[原创]QT程序的破解之道仅供学习
发表于: 2021-2-26 10:33 10426
接下来,我们用“相面法”来破解吧@-@
注册码是26位的,那就是mov eax, 26
在x32dbg中搜索下(Ctrl+Shift+F)
找到3个,全F2
然后我们F8单步走
由于是QT妖孽程序,所以,你在大部分时间里看不到几次我们键入的字符
012294C0 | 55 | push ebp | 012294C1 | 8BEC | mov ebp,esp | 012294C3 | 6A FF | push FFFFFFFF | 012294C5 | 68 80 | push guitarpro7.1770880 | 012294CA | 64:A1 | mov eax,dword ptr fs:[0] | 00000000:"8鼻" 012294D0 | 50 | push eax | 012294D1 | 51 | push ecx | 012294D2 | 53 | push ebx | 012294D3 | 56 | push esi | 012294D4 | 57 | push edi | 012294D5 | A1 34 | mov eax,dword ptr ds:[2998434] | 012294DA | 33C5 | xor eax,ebp | 012294DC | 50 | push eax | 012294DD | 8D45 | lea eax,dword ptr ss:[ebp-C] | 012294E0 | 64:A3 | mov dword ptr fs:[0],eax | 00000000:"8鼻" 012294E6 | 8B45 | mov eax,dword ptr ss:[ebp+8] | 012294E9 | 83E8 | sub eax,0 | 012294EC | 0F84 | je guitarpro7.122961B | 012294F2 | 83E8 | sub eax,1 | 012294F5 | 0F85 | jne guitarpro7.122962D | 012294FB | 8B5D | mov ebx,dword ptr ss:[ebp+C] | 012294FE | 8B35 | mov esi,dword ptr ds:[<&?text@QLineEdit@@QBE?AVQString | 01229504 | 8B43 | mov eax,dword ptr ds:[ebx+8] | 01229507 | C740 | mov dword ptr ds:[eax+5C],7 | 0122950E | 8B43 | mov eax,dword ptr ds:[ebx+8] | 01229511 | 8B78 | mov edi,dword ptr ds:[eax+10] | 01229514 | 8D45 | lea eax,dword ptr ss:[ebp-10] | 01229517 | 50 | push eax | 01229518 | 8BCF | mov ecx,edi | 0122951A | FFD6 | call esi | 0122951C | 8B43 | mov eax,dword ptr ds:[ebx+8] | 0122951F | 8D55 | lea edx,dword ptr ss:[ebp-10] | 01229522 | 52 | push edx | 01229523 | C745 | mov dword ptr ss:[ebp-4],0 | 0122952A | 8B48 | mov ecx,dword ptr ds:[eax+54] | 0122952D | 8B01 | mov eax,dword ptr ds:[ecx] | 0122952F | FF50 | call dword ptr ds:[eax+3C] | 01229532 | 8B53 | mov edx,dword ptr ds:[ebx+8] | 01229535 | 8BCF | mov ecx,edi | 01229537 | 8942 | mov dword ptr ds:[edx+5C],eax | 0122953A | 8D45 | lea eax,dword ptr ss:[ebp+8] | 0122953D | 50 | push eax | 0122953E | FFD6 | call esi | 01229540 | 8D4D | lea ecx,dword ptr ss:[ebp+8] | 01229543 | 8B00 | mov eax,dword ptr ds:[eax] | 01229545 | 8B70 | mov esi,dword ptr ds:[eax+4] | 01229548 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 0122954E | 83FE | cmp esi,1A | 
测试注册码是否是26位? 01229551 | 74 3A | je guitarpro7.122958D | 01229553 | 8D4D | lea ecx,dword ptr ss:[ebp+8] | 01229556 | FF15 | call dword ptr ds:[<&??0QBitArray@@QAE@XZ>] | 0122955C | 8B4B | mov ecx,dword ptr ds:[ebx+8] | 0122955F | 6A 00 | push 0 | 01229561 | 50 | push eax | 01229562 | C645 | mov byte ptr ss:[ebp-4],1 | 01229566 | 8B49 | mov ecx,dword ptr ds:[ecx+64] | 01229569 | E8 F2 | call <guitarpro7.sub_1560A60> | 0122956E | 8D4D | lea ecx,dword ptr ss:[ebp+8] | 01229571 | C645 | mov byte ptr ss:[ebp-4],0 | 01229575 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 0122957B | 8B43 | mov eax,dword ptr ds:[ebx+8] | 0122957E | 6A 00 | push 0 | 01229580 | FF70 | push dword ptr ds:[eax+10] | 01229583 | E8 A8 | call <guitarpro7.sub_158BB30> | 01229588 | 83C4 | add esp,8 | 0122958B | EB 54 | jmp guitarpro7.12295E1 | 同理,不能让跳 0122958D | 8B43 | mov eax,dword ptr ds:[ebx+8] | 01229590 | 8B48 | mov ecx,dword ptr ds:[eax+54] | 01229593 | FF70 | push dword ptr ds:[eax+5C] | 01229596 | 8D45 | lea eax,dword ptr ss:[ebp+8] | 01229599 | 50 | push eax | 0122959A | 8B11 | mov edx,dword ptr ds:[ecx] | 0122959C | FF52 | call dword ptr ds:[edx+48] | 调用无效的授权提示字符! 
