[Help] Can anyone give me an approach? It's about cracking a device protocol
Posted: 2009-1-1 11:20 3282

A master and a slave device communicate: the master sends 16 bytes (A1~A6, B1~B6, C1~C4) and the slave replies with 8 bytes (S1~S8). By simulating the master I obtained the following influence relations:
A1 ->> S4 S6     B1 ->> S1 S7     C1 ->> S3 S6
A2 ->> S6 S8     B2 ->> S4 S8     C2 ->> S2 S4
A3 ->> S3 S5     B3 ->> S1 S8     C3 ->> S5 S6
A4 ->> S7 S8     B4 ->> S3 S7     C4 ->> S1 S4
A5 ->> S2 S7     B5 ->> S2 S3
A6 ->> S2 S5     B6 ->> S1 S5
  
From this the following reverse relations can be derived:
S1 ->>B1 B3 B6 C4  
S2 ->>A5 A6 B5 C2
S3 ->>A3 B4 B5 C1
S4 ->>A1 B2 C2 C4
S5 ->>A3 A6 B6 C3
S6 ->>A1 A2 C1 C3
S7 ->>A4 A5 B1 B4
S8 ->>A2 A4 B2 B3

My master simulation works like this: step A1 up with all other bytes 0, and S4 and S6 change (the two values are identical); the other bytes behave in the same way. In this process I obtained two tables: A1~A6 all generate the same table (one table), B5, B6 and C1~C4 all generate the same table (a second table), and the tables generated by varying B1~B4 duplicate the two tables above.
Varied byte             S1 S2 S3 S4 S5 S6 S7 S8
A1=0, others 0          FF,FF,FF,FF,FF,FF,FF,FF
A1=1, others 0          FF,FF,FF,5E,FF,5E,FF,FF
...
A1=0xff, others 0       FF,FF,FF,F2,FF,F2,FF,FF    this yields a 256-byte table in which every value is unique

B1=0, others 0          FF,FF,FF,FF,FF,FF,FF,FF
B1=1, others 0          5E,FF,FF,FF,FF,FF,C4,FF
...
B1=0xff, others 0       F2,FF,FF,FF,FF,FF,5B,FF

B5=0, others 0          FF,FF,FF,FF,FF,FF,FF,FF
B5=1, others 0          FF,C4,C4,FF,FF,FF,FF,FF
B5=0xff, others 0       FF,5B,5B,FF,FF,FF,FF,FF    this yields the other 256-byte table, again with every value unique
I also found that if any single byte of A1, A3~A6, B1~B6, C1~C4 is changed (relative to the raw data I captured), the slave always returns data according to the following rule:
S[1]= table1[B1]^table1[B3]^table2[B6]^table2[C4]^0xff;
S[2]= table1[A5]^table1[A6]^table2[B5]^table2[C2]^0xff;
S[3]= table1[A3]^table1[B4]^table2[B5]^table2[C1]^0xff;
...
S[8]= table1[A2]^table1[A4]^table2[B2]^table2[B3]^0xff;
But as soon as the captured raw data itself is used to read the slave, the result jumps (it is not what the formula gives). When A2 is varied from 0 to 0xFF, jumps occur in many places (32 places).
About these jumps I found that whenever S1^S2^...^S8 computed by my formula is 0, the real S1^S2^...^S8 is also 0. This is where I'm stuck, and I'd like to ask the experts on the forum what else I should pay attention to in order to take this further.
Here is one set of data:
unsigned char DatA[]={0x81,0x81,0x81,0x81,0x81,0x81};
unsigned char Datb[]={0x81,0x81,0x81,0x81,0xef,0x65};
unsigned char DatC[]={0x7b,0x43,0x75,0x0c};//0x22,0xe6,0xa3,0x8f,0x1e,0xf6,0xff,0xff
                                    
/*                  raw bytes            table lookup          real result
S1 B1/B3/B6/C4 81,81,65,0c// | 30^30^31^b2^ff= 7c  ->22 (former table)  relation???
S2 A5/A6/B5/C2 81,81,ef,43// - 30^30^cf^1f^ff= 2f  ->e6
S3 A3/B4/B5/C1 81,81,ef,7b// | 30^30^cf^ea^ff= da  ->a3 (former table)
S4 A1/B2/C2/C4 81,81,43,0c// | 30^30^1f^b2^ff= 52  ->8f (former table)
S5 A3/A6/B6/C3 81,81,65,75// - 30^30^31^8a^ff= 44  ->1e
S6 A1/A2/C1/C3 81,81,7b,75// - 30^30^ea^8a^ff= 9f  ->f6
S7 A4/A5/B1/B4 81,81,81,81// | 30^30^8b^8b^ff= ff  ->ff (later table)
S8 A2/A4/B2/B3 81,81,81,81// | 30^30^8b^8b^ff= ff  ->ff (later table)*/

unsigned char table1[256]={
0xFF,0x5E,0x57,0x9C,0x28,0xC1,0x7B,0x59,0x48,0x2A,0x04,0xEB,0x98,0xE9,0xF7,0x43,
0xA3,0xEA,0xCA,0xD8,0xA7,0x8C,0x6F,0xAA,0xF8,0xB1,0x06,0x4E,0xA5,0x8A,0x6D,0x67,
0x72,0x0C,0xBB,0x33,0x14,0xB0,0x53,0xEE,0xB4,0x1B,0x34,0x10,0x21,0x38,0x91,0x61,
0x76,0x70,0xFC,0x32,0xF6,0x56,0x89,0x6A,0x93,0xDF,0x4F,0xD6,0x1A,0xC7,0x87,0x68,
0x9E,0x8F,0x7F,0xE8,0xD0,0x18,0x86,0x47,0x3A,0xB8,0x64,0xBC,0x50,0x49,0x82,0xBD,
0x4D,0xDC,0xE4,0x78,0x3C,0xCC,0xC3,0xD3,0x62,0x2C,0xD7,0x17,0x9D,0x65,0x2F,0xCF,
0xC6,0xA0,0xE0,0xC8,0xBF,0x45,0xFD,0xE6,0xD5,0xC0,0x41,0x96,0x9F,0x02,0xAC,0x3E,
0x20,0x1E,0xF4,0xA6,0xED,0xA4,0xFE,0x40,0xE2,0x6E,0xF0,0xAD,0xEC,0x03,0x1C,0x90,
0x44,0x30,0xDA,0xD9,0xBA,0x81,0x79,0x5D,0x5F,0x2B,0xAE,0xBE,0x1D,0x07,0x7D,0x09,
0x39,0x5C,0xCB,0x36,0x25,0xE7,0x55,0xD1,0xEF,0xDB,0x13,0xCD,0x60,0xAB,0x1F,0xB6,
0x51,0x8D,0x7A,0x24,0xD4,0x54,0xAF,0x15,0x63,0x6B,0x4C,0x35,0x19,0x8E,0x7E,0x00,
0xB2,0x9B,0xFA,0x11,0x3B,0x0F,0x3D,0xC4,0x4A,0x0B,0xA1,0xDD,0x77,0x23,0xCE,0x5B,
0x75,0x2D,0x08,0x22,0xB3,0x9A,0x29,0x0E,0x71,0x12,0xA8,0xC9,0xA2,0x5A,0xF3,0xF9,
0x88,0x74,0xD2,0xF5,0x4B,0x26,0x3F,0xE1,0x16,0xC5,0x0A,0xB5,0xE5,0xB9,0x92,0xB7,
0x99,0x85,0x6C,0x31,0x8B,0x80,0xDE,0x27,0x83,0xC2,0x69,0x84,0x2E,0xFB,0x95,0xF1,
0xE3,0x05,0x7C,0x66,0xA9,0x73,0x0D,0x94,0x42,0x52,0x37,0x58,0x01,0x46,0x97,0xF2};

unsigned char table2[256]={
0xFF,0xC4,0xB3,0x76,0x84,0x5A,0x88,0xE8,0x00,0x61,0x64,0x63,0xB2,0x5C,0x1E,0xF3,
0x0D,0xB8,0x95,0x11,0xC3,0x72,0xB9,0x0E,0xC9,0xB4,0x93,0x05,0x0A,0x18,0x6C,0xED,
0x7E,0x03,0xE0,0x26,0x0F,0x16,0xAF,0x39,0x3C,0xFB,0x06,0xD4,0x8E,0xBB,0x29,0x1B,
0xE4,0xD2,0x85,0x6F,0x2B,0xE3,0x8D,0xE1,0xF4,0x17,0x13,0xEB,0x4E,0x7A,0x28,0x73,
0xC6,0xA1,0xCD,0x1F,0xDD,0xAB,0x97,0x04,0x75,0xB0,0x08,0x59,0xDA,0x15,0x83,0x9E,
0x40,0x66,0x9B,0x52,0x38,0xA8,0xB7,0x36,0x8C,0x43,0x46,0xF0,0x62,0x34,0xCA,0x42,
0x23,0xC2,0xFC,0xCC,0xBA,0x31,0x3F,0x87,0x41,0x58,0x69,0xA5,0x7C,0x2F,0xA3,0x8F,
0xEF,0x51,0x55,0x0C,0x9C,0x8A,0xF6,0xBF,0x32,0x60,0x20,0xEA,0x19,0x44,0x3A,0xC0,
0x14,0x8B,0xAD,0xC5,0xE7,0x37,0xD1,0x4C,0x9D,0xD0,0x3E,0x9A,0x98,0x01,0x2E,0xDB,
0xCB,0x30,0x49,0xA7,0x5D,0x10,0x35,0xF9,0x67,0x77,0xD7,0xBC,0x4B,0x4A,0xD8,0xA0,
0x71,0x0B,0x7F,0x47,0xF8,0x57,0x6E,0xE6,0xB1,0x56,0xFA,0x54,0xBD,0xF2,0xB6,0xEC,
0x48,0x92,0x78,0x1D,0xFE,0xAE,0xBE,0xB5,0x25,0x70,0x2C,0xF1,0x80,0x2A,0x6B,0x22,
0xD5,0xAA,0x6D,0xF5,0x02,0x99,0x1C,0x3B,0xCE,0x4F,0x9F,0xAC,0xD3,0xA6,0xD9,0xDE,
0xC7,0x33,0xC8,0xD6,0x6A,0xE2,0xE9,0x7B,0x07,0x65,0x82,0x90,0xA9,0x2D,0x4D,0x86,
0x79,0x91,0xC1,0xE5,0x81,0x12,0x96,0xF7,0x45,0xA4,0x09,0x5F,0xEE,0xDC,0xFD,0xCF,
0x3D,0x1A,0x53,0x7D,0x27,0x68,0x74,0xDF,0x94,0x5E,0x21,0x24,0x50,0xA2,0x89,0x5B};

array.h
// some of the data I captured
unsigned char array194[16]=// should return {0x22,0xe6,0xa3,0x8f,0x1e,0xf6,0xff,0xff }
{0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0xef,0x65,0x7b,0x43,0x75,0x0c};
unsigned char array195[16]=//should return {0x42,0xf6,0xe1,0xae,0x7b,0x49,0xa7,0x6e}
{0xd4,0x4e,0xd4,0x4e,0xd4,0x4e,0xd4,0x4e,0xd4,0x4e,0x1d,0x0c,0x3c,0x0a,0xda,0x5c};
unsigned char array196[16]=//should return {0x70,0xd6,0x2c,0x46,0xf7,0x4c,0x05,0x72}
{0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0xad,0x2e,0x09,0x44,0x27,0x71};
unsigned char array197[16]=//should return {0xfc,0x03,0x33,0x8c,0x18,0xcf,0xbd,0x2a}
{0xc7,0x60,0xc7,0x60,0xc7,0x60,0xc7,0x60,0xc7,0x60,0x8e,0x6e,0xa2,0x36,0x97,0xf4};
unsigned char array198[16]=//should return {0xcd,0x65,0xb1,0x79,0x79,0x19,0xff,0xff}
{0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0x1d,0xa4,0x43,0x39,0xda,0xf4};
unsigned char array199[16]=//should return {0x70,0xd6,0x2c,0x46,0xf7,0x4c,0x05,0x72}
{0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0xad,0x2e,0x09,0x44,0x27,0x71};
unsigned char array200[16]=//should return {0x7b,0x4b,0xf8,0x52,0xd1,0x45,0xc7,0x4a}
{0x32,0x9f,0x32,0x9f,0x32,0x9f,0x32,0x9f,0x32,0x9f,0x2d,0x31,0x85,0xf9,0xd8,0x17};
unsigned char array201[16]=//should return {0x05,0xb6,0xfc,0x6f,0x35,0xd4,0x24,0xe5}
{0xcc,0xff,0xcc,0xff,0xcc,0xff,0xcc,0xff,0xcc,0xff,0x73,0xd9,0xd4,0xb2,0xea,0x21};
// In some of the arrays above the first 10 bytes are special: the 8 values computed from such an array always XOR to 0, and the 8 bytes of the real result also XOR to 0.
main.c

#include <stdio.h>
#include "array.h"   /* the captured frames; table1/table2 from above are assumed visible here too */

#define arrayX array194   /* select which captured frame to evaluate */

int main(void)
{
    unsigned char res = 0, sum = 0;   /* XOR and byte sum of the whole 16-byte frame */
    unsigned char rxor = 0, r[8];
    unsigned int i;

    for (i = 0; i < 16; i++)
        res ^= arrayX[i];

    for (i = 0; i < 16; i++)
        sum += arrayX[i];

    /* frame layout: [0..5] = A1..A6, [6..0xb] = B1..B6, [0xc..0xf] = C1..C4 */
    r[0] = table1[arrayX[6]] ^ table1[arrayX[8]] ^ table2[arrayX[0xb]] ^ table2[arrayX[0xf]] ^ 0xff; /* S1 */
    r[1] = table1[arrayX[4]] ^ table1[arrayX[5]] ^ table2[arrayX[0xa]] ^ table2[arrayX[0xd]] ^ 0xff; /* S2 */
    r[2] = table1[arrayX[2]] ^ table1[arrayX[9]] ^ table2[arrayX[0xa]] ^ table2[arrayX[0xc]] ^ 0xff; /* S3 */
    r[3] = table1[arrayX[0]] ^ table1[arrayX[7]] ^ table2[arrayX[0xd]] ^ table2[arrayX[0xf]] ^ 0xff; /* S4 */
    r[4] = table1[arrayX[2]] ^ table1[arrayX[5]] ^ table2[arrayX[0xb]] ^ table2[arrayX[0xe]] ^ 0xff; /* S5 */
    r[5] = table1[arrayX[0]] ^ table1[arrayX[1]] ^ table2[arrayX[0xc]] ^ table2[arrayX[0xe]] ^ 0xff; /* S6 */
    r[6] = table1[arrayX[3]] ^ table1[arrayX[4]] ^ table2[arrayX[0x6]] ^ table2[arrayX[0x9]] ^ 0xff; /* S7 */
    r[7] = table1[arrayX[1]] ^ table1[arrayX[3]] ^ table2[arrayX[0x7]] ^ table2[arrayX[0x8]] ^ 0xff; /* S8 */
    rxor = r[0] ^ r[1] ^ r[2] ^ r[3] ^ r[4] ^ r[5] ^ r[6] ^ r[7];

    printf("frame xor=%02x sum=%02x\n", res, sum);
    for (i = 0; i < 8; i++)
        printf("%02x ", r[i]);
    printf(" rxor=%02x\n", rxor);
    return 0;
}

My overall point is this: if any one byte of the original 15 bytes (A2 excluded) is changed and sent to the slave, the result the slave returns is consistent with the result my formula above produces; but if the data is sent unchanged, the returned result differs from the formula's. Still, as the examples above show, if the first 10 of the 16 bytes sent XOR to 0, the 8 returned bytes XOR to 0 as well.
Changing A2 behaves slightly differently from changing the other bytes: as A2 runs through 0~0xFF, at 32 positions the returned result jumps to the real result, while the other 256-32=224 positions give the result computed by the formula above. Take the example above: the data I captured from master to slave was 0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0xef,0x65,0x7b,0x43,0x75,0x0c, 16 bytes in total sent in three transfers of 6, 6 and 4 bytes, and the reply was 0x22,0xe6,0xa3,0x8f,0x1e,0xf6,0xff,0xff. If I replace the first byte 0x81 with 0x80, 0x82 or any of the other 255 values, the slave's reply is consistent with the formula above, but with 0x81 the reply jumps to 0x22,0xe6,0xa3,0x8f,0x1e,0xf6,0xff,0xff; and since the first 10 bytes the master sends XOR to 0, 0x22^0xe6^0xa3^0x8f^0x1e^0xf6^0xff^0xff is also 0.
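As an added example (not part of the original post, and not the device's real algorithm), the C program below implements the lookup model described in the post so the hypothesis can be checked offline against the captured frames. table1/table2 and array194 with its real reply are copied from the post; frame_demo is a constructed frame; the function names (model_response, model_byte, model_parity, model_parity_closed_form) are mine. It goes one step beyond the post: every input byte enters exactly two of the eight model bytes, and all except B1..B4 do so through the same table, so in the XOR of the eight model bytes everything cancels except d[B1]^d[B2]^d[B3]^d[B4] with d[x] = table1[x]^table2[x]. That closed form says exactly which bytes the model's parity depends on, and why the captured frames, whose B1..B4 are all equal or alternate in pairs, always give 0.

```c
#include <stdio.h>
#include <string.h>

/* table1 and table2, copied verbatim from the post above. */
static const unsigned char T1[256] = {
0xFF,0x5E,0x57,0x9C,0x28,0xC1,0x7B,0x59,0x48,0x2A,0x04,0xEB,0x98,0xE9,0xF7,0x43,
0xA3,0xEA,0xCA,0xD8,0xA7,0x8C,0x6F,0xAA,0xF8,0xB1,0x06,0x4E,0xA5,0x8A,0x6D,0x67,
0x72,0x0C,0xBB,0x33,0x14,0xB0,0x53,0xEE,0xB4,0x1B,0x34,0x10,0x21,0x38,0x91,0x61,
0x76,0x70,0xFC,0x32,0xF6,0x56,0x89,0x6A,0x93,0xDF,0x4F,0xD6,0x1A,0xC7,0x87,0x68,
0x9E,0x8F,0x7F,0xE8,0xD0,0x18,0x86,0x47,0x3A,0xB8,0x64,0xBC,0x50,0x49,0x82,0xBD,
0x4D,0xDC,0xE4,0x78,0x3C,0xCC,0xC3,0xD3,0x62,0x2C,0xD7,0x17,0x9D,0x65,0x2F,0xCF,
0xC6,0xA0,0xE0,0xC8,0xBF,0x45,0xFD,0xE6,0xD5,0xC0,0x41,0x96,0x9F,0x02,0xAC,0x3E,
0x20,0x1E,0xF4,0xA6,0xED,0xA4,0xFE,0x40,0xE2,0x6E,0xF0,0xAD,0xEC,0x03,0x1C,0x90,
0x44,0x30,0xDA,0xD9,0xBA,0x81,0x79,0x5D,0x5F,0x2B,0xAE,0xBE,0x1D,0x07,0x7D,0x09,
0x39,0x5C,0xCB,0x36,0x25,0xE7,0x55,0xD1,0xEF,0xDB,0x13,0xCD,0x60,0xAB,0x1F,0xB6,
0x51,0x8D,0x7A,0x24,0xD4,0x54,0xAF,0x15,0x63,0x6B,0x4C,0x35,0x19,0x8E,0x7E,0x00,
0xB2,0x9B,0xFA,0x11,0x3B,0x0F,0x3D,0xC4,0x4A,0x0B,0xA1,0xDD,0x77,0x23,0xCE,0x5B,
0x75,0x2D,0x08,0x22,0xB3,0x9A,0x29,0x0E,0x71,0x12,0xA8,0xC9,0xA2,0x5A,0xF3,0xF9,
0x88,0x74,0xD2,0xF5,0x4B,0x26,0x3F,0xE1,0x16,0xC5,0x0A,0xB5,0xE5,0xB9,0x92,0xB7,
0x99,0x85,0x6C,0x31,0x8B,0x80,0xDE,0x27,0x83,0xC2,0x69,0x84,0x2E,0xFB,0x95,0xF1,
0xE3,0x05,0x7C,0x66,0xA9,0x73,0x0D,0x94,0x42,0x52,0x37,0x58,0x01,0x46,0x97,0xF2};
static const unsigned char T2[256] = {
0xFF,0xC4,0xB3,0x76,0x84,0x5A,0x88,0xE8,0x00,0x61,0x64,0x63,0xB2,0x5C,0x1E,0xF3,
0x0D,0xB8,0x95,0x11,0xC3,0x72,0xB9,0x0E,0xC9,0xB4,0x93,0x05,0x0A,0x18,0x6C,0xED,
0x7E,0x03,0xE0,0x26,0x0F,0x16,0xAF,0x39,0x3C,0xFB,0x06,0xD4,0x8E,0xBB,0x29,0x1B,
0xE4,0xD2,0x85,0x6F,0x2B,0xE3,0x8D,0xE1,0xF4,0x17,0x13,0xEB,0x4E,0x7A,0x28,0x73,
0xC6,0xA1,0xCD,0x1F,0xDD,0xAB,0x97,0x04,0x75,0xB0,0x08,0x59,0xDA,0x15,0x83,0x9E,
0x40,0x66,0x9B,0x52,0x38,0xA8,0xB7,0x36,0x8C,0x43,0x46,0xF0,0x62,0x34,0xCA,0x42,
0x23,0xC2,0xFC,0xCC,0xBA,0x31,0x3F,0x87,0x41,0x58,0x69,0xA5,0x7C,0x2F,0xA3,0x8F,
0xEF,0x51,0x55,0x0C,0x9C,0x8A,0xF6,0xBF,0x32,0x60,0x20,0xEA,0x19,0x44,0x3A,0xC0,
0x14,0x8B,0xAD,0xC5,0xE7,0x37,0xD1,0x4C,0x9D,0xD0,0x3E,0x9A,0x98,0x01,0x2E,0xDB,
0xCB,0x30,0x49,0xA7,0x5D,0x10,0x35,0xF9,0x67,0x77,0xD7,0xBC,0x4B,0x4A,0xD8,0xA0,
0x71,0x0B,0x7F,0x47,0xF8,0x57,0x6E,0xE6,0xB1,0x56,0xFA,0x54,0xBD,0xF2,0xB6,0xEC,
0x48,0x92,0x78,0x1D,0xFE,0xAE,0xBE,0xB5,0x25,0x70,0x2C,0xF1,0x80,0x2A,0x6B,0x22,
0xD5,0xAA,0x6D,0xF5,0x02,0x99,0x1C,0x3B,0xCE,0x4F,0x9F,0xAC,0xD3,0xA6,0xD9,0xDE,
0xC7,0x33,0xC8,0xD6,0x6A,0xE2,0xE9,0x7B,0x07,0x65,0x82,0x90,0xA9,0x2D,0x4D,0x86,
0x79,0x91,0xC1,0xE5,0x81,0x12,0x96,0xF7,0x45,0xA4,0x09,0x5F,0xEE,0xDC,0xFD,0xCF,
0x3D,0x1A,0x53,0x7D,0x27,0x68,0x74,0xDF,0x94,0x5E,0x21,0x24,0x50,0xA2,0x89,0x5B};

/* Captured frame array194 and its real reply, as posted. frame_demo is a constructed
   frame with 16 distinct bytes, used only to exercise the parity identity below. */
static const unsigned char frame194[16] = {0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0x81,0xef,0x65,0x7b,0x43,0x75,0x0c};
static const unsigned char reply194[8]  = {0x22,0xe6,0xa3,0x8f,0x1e,0xf6,0xff,0xff};
static const unsigned char frame_demo[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xf0};

/* Frame layout from the post: f[0..5]=A1..A6, f[6..11]=B1..B6, f[12..15]=C1..C4.
   The posted model: each S byte is four table lookups XORed together with 0xff. */
static void model_response(const unsigned char f[16], unsigned char out[8]) {
    out[0] = T1[f[6]] ^ T1[f[8]] ^ T2[f[11]] ^ T2[f[15]] ^ 0xff; /* S1: B1 B3 B6 C4 */
    out[1] = T1[f[4]] ^ T1[f[5]] ^ T2[f[10]] ^ T2[f[13]] ^ 0xff; /* S2: A5 A6 B5 C2 */
    out[2] = T1[f[2]] ^ T1[f[9]] ^ T2[f[10]] ^ T2[f[12]] ^ 0xff; /* S3: A3 B4 B5 C1 */
    out[3] = T1[f[0]] ^ T1[f[7]] ^ T2[f[13]] ^ T2[f[15]] ^ 0xff; /* S4: A1 B2 C2 C4 */
    out[4] = T1[f[2]] ^ T1[f[5]] ^ T2[f[11]] ^ T2[f[14]] ^ 0xff; /* S5: A3 A6 B6 C3 */
    out[5] = T1[f[0]] ^ T1[f[1]] ^ T2[f[12]] ^ T2[f[14]] ^ 0xff; /* S6: A1 A2 C1 C3 */
    out[6] = T1[f[3]] ^ T1[f[4]] ^ T2[f[6]]  ^ T2[f[9]]  ^ 0xff; /* S7: A4 A5 B1 B4 */
    out[7] = T1[f[1]] ^ T1[f[3]] ^ T2[f[7]]  ^ T2[f[8]]  ^ 0xff; /* S8: A2 A4 B2 B3 */
}

/* One model byte, to compare against the hand-computed values in the post. */
static unsigned char model_byte(const unsigned char f[16], int i) {
    unsigned char out[8];
    model_response(f, out);
    return out[i];
}

static unsigned char xor_bytes(const unsigned char *p, size_t n) {
    unsigned char x = 0;
    while (n--) x ^= *p++;
    return x;
}

/* XOR of the eight model bytes, computed directly. */
static unsigned char model_parity(const unsigned char f[16]) {
    unsigned char out[8];
    model_response(f, out);
    return xor_bytes(out, 8);
}

/* The same quantity in closed form: only B1..B4 enter two S bytes through different
   tables, so everything else (and the eight 0xff constants) cancels and what remains is
   d[B1]^d[B2]^d[B3]^d[B4] with d[x] = T1[x]^T2[x]. */
static unsigned char model_parity_closed_form(const unsigned char f[16]) {
    unsigned char d = 0;
    int i;
    for (i = 6; i <= 9; i++) d ^= (unsigned char)(T1[f[i]] ^ T2[f[i]]);
    return d;
}

int main(void) {
    int i;
    printf("model reply for array194:");
    for (i = 0; i < 8; i++) printf(" %02x", model_byte(frame194, i));
    printf("\nmodel parity=%02x  closed form=%02x  captured parity=%02x\n",
           model_parity(frame194), model_parity_closed_form(frame194), xor_bytes(reply194, 8));
    printf("constructed frame: model parity=%02x  closed form=%02x\n",
           model_parity(frame_demo), model_parity_closed_form(frame_demo));
    return 0;
}
```

For array194 the program reproduces the post's hand calculation (7c 2f da 52 44 9f ff ff), which differs from the captured 22 e6 a3 8f 1e f6 ff ff while both XOR to 0; for the constructed frame the direct and closed-form parities agree, so any further hypothesis about the "jump" cases can be tested against that invariant rather than against the first-10-bytes rule alone.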
