当前位置：首页 > article >正文

SanDisk U盘加密软件在其他u盘使用

article 2025/9/18 11:57:16

RunSanDiskSecureAccess_Win.exe 这个软件是SanDisk U盘加密工具，它被设计为只在SanDisk U盘上运行，如果不是sandisk的，就弹窗不让用

于是我们Patch它，IDA打开发现还是QT开发的，不管，搜索exit 函数调用，全部挂断点，然后运行，弹窗在OK后exit命中，向上找到提示信息

_InterlockedExchangeAdd(v465, 1u);
if ( !TestSandiskDrv(v449) )
{
v449 = (void **)-1;
v252 = (void *)sub_10B2480(&v459, "This application only runs on a SanDisk flash drive", 0, -1);
LOBYTE(v469) = 91;
v253 = sub_10B1000(" V3.0");
LOBYTE(v469) = 92;
v254 = sub_10B1000("SanDisk SecureAccess");
LOWORD(v453) = 8482;
LOBYTE(v469) = 93;
v255 = sub_10B22D0(&v456, v254, v453);
LOBYTE(v469) = 94;
v256 = (void *)sub_10B2250(&a2, v255, v253);
v453 = (int)&v448;
LOBYTE(v469) = 95;
sub_11D7F00((int)v2, v256, v252, 1024, 0);
v257 = a2;
v258 = *(_DWORD *)a2;
LOBYTE(v469) = 94;
if ( v258 )
{
if ( v258 == -1 || _InterlockedExchangeAdd((volatile signed __int32 *)a2, 0xFFFFFFFF) )
{
LABEL_353:
v259 = v456;
v260 = *(_DWORD *)v456;
LOBYTE(v469) = 93;
if ( v260 )
{
if ( v260 == -1 || _InterlockedExchangeAdd((volatile signed __int32 *)v456, 0xFFFFFFFF) )
{
LABEL_358:
v261 = v457;
v262 = *(_DWORD *)v457;
LOBYTE(v469) = 92;
if ( v262 )
{
if ( v262 == -1 || _InterlockedExchangeAdd((volatile signed __int32 *)v457, 0xFFFFFFFF) )
{
LABEL_363:
v263 = v458;
v264 = *(_DWORD *)v458;
LOBYTE(v469) = 91;
if ( v264 )
{
if ( v264 == -1 || _InterlockedExchangeAdd((volatile signed __int32 *)v458, 0xFFFFFFFF) )
{
LABEL_368:
v265 = v459;
v266 = *(_DWORD *)v459;
LOBYTE(v469) = 89;
if ( v266 )
{
if ( v266 == -1 || _InterlockedExchangeAdd((volatile signed __int32 *)v459, 0xFFFFFFFF) )
LABEL_373:
exit(0);

剩下的就是把TestSandiskDrv Patch掉，进去看看

v42 = v6;
if ( v7 || v5 == v44 )
{
v27 = v41;
v28 = *((_DWORD *)v41 + 2);
LOBYTE(v45) = 0;
if ( !v28 || v28 != -1 && !_InterlockedExchangeAdd((volatile signed __int32 *)v41 + 2, 0xFFFFFFFF) )
sub_18292E0(v27, (int)sub_116B1B0);
v29 = sub_11443A0(&v40, 4, (int)"..\\shared\\encstickmanager.cpp", 199, (int)"ENCStickManager::isSandiskFlashDrive");
LOBYTE(v45) = 5;
v30 = sub_10B8430(&v39, "isSandiskFlashDrive failed for", -1);
v31 = *v29;
LOBYTE(v45) = 6;
sub_17D54E0(v31, v30);
v32 = v39;
v33 = *(_DWORD *)v39;
LOBYTE(v45) = 5;
if ( v33 )
{
if ( v33 == -1 || _InterlockedExchangeAdd((volatile signed __int32 *)v39, 0xFFFFFFFF) )
{
LABEL_53:
if ( *(_BYTE *)(*v29 + 20) )
sub_17D53F0((void *)0x20);
v34 = *v29;
v35 = sub_17D53F0((void *)0x22);
sub_17D54E0(v35, &a1);
sub_17D53F0((void *)0x22);
if ( *(_BYTE *)(*v29 + 20) )
sub_17D53F0((void *)0x20);
LOBYTE(v45) = 0;
sub_10BA600(&v40);
v36 = a1;
v37 = *(_DWORD *)a1;
v45 = -1;
if ( v37 )
{
if ( v37 == -1 || _InterlockedExchangeAdd((volatile signed __int32 *)a1, 0xFFFFFFFF) )
return 0;
v36 = a1;
}
sub_17C1990(v36);
return 0;
}
v32 = v39;

return 0 设上断点，断过去，

ext:012FA063 xor al, al ，改成mov al,1 就行了
.text:012FA065 mov ecx, [esp+3Ch+var_C]
.text:012FA069 mov large fs:0, ecx
.text:012FA070 pop ecx
.text:012FA071 pop edi
.text:012FA072 pop esi
.text:012FA073 pop ebp
.text:012FA074 pop ebx
.text:012FA075 add esp, 28h
.text:012FA078 retn

查看全文

http://www.lryc.cn/news/2412584.html