
荒野无灯weblog

Sublime Text 3 build 3047 x86/x64

A pretty good editor.

http://www.sublimetext.com/3

Original download: x86 x64

Patch download: Jump to download

debug log

by 荒野无灯
2013-05-16 23:57:36


No packer. The registration check is also fairly simple.

The usual routine: type in an arbitrary license key, and once the error dialog is up, press F12 in OllyDbg to pause the process.

Look at the call stack:

Call stack of main thread
Address  Stack     Procedure / arguments                                        Called from         Frame
0012C0E4 77D19418  Includes ntdll.KiFastSystemCallRet                           user32.77D19416     0012C118
0012C0E8 77D2770A  user32.WaitMessage                                           user32.77D27705     0012C118
0012C11C 77D249C4  user32.77D2757B                                              user32.77D249BF     0012C118
0012C144 77D3A956  user32.77D2490E                                              user32.77D3A951     0012C140
0012C404 77D3A2BC  user32.SoftModalMessageBox                                   user32.77D3A2B7     0012C400
0012C554 77D663FD  user32.77D3A147                                              user32.77D663F8     0012C550
0012C5AC 77D50853  user32.MessageBoxTimeoutW                                    user32.77D5084E     0012C5A8
0012C5CC 77D66579  user32.MessageBoxExW                                         user32.77D66574     0012C5C8
0012C5D0 00110316  hOwner = 00110316 ('Enter License',class='PX_WINDOW_CLASS')
0012C5D4 01E48850  Text = "That license key doesn't appear to be valid...Please check that y
0012C5D8 019A5D80  Title = "Sublime Text"
0012C5DC 00000010  Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012C5E0 00000000  LanguageID = 0x0 (LANGNEUTRAL)
0012C5E8 005CDE34  user32.MessageBoxW                                           sublime.005CDE2E    0012C5E4
0012C5EC 00110316  hOwner = 00110316 ('Enter License',class='PX_WINDOW_CLASS')
0012C5F0 01E48850  Text = "That license key doesn't appear to be valid...Please check that y
0012C5F4 019A5D80  Title = "Sublime Text"
0012C5F8 00000010  Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012C654 004C635F  ? sublime.005CDD98                                           sublime_.004C635A   0012C650

Go and look at the caller: it is an obvious switch/case.

004C621D  . 395D E8          cmp dword ptr ss:[ebp-0x18], ebx
004C6220  . 0F84 3D010000    je sublime.004C6363
004C6226  . 8D45 8C          lea eax, dword ptr ss:[ebp-0x74]
004C6229  . 50               push eax
004C622A  . 68 04437400      push sublime.00744304
004C622F  . 51               push ecx
004C6230  . 8D45 D8          lea eax, dword ptr ss:[ebp-0x28]
004C6233  . 50               push eax
004C6234  . E8 2BF3FFFF      call sublime.004C5564
004C6239  . 83C4 10          add esp, 0x10
004C623C  . 85C0             test eax, eax
004C623E  . 0F9405 004374>   sete byte ptr ds:[0x744300]
004C6245    85C0             test eax, eax
004C6247  . 0F85 E3000000    jnz sublime.004C6330
............
004C6318  > 68 C40C6700      push sublime.00670CC4                  ; ASCII "Thanks for purchasing!"
......
004C635A  . E8 397A1000      call sublime.005CDD98

From the assembly above, the return value of 004C5564 is used directly as the selector for the switch that decides which message to show; the sete at 004C623E also records whether eax was zero in the global byte at 0x744300. From the messages, we can tell what we need 004C5564 to return.

Next, set breakpoints at these three places:

004C6220  . 0F84 3D010000    je sublime.004C6363
......
004C6234  . E8 2BF3FFFF      call sublime.004C5564
......
004C6247  . 0F85 E3000000    jnz sublime_.004C6330

and re-test the registration. The jump at 004C6220 is not taken, and the call at 004C6234 returns 1. Clearly, when it returns 1 the program jumps to 004C6330 and shows the invalid-license-key message. So we step into 004C5564.

004C5564 /$ 6A 70            push 0x70                              ; set a breakpoint here
004C5566 |. B8 0D376500      mov eax, sublime.0065370D
004C556B |. E8 46470300      call sublime.004F9CB6
004C5570 |. 8B45 10          mov eax, dword ptr ss:[ebp+0x10]
004C5573 |. 8B75 08          mov esi, dword ptr ss:[ebp+0x8]
004C5576 |. 8B7D 0C          mov edi, dword ptr ss:[ebp+0xC]
004C5579 |. 8945 88          mov dword ptr ss:[ebp-0x78], eax
004C557C |. 8B45 14          mov eax, dword ptr ss:[ebp+0x14]
004C557F |. 68 00096700      push sublime.00670900                  ; ASCII "30819D300D06092A864886F70D010101050003818B0030818702818100D87BA24562F7C5D14A0CFB12B9740C195C6BDC7E6D6EC92BAC0EB29D59E1D9AE67890C2B88C3ABDCAFFE7D4A33DCC1BFBE531A251CEF0C923F06BE79B2328559ACFEE986D5E15E4D1766EA56C4E10657FA74DB0977C3FB7582B"...
004C5584 |. 8D4D 90          lea ecx, dword ptr ss:[ebp-0x70]
004C5587 |. 8945 8C          mov dword ptr ss:[ebp-0x74], eax
004C558A |. E8 36C2F3FF      call sublime.004017C5
004C558F |. 33DB             xor ebx, ebx                           ; default return value is 0 (license key valid)
004C5591 |. 6A 0F            push 0xF
004C5593 |. 58               pop eax                                ; sublime.004A3C88
004C5594 |. 895D FC          mov dword ptr ss:[ebp-0x4], ebx
004C5597 |. 8945 BC          mov dword ptr ss:[ebp-0x44], eax
004C559A |. 895D B8          mov dword ptr ss:[ebp-0x48], ebx
004C559D |. 885D A8          mov byte ptr ss:[ebp-0x58], bl
004C55A0 |. 8945 D4          mov dword ptr ss:[ebp-0x2C], eax
004C55A3 |. 895D D0          mov dword ptr ss:[ebp-0x30], ebx
004C55A6 |. 885D C0          mov byte ptr ss:[ebp-0x40], bl
004C55A9 |. 8945 EC          mov dword ptr ss:[ebp-0x14], eax
004C55AC |. 895D E8          mov dword ptr ss:[ebp-0x18], ebx
004C55AF |. 885D D8          mov byte ptr ss:[ebp-0x28], bl
004C55B2 |. 8D45 D8          lea eax, dword ptr ss:[ebp-0x28]
004C55B5 |. 50               push eax
004C55B6 |. 8D45 C0          lea eax, dword ptr ss:[ebp-0x40]
004C55B9 |. 50               push eax
004C55BA |. 8D45 84          lea eax, dword ptr ss:[ebp-0x7C]
004C55BD |. 50               push eax
004C55BE |. 8D45 A8          lea eax, dword ptr ss:[ebp-0x58]
004C55C1 |. 50               push eax
004C55C2 |. 8D45 90          lea eax, dword ptr ss:[ebp-0x70]
004C55C5 |. 50               push eax
004C55C6 |. 56               push esi
004C55C7 |. C645 FC 03       mov byte ptr ss:[ebp-0x4], 0x3
004C55CB |. E8 F2AA1500      call sublime.006200C2                  ; if this function returns 0 the key is invalid; otherwise continue with the checks below
004C55D0 |. 83C4 18          add esp, 0x18
004C55D3 |. 84C0             test al, al
004C55D5 |. 74 1E            je short sublime.004C55F5
004C55D7 |. BE 440A6700      mov esi, sublime.00670A44              ; ASCII "EA7E"
004C55DC |. 56               push esi
004C55DD |. E8 22E8F3FF      call sublime.00403E04
004C55E2 |. 59               pop ecx                                ; sublime.004A3C88
004C55E3 |. 50               push eax
004C55E4 |. 56               push esi
004C55E5 |. FF75 D0          push dword ptr ss:[ebp-0x30]
004C55E8 |. 8D4D C0          lea ecx, dword ptr ss:[ebp-0x40]
004C55EB |. 53               push ebx
004C55EC |. E8 D44BF4FF      call sublime.0040A1C5
004C55F1 |. 85C0             test eax, eax
004C55F3 |. 74 08            je short sublime.004C55FD
004C55F5 |> 33DB             xor ebx, ebx
004C55F7 |. 43               inc ebx
004C55F8 |. E9 75050000      jmp sublime.004C5B72                   ; this jump means the key is not valid; the function returns 1
004C55FD |> 837D EC 10       cmp dword ptr ss:[ebp-0x14], 0x10
004C5601 |. 8D45 D8          lea eax, dword ptr ss:[ebp-0x28]
004C5604 |. 0F4345 D8        cmovnb eax, dword ptr ss:[ebp-0x28]
004C5608 |. 50               push eax
004C5609 |. E8 90950300      call sublime.004FEB9E
004C560E |. 59               pop ecx                                ; sublime.004A3C88
004C560F |. 3D 241C0C00      cmp eax, 0xC1C24                       ; from here on: comparisons against license IDs that are no longer supported
004C5614 |. 0F84 55050000    je sublime.004C5B6F
004C561A |. 3D 231C0C00      cmp eax, 0xC1C23
004C561F |. 0F84 4A050000    je sublime.004C5B6F
004C5625 |. 3D 261C0C00      cmp eax, 0xC1C26
004C562A |. 0F84 3F050000    je sublime.004C5B6F
004C5630 |. 3D 1C1C0C00      cmp eax, 0xC1C1C
004C5635 |. 0F84 34050000    je sublime.004C5B6F
004C563B |. 3D A21A0C00      cmp eax, 0xC1AA2
004C5640 |. 0F84 29050000    je sublime.004C5B6F
004C5646 |. 3D 5C1C0C00      cmp eax, 0xC1C5C
004C564B |. 0F84 1E050000    je sublime.004C5B6F
004C5651 |. 3D 591C0C00      cmp eax, 0xC1C59
004C5656 |. 0F84 13050000    je sublime.004C5B6F
004C565C |. 3D 9B1C0C00      cmp eax, 0xC1C9B
004C5661 |. 0F84 08050000    je sublime.004C5B6F
004C5667 |. 3D 841C0C00      cmp eax, 0xC1C84
004C566C |. 0F84 FD040000    je sublime.004C5B6F
004C5672 |. 3D 41220C00      cmp eax, 0xC2241
004C5677 |. 0F84 F2040000    je sublime.004C5B6F
004C567D |. 3D EA230C00      cmp eax, 0xC23EA
004C5682 |. 0F84 E7040000    je sublime.004C5B6F
004C5688 |. 3D 3A240C00      cmp eax, 0xC243A
004C568D |. 0F84 DC040000    je sublime.004C5B6F
004C5693 |. 3D 7C250C00      cmp eax, 0xC257C
004C5698 |. 0F84 D1040000    je sublime.004C5B6F
004C569E |. 3D D2270C00      cmp eax, 0xC27D2
004C56A3 |. 0F84 C6040000    je sublime.004C5B6F
004C56A9 |. 3D AB290C00      cmp eax, 0xC29AB
004C56AE |. 0F84 BB040000    je sublime.004C5B6F
004C56B4 |. 3D 722E0C00      cmp eax, 0xC2E72
004C56B9 |. 0F84 B0040000    je sublime.004C5B6F
004C56BF |. 3D 89310C00      cmp eax, 0xC3189
004C56C4 |. 0F84 A5040000    je sublime.004C5B6F
004C56CA |. 3D 5A330C00      cmp eax, 0xC335A
004C56CF |. 0F84 9A040000    je sublime.004C5B6F
004C56D5 |. 3D D9320C00      cmp eax, 0xC32D9
004C56DA |. 0F84 8F040000    je sublime.004C5B6F
004C56E0 |. 3D 4A330C00      cmp eax, 0xC334A
004C56E5 |. 0F84 84040000    je sublime.004C5B6F
004C56EB |. 3D 92270C00      cmp eax, 0xC2792
004C56F0 |. 0F84 79040000    je sublime.004C5B6F
004C56F6 |. 3D DD340C00      cmp eax, 0xC34DD
004C56FB |. 0F84 6E040000    je sublime.004C5B6F
004C5701 |. 3D E2270C00      cmp eax, 0xC27E2
004C5706 |. 0F84 63040000    je sublime.004C5B6F
004C570C |. 3D 60370C00      cmp eax, 0xC3760
004C5711 |. 0F84 58040000    je sublime.004C5B6F
004C5717 |. 3D C7370C00      cmp eax, 0xC37C7
004C571C |. 0F84 4D040000    je sublime.004C5B6F
004C5722 |. 3D EC390C00      cmp eax, 0xC39EC
004C5727 |. 0F84 42040000    je sublime.004C5B6F
004C572D |. 3D AA3E0C00      cmp eax, 0xC3EAA
004C5732 |. 0F84 37040000    je sublime.004C5B6F
004C5738 |. 3D 9D410C00      cmp eax, 0xC419D
004C573D |. 0F84 2C040000    je sublime.004C5B6F
004C5743 |. 3D D4480C00      cmp eax, 0xC48D4
004C5748 |. 0F84 21040000    je sublime.004C5B6F
004C574E |. 3D E1470C00      cmp eax, 0xC47E1
004C5753 |. 0F84 16040000    je sublime.004C5B6F
004C5759 |. 3D CB4A0C00      cmp eax, 0xC4ACB
004C575E |. 0F84 0B040000    je sublime.004C5B6F
004C5764 |. 3D 984D0C00      cmp eax, 0xC4D98
004C5769 |. 0F84 00040000    je sublime.004C5B6F
004C576F |. 3D 4C500C00      cmp eax, 0xC504C
004C5774 |. 0F84 F5030000    je sublime.004C5B6F
004C577A |. 3D 5A520C00      cmp eax, 0xC525A
004C577F |. 0F84 EA030000    je sublime.004C5B6F
004C5785 |. 3D F23E0C00      cmp eax, 0xC3EF2
004C578A |. 0F84 DF030000    je sublime.004C5B6F
004C5790 |. 3D DE440C00      cmp eax, 0xC44DE
004C5795 |. 0F84 D4030000    je sublime.004C5B6F
004C579B |. 3D BA580C00      cmp eax, 0xC58BA
004C57A0 |. 0F84 C9030000    je sublime.004C5B6F
004C57A6 |. 3D 0D580C00      cmp eax, 0xC580D
004C57AB |. 0F84 BE030000    je sublime.004C5B6F
004C57B1 |. 3D BA550C00      cmp eax, 0xC55BA
004C57B6 |. 0F84 B3030000    je sublime.004C5B6F
004C57BC |. 3D 485D0C00      cmp eax, 0xC5D48
004C57C1 |. 0F84 A8030000    je sublime.004C5B6F
004C57C7 |. 3D C3680C00      cmp eax, 0xC68C3
004C57CC |. 0F84 9D030000    je sublime.004C5B6F
004C57D2 |. 3D 94680C00      cmp eax, 0xC6894
004C57D7 |. 0F84 92030000    je sublime.004C5B6F
004C57DD |. 3D 18660C00      cmp eax, 0xC6618
004C57E2 |. 0F84 87030000    je sublime.004C5B6F
004C57E8 |. 3D 6C710C00      cmp eax, 0xC716C
004C57ED |. 0F84 7C030000    je sublime.004C5B6F
004C57F3 |. 3D 7D7A0C00      cmp eax, 0xC7A7D
004C57F8 |. 0F84 71030000    je sublime.004C5B6F
004C57FE |. 3D A05D0C00      cmp eax, 0xC5DA0
004C5803 |. 0F84 66030000    je sublime.004C5B6F
004C5809 |. 3D 55660C00      cmp eax, 0xC6655
004C580E |. 0F84 5B030000    je sublime.004C5B6F
004C5814 |. 3D E86E0C00      cmp eax, 0xC6EE8
004C5819 |. 0F84 50030000    je sublime.004C5B6F
004C581F |. 3D 88720C00      cmp eax, 0xC7288
004C5824 |. 0F84 45030000    je sublime.004C5B6F
004C582A |. 3D 77780C00      cmp eax, 0xC7877
004C582F |. 0F84 3A030000    je sublime.004C5B6F
004C5835 |. 3D A9800C00      cmp eax, 0xC80A9
004C583A |. 0F84 2F030000    je sublime.004C5B6F
004C5840 |. 3D E3810C00      cmp eax, 0xC81E3
004C5845 |. 0F84 24030000    je sublime.004C5B6F
004C584B |. 3D D17A0C00      cmp eax, 0xC7AD1
004C5850 |. 0F84 19030000    je sublime.004C5B6F
004C5856 |. 3D 0A730C00      cmp eax, 0xC730A
004C585B |. 0F84 0E030000    je sublime.004C5B6F
004C5861 |. 3D EE810C00      cmp eax, 0xC81EE
004C5866 |. 0F84 03030000    je sublime.004C5B6F
004C586C |. 3D 58960C00      cmp eax, 0xC9658
004C5871 |. 0F84 F8020000    je sublime.004C5B6F
004C5877 |. 3D 8E990C00      cmp eax, 0xC998E
004C587C |. 0F84 ED020000    je sublime.004C5B6F
004C5882 |. 3D A59B0C00      cmp eax, 0xC9BA5
004C5887 |. 0F84 E2020000    je sublime.004C5B6F
004C588D |. 3D CC9B0C00      cmp eax, 0xC9BCC
004C5892 |. 0F84 D7020000    je sublime.004C5B6F
004C5898 |. 3D 6C930C00      cmp eax, 0xC936C
004C589D |. 0F84 CC020000    je sublime.004C5B6F
004C58A3 |. 3D 73B20C00      cmp eax, 0xCB273
004C58A8 |. 0F84 C1020000    je sublime.004C5B6F
004C58AE |. 3D 33B20C00      cmp eax, 0xCB233
004C58B3 |. 0F84 B6020000    je sublime.004C5B6F
004C58B9 |. 3D 2AE00C00      cmp eax, 0xCE02A
004C58BE |. 0F84 AB020000    je sublime.004C5B6F
004C58C4 |. 3D 55560C00      cmp eax, 0xC5655
004C58C9 |. 0F84 A0020000    je sublime.004C5B6F
004C58CF |. 3D B6D50C00      cmp eax, 0xCD5B6
004C58D4 |. 0F84 95020000    je sublime.004C5B6F
004C58DA |. 3D 5AE10C00      cmp eax, 0xCE15A
004C58DF |. 0F84 8A020000    je sublime.004C5B6F
004C58E5 |. 3D 7A820C00      cmp eax, 0xC827A
004C58EA |. 0F84 7F020000    je sublime.004C5B6F
004C58F0 |. 3D 096D0C00      cmp eax, 0xC6D09
004C58F5 |. 0F84 74020000    je sublime.004C5B6F
004C58FB |. 3D 2D540C00      cmp eax, 0xC542D
004C5900 |. 0F84 69020000    je sublime.004C5B6F
004C5906 |. 3D 3A200C00      cmp eax, 0xC203A
004C590B |. 0F84 5E020000    je sublime.004C5B6F
004C5911 |. 3D C5490C00      cmp eax, 0xC49C5
004C5916 |. 0F84 53020000    je sublime.004C5B6F
004C591C |. 3D 2A1A0C00      cmp eax, 0xC1A2A
004C5921 |. 0F84 48020000    je sublime.004C5B6F
004C5927 |. 3D 973E0C00      cmp eax, 0xC3E97
004C592C |. 0F84 3D020000    je sublime.004C5B6F
004C5932 |. 3D 02E20C00      cmp eax, 0xCE202
004C5937 |. 0F84 32020000    je sublime.004C5B6F
004C593D |. 3D 2A4D0C00      cmp eax, 0xC4D2A
004C5942 |. 0F84 27020000    je sublime.004C5B6F
004C5948 |. 3D 74D30C00      cmp eax, 0xCD374
004C594D |. 0F84 1C020000    je sublime.004C5B6F
004C5953 |. 3D 8ADC0C00      cmp eax, 0xCDC8A
004C5958 |. 0F84 11020000    je sublime.004C5B6F
004C595E |. 3D B5C90C00      cmp eax, 0xCC9B5
004C5963 |. 0F84 06020000    je sublime.004C5B6F
004C5969 |. 3D BCD60C00      cmp eax, 0xCD6BC
004C596E |. 0F84 FB010000    je sublime.004C5B6F
004C5974 |. 3D EABE0C00      cmp eax, 0xCBEEA
004C5979 |. 0F84 F0010000    je sublime.004C5B6F
004C597F |. 3D 6E9F0C00      cmp eax, 0xC9F6E
004C5984 |. 0F84 E5010000    je sublime.004C5B6F
004C598A |. 3D 7D9C0C00      cmp eax, 0xC9C7D
004C598F |. 0F84 DA010000    je sublime.004C5B6F
004C5995 |. 3D 637C0C00      cmp eax, 0xC7C63
004C599A |. 0F84 CF010000    je sublime.004C5B6F
004C59A0 |. 3D CC840C00      cmp eax, 0xC84CC
004C59A5 |. 0F84 C4010000    je sublime.004C5B6F
004C59AB |. 3D 1BEA0C00      cmp eax, 0xCEA1B
004C59B0 |. 0F84 B9010000    je sublime.004C5B6F
004C59B6 |. 3D 8EEC0C00      cmp eax, 0xCEC8E
004C59BB |. 0F84 AE010000    je sublime.004C5B6F
004C59C1 |. 3D 1DF00C00      cmp eax, 0xCF01D
004C59C6 |. 0F84 A3010000    je sublime.004C5B6F
004C59CC |. 3D 75330D00      cmp eax, 0xD3375
004C59D1 |. 0F84 98010000    je sublime.004C5B6F
004C59D7 |. 3D E8260D00      cmp eax, 0xD26E8
004C59DC |. 0F84 8D010000    je sublime.004C5B6F
004C59E2 |. 3D B92F0D00      cmp eax, 0xD2FB9
004C59E7 |. 0F84 82010000    je sublime.004C5B6F
004C59ED |. 3D E2230D00      cmp eax, 0xD23E2
004C59F2 |. 0F84 77010000    je sublime.004C5B6F
004C59F8 |. 3D BE390D00      cmp eax, 0xD39BE
004C59FD |. 0F84 6C010000    je sublime.004C5B6F
004C5A03 |. 3D 02270D00      cmp eax, 0xD2702
004C5A08 |. 0F84 61010000    je sublime.004C5B6F
004C5A0E |. 3D FE360D00      cmp eax, 0xD36FE
004C5A13 |. 0F84 56010000    je sublime.004C5B6F
004C5A19 |. 3D 421C0C00      cmp eax, 0xC1C42
004C5A1E |. 0F84 47010000    je sublime.004C5B6B                   ; from here on: comparisons against blacklisted license IDs
004C5A24 |. 3D DA230C00      cmp eax, 0xC23DA
004C5A29 |. 0F84 3C010000    je sublime.004C5B6B
004C5A2F |. 3D 20280C00      cmp eax, 0xC2820
004C5A34 |. 0F84 31010000    je sublime.004C5B6B
004C5A3A |. 3D 6A280C00      cmp eax, 0xC286A
004C5A3F |. 0F84 26010000    je sublime.004C5B6B
004C5A45 |. 3D 88280C00      cmp eax, 0xC2888
004C5A4A |. 0F84 1B010000    je sublime.004C5B6B
004C5A50 |. 3D C4320C00      cmp eax, 0xC32C4
004C5A55 |. 0F84 10010000    je sublime.004C5B6B
004C5A5B |. 3D F5350C00      cmp eax, 0xC35F5
004C5A60 |. 0F84 05010000    je sublime.004C5B6B
004C5A66 |. 3D 173C0C00      cmp eax, 0xC3C17
004C5A6B |. 0F84 FA000000    je sublime.004C5B6B
004C5A71 |. 3D 463E0C00      cmp eax, 0xC3E46
004C5A76 |. 0F84 EF000000    je sublime.004C5B6B
004C5A7C |. 3D F74A0C00      cmp eax, 0xC4AF7
004C5A81 |. 0F84 E4000000    je sublime.004C5B6B
004C5A87 |. 3D 2D500C00      cmp eax, 0xC502D
004C5A8C |. 0F84 D9000000    je sublime.004C5B6B
004C5A92 |. 3D 43540C00      cmp eax, 0xC5443
004C5A97 |. 0F84 CE000000    je sublime.004C5B6B
004C5A9D |. 3D 3E550C00      cmp eax, 0xC553E
004C5AA2 |. 0F84 C3000000    je sublime.004C5B6B
004C5AA8 |. 3D 27610C00      cmp eax, 0xC6127
004C5AAD |. 0F84 B8000000    je sublime.004C5B6B
004C5AB3 |. 3D 18670C00      cmp eax, 0xC6718
004C5AB8 |. 0F84 AD000000    je sublime.004C5B6B
004C5ABE |. 3D C5750C00      cmp eax, 0xC75C5
004C5AC3 |. 0F84 A2000000    je sublime.004C5B6B
004C5AC9 |. 3D 737C0C00      cmp eax, 0xC7C73
004C5ACE |. 0F84 97000000    je sublime.004C5B6B
004C5AD4 |. 3D 137D0C00      cmp eax, 0xC7D13
004C5AD9 |. 0F84 8C000000    je sublime.004C5B6B
004C5ADF |. 3D 3E830C00      cmp eax, 0xC833E
004C5AE4 |. 0F84 81000000    je sublime.004C5B6B
004C5AEA |. 3D CCA20C00      cmp eax, 0xCA2CC
004C5AEF |. 74 7A            je short sublime.004C5B6B
004C5AF1 |. 3D ABA60C00      cmp eax, 0xCA6AB
004C5AF6 |. 74 73            je short sublime.004C5B6B
004C5AF8 |. 3D 4EAD0C00      cmp eax, 0xCAD4E
004C5AFD |. 74 6C            je short sublime.004C5B6B
004C5AFF |. 3D 28AF0C00      cmp eax, 0xCAF28
004C5B04 |. 74 65            je short sublime.004C5B6B
004C5B06 |. 3D 2DBF0C00      cmp eax, 0xCBF2D
004C5B0B |. 74 5E            je short sublime.004C5B6B
004C5B0D |. 3D 22D00C00      cmp eax, 0xCD022
004C5B12 |. 74 57            je short sublime.004C5B6B
004C5B14 |. 3D 2AE30C00      cmp eax, 0xCE32A
004C5B19 |. 74 50            je short sublime.004C5B6B
004C5B1B |. 3D 8DEA0C00      cmp eax, 0xCEA8D
004C5B20 |. 74 49            je short sublime.004C5B6B
004C5B22 |. 3D 0B390C00      cmp eax, 0xC390B
004C5B27 |. 74 42            je short sublime.004C5B6B
004C5B29 |. 3D 0EC60C00      cmp eax, 0xCC60E
004C5B2E |. 74 3B            je short sublime.004C5B6B
004C5B30 |. 3D 57740C00      cmp eax, 0xC7457
004C5B35 |. 74 34            je short sublime.004C5B6B
004C5B37 |. 3D A0E80C00      cmp eax, 0xCE8A0
004C5B3C |. 74 2D            je short sublime.004C5B6B
004C5B3E |. 8B4D 8C          mov ecx, dword ptr ss:[ebp-0x74]
004C5B41 |. 85C9             test ecx, ecx                          ; sublime.004C5D2B
004C5B43 |. 74 02            je short sublime.004C5B47
004C5B45 |. 8901             mov dword ptr ds:[ecx], eax
004C5B47 |> 85FF             test edi, edi
004C5B49 |. 74 12            je short sublime.004C5B5D
004C5B4B |. 8D45 A8          lea eax, dword ptr ss:[ebp-0x58]
004C5B4E |. 3BF8             cmp edi, eax
004C5B50 |. 74 0B            je short sublime.004C5B5D
004C5B52 |. 6A FF            push -0x1
004C5B54 |. 53               push ebx
004C5B55 |. 50               push eax
004C5B56 |. 8BCF             mov ecx, edi
004C5B58 |. E8 A6D5F3FF      call sublime.00403103
004C5B5D |> 8B4D 88          mov ecx, dword ptr ss:[ebp-0x78]
004C5B60 |. 85C9             test ecx, ecx                          ; sublime.004C5D2B
004C5B62 |. 74 0E            je short sublime.004C5B72
004C5B64 |. 8B45 84          mov eax, dword ptr ss:[ebp-0x7C]
004C5B67 |. 8901             mov dword ptr ds:[ecx], eax
004C5B69 |. EB 07            jmp short sublime.004C5B72
004C5B6B |> 6A 03            push 0x3                               ; if the entered license is on the blacklist, control lands here and the function returns 3
004C5B6D |. EB 02            jmp short sublime.004C5B71
004C5B6F |> 6A 02            push 0x2                               ; a key no longer supported by this build lands here; the function returns 2
004C5B71 |> 5B               pop ebx                                ; sublime.004A3C88
004C5B72 |> 8D4D D8          lea ecx, dword ptr ss:[ebp-0x28]
004C5B75 |. E8 37C0F3FF      call sublime.00401BB1
004C5B7A |. 8D4D C0          lea ecx, dword ptr ss:[ebp-0x40]
004C5B7D |. E8 2FC0F3FF      call sublime.00401BB1
004C5B82 |. 8D4D A8          lea ecx, dword ptr ss:[ebp-0x58]
004C5B85 |. E8 27C0F3FF      call sublime.00401BB1
004C5B8A |. 8D4D 90          lea ecx, dword ptr ss:[ebp-0x70]
004C5B8D |. E8 1FC0F3FF      call sublime.00401BB1
004C5B92 |. 8BC3             mov eax, ebx
004C5B94 |. E8 CC400300      call sublime_.004F9C65
004C5B99  . C3               retn
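The constant pushed at 004C557F deserves a second look before moving on. What follows is an added example, not code from the post or from Sublime Text: it walks the DER tag/length headers of that hex string (copied from the OllyDbg comment exactly as displayed, which means it is truncated) and identifies it as an X.509 SubjectPublicKeyInfo carrying a 1024-bit RSA key under the rsaEncryption OID 1.2.840.113549.1.1.1. The function and variable names are mine; nothing here depends on the missing tail of the string, because only the headers are decoded.

```python
"""Identify the constant pushed at 004C557F as a DER SubjectPublicKeyInfo.

Added example, not code from the original post or from Sublime Text.
KEY_HEX is the ASCII string OllyDbg shows in the comment on that push.
OllyDbg truncates long strings (note the odd digit count), so the modulus
is cut off; a header-only walk is still enough to classify the structure
and read the modulus size.
"""

# Copied from the page's OllyDbg comment; truncated as displayed.
KEY_HEX = (
    "30819D300D06092A864886F70D010101050003818B0030818702818100D87BA24562F7C5D14A0CFB"
    "12B9740C195C6BDC7E6D6EC92BAC0EB29D59E1D9AE67890C2B88C3ABDCAFFE7D4A33DCC1BFBE531A"
    "251CEF0C923F06BE79B2328559ACFEE986D5E15E4D1766EA56C4E10657FA74DB0977C3FB7582B"
)

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def read_tlv(buf, pos):
    """Decode one DER tag+length at buf[pos]; return (tag, length, content_start)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    nbytes = first & 0x7F                  # long form: number of length bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, length, pos + 2 + nbytes


def decode_oid(content):
    """Decode DER OID content bytes to dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_spki_header(hex_string):
    """Describe the SPKI in hex_string, tolerating a truncated modulus."""
    if len(hex_string) % 2:
        hex_string = hex_string[:-1]       # drop the dangling nibble left by truncation
    buf = bytes.fromhex(hex_string)

    tag, outer_len, pos = read_tlv(buf, 0)             # SubjectPublicKeyInfo
    assert tag == 0x30
    tag, _, pos = read_tlv(buf, pos)                   # AlgorithmIdentifier
    assert tag == 0x30
    tag, oid_len, pos = read_tlv(buf, pos)             # OBJECT IDENTIFIER
    assert tag == 0x06
    oid = decode_oid(buf[pos:pos + oid_len])
    pos += oid_len
    tag, null_len, pos = read_tlv(buf, pos)            # NULL parameters
    assert tag == 0x05 and null_len == 0
    tag, _, pos = read_tlv(buf, pos)                   # BIT STRING subjectPublicKey
    assert tag == 0x03 and buf[pos] == 0               # 0 unused bits
    pos += 1
    tag, rsa_len, pos = read_tlv(buf, pos)             # RSAPublicKey SEQUENCE
    assert tag == 0x30
    mod_start = pos
    tag, mod_len, pos = read_tlv(buf, pos)             # INTEGER modulus
    assert tag == 0x02
    # A leading 0x00 only keeps the INTEGER positive; it is not part of the modulus.
    modulus_bytes = mod_len - (1 if buf[pos] == 0 else 0)
    available = len(buf) - pos
    return {
        "algorithm_oid": oid,
        "is_rsa": oid == RSA_ENCRYPTION_OID,
        "spki_total_len": outer_len + 3,               # plus the 30 81 9D header itself
        "modulus_bits": modulus_bytes * 8,
        "modulus_bytes_present": min(available, mod_len),
        "modulus_truncated": available < mod_len,
        # what is left inside RSAPublicKey after the modulus: the exponent INTEGER
        "exponent_tlv_len": rsa_len - (pos - mod_start) - mod_len,
    }


if __name__ == "__main__":
    for k, v in parse_spki_header(KEY_HEX).items():
        print(f"{k}: {v}")
```

The structure is the public half of the key pair, so it lets the program verify licenses but not mint them; the post's patch does not touch it at all and instead changes what the caller is told. That is the general lesson of signed-license schemes: the verifier runs on the attacker's machine, so the key size is irrelevant once the comparison on the result can be edited.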

Note the final instruction:

004C5B92 |. 8BC3             mov eax, ebx

and ebx was initialised to 0:

004C558F |. 33DB             xor ebx, ebx

If this function does not return 0, ebx must have been changed somewhere further down, as in this case:

004C55F5 |> 33DB             xor ebx, ebx
004C55F7 |. 43               inc ebx                                ; not a valid key: "That license key doesn't appear to be valid."

Here ebx = 1, so eax ends up as 1: the invalid-key case.

There are two more cases:

004C5B6B |> 6A 03            push 0x3                               ; key revoked: "That license key has been invalidated, due to being shared. Please email sales@sublimetext.com to get your license key reissued."
004C5B6D |. EB 02            jmp short sublime_.004C5B71
004C5B6F |> 6A 02            push 0x2                               ; probably a key for an older version: "That license key is no longer valid."
004C5B71 |> 5B               pop ebx

Either jumping straight to 004C5B72 right after ebx is initialised, or replacing the final 004C5B92 8BC3 mov eax, ebx with an instruction that zeroes the return value, such as mov al,0 or xor eax,eax, makes the function obediently return 0. The two replacements and their opcodes (both two bytes, the same length as 8BC3, so nothing else has to move):

004C5B92 B0 00               mov al, 0x0
004C5B92 33C0                xor eax, eax

Of the two, xor eax,eax is the safer choice: mov al,0 clears only the low byte and leaves the upper 24 bits of eax as whatever the preceding call left them, while the caller at 004C623C tests the whole register. Anyone who does this regularly can probably recite these opcodes from memory. This modification is already enough for a brute-force patch.
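The two-byte patch above is easy to describe and easy to get wrong: the address 004C5B92 is a virtual address in the loaded image, not an offset in the file, and it belongs to the x86 build 3047 the post analysed (the x64 binary has different addresses, which the post does not give). The following is an added example, not code from the post or from Sublime Text: it maps a virtual address to a file offset through the PE section table, refuses to write unless the original bytes 8B C3 are really there, and keeps the replacement the same length. The sample image it patches is a constructed minimal PE32 built inline, so it runs offline and never touches the real executable; helper names are mine.

```python
"""Apply a same-length byte patch at a virtual address in a PE32 image.

Added example, not code from the original post or from Sublime Text.
PATCH_VA and the byte strings come from the post (x86 build 3047); the
PE image used for the demo is constructed below, not the real binary.
"""
import struct

PATCH_VA = 0x004C5B92
ORIGINAL = bytes.fromhex("8BC3")     # mov eax, ebx
REPLACEMENT = bytes.fromhex("33C0")  # xor eax, eax (same length, so no relocation needed)


def pe_sections(image):
    """Return (image_base, [(virtual_address, virtual_size, raw_offset, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here; PE32+ stores ImageBase elsewhere")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(image, va):
    """Translate a virtual address to the offset of the same byte on disk."""
    image_base, sections = pe_sections(image)
    rva = va - image_base
    for sec_va, vsize, rawptr, rawsize in sections:
        if sec_va <= rva < sec_va + max(vsize, rawsize):
            delta = rva - sec_va
            if delta >= rawsize:
                raise ValueError("address lies in uninitialised data; nothing on disk to patch")
            return rawptr + delta
    raise ValueError(f"VA {va:#x} is not inside any section")


def patch_at_va(image, va, expected, replacement):
    """Return a patched copy, or raise if the original bytes do not match (wrong build)."""
    if len(expected) != len(replacement):
        raise ValueError("patch must preserve instruction length")
    offset = va_to_file_offset(image, va)
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"bytes at {va:#x} are {found.hex()}, not {expected.hex()}")
    patched = bytearray(image)
    patched[offset:offset + len(replacement)] = replacement
    return bytes(patched)


def build_sample_pe():
    """Constructed minimal PE32 with one .text section that covers PATCH_VA."""
    image_base, text_va, text_raw, text_size = 0x400000, 0xC5000, 0x400, 0x1000
    e_lfanew, opt_size = 0x80, 224        # 224 = size of a PE32 optional header
    img = bytearray(text_raw + text_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 28, image_base)
    sec = opt + opt_size
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, text_size, text_va, text_size, text_raw)
    # plant the original instruction at the RVA the write-up names
    off = text_raw + (PATCH_VA - image_base - text_va)
    img[off:off + len(ORIGINAL)] = ORIGINAL
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(f"file offset of {PATCH_VA:#x}: {va_to_file_offset(sample, PATCH_VA):#x}")
    patched = patch_at_va(sample, PATCH_VA, ORIGINAL, REPLACEMENT)
    print("patched:", patched != sample)
```

The byte check is the part worth copying into any patcher: an address that is right for one build is usually wrong for the next, and writing 33 C0 over some unrelated instruction is a far worse outcome than refusing to patch.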


Because I had set a breakpoint on 004C5564 earlier, I noticed that the program calls this function at startup as well, to decide whether it is already registered. Then I noticed a call inside this function that I should have spotted right away, but had not paid much attention to during the first pass:

004C55CB |. E8 F2AA1500      call sublime_.006200C2

It turns out 006200C2 is what validates the license data and sets the ASCII string for the license type according to the license:

006200C2 /$ 6A 58            push 0x58
006200C4 |. B8 13406600      mov eax, sublime.00664013
006200C9 |. E8 E89BEDFF      call sublime.004F9CB6
006200CE |. 8B4D 0C          mov ecx, dword ptr ss:[ebp+0xC]        ; sublime.0070F0CC
006200D1 |. 8B45 08          mov eax, dword ptr ss:[ebp+0x8]
006200D4 |. 894D 9C          mov dword ptr ss:[ebp-0x64], ecx
006200D7 |. 8B4D 10          mov ecx, dword ptr ss:[ebp+0x10]       ; sublime.00744304
006200DA |. 894D A0          mov dword ptr ss:[ebp-0x60], ecx
006200DD |. 8B4D 14          mov ecx, dword ptr ss:[ebp+0x14]
006200E0 |. 894D AC          mov dword ptr ss:[ebp-0x54], ecx
006200E3 |. 8B4D 18          mov ecx, dword ptr ss:[ebp+0x18]
006200E6 |. 33DB             xor ebx, ebx                           ; ebx = 0; this register holds the return value, and 0 means the key is invalid
......
006201B8 |. E8 462FDEFF      call sublime.00403103
006201BD |> 68 345A6B00      push sublime.006B5A34                  ; ASCII "Single User License"
006201C2 |. 8D77 18          lea esi, dword ptr ds:[edi+0x18]
006201C5 |. E8 3A3CDEFF      call sublime.00403E04
006201CA |. 59               pop ecx                                ; sublime.004C55D0
006201CB |. 50               push eax
006201CC |. 68 345A6B00      push sublime.006B5A34                  ; ASCII "Single User License"
006201D1 |. FF76 10          push dword ptr ds:[esi+0x10]
006201D4 |. 8BCE             mov ecx, esi
006201D6 |. 53               push ebx
006201D7 |. E8 E99FDEFF      call sublime.0040A1C5
006201DC |. 85C0             test eax, eax
006201DE |. 75 0B            jnz short sublime.006201EB             ; jump to the unlimited-user case
006201E0 |. 8B4D AC          mov ecx, dword ptr ss:[ebp-0x54]
006201E3 |. C701 01000000    mov dword ptr ds:[ecx], 0x1
006201E9 |. EB 3B            jmp short sublime.00620226
006201EB |> 68 485A6B00      push sublime.006B5A48                  ; ASCII "Unlimited User License"
......
0062034B |. 8AC3             mov al, bl
0062034D |. E8 1399EDFF      call sublime.004F9C65
00620352  . C3               retn

The call to 006200C2 inside 004C5564:

004C55CB |. E8 F2AA1500      call sublime.006200C2
004C55D0 |. 83C4 18          add esp, 0x18
004C55D3 |. 84C0             test al, al
004C55D5 |. 74 1E            je short sublime.004C55F5

If 006200C2 returns 0 (it returns its result in al, via mov al, bl), the program jumps to 004C55F5, so ebx = 1, and in the end eax = ebx and the function returns 1, which shows the invalid-key message.

Then there is one more call in 004C5564 that checks the key:

004C55EC |. E8 D44BF4FF      call sublime.0040A1C5
004C55F1 |. 85C0             test eax, eax
004C55F3 |. 74 08            je short sublime.004C55FD
004C55F5 |> 33DB             xor ebx, ebx
004C55F7 |. 43               inc ebx
004C55F8 |. E9 75050000      jmp sublime_.004C5B72                  ; this jump means the key is not valid; the function returns 1

If 0040A1C5 returns non-zero, the key is invalid. (Its argument pattern here, with the constant "EA7E", and again at 006201D7 inside 006200C2 with "Single User License", is the same: a length obtained from 00403E04, the constant, an offset and 0, which looks like a string comparison that returns 0 on a match.) If it returns 0, there are three possible outcomes: 1) the key is valid for the current build; 2) the key does not apply to the current build; 3) the key has been blacklisted. If the jump to 004C55FD is not taken, the result is the same as 006200C2 returning 0.

So what we need is: 006200C2 returns non-zero, and 0040A1C5 returns 0.

At this point it is worth reconsidering the patch location chosen above, which simply makes 004C5564 return 0. Does the program call 006200C2 or 0040A1C5 anywhere else to decide whether it is registered? Fortunately this program's check is fairly centralised: 006200C2 is not called from anywhere else, and 0040A1C5 is not used anywhere else for the registration decision. The startup check mentioned earlier also goes through 004C5564, so the patch above covers both the dialog and the startup path and works as it stands.

Also, while debugging, I found where the license file is stored: ecx=01E56060, (ASCII "/C/Documents and Settings/Administrator/Application Data/Sublime Text 3/Local/License.sublime_license")

Patch file download, link: http://pan.baidu.com/share/link?shareid=260461667&uk=539163738 password: mmoq
