-
-
[原创]RED Official KeygenMe #1的分析
-
发表于: 2011-4-20 08:12 4071
-
【文章标题】: RED Official KeygenMe #1
【文章作者】: vasthao
【作者邮箱】: [email]vasthao@gmail.com[/email]
【软件名称】: RED Official KeygenMe #1
【下载地址】: 附件内
【加壳方式】: upx
【保护方式】: MD5+SHA1+CRC32b+ElGamal+RSA
【编写语言】: Delphi
【使用工具】: OD,IDA,DeDe
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
一.基本信息:
1.PEid查看,upx壳,可用upx -d脱去。
2.PEid查看脱壳后的文件,Delphi编写,并用KANAL插件检测出CRC32b,FGInt,MD5,SHA1。
3.IDA载入,导入FGInt Sign,并导出Map文件。
二.分析:
1.在OD中载入刚生成的map文件,用DeDe得到验证按钮的事件为45E1BC,下断。
2.输入试炼码:
Name:pediy
Serial:12345678901234567890123456789012345678901234567890,分析如下:
0045E1BC >/. 55 push ebp ; _TForm1_SpeedButton3Click
0045E1BD |. 8BEC mov ebp, esp
0045E1BF |. 33C9 xor ecx, ecx
0045E1C1 |. 51 push ecx
0045E1C2 |. 51 push ecx
0045E1C3 |. 51 push ecx
0045E1C4 |. 51 push ecx
0045E1C5 |. 51 push ecx
0045E1C6 |. 53 push ebx
0045E1C7 |. 8BD8 mov ebx, eax
0045E1C9 |. 33C0 xor eax, eax
0045E1CB |. 55 push ebp
0045E1CC |. 68 8DE24500 push <loc_45E28D>
0045E1D1 |. 64:FF30 push dword ptr fs:[eax]
0045E1D4 |. 64:8920 mov dword ptr fs:[eax], esp
0045E1D7 |. C645 F7 00 mov byte ptr [ebp-9], 0
0045E1DB |. 8D55 FC lea edx, dword ptr [ebp-4]
0045E1DE |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0045E1E4 |. E8 7B78FDFF call <Controls::TControl::GetText(voi>
0045E1E9 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045E1EC |. E8 575FFAFF call <sub_404148>
0045E1F1 |. 85C0 test eax, eax
0045E1F3 |. 74 70 je short <loc_45E265>
0045E1F5 |. 8D55 F8 lea edx, dword ptr [ebp-8]
0045E1F8 |. 8B83 00030000 mov eax, dword ptr [ebx+300]
0045E1FE |. E8 6178FDFF call <Controls::TControl::GetText(voi>
0045E203 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045E206 |. E8 3D5FFAFF call <sub_404148>
0045E20B |. 85C0 test eax, eax
0045E20D |. 74 56 je short <loc_45E265>
0045E20F |. 8D4D F7 lea ecx, dword ptr [ebp-9] ; 验证flags
0045E212 |. 8B55 F8 mov edx, dword ptr [ebp-8] ; 序列号
0045E215 |. 8B45 FC mov eax, dword ptr [ebp-4] ; 用户名
0045E218 >|. E8 07FCFFFF call <sub_45DE24> ; 验证CALL,跟入
/****************************************************************/
0045DE24 > $ 55 push ebp ; sub_45DE24
0045DE25 . 8BEC mov ebp, esp
0045DE27 . 51 push ecx
0045DE28 . B9 0D000000 mov ecx, 0D
0045DE2D > > 6A 00 push 0 ; loc_45DE2D
0045DE2F . 6A 00 push 0
0045DE31 . 49 dec ecx
0045DE32 .^ 75 F9 jnz short <loc_45DE2D>
0045DE34 . 51 push ecx
0045DE35 . 874D FC xchg dword ptr [ebp-4], ecx
0045DE38 . 53 push ebx
0045DE39 . 56 push esi
0045DE3A . 57 push edi
0045DE3B . 894D F4 mov dword ptr [ebp-C], ecx
0045DE3E . 8955 F8 mov dword ptr [ebp-8], edx
0045DE41 . 8945 FC mov dword ptr [ebp-4], eax
0045DE44 . 8B45 FC mov eax, dword ptr [ebp-4]
0045DE47 . E8 EC64FAFF call <System::__linkproc__ LStrAddRef>
0045DE4C . 8B45 F8 mov eax, dword ptr [ebp-8]
0045DE4F . E8 E464FAFF call <System::__linkproc__ LStrAddRef>
0045DE54 . 8D45 D0 lea eax, dword ptr [ebp-30]
0045DE57 . 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DE5D . E8 DE69FAFF call <unknown_libname_73>
0045DE62 . 8D45 C8 lea eax, dword ptr [ebp-38]
0045DE65 . 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DE6B . E8 D069FAFF call <unknown_libname_73>
0045DE70 . 8D45 C0 lea eax, dword ptr [ebp-40]
0045DE73 . 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DE79 . E8 C269FAFF call <unknown_libname_73>
0045DE7E . 33C0 xor eax, eax
0045DE80 . 55 push ebp
0045DE81 . 68 28E14500 push <loc_45E128>
0045DE86 . 64:FF30 push dword ptr fs:[eax]
0045DE89 . 64:8920 mov dword ptr fs:[eax], esp
0045DE8C . 8B45 F4 mov eax, dword ptr [ebp-C]
0045DE8F . C600 00 mov byte ptr [eax], 0
0045DE92 . C645 BF 00 mov byte ptr [ebp-41], 0
0045DE96 . 33C0 xor eax, eax
0045DE98 . 8945 EC mov dword ptr [ebp-14], eax
0045DE9B . 8B45 FC mov eax, dword ptr [ebp-4]
0045DE9E . E8 A562FAFF call <sub_404148> ; 用户名长度
0045DEA3 . 85C0 test eax, eax
0045DEA5 . 75 0B jnz short <loc_45DEB2>
0045DEA7 . 8B45 F4 mov eax, dword ptr [ebp-C]
0045DEAA . C600 00 mov byte ptr [eax], 0
0045DEAD . E9 26020000 jmp <loc_45E0D8>
0045DEB2 > > 8B45 F8 mov eax, dword ptr [ebp-8] ; loc_45DEB2
0045DEB5 . E8 8E62FAFF call <sub_404148> ; 序列号长度
0045DEBA . 83F8 28 cmp eax, 28 ; 序列号长度必须大于40
0045DEBD . 7F 0B jg short <loc_45DECA>
0045DEBF . 8B45 F4 mov eax, dword ptr [ebp-C]
0045DEC2 . C600 00 mov byte ptr [eax], 0
0045DEC5 . E9 0E020000 jmp <loc_45E0D8>
0045DECA > > C745 AC 07000>mov dword ptr [ebp-54], 7 ;
0045DED1 . C745 B0 05000>mov dword ptr [ebp-50], 5
0045DED8 . C745 B4 02000>mov dword ptr [ebp-4C], 2
0045DEDF . C745 B8 15000>mov dword ptr [ebp-48], 15
0045DEE6 . 33D2 xor edx, edx
0045DEE8 . 55 push ebp
0045DEE9 . 68 0CDF4500 push <loc_45DF0C>
0045DEEE . 64:FF32 push dword ptr fs:[edx]
0045DEF1 . 64:8922 mov dword ptr fs:[edx], esp
0045DEF4 . 8D4D F0 lea ecx, dword ptr [ebp-10]
0045DEF7 . 8D55 AC lea edx, dword ptr [ebp-54]
0045DEFA . 8B45 F8 mov eax, dword ptr [ebp-8] ; 序列号
0045DEFD . E8 22FDFFFF call <sub_45DC24> ; 序列号解码CALL,跟进
/***************************************************************************/
//解码算法(Base62????)
