扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
在本页阅读全文(共6页)
刚分析了BF_Dec过程,再来分析一个Enc过程:
======================================================================
其实BF_Enc过程与BF_Dec完全一样,只是使用P-Box顺序到过来了
======================================================================
:00401070 8B442408 mov eax, dword ptr [esp+08]
:00401074 8B4C240C mov ecx, dword ptr [esp+0C]
:00401078 53 push ebx
:00401079 55 push ebp
:0040107A 8B00 mov eax, dword ptr [eax]
:0040107C 56 push esi
:0040107D 8B31 mov esi, dword ptr [ecx]
:0040107F 57 push edi
:00401080 8B7C2414 mov edi, dword ptr [esp+14]
:00401084 C744241410000000 mov [esp+14], 00000010
:0040108C 8BDF mov ebx, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010AC(C)
|
:0040108E 3303 xor eax, dword ptr [ebx]
:00401090 50 push eax
:00401091 57 push edi
:00401092 8BE8 mov ebp, eax
:00401094 E867FFFFFF call 00401000<=========函数F(xl),参见上面的分析
:00401099 8B4C241C mov ecx, dword ptr [esp+1C]
:0040109D 83C408 add esp, 00000008
:004010A0 33C6 xor eax, esi
:004010A2 83C304 add ebx, 00000004
:004010A5 49 dec ecx
:004010A6 8BF5 mov esi, ebp
:004010A8 894C2414 mov dword ptr [esp+14], ecx
:004010AC 75E0 jne 0040108E
:004010AE 8B4F40 mov ecx, dword ptr [edi+40]
:004010B1 8B5744 mov edx, dword ptr [edi+44]
:004010B4 33C8 xor ecx, eax
:004010B6 8B442418 mov eax, dword ptr [esp+18]
:004010BA 33D6 xor edx, esi
:004010BC 5F pop edi
:004010BD 8910 mov dword ptr [eax], edx
:004010BF 8B542418 mov edx, dword ptr [esp+18]
:004010C3 5E pop esi
:004010C4 5D pop ebp
:004010C5 890A mov dword ptr [edx], ecx
:004010C7 5B pop ebx
:004010C8 C3 ret
========================BF_Enc分析完毕================================
最后再来一个Init_Key的过程分析:
======================================================================
:00401130 51 push ecx
:00401131 53 push ebx
:00401132 55 push ebp
:00401133 56 push esi
:00401134 8B742414 mov esi, dword ptr [esp+14]
:00401138 57 push edi
:00401139 B898614000 mov eax, 00406198
:0040113E 8D4E48 lea ecx, dword ptr [esi+48]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401158(C)
|
:00401141 BA00010000 mov edx, 00000100
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401151(C)
|
:00401146 8B38 mov edi, dword ptr [eax]==========>S-Box
:00401148 83C004 add eax, 00000004
:0040114B 8939 mov dword ptr [ecx], edi
:0040114D 83C104 add ecx, 00000004
:00401150 4A dec edx
:00401151 75F3 jne 00401146
:00401153 3D98714000 cmp eax, 00407198
:00401158 7CE7 jl 00401141
:0040115A 8B6C2420 mov ebp, dword ptr [esp+20]
:0040115E 8B54241C mov edx, dword ptr [esp+1C]
:00401162 BF50614000 mov edi, 00406150
:00401167 33C0 xor eax, eax
:00401169 2BFE sub edi, esi
:0040116B C744241012000000 mov [esp+10], 00000012
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011AD(C)
|
:00401173 33C9 xor ecx, ecx
:00401175 C744242004000000 mov [esp+20], 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401197(C)
|
:0040117D 33DB xor ebx, ebx
:0040117F 8A1C10 mov bl, byte ptr [eax+edx]
:00401182 C1E108 shl ecx, 08
:00401185 0BCB or ecx, ebx
:00401187 40 inc eax
:00401188 3BC5 cmp eax, ebp
:0040118A 7C02 jl 0040118E
:0040118C 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040118A(C)
|
:0040118E 8B5C2420 mov ebx, dword ptr [esp+20]
:00401192 4B dec ebx
:00401193 895C2420 mov dword ptr [esp+20], ebx
:00401197 75E4 jne 0040117D
:00401199 8B1C37 mov ebx, dword ptr [edi+esi]
:0040119C 83C604 add esi, 00000004
:0040119F 33D9 xor ebx, ecx
:004011A1 8B4C2410 mov ecx, dword ptr [esp+10]
:004011A5 895EFC mov dword ptr [esi-04], ebx
:004011A8 49 dec ecx
:004011A9 894C2410 mov dword ptr [esp+10], ecx
:004011AD 75C4 jne 00401173
:004011AF 8B5C2418 mov ebx, dword ptr [esp+18]
:004011B3 33C0 xor eax, eax
:004011B5 89442420 mov dword ptr [esp+20], eax
:004011B9 8944241C mov dword ptr [esp+1C], eax
:004011BD 8BF3 mov esi, ebx
:004011BF BF09000000 mov edi, 00000009
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011E8(C)
|
:004011C4 8D44241C lea eax, dword ptr [esp+1C]
:004011C8 8D4C2420 lea ecx, dword ptr [esp+20]
:004011CC 50 push eax
:004011CD 51 push ecx
:004011CE 53 push ebx
