Eltima 端口虚拟化软件授权分析
发布时间:2024年01月08日
目录
Eltima 端口虚拟化软件
- USB Network Gate
通过局域网和互联网共享和接入USB端口
最新版本:https://cdn.electronic.us/products/usb-over-ethernet/windows/update/settings.xml - Serial to Ethernet Connector
通过以太网远程连接串口设备
最新版本:https://cdn.electronic.us/products/sec/windows/update/settings.xml - Virtual Serial Port Driver
创建使用虚拟零调制解调线连接的虚拟串口
最新版本:https://cdn.electronic.us/products/vspd/windows/update/settings.xml
授权文件加密方式
??????授权文件保存在{commonappdata}目录下,名称为*.act,采用RSA2048私钥加密,通过公钥解密。公钥保存在*service.exe文件中,通过搜索“-----BEGIN PUBLIC KEY-----”可以获得。
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknN5/81qIoM+k1WEc/5
A+u3YzWeDNE5i5rpayiNWv4TvxX9udMz3uKF4tmDJfjuSCVUHQWAjJefwSv4ZBQ7
egXHtGzh/HVY/Geei7A1TwOroHxxgUKVkXRoPGYIVNBhrqX0CsCgYCZv7Ij6CSy4
Iamw0Gb/BnZ4Uw1AkOs6DfbGaVspeQGg7oTjSj+TKOWdK1dJ7ZoGyoVQLqxpaq41
r893XqSK5mXlbE3pFSjS6Rn8unyt57EuIcFy+x2VqjOf3KiwiGCeIaQtAtF5Pqii
KoEMoGgcDedO4C6h/LKy1oXJR7QeHQijUAn7JXE/i0I57BXyKylR6/YIV6hV+Ovm
bQIDAQAB
-----END PUBLIC KEY-----
通过公钥解密授权文件的代码:
#pragma comment(lib,"crypt32.lib")
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib,"libssl.lib")
#pragma comment(lib,"libcrypto.lib")
#include <string>
#include <fstream>
#include "openssl/pem.h"
#include "openssl/rsa.h"
#include <openssl/bn.h>
using namespace std;
int main()
{
ifstream ifs("./vspdpro.act", ifstream::binary | ifstream::ate);
if (ifs) {
streampos size = ifs.tellg();
char* buffer = new char[size];
ifs.seekg(0, ifstream::beg);
ifs.read(buffer, size);
ifs.close();
string public_key = "-----BEGIN PUBLIC KEY-----\r\n" \
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknN5/81qIoM+k1WEc/5\r\n" \
"A+u3YzWeDNE5i5rpayiNWv4TvxX9udMz3uKF4tmDJfjuSCVUHQWAjJefwSv4ZBQ7\r\n" \
"egXHtGzh/HVY/Geei7A1TwOroHxxgUKVkXRoPGYIVNBhrqX0CsCgYCZv7Ij6CSy4\r\n" \
"Iamw0Gb/BnZ4Uw1AkOs6DfbGaVspeQGg7oTjSj+TKOWdK1dJ7ZoGyoVQLqxpaq41\r\n" \
"r893XqSK5mXlbE3pFSjS6Rn8unyt57EuIcFy+x2VqjOf3KiwiGCeIaQtAtF5Pqii\r\n" \
"KoEMoGgcDedO4C6h/LKy1oXJR7QeHQijUAn7JXE/i0I57BXyKylR6/YIV6hV+Ovm\r\n" \
"bQIDAQAB\r\n" \
"-----END PUBLIC KEY-----";
BIO* bio = BIO_new_mem_buf(public_key.c_str(), public_key.size());
RSA* rsa = PEM_read_bio_RSA_PUBKEY(bio, nullptr, nullptr, nullptr);
BIO_free(bio);
printf("n='%s';\n", BN_bn2hex(RSA_get0_n(rsa)));
printf("e='%s';\n", BN_bn2hex(RSA_get0_e(rsa)));
unsigned char* from = (unsigned char*)buffer;
unsigned char to[256];
string txt = "";
while (true)
{
int len = RSA_public_decrypt(256, from, to, rsa, RSA_PKCS1_PADDING);
if (len < 0) break;
txt.append((char *)to, len);
from += 256;
}
printf("%s", txt.c_str());
delete[] buffer;
RSA_free(rsa);
}
}
授权文件格式
解密后的授权文件为文本文件:
hid=xxxxxxxx_xxxxxxxx_xxxxxxxx_x_xxxxxxxx
license_key_code=XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX
licenseName=Single License SEC
product_id=114
product_name=Serial to Ethernet Connector
product_version=9
serverDate=2024-01-06
activationDate=2024-01-06
nextActivation=2024-01-07
firstActivation=2024-01-06
errorCode=0
key_type=2
registed_name=support
license_options=
key_options=14
serverTime=1704535404
activation_param=
subscription=0
key_not_check_hid=0
其中最关键的两个值key_type和errorCode:
-
key_type 授权类型
0 = Single License 单机版许可授权
1 = Limited func (license_options)?表示根据功能授权,license_options的值表示功能的限制数量
2 = Limited time(key_options=days) 表示根据时间授权,key_options的值表示授权天数。
3 = OEM
-
errorCode 授权状态
0 = ALREADY_ACTIVATED?
