对密码学类是个小白,逆向也刚入门,找个练手的,却遇上了怀疑是rsa 4096bit的,由于是小白,可能已经跟进RSA内部,,希望能帮帮小弟一把。
004045C6 |. 8B1D 08B14600 mov ebx, dword ptr [<&MSVCRT.fopen>] ; msvcrt.fopen
004045CC |. 68 30014700 push 00470130 ; /mode = "rb"
004045D1 |. 50 push eax ; |path => "c:\c\key1"
004045D2 |. C605 44EC4D00 56 mov byte ptr [4DEC44], 56 ; |从配置文件读取KEY文件路径
004045D9 |. FFD3 call ebx ; \fopen
004045DB |. 8BF0 mov esi, eax
004045DD |. 56 push esi ; /stream
004045DE |. 6A 01 push 1 ; |n = 1
004045E0 |. 68 04010000 push 104 ; |size = 104 (260.)
004045E5 |. 68 602E4E00 push 004E2E60 ; |读出KEY文件内容到4E2E60
004045EA |. FF15 04B14600 call dword ptr [<&MSVCRT.fread>] ; \fread
004045F0 |. 56 push esi ; /stream
004045F1 |. FF15 00B14600 call dword ptr [<&MSVCRT.fclose>] ; \fclose
004045F7 |. A0 702E4E00 mov al, byte ptr [4E2E70]
004045FC |. 83C4 1C add esp, 1C
004045FF |. 3C 44 cmp al, 44
00404601 |. 0F85 05060000 jnz 00404C0C
00404607 |. 803D 712E4E00 04 cmp byte ptr [4E2E71], 4
0040460E |. 0F85 F8050000 jnz 00404C0C
00404614 |. B9 7C000000 mov ecx, 7C
00404619 |. BE 98C74600 mov esi, 0046C798 ; 从46c78取出492byte数据填充到刚读出来的buff
0040461E |. BF 602E4E00 mov edi, 004E2E60 ; 怀疑前面的读取是假的?
00404623 |. 68 30014700 push 00470130 ; ASCII "rb"
00404628 |. F3:A5 rep movs dword ptr es:[edi], dword p>
0040462A |. B9 85000000 mov ecx, 85
0040462F |. BE 40C34600 mov esi, 0046C340 ; 把剩下的20byte从46c340填充进去,492+20=512
00404634 |. BF 50304E00 mov edi, 004E3050 ; 这512应该就是rsa的N,512*8=4096bit的rsa
00404639 |. F3:A5 rep movs dword ptr es:[edi], dword p>
0040463B |. 8B0D 6C124C00 mov ecx, dword ptr [4C126C]
00404641 |. 51 push ecx
00404642 |. FFD3 call ebx
00404644 |. 8BF0 mov esi, eax
00404646 |. 56 push esi ; /stream
00404647 |. 6A 01 push 1 ; |n = 1
00404649 |. 68 00020000 push 200 ; |size = 200 (512.)
0040464E |. 68 00DA4900 push 0049DA00 ; |读出密文文件,也是512Byte
00404653 |. FF15 04B14600 call dword ptr [<&MSVCRT.fread>] ; \fread
00404659 |. 56 push esi ; /stream
0040465A |. FF15 00B14600 call dword ptr [<&MSVCRT.fclose>] ; \fclose
00404660 |. 68 602E4E00 push 004E2E60 ; 压入N
00404665 |. 68 00020000 push 200 ; 长度512
0040466A |. 8D5424 40 lea edx, dword ptr [esp+40]
0040466E |. 68 00DA4900 push 0049DA00 ; 压入密文
00404673 |. 8D8424 F0000000 lea eax, dword ptr [esp+F0]
0040467A |. 52 push edx ; edx=12F3ac指向的数据是ED 95 96 7C 34
0040467B |. 50 push eax ; 接受返回信息的buff
0040467C |. E8 DFE30500 call 00462A60 ; 跟进去看下
00462A60 /$ 8B4424 14 mov eax, dword ptr [esp+14]
00462A64 |. 81EC 04020000 sub esp, 204
00462A6A |. 8B8C24 14020000 mov ecx, dword ptr [esp+214]
00462A71 |. 56 push esi
00462A72 |. 8B30 mov esi, dword ptr [eax]
00462A74 |. 83C6 07 add esi, 7
00462A77 |. C1EE 03 shr esi, 3
00462A7A |. 3BCE cmp ecx, esi
00462A7C |. 76 0D jbe short 00462A8B
00462A7E |. B8 06040000 mov eax, 406
00462A83 |. 5E pop esi
00462A84 |. 81C4 04020000 add esp, 204
00462A8A |. C3 retn
00462A8B |> 50 push eax ; 压入N
00462A8C |. 8B8424 18020000 mov eax, dword ptr [esp+218]
00462A93 |. 51 push ecx ; 长度512