0122959F | 8B4B | mov ecx,dword ptr ds:[ebx+8] | 012295A2 | 8D45 | lea eax,dword ptr ss:[ebp+8] | 012295A5 | 33DB | xor ebx,ebx | 012295A7 | C645 | mov byte ptr ss:[ebp-4],2 | 012295AB | 3959 | cmp dword ptr ds:[ecx+5C],ebx | 012295AE | 8B49 | mov ecx,dword ptr ds:[ecx+64] | 012295B1 | 0F95C | setne bl | 012295B4 | 8D1C5 | lea ebx,dword ptr ds:[ebx*2+2] | 012295BB | 53 | push ebx | 012295BC | 50 | push eax | 012295BD | E8 9E | call <guitarpro7.sub_1560A60> | 012295C2 | 53 | push ebx | 012295C3 | 8B5D | mov ebx,dword ptr ss:[ebp+C] | 012295C6 | 8B43 | mov eax,dword ptr ds:[ebx+8] | 012295C9 | FF70 | push dword ptr ds:[eax+10] | 012295CC | E8 5F | call <guitarpro7.sub_158BB30> | 012295D1 | 83C4 | add esp,8 | 012295D4 | C645 | mov byte ptr ss:[ebp-4],0 | 012295D8 | 8D4D | lea ecx,dword ptr ss:[ebp+8] | 012295DB | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 012295E1 | 8B4B | mov ecx,dword ptr ds:[ebx+8] | 012295E4 | 8379 | cmp dword ptr ds:[ecx+5C],0 | 012295E8 | 75 0A | jne guitarpro7.12295F4 | 012295EA | 8079 | cmp byte ptr ds:[ecx+60],0 | 012295EE | 74 04 | je guitarpro7.12295F4 | 012295F0 | B0 01 | mov al,1 | 012295F2 | EB 02 | jmp guitarpro7.12295F6 | 012295F4 | 32C0 | xor al,al | 012295F6 | 8B49 | mov ecx,dword ptr ds:[ecx+50] | 012295F9 | 50 | push eax | 012295FA | FF15 | call dword ptr ds:[<&?setEnabled@QWidget@@QAEX_N@Z>] | 01229600 | 8D4D | lea ecx,dword ptr ss:[ebp-10] | 01229603 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 01229609 | 8B4D | mov ecx,dword ptr ss:[ebp-C] | 0122960C | 64:89 | mov dword ptr fs:[0],ecx | 00000000:"8鼻" 01229613 | 59 | pop ecx | 01229614 | 5F | pop edi | 01229615 | 5E | pop esi | 01229616 | 5B | pop ebx | 01229617 | 8BE5 | mov esp,ebp | 01229619 | 5D | pop ebp | 0122961A | C3 | ret | 0122961B | 8B45 | mov eax,dword ptr ss:[ebp+C] | 0122961E | 85C0 | test eax,eax | 01229620 | 74 0B | je guitarpro7.122962D | 01229622 | 6A 0C | push C | 01229624 | 50 | push eax | 01229625 | E8 30 | call <guitarpro7.sub_16B1A5A> | 
0122962A | 83C4 | add esp,8 | 0122962D | 8B4D | mov ecx,dword ptr ss:[ebp-C] | 01229630 | 64:89 | mov dword ptr fs:[0],ecx | 00000000:"8鼻" 01229637 | 59 | pop ecx | 01229638 | 5F | pop edi | 01229639 | 5E | pop esi | 0122963A | 5B | pop ebx | 0122963B | 8BE5 | mov esp,ebp | 0122963D | 5D | pop ebp | 0122963E | C3 | ret |
012295E8 | 75 0A | jne guitarpro7.12295F4 | NOP这里 012295EA | 8079 | cmp byte ptr ds:[ecx+60],0 | 012295EE | 74 04 | je guitarpro7.12295F4 | 012295F0 | B0 01 | mov al,1 | 012295F2 | EB 02 | jmp guitarpro7.12295F6 | 012295F4 | 32C0 | xor al,al | 012295F6 | 8B49 | mov ecx,dword ptr ds:[ecx+50] | 012295F9 | 50 | push eax | 012295FA | FF15 | call dword ptr ds:[<&?setEnabled@QWidget@@QAEX_N@Z>] | 01229600 | 8D4D | lea ecx,dword ptr ss:[ebp-10] | 01229603 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] |
然后我们就知道一个奥秘,调用了
setEnabled@QWidget
那就不是Alt+E,主模,setEnabled@QWidget啊
然后F2
双击过去 62BB8B50 | 8B51 | mov edx,dword ptr ds:[ecx+4] 就是在qt5widgets领空。。。
012296FC、01229702 皆NOP掉!
这样无论上面输入注册码时,还是左边点复选框时皆为 【激活】状态
此时保险起见,先Ctrl+P==> patch1强激活按钮不为灰.exe
===================================================================
接下来,再来解决时间问题,接茬用【相面法】多少天?30天
Ctrl+Shift+F, mov eax, 1e(在x32dbg/x64dbg中你不能搜索1E,要写成10进制的30)
so
下个断试下就知道了:
00E60770 | B8 1E000000 mov eax,1E ====》我们把1E改成 2710 (即10进制的1万天,相当于28年) 00E60775 | C3 ret
上面我们解决了两个问题,1是灰色按钮问题,2是无限试用问题。。。
上面写得不详细,发现有些问题:上面改的时间是分子,分母则是走字的天数
顺势跟下去。。。
来到
很有意思吧,就来到了
00EF65C2 | 0F4DC6 | cmovge eax,esi
这个代码很有意思吧?
反转下对比的条件,交换两个寄存器
同理可证
然后我们点击关于时
依然反转下两个寄存器
===============================================================
接下来,我们再来解决网络校验问题。。。。
用process hacker查看下进程就能得到该软件的域名了
用WinHEX的充零大法。。。
Ctrl+L==》 00吧,注意两种编码都别放过就好,具体就不截图了
==============================================================
另外还有个问题,重启后注册码被干掉,导致我们还得再次注册。。。看看哪里发生的?
