LoginAny 使用笔记
想实现在家办公,当公司有急事的时候,可以在家就处理掉;不必在家里和公司之间copy文件,免去劳苦奔波之苦。于是开始用远程软件。
1. VNN. 免费,主要面向游戏平台。
申请2个用户,互相加为密友,能够2台机器互访,但是只有vnnc302201-winall.zip版本能用(密友功能),且不能升级,一旦升级之后,将没有了密友功能。
用了一段时间,很不错。但不久之后,本地域内3389端口封了。理解,因为远程桌面的3389是个不安全的端口。
其实,把被控机器的Terminal Service 3389端口改掉, 理论上也是可行的,但是还是比较麻烦。
2. Hamachi, 很好用的的软件。推荐,IP局域网穿透。 3389端口还是不能连接,道理同上。
3. 改用LoginAny. 免费版每月只能远程桌面20分钟,文件传输3次。速度超快。 远程桌面是LoginAny开发的,所以不再用3389端口。
自己研究下能否逆向工程下…
———先看文件传输功能———–
打开eXeScope分析资源,首先查看文字:"文件传输已经达到最大使用次数!",String Id: 484
得知Dialog: 1218是提示对话框, Dialog: 1219是文件传输Form.
打开OllyICE,反编译后,
- 搜索4C2(1218), 找提示对话框的代码,自己标注附近的代码,这是一个功能函数。
搜索4C3(1219), 找文件传输Form相关代码。
搜索1E4(484), 找"文件传输已经达到最大使用次数!"的相关代码。
004938D0 /$ 55 push ebp
004938D1 |. 8BEC mov ebp, esp
004938D3 |. 6A FF push -1
004938D5 |. 68 87C25B00 push 005BC287 ; SE 处理程序安装
004938DA |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004938E0 |. 50 push eax
004938E1 |. 64:8925 00000>mov dword ptr fs:[0], esp
004938E8 |. 81EC BC000000 sub esp, 0BC
004938EE |. A1 BCEB6200 mov eax, dword ptr [62EBBC]
004938F3 |. 33C5 xor eax, ebp
004938F5 |. 8945 EC mov dword ptr [ebp-14], eax
004938F8 |. 898D 40FFFFFF mov dword ptr [ebp-C0], ecx
004938FE |. C785 4CFFFFFF>mov dword ptr [ebp-B4], 1
00493908 |. 6A 01 push 1
0049390A |. 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
00493910 |. 50 push eax
00493911 |. 8B8D 40FFFFFF mov ecx, dword ptr [ebp-C0]
00493917 |. E8 D4EFFFFF call 004928F0 ; 关键Call !!!!
0049391C |. 85C0 test eax, eax
0049391E |. 75 05 jnz short 00493925
00493920 |. E9 F8000000 jmp 00493A1D
00493925 |> C785 48FFFFFF>mov dword ptr [ebp-B8], 0
0049392F |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00493932 |. FF15 28B95C00 call dword ptr [<&MFC71.#310_ATL::CStringT<char,StrTrai>; MFC71.7C173199
00493938 |. C745 FC 00000>mov dword ptr [ebp-4], 0
0049393F |. 6A 00 push 0
00493941 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
00493947 |. E8 64D30800 call 00520CB0
0049394C |. C645 FC 01 mov byte ptr [ebp-4], 1
00493950 |. 8B8D 4CFFFFFF mov ecx, dword ptr [ebp-B4]
00493956 |. 51 push ecx
00493957 |. 68 DD000000 push 0DD
0049395C |. 8D55 F0 lea edx, dword ptr [ebp-10]
0049395F |. 52 push edx
00493960 |. 8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00493966 |. 50 push eax
00493967 |. 8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8]
0049396D |. 51 push ecx
0049396E |. 8B8D 40FFFFFF mov ecx, dword ptr [ebp-C0]
00493974 |. E8 A7190000 call 00495320 ; MessageBox ….
