- UID
- 6880
注册时间2006-1-12
阅读权限30
最后登录1970-1-1
龙战于野
TA的每日心情 | 开心
2018-2-26 08:32 |
|---|
签到天数: 19 天 [LV.4]偶尔看看III
|
软件大小:1385KB
软件语言:英文
软件类别:国外软件/共享版/桌面制作
运行环境:Win9x/Me/NT/2000/XP
加入时间:2006-6-19 15:54:14
下载地址:http://www.onlinedown.net/soft/38444.htm
软件详细信息:一款幻灯屏幕保护程序制作软件,你可以用它来制作带照片、音乐和文本的屏保。支持的图片格式:jpg,gif,bmp,
png,tif,tga,pcx。支持音频格式:mp3,midi和wav。可以为图片添加文本,并为图片设置各种转场过渡效果。
预备知识:(希望对象我一样的菜鸟有用)
RSA是第一个既能用于数据加密也能用于数字签名的算法。算法的名字以发明者的名字命名:Ron Rivest、Adi Shamirh和enAdleman。
算法如下:
1,取两个相近的大素数p、q;
2,计算n=p*q,z=(p-1)*(q-1);
3,任取一个与z互素的整数e;
4,计算满足e*d=1 mod z 的整数d;
5,将明文m分成字符块s加密,每个块s小于n。现设明文m小于n,加密后形成密文c。 加密、解密过程如下:
加密:c=m^e mod n
解密:m=c^d mod n
6,(n,e)和(n,d)分别称为“公开密钥”和“秘密密钥”。根据Euler定理可得:
m=c^d mod n=(m^e mod n)^d mod n=m
准备工作:
PEiD查:Microsoft Visual C++ 6.0
注册框里填入用户名:wzwgp 注册码:12345678 提示:“invalid user name or register code”
一、算法跟踪
OD载入,超级字串参考, 找到文本字串=invalid user name or register code,双击返回代码窗口。在0042C211处下断,F9运行程序
,填入用户名、注册码,点击“ok”断下。
0042C211 . 6A 01 PUSH 1
0042C213 . 8BCD MOV ECX,EBP
0042C215 . E8 B2A30700 CALL <JMP.&MFC42.#6334>
0042C21A . 8B45 64 MOV EAX,DWORD PTR SS:[EBP+64] ; 假码地址入EAX
0042C21D . 8B4D 60 MOV ECX,DWORD PTR SS:[EBP+60] ; 用户名地址入ECX
0042C220 . 50 PUSH EAX
0042C221 . 51 PUSH ECX
0042C222 . E8 3065FDFF CALL Photo_Sc.00402757 ; 算法Call F7进入
0042C227 . 83C4 08 ADD ESP,8
0042C22A . 85C0 TEST EAX,EAX ; EAX=1成功
0042C22C . 75 2B JNZ SHORT Photo_Sc.0042C259
0042C22E . 6A 40 PUSH 40
0042C230 . 68 0C984F00 PUSH Photo_Sc.004F980C ; sorry
0042C235 . 68 E0974F00 PUSH Photo_Sc.004F97E0 ; invalid user name or register code
0042C23A . 8BCD MOV ECX,EBP
0042C23C . E8 C1A60700 CALL <JMP.&MFC42.#4224>
0042C241 . 68 F3030000 PUSH 3F3
0042C246 . 8BCD MOV ECX,EBP
0042C248 . E8 17A20700 CALL <JMP.&MFC42.#3092>
0042C24D . 8BC8 MOV ECX,EAX
0042C24F . E8 80A10700 CALL <JMP.&MFC42.#5981>
0042C254 . E9 71010000 JMP Photo_Sc.0042C3CA
0042C259 > C783 C4000000>MOV DWORD PTR DS:[EBX+C4],1
0042C263 . 8B45 60 MOV EAX,DWORD PTR SS:[EBP+60]
0042C266 . 56 PUSH ESI
0042C267 . 50 PUSH EAX
0042C268 . 8D8B CC000000 LEA ECX,DWORD PTR DS:[EBX+CC]
0042C26E . E8 119D0700 CALL <JMP.&MFC42.#860>
0042C273 . 8B45 60 MOV EAX,DWORD PTR SS:[EBP+60]
0042C276 . 50 PUSH EAX
0042C277 . 8D8424 1C0200>LEA EAX,DWORD PTR SS:[ESP+21C]
0042C27E . 68 D0974F00 PUSH Photo_Sc.004F97D0 ; license to:%s
0042C283 . 50 PUSH EAX
0042C284 . FF15 84CF5100 CALL NEAR DWORD PTR DS:[<&MSVCRT.sprintf>
0042C28A . 83C4 0C ADD ESP,0C
0042C28D . 8D8C24 180200>LEA ECX,DWORD PTR SS:[ESP+218]
0042C294 . 6A 40 PUSH 40
0042C296 . 68 C4974F00 PUSH Photo_Sc.004F97C4 ; thank you
0042C29B . 51 PUSH ECX
0042C222处F7到此:
