忍村DS里的口令19ds什么意思思?

来源:蜘蛛抓取(WebSpider) 时间:2012-08-13 10:27 标签: ds什么意思
强奸乱论2_李宗瑞午夜剧场合集_小峰由衣 肛_邓紫棋撞脸苍井空看雪安全论坛 -
算法分析是一种享受---IP-Tools中的密码学算法详细分析
(/index.php)
(/forumdisplay.php?f=4)
(/showthread.php?t=8226)
算法分析是一种享受---IP-Tools中的密码学算法详细分析&
官方主页:[url]http://www.ks-soft.net/[/url]
软件介绍:
集成了许多TCP/IP实用工具于一体,比如本地信息、连接信息、端口扫描、PING、TRACE、WHOIS、
FINGER、NSLOOKUP、Telnet客户端、NETBIOS信息、IP监视器等等
IP-Tools的功能确实非常强大,ks-soft公司的客户包括Adobe Systems Incorporated,Intel Corporation,IBM Corporation
等大公司,不知道是否这些公司也用IP-Tools,刚拿到这个软件的时候没想到它的算法会很复杂
随着分析的不断深入才发现自己对它用的算法却似乎没有见到过,这个算法具有良好的雪崩效应,以及扩散
和混乱,有一个单向陷门函数, 同时又具有一个密钥对,一个是加密密钥,另一个是解密密钥
它和RSA的大数运算很相似,注册码为640位,我想这种单向函数应该称为非对称算法的
单向函数,也就是说是公钥密码学和单向函数的混合加密.如果这个算法是作者自己设计和实现的,那么
我想他有一定的密码学知识,其注册码的验证很像中途攻击,有点碰撞的意思
呵呵,说多啦,开始我们的算法分析之旅吧
eXt |Cnbragon(Radio):Go go go !
----------------------------------------------------------------------------------------
PeID查看,无壳,Borland Delphi 4.0 - 5.0,Kanal 插件分析知有Base64,但可惜的是它并没有用在注册
算法当中,如果是Base64,那将会是件很容易的事,可事实并非如此,它只用在最后把用户名和注册码加密
后放入注册表中,这不是我们要研究的重点,不过你可以看看
HKCU\Software\KS-Soft\IP-Tools\UserName
HKCU\Software\KS-Soft\IP-Tools\UserSNum
Software\Microsoft\Windows\CurrentVersion\Devices\00102
&DATA5&=&...&
&DATA6&=&...&
程序在启动的时候会有自校验.当然会从上面的这个地方读出注册码再验证一遍
为了对付它,我动用了DeDe,IDA和Ollydbg (Desert Eagle,AK47/B43,AWP),当然Ollydbg是主武器(我是我们
队的sniper嘛,有空切磋切磋哦).通过DeDe的分析,可以很容易的断在注册处理的地方,如下
----------------------------------------------------------------------------------------
00509FF0 &&|.
E8 E3C0F2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
mov eax,dword ptr ss:[ebp-8]
lea edx,dword ptr ss:[ebp-4]
00509FFB &&|.
E8 88F4EFFF
call &IP_TOOLS.sub_409488&
-&sysutils.Trim(AnsiString):AnsiS
mov edx,dword ptr ss:[ebp-4]
mov eax,edi
E8 FEC0F2FF
call &IP_TOOLS.sub_436108&
-&controls.TControl.SetText(TCTCaption);
lea edx,dword ptr ss:[ebp-10]
mov eax,dword ptr ds:[esi]
0050A00F &&|.
8BB8 E8020000
mov edi,dword ptr ds:[eax+2E8]
*RxGIFAnimator1:TRxGIFAnimator
mov eax,edi
E8 BCC0F2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
mov eax,dword ptr ss:[ebp-10]
lea edx,dword ptr ss:[ebp-C]
E8 61F4EFFF
call &IP_TOOLS.sub_409488&
-&sysutils.Trim(AnsiString):AnsiS
mov edx,dword ptr ss:[ebp-C]
mov eax,edi
0050A02C &&|.
E8 D7C0F2FF
call &IP_TOOLS.sub_436108&
-&controls.TControl.SetText(TCTCaption);
lea edx,dword ptr ss:[ebp-14]
mov eax,dword ptr ds:[esi]
8B80 E4020000
mov eax,dword ptr ds:[eax+2E4]
*Label1:TLabel
0050A03C &&|.
E8 97C0F2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
mov eax,dword ptr ss:[ebp-14]
E8 E7A4FCFF
call &IP_TOOLS.sub_4D4530&
test al,al
je short &IP_TOOLS.loc_50A089&
68 E4A25000
push &IP_TOOLS.aSorryYourRegis&
ASCII &Sorry, your registration name (&
lea edx,dword ptr ss:[ebp-1C]
mov eax,dword ptr ds:[esi]
8B80 E4020000
mov eax,dword ptr ds:[eax+2E4]
*Label1:TLabel
0050A05D &&|.
E8 76C0F2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
push dword ptr ss:[ebp-1C]
68 0CA35000
push &IP_TOOLS.aIsFoundOnTheBl&
ASCII &) is found on the &Black List&.
68 38A35000
push &IP_TOOLS.aIfYouHaveAnyQu&
ASCII &If you have any questions, please, contact KS-Soft: [email]line1@ks-soft.net[/email]; [email]line2@ks-soft.net[/email]&
lea eax,dword ptr ss:[ebp-18]
上面是得到用户名并检查是否在黑名单中,黑名单N多:D
E8 28A2EFFF
call &IP_TOOLS.sub_4042A4&
-&system.@LStrCatN;
mov eax,dword ptr ss:[ebp-18]
0050A07F &&|.
E8 E448F5FF
call &IP_TOOLS.sub_45E968&
-&dialogs.ShowMessage(AnsiString);
E9 EF010000
jmp &IP_TOOLS.loc_50A278&
lea edx,dword ptr ss:[ebp-20]
loc_50A089
mov eax,dword ptr ds:[esi]
0050A08E &&|.
8B80 E4020000
mov eax,dword ptr ds:[eax+2E4]
*Label1:TLabel
E8 3FC0F2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
837D E0 00
cmp dword ptr ss:[ebp-20],0
0F84 CB010000
je &IP_TOOLS.loc_50A26E&
lea edx,dword ptr ss:[ebp-24]
mov eax,dword ptr ds:[esi]
8B80 E8020000
mov eax,dword ptr ds:[eax+2E8]
*RxGIFAnimator1:TRxGIFAnimator
0050A0AE &&|.
E8 25C0F2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
837D DC 00
cmp dword ptr ss:[ebp-24],0
0F84 B1010000
je &IP_TOOLS.loc_50A26E&
lea edx,dword ptr ss:[ebp-28]
mov eax,dword ptr ds:[esi]
8B80 E4020000
mov eax,dword ptr ds:[eax+2E4]
*Label1:TLabel
E8 0BC0F2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
mov eax,dword ptr ss:[ebp-28]
E8 67C0FEFF
call &IP_TOOLS.sub_4F613C&
-&:TDebugForm._PROC_004F613C()
mov edi,eax
上面这个call是对用户名进行加密处理
lea edx,dword ptr ss:[ebp-2C]
mov eax,dword ptr ds:[esi]
0050A0DC &&|.
8B80 E8020000
mov eax,dword ptr ds:[eax+2E8]
*RxGIFAnimator1:TRxGIFAnimator
E8 F1BFF2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
mov eax,dword ptr ss:[ebp-2C]
0050A0EA &&|.
