首页
社区
课程
招聘
[分享]MD5算法学习笔记
发表于: 2013-6-20 23:19 7063

[分享]MD5算法学习笔记

2013-6-20 23:19
7063
又是学习http://bbs.pediy.com/showthread.php?threadid=30769里的内容,顺便把MD5算法也重新学习了一下

开始是一段初始化,403400保存的是字符串的初始长度,403404保存的是字符串最后剩余的长度,先都初始化为0
004017A8 /$ 57 PUSH EDI
004017A9 |. 33C0 XOR EAX,EAX
004017AB |. A3 00344000 MOV DWORD PTR DS:[403400],EAX
004017B0 |. 33C0 XOR EAX,EAX
004017B2 |. A3 04344000 MOV DWORD PTR DS:[403404],EAX

将中间结果缓冲区前16字节清零,保存每次处理的64字节和用来最后进行填充
004017B7 |. BF B0334000 MOV EDI,kiToKGNm.004033B0
004017BC |. B9 10000000 MOV ECX,10
004017C1 |. F3:AB REP STOS DWORD PTR ES:[EDI]

初始向量赋值后返回
004017C3 |. B8 F0334000 MOV EAX,kiToKGNm.004033F0
004017C8 |. C700 01234567 MOV DWORD PTR DS:[EAX],67452301
004017CE |. C740 04 89ABC>MOV DWORD PTR DS:[EAX+4],EFCDAB89
004017D5 |. C740 08 FEDCB>MOV DWORD PTR DS:[EAX+8],98BADCFE
004017DC |. C740 0C 76543>MOV DWORD PTR DS:[EAX+C],10325476
004017E3 |. 5F POP EDI
004017E4 \. C3 RETN

返回后将明文缓冲区首址和长度压栈
0040116B |. FF35 A0314000 PUSH DWORD PTR DS:[4031A0]
00401171 |. 68 D4324000 PUSH kiToKGNm.004032D4 ; ASCII "MQ==RUQ4ODA4MzBSVVE0T0RBNE=="
00401176 |. E8 6D060000 CALL kiToKGNm.004017E8
0040117B |. E8 C8060000 CALL kiToKGNm.00401848

先分析第一个,开始自然是保护现场和取参数,ebx保存长度,esi保存首地址,403400保存字符串原始长度
004017E8 /$ 55 PUSH EBP
004017E9 |. 8BEC MOV EBP,ESP
004017EB |. 56 PUSH ESI
004017EC |. 57 PUSH EDI
004017ED |. 53 PUSH EBX
004017EE |. 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
004017F1 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004017F4 |. 011D 00344000 ADD DWORD PTR DS:[403400],EBX

后面是一个循环,每次从源读64字节到4033B0中,再调用核心函数4011d0进行处理,这个放到最后面讲。每循环一次ebx的值就减少64,直到ebx小于64时退出循环
004017FA |. /EB 40 JMP SHORT kiToKGNm.0040183C
004017FC |> |A1 04344000 /MOV EAX,DWORD PTR DS:[403404]
00401801 |. |B9 40000000 |MOV ECX,40
00401806 |. |2BC8 |SUB ECX,EAX
00401808 |. |8DB8 B0334000 |LEA EDI,DWORD PTR DS:[EAX+4033B0]
0040180E |. |3BCB |CMP ECX,EBX
00401810 |. |77 1E |JA SHORT kiToKGNm.00401830
00401812 |. |2BD9 |SUB EBX,ECX
00401814 |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401816 |. |E8 B5F9FFFF |CALL kiToKGNm.004011D0
0040181B |. |33C0 |XOR EAX,EAX
0040181D |. |A3 04344000 |MOV DWORD PTR DS:[403404],EAX
00401822 |. |BF B0334000 |MOV EDI,kiToKGNm.004033B0
00401827 |. |B9 10000000 |MOV ECX,10
0040182C |. |F3:AB |REP STOS DWORD PTR ES:[EDI]
0040182E |. |EB 0C |JMP SHORT kiToKGNm.0040183C
00401830 |> |8BCB |MOV ECX,EBX
00401832 |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401834 |. |011D 04344000 |ADD DWORD PTR DS:[403404],EBX
0040183A |. |EB 04 |JMP SHORT kiToKGNm.00401840
0040183C |> \0BDB OR EBX,EBX
0040183E |.^ 75 BC \JNZ SHORT kiToKGNm.004017FC

