signed int __cdecl sub_42CB77(LPVOID lpInBuffer, LPVOID lpOutBuffer)
{
void *v2; // esi@1
signed int v4; // eax@3
void *v5; // edi@3
char v6; // [sp+96h] [bp-6h]@1
char v7; // [sp+97h] [bp-5h]@1
signed int v8; // [sp+8Ch] [bp-10h]@1
__int16 v9; // [sp+90h] [bp-Ch]@1
__int16 v10; // [sp+92h] [bp-Ah]@1
char v11; // [sp+94h] [bp-8h]@1
char v12; // [sp+95h] [bp-7h]@1
char v13; // [sp+98h] [bp-4h]@1
char v14; // [sp+99h] [bp-3h]@1
char v15; // [sp+9Ah] [bp-2h]@1
char v16; // [sp+9Bh] [bp-1h]@1
char v17; // [sp+8h] [bp-94h]@1
DWORD BytesReturned; // [sp+88h] [bp-14h]@4
v6 = 0;
v7 = 0;
v8 = -44953887;
v9 = -5543;
v10 = 4565;
v11 = -77;
v12 = -36;
v13 = -24;
v14 = -25;
v15 = -42;
v16 = -59;
sub_42CEDD(&v17, 0, 128);
v2 = lpInBuffer;
if ( *((_BYTE *)lpInBuffer + 2) == 21 )
return 30005; // USB狗不支持级联
v4 = Get_SerialSN_Umi1((int)&v8, (int)&v17, (int)lpInBuffer); // Get_SerialSN,获取狗内绑定值
v5 = (void *)v4;
if ( v4 != -1 ) // 命令字20时,下面是Get_Bind功能
{
if ( DeviceIoControl((HANDLE)v4, 0x222A94u, v2, 0x115u, lpOutBuffer, 0x107u, &BytesReturned, 0) )
{
CloseHandle(v5);
return 0;
}
GetLastError();
CloseHandle(v5);
Sleep(0x64u);
}
return 30002; // 没有找到硬件狗
}
------------------------------------------------------------------------
signed int __cdecl Get_SerialSN_Umi1(int a1, int a2, int a3)
{
HMODULE v3; // eax@1
unsigned int v4; // ebx@1
HMODULE v5; // edi@1
signed int v6; // esi@7
HGLOBAL v7; // eax@10
FARPROC v9; // eax@2
FARPROC v10; // eax@3
FARPROC v11; // eax@4
FARPROC v12; // eax@5
int v13; // eax@6
signed int v14; // eax@14
signed int v15; // [sp+2Ch] [bp-Ch]@1
HGLOBAL hMem; // [sp+30h] [bp-8h]@1
HMODULE hLibModule; // [sp+28h] [bp-10h]@1
int v18; // [sp+34h] [bp-4h]@6
int v19; // [sp+Ch] [bp-2Ch]@7
v15 = -1;
v4 = 0;
hMem = 0;
v3 = LoadLibraryA("setupapi.dll");
v5 = v3;
hLibModule = v3;
if ( v3 )
{
v9 = GetProcAddress(v3, "SetupDiGetClassDevsA");
dword_4BA00C = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))v9;
if ( v9 )
{
v10 = GetProcAddress(v5, "SetupDiEnumDeviceInterfaces");
dword_4BA008 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v10;
if ( v10 )
{
v11 = GetProcAddress(v5, "SetupDiGetDeviceInterfaceDetailA");
dword_4BA004 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v11;
if ( v11 )
{
v12 = GetProcAddress(v5, "SetupDiDestroyDeviceInfoList");
dword_4BA000 = (int (__stdcall *)(_DWORD))v12;
if ( v12 )
