Sublime Text 3 build 3047 x86/x64

A pretty nice editor.

http://www.sublimetext.com/3

Original download:
x86
x64

Patch download:
Jump to download

debug log
==================================================
by 荒野无灯
May 16, 2013 23:57:36

--------------------------------------------------------------------------------

No packer. The registration check is also fairly simple.

The usual routine:
enter an arbitrary license key, and once the error appears press F12 to pause execution.

Inspect the call stack:
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012C0E4 77D19418 Includes ntdll.KiFastSystemCallRet user32.77D19416 0012C118
0012C0E8 77D2770A user32.WaitMessage user32.77D27705 0012C118
0012C11C 77D249C4 user32.77D2757B user32.77D249BF 0012C118
0012C144 77D3A956 user32.77D2490E user32.77D3A951 0012C140
0012C404 77D3A2BC user32.SoftModalMessageBox user32.77D3A2B7 0012C400
0012C554 77D663FD user32.77D3A147 user32.77D663F8 0012C550
0012C5AC 77D50853 user32.MessageBoxTimeoutW user32.77D5084E 0012C5A8
0012C5CC 77D66579 user32.MessageBoxExW user32.77D66574 0012C5C8
0012C5D0 00110316 hOwner = 00110316 ('Enter License',class='PX_WINDOW_CLASS')
0012C5D4 01E48850 Text = "That license key doesn't appear to be valid...Please check that y
0012C5D8 019A5D80 Title = "Sublime Text"
0012C5DC 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012C5E0 00000000 LanguageID = 0x0 (LANG_NEUTRAL)
0012C5E8 005CDE34 user32.MessageBoxW sublime_.005CDE2E 0012C5E4
0012C5EC 00110316 hOwner = 00110316 ('Enter License',class='PX_WINDOW_CLASS')
0012C5F0 01E48850 Text = "That license key doesn't appear to be valid...Please check that y
0012C5F4 019A5D80 Title = "Sublime Text"
0012C5F8 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012C654 004C635F ? sublime_.005CDD98 sublime_.004C635A 0012C650

Going there, we find an obvious switch-case statement:
004C621D . 395D E8 cmp dword ptr ss:[ebp-0x18], ebx
004C6220 . 0F84 3D010000 je sublime_.004C6363
004C6226 . 8D45 8C lea eax, dword ptr ss:[ebp-0x74]
004C6229 . 50 push eax
004C622A . 68 04437400 push sublime_.00744304
004C622F . 51 push ecx
004C6230 . 8D45 D8 lea eax, dword ptr ss:[ebp-0x28]
004C6233 . 50 push eax
004C6234 . E8 2BF3FFFF call sublime_.004C5564
004C6239 . 83C4 10 add esp, 0x10
004C623C . 85C0 test eax, eax
004C623E . 0F9405 004374>sete byte ptr ds:[0x744300]
004C6245 85C0 test eax, eax
004C6247 . 0F85 E3000000 jnz sublime_.004C6330
............
004C6318 > 68 C40C6700 push sublime_.00670CC4 ; ASCII "Thanks for purchasing!"
......
004C635A . E8 397A1000 call sublime_.005CDD98

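As the assembly above shows, the value returned by function 004C5564 is used directly as the selector of the switch statement that chooses which message to display. From the messages, we know what 004C5564 needs to return.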

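Then we set breakpoints at these three locations:
004C6220 . /0F84 3D010000 je sublime_.004C6363
......
004C6234 . E8 2BF3FFFF call sublime_.004C5564
......
004C6247 . /0F85 E3000000 jnz sublime_.004C6330
and test the registration again.
The jump at 004C6220 is not taken. The call at 004C6234 returned 1. Clearly, when it returns 1 the program jumps to 004C6330 and shows the invalid-license-key message.
So we step into 004C5564.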

004C5564 /$ 6A 70 push 0x70 ; set a breakpoint here
004C5566 |. B8 0D376500 mov eax, sublime_.0065370D
004C556B |. E8 46470300 call sublime_.004F9CB6
004C5570 |. 8B45 10 mov eax, dword ptr ss:[ebp+0x10]
004C5573 |. 8B75 08 mov esi, dword ptr ss:[ebp+0x8]
004C5576 |. 8B7D 0C mov edi, dword ptr ss:[ebp+0xC]
004C5579 |. 8945 88 mov dword ptr ss:[ebp-0x78], eax
004C557C |. 8B45 14 mov eax, dword ptr ss:[ebp+0x14]
004C557F |. 68 00096700 push sublime_.00670900 ; ASCII "30819D300D06092A864886F70D010101050003818B0030818702818100D87BA24562F7C5D14A0CFB12B9740C195C6BDC7E6D6EC92BAC0EB29D59E1D9AE67890C2B88C3ABDCAFFE7D4A33DCC1BFBE531A251CEF0C923F06BE79B2328559ACFEE986D5E15E4D1766EA56C4E10657FA74DB0977C3FB7582B"...
004C5584 |. 8D4D 90 lea ecx, dword ptr ss:[ebp-0x70]
004C5587 |. 8945 8C mov dword ptr ss:[ebp-0x74], eax
004C558A |. E8 36C2F3FF call sublime_.004017C5
004C558F |. 33DB xor ebx, ebx ; default return value is 0 (license key valid)
004C5591 |. 6A 0F push 0xF
004C5593 |. 58 pop eax ; sublime_.004A3C88
004C5594 |. 895D FC mov dword ptr ss:[ebp-0x4], ebx
004C5597 |. 8945 BC mov dword ptr ss:[ebp-0x44], eax
004C559A |. 895D B8 mov dword ptr ss:[ebp-0x48], ebx
004C559D |. 885D A8 mov byte ptr ss:[ebp-0x58], bl
004C55A0 |. 8945 D4 mov dword ptr ss:[ebp-0x2C], eax
004C55A3 |. 895D D0 mov dword ptr ss:[ebp-0x30], ebx
004C55A6 |. 885D C0 mov byte ptr ss:[ebp-0x40], bl
004C55A9 |. 8945 EC mov dword ptr ss:[ebp-0x14], eax
004C55AC |. 895D E8 mov dword ptr ss:[ebp-0x18], ebx
004C55AF |. 885D D8 mov byte ptr ss:[ebp-0x28], bl
004C55B2 |. 8D45 D8 lea eax, dword ptr ss:[ebp-0x28]
004C55B5 |. 50 push eax
004C55B6 |. 8D45 C0 lea eax, dword ptr ss:[ebp-0x40]
004C55B9 |. 50 push eax
004C55BA |. 8D45 84 lea eax, dword ptr ss:[ebp-0x7C]
004C55BD |. 50 push eax
004C55BE |. 8D45 A8 lea eax, dword ptr ss:[ebp-0x58]
004C55C1 |. 50 push eax
004C55C2 |. 8D45 90 lea eax, dword ptr ss:[ebp-0x70]
004C55C5 |. 50 push eax
004C55C6 |. 56 push esi
004C55C7 |. C645 FC 03 mov byte ptr ss:[ebp-0x4], 0x3
004C55CB |. E8 F2AA1500 call sublime_.006200C2 ; a return value of 0 from this function means the license key is invalid; otherwise the checks below continue
004C55D0 |. 83C4 18 add esp, 0x18
004C55D3 |. 84C0 test al, al
004C55D5 |. 74 1E je short sublime_.004C55F5
004C55D7 |. BE 440A6700 mov esi, sublime_.00670A44 ; ASCII "EA7E"
004C55DC |. 56 push esi
004C55DD |. E8 22E8F3FF call sublime_.00403E04
004C55E2 |. 59 pop ecx ; sublime_.004A3C88
004C55E3 |. 50 push eax
004C55E4 |. 56 push esi
004C55E5 |. FF75 D0 push dword ptr ss:[ebp-0x30]
004C55E8 |. 8D4D C0 lea ecx, dword ptr ss:[ebp-0x40]
004C55EB |. 53 push ebx
004C55EC |. E8 D44BF4FF call sublime_.0040A1C5
004C55F1 |. 85C0 test eax, eax
004C55F3 |. 74 08 je short sublime_.004C55FD
004C55F5 |> 33DB xor ebx, ebx
004C55F7 |. 43 inc ebx
004C55F8 |. E9 75050000 jmp sublime_.004C5B72 ; this jump means the license key is not valid; the function returns 1
004C55FD |> 837D EC 10 cmp dword ptr ss:[ebp-0x14], 0x10
004C5601 |. 8D45 D8 lea eax, dword ptr ss:[ebp-0x28]
004C5604 |. 0F4345 D8 cmovnb eax, dword ptr ss:[ebp-0x28]
004C5608 |. 50 push eax
004C5609 |. E8 90950300 call sublime_.004FEB9E
004C560E |. 59 pop ecx ; sublime_.004A3C88
004C560F |. 3D 241C0C00 cmp eax, 0xC1C24 ; comparisons against license keys that are no longer supported start here
004C5614 |. 0F84 55050000 je sublime_.004C5B6F
004C561A |. 3D 231C0C00 cmp eax, 0xC1C23
004C561F |. 0F84 4A050000 je sublime_.004C5B6F
004C5625 |. 3D 261C0C00 cmp eax, 0xC1C26
004C562A |. 0F84 3F050000 je sublime_.004C5B6F
004C5630 |. 3D 1C1C0C00 cmp eax, 0xC1C1C
004C5635 |. 0F84 34050000 je sublime_.004C5B6F
004C563B |. 3D A21A0C00 cmp eax, 0xC1AA2
004C5640 |. 0F84 29050000 je sublime_.004C5B6F
004C5646 |. 3D 5C1C0C00 cmp eax, 0xC1C5C
004C564B |. 0F84 1E050000 je sublime_.004C5B6F
004C5651 |. 3D 591C0C00 cmp eax, 0xC1C59
004C5656 |. 0F84 13050000 je sublime_.004C5B6F
004C565C |. 3D 9B1C0C00 cmp eax, 0xC1C9B
004C5661 |. 0F84 08050000 je sublime_.004C5B6F
004C5667 |. 3D 841C0C00 cmp eax, 0xC1C84
004C566C |. 0F84 FD040000 je sublime_.004C5B6F
004C5672 |. 3D 41220C00 cmp eax, 0xC2241
004C5677 |. 0F84 F2040000 je sublime_.004C5B6F
004C567D |. 3D EA230C00 cmp eax, 0xC23EA
004C5682 |. 0F84 E7040000 je sublime_.004C5B6F
004C5688 |. 3D 3A240C00 cmp eax, 0xC243A
004C568D |. 0F84 DC040000 je sublime_.004C5B6F
004C5693 |. 3D 7C250C00 cmp eax, 0xC257C
004C5698 |. 0F84 D1040000 je sublime_.004C5B6F
004C569E |. 3D D2270C00 cmp eax, 0xC27D2
004C56A3 |. 0F84 C6040000 je sublime_.004C5B6F
004C56A9 |. 3D AB290C00 cmp eax, 0xC29AB
004C56AE |. 0F84 BB040000 je sublime_.004C5B6F
004C56B4 |. 3D 722E0C00 cmp eax, 0xC2E72
004C56B9 |. 0F84 B0040000 je sublime_.004C5B6F
004C56BF |. 3D 89310C00 cmp eax, 0xC3189
004C56C4 |. 0F84 A5040000 je sublime_.004C5B6F
004C56CA |. 3D 5A330C00 cmp eax, 0xC335A
004C56CF |. 0F84 9A040000 je sublime_.004C5B6F
004C56D5 |. 3D D9320C00 cmp eax, 0xC32D9
004C56DA |. 0F84 8F040000 je sublime_.004C5B6F
004C56E0 |. 3D 4A330C00 cmp eax, 0xC334A
004C56E5 |. 0F84 84040000 je sublime_.004C5B6F
004C56EB |. 3D 92270C00 cmp eax, 0xC2792
004C56F0 |. 0F84 79040000 je sublime_.004C5B6F
004C56F6 |. 3D DD340C00 cmp eax, 0xC34DD
004C56FB |. 0F84 6E040000 je sublime_.004C5B6F
004C5701 |. 3D E2270C00 cmp eax, 0xC27E2
004C5706 |. 0F84 63040000 je sublime_.004C5B6F
004C570C |. 3D 60370C00 cmp eax, 0xC3760
004C5711 |. 0F84 58040000 je sublime_.004C5B6F
004C5717 |. 3D C7370C00 cmp eax, 0xC37C7
004C571C |. 0F84 4D040000 je sublime_.004C5B6F
004C5722 |. 3D EC390C00 cmp eax, 0xC39EC
004C5727 |. 0F84 42040000 je sublime_.004C5B6F
004C572D |. 3D AA3E0C00 cmp eax, 0xC3EAA
004C5732 |. 0F84 37040000 je sublime_.004C5B6F
004C5738 |. 3D 9D410C00 cmp eax, 0xC419D
004C573D |. 0F84 2C040000 je sublime_.004C5B6F
004C5743 |. 3D D4480C00 cmp eax, 0xC48D4
004C5748 |. 0F84 21040000 je sublime_.004C5B6F
004C574E |. 3D E1470C00 cmp eax, 0xC47E1
004C5753 |. 0F84 16040000 je sublime_.004C5B6F
004C5759 |. 3D CB4A0C00 cmp eax, 0xC4ACB
004C575E |. 0F84 0B040000 je sublime_.004C5B6F
004C5764 |. 3D 984D0C00 cmp eax, 0xC4D98
004C5769 |. 0F84 00040000 je sublime_.004C5B6F
004C576F |. 3D 4C500C00 cmp eax, 0xC504C
004C5774 |. 0F84 F5030000 je sublime_.004C5B6F
004C577A |. 3D 5A520C00 cmp eax, 0xC525A
004C577F |. 0F84 EA030000 je sublime_.004C5B6F
004C5785 |. 3D F23E0C00 cmp eax, 0xC3EF2
004C578A |. 0F84 DF030000 je sublime_.004C5B6F
004C5790 |. 3D DE440C00 cmp eax, 0xC44DE
004C5795 |. 0F84 D4030000 je sublime_.004C5B6F
004C579B |. 3D BA580C00 cmp eax, 0xC58BA
004C57A0 |. 0F84 C9030000 je sublime_.004C5B6F
004C57A6 |. 3D 0D580C00 cmp eax, 0xC580D
004C57AB |. 0F84 BE030000 je sublime_.004C5B6F
004C57B1 |. 3D BA550C00 cmp eax, 0xC55BA
004C57B6 |. 0F84 B3030000 je sublime_.004C5B6F
004C57BC |. 3D 485D0C00 cmp eax, 0xC5D48
004C57C1 |. 0F84 A8030000 je sublime_.004C5B6F
004C57C7 |. 3D C3680C00 cmp eax, 0xC68C3
004C57CC |. 0F84 9D030000 je sublime_.004C5B6F
004C57D2 |. 3D 94680C00 cmp eax, 0xC6894
004C57D7 |. 0F84 92030000 je sublime_.004C5B6F
004C57DD |. 3D 18660C00 cmp eax, 0xC6618
004C57E2 |. 0F84 87030000 je sublime_.004C5B6F
004C57E8 |. 3D 6C710C00 cmp eax, 0xC716C
004C57ED |. 0F84 7C030000 je sublime_.004C5B6F
004C57F3 |. 3D 7D7A0C00 cmp eax, 0xC7A7D
004C57F8 |. 0F84 71030000 je sublime_.004C5B6F
004C57FE |. 3D A05D0C00 cmp eax, 0xC5DA0
004C5803 |. 0F84 66030000 je sublime_.004C5B6F
004C5809 |. 3D 55660C00 cmp eax, 0xC6655
004C580E |. 0F84 5B030000 je sublime_.004C5B6F
004C5814 |. 3D E86E0C00 cmp eax, 0xC6EE8
004C5819 |. 0F84 50030000 je sublime_.004C5B6F
004C581F |. 3D 88720C00 cmp eax, 0xC7288
004C5824 |. 0F84 45030000 je sublime_.004C5B6F
004C582A |. 3D 77780C00 cmp eax, 0xC7877
004C582F |. 0F84 3A030000 je sublime_.004C5B6F
004C5835 |. 3D A9800C00 cmp eax, 0xC80A9
004C583A |. 0F84 2F030000 je sublime_.004C5B6F
004C5840 |. 3D E3810C00 cmp eax, 0xC81E3
004C5845 |. 0F84 24030000 je sublime_.004C5B6F
004C584B |. 3D D17A0C00 cmp eax, 0xC7AD1
004C5850 |. 0F84 19030000 je sublime_.004C5B6F
004C5856 |. 3D 0A730C00 cmp eax, 0xC730A
004C585B |. 0F84 0E030000 je sublime_.004C5B6F
004C5861 |. 3D EE810C00 cmp eax, 0xC81EE
004C5866 |. 0F84 03030000 je sublime_.004C5B6F
004C586C |. 3D 58960C00 cmp eax, 0xC9658
004C5871 |. 0F84 F8020000 je sublime_.004C5B6F
004C5877 |. 3D 8E990C00 cmp eax, 0xC998E
004C587C |. 0F84 ED020000 je sublime_.004C5B6F
004C5882 |. 3D A59B0C00 cmp eax, 0xC9BA5
004C5887 |. 0F84 E2020000 je sublime_.004C5B6F
004C588D |. 3D CC9B0C00 cmp eax, 0xC9BCC
004C5892 |. 0F84 D7020000 je sublime_.004C5B6F
004C5898 |. 3D 6C930C00 cmp eax, 0xC936C
004C589D |. 0F84 CC020000 je sublime_.004C5B6F
004C58A3 |. 3D 73B20C00 cmp eax, 0xCB273
004C58A8 |. 0F84 C1020000 je sublime_.004C5B6F
004C58AE |. 3D 33B20C00 cmp eax, 0xCB233
004C58B3 |. 0F84 B6020000 je sublime_.004C5B6F
004C58B9 |. 3D 2AE00C00 cmp eax, 0xCE02A
004C58BE |. 0F84 AB020000 je sublime_.004C5B6F
004C58C4 |. 3D 55560C00 cmp eax, 0xC5655
004C58C9 |. 0F84 A0020000 je sublime_.004C5B6F
004C58CF |. 3D B6D50C00 cmp eax, 0xCD5B6
004C58D4 |. 0F84 95020000 je sublime_.004C5B6F
004C58DA |. 3D 5AE10C00 cmp eax, 0xCE15A
004C58DF |. 0F84 8A020000 je sublime_.004C5B6F
004C58E5 |. 3D 7A820C00 cmp eax, 0xC827A
004C58EA |. 0F84 7F020000 je sublime_.004C5B6F
004C58F0 |. 3D 096D0C00 cmp eax, 0xC6D09
004C58F5 |. 0F84 74020000 je sublime_.004C5B6F
004C58FB |. 3D 2D540C00 cmp eax, 0xC542D
004C5900 |. 0F84 69020000 je sublime_.004C5B6F
004C5906 |. 3D 3A200C00 cmp eax, 0xC203A
004C590B |. 0F84 5E020000 je sublime_.004C5B6F
004C5911 |. 3D C5490C00 cmp eax, 0xC49C5
004C5916 |. 0F84 53020000 je sublime_.004C5B6F
004C591C |. 3D 2A1A0C00 cmp eax, 0xC1A2A
004C5921 |. 0F84 48020000 je sublime_.004C5B6F
004C5927 |. 3D 973E0C00 cmp eax, 0xC3E97
004C592C |. 0F84 3D020000 je sublime_.004C5B6F
004C5932 |. 3D 02E20C00 cmp eax, 0xCE202
004C5937 |. 0F84 32020000 je sublime_.004C5B6F
004C593D |. 3D 2A4D0C00 cmp eax, 0xC4D2A
004C5942 |. 0F84 27020000 je sublime_.004C5B6F
004C5948 |. 3D 74D30C00 cmp eax, 0xCD374
004C594D |. 0F84 1C020000 je sublime_.004C5B6F
004C5953 |. 3D 8ADC0C00 cmp eax, 0xCDC8A
004C5958 |. 0F84 11020000 je sublime_.004C5B6F
004C595E |. 3D B5C90C00 cmp eax, 0xCC9B5
004C5963 |. 0F84 06020000 je sublime_.004C5B6F
004C5969 |. 3D BCD60C00 cmp eax, 0xCD6BC
004C596E |. 0F84 FB010000 je sublime_.004C5B6F
004C5974 |. 3D EABE0C00 cmp eax, 0xCBEEA
004C5979 |. 0F84 F0010000 je sublime_.004C5B6F
004C597F |. 3D 6E9F0C00 cmp eax, 0xC9F6E
004C5984 |. 0F84 E5010000 je sublime_.004C5B6F
004C598A |. 3D 7D9C0C00 cmp eax, 0xC9C7D
004C598F |. 0F84 DA010000 je sublime_.004C5B6F
004C5995 |. 3D 637C0C00 cmp eax, 0xC7C63
004C599A |. 0F84 CF010000 je sublime_.004C5B6F
004C59A0 |. 3D CC840C00 cmp eax, 0xC84CC
004C59A5 |. 0F84 C4010000 je sublime_.004C5B6F
004C59AB |. 3D 1BEA0C00 cmp eax, 0xCEA1B
004C59B0 |. 0F84 B9010000 je sublime_.004C5B6F
004C59B6 |. 3D 8EEC0C00 cmp eax, 0xCEC8E
004C59BB |. 0F84 AE010000 je sublime_.004C5B6F
004C59C1 |. 3D 1DF00C00 cmp eax, 0xCF01D
004C59C6 |. 0F84 A3010000 je sublime_.004C5B6F
004C59CC |. 3D 75330D00 cmp eax, 0xD3375
004C59D1 |. 0F84 98010000 je sublime_.004C5B6F
004C59D7 |. 3D E8260D00 cmp eax, 0xD26E8
004C59DC |. 0F84 8D010000 je sublime_.004C5B6F
004C59E2 |. 3D B92F0D00 cmp eax, 0xD2FB9
004C59E7 |. 0F84 82010000 je sublime_.004C5B6F
004C59ED |. 3D E2230D00 cmp eax, 0xD23E2
004C59F2 |. 0F84 77010000 je sublime_.004C5B6F
004C59F8 |. 3D BE390D00 cmp eax, 0xD39BE
004C59FD |. 0F84 6C010000 je sublime_.004C5B6F
004C5A03 |. 3D 02270D00 cmp eax, 0xD2702
004C5A08 |. 0F84 61010000 je sublime_.004C5B6F
004C5A0E |. 3D FE360D00 cmp eax, 0xD36FE
004C5A13 |. 0F84 56010000 je sublime_.004C5B6F
004C5A19 |. 3D 421C0C00 cmp eax, 0xC1C42
004C5A1E |. 0F84 47010000 je sublime_.004C5B6B ; blacklisted-license comparisons start here
004C5A24 |. 3D DA230C00 cmp eax, 0xC23DA
004C5A29 |. 0F84 3C010000 je sublime_.004C5B6B
004C5A2F |. 3D 20280C00 cmp eax, 0xC2820
004C5A34 |. 0F84 31010000 je sublime_.004C5B6B
004C5A3A |. 3D 6A280C00 cmp eax, 0xC286A
004C5A3F |. 0F84 26010000 je sublime_.004C5B6B
004C5A45 |. 3D 88280C00 cmp eax, 0xC2888
004C5A4A |. 0F84 1B010000 je sublime_.004C5B6B
004C5A50 |. 3D C4320C00 cmp eax, 0xC32C4
004C5A55 |. 0F84 10010000 je sublime_.004C5B6B
004C5A5B |. 3D F5350C00 cmp eax, 0xC35F5
004C5A60 |. 0F84 05010000 je sublime_.004C5B6B
004C5A66 |. 3D 173C0C00 cmp eax, 0xC3C17
004C5A6B |. 0F84 FA000000 je sublime_.004C5B6B
004C5A71 |. 3D 463E0C00 cmp eax, 0xC3E46
004C5A76 |. 0F84 EF000000 je sublime_.004C5B6B
004C5A7C |. 3D F74A0C00 cmp eax, 0xC4AF7
004C5A81 |. 0F84 E4000000 je sublime_.004C5B6B
004C5A87 |. 3D 2D500C00 cmp eax, 0xC502D
004C5A8C |. 0F84 D9000000 je sublime_.004C5B6B
004C5A92 |. 3D 43540C00 cmp eax, 0xC5443
004C5A97 |. 0F84 CE000000 je sublime_.004C5B6B
004C5A9D |. 3D 3E550C00 cmp eax, 0xC553E
004C5AA2 |. 0F84 C3000000 je sublime_.004C5B6B
004C5AA8 |. 3D 27610C00 cmp eax, 0xC6127
004C5AAD |. 0F84 B8000000 je sublime_.004C5B6B
004C5AB3 |. 3D 18670C00 cmp eax, 0xC6718
004C5AB8 |. 0F84 AD000000 je sublime_.004C5B6B
004C5ABE |. 3D C5750C00 cmp eax, 0xC75C5
004C5AC3 |. 0F84 A2000000 je sublime_.004C5B6B
004C5AC9 |. 3D 737C0C00 cmp eax, 0xC7C73
004C5ACE |. 0F84 97000000 je sublime_.004C5B6B
004C5AD4 |. 3D 137D0C00 cmp eax, 0xC7D13
004C5AD9 |. 0F84 8C000000 je sublime_.004C5B6B
004C5ADF |. 3D 3E830C00 cmp eax, 0xC833E
004C5AE4 |. 0F84 81000000 je sublime_.004C5B6B
004C5AEA |. 3D CCA20C00 cmp eax, 0xCA2CC
004C5AEF |. 74 7A je short sublime_.004C5B6B
004C5AF1 |. 3D ABA60C00 cmp eax, 0xCA6AB
004C5AF6 |. 74 73 je short sublime_.004C5B6B
004C5AF8 |. 3D 4EAD0C00 cmp eax, 0xCAD4E
004C5AFD |. 74 6C je short sublime_.004C5B6B
004C5AFF |. 3D 28AF0C00 cmp eax, 0xCAF28
004C5B04 |. 74 65 je short sublime_.004C5B6B
004C5B06 |. 3D 2DBF0C00 cmp eax, 0xCBF2D
004C5B0B |. 74 5E je short sublime_.004C5B6B
004C5B0D |. 3D 22D00C00 cmp eax, 0xCD022
004C5B12 |. 74 57 je short sublime_.004C5B6B
004C5B14 |. 3D 2AE30C00 cmp eax, 0xCE32A
004C5B19 |. 74 50 je short sublime_.004C5B6B
004C5B1B |. 3D 8DEA0C00 cmp eax, 0xCEA8D
004C5B20 |. 74 49 je short sublime_.004C5B6B
004C5B22 |. 3D 0B390C00 cmp eax, 0xC390B
004C5B27 |. 74 42 je short sublime_.004C5B6B
004C5B29 |. 3D 0EC60C00 cmp eax, 0xCC60E
004C5B2E |. 74 3B je short sublime_.004C5B6B
004C5B30 |. 3D 57740C00 cmp eax, 0xC7457
004C5B35 |. 74 34 je short sublime_.004C5B6B
004C5B37 |. 3D A0E80C00 cmp eax, 0xCE8A0
004C5B3C |. 74 2D je short sublime_.004C5B6B
004C5B3E |. 8B4D 8C mov ecx, dword ptr ss:[ebp-0x74]
004C5B41 |. 85C9 test ecx, ecx ; sublime_.004C5D2B
004C5B43 |. 74 02 je short sublime_.004C5B47
004C5B45 |. 8901 mov dword ptr ds:[ecx], eax
004C5B47 |> 85FF test edi, edi
004C5B49 |. 74 12 je short sublime_.004C5B5D
004C5B4B |. 8D45 A8 lea eax, dword ptr ss:[ebp-0x58]
004C5B4E |. 3BF8 cmp edi, eax
004C5B50 |. 74 0B je short sublime_.004C5B5D
004C5B52 |. 6A FF push -0x1
004C5B54 |. 53 push ebx
004C5B55 |. 50 push eax
004C5B56 |. 8BCF mov ecx, edi
004C5B58 |. E8 A6D5F3FF call sublime_.00403103
004C5B5D |> 8B4D 88 mov ecx, dword ptr ss:[ebp-0x78]
004C5B60 |. 85C9 test ecx, ecx ; sublime_.004C5D2B
004C5B62 |. 74 0E je short sublime_.004C5B72
004C5B64 |. 8B45 84 mov eax, dword ptr ss:[ebp-0x7C]
004C5B67 |. 8901 mov dword ptr ds:[ecx], eax
004C5B69 |. EB 07 jmp short sublime_.004C5B72
004C5B6B |> 6A 03 push 0x3 ; if the entered license is on the blacklist, execution jumps here and the function returns 3
004C5B6D |. EB 02 jmp short sublime_.004C5B71
004C5B6F |> 6A 02 push 0x2 ; the license key is no longer supported by this version of the program; execution jumps here and the function returns 2
004C5B71 |> 5B pop ebx ; sublime_.004A3C88
004C5B72 |> 8D4D D8 lea ecx, dword ptr ss:[ebp-0x28]
004C5B75 |. E8 37C0F3FF call sublime_.00401BB1
004C5B7A |. 8D4D C0 lea ecx, dword ptr ss:[ebp-0x40]
004C5B7D |. E8 2FC0F3FF call sublime_.00401BB1
004C5B82 |. 8D4D A8 lea ecx, dword ptr ss:[ebp-0x58]
004C5B85 |. E8 27C0F3FF call sublime_.00401BB1
004C5B8A |. 8D4D 90 lea ecx, dword ptr ss:[ebp-0x70]
004C5B8D |. E8 1FC0F3FF call sublime_.00401BB1
004C5B92 |. 8BC3 mov eax, ebx
004C5B94 |. E8 CC400300 call sublime_.004F9C65
004C5B99 \. C3 retn

Note the last instruction:
004C5B92 |. 8BC3 mov eax, ebx
and ebx was initialized to 0:
004C558F |. 33DB xor ebx, ebx

If this function does not return 0, ebx must have been modified somewhere later on, as in this case:
004C55F5 |> \33DB xor ebx, ebx
004C55F7 |. 43 inc ebx ; not a valid license key. "That license key doesn't appear to be valid."
In this case ebx = 1 and ultimately eax = 1, i.e. the license key is invalid.

There are also these two cases:
004C5B6B |> \6A 03 push 0x3 ; the license key has been banned. "That license key has been invalidated, due to being shared. Please email sales@sublimetext.com to get your license key reissued."
004C5B6D |. EB 02 jmp short sublime_.004C5B71
004C5B6F |> 6A 02 push 0x2 ; possibly a license key from an older version. "That license key is no longer valid."
004C5B71 |> 5B pop ebx

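If execution jumps straight to 004C5B72 after ebx is initialized, or if the final 004C5B92 8BC3 mov eax, ebx is changed to an instruction that sets it to 1, such as:
mov al,1 or xor eax,eax
the function will obediently return 0.
The opcodes for the two instructions: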
004C5B92 B0 00 mov al, 0x0

004C5B92 33C0 xor eax, eax
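Anyone who practices regularly can probably recite these opcodes from memory.
The modifications above are already enough for a brute-force patch.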

------------------------------------------------------------------------------------------

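Because I had earlier set a breakpoint at 004C5564, I found that the program calls this function at startup to determine whether it has already been registered.
Then I noticed a call inside this function; I really should have noticed it earlier, but I was not paying much attention when I first debugged it: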
004C55CB |. E8 F2AA1500 call sublime_.006200C2

It turns out that 006200C2 verifies whether the license information is correct and, based on the license, sets the ASCII string for the corresponding license type:
006200C2 /$ 6A 58 push 0x58
006200C4 |. B8 13406600 mov eax, sublime_.00664013
006200C9 |. E8 E89BEDFF call sublime_.004F9CB6
006200CE |. 8B4D 0C mov ecx, dword ptr ss:[ebp+0xC] ; sublime_.0070F0CC
006200D1 |. 8B45 08 mov eax, dword ptr ss:[ebp+0x8]
006200D4 |. 894D 9C mov dword ptr ss:[ebp-0x64], ecx
006200D7 |. 8B4D 10 mov ecx, dword ptr ss:[ebp+0x10] ; sublime_.00744304
006200DA |. 894D A0 mov dword ptr ss:[ebp-0x60], ecx
006200DD |. 8B4D 14 mov ecx, dword ptr ss:[ebp+0x14]
006200E0 |. 894D AC mov dword ptr ss:[ebp-0x54], ecx
006200E3 |. 8B4D 18 mov ecx, dword ptr ss:[ebp+0x18]
006200E6 |. 33DB xor ebx, ebx ; ebx set to 0; this register holds the return value, and a return value of 0 means the license key is invalid
......
006201B8 |. E8 462FDEFF call sublime_.00403103
006201BD |> 68 345A6B00 push sublime_.006B5A34 ; ASCII "Single User License"
006201C2 |. 8D77 18 lea esi, dword ptr ds:[edi+0x18]
006201C5 |. E8 3A3CDEFF call sublime_.00403E04
006201CA |. 59 pop ecx ; sublime_.004C55D0
006201CB |. 50 push eax
006201CC |. 68 345A6B00 push sublime_.006B5A34 ; ASCII "Single User License"
006201D1 |. FF76 10 push dword ptr ds:[esi+0x10]
006201D4 |. 8BCE mov ecx, esi
006201D6 |. 53 push ebx
006201D7 |. E8 E99FDEFF call sublime_.0040A1C5
006201DC |. 85C0 test eax, eax
006201DE |. 75 0B jnz short sublime_.006201EB ; jump to the Unlimited User branch
006201E0 |. 8B4D AC mov ecx, dword ptr ss:[ebp-0x54]
006201E3 |. C701 01000000 mov dword ptr ds:[ecx], 0x1
006201E9 |. EB 3B jmp short sublime_.00620226
006201EB |> 68 485A6B00 push sublime_.006B5A48 ; ASCII "Unlimited User License"
......
0062034B |. 8AC3 mov al, bl
0062034D |. E8 1399EDFF call sublime_.004F9C65
00620352 \. C3 retn

The call to 006200C2 inside function 004C5564:
004C55CB |. E8 F2AA1500 call sublime_.006200C2
004C55D0 |. 83C4 18 add esp, 0x18
004C55D3 |. 84C0 test al, al
004C55D5 |. 74 1E je short sublime_.004C55F5
If 006200C2 returns 0, the program jumps to 004C55F5, so ebx = 1 and finally eax = ebx: the function returns 1 and the invalid-license-key message is shown.

Then there is one more call in 004C5564 that checks the license key:
004C55EC |. E8 D44BF4FF call sublime_.0040A1C5
004C55F1 |. 85C0 test eax, eax
004C55F3 |. 74 08 je short sublime_.004C55FD
004C55F5 |> 33DB xor ebx, ebx
004C55F7 |. 43 inc ebx
004C55F8 |. E9 75050000 jmp sublime_.004C5B72 ; this jump means the license key is not valid; the function returns 1

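If 0040A1C5 returns non-zero, the license key is invalid. If it returns 0, there are three cases: 1. the license key is valid for the current version of the software; 2. the license key does not apply to the current version; 3. the license key has been banned.
If the jump to 004C55FD is not taken, the result is the same as when 006200C2 returns 0.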

Therefore, we need:
006200C2 to return non-zero
0040A1C5 to return 0
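
The control flow of 004C5564 described above, reconstructed as C (an added example, not code from the original post or from Sublime Text). The function and parameter names are assumptions, the three inputs stand in for the values returned by 006200C2, 0040A1C5 and 004FEB9E, and the ID arrays hold only the first three constants of each comparison chain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status values returned by 004C5564, as annotated in the listing. */
enum license_status {
    LICENSE_OK          = 0,  /* ebx keeps its initial value (xor ebx, ebx) */
    LICENSE_INVALID     = 1,  /* path through 004C55F5: xor ebx, ebx / inc ebx */
    LICENSE_UNSUPPORTED = 2,  /* push 0x2 at 004C5B6F */
    LICENSE_BLACKLISTED = 3   /* push 0x3 at 004C5B6B */
};

/* Excerpts only: the first three constants of each cmp/je chain. */
static const uint32_t unsupported_ids[] = { 0xC1C24, 0xC1C23, 0xC1C26 };
static const uint32_t blacklisted_ids[] = { 0xC1C42, 0xC23DA, 0xC2820 };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int id_in(const uint32_t *ids, size_t count, uint32_t id)
{
    for (size_t i = 0; i < count; i++)
        if (ids[i] == id)
            return 1;
    return 0;
}

/*
 * parse_result   : al after the call to 006200C2 (0 = invalid)
 * compare_result : eax after the call to 0040A1C5 (non-zero = invalid)
 * license_id     : eax after the call to 004FEB9E, fed to the cmp chains
 * All three names are hypothetical; the listing has no symbols.
 */
enum license_status check_license(int parse_result, int compare_result,
                                  uint32_t license_id)
{
    /* test al, al / je 004C55F5, then test eax, eax / je 004C55FD */
    if (parse_result == 0 || compare_result != 0)
        return LICENSE_INVALID;
    if (id_in(unsupported_ids, COUNT(unsupported_ids), license_id))
        return LICENSE_UNSUPPORTED;
    if (id_in(blacklisted_ids, COUNT(blacklisted_ids), license_id))
        return LICENSE_BLACKLISTED;
    return LICENSE_OK;
}

/* The caller's switch on the returned status, with the strings quoted in the post. */
const char *status_message(enum license_status status)
{
    switch (status) {
    case LICENSE_OK:          return "Thanks for purchasing!";
    case LICENSE_INVALID:     return "That license key doesn't appear to be valid.";
    case LICENSE_UNSUPPORTED: return "That license key is no longer valid.";
    case LICENSE_BLACKLISTED: return "That license key has been invalidated, due to being shared.";
    }
    return "";
}

int main(void)
{
    /* Constructed inputs: one per outcome. */
    printf("%s\n", status_message(check_license(0, 0, 0x1)));
    printf("%s\n", status_message(check_license(1, 0, 0xC1C24)));
    printf("%s\n", status_message(check_license(1, 0, 0xC1C42)));
    printf("%s\n", status_message(check_license(1, 0, 0x1)));
    return 0;
}
```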

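At this point we should revisit the patch point above. It simply makes 004C5564 return 0. But does the program call 006200C2 and 0040A1C5 anywhere else to check registration?
Fortunately, this program's checks are fairly centralized: 006200C2 and 0040A1C5 are not called anywhere else, so the patch above works.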

In addition, debugging revealed that the license file is stored at:
ecx=01E56060, (ASCII "/C/Documents and Settings/Administrator/Application Data/Sublime Text 3/Local/License.sublime_license")

Patch file download
Link: http://pan.baidu.com/share/link?shareid=260461667&uk=539163738
Password: mmoq

11 Responses
  1. alex

    A new version is out: Sublime Text 3 Build 3059

  2. 红色石头

    Came by to have a look. This is 3; I was using 2 before. There is even a crack for it, what a pain~

  3. 荒野无灯

    @007
    Here is a download link hosted outside China:
    https://www.dropbox.com/sh/8k2y14kmddsbn4l/ne3Kxm1jIT

  4. 007

    Could you upload the patch somewhere else? pan.baidu.com does not work outside Asia. Thank you!

  5. 谢单单

    I don't understand it, but it looks impressive...

    I don't even know which one to download...

  6. Yusky

    Wow~~~ So you have been doing cracking lately.....

  7. anopos

    Why does the blogger's name feel so familiar!

  8. 故作调

    Thanks, I have downloaded the patch
    Recommended for use with the ConvertToUTF8 plugin
    Git repository: https://github.com/seanliang/ConvertToUTF8