:004011CF E89CFEFFFF call 00401070================>BF_Enc(0,0,key)
:004011D4 8B54242C mov edx, dword ptr [esp+2C]
:004011D8 8B442428 mov eax, dword ptr [esp+28]
:004011DC 8916 mov dword ptr [esi], edx
:004011DE 894604 mov dword ptr [esi+04], eax
:004011E1 83C40C add esp, 0000000C
:004011E4 83C608 add esi, 00000008
:004011E7 4F dec edi
:004011E8 75DA jne 004011C4
:004011EA 8D734C lea esi, dword ptr [ebx+4C]
:004011ED BD04000000 mov ebp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040121E(C)
|
:004011F2 BF80000000 mov edi, 00000080
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040121B(C)
|
:004011F7 8D4C241C lea ecx, dword ptr [esp+1C]
:004011FB 8D542420 lea edx, dword ptr [esp+20]
:004011FF 51 push ecx
:00401200 52 push edx
:00401201 53 push ebx
:00401202 E869FEFFFF call 00401070================>BF_Enc(xl,xr,key)
:00401207 8B44242C mov eax, dword ptr [esp+2C]
:0040120B 8B4C2428 mov ecx, dword ptr [esp+28]
:0040120F 8946FC mov dword ptr [esi-04], eax
:00401212 890E mov dword ptr [esi], ecx
:00401214 83C40C add esp, 0000000C
:00401217 83C608 add esi, 00000008
:0040121A 4F dec edi
:0040121B 75DA jne 004011F7
:0040121D 4D dec ebp
:0040121E 75D2 jne 004011F2
:00401220 5F pop edi
:00401221 5E pop esi
:00401222 5D pop ebp
:00401223 5B pop ebx
:00401224 59 pop ecx
:00401225 C3 ret
======================Init_Key过程分析完毕============================ ======================================================================
======================================================================
======================================================================
=============================分析详细总结=============================
======================================================================
======================================================================
=====>BF_Enc(ComputerID,key="ChinaCrackingGroup");
* Possible StringData Ref from Data Obj ->"ChinaCrackingGroup"
:00401434 6830804000 push 00408030
:00401439 6880894000 push 00408980
:0040143E E8EDFCFFFF call 00401130===>Init_Key
...........
:00401667 68EC994000 push 004099EC
:0040166C 68F0994000 push 004099F0
:00401671 6880894000 push 00408980
:00401676 E8F5F9FFFF call 00401070===>BF_Enc
=====>BF_Enc(ComputerID,key="ChinaCrackingGroup");
======================================================================
======================================================================
=====>BF_Dec(Code,key="CrackingForFun")
* Possible StringData Ref from Data Obj ->"CrackingForFun"
|
:004016C1 6844804000 push 00408044
:004016C6 6880894000 push 00408980
:004016CB E860FAFFFF call 00401130===>Init_Key
...........
:004015D9 51 push ecx
:004015DA 52 push edx
:004015DB 6880894000 push 00408980
:004015E0 E8EBFAFFFF call 004010D0===>BF_Dec
=====>BF_Dec(Code,key="CrackingForFun")
======================================================================
======================================================================
=====>BF_Enc("blowfish",key=ProductID)
:0040131F 6880894000 push 00408980
:00401324 E807FEFFFF call 00401130===>Init_Key
:00401329 68EC994000 push 004099EC
:0040132E 68F0994000 push 004099F0
:00401333 6880894000 push 00408980
:00401338 C705F0994000626C6F77 mov dword ptr [004099F0], 776F6C62
:00401342 C705EC99400066697368 mov dword ptr [004099EC], 68736966
:0040134C E81FFDFFFF call 00401070===>BF_Enc
=====>BF_Enc("blowfish",key=ProductID)
======================================================================
======================================================================
=====>最后分析结果
ComputerID=BF_Enc("blowfish",key=ProductID)
x=BF_Dec(Code,key="CrackingForFun")
y=BF_Enc(ComputerID,key="ChinaCrackingGroup")
x=y则注册成功;
我们要得到正确的注册码,那么
Code=BF_Enc(x,key="CrackingForFun");
=BF_Enc(y,key="CrackingForFun");
=BF_Enc(BF_Enc(ComputerID,key="ChinaCrackingGroup"),key="CrackingForFun");
如果更进一步,那么
=BF_Enc(BF_Enc(BF_Enc("blowfish",
key=ProductID),
key="ChinaCrackingGroup"),
key="CrackingForFun");
这样我们便可以编写它的keygen了
=====>
======================================================================
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者
京公网安备 11010802021500号