变形Md5反汇编代码简单注释
注释人:Baby2008 日期:2005.09.18 (中秋节快乐)
------------------------------------------------------------------------------
这是某行业软件里的一段代码,发现这个MD5变形很BT, cnbragon 在论坛里说过:MD5的变形无非就是变一下四个常数,变一下用于填充的字符,变一下hash的处理过程,这种不幸的事情在我这里全部发生了,本代码Md5变形包括:1 常数变形 2 填充字符变形 3 Hash变形 ,其中填充字符变形3处,Hash变形更厉害... 经过自己努力,现在已经搞定,特留分析笔记,不知是否有参考价值.
1 常数变形
; Context initialisation (the author's "1 constant variation"). Arg1 = ctx.
; Layout seen across the four listings: [ctx+44..50] = running state A,B,C,D,
; [ctx+64] = byte-length counter (read below as padding index and bit length).
; The four words are the RFC 1321 initial values with their bytes reversed
; (0x67452301 -> 0x01234567, ...), so no digest from this code matches stock MD5.
006650AC /$ 55 push ebp
006650AD |. 8BEC mov ebp,esp
006650AF |. 33D2 xor edx,edx ; edx = 0, used to clear the length counter
006650B1 |. 8B45 08 mov eax,[arg.1] ; eax = ctx
006650B4 |. C740 44 67452301 mov dword ptr ds:[eax+44],1234567 ; A = 0x01234567 (stock MD5: 0x67452301)
006650BB |. C740 48 EFCDAB89 mov dword ptr ds:[eax+48],89ABCDEF ; B = 0x89ABCDEF (stock MD5: 0xEFCDAB89)
006650C2 |. C740 4C 98BADCFE mov dword ptr ds:[eax+4C],FEDCBA98 ; C = 0xFEDCBA98 (stock MD5: 0x98BADCFE)
006650C9 |. C740 50 10325476 mov dword ptr ds:[eax+50],76543210 ; D = 0x76543210 (stock MD5: 0x10325476)
006650D0 |. 8950 64 mov dword ptr ds:[eax+64],edx ; byte-length counter = 0
006650D3 |. 5D pop ebp
006650D4 \. C3 retn
2 填充字符变形
; Finalisation (the author's "2 padding variation"): pads the last block, stores the
; bit length in X[14]/X[15], runs the compression routine 006650D8 and copies the digest out.
; Args: Arg1 = ctx, Arg2 = output buffer, Arg3 = number of bytes to copy out.
; The padding differs from RFC 1321 in three places, marked (1)-(3) below.
006652FC /$ 55 push ebp ; prepare for the final MD5 step
006652FD |. 8BEC mov ebp,esp
006652FF |. 53 push ebx
00665300 |. 56 push esi
00665301 |. 8B75 10 mov esi,[arg.3] ; esi = output byte count
00665304 |. 8B5D 08 mov ebx,[arg.1] ; ebx = ctx
00665307 |. 8B43 64 mov eax,dword ptr ds:[ebx+64] ; start padding: eax = total byte length
0066530A |. 83E0 3F and eax,3F ; eax = bytes already in the current 64-byte block
0066530D |. 8B53 68 mov edx,dword ptr ds:[ebx+68] ; edx = block buffer pointer (data being hashed); presumably a byte view of X[] at ctx+4 — confirm
00665310 |. C60402 01 mov byte ptr ds:[edx+eax],1 ; terminator byte 0x01 — padding variation (1): stock MD5 appends 0x80
00665314 |. 83F8 37 cmp eax,37 ; is there room for the 8 length bytes? (index > 0x37 means no)
00665317 |. 7E 2E jle short Baby2008.00665347 ; index <= 0x37: pad within this block only
00665319 |. 40 inc eax ; step past the 0x01 just written
0066531A |. 83F8 40 cmp eax,40
0066531D |. 7D 0D jge short Baby2008.0066532C
0066531F |> 8B53 68 /mov edx,dword ptr ds:[ebx+68] ; zero-fill to the end of the 64-byte block