另外就在注册码注册成功的提示不远处,有个地方清空了al
最终在wgz001表哥的帮助下找到了那个位置。。。最终版完美爆破,同时我们在爆破QT程序的过程中得到了很多启迪。
比如QT程序调用注册表API不被api monitor 和 process monitor 监控到
但是以下断点仍然有效果
[5]注册表
5.RegOpenKeyA(打开注册表项)
5.RegOpenKeyExA(重启验证常用)
5.RegCreateKeyExA
5.RegQueryValueExA
5.RegCreateKeyA(创建新项)
5.RegCloseKey(关闭注册表)
5.RegQueryValueA(取值)
5.RegEnumKeyExA(枚举子项)
5.RegSetValueA(设置默认值)
5.RegSetValueW()
5.RegSetValueExA(设置指定项的值)
5.RegSetValueExW
删除注册表键值 不使用RegDeleteKeyA、RegDeleteKeyW
解决办法很简单:使用条件断点和条件记录断点。为此我写了个条件断点生成器
==============================================================
接下来,我们再来看看QT程序的某些通用特性:
一般都有QM文件作为语言文件,然后不断的点击,就会发现这个QM翻译软件中,右面的字符串列表的前面,必然是那个QM的一个大类【比如这里是License】
反正就那个意思吧,具体你自己实践下就明白了。。。
分别 用自带的字符搜索和插件搜索下,你就会发现有得看,没得吃。
0110B2EA | 68 54 | push 试用10000天_加跳过启动注册窗.2190E54 | 2190E54:"Your software has been successfully activated."
字符串容易找到,但却缺少中间的东西来联系到。。。哪里发现的。。。。跟注册码也不会完全看到注册码的全部,而是其中的一两位而已
调用点的字符串要么早了,要么老了,因此我们还要回到 调用取EditText 控件 和 注册码 26位的 那块 就跟,发现了什么?
00E694C0 | 55 | push ebp | 00E694C1 | 8BEC | mov ebp,esp | 00E694C3 | 6A FF | push FFFFFFFF | 00E694C5 | 68 80083B01 | push <强制按钮为实1.sub_13B0880> | 00E694CA | 64:A1 00000000 | mov eax,dword ptr fs:[0] | eax:sub_E694C0 00E694D0 | 50 | push eax | eax:sub_E694C0 00E694D1 | 51 | push ecx | 00E694D2 | 53 | push ebx | 00E694D3 | 56 | push esi | 00E694D4 | 57 | push edi | 00E694D5 | A1 34845D02 | mov eax,dword ptr ds:[25D8434] | eax:sub_E694C0, 025D8434:L"皸肅" 00E694DA | 33C5 | xor eax,ebp | eax:sub_E694C0 00E694DC | 50 | push eax | eax:sub_E694C0 00E694DD | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] | eax:sub_E694C0 00E694E0 | 64:A3 00000000 | mov dword ptr fs:[0],eax | eax:sub_E694C0 00E694E6 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] | eax:sub_E694C0 00E694E9 | 83E8 00 | sub eax,0 | eax:sub_E694C0 00E694EC | 0F84 29010000 | je 强制按钮为实1.E6961B | 00E694F2 | 83E8 01 | sub eax,1 | eax:sub_E694C0 00E694F5 | 0F85 32010000 | jne 强制按钮为实1.E6962D | 00E694FB | 8B5D 0C | mov ebx,dword ptr ss:[ebp+C] | 00E694FE | 8B35 18E04401 | mov esi,dword ptr ds:[<&?text@QLineEdit@@QBE?AVQSt | 00E69504 | 8B43 08 | mov eax,dword ptr ds:[ebx+8] | eax:sub_E694C0 00E69507 | C740 5C 07000000 | mov dword ptr ds:[eax+5C],7 | eax+5C:sub_E694C0+5C 00E6950E | 8B43 08 | mov eax,dword ptr ds:[ebx+8] | eax:sub_E694C0 00E69511 | 8B78 10 | mov edi,dword ptr ds:[eax+10] | eax+10:sub_E694C0+10 00E69514 | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] | eax:sub_E694C0 00E69517 | 50 | push eax | eax:sub_E694C0 00E69518 | 8BCF | mov ecx,edi | 00E6951A | FFD6 | call esi | 00E6951C | 8B43 08 | mov eax,dword ptr ds:[ebx+8] | eax:sub_E694C0 00E6951F | 8D55 F0 | lea edx,dword ptr ss:[ebp-10] | 00E69522 | 52 | push edx | 00E69523 | C745 FC 00000000 | mov dword ptr ss:[ebp-4],0 | 00E6952A | 8B48 54 | mov ecx,dword ptr ds:[eax+54] | eax+54:sub_E694C0+54 00E6952D | 8B01 | mov eax,dword ptr ds:[ecx] | eax:sub_E694C0 00E6952F | FF50 3C | call dword ptr ds:[eax+3C] | eax+3C:sub_E694C0+3C 00E69532 | 8B53 08 | mov edx,dword ptr ds:[ebx+8] | 
