看看激活过程系统做了些什么东西
hResult = SLActivateProduct(hSLC, ref bSkuId, null, null, null, null, 0);
关联API及函数:
WINHTTP.DLL WinHttpCrackUrl WinHttpOpen inHttpGetDefaultProxyConfiguration WinHttpSetTimeouts WinHttpConnect WinHttpOpenRequest WinHttpCreateUrl WinHttpSetOption WinHttpGetIEProxyConfigForCurrentUser WinHttpGetProxyForUrl WinHttpCrackUrl WinHttpCloseHandle WinHttpSendRequest WinHttpAddRequestHeaders WinHttpCreateUrl WinHttpSetStatusCallback WinHttpGetProxyForUrlEx2 WinHttpFreeProxyResultEx WinHttpReceiveResponse WinHttpQueryHeaders WinHttpReadData
大致应该是这样(密钥激活过程):加密密钥及硬件等信息,利用httprequest post这些信息到指定网址,如果错误返回错误代码,如果正确返回合法licenseID. 将这些信息存储到SSL Store.Windows调用一系列算法如果该license对应的各种信息是合法就激活系统。
经过拦截WinHttpOpen找到sppcext.dll中的调用加密密钥数据后调用httprequest的关键部分,这样可以不通过安装密钥的模式直接通过sppcext.dll获取错误代码.
.text:572CCD4B lea eax, [ebp-0ACh]
.text:572CCD51 mov edx, esi ; pSKUId
.text:572CCD53 push eax ; ActivationInfo
.text:572CCD54 mov ecx, ebx ; hSLCs
.text:572CCD56 call GetEncryptKey ; 第一层
.text:572CCD5B ; 232: *(_DWORD *)Data = hGet;
.text:572CCD5B mov [ebp-70h], eax
text:572CAFC1 push [ebp+ActivationInfo] ; ActivationInfo
.text:572CAFC4 mov edx, [ebp+pSKUID] ; skuid
.text:572CAFC7 mov ecx, [ebp+hslc] ; hSlc
.text:572CAFCA ; 51: int_1 = 1;
.text:572CAFCA mov [ebp+int_1], 1
.text:572CAFD1 call geterrercode ; 第二层
.text:572CAFD6 ; 53: hSLpSetActivationInProgress = hErrorcode;
.text:572CAFD6 mov ebx, eax
.text:572CA8AF push eax
.text:572CA8B0 call GetResult ; 第三层
.text:572CA8B5 mov esi, eax
.text:572CA125 push [ebp+lpMem] ; int
.text:572CA128 lea edx, [esi+64h]
.text:572CA12B push [ebp+var_C] ; int
.text:572CA12E push eax ; psz
.text:572CA12F push ecx ; int
.text:572CA130 push edx ; int
.text:572CA131 mov ecx, esi
.text:572CA133 call GetRes ; 第四层
.text:572CA138 mov [esi+60h], eax
.text:572CA13B ; 107: sub_572C8E58(0);
.text:572CA13B xor ecx, ecxvoid *__fastcall GetEncryptKey(int hSLCs, SLID *pSKUId, int ActivationInfo)
{
char *v3; // esi
void *v4; // ecx
char *v5; // edi
void *hSLpSetActivationInProgress; // ebx
void *hGetProductSku; // eax
void *v8; // eax
void *v9; // eax
void *hErrorcode; // eax
char v12; // [esp+10h] [ebp-2Ch]
BYTE pbValue[4]; // [esp+14h] [ebp-28h]
int a3a; // [esp+18h] [ebp-24h]
int v15; // [esp+1Ch] [ebp-20h]
int v16; // [esp+20h] [ebp-1Ch]
int int_1; // [esp+24h] [ebp-18h]
int v18; // [esp+28h] [ebp-14h]
char *v19; // [esp+2Ch] [ebp-10h]
char *v20; // [esp+30h] [ebp-Ch]
int hslc; // [esp+34h] [ebp-8h]
SLID *pSKUID; // [esp+38h] [ebp-4h]
int savedregs; // [esp+3Ch] [ebp+0h]
hslc = hSLCs;
v3 = 0;
v16 = 0;
v4 = *(void **)(ActivationInfo + 12);
v5 = 0;
v15 = 0;
int_1 = 0;
pSKUID = pSKUId;
