演算法分析是一種享受---IP-Tools中的密碼學演算法詳細分析
官方主頁:http://www.ks-soft.net/
軟體介紹:
整合了許多TCP/IP實用工具於一體,比如本地資訊、連線資訊、埠掃描、PING、TRACE、WHOIS、
FINGER、NSLOOKUP、Telnet客戶端、NETBIOS資訊、IP監視器等等
IP-Tools的功能確實非常強大,ks-soft公司的客戶包括Adobe Systems Incorporated,Intel Corporation,IBM Corporation
等大公司,不知道是否這些公司也用IP-Tools,剛拿到這個軟體的時候沒想到它的演算法會很複雜
隨著分析的不斷深入才發現自己對它用的演算法卻似乎沒有見到過,這個演算法具有良好的雪崩效應,以及擴散
和混亂,有一個單向陷門函式, 同時又具有一個金鑰對,一個是加密金鑰,另一個是解密金鑰
它和RSA的大數運算很相似,註冊碼為640位,我想這種單向函式應該稱為非對稱演算法的
單向函式,也就是說是公鑰密碼學和單向函式的混合加密.如果這個演算法是作者自己設計和實現的,那麼
我想他有一定的密碼學知識,其註冊碼的驗證很像中途攻擊,有點碰撞的意思
呵呵,說多啦,開始我們的演算法分析之旅吧
eXt |Cnbragon(Radio):Go go go !
----------------------------------------------------------------------------------------
PeID檢視,無殼,Borland Delphi 4.0 - 5.0,Kanal 外掛分析知有Base64,但可惜的是它並沒有用在註冊
演算法當中,如果是Base64,那將會是件很容易的事,可事實並非如此,它只用在最後把使用者名稱和註冊碼加密
後放入登錄檔中,這不是我們要研究的重點,不過你可以看看
這裡:
HKCU\Software\KS-Soft\IP-Tools\UserName
HKCU\Software\KS-Soft\IP-Tools\UserSNum
還有這裡:
Software\Microsoft\Windows\CurrentVersion\Devices\00102
"DATA5"="..."
"DATA6"="..."
程式在啟動的時候會有自校驗.當然會從上面的這個地方讀出註冊碼再驗證一遍
為了對付它,我動用了DeDe,IDA和Ollydbg (Desert Eagle,AK47/B43,AWP),當然Ollydbg是主武器(我是我們
隊的sniper嘛,有空切磋切磋哦).透過DeDe的分析,可以很容易的斷在註冊處理的地方,如下
----------------------------------------------------------------------------------------
00509FF0 <>|. E8 E3C0F2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
00509FF5 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00509FF8 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00509FFB <>|. E8 88F4EFFF call <IP_TOOLS.sub_409488> ; ->sysutils.Trim(AnsiString):AnsiString;
0050A000 |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
0050A003 |. 8BC7 mov eax,edi
0050A005 <>|. E8 FEC0F2FF call <IP_TOOLS.sub_436108> ; ->controls.TControl.SetText(TControl;TCaption);
0050A00A |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0050A00D |. 8B06 mov eax,dword ptr ds:[esi]
0050A00F <>|. 8BB8 E8020000 mov edi,dword ptr ds:[eax+2E8] ; *RxGIFAnimator1:TRxGIFAnimator
0050A015 |. 8BC7 mov eax,edi
0050A017 <>|. E8 BCC0F2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A01C |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0050A01F |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0050A022 <>|. E8 61F4EFFF call <IP_TOOLS.sub_409488> ; ->sysutils.Trim(AnsiString):AnsiString;
0050A027 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
0050A02A |. 8BC7 mov eax,edi
0050A02C <>|. E8 D7C0F2FF call <IP_TOOLS.sub_436108> ; ->controls.TControl.SetText(TControl;TCaption);
0050A031 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
0050A034 |. 8B06 mov eax,dword ptr ds:[esi]
0050A036 <>|. 8B80 E4020000 mov eax,dword ptr ds:[eax+2E4] ; *Label1:TLabel
0050A03C <>|. E8 97C0F2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A041 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
0050A044 |. E8 E7A4FCFF call <IP_TOOLS.sub_4D4530>
0050A049 |. 84C0 test al,al
0050A04B |. 74 3C je short <IP_TOOLS.loc_50A089>
0050A04D |. 68 E4A25000 push <IP_TOOLS.aSorryYourRegis> ; ASCII "Sorry, your registration name ("
0050A052 |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0050A055 |. 8B06 mov eax,dword ptr ds:[esi]
0050A057 <>|. 8B80 E4020000 mov eax,dword ptr ds:[eax+2E4] ; *Label1:TLabel
0050A05D <>|. E8 76C0F2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A062 |. FF75 E4 push dword ptr ss:[ebp-1C]
0050A065 |. 68 0CA35000 push <IP_TOOLS.aIsFoundOnTheBl> ; ASCII ") is found on the "Black List".
"
0050A06A |. 68 38A35000 push <IP_TOOLS.aIfYouHaveAnyQu> ; ASCII "If you have any questions, please, contact KS-Soft: line1@ks-soft.net; line2@ks-soft.net"
0050A06F |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0050A072 |. BA 04000000 mov edx,4 ; 上面是得到使用者名稱並檢查是否在黑名單中,黑名單N多:D
0050A077 <>|. E8 28A2EFFF call <IP_TOOLS.sub_4042A4> ; ->system.@LStrCatN;
0050A07C |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0050A07F <>|. E8 E448F5FF call <IP_TOOLS.sub_45E968> ; ->dialogs.ShowMessage(AnsiString);
0050A084 |. E9 EF010000 jmp <IP_TOOLS.loc_50A278>
0050A089 <>|> 8D55 E0 lea edx,dword ptr ss:[ebp-20] ; loc_50A089
0050A08C |. 8B06 mov eax,dword ptr ds:[esi]
0050A08E <>|. 8B80 E4020000 mov eax,dword ptr ds:[eax+2E4] ; *Label1:TLabel
0050A094 <>|. E8 3FC0F2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A099 |. 837D E0 00 cmp dword ptr ss:[ebp-20],0
0050A09D |. 0F84 CB010000 je <IP_TOOLS.loc_50A26E>
0050A0A3 |. 8D55 DC lea edx,dword ptr ss:[ebp-24]
0050A0A6 |. 8B06 mov eax,dword ptr ds:[esi]
0050A0A8 <>|. 8B80 E8020000 mov eax,dword ptr ds:[eax+2E8] ; *RxGIFAnimator1:TRxGIFAnimator
0050A0AE <>|. E8 25C0F2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A0B3 |. 837D DC 00 cmp dword ptr ss:[ebp-24],0
0050A0B7 |. 0F84 B1010000 je <IP_TOOLS.loc_50A26E>
0050A0BD |. 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0050A0C0 |. 8B06 mov eax,dword ptr ds:[esi]
0050A0C2 <>|. 8B80 E4020000 mov eax,dword ptr ds:[eax+2E4] ; *Label1:TLabel
0050A0C8 <>|. E8 0BC0F2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A0CD |. 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0050A0D0 <>|. E8 67C0FEFF call <IP_TOOLS.sub_4F613C> ; ->:TDebugForm._PROC_004F613C()
0050A0D5 |. 8BF8 mov edi,eax ; 上面這個call是對使用者名稱進行加密處理
0050A0D7 |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
0050A0DA |. 8B06 mov eax,dword ptr ds:[esi]
0050A0DC <>|. 8B80 E8020000 mov eax,dword ptr ds:[eax+2E8] ; *RxGIFAnimator1:TRxGIFAnimator
0050A0E2 <>|. E8 F1BFF2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A0E7 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0050A0EA <>|. E8 E9C0FEFF call <IP_TOOLS.sub_4F61D8> ; ->:TDebugForm._PROC_004F61D8()
0050A0EF |. 66:3BF8 cmp di,ax ; 上面這個call是對註冊碼進行解密處理
0050A0F2 |. 0F85 76010000 jnz <IP_TOOLS.loc_50A26E>
0050A0F8 |. A1 9CA95400 mov eax,dword ptr ds:[54A99C]
0050A0FD |. BA FF010000 mov edx,1FF
0050A102 |. E8 19C0FEFF call <IP_TOOLS.HashToInt> ;得到的640位大數進行處理,這個是使用者名稱的
0050A107 |. 8BF8 mov edi,eax
0050A109 |. A1 20A85400 mov eax,dword ptr ds:[54A820]
0050A10E |. BA FF010000 mov edx,1FF
0050A113 |. E8 08C0FEFF call <IP_TOOLS.HashToInt> ;得到的640位大數進行處理,這個是註冊碼的
0050A118 |. 3BF8 cmp edi,eax ;結果相同嗎?不同就出錯,相同就繼續檢驗
0050A11A |. 0F85 4E010000 jnz <IP_TOOLS.loc_50A26E>
0050A120 |. A1 9CA95400 mov eax,dword ptr ds:[54A99C]
0050A125 |. 83C0 07 add eax,7
0050A128 |. 8B00 mov eax,dword ptr ds:[eax]
0050A12A |. 8B15 20A85400 mov edx,dword ptr ds:[54A820] ; IP_TOOLS.0054CB00
0050A130 |. 83C2 07 add edx,7
0050A133 |. 3B02 cmp eax,dword ptr ds:[edx] ;這裡
0050A135 |. 0F85 33010000 jnz <IP_TOOLS.loc_50A26E>
0050A13B |. 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0050A13E |. 8B06 mov eax,dword ptr ds:[esi]
0050A140 <>|. 8B80 E4020000 mov eax,dword ptr ds:[eax+2E4] ; *Label1:TLabel
0050A146 <>|. E8 8DBFF2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A14B |. 8B55 D0 mov edx,dword ptr ss:[ebp-30]
0050A14E |. A1 C4AB5400 mov eax,dword ptr ds:[54ABC4]
0050A153 <>|. E8 609EEFFF call <IP_TOOLS.sub_403FB8> ; ->system.@LStrAsg;
0050A158 |. 8D55 CC lea edx,dword ptr ss:[ebp-34]
0050A15B |. 8B06 mov eax,dword ptr ds:[esi]
0050A15D <>|. 8B80 E8020000 mov eax,dword ptr ds:[eax+2E8] ; *RxGIFAnimator1:TRxGIFAnimator
0050A163 <>|. E8 70BFF2FF call <IP_TOOLS.sub_4360D8> ; ->controls.TControl.GetText(TControl):TCaption;
0050A168 |. 8B55 CC mov edx,dword ptr ss:[ebp-34]
0050A16B |. A1 64A85400 mov eax,dword ptr ds:[54A864]
0050A170 <>|. E8 439EEFFF call <IP_TOOLS.sub_403FB8> ; ->system.@LStrAsg;
0050A175 |. 8BC3 mov eax,ebx
0050A177 |. E8 B0F9FFFF call <IP_TOOLS.sub_509B2C>
0050A17C |. B8 9CA35000 mov eax,<IP_TOOLS.aThankYouForReg> ; ASCII "Thank you for registering IP-Tools.
