对照《加密解密》(第二版/第三版)，分析 CRC32 如下：
PS：第二版中的 CRC32 计算算法有误，第三版已更正。下面看看 FI 的校验。
;-----------------------------------------------------------------------
; FileCRC  --  far proc in a 16-bit segment using 32-bit (386+) operands.
; Table-driven CRC32 in the reflected/LSB-first form (table built by
; shifting right and xoring the caller-supplied polynomial) over a byte
; range of a file.
;
; Stack arguments (retf 10h => 16 bytes, i.e. four dwords):
;   FileName         far ptr to a length-prefixed (Pascal) filename
;   crcvalue         polynomial used to build the table; the original
;                    annotation says 0EDB88320h, but nothing in this
;                    routine pins it -- a caller can pass anything
;   arg_8/arg_A      end offset, clamped to filesize_hi:filesize_lo
;   size_lo/size_hi  start offset despite the IDA name; reset to 0 when
;                    it lies past the end of the file
; Globals read/written: BaseMem (segment of the read buffer),
;   filesize_lo/_hi, CRC_Len (scratch: requested, then actual, chunk len).
; Returns dx:ax = NOT dwCRC.  Distinguished results that matter when the
; value is used as an integrity check:
;   * BaseMem == 0, or OpenFile returning al == 0  -> returns 0
;     (dwCRC never leaves 0FFFFFFFFh, so the final inversion yields 0)
;   * a key seen by GetCh between chunks -> dwCRC zeroed, loop aborted,
;     returns 0FFFFFFFFh
; Clobbers eax, ebx, ecx, edx, si, di, es and flags; ds is restored
; after the filename copy.
;-----------------------------------------------------------------------
seg014:04AB FileCRC proc far
seg014:04AB
seg014:04AB crc32tbl = byte ptr -58Eh ; 256 dword entries (400h bytes) on the stack
seg014:04AB offset_lo = word ptr -18Eh ; current file offset, low word
seg014:04AB offset_hi = word ptr -18Ch ; current file offset, high word
seg014:04AB dwCRC = dword ptr -18Ah ; running CRC (not yet inverted)
seg014:04AB var_185 = byte ptr -185h ; abort flag, set when GetCh reports a key
seg014:04AB handle = byte ptr -184h ; file handle/record filled in by OpenFile
seg014:04AB filename = byte ptr -104h ; 256-byte copy of the Pascal filename
seg014:04AB crc32lo = word ptr -4 ; result low word (spilled, then reloaded)
seg014:04AB crc32hi = word ptr -2 ; result high word
seg014:04AB FileName = dword ptr 6 ; far ptr to the length-prefixed name
seg014:04AB crcvalue = dword ptr 0Ah ; CRC32 polynomial (annotated as 0EDB88320h)
seg014:04AB arg_8 = word ptr 0Eh ; end offset, low word
seg014:04AB arg_A = word ptr 10h ; end offset, high word
seg014:04AB size_lo = word ptr 12h ; start offset, low word (IDA name is misleading)
seg014:04AB size_hi = word ptr 14h ; start offset, high word
seg014:04AB
seg014:04AB enter 58Eh, 0 ; 58Eh bytes of locals, lexical level 0
seg014:04AF mov bx, ss
seg014:04B1 mov es, bx ; es = ss: the locals are written through es
seg014:04B3 mov bx, ds ; park the data segment in bx while ds is borrowed
seg014:04B5 cld
seg014:04B6 lea di, [bp+filename]
seg014:04BA lds si, [bp+FileName]
seg014:04BD lodsb ; Pascal string: first byte is the length
seg014:04BE stosb
seg014:04BF xchg ax, cx
seg014:04C0 xor ch, ch ; cx = length 0..255, so at most 256 bytes land in filename
seg014:04C2 rep movsb
seg014:04C4 mov ds, bx ; restore ds; what follows builds the table from the CRC32 polynomial
seg014:04C6 mov edx, [bp+crcvalue] ; edx = polynomial, annotated as 0EDB88320h (reflected CRC-32)
seg014:04CA lea di, [bp+crc32tbl] ; table is generated in place on the stack (ss:di)
seg014:04CE xor bx, bx ; bx = table index == input byte value, 0..255
seg014:04D0
seg014:04D0 for0:
seg014:04D0 xor eax, eax
seg014:04D3 mov al, bl ; eax = index, zero-extended
seg014:04D5 mov cx, 8 ; eight bit steps per entry
seg014:04D8
seg014:04D8 for1:
seg014:04D8 test al, 1
seg014:04DA pushf ; keep ZF from the test: shr rewrites the flags
seg014:04DB shr eax, 1
seg014:04DE popf
seg014:04DF jz short loc_6DB14 ; low bit was clear: shift only
seg014:04E1 xor eax, edx ; low bit was set: shift, then xor the polynomial
seg014:04E4
seg014:04E4 loc_6DB14:
seg014:04E4 loop for1
seg014:04E6 shl bx, 2 ; bx*4 = byte offset of dword entry bx (bx <= 255, no overflow)
seg014:04E9 mov ss:[bx+di], eax
seg014:04ED shr bx, 2 ; back to the plain index
seg014:04F0 inc bx
seg014:04F1 cmp bx, 255
seg014:04F5 jbe short for0 ; fill crc table (entries 0..255)
seg014:04F7 mov word ptr [bp+dwCRC], 0FFFFh ; CRC32 initial value 0FFFFFFFFh
seg014:04FD mov word ptr [bp+dwCRC+2], 0FFFFh
seg014:0503 cmp ds:BaseMem, 0 ; no read-buffer segment?
