[转载]变形的 MD5(页 1) - 工程学类分支{ Engineering Column } - 逆向工程[ Reverse Engineering ] - 邪恶八进制信息安全团队技术讨论组努力为祖国的信息安全撑起一片蓝天

pub!1c 2006-1-23 10:59

[转载]变形的 MD5

文章作者:rdsnow[BCG][PYG][D.4s]
【破文作者】rdsnow[BCG][PYG][D.4s] 【作者主页】<A href="http://rdsnow.ys168.com/" target=_blank>[url]http://rdsnow.ys168.com[/url]</A> 【E-mail】<A href="mailto:rdsnow@163.com">rdsnow@163.com</A> 【作者QQ】83757177 【文章题目】变形的MD5 【软件名称】AutoRunProEnterprise 【软件版本】V4.0.0.32 【下载地址】<A href="http://www.longtion.com/" target=_blank>[url]http://www.longtion.com[/url]</A> ---------------------------------------------------------------------------------------- 【加密方式】序列号 【破解工具】ODbyDYKv1.10[05.09] 【软件限制】功能限制 【破解平台】MicrosoftWindowsXPProfessional 【平台版本】5.1.2600ServicePack2内部版本号2600 ---------------------------------------------------------------------------------------- 【软件简介】 AutoRunProEnterprisecancreate,editprofessionalautoruninterfaceandgenerateautorunfilesforCD/DVDsinaWYSIWYGenvironment. Displayaprofessionalandbeautifulinterfaceforuserstoopenorexecutefiles,printdocuments,sende-mail,visitWebsites,browseCDs, playsound,musicandsoon,whenyourCDisinserted.It'sfastandeasytouse.AnyonecanquicklycreateautorunCD-ROMswithinminutes. 【文章简介】 我编程只有5、6年前学习的一点turboc的基础，为了学习编程，一般的程序都是尽可能的学出keygen，这下遇到了个采用变形MD5算法的软件，也来试了下。 给变形的MD5的程序要写出keygen，必须找到变形的地方，然后在标准MD5源码中作出相应的修改。 ---------------------------------------------------------------------------------------- 【破解过程】 程序注册窗口要输入三个编辑框：username，serial和key，从后面代码看出serial的前四位必须是"0018" 所以输入： username＝rdsnow[BCG][PYG][D.4s] serial＝001812345678cdef key＝9898989832323232 因为有注册码错误的对话框，所以很容易找到关键的地方。 00562BD2.8B8314030000MOVEAX,DWORDPTR[EBX+314] 00562BD8.E83F78F1FFCALLAutoRunP.0047A41C;取得username 00562BDD.8B45E4MOVEAX,DWORDPTR[EBP-1C] 00562BE0.8D55FCLEAEDX,DWORDPTR[EBP-4] 00562BE3.E88460EAFFCALLAutoRunP.00408C6C 00562BE8.8D55E0LEAEDX,DWORDPTR[EBP-20] 00562BEB.8B83F8020000MOVEAX,DWORDPTR[EBX+2F8] 00562BF1.E82678F1FFCALLAutoRunP.0047A41C;取得serial 00562BF6.8B45E0MOVEAX,DWORDPTR[EBP-20] 00562BF9.8D55F8LEAEDX,DWORDPTR[EBP-8] 00562BFC.E86B60EAFFCALLAutoRunP.00408C6C 00562C01.8D55DCLEAEDX,DWORDPTR[EBP-24] 00562C04.8B83FC020000MOVEAX,DWORDPTR[EBX+2FC] 00562C0A.E80D78F1FFCALLAutoRunP.0047A41C;取得key 00562C0F.8B45DCMOVEAX,DWORDPTR[EBP-24] 00562C12.8D55F4LEAEDX,DWORDPTR[EBP-C] 00562C15.E85260EAFFCALLAutoRunP.00408C6C 00562C1A.8B45F4MOVEAX,DWORDPTR[EBP-C] 00562C1D.50PUSHEAX;压入key 00562C1E.A1709E5600MOVEAX,DWORDPTR[569E70] 00562C23.8B00MOVEAX,DWORDPTR[EAX] 00562C25.8B4DF8MOVECX,DWORDPTR[EBP-8];serial 00562C28.8B55FCMOVEDX,DWORDPTR[EBP-4];username 00562C2B.E85466FFFFCALLAutoRunP.00559284;关键CALL 00562C30.84C0TESTAL,AL 00562C32.751DJNZSHORTAutoRunP.00562C51;关键跳转 00562C34.6A10PUSH10 00562C36.B9602D5600MOVECX,AutoRunP.00562D60;ASCII"Register" 00562C3B.BA6C2D5600MOVEDX,AutoRunP.00562D6C;ASCII"Incompleteorincorrectinformation." 