HpmbCalc破解笔记 by 天易love

总共修改3处,分别如下:

在每次点击弹出注册窗口时都会执行:
; Tail of the registration check (per the author, run each time the
; registration dialog is opened). EDI carries the CryptVerifySignatureA
; result and is copied to EAX at 00413EF1 as the routine's return value.
; NOTE(review): the cryptographic check is only as strong as the code acting
; on its result; here one conditional branch and one MOV decide the outcome,
; so the integrity of this code is the real control.
;
; Last three pushes before the call; by the API's parameter order these would
; be dwSigLen (EAX), pbSignature (ECX), hHash (EDX) - earlier pushes not shown.
00413EAA  |.  50            PUSH EAX
00413EAB  |.  51            PUSH ECX
00413EAC  |.  52            PUSH EDX
00413EAD  |.  FF15 00904400 CALL DWORD PTR DS:[<&ADVAPI32.CryptVerifySi>;  ADVAPI32.CryptVerifySignatureA
00413EB3      8BF8          MOV EDI,EAX // EDI = verification result; 0 means it failed
..................................
; Call with (EDX, 0); the import name is truncated in the listing -
; presumably CryptReleaseContext(hProv, 0).
00413ECF  |.  6A 00         PUSH 0
00413ED1  |.  52            PUSH EDX
00413ED2  |.  FF15 34904400 CALL DWORD PTR DS:[<&ADVAPI32.CryptReleaseC> // author's observation: EAX is always 1 after this call, which happens to serve as a return value
; EDI != 0 (signature verified) skips the failure path below.
00413ED8      85FF          TEST EDI,EDI
00413EDA      75 15         JNZ SHORT HpmbCalc.00413EF1  // patch 1 (author): replaced with JE SHORT  00413EF3
; Failure path: five arguments are pushed, then a call through ESI
; (ESI is loaded outside this excerpt; target not shown).
00413EDC      6A 10         PUSH 10  // the shareware edition goes this way
00413EDE      6A 01         PUSH 1
00413EE0      68 2C924500   PUSH HpmbCalc.0045922C                      
00413EE5      8D4424 14     LEA EAX,DWORD PTR SS:[ESP+14]
00413EE9      68 FCA04500   PUSH HpmbCalc.0045A0FC                    
00413EEE      50            PUSH EAX
00413EEF      FFD6          CALL ESI
; Return value = verification result. A jump that lands on 00413EF3 instead
; of here leaves whatever the previous call put in EAX.
00413EF1      8BC7          MOV EAX,EDI
00413EF3  |.  5F            POP EDI
00413EF4  |.  5E            POP ESI
00413EF5  |.  83C4 0C       ADD ESP,0C
00413EF8  \.  C3            RETN   // author's note: the returned EAX is always 1
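打上第一处补丁后,验证失败(EDI=0)时会直接跳到 00413EF3,跳过 00413EF1 处的 MOV EAX,EDI,返回值沿用上一次 API 调用留在 EAX 中的 1,所以校验总是成功。也就是说,签名验证的结果最终只靠这一条本地条件跳转来把关。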


程序防修改(自校验)的技巧:打开自身文件,用 CryptoAPI 计算hash。由于计算和检查都在被保护的进程内部完成,这种自校验只能提高修改成本,不能替代系统级的代码签名验证:
; Self-integrity check: the program resolves its own path (hModule = NULL),
; opens that file, hashes it through CryptoAPI and stores the digest at
; [EBX+90]. The "123." module prefix on some operands suggests the listing
; was captured from a renamed copy of the executable - TODO confirm.
; NOTE(review): the digest is written to ordinary writable memory and, per
; the author, checked later on menu clicks; a check computed and compared
; inside the process it protects can be altered together with that process.
0040E28A  |.  68 00040000   PUSH 400                                 ; /BufSize = 400 (1024.)
0040E28F  |.  51            PUSH ECX                                 ; |PathBuffer
0040E290  |.  6A 00         PUSH 0                                   ; |hModule = NULL
0040E292  |.  FF15 CC924400 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
0040E298  |.  6A 00         PUSH 0                                   ; /hTemplateFile = NULL
0040E29A  |.  6A 00         PUSH 0                                   ; |Attributes = 0
0040E29C  |.  6A 03         PUSH 3                                   ; |Mode = OPEN_EXISTING
0040E29E  |.  6A 00         PUSH 0                                   ; |pSecurity = NULL
0040E2A0  |.  6A 01         PUSH 1                                   ; |ShareMode = FILE_SHARE_READ
0040E2A2  |.  8D5424 30     LEA EDX,DWORD PTR SS:[ESP+30]            ; |
0040E2A6  |.  6A 01         PUSH 1                                   ; |Access = 1
0040E2A8  |.  52            PUSH EDX                                 ; |FileName
0040E2A9  |.  FF15 10934400 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA  // opens its own file to compute the hash
; EDI = file handle; -1 (INVALID_HANDLE_VALUE) takes the exit at 0040E37D.
0040E2AF  |.  8BF8          MOV EDI,EAX
0040E2B1  |.  83FF FF       CMP EDI,-1
0040E2B4  |.  0F84 C3000000 JE 123.0040E37D
; CryptCreateHash(hProv = [EBX], Algid = 8003, hKey = 0, dwFlags = 0,
; phHash = &[ESP+10]). Algid 8003 is CALG_MD5 in wincrypt.h, which matches
; the 16-byte digests quoted in the notes.
0040E2BA  |.  8B0B          MOV ECX,DWORD PTR DS:[EBX]
0040E2BC  |.  8D4424 10     LEA EAX,DWORD PTR SS:[ESP+10]
0040E2C0  |.  50            PUSH EAX
0040E2C1  |.  6A 00         PUSH 0
0040E2C3  |.  6A 00         PUSH 0
0040E2C5  |.  68 03800000   PUSH 8003
0040E2CA  |.  51            PUSH ECX
0040E2CB  |.  FF15 3C904400 CALL DWORD PTR DS:[<&ADVAPI32.CryptCreat>;  ADVAPI32.CryptCreateHash
; Call through EBP (set outside this excerpt) with the file handle, 0, the
; address 0040E140 and the hash handle - presumably the routine that feeds
; the file contents into the hash; confirm against the full function.
0040E2D1  |.  8B5424 10     MOV EDX,DWORD PTR SS:[ESP+10]
0040E2D5  |.  52            PUSH EDX
0040E2D6  |.  68 40E14000   PUSH 123.0040E140
0040E2DB  |.  6A 00         PUSH 0
0040E2DD  |.  57            PUSH EDI
0040E2DE  |.  FFD5          CALL EBP
; CryptGetHashParam(hHash, dwParam = 2 (HP_HASHVAL), pbData = EBX+90,
; pdwDataLen = EBX+C preset to 40h, dwFlags = 0).
0040E2E0  |.  8D43 0C       LEA EAX,DWORD PTR DS:[EBX+C]
0040E2E3  |.  6A 00         PUSH 0
0040E2E5  |.  50            PUSH EAX
0040E2E6  |.  C700 40000000 MOV DWORD PTR DS:[EAX],40
0040E2EC  |.  8B4C24 18     MOV ECX,DWORD PTR SS:[ESP+18]
0040E2F0  |.  8D83 90000000 LEA EAX,DWORD PTR DS:[EBX+90]
0040E2F6  |.  50            PUSH EAX
0040E2F7  |.  6A 02         PUSH 2
0040E2F9  |.  51            PUSH ECX
0040E2FA  CALL DWORD PTR DS:[<&ADVAPI32.CryptGetHa>;  ADVAPI32.CryptGetHashParam// the third parameter is the buffer that receives the program's hash

57 29 42 18 4A 4B DE ED 76 66 5D E4 57 33 11 0F  修改版hash(程序在点击菜单时检查该hash)

8A E9 17 45 9E CF C8 91 4C 5A 52 97 FC CE 28 15 正版hash

第二处补丁,把内存中算出的错误hash(修改版hash)改写为正版hash
; Patch 2 as listed by the author: the bytes following the CryptGetHashParam
; call are replaced so that the 16-byte buffer at [EBX+90] is overwritten
; with fixed constants, after which control leaves for 004488E4.
; The four dwords, read as little-endian bytes, are the 16 bytes the notes
; label as the original program's hash.
; NOTE(review): from this point the in-memory digest no longer depends on
; the file on disk, so only a comparison made outside this process
; (e.g. against the vendor's published hash or signature) still reflects
; the modification.
0040E2FA   .  FF15 48904400 CALL DWORD PTR DS:[<&ADVAPI32.CryptGetHa>;  ADVAPI32.CryptGetHashParam
0040E300   .  90            NOP
0040E301   .  90            NOP
0040E302   .  90            NOP
; EAX = EBX + 90h, the pbData buffer passed to CryptGetHashParam above.
0040E303   .  8BC3          MOV EAX,EBX
0040E305   .  05 90000000   ADD EAX,90
0040E30A   .  C700 8AE91745 MOV DWORD PTR DS:[EAX],4517E98A
0040E310   .  C740 04 9ECFC>MOV DWORD PTR DS:[EAX+4],91C8CF9E
0040E317   .  C740 08 4C5A5>MOV DWORD PTR DS:[EAX+8],97525A4C
0040E31E   .  C740 0C FCCE2>MOV DWORD PTR DS:[EAX+C],1528CEFC
0040E325   .  E9 BAA50300   JMP HpmbCalc.004488E4
; 0040E32A is where the listing at 004488E4 jumps back to.
0040E32A   >  85ED          TEST EBP,EBP

90 90 90 8B C3 05 90 00 00 00 C7 00 8A E9 17 45 C7 40 04 9E CF C8 91 C7 40 08 4C 5A 52 97 C7 40
0C FC CE 28 15 E9 BA A5 03 00

第三处补丁,执行从原地址移过来的代码
; Patch 3 as listed by the author: the instructions displaced from the
; original location, placed at 004488E4 and ending in a jump back to
; 0040E32A. The DB 00 bytes on both sides suggest the region was zero
; filler before the change - presumably section padding; confirm against
; the unmodified file.
; NOTE(review): executable code in what was filler, reached by a JMP out of
; the original function, is an artefact that shows up when the file is
; diffed against the vendor's build.
004488E3      00            DB 00
; CryptDestroyHash(hHash), with hHash read from [ESP+10].
004488E4   >  8B5424 10     MOV EDX,DWORD PTR SS:[ESP+10]
004488E8   .  52            PUSH EDX
004488E9   .  FF15 4C904400 CALL DWORD PTR DS:[<&ADVAPI32.CryptDestr>;  ADVAPI32.CryptDestroyHash
; Call through a pointer held on the stack with (EDI, 0, &[ESP+1C], ESI),
; where ESI = EBX+8 and [ESI] is preset to 400h; the target is not visible
; in this excerpt.
004488EF   .  8D73 08       LEA ESI,DWORD PTR DS:[EBX+8]
004488F2   .  8D4424 1C     LEA EAX,DWORD PTR SS:[ESP+1C]
004488F6   .  56            PUSH ESI
004488F7   .  50            PUSH EAX
004488F8   .  6A 00         PUSH 0
004488FA   .  57            PUSH EDI
004488FB   .  C706 00040000 MOV DWORD PTR DS:[ESI],400
00448901   .  FF5424 28     CALL DWORD PTR SS:[ESP+28]
; EBP keeps that call's result (tested at 0040E32A); the handle in EDI is
; then closed.
00448905   .  57            PUSH EDI                                 ; /hObject
00448906   .  8BE8          MOV EBP,EAX                              ; |
00448908   .  FF15 18934400 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
0044890E   .^ E9 175AFCFF   JMP HpmbCalc.0040E32A
00448913      00            DB 00

8B 54 24 10 52 FF 15 4C 90 44 00 8D 73 08 8D 44 24 1C 56 50 6A 00 57 C7 06 00 04 00 00 FF 54 24
28 57 8B E8 FF 15 18 93 44 00 E9 17 5A FC FF

运行成功!

2011年12月11日

hpmbcalc注册信息.reg  //diy版运行前,先导入该注册表文件

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Turing 321]
[HKEY_CURRENT_USER\Software\Turing 321\123]
[HKEY_CURRENT_USER\Software\Turing 321\123\Container Info]
"Current"="Default Container"
"Item0"="Default Container"
[HKEY_CURRENT_USER\Software\Turing 321\123\General]
"Already Run"=dword:00000001
"Error Flag"=dword:00000000
"Op1 NS"=dword:00000000
"Op2 NS"=dword:00000000
"Op3 NS"=dword:00000000
"OpR NS"=dword:00000000
[HKEY_CURRENT_USER\Software\Turing 321\123\View]
"Topmost"=dword:00000000
"Toolbar"=dword:00000001
"Tooltip"=dword:00000001
"UpperCase"=dword:00000001
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc]
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\Checksum]
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\Container Info]
"Item0"="Default Container"
"Current"="Default Container"
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\Crc]
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\Format]
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\General]
"Product Version"="4.22"
"Already Run"=dword:00000001
"Error Flag"=dword:00000001
"Op1 NS"=dword:00000000
"Op2 NS"=dword:00000000
"Op3 NS"=dword:00000000
"OpR NS"=dword:00000000
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\Hash]
"FilePath"=""
"InputType"=dword:00000000
"InputMsg"="D8 95 0F EC 3B 7D 5D 68 D9 89 63 04 A6 2E 56 A3 3F 31 EE 99 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 "
"Algorithm"=dword:00000002
"IsIgnore"=dword:00000000
"IgnoreRanges"=""
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\Prime]
"TestTimes"=dword:00000008
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\Script]
"ScriptType"=dword:00000000
"FilePath"=""
[HKEY_CURRENT_USER\Software\Turing 321\Hpmbcalc\View]
"TipOfDay"=dword:00000000
"Topmost"=dword:00000000
"Toolbar"=dword:00000001
"Tooltip"=dword:00000001
"UpperCase"=dword:00000001
"SmallSize"=dword:00000000
[HKEY_CURRENT_USER\Software\Turing 321\LicenseCode]
[HKEY_CURRENT_USER\Software\Turing 321\LicenseCode\Hpmbcalc]
"Register Name"="ty"
"Product Version"="4.22"
"Register Data"=hex:54,68,65,72,65,20,61,72,65,20,74,77,6f,20,65,64,69,74,69,\
  6f,6e,73,20,6f,66,20,41,45,46,53,44,52,3a,20,53,74,61,6e,64,61,72,64,20,61,\
  6e,64,20,50,72,6f,66,65,73,73,69,6f,6e,61,6c,2e,20,53,74,61,6e,64,61,72,64,\
  20,45,64,69,74,69,6f,6e,20,77,6f,72,6b,73,20,61,74,20,74,68,65,20,22,66,69,\
  6c,65,20,6c,65,76,65,6c,22,2c,20,73,6f,20,74,68,65,20,65,6e,63,72,79,70,74,\
  69,6f,6e,20,6b,65,79,73,20,73,68,6f,75,6c,64,20,65,78,69,73,74,20,6f,6e,20,\
  74,68,65,20,64,69,73,6b,2e,20,50,72,6f,66,65,73,73,69,6f,6e,61,6c,20,45,64,\
  69,74,69,6f,6e,20,68,61,73,20,61,6c,6c,20,66,75,6e,63,74,69,6f,6e,61,6c,69,\
  74,79,20,6f,66,20,74,68,65,20,53,74,61,6e,64,61,72,64,20,6f,6e,65,2c,20,62,\
  75,74,20,61,6c,73,6f,20,61,6c,6c,6f,77,73,20,74,6f,20,73,63,61,6e,20,74,68,\
  65,20,64,69,73,6b,73,20,62,79,20,73,65,63,74,6f,72,73,2c,20,73,6f,20,69,74,\
  20,69,73,20,61,62,6c,65,20,74,6f,20,66,69,6e,64,20,74,68,65,20,65,6e,63,72,\
  79,70,74,69,6f,6e,20,6b,65,79,73,20,69,66,20,74,68,65,79,20,68,61,76,65,20,\
  62,65,65,6e,20,64,65,6c,65,74,65,64,2c,20,6f,72,20,73,6f,6d,65,74,69,6d,65,\
  73,20,61,66,74,65,72,20,64,69,73,6b,20,72,65,2d,66,6f,72,6d,61,74,74,69,6e,\
  67,20,6f,72,20,73,79,73,74,65,6d,20,72,65,69,6e,73,74,61,6c,6c,61,74,69,6f,\
  6e,2e,0d,0a,0d,0a,59,6f,75,20,63,61,6e,20,70,6c,61,63,65,20,61,6e,20,6f,72,\
  64,65,72,20,6f,6e,6c,69,6e,65,20,75,73,69,6e,67,20,74,68,65,20,66,6f,6c,6c,\
  6f,77,69,6e,67,20,6f,72,64,65,72,20,66,6f,72,6d,3a,0d,0a,0d,0a,68,74,74,70,\
  3a,2f,2f,77,77,77,2e,65,6c,63,6f,6d,73,6f,66,74,2e,63,6f,6d,2f,70,75,72,63,\
  68,61,73,65,2f,62,75,79,2e,70,68,70,3f,70,72,6f,64,75,63,74,3d,61,65,66,73,\
  64,72,6e,26,72,65,66,3d,4f,52,44,45,52,54,58,54,0d,0a,0d,0a,50,6c,65,61,73,\
  65,20,6e,6f,74,65,20,74,68,61,74,20,74,68,65,72,65,20,61,72,65,20,73,6f,6d,\
  65,20,73,6d,61,6c,6c,20,70,72,6f,63,65,73,73,69,6e,67,20,63,68,61,72,67,65,\
  73,20,66,6f,72,20,6f,72,64,65,72,73,20,70,6c,61,63,65,64,20,62,79,20,66,61,\
  78,2c,20,62,79,20,63,68,65,63,6b,2f,6d,6f,6e,65,79,20,6f,72,64,65,72,20,6f,\
  72,20,77,69,74,68,20,62,61,63,6b,2f,77,69,72,65,20,74,72,61,6e,73,66,65,72,\
  2e,20,45,75,72,6f,70,65,61,6e,20,63,75,73,74,6f,6d,65,72,73,20,61,72,65,20,\
  61,6c,73,6f,20,63,68,61,72,67,65,64,20,56,41,54,2e,0d,0a,0d,0a,4d,6f,72,65,\
  20,69,6e,66,6f,72,6d,61,74,69,6f,6e,20,61,62,6f,75,74,20,61,6c,6c,20,70,61,\
  79,6d,65,6e,74,20,6f,70,74,69,6f,6e,73,20,69,73,20,61,76,61,69,6c,61,62,6c,\
  65,20,61,74,20,6f,72,64,65,72,69,6e,67,20,70,61,67,65,20,6f,6e,20,45,6c,63,\
  6f,6d,53,6f,66,74,20,77,65,62,20,73,69,74,65,3a,0d,0a,0d,0a,68,74,74,70,3a,\
  2f,2f,77,77,77,2e,65,6c,63,6f,6d,73,6f,66,74,2e,63,6f,6d,2f,6f,72,64,65,72,\
  2e,68,74,6d,6c,3f,70,72,6f,64,75,63,74,3d,61,65,66,73,64,72,6e,0d,0a,0d,0a,\
  4f,6e,20,70,61,79,6d,65,6e,74,20,61,70,70,72,6f,76,61,6c,20,28,66,6f,72,20,\
  6f,6e,6c,69,6e,65,20,6f,72,64,65,72,73,2c,20,75,73,75,61,6c,6c,79,20,77,69,\
  74,68,69,6e,20,61,20,66,65,77,20,6d,69,6e,75,74,65,73,29,2c,20,77,65,27,6c,\
  6c,20,73,65,6e,64,20,79,6f,75,20,74,68,65,20,72,65,67,69,73,74,72,61,74,69,\
  6f,6e,20,6b,65,79,20,77,68,69,63,68,20,77,69,6c,6c,20,72,65,6d,6f,76,65,20,\
  61,6c,6c,20,6c,69,6d,69,74,61,74,69,6f,6e,73,20,6f,66,20,74,68,65,20,75,6e,\
  72,65,67,69,73
