使用Beyond Compare比较,得到破解以后的VA_X.dll 与原版文件之间的差异。
1F87C133
>-
\E9 C86E0A00
JMP
VA_X.1F923000
; Jmp to ShellCode
1F923000
>
\
60
PUSHAD
; ShellCode start
1F923001
.
54
PUSH
ESP
1F923002
.
54
PUSH
ESP
1F923003
.
6A
40
PUSH
0x40
; rwx
1F923005
.
68
00E01200
PUSH
0x12E000
1F92300A
.
8BF1
MOV
ESI
,
ECX
1F92300C
.
51
PUSH
ECX
1F92300D
. E8
00000000
CALL
VA_X.1F923012
1F923012
/$
5F
POP
EDI
; edi -> 1F923012
1F923013
|
. FF97
22020100
CALL
DWORD
PTR
DS
:[
EDI
+
0x10222
]
; VirtualProtect
1F923019
|
.
58
POP
EAX
1F92301A
|
.
8BC7
MOV
EAX
,
EDI
; edi=1F923012
1F92301C
|
.
83C0
23
ADD
EAX
,
0x23
; eax -> 1F923035
1F92301F
|
.
8986
D4510E00
MOV
DWORD
PTR
DS
:[
ESI
+
0xE51D4
],
EAX
; ** Hook OutputDebugStringA
1F923025
|
.
8BC7
MOV
EAX
,
EDI
; edi=1F923012
1F923027
|
.
83C0
49
ADD
EAX
,
0x49
; eax -> 1F92305B
1F92302A
|
.
8986
0C510E00
MOV
DWORD
PTR
DS
:[
ESI
+
0xE510C
],
EAX
; ** Hook VirtualProtect
1F923030
|
.
61
POPAD
1F923031
|
.
8BE5
MOV
ESP
,
EBP
1F923033
|
.
5D
POP
EBP
; 0E430000
1F923034
\. C3
RETN
1F923035
.
8B0424
MOV
EAX
,DWORD
PTR
SS
:[
ESP
]
; For OutputDebugStringA
1F923038
.
8178
1E
33511433
CMP
DWORD
PTR
DS
:[
EAX
+
0x1E
],
0x33145133
1F92303F
.
74
03
JE
SHORT
VA_X.1F923044
1F923041
>
C2
0400
RETN
0x4
1F923044
>
60
PUSHAD
1F923045
.
8D7D
D8
LEA
EDI
,DWORD
PTR
SS
:[
EBP
-
0x28
]
1F923048
. E8
00000000
CALL
VA_X.1F92304D
1F92304D
$
5E
POP
ESI
; esi -> 1F92304D
1F92304E
.
83C6
4A
ADD
ESI
,
0x4A
; esi -> 1F923097
1F923051
. B9
06000000
MOV
ECX
,
0x6
1F923056
. F3
:
A5
REP
MOVS
DWORD
PTR
ES
:[
EDI
],DWORD
PTR
DS
:[
ESI
]
; Patch CRCs
1F923058
.
61
POPAD
1F923059
.
^
EB E6
JMP
SHORT
VA_X.1F923041
--------------------------------------------------------
1F923097
.
32BFD9B1
DD
B1D9BF32
; CRC patch data
1F92309B
. FF6BA250
DD
50A26BFF
1F92309F
.
13DE9427
DD
2794DE13
1F9230A3
. C465329B
DD
9B3265C4
1F9230A7
.
00000000
DD
00000000
1F9230AB
.
57783D6F
DD
6F3D7857
1F92305B
. C74424
0C
40000000
MOV
DWORD
PTR
SS
:[
ESP
+
0xC
],
0x40
; For VirtualProtect
1F923063
. E8
00000000
CALL
VA_X.1F923068
1F923068
$
58
POP
EAX
; 0E430000
1F923069
.
80B8
0E7561FF
00
CMP
BYTE
PTR
DS
:[
EAX
+
0xFF61750E
],
0x0
1F923070
.
74
1F
JE
SHORT
VA_X.1F923091
1F923072
. C680
0E7561FF
B8
MOV
BYTE
PTR
DS
:[
EAX
+
0xFF61750E
],
0xB8
; Patch-1
1F923079
. C780
0F7561FF
01000000
MOV
DWORD
PTR
DS
:[
EAX
+
0xFF61750F
],
0x1
1F923083
. C680
3DEC5CFF
40
MOV
BYTE
PTR
DS
:[
EAX
+
0xFF5CEC3D
],
0x40
; Patch-2
1F92308A
. C680
3EEC5CFF
90
MOV
BYTE
PTR
DS
:[
EAX
+
0xFF5CEC3E
],
0x90
1F923091
>-
FFA0 CC010100
JMP
DWORD
PTR
DS
:[
EAX
+
0x101CC
]
Patch-1: Fuck Initial Lic Check
1EF3A576
E8 B5
51
F0 FF
1EF3A576
E8 B551F0FF
CALL
VA_X.1EE3F730
->
1EF3A576
B8
01
00
00
00
1EF3A576
B8
01000000
MOV
EAX
,
0x1
; Fuck Initial Lic Check
Patch-2: Fuck LAN-check
1EEF1CA5
84
C0
1EEF1CA5
84C0
TEST
AL
,
AL
->
1EEF1CA5
40
90
1EEF1CA5
40
INC
EAX
; Fuck LAN-check
1EEF1CA6
90
NOP
52打补丁的思路,与早些时候发布的BRD补丁之间的异同
相同点:
- 都是通过hook OutputDebugStringA函数, 来patch CRC:判断patch时机的code完全一致(0x33145133),细微差别存在于patch CRC的具体方式。
- 都是通过hook VirtualProtect函数,来暴力破解VA。暴破点均为两处,其中一处均为“过License初始检测”,目的是为了去Nag窗口。
不同点:
- 对OutputDebugStringA和VirtualProtect两个函数进行hook的时机和方式不同;
- 对于另一处暴破点:52补丁为“过局域网检测”,而BRD修改了相关Trial信息;
由此可见:BRD1903版补丁的About窗口中的声明并非完全没有根据。