Please, restart the program."
0050A181 <>|. E8 E247F5FF call <IP_TOOLS.sub_45E968> ; ->dialogs.ShowMessage(AnsiString);
0050A186 |. B2 01 mov dl,1
0050A188 |. A1 E0634500 mov eax,dword ptr ds:[<off_4563E0>]
0050A18D <>|. E8 BAC3F4FF call <IP_TOOLS.sub_45654C> ; ->registry.TRegistry.Create(TRegistry;boolean);overload;
0050A192 |. 8BD8 mov ebx,eax
0050A194 |. B1 01 mov cl,1
0050A196 |. BA E8A35000 mov edx,<IP_TOOLS.aSoftwareKsSo_3> ; ASCII "\Software\KS-Soft\IP-Tools"
0050A19B |. 8BC3 mov eax,ebx
0050A19D <>|. E8 CAC5F4FF call <IP_TOOLS.sub_45676C> ; ->registry.TRegistry.OpenKey(TRegistry;AnsiString;Boolean):Boolean;
0050A1A2 |. A1 C4AB5400 mov eax,dword ptr ds:[54ABC4]
0050A1A7 |. 8B00 mov eax,dword ptr ds:[eax]
0050A1A9 <>|. E8 36A0EFFF call <IP_TOOLS.sub_4041E4> ; ->system.@LStrLen:Integer;<+>
0050A1AE |. 8D55 C8 lea edx,dword ptr ss:[ebp-38]
0050A1B1 |. E8 1EA9FCFF call <IP_TOOLS.sub_4D4AD4>
0050A1B6 |. 8B4D C8 mov ecx,dword ptr ss:[ebp-38] ; 下面就是用Base64把UserName和UserNum存入登錄檔
0050A1B9 |. BA 0CA45000 mov edx,<IP_TOOLS.aUsername_1> ; ASCII "UserName"
0050A1BE |. 8BC3 mov eax,ebx
0050A1C0 <>|. E8 43CAF4FF call <IP_TOOLS.sub_456C08> ; ->registry.TRegistry.WriteString(TRegistry;AnsiString;AnsiString);
0050A1C5 |. A1 64A85400 mov eax,dword ptr ds:[54A864]
0050A1CA |. 8B00 mov eax,dword ptr ds:[eax]
0050A1CC <>|. E8 13A0EFFF call <IP_TOOLS.sub_4041E4> ; ->system.@LStrLen:Integer;<+>
0050A1D1 |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0050A1D4 |. E8 FBA8FCFF call <IP_TOOLS.sub_4D4AD4>
0050A1D9 |. 8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
0050A1DC |. BA 20A45000 mov edx,<IP_TOOLS.aUsersnum> ; ASCII "UserSNum"
....................................
---------------------------------------------------------------------------------------------------------------------------
0050A0D0 <>|. E8 67C0FEFF call <IP_TOOLS.sub_4F613C>
{
004F613C <>/$ 55 push ebp ; sub_4F613C
004F613D |. 8BEC mov ebp,esp
004F613F |. 81C4 FCFDFFFF add esp,-204
004F6145 |. 53 push ebx
004F6146 |. 8945 FC mov dword ptr ss:[ebp-4],eax
004F6149 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F614C |. E8 47E2F0FF call <IP_TOOLS.sub_404398>
004F6151 |. 33C0 xor eax,eax
004F6153 |. 55 push ebp
004F6154 |. 68 C9614F00 push <IP_TOOLS.loc_4F61C9>
004F6159 |. 64:FF30 push dword ptr fs:[eax]
004F615C |. 64:8920 mov dword ptr fs:[eax],esp
---------------------------------------------------------------------
把使用者名稱的長度送給ebx,如果長度大於64的話就以64來計算
004F615F |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F6162 |. E8 7DE0F0FF call <IP_TOOLS.sub_4041E4>
004F6167 |. 83F8 40 cmp eax,40
004F616A |. 7E 07 jle short <IP_TOOLS.loc_4F6173>
004F616C |. BB 40000000 mov ebx,40
004F6171 |. EB 0A jmp short <IP_TOOLS.loc_4F617D>
004F6173 <>|> 8B45 FC mov eax,dword ptr ss:[ebp-4] ; loc_4F6173
004F6176 |. E8 69E0F0FF call <IP_TOOLS.sub_4041E4>
004F617B |. 8BD8 mov ebx,eax
004F617D <>|> 8D45 FC lea eax,dword ptr ss:[ebp-4] ; loc_4F617D
004F6180 |. E8 2FE2F0FF call <IP_TOOLS.sub_4043B4>
004F6185 |. 8D95 FCFDFFFF lea edx,dword ptr ss:[ebp-204]
004F618B |. 8BCB mov ecx,ebx
004F618D |. E8 62C8F0FF call <IP_TOOLS.sub_4029F4>
004F6192 |. 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
004F6198 |. 50 push eax ; /Arg5 pointer to name
004F6199 |. 68 00C95400 push IP_TOOLS.0054C900 ; |Arg4 = 0054C900
004F619E |. 53 push ebx ; |Arg3 namelen
004F619F |. 68 02805400 push IP_TOOLS.00548002 ; |Arg2 = 00548002 固定引數1
004F61A4 |. 68 02815400 push IP_TOOLS.00548102 ; |Arg1 = 00548102 公鑰,用於加密
004F61A9 |. E8 3C060000 call <IP_TOOLS.sub_4F67EA> ; \IP_TOOLS.004F67EA
004F61AE |. 0FBEC0 movsx eax,al
}
00548002處的固定引數為一個長度為2的WORD陣列,WORD constants={0x0003,0x0008};
00548102處的公鑰是一個640位的大數,在記憶體中表示如下:
--------------------------------------------------------------------------
00548102 A1 8B 33 A7 FA CE 05 97 99 EA 8F 95 AD 8E F5 7C 3?|
00548112 97 09 D6 3B F3 85 6D CC EA 56 FE 14 FE 22 FB 86 ??m剃V??
00548122 F7 A5 2F 00 C5 86 78 3B 05 DA CE 9E 8E 40 10 E5 鰩/.x;諼@
00548132 77 6F E2 71 80 47 99 C7 60 85 DE 1B 1D E9 EB 9D woqG`殯
00548142 79 C2 7E 40 40 91 EB 2A 38 C9 BB C2 EC EC 79 C9 y~@@*8苫螞y
--------------------------------------------------------------------------
這個公鑰將用於大數運算,是以一個WORD為單位
arg4=0054C900用於存放對使用者名稱處理的結果
上面是使用者名稱的,再來看看註冊碼的
-----------------------------------------------------------------------------------------------
{
004F61D8 <>/$ 55 push ebp ; sub_4F61D8
004F61D9 |. 8BEC mov ebp,esp
004F61DB |. 81C4 FCFDFFFF add esp,-204
004F61E1 |. 53 push ebx
004F61E2 |. 8945 FC mov dword ptr ss:[ebp-4],eax
004F61E5 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F61E8 |. E8 ABE1F0FF call <IP_TOOLS.sub_404398>
004F61ED |. 33C0 xor eax,eax
004F61EF |. 55 push ebp
004F61F0 |. 68 52624F00 push <IP_TOOLS.loc_4F6252>
004F61F5 |. 64:FF30 push dword ptr fs:[eax]
004F61F8 |. 64:8920 mov dword ptr fs:[eax],esp
004F61FB |. 8D95 FCFDFFFF lea edx,dword ptr ss:[ebp-204]
004F6201 |. B9 FF010000 mov ecx,1FF
004F6206 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F6209 |. E8 62FEFFFF call <IP_TOOLS.sub_4F6070>
004F620E |. 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
004F6214 |. 50 push eax ;Arg5 pointer to sn
004F6215 |. 68 00CB5400 push IP_TOOLS.0054CB00 ;Arg4 存放結果
004F621A |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F621D |. E8 C2DFF0FF call <IP_TOOLS.sub_4041E4>
004F6222 |. D1F8 sar eax,1
004F6224 |. 79 03 jns short <IP_TOOLS.loc_4F6229>
004F6226 |. 83D0 00 adc eax,0
004F6229 <>|> 50 push eax ; |Arg3 snlen
004F622A |. 68 06825400 push IP_TOOLS.00548206 ; |Arg2 = 00548206 固定引數2
004F622F |. 68 06835400 push IP_TOOLS.00548306 ; |Arg1 = 00548306 私鑰,用於解密
004F6234 |. E8 B1050000 call <IP_TOOLS.sub_4F67EA> ; \IP_TOOLS.004F67EA
004F6239 |. 0FBED8 movsx ebx,al
}
00548206處是另外一組固定引數,但是它是一個40個WORD陣列,在記憶體中表示如下:
00548206 CD 4D 02 EB CD B6 98 A2 DF FF 2E C3 42 FD 4B 24 M臚⑦.BK$
00548216 6C 65 47 3D 3B 12 58 58 B7 0A 03 E9 78 C2 C3 97 leG=;XX?x旅
00548226 52 D4 D9 7E 06 7B A5 71 FA 32 40 3D 84 75 89 C0 R再~{q?@=u
00548236 35 2E F8 08 B4 8D 26 DB 03 55 EE C1 DE 0D BC F3 5.?&?U盍?儉
00548246 47 DC A9 D1 9B D2 11 63 DE 34 B2 F5 EB B9 0F 1B G堠?c?蟬牘
----------------------------------------------------------------------
私鑰如下:
--------------------------------------------------------------------
00548306 99 C3 C7 0E E6 7B AE 25 D9 5D 38 3A 43 A3 55 63 ??#123;?]8:CUc
00548316 4E 3A 09 34 AE 1F 8E C5 E8 BB D6 CD F1 EA 44 72 N:.4?杌滯耜Dr
00548326 B5 5F B3 35 1B 06 2C 22 9C 01 5C 8C DC AC 26 CA _?,"?\?
00548336 4B 66 63 7A A7 3D E2 45 3A 10 EB AF 12 B6 ED 6B Kfcz?E:氙俄k
00548346 75 1F 65 44 FD FF E0 9B F2 B1 2C CA 43 71 5B E7 ueD?蟣,Cq[
---------------------------------------------------------------------
雖然得到了兩組資料,但是由於不知道具體的演算法,所以還是要詳細的分析其註冊演算法,對使用者名稱和註冊碼的處理最終都呼叫了同一個call
但是卻使用了不同的金鑰和引數,所以我才稱它為非對稱演算法;
--------------------------------------------------------------------------
{
004F67EA <>/$ 55 push ebp ; sub_4F67EA
.