E8 E9C0FEFF
call &IP_TOOLS.sub_4F61D8&
-&:TDebugForm._PROC_004F61D8()
上面这个call是对注册码进行解密处理
jnz &IP_TOOLS.loc_50A26E&
A1 9CA95400
mov eax,dword ptr ds:[54A99C]
BA FF010000
mov edx,1FF
E8 19C0FEFF
call &IP_TOOLS.HashToInt& 得到的640位大数进行处理,这个是用户名的
mov edi,eax
A1 20A85400
mov eax,dword ptr ds:[54A820]
BA FF010000
mov edx,1FF
E8 08C0FEFF
call &IP_TOOLS.HashToInt& 得到的640位大数进行处理,这个是注册码的
cmp edi,eax
结果相同吗?不同就出错,相同就继续检验
0F85 4E010000
jnz &IP_TOOLS.loc_50A26E&
A1 9CA95400
mov eax,dword ptr ds:[54A99C]
mov eax,dword ptr ds:[eax]
8B15 20A85400
mov edx,dword ptr ds:[54A820]
IP_TOOLS.0054CB00
cmp eax,dword ptr ds:[edx]这里
jnz &IP_TOOLS.loc_50A26E&
lea edx,dword ptr ss:[ebp-30]
mov eax,dword ptr ds:[esi]
8B80 E4020000
mov eax,dword ptr ds:[eax+2E4]
*Label1:TLabel
E8 8DBFF2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
mov edx,dword ptr ss:[ebp-30]
A1 C4AB5400
mov eax,dword ptr ds:[54ABC4]
E8 609EEFFF
call &IP_TOOLS.sub_403FB8&
-&system.@LStrA
lea edx,dword ptr ss:[ebp-34]
mov eax,dword ptr ds:[esi]
0050A15D &&|.
8B80 E8020000
mov eax,dword ptr ds:[eax+2E8]
*RxGIFAnimator1:TRxGIFAnimator
E8 70BFF2FF
call &IP_TOOLS.sub_4360D8&
-&controls.TControl.GetText(TControl):TC
mov edx,dword ptr ss:[ebp-34]
A1 64A85400
mov eax,dword ptr ds:[54A864]
E8 439EEFFF
call &IP_TOOLS.sub_403FB8&
-&system.@LStrA
mov eax,ebx
E8 B0F9FFFF
call &IP_TOOLS.sub_509B2C&
B8 9CA35000
mov eax,&IP_TOOLS.aThankYouForReg&
ASCII &Thank you for registering IP-Tools.
Please, restart the program.&
E8 E247F5FF
call &IP_TOOLS.sub_45E968&
-&dialogs.ShowMessage(AnsiString);
A1 E0634500
mov eax,dword ptr ds:[&off_4563E0&]
0050A18D &&|.
E8 BAC3F4FF
call &IP_TOOLS.sub_45654C&
-&registry.TRegistry.Create(TRboolean);
mov ebx,eax
BA E8A35000
mov edx,&IP_TOOLS.aSoftwareKsSo_3&
ASCII &\Software\KS-Soft\IP-Tools&
mov eax,ebx
0050A19D &&|.
E8 CAC5F4FF
call &IP_TOOLS.sub_45676C&
-&registry.TRegistry.OpenKey(TRAnsiSBoolean):B
A1 C4AB5400
mov eax,dword ptr ds:[54ABC4]
mov eax,dword ptr ds:[eax]
E8 36A0EFFF
call &IP_TOOLS.sub_4041E4&
-&system.@LStrLen:I&+&
lea edx,dword ptr ss:[ebp-38]
E8 1EA9FCFF
call &IP_TOOLS.sub_4D4AD4&
mov ecx,dword ptr ss:[ebp-38]
下面就是用Base64把UserName和UserNum存入注册表
BA 0CA45000
mov edx,&IP_TOOLS.aUsername_1&
ASCII &UserName&
mov eax,ebx
E8 43CAF4FF
call &IP_TOOLS.sub_456C08&
-&registry.TRegistry.WriteString(TRAnsiSAnsiString);
A1 64A85400
mov eax,dword ptr ds:[54A864]
mov eax,dword ptr ds:[eax]
0050A1CC &&|.
E8 13A0EFFF
call &IP_TOOLS.sub_4041E4&
-&system.@LStrLen:I&+&
lea edx,dword ptr ss:[ebp-3C]
E8 FBA8FCFF
call &IP_TOOLS.sub_4D4AD4&
mov ecx,dword ptr ss:[ebp-3C]
BA 20A45000
mov edx,&IP_TOOLS.aUsersnum&
ASCII &UserSNum&
....................................
---------------------------------------------------------------------------------------------------------------------------
E8 67C0FEFF
call &IP_TOOLS.sub_4F613C&
004F613C &&/$
sub_4F613C
mov ebp,esp
81C4 FCFDFFFF
add esp,-204
mov dword ptr ss:[ebp-4],eax
mov eax,dword ptr ss:[ebp-4]
E8 47E2F0FF
call &IP_TOOLS.sub_404398&
xor eax,eax
68 C9614F00
push &IP_TOOLS.loc_4F61C9&
push dword ptr fs:[eax]
mov dword ptr fs:[eax],esp
---------------------------------------------------------------------
把用户名的长度送给ebx,如果长度大于64的话就以64来计算
mov eax,dword ptr ss:[ebp-4]
E8 7DE0F0FF
call &IP_TOOLS.sub_4041E4&
cmp eax,40
jle short &IP_TOOLS.loc_4F6173&
mov ebx,40
jmp short &IP_TOOLS.loc_4F617D&
004F6173 &&|&
mov eax,dword ptr ss:[ebp-4]
loc_4F6173
E8 69E0F0FF
call &IP_TOOLS.sub_4041E4&
mov ebx,eax
004F617D &&|&
lea eax,dword ptr ss:[ebp-4]
loc_4F617D
E8 2FE2F0FF
call &IP_TOOLS.sub_4043B4&
8D95 FCFDFFFF
lea edx,dword ptr ss:[ebp-204]
mov ecx,ebx
E8 62C8F0FF
call &IP_TOOLS.sub_4029F4&
8D85 FCFDFFFF
lea eax,dword ptr ss:[ebp-204]
/Arg5 pointer to name
68 00C95400
push IP_TOOLS.
|Arg3 namelen
push IP_TOOLS.
push IP_TOOLS.
公钥,用于加密
E8 3C060000
call &IP_TOOLS.sub_4F67EA& \IP_TOOLS.004F67EA
movsx eax,al
处的固定参数为一个长度为2的WORD数组,WORD constants={0x8};
处的公钥是一个640位的大数,在内存中表示如下:
--------------------------------------------------------------------------
A1 8B 33 A7 FA CE 05 97 99 EA 8F 95 AD 8E F5 7C
09 D6 3B F3 85 6D CC EA 56 FE 14 FE 22 FB 86
???m剃V???