00E69535 | 8BCF | mov ecx,edi | 00E69537 | 8942 5C | mov dword ptr ds:[edx+5C],eax | eax:sub_E694C0 00E6953A | 8D45 08 | lea eax,dword ptr ss:[ebp+8] | eax:sub_E694C0 00E6953D | 50 | push eax | eax:sub_E694C0 00E6953E | FFD6 | call esi | 00E69540 | 8D4D 08 | lea ecx,dword ptr ss:[ebp+8] | 00E69543 | 8B00 | mov eax,dword ptr ds:[eax] | eax:sub_E694C0 00E69545 | 8B70 04 | mov esi,dword ptr ds:[eax+4] | eax+4:sub_E694C0+4 00E69548 | FF15 80C44401 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 00E6954E | 83FE 1A | cmp esi,1A | 00E69551 | 90 | nop | 00E69552 | 90 | nop | 00E69553 | 8D4D 08 | lea ecx,dword ptr ss:[ebp+8] | 00E69556 | FF15 E4C34401 | call dword ptr ds:[<&??0QBitArray@@QAE@XZ>] | 00E6955C | 8B4B 08 | mov ecx,dword ptr ds:[ebx+8] | 00E6955F | 6A 00 | push 0 | 00E69561 | 50 | push eax | eax:sub_E694C0 00E69562 | C645 FC 01 | mov byte ptr ss:[ebp-4],1 | 00E69566 | 8B49 64 | mov ecx,dword ptr ds:[ecx+64] | 00E69569 | E8 F2743300 | call <强制按钮为实1.sub_11A0A60> | 00E6956E | 8D4D 08 | lea ecx,dword ptr ss:[ebp+8] | 00E69571 | C645 FC 00 | mov byte ptr ss:[ebp-4],0 | 00E69575 | FF15 80C44401 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 00E6957B | 8B43 08 | mov eax,dword ptr ds:[ebx+8] | eax:sub_E694C0 00E6957E | 6A 00 | push 0 | 00E69580 | FF70 10 | push dword ptr ds:[eax+10] | eax+10:sub_E694C0+10 00E69583 | E8 A8253600 | call <强制按钮为实1.sub_11CBB30> | 00E69588 | 83C4 08 | add esp,8 | 00E6958B | EB 54 | jmp 强制按钮为实1.E695E1 | 00E6958D | 8B43 08 | mov eax,dword ptr ds:[ebx+8] | eax:sub_E694C0 00E69590 | 8B48 54 | mov ecx,dword ptr ds:[eax+54] | eax+54:sub_E694C0+54 00E69593 | FF70 5C | push dword ptr ds:[eax+5C] | eax+5C:sub_E694C0+5C 00E69596 | 8D45 08 | lea eax,dword ptr ss:[ebp+8] | eax:sub_E694C0 00E69599 | 50 | push eax | eax:sub_E694C0 00E6959A | 8B11 | mov edx,dword ptr ds:[ecx] | 00E6959C | FF52 48 | call dword ptr ds:[edx+48] | 00E6959F | 8B4B 08 | mov ecx,dword ptr ds:[ebx+8] | 00E695A2 | 8D45 08 | lea eax,dword ptr ss:[ebp+8] | eax:sub_E694C0 00E695A5 | 33DB 
| xor ebx,ebx | 00E695A7 | C645 FC 02 | mov byte ptr ss:[ebp-4],2 | 00E695AB | 3959 5C | cmp dword ptr ds:[ecx+5C],ebx | 00E695AE | 8B49 64 | mov ecx,dword ptr ds:[ecx+64] | 00E695B1 | 0F95C3 | setne bl | 00E695B4 | 8D1C5D 02000000 | lea ebx,dword ptr ds:[ebx*2+2] | 00E695BB | 53 | push ebx | 00E695BC | 50 | push eax | eax:sub_E694C0 00E695BD | E8 9E743300 | call <强制按钮为实1.sub_11A0A60> | 00E695C2 | 53 | push ebx | 00E695C3 | 8B5D 0C | mov ebx,dword ptr ss:[ebp+C] | 00E695C6 | 8B43 08 | mov eax,dword ptr ds:[ebx+8] | eax:sub_E694C0 00E695C9 | FF70 10 | push dword ptr ds:[eax+10] | eax+10:sub_E694C0+10 00E695CC | E8 5F253600 | call <强制按钮为实1.sub_11CBB30> | 00E695D1 | 83C4 08 | add esp,8 | 00E695D4 | C645 FC 00 | mov byte ptr ss:[ebp-4],0 | 00E695D8 | 8D4D 08 | lea ecx,dword ptr ss:[ebp+8] | 00E695DB | FF15 80C44401 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 00E695E1 | 8B4B 08 | mov ecx,dword ptr ds:[ebx+8] | 00E695E4 | 8379 5C 00 | cmp dword ptr ds:[ecx+5C],0 | 00E695E8 | 90 | nop | 00E695E9 | 90 | nop | 00E695EA | 8079 60 00 | cmp byte ptr ds:[ecx+60],0 | 00E695EE | 90 | nop | 00E695EF | 90 | nop | 00E695F0 | B0 01 | mov al,1 | 00E695F2 | EB 02 | jmp 强制按钮为实1.E695F6 | 00E695F4 | 32C0 | xor al,al | 00E695F6 | 8B49 50 | mov ecx,dword ptr ds:[ecx+50] | 00E695F9 | 50 | push eax | eax:sub_E694C0 00E695FA | FF15 C8E34401 | call dword ptr ds:[<&?setEnabled@QWidget@@QAEX_N@Z | 00E69600 | 8D4D F0 | lea ecx,dword ptr ss:[ebp-10] | 00E69603 | FF15 80C44401 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 00E69609 | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] | 00E6960C | 64:890D 00000000 | mov dword ptr fs:[0],ecx | 00E69613 | 59 | pop ecx | 00E69614 | 5F | pop edi | 00E69615 | 5E | pop esi | 00E69616 | 5B | pop ebx | 00E69617 | 8BE5 | mov esp,ebp | 00E69619 | 5D | pop ebp | 00E6961A | C3 | ret | 00E6961B | 8B45 0C | mov eax,dword ptr ss:[ebp+C] | eax:sub_E694C0 00E6961E | 85C0 | test eax,eax | eax:sub_E694C0 00E69620 | 74 0B | je 强制按钮为实1.E6962D | 00E69622 | 6A 0C | push C | 00E69624 
