仅用于技术交流!!!!!!!!
通过分析这个软件
1,复习了MD5
2,复习了RSA
3,复习了Base64
Feel sth. badD:D,
程序启动的时候从注册表的 HKCU\\Software\\www.ai-master.com\\SGUI\\sn下读取键值,然后通过Base64解码得到注册码
也就是说这儿的值是正确的注册码经Base64编码后的.
程序启动的时候就要输入注册码否则无法使用,注册码共36位,经过分析后得知前5位是单独的,后31位作为RSA参数中的M,
前5位经过变形的MD5运算,得到128位的Hash,然后对这个Hash再进行处理得到一个中间整数,我称它为TempInt2.用RSA对注册
码后面的31位序列号进行加密,得到一个中间整数,我称它为TempInt1,如果TempInt1==TempInt2,那么就注册成功.
下面我们就具体看看吧,下面就是整个验证流程,其中有些函数的名字是我在OD中分析出函数的功能后在IDA中改的
; Check: entry of the registration-code validation routine. The listing of this
; routine is split into several fragments below (0041DA45.., 0041DB8C.., 0041DBA6..);
; ecx appears to be the object pointer (thiscall) and is kept in ebx throughout.
0041DA20 <>/$ 64:A1 00000000 mov eax,dword ptr fs:[0] ; Check
0041DA26 |. 6A FF push -1 ; SEH frame: push -1, handler address, previous fs:[0]
0041DA28 |. 68 8B744500 push <SGUI.loc_45748B>
0041DA2D |. 50 push eax
0041DA2E |. 64:8925 00000000 mov dword ptr fs:[0],esp
0041DA35 |. 81EC 90010000 sub esp,190 ; 0x190 bytes of locals (the copied code string lives at esp+C later)
0041DA3B |. 53 push ebx
0041DA3C |. 56 push esi
0041DA3D |. 57 push edi
0041DA3E |. 8BD9 mov ebx,ecx ; ebx = this
0041DA40 |. E8 0BFEFFFF call <SGUI.RSACompute> ; loads the RSA parameters into the object; contains a number of constructors and destructors
-----------------------------------------------------------------------------------------
; RSACompute: stores the hard-coded RSA modulus n and public exponent e into the
; object (this+410 / this+40C as CStrings, this+534 / this+5C4 after RSAMove) and
; zeroes four 0x100-byte work buffers at this+4, +104, +204, +304. Always returns 1.
; Note: both parameters are plaintext ASCII constants in the binary, and n is only
; 31 hex digits (about 123 bits), far below current RSA key-size recommendations.
0041D850 <>/$ 6A FF push -1 ; RSACompute
0041D852 |. 68 50744500 push <SGUI.loc_457450> ; SE handler installation
0041D857 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0041D85D |. 50 push eax
0041D85E |. 64:8925 00000000 mov dword ptr fs:[0],esp
0041D865 |. 83EC 08 sub esp,8 ; two temporary CStrings on the stack
0041D868 |. 53 push ebx
0041D869 |. 56 push esi
0041D86A |. 8BF1 mov esi,ecx ; esi = this
0041D86C |. 57 push edi
0041D86D |. 68 08D64600 push SGUI.0046D608 ; ASCII "343A6F971A5035321CDECBC4ECE1945"
0041D872 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0041D876 |. E8 C7610300 call <SGUI.CString::CString(char const *)> ; the string above is the RSA modulus n
0041D87B |. 8DBE 10040000 lea edi,dword ptr ds:[esi+410] ; this+410 = CString n
0041D881 |. 50 push eax
0041D882 |. 8BCF mov ecx,edi
0041D884 |. C74424 20 00000000 mov dword ptr ss:[esp+20],0 ; unwind-state bookkeeping for the SEH frame
0041D88C |. E8 E7610300 call <SGUI.CString::operator=(CString const &)>; jmp to MFC42.#858
0041D891 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0041D895 |. C74424 1C FFFFFFFF mov dword ptr ss:[esp+1C],-1
0041D89D |. E8 C45E0300 call <SGUI.CString::~CString(void)> ; jmp to MFC42.#800
0041D8A2 |. 68 00D64600 push SGUI.0046D600 ; ASCII "10001"
0041D8A7 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0041D8AB |. E8 92610300 call <SGUI.CString::CString(char const *)> ; the string above is the public exponent e
