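A beginner learns the RSA algorithm: cracking Photo Screensaver Maker 3.6.6
Software size: 1385 KB
Software language: English
Software category: Foreign software / Shareware / Desktop creation
Runtime environment: Win9x/Me/NT/2000/XP
Date added: 2006-6-19 15:54:14
Download URL: http://www.onlinedown.net/soft/38444.htm
Software details: A slideshow screensaver maker; you can use it to build screensavers with photos, music and text. Supported image formats: jpg, gif, bmp, png, tif, tga, pcx. Supported audio formats: mp3, midi and wav. You can add text to the images and set various transition effects for them.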
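Background knowledge (I hope it is useful to beginners like me):
RSA is the first algorithm that can be used both for data encryption and for digital signatures. It is named after its inventors: Ron Rivest, Adi Shamir and Leonard Adleman.
The algorithm is as follows:
1. Choose two large primes p and q of similar size;
2. Compute n=p*q and z=(p-1)*(q-1);
3. Choose any integer e that is coprime to z;
4. Compute the integer d that satisfies e*d=1 mod z;
5. Split the plaintext m into blocks s and encrypt them, each block s being smaller than n. Now assume the plaintext m is smaller than n; encryption produces the ciphertext c. Encryption and decryption work as follows:
Encryption: c=m^e mod n
Decryption: m=c^d mod n
6. (n,e) and (n,d) are called the "public key" and the "secret key" respectively. By Euler's theorem: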
m=c^d mod n=(m^e mod n)^d mod n=m
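The six steps above, as an added example that is not part of the original post: textbook RSA in Python on two constructed 16-bit primes (all function names and sample values are illustrative assumptions). recover_d shows that anyone who can factor n can rebuild d from the public pair (n, e), which is why the modulus has to be too large to factor.

```python
# Added example (not from the original post): textbook RSA on toy primes.
from math import gcd

def keygen(p, q, e):
    """Steps 1-4: n = p*q, z = (p-1)*(q-1), d with e*d = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be coprime to z")
    return n, pow(e, -1, z)          # modular inverse (Python 3.8+)

def encrypt(m, e, n):
    """Step 5: c = m^e mod n, for a block m smaller than n."""
    if not 0 <= m < n:
        raise ValueError("block must be smaller than n")
    return pow(m, e, n)

def decrypt(c, d, n):
    """Step 5: m = c^d mod n."""
    return pow(c, d, n)

def recover_d(n, e):
    """Rebuild d from the public pair (n, e) by factoring n.
    Trial division succeeds only because this toy n is about 32 bits."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return pow(e, -1, (f - 1) * (n // f - 1))
        f += 2
    raise ValueError("n has no small odd factor")

# Constructed sample values, not taken from the program analysed here.
P, Q, E = 65519, 65521, 0x10001
N, D = keygen(P, Q, E)
M = 0x01234567                       # one plaintext block, M < N
C = encrypt(M, E, N)

if __name__ == "__main__":
    print("round trip ok:", decrypt(C, D, N) == M)
    print("d recovered from (n, e):", recover_d(N, E) == D)
```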
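Preparation:
PEiD reports: Microsoft Visual C++ 6.0
In the registration dialog enter user name: wzwgp, registration code: 12345678. The prompt is: "invalid user name or register code"
I. Tracing the algorithm
Load the program in OD (OllyDbg), open the Ultra String Reference search, find the text string "invalid user name or register code", and double-click it to return to the code window. Set a breakpoint at 0042C211, press F9 to run the program, enter the user name and registration code, and click "ok"; execution breaks here.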
0042C211 .6A 01 PUSH 1
0042C213 .8BCD MOV ECX,EBP
0042C215 .E8 B2A30700 CALL <JMP.&MFC42.#6334>
0042C21A .8B45 64 MOV EAX,DWORD PTR SS: ;address of the fake code into EAX
0042C21D .8B4D 60 MOV ECX,DWORD PTR SS: ;address of the user name into ECX
0042C220 .50 PUSH EAX
0042C221 .51 PUSH ECX
0042C222 .E8 3065FDFF CALL Photo_Sc.00402757 ;algorithm call, F7 to step in
0042C227 .83C4 08 ADD ESP,8
0042C22A .85C0 TEST EAX,EAX ;EAX=1 on success
0042C22C .75 2B JNZ SHORT Photo_Sc.0042C259
0042C22E .6A 40 PUSH 40
0042C230 .68 0C984F00 PUSH Photo_Sc.004F980C ;sorry
0042C235 .68 E0974F00 PUSH Photo_Sc.004F97E0 ;invalid user name or register code
0042C23A .8BCD MOV ECX,EBP
0042C23C .E8 C1A60700 CALL <JMP.&MFC42.#4224>
0042C241 .68 F3030000 PUSH 3F3
0042C246 .8BCD MOV ECX,EBP
0042C248 .E8 17A20700 CALL <JMP.&MFC42.#3092>
0042C24D .8BC8 MOV ECX,EAX
0042C24F .E8 80A10700 CALL <JMP.&MFC42.#5981>
0042C254 .E9 71010000 JMP Photo_Sc.0042C3CA
0042C259 >C783 C4000000>MOV DWORD PTR DS:,1
0042C263 .8B45 60 MOV EAX,DWORD PTR SS:
0042C266 .56 PUSH ESI
0042C267 .50 PUSH EAX
0042C268 .8D8B CC000000 LEA ECX,DWORD PTR DS:
0042C26E .E8 119D0700 CALL <JMP.&MFC42.#860>
0042C273 .8B45 60 MOV EAX,DWORD PTR SS:
0042C276 .50 PUSH EAX
0042C277 .8D8424 1C0200>LEA EAX,DWORD PTR SS:
0042C27E .68 D0974F00 PUSH Photo_Sc.004F97D0 ;license to:%s
0042C283 .50 PUSH EAX
0042C284 .FF15 84CF5100 CALL NEAR DWORD PTR DS:[<&MSVCRT.sprintf>
0042C28A .83C4 0C ADD ESP,0C
0042C28D .8D8C24 180200>LEA ECX,DWORD PTR SS:
0042C294 .6A 40 PUSH 40
0042C296 .68 C4974F00 PUSH Photo_Sc.004F97C4 ;thank you
0042C29B .51 PUSH ECX
Pressing F7 at 0042C222 leads here:
00402757 $ /E9 D4930200 JMP Photo_Sc.0042BB30 ;jump to 0042BB30
0042BB30 > \6A FF PUSH -1
0042BB32 .68 49414C00 PUSH Photo_Sc.004C4149 ;SE handler installation
0042BB37 .64:A1 0000000>MOV EAX,DWORD PTR FS:
0042BB3D .50 PUSH EAX
0042BB3E .64:8925 00000>MOV DWORD PTR FS:,ESP
0042BB45 .81EC 94000000 SUB ESP,94
0042BB4B .8B8424 A40000>MOV EAX,DWORD PTR SS: ;address of the user name into EAX
0042BB52 .53 PUSH EBX
0042BB53 .56 PUSH ESI
0042BB54 .50 PUSH EAX
0042BB55 .8D4C24 10 LEA ECX,DWORD PTR SS:
0042BB59 .C74424 60 478>MOV DWORD PTR SS:,0FBF8A47 |
0042BB61 .C74424 64 C99>MOV DWORD PTR SS:,234E94C9 |
0042BB69 .C74424 68 855>MOV DWORD PTR SS:,E4475D85 |
0042BB71 .C74424 6C EE3>MOV DWORD PTR SS:,DBF030EE |this group of values is n
0042BB79 .C74424 70 069>MOV DWORD PTR SS:,323B9C06 |
0042BB81 .C74424 74 33C>MOV DWORD PTR SS:,E3D3C333 |
0042BB89 .C74424 78 1A2>MOV DWORD PTR SS:,C9BF2B1A |
0042BB91 .C74424 7C EEC>MOV DWORD PTR SS:,385AC5EE |
0042BB99 .E8 04A70700 CALL <JMP.&MFC42.#537>
0042BB9E .8B8C24 B00000>MOV ECX,DWORD PTR SS: ;address of the fake code into ECX
0042BBA5 .C78424 A40000>MOV DWORD PTR SS:,0
0042BBB0 .51 PUSH ECX
0042BBB1 .8D4C24 0C LEA ECX,DWORD PTR SS:
0042BBB5 .E8 E8A60700 CALL <JMP.&MFC42.#537>
0042BBBA .8B5424 0C MOV EDX,DWORD PTR SS: ;address of the user name into EDX
0042BBBE .8B35 40CF5100 MOV ESI,DWORD PTR DS:[<&MSVCRT._mbscmp>]
0042BBC4 .68 448B5000 PUSH Photo_Sc.00508B44
0042BBC9 .52 PUSH EDX
0042BBCA .C68424 AC0000>MOV BYTE PTR SS:,1
0042BBD2 .FFD6 CALL NEAR ESI ;check whether a user name was entered
0042BBD4 .83C4 08 ADD ESP,8
0042BBD7 .85C0 TEST EAX,EAX
0042BBD9 .0F84 11020000 JE Photo_Sc.0042BDF0
0042BBDF .8B4424 08 MOV EAX,DWORD PTR SS:
0042BBE3 .68 448B5000 PUSH Photo_Sc.00508B44
0042BBE8 .50 PUSH EAX
0042BBE9 .FFD6 CALL NEAR ESI ;check whether a registration code was entered
0042BBEB .83C4 08 ADD ESP,8
0042BBEE .85C0 TEST EAX,EAX
0042BBF0 .0F84 FA010000 JE Photo_Sc.0042BDF0
0042BBF6 .57 PUSH EDI
0042BBF7 .6A 00 PUSH 0
0042BBF9 .8D4C24 44 LEA ECX,DWORD PTR SS:
0042BBFD .E8 CF5AFDFF CALL Photo_Sc.004016D1
0042BC02 .6A 00 PUSH 0
0042BC04 .8D4C24 4C LEA ECX,DWORD PTR SS:
0042BC08 .C68424 AC0000>MOV BYTE PTR SS:,2
0042BC10 .E8 BC5AFDFF CALL Photo_Sc.004016D1
0042BC15 .B3 03 MOV BL,3
0042BC17 .68 01000100 PUSH 10001 ;encryption key e=10001 pushed onto the stack
0042BC1C .8D4C24 5C LEA ECX,DWORD PTR SS:
0042BC20 .889C24 AC0000>MOV BYTE PTR SS:,BL
0042BC27 .E8 A55AFDFF CALL Photo_Sc.004016D1
0042BC2C .8D4C24 58 LEA ECX,DWORD PTR SS:
0042BC30 .C68424 A80000>MOV BYTE PTR SS:,4
0042BC38 .51 PUSH ECX
0042BC39 .8D4C24 4C LEA ECX,DWORD PTR SS:
0042BC3D .E8 CA60FDFF CALL Photo_Sc.00401D0C
0042BC42 .8D4C24 58 LEA ECX,DWORD PTR SS:
0042BC46 .889C24 A80000>MOV BYTE PTR SS:,BL
0042BC4D .E8 7A5FFDFF CALL Photo_Sc.00401BCC
0042BC52 .8D5424 60 LEA EDX,DWORD PTR SS:
0042BC56 .6A 08 PUSH 8
0042BC58 .52 PUSH EDX
0042BC59 .8D4C24 48 LEA ECX,DWORD PTR SS:
0042BC5D .E8 0E6BFDFF CALL Photo_Sc.00402770
0042BC62 .B9 08000000 MOV ECX,8
0042BC67 .33C0 XOR EAX,EAX
0042BC69 .8D7C24 18 LEA EDI,DWORD PTR SS:
0042BC6D .8D5424 2C LEA EDX,DWORD PTR SS:
0042BC71 .F3:AB REP STOS DWORD PTR ES: ;clear space on the stack
0042BC73 .8D4424 34 LEA EAX,DWORD PTR SS:
0042BC77 .8D4C24 30 LEA ECX,DWORD PTR SS:
0042BC7B .50 PUSH EAX
0042BC7C .51 PUSH ECX
0042BC7D .8D4424 30 LEA EAX,DWORD PTR SS:
0042BC81 .52 PUSH EDX
0042BC82 .8D4C24 30 LEA ECX,DWORD PTR SS:
0042BC86 .50 PUSH EAX
0042BC87 .8D5424 30 LEA EDX,DWORD PTR SS:
0042BC8B .51 PUSH ECX
0042BC8C .8D4424 30 LEA EAX,DWORD PTR SS:
0042BC90 .52 PUSH EDX
0042BC91 .8B5424 24 MOV EDX,DWORD PTR SS: ;fake code into EDX
0042BC95 .8D4C24 30 LEA ECX,DWORD PTR SS:
0042BC99 .50 PUSH EAX
0042BC9A .51 PUSH ECX
0042BC9B .68 50974F00 PUSH Photo_Sc.004F9750 ;%08lx-%08lx-%08lx-%08lx-%08lx-%08lx-%08lx-%08lx\n
0042BCA0 .52 PUSH EDX ; registration code format
0042BCA1 .FF15 80CF5100 CALL NEAR DWORD PTR DS:[<&MSVCRT.sscanf>] ; read the registration code
0042BCA7 .8B4424 50 MOV EAX,DWORD PTR SS: ; s5
0042BCAB .8B4C24 4C MOV ECX,DWORD PTR SS: ; s4
0042BCAF .8B7C24 48 MOV EDI,DWORD PTR SS: ; s3
0042BCB3 .8B5424 44 MOV EDX,DWORD PTR SS: ; s2
0042BCB7 .03C1 ADD EAX,ECX ; s5+s4
0042BCB9 .8B4C24 5C MOV ECX,DWORD PTR SS: ; s8
0042BCBD .03C7 ADD EAX,EDI ; s5+s4+s3
0042BCBF .8B7C24 58 MOV EDI,DWORD PTR SS: ; s7
0042BCC3 .03C2 ADD EAX,EDX ; s5+s4+s3+s2
0042BCC5 .8B5424 54 MOV EDX,DWORD PTR SS: ; s6
0042BCC9 .33C8 XOR ECX,EAX ; s5+s4+s3+s2 xor s8
0042BCCB .8B4424 40 MOV EAX,DWORD PTR SS: ; s1
0042BCCF .83C4 28 ADD ESP,28
0042BCD2 .03D0 ADD EDX,EAX ; s6+s1
0042BCD4 .894C24 34 MOV DWORD PTR SS:,ECX ; the result of the XOR with s8 replaces s8
0042BCD8 .33FA XOR EDI,EDX ; s6+s1 xor s7
0042BCDA .6A 00 PUSH 0
0042BCDC .8D4C24 3C LEA ECX,DWORD PTR SS:
0042BCE0 .897C24 34 MOV DWORD PTR SS:,EDI ; the result of the XOR with s7 replaces s7
0042BCE4 .E8 E859FDFF CALL Photo_Sc.004016D1
0042BCE9 .8D4C24 18 LEA ECX,DWORD PTR SS:
0042BCED .6A 08 PUSH 8
0042BCEF .51 PUSH ECX
0042BCF0 .8D4C24 40 LEA ECX,DWORD PTR SS:
0042BCF4 .C68424 B00000>MOV BYTE PTR SS:,5
0042BCFC .E8 6F6AFDFF CALL Photo_Sc.00402770
0042BD01 .8D5424 38 LEA EDX,DWORD PTR SS:
0042BD05 .8D4424 50 LEA EAX,DWORD PTR SS:
0042BD09 .52 PUSH EDX
0042BD0A .50 PUSH EAX
0042BD0B .8D4C24 48 LEA ECX,DWORD PTR SS:
0042BD0F .E8 FF6CFDFF CALL Photo_Sc.00402A13 ; RSA operation
0042BD14 .B9 08000000 MOV ECX,8
0042BD19 .33C0 XOR EAX,EAX
0042BD1B .8D7C24 18 LEA EDI,DWORD PTR SS:
0042BD1F .6A 08 PUSH 8
0042BD21 .F3:AB REP STOS DWORD PTR ES:
0042BD23 .8D4C24 1C LEA ECX,DWORD PTR SS:
0042BD27 .C68424 AC0000>MOV BYTE PTR SS:,6
0042BD2F .51 PUSH ECX
0042BD30 .8D4C24 58 LEA ECX,DWORD PTR SS:
0042BD34 .E8 655FFDFF CALL Photo_Sc.00401C9E ; output the RSA result
0042BD39 .B9 08000000 MOV ECX,8
0042BD3E .33C0 XOR EAX,EAX
0042BD40 .8DBC24 800000>LEA EDI,DWORD PTR SS:
0042BD47 .F3:AB REP STOS DWORD PTR ES: ;clear space on the stack
0042BD49 .5F POP EDI
0042BD4A >8B4C04 14 MOV ECX,DWORD PTR SS:
0042BD4E .83C0 04 ADD EAX,4
0042BD51 .8BD1 MOV EDX,ECX
0042BD53 .C1EA 18 SHR EDX,18
0042BD56 .885404 78 MOV BYTE PTR SS:,DL
0042BD5A .8BD1 MOV EDX,ECX
0042BD5C .C1EA 10 SHR EDX,10
0042BD5F .C1E9 08 SHR ECX,8
0042BD62 .885404 79 MOV BYTE PTR SS:,DL
0042BD66 .884C04 7A MOV BYTE PTR SS:,CL
0042BD6A .8A4C04 10 MOV CL,BYTE PTR SS:
0042BD6E .83F8 20 CMP EAX,20
0042BD71 .884C04 7B MOV BYTE PTR SS:,CL
0042BD75 .^ 7C D3 JL SHORT Photo_Sc.0042BD4A ; loop that reorders the RSA result
0042BD77 .8D5424 7C LEA EDX,DWORD PTR SS:
0042BD7B .8D4C24 10 LEA ECX,DWORD PTR SS:
0042BD7F .52 PUSH EDX
0042BD80 .E8 1DA50700 CALL <JMP.&MFC42.#537>
0042BD85 .8B4424 10 MOV EAX,DWORD PTR SS:
0042BD89 .8B4C24 0C MOV ECX,DWORD PTR SS:
0042BD8D .50 PUSH EAX ; computed result
0042BD8E .51 PUSH ECX ; user name
0042BD8F .FFD6 CALL NEAR ESI ; compare the user name with the computed result
0042BD91 .83C4 08 ADD ESP,8
0042BD94 .C68424 A40000>MOV BYTE PTR SS:,6
0042BD9C .85C0 TEST EAX,EAX ; equal: EAX=0, not equal: EAX=FFFFFFFF
0042BD9E .8D4C24 10 LEA ECX,DWORD PTR SS:
0042BDA2 .0F84 86000000 JE Photo_Sc.0042BE2E
0042BDA8 .E8 ADA10700 CALL <JMP.&MFC42.#800>
0042BDAD .8D4C24 4C LEA ECX,DWORD PTR SS:
0042BDB1 .C68424 A40000>MOV BYTE PTR SS:,5
0042BDB9 .E8 0E5EFDFF CALL Photo_Sc.00401BCC
0042BDBE .8D4C24 34 LEA ECX,DWORD PTR SS:
0042BDC2 .889C24 A40000>MOV BYTE PTR SS:,BL
0042BDC9 .E8 FE5DFDFF CALL Photo_Sc.00401BCC
0042BDCE .8D4C24 44 LEA ECX,DWORD PTR SS:
0042BDD2 .C68424 A40000>MOV BYTE PTR SS:,8
0042BDDA .E8 ED5DFDFF CALL Photo_Sc.00401BCC
0042BDDF .8D4C24 3C LEA ECX,DWORD PTR SS:
0042BDE3 .C68424 A40000>MOV BYTE PTR SS:,1
0042BDEB .E8 DC5DFDFF CALL Photo_Sc.00401BCC
0042BDF0 >8D4C24 08 LEA ECX,DWORD PTR SS:
0042BDF4 .C68424 A40000>MOV BYTE PTR SS:,0
0042BDFC .E8 59A10700 CALL <JMP.&MFC42.#800>
0042BE01 .8D4C24 0C LEA ECX,DWORD PTR SS:
0042BE05 .C78424 A40000>MOV DWORD PTR SS:,-1
0042BE10 .E8 45A10700 CALL <JMP.&MFC42.#800>
0042BE15 .5E POP ESI
0042BE16 .33C0 XOR EAX,EAX
0042BE18 .5B POP EBX
0042BE19 .8B8C24 940000>MOV ECX,DWORD PTR SS:
0042BE20 .64:890D 00000>MOV DWORD PTR FS:,ECX
0042BE27 .81C4 A0000000 ADD ESP,0A0
0042BE2D .C3 RETN
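II. Algorithm analysis
1. The registration code is split into 8 groups: s1, s2, s3, s4, s5, s6, s7, s8
Preprocessing before verification: s7=(s1+s6) xor s7   s8=(s2+s3+s4+s5) xor s8
2. RSA-256 operation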
n=385AC5EEC9BF2B1AE3D3C333323B9C06DBF030EEE4475D85234E94C90FBF8A47
e=10001
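3. Reorder the computed result
For example: B1BE436A          6A43BEB1
             F29961A1 ------>  A16199F2
             6A85B49E          9EB4856A
4. The reordered result is compared with the hexadecimal value of the user name; if they are equal, registration succeeds, otherwise it fails.
III. Verifying the algorithm
Using the RSATool utility, derive p, q and d from n and e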
p= B2D357E7DFA69C5CDE44DEBCD6607553
q= 50ACD489C8A870905E9BE188D169E4BD
d= F9816C36FF24564487CF5BBF9FF82BA1F5D47F0BBA287F2B0A1DDB78B11CF09
User name m=wzwgp -> wzwg-p -> p000wzwg (0x70000000777A7767)
Let: X=70000000777A7767 <------ m
Y=F9816C36FF24564487CF5BBF9FF82BA1F5D47F0BBA287F2B0A1DDB78B11CF09<------ d
Z=385AC5EEC9BF2B1AE3D3C333323B9C06DBF030EEE4475D85234E94C90FBF8A47 <------ n
Use Bigclc to compute C with "X^Y%Z" (select base 16)
c=2E3A48AABCF2A3594C5564AB5D3ADBED3823D1184DE44472E853C7EB364C2AA6
This becomes: 2E3A48AA-BCF2A359-4C5564AB-5D3ADBED-3823D118-4DE44472-E853C7EB-364C2AA6
364C2AA6-E853C7EB-4DE44472-3823D118-5D3ADBED-4C5564AB-BCF2A359-2E3A48AA
Compute: s7=(s6+s1) xor s7 = 82A18F51 xor BCF2A359 = 3E532C08
s8=(s5+s4+s3+s2) xor s8 = CB96B962 xor 2E3A48AA = E5ACF1C8
364C2AA6-E853C7EB-4DE44472-3823D118-5D3ADBED-4C5564AB-3E532C08-E5ACF1C8
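User name: wzwgp
Registration code: 364C2AA6-E853C7EB-4DE44472-3823D118-5D3ADBED-4C5564AB-3E532C08-E5ACF1C8
Registration succeeds. The registration information is saved in the file *:\Photo Screensaver Maker\DATA\regdata.ini.

Impressive, you can even handle encryption algorithms........

I supported this on Kanxue, and I will support it here as well.

Thank you both for the encouragement, brothers. Working out the algorithm was a coincidence; I got lucky.
To factor n you really need a good machine, otherwise you can watch two football matches and still have no result. I feel I still have a lot to learn, so I will keep working at it!

This algorithm makes my head spin~~

Learning from this. Strong work, I support it......

Being able to handle an encryption algorithm is really impressive.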