00562C40.A15CA15600MOVEAX,DWORDPTR[56A15C] 00562C45.8B00MOVEAX,DWORDPTR[EAX] 00562C47.E8788DF3FFCALLAutoRunP.0049B9C4;错误的对话框 00562C4C.E9C8000000JMPAutoRunP.00562D19 00562C51>33C0XOREAX,EAX 如果是爆破，不建议在00562C32关键跳转处改跳转，应该跟进关键CALL,修改注册标志 ---------------------------------------------------------------------------------------- 下面就跟进吧： 005592F5.8B45E4MOVEAX,DWORDPTR[EBP-1C] 005592F8.E8F7B3EAFFCALLAutoRunP.004046F4;取Serial的长度 005592FD.8BD8MOVEBX,EAX 005592FF.83FB01CMPEBX,1 00559302.7C1EJLSHORTAutoRunP.00559322;Serial为空就跳走 00559304>8B45E4MOVEAX,DWORDPTR[EBP-1C] 00559307.807C18FF20CMPBYTEPTR[EAX+EBX-1],20 0055930C.750FJNZSHORTAutoRunP.0055931D 0055930E.8D45E4LEAEAX,DWORDPTR[EBP-1C] 00559311.B901000000MOVECX,1 00559316.8BD3MOVEDX,EBX 00559318.E877B6EAFFCALLAutoRunP.00404994;去掉Serial中的空格 0055931D>4BDECEBX 0055931E.85DBTESTEBX,EBX 00559320.^75E2JNZSHORTAutoRunP.00559304 00559322>8B45E0MOVEAX,DWORDPTR[EBP-20] 00559325.E8CAB3EAFFCALLAutoRunP.004046F4;取key的长度 0055932A.8BD8MOVEBX,EAX 0055932C.83FB01CMPEBX,1 0055932F.7C1EJLSHORTAutoRunP.0055934F;key为空就跳走 00559331>8B45E0MOVEAX,DWORDPTR[EBP-20] 00559334.807C18FF20CMPBYTEPTR[EAX+EBX-1],20 00559339.750FJNZSHORTAutoRunP.0055934A 0055933B.8D45E0LEAEAX,DWORDPTR[EBP-20] 0055933E.B901000000MOVECX,1 00559343.8BD3MOVEDX,EBX 00559345.E84AB6EAFFCALLAutoRunP.00404994;去掉key中的空格 0055934A>4BDECEBX 0055934B.85DBTESTEBX,EBX 0055934D.^75E2JNZSHORTAutoRunP.00559331 0055934F>8B45E4MOVEAX,DWORDPTR[EBP-1C] 00559352.E89DB3EAFFCALLAutoRunP.004046F4;取Serial的长度 00559357.83F810CMPEAX,10 0055935A.0F8598010000JNZAutoRunP.005594F8;Serial的长度不等于16就跳走 00559360.8B45E0MOVEAX,DWORDPTR[EBP-20] 00559363.E88CB3EAFFCALLAutoRunP.004046F4;取key的长度 00559368.83F810CMPEAX,10 0055936B.0F8587010000JNZAutoRunP.005594F8;key的长度不等于16就跳走 00559371.33C0XOREAX,EAX 00559373.55PUSHEBP 00559374.684B945500PUSHAutoRunP.0055944B 00559379.64:FF30PUSHDWORDPTRFS:[EAX] 0055937C.64:8920MOVDWORDPTRFS:[EAX],ESP 0055937F.8D45D4LEAEAX,DWORDPTR[EBP-2C] 00559382.50PUSHEAX 00559383.B908000000MOVECX,8 00559388.BA01000000MOVEDX,1 0055938D.8B45E4MOVEAX,DWORDPTR[EBP-1C] 00559390.E8BFB5EAFFCALLAutoRunP.00404954;取Serial的前8个字符 00559395.8B4DD4MOVECX,DWORDPTR[EBP-2C] 00559398.8D45D8LEAEAX,DWORDPTR[EBP-28] 0055939B.BA3C955500MOVEDX,AutoRunP.0055953C 005593A0.E89BB3EAFFCALLAutoRunP.00404740;准备转换 005593A5.8B45D8MOVEAX,DWORDPTR[EBP-28] 005593A8.E863FCEAFFCALLAutoRunP.00409010;将8个字符组成的Hex文本转为数值a 005593AD.8945F8MOVDWORDPTR[EBP-8],EAX;保存a进inbuff 005593B0.8D45CCLEAEAX,DWORDPTR[EBP-34] 005593B3.50PUSHEAX 005593B4.B908000000MOVECX,8 005593B9.BA09000000MOVEDX,9 005593BE.8B45E4MOVEAX,DWORDPTR[EBP-1C] 005593C1.E88EB5EAFFCALLAutoRunP.00404954;取Serial的后8个字符 005593C6.8B4DCCMOVECX,DWORDPTR[EBP-34] 005593C9.8D45D0LEAEAX,DWORDPTR[EBP-30] 005593CC.BA3C955500MOVEDX,AutoRunP.0055953C 005593D1.E86AB3EAFFCALLAutoRunP.00404740;准备转换 005593D6.8B45D0MOVEAX,DWORDPTR[EBP-30] 005593D9.E832FCEAFFCALLAutoRunP.00409010;将8个字符组成的Hex文本转为数值b 005593DE.8945F4MOVDWORDPTR[EBP-C],EAX;保存b进入inbuff 005593E1.8D45C4LEAEAX,DWORDPTR[EBP-3C] 005593E4.50PUSHEAX 005593E5.B908000000MOVECX,8 005593EA.BA01000000MOVEDX,1 005593EF.8B45E0MOVEAX,DWORDPTR[EBP-20] 005593F2.E85DB5EAFFCALLAutoRunP.00404954;取key的前8个字符 005593F7.8B4DC4MOVECX,DWORDPTR[EBP-3C] 005593FA.8D45C8LEAEAX,DWORDPTR[EBP-38] 005593FD.BA3C955500MOVEDX,AutoRunP.0055953C 00559402.E839B3EAFFCALLAutoRunP.00404740;准备转换 00559407.8B45C8MOVEAX,DWORDPTR[EBP-38] 0055940A.E801FCEAFFCALLAutoRunP.00409010;将8个字符组成的Hex文本转为数值c 0055940F.8BD8MOVEBX,EAX;c保存到EBX 00559411.8D45BCLEAEAX,DWORDPTR[EBP-44] 00559414.50PUSHEAX 