Nowadays even installing an offline upgrade package requires authorization verification? That's far too heavy-handed!
Using OD (OllyDbg) to crack the installer's authorization check; call it an unconventional use of OD!
Load it in OD, set a breakpoint on the dialog-box API, press F9 to run; once it breaks, press Alt+F9 to return to the program's own code:
-------------------------------------------------------
00419712 |. FF15 18654A00 call dword ptr [<&ole32.CoInitialize>] ; ole32.CoInitialize
00419718 |. 8D4424 0C lea eax, dword ptr [esp+C] ; returns here
0041971C |. 50 push eax ; /pInitEx
0041971D |. C74424 10 08000000 mov dword ptr [esp+10], 8 ; |
00419725 |. C74424 14 FF080000 mov dword ptr [esp+14], 8FF ; |
0041972D |. FF15 40604A00 call dword ptr [<&COMCTL32.InitCommonControlsEx>] ; \InitCommonControlsEx
00419733 |. 8BCE mov ecx, esi
00419735 |. E8 34580400 call 0045EF6E
0041973A |. 6A 00 push 0
0041973C |. E8 F2F20400 call 00468A33
00419741 |. 83C4 04 add esp, 4
00419744 |. 68 D0114B00 push 004B11D0 ; UNICODE "Local AppWizard-Generated Applications"
00419749 |. 8BCE mov ecx, esi
0041974B |. E8 34E80400 call 00467F84
00419750 |. 8D4C24 08 lea ecx, dword ptr [esp+8]
00419754 |. 51 push ecx
00419755 |. 68 06000200 push 20006
0041975A |. 6A 00 push 0
0041975C |. 68 C4E44A00 push 004AE4C4 ; UNICODE "SoftWare"
00419761 |. 68 02000080 push 80000002
00419766 |. C74424 1C 00000000 mov dword ptr [esp+1C], 0
0041976E |. FF15 C40B5800 call dword ptr [580BC4] ; ADVAPI32.RegOpenKeyExW
00419774 |. 85C0 test eax, eax
00419776 |. 0F85 30010000 jnz 004198AC
0041977C |. 8B4424 08 mov eax, dword ptr [esp+8]
00419780 |. 85C0 test eax, eax
00419782 |. 74 07 je short 0041978B
00419784 |. 50 push eax ; /hKey
00419785 |. FF15 20604A00 call dword ptr [<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
0041978B |> A1 28124B00 mov eax, dword ptr [4B1228]
00419790 |. 8B0D 20124B00 mov ecx, dword ptr [4B1220] ; 08KvUpd2.00450053
00419796 |. 8B15 24124B00 mov edx, dword ptr [4B1224] ; 08KvUpd2.00550054
0041979C |. 68 F4010000 push 1F4
004197A1 |. 898424 98000000 mov dword ptr [esp+98], eax
004197A8 |. 898C24 90000000 mov dword ptr [esp+90], ecx
004197AF |. 8B0D 2C124B00 mov ecx, dword ptr [4B122C] ; 08KvUpd2.00560049
004197B5 |. 899424 94000000 mov dword ptr [esp+94], edx
004197BC |. 8B15 30124B00 mov edx, dword ptr [4B1230]
004197C2 |. 8D8424 A4000000 lea eax, dword ptr [esp+A4]
004197C9 |. 6A 00 push 0
004197CB |. 50 push eax
004197CC |. 898C24 A4000000 mov dword ptr [esp+A4], ecx
004197D3 |. 899424 A8000000 mov dword ptr [esp+A8], edx
004197DA |. E8 41260600 call 0047BE20
004197DF |. 83C4 0C add esp, 0C
004197E2 |. 8D8C24 8C000000 lea ecx, dword ptr [esp+8C]
004197E9 |. 51 push ecx
004197EA |. 6A 01 push 1
004197EC |. 6A 00 push 0
004197EE |. FF15 2C0C5800 call dword ptr [580C2C] ; 08KvUpd2.0044A0B6
004197F4 |. 85C0 test eax, eax
004197F6 |. 8986 A8000000 mov dword ptr [esi+A8], eax
004197FC |. 0F84 86000000 je 00419888
00419802 |. 6A 00 push 0 ; /Timeout = 0. ms
00419804 |. 50 push eax ; |hObject
00419805 |. FF15 58614A00 call dword ptr [<&KERNEL32.WaitForSingleObject>] ; \WaitForSingleObject
0041980B |. 85C0 test eax, eax
0041980D |. 75 79 jnz short 00419888
0041980F |. 8B56 48 mov edx, dword ptr [esi+48]
00419812 |. 52 push edx ; /Arg1
00419813 |. E8 687A0000 call 00421280 ; \08KvUpd2.00421280 ; failure dialog
00419818 |. 85C0 test eax, eax
0041981A |. 74 66 je short 00419882 ; set breakpoint here
0041981C |. E8 CF390000 call 0041D1F0
00419821 |. FF15 F8604A00 call dword ptr [<&KERNEL32.GetCurrentThreadId>] ; [GetCurrentThreadId
00419827 |. 50 push eax
00419828 |. 6A 00 push 0
0041982A |. 68 F09A4100 push 00419AF0
0041982F |. 6A 03 push 3
00419831 |. FF15 F40D5800 call dword ptr [580DF4] ; USER32.SetWindowsHookExW
---------------------------------------------------
Scroll down and F8 (step over) to the CALL at 00419813; pressing F8 once more brings up the "authorization verification failed" dialog. Set a breakpoint on the jump at 0041981A just below, click OK in the dialog and it stops on the line above; F8 lands on the jump. I wanted to change it to nop, but it automatically turned into:
------------------------------------------------
00419812 |. 52 push edx ; /Arg1
00419813 |. E8 687A0000 call 00421280 ; \08KvUpd2.00421280
00419818 |. 85C0 test eax, eax
0041981A CC int3
0041981B 66:E8 CF39 call 0000D1EE
0041981F |? 0000 add byte ptr [eax], al
00419821 |. FF15 F8604A00 call dword ptr [<&KERNEL32.GetCurrentThreadId>] ; [GetCurrentThreadId
---------------------------------------------------
The program stops at 0041981A and F9 will not run any further. The CC at 0041981A is an INT3 (the byte a software breakpoint leaves in place), and the 66 at 0041981B is the untouched second byte of the original `je` opcode 74 66, so the nop was never actually written and the disassembler is now decoding from the middle of the instruction. Ctrl+A to re-analyze the code, and it becomes:
---------------------------------------------------
00419812 . 52 push edx ; /Arg1
00419813 . E8 687A0000 call 00421280 ; \08KvUpd2.00421280
00419818 . 85C0 test eax, eax
0041981A . CC int3
0041981B . 66 E8 CF 39 00 ascii "f柘9",0
00419820 . 00FF add bh, bh
00419822 . 15 F8604A00 adc eax, <&KERNEL32.GetCurrentThreadId>
---------------------------------------------------
Right-click on 00419820 and choose "New origin here" (set EIP), press F9 to run, and the upgrade dialog appears. Upgrading now works normally! Two caveats: 00419820 is one byte inside the original `call dword ptr [<&KERNEL32.GetCurrentThreadId>]` at 00419821, so execution resumes mid-instruction on the bytes 00 FF 15 ...; the first instruction on the check's fall-through path is the `call 0041D1F0` at 0041981C, which is the cleaner place to set the new origin. Equivalently, with the breakpoint removed first, assembling two nops over 0041981A (74 66 becomes 90 90) removes the `je` that skips the rest of the setup, and saving that with OD's "Copy to executable" makes it survive a restart.
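Added example (not code from the original post): the post patches the check in memory under OD, and the attempt to assemble a `nop` over the `je` went wrong. The same bypass can be applied permanently to a copy of the installer by locating the byte sequence from the listing above (`85 C0 74 66 E8 CF 39 00 00`: `test eax,eax` / `je short 00419882` / `call 0041D1F0`) and overwriting the two-byte `je` with two NOPs, so execution falls through to the hook setup exactly as it would after a successful check. Searching for the signature avoids converting the virtual address 0041981A to a file offset, and the script refuses to patch unless the signature is unique and the two bytes really are 74 66. Assumptions: the bytes on disk are the ones the listing shows (the code is not packed or modified at load time), the signature occurs exactly once, and the installer does not verify its own integrity; `SAMPLE` is a constructed stand-in for 08KvUpd2.exe, which is not available here.

```python
"""Patch the post-check `je` to NOP NOP in a copy of the installer file.

Added example, not from the original post.  The real 08KvUpd2.exe is not
available here, so `SAMPLE` below is a constructed byte string that embeds
the instruction bytes copied from the post's listing.
"""
import struct

# Bytes at 00419818..00419820 as shown in the post's listing:
#   85 C0            test eax, eax
#   74 66            je short 00419882   <- skips the setup; this is patched
#   E8 CF 39 00 00   call 0041D1F0
CHECK_SIGNATURE = bytes.fromhex("85C0" "7466" "E8CF390000")
JE_OFFSET_IN_SIGNATURE = 2       # index of the 74 66 inside the signature
JE_BYTES = b"\x74\x66"
NOP2 = b"\x90\x90"               # same length as `je short`, so nothing shifts

JE_VA = 0x0041981A               # virtual address of the je, from the listing


def short_jump_target(insn_va: int, rel8: int) -> int:
    """Destination of a 2-byte short jump (Jcc rel8) located at insn_va.

    rel8 is sign-extended and added to the address of the next instruction.
    """
    disp = struct.unpack("<b", bytes([rel8]))[0]
    return (insn_va + 2 + disp) & 0xFFFFFFFF


def find_signature(data: bytes, sig: bytes = CHECK_SIGNATURE) -> int:
    """File offset of sig in data; refuses to guess when it is not unique."""
    hits, start = [], 0
    while (i := data.find(sig, start)) != -1:
        hits.append(i)
        start = i + 1
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}")
    return hits[0]


def patch_je(data: bytes) -> bytes:
    """Return a copy of data with the `je short` after the check replaced by NOPs."""
    off = find_signature(data) + JE_OFFSET_IN_SIGNATURE
    if data[off:off + 2] != JE_BYTES:
        raise ValueError("signature matched but je bytes differ; refusing to patch")
    return data[:off] + NOP2 + data[off + 2:]


def patch_file(src_path: str, dst_path: str) -> int:
    """Patch src_path into dst_path (never in place); returns the patched offset."""
    with open(src_path, "rb") as f:
        data = f.read()
    patched = patch_je(data)
    with open(dst_path, "wb") as f:
        f.write(patched)
    return find_signature(data) + JE_OFFSET_IN_SIGNATURE


# Constructed stand-in for the installer (not the real file): the instruction
# bytes from the listing around the check, with filler on both sides.
SAMPLE = (
    b"MZ" + b"\x00" * 14                 # fake header filler
    + bytes.fromhex("8B5648")            # 0041980F  mov edx, [esi+48]
    + b"\x52"                            # 00419812  push edx
    + bytes.fromhex("E8687A0000")        # 00419813  call 00421280 (failure dialog)
    + CHECK_SIGNATURE                    # 00419818  test / je / call
    + bytes.fromhex("FF15F8604A00")      # 00419821  call [GetCurrentThreadId]
    + b"\xCC" * 8                        # int3 padding
)

if __name__ == "__main__":
    # Sanity check that the je in the listing really goes to 00419882.
    assert short_jump_target(JE_VA, 0x66) == 0x00419882
    before = SAMPLE
    after = patch_je(before)
    off = find_signature(before) + JE_OFFSET_IN_SIGNATURE
    print(f"patched offset 0x{off:x}: {before[off:off+2].hex()} -> {after[off:off+2].hex()}")
    # Against the real file (assumed name): patch_file("08KvUpd2.exe", "08KvUpd2.patched.exe")
```

`short_jump_target` is there to confirm the right jump is being touched before any byte is written: 0041981A + 2 + 0x66 is 00419882, matching the listing, and the same arithmetic reproduces the `jnz short 00419888` at 0041980D (75 79). Patching on disk with no breakpoint involved also sidesteps the INT3 confusion seen above, since no CC ever lands in the code.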