技术来自rdpwrap。
在 termsrv.dll 中搜索字符串
CEnforcementCore::GetInstanceOfTSLicense FAILED - License type
查看该字符串的交叉引用（只有一个），沿着它向上找，找到这样的代码
32E4 E8 5F A9 01 00 call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *)
.text:00000001800932E9 85 C0 test eax, eax
.text:00000001800932EB 78 4A js short loc_180093337
.text:00000001800932ED 83 7D 38 00 cmp [rbp+arg_18], 0
.text:00000001800932F1 74 44 jz short loc_180093337
.text:00000001800932F3 83 3D 6E 0D 09 00 02 cmp cs:dword_180124068, 2
.text:00000001800932FA BB 05 00 07 80 mov ebx, 80070005h
.text:00000001800932FF 0F 86 CA 00 00 00 jbe loc_1800933CF
.text:0000000180093305 48 8D 05 94 E4 06 00 lea rax, aCenforcementco_7 ; "CEnforcementCore::GetInstanceOfTSLicens"...
.text:000000018009330C 45 33 C9 xor r9d, r9d
.text:000000018009330F 48 89 45 E0 mov [rbp+var_20], rax
.text:0000000180093313 48 8D 15 8D 6A 05 00 lea rdx, unk_1800E9DA7
.text:000000018009331A 48 8D 45 E0 lea rax, [rbp+var_20]
.text:000000018009331E 45 33 C0 xor r8d, r8d
.text:0000000180093321 48 8D 0D 40 0D 09 00 lea rcx, dword_180124068
.text:0000000180093328 48 89 44 24 20 mov [rsp+70h+var_50], rax
.text:000000018009332D E8 DE 25 F7 FF call ??$Write@U?$_tlgWrapSz@D@@@?$_tlgWriteTemplate@$$A6AJPEBU_tlgProvider_t@@PEBXPEBU_GUID@@2IPEAU_EVENT_DATA_DESCRIPTOR@@@Z$1?_tlgWriteTransfer_EventWriteTransfer@@YAJ0122I3@ZPEBU2@PEBU2@@@SAJPEBU_tlgProvider_t@@PEBXPEBU_GUID@@2AEBU?$_tlgWrapSz@D@@@Z ; _tlgWriteTemplate<long (_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,uint,_EVENT_DATA_DESCRIPTOR *),&_tlgWriteTransfer_EventWriteTransfer(_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,uint,_EVENT_DATA_DESCRIPTOR *),_GUID const *,_GUID const *>::Write<_tlgWrapSz<char>>(_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,_tlgWrapSz<char> const &)
>>> .text:0000000180093332 E9 98 00 00 00 jmp loc_1800933CF
.text:0000000180093337 ; ---------------------------------------------------------------------------
.text:0000000180093337
.text:0000000180093337 loc_180093337: ; CODE XREF: CEnforcementCore::GetInstanceOfTSLicense(_GUID &,ITSLicense * *)+8B↑j
.text:0000000180093337 ; CEnforcementCore::GetInstanceOfTSLicense(_GUID &,ITSLicense * *)+91↑j
.text:0000000180093337 48 8B 8F 58 06 00 00 mov rcx, [rdi+658h]
.text:000000018009333E 4C 8D 45 D8 lea r8, [rbp+var_28]
.text:0000000180093342 0F 10 06 movups xmm0, xmmword ptr [rsi]
.text:0000000180093345 48 8D 55 F0 lea rdx, [rbp+var_10]
.text:0000000180093349 48 8B 01 mov rax, [rcx]
.text:000000018009334C F3 0F 7F 45 F0 movdqu [rbp+var_10], xmm0
.text:0000000180093351 48 8B 40 18 mov rax, [rax+18h]
.text:0000000180093355 FF 15 85 EE 03 00 call cs:__guard_dispatch_icall_fptr
把上面标记（>>>）的那条 jmp 改成 5 个 nop
------------------------------------------------------------------------------------------
再搜索字符串
CDefPolicy::Query FAILED - License not available
查看该字符串的交叉引用（只有一个），沿着它向上找，找到这样的代码
.text:000000018001F290 ; __int64 __fastcall CDefPolicy::Query(CDefPolicy *__hidden this, int *)
.text:000000018001F290 ?Query@CDefPolicy@@UEAAJPEAH@Z proc near
.text:000000018001F290 ; DATA XREF: .rdata:00000001800CCA90↓o
.text:000000018001F290 ; .rdata:00000001800D29B1↓o ...
.text:000000018001F290
.text:000000018001F290 ; FUNCTION CHUNK AT .text:0000000180033836 SIZE 0000001C BYTES
.text:000000018001F290
.text:000000018001F290 48 83 EC 28 sub rsp, 28h
.text:000000018001F294 8B 81 44 06 00 00 mov eax, [rcx+644h]
.text:000000018001F29A 45 33 C0 xor r8d, r8d
.text:000000018001F29D 89 02 mov [rdx], eax
.text:000000018001F29F 8B 81 38 06 00 00 mov eax, [rcx+638h]
>>> .text:000000018001F2A5 39 81 3C 06 00 00 cmp [rcx+63Ch], eax
>>> .text:000000018001F2AB 0F 84 85 45 01 00 jz loc_180033836
.text:000000018001F2B1
.text:000000018001F2B1 loc_18001F2B1: ; CODE XREF: CDefPolicy::Query(int *)+145BD↓j
.text:000000018001F2B1 41 8B C0 mov eax, r8d
.text:000000018001F2B4 48 83 C4 28 add rsp, 28h
.text:000000018001F2B8 C3 retn
.text:000000018001F2B8 ; ---------------------------------------------------------------------------
.text:000000018001F2B9 CC db 0CCh
.text:000000018001F2B9 ?Query@CDefPolicy@@UEAAJPEAH@Z endp
把上面标记（>>>）的两行代码改成 B80001000089813806000090，修改后如下：
00007FFD5F9C2D85 B8 00 01 00 00 mov eax, 100h
00007FFD5F9C2D8A 89 81 38 06 00 00 mov [rcx+638h], eax
00007FFD5F9C2D90 90 nop