DEMO_IS_OVER
NO_AVAILABLE_ACTIVATIONS
KEY_BANNED
+REACTIVATE
+STARTING
- nextActivation 下次联网验证key的时间
-
hid 硬件编码
硬件编码由5部分组成,格式如下:
Cpu信息_硬盘几何信息_硬盘固件编号信息_0_系统BIOS信息
详细算法代码如下:
unit HardwareID;
interface
uses Windows,Registry,SysUtils;
function GetHid():string;
implementation
type
TRegisters = record
EAX: DWORD;
EBX: DWORD;
ECX: DWORD;
EDX: DWORD;
end;
procedure GetCPUID(Param: Cardinal; var Registers: TRegisters);
asm
PUSH EBX { save affected registers }
PUSH EDI
MOV EDI, Registers
XOR EBX, EBX { clear EBX register }
XOR ECX, ECX { clear ECX register }
XOR EDX, EDX { clear EDX register }
DB $0F, $A2 { CPUID opcode }
MOV TRegisters(EDI).&EAX, EAX { save EAX register }
MOV TRegisters(EDI).&EBX, EBX { save EBX register }
MOV TRegisters(EDI).&ECX, ECX { save ECX register }
MOV TRegisters(EDI).&EDX, EDX { save EDX register }
POP EDI { restore registers }
POP EBX
end;
function GetHid1():Integer;
var
regs1,regs2:TRegisters;
i:Cardinal;
begin
GetCPUID(0,regs1);
Result:= regs1.EBX xor regs1.ECX xor regs1.EDX;
if regs1.EAX>=1 then
begin
for i := 1 to 13 do
begin
GetCPUID(i,regs2);
case i of
2,3,4,5,8,9,12,13:
begin
Result:=Result xor regs2.EAX xor regs2.EBX xor regs2.ECX xor regs2.EDX;
end;
11:
begin
Result:=Result xor regs2.EAX xor regs2.EBX xor regs2.ECX xor(regs2.EDX and $FFFFFF00);
end;
end;
end;
end;
GetCPUID($80000000,regs1);
for i := $80000002 to regs1.EAX do
begin
GetCPUID(i,regs2);
case i of
$80000001,$80000002,$80000003,$80000004,$80000006,$80000008,$8000000A,$8000001A:
begin
Result:=Result xor regs2.EAX xor regs2.EBX xor regs2.ECX xor regs2.EDX;
end;
end;
end;
end;
function GetHid11():Integer;
var
SystemInfo:TSystemInfo;
begin
GetSystemInfo(SystemInfo);
if SystemInfo.wProcessorArchitecture>=0 then
Result:=2*SystemInfo.wProcessorArchitecture
else
Result:=2*SystemInfo.wProcessorArchitecture+1;
Result:=SystemInfo.dwNumberOfProcessors xor Result;
if Result>=0 then
Result := 2 * Result
else
Result := 2 * Result+1;
Result := SystemInfo.dwProcessorType xor Result;
if Result>=0 then
Result := 2 * Result
else
Result := 2 * Result+1;
Result := SystemInfo.wProcessorLevel xor Result;
if Result>=0 then
Result := 2 * Result
else
Result := 2 * Result+1;
Result := SystemInfo.wProcessorRevision xor Result;
if Result>=0 then
Result := 2 * Result
else
Result := 2 * Result+1;
end;
function GetHid2:Integer;
type
TDiskGeometry=record
Cylinders:LARGE_INTEGER;
MediaType:DWORD;
TracksPerCylinder:DWORD;
SectorsPerTrack:DWORD;
BytesPerSector:DWORD;
end;
var
hDevice : THandle;
DiskGeometry:TDiskGeometry;
cbBytesReturned:DWORD;
Value1,Value2:LARGE_INTEGER;
const
IOCTL_DISK_GET_DRIVE_GEOMETRY = $00070000;
begin
Result:=0;
hDevice := CreateFile( '\\.\PhysicalDrive0',GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,nil, OPEN_EXISTING, 0, 0 );
if hDevice<>INVALID_HANDLE_VALUE then
begin
if DeviceIoControl(hDevice, IOCTL_DISK_GET_DRIVE_GEOMETRY,nil,0, @DiskGeometry,SizeOf(TDiskGeometry), cbBytesReturned, nil ) then
begin
Value1.QuadPart:=DiskGeometry.BytesPerSector * DiskGeometry.SectorsPerTrack*DiskGeometry.TracksPerCylinder*DiskGeometry.Cylinders.QuadPart;
if (Value1.QuadPart and $80000000)=0 then
Value2.QuadPart:=2*Value1.QuadPart
else
Value2.QuadPart:=(2*Value1.QuadPart) or 1;
Result:=Value2.LowPart xor Value1.HighPart;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
end;
CloseHandle(hDevice);
end;
end;
function GetHid3:Integer;
type
TStorgePropertyQuery=record
PropertyId:DWORD;
QueryType:DWORD;
AdditionalParameters:Byte;
end;
TStorgeDeviceDescriptor=record
Version:DWORD;
Size:DWORD;
DeviceType:Byte;
DeviceTypeModifier:Byte;
RemovableMedia:Boolean;
CommandQueueing:Boolean;
VendorIdOffset:DWORD;
ProductIdOffset:DWORD;
ProductRevisionOffset:DWORD;
SerialNumberOffset:DWORD;
BusType:DWORD;
RawPropertiesLength:DWORD;
RawDeviceProperties:Byte;
end;
PStorgeDeviceDescriptor=^TStorgeDeviceDescriptor;
TGetVersionInParams=record
bVersion:Byte;
bRevision:Byte;
bReserved:Byte;
bIDEDeviceMap:Byte;
fCapabilities:DWORD;
dwReserved:array[0..3] of DWORD;
end;
_IDEREGS=record
bFeaturesReg:Byte;
bSectorCountReg:Byte;
bSectorNumberReg:Byte;
bCylLowReg:Byte;
bCylHighReg:Byte;
bDriveHeadReg:Byte;
bCommandReg:Byte;
bReserved:Byte;
end;
TSendCmdInParams=record
cBufferSize:DWORD;