然后恢复现场,返回

最后一个函数是对明文进行填充,然后再进行处理

取剩余长度,填充第1个字节,0x80
0040184A |. 8B0D 04344000 MOV ECX,DWORD PTR DS:[403404]
00401850 |. C681 B0334000 80 MOV BYTE PTR DS:[ECX+4033B0],80

剩余长度与0x38比较,如果小于则将最后8个字节填充为数据字节数*8,再做一次运算
00401857 |. 83F9 38 CMP ECX,38
0040185A |. 72 18 JB SHORT kiToKGNm.00401874
...
00401874 |> A1 00344000 MOV EAX,DWORD PTR DS:[403400]
00401879 |. 33D2 XOR EDX,EDX
0040187B |. 0FA4C2 03 SHLD EDX,EAX,3
0040187F |. C1E0 03 SHL EAX,3
00401882 |. A3 E8334000 MOV DWORD PTR DS:[4033E8],EAX
00401887 |. 8915 EC334000 MOV DWORD PTR DS:[4033EC],EDX
0040188D |. E8 3EF9FFFF CALL kiToKGNm.004011D0

如果剩余长度大于0x38,则需要再做两次运算,第一次与上面一种情况一样,第二次是将缓冲区全部清0,最后8个字节填充为数据字节数*8,再做一次运算
0040185C |. E8 6FF9FFFF CALL kiToKGNm.004011D0
00401861 |. 33C0 XOR EAX,EAX
00401863 |. A3 04344000 MOV DWORD PTR DS:[403404],EAX
00401868 |. BF B0334000 MOV EDI,kiToKGNm.004033B0
0040186D |. B9 10000000 MOV ECX,10
00401872 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401874 |> A1 00344000 MOV EAX,DWORD PTR DS:[403400]
00401879 |. 33D2 XOR EDX,EDX ; kiToKGNm.004032D5
0040187B |. 0FA4C2 03 SHLD EDX,EAX,3
0040187F |. C1E0 03 SHL EAX,3
00401882 |. A3 E8334000 MOV DWORD PTR DS:[4033E8],EAX
00401887 |. 8915 EC334000 MOV DWORD PTR DS:[4033EC],EDX
0040188D |. E8 3EF9FFFF CALL kiToKGNm.004011D0

函数CALL kiToKGNm.004011D0是MD5运算的核心函数,也就是圈运算的部分
这部分不打算多讲,对照百度百科里的讲解还是很容易看懂的http://baike.baidu.com/view/7636.htm。
这里只说下4个寄存器的内容,eax对应的是a,ebx对应的是b,ecx对应的是c,edx对应的是d

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 257
活跃值: (67)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
2
多谢分享,来占个沙发.
2013-6-21 01:03
0
雪    币: 1839
活跃值: (295)
能力值: ( LV9,RANK:370 )
在线值:
发帖
回帖
粉丝
3
贴个md5源码给你参考:

{******************************************************************************}
{* DCPcrypt v2.0 written by David Barton (davebarton@bigfoot.com) *************}
{******************************************************************************}
{* A binary compatible implementation of MD5 **********************************}
{******************************************************************************}
{* Copyright (c) 1999-2000 David Barton                                       *}
{* Permission is hereby granted, free of charge, to any person obtaining a    *}
{* copy of this software and associated documentation files (the "Software"), *}
{* to deal in the Software without restriction, including without limitation  *}
{* the rights to use, copy, modify, merge, publish, distribute, sublicense,   *}
{* and/or sell copies of the Software, and to permit persons to whom the      *}
{* Software is furnished to do so, subject to the following conditions:       *}
{*                                                                            *}
{* The above copyright notice and this permission notice shall be included in *}
{* all copies or substantial portions of the Software.                        *}
{*                                                                            *}
{* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR *}
{* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,   *}
{* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL    *}
{* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER *}
{* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING    *}
{* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER        *}
{* DEALINGS IN THE SOFTWARE.                                                  *}
{******************************************************************************}
unit Md5;

