|
|
用OllDbg载入microwin,新建项目,右键点击SBR_0,属性,设定保护密码为4321,确定。
再次进入属性,输入错误密码1234,提示输入了不正确密码,于是从该处入手,中断。
思路:在输入密码时,程序会判断输入的密码跟保存的POU密码进行判断,关键点就是输入后中断程序,用分析软件单步运行,
找到程序判断密码的地方,由于密码错误时有消息框提示,我们便可从此处入手中断,然后往前查找程序判断密码的地方。
切换到OllDbg,在命令栏插件中输入bpx messageboxa,切换到microwin再次输入错误密码,非常幸运,OllDbg中断在这里:
0051DA0C |. 8B00 mov eax,dword ptr ds:[eax]
0051DA0E |. 52 push edx ; /Style
0051DA0F |. 50 push eax ; |Title
0051DA10 |. 8B4424 18 mov eax,dword ptr ss:[esp+18] ; |
0051DA14 |. 50 push eax ; |Text
0051DA15 |. 53 push ebx ; |hOwner
0051DA16 |. FF15 88306C00 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA <==中断在此处
0051DA1C |. 8D4C24 7C lea ecx,dword ptr ss:[esp+7C]
0051DA20 |. FFD7 call edi
0051DA22 |. 8B7424 14 mov esi,dword ptr ss:[esp+14]
0051DA26 |. 8B8424 800000>mov eax,dword ptr ss:[esp+80]
0051DA2D |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0051DA31 |. 85C0 test eax,eax
0051DA33 |. 898E 9C010000 mov dword ptr ds:[esi+19C],ecx
0051DA39 |. 74 09 je short microwin.0051DA44
0051DA3B |. 6A 01 push 1 ; /Enable = TRUE
0051DA3D |. 50 push eax ; |hWnd
0051DA3E |. FF15 C0306C00 call dword ptr ds:[<&USER32.EnableWindow>] ; \EnableWindow
0051DA44 |> 6A 01 push 1
0051DA46 |. 8BCE mov ecx,esi
0051DA48 |. E8 47C00900 call <jmp.&MFC42.#2629>
0051DA4D |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0051DA51 |. C78424 8C0000>mov dword ptr ss:[esp+8C],-1
0051DA5C |. E8 89AF0900 call <jmp.&MFC42.#800>
0051DA61 |. 8B8C24 840000>mov ecx,dword ptr ss:[esp+84]
0051DA68 |. 5F pop edi
0051DA69 |. 5E pop esi
0051DA6A |. 5D pop ebp
0051DA6B |. 5B pop ebx
0051DA6C |. 64:890D 00000>mov dword ptr fs:[0],ecx
0051DA73 |. 81C4 80000000 add esp,80
0051DA79 \. C2 1000 retn 10
往下看,从中断到返回处都没有越过该中断的跳转,于是按F8到0051DA79,返回上一级。返回后来到这里:
0047F050 /$ 56 push esi
0047F051 |. E8 0C9A1300 call <jmp.&MFC42.#1168>
0047F056 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
0047F059 |. 85C0 test eax,eax
0047F05B |. 74 32 je short microwin.0047F08F <==此处跳转
0047F05D |. 8B7424 0C mov esi,dword ptr ss:[esp+C]
0047F061 |. 8D8E 2EF8FF5F lea ecx,dword ptr ds:[esi+5FFFF82E] ; Switch (cases A00007D2..A00007DD)
0047F067 |. 83F9 0B cmp ecx,0B
0047F06A |. 77 0F ja short microwin.0047F07B
0047F06C |. 33D2 xor edx,edx
0047F06E |. 8A91 A0F04700 mov dl,byte ptr ds:[ecx+47F0A0]
0047F074 |. FF2495 98F047>jmp dword ptr ds:[edx*4+47F098]
0047F07B |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; Default case of switch 0047F061
0047F07F |. 8B5424 08 mov edx,dword ptr ss:[esp+8]
0047F083 |. 6A 00 push 0 ; /Arg4 = 00000000
0047F085 |. 51 push ecx ; |Arg3
0047F086 |. 56 push esi ; |Arg2
