[软件]不详细透露,狗的版本,不详。Usb狗,大概是2008年的。
[工具]OD,MASM

首先谈谈加密狗。加密狗,是一个硬件,内部大概xxxx,很多的细节,我也不太了解。

在windows平台访问一个硬件,首先要访问设备驱动;要访问一个设备驱动,首先要做的就是用CreateFile打开它,然后使用DeviceIoControl与之通信。

恩,明白了这点后,我们就知道,只要挂接deviceIoControl就可以截获其通信流了。

下边先发一个挂接DeviceIoControl的例程,即破解硬盘绑定的例程。

我感觉,几乎所有物理硬件(硬盘)绑定,都可以用其破之。

;在此文档的文档工具栏项目上单击右键->参数属性




.386
.model flat, stdcall
option casemap :none

include windows.inc
include user32.inc
include kernel32.inc
include  masm32.inc
include  shlwapi.inc

includelib user32.lib
includelib kernel32.lib
includelib  masm32.lib
includelib  shlwapi.lib

HookApi  PROTO :DWORD,:DWORD,:DWORD
MyDeviceIoControl PROTO
MyCreateProcessA  PROTO
.data
  ;strings used by LibMain / MsgBox: MessageBox caption, module to LoadLibrary, export names to resolve
  lpszByDll db "Welcome",0
  lpHookDll db "kernel32.dll",0
  szDeviceIoControl db "DeviceIoControl",0
  szCreateProcessA  db  "CreateProcessA",0
  ;used by MyCreateProcessA: if lpCommandLine matches szCmpProc (first 30 bytes) it is overwritten
  ;with 30 bytes starting at szExplorer.  szExplorer is 24 bytes including its NUL, so the copy
  ;runs 6 bytes into szCmpProc, which must therefore stay immediately after it.
  szExplorer      db  'c:\windows\explorer.exe',0
  szCmpProc      db  'c:\windows\system32\check.exe',0
  
  ;SMART_GET_VERSION replies: MyDeviceIoControl copies the first 18h (24) bytes of one of these
  ;into the caller's output buffer -- dbRedDate1 while bFlag==FALSE, dbRedDate2 while bFlag==TRUE.
  ;dbRedDate1 holds 25 bytes; its trailing 0 is never copied.  24 bytes is the size of a
  ;GETVERSIONINPARAMS structure -- presumably what these bytes imitate (not verified here).
  dbRedDate1      db  01h,01h,00h,04h,07h,00h,00h,00h,0FAh,0C1h,0E3h,2Dh,82h,0DCh,\
                 86h,0BFh,78h,0DAh,4Ah,0E2h,78h,0A8h,5Eh,0E2h,0
  dbRedDate2      db  01h,01h,00h,04h,07h,00h,00h,00h,0E8h,22h,0D3h,8Ah,00h,00h,00h,\
                 00h,00h,00h,00h,00h,05h,00h,00h,84h
  
