Algorithm walkthrough 02 == PYG 5.4 Teaching, Round 14, Cryptography Topic: CrackMe exercise (update 02)
This post was last edited by shaoge on 2017-6-4 13:29. I really don't understand unpacking, but luckily the location of the algorithm is basically unchanged:
So let's analyse it and learn from it:
Summary first:
1. Intermediate-result comparison
Username result: the standard MD5 of the username, as a 32-character hex string.
Registration-code result: I. a typical modified Base64 algorithm (1) + II. a classical transposition cipher (1) + III. modified Base64 algorithm (2) (same as 1) + IV. nibble swap and table lookup (the high and low 4 bits of each byte are swapped, then the byte is looked up in a 256-entry table) + V. a classical transposition cipher (2)
2. Related information
1) The registration code must be 32 characters long and consist of 0-9, A-Z, a-z, i.e. Base64 characters;
2) Plenty of loops; very power-hungry... {:lol:}
3) Experts, please give pointers and corrections! This exercise is for learning and consolidation.
CryptoMe_02.exe:00408A83 sub esp, 304h
CryptoMe_02.exe:00408A89 mov eax, dword_414570
CryptoMe_02.exe:00408A8E xor eax, ebp
CryptoMe_02.exe:00408A90 mov , eax
CryptoMe_02.exe:00408A93 mov , ecx
CryptoMe_02.exe:00408A99 mov , 0
CryptoMe_02.exe:00408AA3 lea eax,
CryptoMe_02.exe:00408AA9 push eax
CryptoMe_02.exe:00408AAA call sub_4075F0 ; MD5 constant table
CryptoMe_02.exe:00408AAF add esp, 4
CryptoMe_02.exe:00408AB2 mov ecx,
CryptoMe_02.exe:00408AB5 push ecx
CryptoMe_02.exe:00408AB6 call sub_4094D0
CryptoMe_02.exe:00408ABB add esp, 4
CryptoMe_02.exe:00408ABE push eax
CryptoMe_02.exe:00408ABF mov edx,
CryptoMe_02.exe:00408AC2 push edx
CryptoMe_02.exe:00408AC3 lea eax,
CryptoMe_02.exe:00408AC9 push eax
CryptoMe_02.exe:00408ACA call sub_407630
CryptoMe_02.exe:00408ACF add esp, 0Ch
CryptoMe_02.exe:00408AD2 lea ecx,
CryptoMe_02.exe:00408AD8 push ecx
CryptoMe_02.exe:00408AD9 lea edx,
CryptoMe_02.exe:00408ADF push edx
CryptoMe_02.exe:00408AE0 call sub_408560 ; username algorithm: standard MD5 core
CryptoMe_02.exe:00408AE5 add esp, 8
CryptoMe_02.exe:00408AE8 mov , 104h
CryptoMe_02.exe:00408AEF lea eax,
CryptoMe_02.exe:00408AF2 push eax
CryptoMe_02.exe:00408AF3 lea ecx,
'= Modified Base64 algorithm ===============================================
CryptoMe_02.exe:00408AF3 lea ecx,
CryptoMe_02.exe:00408AF9 push ecx
CryptoMe_02.exe:00408AFA mov edx,
CryptoMe_02.exe:00408AFD push edx ; registration-code algorithm I: modified Base64 decode 1
CryptoMe_02.exe:00408AFE call sub_408E40
CryptoMe_02.exe:00408B03 add esp, 12
CryptoMe_02.exe:00408B06 test eax, eax
CryptoMe_02.exe:00408B08 jnz short loc_408B11
CryptoMe_02.exe:00408B0A xor eax, eax
CryptoMe_02.exe:00408B0C jmp loc_408E30
'------------------------------------------------------------------------------------
CryptoMe_02.exe:00408E8E mov eax,
CryptoMe_02.exe:00408E91 cmp eax,
CryptoMe_02.exe:00408E94 jge loc_40900E
CryptoMe_02.exe:00408E9A mov ecx,
CryptoMe_02.exe:00408E9D movsx edx, byte ptr
CryptoMe_02.exe:00408EA0 cmp edx, 0Dh
CryptoMe_02.exe:00408EA3 jz loc_408FF7
CryptoMe_02.exe:00408EA9 mov eax,
CryptoMe_02.exe:00408EAC movsx ecx, byte ptr
CryptoMe_02.exe:00408EAF cmp ecx, 0Ah
CryptoMe_02.exe:00408EB2 jz loc_408FF7
CryptoMe_02.exe:00408EB8 mov edx, ; core of the modified Base64
CryptoMe_02.exe:00408EBB movsx eax, byte ptr ; handle the first 2 input bytes first
CryptoMe_02.exe:00408EBE movsx ecx, byte_414350 ; byte_414350 is the modified character table; inverting it gives: "zdTWmCuoyL53IvrBt4Zb/Ep92e7KRYj+hiJVfsOUa08QqxgHGPDk61XMSFwAnlcN"
CryptoMe_02.exe:00408EC5 shl ecx, 16
CryptoMe_02.exe:00408EC8 mov , ecx
CryptoMe_02.exe:00408ECB mov edx,
CryptoMe_02.exe:00408ECE add edx, 1
CryptoMe_02.exe:00408ED1 mov , edx
CryptoMe_02.exe:00408ED4 mov eax,
CryptoMe_02.exe:00408ED7 movsx ecx, byte ptr
CryptoMe_02.exe:00408EDA movsx edx, byte_414350
CryptoMe_02.exe:00408EE1 mov , edx
CryptoMe_02.exe:00408EE4 mov eax,
CryptoMe_02.exe:00408EE7 add eax, 1
CryptoMe_02.exe:00408EEA mov , eax
CryptoMe_02.exe:00408EED mov ecx,
CryptoMe_02.exe:00408EF0 and ecx, 3 ; AND 3
CryptoMe_02.exe:00408EF3 shl ecx, 22
CryptoMe_02.exe:00408EF6 add ecx,
CryptoMe_02.exe:00408EF9 mov , ecx
CryptoMe_02.exe:00408EFC mov edx,
CryptoMe_02.exe:00408EFF and edx, 60 ; AND 60
CryptoMe_02.exe:00408F02 shl edx, 6
CryptoMe_02.exe:00408F05 add edx, ; add
CryptoMe_02.exe:00408F08 mov , edx
CryptoMe_02.exe:00408F0B mov eax,
CryptoMe_02.exe:00408F0E and eax, 0FF0000h
CryptoMe_02.exe:00408F13 sar eax, 16
CryptoMe_02.exe:00408F16 mov ecx,
CryptoMe_02.exe:00408F19 mov , al
CryptoMe_02.exe:00408F1B mov edx,
CryptoMe_02.exe:00408F1E add edx, 1
CryptoMe_02.exe:00408F21 mov , edx
CryptoMe_02.exe:00408F24 mov eax,
CryptoMe_02.exe:00408F27 add eax, 1
CryptoMe_02.exe:00408F2A mov , eax
CryptoMe_02.exe:00408F2D mov ecx,
CryptoMe_02.exe:00408F30 movsx edx, byte ptr
CryptoMe_02.exe:00408F33 movsx eax, byte_414348
CryptoMe_02.exe:00408F3A cmp edx, eax
CryptoMe_02.exe:00408F3C jz loc_408FEC
CryptoMe_02.exe:00408F42 mov ecx,
CryptoMe_02.exe:00408F45 movsx edx, byte ptr ; 3rd input byte
CryptoMe_02.exe:00408F48 movsx eax, byte_414350
CryptoMe_02.exe:00408F4F mov , eax
CryptoMe_02.exe:00408F52 mov ecx,
CryptoMe_02.exe:00408F55 add ecx, 1
CryptoMe_02.exe:00408F58 mov , ecx
CryptoMe_02.exe:00408F5B mov edx,
CryptoMe_02.exe:00408F5E and edx, 15 ; AND 15
CryptoMe_02.exe:00408F61 shl edx, 0Ch
CryptoMe_02.exe:00408F64 add edx,
CryptoMe_02.exe:00408F67 mov , edx
CryptoMe_02.exe:00408F6A mov eax,
CryptoMe_02.exe:00408F6D and eax, 48 ; AND 48
CryptoMe_02.exe:00408F70 sar eax, 4
CryptoMe_02.exe:00408F73 add eax, ; add
CryptoMe_02.exe:00408F76 mov , eax
CryptoMe_02.exe:00408F79 mov ecx,
CryptoMe_02.exe:00408F7C and ecx, 0FF00h
CryptoMe_02.exe:00408F82 sar ecx, 8
CryptoMe_02.exe:00408F85 mov edx,
CryptoMe_02.exe:00408F88 mov , cl
CryptoMe_02.exe:00408F8A mov eax,
CryptoMe_02.exe:00408F8D add eax, 1
CryptoMe_02.exe:00408F90 mov , eax
CryptoMe_02.exe:00408F93 mov ecx,
CryptoMe_02.exe:00408F96 add ecx, 1
CryptoMe_02.exe:00408F99 mov , ecx
CryptoMe_02.exe:00408F9C mov edx,
CryptoMe_02.exe:00408F9F movsx eax, byte ptr
CryptoMe_02.exe:00408FA2 movsx ecx, byte_414348
CryptoMe_02.exe:00408FA9 cmp eax, ecx
CryptoMe_02.exe:00408FAB jz short loc_408FEC
CryptoMe_02.exe:00408FAD mov edx,
CryptoMe_02.exe:00408FB0 movsx eax, byte ptr ; 4th input byte
CryptoMe_02.exe:00408FB3 movsx ecx, byte_414350
CryptoMe_02.exe:00408FBA mov edx,
CryptoMe_02.exe:00408FBD lea eax, ; multiply by 4 and add
CryptoMe_02.exe:00408FC0 mov , eax
CryptoMe_02.exe:00408FC3 mov ecx,
CryptoMe_02.exe:00408FC6 add ecx, 1
CryptoMe_02.exe:00408FC9 mov , ecx
CryptoMe_02.exe:00408FCC mov edx,
CryptoMe_02.exe:00408FCF and edx, 255 ; AND 255
CryptoMe_02.exe:00408FD5 mov eax,
CryptoMe_02.exe:00408FD8 mov , dl
CryptoMe_02.exe:00408FDA mov ecx,
CryptoMe_02.exe:00408FDD add ecx, 1
CryptoMe_02.exe:00408FE0 mov , ecx
CryptoMe_02.exe:00408FE3 mov edx,
CryptoMe_02.exe:00408FE6 add edx, 1
CryptoMe_02.exe:00408FE9 mov , edx
CryptoMe_02.exe:00408FEC
CryptoMe_02.exe:00408FEC loc_408FEC: ; CODE XREF: sub_408E40+FCj
CryptoMe_02.exe:00408FEC ; sub_408E40+16Bj
CryptoMe_02.exe:00408FEC mov eax,
CryptoMe_02.exe:00408FEF add eax, 4
CryptoMe_02.exe:00408FF2 mov , eax
CryptoMe_02.exe:00408FF5 jmp short loc_409009
CryptoMe_02.exe:00408FF7 ; ---------------------------------------------------------------------------
CryptoMe_02.exe:00408FF7
CryptoMe_02.exe:00408FF7 loc_408FF7: ; CODE XREF: sub_408E40+63j
CryptoMe_02.exe:00408FF7 ; sub_408E40+72j
CryptoMe_02.exe:00408FF7 mov ecx,
CryptoMe_02.exe:00408FFA add ecx, 1
CryptoMe_02.exe:00408FFD mov , ecx
CryptoMe_02.exe:00409000 mov edx,
CryptoMe_02.exe:00409003 add edx, 1
CryptoMe_02.exe:00409006 mov , edx
CryptoMe_02.exe:00409009
CryptoMe_02.exe:00409009 loc_409009: ; CODE XREF: sub_408E40+1B5j
CryptoMe_02.exe:00409009 jmp loc_408E8E
'======================================================
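An added Python example (mine, not code from the original post or from the CrackMe) that re-implements the decode loop of sub_408E40 above with the recovered alphabet, together with the inverse encoder a keygen needs. Two details are not visible because the memory operands were stripped from the listing, so they are assumptions: the padding character stored at byte_414348 is taken to be '=', and the loop is assumed to run to the end of the input string.

```python
# Added example, not the CrackMe's code: the modified Base64 decoder of
# sub_408E40 and its inverse.  Assumptions: byte_414348 holds '=' and the
# routine decodes the whole input string.

ALPHABET = "zdTWmCuoyL53IvrBt4Zb/Ep92e7KRYj+hiJVfsOUa08QqxgHGPDk61XMSFwAnlcN"
DECODE_TABLE = {ch: i for i, ch in enumerate(ALPHABET)}  # byte_414350, indexed by character
PAD = "="  # assumption: the byte at byte_414348


def decode_variant_b64(text: str) -> bytes:
    """Decode with the exact mask/shift sequence of sub_408E40.

    Standard Base64 packs the four 6-bit symbols MSB-first
    (c0<<18 | c1<<12 | c2<<6 | c3).  This variant packs them LSB-first:
    the first output byte is c0 plus the low two bits of c1, so every
    24-bit group is effectively read little-endian.
    """
    # The loop skips a CR or LF that starts a group (cmp 0Dh / cmp 0Ah);
    # stripping them all up front is equivalent for line-wrapped input.
    chars = [ch for ch in text if ch not in "\r\n"]
    out = bytearray()
    for i in range(0, len(chars), 4):
        grp = chars[i:i + 4]
        if len(grp) < 2:
            break  # a lone trailing symbol carries no whole byte
        c0, c1 = DECODE_TABLE[grp[0]], DECODE_TABLE[grp[1]]
        acc = c0 << 16                  # shl ecx, 16
        acc += (c1 & 3) << 22           # and ecx, 3 ; shl ecx, 22
        acc += (c1 & 60) << 6           # and edx, 60 ; shl edx, 6
        out.append((acc & 0xFF0000) >> 16)
        if len(grp) < 3 or grp[2] == PAD:   # cmp with byte_414348 ; jz loc_408FEC
            continue                         # loc_408FEC: skip to the next group of 4
        c2 = DECODE_TABLE[grp[2]]
        acc += (c2 & 15) << 12          # and edx, 15 ; shl edx, 0Ch
        acc += (c2 & 48) >> 4           # and eax, 48 ; sar eax, 4
        out.append((acc & 0xFF00) >> 8)
        if len(grp) < 4 or grp[3] == PAD:
            continue
        c3 = DECODE_TABLE[grp[3]]
        acc += c3 * 4                   # lea eax, [edx+ecx*4]
        out.append(acc & 255)
    return bytes(out)


def encode_variant_b64(data: bytes) -> str:
    """Inverse of decode_variant_b64: read each 3-byte group as a little-endian
    24-bit word, emit its four 6-bit slices, and pad a short final group."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        word = int.from_bytes(chunk.ljust(3, b"\0"), "little")
        syms = [ALPHABET[(word >> (6 * k)) & 63] for k in range(4)]
        keep = len(chunk) + 1           # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
        out.append("".join(syms[:keep]) + PAD * (4 - keep))
    return "".join(out)
```

The masks and shifts in the listing are what show that this is not a stock Base64 with a swapped alphabet: the symbols are packed little-endian (c0 fills the low six bits of the first output byte and c1 supplies its top two), so a standard decoder fed the translated alphabet would produce the wrong bytes. The encoder reverses that packing, which is the step a keygen runs after undoing transposition 1.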
CryptoMe_02.exe:00408B35 mov , 0 ; transposition table 1, one swap per 4 bytes
CryptoMe_02.exe:00408B3C mov , 2
CryptoMe_02.exe:00408B43 mov , 0
CryptoMe_02.exe:00408B4A mov , 3
CryptoMe_02.exe:00408B51 mov , 1
CryptoMe_02.exe:00408B58 mov , 0
CryptoMe_02.exe:00408B62 jmp short loc_408B7C
CryptoMe_02.exe:00408B64 ; ---------------------------------------------------------------------------
CryptoMe_02.exe:00408B64
CryptoMe_02.exe:00408B64 loc_408B64: ; CODE XREF: sub_408A80+186j
CryptoMe_02.exe:00408B64 mov ecx,
CryptoMe_02.exe:00408B6A add ecx, 4
CryptoMe_02.exe:00408B6D mov , ecx
CryptoMe_02.exe:00408B73 mov edx,
CryptoMe_02.exe:00408B76 add edx, 1
CryptoMe_02.exe:00408B79 mov , edx
CryptoMe_02.exe:00408B7C
CryptoMe_02.exe:00408B7C loc_408B7C: ; CODE XREF: sub_408A80+E2j
CryptoMe_02.exe:00408B7C mov eax,
CryptoMe_02.exe:00408B7F cmp eax,
CryptoMe_02.exe:00408B85 jge loc_408C0B
CryptoMe_02.exe:00408B8B push 4 ; registration-code algorithm II: transposition cipher 1
CryptoMe_02.exe:00408B8D mov ecx,
CryptoMe_02.exe:00408B93 lea edx,
CryptoMe_02.exe:00408B9A push edx
CryptoMe_02.exe:00408B9B lea eax,
CryptoMe_02.exe:00408BA1 push eax
CryptoMe_02.exe:00408BA2 call sub_409E20
CryptoMe_02.exe:00408BA7 add esp, 0Ch
CryptoMe_02.exe:00408BAA mov ecx,
CryptoMe_02.exe:00408BB0 mov edx,
CryptoMe_02.exe:00408BB3 mov al,
CryptoMe_02.exe:00408BBA mov , al
CryptoMe_02.exe:00408BC1 mov ecx,
CryptoMe_02.exe:00408BC7 mov edx,
CryptoMe_02.exe:00408BCA mov al,
CryptoMe_02.exe:00408BD1 mov , al
CryptoMe_02.exe:00408BD8 mov ecx,
CryptoMe_02.exe:00408BDE mov edx,
CryptoMe_02.exe:00408BE1 mov al,
CryptoMe_02.exe:00408BE8 mov , al
CryptoMe_02.exe:00408BEF mov ecx,
CryptoMe_02.exe:00408BF5 mov edx,
CryptoMe_02.exe:00408BF8 mov al,
CryptoMe_02.exe:00408BFF mov , al
CryptoMe_02.exe:00408C06 jmp loc_408B64
'===============================================
CryptoMe_02.exe:00408C0B mov , 104h
CryptoMe_02.exe:00408C12 lea ecx,
CryptoMe_02.exe:00408C15 push ecx
CryptoMe_02.exe:00408C16 lea edx,
CryptoMe_02.exe:00408C1C push edx
CryptoMe_02.exe:00408C1D lea eax,
CryptoMe_02.exe:00408C23 push eax
CryptoMe_02.exe:00408C24 call sub_408E40 ; registration-code algorithm III: modified Base64 decode 2
CryptoMe_02.exe:00408C29 add esp, 0Ch
CryptoMe_02.exe:00408C2C mov , eax
CryptoMe_02.exe:00408C2F cmp , 16 ; check that the decoded length is 16; if not, jump to failure
CryptoMe_02.exe:00408C33 jz short loc_408C3C
CryptoMe_02.exe:00408C35 xor eax, eax
CryptoMe_02.exe:00408C37 jmp loc_408E30
'===================================================
CryptoMe_02.exe:00408CB8 loc_408CB8: ; CODE XREF: sub_408A80:loc_408DB3j
CryptoMe_02.exe:00408CB8 mov ecx,
CryptoMe_02.exe:00408CBE add ecx, 1
CryptoMe_02.exe:00408CC1 mov , ecx
CryptoMe_02.exe:00408CC7
CryptoMe_02.exe:00408CC7 loc_408CC7: ; CODE XREF: sub_408A80+236j
CryptoMe_02.exe:00408CC7 cmp , 4
CryptoMe_02.exe:00408CCE jge loc_408DB8
CryptoMe_02.exe:00408CD4 lea edx,
CryptoMe_02.exe:00408CDA push edx
CryptoMe_02.exe:00408CDB call sub_409020 ; registration-code algorithm IV: nibble swap + table lookup
CryptoMe_02.exe:00408CE0 add esp, 4
CryptoMe_02.exe:00408CE3 mov , 0
CryptoMe_02.exe:00408CED jmp short loc_408CFE
'------- nibble-swap/lookup subroutine, completed in 2 loop passes --------------------------------------------------------------------------------------------
CryptoMe_02.exe:00409051 cmp , 4
CryptoMe_02.exe:00409055 jge short loc_4090A9
CryptoMe_02.exe:00409057 mov edx,
CryptoMe_02.exe:0040905A mov eax,
CryptoMe_02.exe:0040905D lea ecx,
CryptoMe_02.exe:00409060 mov edx,
CryptoMe_02.exe:00409063 movsx eax, byte ptr
CryptoMe_02.exe:00409067 and eax, 0F0h ; high nibble of the byte
CryptoMe_02.exe:0040906C sar eax, 4
CryptoMe_02.exe:0040906F mov , eax
CryptoMe_02.exe:00409072 mov ecx,
CryptoMe_02.exe:00409075 mov edx,
CryptoMe_02.exe:00409078 lea eax,
CryptoMe_02.exe:0040907B mov ecx,
CryptoMe_02.exe:0040907E movsx edx, byte ptr
CryptoMe_02.exe:00409082 and edx, 0Fh ; low nibble of the byte
CryptoMe_02.exe:00409085 mov , edx
CryptoMe_02.exe:00409088 mov eax,
CryptoMe_02.exe:0040908B shl eax, 4
CryptoMe_02.exe:0040908E mov ecx,
CryptoMe_02.exe:00409091 mov edx,
CryptoMe_02.exe:00409094 lea ecx,
CryptoMe_02.exe:00409097 mov edx,
CryptoMe_02.exe:0040909A mov esi,
CryptoMe_02.exe:0040909D mov al, byte_414450 ; swap + lookup; byte_414450 is 256 bytes long
CryptoMe_02.exe:004090A4 mov , al
CryptoMe_02.exe:004090A7 jmp short loc_409048
'----- byte_414450 table ------------------------------------------------------------------------------------------------------
E2D681A62AFEC53CBDAF540A75D85120E9BBED7A92EE48A46E03B56DB8A5597D
DF4A391A4DD3C722EC50DEFCF3C95CC8899183D7F4438874C06A589602083772
0C7C0DA92F7E6980684C352D40BE9A36F72C8FC6B6DBCE09BCEB04D0A8C411B2
0552B1D415A2972E90642963318AE8CA873E762321D20B257824E034A1D90EAC
8D0060E4AA5D0FEA3827BA7FA3703216FB66DA06653DBF3B2871E162F8AD9F4E
9D42F2CF1285A04F672B93F0824B01561C9CE513C2FAFFDC9B9498E3F684EF77
E76B10465EB386B0F9176F73D1AE7B446CAB1ED55B9E265FC33A14181B3F79F1
FD8EB7C1CC55F5455357A747958BCD6149198C1F305A99411D33B4E6CB07DDB9
'======================================================
CryptoMe_02.exe:00408C3C mov , 3 ; transposition table 2
CryptoMe_02.exe:00408C43 mov , 0
CryptoMe_02.exe:00408C4A mov , 1
CryptoMe_02.exe:00408C51 mov , 2
CryptoMe_02.exe:00408C58 mov , 2
CryptoMe_02.exe:00408C5F mov , 1
CryptoMe_02.exe:00408C66 mov , 0
CryptoMe_02.exe:00408C6D mov , 3
CryptoMe_02.exe:00408C74 mov , 3
CryptoMe_02.exe:00408C7B mov , 0
CryptoMe_02.exe:00408C82 mov , 2
CryptoMe_02.exe:00408C89 mov , 1
CryptoMe_02.exe:00408C90 mov , 1
CryptoMe_02.exe:00408C97 mov , 3
CryptoMe_02.exe:00408C9E mov , 0
CryptoMe_02.exe:00408CA5 mov , 2
CryptoMe_02.exe:00408CAC mov , 0
CryptoMe_02.exe:00408CB6 jmp short loc_408CC7
'--------------------------------------------------------------------------------------------
CryptoMe_02.exe:00408CEF mov eax,
CryptoMe_02.exe:00408CF5 add eax, 1
CryptoMe_02.exe:00408CF8 mov , eax
CryptoMe_02.exe:00408CFE
CryptoMe_02.exe:00408CFE loc_408CFE: ; CODE XREF: sub_408A80+26Dj
CryptoMe_02.exe:00408CFE cmp , 4
CryptoMe_02.exe:00408D05 jge loc_408DB3
CryptoMe_02.exe:00408D0B push 4 ; registration-code algorithm V: transposition cipher 2
CryptoMe_02.exe:00408D0D mov ecx,
CryptoMe_02.exe:00408D13 lea edx,
CryptoMe_02.exe:00408D1A push edx
CryptoMe_02.exe:00408D1B lea eax,
CryptoMe_02.exe:00408D21 push eax
CryptoMe_02.exe:00408D22 call sub_409E20
CryptoMe_02.exe:00408D27 add esp, 0Ch
CryptoMe_02.exe:00408D2A mov ecx,
CryptoMe_02.exe:00408D30 shl ecx, 2
CryptoMe_02.exe:00408D33 mov edx,
CryptoMe_02.exe:00408D37 mov eax,
CryptoMe_02.exe:00408D3D mov cl,
CryptoMe_02.exe:00408D44 mov , cl
CryptoMe_02.exe:00408D4B mov edx,
CryptoMe_02.exe:00408D51 shl edx, 2
CryptoMe_02.exe:00408D54 mov eax,
CryptoMe_02.exe:00408D58 mov ecx,
CryptoMe_02.exe:00408D5E mov dl,
CryptoMe_02.exe:00408D65 mov , dl
CryptoMe_02.exe:00408D6C mov eax,
CryptoMe_02.exe:00408D72 shl eax, 2
CryptoMe_02.exe:00408D75 mov ecx,
CryptoMe_02.exe:00408D79 mov edx,
CryptoMe_02.exe:00408D7F mov al,
CryptoMe_02.exe:00408D86 mov , al
CryptoMe_02.exe:00408D8D mov ecx,
CryptoMe_02.exe:00408D93 shl ecx, 2
CryptoMe_02.exe:00408D96 mov edx,
CryptoMe_02.exe:00408D9A mov eax,
CryptoMe_02.exe:00408DA0 mov cl,
CryptoMe_02.exe:00408DA7 mov , cl
CryptoMe_02.exe:00408DAE jmp loc_408CEF
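An added Python example (mine, not the post's own code and not the VB keygen mentioned in the replies) for the byte-level stages II, IV and V read from the listings above, each with its inverse, since a keygen has to walk the chain backwards from the 16-byte target. Two points are assumptions, because the memory operands are missing from the listing: the 4-entry table of transposition 1 is read as [2, 0, 3, 1] (six `mov ..., imm` lines are shown at 408B35..408B58 and only four of them can be the table), and a table entry t[k] is interpreted as "output byte k comes from input byte t[k]" within each 4-byte group, with transposition 2 applying its k-th row to the k-th group. The 256-byte table is copied verbatim from the byte_414450 dump.

```python
# Added example, not the CrackMe's code: stages II, IV and V with inverses.
# Assumptions: PERM1 = [2, 0, 3, 1]; t[k] = source index of output byte k;
# transposition 2 applies row k to 4-byte group k.

SBOX = bytes.fromhex(
    "E2D681A62AFEC53CBDAF540A75D85120E9BBED7A92EE48A46E03B56DB8A5597D"
    "DF4A391A4DD3C722EC50DEFCF3C95CC8899183D7F4438874C06A589602083772"
    "0C7C0DA92F7E6980684C352D40BE9A36F72C8FC6B6DBCE09BCEB04D0A8C411B2"
    "0552B1D415A2972E90642963318AE8CA873E762321D20B257824E034A1D90EAC"
    "8D0060E4AA5D0FEA3827BA7FA3703216FB66DA06653DBF3B2871E162F8AD9F4E"
    "9D42F2CF1285A04F672B93F0824B01561C9CE513C2FAFFDC9B9498E3F684EF77"
    "E76B10465EB386B0F9176F73D1AE7B446CAB1ED55B9E265FC33A14181B3F79F1"
    "FD8EB7C1CC55F5455357A747958BCD6149198C1F305A99411D33B4E6CB07DDB9"
)  # byte_414450, copied from the dump above

PERM1 = [2, 0, 3, 1]  # assumed reading of the table initialised at 408B35..408B58
PERM2 = [[3, 0, 1, 2], [2, 1, 0, 3], [3, 0, 2, 1], [1, 3, 0, 2]]  # the 16 movs at 408C3C..408CA5


def invert_perm(p):
    """inv[p[k]] = k, so applying inv after p restores the original order."""
    inv = [0] * len(p)
    for k, src in enumerate(p):
        inv[src] = k
    return inv


def transpose(data: bytes, table) -> bytes:
    """Permute every 4-byte group.  `table` is one 4-entry list used for all
    groups (stage II, any multiple of 4 bytes) or one list per group
    (stage V, 16 bytes)."""
    if len(data) % 4:
        raise ValueError("input must be a multiple of 4 bytes")
    out = bytearray()
    for g in range(len(data) // 4):
        t = table[g] if isinstance(table[0], list) else table
        grp = data[4 * g:4 * g + 4]
        out.extend(grp[t[k]] for k in range(4))   # sub_409E20 copies 4 bytes, then 4 indexed moves
    return bytes(out)


def untranspose(data: bytes, table) -> bytes:
    inv = [invert_perm(t) for t in table] if isinstance(table[0], list) else invert_perm(table)
    return transpose(data, inv)


def swap_nibbles(b: int) -> int:
    return ((b & 0x0F) << 4) | ((b & 0xF0) >> 4)   # and 0Fh ; shl 4  |  and 0F0h ; sar 4


def sbox_stage(data: bytes) -> bytes:
    """Stage IV: swap the nibbles of each byte, then look the result up in byte_414450."""
    return bytes(SBOX[swap_nibbles(b)] for b in data)


def sbox_is_bijective() -> bool:
    """A keygen can only undo stage IV if byte_414450 is a permutation of 0..255."""
    return len(set(SBOX)) == 256


SBOX_INV = bytes(SBOX.index(v) for v in range(256)) if sbox_is_bijective() else None


def sbox_stage_inverse(data: bytes) -> bytes:
    if SBOX_INV is None:
        raise ValueError("byte_414450 is not invertible")
    return bytes(swap_nibbles(SBOX_INV[b]) for b in data)


def forward_tail(block16: bytes) -> bytes:
    """Stages IV then V on the 16 bytes produced by the second Base64 decode."""
    return transpose(sbox_stage(block16), PERM2)


def inverse_tail(target16: bytes) -> bytes:
    """Keygen direction: undo stage V, then stage IV, giving the 16 bytes that
    the second Base64 decode must produce."""
    return sbox_stage_inverse(untranspose(target16, PERM2))
```

The property a keygen depends on is sbox_is_bijective(): byte_414450 contains every value 0..255 exactly once, so the nibble-swap/lookup stage can be inverted by a second table instead of a preimage search. Stage II (transpose with PERM1) is applied to the 24-byte output of the first Base64 decode, so in the keygen it is undone with untranspose(..., PERM1) after re-encoding the 16 bytes from inverse_tail.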
3. Forward function
4. Inverse function
perfect ~ Every cracking analysis is a collision of ideas! A keygen written in VB; I haven't used VB for a long time. The algorithm parts give me a real headache~~ Thanks to the OP for sharing, I'll study it. When will I ever reach this level of algorithm analysis? Truly a master.