.
.
004F681C |. 83C4 0C add esp,0C
004F681F |. 56 push esi ; /Arg4 公鑰
004F6820 |. FF75 0C push dword ptr ss:[ebp+C] ; |Arg3 固定引數1
004F6823 |. 68 04CD5400 push IP_TOOLS.0054CD04 ; |Arg2 = 0054CD04 name
004F6828 |. 68 84CD5400 push IP_TOOLS.0054CD84 ; |Arg1 = 0054CD84 存放結果
004F682D |. E8 1B110000 call <IP_TOOLS.sub_4F794D> ; \IP_TOOLS.004F794D
004F6832 |. 83C4 10 add esp,10
.
.
.
上面這個是關鍵call,其它的都無關緊要
}
{
004F7A2F |. 53 push ebx ; /Arg1 = 00548102 公鑰
004F7A30 |. E8 6EF6FFFF call <IP_TOOLS.sub_4F70A3> ; \IP_TOOLS.004F70A3 生成16個子金鑰
-----------------------------------------------------------------------------------------------------
004F70A3 <>/$ 55 push ebp ; sub_4F70A3
004F70A4 |. 8BEC mov ebp,esp
004F70A6 |. 53 push ebx
004F70A7 |. 56 push esi
004F70A8 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
004F70AB |. BE 0C8C5400 mov esi,IP_TOOLS.00548C0C
004F70B0 |. 8906 mov dword ptr ds:[esi],eax
004F70B2 |. 0FBF15 08845400 movsx edx,word ptr ds:[548408]
004F70B9 |. 03D2 add edx,edx
004F70BB |. 03C2 add eax,edx
004F70BD |. 83C0 FE add eax,-2
004F70C0 |. 66:8B08 mov cx,word ptr ds:[eax]
004F70C3 |. 66:890D 508C5400 mov word ptr ds:[548C50],cx
004F70CA |. 83E8 02 sub eax,2
004F70CD |. 66:8B00 mov ax,word ptr ds:[eax]
004F70D0 |. 66:A3 728C5400 mov word ptr ds:[548C72],ax
004F70D6 |. 66:BB 0100 mov bx,1
004F70DA <>|> 0FBFC3 /movsx eax,bx ; loc_4F70DA
004F70DD |. FF7486 FC |push dword ptr ds:[esi+eax*4-4] ; /Arg2
004F70E1 |. 0FBFD3 |movsx edx,bx ; |
004F70E4 |. FF3496 |push dword ptr ds:[esi+edx*4] ; |Arg1
004F70E7 |. E8 8AFAFFFF |call <IP_TOOLS.memcpy> ; \IP_TOOLS.004F6B76
004F70EC |. 83C4 08 |add esp,8
004F70EF |. 6A 00 |push 0 ; /Arg2 = 00000000
004F70F1 |. 0FBFCB |movsx ecx,bx ; |
004F70F4 |. FF348E |push dword ptr ds:[esi+ecx*4] ; |Arg1
004F70F7 |. E8 27F9FFFF |call <IP_TOOLS.SHL1> ; \IP_TOOLS.004F6A23
----------------------------------------------------------------------------------------------------
004F6A23 <>/$ 55 push ebp ; SHL1
004F6A24 |. 8BEC mov ebp,esp ; 對金鑰們左移也就是變為2倍
004F6A26 |. 53 push ebx ; 但是這個金鑰是672位的大數
004F6A27 |. 56 push esi ; 我稱之為subKey4name
004F6A28 |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004F6A2B |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
004F6A2E |. 66:8B35 08845400 mov si,word ptr ds:[548408]
004F6A35 |. EB 1A jmp short <IP_TOOLS.loc_4F6A51>
004F6A37 <>|> 66:8338 00 /cmp word ptr ds:[eax],0 ; loc_4F6A37
004F6A3B |. 0F9CC2 |setl dl
004F6A3E |. 83E2 01 |and edx,1
004F6A41 |. 66:D120 |shl word ptr ds:[eax],1
004F6A44 |. 84C9 |test cl,cl
004F6A46 |. 74 04 |je short <IP_TOOLS.loc_4F6A4C>
004F6A48 |. 66:8308 01 |or word ptr ds:[eax],1
004F6A4C <>|> 8BCA |mov ecx,edx ; loc_4F6A4C
004F6A4E |. 83C0 02 |add eax,2
004F6A51 <>|> 8BDE mov ebx,esi ; loc_4F6A51
004F6A53 |. 66:83C6 FF |add si,0FFFF
004F6A57 |. 66:85DB |test bx,bx
004F6A5A |.^ 75 DB \jnz short <IP_TOOLS.loc_4F6A37>
004F6A5C |. 8BC2 mov eax,edx
------------------------------------------------------------------------------------------------------
004F70FC |. 83C4 08 |add esp,8
004F70FF |. 0FBFC3 |movsx eax,bx
004F7102 |. 8B0486 |mov eax,dword ptr ds:[esi+eax*4]
004F7105 |. 0FBF15 08845400 |movsx edx,word ptr ds:[548408]
004F710C |. 03D2 |add edx,edx
004F710E |. 03C2 |add eax,edx
004F7110 |. 83C0 FE |add eax,-2
004F7113 |. 0FBFCB |movsx ecx,bx
004F7116 |. 66:8B10 |mov dx,word ptr ds:[eax]
004F7119 |. 66:89144D 508C5400 |mov word ptr ds:[ecx*2+548C50],dx ;這是把子金鑰的最高位放到548C50地址處
004F7121 |. 83E8 02 |sub eax,2
004F7124 |. 0FBFCB |movsx ecx,bx
004F7127 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F712A |. 66:89044D 728C5400 |mov word ptr ds:[ecx*2+548C72],ax ;這是把子金鑰的次高位放到548C72地址處
004F7132 |. 43 |inc ebx
004F7133 |. 66:83FB 11 |cmp bx,11
004F7137 |.^ 7C A1 \jl short <IP_TOOLS.loc_4F70DA>
004F7139 |. 33C0 xor eax,eax
004F713B |. 5E pop esi
004F713C |. 5B pop ebx
004F713D |. 5D pop ebp
004F713E \. C3 retn
}
-----------------------------------------------------------------
上面就要用到大數運算的知識了,可以參考罈子的"RSA與大數運算",這裡是一個672位的大數,我用了一個42個字的陣列來表示這樣一個大數
如下,比如說公鑰:
#define Len 42
WORD wkey4name1[Len]={0x8BA1,0xA733,0xCEFA,0x9705,0xEA99,0x958F,0x8EAD,0x7CF5,
0x0997,0x3BD6,0x85F3,0xCC6D,0x56ea,0x14FE,0x22FE,0x86FB,
0xA5F7,0x002F,0x86C5,0x3B78,0xDA05,0x9ECE,0x408E,0xE510,
0x6F77,0x71E2,0x4780,0xC799,0x8560,0x1BDE,0xE91D,0x9DEB,
0xC279,0x407E,0x9140,0x2AEB,0xC938,0xC2BB,0xECEC,0xC979,
0x0000,0x0000};
而左移運算根據對彙編的分析可以寫出如下的C程式碼:
void WORDSHL(WORD source[],WORD dest[],int length)
{
DWORD result=0; //因為DWORD的存在所以比較成為可能
int carry=0; //進位標誌
int d=0;
int j;
for(j=0;j<length;j++)
{
result=(source[j]<<1);
if(result>0xFFFF)
carry=1;
else
carry=0;
dest[j]=(source[j]<<1);
if(d==1)
{
dest[j]=(dest[j]|1); 加上進位
}
d=carry;
}
}
關於大數運算,我想那篇"RSA與大數運算"確實不錯,兄弟們一定要看看
------------------------------------------------------------------------------------------
生成子金鑰後
004F7A95 |. 66:D1EB shr bx,1 ;bx初始化為0x8000
004F7A98 |. 66:85DB test bx,bx
004F7A9B |. 75 61 jnz short <IP_TOOLS.loc_4F7AFE>
004F7A9D |. 66:BB 0080 mov bx,8000
004F7AA1 |. 83EF 02 sub edi,2
004F7AA4 |. EB 58 jmp short <IP_TOOLS.loc_4F7AFE>
004F7AA6 <>|> 56 /push esi ; /loc_4F7AA6
004F7AA7 |. 56 |push esi ; |Arg2
004F7AA8 |. 8D85 78FFFFFF |lea eax,dword ptr ss:[ebp-88] ; |
004F7AAE |. 50 |push eax ; |Arg1
004F7AAF |. E8 8BF6FFFF |call <IP_TOOLS.kernel> ; \IP_TOOLS.004F713F 核心Function
004F7AB4 |. 83C4 0C |add esp,0C
004F7AB7 |. 8D95 78FFFFFF |lea edx,dword ptr ss:[ebp-88]
004F7ABD |. 52 |push edx ; /Arg2
004F7ABE |. 56 |push esi ; |Arg1
004F7ABF |. E8 B2F0FFFF |call <IP_TOOLS.memcpy> ; \IP_TOOLS.004F6B76
004F7AC4 |. 83C4 08 |add esp,8 ; 把上面計算出來的結果存入esi
004F7AC7 |. 66:851F |test word ptr ds:[edi],bx ;這裡edi就指向固定引數1
004F7ACA |. 74 23 |je short <IP_TOOLS.loc_4F7AEF> ;和bx相與不為0的話就再做一次
004F7ACC |. FF75 0C |push dword ptr ss:[ebp+C] ; /Arg3
004F7ACF |. 56 |push esi ; |Arg2
004F7AD0 |. 8D8D 78FFFFFF |lea ecx,dword ptr ss:[ebp-88] ; |
004F7AD6 |. 51 |push ecx ; |Arg1
004F7AD7 |. E8 63F6FFFF |call <IP_TOOLS.kernel> ; \IP_TOOLS.004F713F
004F7ADC |. 83C4 0C |add esp,0C
004F7ADF |. 8D85 78FFFFFF |lea eax,dword ptr ss:[ebp-88]
004F7AE5 |. 50 |push eax ; /Arg2
004F7AE6 |. 56 |push esi ; |Arg1
004F7AE7 |. E8 8AF0FFFF |call <IP_TOOLS.memcpy> ; \IP_TOOLS.004F6B76
004F7AEC |. 83C4 08 |add esp,8
004F7AEF <>|> 66:D1EB |shr bx,1 ; loc_4F7AEF
004F7AF2 |. 66:85DB |test bx,bx ; 一輪共16次迴圈
004F7AF5 |. 75 07 |jnz short <IP_TOOLS.loc_4F7AFE>
004F7AF7 |. 66:BB 0080 |mov bx,8000
004F7AFB |. 83EF 02 |sub edi,2
004F7AFE <>|> 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 這裡是0x1F, 這好像也是一個不變的量
004F7B01 |. 8345 FC FF |add dword ptr ss:[ebp-4],-1
004F7B05 |. 85C0 |test eax,eax
004F7B07 |.^ 75 9D \jnz short <IP_TOOLS.loc_4F7AA6>
004F7B09 |. 6A 00 push 0 ; /Arg2 = 00000000
004F7B0B |. 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88] ; |
004F7B11 |. 52 push edx ; |Arg1
004F7B12 |. E8 85F0FFFF call <IP_TOOLS.memset> ; \IP_TOOLS.004F6B9C
}
------------------------------------------------------------------------------------------------------
004F7AAF |. E8 8BF6FFFF |call <IP_TOOLS.kernel> ; \IP_TOOLS.004F713F
{
004F713F <>/$ 55 push ebp ; sub_4F713F
