【文章标题】: SENSE4加密锁浅析之实战篇
【文章作者】: yaoyuan[CCG]
【下载地址】: 自己搜索下载
【保护方式】: SENSE4加密锁
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
我们将以某国产软件的模块验证程序Products.exe为例来分析具体加密过程及处理方法。
感谢fogot和Cnbragon提供脱壳及部分代码支持,没有他们的帮助,也没有下面这文章了。
这个程序ASPR加壳,为了调试时方便保存断点,脱掉外壳。
OD载入,运行Aspr2.XX_IATfixer_v2.2s.osc,在OEP处dump,用ImportREC处理IAT,手动补上GetProcAddress修复后再干
掉CRC的SDK,程序可以正常运行了,因为不是脱壳的文章,具体这过程不再详述。
载入脱壳后的程序,这个程序用的是静态方式链接,找不到模块名称,先用bp CreateFileA断下打开设备,当看到USB设
备路径时,已成功断到打开设备,返回到入锁参数压栈时,在代码上下可以找到所有关于设备的函数调用。在所有关于
设备的函数调用下断。
S4的软件锁,我们因为可以重写C51,所以只用关心要访问的目录,文件名及pin码。
CreateFileA断下打开设备,直到edx中出现设备路径:
004E5FBC 5C 5C 3F 5C 75 73 62 23 76 69 64 5F 30 34 37 31 \\?\usb#vid_0471
004E5FCC 26 70 69 64 5F 34 38 35 64 23 35 26 63 32 61 39 &pid_485d#5&c2a9
004E5FDC 39 36 34 26 30 26 32 23 7B 31 37 31 36 33 38 66 964&0&2#{171638f
004E5FEC 37 2D 31 65 61 64 2D 34 38 37 33 2D 62 61 39 38 7-1ead-4873-ba98
004E5FFC 2D 63 39 36 36 61 62 63 66 30 31 34 32 7D -c966abcf0142}
这个程序没有用到目录操作,所有程序均在根目录\。
这里是我们找到的S4VerifyPin
004935E0 <> 55 push ebp
004935E1 8BEC mov ebp,esp
004935E3 51 push ecx
004935E4 53 push ebx
004935E5 56 push esi
004935E6 57 push edi
004935E7 8B7D 0C mov edi,dword ptr ss:[ebp+C]
004935EA 8B45 08 mov eax,dword ptr ss:[ebp+8]
004935ED 8B75 14 mov esi,dword ptr ss:[ebp+14]
004935F0 8BD8 mov ebx,eax
004935F2 C645 FF 00 mov byte ptr ss:[ebp-1],0
004935F6 85FF test edi,edi
004935F8 75 0A jnz short Products.00493604
004935FA B8 02000000 mov eax,2
004935FF E9 D8000000 jmp Products.004936DC
00493604 50 push eax
00493605 E8 2EEFFFFF call Products.00492538
0049360A 59 pop ecx
0049360B 85C0 test eax,eax
0049360D 75 0A jnz short Products.00493619
0049360F B8 02000000 mov eax,2
00493614 E9 C3000000 jmp Products.004936DC
00493619 81FE A1000000 cmp esi,0A1
0049361F 75 10 jnz short Products.00493631
00493621 837D 10 08 cmp dword ptr ss:[ebp+10],8
00493625 74 2C je short Products.00493653
00493627 B8 02000000 mov eax,2
0049362C E9 AB000000 jmp Products.004936DC
00493631 81FE A2000000 cmp esi,0A2
00493637 75 10 jnz short Products.00493649
00493639 837D 10 18 cmp dword ptr ss:[ebp+10],18
0049363D 74 14 je short Products.00493653
0049363F B8 02000000 mov eax,2
00493644 E9 93000000 jmp Products.004936DC
00493649 B8 02000000 mov eax,2
0049364E E9 89000000 jmp Products.004936DC
00493653 8D55 FF lea edx,dword ptr ss:[ebp-1]
00493656 52 push edx
00493657 53 push ebx
00493658 E8 C3CCFFFF call Products.00490320
0049365D 83C4 08 add esp,8
00493660 85C0 test eax,eax
00493662 75 78 jnz short Products.004936DC
00493664 807D FF 02 cmp byte ptr ss:[ebp-1],2
00493668 75 07 jnz short Products.00493671
0049366A B8 20000000 mov eax,20
0049366F EB 6B jmp short Products.004936DC
00493671 807D FF 00 cmp byte ptr ss:[ebp-1],0
00493675 75 0D jnz short Products.00493684
00493677 56 push esi
00493678 57 push edi
00493679 53 push ebx
0049367A E8 55D5FFFF call Products.00490BD4
0049367F 83C4 0C add esp,0C
00493682 EB 58 jmp short Products.004936DC
00493684 807D FF 01 cmp byte ptr ss:[ebp-1],1
00493688 75 52 jnz short Products.004936DC
0049368A 6A 00 push 0
0049368C 6A 00 push 0
0049368E 53 push ebx
0049368F E8 B0D4FFFF call Products.00490B44
00493694 83C4 0C add esp,0C
00493697 85C0 test eax,eax
00493699 75 41 jnz short Products.004936DC
0049369B 56 push esi
0049369C 57 push edi
0049369D 53 push ebx
0049369E E8 31D5FFFF call Products.00490BD4
004936A3 83C4 0C add esp,0C
