邪恶八进制信息安全团队技术讨论组's Archiver

pub!1c 2006-2-1 22:59

[转载][RSA的另类爆破] RM to AVI MPEG WMV VCD SVCD DVD Converter 2.7

<P><FONT color=#666686>文章作者: cyto</FONT></P>
<P><FONT face=宋体>RMtoAVIMPEGWMVVCDSVCDDVDConverter2.7<BR><BR>说明:程序使用RSA加密的,N有82位十六进制,太难分解了,于是想到捏造一个N替换它,然后逆推注册码就完美的爆破它了。<BR>终于在除夕夜完成爆破,以此文辞旧迎新!祝大家春节快乐,身体健康,合家平安,万事如意!<BR><BR>1.重启验证,注册后生成一个文件:rmtoall.ini<BR>[Options]<BR>User=cyto<BR>Pass=87654321012345678<BR><BR>2.查壳脱壳:<BR>PEID:ASPack2.12->AlexeySolodovnikov<BR>OD载入:<BR>00595001r>60pushad;入口点<BR>00595002E803000000callrmtoall.0059500A<BR>...<BR>005953AF61popad<BR>005953B07508jnzshortrmtoall.005953BA<BR>005953B2B801000000moveax,1<BR>005953B7C20C00retn0C<BR>005953BA683C4E5000pushrmtoall.00504E3C<BR>005953BFC3retn<BR>dump,BorlandDelphi6.0-7.0<BR>运行ok。<BR><BR>3.注册码存在ini文件里,下断kernel.GetPrivateProfileStringA<BR>断下返回,上下翻翻,发现是读ini文件的内容,比如user,pass:<BR>0050481Fmovecx,up-rmto.005048E4;ASCII"User"<BR>00504851movecx,up-rmto.00504904;ASCII"Pass"<BR>然后返回到:<BR>00504FC3|.E8E8F7FFFFcallup-rmto.005047B0;取得ini内容<BR>00504FC8|.A158815000moveax,dwordptrds:[508158]<BR>00504FCD|.833800cmpdwordptrds:[eax],0;用户名是否为空?<BR>00504FD0|.0F84EE000000jeup-rmto.005050C4<BR>00504FD6|.A118825000moveax,dwordptrds:[508218]<BR>00504FDB|.833800cmpdwordptrds:[eax],0;注册码是否为空?<BR>00504FDE|.0F84E0000000jeup-rmto.005050C4<BR>00504FE4|.B860A05000moveax,up-rmto.0050A060<BR>00504FE9|.8B1518825000movedx,dwordptrds:[508218];up-rmto.00509FA8<BR>00504FEF|.8B12movedx,dwordptrds:[edx]<BR>00504FF1|.E8B2F4EFFFcallup-rmto.004044A8<BR>00504FF6|.BA44A05000movedx,up-rmto.0050A044<BR>00504FFB|.A160A05000moveax,dwordptrds:[50A060]<BR>00505000|.E823CBFFFFcallup-rmto.00501B28;输入的注册码处理<BR>00505005|.B860A05000moveax,up-rmto.0050A060<BR>0050500A|.E845F4EFFFcallup-rmto.00404454<BR>0050500F|.8D55E8leaedx,dwordptrss:[ebp-18]<BR>00505012|.A1AC815000moveax,dwordptrds:[5081AC]<BR>00505017|.8B00moveax,dwordptrds:[eax]<BR>00505019|.8B8050040000moveax,dwordptrds:[eax+450]<BR>0050501F|.E88CF5F5FFcallup-rmto.004645B0;取字符串A=RSA(E)<BR>00505024|.8B45E8moveax,dwordptrss:[ebp-18];E=65537=10001(H)<BR>00505027|.8D55ECleaedx,dwordptrss:[ebp-14]<BR>0050502A|.E8B53AF0FFcallup-rmto.00408AE4<BR>0050502F|.8B45ECmoveax,dwordptrss:[ebp-14]<BR>00505032|.BA48A05000movedx,up-rmto.0050A048<BR>00505037|.E8E0CEFFFFcallup-rmto.00501F1C;对E的处理<BR>0050503C|.8D55E0leaedx,dwordptrss:[ebp-20]<BR>0050503F|.A1AC815000moveax,dwordptrds:[5081AC]<BR>00505044|.8B00moveax,dwordptrds:[eax]<BR>00505046|.8B8054040000moveax,dwordptrds:[eax+454]<BR>0050504C|.E85FF5F5FFcallup-rmto.004645B0;取字符串B=RSA(N)<BR>00505051|.8B45E0moveax,dwordptrss:[ebp-20];N<BR>00505054|.8D55E4leaedx,dwordptrss:[ebp-1C]<BR>00505057|.E8883AF0FFcallup-rmto.00408AE4<BR>0050505C|.8B45E4moveax,dwordptrss:[ebp-1C]<BR>0050505F|.BA50A05000movedx,up-rmto.0050A050<BR>00505064|.E8B3CEFFFFcallup-rmto.00501F1C;对N的处理<BR>00505069|.6858A05000pushup-rmto.0050A058<BR>0050506E|.6858A05000pushup-rmto.0050A058<BR>00505073|.6858A05000pushup-rmto.0050A058<BR>00505078|.6858A05000pushup-rmto.0050A058<BR>0050507D|.6860A05000pushup-rmto.0050A060<BR>00505082|.B950A05000movecx,up-rmto.0050A050<BR>00505087|.BA48A05000movedx,up-rmto.0050A048<BR>0050508C|.A144A05000moveax,dwordptrds:[50A044];转换后的十六进制<BR>00505091|.E8EAF2FFFFcallup-rmto.00504380;RSA加密<BR>00505096|.A118825000moveax,dwordptrds:[508218]<BR>0050509B|.8B1560A05000movedx,dwordptrds:[50A060]<BR>005050A1|.E802F4EFFFcallup-rmto.004044A8<BR>005050A6|.B848A05000moveax,up-rmto.0050A048<BR>005050AB|.E8E4D0FFFFcallup-rmto.00502194<BR>005050B0|.B850A05000moveax,up-rmto.0050A050<BR>005050B5|.E8DAD0FFFFcallup-rmto.00502194<BR>005050BA|.B858A05000moveax,up-rmto.0050A058<BR>005050BF|.E8D0D0FFFFcallup-rmto.00502194<BR>005050C4|>A158815000moveax,dwordptrds:[508158]<BR>005050C9|.8B00moveax,dwordptrds:[eax]<BR>005050CB|.8B1518825000movedx,dwordptrds:[508218];up-rmto.00509FA8<BR>005050D1|.8B12movedx,dwordptrds:[edx]<BR>005050D3|.E888F7EFFFcallup-rmto.00404860;比较<BR>005050D8|.752Djnzshortup-rmto.00505107;关键跳转<BR><BR>以上就是注册码计算判断的主线。经过计算后的注册码最后与用户名比较,相等就成功了。<BR><BR>4.从关键比较入手,分析比较值与存放地址:<BR>005050C4|>A158815000moveax,dwordptrds:[508158]<BR>005050C9|.8B00moveax,dwordptrds:[eax]<BR>005050CB|.8B1518825000movedx,dwordptrds:[508218];up-rmto.00509FA8<BR>005050D1|.8B12movedx,dwordptrds:[edx]<BR>005050D3|.E888F7EFFFcallup-rmto.00404860;比较<BR>005050D8|.752Djnzshortup-rmto.00505107;关键跳转<BR><BR>比较的长度:<BR>00404877|.8B46FCmoveax,dwordptrds:[esi-4];用户名长度=4<BR>0040487A|.8B57FCmovedx,dwordptrds:[edi-4];计算值长度=26<BR><BR>比较的东西:<BR>00508158A49F5000P.0<BR>00509FA48C3FEF00??(帮<BR>00EF3F8C6379746Fcyto<BR><BR>00508218A89F5000P.皉<BR>00509FA828B0EF00帮..<BR>00EFB028039019BD6AD3873FE4B3D9C950799FB8?絡訃?涑偕Py煾<BR>00EFB038117777C9E6C78F564BFB7C352D62D586ww涉菑VK鹼5-b諉<BR>00EFB0486C8A10D91657l??W..埉?埉?<BR><BR>通过修改ini的注册码那如发现:只要注册码不变上面比较的地址都是固定的。如果注册码有变的话,存放地址也会跟着变,值也会变,比较的长度也变。<BR><BR>5.定位加密算法<BR>从上面的比较结果可以看出,太像RSA运算了,于是上cryptosearcher0.97分析,发现FGIntRSA,查找google:<BR>RSA加密一共需要三个单元FGInt,FGIntPrimeGeneration,FGIntRSA:<BR>FGint是一个大型数运算库;GIntPrimeGeneration是一个找大质数的类库;FGIntRSA是实现加密和解密以及验证的单元。<BR>而且主线对输入的注册码处理后紧接着出现两个字符串:<BR>65537=10001(H)<BR>63790510521550840388844862178357891512889443215420175471639593023445165917945890380913786330112957=1DDD59DD5BE4EB02D560C324464193E0369A5ADAA8776B560E6ECA51F550EFD32B3FAE992B478963BD(H)<BR>估计第一个就是RSA的E,第二个应该就是传说中的N。