00402757 $ /E9 D4930200 JMP Photo_Sc.0042BB30 ; 跳到:0042BB30
0042BB30 > \6A FF PUSH -1
0042BB32 . 68 49414C00 PUSH Photo_Sc.004C4149 ; SE 处理程序安装
0042BB37 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0042BB3D . 50 PUSH EAX
0042BB3E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0042BB45 . 81EC 94000000 SUB ESP,94
0042BB4B . 8B8424 A40000>MOV EAX,DWORD PTR SS:[ESP+A4] ; 用户名地址入EAX
0042BB52 . 53 PUSH EBX
0042BB53 . 56 PUSH ESI
0042BB54 . 50 PUSH EAX
0042BB55 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0042BB59 . C74424 60 478>MOV DWORD PTR SS:[ESP+60],0FBF8A47 |
0042BB61 . C74424 64 C99>MOV DWORD PTR SS:[ESP+64],234E94C9 |
0042BB69 . C74424 68 855>MOV DWORD PTR SS:[ESP+68],E4475D85 |
0042BB71 . C74424 6C EE3>MOV DWORD PTR SS:[ESP+6C],DBF030EE |这组数是n
0042BB79 . C74424 70 069>MOV DWORD PTR SS:[ESP+70],323B9C06 |
0042BB81 . C74424 74 33C>MOV DWORD PTR SS:[ESP+74],E3D3C333 |
0042BB89 . C74424 78 1A2>MOV DWORD PTR SS:[ESP+78],C9BF2B1A |
0042BB91 . C74424 7C EEC>MOV DWORD PTR SS:[ESP+7C],385AC5EE |
0042BB99 . E8 04A70700 CALL <JMP.&MFC42.#537>
0042BB9E . 8B8C24 B00000>MOV ECX,DWORD PTR SS:[ESP+B0] ; 假码地址入ECX
0042BBA5 . C78424 A40000>MOV DWORD PTR SS:[ESP+A4],0
0042BBB0 . 51 PUSH ECX
0042BBB1 . 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0042BBB5 . E8 E8A60700 CALL <JMP.&MFC42.#537>
0042BBBA . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] ; 用户名地址入EDX
0042BBBE . 8B35 40CF5100 MOV ESI,DWORD PTR DS:[<&MSVCRT._mbscmp>]
0042BBC4 . 68 448B5000 PUSH Photo_Sc.00508B44
0042BBC9 . 52 PUSH EDX
0042BBCA . C68424 AC0000>MOV BYTE PTR SS:[ESP+AC],1
0042BBD2 . FFD6 CALL NEAR ESI ; 检查是否输入用户名
0042BBD4 . 83C4 08 ADD ESP,8
0042BBD7 . 85C0 TEST EAX,EAX
0042BBD9 . 0F84 11020000 JE Photo_Sc.0042BDF0
0042BBDF . 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0042BBE3 . 68 448B5000 PUSH Photo_Sc.00508B44
0042BBE8 . 50 PUSH EAX
0042BBE9 . FFD6 CALL NEAR ESI ; 检查是否输入注册码
0042BBEB . 83C4 08 ADD ESP,8
0042BBEE . 85C0 TEST EAX,EAX
0042BBF0 . 0F84 FA010000 JE Photo_Sc.0042BDF0
0042BBF6 . 57 PUSH EDI
0042BBF7 . 6A 00 PUSH 0
0042BBF9 . 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+44]
0042BBFD . E8 CF5AFDFF CALL Photo_Sc.004016D1
0042BC02 . 6A 00 PUSH 0
0042BC04 . 8D4C24 4C LEA ECX,DWORD PTR SS:[ESP+4C]
0042BC08 . C68424 AC0000>MOV BYTE PTR SS:[ESP+AC],2
0042BC10 . E8 BC5AFDFF CALL Photo_Sc.004016D1
0042BC15 . B3 03 MOV BL,3
0042BC17 . 68 01000100 PUSH 10001 ; 加密密钥e=10001入栈
0042BC1C . 8D4C24 5C LEA ECX,DWORD PTR SS:[ESP+5C]
0042BC20 . 889C24 AC0000>MOV BYTE PTR SS:[ESP+AC],BL
0042BC27 . E8 A55AFDFF CALL Photo_Sc.004016D1
