-
-
[旧帖] [分享]处女贴:破解了飞信签名档 0.00雪花
-
发表于: 2008-3-18 08:37
-
学过一阵子破解,也试着破解过一些共享软件,今天第一次发贴,请大侠们指教:
以下是我分析破解的某知名通讯软件的用户验证方法:
1、过程分析
因为是网络软件,所以分了服务器端,和客户端。服务器端负责发送随机字串GUID和记录Session,客户端根据GUID进行加密得到EncryptKey,再将EncryptKey发往服务器端进行验证。
分析的切入点是客户端,我们是无法控制服务器端(黑客方法除外)。从客户端,我们能得到接收到的参数GUID和加密过程。
2、加密算法分析
这是我通过多次跟踪后,得到的EXE中的加密函数
Code
10040227B |. 68 B0144300 PUSH Appxxx.004314B0 ; "RandomKey.aspx"返回GUID
200402280 |. 68 0C344300 PUSH Appxxx.0043340C
300402285 |. 52 PUSH EDX
400402286 |. E8 AD990100 CALL Appxxx.0041BC38
50040228B |. 8DAE D4000000 LEA EBP,DWORD PTR DS:[ESI+D4]
600402291 |. 8BCD MOV ECX,EBP
700402293 |. E8 A84B0000 CALL Appxxx.00406E40
800402298 |. 85C0 TEST EAX,EAX
90040229A |. 75 19 JNZ SHORT Appxxx.004022B5
100040229C |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
11004022A0 |. C74424 54 FFF>MOV DWORD PTR SS:[ESP+54],-1
12004022A8 |. E8 37970100 CALL Appxxx.0041B9E4
13004022AD |. 83C8 FF OR EAX,FFFFFFFF
14004022B0 |. E9 CA050000 JMP Appxxx.0040287F
15004022B5 |> 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
16004022B9 |. E8 F2700000 CALL Appxxx.004093B0
17004022BE |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
18004022C2 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
19004022C6 |. C64424 54 01 MOV BYTE PTR SS:[ESP+54],1
20004022CB |. 8B40 F8 MOV EAX,DWORD PTR DS:[EAX-8]
21004022CE |. 50 PUSH EAX
22004022CF |. E8 8B9A0100 CALL Appxxx.0041BD5F
23004022D4 |. 50 PUSH EAX ; /Arg1
24004022D5 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28] ; |
25004022D9 |. E8 D27C0000 CALL Appxxx.00409FB0 ; \ MD5第一次加密
26004022DE |. 50 PUSH EAX
27004022DF |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
28004022E3 |. E8 6A970100 CALL Appxxx.0041BA52
29004022E8 |. 6A 05 PUSH 5
30004022EA |. 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+44]
31004022EE |. 6A 13 PUSH 13 ; 取19位置5个字符
32004022F0 |. 51 PUSH ECX
33004022F1 |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
34004022F5 |. C64424 60 02 MOV BYTE PTR SS:[ESP+60],2
35004022FA |. E8 D27A0100 CALL Appxxx.00419DD1
36004022FF |. 8BD8 MOV EBX,EAX
3700402301 |. 6A 05 PUSH 5
3800402303 |. 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
3900402307 |. 6A 04 PUSH 4 ; 取4位置的5个了符
4000402309 |. 52 PUSH EDX
410040230A |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
420040230E |. C64424 60 03 MOV BYTE PTR SS:[ESP+60],3
4300402313 |. E8 B97A0100 CALL Appxxx.00419DD1
4400402318 |. 8DBE FC020000 LEA EDI,DWORD PTR DS:[ESI+2FC]
450040231E |. C64424 54 04 MOV BYTE PTR SS:[ESP+54],4
4600402323 |. 57 PUSH EDI
4700402324 |. 50 PUSH EAX
4800402325 |. 8D4424 40 LEA EAX,DWORD PTR SS:[ESP+40]
4900402329 |. 50 PUSH EAX
500040232A |. E8 A3980100 CALL Appxxx.0041BBD2
510040232F |. 53 PUSH EBX
5200402330 |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
5300402334 |. 50 PUSH EAX
5400402335 |. 51 PUSH ECX
5500402336 |. C64424 60 05 MOV BYTE PTR SS:[ESP+60],5
560040233B |. E8 92980100 CALL Appxxx.0041BBD2
5700402340 |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
5800402344 |. C64424 54 06 MOV BYTE PTR SS:[ESP+54],6
5900402349 |. 52 PUSH EDX
600040234A |. 50 PUSH EAX
610040234B |. 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]
620040234F |. 50 PUSH EAX
6300402350 |. E8 7D980100 CALL Appxxx.0041BBD2 ; 连接字串
6400402355 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
6500402359 |. C64424 54 0B MOV BYTE PTR SS:[ESP+54],0B
660040235E |. E8 81960100 CALL Appxxx.0041B9E4
6700402363 |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
6800402367 |. C64424 54 0A MOV BYTE PTR SS:[ESP+54],0A
690040236C |. E8 73960100 CALL Appxxx.0041B9E4
