文章作者:FishSeeWater
【下载地址】Microsoft的
【破解工具】OllyDbg(cao_cong汉化版)+C32Asm
【保护方式】无
【软件限制】不接受密码参数
【破解难度】简单
-----------------------------------------------------------------
【软件介绍】
Microsoft系统自带的命令,不用我多罗嗦了吧:)
-----------------------------------------------------------------
【DIY声明】
最近由于公司领导要求“计算机资料保密”,我决定采用WIN2000的系统特性加上NTFS权限完成。用Win2003架了台服务器,然后为每位工程师建了User帐户,但是发现好几个CAD软件在User用户下没法运行,但通过右键的“运行方式”以"Administrator"运行就没事儿,调整组权限,整了好几天也没能搞定,微软出于安全考虑RunAs命令不能直接跟密码参数。每次都要单独输入密码,这样的话那我岂不要~~*&@#$$@:(。在网上找RunAs命令的程序实现方式,准备写个程序调用CAD来运行,可是用LogonUser();CreateProcessAsUse();CreateProcessWithLogonW()这几个函数死活不行,LogonUser()总是返加1314错误,郁闷。无奈之下,还是打RunAs的主意吧。让它支持密码参数不就OK了:)
-----------------------------------------------------------------
【破解分析】
好!开始:
首先预习一下基础知识,控制台程序获取运行参数是用GetCommandLine(VOID)函数
打开OD加载目标程序,参数为"/user:administratorcmd.exe"
然后下断点BPXGetCommandLine回车
F9运行,程序断在01001572CALLDWORDPTRDS:[<&KERNEL32.GetCommandLineW>;|[GetCommandLineW
瞧瞧它是怎样RunAs的:)
F8一步一步走:
[CODE]
01001555|.50PUSHEAX;/pArgc
01001556|.895D>MOVDWORDPTRSS:[EBP-1C],EBX;|
01001559|.895D>MOVDWORDPTRSS:[EBP-20],EBX;|
0100155C|.895D>MOVDWORDPTRSS:[EBP-C],EBX;|
0100155F|.895D>MOVDWORDPTRSS:[EBP-18],EBX;|
01001562|.895D>MOVDWORDPTRSS:[EBP-38],EBX;|
01001565|.8975>MOVDWORDPTRSS:[EBP-4],ESI;|
01001568|.895D>MOVDWORDPTRSS:[EBP-14],EBX;|
0100156B|.C745>MOVDWORDPTRSS:[EBP-7C],44;|
//得到参数
01001572|.FF15>CALLDWORDPTRDS:[<&KERNEL32.GetCommandLineW>;|[GetCommandLineW
01001578|.50PUSHEAX;|CmdLine
//得到参数个数
01001579|.FF15>CALLDWORDPTRDS:[<&SHELL32.CommandLineToArg>;\CommandLineToArgvW
0100157F|.8BC8MOVECX,EAX
01001581|.3BCBCMPECX,EBX
01001583|.894D>MOVDWORDPTRSS:[EBP+8],ECX
01001586|.0F85>JNZrunas.0100163E
0100158C|.895D>MOVDWORDPTRSS:[EBP-4],EBX
.......
.......
.......
//比较参数个数,不等于3就跳走,显示RunAs的帮助(自身的程序名也算一个参数)
0100163E|>\8B45>MOVEAX,DWORDPTRSS:[EBP-14]
01001641|.83F8>CMPEAX,5
01001644|.740>JESHORTrunas.01001650
01001646|.83F8>CMPEAX,4
01001649|.740>JESHORTrunas.01001650
0100164B|.83F8>CMPEAX,3
0100164E|.757>JNZSHORTrunas.010016CF
01001650|>8D50>LEAEDX,DWORDPTRDS:[EAX-2]
//以下是判断并取出第二个参数"administraor"(第一个参数是RunAs.exe)
01001653|.8975>MOVDWORDPTRSS:[EBP-8],ESI
01001656|.3BD6CMPEDX,ESI
01001658|.7C7>JLSHORTrunas.010016CA
0100165A|.8D79>LEAEDI,DWORDPTRDS:[ECX+4]
0100165D|>8B07MOVEAX,DWORDPTRDS:[EDI]
0100165F|.66:8>CMPWORDPTRDS:[EAX],2F
01001663|.756>JNZSHORTrunas.010016CF
01001665|.0FB7>MOVZXECX,WORDPTRDS:[EAX+2]
01001669|.83F9>CMPECX,4E;Switch(cases45..75)
0100166C|.7F1>JGSHORTrunas.0100167E
0100166E|.0F84>JErunas.01001BA4
01001674|.83F9>CMPECX,45
01001677|.755>JNZSHORTrunas.010016CF
01001679|>8975>MOVDWORDPTRSS:[EBP-1C],ESI;Cases45('E'),65('e')ofswitch01001669
0100167C|.EB4>JMPSHORTrunas.010016BF
0100167E|>83E9>SUBECX,50
01001681|.743>JESHORTrunas.010016BC
01001683|.83E9>SUBECX,5
01001686|.741>JESHORTrunas.0100169F
01001688|.83E9>SUBECX,10
0100168B|.^74E>JESHORTrunas.01001679
0100168D|.83E9>SUBECX,9
01001690|.0F84>JErunas.01001BA4
01001696|.49DECECX
01001697|.49DECECX
01001698|.742>JESHORTrunas.010016BC
0100169A|.83E9>SUBECX,5
0100169D|.753>JNZSHORTrunas.010016CF
0100169F|>83C0>ADDEAX,4;Cases55('U'),75('u')ofswitch01001669
010016A2|>66:8>/MOVCX,WORDPTRDS:[EAX]
.......