0045DC24 >/$ 55 push ebp ; sub_45DC24
0045DC25 |. 8BEC mov ebp, esp
0045DC27 |. 83C4 DC add esp, -24
0045DC2A |. 53 push ebx
0045DC2B |. 56 push esi
0045DC2C |. 57 push edi
0045DC2D |. 33DB xor ebx, ebx
0045DC2F |. 895D DC mov dword ptr [ebp-24], ebx
0045DC32 |. 895D E0 mov dword ptr [ebp-20], ebx
0045DC35 |. 8BF2 mov esi, edx
0045DC37 |. 8D7D E4 lea edi, dword ptr [ebp-1C]
0045DC3A |. A5 movs dword ptr es:[edi], dword ptr [e>
0045DC3B |. A5 movs dword ptr es:[edi], dword ptr [e>
0045DC3C |. A5 movs dword ptr es:[edi], dword ptr [e>
0045DC3D |. A5 movs dword ptr es:[edi], dword ptr [e>
0045DC3E |. 8BF9 mov edi, ecx
0045DC40 |. 8945 FC mov dword ptr [ebp-4], eax
0045DC43 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045DC46 |. E8 ED66FAFF call <System::__linkproc__ LStrAddRef>
0045DC4B |. 33C0 xor eax, eax
0045DC4D |. 55 push ebp
0045DC4E |. 68 0EDD4500 push <loc_45DD0E>
0045DC53 |. 64:FF30 push dword ptr fs:[eax]
0045DC56 |. 64:8920 mov dword ptr fs:[eax], esp
0045DC59 |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; eax=7
0045DC5C |. F76D F0 imul dword ptr [ebp-10] ; eax=7*0x15=0x93
0045DC5F |. 8B55 E8 mov edx, dword ptr [ebp-18]
0045DC62 |. 0FAF55 EC imul edx, dword ptr [ebp-14] ; edx=0x2*0x5=0xa
0045DC66 |. 2BC2 sub eax, edx ; eax=0x93-0xa=0x89
0045DC68 |. 8945 F4 mov dword ptr [ebp-C], eax
0045DC6B |. 837D F4 00 cmp dword ptr [ebp-C], 0
0045DC6F |. 7F 09 jg short <loc_45DC7A>
0045DC71 |. 8BC7 mov eax, edi
0045DC73 |. E8 1062FAFF call <System::__linkproc__ LStrClr(vo>
0045DC78 |. EB 71 jmp short <loc_45DCEB>
0045DC7A >|> 8B45 FC mov eax, dword ptr [ebp-4] ; loc_45DC7A
0045DC7D |. E8 C664FAFF call <sub_404148> ; 序列号长度
0045DC82 |. 85C0 test eax, eax
0045DC84 |. 75 09 jnz short <loc_45DC8F>
0045DC86 |. 8BC7 mov eax, edi
0045DC88 |. E8 FB61FAFF call <System::__linkproc__ LStrClr(vo>
0045DC8D |. EB 5C jmp short <loc_45DCEB>
0045DC8F >|> 8BF0 mov esi, eax ; loc_45DC8F
0045DC91 |. 85F6 test esi, esi
0045DC93 |. 7E 56 jle short <loc_45DCEB>
0045DC95 |. C745 F8 01000>mov dword ptr [ebp-8], 1
0045DC9C >|> 8D45 E0 /lea eax, dword ptr [ebp-20] ; loc_45DC9C
0045DC9F |. 8B55 FC |mov edx, dword ptr [ebp-4]
0045DCA2 |. 8B4D F8 |mov ecx, dword ptr [ebp-8]
0045DCA5 |. 8A540A FF |mov dl, byte ptr [edx+ecx-1]
0045DCA9 |. E8 C263FAFF |call <unknown_libname_63>
0045DCAE |. 8B45 E0 |mov eax, dword ptr [ebp-20]
0045DCB1 |. BA 24DD4500 |mov edx, 0045DD24 ;
/***************************************************************************/
[0045DD24]=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz
/***************************************************************************/
0045DCB6 |. E8 D167FAFF |call <unknown_libname_69> ; 得到字符在字符串中的索引index
0045DCBB |. 8BD8 |mov ebx, eax
0045DCBD |. 8BC3 |mov eax, ebx
0045DCBF |. F76D F4 |imul dword ptr [ebp-C] ; index=index*0x89
0045DCC2 |. B9 3E000000 |mov ecx, 3E
0045DCC7 |. 99 |cdq
0045DCC8 |. F7F9 |idiv ecx
0045DCCA |. B8 24DD4500 |mov eax, 0045DD24 ;
/***************************************************************************/
[0045DD24]=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz
/***************************************************************************/
0045DCCF |. 8A5410 FF |mov dl, byte ptr [eax+edx-1] ;
/*******************************************/
edx=index*0x89mod0x3e=index*0xdmod0x3e
/*******************************************/
0045DCD3 |. 8D45 DC |lea eax, dword ptr [ebp-24]
0045DCD6 |. E8 9563FAFF |call <unknown_libname_63>
0045DCDB |. 8B55 DC |mov edx, dword ptr [ebp-24]
0045DCDE |. 8BC7 |mov eax, edi
0045DCE0 |. E8 6B64FAFF |call <System::__linkproc__ LStrCat(v>
0045DCE5 |. FF45 F8 |inc dword ptr [ebp-8]
0045DCE8 |. 4E |dec esi
0045DCE9 |.^ 75 B1 \jnz short <loc_45DC9C>
0045DCEB >|> 33C0 xor eax, eax ; loc_45DCEB
0045DCED |. 5A pop edx
0045DCEE |. 59 pop ecx
0045DCEF |. 59 pop ecx
0045DCF0 |. 64:8910 mov dword ptr fs:[eax], edx
0045DCF3 |. 68 15DD4500 push <loc_45DD15>
0045DCF8 >|> 8D45 DC lea eax, dword ptr [ebp-24] ; loc_45DCF8
0045DCFB |. BA 02000000 mov edx, 2
0045DD00 |. E8 A761FAFF call <System::__linkproc__ LStrArrayC>
0045DD05 |. 8D45 FC lea eax, dword ptr [ebp-4]
0045DD08 |. E8 7B61FAFF call <System::__linkproc__ LStrClr(vo>
0045DD0D \. C3 retn
0045DD0E > .^ E9 795BFAFF jmp <unknown_libname_53> ; loc_45DD0E
0045DD13 .^ EB E3 jmp short <loc_45DCF8>
0045DD15 > . 5F pop edi ; loc_45DD15
0045DD16 . 5E pop esi
0045DD17 . 5B pop ebx
0045DD18 . 8BE5 mov esp, ebp
0045DD1A . 5D pop ebp
0045DD1B . C3 retn
/***************************************************************************/
上面可以表示为(仿射密码??):
f(index1)=a;
f(index2)=b;
f(index1*0x89mod0x3e)=f(index1*0xdmod0x3e)=b;
则
index1*0xdmod0x3e=f-1(b);
index1=f-1(a)=f-1(b)/0xdmod0x3e=f-1(b)*0x2bmod0x3e=index2*0x2bmod0x3e;
编码函数可以写成:
string Encode(const string DecodeString,string &EncodeString){
string EncodeTable="=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
EncodeString="";
string::size_type pos;
for(string::size_type i=0;i<DecodeString.length();i++){
pos=EncodeTable.find(DecodeString.at(i));
EncodeString+=EncodeTable[pos*0x2b%0x3e];
}
return EncodeString;
}
/***************************************************************************/
跟到这:
0045DF32 > > \8D4D EC lea ecx, dword ptr [ebp-14] ; loc_45DF32