{
v13 = dword_4BA00C(a1, 0, 0, 18);
v18 = v13;
if ( v13 != -1 )
{
v6 = 4;
sub_42CDAF(&v19, 0, 28);
v19 = 28;
while ( 1 )
{
v6 *= 2;
if ( hMem )
GlobalFree(hMem);
v7 = GlobalAlloc(0x40u, 18 * v6);
if ( !v7 )
break;
hMem = (char *)v7 + 18 * v4;
while ( v4 < v6 )
{
if ( dword_4BA008(v18, 0, a1, v4, &v19) ) // 注意这个的返回
{
v14 = Get_SerialSN_Umi2(v18, &v19, a2, a3); // 这里Get_SerialSN
v15 = v14;
if ( v14 != -1 )
goto LABEL_21;
v15 = 0;
}
else
{
if ( GetLastError() == 259 )
{
LABEL_21:
if ( v18 )
dword_4BA000(v18);
if ( hMem )
GlobalFree(hMem);
FreeLibrary(hLibModule);
return v15;
}
}
++v4;
}
}
dword_4BA000(v18);
}
}
}
}
}
}
return 0;
}
-----------------------------------------------------------------------------
void *__cdecl Get_SerialSN_Umi2(int a1, int a2, int a3, int a4)
{
HGLOBAL v4; // edi@1
HANDLE v5; // eax@2
void *v6; // ebx@2
SIZE_T v8; // ebx@1
HGLOBAL v9; // eax@1
int v10; // ST0C_4@1
SIZE_T dwBytes; // [sp+18h] [bp-8h]@1
__int16 OutBuffer; // [sp+Ch] [bp-14h]@3
DWORD BytesReturned; // [sp+14h] [bp-Ch]@3
int v14; // [sp+1Ch] [bp-4h]@5
char v15; // [sp+Eh] [bp-12h]@5
dwBytes = 0;
dword_4BA004(a1, a2, 0, 0, &dwBytes, 0);
v8 = dwBytes;
v9 = GlobalAlloc(0x40u, dwBytes);
v4 = v9;
v10 = a2;
*(_DWORD *)v9 = 5;
if ( !dword_4BA004(a1, v10, v9, v8, &dwBytes, 0) )
goto LABEL_6;
sub_42CEC6(a3, (char *)v4 + 4);
v5 = CreateFileA((LPCSTR)v4 + 4, 0xC0000000u, 3u, 0, 3u, 0, 0);
v6 = v5;
if ( v5 != (HANDLE)-1 )
{
if ( !DeviceIoControl(v5, 0x222A90u, 0, 0, &OutBuffer, 8u, &BytesReturned, 0) )
{
GetLastError();
CloseHandle(v6);
LABEL_6:
v6 = (void *)-1;
goto LABEL_7;
}
sub_42CDAF(&v14, 0, 4); //开辟一个全0的4字节空间
BYTE2(v14) = v15 & 0xF;
LOWORD(v14) = OutBuffer;
if ( v14 + 810000 != *(_DWORD *)(a4 + 4) )
goto LABEL_6;
}
LABEL_7:
GlobalFree(v4);
return v6;
}
UMI微狗制工分析资料.zip
需积分: 9 59 浏览量
2022-09-24
20:05:31
上传
评论
收藏 6.87MB ZIP 举报
UMI微狗制工分析资料.zip (25个子文件) 
UMI微狗硬复制工具及分析资料 
总2.JPG 169KB 断绑定码.JPG 206KB
CloneDog的副本.exe 112KB
UMI复制工具.rar 768KB UMIDogClone.exe 112KB 读时a1的结构.jpg 354KB
IDA伪码加密Call.txt 2KB IDA伪码解密Call.txt 1KB 总1.JPG 325KB 解码Call.jpg 274KB
.DS_Store 8KB 写时a1的结构.jpg 384KB IDA伪码操作狗CALL.txt 6KB Get_SerialSN过程.jpg 428KB IDA伪码总1.jpg 202KB UMI工具1 DogEdt32_系统区.exe 1.67MB DogEdt32.exe 1.67MB Errcode.txt 5KB CloneDog.exe 112KB 加密call.jpg 392KB 读取长度限制.jpg 299KB 写入长度限制.jpg 319KB 读狗命令字.jpg 320KB UMI复制工具 UMI服务端.exe 1.42MB 专用驱动.exe 804KB
评论0