破解Telegram
Fosom
+ 前提
1, Telegram(简称TG)是海外很常用的一款即时通讯软件。
2, 某公司想监控Telegram的通讯记录。
+ 思路
1, 用Dll劫持,把自己的Dll让TG主动加载起来。
(这里就略过了,这个很简单,而且我其他帖子有专门总结过很多加载方式)
2, 找到TG的加解密函数,把代码扣出来做成一个Dll,或,做一个Jmp复制出明文。
3, 最后把明文保存下来,就实现了对TG聊天记录的监控。
+ 条件
tsetup.0.9.49.exe,OD,IDA
+ 开始
1.无壳,无驱动,无VM,没有anti,裸体一个。毫无难度。
请高手略过。
2.既然是裸体一个,我一般是用最快速的思路来解决问题。
用IDA打开telegram.exe之后, 直接关键字搜索 crypt
很快就看到了
搜索结果里出现了 OpenSSL 的源文件路径 crypto\\aes\\aes_ige.c,说明客户端用的是 OpenSSL 的 AES-IGE(Infinite Garble Extension)模式;该文件里的断言字符串("in && out && key && ivec" 等,见下文反汇编)可以直接交叉引用到 AES_ige_encrypt。
3.OD附加后,下断:bp WSASend, bp WSARecv
必须先确定 Recv收回来的数据的真实存放地址,和长度。
4.下个内存断点,发现数据复制了N次。
只管下内存断点,终会找到解密的地方。
5,关键点,似乎已经找到了解密的附近, 因为看到了"decrypted message".
这说明发布版里保留了引用明文的调试日志格式串("TCP Info: decrypted message %1,%2,%3 is %4 len"),给逆向者提供了直接的定位点。把算法和日志放到不同线程并不能解决这个问题——对字符串的引用照样能交叉引用到;真正有用的是在发布版本中去掉这类打印明文的调试日志。不过即便去掉,下面反汇编里 OpenSSL 自带的断言字符串同样会暴露加解密函数的位置;对于已经能在进程内加载代码的攻击者,这类客户端侧的隐藏只是提高门槛,不是防护。
0040D263 > \83C9 FF or ecx, FFFFFFFF
0040D266 > 51 push ecx
0040D267 . 52 push edx
0040D268 . E8 534F1F00 call 006021C0
0040D26D . 8985 70FFFFFF mov dword ptr [ebp-90], eax
0040D273 . 6A 2E push 2E
0040D275 . 68 B890E601 push 01E690B8 ; ASCII "TCP Info: decrypted message %1,%2,%3 is %4 len"
0040D27A . C645 FC 23 mov byte ptr [ebp-4], 23
0040D27E . E8 3D4F1F00 call 006021C0
6, 解密地址(注意:OD 里看到的 00BC43CA 和下面 IDA 列表中的 00E643CA 是同一条指令,相差 0x2A0000,是两次加载基址不同造成的;写 hook 时要按 模块基址+RVA 计算地址,不要写死 OD 里的绝对地址)
00BC43CA |. 3147 F4 |xor dword ptr [edi-C], eax ; EDI-C=终于找到解密的结果
.text:00E64160
.text:00E64160 ; telegram.crypt: method = crypto\\aes\\aes_ige.c
.text:00E64160 ; 07FFD2CC 00410709 返回到 Telegram.00410709 来自 Telegram.00BC4160
.text:00E64160 ; 07FFD2D0 065C25F0 原始密文地址
.text:00E64160 ; 07FFD2D4 02788428 解密后结果地址
.text:00E64160 ; 07FFD2D8 00000060 size
.text:00E64160 ;
.text:00E64160 ; 065C25F0 F2 CE 2A D6 96 F9 B1 59 5C A5 81 BF 3C B4 D2 09
.text:00E64160 ; 065C2600 42 EB FC 36 6E 7C 86 FE 7A AE 9A 0A 7F CE E6 FC
.text:00E64160 ; 065C2610 41 48 B8 83 C5 F2 0A 24 FD 92 0F 24 0C 02 7D 65
.text:00E64160 ; 065C2620 F1 7A 64 DB CC 13 DF 0F 08 8D A6 48 65 A2 4A D3
.text:00E64160 ; 065C2630 A5 20 FA 89 72 11 F3 1A 9D 0B 41 F2 D4 16 8A 55
.text:00E64160 ; 065C2640 FE 81 61 E5 9C 83 35 E5 85 A4 D5 59 7B FF D6 CC
.text:00E64160 ;
.text:00E64160 ; 02788428 5F BE BF A5 7F CE 87 A2 C8 C5 3B D7 E7 DB 0B 99
.text:00E64160 ; 02788438 01 84 25 C1 63 A1 5B 57 27 00 00 00 40 00 00 00
.text:00E64160 ; 02788448 11 BF 4F 91 03 00 00 00 AD 08 00 00 6B 8A 15 0C
.text:00E64160 ; 02788458 20 41 61 61 61 61 61 61 61 61 61 61 61 61 61 61 Aaaaaaaaaaaaaaa 明文
.text:00E64160 ; 02788468 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
.text:00E64160 ; 02788478 61 00 00 00 71 0E 00 00 01 00 00 00 63 A1 5B 57
下面是 IDA 反汇编出的加解密函数(pak_decrypt 是自己改的名字;从断言字符串看它就是 OpenSSL 的 AES_ige_encrypt,最后一个参数 enc 决定是加密还是解密):
.text:00E64160 ;
.text:00E64160
.text:00E64160 pak_decrypt proc near ; CODE XREF: sub_6590A0+A3p
.text:00E64160 ; AES-IGE block routine, both directions (the reverser's name "pak_decrypt" is misleading).