<BR><BR>6.算法过程分析:<BR>对注册码下硬件访问断点,分析程序对注册码的处理:<BR>从ini中取得注册码,存放地址:<BR>00EFB1CC383736353433323130313233343536373887654321012345678<BR><BR>6.100505000callup-rmto.00501B28:对输入的注册码进行处理<BR>首先根据注册码的ASCII码取出表中的值:<BR>00501B99|>/8D45F8/leaeax,dwordptrss:[ebp-8]<BR>00501B9C|.|8B55FC|movedx,dwordptrss:[ebp-4]<BR>00501B9F|.|0FB65432FF|movzxedx,byteptrds:[edx+esi-1];edx=注册码ASCII码<BR>00501BA4|.|8B9495F4FBFFFF|movedx,dwordptrss:[ebp+edx*4-40C];取值,ebp=0012FF4C<BR>00501BAB|.|E86C2BF0FF|callup-rmto.0040471C<BR>00501BB0|.|46|incesi<BR>00501BB1|.|4B|decebx<BR>00501BB2|.^\75E5\jnzshortup-rmto.00501B99<BR>在00501BA4处先根据顺取到的注册码ASCII码计算得到存放表单的地址。<BR><BR>对应关系:<BR>0=110100;1=110101;2=110110;3=110111;4=111000;5=111001;<BR>6=111010;7=111011;8=111100;9=111101。<BR><BR>a=000000;b=000010;c=000100;d=000110;e=001000;f=001010;<BR>g=001100;h=001110;i=010000;j=010010;k=010100;l=010110;<BR>m=011000;n=011010;o=011100;p=011110;q=100000;r=100010;<BR>s=100100;t=100110;u=101000;v=101010;w=101100;x=101110;<BR>y=110000;z=110010。<BR><BR>A=000001;B=000011;C=000101;D=000111;E=001001;F=001011;<BR>G=001101;H=001111;I=010001;J=010011;K=010101;L=010111;<BR>M=011001;N=011011;O=011101;P=011111;Q=100001;R=100011;<BR>S=100101;T=100111;U=101001;V=101011;W=101101;X=101111;<BR>Y=110001;Z=110011<BR><BR>注册码:87654321012345678;3837363534333231303132333435363738<BR>堆栈ss:[0012FF44]=00EFAED4,(ASCII"111100111011111010111001111000110111110110110101110100110101110110110111111000111001111010111011111100")<BR><BR>然后转换成十六进制:<BR>顺取8位转换成十六进制,最后剩余的6位不够就丢弃了:<BR>111100111011111010111001111000110111110110110101110100110101110110110111111000111001111010111011111100=F3BEB9E37DB5D35DB7E39EBB<BR>即:111100111011111010111001111000110111110110110101110100110101110110110111111000111001111010111011=F3BEB9E37DB5D35DB7E39EBB<BR>在内存搜索到:00EFAEB8F3BEB9E37DB5D35DB7E39EBB<BR><BR>6.2取得RSA的E&N:<BR>0050501F|.E88CF5F5FFcallup-rmto.004645B0;取字符串A=RSA(E)<BR>00505024|.8B45E8moveax,dwordptrss:[ebp-18];E=65537=10001(H)<BR>00505027|.8D55ECleaedx,dwordptrss:[ebp-14]<BR>0050502A|.E8B53AF0FFcallup-rmto.00408AE4<BR>0050502F|.8B45ECmoveax,dwordptrss:[ebp-14]<BR>00505032|.BA48A05000movedx,up-rmto.0050A048<BR>00505037|.E8E0CEFFFFcallup-rmto.00501F1C;对E的处理<BR>0050503C|.8D55E0leaedx,dwordptrss:[ebp-20]<BR>0050503F|.A1AC815000moveax,dwordptrds:[5081AC]<BR>00505044|.8B00moveax,dwordptrds:[eax]<BR>00505046|.8B8054040000moveax,dwordptrds:[eax+454]<BR>0050504C|.E85FF5F5FFcallup-rmto.004645B0;取字符串B=RSA(N)<BR>00505051|.8B45E0moveax,dwordptrss:[ebp-20];N<BR>00505054|.8D55E4leaedx,dwordptrss:[ebp-1C]<BR>00505057|.E8883AF0FFcallup-rmto.00