[DES]YAHOO通群发器－利用程序本身加解密-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[DES]YAHOO通群发器－利用程序本身加解密

发表于: 2006-4-1 13:54 9535

[DES]YAHOO通群发器－利用程序本身加解密

cyto

2006-4-1 13:54

9535

YAHOO通群发器

说明：因为接连碰到了3个软件，硬件跟踪发现都是同样的处理，但过程极其复杂，郁闷之余用查算法的工具查了下，DES，所以决定猛补。
于是翻遍看雪精华，找到精华5的2篇文章，于是step by step，终于有所体会。
在此非常感谢bbbsl的文章－－变脸王，风雨无阻的文章－－公路坐标计算系统  1.0。

1.定位注册按钮：
Borland Delphi 6.0 - 7.0
TForm_Reg ： OnClick = btn_ConfirmClick：004845F4;
004845F4    55             push ebp

2.流程：
00484619    8D55 F8       lea edx,dword ptr ss:[ebp-8]
0048461C    8B83 08030000 mov eax,dword ptr ds:[ebx+308]
00484622    E8 7972FDFF    call AutoSend.0045B8A0                   ; 取得注册码
00484627    8B45 F8       mov eax,dword ptr ss:[ebp-8]
0048462A    8D4D FC       lea ecx,dword ptr ss:[ebp-4]
0048462D    BA F0464800    mov edx,AutoSend.004846F0                ; ASCII "45"
00484632    E8 499DFFFF    call AutoSend.0047E380
00484637    8D45 F4       lea eax,dword ptr ss:[ebp-C]
0048463A    50             push eax
0048463B    8D55 F0       lea edx,dword ptr ss:[ebp-10]
0048463E    8B83 04030000 mov eax,dword ptr ds:[ebx+304]
00484644    E8 5772FDFF    call AutoSend.0045B8A0                   ; 机器码
00484649    8B45 F0       mov eax,dword ptr ss:[ebp-10]             ; (ASCII "1379193")
0048464C    B9 64000000    mov ecx,64
00484651    BA 03000000    mov edx,3
00484656    E8 FDFFF7FF    call AutoSend.00404658                   ; 从第3位开始取
0048465B    8B55 F4       mov edx,dword ptr ss:[ebp-C]             ;  (ASCII "79193")
0048465E    8B45 FC       mov eax,dword ptr ss:[ebp-4]             ; ？？
00484661    E8 DEFEF7FF    call AutoSend.00404544                   ; 比较
00484666    75 31          jnz short AutoSend.00484699
00484668    B8 FC464800    mov eax,AutoSend.004846FC                ; ASCII "OK!"
0048466D    E8 AEF2FFFF    call AutoSend.00483920
00484672    68 08474800    push AutoSend.00484708                   ; ASCII "Main"
00484677    8D55 EC       lea edx,dword ptr ss:[ebp-14]
0048467A    8B83 08030000 mov eax,dword ptr ds:[ebx+308]
00484680    E8 1B72FDFF    call AutoSend.0045B8A0
00484685    8B55 EC       mov edx,dword ptr ss:[ebp-14]
00484688    B9 18474800    mov ecx,AutoSend.00484718                ; ASCII "option.ini"
0048468D    B8 2C474800    mov eax,AutoSend.0048472C                ; ASCII "SN"
00484692    E8 8DE0FFFF    call AutoSend.00482724
00484697    EB 1E          jmp short AutoSend.004846B7

非常清晰，输入的注册码计算值＝机器码的后几位79193。

反复跟踪发现，如果注册码位数小于16位，那么0048465E mov eax,dword ptr ss:[ebp-4] 处的值都为0。

练码：8765432112345678
cryptosearcher查算法：DES+MD5

3.算法之旅：00484632    E8 499DFFFF    call AutoSend.0047E380
分两部分进行，一部分对ASCII "45"下断获得密钥key，一部分对注册码下断获得加解密结果。

3.1密钥key：
在0048462D处对ASCII "45"下硬件访问断点跟踪。
先是对字符串45的加长，得到34 35 00 00 00 00 00 00，这样就有64位；
然后转移了好几处，最后来到：
0047D9A1    8B3498    mov esi,dword ptr ds:[eax+ebx*4]
0047D9A4    4B       dec ebx
0047D9A5    56       push esi
0047D9A6 ^ 79 F9    jns short AutoSend.0047D9A1
堆栈：
0012EC94 00003534
0012EC98 00000000
即key：0012EC94  34 35 00 00 00 00 00 00

3.1.1往下是DES密钥的置换子密钥：PC-1
0047D9C1    B8 08B54800    mov eax,AutoSend.0048B508       ; DES密钥的置换子密钥的参数
0047D9C6    8A18          mov bl,byte ptr ds:[eax]          ; 参数指针*p
0047D9C8    8BCB          mov ecx,ebx                      ; temp=*p
0047D9CA    80E1 07       and cl,7                         ; 以下操作为bit级
0047D9CD    81E1 FF000000 and ecx,0FF
0047D9D3    51             push ecx                         ; push temp&0x7
0047D9D4    B9 07000000    mov ecx,7                         ; temp&0x7和temp mod 8效果一样:)
0047D9D9    5E             pop esi
0047D9DA    2BCE          sub ecx,esi                      ; 7-temp&0x7
0047D9DC    BE 01000000    mov esi,1
0047D9E1    D3E6          shl esi,cl                      ; 需要将0x00000001向左移(7-temp&7)位
0047D9E3    33C9          xor ecx,ecx
0047D9E5    8ACB          mov cl,bl                         ; temp=*p
0047D9E7    C1E9 03       shr ecx,3                         ; 整除以8
0047D9EA    8B5D FC       mov ebx,dword ptr ss:[ebp-4]    ; key=34 35 00 00 00 00 00 00
0047D9ED    0FB60C0B       movzx ecx,byte ptr ds:[ebx+ecx] ; 逆取key？得到第(*p)bit的值
0047D9F1    23F1          and esi,ecx                      ; 用来判断第(*p)bit 的值是否为0
0047D9F3    74 1D          je short AutoSend.0047DA12       ; 如果是0就不用操作了
0047D9F5    8BCA          mov ecx,edx                      ; 不为0就将第i位置1
0047D9F7    83E1 07       and ecx,7
0047D9FA    51             push ecx
0047D9FB    B9 07000000    mov ecx,7
0047DA00    5B             pop ebx
0047DA01    2BCB          sub ecx,ebx
0047DA03    B3 01          mov bl,1
0047DA05    D2E3          shl bl,cl
0047DA07    8BCA          mov ecx,edx
0047DA09    C1E9 03       shr ecx,3
0047DA0C    8B75 F8       mov esi,dword ptr ss:[ebp-8]
0047DA0F    081C0E          or byte ptr ds:[esi+ecx],bl       ; 第i位置一
0047DA12    42             inc edx
0047DA13    40             inc eax
0047DA14    83FA 38       cmp edx,38
0047DA17 ^ 75 AD          jnz short AutoSend.0047D9C6

AutoSend.0048B508的参数为：
0048B508  38 30 28 20 18 10 08 00  80( .
0048B510  39 31 29 21 19 11 09 01  91)!.
0048B518  3A 32 2A 22 1A 12 0A 02  :2*".
0048B520  3B 33 2B 23 3E 36 2E 26  ;3+#>6.&
0048B528  1E 16 0E 06 3D 35 2D 25  =5-%
0048B530  1D 15 0D 05 3C 34 2C 24  .<4,$
0048B538  1C 14 0C 04 1B 13 0B 03  .
将每个值＋1就是PC-1的下标。