.text:00E64160 ; The assertion strings below -- ".\crypto\aes\aes_ige.c", "in && out && key && ivec",
.text:00E64160 ; "(AES_ENCRYPT == enc) || (AES_DECRYPT == enc)", "(length % AES_BLOCK_SIZE) == 0" --
.text:00E64160 ; match OpenSSL's AES_ige_encrypt(in, out, length, key, ivec, enc): enc == 1 encrypts,
.text:00E64160 ; enc == 0 decrypts. cdecl (every exit is a plain retn; the caller pops the arguments).
.text:00E64160 ; IDA's sp-analysis failed (see endp), so the 44h-byte frame reserved by the probe at
.text:00E64160 ; E64165 is not tracked: stack locals appear as arg_ names and the real arguments are
.text:00E64160 ; shifted by 44h. Effective mapping in this listing:
.text:00E64160 ;   arg_44 = in (esi)    arg_48 = out (edi)    arg_4C = length (ebx; later ebx = length/16)
.text:00E64160 ;   arg_50 = key (eax)   arg_54 = ivec (ebp)   arg_58 = enc
.text:00E64160 ;   arg_3C = stack-cookie slot; srcAddr / resultAddr / size are reverser renames of locals
.text:00E64160 ;   that actually hold the key pointer (E64184), the ivec pointer (E64188) and a scratch
.text:00E64160 ;   block pointer -- not a source, a result or a size.
.text:00E64160 ; ivec is two blocks (32 bytes): [ivec] and [ivec+10h] are both read, and both are written
.text:00E64160 ; back with the updated chaining state before every retn. For interception, the plaintext
.text:00E64160 ; is in the out buffer after this returns when enc == 0.
.text:00E64160 ; sub_4433C0 / sub_444A00 are called as (in, out, key) from the enc == 1 / enc != 1 paths
.text:00E64160 ; and are presumably the single-block AES_encrypt / AES_decrypt -- not verified here.
.text:00E64160
.text:00E64160 arg_0 = dword ptr 4
.text:00E64164 arg_4 = dword ptr 8
.text:00E64164 arg_8 = dword ptr 0Ch
.text:00E64164 arg_C = xmmword ptr 10h
.text:00E64164 arg_1C = xmmword ptr 20h
.text:00E64164 arg_2C = xmmword ptr 30h
.text:00E64160 mov eax, 44h ; frame size for the stack probe (matched by add esp, 44h at every exit)
.text:00E64165 call sub_1103950 ; presumably __chkstk/_alloca_probe: reserves eax bytes of stack
.text:00E6416A mov eax, ___security_cookie
.text:00E6416F xor eax, esp ; cookie ^ esp ...
