2014-05-06 14:41 45,056 rsa_genkey.exe
2014-05-06 16:55 16,384 PatchRSAKey.exe
2014-05-07 00:16 28,672 Keygen4CM360.exe
1. rsa_genkey.exe
=================
A lightly modified build of PolarSSL's rsa_genkey sample. It generates a 512-bit key pair; PolarSSL writes every value in hex, so "E = 25" is e = 0x25 = 37. Because PatchRSAKey replaces only N in the target, this exponent has to be the one the target already uses:
Public Key
----------
N = 860A7AB35B950C7DD9A487D246590B3827DD83C9FE3C28B635B3D0B947907030C9FC1090D6F9E35E937F254B0207695A76D0003E4BEA6C85D674A81C71963EFF
E = 25
Private Key
-----------
N = 860A7AB35B950C7DD9A487D246590B3827DD83C9FE3C28B635B3D0B947907030C9FC1090D6F9E35E937F254B0207695A76D0003E4BEA6C85D674A81C71963EFF
E = 25
D = 53529F4CE5E707C3DA5184DCA845307CDA82C78B66AFC647C08488AA866E8AECF57802A668A654647BD2EB27E6D67BF5C5BB7210D37DCC7A15C7BBF2E119D3E5
P = F6E7349ED26DA41C8E6F8D746728FD24B7CC53439546B8D348486F98E80136D5
Q = 8AFAC16BE1C374B6A20A33CE114299AA5F883843D1B7F05254DFC760FE127083
DP = 64188AF447788EA3CB0AA1215A410CAE0552D5A5C6E551D91D4DCC60956846A9
DQ = 7BF467526192A65DB31DDB2D6957136E70E146F06119ACD3CF28738DDBAF94C7
QP = 9B4B22409E6B51ADC0B6E53BA5B7934E0E223CEE52CA611ABA098A58095E4ED1
2. PatchRSAKey.exe
==================
Run the target first, then run this tool. Sample output (I only tested it in a Windows XP SP3 VM):
PatchRSAKey.exe
---------------
A RSA Public Key Modulus Patcher for 360CrackMe
by MistHill, 05/05/2014
Target Process ID: 1796
Target Thread ID: 1780
Target Process Handle: 000007CC
Target Module Name: C:\Temp\52T253719\360CrackMe.exe
Modules List in target process:
00400000 C:\Temp\52T253719\360CrackMe.exe
7C920000 C:\WINDOWS\system32\ntdll.dll
7C800000 C:\WINDOWS\system32\kernel32.dll
77D10000 C:\WINDOWS\system32\USER32.dll
77EF0000 C:\WINDOWS\system32\GDI32.dll
76300000 C:\WINDOWS\system32\IMM32.DLL
77DA0000 C:\WINDOWS\system32\ADVAPI32.dll
77E50000 C:\WINDOWS\system32\RPCRT4.dll
77FC0000 C:\WINDOWS\system32\Secur32.dll
62C20000 C:\WINDOWS\system32\LPK.DLL
73FA0000 C:\WINDOWS\system32\USP10.dll
762F0000 C:\WINDOWS\system32\MSIMG32.dll
72F70000 C:\WINDOWS\system32\WINSPOOL.DRV
77BE0000 C:\WINDOWS\system32\msvcrt.dll
7D590000 C:\WINDOWS\system32\SHELL32.dll
77F40000 C:\WINDOWS\system32\SHLWAPI.dll
77180000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
5ADC0000 C:\WINDOWS\system32\UxTheme.dll
76990000 C:\WINDOWS\system32\ole32.dll
770F0000 C:\WINDOWS\system32\OLEAUT32.dll
74C90000 C:\WINDOWS\system32\oledlg.dll
4AE90000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22791_x-ww_c8dff154\gdiplus.dll
61880000 C:\WINDOWS\system32\OLEACC.dll
76B10000 C:\WINDOWS\system32\WINMM.dll
74680000 C:\WINDOWS\system32\MSCTF.dll
73640000 C:\WINDOWS\system32\msctfime.ime
68000000 C:\WINDOWS\system32\rsaenh.dll
759D0000 C:\WINDOWS\system32\USERENV.dll
5FDD0000 C:\WINDOWS\system32\netapi32.dll
765E0000 C:\WINDOWS\system32\CRYPT32.dll
76DB0000 C:\WINDOWS\system32\MSASN1.dll
Target Imagebase: 00400000
Address of exported function "LSG" in "bitchDll.dll":
51D51F20
Module Imagebase of "bitchDll.dll":
51D50000
Target's RSA public key (N):
8566E66A9FAACDEAA74E77A674331C7A6E086A31C6EC837D2D8196432B7B5561A95F9E7A330866F8F8427567B8C30A8923F89572DCAB5575F2B19203B7EB6745
*** Patching succeeded! ***
You can use my keygen to create "Password" now.
Have fun!!!
3. Keygen4CM360.exe
===================
Computes the Password from a username:
SYNTAX:
"Keygen4CM360.exe" Username
Keygen4CM360.exe MistHill
-------------------------
Keygen for 360CrackMe
By MistHill, build 422.332
Ciphertext (Size: 0x40)
0A 54 44 39 EB EF 0B 3D 1D 37 B6 06 CB 5F D0 51
02 35 0A 56 A4 DC DD A5 B1 59 C9 E0 94 5C FB AF
FC A3 AF 50 A5 68 86 35 D5 3A 5F 5A CE 11 49 5C
53 02 70 C7 9C 58 95 85 E7 4E 0F 11 14 34 86 48
Base64 Encoded as: length=88
ClREOevvCz0dN7YGy1/QUQI1Clak3N2lsVnJ4JRc+6/8o69QpWiGNdU6X1rOEUlcUwJwx5xYlYXnTg8RFDSGSA==
*** RESULT ***
Username: MistHill
Password: 436c52454f657676437a30644e37594779312f5155514931436c616b334e326c73566e4a344a52632b362f386f363951705769474e6455365831724f45556c6355774a77783578596c59586e546738524644534753413d3d
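The numbers above fit together: the 0x40-byte block is base64-encoded (88 characters), and the Password is the lowercase hex of that base64 text ("43 6c 52 45" is "ClRE"). What the keygen feeds into the private operation for a given username is not shown on this page, so the check below stops at the key and the encoding. This is an added example, not the author's rsa_genkey/Keygen4CM360 code; every constant is copied from sections 1 and 3 of this page, only the helper names are mine.

```python
# Added example (not the write-up's own code): re-checks the rsa_genkey.exe
# key material from section 1 and the Password encoding from section 3.
import base64
import binascii

# Section 1 key pair. PolarSSL prints every value in hex, so E = 0x25 = 37.
N = int("860A7AB35B950C7DD9A487D246590B3827DD83C9FE3C28B635B3D0B947907030"
        "C9FC1090D6F9E35E937F254B0207695A76D0003E4BEA6C85D674A81C71963EFF", 16)
E = 0x25
D = int("53529F4CE5E707C3DA5184DCA845307CDA82C78B66AFC647C08488AA866E8AEC"
        "F57802A668A654647BD2EB27E6D67BF5C5BB7210D37DCC7A15C7BBF2E119D3E5", 16)
P = int("F6E7349ED26DA41C8E6F8D746728FD24B7CC53439546B8D348486F98E80136D5", 16)
Q = int("8AFAC16BE1C374B6A20A33CE114299AA5F883843D1B7F05254DFC760FE127083", 16)
DP = int("64188AF447788EA3CB0AA1215A410CAE0552D5A5C6E551D91D4DCC60956846A9", 16)
DQ = int("7BF467526192A65DB31DDB2D6957136E70E146F06119ACD3CF28738DDBAF94C7", 16)
QP = int("9B4B22409E6B51ADC0B6E53BA5B7934E0E223CEE52CA611ABA098A58095E4ED1", 16)

# Section 3: the 64-byte block Keygen4CM360 printed for username "MistHill",
# plus the base64 text and the Password it printed for the same run.
CIPHERTEXT = bytes.fromhex(
    "0A544439EBEF0B3D1D37B606CB5FD05102350A56A4DCDDA5B159C9E0945CFBAF"
    "FCA3AF50A5688635D53A5F5ACE11495C530270C79C589585E74E0F1114348648")
PAGE_BASE64 = ("ClREOevvCz0dN7YGy1/QUQI1Clak3N2lsVnJ4JRc+6/8o69QpWiGNdU6X1rO"
               "EUlcUwJwx5xYlYXnTg8RFDSGSA==")
PAGE_PASSWORD = ("436c52454f657676437a30644e37594779312f5155514931436c616b"
                 "334e326c73566e4a344a52632b362f386f363951705769474e645536"
                 "5831724f45556c6355774a77783578596c59586e5467385246445347"
                 "53413d3d")


def key_is_consistent():
    """Check the printed key the way PolarSSL 1.x defines it:
    n = p*q, d = e^-1 mod (p-1)(q-1), dp = d mod (p-1), dq = d mod (q-1),
    qp = q^-1 mod p."""
    phi = (P - 1) * (Q - 1)
    return {
        "n_is_pq": N == P * Q,
        "d_inverts_e": (D * E) % phi == 1,
        "dp": DP == D % (P - 1),
        "dq": DQ == D % (Q - 1),
        "qp": QP == pow(Q, -1, P),
    }


def rsa_round_trip(block):
    """Public exponent then private exponent on a 64-byte block.
    True means (N, E, D) really are a matching pair."""
    c = int.from_bytes(block, "big")
    if c >= N:
        raise ValueError("block must be smaller than the modulus")
    m = pow(c, E, N)
    return pow(m, D, N) == c


def encode_password(block):
    """Password = lowercase hex of the ASCII bytes of base64(block)."""
    b64 = base64.b64encode(block)
    return b64.decode("ascii"), binascii.hexlify(b64).decode("ascii")


def decode_password(password_hex):
    """Inverse: Password -> base64 text -> raw 64-byte RSA block."""
    b64 = binascii.unhexlify(password_hex)
    return base64.b64decode(b64, validate=True)


if __name__ == "__main__":
    print("key checks:", key_is_consistent())
    print("round trip ok:", rsa_round_trip(CIPHERTEXT))
    b64, pw = encode_password(CIPHERTEXT)
    print("base64 matches page:", b64 == PAGE_BASE64, "len", len(b64))
    print("password matches page:", pw == PAGE_PASSWORD)
```

Run it and the page's own values come back: base64 of the printed block is the printed 88-character string, its hex is the printed Password, and the block survives a public-then-private round trip under the printed key. Replacing N inside the running target with this N is what lets a password built with this D pass the target's check; the check itself never verifies where its modulus came from.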
/*
File: "ByPassCreatingProcess.osc"
Author: MistHill
Version: 1.4.0.647
Created: 17:07:21 2014-04-23
*/
// ODbgScript to bypass the self-debugging trick in 360CrackMe (see the
// disassembly of 00401CC0 below). The target calls CreateMutexW("hmily") and
// then GetLastError(): the instance that gets 0 re-launches itself with
// DEBUG_PROCESS and sits in a WaitForDebugEvent loop, the instance that gets
// ERROR_ALREADY_EXISTS (0xB7) jumps to 00401E60 and starts the worker thread
// at 00401BC0. Forcing 0xB7 in the first instance skips the CreateProcessW path.
history 0
lclr
bpmc
bphwc
bc
var OEP
var PatchAddr
mov OEP, 00527392
mov PatchAddr, 00401D67
bphws OEP, "x"
erun
bphwc OEP
/*
00401D67 3D B7000000 CMP EAX, 0xB7 ; patch eax to B7
*/
bphws PatchAddr, "x"
erun
bphwc PatchAddr
mov eax, B7
/*
00401C01 833D 94405B00 01 CMP DWORD PTR [5B4094], 1 ; patch [005B4094]=00000001
*/
// The TLS callback (00401AD0) stored IsDebuggerPresent() in [005B4094]. The
// child is supposed to be debugged by its parent, so the code expects 1 here.
// Read the 4-byte operand of the CMP (the address 005B4094) out of the
// instruction itself instead of hard-coding it, then write 1 there.
mov PatchAddr, [00401C01+2], 4
mov [PatchAddr], 00000001, 4
ret
<0041216C>
0041216C 6A 10 PUSH 0x10
...
004121A9 FF15 0C575500 CALL NEAR DWORD PTR [0x55570C] ; user32.CreateDialogIndirectParamW
0012FD40 00400000 |hInst = 00400000
0012FD44 005BBBD0 |pTemplate = 360Crack.005BBBD0
0012FD48 00000000 |hOwner = NULL
0012FD4C 0041166C |pDlgProc = 360Crack.0041166C
0012FD50 00000000 \lParam = 0x0
...
004121C7 C2 1400 RETN 0x14
</0041216C>
<0041166C>
0041166C 55 PUSH EBP
0041166D 8BEC MOV EBP, ESP ; 0012F7DC
0041166F 817D 0C 10010000 CMP DWORD PTR [EBP+0xC], 0x110
...
00411676 75 2A JNZ SHORT 004116A2
00411678 FF75 08 PUSH DWORD PTR [EBP+0x8] ; hWndMain: 005D0104; Processing WM_INITDIALOG
0041167B E8 AD830000 CALL 00419A2D
00411680 50 PUSH EAX ; 0012FE84
00411681 68 086E5500 PUSH 00556E08
00556E08 00556E00 ASCII "CDialog"
00411686 E8 91CE0000 CALL 0041E51C
0041168B 59 POP ECX
0041168C 59 POP ECX
0041168D 85C0 TEST EAX, EAX ; 0012FE84
0041168F 74 0C JE SHORT 0041169D
00411691 8B10 MOV EDX, DWORD PTR [EAX] ; 00588CFC
00411693 8BC8 MOV ECX, EAX
00411695 FF92 74010000 CALL NEAR DWORD PTR [EDX+0x174] ; 360Crack.00401CC0
0041169B /EB 07 JMP SHORT 004116A4
0041169D |33C0 XOR EAX, EAX
0041169F |40 INC EAX
004116A0 |EB 02 JMP SHORT 004116A4
004116A2 |33C0 XOR EAX, EAX
004116A4 -5D POP EBP
004116A5 C2 1000 RETN 0x10
</0041166C>
<00401CC0>
00401CC0 55 PUSH EBP
00401CC1 8BEC MOV EBP, ESP
00401CC3 83E4 F8 AND ESP, 0xFFFFFFF8
00401CC6 81EC D8020000 SUB ESP, 0x2D8
...
00401D0D 8D8424 C4000000 LEA EAX, DWORD PTR [ESP+0xC4] ; 0012F5B4
00401D14 50 PUSH EAX
00401D15 6A 00 PUSH 0x0
00401D17 0F57C0 XORPS XMM0, XMM0
00401D1A 6A 00 PUSH 0x0
00401D1C C74424 14 00000000 MOV DWORD PTR [ESP+0x14], 0x0
00401D24 660FD6442418 MOVQ [ESP][018], XMM0
00401D2A C74424 20 00000000 MOV DWORD PTR [ESP+0x20], 0x0
00401D32 C78424 D0000000 68006D00 MOV DWORD PTR [ESP+0xD0], 0x6D0068
00401D3D C78424 D4000000 69006C00 MOV DWORD PTR [ESP+0xD4], 006C0069
00401D48 C78424 D8000000 79000000 MOV DWORD PTR [ESP+0xD8], 0x79
00401D53 FF15 48545500 CALL NEAR DWORD PTR [0x555448] ; kernel32.CreateMutexW
0012F4E4 00000000 |pSecurity = NULL
0012F4E8 00000000 |InitialOwner = FALSE
0012F4EC 0012F5B4 \MutexName = "hmily"
00401D59 85C0 TEST EAX, EAX ; 000000BC, handle
00401D5B 0F84 14010000 JE 00401E75
00401D61 FF15 44545500 CALL NEAR DWORD PTR [0x555444] ; ntdll.RtlGetLastWin32Error
00401D67 3D B7000000 CMP EAX, 0xB7 ; 00000000
00401D6C /0F84 EE000000 JE 00401E60
00401D72 |33C0 XOR EAX, EAX
00401D74 |68 06020000 PUSH 0x206
00401D79 |50 PUSH EAX
00401D7A |66:898424 D8000000 MOV WORD PTR [ESP+0xD8], AX
00401D82 |8D8424 DA000000 LEA EAX, DWORD PTR [ESP+0xDA]
00401D89 |50 PUSH EAX
00401D8A |E8 316E1200 CALL 00528BC0 ; memset
00401D8F |6A 40 PUSH 0x40
00401D91 |8D8424 8C000000 LEA EAX, DWORD PTR [ESP+0x8C]
00401D98 |6A 00 PUSH 0x0
00401D9A |50 PUSH EAX
00401D9B |E8 206E1200 CALL 00528BC0 ; memset
00401DA0 |83C4 18 ADD ESP, 0x18
00401DA3 |8D8424 D0000000 LEA EAX, DWORD PTR [ESP+0xD0] ; 0012F5C0
00401DAA |68 08020000 PUSH 0x208
00401DAF |50 PUSH EAX
00401DB0 |6A 00 PUSH 0x0
00401DB2 |C78424 84000000 44000000 MOV DWORD PTR [ESP+0x84], 0x44
00401DBD |FF15 40545500 CALL NEAR DWORD PTR [0x555440] ; kernel32.GetModuleFileNameW
0012F4E4 00000000 |hModule = NULL
0012F4E8 0012F5C0 |PathBuffer = 0012F5C0
0012F4EC 00000208 \BufSize = 208 (520.)
00401DC3 |8D4424 08 LEA EAX, DWORD PTR [ESP+0x8] ; 0012F4F8
00401DC7 |50 PUSH EAX
00401DC8 |8D4424 7C LEA EAX, DWORD PTR [ESP+0x7C] ; 0012F568
00401DCC |50 PUSH EAX
00401DCD |6A 00 PUSH 0x0
00401DCF |6A 00 PUSH 0x0
00401DD1 |6A 01 PUSH 0x1
00401DD3 |6A 00 PUSH 0x0
00401DD5 |6A 00 PUSH 0x0
00401DD7 |6A 00 PUSH 0x0
00401DD9 |6A 00 PUSH 0x0
00401DDB |8D8424 F4000000 LEA EAX, DWORD PTR [ESP+0xF4] ; 0012F5C0 UNICODE "C:\Temp\52T253719\360CrackMe.exe"
00401DE2 |50 PUSH EAX
00401DE3 |FF15 3C545500 CALL NEAR DWORD PTR [0x55543C] ; kernel32.CreateProcessW
0012F4C8 0012F5C0 |ModuleFileName = "C:\Temp\52T253719\360CrackMe.exe"
0012F4CC 00000000 |CommandLine = NULL
0012F4D0 00000000 |pProcessSecurity = NULL
0012F4D4 00000000 |pThreadSecurity = NULL
0012F4D8 00000000 |InheritHandles = FALSE
0012F4DC 00000001 |CreationFlags = DEBUG_PROCESS
0012F4E0 00000000 |pEnvironment = NULL
0012F4E4 00000000 |CurrentDir = NULL
0012F4E8 0012F568 |pStartupInfo = 0012F568
0012F4EC 0012F4F8 \pProcessInfo = 0012F4F8
00401DE9 |85C0 TEST EAX, EAX ; 00000001
00401DEB |0F84 84000000 JE 00401E75
00401DF1 |6A 5C PUSH 0x5C
00401DF3 |8D4424 20 LEA EAX, DWORD PTR [ESP+0x20] ; 0012F50C
00401DF7 |6A 00 PUSH 0x0
00401DF9 |50 PUSH EAX
00401DFA |C74424 24 00000000 MOV DWORD PTR [ESP+0x24], 0x0
00401E02 |E8 B96D1200 CALL 00528BC0 ; memset 0012F50C 00 5C
00401E07 |8B35 38545500 MOV ESI, DWORD PTR [0x555438] ; kernel32.WaitForDebugEvent
00401E0D |83C4 0C ADD ESP, 0xC
00401E10 |8D4424 18 LEA EAX, DWORD PTR [ESP+0x18] ; 0012F508
00401E14 |6A FF PUSH -0x1
00401E16 |50 PUSH EAX
00401E17 |FFD6 CALL NEAR ESI ; kernel32.WaitForDebugEvent
0012F4E4 00401E19 /CALL to WaitForDebugEvent from 360Crack.00401E17
0012F4E8 0012F508 |pDebugEvent = 0012F508
0012F4EC FFFFFFFF \Timeout = INFINITE
00401E19 |85C0 TEST EAX, EAX ; 00000001
00401E1B |74 29 JE SHORT 00401E46
00401E1D |8B3D 34545500 MOV EDI, DWORD PTR [0x555434] ; kernel32.ContinueDebugEvent
00401E23 -|837C24 18 08 CMP DWORD PTR [ESP+0x18], 0x8 ; Stack SS:[0012F508]=00000003, till == 00000008
00401E28 ||74 1C JE SHORT 00401E46
00401E2A ||68 02000100 PUSH 0x10002
00401E2F ||FF7424 24 PUSH DWORD PTR [ESP+0x24]
00401E33 ||FF7424 24 PUSH DWORD PTR [ESP+0x24]
00401E37 ||FFD7 CALL NEAR EDI ; kernel32.ContinueDebugEvent
00401E39 ||6A FF PUSH -0x1
00401E3B ||8D4424 1C LEA EAX, DWORD PTR [ESP+0x1C] ; 0012F508
00401E3F ||50 PUSH EAX
00401E40 ||FFD6 CALL NEAR ESI ; kernel32.WaitForDebugEvent
00401E42 ||85C0 TEST EAX, EAX ; 00000001
00401E44 \|75 DD JNZ SHORT 00401E23 ; loop to wait Sig.
00401E46 |6A 00 PUSH 0x0
00401E48 |FF15 30545500 CALL NEAR DWORD PTR [0x555430] ; kernel32.DebugSetProcessKillOnExit
00401E4E |FF7424 10 PUSH DWORD PTR [ESP+0x10] ; Stack SS:[0012F500]=00000928
00401E52 |FF15 2C545500 CALL NEAR DWORD PTR [0x55542C] ; kernel32.DebugActiveProcessStop
00401E58 |6A 00 PUSH 0x0
00401E5A |FF15 28545500 CALL NEAR DWORD PTR [0x555428] ; kernel32.ExitProcess
00401E60 \6A 00 PUSH 0x0 ; lpThreadId
00401E62 6A 00 PUSH 0x0 ; dwCreationFlags
00401E64 6A 00 PUSH 0x0 ; lpParameter
00401E66 68 C01B4000 PUSH 00401BC0 ; lpStartAddress
00401E6B 6A 00 PUSH 0x0 ; dwStackSize
00401E6D 6A 00 PUSH 0x0 ; lpThreadAttributes
00401E6F FF15 6C545500 CALL NEAR DWORD PTR [0x55546C] ; kernel32.CreateThread
00401E75 8B8C24 DC020000 MOV ECX, DWORD PTR [ESP+0x2DC]
00401E7C 5F POP EDI
00401E7D 5E POP ESI
00401E7E 33CC XOR ECX, ESP
00401E80 B8 01000000 MOV EAX, 0x1
00401E85 E8 12551200 CALL 0052739C
00401E8A 8BE5 MOV ESP, EBP
00401E8C 5D POP EBP
00401E8D C3 RETN
</00401CC0>
TLS CALLBACK Function
=====================
<00401AD0>
00401AD0 833D 90405B00 00 CMP DWORD PTR [0x5B4090], 0x0 ; DS:[005B4090]=00000001
00401AD7 /75 22 JNZ SHORT 00401AFB
00401AD9 |FF15 74545500 CALL NEAR DWORD PTR [0x555474] ; kernel32.IsDebuggerPresent
00401ADF |8B0D 94405B00 MOV ECX, DWORD PTR [0x5B4094]
00401AE5 |BA 01000000 MOV EDX, 0x1
00401AEA |85C0 TEST EAX, EAX
00401AEC |0F45CA CMOVNE ECX, EDX
00401AEF |890D 94405B00 MOV DWORD PTR [0x5B4094], ECX
00401AF5 |8915 90405B00 MOV DWORD PTR [0x5B4090], EDX
00401AFB -C2 0C00 RETN 0xC
</00401AD0>
0040299B E8 20FD1300 CALL 005426C0
upx.exe -d -o bitchDll_UpK.dll bitchDll.dll
upx: bitchDll.dll: CantUnpackException: file is modified/hacked/protected; take care!!!
UPX PackHeader (UPX1HEAD in header.S) as found in bitchDll.dll at 0x3E0; the magic, version and format bytes have been zeroed, which is why UPX reports "file is modified/hacked/protected":
000003DB: 00 00 00 00 00 "x.xx" ASCII Version ? (probably 1.25)
000003E0: 00 00 00 00 UPX_MAGIC_LE32
000003E4: 00 00 02 0A version: ?; format: ?; method: 02 = M_NRV2B_LE32; level: 0A
000003E8: 288A71D6 uncompressed adler32
000003EC: 345AD7C2 compressed adler32
000003F0: 0002F141 uncompressed length
000003F4: 00010777 compressed length
000003F8: 00028400 original file size (not including Overlay!)
000003FC: 26 0C 00 CB filter id: 26; filter cto: 0C; unused: 00; header checksum: CB
Restored values (the header checksum byte CB is only correct with these bytes in place):
000003DB: 31 2E 32 35 00 "1.25" ASCII Version
000003E0: 55 50 58 21 UPX_MAGIC_LE32: "UPX!" (55 50 58 21)
000003E4: 0D 09 version 0D = all; format 09 = UPX_F_WIN32_PE
upx: bitchDll.dll: CantUnpackException: unexpected value in the PE header
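The header checksum is what confirms the reconstruction above: UPX stores, in the last byte of the PackHeader, the sum of every header byte after the magic (excluding the checksum byte itself) modulo 251. With version 0D and format 09 put back, the bytes dumped above sum to 0xCB, exactly the stored byte; with any other version byte they do not. The parser below is an added example, not part of the write-up or of UPX; the field layout and checksum rule follow UPX's packhead.cpp for Win32 PE targets, and the header bytes are constructed from the dump above.

```python
# Added example (not from the write-up or from UPX): parse and repair the
# 32-byte PackHeader that UPX writes for Win32 PE files, using the damaged
# header dumped from bitchDll.dll above. Layout and checksum follow packhead.cpp.
import struct

UPX_MAGIC = b"UPX!"
UPX_F_WIN32_PE = 9

# Header as found at 0x3E0: magic, version and format zeroed by the protector.
# Constructed here from the dump; the 32-bit fields are little-endian.
DAMAGED = (b"\x00\x00\x00\x00"                         # magic, wiped
           + b"\x00\x00\x02\x0A"                       # version/format wiped; method 2, level 10
           + struct.pack("<IIIII", 0x288A71D6,         # uncompressed adler32
                                   0x345AD7C2,         # compressed adler32
                                   0x0002F141,         # uncompressed length
                                   0x00010777,         # compressed length
                                   0x00028400)         # original file size
           + b"\x26\x0C\x00\xCB")                      # filter, filter cto, unused, checksum


def packheader_checksum(hdr):
    """UPX rule: sum of bytes 4..30 (after the magic, before the checksum), mod 251."""
    return sum(hdr[4:-1]) % 251


def parse_packheader(hdr):
    """Decode the Win32 PE PackHeader fields and say whether magic and checksum hold."""
    if len(hdr) != 32:
        raise ValueError("Win32 PE PackHeader is 32 bytes")
    version, fmt, method, level = hdr[4:8]
    u_adler, c_adler, u_len, c_len, u_file_size = struct.unpack_from("<IIIII", hdr, 8)
    return {
        "magic_ok": hdr[:4] == UPX_MAGIC,
        "version": version, "format": fmt, "method": method, "level": level,
        "u_adler": u_adler, "c_adler": c_adler,
        "u_len": u_len, "c_len": c_len, "u_file_size": u_file_size,
        "filter": hdr[28], "filter_cto": hdr[29],
        "checksum": hdr[31],
        "checksum_ok": packheader_checksum(hdr) == hdr[31],
    }


def restore_packheader(hdr, version=0x0D, fmt=UPX_F_WIN32_PE):
    """Put back the bytes the protector wiped. The stored checksum can then be
    used as the oracle for whether the guessed version/format are right."""
    fixed = bytearray(hdr)
    fixed[0:4] = UPX_MAGIC
    fixed[4] = version
    fixed[5] = fmt
    return bytes(fixed)


def find_packheaders(data):
    """Offsets in a file image whose 32 bytes carry the magic and a valid checksum."""
    hits = []
    i = data.find(UPX_MAGIC)
    while i != -1:
        cand = data[i:i + 32]
        if len(cand) == 32 and packheader_checksum(cand) == cand[31]:
            hits.append(i)
        i = data.find(UPX_MAGIC, i + 1)
    return hits


if __name__ == "__main__":
    print("as found:", parse_packheader(DAMAGED))
    fixed = restore_packheader(DAMAGED)
    print("restored:", parse_packheader(fixed))
    for v in (0x0C, 0x0D, 0x0E):
        ok = parse_packheader(restore_packheader(DAMAGED, version=v))["checksum_ok"]
        print("version %02X: checksum %s" % (v, "matches" if ok else "does not match"))
```

A scan with find_packheaders over a whole image is the quick way to tell a stripped header from a genuinely absent one: a packer that only wipes the magic leaves the adler32 values, lengths and checksum intact, so the header can be put back with a handful of bytes, as here. The second error UPX then printed, "unexpected value in the PE header", is a separate check at the PE level and is not something the PackHeader repair can fix.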