-
-
[原创]协议分析
-
发表于: 2013-2-17 02:43
-
1.
传入字符结构
0470FED0 015675C8 萿V ASCII "5.132GIGABYTEUSB\VID_18D1&PID_9025&REV_0231&MI_01default"
跟踪下面两个算法,粗略写
sub_004BBBEC>
sub_004BBD44>
函数1结果
函数2结果
USB\VID_18D1&PID_9025&REV_0231&MI_01
硬件ID重新编码
"USB%5CVID%5F18D1%26PID%5F9025%26REV%5F0231%26MI%5F01"
Send:
Recv:
跟踪过程:
-----------------------------------------------------------------------------------------------------
解密函数
跟进解密函数,简单测试
------------------------------------
测试
获得结果
。。。
继续解密
最后结果
2.其他驱动下载软件发送类似数据结构
小于0x80字节,直接存放
大于处理
标志+SIZE+内容
------end----
005486E0 > $ 55 push ebp ; DriverUpdate.sub_005486E0 005486E1 . 8BEC mov ebp,esp 005486E3 . B9 38000000 mov ecx,0x38 005486E8 > 6A 00 push 0x0 005486EA . 6A 00 push 0x0 005486EC . 49 dec ecx 005486ED .^ 75 F9 jnz short Computer.005486E8 005486EF . 51 push ecx 005486F0 . 53 push ebx 005486F1 . 56 push esi 005486F2 . 57 push edi 005486F3 . 8955 F8 mov dword ptr ss:[ebp-0x8],edx 005486F6 . 8945 FC mov dword ptr ss:[ebp-0x4],eax 005486F9 . 33C0 xor eax,eax 005486FB . 55 push ebp 005486FC . 68 7E945400 push Computer.0054947E 00548701 . 64:FF30 push dword ptr fs:[eax] 00548704 . 64:8920 mov dword ptr fs:[eax],esp 00548707 . C645 F7 00 mov byte ptr ss:[ebp-0x9],0x0 0054870B . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] 0054870E . 66:8378 0A 00 cmp word ptr ds:[eax+0xA],0x0 00548713 . 74 18 je short Computer.0054872D 00548715 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] 00548718 . 8378 10 00 cmp dword ptr ds:[eax+0x10],0x0 0054871C . 74 0F je short Computer.0054872D 0054871E . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] 00548721 . 8B50 10 mov edx,dword ptr ds:[eax+0x10] 00548724 . 8B5D FC mov ebx,dword ptr ss:[ebp-0x4] 00548727 . 8B43 0C mov eax,dword ptr ds:[ebx+0xC] 0054872A . FF53 08 call dword ptr ds:[ebx+0x8] 0054872D > 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] 00548730 . 8B10 mov edx,dword ptr ds:[eax] 00548732 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] 00548735 . E8 A6140000 call <Computer.DriverUpdate.sub_00549BE0> 0054873A . 84C0 test al,al 0054873C . 0F84 360B0000 je Computer.00549278 00548742 . 8D45 E0 lea eax,dword ptr ss:[ebp-0x20] 00548745 . 50 push eax 00548746 . A1 10A85B00 mov eax,dword ptr ds:[0x5BA810] 0054874B . 8B00 mov eax,dword ptr ds:[eax] 0054874D . 8B40 10 mov eax,dword ptr ds:[eax+0x10] 00548750 . 8945 B0 mov dword ptr ss:[ebp-0x50],eax 00548753 . C645 B4 00 mov byte ptr ss:[ebp-0x4C],0x0 00548757 . A1 10A85B00 mov eax,dword ptr ds:[0x5BA810] 0054875C . 8B00 mov eax,dword ptr ds:[eax] 0054875E . 8B40 14 mov eax,dword ptr ds:[eax+0x14] 00548761 . 8945 B8 mov dword ptr ss:[ebp-0x48],eax 00548764 . C645 BC 00 mov byte ptr ss:[ebp-0x44],0x0 00548768 . 8D55 B0 lea edx,dword ptr ss:[ebp-0x50] 0054876B . B9 01000000 mov ecx,0x1 00548770 . B8 9C945400 mov eax,Computer.0054949C ; %d.%d 00548775 . E8 3E53ECFF call <Computer.SysUtils.Format> 0054877A . A1 10A85B00 mov eax,dword ptr ds:[0x5BA810] 0054877F . 8B00 mov eax,dword ptr ds:[eax] 00548781 . 8078 50 00 cmp byte ptr ds:[eax+0x50],0x0 00548785 . 74 0F je short Computer.00548796 00548787 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] 0054878A . BA AC945400 mov edx,Computer.005494AC ; [B]64[/B] 0054878F . E8 40C6EBFF call <Computer.system.@LStrLAsg> 00548794 . EB 0D jmp short Computer.005487A3 00548796 > 8D45 DC lea eax,dword ptr ss:[ebp-0x24] 00548799 . BA B8945400 mov edx,Computer.005494B8 ; [B]32[/B] 0054879E . E8 31C6EBFF call <Computer.system.@LStrLAsg> 005487A3 > 8D45 D8 lea eax,dword ptr ss:[ebp-0x28] 005487A6 . 8B15 7CA05B00 mov edx,dword ptr ds:[0x5BA07C] ; Computer.005CA6A0 005487AC . 83C2 0C add edx,0xC 005487AF . B9 20000000 mov ecx,0x20 005487B4 . E8 F3C7EBFF call <Computer.system.@LStrFromArray> 005487B9 . A0 BC945400 mov al,byte ptr ds:[0x5494BC] 005487BE . 50 push eax 005487BF . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C] 005487C2 . 50 push eax 005487C3 . 8D55 AC lea edx,dword ptr ss:[ebp-0x54] 005487C6 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] 005487C9 . 8B00 mov eax,dword ptr ds:[eax] 005487CB . E8 8036ECFF call <Computer.SysUtils.UpperCase> 005487D0 . 8B45 AC mov eax,dword ptr ss:[ebp-0x54] 005487D3 . B9 C8945400 mov ecx,Computer.005494C8 ; & 005487D8 . BA D4945400 mov edx,Computer.005494D4 ; @ 005487DD . E8 4A97ECFF call <Computer.SysUtils.StringReplace> 005487E2 . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30] 005487E5 . BA E0945400 mov edx,<Computer.aDefault_2> ; default 005487EA . E8 E5C5EBFF call <Computer.system.@LStrLAsg> 005487EF . 8D55 CC lea edx,dword ptr ss:[ebp-0x34] 005487F2 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] 005487F5 . 8B40 24 mov eax,dword ptr ds:[eax+0x24] 005487F8 . E8 773FECFF call <Computer.SysUtils.IntToStr> 005487FD . FF75 E0 push dword ptr ss:[ebp-0x20] 00548800 . FF75 DC push dword ptr ss:[ebp-0x24] 00548803 . FF75 D8 push dword ptr ss:[ebp-0x28] 00548806 . FF75 D4 push dword ptr ss:[ebp-0x2C] 00548809 . FF75 D0 push dword ptr ss:[ebp-0x30] 0054880C . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C] 0054880F . BA 05000000 mov edx,0x5 00548814 . E8 A3C8EBFF call <Computer.system.@LStrCatN> 00548819 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C] 0054881C . BA 64000000 mov edx,0x64 00548821 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] 00548824 . E8 C333F7FF call <Computer.EncryptUtil.[B]sub_004BBBEC>[/B] 00548829 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C] 0054882C . 8B45 C4 mov eax,dword ptr ss:[ebp-0x3C] 0054882F . E8 1035F7FF call <Computer.EncryptUtil.[B]sub_004BBD44>[/B] ;这两个加密函数产生KEY 00548834 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] 00548837 . 05 90000000 add eax,0x90 0054883C . 8B55 E4 mov edx,dword ptr ss:[ebp-0x1C] 0054883F . E8 4CC5EBFF call <Computer.system.@LStrAsg> 00548844 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10] 00548847 . 50 push eax 00548848 . B8 F0945400 mov eax,<Computer.aHttpApi_driver> ; [B]http://api.driver.360safe.com/appserv/qd_queryc.2.0.php[/B] 0054884D . 8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax 00548853 . C685 70FFFFFF 0>mov byte ptr ss:[ebp-0x90],0xB 0054885A . