OD + IDA 6.1: cracking HideWizard v9.29 (无忧隐藏)
Title: [Original] OD + IDA 6.1: cracking HideWizard v9.29 (无忧隐藏)
Author: hsluoyz
Time: 2012-04-22, 22:01:19
Link: http://bbs.pediy.com/showthread.php?t=149743
I've done some cracking before, but only on soft targets. A few days ago I had a need to hide a trojan, including its process, window, files on disk and so on, and nothing but HideWizard would do. HideWizard 6.4 has a cracked version but its features weren't enough, so I had to take the knife to the latest version, HideWizard 9.29. It turned out to be quite a hassle, maybe because my skills are poor. Enough chatter, on to the main topic.
0) First, a description of the program. It has three verification points in total; some can be observed directly, others were discovered during the cracking process:
1. A preliminary check of the registration code on the client side. If the input is wrong there is no prompt at all; otherwise it proceeds to the second step, server activation verification;
2. Communication with the server, with the returned result displayed in a static control;
3. An EXE integrity check using imagehlp; if the binary is found to be modified, the program exits on its own.
Details below.
1) First, checking for a packer with PEiD: found nothing. In fact even at the end I don't know what packer it is, and I've never learned unpacking either, embarrassing. If any of you masters know, please let me know. Opening the EXE in IDA 6.1, it can be determined to be an MFC program.
2) After loading the program in OD, the built-in 7E42xxxx breakpoints must be cleared, otherwise the system appears to hang; hammering F9 for a minute may bring it back, and if it doesn't come back you have to reboot. After loading successfully, switching window focus also stutters; I don't know whether this is intentional, so try not to switch focus during debugging. The degree of stuttering seems to also depend on the system and on the OD build; the exact relationship is unclear. It's best to find a build that automatically clears the debug flag. I went through several ODs before finding one that worked well; I used Pza74.exe from ODbyDYK v1.10, which automatically clears the debug flag and highlights instructions like call and jmp. Pza74's downside is that it has fewer plugins than OllyICE, but OllyICE has no highlighting, which is a headache to look at.
3) Now to the actual debugging. First a breakpoint is needed at the activation button. Since there is no prompt whatsoever, the only option was to break at CCmdTarget::OnCmdMsg: note the address in IDA and bp it directly in OD. The fourth parameter of OnCmdMsg is the message handler function. The function is as follows: at 0042AB9B the program checks the number of characters in the registration code; as long as the entered code is 17 characters it won't jump to the end of the function. At the end you can see that SendMessageA is the key to entering the next step, so the algorithm in the middle doesn't need to be looked at; just find the jumps and nop out the ones that should be nopped.
Code:
0042AB5F   /.  55             push ebp
0042AB60   |.  8BEC           mov ebp,esp
0042AB62   |.  83EC 14        sub esp,14
0042AB65   |.  56             push esi
0042AB66   |.  8BF1           mov esi,ecx
0042AB68   |.  8975 EC        mov dword ptr ss:[ebp-14],esi
0042AB6B   |.  FF15 C4D14600  call dword ptr ds:[<&KERNEL32.GetTickCount>]     ; [GetTickCount
0042AB71   |.  8BC8           mov ecx,eax
0042AB73   |.  2B0D A4F44800  sub ecx,dword ptr ds:[48F4A4]
0042AB79   |.  81F9 2C010000  cmp ecx,12C
0042AB7F   |.  0F82 40010000  jb HideWiza.0042ACC5
0042AB85   |.  6A 01          push 1
0042AB87   |.  8BCE           mov ecx,esi
0042AB89   |.  A3 A4F44800    mov dword ptr ds:[48F4A4],eax
0042AB8E   |.  E8 B0530000    call HideWiza.0042FF43
0042AB93   |.  81C6 10040000  add esi,410
0042AB99   |.  8B06           mov eax,dword ptr ds:[esi]
0042AB9B   |.  8378 F4 11     cmp dword ptr ds:[eax-C],11
0042AB9F   |.  8BCE           mov ecx,esi
0042ABA1   |.  0F85 14010000  jnz HideWiza.0042ACBB            ; if not equal it jumps to 0042ACC5; must not jump, nop it out
...
0042AC9B   |. /75 1C          jnz short HideWiza.0042ACB9      ; must not jump, nop it out
0042AC9D   |. |394D F0        cmp dword ptr ss:[ebp-10],ecx
0042ACA0   |. |75 17          jnz short HideWiza.0042ACB9      ; must not jump, nop it out
0042ACA2   |. |8B45 EC        mov eax,dword ptr ss:[ebp-14]
0042ACA5   |. |6A 0A          push 0A                          ; /lParam = A
0042ACA7   |. |6A 01          push 1                           ; |wParam = 1
0042ACA9   |. |68 CA040000    push 4CA                         ; |Message = MSG(4CA)
0042ACAE   |. |FF70 20        push dword ptr ds:[eax+20]       ; |hWnd
0042ACB1   |. |FF15 84D54600  call dword ptr ds:[<&USER32.SendMessageA>]   ; \SendMessageA
0042ACB7   |. |EB 0C          jmp short HideWiza.0042ACC5
0042ACB9   |> \8BCE           mov ecx,esi
0042ACBB   |>  68 F2DC4600    push HideWiza.0046DCF2
0042ACC0   |.  E8 1B7BFDFF    call HideWiza.004027E0
0042ACC5   |>  5E             pop esi
0042ACC6   |.  C9             leave
0042ACC7   \.  C3             retn
4) After modifying the exe with UE, the program exited on its own, so I guessed some kind of integrity check. The program doesn't show a window at that point, so I judged the check to be in the CXXDlg constructor, OnInitialDialog or somewhere similar. I traced directly from the entry point. There's a trick here: load the unmodified and the modified copies in OD at the same time and debug them side by side, comparing where they diverge; if some call pops up the window or exits directly, reload and step into that call. Finally I found the code below. Found it at last: the culprit is imagehlp.MapFileAndCheckSumA. I looked up imagehlp, and it is indeed a thing for binary checksumming. At 0041E36E you can see [ebp-2C] and [ebp-28]: one is generated at compile time, the other is computed on the spot. The jnz afterwards checks whether they match. The OpenMutexA and so on afterwards should be ensuring the program runs as a single instance, which is later program logic, so just nop the jnz.
Code:
0041E349    .  E9 AD030000    jmp HideWiza.0041E6FB
0041E34E    >  8D45 D8        lea eax,dword ptr ss:[ebp-28]
0041E351    .  50             push eax
0041E352    .  8D45 D4        lea eax,dword ptr ss:[ebp-2C]
0041E355    .  33FF           xor edi,edi
0041E357    .  50             push eax
0041E358    .  47             inc edi
0041E359    .  68 40EA4800    push HideWiza.0048EA40
0041E35E    .  897D D4        mov dword ptr ss:[ebp-2C],edi
0041E361    .  895D D8        mov dword ptr ss:[ebp-28],ebx
0041E364    .  FF15 FCD74600  call dword ptr ds:[<&imagehlp.Ma>   ; imagehlp.MapFileAndCheckSumA  / Checksum!!!
0041E36A    .  85C0           test eax,eax
0041E36C    .  75 0C          jnz short HideWiza.0041E37A
0041E36E    .  8B45 D4        mov eax,dword ptr ss:[ebp-2C]
0041E371    .  3B45 D8        cmp eax,dword ptr ss:[ebp-28]
0041E374    .  0F85 81030000  jnz HideWiza.0041E6FB            ; should not jmp, so nop it
0041E37A    >  68 6C3E4700    push HideWiza.00473E6C           ;  ASCII "SEAN_U_HIDE_WIZARD"
0041E37F    .  8D4D E0        lea ecx,dword ptr ss:[ebp-20]
0041E382    .  E8 604BFEFF    call HideWiza.00402EE7
0041E387    .  FF75 E0        push dword ptr ss:[ebp-20]       ; /MutexName
0041E38A    .  895D FC        mov dword ptr ss:[ebp-4],ebx     ; |
0041E38D    .  53             push ebx                         ; |Inheritable
0041E38E    .  57             push edi                         ; |Access
0041E38F    .  FF15 2CD44600  call dword ptr ds:[<&KERNEL32.Op>   ; \OpenMutexA
0041E395    .  8B7D DC        mov edi,dword ptr ss:[ebp-24]
0041E398    .  8987 A4000000  mov dword ptr ds:[edi+A4],eax
0041E39E    .  3BC3           cmp eax,ebx
0041E3A0    .  0F84 97000000  je HideWiza.0041E43D
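To make concrete what the comparison at 0041E371 is checking, here is an added example (my own code, not the post's and not HideWizard's) that recomputes the PE CheckSum the way imagehlp's MapFileAndCheckSumA does and compares it with the value stored in the optional header. The sample image is a constructed, header-only PE32 built inline, and all function names are mine. The takeaway for a defender is the one the post demonstrates: a self-check that collapses to one jnz is not tamper evidence, so the recomputation belongs out of process (or in Authenticode verification), not inside the binary it protects.

```python
import struct

# CheckSum sits at offset 0x40 inside IMAGE_OPTIONAL_HEADER (PE32 and PE32+ alike).
CHECKSUM_FIELD_OFFSET = 0x40


def optional_header_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER: e_lfanew + "PE\\0\\0" + 20-byte IMAGE_FILE_HEADER."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20


def checksum_field_offset(image: bytes) -> int:
    return optional_header_offset(image) + CHECKSUM_FIELD_OFFSET


def pe_checksum(image: bytes) -> int:
    """Recompute the PE CheckSum as imagehlp does: an end-around-carry sum over
    every 32-bit word of the file, skipping the CheckSum field itself, folded to
    16 bits, plus the file length."""
    cs_off = checksum_field_offset(image)
    if cs_off % 4:
        raise ValueError("unaligned optional header not handled by this example")
    padded = image + b"\0" * (-len(image) % 4)      # a short tail is zero-padded to a whole DWORD
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue                                  # the stored value must not feed its own sum
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def stored_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def stamp_checksum(image: bytes) -> bytes:
    """Return a copy with the correct CheckSum written into the header, as a linker would."""
    out = bytearray(image)
    struct.pack_into("<I", out, checksum_field_offset(image), pe_checksum(image))
    return bytes(out)


def verify_checksum(image: bytes) -> bool:
    """The comparison HideWizard makes at 0041E371: header value vs freshly computed value.
    Many user-mode EXEs ship with CheckSum = 0, which this check reports as a mismatch."""
    return stored_checksum(image) == pe_checksum(image)


def build_sample_image() -> bytes:
    """Constructed, minimal PE32 image (headers plus an arbitrary body, no real sections).
    Sample input for this example only; it is not a runnable executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow the DOS header
    # IMAGE_FILE_HEADER: i386, 0 sections, 224-byte PE32 optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x00400000)       # ImageBase
    body = b"constructed code bytes standing in for the .text section " * 3
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + body


if __name__ == "__main__":
    pristine = stamp_checksum(build_sample_image())
    print("stored=%#x computed=%#x ok=%s"
          % (stored_checksum(pristine), pe_checksum(pristine), verify_checksum(pristine)))
    tampered = bytearray(pristine)
    tampered[-1] ^= 0xFF                              # a single changed byte in the body
    print("after a one-byte edit ok=%s" % verify_checksum(bytes(tampered)))
```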
5) Finally, the last step. Running the program now and registering with an arbitrary code, I found there is still server verification. In IDA, the program's network communication uses CHttpFile, which inherits from CInternetFile. Decompiling with IDA 6.1's Hex-Rays, CInternetFile has four methods, Read, ReadString, Write and WriteString; we mainly care about reading, so note the address and break on it in OD. I found the program calls CInternetFile::Read. Most people writing communication code wrap connecting, sending, receiving and closing themselves, so along the way you can name the unnamed network-related functions around it in IDA, and combine that with OD to find callers, which makes things easier to follow.
Walking up from CInternetFile::Read in OD, I found a suspicious function; decompiled with IDA:
Code:
signed int __thiscall sub_42BFB4(void *this, int a2, int a3)
{
  int v3; // edi@1
  void *v4; // ebx@1
  int v6; // eax@3
  int v7; // eax@3
  int v8; // eax@3
  int v9; // edi@3
  const CHAR *v10; // ebx@5
  int v11; // esi@5
  int v12; // esi@7
  int v13; // eax@10
  int v14; // eax@10
  int v15; // eax@12
  int v16; // eax@12
  int v17; // eax@14
  int v18; // eax@14
  int v19; // eax@15
  int v20; // eax@15
  int v21; // eax@15
  int v22; // [sp+Ch] [bp-20h]@11
  const CHAR *v23; // [sp+10h] [bp-1Ch]@3
  char *v24; // [sp+14h] [bp-18h]@15
  int v25; // [sp+18h] [bp-14h]@3
  int v26; // [sp+1Ch] [bp-10h]@3
  int v27; // [sp+28h] [bp-4h]@1
  char v28; // [sp+2Ch] [bp+0h]@1
  char Src; // [sp+82Ch] [bp+800h]@15
  char v30; // [sp+82Dh] [bp+801h]@15
  unsigned int v31; // [sp+C2Ch] [bp+C00h]@1

  v31 = (unsigned int)&v28 ^ __security_cookie;
  v3 = a3;
  v4 = this;
  v27 = 0;
  if ( !WaitForSingleObject(hHandle, 0) )
    goto LABEL_2;
  unknown_libname_115(v3);
  v6 = sub_435E86(v26);
  unknown_libname_113(v6);
  v7 = sub_435E86(v26);
  unknown_libname_113(v7);
  LOBYTE(v27) = 2;
  sub_402793(&a2);
  sub_42BF09(&v25, &v23);
  LOBYTE(v27) = 3;
  v8 = (int)_LN34_4(v4, 0, 0, 0, 0);
  v9 = v8;
  if ( !v8 )
  {
    ATL::CStringData::Release(v23 - 16);
    ATL::CStringData::Release(v25 - 16);
LABEL_2:
    ATL::CStringData::Release(a2 - 16);
    return -20;
  }
  v10 = v23;
  v27 = 2;
  LOBYTE(v27) = 5;
  v11 = (int)sub_4415E2(v8, 0, v23, 0, 1u, 0, 0, 0x20000000u);
  if ( !v11 )
    goto LABEL_6;
  v27 = 2;
  LOBYTE(v27) = 7;
  if ( !CHttpFile::SendRequest(v11, 0, 0, 0, 0) )   /// sends the request
  {
    (*(void (__thiscall **)(int))(*(_DWORD *)v11 + 76))(v11);
    v13 = *(_DWORD *)v11;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v13 + 4))(v11, 1);
    (*(void (__thiscall **)(int))(*(_DWORD *)v9 + 12))(v9);
    v14 = *(_DWORD *)v9;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v14 + 4))(v9, 1);
LABEL_6:
    ATL::CStringData::Release(v10 - 16);
    ATL::CStringData::Release(v25 - 16);
    v25 = -20;
LABEL_7:
    v12 = v25;
LABEL_8:
    ATL::CStringData::Release(a2 - 16);
    return v12;
  }
  v27 = 2;
  if ( !CHttpFile::QueryInfoStatusCode(&v22) )
  {
    (*(void (__thiscall **)(int))(*(_DWORD *)v11 + 76))(v11);
    v15 = *(_DWORD *)v11;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v15 + 4))(v11, 1);
    (*(void (__thiscall **)(int))(*(_DWORD *)v9 + 12))(v9);
    v16 = *(_DWORD *)v9;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v16 + 4))(v9, 1);
    ATL::CStringData::Release(v10 - 16);
    ATL::CStringData::Release(v25 - 16);
    v25 = -21;
    goto LABEL_7;
  }
  if ( v22 != 200 )
  {
    (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v11 + 76))(v11);
    v17 = *(_DWORD *)v11;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v17 + 4))(v11, 1);
    (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v9 + 12))(v9);
    v18 = *(_DWORD *)v9;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v18 + 4))(v9, 1);
    v12 = v22;
    ATL::CStringData::Release(v10 - 16);
    ATL::CStringData::Release(v25 - 16);
    goto LABEL_8;
  }
  Src = 0;
  memset(&v30, 0, 0x3FFu);
  sub_4027E0(Caption);
  v19 = *(_DWORD *)v11;
  v25 = 1000;
  v24 = &Src;
  (*(void (__thiscall **)(int, char *, signed int))(v19 + 52))(v11, &Src, 1000);   // CInternetFile_Read, address 00440915; two reads in total, calling CInternet::Read
  sub_4027E0(&Src);   // --> calls sub_402466 with the C string returned in Src; address 0042C1F3; writes 2 bytes of memory, nothing after this needs looking at
  (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v11 + 76))(v11);   // CInternetFile::Close
  v20 = *(_DWORD *)v11;
  v25 = 1;
  (*(void (__thiscall **)(int, signed int))(v20 + 4))(v11, 1);   // CHttpFile::_scalar_deleting_destructor_
  (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v9 + 12))(v9);   // CInternetFile::Close
  v21 = *(_DWORD *)v9;
  v25 = 1;
  (*(void (__thiscall **)(int, signed int))(v21 + 4))(v9, 1);   // sub_440C6D, releases some strings
  ATL::CStringData::Release(v10 - 16);
  ATL::CStringData::Release(v25 - 16);
  ATL::CStringData::Release(a2 - 16);
  return 1;
}
6) The real substance is in the last few lines. 00440915 internally calls CInternet::Read, and the whole function calls it twice in total. Capturing packets with Ethereal showed the client sends two HTTP requests to www.seapsoft.com; both times the server replies with the very simple string 1, which is stored in Src. sub_4027E0(&Src) processes it and writes two bytes of memory at a dynamically allocated location: the first byte is the length of Src, i.e. 1 (it seems a single byte would be enough for Src as a status word; I don't know why the author designed it this way), and the second byte is the status word itself (from the memory alignment you can also see that Src can only be 1 byte). By modifying Src here and comparing against the program's prompts you can work out what the numbers mean: 2 means the serial number already exists, 1 means the serial number is invalid, and other values all seem to be network failure and the like. One can boldly guess that the program will later read Src or a copy of it.
7) The obvious approach is to set a memory access breakpoint on those 2 bytes. That landed in a function called strtoxl, which is an internal C runtime function; walking up leads to strtol and finally to atol. Then I found this address was read more than a dozen times, so I simply switched to another approach. The program sets the static control's string after the request returns, so I set an API breakpoint on SetWindowTextA. Working backwards from there, hard work pays off: I found the program's verification logic:
Code:
0042B1F5    > \FF75 DC        push dword ptr ss:[ebp-24]
0042B1F8    .  E8 46620200    call HideWiza.00451443
0042B1FD    .  83F8 1E        cmp eax,1E
0042B200    .  59             pop ecx
0042B201    .  7D 77          jge short HideWiza.0042B27A      // jump it
0042B203    .  83F8 02        cmp eax,2
0042B206    .  75 21          jnz short HideWiza.0042B229
0042B208    .  51             push ecx
0042B209    .  8BCC           mov ecx,esp
0042B20B    .  8965 F0        mov dword ptr ss:[ebp-10],esp
0042B20E    .  68 24534700    push HideWiza.00475324
0042B213    .  E8 CF7CFDFF    call HideWiza.00402EE7
0042B218    .  8D45 F0        lea eax,dword ptr ss:[ebp-10]
0042B21B    .  50             push eax
0042B21C    .  E8 EFEEFFFF    call HideWiza.0042A110
0042B221    .  59             pop ecx
0042B222    .  59             pop ecx
0042B223    .  C645 FC 0A     mov byte ptr ss:[ebp-4],0A
0042B227    .^ EB 9D          jmp short HideWiza.0042B1C6      ; jump back to death
0042B229    >  3BC7           cmp eax,edi
0042B22B    .  74 29          je short HideWiza.0042B256
0042B22D    .  83F8 14        cmp eax,14
0042B230    .  74 24          je short HideWiza.0042B256
0042B232    .  51             push ecx
0042B233    .  8BCC           mov ecx,esp
0042B235    .  8965 F0        mov dword ptr ss:[ebp-10],esp
0042B238    .  68 E4524700    push HideWiza.004752E4
0042B23D    .  E8 A57CFDFF    call HideWiza.00402EE7
0042B242    .  8D45 F0        lea eax,dword ptr ss:[ebp-10]
0042B245    .  50             push eax
0042B246    .  E8 C5EEFFFF    call HideWiza.0042A110
0042B24B    .  59             pop ecx
0042B24C    .  59             pop ecx
0042B24D    .  C645 FC 0C     mov byte ptr ss:[ebp-4],0C
0042B251    .^ E9 70FFFFFF    jmp HideWiza.0042B1C6            ; jump back to death
0042B256    >  51             push ecx
0042B257    .  8BCC           mov ecx,esp
0042B259    .  8965 F0        mov dword ptr ss:[ebp-10],esp
0042B25C    .  68 0C534700    push HideWiza.0047530C
0042B261    .  E8 817CFDFF    call HideWiza.00402EE7
0042B266    .  8D45 F0        lea eax,dword ptr ss:[ebp-10]
0042B269    .  50             push eax
0042B26A    .  E8 A1EEFFFF    call HideWiza.0042A110
0042B26F    .  59             pop ecx
0042B270    .  59             pop ecx
0042B271    .  C645 FC 0B     mov byte ptr ss:[ebp-4],0B
0042B275    .^ E9 4CFFFFFF    jmp HideWiza.0042B1C6            ; jump back to death
0042B27A    >  8B4D E4        mov ecx,dword ptr ss:[ebp-1C]
0042B27D    .  8BD1           mov edx,ecx
0042B27F    .  6BD2 0D        imul edx,edx,0D
0042B282    .  81EA 2E160000  sub edx,162E
0042B288    .  3BD0           cmp edx,eax
0042B28A    .  74 46          je short HideWiza.0042B2D2       // jump it
0042B28C    .  51             push ecx
0042B28D    .  8BCC           mov ecx,esp
0042B28F    .  8965 F0        mov dword ptr ss:[ebp-10],esp
0042B292    .  68 E4524700    push HideWiza.004752E4
0042B297    .  E8 4B7CFDFF    call HideWiza.00402EE7
0042B29C    .  8D45 F0        lea eax,dword ptr ss:[ebp-10]
0042B29F    .  50             push eax
0042B2A0    .  E8 6BEEFFFF    call HideWiza.0042A110
0042B2A5    .  59             pop ecx
0042B2A6    .  59             pop ecx
0042B2A7    .  FF30           push dword ptr ds:[eax]               ; /Arg1
0042B2A9    .  8B4D E0        mov ecx,dword ptr ss:[ebp-20]         ; |
0042B2AC    .  C645 FC 0D     mov byte ptr ss:[ebp-4],0D            ; |
0042B2B0    .  E8 2A1F0000    call HideWiza.0042D1DF                ; \HideWiza.0042D1DF
0042B2B5    .  8B4D F0        mov ecx,dword ptr ss:[ebp-10]
0042B2B8    .  83C1 F0        add ecx,-10
0042B2BB    .  C645 FC 07     mov byte ptr ss:[ebp-4],7
0042B2BF    .  E8 DF5DFDFF    call HideWiza.004010A3
0042B2C4    .  8B4D EC        mov ecx,dword ptr ss:[ebp-14]
0042B2C7    .  57             push edi                              ; /Arg1
0042B2C8    .  E8 F61F0000    call HideWiza.0042D2C3                ; \HideWiza.0042D2C3
0042B2CD    .  E9 B8020000    jmp HideWiza.0042B58A
0042B2D2    >  6BC9 0B        imul ecx,ecx,0B
0042B2D5    .  81F1 07060000  xor ecx,607
0042B2DB    .  8BC1           mov eax,ecx
0042B2DD    .  894D EC        mov dword ptr ss:[ebp-14],ecx
0042B2E0    .  B9 10270000    mov ecx,2710
0042B2E5    .  3BC1           cmp eax,ecx
0042B2E7    .  7D 0A          jge short HideWiza.0042B2F3      // auto jump it
0042B2E9    >  6BC0 0A        imul eax,eax,0A
0042B2EC    .  3BC1           cmp eax,ecx
0042B2EE    .^ 7C F9          jl short HideWiza.0042B2E9
0042B2F0    .  8945 EC        mov dword ptr ss:[ebp-14],eax
0042B2F3    >  3D A0860100    cmp eax,186A0
0042B2F8    .  7C 15          jl short HideWiza.0042B30F       // auto jump it
0042B2FA    .  EB 03          jmp short HideWiza.0042B2FF
0042B2FC    >  8B45 EC        mov eax,dword ptr ss:[ebp-14]
0042B2FF    >  6A 0A          push 0A
0042B301    .  99             cdq
0042B302    .  59             pop ecx
0042B303    .  F7F9           idiv ecx
0042B305    .  3D A0860100    cmp eax,186A0
0042B30A    .  8945 EC        mov dword ptr ss:[ebp-14],eax
0042B30D    .^ 7D ED          jge short HideWiza.0042B2FC
0042B30F    >  893D 40F04800  mov dword ptr ds:[48F040],edi
0042B315    .  E8 6CAB0000    call HideWiza.00435E86
0042B31A    .  50             push eax
0042B31B    .  8D4D E4        lea ecx,dword ptr ss:[ebp-1C]
0042B31E    .  E8 816DFDFF    call HideWiza.004020A4
0042B323    .  FF75 EC        push dword ptr ss:[ebp-14]
0042B326    .  8D45 E4        lea eax,dword ptr ss:[ebp-1C]
0042B329    .  68 F0EF4600    push HideWiza.0046EFF0                ;  ASCII "%d"
8) 0042D21B is CWnd::SetWindowText; it calls SetWindowTextA to display the "serial number invalid" string.
The caller of 0042D21B is 0042B1CB. Looking for jumps leading to 0042B1CB, there are three, all further down: at 227, 251 and 275. Analyzing this code, eax is tested many times, and eax=1, so it can be tentatively concluded that this is the status word returned by the server. 0042B201 checks whether eax is not less than 1e; if it is less than 1e, it then checks whether it is 2; if it is 2, it goes to 227 and that's the end. If it's not 2, it checks whether it is 14; if not, it goes to 251 and that's the end, and if so it goes to 275 and that's the end. In short it's a dead end either way, so the only option is to jmp at 0042B201 before all that. Then at 0042B28A there's a je; equality is usually the "verification passed" case and surely the good path, so jmp it without looking further. After that, having changed nothing else, the program is already cracked. For the record, two jumps in between were taken without any change: 0042B2E7 and 0042B2F8; to be safe they can be made unconditional jmps too.
Afterword:
I registered on pediy a long time ago, but only recently, since the lab started doing security work, have I started hanging around pediy regularly. A couple of days ago I found that I'd only ever been asking questions and had used up all my points; only once they're gone do you realize how precious points are. Now, while I have a bit of material in me, I'm resolutely writing a cracking post to earn some back. My skill is limited to begin with and this is my first time writing a cracking tutorial, so it's not well written; please go easy on me.
Finally, attached: the original program + crack patch:
http://115.com/file/c2a07wc1#
《窗口、文件、進程隱藏工具——無憂隱藏》(HideWizard_v9.29)最新版含破解補丁.rar *When reposting, please credit 看雪論壇@PEdiy.com