邮箱:384896761@qq.com
https://www.52pojie.cn/thread-1483472-1-1.html
[资源求助] 联想智能云教室系统 V1.3.20.1109_C201105 最新官网版本
解答:
1. 3.客户端可以使用bscnt文件夹中的SetupCnt.exe跳过品牌检测成功安装
这个是不对的。虽然了跳过品牌机BIOS字串的检查,但是没有在注册表里面记录本机的MAC.
setup不只是检查BIOS字串的,还对MAC地址进行了验算.
IDA打开 setup.exe
从String Window里面找到:“本机器非联想机器”,
.data:00408190 s_KI db '本机器非联想机器',0 ; DATA XREF: _text_402810+5D
点击右边的引用 ,来到
.text:00402DDE pop ebx
.text:00402DDF jnz short _text_402DEE
.text:00402DDF
.text:00402DE1 push eax
.text:00402DE2 push offset s_A ; "错误"
.text:00402DE7 push offset s_KI ; "本机器非联想机器"
.text:00402DEC jmp short _text_402E29
.text:00402DEC
.text:00402DEE ; ---------------------------------------------------------------------------
.text:00402DEE
.text:00402DEE _text_402DEE: ; CODE XREF: _text_402810+5CF
.text:00402DEE cmp dword ptr [ebp+10Ch], 5
.text:00402DF5 jge short _text_402E05
.text:00402DF5
.text:00402DF7 push 0
.text:00402DF9 push offset s_A ; "错误"
.text:00402DFE push offset s_KIISGmIKKIBAI ; "联想智能云教室未授权此设备使用,请联系?...
.text:00402E03 jmp short _text_402E5A
.text:00402E03
.text:00402E05 ; ---------------------------------------------------------------------------
.text:00402E05
.text:00402E05 _text_402E05: ; CODE XREF: _text_402810+5E5
.text:00402E05 lea edx, [ebp+110h]
.text:00402E0B lea esi, [ebp+190h]
.text:00402E11 push edx
.text:00402E12 push esi
.text:00402E13 mov ecx, ebp
.text:00402E15 call _text_4023B0
.text:00402E15
.text:00402E1A test eax, eax
.text:00402E1C jnz short _text_402E42
.text:00402E1C
.text:00402E1E push eax
.text:00402E1F push offset s_Invalid ; "INVALID"
.text:00402E24 push offset s_KIISGmIKKIBAI ; "联想智能云教室未授权此设备使用,请联系?...
.text:00402E24
.text:00402E29
向上看
text:00402DD4 call _text_4027A0
点开 _text_4027A0
.text:004027A0 _text_4027A0 proc near ; CODE XREF: _text_402810+5C4
.text:004027A0
.text:004027A0 arg_0 = dword ptr 4
.text:004027A0
.text:004027A0 mov eax, [esp+arg_0]
.text:004027A4 mov cl, [eax]
.text:004027A6 cmp cl, 6Ch
.text:004027A9 jz short _text_4027B3
.text:004027A9
.text:004027AB cmp cl, 4Ch
.text:004027AE jz short _text_4027B3
.text:004027AE
.text:004027B0 xor eax, eax
.text:004027B2 retn
.text:004027B2
.text:004027B3 ; ---------------------------------------------------------------------------
.text:004027B3
.text:004027B3 _text_4027B3: ; CODE XREF: _text_4027A0+9
.text:004027B3 ; _text_4027A0+E
.text:004027B3 mov cl, [eax+1
.text:004027B6 cmp cl, 65h
.text:004027B9 jz short _text_4027C3
.text:004027B9
.text:004027BB cmp cl, 45h
.text:004027BE jz short _text_4027C3
.text:004027BE
.text:004027C0 xor eax, eax
.text:004027C2 retn
.text:004027C2
.text:004027C3 ; ---------------------------------------------------------------------------
.text:004027C3
.text:004027C3 _text_4027C3: ; CODE XREF: _text_4027A0+
.text:004027C3 ; _text_4027A0+1E
.text:004027C3 mov cl, [eax+2]
.text:004027C6 cmp cl, 6Eh
.text:004027C9 jz short _text_4027D3
.text:004027C9
.text:004027CB cmp cl, 4Eh
.text:004027CE jz short _text_4027D3
.text:004027CE
.text:004027D0 xor eax, eax
.text:004027D2 retn
.text:004027D2
这是一个大小写判断 lenovo LENOVO . 有此字串 ,ret eax==1
;---------------------------------------------------------
后面几个还有另外的判断,
到了这里
text:00402E42 _text_402E42: ; CODE XREF: _text_402810+60
.text:00402E42 push esi
.text:00402E43 call _text_402270
.text:00402E43
.text:00402E48 add esp, 4
.text:00402E4B test eax, eax
.text:00402E4D jnz short _text_402E73
.text:00402E4D
.text:00402E4F push eax
.text:00402E50 push offset s_A ; "错误"
.text:00402E55 push offset s_IVSAZ ; "记录网卡到注册表失败!!"
