Winrar阻止弹窗分析(鼓捣版)

1 目标
WinRAR(64位)的弹框广告去除,由于我的系统为x64版本,所以安装了WinRAR(x64)版本。
OllyDbg(OD)只能调试 32 位程序,无法载入 64 位进程,因此这次正好用来熟悉 x64dbg 的调试界面。
主要涉及软件spy++,x64dbg

2 破解思路
1)偷梁换柱
将目标函数入口处的第一条指令改为 ret,使其一被调用就立即返回(本次采用的方法)。注意:只有在入口处尚未 push 寄存器、也未调整 rsp 时,直接 ret 才不会破坏栈平衡;同时 rax 中的返回值并未被设置,如果调用方会检查该函数的返回值,需要额外处理。
2)把整个函数体 NOP 掉。此时必须保留函数末尾的 ret,否则执行流会直接落入紧邻的下一个函数。
无论采用哪种方法,修改后的 WinRAR.exe 都会失去原有数字签名的一致性,建议只在本机使用并保留原始文件备份;网上流传的“去广告版”安装包也常被用来夹带恶意代码,不要随意下载运行。
3 涉及知识
x64dbg工具快捷键与OD无异
F9:运行

bp CreateWindowExW:在 x64dbg 底部的命令栏输入这行命令,在 user32 导出的 CreateWindowExW 函数入口处下断点。每次断下时,按 Win64 调用约定前四个整型参数依次在 rcx、rdx、r8、r9 中,所以第二个参数 lpClassName(窗口类名)位于 rdx,可据此判断当前创建的是不是目标广告窗口。
CreateWindowExW:该函数创建一个层叠式窗口、弹出式窗口或子窗口,是 Win32 创建窗口的基础 API,广告弹窗最终也要经过它。

参数(依次为 dwExStyle, lpClassName, lpWindowName, dwStyle, X, Y, nWidth, nHeight, hWndParent, hMenu, hInstance, lpParam):其中 lpClassName 是后面用来匹配 RarReminder 的关键参数。

4 实现流程
【软件名称】:WinRar
【软件版本】:评估版本 5.40(x64)
【外壳保护】:无
【操作系统】:Windows 10

既然是弹出窗口,首先要知道弹窗窗口的窗口类名,我使用的是VS2015里自带的工具Spy++ x64。

图1 调出Spy++ x64

通过上述步骤得到广告窗口的类名为 RarReminder 后,使用 x64dbg 载入 WinRAR.exe,在命令栏输入【bp CreateWindowExW】在该函数入口下断点。由于程序启动时会多次调用 CreateWindowExW,每次按 F9 断下后查看 rdx 指向的类名字符串,直到出现 RarReminder 为止,同时观察广告窗口弹出的状态变化。

在调用堆栈窗口中找到返回地址位于 winrar.exe 模块内的那一帧(即 call 指令的下一条指令地址),按回车即可从 user32 跳回到 WinRAR 自身的代码。

Winrar阻止弹窗分析(鼓捣版)
图5 堆栈窗口信息

返回到 00007FF6780AD4E8 这个地址处,向上看会看到“http://ad.winrar.com.cn/show_40.html=7&bl=7&v=540&a=64&src=wrr”这个很明显的广告地址。从下方的反汇编看,该地址位于以 00007FF6780AD078 为起始的函数内部(函数前面 00007FF6780AD077 处的单个 int3 应为对齐填充),所以只需把 00007FF6780AD078 处的第一条指令改为 ret 即可;此处还没有任何 push,直接返回是安全的。

该函数的反汇编如下。值得注意的是 00007FF6780AD0EC–00007FF6780AD113 这段是一个解码循环:对 7FF678145ED0 处的 0x480 字节逐字节做 XOR,密钥由 rcx 经 movabs rax,AAAAAAAAAAAAAAAB / mul / shr rdx,1(即无符号除以 3 的编译器惯用写法)更新。也就是说广告相关的配置字符串很可能是在运行时才解码出来的,直接在文件里搜索明文 URL 未必能定位到,这也是要用断点动态跟踪的原因。