说明：64比特的密钥K，经过PC-1后，生成56比特的串。其下标如表所示：
PC-1
57 49 41 33 25 17 09 01
58 50 42 34 26 18 10 02
59 51 43 35 27 19 11 03
60 52 44 36 63 55 47 39
31 23 15 07 62 54 46 38
30 22 14 06 61 53 45 37
29 21 13 05 28 20 12 04

然后返回到：
0047DB45    E8 46FEFFFF    call AutoSend.0047D990          ; PC-1

3.1.2往下，PC-2，获得16个key：
0047DBA4    BF 10000000    mov edi,10
0047DBA9    BB B0B54800    mov ebx,AutoSend.0048B5B0       ; 左移位数的参数，Lsi
0047DBAE    8B75 FC       mov esi,dword ptr ss:[ebp-4]
0047DBB1    8D45 F1       lea eax,dword ptr ss:[ebp-F]    ; 把前28bit转一转:)
0047DBB4    8A0B          mov cl,byte ptr ds:[ebx]          ; 转turnit[ebx]下,一下一位
0047DBB6    BA 03000000    mov edx,3
0047DBBB    E8 00FFFFFF    call AutoSend.0047DAC0          ; 负责转圈的
0047DBC0    8D45 ED       lea eax,dword ptr ss:[ebp-13]    ; 后28也进去转转
0047DBC3    8A0B          mov cl,byte ptr ds:[ebx]
0047DBC5    BA 03000000    mov edx,3
0047DBCA    E8 F1FEFFFF    call AutoSend.0047DAC0          ; 负责转圈的
0047DBCF    8A55 F1       mov dl,byte ptr ss:[ebp-F]
0047DBD2    C1E2 04       shl edx,4
0047DBD5    8A45 F2       mov al,byte ptr ss:[ebp-E]
0047DBD8    33C9          xor ecx,ecx
0047DBDA    8AC8          mov cl,al
0047DBDC    C1E9 04       shr ecx,4
0047DBDF    0AD1          or dl,cl
0047DBE1    8855 E6       mov byte ptr ss:[ebp-1A],dl
0047DBE4    C1E0 04       shl eax,4
0047DBE7    33D2          xor edx,edx
0047DBE9    8A55 F3       mov dl,byte ptr ss:[ebp-D]
0047DBEC    C1EA 04       shr edx,4
0047DBEF    0AC2          or al,dl
0047DBF1    8845 E7       mov byte ptr ss:[ebp-19],al
0047DBF4    8A55 F3       mov dl,byte ptr ss:[ebp-D]
0047DBF7    C1E2 04       shl edx,4
0047DBFA    8A45 F4       mov al,byte ptr ss:[ebp-C]
0047DBFD    33C9          xor ecx,ecx
0047DBFF    8AC8          mov cl,al
0047DC01    C1E9 04       shr ecx,4
0047DC04    0AD1          or dl,cl
0047DC06    8855 E8       mov byte ptr ss:[ebp-18],dl
0047DC09    C1E0 04       shl eax,4
0047DC0C    0A45 ED       or al,byte ptr ss:[ebp-13]
0047DC0F    8845 E9       mov byte ptr ss:[ebp-17],al
0047DC12    8A45 EE       mov al,byte ptr ss:[ebp-12]
0047DC15    8845 EA       mov byte ptr ss:[ebp-16],al
0047DC18    8A45 EF       mov al,byte ptr ss:[ebp-11]
0047DC1B    8845 EB       mov byte ptr ss:[ebp-15],al
0047DC1E    8A45 F0       mov al,byte ptr ss:[ebp-10]
0047DC21    8845 EC       mov byte ptr ss:[ebp-14],al
0047DC24    6A 05          push 5
0047DC26    8BCE          mov ecx,esi
0047DC28    8D45 E6       lea eax,dword ptr ss:[ebp-1A]
0047DC2B    BA 06000000    mov edx,6
0047DC30    E8 F3FDFFFF    call AutoSend.0047DA28          ; 这里是从56取48的过程
0047DC35    83C6 06       add esi,6                         ; 存放16个key的地址
0047DC38    43             inc ebx
0047DC39    4F             dec edi                         ; 要得到16个子密钥
0047DC3A ^ 0F85 71FFFFFF jnz AutoSend.0047DBB1

该比特串分为长度相等的比特串C0和D0。然后C0和D0分别循环左移Ls1位，得到C1和D1。C1和D1合并起来生成C1D1。C1D1经过PC-2变换后即生成48比特的K1。
C1、D1分别循环左移LS2位，再合并，经过PC-2，生成子密钥K2……依次类推直至生成子密钥K16。
注意：Lsi (I =1,2,….16)的数值是不同的。具体见下表：
迭代顺序 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 （LSi）
左移位数 1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1 （左移位数的参数）

得到的16key（6个字节×16）：
0048CC10  00 08 00 04 00 10 00 20 00 80 00 50 00 04 04 41  .... .?P.A
0048CC20  82 00 40 00 00 10 04 08 00 80 20 08 10 04 80 00  ?@...??
0048CC30  02 00 60 A0 20 02 00 20 08 01 00 10 00 82 00 12  .`?. ..?
0048CC40  00 00 40 81 01 02 00 40 10 04 02 00 04 01 00 50  ..@?.@..P
0048CC50  00 44 02 00 01 00 80 88 09 00 00 00 34 01 00 00  .D..?...4..
0048CC60  88 2A 00 20 10 00 00 00 49 02 10 08 00 04 09 00  ?. ...I...

然后返回到：
0047E1B7    E8 64F9FFFF    call AutoSend.0047DB20
再往下就是注册码的处理了。

3.2跟踪注册码下断：
取得注册码后下硬件访问断点跟踪，断下后返回：
0047E3E8    E8 6B62F8FF    call AutoSend.00404658                   ; 顺取2位
0047E3ED    8B45 F0       mov eax,dword ptr ss:[ebp-10]             ; 返回在此
其实就是字符转换成字节，最后值：
00D4B834  87 65 43 21 12 34 56 78  ?C!4Vx
然后转移2次：
0047E1F9    8810          mov byte ptr ds:[eax],dl                   ; 断在此
0012ED28  87 65 43 21 12 34 56 78  ?C!4Vx
0047DDA7    8811          mov byte ptr ds:[ecx],dl
0012ED20  87 65 43 21 12 34 56 78  ?C!4Vx

3.2.1 HR 0012ED20：IP置换
0047D77D    0FB60C0E       movzx ecx,byte ptr ds:[esi+ecx]    ; 转换后的注册码
0047D781    23F9          and edi,ecx                         ; 断在此
...
0047D79F    42             inc edx
0047D7A0    40             inc eax
0047D7A1    83FA 40       cmp edx,40                         ; 56，估计就是IP置换
0047D7A4 ^ 75 B3          jnz short AutoSend.0047D759

返回：
0047DDB6    E8 81F9FFFF    call AutoSend.0047D73C          ; IP置换
0047DDBB    84DB          test bl,bl                      ; HR 012ED20断下后返回处
此时ecx＝0F63F0C6，edx＝5580AA01