004936A6 85C0 test eax,eax
004936A8 75 32 jnz short Products.004936DC
004936AA 6A 01 push 1
004936AC 68 BAC34D00 push Products.004DC3BA
004936B1 53 push ebx
004936B2 E8 8DD4FFFF call Products.00490B44
004936B7 83C4 0C add esp,0C
004936BA 85C0 test eax,eax
004936BC 75 1E jnz short Products.004936DC
004936BE 81FE A2000000 cmp esi,0A2
004936C4 75 16 jnz short Products.004936DC
004936C6 56 push esi
004936C7 57 push edi
004936C8 53 push ebx
004936C9 E8 06D5FFFF call Products.00490BD4
004936CE 83C4 0C add esp,0C
004936D1 85C0 test eax,eax
004936D3 74 07 je short Products.004936DC
004936D5 EB 05 jmp short Products.004936DC
004936D7 B8 02000000 mov eax,2
004936DC 5F pop edi
004936DD 5E pop esi
004936DE 5B pop ebx
004936DF 59 pop ecx
004936E0 5D pop ebp
004936E1 C2 1000 retn 10
这里是S4ExecuteEx
00494314 <> 55 push ebp
00494315 8BEC mov ebp,esp
00494317 83C4 F8 add esp,-8
0049431A 33D2 xor edx,edx
0049431C 53 push ebx
0049431D 56 push esi
0049431E 57 push edi
0049431F 8B75 10 mov esi,dword ptr ss:[ebp+10]
00494322 8B45 08 mov eax,dword ptr ss:[ebp+8]
00494325 8B7D 0C mov edi,dword ptr ss:[ebp+C]
00494328 8BD8 mov ebx,eax
0049432A C645 FD 00 mov byte ptr ss:[ebp-3],0
0049432E 8955 F8 mov dword ptr ss:[ebp-8],edx
00494331 83FE 01 cmp esi,1
00494334 74 0E je short Products.00494344
00494336 85F6 test esi,esi
00494338 74 0A je short Products.00494344
0049433A B8 02000000 mov eax,2
0049433F E9 8F010000 jmp Products.004944D3
00494344 85FF test edi,edi
00494346 75 0A jnz short Products.00494352
00494348 B8 02000000 mov eax,2
0049434D E9 81010000 jmp Products.004944D3
00494352 50 push eax
00494353 E8 E0E1FFFF call Products.00492538
00494358 59 pop ecx
00494359 85C0 test eax,eax
0049435B 75 0A jnz short Products.00494367
0049435D B8 02000000 mov eax,2
00494362 E9 6C010000 jmp Products.004944D3
00494367 817D 18 FA00000>cmp dword ptr ss:[ebp+18],0FA
0049436E 77 0E ja short Products.0049437E
00494370 83FE 01 cmp esi,1
00494373 75 13 jnz short Products.00494388
00494375 817D 18 F800000>cmp dword ptr ss:[ebp+18],0F8
0049437C 76 0A jbe short Products.00494388
0049437E B8 02000000 mov eax,2
00494383 E9 4B010000 jmp Products.004944D3
00494388 57 push edi
00494389 E8 FEA6FFFF call <jmp.&msvcrt.strlen>
0049438E 59 pop ecx
0049438F 83F8 04 cmp eax,4
00494392 75 0F jnz short Products.004943A3
00494394 6A 5C push 5C
00494396 57 push edi
00494397 E8 E0A6FFFF call <jmp.&msvcrt.strchr>
0049439C 83C4 08 add esp,8
0049439F 85C0 test eax,eax
004943A1 74 0A je short Products.004943AD
004943A3 B8 02000000 mov eax,2
004943A8 E9 26010000 jmp Products.004944D3
004943AD 8D55 FD lea edx,dword ptr ss:[ebp-3]
004943B0 52 push edx
004943B1 53 push ebx
004943B2 E8 69BFFFFF call Products.00490320
004943B7 83C4 08 add esp,8
004943BA 85C0 test eax,eax
004943BC 0F85 11010000 jnz Products.004944D3
004943C2 807D FD 02 cmp byte ptr ss:[ebp-3],2
004943C6 75 0A jnz short Products.004943D2
004943C8 B8 20000000 mov eax,20
004943CD E9 01010000 jmp Products.004944D3
004943D2 807D FD 01 cmp byte ptr ss:[ebp-3],1
004943D6 75 0F jnz short Products.004943E7
004943D8 83FE 01 cmp esi,1
004943DB 75 0A jnz short Products.004943E7
004943DD B8 20000000 mov eax,20
004943E2 E9 EC000000 jmp Products.004944D3
004943E7 807D FD 01 cmp byte ptr ss:[ebp-3],1
004943EB 75 2D jnz short Products.0049441A
004943ED 6A 00 push 0
004943EF 6A 00 push 0
004943F1 53 push ebx
