
📄 chap6-3-6.htm.primary

📁 Encryption and Decryption: software encryption and protection techniques and solutions, 看雪 documents!
<html>
<head>
<title>Crack Tutorial</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link rel="stylesheet" href="style/css.css" type="text/css">
<link rel="stylesheet" href="../STYLE/Css.css" type="text/css">
</head>

<body bgcolor="white" text="#000000" link="#004080" vlink="#004080" background="../image/Back.gif">
<p><a href="../catalog.htm">Contents</a>&gt;&gt;Chapter 6</p>
<p align="center" class="shadow1Copy"><b class="p3">Chapter 6 Software Protection Techniques</b></p>
<table width="80%" border="0" cellspacing="0" cellpadding="3" align="center" bgcolor="#bcbcbc" bordercolor="#111111" class="shadow1">
  <tr> 
    <td class="shadow1" width="25%"> 
      <div align="center"><a href="Chap6-1.htm"><font color="#FFFFFF">Section 1: Common Protection Techniques</font></a></div>
    </td>
    <td class="shadow1" width="25%"> 
      <div align="center"><a href="Chap6-2.htm"><font color="#FFFFFF">Section 2: Anti-Tracing Techniques</font></a></div>
    </td>
    <td class="shadow1" width="25%"> 
      <div align="center"><a href="Chap6-3.htm"><font color="#FFFFFF">Section 3: Encryption Algorithms</font></a></div>
    </td>
    <td class="shadow1" width="25%"> 
      <div align="center"><a href="Chap6-4.htm"><font color="#FFFFFF">Section 4: Software Protection Recommendations</font></a></div>
    </td>
  </tr>
</table>
<p align="center"><span class="p9"><b>Section 3: Encryption Algorithms</b></span></p>
<table border="1" width="80%" cellpadding="5" bordercolor="#111111" bgcolor="#efefef" align="center" cellspacing="0">
  <tr> 
    <td width="33%" valign="middle" align="center" class="p9" height="23"> 
      <div align="left" class="p"><span class="p9"><span class="p9">   <span class="p9">1. <a href="Chap6-3-1.htm">RSA algorithm</a></span></span></span></div>
    </td>
    <td width="33%" valign="middle" align="center" class="p9" height="23"> 
      <div align="left"><span class="p9"><span class="p9">   <span class="p9">2. <a href="Chap6-3-2.htm">DES algorithm</a></span></span></span></div>
    </td>
    <td width="34%" valign="top" class="p9" height="23"> 
      <div align="left"><span class="p9"><span class="p9">   <span class="p9">3. <a href="Chap6-3-3.htm">ElGamal algorithm</a></span></span></span></div>
    </td>
  </tr>
  <tr> 
    <td width="33%" valign="middle" align="center" class="p9" height="23"> 
      <div align="left"><span class="p9"><span class="p9">   <span class="p9">4. <a href="Chap6-3-4.htm">DSA algorithm</a></span></span></span></div>
    </td>
    <td width="33%" valign="middle" align="center" class="p9" height="23"> 
      <div align="left"><span class="p9"><span class="p9">   <span class="p9">5. <a href="Chap6-3-5.htm">MD5 algorithm</a></span></span></span></div>
    </td>
    <td width="34%" valign="top" class="p9" height="23"> 
      <div align="left"><span class="p9"><span class="p9">   <span class="p9">6. <a href="Chap6-3-6.htm">BLOWFISH algorithm</a></span></span></span></div>
    </td>
  </tr>
</table>
<p align="center"><span class="p9"><span class="p9"><span class="p9"><b>6. BLOWFISH Algorithm</b></span></span></span></p>
<p align="left" class="p9">Author: 夜月<br>
  Contact: <a href="mailto:luoyi_ly1@sina.com">luoyi_ly1@sina.com</a><br>
  Date: October 6, 2001<br>
  Example: <a href="Exercise/cryptogram/Blowfish/Blowfish.zip">BlowFish's 
  CrackMe1</a><br>
  Keygen: <a href="Exercise/cryptogram/Blowfish/bfkeygen.zip">Bfkeygen</a></p>
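<p align="left" class="p9"><b>I. Description of the BlowFish algorithm</b> (data types in this text follow Tc2.0) </p>
<p align="left" class="p9"> <span class="p9"> </span><span class="p9"> </span>The BlowFish algorithm is used to encrypt strings 64 bits long. 
  <br>
  &nbsp; &nbsp;&nbsp;The BlowFish algorithm uses two "boxes": unsigned long pbox[18] and unsigned long sbox[4][256]. 
  <br>
  &nbsp; &nbsp;&nbsp;The BlowFish algorithm has one core encryption function, BF_En (described in detail below). It takes 64 bits of input and, after processing, outputs them as 64 bits of ciphertext. 
  Encrypting a message with the BlowFish algorithm takes two steps:<br>
  &nbsp; &nbsp;&nbsp;<br>
  1. Key preprocessing <br>
  2. Message encryption </p>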
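<p align="left" class="p9">Each is described below: <br>
  Key preprocessing: <br>
  &nbsp; &nbsp;&nbsp;The source keys of the BlowFish algorithm, pbox and sbox, are fixed. To encrypt a message we choose a key of our own and use it to transform pbox and sbox, obtaining the key_pbox and key_sbox needed for the next step, message encryption. The transformation is as follows: 
  <br>
  <br>
  1) Fill key_sbox with sbox <br>
  2) XOR pbox with the chosen key, taken 8 at a time, and fill key_pbox with the results. The key may be used cyclically. <br>
  &nbsp; For example, if the chosen key is "abcdefghijklmn", the XOR proceeds as: <br>
  &nbsp; key_pbox[0]=pbox[0]^abcdefgh <br>
  &nbsp; key_pbox[1]=pbox[1]^ijklmnab <br>
  &nbsp; ………… <br>
  &nbsp; ………… <br>
  &nbsp; and so on in a cycle, until key_pbox is completely filled. <br>
  3) Use BF_En to encrypt an all-zero 64-bit message and replace key_pbox[0] and key_pbox[1] with the output. Set i=0 <br>
  4) Use BF_En to encrypt the replaced key_pbox[i], key_pbox[i+1], and replace key_pbox[i+2] and key_pbox[i+3] with the output <br>
  5) Increase i by 2 and repeat step 4 until all of key_pbox has been replaced <br>
  6) Use key_pbox[16] and key_pbox[17] as the first input (in place of the all-zero input above) and replace key_sbox in a similar way <br>
  <br>
  Message encryption: <br>
  &nbsp; &nbsp;&nbsp;Message encryption splits the message x to be encrypted into two 32-bit halves, xL and xR, and transforms this input with the function BF_En. The BF_En function works in detail as follows: <br>
  <br>
  For i = 1 to 16: <br>
  &nbsp; &nbsp; xL=xL^Pi <br>
  &nbsp; &nbsp; xR=F(xL)^xR <br>
  &nbsp; &nbsp; swap xL and xR (this swap is cancelled in the last round) <br>
  &nbsp; xR=xR^P17 <br>
  &nbsp; xL=xL^P18 <br>
  &nbsp; Recombine xL and xR <br>
  &nbsp; The function F is shown in the figure below: <br>
  <br>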
  &nbsp; &nbsp; &nbsp; &nbsp; 8 bits&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 32 bits <br>
  &nbsp; &nbsp; |-----------S-box 1----------- <br>
  &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; |add <br>
  &nbsp; &nbsp; |&nbsp; 8 bits&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 32 bits&nbsp; |---- <br>
  &nbsp; &nbsp; |-----------S-box 2-----------&nbsp; | <br>
  &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
  &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; |XOR---- <br>
  32 bits-|&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; | <br>
  &nbsp; &nbsp; |&nbsp; 8 bits&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 32 bits&nbsp; &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; | <br>
  &nbsp; &nbsp; |-----------S-box 3---------------&nbsp; &nbsp; &nbsp; |add <br>
  &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; |-----------------32 bits <br>
  &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
  &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
  &nbsp; &nbsp; |&nbsp; 8 bits&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 32 bits&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
  &nbsp; &nbsp; |-----------S-box 4----------------------- <br>
  <br>
  Split xL into four 8-bit groups: a, b, c and d <br>
  The output is: F(xL)=((((S[1,a]+S[2,b])MOD 4294967296)^S[3,c])+S[4,d])MOD 4294967296 <br>
  &nbsp; &nbsp; &nbsp; &nbsp; (4294967296 is 2 to the 32nd power) <br>
  &nbsp; &nbsp; &nbsp; &nbsp; The recombined output is the ciphertext we need. <br>
  &nbsp; &nbsp; &nbsp; &nbsp; Decrypting with the BlowFish algorithm likewise takes two steps. <br>
  1. Key preprocessing <br>
  2. Message decryption <br>
  &nbsp; &nbsp;&nbsp;Key preprocessing is exactly the same as for encryption <br>
  &nbsp; &nbsp;&nbsp;Message decryption is simply the message encryption process with key_pbox used in reverse order. <br>
  <br>
  &nbsp; &nbsp;&nbsp;As can be seen, encrypting the same message with the BlowFish algorithm under different keys gives different results. <br>
  &nbsp; &nbsp;&nbsp;Breaking the BlowFish algorithm means obtaining its key. So when encrypting with the BlowFish algorithm, what matters most is the choice of the key and keeping the key secret. The choice of key can be checked with the _WeakKey function in bf_sdk. The description of that function follows: 
  <br>
  <br>
  Original text: <br>
  --------------------------------------------------------------------------------------- 
  <br>
  _WeakKey <br>
  Function&nbsp; : Test if the generated Boxes are weak <br>
  Argument&nbsp; : none <br>
  Return&nbsp; &nbsp; : AX = Status (1=weak, 0=good) <br>
  Affects&nbsp; &nbsp; : AX, BX, CX, DX, SI, DI, direction Flag <br>
  Description: After "_InitCrypt" you should test the Boxes with this function. 
  <br>
  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; If they provide a weakness 
  which a cryptoanalyst could use to <br>
  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break the cipher a "1" is returned. 
  In this case you should <br>
  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; reload the original boxes and 
  let the user choose a different <br>
  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; password. <br>
  --------------------------------------------------------------------------------------- 
  <br>
  Translation: <br>
  --------------------------------------------------------------------------------------- 
  <br>
  _WeakKey <br>
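  Function: tests whether the generated boxes are safe <br>
  Arguments: none <br>
  Returns: AX=1 unsafe; AX=0&nbsp; safe <br>
  Affects: AX, BX, CX, DX, SI, DI, direction flag <br>
  Description: After using the "_InitCrypt" function to generate the Boxes used for encryption, you should test with this function whether the generated Boxes are safe. If the Boxes generated by the key are unsafe, that is, a cryptanalyst could obtain the key by analysing the Boxes, then you should use a different key to generate safe Boxes for encryption. 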
  <br>
  &nbsp; &nbsp; &nbsp; <br>
  &nbsp; &nbsp;--------------------------------------------------------------------------------------- 
</p>
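<p align="left" class="p9">The round structure, the F function and the key preprocessing described above, as an added C example that is not code from the original tutorial or from bf_sdk. Assumptions: the names bf_ctx, bf_f, bf_crypt, bf_init and bf_block are hypothetical; the starting boxes are constructed filler rather than BlowFish's fixed tables, so the outputs will not match a real BlowFish implementation; and the key is XORed into each P entry 32 bits (four key bytes) at a time, as in the published BlowFish specification.</p>

```c
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t P[18], S[4][256]; } bf_ctx;   /* key_pbox, key_sbox */

/* F(xL): bytes a,b,c,d of xL -> ((S1[a] + S2[b]) ^ S3[c]) + S4[d], mod 2^32 */
static uint32_t bf_f(const bf_ctx *c, uint32_t x) {
    return ((c->S[0][x >> 24] + c->S[1][(x >> 16) & 0xff])
            ^ c->S[2][(x >> 8) & 0xff]) + c->S[3][x & 0xff];
}

/* BF_En when dec == 0; BF_De (same rounds, P-array reversed) when dec != 0 */
static void bf_crypt(const bf_ctx *c, uint32_t *l, uint32_t *r, int dec) {
    uint32_t xl = *l, xr = *r, t;
    for (int i = 0; i < 16; i++) {
        xl ^= c->P[dec ? 17 - i : i];
        xr ^= bf_f(c, xl);
        t = xl; xl = xr; xr = t;                 /* swap halves */
    }
    t = xl; xl = xr; xr = t;                     /* last round's swap is undone */
    xr ^= c->P[dec ? 1 : 16]; xl ^= c->P[dec ? 0 : 17];
    *l = xl; *r = xr;
}

/* Key preprocessing; key must be non-empty. The starting boxes are CONSTRUCTED
   filler from an LCG, not the fixed tables that real BlowFish ships with. */
void bf_init(bf_ctx *c, const char *key) {
    size_t n = strlen(key);
    uint32_t seed = 0x12345678u, l = 0, r = 0;
    for (int i = 0; i < 18; i++) c->P[i] = seed = seed * 1664525u + 1013904223u;
    for (int i = 0; i < 1024; i++) c->S[i / 256][i % 256] = seed = seed * 1664525u + 1013904223u;
    for (size_t i = 0; i < 72; i++)              /* 4 key bytes per P entry, key cycled */
        c->P[i / 4] ^= (uint32_t)(unsigned char)key[i % n] << (24 - 8 * (i % 4));
    for (int i = 0; i < 18; i += 2) { bf_crypt(c, &l, &r, 0); c->P[i] = l; c->P[i + 1] = r; }
    for (int i = 0; i < 1024; i += 2) {          /* chain continues into the S-boxes */
        bf_crypt(c, &l, &r, 0);
        c->S[i / 256][i % 256] = l; c->S[i / 256][i % 256 + 1] = r;
    }
}

/* Encrypt (dec == 0) or decrypt (dec != 0) one 64-bit block under key */
uint64_t bf_block(const char *key, uint64_t x, int dec) {
    bf_ctx c;
    uint32_t l = (uint32_t)(x >> 32), r = (uint32_t)x;
    bf_init(&c, key); bf_crypt(&c, &l, &r, dec);
    return ((uint64_t)l << 32) | r;
}

int main(void) {                                 /* exit code 0: round trip succeeded */
    uint64_t x = 0x0123456789abcdefULL, ct = bf_block("abcdefghijklmn", x, 0);
    return bf_block("abcdefghijklmn", ct, 1) == x ? 0 : 1;
}
```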
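<p align="left" class="p9"><b>II. Analysis of BlowFish's CrackMe1 </b></p>
<p align="left" class="p9">Because this CrackMe is mainly meant to test your knowledge of cryptography, it sets no obstacles in other areas. To reduce the file size and shorten everyone's download time it was packed with upx; the shell comes off easily using Trw2000's "PNewSec+Makepe" directly. 
  <br>
  With the usual methods, the key comparison below is quickly found: <br>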
  :004015D9 51&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push ecx <br>
  :004015DA 52&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push edx <br>
  :004015DB 6880894000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00408980 <br>
  :004015E0 E8EBFAFFFF&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; call 004010D0&nbsp; &nbsp; &nbsp; //BF_De(sn) <br>
  :004015E5 8B442464&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov eax, dword ptr [esp+64] <br>
  :004015E9 8B0DF0994000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov ecx, dword ptr [004099F0] <br>
  :004015EF 83C41C&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; add esp, 0000001C <br>
  :004015F2 3BC1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; cmp eax, ecx&nbsp; &nbsp; &nbsp; //compare <br>
  :004015F4 7529&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jne 0040161F <br>
  :004015F6 8B4C244C&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov ecx, dword ptr [esp+4C] <br>
  :004015FA A1EC994000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov eax, dword ptr [004099EC] <br>
  :004015FF 3BC8&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; cmp ecx, eax&nbsp; &nbsp; &nbsp; //compare <br>
  :00401601 751C&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jne 0040161F <br>
  :00401603 6A30&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00000030 <br>
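  &nbsp; &nbsp; Because the information output by BlowFish encryption and decryption is always 64 bits, two comparisons are needed. <br>
  &nbsp; &nbsp; Now that we know the transformation applied to our sn is BF_De, we obviously need to find where the program initializes key_pbox and key_sbox. Step into the call at 4015E0 and key_pbox is found at 408980; set a bpm there, then trace and analyse to find the place where the program initializes key_pbox and key_sbox, shown below: 
  <br>
  <br>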
  :004016C0 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push eax <br>
  <br>
  * Possible StringData Ref from Data Obj ->"CrackingForFun" <br>
  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
  :004016C1 6844804000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00408044 <br>
  :004016C6 6880894000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00408980 <br>
  :004016CB E860FAFFFF&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; call 00401130&nbsp; //initialize the Boxes <br>
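  &nbsp;From this we know that the key of BF_De(sn) is "CrackingForFun". <br>
  Half of the problem is now solved. Next we look at where the other 64-bit number used in the comparison comes from. <br>
  &nbsp; &nbsp;&nbsp;bpm 4099EC w <br>
  After tracing and analysis, we find that the number used in the comparison is generated by BF_En(ComputerID,key="ChinaCrackingGroup"). <br>
  &nbsp; &nbsp;&nbsp;At this point we can write down the algorithm of the keygen: <br>
  &nbsp; &nbsp;&nbsp;sn=BF_En(BF_En(ComputerID,key="ChinaCrackingGroup"),key="CrackingForFun") 
  <br>
  &nbsp; &nbsp;&nbsp;As long as your programming is strong enough and your cryptography is passable, writing a keygen for this thing is not difficult. <br>
  Appendix: <br>
  How the ComputerID is generated <br>
  &nbsp; &nbsp; If you are very interested in this CrackMe and also want to study how its ComputerID is generated, you can keep tracing and analysing. Here I give the result of my analysis: 
  <br>
  &nbsp; &nbsp; &nbsp; &nbsp; ComputerID=BF_En(0776f6c62h, 068736966h,key=PW_1) 
  <br>
  &nbsp; &nbsp;&nbsp;Here PW_1 is your Windows version number, which can be seen in "System Properties"; it is the ProductId entry under <br>
  H_L_M\Software\Microsoft\Windows\CurrentVersion in the registry. On my machine it is: <br>
  &nbsp; &nbsp; &nbsp; &nbsp; "25001-OEM-0080247-46673" <br>
  &nbsp; &nbsp;&nbsp;Some statements in the keygen source are not used and have been disabled with ";". If you are interested, you can remove the leading ";", replace PW_1 in the .data section with your machine's ComputerID, modify the source program yourself following the notes in the program, and rebuild it with Masm32V6; pressing Generate directly then also gives the correct serial number.<br>
  <br>
  <b>III. Keygen source code</b></p>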
<blockquote>;BlowFish's Crackme's KeyGen Written By 夜月[CCG] <br>
  ;Any Questions,Please E-Mail To luoyi.ly@yeah.net <br>
  ;Thanks To Garfield,BlowFish,Toye <br>
  ;Program flow: <br>
  ;1. GetVersion obtains the machine's Windows version number. PW_1 <br>
  ;2. The fixed string "ChinaCrackingGroup". PW_2 <br>
  ;3. The fixed string "CrackingForFun". PW_3 <br>
  ;4. The string you enter. sn <br>
  ;BF_En(0776f6c62h, 068736966h,key=PW_1) gives the Computer ID <br>
  ;BF_En(ComputerID,key=PW_2) gives MagicNum <br>