irDriveRegs:_IDEREGS;
bDriveNumber:Byte;
bReserved:array[0..2] of Byte;
dwReserved:array[0..3] of DWORD;
bBuffer:Byte;
end;
_DRIVERSTATUS=record
bDriverError:Byte;
bIDEError:Byte;
bReserved:array[0..1] of Byte;
dwReserved:array[0..1] of DWORD;
end;
TSendCmdOutParams=record
cBufferSize:DWORD;
DriverStatus:_DRIVERSTATUS;
bBuffer:Byte;
end;
PSendCmdOutParams=^TSendCmdOutParams;
var
hDevice : THandle;
StorgePropertyQuery:TStorgePropertyQuery;
StorgeDeviceDescriptor:PStorgeDeviceDescriptor;
GetVersionInParams:TGetVersionInParams;
SendCmdInParams:TSendCmdInParams;
SendCmdOutParams:PSendCmdOutParams;
cbBytesReturned,i:DWORD;
P:PChar;
W:PWORD;
Str:string;
const
IOCTL_STORAGE_QUERY_PROPERTY = $002D1400;
SMART_GET_VERSION = $00074080;
SMART_RCV_DRIVE_DATA = $0007C088;
IDENTIFY_BUFFER_SIZE = 512;
// Valid values for the bCommandReg member of IDEREGS.
ATAPI_ID_CMD = $A1; // Returns ID sector for ATAPI.
ID_CMD = $EC; // Returns ID sector for ATA.
SMART_CMD = $B0; // Performs SMART cmd.
begin
Result:=0;
hDevice := CreateFile( '\\.\PhysicalDrive0',GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,nil, OPEN_EXISTING, 0, 0 );
if hDevice<>INVALID_HANDLE_VALUE then
begin
ZeroMemory(@StorgePropertyQuery,SizeOf(TStorgePropertyQuery));
ZeroMemory(@GetVersionInParams,SizeOf(TGetVersionInParams));
StorgeDeviceDescriptor:=AllocMem(10000);
if DeviceIoControl(hDevice, IOCTL_STORAGE_QUERY_PROPERTY,@StorgePropertyQuery,SizeOf(TStorgePropertyQuery),
StorgeDeviceDescriptor,10000, cbBytesReturned, nil ) then
begin
Str:='';
P:=PChar(@StorgeDeviceDescriptor^.Version);
if StorgeDeviceDescriptor^.SerialNumberOffset>0 then Str:=Str+StrPas(PChar(Integer(P)+StorgeDeviceDescriptor^.SerialNumberOffset));
if StorgeDeviceDescriptor^.VendorIdOffset>0 then Str:=Str+StrPas(PChar(Integer(P)+StorgeDeviceDescriptor^.VendorIdOffset));
if StorgeDeviceDescriptor^.ProductIdOffset>0 then Str:=Str+StrPas(PChar(Integer(P)+StorgeDeviceDescriptor^.ProductIdOffset));
for i := 1 to Length(Str) do
begin
Result:=Result xor Ord(Str[i]);
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
end;
end
else if DeviceIoControl(hDevice, SMART_GET_VERSION,nil,0,@GetVersionInParams,SizeOf(TGetVersionInParams), cbBytesReturned, nil) then
begin
if GetVersionInParams.bIDEDeviceMap>0 then
begin
SendCmdOutParams:=AllocMem(SizeOf(TSendCmdOutParams)+IDENTIFY_BUFFER_SIZE);
ZeroMemory(@SendCmdInParams,SizeOf(TSendCmdInParams));
SendCmdInParams.irDriveRegs.bSectorCountReg:=1;
SendCmdInParams.irDriveRegs.bSectorNumberReg:=1;
SendCmdInParams.irDriveRegs.bDriveHeadReg:=$A0;
if (GetVersionInParams.bIDEDeviceMap and $10) <>0 then
SendCmdInParams.irDriveRegs.bCommandReg:=ATAPI_ID_CMD
else
SendCmdInParams.irDriveRegs.bCommandReg:=ID_CMD;
SendCmdInParams.cBufferSize:=512;
if DeviceIoControl(hDevice, SMART_RCV_DRIVE_DATA,@SendCmdInParams,SizeOf(TSendCmdInParams),
SendCmdOutParams,SizeOf(TSendCmdOutParams)+IDENTIFY_BUFFER_SIZE, cbBytesReturned, nil ) then
begin
W:=@SendCmdOutParams^.bBuffer;
Inc(W,10);
Result:=W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
if Result>=0 then
Result:=2*Result
else
Result:=(2*Result) or 1;
Inc(W,1);
Result:=Result xor W^;
end;
FreeMem(SendCmdOutParams);
end;
end;
FreeMemory(StorgeDeviceDescriptor);
CloseHandle(hDevice);
end;
end;
function GetHid5:Integer;
var
Reg:TRegistry;
Size,i:Integer;
B:TBytes;
begin
Result:=0;
Reg:=TRegistry.Create;
try
Reg.RootKey:=HKEY_LOCAL_MACHINE;
if Reg.OpenKeyReadOnly('HARDWARE\DESCRIPTION\System') then
begin
Size:=Reg.GetDataSize('SystemBiosVersion');
if Size>0 then
begin
SetLength(B,Size);
if Reg.ReadBinaryData('SystemBiosVersion',B[0],Size)<>0 then
begin
for i := 0 to Size - 1 do
begin
Result:=Result xor B[i];
if Result>=0 then
Result:=2*Result
else
Result:=2*Result or 1;
//UNICODE STRING
Result:=Result xor $00;
if Result>=0 then
Result:=2*Result
else
Result:=2*Result or 1;
end;
end;
end;
end;
finally
FreeAndNil(Reg);
end;
end;
function GetHid():string;
var
regs:TRegisters;
hid1,hid2,hid3,hid4,hid5:DWORD;
begin
GetCPUID(0,regs);
if regs.EAX>0 then
hid1:=GetHid1
else
hid1:=GetHid11;
hid2:=GetHid2;
hid3:=GetHid3;
hid4:=0;
hid5:=GetHid5;
Result:=Format('%x_%x_%x_%x_%x',[hid1,hid2,hid3,hid4,hid5]);
Result:=LowerCase(Result)
end;
end.