0041D8B0 |. 8D9E 0C040000 lea ebx,dword ptr ds:[esi+40C] ; this+40C = CString e
0041D8B6 |. 50 push eax
0041D8B7 |. 8BCB mov ecx,ebx
0041D8B9 |. C74424 20 01000000 mov dword ptr ss:[esp+20],1
0041D8C1 |. E8 B2610300 call <SGUI.CString::operator=(CString const &)>; jmp to MFC42.#858
0041D8C6 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0041D8CA |. C74424 1C FFFFFFFF mov dword ptr ss:[esp+1C],-1
0041D8D2 |. E8 8F5E0300 call <SGUI.CString::~CString(void)> ; jmp to MFC42.#800
0041D8D7 |. 6A 10 push 10 ; /Arg2 = 00000010 (presumably the radix 16 used to parse the hex string - confirm)
0041D8D9 |. 57 push edi ; |Arg1 = CString n
0041D8DA |. 8D8E 34050000 lea ecx,dword ptr ds:[esi+534] ; | this+534 = big-number n
0041D8E0 |. E8 5BF8FFFF call <SGUI.RSAMove> ; \SGUI.0041D140
0041D8E5 |. 6A 10 push 10 ; /Arg2 = 00000010
0041D8E7 |. 53 push ebx ; |Arg1 = CString e
0041D8E8 |. 8D8E C4050000 lea ecx,dword ptr ds:[esi+5C4] ; | this+5C4 = big-number e
0041D8EE |. E8 4DF8FFFF call <SGUI.RSAMove> ; \SGUI.0041D140
0041D8F3 |. B9 40000000 mov ecx,40 ; zero 0x40 dwords (0x100 bytes) at each of this+4, +104, +204, +304
0041D8F8 |. 33C0 xor eax,eax
0041D8FA |. 8D7E 04 lea edi,dword ptr ds:[esi+4]
0041D8FD |. F3:AB rep stos dword ptr es:[edi]
0041D8FF |. B9 40000000 mov ecx,40
0041D904 |. 8DBE 04010000 lea edi,dword ptr ds:[esi+104]
0041D90A |. F3:AB rep stos dword ptr es:[edi]
0041D90C |. B9 40000000 mov ecx,40
0041D911 |. 8DBE 04020000 lea edi,dword ptr ds:[esi+204]
0041D917 |. F3:AB rep stos dword ptr es:[edi]
0041D919 |. B9 40000000 mov ecx,40
0041D91E |. 8DBE 04030000 lea edi,dword ptr ds:[esi+304]
0041D924 |. F3:AB rep stos dword ptr es:[edi]
0041D926 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+14] ; restore previous SEH handler
0041D92A |. 5F pop edi
0041D92B |. 5E pop esi
0041D92C |. B8 01000000 mov eax,1 ; return value is always 1
0041D931 |. 5B pop ebx
0041D932 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
0041D939 |. 83C4 14 add esp,14
0041D93C \. C3 retn
--------------------------------------------------------------------------------------------------------
; Check, continued: length and blacklist checks, split of the 36-character code
; into a 5-byte prefix (this+4) and a 31-byte remainder (this+104), RSA
; exponentiation of the remainder, then hashing of the prefix.
0041DA45 |. 8BB424 AC010000 mov esi,dword ptr ss:[esp+1AC] ; esi = CString* argument (the entered registration code)
0041DA4C |. 8B06 mov eax,dword ptr ds:[esi] ; the registration code's character data
0041DA4E |. 8B40 F8 mov eax,dword ptr ds:[eax-8] ; the registration code's length (CString header at data-8)
0041DA51 |. 83F8 24 cmp eax,24 ; must be exactly 36 characters
0041DA54 |. 74 07 je short <SGUI.loc_41DA5D>
0041DA56 |. 33C0 xor eax,eax ; wrong length -> return 0
0041DA58 |. E9 8D010000 jmp <SGUI.loc_41DBEA>
0041DA5D <>|> 56 push esi ; loc_41DA5D
0041DA5E |. E8 AD010000 call <SGUI.BalckList> ; blacklist check (label name as chosen by the analyst)
0041DA63 |. 83C4 04 add esp,4
0041DA66 |. 85C0 test eax,eax ; eax=1 if the code is blacklisted, else eax=0
0041DA68 |. 74 07 je short <SGUI.loc_41DA71>
0041DA6A |. 33C0 xor eax,eax ; blacklisted -> return 0
0041DA6C |. E9 79010000 jmp <SGUI.loc_41DBEA>
