[CrackMe] 【D01E06】电子管反破解教程之六【驱动程序试验】

dianziguan · 发表于 2013-7-23 11:19

本帖最后由 dianziguan 于 2013-7-23 17:53 编辑

把注册码的验证放到一个小驱动程序dzg_test.sys中，给破解者添点麻烦。
欢迎试验!

程序源代码如下：
.386
.model flat, stdcall
option casemap:none
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                               I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
include \masm32\include\winioctl.inc
include \masm32\Macros\Strings.mac
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)
; Macro definition for defining IOCTL and FSCTL function control codes.  Note
; that function codes 0-2047 are reserved for Microsoft Corporation, and
; 2048-4095 are reserved for customers.
;CTL_CODE MACRO DeviceType:=<0>, Function:=<0>, Method:=<0>, Access:=<0>
; EXITM %(((DeviceType) SHL 16) OR ((Access) SHL 14) OR ((Function) SHL 2) OR (Method))
;ENDM

.const
IDC_EDIT2       equ 3800
IDC_EDIT3       equ 3801
IDC_BUTTON    equ 3001
IDC_EXIT       equ 3002
.data
sysname db "dzg_test.sys",0    ;驱动程序名
device db "dzg_test",0
driver db "dzg_test Driver",0
abyInBuffer db 32 dup (0);"1415926535",22 dup(0);传输试验数据用
abyOutBuffer db 32 dup(0) ;用于存放驱动传回的数据
name_buffer db 'reg0.txt',0  ;读取的数据保存
ok_1 db "注册结果请查看文件 reg0.txt",0
mesberr_1 db "未能注册成功",0
DlgName db "MyDialog",0
AppName db "注册程序，(C)电子管 2012.07.23",0
dwBytesReturned dd 0
SerialNumber1 db "1234567890",0
.data?
hFile HANDLE ?       ;文件句柄
SizeReadWrite DWORD ? ;文件中实际写入的字节数
hInstance HINSTANCE ?
CommandLine LPSTR ?
regbuffer1 db 512 dup(?)
.code
start:
   invoke GetModuleHandle, NULL
mov hInstance,eax
invoke DialogBoxParam, hInstance, ADDR DlgName,NULL,addr DlgProc,NULL
   jmp start2
invoke ExitProcess,eax
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.IF uMsg==WM_INITDIALOG
   invoke SetDlgItemText,hWnd,IDC_EDIT2,ADDR SerialNumber1

.ELSEIF uMsg== WM_CLOSE
  invoke EndDialog, hWnd,NULL
.ELSEIF uMsg==WM_COMMAND

  mov edx,wParam
            mov eax,edx
shr edx,16
.if dx==BN_CLICKED
.IF ax==IDC_BUTTON

                           invoke GetDlgItemText,hWnd,IDC_EDIT3,ADDR regbuffer1,512
                           push esi
                           mov esi,offset regbuffer1
                           mov edi,offset abyInBuffer
                           cld
                           lodsd
                           stosd
                           lodsd
                           stosd
                           lodsw
                           stosw
                           cmp ax,3533h
                           jz loc_1
                           jmp loc_2

                     loc_1:jmp loc_3

                     loc_2:
                     pop esi
                     invoke MessageBox,NULL,ADDR mesberr_1,ADDR AppName,MB_OK

                  exit_1:  invoke EndDialog, hWnd,NULL
                     invoke ExitProcess,eax
               loc_3: invoke EndDialog, hWnd,NULL

