WINZIP8.0PASSWORD追踪部分认识

标题：WINZIP8.0PASSWORD追踪部分认识 (7千字)
作者：KINGSUN
时间：2001-9-1 16:07:31
链接：http://bbs.pediy.com

WINZIP8.0PASSWORD追踪部分认识

1.加密加压一个ABC.ZIP
2.解压ABC.ZIP，输入PASSWORD
3.BPX HMEMCPY 确认PASSWORD
4.按F12 进入无模块提醒领空
5.U 20001EC6
6.BPX 20001EC6
7.F5拦截成功如下

:20001EC6 A1CC4D0620 mov eax, dword ptr [20064DCC]--passwod
:20001ECB 56 push esi
:20001ECC 50 push eax
:20001ECD E83EFDFFFF call 20001C10----计算1
:20001ED2 8B4D08 mov ecx, dword ptr [ebp+08]
:20001ED5 83C404 add esp, 00000004
:20001ED8 33F6 xor esi, esi
:20001EDA 8B11 mov edx, dword ptr [ecx]
:20001EDC 8955F4 mov dword ptr [ebp-0C], edx
:20001EDF 8B4104 mov eax, dword ptr [ecx+04]
:20001EE2 8945F8 mov dword ptr [ebp-08], eax
:20001EE5 8B4908 mov ecx, dword ptr [ecx+08]
:20001EE8 894DFC mov dword ptr [ebp-04], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:20001F0E(C)
|
:20001EEB E890FCFFFF call 20001B80---计算2
:20001EF0 8A5435F4 mov dl, byte ptr [ebp+esi-0C]
:20001EF4 32D0 xor dl, al
:20001EF6 8AC2 mov al, dl
:20001EF8 885435F4 mov byte ptr [ebp+esi-0C], dl
:20001EFC 25FF000000 and eax, 000000FF
:20001F01 50 push eax
:20001F02 E899FCFFFF call 20001BA0----计算3
:20001F07 83C404 add esp, 00000004
:20001F0A 46 inc esi
:20001F0B 83FE0C cmp esi,0000000C--oc=12,
( the encryption header=12 bytes )
:20001F0E 7CDB jl 20001EEB--计算2. 计算3 循环12计算
:20001F10 8B15240F0320 mov edx, dword ptr [20030F24]
:20001F16 660FB645FF movzx ax, byte ptr [ebp-01]--计算结果
:20001F1B F6422002 test [edx+20], 02
:20001F1F 7414 je 20001F35

:20001F35 8B156A170820 mov edx, dword ptr [2008176A]--crc32
:20001F3B C1EA18 shr edx, 18
:20001F3E 663BC2 cmp ax, dx
:20001F41 7407 je 20001F4A

计算1--可能是PAUL文章如下部分：
process_keys(key):
key0_{1-l} <-- 0x12345678
key1_{1-l} <-- 0x23456789
key2_{1-l} <-- 0x34567890
loop for i <-- 1 to l
update_keys_{i-l}(key_{i})
end loop
end process_keys

:20001C10 55 push ebp
:20001C11 8BEC mov ebp, esp
:20001C13 56 push esi
:20001C14 8B7508 mov esi, dword ptr [ebp+08]--password
:20001C17 C7058840032078563412 mov dword ptr [20034088], 12345678
:20001C21 C7058C40032089674523 mov dword ptr [2003408C], 23456789
:20001C2B C7059040032090785634 mov dword ptr [20034090], 34567890
:20001C35 8A06 mov al, byte ptr [esi]--password
:20001C37 84C0 test al, al
:20001C39 7416 je 20001C51

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:20001C4F(C)
|
:20001C3B 25FF000000 and eax, 000000FF
:20001C40 50 push eax
:20001C41 E85AFFFFFF call 20001BA0 -----计算1.1
:20001C46 8A4601 mov al, byte ptr [esi+01]--next password
:20001C49 83C404 add esp, 00000004
:20001C4C 46 inc esi---password长度+1
:20001C4D 84C0 test al, al
:20001C4F 75EA jne 20001C3B --password长度=0 NO JUMP

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:20001C39(C)