004943F2 E8 4DC7FFFF call Products.00490B44
004943F7 83C4 0C add esp,0C
004943FA 85C0 test eax,eax
004943FC 0F85 D1000000 jnz Products.004944D3
00494402 6A 01 push 1
00494404 68 25C94D00 push Products.004DC925
00494409 53 push ebx
0049440A E8 35C7FFFF call Products.00490B44
0049440F 83C4 0C add esp,0C
00494412 85C0 test eax,eax
00494414 0F85 B9000000 jnz Products.004944D3
0049441A 6A 04 push 4
0049441C 57 push edi
0049441D 8D55 FE lea edx,dword ptr ss:[ebp-2]
00494420 52 push edx
00494421 E8 5EE0FFFF call Products.00492484
00494426 83C4 0C add esp,0C
00494429 40 inc eax
0049442A 75 0A jnz short Products.00494436
0049442C B8 02000000 mov eax,2
00494431 E9 9D000000 jmp Products.004944D3
00494436 8D55 FE lea edx,dword ptr ss:[ebp-2]
00494439 52 push edx
0049443A 53 push ebx
0049443B E8 4CD2FFFF call Products.0049168C
00494440 83C4 08 add esp,8
00494443 85C0 test eax,eax
00494445 0F85 88000000 jnz Products.004944D3
0049444B 85F6 test esi,esi
0049444D 75 35 jnz short Products.00494484
0049444F 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
00494452 51 push ecx
00494453 8B45 20 mov eax,dword ptr ss:[ebp+20]
00494456 50 push eax
00494457 8B55 1C mov edx,dword ptr ss:[ebp+1C]
0049445A 52 push edx
0049445B 8D55 FE lea edx,dword ptr ss:[ebp-2]
0049445E 8B4D 18 mov ecx,dword ptr ss:[ebp+18]
00494461 51 push ecx
00494462 8B45 14 mov eax,dword ptr ss:[ebp+14]
00494465 50 push eax
00494466 52 push edx
00494467 53 push ebx
00494468 E8 93D3FFFF call Products.00491800
0049446D 83C4 1C add esp,1C
00494470 85C0 test eax,eax
00494472 75 5F jnz short Products.004944D3
00494474 837D 24 00 cmp dword ptr ss:[ebp+24],0
00494478 74 59 je short Products.004944D3
0049447A 8B4D 24 mov ecx,dword ptr ss:[ebp+24]
0049447D 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00494480 8911 mov dword ptr ds:[ecx],edx
00494482 EB 4F jmp short Products.004944D3
00494484 83FE 01 cmp esi,1
00494487 75 4A jnz short Products.004944D3
00494489 817B 04 0003020>cmp dword ptr ds:[ebx+4],20300
00494490 73 07 jnb short Products.00494499
00494492 B8 02000000 mov eax,2
00494497 EB 3A jmp short Products.004944D3
00494499 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
0049449C 51 push ecx
0049449D 8B45 20 mov eax,dword ptr ss:[ebp+20]
004944A0 50 push eax
004944A1 8B55 1C mov edx,dword ptr ss:[ebp+1C]
004944A4 52 push edx
004944A5 8D55 FE lea edx,dword ptr ss:[ebp-2]
004944A8 8B4D 18 mov ecx,dword ptr ss:[ebp+18]
004944AB 51 push ecx
004944AC 8B45 14 mov eax,dword ptr ss:[ebp+14]
004944AF 50 push eax
004944B0 52 push edx
004944B1 53 push ebx
004944B2 E8 21D2FFFF call Products.004916D8
004944B7 83C4 1C add esp,1C
004944BA 85C0 test eax,eax
004944BC 75 15 jnz short Products.004944D3
004944BE 837D 24 00 cmp dword ptr ss:[ebp+24],0
004944C2 74 0F je short Products.004944D3
004944C4 8B4D 24 mov ecx,dword ptr ss:[ebp+24]
004944C7 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004944CA 8911 mov dword ptr ds:[ecx],edx
004944CC EB 05 jmp short Products.004944D3
004944CE B8 02000000 mov eax,2
004944D3 5F pop edi
004944D4 5E pop esi
004944D5 5B pop ebx
004944D6 59 pop ecx
004944D7 59 pop ecx
004944D8 5D pop ebp
004944D9 C2 2000 retn 20
校验pin码后,锁内程序开始被执行,我们分析锁内最难一个程序0801,执行到S4ExecuteEx时,esi指向0801,
ESP情况如下:
0012F88C 83 E2 4A 00 50 BA E9 00 24 06 E8 00 00 00 00 00 ?J.P洪.$?....
0012F89C 40 D5 16 00 0E 00 00 00 DC 04 E8 00 F4 00 00 00 @?....???..