0042BC2C . 8D4C24 58 LEA ECX,DWORD PTR SS:[ESP+58]
0042BC30 . C68424 A80000>MOV BYTE PTR SS:[ESP+A8],4
0042BC38 . 51 PUSH ECX
0042BC39 . 8D4C24 4C LEA ECX,DWORD PTR SS:[ESP+4C]
0042BC3D . E8 CA60FDFF CALL Photo_Sc.00401D0C
0042BC42 . 8D4C24 58 LEA ECX,DWORD PTR SS:[ESP+58]
0042BC46 . 889C24 A80000>MOV BYTE PTR SS:[ESP+A8],BL
0042BC4D . E8 7A5FFDFF CALL Photo_Sc.00401BCC
0042BC52 . 8D5424 60 LEA EDX,DWORD PTR SS:[ESP+60]
0042BC56 . 6A 08 PUSH 8
0042BC58 . 52 PUSH EDX
0042BC59 . 8D4C24 48 LEA ECX,DWORD PTR SS:[ESP+48]
0042BC5D . E8 0E6BFDFF CALL Photo_Sc.00402770
0042BC62 . B9 08000000 MOV ECX,8
0042BC67 . 33C0 XOR EAX,EAX
0042BC69 . 8D7C24 18 LEA EDI,DWORD PTR SS:[ESP+18]
0042BC6D . 8D5424 2C LEA EDX,DWORD PTR SS:[ESP+2C]
0042BC71 . F3:AB REP STOS DWORD PTR ES:[EDI] ; 堆栈空出位置
0042BC73 . 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
0042BC77 . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
0042BC7B . 50 PUSH EAX
0042BC7C . 51 PUSH ECX
0042BC7D . 8D4424 30 LEA EAX,DWORD PTR SS:[ESP+30]
0042BC81 . 52 PUSH EDX
0042BC82 . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
0042BC86 . 50 PUSH EAX
0042BC87 . 8D5424 30 LEA EDX,DWORD PTR SS:[ESP+30]
0042BC8B . 51 PUSH ECX
0042BC8C . 8D4424 30 LEA EAX,DWORD PTR SS:[ESP+30]
0042BC90 . 52 PUSH EDX
0042BC91 . 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24] ; 假码入EDX
0042BC95 . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
0042BC99 . 50 PUSH EAX
0042BC9A . 51 PUSH ECX
0042BC9B . 68 50974F00 PUSH Photo_Sc.004F9750 ; %08lx-%08lx-%08lx-%08lx-%08lx-%08lx-%08lx-%08lx\n
0042BCA0 . 52 PUSH EDX ; 注册码格式
0042BCA1 . FF15 80CF5100 CALL NEAR DWORD PTR DS:[<&MSVCRT.sscanf>] ; 取注册码
0042BCA7 . 8B4424 50 MOV EAX,DWORD PTR SS:[ESP+50] ; s5
0042BCAB . 8B4C24 4C MOV ECX,DWORD PTR SS:[ESP+4C] ; s4
0042BCAF . 8B7C24 48 MOV EDI,DWORD PTR SS:[ESP+48] ; s3
0042BCB3 . 8B5424 44 MOV EDX,DWORD PTR SS:[ESP+44] ; s2
0042BCB7 . 03C1 ADD EAX,ECX ; s5+s4
0042BCB9 . 8B4C24 5C MOV ECX,DWORD PTR SS:[ESP+5C] ; s8
0042BCBD . 03C7 ADD EAX,EDI ; s5+s4+s3
0042BCBF . 8B7C24 58 MOV EDI,DWORD PTR SS:[ESP+58] ; s7
0042BCC3 . 03C2 ADD EAX,EDX ; s5+s4+s3+s2
0042BCC5 . 8B5424 54 MOV EDX,DWORD PTR SS:[ESP+54] ; s6
0042BCC9 . 33C8 XOR ECX,EAX ; s5+s4+s3+s2 xor s8
0042BCCB . 8B4424 40 MOV EAX,DWORD PTR SS:[ESP+40] ; s1
0042BCCF . 83C4 28 ADD ESP,28
0042BCD2 . 03D0 ADD EDX,EAX ; s6+s1
0042BCD4 . 894C24 34 MOV DWORD PTR SS:[ESP+34],ECX ; 与s8异或后的结果替换s8
0042BCD8 . 33FA XOR EDI,EDX ; s6+s1 xor s7
0042BCDA . 6A 00 PUSH 0
0042BCDC . 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
