Cryptography reversing & miracl study notes -- RSA200
Source: Internet  Published by: 下载淘宝特卖  Editor: 程序博客网  Time: 2024/05/29 01:56
c00lw0lf/CHAOS
Date: 2004-02-19
Tools: Ollydbg, RSATool2, miracl, VC under WIN2K
Difficulty: average
Note: I got this CrackMe before the New Year and only today was in the mood to play with it ^o^
=================================================================
Without further ado: after running it, the About box says it is rsa-200. Load it in Ollydbg, bpx GetDlgItemTextA, and it breaks here:
00401074 |. E8 AD010000 CALL <JMP.&user32.GetDlgItemTextA> ; GetDlgItemTextA //get the name
00401079 |. 83F8 05 CMP EAX,5
0040107C |. 0F82 92010000 JB keygenme.00401214 //shorter than 5 and you're done for
00401082 |. 83F8 14 CMP EAX,14
00401085 |. 0F87 89010000 JA keygenme.00401214 //longer than 20 and you're done for
0040108B |. A3 29444000 MOV DWORD PTR DS:[404429],EAX
00401090 |. 68 96000000 PUSH 96 ; /Count = 96 (150.)
00401095 |. 68 49434000 PUSH keygenme.00404349 ; |Buffer = keygenme.00404349
0040109A |. 68 12270000 PUSH 2712 ; |ControlID = 2712 (10002.)
0040109F |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004010A2 |. E8 7F010000 CALL <JMP.&user32.GetDlgItemTextA> ; GetDlgItemTextA //get the serial
004010A7 |. 84C0 TEST AL,AL
004010A9 |. 0F84 65010000 JE keygenme.00401214
004010AF |. 8D35 49434000 LEA ESI,DWORD PTR DS:[404349]
004010B5 |> AC /LODS BYTE PTR DS:[ESI]
004010B6 |. 84C0 |TEST AL,AL
004010B8 |. 74 1E |JE SHORT keygenme.004010D8
004010BA |. 3C 30 |CMP AL,30
004010BC |. 0F82 52010000 |JB keygenme.00401214
004010C2 |. 3C 39 |CMP AL,39
004010C4 |.^76 EF |JBE SHORT keygenme.004010B5 //loop: each serial character must be 0-9 or A-F
004010C6 |. 3C 41 |CMP AL,41
004010C8 |. 0F82 46010000 |JB keygenme.00401214
004010CE |. 3C 46 |CMP AL,46
004010D0 |. 0F87 3E010000 |JA keygenme.00401214
004010D6 |.^EB DD JMP SHORT keygenme.004010B5
004010D8 |> 33C9 XOR ECX,ECX
004010DA |> 6A 00 /PUSH 0
004010DC |. E8 6F010000 |CALL keygenme.00401250 //generates what?
004010E1 |. 89048D 1144400>|MOV DWORD PTR DS:[ECX*4+404411],EAX
004010E8 |. 41 |INC ECX
004010E9 |. 83F9 06 |CMP ECX,6 //6 of them
004010EC |.^75 EC JNZ SHORT keygenme.004010DA
004010EE |. FF35 11444000 PUSH DWORD PTR DS:[404411] ; /Arg3 = 00F50000
004010F4 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
004010F6 |. 68 1F404000 PUSH keygenme.0040401F ; |Arg1 = 0040401F ASCII "8ACFB4D27CBC8C2024A30C9417BBCA41AF3FC3BD9BDFF97F89" //this is certainly N
004010FB |. E8 F3020000 CALL keygenme.004013F3 ; keygenme.004013F3
00401100 |. FF35 15444000 PUSH DWORD PTR DS:[404415] ; /Arg3 = 00F60000
00401106 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
00401108 |. 68 19404000 PUSH keygenme.00404019 ; |Arg1 = 00404019 ASCII "10001" //E
0040110D |. E8 E1020000 CALL keygenme.004013F3 ; keygenme.004013F3
00401112 |. FF35 25444000 PUSH DWORD PTR DS:[404425] ; /Arg3 = 00FA0000
00401118 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
0040111A |. 68 49434000 PUSH keygenme.00404349 ; |Arg1 = 00404349 ASCII "1212" //my bogus serial
0040111F |. E8 CF020000 CALL keygenme.004013F3 ; keygenme.004013F3
//If you step into keygenme.004013F3 you will find that it converts the string we entered into a big number, equivalent to the cinstr function in the miracl library
00401124 |. 68 30434000 PUSH keygenme.00404330 ; /String = "CoolWolF"
00401129 |. E8 16010000 CALL <JMP.&kernel32.lstrlenA> ; lstrlenA
//Now that N is known, RSAtool2 or another cryptography tool can factor it into p and q. On my machine this takes about 8 minutes; it is 200 bits, after all
//Also note that the number base is 16 (hex)
//The factorization gives: p=970E1A438A10E069571BDCCBB, q=EB3FFE9F5C761995147C7A28B
0040112E |. FF35 19444000 PUSH DWORD PTR DS:[404419]
00401134 |. 50 PUSH EAX //EAX = length of the username
00401135 |. 68 30434000 PUSH keygenme.00404330 ; ASCII "CoolWolF"
0040113A |. E8 0D020000 CALL keygenme.0040134C
//This CALL converts the username (that many bytes) into a big number, equivalent to bytes_to_big in the miracl library
//From 0040113F on, after every step use "Follow in Dump" to look at the memory contents; that makes it easy to tell what each value is for
0040113F |. FF35 21444000 PUSH DWORD PTR DS:[404421] //C, still 0 at this point
00401145 |. FF35 11444000 PUSH DWORD PTR DS:[404411] //N
0040114B |. FF35 15444000 PUSH DWORD PTR DS:[404415] //E
00401151 |. FF35 25444000 PUSH DWORD PTR DS:[404425] //the serial we entered
00401157 |. E8 A8100000 CALL keygenme.00402204 //the key CALL, step into it
=================================
00402204 /$ 55 PUSH EBP
00402205 |. 8BEC MOV EBP,ESP
00402207 |. 53 PUSH EBX
00402208 |. 51 PUSH ECX
00402209 |. 57 PUSH EDI
0040220A |. 56 PUSH ESI
0040220B |. 8B5D 10 MOV EBX,DWORD PTR SS:[EBP+10]
0040220E |. 833B 00 CMP DWORD PTR DS:[EBX],0
00402211 |. 74 5D JE SHORT keygenme.00402270
00402213 |. 6A 01 PUSH 1
00402215 |. E8 36F0FFFF CALL keygenme.00401250
0040221A |. 8BF8 MOV EDI,EAX
0040221C |. 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
0040221F |. 8B0E MOV ECX,DWORD PTR DS:[ESI]
00402221 |. 85C9 TEST ECX,ECX
00402223 |. 74 32 JE SHORT keygenme.00402257
00402225 |. C1E1 05 SHL ECX,5
00402228 |. 49 DEC ECX
00402229 |. 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
0040222C |> 57 /PUSH EDI ; /Arg3
0040222D |. 57 |PUSH EDI ; |Arg2
0040222E |. 57 |PUSH EDI ; |Arg1
0040222F |. E8 40FAFFFF |CALL keygenme.00401C74 ; keygenme.00401C74
00402234 |. 57 |PUSH EDI ; /Arg3
00402235 |. 53 |PUSH EBX ; |Arg2
00402236 |. 57 |PUSH EDI ; |Arg1
00402237 |. E8 CAFDFFFF |CALL keygenme.00402006 ; keygenme.00402006
0040223C |. 0FA34E 04 |BT DWORD PTR DS:[ESI+4],ECX
00402240 |. 73 12 |JNB SHORT keygenme.00402254
00402242 |. 57 |PUSH EDI ; /Arg3
00402243 |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; |Arg2
00402246 |. 57 |PUSH EDI ; |Arg1
00402247 |. E8 28FAFFFF |CALL keygenme.00401C74 ; keygenme.00401C74
0040224C |. 57 |PUSH EDI ; /Arg3
0040224D |. 53 |PUSH EBX ; |Arg2
0040224E |. 57 |PUSH EDI ; |Arg1
0040224F |. E8 B2FDFFFF |CALL keygenme.00402006 ; keygenme.00402006
00402254 |> 49 |DEC ECX
00402255 |.^79 D5 JNS SHORT keygenme.0040222C
00402257 |> FF75 14 PUSH DWORD PTR SS:[EBP+14]
0040225A |. 57 PUSH EDI
0040225B |. E8 39F0FFFF CALL keygenme.00401299
00402260 |. 57 PUSH EDI
00402261 |. E8 17F0FFFF CALL keygenme.0040127D
00402266 |. 33C0 XOR EAX,EAX
00402268 |. 5E POP ESI
00402269 |. 5F POP EDI
0040226A |. 59 POP ECX
0040226B |. 5B POP EBX
0040226C |. C9 LEAVE
0040226D |. C2 1000 RETN 10
//This CALL computes [404421], i.e. C, with the formula C = serial^e mod n, equivalent to powmod in the miracl library
0040115C |. B8 37130000 MOV EAX,1337 //we don't know what 1337 means yet, but it is certainly used; note it down
00401161 |. 6A 00 PUSH 0 ; /Arg4 = 00000000 //0
00401163 |. FF35 1D444000 PUSH DWORD PTR DS:[40441D] ; |Arg3 = 00F80000 //not used before; let's call it X
00401169 |. 50 PUSH EAX ; |Arg2 => 00001337 //the mysterious 1337
0040116A |. FF35 21444000 PUSH DWORD PTR DS:[404421] ; |Arg1 = 00F90000 //404421, the C just computed
00401170 |. E8 B20B0000 CALL keygenme.00401D27 ; keygenme.00401D27 //step in and take a look
=========================================
00401D27 /$ 55 PUSH EBP
00401D28 |. 8BEC MOV EBP,ESP
00401D2A |. 83C4 F8 ADD ESP,-8
00401D2D |. 53 PUSH EBX
00401D2E |. 51 PUSH ECX
00401D2F |. 57 PUSH EDI
00401D30 |. 56 PUSH ESI
00401D31 |. 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
00401D34 |. 85DB TEST EBX,EBX
00401D36 |. 0F84 B6000000 JE keygenme.00401DF2
00401D3C |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00401D3F |. 8B0E MOV ECX,DWORD PTR DS:[ESI]
00401D41 |. 6A 00 PUSH 0
00401D43 |. E8 08F5FFFF CALL keygenme.00401250
00401D48 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401D4B |. 49 DEC ECX
00401D4C |. 0F84 8C000000 JE keygenme.00401DDE
00401D52 |. 0F88 A7000000 JS keygenme.00401DFF
00401D58 |. 41 INC ECX
00401D59 |. C1E1 05 SHL ECX,5
00401D5C |. 49 DEC ECX
00401D5D |. 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
00401D60 |. C707 01000000 MOV DWORD PTR DS:[EDI],1
00401D66 |. BB 00000000 MOV EBX,0
00401D6B |. 90 NOP
00401D6C |> 0FA34E 04 /BT DWORD PTR DS:[ESI+4],ECX
00401D70 |. 72 03 |JB SHORT keygenme.00401D75
00401D72 |. 49 |DEC ECX
00401D73 |.^EB F7 JMP SHORT keygenme.00401D6C
00401D75 |> 53 /PUSH EBX
00401D76 |. 8B17 |MOV EDX,DWORD PTR DS:[EDI]
00401D78 |. 8BDF |MOV EBX,EDI
00401D7A |. 83C3 04 |ADD EBX,4
00401D7D |. F8 |CLC
00401D7E |. 8BFF |MOV EDI,EDI
00401D80 |> D113 |/RCL DWORD PTR DS:[EBX],1
00401D82 |. 8D5B 04 ||LEA EBX,DWORD PTR DS:[EBX+4]
00401D85 |. 4A ||DEC EDX
00401D86 |.^75 F8 |JNZ SHORT keygenme.00401D80
00401D88 |. 73 04 |JNB SHORT keygenme.00401D8E
00401D8A |. FF03 |INC DWORD PTR DS:[EBX]
00401D8C |. FF07 |INC DWORD PTR DS:[EDI]
00401D8E |> 5B |POP EBX
00401D8F |. D1E3 |SHL EBX,1
00401D91 |. 0FA34E 04 |BT DWORD PTR DS:[ESI+4],ECX
00401D95 |. 0F92C0 |SETB AL
00401D98 |. 0FB6C0 |MOVZX EAX,AL
00401D9B |. 0BD8 |OR EBX,EAX
00401D9D |. 3B5D 0C |CMP EBX,DWORD PTR SS:[EBP+C]
00401DA0 |. 7C 07 |JL SHORT keygenme.00401DA9
00401DA2 |. 2B5D 0C |SUB EBX,DWORD PTR SS:[EBP+C]
00401DA5 |. 804F 04 01 |OR BYTE PTR DS:[EDI+4],1
00401DA9 |> 49 |DEC ECX
00401DAA |.^79 C9 JNS SHORT keygenme.00401D75
00401DAC |> 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
00401DB0 |. 74 0B JE SHORT keygenme.00401DBD
00401DB2 |. FF75 10 PUSH DWORD PTR SS:[EBP+10]
00401DB5 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
00401DB8 |. E8 DCF4FFFF CALL keygenme.00401299
00401DBD |> 837D 14 00 CMP DWORD PTR SS:[EBP+14],0
00401DC1 |. 74 09 JE SHORT keygenme.00401DCC
00401DC3 |. FF75 14 PUSH DWORD PTR SS:[EBP+14]
00401DC6 |. 53 PUSH EBX
00401DC7 |. E8 FDF5FFFF CALL keygenme.004013C9
00401DCC |> FF75 FC PUSH DWORD PTR SS:[EBP-4]
00401DCF |. E8 A9F4FFFF CALL keygenme.0040127D
00401DD4 |. 8BC3 MOV EAX,EBX
00401DD6 |. 5E POP ESI
00401DD7 |. 5F POP EDI
00401DD8 |. 59 POP ECX
00401DD9 |. 5B POP EBX
00401DDA |. C9 LEAVE
00401DDB |. C2 1000 RETN 10
//A big pile of code like this makes your head spin. Same approach as before: keep watching the dump to work out what the program actually does.
//We arrive at this formula: X = C / 1337 (hex), equivalent to divide in the miracl library
00401175 |. FF35 1D444000 PUSH DWORD PTR DS:[40441D] //40441D is X
0040117B |. FF35 19444000 PUSH DWORD PTR DS:[404419] //our name
00401181 |. E8 41010000 CALL keygenme.004012C7 //compare: if X == Name we're OK
00401186 |. 75 14 JNZ SHORT keygenme.0040119C //different and you're done for
00401188 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040118A |. 68 14404000 PUSH keygenme.00404014 ; |Title = "iNFO"
0040118F |. 68 04404000 PUSH keygenme.00404004 ; |Text = "Serial is valid"
00401194 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401197 |. E8 90000000 CALL <JMP.&user32.MessageBoxA> ; MessageBoxA
=======================================================
Summary (make sure you have read the miracl Users Manual; the prototypes and descriptions of every function used here can be found there):
1. Convert the initial data to big numbers (cinstr & bytes_to_big)
2. C = Name * 1337 (hex)
3. Let our serial be S; then S = C^D mod N (powmod). Since N, P and Q are known, D is easily computed with RSATool: D=32593252229255151794D86C1A09C7AFCC2CCE42D440F55A2D
4. Now write the keygen~
The CrackMe, the keygen and its source code can be downloaded here
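The four steps above, as an added Python example that is not the CrackMe's or the author's own code: it reconstructs the program's serial check from the disassembly and the keygen that inverts it. Only N, E, p, q and D are values from this write-up; the function names and the reading of bytes_to_big as a big-endian integer are my assumptions.

```python
# Added example (not from the write-up or the keygenme): the RSA-200 serial
# check reconstructed from the disassembly, plus the keygen that inverts it.
# N, E, P, Q and D_PAGE are the values given in the write-up.
N = int("8ACFB4D27CBC8C2024A30C9417BBCA41AF3FC3BD9BDFF97F89", 16)
E = 0x10001
P = int("970E1A438A10E069571BDCCBB", 16)   # factors recovered with RSATool2
Q = int("EB3FFE9F5C761995147C7A28B", 16)
D_PAGE = int("32593252229255151794D86C1A09C7AFCC2CCE42D440F55A2D", 16)
MAGIC = 0x1337                             # the constant loaded at 0040115C


def bytes_to_big(name: str) -> int:
    """miracl bytes_to_big: the name's bytes read as a big-endian integer (assumption)."""
    return int.from_bytes(name.encode("ascii"), "big")


def factors_match() -> bool:
    """Sanity check: the two factors from the write-up multiply to the embedded N."""
    return P * Q == N


def private_exponent() -> int:
    """Recompute d = e^-1 mod (p-1)(q-1) from the recovered factors."""
    return pow(E, -1, (P - 1) * (Q - 1))


def check_serial(name: str, serial_hex: str) -> bool:
    """The program's check: C = S^E mod N (powmod), X = C / 0x1337 (divide),
    accept iff X == bytes_to_big(name). Also mirrors the name-length and
    hex-charset filters at 00401079..004010D6."""
    if not 5 <= len(name) <= 20:
        return False
    if not serial_hex or any(c not in "0123456789ABCDEF" for c in serial_hex):
        return False
    c = pow(int(serial_hex, 16), E, N)
    return c // MAGIC == bytes_to_big(name)


def keygen(name: str, d=None) -> str:
    """Invert the check: C = Name * 0x1337, S = C^d mod N, returned as hex."""
    if d is None:
        d = private_exponent()
    c = bytes_to_big(name) * MAGIC
    assert c < N  # 20 bytes * 0x1337 is at most 173 bits, so C never wraps mod N
    return format(pow(c, d, N), "X")


if __name__ == "__main__":
    print("serial for CoolWolF:", keygen("CoolWolF"))
    print("RSATool's D agrees with recomputed d:", D_PAGE == private_exponent())
```

Because N is only 200 bits, anyone who extracts it from the binary can factor it and derive d, so a scheme like this provides no protection against a keygen.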
c00lw0lf/CHAOS
2004-02-19