seg014:0508 jnz short open_checkcrc
seg014:050A jmp exit ; dwCRC is still 0FFFFFFFFh, so the caller receives 0
seg014:050D
seg014:050D open_checkcrc:
seg014:050D lea di, [bp+handle]
seg014:0511 push ss
seg014:0512 push di ; far ptr to handle
seg014:0513 push 'R' ; open mode
seg014:0515 lea di, [bp+filename]
seg014:0519 push ss
seg014:051A push di ; far ptr to the copied filename
seg014:051B push cs
seg014:051C call near ptr OpenFile ; push cs + near call: callee presumably returns far
seg014:051F or al, al
seg014:0521 jnz short checkcrc
seg014:0523 jmp exit ; open failed (al == 0): no CloseFile, result is 0
seg014:0526
seg014:0526 checkcrc:
seg014:0526 mov ax, [bp+size_lo] ; dx:ax = requested start offset
seg014:0529 mov dx, [bp+size_hi]
seg014:052C cmp dx, ds:filesize_hi ; high word compared signed (jg/jl), low word unsigned (jbe)
seg014:0530 jg short loc_6DB6A
seg014:0532 jl short loc_6DB76
seg014:0534 cmp ax, ds:filesize_lo
seg014:0538 jbe short loc_6DB76
seg014:053A
seg014:053A loc_6DB6A: ; start lies past the end of the file: silently restart at 0
seg014:053A xor ax, ax
seg014:053C mov [bp+offset_lo], ax
seg014:0540 mov [bp+offset_hi], ax
seg014:0544 jmp short loc_6DB84
seg014:0546
seg014:0546 loc_6DB76: ; start is inside the file: use it as-is
seg014:0546 mov ax, [bp+size_lo]
seg014:0549 mov dx, [bp+size_hi]
seg014:054C mov [bp+offset_lo], ax
seg014:0550 mov [bp+offset_hi], dx
seg014:0554
seg014:0554 loc_6DB84:
seg014:0554 mov ax, [bp+arg_8] ; dx:ax = requested end offset
seg014:0557 mov dx, [bp+arg_A]
seg014:055A cmp dx, ds:filesize_hi
seg014:055E jg short loc_6DB98
seg014:0560 jl short loc_6DBA5
seg014:0562 cmp ax, ds:filesize_lo
seg014:0566 jbe short loc_6DBA5
seg014:0568
seg014:0568 loc_6DB98: ; end past EOF: clamp end to the file size
seg014:0568 mov ax, ds:filesize_lo
seg014:056B mov dx, ds:filesize_hi
seg014:056F mov [bp+arg_8], ax
seg014:0572 mov [bp+arg_A], dx
seg014:0575
seg014:0575 loc_6DBA5:
seg014:0575 lea di, [bp+handle]
seg014:0579 push ss
seg014:057A push di ; handle
seg014:057B push [bp+offset_hi] ; offset_hi
seg014:057F push [bp+offset_lo] ; offset_lo
seg014:0583 push cs
seg014:0584 call near ptr lseek_begin ; seek once; later reads continue sequentially
seg014:0587 mov [bp+var_185], 0 ; clear the abort flag
seg014:058C
seg014:058C loc_6DBBC: ; chunk loop: CRC_Len = min(end - offset, 0FFEFh)
seg014:058C mov ax, [bp+arg_8]
seg014:058F mov dx, [bp+arg_A]
seg014:0592 sub ax, [bp+offset_lo]
seg014:0596 sbb dx, [bp+offset_hi] ; dx:ax = end - offset, treated as signed below
seg014:059A cmp dx, 0
seg014:059D jg short loc_6DBD6
seg014:059F jl short loc_6DBDE ; NOTE(review): a negative remainder (start > end) is not rejected; the low word of the difference becomes the chunk length
seg014:05A1 cmp ax, 0FFEFh
seg014:05A4 jbe short loc_6DBDE
seg014:05A6
seg014:05A6 loc_6DBD6:
seg014:05A6 mov ds:CRC_Len, 0FFEFh ; largest chunk: 0FFEFh bytes (fits in the segment from offset 1)
seg014:05AC jmp short loc_6DBEF
seg014:05AE
seg014:05AE loc_6DBDE:
seg014:05AE mov ax, [bp+arg_8]
seg014:05B1 mov dx, [bp+arg_A]
seg014:05B4 sub ax, [bp+offset_lo]
seg014:05B8 sbb dx, [bp+offset_hi]
seg014:05BC mov ds:CRC_Len, ax ; remaining bytes, low word only
seg014:05BF
seg014:05BF loc_6DBEF:
seg014:05BF mov ax, ds:CRC_Len
seg014:05C2 xor dx, dx
