扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
在本页阅读全文(共6页)
标 题:BlowFish's CrackMe1 算法分析,以前夜月写过 (18千字)
发信人:DiKeN
时 间:2002-4-11 13:53:00
详细信息:
=========================================================
=
= BlowFish's CrackMe1 验证算法分析
= DiKeN/OCG
=========================================================
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03EB, ""
|
:004015A4 68EB030000 push 000003EB
:004015A9 56 push esi
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:004015AA FF151C614000 Call dword ptr [0040611C]
:004015B0 85C0 test eax, eax
:004015B2 0F8432010000 je 004016EA
:004015B8 8D4C244C lea ecx, dword ptr [esp+4C]
:004015BC 8D542448 lea edx, dword ptr [esp+48]
:004015C0 51 push ecx
:004015C1 52 push edx
:004015C2 8D44240C lea eax, dword ptr [esp+0C]
* Possible StringData Ref from Data Obj ->"%08lX%08lX"
|
:004015C6 686C804000 push 0040806C
:004015CB 50 push eax
:004015CC E81F020000 call 004017F0
:004015D1 8D4C245C lea ecx, dword ptr [esp+5C]
:004015D5 8D542458 lea edx, dword ptr [esp+58]
:004015D9 51 push ecx=========>[ecx]=0x90ABCDEF=xr
:004015DA 52 push edx=========>[edx]=0x12345678=xl
:004015DB 6880894000 push 00408980====>P-Box(密钥盒)
:004015E0 E8EBFAFFFF call 004010D0====>计算Blowfish_Dec(long *xl,long *xr)
======================================BF_Dec过程分析============================
:004010D0 8B442408 mov eax, dword ptr [esp+08]
:004010D4 8B4C240C mov ecx, dword ptr [esp+0C]
:004010D8 53 push ebx
:004010D9 55 push ebp
:004010DA 8B00 mov eax, dword ptr [eax]====>xl
:004010DC 56 push esi
:004010DD 8B31 mov esi, dword ptr [ecx]====>xr
:004010DF 57 push edi
:004010E0 8B7C2414 mov edi, dword ptr [esp+14]
:004010E4 C744241410000000 mov [esp+14], 00000010
:004010EC 8D5F44 lea ebx, dword ptr [edi+44]==>P-Box(FORM 18 to 1<==因此使用的Dec)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040110D(C)
|
:004010EF 3303 xor eax, dword ptr [ebx]
:004010F1 50 push eax
:004010F2 57 push edi
:004010F3 8BE8 mov ebp, eax
:004010F5 E806FFFFFF call 00401000
================================================================================
================================函数F(xl)
================================================================================
:00401000 8B4C2408 mov ecx, dword ptr [esp+08]
:00401004 53 push ebx
:00401005 8AC1 mov al, cl
:00401007 56 push esi
:00401008 25FF000000 and eax, 000000FF
:0040100D 57 push edi
:0040100E C1E908 shr ecx, 08
:00401011 8BD0 mov edx, eax
:00401013 8AC1 mov al, cl
:00401015 8B7C2410 mov edi, dword ptr [esp+10]
:00401019 25FF000000 and eax, 000000FF
:0040101E C1E908 shr ecx, 08
:00401021 8BF0 mov esi, eax
:00401023 8BC1 mov eax, ecx
:00401025 C1E808 shr eax, 08
:00401028 25FF000000 and eax, 000000FF
:0040102D 81E1FF000000 and ecx, 000000FF
:00401033 81E6FFFF0000 and esi, 0000FFFF
:00401039 81E2FFFF0000 and edx, 0000FFFF
:0040103F 8B448748 mov eax, dword ptr [edi+4*eax+48]
:00401043 8B9C8F48040000 mov ebx, dword ptr [edi+4*ecx+00000448]
:0040104A 8B8CB748080000 mov ecx, dword ptr [edi+4*esi+00000848]
:00401051 03C3 add eax, ebx
:00401053 33C1 xor eax, ecx
:00401055 8B8C97480C0000 mov ecx, dword ptr [edi+4*edx+00000C48]
:0040105C 5F pop edi
:0040105D 5E pop esi
:0040105E 03C1 add eax, ecx
:00401060 5B pop ebx
:00401061 C3 ret
================================================================================
================================end 函数F(xl)
================================================================================
:004010FA 8B4C241C mov ecx, dword ptr [esp+1C]
:004010FE 83C408 add esp, 00000008
:00401101 33C6 xor eax, esi
:00401103 83EB04 sub ebx, 00000004
:00401106 49 dec ecx
:00401107 8BF5 mov esi, ebp
:00401109 894C2414 mov dword ptr [esp+14], ecx
:0040110D 75E0 jne 004010EF
:0040110F 8B4F04 mov ecx, dword ptr [edi+04]
:00401112 8B17 mov edx, dword ptr [edi]
:00401114 33C8 xor ecx, eax
:00401116 8B442418 mov eax, dword ptr [esp+18]
:0040111A 33D6 xor edx, esi
:0040111C 5F pop edi
:0040111D 8910 mov dword ptr [eax], edx
:0040111F 8B542418 mov edx, dword ptr [esp+18]
:00401123 5E pop esi
:00401124 5D pop ebp
:00401125 890A mov dword ptr [edx], ecx
:00401127 5B pop ebx
:00401128 C3 ret
=========================BF_Dec过程分析完毕====================================
:004015E5 8B442464 mov eax, dword ptr [esp+64]
:004015E9 8B0DF0994000 mov ecx, dword ptr [004099F0]
:004015EF 83C41C add esp, 0000001C
:004015F2 3BC1 cmp eax, ecx=============>
:004015F4 7529 jne 0040161F
:004015F6 8B4C244C mov ecx, dword ptr [esp+4C]
:004015FA A1EC994000 mov eax, dword ptr [004099EC]=======>我们的找到这个数据的来源,
======================================================================>我们定义为Yl,Yr
==========================================================>我们定义输入的注册码为Ml,Mr
==============================================>即有Blowfish_Dec(Ml,Mr)=Yl,Yr
==============================================>所以Blowfish_Enc(Yl,Yr)=Ml,Mr
==========================================================>我们还需要key
:004015FF 3BC8 cmp ecx, eax=============>两次比较
:00401601 751C jne 0040161F
:00401603 6A30 push 00000030
...........
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者
京公网安备 11010802021500号