00665322 |. C60402 00 |mov byte ptr ds:[edx+eax],0
00665326 |. 40 |inc eax
00665327 |. 83F8 40 |cmp eax,40
0066532A |.^ 7C F3 \jl short Baby2008.0066531F
0066532C |> 53 push ebx ; /Arg1 = ctx
0066532D |. E8 A6FDFFFF call Baby2008.006650D8 ; \compress the full block (006650D8)
00665332 |. 59 pop ecx
00665333 |. 33D2 xor edx,edx ; then clear X[0..13] for the extra length-only block
00665335 |. 8D43 04 lea eax,dword ptr ds:[ebx+4] ; eax = &X[0] (X[] is read at ctx+4 by 006651A4)
00665338 |> 33C9 /xor ecx,ecx
0066533A |. 8908 |mov dword ptr ds:[eax],ecx
0066533C |. 42 |inc edx
0066533D |. 83C0 04 |add eax,4
00665340 |. 83FA 0E |cmp edx,0E ; 14 dwords
00665343 |.^ 7C F3 \jl short Baby2008.00665338
00665345 |. EB 13 jmp short Baby2008.0066535A
00665347 |> 40 inc eax ; +1 to step past the 0x01 terminator
00665348 |. 83F8 38 cmp eax,38
0066534B |. 7D 0D jge short Baby2008.0066535A
0066534D |> 8B53 68 /mov edx,dword ptr ds:[ebx+68] ; block buffer pointer
00665350 |. C60402 00 |mov byte ptr ds:[edx+eax],0
00665354 |. 40 |inc eax
00665355 |. 83F8 38 |cmp eax,38
00665358 |.^ 7C F3 \jl short Baby2008.0066534D ; zero-fill up to byte 0x38 (56)
0066535A |> 8B4B 64 mov ecx,dword ptr ds:[ebx+64] ; byte length
0066535D |. C1E9 1D shr ecx,1D ; length shr 1D = high dword of the bit length
00665360 |. 894B 3C mov dword ptr ds:[ebx+3C],ecx ; -> X[14] — padding variation (2): stock MD5 stores the LOW dword here
00665363 |. 8B43 64 mov eax,dword ptr ds:[ebx+64]
00665366 |. C1E0 03 shl eax,3 ; length shl 3 = low dword of the bit length
00665369 |. 8943 40 mov dword ptr ds:[ebx+40],eax ; -> X[15] — padding variation (3): stock MD5 stores the HIGH dword here
0066536C |. 53 push ebx ; /Arg1 = ctx
0066536D |. E8 66FDFFFF call Baby2008.006650D8 ; \compress the final block; the round function it calls (006651A4) holds the hash changes
00665372 |. 59 pop ecx
00665373 |. 33C0 xor eax,eax ; i = 0
00665375 |. 8B55 0C mov edx,[arg.2] ; edx = output buffer
00665378 |. 3BF0 cmp esi,eax
0066537A |. 7E 0E jle short Baby2008.0066538A ; nothing to copy when count <= 0
0066537C |> 8B4B 6C /mov ecx,dword ptr ds:[ebx+6C] ; source pointer from [ctx+6C]; presumably the 16-byte state at ctx+44 — confirm
0066537F |. 8A0C01 |mov cl,byte ptr ds:[ecx+eax]
00665382 |. 880A |mov byte ptr ds:[edx],cl
00665384 |. 40 |inc eax
00665385 |. 42 |inc edx
00665386 |. 3BF0 |cmp esi,eax
00665388 |.^ 7F F2 \jg short Baby2008.0066537C ; copy Arg3 bytes (16 for a full digest); Arg3 is never bounded against 16 here
0066538A |> 5E pop esi
0066538B |. 5B pop ebx
0066538C |. 5D pop ebp
0066538D \. C3 retn
3 Hash 变形
; Compression function. Arg1 = ctx. Copies state A..D ([ctx+44..50]) into the working
; words a..d ([ctx+54..60]), runs 64 steps through 006651A4 rotating which word is
; updated (a, d, c, b — as in RFC 1321), then adds a..d back into A..D.