interface
uses
  Classes, Sysutils, DCPcrypt, DCPconst;

type
  TDCP_md5= class(TDCP_hash)
  protected
    LenHi: longint;
    LenLo2, LenLo1: word; { annoying fix for D1-3 users who don't have longword }
    Index: DWord;
    CurrentHash: array[0..3] of DWord;
    HashBuffer: array[0..63] of byte;
    procedure Compress;
  public
    class function GetId: longint; override;
    class function GetAlgorithm: string; override;
    class function GetHashSize: longint; override;
    class function SelfTest: boolean; override;
    procedure Init; override;
    procedure Burn; override;
    procedure Update(const Buffer; Size: longint); override;
    procedure Final(var Digest); override;
  end;

{******************************************************************************}
{******************************************************************************}
implementation
{$R-}{$Q-}

procedure TDCP_md5.Compress;
var
  Data: array[0..15] of dword;
  A, B, C, D: dword;
begin
  Move(HashBuffer,Data,Sizeof(Data));
  A:= CurrentHash[0];
  B:= CurrentHash[1];
  C:= CurrentHash[2];
  D:= CurrentHash[3];

  A:= B + LRot32(A + (D xor (B and (C xor D))) + Data[ 0] + $d76aa478,7);
  D:= A + LRot32(D + (C xor (A and (B xor C))) + Data[ 1] + $e8c7b756,12);
  C:= D + LRot32(C + (B xor (D and (A xor B))) + Data[ 2] + $242070db,17);
  B:= C + LRot32(B + (A xor (C and (D xor A))) + Data[ 3] + $c1bdceee,22);
  A:= B + LRot32(A + (D xor (B and (C xor D))) + Data[ 4] + $f57c0faf,7);
  D:= A + LRot32(D + (C xor (A and (B xor C))) + Data[ 5] + $4787c62a,12);
  C:= D + LRot32(C + (B xor (D and (A xor B))) + Data[ 6] + $a8304613,17);
  B:= C + LRot32(B + (A xor (C and (D xor A))) + Data[ 7] + $fd469501,22);
  A:= B + LRot32(A + (D xor (B and (C xor D))) + Data[ 8] + $698098d8,7);
  D:= A + LRot32(D + (C xor (A and (B xor C))) + Data[ 9] + $8b44f7af,12);
  C:= D + LRot32(C + (B xor (D and (A xor B))) + Data[10] + $ffff5bb1,17);
  B:= C + LRot32(B + (A xor (C and (D xor A))) + Data[11] + $895cd7be,22);
  A:= B + LRot32(A + (D xor (B and (C xor D))) + Data[12] + $6b901122,7);
  D:= A + LRot32(D + (C xor (A and (B xor C))) + Data[13] + $fd987193,12);
  C:= D + LRot32(C + (B xor (D and (A xor B))) + Data[14] + $a679438e,17);
  B:= C + LRot32(B + (A xor (C and (D xor A))) + Data[15] + $49b40821,22);

  A:= B + LRot32(A + (C xor (D and (B xor C))) + Data[ 1] + $f61e2562,5);
  D:= A + LRot32(D + (B xor (C and (A xor B))) + Data[ 6] + $c040b340,9);
  C:= D + LRot32(C + (A xor (B and (D xor A))) + Data[11] + $265e5a51,14);
  B:= C + LRot32(B + (D xor (A and (C xor D))) + Data[ 0] + $e9b6c7aa,20);
  A:= B + LRot32(A + (C xor (D and (B xor C))) + Data[ 5] + $d62f105d,5);
  D:= A + LRot32(D + (B xor (C and (A xor B))) + Data[10] + $02441453,9);
  C:= D + LRot32(C + (A xor (B and (D xor A))) + Data[15] + $d8a1e681,14);
  B:= C + LRot32(B + (D xor (A and (C xor D))) + Data[ 4] + $e7d3fbc8,20);
  A:= B + LRot32(A + (C xor (D and (B xor C))) + Data[ 9] + $21e1cde6,5);
  D:= A + LRot32(D + (B xor (C and (A xor B))) + Data[14] + $c33707d6,9);
  C:= D + LRot32(C + (A xor (B and (D xor A))) + Data[ 3] + $f4d50d87,14);
  B:= C + LRot32(B + (D xor (A and (C xor D))) + Data[ 8] + $455a14ed,20);
  A:= B + LRot32(A + (C xor (D and (B xor C))) + Data[13] + $a9e3e905,5);
  D:= A + LRot32(D + (B xor (C and (A xor B))) + Data[ 2] + $fcefa3f8,9);
  C:= D + LRot32(C + (A xor (B and (D xor A))) + Data[ 7] + $676f02d9,14);
  B:= C + LRot32(B + (D xor (A and (C xor D))) + Data[12] + $8d2a4c8a,20);