v19 = 0;
v20 = 0;
hSLpSetActivationInProgress = (void *)sub_55C06B08(v4, &v18);
if ( (signed int)hSLpSetActivationInProgress < 0 )
goto LABEL_2;
hGetProductSku = (void *)GetProductSkuInformation(hslc, (int)pSKUID, &a3a);
hSLpSetActivationInProgress = hGetProductSku;
if ( (signed int)hGetProductSku < 0 )
{
sub_55C08E2B(hGetProductSku);
sub_55C21625(dword_55BEF908, &unk_55C4C738);
goto LABEL_22;
}
if ( !a3a )
{
if ( v18 )
goto LABEL_22;
hSLpSetActivationInProgress = (void *)SLpSetActivationInProgress(hslc, pSKUID);
if ( (signed int)hSLpSetActivationInProgress >= 0 )
{
int_1 = 1;
hErrorcode = (void *)geterrercode((int)pSKUID, hslc, (int)&savedregs, 0, 0, ActivationInfo);
hSLpSetActivationInProgress = hErrorcode;
if ( (signed int)hErrorcode >= 0 )
goto LABEL_21;
sub_55C08E2B(hErrorcode);
sub_55C21348(&dword_55C03228, &unk_55C4BC00);
LABEL_20:
if ( !int_1 )
goto LABEL_22;
goto LABEL_21;
}
goto LABEL_2;
}
if ( v18 )
{
*(_DWORD *)pbValue = 1;
hSLpSetActivationInProgress = (void *)SLSetGenuineInformation(
pSKUID,
L"SL_ACTIVATION_VALIDATION_IN_PROGRESS",
SL_DATA_DWORD,
4u,
pbValue);
if ( (signed int)hSLpSetActivationInProgress >= 0 )
goto LABEL_11;
LABEL_2:
sub_55C08E2B(hSLpSetActivationInProgress);
goto LABEL_22;
}
hSLpSetActivationInProgress = (void *)SLpSetActivationInProgress(hslc, pSKUID);
sub_55C20DA2(&dword_55C022C0, &unk_55C4C4D0);
if ( (signed int)hSLpSetActivationInProgress < 0 )
goto LABEL_2;
int_1 = 1;
v8 = (void *)sub_55C0AB42(hslc, pSKUID, ActivationInfo);
hSLpSetActivationInProgress = v8;
if ( (signed int)v8 >= 0 )
{
LABEL_11:
hSLpSetActivationInProgress = (void *)sub_55C0AD04(&v19, &v20);
if ( (signed int)hSLpSetActivationInProgress < 0
|| (hSLpSetActivationInProgress = (void *)SLOpen(&v16), (signed int)hSLpSetActivationInProgress < 0) )
{
sub_55C08E2B(hSLpSetActivationInProgress);
v3 = v19;
v5 = v20;
}
else
{
v5 = v20;
v3 = v19;
v9 = (void *)sub_55C1ED09(v19, v20, 0, pSKUID, v18 == 0 ? ActivationInfo : 0, 1, &v15, &v12);
hSLpSetActivationInProgress = v9;
if ( (signed int)v9 < 0 )
sub_55C08E2B(v9);
}
goto LABEL_20;
}
sub_55C08E2B(v8);
LABEL_21:
SLpClearActivationInProgress(hslc, pSKUID);
LABEL_22:
sub_55C08E58(hSLpSetActivationInProgress);
sub_55C0B09C(&v15);
if ( v5 )
{
sub_55C08F07(v5);
sub_55C2107D(&dword_55C0371C, &unk_55C4B99C);
}
if ( v3 )
sub_55C08F07(v3);
sub_55C0B049(&v16);
return hSLpSetActivationInProgress;
}主要就一处,只要从外部找到这个函数(因为不是输出函数,只能通过基地址加函数入口地址的偏移量定位),直接就可以调用这个函数获取错误代码:
hErrorcode = (void *)geterrercode(hslc,(int)pSKUID, (int)&savedregs, 0, 0, ActivationInfo);以32位的10.0.18362.1为例,比如dll的入口地址为0x10000000,该函数的地址为0x1002A791,偏移量为0x2A791.如果不会算可以找个已有的输出函数做为中间值计算.
