【文章标题】cnbragon兄的SHA和IDEA加密KeyGenMe算法分析
【分析目标】cnbragon兄的KeyGenMe #3
【作 者】小虾&zhanshen[dfcg][rct]
【所用工具】OllyDbg
【声 明】只是个人兴趣,没有其它意思,如要转载,请保留一切信息。
趁着5月1日比较有时间,拿到cnbragon兄的KeyGenMe玩玩,真是收获良多,认识了乘法逆元、IDEA算法。
在开始分析前,用kanal23查了一下程序,发现该程序用了SHA算法,后经过跟踪发现还用了IDEA算法,在此还要谢谢cnbragon兄,是他的提醒我才发现是用了IDEA算法,不然还在晕头呢。(cnbragon兄,来,亲一个 cnbragon吓得赶紧跑掉),不过,刚开始在程序里看到一个私钥0x10001时还以为是RSA算法!。呵呵,废话说多了。开始吧:
首先输入用户名和注册码:
Name: zhanshen[dfcg][rct]
Code: 1234567898765432 //注册码的位数必须是16位。为什么知道,后面有说^_^
下断自然优先选择GetDlgItemTextA(W)、GetWindowTextA(W)等读取Edit编辑框内容的API函数了。
输入用户名和注册码后按Chack键,程序中断在GetDlgItemTextA函数中(如果你是断在GetDlgItemTextA系统函数的领空中(看地址,如果在7xxxxxxx以上就属于系统函数领空),就按Alt+F9返回到程序领空里)。
; ----------------------------------------------------------------------
; Serial-check routine, shown from 00401700 onward. The function starts
; earlier: its prologue (the SUB ESP,610 and the PUSH EBX/ESI/EDI that the
; epilogues below undo) is not in this listing. OllyDbg dump, Intel syntax,
; x86-32. Stack offsets in comments are relative to B = ESP at 00401700.
; Register roles visible here: ESI = dialog hWnd, EDI = &GetDlgItemTextA,
;   EBX appears to hold 0 (used as NULL/zero below; its setup is out of view).
; Verification performed:
;   W = the 16-char serial parsed as four 16-bit hex words       (B+32)
;   H = SHA-1(name), 20 bytes                                    (B+40)
;   C = IDEA_encrypt(key = H[0..15], W)                          (B+194)
;   success iff C == H[16..19] || VolumeSerial("C:\")            (B+25C)
; Design note: the IDEA key and the reference value both derive from inputs
;   available to whoever runs the program, and IDEA is a reversible symmetric
;   cipher, so the check is invertible by construction; a signature verified
;   with a public key (private key kept off the client) would not be. The
;   volume serial merely ties a serial to one machine.
; ----------------------------------------------------------------------
00401700 |. 8>LEA EAX,DWORD PTR SS:[ESP+3EC] ; EAX = name buffer (B+3EC, up to 0xC9 chars)
00401707 |. 3>XOR ECX,ECX ; read the user name (control 3E8)
00401709 |. 6>PUSH 0C9 ; /Count = C9 (201.)
0040170E |. 5>PUSH EAX ; |Buffer
0040170F |. 8>MOV DWORD PTR SS:[ESP+3A],ECX ; | local initialisation interleaved with the argument pushes (ECX = 0; EDX/BX set before this view)
00401713 |. 8>MOV DWORD PTR SS:[ESP+1A],EDX ; |
00401717 |. 6>PUSH 3E8 ; |ControlID = 3E8 (1000.)
0040171C |. 5>PUSH ESI ; |hWnd
0040171D |. 6>MOV WORD PTR SS:[ESP+2C],BX ; |
00401722 |. 6>MOV WORD PTR SS:[ESP+40],BX ; |
00401727 |. 8>MOV DWORD PTR SS:[ESP+46],ECX ; |
0040172B |. 6>MOV WORD PTR SS:[ESP+20],BX ; |
00401730 |. 8>MOV DWORD PTR SS:[ESP+26],EDX ; |
00401734 |. 8>MOV DWORD PTR SS:[ESP+1C],EBX ; |
// the GetDlgItemTextA breakpoint lands here
00401738 |. F>CALL EDI ; \GetDlgItemTextA
0040173A |. 3>CMP EAX,EBX ; EAX = number of characters copied
0040173C |. 8>MOV DWORD PTR SS:[ESP+3C],EAX ; name length saved at B+3C
00401740 |. 7>JNZ SHORT KEYGENME.0040175F ; an empty name is rejected
00401742 |. 6>PUSH KEYGENME.00408048 ; /Text = "Wrong Serial!"
00401747 |. 6>PUSH 3E9 ; |ControlID = 3E9 (1001.)
0040174C |. 5>PUSH ESI ; |hWnd
0040174D |. F>CALL DWORD PTR DS:[<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA
00401753 |. 5>POP EDI
00401754 |. 5>POP ESI
00401755 |. 3>XOR EAX,EAX ; return 0 (failure)
00401757 |. 5>POP EBX
00401758 |. 8>ADD ESP,610 ; frame size 0x610
0040175E |. C>RETN
0040175F |> 8>LEA ECX,DWORD PTR SS:[ESP+324] ; read the serial (control 3E9) into B+324
00401766 |. 6>PUSH 0C9
0040176B |. 5>PUSH ECX
0040176C |. 6>PUSH 3E9
00401771 |. 5>PUSH ESI
00401772 |. F>CALL EDI
00401774 |. 8>CMP EAX,10 ; 0x10 = 16 characters
00401777 |. 7>JE SHORT KEYGENME.00401796 ; the serial must be exactly 16 characters long, otherwise error
00401779 |. 6>PUSH KEYGENME.00408048 ; /Text = "Wrong Serial!"