0041DA71 <>|> B9 40000000 mov ecx,40 ; loc_41DA71 ; zero a 0x100-byte stack buffer at esp+C
0041DA76 |. 33C0 xor eax,eax
0041DA78 |. 8D7C24 0C lea edi,dword ptr ss:[esp+C]
0041DA7C |. F3:AB rep stos dword ptr es:[edi]
0041DA7E |. 8B0E mov ecx,dword ptr ds:[esi]
0041DA80 |. 8B41 F8 mov eax,dword ptr ds:[ecx-8]
0041DA83 |. 8BCE mov ecx,esi
0041DA85 |. 50 push eax
0041DA86 |. E8 F35F0300 call <SGUI.CString::GetBuffer(int)> ; jmp to MFC42.#2915
0041DA8B |. 8BF8 mov edi,eax ; edi = raw char buffer of the code
0041DA8D |. 83C9 FF or ecx,FFFFFFFF ; inline strlen
0041DA90 |. 33C0 xor eax,eax
0041DA92 |. 8D5424 0C lea edx,dword ptr ss:[esp+C]
0041DA96 |. F2:AE repne scas byte ptr es:[edi]
0041DA98 |. F7D1 not ecx ; ecx = length including the terminating NUL
0041DA9A |. 2BF9 sub edi,ecx
0041DA9C |. 8BC1 mov eax,ecx
0041DA9E |. 8BF7 mov esi,edi
0041DAA0 |. 8BFA mov edi,edx
0041DAA2 |. C1E9 02 shr ecx,2 ; inline memcpy into the stack buffer: dwords, then the remaining 0-3 bytes
0041DAA5 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0041DAA7 |. 8BC8 mov ecx,eax
0041DAA9 |. 33C0 xor eax,eax
0041DAAB |. 83E1 03 and ecx,3
0041DAAE |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0041DAB0 |. 8D7C24 0C lea edi,dword ptr ss:[esp+C] ; strlen of the copy
0041DAB4 |. 83C9 FF or ecx,FFFFFFFF
0041DAB7 |. F2:AE repne scas byte ptr es:[edi]
0041DAB9 |. F7D1 not ecx
0041DABB |. 49 dec ecx
0041DABC |. 83F9 24 cmp ecx,24 ; length re-checked against 36 (an embedded NUL would fail here)
0041DABF |. 0F85 25010000 jnz <SGUI.loc_41DBEA>
0041DAC5 |. 8B5424 0C mov edx,dword ptr ss:[esp+C] ; first 4 bytes of the code
0041DAC9 |. 8A4424 10 mov al,byte ptr ss:[esp+10] ; 5th byte
0041DACD |. 55 push ebp
0041DACE |. 8D6B 04 lea ebp,dword ptr ds:[ebx+4] ; this+4 = 5-byte prefix
0041DAD1 |. 8BCD mov ecx,ebp
0041DAD3 |. 8D7424 15 lea esi,dword ptr ss:[esp+15] ; esi -> bytes 6..36 of the code
0041DAD7 |. 8911 mov dword ptr ds:[ecx],edx
0041DAD9 |. 8841 04 mov byte ptr ds:[ecx+4],al
0041DADC |. 8D83 04010000 lea eax,dword ptr ds:[ebx+104] ; this+104 = 31-byte remainder
0041DAE2 |. B9 07000000 mov ecx,7 ; copy 7 dwords + 1 word + 1 byte = 31 bytes
0041DAE7 |. 8BF8 mov edi,eax
0041DAE9 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0041DAEB |. 66:A5 movs word ptr es:[edi],word ptr ds:[esi]
0041DAED |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
0041DAEE |. 8DB3 08040000 lea esi,dword ptr ds:[ebx+408] ; this+408 = CString copy of the remainder
0041DAF4 |. 50 push eax
0041DAF5 |. 68 0CA74600 push SGUI.0046A70C ; ASCII "%s"
0041DAFA |. 56 push esi
0041DAFB |. E8 A6610300 call <SGUI.CString::Format(char const *,...)> ; jmp to MFC42.#2818
0041DB00 |. 83C4 0C add esp,0C
0041DB03 |. 8DBB A4040000 lea edi,dword ptr ds:[ebx+4A4] ; this+4A4 = big-number m (the remainder)
0041DB09 |. 8BCF mov ecx,edi
0041DB0B |. 6A 10 push 10 ; /Arg2 = 00000010 (same radix argument as in RSACompute)
0041DB0D |. 56 push esi ; |Arg1
0041DB0E |. E8 2DF6FFFF call <SGUI.RSAMove> ; \SGUI.0041D140
0041DB13 |. 8D8B 34050000 lea ecx,dword ptr ds:[ebx+534] ; n
0041DB19 |. 8D93 C4050000 lea edx,dword ptr ds:[ebx+5C4] ; e
0041DB1F |. 51 push ecx ; /Arg3 = n
0041DB20 |. 8D8424 14010000 lea eax,dword ptr ss:[esp+114] ; | output big-number on the stack
0041DB27 |. 52 push edx ; |Arg2 = e