public enum SL_ACTIVATION_TYPE
{
SL_ACTIVATION_TYPE_DEFAULT,
SL_ACTIVATION_TYPE_ACTIVE_DIRECTORY
}
public struct SL_ACTIVATION_INFO_HEADER
{
public uint cbSize;
public SL_ACTIVATION_TYPE type;
}
public struct SL_AD_ACTIVATION_INFO
{
public SL_ACTIVATION_INFO_HEADER header;
public string pwszProductKey;
public string pwszActivationObjectName;
}
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
private delegate int GetErrerCode(ref SLID pProductSkuId, IntPtr hSLC, IntPtr unknown, int unk1, int unk2, SL_ACTIVATION_INFO_HEADER pActivationInfo);
//第三个参数具体不详,可能会引起内存写入异常
RetID = PidGenX(Keys, pkeyfilePath, "XXXXX", 0, PID, DPID3, DPID4);
if (RetID == 0)
{
DigitalProductId3 pid3 = (DigitalProductId3)Marshal.PtrToStructure(DPID3, typeof(DigitalProductId3));
DigitalProductId4 pid4 = (DigitalProductId4)Marshal.PtrToStructure(DPID4, typeof(DigitalProductId4));
string szActivationId = Encoding.Unicode.GetString(pid4.szActivationId).Replace("\0", "");
Guid GuidSkuId = new Guid(szActivationId);
IntPtr hSLC = new IntPtr();
int hResult = SLOpen(ref hSLC);
if (hResult == 0)
{
hResult = SLpSetActivationInProgress( hSLC, ref GuidSkuId);
if (hResult==0)
{
IntPtr pDll = LoadLibrary("sppcext.dll");
if (pDll != IntPtr.Zero)
{
var hMod = GetModuleHandle("sppcext");
if (hMod == IntPtr.Zero)
{
Console.WriteLine(Marshal.GetLastWin32Error());
}
var pGetErrerCode = hMod + 0x2A791;
GetErrerCode GetErrerCodeFunc = (GetErrerCode)Marshal.GetDelegateForFunctionPointer(pGetErrerCode, typeof(GetErrerCode));
IntPtr Values = Marshal.AllocHGlobal(128);
var hErrorCode = GetErrerCodeFunc(ref GuidSkuId, hSLC, Values, 0, 0, value);
if (hErrorCode != 0)
{
Console.WriteLine(hResult.ToString());
}
else
{
Console.WriteLine("在线密钥");
}
bool hFree = FreeLibrary(pDll);
Marshal.FreeHGlobal(Values);
}
}
hResult = SLpClearActivationInProgress(hSLC, GuidSkuId.ToByteArray());
}
}
}64位dll:
.text:00007FF9B03DD380 lea r8, [rsp+180h+ptr] ; ptr
.text:00007FF9B03DD385 mov rdx, r14 ; pProductSkuId
.text:00007FF9B03DD388 mov rcx, r15 ; hSLC
.text:00007FF9B03DD38B call GetResult ; 第一层
.text:00007FF9B03DD390 ; 290: hrCode = hRes;
.text:00007FF9B03DD390 mov [rsp+180h+hrCode], eax
hRes = GetResult(hSLC, pProductSkuId, (__int64)&ptr);// 第一层
偏移地址RVA=0xAA4C
.text:00007FF9B03DAC43 mov r8, r13 ; activateinfo
.text:00007FF9B03DAC46 ; 77: v36 = 1;
.text:00007FF9B03DAC46 mov [rbp+arg_10], 1
.text:00007FF9B03DAC4D mov rdx, r14 ; SKUID
.text:00007FF9B03DAC50 mov rcx, r15 ; hSLC
.text:00007FF9B03DAC53 call GetRes ; 第二层
hResult = GetRes(SLC, SKUID, intptr); // 第二层
偏移地址RVA=0xA1D4
.text:00007FF9BE4CA24A ; 47: res = VertifyKey(slc, pSKUID, 1, (_DWORD **)activateinfo, (__int64)&int128);
.text:00007FF9BE4CA24A lea rax, [rsp+130h+int128]
.text:00007FF9BE4CA24F mov r9, rsi
.text:00007FF9BE4CA252 mov r8d, 1
.text:00007FF9BE4CA258 mov [rsp+130h+var_110], rax
.text:00007FF9BE4CA25D ; 44: v5 = sub_7FF9BE4C45D0(v4);
.text:00007FF9BE4CA25D mov rdx, rdi
.text:00007FF9BE4CA260 mov rcx, r14
.text:00007FF9BE4CA263 call VertifyKey ; 调用SLpGetLicenseAcquisitionInfo,该函数必须返回0值
res = VertifyKey(slc, pSKUID, 1, (_DWORD **)activateinfo, (__int64)&int128);
...