0040177E |. 6>PUSH 3E9 ; |ControlID = 3E9 (1001.)
00401783 |. 5>PUSH ESI ; |hWnd
00401784 |. F>CALL DWORD PTR DS:[<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA
0040178A |. 5>POP EDI
0040178B |. 5>POP ESI
0040178C |. 3>XOR EAX,EAX ; return 0 (failure)
0040178E |. 5>POP EBX
0040178F |. 8>ADD ESP,610
00401795 |. C>RETN
00401796 |> 5>PUSH EBP
00401797 |. 8>LEA EDI,DWORD PTR SS:[ESP+328] ; EDI = serial text (B+324)
0040179E |. 8>LEA ESI,DWORD PTR SS:[ESP+36] ; ESI = destination of the 4 parsed words (B+32)
004017A2 |. B>MOV EBP,4 ; convert the serial into four 16-bit hex words
004017A7 |> 5>/PUSH ESI ; /lpwCodeBuffer
004017A8 |. 6>|PUSH KEYGENME.00408040 ; |ASCII "%04X"
004017AD |. 5>|PUSH EDI ; |lpcCharStr
004017AE |. E>|CALL KEYGENME.00401900 ; \_sscanf
004017B3 |. 8>|ADD ESP,0C
004017B6 |. 8>|ADD ESI,2 ; next word; "%04X" presumably stores a 4-byte int while the pointer advances 2, so each store is partly overwritten by the next and the last store's high half lands at B+3A..3B (unused)
004017B9 |. 8>|ADD EDI,4 ; next 4 hex digits
004017BC |. 4>|DEC EBP
004017BD |.^ 7>\JNZ SHORT KEYGENME.004017A7
004017BF |. 8>LEA EDX,DWORD PTR SS:[ESP+4B8] ; SHA-1 context at B+4B4: zero the bit count, load H0..H4
004017C6 |. 5>PUSH EDX ; /lpdwSHACountAndwKeyBuffer
004017C7 |. E>CALL KEYGENME.00401000 ; \SetdwSHACountAndKeyBuffer
004017CC |. 8>MOV EDI,DWORD PTR SS:[ESP+44] ; EDI = name length (B+3C)
004017D0 |. 8>ADD ESP,4
004017D3 |. 3>XOR ESI,ESI ; ESI = byte index into the name
004017D5 |. 3>CMP EDI,EBX
004017D7 |. 5>POP EBP
004017D8 |. 7>JLE SHORT KEYGENME.004017F8 ; skip the loop for a non-positive length
004017DA |> 0>/MOVSX EAX,BYTE PTR SS:[ESP+ESI+3EC] ; feed each name byte to SHA-1 (sign-extended here; 00401040 masks it to 8 bits)
004017E2 |. 8>|LEA ECX,DWORD PTR SS:[ESP+4B4]
004017E9 |. 5>|PUSH EAX ; /lpcCharStr
004017EA |. 5>|PUSH ECX ; |lpwNameBuffer
004017EB |. E>|CALL KEYGENME.00401040 ; \_SetszNameTowName64BitSHAKey
004017F0 |. 8>|ADD ESP,8
004017F3 |. 4>|INC ESI
004017F4 |. 3>|CMP ESI,EDI
004017F6 |.^ 7>\JL SHORT KEYGENME.004017DA
004017F8 |> 8>LEA EDX,DWORD PTR SS:[ESP+40] ; 20-byte digest destination (B+40)
004017FC |. 8>LEA EAX,DWORD PTR SS:[ESP+4B4]
00401803 |. 5>PUSH EDX ; /lpwSHATmpKeyBuffer
00401804 |. 5>PUSH EAX ; |lpwSHAKeyBuffer
00401805 |. E>CALL KEYGENME.004012A0 ; \SHAEncrypt -- SHA-1 finalisation: H = SHA-1(name)
0040180A |. 8>ADD ESP,8
0040180D |. 8>LEA ECX,DWORD PTR SS:[ESP+C] ; query the volume serial number of C:\ into B+C
00401811 |. 5>PUSH EBX ; /pFileSystemNameSize
00401812 |. 5>PUSH EBX ; |pFileSystemNameBuffer
00401813 |. 5>PUSH EBX ; |pFileSystemFlags
00401814 |. 5>PUSH EBX ; |pMaxFilenameLength
00401815 |. 5>PUSH ECX ; |pVolumeSerialNumber
00401816 |. 5>PUSH EBX ; |MaxVolumeNameSize
00401817 |. 5>PUSH EBX ; |VolumeNameBuffer
00401818 |. 6>PUSH KEYGENME.0040803C ; |RootPathName = "C:\"
0040181D |. F>CALL DWORD PTR DS:[<&KERNEL32.GetVolumeInformati>; \GetVolumeInformationA -- return value is not checked; on failure B+C keeps whatever it held before
00401823 |. 8>MOV EDX,DWORD PTR SS:[ESP+40] ; digest dwords 0-3 (H[0..15]) become the 128-bit IDEA key at B+1E..B+2D
00401827 |. 8>MOV EAX,DWORD PTR SS:[ESP+44]
0040182B |. 8>MOV ECX,DWORD PTR SS:[ESP+48]
0040182F |. 8>MOV DWORD PTR SS:[ESP+1E],EDX
00401833 |. 8>MOV EDX,DWORD PTR SS:[ESP+4C]
00401837 |. 8>MOV DWORD PTR SS:[ESP+22],EAX
0040183B |. 8>MOV EAX,DWORD PTR SS:[ESP+50]
0040183F |. 8>MOV DWORD PTR SS:[ESP+2A],EDX
00401843 |. 8>MOV DWORD PTR SS:[ESP+25C],EAX ; digest dword 4 (H[16..19]) = first half of the expected value, at B+25C
0040184A |. 8>LEA EDX,DWORD PTR SS:[ESP+108] ; expanded-key buffer at B+108
00401851 |. 8>MOV DWORD PTR SS:[ESP+26],ECX
00401855 |. 8>MOV ECX,DWORD PTR SS:[ESP+C] ; ECX = volume serial
00401859 |. 8>LEA EAX,DWORD PTR SS:[ESP+1C] ; key struct at B+1C; the key bytes start at +2, matching the ADD EAX,2 in 004014C0
0040185D |. 5>PUSH EDX ; /lpIdeaEnKeyBuffer
0040185E |. 5>PUSH EAX ; |lpIdeaUserKey
0040185F |. 8>MOV DWORD PTR SS:[ESP+268],ECX ; volume serial = second half of the expected value, at B+260
00401866 |. E>CALL KEYGENME.004014C0 ; \InitIdeaEnKey -- IDEA key schedule (cdecl: both args stay pushed until the ADD ESP,14 below)
0040186B |. 8>LEA ECX,DWORD PTR SS:[ESP+110] ; expanded key (B+108)
