Preface:
Programs that use the ElGamal public-key algorithm, which rests on the DLP (Discrete Logarithm Problem), as their registration check are rarely seen, so this example is offered as a study of one.
For ElGamal, see:
http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
This site's own tutorial also covers it: http://www.pediy.com/tutorial/chap6/Chap6-3-3.htm
as does the book "Encryption and Decryption, 2nd edition" (加密与解密(第二版)).
For FGInt, see:
http://triade.studentenweb.org/GInt/gint.html
In short, it is a Delphi library that implements big-number arithmetic and several public-key algorithms.
Software description:
Official Site: http://www.solid-programs.com/
Introduction: Solid Encryption's One-Time Pad (OTP) encryption a.k.a. infinite key cryptography is absolutely unbreakable if used correctly.
This encryption algorithm is well known and has been used for a long time by various intelligence agencies.
When no mistakes were made it has survived unbroken even when the resources of great world powers have been employed to break it.
Unlike most encryption schemes today, not only can you be certain that your communications will not be decoded this year,
but that your secrets are safe for eternity.
PEiD reports no packer and identifies the program as written in Delphi. The Krypto ANALyzer plugin recognises the RIPEMD-160 hash and FGInt's ElGamalVerify function, which gives us a rough picture of the algorithms used in the program. Some people say the KANAL plugin is not always accurate and misses some algorithms, but it is only an auxiliary tool.
My habit with a new program is, if it is not packed, to run this plugin and see which algorithms it contains; it can even recognise some crypto libraries, such as MIRACL and FGInt. That way you at least have a rough idea of which algorithms are present, even though they are not necessarily the ones used for the registration check.
Next, decompile the main program with DeDe. DeDe's unit information confirms that the program uses FGInt and FGIntElGamal, and also DCP, a crypto library that is widely used in Delphi programs.
We can find RegForm, which has a RegButtonClick event; a quick look shows that the registration check lives there. Import the map file exported by DeDe into OllyDbg.
There are at least two ways to locate the registration check: DeDe shows the address of the event handler directly, or you can search the referenced strings in OllyDbg for strings related to registration. In this case both methods work.
Alternatively, after downloading and compiling FGInt, build a signature file from it and apply it in IDA, which will recognise some of FGInt's functions.
0047D2BC <>/. 55 push ebp ; <-TRegForm@RegButtonClick
0047D2BD |. 8BEC mov ebp,esp
0047D2BF |. 33C9 xor ecx,ecx
0047D2C1 |. 51 push ecx
0047D2C2 |. 51 push ecx
0047D2C3 |. 51 push ecx
0047D2C4 |. 51 push ecx
0047D2C5 |. 51 push ecx
0047D2C6 |. 51 push ecx
0047D2C7 |. 51 push ecx
0047D2C8 |. 53 push ebx
0047D2C9 |. 56 push esi
0047D2CA |. 8BD8 mov ebx,eax
0047D2CC |. BE 684D4800 mov esi,OTP.00484D68
0047D2D1 |. 33C0 xor eax,eax
0047D2D3 |. 55 push ebp
0047D2D4 |. 68 C5D34700 push <OTP.->System.@HandleFinally;>
0047D2D9 |. 64:FF30 push dword ptr fs:[eax]
0047D2DC |. 64:8920 mov dword ptr fs:[eax],esp
0047D2DF |. 8BC3 mov eax,ebx
0047D2E1 <>|. E8 16FEFFFF call <OTP.<-TRegForm@WriteCodeIni> ; ->:TRegForm.WriteCodeIni()
0047D2E6 |. 8BC3 mov eax,ebx ; writes the registration info to code.ini, irrelevant here
0047D2E8 |. E8 33060000 call OTP.0047D920
0047D2ED |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0047D2F0 |. 8B06 mov eax,dword ptr ds:[esi]
0047D2F2 <>|. 8B80 1C0300>mov eax,dword ptr ds:[eax+31C] ; *EditSerial:TEdit
0047D2F8 <>|. E8 CF84FCFF call OTP.004457CC ; ->Controls.TControl.GetText(TControl):TCaption;
0047D2FD |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0047D300 |. 50 push eax
0047D301 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0047D304 |. 8B06 mov eax,dword ptr ds:[esi]
0047D306 <>|. 8B80 080300>mov eax,dword ptr ds:[eax+308] ; *EditName:TEdit
0047D30C <>|. E8 BB84FCFF call OTP.004457CC ; ->Controls.TControl.GetText(TControl):TCaption;
0047D311 |. FF75 F4 push dword ptr ss:[ebp-C]
0047D314 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0047D317 |. 8B06 mov eax,dword ptr ds:[esi]
0047D319 <>|. 8B80 0C0300>mov eax,dword ptr ds:[eax+30C] ; *EditAdr1:TEdit
0047D31F <>|. E8 A884FCFF call OTP.004457CC ; ->Controls.TControl.GetText(TControl):TCaption;
0047D324 |. FF75 F0 push dword ptr ss:[ebp-10]
0047D327 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
0047D32A |. 8B06 mov eax,dword ptr ds:[esi]
0047D32C <>|. 8B80 100300>mov eax,dword ptr ds:[eax+310] ; *EditAdr2:TEdit
0047D332 <>|. E8 9584FCFF call OTP.004457CC ; ->Controls.TControl.GetText(TControl):TCaption;
0047D337 |. FF75 EC push dword ptr ss:[ebp-14]
0047D33A |. 6A 00 push 0
0047D33C |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0047D33F |. 8B06 mov eax,dword ptr ds:[esi]
0047D341 <>|. 8B80 140300>mov eax,dword ptr ds:[eax+314] ; *EditCountry:TEdit
0047D347 <>|. E8 8084FCFF call OTP.004457CC ; ->Controls.TControl.GetText(TControl):TCaption;
0047D34C |. FF75 E8 push dword ptr ss:[ebp-18]
0047D34F |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0047D352 |. 8B06 mov eax,dword ptr ds:[esi]
0047D354 <>|. 8B80 180300>mov eax,dword ptr ds:[eax+318] ; *EditEmail:TEdit
0047D35A <>|. E8 6D84FCFF call OTP.004457CC ; ->Controls.TControl.GetText(TControl):TCaption;
0047D35F |. FF75 E4 push dword ptr ss:[ebp-1C]
0047D362 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0047D365 |. BA 06000000 mov edx,6
0047D36A <>|. E8 9574F8FF call OTP.00404804 ; ->System.@LStrCatN;
0047D36F |. 8B55 F8 mov edx,dword ptr ss:[ebp-8] ;
0047D372 |. 8BC3 mov eax,ebx ;
0047D374 |. 59 pop ecx
0047D375 |. E8 C6020000 call OTP.0047D640 ; this is the verification routine
0047D37A |. 84C0 test al,al
0047D37C |. 74 17 je short OTP.0047D395
0047D37E |. A1 E4314800 mov eax,dword ptr ds:[4831E4]
0047D383 |. 8B00 mov eax,dword ptr ds:[eax]
0047D385 |. B2 01 mov dl,1
0047D387 |. 8B08 mov ecx,dword ptr ds:[eax]
0047D389 |. FF51 64 call dword ptr ds:[ecx+64]
0047D38C |. 8BC3 mov eax,ebx
0047D38E <>|. E8 694DFEFF call OTP.004620FC ; ->Forms.TCustomForm.Close(TCustomForm);
0047D393 |. EB 15 jmp short OTP.0047D3AA
0047D395 |> 6A 00 push 0 ; /Arg1 = 00000000
0047D397 |. 66:8B0D D4D>mov cx,word ptr ds:[47D3D4] ; |
0047D39E |. B2 01 mov dl,1 ; |
0047D3A0 |. B8 E0D34700 mov eax,OTP.0047D3E0 ; |ASCII "Incorrect registration, please try again."
0047D3A5 |. E8 4213FCFF call OTP.0043E6EC ; \OTP.0043E6EC
0047D3AA |> 33C0 xor eax,eax ; "incorrect registration" message shown above
0047D3AC |. 5A pop edx
0047D3AD |. 59 pop ecx
0047D3AE |. 59 pop ecx
0047D3AF |. 64:8910 mov dword ptr fs:[eax],edx
0047D3B2 |. 68 CCD34700 push OTP.0047D3CC
0047D3B7 |> 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
0047D3BA |. BA 07000000 mov edx,7
0047D3BF <>|. E8 EC70F8FF call OTP.004044B0 ; ->System.@LStrArrayClr(void;void;Integer);
0047D3C4 \. C3 retn
0047D640 /$ 55 push ebp
0047D641 |. 8BEC mov ebp,esp
0047D643 |. 83C4 C4 add esp,-3C
0047D646 |. 53 push ebx
0047D647 |. 56 push esi
0047D648 |. 33DB xor ebx,ebx
0047D64A |. 895D C4 mov dword ptr ss:[ebp-3C],ebx
0047D64D |. 895D C8 mov dword ptr ss:[ebp-38],ebx
0047D650 |. 895D CC mov dword ptr ss:[ebp-34],ebx
0047D653 |. 895D D0 mov dword ptr ss:[ebp-30],ebx
0047D656 |. 895D D4 mov dword ptr ss:[ebp-2C],ebx
0047D659 |. 895D DC mov dword ptr ss:[ebp-24],ebx
0047D65C |. 895D D8 mov dword ptr ss:[ebp-28],ebx
0047D65F |. 894D F8 mov dword ptr ss:[ebp-8],ecx
0047D662 |. 8955 FC mov dword ptr ss:[ebp-4],edx
0047D665 |. 8BF0 mov esi,eax
0047D667 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0047D66A |. E8 BD72F8FF call OTP.0040492C
0047D66F |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0047D672 |. E8 B572F8FF call OTP.0040492C
0047D677 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0047D67A |. 8B15 94A447>mov edx,dword ptr ds:[47A494] ; OTP.0047A498
0047D680 |. E8 2F78F8FF call OTP.00404EB4
0047D685 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0047D688 |. 8B15 94A447>mov edx,dword ptr ds:[47A494] ; OTP.0047A498
0047D68E |. E8 2178F8FF call OTP.00404EB4
0047D693 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20]
0047D696 |. 8B15 94A447>mov edx,dword ptr ds:[47A494] ; OTP.0047A498
0047D69C |. E8 1378F8FF call OTP.00404EB4
0047D6A1 |. 33C0 xor eax,eax
0047D6A3 |. 55 push ebp
0047D6A4 |. 68 C5D74700 push OTP.0047D7C5
0047D6A9 |. 64:FF30 push dword ptr fs:[eax]
0047D6AC |. 64:8920 mov dword ptr fs:[eax],esp
0047D6AF |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0047D6B2 |. E8 8D70F8FF call OTP.00404744
0047D6B7 |. 83F8 05 cmp eax,5 ; serial length must be at least 5 (cmp eax,5 / jge)
0047D6BA |. 7D 07 jge short OTP.0047D6C3
0047D6BC |. 33DB xor ebx,ebx
0047D6BE |. E9 C7000000 jmp OTP.0047D78A
0047D6C3 |> 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0047D6C6 |. BA DCD74700 mov edx,OTP.0047D7DC ; ASCII "CECDCECCCAC6CDCBCDCCCECFCF"
0047D6CB |. 8BC6 mov eax,esi
0047DB18 /$ 55 push ebp
0047DB19 |. 8BEC mov ebp,esp
0047DB1B |. 83C4 F8 add esp,-8
0047DB1E |. 53 push ebx
0047DB1F |. 56 push esi
0047DB20 |. 57 push edi
0047DB21 |. 33DB xor ebx,ebx
0047DB23 |. 895D F8 mov dword ptr ss:[ebp-8],ebx
0047DB26 |. 8BF9 mov edi,ecx
0047DB28 |. 8955 FC mov dword ptr ss:[ebp-4],edx
0047DB2B |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0047DB2E |. E8 F96DF8FF call OTP.0040492C
0047DB33 |. 33C0 xor eax,eax
0047DB35 |. 55 push ebp
0047DB36 |. 68 E7DB4700 push OTP.0047DBE7
0047DB3B |. 64:FF30 push dword ptr fs:[eax]
0047DB3E |. 64:8920 mov dword ptr fs:[eax],esp
0047DB41 |. 8BC7 mov eax,edi
0047DB43 |. E8 4469F8FF call OTP.0040448C ; LStrClr
0047DB48 |. BB 01000000 mov ebx,1
0047DB4D |> 8B45 FC /mov eax,dword ptr ss:[ebp-4]
0047DB50 |. 8A4418 FF |mov al,byte ptr ds:[eax+ebx-1]
0047DB54 |. 3C 39 |cmp al,39
0047DB56 |. 76 15 |jbe short OTP.0047DB6D
0047DB58 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0047DB5B |. 25 FF000000 |and eax,0FF
0047DB60 |. 83E8 41 |sub eax,41
0047DB63 |. 83C0 0A |add eax,0A
0047DB66 |. 8BF0 |mov esi,eax
0047DB68 |. C1E6 04 |shl esi,4
0047DB6B |. EB 10 |jmp short OTP.0047DB7D
0047DB6D |> 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0047DB70 |. 25 FF000000 |and eax,0FF
0047DB75 |. 83E8 30 |sub eax,30
0047DB78 |. 8BF0 |mov esi,eax
0047DB7A |. C1E6 04 |shl esi,4
0047DB7D |> 43 |inc ebx
0047DB7E |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
0047DB81 |. 8A4418 FF |mov al,byte ptr ds:[eax+ebx-1]
0047DB85 |. 3C 39 |cmp al,39
0047DB87 |. 76 12 |jbe short OTP.0047DB9B
0047DB89 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0047DB8C |. 25 FF000000 |and eax,0FF
0047DB91 |. 03F0 |add esi,eax
0047DB93 |. 83EE 41 |sub esi,41
0047DB96 |. 83C6 0A |add esi,0A
0047DB99 |. EB 0D |jmp short OTP.0047DBA8
0047DB9B |> 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0047DB9E |. 25 FF000000 |and eax,0FF
0047DBA3 |. 03F0 |add esi,eax
0047DBA5 |. 83EE 30 |sub esi,30
0047DBA8 |> 43 |inc ebx
0047DBA9 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
0047DBAC |. 8BD6 |mov edx,esi
0047DBAE |. 80F2 FF |xor dl,0FF
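Added example (not the article's or the program's own code): a Python re-implementation of the string decoder at 0047DB18, applied to the constant "CECDCECCCAC6CDCBCDCCCECFCF" that the verification routine loads at 0047D6C6. Because the listing stops at the xor, it assumes each decoded byte is appended to the output string; like the original routine it performs no range checks, so only uppercase hex digits decode correctly.

```python
# Re-implementation of the decoder seen at 0047DB18 (added example, not the program's code).
# Each pair of characters is turned into one byte (high nibble shl 4, plus low nibble),
# and the byte is then XORed with 0xFF before being appended to the result (assumed).

def hex_nibble(ch: str) -> int:
    """Mirror of the per-character branch at 0047DB54: cmp al,39 / jbe."""
    code = ord(ch)
    if code > 0x39:                   # above '9': uppercase letter, 'A' -> 10
        return code - 0x41 + 0x0A     # sub eax,41 / add eax,0A
    return code - 0x30                # '0'..'9': sub eax,30

def decode_constant(s: str) -> bytes:
    """Decode an obfuscated constant the way the 0047DB18 loop does."""
    if len(s) % 2:
        raise ValueError("obfuscated constant must have an even number of characters")
    out = bytearray()
    for i in range(0, len(s), 2):
        byte = (hex_nibble(s[i]) << 4) + hex_nibble(s[i + 1])   # shl esi,4 / add esi,eax
        out.append(byte ^ 0xFF)                                  # xor dl,0FF
    return bytes(out)

def encode_constant(b: bytes) -> str:
    """Inverse transform: how a plaintext string becomes such a constant (added here)."""
    return "".join(f"{x ^ 0xFF:02X}" for x in b)

# Constant referenced at 0047D6C6 in the verification routine.
OBFUSCATED = "CECDCECCCAC6CDCBCDCCCECFCF"

if __name__ == "__main__":
    decoded = decode_constant(OBFUSCATED)
    print(decoded.decode("ascii"))
    # Round trip: re-encoding the decoded bytes reproduces the original constant.
    assert encode_constant(decoded) == OBFUSCATED
```

The constant decodes to a string of decimal digits, which is the form in which a big-number parameter is handed to the verification code rather than a readable string in the binary.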