此时可以推测程序是否是IP置换：
输入注册码：8765432112345678，转换后：87 65 43 21 12 34 56 78
10000111 01100101 01000011 00100001 00010010 00110100 01010110 01111000
  3       11    19    27    35    43    51    59
IP置换下标：
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 09 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7

得到：
11000110 11110000 01100011 00001111 00000001 10101010 10000000 01010101
即：0012ECA0  C6 F0 63 0F 01 AA 80 55  起c?U

至此可以肯定是DES加密的IP置换。往下思路就清晰多了。

3.2.2判断加密或解密：
IP置换的call返回后有一个判断：0047DDBB    test bl,bl       ; 返回处
下面有2段一样的代码，估计一个是解密，一个是加密，程序给出的是bl＝1，k是从16开始取的。
难道作者把解密当加密，把加密当解密进行变动？

3.2.3继续往下，将置换值分成L,R两部分，并解密：
0047DE8D    B8 04000000    mov eax,4
0047DE92    8B55 0C       mov edx,dword ptr ss:[ebp+C]
0047DE95    8D75 F4       lea esi,dword ptr ss:[ebp-C]
0047DE98    8A0A          mov cl,byte ptr ds:[edx]
0047DE9A    880E          mov byte ptr ds:[esi],cl    // Li-1
0047DE9C    46             inc esi
0047DE9D    42             inc edx
0047DE9E    48             dec eax
0047DE9F ^ 75 F7          jnz short AutoSend.0047DE98
0047DEA1    B8 04000000    mov eax,4
0047DEA6    8B55 0C       mov edx,dword ptr ss:[ebp+C]
0047DEA9    83C2 04       add edx,4
0047DEAC    8A0A          mov cl,byte ptr ds:[edx]
0047DEAE    884A FC       mov byte ptr ds:[edx-4],cl    // Ri-1
0047DEB1    42             inc edx
0047DEB2    48             dec eax
0047DEB3 ^ 75 F7          jnz short AutoSend.0047DEAC
0047DEB5    6A 05          push 5
0047DEB7    8D45 F0       lea eax,dword ptr ss:[ebp-10]
0047DEBA    50             push eax
0047DEBB    6A 03          push 3
0047DEBD    8BCB          mov ecx,ebx
0047DEBF    8B45 0C       mov eax,dword ptr ss:[ebp+C]
0047DEC2    8B55 08       mov edx,dword ptr ss:[ebp+8]
0047DEC5    E8 86FDFFFF    call AutoSend.0047DC50          // F函数(Ri-1,Ki)
0047DECA    B8 04000000    mov eax,4
0047DECF    8D55 F4       lea edx,dword ptr ss:[ebp-C]
0047DED2    8D75 F0       lea esi,dword ptr ss:[ebp-10]
0047DED5    8B4D 0C       mov ecx,dword ptr ss:[ebp+C]
0047DED8    83C1 04       add ecx,4
0047DEDB    894D E8       mov dword ptr ss:[ebp-18],ecx
0047DEDE    8A0A          mov cl,byte ptr ds:[edx]
0047DEE0    320E          xor cl,byte ptr ds:[esi]          // Li-1 XOR Fi
0047DEE2    8B7D E8       mov edi,dword ptr ss:[ebp-18]
0047DEE5    880F          mov byte ptr ds:[edi],cl
0047DEE7    FF45 E8       inc dword ptr ss:[ebp-18]
0047DEEA    46             inc esi
0047DEEB    42             inc edx
0047DEEC    48             dec eax
0047DEED ^ 75 EF          jnz short AutoSend.0047DEDE
0047DEEF    83EB 06       sub ebx,6
0047DEF2    FF45 F8       inc dword ptr ss:[ebp-8]
0047DEF5 ^ 75 96          jnz short AutoSend.0047DE8D

解密的结果：
0012ED20  61 BF 27 F2 E0 67 3A 83  a?蜞g:

3.2.4 用到的f函数：
0047DEC5    E8 86FDFFFF    call AutoSend.0047DC50          // F函数？
它的功能是将32比特的输入再转化为32比特的输出

0047DC50    55             push ebp
0047DC51    8BEC          mov ebp,esp
0047DC53    83C4 EC       add esp,-14
0047DC56    53             push ebx
0047DC57    56             push esi
0047DC58    8B5D 10       mov ebx,dword ptr ss:[ebp+10]
0047DC5B    85DB          test ebx,ebx
0047DC5D    78 0A          js short AutoSend.0047DC69
0047DC5F    C1EB 02       shr ebx,2
0047DC62    8B3499          mov esi,dword ptr ds:[ecx+ebx*4]    ; 参数之一－ki
0047DC65    4B             dec ebx
0047DC66    56             push esi
0047DC67 ^ 79 F9          jns short AutoSend.0047DC62
0047DC69    8BCC          mov ecx,esp
0047DC6B    8BDA          mov ebx,edx
0047DC6D    85DB          test ebx,ebx
0047DC6F    78 0A          js short AutoSend.0047DC7B
0047DC71    C1EB 02       shr ebx,2
0047DC74    8B3498          mov esi,dword ptr ds:[eax+ebx*4]    ; 参数之二－Ri-1
0047DC77    4B             dec ebx
0047DC78    56             push esi
0047DC79 ^ 79 F9          jns short AutoSend.0047DC74
0047DC7B    8BC4          mov eax,esp
0047DC7D    894D FC       mov dword ptr ss:[ebp-4],ecx
0047DC80    6A 05          push 5
0047DC82    8D4D F6       lea ecx,dword ptr ss:[ebp-A]
0047DC85    E8 BAFBFFFF    call AutoSend.0047D844             ; 变换E，即膨胀过程，32到48
0047DC8A    BB 06000000    mov ebx,6                         ; 6个字节＝48bit
0047DC8F    8B45 FC       mov eax,dword ptr ss:[ebp-4]       ; Ki
0047DC92    8D55 F6       lea edx,dword ptr ss:[ebp-A]
0047DC95    8A08          mov cl,byte ptr ds:[eax]          ; 顺取ki
0047DC97    300A          xor byte ptr ds:[edx],cl          ; 膨胀后与子密钥ki相异或
0047DC99    42             inc edx
0047DC9A    40             inc eax
0047DC9B    4B             dec ebx
0047DC9C ^ 75 F7          jnz short AutoSend.0047DC95
0047DC9E    8A45 F6       mov al,byte ptr ss:[ebp-A]
...                                                             ; 修改48bit为6bit×8，得到8字节
0047DD15    33DB          xor ebx,ebx
0047DD17    8D75 EE       lea esi,dword ptr ss:[ebp-12]
0047DD1A    8BC3          mov eax,ebx
0047DD1C    8A16          mov dl,byte ptr ds:[esi]
0047DD1E    E8 31FCFFFF    call AutoSend.0047D954             ; s盒查表
0047DD23    8806          mov byte ptr ds:[esi],al          ; 查表值
0047DD25    43             inc ebx
0047DD26    46             inc esi
0047DD27    83FB 08       cmp ebx,8                         ; 得到8字节＝32bit
0047DD2A ^ 75 EE          jnz short AutoSend.0047DD1A
0047DD2C    BB 04000000    mov ebx,4                         ; 以下将2字节整合成1字节
0047DD31    8D45 EE       lea eax,dword ptr ss:[ebp-12]
0047DD34    8D55 F6       lea edx,dword ptr ss:[ebp-A]
0047DD37    8A08          mov cl,byte ptr ds:[eax]
0047DD39    C1E1 04       shl ecx,4
0047DD3C    0A48 01       or cl,byte ptr ds:[eax+1]
0047DD3F    880A          mov byte ptr ds:[edx],cl          ; 整合后保存，得到4个字节
0047DD41    42             inc edx
0047DD42    83C0 02       add eax,2
0047DD45    4B             dec ebx
0047DD46 ^ 75 EF          jnz short AutoSend.0047DD37
0047DD48    8D45 F6       lea eax,dword ptr ss:[ebp-A]
0047DD4B    BA 05000000    mov edx,5
0047DD50    E8 7FFBFFFF    call AutoSend.0047D8D4             ; P变换？输出32bit
0047DD55    BB 04000000    mov ebx,4
0047DD5A    8D45 F6       lea eax,dword ptr ss:[ebp-A]
0047DD5D    8B55 0C       mov edx,dword ptr ss:[ebp+C]
0047DD60    8A08          mov cl,byte ptr ds:[eax]
0047DD62    880A          mov byte ptr ds:[edx],cl          ; 转存
0047DD64    42             inc edx
0047DD65    40             inc eax
0047DD66    4B             dec ebx
0047DD67 ^ 75 F7          jnz short AutoSend.0047DD60
0047DD69    8B75 E4       mov esi,dword ptr ss:[ebp-1C]
0047DD6C    8B5D E8       mov ebx,dword ptr ss:[ebp-18]
0047DD6F    8BE5          mov esp,ebp
0047DD71    5D             pop ebp
0047DD72    C2 0C00       retn 0C