0041DB28 |. 50 push eax ; |Arg1 = output
0041DB29 |. 8BCF mov ecx,edi ; | this = m
0041DB2B |. E8 10F8FFFF call <SGUI.sub_41D340> ; \SGUI.0041D340
0041DB30 |. 8DBB 14040000 lea edi,dword ptr ds:[ebx+414] ; the call above is the RSA exponentiation
0041DB36 |. 50 push eax ; readers interested in how c = m^e mod n is implemented can look inside it
0041DB37 |. 8BCF mov ecx,edi
0041DB39 |. C78424 AC010000 00>mov dword ptr ss:[esp+1AC],0
0041DB44 |. E8 F7EDFFFF call <SGUI.sub_41C940> ; copies the result into this+414 (presumably a big-number assignment - confirm)
0041DB49 |. 8D8C24 10010000 lea ecx,dword ptr ss:[esp+110]
0041DB50 |. C78424 A8010000 FF>mov dword ptr ss:[esp+1A8],-1
0041DB5B |. E8 70FBFEFF call <SGUI.nullsub_2>
0041DB60 |. 8DB3 04040000 lea esi,dword ptr ds:[ebx+404] ; this+404 = CString of the RSA result (read back at 0041DBA6)
0041DB66 |. 6A 10 push 10 ; /Arg2 = 00000010
0041DB68 |. 56 push esi ; |Arg1
0041DB69 |. 8BCF mov ecx,edi ; |
0041DB6B |. E8 A0F6FFFF call <SGUI.sub_41D210> ; \SGUI.0041D210 ; big-number -> string (presumably in radix 16 - confirm)
0041DB70 |. 8BFD mov edi,ebp ; strlen of the 5-byte prefix at this+4
0041DB72 |. 83C9 FF or ecx,FFFFFFFF
0041DB75 |. 33C0 xor eax,eax
0041DB77 |. 8D93 04020000 lea edx,dword ptr ds:[ebx+204] ; this+204 = hash output buffer
0041DB7D |. F2:AE repne scas byte ptr es:[edi]
0041DB7F |. F7D1 not ecx
0041DB81 |. 49 dec ecx
0041DB82 |. 51 push ecx ; /Arg3 = prefix length
0041DB83 |. 52 push edx ; |Arg2 = hash output (this+204)
0041DB84 |. 55 push ebp ; |Arg1 = prefix (this+4)
0041DB85 |. 8BCB mov ecx,ebx ; |
0041DB87 |. E8 B4FDFFFF call <SGUI.sub_41D940> ; \SGUI.0041D940 ; hashes the prefix with the modified MD5 (its tail is listed next)
------------------------------------------------------------------------------------------------------
; Tail of the hashing helper (its beginning is not shown): feeds the input to
; MD5HashData in 64-byte blocks, then passes the remaining bytes to sub_41E800
; (presumably padding/finalisation - confirm).
0041DD39 |. 51 push ecx ; /Arg2
0041DD3A |. 50 push eax ; |Arg1
0041DD3B |. 8BCE mov ecx,esi ; |
0041DD3D |. E8 CE000000 call <SGUI.MD5HashData> ; \SGUI.0041DE10
0041DD42 |. 8BEB mov ebp,ebx ; this is the modified MD5
0041DD44 |. 83C3 3F add ebx,3F ; anyone familiar with the RSA Data Security reference MD5 in C
0041DD47 |. 3BDF cmp ebx,edi ; will find it familiar ^_*
0041DD49 |. 73 1E jnb short <SGUI.loc_41DD69> ; the modification is explained in detail below
0041DD4B <>|> 8B5424 14 /mov edx,dword ptr ss:[esp+14] ; loc_41DD4B ; loop: one MD5HashData call per full 64-byte block
0041DD4F |. 8BCE |mov ecx,esi
0041DD51 |. 8D441A C1 |lea eax,dword ptr ds:[edx+ebx-3F] ; input + block offset
0041DD55 |. 50 |push eax ; /Arg2 = block
0041DD56 |. 8D46 04 |lea eax,dword ptr ds:[esi+4] ; | state (a,b,c,d) at this+4
0041DD59 |. 50 |push eax ; |Arg1 = state
0041DD5A |. E8 B1000000 |call <SGUI.MD5HashData> ; \SGUI.0041DE10
0041DD5F |. 83C3 40 |add ebx,40
0041DD62 |. 83C5 40 |add ebp,40 ; ebp = bytes consumed so far
0041DD65 |. 3BDF |cmp ebx,edi ; edi = total input length
0041DD67 |.^ 72 E2 \jb short <SGUI.loc_41DD4B>
0041DD69 <>|> 33C0 xor eax,eax ; loc_41DD69
0041DD6B |. EB 02 jmp short <SGUI.loc_41DD6F>
0041DD6D <>|> 33ED xor ebp,ebp ; loc_41DD6D