| 50 | push eax | eax:sub_E694C0 00E69625 | E8 30844800 | call <强制按钮为实1.sub_12F1A5A> | 00E6962A | 83C4 08 | add esp,8 | 00E6962D | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] | 00E69630 | 64:890D 00000000 | mov dword ptr fs:[0],ecx | 00E69637 | 59 | pop ecx | 00E69638 | 5F | pop edi | 00E69639 | 5E | pop esi | 00E6963A | 5B | pop ebx | 00E6963B | 8BE5 | mov esp,ebp | 00E6963D | 5D | pop ebp | 00E6963E | C3 | ret |
改完之后,再存个档
00EACD40 | 55 | push ebp | 00EACD41 | 8BEC | mov ebp,esp | 00EACD43 | 6A F | push FFFFFFFF | 00EACD45 | 68 5 | push <强制按钮为实1.sub_13B8757> | 00EACD4A | 64:A | mov eax,dword ptr fs:[0] | 00EACD50 | 50 | push eax | 00EACD51 | 83EC | sub esp,8 | 00EACD54 | 56 | push esi | 00EACD55 | A1 3 | mov eax,dword ptr ds:[25D8434] | 025D8434:L"皸肅" 00EACD5A | 33C5 | xor eax,ebp | 00EACD5C | 50 | push eax | 00EACD5D | 8D45 | lea eax,dword ptr ss:[ebp-C] | 00EACD60 | 64:A | mov dword ptr fs:[0],eax | 00EACD66 | 8BF1 | mov esi,ecx | 00EACD68 | 8B46 | mov eax,dword ptr ds:[esi+4] | 00EACD6B | 80B8 | cmp byte ptr ds:[eax+C4],0 | 00EACD72 | 74 4 | je 强制按钮为实1.EACDB7 | 通往Demo字样的地方 就不会跳转了 00EACD74 | 8D88 | lea ecx,dword ptr ds:[eax+C8] | 00EACD7A | 8B01 | mov eax,dword ptr ds:[ecx] | 00EACD7C | 8378 | cmp dword ptr ds:[eax+4],0 | 00EACD80 | 74 3 | je 强制按钮为实1.EACDB7 | 通往Demo字样的地方 00EACD82 | 6A 0 | push 8 | 00EACD84 | 6A 0 | push 0 | 00EACD86 | 8D45 | lea eax,dword ptr ss:[ebp-10] | 00EACD89 | 50 | push eax | 00EACD8A | FF15 | call dword ptr ds:[<&?mid@QString@@QBE?AV1@HH@Z>] | 00EACD90 | 6A 0 | push 1 | 00EACD92 | 68 5 | push 强制按钮为实1.1EF655C | 1EF655C:"-********-********" 00EACD97 | 8BC8 | mov ecx,eax | 00EACD99 | C745 | mov dword ptr ss:[ebp-4],0 | 00EACDA0 | FF15 | call dword ptr ds:[<&??YQString@@QAEAAV0@PBD@Z>] | 00EACDA6 | 8B4E | mov ecx,dword ptr ds:[esi+4] | 00EACDA9 | 50 | push eax | 00EACDAA | 83C1 | add ecx,50 | 00EACDAD | E8 5 | call <强制按钮为实1.sub_1188A10> | 00EACDB2 | 8D4D | lea ecx,dword ptr ss:[ebp-10] | 00EACDB5 | EB 3 | jmp 强制按钮为实1.EACDEA | 00EACDB7 | 6A F | push FFFFFFFF | 00EACDB9 | 6A 0 | push 0 | 00EACDBB | 68 7 | push 强制按钮为实1.1EF6570 | 1EF6570:"Demo" 00EACDC0 | 8D45 | lea eax,dword ptr ss:[ebp-14] | 00EACDC3 | 68 1 | push 强制按钮为实1.1ED7510 | 1ED7510:"AboutDialog" 00EACDC8 | 50 | push eax | 00EACDC9 | FF15 | call dword ptr ds:[<&?translate@QCoreApplication@@SA?AVQString@@PBD00H@Z> |
QT启动的阶段:
Initialization 1/4
Initialization 2/4
Initialization 3/4
Initialization 4/4
00315136 | 68 203CCE00 | push 强制按钮为实1_强制注册成功(强跳).CE3C20 | CE3C20:"Initialization Done"
00A94EF8 | FF15 | call dword ptr ds:[<&?isDebugEnabled@QLoggingCategory@@QBE_N | 00A94EFE | 84C0 | test al,al | 00A94F00 | 74 4 | je 强制按钮为实1.A94F43 | 00A94F02 | E8 D | call <强制按钮为实1.sub_A9A8E0> | 00A94F07 | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A94F0A | 51 | push ecx | 00A94F0B | 8D4D | lea ecx,dword ptr ss:[ebp-24] | 00A94F0E | FF70 | push dword ptr ds:[eax+4] | 00A94F11 | 6A 0 | push 0 | 00A94F13 | 6A 0 | push 0 | 00A94F15 | 6A 0 | push 0 | 00A94F17 | FF15 | call dword ptr ds:[<&??0QMessageLogger@@QAE@PBDH00@Z>] | 00A94F1D | 8BC8 | mov ecx,eax | 00A94F1F | FFD3 | call ebx | 00A94F21 | 68 B | push 强制按钮为实1.1463BB8 | 1463BB8:"Creating Main Window" 00A94F26 | 8BC8 | mov ecx,eax | 