00007FF6780AD077 | int3      |00007FF6780AD078 | mov qword ptr ss:[rsp+8],rbx            |00007FF6780AD07D | mov qword ptr ss:[rsp+10],rbp           |00007FF6780AD082 | mov qword ptr ss:[rsp+18],rsi           |00007FF6780AD087 | push rdi  |00007FF6780AD088 | push r12  |00007FF6780AD08A | push r13  |00007FF6780AD08C | push r14  |00007FF6780AD08E | push r15  |00007FF6780AD090 | mov eax,1080             |00007FF6780AD095 | call winrar.7FF6780F8BD0 |00007FF6780AD09A | sub rsp,rax              |00007FF6780AD09D | mov rax,qword ptr ds:[7FF678148200]     |00007FF6780AD0A4 | xor rax,rsp              |00007FF6780AD0A7 | mov qword ptr ss:[rsp+1070],rax         |00007FF6780AD0AF | xor r15d,r15d            |00007FF6780AD0B2 | mov sil,cl|00007FF6780AD0B5 |  cmp byte ptr ds:[7FF67819A204],r15b     |00007FF6780AD0BC |  je winrar.7FF6780AD0C6   |00007FF6780AD0BE |  test dl,dl|00007FF6780AD0C0 |  je winrar.7FF6780AD55D   |00007FF6780AD0C6 |  or rbp,FFFFFFFFFFFFFFFF  |00007FF6780AD0CA |  mov r12d,1|00007FF6780AD0D0 |  cmp dword ptr ds:[7FF678145EE4],r15d    |00007FF6780AD0D7 |  je winrar.7FF6780AD127   |00007FF6780AD0D9 |  mov rcx,r15              |00007FF6780AD0DC |  lea rbx,qword ptr ds:[7FF678145ED0]     | 7FF678145ED0:"8g3#0w1$5r7%2ta"00007FF6780AD0E3 |  mov r9,r15|00007FF6780AD0E6 |  mov r8d,480              |00007FF6780AD0EC |  xor byte ptr ds:[r9+rbx],cl             |00007FF6780AD0F0 |  movabs rax,AAAAAAAAAAAAAAAB             |00007FF6780AD0FA |  mul rcx   |00007FF6780AD0FD |  add rcx,3 |00007FF6780AD101 |  add r9,r12|00007FF6780AD104 |  shr rdx,1 | rdx:L"RarReminder"00007FF6780AD107 |  add rcx,rdx              | rdx:L"RarReminder"00007FF6780AD10A |  and ecx,FFFFFF           |00007FF6780AD110 |  cmp r9,r8 | r8:L"WinRAR"00007FF6780AD113 |  jb winrar.7FF6780AD0EC   |00007FF6780AD115 |  cmp dword ptr ds:[7FF678145EE4],r15d    |00007FF6780AD11C |  je winrar.7FF6780AD1B9   |00007FF6780AD122 |  jmp winrar.7FF6780AD1AF  |00007FF6780AD127 |  mov ecx,4F8              |00007FF6780AD12C 
|  call winrar.7FF678093F34 |00007FF6780AD131 |  mov rbx,rax              |00007FF6780AD134 |  cmp word ptr ds:[rax],23 | 23:'#'00007FF6780AD138 |  jne winrar.7FF6780AD154  |00007FF6780AD13A |  cmp word ptr ds:[rax+2],23              | 23:'#'00007FF6780AD13F |  jne winrar.7FF6780AD154  |00007FF6780AD141 |  mov rax,rbp              |00007FF6780AD144 |  inc rax   |00007FF6780AD147 |  cmp word ptr ds:[rbx+rax*2],r15w        |00007FF6780AD14C |  jne winrar.7FF6780AD144  |00007FF6780AD14E |  cmp rax,64| 64:'d'00007FF6780AD152 |  jae winrar.7FF6780AD15B  |00007FF6780AD154 |  mov rbx,qword ptr ds:[7FF678146350]     | 7FF678146350:&L"##0C693n:rbtmee,fon)Okskcift.;kckgvgfa:$I&pitvdg8RBTMEE&iambhj`rdgf;gmuqq&ucswnmk=$P&euamiwcbprp`=$G=]1rbtmee,fon)Okskcift.;kckgvgfa:$I&pitvdg8RBTMEE&iambhj`rdgf;gmuqqexvhvbf&vftrmhl8$U&`vdjltfeuqug8$B;>WBQK=0W5hwrq>(-waqj`f)ajm,Hnpndleq)>hflbubad9$N&slssgbAQJ@F&ndngoocwcbe>cxtnp`d&pdvtkjn>$W&fpfhjrdgswwe>$@:"00007FF6780AD15B |  mov edi,1000             |00007FF6780AD160 |  lea rcx,qword ptr ss:[rsp+70]           |00007FF6780AD165 |  mov r8d,edi              |00007FF6780AD168 |  xor edx,edx              |00007FF6780AD16A |  call winrar.7FF6780F9ED0 |00007FF6780AD16F |  lea rcx,qword ptr ds:[rbx+4]            |00007FF6780AD173 |  mov r8d,edi              |00007FF6780AD176 |  lea rdx,qword ptr ss:[rsp+70]           |00007FF6780AD17B |  call winrar.7FF67809CA7C |00007FF6780AD180 |  lea rax,qword ptr ss:[rsp+70]           |00007FF6780AD185 |  mov r8,rbp|00007FF6780AD188 |  inc r8    | r8:L"WinRAR"00007FF6780AD18B |  cmp byte ptr ds:[rax+r8],r15b           |00007FF6780AD18F |  jne winrar.7FF6780AD188  |00007FF6780AD191 |  lea rbx,qword ptr ds:[7FF678145ED0]     | 7FF678145ED0:"8g3#0w1$5r7%2ta"00007FF6780AD198 |  mov rcx,rbx              |00007FF6780AD19B |  lea rdx,qword ptr ss:[rsp+70]           |00007FF6780AD1A0 |  call winrar.7FF6780AC24C |00007FF6780AD1A5 |  test al,al|00007FF6780AD1A7 |  jne winrar.7FF6780AD1B9  |00007FF6780AD1A9 |  mov 
r8d,480              |00007FF6780AD1AF |  xor edx,edx              |00007FF6780AD1B1 |  mov rcx,rbx              |00007FF6780AD1B4 |  call winrar.7FF6780F9ED0 |00007FF6780AD1B9 |  cmp byte ptr ds:[7FF6781857E4],r15b     |00007FF6780AD1C0 |  jne winrar.7FF6780AD1CE  |00007FF6780AD1C2 |  cmp dword ptr ds:[7FF678158474


