【Title】: VoLtAgE KeygenMe analysis
【Author】: vasthao
【Author e-mail】: vasthao@gmail.com
【Software】: VoLtAgE KeygenMe
【Download】: in the attachment
【Packer】: none
【Protection】: Base32 + modified MD5 + SHA1 + custom hash + ECDSA
【Language】: Delphi
【Tools】: OD, IDA, DeDe
【Author's note】: Written purely out of interest, with no other purpose. Corrections from more experienced readers are welcome!
--------------------------------------------------------------------------------
【Detailed process】
I. Basic information:
1. PEiD reports that the program is written in Delphi; the KANAL plugin detects SHA1, FGInt and ECDSA.
2. Load it in IDA, apply the FGInt signature, and export a map file.
II. Analysis:
1. Load the freshly exported map file in OD. DeDe gives the verify button's click handler as 45DBD0; set a breakpoint there.
2. Enter a trial code:
Name:pediy
Serial:123456789012345678901234567890abcdefabcdefabcdefabcdefabcdef, and analyse as follows:
/*****************************************************************************************/
/*****************************************************************************************/
0045DBD0 >/. 55 push ebp ;_TForm1_SpeedButton1Click
0045DBD1 |. 8BEC mov ebp, esp
0045DBD3 |. B9 13000000 mov ecx, 13
0045DBD8 >|> 6A 00 /push 0
0045DBDA |. 6A 00 |push 0
0045DBDC |. 49 |dec ecx
0045DBDD |.^ 75 F9 \jnz short <loc_45DBD8>
0045DBDF |. 51 push ecx
0045DBE0 |. 53 push ebx
0045DBE1 |. 56 push esi
0045DBE2 |. 8BD8 mov ebx, eax
0045DBE4 |. 8D45 D8 lea eax, dword ptr [ebp-28]
0045DBE7 |. 8B15 A8914500 mov edx, dword ptr [<off_4591A8>]
0045DBED |. E8 4E6CFAFF call <unknown_libname_73>
0045DBF2 |. 8D45 D0 lea eax, dword ptr [ebp-30]
0045DBF5 |. 8B15 A8914500 mov edx, dword ptr [<off_4591A8>]
0045DBFB |. E8 406CFAFF call <unknown_libname_73>
0045DC00 |. 8D45 C8 lea eax, dword ptr [ebp-38]
0045DC03 |. 8B15 A8914500 mov edx, dword ptr [<off_4591A8>]
0045DC09 |. E8 326CFAFF call <unknown_libname_73>
0045DC0E |. 8D45 A0 lea eax, dword ptr [ebp-60]
0045DC11 |. 8B15 6CAE4500 mov edx, dword ptr [<off_45AE6C>]
0045DC17 |. E8 246CFAFF call <unknown_libname_73>
0045DC1C |. 8D45 8C lea eax, dword ptr [ebp-74]
0045DC1F |. 8B15 6CAE4500 mov edx, dword ptr [<off_45AE6C>]
0045DC25 |. E8 166CFAFF call <unknown_libname_73>
0045DC2A |. 33C0 xor eax, eax
0045DC2C |. 55 push ebp
0045DC2D |. 68 BADE4500 push <loc_45DEBA>
0045DC32 |. 64:FF30 push dword ptr fs:[eax]
0045DC35 |. 64:8920 mov dword ptr fs:[eax], esp
0045DC38 |. C645 E3 00 mov byte ptr [ebp-1D], 0
0045DC3C |. 8D55 FC lea edx, dword ptr [ebp-4]
0045DC3F |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0045DC45 |. E8 3E8BFDFF call <Controls::TControl::GetText(voi>
0045DC4A |. 8B45 FC mov eax, dword ptr [ebp-4]
0045DC4D |. E8 F664FAFF call <length>
0045DC52 |. 8BF0 mov esi, eax
0045DC54 |. 8D55 F8 lea edx, dword ptr [ebp-8]
0045DC57 |. 8B83 04030000 mov eax, dword ptr [ebx+304]
0045DC5D |. E8 268BFDFF call <Controls::TControl::GetText(voi>
0045DC62 |. 85F6 test esi, esi
0045DC64 |. 0F84 FF010000 je <loc_45DE69>
0045DC6A |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DC6D |. E8 D664FAFF call <length>
0045DC72 |. 85C0 test eax, eax
0045DC74 |. 0F84 EF010000 je <loc_45DE69>
0045DC7A |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DC7D |. E8 CAFAFFFF call <getsplitpos> ;find the position of '+'
0045DC82 |. 8BD8 mov ebx, eax
0045DC84 |. 85DB test ebx, ebx
0045DC86 |. 0F84 DD010000 je <loc_45DE69>
0045DC8C |. 8D45 F4 lea eax, dword ptr [ebp-C]
0045DC8F |. 50 push eax
0045DC90 |. 8BCB mov ecx, ebx
0045DC92 |. 49 dec ecx
0045DC93 |. BA 01000000 mov edx, 1
0045DC98 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DC9B |. E8 98FDFFFF call <split> ;split the string
0045DCA0 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0045DCA3 |. 50 push eax
0045DCA4 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DCA7 |. E8 9C64FAFF call <length>
0045DCAC |. 8BC8 mov ecx, eax
0045DCAE |. 8D53 01 lea edx, dword ptr [ebx+1]
0045DCB1 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DCB4 |. E8 7FFDFFFF call <split>
0045DCB9 |. 8D55 88 lea edx, dword ptr [ebp-78]
0045DCBC |. 8B45 F4 mov eax, dword ptr [ebp-C]
0045DCBF |. E8 18B4FFFF call <base32_decode> ;standard Base32 decode, not traced
0045DCC4 |. 8B55 88 mov edx, dword ptr [ebp-78]
0045DCC7 |. 8D45 F4 lea eax, dword ptr [ebp-C] ;sn1
0045DCCA |. E8 5162FAFF call <System::__linkproc__ LStrLAsg(v>
0045DCCF |. 8D55 84 lea edx, dword ptr [ebp-7C]
0045DCD2 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0045DCD5 |. E8 02B4FFFF call <base32_decode>
0045DCDA |. 8B55 84 mov edx, dword ptr [ebp-7C]
0045DCDD |. 8D45 F0 lea eax, dword ptr [ebp-10] ;sn2
0045DCE0 |. E8 3B62FAFF call <System::__linkproc__ LStrLAsg(v>
0045DCE5 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0045DCE8 |. E8 D7FDFFFF call <isdigit> ;all decimal digits?
0045DCED |. 3C 01 cmp al, 1
0045DCEF |. 0F85 74010000 jnz <loc_45DE69>
0045DCF5 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0045DCF8 |. E8 C7FDFFFF call <isdigit>
0045DCFD |. 3C 01 cmp al, 1
0045DCFF |. /0F85 64010000 jnz <loc_45DE69>
/*****************************************************************************************/
/*****************************************************************************************/
So assume sn = base32_encode("123456789012345678901234567890") + '+'
+ base32_encode("987654321098765432109876543210")
= GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ+HE4DONRVGQZTEMJQHE4DONRVGQZTEMJQHE4DONRVGQZTEMJQ
Enter the trial code again:
Name:pediy
Serial:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ+HE4DONRVGQZTEMJQHE4DONRVGQZTEMJQHE4DONRVGQZTEMJQ
Trace to here:
0045DD05 |. 8D55 EC lea edx, dword ptr [ebp-14]
0045DD08 |. 8B45 FC mov eax, dword ptr [ebp-4] ; name
0045DD0B |. E8 A4B1FFFF call <md5_modify> ; modified MD5, step in
/******************************************************************************************/
/******************************************************************************************/
The MD5 is heavily modified; the main changes are the following:
1. The four initial constants differ:
state[0] = 0xABCBBBBD;
state[1] = 0xAEEEEEF2;
state[2] = 0xAEEEEEF1;
state[3] = 0xAFE00000;
0045838C >/$ 53 push ebx ;md5_modify_init
0045838D |. 8BD8 mov ebx, eax
0045838F |. 8BC3 mov eax, ebx
00458391 |. 33C9 xor ecx, ecx
00458393 |. BA 58000000 mov edx, 58
00458398 |. E8 B7A7FAFF call <System::__linkproc__ FillChar(v>
0045839D |. C703 BBBBCBAB mov dword ptr [ebx], ABCBBBBB
004583A3 |. C743 04 EEEEE>mov dword ptr [ebx+4], AEEEEEEE
004583AA |. C743 08 EEEEE>mov dword ptr [ebx+8], AEEEEEEE
004583B1 |. C743 0C FFFFD>mov dword ptr [ebx+C], AFDFFFFF
004583B8 |. FF03 inc dword ptr [ebx]
004583BA |. FF43 04 inc dword ptr [ebx+4]
004583BD |. FF43 04 inc dword ptr [ebx+4]
004583C0 |. FF43 04 inc dword ptr [ebx+4]
004583C3 |. FF43 04 inc dword ptr [ebx+4]
004583C6 |. FF43 08 inc dword ptr [ebx+8]
004583C9 |. FF03 inc dword ptr [ebx]
004583CB |. FF43 08 inc dword ptr [ebx+8]
004583CE |. FF43 08 inc dword ptr [ebx+8]
004583D1 |. FF43 0C inc dword ptr [ebx+C]
004583D4 |. 5B pop ebx ;the four constants: 0xABCBBBBD, 0xAEEEEEF2,
004583D5 \. C3 retn ;0xAEEEEEF1, 0xAFE00000
/******************************************************************************************/
2. The padding byte differs:
md5_padding[64] =
{
0x6E, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
004584A4 >/$ 53 push ebx ;md5_modify_final
004584A5 |. 56 push esi
004584A6 |. 8BDA mov ebx, edx
004584A8 |. 8BF0 mov esi, eax
004584AA |. 8B43 10 mov eax, dword ptr [ebx+10]
004584AD |. C1E8 03 shr eax, 3
004584B0 |. 66:83E0 3F and ax, 3F
004584B4 |. 8BD0 mov edx, eax
004584B6 |. 33C9 xor ecx, ecx
004584B8 |. 8ACA mov cl, dl
004584BA |. C6440B 18 6E mov byte ptr [ebx+ecx+18], 6E ;padding byte 6E, the standard is 80
004584BF |. 42 inc edx
004584C0 |. 66:B9 3F00 mov cx, 3F
004584C4 |. 66:2BC8 sub cx, ax
004584C7 |. 8BC1 mov eax, ecx
004584C9 |. 66:83F8 08 cmp ax, 8
004584CD |. 73 37 jnb short <loc_458506>
004584CF |. 81E2 FF000000 and edx, 0FF
004584D5 |. 8D5413 18 lea edx, dword ptr [ebx+edx+18]
004584D9 |. 0FB7C0 movzx eax, ax
004584DC |. 33C9 xor ecx, ecx
004584DE |. 92 xchg eax, edx
004584DF |. E8 70A6FAFF call <System::__linkproc__ FillChar(v>
004584E4 |. 6A 0F push 0F
004584E6 |. 8D4B 18 lea ecx, dword ptr [ebx+18]
004584E9 |. 8BC3 mov eax, ebx
004584EB |. BA 03000000 mov edx, 3
004584F0 |. E8 57010000 call <md5_modify_transform>
004584F5 |. 8D43 18 lea eax, dword ptr [ebx+18]
004584F8 |. 33C9 xor ecx, ecx
004584FA |. BA 38000000 mov edx, 38
004584FF |. E8 50A6FAFF call <System::__linkproc__ FillChar(v>
00458504 |. EB 18 jmp short <loc_45851E>
00458506 >|> 81E2 FF000000 and edx, 0FF
0045850C |. 8D5413 18 lea edx, dword ptr [ebx+edx+18]
00458510 |. 0FB7C0 movzx eax, ax
00458513 |. 83E8 08 sub eax, 8
00458516 |. 33C9 xor ecx, ecx
00458518 |. 92 xchg eax, edx
00458519 |. E8 36A6FAFF call <System::__linkproc__ FillChar(v>
0045851E >|> 8B43 10 mov eax, dword ptr [ebx+10]
00458521 |. 8943 50 mov dword ptr [ebx+50], eax
00458524 |. 8B43 14 mov eax, dword ptr [ebx+14]
00458527 |. 8943 54 mov dword ptr [ebx+54], eax
0045852A |. 6A 0F push 0F
0045852C |. 8D4B 18 lea ecx, dword ptr [ebx+18]
0045852F |. 8BC3 mov eax, ebx
00458531 |. BA 03000000 mov edx, 3
00458536 |. E8 11010000 call <md5_modify_transform>
0045853B |. 8BD6 mov edx, esi
0045853D |. 8BC3 mov eax, ebx
0045853F |. B9 10000000 mov ecx, 10
00458544 |. E8 6FA3FAFF call <System::Move(void *,void *,int)>
00458549 |. 8BC3 mov eax, ebx
0045854B |. 33C9 xor ecx, ecx
0045854D |. BA 58000000 mov edx, 58
00458552 |. E8 FDA5FAFF call <System::__linkproc__ FillChar(v>
00458557 |. 5E pop esi
00458558 |. 5B pop ebx
00458559 \. C3 retn
/******************************************************************************************/
3. The hash rounds differ:
Three of the auxiliary functions are different:
F=x&(y^z)^z
G=z&(x^y)^y
H=x^y^(z<<x)
The third round function HH no longer rotates left by n bits; it computes x<<n|x<<(32-n) instead.
(1) The four auxiliary functions:
0045855C >/$ 55 push ebp ;FF
0045855D |. 8BEC mov ebp, esp
0045855F |. 53 push ebx
00458560 |. 56 push esi
00458561 |. 8B5D 10 mov ebx, dword ptr [ebp+10]
00458564 |. 33CB xor ecx, ebx ;y^z
00458566 |. 23CA and ecx, edx ;(y^z)&x
00458568 |. 33D9 xor ebx, ecx ;z^((y^z)&x), auxiliary function F=x&(y^z)^z
0045856A |. 035D 0C add ebx, dword ptr [ebp+C]
0045856D |. 0118 add dword ptr [eax], ebx
0045856F |. 33C9 xor ecx, ecx
00458571 |. 8A4D 08 mov cl, byte ptr [ebp+8]
00458574 |. 51 push ecx
00458575 |. B9 20000000 mov ecx, 20
0045857A |. 5B pop ebx
0045857B |. 2BCB sub ecx, ebx
0045857D |. 8B18 mov ebx, dword ptr [eax]
0045857F |. D3EB shr ebx, cl
00458581 |. 8A4D 08 mov cl, byte ptr [ebp+8]
00458584 |. 8B30 mov esi, dword ptr [eax]
00458586 |. D3E6 shl esi, cl
00458588 |. 0BDE or ebx, esi
0045858A |. 8918 mov dword ptr [eax], ebx
0045858C |. 0110 add dword ptr [eax], edx
0045858E |. 5E pop esi
0045858F |. 5B pop ebx
00458590 |. 5D pop ebp
00458591 \. C2 0C00 retn 0C
00458594 >/$ 55 push ebp ;GG
00458595 |. 8BEC mov ebp, esp
00458597 |. 53 push ebx
00458598 |. 56 push esi
00458599 |. 8B5D 08 mov ebx, dword ptr [ebp+8]
0045859C |. 8BF1 mov esi, ecx
0045859E |. 33F2 xor esi, edx ;y^x
004585A0 |. 2375 10 and esi, dword ptr [ebp+10] ;(y^x)&z
004585A3 |. 33CE xor ecx, esi ;y^((y^x)&z), auxiliary function G=z&(x^y)^y
004585A5 |. 034D 0C add ecx, dword ptr [ebp+C]
004585A8 |. 0108 add dword ptr [eax], ecx
004585AA |. 33C9 xor ecx, ecx
004585AC |. 8ACB mov cl, bl
004585AE |. 51 push ecx
004585AF |. B9 20000000 mov ecx, 20
004585B4 |. 5E pop esi
004585B5 |. 2BCE sub ecx, esi
004585B7 |. 8B30 mov esi, dword ptr [eax]
004585B9 |. D3EE shr esi, cl
004585BB |. 8BCB mov ecx, ebx
004585BD |. 8B18 mov ebx, dword ptr [eax]
004585BF |. D3E3 shl ebx, cl
004585C1 |. 0BF3 or esi, ebx
004585C3 |. 8930 mov dword ptr [eax], esi
004585C5 |. 0110 add dword ptr [eax], edx
004585C7 |. 5E pop esi
004585C8 |. 5B pop ebx
004585C9 |. 5D pop ebp
004585CA \. C2 0C00 retn 0C
004585D0 >/$ 55 push ebp ;HH
004585D1 |. 8BEC mov ebp, esp
004585D3 |. 53 push ebx
004585D4 |. 56 push esi
004585D5 |. 57 push edi
004585D6 |. 8BF1 mov esi, ecx
004585D8 |. 8B5D 08 mov ebx, dword ptr [ebp+8]
004585DB |. 8BCA mov ecx, edx
004585DD |. 8B7D 10 mov edi, dword ptr [ebp+10]
004585E0 |. D3E7 shl edi, cl ;z<<x
004585E2 |. 33F2 xor esi, edx ;y^x
004585E4 |. 33FE xor edi, esi ;(z<<x)^y^x, auxiliary function H=x^y^(z<<x)
004585E6 |. 037D 0C add edi, dword ptr [ebp+C]
004585E9 |. 0138 add dword ptr [eax], edi
004585EB |. 33C9 xor ecx, ecx
004585ED |. 8ACB mov cl, bl
004585EF |. 51 push ecx
004585F0 |. B9 20000000 mov ecx, 20
004585F5 |. 5E pop esi
004585F6 |. 2BCE sub ecx, esi
004585F8 |. 8B30 mov esi, dword ptr [eax]
004585FA |. D3E6 shl esi, cl ;the standard version uses shr
004585FC |. 8BCB mov ecx, ebx
004585FE |. 8B18 mov ebx, dword ptr [eax]
00458600 |. D3E3 shl ebx, cl
00458602 |. 0BF3 or esi, ebx
00458604 |. 8930 mov dword ptr [eax], esi
00458606 |. 0110 add dword ptr [eax], edx
00458608 |. 5F pop edi
00458609 |. 5E pop esi
0045860A |. 5B pop ebx
0045860B |. 5D pop ebp
0045860C \. C2 0C00 retn 0C
00458610 >/$ 55 push ebp ;II
00458611 |. 8BEC mov ebp, esp
00458613 |. 53 push ebx
00458614 |. 56 push esi
00458615 |. 8B5D 08 mov ebx, dword ptr [ebp+8]
00458618 |. 8B75 10 mov esi, dword ptr [ebp+10]
0045861B |. F7D6 not esi ;~z
0045861D |. 0BF2 or esi, edx ;~z|x
0045861F |. 33CE xor ecx, esi ;y^(~z|x), auxiliary function I=y^(x|~z), same as the standard
00458621 |. 034D 0C add ecx, dword ptr [ebp+C]
00458624 |. 0108 add dword ptr [eax], ecx
00458626 |. 33C9 xor ecx, ecx
00458628 |. 8ACB mov cl, bl
0045862A |. 51 push ecx
0045862B |. B9 20000000 mov ecx, 20
00458630 |. 5E pop esi
00458631 |. 2BCE sub ecx, esi
00458633 |. 8B30 mov esi, dword ptr [eax]
00458635 |. D3EE shr esi, cl
00458637 |. 8BCB mov ecx, ebx
00458639 |. 8B18 mov ebx, dword ptr [eax]
0045863B |. D3E3 shl ebx, cl
0045863D |. 0BF3 or esi, ebx
0045863F |. 8930 mov dword ptr [eax], esi
00458641 |. 0110 add dword ptr [eax], edx
00458643 |. 5E pop esi
00458644 |. 5B pop ebx
00458645 |. 5D pop ebp
00458646 \. C2 0C00 retn 0C
/******************************************************************************************/
(2) The hash function:
0045864C >/$ 55 push ebp ;md5_modify_transform
0045864D |. 8BEC mov ebp, esp
0045864F |. 83C4 EC add esp, -14
00458652 |. 53 push ebx
00458653 |. 56 push esi
00458654 |. 57 push edi
00458655 |. 8BD9 mov ebx, ecx
00458657 |. 8945 FC mov dword ptr [ebp-4], eax
0045865A |. 8D75 F8 lea esi, dword ptr [ebp-8]
0045865D |. 8D7D F4 lea edi, dword ptr [ebp-C]
00458660 |. 8B45 FC mov eax, dword ptr [ebp-4]
00458663 |. 8B00 mov eax, dword ptr [eax]
00458665 |. 8906 mov dword ptr [esi], eax
00458667 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045866A |. 8B40 04 mov eax, dword ptr [eax+4]
0045866D |. 8907 mov dword ptr [edi], eax
0045866F |. 8B45 FC mov eax, dword ptr [ebp-4]
00458672 |. 8B40 08 mov eax, dword ptr [eax+8]
00458675 |. 8945 F0 mov dword ptr [ebp-10], eax
00458678 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045867B |. 8B40 0C mov eax, dword ptr [eax+C]
0045867E |. 8945 EC mov dword ptr [ebp-14], eax
00458681 |. 8B45 EC mov eax, dword ptr [ebp-14]
00458684 |. 50 push eax
00458685 |. 8B03 mov eax, dword ptr [ebx]
00458687 |. 05 77A46AD7 add eax, D76AA477 ;standard is 0xd76aa478
0045868C |. 50 push eax
0045868D |. 6A 07 push 7
0045868F |. 8BC6 mov eax, esi
00458691 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
00458694 |. 8B17 mov edx, dword ptr [edi]
00458696 |. E8 C1FEFFFF call <FF>
0045869B |. 8B45 F0 mov eax, dword ptr [ebp-10]
0045869E |. 50 push eax
0045869F |. 8B43 04 mov eax, dword ptr [ebx+4]
004586A2 |. 05 55B7C7E8 add eax, E8C7B755 ;standard is 0xe8c7b756
004586A7 |. 50 push eax
004586A8 |. 6A 0C push 0C
004586AA |. 8D45 EC lea eax, dword ptr [ebp-14]
004586AD |. 8B0F mov ecx, dword ptr [edi]
004586AF |. 8B16 mov edx, dword ptr [esi]
004586B1 |. E8 A6FEFFFF call <FF>
004586B6 |. 8B07 mov eax, dword ptr [edi]
004586B8 |. 50 push eax
004586B9 |. 8B43 08 mov eax, dword ptr [ebx+8]
004586BC |. 05 DA702024 add eax, 242070DA ;standard is 0x242070db
004586C1 |. 50 push eax
004586C2 |. 6A 11 push 11
004586C4 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004586C7 |. 8B0E mov ecx, dword ptr [esi]
004586C9 |. 8B55 EC mov edx, dword ptr [ebp-14]
004586CC |. E8 8BFEFFFF call <FF>
004586D1 |. 8B06 mov eax, dword ptr [esi]
004586D3 |. 50 push eax
004586D4 |. 8B43 0C mov eax, dword ptr [ebx+C]
004586D7 |. 05 EDCEBDC1 add eax, C1BDCEED ;standard is 0xc1bdceee
004586DC |. 50 push eax
004586DD |. 6A 16 push 16
004586DF |. 8BC7 mov eax, edi
004586E1 |. 8B4D EC mov ecx, dword ptr [ebp-14]
004586E4 |. 8B55 F0 mov edx, dword ptr [ebp-10]
004586E7 |. E8 70FEFFFF call <FF>
004586EC |. 8B45 EC mov eax, dword ptr [ebp-14]
004586EF |. 50 push eax
004586F0 |. 8B43 10 mov eax, dword ptr [ebx+10]
004586F3 |. 05 AE0F7CF5 add eax, F57C0FAE ;standard is 0xf57c0faf
004586F8 |. 50 push eax
004586F9 |. 6A 07 push 7
004586FB |. 8BC6 mov eax, esi
004586FD |. 8B4D F0 mov ecx, dword ptr [ebp-10]
00458700 |. 8B17 mov edx, dword ptr [edi]
00458702 |. E8 55FEFFFF call <FF>
00458707 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0045870A |. 50 push eax
0045870B |. 8B43 14 mov eax, dword ptr [ebx+14]
0045870E |. 05 29C68747 add eax, 4787C629 ;standard is 0x4787c62a
00458713 |. 50 push eax
00458714 |. 6A 0C push 0C
00458716 |. 8D45 EC lea eax, dword ptr [ebp-14]
00458719 |. 8B0F mov ecx, dword ptr [edi]
0045871B |. 8B16 mov edx, dword ptr [esi]
0045871D |. E8 3AFEFFFF call <FF>
00458722 |. 8B07 mov eax, dword ptr [edi]
00458724 |. 50 push eax
00458725 |. 8B43 18 mov eax, dword ptr [ebx+18]
00458728 |. 05 124630A8 add eax, A8304612 ;standard is 0xa8304613
0045872D |. 50 push eax
0045872E |. 6A 11 push 11
00458730 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00458733 |. 8B0E mov ecx, dword ptr [esi]
00458735 |. 8B55 EC mov edx, dword ptr [ebp-14]
00458738 |. E8 1FFEFFFF call <FF>
0045873D |. 8B06 mov eax, dword ptr [esi]
0045873F |. 50 push eax
00458740 |. 8B43 1C mov eax, dword ptr [ebx+1C]
00458743 |. 05 009546FD add eax, FD469500 ;standard is 0xfd469501
00458748 |. 50 push eax
00458749 |. 6A 16 push 16
0045874B |. 8BC7 mov eax, edi
0045874D |. 8B4D EC mov ecx, dword ptr [ebp-14]
00458750 |. 8B55 F0 mov edx, dword ptr [ebp-10]
00458753 |. E8 04FEFFFF call <FF>
00458758 |. 8B45 EC mov eax, dword ptr [ebp-14]
0045875B |. 50 push eax
0045875C |. 8B43 20 mov eax, dword ptr [ebx+20]
0045875F |. 05 D7988069 add eax, 698098D7 ;standard is 0x698098d8
00458764 |. 50 push eax
00458765 |. 6A 07 push 7
00458767 |. 8BC6 mov eax, esi
00458769 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
0045876C |. 8B17 mov edx, dword ptr [edi]
0045876E |. E8 E9FDFFFF call <FF>
00458773 |. 8B45 F0 mov eax, dword ptr [ebp-10]
00458776 |. 50 push eax
00458777 |. 8B43 24 mov eax, dword ptr [ebx+24]
0045877A |. 05 AEF7448B add eax, 8B44F7AE ;standard is 0x8b44f7af
0045877F |. 50 push eax
00458780 |. 6A 0C push 0C
00458782 |. 8D45 EC lea eax, dword ptr [ebp-14]
00458785 |. 8B0F mov ecx, dword ptr [edi]
00458787 |. 8B16 mov edx, dword ptr [esi]
00458789 |. E8 CEFDFFFF call <FF>
0045878E |. 8B07 mov eax, dword ptr [edi]
00458790 |. 50 push eax
00458791 |. 8B43 28 mov eax, dword ptr [ebx+28]
00458794 |. 05 B05BFFFF add eax, FFFF5BB0 ;standard is 0xffff5bb1
00458799 |. 50 push eax
0045879A |. 6A 11 push 11
0045879C |. 8D45 F0 lea eax, dword ptr [ebp-10]
0045879F |. 8B0E mov ecx, dword ptr [esi]
004587A1 |. 8B55 EC mov edx, dword ptr [ebp-14]
004587A4 |. E8 B3FDFFFF call <FF>
004587A9 |. 8B06 mov eax, dword ptr [esi]
004587AB |. 50 push eax
004587AC |. 8B43 2C mov eax, dword ptr [ebx+2C]
004587AF |. 05 BDD75C89 add eax, 895CD7BD ;standard is 0x895cd7be
004587B4 |. 50 push eax
004587B5 |. 6A 16 push 16
004587B7 |. 8BC7 mov eax, edi
004587B9 |. 8B4D EC mov ecx, dword ptr [ebp-14]
004587BC |. 8B55 F0 mov edx, dword ptr [ebp-10]
004587BF |. E8 98FDFFFF call <FF>
004587C4 |. 8B45 EC mov eax, dword ptr [ebp-14]
004587C7 |. 50 push eax
004587C8 |. 8B43 30 mov eax, dword ptr [ebx+30]
004587CB |. 05 2111906B add eax, 6B901121 ;standard is 0x6b901122
004587D0 |. 50 push eax
004587D1 |. 6A 07 push 7
004587D3 |. 8BC6 mov eax, esi
004587D5 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004587D8 |. 8B17 mov edx, dword ptr [edi]
004587DA |. E8 7DFDFFFF call <FF>
004587DF |. 8B45 F0 mov eax, dword ptr [ebp-10]
004587E2 |. 50 push eax
004587E3 |. 8B43 34 mov eax, dword ptr [ebx+34]
004587E6 |. 05 927198FD add eax, FD987192 ;standard is 0xfd987193
...........................................................
/******************************************************************************************/
The final step:
state[0] += a+1;
state[1] += b;
state[2] += c;
state[3] += d+2;
00458D3D |. 8B45 FC mov eax, dword ptr [ebp-4]
00458D40 |. 8B16 mov edx, dword ptr [esi]
00458D42 |. 0110 add dword ptr [eax], edx ;state[0]+=a
00458D44 |. 8B45 FC mov eax, dword ptr [ebp-4]
00458D47 |. FF00 inc dword ptr [eax] ;state[0]+=1
00458D49 |. 8B45 FC mov eax, dword ptr [ebp-4]
00458D4C |. 8B17 mov edx, dword ptr [edi]
00458D4E |. 0150 04 add dword ptr [eax+4], edx ;state[1]+=b
00458D51 |. 8B45 FC mov eax, dword ptr [ebp-4]
00458D54 |. 8340 0C 02 add dword ptr [eax+C], 2 ;state[3]+=2
00458D58 |. 8B45 FC mov eax, dword ptr [ebp-4]
00458D5B |. 8B55 F0 mov edx, dword ptr [ebp-10]
00458D5E |. 0150 08 add dword ptr [eax+8], edx ;state[2]+=c
00458D61 |. 8B45 FC mov eax, dword ptr [ebp-4]
00458D64 |. 8B55 EC mov edx, dword ptr [ebp-14]
00458D67 |. 0150 0C add dword ptr [eax+C], edx ;state[3]+=d
00458D6A |. 5F pop edi
00458D6B |. 5E pop esi
00458D6C |. 5B pop ebx
00458D6D |. 8BE5 mov esp, ebp
00458D6F |. 5D pop ebp
00458D70 \. C2 0400 retn 4
/******************************************************************************************/
4. Output:
00458E6F >|> /8D4D 90 /lea ecx, dword ptr [ebp-70] ;modify_bytestohexstring
00458E72 |. |33C0 |xor eax, eax
00458E74 |. |8A06 |mov al, byte ptr [esi] ;when byte[i]<0x10 the leading '0' is dropped
00458E76 |. |33D2 |xor edx, edx ;should normally be mov edx,2
00458E78 |. |E8 9FF2FAFF |call <Sysutils::IntToHex(int,int)> ;
00458E7D |. |8B55 90 |mov edx, dword ptr [ebp-70]
00458E80 |. |8B45 FC |mov eax, dword ptr [ebp-4]
00458E83 |. |E8 C8B2FAFF |call <System::__linkproc__ LStrCat(v>
00458E88 |. |8B45 FC |mov eax, dword ptr [ebp-4]
00458E8B |. |46 |inc esi
00458E8C |. |4B |dec ebx
00458E8D |.^\75 E0 \jnz short <loc_458E6F>
/******************************************************************************************/
/******************************************************************************************/
Trace to here:
0045DD10 |. 8D45 B4 lea eax, dword ptr [ebp-4C]
0045DD13 |. 8B55 FC mov edx, dword ptr [ebp-4] ;name
0045DD16 |. E8 01A1FFFF call <sha1> ;standard SHA1, not traced
0045DD1B |. 8D4D E8 lea ecx, dword ptr [ebp-18] ;sha1string
0045DD1E |. 8D45 B4 lea eax, dword ptr [ebp-4C]
0045DD21 |. BA 14000000 mov edx, 14
0045DD26 |. E8 6D9BFFFF call <bytestohexstring> ;the normal bytestohexstring
0045DD2B |. 8B45 EC mov eax, dword ptr [ebp-14] ;md5string
0045DD2E |. E8 21FBFFFF call <custom_hash> ;custom hash, step in
/******************************************************************************************/
/******************************************************************************************/
0045D854 >/$ 55 push ebp ;custom_hash
0045D855 |. 8BEC mov ebp, esp
0045D857 |. 83C4 C0 add esp, -40
0045D85A |. 53 push ebx
0045D85B |. 56 push esi
0045D85C |. 8945 FC mov dword ptr [ebp-4], eax
0045D85F |. 8B45 FC mov eax, dword ptr [ebp-4]
0045D862 |. E8 D16AFAFF call <System::__linkproc__ LStrAddRef>
0045D867 |. 33C0 xor eax, eax
0045D869 |. 55 push ebp
0045D86A |. 68 23DA4500 push <loc_45DA23>
0045D86F |. 64:FF30 push dword ptr fs:[eax]
0045D872 |. 64:8920 mov dword ptr fs:[eax], esp
0045D875 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045D878 |. E8 CB68FAFF call <length>
0045D87D |. C745 E8 00000>mov dword ptr [ebp-18], 0 ;temp1
0045D884 |. C745 EC 00000>mov dword ptr [ebp-14], 0
0045D88B |. C745 E0 00000>mov dword ptr [ebp-20], 0 ;temp2
0045D892 |. C745 E4 00000>mov dword ptr [ebp-1C], 0
0045D899 |. C745 D8 00000>mov dword ptr [ebp-28], 0 ;temp3
0045D8A0 |. C745 DC 00000>mov dword ptr [ebp-24], 0
0045D8A7 |. C745 D0 00000>mov dword ptr [ebp-30], 0 ;temp4
0045D8AE |. C745 D4 00000>mov dword ptr [ebp-2C], 0
0045D8B5 |. C745 C8 00000>mov dword ptr [ebp-38], 0 ;temp5
0045D8BC |. C745 CC 00000>mov dword ptr [ebp-34], 0
0045D8C3 |. C745 C0 00000>mov dword ptr [ebp-40], 0 ;temp6
0045D8CA |. C745 C4 00000>mov dword ptr [ebp-3C], 0
0045D8D1 |. 85C0 test eax, eax
0045D8D3 |. 0F84 34010000 je <loc_45DA0D>
0045D8D9 |. 8BF0 mov esi, eax
0045D8DB |. 85F6 test esi, esi
0045D8DD |. 0F8E 13010000 jle <loc_45D9F6>
0045D8E3 |. BB 01000000 mov ebx, 1
0045D8E8 >|> FF75 EC /push dword ptr [ebp-14]
0045D8EB |. FF75 E8 |push dword ptr [ebp-18]
0045D8EE |. 8BC3 |mov eax, ebx
0045D8F0 |. 99 |cdq
0045D8F1 |. 52 |push edx
0045D8F2 |. 50 |push eax
0045D8F3 |. E8 C4FEFFFF |call <custom_pow> ;pow(temp1,i)
0045D8F8 |. 52 |push edx
0045D8F9 |. 50 |push eax
0045D8FA |. 8B45 FC |mov eax, dword ptr [ebp-4]
0045D8FD |. 8A4418 FF |mov al, byte ptr [eax+ebx-1]
0045D901 |. 25 FF000000 |and eax, 0FF
0045D906 |. 33D2 |xor edx, edx
0045D908 |. 030424 |add eax, dword ptr [esp]
0045D90B |. 135424 04 |adc edx, dword ptr [esp+4]
0045D90F |. 83C4 08 |add esp, 8
0045D912 |. 8945 E8 |mov dword ptr [ebp-18], eax ;temp1=pow(temp1,i)+str[i]
0045D915 |. 8955 EC |mov dword ptr [ebp-14], edx
0045D918 |. 8B45 E8 |mov eax, dword ptr [ebp-18]
0045D91B |. 8B55 EC |mov edx, dword ptr [ebp-14]
0045D91E |. 3345 E0 |xor eax, dword ptr [ebp-20]
0045D921 |. 3355 E4 |xor edx, dword ptr [ebp-1C]
0045D924 |. 8BCB |mov ecx, ebx
0045D926 |. E8 2575FAFF |call <System::__linkproc__ _llshl(vo>;(temp1^temp2)<<i (64-bit signed left shift)
0045D92B |. 0345 E0 |add eax, dword ptr [ebp-20]
0045D92E |. 1355 E4 |adc edx, dword ptr [ebp-1C]
0045D931 |. 0345 E8 |add eax, dword ptr [ebp-18]
0045D934 |. 1355 EC |adc edx, dword ptr [ebp-14]
0045D937 |. 8945 E0 |mov dword ptr [ebp-20], eax ;temp2=(temp1^temp2)<<i+temp2+temp1
0045D93A |. 8955 E4 |mov dword ptr [ebp-1C], edx
0045D93D |. 8BC3 |mov eax, ebx
0045D93F |. 99 |cdq
0045D940 |. 52 |push edx
0045D941 |. 50 |push eax
0045D942 |. 8BC3 |mov eax, ebx
0045D944 |. 99 |cdq
0045D945 |. 52 |push edx
0045D946 |. 50 |push eax
0045D947 |. E8 70FEFFFF |call <custom_pow> ;pow(i,i)
0045D94C |. 8BC8 |mov ecx, eax
0045D94E |. 8B45 E0 |mov eax, dword ptr [ebp-20]
0045D951 |. 8B55 E4 |mov edx, dword ptr [ebp-1C]
0045D954 |. 3345 D8 |xor eax, dword ptr [ebp-28]
0045D957 |. 3355 DC |xor edx, dword ptr [ebp-24]
0045D95A |. E8 F174FAFF |call <System::__linkproc__ _llshl(vo>;(temp2^temp3)<<pow(i,i) (64-bit signed left shift)
0045D95F |. 0345 D8 |add eax, dword ptr [ebp-28]
0045D962 |. 1355 DC |adc edx, dword ptr [ebp-24]
0045D965 |. 0345 E0 |add eax, dword ptr [ebp-20]
0045D968 |. 1355 E4 |adc edx, dword ptr [ebp-1C]
0045D96B |. 8945 D8 |mov dword ptr [ebp-28], eax ;temp3=(temp2^temp3)<<pow(i,i)+temp3+temp2
0045D96E |. 8955 DC |mov dword ptr [ebp-24], edx
0045D971 |. 8B45 D8 |mov eax, dword ptr [ebp-28]
0045D974 |. 8B55 DC |mov edx, dword ptr [ebp-24]
0045D977 |. 3345 D0 |xor eax, dword ptr [ebp-30]
0045D97A |. 3355 D4 |xor edx, dword ptr [ebp-2C]
0045D97D |. 8BCB |mov ecx, ebx
0045D97F |. E8 EC74FAFF |call <System::__linkproc__ _llushr(v>;(temp3^temp4)>>i
0045D984 |. 0345 D0 |add eax, dword ptr [ebp-30]
0045D987 |. 1355 D4 |adc edx, dword ptr [ebp-2C]
0045D98A |. 0345 D8 |add eax, dword ptr [ebp-28]
0045D98D |. 1355 DC |adc edx, dword ptr [ebp-24]
0045D990 |. 8945 D0 |mov dword ptr [ebp-30], eax ;temp4=(temp3^temp4)>>i+temp4+temp3
0045D993 |. 8955 D4 |mov dword ptr [ebp-2C], edx
0045D996 |. 8B45 E8 |mov eax, dword ptr [ebp-18]
0045D999 |. 8B55 EC |mov edx, dword ptr [ebp-14]
0045D99C |. 3345 D8 |xor eax, dword ptr [ebp-28] ;temp1^temp3
0045D99F |. 3355 DC |xor edx, dword ptr [ebp-24]
0045D9A2 |. 0345 E0 |add eax, dword ptr [ebp-20] ;temp1^temp3+temp2
0045D9A5 |. 1355 E4 |adc edx, dword ptr [ebp-1C]
0045D9A8 |. 3345 D0 |xor eax, dword ptr [ebp-30] ;(temp1^temp3+temp2)^temp4
0045D9AB |. 3355 D4 |xor edx, dword ptr [ebp-2C]
0045D9AE |. 0345 C8 |add eax, dword ptr [ebp-38]
0045D9B1 |. 1355 CC |adc edx, dword ptr [ebp-34]
0045D9B4 |. 8945 C8 |mov dword ptr [ebp-38], eax ;temp5=(temp1^temp3+temp2)^temp4+temp5
0045D9B7 |. 8955 CC |mov dword ptr [ebp-34], edx
0045D9BA |. FF75 CC |push dword ptr [ebp-34]
0045D9BD |. FF75 C8 |push dword ptr [ebp-38]
0045D9C0 |. 8BC3 |mov eax, ebx
0045D9C2 |. 99 |cdq
0045D9C3 |. 52 |push edx
0045D9C4 |. 50 |push eax
0045D9C5 |. E8 F2FDFFFF |call <custom_pow> ;pow(temp5,i)
0045D9CA |. 0345 C0 |add eax, dword ptr [ebp-40]
0045D9CD |. 1355 C4 |adc edx, dword ptr [ebp-3C]
0045D9D0 |. 8945 C0 |mov dword ptr [ebp-40], eax ;temp6=pow(temp5,i)+temp6
0045D9D3 |. 8955 C4 |mov dword ptr [ebp-3C], edx
0045D9D6 |. 8B45 C0 |mov eax, dword ptr [ebp-40]
0045D9D9 |. 8B55 C4 |mov edx, dword ptr [ebp-3C]
0045D9DC |. 81F0 EFBEADDE |xor eax, DEADBEEF
0045D9E2 |. 81F2 00000000 |xor edx, 0
0045D9E8 |. 8945 E8 |mov dword ptr [ebp-18], eax ;temp1=temp6^0xDEADBEEF
0045D9EB |. 8955 EC |mov dword ptr [ebp-14], edx
0045D9EE |. 43 |inc ebx
0045D9EF |. 4E |dec esi
0045D9F0 |.^ 0F85 F2FEFFFF \jnz <loc_45D8E8>
0045D9F6 >|> 8B45 C0 mov eax, dword ptr [ebp-40] ;return temp6
0045D9F9 |. 8B55 C4 mov edx, dword ptr [ebp-3C]
0045D9FC |. 85D2 test edx, edx
0045D9FE |. 7D 07 jge short <loc_45DA07>
0045DA00 |. F7D8 neg eax
0045DA02 |. 83D2 00 adc edx, 0
0045DA05 |. F7DA neg edx
0045DA07 >|> 8945 F0 mov dword ptr [ebp-10], eax
0045DA0A |. 8955 F4 mov dword ptr [ebp-C], edx
0045DA0D >|> 33C0 xor eax, eax
0045DA0F |. 5A pop edx
0045DA10 |. 59 pop ecx
0045DA11 |. 59 pop ecx
0045DA12 |. 64:8910 mov dword ptr fs:[eax], edx
0045DA15 |. 68 2ADA4500 push <loc_45DA2A>
0045DA1A >|> 8D45 FC lea eax, dword ptr [ebp-4]
0045DA1D |. E8 6664FAFF call <System::__linkproc__ LStrClr(vo>
0045DA22 \. C3 retn
0045DA23 > .^ E9 645EFAFF jmp <unknown_libname_53>
0045DA28 .^ EB F0 jmp short <loc_45DA1A>
0045DA2A > . 8B45 F0 mov eax, dword ptr [ebp-10]
0045DA2D . 8B55 F4 mov edx, dword ptr [ebp-C]
0045DA30 . 5E pop esi
0045DA31 . 5B pop ebx
0045DA32 . 8BE5 mov esp, ebp
0045DA34 . 5D pop ebp
0045DA35 . C3 retn
How do you write a 64-bit signed left shift? Isn't << unsigned? Nothing I tried worked, so in the end I lifted the assembly directly.
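On the question above: a Python int never wraps, so the Int64 behaviour has to be emulated by masking every result to 64 bits and by treating the shift count the way the RTL helpers do. The following is an added Python transcription of the custom_hash loop (example code, not from the writeup or its attached keygen). It assumes that custom_pow, whose body is not shown, is integer exponentiation wrapped to 64 bits, and that _llshl/_llushr read only cl, give 0 for counts 64..127 and mask counts 128..255 to 5 bits; abs64 reproduces the neg eax / adc edx,0 / neg edx epilogue, so the function returns |temp6| rather than temp6.

```python
MASK64 = (1 << 64) - 1


def u64(v):
    """Wrap a Python int to an unsigned 64-bit value (the bits held in edx:eax)."""
    return v & MASK64


def shift_count(count):
    """Count handling ASSUMED for the RTL helpers _llshl/_llushr: only cl is looked at;
    64..127 gives a zero result (None here); 128..255 compares as negative on the signed
    byte compare, takes the below-32 path, and the x86 shift then masks the count to 5 bits."""
    c = count & 0xFF
    if c >= 0x80:
        return c & 31
    return None if c >= 64 else c


def llshl(v, count):
    """64-bit left shift. In two's complement a left shift is the same for signed and
    unsigned operands; only the wrap to 64 bits and the count handling matter."""
    c = shift_count(count)
    return 0 if c is None else u64(v << c)


def llushr(v, count):
    """64-bit logical right shift (_llushr)."""
    c = shift_count(count)
    return 0 if c is None else u64(v) >> c


def neg64(v):
    """neg eax / adc edx,0 / neg edx: two's complement negation of edx:eax."""
    return u64(-v)


def abs64(v):
    """The epilogue at 0045D9FC: negate when edx is negative, i.e. return |temp6| as Int64."""
    return neg64(v) if v >> 63 else v


def custom_pow(base, exp):
    """ASSUMPTION: custom_pow, not shown in the listing, is integer exponentiation mod 2^64."""
    return pow(u64(base), exp, 1 << 64)


def custom_hash(data):
    """Transcription of the loop 0045D8E8..0045D9F0; data is the hex string as bytes."""
    t1 = t2 = t3 = t4 = t5 = t6 = 0
    for i, ch in enumerate(data, start=1):
        t1 = u64(custom_pow(t1, i) + ch)                      # temp1=pow(temp1,i)+str[i]
        t2 = u64(llshl(t1 ^ t2, i) + t2 + t1)                 # temp2=(temp1^temp2)<<i+temp2+temp1
        t3 = u64(llshl(t2 ^ t3, custom_pow(i, i)) + t3 + t2)  # temp3=(temp2^temp3)<<pow(i,i)+temp3+temp2
        t4 = u64(llushr(t3 ^ t4, i) + t4 + t3)                # temp4=(temp3^temp4)>>i+temp4+temp3
        t5 = u64((u64((t1 ^ t3) + t2) ^ t4) + t5)             # temp5=((temp1^temp3)+temp2)^temp4+temp5
        t6 = u64(custom_pow(t5, i) + t6)                      # temp6=pow(temp5,i)+temp6
        t1 = t6 ^ 0xDEADBEEF                                  # temp1=temp6^0xDEADBEEF
    return abs64(t6)


def hash_low32(data):
    """What SpeedButton1Click keeps: only eax, the low dword of the Int64 result."""
    return custom_hash(data) & 0xFFFFFFFF
```

For a single-character input every exponent is 1, so the result (422 for "A") does not depend on the custom_pow assumption; longer inputs do.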
/******************************************************************************************/
/******************************************************************************************/
0045DD33 |. 8BD8 mov ebx, eax ;ebx=custom_hash(md5_modif(name).tostring)
0045DD35 |. 8B45 E8 mov eax, dword ptr [ebp-18] ;sha1string
0045DD38 |. E8 17FBFFFF call <custom_hash> ;eax=custom_hash(sha1(name).tostring)
0045DD3D |. 33D8 xor ebx, eax ;ebx=ebx^eax
0045DD3F |. 8D4D E4 lea ecx, dword ptr [ebp-1C] ;[ebp-1c]=ebx.tostring
0045DD42 |. 33D2 xor edx, edx ;mov edx,8 would be better here
0045DD44 |. 8BC3 mov eax, ebx ;if eax=0xxxxxxx
0045DD46 |. E8 D1A3FAFF call <Sysutils::IntToHex(int,int)> ;the leading '0' is dropped
0045DD4B |. 8D55 80 lea edx, dword ptr [ebp-80]
0045DD4E |. B8 0CD74500 mov eax, <off_45D70C>
0045DD53 |. E8 707FFAFF call <System::LoadResString(System::T>
0045DD58 |. 8B45 80 mov eax, dword ptr [ebp-80] ;q=54634094332570460673290453
0045DD5B |. 8D55 D8 lea edx, dword ptr [ebp-28]
0045DD5E |. E8 11BAFFFF call <Base10StringToFGInt(AnsiString,>
0045DD63 |. 8D95 7CFFFFFF lea edx, dword ptr [ebp-84]
0045DD69 |. B8 14D74500 mov eax, <off_45D714>
0045DD6E |. E8 557FFAFF call <System::LoadResString(System::T>
0045DD73 |. 8B85 7CFFFFFF mov eax, dword ptr [ebp-84]
0045DD79 |. 8D55 D0 lea edx, dword ptr [ebp-30] ;a=1,b=0
0045DD7C |. E8 F3B9FFFF call <Base10StringToFGInt(AnsiString,>
0045DD81 |. 8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0045DD87 |. B8 1CD74500 mov eax, <off_45D71C>
0045DD8C |. E8 377FFAFF call <System::LoadResString(System::T>
0045DD91 |. 8B85 78FFFFFF mov eax, dword ptr [ebp-88] ;n=3114828639257633374313
0045DD97 |. 8D55 C8 lea edx, dword ptr [ebp-38] ;order
0045DD9A |. E8 D5B9FFFF call <Base10StringToFGInt(AnsiString,>
0045DD9F |. 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
0045DDA5 |. B8 24D74500 mov eax, <off_45D724>
0045DDAA |. E8 197FFAFF call <System::LoadResString(System::T>
0045DDAF |. 8B85 74FFFFFF mov eax, dword ptr [ebp-8C] ;Px=45755731989545870856686427
0045DDB5 |. 8D55 A0 lea edx, dword ptr [ebp-60] ;x coordinate of the base point
0045DDB8 |. E8 B7B9FFFF call <Base10StringToFGInt(AnsiString,>
0045DDBD |. 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0045DDC3 |. B8 2CD74500 mov eax, <off_45D72C>
0045DDC8 |. E8 FB7EFAFF call <System::LoadResString(System::T>
0045DDCD |. 8B85 70FFFFFF mov eax, dword ptr [ebp-90] ;Py=26209762790701662855805685
0045DDD3 |. 8D55 A8 lea edx, dword ptr [ebp-58] ;y coordinate of the base point
0045DDD6 |. E8 99B9FFFF call <Base10StringToFGInt(AnsiString,>
0045DDDB |. 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
0045DDE1 |. B8 34D74500 mov eax, <off_45D734>
0045DDE6 |. E8 DD7EFAFF call <System::LoadResString(System::T>
0045DDEB |. 8B85 6CFFFFFF mov eax, dword ptr [ebp-94] ;Qx=2551882749847930242152319
0045DDF1 |. 8D55 8C lea edx, dword ptr [ebp-74] ;x coordinate of the public key
0045DDF4 |. E8 7BB9FFFF call <Base10StringToFGInt(AnsiString,>
0045DDF9 |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0045DDFF |. B8 3CD74500 mov eax, <off_45D73C>
0045DE04 |. E8 BF7EFAFF call <System::LoadResString(System::T>
0045DE09 |. 8B85 68FFFFFF mov eax, dword ptr [ebp-98] ;Qy=49588612658893045283534677
0045DE0F |. 8D55 94 lea edx, dword ptr [ebp-6C] ;y coordinate of the public key
0045DE12 |. E8 5DB9FFFF call <Base10StringToFGInt(AnsiString,>
0045DE17 |. 8D45 D8 lea eax, dword ptr [ebp-28]
0045DE1A |. 50 push eax ;q=54634094332570460673290453
0045DE1B |. 8D45 D0 lea eax, dword ptr [ebp-30]
0045DE1E |. 50 push eax ;a=1,b=0
0045DE1F |. 8D45 C8 lea eax, dword ptr [ebp-38]
0045DE22 |. 50 push eax ;n=3114828639257633374313
0045DE23 |. 8D45 A0 lea eax, dword ptr [ebp-60]
0045DE26 |. 50 push eax ;Px=45755731989545870856686427
0045DE27 |. 8D45 8C lea eax, dword ptr [ebp-74]
0045DE2A |. 50 push eax ;Qx=2551882749847930242152319
0045DE2B |. 8D45 E3 lea eax, dword ptr [ebp-1D]
0045DE2E |. 50 push eax ;Valid?
0045DE2F |. 8B4D F0 mov ecx, dword ptr [ebp-10] ;s=sn2
0045DE32 |. 8B55 F4 mov edx, dword ptr [ebp-C] ;r=sn1
0045DE35 |. 8B45 E4 mov eax, dword ptr [ebp-1C] ;M
0045DE38 |. E8 67D8FFFF call <ECDSAVerify> ;note M is read as base 256, i.e. bytes_to_big(M)
/******************************************************************************************/
/******************************************************************************************/
The main ECDSA parameters are:
q:54634094332570460673290453
a:1
b:0
n:3114828639257633374313
Px:45755731989545870856686427
Py:26209762790701662855805685
Qx:2551882749847930242152319
Qy:49588612658893045283534677
The key step is recovering the private key d. mrhaandi's ecdlp solver v2.0 (included in the attachment) took almost a day on an AMD 3200 and produced:
d:3114828630828921214586
--------------------------------------------------------------------------------
【Summary】
This keygenme uses Base32, a modified MD5, SHA1, a custom hash and ECDSA. The verification algorithm is:
(1) Split the entered sn at '+' and Base32-decode each part, giving sn1 and sn2.
(2) Hash the user name with the modified MD5 and with standard SHA1, and convert each digest to an uppercase hex string.
(3) Apply the custom hash to md5string and sha1string separately, then
M=(custom_hash(md5_modify(name).tostring)^custom_hash(sha1(name).tostring)).tostring.
M is read as a base-256 number, i.e. bytes_to_big(M): the character array converted to a big integer is the e of ECDSA.
(4) ECDSA-verify (r,s):
e = bytes_to_big(M);
w = s^(-1) mod n;
u1 = e*w mod n, u2 = r*w mod n;
X = u1*P + u2*Q;
v = X.x mod n;
v ?= r;
Keygen algorithm:
(1) ECDSA signing:
Pick a random k in [1, n) that is coprime to n.
e = bytes_to_big(M);
r = (k*P).x mod n;
s = k^(-1)*(e + d*r) mod n;
If r or s is 0, sign again.
(2) Base32-encode each of r and s from the ECDSA signature and join them with '+'; that is the registration code. The keygen is in the attachment.
One working registration code:
name:pediy
serial:GE3DOMRSGMYDOMRRGIZDCNBSGE4TKNZZGAYQ+GMYDMNJUHE2DAMJQGM2DIMJRGE4DCMRUGQ2A
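The curve arithmetic, verification and signing steps above, as an added Python example (not the keygenme's code or the attached keygen): it first runs the checks worth doing before trusting the listed parameters and the recovered d (P and Q on the curve, n*P = O, d*P = Q), then signs and verifies a constructed M and encodes (r, s) the way the keygenme expects. The name hashing is not included, so the M used here is a constructed hex string, not the value for pediy; decoding the registration code above gives the r and s it carries.

```python
import base64

# Parameters as listed in the writeup: y^2 = x^3 + a*x + b over GF(q), base point P
# of order n, public key Q and the private key d recovered with the ECDLP solver.
Q_MOD = 54634094332570460673290453
A, B = 1, 0
N = 3114828639257633374313
P = (45755731989545870856686427, 26209762790701662855805685)
PUB = (2551882749847930242152319, 49588612658893045283534677)
D = 3114828630828921214586

def on_curve(pt):
    """True when the affine point satisfies the curve equation."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % Q_MOD == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % Q_MOD == 0:
            return None                                            # P + (-P) = O
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q_MOD) % Q_MOD    # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % Q_MOD, -1, Q_MOD) % Q_MOD
    x3 = (lam * lam - x1 - x2) % Q_MOD
    return (x3, (lam * (x1 - x3) - y1) % Q_MOD)

def ec_mul(k, pt):
    """Scalar multiplication by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def check_parameters():
    """Checks to run before trusting the listed parameters and the recovered d."""
    return {
        "P_on_curve": on_curve(P),
        "Q_on_curve": on_curve(PUB),
        "n_is_order_of_P": ec_mul(N, P) is None,
        "d_matches_Q": ec_mul(D, P) == PUB,
    }

def message_to_e(m_hex):
    """bytes_to_big(M): the hex *string* M is read as a base-256 number."""
    return int.from_bytes(m_hex.encode("ascii"), "big")

def ecdsa_verify(e, r, s):
    """Verification as the keygenme does it: v = (u1*P + u2*Q).x mod n, then v == r."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1, u2 = e * w % N, r * w % N
    x_pt = ec_add(ec_mul(u1, P), ec_mul(u2, PUB))
    return x_pt is not None and x_pt[0] % N == r

def ecdsa_sign(e, k):
    """Sign with the recovered d. k is caller-supplied here only for reproducibility; a real
    signer needs a fresh random k per signature, since a repeated k lets anyone recover d."""
    if not 1 <= k < N:
        raise ValueError("k must be in [1, n)")
    r = ec_mul(k, P)[0] % N
    s = pow(k, -1, N) * (e + D * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, sign again with another k")
    return r, s

def encode_serial(r, s):
    """Serial = base32(decimal r) + '+' + base32(decimal s), '=' padding stripped."""
    def b32(v):
        return base64.b32encode(str(v).encode("ascii")).decode("ascii").rstrip("=")
    return b32(r) + "+" + b32(s)

def decode_serial(serial):
    """Split at '+', Base32-decode each half, require decimal digits (the isdigit check)."""
    parts = serial.split("+")
    if len(parts) != 2:
        raise ValueError("serial must contain exactly one '+'")
    values = []
    for part in parts:
        raw = base64.b32decode(part + "=" * (-len(part) % 8)).decode("ascii")
        if not raw.isdigit():
            raise ValueError("decoded half is not a decimal string")
        values.append(int(raw))
    return tuple(values)

if __name__ == "__main__":
    print(check_parameters())
    e = message_to_e("1A2B3C4D")        # constructed M, not the value for the name pediy
    r, s = ecdsa_sign(e, 123456789)     # constructed nonce for a reproducible run
    print(encode_serial(r, s), ecdsa_verify(e, r, s))
```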
--------------------------------------------------------------------------------
【Copyright】: This article was originally published on the PEDIY (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
2011-04-25 21:23:57