Hello friends, I am asking for your help.
Regarding cracking GetTickCount: how can the timing function be disabled?
Please share your cracking ideas. Thanks in advance to everyone who reads this post.
Example: some audio programs (including DLL plugins) have a timer restriction in trial mode: every 10 seconds of running they mute for 3 seconds, or every 20 seconds of running they insert 1 second of noise.
Below I paste the similar code I obtained by comparing two programs; please help me analyze it.
Program 1: the effect goes to bypass once every twenty seconds (Silverspike Reverb-it Demo.dll)
12350CD0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4]
12350CD4 |. 50 push eax ; /Timeout
12350CD5 |. FF15 1CD63712 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
12350CDB \. C2 0400 retn 4
12350CDE 90 nop
12350CDF 90 nop
12350CE0 $- FF25 80D63712 jmp dword ptr ds:[<&KERNEL32.GetTickCount>; kernel32.GetTickCount
12350CE6 90 nop
12350CE7 90 nop
12350CE8 90 nop
12350CE9 90 nop
12350CEA 90 nop
12350CEB 90 nop
12350CEC 90 nop
12350CED 90 nop
12350CEE 90 nop
12350CEF 90 nop
12350CF0 . 56 push esi
12350CF1 . 57 push edi
12350CF2 . 8BF1 mov esi,ecx
12350CF4 . E8 E7FFFFFF call <jmp.&KERNEL32.GetTickCount> ; [GetTickCount
12350CF9 . 8BF8 mov edi,eax
12350CFB . 8B06 mov eax,dword ptr ds:[esi]
12350CFD . 8BCE mov ecx,esi
12350CFF . FF50 10 call dword ptr ds:[eax+10]
12350D02 . 8B4E 1C mov ecx,dword ptr ds:[esi+1C]
12350D05 . 83C1 64 add ecx,64
12350D08 . 3BF9 cmp edi,ecx
12350D0A . 73 16 jnb short Silversp.12350D22
12350D0C . 6A 0A push 0A
12350D0E . 8BCE mov ecx,esi
12350D10 . E8 BBFFFFFF call Silversp.12350CD0
12350D15 . 8B56 1C mov edx,dword ptr ds:[esi+1C]
12350D18 . 83C7 0A add edi,0A
12350D1B . 83C2 32 add edx,32
12350D1E . 3BFA cmp edi,edx
12350D20 . 72 3C jb short Silversp.12350D5E
12350D22 > 6A 01 push 1 ; /RemoveMsg = PM_REMOVE
12350D24 . 6A 0F push 0F ; |MsgFilterMax = WM_PAINT
12350D26 . 6A 0F push 0F ; |MsgFilterMin = WM_PAINT
12350D28 . 6A 00 push 0 ; |hWnd = NULL
12350D2A . 68 E8AA3712 push Silversp.1237AAE8 ; |pMsg = Silversp.1237AAE8
12350D2F . FF15 BCD73712 call dword ptr ds:[<&USER32.PeekMessageA>>; \PeekMessageA
12350D35 B8 01000000 mov eax,1
12350D3A 90 nop
12350D3B 90 nop
12350D3C 90 nop
12350D3D 90 nop
12350D3E . FF15 C0D73712 call dword ptr ds:[<&USER32.DispatchMessa>; \DispatchMessageA
12350D44 > 8B4E 04 mov ecx,dword ptr ds:[esi+4]
12350D47 . 897E 1C mov dword ptr ds:[esi+1C],edi
12350D4A . 85C9 test ecx,ecx
12350D4C . C646 20 01 mov byte ptr ds:[esi+20],1
12350D50 . 74 08 je short Silversp.12350D5A
12350D52 . 8B01 mov eax,dword ptr ds:[ecx]
12350D54 . FF90 98000000 call dword ptr ds:[eax+98]
12350D5A > C646 20 00 mov byte ptr ds:[esi+20],0
12350D5E > 5F pop edi
12350D5F . 5E pop esi
12350D60 . C3 retn
Program 2: loses its functionality for 10 seconds after every ten seconds of running (TheExtractor.dll)
1299C3B0 . 56 push esi
1299C3B1 . 57 push edi
1299C3B2 . 8BF1 mov esi,ecx
1299C3B4 . FF15 2851A212 call dword ptr ds:[<&KERNEL32.GetTickCoun>; [GetTickCount
1299C3BA . 8BF8 mov edi,eax
1299C3BC . 3B7E 1C cmp edi,dword ptr ds:[esi+1C]
1299C3BF . 73 15 jnb short TheExtra.1299C3D6