0045DF35 . B2 2D mov dl, 2D
0045DF37 . 8B45 F0 mov eax, dword ptr [ebp-10] ; 以'-'分割解码后的字符串
0045DF3A . E8 85F8FFFF call <Idglobal::RightStr(System::Ansi>
/***************************************************************************/
所以可以假设解码后的字符串是"123456789012345678901234567890-abcdefabcdefabcdefabcdefabcdef",编码后
Encode("123456789012345678901234567890-abcdefabcdefabcdefabcdefabcdef",Encodestring)
="ZGm4Lr9QwhZGm4Lr9QwhZGm4Lr9QwhdVCi0HnVCi0HnVCi0HnVCi0HnVCi0Hn",重新输入试炼码:
Name:pediy
Serial:ZGm4Lr9QwhZGm4Lr9QwhZGm4Lr9QwhdVCi0HnVCi0HnVCi0HnVCi0HnVCi0Hn,继续:
/***************************************************************************/
//RSA算法
0045DF3F . 837D EC 00 cmp dword ptr [ebp-14], 0
0045DF43 . 75 0B jnz short <loc_45DF50>
0045DF45 . 8B45 F4 mov eax, dword ptr [ebp-C]
0045DF48 . C600 00 mov byte ptr [eax], 0
0045DF4B . E9 88010000 jmp <loc_45E0D8>
0045DF50 > > 8D45 E8 lea eax, dword ptr [ebp-18]
0045DF53 . 50 push eax
0045DF54 . 8B4D EC mov ecx, dword ptr [ebp-14]
0045DF57 . 49 dec ecx
0045DF58 . BA 01000000 mov edx, 1
0045DF5D . 8B45 F0 mov eax, dword ptr [ebp-10]
0045DF60 . E8 D7F8FFFF call <sub_45D83C> ;
/*****************************************/
ebp-18=s1=123456789012345678901234567890
/******************************************/
0045DF65 . 8D45 E4 lea eax, dword ptr [ebp-1C]
0045DF68 . 50 push eax
0045DF69 . 8B45 F0 mov eax, dword ptr [ebp-10]
0045DF6C . E8 D761FAFF call <sub_404148>
0045DF71 . 8BC8 mov ecx, eax
0045DF73 . 8B55 EC mov edx, dword ptr [ebp-14]
0045DF76 . 42 inc edx
0045DF77 . 8B45 F0 mov eax, dword ptr [ebp-10]
0045DF7A . E8 BDF8FFFF call <sub_45D83C> ;
/*****************************************/
ebp-1c=s2=abcdefabcdefabcdefabcdefabcdef
/*****************************************/
0045DF7F . 8D45 E0 lea eax, dword ptr [ebp-20]
0045DF82 . 50 push eax ; sn1
/***************************************************************************/
sn1小于"214531558149839109621772662645101524753"
/***************************************************************************/
0045DF83 . 8D55 A8 lea edx, dword ptr [ebp-58]
0045DF86 . B8 94D74500 mov eax, <off_45D794>
0045DF8B . E8 747DFAFF call <System::LoadResString(System::T>
0045DF90 . 8B45 A8 mov eax, dword ptr [ebp-58] ; eax="65537" 很熟悉吧
0045DF93 . 50 push eax
0045DF94 . 8D55 A4 lea edx, dword ptr [ebp-5C]
0045DF97 . B8 84D74500 mov eax, <off_45D784>
0045DF9C . E8 637DFAFF call <System::LoadResString(System::T>
0045DFA1 . 8B55 A4 mov edx, dword ptr [ebp-5C] ;
/***************************************************************************/
edx="214531558149839109621772662645101524753"
/***************************************************************************/
0045DFA4 . 8B45 E8 mov eax, dword ptr [ebp-18] ;
/*******************************************/
eax=s1=123456789012345678901234567890
/*******************************************/
0045DFA7 . 59 pop ecx
0045DFA8 . E8 23F9FFFF call <sub_45D8D0> ; RSADecrypt
0045DFAD . 8D45 DC lea eax, dword ptr [ebp-24]
0045DFB0 . 50 push eax ; sn2
/***************************************************************************/
sn2小于"244875180354855501399901547088907207321"
/***************************************************************************/
0045DFB1 . 8D55 A0 lea edx, dword ptr [ebp-60]
0045DFB4 . B8 94D74500 mov eax, <off_45D794>
0045DFB9 . E8 467DFAFF call <System::LoadResString(System::T>
0045DFBE . 8B45 A0 mov eax, dword ptr [ebp-60] ; eax="65537"
0045DFC1 . 50 push eax
0045DFC2 . 8D55 9C lea edx, dword ptr [ebp-64]
0045DFC5 . B8 8CD74500 mov eax, <off_45D78C>
0045DFCA . E8 357DFAFF call <System::LoadResString(System::T>
0045DFCF . 8B55 9C mov edx, dword ptr [ebp-64] ;
/***************************************************************************/
edx="244875180354855501399901547088907207321"
/***************************************************************************/
0045DFD2 . 8B45 E4 mov eax, dword ptr [ebp-1C] ;
/*************************************************/
eax=s2=abcdefabcdefabcdefabcdefabcdef
/*************************************************/
0045DFD5 . 59 pop ecx
0045DFD6 . E8 F5F8FFFF call <sub_45D8D0> ; RSADecrypt,跟进
/***************************************************************************/
RSA-64的参数:
N1:214531558149839109621772662645101524753=12045117503226267611*17810665449496622723
E1:65537
D1:205189155126209086570183648469679264253
N2:244875180354855501399901547088907207321=15056966986685713091*16263247476825116531
E2:65537
D2:167855907384554199055222970030109813873
/********************************************************************************/
0045D8D0 >/$ 55 push ebp ; sub_45D8D0
0045D8D1 |. 8BEC mov ebp, esp
0045D8D3 |. 83C4 D4 add esp, -2C
0045D8D6 |. 894D F4 mov dword ptr [ebp-C], ecx
0045D8D9 |. 8955 F8 mov dword ptr [ebp-8], edx
0045D8DC |. 8945 FC mov dword ptr [ebp-4], eax
0045D8DF |. 8B45 FC mov eax, dword ptr [ebp-4]
0045D8E2 |. E8 516AFAFF call <System::__linkproc__ LStrAddRef>
0045D8E7 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045D8EA |. E8 496AFAFF call <System::__linkproc__ LStrAddRef>
0045D8EF |. 8B45 F4 mov eax, dword ptr [ebp-C]
0045D8F2 |. E8 416AFAFF call <System::__linkproc__ LStrAddRef>
0045D8F7 |. 8D45 EC lea eax, dword ptr [ebp-14]
