; ---------------------------------------------------------------------
; 32-bit debugger notes (OllyDbg-style columns: address, bytes, mnemonic,
; then a ';' comment). Three captures follow: a stack view of a
; VirtualProtect call, a before/after view of one compare sequence, and
; one complete routine at 0507FC88..0507FCFE in module Office_1.
; ---------------------------------------------------------------------

; Stack at the VirtualProtect call; the return address is in UserData.
; The arguments shown make 0x19FE1A bytes at 062F1000 readable, writable
; and executable (NewProtect = 0x40).
; NOTE(review): a module switching a region to RWX at run time usually
; means the code there is unpacked or rewritten in memory, so it may not
; match the file on disk -- confirm. RWX transitions like this are also a
; common signal for runtime monitoring.
0019F578 05AC72EE /CALL 到 VirtualProtect 来自 UserData.05AC72E8 ; CALL to VirtualProtect from UserData.05AC72E8
0019F57C 062F1000 |Address = 062F1000
0019F580 0019FE1A |Size = 19FE1A (1703450.)
0019F584 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0019F588 0019F5FC \pOldProtect = 0019F5FC

转到062F1000搜索命令序列: ; Go to 062F1000 and search for the command sequence:
MOV ESI, DWORD PTR DS:[EAX]
CMP ESI, DWORD PTR DS:[ECX]

; Original bytes. The sequence compares one dword from [EAX] with one
; from [ECX]; JE leaves when they are equal, otherwise the code falls
; through to a byte-wise compare (MOVZX / MOVZX / SUB).
0643E21C /E9 32040000 JMP 0643E653
0643E221 |8B30 MOV ESI, DWORD PTR DS:[EAX]
0643E223 |3B31 CMP ESI, DWORD PTR DS:[ECX]
0643E225 |74 74 JE SHORT 0643E29B ; patch the blacklist check
0643E227 |0FB630 MOVZX ESI, BYTE PTR DS:[EAX]
0643E22A |0FB619 MOVZX EBX, BYTE PTR DS:[ECX]
0643E22D |2BF3 SUB ESI, EBX
0643E22F |74 13 JE SHORT 0643E244

// Modified as follows:
; The only difference from the listing above is at 0643E225/0643E226:
; the two-byte JE SHORT (74 74) is replaced by INC EAX (40) and NOP (90).
; NOTE(review): the comparison outcome depends on a single branch inside
; the region that was made writable above; nothing shown on this page
; verifies the integrity of that code after it is loaded.
0643E21C /E9 32040000 JMP 0643E653
0643E221 |8B30 MOV ESI, DWORD PTR DS:[EAX]
0643E223 |3B31 CMP ESI, DWORD PTR DS:[ECX]
0643E225 |40 INC EAX ; patch the blacklist check
0643E226 |90 NOP
0643E227 |0FB630 MOVZX ESI, BYTE PTR DS:[EAX]
0643E22A |0FB619 MOVZX EBX, BYTE PTR DS:[ECX]
0643E22D |2BF3 SUB ESI, EBX
0643E22F |74 13 JE SHORT 0643E244