.......
.......
010016CD|./750>JNZSHORTrunas.010016DC
010016CF|>|E88>CALLrunas.0100125B;Defaultcaseofswitch01001669
010016D4|>|895D>MOVDWORDPTRSS:[EBP-4],EBX
010016D7|.|E95>JMPrunas.01001B38
//加载提示资源串"键入密码administrator:"
010016DC|>\8B3D>MOVEDI,DWORDPTRDS:[<&USER32.LoadStringW>];USER32.LoadStringW
010016E2|.8D85>LEAEAX,DWORDPTRSS:[EBP-630]
010016E8|.68F>PUSH1F4;/Count=1F4(500.)
010016ED|.50PUSHEAX;|Buffer
010016EE|.687>PUSH1B76;|RsrcID=STRING"Enterpasswordfor"
010016F3|.FF35>PUSHDWORDPTRDS:[1003020];|hInst=01000000
010016F9|.FFD7CALLEDI;\LoadStringW
010016FB|.8B35>MOVESI,DWORDPTRDS:[<&USER32.CharToOemW>];USER32.CharToOemW
01001701|.8D85>LEAEAX,DWORDPTRSS:[EBP-8EC]
01001707|.50PUSHEAX;/pDest
01001708|.8D85>LEAEAX,DWORDPTRSS:[EBP-630];|
0100170E|.50PUSHEAX;|pSrc
0100170F|.FFD6CALLESI;\CharToOemW
01001711|.FF75>PUSHDWORDPTRSS:[EBP-C];/String
01001714|.8B1D>MOVEBX,DWORDPTRDS:[<&KERNEL32.lstrlenW>];|kernel32.lstrlenW
0100171A|.FFD3CALLEBX;\lstrlenW
0100171C|.3DF>CMPEAX,1F4
01001721|.760>JBESHORTrunas.0100172E
01001723|.8B45>MOVEAX,DWORDPTRSS:[EBP-C]
01001726|.66:8>ANDWORDPTRDS:[EAX+3E6],0
0100172E|>8D85>LEAEAX,DWORDPTRSS:[EBP-D9C]
01001734|.50PUSHEAX
01001735|.FF75>PUSHDWORDPTRSS:[EBP-C]
01001738|.FFD6CALLESI
0100173A|.8D85>LEAEAX,DWORDPTRSS:[EBP-D9C]
01001740|.50PUSHEAX;/<%s>
01001741|.8D85>LEAEAX,DWORDPTRSS:[EBP-8EC];|
01001747|.50PUSHEAX;|<%s>
01001748|.688>PUSHrunas.0100118C;|format="%s%s:"
0100174D|.FF15>CALLDWORDPTRDS:[<&MSVCRT.printf>];\printf
01001753|.83C4>ADDESP,0C
01001756|.8D85>LEAEAX,DWORDPTRSS:[EBP-248]
//这个104是干嘛的?难道是最大长度?请高手指点:)
0100175C|.680>PUSH104;/Arg2=00000104
//压入变量地址
01001761|.50PUSHEAX;|Arg1
//下面是调用ReadConsoleW函数读取键盘输入的密码
01001762>|.E84>CALLrunas.010011B0;\读入密码
01001767|.85C0TESTEAX,EAX
01001769|.744>JESHORTrunas.010017AD
0100176B|.8D85>LEAEAX,DWORDPTRSS:[EBP-630]
........
........
........