.text:00E64171 mov [esp+arg_3C], eax ; ... stored in the slot re-checked before each retn
.text:00E64175 mov eax, [esp+arg_50] ; eax = key
.text:00E64179 push ebx
.text:00E6417A push ebp
.text:00E6417B mov ebp, [esp+8+arg_54] ; ebp = ivec (32 bytes)
.text:00E6417F push esi
.text:00E64180 mov esi, [esp+0Ch+arg_44] ; esi = in
.text:00E64184 mov [esp+0Ch+srcAddr], eax ; spill key pointer (label is misleading: this is the key)
.text:00E64188 mov [esp+0Ch+resultAddr], ebp ; spill ivec pointer (label is misleading: this is ivec)
.text:00E6418C push edi
.text:00E6418D mov edi, [esp+10h+arg_48] ; edi = out
.text:00E64191 test esi, esi ; OPENSSL_assert(in && out && key && ivec)
.text:00E64193 jz short loc_E641A1
.text:00E64195 test edi, edi
.text:00E64197 jz short loc_E641A1
.text:00E64199 test eax, eax
.text:00E6419B jz short loc_E641A1
.text:00E6419D test ebp, ebp
.text:00E6419F jnz short loc_E641B5
.text:00E641A1
.text:00E641A1 loc_E641A1: ; CODE XREF: pak_decrypt+33j
.text:00E641A1 ; pak_decrypt+37j ...
.text:00E641A1 push offset aInOutKeyIvec ; "in && out && key && ivec"
.text:00E641A6 push 56h ; source line 86 of aes_ige.c
.text:00E641A8 push offset a_CryptoAesAes_ ; ".\\crypto\\aes\\aes_ige.c"
.text:00E641AD call loc_E63230 ; OpenSSL assertion-failure handler (file, line, expr); presumably aborts
.text:00E641B2 add esp, 0Ch
.text:00E641B5
.text:00E641B5 loc_E641B5: ; CODE XREF: pak_decrypt+3Fj
.text:00E641B5 mov eax, [esp+10h+arg_58] ; eax = enc
.text:00E641B9 cmp eax, 1 ; OPENSSL_assert(enc == AES_ENCRYPT (1) || enc == AES_DECRYPT (0))
.text:00E641BC jz short loc_E641D6
.text:00E641BE test eax, eax
.text:00E641C0 jz short loc_E641D6
.text:00E641C2 push offset aAes_encryptEnc ; "(AES_ENCRYPT == enc) || (AES_DECRYPT =="...
.text:00E641C7 push 57h
.text:00E641C9 push offset a_CryptoAesAes_ ; ".\\crypto\\aes\\aes_ige.c"
.text:00E641CE call loc_E63230
.text:00E641D3 add esp, 0Ch
.text:00E641D6
.text:00E641D6 loc_E641D6: ; CODE XREF: pak_decrypt+5Cj
.text:00E641D6 ; pak_decrypt+60j
.text:00E641D6 mov ebx, [esp+10h+arg_4C] ; ebx = length (bytes)
.text:00E641DA test bl, 0Fh ; OPENSSL_assert(length % AES_BLOCK_SIZE == 0)
.text:00E641DD jz short loc_E641F3
.text:00E641DF push offset aLengthAes_bloc ; "(length % AES_BLOCK_SIZE) == 0"
.text:00E641E4 push 58h
.text:00E641E6 push offset a_CryptoAesAes_ ; ".\\crypto\\aes\\aes_ige.c"
.text:00E641EB call loc_E63230
.text:00E641F0 add esp, 0Ch
.text:00E641F3
.text:00E641F3 loc_E641F3: ; CODE XREF: pak_decrypt+7Dj
.text:00E641F3 shr ebx, 4 ; ebx = number of 16-byte blocks
.text:00E641F6 cmp [esp+10h+arg_58], 1 ; enc != 1 -> decrypt paths at loc_E64339
.text:00E641FB jnz loc_E64339
.text:00E64201 cmp esi, edi ; in == out (in place) -> xmm-temporary path
.text:00E64203 jz loc_E642BE
.text:00E64209 mov eax, ebp
.text:00E6420B or eax, edi
.text:00E6420D or eax, esi
.text:00E6420F test al, 3 ; any of ivec/out/in not dword-aligned -> xmm-temporary path
.text:00E64211 jnz loc_E642BE
.text:00E64217 lea eax, [ebp+10h] ; eax = iv2 = ivec second block
