[CrackMe] 【D01E06】电子管 反破解教程之六【驱动程序试验】
本帖最后由 dianziguan 于 2013-7-23 17:53 编辑
把注册码的验证放到一个小驱动程序 dzg_test.sys 中,给破解者添点麻烦。
欢迎试验!
程序源代码如下:
; dzg_test registration client (user mode, 32-bit).  MASM/Intel syntax,
; stdcall calling convention, case-sensitive symbols.
.386
.model flat, stdcall
option casemap:none
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
include \masm32\include\winioctl.inc
include \masm32\Macros\Strings.mac
; Dialog procedure: hWnd, uMsg, wParam, lParam (all DWORD-sized).
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
; Control code shared with dzg_test.sys (the driver defines the identical value):
; device type FILE_DEVICE_UNKNOWN, function 800h (first code of the customer
; range 2048-4095), METHOD_BUFFERED, and the handle must have read+write access.
IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)
; Macro definition for defining IOCTL and FSCTL function control codes.Note
; that function codes 0-2047 are reserved for Microsoft Corporation, and
; 2048-4095 are reserved for customers.
;CTL_CODE MACRO DeviceType:=<0>, Function:=<0>, Method:=<0>, Access:=<0>
; EXITM %(((DeviceType) SHL 16) OR ((Access) SHL 14) OR ((Function) SHL 2) OR (Method))
;ENDM
.const
; Dialog control identifiers (presumably matching the "MyDialog" resource
; template, which is not part of this listing).
IDC_EDIT2 equ 3800 ; edit box pre-filled with SerialNumber1 on WM_INITDIALOG
IDC_EDIT3 equ 3801 ; edit box whose text is read into regbuffer1
IDC_BUTTON equ 3001 ; button that triggers the serial check
IDC_EXIT equ 3002 ; button that just ends the dialog
.data
sysname db "dzg_test.sys",0 ; driver image file name; resolved against the current directory by GetFullPathName
device db "dzg_test",0 ; service name passed to CreateService
driver db "dzg_test Driver",0 ; service display name
abyInBuffer db 32 dup (0);"1415926535",22 dup(0); data sent to the driver (first 10 bytes = typed serial); the author's note keeps an alternative initializer
abyOutBuffer db 32 dup(0) ; reply filled in by the driver
name_buffer db 'reg0.txt',0; file the driver's reply is written to
ok_1 db "注册结果请查看文件 reg0.txt",0
mesberr_1 db "未能注册成功",0
DlgName db "MyDialog",0
AppName db "注册程序,(C)电子管 2012.07.23",0
dwBytesReturned dd 0 ; bytes returned by DeviceIoControl
SerialNumber1 db "1234567890",0 ; default text shown in IDC_EDIT2
.data?
hFile HANDLE ? ; handle of reg0.txt while it is being written
SizeReadWrite DWORD ? ; bytes actually written by WriteFile
hInstance HINSTANCE ?
CommandLine LPSTR ? ; not used in this listing
regbuffer1 db 512 dup(?) ; text read from IDC_EDIT3 (zero-filled at load, so short input leaves zeros behind it)
.code
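start:
    ; Entry point: show the registration dialog.  When DlgProc ends it, continue
    ; in drive1, which hands the typed serial to the driver and exits the process.
    invoke GetModuleHandle, NULL
    mov hInstance, eax
    invoke DialogBoxParam, hInstance, ADDR DlgName, NULL, addr DlgProc, NULL
    call drive1                         ; drive1 never returns (ExitProcess inside)
    invoke ExitProcess, eax             ; reachable fallback should drive1 ever return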
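;-----------------------------------------------------------------------
; INT_PTR CALLBACK DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; ABI:   stdcall (esi/edi/ebx are callee-saved and must be preserved)
; IDC_BUTTON: copies the first 10 characters typed into IDC_EDIT3 to
; abyInBuffer and requires characters 9-10 to be "35" (ax == 3533h after the
; last lodsw); on a mismatch it shows mesberr_1 and terminates the process,
; otherwise it ends the dialog so the caller continues with the driver test.
; Returns TRUE for handled messages, FALSE otherwise.
;-----------------------------------------------------------------------
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_INITDIALOG
        invoke SetDlgItemText,hWnd,IDC_EDIT2,ADDR SerialNumber1
    .ELSEIF uMsg== WM_CLOSE
        invoke EndDialog, hWnd,NULL
    .ELSEIF uMsg==WM_COMMAND
        mov edx,wParam
        mov eax,edx
        shr edx,16                      ; dx = notification code, ax = control id
        .if dx==BN_CLICKED
            .IF ax==IDC_BUTTON
                invoke GetDlgItemText,hWnd,IDC_EDIT3,ADDR regbuffer1,512
                push esi                ; both string registers are callee-saved;
                push edi                ; the original saved esi only and leaked edi
                mov esi,offset regbuffer1
                mov edi,offset abyInBuffer
                cld
                lodsd
                stosd
                lodsd
                stosd
                lodsw
                stosw                   ; abyInBuffer[0..9] = regbuffer1[0..9]
                pop edi                 ; restore before any branch so every
                pop esi                 ; exit path leaves esi/edi intact
                cmp ax,3533h            ; bytes 9-10 == "35" (little-endian word)
                jz loc_3
                invoke MessageBox,NULL,ADDR mesberr_1,ADDR AppName,MB_OK
                invoke EndDialog, hWnd,NULL
                invoke ExitProcess,eax
            loc_3:
                invoke EndDialog, hWnd,NULL
            .ELSEIF ax==IDC_EXIT
                invoke EndDialog, hWnd,NULL
            .ENDIF
        .ENDIF
    .ELSE
        mov eax,FALSE
        ret
    .ENDIF
    mov eax,TRUE
    ret
DlgProc endp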
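start2:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; drive1 -- entered once the dialog has closed (the start2 label sits directly
; on the prologue, so a jmp here also sets up the frame).
; Installs dzg_test.sys, looked up relative to the current directory, as a
; demand-start kernel service, starts it, opens \\.\dzg_test, sends
; IOCTL_GET_INFO with abyInBuffer, stores the 32-byte reply in reg0.txt, then
; stops and deletes the service.  Never returns: ends with ExitProcess.
; Needs administrator rights (SC_MANAGER_ALL_ACCESS and loading a driver).
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
drive1 proc uses esi edi
    local hSCManager:HANDLE
    local hService:HANDLE
    local acModulePath[MAX_PATH]:CHAR   ; full path of the driver image (a bare CHAR is 1 byte and GetFullPathName fails)
    local _ss:SERVICE_STATUS            ; filled by ControlService
    local hDevice:HANDLE

    ; Open a handle to the SC Manager database
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS
    .if eax != NULL
        mov hSCManager, eax
        ; Resolve "dzg_test.sys" against the current directory.  The pushed
        ; dword is only a scratch slot for GetFullPathName's lpFilePart output.
        push eax
        invoke GetFullPathName, addr sysname, sizeof acModulePath, addr acModulePath, esp
        pop ecx
        ; eax = 0 on failure, or the required size when the buffer is too small;
        ; in both cases acModulePath holds no usable path, so nothing is installed.
        .if (eax == 0) || (eax >= sizeof acModulePath)
            invoke MessageBox, NULL, $CTA0("Can't resolve driver path."), NULL, MB_OK + MB_ICONSTOP
        .else
            ; Install service; only the rights used below are requested
            invoke CreateService, hSCManager, addr device, addr driver, \
                SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
                SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL
            .if eax != NULL
                mov hService, eax
                ; Driver's DriverEntry procedure will be called
                invoke StartService, hService, 0, NULL
                .if eax != 0
                    ; Driver will receive I/O request packet (IRP) of type IRP_MJ_CREATE
                    invoke CreateFile, $CTA0("\\\\.\\dzg_test"), GENERIC_READ + GENERIC_WRITE, \
                        0, NULL, OPEN_EXISTING, 0, NULL
                    .if eax != INVALID_HANDLE_VALUE
                        mov hDevice, eax
                        ; Driver will receive IRP of type IRP_MJ_DEVICE_CONTROL
                        invoke DeviceIoControl, hDevice, IOCTL_GET_INFO, addr abyInBuffer, sizeof abyInBuffer, \
                            addr abyOutBuffer, sizeof abyOutBuffer, addr dwBytesReturned, NULL
                        .if ( eax != 0 ) && ( dwBytesReturned != 0 )
                            invoke MessageBox, NULL, addr ok_1, $CTA0("dzg_test"), MB_OK + MB_ICONINFORMATION
                            ; Save the reply; skip the write when the file cannot be created
                            ; instead of calling WriteFile on INVALID_HANDLE_VALUE.
                            invoke CreateFile, ADDR name_buffer, \
                                GENERIC_READ or GENERIC_WRITE, \
                                FILE_SHARE_READ or FILE_SHARE_WRITE, \
                                NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, \
                                NULL
                            .if eax != INVALID_HANDLE_VALUE
                                mov hFile, eax
                                invoke WriteFile, hFile, ADDR abyOutBuffer, sizeof abyOutBuffer, \
                                    ADDR SizeReadWrite, NULL
                                invoke CloseHandle, hFile
                            .endif
                        .else
                            invoke MessageBox, NULL, $CTA0("发送控制失败."), NULL, MB_OK + MB_ICONSTOP
                        .endif
                        invoke CloseHandle, hDevice ; Driver will receive IRP of type IRP_MJ_CLOSE
                    .else
                        invoke MessageBox, NULL, $CTA0("Device is not present."), NULL, MB_ICONSTOP
                    .endif
                    ; DriverUnload proc in our driver will be called
                    invoke ControlService, hService, SERVICE_CONTROL_STOP, addr _ss
                .else
                    invoke MessageBox, NULL, $CTA0("Can't start driver."), NULL, MB_OK + MB_ICONSTOP
                .endif
                invoke DeleteService, hService
                invoke CloseServiceHandle, hService
            .else
                invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_OK + MB_ICONSTOP
            .endif
        .endif
        invoke CloseServiceHandle, hSCManager
    .else
        invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), NULL, MB_OK + MB_ICONSTOP
    .endif
    invoke ExitProcess, 0
drive1 endp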
end start
;以下是驱动程序dzg_test.sys的汇编源码:
;goto make
; ^ first line of dzg_test.bat.  cmd treats the leading ';' as a separator and
;   executes "goto make", jumping to the :make label after "end DriverEntry";
;   MASM sees an ordinary comment.  Keep it as the very first line: anything
;   placed above it would be executed by cmd before the goto.
; File dzg_test.bat, author: 电子管, 2013-07-23.  Built with masm32 v8 and
; KmdKit 1.8; tested on Windows XP SP3.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac
; Must be byte-identical to the client's definition (evaluates to 22E000h);
; function 800h is the first code of the customer range 2048-4095.
IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)
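.const
; Native device name and the \??\ link that user mode opens as \\.\dzg_test.
CCOUNTED_UNICODE_STRING "\\Device\\dzg_test", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\dzg_test", g_usSymbolicLinkName, 4
.data
; "buff1db"/"key_1db" in the posted listing are the label and directive run
; together; each line needs the "db" separated or the file does not assemble.
buff1 db 40 dup (0) ; unused scratch area (kept so data offsets stay the same)
key_1 db 32 dup (0) ; copy of the caller's input (first 30 bytes of SystemBuffer)
data1 db 0e6h,96h,83h,0d4h,8ah,0fbh,8fh,93h,0,0 ; XORed against key_1 to build the reply; author's note: "注册成功"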
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchCreateClose
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
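DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    ; Handles IRP_MJ_CREATE (user-mode CreateFile on the device) and
    ; IRP_MJ_CLOSE (CloseHandle).  Runs in the calling process's context.
    ; No per-handle state exists, so both requests complete with success and
    ; Information = 0.  The [eax] base is required: ".IoStatus" alone is not a
    ; valid operand even under the ASSUME.
    mov eax, pIrp
    assume eax:ptr _IRP
    mov [eax].IoStatus.Status, STATUS_SUCCESS
    and [eax].IoStatus.Information, 0
    assume eax:nothing
    fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
    mov eax, STATUS_SUCCESS
    ret
DispatchCreateClose endp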
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchControl
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
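DispatchControl proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    ; IRP_MJ_DEVICE_CONTROL handler.  Only IOCTL_GET_INFO (METHOD_BUFFERED, so
    ; input and output share AssociatedIrp.SystemBuffer) is accepted:
    ;   key_1[0..29]        = SystemBuffer[0..29]
    ;   SystemBuffer[0..3]  = key_1[0..3] XOR data1[0..3]
    ;   SystemBuffer[4..7]  = key_1[4..7] XOR data1[4..7]
    ;   SystemBuffer[8..31] = untouched (echoed back to the caller)
    ; and Information = 32, which is what the client copies into reg0.txt.
    ; Returns STATUS_SUCCESS, STATUS_BUFFER_TOO_SMALL or STATUS_INVALID_DEVICE_REQUEST.
    ; Bracketed [esi]/[edi] bases are required on every field access below.
    local status:NTSTATUS
    local dwBytesReturned:DWORD         ; value stored in IoStatus.Information

    and dwBytesReturned, 0
    mov esi, pIrp
    assume esi:ptr _IRP
    IoGetCurrentIrpStackLocation esi
    mov edi, eax
    assume edi:ptr IO_STACK_LOCATION
    .if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_GET_INFO
        ; Information is reported as 32, so the output buffer must hold 32 bytes
        ; (a 30-byte check would let the I/O manager copy past a 30/31-byte user
        ; buffer).  Requiring 32 input bytes as well guarantees every echoed byte
        ; came from the caller rather than from uninitialised pool memory.
        .if ([edi].Parameters.DeviceIoControl.OutputBufferLength >= 32) && ([edi].Parameters.DeviceIoControl.InputBufferLength >= 32)
            mov eax, [esi].AssociatedIrp.SystemBuffer
            pushad
            push eax                    ; keep the SystemBuffer address
            mov esi, eax
            mov ecx, 30
            mov edi, offset key_1
            cld
            rep movsb                   ; key_1[0..29] = SystemBuffer[0..29]
            pop edi                     ; edi = SystemBuffer: results go back in place
            mov esi, offset key_1
            mov ebx, offset data1
            ; memory operands restored as [ebx]/[ebx+4], matching the decompiled
            ; driver (data1 and data1+4); confirm against the original source
            lodsd
            xor eax, [ebx]
            stosd
            lodsd
            xor eax, [ebx+4]
            stosd
            popad
            mov dwBytesReturned, 32
            mov status, STATUS_SUCCESS
        .else
            mov status, STATUS_BUFFER_TOO_SMALL
        .endif
    .else
        mov status, STATUS_INVALID_DEVICE_REQUEST
    .endif
    assume edi:nothing
    push status
    pop [esi].IoStatus.Status
    push dwBytesReturned
    pop [esi].IoStatus.Information
    assume esi:nothing
    fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
    mov eax, status
    ret
DispatchControl endp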
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverUnload
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
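DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; Runs when the service is stopped (ControlService, SERVICE_CONTROL_STOP),
    ; in System process context.  Removes the \??\ link first so no new opens
    ; can reach the device, then deletes the device object itself.
    ; "(DRIVER_OBJECT PTR [eax])" needs the register inside the brackets.
    invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
    mov eax, pDriverObject
    invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
    ret
DriverUnload endp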
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; D I S C A R D A B L E C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
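DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    ; Called by the I/O manager when StartService loads the image (System
    ; process context).  Creates \Device\dzg_test, links \??\dzg_test to it and
    ; registers the dispatch and unload routines.  Returns STATUS_SUCCESS, or
    ; STATUS_DEVICE_CONFIGURATION_ERROR after deleting the device if the
    ; symbolic link could not be created.
    ; NOTE(review): no security descriptor is supplied, so the device gets the
    ; I/O manager's default DACL and is probably openable by non-admin users;
    ; DispatchControl therefore has to validate every buffer length itself.
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT

    mov status, STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
    .if eax == STATUS_SUCCESS
        invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
        .if eax == STATUS_SUCCESS
            mov eax, pDriverObject
            assume eax:ptr DRIVER_OBJECT
            ; MajorFunction is an array of PDRIVER_DISPATCH indexed by IRP_MJ_*;
            ; the index expression in brackets is mandatory (three bare
            ; ".MajorFunction" stores would neither assemble nor select a slot).
            mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
            mov [eax].DriverUnload, offset DriverUnload
            assume eax:nothing
            mov status, STATUS_SUCCESS
        .else
            invoke IoDeleteDevice, pDeviceObject
        .endif
    .endif
    mov eax, status
    ret
DriverEntry endp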
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry
:make
rem Build section of the self-assembling dzg_test.bat: MASM stops reading at
rem "end DriverEntry", and cmd arrives here via the ";goto make" on line 1.
set drv=dzg_test
rem /c = assemble only, /coff = COFF object for the 32-bit linker; the .bat itself is the source file.
\masm32\bin\ml /nologo /c /coff %drv%.bat
rem /driver /subsystem:native -> kernel-mode image; /align:32 sets 32-byte section
rem alignment; /ignore:4078 silences LNK4078 (sections with differing attributes).
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native /ignore:4078 %drv%.obj
del %drv%.obj
pause
本帖最后由 a13686593572 于 2013-7-23 11:43 编辑
先抢个沙发
只知道关键在这= =
等待神牛来破=。=
// IDA pseudo-code of DispatchControl from the built dzg_test.sys (x86).
// The raw offsets correspond to the fields named in the MASM source:
//   a2+96 -> Tail.Overlay.CurrentStackLocation (IoGetCurrentIrpStackLocation)
//   v3+12 -> Parameters.DeviceIoControl.IoControlCode
//   v3+4  -> Parameters.DeviceIoControl.OutputBufferLength
//   a2+12 -> AssociatedIrp.SystemBuffer
//   v2+24 -> IoStatus.Status,  v2+28 -> IoStatus.Information
// dword_10428 = key_1 (32 bytes after the 40-byte buff1), dword_10448 = data1.
int __stdcall sub_102A4(int a1, int a2)
{
int v2; // esi@1
int v3; // edi@1
int v4; // ST00_4@3
int v6; // @1  -- dwBytesReturned
int v7; // @3  -- status
v6 = 0;
v2 = a2;
v3 = *(_DWORD *)(a2 + 96);
if ( *(_DWORD *)(v3 + 12) == 2285568 )//2285568d = IoControlCode:22E000h  (IOCTL_GET_INFO)
{
if ( *(_DWORD *)(v3 + 4) < 0x1Eu )  // OutputBufferLength < 30
{
v7 = -1073741789;  // 0xC0000023 STATUS_BUFFER_TOO_SMALL
}
else
{
v4 = *(_DWORD *)(a2 + 12);  // SystemBuffer
memcpy(dword_10428, *(const void **)(a2 + 12), 0x1Eu);  // key_1 = SystemBuffer[0..29]
*(_DWORD *)v4 = dword_10448 ^ dword_10428;  // data1[0..3] ^ key_1[0..3]
*(_DWORD *)(v4 + 4) = dword_10448 ^ dword_10428;  // source does lodsd twice, so the second operands are presumably data1+4 / key_1+4; the decompiler output looks folded
v2 = a2;
v6 = 32;  // Information: 8 computed bytes plus 24 echoed input bytes
v7 = 0;   // STATUS_SUCCESS
}
}
else
{
v7 = -1073741808;  // 0xC0000010 STATUS_INVALID_DEVICE_REQUEST
}
*(_DWORD *)(v2 + 24) = v7;
*(_DWORD *)(v2 + 28) = v6;
IofCompleteRequest((PIRP)v2, 0);
return v7;
} 听名字很NB的样子! a13686593572 发表于 2013-7-23 11:40 static/image/common/back.gif
先抢个沙发
只知道关键在这= =
等待神牛来破=。=
这是个什么工具软件啊?挺神奇
能把汇编变成c?这不像把香肠变成猪吗?
吾爱扣扣 发表于 2013-7-23 11:45 static/image/common/back.gif
听名字很NB的样子!
不要只看名字 {:1_931:}虽然又是简单的XOR...不熟练IDA有种淡淡的忧桑.
*(_DWORD *)v4 = *(_DWORD *)"鏂冊婝彄" ^ dword_10428;
*(_DWORD *)(v4 + 4) = *(_DWORD *)"婝彄" ^ dword_10428;
派遣函数中,属于算法应该就这两句~坐等尊师Zzh
沙发是IDA的F5~吃饭去
不会写驱动,不会调试带驱动的路过;
1415926535
其实是bang姐告诉我答案的,我小白一个,不会...
具体等bang姐做教材啦
Zzh 发表于 2013-7-23 12:35 static/image/common/back.gif
1415926535
{:1_902:} 吃完饭回来,尊师就搞定了!!!已经私密尊师,
好吧,前面8位算出信息框字符+35.与邦姐给出的字串xor
IDA F5.....