00401872 |. 8>LEA EDX,DWORD PTR SS:[ESP+18] ; ciphertext struct at B+10 (words written at +2..+8)
00401876 |. 5>PUSH ECX ; /lpIdeaEnKeyBuffer
00401877 |. 8>LEA EAX,DWORD PTR SS:[ESP+3C] ; plaintext struct at B+30: the 4 serial words sit at +2..+8 (B+32)
0040187B |. 5>PUSH EDX ; |lpIdeaEnOutBuffer
0040187C |. 5>PUSH EAX ; |lpIdeaEnValue
0040187D |. E>CALL KEYGENME.00401390 ; \IdeaEncrypt
00401882 |. 8>MOV ECX,DWORD PTR SS:[ESP+26] ; ciphertext words 0-1 (B+12)
00401886 |. 8>MOV EDX,DWORD PTR SS:[ESP+2A] ; ciphertext words 2-3 (B+16)
0040188A |. 8>ADD ESP,14 ; pop the 5 pushed arguments of the two cdecl calls
0040188D |. 8>MOV DWORD PTR SS:[ESP+194],ECX ; first half of the computed value (B+194)
00401894 |. B>MOV ECX,2 ; compare 2 dwords
00401899 |. 8>LEA EDI,DWORD PTR SS:[ESP+194] ; computed: IDEA ciphertext of the serial
004018A0 |. 8>LEA ESI,DWORD PTR SS:[ESP+25C] ; expected: H[16..19] || volume serial
004018A7 |. 3>XOR EAX,EAX
004018A9 |. 8>MOV DWORD PTR SS:[ESP+198],EDX ; second half of the computed value
004018B0 |. F>REPE CMPS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; ciphertext == expected ?
004018B2 |. 7>JNZ SHORT KEYGENME.004018DB ; not equal -> error; the author notes this single branch decides the outcome
004018B4 |. 8>MOV ECX,DWORD PTR SS:[ESP+620] ; success path; hWnd re-read from the first stack argument
004018BB |. 6>PUSH KEYGENME.00408030 ; /Text = "Success!"
004018C0 |. 6>PUSH 3E9 ; |ControlID = 3E9 (1001.)
004018C5 |. 5>PUSH ECX ; |hWnd
004018C6 |. F>CALL DWORD PTR DS:[<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA
004018CC |. 5>POP EDI
004018CD |. 5>POP ESI
004018CE |. B>MOV EAX,1 ; return 1 (success)
004018D3 |. 5>POP EBX
004018D4 |. 8>ADD ESP,610
004018DA |. C>RETN
004018DB |> 8>MOV EDX,DWORD PTR SS:[ESP+620] ; failure path
004018E2 |. 6>PUSH KEYGENME.00408048 ; /Text = "Wrong Serial!"
004018E7 |. 6>PUSH 3E9 ; |ControlID = 3E9 (1001.)
004018EC |. 5>PUSH EDX ; |hWnd
004018ED |. F>CALL DWORD PTR DS:[<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA
004018F3 |. 5>POP EDI
004018F4 |. 5>POP ESI
004018F5 |. 3>XOR EAX,EAX ; return 0 (failure)
004018F7 |. 5>POP EBX
004018F8 |. 8>ADD ESP,610
004018FE \. C>RETN
/****************************************************************/
//初始化SHA常数函数
; ----------------------------------------------------------------------
; void SetdwSHACountAndKeyBuffer(DWORD *ctx)   (cdecl; name as used by the author)
; SHA-1 context (re)initialisation. Layout it establishes, relied on by
; 00401040 and 004012A0:
;   ctx[0], ctx[1]  = processed-bit count, low/high dword (00401040 adds 8 per byte)
;   ctx[2..6]       = H0..H4, the standard SHA-1 initial hash values
;   ctx+0x28 ..     = 0x50 dwords zeroed; the 16 message-block words W[0..15]
;                     are packed at the start of this area (the remainder is
;                     for the transform 00401090, which is not in the listing)
; In:    [ESP+4] = ctx
; Out:   nothing in registers
; Clobb: EAX, ECX, EDX, flags (EDI saved/restored)
; ----------------------------------------------------------------------
00401000 /$ 8>MOV EDX,DWORD PTR SS:[ESP+4] ; EDX = ctx
00401004 |. 5>PUSH EDI
00401005 |. B>MOV ECX,50 ; 0x50 dwords
0040100A |. 3>XOR EAX,EAX
0040100C |. 8>LEA EDI,DWORD PTR DS:[EDX+28]
0040100F |. F>REP STOS DWORD PTR ES:[EDI] ; zero ctx+0x28 .. ctx+0x167
00401011 |. 8>MOV DWORD PTR DS:[EDX+4],EAX ; bit count, high dword = 0
00401014 |. 8>MOV DWORD PTR DS:[EDX],EAX ; bit count, low dword = 0
00401016 |. C>MOV DWORD PTR DS:[EDX+8],67452301 // the five SHA-1 initial hash values H0..H4 (FIPS 180-1)
0040101D |. C>MOV DWORD PTR DS:[EDX+C],EFCDAB89
00401024 |. C>MOV DWORD PTR DS:[EDX+10],98BADCFE
0040102B |. C>MOV DWORD PTR DS:[EDX+14],10325476
00401032 |. C>MOV DWORD PTR DS:[EDX+18],C3D2E1F0
00401039 |. 5>POP EDI
0040103A \. C>RETN
/****************************************************************/
//初始化SHA的64位Key函数
; ----------------------------------------------------------------------
; void SetszNameTowName64BitSHAKey(DWORD *ctx, int byte)   (cdecl; author's name)
; Despite the name this is SHA-1 "update with one byte": the byte is packed
; big-endian into the current 32-bit word of the 16-word block, the bit
; count advances by 8, and once 512 bits are buffered the block is
; compressed by 00401090 (not in this listing).