0041DD6F <>|> 8B4C24 14 mov ecx,dword ptr ss:[esp+14] ; loc_41DD6F
0041DD73 |. 2BFD sub edi,ebp ; edi = number of bytes left over
0041DD75 |. 03E9 add ebp,ecx ; ebp = pointer to the leftover bytes
0041DD77 |. 57 push edi
0041DD78 |. 8D5430 1C lea edx,dword ptr ds:[eax+esi+1C]
0041DD7C |. 55 push ebp
0041DD7D |. 52 push edx
0041DD7E |. 8BCE mov ecx,esi
0041DD80 |. E8 7B0A0000 call <SGUI.sub_41E800>
0041DD85 |. 5F pop edi
0041DD86 |. 5E pop esi
0041DD87 |. 5D pop ebp
0041DD88 |. 5B pop ebx
0041DD89 \. C2 0800 retn 8
---------------------------------------------------------------------------------------------
; Check, continued: turn the hash bytes at this+204 into a digit string at this+304.
0041DB8C |. 8DBB 04030000 lea edi,dword ptr ds:[ebx+304] ; this+304 = digit-string output (TempInt2)
0041DB92 |. 68 00010000 push 100 ; Arg3 = number of bytes to scan (0x100, the whole buffer)
0041DB97 |. 8D83 04020000 lea eax,dword ptr ds:[ebx+204]
0041DB9D |. 57 push edi ; Arg2 = output
0041DB9E |. 50 push eax ; Arg1 = the MD5 hash result (this+204)
0041DB9F |. 8BCB mov ecx,ebx
0041DBA1 |. E8 2AFEFFFF call <SGUI.HashToTempInt> ; converts the hashed data (see the listing below)
--------------------------------------------------------------------------------------------------------------
; HashToTempInt(src, dst, count): for each of count bytes at src, skips zero bytes and
; otherwise appends (byte mod 10) as an ASCII digit to dst. dst is not terminated here
; (the buffer was zeroed in RSACompute). Always returns 1, also when count <= 0.
0041D9D0 <>/$ 53 push ebx ; HashToTempInt
0041D9D1 |. 8B5C24 10 mov ebx,dword ptr ss:[esp+10] ; ebx = count (Arg3); the conversion is very simple, just a modulo
0041D9D5 |. 33C9 xor ecx,ecx ; ecx = source index
0041D9D7 |. 85DB test ebx,ebx
0041D9D9 |. 7E 33 jle short <SGUI.loc_41DA0E> ; nothing to do for count <= 0
0041D9DB |. 55 push ebp
0041D9DC |. 56 push esi
0041D9DD |. 8B7424 14 mov esi,dword ptr ss:[esp+14] ; esi = dst (Arg2)
0041D9E1 |. 57 push edi
0041D9E2 |. 8B7C24 14 mov edi,dword ptr ss:[esp+14] ; edi = src (Arg1)
0041D9E6 <>|> 33C0 /xor eax,eax ; loc_41D9E6
0041D9E8 |. 8A0439 |mov al,byte ptr ds:[ecx+edi] ; eax = src[ecx], zero-extended
0041D9EB |. 85C0 |test eax,eax
0041D9ED |. 74 0E |je short <SGUI.loc_41D9FD> ; zero bytes produce no output
0041D9EF |. 99 |cdq
0041D9F0 |. BD 0A000000 |mov ebp,0A
0041D9F5 |. F7FD |idiv ebp ; edx = byte % 10
0041D9F7 |. 80C2 30 |add dl,30 ; + '0'
0041D9FA |. 8816 |mov byte ptr ds:[esi],dl
0041D9FC |. 46 |inc esi
0041D9FD <>|> 41 |inc ecx ; loc_41D9FD
0041D9FE |. 3BCB |cmp ecx,ebx
0041DA00 |.^ 7C E4 \jl short <SGUI.loc_41D9E6>
0041DA02 |. 5F pop edi
0041DA03 |. 5E pop esi
0041DA04 |. 5D pop ebp
0041DA05 |. B8 01000000 mov eax,1
0041DA0A |. 5B pop ebx
0041DA0B |. C2 0C00 retn 0C
0041DA0E <>|> B8 01000000 mov eax,1 ; loc_41DA0E
0041DA13 |. 5B pop ebx
0041DA14 \. C2 0C00 retn 0C
------------------------------------------------------------------------------------------------------------
; Check, end: compare the RSA result string (TempInt1, this+404) with the digit string
; derived from the hash (TempInt2, this+304) using an inline strcmp-style loop that
; examines two bytes per iteration. Returns eax = 1 when they match, else 0.