输入Ri-1(32比特)经过变换E后，膨胀为48比特。
膨胀后的比特串分为8组，每组6比特。各组经过各自的S盒后，又变为4比特(具体过程见后)，合并后又成为32比特。该32比特经过P变换后，其下标列表如下：
经过P变换后输出的比特串才是32比特的f (Ri-1,Ki)。

如果message＝87 65 43 21 12 34 56 78
f函数的结果：
3C DD C6 39；1B 4C 8C 73；68 C6 F7 F2；E7 17 77 3F；
A5 FD DC 6E；8E 22 F1 C1；B3 CC 25 CC；D0 39 72 3B；
60 FA 04 BE；D7 11 97 55；CC D2 4E 82；F1 70 A3 5A；
6A 85 92 60；8B 7E 07 C8；A2 10 49 B9；6F 4A EC D6。

3.2.5对解密结果的IP-1置换：
0047DF39    E8 82F8FFFF    call AutoSend.0047D7C0                   ; IP-1置换？
参数：0012ED20  61 BF 27 F2 E0 67 3A 83  a?蜞g:
结果：0012ED20  76 3F 34 18 19 FD E1 93  v?4?

逆置换的结果与取得的机器码部分比较，相等就注册成功。

4.算法总结：
作者很狡猾，提供的key只有2个字符，以00加长为64bit＝34 35 00 00 00 00 00 00
然后运算得到16个key：
k16：10 08 00 04 09 00； k15：10 00 00 00 49 02
k14：00 00 88 2A 00 20； k13：09 00 00 00 34 01
k12：02 00 01 00 80 88； k11：04 01 00 50 00 44
k10：00 40 10 04 02 00； k09：00 00 40 81 01 02
k08：00 10 00 82 00 12； k07：20 02 00 20 08 01
k06：80 00 02 00 60 A0； k05：00 80 20 08 10 04
k04：40 00 00 10 04 08； k03：00 04 04 41 82 00
k02：00 20 00 80 00 50； k01：00 08 00 04 00 10

注册码需要16位字符，转换成8个字节：87 65 43 21 12 34 56 78，
DES解密得到的值＝机器码第3位后的几位，那就注册成功。

5.反推注册码：
程序内置加密解密程序，这就好办，可以利用程序本身来加解密。

先实践程序内置的加解密是否可用：
练码：8765432112345678
解密结果：76 3F 34 18 19 FD E1 93

将0047DDB6（IP置换）前的参数87 65 43 21 12 34 56 78修改成76 3F 34 18 19 FD E1 93，然后步过该call，来到0047DDBB，往下，修改跳转，使其进行加密（作者对输入的注册码进行转换后用到的是解密程序，因此反过来），一路往下，最后结果是：87 65 43 21 12 34 56 78，呵呵，有用。

那好，修改为机器码后几位：79193，即
37 39 31 39 33 00 00 00
解密后得到：
00D4EFB0  A8 51 CF EF 1D 17 0F 73  ㄑ巷s
好，修改0047DDB6（IP置换）的参数为A8 51 CF EF 1D 17 0F 73，步过该call，不修改跳转，继续，呵呵最后结果：37 39 31 39 33 00 00 00

OK，成功！
机器码：1379193
注册码：A8 51 CF EF 1D 17 0F 73

6.后记：
程序虽然使用DES算法，但是它本身既提供了加密也提供了解密。这个很致命，因此你都不用自己写注册机，也不用其他工具解密，直接利用程序本身的加解密搞定注册码。

