【作者】ryOsUkE
转载请注明出处来自看雪论坛,以及本文的完整性,谢谢!
这个主题是ECC(Elliptic Curves Cryptography,椭圆曲线密码编码学),有关ECC的知识,zmworm大侠的一篇文章有了很深入的介绍,见http://zmworm.haha567.com/index.php?job=art&articleid=a_20040711_113809,看雪精华6上面也有。
小生也有一篇拙文:http://bbs.pediy.com/showthread.php?s=&threadid=26590
这里关于基础知识的介绍就不再累赘了,可以看看zmworm大侠的文章。
今天我主要想通过一个KeyGenMe,让大家对ECC有个感性的认识,这个KeyGenMe实际上没有用到ECC加密,只不过涉及到椭圆曲线的相关计算,不过也好,我觉得比较简单,比较适合入门。
KeyGenMe在附件里,用到miracl库,呵呵,这个是老版本的miracl库,用目前的办法分析不出来函数。
=========================================================================================
【分析】
输入
name:nightfox
v-code:1
registration code:12345678
根据错误提示来到
00401286 |> \8D8C24 A40000>lea ecx, [esp+A4]
0040128D |. 51 push ecx
0040128E |. 6A 41 push 41
00401290 |. 6A 0D push 0D
00401292 |. 68 F2030000 push 3F2
00401297 |. 57 push edi
00401298 |. FFD6 call esi
0040129A |. 85C0 test eax, eax ;sn的长度
0040129C |. 8BF0 mov esi, eax
0040129E |. 0F84 81040000 je 00401725
004012A4 |. 33D2 xor edx, edx
004012A6 |. 85C0 test eax, eax
004012A8 |. 76 23 jbe short 004012CD
004012AA |> 8A8C14 A40000>/mov cl, [esp+edx+A4]
004012B1 |. 80F9 30 |cmp cl, 30
004012B4 |. 73 01 |jnb short 004012B7
004012B6 |. 4E |dec esi
004012B7 |> 80F9 46 |cmp cl, 46
004012BA |. 76 01 |jbe short 004012BD
004012BC |. 4E |dec esi
004012BD |> 80F9 39 |cmp cl, 39
004012C0 |. 76 06 |jbe short 004012C8
004012C2 |. 80F9 41 |cmp cl, 41
004012C5 |. 73 01 |jnb short 004012C8
004012C7 |. 4E |dec esi
004012C8 |> 42 |inc edx
004012C9 |. 3BD6 |cmp edx, esi
004012CB |.^ 72 DD \jb short 004012AA
=========================================================================================
上面是验证sn必须娶自'0'-'9','A'-'F'
=========================================================================================
004012CD |> 33C6 xor eax, esi
004012CF |. 74 1E je short 004012EF
004012D1 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004012D3 |. 68 10E24000 push 0040E210 ; |bad *luck*
004012D8 |. 68 C4E14000 push 0040E1C4 ; |using your brain (and some tools) might help more than wild guessing ;-)
004012DD |. 57 push edi ; |hOwner
004012DE |. FF15 CC214100 call [<&user32.MessageBoxA>] ; \MessageBoxA
004012E4 |. 5F pop edi
004012E5 |. 5E pop esi
004012E6 |. 5D pop ebp
004012E7 |. 5B pop ebx
004012E8 |. 81C4 94010000 add esp, 194
004012EE |. C3 retn
004012EF |> 8B15 F80D4100 mov edx, [410DF8] ; mir*
004012F5 |. 6A 00 push 0 ; /(initial cpu selection)
004012F7 |. C782 38020000>mov dword ptr [edx+238], 10 ; |16进制
00401301 |. E8 1A2D0000 call 00404020 ; \mirvar(0)
00401306 |. 83C4 04 add esp, 4
00401309 |. 894424 1C mov [esp+1C], eax
0040130D |. 6A 00 push 0 ; /Arg1 = 00000000
0040130F |. E8 0C2D0000 call 00404020 ; \mirvar(0)
00401314 |. 83C4 04 add esp, 4
