Proxifier reverse analysis (Windows)

Proxifier itself will not be introduced here; for a detailed introduction, read the previous article. We go straight to the topic and analyze the Windows version of Proxifier.

Reverse analysis on Windows

Environment and tools

    Windows 10 (any version)

    frida

    IDA

    x64dbg

    vscode

    010editor

Download the latest Windows version from the official website; the running program is shown in the figure below.

image

I won't repeat how to find out what the program is written in (the method is the same as before: view all loaded modules). Let's try registering to see the effect, as shown in the figure below.

image

Try a key found online, as shown in the figure below. It works, but we still want to analyze the program ourselves; learning is the focus of this article.

image

Restore the snapshot to the unactivated state, then first use frida to trace the dialog box, as shown in the figure below.

image

Write code to hook the popup function and print the call stack (first use 010editor to disable address randomization in the binary; this is not covered here, ask the author if you don't understand it). Try it, as shown in the figure below.

image

Go directly to IDA to locate this function and then look for cross-references, and find that there are too many calling functions, as shown in the figure below.

image

Add another tool here: use x64dbg to attach to the process and set an API breakpoint on the popup box (a detailed x64dbg video tutorial is available from the author). Stepping back through the debugger all the way leads to the function at address 0x140041520; then view this function in IDA, as shown in the figure below.

image

image

There is a very obvious prompt message here, and we can use IDA to view the references to this function and see the success prompt message, as shown in the figure below.

image

image

Continue with dynamic debugging in x64dbg and modify the return value of the sub_140041520 function to see the effect, as shown in the figure below.

image

image

image

This confirms that the analysis route is correct. Now we modify the system time to see whether the registration really succeeded, as shown in the figure.

image

image

Unfortunately it did not, so I can only continue analyzing the sub_140041520 function. After entering it, I found that registry information is written and there is a prompt showing how many days remain, as shown in the figure.

image

By debugging this function, find the place where the time is obtained and modify some of the logic; this confirms that it is indeed the detection function.

image

image

Then we can directly modify this function (or hook the function that obtains the time) to achieve the permanent registration effect, as shown in the figure.

image

image

Testing shows that the program functions normally, as shown in the figures below.

image

image

image

image

In fact, you can also start from other angles. For example, you can start from the button click event function as in the Mac analysis in the previous article, or set an API breakpoint on the window text function (SetWindowTextW); either approach also works. This article is just some brief text with pictures added. For detailed basic tutorials on the tools used, you can contact the author, but you can only really learn it by doing it yourself.


Source: blog.csdn.net/u011426115/article/details/112689374