0012F8AC F0 F8 12 00 BC DA 4A 00 2E F9 12 00 2C BA E9 00 瘌.稼J..?.,洪.
可以看到入锁数据为0e长,首址16d540,出锁数据长度0f4,首址0e804dc
看看入锁数据是什么:
0016D540 3D E3 6F 4E A6 FD D5 76 7E 7F 76 76 76 96 =泔N?睁~vvv?
执行完毕后出锁数据如下:
00E804DC F3 AA A2 A5 8D 6F E5 AC 5A BA BB B2 B2 B2 BB BB 螵??瀣Z夯膊不
00E804EC BB BB F5 F4 F4 F4 F4 F4 F4 F4 F5 F5 F4 F4 F4 0B 换豸趑趑趑貂趑?
00E804FC F4 F4 F4 0B F4 F4 F4 F4 F4 0A 09 09 08 08 08 F7 趑?趑趑?..
00E8050C 08 08 08 F7 08 08 08 08 08 08 0E 0E 0F 0F 0F F0 ?
00E8051C 0F 0F 0F F0 0F 0F 0F 0F 0F 0C 00 00 01 01 01 FE ?...
00E8052C 01 01 01 FE 01 01 01 01 01 08 07 07 06 06 06 F9 ?
00E8053C 06 06 06 F9 06 06 06 06 06 0A 19 19 18 18 18 E7 ?.
00E8054C 18 18 18 E7 18 18 18 18 18 08 1F 1F 1E 1E 1E E1 ?
00E8055C 1E 1E 1E E1 1E 1E 1E 1E 1E 0A 3A 3A 3B 3B 3B C4 ?.::;;;
00E8056C 3B 3B 3B C4 3B 3B 3B 3B 3B 16 27 27 26 26 26 D9 ;;;?;;;;''&&&
00E8057C 26 26 26 D9 26 26 26 26 26 08 3B 3B 3A 3A 3A C5 &&&?&&&&;;:::
00E8058C 3A 3A 3A C5 3A 3A 3A 3A 3A 0A 3C 3C 3D 3D 3D C2 :::?::::.<<===
00E8059C 3D 3D 3D C2 3D 3D 3D 3D 3D 0E 4D 4D 4C 4C 4C B3 ===?====MMLLL
00E805AC 4C 4C 4C B3 4C 4C 4C 4C 4C 0C 48 48 49 49 49 B6 LLL程LLLL.HHIII
00E805BC 49 49 49 B6 49 49 49 49 49 08 00 00 00 00 00 00 III渡IIII......
00E805CC 00 00 00 00 ....
数据好象完全没有什么关系?从0e个字节扩展到了0f4个字节,猜测出锁数据一定有加密,在数据下内存断点,
寻找解码过程,确实程序有解码:
0049DE7C 53 push ebx
0049DE7D 56 push esi
0049DE7E 57 push edi
0049DE7F 83C4 F0 add esp,-10
0049DE82 891424 mov dword ptr ss:[esp],edx
0049DE85 8BF8 mov edi,eax
0049DE87 BB 5C024E00 mov ebx,Products.004E025C
0049DE8C 8D7424 04 lea esi,dword ptr ss:[esp+4]
0049DE90 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0049DE94 8BD6 mov edx,esi
0049DE96 8B0424 mov eax,dword ptr ss:[esp]
0049DE99 E8 92FEFFFF call Products.0049DD30
0049DE9E 8D5424 08 lea edx,dword ptr ss:[esp+8]
0049DEA2 8BC6 mov eax,esi
0049DEA4 E8 D7FEFFFF call Products.0049DD80
0049DEA9 897C24 0C mov dword ptr ss:[esp+C],edi
0049DEAD BA 08000000 mov edx,8
0049DEB2 8B4424 08 mov eax,dword ptr ss:[esp+8]
0049DEB6 C1E8 04 shr eax,4
0049DEB9 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
0049DEBD C1E1 1C shl ecx,1C
0049DEC0 0BC1 or eax,ecx
0049DEC2 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
0049DEC6 3301 xor eax,dword ptr ds:[ecx]
0049DEC8 834424 0C 04 add dword ptr ss:[esp+C],4
0049DECD 8BC8 mov ecx,eax
0049DECF 83E1 3F and ecx,3F
0049DED2 8B8C8B 00060000 mov ecx,dword ptr ds:[ebx+ecx*4+600]
0049DED9 310E xor dword ptr ds:[esi],ecx ; 00200002
0049DEDB 8BC8 mov ecx,eax
0049DEDD C1E9 08 shr ecx,8
0049DEE0 83E1 3F and ecx,3F
0049DEE3 8B8C8B 00040000 mov ecx,dword ptr ds:[ebx+ecx*4+400]
0049DEEA 310E xor dword ptr ds:[esi],ecx ; 02000000
0049DEEC 8BC8 mov ecx,eax
0049DEEE C1E9 10 shr ecx,10
0049DEF1 83E1 3F and ecx,3F
0049DEF4 8B8C8B 00020000 mov ecx,dword ptr ds:[ebx+ecx*4+200]
0049DEFB 310E xor dword ptr ds:[esi],ecx ; 08020000
0049DEFD C1E8 18 shr eax,18
0049DF00 83E0 3F and eax,3F