[课程]FART 脱壳王！加量不加价！FART作者讲授！

收藏・1

免费・7

支持

最新回复 (16)
ww990 雪币： 217 活跃值： (81) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 285 粉丝 0 关注私信	ww990 1 2 楼放个DES的delphi源代码 unit des; interface uses SysUtils,IniFiles; type TKeyByte = array[0..5] of Byte; TDesMode = (dmEncry, dmDecry); function EncryStr(Str, Key: String): String; function DecryStr(Str, Key: String): String; function EncryStrHex(Str, Key: String): String; function DecryStrHex(StrHex, Key: String): String; const BitIP: array[0..63] of Byte = (57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7, 56, 48, 40, 32, 24, 16, 8, 0, 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6 ); BitCP: array[0..63] of Byte = ( 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25, 32, 0, 40, 8, 48, 16, 56, 24 ); BitExp: array[0..47] of Integer = ( 31, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 8, 7, 8, 9,10, 11,12,11,12,13,14,15,16,15,16,17,18,19,20,19,20, 21,22,23,24,23,24,25,26,27,28,27,28,29,30,31,0 ); BitPM: array[0..31] of Byte = ( 15, 6,19,20,28,11,27,16, 0,14,22,25, 4,17,30, 9, 1, 7,23,13,31,26, 2, 8,18,12,29, 5,21,10, 3,24 ); sBox: array[0..7] of array[0..63] of Byte = ( ( 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 ), ( 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 ), ( 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 ), ( 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 ), ( 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 ), ( 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 ), ( 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 ), ( 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 ) ); BitPMC1: array[0..55] of Byte = ( 56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3 ); BitPMC2: array[0..47] of Byte = ( 13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, 22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1, 40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47, 43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 ); var subKey: array[0..15] of TKeyByte; implementation procedure initPermutation(var inData: array of Byte); var newData: array[0..7] of Byte; i: Integer; begin FillChar(newData, 8, 0); for i := 0 to 63 do if (inData[BitIP[i] shr 3] and (1 shl (7- (BitIP[i] and $07)))) <> 0 then newData[i shr 3] := newData[i shr 3] or (1 shl (7-(i and $07))); for i := 0 to 7 do inData[i] := newData[i]; end; procedure conversePermutation(var inData: array of Byte); var newData: array[0..7] of Byte; i: Integer; begin FillChar(newData, 8, 0); for i := 0 to 63 do if (inData[BitCP[i] shr 3] and (1 shl (7-(BitCP[i] and $07)))) <> 0 then newData[i shr 3] := newData[i shr 3] or (1 shl (7-(i and $07))); for i := 0 to 7 do inData[i] := newData[i]; end; procedure expand(inData: array of Byte; var outData: array of Byte); var i: Integer; begin FillChar(outData, 6, 0); for i := 0 to 47 do if (inData[BitExp[i] shr 3] and (1 shl (7-(BitExp[i] and $07)))) <> 0 then outData[i shr 3] := outData[i shr 3] or (1 shl (7-(i and $07))); end; procedure permutation(var inData: array of Byte); var newData: array[0..3] of Byte; i: Integer; begin FillChar(newData, 4, 0); for i := 0 to 31 do if (inData[BitPM[i] shr 3] and (1 shl (7-(BitPM[i] and $07)))) <> 0 then newData[i shr 3] := newData[i shr 3] or (1 shl (7-(i and $07))); for i := 0 to 3 do inData[i] := newData[i]; end; function si(s,inByte: Byte): Byte; var c: Byte; begin c := (inByte and $20) or ((inByte and $1e) shr 1) or ((inByte and $01) shl 4); Result := (sBox[s][c] and $0f); end; procedure permutationChoose1(inData: array of Byte; var outData: array of Byte); var i: Integer; begin FillChar(outData, 7, 0); for i := 0 to 55 do if (inData[BitPMC1[i] shr 3] and (1 shl (7-(BitPMC1[i] and $07)))) <> 0 then outData[i shr 3] := outData[i shr 3] or (1 shl (7-(i and $07))); end; procedure permutationChoose2(inData: array of Byte; var outData: array of Byte); var i: Integer; begin FillChar(outData, 6, 0); for i := 0 to 47 do if (inData[BitPMC2[i] shr 3] and (1 shl (7-(BitPMC2[i] and $07)))) <> 0 then outData[i shr 3] := outData[i shr 3] or (1 shl (7-(i and $07))); end; procedure cycleMove(var inData: array of Byte; bitMove: Byte); var i: Integer; begin for i := 0 to bitMove - 1 do begin inData[0] := (inData[0] shl 1) or (inData[1] shr 7); inData[1] := (inData[1] shl 1) or (inData[2] shr 7); inData[2] := (inData[2] shl 1) or (inData[3] shr 7); inData[3] := (inData[3] shl 1) or ((inData[0] and $10) shr 4); inData[0] := (inData[0] and $0f); end; end; procedure makeKey(inKey: array of Byte; var outKey: array of TKeyByte); const bitDisplace: array[0..15] of Byte = ( 1,1,2,2, 2,2,2,2, 1,2,2,2, 2,2,2,1 ); var outData56: array[0..6] of Byte; key28l: array[0..3] of Byte; key28r: array[0..3] of Byte; key56o: array[0..6] of Byte; i: Integer; begin permutationChoose1(inKey, outData56); key28l[0] := outData56[0] shr 4; key28l[1] := (outData56[0] shl 4) or (outData56[1] shr 4); key28l[2] := (outData56[1] shl 4) or (outData56[2] shr 4); key28l[3] := (outData56[2] shl 4) or (outData56[3] shr 4); key28r[0] := outData56[3] and $0f; key28r[1] := outData56[4]; key28r[2] := outData56[5]; key28r[3] := outData56[6]; for i := 0 to 15 do begin cycleMove(key28l, bitDisplace[i]); cycleMove(key28r, bitDisplace[i]); key56o[0] := (key28l[0] shl 4) or (key28l[1] shr 4); key56o[1] := (key28l[1] shl 4) or (key28l[2] shr 4); key56o[2] := (key28l[2] shl 4) or (key28l[3] shr 4); key56o[3] := (key28l[3] shl 4) or (key28r[0]); key56o[4] := key28r[1]; key56o[5] := key28r[2]; key56o[6] := key28r[3]; permutationChoose2(key56o, outKey[i]); end; end; procedure encry(inData, subKey: array of Byte; var outData: array of Byte); var outBuf: array[0..5] of Byte; buf: array[0..7] of Byte; i: Integer; begin expand(inData, outBuf); for i := 0 to 5 do outBuf[i] := outBuf[i] xor subKey[i]; // outBuf xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx buf[0] := outBuf[0] shr 2; //xxxxxx -> 2 buf[1] := ((outBuf[0] and $03) shl 4) or (outBuf[1] shr 4); // 4 <- xx xxxx -> 4 buf[2] := ((outBuf[1] and $0f) shl 2) or (outBuf[2] shr 6); // 2 <- xxxx