00401317 |. 894424 24 mov [esp+24], eax
0040131B |. 6A 00 push 0 ; /Arg1 = 00000000
0040131D |. E8 FE2C0000 call 00404020 ; \mirvar(0)
00401322 |. 83C4 04 add esp, 4
00401325 |. 894424 20 mov [esp+20], eax
00401329 |. 6A 00 push 0 ; /Arg1 = 00000000
0040132B |. E8 F02C0000 call 00404020 ; \mirvar(0)
00401330 |. 83C4 04 add esp, 4
00401333 |. 894424 28 mov [esp+28], eax
00401337 |. 6A FD push -3 ; /Arg1 = FFFFFFFD
00401339 |. E8 E22C0000 call 00404020 ; \big a=mirvar(-3)
0040133E |. 83C4 04 add esp, 4
00401341 |. 894424 2C mov [esp+2C], eax
00401345 |. 6A 00 push 0 ; /Arg1 = 00000000
00401347 |. E8 D42C0000 call 00404020 ; \mirvar(0)
0040134C |. 83C4 04 add esp, 4
0040134F |. 8BE8 mov ebp, eax
00401351 |. 896C24 34 mov [esp+34], ebp
00401355 |. 6A 00 push 0 ; /Arg1 = 00000000
00401357 |. E8 C42C0000 call 00404020 ; \mirvar(0)
0040135C |. 83C4 04 add esp, 4
0040135F |. 8BF8 mov edi, eax
00401361 |. 68 98E14000 push 0040E198 ; "ADF85458A2BB4A9AAFDC5620273D3CF1D8B9C841"
00401366 |. 55 push ebp ; |big b
00401367 |. E8 04440000 call 00405770 ; \cinstr(b,"ADF85458A2BB4A9AAFDC5620273D3CF1D8B9C841")
0040136C |. 83C4 08 add esp, 8
0040136F |. 6A 00 push 0 ; /Arg1 = 00000000
00401371 |. E8 AA2C0000 call 00404020 ; \mirvar(0)
00401376 |. 83C4 04 add esp, 4
00401379 |. 8BD8 mov ebx, eax
0040137B |. 6A 00 push 0 ; /Arg1 = 00000000
0040137D |. E8 9E2C0000 call 00404020 ; \mirvar(0)
00401382 |. 83C4 04 add esp, 4
00401385 |. 8BF0 mov esi, eax
00401387 |. 68 6CE14000 push 0040E16C ;C90FDAA22168C234C4C6628B80DC1CD129024E20
0040138C |. 57 push edi ; big p
0040138D |. E8 DE430000 call 00405770 ; cinstr(p,"C90FDAA22168C234C4C6628B80DC1CD129024E20")
00401392 |. 83C4 08 add esp, 8
00401395 |. 6A 00 push 0 ; /Arg1 = 00000000
00401397 |. E8 842C0000 call 00404020 ; \mirvar(0)
0040139C |. 83C4 04 add esp, 4
0040139F |. 894424 30 mov [esp+30], eax
004013A3 |. 68 40E14000 push 0040E140 ;1C341C34E32D5EC8F3DC83E7DA1A9DAC84E26624
004013A8 |. 50 push eax ;点p1的x坐标
004013A9 |. E8 C2430000 call 00405770 ; \cinstr
004013AE |. 83C4 08 add esp, 8
004013B1 |. 57 push edi ; /p
004013B2 |. 6A 01 push 1 ; |1
004013B4 |. 57 push edi ; |p
004013B5 |. E8 66430000 call 00405720 ; \decr(p,1,p) p=p-1 p是质数
004013BA |. 83C4 0C add esp, 0C
004013BD |. 8D4424 4C lea eax, [esp+4C]
004013C1 |. 50 push eax ;md5_state
004013C2 |. E8 C9080000 call 00401C90 ; md5_init
=========================================================================================
进去后
00401C90 /$ 8B4424 04 mov eax, [esp+4]
00401C94 |. 33C9 xor ecx, ecx
00401C96 |. 8948 14 mov [eax+14], ecx
00401C99 |. 8948 10 mov [eax+10], ecx
00401C9C |. C700 01234567 mov dword ptr [eax], 67452301