0045D8FA |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045D900 |. E8 3B6FFAFF call <unknown_libname_73>
0045D905 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0045D908 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045D90E |. E8 2D6FFAFF call <unknown_libname_73>
0045D913 |. 8D45 DC lea eax, dword ptr [ebp-24]
0045D916 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045D91C |. E8 1F6FFAFF call <unknown_libname_73>
0045D921 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0045D924 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045D92A |. E8 116FFAFF call <unknown_libname_73>
0045D92F |. 33C0 xor eax, eax
0045D931 |. 55 push ebp
0045D932 |. 68 D4D94500 push <loc_45D9D4>
0045D937 |. 64:FF30 push dword ptr fs:[eax]
0045D93A |. 64:8920 mov dword ptr fs:[eax], esp
0045D93D |. 8D55 FC lea edx, dword ptr [ebp-4]
0045D940 |. 8B45 FC mov eax, dword ptr [ebp-4] ;
/**************************************/
eax=abcdefabcdefabcdefabcdefabcdef
/**************************************/
0045D943 >|. E8 8C9AFFFF call <ConvertHexStringToBase256String>;
/**************************************/
eax=s2是16进制
/**************************************/
0045D948 |. 8D55 DC lea edx, dword ptr [ebp-24]
0045D94B |. 8B45 FC mov eax, dword ptr [ebp-4]
0045D94E |. E8 7D9DFFFF call <Base256StringToFGInt(AnsiString>
0045D953 |. 8D55 EC lea edx, dword ptr [ebp-14]
0045D956 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; N2
0045D959 |. E8 069FFFFF call <Base10StringToFGInt(AnsiString,>
0045D95E |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0045D961 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; E2
0045D964 |. E8 FB9EFFFF call <Base10StringToFGInt(AnsiString,>
0045D969 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0045D96C |. 50 push eax
0045D96D |. 8D4D EC lea ecx, dword ptr [ebp-14]
0045D970 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0045D973 |. 8D45 DC lea eax, dword ptr [ebp-24]
0045D976 |. E8 DDB3FFFF call <FGIntModExp(TFGInt &,TFGInt &,T>;
/************************************************/
s2^E2MODN2
/************************************************/
0045D97B |. 8B55 08 mov edx, dword ptr [ebp+8]
0045D97E |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0045D981 |. E8 3EA1FFFF call <FGIntToBase10String(TFGInt &,An>;
/***************************************************************************/
ebp+8=51500506821326607889565761299897989217
/***************************************************************************/
0045D986 |. 8D45 EC lea eax, dword ptr [ebp-14]
0045D989 |. E8 62A2FFFF call <FGIntDestroy(TFGInt &)>
0045D98E |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0045D991 |. E8 5AA2FFFF call <FGIntDestroy(TFGInt &)>
0045D996 |. 8D45 DC lea eax, dword ptr [ebp-24]
0045D999 |. E8 52A2FFFF call <FGIntDestroy(TFGInt &)>
0045D99E |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0045D9A1 |. E8 4AA2FFFF call <FGIntDestroy(TFGInt &)>
0045D9A6 |. 33C0 xor eax, eax
0045D9A8 |. 5A pop edx
0045D9A9 |. 59 pop ecx
0045D9AA |. 59 pop ecx
0045D9AB |. 64:8910 mov dword ptr fs:[eax], edx
0045D9AE |. 68 DBD94500 push <loc_45D9DB>
0045D9B3 >|> 8D45 D4 lea eax, dword ptr [ebp-2C] ; loc_45D9B3
0045D9B6 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045D9BC |. B9 04000000 mov ecx, 4
0045D9C1 |. E8 966FFAFF call <System::__linkproc__ FinalizeAr>
0045D9C6 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0045D9C9 |. BA 03000000 mov edx, 3
0045D9CE |. E8 D964FAFF call <System::__linkproc__ LStrArrayC>
0045D9D3 \. C3 retn
0045D9D4 > .^ E9 B35EFAFF jmp <unknown_libname_53> ; loc_45D9D4
0045D9D9 .^ EB D8 jmp short <loc_45D9B3>
0045D9DB > . 8BE5 mov esp, ebp ; loc_45D9DB
0045D9DD . 5D pop ebp
0045D9DE . C2 0400 retn 4
/***************************************************************************/
//hash算法
0045DFDB . 8D55 D8 lea edx, dword ptr [ebp-28]
0045DFDE . 8B45 FC mov eax, dword ptr [ebp-4]
0045DFE1 . E8 7EFDFFFF call <sub_45DD64> ; Hash函数,跟进
/***************************************************************************/
0045DD64 >/$ 55 push ebp ; Hash函数
0045DD65 |. 8BEC mov ebp, esp
0045DD67 |. 33C9 xor ecx, ecx
0045DD69 |. 51 push ecx
0045DD6A |. 51 push ecx
0045DD6B |. 51 push ecx
0045DD6C |. 51 push ecx
0045DD6D |. 51 push ecx
0045DD6E |. 51 push ecx
0045DD6F |. 53 push ebx
0045DD70 |. 56 push esi
0045DD71 |. 8955 F8 mov dword ptr [ebp-8], edx
0045DD74 |. 8945 FC mov dword ptr [ebp-4], eax
0045DD77 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045DD7A |. E8 B965FAFF call <System::__linkproc__ LStrAddRef(void *)>
0045DD7F |. 33C0 xor eax, eax
0045DD81 |. 55 push ebp
0045DD82 |. 68 15DE4500 push <loc_45DE15>
0045DD87 |. 64:FF30 push dword ptr fs:[eax]
0045DD8A |. 64:8920 mov dword ptr fs:[eax], esp
0045DD8D |. 33DB xor ebx, ebx
0045DD8F |. 33F6 xor esi, esi
0045DD91 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045DD94 |. E8 AF63FAFF call <sub_404148> ; 用户名长度
0045DD99 |. 8D55 F4 lea edx, dword ptr [ebp-C]
0045DD9C |. 8B45 FC mov eax, dword ptr [ebp-4]
0045DD9F |. E8 50CBFFFF call <sub_45A8F4> ; 标准的MD5,不跟了
0045DDA4 |. 8D55 F0 lea edx, dword ptr [ebp-10]
0045DDA7 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 注意MD5值是大写!!!!!