00559415.B908000000MOVECX,8 0055941A.BA09000000MOVEDX,9 0055941F.8B45E0MOVEAX,DWORDPTR[EBP-20] 00559422.E82DB5EAFFCALLAutoRunP.00404954;取key的后8个字符 00559427.8B4DBCMOVECX,DWORDPTR[EBP-44] 0055942A.8D45C0LEAEAX,DWORDPTR[EBP-40] 0055942D.BA3C955500MOVEDX,AutoRunP.0055953C 00559432.E809B3EAFFCALLAutoRunP.00404740;准备转换 00559437.8B45C0MOVEAX,DWORDPTR[EBP-40] 0055943A.E8D1FBEAFFCALLAutoRunP.00409010;将8个字符组成的Hex文本转为数值d 0055943F.8BF0MOVESI,EAX;d保存到ESI 00559441.33C0XOREAX,EAX 00559443.5APOPEDX 00559444.59POPECX 00559445.59POPECX 00559446.64:8910MOVDWORDPTRFS:[EAX],EDX 00559449.EB14JMPSHORTAutoRunP.0055945F 0055944B.^E990A6EAFFJMPAutoRunP.00403AE0 00559450.E8F3A9EAFFCALLAutoRunP.00403E48 00559455.E99E000000JMPAutoRunP.005594F8 0055945A.E8E9A9EAFFCALLAutoRunP.00403E48 0055945F>8B45F4MOVEAX,DWORDPTR[EBP-C];取出b 00559462.83E00FANDEAX,0F;取b的低4位 00559465.8945DCMOVDWORDPTR[EBP-24],EAX;保存,他会作为其中一个注册标志，不要等于0 00559468.8B45F8MOVEAX,DWORDPTR[EBP-8];取出a 0055946B.C1E810SHREAX,10;取a的高16位 0055946E.66:83F818CMPAX,18 00559472.0F8580000000JNZAutoRunP.005594F8;a的高16位不等于0x18就跳 00559478.8B45F8MOVEAX,DWORDPTR[EBP-8];取a 0055947B.8945F0MOVDWORDPTR[EBP-10],EAX;保存a进inbuff 0055947E.8B45F4MOVEAX,DWORDPTR[EBP-C];取b 00559481.8945ECMOVDWORDPTR[EBP-14],EAX;保存b进inbuff 00559484.8B45F8MOVEAX,DWORDPTR[EBP-8];取a 00559487.25FFFF0000ANDEAX,0FFFF;取a的低16位 0055948C.8BF8MOVEDI,EAX 0055948E.C1E710SHLEDI,10;放在32位数据的高16位 00559491.8B45F4MOVEAX,DWORDPTR[EBP-C];取b的高16位 00559494.C1E810SHREAX,10;放在32位数据的低16位 00559497.03F8ADDEDI,EAX;a的高16位和b的低16位拼成一个32位数值 00559499.8D45ECLEAEAX,DWORDPTR[EBP-14] 0055949C.50PUSHEAX;此时inbuff在内存中显示成baba 0055949D.8D4DF0LEAECX,DWORDPTR[EBP-10] 005594A0.8D55F4LEAEDX,DWORDPTR[EBP-C] 005594A3.8D45F8LEAEAX,DWORDPTR[EBP-8] 005594A6.E8295DFCFFCALLAutoRunP.0051F1D4;baba组成的128位进行MD5编码 005594AB.3B5DF8CMPEBX,DWORDPTR[EBP-8];c跟MD5结果的前32位比较 005594AE.7511JNZSHORTAutoRunP.005594C1 005594B0.3B75F4CMPESI,DWORDPTR[EBP-C];d跟MD5结果的32-64位比较 005594B3.750CJNZSHORTAutoRunP.005594C1;即key跟MD5结果的前64位比较 005594B5.8B45E8MOVEAX,DWORDPTR[EBP-18];取name 005594B8.E8FF5BFCFFCALLAutoRunP.0051F0BC;计算serial 005594BD.3BF8CMPEDI,EAX 005594BF.7404JESHORTAutoRunP.005594C5 005594C1>33C0XOREAX,EAX;＝0 005594C3.EB02JMPSHORTAutoRunP.005594C7 005594C5>B001MOVAL,1;＝1 005594C7>8845FFMOVBYTEPTR[EBP-1],AL;保存注册标志 005594CA.807DFF00CMPBYTEPTR[EBP-1],0;判断注册标志是不是0 005594CE.7428JESHORTAutoRunP.005594F8 005594D0.837DDC00CMPDWORDPTR[EBP-24],0;判断另外一个注册标志是不是0 005594D4.750AJNZSHORTAutoRunP.005594E0 程序是这样判断的：serial和key都是16个字符组成。 1、看serial的前4位是不是"0018"，serial的最后一位不能是'0' 2、将serial填充到inbuff中，注意，因为程序是用dword传送的，所以内存中低位在前，高位在后，我的serial在buff中显示成： 0012F104EFCD785634121800EFCD785634121800锿xV4.锿xV4. 3、inbuff中数据进行变形MD5编码，得到 0012F104E5F90F72A3469E09B25AABE343EE3D3F妁r?瞆C?? 4、这个结果从后面开始的3F3DEE43AB5AB209组成的字符串"3F3DEE43AB5AB209"是个符合要求的key是个符合要求的serial，但是这个时候serial还没有 得到验证，所以用serial生成的key只能躲过第一次跳转。 5、程序把serial的验证放在最后。 ---------------------------------------------------------------------------------------- 大致跟了下serial的生成，前四位必须是"0018"，中间8个字符由username生成，最后四位任意。 