408AE4<BR>0050505C|.8B45E4moveax,dwordptrss:[ebp-1C]<BR>0050505F|.BA50A05000movedx,up-rmto.0050A050<BR>00505064|.E8B3CEFFFFcallup-rmto.00501F1C;对N的处理<BR>这两个计算对应两个字符串:<BR>E=65537(D)=10001(H)<BR>N=63790510521550840388844862178357891512889443215420175471639593023445165917945890380913786330112957(D)=1DDD59DD5BE4EB02D560C324464193E0369A5ADAA8776B560E6ECA51F550EFD32B3FAE992B478963BD(H)<BR><BR>6.3加密并处理得到最后结果:00505091callup-rmto.00504380<BR>加密:<BR>M:处理后的注册码=F3BEB9E37DB5D35DB7E39EBB(H)<BR>111100111011111010111001111000110111110110110101110100110101110110110111111000111001111010111011<BR><BR>E:10001(H)<BR>N:325个字符<BR>63790510521550840388844862178357891512889443215420175471639593023445165917945890380913786330112957(D)<BR>1DDD59DD5BE4EB02D560C324464193E0369A5ADAA8776B560E6ECA51F550EFD32B3FAE992B478963BD(H)<BR>1110111011101010110011101110101011011111001001110101100000010110101010110000011000011001001000100011001000001100100111110000000110110100110100101101011011010101010000111011101101011010101100000111001101110110010100101000111110101010100001110111111010011001010110011111110101110100110010010101101000111100010010110001110111101(2)<BR><BR>C=ME(modN)=F3BEB9E37DB5D35DB7E39EBB^10001(mod1DDD59DD5BE4EB02D560C324464193E0369A5ADAA8776B560E6ECA51F550EFD32B3FAE992B478963BD)=ACA353B9019BD6AD3873FE4B3D9C950799FB8117777C9E6C78F564BFB7C352D62D5866C8A10D91657<BR><BR>加密后得到密文:ACA353B9019BD6AD3873FE4B3D9C950799FB8117777C9E6C78F564BFB7C352D62D5866C8A10D91657(H)<BR><BR>密文转换成2进制:00504654callup-rmto.00502DCC<BR>00502E00|.8945F8movdwordptrss:[ebp-8],eax<BR>00502E03|.BF01000000movedi,1<BR>00502E08|>33DB/xorebx,ebx<BR>00502E0A|>8B45FC|/moveax,dwordptrss:[ebp-4]<BR>00502E0D|.8B4004||moveax,dwordptrds:[eax+4]<BR>00502E10|.8B54F804||movedx,dwordptrds:[eax+edi*8+4]<BR>00502E14|.8B04F8||moveax,dwordptrds:[eax+edi*8]<BR>00502E17|.8BCB||movecx,ebx<BR>00502E19|.E8D626F0FF||callup-rmto.004054F4<BR>00502E1E|.81E001000000||andeax,1<BR>00502E24|.33D2||xoredx,edx<BR>00502E26|.52||pushedx;/Arg2=>00000000<BR>00502E27|.50||pusheax;|Arg1<BR>00502E28|.8D45F4||leaeax,dwordptrss:[ebp-C];|<BR>00502E2B|.E8A05EF0FF||callup-rmto.00408CD0;\up-rmto.00408CD0<BR>00502E30|.8B55F4||movedx,dwordptrss:[ebp-C]<BR>00502E33|.8B0E||movecx,dwordptrds:[esi];存于n个地址,最后存于00EF4330&00EFAED4<BR>00502E35|.8BC6||moveax,esi<BR>00502E37|.E82419F0FF||callup-rmto.00404760<BR>00502E3C|.43||incebx<BR>00502E3D|.83FB1F||cmpebx,1F<BR>00502E40|.^75C8|\jnzshortup-rmto.00502E0A<BR>00502E42|.47|incedi<BR>00502E43|.FF4DF8|decdwordptrss:[ebp-8]<BR>00502E46|.