; This routine matches stock MD5; the differences live inside 006651A4.
006650D8 /$ 55 push ebp
006650D9 |. 8BEC mov ebp,esp
006650DB |. 53 push ebx
006650DC |. 56 push esi
006650DD |. 8B5D 08 mov ebx,[arg.1] ; ebx = ctx
006650E0 |. 33D2 xor edx,edx ; edx = copy counter
006650E2 |. 8D43 44 lea eax,dword ptr ds:[ebx+44] ; eax = &A
006650E5 |> 8B08 /mov ecx,dword ptr ds:[eax]
006650E7 |. 8948 10 |mov dword ptr ds:[eax+10],ecx ; [ctx+54+4k] = [ctx+44+4k]
006650EA |. 42 |inc edx
006650EB |. 83C0 04 |add eax,4
006650EE |. 83FA 04 |cmp edx,4
006650F1 |.^ 7C F2 \jl short Baby2008.006650E5 ; copy the 4 state words A,B,C,D into a,b,c,d
006650F3 |. 33F6 xor esi,esi ; i = 0
006650F5 |> 8BC6 /mov eax,esi
006650F7 |. 83E0 03 |and eax,3
006650FA |. 83E8 01 |sub eax,1 ; Switch (cases 0..3) on i and 3
006650FD |. 72 0A |jb short Baby2008.00665109 ; i and 3 == 0
006650FF |. 74 27 |je short Baby2008.00665128 ; == 1
00665101 |. 48 |dec eax
00665102 |. 74 43 |je short Baby2008.00665147 ; == 2
00665104 |. 48 |dec eax
00665105 |. 74 5F |je short Baby2008.00665166 ; == 3
00665107 |. EB 7A |jmp short Baby2008.00665183 ; unreachable: i and 3 is always 0..3
00665109 |> 56 |push esi ; /Arg6 = i; Case 0 of switch 006650FA: a = step(ctx, a, b, c, d, i)
0066510A |. 8B53 60 |mov edx,dword ptr ds:[ebx+60] ; |d
0066510D |. 52 |push edx ; |Arg5 = d
0066510E |. 8B4B 5C |mov ecx,dword ptr ds:[ebx+5C] ; |c
00665111 |. 51 |push ecx ; |Arg4 = c
00665112 |. 8B43 58 |mov eax,dword ptr ds:[ebx+58] ; |b
00665115 |. 50 |push eax ; |Arg3 = b
00665116 |. 8B53 54 |mov edx,dword ptr ds:[ebx+54] ; |a
00665119 |. 52 |push edx ; |Arg2 = a
0066511A |. 53 |push ebx ; |Arg1 = ctx
0066511B |. E8 84000000 |call Baby2008.006651A4 ; \step function 006651A4
00665120 |. 83C4 18 |add esp,18 ; cdecl: 6 args x 4 bytes
00665123 |. 8943 54 |mov dword ptr ds:[ebx+54],eax ; a = result
00665126 |. EB 5B |jmp short Baby2008.00665183
00665128 |> 56 |push esi ; /Arg6 = i; Case 1 of switch 006650FA: d = step(ctx, d, a, b, c, i)
00665129 |. 8B4B 5C |mov ecx,dword ptr ds:[ebx+5C] ; |c
0066512C |. 51 |push ecx ; |Arg5 = c
0066512D |. 8B43 58 |mov eax,dword ptr ds:[ebx+58] ; |b
00665130 |. 50 |push eax ; |Arg4 = b
00665131 |. 8B53 54 |mov edx,dword ptr ds:[ebx+54] ; |a
00665134 |. 52 |push edx ; |Arg3 = a
00665135 |. 8B4B 60 |mov ecx,dword ptr ds:[ebx+60] ; |d
00665138 |. 51 |push ecx ; |Arg2 = d
00665139 |. 53 |push ebx ; |Arg1 = ctx
0066513A |. E8 65000000 |call Baby2008.006651A4 ; \step function 006651A4
0066513F |. 83C4 18 |add esp,18
00665142 |. 8943 60 |mov dword ptr ds:[ebx+60],eax ; d = result
00665145 |. EB 3C |jmp short Baby2008.00665183