; In:    [ESP+4] = ctx (layout set up by 00401000)
;        [ESP+8] = byte; only its low 8 bits are used
; Out:   ctx updated; nothing meaningful in registers
; Clobb: EAX, ECX, EDX, flags (ESI saved/restored)
; ----------------------------------------------------------------------
00401040 /$ 8>MOV EAX,DWORD PTR SS:[ESP+4] ; EAX = ctx
00401044 |. 5>PUSH ESI
00401045 |. 8>MOV ESI,DWORD PTR SS:[ESP+C] ; ESI = byte argument
00401049 |. 8>MOV ECX,DWORD PTR DS:[EAX] ; ECX = bit count, low dword
0040104B |. 8>AND ESI,0FF ; keep 8 bits (the caller in this listing passes a sign-extended char)
00401051 |. C>SHR ECX,5
00401054 |. 8>AND ECX,0F ; ECX = (bits / 32) mod 16 = index of the block word being filled
00401057 |. 8>MOV EDX,DWORD PTR DS:[EAX+ECX*4+28] ; EDX = W[ECX]
0040105B |. C>SHL EDX,8
0040105E |. 0>OR EDX,ESI ; W[ECX] = (W[ECX] << 8) | byte -> the first byte ends up most significant (big-endian)
00401060 |. 5>POP ESI
00401061 |. 8>MOV DWORD PTR DS:[EAX+ECX*4+28],EDX
00401065 |. 8>MOV ECX,DWORD PTR DS:[EAX]
00401067 |. 8>ADD ECX,8 ; bit count += 8
0040106A |. 8>MOV DWORD PTR DS:[EAX],ECX
0040106C |. 7>JNZ SHORT KEYGENME.0040107B ; ZF is from the ADD: the low dword wrapped to 0 -> carry into the high dword
0040106E |. 8>MOV ECX,DWORD PTR DS:[EAX+4]
00401071 |. C>MOV DWORD PTR DS:[EAX],0
00401077 |. 4>INC ECX
00401078 |. 8>MOV DWORD PTR DS:[EAX+4],ECX
0040107B |> F>TEST DWORD PTR DS:[EAX],1FF ; 512 bits buffered (count % 512 == 0) ?
00401081 |. 7>JNZ SHORT KEYGENME.0040108A
00401083 |. 5>PUSH EAX
00401084 |. E>CALL KEYGENME.00401090 ; compress the full block (SHA-1 transform, omitted from the listing)
00401089 |. 5>POP ECX ; discard the pushed argument
0040108A \> C>RETN
/****************************************************************/
//SHA加密函数
; ----------------------------------------------------------------------
; void SHAEncrypt(DWORD *ctx, BYTE out[20])   (cdecl; author's name)
; SHA-1 finalisation: append 0x80, zero-pad to 448 bits mod 512, write the
; 64-bit big-endian bit length into W[14..15], run the last transform,
; serialise H0..H4 big-endian into out, then re-initialise ctx.
; In:    [ESP+4] = ctx, [ESP+8] = 20-byte digest buffer
; Out:   out[0..19] = digest; ctx reset by 00401000
; Clobb: EAX, ECX, EDX, flags (EBX/ESI/EDI saved/restored)
; ----------------------------------------------------------------------
004012A0 /$ 5>PUSH EBX
004012A1 |. 5>PUSH ESI
004012A2 |. 8>MOV ESI,DWORD PTR SS:[ESP+C] ; ESI = ctx
004012A6 |. 5>PUSH EDI
004012A7 |. 6>PUSH 80 ; /lpcCharStr -- the 0x80 padding byte (a single 1 bit)
004012AC |. 5>PUSH ESI ; |lpwSHAKeyBuffer
; EDI = ctx[0] = bit count, low dword (saved before padding changes it)
004012AD |. 8>MOV EDI,DWORD PTR DS:[ESI]
; EBX = ctx[1] = bit count, high dword
004012AF |. 8>MOV EBX,DWORD PTR DS:[ESI+4]
004012B2 |. E>CALL KEYGENME.00401040 ; \SetszNameTowName64BitSHAKey -- append 0x80
004012B7 |. 8>MOV EAX,DWORD PTR DS:[ESI] ; EAX = updated bit count, low dword
004012B9 |. 8>ADD ESP,8
004012BC |. 2>AND EAX,1FF
004012C1 |. 3>CMP EAX,1C0 ; padded up to 448 bits mod 512 ?