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] 0054885D . 8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax 00548863 . C685 78FFFFFF 0>mov byte ptr ss:[ebp-0x88],0xB 0054886A . 8B45 DC mov eax,dword ptr ss:[ebp-0x24] 0054886D . 8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax 00548873 . C645 80 0B mov byte ptr ss:[ebp-0x80],0xB 00548877 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] 0054887A . 8945 84 mov dword ptr ss:[ebp-0x7C],eax 0054887D . C645 88 0B mov byte ptr ss:[ebp-0x78],0xB 00548881 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-0x98] 00548887 . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] 0054888A . E8 BD9FFFFF call <Computer.?Unit155.sub_0054284C> 0054888F . 8B85 68FFFFFF mov eax,dword ptr ss:[ebp-0x98] 00548895 . 8945 8C mov dword ptr ss:[ebp-0x74],eax 00548898 . C645 90 0B mov byte ptr ss:[ebp-0x70],0xB 0054889C . 8B45 D0 mov eax,dword ptr ss:[ebp-0x30] 0054889F . 8945 94 mov dword ptr ss:[ebp-0x6C],eax 005488A2 . C645 98 0B mov byte ptr ss:[ebp-0x68],0xB 005488A6 . 8B45 CC mov eax,dword ptr ss:[ebp-0x34] 005488A9 . 8945 9C mov dword ptr ss:[ebp-0x64],eax 005488AC . C645 A0 0B mov byte ptr ss:[ebp-0x60],0xB 005488B0 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] 005488B3 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax 005488B6 . C645 A8 0B mov byte ptr ss:[ebp-0x58],0xB 005488BA . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94] 005488C0 . B9 07000000 mov ecx,0x7 005488C5 . B8 30955400 mov eax,<Computer.aS?osSPfSCnSHid> ; [B] %s?os=%s&pf=%s&cn=%s&hid=%s&nw=%s&err=%s&c=%s[/B] 005488CA . E8 E951ECFF call <Computer.SysUtils.Format> 005488CF . 6A 01 push 0x1 005488D1 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] 005488D4 . 8B00 mov eax,dword ptr ds:[eax] 005488D6 . 8945 B0 mov dword ptr ss:[ebp-0x50],eax 005488D9 . C645 B4 0B mov byte ptr ss:[ebp-0x4C],0xB 005488DD . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] 005488E0 . 8945 B8 mov dword ptr ss:[ebp-0x48],eax 005488E3 . C645 BC 0B mov byte ptr ss:[ebp-0x44],0xB 005488E7 . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50] 005488EA . A1 ECA95B00 mov eax,dword ptr ds:[0x5BA9EC] 005488EF . 8B00 mov eax,dword ptr ds:[eax] 005488F1 . BA 68955400 mov edx,Computer.00549568 ; [B]设备%s, URL:%s[/B] 005488F6 . E8 D1E6FFFF call <Computer.?Unit160.sub_00546FCC> 005488FB . B2 01 mov dl,0x1 005488FD . A1 64255400 mov eax,dword ptr ds:[0x542564] 00548902 . E8 919DFFFF call <Computer.?Unit155.TWinHTTPLib.Crea> 00548907 . 8945 EC mov dword ptr ss:[ebp-0x14],eax 0054890A . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] 0054890D . C740 4C 409C000>mov dword ptr ds:[eax+0x4C],0x9C40 00548914 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] 00548917 . C740 48 3075000>mov dword ptr ds:[eax+0x48],0x7530 0054891E . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] 00548921 . C740 50 3075000>mov dword ptr ds:[eax+0x50],0x7530 00548928 . 33C9 xor ecx,ecx 0054892A . 8B55 F0 mov edx,dword ptr ss:[ebp-0x10] 0054892D . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] 00548930 . E8 5FA1FFFF call <Computer.[B]QueryDownLoad[/B]> 00548935 . 84C0 test al,al 00548937 . 0F84 2C090000 je Computer.00549269 0054893D . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18] 00548940 . E8 1BE3EBFF call <Computer.system.@IntfClear> 00548945 . 33C0 xor eax,eax 00548947 . 55 push ebp 00548948 . 68 E0895400 push Computer.005489E0 0054894D . 64:FF30 push dword ptr fs:[eax] 00548950 . 64:8920 mov dword ptr fs:[eax],esp 00548953 . 8D45 C8 lea eax,dword ptr ss:[ebp-0x38] 00548956 . 8B55 EC mov edx,dword ptr ss:[ebp-0x14] 00548959 . 8B52 14 mov edx,dword ptr ds:[edx+0x14] 0054895C . 8B52 04 mov edx,dword ptr ds:[edx+0x4] 0054895F . E8 D0C5EBFF call <Computer.system.@LStrFromPChar> 00548964 . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C] 0054896A . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] 0054896D . E8 429AFFFF call <Computer.?Unit153.sub_005423B4> 00548972 . 8B95 64FFFFFF mov edx,dword ptr ss:[ebp-0x9C] 00548978 . 8D45 C8 lea eax,dword ptr ss:[ebp-0x38] 0054897B . E8 54C4EBFF call <Computer.system.@LStrLAsg> 00548980 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] 00548986 . BA 64000000 mov edx,0x64 0054898B . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] 0054898E . E8 5932F7FF call <Computer.EncryptUtil.sub_004BBBEC> 00548993 . 8B85 5CFFFFFF mov eax,dword ptr ss:[ebp-0xA4] 00548999 . 8D95 60FFFFFF lea edx,dword ptr ss:[ebp-0xA0] 0054899F . E8 FC4BECFF call <Computer.SysUtils.StrPas> 005489A4 . 8B95 60FFFFFF mov edx,dword ptr ss:[ebp-0xA0] 005489AA . 8D45 C8 lea eax,dword ptr ss:[ebp-0x38] 005489AD . E8 22C4EBFF call <Computer.system.@LStrLAsg> 005489B2 . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] 005489B5 . E8 52960500 call <Computer.?Unit233.sub_005A200C> 005489BA . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8] 005489C0 . 8B55 C8 mov edx,dword ptr ss:[ebp-0x38] 005489C3 . E8 14CCEBFF call <Computer.system.@WStrFromLStr> 005489C8 . 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-0xA8] 005489CE . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18] 005489D1 . E8 3216FFFF call <Computer.superobject.sub_0053A008> 005489D6 . 33C0 xor eax,eax 005489D8 . 5A pop edx 005489D9 . 59 pop ecx 005489DA . 59 pop ecx 005489DB . 64:8910 mov dword ptr fs:[eax],edx
0470FCFC 005494E0 ASCII "default" 0470FD00 015860D8 ASCII "USB\VID_18D1&PID_9025&REV_0231&MI_01" ;[B]HardwareId[/B] 0470FD04 01BE3EA8 ASCII "GIGABYTE" ;[B]motherboard?[/B] 0470FD08 005494B8 ASCII "32" ;[B]-bit[/B] 0470FD0C 0157A1F8 0157A1F8 00312E35 5.1. [B]OS: 5.1[/B].2600.0
传入字符结构
0470FED0 015675C8 萿V ASCII "5.132GIGABYTEUSB\VID_18D1&PID_9025&REV_0231&MI_01default"
跟踪下面两个算法,粗略写
sub_004BBBEC>
sub_004BBD44>
函数1结果
01567898 CB213A43 C:! 0156789C B75D83D4 詢] 015678A0 90C35C0B \脨 015678A4 16B5FD45 E 015678A8 80E93AFE ?閫 015678AC 5AE2C5DF 吲鈀 015678B0 BDB6D6A3 V督 015678B4 2277912C ,憌" 015678B8 F6C0A77E ~Ю 015678BC 4CA3C245 E拢L 015678C0 54D96FA8 ╫賂 015678C4 865DC9BF 可] 015678C8 42F18E8F 弾馚 015678CC 2C905151 QQ?