0047F087 |. 52 push edx ; |Arg1
0047F088 |. 8BC8 mov ecx,eax ; |
0047F08A |. E8 C1E20900 call microwin.0051D350 ; \microwin.0051D350 <==此处是调用刚才call的地方
0047F08F |> B8 01000000 mov eax,1 ; Cases A00007D2,A00007D3,A00007DC,A00007DD of switch 0047F061
0047F094 |. 5E pop esi
0047F095 \. C3 retn
注意从0047F05B处有一跳转到0047F08F,刚好绕过错误提示框,于是在0047F05B处下断,重复运行后中断在此处。
修改标志位,强制跳转到0047F08F,按F9运行。此时提示框没再出来,但访问权限依然没变,不得不继续往上继续寻找关键点。
在0047F095处下断点,重复运行后来到断点处,F8返回到上一级CALL:
0042FB35 |. 83C4 10 add esp,10
0042FB38 |. C3 retn
0042FB39 |> 68 30200000 push 2030 <==注意这里,有一跳转到此处
0042FB3E |. 50 push eax
0042FB3F |. 68 7E130000 push 137E
0042FB44 |. E8 07F50400 call microwin.0047F050 <==此处为返回call
0042FB49 |. 8DB5 B0000000 lea esi,dword ptr ss:[ebp+B0]
往上查找,发现跳转在此处:
0042F883 |. 53 push ebx
0042F884 |. 57 push edi
0042F885 |. FF15 2C396C00 call dword ptr ds:[<&executive200.TAB_AuthorizeP>; executiv.TAB_AuthorizePassword
0042F88B |. 83C4 08 add esp,8
0042F88E |. 85C0 test eax,eax
0042F890 |. 0F85 A3020000 jnz microwin.0042FB39 <==此处跳转
0042F896 |. 50 push eax
不知大家注意到没,executiv.TAB_AuthorizePassword这几个字眼非常敏感,呵呵。于是尝试在此处下断点。
重复后来到此处,F7跟进去看看有啥东东^_^
00B0A280 e> 51 push ecx
00B0A281 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
00B0A285 C74424 00 F00A0>mov dword ptr ss:[esp],E0000AF0
00B0A28D 8B41 04 mov eax,dword ptr ds:[ecx+4]
00B0A290 3D E8030000 cmp eax,3E8
00B0A295 7C 1A jl short executiv.00B0A2B1
00B0A297 3D EC030000 cmp eax,3EC
00B0A29C 7F 13 jg short executiv.00B0A2B1
00B0A29E 8B4424 0C mov eax,dword ptr ss:[esp+C]
00B0A2A2 50 push eax
00B0A2A3 51 push ecx
00B0A2A4 8B0D A4C1B300 mov ecx,dword ptr ds:[<&storeretrieveverify200.g_Store>] ; storeret.g_Store
00B0A2AA E8 F1A70200 call <jmp.&storeretrieveverify200.MWStore::SRV_POU_Authoriz> <==注意此处
00B0A2AF EB 1F jmp short executiv.00B0A2D0
00B0A2B1 3D 88130000 cmp eax,1388
00B0A2B6 7C 1C jl short executiv.00B0A2D4
00B0A2B8 3D 8A130000 cmp eax,138A
00B0A2BD 7F 15 jg short executiv.00B0A2D4
00B0A2BF 8B5424 0C mov edx,dword ptr ss:[esp+C]
00B0A2C3 52 push edx
00B0A2C4 51 push ecx
00B0A2C5 8B0D A4C1B300 mov ecx,dword ptr ds:[<&storeretrieveverify200.g_Store>] ; storeret.g_Store
00B0A2CB E8 CAA70200 call <jmp.&storeretrieveverify200.MWStore::SRV_DB_Authorize>
00B0A2D0 894424 00 mov dword ptr ss:[esp],eax
00B0A2D4 8D4424 00 lea eax,dword ptr ss:[esp]
00B0A2D8 50 push eax
00B0A2D9 E8 22CAFFFF call executiv.00B06D00
00B0A2DE 83C4 08 add esp,8
00B0A2E1 C3 retn
此段程序比较短,不用想你也明白了,到00B0A2AA时F7跟进去看看:
跳到这里:
00BF5D7F 90 nop
00BF5D80 s> 8B4424 08 mov eax,dword ptr ss:[esp+8]
00BF5D84 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