.text:00E6421A mov edx, ebp ; edx = iv = ivec first block
.text:00E6421C mov [esp+10h+size], eax ; spill iv2 pointer (label "size" is misleading)
.text:00E64220 test ebx, ebx ; zero blocks: just write the IVs back
.text:00E64222 jz short loc_E6429D
.text:00E64224 lea ecx, [esi+8] ; ecx = in cursor (+8 biased)
.text:00E64227 lea ebp, [edi+8] ; ebp = out cursor (+8 biased); ivec pointer stays spilled
.text:00E6422A mov [esp+10h], ecx
.text:00E6422E db 66h ; 2-byte nop: aligns the loop head to 16
.text:00E6422E nop
.text:00E64230
.text:00E64230 loc_E64230: ; CODE XREF: pak_decrypt+137j
.text:00E64230 ; encrypt, aligned: out[i] = in[i] ^ iv, dword by dword
.text:00E64230 mov eax, [edx]
.text:00E64232 lea edi, [ecx-8] ; edi = &in[i]
.text:00E64235 xor eax, [edi]
.text:00E64237 lea esi, [ebp-8] ; esi = &out[i]
.text:00E6423A push [esp+10h+srcAddr] ; arg3: key
.text:00E6423E mov [esi], eax
.text:00E64240 mov eax, [ecx-4]
.text:00E64243 xor eax, [edx+4]
.text:00E64246 mov [ebp-4], eax
.text:00E64249 mov eax, [edx+8]
.text:00E6424C xor eax, [ecx]
.text:00E6424E mov [ebp+0], eax
.text:00E64251 mov eax, [ecx+4]
.text:00E64254 xor eax, [edx+0Ch]
.text:00E64257 push esi ; arg2: out block
.text:00E64258 push esi ; arg1: same block, encrypted in place
.text:00E64259 mov [ebp+4], eax
.text:00E6425C call sub_4433C0 ; presumably AES_encrypt(out[i], out[i], key)
.text:00E64261 mov ecx, [esp+1Ch+size] ; ecx = iv2 (previous input block)
.text:00E64265 lea ebp, [ebp+10h] ; advance out cursor
.text:00E64268 add esp, 0Ch
.text:00E6426B mov edx, esi ; iv for next block = out[i]
.text:00E6426D mov eax, [ecx] ; out[i] ^= iv2
.text:00E6426F xor [esi], eax
.text:00E64271 mov eax, [ecx+4]
.text:00E64274 xor [ebp-14h], eax
.text:00E64277 mov eax, [ecx+8]
.text:00E6427A xor [ebp-10h], eax
.text:00E6427D mov eax, [ecx+0Ch]
.text:00E64280 xor [ebp-0Ch], eax
.text:00E64283 mov eax, edi ; iv2 for next block = in[i]
.text:00E64285 mov ecx, [esp+10h]
.text:00E64289 add ecx, 10h ; advance in cursor
.text:00E6428C mov [esp+10h+size], eax
.text:00E64290 mov [esp+10h], ecx
.text:00E64294 sub ebx, 1
.text:00E64297 jnz short loc_E64230
.text:00E64299 mov ebp, [esp+10h+resultAddr] ; ebp = ivec again
.text:00E6429D
.text:00E6429D loc_E6429D: ; CODE XREF: pak_decrypt+C2j
.text:00E6429D ; write back chaining state: ivec[0..15] = iv (edx), ivec[16..31] = iv2 (eax)
.text:00E6429D movups xmm0, xmmword ptr [edx]
.text:00E642A0 pop edi
.text:00E642A1 pop esi
.text:00E642A2 movups xmmword ptr [ebp+0], xmm0
.text:00E642A6 movups xmm0, xmmword ptr [eax]
.text:00E642A9 movups xmmword ptr [ebp+10h], xmm0
.text:00E642AD pop ebp
.text:00E642AE pop ebx
.text:00E642AF mov ecx, [esp+arg_3C] ; stack-cookie check; the label "__except_fail" is misleading,
.text:00E642B3 xor ecx, esp ; the ecx = cookie ^ esp pattern is __security_check_cookie
.text:00E642B5 call __except_fail
.text:00E642BA add esp, 44h
.text:00E642BD retn
.text:00E642BE ; ---------------------------------------------------------------------------
.text:00E642BE