xx -> 6 buf[3] := outBuf[2] and $3f; // xxxxxx buf[4] := outBuf[3] shr 2; // xxxxxx buf[5] := ((outBuf[3] and $03) shl 4) or (outBuf[4] shr 4); // xx xxxx buf[6] := ((outBuf[4] and $0f) shl 2) or (outBuf[5] shr 6); // xxxx xx buf[7] := outBuf[5] and $3f; // xxxxxx for i := 0 to 7 do buf[i] := si(i, buf[i]); for i := 0 to 3 do outBuf[i] := (buf[i2] shl 4) or buf[i2+1]; permutation(outBuf); for i := 0 to 3 do outData[i] := outBuf[i]; end; procedure desData(desMode: TDesMode; inData: array of Byte; var outData: array of Byte); // inData, outData 都为8Bytes，否则出错 var i, j: Integer; temp, buf: array[0..3] of Byte; begin for i := 0 to 7 do outData[i] := inData[i]; initPermutation(outData); if desMode = dmEncry then begin for i := 0 to 15 do begin for j := 0 to 3 do temp[j] := outData[j]; //temp = Ln for j := 0 to 3 do outData[j] := outData[j + 4]; //Ln+1 = Rn encry(outData, subKey[i], buf); //Rn ==Kn==> buf for j := 0 to 3 do outData[j + 4] := temp[j] xor buf[j]; //Rn+1 = Ln^buf end; for j := 0 to 3 do temp[j] := outData[j + 4]; for j := 0 to 3 do outData[j + 4] := outData[j]; for j := 0 to 3 do outData[j] := temp[j]; end else if desMode = dmDecry then begin for i := 15 downto 0 do begin for j := 0 to 3 do temp[j] := outData[j]; for j := 0 to 3 do outData[j] := outData[j + 4]; encry(outData, subKey[i], buf); for j := 0 to 3 do outData[j + 4] := temp[j] xor buf[j]; end; for j := 0 to 3 do temp[j] := outData[j + 4]; for j := 0 to 3 do outData[j + 4] := outData[j]; for j := 0 to 3 do outData[j] := temp[j]; end; conversePermutation(outData); end; ////////////////////////////////////////////////////////////// function EncryStr(Str, Key: String): String; var StrByte, OutByte, KeyByte: array[0..7] of Byte; StrResult: String; I, J: Integer; begin if (Length(Str) > 0) and (Ord(Str[Length(Str)]) = 0) then raise Exception.Create('Error: the last char is NULL char.'); if Length(Key) < 8 then while Length(Key) < 8 do Key := Key + Chr(0); while Length(Str) mod 8 <> 0 do Str := Str + Chr(0); for J := 0 to 7 do KeyByte[J] := Ord(Key[J + 1]); makeKey(keyByte, subKey); StrResult := ''; for I := 0 to Length(Str) div 8 - 1 do begin for J := 0 to 7 do StrByte[J] := Ord(Str[I * 8 + J + 1]); desData(dmEncry, StrByte, OutByte); for J := 0 to 7 do StrResult := StrResult + Chr(OutByte[J]); end; Result := StrResult; end; function DecryStr(Str, Key: String): String; var StrByte, OutByte, KeyByte: array[0..7] of Byte; StrResult: String; I, J: Integer; begin if Length(Key) < 8 then while Length(Key) < 8 do Key := Key + Chr(0); for J := 0 to 7 do KeyByte[J] := Ord(Key[J + 1]); makeKey(keyByte, subKey); StrResult := ''; for I := 0 to Length(Str) div 8 - 1 do begin for J := 0 to 7 do StrByte[J] := Ord(Str[I * 8 + J + 1]); desData(dmDecry, StrByte, OutByte); for J := 0 to 7 do StrResult := StrResult + Chr(OutByte[J]); end; while (Length(StrResult) > 0) and (Ord(StrResult[Length(StrResult)]) = 0) do Delete(StrResult, Length(StrResult), 1); Result := StrResult; end; /////////////////////////////////////////////////////////// function EncryStrHex(Str, Key: String): String; var StrResult, TempResult, Temp: String; I: Integer; begin TempResult := EncryStr(Str, Key); StrResult := ''; for I := 0 to Length(TempResult) - 1 do begin Temp := Format('%x', [Ord(TempResult[I + 1])]); if Length(Temp) = 1 then Temp := '0' + Temp; StrResult := StrResult + Temp; end; Result := StrResult; end; function DecryStrHex(StrHex, Key: String): String; function HexToInt(Hex: String): Integer; var I, Res: Integer; ch: Char; begin Res := 0; for I := 0 to Length(Hex) - 1 do begin ch := Hex[I + 1]; if (ch >= '0') and (ch <= '9') then Res := Res * 16 + Ord(ch) - Ord('0') else if (ch >= 'A') and (ch <= 'F') then Res := Res * 16 + Ord(ch) - Ord('A') + 10 else if (ch >= 'a') and (ch <= 'f') then Res := Res * 16 + Ord(ch) - Ord('a') + 10 else raise Exception.Create('Error: not a Hex String'); end; Result := Res; end; var Str, Temp: String; I: Integer; begin Str := ''; for I := 0 to Length(StrHex) div 2 - 1 do begin Temp := Copy(StrHex, I * 2 + 1, 2); Str := Str + Chr(HexToInt(Temp)); end; Result := DecryStr(Str, Key); end; end. 2006-4-1 14:38 0
aki 雪币： 223 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 17 回帖 592 粉丝 0 关注私信	aki 2 3 楼看不懂，迷糊 2006-4-1 14:59 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 4 楼谢谢2楼的，收藏先。等学会了编程再用上，现在先把这个yahoo通群发器当加解密工具，呵呵。 2006-4-1 15:43 0
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 5 楼支持+学习 2006-4-1 16:18 0
ikki 雪币： 270 活跃值： (176) 能力值： ( LV12，RANK：370 ) 在线值：发帖 17 回帖 316 粉丝 1 关注私信	ikki 9 6 楼最初由 cyto* 发布* 谢谢2楼的，收藏先。等学会了编程再用上，现在先把这个yahoo通群发器当加解密工具，呵呵。这个... 作者知道了要吐血的怎么没把不用到的入口注释掉. 2006-4-1 16:52 0
lingyu 雪币： 1022 活跃值： (31) 能力值： ( LV4，RANK：50 ) 在线值：发帖 29 回帖 449 粉丝 0 关注私信	lingyu 1 7 楼好文章，收下了。 2006-4-1 16:55 0
kitty 雪币： 93 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 93 粉丝 1 关注私信	kitty 8 楼我等愚人在愚人节灌水一篇 2006-4-1 17:28 0
4nil 雪币： 313 活跃值： (440) 能力值： ( LV12，RANK：530 ) 在线值：发帖 45 回帖 631 粉丝 2 关注私信	4nil 13 9 楼对于使用RSA算法的一些程序也可以如此的.. 2006-4-1 18:14 0
koala 雪币： 222 活跃值： (40) 能力值： ( LV8，RANK：130 ) 在线值：发帖 4 回帖 178 粉丝 0 关注私信	koala 3 10 楼好文，支持 2006-4-1 19:48 0
yujinjianx 雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 99 粉丝 0 关注私信	yujinjianx 11 楼支持 2006-4-1 20:50 0
yuwei 雪币： 127 活跃值： (1785) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 191 粉丝 1 关注私信	yuwei 12 楼收下了支持 2006-4-1 20:53 0
ah007 雪币： 250 活跃值： (103) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 199 粉丝 1 关注私信	ah007 2 13 楼强！ 2006-4-1 22:04 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 14 楼最初由 4nil* 发布* 对于使用RSA算法的一些程序也可以如此的.. 解完程序后有想到对称算法可以通过修改数据实现加解密，也想过不对称的也许可以，还没试过。 2006-4-2 06:57 0
张xiaoye 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 9 粉丝 0 关注私信	张xiaoye 15 楼呵呵,找呃篇文章找好久了偶素菜?...真的很??,著著?上的大大 2006-4-15 00:29 0
eyesonly 雪币： 247 活跃值： (18) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 262 粉丝 0 关注私信	eyesonly 16 楼谢谢了，学习一下 2006-4-15 00:33 0
arrowwind 雪币： 215 活跃值： (85) 能力值： ( LV4，RANK：50 ) 在线值：发帖 14 回帖 111 粉丝 0 关注私信	arrowwind 1 17 楼原来如此啊 2006-4-15 15:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

