【标题】 KEYGENME#1:GAS的sha1算法分析+注册机
【作者】 koala
【工具】 OllyICE
【分析过程】
一、反调试分析
程序有反调试代码,下消息断点,初步分析后可到此处
00407768 . 53 push ebx ; OnInitDialog override of the dialog: the anti-debug checks live here
00407769 . 56 push esi
0040776A . 57 push edi
0040776B . 8BF1 mov esi, ecx ; esi = this (MFC thiscall)
0040776D . E8 68150000 call <jmp.&MFC42.#4710_CDialog::OnInitDialog>
00407772 . 8B46 20 mov eax, [esi+20] ; eax = window handle (pushed as hWnd below)
00407775 . 6A 00 push 0 ; /Revert = FALSE
00407777 . 50 push eax ; |hWnd
00407778 . FF15 C8A24000 call [<&USER32.GetSystemMenu>] ; \GetSystemMenu
0040777E . 50 push eax
0040777F . E8 50150000 call <jmp.&MFC42.#2863_CMenu::FromHandle>
00407784 . 8BF8 mov edi, eax ; edi = CMenu* of the system menu (rest of the menu setup elided)
......
00407818 . 6A 00 push 0 ; lParam = 0
0040781A . 6A 20 push 20 ; wParam = 20h: the name edit accepts at most 32 chars
0040781C . 68 C5000000 push 0C5 ; msg 0C5h = EM_LIMITTEXT
00407821 . 68 F1030000 push 3F1 ; control 3F1 = name edit (read again by GetDlgItemTextA in the serial routine)
00407826 . 8BCE mov ecx, esi
00407828 . E8 9B140000 call <jmp.&MFC42.#5802_CWnd::SendDlgItemMessage> ; UI-side half of the "4 to 32 chars" rule
0040782D . E8 48150000 call <jmp.&KERNEL32.IsDebuggerPresent> ; [IsDebuggerPresent -- check 1: nonzero while a user-mode debugger is attached
00407832 . 85C0 test eax, eax
00407834 . 74 07 je short 0040783D ; je patched to jmp: always skip the OnCancel below
00407836 . 8BCE mov ecx, esi
00407838 . E8 AD130000 call <jmp.&MFC42.#4376_CDialog::OnCancel> ; debugger seen -> close the dialog
0040783D > E8 6E0E0000 call 004086B0 ; check 2: body not shown; nonzero is treated as "debugger detected"
00407842 . 85C0 test eax, eax
00407844 . 74 07 je short 0040784D ; je patched to jmp
00407846 . 8BCE mov ecx, esi
00407848 . E8 9D130000 call <jmp.&MFC42.#4376_CDialog::OnCancel>
0040784D 8B0D 74554100 mov ecx, [415574] ; three globals (all 0 when the author traced this) feed check 3
00407853 8B15 6C554100 mov edx, [41556C]
00407859 A1 68554100 mov eax, [415568]
0040785E . 51 push ecx ; /Arg3 => 00000000
0040785F . 52 push edx ; |Arg2 => 00000000
00407860 . 50 push eax ; |Arg1 => 00000000
00407861 E8 2A0D0000 call 00408590 ; \gAs.00408590 -- check 3: body not shown; cdecl (caller pops 0Ch below)
00407866 . 83C4 0C add esp, 0C
00407869 . 85C0 test eax, eax
0040786B . 74 07 je short 00407874 ; same pattern as the other checks (not marked as patched by the author)
0040786D . 8BCE mov ecx, esi
0040786F . E8 76130000 call <jmp.&MFC42.#4376_CDialog::OnCancel>
00407874 > 68 CCC04000 push 0040C0CC ; /String = "%s%s%s%s%s%s%s%s%s%
00407879 . FF15 4CA04000 call [<&KERNEL32.OutputDebugStringA>] ; \OutputDebugStringA -- a %s-laden string handed to the debugger: a known trick against debuggers that format it (crashes OllyDbg 1.x); harmless to the program itself
0040787F . E8 9C0D0000 call 00408620 ; check 4: body not shown
00407884 . 85C0 test eax, eax
00407886 . 74 07 je short 0040788F ; je patched to jmp
00407888 . 8BCE mov ecx, esi
0040788A . E8 5B130000 call <jmp.&MFC42.#4376_CDialog::OnCancel>
0040788F > 8D4C24 10 lea ecx, [esp+10] ; all checks passed: normal dialog initialisation continues
00407893 . E8 2A140000 call <jmp.&MFC42.#475_CPictureHolder::CPictureH>
将以上几处je改为jmp后,可正常调试。
二、算法分析
下断点bp GetDlgItemTextA,运行,程序断下
00407FF4 . 8D4424 18 lea eax, [esp+18] ; eax = name buffer on the stack
00407FF8 . 8BCE mov ecx, esi ; this
00407FFA . 50 push eax
00407FFB . 68 F1030000 push 3F1 ; control 3F1 = name edit
00408000 . E8 110D0000 call <jmp.&MFC42.#3097_CWnd::GetDlgItemTextA>
00408005 . 8B5424 18 mov edx, [esp+18] ; edx = user name
00408009 . 83C9 FF or ecx, FFFFFFFF ; inlined strlen: ecx = -1, edi = s, al = 0 ...
0040800C . 8BFA mov edi, edx
0040800E . 33C0 xor eax, eax ; ... the repne scasb / not ecx / dec ecx presumably sit in the elided lines
......
0040803B . 8BE9 mov ebp, ecx ; ebp = strlen(name)
0040803D . 83FD 03 cmp ebp, 3 ; must be greater than 3, i.e. at least 4 chars
00408040 . 7D 0A jge short 0040804C
00408042 . 68 D8534100 push 004153D8 ; please insert between 4 and 32 chars... (error text shown when too short)
00408047 . E9 A6030000 jmp 004083F2 ; -> message tail
0040804C > 6A 01 push 1 ; arg5: repetition count = 1 (round 1)
0040804E . 8D8C24 480200>lea ecx, [esp+248] ; arg3: not referenced by 004084C0 as shown below
00408055 . 55 push ebp ; arg4: name length
00408056 . 8D9424 000100>lea edx, [esp+100] ; arg2: output buffer = round-1 hex result (esp+F8 in this frame)
0040805D . 51 push ecx
0040805E . 8D8424 A00200>lea eax, [esp+2A0] ; arg1: input = the user name
00408065 . 52 push edx
00408066 . 50 push eax
00408067 . 81EC C4000000 sub esp, 0C4 ; a 0C4h-byte object (31h dwords) is copied onto the stack by value ...
0040806D . B9 31000000 mov ecx, 31
00408072 . 8DB424 500600>lea esi, [esp+650]
00408079 . 8BFC mov edi, esp
0040807B . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; ... the hash context is constructed inside this copy (see 004084C0)
0040807D . E8 3E040000 call 004084C0 ; build the input, SHA-1 it (custom initial state), write 40 hex chars -- see below
00408082 . 81C4 D8000000 add esp, 0D8 ; drop copy + 5 args
00408088 . 8D8C24 300200>lea ecx, [esp+230]
0040808F . 8D9424 900000>lea edx, [esp+90] ; arg2: round-2 result buffer
00408096 . 8D8424 F80000>lea eax, [esp+F8] ; arg1: round-1 result is the input of round 2
0040809D . 6A 02 push 2 ; arg5: repeat 2 times
0040809F . 55 push ebp ; arg4: still the name length -- only that many bytes of the previous result are used
004080A0 . 51 push ecx
004080A1 . 52 push edx
004080A2 . 50 push eax
004080A3 . B9 31000000 mov ecx, 31
004080A8 . 81EC C4000000 sub esp, 0C4
004080AE . 8DB424 C80400>lea esi, [esp+4C8]
004080B5 . 8BFC mov edi, esp
004080B7 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
004080B9 . E8 02040000 call 004084C0 ; round 2
004080BE . 81C4 D8000000 add esp, 0D8
004080C4 . 8D8C24 6C0200>lea ecx, [esp+26C]
004080CB . 8D5424 28 lea edx, [esp+28] ; arg2: round-3 result buffer
004080CF . 8D8424 900000>lea eax, [esp+90] ; arg1: round-2 result
004080D6 . 6A 04 push 4 ; arg5: repeat 4 times
004080D8 . 55 push ebp
004080D9 . 51 push ecx
004080DA . 52 push edx
004080DB . 50 push eax
004080DC . B9 31000000 mov ecx, 31
004080E1 . 81EC C4000000 sub esp, 0C4
004080E7 . 8DB424 040400>lea esi, [esp+404]
004080EE . 8BFC mov edi, esp
004080F0 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
004080F2 . E8 C9030000 call 004084C0 ; round 3
004080F7 . 81C4 D8000000 add esp, 0D8
004080FD . 8D8C24 800200>lea ecx, [esp+280]
00408104 . 8D5424 5C lea edx, [esp+5C] ; arg2: round-4 result buffer
00408108 . 8D4424 28 lea eax, [esp+28] ; arg1: round-3 result
0040810C . 6A 08 push 8 ; arg5: repeat 8 times
0040810E . 55 push ebp
0040810F . 51 push ecx
00408110 . 52 push edx
00408111 . 50 push eax
00408112 . B9 31000000 mov ecx, 31
00408117 . 81EC C4000000 sub esp, 0C4
0040811D . 8DB424 8C0500>lea esi, [esp+58C]
00408124 . 8BFC mov edi, esp
00408126 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00408128 . E8 93030000 call 004084C0 ; round 4
0040812D . 81C4 D8000000 add esp, 0D8
00408133 . 8D8C24 580200>lea ecx, [esp+258]
0040813A . 8D9424 C40000>lea edx, [esp+C4] ; arg2: round-5 result buffer
00408141 . 8D4424 5C lea eax, [esp+5C] ; arg1: round-4 result
00408145 . 6A 10 push 10 ; arg5: repeat 16 times
00408147 . 55 push ebp
00408148 . 51 push ecx
00408149 . 52 push edx
0040814A . 50 push eax
0040814B . B9 31000000 mov ecx, 31
00408150 . 81EC C4000000 sub esp, 0C4
00408156 . 8DB424 140700>lea esi, [esp+714]
0040815D . 8BFC mov edi, esp
0040815F . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00408161 . E8 5A030000 call 004084C0 ; round 5
00408166 . 81C4 D8000000 add esp, 0D8
0040816C . 33C0 xor eax, eax ; i = 0
0040816E . 889C24 000100>mov [esp+100], bl ; result1[8] = bl (bl presumably 0, set in elided code) -> piece 1 cut to 8 chars
00408175 . 33C9 xor ecx, ecx ; ecx = -i; in-place byte shuffle of results 2..5 (result 1 untouched)
00408177 > 8A9404 980000>mov dl, [esp+eax+98] ; result2[i+8]
0040817E . 889404 900000>mov [esp+eax+90], dl ; result2[i] = result2[i+8]
00408185 . 8A540C 38 mov dl, [esp+ecx+38] ; result3[16-i]
00408189 . 885404 28 mov [esp+eax+28], dl ; result3[i] = result3[16-i]
0040818D . 8A5404 74 mov dl, [esp+eax+74] ; result4[i+24]
00408191 . 885404 5C mov [esp+eax+5C], dl ; result4[i] = result4[i+24]
00408195 . 8A940C E40000>mov dl, [esp+ecx+E4] ; result5[32-i]
0040819C . 889404 C40000>mov [esp+eax+C4], dl ; result5[i] = result5[32-i]
004081A3 . 40 inc eax
004081A4 . 49 dec ecx
004081A5 . 83F9 F8 cmp ecx, -8
004081A8 .^ 7F CD jg short 00408177 ; for i = 0..7
004081AA . A3 60554100 mov [415560], eax ; loop count (8) parked in the global 004084C0 also uses as its counter
004081AF . 8D8424 C40000>lea eax, [esp+C4] ; result5
004081B6 . 8D4C24 5C lea ecx, [esp+5C] ; result4
004081BA . 50 push eax ; /<%s> = result5
004081BB . 8D5424 2C lea edx, [esp+2C] ; | result3 (esp+28 before the push)
004081BF . 51 push ecx ; |<%s> = result4
004081C0 . 8D8424 980000>lea eax, [esp+98] ; | result2 (esp+90 before the pushes)
004081C7 . 52 push edx ; |<%s> = result3
004081C8 . 8D8C24 040100>lea ecx, [esp+104] ; | result1 (esp+F8 before the pushes)
004081CF . 50 push eax ; |<%s> = result2
004081D0 . 51 push ecx ; |<%s> = result1
004081D1 . 8D9424 DC0200>lea edx, [esp+2DC] ; | destination buffer
004081D8 . 68 C8534100 push 004153C8 ; |%s-%s-%s-%s-%s
004081DD . 52 push edx ; |s
004081DE . 889C24 B40000>mov [esp+B4], bl ; | result2[8] = 0 (7 pushes deep: esp+B4 = frame+98)
004081E5 . 885C24 4C mov [esp+4C], bl ; | result3[8] = 0
004081E9 . 889C24 800000>mov [esp+80], bl ; | result4[8] = 0
004081F0 . 889C24 E80000>mov [esp+E8], bl ; | result5[8] = 0
004081F7 . FF15 74A24000 call [<&MSVCRT.sprintf>] ; \sprintf -> serial = r1-r2-r3-r4-r5, each piece its first 8 chars
004081FD . 8B4C24 30 mov ecx, [esp+30] ; ecx = this (presumably saved on the stack earlier; used by the call below)
00408201 . 83C4 1C add esp, 1C ; pop the 7 sprintf args
00408204 . 8D4424 10 lea eax, [esp+10]
00408208 . 50 push eax
00408209 . 68 F3030000 push 3F3 ; control 3F3 = serial edit
0040820E . E8 030B0000 call <jmp.&MFC42.#3097_CWnd::GetDlgItemTextA>
00408213 . 8B5424 10 mov edx, [esp+10] ; edx = serial typed by the user
00408217 . 33C0 xor eax, eax ; comparison against the computed serial follows (omitted by the author)
......
......
==================== 跟进 0040807D call 004084C0 ====================
004084C0 /$ 64:A1 0000000>mov eax, fs:[0] ; SEH frame: previous handler ...
004084C6 |. 6A FF push -1 ; ... EH state -1
004084C8 |. 68 78904000 push 00409078 ; ... handler
004084CD |. 50 push eax
004084CE |. 64:8925 00000>mov fs:[0], esp ; this frame is now the active handler
004084D5 |. 53 push ebx
004084D6 |. 56 push esi
004084D7 |. 57 push edi ; after 7 pushes: callee [esp+X] = caller [esp+X-1Ch]
004084D8 |. 8D4C24 1C lea ecx, [esp+1C] ; ecx = &ctx, lives at the start of the caller's by-value copy
004084DC |. C74424 14 000>mov dword ptr [esp+14], 0 ; EH state 0 (looks like MSVC C++ EH: ctx is an object with a dtor, see 00405800 below)
004084E4 |. E8 27D3FFFF call 00405810 ; ctor: the five state words are NOT the standard SHA-1 IV (67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0)
{
00405810 |$ 33C0 xor eax, eax
00405812 |. C701 78A46AD7 mov dword ptr [ecx], D76AA478 ; h0..h4 below are MD5's first five round constants T[1..5] used as the SHA-1 initial state
00405818 |. C741 04 56B7C>mov dword ptr [ecx+4], E8C7B756
0040581F |. C741 08 DB702>mov dword ptr [ecx+8], 242070DB
00405826 |. C741 0C EECEB>mov dword ptr [ecx+C], C1BDCEEE
0040582D |. C741 10 AF0F7>mov dword ptr [ecx+10], F57C0FAF ; a keygen's SHA-1 must start from these same five words or no serial will match
00405834 |. 8941 14 mov [ecx+14], eax ; two zeroed words after the state -- presumably the 64-bit message length
00405837 |. 8941 18 mov [ecx+18], eax
0040583A \. C3 retn
}
004084E9 |. 8BB424 F00000>mov esi, [esp+F0] ; esi = repetition count (caller's arg5)
004084F0 |. 83FE 01 cmp esi, 1
004084F3 |. 75 1B jnz short 00408510 ; count == 1: round 1, absorb the user name once
004084F5 |. 8B8424 EC0000>mov eax, [esp+EC] ; name length (arg4)
004084FC |. 8B8C24 E00000>mov ecx, [esp+E0] ; user name (arg1)
00408503 |. 50 push eax
00408504 |. 51 push ecx
00408505 |. 8D4C24 24 lea ecx, [esp+24] ; ecx = &ctx (state words)
00408509 |. E8 C2EAFFFF call 00406FD0 ; presumably update(ctx, data, len); body not shown
0040850E |. EB 36 jmp short 00408546
00408510 |> 85F6 test esi, esi ; count != 1: later rounds
00408512 |. C705 60554100>mov dword ptr [415560], 0 ; loop counter kept in a global, not a register (the caller writes it too at 004081AA)
0040851C |. 7E 28 jle short 00408546 ; count <= 0: nothing absorbed, i.e. the hash of an empty message
0040851E |. 8BBC24 EC0000>mov edi, [esp+EC] ; edi = name length
00408525 |. 8B9C24 E00000>mov ebx, [esp+E0] ; ebx = previous round's hex string; only its first 'name length' bytes are absorbed
0040852C |> 57 /push edi
0040852D |. 53 |push ebx
0040852E |. 8D4C24 24 |lea ecx, [esp+24]
00408532 |. E8 99EAFFFF |call 00406FD0 ; update(ctx, prev, len), repeated 'count' times
00408537 |. A1 60554100 |mov eax, [415560]
0040853C |. 40 |inc eax
0040853D |. 3BC6 |cmp eax, esi
0040853F |. A3 60554100 |mov [415560], eax
00408544 |.^ 7C E6 \jl short 0040852C ; while (++counter < count)
00408546 |> 8D4C24 1C lea ecx, [esp+1C]
0040854A |. E8 41EBFFFF call 00407090 ; SHA-1 finalize (per the author; body not shown) -> 20-byte digest
0040854F |. 8B9424 E40000>mov edx, [esp+E4] ; edx = caller's output buffer (arg2)
00408556 |. 6A 00 push 0 ; /Arg2 = 00000000
00408558 |. 52 push edx ; |Arg1
00408559 |. 8D4C24 24 lea ecx, [esp+24] ; |
0040855D |. E8 0EECFFFF call 00407170 ; \digest -> ASCII hex in the output buffer (40 chars, per the caller's use)
00408562 |. 8D4C24 1C lea ecx, [esp+1C]
00408566 |. C74424 14 FFF>mov dword ptr [esp+14], -1 ; EH state -1: ctx goes out of scope
0040856E |. E8 8DD2FFFF call 00405800 ; presumably the ctx dtor (pairs with the 00405810 ctor)
00408573 |. 8B4C24 0C mov ecx, [esp+C] ; saved previous fs:[0]
00408577 |. 5F pop edi
00408578 |. 5E pop esi
00408579 |. 64:890D 00000>mov fs:[0], ecx ; unlink the SEH frame
00408580 |. 5B pop ebx
00408581 |. 83C4 0C add esp, 0C ; drop the three SEH dwords
00408584 \. C3 retn ; cdecl: the caller drops copy + args (add esp, 0D8)
【注册机源码】
sha1.inc文件可用happytown提供的,在此就不贴源代码了
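include sha1.inc                      ; SHA1Encrypt(lpData, nSize, lpDigest) from happytown's sha1.inc
                                      ; NOTE(review): the target seeds its SHA-1 state with
                                      ; D76AA478 E8C7B756 242070DB C1BDCEEE F57C0FAF (ctor 00405810),
                                      ; not the standard IV -- SHA1Encrypt must start from the same
                                      ; five words or no serial will match; confirm in sha1.inc.
.data
szFormat db "%s-%s-%s-%s-%s",0        ; serial = r1-r2-r3-r4-r5, each piece cut to 8 chars
.data?
szName db 64 dup (?)                  ; user name, 4..32 chars
szSerial db 64 dup (?)                ; scratch: input of a round, then its 40-char hex result + NUL
szEndata db 1024 dup (?)              ; SHA-1 input: (nLen-1) bytes repeated up to 16 times + NUL
                                      ; 16*32+1 = 513 bytes; the old 512 spilled one byte into szRlt
                                      ; (overwritten again by SHA1Encrypt, but still out of bounds)
szRlt db 32 dup (?)                   ; raw 20-byte digest
szTStr db 64 dup (?)                  ; lstrcpyn target: nLen <= 33 bytes; the old 32 spilled one byte
                                      ; into szRlt3[0] (later repaired by the shuffle, but still out of bounds)
; The five result buffers are 52 bytes apart in the order 3,4,2,5,1, mirroring the
; target's stack (esp+28, +5C, +90, +C4, +F8). Keep them consecutive and in this
; order unless GetSerial's shuffle loop is rewritten to address them by name.
szRlt3 db 52 dup (?)
szRlt4 db 52 dup (?)
szRlt2 db 52 dup (?)
szRlt5 db 52 dup (?)
szRlt1 db 52 dup (?)
nLen dd ?                             ; strlen(szName)+1: lstrcpyn count used by encode
nSize dd ?                            ; lstrlen(szEndata), passed to SHA1Encrypt
.code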
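;-----------------------------------------------------------------------
; hex2str(lpHStr, nLength, lpStr)            stdcall, 3 DWORD args
; Appends nLength bytes from lpHStr to the NUL-terminated string at
; lpStr as upper-case hex, two chars per byte, no separators.
; In:   lpHStr  -> source bytes
;       nLength  = byte count (0 appends nothing)
;       lpStr   -> destination; must already hold a NUL-terminated
;                  string (callers zero the buffer first)
; Out:  nothing; all registers preserved (pushad/popad).
; Fix:  nLength = 0 used to enter the do/while and wrap the counter,
;       running about 4G iterations past the source buffer.
;-----------------------------------------------------------------------
hex2str proc lpHStr:DWORD,nLength:DWORD,lpStr:DWORD
    local szTmp[4]:BYTE
    pushad
    mov esi,lpHStr                    ; esi -> next source byte
    mov edi,lpStr                     ; edi -> destination string
    mov ebx,nLength                   ; ebx = bytes left (survives the stdcall lstrcat)
    test ebx,ebx
    jz @hx_done
    mov BYTE ptr [szTmp+2],0          ; szTmp is always a 2-char string
@hx_next:
    movzx eax,BYTE ptr [esi]
    mov edx,eax
    shr eax,4                         ; al = high nibble
    and edx,0Fh                       ; dl = low nibble
    cmp al,9
    jbe @hx_hi
    add al,7                          ; 'A'..'F' instead of ':'..'?'
@hx_hi:
    add al,30h
    mov BYTE ptr [szTmp],al
    cmp dl,9
    jbe @hx_lo
    add dl,7
@hx_lo:
    add dl,30h
    mov BYTE ptr [szTmp+1],dl
    invoke lstrcat,edi,addr szTmp     ; rescans the output each time; fine for a 20-byte digest
    inc esi
    dec ebx
    jnz @hx_next
@hx_done:
    popad
    ret
hex2str endp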
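;-----------------------------------------------------------------------
; encode(nTime)                              stdcall, 1 DWORD arg
; One round of the target's scheme (004084C0): take the first nLen-1
; bytes of szSerial, repeat them nTime times, SHA-1 the result and
; write the digest back to szSerial as 40 upper-case hex chars.
; Round 1 is fed the user name; later rounds are fed the previous
; round's hex string truncated to the name length, as the target does.
; Uses:  nLen (= strlen(name)+1), szTStr, szEndata, szRlt, nSize.
; Clobbers eax, ecx, edx (stdcall scratch). ebx is now saved/restored;
; the original overwrote this callee-saved register.
; nTime <= 1 yields a single copy (0 used to loop about 4G times).
;-----------------------------------------------------------------------
encode proc nTime:DWORD
    push ebx
    invoke RtlZeroMemory,addr szEndata,sizeof szEndata
    invoke lstrcpyn,addr szTStr,addr szSerial,nLen      ; szTStr = szSerial[0 .. nLen-2] + NUL
    invoke lstrcpy,addr szEndata,addr szTStr            ; first copy
    mov ebx,nTime
@enc_more:
    dec ebx                           ; ebx = copies still to append
    jle @enc_hash
    invoke lstrcat,addr szEndata,addr szTStr
    jmp @enc_more
@enc_hash:
    invoke lstrlen,addr szEndata
    mov nSize,eax
    invoke SHA1Encrypt,addr szEndata,nSize,addr szRlt   ; 20-byte digest into szRlt
    invoke RtlZeroMemory,addr szSerial,sizeof szSerial  ; hex2str appends, so start from ""
    invoke hex2str,addr szRlt,20,addr szSerial          ; 40 hex chars + NUL
    pop ebx
    ret
encode endp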
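;-----------------------------------------------------------------------
; GetSerial(hDlg)
; Reads the name from IDC_NAME, rejects lengths outside 4..32 (the
; target's own rule), runs five rounds of encode with 1, 2, 4, 8 and
; 16 repetitions (each fed by the previous result), applies the
; target's byte shuffle (loop at 00408177), cuts every piece to 8
; chars and shows r1-r2-r3-r4-r5 in IDC_REG.
; All registers preserved (pushad/popad).
; Change: the shuffle addresses each buffer by name instead of by
; offset from szRlt3, so it no longer silently breaks if the .data?
; declarations are reordered.
;-----------------------------------------------------------------------
GetSerial proc hDlg
    pushad
    invoke RtlZeroMemory,addr szName,sizeof szName
    invoke RtlZeroMemory,addr szSerial,sizeof szSerial
    invoke GetDlgItemText,hDlg,IDC_NAME,addr szName,sizeof szName
    .if eax < 4 || eax > 32           ; eax = name length
        invoke SetDlgItemText,hDlg,IDC_REG,CTXT("Please insert between 4 and 32 chars.")
    .else
        inc eax
        mov nLen,eax                  ; strlen+1: lstrcpyn count used by encode
        invoke lstrcpy,addr szSerial,addr szName
        invoke encode,1
        invoke lstrcpy,addr szRlt1,addr szSerial
        invoke encode,2
        invoke lstrcpy,addr szRlt2,addr szSerial
        invoke encode,4
        invoke lstrcpy,addr szRlt3,addr szSerial
        invoke encode,8
        invoke lstrcpy,addr szRlt4,addr szSerial
        invoke encode,10h
        invoke lstrcpy,addr szRlt5,addr szSerial
        ; Target loop 00408177, for i = 0..7 (eax = i, ecx = -i):
        ;   r2[i] = r2[i+8]   r3[i] = r3[16-i]   r4[i] = r4[i+24]   r5[i] = r5[32-i]
        ; r1 is not shuffled, only cut to 8 chars.
        xor eax,eax
        xor ecx,ecx
@gs_shuffle:
        mov dl,szRlt2[eax+8]
        mov szRlt2[eax],dl
        mov dl,szRlt3[ecx+16]         ; negative base register: szRlt3 + 16 - i
        mov szRlt3[eax],dl
        mov dl,szRlt4[eax+24]
        mov szRlt4[eax],dl
        mov dl,szRlt5[ecx+32]
        mov szRlt5[eax],dl
        inc eax
        dec ecx
        cmp ecx,-8
        jg @gs_shuffle
        ; keep the first 8 chars of every piece (the target stores bl = 0 at +8)
        mov szRlt1[8],0
        mov szRlt2[8],0
        mov szRlt3[8],0
        mov szRlt4[8],0
        mov szRlt5[8],0
        invoke wsprintf,addr szSerial,addr szFormat,\
               addr szRlt1,addr szRlt2,addr szRlt3,addr szRlt4,addr szRlt5
        invoke SetDlgItemText,hDlg,IDC_REG,addr szSerial
    .endif
    popad
    ret
GetSerial endp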
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
附件中包括KEYGENME#1:GAS和注册机