-
-
[原创]菜鸟对QQ一个Key生成算法分析
-
发表于: 2012-11-24 10:45
-
小菜第一次在逆向区发帖,希望大家勿喷
我曾经写过一篇关于QQ Registry.db分析帖子,不过最后却有一个16字节的Key参与运算,这次打算把Key的生成算法发出来,希望对某些用到该Key的人有帮助
该Key可用于解密Registry.db文件里面LoginInfo流里面bufPassword字段关键,具体情况看我在看雪发表的两个帖子
http://bbs.pediy.com/showthread.php?t=159045
http://bbs.pediy.com/showthread.php?t=156031
程序停在这里,因为QQ解密时候用到该Key,因此我在QQ启动时就对该Key的地址下硬件访问断点
31844340 56 PUSH ESI 31844341 8BF1 MOV ESI,ECX 31844343 807E 10 00 CMP BYTE PTR DS:[ESI+10],0 31844347 75 0D JNZ SHORT KernelUt.31844356 31844349 56 PUSH ESI ;参数1,为最后生成Key的地址,16个字节 3184434A E8 31FFFFFF CALL KernelUt.31844280 ;跟进,生成Key的主要算法 3184434F 83C4 04 ADD ESP,4 31844352 C646 10 01 MOV BYTE PTR DS:[ESI+10],1 31844356 5E POP ESI 31844357 C3 RETN 跟进3184434A处的调用来到下面 31844280 55 PUSH EBP 31844281 8BEC MOV EBP,ESP 31844283 83EC 28 SUB ESP,28 31844286 A1 48958831 MOV EAX,DWORD PTR DS:[31889548] 3184428B 33C5 XOR EAX,EBP 3184428D 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 31844290 33C0 XOR EAX,EAX 31844292 53 PUSH EBX 31844293 56 PUSH ESI 31844294 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ;将传进来的参数1赋给ESI 31844297 8945 DD MOV DWORD PTR SS:[EBP-23],EAX 3184429A 8945 E1 MOV DWORD PTR SS:[EBP-1F],EAX 3184429D 8945 E5 MOV DWORD PTR SS:[EBP-1B],EAX 318442A0 66:8945 E9 MOV WORD PTR SS:[EBP-17],AX 318442A4 8845 EB MOV BYTE PTR SS:[EBP-15],AL 318442A7 8945 ED MOV DWORD PTR SS:[EBP-13],EAX 318442AA 8945 F1 MOV DWORD PTR SS:[EBP-F],EAX 318442AD 8945 F5 MOV DWORD PTR SS:[EBP-B],EAX 318442B0 66:8945 F9 MOV WORD PTR SS:[EBP-7],AX 318442B4 8845 FB MOV BYTE PTR SS:[EBP-5],AL 318442B7 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] 318442BA 57 PUSH EDI 318442BB 33DB XOR EBX,EBX 318442BD 50 PUSH EAX ;参数1,称作Key1,16个字节 318442BE 885D DC MOV BYTE PTR SS:[EBP-24],BL 318442C1 885D EC MOV BYTE PTR SS:[EBP-14],BL 318442C4 E8 A7FCFFFF CALL KernelUt.31843F70 ;生成Key1 318442C9 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14] ;参数1,称作Key2,16个字节 318442CC 51 PUSH ECX 318442CD E8 5EFEFFFF CALL KernelUt.31844130 ;生成Key2 318442D2 8D55 ED LEA EDX,DWORD PTR SS:[EBP-13] 318442D5 8BFE MOV EDI,ESI 318442D7 2BFA SUB EDI,EDX 318442D9 8D55 DD LEA EDX,DWORD PTR SS:[EBP-23] 318442DC 8D5D ED LEA EBX,DWORD PTR SS:[EBP-13] 318442DF 83C4 08 ADD ESP,8 318442E2 33C0 XOR EAX,EAX 318442E4 2BD6 SUB EDX,ESI 318442E6 2BDE SUB EBX,ESI 318442E8 8D4E 02 LEA ECX,DWORD PTR DS:[ESI+2] 318442EB 895D D8 MOV DWORD PTR SS:[EBP-28],EBX 318442EE 8BFF MOV EDI,EDI 318442F0 0FB65C05 EC MOVZX EBX,BYTE PTR SS:[EBP+EAX-14] 318442F5 325C05 DC XOR BL,BYTE PTR SS:[EBP+EAX-24] ;将Key1和Key2进行异或 318442F9 8D7405 ED LEA ESI,DWORD PTR SS:[EBP+EAX-13] 318442FD 881C37 MOV