1299C3C1 . 6A 04 push 4 ; /Timeout = 4. ms
1299C3C3 . FF15 F050A212 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
1299C3C9 . 8B46 1C mov eax,dword ptr ds:[esi+1C]
1299C3CC . 83C7 04 add edi,4
1299C3CF . 83E8 32 sub eax,32
1299C3D2 . 3BF8 cmp edi,eax
1299C3D4 . 72 46 jb short TheExtra.1299C41C
1299C3D6 > 8B16 mov edx,dword ptr ds:[esi]
1299C3D8 . 8BCE mov ecx,esi
1299C3DA . FF52 10 call dword ptr ds:[edx+10]
1299C3DD . 6A 01 push 1 ; /RemoveMsg = PM_REMOVE
1299C3DF . 6A 0F push 0F ; |MsgFilterMax = WM_PAINT
1299C3E1 . 6A 0F push 0F ; |MsgFilterMin = WM_PAINT
1299C3E3 . 6A 00 push 0 ; |hWnd = NULL
1299C3E5 . 68 387FA312 push TheExtra.12A37F38 ; |pMsg = TheExtra.12A37F38
1299C3EA . FF15 E851A212 call dword ptr ds:[<&USER32.PeekMessageA>>; \PeekMessageA
1299C3F0 . 85C0 test eax,eax
1299C3F2 . 74 0B je short TheExtra.1299C3FF
1299C3F4 . 68 387FA312 push TheExtra.12A37F38 ; /pMsg = WM_NULL?.*s
1299C3F9 . FF15 9C51A212 call dword ptr ds:[<&USER32.DispatchMessa>; \DispatchMessageA
1299C3FF > 8B4E 04 mov ecx,dword ptr ds:[esi+4]
1299C402 . 83C7 64 add edi,64
1299C405 . 85C9 test ecx,ecx
1299C407 . 897E 1C mov dword ptr ds:[esi+1C],edi
1299C40A . C646 20 01 mov byte ptr ds:[esi+20],1
1299C40E . 74 08 je short TheExtra.1299C418
1299C410 . 8B01 mov eax,dword ptr ds:[ecx]
1299C412 . FF90 98000000 call dword ptr ds:[eax+98]
1299C418 > C646 20 00 mov byte ptr ds:[esi+20],0
1299C41C > 5F pop edi
1299C41D . 5E pop esi
1299C41E . C3 retn
1299C41F CC int3
1299C420 . 8B4424 04 mov eax,dword ptr ss:[esp+4]
1299C424 . 83C1 10 add ecx,10
1299C427 . 8908 mov dword ptr ds:[eax],ecx
1299C429 . B8 01000000 mov eax,1
1299C42E . C2 0400 retn 4
1299C431 CC int3
1299C432 CC int3
1299C433 CC int3
1299C434 CC int3
1299C435 CC int3
1299C436 CC int3
1299C437 CC int3
1299C438 CC int3
1299C439 CC int3
1299C43A CC int3
1299C43B CC int3
1299C43C CC int3
1299C43D CC int3
1299C43E CC int3
1299C43F CC int3
1299C440 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4]
1299C444 |. 53 push ebx
1299C445 |. 33DB xor ebx,ebx
1299C447 |. 56 push esi
1299C448 |. 8BF1 mov esi,ecx
1299C44A |. 8946 04 mov dword ptr ds:[esi+4],eax
1299C44D |. 895E 0C mov dword ptr ds:[esi+C],ebx
1299C450 |. C706 509AA212 mov dword ptr ds:[esi],TheExtra.12A29A50
1299C456 |. 895E 18 mov dword ptr ds:[esi+18],ebx
1299C459 |. 885E 20 mov byte ptr ds:[esi+20],bl
1299C45C |. 8B48 44 mov ecx,dword ptr ds:[eax+44]
1299C45F |. 83C9 01 or ecx,1
1299C462 |. 8970 08 mov dword ptr ds:[eax+8],esi
1299C465 |. 8948 44 mov dword ptr ds:[eax+44],ecx
1299C468 |. 895E 08 mov dword ptr ds:[esi+8],ebx
1299C46B |. FF15 2851A212 call dword ptr ds:[<&KERNEL32.GetTickCoun>; [GetTickCount
1299C471 |. 53 push ebx
1299C472 |. 8946 1C mov dword ptr ds:[esi+1C],eax
1299C475 |. FF15 1452A212 call dword ptr ds:[<&ole32.OleInitialize>>; ole32.OleInitialize
1299C47B |. 8BC6 mov eax,esi
1299C47D |. 5E pop esi
1299C47E |. 5B pop ebx
1299C47F \. C2 0400 retn 4
Perhaps the code I pasted is not the key to the crack at all; please forgive me. I look forward to your help and explanations.
Additional note: OD + host software (a personal hobby; I especially like cracking audio/music-related programs).