004F7140 |. 8BEC mov ebp,esp
004F7142 |. 83C4 F8 add esp,-8
004F7145 |. 53 push ebx
004F7146 |. 56 push esi
004F7147 |. 57 push edi
004F7148 |. 8B7D 10 mov edi,dword ptr ss:[ebp+10]
004F714B |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
004F714E |. FF75 0C push dword ptr ss:[ebp+C] ; /Arg2
004F7151 |. 68 14945400 push IP_TOOLS.00549414 ; |Arg1 = 00549414
004F7156 |. E8 07FFFFFF call <IP_TOOLS.sub_4F7062> ; \IP_TOOLS.004F7062
----------------------------------------------------------------------------------------------------
004F7062 <>/$ 55 push ebp ; 這裡是對訊息進行處理
004F7063 |. 8BEC mov ebp,esp ; 生成16個大數我稱之為
004F7065 |. 53 push ebx ; SubKey4Key
004F7066 |. 56 push esi
004F7067 |. 8B75 08 mov esi,dword ptr ss:[ebp+8]
004F706A |. 8B45 0C mov eax,dword ptr ss:[ebp+C]
004F706D |. 8906 mov dword ptr ds:[esi],eax
004F706F |. 66:BB 0100 mov bx,1
004F7073 <>|> 0FBFC3 /movsx eax,bx ; loc_4F7073
004F7076 |. FF7486 FC |push dword ptr ds:[esi+eax*4-4] ; /Arg2
004F707A |. 0FBFD3 |movsx edx,bx ; |
004F707D |. FF3496 |push dword ptr ds:[esi+edx*4] ; |Arg1
004F7080 |. E8 F1FAFFFF |call <IP_TOOLS.memcpy> ; \IP_TOOLS.004F6B76
004F7085 |. 83C4 08 |add esp,8
004F7088 |. 6A 00 |push 0 ; /Arg2 = 00000000
004F708A |. 0FBFCB |movsx ecx,bx ; |
004F708D |. FF348E |push dword ptr ds:[esi+ecx*4] ; |Arg1
004F7090 |. E8 8EF9FFFF |call <IP_TOOLS.SHL1> ; \IP_TOOLS.004F6A23
004F7095 |. 83C4 08 |add esp,8
004F7098 |. 43 |inc ebx
004F7099 |. 66:83FB 10 |cmp bx,10
004F709D |.^ 7C D4 \jl short <IP_TOOLS.loc_4F7073>
004F709F |. 5E pop esi
-------------------------------------------------------------------------------------------------
004F715B |. 83C4 08 add esp,8
004F715E |. 0FBF05 08845400 movsx eax,word ptr ds:[548408]
004F7165 |. 03C0 add eax,eax
004F7167 |. 03C3 add eax,ebx
004F7169 |. 83C0 FE add eax,-2
004F716C |. 8945 FC mov dword ptr ss:[ebp-4],eax
004F716F |. 8B75 FC mov esi,dword ptr ss:[ebp-4]
004F7172 |. 83EE 02 sub esi,2
004F7175 |. 6A 00 push 0 ; /Arg2 = 00000000
004F7177 |. 53 push ebx ; |Arg1
004F7178 |. E8 1FFAFFFF call <IP_TOOLS.memset> ; \IP_TOOLS.004F6B9C
004F717D |. 83C4 08 add esp,8 ; 把存放結果的地方清零
004F7180 |. 57 push edi ; /Arg1
004F7181 |. E8 45FAFFFF call <IP_TOOLS.sub_4F6BCB> ; \IP_TOOLS.004F6BCB
004F7186 |. 59 pop ecx
004F7187 |. 66:8945 FA mov word ptr ss:[ebp-6],ax
004F718B |. 66:837D FA 00 cmp word ptr ss:[ebp-6],0
004F7190 |. 75 07 jnz short <IP_TOOLS.loc_4F7199>
004F7192 |. 33C0 xor eax,eax
004F7194 |. E9 2A070000 jmp <IP_TOOLS.loc_4F78C3>
004F7199 <>|> 0FBF55 FA movsx edx,word ptr ss:[ebp-6] ; loc_4F7199
004F719D |. 03D2 add edx,edx
004F719F |. 03FA add edi,edx
004F71A1 |. 83C7 FE add edi,-2
004F71A4 |. E9 06070000 jmp <IP_TOOLS.loc_4F78AF>
004F71A9 <>|> 53 /push ebx ; /loc_4F71A9
004F71AA |. E8 7DFEFFFF |call <IP_TOOLS.sub_4F702C> ; \IP_TOOLS.004F702C
004F71AF |. 59 |pop ecx ; 上面這個call起到了把陣列元素後移的作用
--------------------------------------------------------------------------
void F702C(WORD w[Len])
{
WORD bx;
for(int i=Len;i>0;--i)
{
bx=w[i-1];
w[i]=bx;
}
w[i]=0;
}
-----------------------------------------------------------------------------
004F71B0 |. F647 01 80 |test byte ptr ds:[edi+1],80 ;訊息的最後一個位元組和80進行與不為0就加上
004F71B4 |. 74 11 |je short <IP_TOOLS.loc_4F71C7> ;subKey4key的最後一個key
004F71B6 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F71B8 |. FF35 50945400 |push dword ptr ds:[549450] ; |Arg2 = 00549394
004F71BE |. 53 |push ebx ; |Arg1
004F71BF |. E8 C5F7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
--------------------------------------------------------------------------------------------
004F6989 <>/$ 55 push ebp ; 這是AddHash函式
004F698A |. 8BEC mov ebp,esp
004F698C |. 53 push ebx
004F698D |. 56 push esi
004F698E |. 57 push edi
004F698F |. 8B45 10 mov eax,dword ptr ss:[ebp+10] ;Arg3 經過分析發現這個Arg3是進位標誌
004F6992 |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C] ;Arg2 加數
004F6995 |. 8B55 08 mov edx,dword ptr ss:[ebp+8] ;Arg1 0012EA20被 加數結果也存在這裡
004F6998 |. 66:8B35 08845400 mov si,word ptr ds:[548408] ;2A
004F699F |. EB 25 jmp short <IP_TOOLS.loc_4F69C6>
004F69A1 <>|> 0FB71A /movzx ebx,word ptr ds:[edx] ;ebx=DWORD(result[i])
004F69A4 |. 0FB739 |movzx edi,word ptr ds:[ecx] ;edi=DWORD(key16[i])
004F69A7 |. 03DF |add ebx,edi ;ebx+=edi
004F69A9 |. 25 FF000000 |and eax,0FF ;eax&=0xFF,如果eax=1,則結果為1,否則為0
004F69AE |. 03D8 |add ebx,eax ;ebx+=eax
004F69B0 |. 8BC3 |mov eax,ebx ;eax=ebx
004F69B2 |. 83C1 02 |add ecx,2 ;下一個WORD
004F69B5 |. 66:8902 |mov word ptr ds:[edx],ax ;把結果的清零的地方=WORD(result[i])
004F69B8 |. 83C2 02 |add edx,2 ;儲存結果的地方也+2
004F69BB |. A9 00000100 |test eax,10000 ;相加的結果和10000相與
004F69C0 |. 0F95C0 |setne al ;如果不等於0的話al=1
004F69C3 |. 83E0 01 |and eax,1 ;eax=1或者eax=0
004F69C6 <>|> 8BDE |mov ebx,esi ;
004F69C8 |. 66:83C6 FF |add si,0FFFF
004F69CC |. 66:85DB |test bx,bx
004F69CF |.^ 75 D0 \jnz short <IP_TOOLS.loc_4F69A1>
004F69D1 |. 5F pop edi
004F69D2 |. 5E pop esi
004F69D3 |. 5B pop ebx
004F69D4 |. 5D pop ebp
004F69D5 \. C3 retn
-----------------------------------------------------------------------------------------------------------------
我寫的C程式碼,大數加法
void AddHash(WORD result[],WORD subkey[],int carry)
{
DWORD ebx,edi;
for(int i=0;i<Len;i++)
{
ebx=DWORD(result[i]);
edi=DWORD(subkey[i]);
ebx+=edi;
carry=(carry&0xFF);
ebx+=carry;
result[i]=WORD(ebx);
if((ebx&0x10000)!=0)
carry=1;
else
carry=0;
carry=(carry&1);
}
}
---------------------------------------------------------------------------------------------------
004F71C4 |. 83C4 0C |add esp,0C
004F71C7 <>|> F647 01 40 |test byte ptr ds:[edi+1],40 ; loc_4F71C7
004F71CB |. 74 11 |je short <IP_TOOLS.loc_4F71DE>
004F71CD |. 6A 00 |push 0 ; /Arg3 = 00000000
004F71CF |. FF35 4C945400 |push dword ptr ds:[54944C] ; |Arg2 = 00549314
004F71D5 |. 53 |push ebx ; |Arg1
004F71D6 |. E8 AEF7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F71DB |. 83C4 0C |add esp,0C
004F71DE <>|> F647 01 20 |test byte ptr ds:[edi+1],20 ; loc_4F71DE
004F71E2 |. 74 11 |je short <IP_TOOLS.loc_4F71F5>
004F71E4 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F71E6 |. FF35 48945400 |push dword ptr ds:[549448] ; |Arg2 = 00549294
004F71EC |. 53 |push ebx ; |Arg1
004F71ED |. E8 97F7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F71F2 |. 83C4 0C |add esp,0C
004F71F5 <>|> F647 01 10 |test byte ptr ds:[edi+1],10 ; loc_4F71F5
004F71F9 |. 74 11 |je short <IP_TOOLS.loc_4F720C>
004F71FB |. 6A 00 |push 0 ; /Arg3 = 00000000
004F71FD |. FF35 44945400 |push dword ptr ds:[549444] ; |Arg2 = 00549214
004F7203 |. 53 |push ebx ; |Arg1
004F7204 |. E8 80F7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F7209 |. 83C4 0C |add esp,0C
004F720C <>|> F647 01 08 |test byte ptr ds:[edi+1],8 ; loc_4F720C
004F7210 |. 74 11 |je short <IP_TOOLS.loc_4F7223>
004F7212 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F7214 |. FF35 40945400 |push dword ptr ds:[549440] ; |Arg2 = 00549194
004F721A |. 53 |push ebx ; |Arg1
004F721B |. E8 69F7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F7220 |. 83C4 0C |add esp,0C
004F7223 <>|> F647 01 04 |test byte ptr ds:[edi+1],4 ; loc_4F7223