F7 A5 2F 00 C5 86 78 3B 05 DA CE 9E 8E 40 10 E5
鳐/.?x;谖?@
6F E2 71 80 47 99 C7 60 85 DE 1B 1D E9 EB 9D
wo怦??`?殡
C2 7E 40 40 91 EB 2A 38 C9 BB C2 EC EC 79 C9
y漫@@?*8苫蚂禊
--------------------------------------------------------------------------
这个公钥将用于大数运算,是以一个WORD为单位
arg4=用于存放对用户名处理的结果
上面是用户名的,再来看看注册码的
-----------------------------------------------------------------------------------------------
004F61D8 &&/$
sub_4F61D8
mov ebp,esp
81C4 FCFDFFFF
add esp,-204
mov dword ptr ss:[ebp-4],eax
mov eax,dword ptr ss:[ebp-4]
E8 ABE1F0FF
call &IP_TOOLS.sub_404398&
xor eax,eax
68 52624F00
push &IP_TOOLS.loc_4F6252&
push dword ptr fs:[eax]
mov dword ptr fs:[eax],esp
8D95 FCFDFFFF
lea edx,dword ptr ss:[ebp-204]
B9 FF010000
mov ecx,1FF
mov eax,dword ptr ss:[ebp-4]
E8 62FEFFFF
call &IP_TOOLS.sub_4F6070&
8D85 FCFDFFFF
lea eax,dword ptr ss:[ebp-204]
Arg5 pointer to sn
68 00CB5400
push IP_TOOLS.0054CB00
Arg4 存放结果
mov eax,dword ptr ss:[ebp-4]
E8 C2DFF0FF
call &IP_TOOLS.sub_4041E4&
jns short &IP_TOOLS.loc_4F6229&
004F6229 &&|&
|Arg3 snlen
push IP_TOOLS.
push IP_TOOLS.
私钥,用于解密
E8 B1050000
call &IP_TOOLS.sub_4F67EA& \IP_TOOLS.004F67EA
movsx ebx,al
处是另外一组固定参数,但是它是一个40个WORD数组,在内存中表示如下:
CD 4D 02 EB CD B6 98 A2 DF FF 2E C3 42 FD 4B 24
屯胪?⑦?寐?$
C 65 47 3D 3B 12 58 58 B7 0A 03 E9 78 C2 C3 97
leG=;XX?轼旅
D4 D9 7E 06 7B A5 71 FA 32 40 3D 84 75 89 C0
R再~{ヱ?@=??
2E F8 08 B4 8D 26 DB 03 55 EE C1 DE 0D BC F3
5.??&?U盍?俭
DC A9 D1 9B D2 11 63 DE 34 B2 F5 EB B9 0F 1B
G堠??c?蝉牍
----------------------------------------------------------------------
--------------------------------------------------------------------
C3 C7 0E E6 7B AE 25 D9 5D 38 3A 43 A3 55 63
??纣?佥8:CUc
E 3A 09 34 AE 1F 8E C5 E8 BB D6 CD F1 EA 44 72
N:.4??杌滞耜Dr
B5 5F B3 35 1B 06 2C 22 9C 01 5C 8C DC AC 26 CA
颠?,&?\??
B 66 63 7A A7 3D E2 45 3A 10 EB AF 12 B6 ED 6B
Kfcz?馀:氙俄k
1F 65 44 FD FF E0 9B F2 B1 2C CA 43 71 5B E7
ueD??虮,拭q[
---------------------------------------------------------------------
虽然得到了两组数据,但是由于不知道具体的算法,所以还是要详细的分析其注册算法,对用户名和注册码的处理最终都调用了同一个call
但是却使用了不同的密钥和参数,所以我才称它为非对称算法;
--------------------------------------------------------------------------
004F67EA &&/$
sub_4F67EA
add esp,0C
/Arg4 公钥
push dword ptr ss:[ebp+C]
|Arg3 固定参数1
68 04CD5400
push IP_TOOLS.0054CD04
|Arg2 = 0054CD04 name
68 84CD5400
push IP_TOOLS.0054CD84
|Arg1 = 0054CD84 存放结果
E8 1B110000
call &IP_TOOLS.sub_4F794D& \IP_TOOLS.004F794D
add esp,10
上面这个是关键call,其它的都无关紧要
E8 6EF6FFFF
call &IP_TOOLS.sub_4F70A3& \IP_TOOLS.004F70A3 生成16个子密钥
-----------------------------------------------------------------------------------------------------
004F70A3 &&/$
sub_4F70A3
mov ebp,esp
mov eax,dword ptr ss:[ebp+8]
BE 0C8C5400
mov esi,IP_TOOLS.00548C0C
mov dword ptr ds:[esi],eax
movsx edx,word ptr ds:[548408]
add edx,edx
add eax,edx
add eax,-2
mov cx,word ptr ds:[eax]
66:890D 508C5400
mov word ptr ds:[548C50],cx
mov ax,word ptr ds:[eax]
66:A3 728C5400
mov word ptr ds:[548C72],ax
66:BB 0100
004F70DA &&|&
/movsx eax,bx
loc_4F70DA
|push dword ptr ds:[esi+eax*4-4] /Arg2
|movsx edx,bx
|push dword ptr ds:[esi+edx*4] |Arg1
E8 8AFAFFFF
|call &IP_TOOLS.memcpy&
\IP_TOOLS.004F6B76
|add esp,8
|movsx ecx,bx
|push dword ptr ds:[esi+ecx*4] |Arg1
E8 27F9FFFF
|call &IP_TOOLS.SHL1&
\IP_TOOLS.004F6A23
----------------------------------------------------------------------------------------------------
004F6A23 &&/$
mov ebp,esp
对密钥们左移也就是变为2倍
但是这个密钥是672位的大数
我称之为subKey4name
mov ecx,dword ptr ss:[ebp+C]
mov eax,dword ptr ss:[ebp+8]
mov si,word ptr ds:[548408]
jmp short &IP_TOOLS.loc_4F6A51&
004F6A37 &&|&
66:8338 00
/cmp word ptr ds:[eax],0
loc_4F6A37
|and edx,1
|shl word ptr ds:[eax],1
|test cl,cl
|je short &IP_TOOLS.loc_4F6A4C&
66:8308 01
|or word ptr ds:[eax],1
004F6A4C &&|&
|mov ecx,edx
loc_4F6A4C
|add eax,2
004F6A51 &&|&
mov ebx,esi
loc_4F6A51
66:83C6 FF
|add si,0FFFF
|test bx,bx
\jnz short &IP_TOOLS.loc_4F6A37&
mov eax,edx
------------------------------------------------------------------------------------------------------
|add esp,8
|movsx eax,bx
|mov eax,dword ptr ds:[esi+eax*4]
|movsx edx,word ptr ds:[548408]
|add edx,edx
|add eax,edx
|add eax,-2
|movsx ecx,bx
|mov dx,word ptr ds:[eax]
66:800 |mov word ptr ds:[ecx*2+548C50],这是把子密钥的最高位放到548C50地址处
|sub eax,2
|movsx ecx,bx
|mov ax,word ptr ds:[eax]
66:800 |mov word ptr ds:[ecx*2+548C72],这是把子密钥的次高位放到548C72地址处
66:83FB 11
|cmp bx,11
\jl short &IP_TOOLS.loc_4F70DA&
xor eax,eax
-----------------------------------------------------------------
上面就要用到大数运算的知识了,可以参考坛子的&RSA与大数运算&,这里是一个672位的大数,我用了一个42个字的数组来表示这样一个大数
如下,比如说公钥:
#define Len 42
WORD wkey4name1[Len]={0x8BA1,0xA733,0xCEFA,0x9705,0xEA99,0x958F,0x8EAD,0x7CF5,
0xBD6,0x85F3,0xCC6D,0x56ea,0x14FE,0x22FE,0x86FB,
0xA5F7,0x002F,0x86C5,0x3B78,0xDA05,0x9ECE,0x408E,0xE510,
0x6F77,0x71E2,0x9,0xBDE,0xE91D,0x9DEB,
0xC279,0x407E,0xAEB,0xC938,0xC2BB,0xECEC,0xC979,
而左移运算根据对汇编的分析可以写出如下的C代码:
[COLOR=blue]
void WORDSHL(WORD source[],WORD dest[],int length)
DWORD result=0; //因为DWORD的存在所以比较成为可能
int carry=0;
//进位标志
for(j=0;j&j++)
result=(source[j]&&1);
if(result&0xFFFF)
dest[j]=(source[j]&&1);
dest[j]=(dest[j]|1); 加上进位
关于大数运算,我想那篇&RSA与大数运算&确实不错,兄弟们一定要看看
------------------------------------------------------------------------------------------
生成子密钥后
bx初始化为0x8000
test bx,bx
jnz short &IP_TOOLS.loc_4F7AFE&
66:BB 0080
mov bx,8000
jmp short &IP_TOOLS.loc_4F7AFE&
004F7AA6 &&|&
/loc_4F7AA6
8D85 78FFFFFF
|lea eax,dword ptr ss:[ebp-88] |
E8 8BF6FFFF
|call &IP_TOOLS.kernel&
\IP_TOOLS.004F713F 核心Function
|add esp,0C
8D95 78FFFFFF
|lea edx,dword ptr ss:[ebp-88]
E8 B2F0FFFF
|call &IP_TOOLS.memcpy&
\IP_TOOLS.004F6B76
|add esp,8
把上面计算出来的结果存入esi