.text:00E642BE loc_E642BE: ; CODE XREF: pak_decrypt+A3j
.text:00E642BE ; pak_decrypt+B1j
.text:00E642BE ; encrypt, in-place or unaligned: work through xmm registers and a stack scratch block
.text:00E642BE movups xmm0, xmmword ptr [ebp+10h] ; xmm0 = iv2
.text:00E642C2 movups xmm1, xmmword ptr [ebp+0] ; xmm1 = iv
.text:00E642C6 movups [esp+10h+arg_C], xmm0 ; spill iv2
.text:00E642CB test ebx, ebx
.text:00E642CD jz short loc_E6431E
.text:00E642CF mov ebp, [esp+10h+srcAddr] ; ebp = key
.text:00E642D3
.text:00E642D3 loc_E642D3: ; CODE XREF: pak_decrypt+1B8j
.text:00E642D3 movups xmm0, xmmword ptr [esi] ; xmm0 = in[i]
.text:00E642D6 lea eax, [esp+10h+arg_2C] ; eax = scratch block
.text:00E642DA push ebp ; arg3: key
.text:00E642DB movups [esp+14h+arg_1C], xmm0 ; keep in[i] (becomes next iv2)
.text:00E642E0 push eax ; arg2: scratch (out)
.text:00E642E1 pxor xmm0, xmm1 ; scratch = in[i] ^ iv
.text:00E642E5 push eax ; arg1: scratch (in)
.text:00E642E6 movups [esp+1Ch+arg_2C], xmm0
.text:00E642EB call sub_4433C0 ; presumably AES_encrypt(scratch, scratch, key)
.text:00E642F0 movups xmm0, [esp+1Ch+arg_C] ; xmm0 = iv2
.text:00E642F5 add esp, 0Ch
.text:00E642F8 lea esi, [esi+10h]
.text:00E642FB lea edi, [edi+10h]
.text:00E642FE movups xmm1, [esp+10h+arg_2C]
.text:00E64303 pxor xmm1, xmm0 ; out[i] = scratch ^ iv2; xmm1 also serves as next iv
.text:00E64307 movups xmm0, [esp+10h+arg_1C] ; next iv2 = in[i]
.text:00E6430C movups xmmword ptr [edi-10h], xmm1
.text:00E64310 movups [esp+10h+arg_C], xmm0
.text:00E64315 sub ebx, 1
.text:00E64318 jnz short loc_E642D3
.text:00E6431A mov ebp, [esp+10h+resultAddr] ; ebp = ivec again
.text:00E6431E
.text:00E6431E loc_E6431E: ; CODE XREF: pak_decrypt+16Dj
.text:00E6431E ; write back chaining state: ivec[0..15] = iv (xmm1), ivec[16..31] = iv2 (xmm0)
.text:00E6431E pop edi
.text:00E6431F pop esi
.text:00E64320 movups xmmword ptr [ebp+0], xmm1
.text:00E64324 movups xmmword ptr [ebp+10h], xmm0
.text:00E64328 pop ebp
.text:00E64329 pop ebx
.text:00E6432A mov ecx, [esp+arg_3C] ; stack-cookie check (see E642AF)
.text:00E6432E xor ecx, esp
.text:00E64330 call __except_fail
.text:00E64335 add esp, 44h
.text:00E64338 retn
.text:00E64339 ; ---------------------------------------------------------------------------
.text:00E64339
.text:00E64339 loc_E64339: ; CODE XREF: pak_decrypt+9Bj
.text:00E64339 ; decrypt (enc != 1); same aligned / unaligned split as the encrypt side
.text:00E64339 cmp esi, edi
.text:00E6433B jz loc_E643F9
.text:00E64341 mov eax, ebp
.text:00E64343 or eax, edi
.text:00E64345 or eax, esi
.text:00E64347 test al, 3
.text:00E64349 jnz loc_E643F9
.text:00E6434F lea ecx, [ebp+10h] ; ecx = iv2
.text:00E64352 mov eax, ebp
.text:00E64354 mov [esp+10h], eax ; [esp+10h] = iv
.text:00E64358 test ebx, ebx
.text:00E6435A jz short loc_E643D8
.text:00E6435C add edi, 8 ; edi = out cursor (+8 biased)
.text:00E6435F lea ebp, [esi+8] ; ebp = in cursor (+8 biased)
.text:00E64362
.text:00E64362 loop_decrypt: ; CODE XREF: pak_decrypt+272j