00493979 |. 85C0 test eax, eax
0049397B |. 75 21 jnz short 0049399E
0049397D |. C645 FC 00 mov byte ptr [ebp-4], 0
00493981 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
00493987 |. E8 24D40800 call 00520DB0
0049398C |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
00493993 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00493996 |. FF15 68B95C00 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTrai>; MFC71.7C1771B1
0049399C |. EB 7F jmp short 00493A1D
0049399E |> 8B95 48FFFFFF mov edx, dword ptr [ebp-B8]
004939A4 |. 52 push edx
004939A5 |. 68 2CF16200 push 0062F12C
004939AA |. 51 push ecx
004939AB |. 8BCC mov ecx, esp
004939AD |. 89A5 44FFFFFF mov dword ptr [ebp-BC], esp
004939B3 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004939B6 |. 50 push eax
004939B7 |. FF15 38B95C00 call dword ptr [<&MFC71.#297_ATL::CStringT<char,StrTrai>; MFC71.7C14E575
004939BD |. 8985 3CFFFFFF mov dword ptr [ebp-C4], eax
004939C3 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
004939C9 |. 51 push ecx
004939CA |. B9 E4F26200 mov ecx, 0062F2E4
004939CF |. E8 ECDAFCFF call 004614C0 ; 调用打开文件传输Form
004939D4 |. 8985 38FFFFFF mov dword ptr [ebp-C8], eax
004939DA |. 8B95 38FFFFFF mov edx, dword ptr [ebp-C8]
004939E0 |. 8995 50FFFFFF mov dword ptr [ebp-B0], edx
004939E6 |. 6A 05 push 5
004939E8 |. 8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
004939EE |. E8 6DCC1100 call <jmp.&MFC71.#6090_CWnd::ShowWindow>
004939F3 |. 8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
004939F9 |. E8 12D8FAFF call 00441210
004939FE |. C645 FC 00 mov byte ptr [ebp-4], 0
00493A02 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
00493A08 |. E8 A3D30800 call 00520DB0
00493A0D |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
00493A14 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00493A17 |. FF15 68B95C00 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTrai>; MFC71.7C1771B1
00493A1D |> 8B4D F4 mov ecx, dword ptr [ebp-C]
00493A20 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00493A27 |. 8B4D EC mov ecx, dword ptr [ebp-14]
00493A2A |. 33CD xor ecx, ebp
00493A2C |. E8 5ADE1100 call 005B188B
00493A31 |. 8BE5 mov esp, ebp
00493A33 |. 5D pop ebp
00493A34 \. C3 retn
在0049 3917发现关键Call.
决定修改其后的跳转,
00493920 |. E9 F8000000 jmp 00493A1D 这一行是跳过调用打开文件传输Form的代码。
把它改为:
00493920 |. 90 90909090 Nop 什么也不做
经试验,文件传输功能可以超过3次的使用了。
———远程桌面的功能———-
远程桌面的功能只能连接20分钟。 解决办法还是老一套:
打开eXeScope分析资源,找到对话框:远程桌面,ID=1306.
打开OllyICE,搜索常量1306,很快定位下面代码:
00493670 /$ 55 push ebp
00493671 |. 8BEC mov ebp, esp
00493673 |. 6A FF push -1
00493675 |. 68 69C25B00 push 005BC269 ; SE 处理程序安装
0049367A |. 64:A1 0000000>mov eax, dword ptr fs:[0]
00493680 |. 50 push eax
00493681 |. 64:8925 00000>mov dword ptr fs:[0], esp
00493688 |. 81EC D4000000 sub esp, 0D4
0049368E |. A1 BCEB6200 mov eax, dword ptr [62EBBC]
00493693 |. 33C5 xor eax, ebp
00493695 |. 8945 EC mov dword ptr [ebp-14], eax
00493698 |. 898D 30FFFFFF mov dword ptr [ebp-D0], ecx
0049369E |. C785 50FFFFFF>mov dword ptr [ebp-B0], 0
004936A8 |. 6A 01 push 1
004936AA |. 8B85 50FFFFFF mov eax, dword ptr [ebp-B0]
004936B0 |. 50 push eax
004936B1 |. 8B8D 30FFFFFF mov ecx, dword ptr [ebp-D0]
004936B7 |. E8 34F2FFFF call 004928F0 ; 关键Call–remote desk.