004012C6 |. 7>JE SHORT KEYGENME.004012E3 ; otherwise keep appending zero bytes
004012C8 |> 6>/PUSH 0 ; /lpcCharStr
004012CA |. 5>|PUSH ESI ; |lpwSHAKeyBuffer
004012CB |. E>|CALL KEYGENME.00401040 ; \SetszNameTowName64BitSHAKey
004012D0 |. 8>|MOV ECX,DWORD PTR DS:[ESI]
004012D2 |. 8>|ADD ESP,8
004012D5 |. 8>|AND ECX,1FF
004012DB |. 8>|CMP ECX,1C0
004012E1 |.^ 7>\JNZ SHORT KEYGENME.004012C8
004012E3 |> 5>PUSH ESI ; /lpwSHAKeyBuffer
; W[14] (ctx+0x28+4*14) = saved bit count, high dword
004012E4 |. 8>MOV DWORD PTR DS:[ESI+60],EBX
; W[15] (ctx+0x28+4*15) = saved bit count, low dword -> 64-bit big-endian message length
004012E7 |. 8>MOV DWORD PTR DS:[ESI+64],EDI
// compress the final block (SHA-1 transform)
004012EA |. E>CALL KEYGENME.00401090 ; \SHA1Encrypt
004012EF |. 8>MOV EBX,DWORD PTR SS:[ESP+18] ; EBX = out
004012F3 |. 8>ADD ESP,4
004012F6 |. 3>XOR EDI,EDI ; EDI = i, output byte index
; out[i] = H[i/4] >> (24 - 8*(i%4)): each hash dword is serialised big-endian, which on a
; little-endian host reads as reversing the stored bytes of every dword (12345678 -> 78563412)
004012F8 |> 8>/MOV EDX,EDI
004012FA |. 8>|AND EDX,80000003 ; EDX = i % 4 (compiler's signed-modulo idiom through 00401306)
00401300 |. 7>|JNS SHORT KEYGENME.00401307
00401302 |. 4>|DEC EDX
00401303 |. 8>|OR EDX,FFFFFFFC
00401306 |. 4>|INC EDX
00401307 |> C>|SHL EDX,3 ; 8*(i%4)
0040130A |. B>|MOV ECX,18
0040130F |. 8>|MOV EAX,EDI
00401311 |. 2>|SUB ECX,EDX ; CL = 24 - 8*(i%4)
00401313 |. 9>|CDQ
00401314 |. 8>|AND EDX,3
00401317 |. 0>|ADD EAX,EDX
00401319 |. C>|SAR EAX,2 ; EAX = i / 4 (signed-division idiom)
0040131C |. 8>|MOV EAX,DWORD PTR DS:[ESI+EAX*4+8] ; H[i/4], i.e. ctx[2 + i/4]
00401320 |. D>|SHR EAX,CL
00401322 |. 4>|INC EDI
00401323 |. 8>|CMP EDI,14 ; 20 output bytes
00401326 |. 8>|MOV BYTE PTR DS:[EDI+EBX-1],AL ; out[i]
0040132A |.^ 7>\JL SHORT KEYGENME.004012F8
0040132C |. 5>PUSH ESI ; /lpdwSHACountAndwKeyBuffer
0040132D |. E>CALL KEYGENME.00401000 ; \SetSHACountAndKeyBuffer -- reset the context for reuse
00401332 |. 8>ADD ESP,4
00401335 |. 5>POP EDI
00401336 |. 5>POP ESI
00401337 |. 5>POP EBX
00401338 \. C>RETN
/****************************************************************/
//SHA加密函数(省略……)
/****************************************************************/
//呵呵,标准的IDEA初始化Key函数
; ----------------------------------------------------------------------
; void InitIdeaEnKey(BYTE *userKey, WORD *encKey)   (cdecl; author's name)
; Standard IDEA encryption key schedule.
;   Z[0..7] = the 128-bit key read from userKey+2 as eight 16-bit words;
;   for i >= 8 (the 25-bit key rotation expressed word by word):
;     Z[i] = (Z[i-7] >> 7) | (Z[i-6]  << 9)   in general
;     Z[i] = (Z[i-7] << 9) | (Z[i-14] >> 7)   when i % 8 == 6
;     Z[i] = (Z[i-15] << 9) | (Z[i-14] >> 7)  when i % 8 == 7
;   54 words Z[0..53] are produced, two more than IDEA's 52.
;   The second loop stores them transposed: Z[6*g + j] -> encKey[11 + g + 10*j]
;   (g = 0..8, j = 0..5), the layout 00401390 reads with fixed strides.
; In:    [ESP+4] = userKey (key bytes at +2..+17), [ESP+8] = encKey (receives words 11..69)
; Out:   encKey filled; nothing in registers
; Frame: 0x6C bytes of locals; Z[i] lives at [ESP+C + 2*i] once EBX/ESI/EDI are pushed
; Clobb: EAX, ECX, EDX, flags (EBX/ESI/EDI saved/restored)
; ----------------------------------------------------------------------
004014C0 /$ 8>SUB ESP,6C
004014C3 |. 8>MOV EAX,DWORD PTR SS:[ESP+70] ; EAX = userKey
004014C7 |. 5>PUSH EBX
004014C8 |. 8>ADD EAX,2 ; the 128-bit key starts 2 bytes into the struct
004014CB |. 5>PUSH ESI
004014CC |. 5>PUSH EDI
004014CD |. 8>MOV ECX,DWORD PTR DS:[EAX] ; copy the 16 key bytes to Z[0..7]
004014CF |. 8>MOV EDX,DWORD PTR DS:[EAX+4]
004014D2 |. 8>MOV DWORD PTR SS:[ESP+C],ECX
004014D6 |. 8>MOV ECX,DWORD PTR DS:[EAX+8]
004014D9 |. 8>MOV DWORD PTR SS:[ESP+10],EDX
004014DD |. 8>MOV EDX,DWORD PTR DS:[EAX+C]
004014E0 |. 8>LEA EAX,DWORD PTR SS:[ESP+C] ; EAX = &Z[0]
004014E4 |. 8>MOV DWORD PTR SS:[ESP+14],ECX
004014E8 |. 8>MOV DWORD PTR SS:[ESP+18],EDX
004014EC |. B>MOV ECX,9 ; ECX = i+1, with i the index being produced (first i = 8)
004014F1 |. 8>SUB EAX,0C ; EAX = &Z[i-14]; the store below goes to EAX+1C = &Z[i]
004014F4 |> 8>/LEA EDX,DWORD PTR DS:[ECX+1] ; EDX = i+2
004014F7 |. 8>|MOV ESI,EDX
004014F9 |. 8>|AND ESI,80000007 ; ESI = (i+2) % 8 (signed-modulo idiom through 00401505)
004014FF |. 7>|JNS SHORT KEYGENME.00401506
00401501 |. 4>|DEC ESI
00401502 |. 8>|OR ESI,FFFFFFF8
00401505 |. 4>|INC ESI
00401506 |> 7>|JNZ SHORT KEYGENME.00401519 ; (i+2) % 8 == 0, i.e. i % 8 == 6 ?