|test word ptr ds:[edi],bx这里edi就指向固定参数1
|je short &IP_TOOLS.loc_4F7AEF&和bx相与不为0的话就再做一次
|push dword ptr ss:[ebp+C] /Arg3
8D8D 78FFFFFF
|lea ecx,dword ptr ss:[ebp-88] |
E8 63F6FFFF
|call &IP_TOOLS.kernel&
\IP_TOOLS.004F713F
|add esp,0C
8D85 78FFFFFF
|lea eax,dword ptr ss:[ebp-88]
E8 8AF0FFFF
|call &IP_TOOLS.memcpy&
\IP_TOOLS.004F6B76
|add esp,8
004F7AEF &&|&
loc_4F7AEF
|test bx,bx
一轮共16次循环
|jnz short &IP_TOOLS.loc_4F7AFE&
66:BB 0080
|mov bx,8000
|sub edi,2
004F7AFE &&|&
mov eax,dword ptr ss:[ebp-4]
这里是0x1F, 这好像也是一个不变的量
8345 FC FF
|add dword ptr ss:[ebp-4],-1
|test eax,eax
\jnz short &IP_TOOLS.loc_4F7AA6&
8D95 78FFFFFF
lea edx,dword ptr ss:[ebp-88] |
E8 85F0FFFF
call &IP_TOOLS.memset&
\IP_TOOLS.004F6B9C
------------------------------------------------------------------------------------------------------
E8 8BF6FFFF
|call &IP_TOOLS.kernel&
\IP_TOOLS.004F713F
004F713F &&/$
sub_4F713F
mov ebp,esp
add esp,-8
mov edi,dword ptr ss:[ebp+10]
mov ebx,dword ptr ss:[ebp+8]
push dword ptr ss:[ebp+C]
push IP_TOOLS.
E8 07FFFFFF
call &IP_TOOLS.sub_4F7062& \IP_TOOLS.004F7062
----------------------------------------------------------------------------------------------------
004F7062 &&/$
这里是对消息进行处理
mov ebp,esp
生成16个大数我称之为
SubKey4Key
mov esi,dword ptr ss:[ebp+8]
mov eax,dword ptr ss:[ebp+C]
mov dword ptr ds:[esi],eax
66:BB 0100
004F7073 &&|&
/movsx eax,bx
loc_4F7073
|push dword ptr ds:[esi+eax*4-4] /Arg2
|movsx edx,bx
|push dword ptr ds:[esi+edx*4] |Arg1
E8 F1FAFFFF
|call &IP_TOOLS.memcpy&
\IP_TOOLS.004F6B76
|add esp,8
|movsx ecx,bx
|push dword ptr ds:[esi+ecx*4] |Arg1
E8 8EF9FFFF
|call &IP_TOOLS.SHL1&
\IP_TOOLS.004F6A23
|add esp,8
66:83FB 10
|cmp bx,10
\jl short &IP_TOOLS.loc_4F7073&
-------------------------------------------------------------------------------------------------
movsx eax,word ptr ds:[548408]
add eax,eax
add eax,ebx
add eax,-2
mov dword ptr ss:[ebp-4],eax
mov esi,dword ptr ss:[ebp-4]
E8 1FFAFFFF
call &IP_TOOLS.memset&
\IP_TOOLS.004F6B9C
把存放结果的地方清零
E8 45FAFFFF
call &IP_TOOLS.sub_4F6BCB& \IP_TOOLS.004F6BCB
66:8945 FA
mov word ptr ss:[ebp-6],ax
66:837D FA 00
cmp word ptr ss:[ebp-6],0
jnz short &IP_TOOLS.loc_4F7199&
xor eax,eax
E9 2A070000
jmp &IP_TOOLS.loc_4F78C3&
004F7199 &&|&
movsx edx,word ptr ss:[ebp-6]
loc_4F7199
add edx,edx
add edi,edx
add edi,-2
jmp &IP_TOOLS.loc_4F78AF&
004F71A9 &&|&
/loc_4F71A9
E8 7DFEFFFF
|call &IP_TOOLS.sub_4F702C& \IP_TOOLS.004F702C
上面这个call起到了把数组元素后移的作用
--------------------------------------------------------------------------
[COLOR=blue]
void F702C(WORD w[Len])
for(int i=Li&0;--i)
bx=w[i-1];
-----------------------------------------------------------------------------
F647 01 80
|test byte ptr ds:[edi+1],80消息的最后一个字节和80进行与不为0就加上
|je short &IP_TOOLS.loc_4F71C7&subKey4key的最后一个key
|push dword ptr ds:[549450] |Arg2 =
E8 C5F7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
--------------------------------------------------------------------------------------------
004F6989 &&/$
这是AddHash函数
mov ebp,esp
mov eax,dword ptr ss:[ebp+10]Arg3 经过分析发现这个Arg3是进位标志
mov ecx,dword ptr ss:[ebp+C]Arg2 加数
mov edx,dword ptr ss:[ebp+8]Arg1 0012EA20被 加数结果也存在这里
mov si,word ptr ds:[A
jmp short &IP_TOOLS.loc_4F69C6&
004F69A1 &&|&
/movzx ebx,word ptr ds:[edx]ebx=DWORD(result[i])
|movzx edi,word ptr ds:[ecx]edi=DWORD(key16[i])
|add ebx,edi
25 FF000000
|and eax,0FF
eax&=0xFF,如果eax=1,则结果为1,否则为0
|add ebx,eax
|mov eax,ebx
|add ecx,2
下一个WORD
|mov word ptr ds:[edx],ax 把结果的清零的地方=WORD(result[i])
|add edx,2
保存结果的地方也+2
|test eax,10000
相加的结果和10000相与
如果不等于0的话al=1
|and eax,1
eax=1或者eax=0
004F69C6 &&|&
|mov ebx,esi
66:83C6 FF
|add si,0FFFF
|test bx,bx
\jnz short &IP_TOOLS.loc_4F69A1&
-----------------------------------------------------------------------------------------------------------------
我写的C代码,大数加法
[COLOR=blue]
void AddHash(WORD result[],WORD subkey[],int carry)
DWORD ebx,
for(int i=0;i&Li++)
ebx=DWORD(result[i]);
edi=DWORD(subkey[i]);
carry=(carry&0xFF);
result[i]=WORD(ebx);
if((ebx&0x10000)!=0)
carry=(carry&1);
---------------------------------------------------------------------------------------------------
|add esp,0C
004F71C7 &&|&
F647 01 40
|test byte ptr ds:[edi+1],40
loc_4F71C7
|je short &IP_TOOLS.loc_4F71DE&
FF35 4C945400
|push dword ptr ds:[54944C] |Arg2 =
E8 AEF7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F71DE &&|&
F647 01 20
|test byte ptr ds:[edi+1],20
loc_4F71DE
|je short &IP_TOOLS.loc_4F71F5&
|push dword ptr ds:[549448] |Arg2 =
E8 97F7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F71F5 &&|&
F647 01 10
|test byte ptr ds:[edi+1],10
loc_4F71F5
|je short &IP_TOOLS.loc_4F720C&
|push dword ptr ds:[549444] |Arg2 =
E8 80F7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F720C &&|&
F647 01 08
|test byte ptr ds:[edi+1],8
loc_4F720C
|je short &IP_TOOLS.loc_4F7223&
|push dword ptr ds:[549440] |Arg2 =
E8 69F7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F7223 &&|&
F647 01 04
|test byte ptr ds:[edi+1],4
loc_4F7223
|je short &IP_TOOLS.loc_4F723A&
FF35 3C945400
|push dword ptr ds:[54943C] |Arg2 =
E8 52F7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F723A &&|&
F647 01 02
|test byte ptr ds:[edi+1],2
loc_4F723A
|je short &IP_TOOLS.loc_4F7251&
|push dword ptr ds:[549438] |Arg2 =
E8 3BF7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F7251 &&|&
F647 01 01
|test byte ptr ds:[edi+1],1
loc_4F7251
|je short &IP_TOOLS.loc_4F7268&
|push dword ptr ds:[549434] |Arg2 =
E8 24F7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F7268 &&|&
|test byte ptr ds:[edi],80
loc_4F7268
|je short &IP_TOOLS.loc_4F727E&
|push dword ptr ds:[549430] |Arg2 = 00548F94