0049DF03 8B0483 mov eax,dword ptr ds:[ebx+eax*4]
0049DF06 3106 xor dword ptr ds:[esi],eax ; 08020000
0049DF08 8B4424 0C mov eax,dword ptr ss:[esp+C]
0049DF0C 8B00 mov eax,dword ptr ds:[eax]
0049DF0E 334424 08 xor eax,dword ptr ss:[esp+8]
0049DF12 834424 0C 04 add dword ptr ss:[esp+C],4
0049DF17 8BC8 mov ecx,eax
0049DF19 83E1 3F and ecx,3F
0049DF1C 8B8C8B 00070000 mov ecx,dword ptr ds:[ebx+ecx*4+700]
0049DF23 310E xor dword ptr ds:[esi],ecx ; 10000000
0049DF25 8BC8 mov ecx,eax
0049DF27 C1E9 08 shr ecx,8
0049DF2A 83E1 3F and ecx,3F
0049DF2D 8B8C8B 00050000 mov ecx,dword ptr ds:[ebx+ecx*4+500]
0049DF34 310E xor dword ptr ds:[esi],ecx ; 00400000
0049DF36 8BC8 mov ecx,eax
0049DF38 C1E9 10 shr ecx,10
0049DF3B 83E1 3F and ecx,3F
0049DF3E 8B8C8B 00030000 mov ecx,dword ptr ds:[ebx+ecx*4+300] ; 00000001
0049DF45 310E xor dword ptr ds:[esi],ecx
0049DF47 C1E8 18 shr eax,18
0049DF4A 83E0 3F and eax,3F
0049DF4D 8B8483 00010000 mov eax,dword ptr ds:[ebx+eax*4+100]
0049DF54 3106 xor dword ptr ds:[esi],eax ; 00000001
0049DF56 8B06 mov eax,dword ptr ds:[esi]
0049DF58 C1E8 04 shr eax,4
0049DF5B 8B0E mov ecx,dword ptr ds:[esi]
0049DF5D C1E1 1C shl ecx,1C
0049DF60 0BC1 or eax,ecx
0049DF62 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
0049DF66 3301 xor eax,dword ptr ds:[ecx]
0049DF68 834424 0C 04 add dword ptr ss:[esp+C],4
0049DF6D 8BC8 mov ecx,eax
0049DF6F 83E1 3F and ecx,3F
0049DF72 8B8C8B 00060000 mov ecx,dword ptr ds:[ebx+ecx*4+600]
0049DF79 314C24 08 xor dword ptr ss:[esp+8],ecx ; 00200800
0049DF7D 8BC8 mov ecx,eax
0049DF7F C1E9 08 shr ecx,8
0049DF82 83E1 3F and ecx,3F
0049DF85 8B8C8B 00040000 mov ecx,dword ptr ds:[ebx+ecx*4+400]
0049DF8C 314C24 08 xor dword ptr ss:[esp+8],ecx ; 42080000
0049DF90 8BC8 mov ecx,eax
0049DF92 C1E9 10 shr ecx,10
0049DF95 83E1 3F and ecx,3F
0049DF98 8B8C8B 00020000 mov ecx,dword ptr ds:[ebx+ecx*4+200]
0049DF9F 314C24 08 xor dword ptr ss:[esp+8],ecx
0049DFA3 C1E8 18 shr eax,18
0049DFA6 83E0 3F and eax,3F
0049DFA9 8B0483 mov eax,dword ptr ds:[ebx+eax*4]
0049DFAC 314424 08 xor dword ptr ss:[esp+8],eax
0049DFB0 8B4424 0C mov eax,dword ptr ss:[esp+C]
0049DFB4 8B00 mov eax,dword ptr ds:[eax]
0049DFB6 3306 xor eax,dword ptr ds:[esi]
0049DFB8 834424 0C 04 add dword ptr ss:[esp+C],4
0049DFBD 8BC8 mov ecx,eax
0049DFBF 83E1 3F and ecx,3F
0049DFC2 8B8C8B 00070000 mov ecx,dword ptr ds:[ebx+ecx*4+700]
0049DFC9 314C24 08 xor dword ptr ss:[esp+8],ecx
0049DFCD 8BC8 mov ecx,eax
0049DFCF C1E9 08 shr ecx,8
0049DFD2 83E1 3F and ecx,3F
0049DFD5 8B8C8B 00050000 mov ecx,dword ptr ds:[ebx+ecx*4+500]
0049DFDC 314C24 08 xor dword ptr ss:[esp+8],ecx
0049DFE0 8BC8 mov ecx,eax
0049DFE2 C1E9 10 shr ecx,10
0049DFE5 83E1 3F and ecx,3F
0049DFE8 8B8C8B 00030000 mov ecx,dword ptr ds:[ebx+ecx*4+300]
0049DFEF 314C24 08 xor dword ptr ss:[esp+8],ecx
0049DFF3 C1E8 18 shr eax,18
0049DFF6 83E0 3F and eax,3F
0049DFF9 8B8483 00010000 mov eax,dword ptr ds:[ebx+eax*4+100]
