2003-12-12, 02:59 AM  #1
Honorary Member
An introductory cryptography cracking example: BiSHoP's CrackMe4
Cracking BiSHoP's LockLess CrackMe4

A CrackMe I happened to find yesterday while tidying up my computer.

Author: BiSHoP
Difficulty: easy
Algorithm: MD5 + RSA130
Tools used:
 - My modified TRW2000 1.23 (this CrackMe contains anti-debugger code for SoftICE, TRW and the like; my modified build is not detected)
 - W32Dasm 10.0 (Killer's modified build; thanks, Killer)
 - RSATool 2.17 (tE!/[TMG]'s RSA tool, cool)
 - BigInt Calculator Pro 1.2 (thanks to Stkman/[CCG] for the KeyFile)

Run the CrackMe and enter the following:
Name: 娃娃
Organization: [CCG]
Registration Code: 38383838

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:00401544 8B3DCCB04000 mov edi, dword ptr [0040B0CC]
:0040154A 8D9424B0000000 lea edx, dword ptr [esp+000000B0]
:00401551 6A32 push 00000032
:00401553 52 push edx
:00401554 68EB030000 push 000003EB
:00401559 56 push esi
:0040155A FFD7 call edi
:0040155C 85C0 test eax, eax
:0040155E 7521 jne 00401581 ; checks whether the name length is 0; must jump
:00401560 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Name"
|
:00401562 6838C44000 push 0040C438

* Possible StringData Ref from Data Obj ->"Please enter a name."
|
:00401567 6820C44000 push 0040C420
:0040156C 56 push esi

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0040156D FF15D0B04000 Call dword ptr [0040B0D0]
:00401573 5F pop edi
:00401574 5E pop esi
:00401575 33C0 xor eax, eax
:00401577 5B pop ebx
:00401578 81C488010000 add esp, 00000188
:0040157E C21000 ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040155E(C)
|
:00401581 8D8424E8000000 lea eax, dword ptr [esp+000000E8]
:00401588 6A32 push 00000032
:0040158A 50 push eax
:0040158B 68EC030000 push 000003EC
:00401590 56 push esi
:00401591 FFD7 call edi
:00401593 85C0 test eax, eax
:00401595 7521 jne 004015B8 ; the organization length must not be 0; must jump
:00401597 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Company"
|
:00401599 6818C44000 push 0040C418

* Possible StringData Ref from Data Obj ->"Please enter company or organization."
|
:0040159E 68F0C34000 push 0040C3F0
:004015A3 56 push esi

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004015A4 FF15D0B04000 Call dword ptr [0040B0D0]
:004015AA 5F pop edi
:004015AB 5E pop esi
:004015AC 33C0 xor eax, eax
:004015AE 5B pop ebx
:004015AF 81C488010000 add esp, 00000188
:004015B5 C21000 ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401595(C)
|

* Reference To: KERNEL32.lstrcpyA, Ord:0000h
|
:004015B8 8B1D10B04000 mov ebx, dword ptr [0040B010]
:004015BE 8D8C24B0000000 lea ecx, dword ptr [esp+000000B0]
:004015C5 8D942420010000 lea edx, dword ptr [esp+00000120]
:004015CC 51 push ecx
:004015CD 52 push edx
:004015CE FFD3 call ebx
:004015D0 8D8424E8000000 lea eax, dword ptr [esp+000000E8]
:004015D7 8D8C24B0000000 lea ecx, dword ptr [esp+000000B0]
:004015DE 50 push eax ; EAX holds the name
:004015DF 51 push ecx ; ECX holds the organization

* Reference To: KERNEL32.lstrlenA, Ord:0000h
|
:004015E0 FF1578B04000 Call dword ptr [0040B078]
:004015E6 8D940424010000 lea edx, dword ptr [esp+eax+00000124]
:004015ED 52 push edx
:004015EE FFD3 call ebx ; lstrcpyA concatenates the name and the organization
:004015F0 8D44242C lea eax, dword ptr [esp+2C]
:004015F4 8D8C2420010000 lea ecx, dword ptr [esp+00000120]
:004015FB 50 push eax
:004015FC 51 push ecx
:004015FD E86EFBFFFF call 00401170 ; key Call (1)
:00401602 8D542434 lea edx, dword ptr [esp+34]
:00401606 52 push edx ; EDX holds the hash result; call it Temp for the analysis below
:00401607 E8F4F9FFFF call 00401000
:0040160C 83C40C add esp, 0000000C
:0040160F 8D442478 lea eax, dword ptr [esp+78]
:00401613 6A32 push 00000032
:00401615 50 push eax
:00401616 68ED030000 push 000003ED
:0040161B 56 push esi
:0040161C FFD7 call edi
:0040161E 85C0 test eax, eax
:00401620 7521 jne 00401643 ; checks whether the registration code length is 0; must jump
:00401622 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Registeration"
|
:00401624 68E0C34000 push 0040C3E0

* Possible StringData Ref from Data Obj ->"Please enter your registeration "
                                        ->"code."
|
:00401629 68B8C34000 push 0040C3B8
:0040162E 56 push esi

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0040162F FF15D0B04000 Call dword ptr [0040B0D0]
:00401635 5F pop edi
:00401636 5E pop esi
:00401637 33C0 xor eax, eax
:00401639 5B pop ebx
:0040163A 81C488010000 add esp, 00000188
:00401640 C21000 ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401620(C)
|
:00401643 8D4C2478 lea ecx, dword ptr [esp+78]
:00401647 51 push ecx ; ECX holds the registration code
:00401648 E843FAFFFF call 00401090 ; this call checks the registration code for illegal characters (valid set: 0123456789ABCDEF)
:0040164D 83C404 add esp, 00000004
:00401650 83F801 cmp eax, 00000001 ; EAX is a flag: 0 if the registration code contains an illegal character
:00401653 7526 jne 0040167B ; must not jump
:00401655 8D542450 lea edx, dword ptr [esp+50]
:00401659 8D442478 lea eax, dword ptr [esp+78]
:0040165D 52 push edx
:0040165E 50 push eax ; EAX = registration code
:0040165F E86CFAFFFF call 004010D0 ; key Call (2)
:00401664 83C408 add esp, 00000008
:00401667 8D4C242C lea ecx, dword ptr [esp+2C]
:0040166B 8D542450 lea edx, dword ptr [esp+50]
:0040166F 51 push ecx ; ECX = Temp
:00401670 52 push edx ; EDX holds the result of running the registration code through key Call (2); call it Temp2

* Reference To: KERNEL32.lstrcmpA, Ord:0000h ; the comparison uses lstrcmpA, so registration succeeds if Temp == Temp2
|
:00401671 FF150CB04000 Call dword ptr [0040B00C]
:00401677 85C0 test eax, eax ; EAX flags whether registration succeeded
:00401679 7421 je 0040169C ; jumping means registration succeeded

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401653(C)
|
:0040167B 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"Invalid code"
|
:0040167D 68A8C34000 push 0040C3A8

* Possible StringData Ref from Data Obj ->"Sorry, the registeration code "
                                        ->"you entered is invalid."
|
:00401682 6870C34000 push 0040C370
:00401687 56 push esi

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401688 FF15D0B04000 Call dword ptr [0040B0D0]
:0040168E 5F pop edi
:0040168F 5E pop esi
:00401690 33C0 xor eax, eax
:00401692 5B pop ebx
:00401693 81C488010000 add esp, 00000188
:00401699 C21000 ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401679(C)
|
:0040169C 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Thank you!"
|
:0040169E 6864C34000 push 0040C364

* Possible StringData Ref from Data Obj ->"Thank you for your support, the "
                                        ->"program has been registered!"
|
:004016A3 6824C34000 push 0040C324
:004016A8 56 push esi

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004016A9 FF15D0B04000 Call dword ptr [0040B0D0]
:004016AF 5F pop edi
:004016B0 5E pop esi
:004016B1 33C0 xor eax, eax
:004016B3 5B pop ebx
:004016B4 81C488010000 add esp, 00000188
:004016BA C21000 ret 0010

************************************* Key Call (1) ***********************************************

* Referenced by a CALL at Address:
|:004015FD
|
:00401170 B8001A0000 mov eax, 00001A00
:00401175 E8565D0000 call 00406ED0
:0040117A 33C0 xor eax, eax
:0040117C 53 push ebx
:0040117D 89442405 mov dword ptr [esp+05], eax
:00401181 56 push esi
:00401182 8944240D mov dword ptr [esp+0D], eax
:00401186 57 push edi
:00401187 89442415 mov dword ptr [esp+15], eax
:0040118B 33DB xor ebx, ebx
:0040118D 89442419 mov dword ptr [esp+19], eax
:00401191 B908000000 mov ecx, 00000008
:00401196 668944241D mov word ptr [esp+1D], ax
:0040119B 8D7C2421 lea edi, dword ptr [esp+21]
:0040119F 8844241F mov byte ptr [esp+1F], al
:004011A3 885C2420 mov byte ptr [esp+20], bl
:004011A7 F3 repz
:004011A8 AB stosd
:004011A9 8D4C2444 lea ecx, dword ptr [esp+44]
:004011AD 885C240C mov byte ptr [esp+0C], bl
:004011B1 51 push ecx
:004011B2 66AB stosw
:004011B4 E847060000 call 00401800
:004011B9 8BB424141A0000 mov esi, dword ptr [esp+00001A14]
:004011C0 83C404 add esp, 00000004
:004011C3 56 push esi

* Reference To: KERNEL32.lstrlenA, Ord:0000h
|
:004011C4 FF1578B04000 Call dword ptr [0040B078]
:004011CA 50 push eax
:004011CB 8D542448 lea edx, dword ptr [esp+48]
:004011CF 56 push esi ; ESI = Name = 娃娃[CCG]
:004011D0 52 push edx ; EDX = "0123456789ABCDEFFEDEBA9876543210"
:004011D1 E85A060000 call 00401830
:004011D6 8D442418 lea eax, dword ptr [esp+18]
:004011DA 50 push eax
:004011DB E800070000 call 004018E0

* Reference To: USER32.wsprintfA, Ord:0000h
|
:004011E0 8B1DECB04000 mov ebx, dword ptr [0040B0EC]
:004011E6 83C410 add esp, 00000010
:004011E9 33F6 xor esi, esi
:004011EB 8D7C2420 lea edi, dword ptr [esp+20]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401208(C)
|
:004011EF 33C9 xor ecx, ecx
:004011F1 8A4C340C mov cl, byte ptr [esp+esi+0C]
:004011F5 51 push ecx

* Possible StringData Ref from Data Obj ->"%02lX"
|
:004011F6 681CC34000 push 0040C31C
:004011FB 57 push edi
:004011FC FFD3 call ebx
:004011FE 83C40C add esp, 0000000C
:00401201 46 inc esi
:00401202 83C702 add edi, 00000002
:00401205 83FE10 cmp esi, 00000010
:00401208 7CE5 jl 004011EF
:0040120A 8B8424141A0000 mov eax, dword ptr [esp+00001A14]
:00401211 8D542420 lea edx, dword ptr [esp+20]
:00401215 52 push edx
:00401216 50 push eax

* Reference To: KERNEL32.lstrcpyA, Ord:0000h
|
:00401217 FF1510B04000 Call dword ptr [0040B010]
:0040121D 5F pop edi
:0040121E 5E pop esi
:0040121F 5B pop ebx
:00401220 81C4001A0000 add esp, 00001A00
:00401226 C3 ret

From the hash constant "0123456789ABCDEFFEDEBA9876543210" at 004011D0 we can deduce that the first part of the program's hash computation is the MD5 algorithm. I will not say much about MD5 in this article; if you are interested, see 《MD5的介紹,算法和實現》 (Introduction, Algorithm and Implementation of MD5), which I posted earlier on the 看雪 forum; I think it will be of some help. Because MD5 is one-way and irreversible, in this CrackMe it only serves to compute an intermediate value: once you recognize it as MD5, nothing else about it matters.

********************************** End of Call (1) analysis **********************************************

********************************** Key Call (2) **************************************************

* Referenced by a CALL at Address:
|:0040165F
|
:004010D0 51 push ecx
:004010D1 53 push ebx
:004010D2 55 push ebp
:004010D3 56 push esi
:004010D4 57 push edi
:004010D5 6A00 push 00000000
:004010D7 6A64 push 00000064
:004010D9 E832180000 call 00402910
:004010DE 6A00 push 00000000
:004010E0 8944241C mov dword ptr [esp+1C], eax
:004010E4 E887170000 call 00402870
:004010E9 6A00 push 00000000
:004010EB 8BF0 mov esi, eax
:004010ED E87E170000 call 00402870
:004010F2 6A00 push 00000000
:004010F4 8BF8 mov edi, eax
:004010F6 E875170000 call 00402870
:004010FB 6A00 push 00000000
:004010FD 8BD8 mov ebx, eax
:004010FF E86C170000 call 00402870
:00401104 8B4C2430 mov ecx, dword ptr [esp+30]
:00401108 8BE8 mov ebp, eax
:0040110A 8B442428 mov eax, dword ptr [esp+28]
:0040110E 51 push ecx
:0040110F 55 push ebp
:00401110 C7803802000010000000 mov dword ptr [ebx+00000238], 00000010
:0040111A E891260000 call 004037B0

* Possible StringData Ref from Data Obj ->"24DFDA27FA14D3F27DDF62CEA5D2381F9" /*N*/
|
:0040111F 68F0C24000 push 0040C2F0
:00401124 57 push edi
:00401125 E886260000 call 004037B0

* Possible StringData Ref from Data Obj ->"E401C1B" /*E*/
|
:0040112A 6814C34000 push 0040C314
:0040112F 53 push ebx
:00401130 E87B260000 call 004037B0
:00401135 56 push esi
:00401136 57 push edi
:00401137 53 push ebx
:00401138 55 push ebp
:00401139 E8422D0000 call 00403E80
:0040113E 8B54245C mov edx, dword ptr [esp+5C]
:00401142 83C440 add e
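To make the check described in the post concrete, here is an added Python model of the verifier side (not code from the post or from the CrackMe): the input validation, key Call (1) as MD5 over name+organization printed with "%02lX" per byte, and the final lstrcmpA comparison. The post is cut off before key Call (2) is fully analyzed, so modelling it as code^E mod N with the N and E constants from the listing, and using Big5 for the ANSI name bytes, are assumptions, not facts from the page.

```python
import hashlib

# Constants taken verbatim from the key Call (2) listing.
RSA_N = int("24DFDA27FA14D3F27DDF62CEA5D2381F9", 16)  # /*N*/, about 130 bits
RSA_E = int("E401C1B", 16)                             # /*E*/

# Caveat for anyone designing a real scheme: a 130-bit RSA modulus is far
# below today's minimum (2048 bits) and offers no practical security.

HEX_DIGITS = set("0123456789ABCDEF")  # valid set checked by call 00401090


def temp_hash(name: str, org: str, encoding: str = "big5") -> str:
    """Key Call (1): MD5 over the ANSI bytes of name followed by organization,
    formatted with 16 rounds of wsprintfA("%02lX"), i.e. upper-case hex.
    Big5 is an assumed encoding for the Traditional Chinese test inputs."""
    digest = hashlib.md5((name + org).encode(encoding)).digest()
    return "".join("%02X" % b for b in digest)


def is_valid_code(code: str) -> bool:
    """Call 00401090 as described: the code must be non-empty and use only
    characters from 0123456789ABCDEF (lower-case is rejected too)."""
    return len(code) > 0 and all(c in HEX_DIGITS for c in code)


def temp2(code: str) -> str:
    """ASSUMED body of key Call (2): code^E mod N as upper-case hex. The
    listing ends before this is confirmed; the arguments pushed before
    call 00403E80 (code, E, N) are what suggests a modular exponentiation."""
    return "%X" % pow(int(code, 16), RSA_E, RSA_N)


def check_registration(name: str, org: str, code: str) -> bool:
    """Mirror of the dialog handler: empty fields and non-hex codes fail,
    then success requires lstrcmpA(Temp, Temp2) == 0."""
    if not name or not org or not is_valid_code(code):
        return False
    return temp_hash(name, org) == temp2(code)


if __name__ == "__main__":
    # The post's inputs: Name 娃娃, Organization [CCG], code 38383838.
    print("Temp  =", temp_hash("娃娃", "[CCG]"))
    print("valid =", check_registration("娃娃", "[CCG]", "38383838"))
```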