1. 去除驱动反调试
.text:0001071A ; int __stdcall fn_DeviceControl(int, PIRP Irp)
...
.text:00010731 mov eax, [eax+0Ch]
.text:00010734 sub eax, 222004h
.text:00010739 mov ecx, [esi+0Ch]
.text:0001073C jz short loc_1076A
...
.text:0001076A mov dword_114D8, 1
.text:00010774 call ds:IoGetCurrentProcess
.text:0001077A mov g_process, eax
.text:0001077F call sub_10486 // nop掉并更新pe的checksum即可
...
2. 驱动处理逻辑
memset32(DriverObject->MajorFunction, (int)fn_common, 0x1Bu);
DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)fn_null;
DriverObject->MajorFunction[3] = (PDRIVER_DISPATCH)fn_read;
DriverObject->MajorFunction[4] = (PDRIVER_DISPATCH)fn_write;
DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)fn_DeviceControl;
DriverObject->MajorFunction[18] = (PDRIVER_DISPATCH)fn_null;
DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)fn_null;
DriverObject->DriverUnload = (PDRIVER_UNLOAD)fn_unload;
fn_write(应用层WriteFile): 简单处理sn, 计算md5保存到g_digest
.text:0001067F push offset g_digest
.text:00010684 push ebx
.text:00010685 call sub_104B6
.text:0001050D inc [ebp+sn]
.text:00010510 cmp esi, eax
.text:00010512 jle short loc_1051D
.text:00010514 add [ebp+eax+sn], al
.text:00010518 inc eax
.text:00010519 cmp eax, esi
.text:0001051B jl short loc_10514
.text:0001051D lea eax, [ebp+digest]
.text:00010520 push eax
.text:00010521 call md5_init
.text:00010526 lea eax, [ebp+sn]
.text:00010529 lea edx, [eax+1]
.text:0001052C mov cl, [eax]
.text:0001052E inc eax
.text:0001052F test cl, cl
.text:00010531 jnz short loc_1052C
.text:00010533 sub eax, edx
.text:00010535 push eax
.text:00010536 lea eax, [ebp+sn]
.text:00010539 push eax
.text:0001053A lea eax, [ebp+digest]
.text:0001053D push eax
.text:0001053E call md5_update
.text:00010543 push ebx
.text:00010544 lea eax, [ebp+digest]
.text:00010547 push eax
.text:00010548 call md5_final
fn_read(应用层ReadFile): 输出g_digest
3. 应用层逻辑
.rdata:0042381C dd offset CXXDlg__OnInitDialog
.rdata:00423824 dd offset CXXDlg__OnOK
CXXDlg::OnInitDialog: 释放并加载驱动
CXXDlg::OnOK
sn转小写逆序
.text:004017A2 lea ecx, [esp+2Ch+sn]
.text:004017A6 mov [esp+2Ch+var_8], 1
.text:004017AB call lower
.text:004017B0 lea ecx, [esp+2Ch+sn]
.text:004017B4 call reverse
sn长度6位
.text:004017BE mov ecx, [esp+2Ch+sn]
.text:004017C2 mov eax, [eax+4]
.text:004017C5 cmp dword ptr [ecx-8], 6
.text:004017C9 jnz loc_4018C2
与驱动通信处理sn
.text:004017E5 mov edx, [esp+2Ch+sn]
.text:004017E9 lea ecx, [esp+2Ch+sn]
.text:004017ED mov eax, [edx-8]
.text:004017F0 push eax ; size_t
.text:004017F1 push 0
.text:004017F3 call sub_418263
.text:004017F8 push eax ; char *
.text:004017F9 mov ecx, esi
.text:004017FB call drv_comm
返回后再计算一次md5
.text:00401829 call md5
取md5第2-12位与888aeda4ab比较
.text:0040182E push 0Ah
.text:00401830 lea eax, [esp+30h+var_18]
.text:00401834 push 2
.text:00401836 push eax
.text:00401837 lea ecx, [esp+38h+var_1C]
.text:0040183B call sub_415A78
...
.text:00401872 mov ecx, [esp+30h+var_1C]
.text:00401876 push offset a888aeda4ab
.text:0040187B push ecx
.text:0040187C call __mbsicmp
4. 穷举(跑了40分钟左右)
import hashlib
def md5(s):
d=hashlib.md5()
d.update(s.encode('utf8'))
return d.hexdigest()
m='0123456789abcdefghijklmnopqrstuvwxyz'
#print(len(m))
def revert(s):
a=[]
for i in range(6):
a.append(ord(s[i]))
a[0]=a[0]-1
for i in range(6):
a[i]=a[i]-i
r=''
for i in range(6):
r+=chr(a[i])
return r[::-1]
def solve():
for k1 in range(36):
for k2 in range(36):
for k3 in range(36):
for k4 in range(36):
for k5 in range(36):
for k6 in range(36):
f=chr(ord(m[k1])+1)+chr(ord(m[k2])+1)+chr(ord(m[k3])+2)+chr(ord(m[k4])+3)+chr(ord(m[k5])+4)+chr(ord(m[k6])+5)
#print(f)
s=md5(md5(f))
if (s[2:12]=='888aeda4ab'):
print(revert(f))
return
print('start')
solve()
print('end')>>> su1986
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
