[Reverse Engineering Tools] Using x64dbg + Spy++ to remove the WinRAR 5.40 (64-bit) ad popup



2024-07-13 20:44 | Source: compiled from the web | Views: 265

1 Learning objectives

Remove the ad popup from WinRAR 5.40 (64-bit). Since my system is x64, I installed the WinRAR (x64) build.

OllyDbg cannot debug 64-bit programs, so this is a chance to get familiar with the x64dbg debugging interface.

Besides, this thing is really annoying: it pops up ads endlessly.

2 Patching approach

1) Substitute the function

Change the first instruction of the assembly function into a return (the method used in this write-up).

2) NOP out the entire function body

3 Background knowledge

The x64dbg shortcuts are the same as OllyDbg's.

F9: run

bp CreateWindowExW: type this command in the command bar at the bottom of x64dbg to set a breakpoint wherever CreateWindowExW is called.

CreateWindowExW: this function creates an overlapped, pop-up, or child window. Parameters:

HWND CreateWindowEx(
    DWORD     dwExStyle,    // extended window style
    LPCTSTR   lpClassName,  // pointer to the registered class name
    LPCTSTR   lpWindowName, // pointer to the window name
    DWORD     dwStyle,      // window style
    int       x,            // horizontal position of the window
    int       y,            // vertical position of the window
    int       nWidth,       // window width
    int       nHeight,      // window height
    HWND      hWndParent,   // handle to the parent window
    HMENU     hMenu,        // menu handle or child-window identifier
    HINSTANCE hInstance,    // application instance handle
    LPVOID    lpParam       // pointer to window-creation data
);

4 Implementation

Software name: WinRAR
Software version: 5.4
Packer/protection: none
Operating system: Windows 10

Since it is a popup window, the first thing we need is the window class name of the popup. I used Spy++ x64, which ships with VS2015.

Figure 1: Launching Spy++ x64

Figure 2: Spy++ (x64) shows that the class name of WinRAR's popup window is RarReminder

Having obtained WinRAR's window class name RarReminder from the steps above, load WinRAR.exe in x64dbg. In the command bar, enter the breakpoint command [bp CreateWindowExW] to set a breakpoint on CreateWindowEx. Press F9 to run to each breakpoint hit in turn and watch whether the ad window has appeared.

Figure 3: Using the breakpoint command [bp CreateWindowExW]

Press F9 until the RarReminder string shows up. x64dbg can also show how many times a breakpoint has been hit; the [Breakpoints] tab shows that the breakpoint was hit 30 times before reaching this point.

Figure 4: Breakpoint hit count

In the stack window, press Enter on the entry that points at the call instruction to go back to the user-mode (application) function.

Figure 5: Stack window
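As an added example (not part of the original post), the Python script below automates the counting and stack-walking just described: it parses a log of CreateWindowExW breakpoint hits, counts them, finds the hit whose lpClassName (passed in rdx under the x64 calling convention) is RarReminder, and reports the first return address that lies inside winrar.exe rather than in a system DLL, which is what pressing Enter in the stack window takes you to. The log format, the module address ranges and every address other than 00007FF6780AD4E8 are constructed assumptions; the image base of winrar.exe is not stated on the page.

```python
"""Locate the caller that creates the "RarReminder" window from a log of
CreateWindowExW breakpoint hits.

Constructed example: the log line format is an assumption (the text you might
configure a logging breakpoint to print), not x64dbg's default output.
"""
import re
from dataclasses import dataclass

# x64 calling convention for CreateWindowExW:
#   rcx = dwExStyle, rdx = lpClassName, r8 = lpWindowName, r9 = dwStyle
HIT_RE = re.compile(r'^hit\s+(\d+)\s+class=L"([^"]*)"\s+stack=(.*)$')

# Assumed (constructed) module ranges for this debugging session. The real base
# of winrar.exe is not given in the write-up; 0x7FF678000000 is a guess that
# contains the 00007FF6780A.... addresses quoted there.
MODULES = {
    "winrar.exe": (0x00007FF678000000, 0x00007FF678200000),
    "user32.dll": (0x00007FFC10000000, 0x00007FFC10200000),
}


@dataclass
class Hit:
    index: int
    class_name: str
    stack: list  # return addresses, innermost frame first


def parse_log(text):
    """Parse 'hit N class=L"..." stack=addr,addr,...' lines into Hit objects."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # ignore unrelated debugger output
        addrs = [int(a, 16) for a in m.group(3).split(",") if a]
        hits.append(Hit(int(m.group(1)), m.group(2), addrs))
    return hits


def module_of(addr):
    """Name of the module whose address range contains addr, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def first_user_return(stack, module="winrar.exe"):
    """Equivalent of walking the stack window past the system DLL frames:
    return the first return address that lies inside the application module."""
    for addr in stack:
        if module_of(addr) == module:
            return addr
    return None


def locate_window_creator(text, class_name):
    """Total hit count, the hit index that created class_name, and the
    user-mode return address for that hit."""
    hits = parse_log(text)
    for h in hits:
        if h.class_name == class_name:
            return {"total_hits": len(hits), "hit_index": h.index,
                    "user_return": first_user_return(h.stack)}
    return {"total_hits": len(hits), "hit_index": None, "user_return": None}


def class_histogram(text):
    """How many windows of each class were created before the run stopped."""
    counts = {}
    for h in parse_log(text):
        counts[h.class_name] = counts.get(h.class_name, 0) + 1
    return counts


# Constructed log: 30 hits, the last of which creates the RarReminder window.
SAMPLE_LOG = "\n".join(
    [f'hit {i} class=L"WinRAR" stack=00007FFC10012345,00007FF6780B1100' for i in range(1, 10)]
    + [f'hit {i} class=L"BUTTON" stack=00007FFC10012345,00007FF6780B2200' for i in range(10, 30)]
    + ['hit 30 class=L"RarReminder" stack=00007FFC10012345,00007FF6780AD4E8']
)

if __name__ == "__main__":
    result = locate_window_creator(SAMPLE_LOG, "RarReminder")
    print(f"breakpoint hit {result['total_hits']} times; RarReminder created on hit "
          f"{result['hit_index']}; user-mode return address {result['user_return']:016X}")
    print(class_histogram(SAMPLE_LOG))
```

Whether the log comes from a debugger, an API-monitoring tool or a sandbox trace, the same two questions apply: which hit created the window of interest, and which application frame was on the stack when it did.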

This returns to address 00007FF6780AD4E8. Looking upward in the disassembly, you will see the obviously ad-related URL “http://ad.winrar.com.cn/show_40.html?L=7&bl=7&v=540&a=64&src=wrr”.

The assembly code of the function is as follows (x64dbg listing: address | instruction | comment):

00007FF6780AD077 | int3 |
00007FF6780AD078 | mov qword ptr ss:[rsp+8],rbx |
00007FF6780AD07D | mov qword ptr ss:[rsp+10],rbp |
00007FF6780AD082 | mov qword ptr ss:[rsp+18],rsi |
00007FF6780AD087 | push rdi |
00007FF6780AD088 | push r12 |
00007FF6780AD08A | push r13 |
00007FF6780AD08C | push r14 |
00007FF6780AD08E | push r15 |
00007FF6780AD090 | mov eax,1080 |
00007FF6780AD095 | call winrar.7FF6780F8BD0 |
00007FF6780AD09A | sub rsp,rax |
00007FF6780AD09D | mov rax,qword ptr ds:[7FF678148200] |
00007FF6780AD0A4 | xor rax,rsp |
00007FF6780AD0A7 | mov qword ptr ss:[rsp+1070],rax |
00007FF6780AD0AF | xor r15d,r15d |
00007FF6780AD0B2 | mov sil,cl |
00007FF6780AD0B5 | cmp byte ptr ds:[7FF67819A204],r15b |
00007FF6780AD0BC | je winrar.7FF6780AD0C6 |
00007FF6780AD0BE | test dl,dl |
00007FF6780AD0C0 | je winrar.7FF6780AD55D |
00007FF6780AD0C6 | or rbp,FFFFFFFFFFFFFFFF |
00007FF6780AD0CA | mov r12d,1 |
00007FF6780AD0D0 | cmp dword ptr ds:[7FF678145EE4],r15d |
00007FF6780AD0D7 | je winrar.7FF6780AD127 |
00007FF6780AD0D9 | mov rcx,r15 |
00007FF6780AD0DC | lea rbx,qword ptr ds:[7FF678145ED0] | 7FF678145ED0:"8g3#0w1$5r7%2ta"
00007FF6780AD0E3 | mov r9,r15 |
00007FF6780AD0E6 | mov r8d,480 |
00007FF6780AD0EC | xor byte ptr ds:[r9+rbx],cl |
00007FF6780AD0F0 | movabs rax,AAAAAAAAAAAAAAAB |
00007FF6780AD0FA | mul rcx |
00007FF6780AD0FD | add rcx,3 |
00007FF6780AD101 | add r9,r12 |
00007FF6780AD104 | shr rdx,1 | rdx:L"RarReminder"
00007FF6780AD107 | add rcx,rdx | rdx:L"RarReminder"
00007FF6780AD10A | and ecx,FFFFFF |
00007FF6780AD110 | cmp r9,r8 | r8:L"WinRAR"
00007FF6780AD113 | jb winrar.7FF6780AD0EC |
00007FF6780AD115 | cmp dword ptr ds:[7FF678145EE4],r15d |
00007FF6780AD11C | je winrar.7FF6780AD1B9 |
00007FF6780AD122 | jmp winrar.7FF6780AD1AF |
00007FF6780AD127 | mov ecx,4F8 |
00007FF6780AD12C | call winrar.7FF678093F34 |
00007FF6780AD131 | mov rbx,rax |
00007FF6780AD134 | cmp word ptr ds:[rax],23 | 23:'#'
00007FF6780AD138 | jne winrar.7FF6780AD154 |
00007FF6780AD13A | cmp word ptr ds:[rax+2],23 | 23:'#'
00007FF6780AD13F | jne winrar.7FF6780AD154 |
00007FF6780AD141 | mov rax,rbp |
00007FF6780AD144 | inc rax |
00007FF6780AD147 | cmp word ptr ds:[rbx+rax*2],r15w |
00007FF6780AD14C | jne winrar.7FF6780AD144 |
00007FF6780AD14E | cmp rax,64 | 64:'d'
00007FF6780AD152 | jae winrar.7FF6780AD15B |
00007FF6780AD154 | mov rbx,qword ptr ds:[7FF678146350] | 7FF678146350:&L"##0C69??3n:rbtmee,fon)Okskcift.;kckgvgfa:$I&pitvdg8RBTMEE&iambhj`rdgf;gmuqq&ucswnmk=$P&euamiwcbprp`=$G=]1rbtmee,fon)Okskcift.;kckgvgfa:$I&pitvdg8RBTMEE&iambhj`rdgf;gmuqqexvhvbf&vftrmhl8$U&`vdjltfeuqug8$B;>WBQK=0W5hwrq>(-waqj`f)ajm,Hnpndleq)>hflbubad9$N&slssgb?WAQJ@F&ndngoocwcbe>cxtnp`d&pdvtkjn>$W&fpfhjrdgswwe>$@:"
00007FF6780AD15B | mov edi,1000 |
00007FF6780AD160 | lea rcx,qword ptr ss:[rsp+70] |
00007FF6780AD165 | mov r8d,edi |
00007FF6780AD168 | xor edx,edx |
00007FF6780AD16A | call winrar.7FF6780F9ED0 |
00007FF6780AD16F | lea rcx,qword ptr ds:[rbx+4] |
00007FF6780AD173 | mov r8d,edi |
00007FF6780AD176 | lea rdx,qword ptr ss:[rsp+70] |
00007FF6780AD17B | call winrar.7FF67809CA7C |
00007FF6780AD180 | lea rax,qword ptr ss:[rsp+70] |
00007FF6780AD185 | mov r8,rbp |
00007FF6780AD188 | inc r8 | r8:L"WinRAR"
00007FF6780AD18B | cmp byte ptr ds:[rax+r8],r15b |
00007FF6780AD18F | jne winrar.7FF6780AD188 |
00007FF6780AD191 | lea rbx,qword ptr ds:[7FF678145ED0] | 7FF678145ED0:"8g3#0w1$5r7%2ta"
00007FF6780AD198 | mov rcx,rbx |
00007FF6780AD19B | lea rdx,qword ptr ss:[rsp+70] |
00007FF6780AD1A0 | call winrar.7FF6780AC24C |
00007FF6780AD1A5 | test al,al |
00007FF6780AD1A7 | jne winrar.7FF6780AD1B9 |
00007FF6780AD1A9 | mov r8d,480 |
00007FF6780AD1AF | xor edx,edx |
00007FF6780AD1B1 | mov rcx,rbx |
00007FF6780AD1B4 | call winrar.7FF6780F9ED0 |
00007FF6780AD1B9 | cmp byte ptr ds:[7FF6781857E4],r15b |
00007FF6780AD1C0 | jne winrar.7FF6780AD1CE |
00007FF6780AD1C2 | cmp dword ptr ds:[7FF678158474],28 | 28:'('
00007FF6780AD1C9 | mov dil,r12b |
00007FF6780AD1CC | ja winrar.7FF6780AD1D1 |
00007FF6780AD1CE | mov dil,r15b |
00007FF6780AD1D1 | test sil,sil |
00007FF6780AD1D4 | je winrar.7FF6780AD528 |
00007FF6780AD1DA | call winrar.7FF678078ECC |
00007FF6780AD1DF | cmp eax,501 |
00007FF6780AD1E4 | ja winrar.7FF6780AD1F6 |
00007FF6780AD1E6 | test dword ptr ds:[7FF678145EE0],200 |
00007FF6780AD1F0 | je winrar.7FF6780AD55D |
00007FF6780AD1F6 | cmp byte ptr ds:[7FF678146250],r15b | 7FF678146250:"http://ad.winrar.com.cn/show_40.html?L=7&bl=7&v=540&a=64&src=wrr"
00007FF6780AD1FD | je winrar.7FF6780AD55D |
00007FF6780AD203 | mov byte ptr ds:[7FF678145FFB],r15b |
00007FF6780AD20A | mov byte ptr ds:[7FF6781460FF],r15b |
00007FF6780AD211 | mov byte ptr ds:[7FF67814634F],r15b |
00007FF6780AD218 | test dil,dil |
00007FF6780AD21B | jne winrar.7FF6780AD22F |
00007FF6780AD21D | mov al,byte ptr ds:[7FF678145EE0] |
00007FF6780AD223 | and al,80 |
00007FF6780AD225 | neg al |
00007FF6780AD227 | sbb eax,eax |
00007FF6780AD229 | and dword ptr ds:[7FF678145EE8],eax |
00007FF6780AD22F | cmp dword ptr ds:[7FF678145EF8],r15d |
00007FF6780AD236 | lea rbp,qword ptr ds:[7FF678146250] | 7FF678146250:"http://ad.winrar.com.cn/show_40.html?L=7&bl=7&v=540&a=64&src=wrr"
00007FF6780AD23D | mov bl,r15b |
00007FF6780AD240 | lea rsi,qword ptr ds:[7FF67811BA38] | 7FF67811BA38:L"Interface\\Misc"
00007FF6780AD247 | mov r13d,100 |
00007FF6780AD24D | jbe winrar.7FF6780AD2A1 |
00007FF6780AD24F | cmp byte ptr ds:[7FF6781857E4],r15b |
00007FF6780AD256 | jne winrar.7FF6780AD2A1 |
00007FF6780AD258 | xor r8d,r8d |
00007FF6780AD25B | lea rdx,qword ptr ds:[7FF678120DC8] | rdx:L"RarReminder", 7FF678120DC8:L"RemShown"
00007FF6780AD262 | mov rcx,rsi |
00007FF6780AD265 | call winrar.7FF6780AB6AC |
00007FF6780AD26A | cmp eax,dword ptr ds:[7FF678145EF8] |
00007FF6780AD270 | jae winrar.7FF6780AD2A1 |
00007FF6780AD272 | lea r8d,dword ptr ds:[rax+1] |
00007FF6780AD276 | mov rcx,rsi |
00007FF6780AD279 | lea rdx,qword ptr ds:[7FF678120DC8] | rdx:L"RarReminder", 7FF678120DC8:L"RemShown"
00007FF6780AD280 | call winrar.7FF6780AC210 |
00007FF6780AD285 | cmp byte ptr ds:[7FF678145EFC],r15b | 7FF678145EFC:"http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$V&a=$A&src=wrr"
00007FF6780AD28C | mov bl,r12b |
00007FF6780AD28F | je winrar.7FF6780AD34E |
00007FF6780AD295 | lea rdx,qword ptr ds:[7FF678145EFC] | rdx:L"RarReminder", 7FF678145EFC:"http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$V&a=$A&src=wrr"
00007FF6780AD29C | jmp winrar.7FF6780AD343 |
00007FF6780AD2A1 | cmp dword ptr ds:[7FF678145FFC],r15d |
00007FF6780AD2A8 | jbe winrar.7FF6780AD2F1 |
00007FF6780AD2AA | test dil,dil |
00007FF6780AD2AD | je winrar.7FF6780AD2F1 |
00007FF6780AD2AF | xor r8d,r8d |
00007FF6780AD2B2 | lea rdx,qword ptr ds:[7FF678120DE0] | rdx:L"RarReminder", 7FF678120DE0:L"ExpRemShown"
00007FF6780AD2B9 | mov rcx,rsi |
00007FF6780AD2BC | call winrar.7FF6780AB6AC |
00007FF6780AD2C1 | cmp eax,dword ptr ds:[7FF678145FFC] |
00007FF6780AD2C7 | jae winrar.7FF6780AD2F1 |
00007FF6780AD2C9 | lea r8d,dword ptr ds:[rax+1] |
00007FF6780AD2CD | mov rcx,rsi |
00007FF6780AD2D0 | lea rdx,qword ptr ds:[7FF678120DE0] | rdx:L"RarReminder", 7FF678120DE0:L"ExpRemShown"
00007FF6780AD2D7 | call winrar.7FF6780AC210 |
00007FF6780AD2DC | cmp byte ptr ds:[7FF678146000],r15b | 7FF678146000:"http://ad.winrar.com.cn/show_40.html?L=7&bl=7&v=$V&a=$A&src=wrr"
00007FF6780AD2E3 | mov bl,r12b |
00007FF6780AD2E6 | je winrar.7FF6780AD34E |
00007FF6780AD2E8 | lea rdx,qword ptr ds:[7FF678146000] | rdx:L"RarReminder", 7FF678146000:"http://ad.winrar.com.cn/show_40.html?L=7&bl=7&v=$V&a=$A&src=wrr"
00007FF6780AD2EF | jmp winrar.7FF6780AD343 |
00007FF6780AD2F1 | cmp dword ptr ds:[7FF678146100],r15d |
00007FF6780AD2F8 | jbe winrar.7FF6780AD34E |
00007FF6780AD2FA | cmp byte ptr ds:[7FF6781857E4],r15b |
00007FF6780AD301 | je winrar.7FF6780AD34E |
00007FF6780AD303 | xor r8d,r8d |
00007FF6780AD306 | lea rdx,qword ptr ds:[7FF678120DF8] | rdx:L"RarReminder", 7FF678120DF8:L"RegRemShown"
00007FF6780AD30D | mov rcx,rsi |
00007FF6780AD310 | call winrar.7FF6780AB6AC |
00007FF6780AD315 | cmp eax,dword ptr ds:[7FF678146100] |
00007FF6780AD31B | jae winrar.7FF6780AD34E |
00007FF6780AD31D | lea r8d,dword ptr ds:[rax+1] |
00007FF6780AD321 | mov rcx,rsi |
00007FF6780AD324 | lea rdx,qword ptr ds:[7FF678120DF8] | rdx:L"RarReminder", 7FF678120DF8:L"RegRemShown"
00007FF6780AD32B | call winrar.7FF6780AC210 |
00007FF6780AD330 | cmp byte ptr ds:[7FF678146104],r15b |
00007FF6780AD337 | mov bl,r12b |
00007FF6780AD33A | je winrar.7FF6780AD34E |
00007FF6780AD33C | lea rdx,qword ptr ds:[7FF678146104] | rdx:L"RarReminder"
00007FF6780AD343 | mov r8,r13 | r8:L"WinRAR"
00007FF6780AD346 | mov rcx,rbp |
00007FF6780AD349 | call winrar.7FF678099E48 |
00007FF6780AD34E | call qword ptr ds:[] |
00007FF6780AD354 | mov ecx,eax |
00007FF6780AD356 | mov eax,10624DD3 |
00007FF6780AD35B | mul ecx |
00007FF6780AD35D | mov eax,edx |
00007FF6780AD35F | shr eax,6 |
00007FF6780AD362 | cmp byte ptr ds:[7FF6781857E4],r15b |
00007FF6780AD369 | je winrar.7FF6780AD382 |
00007FF6780AD36B | mov ecx,dword ptr ds:[7FF678145EF4] |
00007FF6780AD371 | test ecx,ecx |
00007FF6780AD373 | je winrar.7FF6780AD3B2 |
00007FF6780AD375 | xor edx,edx |
00007FF6780AD377 | div ecx |
00007FF6780AD379 | test edx,edx |
00007FF6780AD37B | jne winrar.7FF6780AD3B2 |
00007FF6780AD37D | mov bl,r12b |
00007FF6780AD380 | jmp winrar.7FF6780AD3B2 |
00007FF6780AD382 | test dil,dil |
00007FF6780AD385 | jne winrar.7FF6780AD39B |
00007FF6780AD387 | mov ecx,dword ptr ds:[7FF678145EEC] |
00007FF6780AD38D | test ecx,ecx |
00007FF6780AD38F | je winrar.7FF6780AD3B2 |
00007FF6780AD391 | xor edx,edx |
00007FF6780AD393 | div ecx |
00007FF6780AD395 | test edx,edx |
00007FF6780AD397 | jne winrar.7FF6780AD3B2 |
00007FF6780AD399 | jmp winrar.7FF6780AD3BA |
00007FF6780AD39B | mov ecx,dword ptr ds:[7FF678145EF0] |
00007FF6780AD3A1 | test ecx,ecx |
00007FF6780AD3A3 | je winrar.7FF6780AD3B2 |
00007FF6780AD3A5 | xor edx,edx |
00007FF6780AD3A7 | movzx ebx,bl |
00007FF6780AD3AA | div ecx |
00007FF6780AD3AC | test edx,edx |
00007FF6780AD3AE | cmove ebx,r12d |
00007FF6780AD3B2 | test bl,bl |
00007FF6780AD3B4 | je winrar.7FF6780AD55D |
00007FF6780AD3BA | test byte ptr ds:[7FF678145EE0],2 |
00007FF6780AD3C1 | mov edi,16C80000 |
00007FF6780AD3C6 | mov eax,16CC0000 |
00007FF6780AD3CB | cmove edi,eax |
00007FF6780AD3CE | test byte ptr ds:[7FF678145EE0],8 |
00007FF6780AD3D5 | jne winrar.7FF6780AD3DD |
00007FF6780AD3D7 | or edi,30000 |
00007FF6780AD3DD | mov ecx,dword ptr ds:[7FF678146208] |
00007FF6780AD3E3 | mov ebx,80000000 |
00007FF6780AD3E8 | mov esi,ebx |
00007FF6780AD3EA | mov ebp,ebx |
00007FF6780AD3EC | mov r14d,ebx |
00007FF6780AD3EF | test ecx,ecx |
00007FF6780AD3F1 | je winrar.7FF6780AD494 |
00007FF6780AD3F7 | cmp dword ptr ds:[7FF678146204],r15d |
00007FF6780AD3FE | je winrar.7FF6780AD494 |
00007FF6780AD404 | call winrar.7FF6780D08F8 |
00007FF6780AD409 | mov ecx,21 | 21:'!'
00007FF6780AD40E | mov ebx,eax |
00007FF6780AD410 | call qword ptr ds:[] |
00007FF6780AD416 | mov ecx,4 |
00007FF6780AD41B | lea esi,dword ptr ds:[rbx+rax*2] |
00007FF6780AD41E | call qword ptr ds:[] |
00007FF6780AD424 | add esi,eax |
00007FF6780AD426 | mov eax,dword ptr ds:[7FF678145EE0] |
00007FF6780AD42C | test al,40 |
00007FF6780AD42E | jne winrar.7FF6780AD435 |
00007FF6780AD430 | test r13d,eax |
00007FF6780AD433 | jne winrar.7FF6780AD43B |
00007FF6780AD435 | add esi,dword ptr ds:[7FF67819A200] |
00007FF6780AD43B | mov ecx,dword ptr ds:[7FF678146204] |
00007FF6780AD441 | call winrar.7FF6780D088C |
00007FF6780AD446 | mov ecx,20 | 20:' '
00007FF6780AD44B | mov ebx,eax |
00007FF6780AD44D | call qword ptr ds:[] |
00007FF6780AD453 | xor edx,edx |
00007FF6780AD455 | lea r8,qword ptr ss:[rsp+60] |
00007FF6780AD45A | xor r9d,r9d |
00007FF6780AD45D | lea ebx,dword ptr ds:[rbx+rax*2] |
00007FF6780AD460 | lea ecx,dword ptr ds:[rdx+30] | rdx+30:L"BUTTON"
00007FF6780AD463 | call qword ptr ds:[
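One detail in the listing worth understanding before touching anything is the loop between 00007FF6780AD0EC and 00007FF6780AD113: it XORs 0x480 bytes at 7FF678145ED0 with the low byte of rcx and then updates rcx as (rcx + 3 + rcx/3) & 0xFFFFFF, where `movabs rax,AAAAAAAAAAAAAAAB; mul rcx; shr rdx,1` is the compiler's multiply-by-reciprocal form of an unsigned division by 3 (3 * 0xAAAAAAAAAAAAAAAB equals 2^65 + 1). The Python below is an added example, not WinRAR's code and not part of the original post, that re-implements that keystream so the reading of the loop can be checked outside the debugger; the reading itself is my interpretation of the instructions above. Since the page does not reproduce the bytes of the table, the demo encodes a constructed plaintext with the same keystream and decodes it again (XOR is its own inverse).

```python
"""Re-implementation of the byte-XOR loop at 00007FF6780AD0EC..00007FF6780AD113.

Interpretation of the loop (mine, not stated in the write-up):
    rcx = 0                              ; mov rcx,r15   (r15 is zero here)
    for i in range(0x480):               ; mov r8d,480 / cmp r9,r8 / jb
        buf[i] ^= rcx & 0xFF             ; xor byte ptr [r9+rbx],cl
        q = (rcx * 0xAAAAAAAAAAAAAAAB) >> 65   ; mul rcx ; shr rdx,1  == rcx // 3
        rcx = (rcx + 3 + q) & 0xFFFFFF   ; add rcx,3 ; add rcx,rdx ; and ecx,FFFFFF
"""

MAGIC = 0xAAAAAAAAAAAAAAAB  # 3 * MAGIC == 2**65 + 1, the reciprocal used for /3
MASK24 = 0xFFFFFF           # 'and ecx,FFFFFF' also zeroes the upper 32 bits of rcx
BUF_LEN = 0x480             # mov r8d,480


def div3_via_mul(x):
    """Exactly what 'mul rcx; shr rdx,1' computes: rdx receives the high 64 bits
    of the 128-bit product, shifted right once more. Equals x // 3 for every
    0 <= x < 2**64, which is why compilers emit it instead of a div."""
    assert 0 <= x < 1 << 64
    high64 = (x * MAGIC) >> 64
    return high64 >> 1


def keystream(n):
    """Yield the n key bytes (the value of cl) the loop applies, in order."""
    rcx = 0
    for _ in range(n):
        yield rcx & 0xFF
        rcx = (rcx + 3 + div3_via_mul(rcx)) & MASK24


def xor_buffer(data):
    """Apply the loop to a byte buffer. Only the first BUF_LEN bytes are
    touched, as in the loop; XOR means this both encodes and decodes."""
    out = bytearray(data)
    for i, k in zip(range(min(len(out), BUF_LEN)), keystream(BUF_LEN)):
        out[i] ^= k
    return bytes(out)


def round_trip(plaintext):
    """Encode then decode; returns the original bytes if the model is consistent."""
    return xor_buffer(xor_buffer(plaintext))


if __name__ == "__main__":
    print("first key bytes:", list(keystream(8)))
    sample = b"constructed sample text, not the real table\0"  # constructed input
    enc = xor_buffer(sample)
    print("encoded:", enc.hex())
    print("decoded:", xor_buffer(enc))
```

The same approach, re-implementing a small transform seen in a listing and round-tripping constructed data through it, is how you confirm you have read a decoding routine correctly before relying on it in any further analysis.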

