This post was last edited by wgz001 on 2025-9-9 19:50
There are already plenty of cracked versions of this software online; this post is only a starting point for the bros who have ideas of their own. Of course, I may not have time to finish updating it. I have looked at the software for a few days and found a little bit, so I am writing it up to share; it may not be useful, the analysis isn't finished, and I'll take it slowly, since I work days and have little time to look...
First, a word on debugging this software. It is split into a client and a server: the client handles display, the main algorithm lives in the server usbredirectorsrv.exe, and the software copies the server into the system directory. I debugged the x64 version: open x64dbg as administrator, first run the client usbredirector.exe, then attach x64dbg, find the server usbredirectorsrv.exe and attach to it, set a breakpoint on ReadFile, and enter the registration code in the client. I used a genuine registration code leaked online, namely the one below
2cXqlb4tqu2kffvJTzmloQFagDHGOHLX
6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQ
vN9eXJPx9VPYC3EeldBeWJfIMt9oGMDn
gsKrxKIhDx4Ct8Yp1j20etTcpXfzFttz
gJexmQFwrVVvdUJYaxki4fod1Gm4Y2Op
MmyGmtCOBC+ij4vXyv2CyDqjlL2meBGj
Ks+ot/2WyQZak3gUpPsADoZf2BFhXJDn
AwVaGNMPF3zmMfLOgTa07QVrXicFInq9
ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9
jzISa4Ft5GDI0NwV8L45/TUtb576JsMY
RiFIH/eJn26J1jj2dDJOvgcur3h4F8mO
fjsWpMUXq8D6u5j9fli+DMfyMXtZEm7J
KL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3
HeOAmbQH8mJswsUplpM=
When you click OK, x64dbg breaks, and from there we slowly start tracing. The bros can tell at a glance that this registration code is base64, haha, so next let's see how the server decodes it....
I don't know why, but my x64dbg cannot return to the program's own code with ALT+F9, so I just F8'd along; after passing through the ReadFile function for the third time you arrive at the address below
00007FF6B0EACDB0 | 41:B9 01000000 | mov r9d,1 |
00007FF6B0EACDB6 | 44:8B4424 68 | mov r8d,dword ptr ss:[rsp+68] |
00007FF6B0EACDBB | 48:8BD3 | mov rdx,rbx | rbx:"2cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM="
00007FF6B0EACDBE | 48:8B4F 68 | mov rcx,qword ptr ds:[rdi+68] |
00007FF6B0EACDC2 | E8 F9CAFFFF | call usbredirectorsrv.7FF6B0EA98C0 | this is probably the base64 decode
Looking at registers rcx, rdx, r8 and r9 you will notice a length of 0x1B4, so the registration code is probably about to be base64-decoded. We F7 into it to take a look. Use F7 as much as possible and step into every call you see; you may run into the VM, but no need to be afraid, this is an early old version and not that strong. You will arrive at the place below; seeing 0D 0A, this should be a format check
00007FF6B0E923A0 | 41:83F9 02 | cmp r9d,2 |
00007FF6B0E923A4 | 7C 0F | jl usbredirectorsrv.7FF6B0E923B5 |
00007FF6B0E923A6 | 43:803C02 0D | cmp byte ptr ds:[r10+r8],D | r10+r8*1:"2cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM=", 0D:'\r'
00007FF6B0E923AB | 75 08 | jne usbredirectorsrv.7FF6B0E923B5 |
00007FF6B0E923AD | 43:807C02 01 0A | cmp byte ptr ds:[r10+r8+1],A | r10+r8*1+01:"cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM=", 0A:'\n'
00007FF6B0E923B3 | 74 2F | je usbredirectorsrv.7FF6B0E923E4 |
00007FF6B0E923B5 | 43:0FB60402 | movzx eax,byte ptr ds:[r10+r8] | r10+r8*1:"2cXqlb4tqu2kffvJTzmloQFagDHGOHLX6w6Mlbd3+XACtXun3kGOtMsF84TgAWBQvN9eXJPx9VPYC3EeldBeWJfIMt9oGMDngsKrxKIhDx4Ct8Yp1j20etTcpXfzFttzgJexmQFwrVVvdUJYaxki4fod1Gm4Y2OpMmyGmtCOBC+ij4vXyv2CyDqjlL2meBGjKs+ot/2WyQZak3gUpPsADoZf2BFhXJDnAwVaGNMPF3zmMfLOgTa07QVrXicFInq9ZuXfS/2NLg/rlfwvuOoKE3ROuMo4MkU9jzISa4Ft5GDI0NwV8L45/TUtb576JsMYRiFIH/eJn26J1jj2dDJOvgcur3h4F8mOfjsWpMUXq8D6u5j9fli+DMfyMXtZEm7JKL8UgwqH6/rR1QI2TUQmbEN+oH+slXO3HeOAmbQH8mJswsUplpM="
00007FF6B0E923BA | 3C 0A | cmp al,A | 0A:'\n'
00007FF6B0E923BC | 74 26 | je usbredirectorsrv.7FF6B0E923E4 |
00007FF6B0E923BE | 3C 3D | cmp al,3D | 3D:'='
00007FF6B0E923C0 | 75 07 | jne usbredirectorsrv.7FF6B0E923C9 |
00007FF6B0E923C2 | FFC2 | inc edx |
00007FF6B0E923C4 | 83FA 02 | cmp edx,2 |
00007FF6B0E923C7 | 7F 4B | jg usbredirectorsrv.7FF6B0E92414 |
00007FF6B0E923C9 | 3C 7F | cmp al,7F |
00007FF6B0E923CB | 77 47 | ja usbredirectorsrv.7FF6B0E92414 |
00007FF6B0E923CD | 0FB6C0 | movzx eax,al |
00007FF6B0E923D0 | 41:8B0C84 | mov ecx,dword ptr ds:[r12+rax*4] | R12 holds the base64 table
00007FF6B0E923D4 | 83F9 7F | cmp ecx,7F |
00007FF6B0E923D7 | 74 3B | je usbredirectorsrv.7FF6B0E92414 |
00007FF6B0E923D9 | 83F9 40 | cmp ecx,40 | 40:'@'
00007FF6B0E923DC | 7D 04 | jge usbredirectorsrv.7FF6B0E923E2 |
00007FF6B0E923DE | 85D2 | test edx,edx |
Keep going with F7 and watch the values in the registers while stepping; you will see that the base64 table is also stored differently from the usual way, like this
00007FF6B0F1A978 00 00 00 00 00 00 00 00 41 00 00 00 42 00 00 00 ........A...B...
00007FF6B0F1A988 43 00 00 00 44 00 00 00 45 00 00 00 46 00 00 00 C...D...E...F...
00007FF6B0F1A998 47 00 00 00 48 00 00 00 49 00 00 00 4A 00 00 00 G...H...I...J...
00007FF6B0F1A9A8 4B 00 00 00 4C 00 00 00 4D 00 00 00 4E 00 00 00 K...L...M...N...
00007FF6B0F1A9B8 4F 00 00 00 50 00 00 00 51 00 00 00 52 00 00 00 O...P...Q...R...
00007FF6B0F1A9C8 53 00 00 00 54 00 00 00 55 00 00 00 56 00 00 00 S...T...U...V...
00007FF6B0F1A9D8 57 00 00 00 58 00 00 00 59 00 00 00 5A 00 00 00 W...X...Y...Z...
00007FF6B0F1A9E8 61 00 00 00 62 00 00 00 63 00 00 00 64 00 00 00 a...b...c...d...
00007FF6B0F1A9F8 65 00 00 00 66 00 00 00 67 00 00 00 68 00 00 00 e...f...g...h...
00007FF6B0F1AA08 69 00 00 00 6A 00 00 00 6B 00 00 00 6C 00 00 00 i...j...k...l...
00007FF6B0F1AA18 6D 00 00 00 6E 00 00 00 6F 00 00 00 70 00 00 00 m...n...o...p...
00007FF6B0F1AA28 71 00 00 00 72 00 00 00 73 00 00 00 74 00 00 00 q...r...s...t...
00007FF6B0F1AA38 75 00 00 00 76 00 00 00 77 00 00 00 78 00 00 00 u...v...w...x...
00007FF6B0F1AA48 79 00 00 00 7A 00 00 00 30 00 00 00 31 00 00 00 y...z...0...1...
00007FF6B0F1AA58 32 00 00 00 33 00 00 00 34 00 00 00 35 00 00 00 2...3...4...5...
00007FF6B0F1AA68 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 6...7...8...9...
00007FF6B0F1AA78 2B 00 00 00 2F 00 00 00 7F 00 00 00 7F 00 00 00 +.../...........
Continue to the place below and you can see the base64 decode result; you can go to that memory address and wait for the complete result to appear
00007FF6B0E92474 | 8842 FF | mov byte ptr ds:[rdx-1],al | store base64 decode result byte 1
00007FF6B0E92477 | 7E 0C | jle usbredirectorsrv.7FF6B0E92485 |
00007FF6B0E92479 | 41:8BC1 | mov eax,r9d |
00007FF6B0E9247C | C1E8 08 | shr eax,8 |
00007FF6B0E9247F | 48:FFC2 | inc rdx |
00007FF6B0E92482 | 8842 FF | mov byte ptr ds:[rdx-1],al | store base64 decode result byte 2
00007FF6B0E92485 | 41:83FA 02 | cmp r10d,2 |
00007FF6B0E92489 | 7E 06 | jle usbredirectorsrv.7FF6B0E92491 |
00007FF6B0E9248B | 44:880A | mov byte ptr ds:[rdx],r9b |
After running to the retn at the end of this segment you will see the base64-decoded registration code; its length is 0x146:
$ ==> D9 C5 EA 95 BE 2D AA ED A4 7D FB C9 4F 39 A5 A1 ÙÅê.¾-ªí¤}ûÉO9¥¡
$+10 01 5A 80 31 C6 38 72 D7 EB 0E 8C 95 B7 77 F9 70 .Z.1Æ8r×ë...·wùp
$+20 02 B5 7B A7 DE 41 8E B4 CB 05 F3 84 E0 01 60 50 .µ{§ÞA.´Ë.ó.à.`P
$+30 BC DF 5E 5C 93 F1 F5 53 D8 0B 71 1E 95 D0 5E 58 ¼ß^\.ñõSØ.q..Ð^X
$+40 97 C8 32 DF 68 18 C0 E7 82 C2 AB C4 A2 21 0F 1E .È2ßh.Àç.«Ģ!..
$+50 02 B7 C6 29 D6 3D B4 7A D4 DC A5 77 F3 16 DB 73 .·Æ)Ö=´zÔÜ¥wó.Ûs
$+60 80 97 B1 99 01 70 AD 55 6F 75 42 58 6B 19 22 E1 ..±..p.UouBXk."á
$+70 FA 1D D4 69 B8 63 63 A9 32 6C 86 9A D0 8E 04 2F ú.Ôi¸cc©2l..Ð../
$+80 A2 8F 8B D7 CA FD 82 C8 3A A3 94 BD A6 78 11 A3 ¢..×Êý.È:£.½¦x.£
$+90 2A CF A8 B7 FD 96 C9 06 5A 93 78 14 A4 FB 00 0E *Ϩ·ý.É.Z.x.¤û..
$+A0 86 5F D8 11 61 5C 90 E7 03 05 5A 18 D3 0F 17 7C ._Ø.a\.ç..Z.Ó..|
$+B0 E6 31 F2 CE 81 36 B4 ED 05 6B 5E 27 05 22 7A BD æ1òÎ.6´í.k^'."z½
$+C0 66 E5 DF 4B FD 8D 2E 0F EB 95 FC 2F B8 EA 0A 13 fåßKý...ë.ü/¸ê..
$+D0 74 4E B8 CA 38 32 45 3D 8F 32 12 6B 81 6D E4 60 tN¸Ê82E=.2.k.mä`
$+E0 C8 D0 DC 15 F0 BE 39 FD 35 2D 6F 9E FA 26 C3 18 ÈÐÜ.ð¾9ý5-o.ú&Ã.
$+F0 46 21 48 1F F7 89 9F 6E 89 D6 38 F6 74 32 4E BE F!H.÷..n.Ö8öt2N¾
$+100 07 2E AF 78 78 17 C9 8E 7E 3B 16 A4 C5 17 AB C0 ..¯xx.É.~;.¤Å.«À
$+110 FA BB 98 FD 7E 58 BE 0C C7 F2 31 7B 59 12 6E C9 ú».ý~X¾.Çò1{Y.nÉ
$+120 28 BF 14 83 0A 87 EB FA D1 D5 02 36 4D 44 26 6C (¿....ëúÑÕ.6MD&l
$+130 43 7E A0 7F AC 95 73 B7 1D E3 80 99 B4 07 F2 62 C~ .¬.s·.ã..´.òb
$+140 6C C2 C5 29 96 93 B9 08 FD CC 8A F1 A8 0A 00 80 lÂÅ)..¹.ýÌ.ñ¨...
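To make the decoding loop traced above easier to follow, here is a Python model of it. This is an added example, not code from the post or from the software: it applies the acceptance rules visible in the instructions (CR/LF skipped, at most two '=' pads, bytes above 0x7F rejected, a table lookup in which 0x7F marks characters outside the alphabet) and includes a length check that reproduces the relationship between the 0x1B4 input characters and the 0x146 output bytes mentioned in the text. That the table is indexed by input character and holds the 6-bit value is an assumption read off the instruction sequence; all inputs are constructed, and the registration code from the post is not used.

```python
# Added example (not from the original post): a Python model of the base64 decoding
# loop traced above. CR/LF are skipped, at most two '=' pads are accepted, bytes
# above 0x7F are rejected, and the lookup table marks non-alphabet bytes with 0x7F.
# Inputs are constructed; the registration code from the post is not used.
import base64

B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
INVALID = 0x7F  # sentinel for "not a base64 character", as in the traced table


def build_decode_table():
    """Table indexed by input byte (0..0x7F) giving the 6-bit value, INVALID elsewhere.
    Assumption: the traced dword table (mov ecx,[r12+rax*4]) is indexed the same way."""
    table = [INVALID] * 128
    for value, ch in enumerate(B64_ALPHABET):
        table[ch] = value
    return table


DECODE_TABLE = build_decode_table()


def b64_decode_traced(data: bytes) -> bytes:
    """Decode with the same acceptance rules the traced loop enforces."""
    out = bytearray()
    acc = 0     # bit accumulator (the trace builds 24-bit groups in r9d)
    nbits = 0
    pads = 0    # edx in the trace: number of '=' seen, must stay <= 2
    for b in data:
        if b in (0x0D, 0x0A):           # cmp ...,D / cmp ...,A: skip CR and LF
            continue
        if b == 0x3D:                   # cmp al,3D: '=' padding
            pads += 1
            if pads > 2:                # cmp edx,2 / jg fail
                raise ValueError("more than two '=' pads")
            continue
        if b > 0x7F:                    # cmp al,7F / ja fail
            raise ValueError("byte %#x is not ASCII" % b)
        value = DECODE_TABLE[b]
        if value == INVALID:            # cmp ecx,7F / je fail
            raise ValueError("%r is not a base64 character" % chr(b))
        if pads:                        # test edx,edx: data after padding is an error
            raise ValueError("data after padding")
        acc = (acc << 6) | value
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1     # keep only the not-yet-emitted bits
    # fewer than 8 leftover bits are the encoder's zero fill and carry no data
    return bytes(out)


def decode_or_none(data: bytes):
    """Convenience wrapper: None when the input violates the acceptance rules."""
    try:
        return b64_decode_traced(data)
    except ValueError:
        return None


def decoded_length(encoded_chars: int, pads: int) -> int:
    """Decoded size of a base64 text of `encoded_chars` characters (CR/LF excluded),
    `pads` of which are '='. 0x1B4 characters with one '=' give the 0x146 bytes
    observed in the trace."""
    return (encoded_chars - pads) * 6 // 8


def roundtrip_ok(payload: bytes) -> bool:
    """Cross-check against the standard library encoder, with a CRLF inserted."""
    enc = base64.b64encode(payload)
    enc = enc[:4] + b"\r\n" + enc[4:]
    return b64_decode_traced(enc) == payload


if __name__ == "__main__":
    print(b64_decode_traced(b"aGVs\r\nbG8="))      # b'hello'
    print(hex(decoded_length(0x1B4, 1)))         # 0x146
```

The accumulator form is equivalent to the 24-bit group the traced code assembles in r9d and then writes out with `shr eax,8` one byte at a time; the rejection branches map one-to-one onto the jumps to 7FF6B0E92414.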
Now we can say step two begins. Once base64 decoding is complete, keep pressing F7 and you will find you have walked into the author's VM, haha, but no fear, we have the F7 key; since this is a low version of the VM, we just F7 and watch for the things we want. After a bunch of F7 you arrive at the address below
00007FF6B0F88BA4 | 81FD E536DB69 | cmp ebp,69DB36E5 |
00007FF6B0F88BAA | 83BC24 E8040000 10 | cmp dword ptr ss:[rsp+4E8],10 | here it takes the first 32 bytes of the base64 decode result and stores them split by odd and even positions
Keep F7'ing and forget F8 for now; after N more F7s you come to the place below
00007FF6B0EC9D40 | 0FB60410 | movzx eax,byte ptr ds:[rax+rdx] | start separating odd- and even-position bytes
00007FF6B0EC9D44 | B2 2A | mov dl,2A | 2A:'*'
00007FF6B0EC9D46 | 48:8D1445 4FD98649 | lea rdx,qword ptr ds:[rax*2+4986D9 |
00007FF6B0EC9D4E | 88840C D8040000 | mov byte ptr ss:[rsp+rcx+4D8],al | store odd-position byte
00007FF6B0EC9D55 | 0FBEC0 | movsx eax,al |
A few more F7s later.... When F7'ing, be sure to watch the values at the addresses held in the registers; otherwise I can't tell anything from the instructions alone
00007FF6B0F459CA | 0FB60410 | movzx eax,byte ptr ds:[rax+rdx] | fetch even-position byte
00007FF6B0F459CE | E9 1ACCFFFF | jmp usbredirectorsrv.7FF6B0F425ED |
00007FF6B0F78655 | 88840C C0040000 | mov byte ptr ss:[rsp+rcx+4C0],al | store even-position byte
00007FF6B0F7865C | E9 5BA9FCFF | jmp usbredirectorsrv.7FF6B0F42FBC |
Finally let's look at the result we got. Oops, I forgot to look at the even-position bytes in memory, awkward; bros, check them yourselves
000000000188FCA8 D9 EA BE AA A4 FB 4F A5 01 80 C6 72 EB 8C B7 F9 Ù꾪¤ûO¥..Ærë.·ù
000000000188FCB8 10 00 00 00 00 00 00 00 F4 01 00 00 00 00 00 00 ........ô.......
Comparing with the base64 decode result, our guess was right; secretly pleased...
Next should be the use of these two 16-byte pieces. Keep F7'ing in the VM and you will see an initialisation; I looked at this place many times too and finally asked an AI, which said it is RC4, haha, AI rocks
00007FF6B0E94DF0 | 894481 08 | mov dword ptr ds:[rcx+rax*4+8],eax | initialise a 0x100-entry buffer and fill it with 00-FF
00007FF6B0E94DF4 | 48:FFC0 | inc rax |
00007FF6B0E94DF7 | 48:3D 00010000 | cmp rax,100 |
00007FF6B0E94DFD | 72 F1 | jb usbredirectorsrv.7FF6B0E94DF0 |
Keep F7'ing and then compare with RC4 source code online; you find that this is the RC4 key, namely the 16 odd-position bytes of the first 32 bytes of the base64 decode result. This spot will be used again later. I also ran into a lot of trouble using tools for this RC4: the little toy decryptor from bro 789 on the forum didn't match, and later I switched to another tool.... Nothing comes that easily, probably because I'm a newbie...
We can observe the RC4 decryption result in memory and compare it with what the tool computed; they are exactly the same, haha
$ ==> 41 81 E3 51 1F 68 B4 86 58 E6 E6 4F 16 BB 9B 69 A.ãQ.h´.XææO.».i
$+10 22 4A 06 37 BD E2 1F 42 49 5E 9D 13 51 1E C7 8B "J.7½â.BI^..Q.Ç.
$+20 4C 4C 64 00 00 00 00 00 00 00 0F 00 60 22 02 06 LLd.........`"..
$+30 DF 1F 69 DA 29 40 E5 BE FF 28 7E 1F 88 25 7A 60 ß.iÚ)@å¾ÿ(~..%z`
$+40 05 D4 25 FD 3E 76 8A 45 F3 4A 00 00 00 00 00 00 .Ô%ý>v.EóJ......
$+50 0F 00 E3 02 04 C7 9F 04 27 92 79 EC 83 D5 4B D3 ..ã..Ç..'.yì.ÕKÓ
$+60 23 12 76 26 AF DB 54 2D AC B7 AC C1 D3 C1 54 80 #.v&¯ÛT-¬·¬ÁÓÁT.
$+70 38 00 03 00 00 00 0F 00 7F 61 99 E2 BB 7F F3 7E 8........a.â».ó~
$+80 AC 93 F1 A5 3B 09 16 3C 11 CC 8F DA 1A 55 9E 7C ¬.ñ¥;..<.Ì.Ú.U.|
$+90 A9 46 09 3D F9 07 00 00 00 00 00 00 0F 00 B7 6D ©F.=ù.........·m
$+A0 28 84 A3 46 C6 0D DA 3F AB 07 8D D2 33 14 CE CA (.£FÆ.Ú?«..Ò3.ÎÊ
$+B0 71 1A 66 CF 1C 70 B2 19 3D 4F 5F 11 8E 00 D4 3E q.fÏ.p².=O_...Ô>
$+C0 8E 00 5D A9 AD 82 35 2D AE 95 AB 93 13 1F 80 C5 ..]©..5-®.«....Å
$+D0 2D 9E 94 6D 14 33 15 87 4D 76 AC 3E 71 8B A4 AC -..m.3..Mv¬>q.¤¬
$+E0 3C 93 3A 95 E9 A7 46 3F 9B C1 F4 FE AE F5 04 77 <.:.é§F?.Áôþ®õ.w
$+F0 7D 7E 9B 36 40 6C 96 D0 77 68 04 D0 E9 AC 88 71 }~.6@l.Ðwh.Ðé¬.q
$+100 DB 09 7B 39 4D 3F DA E4 B5 5A E8 10 71 93 EE FD Û.{9M?ÚäµZè.q.îý
$+110 1E AC 9E E9 89 18 6F 2F 72 83 0E 83 F1 5E 76 1F .¬.é..o/r...ñ^v.
$+120 1B 2F A4 14 20 D0 51 75 01 CC DE F1 A8 06 00 80 ./¤. ÐQu.ÌÞñ¨...
Keep F7'ing in the VM and you come to code that any bro can see through at a glance
00007FF6B0E94A90 | 33C0 | xor eax,eax | MD5 initialisation
00007FF6B0E94A92 | C701 01234567 | mov dword ptr ds:[rcx],67452301 |
00007FF6B0E94A98 | C741 04 89ABCDEF | mov dword ptr ds:[rcx+4],EFCDAB89 |
00007FF6B0E94A9F | C741 08 FEDCBA98 | mov dword ptr ds:[rcx+8],98BADCFE |
00007FF6B0E94AA6 | C741 0C 76543210 | mov dword ptr ds:[rcx+C],10325476 |
00007FF6B0E94AAD | 48:8941 10 | mov qword ptr ds:[rcx+10],rax |
00007FF6B0E94AB1 | 8941 18 | mov dword ptr ds:[rcx+18],eax |
Since we have entered the author's VM, we can only F7 onward; slowly you will find that the length of the data to be MD5-hashed is 0x126. Here you can compare against the MD5 source code; being familiar with it makes this easier to read
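The two identifications made above, RC4 from the 00-FF fill loop and MD5 from its four initial state words, are exactly what FindCrypt-style scanners automate: standard primitives leave well-known constants in both code and memory. Here is an added Python example in that spirit (not code from the post or from the software). The MD5 sample buffer re-encodes the instruction bytes shown in the trace above; the RC4 sample is a constructed state block laid out like the traced one (an 8-byte header followed by 256 dword entries, matching the rcx+rax*4+8 addressing). The 64-byte window and the two entry widths are choices of this example.

```python
# Added example (not from the original post): recognising standard primitives in a
# memory or code dump by their well-known constants, the way FindCrypt-style
# plugins do. Both sample buffers are constructed here; the MD5 one re-encodes the
# instruction bytes shown in the trace above.
import struct

# Standard MD5 initial state A, B, C, D (RFC 1321), as seen in the mov immediates above.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _find_all(buf: bytes, needle: bytes):
    """Yield every offset at which `needle` occurs in `buf` (overlaps allowed)."""
    i = buf.find(needle)
    while i >= 0:
        yield i
        i = buf.find(needle, i + 1)


def find_md5_iv(buf: bytes, window: int = 64):
    """Offsets where all four MD5 IV words appear little-endian within `window`
    bytes of the first one. x86 immediates are little-endian too, so the same
    scan works on code (constants separated by opcode bytes) and on a dump of an
    initialised MD5 context (constants back to back)."""
    hits = []
    first = struct.pack("<I", MD5_IV[0])
    for off in _find_all(buf, first):
        region = buf[off:off + window]
        if all(struct.pack("<I", w) in region for w in MD5_IV[1:]):
            hits.append(off)
    return hits


def find_identity_permutation(buf: bytes, width: int):
    """Offsets of the sequence 0x00..0xFF stored as `width`-byte little-endian
    integers: the RC4 state right after the first KSA loop. The traced loop
    stores dwords (mov dword ptr [rcx+rax*4+8],eax), so width=4 matches it;
    a byte-wide implementation needs width=1."""
    needle = b"".join(i.to_bytes(width, "little") for i in range(256))
    return list(_find_all(buf, needle))


# Constructed sample 1: the instruction bytes from the MD5 initialisation trace.
SAMPLE_MD5_CODE = bytes.fromhex(
    "33C0"            # xor eax,eax
    "C70101234567"    # mov dword ptr [rcx],67452301
    "C7410489ABCDEF"  # mov dword ptr [rcx+4],EFCDAB89
    "C74108FEDCBA98"  # mov dword ptr [rcx+8],98BADCFE
    "C7410C76543210"  # mov dword ptr [rcx+C],10325476
    "48894110"        # mov qword ptr [rcx+10],rax
    "894118"          # mov dword ptr [rcx+18],eax
)

# Constructed sample 2: an RC4 state block laid out like the traced one, an 8-byte
# header (the "+8" in the addressing) followed by 256 dword entries 0..255.
SAMPLE_RC4_STATE = b"\xAA" * 8 + b"".join(i.to_bytes(4, "little") for i in range(256))


def classify(buf: bytes):
    """Summarise which primitives' fingerprints were found in `buf`."""
    found = {}
    md5 = find_md5_iv(buf)
    if md5:
        found["md5_iv"] = md5
    for width in (1, 4):
        rc4 = find_identity_permutation(buf, width)
        if rc4:
            found["rc4_ksa_w%d" % width] = rc4
    return found


if __name__ == "__main__":
    print(classify(SAMPLE_MD5_CODE))   # {'md5_iv': [4]}
    print(classify(SAMPLE_RC4_STATE))  # {'rc4_ksa_w4': [8]}
```

The identity permutation only proves that a 256-entry table was filled with 00..FF; the key-scheduling swap loop that follows it, and the fact that the first four MD5 words are also SHA-1's, are the checks to apply before trusting either label.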