函数2结果
0470FED0 015675C8 萿V ASCII "[B]151901a8[/B]"
void TestEntryptedKey(char* pUlrStr,int& ckey)
{
int TempKey[256]={0};
for (int i=0;i<0x100;i++)
{
int TempC=0;
int TempI=i*0x1000000;
for (int j=0;j<8;j++)
{
int TempEDI=TempC^TempI;
if (TempEDI>=0)
{
TempC=TempC*2;
}
else
{
TempC=TempC*2;
TempC=TempC^0x4C10DB7;
}
TempI=TempI*2;
}
TempKey[i]=TempC;
}
int UlrstrLen=strlen(pUlrStr);
unsigned int arg1=0x64;
for(int i=0;i<0x40;i++)
{
arg1=arg1*2;
unsigned int Temp1=(arg1/8)&1;
unsigned int Temp2=(arg1/0x8000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x800000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x80)&1;
Temp1=Temp1^Temp2;
if((Temp1-1)==0)
arg1=arg1|1;
}
int TempSet=0;
int TempNum=8;
for(int i=0;i<UlrstrLen;i++)
{
TempSet=0;
unsigned char* charTempSet=(unsigned char*)&TempSet;
for(int j=0;j<TempNum;j++)
{
unsigned int Temp1=arg1;
Temp1=Temp1/0x80000000;
Temp1=Temp1&1;
if((Temp1-1)==0)
{
*charTempSet=*charTempSet|1;
}
TempSet=TempSet*2;
arg1=arg1*2;
Temp1=(arg1/8)&1;
unsigned int Temp2=(arg1/0x8000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x800000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x80)&1;
Temp1=Temp1^Temp2;
if((Temp1-1)==0)
{
arg1=arg1|1;
}
}
pUlrStr[i]= (unsigned char)pUlrStr[i]^(unsigned char)(*charTempSet);
}
unsigned int key2=0;
for (int i=0;i<UlrstrLen;i++)
{
unsigned int TempA=key2/0x1000000;
unsigned int TempESI=(unsigned int)pUlrStr[i];
TempA=TempA^TempESI;
TempA=TempA&0x800000FF;
if (TempA<0)
{
TempA--;
TempA=TempA|-0x100;
TempA++;
}
key2=key2*0x100;
key2=key2^(unsigned int)TempKey[TempA];
}
ckey=key2;
}USB\VID_18D1&PID_9025&REV_0231&MI_01
硬件ID重新编码
"USB%5CVID%5F18D1%26PID%5F9025%26REV%5F0231%26MI%5F01"
Send:
"http://api.driver.360safe.com/appserv/qd_queryc.2.0.php?os=5.1&pf=32&cn=GIGABYTE&hid=USB%5CVID%5F18D1%26PID%5F9025%26REV%5F0231%26MI%5F01&nw=default&err=1&c=[B]151901a8[/B]"
Recv:
DTZinZLmLsFmPP62dsGSMc9Omp/71r5s+4aDhh6rPDB2sNKKMLrMTKpsxkLCsDKGnMa2QEJNij1yFt+gMskkF1q8xN24FF98dPRpnFyr+HT+4LIQ0UhvIrYVA/z+o6u39hyw0S7yNvtnFMoldQ8AfTsRHOdu25KelI/G1M04nDvntTxUQCaec1pXMszF81eenuCLoSWJXiPu4TYi/t3PrsI/heCOfpoWeotGXv4mus5gaSyJgLTFLwZlUKSCvh7wGiHBnirkrUjpHNK5scMMYaVa/pXkAyWyM7kec8q2z585z/zmgF+abTO+K99sbNFm4Foc8tzmK0+4ovq2eJONJJpI8G4hhxCQIDXDgbE4A63U9MV8lxlq6aWQD5wIOzExWwQQTFt4ezEg59/cirEGEID2KFpiKTPwfqoY2UM1fICAwfpCI8NPGCOm9EcHvAntcW8NHDcNbpN+aMEec9xEDi8ALANoMCI2JcUxL30IhT6rLiSY66/CDHGd1o4omqzyxVy6ekQ720XyoA8NjZbRt9uUehjOonoG5+4vjPR1Ok/2Rq0yfFufjH9cCQX5xN+vX2YtAs1aQ2F3s2EEDzsrN6oxVfbwnGsbPC3YIM7sWBly3qIgxI87S29p0b6tp5e6cAYjo62raOFFF/XEzVXyqBaZGZybLgbAnPwNVkb4vMyseaCJmI8RmPmY6vSwKFtBBTxVFhTMYjojEiNiGCat+u1UGy627MIv49N3JLUYxNuyr7jSVnLvwGMKK0KgvAP8o5QggiogPDJ1sxrfPOH38fHH1mLMcCTuo5r/YEgQVjSvBvxe/nNiJUi6OjzXVYXKasHFA+IUhyx89lmwsyhQor/oJnewK3cK78q0BdRq0oq2KBYqM9cRysO83pAsacS+Oo0nrVdWbj447mh4BNYp0k6YhmdpeE8U+ua0117WT/h/KgpuHk1y0GJiHhHieQsv3u/sXiz7RPU5h6TjdNzax6e3Zjrg+GiiKDgftYzyake4n1qYbuCuKOTgU9RilDxkpxK6VrRTS1JAxHjP8r+hgoh3kPxRZFU/uDh1loGLQ6Qn5iJWr+Y6+mHJmTD0lHU+uNTpcT6NP/l6SZ0k/od8fvKqduF/fy96JEr8sHTkPv1sC7LpKOh28WMwaXAodiYmNDJ7bHFjcyIe8N0UbvqBVXIzIWT23Ujxf42n2KlHY8REGEd2WIc+fmDgxymQtAus711B
跟踪过程:
005429E0 |. 50 push eax
005429E1 |. 6A 00 push 0x0
005429E3 |. 6A 00 push 0x0
005429E5 |. 8B45 FC mov eax,[local.1]
005429E8 |. 50 push eax
005429E9 |. E8 AEFAFFFF call <Computer.[B]WinHttpCrackUrl[/B]> ; jmp 到 WINHTTP.WinHttpCrackUrl
005436B9 . 50 push eax
005436BA . E8 F5EDFFFF call <Computer.[B]WinHttpOpen[/B]> ; jmp 到 WINHTTP.WinHttpOpen
0461FC04 001B7B3C UNICODE "[B]Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)[/B]"
0054370D . 50 push eax
0054370E . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00543711 . 8B40 6C mov eax,dword ptr ds:[eax+0x6C]
00543714 . 50 push eax
00543715 . E8 A2EDFFFF call <Computer.[B]WinHttpConnect[/B]> ; jmp 到 WINHTTP.WinHttpConnect
0461FC08 02A34000
0461FC0C 001AA514 UNICODE "api.driver.360safe.com"
0461FC10 01510050
0461FC14 00000000
0054373C . 56 push esi
0054373D . 6A 00 push 0x0
0054373F . 6A 00 push 0x0
00543741 . 6A 00 push 0x0
00543743 . 8B45 B4 mov eax,dword ptr ss:[ebp-0x4C]
00543746 . E8 A11EECFF call <Computer.system.@WStrToPWChar>
0054374B . 50 push eax
0054374C . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