0041DBA6 |. 8B0E mov ecx,dword ptr ds:[esi] ; esi -> CString with the RSA result (TempInt1)
0041DBA8 |. 8B41 F8 mov eax,dword ptr ds:[ecx-8] ; its length
0041DBAB |. 8BCE mov ecx,esi
0041DBAD |. 50 push eax
0041DBAE |. E8 CB5E0300 call <SGUI.CString::GetBuffer(int)> ; jmp to MFC42.#2915 ; eax = raw chars of TempInt1
0041DBB3 |. 5D pop ebp
0041DBB4 <>|> 8A17 /mov dl,byte ptr ds:[edi] ; edi -> the converted hash digits (TempInt2)
0041DBB6 |. 8A18 |mov bl,byte ptr ds:[eax] ; TempInt1; the comparison starts here
0041DBB8 |. 8ACA |mov cl,dl
0041DBBA |. 3AD3 |cmp dl,bl
0041DBBC |. 75 1E |jnz short <SGUI.loc_41DBDC> ; mismatch
0041DBBE |. 84C9 |test cl,cl
0041DBC0 |. 74 16 |je short <SGUI.loc_41DBD8> ; both strings ended -> equal
0041DBC2 |. 8A57 01 |mov dl,byte ptr ds:[edi+1]
0041DBC5 |. 8A58 01 |mov bl,byte ptr ds:[eax+1]
0041DBC8 |. 8ACA |mov cl,dl
0041DBCA |. 3AD3 |cmp dl,bl
0041DBCC |. 75 0E |jnz short <SGUI.loc_41DBDC>
0041DBCE |. 83C7 02 |add edi,2
0041DBD1 |. 83C0 02 |add eax,2
0041DBD4 |. 84C9 |test cl,cl
0041DBD6 |.^ 75 DC \jnz short <SGUI.loc_41DBB4>
0041DBD8 <>|> 33C0 xor eax,eax ; loc_41DBD8 ; difference = 0
0041DBDA |. EB 05 jmp short <SGUI.loc_41DBE1>
0041DBDC <>|> 1BC0 sbb eax,eax ; loc_41DBDC ; difference = -1 or +1 depending on the carry of the last cmp
0041DBDE |. 83D8 FF sbb eax,-1
0041DBE1 <>|> 33C9 xor ecx,ecx ; loc_41DBE1
0041DBE3 |. 85C0 test eax,eax
0041DBE5 |. 0F94C1 sete cl ; cl = 1 when the difference is 0 (strings equal)
0041DBE8 |. 8BC1 mov eax,ecx ; eax = result flag
0041DBEA <>|> 8B8C24 9C010000 mov ecx,dword ptr ss:[esp+19C] ; loc_41DBEA ; common exit (also reached with eax = 0 from the early checks)
0041DBF1 |. 5F pop edi
0041DBF2 |. 5E pop esi
0041DBF3 |. 5B pop ebx
0041DBF4 |. 64:890D 00000000 mov dword ptr fs:[0],ecx ; restore previous SEH handler
0041DBFB |. 81C4 9C010000 add esp,19C
0041DC01 \. C2 0400 retn 4
-----------------------------------------------------------------------------------------------------
好了,这个软件的注册认证流程大致的看了一遍,得到了RSA参数中的模数n和公钥e,然后用tE!的RSATool或者Bigcalc
可以对n进行因式分解,得到p,q分别为D60E52C6D8EAE47,3E765C045B128613,然后Calc.D就可以得到私钥d了
d=13F6BE4EF8ECEDD6C1214F2894041E5。
下面来看看这个MD5是怎么变形的,一些初始化的工作就不说啦.
0041DD3D |. E8 CE000000 call <SGUI.MD5HashData> ; call site inside the hashing helper listed above (0041DD39..)
-----------------------------------------------------------------------------------------------------
; MD5HashData(state, block): one compression step over a 64-byte block; the body
; continues below the C excerpt. edx = block pointer (Arg2).
