破解USB HID 設備接口協議

分析 USB HID 設備接口協議

工具： OllyDbg，Bus hound

程序識別USB HID外設的方法：調用HidD_GetHidGuid函數獲取HID設備的類標識，調用SetupDiGetClassDevs函數查詢所有已安裝的HID設備，得到一個指向該HID設備集合的句柄，調用SetupDiEnumDeviceInterface函數查詢HID設備集中每一個設備的接口信息，對每一個接口，調用SetupDiGetDeviceInterfaceDetail函數獲取其詳細的信息，包括設備名稱（頭四個字節），CreateFile用此設備名打開設備，調用SetupDiDestroyDeviceInfoList函數釋放設備信息集合；第二步，打開設備，獲取設備的屬性值以及設備能力描述，調用CreaterFile函數打開本設備。調用HidD_GetAttributes函數，獲取USB設備的有關屬性。它包含了設備的廠商ID、產品ID及產品的版本號等。

啓動OllyDbg 裝入模擬器軟件，下斷點 HidD_GetAttributes，CreateFile，這個函數是能把HID 的關鍵信息獲取。


004417B2   . 8B0D D8CD9500  MOV ECX,DWORD PTR DS:[95CDD8]    
004417B8   . A3 00CE9500    MOV DWORD PTR DS:[95CE00],EAX
004417BD   . 33D2           XOR EDX,EDX
004417BF   . 8BC1           MOV EAX,ECX
004417C1   . 8A15 D7CD9500  MOV DL,BYTE PTR DS:[95CDD7]      
004417C7   . 25 FF000000    AND EAX,0FF
004417CC   . 8BF2           MOV ESI,EDX                    
004417CE   . 8BD0           MOV EDX,EAX
004417D0   . 83E2 03        AND EDX,3                        
004417D3   . 33DB           XOR EBX,EBX 
004417D5   . C1E2 08        SHL EDX,8                        
004417D8   . 8A1D D6CD9500  MOV BL,BYTE PTR DS:[95CDD6]    
004417DE   . 8D9432 DC03000>LEA EDX,DWORD PTR DS:[EDX+ESI+3DC]
004417E5   . 8915 E0CD9500  MOV DWORD PTR DS:[95CDE0],EDX     
004417EB   . 8BD0           MOV EDX,EAX
004417ED   . 83E2 0C        AND EDX,0C                     
004417F0   . C1E2 06        SHL EDX,6                      
004417F3   . 8D941A DC03000>LEA EDX,DWORD PTR DS:[EDX+EBX+3DC] 
004417FA   . 33DB           XOR EBX,EBX
004417FC   . 8915 E4CD9500  MOV DWORD PTR DS:[95CDE4],EDX  
00441802   . 8BD0           MOV EDX,EAX
00441804   . 83E2 30        AND EDX,30                        
00441807   . 8ADD           MOV BL,CH                         
00441809   . C1E2 04        SHL EDX,4                        
0044180C   . 25 C0000000    AND EAX,0C0                     
00441811   . 8D8C1A DC03000>LEA ECX,DWORD PTR DS:[EDX+EBX+3DC] 
00441818   . 33D2           XOR EDX,EDX
0044181A   . 8A15 D5CD9500  MOV DL,BYTE PTR DS:[95CDD5]       
00441820   . 890D E8CD9500  MOV DWORD PTR DS:[95CDE8],ECX    
00441826   . 8D8482 DC03000>LEA EAX,DWORD PTR DS:[EDX+EAX*4+3DC] 
0044182D   . A3 ECCD9500    MOV DWORD PTR DS:[95CDEC],EAX      
00441832   . A1 DCCD9500    MOV EAX,DWORD PTR DS:[95CDDC]      
00441837   . A8 40          TEST AL,40  
00441839   . 74 41          JE SHORT REFLEX.0044187C 
0044183B   . 25 FF000000    AND EAX,0FF  
00441840   . 33D2           XOR EDX,EDX
00441842   . 8A15 DBCD9500  MOV DL,BYTE PTR DS:[95CDDB]  //取CH5的低8位數據
00441848   . 8BC8           MOV ECX,EAX
0044184A   . 83E1 0C        AND ECX,0C
0044184D   . C1E1 06        SHL ECX,6
00441850   . 8D8C11 DC03000>LEA ECX,DWORD PTR DS:[ECX+EDX+3DC]
00441857   . 8BD0           MOV EDX,EAX
00441859   . 83E2 03        AND EDX,3       //取CH6 的高2位
0044185C   . 890D F8CD9500  MOV DWORD PTR DS:[95CDF8],ECX //保存CH5