  ;SMART_RCV_DRIVE_DATA reply #1: dbReadDate11 through r1c are one contiguous 21Ch (540) byte
  ;image (11 x 48 bytes + 12); the r1x labels are only continuation lines and are never
  ;referenced by code.  MyDeviceIoControl copies 21Ch bytes starting at dbReadDate11 while
  ;bFlag==FALSE.  r12/r13 contain ASCII text in byte-swapped pairs -- looks like ATA IDENTIFY
  ;model/serial strings, unverified.
  dbReadDate11    db  00h,02h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 5Ah,0Ch,0FFh,3Fh,37h,0C8h,10h,00h,00h,00h,00h,00h,3Fh,00h,00h,00h,\
                 00h,00h,00h,00h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h
        r12    db   52h,35h,30h,59h,35h,52h,35h,36h,00h,00h,00h,40h,04h,00h,2Eh,33h,\
                 41h,41h,20h,46h,20h,20h,54h,53h,32h,33h,30h,35h,31h,33h,41h,30h,\
                 20h,53h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h
         r13    db  20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,10h,80h,\
                  00h,00h,00h,2Fh,00h,40h,00h,02h,00h,02h,07h,00h,0FFh,3Fh,10h,00h,\
                  3Fh,00h,10h,0FCh,0FBh,00h,10h,01h,0FFh,0FFh,0FFh,0Fh,00h,00h,07h,00h
         r14    db  03h,00h,78h,00h,78h,00h,78h,00h,78h,00h,00h,00h,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,1Fh,00h,02h,05h,00h,00h,48h,00h,40h,00h,\
                  0FEh,00h,00h,00h,6Bh,34h,01h,7Dh,23h,40h,68h,34h,01h,0BCh,23h,40h
         r15    db  7Fh,20h,00h,00h,00h,00h,0FEh,0FEh,0FEh,0FFh,00h,00h,00h,0D0h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,00h,00h,70h,59h,1Ch,1Dh,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,40h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
         r16    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,1Eh,40h,\
                  1Ch,40h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                  09h,00h,70h,59h,1Ch,1Dh,70h,59h,1Ch,1Dh,20h,20h,02h,00h,0B6h,02h
         r17    db  02h,00h,8Ah,00h,06h,3Ch,0Ah,3Ch,00h,00h,0C6h,07h,00h,01h,00h,08h,\
                  14h,13h,00h,12h,02h,00h,80h,00h,00h,00h,00h,00h,80h,00h,02h,02h,\
                  00h,00h,04h,04h,00h,00h,00h,00h,00h,00h,00h,00h,00h,1Dh,0Bh,00h
         r18    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,
                 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
         r19    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,01h,00h,00h,00h
         r1a    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
         r1b    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,0a5h,8fh
         ;last 12 bytes of image #1; this is the only place image #1 and image #2 differ (compare r2c)
         r1c    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
  
  ;SMART_RCV_DRIVE_DATA reply #2: same layout and size (21Ch) as image #1, copied while
  ;bFlag==TRUE.  By inspection r22..r2b are byte-for-byte identical to r12..r1b; only r2c differs.
  dbReadDate22    db  00h,02h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 5Ah,0Ch,0FFh,3Fh,37h,0C8h,10h,00h,00h,00h,00h,00h,3Fh,00h,00h,00h,\
                 00h,00h,00h,00h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h
        r22     db  52h,35h,30h,59h,35h,52h,35h,36h,00h,00h,00h,40h,04h,00h,2Eh,33h,\
                 41h,41h,20h,46h,20h,20h,54h,53h,32h,33h,30h,35h,31h,33h,41h,30h,\
                 20h,53h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h
        r23    db  20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,20h,10h,80h,\
                 00h,00h,00h,2Fh,00h,40h,00h,02h,00h,02h,07h,00h,0FFh,3Fh,10h,00h,\
                 3Fh,00h,10h,0FCh,0FBh,00h,10h,01h,0FFh,0FFh,0FFh,0Fh,00h,00h,07h,00h
        r24    db  03h,00h,78h,00h,78h,00h,78h,00h,78h,00h,00h,00h,00h,00h,00h,00h,\
                 00h,00h,00h,00h,00h,00h,1Fh,00h,02h,05h,00h,00h,48h,00h,40h,00h,\
                 0FEh,00h,00h,00h,6Bh,34h,01h,7Dh,23h,40h,68h,34h,01h,0BCh,23h,40h
        r25      db  7Fh,20h,00h,00h,00h,00h,0FEh,0FEh,0FEh,0FFh,00h,00h,00h,0D0h,00h,00h,\
                 00h,00h,00h,00h,00h,00h,00h,00h,70h,59h,1Ch,1Dh,00h,00h,00h,00h,\
                 00h,00h,00h,00h,00h,40h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        r26    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,1Eh,40h,\
                 1Ch,40h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 09h,00h,70h,59h,1Ch,1Dh,70h,59h,1Ch,1Dh,20h,20h,02h,00h,0B6h,02h
        r27      db  02h,00h,8Ah,00h,06h,3Ch,0Ah,3Ch,00h,00h,0C6h,07h,00h,01h,00h,08h,\
                     14h,13h,00h,12h,02h,00h,80h,00h,00h,00h,00h,00h,80h,00h,02h,02h,\
                     00h,00h,04h,04h,00h,00h,00h,00h,00h,00h,00h,00h,00h,1Dh,0Bh,00h
        r28      db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        r29    db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,01h,00h,00h,00h
        r2a      db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
         r2b      db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                      00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,\
                      00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,0a5h,8fh
         ;last 12 bytes of image #2: bytes 4..11 are the ASCII "3.AAF" / "31" that image #1 leaves as zeros
         r2c      db  00h,00h,00h,00h,33h,2Eh,41h,41h,46h,00h,33h,31h
                       