00A94F28 | C645 | mov byte ptr ss:[ebp-4],11 | 00A94F2C | FF15 | call dword ptr ds:[<&??6QDebug@@QAEAAV0@PBD@Z>] | 00A94F32 | 8B35 | mov esi,dword ptr ds:[<&??1QDebug@@QAE@XZ>] | 00A94F38 | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A94F3B | C645 | mov byte ptr ss:[ebp-4],D | D:'\r' 00A94F3F | FFD6 | call esi | 00A94F41 | EB 0 | jmp 强制按钮为实1.A94F49 | 00A94F43 | 8B35 | mov esi,dword ptr ds:[<&??1QDebug@@QAE@XZ>] | 00A94F49 | 6A 0 | push 0 | 00A94F4B | 6A 0 | push 1 | 00A94F4D | E8 6 | call <强制按钮为实1.sub_CE57C0> | 上上上层 注册成功1 00A94F52 | 8B8D | mov ecx,dword ptr ss:[ebp-84] | 00A94F58 | 83C4 | add esp,8 | 00A94F5B | 8B01 | mov eax,dword ptr ds:[ecx] | 00A94F5D | 8B80 | mov eax,dword ptr ds:[eax+80] | 00A94F63 | FFD0 | call eax | 00A94F65 | 84C0 | test al,al | 00A94F67 | 75 0 | jne 强制按钮为实1.A94F74 | 00A94F69 | 8B8D | mov ecx,dword ptr ss:[ebp-84] | 00A94F6F | 8B01 | mov eax,dword ptr ds:[ecx] | 00A94F71 | FF50 | call dword ptr ds:[eax+78] | 00A94F74 | E8 6 | call <强制按钮为实1.sub_A9A8E0> | 00A94F79 | 8BC8 | mov ecx,eax | 00A94F7B | FF15 | call dword ptr ds:[<&?isDebugEnabled@QLoggingCategory@@QBE_N | 00A94F81 | 84C0 | test al,al | 00A94F83 | 74 3 | je 强制按钮为实1.A94FBE | 00A94F85 | E8 5 | call <强制按钮为实1.sub_A9A8E0> | 00A94F8A | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A94F8D | 51 | push ecx | 00A94F8E | 
8D4D | lea ecx,dword ptr ss:[ebp-24] | 00A94F91 | FF70 | push dword ptr ds:[eax+4] | 00A94F94 | 6A 0 | push 0 | 00A94F96 | 6A 0 | push 0 | 00A94F98 | 6A 0 | push 0 | 00A94F9A | FF15 | call dword ptr ds:[<&??0QMessageLogger@@QAE@PBDH00@Z>] | 00A94FA0 | 8BC8 | mov ecx,eax | 00A94FA2 | FFD3 | call ebx | 00A94FA4 | 68 D | push 强制按钮为实1.1463BD0 | 1463BD0:"Initialization 1/4" 00A94FA9 | 8BC8 | mov ecx,eax | 00A94FAB | C645 | mov byte ptr ss:[ebp-4],12 | 00A94FAF | FF15 | call dword ptr ds:[<&??6QDebug@@QAEAAV0@PBD@Z>] | 00A94FB5 | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A94FB8 | C645 | mov byte ptr ss:[ebp-4],D | D:'\r' 00A94FBC | FFD6 | call esi | 00A94FBE | 8D8D | lea ecx,dword ptr ss:[ebp-A4] | 00A94FC4 | FF15 | call dword ptr ds:[<&?waitForFinished@QFutureInterfaceBase@@ | 00A94FCA | E8 1 | call <强制按钮为实1.sub_A9A8E0> | 00A94FCF | 8BC8 | mov ecx,eax | 00A94FD1 | FF15 | call dword ptr ds:[<&?isDebugEnabled@QLoggingCategory@@QBE_N | 00A94FD7 | 84C0 | test al,al | 00A94FD9 | 74 3 | je 强制按钮为实1.A95010 | 00A94FDB | E8 0 | call <强制按钮为实1.sub_A9A8E0> | 00A94FE0 | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A94FE3 | 51 | push ecx | 00A94FE4 | 8D4D | lea ecx,dword ptr ss:[ebp-24] | 00A94FE7 | FF70 | push dword ptr ds:[eax+4] | 00A94FEA | 6A 0 | push 0 | 00A94FEC | 6A 0 | push 0 | 00A94FEE | 6A 0 | push 0 | 00A94FF0 | FF15 | call dword ptr ds:[<&??0QMessageLogger@@QAE@PBDH00@Z>] | 00A94FF6 | 8BC8 | mov ecx,eax | 00A94FF8 | FFD3 | call ebx | 00A94FFA | 68 E | push 强制按钮为实1.1463BE4 | 1463BE4:"Initialization 2/4" 00A94FFF | 8BC8 | mov ecx,eax | 00A95001 | C645 | mov byte ptr ss:[ebp-4],13 | 00A95005 | FF15 | call dword ptr ds:[<&??6QDebug@@QAEAAV0@PBD@Z>] | 00A9500B | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A9500E | FFD6 | call esi | 00A95010 | 8D4D | lea ecx,dword ptr ss:[ebp-70] | 00A95013 | FF15 | call dword ptr ds:[<&??0QBitArray@@QAE@XZ>] | 00A95019 | 8B8D | mov ecx,dword ptr ss:[ebp-84] | 00A9501F | 8D55 | lea edx,dword ptr ss:[ebp-70] | 00A95022 | 52 | push edx | 00A95023 | C645 