BYTE PTR DS:[EDI+ESI],BL ;结果放到传进来的参数1里,下面都是一样 31844300 0FB65C05 DD MOVZX EBX,BYTE PTR SS:[EBP+EAX-23] 31844305 321E XOR BL,BYTE PTR DS:[ESI] 31844307 8B75 D8 MOV ESI,DWORD PTR SS:[EBP-28] 3184430A 8859 FF MOV BYTE PTR DS:[ECX-1],BL 3184430D 0FB65C05 DE MOVZX EBX,BYTE PTR SS:[EBP+EAX-22] 31844312 325C05 EE XOR BL,BYTE PTR SS:[EBP+EAX-12] 31844316 83C0 04 ADD EAX,4 31844319 8819 MOV BYTE PTR DS:[ECX],BL 3184431B 0FB61C0E MOVZX EBX,BYTE PTR DS:[ESI+ECX] 3184431F 321C0A XOR BL,BYTE PTR DS:[EDX+ECX] 31844322 83C1 04 ADD ECX,4 31844325 83F8 10 CMP EAX,10 31844328 8859 FD MOV BYTE PTR DS:[ECX-3],BL 3184432B ^ 7C C3 JL SHORT KernelUt.318442F0 3184432D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 31844330 5F POP EDI 31844331 5E POP ESI 31844332 33CD XOR ECX,EBP 31844334 5B POP EBX 31844335 E8 F08C0100 CALL KernelUt.3185D02A 3184433A 8BE5 MOV ESP,EBP 3184433C 5D POP EBP 3184433D C3 RETN 跟进 318442C4 处的调用,这里生成Key1 31843F70 55 PUSH EBP 31843F71 8BEC MOV EBP,ESP 31843F73 81EC 24070000 SUB ESP,724 31843F79 A1 48958831 MOV EAX,DWORD PTR DS:[31889548] 31843F7E 33C5 XOR EAX,EBP 31843F80 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 31843F83 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 31843F86 53 PUSH EBX 31843F87 56 PUSH ESI 31843F88 57 PUSH EDI 31843F89 33FF XOR EDI,EDI 31843F8B 68 06020000 PUSH 206 31843F90 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX 31843F96 33C0 XOR EAX,EAX 31843F98 8D8D D2FDFFFF LEA ECX,DWORD PTR SS:[EBP-22E] 31843F9E 57 PUSH EDI 31843F9F 51 PUSH ECX 31843FA0 66:C745 F4 410>MOV WORD PTR SS:[EBP-C],41 31843FA6 66:C745 F6 3A0>MOV WORD PTR SS:[EBP-A],3A 31843FAC 66:C745 F8 5C0>MOV WORD PTR SS:[EBP-8],5C 31843FB2 66:897D FA MOV WORD PTR SS:[EBP-6],DI 31843FB6 C645 D8 00 MOV BYTE PTR SS:[EBP-28],0 31843FBA 8945 D9 MOV DWORD PTR SS:[EBP-27],EAX 31843FBD 8945 DD MOV DWORD PTR SS:[EBP-23],EAX 31843FC0 8945 E1 MOV DWORD PTR SS:[EBP-1F],EAX 31843FC3 8945 E5 MOV DWORD PTR SS:[EBP-1B],EAX 31843FC6 8945 E9 MOV DWORD PTR SS:[EBP-17],EAX 31843FC9 8945 ED MOV DWORD PTR SS:[EBP-13],EAX 31843FCC 8845 F1 MOV BYTE PTR SS:[EBP-F],AL 31843FCF 66:89BD D0FDFF>MOV WORD PTR SS:[EBP-230],DI 31843FD6 E8 39910100 CALL <JMP.&MSVCR80.memset> 31843FDB 83C4 0C ADD ESP,0C 31843FDE 68 04010000 PUSH 104 31843FE3 8D95 D0FDFFFF LEA EDX,DWORD PTR SS:[EBP-230] 31843FE9 52 PUSH EDX 31843FEA 57 PUSH EDI 31843FEB FF15 84848631 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameW 31843FF1 8A85 D0FDFFFF MOV AL,BYTE PTR SS:[EBP-230] ;取第一个字节 31843FF7 24 DF AND AL,0DF ;大写字母 31843FF9 8AC8 MOV CL,AL 31843FFB 80E9 41 SUB CL,41 31843FFE 80F9 19 CMP CL,19 ;是否是26个字母里面的任何一个 31844001 