0042BCE0 . 897C24 34 MOV DWORD PTR SS:[ESP+34],EDI ; 与s7异或后的结果替换s7
0042BCE4 . E8 E859FDFF CALL Photo_Sc.004016D1
0042BCE9 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
0042BCED . 6A 08 PUSH 8
0042BCEF . 51 PUSH ECX
0042BCF0 . 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
0042BCF4 . C68424 B00000>MOV BYTE PTR SS:[ESP+B0],5
0042BCFC . E8 6F6AFDFF CALL Photo_Sc.00402770
0042BD01 . 8D5424 38 LEA EDX,DWORD PTR SS:[ESP+38]
0042BD05 . 8D4424 50 LEA EAX,DWORD PTR SS:[ESP+50]
0042BD09 . 52 PUSH EDX
0042BD0A . 50 PUSH EAX
0042BD0B . 8D4C24 48 LEA ECX,DWORD PTR SS:[ESP+48]
0042BD0F . E8 FF6CFDFF CALL Photo_Sc.00402A13 ; RSA运算
0042BD14 . B9 08000000 MOV ECX,8
0042BD19 . 33C0 XOR EAX,EAX
0042BD1B . 8D7C24 18 LEA EDI,DWORD PTR SS:[ESP+18]
0042BD1F . 6A 08 PUSH 8
0042BD21 . F3:AB REP STOS DWORD PTR ES:[EDI]
0042BD23 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
0042BD27 . C68424 AC0000>MOV BYTE PTR SS:[ESP+AC],6
0042BD2F . 51 PUSH ECX
0042BD30 . 8D4C24 58 LEA ECX,DWORD PTR SS:[ESP+58]
0042BD34 . E8 655FFDFF CALL Photo_Sc.00401C9E ; 输出RSA运算结果
0042BD39 . B9 08000000 MOV ECX,8
0042BD3E . 33C0 XOR EAX,EAX
0042BD40 . 8DBC24 800000>LEA EDI,DWORD PTR SS:[ESP+80]
0042BD47 . F3:AB REP STOS DWORD PTR ES:[EDI] ; 堆栈空出空间
0042BD49 . 5F POP EDI
0042BD4A > 8B4C04 14 MOV ECX,DWORD PTR SS:[ESP+EAX+14]
0042BD4E . 83C0 04 ADD EAX,4
0042BD51 . 8BD1 MOV EDX,ECX
0042BD53 . C1EA 18 SHR EDX,18
0042BD56 . 885404 78 MOV BYTE PTR SS:[ESP+EAX+78],DL
0042BD5A . 8BD1 MOV EDX,ECX
0042BD5C . C1EA 10 SHR EDX,10
0042BD5F . C1E9 08 SHR ECX,8
0042BD62 . 885404 79 MOV BYTE PTR SS:[ESP+EAX+79],DL
0042BD66 . 884C04 7A MOV BYTE PTR SS:[ESP+EAX+7A],CL
0042BD6A . 8A4C04 10 MOV CL,BYTE PTR SS:[ESP+EAX+10]
0042BD6E . 83F8 20 CMP EAX,20
0042BD71 . 884C04 7B MOV BYTE PTR SS:[ESP+EAX+7B],CL
0042BD75 .^ 7C D3 JL SHORT Photo_Sc.0042BD4A ; 循环重排序RSA运算结果
0042BD77 . 8D5424 7C LEA EDX,DWORD PTR SS:[ESP+7C]
0042BD7B . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0042BD7F . 52 PUSH EDX
0042BD80 . E8 1DA50700 CALL <JMP.&MFC42.#537>
0042BD85 . 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
0042BD89 . 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
0042BD8D . 50 PUSH EAX ; 运算结果
0042BD8E . 51 PUSH ECX ; 用户名
0042BD8F . FFD6 CALL NEAR ESI ; 用户名与运算结果比较
0042BD91 . 83C4 08 ADD ESP,8
0042BD94 . C68424 A40000>MOV BYTE PTR SS:[ESP+A4],6
0042BD9C . 85C0 TEST EAX,EAX ; 相等EAX=0 不等EAX=FFFFFFFF
0042BD9E . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0042BDA2 . 0F84 86000000 JE Photo_Sc.0042BE2E
0042BDA8 . E8 ADA10700 CALL <JMP.&MFC42.#800>
0042BDAD . 8D4C24 4C LEA ECX,DWORD PTR SS:[ESP+4C]