                     .ELSEIF ax==IDC_EXIT
   invoke EndDialog, hWnd,NULL
.ENDIF
.ENDIF

.ELSE
  mov eax,FALSE
  ret
.ENDIF
mov eax,TRUE
ret
DlgProc endp
start2:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
drive1 proc uses esi edi
local hSCManager:HANDLE
local hService:HANDLE
local acModulePath[MAX_PATH]:CHAR
local _ss:SERVICE_STATUS
local hDevice:HANDLE
local acVersion[16]:CHAR
; Open a handle to the SC Manager database
invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS
.if eax != NULL
      mov hSCManager, eax
      ;invoke GetCurrentDirectory, sizeof g_acBuffer, addr g_acBuffer
      push eax
      invoke GetFullPathName, addr sysname, sizeof acModulePath, addr acModulePath, esp
      pop eax
      ; Install service
      invoke CreateService, hSCManager, addr device, addr driver, \
         SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
         SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL
      .if eax != NULL
         mov hService, eax
         ; Driver's DriverEntry procedure will be called
         invoke StartService, hService, 0, NULL
         .if eax != 0
            ; Driver will receive I/O request packet (IRP) of type IRP_MJ_CREATE
            invoke CreateFile, $CTA0("[url=]\\\\.\\dzg_test[/url]"), GENERIC_READ + GENERIC_WRITE, \
                              0, NULL, OPEN_EXISTING, 0, NULL
            .if eax != INVALID_HANDLE_VALUE
                  mov hDevice, eax
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  ; Driver will receive IRP of type IRP_MJ_DEVICE_CONTROL
                  invoke DeviceIoControl, hDevice, IOCTL_GET_INFO, addr abyInBuffer, sizeof abyInBuffer, addr abyOutBuffer, sizeof abyOutBuffer, addr dwBytesReturned, NULL
                  .if ( eax != 0 ) && ( dwBytesReturned != 0 )
                  invoke MessageBox, NULL, addr ok_1, $CTA0("dzg_test"), MB_OK + MB_ICONINFORMATION
                  invoke CreateFile,ADDR name_buffer,\
         GENERIC_READ or GENERIC_WRITE ,\
         FILE_SHARE_READ or FILE_SHARE_WRITE,\
         NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,\
         NULL
mov hFile,eax
invoke WriteFile,hFile,ADDR abyOutBuffer,32,\
         ADDR SizeReadWrite,NULL
invoke CloseHandle,hFile

                        tt_3:
                  .else
                     invoke MessageBox, NULL, $CTA0("发送控制失败."), NULL, MB_OK + MB_ICONSTOP
                  .endif
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

                  invoke CloseHandle, hDevice  ; Driver will received IRP of type IRP_MJ_CLOSE
            .else
                  invoke MessageBox, NULL, $CTA0("Device is not present."), NULL, MB_ICONSTOP
            .endif

            invoke ControlService, hService, SERVICE_CONTROL_STOP, addr _ss
                                    ; DriverUnload proc in our driver will be called
         .else
            invoke MessageBox, NULL, $CTA0("Can't start driver."), NULL, MB_OK + MB_ICONSTOP
         .endif
         invoke DeleteService, hService
         invoke CloseServiceHandle, hService
      .else
         invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_OK + MB_ICONSTOP
      .endif
      invoke CloseServiceHandle, hSCManager
.else
      invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), NULL, MB_OK + MB_ICONSTOP
.endif
invoke ExitProcess, 0
drive1 endp
end start
;以下是驱动程序dzg_test.sys的汇编源码：
;goto make
;文件名dzg_test.bat 作者：电子管 2013年7月23日用masm32v8和kmdkit1.8在winxp sp3下调试成功。
.386
.model flat, stdcall
option casemap:none
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac
IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)

.const
CCOUNTED_UNICODE_STRING "\\Device\\dzg_test", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\dzg_test", g_usSymbolicLinkName, 4

.data
buff1  db 40 dup (0) ;
key_1  db 32 dup (0) ;
data1 db 0e6h,96h,83h,0d4h,8ah,0fbh,8fh,93h,0,0; "注册成功"
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  DispatchCreateClose
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
; CreateFile was called, to get driver handle
; CloseHandle was called, to close driver handle
; In both cases we are in user process context here
mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing
fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  DispatchControl
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchControl proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
local status:NTSTATUS
local dwBytesReturned:DWORD ;实际返回的字节数
and dwBytesReturned, 0
mov esi, pIrp
assume esi:ptr _IRP
IoGetCurrentIrpStackLocation esi
mov edi, eax
assume edi:ptr IO_STACK_LOCATION
.if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_GET_INFO
      .if [edi].Parameters.DeviceIoControl.OutputBufferLength >= 30
         mov eax, [esi].AssociatedIrp.SystemBuffer

                     pushad
                     push eax
         mov esi,eax
         mov ecx,30
         mov edi,offset key_1
         cld
         rep movsb  ;保存传过来的数据到key_1