0049E000 314424 08 xor dword ptr ss:[esp+8],eax
0049E004 4A dec edx
0049E005 ^ 0F85 A7FEFFFF jnz Products.0049DEB2
0049E00B 8D5424 08 lea edx,dword ptr ss:[esp+8]
0049E00F 8BC6 mov eax,esi
0049E011 E8 E6FDFFFF call Products.0049DDFC
0049E016 8B0C24 mov ecx,dword ptr ss:[esp]
0049E019 8B5424 08 mov edx,dword ptr ss:[esp+8]
0049E01D 8B06 mov eax,dword ptr ds:[esi]
0049E01F E8 38FDFFFF call Products.0049DD5C
0049E024 83C4 10 add esp,10
0049E027 5F pop edi
0049E028 5E pop esi
0049E029 5B pop ebx
0049E02A C3 retn
看着眼熟吧,这不就是大名鼎鼎的DES,源程序是delphi的,整理成源代码如下:
procedure DES_Func(Data: PIntArray; Key: PInteger); register;
var
L,R,X,Y,I: LongWord;
begin
L := SwapInteger(Data[0]);
R := SwapInteger(Data[1]);
X := (L shr 4 xor R) and $0F0F0F0F; R := R xor X; L := L xor X shl 4;
X := (L shr 16 xor R) and $0000FFFF; R := R xor X; L := L xor X shl 16;
X := (R shr 2 xor L) and $33333333; L := L xor X; R := R xor X shl 2;
X := (R shr 8 xor L) and $00FF00FF; L := L xor X; R := R xor X shl 8;
R := R shl 1 or R shr 31;
X := (L xor R) and $AAAAAAAA;
R := R xor X;
L := L xor X;
L := L shl 1 or L shr 31;
for I := 0 to 7 do
begin
X := (R shl 28 or R shr 4) xor Key^; Inc(Key);
Y := R xor Key^; Inc(Key);
L := L xor (DES_Data[0, X and $3F] or DES_Data[1, X shr 8 and $3F] or
DES_Data[2, X shr 16 and $3F] or DES_Data[3, X shr 24 and $3F] or
DES_Data[4, Y and $3F] or DES_Data[5, Y shr 8 and $3F] or
DES_Data[6, Y shr 16 and $3F] or DES_Data[7, Y shr 24 and $3F]);
X := (L shl 28 or L shr 4) xor Key^; Inc(Key);
Y := L xor Key^; Inc(Key);
R := R xor (DES_Data[0, X and $3F] or DES_Data[1, X shr 8 and $3F] or
DES_Data[2, X shr 16 and $3F] or DES_Data[3, X shr 24 and $3F] or
DES_Data[4, Y and $3F] or DES_Data[5, Y shr 8 and $3F] or
DES_Data[6, Y shr 16 and $3F] or DES_Data[7, Y shr 24 and $3F]);
end;
R := R shl 31 or R shr 1;
X := (L xor R) and $AAAAAAAA;
R := R xor X;
L := L xor X;
L := L shl 31 or L shr 1;
X := (L shr 8 xor R) and $00FF00FF; R := R xor X; L := L xor X shl 8;
X := (L shr 2 xor R) and $33333333; R := R xor X; L := L xor X shl 2;
X := (R shr 16 xor L) and $0000FFFF; L := L xor X; R := R xor X shl 16;
X := (R shr 4 xor L) and $0F0F0F0F; L := L xor X; R := R xor X shl 4;
Data[0] := SwapInteger(R);
Data[1] := SwapInteger(L);
end;
前8个字节DES解码,后面的字节逐字节xor完成解码:
0016D540 01 06 00 01 1B 24 00 35 3F 3E 37 D7 D7 37 09 00 .$.5?>7鬃7..
0016D550 00 00 4E 01 00 00 00 00 00 00 01 00 01 00 00 FF ..N.........?
0016D560 FF 00 00 FF FF 00 00 00 00 FE 03 00 01 00 00 FF ?.?....?...?
0016D570 FF 00 00 FF FF 00 00 00 00 00 06 00 01 00 00 FF ?.?........?
0016D580 FF 00 00 FF FF 00 00 00 00 03 0C 00 01 00 00 FF ?.?........?
0016D590 FF 00 00 FF FF 00 00 00 00 09 0F 00 01 00 00 FF ?.?........?
0016D5A0 FF 00 00 FF FF 00 00 00 00 0C 13 00 01 00 00 FF ?.?........?
0016D5B0 FF 00 00 FF FF 00 00 00 00 10 17 00 01 00 00 FF ?.?.......?
0016D5C0 FF 00 00 FF FF 00 00 00 00 14 30 00 01 00 00 FF ?.?....0...?