0045DDAA |. E8 0DD0FFFF call <sub_45ADBC> ; 标准的SHA1,不跟了
0045DDAF |. 8D55 EC lea edx, dword ptr [ebp-14]
0045DDB2 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0045DDB5 >|. E8 C6BFFFFF call <sub_459D80> ; CRC32b,不跟了
0045DDBA |. 8B45 EC mov eax, dword ptr [ebp-14]
0045DDBD |. E8 8663FAFF call <sub_404148>
0045DDC2 |. 85C0 test eax, eax
0045DDC4 |. 7E 17 jle short <loc_45DDDD>
0045DDC6 |. BA 01000000 mov edx, 1
0045DDCB >|> 8B4D EC /mov ecx, dword ptr [ebp-14] ; ecx='680ED875'
0045DDCE |. 0FB64C11 FF |movzx ecx, byte ptr [ecx+edx-1]
0045DDD3 |. 03D9 |add ebx, ecx ; 当前值和下个值相加
0045DDD5 |. 03F3 |add esi, ebx ; 当前值+当前值+下个值
0045DDD7 |. 8BDE |mov ebx, esi ; 保存当前的值
0045DDD9 |. 42 |inc edx
0045DDDA |. 48 |dec eax
0045DDDB |.^ 75 EE \jnz short <loc_45DDCB> ;
/***************************************************************************/
esi='6'<<7+'8'<<6+'0'<<5+'E'<<4+'D'<<3+'8'<<2+'7'<<1+'5'
/***************************************************************************/
0045DDDD >|> 8D55 E8 lea edx, dword ptr [ebp-18] ; loc_45DDDD
0045DDE0 |. 8BC6 mov eax, esi ; esi=0x36f3
0045DDE2 |. E8 95A2FAFF call <Sysutils::IntToStr(int)>
0045DDE7 |. 8B55 E8 mov edx, dword ptr [ebp-18] ; EBP-18='14067'
0045DDEA |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DDED |. E8 EA60FAFF call <System::__linkproc__ LStrAsg(void *,voi>
0045DDF2 |. 33C0 xor eax, eax
0045DDF4 |. 5A pop edx
0045DDF5 |. 59 pop ecx
0045DDF6 |. 59 pop ecx
0045DDF7 |. 64:8910 mov dword ptr fs:[eax], edx
0045DDFA |. 68 1CDE4500 push <loc_45DE1C>
0045DDFF >|> 8D45 E8 lea eax, dword ptr [ebp-18] ; loc_45DDFF
0045DE02 |. BA 04000000 mov edx, 4
0045DE07 |. E8 A060FAFF call <System::__linkproc__ LStrArrayClr(void >
0045DE0C |. 8D45 FC lea eax, dword ptr [ebp-4]
0045DE0F |. E8 7460FAFF call <System::__linkproc__ LStrClr(void *)>
0045DE14 \. C3 retn
0045DE15 > .^ E9 725AFAFF jmp <unknown_libname_53> ; loc_45DE15
0045DE1A .^ EB E3 jmp short <loc_45DDFF>
0045DE1C > . 5E pop esi ; loc_45DE1C
0045DE1D . 5B pop ebx
0045DE1E . 8BE5 mov esp, ebp
0045DE20 . 5D pop ebp
0045DE21 . C3 retn
/*********************************************************************/
其中MD5,SHA1都是标准的。
CRC32b算法:
unsigned int crc32_be(unsigned char const *p, size_t len)
{
unsigned int crc=0xffffffff;
while (len--) {
crc ^= *p++ << 24;
for (int i = 0; i < 8; i++)
crc =(crc << 1) ^ ((crc & 0x80000000) ?0x04c11db7 :0);
}
return ~crc;
}
/****************************************************************************/
//ElGamal验证
0045DFE6 . 8B45 E0 mov eax, dword ptr [ebp-20] ; eax=sn1
0045DFE9 . E8 5A61FAFF call <sub_404148>
0045DFEE . 85C0 test eax, eax
0045DFF0 . 7E 23 jle short <loc_45E015>
0045DFF2 . BA 01000000 mov edx, 1
0045DFF7 > > 8B4D E0 mov ecx, dword ptr [ebp-20] ; loc_45DFF7
0045DFFA . 8A4C11 FF mov cl, byte ptr [ecx+edx-1]
0045DFFE . 80C1 D0 add cl, 0D0
0045E001 . 80E9 0A sub cl, 0A
0045E004 . 72 0B jb short <loc_45E011> ; 是否为数字
0045E006 . 8B45 F4 mov eax, dword ptr [ebp-C]
0045E009 . C600 00 mov byte ptr [eax], 0
0045E00C . E9 C7000000 jmp <loc_45E0D8>
0045E011 > > 42 inc edx ; loc_45E011
0045E012 . 48 dec eax
0045E013 .^ 75 E2 jnz short <loc_45DFF7>
0045E015 > > 8B45 DC mov eax, dword ptr [ebp-24] ; eax=sn2
0045E018 . E8 2B61FAFF call <sub_404148>
0045E01D . 85C0 test eax, eax
0045E01F . 7E 23 jle short <loc_45E044>
0045E021 . BA 01000000 mov edx, 1
0045E026 > > 8B4D DC mov ecx, dword ptr [ebp-24] ; loc_45E026
0045E029 . 8A4C11 FF mov cl, byte ptr [ecx+edx-1]
0045E02D . 80C1 D0 add cl, 0D0
0045E030 . 80E9 0A sub cl, 0A
0045E033 . 72 0B jb short <loc_45E040>
0045E035 . 8B45 F4 mov eax, dword ptr [ebp-C]
0045E038 . C600 00 mov byte ptr [eax], 0
0045E03B . E9 98000000 jmp <loc_45E0D8>
0045E040 > > 42 inc edx ; loc_45E040
0045E041 . 48 dec eax
0045E042 .^ 75 E2 jnz short <loc_45E026>
0045E044 > > 8D55 98 lea edx, dword ptr [ebp-68] ; loc_45E044
0045E047 . B8 9CD74500 mov eax, <off_45D79C>
0045E04C . E8 B37CFAFF call <System::LoadResString(System::TResStrin>
0045E051 . 8B45 98 mov eax, dword ptr [ebp-68] ;
/***************************************************************************/
P=337187229886387141785478049829234100463
/***************************************************************************/
0045E054 . 8D55 D0 lea edx, dword ptr [ebp-30]
0045E057 . E8 0898FFFF call <Base10StringToFGInt(AnsiString,TFGInt &>
0045E05C . 8D55 94 lea edx, dword ptr [ebp-6C]
0045E05F . B8 A4D74500 mov eax, <off_45D7A4>
0045E064 . E8 9B7CFAFF call <System::LoadResString(System::TResStrin>
0045E069 . 8B45 94 mov eax, dword ptr [ebp-6C] ;
/***************************************************************************/
G=208384547864955790279535919262727623043