.text:00E64362 ; decrypt, aligned: scratch = in[i] ^ iv2; out[i] = AES_decrypt(scratch) ^ iv
.text:00E64362 mov eax, [ebp-8]
.text:00E64365 lea esi, [ebp-8] ; esi = &in[i]
.text:00E64368 xor eax, [ecx]
.text:00E6436A push [esp+10h+srcAddr] ; arg3: key
.text:00E6436E mov dword ptr [esp+14h+arg_2C], eax
.text:00E64372 mov eax, [ebp-4]
.text:00E64375 xor eax, [ecx+4]
.text:00E64378 mov dword ptr [esp+14h+arg_2C+4], eax
.text:00E6437C mov eax, [ecx+8]
.text:00E6437F xor eax, [ebp+0]
.text:00E64382 mov dword ptr [esp+14h+arg_2C+8], eax
.text:00E64386 mov eax, [ebp+4]
.text:00E64389 xor eax, [ecx+0Ch]
.text:00E6438C mov dword ptr [esp+14h+arg_2C+0Ch], eax
.text:00E64390 lea eax, [edi-8] ; eax = &out[i]
.text:00E64393 push eax ; arg2: out[i]
.text:00E64394 mov [esp+18h+size], eax
.text:00E64398 lea eax, [esp+18h+arg_2C]
.text:00E6439C push eax ; arg1: scratch
.text:00E6439D call sub_444A00 ; presumably AES_decrypt(scratch, out[i], key)
.text:00E643A2 mov edx, [esp+1Ch] ; edx = iv
.text:00E643A6 lea ebp, [ebp+10h]
.text:00E643A9 mov ecx, [esp+1Ch+size] ; ecx = &out[i]
.text:00E643AD lea edi, [edi+10h]
.text:00E643B0 add esp, 0Ch
.text:00E643B3 mov [esp+10h], esi ; next iv = in[i] (ciphertext)
.text:00E643B7 mov eax, [edx] ; out[i] ^= iv
.text:00E643B9 xor [ecx], eax
.text:00E643BB mov eax, [edx+4]
.text:00E643BE xor [edi-14h], eax
.text:00E643C1 mov eax, [edx+8]
.text:00E643C4 xor [edi-10h], eax
.text:00E643C7 mov eax, [edx+0Ch] ; live dump during decrypt: 02788450 AD 08 00 00 6B 8A 15 0C 20 41 61 61 61 61 61 61
.text:00E643C7 ; 02788460 61 61 61 61 6D 63 1C -> "...Aaaaa..." is the plaintext appearing in the out buffer
.text:00E643CA xor [edi-0Ch], eax ; last dword of out[i] finished here: plaintext block complete.
.text:00E643CA ; OD showed this instruction at 00BC43CA -- same code, different load base
.text:00E643CD mov eax, esi
.text:00E643CF sub ebx, 1 ; ecx (out[i]) becomes iv2 for the next block
.text:00E643D2 jnz short loop_decrypt
.text:00E643D4 mov ebp, [esp+10h+resultAddr] ; ebp = ivec again
.text:00E643D8
.text:00E643D8 loc_E643D8: ; CODE XREF: pak_decrypt+1FAj
.text:00E643D8 ; write back chaining state: ivec[0..15] = last in (eax), ivec[16..31] = last out (ecx)
.text:00E643D8 movups xmm0, xmmword ptr [eax]
.text:00E643DB pop edi
.text:00E643DC pop esi
.text:00E643DD movups xmmword ptr [ebp+0], xmm0
.text:00E643E1 movups xmm0, xmmword ptr [ecx]
.text:00E643E4 movups xmmword ptr [ebp+10h], xmm0
.text:00E643E8 pop ebp
.text:00E643E9 pop ebx
.text:00E643EA mov ecx, [esp+arg_3C] ; stack-cookie check (see E642AF)
.text:00E643EE xor ecx, esp
.text:00E643F0 call __except_fail
.text:00E643F5 add esp, 44h
.text:00E643F8 retn
.text:00E643F9 ; ---------------------------------------------------------------------------
.text:00E643F9
.text:00E643F9 loc_E643F9: ; CODE XREF: pak_decrypt+1DBj
.text:00E643F9 ; pak_decrypt+1E9j
.text:00E643F9 ; decrypt, in-place or unaligned: xmm registers and stack scratch block
.text:00E643F9 movups xmm0, xmmword ptr [ebp+0] ; xmm0 = iv
.text:00E643FD movups xmm2, xmmword ptr [ebp+10h] ; xmm2 = iv2