跟进，在005594B8CALLAutoRunP.0051F0BC来到： 0051F0E6|.8B45ECMOVEAX,DWORDPTR[EBP-14] 0051F0E9|.E80656EEFFCALLAutoRunP.004046F4;取name的长度Length 0051F0EE|.2507000080ANDEAX,80000007;长度%8,准备下面消息分组 0051F0F3|.7905JNSSHORTAutoRunP.0051F0FA 0051F0F5|.48DECEAX 0051F0F6|.83C8F8OREAX,FFFFFFF8 0051F0F9|.40INCEAX 0051F0FA|>BA08000000MOVEDX,8 0051F0FF|.2BD0SUBEDX,EAX;8-余数＝在用户名的后面添加0的个数 0051F101|.8BC2MOVEAX,EDX 0051F103|.8BD8MOVEBX,EAX 0051F105|.85DBTESTEBX,EBX 0051F107|.7E10JLESHORTAutoRunP.0051F119 0051F109|>8D45EC/LEAEAX,DWORDPTR[EBP-14] 0051F10C|.BAB0F15100|MOVEDX,AutoRunP.0051F1B0 0051F111|.E8E655EEFF|CALLAutoRunP.004046FC;在用户名信息后面添加0 0051F116|.4B|DECEBX 0051F117|.^75F0\JNZSHORTAutoRunP.0051F109 这个地方要小心的是即使用户名本身的长度是8的倍数，也会在后面加上8个0，不是8的倍数，正好通过补0，补0后的用户名的长度应该是8的倍数。 0051F119|>8B45ECMOVEAX,DWORDPTR[EBP-14] 0051F11C|.E8D355EEFFCALLAutoRunP.004046F4 0051F121|.33D2XOREDX,EDX 0051F123|.8955FCMOVDWORDPTR[EBP-4],EDX 0051F126|.33D2XOREDX,EDX 0051F128|.8955F8MOVDWORDPTR[EBP-8],EDX 0051F12B|.8BD8MOVEBX,EAX 0051F12D|.85DBTESTEBX,EBX 0051F12F|.7903JNSSHORTAutoRunP.0051F134 0051F131|.83C307ADDEBX,7 0051F134|>C1FB03SAREBX,3 0051F137|.4BDECEBX 0051F138|.85DBTESTEBX,EBX 0051F13A|.7C3EJLSHORTAutoRunP.0051F17A 0051F13C|.43INCEBX 0051F13D|.33F6XORESI,ESI 0051F13F|>8D45E8/LEAEAX,DWORDPTR[EBP-18] 0051F142|.50|PUSHEAX 0051F143|.8BD6|MOVEDX,ESI 0051F145|.C1E203|SHLEDX,3 0051F148|.42|INCEDX 0051F149|.B908000000|MOVECX,8 0051F14E|.8B45EC|MOVEAX,DWORDPTR[EBP-14] 0051F151|.E8FE57EEFF|CALLAutoRunP.00404954;取出分组后的各组消息，每组8个字符 0051F156|.8B45E8|MOVEAX,DWORDPTR[EBP-18] 0051F159|.8D4DF0|LEAECX,DWORDPTR[EBP-10] 0051F15C|.8D55F4|LEAEDX,DWORDPTR[EBP-C] 0051F15F|.E8D0FEFFFF|CALLAutoRunP.0051F034;将得到的8个字符顺序颠倒,并填入inbuff息的高64位 0051F164|.8D45F0|LEAEAX,DWORDPTR[EBP-10] 0051F167|.50|PUSHEAX 0051F168|.8D4DF4|LEAECX,DWORDPTR[EBP-C] 0051F16B|.8D55F8|LEAEDX,DWORDPTR[EBP-8] 0051F16E|.8D45FC|LEAEAX,DWORDPTR[EBP-4] 0051F171|.E85E000000|CALLAutoRunP.0051F1D4;MD5(inbuff) 0051F176|.46|INCESI 0051F177|.4B|DECEBX 0051F178|.^75C5\JNZSHORTAutoRunP.0051F13F 0051F17A|>8B5DFCMOVEBX,DWORDPTR[EBP-4] 0051F17D|.33C0XOREAX,EAX 这里就是将用户名添0后成8字节的倍数，然后分成n组，分别用每一组消息修改inbuff的前8个字节，然后进行MD5编码，循环n次。 ---------------------------------------------------------------------------------------- 要写出keygen，必须跟进CALLAutoRunP.0051F034，跟进MD5函数 0051F1FF|.64:8920MOVDWORDPTRFS:[EAX],ESP 0051F202|.C745E46745>MOVDWORDPTR[EBP-1C],1234567;传递四个链接变量(已经变形) 0051F209|.C745E8EFCD>MOVDWORDPTR[EBP-18],89ABCDE> 0051F210|.C745ECDCFE>MOVDWORDPTR[EBP-14],BA98FED> 0051F217|.C745F02143>MOVDWORDPTR[EBP-10],7650432> ★★★★★变形1★★★★★ 这里已经不是： A＝0x67452301 B＝0xefcdab89 C＝0x98badcfe D＝0x10325476 找到一个变形 0051F21E|.8B45F0MOVEAX,DWORDPTR[EBP-10] 0051F221|.8903MOVDWORDPTR[EBX],EAX;复制四个链接变量的副本 0051F223|.8B45ECMOVEAX,DWORDPTR[EBP-14] 0051F226|.8906MOVDWORDPTR[ESI],EAX;复制四个链接变量的副本 0051F228|.8B45E8MOVEAX,DWORDPTR[EBP-18] 0051F22B|.8907MOVDWORDPTR[EDI],EAX;复制四个链接变量的副本 0051F22D|.8B45E4MOVEAX,DWORDPTR[EBP-1C] 0051F230|.8945D4MOVDWORDPTR[EBP-2C],EAX;复制四个链接变量的副本 0051F233|.6A10PUSH10 0051F235|.8D45D0LEAEAX,DWORDPTR[EBP-30] 0051F238|.B901000000MOVECX,1 0051F23D|.8B15B4F15100MOVEDX,DWORDPTR[51F1B4];AutoRunP.0051F1B8 0051F243|.E87465EEFFCALLAutoRunP.004057BC 0051F248|.83C404ADDESP,4;下面将128位信息填充成512位 0051F24B|.8B45FCMOVEAX,DWORDPTR[EBP-4] 0051F24E|.8B00MOVEAX,DWORDPTR[EAX] 0051F250|.8B55D0MOVEDX,DWORDPTR[EBP-30] 0051F253|.8902MOVDWORDPTR[EDX],EAX;填充 ……………………（总共有16个填充） 0051F2EF|.8B45FCMOVEAX,DWORDPTR[EBP-4] 0051F2F2|.8B00MOVEAX,DWORDPTR[EAX] 0051F2F4|.8B55D0MOVEDX,DWORDPTR[EBP-30] 0051F2F7|.89423CMOVDWORDPTR[EDX+3C],EAX;填充 0051F2FA|.8B45D4MOVEAX,DWORDPTR[EBP-2C] ★★★★★变形2★★★★★ 和标准的MD5的填充不一样，并不是加个1在消息后然后填充0，最后附上消息长度 而是将消息分为四个dword，逆序、顺序、逆序、顺序填充成512位 比如消息是： 0012F104313233343536373839304142434445461234567890ABCDEF 填充后是： 0106CF7443444546393041423536373831323334CDEF90AB56781234 0106CF84313233343536373839304142434445461234567890ABCDEF 0106CF9443444546393041423536373831323334CDEF90AB56781234 0106CFA4313233343536373839304142434445461234567890ABCDEF //-------------round1-------------// 0051F2FD|.50PUSHEAX;/Arg4 0051F2FE|.8B45D0MOVEAX,DWORDPTR[EBP-30];| 0051F301|.8B00MOVEAX,DWORDPTR[EAX];| 0051F303|.50PUSHEAX;|Arg3 0051F304|.6A07PUSH7;|Arg2=00000007 0051F306|.6878A46AD7PUSHD76AA478;|Arg1=D76AA478 0051F30B|.8BC3MOVEAX,EBX;| 0051F30D|.8B0FMOVECX,DWORDPTR[EDI];| 0051F30F|.8B16MOVEDX,DWORDPTR[ESI];| 0051F311|.E8CE070000CALLAutoRunP.0051FAE4;\AutoRunP.0051FAE4 0051F316|.8B07MOVEAX,DWORDPTR[EDI] …………………… 0051F4C2|.8B17MOVEDX,DWORDPTR[EDI];| 0051F4C4|.E81B060000CALLAutoRunP.0051FAE4;\AutoRunP.0051FAE4 0051F4C9|.8B45D4MOVEAX,DWORDPTR[EBP-2C] //-------------round2-------------// 0051F4CC|.50PUSHEAX;/Arg4 0051F4CD|.8B45D0MOVEAX,DWORDPTR[EBP-30];| 0051F4D0|.8B4004MOVEAX,DWORDPTR[EAX+4];| 0051F4D3|.50PUSHEAX;|Arg3 0051F4D4|.6A05PUSH5;|Arg2=00000005 0051F4D6|.6862251EF6PUSHF61E2562;|Arg1=F61E2562 0051F4DB|.8BC3MOVEAX,EBX;| 0051F4DD|.8B0FMOVECX,DWORDPTR[EDI];| 0051F4DF|.8B16MOVEDX,DWORDPTR[ESI];| 0051F4E1|.E83A060000CALLAutoRunP.0051FB20;\AutoRunP.0051FB20 0051F4E6|.8B07MOVEAX,DWORDPTR[EDI] …………………… 0051F691|.8B17MOVEDX,DWORDPTR[EDI];| 0051F693|.E888040000CALLAutoRunP.0051FB20;\AutoRunP.0051FB20 0051F698|.8B45D4MOVEAX,DWORDPTR[EBP-2C] //-------------round3-------------// 0051F69B|.50PUSHEAX;/Arg4 0051F69C|.8B45D0MOVEAX,DWORDPTR[EBP-30];| 0051F69F|.8B4014MOVEAX,DWORDPTR[EAX+14];| 0051F6A2|.50PUSHEAX;|Arg3 0051F6A3|.6A04PUSH4;|Arg2=00000004 0051F6A5|.684239FAFFPUSHFFFA3942;|Arg1=FFFA3942 0051F6AA|.8BC3MOVEAX,EBX;| 0051F6AC|.8B0FMOVECX,DWORDPTR[EDI];| 0051F6AE|.8B16MOVEDX,DWORDPTR[ESI];| 0051F6B0|.E8A7040000CALLAutoRunP.0051FB5C;\AutoRunP.0051FB5C 0051F6B5|.8B07MOVEAX,DWORDPTR[EDI] …………………… 0051F860|.8B17MOVEDX,DWORDPTR[EDI];| 0051F862|.E8F5020000CALLAutoRunP.0051FB5C;\AutoRunP.0051FB5C 0051F867|.8B45D4MOVEAX,DWORDPTR[EBP-2C] //-------------round4-------------// 0051F86A|.50PUSHEAX;/Arg4 0051F86B|.8B45D0MOVEAX,DWORDPTR[EBP-30];| 0051F86E|.8B00MOVEAX,DWORDPTR[EAX];| 0051F870|.50PUSHEAX;|Arg3 0051F871|.6A06PUSH6;|Arg2=00000006 0051F873|.68442229F4PUSHF4292244;|Arg1=F4292244 0051F878|.8BC3MOVEAX,EBX;| 0051F87A|.8B0FMOVECX,DWORDPTR[EDI];| 0051F87C|.8B16MOVEDX,DWORDPTR[ESI];| 0051F87E|.E815030000CALLAutoRunP.0051FB98;\AutoRunP.0051FB98 0051F883|.8B07MOVEAX,DWORDPTR[EDI] …………………… 0051FA2F|.8B17MOVEDX,DWORDPTR[EDI];| 0051FA31|.E862010000CALLAutoRunP.0051FB98;\AutoRunP.0051FB98 0051FA36|.8B45F0MOVEAX,DWORDPTR[EBP-10] 0051FA39|.0303ADDEAX,DWORDPTR[EBX];+d 0051FA3B|.8B55FCMOVEDX,DWORDPTR[EBP-4] 0051FA3E|.8902MOVDWORDPTR[EDX],EAX;save 0051FA40|.8B45ECMOVEAX,DWORDPTR[EBP-14] 0051FA43|.0306ADDEAX,DWORDPTR[ESI];+c 0051FA45|.8B55F8MOVEDX,DWORDPTR[EBP-8] 0051FA48|.8902MOVDWORDPTR[EDX],EAX;save 0051FA4A|.8B45E8MOVEAX,DWORDPTR[EBP-18] 0051FA4D|.0307ADDEAX,DWORDPTR[EDI];+b 0051FA4F|.8B55F4MOVEDX,DWORDPTR[EBP-C] 0051FA52|.8902MOVDWORDPTR[EDX],EAX;save 0051FA54|.8B45E4MOVEAX,DWORDPTR[EBP-1C] 0051FA57|.0345D4ADDEAX,DWORDPTR[EBP-2C];+a 0051FA5A|.8B5508MOVEDX,DWORDPTR[EBP+8] 0051FA5D|.8902MOVDWORDPTR[EDX],EAX;save ★★★★★变形3★★★★★ 跟进后发现HASH函数本身没有变形，但是参与运算的链接变量的顺序变化了。 ---------------------------------------------------------------------------------------- 【破解心得】 要得到正确的serial和key，按照下面的流程： 先对用户名添0后分成n组，再反序，分别用每一组消息修改inbuff的前8个字节，然后进行MD5编码，循环n次后，结果的最后32位作为dword转为十六进制 文本作为serial的中间8个字符。 然后前面接上"0018",后面接上长度是4的任意16进制文本，总共16个字符作为serial 将serial填入inbuff的高64位，同时也填入低64位，MD5(inbuff)得到key 这个MD5有三处变形，变形没有什么新意，还是老一套： (1)四个变量的变形 (2)数据填充变形 (3)参与HASH运算的变量的顺序变形，HASH本身没有变形。 ---------------------------------------------------------------------------------------- 【注册机源码】 因为程序只对128位消息进行MD5编码，为了便于编辑，没有采用类，大家直接看吧。 //响应Generate按钮 voidCkeygenDlg::OnOK() { //TODO:Addextravalidationhere CkeygenDlg::OnChangeEdit1(); } voidCkeygenDlg::OnChangeEdit1() { //TODO:IfthisisaRICHEDITcontrol,thecontrolwillnot //sendthisnotificationunlessyouoverridetheCDialog::OnInitDialog() //functionandcallCRichEditCtrl().SetEventMask() //withtheENM_CHANGEflagORedintothemask. //TODO:Addyourcontrolnotificationhandlercodehere UpdateData(true); Beep(1000,50); charinbuff[16]={0},name[12]; unsignedlongstate[4]; inti,n,namelen; //对用户名处理 namelen=m_Edit1.GetLength(); n=namelen>>3; for(i=0;i<n;i++){ strcpy(name,m_Edit1.Mid(i<<3,8))//取用户名的8个字符 strrev(name);//将8个字符顺序反转 memcpy(inbuff,name,8);//复制到待加密信息的高64位 MD5(inbuff,state);//MD5编码 memcpy(inbuff,state,16);//替换掉待加密信息 } n=namelen&7;//判断用户名有没有处理完毕 strcpy(name,m_Edit1.Mid(i<<3,n));;//取出剩余字符 strrev(name);//剩余字符顺序反转 i=8-n;//计算补0的个数 memset(inbuff,0,i);//将0填入待加密信息 memcpy(inbuff+i,name,n);//将反转字符填入待加密信息 MD5(inbuff,state);//MD5编码 m_Edit2.Format("%08X",state[3]);//将State[3]转为16进制字符串作为Serial的一部分 m_Edit2.Insert(0,"0018");//serial前面插入"0018" n=rand(); sprintf(inbuff,"%04X",n); m_Edit2+=inbuff;//serial的最后四位任意，并且传递给编辑框 memcpy(inbuff,&n,2); memcpy(inbuff+2,state+3,4); inbuff[6]=char(0x18); inbuff[7]=char(0); memcpy(inbuff+8,inbuff,8);//serial填充到inbuff MD5(inbuff,state);//对serialMD5编码 sprintf(inbuff,"%08X",state[2]); m_Edit3.Format("%08X",state[3]);//取state[2]和state[2]作为Code m_Edit3+=inbuff;//将code传递给编辑框 UpdateData(false); } //将128待加密信息填充成512位，即16个整数 voidCkeygenDlg::FillBuff(unsignedlong*buff,char*inbuff) { int*from=(int*)inbuff; buff[3]=*from;buff[2]=*(from+1);buff[1]=*(from+2);buff[0]=*(from+3); buff[4]=*from;buff[5]=*(from+1);buff[6]=*(from+2);buff[7]=*(from+3); buff[11]=*from;buff[10]=*(from+1);buff[9]=*(from+2);buff[8]=*(from+3); buff[12]=*from;buff[13]=*(from+1);buff[14]=*(from+2);buff[15]=*(from+3); } //四个函数定义1FF unsignedlongCkeygenDlg::FF(unsignedlonga,unsignedlongb,unsignedlongc,unsignedlongd,unsignedlongx,bytes,unsignedlongac) { a=((b&c)|((~b)&d))+a+x+ac; a=(a<<s)|(a>>(32-s)); a+=b; returna; } //四个函数定义2GG unsignedlongCkeygenDlg::GG(unsignedlonga,unsignedlongb,unsignedlongc,unsignedlongd,unsignedlongx,bytes,unsignedlongac) { a=((b&d)|(c&(~d)))+a+x+ac; a=(a<<s)|(a>>(32-s)); a+=b; returna; } //四个函数定义3HH