E8 0EF7FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F727E &&|&
|test byte ptr ds:[edi],40
loc_4F727E
|je short &IP_TOOLS.loc_4F7294&
FF35 2C945400
|push dword ptr ds:[54942C] |Arg2 = 00548F14
E8 F8F6FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F7294 &&|&
|test byte ptr ds:[edi],20
loc_4F7294
|je short &IP_TOOLS.loc_4F72AA&
|push dword ptr ds:[549428] |Arg2 = 00548E94
E8 E2F6FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F72AA &&|&
|test byte ptr ds:[edi],10
loc_4F72AA
|je short &IP_TOOLS.loc_4F72C0&
|push dword ptr ds:[549424] |Arg2 = 00548E14
E8 CCF6FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F72C0 &&|&
|test byte ptr ds:[edi],8
loc_4F72C0
|je short &IP_TOOLS.loc_4F72D6&
|push dword ptr ds:[549420] |Arg2 = 00548D94
E8 B6F6FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F72D6 &&|&
|test byte ptr ds:[edi],4
loc_4F72D6
|je short &IP_TOOLS.loc_4F72EC&
FF35 1C945400
|push dword ptr ds:[54941C] |Arg2 = 00548D14
E8 A0F6FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F72EC &&|&
|test byte ptr ds:[edi],2
loc_4F72EC
|je short &IP_TOOLS.loc_4F7302&
|push dword ptr ds:[549418] |Arg2 = 00548C94
E8 8AF6FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F7302 &&|&
|test byte ptr ds:[edi],1
loc_4F7302
|je short &IP_TOOLS.loc_4F7318&
|push dword ptr ds:[549414] |Arg2 = 0054CD84 ASCII &Cnbragon&
E8 74F6FFFF
|call &IP_TOOLS.AddHash&
\IP_TOOLS.004F6989
|add esp,0C
004F7318 &&|&
|mov ecx,dword ptr ss:[ebp-4]
从这里开始是把上面Add的结果的最高位和
|mov ax,word ptr ds:[ecx]
SubKey4name的最高位比较,次高位和次高位比较
66:2B05 708C5400
|sub ax,word ptr ds:[548C70]如果比SubKey4name的大就把结果减去那个SubKey4name
|test ax,ax
|jg short &IP_TOOLS.loc_4F735B&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F736C&
|mov dx,word ptr ds:[esi]
66:3B15 928C5400
|cmp dx,word ptr ds:[548C92]
|ja short &IP_TOOLS.loc_4F735B&
|mov cx,word ptr ds:[esi]
66:3B0D 928C5400
|cmp cx,word ptr ds:[548C92]
|jnz short &IP_TOOLS.loc_4F736C&
FF35 4C8C5400
|push dword ptr ds:[548C4C] /Arg2 = 00548B8A
E8 54F7FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F736C&
004F735B &&|&
/loc_4F735B
FF35 4C8C5400
|push dword ptr ds:[548C4C] |Arg2 = 00548B8A
E8 6DF6FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
----------------------------------------------------------------------------------------------------
004F69D6 &&/$
mov ebp,esp
mov eax,dword ptr ss:[ebp+10]
mov ecx,dword ptr ss:[ebp+C]
mov edx,dword ptr ss:[ebp+8]
mov si,word ptr ds:[548408]
jmp short &IP_TOOLS.loc_4F6A13&
004F69EE &&|&
/movzx ebx,word ptr ds:[edx]
|movzx edi,word ptr ds:[ecx]
|sub ebx,edi ebx-=
25 FF000000
|and eax,0FF eax&=0xff
|sub ebx,eax ebx-=
|mov eax,ebx eax=ebx
|add ecx,2
|mov word ptr ds:[edx],ax=WORD(eax)
|add edx,2
|test eax,10000if(eax&0x10000)
如果不等于0就置al=1
|and eax,1
004F6A13 &&|&
mov ebx,esi
66:83C6 FF
|add si,0FFFF
|test bx,bx
\jnz short &IP_TOOLS.loc_4F69EE&
-----------------------------------------------------------------------------------------
我写的C代码,672位的大数减法
[COLOR=blue]
void SubHash(WORD result[],WORD subkey[],int carry)
DWORD ebx,
for(int i=0;i&Li++)
ebx=DWORD(result[i]);
edi=DWORD(subkey[i]);
carry=(carry&0xFF);
result[i]=WORD(ebx);
if((ebx&0x10000)!=0)
carry=(carry&1);
------------------------------------------------------------------------------------------
|add esp,0C
004F736C &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F736C
|mov ax,word ptr ds:[eax]
66:2B05 6E8C5400
|sub ax,word ptr ds:[548C6E]
|test ax,ax
|jg short &IP_TOOLS.loc_4F73AF&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F73C0&
|mov dx,word ptr ds:[esi]
66:3B15 908C5400
|cmp dx,word ptr ds:[548C90]
|ja short &IP_TOOLS.loc_4F73AF&
|mov cx,word ptr ds:[esi]
66:3B0D 908C5400
|cmp cx,word ptr ds:[548C90]
|jnz short &IP_TOOLS.loc_4F73C0&
FF35 488C5400
|push dword ptr ds:[548C48] /Arg2 = 00548B0A
E8 00F7FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F73C0&
004F73AF &&|&
/loc_4F73AF
FF35 488C5400
|push dword ptr ds:[548C48] |Arg2 = 00548B0A
E8 19F6FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F73C0 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F73C0
|mov ax,word ptr ds:[eax]
66:2B05 6C8C5400
|sub ax,word ptr ds:[548C6C]
|test ax,ax
|jg short &IP_TOOLS.loc_4F7403&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7414&
|mov dx,word ptr ds:[esi]
66:3B15 8E8C5400
|cmp dx,word ptr ds:[548C8E]
|ja short &IP_TOOLS.loc_4F7403&
|mov cx,word ptr ds:[esi]
66:3B0D 8E8C5400
|cmp cx,word ptr ds:[548C8E]
|jnz short &IP_TOOLS.loc_4F7414&
FF35 448C5400
|push dword ptr ds:[548C44] /Arg2 = 00548A8A
E8 ACF6FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7414&
004F7403 &&|&
/loc_4F7403
FF35 448C5400
|push dword ptr ds:[548C44] |Arg2 = 00548A8A
E8 C5F5FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7414 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7414
|mov ax,word ptr ds:[eax]
66:2B05 6A8C5400
|sub ax,word ptr ds:[548C6A]
|test ax,ax
|jg short &IP_TOOLS.loc_4F7457&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7468&
|mov dx,word ptr ds:[esi]
66:3B15 8C8C5400
|cmp dx,word ptr ds:[548C8C]
|ja short &IP_TOOLS.loc_4F7457&
|mov cx,word ptr ds:[esi]
66:3B0D 8C8C5400
|cmp cx,word ptr ds:[548C8C]
|jnz short &IP_TOOLS.loc_4F7468&
FF35 408C5400
|push dword ptr ds:[548C40] /Arg2 = 00548A0A
E8 58F6FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7468&
004F7457 &&|&
/loc_4F7457
FF35 408C5400
|push dword ptr ds:[548C40] |Arg2 = 00548A0A
E8 71F5FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7468 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7468
|mov ax,word ptr ds:[eax]
66:2B05 688C5400
|sub ax,word ptr ds:[548C68]
