A-one Home Looker 1.13
The program performs two rounds of RSA encryption. Round 1 is only a smokescreen; round 2 throws in a brain-teaser on top, and everything is handled at the bit level, so I had n tools open doing calculations and my head is still spinning. This write-up is rather messy because the algorithm is really tedious. The pre-encryption processing was traced with hardware access breakpoints on the serial number; the encryption part was worked out by plugging the values into the RSA formula.
1. Breakpoints
Borland Delphi 6.0 - 7.0
Following the registration prompt, string reference:
004DCE01 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004DCE04 E8 9F78F2FF call VideoCap.004046A8
004DCE09 83F8 24 cmp eax,24
004DCE0C 74 0C je short VideoCap.004DCE1A
004DCE0E B8 14CF4D00 mov eax,VideoCap.004DCF14 ; ASCII "Please input serial number!"
The test serial needs to be 36 characters: 876543211234567887654321123456789999
Then we arrive at:
004DCE50 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004DCE53 5A pop edx
004DCE54 E8 67F2FFFF call VideoCap.004DC0C0 ; the computation
004DCE59 84C0 test al,al
004DCE5B 74 22 je short VideoCap.004DCE7F ; key comparison
004DCE5D B8 38CF4D00 mov eax,VideoCap.004DCF38 ; ASCII "Register successed!"
2. Entering the computation call, we reach the first round of encryption:
004DC15D BA 12000000 mov edx,12
004DC162 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004DC165 E8 9EB1F5FF call VideoCap.00437308 ; take the first 18 characters
004DC16A 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; "876543211234567887"
004DC16D B9 60C44D00 mov ecx,VideoCap.004DC460 ; ASCII "567315147181381047622517681039"
004DC172 BA 88C44D00 mov edx,VideoCap.004DC488 ; ASCII "65537"
004DC177 E8 34FDFFFF call VideoCap.004DBEB0 ; computation on the first part of the serial
004DC17C 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; computed value
We can see N = 567315147181381047622517681039 (dec) = 729181748E63BE5BA59406B8F (hex),
E = 65537 (dec) = 10001 (hex)
Encryption process:
HR EAX (hardware breakpoint on the first half of the serial):
004D9163 8BC6 mov eax,esi
004D9165 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D9168 0FB6543A FF movzx edx,byte ptr ds:[edx+edi-1]
004D916D 8B9495 FCFBFFFF mov edx,dword ptr ss:[ebp+edx*4-404] ; breaks here, table lookup
004D9174 E8 37B5F2FF call VideoCap.004046B0
004D9179 47 inc edi
004D917A 4B dec ebx
004D917B ^ 75 E6 jnz short VideoCap.004D9163
The input characters are looked up in a table to obtain binary; in fact this is just converting the ASCII codes to binary:
For example: 876543211234567887 = 383736353433323131323334353637383837:
001110000011011100110110001101010011010000110011001100100011000100110001001100100011001100110100001101010011011000110111001110000011100000110111
Returning to:
004DB896 E8 69D8FFFF call VideoCap.004D9104 ; table lookup
004DB89B 8D45 DC lea eax,dword ptr ss:[ebp-24] ; return point
004DB89E 8B4D DC mov ecx,dword ptr ss:[ebp-24]
Concatenate with "111":
004DB89E 8B4D DC mov ecx,dword ptr ss:[ebp-24]
004DB8A1 BA 7CBA4D00 mov edx,VideoCap.004DBA7C ; ASCII "111"
004DB8A6 E8 498EF2FF call VideoCap.004046F4
Stack ss:[0012F90C]=00FC5EE4, (ASCII "111001110000011011100110110001101010011010000110011001100100011000100110001001100100011001100110100001101010011011000110111001110000011100000110111")
Length = 147 bits (dec)
Then split into groups: the last 98 bits form group 2 and whatever remains in front is group 1:
Group 1: length = 49 bits (dec)
Stack ss:[0012F904]=00FC5FB8, (ASCII "1110011100000110111001101100011010100110100001100")
i.e. M1 = 1CE0DCD8D4D0C (hex)
Group 2: length = 98 bits (dec)
11001100100011000100110001001100100011001100110100001101010011011000110111001110000011100000110111
M2 = 3323131323334353637383837 (hex)
Encryption:
004DB991 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004DB994 E8 8BDCFFFF call VideoCap.004D9624
004DB999 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004DB99C E8 2B8AF2FF call VideoCap.004043CC
004DB9A1 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004DB9A4 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004DB9A7 E8 B0E8FFFF call VideoCap.004DA25C
004DB9AC EB 10 jmp short VideoCap.004DB9BE
...
004DB9BE 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; encrypted value
At this point a different value appears:
Stack ss:[0012F904]=00FC5A2C, (ASCII "100111100100010000000100010110100011111010111101010101101010010101111101101101010000110110010011100")
Plug into the RSA encryption formula:
N=729181748E63BE5BA59406B8F
E=10001
M1=1CE0DCD8D4D0C
then:
C1 = M1^E mod N = 4F22022D1F5EAB52BEDA86C9C
i.e. 100111100100010000000100010110100011111010111101010101101010010101111101101101010000110110010011100
Heh, it really matches, so this is going to be easy.
Factor N straight away, which gives D = 68FF4D2042822BBAF2449D1B1 (hex)
Then it checks whether the whole message has been encrypted:
004DB9C1 E8 E28CF2FF call VideoCap.004046A8
004DB9C6 99 cdq
004DB9C7 F7FB idiv ebx
004DB9C9 85D2 test edx,edx
004DB9CB ^ 75 E1 jnz short VideoCap.004DB9AE ; whole message encrypted yet?
If there is message left it is encrypted next; the first pass only took the first 49 bits, so 98 bits remain, i.e.:
message2: stack ss:[0012F904]=00FC5018, (ASCII "11001100100011000100110001001100100011001100110100001101010011011000110111001110000011100000110111")
in hex: 3323131323334353637383837
Encrypted value: stack ss:[0012F904]=00FC7474, (ASCII "101110101011110101110100101001001111001100000111001010100110101011100110011000110101110001000010101")
in hex: 5D5EBA52798395357331AE215
Both encrypted values can be seen on the stack:
message2:0012F904 00FC7474 ASCII "101110101011110101110100101001001111001100000111001010100110101011100110011000110101110001000010101"
message1:0012F908 00FC5A2C ASCII "100111100100010000000100010110100011111010111101010101101010010101111101101101010000110110010011100"
The two encrypted values are concatenated:
004DB9D3 E8 D88CF2FF call VideoCap.004046B0
004DB9D8 8D45 E8 lea eax,dword ptr ss:[ebp-18]
100111100100010000000100010110100011111010111101010101101010010101111101101101010000110110010011100101110101011110101110100101001001111001100000111001010100110101011100110011000110101110001000010101
279101168FAF55A95F6D4364E5D5EBA52798395357331AE215
Pad to a multiple of 8:
004D91E4 8D45 FC lea eax,dword ptr ss:[ebp-4]
004D91E7 8B4D FC mov ecx,dword ptr ss:[ebp-4]
004D91EA BA A8924D00 mov edx,VideoCap.004D92A8
004D91EF E8 00B5F2FF call VideoCap.004046F4
004D91F4 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D91F7 E8 ACB4F2FF call VideoCap.004046A8
004D91FC 25 07000080 and eax,80000007
004D9201 79 05 jns short VideoCap.004D9208
004D9203 48 dec eax
004D9204 83C8 F8 or eax,FFFFFFF8
004D9207 40 inc eax
004D9208 85C0 test eax,eax
004D920A ^ 75 D8 jnz short VideoCap.004D91E4
The original 198 bits plus 2 zeros give 200 bits (decimal = 512), exactly divisible by 8:
0012F8DC 00FC75B8 ASCII "00100111100100010000000100010110100011111010111101010101101010010101111101101101010000110110010011100101110101011110101110100101001001111001100000111001010100110101011100110011000110101110001000010101"
Reverse conversion: binary to hex
004D9224 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004D9227 50 push eax
004D9228 B9 08000000 mov ecx,8
004D922D BA 01000000 mov edx,1
004D9232 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D9235 E8 CEB6F2FF call VideoCap.00404908 ; take 8 bits
004D923A 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004D923D 8D45 FB lea eax,dword ptr ss:[ebp-5]
004D9240 E8 6FF8FFFF call VideoCap.004D8AB4 ; convert
004D9245 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004D9248 8A55 FB mov dl,byte ptr ss:[ebp-5] ; value
004D924B E8 64B3F2FF call VideoCap.004045B4
004D9250 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004D9253 8BC6 mov eax,esi
004D9255 E8 56B4F2FF call VideoCap.004046B0
004D925A 8D45 FC lea eax,dword ptr ss:[ebp-4]
004D925D B9 08000000 mov ecx,8
004D9262 BA 01000000 mov edx,1
004D9267 E8 DCB6F2FF call VideoCap.00404948
004D926C 4B dec ebx
004D926D ^ 75 B5 jnz short VideoCap.004D9224
00100111 10010001 00000001 00010110 10001111 10101111 01010101 10101001 01011111 01101101 01000011 01100100 11100101 11010101 11101011 10100101 00100111 10011000 00111001 01010011 01010111 00110011 00011010 11100010 00010101
00FC5190 27 91 01 16 8F AF 55 A9 5F 6D 43 64 E5 D5 EB A5
00FC51A0 27 98 39 53 57 33 1A E2 15
i.e.: 279101168FAF55A95F6D4364E5D5EBA52798395357331AE215
Then it is converted back to binary:
004D8EA9 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004D8EAC 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D8EAF 0FB65432 FF movzx edx,byte ptr ds:[edx+esi-1]
004D8EB4 8B9495 F4FBFFFF mov edx,dword ptr ss:[ebp+edx*4-40C] ; breaks here
004D8EBB E8 F0B7F2FF call VideoCap.004046B0
004D8EC0 46 inc esi
004D8EC1 4B dec ebx
004D8EC2 ^ 75 E5 jnz short VideoCap.004D8EA9
This step is the same as the earlier ASCII-to-binary conversion of the serial (200 bits):
00100111100100010000000100010110100011111010111101010101101010010101111101101101010000110110010011100101110101011110101110100101001001111001100000111001010100110101011100110011000110101110001000010101
Group into 6-bit units and convert to hex:
004D8F04 8D85 F0FBFFFF lea eax,dword ptr ss:[ebp-410]
004D8F0A 50 push eax
004D8F0B B9 06000000 mov ecx,6
004D8F10 BA 01000000 mov edx,1
004D8F15 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004D8F18 E8 EBB9F2FF call VideoCap.00404908 ; take 6 bits
004D8F1D 8B95 F0FBFFFF mov edx,dword ptr ss:[ebp-410]
004D8F23 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004D8F26 E8 1DFCFFFF call VideoCap.004D8B48 ; convert to hex
004D8B65 83F8 06 cmp eax,6
004D8B68 7F 1B jg short VideoCap.004D8B85
004D8B6A 807C03 FF 30 cmp byte ptr ds:[ebx+eax-1],30 ; breaks here
004D8B6F 74 10 je short VideoCap.004D8B81
004D8B71 B9 06000000 mov ecx,6
004D8B76 2BC8 sub ecx,eax
004D8B78 BF 01000000 mov edi,1
004D8B7D D3E7 shl edi,cl
004D8B7F 093E or dword ptr ds:[esi],edi
004D8B81 40 inc eax
004D8B82 4A dec edx
004D8B83 ^ 75 E0 jnz short VideoCap.004D8B65
004D8F2B 8D85 ECFBFFFF lea eax,dword ptr ss:[ebp-414]
004D8F31 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004D8F34 8A92 5F634E00 mov dl,byte ptr ds:[edx+4E635F] ; table lookup
004E6360 61 41 62 42 63 43 64 44 65 45 66 46 67 47 68 48 aAbBcCdDeEfFgGhH
004E6370 69 49 6A 4A 6B 4B 6C 4C 6D 4D 6E 4E 6F 4F 70 50 iIjJkKlLmMnNoOpP
004E6380 71 51 72 52 73 53 74 54 75 55 76 56 77 57 78 58 qQrRsStTuUvVwWxX
004E6390 79 59 7A 5A 30 31 32 33 34 35 36 37 38 39 2B 3D yYzZ0123456789+=
004D8F3A E8 75B6F2FF call VideoCap.004045B4
004D8F3F 8B95 ECFBFFFF mov edx,dword ptr ss:[ebp-414]
004D8F45 8BC7 mov eax,edi ; concatenation destination address
004D8F47 E8 64B7F2FF call VideoCap.004046B0
004D8F4C 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004D8F4F B9 06000000 mov ecx,6
004D8F54 BA 01000000 mov edx,1
004D8F59 E8 EAB9F2FF call VideoCap.00404948
004D8F5E 4B dec ebx
004D8F5F ^ 75 A3 jnz short VideoCap.004D8F04
Binary number to be converted (200 bits):
001001 111001 000100 000001 000101 101000 111110 101111 010101 011010 100101 011111 011011 010100 001101 100100 111001 011101 010111 101011 101001 010010 011110 011000 001110 010101 001101 010111 001100 110001 101011 100010 000101 01
The trailing 01 is padded to 6 bits = 010000
001001 111001 000100 000001 000101 101000 111110 101111 010101 011010 100101 011111 011011 010100 001101 100100 111001 011101 010111 101011 101001 010010 011110 011000 001110 010101 001101 010111 001100 110001 101011 100010 000101 010000
The lookup works like this: take 6 bits, convert to hex, then index the table at hex+1; for example 001001 is hex 9, and position 9+1 holds 45:
004E6360 61 41 62 42 63 43 64 44 65 45 66 46 67 47 68 48 aAbBcCdDeEfFgGhH
004E6370 69 49 6A 4A 6B 4B 6C 4C 6D 4D 6E 4E 6F 4F 70 50 iIjJkKlLmMnNoOpP
004E6380 71 51 72 52 73 53 74 54 75 55 76 56 77 57 78 58 qQrRsStTuUvVwWxX
004E6390 79 59 7A 5A 30 31 32 33 34 35 36 37 38 39 2B 3D yYzZ0123456789+=
After the hex conversion, the table lookup yields:
00FC37AC 45 35 63 41 43 75 2B 58 4B 6E 53 50 4E 6B 47 73 E5cACu+XKnSPNkGs
00FC37BC 35 4F 4C 56 55 6A 70 6D 68 4B 47 4C 67 59 56 72 5OLVUjpmhKGLgYVr
00FC37CC 43 69 00 00 Ci..
Returning to:
004DBF43 E8 F0CEFFFF call VideoCap.004D8E38
004DBF48 8B45 08 mov eax,dword ptr ss:[ebp+8]
004DBF4B 8B55 EC mov edx,dword ptr ss:[ebp-14] ; table lookup value
3. Next comes the encryption of the second half of the serial:
004DC190 BA 12000000 mov edx,12
004DC195 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004DC198 E8 DBB1F5FF call VideoCap.00437378 ; take the last 18 characters of the serial
004DC19D 8B45 DC mov eax,dword ptr ss:[ebp-24] ; second half of the serial
004DC1A0 B9 60C44D00 mov ecx,VideoCap.004DC460 ; ASCII "567315147181381047622517681039"
004DC1A5 BA 88C44D00 mov edx,VideoCap.004DC488 ; ASCII "65537"
004DC1AA E8 01FDFFFF call VideoCap.004DBEB0 ; encrypt
004DC1AF 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; encrypted value
The parameter pushed the second time is: 654321123456789999
Result: stack ss:[0012F9C4]=00FC7B74, (ASCII "gF5zMsOHzIcx3gZyeivlPnKlQ+qPmYr3Ia")
4. This gives 2 encrypted values, which are then written to the registry:
0012F9C0 00FC2568 ASCII "654321123456789999"
0012F9C4 00FC7B70 ASCII "gF5zMsOHzIcx3gZyeivlPnKlQ+qPmYr3Ia"
0012F9C8 00FC5CEC ASCII "876543211234567887"
0012F9CC 00FC37DC ASCII "E5cACu+XKnSPNkGs5OLVUjpmhKGLgYVrCi"
HKU\.DEFAULT\SOFTWARE\HomeLooker\Pass SUCCESS "E5cACu+XKnSPNkGs5OLVUjpmhKGLgYVrCi"
HKU\.DEFAULT\SOFTWARE\HomeLooker\Pass1 SUCCESS "gF5zMsOHzIcx3gZyeivlPnKlQ+qPmYr3Ia"
Tracing further shows that this round of encryption has almost nothing to do with registration; it merely writes the encrypted values to the registry to confuse the analyst and waste time.
5. Second-round encryption of the first half of the input serial:
004DC342 8B45 C8 mov eax,dword ptr ss:[ebp-38] ; first half of the serial
004DC345 B9 60C44D00 mov ecx,VideoCap.004DC460 ; ASCII "567315147181381047622517681039"
004DC34A BA 30C54D00 mov edx,VideoCap.004DC530 ; ASCII "519921301163664799099496550833"
004DC34F E8 4CFCFFFF call VideoCap.004DBFA0
004DC354 8B45 CC mov eax,dword ptr ss:[ebp-34] ; computed value
N = 567315147181381047622517681039 (dec) = 729181748E63BE5BA59406B8F (hex)
E = 519921301163664799099496550833 (dec) = 68FF4D2042822BBAF2449D1B1 (hex)
HR EAX:
004D902F 0FB65432 FF movzx edx,byte ptr ds:[edx+esi-1]
004D9034 8B9495 F4FBFFFF mov edx,dword ptr ss:[ebp+edx*4-40C] ; breaks here
This time the conversion is similar to the one above, but the mapping has changed:
The table is as follows:
0:110100;1:110101;2:110110;3:110111;4:111000;
5:111001;6:111010;7:111011;8:111100;9:111101;
=:111111
A to Z map to:
000001;000011;000101;000111;001001;001011;001101;001111;010001;010011;010101;010111;011001;011011;011101;011111;100001;100011;100101;100111;101001;101011;101101;101111;110001;110011;
a to z map to:
000000;000010;000100;000110;001000;001010;001100;001110;010000;010010;010100;010110;011000;011010;011100;011110;100000;100010;100100;100110;101000;101010;101100;101110;110000;110010;
After the table lookup we get the bit stream:
111100 111011 111010 111001 111000 110111 110110 110101 110101 110110 110111 111000 111001 111010 111011 111100 111100 111011
So the first half of the serial, 876543211234567887, converts to:
Stack ss:[0012F924]=00FC7E70, (ASCII "111100111011111010111001111000110111110110110101110101110110110111111000111001111010111011111100111100111011")
Group into 8-bit units and convert to hex:
004D9063 8D85 F0FBFFFF lea eax,dword ptr ss:[ebp-410]
004D9069 50 push eax
004D906A B9 08000000 mov ecx,8
004D906F BA 01000000 mov edx,1
004D9074 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004D9077 E8 8CB8F2FF call VideoCap.00404908 ; take 8 bits
004D907C 8B95 F0FBFFFF mov edx,dword ptr ss:[ebp-410]
004D9082 8D45 F7 lea eax,dword ptr ss:[ebp-9]
004D9085 E8 2AFAFFFF call VideoCap.004D8AB4 ; convert to hex
004D908A 8D85 ECFBFFFF lea eax,dword ptr ss:[ebp-414]
004D9090 8A55 F7 mov dl,byte ptr ss:[ebp-9] ; value
004D9093 E8 1CB5F2FF call VideoCap.004045B4
004D9098 8B95 ECFBFFFF mov edx,dword ptr ss:[ebp-414]
004D909E 8BC7 mov eax,edi
004D90A0 E8 0BB6F2FF call VideoCap.004046B0 ; concatenate
004D90A5 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004D90A8 B9 08000000 mov ecx,8
004D90AD BA 01000000 mov edx,1
004D90B2 E8 91B8F2FF call VideoCap.00404948
004D90B7 4B dec ebx
004D90B8 ^ 75 A9 jnz short VideoCap.004D9063
11110011 10111110 10111001 11100011 01111101 10110101 11010111 01101101 11111000 11100111 10101110 11111100 11110011 1011
The trailing 4 bits are discarded, giving:
00FC7EDC F3 BE B9 E3 7D B5 D7 6D F8 E7 AE FC F3
Converted to binary again (HR 00FC7EDC):
004D9163 8BC6 mov eax,esi
004D9165 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D9168 0FB6543A FF movzx edx,byte ptr ds:[edx+edi-1]
004D916D 8B9495 FCFBFFFF mov edx,dword ptr ss:[ebp+edx*4-404] ; convert to binary, breaks here
004D9174 E8 37B5F2FF call VideoCap.004046B0
004D9179 47 inc edi
004D917A 4B dec ebx
004D917B ^ 75 E6 jnz short VideoCap.004D9163
Stack ss:[0012F8CC]=00FC7B18, (ASCII "11110011101111101011100111100011011111011011010111010111011011011111100011100111101011101111110011110011")
Split: the last 63 (hex) = 99 (dec) bits form one group and whatever remains in front forms the other:
M1 = 11110 = 1E (hex)
M2=011101111101011100111100011011111011011010111010111011011011111100011100111101011101111110011110011
= 3BEB9E37DB5D76DF8E7AEFCF3 (hex)
Because the first part of the serial is 18 characters, ×6 = 108 bits, and discarding the trailing 4 bits leaves 104 bits; split into two groups, group 1 can only be 5 bits and group 2 is 99 bits.
Encryption:
004DBD3E 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004DBD41 E8 DED8FFFF call VideoCap.004D9624
004DBD46 8D45 AC lea eax,dword ptr ss:[ebp-54]
004DBD49 E8 7E86F2FF call VideoCap.004043CC
004DBD4E 8D55 AC lea edx,dword ptr ss:[ebp-54]
004DBD51 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004DBD54 E8 03E5FFFF call VideoCap.004DA25C
004DBD59 EB 10 jmp short VideoCap.004DBD6B
004DBD6B 8B45 AC mov eax,dword ptr ss:[ebp-54] ; encrypted value
The encrypted value of group 1 is:
Stack ss:[0012F8C4]=00FC383C, (ASCII "100110100000010101000101001000011111000000011100010010111010000110100101000111010100001010001011000")
i.e. 4D02A290F80E25D0D28EA1458
Then zeros are padded in front; for group 1 it makes no difference whether it is padded or not.
Let's verify:
N=729181748E63BE5BA59406B8F
E=68FF4D2042822BBAF2449D1B1
M=1E
C=4D02A290F80E25D0D28EA1458
Indeed it matches, so this round merely swaps E for a different one, and quite a large one at that.
The encrypted value of group 2 is:
堆栈 ss:[0012F8C4]=00FC4FE4, (ASCII "101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111")
i.e. B13BA0E26E5AAA9C4DD9EAE7
Zero-padded to a multiple of 98 (2 zeros added in front):
Stack ss:[0012F8C4]=00FC4FE4, (ASCII "00101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111")
Note: whether group 1 is zero-padded does not matter, but the encrypted value of group 2 must be padded; otherwise the concatenated value below is affected.
The bit streams of the two encrypted values are concatenated:
堆栈 ss:[0012F8C8]=00FC7C68, (ASCII "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010011010000001010100010100100001111100000001110001001011101000011010010100011101010000101000101100000101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111".)
i.e. 1340A8A43E03897434A3A85160B13BA0E26E5AAA9C4DD9EAE7
Find the first 111 and take the value after it (163 bits in decimal):
004DBDB1 8D45 B0 lea eax,dword ptr ss:[ebp-50]
004DBDB4 B9 01000000 mov ecx,1
004DBDB9 BA 01000000 mov edx,1
004DBDBE E8 858BF2FF call VideoCap.00404948
004DBDC3 8D45 A0 lea eax,dword ptr ss:[ebp-60]
004DBDC6 50 push eax
004DBDC7 B9 03000000 mov ecx,3
004DBDCC BA 01000000 mov edx,1
004DBDD1 8B45 B0 mov eax,dword ptr ss:[ebp-50]
004DBDD4 E8 2F8BF2FF call VideoCap.00404908
004DBDD9 8B45 A0 mov eax,dword ptr ss:[ebp-60]
004DBDDC BA 74BE4D00 mov edx,VideoCap.004DBE74 ; ASCII "111"
004DBDE1 E8 0E8AF2FF call VideoCap.004047F4
004DBDE6 74 0D je short VideoCap.004DBDF5
004DBDE8 8B45 B0 mov eax,dword ptr ss:[ebp-50]
004DBDEB E8 B888F2FF call VideoCap.004046A8
004DBDF0 83F8 03 cmp eax,3
004DBDF3 ^ 7F BC jg short VideoCap.004DBDB1
004DBDF8 B9 03000000 mov ecx,3
004DBDFD BA 01000000 mov edx,1
004DBE02 E8 418BF2FF call VideoCap.00404948 ; take the remaining value
004DBE07 8B55 08 mov edx,dword ptr ss:[ebp+8]
The encrypted value (padded with n zeros) is:
堆栈 ss:[0012F8C8]=00FC7C68, (ASCII "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010011010000001010100010100100001111100000001110001001011101000011010010100011101010000101000101100000101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111".)
i.e. 1340A8A43E03897434A3A85160B13BA0E26E5AAA9C4DD9EAE7
The value after the 111 (163 bits):
1100000001110001001011101000011010010100011101010000101000101100000101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111
i.e. 603897434A3A85160B13BA0E26E5AAA9C4DD9EAE7 (hex)
Then take 8 bits at a time and convert to hex, zero-padding in front where short:
004DBE0A 8B45 B0 mov eax,dword ptr ss:[ebp-50]
004DBE0D E8 9ED3FFFF call VideoCap.004D91B0
004DBE12 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004DBE15 E8 0AD8FFFF call VideoCap.004D9624
163/8 leaves a remainder of 3, so 5 zeros are padded in front:
00000110 00000011 10001001 01110100 00110100 10100011 10101000 01010001 01100000 10110001 00111011 10100000 11100010 01101110 01011010 10101010 10011100 01001101 11011001 11101010 11100111
Converted value:
00FC38E4 06 03 89 74 34 A3 A8 51 60 B1 3B A0 E2 6E 5A AA
00FC38F4 9C 4D D9 EA E7 00
Returning to:
004DC059 E8 22FAFFFF call VideoCap.004DBA80
004DC05E 8B45 08 mov eax,dword ptr ss:[ebp+8]
004DC061 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; value?
Returning once more completes the encryption of the first group of the serial.
6. Processing of the final encrypted value
004DC354 8B45 CC mov eax,dword ptr ss:[ebp-34] ; computed value
004DC357 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004DC35A E8 85040000 call VideoCap.004DC7E4 ; extract the digits and concatenate them
004DC35F 8B45 D0 mov eax,dword ptr ss:[ebp-30] ; value
004DC362 E8 C1CDF2FF call VideoCap.00409128 ; convert to hex
004DC367 8945 F0 mov dword ptr ss:[ebp-10],eax ; save
HR EAX:
004DC827 0FBFC3 movsx eax,bx
004DC82A 8B55 FC mov edx,dword ptr ss:[ebp-4]
004DC82D 8A4402 FF mov al,byte ptr ds:[edx+eax-1]
004DC831 04 D0 add al,0D0 ; breaks here
004DC833 2C 0A sub al,0A
004DC835 73 1C jnb short VideoCap.004DC853 ; is it a digit?
004DC837 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004DC83A 0FBFD3 movsx edx,bx
004DC83D 8B4D FC mov ecx,dword ptr ss:[ebp-4]
004DC840 8A5411 FF mov dl,byte ptr ds:[ecx+edx-1]
004DC844 E8 6B7DF2FF call VideoCap.004045B4 ; convert to character
004DC849 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004DC84C 8BC7 mov eax,edi
004DC84E E8 5D7EF2FF call VideoCap.004046B0 ; concatenate characters
004DC853 43 inc ebx
004DC854 66:FFCE dec si
004DC857 ^ 75 CE jnz short VideoCap.004DC827
Bytes are taken in order and +D0 then -A is applied; if the result goes below 0 the processing happens, which simply checks whether the byte is a digit in the range 30-39. For example, the second-round encrypted value of the first group of the serial is:
06 03 89 74 34 A3 A8 51 60 B1 3B A0 E2 6E 5A AA 9C 4D D9 EA E7 00
Only the 5th byte, 34, qualifies.
Converted to decimal:
00402EB7 8A1E mov bl,byte ptr ds:[esi]
00402EB9 46 inc esi ; breaks here
Summary:
Encrypted value parameter: 06 03 89 74 34 A3 A8 51 60 B1 3B A0 E2 6E 5A AA 9C 4D D9 EA E7 00
The digits are extracted from it; this encrypted value has only one digit, the 5th byte 34, which converts to the character: 4
7. Second-round encryption of the second part of the serial:
004DC37E 8B45 BC mov eax,dword ptr ss:[ebp-44] ; second half of the serial
004DC381 B9 60C44D00 mov ecx,VideoCap.004DC460 ; ASCII "567315147181381047622517681039"
004DC386 BA 30C54D00 mov edx,VideoCap.004DC530 ; ASCII "519921301163664799099496550833"
004DC38B E8 10FCFFFF call VideoCap.004DBFA0
004DC390 8B45 C0 mov eax,dword ptr ss:[ebp-40]
004DC393 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
004DC396 E8 49040000 call VideoCap.004DC7E4 ; extract the digits and concatenate them
004DC39B 8B45 C4 mov eax,dword ptr ss:[ebp-3C] ; (ASCII "480")
004DC39E E8 85CDF2FF call VideoCap.00409128 ; convert to hex
004DC3A3 8945 EC mov dword ptr ss:[ebp-14],eax ; save
The value after encryption and processing:
00FC5D7C 12 57 34 64 5F A9 6C 08 88 7E 7A 38 5B E5 EE E3
00FC5D8C 0B 87 FE 30 D1 5C 26 AA 00
There are 3 digits in total, 34, 38, 30; converted to characters: 480
8. Summary of the second round of encryption:
The serial must be 36 characters and is encrypted in 2 parts of 18 characters each;
Take the 18 characters of the serial in order and convert them to a bit stream via the table (1 character maps to 6 bits), giving 18×6 = 108 bits; take 8 bits at a time and convert to hex (108/8 = 13, remainder 4), discarding the trailing 4 bits, which gives 13 bytes of hex, then convert back to binary (104 bits);
Regroup the bit stream: group 1 is the first 5 bits, group 2 the last 99 bits;
RSA-encrypt: N = 729181748E63BE5BA59406B8F, E = 68FF4D2042822BBAF2449D1B1; zero-pad the bit stream of each encrypted value in front to a multiple of 98, then concatenate the two encrypted values, group 1 first and group 2 after it (so the padding of group 1 can be ignored, but the padding of group 2 is mandatory);
Scan the concatenated bit stream until the first 111 is found, then take the bit stream remaining after that 111;
Zero-pad in front to a multiple of 8 and convert 8 bits at a time to hex;
Check the resulting bytes: whenever a byte is a digit (i.e. in the range 30 to 39), append that digit in order; the result is one of the final parameters.
For example:
The input serial is 876543211234567887654321123456789999
Split into 2 groups: 876543211234567887, 654321123456789999
Take group 1 as the example: 876543211234567887
The table is as follows:
0:110100;1:110101;2:110110;3:110111;4:111000;
5:111001;6:111010;7:111011;8:111100;9:111101;
A to Z map to:
000001;000011;000101;000111;001001;001011;001101;001111;010001;010011;010101;010111;011001;011011;011101;011111;100001;100011;100101;100111;101001;101011;101101;101111;110001;110011;
a to z map to:
000000;000010;000100;000110;001000;001010;001100;001110;010000;010010;010100;010110;011000;011010;011100;011110;100000;100010;100100;100110;101000;101010;101100;101110;110000;110010;
After the table lookup we get a 108-bit stream:
111100 111011 111010 111001 111000 110111 110110 110101 110101 110110 110111 111000 111001 111010 111011 111100 111100 111011
i.e.: 111100111011111010111001111000110111110110110101110101110110110111111000111001111010111011111100111100111011
Remove the trailing 4 bits:
11110011101111101011100111100011011111011011010111010111011011011111100011100111101011101111110011110011
Split into 2 groups:
M1=11110
M2=011101111101011100111100011011111011011010111010111011011011111100011100111101011101111110011110011
After RSA encryption:
Group 1:
4D02A290F80E25D0D28EA1458(H)=100110100000010101000101001000011111000000011100010010111010000110100101000111010100001010001011000
Group 2:
B13BA0E26E5AAA9C4DD9EAE7(H)=101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111 (96 bits)
Group 2 is zero-padded to a multiple of 98, which needs 2 zeros:
00101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111 (98 bits)
Concatenate the 2 encrypted values:
10011010000001010100010100100001111100000001110001001011101000011010010100011101010000101000101100000101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111
Look for the first 111 and take what follows it:
1100000001110001001011101000011010010100011101010000101000101100000101100010011101110100000111000100110111001011010101010101001110001001101110110011110101011100111
Split into 8-bit units, zero-padding in front where short:
00000110 00000011 10001001 01110100 00110100 10100011 10101000 01010001 01100000 10110001 00111011 10100000 11100010 01101110 01011010 10101010 10011100 01001101 11011001 11101010 11100111
Convert to hex:
0603897434A3A85160B13BA0E26E5AAA9C4DD9EAE7
Check whether any byte is a digit 0 to 9:
06 03 89 74 34 A3 A8 51 60 B1 3B A0 E2 6E 5A AA 9C 4D D9 EA E7
There is only one, the 5th byte 34, which converts to the character "4" = 4 (hex)
Likewise, the second half of the serial yields:
12 57 34 64 5F A9 6C 08 88 7E 7A 38 5B E5 EE E3 0B 87 FE 30 D1 5C 26 AA
There are 3 of them, 34, 38, 30, which concatenate to "480" = 1E0 (hex)
This gives the 2 final parameters:
0012F9D0 000001E0 final parameter of the second group of the serial
0012F9D4 00000004 final parameter of the first group of the serial
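Added example (Python, not from the original write-up): it re-creates the round-2 table encoding, the 5/99-bit split and the RSA step using only the N and the two exponents recovered from the binary above, and checks the results against the values quoted in the text (the function names are mine). It also demonstrates the weakness noted in the afterword: the round-2 exponent is simply the private counterpart of the round-1 65537, so 65537 undoes round 2 without factoring anything.

```python
# Added example, not part of the original write-up. The constants are the ones
# recovered from the binary in the text (N, 65537 and the round-2 exponent).
N = 0x729181748E63BE5BA59406B8F       # "567315147181381047622517681039"
E1 = 0x10001                           # round-1 exponent "65537"
E2 = 0x68FF4D2042822BBAF2449D1B1       # round-2 exponent "519921301163664799099496550833"

# Round-2 character table (section 5): digits 0-9 map to 110100..111101,
# '=' to 111111, A-Z to the odd codes 000001..110011, a-z to the even codes 000000..110010.
TABLE = {}
for i, ch in enumerate("0123456789"):
    TABLE[ch] = 0b110100 + i
TABLE["="] = 0b111111
for i, ch in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    TABLE[ch] = 2 * i + 1
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    TABLE[ch] = 2 * i


def encode_half(half):
    """18 chars -> 108-bit stream -> keep whole bytes only (drops the trailing 4 bits) -> 104 bits."""
    bits = "".join(format(TABLE[c], "06b") for c in half)
    return bits[: len(bits) // 8 * 8]


def split_blocks(bits):
    """Section 5 grouping: the last 99 bits are M2, whatever is left in front is M1."""
    return int(bits[:-99], 2), int(bits[-99:], 2)


def encrypt(m, e):
    """Textbook RSA: C = M^e mod N, with the program's fixed N."""
    return pow(m, e, N)


def round2_blocks(half):
    """Round-2 path for one 18-character half, returning (C1, C2) as the text reports them."""
    m1, m2 = split_blocks(encode_half(half))
    return encrypt(m1, E2), encrypt(m2, E2)


def undo_round2_with_public_exponent(c):
    """E2 is the private exponent belonging to 65537 (section 11), so 65537 inverts it:
    the 'second round' is reversible by anyone who read the round-1 constant in the binary."""
    return pow(c, E1, N)


if __name__ == "__main__":
    c1, c2 = round2_blocks("876543211234567887")
    print(f"C1={c1:X} C2={c2:X}")
    print("65537 inverts round 2:", undo_round2_with_public_exponent(c1) == 0x1E)
```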
9. Computing and comparing the 2 final parameters:
004DC3C4 8B45 EC mov eax,dword ptr ss:[ebp-14] ; final parameter of group 2
004DC3C7 2B45 F0 sub eax,dword ptr ss:[ebp-10] ; minus the final parameter of group 1
004DC3CA 3D E8030000 cmp eax,3E8
004DC3CF 75 0D jnz short VideoCap.004DC3DE
If (final parameter of group 2) - (final parameter of group 1) = 3E8, registration passes.
10. Working the serial backwards:
Keeping the first half of the serial unchanged, to obtain the value 3E8 the final parameter of the second half has to be 3EC (hex) = 1004 (dec).
Start from the second half of the serial: 18 characters convert to a 108-bit stream (6 bits each); dropping the trailing 4 bits makes it divisible by 8, so the 104-bit stream is regrouped into a 5-bit group 1 and a 99-bit group 2. Working group 1 backwards is rather hard, so the only option is to start from group 2. Moreover, if the encrypted value of group 1 happens to contain digit characters 0 to 9 that is awkward too, so I varied the second half of the test serial until the front of the encrypted value contained no digit characters, and found that for the test serial 876543211234567887123456788765432199 the second half 123456788765432199 encrypts to:
00FC7E98 02 BD 69 7E 83 F4 20 B9 C4 14 F4 80 00 00 00 00
00FC7EA8 00 00 00 00 00 00 00 06 CD 99 9D 7B F3 AF 12 D3
00FC7EB8 D6 46 B3 07
Not a single digit character, which makes it easy to work with. Debugging also shows that the last byte has no effect whether or not it is a digit, so the preceding D3 D6 46 B3 is changed to 31 30 30 34 (i.e. the characters 1004).
The RSA-encrypted value of 123456788765432199, 295 bits:
1000001011100101011110101101001011111101000001111110100001000001011100111000100000101001111010010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000110110011011001100110011101011110111111001110101111000100101101001111010110010001101011001100000111
4172BD697E83F420B9C414F480000000000000000000000006CD999D7BF3AF12D3D646B307
Modified to:
4172BD697E83F420B9C414F480000000000000000000000006CD999D7BF3AF123130303407
31303034 = 00110001001100000011000000110100; mind the zero padding so that the length is a multiple of 8.
Referring back to the RSA-encrypted value of 123456788765432199: since only the trailing part was changed, the encrypted value of group 1 is unaffected, so the front stays the same and only the back changes; in other words, the RSA output has to become the following 295 bits:
1000001011100101011110101101001011111101000001111110100001000001011100111000100000101001111010010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000110110011011001100110011101011110111111001110101111000100100011000100110000001100000011010000000111
The huge run of zeros in the middle clearly means group 2 exceeded 98 bits and was heavily padded. Splitting:
Group 1: 295 bits - 2×98 bits = 99 bits
100000101110010101111010110100101111110100000111111010000100000101110011100010000010100111101001000
i.e. C1 = 4172BD697E83F420B9C414F48
Group 2: 196 bits - 97 zeros = 99 bits
110110011011001100110011101011110111111001110101111000100100011000100110000001100000011010000000111
i.e. C2 = 6CD999D7BF3AF123130303407
After decrypting each:
N=729181748E63BE5BA59406B8F(H)
E=68FF4D2042822BBAF2449D1B1(H)
D=10001(H)
M = C^D mod N
M1 = 1A = 11010 (5 bits)
M2 = 16C3D73F1B3CCA15B42926CB4 = 1011011000011110101110011111100011011001111001100101000010101101101000010100100100110110010110100 (97 bits)
M2 is padded with 2 zeros to make up 99 bits, so M1M2 becomes:
11010001011011000011110101110011111100011011001111001100101000010101101101000010100100100110110010110100 (104 bits)
104 bits is not divisible by 6, so 4 more bits (0 or 1, as you like) are appended at the end, giving one 18-character group of the serial:
110100 010110 110000 111101 011100 111111 000110 110011 110011 001010 000101 011011 010000 101001 001001 101100 101101 000000
Reverse table lookup gives:
0:110100;1:110101;2:110110;3:110111;4:111000;
5:111001;6:111010;7:111011;8:111100;9:111101;
A to Z map to:
000001;000011;000101;000111;001001;001011;001101;001111;010001;010011;010101;010111;011001;
A B C D E F G H I J K L M
011011;011101;011111;100001;100011;100101;100111;101001;101011;101101;101111;110001;110011;
N O P Q R S T U V W X Y Z
a to z map to:
000000;000010;000100;000110;001000;001010;001100;001110;010000;010010;010100;010110;011000;
a b c d e f g h i j k l m
011010;011100;011110;100000;100010;100100;100110;101000;101010;101100;101110;110000;110010;
n o p q r s t u v w x y z
110100 010110 110000 111101 011100 111111
0 l y 9 o =
000110 110011 110011 001010 000101 011011
d Z Z f C N
010000 101001 001001 101100 101101 000000
i U E w W a
User name: cyto
Serial: 8765432112345678870ly9o=dZZfCNiUEwWa
Registration succeeded! In fact the serial has nothing to do with the user name.
11. Afterword
The tracing was quite tedious, especially the first round of serial encryption, which wasted a lot of time.
The RSA N is very small and factors in seconds; round 2 then pulled a brain-teaser by using D as E, and the D obtained by factoring is just the original E = 10001.
Although round 2 is very tedious with its bit-level processing, I could not find an efficient method and had to plod through it step by step.
The program's algorithm operates only on the input serial, so the resulting serial is universal, which is not good.