833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
00AE1AE9   .  75 0C         jnz short WinRAR.00AE1AF7
00AE1AEB   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1AF1   .  FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1AF7   >  6A 00         push 0x0
00AE1AF9   .  6A 00         push 0x0
00AE1AFB   .  E8 00F0FFFF   call WinRAR.00AE0B00
00AE1B00   .  84C0          test al,al
00AE1B02   .^ 75 F3         jnz short WinRAR.00AE1AF7
00AE1B04   .  6A 01         push 0x1
00AE1B06   .  6A 00         push 0x0
00AE1B08   .  6A 00         push 0x0
00AE1B0A   .  E8 7187FEFF   call WinRAR.00ACA280
00AE1B0F   .  B9 34A3B300   mov ecx,WinRAR.00B3A334
00AE1B14   .  E8 C7080000   call WinRAR.00AE23E0
00AE1B19   .  E8 A21EFFFF   call WinRAR.00AD39C0
00AE1B1E   .  C605 D592B300>mov byte ptr ds:[0xB392D5],0x1
00AE1B25   .  FF35 F8A2B300 push dword ptr ds:[0xB3A2F8]             ; /hEvent = 00000238 (window)
00AE1B2B   .  FF15 9441B100 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
00AE1B31   .  33F6          xor esi,esi
00AE1B33   .  8B3D 5043B100 mov edi,dword ptr ds:[<&KERNEL32.Sleep>] ;  KERNEL32.Sleep
00AE1B39   .  8DA424 000000>lea esp,dword ptr ss:[esp]
00AE1B40   >  833D F0A2B300>cmp dword ptr ds:[0xB3A2F0],0x0
00AE1B47   .  7E 0D         jle short WinRAR.00AE1B56
00AE1B49   .  6A 64         push 0x64
00AE1B4B   .  FFD7          call edi
00AE1B4D   .  4E            dec esi
00AE1B4E   .  81FE C8000000 cmp esi,0xC8
00AE1B54   .^ 7C EA         jl short WinRAR.00AE1B40
00AE1B56   >  FF35 F8A2B300 push dword ptr ds:[0xB3A2F8]             ; /hObject = 00000238 (window)
00AE1B5C   .  FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE1B62   .  833D CC92B300>cmp dword ptr ds:[0xB392CC],0x0
00AE1B69   .  0F84 0B010000 je WinRAR.00AE1C7A
00AE1B6F   .  83C8 FF       or eax,-0x1
00AE1B72   .  A3 CC92B300   mov dword ptr ds:[0xB392CC],eax
00AE1B77   .  33F6          xor esi,esi
00AE1B79   .  8DA424 000000>lea esp,dword ptr ss:[esp]
00AE1B80   >  85C0          test eax,eax
00AE1B82   .  0F84 10010000 je WinRAR.00AE1C98
00AE1B88   .  6A 64         push 0x64
00AE1B8A   .  FFD7          call edi
00AE1B8C   .  46            inc esi
00AE1B8D   .  83FE 0A       cmp esi,0xA
00AE1B90   .  0F8D 02010000 jge WinRAR.00AE1C98
00AE1B96   .  A1 CC92B300   mov eax,dword ptr ds:[0xB392CC]
00AE1B9B   .^ EB E3         jmp short WinRAR.00AE1B80
00AE1B9D   >  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1BA3   .  FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1BA9   .^ E9 82FEFFFF   jmp WinRAR.00AE1A30
00AE1BAE   >  E8 FDDDFEFF   call WinRAR.00ACF9B0

At the "DestroyWindow" location (there are two of them, corresponding to closing the main window and closing the ad window; if you don't know which is which, set a breakpoint and test), the window is presumably being closed, so the ad window must be invoked somewhere above it. Searching upwards for related calls and debugging with breakpoints will certainly find the place where the ad window is invoked: we determine it is the call WinRAR.00AA53A0 at 00AE1AB9. From this position, look upwards for the key jump and see whether it can skip this function call (you could also simply NOP out the call). We find the jump je short WinRAR.00AE1AB5 at 00AE1AAE and change it to jmp 0x00AE1AF7, which jumps straight past the DestroyWindow function.

For the other modification I chose the decompiler Binary Ninja, because its flow-graph layout is sensible and easy to analyse, it uses relatively few system resources, and its right-click "patch" feature is comparatively good at modifying assembly.

After loading the WinRAR main program in Binary Ninja, press "G" and enter the address we need to find. Its addresses are not the same as the ones OD showed, so we have to map them ourselves: 00AE1520 corresponds to 004E1520. Go straight to that location, as shown in the figure:

In the code above we notice a call to the system API IsWindowVisible (the window visible-attribute function) at 00AE1A4C. If this gets called, the corresponding licence information in the title bar ends up hidden, so we look up 004E1A4C in Binary Ninja and get the figure below:

Click the first line of the flow block containing that location, i.e. "push  edi {var_18_13}"; the "Cross References" pane in the lower left shows two addresses that jump to it. After analysis we decide that the assembly at the earliest of those, 0x4e189a, can be changed to "jmp 0x4e1a33" (right-click at that location --> "patch" --> "Edit Current Line", as shown in the figure).

After the modification it looks like this:

With both steps done, save the changes and run WinRAR; we get the figure below: the program now starts quietly, with no ad popup and no licence-expiry reminder in the title bar.
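As an added example (not from the original post, nor WinRAR's code), the following script makes the address correspondence above concrete and gives a way to audit what a saved patch actually changed: it parses a PE32 section table, converts the addresses OD displayed (a relocated runtime image) back to the file's preferred addresses and raw file offsets, and diffs an original copy against a patched copy, listing every changed byte with all three addresses. The shift from 00AE1520 to 004E1520 is 0x600000; the script assumes a preferred base of 0x00400000 and a runtime base of 0x00A00000, and the PE image it builds inline is constructed with a made-up section layout, not WinRAR's.

```python
"""Map debugger (runtime) addresses back to a PE32 file and audit a byte patch.
Added example; the PE built below has a made-up layout and is not WinRAR's."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550  # 'PE\0\0'
PE32_MAGIC = 0x10B               # 32-bit optional header
# Assumed bases: OD showed 00AE1520 where the file has 004E1520, a shift of
# 0x600000, which is what a relocated image base looks like.
PREFERRED_BASE = 0x00400000
RUNTIME_BASE = 0x00A00000


def build_sample_pe(text: bytes) -> bytes:
    """Constructed minimal PE32: one .text section at RVA 0x1000, raw offset 0x400."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, PREFERRED_BASE)            # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                     # FileAlignment
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # unused reloc/linenumber fields, Characteristics = CODE|EXECUTE|READ
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       0x400, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(0x400, b"\0") + text


def parse_sections(pe: bytes):
    """Return (ImageBase, [(name, rva, virtual_size, raw_ptr, raw_size), ...])."""
    if struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    sig, _machine, nsect = struct.unpack_from("<IHH", pe, nt)
    if sig != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]        # SizeOfOptionalHeader
    opt = nt + 24                                              # optional header starts here
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsect):
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), rva, vsize, rptr, rsize))
    return image_base, sections


def runtime_va_to_preferred(va: int, runtime_base: int, image_base: int) -> int:
    """Relocation shifts the whole image, so the RVA (va - base) is preserved."""
    return va - runtime_base + image_base


def rva_to_file_offset(rva: int, sections):
    """Raw file offset of an RVA, or None if no file bytes back it."""
    for _name, srva, vsize, rptr, rsize in sections:
        if srva <= rva < srva + max(vsize, rsize):
            delta = rva - srva
            return rptr + delta if delta < rsize else None     # zero-filled tail
    return None


def file_offset_to_rva(off: int, sections):
    """Inverse mapping: the RVA at which this file offset is mapped, or None."""
    for _name, srva, _vsize, rptr, rsize in sections:
        if rptr <= off < rptr + rsize:
            return srva + (off - rptr)
    return None


def diff_patch(original: bytes, patched: bytes, runtime_base: int):
    """Every changed byte as (file offset, preferred VA, runtime VA, old, new).
    Only same-size in-place patches are handled; a size change is not a byte patch."""
    if len(original) != len(patched):
        raise ValueError("file sizes differ: not an in-place byte patch")
    image_base, sections = parse_sections(original)
    changes = []
    for off, (old, new) in enumerate(zip(original, patched)):
        if old != new:
            rva = file_offset_to_rva(off, sections)
            pref = None if rva is None else image_base + rva
            run = None if rva is None else runtime_base + rva
            changes.append((off, pref, run, old, new))
    return changes


# Constructed sample: 16 NOPs, a 'je short +5' (74 05), 14 NOPs; the patched copy
# turns that je into a jmp short (EB 05), the kind of edit described above.
ORIGINAL_TEXT = b"\x90" * 16 + b"\x74\x05" + b"\x90" * 14
PATCHED_TEXT = ORIGINAL_TEXT[:16] + b"\xEB\x05" + ORIGINAL_TEXT[18:]
ORIGINAL_PE = build_sample_pe(ORIGINAL_TEXT)
PATCHED_PE = build_sample_pe(PATCHED_TEXT)

if __name__ == "__main__":
    print(hex(runtime_va_to_preferred(0x00AE1520, RUNTIME_BASE, PREFERRED_BASE)))
    for off, pref, run, old, new in diff_patch(ORIGINAL_PE, PATCHED_PE, RUNTIME_BASE):
        print(f"file+0x{off:X}  VA 0x{pref:08X}  (OD 0x{run:08X})  {old:02X} -> {new:02X}")
```

On real files, pass the bytes of the vendor copy and of the saved copy to diff_patch; a non-empty result is exactly what a file-integrity check would flag.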

But don't celebrate too early. If we set the system date past the software's expiry and restart WinRAR, the window below still appears, prompting us to buy a WinRAR licence.

Repeating the sequence of run, pause, view stack, show call and step-through, we find the code segment below. It contains the ad link "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=Vpersonal&a=A&src=pe001" as well as the function RarReminder, which reminds the user that the licence has expired and must be repurchased.

00B853A0  /$  B8 18100000   mov eax,0x1018
00B853A5  |.  E8 26010500   call WinRAR1.00BD54D0
00B853AA  |.  A1 341BC100   mov eax,dword ptr ds:[0xC11B34]
00B853AF  |.  33C4          xor eax,esp
00B853B1  |.  898424 141000>mov dword ptr ss:[esp+0x1014],eax
00B853B8  |.  803D 74A5C500>cmp byte ptr ds:[0xC5A574],0x0
00B853BF  |.  74 0E         je short WinRAR1.00B853CF
00B853C1  |.  80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0
00B853C9  |.  0F84 08040000 je WinRAR1.00B857D7
00B853CF  |>  833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
00B853D6  |.  56            push esi
00B853D7  |.  74 1C         je short WinRAR1.00B853F5
00B853D9  |.  B9 98FBC000   mov ecx,WinRAR1.00C0FB98                 ;  ASCII "8g3#0w1$5r7%2ta"
00B853DE  |.  E8 1DF9FFFF   call WinRAR1.00B84D00
00B853E3  |.  833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
00B853EA  |.  0F84 A1000000 je WinRAR1.00B85491
00B853F0  |.  E9 88000000   jmp WinRAR1.00B8547D
00B853F5  |>  68 FD040000   push 0x4FD
00B853FA  |.  E8 6171FEFF   call WinRAR1.00B6C560
00B853FF  |.  8BF0          mov esi,eax
00B85401  |.  66:833E 23    cmp word ptr ds:[esi],0x23
00B85405  |.  75 20         jnz short WinRAR1.00B85427
00B85407  |.  66:837E 02 23 cmp word ptr ds:[esi+0x2],0x23
00B8540C  |.  75 19         jnz short WinRAR1.00B85427
00B8540E  |.  8BCE          mov ecx,esi
00B85410  |.  8D51 02       lea edx,dword ptr ds:[ecx+0x2]
00B85413  |>  66:8B01       /mov ax,word ptr ds:[ecx]
00B85416  |.  83C1 02       |add ecx,0x2
00B85419  |.  66:85C0       |test ax,ax
00B8541C  |.^ 75 F5         \jnz short WinRAR1.00B85413
00B8541E  |.  2BCA          sub ecx,edx
00B85420  |.  D1F9          sar ecx,1
00B85422  |.  83F9 64       cmp ecx,0x64
00B85425  |.  73 06         jnb short WinRAR1.00B8542D
00B85427  |>  8B35 1800C100 mov esi,dword ptr ds:[0xC10018]          ;  WinRAR1.00BF9628
00B8542D  |>  68 00100000   push 0x1000
00B85432  |.  8D4424 1C     lea eax,dword ptr ss:[esp+0x1C]
00B85436  |.  6A 00         push 0x0
00B85438  |.  50            push eax
00B85439  |.  E8 E2250500   call WinRAR1.00BD7A20
00B8543E  |.  83C4 0C       add esp,0xC
00B85441  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]
00B85445  |.  68 00100000   push 0x1000
00B8544A  |.  50            push eax
00B8544B  |.  8D46 04       lea eax,dword ptr ds:[esi+0x4]
00B8544E  |.  50            push eax
00B8544F  |.  E8 0C07FFFF   call WinRAR1.00B75B60
00B85454  |.  8D4C24 18     lea ecx,dword ptr ss:[esp+0x18]
00B85458  |.  8D51 01       lea edx,dword ptr ds:[ecx+0x1]
00B8545B  |.  EB 03         jmp short WinRAR1.00B85460
00B8545D  |   8D49 00       lea ecx,dword ptr ds:[ecx]
00B85460  |>  8A01          /mov al,byte ptr ds:[ecx]
00B85462  |.  41            |inc ecx
00B85463  |.  84C0          |test al,al
00B85465  |.^ 75 F9         \jnz short WinRAR1.00B85460
00B85467  |.  2BCA          sub ecx,edx
00B85469  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]
00B8546D  |.  51            push ecx
00B8546E  |.  50            push eax
00B8546F  |.  B9 98FBC000   mov ecx,WinRAR1.00C0FB98                 ;  ASCII "8g3#0w1$5r7%2ta"
00B85474  |.  E8 67F4FFFF   call WinRAR1.00B848E0
00B85479  |.  84C0          test al,al
00B8547B  |.  75 14         jnz short WinRAR1.00B85491
00B8547D  |>  68 80040000   push 0x480
00B85482  |.  6A 00         push 0x0
00B85484  |.  68 98FBC000   push WinRAR1.00C0FB98                    ;  ASCII "8g3#0w1$5r7%2ta"
00B85489  |.  E8 92250500   call WinRAR1.00BD7A20
00B8548E  |.  83C4 0C       add esp,0xC
00B85491  |>  803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
00B85498  |.  53            push ebx
00B85499  |.  75 12         jnz short WinRAR1.00B854AD
00B8549B  |.  A1 DC92C100   mov eax,dword ptr ds:[0xC192DC]
00B854A0  |.  83F8 28       cmp eax,0x28
00B854A3  |.  7F 04         jg short WinRAR1.00B854A9
00B854A5  |.  85C0          test eax,eax
00B854A7  |.  79 04         jns short WinRAR1.00B854AD
00B854A9  |>  B3 01         mov bl,0x1
00B854AB  |.  EB 02         jmp short WinRAR1.00B854AF
00B854AD  |>  32DB          xor bl,bl
00B854AF  |>  80BC24 241000>cmp byte ptr ss:[esp+0x1024],0x0
00B854B7  |.  0F84 EE020000 je WinRAR1.00B857AB
00B854BD  |.  E8 4EA0FCFF   call WinRAR1.00B4F510
00B854C2  |.  3D 01050000   cmp eax,0x501
00B854C7  |.  77 10         ja short WinRAR1.00B854D9
00B854C9  |.  F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x200
00B854D3  |.  0F84 FC020000 je WinRAR1.00B857D5
00B854D9  |>  803D 18FFC000>cmp byte ptr ds:[0xC0FF18],0x0
00B854E0  |.  0F84 EF020000 je WinRAR1.00B857D5
00B854E6  |.  C605 C3FCC000>mov byte ptr ds:[0xC0FCC3],0x0
00B854ED  |.  C605 C7FDC000>mov byte ptr ds:[0xC0FDC7],0x0
00B854F4  |.  C605 1700C100>mov byte ptr ds:[0xC10017],0x0
00B854FB  |.  84DB          test bl,bl
00B854FD  |.  75 14         jnz short WinRAR1.00B85513
00B854FF  |.  A0 A8FBC000   mov al,byte ptr ds:[0xC0FBA8]
00B85504  |.  24 80         and al,0x80
00B85506  |.  0FB6C0        movzx eax,al
00B85509  |.  F7D8          neg eax
00B8550B  |.  1BC0          sbb eax,eax
00B8550D  |.  2105 B0FBC000 and dword ptr ds:[0xC0FBB0],eax
00B85513  |>  32FF          xor bh,bh
00B85515  |.  833D C0FBC000>cmp dword ptr ds:[0xC0FBC0],0x0
00B8551C  |.  76 50         jbe short WinRAR1.00B8556E
00B8551E  |.  383D B467C400 cmp byte ptr ds:[0xC467B4],bh
00B85524  |.  75 48         jnz short WinRAR1.00B8556E
00B85526  |.  6A 00         push 0x0
00B85528  |.  68 A098BF00   push WinRAR1.00BF98A0                    ;  UNICODE "RemShown"
00B8552D  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
00B85532  |.  E8 59E7FFFF   call WinRAR1.00B83C90
00B85537  |.  3B05 C0FBC000 cmp eax,dword ptr ds:[0xC0FBC0]
00B8553D  |.  73 2F         jnb short WinRAR1.00B8556E
00B8553F  |.  40            inc eax
00B85540  |.  50            push eax
00B85541  |.  68 A098BF00   push WinRAR1.00BF98A0                    ;  UNICODE "RemShown"
00B85546  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
00B8554B  |.  E8 50F3FFFF   call WinRAR1.00B848A0
00B85550  |.  803D C4FBC000>cmp byte ptr ds:[0xC0FBC4],0x0
00B85557  |.  B7 01         mov bh,0x1
00B85559  |.  0F84 B8000000 je WinRAR1.00B85617
00B8555F  |.  68 00010000   push 0x100
00B85564  |.  68 C4FBC000   push WinRAR1.00C0FBC4                    ;  ASCII "http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85569  |.  E9 9F000000   jmp WinRAR1.00B8560D
00B8556E  |>  833D C4FCC000>cmp dword ptr ds:[0xC0FCC4],0x0
00B85575  |.  76 45         jbe short WinRAR1.00B855BC
00B85577  |.  84DB          test bl,bl
00B85579  |.  74 41         je short WinRAR1.00B855BC
00B8557B  |.  6A 00         push 0x0
00B8557D  |.  68 B498BF00   push WinRAR1.00BF98B4                    ;  UNICODE "ExpRemShown"
00B85582  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
00B85587  |.  E8 04E7FFFF   call WinRAR1.00B83C90
130 00B8558C  |.  3B05 C4FCC000 cmp eax,dword ptr ds:[0xC0FCC4]
131 00B85592  |.  73 28         jnb short WinRAR1.00B855BC
132 00B85594  |.  40            inc eax
133 00B85595  |.  50            push eax
134 00B85596  |.  68 B498BF00   push WinRAR1.00BF98B4                    ;  UNICODE "ExpRemShown"
135 00B8559B  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
136 00B855A0  |.  E8 FBF2FFFF   call WinRAR1.00B848A0
137 00B855A5  |.  803D C8FCC000>cmp byte ptr ds:[0xC0FCC8],0x0
138 00B855AC  |.  B7 01         mov bh,0x1
139 00B855AE  |.  74 67         je short WinRAR1.00B85617
140 00B855B0  |.  68 00010000   push 0x100
141 00B855B5  |.  68 C8FCC000   push WinRAR1.00C0FCC8                    ;  ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
142 00B855BA  |.  EB 51         jmp short WinRAR1.00B8560D
143 00B855BC  |>  833D C8FDC000>cmp dword ptr ds:[0xC0FDC8],0x0
144 00B855C3  |.  76 52         jbe short WinRAR1.00B85617
145 00B855C5  |.  803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
146 00B855CC  |.  74 49         je short WinRAR1.00B85617
147 00B855CE  |.  6A 00         push 0x0
148 00B855D0  |.  68 CC98BF00   push WinRAR1.00BF98CC                    ;  UNICODE "RegRemShown"
149 00B855D5  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
150 00B855DA  |.  E8 B1E6FFFF   call WinRAR1.00B83C90
151 00B855DF  |.  3B05 C8FDC000 cmp eax,dword ptr ds:[0xC0FDC8]
152 00B855E5  |.  73 30         jnb short WinRAR1.00B85617
153 00B855E7  |.  40            inc eax
154 00B855E8  |.  50            push eax
155 00B855E9  |.  68 CC98BF00   push WinRAR1.00BF98CC                    ;  UNICODE "RegRemShown"
156 00B855EE  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
157 00B855F3  |.  E8 A8F2FFFF   call WinRAR1.00B848A0
158 00B855F8  |.  803D CCFDC000>cmp byte ptr ds:[0xC0FDCC],0x0
159 00B855FF  |.  B7 01         mov bh,0x1
160 00B85601  |.  74 14         je short WinRAR1.00B85617
161 00B85603  |.  68 00010000   push 0x100
162 00B85608  |.  68 CCFDC000   push WinRAR1.00C0FDCC
163 00B8560D  |>  68 18FFC000   push WinRAR1.00C0FF18                    ;  ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
164 00B85612  |.  E8 49D1FEFF   call WinRAR1.00B72760
165 00B85617  |>  FF15 3843BF00 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount
166 00B8561D  |.  8BC8          mov ecx,eax
167 00B8561F  |.  B8 D34D6210   mov eax,0x10624DD3
168 00B85624  |.  F7E1          mul ecx
169 00B85626  |.  C1EA 06       shr edx,0x6
170 00B85629  |.  803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
171 00B85630  |.  74 08         je short WinRAR1.00B8563A
172 00B85632  |.  8B0D BCFBC000 mov ecx,dword ptr ds:[0xC0FBBC]
173 00B85638  |.  EB 20         jmp short WinRAR1.00B8565A
174 00B8563A  |>  84DB          test bl,bl
175 00B8563C  |.  75 16         jnz short WinRAR1.00B85654
176 00B8563E  |.  8B0D B4FBC000 mov ecx,dword ptr ds:[0xC0FBB4]
177 00B85644  |.  85C9          test ecx,ecx
178 00B85646  |.  74 20         je short WinRAR1.00B85668
179 00B85648  |.  8BC2          mov eax,edx
180 00B8564A  |.  33D2          xor edx,edx
181 00B8564C  |.  F7F1          div ecx
182 00B8564E  |.  85D2          test edx,edx
183 00B85650  |.  75 16         jnz short WinRAR1.00B85668
184 00B85652  |.  EB 1C         jmp short WinRAR1.00B85670
185 00B85654  |>  8B0D B8FBC000 mov ecx,dword ptr ds:[0xC0FBB8]
186 00B8565A  |>  85C9          test ecx,ecx
187 00B8565C  |.  74 0A         je short WinRAR1.00B85668
188 00B8565E  |.  8BC2          mov eax,edx
189 00B85660  |.  33D2          xor edx,edx
190 00B85662  |.  F7F1          div ecx
191 00B85664  |.  85D2          test edx,edx
192 00B85666  |.  74 08         je short WinRAR1.00B85670
193 00B85668  |>  84FF          test bh,bh
194 00B8566A  |.  0F84 65010000 je WinRAR1.00B857D5
195 00B85670  |>  55            push ebp
196 00B85671  |.  57            push edi
197 00B85672  |.  8B3D A8FBC000 mov edi,dword ptr ds:[0xC0FBA8]
198 00B85678  |.  C1E7 11       shl edi,0x11
199 00B8567B  |.  F7D7          not edi
200 00B8567D  |.  81E7 00000400 and edi,0x40000
201 00B85683  |.  81CF 0000C816 or edi,0x16C80000
202 00B85689  |.  F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x8
203 00B85690  |.  75 06         jnz short WinRAR1.00B85698
204 00B85692  |.  81CF 00000300 or edi,0x30000
205 00B85698  |>  A1 D0FEC000   mov eax,dword ptr ds:[0xC0FED0]
206 00B8569D  |.  BD 00000080   mov ebp,0x80000000
207 00B856A2  |.  C74424 10 000>mov dword ptr ss:[esp+0x10],0x80000000
208 00B856AA  |.  8BF5          mov esi,ebp
209 00B856AC  |.  8BDE          mov ebx,esi
210 00B856AE  |.  85C0          test eax,eax
211 00B856B0  |.  0F84 90000000 je WinRAR1.00B85746
212 00B856B6  |.  833D CCFEC000>cmp dword ptr ds:[0xC0FECC],0x0
213 00B856BD  |.  0F84 83000000 je WinRAR1.00B85746
214 00B856C3  |.  50            push eax
215 00B856C4  |.  E8 87530200   call WinRAR1.00BAAA50
216 00B856C9  |.  8B2D 8C46BF00 mov ebp,dword ptr ds:[<&USER32.GetSystem>;  USER32.GetSystemMetrics
217 00B856CF  |.  8BF0          mov esi,eax
218 00B856D1  |.  6A 21         push 0x21                                ; /Index = SM_CYFRAME
219 00B856D3  |.  FFD5          call ebp                                 ; \GetSystemMetrics
220 00B856D5  |.  6A 04         push 0x4                                 ; /Index = SM_CYCAPTION
221 00B856D7  |.  8D1C46        lea ebx,dword ptr ds:[esi+eax*2]         ; |
222 00B856DA  |.  FFD5          call ebp                                 ; \GetSystemMetrics
223 00B856DC  |.  03D8          add ebx,eax
224 00B856DE  |.  F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x40
225 00B856E5  |.  75 0C         jnz short WinRAR1.00B856F3
226 00B856E7  |.  F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x100
227 00B856F1  |.  75 06         jnz short WinRAR1.00B856F9
228 00B856F3  |>  031D 70A5C500 add ebx,dword ptr ds:[0xC5A570]
229 00B856F9  |>  FF35 CCFEC000 push dword ptr ds:[0xC0FECC]
230 00B856FF  |.  E8 FC520200   call WinRAR1.00BAAA00
231 00B85704  |.  6A 20         push 0x20
232 00B85706  |.  8BF0          mov esi,eax
233 00B85708  |.  FFD5          call ebp
234 00B8570A  |.  6A 00         push 0x0                                 ; /UpdateProfile = 0
235 00B8570C  |.  8D3446        lea esi,dword ptr ds:[esi+eax*2]         ; |
236 00B8570F  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]          ; |
237 00B85713  |.  50            push eax                                 ; |pParam = NULL
238 00B85714  |.  6A 00         push 0x0                                 ; |wParam = 0x0
239 00B85716  |.  6A 30         push 0x30                                ; |Action = SPI_GETWORKAREA
240 00B85718  |.  FF15 8C44BF00 call dword ptr ds:[<&USER32.SystemParame>; \SystemParametersInfoW
241 00B8571E  |.  8B4424 1C     mov eax,dword ptr ss:[esp+0x1C]
242 00B85722  |.  3BF0          cmp esi,eax
243 00B85724  |.  7C 02         jl short WinRAR1.00B85728
244 00B85726  |.  8BF0          mov esi,eax
245 00B85728  |>  2BC6          sub eax,esi
246 00B8572A  |.  99            cdq
247 00B8572B  |.  2BC2          sub eax,edx
248 00B8572D  |.  D1F8          sar eax,1
249 00B8572F  |.  894424 10     mov dword ptr ss:[esp+0x10],eax
250 00B85733  |.  8B4424 20     mov eax,dword ptr ss:[esp+0x20]          ;  WinRAR1.00C4D45D
251 00B85737  |.  3BD8          cmp ebx,eax
252 00B85739  |.  7C 02         jl short WinRAR1.00B8573D
253 00B8573B  |.  8BD8          mov ebx,eax
254 00B8573D  |>  2BC3          sub eax,ebx
255 00B8573F  |.  99            cdq
256 00B85740  |.  2BC2          sub eax,edx
257 00B85742  |.  8BE8          mov ebp,eax
258 00B85744  |.  D1FD          sar ebp,1
259 00B85746  |>  68 00010000   push 0x100
260 00B8574B  |.  68 18FFC000   push WinRAR1.00C0FF18                    ;  ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
261 00B85750  |.  E8 3BF3FFFF   call WinRAR1.00B84A90
262 00B85755  |.  6A 00         push 0x0                                 ; /lParam = NULL
263 00B85757  |.  FF35 04F0C400 push dword ptr ds:[0xC4F004]             ; |hInst = 00AE0000
264 00B8575D  |.  6A 00         push 0x0                                 ; |hMenu = NULL
265 00B8575F  |.  6A 00         push 0x0                                 ; |hParent = NULL
266 00B85761  |.  53            push ebx                                 ; |Height = 902DC (590556.)
267 00B85762  |.  56            push esi                                 ; |Width = 0x0
268 00B85763  |.  55            push ebp                                 ; |Y = 5FA518 (6268184.)
269 00B85764  |.  FF7424 2C     push dword ptr ss:[esp+0x2C]             ; |X = 0x0
270 00B85768  |.  57            push edi                                 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|3FE
271 00B85769  |.  68 6C71BF00   push WinRAR1.00BF716C                    ; |WindowName = "WinRAR"
272 00B8576E  |.  68 E498BF00   push WinRAR1.00BF98E4                    ; |Class = "RarReminder"
273 00B85773  |.  6A 00         push 0x0                                 ; |ExtStyle = 0
274 00B85775  |.  FF15 A045BF00 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
275 00B8577B  |.  F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x1
276 00B85782  |.  5F            pop edi                                  ;  USER32.76CD87ED
277 00B85783  |.  5D            pop ebp                                  ;  USER32.76CD87ED
278 00B85784  |.  74 13         je short WinRAR1.00B85799
279 00B85786  |.  6A 03         push 0x3                                 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
280 00B85788  |.  6A 00         push 0x0                                 ; |Height = 0x0
281 00B8578A  |.  6A 00         push 0x0                                 ; |Width = 0x0
282 00B8578C  |.  6A 00         push 0x0                                 ; |Y = 0x0
283 00B8578E  |.  6A 00         push 0x0                                 ; |X = 0x0
284 00B85790  |.  6A FF         push -0x1                                ; |InsertAfter = HWND_TOPMOST
285 00B85792  |.  50            push eax                                 ; |hWnd = NULL
286 00B85793  |.  FF15 B845BF00 call dword ptr ds:[<&USER32.SetWindowPos>; \SetWindowPos
287 00B85799  |>  833D C091C100>cmp dword ptr ds:[0xC191C0],0x0
288 00B857A0  |.  74 33         je short WinRAR1.00B857D5
289 00B857A2  |.  C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1
290 00B857A9  |.  EB 2A         jmp short WinRAR1.00B857D5
291 00B857AB  |>  84DB          test bl,bl
292 00B857AD  |.  74 26         je short WinRAR1.00B857D5
293 00B857AF  |.  6A 00         push 0x0                                 ; /lParam = NULL
294 00B857B1  |.  68 10C2BB00   push WinRAR1.00BBC210                    ; |DlgProc = WinRAR1.00BBC210
295 00B857B6  |.  C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1           ; |
296 00B857BD  |.  FF15 F444BF00 call dword ptr ds:[<&USER32.GetFocus>]   ; |[GetFocus
297 00B857C3  |.  50            push eax                                 ; |hOwner = NULL
298 00B857C4  |.  68 FC98BF00   push WinRAR1.00BF98FC                    ; |pTemplate = "REMINDER"
299 00B857C9  |.  FF35 00F0C400 push dword ptr ds:[0xC4F000]             ; |hInst = 00AE0000
300 00B857CF  |.  FF15 C845BF00 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamW
301 00B857D5  |>  5B            pop ebx                                  ;  USER32.76CD87ED
302 00B857D6  |.  5E            pop esi                                  ;  USER32.76CD87ED
303 00B857D7  |>  8B8C24 141000>mov ecx,dword ptr ss:[esp+0x1014]
304 00B857DE  |.  33CC          xor ecx,esp
305 00B857E0  |.  E8 D7FC0400   call WinRAR1.00BD54BC
306 00B857E5  |.  81C4 18100000 add esp,0x1018
307 00B857EB  \.  C2 0800       retn 0x8

From the analysis, two jumps need attention: the ones at line 7 and line 9 counting from the start of the function. NOP out the jump at line 7 (`je short 00B853CF`, the two bytes `74 0E`) and change the `je` at line 9 (a six-byte `0F 84` near jump to 00B857D7) into an unconditional `jmp` to the same target. Execution then skips both the ad page and the window asking you to buy a licence again. Note that these addresses belong to this 5.71 32-bit build as loaded in this OD session; before patching, confirm that the bytes at those addresses match the listing.

  7 00B853BF  |.  74 0E         je short WinRAR1.00B853CF
  8 00B853C1  |.  80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0
  9 00B853C9  |.  0F84 08040000 je WinRAR1.00B857D7

After making the changes, right-click in the disassembly window and choose "Copy to executable" --> "All modifications" --> "Copy".

Then right-click in the new window that opens and choose "Save file" to write the patched executable to disk.

The whole world is finally quiet; this old monk can go back to his meditation ^_^!!!!

Appendix: a few Win32 functions worth knowing.

CreateWindowEx function:https://msdn.microsoft.com/zh-cn/vstudio/ms632680(v=vs.90)

DestroyWindow function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-destroywindow

IsWindowVisible function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-iswindowvisible

And a keygen written by an expert: https://www.52pojie.cn/thread-984747-1-1.html



Last edited on 2019-7-11 16:05 by zyj_super, reason:
Latest replies (1)
Thanks for sharing. Isn't the personal edition free to use? I used it before, back on 5.70, for a long time, and it always worked!
2019-7-11 20:34