00401CA2 |. C740 04 89ABC>mov dword ptr [eax+4], EFCDAB89
00401CA9 |. C740 08 FEDCB>mov dword ptr [eax+8], 98BADCFE
00401CB0 |. C740 0C 76543>mov dword ptr [eax+C], 10325476
00401CB7 \. C3 retn
很熟悉,md5的初始化
=========================================================================================
004013C7 |. 8B4C24 18 mov ecx, [esp+18]
004013CB |. 83C4 04 add esp, 4
004013CE |. 8D9424 240100>lea edx, [esp+124]
004013D5 |. 8D4424 4C lea eax, [esp+4C]
004013D9 |. 51 push ecx ;name size
004013DA |. 52 push edx ;name
004013DB |. 50 push eax ;&md5_state
004013DC |. E8 DF080000 call 00401CC0 ; md5_update
004013E1 |. 83C4 0C add esp, 0C
004013E4 |. 8D4C24 4C lea ecx, [esp+4C]
004013E8 |. 8D5424 3C lea edx, [esp+3C]
004013EC |. 51 push ecx ; md5_state
004013ED |. 52 push edx ; md5_digest
004013EE |. E8 7D090000 call 00401D70 ; md5_final
=========================================================================================
上面是计算md5(name),我输入的name是nightfox,应该是
06 F6 42 A1 74 36 2E B5 77 1E 93 C5 C3 71 5B FE
实际上的md5摘要是
0012F8F4 68 2A 80 48 D9 4D EF 2D 1A C9 55 8A 45 DB 36 A3 h*?偻?烧??
与上面值不符合,估计用到了md5的变形,好在有ida,直接抓下来用。
=========================================================================================
004013F3 |. A1 F80D4100 mov eax, [410DF8]
004013F8 |. 83C4 08 add esp, 8
004013FB |. C780 38020000>mov dword ptr [eax+238], 100 ; BASE 256
00401405 |. 8B0D F80D4100 mov ecx, [410DF8]
0040140B |. 8D5424 3C lea edx, [esp+3C]
0040140F |. C781 48020000>mov dword ptr [ecx+248], 10 ;16进制
00401419 |. 52 push edx ; /md5_digest
0040141A |. 53 push ebx ; |hashname
0040141B |. E8 50430000 call 00405770 ; \cinstr(hashname,md5_digest)
00401420 |. A1 F80D4100 mov eax, [410DF8]
00401425 |. 83C4 08 add esp, 8
00401428 |. 68 2CE14000 push 0040E12C ; "AB6853BDD1100F57"
0040142D |. 56 push esi ; |hashmod
0040142E |. C780 38020000>mov dword ptr [eax+238], 10 ; |16进制
00401438 |. E8 33430000 call 00405770 ; \cinstr(hashmod,"AB6853BDD1100F57")
0040143D |. 83C4 08 add esp, 8
00401440 |. 53 push ebx ; /hashname
00401441 |. 56 push esi ; |hashmod
00401442 |. 6A 03 push 3 ; |3
00401444 |. 53 push ebx ; |hashname
00401445 |. E8 D63C0000 call 00405120 ; \powmod(hashname,3,hashmod,hashname)
0040144A |. 83C4 10 add esp, 10
=========================================================================================
上面计算hashname=hashname^3 mod hashmod
=========================================================================================
0040144D |. 8D8C24 A40000>lea ecx, [esp+A4]
00401454 |. 51 push ecx ; /输入的sn字符串
00401455 |. 56 push esi ; |sn
00401456 |. E8 15430000 call 00405770 ; \cinstr(sn,输入的sn字符串)
0040145B |. 8B5424 30 mov edx, [esp+30]
0040145F |. 83C4 08 add esp, 8
