【Name】
Cracking the full-screen overlay of the Hua Xia Bank (华夏银行) USB key (U盾)
【Prerequisites】
Hua Xia Bank online login system
or
Hua Xia Bank Client login system
URL:
http://www.hxb.com.cn/index.shtml
Key verification URL:
https://dbank.hxb.com.cn/easybanking/jsp/indexCert.jsp
Install directory:
C:\Program Files (x86)\HXB\EBankingAssistant
The goal is to crack Hua Xia Bank's full-screen lock UI, which appears in three places:
1. Click the tray icon -- Login -- full-screen lock.
2. Insert the USB key -- Web login -- full-screen lock.
3. Last step of a transfer, Confirm -- full-screen lock.
Why remove this full-screen lock?
Because some automatic-transfer software can no longer work properly with it.
【Cracking process】
1. First crack the tray-launched variant, i.e. certd_I3000_HXB.exe.
2. Load it in OD (OllyDbg) and search for the string: UNICODE "Login successfully!"
Located at:
004074A3 68 B4C14100 push 0041C1B4 ; UNICODE "Login successfully!"
3. Key location
This call is where the Login click is handled:
0040707A 55 push ebp
0040707B 8BEC mov ebp, esp
0040707D 81EC DC010000 sub esp, 1DC
00407083 53 push ebx
00407084 56 push esi
00407085 57 push edi
00407086 8BF1 mov esi, ecx
00407088 6A 01 push 1
0040708A E8 D9F60000 call <jmp.&MFC42u.#6330>
0040708F 8B3D B4764100 mov edi, dword ptr [<&USER32.SendMes>; USER32.SendMessageW
00407095 6A 00 push 0
00407097 BB 0A110000 mov ebx, 110A
0040709C 6A 09 push 9
0040709E 53 push ebx
0040709F FFB6 9C030000 push dword ptr [esi+39C]
004070A5 FFD7 call edi
Stepping through to find the call that displays the full-screen window, it is finally located. Creating the full-screen window:
00407176 8D45 C0 lea eax, dword ptr [ebp-40]
00407179 50 push eax
0040717A FF75 8C push dword ptr [ebp-74]
0040717D 6A 04 push 4
0040717F E8 44B5FFFF call 004026C8 ; create the full-screen window
Analysis result: changing the conditional jumps at two addresses into direct jmp instructions is enough.
00402713 8D4D D0 lea ecx, dword ptr [ebp-30]
00402716 E8 C62E0100 call 004155E1
0040271B 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
00402721 8975 DC mov dword ptr [ebp-24], esi
00402724 E8 1B970000 call 0040BE44
00402729 8B45 08 mov eax, dword ptr [ebp+8]
0040272C 8D4D E8 lea ecx, dword ptr [ebp-18]
0040272F 8945 9C mov dword ptr [ebp-64], eax
00402732 8B45 0C mov eax, dword ptr [ebp+C]
00402735 8945 A0 mov dword ptr [ebp-60], eax
00402738 E8 AB380100 call 00415FE8
0040273D 8D4D E8 lea ecx, dword ptr [ebp-18]
00402740 E8 E5380100 call 0041602A
00402745 85C0 test eax, eax
00402747 0F84 0B010000 je 00402858 ; must JMP here
0040274D 8D4D E8 lea ecx, dword ptr [ebp-18]
00402750 E8 8E390100 call 004160E3
00402755 85C0 test eax, eax
00402757 0F84 FB000000 je 00402858 ; must JMP here
0040275D 53 push ebx
0040275E 53 push ebx
0040275F 53 push ebx
00402760 B9 601E4200 mov ecx, 00421E60
00402765 E8 462B0100 call 004152B0
0040276A 50 push eax
0040276B FF15 08714100 call dword ptr [<&KERNEL32.CreateEven>; kernel32.CreateEventW
ds:[00417108]=7672180E (kernel32.CreateEventW)
00402771 8BF0 mov esi, eax
00402773 3BF3 cmp esi, ebx
00402775 8975 08 mov dword ptr [ebp+8], esi
00402778 0F84 DA000000 je 00402858
0040277E 8D85 1CFFFFFF lea eax, dword ptr [ebp-E4]
00402784 8D4D E8 lea ecx, dword ptr [ebp-18]
00402787 50 push eax
00402788 8D45 D0 lea eax, dword ptr [ebp-30]
0040278B 50 push eax
0040278C 56 push esi
0040278D E8 51390100 call 004160E3
00402792 50 push eax
00402793 8D4D A4 lea ecx, dword ptr [ebp-5C]
00402796 E8 0D2D0100 call 004154A8
0040279B 33C0 xor eax, eax
0040279D 8D7D E4 lea edi, dword ptr [ebp-1C]
004027A0 895D E0 mov dword ptr [ebp-20], ebx
004027A3 895D F8 mov dword ptr [ebp-8], ebx
004027A6 AB stos dword ptr es:[edi]
004027A7 8D7D FC lea edi, dword ptr [ebp-4]
004027AA 8D4D E8 lea ecx, dword ptr [ebp-18]
004027AD AB stos dword ptr es:[edi]
004027AE E8 34390100 call 004160E7 ; where the grey screen appears
004027B3 85C0 test eax, eax
004027B5 0F84 87000000 je 00402842
004027BB 8D45 E0 lea eax, dword ptr [ebp-20]
004027BE 8B35 90754100 mov esi, dword ptr [<&MSVCRT._begint>; msvcrt._beginthreadex
Modified assembly:
00402729 8B45 08 mov eax, dword ptr [ebp+8]
0040272C 8D4D E8 lea ecx, dword ptr [ebp-18]
0040272F 8945 9C mov dword ptr [ebp-64], eax
00402732 8B45 0C mov eax, dword ptr [ebp+C]
00402735 8945 A0 mov dword ptr [ebp-60], eax
00402738 E8 AB380100 call 00415FE8
0040273D 8D4D E8 lea ecx, dword ptr [ebp-18]
00402740 E8 E5380100 call 0041602A
00402745 85C0 test eax, eax
00402747 E9 0C010000 jmp 00402858 ; changed to jmp
0040274C 90 nop
0040274D 8D4D E8 lea ecx, dword ptr [ebp-18]
00402750 E8 8E390100 call 004160E3
Finally, after analysis, the following files need to be cracked:
1. For the Exe (client) method, crack:
Install directory\certd_I3000_HXB.exe
Install directory\certd2ka_hxb.exe
Install directory\shuttle_certd3003_hxb.exe
2. For the Web login method, crack:
C:\Windows\System32\hxkey2feitian.dll
【Other: log of the approach used to find the key points】
1. Analysis
00416108 FF15 58714100 call dword ptr [<&KERNEL32.LocalFree>>; kernel32.LocalFree
0041610E 895E 04 mov dword ptr [esi+4], ebx
00416111 8D46 04 lea eax, dword ptr [esi+4]
00416114 55 push ebp
00416115 50 push eax
00416116 6A 03 push 3
00416118 68 00010000 push 100
0041611D 8BCE mov ecx, esi
0041611F FF36 push dword ptr [esi]
00416121 E8 D0000000 call 004161F6
00416126 FF76 08 push dword ptr [esi+8]
00416129 FF15 4C764100 call dword ptr [<&USER32.SwitchDeskto>; USER32.SwitchDesktop
Set bp USER32.SwitchDesktop and trace backwards from the breakpoint:
08FDEAA4 . FF15 5CC10109 call dword ptr [<&KERNEL32.LocalFree>>; \LocalFree
08FDEAAA . 895E 04 mov dword ptr [esi+4], ebx
08FDEAAD > 8D46 04 lea eax, dword ptr [esi+4]
08FDEAB0 . 55 push ebp
08FDEAB1 . 50 push eax
08FDEAB2 . 6A 03 push 3
08FDEAB4 . 68 00010000 push 100
08FDEAB9 . 8BCE mov ecx, esi
08FDEABB . FF36 push dword ptr [esi]
08FDEABD . E8 F54FF6FF call 08F43AB7
08FDEAC2 . FF76 08 push dword ptr [esi+8] ; /hDesktop
08FDEAC5 . FF15 D8C80109 call dword ptr [<&USER32.SwitchDeskto>; \SwitchDesktop
08FDC2B8 . /0F84 5D020000 je 08FDC51B ; here, must JMP
08FDC2BE . |8D4D C8 lea ecx, dword ptr [ebp-38]
08FDC2C1 . |E8 687EF6FF call 08F4412E
08FDC2C6 . |85C0 test eax, eax
08FDC2C8 . |0F84 4D020000 je 08FDC51B ; here, must JMP
08FDC2CE . |53 push ebx
08FDC2CF . |53 push ebx
08FDC2D0 . |53 push ebx
08FDC2D1 . |B9 10540109 mov ecx, 09015410
08FDC2D6 . |E8 B64DF6FF call 08F41091
08FDC2DB . |50 push eax ; |pSecurity
08FDC2DC . |FF15 10C10109 call dword ptr [<&KERNEL32.CreateEven>; \CreateEventW
08FDC2E2 . |3BC3 cmp eax, ebx
08FDC2E4 . |8945 D8 mov dword ptr [ebp-28], eax
08FDC2E7 . |0F84 2E020000 je 08FDC51B
08FDC2ED . |8D8D F8FEFFFF lea ecx, dword ptr [ebp-108]
08FDC2F3 . |51 push ecx
08FDC2F4 . |8D4D A0 lea ecx, dword ptr [ebp-60]
08FDC2F7 . |51 push ecx
08FDC2F8 . |50 push eax
08FDC2F9 . |8D4D C8 lea ecx, dword ptr [ebp-38]
08FDC2FC . |E8 2D7EF6FF call 08F4412E
08FDC301 . |50 push eax
08FDC302 . |8D4D 80 lea ecx, dword ptr [ebp-80]
08FDC305 . |E8 0A52F6FF call 08F41514
08FDC30A . |A1 6C1F0109 mov eax, dword ptr [9011F6C]
08FDC30F . |8D7D B8 lea edi, dword ptr [ebp-48]
08FDC312 . |8945 84 mov dword ptr [ebp-7C], eax //89458433C0895DB4895DE0
08FDC315 . |33C0 xor eax, eax
08FDC317 . |895D B4 mov dword ptr [ebp-4C], ebx
08FDC31A . |895D E0 mov dword ptr [ebp-20], ebx
08FDC31D . |AB stos dword ptr es:[edi]
08FDC31E . |8D7D E4 lea edi, dword ptr [ebp-1C]
08FDC321 . |8D4D C8 lea ecx, dword ptr [ebp-38]
08FDC324 . |C645 FC 04 mov byte ptr [ebp-4], 4
08FDC328 . |AB stos dword ptr es:[edi]
08FDC329 . |E8 A871F6FF call 08F434D6 ; USER32.SwitchDesktop
【Final solution】
1. For Client login, crack:
Install directory\certd_I3000_HXB.exe
Install directory\certd2ka_hxb.exe
Install directory\shuttle_certd3003_hxb.exe
1009C2B8 /0F84 5D020000 je 1009C51B ; must jump away here, otherwise the screen locks.
1009C2BE . |8D4D C8 lea ecx, dword ptr [ebp-38]
1009C2C1 . |E8 687EF6FF call 1000412E
1009C2C6 . |85C0 test eax, eax
1009C2C8 . |0F84 4D020000 je 1009C51B ; must jump away here, otherwise the screen locks.
1009C2CE . |53 push ebx
1009C2CF . |53 push ebx
1009C2D0 . |53 push ebx
1009C2D1 . |B9 10540D10 mov ecx, 100D5410
1009C2D6 . |E8 B64DF6FF call 10001091
1009C2DB . |50 push eax ; |pSecurity
1009C2DC . |FF15 10C10D10 call dword ptr [<&KERNEL32.CreateEven>; \CreateEventW
1009C2E2 . |3BC3 cmp eax, ebx
1009C2E4 . |8945 D8 mov dword ptr [ebp-28], eax
1009C2E7 . |0F84 2E020000 je 1009C51B
1009C2ED . |8D8D F8FEFFFF lea ecx, dword ptr [ebp-108]
1009C2F3 . |51 push ecx
1009C2F4 . |8D4D A0 lea ecx, dword ptr [ebp-60]
1009C2F7 . |51 push ecx
1009C2F8 . |50 push eax
1009C2F9 . |8D4D C8 lea ecx, dword ptr [ebp-38]
1009C2FC . |E8 2D7EF6FF call 1000412E
1009C301 . |50 push eax
1009C302 . |8D4D 80 lea ecx, dword ptr [ebp-80]
1009C305 . |E8 0A52F6FF call 10001514
1009C30A . |A1 6C1F0D10 mov eax, dword ptr [100D1F6C]
1009C30F . |8D7D B8 lea edi, dword ptr [ebp-48]
1009C312 . |8945 84 mov dword ptr [ebp-7C], eax ; 89458433C0895DB4895DE0
1009C315 . |33C0 xor eax, eax
1009C317 . |895D B4 mov dword ptr [ebp-4C], ebx
1009C31A . |895D E0 mov dword ptr [ebp-20], ebx
1009C31D . |AB stos dword ptr es:[edi]
1009C31E . |8D7D E4 lea edi, dword ptr [ebp-1C]
1009C321 . |8D4D C8 lea ecx, dword ptr [ebp-38]
1009C324 . |C645 FC 04 mov byte ptr [ebp-4], 4
1009C328 . |AB stos dword ptr es:[edi]
1009C329 . |E8 A871F6FF call 100034D6 ; USER32.SwitchDesktop locks the screen
2. For Web login, crack:
C:\Windows\System32\hxkey2feitian.dll
The method and code are the same as above.
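From the defender's side, the patch described above is detectable: rewriting a `je` to `jmp` plus `nop` changes the file bytes, so the vendor's Authenticode signature no longer validates and the file hash no longer matches a known-good baseline. The following PowerShell script is an added integrity check, not code from the writeup or from the bank's software. It walks the four files the writeup names, checks each signature with Get-AuthenticodeSignature, compares its SHA-256 against a baseline table, and scans for the patched byte sequence shown above (`85 C0 E9 0C 01 00 00 90`, i.e. `test eax,eax` followed by the `je 00402858` at 00402747 rewritten as `jmp` plus `nop`). The second pattern is derived by the same arithmetic for the `je` at 00402757; the baseline hashes are placeholders and `$InstallDir` is assumed to be the install directory given at the top of the page.

```powershell
# Added integrity check for the binaries named in the writeup (not the vendor's code).
# Assumption: $InstallDir is the install directory listed above; baseline hashes are
# placeholders to be recorded from a known-good, untampered installation.
$InstallDir = 'C:\Program Files (x86)\HXB\EBankingAssistant'
$Files = @(
    (Join-Path $InstallDir 'certd_I3000_HXB.exe'),
    (Join-Path $InstallDir 'certd2ka_hxb.exe'),
    (Join-Path $InstallDir 'shuttle_certd3003_hxb.exe'),
    'C:\Windows\System32\hxkey2feitian.dll'
)

# Known-good SHA-256 values (PLACEHOLDERS: fill in from a clean install).
$Baseline = @{
    'certd_I3000_HXB.exe'      = '<sha256-of-known-good-file>'
    'certd2ka_hxb.exe'         = '<sha256-of-known-good-file>'
    'shuttle_certd3003_hxb.exe' = '<sha256-of-known-good-file>'
    'hxkey2feitian.dll'        = '<sha256-of-known-good-file>'
}

# Byte signatures of the patch shown in the writeup:
#  - 85 C0 E9 0C 01 00 00 90 : je at 00402747 rewritten to jmp 00402858 + nop (from the page)
#  - 85 C0 E9 FC 00 00 00 90 : je at 00402757 rewritten the same way (derived, assumption)
$PatchPatterns = @(
    [byte[]](0x85,0xC0,0xE9,0x0C,0x01,0x00,0x00,0x90),
    [byte[]](0x85,0xC0,0xE9,0xFC,0x00,0x00,0x00,0x90)
)

# Naive byte search; returns the first file offset of $Pattern in $Data, or -1.
function Find-BytePattern {
    param([byte[]]$Data, [byte[]]$Pattern)
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Pattern.Length; $j++) {
            if ($Data[$i + $j] -ne $Pattern[$j]) { $match = $false; break }
        }
        if ($match) { return $i }
    }
    return -1
}

foreach ($path in $Files) {
    if (-not (Test-Path -Path $path)) { Write-Output "MISSING  $path"; continue }
    $name  = Split-Path -Path $path -Leaf
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $hash  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $bytes = [System.IO.File]::ReadAllBytes($path)

    $findings = @()
    # A patched PE no longer verifies: expect 'Valid' on an untampered vendor binary.
    if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
    # Hash drift against the baseline catches any byte-level change, not just this patch.
    if ($Baseline[$name] -and $hash -ne $Baseline[$name]) { $findings += 'hash differs from baseline' }
    # Specific signature for the je->jmp rewrite at the screen-lock check.
    foreach ($pat in $PatchPatterns) {
        $off = Find-BytePattern -Data $bytes -Pattern $pat
        if ($off -ge 0) { $findings += ('patch pattern at file offset 0x{0:X}' -f $off) }
    }

    if ($findings.Count -eq 0) { Write-Output "OK       $path" }
    else { Write-Output ("TAMPERED $path : " + ($findings -join '; ')) }
}
```

The signature and hash checks are the general controls; they flag any modification of these files regardless of which branch was rewritten, which matters because the page patches a different DLL (hxkey2feitian.dll) at different addresses without listing the resulting bytes. The byte-pattern scan is only a supplementary signature for the one patch site whose patched bytes the writeup shows, and it will miss the same change made with a different encoding or a different legitimate vendor build, so the baseline hashes should be refreshed whenever the bank ships an updated client.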