7000402371 |. 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
7100402375 |. C64424 54 09 MOV BYTE PTR SS:[ESP+54],9
720040237A |. E8 65960100 CALL Appxxx.0041B9E4 ; 往串前加字串了
730040237F |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
7400402383 |. C64424 54 08 MOV BYTE PTR SS:[ESP+54],8
7500402388 |. E8 57960100 CALL Appxxx.0041B9E4
760040238D |. 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
7700402391 |. 8B41 F8 MOV EAX,DWORD PTR DS:[ECX-8]
7800402394 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
7900402398 |. 50 PUSH EAX
8000402399 |. E8 C1990100 CALL Appxxx.0041BD5F
810040239E |. 50 PUSH EAX ; /Arg1
820040239F |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28] ; |
83004023A3 |. E8 087C0000 CALL Appxxx.00409FB0 ; \ MD5第二次 加密
84004023A8 |. 50 PUSH EAX
85 //后期处理
从上面分析看出,这个加密过程用到了两次md5加密,第一次结果的处理后,交由第二次加密。
3、加密算法还原C#代码
弄清楚了过程,写还原代码就简单了,以下是用C#实现的代码
1 /**//// <summary>
2 /// 加密函数
3 /// </summary>
4 /// <param name="strKey">RandomKey.aspx得到的随机字串</param>
5 /// <param name="strID">某ID字串</param>
6 /// <returns>加密文本</returns>
7 public string GetEncrypKey(string strKey, string strID)
8 {
9 string result = "";
10 //第一次加密
11 MD5 md5 = new MD5CryptoServiceProvider();
12 byte[] buffer = System.Text.Encoding.Default.GetBytes(strKey);
13 byte[] EncrypArray = md5.ComputeHash(buffer);
14 for (int i = 0; i < EncrypArray.Length; i++)
15 {
16 result += string.Format("{0:X2}", EncrypArray[i]);
17 }
18
19 //为第二次加密准备数据
20 string tmpStr = result.ToLower();
21 string str2 = string.Format("{0}{1}{2}{3}", tmpStr.Substring(4, 5), strID, tmpStr.Substring(19, 5), strKey);
22
23 //第二次加密
24 buffer = System.Text.Encoding.Default.GetBytes(str2);
25 EncrypArray = md5.ComputeHash(buffer);
26 result = "";
27 for (int i = 0; i < EncrypArray.Length; i++)
28 {
29 result += string.Format("{0:X2}", EncrypArray[i]);
30 }
31 return result.ToLower();
32 }
33
以下是我分析破解的某知名通讯软件的用户验证方法:
1、过程分析
因为是网络软件,所以分了服务器端,和客户端。服务器端负责发送随机字串GUID和记录Session,客户端根据GUID进行加密得到EncryptKey,再将EncryptKey发往服务器端进行验证。
分析的切入点是客户端,我们是无法控制服务器端(黑客方法除外)。从客户端,我们能得到接收到的参数GUID和加密过程。
2、加密算法分析
这是我通过多次跟踪后,得到的EXE中的加密函数
Code
10040227B |. 68 B0144300 PUSH Appxxx.004314B0 ; "RandomKey.aspx"返回GUID
200402280 |. 68 0C344300 PUSH Appxxx.0043340C
300402285 |. 52 PUSH EDX
400402286 |. E8 AD990100 CALL Appxxx.0041BC38
50040228B |. 8DAE D4000000 LEA EBP,DWORD PTR DS:[ESI+D4]
600402291 |. 8BCD MOV ECX,EBP
700402293 |. E8 A84B0000 CALL Appxxx.00406E40
800402298 |. 85C0 TEST EAX,EAX
90040229A |. 75 19 JNZ SHORT Appxxx.004022B5
100040229C |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
11004022A0 |. C74424 54 FFF>MOV DWORD PTR SS:[ESP+54],-1
12004022A8 |. E8 37970100 CALL Appxxx.0041B9E4
13004022AD |. 83C8 FF OR EAX,FFFFFFFF
14004022B0 |. E9 CA050000 JMP Appxxx.0040287F
15004022B5 |> 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
16004022B9 |. E8 F2700000 CALL Appxxx.004093B0
17004022BE |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
18004022C2 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
19004022C6 |. C64424 54 01 MOV BYTE PTR SS:[ESP+54],1
20004022CB |. 8B40 F8 MOV EAX,DWORD PTR DS:[EAX-8]
21004022CE |. 50 PUSH EAX
22004022CF |. E8 8B9A0100 CALL Appxxx.0041BD5F
23004022D4 |. 50 PUSH EAX ; /Arg1
24004022D5 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28] ; |
25004022D9 |. E8 D27C0000 CALL Appxxx.00409FB0 ; \ MD5第一次加密
26004022DE |. 50 PUSH EAX
27004022DF |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
28004022E3 |. E8 6A970100 CALL Appxxx.0041BA52
29004022E8 |. 6A 05 PUSH 5
30004022EA |. 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+44]
31004022EE |. 6A 13 PUSH 13 ; 取19位置5个字符