0054374F . E8 981EECFF call <Computer.system.@WStrToPWChar>
00543754 . 50 push eax
00543755 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00543758 . 8B40 70 mov eax,dword ptr ds:[eax+0x70]
0054375B . 50 push eax
0054375C . E8 63EDFFFF call <Computer.[B]WinHttpOpenRequest[/B]> ; jmp 到 WINHTTP.WinHttpOpenRequest
0461FBFC 02A34100
0461FC00 001C88A4 UNICODE "GET"
0461FC04 001C3644 UNICODE "/appserv/qd_queryc.2.0.php?os=5.1&pf=32&cn=GIGABYTE&hid=USB%5CVID%5F18D1%26PID%5F9025%26REV%5F0231%2"
0461FC08 00000000
0461FC0C 00000000
0461FC10 00000000
0461FC14 00000000
0151771C 001AC1CC UNICODE "gzip, deflate"
01517720 00000000
01517724 001C43A4 UNICODE "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
01517728 001AAE54 UNICODE "*/*"
0151772C 00000000
01517730 00000000
01517734 00000000
01517738 00000000
0151773C 00000000
01517740 00000000
01517744 00000000
01517748 00007530
0151774C 00009C40
01517750 00007530
01517754 00000001
01517758 001AC224 UNICODE "Keep-Alive"
005433AF |. 6A 04 push 0x4
005433B1 |. 8D45 08 lea eax,[arg.1]
005433B4 |. 50 push eax
005433B5 |. 51 push ecx
005433B6 |. 52 push edx
005433B7 |. E8 D0F0FFFF call <Computer.[B]WinHttpSetOption[/B]> ; jmp 到 WINHTTP.WinHttpSetOption
0461FBFC 00EF2000
0461FC00 00000003 ;WINHTTP_OPTION_CONNECT_TIMEOUT
0461FC04 0461FC14
0461FC08 00000004
005433AF |. 6A 04 push 0x4
005433B1 |. 8D45 08 lea eax,[arg.1]
005433B4 |. 50 push eax
005433B5 |. 51 push ecx
005433B6 |. 52 push edx
005433B7 |. E8 D0F0FFFF call <Computer.WinHttpSetOption> ; jmp 到 WINHTTP.WinHttpSetOption
0461FBFC 00EF2000
0461FC00 00000005 ;WINHTTP_OPTION_SEND_TIMEOUT
0461FC04 0461FC14 ASCII "0u"
0461FC08 00000004
同上
0461FBFC 00EF2000
0461FC00 00000006 ;WINHTTP_OPTION_RECEIVE_TIMEOUT
0461FC04 0461FC14 ASCII "0u"
0461FC08 00000004
005432F6 |. 50 push eax
005432F7 |. 53 push ebx
005432F8 |. E8 97F1FFFF call <Computer.[B]WinHttpAddRequestHeaders[/B]> ; jmp 到 WINHTTP.WinHttpAddRequestHeaders
0461FBCC 00EF2000
0461FBD0 001C2E3C UNICODE "Accept:*/*"
0461FBCC 00EF2000
0461FBD0 0016AAAC UNICODE "Accept-Encoding:gzip, deflate"
0461FBCC 00EF2000
0461FBD0 0016AAAC UNICODE "Connection:Keep-Alive"
0461FBCC 00EF2000
0461FBD0 0016AAAC UNICODE "Accept-Language:zh-cn"
struct
{
wchar_t* AcceptData;
wchar_t* Encoding;
wchar_t* ContentType;
wchar_t* Language;
}Headers = {L"Accept:*/*\n",
L"Accept-Encoding:gzip,deflate\n",
L"Connection:Keep-Alive\n",
L"Accept-Language:zh-cn\n",};
// Add request header.
if (!AddRequestHeaders(hRequest, Headers.AcceptData)) {
printf("Error:AddRequestHeaders AcceptData failed!\n");
return -1;
}
// Add request header 。。。
005438CA . 6A 00 push 0x0
005438CC . 6A 00 push 0x0
005438CE . 6A 00 push 0x0
005438D0 . 6A 00 push 0x0
005438D2 . 6A 00 push 0x0
005438D4 . 6A 00 push 0x0
005438D6 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
005438D9 . 8B40 74 mov eax,dword ptr ds:[eax+0x74]
005438DC . 50 push eax ; xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
005438DD . E8 EAEBFFFF call <Computer.WinHttpSendRequest> ; jmp 到 WINHTTP.WinHttpSendRequest
0461FBFC 00EF2000
0461FC00 00000000
0461FC04 00000000
0461FC08 00000000
0461FC0C 00000000
0461FC10 00000000
0461FC14 00000000
00543968 . 6A 00 push 0x0
0054396A . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0054396D . 8B40 74 mov eax,dword ptr ds:[eax+0x74]
00543970 . 50 push eax
00543971 . E8 5EEBFFFF call <Computer.WinHttpReceiveResponse> ; jmp 到 WINHTTP.WinHttpReceiveResponse
[B]Query header info.[/B]
00542B73 |. 6A 00 push 0x0
00542B75 |. 8D45 F8 lea eax,[local.2]
00542B78 |. 50 push eax
00542B79 |. 8B45 F4 mov eax,[local.3]
00542B7C |. 50 push eax
00542B7D |. 6A 00 push 0x0
00542B7F |. 56 push esi
00542B80 |. 53 push ebx
00542B81 |. E8 56F9FFFF call <Computer.WinHttpQueryHeaders> ; jmp 到 WINHTTP.WinHttpQueryHeaders
0461FBB8 00EF2000
0461FBBC 000000[COLOR="red"]13[/COLOR] ;WINHTTP_QUERY_STATUS_CODE
0461FBC0 00000000
0461FBC4 00000000
0471FBC8 0471FC04 --8 size
0471FBCC 00000000
0471FBB8 02A42000
0471FBBC 00000013
0471FBC0 00000000
0471FBC4 [COLOR="blue"]0157A230 buf[/COLOR]
0471FBC8 0471FC04 --8 size
0471FBCC 00000000
[COLOR="blue"]buf[/COLOR]
[COLOR="blue"]0157A230[/COLOR] 00300032 2.0.
