逆向么么辅助时发现了一种很有意思的过掉签名验证的方法
如图
按 F5 反编译后得到的代码
/*
 * Thread-style routine (LPVOID lpThreadParameter has the CreateThread callback
 * shape but is never read) that redirects an in-memory SIP (Subject Interface
 * Package) verification entry.  It walks three linked lists reachable from the
 * global hVerifyFuncSet:
 *   1. the entry whose name (field [1]) is "CryptSIPDllVerifyIndirectData",
 *   2. under it (field [8]) the entry whose name (field [2]) is the subject
 *      GUID "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" (the page's note says
 *      this is the GUID registered in the registry),
 *   3. under that (field [3]) the entry whose name (field [2]) is
 *      "CryptSIPVerifyIndirectData",
 * and then overwrites that last name string in place with
 * "WTHelperProvDataFromStat", so whatever later resolves this entry by name
 * gets a different export (inferred from the page's note and the cleared
 * field [3] below).  No registry value is modified; only the in-process copy
 * of the name changes, so a check that compares the loaded table against the
 * registered values is what would notice it — NOTE(review): inferred, confirm
 * against the host process.
 *
 * Returns 1 when the patch was applied, 0 when hVerifyFuncSet is NULL or any
 * of the three lists lacks the expected entry.  Field offsets and the list
 * layout are whatever the decompiler recovered; they are not defined on this
 * page.
 */
signed __int64 __fastcall fn80001070(LPVOID lpThreadParameter)
{
__int64 **v1; // rdi — cursor over the first list
signed __int64 result; // rax
__int64 *i; // rbx — cursor over the second list
const CHAR *lpString2; // rax — name string of the current second-list entry
bool v5; // zf — "GUID name matched" flag
__int64 **v6; // rbx — cursor over the third list
__int64 *v7; // rdx — the name buffer that gets overwritten
// The first list starts at the global hVerifyFuncSet (its type is not on this page).
v1 = (__int64 **)
hVerifyFuncSet
;
if ( !
hVerifyFuncSet
)
return 0i64;
// Walk the first list (next pointer at [0]) until the entry whose name at [1]
// equals "CryptSIPDllVerifyIndirectData".  CompareStringA returns CSTR_EQUAL (2)
// on a match; 0x409 is the en-US locale id and 1 is NORM_IGNORECASE.
while ( CompareStringA(0x409u, 1u, "CryptSIPDllVerifyIndirectData", -1, (PCNZCH)v1[1], -1) != 2 )
{
v1 = (__int64 **)*v1;
if ( !v1 )
return 0i64;
}
// Spin with 1 ms sleeps until field [8] of that entry is populated — presumably
// another thread fills it in lazily (TODO confirm).  There is no timeout, so
// this loop can hang forever if it never appears.
for ( i = v1[8]; !i; i = v1[8] )
Sleep(1u);
// Walk the second list (next pointer at [1]).  Entries with a non-zero DWORD at
// [0] are skipped; otherwise the name at [2] is compared with the subject GUID.
while ( 1 )
{
if ( *(_DWORD *)i )
goto LABEL_13;
lpString2 = (const CHAR *)i[2];
// Decompiler artifact: the address of a string literal is compared with
// 0xFFFF (the "integer ID rather than a pointer" idiom).  A real literal never
// satisfies it, so this break is effectively dead.
if ( (unsigned __int64)"{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" <= 0xFFFF )
break;
// Same idiom on the entry's own name: only treat it as a string when it is
// above the ID range; otherwise fall through to the next entry.
if ( (unsigned __int64)lpString2 > 0xFFFF )
{
// Match the GUID the page says is registered in the registry for this SIP.
v5 = CompareStringA(0x409u, 1u, "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}", -1, lpString2, -1) == 2;
goto LABEL_12;
}
LABEL_13:
i = (__int64 *)i[1];
if ( !i )
return 0i64;
}
// Reached only via the dead break above: pointer equality instead of a compare.
v5 = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" == lpString2;
LABEL_12:
if ( !v5 )
goto LABEL_13;
// The third list hangs off field [3] of the matched GUID entry.
v6 = (__int64 **)i[3];
if ( !v6 )
return 0i64;
// Walk the third list (next pointer at [0]) to the entry whose name at [2] is
// the registered "CryptSIPVerifyIndirectData".
while ( CompareStringA(0x409u, 1u, "CryptSIPVerifyIndirectData", -1, (PCNZCH)v6[2], -1) != 2 )
{
v6 = (__int64 **)*v6;
if ( !v6 )
return 0i64;
}
// v7 points at the name string itself.  It is cleared 8 bytes at a time, except
// for [3] (bytes 24..31), which the strcpy below terminates anyway
// (24 characters + NUL at byte 24).  Writing [4] assumes a buffer of >= 40 bytes.
v7 = v6[2];
result = 1i64;
*v7 = 0i64;
v7[1] = 0i64;
v7[2] = 0i64;
v7[4] = 0i64;
// Replace the stored function name "CryptSIPVerifyIndirectData" with
// "WTHelperProvDataFromStat" in place.  Unbounded strcpy; it relies on the
// existing buffer being large enough, as the zeroing above already does.
strcpy(v7, "WTHelperProvDataFromStat");
// Field [3] of the entry is cleared — presumably a cached resolved address, so
// the entry is re-resolved under the new name (TODO confirm).
v6[3] = 0i64;
return result;
}
signed __int64 __fastcall fn80001070(LPVOID lpThreadParameter)
{
__int64 **v1; // rdi
signed __int64 result; // rax
__int64 *i; // rbx
const CHAR *lpString2; // rax
bool v5; // zf
__int64 **v6; // rbx
__int64 *v7; // rdx
v1 = (__int64 **)
hVerifyFuncSet
;
if ( !
hVerifyFuncSet
)
return 0i64;
//遍历第一个链表找到CryptSIPDllVerifyIndirectData
while ( CompareStringA(0x409u, 1u, "CryptSIPDllVerifyIndirectData", -1, (PCNZCH)v1[1], -1) != 2 )
{
v1 = (__int64 **)*v1;
if ( !v1 )
return 0i64;
}
for ( i = v1[8]; !i; i = v1[8] )
Sleep(1u);
while ( 1 )
{
if ( *(_DWORD *)i )
goto LABEL_13;
lpString2 = (const CHAR *)i[2];
if ( (unsigned __int64)"{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" <= 0xFFFF )
break;
if ( (unsigned __int64)lpString2 > 0xFFFF )
{
//遍历第二个链表找到对应注册表登记的 “{C689AAB8-8E78-11D0-8C47-00C04FC295EE}”