32004022F0 |. 51 PUSH ECX
33004022F1 |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
34004022F5 |. C64424 60 02 MOV BYTE PTR SS:[ESP+60],2
35004022FA |. E8 D27A0100 CALL Appxxx.00419DD1
36004022FF |. 8BD8 MOV EBX,EAX
3700402301 |. 6A 05 PUSH 5
3800402303 |. 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
3900402307 |. 6A 04 PUSH 4 ; 取4位置的5个了符
4000402309 |. 52 PUSH EDX
410040230A |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
420040230E |. C64424 60 03 MOV BYTE PTR SS:[ESP+60],3
4300402313 |. E8 B97A0100 CALL Appxxx.00419DD1
4400402318 |. 8DBE FC020000 LEA EDI,DWORD PTR DS:[ESI+2FC]
450040231E |. C64424 54 04 MOV BYTE PTR SS:[ESP+54],4
4600402323 |. 57 PUSH EDI
4700402324 |. 50 PUSH EAX
4800402325 |. 8D4424 40 LEA EAX,DWORD PTR SS:[ESP+40]
4900402329 |. 50 PUSH EAX
500040232A |. E8 A3980100 CALL Appxxx.0041BBD2
510040232F |. 53 PUSH EBX
5200402330 |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
5300402334 |. 50 PUSH EAX
5400402335 |. 51 PUSH ECX
5500402336 |. C64424 60 05 MOV BYTE PTR SS:[ESP+60],5
560040233B |. E8 92980100 CALL Appxxx.0041BBD2
5700402340 |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
5800402344 |. C64424 54 06 MOV BYTE PTR SS:[ESP+54],6
5900402349 |. 52 PUSH EDX
600040234A |. 50 PUSH EAX
610040234B |. 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]
620040234F |. 50 PUSH EAX
6300402350 |. E8 7D980100 CALL Appxxx.0041BBD2 ; 连接字串
6400402355 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
6500402359 |. C64424 54 0B MOV BYTE PTR SS:[ESP+54],0B
660040235E |. E8 81960100 CALL Appxxx.0041B9E4
6700402363 |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
6800402367 |. C64424 54 0A MOV BYTE PTR SS:[ESP+54],0A
690040236C |. E8 73960100 CALL Appxxx.0041B9E4
7000402371 |. 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
7100402375 |. C64424 54 09 MOV BYTE PTR SS:[ESP+54],9
720040237A |. E8 65960100 CALL Appxxx.0041B9E4 ; 往串前加字串了
730040237F |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
7400402383 |. C64424 54 08 MOV BYTE PTR SS:[ESP+54],8
7500402388 |. E8 57960100 CALL Appxxx.0041B9E4
760040238D |. 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
7700402391 |. 8B41 F8 MOV EAX,DWORD PTR DS:[ECX-8]
7800402394 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
7900402398 |. 50 PUSH EAX
8000402399 |. E8 C1990100 CALL Appxxx.0041BD5F
810040239E |. 50 PUSH EAX ; /Arg1
820040239F |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28] ; |
83004023A3 |. E8 087C0000 CALL Appxxx.00409FB0 ; \ MD5第二次 加密
84004023A8 |. 50 PUSH EAX
85 //后期处理
从上面分析看出,这个加密过程用到了两次md5加密,第一次结果的处理后,交由第二次加密。
3、加密算法还原C#代码
弄清楚了过程,写还原代码就简单了,以下是用C#实现的代码
1 /**//// <summary>
2 /// 加密函数
3 /// </summary>
4 /// <param name="strKey">RandomKey.aspx得到的随机字串</param>
5 /// <param name="strID">某ID字串</param>
6 /// <returns>加密文本</returns>
7 public string GetEncrypKey(string strKey, string strID)
8 {
9 string result = "";
10 //第一次加密
11 MD5 md5 = new MD5CryptoServiceProvider();
12 byte[] buffer = System.Text.Encoding.Default.GetBytes(strKey);
13 byte[] EncrypArray = md5.ComputeHash(buffer);
14 for (int i = 0; i < EncrypArray.Length; i++)
15 {
16 result += string.Format("{0:X2}", EncrypArray[i]);
17 }
18
19 //为第二次加密准备数据
20 string tmpStr = result.ToLower();
21 string str2 = string.Format("{0}{1}{2}{3}", tmpStr.Substring(4, 5), strID, tmpStr.Substring(19, 5), strKey);
22
23 //第二次加密
24 buffer = System.Text.Encoding.Default.GetBytes(str2);
25 EncrypArray = md5.ComputeHash(buffer);
26 result = "";
27 for (int i = 0; i < EncrypArray.Length; i++)
28 {
29 result += string.Format("{0:X2}", EncrypArray[i]);
30 }
31 return result.ToLower();
32 }
33
