Let's Play Together: getting started on the USB Redirector 6.11 algorithm analysis
This post was last edited by wgz001 on 2025-9-11 21:29.
There are already plenty of cracked versions of this software online; this is only a start, written so that the fellow members who have ideas can take a look. Of course, I may not have the time to finish updating this post. I have looked at the software for a few days and found a little, and I'm writing it up to share. It may not be useful and the analysis isn't finished, so let's take it slowly; I work during the day, so there's little time to look at it...
First, a word about debugging this software. It is split into a client and a server: the client handles display, and the main algorithm is in the server, usbredirectorsrv.exe, which the software copies into the system directory. I debugged the x64 version: open x64dbg as administrator, run the client usbredirector.exe first, then attach x64dbg, find the server usbredirectorsrv.exe and attach to it, set a breakpoint on ReadFile, and enter the registration code in the client. I used a genuine registration code that leaked online; it is the one shown below.
When you click OK, x64dbg breaks, and then the slow tracing begins. Everyone can tell at a glance that the registration code is base64, haha, so next let's see how the server decodes it....
I don't know why, but ALT+F9 in my x64dbg wouldn't return to the program's own code, so I went with F8 all the way. After passing through the ReadFile function for the third time you arrive at the address below.
00007FF6B0EACDB0 | 41:B9 01000000 | mov r9d,1 |
00007FF6B0EACDB6 | 44:8B4424 68 | mov r8d,dword ptr ss: |
00007FF6B0EACDBB | 48:8BD3 | mov rdx,rbx | rbx:"2cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM="
00007FF6B0EACDBE | 48:8B4F 68 | mov rcx,qword ptr ds: |
00007FF6B0EACDC2 | E8 F9CAFFFF | call usbredirectorsrv.7FF6B0EA98C0 | this is probably the base64 decode
Looking at the registers rcx, rdx, r8 and r9 you will find a length of 0x1B4, so the registration code is probably about to be base64-decoded. Step into it with F7 and take a look. Use F7 as much as possible: whenever you see a call, step into it. You may run into the VM, but don't be afraid; it is an early, old version and not that strong. You will arrive at the place below, where you see 0D 0A, which should be the format check.
00007FF6B0E923A0 | 41:83F9 02 | cmp r9d,2 |
00007FF6B0E923A4 | 7C 0F | jl usbredirectorsrv.7FF6B0E923B5 |
00007FF6B0E923A6 | 43:803C02 0D | cmp byte ptr ds:,D | r10+r8*1:"2cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM=", 0D:'\r'
00007FF6B0E923AB | 75 08 | jne usbredirectorsrv.7FF6B0E923B5 |
00007FF6B0E923AD | 43:807C02 01 0A | cmp byte ptr ds:,A | r10+r8*1+01:"cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM=", 0A:'\n'
00007FF6B0E923B3 | 74 2F | je usbredirectorsrv.7FF6B0E923E4 |
00007FF6B0E923B5 | 43:0FB60402 | movzx eax,byte ptr ds: | r10+r8*1:"2cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM="
00007FF6B0E923BA | 3C 0A | cmp al,A | 0A:'\n'
00007FF6B0E923BC | 74 26 | je usbredirectorsrv.7FF6B0E923E4 |
00007FF6B0E923BE | 3C 3D | cmp al,3D | 3D:'='
00007FF6B0E923C0 | 75 07 | jne usbredirectorsrv.7FF6B0E923C9 |
00007FF6B0E923C2 | FFC2 | inc edx |
00007FF6B0E923C4 | 83FA 02 | cmp edx,2 |
00007FF6B0E923C7 | 7F 4B | jg usbredirectorsrv.7FF6B0E92414 |
00007FF6B0E923C9 | 3C 7F | cmp al,7F |
00007FF6B0E923CB | 77 47 | ja usbredirectorsrv.7FF6B0E92414 |
00007FF6B0E923CD | 0FB6C0 | movzx eax,al |
00007FF6B0E923D0 | 41:8B0C84 | mov ecx,dword ptr ds: | r12 holds the base64 table
00007FF6B0E923D4 | 83F9 7F | cmp ecx,7F |
00007FF6B0E923D7 | 74 3B | je usbredirectorsrv.7FF6B0E92414 |
00007FF6B0E923D9 | 83F9 40 | cmp ecx,40 | 40:'@'
00007FF6B0E923DC | 7D 04 | jge usbredirectorsrv.7FF6B0E923E2 |
00007FF6B0E923DE | 85D2 | test edx,edx |
Keep going with F7, watching the values in the registers as you go. You will see that the base64 table is also stored differently from the usual way, like this:
00007FF6B0F1A978  00 00 00 00 00 00 00 00 41 00 00 00 42 00 00 00  ........A...B...
00007FF6B0F1A988  43 00 00 00 44 00 00 00 45 00 00 00 46 00 00 00  C...D...E...F...
00007FF6B0F1A998  47 00 00 00 48 00 00 00 49 00 00 00 4A 00 00 00  G...H...I...J...
00007FF6B0F1A9A8  4B 00 00 00 4C 00 00 00 4D 00 00 00 4E 00 00 00  K...L...M...N...
00007FF6B0F1A9B8  4F 00 00 00 50 00 00 00 51 00 00 00 52 00 00 00  O...P...Q...R...
00007FF6B0F1A9C8  53 00 00 00 54 00 00 00 55 00 00 00 56 00 00 00  S...T...U...V...
00007FF6B0F1A9D8  57 00 00 00 58 00 00 00 59 00 00 00 5A 00 00 00  W...X...Y...Z...
00007FF6B0F1A9E8  61 00 00 00 62 00 00 00 63 00 00 00 64 00 00 00  a...b...c...d...
00007FF6B0F1A9F8  65 00 00 00 66 00 00 00 67 00 00 00 68 00 00 00  e...f...g...h...
00007FF6B0F1AA08  69 00 00 00 6A 00 00 00 6B 00 00 00 6C 00 00 00  i...j...k...l...
00007FF6B0F1AA18  6D 00 00 00 6E 00 00 00 6F 00 00 00 70 00 00 00  m...n...o...p...
00007FF6B0F1AA28  71 00 00 00 72 00 00 00 73 00 00 00 74 00 00 00  q...r...s...t...
00007FF6B0F1AA38  75 00 00 00 76 00 00 00 77 00 00 00 78 00 00 00  u...v...w...x...
00007FF6B0F1AA48  79 00 00 00 7A 00 00 00 30 00 00 00 31 00 00 00  y...z...0...1...
00007FF6B0F1AA58  32 00 00 00 33 00 00 00 34 00 00 00 35 00 00 00  2...3...4...5...
00007FF6B0F1AA68  36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00  6...7...8...9...
00007FF6B0F1AA78  2B 00 00 00 2F 00 00 00 7F 00 00 00 7F 00 00 00  +.../...........
Keep going to the place below and you can see the base64 decode result; you can watch that memory address until the whole result is out.
00007FF6B0E92474 | 8842 FF | mov byte ptr ds:,al | store base64 output byte 1
00007FF6B0E92477 | 7E 0C | jle usbredirectorsrv.7FF6B0E92485 |
00007FF6B0E92479 | 41:8BC1 | mov eax,r9d |
00007FF6B0E9247C | C1E8 08 | shr eax,8 |
00007FF6B0E9247F | 48:FFC2 | inc rdx |
00007FF6B0E92482 | 8842 FF | mov byte ptr ds:,al | store base64 output byte 2
00007FF6B0E92485 | 41:83FA 02 | cmp r10d,2 |
00007FF6B0E92489 | 7E 06 | jle usbredirectorsrv.7FF6B0E92491 |
00007FF6B0E9248B | 44:880A | mov byte ptr ds:,r9b |
After running to the retn at the end of this block you will see the base64-decoded registration code; its length is 0x146.
Now you could say step two begins. Once the base64 decode is complete, keep going with F7 and you will find that we have walked into the author's VM, haha. Don't worry, though: we have the F7 key, and since it is an early version of the VM, F7 is all we need to see what we want. After a fair number of F7 presses you will arrive at the address below.
00007FF6B0F88BA4 | 81FD E536DB69 | cmp ebp,69DB36E5 |
00007FF6B0F88BAA | 83BC24 E8040000 10| cmp dword ptr ss:,10 | here the first 32 bytes of the base64 output are taken and stored split by odd/even position
Continue with F7 and forget about F8 for now. After N more F7 presses you come to the place below.
00007FF6B0EC9D40 | 0FB60410 | movzx eax,byte ptr ds: | start separating the odd- and even-position bytes
00007FF6B0EC9D44 | B2 2A | mov dl,2A | 2A:'*'
00007FF6B0EC9D46 | 48:8D1445 4FD98649| lea rdx,qword ptr ds:[rax*2+4986D9 |
00007FF6B0EC9D4E | 88840C D8040000 | mov byte ptr ss:,al | store an odd-position byte
00007FF6B0EC9D55 | 0FBEC0 | movsx eax,al |
A few more F7 presses later.... When stepping with F7, be sure to watch the values at the addresses held in the registers; otherwise I can't tell anything from the instructions alone.
00007FF6B0F459CA | 0FB60410 | movzx eax,byte ptr ds: | fetch an even-position byte
00007FF6B0F459CE | E9 1ACCFFFF | jmp usbredirectorsrv.7FF6B0F425ED|
00007FF6B0F78655 | 88840C C0040000 | mov byte ptr ss:,al | store an even-position byte
00007FF6B0F7865C | E9 5BA9FCFF | jmp usbredirectorsrv.7FF6B0F42FBC|
Finally, let's look at the result we get. Oops, I forgot to look at the even-position bytes in memory, how embarrassing; please take a look at those yourselves.
000000000188FCA8  D9 EA BE AA A4 FB 4F A5 01 80 C6 72 EB 8C B7 F9  Ùê¾ª¤ûO¥..Ærë.·ù
000000000188FCB8  10 00 00 00 00 00 00 00 F4 01 00 00 00 00 00 00  ........ô.......
Comparing this with the base64 decode result, our guess was right. Quietly pleased...
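As an added illustration (written for this edit, not code from the post or from usbredirectorsrv.exe), here is a Python base64 decoder whose control flow follows the branches in the decode listing above: CR/LF are skipped, at most two '=' are accepted, bytes above 0x7F are rejected, and characters are looked up in a one-DWORD-per-character table in which 0x7F marks an invalid character and values of 0x40 or more carry no data; it ends with the odd/even split of the first 32 decoded bytes described just above. The sample input is constructed, and mapping '=' to the table value 0x40 is an assumption that fits the observed cmp ecx,40 branch.

```python
import base64
import struct

ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
INVALID = 0x7F   # table value the server rejects (cmp ecx,7F / je error)
NO_DATA = 0x40   # >= 0x40 carries no bits (cmp ecx,40 / jge); '=' -> 0x40 is assumed


def build_decode_table() -> bytes:
    """One little-endian DWORD per input byte 0..0x7F, the layout implied by
    mov ecx,dword ptr [r12+rax*4] (r12 = table, al = input character)."""
    table = [INVALID] * 128
    for value, ch in enumerate(ALPHABET):
        table[ch] = value
    table[ord("=")] = NO_DATA
    return struct.pack("<128I", *table)


def decode_like_srv(text: bytes, table: bytes = build_decode_table()) -> bytes:
    """Base64 decode with the accept/reject decisions seen in the listing."""
    out = bytearray()
    acc = nbits = pad = 0
    for c in text:
        if c in (0x0D, 0x0A):           # cmp byte,0D / cmp al,0A: skip CR LF
            continue
        if c == 0x3D:                   # '=': inc edx; cmp edx,2; jg error
            pad += 1
            if pad > 2:
                raise ValueError("more than two padding characters")
        if c > 0x7F:                    # cmp al,7F; ja error
            raise ValueError("byte outside the 7-bit table: %#x" % c)
        val = struct.unpack_from("<I", table, c * 4)[0]
        if val == INVALID:              # cmp ecx,7F; je error
            raise ValueError("character not in alphabet: %#x" % c)
        if val >= NO_DATA:              # cmp ecx,40; jge: nothing to add
            continue
        if pad:                         # test edx,edx: data after '=' is bad
            raise ValueError("data after padding")
        acc = (acc << 6) | val
        nbits += 6
        if nbits >= 8:                  # a full output byte is ready
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def split_header(decoded: bytes) -> tuple:
    """De-interleave the first 32 decoded bytes as the post describes: bytes at
    positions 1,3,5,... (0-based 0,2,4,...) and at 2,4,6,... give two 16-byte arrays."""
    head = decoded[:32]
    return head[0::2], head[1::2]


def demo() -> tuple:
    """Constructed sample (not a real registration code): 40 bytes, base64
    encoded and wrapped into 32-character CRLF lines like the blob in the post."""
    sample = bytes((i * 37 + 11) & 0xFF for i in range(40))
    enc = base64.b64encode(sample)
    wrapped = b"\r\n".join(enc[i:i + 32] for i in range(0, len(enc), 32))
    decoded = decode_like_srv(wrapped)
    assert decoded == sample            # agrees with the standard decoder
    return split_header(decoded)
```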
Next should come the use of these two 16-byte arrays. Continuing with F7 inside the VM you will see an initialization. I looked at this spot many times and finally asked an AI, which said it is RC4, haha. Well done, AI.
00007FF6B0E94DF0 | 894481 08 | mov dword ptr ds:,eax | initialize a 0x100-byte buffer and fill it with 00-FF
00007FF6B0E94DF4 | 48:FFC0 | inc rax |
00007FF6B0E94DF7 | 48:3D 00010000 | cmp rax,100 |
00007FF6B0E94DFD | 72 F1 | jb usbredirectorsrv.7FF6B0E94DF0 |
Continuing with F7 and comparing against RC4 source code found online, I found that the RC4 key here is the 16 odd-position bytes from the first 32 bytes of the base64 output; this will come up again later. I also ran into a lot of trouble using RC4 tools: the little toy tool from member 789 on the forum didn't match, so I switched to another tool.... Nothing comes that easily; that's probably what being a newbie means...
We can observe the RC4 decryption result in memory and compare it with what the tool computes; they are exactly the same, haha.
Continuing with F7 inside the VM, you will come to code that any member here can see through at a glance:
00007FF6B0E94A90 | 33C0 | xor eax,eax | MD5 initialization
00007FF6B0E94A92 | C701 01234567 | mov dword ptr ds:,67452301 |
00007FF6B0E94A98 | C741 04 89ABCDEF | mov dword ptr ds:,EFCDAB89|
00007FF6B0E94A9F | C741 08 FEDCBA98 | mov dword ptr ds:,98BADCFE|
00007FF6B0E94AA6 | C741 0C 76543210 | mov dword ptr ds:,10325476|
00007FF6B0E94AAD | 48:8941 10 | mov qword ptr ds:,rax |
00007FF6B0E94AB1 | 8941 18 | mov dword ptr ds:,eax |
Since we are inside the author's VM, all we can do is keep going with F7. Gradually you will find that the length of the data to be MD5-hashed is 0x126. It is worth comparing against MD5 source code here to get familiar with it. Continuing on, you will see MD5 run over the 0x126 bytes of RC4 output.
Waiting at the MD5 initialization address for the final hash result, you get the following value:
000000000173FC30  C5 95 2D ED 7D C9 39 A1 5A 31 38 D7 0E 95 77 70  Å.-í}É9¡Z18×..wp
Then we compute it with a member's tool and compare, to see whether they agree.
The results are exactly the same, great, it matches again. Clever members will remember the 16 even-position bytes from the first 32 bytes of the base64 output: they are identical to this MD5 result, so this counts as one check, call it a data integrity check. Continuing through the VM, we reach the place where this MD5 is checked.
00007FF739DC101E | 74 9B | je usbredirectorsrv.7FF739DC0FBB |
00007FF739DC1020 | 48:8B01 | mov rax,qword ptr ds: | rcx points to the even-position bytes from the base64 output
00007FF739DC1023 | 48:3B040A | cmp rax,qword ptr ds: | rdx+rcx: the first time, the MD5 of the following 0x126 bytes,
00007FF739DC1027 | 75 1B | jne usbredirectorsrv.7FF739DC1044 | rdx+rcx may also hold a blacklist;
00007FF739DC1029 | 48:83C1 08 | add rcx,8 | both are compared here
00007FF739DC102D | 49:FFC9 | dec r9 |
00007FF739DC1030 | 75 EE | jne usbredirectorsrv.7FF739DC1020 |
00007FF739DC1032 | 49:83E0 07 | and r8,7 |
00007FF739DC1036 | EB 83 | jmp usbredirectorsrv.7FF739DC0FBB |
00007FF739DC1038 | 48:83C1 08 | add rcx,8 |
00007FF739DC103C | 48:83C1 08 | add rcx,8 |
00007FF739DC1040 | 48:83C1 08 | add rcx,8 |
00007FF739DC1044 | 48:8B0C11 | mov rcx,qword ptr ds: |
00007FF739DC1048 | 48:0FC8 | bswap rax |
00007FF739DC104B | 48:0FC9 | bswap rcx |
The place above is fairly critical. After the integrity check passes we arrive here:
00007FF739DC0FBB | 4D:85C0 | test r8,r8 |
00007FF739DC0FBE | 74 0F | je usbredirectorsrv.7FF739DC0FCF |
00007FF739DC0FC0 | 8A01 | mov al,byte ptr ds: |
00007FF739DC0FC2 | 3A040A | cmp al,byte ptr ds: |
00007FF739DC0FC5 | 75 0C | jne usbredirectorsrv.7FF739DC0FD3 |
00007FF739DC0FC7 | 48:FFC1 | inc rcx |
00007FF739DC0FCA | 49:FFC8 | dec r8 |
00007FF739DC0FCD | 75 F1 | jne usbredirectorsrv.7FF739DC0FC0 |
00007FF739DC0FCF | 48:33C0 | xor rax,rax | when the first MD5 comparison passes, execution comes here
00007FF739DC0FD2 | C3 | ret |
Continuing on, we come to another data-length check in the VM, for this same 0x126 length, which the VM verifies as well. First let's see how this length is computed in the VM:
00007FF739E2430E | 66:0FB6CA | movzx cx,dl |
00007FF739E24312 | 66:0FBEC0 | movsx ax,al |
00007FF739E24316 | 80D4 75 | adc ah,75 |
00007FF739E24319 | 0FBAE5 02 | bt ebp,2 |
00007FF739E2431D | 48:8B4424 60 | mov rax,qword ptr ss: | address of the base64-decoded data -----> rax
00007FF739E24322 | D2DA | rcr dl,cl |
00007FF739E24324 | 48:894424 28 | mov qword ptr ss:,rax | save the address to a temporary slot
00007FF739E24329 | 66:0FA3F2 | bt dx,si |
00007FF739E2432D | 0FA3E6 | bt esi,esp |
00007FF739E24330 | 48:8B4424 28 | mov rax,qword ptr ss: |
00007FF739E24335 | D3D1 | rcl ecx,cl |
00007FF739E24337 | F6DD | neg ch |
00007FF739E24339 | 66:0FCA | bswap dx |
00007FF739E2433C | 66:A9 AF5C | test ax,5CAF |
00007FF739E24340 | 0FB648 20 | movzx ecx,byte ptr ds: | fetch data byte 1
00007FF739E24344 | 3C C8 | cmp al,C8 |
00007FF739E24346 | 66:09F0 | or ax,si |
00007FF739E24349 | 20F2 | and dl,dh |
00007FF739E2434B | 48:8B4424 28 | mov rax,qword ptr ss: |
00007FF739E24350 | 80DE 2B | sbb dh,2B |
00007FF739E24353 | D3E2 | shl edx,cl |
00007FF739E24355 | C6C6 C1 | mov dh,C1 |
00007FF739E24358 | 0FB640 21 | movzx eax,byte ptr ds: | fetch data byte 2
00007FF739E2435C | 66:D3C2 | rol dx,cl |
00007FF739E2435F | 66:0FBAFA 0B | btc dx,B |
00007FF739E24364 | 48:F7DA | neg rdx |
00007FF739E24367 | 48:8D5401 2A | lea rdx,qword ptr ds: | add the two values together plus 2A
00007FF739E2436C | 66:81F1 2A35 | xor cx,352A |
00007FF739E24371 | 48:8B4424 28 | mov rax,qword ptr ss: |
00007FF739E24376 | 66:81F1 4F78 | xor cx,784F |
00007FF739E2437B | C0C1 04 | rol cl,4 |
00007FF739E2437E | 0FB740 22 | movzx eax,word ptr ds: | fetch data word 3
00007FF739E24382 | D2D9 | rcr cl,cl |
00007FF739E24384 | 66:0FB3C9 | btr cx,cx |
00007FF739E24388 | 48:03D0 | add rdx,rax | add it to the sum above
00007FF739E2438B | 10D4 | adc ah,dl |
00007FF739E2438D | F6D8 | neg al |
00007FF739E2438F | FECD | dec ch |
00007FF739E24391 | 48:8B4424 28 | mov rax,qword ptr ss: |
00007FF739E24396 | 48:8D8D B3E08BD8 | lea rcx,qword ptr ss: |
00007FF739E2439D | 66:81E9 ABAF | sub cx,AFAB |
00007FF739E243A2 | 0FB748 24 | movzx ecx,word ptr ds: | fetch data word 4
00007FF739E243A6 | D2C0 | rol al,cl |
00007FF739E243A8 | D2C4 | rol ah,cl |
00007FF739E243AA | 48:8BC2 | mov rax,rdx | computed result ----> rax
00007FF739E200E1 | 48:03C1 | add rax,rcx | add data word 4 as well ----> rax
00007FF739E200E4 | F6C3 92 | test bl,92 |
00007FF739E200E7 | 894424 20 | mov dword ptr ss:,eax | save the result to a temporary slot
00007FF739E200EB | 66:D3C0 | rol ax,cl |
00007FF739E200EE | 8B4424 68 | mov eax,dword ptr ss: | length of the decrypted data ---> eax
00007FF739E200F2 | F5 | cmc |
00007FF739E200F3 | F9 | stc |
00007FF739E200F4 | 394424 20 | cmp dword ptr ss:,eax | check the length
00007FF739E200F8 | E9 3E99FEFF | jmp usbredirectorsrv.7FF739E09A3B |
This is actually a number computed from a dword at offset +0x40 of the base64 decode result:
4C 4C 64 00
These four bytes give the data length, computed as follows:
4C + 4C + 2A = C2
C2 + 64 + 00 = 126 ------ the length
Continuing with F7 in the VM we come to another check, this time of the two 16-byte arrays at offsets +0x20 and +0x30 of the base64 output. First we follow into the MD5 initialization spot from before and find that the 16 bytes at 0x20 are MD5-hashed first:
000000000173F6D0  01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10  .#Eg.«Íïþܺ.vT2.
000000000173F6E0  80 00 00 00 00 00 00 00 00 00 00 00 41 81 E3 51  ............A.ãQ
000000000173F6F0  1F 68 B4 86 58 E6 E6 4F 16 BB 9B 69 00 00 00 00  .h´.XææO.».i....
000000000173F700  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000000173F710  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
You get a result; at the same time we compute it with a member's tool and compare.
Result in memory:
000000000173F6D0  63 CB E5 66 A2 8A AB C4 11 B8 7B 5C 47 A5 5C E2  cËåf¢.«Ä.¸{\G¥\â
000000000173F6E0  80 00 00 00 00 00 00 00 10 00 00 00 41 81 E3 51  ............A.ãQ
000000000173F6F0  1F 68 B4 86 58 E6 E6 4F 16 BB 9B 69 80 00 00 00  .h´.XææO.».i....
000000000173F700  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000000173F710  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Result from the member's tool:
Comparing the two, the results match again. This MD5 result is then used as an XOR key in an XOR computation inside the VM. Continuing to F7 through the VM, we can see the computation:
00007FF739E20E1E | 48:638C24 AC000000| movsxd rcx,dword ptr ss: | this is the counter -----> rcx
00007FF739E20E26 | 0FC0C6 | xadd dh,al |
00007FF739E20E29 | 48:8B8424 D0000000| mov rax,qword ptr ss: | fetch the address of the base64-decoded data
00007FF739E20E31 | 66:89C2 | mov dx,ax |
00007FF739E20E34 | D3FA | sar edx,cl |
00007FF739E20E36 | 0FB60408 | movzx eax,byte ptr ds: | fetch operand byte 1
00007FF739E20E3A | C0F5 05 | shl ch,5 |
00007FF739E20E3D | 66:0FADE2 | shrd dx,sp,cl |
00007FF739E20E41 | 66:0FABEA | bts dx,bp |
00007FF739E20E45 | 888424 90000000 | mov byte ptr ss:,al | save byte 1 to a temporary slot
00007FF739E20E4C | F8 | clc |
00007FF739E20E4D | 80C9 2C | or cl,2C |
00007FF739E20E50 | 86EA | xchg dl,ch |
00007FF739E20E52 | 38F5 | cmp ch,dh |
00007FF739E20E54 | 48:638424 AC000000| movsxd rax,dword ptr ss: | index ----> rax
00007FF739E20E5C | F9 | stc |
00007FF739E20E5D | 66:0FBDCA | bsr cx,dx |
00007FF739E20E61 | 0FB68404 98000000 | movzx eax,byte ptr ss: | fetch the key byte used for decryption -----> eax
00007FF739E20E69 | 48:19CA | sbb rdx,rcx |
00007FF739E20E6C | 80F9 66 | cmp cl,66 | 66:'f'
00007FF739E20E6F | 66:0FACEA 0B | shrd dx,bp,B |
00007FF739E20E74 | 66:29E2 | sub dx,sp |
00007FF739E20E77 | 888424 A8000000 | mov byte ptr ss:,al | save the key byte to a temporary slot
00007FF739E20E7E | 66:1D 8DD5 | sbb ax,D58D |
00007FF739E20E82 | 38F7 | cmp bh,dh |
00007FF739E20E84 | 0FC9 | bswap ecx |
00007FF739E20E86 | 48:638C24 AC000000| movsxd rcx,dword ptr ss: | index ----> rcx
00007FF739E20E8E | F6C3 B5 | test bl,B5 |
00007FF739E20E91 | 66:F7D0 | not ax |
00007FF739E20E94 | F9 | stc |
00007FF739E20E95 | 48:8B8424 D8000000| mov rax,qword ptr ss: | address of the comparison target -----> rax
00007FF739E20E9D | 66:0FCA | bswap dx |
00007FF739E20EA0 | 30F6 | xor dh,dh |
00007FF739E20EA2 | 0FB61408 | movzx edx,byte ptr ds: | fetch base64-output byte 1 ---- the expected result
00007FF739E20EA6 | 66:D3F9 | sar cx,cl |
00007FF739E20EA9 | 66:91 | xchg cx,ax |
00007FF739E20EAB | 0FB68424 90000000 | movzx eax,byte ptr ss: | fetch base64-output byte 2 ---- operand of the computation
00007FF739E20EB3 | C0CD 04 | ror ch,4 |
00007FF739E20EB6 | 0FB68C24 A8000000 | movzx ecx,byte ptr ss: | fetch the key byte for the computation
00007FF739E20EBE | F5 | cmc |
00007FF739E20EBF | 33C1 | xor eax,ecx | XOR the two --- key xor byte 2
00007FF739E20EC1 | 48:0FBAE1 3B | bt rcx,3B |
00007FF739E20EC6 | 0FA3ED | bt ebp,ebp |
00007FF739E20EC9 | 80FA C2 | cmp dl,C2 |
This is actually just the simple computation below, lightly VM-obfuscated so it doesn't look pretty. Patient members only need to press F7 a few more times to see it clearly; after all, the VM is an early version.
0000000000F84060  41 81 E3 51 1F 68 B4 86 58 E6 E6 4F 16 BB 9B 69  <-------------- S1
0000000000F84070  22 4A 06 37 BD E2 1F 42 49 5E 9D 13 51 1E C7 8B  <-------------- S2
000000000188F738  63 CB E5 66 A2 8A AB C4 11 B8 7B 5C 47 A5 5C E2  <-------------- key = md5(S1)
Check: S2 == S1 xor key
Replies:
Reserved for additions. Reserved for additions. Reserved for additions. (This post was last edited by wgz001 on 2025-9-8 06:20.)
Reserved for additions. (This post was last edited by wgz001 on 2025-9-8 06:20.)
Reserved for additions.
Using this registration code still requires cracking two files first.
Super moderator is awesome, thanks for sharing.
Reserving a spot to watch and learn carefully {:victory:}
Thanks for sharing.