unsignedlongCkeygenDlg::HH(unsignedlonga,unsignedlongb,unsignedlongc,unsignedlongd,unsignedlongx,bytes,unsignedlongac) { a=(b^c^d)+a+x+ac; a=(a<<s)|(a>>(32-s)); a+=b; returna; } //四个函数定义4II unsignedlongCkeygenDlg::II(unsignedlonga,unsignedlongb,unsignedlongc,unsignedlongd,unsignedlongx,bytes,unsignedlongac) { a=(c^(b|(~d)))+a+x+ac; a=(a<<s)|(a>>(32-s)); a+=b; returna; } //MD5运算主函数待加密信息保存在在inbuff中，结果保存在state[4]中 voidCkeygenDlg::MD5(char*inbuff,unsignedlong*state) { unsignedlongcontext[16]; state[0]=0x1234567; state[1]=0x89ABCDEF; state[2]=0xBA98FEDC; state[3]=0x76504321; FillBuff(context,inbuff); //-------------round1-------------// state[3]=FF(state[3],state[2],state[1],state[0],context[0],7,0xd76aa478);//-1 state[0]=FF(state[0],state[3],state[2],state[1],context[1],12,0xe8c7b756);//-2 state[1]=FF(state[1],state[0],state[3],state[2],context[2],17,0x242070db);//-3 state[2]=FF(state[2],state[1],state[0],state[3],context[3],22,0xc1bdceee);//-4 state[3]=FF(state[3],state[2],state[1],state[0],context[4],7,0xf57c0faf);//-5 state[0]=FF(state[0],state[3],state[2],state[1],context[5],12,0x4787c62a);//-6 state[1]=FF(state[1],state[0],state[3],state[2],context[6],17,0xa8304613);//-7 state[2]=FF(state[2],state[1],state[0],state[3],context[7],22,0xfd469501);//-8 state[3]=FF(state[3],state[2],state[1],state[0],context[8],7,0x698098d8);//-9 state[0]=FF(state[0],state[3],state[2],state[1],context[9],12,0x8b44f7af);//-10 state[1]=FF(state[1],state[0],state[3],state[2],context[10],17,0xffff5bb1);//-11 state[2]=FF(state[2],state[1],state[0],state[3],context[11],22,0x895cd7be);//-12 state[3]=FF(state[3],state[2],state[1],state[0],context[12],7,0x6b901122);//-13 state[0]=FF(state[0],state[3],state[2],state[1],context[13],12,0xfd987193);//-14 state[1]=FF(state[1],state[0],state[3],state[2],context[14],17,0xa679438e);//-15 state[2]=FF(state[2],state[1],state[0],state[3],context[15],22,0x49b40821);//-16 //-------------round2-------------// state[3]=GG(state[3],state[2],state[1],state[0],context[1],5,0xf61e2562);//-17 state[0]=GG(state[0],state[3],state[2],state[1],context[6],9,0xc040b340);//-18 state[1]=GG(state[1],state[0],state[3],state[2],context[11],14,0x265e5a51);//-19 state[2]=GG(state[2],state[1],state[0],state[3],context[0],20,0xe9b6c7aa);//-20 state[3]=GG(state[3],state[2],state[1],state[0],context[5],5,0xd62f105d);//-21 state[0]=GG(state[0],state[3],state[2],state[1],context[10],9,0x2441453);//-22 state[1]=GG(state[1],state[0],state[3],state[2],context[15],14,0xd8a1e681);//-23 state[2]=GG(state[2],state[1],state[0],state[3],context[4],20,0xe7d3fbc8);//-24 state[3]=GG(state[3],state[2],state[1],state[0],context[9],5,0x21e1cde6);//-25 state[0]=GG(state[0],state[3],state[2],state[1],context[14],9,0xc33707d6);//-26 state[1]=GG(state[1],state[0],state[3],state[2],context[3],14,0xf4d50d87);//-27 state[2]=GG(state[2],state[1],state[0],state[3],context[8],20,0x455a14ed);//-28 state[3]=GG(state[3],state[2],state[1],state[0],context[13],5,0xa9e3e905);//-28 state[0]=GG(state[0],state[3],state[2],state[1],context[2],9,0xfcefa3f8);//-30 state[1]=GG(state[1],state[0],state[3],state[2],context[7],14,0x676f02d9);//-31 