  A:= B + LRot32(A + (B xor C xor D) + Data[ 5] + $fffa3942,4);
  D:= A + LRot32(D + (A xor B xor C) + Data[ 8] + $8771f681,11);
  C:= D + LRot32(C + (D xor A xor B) + Data[11] + $6d9d6122,16);
  B:= C + LRot32(B + (C xor D xor A) + Data[14] + $fde5380c,23);
  A:= B + LRot32(A + (B xor C xor D) + Data[ 1] + $a4beea44,4);
  D:= A + LRot32(D + (A xor B xor C) + Data[ 4] + $4bdecfa9,11);
  C:= D + LRot32(C + (D xor A xor B) + Data[ 7] + $f6bb4b60,16);
  B:= C + LRot32(B + (C xor D xor A) + Data[10] + $bebfbc70,23);
  A:= B + LRot32(A + (B xor C xor D) + Data[13] + $289b7ec6,4);
  D:= A + LRot32(D + (A xor B xor C) + Data[ 0] + $eaa127fa,11);
  C:= D + LRot32(C + (D xor A xor B) + Data[ 3] + $d4ef3085,16);
  B:= C + LRot32(B + (C xor D xor A) + Data[ 6] + $04881d05,23);
  A:= B + LRot32(A + (B xor C xor D) + Data[ 9] + $d9d4d039,4);
  D:= A + LRot32(D + (A xor B xor C) + Data[12] + $e6db99e5,11);
  C:= D + LRot32(C + (D xor A xor B) + Data[15] + $1fa27cf8,16);
  B:= C + LRot32(B + (C xor D xor A) + Data[ 2] + $c4ac5665,23);

  A:= B + LRot32(A + (C xor (B or (not D))) + Data[ 0] + $f4292244,6);
  D:= A + LRot32(D + (B xor (A or (not C))) + Data[ 7] + $432aff97,10);
  C:= D + LRot32(C + (A xor (D or (not B))) + Data[14] + $ab9423a7,15);
  B:= C + LRot32(B + (D xor (C or (not A))) + Data[ 5] + $fc93a039,21);
  A:= B + LRot32(A + (C xor (B or (not D))) + Data[12] + $655b59c3,6);
  D:= A + LRot32(D + (B xor (A or (not C))) + Data[ 3] + $8f0ccc92,10);
  C:= D + LRot32(C + (A xor (D or (not B))) + Data[10] + $ffeff47d,15);
  B:= C + LRot32(B + (D xor (C or (not A))) + Data[ 1] + $85845dd1,21);
  A:= B + LRot32(A + (C xor (B or (not D))) + Data[ 8] + $6fa87e4f,6);
  D:= A + LRot32(D + (B xor (A or (not C))) + Data[15] + $fe2ce6e0,10);
  C:= D + LRot32(C + (A xor (D or (not B))) + Data[ 6] + $a3014314,15);
  B:= C + LRot32(B + (D xor (C or (not A))) + Data[13] + $4e0811a1,21);
  A:= B + LRot32(A + (C xor (B or (not D))) + Data[ 4] + $f7537e82,6);
  D:= A + LRot32(D + (B xor (A or (not C))) + Data[11] + $bd3af235,10);
  C:= D + LRot32(C + (A xor (D or (not B))) + Data[ 2] + $2ad7d2bb,15);
  B:= C + LRot32(B + (D xor (C or (not A))) + Data[ 9] + $eb86d391,21);