004F7227 |. 74 11 |je short <IP_TOOLS.loc_4F723A>
004F7229 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F722B |. FF35 3C945400 |push dword ptr ds:[54943C] ; |Arg2 = 00549114
004F7231 |. 53 |push ebx ; |Arg1
004F7232 |. E8 52F7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F7237 |. 83C4 0C |add esp,0C
004F723A <>|> F647 01 02 |test byte ptr ds:[edi+1],2 ; loc_4F723A
004F723E |. 74 11 |je short <IP_TOOLS.loc_4F7251>
004F7240 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F7242 |. FF35 38945400 |push dword ptr ds:[549438] ; |Arg2 = 00549094
004F7248 |. 53 |push ebx ; |Arg1
004F7249 |. E8 3BF7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F724E |. 83C4 0C |add esp,0C
004F7251 <>|> F647 01 01 |test byte ptr ds:[edi+1],1 ; loc_4F7251
004F7255 |. 74 11 |je short <IP_TOOLS.loc_4F7268>
004F7257 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F7259 |. FF35 34945400 |push dword ptr ds:[549434] ; |Arg2 = 00549014
004F725F |. 53 |push ebx ; |Arg1
004F7260 |. E8 24F7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F7265 |. 83C4 0C |add esp,0C
004F7268 <>|> F607 80 |test byte ptr ds:[edi],80 ; loc_4F7268
004F726B |. 74 11 |je short <IP_TOOLS.loc_4F727E>
004F726D |. 6A 00 |push 0 ; /Arg3 = 00000000
004F726F |. FF35 30945400 |push dword ptr ds:[549430] ; |Arg2 = 00548F94
004F7275 |. 53 |push ebx ; |Arg1
004F7276 |. E8 0EF7FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F727B |. 83C4 0C |add esp,0C
004F727E <>|> F607 40 |test byte ptr ds:[edi],40 ; loc_4F727E
004F7281 |. 74 11 |je short <IP_TOOLS.loc_4F7294>
004F7283 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F7285 |. FF35 2C945400 |push dword ptr ds:[54942C] ; |Arg2 = 00548F14
004F728B |. 53 |push ebx ; |Arg1
004F728C |. E8 F8F6FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F7291 |. 83C4 0C |add esp,0C
004F7294 <>|> F607 20 |test byte ptr ds:[edi],20 ; loc_4F7294
004F7297 |. 74 11 |je short <IP_TOOLS.loc_4F72AA>
004F7299 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F729B |. FF35 28945400 |push dword ptr ds:[549428] ; |Arg2 = 00548E94
004F72A1 |. 53 |push ebx ; |Arg1
004F72A2 |. E8 E2F6FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F72A7 |. 83C4 0C |add esp,0C
004F72AA <>|> F607 10 |test byte ptr ds:[edi],10 ; loc_4F72AA
004F72AD |. 74 11 |je short <IP_TOOLS.loc_4F72C0>
004F72AF |. 6A 00 |push 0 ; /Arg3 = 00000000
004F72B1 |. FF35 24945400 |push dword ptr ds:[549424] ; |Arg2 = 00548E14
004F72B7 |. 53 |push ebx ; |Arg1
004F72B8 |. E8 CCF6FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F72BD |. 83C4 0C |add esp,0C
004F72C0 <>|> F607 08 |test byte ptr ds:[edi],8 ; loc_4F72C0
004F72C3 |. 74 11 |je short <IP_TOOLS.loc_4F72D6>
004F72C5 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F72C7 |. FF35 20945400 |push dword ptr ds:[549420] ; |Arg2 = 00548D94
004F72CD |. 53 |push ebx ; |Arg1
004F72CE |. E8 B6F6FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F72D3 |. 83C4 0C |add esp,0C
004F72D6 <>|> F607 04 |test byte ptr ds:[edi],4 ; loc_4F72D6
004F72D9 |. 74 11 |je short <IP_TOOLS.loc_4F72EC>
004F72DB |. 6A 00 |push 0 ; /Arg3 = 00000000
004F72DD |. FF35 1C945400 |push dword ptr ds:[54941C] ; |Arg2 = 00548D14
004F72E3 |. 53 |push ebx ; |Arg1
004F72E4 |. E8 A0F6FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F72E9 |. 83C4 0C |add esp,0C
004F72EC <>|> F607 02 |test byte ptr ds:[edi],2 ; loc_4F72EC
004F72EF |. 74 11 |je short <IP_TOOLS.loc_4F7302>
004F72F1 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F72F3 |. FF35 18945400 |push dword ptr ds:[549418] ; |Arg2 = 00548C94
004F72F9 |. 53 |push ebx ; |Arg1
004F72FA |. E8 8AF6FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F72FF |. 83C4 0C |add esp,0C
004F7302 <>|> F607 01 |test byte ptr ds:[edi],1 ; loc_4F7302
004F7305 |. 74 11 |je short <IP_TOOLS.loc_4F7318>
004F7307 |. 6A 00 |push 0 ; /Arg3 = 00000000
004F7309 |. FF35 14945400 |push dword ptr ds:[549414] ; |Arg2 = 0054CD84 ASCII "Cnbragon"
004F730F |. 53 |push ebx ; |Arg1
004F7310 |. E8 74F6FFFF |call <IP_TOOLS.AddHash> ; \IP_TOOLS.004F6989
004F7315 |. 83C4 0C |add esp,0C
004F7318 <>|> 8B4D FC |mov ecx,dword ptr ss:[ebp-4] ; 從這裡開始是把上面Add的結果的最高位和
004F731B |. 66:8B01 |mov ax,word ptr ds:[ecx] ; SubKey4name的最高位比較,次高位和次高位比較
004F731E |. 66:2B05 708C5400 |sub ax,word ptr ds:[548C70] ;如果比SubKey4name的大就把結果減去那個SubKey4name
004F7325 |. 66:85C0 |test ax,ax
004F7328 |. 7F 31 |jg short <IP_TOOLS.loc_4F735B>
004F732A |. 66:85C0 |test ax,ax
004F732D |. 75 3D |jnz short <IP_TOOLS.loc_4F736C>
004F732F |. 66:8B16 |mov dx,word ptr ds:[esi]
004F7332 |. 66:3B15 928C5400 |cmp dx,word ptr ds:[548C92]
004F7339 |. 77 20 |ja short <IP_TOOLS.loc_4F735B>
004F733B |. 66:8B0E |mov cx,word ptr ds:[esi]
004F733E |. 66:3B0D 928C5400 |cmp cx,word ptr ds:[548C92]
004F7345 |. 75 25 |jnz short <IP_TOOLS.loc_4F736C>
004F7347 |. FF35 4C8C5400 |push dword ptr ds:[548C4C] ; /Arg2 = 00548B8A
004F734D |. 53 |push ebx ; |Arg1
004F734E |. E8 54F7FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F7353 |. 83C4 08 |add esp,8
004F7356 |. 66:85C0 |test ax,ax
004F7359 |. 7C 11 |jl short <IP_TOOLS.loc_4F736C>
004F735B <>|> 6A 00 |push 0 ; /loc_4F735B
004F735D |. FF35 4C8C5400 |push dword ptr ds:[548C4C] ; |Arg2 = 00548B8A
004F7363 |. 53 |push ebx ; |Arg1
004F7364 |. E8 6DF6FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
----------------------------------------------------------------------------------------------------
004F69D6 <>/$ 55 push ebp ; SubHash
004F69D7 |. 8BEC mov ebp,esp
004F69D9 |. 53 push ebx
004F69DA |. 56 push esi
004F69DB |. 57 push edi
004F69DC |. 8B45 10 mov eax,dword ptr ss:[ebp+10]
004F69DF |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004F69E2 |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
004F69E5 |. 66:8B35 08845400 mov si,word ptr ds:[548408]
004F69EC |. EB 25 jmp short <IP_TOOLS.loc_4F6A13>
004F69EE <>|> 0FB71A /movzx ebx,word ptr ds:[edx]
004F69F1 |. 0FB739 |movzx edi,word ptr ds:[ecx]
004F69F4 |. 2BDF |sub ebx,edi ;ebx-=edi;
004F69F6 |. 25 FF000000 |and eax,0FF ;eax&=0xff
004F69FB |. 2BD8 |sub ebx,eax ;ebx-=eax;
004F69FD |. 8BC3 |mov eax,ebx ;eax=ebx
004F69FF |. 83C1 02 |add ecx,2
004F6A02 |. 66:8902 |mov word ptr ds:[edx],ax ;ax=WORD(eax)
004F6A05 |. 83C2 02 |add edx,2
004F6A08 |. A9 00000100 |test eax,10000 ;if(eax&0x10000)
004F6A0D |. 0F95C0 |setne al ;如果不等於0就置al=1
004F6A10 |. 83E0 01 |and eax,1 ;和1相與
004F6A13 <>|> 8BDE mov ebx,esi
004F6A15 |. 66:83C6 FF |add si,0FFFF
004F6A19 |. 66:85DB |test bx,bx
004F6A1C |.^ 75 D0 \jnz short <IP_TOOLS.loc_4F69EE>
004F6A1E |. 5F pop edi
004F6A1F |. 5E pop esi
004F6A20 |. 5B pop ebx
004F6A21 |. 5D pop ebp
004F6A22 \. C3 retn
-----------------------------------------------------------------------------------------
我寫的C程式碼,672位的大數減法
void SubHash(WORD result[],WORD subkey[],int carry)
{
DWORD ebx,edi;
for(int i=0;i<Len;i++)
{
ebx=DWORD(result[i]);
edi=DWORD(subkey[i]);
ebx-=edi;
carry=(carry&0xFF);
ebx-=carry;
result[i]=WORD(ebx);
if((ebx&0x10000)!=0)
carry=1;
else
carry=0;
carry=(carry&1);
}
}
------------------------------------------------------------------------------------------