00401462 |. 68 00E14000 push 0040E100 ;"C90FDAA22168C234C4C5D89F4F2DD72349EE61F7"
00401467 |. 52 push edx ; |order这个值是ECC的阶,可惜没有用到
00401468 |. E8 03430000 call 00405770 ; \cinstr
0040146D |. 8B4424 34 mov eax, [esp+34]
00401471 |. 83C4 08 add esp, 8
00401474 |. 6A 01 push 1 ; MR_AFFINE
00401476 |. 57 push edi ; p
00401477 |. 55 push ebp ; b
00401478 |. 50 push eax ; a
00401479 |. E8 72130000 call 004027F0 ; ecurve_init(a,b,p,MR_AFFINE)
0040147E |. 83C4 10 add esp, 10
=========================================================================================
初始化ecc
y^2=x^3+a*x+b mod p
=========================================================================================
00401481 |. E8 BA140000 call 00402940 ; p1 = epoint_init
00401486 |. 8B4C24 1C mov ecx, [esp+1C]
0040148A |. 68 D4E04000 push 0040E0D4 ;"902166CCF366300FAF8B1CCA939C1280E5450F40"
0040148F |. 51 push ecx ; |点p1的y坐标 p1y
00401490 |. 8BE8 mov ebp, eax ; |
00401492 |. E8 D9420000 call 00405770 ; \cinstr
00401497 |. 8B5424 2C mov edx, [esp+2C]
0040149B |. 83C4 08 add esp, 8
0040149E |. 68 A8E04000 push 0040E0A8 ;5A3884AF3E676F49470F441CBEEBE7C0B1D9DF66
004014A3 |. 52 push edx ; 点p2的x坐标 p2x
004014A4 |. E8 C7420000 call 00405770 ; cinstr
004014A9 |. 8B4424 24 mov eax, [esp+24]
004014AD |. 8B4C24 38 mov ecx, [esp+38]
004014B1 |. 83C4 08 add esp, 8
004014B4 |. 55 push ebp ; p1
004014B5 |. 6A 00 push 0 ; 0
004014B7 |. 50 push eax ; p1y
004014B8 |. 51 push ecx ; p1x
004014B9 |. E8 12150000 call 004029D0 ; epoint_set(p1x,p1y,0,p1); 设置p1
004014BE |. 8B5424 30 mov edx, [esp+30]
004014C2 |. 83C4 10 add esp, 10
004014C5 |. 68 7CE04000 push 0040E07C ;12C34484F6C34BB886EEE052ACC6247098BEDC3C
004014CA |. 52 push edx ; 点p2的y坐标 p2y
004014CB |. E8 A0420000 call 00405770 ; cinstr
004014D0 |. 83C4 08 add esp, 8
004014D3 |. E8 68140000 call 00402940 ; p2 = epoint_init
004014D8 |. 8B4C24 24 mov ecx, [esp+24]
004014DC |. 894424 14 mov [esp+14], eax
004014E0 |. 50 push eax ; p2
004014E1 |. 8B4424 24 mov eax, [esp+24] ;
004014E5 |. 6A 00 push 0 ;0
004014E7 |. 50 push eax ; p2y
004014E8 |. 51 push ecx ; p2x
004014E9 |. E8 E2140000 call 004029D0 ; epoint_set(p2x,p2y,0,p2); 设置p2
004014EE |. 83C4 10 add esp, 10
004014F1 |. E8 4A140000 call 00402940 ;sn_point3 = epoint_init
004014F6 |. 894424 18 mov [esp+18], eax
004014FA |. E8 41140000 call 00402940 ;hash_p4 = epoint_init
004014FF |. 8B5424 18 mov edx, [esp+18] ; p3
00401503 |. 894424 10 mov [esp+10], eax
00401507 |. 8B4424 38 mov eax, [esp+38]
0040150B |. 52 push edx ; sn_point3
0040150C |. 50 push eax ; 1
0040150D |. 56 push esi ; sn
0040150E |. 56 push esi ; sn
0040150F |. E8 BC140000 call 004029D0 ; epoint_set(sn,sn,1,sn_point3)
00401514 |. 83C4 10 add esp, 10