00BF5D88 50 push eax
00BF5D89 51 push ecx
00BF5D8A 8B0D B033C300 mov ecx,dword ptr ds:[<&datamanagers200.g_PouDataMgr>] ; datamana.g_PouDataMgr
00BF5D90 E8 47640200 call <jmp.&datamanagers200.MWPouDataMgr::Authorize> <==继续跟进……
00BF5D95 C2 0800 retn 8
00BF5D98 90 nop
几番转折后,终于来到了这里:
00D0A330 d> 6A FF push -1
00D0A332 68 5036DD00 push datamana.00DD3650
00D0A337 64:A1 00000000 mov eax,dword ptr fs:[0]
00D0A33D 50 push eax
00D0A33E 64:8925 0000000>mov dword ptr fs:[0],esp
00D0A345 83EC 20 sub esp,20
00D0A348 53 push ebx
00D0A349 55 push ebp
00D0A34A 8BE9 mov ebp,ecx
00D0A34C 56 push esi
00D0A34D 57 push edi
00D0A34E 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00D0A352 E8 D75C0C00 call <jmp.&MFC42.#287>
00D0A357 8B5C24 40 mov ebx,dword ptr ss:[esp+40]
00D0A35B 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00D0A35F 50 push eax
00D0A360 53 push ebx
00D0A361 8BCD mov ecx,ebp
00D0A363 C74424 40 00000>mov dword ptr ss:[esp+40],0
00D0A36B E8 28E90B00 call <jmp.&objectmanagers200.MWPouObjMgr::GetPassword> <==注意
00D0A370 8BF0 mov esi,eax
00D0A372 85F6 test esi,esi
00D0A374 0F85 88010000 jnz datamana.00D0A502
00D0A37A 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
00D0A37E 8B5424 20 mov edx,dword ptr ss:[esp+20]
00D0A382 51 push ecx
00D0A383 68 AAAA0000 push 0AAAA
00D0A388 52 push edx
00D0A389 E8 74F10B00 call <jmp.&systemdata200.MW_GLOBAL_DeCrypt>
00D0A38E 8BF0 mov esi,eax
00D0A390 83C4 0C add esp,0C
00D0A393 85F6 test esi,esi
00D0A395 0F85 67010000 jnz datamana.00D0A502
00D0A39B 8B4424 44 mov eax,dword ptr ss:[esp+44]
00D0A39F 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
00D0A3A3 8B7C24 20 mov edi,dword ptr ss:[esp+20]
00D0A3A7 33D2 xor edx,edx
00D0A3A9 8B30 mov esi,dword ptr ds:[eax]
00D0A3AB F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:[esi] ; 比较密码
00D0A3AD 74 1B je short datamana.00D0A3CA ;相等则跳转
00D0A3AF 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00D0A3B3 C74424 38 FFFFF>mov dword ptr ss:[esp+38],-1
00D0A3BB E8 605B0C00 call <jmp.&MFC42.#610>
00D0A3C0 B8 3E0100A0 mov eax,A000013E
00D0A3C5 E9 4B010000 jmp datamana.00D0A515
抬头看看标题,此时已经是datamanagers200程序领空了,一直F8走下来,到00D0A36B时F8跳过,如想仔细研究的朋友可以追进去看看。
走到00D0A3AB时相信你已经喜出望外了,在注释窗口你会看到这些东西:
ecx=00000004 (十进制 4.)
ds:[esi]=[02102B08]=31 ('1')
es:[edi]=[02073C80]=34 ('4')
在内存窗口分别转到这两个窗口看看^_^:分别是1234和4321,这不正是我们加密时的密码和输入的错误密码吗?
到此处,分析已经基本完成了,00D0A3AD处为关键跳转,密码相等则跳转,由于采用爆破,只需把je改为jmp即可。
根据相同的原理,项目密码也可采用此方法找到,爆破。
注意:文中提及的POU和PRJ密码是指保存在电脑中的源程序密码,不是下载到PLC中的密码。关于PLC密码的解密要用监听端口
|
|
[复制链接]
|小黑屋|PLC解密家园
( 京ICP备14025225号-2 )
发表于 2016-11-10 14:11:04
发表于 2016-11-19 15:03:31