0041DE10 <>/$ 83EC 44 sub esp,44 ; MD5HashData ; 0x44 bytes of locals (decoded x[16] at esp+1C after the pushes)
0041DE13 |. 53 push ebx
0041DE14 |. 8B5424 50 mov edx,dword ptr ss:[esp+50] ; compare with the MD5 algorithm written in C by
0041DE18 |. 55 push ebp ; RSA Security Inc. (excerpt below)
------------------------------------------------------------------------------------------------------------
/* Excerpt of the RSA Data Security, Inc. reference MD5 implementation (round 1 of
   MD5Transform). The basic function F and the Decode helper are defined elsewhere
   in that file and are not part of this excerpt. */
#define S11 7 // these four shift amounts are the ones used in round 1
#define S12 12
#define S13 17
#define S14 22
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
// rotate left by n bits, built from a left shift, a right shift and an or
#define FF(a, b, c, d, x, s, ac) { \
(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}// one round-1 step; uses the MD5 basic function F
/* round 1 follows: x[] holds the 16 words decoded from the 64-byte block */
Decode (x, block, 64);
/* Round 1 */
FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
上面的这些是标准的MD5变换(暂且这么说),但在这个软件里作者自己修改了四个参数S11,S12,S13,S14 分别为十六进制的48,1,27和8
就变形在这个地方,其它的都没变
------------------------------------------------------------------------------------------------------------
; MD5HashData, continued: load a,b,c,d from the state, decode the block, then the
; first round-1 steps. The additive constants match the reference MD5; only the
; rotation amounts differ (see the comments at each shl/shr pair).
0041DE19 |. 56 push esi
0041DE1A |. 8B7424 54 mov esi,dword ptr ss:[esp+54] ; esi = state (Arg1)
0041DE1E |. 57 push edi
0041DE1F |. 6A 40 push 40 ; 64 bytes
0041DE21 |. 52 push edx ; block
0041DE22 |. 8B06 mov eax,dword ptr ds:[esi] ; a
0041DE24 |. 8B7E 04 mov edi,dword ptr ds:[esi+4] ; b
0041DE27 |. 8B5E 08 mov ebx,dword ptr ds:[esi+8] ; c
0041DE2A |. 8B6E 0C mov ebp,dword ptr ds:[esi+C] ; d
0041DE2D |. 894424 60 mov dword ptr ss:[esp+60],eax ; a saved on the stack
0041DE31 |. 8D4424 1C lea eax,dword ptr ss:[esp+1C] ; x[16] lives at esp+1C
0041DE35 |. 50 push eax
0041DE36 |. 894C24 1C mov dword ptr ss:[esp+1C],ecx
0041DE3A |. E8 71090000 call <SGUI.sub_41E7B0> ; presumably Decode(x, block, 64) - confirm
0041DE3F |. 8B4424 14 mov eax,dword ptr ss:[esp+14] ; x[0]
0041DE43 |. 8BCF mov ecx,edi ; F(b,c,d) = (b & c) | (~b & d)
0041DE45 |. F7D1 not ecx
0041DE47 |. 8BD3 mov edx,ebx
0041DE49 |. 23CD and ecx,ebp
0041DE4B |. 23D7 and edx,edi
0041DE4D |. 0BCA or ecx,edx
0041DE4F |. 8BD7 mov edx,edi
0041DE51 |. 03C8 add ecx,eax ; + x[0]
0041DE53 |. 8B4424 58 mov eax,dword ptr ss:[esp+58] ; a
0041DE57 |. 8D8C08 78A46AD7 lea ecx,dword ptr ds:[eax+ecx+D76AA478] ; step 1: + a + 0xD76AA478
0041DE5E |. 8BC1 mov eax,ecx
0041DE60 |. C1E0 48 shl eax,48 ; this is where it deviates: in standard MD5 this would be
0041DE63 |. C1E9 D8 shr ecx,0D8 ; shl eax,7
0041DE66 |. 0BC1 or eax,ecx ; shr ecx,19