/***************************************************************************/
0045E06C . 8D55 C8 lea edx, dword ptr [ebp-38]
0045E06F . E8 F097FFFF call <Base10StringToFGInt(AnsiString,TFGInt &>
0045E074 . 8D55 90 lea edx, dword ptr [ebp-70]
0045E077 . B8 ACD74500 mov eax, <off_45D7AC>
0045E07C . E8 837CFAFF call <System::LoadResString(System::TResStrin>
0045E081 . 8B45 90 mov eax, dword ptr [ebp-70] ;
/***************************************************************************/
Y=32257573436640707566982045066111677313
/***************************************************************************/
0045E084 . 8D55 C0 lea edx, dword ptr [ebp-40]
0045E087 . E8 D897FFFF call <Base10StringToFGInt(AnsiString,TFGInt &>
0045E08C . 8D45 D0 lea eax, dword ptr [ebp-30] ; P
0045E08F . 50 push eax
0045E090 . 8D45 C8 lea eax, dword ptr [ebp-38] ; G
0045E093 . 50 push eax
0045E094 . 8D45 C0 lea eax, dword ptr [ebp-40] ; Y
0045E097 . 50 push eax
0045E098 . 8D45 BF lea eax, dword ptr [ebp-41] ; OK?
0045E09B . 50 push eax
0045E09C . 8B4D DC mov ecx, dword ptr [ebp-24] ;
/***************************************************************************/
sn2=51500506821326607889565761299897989217
/***************************************************************************/
0045E09F . 8B55 E0 mov edx, dword ptr [ebp-20] ;
/***************************************************************************/
sn1=130339248367019973463929393932250330565
/***************************************************************************/
0045E0A2 . 8B45 D8 mov eax, dword ptr [ebp-28] ;
/**********************************************/
ebp-28=M=36f3="14067"
/**********************************************/
0045E0A5 . E8 3AF9FFFF call <sub_45D9E4> ; ElGamalVerify,跟进
0045D9E4 >/$ 55 push ebp ; ElGamalVerify函数
0045D9E5 |. 8BEC mov ebp, esp
0045D9E7 |. 83C4 94 add esp, -6C
0045D9EA |. 53 push ebx
0045D9EB |. 56 push esi
0045D9EC |. 57 push edi
0045D9ED |. 8B75 0C mov esi, dword ptr [ebp+C]
0045D9F0 |. 8D7D DC lea edi, dword ptr [ebp-24] ;
/***************************************************************************/
[ebp-24]=Y=32257573436640707566982045066111677313
/***************************************************************************/
0045D9F3 |. A5 movs dword ptr es:[edi], dword ptr [esi]
0045D9F4 |. A5 movs dword ptr es:[edi], dword ptr [esi]
0045D9F5 |. 8B75 10 mov esi, dword ptr [ebp+10] ;
/***************************************************************************/
[ebp-1c]=G=208384547864955790279535919262727623043
/***************************************************************************/
0045D9F8 |. 8D7D E4 lea edi, dword ptr [ebp-1C]
0045D9FB |. A5 movs dword ptr es:[edi], dword ptr [esi]
0045D9FC |. A5 movs dword ptr es:[edi], dword ptr [esi]
0045D9FD |. 8B75 14 mov esi, dword ptr [ebp+14] ;
/***************************************************************************/
[ebp-14]=P=337187229886387141785478049829234100463
/***************************************************************************/
0045DA00 |. 8D7D EC lea edi, dword ptr [ebp-14]
0045DA03 |. A5 movs dword ptr es:[edi], dword ptr [esi]
0045DA04 |. A5 movs dword ptr es:[edi], dword ptr [esi]
0045DA05 |. 894D F4 mov dword ptr [ebp-C], ecx
0045DA08 |. 8955 F8 mov dword ptr [ebp-8], edx
0045DA0B |. 8945 FC mov dword ptr [ebp-4], eax
0045DA0E |. 8B5D 08 mov ebx, dword ptr [ebp+8]
0045DA11 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045DA14 |. E8 1F69FAFF call <System::__linkproc__ LStrAddRef(void *)>
0045DA19 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DA1C |. E8 1769FAFF call <System::__linkproc__ LStrAddRef(void *)>
0045DA21 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0045DA24 |. E8 0F69FAFF call <System::__linkproc__ LStrAddRef(void *)>
0045DA29 |. 8D45 EC lea eax, dword ptr [ebp-14]
0045DA2C |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA32 |. E8 1D70FAFF call <unknown_libname_77>
0045DA37 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0045DA3A |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA40 |. E8 0F70FAFF call <unknown_libname_77>
0045DA45 |. 8D45 DC lea eax, dword ptr [ebp-24]
0045DA48 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA4E |. E8 0170FAFF call <unknown_libname_77>
0045DA53 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0045DA56 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA5C |. E8 DF6DFAFF call <unknown_libname_73>
0045DA61 |. 8D45 CC lea eax, dword ptr [ebp-34]
0045DA64 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA6A |. E8 D16DFAFF call <unknown_libname_73>
0045DA6F |. 8D45 C4 lea eax, dword ptr [ebp-3C]