.text:00007FF9B03DA33C mov rax, [rbp+30h+var_B0]
.text:00007FF9B03DA340 lea rcx, [rsi+28h] ; slc
.text:00007FF9B03DA344 ; 76: Dst = v19;
.text:00007FF9B03DA344 mov [rbp+30h+Dst], rax
.text:00007FF9B03DA348 lea r8, [rbp+30h+Dst] ; a3
.text:00007FF9B03DA34C mov rax, [rbp+30h+var_A0]
.text:00007FF9B03DA350 mov rdx, r14 ; skuid
.text:00007FF9B03DA353 ; 77: v27 = v20;
.text:00007FF9B03DA353 mov [rbp+30h+var_38], rax
.text:00007FF9B03DA357 ; 78: v28 = v21;
.text:00007FF9B03DA357 mov eax, [rbp+30h+var_98]
.text:00007FF9B03DA35A mov [rbp+30h+var_30], eax
.text:00007FF9B03DA35D call activateinfo ; 第三层
errorcode = ::activateinfo((_DWORD *)pActivateinfo + 10, slc, (__int64)&Dst);
偏移地址RVA=0x95D4
.text:00007FF9A9E896A3 loc_7FF9A9E896A3: ; CODE XREF: activateinfo+C1↑j
.text:00007FF9A9E896A3 mov r9d, [rbp+40h+var_C0]
.text:00007FF9A9E896A7 lea rax, [rbp+40h+var_A0]
.text:00007FF9A9E896AB mov r8, [rbp+40h+var_90]
.text:00007FF9A9E896AF mov rdx, r13
.text:00007FF9A9E896B2 mov [rsp+140h+var_108], rax
.text:00007FF9A9E896B7 mov rcx, r12
.text:00007FF9A9E896BA lea rax, [rbp+40h+var_A8]
.text:00007FF9A9E896BE mov [rsp+140h+var_110], rax
.text:00007FF9A9E896C3 lea rax, [rsp+140h+var_FC]
.text:00007FF9A9E896C8 mov [rsp+140h+var_118], rax
.text:00007FF9A9E896CD lea rax, [rbp+40h+var_B0]
.text:00007FF9A9E896D1 mov [rsp+140h+var_120], rax
.text:00007FF9A9E896D6 call httprequest ; 发送请求数据
...
.text:00007FF9A9E8978F loc_7FF9A9E8978F: ; CODE XREF: activateinfo+164↑j
.text:00007FF9A9E8978F ; activateinfo+195↑j
.text:00007FF9A9E8978F mov r8, [r13+18h]
.text:00007FF9A9E89793 mov rdx, [r13+20h]
.text:00007FF9A9E89797 ; 142: v11 = sub_7FF9B08E8668(v5);
.text:00007FF9A9E89797
.text:00007FF9A9E89797 loc_7FF9A9E89797: ; CODE XREF: activateinfo+1AB↑j
.text:00007FF9A9E89797 mov r9d, [rsp+140h+var_FC]
.text:00007FF9A9E8979C mov rcx, rbx
.text:00007FF9A9E8979F mov [rsp+140h+var_120], rdi
.text:00007FF9A9E897A4 call post ;通过POST获取错误代码
...
.text:00007FF9B03D9829 loc_7FF9B03D9829: ; CODE XREF: activateinfo+21A↑j
.text:00007FF9B03D9829 test rax, rax
.text:00007FF9B03D982C mov r8d, r12d
.text:00007FF9B03D982F ; 159: if ( v17 )
.text:00007FF9B03D982F cmovnz r9, rax
.text:00007FF9B03D9833 mov rax, [r13+58h]
.text:00007FF9B03D9837 mov edx, [rax+0Ch]
.text:00007FF9B03D983A call Get ; 第四层
Get(v14, *(unsigned int *)(*(_QWORD *)(v4 + 88) + 12i64), (unsigned int)RESULTS, v16, v6);// 第四层
```c
拿第二层的这个函数测试下:
```c#
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
private delegate int GetResult(IntPtr hSLC, ref SLID pProductSkuId, byte[] pActivationInfo);
Guid GuidSkuId = new Guid(szActivationId);
IntPtr hSLC = new IntPtr();
int hResult = SLOpen(ref hSLC);
if (hResult == 0)
{
hResult = SLpSetActivationInProgress( hSLC, ref GuidSkuId);
if (hResult==0)
{
IntPtr pDll = LoadLibrary("sppcext.dll");
if (pDll != IntPtr.Zero)
{
var hMod = GetModuleHandle("sppcext");
if (hMod == IntPtr.Zero)
{
Console.WriteLine(Marshal.GetLastWin32Error());
}
var pGetResult = hMod + 0xA1D4;
GetResult GetResultFunc = (GetResult)Marshal.GetDelegateForFunctionPointer(pGetResult, typeof(GetResult));
byte[] Activatinfo = new byte[64];
var hErrorCode = GetResultFunc(hSLC, ref GuidSkuId, value);
if (hErrorCode != 0)
{
Console.WriteLine(hResult.ToString());
}
else
{
Console.WriteLine("在线密钥");
}
bool hFree = FreeLibrary(pDll);
}
}
hResult = SLpClearActivationInProgress(hSLC, GuidSkuId.ToByteArray());
}
}
