Bored, I picked up a 1 GB USB stick and ran ChipGenius on it, which reported the following:
Chip vendor: Chipsbank
Chip model: CBM2091
I found the matching mass-production tool, CBM209XUMPToolV1.9.17_A30515, and mass-produced the stick as an encrypted drive. Once that succeeded, the drive contained two files,
logintool2090.exe and ResEng.dll. Running logintool2090.exe prompts for a password, and only the correct password gets you into the real drive.
Cracking method:
Run logintool2090.exe and attach OllyDbg to the process (if you load it in OD instead, the program exits). Enter a wrong password and use the F12 trick; that leads to the following key spot:
0040333C . 8D7E 6C lea edi, dword ptr [esi+6C]
0040333F . 8D46 70 lea eax, dword ptr [esi+70]
00403342 . 50 push eax
00403343 . 8BCF mov ecx, edi
00403345 . E8 4E0A0000 call <jmp.&MFC42.#858_CString::operat>
0040334A . 8D4C24 08 lea ecx, dword ptr [esp+8]
0040334E . E8 210A0000 call <jmp.&MFC42.#540_CString::CStrin>
00403353 . 8D4C24 08 lea ecx, dword ptr [esp+8]
00403357 . C74424 14 000>mov dword ptr [esp+14], 0
0040335F . 51 push ecx ; /Arg1
00403360 . 8BCE mov ecx, esi ; |
00403362 . E8 B9040000 call 00403820 ; \logintoo.00403820
00403367 . 85C0 test eax, eax
00403369 . 75 0A jnz short 00403375
0040336B . 6A FF push -1
0040336D . 50 push eax
0040336E . 6A 6B push 6B
00403370 . E8 2F0A0000 call <jmp.&MFC42.#1199_AfxMessageBox>
00403375 > 8B3F mov edi, dword ptr [edi]
00403377 . 8B5424 08 mov edx, dword ptr [esp+8]
0040337B . 57 push edi ; /entered (fake) password
0040337C . 52 push edx ; |real password
0040337D . FF15 44524000 call dword ptr [<&MSVCRT._mbscmp>] ; \key comparison
00403383 . 83C4 08 add esp, 8
00403386 . 85C0 test eax, eax
00403388 . 0F85 93000000 jnz 00403421
0040338E . 8B4E 64 mov ecx, dword ptr [esi+64]
00403391 . 53 push ebx
00403392 . 55 push ebp
00403393 . 6A 00 push 0
00403395 . 8B01 mov eax, dword ptr [ecx]
00403397 . 68 FF000000 push 0FF
0040339C . 6A 00 push 0
0040339E . FF50 1C call dword ptr [eax+1C]
004033A1 . 8B4E 64 mov ecx, dword ptr [esi+64]
004033A4 . 6A 00 push 0
004033A6 . 8B11 mov edx, dword ptr [ecx]
004033A8 . FF52 18 call dword ptr [edx+18]
The real password and the entered one are compared in plaintext................ speechless.
Summary: this form of USB "encryption" is far too insecure; at the very least, put a packer on logintool2090.
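The weakness the post observes is that the real password sits in memory as plaintext and is handed to a plain string compare (the _mbscmp call), so anyone with a debugger on the process reads it off the stack. The following is an added illustration, not code from the original post or from the Chipsbank tool: it places the plaintext comparison the post found next to a hardened check that stores only a salt and a PBKDF2-HMAC-SHA256 digest and compares digests in constant time. The function names, the iteration count and the sample password are my own assumptions.

```python
import hashlib
import hmac
import os

# Weak design, mirroring what the post found in logintool2090: the genuine
# password is kept in memory as plaintext and compared directly, so a
# debugger attached at the compare sees both operands.
def check_plaintext(stored_password: str, entered: str) -> bool:
    return stored_password == entered


# Hardened design (an assumption for illustration, not how the tool works):
# the program never holds the password itself, only a random salt and a slow
# salted digest. Iteration count is an assumed value chosen for the example.
ITERATIONS = 200_000


def enroll(password: str) -> dict:
    """Create the record that would be stored instead of the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def check_hashed(record: dict, entered: str) -> bool:
    """Recompute the digest for the entered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", entered.encode("utf-8"), record["salt"], record["iterations"]
    )
    # hmac.compare_digest avoids the early-exit timing leak of a plain compare.
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> tuple:
    """Constructed sample run: correct and wrong guesses against one record."""
    record = enroll("sample-password")  # constructed sample value
    return (
        check_hashed(record, "sample-password"),
        check_hashed(record, "wrong-guess"),
        len(record["digest"]),
    )


if __name__ == "__main__":
    print(check_plaintext("sample-password", "sample-password"))  # plaintext in memory
    print(demo())
```

With the hashed record, what a debugger can read at the comparison is a salt and a digest rather than the password itself, which removes the specific leak the post describes; the string compare still exists, but its operands no longer reveal the secret.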