00462A94 |. 8D4C24 0C lea ecx, dword ptr [esp+C]
00462A98 |. 50 push eax ; 压入密文
00462A99 |. 8D5424 14 lea edx, dword ptr [esp+14]
00462A9D |. 51 push ecx
00462A9E |. 52 push edx ; 接受返回信息的buff
00462A9F |. E8 AC000000 call 00462B50 ; 跟进去看下
00462B50 /$ 8B4424 10 mov eax, dword ptr [esp+10]
00462B54 |. 8B4C24 0C mov ecx, dword ptr [esp+C]
00462B58 |. 81EC 10080000 sub esp, 810
00462B5E |. 8D5424 00 lea edx, dword ptr [esp]
00462B62 |. 53 push ebx
00462B63 |. 56 push esi
00462B64 |. 57 push edi
00462B65 |. 50 push eax ; 压入0x200
00462B66 |. 51 push ecx ; 压入密文
00462B67 |. 68 81000000 push 81
00462B6C |. 52 push edx ; 接收buff
00462B6D |. E8 6EA8FCFF call 0042D3E0 ; 通过结果观察,应该是把密文倒置
00462B72 |. 8BBC24 40080000 mov edi, dword ptr [esp+840]
00462B79 |. 68 00020000 push 200
00462B7E |. 8D8C24 24020000 lea ecx, dword ptr [esp+224]
00462B85 |. 8D47 04 lea eax, dword ptr [edi+4]
00462B88 |. 50 push eax
00462B89 |. 68 81000000 push 81
00462B8E |. 51 push ecx
00462B8F |. E8 4CA8FCFF call 0042D3E0 ; 把N倒置
00462B94 |. 8D97 04020000 lea edx, dword ptr [edi+204]
00462B9A |. 68 00020000 push 200
00462B9F |. 52 push edx
00462BA0 |. 8D8424 3C040000 lea eax, dword ptr [esp+43C]
00462BA7 |. 68 81000000 push 81
00462BAC |. 50 push eax
00462BAD |. E8 2EA8FCFF call 0042D3E0 ; 把4E3064倒置,是一个全0区域
00462BB2 |. 8D8C24 40020000 lea ecx, dword ptr [esp+240]
00462BB9 |. 68 81000000 push 81
00462BBE |. 51 push ecx
00462BBF |. E8 7CAFFCFF call 0042DB40 ; 计算倒置后的N的长度
00462BC4 |. 8D9424 4C040000 lea edx, dword ptr [esp+44C] ; 返回eax=80,80*4=0x200=512
00462BCB |. 68 81000000 push 81
00462BD0 |. 52 push edx
00462BD1 |. 8BF0 mov esi, eax
00462BD3 |. E8 68AFFCFF call 0042DB40 ; 计算长度,edx=12ed34指向数值是0x10001,应该是rsa的E
00462BD8 |. 83C4 40 add esp, 40 ; 返回eax=1
00462BDB |. 8BD8 mov ebx, eax
00462BDD |. 8D8424 10020000 lea eax, dword ptr [esp+210]
00462BE4 |. 8D4C24 0C lea ecx, dword ptr [esp+C]
00462BE8 |. 56 push esi
00462BE9 |. 50 push eax
00462BEA |. 51 push ecx
00462BEB |. E8 10AFFCFF call 0042DB00
00462BF0 |. 83C4 0C add esp, 0C
00462BF3 |. 85C0 test eax, eax
00462BF5 |. 7C 0F jl short 00462C06 ; 跳
00462BF7 |. 5F pop edi
00462BF8 |. 5E pop esi
00462BF9 |. B8 01040000 mov eax, 401
00462BFE |. 5B pop ebx
00462BFF |. 81C4 10080000 add esp, 810
00462C05 |. C3 retn
00462C06 |> 8D9424 10020000 lea edx, dword ptr [esp+210]
00462C0D |. 56 push esi ; esi=0x80
00462C0E |. 52 push edx ; 指向一个512byte区域,应该是rsa的N
00462C0F |. 8D8424 1C040000 lea eax, dword ptr [esp+41C]
00462C16 |. 53 push ebx ; edx=1
00462C17 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00462C1B |. 50 push eax ; 指向一个地址,地址的值是0x010001 应该是rsa的e
00462C1C |. 8D9424 28060000 lea edx, dword ptr [esp+628]
00462C23 |. 51 push ecx ; 密文
00462C24 |. 52 push edx ; 指向接收解密后字符串
00462C25 |. E8 46ADFCFF call 0042D970 ; 应该是rsa public解密
我用rsatool2生成了4096长度的d,n,e,我把N替换到里面512byte部分之后,把授权文件替换成我用rsatool2加密的密文,运行时候N和密文都是正确的,但却解不出明文,对rsa第一次接触,只看了些资料就乱整了,不知道是不是哪里没对,文件在附件里,求指导。。谢谢。。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)