.text:00402E55
判断 _text_402270,就是记录MAC到注册表的
.text:00402270
.text:00402270 _text_402270 proc near ; CODE XREF: _text_402810+633
.text:00402270
.text:00402270 hKey = dword ptr -24h
.text:00402270 Data = byte ptr -20h
.text:00402270 arg_0 = dword ptr 4
.text:00402270
.text:00402270 sub esp, 24h
.text:00402273 push edi
.text:00402274 mov ecx, 7
.text:00402279 xor eax, eax
.text:0040227B lea edi, [esp+9]
.text:0040227F mov [esp+28h+Data], 0
.text:00402284 mov [esp+28h+hKey], 0
.text:0040228C rep stosd
.text:0040228E mov ecx, [esp+28h+arg_0]
.text:00402292 stosw
.text:00402294 stosb
.text:00402295 lea eax, [esp+28h+Data]
.text:00402299 push eax
.text:0040229A push ecx
.text:0040229B call _text_402210
.text:0040229B
.text:004022A0 add esp, 8
.text:004022A3 lea edx, [esp+28h+hKey]
.text:004022A7 push edx ; phkResult
.text:004022A8 push offset SubKey ; "SOFTWARE\\WFBS"
.text:004022AD push 80000002h ; hKey
.text:004022B2 call ds:RegOpenKeyA
.text:004022B8 mov edx, [esp+28h+hKey]
.text:004022BC test edx, edx
.text:004022BE jnz short _text_4022E4
.text:004022BE
.text:004022C0 lea eax, [esp+28h+hKey]
.text:004022C4 push eax ; phkResult
.text:004022C5 push offset SubKey ; "SOFTWARE\\WFBS"
.text:004022CA push 80000002h ; hKey
.text:004022CF call ds:RegCreateKeyA
.text:004022D5 mov edx, [esp+28h+hKey]
.text:004022D9 test edx, edx
.text:004022DB jnz short _text_4022E4
.text:004022DB
.text:004022DD xor eax, eax
.text:004022DF pop edi
.text:004022E0 add esp, 24h
.text:004022E3 retn
.text:004022E3
.text:004022E4 ; ---------------------------------------------------------------------------
.text:004022E4
.text:004022E4 _text_4022E4: ; CODE XREF: _text_402270+
.text:004022E4 ; _text_402270+6B
.text:004022E4 lea edi, [esp+28h+Data]
.text:004022E8 or ecx, 0FFFFFFFFh
.text:004022EB xor eax, eax
.text:004022ED repne scasb
.text:004022EF not ecx
.text:004022F1 push ecx ; cbData
.text:004022F2 lea ecx, [esp+2Ch+Data]
.text:004022F6 push ecx ; lpData
.text:004022F7 push 1 ; dwType
.text:004022F9 push eax ; Reserved
.text:004022FA push offset ValueName ; "NetCardMac"
.text:004022FF push edx ; hKey
.text:00402300 call ds:RegSetValueExA
.text:00402306 test eax, eax
.text:00402308 jz short _text_402311
.text:00402308
.text:0040230A xor eax, eax
.text:0040230C pop edi
.text:0040230D add esp, 24h
.text:00402310 retn
.text:00402310
.text:00402311 ; ---------------------------------------------------------------------------
.text:00402311
.text:00402311 _text_402311: ; CODE XREF: _text_402270+98
.text:00402311 mov edx, [esp+28h+hKey]
.text:00402315 push edx ; hKey
.text:00402316 call ds:RegCloseKey
.text:0040231C mov eax, 1
.text:00402321 pop edi
.text:00402322 add esp, 24h
.text:00402325 retn
这个前面面还有MAC的计算校验。
setup部分就是这些,
SetupCnt.exe 和SetupSvr.exe,的2个nsis的压缩包,里面还有文件在每次启动的时候,进行判断. |
吾爱游客
发表于 2023-4-24 10:03
发表于 2023-4-24 11:42
|
发表于 2023-4-24 19:45