00401508 |. 6>|MOV CX,WORD PTR DS:[EAX+E] ; Z[i-7]
0040150C |. 6>|MOV SI,WORD PTR DS:[EAX] ; Z[i-14]
0040150F |. 6>|SHL CX,9
00401513 |. 6>|SHR SI,7 ; Z[i] = (Z[i-7] << 9) | (Z[i-14] >> 7)
00401517 |. E>|JMP SHORT KEYGENME.00401549
00401519 |> 8>|AND ECX,80000007 ; ECX = (i+1) % 8
0040151F |. 7>|JNS SHORT KEYGENME.00401526
00401521 |. 4>|DEC ECX
00401522 |. 8>|OR ECX,FFFFFFF8
00401525 |. 4>|INC ECX
00401526 |> 7>|JNZ SHORT KEYGENME.00401539 ; (i+1) % 8 == 0, i.e. i % 8 == 7 ?
00401528 |. 6>|MOV CX,WORD PTR DS:[EAX-2] ; Z[i-15]
0040152C |. 6>|MOV SI,WORD PTR DS:[EAX] ; Z[i-14]
0040152F |. 6>|SHL CX,9
00401533 |. 6>|SHR SI,7 ; Z[i] = (Z[i-15] << 9) | (Z[i-14] >> 7)
00401537 |. E>|JMP SHORT KEYGENME.00401549
00401539 |> 6>|MOV CX,WORD PTR DS:[EAX+10] ; Z[i-6]
0040153D |. 6>|MOV SI,WORD PTR DS:[EAX+E] ; Z[i-7]
00401541 |. 6>|SHR CX,7
00401545 |. 6>|SHL SI,9 ; Z[i] = (Z[i-7] >> 7) | (Z[i-6] << 9)  (the common case)
00401549 |> 3>|XOR ECX,ESI ; the two 16-bit halves do not overlap, so XOR == OR; only CX is stored
0040154B |. 6>|MOV WORD PTR DS:[EAX+1C],CX ; Z[i]
0040154F |. 8>|MOV ECX,EDX ; ECX = i+2 = (next i) + 1
00401551 |. 8>|ADD EAX,2
00401554 |. 8>|LEA EDX,DWORD PTR DS:[ECX-1] ; EDX = i+1
00401557 |. 8>|CMP EDX,36 ; continue while i+1 < 0x36 = 54 -> produces Z[8..53]
0040155A |.^ 7>\JL SHORT KEYGENME.004014F4
0040155C |. 8>MOV EAX,DWORD PTR SS:[ESP+80] ; EAX = encKey
00401563 |. B>MOV EDI,9 ; 9 groups of 6 words: rounds 0..7 plus the final half-round (which uses only 4 of its 6)
00401568 |. 8>LEA ESI,DWORD PTR DS:[EAX+16] ; ESI = &encKey[11]
0040156B |. 8>LEA EAX,DWORD PTR SS:[ESP+C] ; EAX = &Z[0]
0040156F |> 8>/MOV ECX,ESI
00401571 |. B>|MOV EDX,6
00401576 |> 6>|/MOV BX,WORD PTR DS:[EAX] ; Z[6*g + j]
00401579 |. 8>||ADD EAX,2
0040157C |. 6>||MOV WORD PTR DS:[ECX],BX ; encKey[11 + g + 10*j]: each round's six subkeys end up 10 words apart
0040157F |. 8>||ADD ECX,14 ; +10 words
00401582 |. 4>||DEC EDX
00401583 |.^ 7>|\JNZ SHORT KEYGENME.00401576
00401585 |. 8>|ADD ESI,2 ; next group g
00401588 |. 4>|DEC EDI
00401589 |.^ 7>\JNZ SHORT KEYGENME.0040156F
0040158B |. 5>POP EDI
0040158C |. 5>POP ESI
0040158D |. 5>POP EBX
0040158E |. 8>ADD ESP,6C
00401591 \. C>RETN
/****************************************************************/
//标准的IDEA加密解密算法
; ----------------------------------------------------------------------
; void IdeaEncrypt(BYTE *in, BYTE *out, WORD *encKey)   (cdecl; author's name)
; One IDEA block encryption: 8 rounds plus the output transformation, using
; the transposed schedule built by 004014C0. Round g (0..7) reads its six
; subkeys K1..K6 = Z[6g+0..5] at encKey[11 + g + 10*j], j = 0..5; the final
; half-round uses Z[48..51] (g = 8, j = 0..3). Multiplication mod 65537 is
; 00401340; additions are mod 65536 (the AND 0FFFF masks).