                  
                   
  
  ;MessageBox text shown by HookApi when VirtualQuery/VirtualProtect fail
  lpError   db  "pg error",0
  ;7-byte patch template written over the hooked export: E9 <rel32> 90 90.
  ;HookApi stores rel32 at lpJMP+1 at run time, so this lives in writable .data and keeps the
  ;value of the most recent HookApi call.
  lpJMP     db  0e9h,00h,00h,00h,00h,90h,90h
  
  
.data?
  hInstance dd ?                         ;this DLL's own module handle, saved in LibMain
  
  pDeviceIoControl   dd ?                ;kernel32!DeviceIoControl: first 7 bytes patched, resumed at +7
  pCreateProcessA   dd ?                 ;kernel32!CreateProcessA: first 5 bytes patched, resumed at +5
  hKernel32 dd ?                         ;result of LoadLibrary("kernel32.dll")
  pProcName      db  MAX_PATH  dup  (?)  ;only referenced by commented-out code in LibMain
  bFlag           dd ?                   ;alternation state (starts at 0 in the uninitialised section):
                                         ;toggled by MyDeviceIoControl's SMART_RCV_DRIVE_DATA path,
                                         ;read but not written by its SMART_GET_VERSION path
  
.CODE

;入口.如果DLL需要加载资源,需要保存hIinstDLL这个句柄到全局变量.它才是模块句柄
;使用GetModuleHandle获得的永远是主程序的句柄
;-----------------------------------------------------------------------
; BOOL LibMain(HINSTANCE hInstDLL, DWORD reason, LPVOID unused)
; DLL entry point (32-bit, stdcall).
; DLL_PROCESS_ATTACH: stores hInstDLL in hInstance, resolves DeviceIoControl
; and CreateProcessA from kernel32.dll, and has HookApi overwrite the first
; 7 / 5 bytes of those two exports with a jmp to MyDeviceIoControl /
; MyCreateProcessA.  Returns TRUE without checking either GetProcAddress
; result or either HookApi result.
; Other reason codes: nothing is done and eax is not set, so the value
; returned on those paths is whatever happened to be in eax.
; The patches are never undone (the DETACH branch is empty).  Because this
; rewrites kernel32 export code inside the host process, comparing the first
; bytes of those exports against the on-disk image would reveal the hook.
;-----------------------------------------------------------------------
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
  .if reason == DLL_PROCESS_ATTACH          ;called when the DLL is loaded; returning 0 makes the load fail
    mov eax,hInstDLL
    mov hInstance,eax                       ;keep the DLL's own handle (GetModuleHandle(NULL) gives the EXE's)
  ;  invoke  MessageBox,NULL,addr lpError,addr lpError,MB_OK
    ;hook  DeviceIoControl
    ;invoke  GetModuleFileName,NULL,addr pProcName,MAX_PATH
    ;invoke  MessageBox,NULL,addr pProcName,addr pProcName,MB_OK
    invoke  LoadLibrary,addr lpHookDll      ;"kernel32.dll"
    mov    hKernel32,eax
    invoke  GetProcAddress,hKernel32,addr szDeviceIoControl
    mov    pDeviceIoControl,eax             ;not checked for NULL
    invoke  GetProcAddress,hKernel32,addr szCreateProcessA
    mov    pCreateProcessA,eax              ;not checked for NULL
    
    mov    eax,MyDeviceIoControl
    invoke  HookApi,eax,pDeviceIoControl,7h ;7-byte patch; MyDeviceIoControl re-executes those 7 bytes itself
    mov    eax,MyCreateProcessA
    invoke  HookApi,eax,pCreateProcessA,5h  ;5-byte patch over the mov edi,edi / push ebp / mov ebp,esp prologue
    mov eax,TRUE
    ret
  .elseif reason == DLL_PROCESS_DETACH
    ;the patched exports are not restored here
  .elseif reason == DLL_THREAD_ATTACH
    