授权许可
可以通过两种方式实现本地授权,一是重新生成RSA2048秘钥对,替换可执行文件内的公钥,用私钥加密授权文件保存为act文件,既可实现授权许可;二是通过dll劫持方式hook可执行文件内解密act文件的函数,修改返回的内容,既可实现本地授权许可。
1、替换公钥
//替换公钥
procedure PatchFile(FileName:string);
var
Stream:TMemoryStream;
SubStr,Str:string;
P:PByte;
Offset:Integer;
begin
SubStr:='-----BEGIN PUBLIC KEY-----';
Stream:=TMemoryStream.Create;
try
Stream.LoadFromFile(FileName);
Stream.Position:=0;
SetLength(Str,Stream.Size);
MoveMemory(@Str[1],Stream.Memory,Stream.Size);
Offset:=Pos(SubStr,Str);
if Offset<1 then raise Exception.Create('Can not find PublicKey,Patch failed!');
P:= PByte(DWORD(Stream.Memory)+Offset-1);
MoveMemory(P,@RSA_PUBLIC_KEY[1],Length(RSA_PUBLIC_KEY));
Stream.SaveToFile(FileName);
finally
Stream.Free;
end;
end;通过FGInt实现RSA公钥解密私钥加密,也可以直接通过openssl实现,会增加2个dll文件。
unit FGIntRSA;
{
n=p*q
φ(n) = (p-1)(q-1)
d*e mod φ(n) = 1
public key => n e
private key => n d
public key enc dec => M= C^e mod n
private key enc dec => C= M^d mod n
}
interface
uses FGInt;
type
RSA_PADDING = (RSA_PKCS1_PADDING,RSA_X931_PADDING,RSA_NO_PADDING);
function RSA_Public_Decrypt(Src:string;StrE,StrN:string;Padding:RSA_PADDING = RSA_PKCS1_PADDING):string;
function RSA_Private_Encrypt(Src:string;StrD,StrN:string;Padding:RSA_PADDING = RSA_PKCS1_PADDING):string;
implementation
uses SysUtils,Windows;
const
RSA_PKCS1_PADDING_SIZE = 11;
function RSA_padding_check_PKCS1_type_1(Src:string):string;
var
p:PByte;
i,len:Integer;
begin
{
00 || 01 || PS || 00 || D
PS - padding string, at least 8 bytes of FF
D - data.