|test ax,ax
|jg short &IP_TOOLS.loc_4F74AB&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F74BC&
|mov dx,word ptr ds:[esi]
66:3B15 8A8C5400
|cmp dx,word ptr ds:[548C8A]
|ja short &IP_TOOLS.loc_4F74AB&
|mov cx,word ptr ds:[esi]
66:3B0D 8A8C5400
|cmp cx,word ptr ds:[548C8A]
|jnz short &IP_TOOLS.loc_4F74BC&
FF35 3C8C5400
|push dword ptr ds:[548C3C] /Arg2 = 0054898A
E8 04F6FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F74BC&
004F74AB &&|&
/loc_4F74AB
FF35 3C8C5400
|push dword ptr ds:[548C3C] |Arg2 = 0054898A
E8 1DF5FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F74BC &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F74BC
|mov ax,word ptr ds:[eax]
66:2B05 668C5400
|sub ax,word ptr ds:[548C66]
|test ax,ax
|jg short &IP_TOOLS.loc_4F74FF&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7510&
|mov dx,word ptr ds:[esi]
66:3B15 888C5400
|cmp dx,word ptr ds:[548C88]
|ja short &IP_TOOLS.loc_4F74FF&
|mov cx,word ptr ds:[esi]
66:3B0D 888C5400
|cmp cx,word ptr ds:[548C88]
|jnz short &IP_TOOLS.loc_4F7510&
FF35 388C5400
|push dword ptr ds:[548C38] /Arg2 = 0054890A
E8 B0F5FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7510&
004F74FF &&|&
/loc_4F74FF
FF35 388C5400
|push dword ptr ds:[548C38] |Arg2 = 0054890A
E8 C9F4FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7510 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7510
|mov ax,word ptr ds:[eax]
66:2B05 648C5400
|sub ax,word ptr ds:[548C64]
|test ax,ax
|jg short &IP_TOOLS.loc_4F7553&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7564&
|mov dx,word ptr ds:[esi]
66:3B15 868C5400
|cmp dx,word ptr ds:[548C86]
|ja short &IP_TOOLS.loc_4F7553&
|mov cx,word ptr ds:[esi]
66:3B0D 868C5400
|cmp cx,word ptr ds:[548C86]
|jnz short &IP_TOOLS.loc_4F7564&
FF35 348C5400
|push dword ptr ds:[548C34] /Arg2 = 0054888A
E8 5CF5FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7564&
004F7553 &&|&
/loc_4F7553
FF35 348C5400
|push dword ptr ds:[548C34] |Arg2 = 0054888A
E8 75F4FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7564 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7564
|mov ax,word ptr ds:[eax]
66:2B05 628C5400
|sub ax,word ptr ds:[548C62]
|test ax,ax
|jg short &IP_TOOLS.loc_4F75A7&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F75B8&
|mov dx,word ptr ds:[esi]
66:3B15 848C5400
|cmp dx,word ptr ds:[548C84]
|ja short &IP_TOOLS.loc_4F75A7&
|mov cx,word ptr ds:[esi]
66:3B0D 848C5400
|cmp cx,word ptr ds:[548C84]
|jnz short &IP_TOOLS.loc_4F75B8&
FF35 308C5400
|push dword ptr ds:[548C30] /Arg2 = 0054880A
E8 08F5FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F75B8&
004F75A7 &&|&
/loc_4F75A7
FF35 308C5400
|push dword ptr ds:[548C30] |Arg2 = 0054880A
E8 21F4FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F75B8 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F75B8
|mov ax,word ptr ds:[eax]
66:2B05 608C5400
|sub ax,word ptr ds:[548C60]
|test ax,ax
|jg short &IP_TOOLS.loc_4F75FB&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F760C&
|mov dx,word ptr ds:[esi]
66:3B15 828C5400
|cmp dx,word ptr ds:[548C82]
|ja short &IP_TOOLS.loc_4F75FB&
|mov cx,word ptr ds:[esi]
66:3B0D 828C5400
|cmp cx,word ptr ds:[548C82]
|jnz short &IP_TOOLS.loc_4F760C&
FF35 2C8C5400
|push dword ptr ds:[548C2C] /Arg2 = 0054878A
E8 B4F4FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F760C&
004F75FB &&|&
/loc_4F75FB
FF35 2C8C5400
|push dword ptr ds:[548C2C] |Arg2 = 0054878A
E8 CDF3FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F760C &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F760C
|mov ax,word ptr ds:[eax]
66:2B05 5E8C5400
|sub ax,word ptr ds:[548C5E]
|test ax,ax
|jg short &IP_TOOLS.loc_4F764F&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7660&
|mov dx,word ptr ds:[esi]
66:3B15 808C5400
|cmp dx,word ptr ds:[548C80]
|ja short &IP_TOOLS.loc_4F764F&
|mov cx,word ptr ds:[esi]
66:3B0D 808C5400
|cmp cx,word ptr ds:[548C80]
|jnz short &IP_TOOLS.loc_4F7660&
FF35 288C5400
|push dword ptr ds:[548C28] /Arg2 = 0054870A
E8 60F4FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7660&
004F764F &&|&
/loc_4F764F
FF35 288C5400
|push dword ptr ds:[548C28] |Arg2 = 0054870A
E8 79F3FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7660 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7660
|mov ax,word ptr ds:[eax]
66:2B05 5C8C5400
|sub ax,word ptr ds:[548C5C]
|test ax,ax
|jg short &IP_TOOLS.loc_4F76A3&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F76B4&
|mov dx,word ptr ds:[esi]
66:3B15 7E8C5400
|cmp dx,word ptr ds:[548C7E]
|ja short &IP_TOOLS.loc_4F76A3&
|mov cx,word ptr ds:[esi]
66:3B0D 7E8C5400
|cmp cx,word ptr ds:[548C7E]
|jnz short &IP_TOOLS.loc_4F76B4&
FF35 248C5400
|push dword ptr ds:[548C24] /Arg2 = 0054868A
E8 0CF4FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F76B4&
004F76A3 &&|&
/loc_4F76A3
FF35 248C5400
|push dword ptr ds:[548C24] |Arg2 = 0054868A
E8 25F3FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F76B4 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F76B4
|mov ax,word ptr ds:[eax]
66:2B05 5A8C5400
|sub ax,word ptr ds:[548C5A]
|test ax,ax
|jg short &IP_TOOLS.loc_4F76F7&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7708&
|mov dx,word ptr ds:[esi]
66:3B15 7C8C5400
|cmp dx,word ptr ds:[548C7C]
|ja short &IP_TOOLS.loc_4F76F7&
|mov cx,word ptr ds:[esi]
66:3B0D 7C8C5400
|cmp cx,word ptr ds:[548C7C]
|jnz short &IP_TOOLS.loc_4F7708&
FF35 208C5400
|push dword ptr ds:[548C20] /Arg2 = 0054860A
E8 B8F3FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7708&
004F76F7 &&|&
/loc_4F76F7
FF35 208C5400
|push dword ptr ds:[548C20] |Arg2 = 0054860A