  .elseif reason == DLL_THREAD_DETACH
    ;add handling code here
  .endif
ret
LibMain Endp

;供主程序调用的函数
;-----------------------------------------------------------------------
; int MsgBox(HWND hWnd, LPCSTR lpszText, UINT fStyle)
; Helper exported for the host program: shows lpszText in a MessageBox whose
; caption is the fixed string lpszByDll ("Welcome").  MessageBox's return
; value is passed through in eax.
;-----------------------------------------------------------------------
MsgBox proc hWnd,lpszText,fStyle
  invoke MessageBox,hWnd,lpszText,offset lpszByDll,fStyle
ret
MsgBox endp


;-----------------------------------------------------------------------
; DWORD HookApi(DWORD MyAdd, DWORD HookAdd, DWORD WriteLen)
; Overwrites the first WriteLen bytes at HookAdd with the lpJMP template
; (E9 <rel32> 90 90) after storing rel32 = MyAdd - HookAdd - 5 into it.
; In:   MyAdd    = address of the replacement routine
;       HookAdd  = address of the code being patched
;       WriteLen = number of bytes copied from lpJMP (LibMain passes 7 and 5)
; Out:  eax = 1 on success; 0 after a "pg error" MessageBox when VirtualQuery
;       or either VirtualProtect fails.
; Clobbers ebx, which is callee-saved under stdcall, without saving it.
; Notes: the entire region VirtualQuery reports for HookAdd is made
; PAGE_EXECUTE_READWRITE for the duration of the write and then restored;
; WriteProcessMemory's return value and @DWWRITE are never checked; @temp is
; written but never read; lpJMP is a .data buffer so the rel32 persists.
;-----------------------------------------------------------------------
HookApi  proc  MyAdd:DWORD,HookAdd:DWORD,WriteLen:DWORD
      local  @OldPro:DWORD                    ;old protection from the first VirtualProtect; reused as value to restore
      local  @mbi:MEMORY_BASIC_INFORMATION
      local  @temp:DWORD                      ;copy of the computed rel32 (stored, never read)
      local  @hCurPro:DWORD
      local  @DWWRITE:DWORD                   ;bytes written by WriteProcessMemory (not checked)
      
      
      invoke  VirtualQuery,HookAdd,addr @mbi,sizeof MEMORY_BASIC_INFORMATION
      cmp    eax,0
      jz      Error
      invoke  VirtualProtect,@mbi.BaseAddress,@mbi.RegionSize,PAGE_EXECUTE_READWRITE,addr @OldPro
      cmp    eax,0
      jz      Error
      
      ;hook  code
      mov  eax,MyAdd
      mov  ebx,HookAdd                         ;ebx is not preserved for the caller
      sub  eax,ebx
      sub  eax,5                               ;eax = rel32 of a 5-byte E9 jmp from HookAdd to MyAdd
      mov  @temp,eax
      ;anay machin code addr
      
      lea  ecx,lpJMP
      mov  DWORD ptr[ecx+1],eax                ;lpJMP becomes E9 <rel32> 90 90
      ;hook
      ;invoke  MemCopy,HookAdd,addr lpJMP,5
      invoke  GetCurrentProcess
      mov    @hCurPro,eax
      invoke  WriteProcessMemory,@hCurPro,  HookAdd, addr lpJMP, WriteLen,addr @DWWRITE   ;result not checked
      
      ;
      