; ---------------------------------------------------------------------
; Office_1.0507FC88 -- late-binding wrapper around the export the
; debugger labels UserData.DllOTUpgradeEnd.
;   In:   EAX, EDX, ECX (copied to ESI, EDI, EBP and pushed as three
;         stack arguments for the target).
;         NOTE(review): arguments in EAX/EDX/ECX look like the Borland
;         register convention -- confirm.
;   Out:  EAX = value returned by the target, or EBX with BL = 1 when
;         the target was not resolved.
;   Saves/restores EBX, ESI, EDI, EBP.
;   [0x5179618] caches the resolved function pointer.
;   [0x5179604] is tested for zero and passed to Office_1.04F82944 along
;   with the name string; presumably a module handle and a
;   GetProcAddress-style lookup -- TODO confirm.
; NOTE(review): the wrapper returns whatever the pointer stored at
; [0x5179618] returns; nothing visible here authenticates that pointer
; or the module it came from.
; ---------------------------------------------------------------------
0507FC88 . 53 PUSH EBX
0507FC89 . 56 PUSH ESI
0507FC8A . 57 PUSH EDI
0507FC8B . 55 PUSH EBP
0507FC8C . 8BE9 MOV EBP, ECX
0507FC8E . 8BFA MOV EDI, EDX
0507FC90 . 8BF0 MOV ESI, EAX
; Fast path: pointer already cached, call it directly.
0507FC92 . 833D 18961705>CMP DWORD PTR DS:[0x5179618], 0x0
0507FC99 . 74 0D JE SHORT Office_1.0507FCA8
0507FC9B . 55 PUSH EBP
0507FC9C . 57 PUSH EDI
0507FC9D . 56 PUSH ESI
0507FC9E . FF15 18961705 CALL NEAR DWORD PTR DS:[0x5179618] ; UserData.DllOTUpgradeEnd -- author's note: returning 0 resolves the expiry problem!!!
0507FCA4 . 8BD8 MOV EBX, EAX
0507FCA6 . EB 50 JMP SHORT Office_1.0507FCF8
; Slow path: while [0x5179604] is still zero, try two helper calls that
; are expected to fill it in (their bodies are not on this page).
0507FCA8 > 833D 04961705>CMP DWORD PTR DS:[0x5179604], 0x0
0507FCAF . 75 05 JNZ SHORT Office_1.0507FCB6
0507FCB1 . E8 E2FBFFFF CALL Office_1.0507F898
0507FCB6 > 833D 04961705>CMP DWORD PTR DS:[0x5179604], 0x0
0507FCBD . 75 05 JNZ SHORT Office_1.0507FCC4
0507FCBF . E8 34AAF1FF CALL Office_1.04F9A6F8
; Default result: BL = 1 (only the low byte of EBX is written here).
0507FCC4 > B3 01 MOV BL, 0x1
0507FCC6 . 833D 04961705>CMP DWORD PTR DS:[0x5179604], 0x0
; JBE after a compare with 0 is taken only when the value is 0.
0507FCCD . 76 29 JBE SHORT Office_1.0507FCF8
; Look the export up by name, cache the pointer, then call it.
0507FCCF . 68 00FD0705 PUSH Office_1.0507FD00 ; DllOTUpgradeEnd
0507FCD4 . A1 04961705 MOV EAX, DWORD PTR DS:[0x5179604]
0507FCD9 . 50 PUSH EAX
0507FCDA . E8 652CF0FF CALL Office_1.04F82944
0507FCDF . A3 18961705 MOV DWORD PTR DS:[0x5179618], EAX
0507FCE4 . 833D 18961705>CMP DWORD PTR DS:[0x5179618], 0x0
0507FCEB . 74 0B JE SHORT Office_1.0507FCF8
0507FCED . 55 PUSH EBP
0507FCEE . 57 PUSH EDI
0507FCEF . 56 PUSH ESI
0507FCF0 . FF15 18961705 CALL NEAR DWORD PTR DS:[0x5179618] ; UserData.DllOTUpgradeEnd
0507FCF6 . 8BD8 MOV EBX, EAX
; Common exit: result travels in EBX, registers restored in reverse order.
0507FCF8 > 8BC3 MOV EAX, EBX
0507FCFA . 5D POP EBP
0507FCFB . 5F POP EDI
0507FCFC . 5E POP ESI
0507FCFD . 5B POP EBX
0507FCFE . C3 RETN