                     pop edi
                     mov esi,offset key_1
                     mov ebx,offset data1
                     lodsd
                     xor eax,[ebx]
                     stosd
                     lodsd
                     xor eax,[ebx+4]
                     stosd
                     popad
         mov dwBytesReturned, 32
         mov status, STATUS_SUCCESS
      .else
         mov status, STATUS_BUFFER_TOO_SMALL
      .endif
.else
      mov status, STATUS_INVALID_DEVICE_REQUEST
.endif
assume edi:nothing
push status
pop [esi].IoStatus.Status
push dwBytesReturned
pop [esi].IoStatus.Information
assume esi:nothing
fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
mov eax, status
ret
DispatchControl endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     DriverUnload
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT
; ControlService,,SERVICE_CONTROL_STOP was called
; We are in System process (pid = 8) context here
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax, pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
ret
DriverUnload endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                            D I S C A R D A B L E C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
; StartService was called
; We are in System process (pid = 8) context here
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
      invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
      .if eax == STATUS_SUCCESS
         mov eax, pDriverObject
         assume eax:ptr DRIVER_OBJECT
         mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],          offset DispatchCreateClose
         mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],          offset DispatchCreateClose
         mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
         mov [eax].DriverUnload,offset DriverUnload
         assume eax:nothing
         mov status, STATUS_SUCCESS
      .else
         invoke IoDeleteDevice, pDeviceObject
      .endif
.endif
mov eax, status
ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry
:make
set drv=dzg_test
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native /ignore:4078 %drv%.obj
del %drv%.obj
pause

a13686593572 · 发表于 2013-7-23 11:40

本帖最后由 a13686593572 于 2013-7-23 11:43 编辑

先抢个沙发
只知道关键在这= =
等待神牛来破=。=

[C++] 纯文本查看 复制代码

int __stdcall sub_102A4(int a1, int a2)
{
  int v2; // esi@1
  int v3; // edi@1
  int v4; // ST00_4@3
  int v6; // [sp+8h] [bp-8h]@1
  int v7; // [sp+Ch] [bp-4h]@3

  v6 = 0;
  v2 = a2;
  v3 = *(_DWORD *)(a2 + 96);
  if ( *(_DWORD *)(v3 + 12) == 2285568 )//2285568d = IoControlCode:22E000h
  {
    if ( *(_DWORD *)(v3 + 4) < 0x1Eu )
    {
      v7 = -1073741789;
    }
    else
    {
      v4 = *(_DWORD *)(a2 + 12);
      memcpy(dword_10428, *(const void **)(a2 + 12), 0x1Eu);
      *(_DWORD *)v4 = dword_10448[0] ^ dword_10428[0];
      *(_DWORD *)(v4 + 4) = dword_10448[1] ^ dword_10428[1];
      v2 = a2;
      v6 = 32;
      v7 = 0;
    }
  }
  else
  {
    v7 = -1073741808;
  }
  *(_DWORD *)(v2 + 24) = v7;
  *(_DWORD *)(v2 + 28) = v6;
  IofCompleteRequest((PIRP)v2, 0);
  return v7;
}

吾爱扣扣 · 发表于 2013-7-23 11:45

听名字很NB的样子！

dianziguan · 发表于 2013-7-23 11:48

a13686593572 发表于 2013-7-23 11:40
先抢个沙发
只知道关键在这= =
等待神牛来破=。=

这是个什么工具软件啊？挺神奇
能把汇编变成c？这不像把香肠变成猪吗？

dianziguan · 发表于 2013-7-23 11:50

吾爱扣扣发表于 2013-7-23 11:45
听名字很NB的样子！

不要只看名字

Rookietp · 发表于 2013-7-23 11:52

{:1_931:}虽然又是简单的XOR...不熟练IDA有种淡淡的忧桑.
*(_DWORD *)v4 = *(_DWORD *)"鏂冊婝彄" ^ dword_10428[0];
*(_DWORD *)(v4 + 4) = *(_DWORD *)"婝彄" ^ dword_10428[1];

派遣函数中,属于算法应该就这两句~坐等尊师Zzh 沙发是IDA的F5~吃饭去

sunflover · 发表于 2013-7-23 12:07

不会写驱动，不会调试带驱动的路过；

Zzh · 发表于 2013-7-23 12:35

1415926535

其实是bang姐告诉我答案的,我小白一个,不会...

具体等bang姐做教材啦

Rookietp · 发表于 2013-7-23 12:50

Zzh 发表于 2013-7-23 12:35
1415926535

{:1_902:} 吃完饭回来,尊师就搞定了!!!已经私密尊师,

RedAngel丶 · 发表于 2013-7-23 14:49

好吧,前面8位算出信息框字符+35.与邦姐给出的字串xor

IDA F5.....

帐号		自动登录	找回密码
密码			注册[Register]

[CrackMe] [CrackMe] 【D01E06】电子管反破解教程之六【驱动程序试验】

本帖子中包含更多资源

点评

本帖子中包含更多资源

点评

[CrackMe] [CrackMe] 【D01E06】电子管 反破解教程之六【驱动程序试验】

本帖子中包含更多资源

点评

本帖子中包含更多资源

点评

[CrackMe] [CrackMe] 【D01E06】电子管反破解教程之六【驱动程序试验】