^75C0\jnzshortup-rmto.00502E08<BR>101011001010001101010011101110010000000110011011110101101010110100111000011100111111111001001011001111011001110010010101000001111001100111111011100000010001011101110111011111001001111001101100011110001111010101100100101111111011011111000011010100101101011000101101010110000110011011001000101000010000110110010001011001010111<BR><BR>2进制里寻找第一个111,去除前面的数<BR>005046AF|./EB12jmpshortup-rmto.005046C3<BR>005046B1|>|8D45B0/leaeax,dwordptrss:[ebp-50]<BR>005046B4|.|B901000000|movecx,1<BR>005046B9|.|BA01000000|movedx,1<BR>005046BE|.|E8F102F0FF|callup-rmto.004049B4;下一位开始<BR>005046C3|>\8D45A0leaeax,dwordptrss:[ebp-60]<BR>005046C6|.50|pusheax<BR>005046C7|.B903000000|movecx,3<BR>005046CC|.BA01000000|movedx,1<BR>005046D1|.8B45B0|moveax,dwordptrss:[ebp-50];初始值为00504654计算的2进制,存在00EFAED4<BR>005046D4|.E89B02F0FF|callup-rmto.00404974;取出3位<BR>005046D9|.8B45A0|moveax,dwordptrss:[ebp-60]<BR>005046DC|.BA74475000|movedx,up-rmto.00504774;ASCII"111"<BR>005046E1|.E87A01F0FF|callup-rmto.00404860;比较<BR>005046E6|.740D|jeshortup-rmto.005046F5;相等就跳走<BR>005046E8|.8B45B0|moveax,dwordptrss:[ebp-50]<BR>005046EB|.E82400F0FF|callup-rmto.00404714<BR>005046F0|.83F803|cmpeax,3<BR>005046F3|.^7FBC\jgshortup-rmto.005046B1<BR>数据放置的初始位置为00EFAED4,然后转移到00EF4330,找第一个111,找到后就跳走,去除其前面的字符。<BR>11101110010000000110011011110101101010110100111000011100111111111001001011001111011001110010010101000001111001100111111011100000010001011101110111011111001001111001101100011110001111010101100100101111111011011111000011010100101101011000101101010110000110011011001000101000010000110110010001011001010111<BR><BR>又去掉值的前面3位:<BR>005046F5|>\8D45B0leaeax,dwordptrss:[ebp-50]<BR>005046F8|.B903000000movecx,3<BR>005046FD|.BA01000000movedx,1<BR>00504702|.E8AD02F0FFcallup-rmto.004049B4;又去掉3位?<BR>01110010000000110011011110101101010110100111000011100111111111001001011001111011001110010010101000001111001100111111011100000010001011101110111011111001001111001101100011110001111010101100100101111111011011111000011010100101101011000101101010110000110011011001000101000010000110110010001011001010111<BR><BR>转换成十六进制:得到最终的结果<BR>00EFB028039019BD6AD3873FE4B3D9C950799FB8?絡訃?涑偕Py煾<BR>00EFB038117777C9E6C78F564BFB7C352D62D586ww涉菑VK鹼5-b諉<BR>00EFB0486C8A10D91657l??W..<BR>即:39019BD6AD3873FE4B3D9C950799FB8117777C9E6C78F564BFB7C352D62D5866C8A10D91657<BR><BR>6.4算法流程:<BR>处理输入的注册码,查表得2进制再转换成十六进制,加密,然后加密后的数据转换成2进制,去除第一个111前面的数,然后再去除前面3位,然后再转换成十六进制与用户名比较,相等就注册成功。<BR><BR>7.爆破<BR>RSA加密,N太长,无法运算,只好爆破。<BR>爆破之一:启动程序后判断注册码<BR>005050C4|>\A158815000moveax,dwordptrds:[508158]<BR>005050C9|.8B00moveax,dwordptrds:[eax];用户名<BR>005050CB|.8B1518825000movedx,dwordptrds:[508218];up-rmto.00509FA8<BR>005050D1|.8B12movedx,dwordptrds:[edx];注册码<BR>005050D3|.E888F7EFFFcallup-rmto.00404860;bj<BR>005050D8752Djnzshortup-rmto.00505107<BR><BR>005050C4A158815000moveax,dwordptrds:[508158]<BR>改为:<BR>005050C4A118825000moveax,dwordptrds:[508218]<BR><BR>修改后输入注册码用户名的地方变灰色的。