77 08 JA SHORT KernelUt.3184400B 31844003 0FBED0 MOVSX EDX,AL 31844006 C64415 97 01 MOV BYTE PTR SS:[EBP+EDX-69],1 ;将对应磁盘索引的字节设置成1 3184400B 68 04010000 PUSH 104 31844010 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-230] 31844016 50 PUSH EAX 31844017 FF15 04858631 CALL DWORD PTR DS:[<&KERNEL32.GetSystemD>; kernel32.GetSystemDirectoryW 3184401D 8A85 D0FDFFFF MOV AL,BYTE PTR SS:[EBP-230] ;取第一个字节 31844023 24 DF AND AL,0DF ;大写字母 31844025 8AC8 MOV CL,AL 31844027 80E9 41 SUB CL,41 ;得到磁盘索引 3184402A 80F9 19 CMP CL,19 ;是否是26个字母里面的任何一个 3184402D 77 08 JA SHORT KernelUt.31844037 3184402F 0FBED0 MOVSX EDX,AL 31844032 C64415 97 01 MOV BYTE PTR SS:[EBP+EDX-69],1 ;将对应磁盘索引的字节设置成1 31844037 68 DC040000 PUSH 4DC 3184403C 8D85 E0F8FFFF LEA EAX,DWORD PTR SS:[EBP-720] 31844042 57 PUSH EDI 31844043 50 PUSH EAX 31844044 89BD DCF8FFFF MOV DWORD PTR SS:[EBP-724],EDI 3184404A E8 C5900100 CALL <JMP.&MSVCR80.memset> 3184404F 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28] 31844052 83C4 0C ADD ESP,0C 31844055 33F6 XOR ESI,ESI ;清空ESI 31844057 32DB XOR BL,BL ;清空BL 31844059 898D CCFDFFFF MOV DWORD PTR SS:[EBP-234],ECX 3184405F 90 NOP 31844060 8B95 CCFDFFFF MOV EDX,DWORD PTR SS:[EBP-234] 31844066 803A 00 CMP BYTE PTR DS:[EDX],0 ;比较对应的字节是否为1 31844069 74 78 JE SHORT KernelUt.318440E3 3184406B 57 PUSH EDI 3184406C 57 PUSH EDI 3184406D 57 PUSH EDI 3184406E 57 PUSH EDI 3184406F 8D8D C8FDFFFF LEA ECX,DWORD PTR SS:[EBP-238] 31844075 51 PUSH ECX 31844076 66:0FB6C3 MOVZX AX,BL 3184407A 57 PUSH EDI 3184407B 57 PUSH EDI 3184407C 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] 3184407F 66:05 4100 ADD AX,41 31844083 52 PUSH EDX 31844084 66:8945 F4 MOV WORD PTR SS:[EBP-C],AX 31844088 89BD C8FDFFFF MOV DWORD PTR SS:[EBP-238],EDI 3184408E FF15 00858631 CALL DWORD PTR DS:[<&KERNEL32.GetVolumeI>; kernel32.GetVolumeInformationW 31844094 57 PUSH EDI 31844095 8D85 C0FDFFFF LEA EAX,DWORD PTR SS:[EBP-240] 3184409B 50 PUSH EAX 3184409C 57 PUSH EDI 3184409D 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C] 318440A0 51 PUSH ECX 318440A1 89BD C0FDFFFF MOV DWORD PTR SS:[EBP-240],EDI 318440A7 89BD C4FDFFFF MOV DWORD PTR SS:[EBP-23C],EDI 318440AD FF15 FC848631 CALL DWORD PTR DS:[<&KERNEL32.GetDiskFre>; kernel32.GetDiskFreeSpaceExW 318440B3 8B95 C8FDFFFF MOV EDX,DWORD PTR SS:[EBP-238] 318440B9 8B85 C0FDFFFF MOV EAX,DWORD PTR SS:[EBP-240] 318440BF 8B8D C4FDFFFF MOV ECX,DWORD PTR SS:[EBP-23C] 318440C5 8994B5 DCF8FFF>MOV DWORD PTR SS:[EBP+ESI*4-724],EDX ;驱动器序列号 318440CC 83C6 01 ADD ESI,1 ;ESI加1 318440CF 8984B5 DCF8FFF>MOV DWORD PTR SS:[EBP+ESI*4-724],EAX ;驱动器总字节数高32位 318440D6 83C6 01 ADD ESI,1 ;ESI加1 