}
p:=PByte(@Src[1]);
if p^=$00 then inc(p);
if p^<>$01 then raise Exception.Create('RSA_R_BLOCK_TYPE_IS_NOT_01');
Inc(p);
for i := 0 to Length(Src) - 2 do
begin
if p^<>$FF then
begin
if p^=0 then
begin
Inc(p);
Break;
end
else
raise Exception.Create('RSA_R_BAD_FIXED_HEADER_DECRYPT');
end;
Inc(p);
end;
len:=Length(Src) - (Cardinal(p)-Cardinal(@Src[1]));
SetLength(Result,len);
MoveMemory(@Result[1],p,len);
end;
function RSA_padding_add_PKCS1_type_1(Src:string;Num:Integer):string;
var
p:PByte;
len:Integer;
begin
if Length(Src)>Num - RSA_PKCS1_PADDING_SIZE then raise Exception.Create('RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE');
SetLength(Result,Num);
p:=PByte(@Result[1]);
p^:=$00;
Inc(p);
p^:=$01;
Inc(p);
len:=Num - Length(Src) - 3;
FillMemory(p,len,$FF);
Inc(p,len);
p^:=$00;
Inc(p);
MoveMemory(p,@Src[1],Length(Src));
end;
function RSA_padding_check_X931(Src:string):string;
var
p:PByte;
i,len:Integer;
begin
p:=PByte(@Src[1]);
if p^ = $6B then
begin
Inc(p);
for i := 0 to Length(Src) - 3 do
begin
if p^ = $BA then
begin
inc(p);
Break;
end
else if p^<>$BB then raise Exception.Create('RSA_R_INVALID_PADDING');
Inc(p);
end;
len:=Length(Src) - (Cardinal(p)-Cardinal(@Src[1])) - 1;
end
else if p^ = $6A then
begin
Inc(p);
len:=Length(Src) - 2;
end
else
raise Exception.Create('RSA_R_INVALID_HEADER');
if PByte(Cardinal(p)+len)^ <> $CC then raise Exception.Create('RSA_R_INVALID_TRAILER');
SetLength(Result,len);
MoveMemory(@Result[1],p,len);
end;
function RSA_padding_add_X931(Src:string;Num:Integer):string;
var
p:PByte;
len:Integer;
begin
len:= Num -2 - Length(Src);
if len < 0 then raise Exception.Create('RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE');
SetLength(Result,Num);
p:=PByte(@Result[1]);
if len = 0 then
begin
p^:=$6A;
Inc(p);
end
else
begin
p^:=$6B;
Inc(p);
if len > 1 then
begin
FillMemory(p,len - 1,$BB);
Inc(p,len-1);
end;
p^:=$BA;
Inc(p);
end;
MoveMemory(p,@Src[1],Length(Src));
Inc(p,Length(Src));
p^:=$CC;
end;
function RSA_Public_Decrypt(Src:string;StrE,StrN:string;Padding:RSA_PADDING):string;
var
tempstr:string;
c,e,n,temp:TFGInt;
i,j,num:Integer;
begin
Base256StringToFGInt(StrE,E);
Base256StringToFGInt(StrN,N);
Result:='';
FGIntToBase2String(n,tempstr);
num:=Length(tempstr) div 8;
j :=Length(Src) div num;
if Length(Src) mod num <> 0 then inc(j);
for i := 1 To j do
begin
tempstr := copy(Src, 1, num);
delete(Src, 1, num);
Base256StringToFGInt(tempstr,c);
FGIntModExp(c, e, n, temp);
FGIntToBase256String(temp, tempstr);
case Padding of
RSA_PKCS1_PADDING:Result := Result + RSA_padding_check_PKCS1_type_1(tempstr);
RSA_X931_PADDING:Result:= Result + RSA_padding_check_X931(tempstr);
RSA_NO_PADDING:Result := Result + tempstr;
end;
FGIntDestroy(c);
FGIntDestroy(temp);
end;
FGIntDestroy(e);
FGIntDestroy(n);
end;
function RSA_Private_Encrypt(Src:string;StrD,StrN:string;Padding:RSA_PADDING):string;
var
i, j ,num,padding_size:Integer;
tempstr:string;
c,d,n,temp:TFGInt;
begin
Base256StringToFGInt(StrD,d);
Base256StringToFGInt(StrN,n);
Result:='';
FGIntToBase2String(n,tempstr);
num:=Length(tempstr) div 8;
padding_size:=0;
case Padding of
RSA_PKCS1_PADDING:padding_size:=RSA_PKCS1_PADDING_SIZE;
RSA_X931_PADDING:padding_size:=2;
RSA_NO_PADDING:padding_size:=0;
end;
j :=Length(Src) div (num - padding_size);
if Length(Src) mod (num - padding_size) <> 0 then inc(j);
for i := 1 To j do
begin
tempstr := copy(Src, 1, num - padding_size);
delete(Src, 1, num - padding_size);
case Padding of
RSA_PKCS1_PADDING:tempstr:=RSA_padding_add_PKCS1_type_1(tempstr,num);
RSA_X931_PADDING:tempstr:=RSA_padding_add_X931(tempstr,num);
RSA_NO_PADDING:tempstr:=tempstr;
end;
Base256StringToFGInt(tempstr, c);
FGIntModExp(c, d, n, temp);
FGIntToBase256String(temp,tempstr);
Result:=Result+tempstr;
FGIntDestroy(c);
FGIntDestroy(temp);
end;
FGIntDestroy(d);
FGIntDestroy(n);
end;
end.
2、dll劫持hook
通过python脚本创建winhttp.dll的劫持工程模板。
#CreatePatchDll.py
import os,sys,winreg,pefile
from string import Template
def IsKnownDLLs(dllname:str):
key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs")
try:
j = 0
while True:
_,value,_ = winreg.EnumValue(key, j)
if value.upper() == dllname.upper():
return True
j += 1
except WindowsError as e:
pass
return False
if __name__ == '__main__':
if (len(sys.argv)>1):
name = sys.argv[1]
else:
#name = 'version.dll'
print('Missing file name')
exit(-1)
if IsKnownDLLs(name):
print(f'{name} is system know dll!')
exit(-1)
dll_paths=[os.getcwd(),os.getenv('windir'),os.path.join(os.getenv('windir'),'system32')]
dll_path = None
for path in dll_paths:
if os.path.exists(os.path.join(path,name)):
dll_path = os.path.join(path,name)
break
if not dll_path:
print('Could not find %s' % name)
exit(-1)
name = os.path.basename(dll_path).split('.')[0]
pe = pefile.PE(dll_path)
dpr = f"""library {name};
uses
SysUtils,
Classes,
Windows,
u{name} in 'u{name}.pas';
{{$R *.res}}
procedure DLLHandler(Reason: Integer);
begin
case Reason of
DLL_PROCESS_ATTACH:
begin
OnLoad();
end;
DLL_PROCESS_DETACH:
begin
end;
DLL_THREAD_ATTACH:;
DLL_THREAD_DETACH:;
end;
end;
begin
DLLProc := @DLLHandler;
DLLProc(DLL_PROCESS_ATTACH);
end.
