首先祝愿所有的老师节日快乐!(当然包括看雪老师),没有看雪老师的论坛,中国的计算机事业至少要倒退20年,估计这还是保守数字。独乐乐,不如众乐乐,下面把这两天的学习体会奉献给大家:
我们经常会遇到winrar提示校验错误,到底是怎么回事呢?很多前辈都对crc校验了如指掌,理论基础扎实,但是还没有人愿意谈谈rar的校验方法。懒人被逼无奈只能亲自动手,通过调试发现不超过10行代码(其实我优化了一下,原本有100行左右)。源代码在演示的压缩文件中给出。
简单说一下调试方法,在OD中设个条件断点如:
bp WriteFile [esp+4]==000000cc 表示当WriteFile的第一个参数hFile(即[esp+4])等于000000cc、也就是对该句柄写文件时中断。句柄到底是多少每次运行都可能不同,你可以先用bp WriteFile 下个普通断点看一下。然后再对写入的缓冲区设内存断点就能搞定了。
上图中蓝色下划线是3处校验值,还有一处在尾部这里看不到。
写出来是这样的C43D7B00400700,前面的C43D就是对紧接的7B00400700做CRC32运算后取低16位得到的(RAR各块头部的Head-CRC只保留2字节)。蓝色块就是对压缩包内的文本文件内容计算得到的完整32位校验值,这里是488641cd;灰色下划线是时间;括号包含的块就是压缩文件的关键部分,长度是002e,我用红色下划线加以标记。具体含义请看文章尾部,这里要感谢密码学版主R大上传的资料,节省了我分析的时间。
下面主要介绍一下这几个crc是如何得到的。贴出我优化的算法代码:
// One table-driven CRC-32 step. myebx holds the running CRC, tt the next
// input byte, table the 256-entry (1024-byte, little-endian dwords) table:
//   myebx := table[(myebx xor tt) and $FF] xor (myebx shr 8)
MOV EDX,myebx                    // edx := current crc
xor ecx,ecx                      // clear the index register
XOR DL,tt                        // dl := (crc xor input byte) low 8 bits
MOV cl,DL                        // ecx := table index 0..255
SHR myebx,8                      // crc := crc shr 8 (updated in memory)
shl ecx,2                        // byte offset := index * 4 (dword entries)
mov edx,dword ptr [table+ecx]    // edx := table[index]
XOR EDX,myebx                    // edx := table[index] xor (crc shr 8)
mov myebx,edx                    // store the new crc
用winhex打开待压缩的文本文件RarCRCCode.txt,把全部内容以十六进制文本的形式复制到crc计算工具中(工具按每两个十六进制字符解析为一个字节,注意不要混入空格、换行等其他字符),点击calc按钮即可。其他几处计算请看截图。
工具核心代码如下:
{ CRC-32 lookup table: 256 dword entries stored as 1024 little-endian
  bytes, i.e. entry k occupies table[4*k]..table[4*k+3] (low byte first).
  Entry 1 decodes to $77073096 and entry 128 to $EDB88320, matching the
  standard reflected CRC-32 (IEEE 802.3 / zip) table, which is why the
  results agree with what WinRAR writes. The inline asm in Button1Click
  indexes it with (index shl 2). }
const
table: array[0..1023] of byte = (
$00, $00, $00, $00, $96, $30, $07, $77, $2C, $61, $0E, $EE, $BA, $51, $09, $99,
$19, $C4, $6D, $07, $8F, $F4, $6A, $70, $35, $A5, $63, $E9, $A3, $95, $64, $9E,
$32, $88, $DB, $0E, $A4, $B8, $DC, $79, $1E, $E9, $D5, $E0, $88, $D9, $D2, $97,
$2B, $4C, $B6, $09, $BD, $7C, $B1, $7E, $07, $2D, $B8, $E7, $91, $1D, $BF, $90,
$64, $10, $B7, $1D, $F2, $20, $B0, $6A, $48, $71, $B9, $F3, $DE, $41, $BE, $84,
$7D, $D4, $DA, $1A, $EB, $E4, $DD, $6D, $51, $B5, $D4, $F4, $C7, $85, $D3, $83,
$56, $98, $6C, $13, $C0, $A8, $6B, $64, $7A, $F9, $62, $FD, $EC, $C9, $65, $8A,
$4F, $5C, $01, $14, $D9, $6C, $06, $63, $63, $3D, $0F, $FA, $F5, $0D, $08, $8D,
$C8, $20, $6E, $3B, $5E, $10, $69, $4C, $E4, $41, $60, $D5, $72, $71, $67, $A2,
$D1, $E4, $03, $3C, $47, $D4, $04, $4B, $FD, $85, $0D, $D2, $6B, $B5, $0A, $A5,
$FA, $A8, $B5, $35, $6C, $98, $B2, $42, $D6, $C9, $BB, $DB, $40, $F9, $BC, $AC,
$E3, $6C, $D8, $32, $75, $5C, $DF, $45, $CF, $0D, $D6, $DC, $59, $3D, $D1, $AB,
$AC, $30, $D9, $26, $3A, $00, $DE, $51, $80, $51, $D7, $C8, $16, $61, $D0, $BF,
$B5, $F4, $B4, $21, $23, $C4, $B3, $56, $99, $95, $BA, $CF, $0F, $A5, $BD, $B8,
$9E, $B8, $02, $28, $08, $88, $05, $5F, $B2, $D9, $0C, $C6, $24, $E9, $0B, $B1,
$87, $7C, $6F, $2F, $11, $4C, $68, $58, $AB, $1D, $61, $C1, $3D, $2D, $66, $B6,
$90, $41, $DC, $76, $06, $71, $DB, $01, $BC, $20, $D2, $98, $2A, $10, $D5, $EF,
$89, $85, $B1, $71, $1F, $B5, $B6, $06, $A5, $E4, $BF, $9F, $33, $D4, $B8, $E8,
$A2, $C9, $07, $78, $34, $F9, $00, $0F, $8E, $A8, $09, $96, $18, $98, $0E, $E1,
$BB, $0D, $6A, $7F, $2D, $3D, $6D, $08, $97, $6C, $64, $91, $01, $5C, $63, $E6,
$F4, $51, $6B, $6B, $62, $61, $6C, $1C, $D8, $30, $65, $85, $4E, $00, $62, $F2,
$ED, $95, $06, $6C, $7B, $A5, $01, $1B, $C1, $F4, $08, $82, $57, $C4, $0F, $F5,
$C6, $D9, $B0, $65, $50, $E9, $B7, $12, $EA, $B8, $BE, $8B, $7C, $88, $B9, $FC,
$DF, $1D, $DD, $62, $49, $2D, $DA, $15, $F3, $7C, $D3, $8C, $65, $4C, $D4, $FB,
$58, $61, $B2, $4D, $CE, $51, $B5, $3A, $74, $00, $BC, $A3, $E2, $30, $BB, $D4,
$41, $A5, $DF, $4A, $D7, $95, $D8, $3D, $6D, $C4, $D1, $A4, $FB, $F4, $D6, $D3,
$6A, $E9, $69, $43, $FC, $D9, $6E, $34, $46, $88, $67, $AD, $D0, $B8, $60, $DA,
$73, $2D, $04, $44, $E5, $1D, $03, $33, $5F, $4C, $0A, $AA, $C9, $7C, $0D, $DD,
$3C, $71, $05, $50, $AA, $41, $02, $27, $10, $10, $0B, $BE, $86, $20, $0C, $C9,
$25, $B5, $68, $57, $B3, $85, $6F, $20, $09, $D4, $66, $B9, $9F, $E4, $61, $CE,
$0E, $F9, $DE, $5E, $98, $C9, $D9, $29, $22, $98, $D0, $B0, $B4, $A8, $D7, $C7,
$17, $3D, $B3, $59, $81, $0D, $B4, $2E, $3B, $5C, $BD, $B7, $AD, $6C, $BA, $C0,
$20, $83, $B8, $ED, $B6, $B3, $BF, $9A, $0C, $E2, $B6, $03, $9A, $D2, $B1, $74,
$39, $47, $D5, $EA, $AF, $77, $D2, $9D, $15, $26, $DB, $04, $83, $16, $DC, $73,
$12, $0B, $63, $E3, $84, $3B, $64, $94, $3E, $6A, $6D, $0D, $A8, $5A, $6A, $7A,
$0B, $CF, $0E, $E4, $9D, $FF, $09, $93, $27, $AE, $00, $0A, $B1, $9E, $07, $7D,
$44, $93, $0F, $F0, $D2, $A3, $08, $87, $68, $F2, $01, $1E, $FE, $C2, $06, $69,
$5D, $57, $62, $F7, $CB, $67, $65, $80, $71, $36, $6C, $19, $E7, $06, $6B, $6E,
$76, $1B, $D4, $FE, $E0, $2B, $D3, $89, $5A, $7A, $DA, $10, $CC, $4A, $DD, $67,
$6F, $DF, $B9, $F9, $F9, $EF, $BE, $8E, $43, $BE, $B7, $17, $D5, $8E, $B0, $60,
$E8, $A3, $D6, $D6, $7E, $93, $D1, $A1, $C4, $C2, $D8, $38, $52, $F2, $DF, $4F,
$F1, $67, $BB, $D1, $67, $57, $BC, $A6, $DD, $06, $B5, $3F, $4B, $36, $B2, $48,
$DA, $2B, $0D, $D8, $4C, $1B, $0A, $AF, $F6, $4A, $03, $36, $60, $7A, $04, $41,
$C3, $EF, $60, $DF, $55, $DF, $67, $A8, $EF, $8E, $6E, $31, $79, $BE, $69, $46,
$8C, $B3, $61, $CB, $1A, $83, $66, $BC, $A0, $D2, $6F, $25, $36, $E2, $68, $52,
$95, $77, $0C, $CC, $03, $47, $0B, $BB, $B9, $16, $02, $22, $2F, $26, $05, $55,
$BE, $3B, $BA, $C5, $28, $0B, $BD, $B2, $92, $5A, $B4, $2B, $04, $6A, $B3, $5C,
$A7, $FF, $D7, $C2, $31, $CF, $D0, $B5, $8B, $9E, $D9, $2C, $1D, $AE, $DE, $5B,
$B0, $C2, $64, $9B, $26, $F2, $63, $EC, $9C, $A3, $6A, $75, $0A, $93, $6D, $02,
$A9, $06, $09, $9C, $3F, $36, $0E, $EB, $85, $67, $07, $72, $13, $57, $00, $05,
$82, $4A, $BF, $95, $14, $7A, $B8, $E2, $AE, $2B, $B1, $7B, $38, $1B, $B6, $0C,
$9B, $8E, $D2, $92, $0D, $BE, $D5, $E5, $B7, $EF, $DC, $7C, $21, $DF, $DB, $0B,
$D4, $D2, $D3, $86, $42, $E2, $D4, $F1, $F8, $B3, $DD, $68, $6E, $83, $DA, $1F,
$CD, $16, $BE, $81, $5B, $26, $B9, $F6, $E1, $77, $B0, $6F, $77, $47, $B7, $18,
$E6, $5A, $08, $88, $70, $6A, $0F, $FF, $CA, $3B, $06, $66, $5C, $0B, $01, $11,
$FF, $9E, $65, $8F, $69, $AE, $62, $F8, $D3, $FF, $6B, $61, $45, $CF, $6C, $16,
$78, $E2, $0A, $A0, $EE, $D2, $0D, $D7, $54, $83, $04, $4E, $C2, $B3, $03, $39,
$61, $26, $67, $A7, $F7, $16, $60, $D0, $4D, $47, $69, $49, $DB, $77, $6E, $3E,
$4A, $6A, $D1, $AE, $DC, $5A, $D6, $D9, $66, $0B, $DF, $40, $F0, $3B, $D8, $37,
$53, $AE, $BC, $A9, $C5, $9E, $BB, $DE, $7F, $CF, $B2, $47, $E9, $FF, $B5, $30,
$1C, $F2, $BD, $BD, $8A, $C2, $BA, $CA, $30, $93, $B3, $53, $A6, $A3, $B4, $24,
$05, $36, $D0, $BA, $93, $06, $D7, $CD, $29, $57, $DE, $54, $BF, $67, $D9, $23,
$2E, $7A, $66, $B3, $B8, $4A, $61, $C4, $02, $1B, $68, $5D, $94, $2B, $6F, $2A,
$37, $BE, $0B, $B4, $A1, $8E, $0C, $C3, $1B, $DF, $05, $5A, $8D, $EF, $02, $2D);
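{ Value of a single hex digit ('0'..'9', 'a'..'f', 'A'..'F').
  Returns False, leaving value untouched, for any other character. }
function HexDigitValue(c: Char; var value: Byte): Boolean;
begin
  Result := True;
  case c of
    '0'..'9': value := Ord(c) - Ord('0');
    'a'..'f': value := Ord(c) - Ord('a') + 10;
    'A'..'F': value := Ord(c) - Ord('A') + 10;
  else
    Result := False;
  end;
end;

{ One table-driven CRC-32 step, the same arithmetic the original inline
  asm performed:
    crc := table[(crc xor b) and $FF] xor (crc shr 8)
  `table` stores its 256 dword entries as little-endian bytes, so the entry
  is assembled from four consecutive bytes explicitly; this removes the
  dependency on 32-bit x86 BASM without changing any result. }
function Crc32Update(crc: LongWord; b: Byte): LongWord;
var
  ofs: Integer;
  entry: LongWord;
begin
  ofs := Integer((crc xor b) and $FF) * 4;
  entry := LongWord(table[ofs])
        or (LongWord(table[ofs + 1]) shl 8)
        or (LongWord(table[ofs + 2]) shl 16)
        or (LongWord(table[ofs + 3]) shl 24);
  Result := entry xor (crc shr 8);
end;

{ Compute the CRC-32 (initial value $FFFFFFFF, final NOT) of the bytes
  given as hex text in memo1 and show it as 8 hex digits in Edit1.
  Spaces, tabs and line breaks between digits are skipped so that text
  copied from a hex editor can be pasted as-is. Any other non-hex character,
  or a dangling odd digit, raises an Exception (the VCL shows it as a
  message box) instead of being silently decoded into a wrong value, which
  is what the original character arithmetic did. With no bytes at all the
  handler returns without touching Edit1, as before. }
procedure TForm1.Button1Click(Sender: TObject);
var
  hexText: string;
  i, byteCount: Integer;
  hi, nibble: Byte;
  haveHi: Boolean;
  crc: LongWord;
begin
  hexText := memo1.Text;
  crc := $FFFFFFFF;        // standard CRC-32 initial register value
  byteCount := 0;
  haveHi := False;
  hi := 0;
  nibble := 0;
  for i := 1 to Length(hexText) do
  begin
    if HexDigitValue(hexText[i], nibble) then
    begin
      if haveHi then
      begin
        // second digit of a pair completes one input byte
        crc := Crc32Update(crc, hi * 16 + nibble);
        Inc(byteCount);
      end
      else
        hi := nibble;
      haveHi := not haveHi;
    end
    else if not (hexText[i] in [' ', #9, #10, #13]) then
      raise Exception.CreateFmt('Invalid hex character at position %d', [i]);
  end;
  if haveHi then
    raise Exception.Create('Odd number of hex digits');
  if byteCount = 0 then
    Exit;
  Edit1.Text := IntToHex(not crc, 8);
end;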
注:不加密压缩时的文件格式
Markerblock
1.Head-CRC:Always 0x6152 (2bytes) —— 其实就是文件签名"Rar!\x1A\x07\x00"开头的"Ra"两个字节按小端读出来的值,并不是真正的CRC
2.Head-Type:Headertype=0x72(1byte)
3.Head-Flags:Always 0x1a21 (2bytes)
4.Head-Size:Blocksize=0x0007(2bytes)
Archive header
5.Head-CRC:CRC of fields Head-Type to Reserved2 (2bytes)
6.Head-Type:Header type=0x73(1byte)
7.Head-Flags(2bytes)
Bit flags:
0x0001=Archive volume
0x0002=Archive comment present RAR3.x uses the separate comment block and does not set this flag.
0x0004=Archive lock attribute
0x0008=Solid attribute
0x0010=New volume naming scheme
0x0020=Authenticity information present RAR3.x does not set this flag.
0x0040=Recovery record present
0x0080=Block headers are encrypted
0x0100=First volume (set only by RAR3.x).
Other bits in Head-Flags are reserved for internaluse.
8.Head-Size
9.Reserved1
10.Reserved2
Fileheader
11.Head-CRC:CRC of fields fromHead-Type toFile-Name (2bytes)
12.Head-Type:Headertype=0x74(1byte)
13.Head-Flags:Bitflags(2bytes)
14.Head-Size:File header full size including the filename and comments (2bytes)
15.Compressed-Size(4bytes)
16.Uncompressed-Size(4bytes)
17.Host-Operating-System:Operating system used for archiving (1byte)
18.File-CRC:(4bytes)
19.Date&Time: Date&time in standard MSDOS format (4bytes)
20.RAR-Version(1byte)
21.Packing-Method(1byte)
22.File-Name-Size(2bytes)
23. File-Attributes:文件属性(4bytes)。Windows下普通文件通常是0x00000020(FILE_ATTRIBUTE_ARCHIVE),所以看起来像固定值,但它随文件属性变化,并不是常量
24. File-Name
知道这些,你就可以手工打造自己的rar压缩文件了,最好的用途就是开发rar辅助压缩软件,将生成的rar文件中关键的数据加密修改,rar解密工具再厉害,它也是束手无策。因为解密工具毕竟是人编的,你可以把它耍的团团转,这样加密数据就更安全了。不过要说明一点:CRC32只是用来检测意外损坏的校验和,不是密码学意义上的完整性或认证机制,任何人都可以按本文的方法重新算出来;改动或"加密"文件头只是隐藏格式(security through obscurity),了解RAR格式的人照样能还原,真正的保护应当依赖RAR自身的加密配合足够强的口令,而不是头部混淆。存在错误难免,请大家批判的吸收! 天易love
2009-9-10