318440D9 898CB5 DCF8FFF>MOV DWORD PTR SS:[EBP+ESI*4-724],ECX ;驱动器总字节数低32位 318440E0 83C6 01 ADD ESI,1 ;ESI加1 318440E3 8385 CCFDFFFF >ADD DWORD PTR SS:[EBP-234],1 318440EA 80C3 01 ADD BL,1 ;BL加1 318440ED 80FB 1A CMP BL,1A ;BL小于26 318440F0 ^ 0F82 6AFFFFFF JB KernelUt.31844060 318440F6 8B8D BCFDFFFF MOV ECX,DWORD PTR SS:[EBP-244] 318440FC 8D14B5 0000000>LEA EDX,DWORD PTR DS:[ESI*4] ;ESI*4得到数据总大小 31844103 52 PUSH EDX ;EDX为数据大小 31844104 8D85 DCF8FFFF LEA EAX,DWORD PTR SS:[EBP-724] 3184410A 50 PUSH EAX ;EAX为要计算MD5的数据 3184410B 51 PUSH ECX ;数据的MD5,这就是Key1 3184410C E8 3BDFFBFF CALL KernelUt.3180204C ;计算MD5 31844111 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 31844114 83C4 0C ADD ESP,0C 31844117 5F POP EDI 31844118 5E POP ESI 31844119 33CD XOR ECX,EBP 3184411B 5B POP EBX 3184411C E8 098F0100 CALL KernelUt.3185D02A 31844121 8BE5 MOV ESP,EBP 31844123 5D POP EBP 31844124 C3 RETN 跟进 318442CD 处的调用,这里生成Key2 31844130 55 PUSH EBP 31844131 8BEC MOV EBP,ESP 31844133 81EC B0000000 SUB ESP,0B0 31844139 A1 48958831 MOV EAX,DWORD PTR DS:[31889548] 3184413E 33C5 XOR EAX,EBP 31844140 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 31844143 57 PUSH EDI 31844144 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] 31844147 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8] 3184414D 50 PUSH EAX 3184414E 68 19000200 PUSH 20019 31844153 6A 00 PUSH 0 31844155 68 10108731 PUSH KernelUt.31871010 ; UNICODE "SOFTWARE\Microsoft\Cryptography" 3184415A 68 02000080 PUSH 80000002 3184415F FF15 08808631 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; ADVAPI32.RegOpenKeyExW 31844165 85C0 TEST EAX,EAX 31844167 0F85 02010000 JNZ KernelUt.3184426F 3184416D 56 PUSH ESI 3184416E 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0] 31844174 51 PUSH ECX 31844175 8B8D 58FFFFFF MOV ECX,DWORD PTR SS:[EBP-A8] 3184417B 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] 31844181 52 PUSH EDX 31844182 8845 DC MOV BYTE PTR SS:[EBP-24],AL 31844185 8945 DD MOV DWORD PTR SS:[EBP-23],EAX 31844188 8945 E1 MOV DWORD PTR SS:[EBP-1F],EAX 3184418B 8945 E5 MOV DWORD PTR SS:[EBP-1B],EAX 3184418E 8945 E9 MOV DWORD PTR SS:[EBP-17],EAX 31844191 8945 ED MOV DWORD PTR SS:[EBP-13],EAX 31844194 8945 F1 MOV DWORD PTR SS:[EBP-F],EAX 31844197 8945 F5 MOV DWORD PTR SS:[EBP-B],EAX 3184419A 66:8945 F9 MOV WORD PTR SS:[EBP-7],AX 3184419E 8845 FB MOV BYTE PTR SS:[EBP-5],AL 318441A1 8D85 54FFFFFF LEA EAX,DWORD PTR SS:[EBP-AC] 318441A7 50 PUSH EAX 318441A8 6A 00 PUSH 0 318441AA 68 F40F8731 PUSH KernelUt.31870FF4 ; UNICODE "MachineGuid" 318441AF 51 PUSH ECX 318441B0 C785 50FFFFFF >MOV DWORD PTR SS:[EBP-B0],80 318441BA C785 