cyto

发帖

624

回帖

1250

RANK

关注

私信

他的文章

[原创]-[简单的RSA]-Apex MPEG VCD DVD Converter 4.94 6695
[Asprotect]-[体验Volx 2.2脚本]-VidLogo 3.1 15455
[对称算法]-XX抠图 1.08 9251
[Asprotect]-Aston 1.92 8573
[BD][RSA+Base64]-gwyzl 5.1 8024

关于我们

联系我们

企业服务

看雪公众号

最新回复 (16)
ww990 雪币： 217 活跃值： (81) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 285 粉丝 0 关注私信	ww990 1 2 楼放个DES的delphi源代码 unit des; interface uses SysUtils,IniFiles; type TKeyByte = array[0..5] of Byte; TDesMode = (dmEncry, dmDecry); function EncryStr(Str, Key: String): String; function DecryStr(Str, Key: String): String; function EncryStrHex(Str, Key: String): String; function DecryStrHex(StrHex, Key: String): String; const BitIP: array[0..63] of Byte = (57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7, 56, 48, 40, 32, 24, 16, 8, 0, 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6 ); BitCP: array[0..63] of Byte = ( 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25, 32, 0, 40, 8, 48, 16, 56, 24 ); BitExp: array[0..47] of Integer = ( 31, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 8, 7, 8, 9,10, 11,12,11,12,13,14,15,16,15,16,17,18,19,20,19,20, 21,22,23,24,23,24,25,26,27,28,27,28,29,30,31,0 ); BitPM: array[0..31] of Byte = ( 15, 6,19,20,28,11,27,16, 0,14,22,25, 4,17,30, 9, 1, 7,23,13,31,26, 2, 8,18,12,29, 5,21,10, 3,24 ); sBox: array[0..7] of array[0..63] of Byte = ( ( 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 ), ( 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 ), ( 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 ), ( 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 ), ( 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 ), ( 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 ), ( 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 ), ( 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 ) ); BitPMC1: array[0..55] of Byte = ( 56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3 ); BitPMC2: array[0..47] of Byte = ( 13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, 22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1, 40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47, 43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 ); var subKey: array[0..15] of TKeyByte; implementation procedure initPermutation(var inData: array of Byte); var newData: array[0..7] of Byte; i: Integer; begin FillChar(newData, 8, 0); for i := 0 to 63 do if (inData[BitIP[i] shr 3] and (1 shl (7- (BitIP[i] and $07)))) <> 0 then newData[i shr 3] := newData[i shr 3] or (1 shl (7-(i and $07))); for i := 0 to 7 do inData[i] := newData[i]; end; procedure conversePermutation(var inData: array of Byte); var newData: array[0..7] of Byte; i: Integer; begin FillChar(newData, 8, 0); for i := 0 to 63 do if (inData[BitCP[i] shr 3] and (1 shl (7-(BitCP[i] and $07)))) <> 0 then newData[i shr 3] := newData[i shr 3] or (1 shl (7-(i and $07))); for i := 0 to 7 do inData[i] := newData[i]; end; procedure expand(inData: array of Byte; var outData: array of Byte); var i: Integer; begin FillChar(outData, 6, 0); for i := 0 to 47 do if (inData[BitExp[i] shr 3] and (1 shl (7-(BitExp[i] and $07)))) <> 0 then outData[i shr 3] := outData[i shr 3] or (1 shl (7-(i and $07))); end; procedure permutation(var inData: array of Byte); var newData: array[0..3] of Byte; i: Integer; begin FillChar(newData, 4, 0); for i := 0 to 31 do if (inData[BitPM[i] shr 3] and (1 shl (7-(BitPM[i] and $07)))) <> 0 then newData[i shr 3] := newData[i shr 3] or (1 shl (7-(i and $07))); for i := 0 to 3 do inData[i] := newData[i]; end; function si(s,inByte: Byte): Byte; var c: Byte; begin c := (inByte and $20) or ((inByte and $1e) shr 1) or ((inByte and $01) shl 4); Result := (sBox[s][c] and $0f); end; procedure permutationChoose1(inData: array of Byte; var outData: array of Byte); var i: Integer; begin FillChar(outData, 7, 0); for i := 0 to 55 do if (inData[BitPMC1[i] shr 3] and (1 shl (7-(BitPMC1[i] and $07)))) <> 0 then outData[i shr 3] := outData[i shr 3] or (1 shl (7-(i and $07))); end; procedure permutationChoose2(inData: array of Byte; var outData: array of Byte); var i: Integer; begin FillChar(outData, 6, 0); for i := 0 to 47 do if (inData[BitPMC2[i] shr 3] and (1 shl (7-(BitPMC2[i] and $07)))) <> 0 then outData[i shr 3] := outData[i shr 3] or (1 shl (7-(i and $07))); end; procedure cycleMove(var inData: array of Byte; bitMove: Byte); var i: Integer; begin for i := 0 to bitMove - 1 do begin inData[0] := (inData[0] shl 1) or (inData[1] shr 7); inData[1] := (inData[1] shl 1) or (inData[2] shr 7); inData[2] := (inData[2] shl 1) or (inData[3] shr 7); inData[3] := (inData[3] shl 1) or ((inData[0] and $10) shr 4); inData[0] := (inData[0] and $0f); end; end; procedure makeKey(inKey: array of Byte; var outKey: array of TKeyByte); const bitDisplace: array[0..15] of Byte = ( 1,1,2,2, 2,2,2,2, 1,2,2,2, 2,2,2,1 ); var outData56: array[0..6] of Byte; key28l: array[0..3] of Byte; key28r: array[0..3] of Byte; key56o: array[0..6] of Byte; i: Integer; begin permutationChoose1(inKey, outData56); key28l[0] := outData56[0] shr 4; key28l[1] := (outData56[0] shl 4) or (outData56[1] shr 4); key28l[2] := (outData56[1] shl 4) or (outData56[2] shr 4); key28l[3] := (outData56[2] shl 4) or (outData56[3] shr 4); key28r[0] := outData56[3] and $0f; key28r[1] := outData56[4]; key28r[2] := outData56[5]; key28r[3] := outData56[6]; for i := 0 to 15 do begin cycleMove(key28l, bitDisplace[i]); cycleMove(key28r, bitDisplace[i]); key56o[0] := (key28l[0] shl 4) or (key28l[1] shr 4); key56o[1] := (key28l[1] shl 4) or (key28l[2] shr 4); key56o[2] := (key28l[2] shl 4) or (key28l[3] shr 4); key56o[3] := (key28l[3] shl 4) or (key28r[0]); key56o[4] := key28r[1]; key56o[5] := key28r[2]; key56o[6] := key28r[3]; permutationChoose2(key56o, outKey[i]); end; end; procedure encry(inData, subKey: array of Byte; var outData: array of Byte); var outBuf: array[0..5] of Byte; buf: array[0..7] of Byte; i: Integer; begin expand(inData, outBuf); for i := 0 to 5 do outBuf[i] := outBuf[i] xor subKey[i]; // outBuf xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx buf[0] := outBuf[0] shr 2; //xxxxxx -> 2 buf[1] := ((outBuf[0] and $03) shl 4) or (outBuf[1] shr 