0157A234 00000030 0...
0471FBB8 02A42000
0471FBBC 0000000[COLOR="Red"]1[/COLOR] ;WINHTTP_QUERY_CONTENT_TYPE
0471FBC0 00000000
0471FBC4 00000000
0471FBC8 [COLOR="blue"]0471FC04[/COLOR]
0471FBCC 00000000
[COLOR="blue"]0471FC04[/COLOR] 00000014 ...
0471FC08 00000000 ....
0471FBB8 02A42000
0471FBBC 00000001
0471FBC0 00000000
0471FBC4 [COLOR="Blue"]01BFE980 [/COLOR]
0471FBC8 0471FC04
0471FBCC 00000000
[COLOR="Blue"]01BFE980[/COLOR] text/html.
0471FBB8 02A42000
0471FBBC 000000[COLOR="Red"]1D[/COLOR] ;WINHTTP_QUERY_CONTENT_ENCODING
0471FBC0 00000000
0471FBC4 00000000
0471FBC8 0471FC04
0471FBCC 00000000
0471FBB8 02A42000
0471FBBC 000000[COLOR="red"]16[/COLOR] ;WINHTTP_QUERY_RAW_HEADERS_CRLF
0471FBC0 00000000
0471FBC4 00000000
0471FBC8 [COLOR="Blue"]0471FC04[/COLOR]
0471FBCC 00000000
[COLOR="blue"]0471FC04[/COLOR] 000001D2 ?..
0471FBB8 02A42000
0471FBBC 00000016
0471FBC0 00000000
0471FBC4 0147DC80
0471FBC8 0471FC04
0471FBCC 00000000
0471FBB8 02A42000
0471FBBC 80000016 WINHTTP_QUERY_FLAG_REQUEST_HEADERS|WINHTTP_QUERY_RAW_HEADERS_CRLF
0471FBC0 00000000
0471FBC4 00000000
0471FBC8 0471FC04
0471FBCC 00000000
0471FBB8 02A42000
0471FBBC 80000016
0471FBC0 00000000
0471FBC4 [COLOR="blue"]01C38890[/COLOR]
0471FBC8 0471FC04
0471FBCC 00000000
0471FC00 [COLOR="Blue"]01C38890[/COLOR] UNICODE "GET /appserv/qd_queryc.2.0.php?os=5.1&pf=32&cn=GIGABYTE&hid=USB%5CVID%5F18D1%26PID%5F9025%26REV%5F02"
0471FB84 02A42000
0471FB88 0000000[COLOR="Red"]5[/COLOR] ;WINHTTP_QUERY_CONTENT_LENGTH
0471FB8C 00000000
0471FB90 00000000
0471FB94 0471FBD0
0471FB98 00000000
0471FB84 02A42000
0471FB88 0000000[COLOR="Red"]5[/COLOR]
0471FB8C 00000000
0471FB90 [COLOR="blue"]0157A260[/COLOR]
0471FB94 0471FBD0
0471FB98 00000000
0471FBCC [COLOR="blue"]0157A260[/COLOR] UNICODE "1221"
0471FBB8 02A42000
0471FBBC 000000[COLOR="red"]2B[/COLOR] ;WINHTTP_QUERY_SET_COOKIE
0471FBC0 00000000
0471FBC4 00000000
0471FBC8 0471FC04
0471FBCC 00000000
0471FBE0 02A42000
0471FBE4 0000002B
0471FBE8 00000000
0471FBEC 00000000
0471FBF0 [COLOR="Blue"]0471FBF8[/COLOR]
0471FBF4 0471FBFC
0461FBB8 00EF2000
0461FBBC 0000001D
0461FBC0 00000000
0461FBC4 00000000
0461FBC8 0461FC04
0461FBCC 00000000
0461FBB8 00EF2000
0461FBBC 00000016
0461FBC0 00000000
0461FBC4 00000000
0461FBC8 0461FC04
0461FBCC 00000000
0461FC04 000001EC ?..