004F7369 |. 83C4 0C |add esp,0C
004F736C <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F736C
004F736F |. 66:8B00 |mov ax,word ptr ds:[eax]
004F7372 |. 66:2B05 6E8C5400 |sub ax,word ptr ds:[548C6E]
004F7379 |. 66:85C0 |test ax,ax
004F737C |. 7F 31 |jg short <IP_TOOLS.loc_4F73AF>
004F737E |. 66:85C0 |test ax,ax
004F7381 |. 75 3D |jnz short <IP_TOOLS.loc_4F73C0>
004F7383 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F7386 |. 66:3B15 908C5400 |cmp dx,word ptr ds:[548C90]
004F738D |. 77 20 |ja short <IP_TOOLS.loc_4F73AF>
004F738F |. 66:8B0E |mov cx,word ptr ds:[esi]
004F7392 |. 66:3B0D 908C5400 |cmp cx,word ptr ds:[548C90]
004F7399 |. 75 25 |jnz short <IP_TOOLS.loc_4F73C0>
004F739B |. FF35 488C5400 |push dword ptr ds:[548C48] ; /Arg2 = 00548B0A
004F73A1 |. 53 |push ebx ; |Arg1
004F73A2 |. E8 00F7FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F73A7 |. 83C4 08 |add esp,8
004F73AA |. 66:85C0 |test ax,ax
004F73AD |. 7C 11 |jl short <IP_TOOLS.loc_4F73C0>
004F73AF <>|> 6A 00 |push 0 ; /loc_4F73AF
004F73B1 |. FF35 488C5400 |push dword ptr ds:[548C48] ; |Arg2 = 00548B0A
004F73B7 |. 53 |push ebx ; |Arg1
004F73B8 |. E8 19F6FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F73BD |. 83C4 0C |add esp,0C
004F73C0 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F73C0
004F73C3 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F73C6 |. 66:2B05 6C8C5400 |sub ax,word ptr ds:[548C6C]
004F73CD |. 66:85C0 |test ax,ax
004F73D0 |. 7F 31 |jg short <IP_TOOLS.loc_4F7403>
004F73D2 |. 66:85C0 |test ax,ax
004F73D5 |. 75 3D |jnz short <IP_TOOLS.loc_4F7414>
004F73D7 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F73DA |. 66:3B15 8E8C5400 |cmp dx,word ptr ds:[548C8E]
004F73E1 |. 77 20 |ja short <IP_TOOLS.loc_4F7403>
004F73E3 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F73E6 |. 66:3B0D 8E8C5400 |cmp cx,word ptr ds:[548C8E]
004F73ED |. 75 25 |jnz short <IP_TOOLS.loc_4F7414>
004F73EF |. FF35 448C5400 |push dword ptr ds:[548C44] ; /Arg2 = 00548A8A
004F73F5 |. 53 |push ebx ; |Arg1
004F73F6 |. E8 ACF6FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F73FB |. 83C4 08 |add esp,8
004F73FE |. 66:85C0 |test ax,ax
004F7401 |. 7C 11 |jl short <IP_TOOLS.loc_4F7414>
004F7403 <>|> 6A 00 |push 0 ; /loc_4F7403
004F7405 |. FF35 448C5400 |push dword ptr ds:[548C44] ; |Arg2 = 00548A8A
004F740B |. 53 |push ebx ; |Arg1
004F740C |. E8 C5F5FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7411 |. 83C4 0C |add esp,0C
004F7414 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7414
004F7417 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F741A |. 66:2B05 6A8C5400 |sub ax,word ptr ds:[548C6A]
004F7421 |. 66:85C0 |test ax,ax
004F7424 |. 7F 31 |jg short <IP_TOOLS.loc_4F7457>
004F7426 |. 66:85C0 |test ax,ax
004F7429 |. 75 3D |jnz short <IP_TOOLS.loc_4F7468>
004F742B |. 66:8B16 |mov dx,word ptr ds:[esi]
004F742E |. 66:3B15 8C8C5400 |cmp dx,word ptr ds:[548C8C]
004F7435 |. 77 20 |ja short <IP_TOOLS.loc_4F7457>
004F7437 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F743A |. 66:3B0D 8C8C5400 |cmp cx,word ptr ds:[548C8C]
004F7441 |. 75 25 |jnz short <IP_TOOLS.loc_4F7468>
004F7443 |. FF35 408C5400 |push dword ptr ds:[548C40] ; /Arg2 = 00548A0A
004F7449 |. 53 |push ebx ; |Arg1
004F744A |. E8 58F6FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F744F |. 83C4 08 |add esp,8
004F7452 |. 66:85C0 |test ax,ax
004F7455 |. 7C 11 |jl short <IP_TOOLS.loc_4F7468>
004F7457 <>|> 6A 00 |push 0 ; /loc_4F7457
004F7459 |. FF35 408C5400 |push dword ptr ds:[548C40] ; |Arg2 = 00548A0A
004F745F |. 53 |push ebx ; |Arg1
004F7460 |. E8 71F5FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7465 |. 83C4 0C |add esp,0C
004F7468 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7468
004F746B |. 66:8B00 |mov ax,word ptr ds:[eax]
004F746E |. 66:2B05 688C5400 |sub ax,word ptr ds:[548C68]
004F7475 |. 66:85C0 |test ax,ax
004F7478 |. 7F 31 |jg short <IP_TOOLS.loc_4F74AB>
004F747A |. 66:85C0 |test ax,ax
004F747D |. 75 3D |jnz short <IP_TOOLS.loc_4F74BC>
004F747F |. 66:8B16 |mov dx,word ptr ds:[esi]
004F7482 |. 66:3B15 8A8C5400 |cmp dx,word ptr ds:[548C8A]
004F7489 |. 77 20 |ja short <IP_TOOLS.loc_4F74AB>
004F748B |. 66:8B0E |mov cx,word ptr ds:[esi]
004F748E |. 66:3B0D 8A8C5400 |cmp cx,word ptr ds:[548C8A]
004F7495 |. 75 25 |jnz short <IP_TOOLS.loc_4F74BC>
004F7497 |. FF35 3C8C5400 |push dword ptr ds:[548C3C] ; /Arg2 = 0054898A
004F749D |. 53 |push ebx ; |Arg1
004F749E |. E8 04F6FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F74A3 |. 83C4 08 |add esp,8
004F74A6 |. 66:85C0 |test ax,ax
004F74A9 |. 7C 11 |jl short <IP_TOOLS.loc_4F74BC>
004F74AB <>|> 6A 00 |push 0 ; /loc_4F74AB
004F74AD |. FF35 3C8C5400 |push dword ptr ds:[548C3C] ; |Arg2 = 0054898A
004F74B3 |. 53 |push ebx ; |Arg1
004F74B4 |. E8 1DF5FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F74B9 |. 83C4 0C |add esp,0C
004F74BC <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F74BC
004F74BF |. 66:8B00 |mov ax,word ptr ds:[eax]
004F74C2 |. 66:2B05 668C5400 |sub ax,word ptr ds:[548C66]
004F74C9 |. 66:85C0 |test ax,ax
004F74CC |. 7F 31 |jg short <IP_TOOLS.loc_4F74FF>
004F74CE |. 66:85C0 |test ax,ax
004F74D1 |. 75 3D |jnz short <IP_TOOLS.loc_4F7510>
004F74D3 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F74D6 |. 66:3B15 888C5400 |cmp dx,word ptr ds:[548C88]
004F74DD |. 77 20 |ja short <IP_TOOLS.loc_4F74FF>
004F74DF |. 66:8B0E |mov cx,word ptr ds:[esi]
004F74E2 |. 66:3B0D 888C5400 |cmp cx,word ptr ds:[548C88]
004F74E9 |. 75 25 |jnz short <IP_TOOLS.loc_4F7510>
004F74EB |. FF35 388C5400 |push dword ptr ds:[548C38] ; /Arg2 = 0054890A
004F74F1 |. 53 |push ebx ; |Arg1
004F74F2 |. E8 B0F5FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F74F7 |. 83C4 08 |add esp,8
004F74FA |. 66:85C0 |test ax,ax
004F74FD |. 7C 11 |jl short <IP_TOOLS.loc_4F7510>
004F74FF <>|> 6A 00 |push 0 ; /loc_4F74FF
004F7501 |. FF35 388C5400 |push dword ptr ds:[548C38] ; |Arg2 = 0054890A
004F7507 |. 53 |push ebx ; |Arg1
004F7508 |. E8 C9F4FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F750D |. 83C4 0C |add esp,0C
004F7510 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7510
004F7513 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F7516 |. 66:2B05 648C5400 |sub ax,word ptr ds:[548C64]
004F751D |. 66:85C0 |test ax,ax
004F7520 |. 7F 31 |jg short <IP_TOOLS.loc_4F7553>
004F7522 |. 66:85C0 |test ax,ax
004F7525 |. 75 3D |jnz short <IP_TOOLS.loc_4F7564>
004F7527 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F752A |. 66:3B15 868C5400 |cmp dx,word ptr ds:[548C86]
004F7531 |. 77 20 |ja short <IP_TOOLS.loc_4F7553>
004F7533 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F7536 |. 66:3B0D 868C5400 |cmp cx,word ptr ds:[548C86]
004F753D |. 75 25 |jnz short <IP_TOOLS.loc_4F7564>
004F753F |. FF35 348C5400 |push dword ptr ds:[548C34] ; /Arg2 = 0054888A
004F7545 |. 53 |push ebx ; |Arg1
004F7546 |. E8 5CF5FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F754B |. 83C4 08 |add esp,8
004F754E |. 66:85C0 |test ax,ax
004F7551 |. 7C 11 |jl short <IP_TOOLS.loc_4F7564>
004F7553 <>|> 6A 00 |push 0 ; /loc_4F7553
