You may have seen messages like the following:
Sorry, this database has been created by a pirate version of IDA
Another copy of IDA Pro has been detected
These prompts can be removed with a very simple method (IDA Pro 7.0.170914 x64):
LAN
ida.exe and ida64.exe
Search for
5D C3 41 56 48 83 EC 40
Change to
5D C3 B0 00 C3 90 90 90
idat.exe and idat64.exe
Search for
C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC 41 56 48 83 EC 40 48 C7
Change to
C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC B0 00 C3 83 EC 40 48 C7
Mac version
ida, ida64, idat and idat64
Search for
31 C0 5A C3 66 0F 1F 44 00 00 55 41 57 41 56 41 55
Change to
31 C0 5A C3 66 0F 1F 44 00 00 B0 00 C3 41 56 41 55
idb
ida.dll and ida64.dll
Search for
CC 00 00 00 00 00 00 00 00 00 00 00 00 00 40 53 48 81 EC A0 00 00 00
Change to
CC 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 C3 90 90 90 90 90 90
Mac version
libida.dylib and libida64.dylib
Search for
41 57 41 56 53 48 81 EC 80 00 00 00
Change to
C3 57 41 56 53 48 81 EC 80 00 00 00
Removing the LAN restriction
IDA version used for this analysis: ida.exe from 7.0.171130 (leaked online)
0000000140258910 aAnotherCopyOfS
sub_140190C40
sub_140192B60
sub_140193850
?post_pgo_initialization@@YAHXZ_1
sub_140194B40
sub_140194B40->sub_140190290
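or sub_140194B40->sub_14018F9E0->sub_140190290
In short, whichever call path is taken, it ends up calling sub_140190290
Look at the callers one level above this function
One of them does something I can't identify, and the other is probably the update check? So let's patch sub_140190290
That is, in ida.exe
Search for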
5D C3 41 56 48 83 EC 40
Change to
5D C3 B0 00 C3 90 90 90
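Removing the pirated-idb blacklist check
Open ida64.dll and search for the string
Analyze the two functions that reference the string
This one is simple: just make sub_10167950 return 0
Search for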
CC 00 00 00 00 00 00 00 00 00 00 00 00 00 40 53 48 81 EC A0 00 00 00
Change to
CC 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 C3 90 90 90 90 90 90
The flow in the Mac version is slightly different, so I won't write it out
In the Mac version it is in sub_1001EE430