0045DA72 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA78 |. E8 C36DFAFF call <unknown_libname_73>
0045DA7D |. 8D45 BC lea eax, dword ptr [ebp-44]
0045DA80 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA86 |. E8 B56DFAFF call <unknown_libname_73>
0045DA8B |. 8D45 B4 lea eax, dword ptr [ebp-4C]
0045DA8E |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DA94 |. E8 A76DFAFF call <unknown_libname_73>
0045DA99 |. 8D45 AC lea eax, dword ptr [ebp-54]
0045DA9C |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DAA2 |. E8 996DFAFF call <unknown_libname_73>
0045DAA7 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
0045DAAA |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DAB0 |. E8 8B6DFAFF call <unknown_libname_73>
0045DAB5 |. 8D45 9C lea eax, dword ptr [ebp-64]
0045DAB8 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DABE |. E8 7D6DFAFF call <unknown_libname_73>
0045DAC3 |. 8D45 94 lea eax, dword ptr [ebp-6C]
0045DAC6 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DACC |. E8 6F6DFAFF call <unknown_libname_73>
0045DAD1 |. 33C0 xor eax, eax
0045DAD3 |. 55 push ebp
0045DAD4 |. 68 07DC4500 push <loc_45DC07>
0045DAD9 |. 64:FF30 push dword ptr fs:[eax]
0045DADC |. 64:8920 mov dword ptr fs:[eax], esp
0045DADF |. C603 01 mov byte ptr [ebx], 1
0045DAE2 |. 8D55 D4 lea edx, dword ptr [ebp-2C]
0045DAE5 |. B8 20DC4500 mov eax, 0045DC20 ; 1
0045DAEA |. E8 759DFFFF call <Base10StringToFGInt(AnsiString,TFGInt &>
0045DAEF |. 8D55 CC lea edx, dword ptr [ebp-34] ;
/***************************************************************************/
[ebp-34]=sn1=130339248367019973463929393932250330565
/***************************************************************************/
0045DAF2 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045DAF5 |. E8 6A9DFFFF call <Base10StringToFGInt(AnsiString,TFGInt &>
0045DAFA |. 8D55 C4 lea edx, dword ptr [ebp-3C] ;
/***************************************************************************/
[ebp-3c]=sn2=51500506821326607889565761299897989217
/***************************************************************************/
0045DAFD |. 8B45 F4 mov eax, dword ptr [ebp-C]
0045DB00 |. E8 5F9DFFFF call <Base10StringToFGInt(AnsiString,TFGInt &>
0045DB05 |. 8D55 BC lea edx, dword ptr [ebp-44] ;
/***************************************************************************/
[ebp-44]=M=36f3='14067'
/***************************************************************************/
0045DB08 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045DB0B |. E8 549DFFFF call <Base10StringToFGInt(AnsiString,TFGInt &>
0045DB10 |. 8D4D B4 lea ecx, dword ptr [ebp-4C]
0045DB13 |. 8D55 D4 lea edx, dword ptr [ebp-2C] ; 1
0045DB16 |. 8D45 EC lea eax, dword ptr [ebp-14] ;
/***************************************************************************/
[ebp-14]=P=337187229886387141785478049829234100463
/***************************************************************************/
0045DB19 |. E8 A6A3FFFF call <FGIntSub(TFGInt &,TFGInt &,TFGInt &)> ;
/**************************************************/
EBP-4C=P-1
/**************************************************/
0045DB1E |. 8D55 B4 lea edx, dword ptr [ebp-4C]
0045DB21 |. 8D45 CC lea eax, dword ptr [ebp-34]
0045DB24 |. E8 DBA0FFFF call <FGIntCompareAbs(TFGInt &,TFGInt &)>
0045DB29 |. 3C 01 cmp al, 1
0045DB2B |. 74 08 je short <loc_45DB35>
0045DB2D |. C603 00 mov byte ptr [ebx], 0
0045DB30 |. E9 A4000000 jmp <loc_45DBD9>
0045DB35 >|> 8D45 AC lea eax, dword ptr [ebp-54] ; loc_45DB35
0045DB38 |. 50 push eax
0045DB39 |. 8D4D EC lea ecx, dword ptr [ebp-14]
0045DB3C |. 8D55 CC lea edx, dword ptr [ebp-34]
0045DB3F |. 8D45 DC lea eax, dword ptr [ebp-24]
0045DB42 |. E8 EDB6FFFF call <FGIntMontgomeryModExp(TFGInt &,TFGInt &>; EBP-54=Y^sn1modP
0045DB47 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
0045DB4A |. 50 push eax
0045DB4B |. 8D4D EC lea ecx, dword ptr [ebp-14]
0045DB4E |. 8D55 C4 lea edx, dword ptr [ebp-3C]
0045DB51 |. 8D45 CC lea eax, dword ptr [ebp-34]
0045DB54 |. E8 DBB6FFFF call <FGIntMontgomeryModExp(TFGInt &,TFGInt &>; ebp-5c=sn1^sn2modp
0045DB59 |. 8D45 9C lea eax, dword ptr [ebp-64]
0045DB5C |. 50 push eax
0045DB5D |. 8D4D EC lea ecx, dword ptr [ebp-14]
0045DB60 |. 8D55 A4 lea edx, dword ptr [ebp-5C]
0045DB63 |. 8D45 AC lea eax, dword ptr [ebp-54]
0045DB66 |. E8 75B1FFFF call <unknown_libname_881> ;
/***************************************************************************/
ebp-64=[ebp-54]*[ebp-5c]modp(Y^sn1modp*sn1^sn2modp)modp
=Y^sn1*sn1^sn2modp
/***************************************************************************/
0045DB6B |. 8D45 94 lea eax, dword ptr [ebp-6C]
