WINZIP8.0PASSWORD追踪部分认识(7千字),WINZIP,加密算法 2008年06月23日 星期一 下午 12:43 WINZIP8.0PASSWORD追踪部分认识 1.加密加压一个ABC.ZIP 2.解压ABC.ZIP,输入PASSWORD 3.BPX HMEMCPY 确认PASSWORD 4.按F12 进入无模块提醒领空 5.U 20001EC6 6.BPX 20001EC6 7.F5拦截成功如下 :20001EC6 A1CC4D0620 mov eax, dword ptr [20064DCC]--passwod :20001ECB 56 push esi :20001ECC 50 push eax :20001ECD E83EFDFFFF call 20001C10----计算1 :20001ED2 8B4D08 mov ecx, dword ptr [ebp 08] :20001ED5 83C404 add esp, 00000004 :20001ED8 33F6 xor esi, esi :20001EDA 8B11 mov edx, dword ptr [ecx] :20001EDC 8955F4 mov dword ptr [ebp-0C], edx :20001EDF 8B4104 mov eax, dword ptr [ecx 04] :20001EE2 8945F8 mov dword ptr [ebp-08], eax :20001EE5 8B4908 mov ecx, dword ptr [ecx 08] :20001EE8 894DFC mov dword ptr [ebp-04], ecx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:20001F0E(C) | :20001EEB E890FCFFFF call 20001B80---计算2 :20001EF0 8A5435F4 mov dl, byte ptr [ebp esi-0C] :20001EF4 32D0 xor dl, al :20001EF6 8AC2 mov al, dl :20001EF8 885435F4 mov byte ptr [ebp esi-0C], dl :20001EFC 25FF000000 and eax, 000000FF :20001F01 50 push eax :20001F02 E899FCFFFF call 20001BA0----计算3 :20001F07 83C404 add esp, 00000004 :20001F0A 46 inc esi :20001F0B 83FE0C cmp esi,0000000C--oc=12, ( the encryption header=12 bytes ) :20001F0E 7CDB jl 20001EEB--计算2. 计算3 循环12计算 :20001F10 8B15240F0320 mov edx, dword ptr [20030F24] :20001F16 660FB645FF movzx ax, byte ptr [ebp-01]--计算结果 :20001F1B F6422002 test [edx 20], 02 :20001F1F 7414 je 20001F35 :20001F35 8B156A170820 mov edx, dword ptr [2008176A]--crc32 :20001F3B C1EA18 shr edx, 18 :20001F3E 663BC2 cmp ax, dx :20001F41 7407 je 20001F4A 计算1--可能是PAUL文章如下部分: process_keys(key): key0_{1-l} <-- 0x12345678 key1_{1-l} <-- 0x23456789 key2_{1-l} <-- 0x34567890 loop for i <-- 1 to l update_keys_{i-l}(key_{i}) end loop end process_keys :20001C10 55 push ebp :20001C11 8BEC mov ebp, esp :20001C13 56 push esi :20001C14 8B7508 mov esi, dword ptr [ebp 08]--password :20001C17 C7058840032078563412 mov dword ptr [20034088], 12345678 :20001C21 C7058C40032089674523 mov dword ptr [2003408C], 23456789 :20001C2B C7059040032090785634 mov dword ptr [20034090], 34567890 :20001C35 8A06 mov al, byte ptr [esi]--password :20001C37 84C0 test al, al :20001C39 7416 je 20001C51 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:20001C4F(C) | :20001C3B 25FF000000 and eax, 000000FF :20001C40 50 push eax :20001C41 E85AFFFFFF call 20001BA0 -----计算1.1 :20001C46 8A4601 mov al, byte ptr [esi 01]--next password :20001C49 83C404 add esp, 00000004 :20001C4C 46 inc esi---password长度 1 :20001C4D 84C0 test al, al :20001C4F 75EA jne 20001C3B --password长度=0 NO JUMP * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:20001C39(C) :20001C51 5E pop esi :20001C52 5D pop ebp :20001C53 C3 ret 计算1.1 * Referenced by a CALL at Addresses: |:20001C41 , :20001CB7 , :20001D0B , :20001D44 , :20001D78 |:20001DEE , :20001F02 , :20001F93 , :20008ACC | :20001BA0 55 push ebp :20001BA1 8BEC mov ebp, esp :20001BA3 8B1588400320 mov edx, dword ptr [20034088]-12345678 :20001BA9 8B4508 mov eax, dword ptr [ebp 08]- password :20001BAC 8BCA mov ecx, edx :20001BAE 56 push esi :20001BAF 33C8 xor ecx, eax :20001BB1 81E1FF000000 and ecx, 000000FF :20001BB7 C1EA08 shr edx, 08 :20001BBA 8B0C8D04110320 mov ecx, dword ptr [4*ecx 20031104] :20001BC1 33CA xor ecx, edx :20001BC3 8B158C400320 mov edx, dword ptr [2003408C]-23456789 :20001BC9 890D88400320 mov dword ptr [20034088], ecx :20001BCF 81E1FF000000 and ecx, 000000FF :20001BD5 03CA add ecx, edx :20001BD7 8B1590400320 mov edx, dword ptr [20034090]-3456790 :20001BDD 69C905840808 imul ecx, 08088405 :20001BE3 41 inc ecx :20001BE4 8BF2 mov esi, edx :20001BE6 890D8C400320 mov dword ptr [2003408C], ecx :20001BEC 81E6FF000000 and esi, 000000FF :20001BF2 C1E918 shr ecx, 18 :20001BF5 33CE xor ecx, esi :20001BF7 5E pop esi :20001BF8 C1EA08 shr edx, 08 :20001BFB 8B0C8D04110320 mov ecx, dword ptr [4*ecx 20031104] :20001C02 33CA xor ecx, edx :20001C04 890D90400320 mov dword ptr [20034090], ecx --[20034090] 结果存放地址 :20001C0A 5D pop ebp :20001C0B C3 ret 计算2 :20001B80 8B0D90400320 mov ecx, dword ptr [20034090] :20001B86 83C902 or ecx, 00000002 :20001B89 8BC1 mov eax, ecx :20001B8B 83F001 xor eax, 00000001 :20001B8E 0FAFC1 imul eax, ecx :20001B91 25FFFF0000 and eax, 0000FFFF :20001B96 C1E808 shr eax, 08 :20001B99 C3 ret 计算3 :20001BA0 55 push ebp :20001BA1 8BEC mov ebp, esp :20001BA3 8B1588400320 mov edx, dword ptr [20034088] :20001BA9 8B4508 mov eax, dword ptr [ebp 08] :20001BAC 8BCA mov ecx, edx :20001BAE 56 push esi :20001BAF 33C8 xor ecx, eax :20001BB1 81E1FF000000 and ecx, 000000FF :20001BB7 C1EA08 shr edx, 08 :20001BBA 8B0C8D04110320 mov ecx, dword ptr [4*ecx 20031104] :20001BC1 33CA xor ecx, edx :20001BC3 8B158C400320 mov edx, dword ptr [2003408C] :20001BC9 890D88400320 mov dword ptr [20034088], ecx :20001BCF 81E1FF000000 and ecx, 000000FF :20001BD5 03CA add ecx, edx :20001BD7 8B1590400320 mov edx, dword ptr [20034090] :20001BDD 69C905840808 imul ecx, 08088405 :20001BE3 41 inc ecx :20001BE4 8BF2 mov esi, edx :20001BE6 890D8C400320 mov dword ptr [2003408C], ecx :20001BEC 81E6FF000000 and esi, 000000FF :20001BF2 C1E918 shr ecx, 18 :20001BF5 33CE xor ecx, esi :20001BF7 5E pop esi :20001BF8 C1EA08 shr edx, 08 :20001BFB 8B0C8D04110320 mov ecx, dword ptr [4*ecx 20031104] :20001C02 33CA xor ecx, edx :20001C04 890D90400320 mov dword ptr [20034090], ecx--好象最终结果是解密解压的key :20001C0A 5D pop ebp :20001C0B C3 ret KINGSUN 版权所有 |
|小黑屋|最新主题|手机版|微赢网络技术论坛 ( 苏ICP备08020429号 )
GMT+8, 2024-9-30 03:33 , Processed in 0.196951 second(s), 12 queries , Gzip On, MemCache On.
Powered by Discuz! X3.5
© 2001-2023 Discuz! Team.