| mov byte ptr ss:[ebp-4],14 | 00A95027 | 8B01 | mov eax,dword ptr ds:[ecx] | 00A95029 | 8B40 | mov eax,dword ptr ds:[eax+6C] | 00A9502C | FFD0 | call eax | 00A9502E | 8845 | mov byte ptr ss:[ebp-79],al | 00A95031 | E8 A | call <强制按钮为实1.sub_A9A8E0> | 00A95036 | 8BC8 | mov ecx,eax | 00A95038 | FF15 | call dword ptr ds:[<&?isDebugEnabled@QLoggingCategory@@QBE_N | 00A9503E | 84C0 | test al,al | 00A95040 | 74 3 | je 强制按钮为实1.A9507B | 00A95042 | E8 9 | call <强制按钮为实1.sub_A9A8E0> | 00A95047 | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A9504A | 51 | push ecx | 00A9504B | 8D4D | lea ecx,dword ptr ss:[ebp-24] | 00A9504E | FF70 | push dword ptr ds:[eax+4] | 00A95051 | 6A 0 | push 0 | 00A95053 | 6A 0 | push 0 | 00A95055 | 6A 0 | push 0 | 00A95057 | FF15 | call dword ptr ds:[<&??0QMessageLogger@@QAE@PBDH00@Z>] | 00A9505D | 8BC8 | mov ecx,eax | 00A9505F | FFD3 | call ebx | 00A95061 | 68 F | push 强制按钮为实1.1463BF8 | 1463BF8:"Initialization 3/4" 00A95066 | 8BC8 | mov ecx,eax | 00A95068 | C645 | mov byte ptr ss:[ebp-4],15 | 00A9506C | FF15 | call dword ptr ds:[<&??6QDebug@@QAEAAV0@PBD@Z>] | 00A95072 | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A95075 | C645 | mov byte ptr ss:[ebp-4],14 | 00A95079 | FFD6 | call esi | 00A9507B | 8BB5 | mov esi,dword ptr ss:[ebp-84] | 00A95081 | 8D45 | lea eax,dword ptr ss:[ebp-70] | 00A95084 | 51 | push ecx | 00A95085 | 8BCC | mov ecx,esp | 00A95087 | 50 | push eax | 00A95088 | FF15 | call dword ptr ds:[<&??0QByteArray@@QAE@ABV0@@Z>] | 00A9508E | 8B06 | mov eax,dword ptr ds:[esi] | 00A95090 | 8BCE | mov ecx,esi | 00A95092 | FF50 | call dword ptr ds:[eax+50] | 00A95095 | E8 4 | call <强制按钮为实1.sub_A9A8E0> | 00A9509A | 8BC8 | mov ecx,eax | 00A9509C | FF15 | call dword ptr ds:[<&?isDebugEnabled@QLoggingCategory@@QBE_N | 00A950A2 | 84C0 | test al,al | 00A950A4 | 74 3 | je 强制按钮为实1.A950E3 | 00A950A6 | E8 3 | call <强制按钮为实1.sub_A9A8E0> | 00A950AB | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A950AE | 51 | push ecx | 00A950AF | 8D4D | lea ecx,dword ptr ss:[ebp-24] | 
00A950B2 | FF70 | push dword ptr ds:[eax+4] | 00A950B5 | 6A 0 | push 0 | 00A950B7 | 6A 0 | push 0 | 00A950B9 | 6A 0 | push 0 | 00A950BB | FF15 | call dword ptr ds:[<&??0QMessageLogger@@QAE@PBDH00@Z>] | 00A950C1 | 8BC8 | mov ecx,eax | 00A950C3 | FFD3 | call ebx | 00A950C5 | 68 0 | push 强制按钮为实1.1463C0C | 1463C0C:"Initialization 4/4" 00A950CA | 8BC8 | mov ecx,eax | 00A950CC | C645 | mov byte ptr ss:[ebp-4],16 | 00A950D0 | FF15 | call dword ptr ds:[<&??6QDebug@@QAEAAV0@PBD@Z>] | 00A950D6 | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A950D9 | C645 | mov byte ptr ss:[ebp-4],14 | 00A950DD | FF15 | call dword ptr ds:[<&??1QDebug@@QAE@XZ>] | 00A950E3 | 807D | cmp byte ptr ss:[ebp-79],0 | 00A950E7 | 74 1 | je 强制按钮为实1.A95106 | 00A950E9 | 8BB5 | mov esi,dword ptr ss:[ebp-84] | 00A950EF | 8D45 | lea eax,dword ptr ss:[ebp-70] | 00A950F2 | 51 | push ecx | 00A950F3 | 8BCC | mov ecx,esp | 00A950F5 | 50 | push eax | 00A950F6 | FF15 | call dword ptr ds:[<&??0QByteArray@@QAE@ABV0@@Z>] | 00A950FC | 8B06 | mov eax,dword ptr ds:[esi] | 00A950FE | 8BCE | mov ecx,esi | 00A95100 | FF90 | call dword ptr ds:[eax+B4] | 00A95106 | E8 D | call <强制按钮为实1.sub_A9A8E0> | 00A9510B | 8BC8 | mov ecx,eax | 00A9510D | FF15 | call dword ptr ds:[<&?isDebugEnabled@QLoggingCategory@@QBE_N | 00A95113 | 84C0 | test al,al | 00A95115 | 74 3 | je 强制按钮为实1.A95150 | 00A95117 | E8 C | call <强制按钮为实1.sub_A9A8E0> | 00A9511C | 8D4D | lea ecx,dword ptr ss:[ebp-64] | 00A9511F | 51 | push ecx | 00A95120 | 8D4D | lea ecx,dword ptr ss:[ebp-24] | 00A95123 | FF70 | push dword ptr ds:[eax+4] | 00A95126 | 6A 0 | push 0 | 00A95128 | 6A 0 | push 0 | 00A9512A | 6A 0 | push 0 | 00A9512C | FF15 | call dword ptr ds:[<&??0QMessageLogger@@QAE@PBDH00@Z>] | 00A95132 | 8BC8 | mov ecx,eax | 00A95134 | FFD3 | call ebx | 00A95136 | 68 2 | push 强制按钮为实1.1463C20 | 1463C20:"Initialization Done"