0100179B|.683>PUSHrunas.01001134;|format="%s"
010017A0|.FF15>CALLDWORDPTRDS:[<&MSVCRT.printf>];\printf
010017A6|.59POPECX
010017A7|.59POPECX
010017A8|.E94>JMPrunas.010019ED
//处理输入的密码
010017AD|>8D85>LEAEAX,DWORDPTRSS:[EBP-248]
010017B3|.50PUSHEAX;/Translation
010017B4|.8D85>LEAEAX,DWORDPTRSS:[EBP-248];|
010017BA|.50PUSHEAX;|OemString
010017BB|.FF15>CALLDWORDPTRDS:[<&USER32.OemToCharA>];\OemToCharA
010017C1|.8D85>LEAEAX,DWORDPTRSS:[EBP-248]
//将密码复制后保存
010017C7|.50PUSHEAX;/<%S>
010017C8|.8D85>LEAEAX,DWORDPTRSS:[EBP-1198];|
010017CE|.688>PUSHrunas.01001184;|Format="%S"
010017D3|.50PUSHEAX;|s
010017D4|.FF15>CALLDWORDPTRDS:[<&USER32.wsprintfW>];\wsprintfW
010017DA|.83C4>ADDESP,0C
010017DD|.8D85>LEAEAX,DWORDPTRSS:[EBP-E0]
010017E3|.6A3>PUSH32
010017E5|.50PUSHEAX
010017E6|.687>PUSH1B77
010017EB|.FF35>PUSHDWORDPTRDS:[1003020];runas.01000000
010017F1|.FFD7CALLEDI
010017F3|.8B45>MOVEAX,DWORDPTRSS:[EBP-14]
010017F6|.8B4D>MOVECX,DWORDPTRSS:[EBP+8]
//得到命令行参数的第三个参数长度。(DS:[ECX+EAX*4-4]为第三个参数)
010017F9|.FF74>PUSHDWORDPTRDS:[ECX+EAX*4-4]
010017FD|.FFD3CALLEBX;kernel32.lstrlenW
010017FF|.8BF8MOVEDI,EAX
01001801|.8D85>LEAEAX,DWORDPTRSS:[EBP-E0]
01001807|.50PUSHEAX
01001808|.FFD3CALLEBX
0100180A|.FF75>PUSHDWORDPTRSS:[EBP-C]
........
........
........
01001A0B|.C745>MOVDWORDPTRSS:[EBP-24],400
01001A12|.EB0>JMPSHORTrunas.01001A17
01001A14|>8B5D>MOVEBX,DWORDPTRSS:[EBP-38]
01001A17|>8D45>LEAEAX,DWORDPTRSS:[EBP-34]
//调用CreateProcessWithLogonW函数以"administrator"身份创建进程
01001A1A|.50PUSHEAX;/Arg11
01001A1B|.8D45>LEAEAX,DWORDPTRSS:[EBP-7C];|
01001A1E|.50PUSHEAX;|Arg10
01001A1F|.8B45>MOVEAX,DWORDPTRSS:[EBP-14];|
01001A22|.53PUSHEBX;|Arg9
01001A23|.FF75>PUSHDWORDPTRSS:[EBP-20];|Arg8
01001A26|.FF75>PUSHDWORDPTRSS:[EBP-24];|Arg7
01001A29|.FF74>PUSHDWORDPTRDS:[EDI+EAX*4-4];|Arg6
01001A2D|.8D85>LEAEAX,DWORDPTRSS:[EBP-1198];|
01001A33|.6A0>PUSH0;|Arg5=00000000
01001A35|.FF75>PUSHDWORDPTRSS:[EBP-10];|Arg4
01001A38|.50PUSHEAX;|Arg3
01001A39|.FF75>PUSHDWORDPTRSS:[EBP-18];|Arg2
01001A3C|.FF75>PUSHDWORDPTRSS:[EBP-C];|Arg1
01001A3F|.FF15>CALLDWORDPTRDS:[<&ADVAPI32.CreateProcessWi>;\CreateProcessWithLogonW
01001A45|.85C0TESTEAX,EAX
01001A47|.0F85>JNZrunas.01001B36
01001A4D|.33FFXOREDI,EDI
01001A4F|.C745>MOVDWORDPTRSS:[EBP-10],7B
////////////////////////////////////
[CODE]
过程基本分析完毕,要想达到我们的目的,只要在ReadConsoleW函数之后,将我们的已有密码添上就OK了。
思路:1、先将程序中提示输入密码和读取密码的函数NOP掉!从10016e2处开始一直到1001766
2、我们有现成的密码,也不用他来处理,所以嘛处理过程也NOP!从1007AD处开始到1007D4(哈哈,这下有足够的空间来写我们的代码了)
3、由于我们要用参数型式添入密码,而程序中有检测参数个数的语句,所以在CommandLineToArgvW函数后,将参数个数减1。
好!开工:
首先处理步骤1和2
然后修改1001586处
01001586JNZrunas.0100163E为01001586JNZrunas.010016F2
在010016EF处添加语句
010016EFJMPSHORTrunas.01001767//正常运行时跳过下面处理参数的两句
在010016F2处添加语句
010016F2DECDWORDPTRSS:[EBP-14]//将参数个数减1
010016F5JMPrunas.0100163E//跳回去
处理参数完毕,再处理密码:
修改01001767处
01001767TESTEAX,EAX为01001767XOREAX,EAX//标志位为零
从010017AF处开始添加语句
010017AFMOVEAX,DWORDPTRSS:[EBP-14]
010017B2INCEAX//将参数个数加1
010017B3MOVECX,DWORDPTRSS:[EBP+8]
010017B6NOP
010017B7NOP
010017B8MOVEAX,DWORDPTRDS:[ECX+EAX*4-4]
010017BCPUSHEAX;/String2
010017BDLEAEAX,DWORDPTRSS:[EBP-1198];|
010017C3NOP;|
010017C4PUSHEAX;|String1
010017C5CALLDWORDPTRDS:[<&KERNEL32.lstrcpyW>];\lstrcpyW
OK!!!处理完成!!!运行试试!真爽:)
再写个外壳调用就OK了:)
收工
-----------------------------------------------------------------