0016D5D0 FF 00 00 FF FF 00 00 00 00 2D 31 00 01 00 00 FF ?.?....-1...?
0016D5E0 FF 00 00 FF FF 00 00 00 00 2E 33 00 01 00 00 FF ?.?.....3...?
0016D5F0 FF 00 00 FF FF 00 00 00 00 30 36 00 01 00 00 FF ?.?....06...?
0016D600 FF 00 00 FF FF 00 00 00 00 33 43 00 01 00 00 FF ?.?....3C...?
0016D610 FF 00 00 FF FF 00 00 00 00 40 44 00 01 00 00 FF ?.?....@D...?
0016D620 FF 00 00 FF FF 00 00 00 00 41 00 00 00 00 00 00 ?.?....A......
0016D630 00 00 00 00 ....
现在看上去出锁数据有点意思了,正好对应着注册了的模块代码比如1-01、1-03,可是出锁数据
和入锁数据有什么关系呢?
感觉入锁数据也是经过了加密的,从头再来跟踪入锁数据:原来是这样的:
0049E6AC 53 push ebx
0049E6AD 56 push esi
0049E6AE 83C4 F4 add esp,-0C
0049E6B1 8BF0 mov esi,eax
0049E6B3 8D4424 0A lea eax,dword ptr ss:[esp+A]
0049E6B7 50 push eax
0049E6B8 8D4C24 0D lea ecx,dword ptr ss:[esp+D]
0049E6BC 8D5424 0C lea edx,dword ptr ss:[esp+C]
0049E6C0 8BC6 mov eax,esi
0049E6C2 E8 05010000 call Products.0049E7CC
0049E6C7 8B46 04 mov eax,dword ptr ds:[esi+4]
0049E6CA 894424 04 mov dword ptr ss:[esp+4],eax
0049E6CE 8B5C24 04 mov ebx,dword ptr ss:[esp+4]
0049E6D2 C603 01 mov byte ptr ds:[ebx],1
0049E6D5 8BC6 mov eax,esi
0049E6D7 8B10 mov edx,dword ptr ds:[eax]
0049E6D9 FF12 call dword ptr ds:[edx]
0049E6DB 2C 08 sub al,8
0049E6DD 8843 01 mov byte ptr ds:[ebx+1],al
0049E6E0 C643 02 00 mov byte ptr ds:[ebx+2],0
0049E6E4 8A4424 08 mov al,byte ptr ss:[esp+8]
0049E6E8 8843 03 mov byte ptr ds:[ebx+3],al
0049E6EB 8A4424 09 mov al,byte ptr ss:[esp+9]
0049E6EF 8843 04 mov byte ptr ds:[ebx+4],al
0049E6F2 8A4424 0A mov al,byte ptr ss:[esp+A]
0049E6F6 8843 05 mov byte ptr ds:[ebx+5],al
0049E6F9 C643 06 00 mov byte ptr ds:[ebx+6],0
0049E6FD C643 07 00 mov byte ptr ds:[ebx+7],0
0049E701 8BC6 mov eax,esi
0049E703 8B10 mov edx,dword ptr ds:[eax]
0049E705 FF12 call dword ptr ds:[edx]
0049E707 8BC8 mov ecx,eax
0049E709 8B56 04 mov edx,dword ptr ds:[esi+4]
0049E70C 8BC6 mov eax,esi
0049E70E E8 69FEFFFF call Products.0049E57C
0049E713 8B5424 04 mov edx,dword ptr ss:[esp+4]
0049E717 8842 07 mov byte ptr ds:[edx+7],al
0049E71A 8B4424 04 mov eax,dword ptr ss:[esp+4]
0049E71E 83C0 08 add eax,8
0049E721 890424 mov dword ptr ss:[esp],eax
0049E724 8B4424 04 mov eax,dword ptr ss:[esp+4]
0049E728 8A50 03 mov dl,byte ptr ds:[eax+3]
0049E72B 52 push edx
0049E72C 8A50 04 mov dl,byte ptr ds:[eax+4]
0049E72F 52 push edx
0049E730 33C9 xor ecx,ecx
0049E732 8A48 01 mov cl,byte ptr ds:[eax+1]
0049E735 8B5424 08 mov edx,dword ptr ss:[esp+8]
0049E739 8BC6 mov eax,esi
0049E73B E8 20000000 call Products.0049E760
这里完成入锁数据初始化:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D
01 00 01 00 00 24 01 09 E0
以上为固定字节,01为入锁长度0e-8=6,QueryPerformanceCounter返回值低32位设为Count
(Count*8088405+1)*FF 结果高位在DX 为04位
((Count*8088405+1)*8088405+1)*FF 结果高位在DX 为05位
这里原来在取随机数,累S我了。
07位:各位累加和。
0B 0C在不同次数读狗时数据不同:
分别为:第一次读狗:00 00
第二次读狗:00 E0
第三次读狗:C0 01
.....
这是第三次读狗原始入锁数据:
0016D540 01 06 00 01 90 AD 00 14 24 01 09 C0 01 E0 .?.$.???