seg014:05C4 add [bp+offset_lo], ax ; offset advances by the REQUESTED length, before the read
seg014:05C8 adc [bp+offset_hi], dx ; (a short read is not reflected here; the file position itself only moves by what ReadFile consumed)
seg014:05CC lea di, [bp+handle]
seg014:05D0 push ss
seg014:05D1 push di ; handle
seg014:05D2 mov ax, ds:BaseMem
seg014:05D5 push ax
seg014:05D6 mov di, 1 ; buffer = BaseMem:0001
seg014:05D9 pop es
seg014:05DA push es
seg014:05DB push di ; buffer
seg014:05DC push ds:CRC_Len ; bytes
seg014:05E0 push cs
seg014:05E1 call near ptr ReadFile
seg014:05E4 mov ds:CRC_Len, ax ; ax = bytes actually read
seg014:05E7 mov dx, ds:CRC_Len
seg014:05EB or dx, dx
seg014:05ED jz short crcend ; nothing read: skip the update. NOTE(review): assumes ReadFile never reports an error as 0FFFFh -- with dx = 0FFFFh the loop below never terminates (di wraps past 0FFFFh) -- verify ReadFile's contract
seg014:05EF lea si, [bp+crc32tbl] ; CRC32 update over the chunk
seg014:05F3 push ds:BaseMem
seg014:05F7 pop es
seg014:05F8 mov di, 1 ; es:di = first byte of the chunk; last byte is es:[dx]
seg014:05FB
seg014:05FB nextcrc: ; crc = tbl[(crc ^ byte) & 0FFh] ^ (crc >> 8)
seg014:05FB mov ebx, [bp+dwCRC]
seg014:0600 mov ecx, ebx
seg014:0603 shr ecx, 8 ; ecx = crc >> 8
seg014:0607 xor bl, es:[di] ; bl = (crc ^ byte) & 0FFh
seg014:060A xor bh, bh
seg014:060C shl bx, 2 ; dword index into the stack table
seg014:060F mov eax, ss:[bx+si]
seg014:0613 xor eax, ecx
seg014:0616 mov [bp+dwCRC], eax
seg014:061B inc di
seg014:061C cmp di, dx
seg014:061E jbe short nextcrc ; inclusive bound: processes bytes 1..CRC_Len
seg014:0620
seg014:0620 crcend:
seg014:0620 call GetCh ; chunk done; poll the keyboard
seg014:0623 or al, al
seg014:0625 jz short loc_6DC66 ; no key: keep going
seg014:0627 xor ax, ax ; key pressed: wipe the CRC and flag an abort
seg014:0629 mov word ptr [bp+dwCRC], ax ; (the final inversion turns this into 0FFFFFFFFh)
seg014:062D mov word ptr [bp+dwCRC+2], ax
seg014:0631 mov [bp+var_185], 1
seg014:0636
seg014:0636 loc_6DC66: ; continue while offset < end and not aborted
seg014:0636 mov ax, [bp+offset_lo]
seg014:063A mov dx, [bp+offset_hi]
seg014:063E cmp dx, [bp+arg_A]
seg014:0641 jg short close_exit
seg014:0643 jl short loc_6DC7A
seg014:0645 cmp ax, [bp+arg_8]
seg014:0648 jnb short close_exit ; offset >= end: done
seg014:064A
seg014:064A loc_6DC7A:
seg014:064A cmp [bp+var_185], 0
seg014:064F jnz short close_exit ; aborted by keystroke
seg014:0651 jmp loc_6DBBC ; next chunk
seg014:0654
seg014:0654 close_exit:
seg014:0654 lea di, [bp+handle]
seg014:0658 push ss
seg014:0659 push di ; handle
seg014:065A push cs
seg014:065B call near ptr CloseFile
seg014:065E
seg014:065E exit: ; also reached directly on BaseMem == 0 / open failure (no CloseFile)
seg014:065E mov ax, word ptr [bp+dwCRC]
seg014:0662 mov dx, word ptr [bp+dwCRC+2]
seg014:0666 xor ax, 0FFFFh ; final xor: result = NOT dwCRC
seg014:0669 xor dx, 0FFFFh ; real CRC
seg014:066D mov [bp+crc32lo], ax ; spill and reload: dx:ax already holds the result
seg014:0670 mov [bp+crc32hi], dx
seg014:0673 mov ax, [bp+crc32lo]
seg014:0676 mov dx, [bp+crc32hi]
seg014:0679 leave
seg014:067A retf 10h ; pop the 16 bytes of arguments
seg014:067A FileCRC endp
从上面可以看出，CRC32 校验本身并不难找；但是该程序的其它校验还挺麻烦。