00441862   . C1E2 08        SHL EDX,8
00441865   . 33C9           XOR ECX,ECX
00441867   . 8A0D DACD9500  MOV CL,BYTE PTR DS:[95CDDA]   //取CH6 的低8位
0044186D   . 8D940A DC03000>LEA EDX,DWORD PTR DS:[EDX+ECX+3DC]  //計算出CH6 數據
00441874   . 8915 FCCD9500  MOV DWORD PTR DS:[95CDFC],EDX // 保存CH6 數據
0044187A   . EB 4A          JMP SHORT REFLEX.004418C6
0044187C   > 25 FF000000    AND EAX,0FF
00441881   . 33D2           XOR EDX,EDX
00441883   . 8A15 DBCD9500  MOV DL,BYTE PTR DS:[95CDDB]
00441889   . 8BC8           MOV ECX,EAX
0044188B   . 83E1 0C        AND ECX,0C
0044188E   . C1E1 06        SHL ECX,6
00441891   . 8D8C11 DC03000>LEA ECX,DWORD PTR DS:[ECX+EDX+3DC]
00441898   . 8BD0           MOV EDX,EAX
0044189A   . 890D F0CD9500  MOV DWORD PTR DS:[95CDF0],ECX
004418A0   . 83E2 03        AND EDX,3
004418A3   . 33C9           XOR ECX,ECX
004418A5   . 8A0D DACD9500  MOV CL,BYTE PTR DS:[95CDDA]
004418AB   . C1E2 08        SHL EDX,8
004418AE   . 8D940A DC03000>LEA EDX,DWORD PTR DS:[EDX+ECX+3DC]
004418B5   . 8BC8           MOV ECX,EAX
004418B7   . C1E9 07        SHR ECX,7                 
004418BA   . 8915 F4CD9500  MOV DWORD PTR DS:[95CDF4],EDX   
004418C0   . 890D 04CE9500  MOV DWORD PTR DS:[95CE04],ECX
004418C6   > 8BD0           MOV EDX,EAX                    
004418C8   . 83F6 07        XOR ESI,7                      
004418CB   . 83E2 0F        AND EDX,0F                     
004418CE   . 03D6           ADD EDX,ESI                    
004418D0   . D1E2           SHL EDX,1                      
004418D2   . 33D0           XOR EDX,EAX                    
004418D4   . F6C2 30        TEST DL,30                     
004418D7   . 74 3A          JE SHORT REFLEX.00441913
004418D9   . A1 C4CD9500    MOV EAX,DWORD PTR DS:[95CDC4]
004418DE   . 85C0           TEST EAX,EAX
004418E0   . 75 40          JNZ SHORT REFLEX.00441922
004418E2   . A1 08CE9500    MOV EAX,DWORD PTR DS:[95CE08]
004418E7   . C705 C4CD9500 >MOV DWORD PTR DS:[95CDC4],1
004418F1   . 50             PUSH EAX
004418F2   . EB 1D          JMP SHORT REFLEX.00441911
004418F4   > 8B0D 08CE9500  MOV ECX,DWORD PTR DS:[95CE08]
004418FA   . C705 C4CD9500 >MOV DWORD PTR DS:[95CDC4],1
00441904   . 8935 B8CD9500  MOV DWORD PTR DS:[95CDB8],ESI
0044190A   . 8935 BCCD9500  MOV DWORD PTR DS:[95CDBC],ESI
00441910   . 51             PUSH ECX
00441911   > FFD5           CALL EBP
00441913   > A1 C4CD9500    MOV EAX,DWORD PTR DS:[95CDC4]
00441918   . 33F6           XOR ESI,ESI
0044191A   . 3BC6           CMP EAX,ESI
0044191C   .^0F84 61FEFFFF  JE REFLEX.00441783
00441922   > 5F             POP EDI
00441923   . 5E             POP ESI
00441924   . 5D             POP EBP
00441925   . 33C0           XOR EAX,EAX
00441927   . 5B             POP EBX
00441928   . 59             POP ECX
00441929   . C2 0400        RETN 4

破解USB HID 設備接口協議

複習8086彙編指令

Okhttp3使用

Servlet詳解

SharedPreferences 簡介

關於xposed

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結