This post was last edited by tt911 on 2019-1-8 17:20.
Portable (green) version, running under a shadow-system sandbox: every so often the service has to be started, then uninstalled and the activation restored. I couldn't stand it any longer, so straight onto the operating table.
After launching winword 2010:
2F3A1EBD . E8 16FDFFFF call WINWORD.2F3A1BD8 ; looks like this is the core entry point
2F3A1EC2 . A3 5C303A2F mov dword ptr ds:[0x2F3A305C],eax
2F3A1EC7 . 833D 50303A2F>cmp dword ptr ds:[0x2F3A3050],0x0
2F3A1ECE . 75 5B jnz short WINWORD.2F3A1F2B
2F3A1ED0 . 50 push eax ; /status
2F3A1ED1 . FF15 D4103A2F call near dword ptr ds:[<&MSVCR90.exi>; \exit
After stepping in with F7 we land here:
2F3A1C13 |. FF15 08103A2F call near dword ptr ds:[<&KERNEL32.Ge>; [GetLastError
2F3A1C19 |. 33C0 xor eax,eax
2F3A1C1B |. 40 inc eax
2F3A1C1C |. EB 52 jmp short WINWORD.2F3A1C70
2F3A1C1E |> 56 push esi
2F3A1C1F |. 8B35 24103A2F mov esi,dword ptr ds:[<&KERNEL32.Get>; kernel32.GetProcAddress
2F3A1C25 |. 68 84133A2F push WINWORD.2F3A1384 ; /FMain
2F3A1C2A |. 57 push edi ; |hModule
2F3A1C2B |. FFD6 call near esi ; \GetProcAddress
wwlib.dll apparently is just a library file!
By the time the Microsoft "non-genuine" prompt window pops up, pressing F12 is usually already too late; the code has run past.
After further study I finally found it: set a breakpoint with bp SetRect (why this one? If you watch carefully, the Office window title is normal at first and is then changed to the non-genuine one, with the background colour changed to red).
65EB523D FF15 E420C465 call near dword ptr ds:[<&USER32.SetR>; USER32.SetRect
65EB5230 . 51 push ecx ; /Bottom
65EB5231 . 8B4D EC mov ecx,dword ptr ss:[ebp-0x14] ; |
65EB5234 . 03D1 add edx,ecx ; |
65EB5236 . 52 push edx ; |Right
65EB5237 . 50 push eax ; |Top
65EB5238 . 51 push ecx ; |Left
65EB5239 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] ; |
65EB523C . 50 push eax ; |pRect
65EB523D . FF15 E420C465 call near dword ptr ds:[<&USER32.SetR>; \SetRect this is the function that creates that non-genuine watermark!
65EB5243 . 85FF test edi,edi
65EB5245 . 0F84 57090000 je mso.65EB5BA2
65EB524B . 8B46 08 mov eax,dword ptr ds:[esi+0x8]
65EB524E . 8AC8 mov cl,al
65EB5250 . F6D1 not cl
65EB5252 . F6C1 01 test cl,0x1
65EB5255 . 0F84 47090000 je mso.65EB5BA2
65EB525B . C1E8 02 shr eax,0x2
65EB525E . 83E0 01 and eax,0x1
65EB5261 . 50 push eax
65EB5262 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
65EB5265 . 50 push eax
65EB5266 . 57 push edi
65EB5267 . E8 DE8CFCFF call mso.#8277
65EB526C > 8B46 08 mov eax,dword ptr ds:[esi+0x8]
65EB526F . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
65EB5272 . 2B4D E0 sub ecx,dword ptr ss:[ebp-0x20]
65EB5275 . 8B56 1C mov edx,dword ptr ds:[esi+0x1C]
65EB5278 . C1E8 06 shr eax,0x6
65EB527B . 83E0 10 and eax,0x10
65EB527E . 3BD1 cmp edx,ecx
65EB5280 . 0F8F B75C4200 jg mso.662DAF3D
65EB5286 > 8B55 E4 mov edx,dword ptr ss:[ebp-0x1C]
65EB5289 . 2B55 DC sub edx,dword ptr ss:[ebp-0x24]
65EB528C . 8B7E 18 mov edi,dword ptr ds:[esi+0x18]
65EB528F . 3BFA cmp edi,edx
65EB5291 . 0F8F AD5C4200 jg mso.662DAF44
65EB5297 > 50 push eax
65EB5298 . 8B06 mov eax,dword ptr ds:[esi]
65EB529A . 51 push ecx
65EB529B . 52 push edx
65EB529C . FF75 E0 push dword ptr ss:[ebp-0x20]
65EB529F . 8BCE mov ecx,esi
65EB52A1 . FF75 DC push dword ptr ss:[ebp-0x24]
65EB52A4 . 6A 00 push 0x0
65EB52A6 . FF50 4C call near dword ptr ds:[eax+0x4C]
65EB52A9 . 50 push eax
65EB52AA . E8 868CDDFF call mso.#6319
65EB52AF . 8A46 08 mov al,byte ptr ds:[esi+0x8]
65EB52B2 . F6D0 not al
65EB52B4 . 32DB xor bl,bl
65EB52B6 . A8 01 test al,0x1
65EB52B8 . 0F84 11A22000 je mso.660BF4CF ; 00000000000
65EB52BE > 8B06 mov eax,dword ptr ds:[esi]
65EB52C0 . 8BCE mov ecx,esi
65EB52C2 . FF90 C0000000 call near dword ptr ds:[eax+0xC0]
65EB52C8 . 84DB test bl,bl
65EB52CA . 0F85 0DA22000 jnz mso.660BF4DD
65EB52D0 > 8B06 mov eax,dword ptr ds:[esi]
65EB52D2 . 6A 00 push 0x0
65EB52D4 . 8BCE mov ecx,esi
65EB52D6 . FF90 C8000000 call near dword ptr ds:[eax+0xC8]
65EB52DC . F646 08 20 test byte ptr ds:[esi+0x8],0x20
65EB52E0 . 0F85 655C4200 jnz mso.662DAF4B
65EB52E6 > 8B06 mov eax,dword ptr ds:[esi]
65EB52E8 . 8BCE mov ecx,esi
65EB52EA . FF90 9C000000 call near dword ptr ds:[eax+0x9C]
65EB52F0 . 8B4E 14 mov ecx,dword ptr ds:[esi+0x14]
65EB52F3 . 85C9 test ecx,ecx
65EB52F5 . 74 16 je short mso.65EB530D
65EB52F7 . E8 A365DEFF call mso.#10489
65EB52FC . 50 push eax
65EB52FD . E8 C94BE2FF call mso.65CD9ECB
65EB5302 . 85C0 test eax,eax
65EB5304 . 74 07 je short mso.65EB530D
65EB5306 . C680 95000000>mov byte ptr ds:[eax+0x95],0x0
65EB530D > 8B7E 08 mov edi,dword ptr ds:[esi+0x8]
65EB5310 . 8B46 34 mov eax,dword ptr ds:[esi+0x34]
65EB5313 . 81E7 00020000 and edi,0x200
65EB5319 . F7DF neg edi
65EB531B . 1BFF sbb edi,edi
65EB531D . 83E7 FB and edi,0xFFFFFFFB
65EB5320 . 83C7 05 add edi,0x5
65EB5323 . 85C0 test eax,eax
65EB5325 . 0F85 2C5C4200 jnz mso.662DAF57
65EB532B > F746 08 00040>test dword ptr ds:[esi+0x8],0x400
65EB5332 . 0F85 B1A12000 jnz mso.660BF4E9 ; temp modify
65EB5338 > 8B06 mov eax,dword ptr ds:[esi]
65EB533A . 57 push edi
65EB533B . 8BCE mov ecx,esi
65EB533D . FF50 4C call near dword ptr ds:[eax+0x4C]
65EB5340 . 50 push eax
65EB5341 . E8 AE58DBFF call mso.#5166
65EB5346 . F646 08 03 test byte ptr ds:[esi+0x8],0x3
65EB534A . 75 1E jnz short mso.65EB536A
65EB534C . 8B06 mov eax,dword ptr ds:[esi]
65EB534E . 8BCE mov ecx,esi
65EB5350 . 90 nop ; this is the culprit!
SetRect's job is to set up a rectangular region, with a red background.
This is why, after launching Word 2010, the window title you see first is the normal one, and then the non-genuine one with the red background.
After the advanced surgery, take a look: quite a sense of achievement, isn't it?
64806352 . 53 push ebx ; /n
64806353 . FF35 9C3F7E65 push dword ptr ds:[0x657E3F9C] ; |src = wwlib.66F380C0
64806359 . 8D45 84 lea eax,dword ptr ss:[ebp-0x7C] ; |
6480635C . 50 push eax ; |dest
6480635D . C685 5AFFFFFF>mov byte ptr ss:[ebp-0xA6],0x0 ; |
64806364 . C685 5BFFFFFF>mov byte ptr ss:[ebp-0xA5],0x1 ; |
6480636B . A4 movs byte ptr es:[edi],byte ptr ds:[e>; |
6480636C . E8 F5190000 call <jmp.&MSVCR90.memcpy> ; \memcpy
64806371 . 83C4 0C add esp,0xC
64806374 . 8D7C1D 84 lea edi,dword ptr ss:[ebp+ebx-0x7C]
64806378 . BE 6C648064 mov esi,mso.6480646C ; \Security

6488B221 |. 68 58B28864 push mso.6488B258 ; office-LicenseType

6527729F /. 55 push ebp
652772A0 |. 8BEC mov ebp,esp
652772A2 |. 56 push esi
652772A3 |. 8B75 08 mov esi,[arg.1]
652772A6 |. 81C6 9C000000 add esi,0x9C
652772AC |. 833E 00 cmp dword ptr ds:[esi],0x0
652772AF |. B8 60BBAA64 mov eax,mso.64AABB60 ; TRUE
652772B4 |. 75 05 jnz short mso.652772BB
652772B6 |. B8 58BBAA64 mov eax,mso.64AABB58 ; FALSE
652772BB |> 50 push eax
652772BC |. 68 D0722765 push mso.652772D0 ; LIC::FLicEnterprise %s\n

6488B7F3 > /6A FF push -0x1 ; /Count2 = FFFFFFFF (-1.)
6488B7F5 . |FF75 08 push dword ptr ss:[ebp+0x8] ; |String2
6488B7F8 . |6A FF push -0x1 ; |Count1 = FFFFFFFF (-1.)
6488B7FA . |FF34F5 D00ABC>push dword ptr ds:[esi*8+0x64BC0AD0] ; |String1
6488B801 . |6A 01 push 0x1 ; |CmpOptions = NORM_IGNORECASE
6488B803 . |6A 7F push 0x7F ; |LocaleId = 0x7F
6488B805 . |FF15 EC198064 call near dword ptr ds:[<&KERNEL32.Co>; \CompareStringW
6488B80B . |3BC7 cmp eax,edi
6488B80D |EB 4D jmp short mso.6488B85C ; after the JMP here the title is an imperfect crack, 2nd generation
Further advanced modification:
A direct search definitely won't find it, but this really is the spot; WinHex's Shift+Insert is a good feature that you should learn to use well.
Also, TC (Total Commander) lives up to its reputation as a magic tool! As long as the string isn't encrypted, one search finds it; whatever it hits dies on the spot. Getting the file range that holds the string to be modified in a few steps becomes possible. Of course you can DIY this to your taste here too, e.g. Ctrl+B for the characters you want.
https://zhIDAo.baidu.com/question/923692184441763699.html
http://jingyan.baidu.com/article/d713063561f60d13fdf47590.html Pure nonsense~~ Done that way, the portable version bounces back after a few days; people who don't understand the underlying cause and only repost have produced far too many laughable newbie explanations.
D:\Office2010四合一_纯绿色版\ospp\ospp64\OSPPSVC.EXE The directory of this file must not be modified or removed, otherwise the file mapping fails and the program crashes!
1. Startup process:
First it loads D:\Office2010四合一_纯绿色版\ospp\ospp64\OSPPSVC.EXE, the manifest mapped into the file (if it is missing, startup crashes; if the service isn't started, the genuine check naturally won't let you through either!)
OfficeSoftwareProtectionPlatform is read from registry key values.
The three binary values shown in the picture should be the key after transformation.
2. Window title: first the normal text, then the non-genuine text appears, then the SetRect function renders the red-background rectangle, and only then does that large window above appear. It doesn't affect normal use, but it comes up every time and is really annoying; this assembly modification is in fact also the watermark-removal process.
3. After the assembly modification, the title text becomes 【文档1 - Microsoft Word (朚经授权产品)】
Nani?! TC to the rescue.
28001A67CF7E88634367A74EC15429 is the thing (modify it in WinHex).
In the end, no different from the genuine version. After several days of use, it has never bothered me again.
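From the defender's side, every edit the post describes (a byte patched to nop in mso.dll, a jump retargeted, a string changed in WinHex) is an in-place modification of a signed Office binary, so the simplest detection is a hash baseline of the files named in the post (mso.dll, wwlib.dll, OSPPSVC.EXE) taken from a clean install and re-checked later. The Python below is an added example, not code from the post; the file contents it hashes are constructed stand-ins written to a temporary directory, and `changed_offsets` assumes you still have a pristine copy (for instance from install media) to compare against.

```python
import hashlib
import tempfile
from pathlib import Path

# File names taken from the post; the bytes written for them below are
# constructed test data, not the real Office binaries.
WATCHED = ("mso.dll", "wwlib.dll", "OSPPSVC.EXE")


def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and SHA-256 of each watched file under root (taken on a clean install)."""
    root = Path(root)
    baseline = {}
    for name in WATCHED:
        p = root / name
        if p.is_file():
            baseline[name] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def verify_against_baseline(root, baseline):
    """Compare the current files with the baseline; returns a per-file status."""
    root = Path(root)
    findings = {}
    for name, expected in baseline.items():
        p = root / name
        if not p.is_file():
            findings[name] = "missing"
        elif p.stat().st_size != expected["size"]:
            findings[name] = "size changed"
        elif sha256_of(p) != expected["sha256"]:
            findings[name] = "contents modified"  # same size: typical of an in-place byte patch
        else:
            findings[name] = "ok"
    return findings


def changed_offsets(pristine, current, limit=16):
    """Byte offsets where current differs from a pristine copy (first `limit` of them).

    A one-byte in-place patch shows up as a single offset; a length change is
    reported as the offset where the shorter input ends.
    """
    offsets = [i for i, (a, b) in enumerate(zip(pristine, current)) if a != b]
    if len(pristine) != len(current):
        offsets.append(min(len(pristine), len(current)))
    return offsets[:limit]


def demo():
    """Build a baseline, then simulate a one-byte patch and a deleted file, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        samples = {name: bytes(range(256)) * 4 for name in WATCHED}  # constructed contents
        for name, data in samples.items():
            (root / name).write_bytes(data)
        baseline = build_baseline(root)
        before = verify_against_baseline(root, baseline)

        # Simulated tampering: one byte of mso.dll overwritten in place (0x90 is nop on x86),
        # and OSPPSVC.EXE removed, the two conditions the post's edits would produce.
        patched = bytearray(samples["mso.dll"])
        patched[0x80] = 0x90
        (root / "mso.dll").write_bytes(patched)
        (root / "OSPPSVC.EXE").unlink()

        after = verify_against_baseline(root, baseline)
        offsets = changed_offsets(samples["mso.dll"], bytes(patched))
        return before, after, offsets


if __name__ == "__main__":
    before, after, offsets = demo()
    print("clean install:", before)
    print("after tampering:", after)
    print("mso.dll differs at offsets:", [hex(o) for o in offsets])
```

In a real deployment the baseline would be stored off-host and the check run by an integrity-monitoring job; a "contents modified" result with unchanged size is exactly the signature of the byte-level edits described in the post, and Authenticode verification of the same files would fail for the same reason.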