; In:    [ESP+4] = in   (X1..X4 read as words at in+2, in+4, in+6, in+8)
;        [ESP+8] = out  (Y1..Y4 written at out+2, out+4, out+6, out+8)
;        [ESP+C] = encKey
; Locals: 8 bytes. With E = ESP at entry: E-8 holds X3 (later t1),
;        E-4 the round counter (8..1); the incoming in-pointer slot at E+4 is
;        reused as scratch for X4*K4 and for the next round's X4.
; Clobb: EAX, ECX, EDX, flags (EBX/EBP/ESI/EDI saved/restored)
; ----------------------------------------------------------------------
00401390 /$ 8>SUB ESP,8
00401393 |. 8>MOV EAX,DWORD PTR SS:[ESP+C] ; EAX = in
00401397 |. 5>PUSH EBX
00401398 |. 5>PUSH EBP
00401399 |. 5>PUSH ESI
0040139A |. 5>PUSH EDI
0040139B |. 3>XOR EBP,EBP
0040139D |. 6>MOV BP,WORD PTR DS:[EAX+2] ; X1
004013A1 |. 3>XOR EBX,EBX
004013A3 |. 6>MOV BX,WORD PTR DS:[EAX+4] ; X2
004013A7 |. 3>XOR ECX,ECX
004013A9 |. 6>MOV CX,WORD PTR DS:[EAX+6] ; X3
004013AD |. 3>XOR EDI,EDI
004013AF |. 6>MOV DI,WORD PTR DS:[EAX+8] ; X4
004013B3 |. 8>MOV EAX,DWORD PTR SS:[ESP+24] ; EAX = encKey
004013B7 |. 8>MOV DWORD PTR SS:[ESP+10],ECX ; X3 kept in the local at E-8
004013BB |. C>MOV DWORD PTR SS:[ESP+14],8 ; 8 rounds
004013C3 |. 8>LEA ESI,DWORD PTR DS:[EAX+52] ; ESI = &encKey[41] = round 0's K4; K1,K2,K3,K5,K6 sit at -0x3C,-0x28,-0x14,+0x14,+0x28
004013C6 |. E>JMP SHORT KEYGENME.004013CC
004013C8 |> 8>/MOV EDI,DWORD PTR SS:[ESP+1C] ; rounds 2..8: reload X4 produced by the previous round
004013CC |> 3> XOR ECX,ECX
004013CE |. 6>|MOV CX,WORD PTR DS:[ESI-3C] ; K1
004013D2 |. 5>|PUSH ECX
004013D3 |. 5>|PUSH EBP
004013D4 |. E>|CALL KEYGENME.00401340 ; a = X1 * K1
004013D9 |. 3>|XOR EDX,EDX
004013DB |. 8>|MOV EBP,EAX ; EBP = a
004013DD |. 6>|MOV DX,WORD PTR DS:[ESI] ; K4
004013E0 |. 5>|PUSH EDX
004013E1 |. 5>|PUSH EDI
004013E2 |. E>|CALL KEYGENME.00401340 ; d = X4 * K4
004013E7 |. 6>|MOV DI,WORD PTR DS:[ESI-28] ; K2
004013EB |. 8>|MOV ECX,DWORD PTR SS:[ESP+20] ; X3
004013EF |. 0>|ADD EDI,EBX ; b = X2 + K2
004013F1 |. 6>|MOV BX,WORD PTR DS:[ESI-14] ; K3
004013F5 |. 0>|ADD EBX,ECX ; c = X3 + K3
004013F7 |. 8>|MOV DWORD PTR SS:[ESP+2C],EAX ; save d in the scratch slot E+4 (offsets are large because the pushed args are still on the stack)
004013FB |. 8>|AND EBX,0FFFF
00401401 |. 3>|XOR ECX,ECX
00401403 |. 6>|MOV CX,WORD PTR DS:[ESI+14] ; K5
00401407 |. 8>|MOV EAX,EBX
00401409 |. 3>|XOR EAX,EBP ; a ^ c
0040140B |. 8>|AND EDI,0FFFF
00401411 |. 5>|PUSH EAX
00401412 |. 5>|PUSH ECX
00401413 |. E>|CALL KEYGENME.00401340 ; t1 = (a ^ c) * K5  -- MA structure, first multiply
00401418 |. 8>|MOV EDX,DWORD PTR SS:[ESP+34] ; d
0040141C |. 8>|MOV DWORD PTR SS:[ESP+28],EAX ; save t1 (in the slot that held X3)
00401420 |. 3>|XOR EDX,EDI ; b ^ d
00401422 |. 0>|ADD EDX,EAX ; (b ^ d) + t1
00401424 |. 3>|XOR EAX,EAX
00401426 |. 6>|MOV AX,WORD PTR DS:[ESI+28] ; K6
0040142A |. 8>|AND EDX,0FFFF
00401430 |. 5>|PUSH EDX
00401431 |. 5>|PUSH EAX
00401432 |. E>|CALL KEYGENME.00401340 ; t2 = ((b ^ d) + t1) * K6
00401437 |. 8>|MOV ECX,DWORD PTR SS:[ESP+30] ; t1
0040143B |. 8>|MOV EDX,DWORD PTR SS:[ESP+3C] ; d
0040143F |. 0>|ADD ECX,EAX ; t3 = t1 + t2
00401441 |. 3>|XOR EBP,EAX ; X1' = a ^ t2
00401443 |. 8>|AND ECX,0FFFF
00401449 |. 3>|XOR EAX,EBX ; c ^ t2
0040144B |. 3>|XOR EDX,ECX ; d ^ t3
0040144D |. 8>|MOV EBX,EAX ; X2' = c ^ t2  (the middle words swap)
0040144F |. 8>|MOV EAX,DWORD PTR SS:[ESP+34] ; round counter
00401453 |. 3>|XOR ECX,EDI ; X3' = b ^ t3
00401455 |. 8>|ADD ESP,20 ; pop the 8 arguments pushed for the four calls