加密入锁数据:(前8个字节DES加密,后面逐字节xor)
0016D540 77 6F 6D 4E 6D 6A 31 73 B4 B5 BC 7C 7D 9D womNmj1s吹键}??
出锁数据:
0016D540 BB 6E 9F 91 0E FB C8 B9 90 70 C8 C8 CA CA CA 35 活???p热适?
0016D550 CA CA CA 35 CA CA CA CA CA 7C B3 B3 B1 B1 B1 4E 适?适适庶吵北蔽
0016D560 B1 B1 B1 4E B1 B1 B1 B1 B1 7C A4 A4 A6 A6 A6 59 北蔽北北秉いΖ?
0016D570 A6 A6 A6 59 A6 A6 A6 A6 A6 70 AB AB A9 A9 A9 56 Ζ?ΖΖ??┅┲
0016D580 A9 A9 A9 56 A9 A9 A9 A9 A9 70 69 68 6A 6A 6A 95 ┅┲┅┅?ihjjj
0016D590 6A 6A 6A 95 6A 6A 6A 6A 6A 72 68 69 6B 6B 6B 94 jjj?jjjjrhikkk
0016D5A0 6B 6B 6B 94 6B 6B 6B 6B 6B 72 69 68 6A 6A 6A 95 kkk?kkkkrihjjj
0016D5B0 6A 6A 6A 95 6A 6A 6A 6A 6A 70 6C 6D 6F 6F 6F 90 jjj?jjjjplmooo
0016D5C0 6F 6F 6F 90 6F 6F 6F 6F 6F 74 69 68 6A 6A 6A 95 ooo?ooootihjjj
0016D5D0 6A 6A 6A 95 6A 6A 6A 6A 6A 76 2D 2C 2E 2E 2E D1 jjj?jjjjv-,...
0016D5E0 2E 2E 2E D1 2E 2E 2E 2E 2E 74 6A 68 6A 6A 6A 95 ...?....tjhjjj
0016D5F0 6A 6A 6A 95 6A 6A 6A 6A 6A 74 42 40 42 42 42 BD jjj?jjjjtB@BBB
0016D600 42 42 42 BD 42 42 42 42 42 74 43 41 43 43 43 BC BBB铰BBBBtCACCC
0016D610 43 43 43 BC 43 43 43 43 43 74 4C 4E 4C 4C 4C B3 CCC济CCCCtLNLLL
0016D620 4C 4C 4C B3 4C 4C 4C 4C 4C 74 00 00 00 00 00 00 LLL程LLLLt......
0016D630 00 00 00 00 ....
解码出锁数据:(前8个字节DES解密,从0e字节开始后面逐字节xor)
0016D540 01 E2 00 01 90 AD 00 14 24 01 09 A0 02 E0 00 FF ??.$.???
0016D550 FF 00 00 FF FF 00 00 00 00 B6 CF 00 02 00 00 FF ?.?....断...?
0016D560 FF 00 00 FF FF 00 00 00 00 CD D8 00 02 00 00 FF ?.?....拓...?
0016D570 FF 00 00 FF FF 00 00 00 00 D6 DB 00 02 00 00 FF ?.?....舟...?
0016D580 FF 00 00 FF FF 00 00 00 00 D9 19 01 02 00 00 FF ?.?....?..?
0016D590 FF 00 00 FF FF 00 00 00 00 18 1A 01 02 00 00 FF ?.?......?
0016D5A0 FF 00 00 FF FF 00 00 00 00 19 1B 01 02 00 00 FF ?.?......?
0016D5B0 FF 00 00 FF FF 00 00 00 00 1A 1C 01 02 00 00 FF ?.?......?
0016D5C0 FF 00 00 FF FF 00 00 00 00 1B 1D 01 02 00 00 FF ?.?......?
0016D5D0 FF 00 00 FF FF 00 00 00 00 1C 5B 01 02 00 00 FF ?.?....[..?
0016D5E0 FF 00 00 FF FF 00 00 00 00 5A 1E 02 02 00 00 FF ?.?....Z..?
0016D5F0 FF 00 00 FF FF 00 00 00 00 1E 36 02 02 00 00 FF ?.?....6..?
0016D600 FF 00 00 FF FF 00 00 00 00 36 37 02 02 00 00 FF ?.?....67..?
0016D610 FF 00 00 FF FF 00 00 00 00 37 38 02 02 00 00 FF ?.?....78..?
0016D620 FF 00 00 FF FF 00 00 00 00 38 00 00 00 00 00 00 ?.?....8......
0016D630 00 00 00 00 ....
原来出锁数据后e0位是从狗中读出的数据!每次读e0字节,至读完为止。至此数据分析完毕,将锁内数据全部记录,出锁数据还有一些简单的变换比如01字节,比较简单,不再详述了,现在我们有了关键的pin,执行ID,DES的key,算法也分析完成,下面的任务就是写出C51再回写入狗了,这是个简单的coding,就不再赘述了。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年01月29日 13:05:16
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课