004F7555 |. FF35 348C5400 |push dword ptr ds:[548C34] ; |Arg2 = 0054888A
004F755B |. 53 |push ebx ; |Arg1
004F755C |. E8 75F4FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7561 |. 83C4 0C |add esp,0C
004F7564 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7564
004F7567 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F756A |. 66:2B05 628C5400 |sub ax,word ptr ds:[548C62]
004F7571 |. 66:85C0 |test ax,ax
004F7574 |. 7F 31 |jg short <IP_TOOLS.loc_4F75A7>
004F7576 |. 66:85C0 |test ax,ax
004F7579 |. 75 3D |jnz short <IP_TOOLS.loc_4F75B8>
004F757B |. 66:8B16 |mov dx,word ptr ds:[esi]
004F757E |. 66:3B15 848C5400 |cmp dx,word ptr ds:[548C84]
004F7585 |. 77 20 |ja short <IP_TOOLS.loc_4F75A7>
004F7587 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F758A |. 66:3B0D 848C5400 |cmp cx,word ptr ds:[548C84]
004F7591 |. 75 25 |jnz short <IP_TOOLS.loc_4F75B8>
004F7593 |. FF35 308C5400 |push dword ptr ds:[548C30] ; /Arg2 = 0054880A
004F7599 |. 53 |push ebx ; |Arg1
004F759A |. E8 08F5FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F759F |. 83C4 08 |add esp,8
004F75A2 |. 66:85C0 |test ax,ax
004F75A5 |. 7C 11 |jl short <IP_TOOLS.loc_4F75B8>
004F75A7 <>|> 6A 00 |push 0 ; /loc_4F75A7
004F75A9 |. FF35 308C5400 |push dword ptr ds:[548C30] ; |Arg2 = 0054880A
004F75AF |. 53 |push ebx ; |Arg1
004F75B0 |. E8 21F4FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F75B5 |. 83C4 0C |add esp,0C
004F75B8 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F75B8
004F75BB |. 66:8B00 |mov ax,word ptr ds:[eax]
004F75BE |. 66:2B05 608C5400 |sub ax,word ptr ds:[548C60]
004F75C5 |. 66:85C0 |test ax,ax
004F75C8 |. 7F 31 |jg short <IP_TOOLS.loc_4F75FB>
004F75CA |. 66:85C0 |test ax,ax
004F75CD |. 75 3D |jnz short <IP_TOOLS.loc_4F760C>
004F75CF |. 66:8B16 |mov dx,word ptr ds:[esi]
004F75D2 |. 66:3B15 828C5400 |cmp dx,word ptr ds:[548C82]
004F75D9 |. 77 20 |ja short <IP_TOOLS.loc_4F75FB>
004F75DB |. 66:8B0E |mov cx,word ptr ds:[esi]
004F75DE |. 66:3B0D 828C5400 |cmp cx,word ptr ds:[548C82]
004F75E5 |. 75 25 |jnz short <IP_TOOLS.loc_4F760C>
004F75E7 |. FF35 2C8C5400 |push dword ptr ds:[548C2C] ; /Arg2 = 0054878A
004F75ED |. 53 |push ebx ; |Arg1
004F75EE |. E8 B4F4FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F75F3 |. 83C4 08 |add esp,8
004F75F6 |. 66:85C0 |test ax,ax
004F75F9 |. 7C 11 |jl short <IP_TOOLS.loc_4F760C>
004F75FB <>|> 6A 00 |push 0 ; /loc_4F75FB
004F75FD |. FF35 2C8C5400 |push dword ptr ds:[548C2C] ; |Arg2 = 0054878A
004F7603 |. 53 |push ebx ; |Arg1
004F7604 |. E8 CDF3FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7609 |. 83C4 0C |add esp,0C
004F760C <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F760C
004F760F |. 66:8B00 |mov ax,word ptr ds:[eax]
004F7612 |. 66:2B05 5E8C5400 |sub ax,word ptr ds:[548C5E]
004F7619 |. 66:85C0 |test ax,ax
004F761C |. 7F 31 |jg short <IP_TOOLS.loc_4F764F>
004F761E |. 66:85C0 |test ax,ax
004F7621 |. 75 3D |jnz short <IP_TOOLS.loc_4F7660>
004F7623 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F7626 |. 66:3B15 808C5400 |cmp dx,word ptr ds:[548C80]
004F762D |. 77 20 |ja short <IP_TOOLS.loc_4F764F>
004F762F |. 66:8B0E |mov cx,word ptr ds:[esi]
004F7632 |. 66:3B0D 808C5400 |cmp cx,word ptr ds:[548C80]
004F7639 |. 75 25 |jnz short <IP_TOOLS.loc_4F7660>
004F763B |. FF35 288C5400 |push dword ptr ds:[548C28] ; /Arg2 = 0054870A
004F7641 |. 53 |push ebx ; |Arg1
004F7642 |. E8 60F4FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F7647 |. 83C4 08 |add esp,8
004F764A |. 66:85C0 |test ax,ax
004F764D |. 7C 11 |jl short <IP_TOOLS.loc_4F7660>
004F764F <>|> 6A 00 |push 0 ; /loc_4F764F
004F7651 |. FF35 288C5400 |push dword ptr ds:[548C28] ; |Arg2 = 0054870A
004F7657 |. 53 |push ebx ; |Arg1
004F7658 |. E8 79F3FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F765D |. 83C4 0C |add esp,0C
004F7660 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7660
004F7663 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F7666 |. 66:2B05 5C8C5400 |sub ax,word ptr ds:[548C5C]
004F766D |. 66:85C0 |test ax,ax
004F7670 |. 7F 31 |jg short <IP_TOOLS.loc_4F76A3>
004F7672 |. 66:85C0 |test ax,ax
004F7675 |. 75 3D |jnz short <IP_TOOLS.loc_4F76B4>
004F7677 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F767A |. 66:3B15 7E8C5400 |cmp dx,word ptr ds:[548C7E]
004F7681 |. 77 20 |ja short <IP_TOOLS.loc_4F76A3>
004F7683 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F7686 |. 66:3B0D 7E8C5400 |cmp cx,word ptr ds:[548C7E]
004F768D |. 75 25 |jnz short <IP_TOOLS.loc_4F76B4>
004F768F |. FF35 248C5400 |push dword ptr ds:[548C24] ; /Arg2 = 0054868A
004F7695 |. 53 |push ebx ; |Arg1
004F7696 |. E8 0CF4FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F769B |. 83C4 08 |add esp,8
004F769E |. 66:85C0 |test ax,ax
004F76A1 |. 7C 11 |jl short <IP_TOOLS.loc_4F76B4>
004F76A3 <>|> 6A 00 |push 0 ; /loc_4F76A3
004F76A5 |. FF35 248C5400 |push dword ptr ds:[548C24] ; |Arg2 = 0054868A
004F76AB |. 53 |push ebx ; |Arg1
004F76AC |. E8 25F3FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F76B1 |. 83C4 0C |add esp,0C
004F76B4 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F76B4
004F76B7 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F76BA |. 66:2B05 5A8C5400 |sub ax,word ptr ds:[548C5A]
004F76C1 |. 66:85C0 |test ax,ax
004F76C4 |. 7F 31 |jg short <IP_TOOLS.loc_4F76F7>
004F76C6 |. 66:85C0 |test ax,ax
004F76C9 |. 75 3D |jnz short <IP_TOOLS.loc_4F7708>
004F76CB |. 66:8B16 |mov dx,word ptr ds:[esi]
004F76CE |. 66:3B15 7C8C5400 |cmp dx,word ptr ds:[548C7C]
004F76D5 |. 77 20 |ja short <IP_TOOLS.loc_4F76F7>
004F76D7 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F76DA |. 66:3B0D 7C8C5400 |cmp cx,word ptr ds:[548C7C]
004F76E1 |. 75 25 |jnz short <IP_TOOLS.loc_4F7708>
004F76E3 |. FF35 208C5400 |push dword ptr ds:[548C20] ; /Arg2 = 0054860A
004F76E9 |. 53 |push ebx ; |Arg1
004F76EA |. E8 B8F3FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F76EF |. 83C4 08 |add esp,8
004F76F2 |. 66:85C0 |test ax,ax
004F76F5 |. 7C 11 |jl short <IP_TOOLS.loc_4F7708>
004F76F7 <>|> 6A 00 |push 0 ; /loc_4F76F7
004F76F9 |. FF35 208C5400 |push dword ptr ds:[548C20] ; |Arg2 = 0054860A
004F76FF |. 53 |push ebx ; |Arg1
004F7700 |. E8 D1F2FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7705 |. 83C4 0C |add esp,0C
004F7708 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7708
004F770B |. 66:8B00 |mov ax,word ptr ds:[eax]
004F770E |. 66:2B05 588C5400 |sub ax,word ptr ds:[548C58]
004F7715 |. 66:85C0 |test ax,ax
004F7718 |. 7F 31 |jg short <IP_TOOLS.loc_4F774B>
004F771A |. 66:85C0 |test ax,ax
004F771D |. 75 3D |jnz short <IP_TOOLS.loc_4F775C>
004F771F |. 66:8B16 |mov dx,word ptr ds:[esi]
004F7722 |. 66:3B15 7A8C5400 |cmp dx,word ptr ds:[548C7A]
004F7729 |. 77 20 |ja short <IP_TOOLS.loc_4F774B>
004F772B |. 66:8B0E |mov cx,word ptr ds:[esi]
004F772E |. 66:3B0D 7A8C5400 |cmp cx,word ptr ds:[548C7A]
004F7735 |. 75 25 |jnz short <IP_TOOLS.loc_4F775C>
004F7737 |. FF35 1C8C5400 |push dword ptr ds:[548C1C] ; /Arg2 = 0054858A
004F773D |. 53 |push ebx ; |Arg1
004F773E |. E8 64F3FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F7743 |. 83C4 08 |add esp,8