00401517 |. 85C0 test eax, eax
00401519 |. 0F85 CB000000 jnz 004015EA ; sn_point3必须在ecc上面
0040151F |. 55 push ebp ; /Arg1
00401520 |. E8 6B140000 call 00402990 ; \dumped_.00402990
00401525 |. 8B4C24 18 mov ecx, [esp+18]
00401529 |. 83C4 04 add esp, 4
0040152C |. 51 push ecx ; /Arg1
0040152D |. E8 5E140000 call 00402990 ; \dumped_.00402990
00401532 |. 8B5424 1C mov edx, [esp+1C]
00401536 |. 83C4 04 add esp, 4
00401539 |. 52 push edx ; /Arg1
0040153A |. E8 51140000 call 00402990 ; \dumped_.00402990
0040153F |. 8B4424 14 mov eax, [esp+14]
00401543 |. 83C4 04 add esp, 4
00401546 |. 50 push eax ; /Arg1
00401547 |. E8 44140000 call 00402990 ; \dumped_.00402990
0040154C |. 8B4C24 34 mov ecx, [esp+34]
00401550 |. 83C4 04 add esp, 4
00401553 |. 51 push ecx ; /Arg1
00401554 |. E8 87300000 call 004045E0 ; \dumped_.004045E0
00401559 |. 8B5424 20 mov edx, [esp+20]
0040155D |. 83C4 04 add esp, 4
00401560 |. 52 push edx ; /Arg1
00401561 |. E8 7A300000 call 004045E0 ; \dumped_.004045E0
00401566 |. 8B4424 28 mov eax, [esp+28]
0040156A |. 83C4 04 add esp, 4
0040156D |. 50 push eax ; /Arg1
0040156E |. E8 6D300000 call 004045E0 ; \dumped_.004045E0
00401573 |. 8B4C24 24 mov ecx, [esp+24]
00401577 |. 83C4 04 add esp, 4
0040157A |. 51 push ecx ; /Arg1
0040157B |. E8 60300000 call 004045E0 ; \dumped_.004045E0
00401580 |. 83C4 04 add esp, 4
00401583 |. 57 push edi ; /Arg1
00401584 |. E8 57300000 call 004045E0 ; \dumped_.004045E0
00401589 |. 8B5424 2C mov edx, [esp+2C]
0040158D |. 83C4 04 add esp, 4
00401590 |. 52 push edx ; /Arg1
00401591 |. E8 4A300000 call 004045E0 ; \dumped_.004045E0
00401596 |. 8B4424 30 mov eax, [esp+30]
0040159A |. 83C4 04 add esp, 4
0040159D |. 50 push eax ; /Arg1
0040159E |. E8 3D300000 call 004045E0 ; \dumped_.004045E0
004015A3 |. 8B4C24 38 mov ecx, [esp+38]
004015A7 |. 83C4 04 add esp, 4
004015AA |. 51 push ecx ; /Arg1
004015AB |. E8 30300000 call 004045E0 ; \dumped_.004045E0
004015B0 |. 83C4 04 add esp, 4
004015B3 |. 53 push ebx ; /Arg1
004015B4 |. E8 27300000 call 004045E0 ; \dumped_.004045E0
004015B9 |. 83C4 04 add esp, 4
004015BC |. 56 push esi ; /Arg1
004015BD |. E8 1E300000 call 004045E0 ; \dumped_.004045E0
004015C2 |. 8B9424 AC0100>mov edx, [esp+1AC]
004015C9 |. 83C4 04 add esp, 4
004015CC |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004015CE |. 68 10E24000 push 0040E210 ; |bad *luck*
004015D3 |. 68 C4E14000 push 0040E1C4 ; |using your brain (and some tools) might help more than wild guessing ;-)
004015D8 |. 52 push edx ; |hOwner
004015D9 |. FF15 CC214100 call [<&user32.MessageBoxA>] ; \MessageBoxA
004015DF |. 5F pop edi
004015E0 |. 5E pop esi
004015E1 |. 5D pop ebp
004015E2 |. 5B pop ebx
004015E3 |. 81C4 94010000 add esp, 194