"""
code = Template(f"""unit u{name};
interface
uses Windows;
procedure OnLoad;stdcall;
$code1
exports
$code2
implementation
const
$code3
var
$code4
$code5
procedure OnLoad;stdcall;
var
SysPath:array[0..MAX_PATH-1] of Char ;
LibPath:string ;
LibHandle: THandle ;
begin
GetSystemDirectory(SysPath,MAX_PATH);
LibPath:= SysPath+'\{name}.dll';
LibHandle := LoadLibrary(PChar(LibPath));
if LibHandle <> 0 then
begin
$code6
end
else
ExitProcess(0);
end;
end.
""")
code1 = '\n'
code2 = '\n'
code3 = '\n'
code4 = '\n'
code5 = '\n'
code6 = '\n'
for i in range(len(pe.DIRECTORY_ENTRY_EXPORT.symbols)):
func_name = pe.DIRECTORY_ENTRY_EXPORT.symbols[i].name.decode()
code1 += f' procedure {func_name};stdcall;\n'
if i == len(pe.DIRECTORY_ENTRY_EXPORT.symbols)-1:
code2 += f' {func_name};\n'
else:
code2 += f' {func_name},\n'
code3 += f" str{func_name} = '{func_name}';\n"
code4 += f" p{func_name}:Pointer;\n"
code5 += f"procedure {func_name};stdcall;\n{{$IF Defined(CPUX86)}}\nasm jmp dword ptr [p{func_name}] end;\n{{$ELSEIF Defined(CPUX64)}}\nasm jmp qword ptr [p{func_name}] end;\n{{$ENDIF}}\n\n"
code6 += f" p{func_name}:=GetProcAddress(LibHandle,str{func_name});\n"
pas = code.substitute(code1=code1,code2=code2,code3=code3,code4=code4,code5=code5,code6=code6)
with open(f'u{name}.pas','w') as f:
f.write(pas)
with open(f'{name}.dpr','w') as f:
f.write(dpr)
python?CreatePatchDll.py WinHttp.dll
IDA、OD分析授权文件解密函数,提取特征,通过内存搜索定位hook的位置。
{$IFDEF CPUX86}
SEARCH:string ='55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? 33 C5 50 8D 45 ?? 64 A3 00 00 00 00 C7 45 ?? 00 00 00 00 8B C1 C7 45 ?? 00 00 00 00 83 79 ?? ?? C7 45 ?? 00 00 00 00 72';
{
55 push ebp
8B EC mov ebp, esp
6A FF push 0FFFFFFFFh
68 DE DE 65 00 push offset SEH_488580 //?? ?? ?? ??
64 A1 00 00 00 00 mov eax, large fs:0
50 push eax
83 EC 0C sub esp, 0Ch //??
53 push ebx
56 push esi
57 push edi
A1 3C EB 72 00 mov eax, ___security_cookie //?? ?? ?? ??
33 C5 xor eax, ebp
50 push eax
8D 45 F4 lea eax, [ebp] //??
64 A3 00 00 00 00 mov large fs:0, eax
C7 45 FC 00 00 00 00 mov [ebp-4], 0 //??
8B C1 mov eax, ecx
C7 45 EC 00 00 00 00 mov [ebp-14h], 0 //??
83 79 14 10 cmp dword ptr [ecx+14h], 10h //?? ??
C7 45 F0 00 00 00 00 mov [ebp-10h], 0 //??
72 02 jb short
}
{$ELSEIF Defined(CPUX64)}
SEARCH:string = '48 89 5C 24 ?? 48 89 54 24 ?? 55 56 57 41 56 41 57 48 83 EC ?? 49 8B F9 49 8B E8 48 8B F2 33 DB 89 5C 24 ?? 48 89 5C 24 ?? 48 8B C1 48 83 79 ?? ?? 72';
{
48 89 5C 24 18 mov [rsp+18h], rbx //??
48 89 54 24 10 mov [rsp+10h], rdx //??
55 push rbp
56 push rsi
57 push rdi
41 56 push r14
41 57 push r15
48 83 EC 40 sub rsp, 40h //??
49 8B F9 mov rdi, r9
49 8B E8 mov rbp, r8
48 8B F2 mov rsi, rdx
33 DB xor ebx, ebx
89 5C 24 30 mov [rsp+68h-38h], ebx //??
48 89 5C 24 70 mov [rsp+68h+8], rbx //??
48 8B C1 mov rax, rcx
48 83 79 18 10 cmp qword ptr [rcx+18h], 10h //?? ??