返回一个大小
AllocMem
0461FBB8 00EF2000
0461FBBC 00000016
0461FBC0 00000000
0461FBC4 0407ADB0
0461FBC8 0461FC04
0461FBCC 00000000
0461FBB8 00EF2000
0461FBBC 00000016
0461FBC0 00000000
0461FBC4 0407ADB0 UNICODE "HTTP/1.1 200 OK
Date: Sat, 15 Dec 2012 10:18:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Cache"
0461FBC8 0461FC04
0461FBCC 00000000
0461FBB8 00EF2000
0461FBBC 80000016
0461FBC0 00000000
0461FBC4 01C38890
0461FBC8 0461FC04
0461FBCC 00000000
0461FBB4 00542BB4 返回到 Computer.?Unit155.sub_00542B3C+78 来自 <Computer.WinHttpQueryHeaders>
0461FBB8 00EF2000
0461FBBC 80000016
0461FBC0 00000000
0461FBC4 01C38890 UNICODE "GET /appserv/qd_queryc.2.0.php?os=5.1&pf=32&cn=GIGABYTE&hid=USB%5CVID%5F18D1%26PID%5F9025%26REV%5F02"
0461FBC8 0461FC04
0461FBCC 00000000
0461FB84 00EF2000
0461FB88 00000005
0461FB8C 00000000
0461FB90 00000000
0461FB94 0461FBD0
0461FB98 00000000
0461FB80 00542BB4 返回到 Computer.?Unit155.sub_00542B3C+78 来自 <Computer.WinHttpQueryHeaders>
0461FB84 00EF2000
0461FB88 00000005
0461FB8C 00000000
0461FB90 0157A250 UNICODE "1221"
0461FB94 0461FBD0
0461FB98 00000000
0461FBB8 00EF2000
0461FBBC 0000002B
0461FBC0 00000000
0461FBC4 00000000
0461FBC8 0461FC04
0461FBCC 00000000
0461FBE0 00EF2000
0461FBE4 0000002B
0461FBE8 00000000
0461FBEC 00000000
0461FBF0 0461FBF8
0461FBF4 0461FBFC
Date: Sat, 16 Feb 2013 17:19:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Cache-Control: max-age=3600
Expires: Sat, 16 Feb 2013 18:19:15 GMT
Content-Length: 1221
Connection: close
Content-Type: text/html
]
headers Info:[Get /appserv/qd_queryc.2.0.php?os=5.1&pf=32&cn=GIGABYTE&hid=USB%5C
VID%5F18D1%26PID%5F9025%26REV%5F0231%26MI%5F01&nw=default&err=1&c=151901a8 HTTP/
1.1
Accept: */*
Accept-Encoding: gzip,deflate
Connection: Keep-Alive
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.5072
7)
Host: api.driver.360safe.com
Content-Length: 0
]
context Length:[1221]-----------------------------------------------------------------------------------------------------
00543B69 . 50 push eax 00543B6A . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] 00543B6D . 8B40 74 mov eax,dword ptr ds:[eax+0x74] 00543B70 . 50 push eax 00543B71 . E8 6EE9FFFF call <Computer.[B]WinHttpQueryDataAvailable[/B]> ; jmp 到 WINHTTP.WinHttpQueryDataAvailable 0461FC10 00EF2000 0461FC14 0461FCB0 0471FCB0 00000318 .. [COLOR="blue"]size[/COLOR] 00543BE8 . 50 push eax 00543BE9 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] 00543BEC . 50 push eax 00543BED . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] 00543BF0 . 50 push eax 00543BF1 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] 00543BF4 . 8B40 74 mov eax,dword ptr ds:[eax+0x74] 00543BF7 . 50 push eax 00543BF8 . E8 EFE8FFFF call <Computer.[B]WinHttpReadData[/B]> ; jmp 到 WINHTTP.WinHttpReadData 0471FC08 02A42000 0471FC0C 014F8650 0471FC10 00000318 0471FC14 0471FC98 OfpoWeotGXv4mus5ga".) 堆栈 ss:[0471FCA8]=014F8650, (ASCII "DTZinZLmLsFmPP62dsGSMc9Omp/71r5s+4aDhh6rPDB2sNKKMLrMTKpsxkLCsDKGnMa2QEJNij1yFt+gMskkF1q8xN24FF98dPRpnFyr+HT+4LIQ0UhvIrYVA/z+o6u39hyw0S7yNvtnFMoldQ8AfTsRHOdu25KelI/G1M04nDvntTxUQCaec1pXMszF81eenuCLoSWJXiPu4TYi/t3PrsI/heCOfpoWeotGXv4mus5ga".) edx=00000000
解密函数
00542361 |. E8 4AFEFFFF ||call <Computer.?Unit153.sub_005421B0> 00542366 |. 8945 9C ||mov [local.25],eax 00542369 |. 33C0 ||xor eax,eax 0054236B |. 837D A4 00 ||cmp [local.23],0x0 0054236F |. 7E 11 ||jle short Computer.00542382
跟进解密函数,简单测试
int EntryptedData[]=
{
0x0000003D,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,
0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,
0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,
0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,
0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,
0x00000040,0x00000040,0x00000040,0x0000003E,0x00000040,0x00000040,0x00000040,0x0000003F,
0x00000034,0x00000035,0x00000036,0x00000037,0x00000038,0x00000039,0x0000003A,0x0000003B,
0x0000003C,0x0000003D,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,
0x00000040,0x00000000,0x00000001,0x00000002,0x00000003,0x00000004,0x00000005,0x00000006,
0x00000007,0x00000008,0x00000009,0x0000000A,0x0000000B,0x0000000C,0x0000000D,0x0000000E,
0x0000000F,0x00000010,0x00000011,0x00000012,0x00000013,0x00000014,0x00000015,0x00000016,
0x00000017,0x00000018,0x00000019,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040,
0x00000040,0x0000001A,0x0000001B,0x0000001C,0x0000001D,0x0000001E,0x0000001F,0x00000020,
0x00000021,0x00000022,0x00000023,0x00000024,0x00000025,0x00000026,0x00000027,0x00000028,
0x00000029,0x0000002A,0x0000002B,0x0000002C,0x0000002D,0x0000002E,0x0000002F,0x00000030,
0x00000031,0x00000032,0x00000033,0x00000040,0x00000040,0x00000040,0x00000040,0x00000040
};
int EntrypedFunAdd(char* key,char* tempOut,int strLen)
{
char *pkey=key;
for (unsigned int i=0;i<strLen;i++)
{
int TempEsi=0;
// unsigned char* pkey=&key;
unsigned int tempEdx=(int)*(tempOut+i*4);
tempEdx=EntryptedData[tempEdx]*4;
unsigned int tempEdi=(int)*(tempOut+1+i*4);
unsigned int tempEcx=EntryptedData[tempEdi];
tempEcx=tempEcx/0x10;
unsigned char *tempCl=(unsigned char*)&tempEcx;
unsigned char *tempDl=(unsigned char*)&tempEdx;
*tempDl=*tempDl|*tempCl;
*(pkey+i*4)=*tempDl;
TempEsi++;
*tempDl=*(tempOut+2+i*4);
if (*tempDl!=0x3d)
{
TempEsi++;
*tempCl=EntryptedData[tempEdi];
tempEcx=tempEcx*0x10;
}
unsigned int tempEbx=0;
unsigned char* tempBl=(unsigned char*)&tempEbx;
*tempBl=*tempDl;
tempEbx=EntryptedData[tempEbx];
tempEbx=tempEbx/4;
*tempCl=*tempCl|*tempBl;
*(pkey+1+i*4)=*tempCl;
*tempCl=*(tempOut+3+i*4);
if (*tempCl!=0x3d)
{
TempEsi++;
tempEdx=tempEdx&0xff;
*tempDl=EntryptedData[tempEdx];
tempEdx=tempEdx*0x40;
unsigned int tempEax=0;
unsigned char* tempAl=(unsigned char*)&tempEax;
*tempAl=*tempCl;
*tempDl=*tempDl|EntryptedData[tempEax];
*(pkey+2+i*4)=*tempDl;
}
pkey--;
}
return 0;
}------------------------------------
测试
LPSTR pszOutBuffer;
char OutBuffer[0x1024]={0};
int OutNum=0;
DWORD getWriteSize=0;
while(1)
{
dwSize = 0;
if (!WinHttpQueryDataAvailable( hRequest, &dwSize))
{
printf( "Error %u in WinHttpQueryDataAvailable.\n",
GetLastError());
}
if (!dwSize)
break;
pszOutBuffer = new char[dwSize+1];
if (!pszOutBuffer)
{
printf("Out of memory \r\n");
}
ZeroMemory(pszOutBuffer, dwSize+1);
if (ReadData(hRequest, pszOutBuffer, dwSize, &getWriteSize) == FALSE) {
printf("Error:RedaData failed!\n");
}
if (getWriteSize <= 0) {
printf("Error:WriteData failed!\n");
}
memcpy(OutBuffer+OutNum,pszOutBuffer,getWriteSize);
OutNum=OutNum+getWriteSize;
delete(pszOutBuffer);
pszOutBuffer=NULL;
}
char* Testkey=NULL;
Testkey = new char[OutNum+1];
ZeroMemory(Testkey, OutNum+1);
EntrypedFunAdd(Testkey,OutBuffer,OutNum/4);获得结果
0471FC2F 9D62360D .6b 0471FC33 C12EE692 掓. 0471FC37 B6FE3C66 f< 0471FC3B 3192C176 v翏1 0471FC3F 9F9A4ECF 螻殶 0471FC43 6CBED6FB 緇 0471FC47 868386FB 麊儐 0471FC4B 303CAB1E ?0 0471FC4F 8AD2B076 v耙 0471FC53 4CCCBA30 0禾L 0471FC57 42C66CAA 猯艬 0471FC5B 8632B0C2 掳2 0471FC5F 40B6C69C 溒禓 0471FC63 3D8A4D42 BM? 0471FC67 00000072 r...
