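[Author] ryOsUkE
When reposting, please credit the Kanxue forum (看雪论坛) as the source and keep this article intact. Thank you!
This time the topic is DSA, heh. First, an introduction to what DSA is. The Digital Signature Algorithm (DSA) is a variant of the Schnorr and ElGamal signature algorithms, adopted by the US NIST as the DSS (Digital Signature Standard). The algorithm uses the following parameters:
p: a prime L bits long, where L is a multiple of 64 in the range 512 to 1024;
q: a 160-bit prime factor of p - 1;
g: g = h^((p-1)/q) mod p, where h satisfies h < p - 1 and h^((p-1)/q) mod p > 1;
x: x < q; x is the private key;
y: y = g^x mod p; ( p, q, g, y ) is the public key;
H( x ): a one-way hash function. DSS uses SHA ( Secure Hash Algorithm ).
p, q and g can be shared among a group of users, but in practice using a common modulus may introduce some risk. The signing and verification protocol is as follows:
1. P generates a random number k, k < q;
2. P computes r = ( g^k mod p ) mod q
s = ( k^(-1) (H(m) + xr)) mod q
The signature is ( m, r, s ).
3. To verify, compute w = s^(-1) mod q
u1 = ( H( m ) * w ) mod q
u2 = ( r * w ) mod q
v = (( g^u1 * y^u2 ) mod p ) mod q
If v = r, the signature is considered valid.
DSA is based on the discrete logarithm problem over finite fields of integers, and its security is roughly comparable to that of RSA. An important feature of DSA is that the two primes are public, so when you use someone else's p and q you can check, even without knowing the private key, whether they were generated randomly or have been tampered with. RSA cannot do this.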
============================================================================================
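The keygenme below illustrates the above. It is packed with a homemade packer; pressing Ctrl+F9 at the entry point goes straight to the OEP, and after dumping and repairing the IAT it is ready to go. That is not the focus here, so let's analyze the keygenme itself. It uses the MIRACL library.
[Analysis]
Input:
name:nightfox
key:12345678
Following the prompt message leads here: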
004012DE > \8D85 D4FDFFFF lea eax, [ebp-22C]
004012E4 . 50 push eax ;buffer
004012E5 . E8 16060000 call 00401900 ;md5_init
===========================================================================================
Stepping into this call:
00401900 /$ 8B4424 04 mov eax, [esp+4]
00401904 |. 33C9 xor ecx, ecx
00401906 |. 8948 14 mov [eax+14], ecx
00401909 |. 8948 10 mov [eax+10], ecx
0040190C |. C700 01234567 mov dword ptr [eax], 67452301
00401912 |. C740 04 89ABC>mov dword ptr [eax+4], EFCDAB89
00401919 |. C740 08 FEDCB>mov dword ptr [eax+8], 98BADCFE
00401920 |. C740 0C 76543>mov dword ptr [eax+C], 10325476
00401927 \. C3 retn
Very familiar; needless to say, this is the MD5 state initialization.
============================================================================================
004012EA . 83C4 04 add esp, 4
004012ED . 8A0D C6E94000 mov cl, [40E9C6]
004012F3 . 880D 40E94000 mov [40E940], cl
004012F9 . 8A15 CDE94000 mov dl, [40E9CD]
004012FF . 8815 41E94000 mov [40E941], dl
00401305 . A0 D4E94000 mov al, [40E9D4]
0040130A . A2 42E94000 mov [40E942], al
============================================================================================
Let's see what is at 40E9C6:
0040E9C0 31 32 33 34 35 36 37 38 00 00 00 00 00 00 00 00 12345678........
0040E9D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E9E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E9F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
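It is the key I entered.
40E9C6, 40E9CD and 40E9D4 are the 7th, 14th and 21st characters of the key.
Now look at 40E940:
0040E940 37 00 00 7..
So the first 3 bytes are the 7th, 14th and 21st characters of the key.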
============================================================================================
0040130F . C745 B8 43E94>mov dword ptr [ebp-48], 0040E943
00401316 . 8B8D FCFEFFFF mov ecx, [ebp-104]
0040131C . 51 push ecx ;length of the key
0040131D . 68 C0D14000 push 0040D1C0 ; ASCII "%d"
00401322 . 8B55 B8 mov edx, [ebp-48]
00401325 . 52 push edx ;buffer, address 0040E943
00401326 . E8 D5650000 call 00407900 ;sprintf
0040132B . 83C4 0C add esp, 0C
0040132E . C745 B8 45E94>mov dword ptr [ebp-48], 0040E945
00401335 . 68 B4D14000 push 0040D1B4 ; ASCII "EGBE-YEAH!!"
0040133A . 68 B0D14000 push 0040D1B0 ; ASCII "%s"
0040133F . 8B45 B8 mov eax, [ebp-48]
00401342 . 50 push eax ;buffer, address 0040E945
00401343 . E8 B8650000 call 00407900 ;sprintf
============================================================================================
After execution reaches this point:
0040E943 38 00 45 47 42 45 2D 59 45 41 48 21 21 00 00 00 8.EGBE-YEAH!!...
0040E953 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
The first two bytes represent the length of the key.
============================================================================================
00401348 . 83C4 0C add esp, 0C
0040134B . 8A0D 45E94000 mov cl, [40E945]
00401351 . 80C1 01 add cl, 1
00401354 . 880D 45E94000 mov [40E945], cl
0040135A . 8A15 46E94000 mov dl, [40E946]
00401360 . 80C2 01 add dl, 1
00401363 . 8815 46E94000 mov [40E946], dl
00401369 . A0 47E94000 mov al, [40E947]
0040136E . 04 01 add al, 1
00401370 . A2 47E94000 mov [40E947], al
00401375 . 8A0D 48E94000 mov cl, [40E948]
0040137B . 80C1 01 add cl, 1
0040137E . 880D 48E94000 mov [40E948], cl
00401384 . C605 50E94000>mov byte ptr [40E950], 0
============================================================================================
The code above transforms the characters; afterwards the memory contents are:
0040E940 37 00 00 38 00 46 48 43 46 2D 59 45 41 48 21 21 7..8.FHCF-YEAH!!
0040E950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
============================================================================================
0040138B . 6A 10 push 10
0040138D . 68 40E94000 push 0040E940
00401392 . 8D95 D4FDFFFF lea edx, [ebp-22C]
00401398 . 52 push edx
00401399 . E8 92050000 call 00401930 ;md5 update
0040139E . 83C4 0C add esp, 0C
004013A1 . 8D85 D4FDFFFF lea eax, [ebp-22C]
004013A7 . 50 push eax
004013A8 . 8D8D 10FFFFFF lea ecx, [ebp-F0] ;address of md5result
004013AE . 51 push ecx
004013AF . E8 2C060000 call 004019E0 ;md5 final
004013B4 . 83C4 08 add esp, 8
004013B7 . 8B95 34FEFFFF mov edx, [ebp-1CC] ;big md5hash
004013BD . 52 push edx
004013BE . 8D85 10FFFFFF lea eax, [ebp-F0] ;md5result
004013C4 . 50 push eax
004013C5 . 6A 10 push 10
004013C7 . E8 F4510000 call 004065C0 ;bytes_to_big(0x10,md5result,md5hash)
004013CC . 83C4 0C add esp, 0C
004013CF . 68 94D14000 push 0040D194 ; ASCII "Bn6EN1dDFrupNxw1Wk4WO5=="
004013D4 . 8B8D 04FFFFFF mov ecx, [ebp-FC]
004013DA . 51 push ecx ;md5const, an MD5 constant
004013DB . E8 A04A0000 call 00405E80 ;cinstr(md5const,"Bn6EN1dDFrupNxw1Wk4WO5==")
============================================================================================
Note that "Bn6EN1dDFrupNxw1Wk4WO5==" is in base 64; see
004011AD . C782 20020000>mov dword ptr [edx+220], 40
mir->IOBASE=64
In hexadecimal it is:
08F07090 B9 63 E1 A4
08F070A0 55 C3 71 93 BA 6B 31 74 75 43 E8 67 U民?k1tuC桤...
============================================================================================
004013E0 . 83C4 08 add esp, 8
004013E3 . 8B95 34FEFFFF mov edx, [ebp-1CC] ;md5hash
004013E9 . 52 push edx
004013EA . 8B85 04FFFFFF mov eax, [ebp-FC] ;md5const
004013F0 . 50 push eax
004013F1 . E8 CA250000 call 004039C0 ;compare(md5const,md5hash), must be equal
004013F6 . 83C4 08 add esp, 8
004013F9 . 85C0 test eax, eax
004013FB . 74 26 je short 00401423
============================================================================================
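Heh, I have no intention of brute-forcing MD5,
so let's guess:
Key:XXXXXX-XXXXXX-XXXXXX-XXXXXX, since the code earlier picked out the 7th, 14th and 21st characters.
Sure enough, just as expected.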
============================================================================================
004013FD . 6A 00 push 0
004013FF . 8D85 C4FFFFFF lea eax, [ebp-3C]
00401405 . 50 push eax
00401406 . 8D85 28FFFFFF lea eax, [ebp-D8]
0040140C . 50 push eax
0040140D . 8D85 08000000 lea eax, [ebp+8]
00401413 . 8B00 mov eax, [eax]
00401415 . 50 push eax
00401416 . 8D05 BD174000 lea eax, [4017BD]
0040141C . 50 push eax
0040141D .- FF25 A4E94000 jmp [40E9A4] ; user32.MessageBoxA
00401423 > C785 00FFFFFF>mov dword ptr [ebp-100], 0
0040142D . C785 F8FEFFFF>mov dword ptr [ebp-108], 0
00401437 . EB 0F jmp short 00401448
00401439 > 8B8D 00FFFFFF mov ecx, [ebp-100]
0040143F . 83C1 01 add ecx, 1
00401442 . 898D 00FFFFFF mov [ebp-100], ecx
00401448 > BF C0E94000 mov edi, 0040E9C0 ; ASCII "12345678"
0040144D . 83C9 FF or ecx, FFFFFFFF
00401450 . 33C0 xor eax, eax
00401452 . F2:AE repne scas byte ptr es:[edi]
00401454 . F7D1 not ecx
00401456 . 83C1 FF add ecx, -1
00401459 . 398D 00FFFFFF cmp [ebp-100], ecx
0040145F . 7D 74 jge short 004014D5
00401461 . 83BD 00FFFFFF>cmp dword ptr [ebp-100], 6
00401468 . 75 0F jnz short 00401479
0040146A . 8B95 00FFFFFF mov edx, [ebp-100]
00401470 . 83C2 01 add edx, 1
00401473 . 8995 00FFFFFF mov [ebp-100], edx
00401479 > 83BD 00FFFFFF>cmp dword ptr [ebp-100], 0D
00401480 . 75 0F jnz short 00401491
00401482 . 8B85 00FFFFFF mov eax, [ebp-100]
00401488 . 83C0 01 add eax, 1
0040148B . 8985 00FFFFFF mov [ebp-100], eax
00401491 > 83BD 00FFFFFF>cmp dword ptr [ebp-100], 14
00401498 . 75 0F jnz short 004014A9
0040149A . 8B8D 00FFFFFF mov ecx, [ebp-100]
004014A0 . 83C1 01 add ecx, 1
004014A3 . 898D 00FFFFFF mov [ebp-100], ecx
004014A9 > 8B95 F8FEFFFF mov edx, [ebp-108]
004014AF . 8B85 00FFFFFF mov eax, [ebp-100]
004014B5 . 8A88 C0E94000 mov cl, [eax+40E9C0]
004014BB . 888A 40E94000 mov [edx+40E940], cl
004014C1 . 8B95 F8FEFFFF mov edx, [ebp-108]
004014C7 . 83C2 01 add edx, 1
004014CA . 8995 F8FEFFFF mov [ebp-108], edx
004014D0 .^ E9 64FFFFFF jmp 00401439
004014D5 > C785 00FFFFFF>mov dword ptr [ebp-100], 0
============================================================================================
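The code above stores the key, with the '-' characters at positions 7, 14 and 21 removed, at 40E940. The key entered the second time was 244773-28A148-0D2158-5204F6
Memory contents: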
0040E940 32 34 34 37 37 33 32 38 41 31 34 38 30 44 32 31 24477328A1480D21
0040E950 35 38 35 32 30 34 46 36 00 00 00 00 00 00 00 00 585204F6........
Without the '-' characters, the key has 24 characters in total.
============================================================================================
004014DF . EB 0F jmp short 004014F0
004014E1 > 8B85 00FFFFFF mov eax, [ebp-100]
004014E7 . 83C0 01 add eax, 1
004014EA . 8985 00FFFFFF mov [ebp-100], eax
004014F0 > BF 40E94000 mov edi, 0040E940
004014F5 . 83C9 FF or ecx, FFFFFFFF
004014F8 . 33C0 xor eax, eax
004014FA . F2:AE repne scas byte ptr es:[edi]
004014FC . F7D1 not ecx
004014FE . 83C1 FF add ecx, -1
00401501 . 398D 00FFFFFF cmp [ebp-100], ecx
00401507 . 7D 73 jge short 0040157C
00401509 . 8B8D 00FFFFFF mov ecx, [ebp-100]
0040150F . 0FBE91 40E940>movsx edx, byte ptr [ecx+40E940]
00401516 . 83FA 41 cmp edx, 41
00401519 . 7C 12 jl short 0040152D
0040151B . 8B85 00FFFFFF mov eax, [ebp-100]
00401521 . 0FBE88 40E940>movsx ecx, byte ptr [eax+40E940]
00401528 . 83F9 46 cmp ecx, 46
0040152B . 7E 4A jle short 00401577
0040152D > 8B95 00FFFFFF mov edx, [ebp-100]
00401533 . 0FBE82 40E940>movsx eax, byte ptr [edx+40E940]
0040153A . 83F8 30 cmp eax, 30
0040153D . 7C 12 jl short 00401551
0040153F . 8B8D 00FFFFFF mov ecx, [ebp-100]
00401545 . 0FBE91 40E940>movsx edx, byte ptr [ecx+40E940]
0040154C . 83FA 39 cmp edx, 39
0040154F . 7E 26 jle short 00401577
============================================================================================
The code above checks that every character of the key is within '0'-'9' and 'A'-'Z'.
============================================================================================
00401551 > 6A 00 push 0
00401553 . 8D85 C4FFFFFF lea eax, [ebp-3C]
00401559 . 50 push eax
0040155A . 8D85 3CFEFFFF lea eax, [ebp-1C4]
00401560 . 50 push eax
00401561 . 8D85 08000000 lea eax, [ebp+8]
00401567 . 8B00 mov eax, [eax]
00401569 . 50 push eax
0040156A . 8D05 BD174000 lea eax, [4017BD]
00401570 . 50 push eax
00401571 .- FF25 A4E94000 jmp [40E9A4] ; user32.MessageBoxA
00401577 >^ E9 65FFFFFF jmp 004014E1
0040157C > 8B85 2CFEFFFF mov eax, [ebp-1D4] ;mir
00401582 . C780 20020000>mov dword ptr [eax+220], 10 ;IOBASE switched to base 16
0040158C . C745 B8 4CE94>mov dword ptr [ebp-48], 0040E94C ;last 12 characters of the key
00401593 . 8B4D B8 mov ecx, [ebp-48]
00401596 . 51 push ecx
00401597 . 8B95 20FFFFFF mov edx, [ebp-E0]
0040159D . 52 push edx ;big s for the DSA verification
0040159E . E8 DD480000 call 00405E80 ;cinstr(s, last 12 characters of Key)
004015A3 . 83C4 08 add esp, 8
004015A6 . C605 4CE94000>mov byte ptr [40E94C], 0
004015AD . 68 40E94000 push 0040E940 ;first 12 characters of the key
004015B2 . 8B85 24FFFFFF mov eax, [ebp-DC] ;big r for the DSA verification
004015B8 . 50 push eax
004015B9 . E8 C2480000 call 00405E80 ;cinstr(r, first 12 characters of Key)
004015BE . 83C4 08 add esp, 8
004015C1 . 8D8D 5CFFFFFF lea ecx, [ebp-A4]
004015C7 . 51 push ecx ;buffer
004015C8 . E8 C30E0000 call 00402490 ;SHA_Init
============================================================================================
Stepping into this call:
00402490 /$ 8B4424 04 mov eax, [esp+4]
00402494 |. 33C9 xor ecx, ecx
00402496 |. C700 01234567 mov dword ptr [eax], 67452301
0040249C |. C740 04 89ABC>mov dword ptr [eax+4], EFCDAB89
004024A3 |. C740 08 FEDCB>mov dword ptr [eax+8], 98BADCFE
004024AA |. C740 0C 76543>mov dword ptr [eax+C], 10325476
004024B1 |. C740 10 F0E1D>mov dword ptr [eax+10], C3D2E1F0
004024B8 |. 8948 14 mov [eax+14], ecx
004024BB |. 8948 18 mov [eax+18], ecx
004024BE \. C3 retn
Familiar again, isn't it? This is the SHA-1 state initialization.
============================================================================================
004015CD . 83C4 04 add esp, 4
004015D0 . 8B95 30FEFFFF mov edx, [ebp-1D0]
004015D6 . 52 push edx
004015D7 . 68 C0E84000 push 0040E8C0 ; ASCII "nightfox"
004015DC . 8D85 5CFFFFFF lea eax, [ebp-A4]
004015E2 . 50 push eax
004015E3 . E8 D80E0000 call 004024C0 ;SHA_Update
004015E8 . 83C4 0C add esp, 0C
004015EB . 8D8D 5CFFFFFF lea ecx, [ebp-A4]
004015F1 . 51 push ecx
004015F2 . 8D95 E0FEFFFF lea edx, [ebp-120]
004015F8 . 52 push edx ;address of SHA_result
004015F9 . E8 62110000 call 00402760 ;SHA_Final
============================================================================================
The code above computes SHA(name); my name is nightfox.
The SHA result should be:
D6 54 57 E1 75 C7 B8 20 95 6A 22 FA D1 D6 0B 12 91 63 EA 7A
But the actual result is:
0012FB30 02 81 30 67 88 CC 0D BD F0 60 0A A2 7A 04 BB 6E ?g?.金`.Ⅹ活
0012FB40 4E 98 4D 7A N?z.
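Presumably a modified SHA algorithm is used. Fortunately these hash algorithms are all one-way, so the routine can simply be lifted out of the program with IDA and used as-is.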
============================================================================================
004015FE . 83C4 08 add esp, 8
00401601 . 8B85 2CFEFFFF mov eax, [ebp-1D4]
00401607 . C780 20020000>mov dword ptr [eax+220], 40 ;switched back to base 64
00401611 . 68 70D14000 push 0040D170 ; ASCII "rizMjllW3niYFDZJlEEI7vyix++QkBK7="
00401616 . 8B4D C0 mov ecx, [ebp-40]
00401619 . 51 push ecx ;big p in DSA
0040161A . E8 61480000 call 00405E80 ;cinstr(p,"rizMjllW3niYFDZJlEEI7vyix++QkBK7=")
0040161F . 83C4 08 add esp, 8
00401622 . 68 64D14000 push 0040D164 ; ASCII "p911BFFR="
00401627 . 8B55 BC mov edx, [ebp-44]
0040162A . 52 push edx ;Q in DSA
0040162B . E8 50480000 call 00405E80 ;cinstr(q,"p911BFFR=")
00401630 . 83C4 08 add esp, 8
00401633 . 68 40D14000 push 0040D140 ; ASCII "jfwz34Lt7/VqvRrhYb4X+8H0A9XfEzEG="
00401638 . 8B85 08FFFFFF mov eax, [ebp-F8]
0040163E . 50 push eax ;G in DSA
0040163F . E8 3C480000 call 00405E80 ;cinstr(g,"jfwz34Lt7/VqvRrhYb4X+8H0A9XfEzEG=")
00401644 . 83C4 08 add esp, 8
00401647 . 68 1CD14000 push 0040D11C ; ASCII "qg1kJK2T1pVDWjoJ+q/VNYYg03Ij7q85="
0040164C . 8B8D 04FFFFFF mov ecx, [ebp-FC]
00401652 . 51 push ecx ;Y in DSA
00401653 . E8 28480000 call 00405E80 ;cinstr(Y,"qg1kJK2T1pVDWjoJ+q/VNYYg03Ij7q85=")
============================================================================================
The code above assigns the DSA values P, Q, G and Y.
In hexadecimal they are:
P=AE2CCC8E5956DE7898143649944108EEFCA2C7EF909012BB;
Q=A7DD75045151;
G=8DFC33DF82EDEFF56ABD1AE161BE17FBC1F403D5DF133106;
Y=AA0D6424AD93D695435A3A09FAAFD5358620D37223EEAF39;
Computed online via http://www.alpertron.com.ar/DILOG.HTM:
X=7402C34F8804F8AB2FBC5319FEF7A015D1421C8386F957F0
Note that this online calculator only accepts decimal, so a conversion is needed.
============================================================================================
00401658 . 83C4 08 add esp, 8
0040165B . 8B95 34FEFFFF mov edx, [ebp-1CC]
00401661 . 52 push edx ;big hashname
00401662 . 8D85 E0FEFFFF lea eax, [ebp-120]
00401668 . 50 push eax ;SHA_result
00401669 . 6A 14 push 14
0040166B . E8 504F0000 call 004065C0 ;bytes_to_big(20,SHA_result,hashname)
00401670 . 83C4 0C add esp, 0C
00401673 . 8B8D 20FFFFFF mov ecx, [ebp-E0] ;s
00401679 . 51 push ecx
0040167A . 8B95 20FFFFFF mov edx, [ebp-E0] ;s
00401680 . 52 push edx
00401681 . 8B85 20FFFFFF mov eax, [ebp-E0] ;s
00401687 . 50 push eax
00401688 . 8B4D BC mov ecx, [ebp-44] ;q
0040168B . 51 push ecx
0040168C . 8B95 20FFFFFF mov edx, [ebp-E0] ;s
00401692 . 52 push edx
00401693 . E8 983E0000 call 00405530 ;xgcd(s,q,s,s,s)
============================================================================================
The code above computes:
w = s^(-1)mod q
============================================================================================
00401698 . 83C4 14 add esp, 14
0040169B . 8B85 DCFEFFFF mov eax, [ebp-124] ;u1
004016A1 . 50 push eax
004016A2 . 8B4D BC mov ecx, [ebp-44] ;q
004016A5 . 51 push ecx
004016A6 . 8B55 BC mov edx, [ebp-44] ;q
004016A9 . 52 push edx
004016AA . 8B85 20FFFFFF mov eax, [ebp-E0] ;s^-1
004016B0 . 50 push eax
004016B1 . 8B8D 20FFFFFF mov ecx, [ebp-E0] ;s^-1
004016B7 . 51 push ecx
004016B8 . 8B95 34FEFFFF mov edx, [ebp-1CC] ;hashname
004016BE . 52 push edx
004016BF . E8 8C370000 call 00404E50 ;mad(hashname,s^-1,s^-1,q,q,u1)
============================================================================================
The code above computes:
u1 = ( H( m ) * w ) mod q
============================================================================================
004016C4 . 83C4 18 add esp, 18
004016C7 . 8B85 38FEFFFF mov eax, [ebp-1C8] ;u2
004016CD . 50 push eax
004016CE . 8B4D BC mov ecx, [ebp-44] ;q
004016D1 . 51 push ecx
004016D2 . 8B55 BC mov edx, [ebp-44] ;q
004016D5 . 52 push edx
004016D6 . 8B85 20FFFFFF mov eax, [ebp-E0] ;s^-1
004016DC . 50 push eax
004016DD . 8B8D 20FFFFFF mov ecx, [ebp-E0] ;s^-1
004016E3 . 51 push ecx
004016E4 . 8B95 24FFFFFF mov edx, [ebp-DC] ;r
004016EA . 52 push edx
004016EB . E8 60370000 call 00404E50 ;mad(r,s^-1,s^-1,q,q,u2)
============================================================================================
The code above computes:
u2 = ( r * w ) mod q
============================================================================================
004016F0 . 83C4 18 add esp, 18
004016F3 . 8B85 0CFFFFFF mov eax, [ebp-F4] ;v
004016F9 . 50 push eax
004016FA . 8B4D C0 mov ecx, [ebp-40] ;p
004016FD . 51 push ecx
004016FE . 8B95 38FEFFFF mov edx, [ebp-1C8] ;u2
00401704 . 52 push edx
00401705 . 8B85 04FFFFFF mov eax, [ebp-FC] ;y
0040170B . 50 push eax
0040170C . 8B8D DCFEFFFF mov ecx, [ebp-124] ;u1
00401712 . 51 push ecx
00401713 . 8B95 08FFFFFF mov edx, [ebp-F8] ;g
00401719 . 52 push edx
0040171A . E8 713D0000 call 00405490 ;powmod2(g,u1,y,u2,p,v)
0040171F . 83C4 18 add esp, 18
00401722 . 8B45 BC mov eax, [ebp-44]
00401725 . 50 push eax ;q
00401726 . 8B4D BC mov ecx, [ebp-44]
00401729 . 51 push ecx ;q
0040172A . 8B95 0CFFFFFF mov edx, [ebp-F4]
00401730 . 52 push edx ;v
00401731 . E8 7A2D0000 call 004044B0 ;divide(v,q,q)
============================================================================================
The code above computes:
v = (( g^u1 * y^u2 ) mod p ) mod q
============================================================================================
00401736 . 83C4 0C add esp, 0C
00401739 . 8B85 24FFFFFF mov eax, [ebp-DC] ;r
0040173F . 50 push eax
00401740 . 8B8D 0CFFFFFF mov ecx, [ebp-F4] ;v
00401746 . 51 push ecx
00401747 . E8 74220000 call 004039C0 ;compare(v,r)
============================================================================================
If v = r, the signature is considered valid.
============================================================================================
0040174C . 83C4 08 add esp, 8
0040174F . 85C0 test eax, eax
00401751 . 74 28 je short 0040177B
00401753 . 6A 00 push 0
00401755 . 8D85 C4FFFFFF lea eax, [ebp-3C]
0040175B . 50 push eax
0040175C . 8D85 68FEFFFF lea eax, [ebp-198]
00401762 . 50 push eax
00401763 . 8D85 08000000 lea eax, [ebp+8]
00401769 . 8B00 mov eax, [eax]
0040176B . 50 push eax
0040176C . 8D05 BD174000 lea eax, [4017BD]
00401772 . 50 push eax
00401773 .- FF25 A4E94000 jmp [40E9A4] ; user32.MessageBoxA
00401779 . EB 26 jmp short 004017A1
0040177B > 6A 00 push 0
0040177D . 8D85 D0FFFFFF lea eax, [ebp-30]
00401783 . 50 push eax
00401784 . 8D85 8CFEFFFF lea eax, [ebp-174]
0040178A . 50 push eax
0040178B . 8D85 08000000 lea eax, [ebp+8]
00401791 . 8B00 mov eax, [eax]
00401793 . 50 push eax
00401794 . 8D05 BD174000 lea eax, [4017BD]
0040179A . 50 push eax
0040179B .- FF25 A4E94000 jmp [40E9A4] ; user32.MessageBoxA
004017A1 > 33D2 xor edx, edx
004017A3 . 85D2 test edx, edx
004017A5 . 74 16 je short 004017BD
004017A7 . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004017A9 . 68 10D14000 push 0040D110 ; |Title = "!!!!!!:)"
004017AE . 68 08D14000 push 0040D108 ; |Text = "HIHI.."
004017B3 . 8B45 08 mov eax, [ebp+8] ; |
004017B6 . 50 push eax ; |hOwner
004017B7 . FF15 B8C04000 call [<&user32.MessageBoxA>] ; \MessageBoxA
004017BD > 8B8D 04FFFFFF mov ecx, [ebp-FC]
004017C3 . 51 push ecx
004017C4 . E8 671C0000 call 00403430
004017C9 . 83C4 04 add esp, 4
004017CC . 8B95 08FFFFFF mov edx, [ebp-F8]
004017D2 . 52 push edx
004017D3 . E8 581C0000 call 00403430
004017D8 . 83C4 04 add esp, 4
004017DB . 8B45 BC mov eax, [ebp-44]
004017DE . 50 push eax
004017DF . E8 4C1C0000 call 00403430
004017E4 . 83C4 04 add esp, 4
004017E7 . 8B4D C0 mov ecx, [ebp-40]
004017EA . 51 push ecx
004017EB . E8 401C0000 call 00403430
004017F0 . 83C4 04 add esp, 4
004017F3 . 8B95 0CFFFFFF mov edx, [ebp-F4]
004017F9 . 52 push edx
004017FA . E8 311C0000 call 00403430
004017FF . 83C4 04 add esp, 4
00401802 . 8B85 38FEFFFF mov eax, [ebp-1C8]
00401808 . 50 push eax
00401809 . E8 221C0000 call 00403430
0040180E . 83C4 04 add esp, 4
00401811 . 8B8D DCFEFFFF mov ecx, [ebp-124]
00401817 . 51 push ecx
00401818 . E8 131C0000 call 00403430
0040181D . 83C4 04 add esp, 4
00401820 . 8B95 20FFFFFF mov edx, [ebp-E0]
00401826 . 52 push edx
00401827 . E8 041C0000 call 00403430
0040182C . 83C4 04 add esp, 4
0040182F . 8B85 24FFFFFF mov eax, [ebp-DC]
00401835 . 50 push eax
00401836 . E8 F51B0000 call 00403430
0040183B . 83C4 04 add esp, 4
0040183E . 8B8D 34FEFFFF mov ecx, [ebp-1CC]
00401844 . 51 push ecx
00401845 . E8 E61B0000 call 00403430
0040184A . 83C4 04 add esp, 4
0040184D . E8 FE1B0000 call 00403450
00401852 . EB 16 jmp short 0040186A
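[Summary]
As the analysis shows, this keygenme uses the DSA verification procedure, so the keygen just needs to follow the signing procedure; see the keygen code for details. The SHA part was lifted directly from the source code.
Thank you for reading this far.
To be continued...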
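The verification flow traced above (the two cinstr calls for r and s, then xgcd, two mad calls, powmod2, divide and compare), as an added Python example that is not the author's keygen and not code from the keygenme. It goes slightly beyond the listing by generating constructed toy parameters with a 48-bit q and signing with a constructed private key; plain SHA-1 stands in for the program's modified SHA, and all function names are hypothetical.

```python
import hashlib
import secrets

# Miller-Rabin witnesses; this set is deterministic for every n < 2**64.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params():
    """Constructed toy (p, q, g) with a 48-bit q; not the keygenme's values."""
    q = next(n for n in range((1 << 47) + 1, 1 << 48, 2) if is_prime(n))
    k = 1
    while not is_prime(2 * k * q + 1):
        k += 1
    p, h = 2 * k * q + 1, 2
    while pow(h, (p - 1) // q, p) == 1:      # need g = h^((p-1)/q) mod p > 1
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def H(name):
    # Assumption: plain SHA-1; the keygenme uses a modified SHA variant.
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big")

def sign(name, x, p, q, g):
    while True:
        k = secrets.randbelow(q - 1) + 1               # fresh k, 0 < k < q
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (H(name) + x * r) % q
        if r and s:                                    # 12 hex digits each
            return "-".join(f"{r:012X}{s:012X}"[i:i + 6] for i in range(0, 24, 6))

def parse_key(key):
    """XXXXXX-XXXXXX-XXXXXX-XXXXXX -> (r, s), or None when malformed."""
    if len(key) != 27 or any(key[i] != "-" for i in (6, 13, 20)):
        return None
    raw = key[:6] + key[7:13] + key[14:20] + key[21:]
    if any(c not in "0123456789ABCDEF" for c in raw):
        return None
    return int(raw[:12], 16), int(raw[12:], 16)        # r first, s second

def verify(name, key, p, q, g, y):
    r, s = parse_key(key) or (0, 0)
    if not (0 < r < q and 0 < s < q):                  # standard DSA range check
        return False
    w = pow(s, -1, q)                                  # xgcd(s,q,s,s,s)
    u1, u2 = H(name) * w % q, r * w % q                # the two mad() calls
    v = pow(g, u1, p) * pow(y, u2, p) % p % q          # powmod2(), then divide()
    return v == r
```

A 48-bit q is far below the 160-bit subgroup size given in the parameter list at the top of the article, which is why the private key here could be recovered with an online discrete-logarithm calculator.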