72 03 jb short loc_1400B8E76
}
{$ENDIF}?根据通配符搜索内存函数
function SearchMemory(Addr:PByte;Size:Cardinal;Search:string):PByte;
var
i:Integer;
P:PByte;
WildcardBytes,SearchBytes:array of Byte;
begin
Result:=nil;
Search:=StringReplace(Search,' ','',[rfReplaceAll]);
if Length(Search) mod 2 <>0 then raise Exception.Create('Search Hex String Lenght Must be Even number');
SetLength(WildcardBytes,Length(Search) div 2);
SetLength(SearchBytes,Length(WildcardBytes));
for i := 0 to Length(SearchBytes) - 1 do
begin
if Search[2*i+1] + Search[2*i+2] = '??' then
begin
WildcardBytes[i]:=$00;
SearchBytes[i]:=$00;
end
else if Search[2*i+1] = '?' then
begin
WildcardBytes[i]:=$0F;
SearchBytes[i]:=StrToInt('$'+Search[2*i+2]);
end
else if Search[2*i+2] = '?' then
begin
WildcardBytes[i]:=$F0;
SearchBytes[i]:=StrToInt('$'+Search[2*i+1]) shl 8;
end
else
begin
WildcardBytes[i]:=$FF;
SearchBytes[i]:=StrToInt('$'+Search[2*i+1] + Search[2*i+2]);
end;
end;
while Size>0 do
begin
P:=Addr;
for i := 0 to Length(SearchBytes) - 1 do
begin
if P^ and WildcardBytes[i] <> SearchBytes[i] then Break;
Inc(P);
end;
if i = Length(SearchBytes) then
begin
Result:=Addr;
Break;
end;
Inc(Addr);
Dec(Size);
end;
end;根据特征值,搜索确定解密函数位置后进行hook
function HookDecryptLicense:Boolean;
var
P:PByte;
ModuleInfo:TModuleInfo;
begin
Result:=False;
if GetModuleInformation(GetCurrentProcess,GetModuleHandle(nil),@ModuleInfo,SizeOf(TModuleInfo)) then
begin
P:=SearchMemory(ModuleInfo.lpBaseOfDll,ModuleInfo.SizeOfImage,SEARCH);
if P<>nil then
begin
HookProc(P,@New_DecryptLicense,Old_DecryptLicense);
Result:=True;
end;
end;
end;hook后跳转到新的函数
procedure New_DecryptLicense;assembler;
{$IFDEF CPUX86}
asm
PUSH EBP
MOV EBP,ESP
PUSH [EBP+$10]
PUSH [EBP+$0C]
PUSH [EBP+$08]
CALL Old_DecryptLicense
CALL ModifyLicense
POP EBP
RET $0C
end;
{$ELSEIF Defined(CPUX64)}
asm
SUB RSP,$18
CALL Old_DecryptLicense
MOV RCX,RAX
CALL ModifyLicense
ADD RSP,$18
end;
{$ENDIF}新的函数首先调用原来的解密函数,得到返回值后通过ModifyLicense函数,修改返回的license再返回给程序。
function GenerateKey(LicenseKey:string):string;
const
DEFAULT_CHAR = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
var
i,j,Count,Size:Integer;
StringList:TStringList;
begin
Randomize;
Result:='';
StringList:=TStringList.Create;
try
StringList.Delimiter:='-';
StringList.StrictDelimiter:=True;
StringList.DelimitedText:=LicenseKey;
Count:=StringList.Count;
for i := 0 to Count - 1 do
begin
Size:=Length(StringList[i]);
for j := 0 to Size - 1 do
begin
Result:=Result+UpCase(DEFAULT_CHAR[Random(Length(DEFAULT_CHAR) - 1) + 1])
end;
if i <> Count - 1 then Result := Result + '-';
end;
finally
StringList.Free;
end;
end;
function ModifyLicense(pLicense:PPAnsiChar):PPAnsiChar;
var
StringList:TStringList;
NewLicense:AnsiString;
begin
StringList:=TStringList.Create;
try
StringList.Delimiter:='&';
StringList.StrictDelimiter:=True;
StringList.DelimitedText:=string(pLicense^);
StringList.Values['license_key_code']:=GenerateKey(StringList.Values['license_key_code']);
StringList.Values['licenseName']:='Single license';
StringList.Values['key_type']:='0'; 1 Limited func (license_options) 2= Limited time(key_options=days) 3=OEM
StringList.Values['errorCode']:='0';//ALREADY_ACTIVATED DEMO_IS_OVER NO_AVAILABLE_ACTIVATIONS KEY_BANNED +REACTIVATE +STARTING
StringList.Values['key_options']:='';
StringList.Values['license_options']:='';
StringList.Values['nextActivation']:='2100-01-01';
StringList.Values['activationDate']:='2010-12-31';
StringList.Values['firstActivation']:='2010-12-31';
StringList.Values['serverDate']:='2010-12-31';
StringList.Values['serverTime']:='1293724800'; //2010/12/31 0:0:0 = 1293724800
StringList.Values['registed_name']:='ElseIf@Live.cn';
{$IFDEF DEBUG}
StringList.SaveToFile(ExtractFilePath(ParamStr(0))+'License.txt');
{$ENDIF}
ZeroMemory(pLicense^,PNativeUInt(NativeUInt(pLicense)+16)^);
NewLicense:=AnsiString(StringList.DelimitedText);
CopyMemory(pLicense^,PAnsiChar(NewLicense),Length(NewLicense));