004936BC |. 85C0 test eax, eax
004936BE |. 75 05 jnz short 004936C5
004936C0 |. E9 F0010000 jmp 004938B5
004936C5 |> C785 4CFFFFFF>mov dword ptr [ebp-B4], 0
004936CF |. 6A 00 push 0
004936D1 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
004936D7 |. E8 D4D50800 call 00520CB0
004936DC |. C745 FC 00000>mov dword ptr [ebp-4], 0
004936E3 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004936E6 |. FF15 28B95C00 call dword ptr [<&MFC71.#310_ATL::CStringT<char,StrTrai>; MFC71.7C173199
004936EC |. C645 FC 01 mov byte ptr [ebp-4], 1
004936F0 |. 8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
004936F6 |. 51 push ecx
004936F7 |. 68 19010000 push 119
004936FC |. 8D55 F0 lea edx, dword ptr [ebp-10]
004936FF |. 52 push edx
00493700 |. 8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00493706 |. 50 push eax
00493707 |. 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
0049370D |. 51 push ecx
0049370E |. 8B8D 30FFFFFF mov ecx, dword ptr [ebp-D0]
00493714 |. E8 071C0000 call 00495320 ; 消息处理
00493719 |. 85C0 test eax, eax
0049371B |. 75 24 jnz short 00493741
0049371D |. C645 FC 00 mov byte ptr [ebp-4], 0
00493721 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00493724 |. FF15 68B95C00 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTrai>; MFC71.7C1771B1
0049372A |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
00493731 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
00493737 |. E8 74D60800 call 00520DB0 ; 字符处理
0049373C |. E9 74010000 jmp 004938B5
00493741 |> 817D A4 01030>cmp dword ptr [ebp-5C], 90301
00493748 |. 0F83 E8000000 jnb 00493836
0049374E |. 8B95 4CFFFFFF mov edx, dword ptr [ebp-B4]
00493754 |. 52 push edx
00493755 |. 6A 00 push 0
00493757 |. 51 push ecx
00493758 |. 8BCC mov ecx, esp
0049375A |. 89A5 38FFFFFF mov dword ptr [ebp-C8], esp
00493760 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00493763 |. 50 push eax
00493764 |. FF15 38B95C00 call dword ptr [<&MFC71.#297_ATL::CStringT<char,StrTrai>; MFC71.7C14E575
0049376A |. 8985 2CFFFFFF mov dword ptr [ebp-D4], eax
00493770 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
00493776 |. 51 push ecx
00493777 |. B9 E4F26200 mov ecx, 0062F2E4
0049377C |. E8 BFD7FCFF call 00460F40 ; ???? XX new opeator
00493781 |. 8985 28FFFFFF mov dword ptr [ebp-D8], eax
00493787 |. 8B95 28FFFFFF mov edx, dword ptr [ebp-D8]
0049378D |. 8995 48FFFFFF mov dword ptr [ebp-B8], edx
00493793 |. 83BD 48FFFFFF>cmp dword ptr [ebp-B8], 0
0049379A |. 0F85 94000000 jnz 00493834
004937A0 |. 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
004937A6 |. FF15 28B95C00 call dword ptr [<&MFC71.#310_ATL::CStringT<char,StrTrai>; MFC71.7C173199
004937AC |. C645 FC 02 mov byte ptr [ebp-4], 2
004937B0 |. 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
004937B6 |. FF15 28B95C00 call dword ptr [<&MFC71.#310_ATL::CStringT<char,StrTrai>; MFC71.7C173199
004937BC |. C645 FC 03 mov byte ptr [ebp-4], 3
004937C0 |. FF15 90AA5C00 call dword ptr [<&KERNEL32.GetLastError>] ; [GetLastError
004937C6 |. 50 push eax
004937C7 |. 68 42010000 push 142
004937CC |. 8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
004937D2 |. 50 push eax
004937D3 |. FF15 3CB95C00 call dword ptr [<&MFC71.#2321_ATL::CStringT<char,StrTra>; MFC71.7C18B260