      ; this    error
      invoke  VirtualProtect,@mbi.BaseAddress,@mbi.RegionSize,@OldPro,addr @OldPro   ;put the original protection back
      cmp    eax,0
      jz      Error
      jmp    Succe
Error:
        invoke  MessageBox,NULL,addr lpError,addr lpError,MB_OK
        mov    eax,0
        ret
Succe:
       mov    eax,1

ret
HookApi  endp

;-----------------------------------------------------------------------
; MyDeviceIoControl -- entered through the jmp HookApi wrote over the first
; 7 bytes of kernel32!DeviceIoControl.  It is reached by jmp, not call, so on
; entry the stack is exactly what the caller set up for DeviceIoControl:
; [esp] = return address, then the 8 stdcall arguments.
; After pushad/pushfd (36 bytes) they are at:
;   [esp+24h] return address     [esp+28h] hDevice
;   [esp+2Ch] dwIoControlCode    [esp+30h] lpInBuffer
;   [esp+34h] nInBufferSize      [esp+38h] lpOutBuffer
;   [esp+3Ch] nOutBufferSize     [esp+40h] lpBytesReturned
;   [esp+44h] lpOverlapped
; Behaviour by control code:
;   74080h (SMART_GET_VERSION): copies 18h bytes from dbRedDate1 (bFlag==FALSE)
;     or dbRedDate2 (bFlag==TRUE) into lpOutBuffer, never reaches the driver,
;     returns 1.  nOutBufferSize is not checked on this path.
;   7C088h (SMART_RCV_DRIVE_DATA): if nOutBufferSize != 213h the original code
;     is resumed; otherwise 21Ch bytes from dbReadDate11 / dbReadDate22 are
;     copied into lpOutBuffer, bFlag is toggled, and 1 is returned.  21Ch is
;     larger than the 213h the guard admits, so the copy writes 9 bytes past
;     the length the caller declared.
;   anything else: the original code is resumed.
; Neither synthetic path writes *lpBytesReturned.  The synthetic return pops
; the return address and the 8 arguments, re-pushes the return address and
; rets (equivalent of ret 20h).
; Resume path: re-executes the 7 overwritten bytes (push 14h / push 7C810CC8h,
; 2 + 5 bytes) and jumps to pDeviceIoControl+7.  7C810CC8h is an absolute
; address copied from the one kernel32 build the author patched, so this
; resume path is only correct for that exact build.  ecx (caller-saved) is
; the only register clobbered on that path.
;-----------------------------------------------------------------------
MyDeviceIoControl proc
      
      pushad
      pushfd
      
      ;[esp+24h] is the original return address.  MessageBox etc. must not be called in here, because MessageBox itself would trigger this same hook
    ;  invoke  MessageBox,NULL,addr lpError,addr lpError,MB_OK
      mov    ebx,DWORD ptr [esp+2ch]             ;dwIoControlCode
      .if    ebx == 74080h;is it SMART_GET_VERSION?
      mov    ecx,bFlag
        .if  ecx ==FALSE;state 0 (bFlag is not changed on this path)
          mov    edi,DWORD ptr [esp+38h];out buffer
          mov    ecx,18h                           ;length not compared with nOutBufferSize
          lea    esi,dbRedDate1
          rep movs  BYTE ptr[edi],BYTE ptr[esi]
          popfd
          popad
          ;unwind the caller's frame: drop return address + 8 args, put the return address back (stdcall ret 20h)
          pop    ecx
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          push    ecx
          
          mov    eax,1                             ;report success without touching the device
          ret
        .elseif ecx == TRUE
          mov    edi,DWORD ptr [esp+38h];out buffer
          mov    ecx,18h
          lea    esi,dbRedDate2
          rep movs  BYTE ptr[edi],BYTE ptr[esi]
          popfd
          popad
          ;unwind the caller's frame (same as above)
          pop    ecx
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          pop    eax
          push    ecx
          
          mov    eax,1
          ret
        .endif
      .elseif  ebx == 0007C088h;is it SMART_RCV_DRIVE_DATA?
        mov    ecx,DWORD ptr[esp+3ch]              ;nOutBufferSize
        .if    ecx != 213h;only a 213h-byte output buffer is faked; anything else resumes the normal path
              popfd
              popad
              jmp  GO_HOME
        .endif
        mov    ecx,bFlag;alternation state
        .if  ecx == FALSE
         mov    edi,DWORD ptr [esp+38h];out buffer
         mov    ecx,21ch                           ;21Ch bytes into a buffer declared as 213h
         lea    esi,dbReadDate11
         rep  movs BYTE ptr[edi],BYTE ptr[esi]
         popfd
         popad
         mov    bFlag,TRUE                         ;next matching call gets image #2
         ;unwind the caller's frame (same as above)
         pop    ecx
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         push    ecx
         