00401458 |. 8>|ADD ESI,2 ; next round's subkeys (g+1)
0040145B |. 8>|MOV EDI,ECX
0040145D |. 4>|DEC EAX
0040145E |. 8>|MOV DWORD PTR SS:[ESP+1C],EDX ; X4' = d ^ t3, parked in the scratch slot
00401462 |. 8>|MOV DWORD PTR SS:[ESP+10],EDI ; X3'
00401466 |. 8>|MOV DWORD PTR SS:[ESP+14],EAX
0040146A |.^ 0>\JNZ KEYGENME.004013C8
00401470 |. 8>MOV ESI,DWORD PTR SS:[ESP+24] ; ESI = encKey; output transformation with Z[48..51]
00401474 |. 3>XOR EDX,EDX
00401476 |. 6>MOV DX,WORD PTR DS:[ESI+26] ; encKey[19] = Z[48]
0040147A |. 5>PUSH EDX
0040147B |. 5>PUSH EBP
0040147C |. E>CALL KEYGENME.00401340 ; Y1 = X1 * Z[48]
00401481 |. 8>MOV EBP,DWORD PTR SS:[ESP+28] ; EBP = out
00401485 |. 8>MOV ECX,DWORD PTR SS:[ESP+24] ; X4 (from the scratch slot)
00401489 |. 6>MOV WORD PTR SS:[EBP+2],AX ; out+2 = Y1
0040148D |. 3>XOR EAX,EAX
0040148F |. 6>MOV AX,WORD PTR DS:[ESI+62] ; encKey[49] = Z[51]
00401493 |. 5>PUSH EAX
00401494 |. 5>PUSH ECX
00401495 |. E>CALL KEYGENME.00401340 ; Y4 = X4 * Z[51]
0040149A |. 6>MOV WORD PTR SS:[EBP+8],AX ; out+8 = Y4
0040149E |. 6>MOV DX,WORD PTR DS:[ESI+3A] ; encKey[29] = Z[49]
004014A2 |. 6>ADD DX,DI ; Y2 = X3 + Z[49]
004014A5 |. 8>ADD ESP,10
004014A8 |. 6>MOV WORD PTR SS:[EBP+4],DX ; out+4 = Y2
004014AC |. 6>MOV AX,WORD PTR DS:[ESI+4E] ; encKey[39] = Z[50]
004014B0 |. 6>ADD AX,BX ; Y3 = X2 + Z[50]
004014B3 |. 5>POP EDI
004014B4 |. 6>MOV WORD PTR SS:[EBP+6],AX ; out+6 = Y3
004014B8 |. 5>POP ESI
004014B9 |. 5>POP EBP
004014BA |. 5>POP EBX
004014BB |. 8>ADD ESP,8
004014BE \. C>RETN
/****************************************************************/
//这个就是乘法模运算了,就在这里让我误认为是RSA算法了。
; ----------------------------------------------------------------------
; WORD mulmod(WORD a, WORD b)   (cdecl; unnamed in the listing)
; IDEA multiplication in the multiplicative group modulo 2^16+1 = 0x10001:
; an operand of 0 stands for 2^16, and a result of 2^16 is returned as 0.
; 0x10001 is the IDEA modulus (a prime), not an RSA key or exponent; the
; "multiplicative inverse" the author mentions is what decryption needs to
; undo this operation.
; In:    [ESP+4] = a, [ESP+8] = b (the callers in this listing zero-extend 16-bit values)
; Out:   EAX = (a * b) mod 65537 with the encoding above
; Clobb: ECX, flags
; ----------------------------------------------------------------------
00401340 /$ 8>MOV ECX,DWORD PTR SS:[ESP+4] ; ECX = a
00401344 |. 8>TEST ECX,ECX
00401346 |. 7>JNZ SHORT KEYGENME.00401359
00401348 |. 8>MOV ECX,DWORD PTR SS:[ESP+8] ; a == 0 means a = 2^16 == -1 (mod 65537): result = -b
0040134C |. B>MOV EAX,10001 //0x10001 = 2^16+1, the IDEA modulus (the author first took it for an RSA key)
00401351 |. 2>SUB EAX,ECX
00401353 |. 2>AND EAX,0FFFF ; (65537 - b) mod 65536
00401358 |. C>RETN
00401359 |> 8>MOV EAX,DWORD PTR SS:[ESP+8] ; EAX = b
0040135D |. 8>TEST EAX,EAX
0040135F |. 7>JNZ SHORT KEYGENME.0040136E
00401361 |. B>MOV EAX,10001 ; b == 0: result = -a
00401366 |. 2>SUB EAX,ECX
00401368 |. 2>AND EAX,0FFFF
0040136D |. C>RETN
0040136E |> 0>IMUL ECX,EAX ; p = a * b (fits in 32 bits for 16-bit operands)
00401371 |. 8>MOV EAX,ECX
00401373 |. C>SHR ECX,10 ; hi = p >> 16
00401376 |. 2>AND EAX,0FFFF ; lo = p & 0xFFFF
0040137B |. 2>SUB EAX,ECX ; lo - hi  (2^16 == -1 mod 65537, so p == lo - hi)
0040137D |. 8>TEST EAX,EAX
0040137F |. 7>JG SHORT KEYGENME.00401386
00401381 |. 0>ADD EAX,10001 ; bring a non-positive difference back into range
00401386 |> 2>AND EAX,0FFFF ; encode 65536 as 0
0040138B \. C>RETN