  Inc(CurrentHash[0],A);
  Inc(CurrentHash[1],B);
  Inc(CurrentHash[2],C);
  Inc(CurrentHash[3],D);
  Index:= 0;
  FillChar(HashBuffer,Sizeof(HashBuffer),0);
end;

class function TDCP_md5.GetHashSize: longint;
begin
  Result:= 128;
end;

class function TDCP_md5.GetId: longint;
begin
  Result:= DCP_md5;
end;

class function TDCP_md5.GetAlgorithm: string;
begin
  Result:= 'MD5';
end;

class function TDCP_md5.SelfTest: boolean;
const
  Test1Out: array[0..15] of byte=
    ($90,$01,$50,$98,$3c,$d2,$4f,$b0,$d6,$96,$3f,$7d,$28,$e1,$7f,$72);
  Test2Out: array[0..15] of byte=
    ($c3,$fc,$d3,$d7,$61,$92,$e4,$00,$7d,$fb,$49,$6c,$ca,$67,$e1,$3b);
var
  TestHash: TDCP_md5;
  TestOut: array[0..19] of byte;
begin
  TestHash:= TDCP_md5.Create(nil);
  TestHash.Init;
  TestHash.UpdateStr('abc');
  TestHash.Final(TestOut);
  Result:= CompareMemory(@TestOut,@Test1Out,Sizeof(Test1Out));
  TestHash.Init;
  TestHash.UpdateStr('abcdefghijklmnopqrstuvwxyz');
  TestHash.Final(TestOut);
  Result:= CompareMemory(@TestOut,@Test2Out,Sizeof(Test2Out)) and Result;
  TestHash.Free;
end;

procedure TDCP_md5.Init;
begin
  Burn;
  CurrentHash[0]:= $67452301;
  CurrentHash[1]:= $efcdab89;
  CurrentHash[2]:= $98badcfe;
  CurrentHash[3]:= $10325476;
  fInitialized:= true;
end;

procedure TDCP_md5.Burn;
begin
  LenHi:= 0; LenLo1:= 0; LenLo2:= 0;
  Index:= 0;
  FillChar(HashBuffer,Sizeof(HashBuffer),0);
  FillChar(CurrentHash,Sizeof(CurrentHash),0);
  fInitialized:= false;
end;

procedure TDCP_md5.Update(const Buffer; Size: longint);
var
  PBuf: ^byte;
begin
  if not fInitialized then
    raise EDCP_hash.Create('Hash not initialized');

  { I wish Borland had included an unsigned 32bit from the start }
  Inc(LenLo1,(Size shl 3) and $FFFF);
  if LenLo1< ((Size shl 3) and $FFFF) then
  begin
    Inc(LenLo2);
    if LenLo2= 0 then
      Inc(LenHi);
  end;
  Inc(LenLo2,Size shr 13);
  if LenLo2< ((Size shr 13) and $FFFF) then
    Inc(LenHi);
  Inc(LenHi,Size shr 29);

  PBuf:= @Buffer;
  while Size> 0 do
  begin
    if (Sizeof(HashBuffer)-Index)<= DWord(Size) then
    begin
      Move(PBuf^,HashBuffer[Index],Sizeof(HashBuffer)-Index);
      Dec(Size,Sizeof(HashBuffer)-Index);
      Inc(PBuf,Sizeof(HashBuffer)-Index);
      Compress;
    end
    else
    begin
      Move(PBuf^,HashBuffer[Index],Size);
      Inc(Index,Size);
      Size:= 0;
    end;
  end;
end;

procedure TDCP_md5.Final(var Digest);
begin
  if not fInitialized then
    raise EDCP_hash.Create('Hash not initialized');
  HashBuffer[Index]:= $80;
  if Index>= 56 then
    Compress;
  PDWord(@HashBuffer[56])^:= LenLo1 or (longint(LenLo2) shl 16);
  PDWord(@HashBuffer[60])^:= LenHi;
  Compress;
  Move(CurrentHash,Digest,Sizeof(CurrentHash));
  Burn;
end;

initialization
//  RegisterClass(TDCP_md5);
  DCPreghash(TDCP_md5);

end.
2013-6-21 09:18
0
游客
登录 | 注册 方可回帖
返回
//