         mov      eax,1
         ret
        .elseif ecx == TRUE
         mov    edi,DWORD ptr [esp+38h];out buffer
         mov    ecx,21ch
         lea    esi,dbReadDate22
         rep  movs BYTE ptr[edi],BYTE ptr[esi]
         popfd
         popad
         mov    bFlag,FALSE                        ;next matching call gets image #1 again
         ;unwind the caller's frame (same as above)
         pop    ecx
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         pop    eax
         push    ecx
         
         mov      eax,1
         ret
        .endif
        
      .endif
        

      ;      invoke  MessageBox,NULL,addr lpError,addr lpError,MB_OK
      ;resume the original routine
      popfd
      popad
GO_HOME:      
      push    14h                                  ;these two pushes are the 7 bytes the hook overwrote
      push    7C810CC8h                            ;absolute address from one specific kernel32 build
      ;only ecx may be used here: popad restored everything else, and ecx is caller-saved
      mov    ecx,  pDeviceIoControl
      add    ecx,7h
      jmp    ecx                                   ;continue in the original just past the patch
ret
MyDeviceIoControl endp

;-----------------------------------------------------------------------
; MyCreateProcessA -- entered through the jmp HookApi wrote over the first
; 5 bytes of kernel32!CreateProcessA (reached by jmp, not call).
; After pushad/pushfd: [esp+24h] = return address, [esp+28h] =
; lpApplicationName, [esp+2Ch] = lpCommandLine.
; If StrCmpN finds the first 30 bytes of lpCommandLine equal to szCmpProc
; ('c:\windows\system32\check.exe'), 30 bytes starting at szExplorer are
; copied over lpCommandLine in place.  szExplorer is 24 bytes including its
; NUL, so the last 6 bytes come from szCmpProc, which follows it in .data.
; This assumes the caller's command-line buffer is writable.
; Afterwards the 5 overwritten prologue bytes (mov edi,edi / push ebp /
; mov ebp,esp) are re-executed and control jumps to pCreateProcessA+5, so
; the real CreateProcessA runs with the possibly rewritten command line.
; The two lea eax lines are dead code: eax is overwritten by the StrCmpN
; call before it is read.
;-----------------------------------------------------------------------
MyCreateProcessA  proc
      
      pushad
      pushfd
      ;[esp+24h] is the original return address
      
    ;  mov    ebx,DWORD ptr [esp+2ch]
    ;  invoke  MessageBox,NULL,ebx,ebx,MB_OK
      lea    eax,dbReadDate11                      ;dead: overwritten on the next line
      lea    eax,dbRedDate2                        ;dead: overwritten by the StrCmpN call
      mov     ebx,DWORD ptr [esp+2ch]              ;lpCommandLine
      invoke  StrCmpN,addr szCmpProc,ebx,30
      .if    eax == FALSE                          ;StrCmpN returns 0 when the 30 bytes match
      ;rewrite the command line in place
        mov    edi,DWORD ptr [esp+2ch]
        mov    ecx,30                              ;30 bytes, 6 more than szExplorer holds
        lea    esi,szExplorer
        rep movs  BYTE ptr[edi],BYTE ptr [esi]
      .endif
      
      popfd
      popad
GO_HOME:
      mov    edi,edi                               ;these three instructions are the 5 bytes the hook overwrote
      push    ebp
      mov    ebp,esp
      mov    eax,pCreateProcessA
      add    eax,5h
      jmp    eax                                   ;continue in the original just past the patch
ret
MyCreateProcessA  endp

End LibMain



大概就是这个样子。狗的话,我后边慢慢谈咋破。


从某种意义上来说,从通信级破解是最好的解决方法;以后的话,我们只需关注随机变量和软件通信验证算法了。

待续..