📄 crack tutorial.htm

📁 Source code for a 16-bit blowfish encryption algorithm
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0049)http://www.pediy.com/tutorial/chap6/Chap6-3-6.htm -->
<HTML><HEAD><TITLE>Crack Tutorial</TITLE>
<META http-equiv=Content-Type content="text/html; charset=gb2312"><LINK 
href="style/css.css" type=text/css rel=stylesheet><LINK 
href="Crack Tutorial.files/Css.css" type=text/css rel=stylesheet>
<META content="MSHTML 6.00.2900.2995" name=GENERATOR></HEAD>
<BODY text=#000000 vLink=#004080 link=#004080 bgColor=white 
background="Crack Tutorial.files/Back.gif">
<P class=shadow1Copy align=center><B class=p3>Chapter 6: Software Protection Techniques</B></P>
<P align=center><SPAN class=p9><B>Section 3: Encryption Algorithms</B></SPAN></P>
<P align=center><SPAN class=p9><SPAN class=p9><SPAN 
class=p9><B>6. The BLOWFISH Algorithm</B></SPAN></SPAN></SPAN></P>
<P class=p9 align=left>Author: 夜月<BR>Contact: <A 
href="mailto:luoyi_ly1@sina.com">luoyi_ly1@sina.com</A><BR>Date: October 6, 2001<BR>Example: <A 
href="http://www.pediy.com/tutorial/chap6/Exercise/cryptogram/Blowfish/Blowfish.zip">BlowFish's 
CrackMe1</A><BR>Keygen: <A 
href="http://www.pediy.com/tutorial/chap6/Exercise/cryptogram/Blowfish/bfkeygen.zip">Bfkeygen</A></P>
<P class=p9 align=left><B>I. Description of the BlowFish Algorithm</B> (data types in this text follow Tc2.0) </P>
<P class=p9 align=left>The BlowFish algorithm is used to encrypt strings that are 64 bits long. 
<BR>The BlowFish algorithm uses two "boxes": unsigned long pbox[18] and unsigned long sbox[4][256]. 
<BR>The BlowFish algorithm has one core encryption function, BF_En (described in detail below). This function takes 64 bits of input and, after processing, outputs them as 64 bits of ciphertext. Encrypting a message with the BlowFish algorithm takes two stages:<BR><BR>1. Key preprocessing 
<BR>2. Message encryption </P>
<P class=p9 align=left>Each stage is described below. <BR><BR>Key preprocessing: 
<BR>The source key of the BlowFish algorithm, pbox and sbox, is fixed. To encrypt a message we choose a key of our own and use it to transform pbox and sbox, which gives the key_pbox and key_sbox used in the next stage, message encryption. The transformation works as follows: 
<BR><BR>1) Fill key_sbox with sbox. 
<BR>2) XOR pbox with the chosen key, taken 8 at a time, and fill key_pbox with the results. The key may be reused cyclically. 
<BR>&nbsp; For example, if the chosen key is "abcdefghijklmn", the XOR proceeds as: <BR>&nbsp; key_pbox[0]=pbox[0]^abcdefgh 
<BR>&nbsp; key_pbox[1]=pbox[1]^ijklmnab <BR>&nbsp; ………… <BR>&nbsp; ………… 
<BR>&nbsp; and so on, until key_pbox is completely filled. 
<BR>3) Encrypt an all-zero 64-bit message with BF_En and replace key_pbox[0] and key_pbox[1] with the output. Set i=0. 
<BR>4) Encrypt the replaced key_pbox[i], key_pbox[i+1] with BF_En and replace key_pbox[i+2] and key_pbox[i+3] with the output. 
<BR>5) Set i=i+2 and repeat step 4 until all of key_pbox has been replaced. 
<BR>6) Use key_pbox[16] and key_pbox[17] as the first input (playing the role of the all-zero input above) and replace key_sbox in a similar way. 
<BR><BR>Message encryption: 
<BR>Message encryption transforms the input message with the function BF_En. The message x to be encrypted is split into two 32-bit halves, xL and xR. The BF_En function works as follows: 
<BR><BR>For i=1 to 16 <BR>&nbsp; xL=xL^Pi <BR>&nbsp; xR=F(xL)^xR <BR>&nbsp; 
swap xL and xR (this swap is cancelled in the last round) <BR>xR=xR^P17 <BR>xL=xL^P18 <BR>Recombine xL and xR 
<BR><BR>The function F is shown in the diagram below: </P>
<PRE>
          8 bits          32 bits
        |----------- S-box 1 -----------|
        |                               | add
        |  8 bits          32 bits      |------|
        |----------- S-box 2 -----------|      |
        |                                      | XOR
32 bits-|                                      |------|
        |  8 bits          32 bits             |      |
        |----------- S-box 3 ------------------|      | add
        |                                             |---------- 32 bits
        |  8 bits          32 bits                    |
        |----------- S-box 4 -------------------------|
</PRE>
<P class=p9 align=left>Split xL into four 8-bit groups: a, b, c and d. 
<BR>The output is: F(xL)=((((S[1,a]+S[2,b]) MOD 4294967296)^S[3,c])+S[4,d]) MOD 4294967296, where 4294967296 is 2 to the 32nd power. 
<BR>The recombined output is the ciphertext we need. 
<BR>Decrypting with the BlowFish algorithm likewise takes two stages: 
<BR>1. Key preprocessing <BR>2. Message decryption <BR>Key preprocessing is exactly the same as for encryption. 
<BR>Message decryption is simply the message encryption process with key_pbox used in reverse order. 
<BR><BR>As can be seen, encrypting the same message with the BlowFish algorithm under different keys gives different results. 
<BR>Breaking the BlowFish algorithm means obtaining its key. So when encrypting with the BlowFish algorithm, what matters most is the choice of the key and keeping the key secret. The choice of key can be checked with the _WeakKey function in bf_sdk. Below is the description of that function: 
<BR><BR>Original text: 
<BR>--------------------------------------------------------------------------------------- 
<BR>_WeakKey <BR>Function&nbsp; : Test if the generated Boxes are weak 
<BR>Argument&nbsp; : none <BR>Return&nbsp; &nbsp; : AX = Status (1=weak, 0=good) 
<BR>Affects&nbsp; &nbsp; : AX, BX, CX, DX, SI, DI, direction Flag 
<BR>Description: After "_InitCrypt" you should test the Boxes with this 
function. If they provide a weakness which a cryptoanalyst could use to 
break the cipher a "1" is returned. In this case you should reload the original boxes 
and let the user choose a different password. 
<BR>--------------------------------------------------------------------------------------- 
<BR>Translation: 
<BR>--------------------------------------------------------------------------------------- 
<BR>_WeakKey <BR>Function: tests whether the generated boxes are secure <BR>Arguments: none <BR>Returns: AX=1 insecure; AX=0 secure 
<BR>Affects: AX, BX, CX, DX, SI, DI, direction flag 
<BR>Description: After generating the Boxes used for encryption with the "_InitCrypt" function, you should test the generated Boxes with this function to see whether they are secure. If the Boxes produced by the key are insecure (a cryptanalyst could obtain the key by analyzing the Boxes), you should use a different key to generate secure Boxes for encryption. 
<BR>--------------------------------------------------------------------------------------- 
</P>
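<P class=p9 align=left>The key preprocessing, BF_En, F and the reversed-pbox decryption described above, written out as an added Python example (not code from the original tutorial or from bf_sdk). It follows the standard Blowfish definition, in which each pbox entry is XORed with 32 bits (4 bytes) of the cycled key and the initial pbox and sbox are the hexadecimal digits of the fractional part of pi, computed here instead of being embedded as tables. The names pi_words, expand_key, bf_en and bf_de are the example's own, and S[0]..S[3] stand for S-boxes 1 to 4.</P>

```python
# Added example: Blowfish key preprocessing, BF_En and BF_De (standard definition).
M = 0xFFFFFFFF

def pi_words(n):
    """First n 32-bit words of the hex fraction of pi: the initial pbox, then sbox."""
    one = 1 << (32 * n + 64)                 # fixed point, 64 guard bits
    def atan_inv(x):                         # arctan(1/x) scaled by `one`
        total = term = one // x
        k, sign = 3, -1
        while term:
            term //= x * x
            total += sign * (term // k)
            k, sign = k + 2, -sign
        return total
    frac = (16 * atan_inv(5) - 4 * atan_inv(239) - 3 * one) >> 64   # Machin's formula
    return [(frac >> (32 * (n - 1 - i))) & M for i in range(n)]

def F(x, S):
    a, b, c, d = x >> 24, (x >> 16) & 255, (x >> 8) & 255, x & 255
    return ((((S[0][a] + S[1][b]) & M) ^ S[2][c]) + S[3][d]) & M

def bf_en(xl, xr, P, S):
    for i in range(16):
        xl ^= P[i]
        xr ^= F(xl, S)
        xl, xr = xr, xl
    xl, xr = xr, xl                          # the last round's swap is cancelled
    xr ^= P[16]
    xl ^= P[17]
    return xl, xr

def bf_de(xl, xr, P, S):
    return bf_en(xl, xr, P[::-1], S)         # same rounds, key_pbox in reverse order

def expand_key(key):
    """Key preprocessing for a bytes key; returns (key_pbox, key_sbox)."""
    w = pi_words(18 + 4 * 256)
    P = w[:18]
    S = [w[18 + 256 * i: 18 + 256 * (i + 1)] for i in range(4)]
    for i in range(18):                      # XOR the cycled key in, 4 bytes per entry
        chunk = bytes(key[(4 * i + j) % len(key)] for j in range(4))
        P[i] ^= int.from_bytes(chunk, "big")
    xl = xr = 0                              # start from the all-zero block
    for box in [P] + S:                      # chain BF_En output through all boxes
        for i in range(0, len(box), 2):
            xl, xr = bf_en(xl, xr, P, S)
            box[i], box[i + 1] = xl, xr
    return P, S

if __name__ == "__main__":
    P, S = expand_key(bytes(8))              # constructed input: all-zero 64-bit key
    print("%08X%08X" % bf_en(0, 0, P, S))
```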
<P class=p9 align=left><B>II. Analysis of BlowFish's CrackMe1 </B></P>
<P class=p9 
align=left>Since this CrackMe is mainly meant to test your knowledge of cryptography, it puts up no obstacles in other areas. To reduce the file size and shorten everyone's download time, it was packed with upx; the packing is easily removed directly with "PNewSec+Makepe" in Trw2000. 
<BR>Using the usual methods, the key comparison below is quickly found: </P>
<PRE>
:004015D9 51                      push ecx
:004015DA 52                      push edx
:004015DB 6880894000              push 00408980
:004015E0 E8EBFAFFFF              call 004010D0      //BF_De(sn)
:004015E5 8B442464                mov eax, dword ptr [esp+64]
:004015E9 8B0DF0994000            mov ecx, dword ptr [004099F0]
:004015EF 83C41C                  add esp, 0000001C
:004015F2 3BC1                    cmp eax, ecx      //compare
:004015F4 7529                    jne 0040161F
:004015F6 8B4C244C                mov ecx, dword ptr [esp+4C]
:004015FA A1EC994000              mov eax, dword ptr [004099EC]
:004015FF 3BC8                    cmp ecx, eax      //compare
:00401601 751C                    jne 0040161F
:00401603 6A30                    push 00000030
</PRE>
<P class=p9 align=left>Because the BlowFish algorithm outputs 64 bits of data for both encryption and decryption, two comparisons are needed. 
<BR>Since we now know that the transformation applied to our sn is BF_De, we obviously need to find the place where the program initializes key_pbox and key_sbox. Stepping into the call at 4015E0, we find key_pbox at 408980; set a bpm there, then trace and analyze to find the place where the program initializes key_pbox and key_sbox, as follows: 
<BR><BR>:004016C0 50&nbsp;&nbsp;&nbsp;&nbsp;push eax <BR><BR>* Possible StringData Ref from Data Obj 
-&gt;"CrackingForFun" <BR>&nbsp;&nbsp;&nbsp;&nbsp;| 
<BR>:004016C1 6844804000&nbsp;&nbsp;&nbsp;&nbsp;push