<BR><BR>爆破之二:退出程序判断<BR>可是退出的时候还是提示:Thisisaunregisteredversion。<BR>地址=004FCD98反汇编=movedx,up-rmto.004FCDEC<BR>文本字符串=Thisisaunregisteredversion,Don'tforgettoregisterit.\nToregistersoftware,pleaseclick'OK'button.<BR><BR>004FCD6F|.A1A49F5000moveax,dwordptrds:[509FA4]<BR>004FCD74|.8B15A89F5000movedx,dwordptrds:[509FA8]<BR>004FCD7A|.E8E17AF0FFcallup-rmto.00404860<BR>004FCD7F7512jnzshortup-rmto.004FCD93<BR>004FCD81|.833DA49F500000cmpdwordptrds:[509FA4],0<BR>004FCD88|.7409jeshortup-rmto.004FCD93<BR>004FCD8A|.833DA89F500000cmpdwordptrds:[509FA8],0<BR>004FCD91|.7537jnzshortup-rmto.004FCDCA<BR>004FCD93|>6A00push0<BR>004FCD95|.8D45FCleaeax,dwordptrss:[ebp-4]<BR>004FCD98|.BAECCD4F00movedx,up-rmto.004FCDEC;ASCII"Thisisaunregisteredversion,Don'tforgettoregisterit.<BR>Toregistersoftware,pleaseclick'OK'button."<BR><BR>004FCD6F|.A1A49F5000moveax,dwordptrds:[509FA4]<BR>改为:<BR>004FCD6FA1A89F5000moveax,dwordptrds:[509FA8]<BR><BR>意外发现:爆破之二的比较入栈2个参数又跟爆破之一的不一样,可能退出的时候算法又不一样?还是只是挑取其中的一部分判断?<BR><BR>爆破之三:<BR>通过了上面两个爆破后,点击convert后跳出注册框。<BR>其中About里面写着:Licenceto:Unregister<BR>好,先搞定这个:<BR>地址=004FB45D反汇编=movedx,baopo.004FB53C文本字符串=Licenceto:Unregister<BR>004FB433|.A158815000moveax,dwordptrds:[508158]<BR>004FB438|.8B00moveax,dwordptrds:[eax]<BR>004FB43A|.8B1518825000movedx,dwordptrds:[508218];baopo.00509FA8<BR>004FB440|.8B12movedx,dwordptrds:[edx]<BR>004FB442|.E81994F0FFcallbaopo.00404860<BR>004FB447|.7514jnzshortbaopo.004FB45D<BR>004FB449|.A158815000moveax,dwordptrds:[508158]<BR>004FB44E|.833800cmpdwordptrds:[eax],0<BR>004FB451|.740Ajeshortbaopo.004FB45D<BR>004FB453|.A118825000moveax,dwordptrds:[508218]<BR>004FB458|.833800cmpdwordptrds:[eax],0<BR>004FB45B|.7512jnzshortbaopo.004FB46F<BR>004FB45D|>BA3CB54F00movedx,baopo.004FB53C;ASCII"Licenceto:Unregister"<BR><BR>004FB433|.A158815000moveax,dwordptrds:[508158]<BR>改为:<BR>004FB433A118825000moveax,dwordptrds:[508218]<BR><BR>点击convert还是跳出要注册的框,郁闷!继续爆!<BR><BR>可疑的串参考:<BR>地址=004CCA03反汇编=moveax,baopo.004CCA34文本字符串=ThisversionofAlphaControlsistrial.Forpurchaseofthefullyfunctionalversionpleasecometothe[url]http://www.alphaskins.com.Thanks![/url]<BR>地址=00505251反汇编=moveax,baopo.00505520文本字符串=Thissoftwarecanonlytry7day.\nPleaseregistration!<BR>都下断,不管从启动到退出,时间调整1年都没能断下,看来无关。<BR><BR>看来来硬的不行了,可能暗桩的缘故。<BR><BR>8.