00665147 |> 56 |push esi ; /Arg6 = i; Case 2 of switch 006650FA: c = step(ctx, c, d, a, b, i)
00665148 |. 8B43 58 |mov eax,dword ptr ds:[ebx+58] ; |b
0066514B |. 50 |push eax ; |Arg5 = b
0066514C |. 8B53 54 |mov edx,dword ptr ds:[ebx+54] ; |a
0066514F |. 52 |push edx ; |Arg4 = a
00665150 |. 8B4B 60 |mov ecx,dword ptr ds:[ebx+60] ; |d
00665153 |. 51 |push ecx ; |Arg3 = d
00665154 |. 8B43 5C |mov eax,dword ptr ds:[ebx+5C] ; |c
00665157 |. 50 |push eax ; |Arg2 = c
00665158 |. 53 |push ebx ; |Arg1 = ctx
00665159 |. E8 46000000 |call Baby2008.006651A4 ; \step function 006651A4
0066515E |. 83C4 18 |add esp,18
00665161 |. 8943 5C |mov dword ptr ds:[ebx+5C],eax ; c = result
00665164 |. EB 1D |jmp short Baby2008.00665183
00665166 |> 56 |push esi ; /Arg6 = i; Case 3 of switch 006650FA: b = step(ctx, b, c, d, a, i)
00665167 |. 8B53 54 |mov edx,dword ptr ds:[ebx+54] ; |a
0066516A |. 52 |push edx ; |Arg5 = a
0066516B |. 8B4B 60 |mov ecx,dword ptr ds:[ebx+60] ; |d
0066516E |. 51 |push ecx ; |Arg4 = d
0066516F |. 8B43 5C |mov eax,dword ptr ds:[ebx+5C] ; |c
00665172 |. 50 |push eax ; |Arg3 = c
00665173 |. 8B53 58 |mov edx,dword ptr ds:[ebx+58] ; |b
00665176 |. 52 |push edx ; |Arg2 = b
00665177 |. 53 |push ebx ; |Arg1 = ctx
00665178 |. E8 27000000 |call Baby2008.006651A4 ; \step function 006651A4
0066517D |. 83C4 18 |add esp,18
00665180 |. 8943 58 |mov dword ptr ds:[ebx+58],eax ; b = result
00665183 |> 46 |inc esi ; i++ (Default case label of switch 006650FA; just the loop tail)
00665184 |. 83FE 40 |cmp esi,40 ; 64 steps in total
00665187 |.^ 0F8C 68FFFFFF \jl Baby2008.006650F5
0066518D |. 33D2 xor edx,edx ; edx = add-back counter
0066518F |. 8D43 54 lea eax,dword ptr ds:[ebx+54] ; eax = &a
00665192 |> 8B08 mov ecx,dword ptr ds:[eax]
00665194 |. 0148 F0 add dword ptr ds:[eax-10],ecx ; A += a, B += b, C += c, D += d
00665197 |. 42 inc edx
00665198 |. 83C0 04 add eax,4
0066519B |. 83FA 04 cmp edx,4
0066519E |.^ 7C F2 jl short Baby2008.00665192
006651A0 |. 5E pop esi
006651A1 |. 5B pop ebx
006651A2 |. 5D pop ebp
006651A3 \. C3 retn
以上代码正常,下面开始变形:
; One MD5 step (the author's "3 hash variation").
; Args: Arg1 = ctx (message words X[0..15] at ctx+4), Arg2 = a, Arg3 = b, Arg4 = c,
; Arg5 = d, Arg6 = i (0..63). Returns the new a in eax.
; Stock MD5 computes a = b + rotl(a + f(b,c,d) + X[k] + T[i], s[i]). Here X[k] is added
; INTO the boolean function before its final OR/XOR in every round, round 4 uses
; (b and not d) where stock MD5 uses (b or not d), and the rotate count comes from a
; table indexed by i and 3 only, so it no longer varies per round.