00E67930 | 55 | push ebp | 00E67931 | 8BEC | mov ebp,esp | 00E67933 | 6A F | push FFFFFFFF | 00E67935 | 68 B | push 强制按钮为实1.13B03B9 | 00E6793A | 64:A | mov eax,dword ptr fs:[0] | 00E67940 | 50 | push eax | 00E67941 | 83EC | sub esp,10 | 00E67944 | 56 | push esi | 00E67945 | 57 | push edi | 00E67946 | A1 3 | mov eax,dword ptr ds:[25D8434] | 025D8434:L"皸肅" 00E6794B | 33C5 | xor eax,ebp | 00E6794D | 50 | push eax | 00E6794E | 8D45 | lea eax,dword ptr ss:[ebp-C] | 00E67951 | 64:A | mov dword ptr fs:[0],eax | 00E67957 | 8BF9 | mov edi,ecx | 00E67959 | 837D | cmp dword ptr ss:[ebp+8],0 | 00E6795D | 8D45 | lea eax,dword ptr ss:[ebp-18] | 00E67960 | 6A F | push FFFFFFFF | 00E67962 | 6A 0 | push 0 | 00E67964 | 7E 6 | jle 强制按钮为实1.E679D0 | 00E67966 | 68 2 | push 强制按钮为实1.1EF0724 | 1EF0724:"<b>%1</b> day(s) left" 00E6796B | 68 4 | push 强制按钮为实1.1EF064C | 1EF064C:"DemoWidget" 00E67970 | 50 | push eax | 00E67971 | FF15 | call dword ptr ds:[<&?translate@QCoreApplication@@SA?AVQStri | 00E67977 | 8BF0 | mov esi,eax | 00E67979 | 83C4 | add esp,10 | 00E6797C | C645 | mov byte ptr ss:[ebp-10],20 | 20:' ' 00E67980 | 8BCC | mov ecx,esp | 00E67982 | C745 | mov dword ptr ss:[ebp-4],0 | 00E67989 | FF75 | push dword ptr ss:[ebp-10] | 00E6798C | FF15 | call dword ptr ds:[<&??0QChar@@QAE@D@Z>] | 00E67992 | 6A 0 | push A | 00E67994 | 6A 0 | push 0 | 00E67996 | FF75 | push dword ptr ss:[ebp+8] | 00E67999 | 8D45 | lea eax,dword ptr ss:[ebp-14] | 00E6799C | 8BCE | mov ecx,esi | 00E6799E | 50 | push eax | 00E6799F | FF15 | call dword ptr ds:[<&?arg@QString@@QBE?AV1@HHHVQChar@@@Z>] | 00E679A5 | 8B4F | mov ecx,dword ptr ds:[edi+1C] | 00E679A8 | 50 | push eax | 00E679A9 | C645 | mov byte ptr ss:[ebp-4],1 | 00E679AD | FF15 | call dword ptr ds:[<&?setText@QLabel@@QAEXABVQString@@@Z>] | 00E679B3 | 8D4D | lea ecx,dword ptr ss:[ebp-14] | 00E679B6 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 00E679BC | 8D4D | lea ecx,dword ptr ss:[ebp-18] | 00E679BF | C745 | mov dword ptr ss:[ebp-4],FFFFFFFF | 
00E679C6 | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 00E679CC | 6A 0 | push 0 | 00E679CE | EB 6 | jmp 强制按钮为实1.E67A3F | 00E679D0 | 68 3 | push 强制按钮为实1.1EF073C | 1EF073C:"Trial expired" 00E679D5 | 68 4 | push 强制按钮为实1.1EF064C | 1EF064C:"DemoWidget" 00E679DA | 50 | push eax | 00E679DB | FF15 | call dword ptr ds:[<&?translate@QCoreApplication@@SA?AVQStri | 00E679E1 | 83C4 | add esp,14 | 00E679E4 | 8B4F | mov ecx,dword ptr ds:[edi+1C] | 00E679E7 | 50 | push eax | 00E679E8 | C745 | mov dword ptr ss:[ebp-4],2 | 00E679EF | FF15 | call dword ptr ds:[<&?setText@QLabel@@QAEXABVQString@@@Z>] | 00E679F5 | 8D4D | lea ecx,dword ptr ss:[ebp-18] | 00E679F8 | C745 | mov dword ptr ss:[ebp-4],FFFFFFFF | 00E679FF | FF15 | call dword ptr ds:[<&??1QString@@QAE@XZ>] | 00E67A05 | 6A 0 | push F | 00E67A07 | 68 4 | push 强制按钮为实1.1EF074C | 1EF074C:"am_trialExpired"
最初我的改法是强跳注册窗口,那么做是没有啥实际意义的。
一点心得。。。
?text@QLineEdit 可以作为Alt+E断点参考。
爆破最好直接到最后一层验证标志处去修改. 以免漏掉.
Mxixihaha 爆破最好直接到最后一层验证标志处去修改. 以免漏掉.mov 0x1e哪儿有点混… |