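【Write-up title】[SHA-1 algorithm exercise] SHACrackMe algorithm analysis
【Author】静心学习
【Author e-mail】[email protected]
【Author homepage】http://www.cnblogs.com/dacainiao/
【Tools】OD
【Platform】XP SP3
【Software name】SHACrackMe
【Software size】148KB
【Original download】http://bbs.pediy.com/attachment.php?attachmentid=6581&d=1183561734
【Protection】None (not packed)
【Software description】A SHA-1 algorithm practice CrackMe; you must log in to the Kanxue (看雪) forum before downloading.
【Statement】I am new to cryptography and am learning by following in the footsteps of the Kanxue veterans; corrections for any mistakes are very welcome.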
------------------------------------------------------------------------
【Analysis】The program is written in VC; setting bp GetDlgItemTextA quickly locates the entry point.
The program is short:
00410C6B > \8D8424 0C0200>LEA EAX, DWORD PTR SS:[ESP+0x20C] ; //Buff
00410C72 . 6A 00 PUSH 0x0
00410C74 . 8D8C24 100100>LEA ECX, DWORD PTR SS:[ESP+0x110] ; //username
00410C7B . 50 PUSH EAX
00410C7C . 51 PUSH ECX
00410C7D . E8 EEFCFFFF CALL SHACrack.00410970 ; //1. username 2. Buff
00410C82 . 8D9424 180200>LEA EDX, DWORD PTR SS:[ESP+0x218] ; //SHA-1 hash
00410C89 . 8D4424 18 LEA EAX, DWORD PTR SS:[ESP+0x18] ; //serial
00410C8D . 52 PUSH EDX
00410C8E . 50 PUSH EAX
00410C8F . E8 CCFDFFFF CALL SHACrack.00410A60 ; //are the serial and the SHA-1 hash equal?
00410C94 . 83C4 14 ADD ESP, 0x14
00410C97 . 83F8 01 CMP EAX, 0x1
00410C9A . 6A 40 PUSH 0x40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00410C9C . 68 3C024200 PUSH SHACrack.0042023C ; |Title = "注册提示"
00410CA1 . 75 18 JNZ SHORT SHACrack.00410CBB ; |
00410CA3 . 68 F8014200 PUSH SHACrack.004201F8 ; |Text = "恭喜你,注册码正确!"
00410CA8 . 56 PUSH ESI ; |hOwner
00410CA9 . FF15 ECD04100 CALL NEAR DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00410CAF . 5F POP EDI
00410CB0 . 5E POP ESI
00410CB1 . 33C0 XOR EAX, EAX
00410CB3 . 5D POP EBP
00410CB4 . 81C4 00030000 ADD ESP, 0x300
00410CBA . C3 RETN
00410CBB > 68 E0014200 PUSH SHACrack.004201E0 ; |Text = "注册码错误,继续加油!"
00410CC0 . 56 PUSH ESI ; |hOwner
00410CC1 . FF15 ECD04100 CALL NEAR DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00410CC7 . 5F POP EDI
00410CC8 . 5E POP ESI
00410CC9 . 33C0 XOR EAX, EAX
00410CCB . 5D POP EBP
00410CCC . 81C4 00030000 ADD ESP, 0x300
00410CD2 . C3 RETN
The main algorithm is in CALL SHACrack.00410970:
00410970 /$ 6A FF PUSH -0x1
00410972 |. 68 6BBE4100 PUSH SHACrack.0041BE6B ; SE handler installation
00410977 |. 64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
0041097D |. 50 PUSH EAX
0041097E |. 64:8925 00000>MOV DWORD PTR FS:[0], ESP
00410985 |. 81EC D0010000 SUB ESP, 0x1D0
0041098B |. 53 PUSH EBX
0041098C |. 55 PUSH EBP
0041098D |. 56 PUSH ESI
0041098E |. 33DB XOR EBX, EBX
00410990 |. 57 PUSH EDI
00410991 |. 53 PUSH EBX
00410992 |. 8D8C24 E00000>LEA ECX, DWORD PTR SS:[ESP+0xE0] ; //username
00410999 |. E8 121BFFFF CALL SHACrack.004024B0 ; //SHA-1 Init
0041099E |. 8BAC24 F80100>MOV EBP, DWORD PTR SS:[ESP+0x1F8]
004109A5 |. 899C24 E80100>MOV DWORD PTR SS:[ESP+0x1E8], EBX
004109AC |. 3BEB CMP EBP, EBX
004109AE |. 8DB424 DC0000>LEA ESI, DWORD PTR SS:[ESP+0xDC]
004109B5 |. 74 04 JE SHORT SHACrack.004109BB
004109B7 |. 8B7424 10 MOV ESI, DWORD PTR SS:[ESP+0x10]
004109BB |> B9 10000000 MOV ECX, 0x10
004109C0 |. 33C0 XOR EAX, EAX
004109C2 |. 8D7C24 15 LEA EDI, DWORD PTR SS:[ESP+0x15]
004109C6 |. 885C24 14 MOV BYTE PTR SS:[ESP+0x14], BL
004109CA |. F3:AB REP STOS DWORD PTR ES:[EDI]
004109CC |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
004109CE |. 8BCE MOV ECX, ESI
004109D0 |. FF50 0C CALL NEAR DWORD PTR DS:[EAX+0xC] ; //SHA-1 Init
004109D3 |. 8B9424 F00100>MOV EDX, DWORD PTR SS:[ESP+0x1F0] ; //fetch the username
004109DA |. 83C9 FF OR ECX, 0xFFFFFFFF
004109DD |. 8BFA MOV EDI, EDX
004109DF |. 33C0 XOR EAX, EAX
004109E1 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004109E3 |. 8B1E MOV EBX, DWORD PTR DS:[ESI]
004109E5 |. F7D1 NOT ECX
004109E7 |. 49 DEC ECX ; //get the username length
004109E8 |. 51 PUSH ECX
004109E9 |. 52 PUSH EDX
004109EA |. 8BCE MOV ECX, ESI
004109EC |. FF53 04 CALL NEAR DWORD PTR DS:[EBX+0x4] ; //1. username length 2. username
004109EF |. 8B16 MOV EDX, DWORD PTR DS:[ESI] ; //copy the username data
004109F1 |. 8D4424 14 LEA EAX, DWORD PTR SS:[ESP+0x14]
004109F5 |. 50 PUSH EAX
004109F6 |. 8BCE MOV ECX, ESI
004109F8 |. FF52 08 CALL NEAR DWORD PTR DS:[EDX+0x8] ; //1. Buff
004109FB |. B9 20000000 MOV ECX, 0x20
00410A00 |. 33C0 XOR EAX, EAX
00410A02 |. 8D7C24 59 LEA EDI, DWORD PTR SS:[ESP+0x59]
00410A06 |. C64424 58 00 MOV BYTE PTR SS:[ESP+0x58], 0x0
00410A0B |. F3:AB REP STOS DWORD PTR ES:[EDI]
00410A0D |. 5F POP EDI
00410A0E |. 5E POP ESI
00410A0F |. 85ED TEST EBP, EBP
00410A11 |. 5D POP EBP
00410A12 |. 5B POP EBX
00410A13 |. 75 14 JNZ SHORT SHACrack.00410A29
00410A15 |. 8D4C24 48 LEA ECX, DWORD PTR SS:[ESP+0x48] ; //Buff
00410A19 |. 8D5424 04 LEA EDX, DWORD PTR SS:[ESP+0x4] ; //20-byte SHA-1 hash in little-endian form
00410A1D |. 51 PUSH ECX
00410A1E |. 6A 14 PUSH 0x14
00410A20 |. 52 PUSH EDX
00410A21 |. E8 DAFEFFFF CALL SHACrack.00410900
00410A26 |. 83C4 0C ADD ESP, 0xC
00410A29 |> 8B8C24 E40100>MOV ECX, DWORD PTR SS:[ESP+0x1E4]
00410A30 |. 8D4424 48 LEA EAX, DWORD PTR SS:[ESP+0x48]
00410A34 |. 50 PUSH EAX ; /String2
00410A35 |. 51 PUSH ECX ; |String1
00410A36 |. FF15 00D04100 CALL NEAR DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00410A3C |. 8B8C24 D00100>MOV ECX, DWORD PTR SS:[ESP+0x1D0]
00410A43 |. 64:890D 00000>MOV DWORD PTR FS:[0], ECX
00410A4A |. 81C4 DC010000 ADD ESP, 0x1DC
00410A50 \. C3 RETN
First, look at the SHA-1 Init at 004109D0 |. FF50 0C CALL NEAR DWORD PTR DS:[EAX+0xC] ; //SHA-1 Init:
00402EE7 > \B8 28D14100 MOV EAX, SHACrack.0041D128 ; Case 0 of switch 00402ED4
00402EEC . 8D51 0C LEA EDX, DWORD PTR DS:[ECX+0xC]
00402EEF > 8B30 MOV ESI, DWORD PTR DS:[EAX]
00402EF1 . 83C0 04 ADD EAX, 0x4
00402EF4 . 8932 MOV DWORD PTR DS:[EDX], ESI
00402EF6 . 83C2 04 ADD EDX, 0x4 ; //initialise H0~H5
00402EF9 . 3D 3CD14100 CMP EAX, SHACrack.0041D13C
00402EFE .^ 7C EF JL SHORT SHACrack.00402EEF
The memory contents after initialisation:
0012F664 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 #Eg壂惋簶vT2
0012F674 F0 E1 D2 C3 疳颐岞
sha1_transform is in a sub-call inside 004109F8 CALL NEAR DWORD PTR DS:[EDX+0x8]:
00402C2C CALL NEAR DWORD PTR DS:[EAX+0x10]:
00402FDD . 8DBC24 901400>LEA EDI, DWORD PTR SS:[ESP+0x1490] ; //address of the start of the padded data
00402FE4 . BD 10000000 MOV EBP, 0x10
00402FE9 > 33C9 XOR ECX, ECX
00402FEB . 33D2 XOR EDX, EDX
00402FED . 8A28 MOV CH, BYTE PTR DS:[EAX] ; //0
00402FEF . 8A50 02 MOV DL, BYTE PTR DS:[EAX+0x2] ; //2
00402FF2 . 8A48 01 MOV CL, BYTE PTR DS:[EAX+0x1] ; //1
00402FF5 . 83C7 04 ADD EDI, 0x4
00402FF8 . C1E1 08 SHL ECX, 0x8
00402FFB . 0BCA OR ECX, EDX
00402FFD . 33D2 XOR EDX, EDX
00402FFF . 8A50 03 MOV DL, BYTE PTR DS:[EAX+0x3]
00403002 . 83C0 04 ADD EAX, 0x4
00403005 . C1E1 08 SHL ECX, 0x8
00403008 . 0BCA OR ECX, EDX ; //first 4 bytes of the data
0040300A . 4D DEC EBP
0040300B . 894F FC MOV DWORD PTR DS:[EDI-0x4], ECX ; //store it
0040300E .^ 75 D9 JNZ SHORT SHACrack.00402FE9
00403010 . 8D8C24 981400>LEA ECX, DWORD PTR SS:[ESP+0x1498]
00403017 . BA 40000000 MOV EDX, 0x40
0040301C > 8B41 2C MOV EAX, DWORD PTR DS:[ECX+0x2C]
0040301F . 8B69 18 MOV EBP, DWORD PTR DS:[ECX+0x18]
00403022 . 8B59 F8 MOV EBX, DWORD PTR DS:[ECX-0x8] ; //first 4 bytes of the data
00403025 . 8B39 MOV EDI, DWORD PTR DS:[ECX]
00403027 . 33C5 XOR EAX, EBP
00403029 . 83C1 04 ADD ECX, 0x4
0040302C . 33C3 XOR EAX, EBX
0040302E . 33C7 XOR EAX, EDI
00403030 . 8BF8 MOV EDI, EAX
00403032 . 03C0 ADD EAX, EAX
00403034 . C1EF 1F SHR EDI, 0x1F ; //processing of W16~W79
00403037 . 0BF8 OR EDI, EAX
00403039 . 4A DEC EDX
0040303A . 8979 34 MOV DWORD PTR DS:[ECX+0x34], EDI
0040303D .^ 75 DD JNZ SHORT SHACrack.0040301C
0040303F . 8B5E 0C MOV EBX, DWORD PTR DS:[ESI+0xC] ; //load the H constants: h1
00403042 . 8D46 10 LEA EAX, DWORD PTR DS:[ESI+0x10]
00403045 . 895C24 68 MOV DWORD PTR SS:[ESP+0x68], EBX
00403049 . 895C24 18 MOV DWORD PTR SS:[ESP+0x18], EBX
0040304D . 894424 60 MOV DWORD PTR SS:[ESP+0x60], EAX
00403051 . 8B08 MOV ECX, DWORD PTR DS:[EAX] ; //h2
00403053 . 8D46 14 LEA EAX, DWORD PTR DS:[ESI+0x14]
00403056 . 894424 58 MOV DWORD PTR SS:[ESP+0x58], EAX
0040305A . 8B10 MOV EDX, DWORD PTR DS:[EAX] ; //h3
0040305C . 8D46 18 LEA EAX, DWORD PTR DS:[ESI+0x18]
0040305F . 894424 50 MOV DWORD PTR SS:[ESP+0x50], EAX
00403063 . 8B38 MOV EDI, DWORD PTR DS:[EAX] ; //h4
00403065 . 8D46 1C LEA EAX, DWORD PTR DS:[ESI+0x1C]
00403068 . 894424 10 MOV DWORD PTR SS:[ESP+0x10], EAX
0040306C . 8B00 MOV EAX, DWORD PTR DS:[EAX] ; //h5
0040306E . C74424 40 140>MOV DWORD PTR SS:[ESP+0x40], 0x14
00403076 . 894424 28 MOV DWORD PTR SS:[ESP+0x28], EAX
0040307A . 8D8424 901400>LEA EAX, DWORD PTR SS:[ESP+0x1490]
00403081 . 894424 20 MOV DWORD PTR SS:[ESP+0x20], EAX ; //first 4 bytes of the username
00403085 > 8BC1 MOV EAX, ECX ; //h2
00403087 . 8BEA MOV EBP, EDX ; //h3
00403089 . F7D0 NOT EAX ; //~h2
0040308B . 23C7 AND EAX, EDI ; //~h2 & h4
0040308D . 23E9 AND EBP, ECX ; //h3 & h2
0040308F . 0BC5 OR EAX, EBP ; //(~h2 & h4) | (h3 & h2)
00403091 . 8BEB MOV EBP, EBX ; //h1
00403093 . C1ED 1B SHR EBP, 0x1B ; //h1 >> 0x1B
00403096 . C1E3 05 SHL EBX, 0x5 ; //h1 << 5
00403099 . 0BEB OR EBP, EBX
0040309B . 03C5 ADD EAX, EBP
0040309D . 8B6C24 20 MOV EBP, DWORD PTR SS:[ESP+0x20]
004030A1 . 8B5D 00 MOV EBX, DWORD PTR SS:[EBP] ; //first 4 bytes of the data
004030A4 . 83C5 04 ADD EBP, 0x4
004030A7 . 03C3 ADD EAX, EBX
004030A9 . 8B1D 18D14100 MOV EBX, DWORD PTR DS:[0x41D118] ; //5A827999 K0
004030AF . 03C3 ADD EAX, EBX
004030B1 . 8B5C24 28 MOV EBX, DWORD PTR SS:[ESP+0x28]
004030B5 . 897C24 28 MOV DWORD PTR SS:[ESP+0x28], EDI
004030B9 . 8BFA MOV EDI, EDX
004030BB . 8BD1 MOV EDX, ECX
004030BD . 896C24 20 MOV DWORD PTR SS:[ESP+0x20], EBP
004030C1 . 8B6C24 40 MOV EBP, DWORD PTR SS:[ESP+0x40]
004030C5 . 03C3 ADD EAX, EBX
004030C7 . C1E2 1E SHL EDX, 0x1E
004030CA . C1E9 02 SHR ECX, 0x2
004030CD . 0BD1 OR EDX, ECX
004030CF . 8B4C24 18 MOV ECX, DWORD PTR SS:[ESP+0x18]
004030D3 . 8BD8 MOV EBX, EAX
004030D5 . 4D DEC EBP
004030D6 . 895C24 18 MOV DWORD PTR SS:[ESP+0x18], EBX
004030DA . 896C24 40 MOV DWORD PTR SS:[ESP+0x40], EBP ; //0x14 iterations
004030DE .^ 75 A5 JNZ SHORT SHACrack.00403085
004030E0 . 8DAC24 E01400>LEA EBP, DWORD PTR SS:[ESP+0x14E0]
004030E7 . C74424 20 140>MOV DWORD PTR SS:[ESP+0x20], 0x14
004030EF . 896C24 18 MOV DWORD PTR SS:[ESP+0x18], EBP
004030F3 > 8BE8 MOV EBP, EAX
004030F5 . C1ED 1B SHR EBP, 0x1B
004030F8 . C1E0 05 SHL EAX, 0x5
004030FB . 0BE8 OR EBP, EAX
004030FD . 8BC7 MOV EAX, EDI
004030FF . 33C2 XOR EAX, EDX
00403101 . 33C1 XOR EAX, ECX
00403103 . 03E8 ADD EBP, EAX
00403105 . 8B4424 18 MOV EAX, DWORD PTR SS:[ESP+0x18]
00403109 . 0328 ADD EBP, DWORD PTR DS:[EAX]
0040310B . A1 1CD14100 MOV EAX, DWORD PTR DS:[0x41D11C] ; //0x6EDEBA1 K1
00403110 . 03E8 ADD EBP, EAX
00403112 . 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+0x28]
00403116 . 03C5 ADD EAX, EBP
00403118 . 8B6C24 18 MOV EBP, DWORD PTR SS:[ESP+0x18]
0040311C . 897C24 28 MOV DWORD PTR SS:[ESP+0x28], EDI
00403120 . 8BFA MOV EDI, EDX
00403122 . 8BD1 MOV EDX, ECX
00403124 . 83C5 04 ADD EBP, 0x4
00403127 . C1E2 1E SHL EDX, 0x1E
0040312A . C1E9 02 SHR ECX, 0x2
0040312D . 896C24 18 MOV DWORD PTR SS:[ESP+0x18], EBP
00403131 . 8B6C24 20 MOV EBP, DWORD PTR SS:[ESP+0x20]
00403135 . 0BD1 OR EDX, ECX
00403137 . 4D DEC EBP
00403138 . 8BCB MOV ECX, EBX
0040313A . 8BD8 MOV EBX, EAX
0040313C . 896C24 20 MOV DWORD PTR SS:[ESP+0x20], EBP
00403140 .^ 75 B1 JNZ SHORT SHACrack.004030F3
00403142 . 895C24 18 MOV DWORD PTR SS:[ESP+0x18], EBX
00403146 . 8D9C24 301500>LEA EBX, DWORD PTR SS:[ESP+0x1530]
0040314D . 895C24 20 MOV DWORD PTR SS:[ESP+0x20], EBX
00403151 . C74424 40 140>MOV DWORD PTR SS:[ESP+0x40], 0x14
00403159 > 8BDA MOV EBX, EDX
0040315B . 8BEA MOV EBP, EDX
0040315D . 0BD9 OR EBX, ECX
0040315F . 23E9 AND EBP, ECX
00403161 . 23DF AND EBX, EDI
00403163 . 0BDD OR EBX, EBP
00403165 . 8BE8 MOV EBP, EAX
00403167 . C1ED 1B SHR EBP, 0x1B
0040316A . C1E0 05 SHL EAX, 0x5
0040316D . 0BE8 OR EBP, EAX
0040316F . 8B4424 20 MOV EAX, DWORD PTR SS:[ESP+0x20]
00403173 . 03DD ADD EBX, EBP
00403175 . 8B28 MOV EBP, DWORD PTR DS:[EAX]
00403177 . 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+0x28]
0040317B . 03DD ADD EBX, EBP
0040317D . 8B2D 20D14100 MOV EBP, DWORD PTR DS:[0x41D120] ; //K2
00403183 . 03DD ADD EBX, EBP
00403185 . 8B6C24 20 MOV EBP, DWORD PTR SS:[ESP+0x20]
00403189 . 03C3 ADD EAX, EBX
0040318B . 8BDF MOV EBX, EDI
0040318D . 8BFA MOV EDI, EDX
0040318F . 8BD1 MOV EDX, ECX
00403191 . 83C5 04 ADD EBP, 0x4
00403194 . 895C24 28 MOV DWORD PTR SS:[ESP+0x28], EBX
00403198 . C1E2 1E SHL EDX, 0x1E
0040319B . C1E9 02 SHR ECX, 0x2
0040319E . 896C24 20 MOV DWORD PTR SS:[ESP+0x20], EBP
004031A2 . 8B6C24 40 MOV EBP, DWORD PTR SS:[ESP+0x40]
004031A6 . 0BD1 OR EDX, ECX
004031A8 . 8B4C24 18 MOV ECX, DWORD PTR SS:[ESP+0x18]
004031AC . 4D DEC EBP
004031AD . 894424 18 MOV DWORD PTR SS:[ESP+0x18], EAX
004031B1 . 896C24 40 MOV DWORD PTR SS:[ESP+0x40], EBP
004031B5 .^ 75 A2 JNZ SHORT SHACrack.00403159
004031B7 . 8DAC24 801500>LEA EBP, DWORD PTR SS:[ESP+0x1580]
004031BE . C74424 20 140>MOV DWORD PTR SS:[ESP+0x20], 0x14
004031C6 . 896C24 28 MOV DWORD PTR SS:[ESP+0x28], EBP
004031CA > 8BE8 MOV EBP, EAX
004031CC . C1ED 1B SHR EBP, 0x1B
004031CF . C1E0 05 SHL EAX, 0x5
004031D2 . 0BE8 OR EBP, EAX
004031D4 . 8BC7 MOV EAX, EDI
004031D6 . 33C2 XOR EAX, EDX
004031D8 . 33C1 XOR EAX, ECX
004031DA . 03E8 ADD EBP, EAX
004031DC . 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+0x28]
004031E0 . 0328 ADD EBP, DWORD PTR DS:[EAX]
004031E2 . A1 24D14100 MOV EAX, DWORD PTR DS:[0x41D124] ; //K3
004031E7 . 03E8 ADD EBP, EAX
004031E9 . 03EB ADD EBP, EBX
004031EB . 8BDF MOV EBX, EDI
004031ED . 8BC5 MOV EAX, EBP
004031EF . 8B6C24 28 MOV EBP, DWORD PTR SS:[ESP+0x28]
004031F3 . 8BFA MOV EDI, EDX
004031F5 . 8BD1 MOV EDX, ECX
004031F7 . 83C5 04 ADD EBP, 0x4
004031FA . C1E2 1E SHL EDX, 0x1E
004031FD . C1E9 02 SHR ECX, 0x2
00403200 . 896C24 28 MOV DWORD PTR SS:[ESP+0x28], EBP
00403204 . 8B6C24 20 MOV EBP, DWORD PTR SS:[ESP+0x20]
00403208 . 0BD1 OR EDX, ECX
0040320A . 8B4C24 18 MOV ECX, DWORD PTR SS:[ESP+0x18]
0040320E . 4D DEC EBP
0040320F . 894424 18 MOV DWORD PTR SS:[ESP+0x18], EAX
00403213 . 896C24 20 MOV DWORD PTR SS:[ESP+0x20], EBP
00403217 .^ 75 B1 JNZ SHORT SHACrack.004031CA
00403219 . 8B6C24 68 MOV EBP, DWORD PTR SS:[ESP+0x68]
0040321D . 03E8 ADD EBP, EAX
0040321F . 896E 0C MOV DWORD PTR DS:[ESI+0xC], EBP ; //update H0~H5
00403222 . 8B4424 60 MOV EAX, DWORD PTR SS:[ESP+0x60]
00403226 . 8B28 MOV EBP, DWORD PTR DS:[EAX]
00403228 . 03E9 ADD EBP, ECX
0040322A . 8928 MOV DWORD PTR DS:[EAX], EBP
0040322C . 8B4424 58 MOV EAX, DWORD PTR SS:[ESP+0x58]
00403230 . 8B30 MOV ESI, DWORD PTR DS:[EAX]
00403232 . 03F2 ADD ESI, EDX
00403234 . 8930 MOV DWORD PTR DS:[EAX], ESI
00403236 . 8B4424 50 MOV EAX, DWORD PTR SS:[ESP+0x50]
0040323A . 8B10 MOV EDX, DWORD PTR DS:[EAX]
0040323C . 03D7 ADD EDX, EDI
0040323E . 5F POP EDI
0040323F . 8910 MOV DWORD PTR DS:[EAX], EDX
00403241 . 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+0xC]
00403245 . 5E POP ESI
00403246 . 5D POP EBP
00403247 . 8B08 MOV ECX, DWORD PTR DS:[EAX]
00403249 . 03CB ADD ECX, EBX
0040324B . 5B POP EBX
0040324C . 8908 MOV DWORD PTR DS:[EAX], ECX
0040324E . 81C4 00170000 ADD ESP, 0x1700
00403254 . C3 RETN
After the SHA-1 hash has been computed, it is converted from big-endian to little-endian:
00402C81 . 8D48 01 LEA ECX, DWORD PTR DS:[EAX+0x1]
00402C84 . 8D46 0C LEA EAX, DWORD PTR DS:[ESI+0xC]
00402C87 > 8A10 MOV DL, BYTE PTR DS:[EAX] ; //SHA-1 byte 1
00402C89 . 83C0 04 ADD EAX, 0x4
00402C8C . 8851 02 MOV BYTE PTR DS:[ECX+0x2], DL
00402C8F . 8B50 FC MOV EDX, DWORD PTR DS:[EAX-0x4]
00402C92 . C1EA 08 SHR EDX, 0x8
00402C95 . 8851 01 MOV BYTE PTR DS:[ECX+0x1], DL ; //SHA-1 byte 2
00402C98 . 8B50 FC MOV EDX, DWORD PTR DS:[EAX-0x4]
00402C9B . C1EA 10 SHR EDX, 0x10 ; //byte 3
00402C9E . 8811 MOV BYTE PTR DS:[ECX], DL
00402CA0 . 8B50 FC MOV EDX, DWORD PTR DS:[EAX-0x4]
00402CA3 . C1EA 18 SHR EDX, 0x18 ; //byte 4
00402CA6 . 8851 FF MOV BYTE PTR DS:[ECX-0x1], DL
00402CA9 . 83C1 04 ADD ECX, 0x4
00402CAC . 4F DEC EDI
00402CAD .^ 75 D8 JNZ SHORT SHACrack.00402C87 ; //big-endian to little-endian
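Then the lowercase letters in the SHA-1 hash are converted to uppercase, and the result is finally compared with the entered serial: if they are identical, registration succeeds; otherwise it fails.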
------------------------------------------------------------------------
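【Summary】The software uses the standard SHA-1 algorithm: it computes the SHA-1 hash of the entered username, and that hash with its lowercase letters converted to uppercase is the correct serial.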
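
Added example (not part of the original write-up and not the CrackMe's own code): a Python re-implementation that follows the structure of the routine at 00402FDD and compares its output with hashlib, as a way of confirming that the disassembled routine is standard SHA-1. The function names are hypothetical, K1 to K3 are taken from the SHA-1 standard rather than from the page, and the test inputs are constructed.

```python
import hashlib
import struct

# The 20 state bytes shown in the dump at 0012F664, read as little-endian
# dwords, give the standard SHA-1 initial state.
DUMP = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210F0E1D2C3")
H_INIT = struct.unpack("<5I", DUMP)
# Round constants from the SHA-1 standard (assumption: the table at 0x41D118
# holds these; the page spells out only K0 in full).
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
MASK = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def transform(state, block):
    """Process one 64-byte block, laid out like the routine at 00402FDD."""
    w = list(struct.unpack(">16I", block))      # big-endian load loop, 00402FE9
    for t in range(16, 80):                     # 0x40 iterations, 0040301C
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):                         # four loops of 0x14 rounds each
        if t < 20:
            f = (~b & d) | (c & b)              # the page's (~h2 & h4) | (h3 & h2)
        elif t < 40 or t >= 60:
            f = b ^ c ^ d
        else:
            f = ((b | c) & d) | (b & c)
        tmp = (rotl(a, 5) + f + e + w[t] + K[t // 20]) & MASK
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1_upper_hex(data: bytes) -> str:
    """Pad, hash, then emit each state word high byte first (00402C87 loop)."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded += struct.pack(">Q", len(data) * 8)
    state = H_INIT
    for i in range(0, len(padded), 64):
        state = transform(state, padded[i:i + 64])
    return struct.pack(">5I", *state).hex().upper()


def matches_library(data: bytes) -> bool:
    return sha1_upper_hex(data) == hashlib.sha1(data).hexdigest().upper()
```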
------------------------------------------------------------------------
【Copyright notice】None