0042BDB1 . C68424 A40000>MOV BYTE PTR SS:[ESP+A4],5
0042BDB9 . E8 0E5EFDFF CALL Photo_Sc.00401BCC
0042BDBE . 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
0042BDC2 . 889C24 A40000>MOV BYTE PTR SS:[ESP+A4],BL
0042BDC9 . E8 FE5DFDFF CALL Photo_Sc.00401BCC
0042BDCE . 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+44]
0042BDD2 . C68424 A40000>MOV BYTE PTR SS:[ESP+A4],8
0042BDDA . E8 ED5DFDFF CALL Photo_Sc.00401BCC
0042BDDF . 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
0042BDE3 . C68424 A40000>MOV BYTE PTR SS:[ESP+A4],1
0042BDEB . E8 DC5DFDFF CALL Photo_Sc.00401BCC
0042BDF0 > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0042BDF4 . C68424 A40000>MOV BYTE PTR SS:[ESP+A4],0
0042BDFC . E8 59A10700 CALL <JMP.&MFC42.#800>
0042BE01 . 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0042BE05 . C78424 A40000>MOV DWORD PTR SS:[ESP+A4],-1
0042BE10 . E8 45A10700 CALL <JMP.&MFC42.#800>
0042BE15 . 5E POP ESI
0042BE16 . 33C0 XOR EAX,EAX
0042BE18 . 5B POP EBX
0042BE19 . 8B8C24 940000>MOV ECX,DWORD PTR SS:[ESP+94]
0042BE20 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0042BE27 . 81C4 A0000000 ADD ESP,0A0
0042BE2D . C3 RETN
二、算法分析
1.注册码分为8组,s1、s2、s3、s4、s5、s6、s7、s8
验证前预处理:s7=(s1+s6) xor s7 s8=(s2+s3+s4+s5) xor s8
2.RSA256运算
n=385AC5EEC9BF2B1AE3D3C333323B9C06DBF030EEE4475D85234E94C90FBF8A47
e=10001
3. 重排序运算结果
比如:B1BE436A 6A43BEB1
F29961A1 ------> A16199F2
6A85B49E 9EB4856A
4. 重排序的运算结果和用户名16进制数比较,相等则注册成功,不等则失败。
三、算法验证
用RSATool工具,根据n、e,求出p、q、d
p= B2D357E7DFA69C5CDE44DEBCD6607553
q= 50ACD489C8A870905E9BE188D169E4BD
d= F9816C36FF24564487CF5BBF9FF82BA1F5D47F0BBA287F2B0A1DDB78B11CF09
用户名m=wzwgp -> wzwg-p -> p000wzwg (0x70000000777A7767)
设:X=70000000777A7767 <------ m
Y=F9816C36FF24564487CF5BBF9FF82BA1F5D47F0BBA287F2B0A1DDB78B11CF09 <------ d
Z=385AC5EEC9BF2B1AE3D3C333323B9C06DBF030EEE4475D85234E94C90FBF8A47 <------ n
用Bigclc“X^Y%Z”计算出C (基数选16)
c=2E3A48AABCF2A3594C5564AB5D3ADBED3823D1184DE44472E853C7EB364C2AA6
变为:2E3A48AA-BCF2A359-4C5564AB-5D3ADBED-3823D118-4DE44472-E853C7EB-364C2AA6
364C2AA6-E853C7EB-4DE44472-3823D118-5D3ADBED-4C5564AB-BCF2A359-2E3A48AA
计算:s7=(s6+s1) xor s7 = 82A18F51 xor BCF2A359 = 3E532C08
s8=(s5+s4+s3+s2) xor s8 = CB96B962 xor 2E3A48AA = E5ACF1C8
364C2AA6-E853C7EB-4DE44472-3823D118-5D3ADBED-4C5564AB-3E532C08-E5ACF1C8
用户名:wzwgp
注册码:364C2AA6-E853C7EB-4DE44472-3823D118-5D3ADBED-4C5564AB-3E532C08-E5ACF1C8
注册成功。注册信息保存在*:\Photo Screensaver Maker\DATA\regdata.ini文件里。 |
|
IP卡
发表于 2006-6-22 15:18:39
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-6-22 16:05:21
楼主
发表于 2006-7-19 11:27:26
发表于 2006-7-24 11:22:37