4); // 4 <- xx xxxx -> 4 buf[2] := ((outBuf[1] and $0f) shl 2) or (outBuf[2] shr 6); // 2 <- xxxx xx -> 6 buf[3] := outBuf[2] and $3f; // xxxxxx buf[4] := outBuf[3] shr 2; // xxxxxx buf[5] := ((outBuf[3] and $03) shl 4) or (outBuf[4] shr 4); // xx xxxx buf[6] := ((outBuf[4] and $0f) shl 2) or (outBuf[5] shr 6); // xxxx xx buf[7] := outBuf[5] and $3f; // xxxxxx for i := 0 to 7 do buf[i] := si(i, buf[i]); for i := 0 to 3 do outBuf[i] := (buf[i2] shl 4) or buf[i2+1]; permutation(outBuf); for i := 0 to 3 do outData[i] := outBuf[i]; end; procedure desData(desMode: TDesMode; inData: array of Byte; var outData: array of Byte); // inData, outData 都为8Bytes，否则出错 var i, j: Integer; temp, buf: array[0..3] of Byte; begin for i := 0 to 7 do outData[i] := inData[i]; initPermutation(outData); if desMode = dmEncry then begin for i := 0 to 15 do begin for j := 0 to 3 do temp[j] := outData[j]; //temp = Ln for j := 0 to 3 do outData[j] := outData[j + 4]; //Ln+1 = Rn encry(outData, subKey[i], buf); //Rn ==Kn==> buf for j := 0 to 3 do outData[j + 4] := temp[j] xor buf[j]; //Rn+1 = Ln^buf end; for j := 0 to 3 do temp[j] := outData[j + 4]; for j := 0 to 3 do outData[j + 4] := outData[j]; for j := 0 to 3 do outData[j] := temp[j]; end else if desMode = dmDecry then begin for i := 15 downto 0 do begin for j := 0 to 3 do temp[j] := outData[j]; for j := 0 to 3 do outData[j] := outData[j + 4]; encry(outData, subKey[i], buf); for j := 0 to 3 do outData[j + 4] := temp[j] xor buf[j]; end; for j := 0 to 3 do temp[j] := outData[j + 4]; for j := 0 to 3 do outData[j + 4] := outData[j]; for j := 0 to 3 do outData[j] := temp[j]; end; conversePermutation(outData); end; ////////////////////////////////////////////////////////////// function EncryStr(Str, Key: String): String; var StrByte, OutByte, KeyByte: array[0..7] of Byte; StrResult: String; I, J: Integer; begin if (Length(Str) > 0) and (Ord(Str[Length(Str)]) = 0) then raise Exception.Create('Error: the last char is NULL char.'); if Length(Key) < 8 then while Length(Key) < 8 do Key := Key + Chr(0); while Length(Str) mod 8 <> 0 do Str := Str + Chr(0); for J := 0 to 7 do KeyByte[J] := Ord(Key[J + 1]); makeKey(keyByte, subKey); StrResult := ''; for I := 0 to Length(Str) div 8 - 1 do begin for J := 0 to 7 do StrByte[J] := Ord(Str[I * 8 + J + 1]); desData(dmEncry, StrByte, OutByte); for J := 0 to 7 do StrResult := StrResult + Chr(OutByte[J]); end; Result := StrResult; end; function DecryStr(Str, Key: String): String; var StrByte, OutByte, KeyByte: array[0..7] of Byte; StrResult: String; I, J: Integer; begin if Length(Key) < 8 then while Length(Key) < 8 do Key := Key + Chr(0); for J := 0 to 7 do KeyByte[J] := Ord(Key[J + 1]); makeKey(keyByte, subKey); StrResult := ''; for I := 0 to Length(Str) div 8 - 1 do begin for J := 0 to 7 do StrByte[J] := Ord(Str[I * 8 + J + 1]); desData(dmDecry, StrByte, OutByte); for J := 0 to 7 do StrResult := StrResult + Chr(OutByte[J]); end; while (Length(StrResult) > 0) and (Ord(StrResult[Length(StrResult)]) = 0) do Delete(StrResult, Length(StrResult), 1); Result := StrResult; end; /////////////////////////////////////////////////////////// function EncryStrHex(Str, Key: String): String; var StrResult, TempResult, Temp: String; I: Integer; begin TempResult := EncryStr(Str, Key); StrResult := ''; for I := 0 to Length(TempResult) - 1 do begin Temp := Format('%x', [Ord(TempResult[I + 1])]); if Length(Temp) = 1 then Temp := '0' + Temp; StrResult := StrResult + Temp; end; Result := StrResult; end; function DecryStrHex(StrHex, Key: String): String; function HexToInt(Hex: String): Integer; var I, Res: Integer; ch: Char; begin Res := 0; for I := 0 to Length(Hex) - 1 do begin ch := Hex[I + 1]; if (ch >= '0') and (ch <= '9') then Res := Res * 16 + Ord(ch) - Ord('0') else if (ch >= 'A') and (ch <= 'F') then Res := Res * 16 + Ord(ch) - Ord('A') + 10 else if (ch >= 'a') and (ch <= 'f') then Res := Res * 16 + Ord(ch) - Ord('a') + 10 else raise Exception.Create('Error: not a Hex String'); end; Result := Res; end; var Str, Temp: String; I: Integer; begin Str := ''; for I := 0 to Length(StrHex) div 2 - 1 do begin Temp := Copy(StrHex, I * 2 + 1, 2); Str := Str + Chr(HexToInt(Temp)); end; Result := DecryStr(Str, Key); end; end. 2006-4-1 14:38 0
aki 雪币： 223 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 17 回帖 592 粉丝 0 关注私信	aki 2 3 楼看不懂，迷糊 2006-4-1 14:59 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 4 楼谢谢2楼的，收藏先。等学会了编程再用上，现在先把这个yahoo通群发器当加解密工具，呵呵。 2006-4-1 15:43 0
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 5 楼支持+学习 2006-4-1 16:18 0
ikki 雪币： 270 活跃值： (176) 能力值： ( LV12，RANK：370 ) 在线值：发帖 17 回帖 316 粉丝 1 关注私信	ikki 9 6 楼最初由 cyto* 发布* 谢谢2楼的，收藏先。等学会了编程再用上，现在先把这个yahoo通群发器当加解密工具，呵呵。这个... 作者知道了要吐血的怎么没把不用到的入口注释掉. 2006-4-1 16:52 0
lingyu 雪币： 1022 活跃值： (31) 能力值： ( LV4，RANK：50 ) 在线值：发帖 29 回帖 449 粉丝 0 关注私信	lingyu 1 7 楼好文章，收下了。 2006-4-1 16:55 0
kitty 雪币： 93 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 93 粉丝 1 关注私信	kitty 8 楼我等愚人在愚人节灌水一篇 2006-4-1 17:28 0
4nil 雪币： 313 活跃值： (440) 能力值： ( LV12，RANK：530 ) 在线值：发帖 45 回帖 631 粉丝 2 关注私信	4nil 13 9 楼对于使用RSA算法的一些程序也可以如此的.. 2006-4-1 18:14 0
koala 雪币： 222 活跃值： (40) 能力值： ( LV8，RANK：130 ) 在线值：发帖 4 回帖 178 粉丝 0 关注私信	koala 3 10 楼好文，支持 2006-4-1 19:48 0
yujinjianx 雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 99 粉丝 0 关注私信	yujinjianx 11 楼支持 2006-4-1 20:50 0
yuwei 雪币： 127 活跃值： (1785) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 191 粉丝 1 关注私信	yuwei 12 楼收下了支持 2006-4-1 20:53 0
ah007 雪币： 250 活跃值： (103) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 199 粉丝 1 关注私信	ah007 2 13 楼强！ 2006-4-1 22:04 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 14 楼最初由 4nil* 发布* 对于使用RSA算法的一些程序也可以如此的.. 解完程序后有想到对称算法可以通过修改数据实现加解密，也想过不对称的也许可以，还没试过。 2006-4-2 06:57 0
张xiaoye 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 9 粉丝 0 关注私信	张xiaoye 15 楼呵呵,找呃篇文章找好久了偶素菜?...真的很??,著著?上的大大 2006-4-15 00:29 0
eyesonly 雪币： 247 活跃值： (18) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 262 粉丝 0 关注私信	eyesonly 16 楼谢谢了，学习一下 2006-4-15 00:33 0
arrowwind 雪币： 215 活跃值： (85) 能力值： ( LV4，RANK：50 ) 在线值：发帖 14 回帖 111 粉丝 0 关注私信	arrowwind 1 17 楼原来如此啊 2006-4-15 15:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复