state[2]=GG(state[2],state[1],state[0],state[3],context[12],20,0x8d2a4c8a);//-32 //-------------round3-------------// state[3]=HH(state[3],state[2],state[1],state[0],context[5],4,0xfffa3942);//-33 state[0]=HH(state[0],state[3],state[2],state[1],context[8],11,0x8771f681);//-34 state[1]=HH(state[1],state[0],state[3],state[2],context[11],16,0x6d9d6122);//-35 state[2]=HH(state[2],state[1],state[0],state[3],context[14],23,0xfde5380c);//-36 state[3]=HH(state[3],state[2],state[1],state[0],context[1],4,0xa4beea44);//-37 state[0]=HH(state[0],state[3],state[2],state[1],context[4],11,0x4bdecfa9);//-38 state[1]=HH(state[1],state[0],state[3],state[2],context[7],16,0xf6bb4b60);//-39 state[2]=HH(state[2],state[1],state[0],state[3],context[10],23,0xbebfbc70);//-40 state[3]=HH(state[3],state[2],state[1],state[0],context[13],4,0x289b7ec6);//-41 state[0]=HH(state[0],state[3],state[2],state[1],context[0],11,0xeaa127fa);//-42 state[1]=HH(state[1],state[0],state[3],state[2],context[3],16,0xd4ef3085);//-43 state[2]=HH(state[2],state[1],state[0],state[3],context[6],23,0x4881d05);//-44 state[3]=HH(state[3],state[2],state[1],state[0],context[9],4,0xd9d4d039);//-45 state[0]=HH(state[0],state[3],state[2],state[1],context[12],11,0xe6db99e5);//-46 state[1]=HH(state[1],state[0],state[3],state[2],context[15],16,0x1fa27cf8);//-47 state[2]=HH(state[2],state[1],state[0],state[3],context[2],23,0xc4ac5665);//-48 //-------------round4-------------// state[3]=II(state[3],state[2],state[1],state[0],context[0],6,0xf4292244);//-49 state[0]=II(state[0],state[3],state[2],state[1],context[7],10,0x432aff97);//-50 state[1]=II(state[1],state[0],state[3],state[2],context[14],15,0xab9423a7);//-51 state[2]=II(state[2],state[1],state[0],state[3],context[5],21,0xfc93a039);//-52 state[3]=II(state[3],state[2],state[1],state[0],context[12],6,0x655b59c3);//-53 state[0]=II(state[0],state[3],state[2],state[1],context[3],10,0x8f0ccc92);//-54 state[1]=II(state[1],state[0],state[3],state[2],context[10],15,0xffeff47d);//-55 state[2]=II(state[2],state[1],state[0],state[3],context[1],21,0x85845dd1);//-56 state[3]=II(state[3],state[2],state[1],state[0],context[8],6,0x6fa87e4f);//-57 state[0]=II(state[0],state[3],state[2],state[1],context[15],10,0xfe2ce6e0);//-58 state[1]=II(state[1],state[0],state[3],state[2],context[6],15,0xa3014314);//-59 state[2]=II(state[2],state[1],state[0],state[3],context[13],21,0x4e0811a1);//-60 state[3]=II(state[3],state[2],state[1],state[0],context[4],6,0xf7537e82);//-61 state[0]=II(state[0],state[3],state[2],state[1],context[11],10,0xbd3af235);//-62 state[1]=II(state[1],state[0],state[3],state[2],context[2],15,0x2ad7d2bb);//-63 state[2]=II(state[2],state[1],state[0],state[3],context[9],21,0xeb86d391);//-64 state[0]+=0x1234567; state[1]+=0x89ABCDEF; state[2]+=0xBA98FEDC; state[3]+=0x76504321; } ---------------------------------------------------------------------------------------- 【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享:) 【版权声明】本文纯属技术交流,转载请注明作者并保持文章的完整,谢谢! ---------------------------------------------------------------------------------------- 文章写于2006-1-2118:10:17

页: [1]

邪恶八进制信息安全团队技术讨论组's Archiver

[转载]变形的 MD5