:20001C51 5E pop esi
:20001C52 5D pop ebp
:20001C53 C3 ret

计算1.1

* Referenced by a CALL at Addresses:
|:20001C41 , :20001CB7 , :20001D0B , :20001D44 , :20001D78
|:20001DEE , :20001F02 , :20001F93 , :20008ACC
|
:20001BA0 55 push ebp
:20001BA1 8BEC mov ebp, esp
:20001BA3 8B1588400320 mov edx, dword ptr [20034088]-12345678
:20001BA9 8B4508 mov eax, dword ptr [ebp+08]- password
:20001BAC 8BCA mov ecx, edx
:20001BAE 56 push esi
:20001BAF 33C8 xor ecx, eax
:20001BB1 81E1FF000000 and ecx, 000000FF
:20001BB7 C1EA08 shr edx, 08
:20001BBA 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104]
:20001BC1 33CA xor ecx, edx
:20001BC3 8B158C400320 mov edx, dword ptr [2003408C]-23456789
:20001BC9 890D88400320 mov dword ptr [20034088], ecx
:20001BCF 81E1FF000000 and ecx, 000000FF
:20001BD5 03CA add ecx, edx
:20001BD7 8B1590400320 mov edx, dword ptr [20034090]-3456790
:20001BDD 69C905840808 imul ecx, 08088405
:20001BE3 41 inc ecx
:20001BE4 8BF2 mov esi, edx
:20001BE6 890D8C400320 mov dword ptr [2003408C], ecx
:20001BEC 81E6FF000000 and esi, 000000FF
:20001BF2 C1E918 shr ecx, 18
:20001BF5 33CE xor ecx, esi
:20001BF7 5E pop esi
:20001BF8 C1EA08 shr edx, 08
:20001BFB 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104]
:20001C02 33CA xor ecx, edx
:20001C04 890D90400320 mov dword ptr [20034090], ecx --[20034090]
结果存放地址
:20001C0A 5D pop ebp
:20001C0B C3 ret

计算2
:20001B80 8B0D90400320 mov ecx, dword ptr [20034090]
:20001B86 83C902 or ecx, 00000002
:20001B89 8BC1 mov eax, ecx
:20001B8B 83F001 xor eax, 00000001
:20001B8E 0FAFC1 imul eax, ecx
:20001B91 25FFFF0000 and eax, 0000FFFF
:20001B96 C1E808 shr eax, 08
:20001B99 C3 ret

计算3
:20001BA0 55 push ebp
:20001BA1 8BEC mov ebp, esp
:20001BA3 8B1588400320 mov edx, dword ptr [20034088]
:20001BA9 8B4508 mov eax, dword ptr [ebp+08]
:20001BAC 8BCA mov ecx, edx
:20001BAE 56 push esi
:20001BAF 33C8 xor ecx, eax
:20001BB1 81E1FF000000 and ecx, 000000FF
:20001BB7 C1EA08 shr edx, 08
:20001BBA 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104]
:20001BC1 33CA xor ecx, edx
:20001BC3 8B158C400320 mov edx, dword ptr [2003408C]
:20001BC9 890D88400320 mov dword ptr [20034088], ecx
:20001BCF 81E1FF000000 and ecx, 000000FF
:20001BD5 03CA add ecx, edx
:20001BD7 8B1590400320 mov edx, dword ptr [20034090]
:20001BDD 69C905840808 imul ecx, 08088405
:20001BE3 41 inc ecx
:20001BE4 8BF2 mov esi, edx
:20001BE6 890D8C400320 mov dword ptr [2003408C], ecx
:20001BEC 81E6FF000000 and esi, 000000FF
:20001BF2 C1E918 shr ecx, 18
:20001BF5 33CE xor ecx, esi
:20001BF7 5E pop esi
:20001BF8 C1EA08 shr edx, 08
:20001BFB 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104]
:20001C02 33CA xor ecx, edx
:20001C04 890D90400320 mov dword ptr [20034090], ecx--好象最终结果是解密解压的key
:20001C0A 5D pop ebp
:20001C0B C3 ret

KINGSUN

版权所有