。。。
继续解密
int UlrstrLen=OutNum/4*3;
unsigned int arg1=0x64;
for(int i=0;i<0x40;i++)
{
arg1=arg1*2;
unsigned int Temp1=(arg1/8)&1;
unsigned int Temp2=(arg1/0x8000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x800000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x80)&1;
Temp1=Temp1^Temp2;
if((Temp1-1)==0)
arg1=arg1|1;
}
int TempSet=0;
int TempNum=8;
for(int i=0;i<UlrstrLen;i++)
{
TempSet=0;
unsigned char* charTempSet=(unsigned char*)&TempSet;
for(int j=0;j<TempNum;j++)
{
unsigned int Temp1=arg1;
Temp1=Temp1/0x80000000;
Temp1=Temp1&1;
if((Temp1-1)==0)
{
*charTempSet=*charTempSet|1;
}
TempSet=TempSet*2;
arg1=arg1*2;
Temp1=(arg1/8)&1;
unsigned int Temp2=(arg1/0x8000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x800000)&1;
Temp1=Temp1^Temp2;
Temp2=(arg1/0x80)&1;
Temp1=Temp1^Temp2;
if((Temp1-1)==0)
{
arg1=arg1|1;
}
}
Testkey[i]= (unsigned char)Testkey[i]^(unsigned char)(*charTempSet);
}
最后结果
{"ret":1,"drvitem":[{"driverver":"4.0.0000.00000","driverpubdate":"12\/06\/2010","driverdispname":"Android Composite ADB Interface","driverdesc":"Google Android Mod 4.0 All","driverdownURL":"pdown:\/\/p2=17D1CF2C097871634FAE1E4D4C8310AC48C08B48|p3=20|p4=1800|p5=6|h1=17D1CF2C097871634FAE1E4D4C8310AC48C08B48|h3=60|h7=5|b2=8679721|b5=\u9a71\u52a8\u4e0b\u8f7d|b6=Google Android Mod 4.0 All|b7=1|b9=1|k=1|http:\/\/driver.360safe.com\/mobile\/google_mod_android_4.0.zip","packagename":"google_mod_android_4.0.zip","driversize":"8679721","driverprovider":"Google, Inc.","installtype":"0","setupcommand":"\/PATH \"%drvdir%\" \/SA \/SW \/F \/LM","innersetuppath":"","isWHQL":"1","isAMR":"0","pid":"9161","devtype":"\u624b\u673a\u8bbe\u5907","IsMd":"0","os":"5.1","pf":"32","hid":"USB\\VID_18D1&PID_9025&MI_01","infname":"android_winusb.inf","usecn":"0","installfailed":"","class":"AndroidUsbDeviceClass","infid":"17067"}]}
2.其他驱动下载软件发送类似数据结构
0B29C469 [COLOR="Magenta"][U]2A[/U][/COLOR][COLOR="Red"]09[/COLOR][COLOR="Blue"]0A[/COLOR][COLOR="Purple"]78[/COLOR] x..[COLOR="Magenta"][U]*[/U][/COLOR] [COLOR="Red"]SIZE[/COLOR] [COLOR="Green"]1[/COLOR][COLOR="Blue"]*8|2=0A[/COLOR] [COLOR="Green"]1 HardwareID[/COLOR] <80 0B29C46D [U][COLOR="Magenta"]47565346[/COLOR][/U] [U][COLOR="Magenta"]FSVG[/COLOR][/U] 0B29C471 [U][COLOR="Magenta"]32333941[/COLOR][/U] [U][COLOR="Magenta"]A932[/COLOR][/U] 0B29C475 [U][COLOR="Magenta"]3032[/COLOR][/U][COLOR="Red"]0A[/COLOR][COLOR="Blue"]12 [/COLOR] .[U][COLOR="Magenta"]20[/COLOR][/U] [COLOR="Green"]2[/COLOR][COLOR="Blue"]*8|2=12[/COLOR] [COLOR="Green"]2 DriverDate[/COLOR] 0B29C479 [U][COLOR="Magenta"]302D3130[/COLOR][/U] [U][COLOR="Magenta"]01-0[/COLOR][/U] 0B29C47D [U][COLOR="Magenta"]31302D37[/COLOR][/U] [U][COLOR="Magenta"]7-01[/COLOR][/U] 0B29C481 [U][COLOR="Magenta"]2E35[/COLOR][/U][COLOR="Red"]0A[/COLOR][COLOR="Blue"]1A [/COLOR] .[U][COLOR="Magenta"]5.[/COLOR][/U] [COLOR="Green"]3[/COLOR][COLOR="Blue"]*8|2=1A[/COLOR] [COLOR="Green"]3 DriverVersion[/COLOR] 0B29C485 [U][COLOR="Magenta"]35322E31[/COLOR][/U] [U][COLOR="Magenta"]1.25[/COLOR][/U] 0B29C489 [U][COLOR="Magenta"]302E3533[/COLOR][/U] [U][COLOR="Magenta"]35.0[/COLOR][/U] 0B29C48D [U][COLOR="Magenta"]3A63[/COLOR][/U][COLOR="Red"]18[/COLOR][COLOR="Blue"]22[/COLOR] "[U][COLOR="Magenta"]c:[/COLOR][/U] [COLOR="Green"]4[/COLOR][COLOR="Blue"]*8|2=22 [/COLOR] [COLOR="Green"] 4 InfPath[/COLOR] 0B29C491 [U][COLOR="Magenta"]6E69775C[/COLOR][/U] [U][COLOR="Magenta"]\win[/COLOR][/U] 0B29C495 [U][COLOR="Magenta"]73776F64[/COLOR][/U] [U][COLOR="Magenta"]dows[/COLOR][/U] 0B29C499 [U][COLOR="Magenta"]666E695C[/COLOR][/U] [U][COLOR="Magenta"]\inf[/COLOR][/U] 0B29C49D [U][COLOR="Magenta"]7673665C[/COLOR][/U] [U][COLOR="Magenta"]\fsv[/COLOR][/U] 0B29C4A1 [U][COLOR="Magenta"]692E6167[/COLOR][/U] [U][COLOR="Magenta"]ga.i[/COLOR][/U] 0B29C4A5 [COLOR="Red"]0D[/COLOR][COLOR="Blue"]2A[/COLOR][U][COLOR="Magenta"]666E[/COLOR][/U] [U][COLOR="Magenta"]nf[/COLOR][/U]*. [COLOR="Green"]5[/COLOR][COLOR="Blue"]*8|2=2A[/COLOR] [COLOR="Green"]5 InfSection:[/COLOR] 0B29C4A9 [U][COLOR="Magenta"]67567346[/COLOR][/U] [U][COLOR="Magenta"]FsVg[/COLOR][/U] 0B29C4AD [U][COLOR="Magenta"]6E495F61[/COLOR][/U] [U][COLOR="Magenta"]a_In[/COLOR][/U] 0B29C4B1 [U][COLOR="Magenta"]6C617473[/COLOR][/U] [U][COLOR="Magenta"]stal[/COLOR][/U] 0B29C4B5 [U][COLOR="Magenta"]3F[/COLOR][/U][COLOR="Red"]1C[/COLOR][COLOR="Blue"]42[/COLOR][U][COLOR="Magenta"]6C[/COLOR][/U] lB[U][COLOR="Magenta"]?