; The message-word schedules k = i, 5i+1, 3i+5, 7i (mod 16) are unchanged from RFC 1321.
006651A4 /$ 55 push ebp
006651A5 |. 8BEC mov ebp,esp
006651A7 |. 51 push ecx ; reserves one dword of stack, addressed below as [local.1]
006651A8 |. 53 push ebx
006651A9 |. 56 push esi
006651AA |. 8B45 1C mov eax,[arg.6] ; eax = i (step index 0..63)
006651AD |. 8B5D 18 mov ebx,[arg.5] ; ebx = d
006651B0 |. 8B4D 08 mov ecx,[arg.1] ; ecx = ctx (message words X[] at ctx+4)
006651B3 |. 8BD0 mov edx,eax ; i
006651B5 |. C1FA 04 sar edx,4 ; round = i / 16
006651B8 |. 8BF2 mov esi,edx ; round
006651BA |. 83EE 01 sub esi,1 ; Switch (cases 0..3) on round
006651BD |. 72 0A jb short Baby2008.006651C9 ; round 0
006651BF |. 74 27 je short Baby2008.006651E8 ; round 1
006651C1 |. 4E dec esi
006651C2 |. 74 44 je short Baby2008.00665208 ; round 2
006651C4 |. 4E dec esi
006651C5 |. 74 5B je short Baby2008.00665222 ; round 3
006651C7 |. EB 7A jmp short Baby2008.00665243 ; unreachable for i in 0..63
006651C9 |> 8BF0 mov esi,eax ; esi = i; Case 0 of switch 006651BA (round 1)
006651CB |. 83E6 0F and esi,0F ; k = i and F
006651CE |. 8B4CB1 04 mov ecx,dword ptr ds:[ecx+esi*4+4] ; ecx = X[k], k = 0..15
006651D2 |. 8B75 10 mov esi,[arg.3] ; b
006651D5 |. F7D6 not esi ; not b
006651D7 |. 23DE and ebx,esi ; d and (not b)
006651D9 |. 03CB add ecx,ebx ; X[k] + (d and (not b)) — variation: X[k] added before the OR
006651DB |. 8B5D 10 mov ebx,[arg.3] ; b
006651DE |. 235D 14 and ebx,[arg.4] ; b and c
006651E1 |. 0BCB or ecx,ebx ; (X[k] + (d and not b)) or (b and c); stock F = (b and c) or (not b and d), then + X[k]
006651E3 |. 014D 0C add [arg.2],ecx ; a += that term
006651E6 |. EB 5B jmp short Baby2008.00665243
006651E8 |> 8D3480 lea esi,dword ptr ds:[eax+eax*4] ; esi = 5*i (eax holds i, not i/16); Case 1 of switch 006651BA (round 2)
006651EB |. 83C6 B1 add esi,-4F ; 5*i - 79; 80 = 0 mod 16, so this is 5*i + 1 mod 16
006651EE |. 83E6 0F and esi,0F ; k = (5*i + 1) and F
006651F1 |. 8B4CB1 04 mov ecx,dword ptr ds:[ecx+esi*4+4] ; ecx = X[k], k = 1,6,11,0,5,... (stock round-2 schedule)
006651F5 |. 8BF3 mov esi,ebx ; d
006651F7 |. F7D6 not esi ; not d
006651F9 |. 2375 14 and esi,[arg.4] ; (not d) and c
006651FC |. 235D 10 and ebx,[arg.3] ; d and b
006651FF |. 03CE add ecx,esi ; X[k] + ((not d) and c) — variation: X[k] added before the OR
00665201 |. 0BCB or ecx,ebx ; (X[k] + ((not d) and c)) or (d and b); stock G = (b and d) or (c and not d), then + X[k]
00665203 |. 014D 0C add [arg.2],ecx ; a += that term
00665206 |. EB 3B jmp short Baby2008.00665243
00665208 |> 8D3440 lea esi,dword ptr ds:[eax+eax*2] ; esi = 3*i; Case 2 of switch 006651BA (round 3)