004937D9 |. 83C4 0C add esp, 0C
004937DC |. 68 00E00000 push 0E000
004937E1 |. 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
004937E7 |. FF15 2CB95C00 call dword ptr [<&MFC71.#4035_ATL::CStringT<char,StrTra>; MFC71.7C153789
004937ED |. 6A 40 push 40
004937EF |. 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
004937F5 |. FF15 30B95C00 call dword ptr [<&MFC71.#876_ATL::CSimpleStringT<char,1>; MFC71.7C158BCD
004937FB |. 50 push eax
004937FC |. 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
00493802 |. FF15 30B95C00 call dword ptr [<&MFC71.#876_ATL::CSimpleStringT<char,1>; MFC71.7C158BCD
00493808 |. 50 push eax
00493809 |. 8B8D 30FFFFFF mov ecx, dword ptr [ebp-D0]
0049380F |. E8 5ECE1100 call <jmp.&MFC71.#4104_CWnd::MessageBoxA>
00493814 |. C645 FC 02 mov byte ptr [ebp-4], 2
00493818 |. 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
0049381E |. FF15 68B95C00 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTrai>; MFC71.7C1771B1
00493824 |. C645 FC 01 mov byte ptr [ebp-4], 1
00493828 |. 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
0049382E |. FF15 68B95C00 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTrai>; MFC71.7C1771B1
00493834 |> EB 60 jmp short 00493896 ; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
00493836 |> 8B8D 4CFFFFFF mov ecx, dword ptr [ebp-B4]
0049383C |. 51 push ecx
0049383D |. 68 2CF16200 push 0062F12C
00493842 |. 51 push ecx
00493843 |. 8BCC mov ecx, esp
00493845 |. 89A5 34FFFFFF mov dword ptr [ebp-CC], esp
0049384B |. 8D55 F0 lea edx, dword ptr [ebp-10]
0049384E |. 52 push edx
0049384F |. FF15 38B95C00 call dword ptr [<&MFC71.#297_ATL::CStringT<char,StrTrai>; MFC71.7C14E575
00493855 |. 8985 24FFFFFF mov dword ptr [ebp-DC], eax
0049385B |. 8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00493861 |. 50 push eax
00493862 |. B9 E4F26200 mov ecx, 0062F2E4
00493867 |. E8 74D9FCFF call 004611E0 ; 调用1:远程桌面的Form
0049386C |. 8985 20FFFFFF mov dword ptr [ebp-E0], eax
00493872 |. 8B8D 20FFFFFF mov ecx, dword ptr [ebp-E0]
00493878 |. 898D 3CFFFFFF mov dword ptr [ebp-C4], ecx
0049387E |. 6A 05 push 5
00493880 |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
00493886 |. E8 D5CD1100 call <jmp.&MFC71.#6090_CWnd::ShowWindow>
0049388B |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
00493891 |. E8 1A72F9FF call 0042AAB0
00493896 |> C645 FC 00 mov byte ptr [ebp-4], 0
0049389A |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0049389D |. FF15 68B95C00 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTrai>; MFC71.7C1771B1
004938A3 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004938AA |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
004938B0 |. E8 FBD40800 call 00520DB0
004938B5 |> 8B4D F4 mov ecx, dword ptr [ebp-C]
004938B8 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004938BF |. 8B4D EC mov ecx, dword ptr [ebp-14]
004938C2 |. 33CD xor ecx, ebp
004938C4 |. E8 C2DF1100 call 005B188B
004938C9 |. 8BE5 mov esp, ebp
004938CB |. 5D pop ebp
004938CC \. C3 retn
找到关键Call.
004936B7 |. E8 34F2FFFF call 004928F0 ; 关键Call–remote desk.
修改关键call之后的跳转:
004936C0 |. E9 F0010000 jmp 004938B5
修改为什么都不作。免得它影响后面的代码。
用9090909090 填充。
经试验,远程桌面功能可以超过20分钟的使用了。
实际摸索中还是走了不少弯路,总结经验为:在OllyDbg中,看过的弄明白的函数,要自己加上注释。 在看其他相关的代码的时候,极有可能就碰到了自己曾经注释过的代码,这样一下子就全通了。