[/COLOR][/U] [COLOR="Green"]8[/COLOR][COLOR="Blue"]*8|2=42[/COLOR] [COLOR="Green"]8 DeviceDesc[/COLOR] 0B29C4B9 [U][COLOR="Magenta"]3F3F3F3F[/COLOR][/U] [U][COLOR="Magenta"]????[/COLOR][/U] 0B29C4BD [U][COLOR="Magenta"]3F3F3F3F[/COLOR][/U] [U][COLOR="Magenta"]????[/COLOR][/U] 0B29C4C1 [U][COLOR="Magenta"]3F3F3F3F[/COLOR][/U] [U][COLOR="Magenta"]????[/COLOR][/U] 0B29C4C5 [U][COLOR="Magenta"]3F3F3F3F[/COLOR][/U] [U][COLOR="Magenta"]????[/COLOR][/U] 0B29C4C9 [U][COLOR="Magenta"]3F3F3F3F[/COLOR][/U] [U][COLOR="Magenta"]????[/COLOR][/U] 0B29C4CD [U][COLOR="Magenta"]3F3F3F3F[/COLOR][/U] [U][COLOR="Magenta"]????[/COLOR][/U] 0B29C4D1 [COLOR="Blue"]4A[/COLOR][U][COLOR="Magenta"]3F3F3F[/COLOR][/U] [U][COLOR="Magenta"]???[/COLOR][/U][COLOR="Blue"]J [/COLOR] [COLOR="Green"]9[/COLOR][COLOR="Blue"]*8|2=4A [/COLOR] [COLOR="Green"]9 System? [/COLOR] 0B29C4D5 [U][COLOR="Magenta"]737953[/COLOR][/U][COLOR="Red"]06[/COLOR] [U][COLOR="Magenta"]Sys[/COLOR][/U] 0B29C4D9 [COLOR="Blue"]52[/COLOR][U][COLOR="Magenta"]6D6574[/COLOR][/U] [U][COLOR="Magenta"]tem[/COLOR][/U]. [COLOR="Green"]A[/COLOR][COLOR="Blue"]*8|2=52[/COLOR] [COLOR="Green"] A UnKnown [/COLOR] 0B29C4DD [U][COLOR="Magenta"]0A[/COLOR][/U][U][COLOR="Red"]02[/COLOR][/U][COLOR="Blue"]62[/COLOR][COLOR="Red"]00[/COLOR] .b. [COLOR="Green"]C UnKnown [/COLOR] [COLOR="Blue"]*8|2=62[/COLOR] [COLOR="Green"]C [/COLOR] _____________________________________________ 0B29C4E1 [COLOR="Purple"]0190[/COLOR][COLOR="Blue"]0A[/COLOR][U][COLOR="Magenta"]00[/COLOR][/U] .... [COLOR="Red"]SIZE[/COLOR] [COLOR="Green"]1[/COLOR][COLOR="Blue"]*8|2=0A [/COLOR] [COLOR="Green"]1 HardwareID [/COLOR]硬件ID [COLOR="Purple"]90 /80|80=81 ^7F 01 >80[/COLOR] 0B29C4E5 562A[COLOR="Red"]0E[/COLOR][COLOR="Blue"]0A[/COLOR] .*V 0B29C4E9 74656E4D Mnet 0B29C4ED 70616441 Adap 0B29C4F1 31726574 ter1
0040D739 8B4C24 04 mov ecx,dword ptr ss:[esp+0x4] 0040D73D 81F9 80000000 cmp ecx,[COLOR="Purple"]0x80[/COLOR] 0040D743 73 08 jnb short DriverTu.0040D74D 0040D745 8B4424 08 mov eax,dword ptr ss:[esp+0x8] 0040D749 8808 mov byte ptr ds:[eax],cl 0040D74B 40 inc eax 0040D74C C3 retn 0040D74D FF7424 08 push dword ptr ss:[esp+0x8] 0040D751 51 push ecx 0040D752 E8 79460200 call DriverTu.00431DD0 0040D757 59 pop ecx 0040D758 59 pop ecx 0040D759 C3 retn
小于0x80字节,直接存放
大于处理
00431CFD 8B55 08 mov edx,dword ptr ss:[ebp+0x8] ; 90
00431D00 C1EA 07 [COLOR="Purple"]shr edx,0x7[/COLOR] ; 1
00431D03 81CA 80000000 [COLOR="Purple"]or edx,0x80[/COLOR] ; 81
00431D09 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
00431D0C 8850 01 mov byte ptr ds:[eax+0x1],dl
00431D0F 817D 08 0040000>cmp dword ptr ss:[ebp+0x8],0x4000
00431D16 72 7F jb short DriverTu.00431D97
00431D18 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
00431D1B C1E9 0E shr ecx,0xE
00431D1E 81C9 80000000 or ecx,0x80
00431D24 8B55 0C mov edx,dword ptr ss:[ebp+0xC]
00431D27 884A 02 mov byte ptr ds:[edx+0x2],cl
00431D2A 817D 08 0000200>cmp dword ptr ss:[ebp+0x8],0x200000 ; UNICODE "60-C0A9-11D0-96D8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}"
00431D31 72 4A jb short DriverTu.00431D7D
00431D33 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00431D36 C1E8 15 shr eax,0x15
00431D39 0D 80000000 or eax,0x80
00431D3E 8B4D 0C mov ecx,dword ptr ss:[ebp+0xC]
00431D41 8841 03 mov byte ptr ds:[ecx+0x3],al
00431D44 817D 08 0000001>cmp dword ptr ss:[ebp+0x8],offset Resour>
00431D9E 83E2 7F [COLOR="Purple"]and edx,0x7F[/COLOR]
00431DA1 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
00431DA4 8850 01 mov byte ptr ds:[eax+0x1],dl标志+SIZE+内容
------end----
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