修改程序:<BR>因为爆破的话不晓得会不会有暗桩,而且程序本身的N(82位十六进制)实在太大了,很难分解因子,所以想到将N替换掉,利用RSAtool随机产生长度一样的N:<BR>P=4D52ECB185B842EC6F55395F3F6B9CE826A7F3043<BR>Q=55E9F05EF5518B1FB4FAEDF2A4B48CF35733455AB<BR>N=19F331AACB6B3741A5ECA989567BFB8BB8573554BD31E8247BFD2196A907C9746820362DDC44977BC1(H)=55428813623153400097073003728047268187658784397941308834162197241730534619050749533994595198139329(D)<BR>D=153C6FE8D58F6828D1205B9D88A8EDB1E9A9747B5BFF968BB520E979F2DE72FB77F7DF3A968F9CFE1<BR><BR>Winhex打开脱壳后的程序,然后搜索:<BR>63790510521550840388844862178357891512889443215420175471639593023445165917945890380913786330112957<BR>替换成产生的N=55428813623153400097073003728047268187658784397941308834162197241730534619050749533994595198139329(D)<BR>好了,这下不用分解大数因子就可以轻松搞定加解密。<BR><BR>9.然后逆推注册码:<BR>用户名=otyc=6F747963=1101111011101000111100101100011<BR>加上前面3位数111=1111101111011101000111100101100011=3EF747963<BR>解密3EF747963=16D71276E2E7617551A0251C940897907C38097CED12E6472BBF5568A5308C50AA533165922F269223<BR>其2进制为:(328位,注意前面的0不能省略,关系到下面转换的问题)<BR>0001011011010111000100100111011011100010111001110110000101110101010100011010000000100101000111001001010000001000100101111001000001111100001110000000100101111100111011010001001011100110010001110010101110111111010101010110100010100101001100001000110001010000101010100101001100110001011001011001001000101111001001101001001000100011<BR>328位不能为6整除,只好在后面(因为注册码处理是从前面开始处理的,每次取8位,最后面不够位数的话就放弃)加2个0,使其能被6整除:<BR>000101101101011100010010011101101110001011100111011000010111010101010001101000000010010100011100100101000000100010010111100100000111110000111000000010010111110011101101000100101110011001000111001010111011111101010101011010001010010100110000100011000101000010101010010100110011000101100101100100100010111100100110100100100010001100<BR><BR>分成6位6位的:<BR>000101101101011100010010011101101110001011100111011000010111010101010001101000000010010100011100100101000000100010010111100100000111110000111000000010010111110011101101000100101110011001000111001010111011111101010101011010001010010100110000100011000101000010101010010100110011000101100101100100100010111100100110100100100010001100<BR><BR>逆查表得:<BR>000101101101011100010010011101101110001011100111011000010111010101010001101000000010<BR>CWojOxFTmLKIub<BR>010100011100100101000000100010010111100100000111110000111000000010010111110011101101<BR>koSarLsDy4bLZW<BR>000100101110011001000111001010111011111101010101011010001010010100110000100011000101<BR>cxMDf79KnfkyRC<BR>000010101010010100110011000101100101100100100010111100100110100100100010001100<BR>bvkZCSsr8tsrg<BR><BR>整理后:<BR>CWojOxFTmLKIubkoSarLsDy4bLZWcxMDf79KnfkyRCbvkZCSsr8tsrg<BR><BR>用户名:otyc<BR>注册码:CWojOxFTmLKIubkoSarLsDy4bLZWcxMDf79KnfkyRCbvkZCSsr8tsrg<BR>这下输入用户名注册码的地方变成灰色的,退出的时候不再提示未注册版本。<BR>理论上讲应该是完美爆破。</FONT><BR></P>

页: [1]
© 1999-2008 EvilOctal Security Team