004015E9 |. C3 retn
004015EA |> 8B4424 10 mov eax, [esp+10] ; hash_p4
004015EE |. 50 push eax ; hash_p4
004015EF |. 55 push ebp ; p1
004015F0 |. 53 push ebx ; hashname
004015F1 |. E8 9A230000 call 00403990 ; ecurve_mult(hashname,p1,hash_p4);
=========================================================================================
计算
hash_p4=hashname*p1
=========================================================================================
004015F6 |. 8B4C24 1C mov ecx, [esp+1C]
004015FA |. 8B5424 20 mov edx, [esp+20]
004015FE |. 83C4 0C add esp, 0C
00401601 |. 51 push ecx ; hash_p4
00401602 |. 52 push edx ; p2
00401603 |. E8 28230000 call 00403930 ; ecurve_sub(p2,hash_p4);
=========================================================================================
计算
hash_p4=hash_p4-p2;
=========================================================================================
00401608 |. 83C4 08 add esp, 8
0040160B |. 55 push ebp ; p1
0040160C |. 55 push ebp ; p1
0040160D |. E8 0E190000 call 00402F20 ; ecure_add(p1,p1)
=========================================================================================
计算
p1=p1+p1
=========================================================================================
00401612 |. 8B4424 20 mov eax, [esp+20]
00401616 |. 83C4 08 add esp, 8
00401619 |. 50 push eax ; sn_point3
0040161A |. 55 push ebp ; p1
0040161B |. E8 00190000 call 00402F20 ; ecure_add(p1,sn_point3)
=========================================================================================
计算
sn_point3=p1+sn_point3
=========================================================================================
00401620 |. 8B4C24 18 mov ecx, [esp+18]
00401624 |. 8B5424 20 mov edx, [esp+20]
00401628 |. 83C4 08 add esp, 8
0040162B |. 51 push ecx ; hash_p4
0040162C |. 52 push edx ; sn_point3
0040162D |. E8 6E180000 call 00402EA0 ; compare(sn_point3,hash_p4)
00401632 |. 83C4 08 add esp, 8
00401635 |. 83F8 01 cmp eax, 1
00401638 |. 75 20 jnz short 0040165A ;相等则注册成功
0040163A |. 8B8424 A80100>mov eax, [esp+1A8]
00401641 |. 8B0D 080E4100 mov ecx, [410E08] ; dumped_.00400000
00401647 |. 6A 00 push 0 ; /lParam = NULL
00401649 |. 68 00104000 push 00401000 ; |DlgProc = dumped_.00401000
0040164E |. 50 push eax ; |hOwner
0040164F |. 6A 76 push 76 ; |pTemplate = 76
00401651 |. 51 push ecx ; |hInst => 00400000
00401652 |. FF15 C4214100 call [<&user32.DialogBoxParamA>] ; \DialogBoxParamA
00401658 |. EB 1A jmp short 00401674
0040165A |> 8B9424 A80100>mov edx, [esp+1A8]
00401661 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401663 |. 68 70E04000 push 0040E070 ; |bad luck
00401668 |. 68 50E04000 push 0040E050 ; |registration code is invalid!