0045DB6E |. 50 push eax
0045DB6F |. 8D4D EC lea ecx, dword ptr [ebp-14]
0045DB72 |. 8D55 BC lea edx, dword ptr [ebp-44]
0045DB75 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0045DB78 |. E8 DBB1FFFF call <FGIntModExp(TFGInt &,TFGInt &,TFGInt &,>; [ebp-6c]=G^M(ModP)
0045DB7D |. 8D55 94 lea edx, dword ptr [ebp-6C]
0045DB80 |. 8D45 9C lea eax, dword ptr [ebp-64]
0045DB83 |. E8 7CA0FFFF call <FGIntCompareAbs(TFGInt &,TFGInt &)> ;
/******************************************/
Y^sn1*sn1^sn2modp?=G^Mmodp
/******************************************/
0045DB88 |. 3C 02 cmp al, 2
0045DB8A |. 74 05 je short <loc_45DB91>
0045DB8C |. C603 00 mov byte ptr [ebx], 0
0045DB8F |. EB 48 jmp short <loc_45DBD9>
0045DB91 >|> 8D45 D4 lea eax, dword ptr [ebp-2C] ; loc_45DB91
0045DB94 |. E8 57A0FFFF call <FGIntDestroy(TFGInt &)>
0045DB99 |. 8D45 CC lea eax, dword ptr [ebp-34]
0045DB9C |. E8 4FA0FFFF call <FGIntDestroy(TFGInt &)>
0045DBA1 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
0045DBA4 |. E8 47A0FFFF call <FGIntDestroy(TFGInt &)>
0045DBA9 |. 8D45 BC lea eax, dword ptr [ebp-44]
0045DBAC |. E8 3FA0FFFF call <FGIntDestroy(TFGInt &)>
0045DBB1 |. 8D45 B4 lea eax, dword ptr [ebp-4C]
0045DBB4 |. E8 37A0FFFF call <FGIntDestroy(TFGInt &)>
0045DBB9 |. 8D45 AC lea eax, dword ptr [ebp-54]
0045DBBC |. E8 2FA0FFFF call <FGIntDestroy(TFGInt &)>
0045DBC1 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
0045DBC4 |. E8 27A0FFFF call <FGIntDestroy(TFGInt &)>
0045DBC9 |. 8D45 9C lea eax, dword ptr [ebp-64]
0045DBCC |. E8 1FA0FFFF call <FGIntDestroy(TFGInt &)>
0045DBD1 |. 8D45 94 lea eax, dword ptr [ebp-6C]
0045DBD4 |. E8 17A0FFFF call <FGIntDestroy(TFGInt &)>
0045DBD9 >|> 33C0 xor eax, eax ; loc_45DBD9
0045DBDB |. 5A pop edx
0045DBDC |. 59 pop ecx
0045DBDD |. 59 pop ecx
0045DBDE |. 64:8910 mov dword ptr fs:[eax], edx
0045DBE1 |. 68 0EDC4500 push <loc_45DC0E>
0045DBE6 >|> 8D45 94 lea eax, dword ptr [ebp-6C] ; loc_45DBE6
0045DBE9 |. 8B15 20714500 mov edx, dword ptr [<off_457120>] ;
0045DBEF |. B9 0C000000 mov ecx, 0C
0045DBF4 |. E8 636DFAFF call <System::__linkproc__ FinalizeArray(void>
0045DBF9 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0045DBFC |. BA 03000000 mov edx, 3
0045DC01 |. E8 A662FAFF call <System::__linkproc__ LStrArrayClr(void >
0045DC06 \. C3 retn
0045DC07 > .^ E9 805CFAFF jmp <unknown_libname_53> ; loc_45DC07
0045DC0C .^ EB D8 jmp short <loc_45DBE6>
0045DC0E > . 5F pop edi ; loc_45DC0E
0045DC0F . 5E pop esi
0045DC10 . 5B pop ebx
0045DC11 . 8BE5 mov esp, ebp
0045DC13 . 5D pop ebp
0045DC14 . C2 1000 retn 10
/***************************************************************************/
ElGamal的参数:
P:337187229886387141785478049829234100463
G:208384547864955790279535919262727623043
Y:32257573436640707566982045066111677313
关键是求出X,目前我所知道的求离散对数最快的是a6aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3#2S2k6$3#2S2i4K6u0W2L8h3q4@1K9s2y4Q4x3X3g2#2M7%4W2V1i4K6u0W2k6h3c8#2i4K6u0W2j5i4g2Q4x3V1k6U0j5h3I4U0i4K6u0r3在线计算,输入以下命令:
P:=337187229886387141785478049829234100463;
K:=GF(P);
G:=K!208384547864955790279535919262727623043;
Y:=K!32257573436640707566982045066111677313;
Log(G, Y);
等一会儿,内存超标了(好像有150M的限制),没办法,网上找了个用IndexCalculus算法(附件已提供,注意DEBUG编译有问题)计算离散对数的,在我的老爷机AMD 3200差不多跑了8个小时,最终得X=118087687500430042465381609720321284069;
--------------------------------------------------------------------------------
【经验总结】
可以看出,这个keygenme使用了MD5,SHA1,CRC32b,ElGamal,RSA算法,编码应该是仿射,具体验证算法如下:
1.解码输入的系列号,得到以'-'分割的字符串,分割成两个字符串s1,s2;
2.RSA解密,s1^E1modN1=sn1,s2^E2modN2=sn2;其中:
N1:214531558149839109621772662645101524753=12045117503226267611*17810665449496622723
E1:65537
D1:205189155126209086570183648469679264253
N2:244875180354855501399901547088907207321=15056966986685713091*16263247476825116531
E2:65537
D2:167855907384554199055222970030109813873
3.Hash(name),首先得到用户名的MD5字符串(注意是大写!!!),并用SHA1算法得到MD5字符串的SHA1值,再用CRC32b算法得到SHA1的CRC32字符串a7a6a5a4a3a2a1a0(也是大写),则
M=a7<<7+a6<<6+a5<<5+a4<<4+a3<<3+a2<<2+a1<<1+a0;
4,ElGamal验证,主要参数:
P:337187229886387141785478049829234100463
G:208384547864955790279535919262727623043
Y:32257573436640707566982045066111677313
X:118087687500430042465381609720321284069
验证Y^sn1*sn1^sn2modP?=G^MmodP
注册算法:
1.ElGamal签名
M=Hash(name);
首先选择一个随机数k, k与 P - 1互质,计算
sn1 = G^k ( mod P )
sn2=k^-1*(M-X*s1) ( mod P - 1 )(不断加P-1直至非负)
注意sn1必须小于N1,sn2必须小于N2,否则重新生成。
2.RSA加密
s1=sn1^D1modN1,s2=sn2^D2modN2,转为十六进制,用'-'相连得到s。
3.编码
对s进行编码,Encode(s,Serial),Serial就是序列号了,注册机见附件。
给出一组可用的注册码:
name:pediy
serial:944GZfXErLfhrGfLwmJfL2Z4GkfEZhXfdXLQLXGrQ49J2ZQG9h4hJX2kZEX2G4mf9
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2011年04月19日 21:02:42
赞赏
|
|
|---|---|
|
|
