[转载]噢易硬盘保护的密码加密分析
很简单,在安装目录中有个LegacyBase.dll文件。
这个dll导出一个encode函数
密码验证时会通过该函数对用户输入的密码进行加密
在 OD(OllyDbg)里定位一下该函数:
; LegacyBase.dll!encode(pwd, dwSize, pOut), 10020CF0-10020E56, as shown by the debugger.
; Stack frame, matching the C reconstruction that follows on this page:
;   [ebp+0x8]=pwd  [ebp+0xC]=dwSize  [ebp+0x10]=pOut
;   [ebp-0x4]=input index   [ebp-0x8]=output index
;   [ebp-0x14]=24-bit group being assembled from up to 3 input bytes
;   [ebp-0xC]=flag "2nd byte present"  [ebp-0x10]=flag "3rd byte present"
;   [ebp-0x18]/[ebp-0x1C]=table index for output chars 3 and 2
;   ds:[0x1002D08C]=pointer to the 65-character alphabet (Base64 alphabet + '=')
; Note: the loop compares use jge (signed), whereas the C sketch uses DWORD (unsigned).
10020CF0 55 push ebp
10020CF1 8BEC mov ebp,esp
10020CF3 83EC 1C sub esp,0x1C
10020CF6 C745 FC 00000 mov dword ptr ss:[ebp-0x4],0x0          ; in = 0
10020CFD C745 F8 00000 mov dword ptr ss:[ebp-0x8],0x0          ; out = 0
10020D04 EB 12 jmp short 10020D18
; loop increment: in += 3, out += 4
10020D06 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
10020D09 83C0 03 add eax,0x3
10020D0C 8945 FC mov dword ptr ss:[ebp-0x4],eax
10020D0F 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]
10020D12 83C1 04 add ecx,0x4
10020D15 894D F8 mov dword ptr ss:[ebp-0x8],ecx
; loop condition: while (in < dwSize), signed compare
10020D18 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
10020D1B 3B55 0C cmp edx,dword ptr ss:[ebp+0xC]
10020D1E 0F8D 26010000 jge 10020E4A
10020D24 C745 F0 00000 mov dword ptr ss:[ebp-0x10],0x0         ; have3 = 0
10020D2B C745 F4 00000 mov dword ptr ss:[ebp-0xC],0x0          ; have2 = 0
; group = pwd[in] & 0xFF  (movsx then mask: the byte is zero-extended)
10020D32 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
10020D35 0345 FC add eax,dword ptr ss:[ebp-0x4]
10020D38 0FBE08 movsx ecx,byte ptr ds:[eax]
10020D3B 81E1 FF000000 and ecx,0xFF
10020D41 894D EC mov dword ptr ss:[ebp-0x14],ecx
; group <<= 8
10020D44 8B55 EC mov edx,dword ptr ss:[ebp-0x14]
10020D47 C1E2 08 shl edx,0x8
10020D4A 8955 EC mov dword ptr ss:[ebp-0x14],edx
; if (in + 1 < dwSize) { group |= pwd[in+1] & 0xFF; have2 = 1; }
10020D4D 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
10020D50 83C0 01 add eax,0x1
10020D53 3B45 0C cmp eax,dword ptr ss:[ebp+0xC]
10020D56 7D 1D jge short 10020D75
10020D58 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
10020D5B 034D FC add ecx,dword ptr ss:[ebp-0x4]
10020D5E 0FBE51 01 movsx edx,byte ptr ds:[ecx+0x1]
10020D62 81E2 FF000000 and edx,0xFF
10020D68 0B55 EC or edx,dword ptr ss:[ebp-0x14]
10020D6B 8955 EC mov dword ptr ss:[ebp-0x14],edx
10020D6E C745 F4 01000 mov dword ptr ss:[ebp-0xC],0x1
; group <<= 8 (done even when the 2nd byte is missing, so missing bytes read as 0)
10020D75 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
10020D78 C1E0 08 shl eax,0x8
10020D7B 8945 EC mov dword ptr ss:[ebp-0x14],eax
; if (in + 2 < dwSize) { group |= pwd[in+2] & 0xFF; have3 = 1; }
10020D7E 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
10020D81 83C1 02 add ecx,0x2
10020D84 3B4D 0C cmp ecx,dword ptr ss:[ebp+0xC]
10020D87 7D 1C jge short 10020DA5
10020D89 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
10020D8C 0355 FC add edx,dword ptr ss:[ebp-0x4]
10020D8F 0FBE42 02 movsx eax,byte ptr ds:[edx+0x2]
10020D93 25 FF000000 and eax,0xFF
10020D98 0B45 EC or eax,dword ptr ss:[ebp-0x14]
10020D9B 8945 EC mov dword ptr ss:[ebp-0x14],eax
10020D9E C745 F0 01000 mov dword ptr ss:[ebp-0x10],0x1
; idx3 = have3 ? group & 0x3F : 0x40   (0x40 selects the 65th char, '=')
10020DA5 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0
10020DA9 74 0B je short 10020DB6
10020DAB 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]
10020DAE 83E1 3F and ecx,0x3F
10020DB1 894D E8 mov dword ptr ss:[ebp-0x18],ecx
10020DB4 EB 07 jmp short 10020DBD
10020DB6 C745 E8 40000 mov dword ptr ss:[ebp-0x18],0x40
; pOut[out+3] = table[idx3]
10020DBD 8B55 10 mov edx,dword ptr ss:[ebp+0x10]
10020DC0 0355 F8 add edx,dword ptr ss:[ebp-0x8]
10020DC3 A1 8CD00210 mov eax,dword ptr ds:[0x1002D08C]
10020DC8 0345 E8 add eax,dword ptr ss:[ebp-0x18]
10020DCB 8A08 mov cl,byte ptr ds:[eax]
10020DCD 884A 03 mov byte ptr ds:[edx+0x3],cl
; group >>= 6 (arithmetic shift; the value never exceeds 24 bits, so equivalent to logical here)
10020DD0 8B55 EC mov edx,dword ptr ss:[ebp-0x14]
10020DD3 C1FA 06 sar edx,0x6
10020DD6 8955 EC mov dword ptr ss:[ebp-0x14],edx
; idx2 = have2 ? group & 0x3F : 0x40
10020DD9 837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0
10020DDD 74 0B je short 10020DEA
10020DDF 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
10020DE2 83E0 3F and eax,0x3F
10020DE5 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
10020DE8 EB 07 jmp short 10020DF1
10020DEA C745 E4 40000 mov dword ptr ss:[ebp-0x1C],0x40
; pOut[out+2] = table[idx2]
10020DF1 8B4D 10 mov ecx,dword ptr ss:[ebp+0x10]
10020DF4 034D F8 add ecx,dword ptr ss:[ebp-0x8]
10020DF7 8B15 8CD00210 mov edx,dword ptr ds:[0x1002D08C]
10020DFD 0355 E4 add edx,dword ptr ss:[ebp-0x1C]
10020E00 8A02 mov al,byte ptr ds:[edx]
10020E02 8841 02 mov byte ptr ds:[ecx+0x2],al
; group >>= 6; pOut[out+1] = table[group & 0x3F]
10020E05 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]
10020E08 C1F9 06 sar ecx,0x6
10020E0B 894D EC mov dword ptr ss:[ebp-0x14],ecx
10020E0E 8B55 EC mov edx,dword ptr ss:[ebp-0x14]
10020E11 83E2 3F and edx,0x3F
10020E14 8B45 10 mov eax,dword ptr ss:[ebp+0x10]
10020E17 0345 F8 add eax,dword ptr ss:[ebp-0x8]
10020E1A 8B0D 8CD00210 mov ecx,dword ptr ds:[0x1002D08C]
10020E20 8A1411 mov dl,byte ptr ds:[ecx+edx]
10020E23 8850 01 mov byte ptr ds:[eax+0x1],dl
; group >>= 6; pOut[out] = table[group & 0x3F]
10020E26 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
10020E29 C1F8 06 sar eax,0x6
10020E2C 8945 EC mov dword ptr ss:[ebp-0x14],eax
10020E2F 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]
10020E32 83E1 3F and ecx,0x3F
10020E35 8B55 10 mov edx,dword ptr ss:[ebp+0x10]
10020E38 0355 F8 add edx,dword ptr ss:[ebp-0x8]
10020E3B A1 8CD00210 mov eax,dword ptr ds:[0x1002D08C]
10020E40 8A0C08 mov cl,byte ptr ds:[eax+ecx]
10020E43 880A mov byte ptr ds:[edx],cl
10020E45 E9 BCFEFFFF jmp 10020D06
; loop exit: pOut[out] = 0 (NUL terminator); no buffer size is ever checked
10020E4A 8B55 10 mov edx,dword ptr ss:[ebp+0x10]
10020E4D 0355 F8 add edx,dword ptr ss:[ebp-0x8]
10020E50 C602 00 mov byte ptr ds:[edx],0x0
10020E53 8BE5 mov esp,ebp
10020E55 5D pop ebp
10020E56 C3 retn
转换成C后 大概是这样的:
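/* Windows DWORD. An identical typedef is legal in C11 if <windows.h> is also included,
 * and it lets this snippet build standalone. */
typedef unsigned long DWORD;

/* The standard Base64 alphabet, with '=' at index 64 used as the padding character.
 * Declared const: it is a string literal and must never be written through. */
const char *table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

/*
 * encode - Base64-encode dwSize bytes of pwd into pOut.
 *
 * C reconstruction of LegacyBase.dll!encode at 10020CF0: every 3 input bytes
 * become 4 output characters, a short final group is padded with '='.
 * This is plain Base64, a reversible encoding, not a hash or cipher.
 *
 * pwd    - input bytes (not required to be NUL-terminated; dwSize governs)
 * dwSize - number of input bytes
 * pOut   - caller-supplied buffer; must hold 4 * ((dwSize + 2) / 3) + 1 bytes,
 *          the function never checks its size and always writes a trailing NUL
 * Returns 0 in all cases (the original never returns anything else).
 */
DWORD encode(char *pwd, DWORD dwSize, char *pOut)
{
    DWORD in = 0;
    DWORD out = 0;

    while (in < dwSize) {
        /* 24-bit group: byte 0 in bits 16-23, byte 1 in bits 8-15, byte 2 in bits 0-7.
         * Missing bytes stay 0 but are reported as '=' below. */
        int have2 = in + 1 < dwSize;
        int have3 = in + 2 < dwSize;
        DWORD group = (DWORD)(pwd[in] & 0xFF) << 16;
        if (have2) {
            group |= (DWORD)(pwd[in + 1] & 0xFF) << 8;
        }
        if (have3) {
            group |= (DWORD)(pwd[in + 2] & 0xFF);
        }

        /* Four 6-bit digits, most significant first; 0x40 selects the '=' pad. */
        pOut[out + 3] = table[have3 ? group & 0x3F : 0x40];
        pOut[out + 2] = table[have2 ? (group >> 6) & 0x3F : 0x40];
        pOut[out + 1] = table[(group >> 12) & 0x3F];
        pOut[out] = table[(group >> 18) & 0x3F];

        in += 3;
        out += 4;
    }
    pOut[out] = 0;
    return 0;
}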
这样看起来就很清晰了,简单地说明一下这个"加密":table 正是标准 Base64 字母表(第 65 个字符 '=' 用作填充),所以这里的"加密"其实就是 Base64 编码——它是可逆的编码而不是哈希,拿到密文即可直接还原出密码。
它是将密码划分为每 3 个字节一组,"加密"成每 4 个字符一组的密文;最后一组不足 3 字节时用 '=' 补齐,因此密文长度必定是 4 的倍数。
加密流程:
最终值 = 明文第 1 字节 左移 8 位,或上明文第 2 字节,再左移 8 位,或上明文第 3 字节(按输入顺序;缺少的字节按 0 处理)
然后将最终值从高位到低位拆成 4 个 6 位的值,每个值作为索引去 table 里查对应的字符;对应明文字节缺失的位置则固定用索引 64,即 '='。
再将字符填充到密文里。
下边是解密代码:
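/* Windows DWORD. An identical typedef is legal in C11 if <windows.h> is also included,
 * and it lets this snippet build standalone. */
typedef unsigned long DWORD;

/* Same alphabet encode() uses: standard Base64 plus '=' at index 64 as padding. */
const char *table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

/*
 * GetIndex - position of ch in table.
 *
 * Returns 0..63 for a Base64 digit, 64 for the '=' pad (it is part of table),
 * and (DWORD)-1 when ch is not in the alphabet. Callers must treat 64 as
 * padding, not as data, otherwise a padded group decodes to garbage bytes.
 */
DWORD GetIndex(char ch)
{
    /* ch == 0 would match the terminator strchr also searches; it is never a digit */
    const char *hit = ch ? strchr(table, ch) : NULL;
    return hit ? (DWORD)(hit - table) : (DWORD)-1;
}

/*
 * decode - reverse of encode(): Base64-decode the NUL-terminated string pwd into pOut.
 *
 * Each group of 4 characters yields 3 bytes. Decoding stops at the first '='
 * pad, at a character that is not in table, or when fewer than 2 digits are
 * left (a lone digit carries no whole byte), so malformed input never reads
 * past the string or emits the pad as data. pOut is always NUL-terminated.
 *
 * pwd  - encoded, NUL-terminated input (typically untrusted: validate, do not assume)
 * pOut - caller-supplied buffer; must hold 3 * ((strlen(pwd) + 3) / 4) + 1 bytes
 */
void decode(char *pwd, char *pOut)
{
    DWORD dwSize = strlen(pwd);
    DWORD j = 0;

    for (DWORD i = 0; i + 1 < dwSize; i += 4) {
        DWORD idx[4];
        int nDigits = 0;

        /* Collect up to 4 digits; '=' (64) or a foreign char ((DWORD)-1) ends the group. */
        while (nDigits < 4 && i + nDigits < dwSize) {
            DWORD v = GetIndex(pwd[i + nDigits]);
            if (v >= 64) {
                break;
            }
            idx[nDigits++] = v;
        }
        if (nDigits < 2) {
            break;
        }
        /* Missing digits contribute 0 bits, mirroring the zeros encode() shifted in. */
        for (int k = nDigits; k < 4; k++) {
            idx[k] = 0;
        }

        DWORD dwVal = ((idx[0] << 6 | idx[1]) << 6 | idx[2]) << 6 | idx[3];
        pOut[j++] = (char)((dwVal >> 16) & 0xFF);
        if (nDigits > 2) {
            pOut[j++] = (char)((dwVal >> 8) & 0xFF);
        }
        if (nDigits > 3) {
            pOut[j++] = (char)(dwVal & 0xFF);
        }
        if (nDigits < 4) {
            break;   /* padding (or a bad char) ends the message */
        }
    }
    pOut[j] = 0;
}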
大概就是这样了,没啥难度,很久没发帖了,发一个记录下。