.text:00E64401 movups [esp+10h+arg_C], xmm0 ; spill iv
.text:00E64406 test ebx, ebx
.text:00E64408 jz short loc_E6445E
.text:00E6440A mov ebp, [esp+10h+srcAddr] ; ebp = key
.text:00E6440E db 66h ; 2-byte nop: aligns the loop head to 16
.text:00E6440E nop
.text:00E64410
.text:00E64410 loc_E64410: ; CODE XREF: pak_decrypt+2F8j
.text:00E64410 movups xmm0, xmmword ptr [esi] ; xmm0 = in[i]
.text:00E64413 lea eax, [esp+10h+arg_2C] ; eax = scratch block
.text:00E64417 movups xmm1, xmmword ptr [esi] ; xmm1 = in[i] (kept as next iv)
.text:00E6441A push ebp ; arg3: key
.text:00E6441B push eax ; arg2: scratch (out)
.text:00E6441C pxor xmm0, xmm2 ; scratch = in[i] ^ iv2
.text:00E64420 push eax ; arg1: scratch (in)
.text:00E64421 movups [esp+1Ch+arg_1C], xmm1
.text:00E64426 movups [esp+1Ch+arg_2C], xmm0
.text:00E6442B call sub_444A00 ; presumably AES_decrypt(scratch, scratch, key)
.text:00E64430 movups xmm0, [esp+1Ch+arg_C] ; xmm0 = iv
.text:00E64435 add esp, 0Ch
.text:00E64438 lea esi, [esi+10h]
.text:00E6443B lea edi, [edi+10h]
.text:00E6443E movups xmm2, [esp+10h+arg_2C]
.text:00E64443 pxor xmm2, xmm0 ; out[i] = scratch ^ iv; xmm2 also serves as next iv2
.text:00E64447 movups xmm0, [esp+10h+arg_1C] ; next iv = in[i]
.text:00E6444C movups xmmword ptr [edi-10h], xmm2
.text:00E64450 movups [esp+10h+arg_C], xmm0
.text:00E64455 sub ebx, 1
.text:00E64458 jnz short loc_E64410
.text:00E6445A mov ebp, [esp+10h+resultAddr] ; ebp = ivec again
.text:00E6445E
.text:00E6445E loc_E6445E: ; CODE XREF: pak_decrypt+2A8j
.text:00E6445E ; write back chaining state: ivec[0..15] = iv (xmm0), ivec[16..31] = iv2 (xmm2)
.text:00E6445E mov ecx, [esp+10h+arg_3C] ; stack-cookie check (see E642AF)
.text:00E64462 pop edi
.text:00E64463 pop esi
.text:00E64464 movups xmmword ptr [ebp+0], xmm0
.text:00E64468 movups xmmword ptr [ebp+10h], xmm2
.text:00E6446C pop ebp
.text:00E6446D pop ebx
.text:00E6446E xor ecx, esp
.text:00E64470 call __except_fail
.text:00E64475 add esp, 44h
.text:00E64478 retn
.text:00E64478 pak_decrypt endp ; sp-analysis failed
7. 写一个钩子注入进去(原帖此处有截图,本文未收录),在该函数返回后截取 out 缓冲区里的数据。注意两点:同一个函数既做加密也做解密,钩子要根据第 6 个参数 enc(== 1 加密,== 0 解密)区分方向,否则会把自己发出的密文当成明文记下来;另外 hook 地址要按 模块基址+RVA 计算,不能写死调试器里看到的绝对地址,因为加载基址会变。
8.数据分析
R=>2A090000 6B81150C 27 E68891E8AFB4E68891E8AFB4E68891E8AFB4E68891E8AFB4E68891E8AFB4E68891E8AFB4E68891690F000001000000471E5E572BF3172C635BBA9E2B99B175
R=>27090000 6B81150C 12 61616161616161616161616161616161616100640F000001000000A01B5E57(0050)
R=>28090000 6971F506 0F E8BF99E698AFE4BB80E4B988E591A2650F000001000000001C5E5776F13D70(0050)
R=>016C2513 121D5E57 00 03000014000000C5737734C067DBE1111D5E57903C645E6F77BF8201E42513121D5E57000300001400000059B4D66215C4B51C01000000F897DBE1111D5E57(0070)
R=>925E4206 4939B9ED 5E 1E5E57321D5E57491F0BBDF639F434(0040)
R=>29090000 6971F506 2E 3030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303000670F000001000000671D5E57BD058504(0070)
上面每条记录的字段依次为:用于区分 Send/Recv 方向的前缀(R=> 表示收到的数据)、说话者 ID、内容长度、内容;正文采用 UTF-8 编码(例如 E68891E8AFB4 即 "我说")。