E8 D1F2FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7708 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7708
|mov ax,word ptr ds:[eax]
66:2B05 588C5400
|sub ax,word ptr ds:[548C58]
|test ax,ax
|jg short &IP_TOOLS.loc_4F774B&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F775C&
|mov dx,word ptr ds:[esi]
66:3B15 7A8C5400
|cmp dx,word ptr ds:[548C7A]
|ja short &IP_TOOLS.loc_4F774B&
|mov cx,word ptr ds:[esi]
66:3B0D 7A8C5400
|cmp cx,word ptr ds:[548C7A]
|jnz short &IP_TOOLS.loc_4F775C&
FF35 1C8C5400
|push dword ptr ds:[548C1C] /Arg2 = 0054858A
E8 64F3FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F775C&
004F774B &&|&
/loc_4F774B
FF35 1C8C5400
|push dword ptr ds:[548C1C] |Arg2 = 0054858A
E8 7DF2FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F775C &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F775C
|mov ax,word ptr ds:[eax]
66:2B05 568C5400
|sub ax,word ptr ds:[548C56]
|test ax,ax
|jg short &IP_TOOLS.loc_4F779F&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F77B0&
|mov dx,word ptr ds:[esi]
66:3B15 788C5400
|cmp dx,word ptr ds:[548C78]
|ja short &IP_TOOLS.loc_4F779F&
|mov cx,word ptr ds:[esi]
66:3B0D 788C5400
|cmp cx,word ptr ds:[548C78]
|jnz short &IP_TOOLS.loc_4F77B0&
FF35 188C5400
|push dword ptr ds:[548C18] /Arg2 = 0054850A
E8 10F3FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F77B0&
004F779F &&|&
/loc_4F779F
FF35 188C5400
|push dword ptr ds:[548C18] |Arg2 = 0054850A
E8 29F2FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F77B0 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F77B0
|mov ax,word ptr ds:[eax]
66:2B05 548C5400
|sub ax,word ptr ds:[548C54]
|test ax,ax
|jg short &IP_TOOLS.loc_4F77F3&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7804&
|mov dx,word ptr ds:[esi]
66:3B15 768C5400
|cmp dx,word ptr ds:[548C76]
|ja short &IP_TOOLS.loc_4F77F3&
|mov cx,word ptr ds:[esi]
66:3B0D 768C5400
|cmp cx,word ptr ds:[548C76]
|jnz short &IP_TOOLS.loc_4F7804&
FF35 148C5400
|push dword ptr ds:[548C14] /Arg2 = 0054848A
E8 BCF2FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7804&
004F77F3 &&|&
/loc_4F77F3
FF35 148C5400
|push dword ptr ds:[548C14] |Arg2 = 0054848A
E8 D5F1FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7804 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7804
|mov ax,word ptr ds:[eax]
66:2B05 528C5400
|sub ax,word ptr ds:[548C52]
|test ax,ax
|jg short &IP_TOOLS.loc_4F7847&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F7858&
|mov dx,word ptr ds:[esi]
66:3B15 748C5400
|cmp dx,word ptr ds:[548C74]
|ja short &IP_TOOLS.loc_4F7847&
|mov cx,word ptr ds:[esi]
66:3B0D 748C5400
|cmp cx,word ptr ds:[548C74]
|jnz short &IP_TOOLS.loc_4F7858&
FF35 108C5400
|push dword ptr ds:[548C10] /Arg2 = 0054840A
E8 68F2FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F7858&
004F7847 &&|&
/loc_4F7847
FF35 108C5400
|push dword ptr ds:[548C10] |Arg2 = 0054840A
E8 81F1FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F7858 &&|&
|mov eax,dword ptr ss:[ebp-4]
loc_4F7858
|mov ax,word ptr ds:[eax]
66:2B05 508C5400
|sub ax,word ptr ds:[548C50]
|test ax,ax
|jg short &IP_TOOLS.loc_4F789B&
|test ax,ax
|jnz short &IP_TOOLS.loc_4F78AC&
|mov dx,word ptr ds:[esi]
66:3B15 728C5400
|cmp dx,word ptr ds:[548C72]
|ja short &IP_TOOLS.loc_4F789B&
|mov cx,word ptr ds:[esi]
66:3B0D 728C5400
|cmp cx,word ptr ds:[548C72]
|jnz short &IP_TOOLS.loc_4F78AC&
FF35 0C8C5400
|push dword ptr ds:[548C0C] /Arg2 =
E8 14F2FFFF
|call &IP_TOOLS.sub_4F6AA7& \IP_TOOLS.004F6AA7
|add esp,8
|test ax,ax
|jl short &IP_TOOLS.loc_4F78AC&
004F789B &&|&
/loc_4F789B
FF35 0C8C5400
|push dword ptr ds:[548C0C] |Arg2 =
E8 2DF1FFFF
|call &IP_TOOLS.sub_4F69D6& \IP_TOOLS.004F69D6
|add esp,0C
004F78AC &&|&
|sub edi,2
loc_4F78AC
004F78AF &&|&
66:8B45 FA
mov ax,word ptr ss:[ebp-6]
这里是用户名的字长
66:8345 FA FF
|add word ptr ss:[ebp-6],0FFFF
|test ax,ax
|.^ 0F85 E8F8FFFF
\jnz &IP_TOOLS.loc_4F71A9&
xor eax,eax
-------------------------------------------------------------------------------------------------------
[COLOR=red]下面是我用C写的核心函数,称之为θ函数Y=θ(message)[/COLOR]
[COLOR=blue]void theta1(WORD message[Len])
WORD arg[8]={0x80,0x40,0x20,0x10,0x8,0x4,0x2,0x1};
MakeTempKey(message,subKey4Key,16);//根据消息生成子密钥这个是变化的
for(int i=0;i&Li++)
subKey4Key[0][i]=message[i];
memset(Result,0);
for(int l=0;l&Ll++)
if(message[l+1]==0x0000)
for(int t=l;t&=0;t--)
F702C(Result);
w=message[t];
whtemp=(w & 0xFF);
wltemp=(w &&8);
for(int i=0;i&8;i++)
function1(wltemp,arg[i],(15-i));
for(int j=0;j&8;j++)
function1(whtemp,arg[j],(7-j));
for(int s=16;s&=0;s--)
function2(s);
void function1(WORD arg1, WORD arg2, WORD arg3)
if(arg1 & arg2)
AddHash(Result,subKey4Key[arg3],0);
void function2(int n)
ax=Result[Len-1];
ax-=wHigh[n];
//这个是最高位
SubHash(Result,subKey4name[n],0);
else if(ax==0)
dx=Result[Len-2];
if(dx&wLow[n])
SubHash(Result,subKey4name[n],0);
else if(dx==wLow[n])
cx=F6AA7(subKey4name[n],Result);
SubHash(Result,subKey4name[n],0);
---------------------------------------------------------
比如:第一次以我的名子作为消息message,然后做θ运算,得到一个Hash,
然后把这个Hash作为下一次θ运算的message,也就是迭代运算,我的C代码如下:
MakeKey4PK(wkey4name,subKey4name,17);
//由公钥生成子密钥
for(int i=0;i&Li++)
subKey4name[0][i]=wkey4name[i];
memcpy(name,tempname,Len);
WORD arg[2]={0x0};
//固定参数1
WORD bx=0x4000;
for(int i=0;i&0x1f;i++)
theta1(tempname);
memcpy(Result,tempname,Len);
if((bx & v)==0)
bx=(bx&&1);
if(bx==0x0000)
bx=0x8000;
theta2(tempname,name);
memcpy(Result,tempname,Len);
----------------------------------------------------------------------------------
上面是对用户名的处理,总的来说就是用公钥和固定参数1对用户名进行加密0x1F轮,得到一个640位的大数,
以Cnbragon为例最终生成
DC 2C 08 4D CE 56 49 E8 FC 21 DE 66 33 32 FF
?M沃I椟!捩32?
D C9 06 B2 74 CC C7 F9 3F 6A 03 4E BD 70 6D 56
-?掺糖?jN金mV
E 44 2A E5 68 26 90 E1 3C 59 78 E1 CD 4C 00 DA
&D*彖&?&Yx嵬L.
67 4D 34 A5 F2 03 B1 6F 3B FD 9F AB 9B 50 7A
HgM4ヲ憋;??Pz
82 F9 00 17 9D F2 AC 45 DF 7E FD B7 0E 6C A9
P?.??唼?l
我称之为Cipher1,即Cipher1=f(Encryptkey,Arg1,0x1f,name)
---------------------------------------------------------------------------------
那么,程序是如何对注册码进行处理的呢?前面说过这是一个非对称算法,其加密和解密算法是一样的,只是参数不同
用私钥和固定参数2对注册码进行0x27C次处理,最终也得到一个640位的大数,
我称之为Cipher2,即Cipher2=f(Decryptkey,Arg2,0x27C,sn)
如果 HashToInt(Cipher1)=HashToInt(Cipher2)那么注册就成功!实际上也就是Cipher1=Cipher2
但是函数f是看起来是一个单向散列函数,把明文和密文混和在一起,并且依赖于密钥,因此其扩散和混乱效果很好,对其进行密码分析
有一定的难度,不过从对注册码的处理看来可以利用这个单向函数的碰撞来进行生成注册码,而且我们有解密密钥
因为我并不清楚这个算法的名称(可能是作者自己设计的),所以我无法一下子就知道是如何生成注册码,所以我对以上的几组参数进行了
EncryptKey和DecryptKey 可以作为一组
从分析来看固定参数1和0x1F一定是不可分开的
同样固定参数2和0x27C也是不可分开的,理由兄弟们可以自己分析一下,很有意思
所以在解密的时候我做了几组尝试,可惜都没有成功,幸运的是我静下心来仔细思考这其中的关系,根据经验我得出了这样一个函数
[COLOR=green] f(DecryptKey,Arg1,0x1F,(f(EncryptKey,Arg1,0x1F,name)))[/COLOR],也就是说先对用户名进行加密得到一个640位的大数,然后用解密密钥
和固定参数1,0x1F对这个640位的大数进行解密,最终我成功的得到了注册码!!
[COLOR=green]sn=f(DecryptKey,Arg1,0x1F,(f(EncryptKey,Arg1,0x1F,name)))
Enemy down!
后记:不难看出保密密钥的重要性,对于未知密码学算法,只要逆向出了算法,有了密钥我们就可以轻而易举的实现解密.在分析这个算法的
过程中偶始终感到对未知算法的分析充满乐趣,愿把我的乐趣和兄弟们一起分享
让我感到不爽的是我在10月28号的0day中发现了IP-Tools的TSZ的注册机:(
我把我写的注册机的部分源码打了包,我没有放编译好的注册机,在我的源码里只差用户名的输入部分我没有写,很容易的,兄弟们自己写吧
[URL=/upload/file/2004/12/keygen.rar_542.rar][COLOR=darkblue]附件:keygen.rar[/COLOR][/URL]
up,学习....
分析这软件断断续续有半个月的时间了吧,不容易。
置顶三天,以资鼓励
///////////
所以在解密的时候我做了几组尝试,可惜都没有成功,幸运的是我静下心来仔细思考这其中的关系,根据经验我得出了这个一个函数
[CODE] f(DecryptKey,Arg1,0x1F,(f(EncryptKey,Arg1,0x1F,name))) ,也就是说先对用户名进行加密得到一个640位的大数,然后用解密密钥
和固定参数1,0x1F对这个640位的大数进行解密,最终我成功的得到了注册码!!
///////////////////
是否类似的算法都可以用类似的方法搞定呢?有一个软件也是采用大数运算,但由于密码学知识缺乏,我一直没搞定。
cnbragon是干什么的?看样子对密码学相当了解么!
[QUOTE][i]最初由 kanxue 发布[/i]
[B]分析这软件断断续续有半个月的时间了吧,不容易。
置顶三天,以资鼓励 [/B][/QUOTE]
是啊,其实也不算是很复杂。
因为最近复习考试,所以零零散散的总算赶在精六前完成了:D
虽然偶是密码学白痴 但是还要帮龙大顶下!:D :D
超牛,不顶不行啊!
IP-Tools,这个软件到偶到是小用过。。。。
在没有看这篇破文之间,幸亏我没有动它。。。
支持!:eek: :eek: :eek:
: 10-27-2004
: Lord Blix
LANGUAGE : English
PROTECTION : [color=red]RSA-640[/color]
REL TYPE : Keygen
URL: [url]http://www./[/url]
谢谢BlowFish:D
可是这其中并没有C=m^e (mod n)这样的指数运算
因此只能说它是属于RSA密码体制中的一种变形算法。
不佩服也不行,真的很强!
cnbragon肯定CS打得不错。
请问你是什么专业?数学系?还是信息安全?
[QUOTE][i]最初由 firstrose 发布[/i]
[B]cnbragon肯定CS打得不错。
请问你是什么专业?数学系?还是信息安全? [/B][/QUOTE]
:D 有空上浩方切磋切磋啊
计算机专业:)
pendan2001
厉害啊?!!!!!!
所有时间均为北京时间, 现在的时间是 .
&&& 看雪学院()
| 提供带宽资源
|&微信公众帐号:
& 手机客户端:

我要回帖

更多关于 ds什么意思 的文章

 

随机推荐