54FFFFFF >MOV DWORD PTR SS:[EBP-AC],1 318441C4 FF15 04808631 CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa>; ADVAPI32.RegQueryValueExW 318441CA 8B95 58FFFFFF MOV EDX,DWORD PTR SS:[EBP-A8] 318441D0 52 PUSH EDX 318441D1 FF15 00808631 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; ADVAPI32.RegCloseKey 318441D7 33C0 XOR EAX,EAX 318441D9 66:83BD 5CFFFF>CMP WORD PTR SS:[EBP-A4],7B 318441E1 B1 46 MOV CL,46 ;CL赋值为0x46 318441E3 0F94C0 SETE AL 318441E6 BE CC0F8731 MOV ESI,KernelUt.31870FCC ; ASCII "FGDEBC@A-JKHI-NOLM-PQRS-TUVWXYZ[\]^_" 318441EB 8D9445 5CFFFFF>LEA EDX,DWORD PTR SS:[EBP+EAX*2-A4] ;EDX指向从注册表读取到的MachineGuid 318441F2 80F9 40 CMP CL,40 ;CL大于0x40 318441F5 7C 1D JL SHORT KernelUt.31844214 318441F7 66:8B02 MOV AX,WORD PTR DS:[EDX] ;取MachineGuid第一个字节 318441FA 66:0D 2000 OR AX,20 ;小写 318441FE 0FB7C0 MOVZX EAX,AX 31844201 66:3D 6100 CMP AX,61 ;是数字还是字母 31844205 72 04 JB SHORT KernelUt.3184420B 31844207 2C 57 SUB AL,57 ;如果是字母的话减除0x57 31844209 EB 02 JMP SHORT KernelUt.3184420D 3184420B 2C 30 SUB AL,30 ;数字减除0x30 3184420D 0FBEC9 MOVSX ECX,CL 31844210 88440D 9C MOV BYTE PTR SS:[EBP+ECX-64],AL ;根据ECX的位置存储AL 31844214 8A4E 01 MOV CL,BYTE PTR DS:[ESI+1] 31844217 83C6 01 ADD ESI,1 3184421A 83C2 02 ADD EDX,2 3184421D 84C9 TEST CL,CL 3184421F ^ 75 D1 JNZ SHORT KernelUt.318441F2 31844221 8D4F 01 LEA ECX,DWORD PTR DS:[EDI+1] 31844224 8D45 DD LEA EAX,DWORD PTR SS:[EBP-23] 31844227 BE 04000000 MOV ESI,4 ;4轮,将高位和低位合成一个字节,共生成16的字节,这就是Key2 3184422C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP] 31844230 0FB650 FF MOVZX EDX,BYTE PTR DS:[EAX-1] 31844234 C0E2 04 SHL DL,4 31844237 0A10 OR DL,BYTE PTR DS:[EAX] 31844239 83C1 04 ADD ECX,4 3184423C 8851 FB MOV BYTE PTR DS:[ECX-5],DL 3184423F 0FB650 01 MOVZX EDX,BYTE PTR DS:[EAX+1] 31844243 C0E2 04 SHL DL,4 31844246 0A50 02 OR DL,BYTE PTR DS:[EAX+2] 31844249 83C0 08 ADD EAX,8 3184424C 8851 FC MOV BYTE PTR DS:[ECX-4],DL 3184424F 0FB650 FB MOVZX EDX,BYTE PTR DS:[EAX-5] 31844253 C0E2 04 SHL DL,4 31844256 0A50 FC OR DL,BYTE PTR DS:[EAX-4] 31844259 8851 FD MOV BYTE PTR DS:[ECX-3],DL 3184425C 0FB650 FD MOVZX EDX,BYTE PTR DS:[EAX-3] 31844260 C0E2 04 SHL DL,4 31844263 0A50 FE OR DL,BYTE PTR DS:[EAX-2] 31844266 83EE 01 SUB ESI,1 31844269 8851 FE MOV BYTE PTR DS:[ECX-2],DL 3184426C ^ 75 C2 JNZ SHORT KernelUt.31844230 3184426E 5E POP ESI 3184426F 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 31844272 33CD XOR ECX,EBP 31844274 5F POP EDI 31844275 E8 B08D0100 CALL KernelUt.3185D02A 3184427A 8BE5 MOV ESP,EBP 3184427C 5D POP EBP 3184427D C3 RETN
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
正在分析中,多谢楼主分享!
|
|
|
|
|
|
|
|
|
|
|
|
|