0040166D |. 52 push edx ; |hOwner
0040166E |. FF15 CC214100 call [<&user32.MessageBoxA>] ; \MessageBoxA
00401674 |> 55 push ebp ; /Arg1
00401675 |. E8 16130000 call 00402990 ; \dumped_.00402990
0040167A |. 8B4424 18 mov eax, [esp+18]
0040167E |. 83C4 04 add esp, 4
00401681 |. 50 push eax ; /Arg1
00401682 |. E8 09130000 call 00402990 ; \dumped_.00402990
00401687 |. 8B4C24 1C mov ecx, [esp+1C]
0040168B |. 83C4 04 add esp, 4
0040168E |. 51 push ecx ; /Arg1
0040168F |. E8 FC120000 call 00402990 ; \dumped_.00402990
00401694 |. 8B5424 14 mov edx, [esp+14]
00401698 |. 83C4 04 add esp, 4
0040169B |. 52 push edx ; /Arg1
0040169C |. E8 EF120000 call 00402990 ; \dumped_.00402990
004016A1 |. 8B4424 34 mov eax, [esp+34]
004016A5 |. 83C4 04 add esp, 4
004016A8 |. 50 push eax ; /Arg1
004016A9 |. E8 322F0000 call 004045E0 ; \dumped_.004045E0
004016AE |. 8B4C24 20 mov ecx, [esp+20]
004016B2 |. 83C4 04 add esp, 4
004016B5 |. 51 push ecx ; /Arg1
004016B6 |. E8 252F0000 call 004045E0 ; \dumped_.004045E0
004016BB |. 8B5424 28 mov edx, [esp+28]
004016BF |. 83C4 04 add esp, 4
004016C2 |. 52 push edx ; /Arg1
004016C3 |. E8 182F0000 call 004045E0 ; \dumped_.004045E0
004016C8 |. 8B4424 24 mov eax, [esp+24]
004016CC |. 83C4 04 add esp, 4
004016CF |. 50 push eax ; /Arg1
004016D0 |. E8 0B2F0000 call 004045E0 ; \dumped_.004045E0
004016D5 |. 83C4 04 add esp, 4
004016D8 |. 57 push edi ; /Arg1
004016D9 |. E8 022F0000 call 004045E0 ; \dumped_.004045E0
004016DE |. 8B4C24 2C mov ecx, [esp+2C]
004016E2 |. 83C4 04 add esp, 4
004016E5 |. 51 push ecx ; /Arg1
004016E6 |. E8 F52E0000 call 004045E0 ; \dumped_.004045E0
004016EB |. 8B5424 30 mov edx, [esp+30]
004016EF |. 83C4 04 add esp, 4
004016F2 |. 52 push edx ; /Arg1
004016F3 |. E8 E82E0000 call 004045E0 ; \dumped_.004045E0
004016F8 |. 8B4424 38 mov eax, [esp+38]
004016FC |. 83C4 04 add esp, 4
004016FF |. 50 push eax ; /Arg1
00401700 |. E8 DB2E0000 call 004045E0 ; \dumped_.004045E0
00401705 |. 83C4 04 add esp, 4
00401708 |. 53 push ebx ; /Arg1
00401709 |. E8 D22E0000 call 004045E0 ; \dumped_.004045E0
0040170E |. 83C4 04 add esp, 4
00401711 |. 56 push esi ; /Arg1
00401712 |. E8 C92E0000 call 004045E0 ; \dumped_.004045E0
00401717 |. 83C4 04 add esp, 4
0040171A |. 5F pop edi
0040171B |. 5E pop esi
0040171C |. 5D pop ebp
0040171D |. 5B pop ebx
0040171E |. 81C4 94010000 add esp, 194
00401724 |. C3 retn
【总结】
这个KeyGenMe谈不上椭圆曲线加密,因为加密设计到K=k*G,ECDLP的计算问题,这里没有涉及,小生的前面说的文章有谈到,各位如果觉得这个不能满足的话,可以看看那篇。这个KeyGenMe主要就是一些椭圆曲线的运算问题。具体如下
1.
hash_p4=hash_name*p1
hash_p4=hash_p4-p2;
2.
p1=p1+p1
sn_point3=sn_point3+p1
最后判断hash_p4和sn_point3是否相等。
破解也很简单
先计算
hash_p4=hash_name*p1
hash_p4=hash_p4-p2;
再求
sn_point3=hash_p4-p1-p1就可以了。
vcode=epoint_get(sn_point3,sn,sn);
vcode是y的LSB,sn是sn_point3的x坐标。
具体程序见注册机,谢谢看到这里。
未完待续。。。先休息几天
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!