0041DE68 |. 03C7 add eax,edi ; a += b
0041DE6A |. 8BC8 mov ecx,eax ; F(a,b,c) for step 2
0041DE6C |. 23D0 and edx,eax
0041DE6E |. F7D1 not ecx
0041DE70 |. 23CB and ecx,ebx
0041DE72 |. 0BCA or ecx,edx
0041DE74 |. 8B5424 18 mov edx,dword ptr ss:[esp+18] ; x[1]
0041DE78 |. 03CA add ecx,edx
0041DE7A |. 8D9429 56B7C7E8 lea edx,dword ptr ds:[ecx+ebp+E8C7B756] ; step 2: + d + 0xE8C7B756
0041DE81 |. 8BCA mov ecx,edx
0041DE83 |. 03D2 add edx,edx ; add edx,edx here is equivalent to shl edx,1
0041DE85 |. C1E9 1F shr ecx,1F ; which is why only shr ecx,1F appears and no shl
0041DE88 |. 0BCA or ecx,edx
0041DE8A |. 03C8 add ecx,eax ; d += a
0041DE8C |. 8BD1 mov edx,ecx ; F(d,a,b) for step 3
0041DE8E |. 8BE9 mov ebp,ecx
0041DE90 |. F7D2 not edx
0041DE92 |. 23D7 and edx,edi
0041DE94 |. 23E8 and ebp,eax
0041DE96 |. 0BD5 or edx,ebp
0041DE98 |. 8B6C24 1C mov ebp,dword ptr ss:[esp+1C] ; x[2]
0041DE9C |. 03D5 add edx,ebp
0041DE9E |. 8BE9 mov ebp,ecx
0041DEA0 |. 8D9C13 DB702024 lea ebx,dword ptr ds:[ebx+edx+242070DB] ; step 3: + c + 0x242070DB
0041DEA7 |. 8BD3 mov edx,ebx
0041DEA9 |. C1E2 27 shl edx,27 ; standard would be shl edx,0C
0041DEAC |. C1EB F9 shr ebx,0F9 ; shr ebx,14
0041DEAF |. 0BD3 or edx,ebx
0041DEB1 |. 03D1 add edx,ecx ; c += d
0041DEB3 |. 8BDA mov ebx,edx ; F(c,d,a) for step 4
0041DEB5 |. 23EA and ebp,edx
0041DEB7 |. F7D3 not ebx
0041DEB9 |. 23D8 and ebx,eax
0041DEBB |. 0BDD or ebx,ebp
0041DEBD |. 8B6C24 20 mov ebp,dword ptr ss:[esp+20] ; x[3]
0041DEC1 |. 03DD add ebx,ebp
0041DEC3 |. 8D9C1F EECEBDC1 lea ebx,dword ptr ds:[edi+ebx+C1BDCEEE] ; step 4: + b + 0xC1BDCEEE
0041DECA |. 8BFB mov edi,ebx
0041DECC |. C1EF 18 shr edi,18 ; standard would be shl ebx,11
0041DECF |. C1E3 08 shl ebx,8 ; shr edi,0F
0041DED2 |. 0BFB or edi,ebx
0041DED4 |. 8BDA mov ebx,edx
0041DED6 |. 03FA add edi,edx ; b += c
0041DED8 |. 897C24 58 mov dword ptr ss:[esp+58],edi ; new b saved on the stack
0041DEDC |. 8B6C24 58 mov ebp,dword ptr ss:[esp+58]
0041DEE0 |. F7D7 not edi ; F(b,c,d) for step 5
0041DEE2 |. 23F9 and edi,ecx
0041DEE4 |. 23DD and ebx,ebp
0041DEE6 |. 0BFB or edi,ebx
0041DEE8 |. 8B6C24 24 mov ebp,dword ptr ss:[esp+24] ; x[4]
0041DEEC |. 8B5C24 58 mov ebx,dword ptr ss:[esp+58]
0041DEF0 |. 03FD add edi,ebp
0041DEF2 |. 8BEB mov ebp,ebx
0041DEF4 |. 8D8438 AF0F7CF5 lea eax,dword ptr ds:[eax+edi+F57C0FAF] ; step 5: + a + 0xF57C0FAF
0041DEFB |. 8BF8 mov edi,eax
0041DEFD |. C1E7 48 shl edi,48 ; same modified pair as step 1 (S11 position)
0041DF00 |. C1E8 D8 shr eax,0D8
0041DF03 |. 0BF8 or edi,eax
0041DF05 |. 03FB add edi,ebx ; a += b
0041DF07 |. 8BC7 mov eax,edi
0041DF09 |. 23EF and ebp,edi ; start of F(a,b,c) for step 6; listing ends here
--------------------------------------------------------------------------------------------
例如前5位为WUMIN,那么经过变形MD5计算得到7A C1 34 14 70 41 E9 0B 10 13 EA FD 13 98 24 0F这个Hash结果,然后经过
HashToTempInt这个转换为2320253169439265这样一个整数,现在我们用BigCalc中的RSATool设置好Private(D),Modulus(n)和
Encrypt&Decrypt Text:为2320253169439265,然后按下Decrypt就可以得到一组31位的字符串,这就是注册码后面的31位,到此
这个软件的注册算法大致清楚了
感谢 无名 兄弟的帮助和支持 D