; Registration data recorded by the author (not part of the listing).
Registered Name: Tracy Shaffer-1 License: 000016-Q4F8Y7-Y79K5Q-2BHBZE-8QB29N-Q15BHF-3J3R8Y-GC2XPE-XK8T0Q-UJ02K9
// x64
; ---------------------------------------------------------------------
; x64dbg listing of one complete routine, 6DFDA80..6DFDB46. Operands are
; hexadecimal (add rcx,20 advances 32 bytes).
; What the code does: a memcmp-style comparison of two buffers.
;   In:   rcx = first buffer, rdx = second buffer, r8 = byte count
;         NOTE(review): rcx/rdx/r8 match the Microsoft x64 argument
;         order and the layout resembles a C runtime memcmp -- confirm
;         against the module.
;   Out:  eax = 0 when all bytes match; otherwise -1 when the first
;         differing byte of the first buffer is lower (unsigned), else 1.
;   Uses: rax, rcx, rdx, r8, r9, flags; no stack locals.
; The r9:"..." fragments appear to be the debugger's string preview for
; r9 at capture time; they are not operands.
; ---------------------------------------------------------------------
; rdx becomes (second - first), so [rdx+rcx] always addresses the byte in
; the second buffer that corresponds to [rcx] in the first.
0000000006DFDA80 sub rdx,rcx
; Fewer than 8 bytes: go straight to the byte loop at 6DFDAAB.
0000000006DFDA83 cmp r8,8
0000000006DFDA87 jb 6DFDAAB
; Compare single bytes until rcx is 8-byte aligned.
0000000006DFDA89 test cl,7
0000000006DFDA8C je 6DFDAA2
0000000006DFDA8E nop
0000000006DFDA90 mov al,byte ptr ds:[rcx]
0000000006DFDA92 cmp al,byte ptr ds:[rdx+rcx]
; Author's note on the next line: "patch blacklist ---> inc rcx".
; NOTE(review): the page does not show the patched bytes for this build.
0000000006DFDA95 jne 6DFDAC3 Patch黑名单--->inc rcx
0000000006DFDA97 inc rcx
0000000006DFDA9A dec r8
0000000006DFDA9D test cl,7
0000000006DFDAA0 jne 6DFDA90
; r9 = remaining bytes / 8; non-zero means at least one whole qword.
0000000006DFDAA2 mov r9,r8 r9:"racy Shaffer-1"
0000000006DFDAA5 shr r9,3 r9:"racy Shaffer-1"
0000000006DFDAA9 jne 6DFDACA
; Byte tail: r8 = bytes left; zero left means the buffers are equal.
0000000006DFDAAB test r8,r8
0000000006DFDAAE je 6DFDABF
0000000006DFDAB0 mov al,byte ptr ds:[rcx]
0000000006DFDAB2 cmp al,byte ptr ds:[rdx+rcx]
0000000006DFDAB5 jne 6DFDAC3
0000000006DFDAB7 inc rcx
0000000006DFDABA dec r8
0000000006DFDABD jne 6DFDAB0
; Equal: return 0.
0000000006DFDABF xor rax,rax
0000000006DFDAC2 ret
; Byte mismatch: the sbb pair turns the carry flag left by cmp into
; -1 (carry set) or 1 (carry clear).
0000000006DFDAC3 sbb eax,eax
0000000006DFDAC5 sbb eax,FFFFFFFF
0000000006DFDAC8 ret
0000000006DFDAC9 nop
; r9 = qword count / 4 = number of 32-byte groups; none -> 6DFDB07.
0000000006DFDACA shr r9,2 r9:"racy Shaffer-1"
0000000006DFDACE je 6DFDB07
; Unrolled loop: four qwords per pass. Each mismatch exit enters the
; add-rcx,8 chain at 6DFDB28..6DFDB34 so that rcx ends up on the qword
; that differed.
0000000006DFDAD0 mov rax,qword ptr ds:[rcx]
0000000006DFDAD3 cmp rax,qword ptr ds:[rdx+rcx]
0000000006DFDAD7 jne 6DFDB34
0000000006DFDAD9 mov rax,qword ptr ds:[rcx+8]
0000000006DFDADD cmp rax,qword ptr ds:[rdx+rcx+8]
0000000006DFDAE2 jne 6DFDB30
0000000006DFDAE4 mov rax,qword ptr ds:[rcx+10]
0000000006DFDAE8 cmp rax,qword ptr ds:[rdx+rcx+10]
0000000006DFDAED jne 6DFDB2C
0000000006DFDAEF mov rax,qword ptr ds:[rcx+18]
0000000006DFDAF3 cmp rax,qword ptr ds:[rdx+rcx+18]
0000000006DFDAF8 jne 6DFDB28
0000000006DFDAFA add rcx,20
0000000006DFDAFE dec r9 r9:"racy Shaffer-1"
0000000006DFDB01 jne 6DFDAD0
; Keep only the bytes not covered by the 32-byte groups.
0000000006DFDB03 and r8,1F
; Remaining whole qwords, one per pass.
0000000006DFDB07 mov r9,r8 r9:"racy Shaffer-1"
0000000006DFDB0A shr r9,3 r9:"racy Shaffer-1"
0000000006DFDB0E je 6DFDAAB
0000000006DFDB10 mov rax,qword ptr ds:[rcx]
0000000006DFDB13 cmp rax,qword ptr ds:[rdx+rcx]
0000000006DFDB17 jne 6DFDB34
0000000006DFDB19 add rcx,8
0000000006DFDB1D dec r9 r9:"racy Shaffer-1"
0000000006DFDB20 jne 6DFDB10
; Fewer than 8 bytes remain; finish in the byte loop.
0000000006DFDB22 and r8,7
0000000006DFDB26 jmp 6DFDAAB
; Mismatch exits of the unrolled loop: fall through 0..3 adds.
0000000006DFDB28 add rcx,8
0000000006DFDB2C add rcx,8
0000000006DFDB30 add rcx,8
; Qword mismatch: rax holds the first buffer's qword; load the second
; buffer's qword, byte-swap both so the compare follows memory byte
; order, then produce -1 or 1 from the carry flag as above.
0000000006DFDB34 mov rcx,qword ptr ds:[rcx+rdx]
0000000006DFDB38 bswap rax
0000000006DFDB3B bswap rcx
0000000006DFDB3E cmp rax,rcx
0000000006DFDB41 sbb eax,eax
0000000006DFDB43 sbb eax,FFFFFFFF
0000000006DFDB46 ret