PNativeUInt(NativeUInt(pLicense)+16)^:=Length(NewLicense);
finally
StringList.Free;
end;
Result:=pLicense;
end;另外程序注册表内加密存储了试用期相关信息,可以直接把CryptUnprotectData函数hook掉就好了。
type
_CRYPTOAPI_BLOB = record
cbData: DWORD;
pbData: PByte;
end;
DATA_BLOB = _CRYPTOAPI_BLOB;
PDATA_BLOB = ^DATA_BLOB;
_CRYPTPROTECT_PROMPTSTRUCT = record
cbSize: DWORD;
dwPromptFlags: DWORD;
hwndApp: HWND;
szPrompt: PWideChar;
end;
CRYPTPROTECT_PROMPTSTRUCT = _CRYPTPROTECT_PROMPTSTRUCT;
PCRYPTPROTECT_PROMPTSTRUCT = ^CRYPTPROTECT_PROMPTSTRUCT;
var
Old_CryptProtectData:function(pDataIn: PDATA_BLOB;
szDataDescr: PWideChar; pOptionalEntropy: PDATA_BLOB;
pReserved: Pointer; pPromptStruct: PCRYPTPROTECT_PROMPTSTRUCT; dwFlags: DWORD;
pDataOut: PDATA_BLOB): BOOL; stdcall;
function CryptUnprotectData(pDataIn: PDATA_BLOB; ppszDataDescr: PPWideChar;
pOptionalEntropy: PDATA_BLOB; pReserved: Pointer;
pPromptStruct: PCRYPTPROTECT_PROMPTSTRUCT; dwFlags: DWORD;
pDataOut: PDATA_BLOB): BOOL; stdcall; external 'Crypt32.dll';
function New_CryptUnprotectData(pDataIn: PDATA_BLOB; ppszDataDescr: PPWideChar;
pOptionalEntropy: PDATA_BLOB; pReserved: Pointer;
pPromptStruct: PCRYPTPROTECT_PROMPTSTRUCT; dwFlags: DWORD;
pDataOut: PDATA_BLOB): BOOL; stdcall;
begin
Result:=False;
//Result:=Old_CryptUnprotectData(pDataIn,ppszDataDescr,pOptionalEntropy,pReserved,pPromptStruct,dwFlags,pDataOut);
end;
HookProc(@CryptUnprotectData,@New_CryptUnprotectData,@Old_CryptUnprotectData);测试验证
把编译好的WinHttp.dll复制到程序根目录下,USB Network Gate 有64位版本,需要复制Win64目录下的WinHttp.dll,32位版本的复制Win32目录下的WinHttp.dll。
重新启动程序后台服务:
Virtual Serial Port Driver = > net stop vspd_pro & net start vspd_pro
Serial to Ethernet Connector= > net stop sec_service & net start sec_service?? ?
USB Network Gate= > net stop usb_service & net start usb_service?? ?
已经测试过的软件版本名称:
Virtual Serial Port Driver 11.0.1047
Released: April 5, 2023
?? ?Fixed: a crash when importing invalid COM-port bundle settings.
?? ?Fixed: minor issues with the software auto-update feature.
https://help.electronic.us/support/solutions/articles/44002275017-what-s-new-in-this-version
Serial to Ethernet Connector 9.0.1253
Released: April 12, 2023
?? ?Added: new software drivers signed by Microsoft.
?? ?Added: color indication that the maximum number of client connections allowed for a remote server has been reached.
?? ?Improved: Spanish, French, and German localizations. ?
?? ?Fixed: compatibility issues with 12th Gen Intel? Core? processors.
?? ?Fixed: issues with displaying long port names.
?? ?Lots of minor fixes and improvements.
https://help.electronic.us/support/solutions/articles/44002207950-what-s-new-in-this-version
USB Network Gate 10.0
Build 10.0.2593 [Released: November 01, 2023]
?? ?Added: Minor bug fixes and performance improvements.
https://help.electronic.us/support/solutions/articles/44001309944-what-s-new-in-this-version-for-windows
成品
Virtual Serial Port Driver 11.0.1047
https://download.csdn.net/download/chivalrys/88714991Serial to Ethernet Connector 9.0.1253https://download.csdn.net/download/chivalrys/88714990USB Network Gate 10.0.2593https://download.csdn.net/download/chivalrys/88714979
Eltima端口虚拟化软件dll劫持hook授权https://download.csdn.net/download/chivalrys/88714978
?
?
?
文章来源:https://blog.csdn.net/chivalrys/article/details/135445575
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。 如若内容造成侵权/违法违规/事实不符,请联系我的编程经验分享网邮箱:chenni525@qq.com进行投诉反馈,一经查实,立即删除!
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。 如若内容造成侵权/违法违规/事实不符,请联系我的编程经验分享网邮箱:chenni525@qq.com进行投诉反馈,一经查实,立即删除!
最新文章
- Python教程
- 深入理解 MySQL 中的 HAVING 关键字和聚合函数
- Qt之QChar编码(1)
- MyBatis入门基础篇
- 用Python脚本实现FFmpeg批量转换
- Linux mail自动推送邮件脚本+一键发送邮件脚本
- 使用virtualenv管理python环境
- C# OpenVINO 直接读取百度模型实现图片旋转角度检测
- 状态空间模型(SSM)是近来一种备受关注的 Transformer 替代技术
- 一天吃透JVM面试八股文
- Vue小练习--任务列表
- Java版企业电子招标采购系统源码—鸿鹄电子招投标系统-企业战略布局下的采购寻源
- Windows云服务器如何配置多用户登录?(Windows 2012)华为云官方文档与视频地址
- cocos creator 2.4.7字段绑定jsb mac版本
- 2024最新版ANACONDA安装使用指南