WinZip 8.0 PASSWORD trace: partial notes (about 7,000 characters), WINZIP, encryption algorithm

2010-1-22 18:40 | Posted by: admin | Views: 64 | Comments: 0 | Original author: 情殇

Originally written 2008-06-23 (Monday), 12:43 PM



1. Compress a file into ABC.ZIP with a password.

2. Extract ABC.ZIP and enter the PASSWORD.

3. BPX HMEMCPY (SoftICE) to catch the PASSWORD being read.

4. Press F12 until you land in the region SoftICE reports as having no module.

5. U 20001EC6

6. BPX 20001EC6

7. F5; the breakpoint hits as follows:





:20001EC6 A1CC4D0620 mov eax, dword ptr [20064DCC] -- password
:20001ECB 56 push esi
:20001ECC 50 push eax
:20001ECD E83EFDFFFF call 20001C10 ---- calculation 1
:20001ED2 8B4D08 mov ecx, dword ptr [ebp+08]
:20001ED5 83C404 add esp, 00000004
:20001ED8 33F6 xor esi, esi
:20001EDA 8B11 mov edx, dword ptr [ecx]
:20001EDC 8955F4 mov dword ptr [ebp-0C], edx
:20001EDF 8B4104 mov eax, dword ptr [ecx+04]
:20001EE2 8945F8 mov dword ptr [ebp-08], eax
:20001EE5 8B4908 mov ecx, dword ptr [ecx+08]
:20001EE8 894DFC mov dword ptr [ebp-04], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:20001F0E(C)
|
:20001EEB E890FCFFFF call 20001B80 --- calculation 2
:20001EF0 8A5435F4 mov dl, byte ptr [ebp+esi-0C]
:20001EF4 32D0 xor dl, al
:20001EF6 8AC2 mov al, dl
:20001EF8 885435F4 mov byte ptr [ebp+esi-0C], dl
:20001EFC 25FF000000 and eax, 000000FF
:20001F01 50 push eax
:20001F02 E899FCFFFF call 20001BA0 ---- calculation 3
:20001F07 83C404 add esp, 00000004
:20001F0A 46 inc esi
:20001F0B 83FE0C cmp esi, 0000000C -- 0C = 12
( the encryption header = 12 bytes )
:20001F0E 7CDB jl 20001EEB -- calculation 2 and calculation 3 are looped 12 times
:20001F10 8B15240F0320 mov edx, dword ptr [20030F24]
:20001F16 660FB645FF movzx ax, byte ptr [ebp-01] -- result (the 12th decrypted header byte)
:20001F1B F6422002 test [edx+20], 02
:20001F1F 7414 je 20001F35

:20001F35 8B156A170820 mov edx, dword ptr [2008176A] -- crc32
:20001F3B C1EA18 shr edx, 18
:20001F3E 663BC2 cmp ax, dx
:20001F41 7407 je 20001F4A

So the 12 header bytes copied to [ebp-0C]..[ebp-01] are decrypted in place, one byte per iteration (calculation 2 gives the keystream byte, calculation 3 feeds the decrypted byte back into the keys), and the last decrypted byte is compared with the top byte of the entry's CRC32.





Calculation 1 -- probably corresponds to this part of Paul's paper:

process_keys(key):
  key0_{1-l} <-- 0x12345678
  key1_{1-l} <-- 0x23456789
  key2_{1-l} <-- 0x34567890
  loop for i <-- 1 to l
    update_keys_{i-l}(key_{i})
  end loop
end process_keys



:20001C10 55 push ebp
:20001C11 8BEC mov ebp, esp
:20001C13 56 push esi
:20001C14 8B7508 mov esi, dword ptr [ebp+08] -- password
:20001C17 C7058840032078563412 mov dword ptr [20034088], 12345678
:20001C21 C7058C40032089674523 mov dword ptr [2003408C], 23456789
:20001C2B C7059040032090785634 mov dword ptr [20034090], 34567890
:20001C35 8A06 mov al, byte ptr [esi] -- first password byte
:20001C37 84C0 test al, al
:20001C39 7416 je 20001C51

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:20001C4F(C)
|
:20001C3B 25FF000000 and eax, 000000FF
:20001C40 50 push eax
:20001C41 E85AFFFFFF call 20001BA0 ----- calculation 1.1
:20001C46 8A4601 mov al, byte ptr [esi+01] -- next password byte
:20001C49 83C404 add esp, 00000004
:20001C4C 46 inc esi --- password pointer + 1
:20001C4D 84C0 test al, al
:20001C4F 75EA jne 20001C3B -- byte = 0 (end of password): no jump

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:20001C39(C)
|
:20001C51 5E pop esi
:20001C52 5D pop ebp
:20001C53 C3 ret



Calculation 1.1

* Referenced by a CALL at Addresses:
|:20001C41 , :20001CB7 , :20001D0B , :20001D44 , :20001D78
|:20001DEE , :20001F02 , :20001F93 , :20008ACC
|
:20001BA0 55 push ebp
:20001BA1 8BEC mov ebp, esp
:20001BA3 8B1588400320 mov edx, dword ptr [20034088] - key0 (initially 12345678)
:20001BA9 8B4508 mov eax, dword ptr [ebp+08] - password byte
:20001BAC 8BCA mov ecx, edx
:20001BAE 56 push esi
:20001BAF 33C8 xor ecx, eax
:20001BB1 81E1FF000000 and ecx, 000000FF
:20001BB7 C1EA08 shr edx, 08
:20001BBA 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104] - 256-entry dword table lookup
:20001BC1 33CA xor ecx, edx
:20001BC3 8B158C400320 mov edx, dword ptr [2003408C] - key1 (initially 23456789)
:20001BC9 890D88400320 mov dword ptr [20034088], ecx
:20001BCF 81E1FF000000 and ecx, 000000FF
:20001BD5 03CA add ecx, edx
:20001BD7 8B1590400320 mov edx, dword ptr [20034090] - key2 (initially 34567890)
:20001BDD 69C905840808 imul ecx, 08088405
:20001BE3 41 inc ecx
:20001BE4 8BF2 mov esi, edx
:20001BE6 890D8C400320 mov dword ptr [2003408C], ecx
:20001BEC 81E6FF000000 and esi, 000000FF
:20001BF2 C1E918 shr ecx, 18
:20001BF5 33CE xor ecx, esi
:20001BF7 5E pop esi
:20001BF8 C1EA08 shr edx, 08
:20001BFB 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104] - same table
:20001C02 33CA xor ecx, edx
:20001C04 890D90400320 mov dword ptr [20034090], ecx -- [20034090] is where the result is stored
:20001C0A 5D pop ebp
:20001C0B C3 ret

In other words, each call updates all three key dwords: key0 from a table lookup on (key0 ^ byte) & FF, key1 = (key1 + (key0 & FF)) * 08088405 + 1, and key2 from a table lookup on (key2 ^ (key1 >> 24)) & FF.



Calculation 2

:20001B80 8B0D90400320 mov ecx, dword ptr [20034090]
:20001B86 83C902 or ecx, 00000002
:20001B89 8BC1 mov eax, ecx
:20001B8B 83F001 xor eax, 00000001
:20001B8E 0FAFC1 imul eax, ecx
:20001B91 25FFFF0000 and eax, 0000FFFF
:20001B96 C1E808 shr eax, 08
:20001B99 C3 ret

This returns one keystream byte from key2 alone: with t = key2 | 2, the result is bits 8..15 of t * (t ^ 1).



Calculation 3 (the same routine at 20001BA0 as calculation 1.1, here called with each decrypted header byte)

:20001BA0 55 push ebp
:20001BA1 8BEC mov ebp, esp
:20001BA3 8B1588400320 mov edx, dword ptr [20034088]
:20001BA9 8B4508 mov eax, dword ptr [ebp+08]
:20001BAC 8BCA mov ecx, edx
:20001BAE 56 push esi
:20001BAF 33C8 xor ecx, eax
:20001BB1 81E1FF000000 and ecx, 000000FF
:20001BB7 C1EA08 shr edx, 08
:20001BBA 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104]
:20001BC1 33CA xor ecx, edx
:20001BC3 8B158C400320 mov edx, dword ptr [2003408C]
:20001BC9 890D88400320 mov dword ptr [20034088], ecx
:20001BCF 81E1FF000000 and ecx, 000000FF
:20001BD5 03CA add ecx, edx
:20001BD7 8B1590400320 mov edx, dword ptr [20034090]
:20001BDD 69C905840808 imul ecx, 08088405
:20001BE3 41 inc ecx
:20001BE4 8BF2 mov esi, edx
:20001BE6 890D8C400320 mov dword ptr [2003408C], ecx
:20001BEC 81E6FF000000 and esi, 000000FF
:20001BF2 C1E918 shr ecx, 18
:20001BF5 33CE xor ecx, esi
:20001BF7 5E pop esi
:20001BF8 C1EA08 shr edx, 08
:20001BFB 8B0C8D04110320 mov ecx, dword ptr [4*ecx+20031104]
:20001C02 33CA xor ecx, edx
:20001C04 890D90400320 mov dword ptr [20034090], ecx -- it seems the final result here is the key used for decrypting/decompressing
:20001C0A 5D pop ebp
:20001C0B C3 ret
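The three routines traced above, put back together as runnable code. This is an added example, not WinZip's code or the original author's: calculation 1 becomes process_keys(), calculation 1.1 / 3 becomes ZipKeys.update(), calculation 2 becomes ZipKeys.decrypt_byte(), and the 12-iteration loop at 20001EEB..20001F41 becomes check_password(). It assumes the dword table at 20031104 is the standard CRC-32 table (polynomial 0xEDB88320), which is what the traditional PKZIP cipher uses at that point; the password, file data and the 11 "random" header bytes are constructed sample input. It also goes one step beyond the trace by building the header the way a zip writer does, so the check can be exercised end to end, and by counting how many wrong passwords slip through the one-byte comparison.

```python
"""Traditional PKZIP stream cipher as traced from WinZip 8.0 (added example).
Assumption: the table at 20031104 is the standard CRC-32 table.
All sample values below are constructed, not taken from a real archive."""
import zlib


def make_crc_table():
    """Standard reflected CRC-32 table: the lookup [4*ecx + 20031104] in the trace."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc_table()
MASK32 = 0xFFFFFFFF


class ZipKeys:
    """The three key dwords kept at 20034088 / 2003408C / 20034090."""

    def __init__(self):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890

    def update(self, byte):
        """update_keys(byte): calculation 1.1 (and 3) at 20001BA0."""
        self.k0 = CRC_TABLE[(self.k0 ^ byte) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 0x08088405 + 1) & MASK32
        self.k2 = CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def decrypt_byte(self):
        """Keystream byte: calculation 2 at 20001B80 (or 2, xor 1, imul,
        keep the low 16 bits of the product, return their high byte)."""
        t = (self.k2 | 2) & MASK32
        return ((t * (t ^ 1)) & 0xFFFF) >> 8


def process_keys(password: bytes) -> ZipKeys:
    """Calculation 1 at 20001C10: run every password byte through update_keys."""
    keys = ZipKeys()
    for b in password:
        keys.update(b)
    return keys


def encrypt_header(password: bytes, crc32: int, random11: bytes) -> bytes:
    """Zip-writer side (not in the trace): 11 random bytes plus the top byte of
    the entry's CRC-32, each XORed with a keystream byte; the plaintext byte
    feeds the key update, which is why decryption can mirror it."""
    if len(random11) != 11:
        raise ValueError("need exactly 11 random bytes")
    keys = process_keys(password)
    out = bytearray()
    for p in random11 + bytes([(crc32 >> 24) & 0xFF]):
        out.append(p ^ keys.decrypt_byte())
        keys.update(p)
    return bytes(out)


def check_password(password: bytes, header: bytes, crc32: int):
    """The loop at 20001EEB..20001F41: decrypt the 12 header bytes in place
    (dl ^= al, then push the decrypted byte into update_keys) and compare the
    last one with crc32 >> 24.  Returns (matched, decrypted_header, keys);
    keys is the state WinZip would continue with for the file body."""
    keys = process_keys(password)
    plain = bytearray(header[:12])
    for i in range(12):
        plain[i] ^= keys.decrypt_byte()
        keys.update(plain[i])
    return plain[11] == (crc32 >> 24) & 0xFF, bytes(plain), keys


def false_accepts(header: bytes, crc32: int, candidates) -> int:
    """Count wrong passwords that still pass the check.  Only one byte is
    compared, so roughly 1 in 256 wrong guesses gets through here and is only
    rejected later, when the CRC of the inflated data does not match."""
    return sum(1 for pw in candidates if check_password(pw, header, crc32)[0])


# Constructed sample entry: file data, its CRC-32, fixed "random" bytes, password.
SAMPLE_DATA = b"hello, WinZip 8.0 trace\n"
SAMPLE_CRC = zlib.crc32(SAMPLE_DATA) & MASK32
SAMPLE_RANDOM = bytes(range(1, 12))
SAMPLE_PASSWORD = b"secret"
SAMPLE_HEADER = encrypt_header(SAMPLE_PASSWORD, SAMPLE_CRC, SAMPLE_RANDOM)

if __name__ == "__main__":
    ok, plain, _ = check_password(SAMPLE_PASSWORD, SAMPLE_HEADER, SAMPLE_CRC)
    print("correct password accepted:", ok, plain.hex())
    wrong = [b"guess%04d" % i for i in range(512)]
    print("wrong passwords passing the check byte:",
          false_accepts(SAMPLE_HEADER, SAMPLE_CRC, wrong), "of", len(wrong))
```

The practical consequence of the trace is visible in false_accepts(): the cmp ax, dx at 20001F3E compares a single byte, so a wrong password is rejected here with probability only 255/256, and a password-recovery loop can use this byte as a cheap filter before doing any inflation.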





KINGSUN


