  <p>Finally, the register is: (e3) (d3+e2) (c3+d2+e1) (b3+c2+d1+e0)</p>
  <p>I'll write it in a slightly different way:<br>
    a0 + X =(1) points in the table to b3 b2 b1 b0 <br>
    a1 + b0 + Y =(2) points in the table to c3 c2 c1 c0 <br>
    a2 + b1 + c0 + Z =(3) points in the table to d3 d2 d1 d0 <br>
    a3 + b2 + c1 + d0 + W =(4) points in the table to e3 e2 e1 e0 <br>
    b3 + c2 + d1 + e0 =f0<br>
    c3 + d2 + e1 =f1<br>
    d3 + e2 =f2<br>
    e3 =f3<br>
    (1) (2) (3) (4)<br>
    (figure 4)</p>
  <p>This is done with the same method as for CRC-16; I'll give an example with concrete values. Use the<br>
    CRC-32 table in the appendix for the lookups.</p>
  <p>Take for CRC register before, a3 a2 a1 a0 -&gt; AB CD EF 66<br>
    Take for CRC register after, f3 f2 f1 f0 -&gt; 56 33 14 78 (wanted value)</p>
  <p>Let's start:</p>
  <p>First byte of entry -&gt; entry number, entry value:<br>
    e3=f3 =56 -&gt; 35h=(4) 56B3C423 for e3 e2 e1 e0<br>
    d3=f2+e2 =33+B3 =E6 -&gt; 4Fh=(3) E6635C01 for d3 d2 d1 d0<br>
    c3=f1+e1+d2 =14+C4+63 =B3 -&gt; F8h=(2) B3667A2E for c3 c2 c1 c0<br>
    b3=f0+e0+d1+c2=78+23+5C+66=61 -&gt; DEh=(1) 616BFFD3 for b3 b2 b1 b0</p>
  <p>Now we have all needed values, then<br>
    X=(1)+ a0= DE+66=B8<br>
    Y=(2)+ b0+a1= F8+D3+EF=C4<br>
    Z=(3)+ c0+b1+a2= 4F+2E+FF+CD=53<br>
    W=(4)+d0+c1+b2+a3=35+01+7A+6B+AB=8E<br>
    (final computation)</p>
  <p>Conclusion: to change the CRC-32 register value from ABCDEF66 to 56331478 we need the following byte<br>
    sequence: B8 C4 53 8E</p>
  <p><br>
    The CRC-32 reversing algorithm</p>
  <p> If you consider computing by hand the byte sequence that restores the CRC register, it is hard to turn that<br>
    into a compact algorithm. <br>
    <br>
    Look at the following extended version of the final computation:<br>
    Position<br>
    X =(1) + a0 0<br>
    Y =(2) + b0 + a1 1<br>
    Z =(3) + c0 + b1 + a2 2<br>
    W =(4) + d0 + c1 + b2 + a3 3<br>
    f0= e0 + d1 + c2 + b3 4<br>
    f1= e1 + d2 + c3 5<br>
    f2= e2 + d3 6<br>
    f3= e3 7</p>
  <p>(figure 5)<br>
    <br>
    It is equivalent to figure 4, only some values/bytes have been swapped around. This approach helps us build a<br>
    compact algorithm. Here we use an 8-byte buffer: in positions 0-3 we place a0 to a3, in positions 4-7 we place<br>
    f0 to f3. As before, we use the known value e3 (known from figure 5) to look up (e3 e2 e1 e0) in the table and,<br>
    as shown in figure 5, put them at position 4 onward; we immediately get the value of d3, because f2 =<br>
    e2 + d3, so f2 + e2 = d3. And since (4) is known too (the entry number), we likewise put it at position 3. Then we<br>
    look up (d3 d2 d1 d0) with d3 and put them at the positions the figure shows as well. In the same way, f1 + e1 + d2 = c3<br>
    is at position 5. We keep going until b3 b2 b1 b0 are placed at position 1, and that's it! Et voila!<br>
    Now bytes 3 to 0 of the buffer contain all the elements needed to compute X to W! </p>
  <p>The algorithm in summary:<br>
    1. In the 8-byte buffer, put a0...a3 (the starting CRC register value) in bytes 0-3 and f0...f3<br>
    (the wanted register value) in bytes 4-7.<br>
    2. Take the known value at position 7 and look up the corresponding table entry.<br>
    3. Put the looked-up values at the positions shown in figure 5; in practice this is an XOR. (Drawing the figure helps to see it.)<br>
    4. Put the entry byte (the entry number) into the figure as well, again by XOR.<br>
    5. Repeat steps 2 and 3 three more times, each time one position lower: position 5 to 4, 4 to 3 and so on.</p>
  <p><br>
    Implementing the algorithm:</p>
  <p> Now it is time for the code. Below is a working CRC-32 reversing routine written in assembly (it is just as<br>
    simple in other languages, and for other CRC-32 standards). Note that in assembly (inside the computer) a dword is<br>
    read and written with its bytes in reverse order, i.e. little-endian.</p>
  <pre>
crcBefore dd (?)                        ; CRC register value before the 4 bytes (a3 a2 a1 a0)
wantedCrc dd (?)                        ; CRC register value we want afterwards (f3 f2 f1 f0)
buffer    db 8 dup (?)                  ; bytes 0-3: a0..a3, bytes 4-7: f0..f3

    mov eax, dword ptr[crcBefore]       ;/*
    mov dword ptr[buffer], eax          ;
    mov eax, dword ptr[wantedCrc]       ;   Step 1
    mov dword ptr[buffer+4], eax        ;*/

    mov di, 4                           ; di runs 4,3,2,1: the known byte is at buffer+di+3 (7,6,5,4)
computeReverseLoop:
    mov al, byte ptr[buffer+di+3]       ;/*
    call GetTableEntry                  ;   Step 2: eax = entry whose first byte is al, bx = its number */
    xor dword ptr[buffer+di], eax       ; Step 3: place the entry (e.g. e3 e2 e1 e0) in the figure
    xor byte ptr[buffer+di-1], bl       ; Step 4: place the entry number, e.g. (4), one position lower
    dec di                              ;/*
    jnz computeReverseLoop              ;   Step 5 */
                                        ; now buffer+0..3 hold X Y Z W
  </pre>
  <p>Notes:<br>
    - Registers eax, di, bx are used</p>
  <p>Implementation of GetTableEntry</p>
  <pre>
crctable dd 256 dup (?)                 ; should be defined globally somewhere &amp; initialized of course

GetTableEntry:                          ; in: al = first (most significant) byte of the wanted entry
    mov bx, offset crctable-1
getTableEntryLoop:
    add bx, 4                           ; points to (crctable-1)+k*4 (k:1..256), i.e. the top byte of entry k-1
    cmp [bx], al                        ; must always find the value somewhere
    jne getTableEntryLoop

    sub bx, 3                           ; back to the start of the entry
    mov eax, [bx]                       ; eax = the whole table entry
    sub bx, offset crctable             ; byte offset of the entry
    shr bx, 2                           ; divide by 4, giving the entry number
    ret
  </pre>
  <p> On return eax contains a table entry, bx contains the entry number.</p>
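  <p>The same procedure in Python, as an added example that is not part of the original article: it builds the standard CRC-32 table (the one in the appendix), looks entries up by their first byte exactly as GetTableEntry does, runs the 8-byte buffer algorithm, and then checks the result with a forward CRC pass. The function names are my own; register values are the raw CRC register without any initial or final XOR.</p>

```python
# Added example (not the article's own code): the reverse-CRC procedure in Python.
# Register values are the raw CRC register, without initial or final XOR.

def make_crc32_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320), as in the appendix."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = make_crc32_table()

# first (most significant) byte of an entry -> entry number; each first byte occurs
# exactly once, which is what GetTableEntry's "must always find it" relies on
FIRST_BYTE_TO_INDEX = {entry >> 24: idx for idx, entry in enumerate(CRC_TABLE)}

def crc32_update(register, data):
    """Forward CRC-32 register update over data, one byte at a time."""
    for byte in data:
        register = (register >> 8) ^ CRC_TABLE[(register ^ byte) & 0xFF]
    return register

def reverse_crc32(crc_before, wanted_crc):
    """Return the 4 bytes X Y Z W that move the register from crc_before to wanted_crc."""
    # Step 1: bytes 0-3 hold a0..a3, bytes 4-7 hold f0..f3 (little-endian, as in memory)
    buf = bytearray(crc_before.to_bytes(4, "little") + wanted_crc.to_bytes(4, "little"))
    for pos in range(4, 0, -1):                 # di = 4, 3, 2, 1
        # Step 2: the known first byte sits at position pos+3 (7, 6, 5, 4)
        idx = FIRST_BYTE_TO_INDEX[buf[pos + 3]]
        entry = CRC_TABLE[idx].to_bytes(4, "little")
        # Step 3: XOR the entry over positions pos..pos+3 (figure 5)
        for k in range(4):
            buf[pos + k] ^= entry[k]
        # Step 4: XOR the entry number one position lower
        buf[pos - 1] ^= idx
        # Step 5: repeat one position lower
    return bytes(buf[:4])

if __name__ == "__main__":
    patch = reverse_crc32(0xABCDEF66, 0x56551478)
    print(patch.hex(" ").upper())                    # B8 C4 53 8E
    print(f"{crc32_update(0xABCDEF66, patch):08X}")  # 56551478
```

  <p>One caveat on the worked example: with this table 0x33 XOR 0xB3 is 0x80, not 0xE6, so the bytes B8 C4 53 8E take the register from ABCDEF66 to 56551478, which is the wanted value the demo run at the bottom uses. For the stated target 56331478 the algorithm returns a different byte sequence, and the forward check confirms that one too.</p>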
  <p><br>
    Outro</p>
  <p> Well... you have finally reached the end of this article. If you think you can now say bye bye to any kind of<br>
    CRC protection, you are wrong, that is not the case! It is very easy to write code that defeats CRC cracking. To<br>
    crack a CRC successfully you need to know which CRC algorithm a protection uses, and exactly where the CRC is computed.<br>
    For example, a simple countermeasure is to use two different CRC algorithms, or to combine CRC with other<br>
    data-protection algorithms.<br>
    Anyway... I hope everything presented here was interesting, and I hope you (the reader) enjoyed reading<br>
    this article as much as I enjoyed writing it. </p>
  <p><br>
  </p>
  <p> The translation is bound to contain mistakes; please excuse any errors. Translator: arbiter<br>
    2001-2-8 22:41<br>
    <br>
    Fnx go out to the beta-testers Douby/DREAD and Knotty Dread for the good<br>
    comments on my work which made it even better!</p>
  <p>For a sample CRC-32 correcting patcher program visit my webpages:<br>
    http://surf.to/anarchriz -&gt; Programming -&gt; Projects<br>
    (it's still a preview but will give you a proof of my idea)</p>
  <p>For more info on DREAD visit http://dread99.cjb.net</p>
  <p>If you still have questions you can mail me at anarchriz@hotmail.com,<br>
    or try the channels #DreaD, #Win32asm, #C.I.A and #Cracking4Newbies (in that<br>
    order) on EFnet (on IRC).</p>
  <p>CYA ALL! - Anarchriz</p>
  <p>&quot;The system makes its morons, then despises them for their ineptitude, and<br>
    rewards its 'gifted few' for their rarity.&quot; - Colin Ward</p>
  <p><br>
    Appendix:</p>
  <p>CRC-16 Table</p>
  <p> 00h 0000 C0C1 C181 0140 C301 03C0 0280 C241<br>
    08h C601 06C0 0780 C741 0500 C5C1 C481 0440<br>
    10h CC01 0CC0 0D80 CD41 0F00 CFC1 CE81 0E40<br>
    18h 0A00 CAC1 CB81 0B40 C901 09C0 0880 C841</p>
  <p> 20h D801 18C0 1980 D941 1B00 DBC1 DA81 1A40<br>
    28h 1E00 DEC1 DF81 1F40 DD01 1DC0 1C80 DC41<br>
    30h 1400 D4C1 D581 1540 D701 17C0 1680 D641<br>
    38h D201 12C0 1380 D341 1100 D1C1 D081 1040</p>
  <p> 40h F001 30C0 3180 F141 3300 F3C1 F281 3240<br>
    48h 3600 F6C1 F781 3740 F501 35C0 3480 F441<br>
    50h 3C00 FCC1 FD81 3D40 FF01 3FC0 3E80 FE41<br>
    58h FA01 3AC0 3B80 FB41 3900 F9C1 F881 3840</p>
  <p> 60h 2800 E8C1 E981 2940 EB01 2BC0 2A80 EA41<br>
    68h EE01 2EC0 2F80 EF41 2D00 EDC1 EC81 2C40<br>
    70h E401 24C0 2580 E541 2700 E7C1 E681 2640<br>
    78h 2200 E2C1 E381 2340 E101 21C0 2080 E041</p>
  <p> 80h A001 60C0 6180 A141 6300 A3C1 A281 6240<br>
    88h 6600 A6C1 A781 6740 A501 65C0 6480 A441<br>
    90h 6C00 ACC1 AD81 6D40 AF01 6FC0 6E80 AE41<br>
    98h AA01 6AC0 6B80 AB41 6900 A9C1 A881 6840</p>
  <p> A0h 7800 B8C1 B981 7940 BB01 7BC0 7A80 BA41<br>
    A8h BE01 7EC0 7F80 BF41 7D00 BDC1 BC81 7C40<br>
    B0h B401 74C0 7580 B541 7700 B7C1 B681 7640<br>
    B8h 7200 B2C1 B381 7340 B101 71C0 7080 B041</p>
  <p> C0h 5000 90C1 9181 5140 9301 53C0 5280 9241<br>
    C8h 9601 56C0 5780 9741 5500 95C1 9481 5440<br>
    D0h 9C01 5CC0 5D80 9D41 5F00 9FC1 9E81 5E40<br>
    D8h 5A00 9AC1 9B81 5B40 9901 59C0 5880 9841</p>
  <p> E0h 8801 48C0 4980 8941 4B00 8BC1 8A81 4A40<br>
    E8h 4E00 8EC1 8F81 4F40 8D01 4DC0 4C80 8C41<br>
    F0h 4400 84C1 8581 4540 8701 47C0 4680 8641<br>
    F8h 8201 42C0 4380 8341 4100 81C1 8081 4040</p>
  <p><br>
    CRC-32 Table</p>
  <p> 00h 00000000 77073096 EE0E612C 990951BA<br>
    04h 076DC419 706AF48F E963A535 9E6495A3<br>
    08h 0EDB8832 79DCB8A4 E0D5E91E 97D2D988<br>
    0Ch 09B64C2B 7EB17CBD E7B82D07 90BF1D91</p>
  <p> 10h 1DB71064 6AB020F2 F3B97148 84BE41DE<br>
    14h 1ADAD47D 6DDDE4EB F4D4B551 83D385C7<br>
    18h 136C9856 646BA8C0 FD62F97A 8A65C9EC<br>
    1Ch 14015C4F 63066CD9 FA0F3D63 8D080DF5</p>
  <p> 20h 3B6E20C8 4C69105E D56041E4 A2677172<br>
    24h 3C03E4D1 4B04D447 D20D85FD A50AB56B<br>
    28h 35B5A8FA 42B2986C DBBBC9D6 ACBCF940<br>
    2Ch 32D86CE3 45DF5C75 DCD60DCF ABD13D59</p>
  <p> 30h 26D930AC 51DE003A C8D75180 BFD06116<br>
    34h 21B4F4B5 56B3C423 CFBA9599 B8BDA50F<br>
    38h 2802B89E 5F058808 C60CD9B2 B10BE924<br>
    3Ch 2F6F7C87 58684C11 C1611DAB B6662D3D</p>
  <p> 40h 76DC4190 01DB7106 98D220BC EFD5102A<br>
    44h 71B18589 06B6B51F 9FBFE4A5 E8B8D433<br>
    48h 7807C9A2 0F00F934 9609A88E E10E9818<br>
    4Ch 7F6A0DBB 086D3D2D 91646C97 E6635C01</p>
  <p> 50h 6B6B51F4 1C6C6162 856530D8 F262004E<br>
    54h 6C0695ED 1B01A57B 8208F4C1 F50FC457<br>
    58h 65B0D9C6 12B7E950 8BBEB8EA FCB9887C<br>
    5Ch 62DD1DDF 15DA2D49 8CD37CF3 FBD44C65</p>
  <p> 60h 4DB26158 3AB551CE A3BC0074 D4BB30E2<br>
    64h 4ADFA541 3DD895D7 A4D1C46D D3D6F4FB<br>
    68h 4369E96A 346ED9FC AD678846 DA60B8D0<br>
    6Ch 44042D73 33031DE5 AA0A4C5F DD0D7CC9</p>
  <p> 70h 5005713C 270241AA BE0B1010 C90C2086<br>
    74h 5768B525 206F85B3 B966D409 CE61E49F<br>
    78h 5EDEF90E 29D9C998 B0D09822 C7D7A8B4<br>
    7Ch 59B33D17 2EB40D81 B7BD5C3B C0BA6CAD</p>
  <p> 80h EDB88320 9ABFB3B6 03B6E20C 74B1D29A<br>
    84h EAD54739 9DD277AF 04DB2615 73DC1683<br>
    88h E3630B12 94643B84 0D6D6A3E 7A6A5AA8<br>
    8Ch E40ECF0B 9309FF9D 0A00AE27 7D079EB1</p>
  <p> 90h F00F9344 8708A3D2 1E01F268 6906C2FE<br>
    94h F762575D 806567CB 196C3671 6E6B06E7<br>
    98h FED41B76 89D32BE0 10DA7A5A 67DD4ACC<br>
    9Ch F9B9DF6F 8EBEEFF9 17B7BE43 60B08ED5</p>
  <p> A0h D6D6A3E8 A1D1937E 38D8C2C4 4FDFF252<br>
    A4h D1BB67F1 A6BC5767 3FB506DD 48B2364B<br>
    A8h D80D2BDA AF0A1B4C 36034AF6 41047A60<br>
    ACh DF60EFC3 A867DF55 316E8EEF 4669BE79</p>
  <p> B0h CB61B38C BC66831A 256FD2A0 5268E236<br>
    B4h CC0C7795 BB0B4703 220216B9 5505262F<br>
    B8h C5BA3BBE B2BD0B28 2BB45A92 5CB36A04<br>
    BCh C2D7FFA7 B5D0CF31 2CD99E8B 5BDEAE1D</p>
  <p> C0h 9B64C2B0 EC63F226 756AA39C 026D930A<br>
    C4h 9C0906A9 EB0E363F 72076785 05005713<br>
    C8h 95BF4A82 E2B87A14 7BB12BAE 0CB61B38<br>
    CCh 92D28E9B E5D5BE0D 7CDCEFB7 0BDBDF21</p>
  <p> D0h 86D3D2D4 F1D4E242 68DDB3F8 1FDA836E<br>
    D4h 81BE16CD F6B9265B 6FB077E1 18B74777<br>
    D8h 88085AE6 FF0F6A70 66063BCA 11010B5C<br>
    DCh 8F659EFF F862AE69 616BFFD3 166CCF45</p>
  <p> E0h A00AE278 D70DD2EE 4E048354 3903B3C2<br>
    E4h A7672661 D06016F7 4969474D 3E6E77DB<br>
    E8h AED16A4A D9D65ADC 40DF0B66 37D83BF0<br>
    ECh A9BCAE53 DEBB9EC5 47B2CF7F 30B5FFE9</p>
  <p> F0h BDBDF21C CABAC28A 53B39330 24B4A3A6<br>
    F4h BAD03605 CDD70693 54DE5729 23D967BF<br>
    F8h B3667A2E C4614AB8 5D681B02 2A6F2B94<br>
    FCh B40BBE37 C30C8EA1 5A05DF1B 2D02EF8D</p>
  <p><br>
    References:</p>
  <p>&gt; A painless guide to CRC error detection algorithm<br>
    url: ftp://ftp.adelaide.edu.au/pub/rocksoft/crc_v3.txt<br>
    (I bet this 'painless guide' is more painful than my 'short' one ;)<br>
    &gt; I also used a random source of a CRC-32 algorithm to understand the algorithm<br>
    better.<br>
    &gt; Link to crc calculation progs... hmmm search for 'CRC.ZIP' or 'CRC.EXE' or something<br>
    alike at ftpsearch (http://ftpsearch.lycos.com?form=advanced)</p>
  <p>Copyright (c) 1998,1999 by Anarchriz<br>
    (this is REALLY the last line :)</p>
</blockquote>
<div align="center"><span class="p9"><font size="2"><span class="p9"><font size="2"><span class="p9">Copyright 
  &copy; 2000-2001 <a href="http://www.pediy.com/">KanXue Studio</a> All Rights 
  Reserved.</span></font></span></font></span></div>
</body>
</html>