0066520B |. 83C6 A5 add esi,-5B ; 3*i - 91; 96 = 0 mod 16, so this is 3*i + 5 mod 16
0066520E |. 83E6 0F and esi,0F ; k = (3*i + 5) and F
00665211 |. 035CB1 04 add ebx,dword ptr ds:[ecx+esi*4+4] ; ebx = d + X[k], k = 5,8,11,14,1,... — variation: X[k] added to d before the XOR
00665215 |. 8B4D 10 mov ecx,[arg.3] ; b
00665218 |. 334D 14 xor ecx,[arg.4] ; b xor c
0066521B |. 33D9 xor ebx,ecx ; (d + X[k]) xor b xor c; stock H = b xor c xor d, then + X[k]
0066521D |. 015D 0C add [arg.2],ebx ; a += that term
00665220 |. EB 21 jmp short Baby2008.00665243
00665222 |> 8BF0 mov esi,eax ; esi = i; Case 3 of switch 006651BA (round 4)
00665224 |. C1E6 03 shl esi,3 ; 8*i
00665227 |. 2BF0 sub esi,eax ; 7*i
00665229 |. 81C6 B0FEFFFF add esi,-150 ; 7*i - 336; 336 = 0 mod 16, so this is 7*i mod 16
0066522F |. 83E6 0F and esi,0F ; k = (7*i) and F
00665232 |. F7D3 not ebx ; not d
00665234 |. 235D 10 and ebx,[arg.3] ; (not d) and b — variation: stock round 4 uses (b OR not d)
00665237 |. 8B4CB1 04 mov ecx,dword ptr ds:[ecx+esi*4+4] ; ecx = X[k], k = 0,7,14,5,...
0066523B |. 03CB add ecx,ebx ; X[k] + (b and not d)
0066523D |. 334D 14 xor ecx,[arg.4] ; (X[k] + (b and not d)) xor c; stock I = c xor (b or not d), then + X[k]
00665240 |. 014D 0C add [arg.2],ecx ; a += that term
00665243 |> 8D1490 lea edx,dword ptr ds:[eax+edx*4] ; common tail (Default case label of switch 006651BA): edx = i + 4*round
00665246 |. 8B0485 8CE56700 mov eax,dword ptr ds:[eax*4+67E58C] ; eax = T[i], additive-constant table at 0067E58C indexed by i (0..63)
0066524D |. 83E2 03 and edx,3 ; shift-table index = (i + 4*round) and 3 = i and 3 — shift variation: the round no longer affects the rotate count
00665250 |. 33DB xor ebx,ebx
00665252 |. 0345 0C add eax,[arg.2] ; eax = a + T[i] (a already holds the message/boolean term)
00665255 |. 8A9A 8CE66700 mov bl,byte ptr ds:[edx+67E68C] ; bl = s, rotate count from the byte table at 0067E68C (only entries 0..3 reachable)
0066525B |. 8945 FC mov [local.1],eax ; save a + T[i]
0066525E |. 8BCB mov ecx,ebx ; cl = s
00665260 |. 8B55 FC mov edx,[local.1]
00665263 |. 8B45 FC mov eax,[local.1]
00665266 |. D3E2 shl edx,cl ; (a + T[i]) shl s
00665268 |. B9 20000000 mov ecx,20
0066526D |. 2BCB sub ecx,ebx ; cl = 32 - s
0066526F |. D3E8 shr eax,cl ; (a + T[i]) shr (32 - s)
00665271 |. 0BD0 or edx,eax ; edx = rotl32(a + T[i], s)
00665273 |. 0355 10 add edx,[arg.3] ; + b
00665276 |. 8BC2 mov eax,edx ; return value: new a
00665278 |. 5E pop esi
00665279 |. 5B pop ebx
0066527A |. 59 pop ecx ; releases the [local.1] slot
0066527B |. 5D pop ebp
0066527C \. C3 retn
变换函数(Hash处理)变形的很厉害,不过总还能找到影子 ^_&...
要急着去...,注释不是很详细,万望各位看官鉴谅.