004F7746 |. 66:85C0 |test ax,ax
004F7749 |. 7C 11 |jl short <IP_TOOLS.loc_4F775C>
004F774B <>|> 6A 00 |push 0 ; /loc_4F774B
004F774D |. FF35 1C8C5400 |push dword ptr ds:[548C1C] ; |Arg2 = 0054858A
004F7753 |. 53 |push ebx ; |Arg1
004F7754 |. E8 7DF2FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7759 |. 83C4 0C |add esp,0C
004F775C <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F775C
004F775F |. 66:8B00 |mov ax,word ptr ds:[eax]
004F7762 |. 66:2B05 568C5400 |sub ax,word ptr ds:[548C56]
004F7769 |. 66:85C0 |test ax,ax
004F776C |. 7F 31 |jg short <IP_TOOLS.loc_4F779F>
004F776E |. 66:85C0 |test ax,ax
004F7771 |. 75 3D |jnz short <IP_TOOLS.loc_4F77B0>
004F7773 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F7776 |. 66:3B15 788C5400 |cmp dx,word ptr ds:[548C78]
004F777D |. 77 20 |ja short <IP_TOOLS.loc_4F779F>
004F777F |. 66:8B0E |mov cx,word ptr ds:[esi]
004F7782 |. 66:3B0D 788C5400 |cmp cx,word ptr ds:[548C78]
004F7789 |. 75 25 |jnz short <IP_TOOLS.loc_4F77B0>
004F778B |. FF35 188C5400 |push dword ptr ds:[548C18] ; /Arg2 = 0054850A
004F7791 |. 53 |push ebx ; |Arg1
004F7792 |. E8 10F3FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F7797 |. 83C4 08 |add esp,8
004F779A |. 66:85C0 |test ax,ax
004F779D |. 7C 11 |jl short <IP_TOOLS.loc_4F77B0>
004F779F <>|> 6A 00 |push 0 ; /loc_4F779F
004F77A1 |. FF35 188C5400 |push dword ptr ds:[548C18] ; |Arg2 = 0054850A
004F77A7 |. 53 |push ebx ; |Arg1
004F77A8 |. E8 29F2FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F77AD |. 83C4 0C |add esp,0C
004F77B0 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F77B0
004F77B3 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F77B6 |. 66:2B05 548C5400 |sub ax,word ptr ds:[548C54]
004F77BD |. 66:85C0 |test ax,ax
004F77C0 |. 7F 31 |jg short <IP_TOOLS.loc_4F77F3>
004F77C2 |. 66:85C0 |test ax,ax
004F77C5 |. 75 3D |jnz short <IP_TOOLS.loc_4F7804>
004F77C7 |. 66:8B16 |mov dx,word ptr ds:[esi]
004F77CA |. 66:3B15 768C5400 |cmp dx,word ptr ds:[548C76]
004F77D1 |. 77 20 |ja short <IP_TOOLS.loc_4F77F3>
004F77D3 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F77D6 |. 66:3B0D 768C5400 |cmp cx,word ptr ds:[548C76]
004F77DD |. 75 25 |jnz short <IP_TOOLS.loc_4F7804>
004F77DF |. FF35 148C5400 |push dword ptr ds:[548C14] ; /Arg2 = 0054848A
004F77E5 |. 53 |push ebx ; |Arg1
004F77E6 |. E8 BCF2FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F77EB |. 83C4 08 |add esp,8
004F77EE |. 66:85C0 |test ax,ax
004F77F1 |. 7C 11 |jl short <IP_TOOLS.loc_4F7804>
004F77F3 <>|> 6A 00 |push 0 ; /loc_4F77F3
004F77F5 |. FF35 148C5400 |push dword ptr ds:[548C14] ; |Arg2 = 0054848A
004F77FB |. 53 |push ebx ; |Arg1
004F77FC |. E8 D5F1FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7801 |. 83C4 0C |add esp,0C
004F7804 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7804
004F7807 |. 66:8B00 |mov ax,word ptr ds:[eax]
004F780A |. 66:2B05 528C5400 |sub ax,word ptr ds:[548C52]
004F7811 |. 66:85C0 |test ax,ax
004F7814 |. 7F 31 |jg short <IP_TOOLS.loc_4F7847>
004F7816 |. 66:85C0 |test ax,ax
004F7819 |. 75 3D |jnz short <IP_TOOLS.loc_4F7858>
004F781B |. 66:8B16 |mov dx,word ptr ds:[esi]
004F781E |. 66:3B15 748C5400 |cmp dx,word ptr ds:[548C74]
004F7825 |. 77 20 |ja short <IP_TOOLS.loc_4F7847>
004F7827 |. 66:8B0E |mov cx,word ptr ds:[esi]
004F782A |. 66:3B0D 748C5400 |cmp cx,word ptr ds:[548C74]
004F7831 |. 75 25 |jnz short <IP_TOOLS.loc_4F7858>
004F7833 |. FF35 108C5400 |push dword ptr ds:[548C10] ; /Arg2 = 0054840A
004F7839 |. 53 |push ebx ; |Arg1
004F783A |. E8 68F2FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F783F |. 83C4 08 |add esp,8
004F7842 |. 66:85C0 |test ax,ax
004F7845 |. 7C 11 |jl short <IP_TOOLS.loc_4F7858>
004F7847 <>|> 6A 00 |push 0 ; /loc_4F7847
004F7849 |. FF35 108C5400 |push dword ptr ds:[548C10] ; |Arg2 = 0054840A
004F784F |. 53 |push ebx ; |Arg1
004F7850 |. E8 81F1FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F7855 |. 83C4 0C |add esp,0C
004F7858 <>|> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; loc_4F7858
004F785B |. 66:8B00 |mov ax,word ptr ds:[eax]
004F785E |. 66:2B05 508C5400 |sub ax,word ptr ds:[548C50]
004F7865 |. 66:85C0 |test ax,ax
004F7868 |. 7F 31 |jg short <IP_TOOLS.loc_4F789B>
004F786A |. 66:85C0 |test ax,ax
004F786D |. 75 3D |jnz short <IP_TOOLS.loc_4F78AC>
004F786F |. 66:8B16 |mov dx,word ptr ds:[esi]
004F7872 |. 66:3B15 728C5400 |cmp dx,word ptr ds:[548C72]
004F7879 |. 77 20 |ja short <IP_TOOLS.loc_4F789B>
004F787B |. 66:8B0E |mov cx,word ptr ds:[esi]
004F787E |. 66:3B0D 728C5400 |cmp cx,word ptr ds:[548C72]
004F7885 |. 75 25 |jnz short <IP_TOOLS.loc_4F78AC>
004F7887 |. FF35 0C8C5400 |push dword ptr ds:[548C0C] ; /Arg2 = 00548102
004F788D |. 53 |push ebx ; |Arg1
004F788E |. E8 14F2FFFF |call <IP_TOOLS.sub_4F6AA7> ; \IP_TOOLS.004F6AA7
004F7893 |. 83C4 08 |add esp,8
004F7896 |. 66:85C0 |test ax,ax
004F7899 |. 7C 11 |jl short <IP_TOOLS.loc_4F78AC>
004F789B <>|> 6A 00 |push 0 ; /loc_4F789B
004F789D |. FF35 0C8C5400 |push dword ptr ds:[548C0C] ; |Arg2 = 00548102
004F78A3 |. 53 |push ebx ; |Arg1
004F78A4 |. E8 2DF1FFFF |call <IP_TOOLS.sub_4F69D6> ; \IP_TOOLS.004F69D6
004F78A9 |. 83C4 0C |add esp,0C
004F78AC <>|> 83EF 02 |sub edi,2 ; loc_4F78AC
004F78AF <>|> 66:8B45 FA mov ax,word ptr ss:[ebp-6] ; 這裡是使用者名稱的字長
004F78B3 |. 66:8345 FA FF |add word ptr ss:[ebp-6],0FFFF
004F78B8 |. 66:85C0 |test ax,ax
004F78BB |.^ 0F85 E8F8FFFF \jnz <IP_TOOLS.loc_4F71A9>
004F78C1 |. 33C0 xor eax,eax
}
-------------------------------------------------------------------------------------------------------
下面是我用C寫的核心函式,稱之為θ函式Y=θ(message)
void theta1(WORD message[Len])
{
WORD arg[8]={0x80,0x40,0x20,0x10,0x8,0x4,0x2,0x1};
WORD w;
WORD wltemp;
WORD whtemp;
MakeTempKey(message,subKey4Key,16);//根據訊息生成子金鑰這個是變化的
for(int i=0;i<Len;i++)
{
subKey4Key[0][i]=message[i];
}
memset(Result,0);
for(int l=0;l<Len;l++)
{
if(message[l+1]==0x0000)
break;
}
for(int t=l;t>=0;t--)
{
F702C(Result);
w=message[t];
whtemp=(w & 0xFF);
wltemp=(w >>8);
for(int i=0;i<8;i++)
{
function1(wltemp,arg[i],(15-i)); //函式f1
}
for(int j=0;j<8;j++)
{
function1(whtemp,arg[j],(7-j));
}
for(int s=16;s>=0;s--)
{
function2(s); //函式f2
}
}
}
void function1(WORD arg1, WORD arg2, WORD arg3)
{
if(arg1 & arg2)
{
AddHash(Result,subKey4Key[arg3],0);
}
}
void function2(int n)
{
WORD ax;
WORD dx;
int cx;
ax=Result[Len-1];
ax-=wHigh[n]; //這個是最高位
if(ax>0)
{
SubHash(Result,subKey4name[n],0);
}
else if(ax==0)
{
dx=Result[Len-2];
if(dx>wLow[n]) //次高位
{
SubHash(Result,subKey4name[n],0);
}
else if(dx==wLow[n])
{
cx=F6AA7(subKey4name[n],Result);
if(cx>=0)
{
SubHash(Result,subKey4name[n],0);
}
}
}
}
---------------------------------------------------------
比如:第一次以我的名子作為訊息message,然後做θ運算,得到一個Hash,
然後把這個Hash作為下一次θ運算的message,也就是迭代運算,我的C程式碼如下:
MakeKey4PK(wkey4name,subKey4name,17); //由公鑰生成子金鑰
for(int i=0;i<Len;i++)
{
subKey4name[0][i]=wkey4name[i];
}
memcpy(name,tempname,Len);
WORD arg[2]={0x0003,0x8000}; //固定引數1
int m=1;
WORD v;
v=arg[m];
WORD bx=0x4000;
for(int i=0;i<0x1f;i++)
{
theta1(tempname);
memcpy(Result,tempname,Len);
if((bx & v)==0)
{
bx=(bx>>1);
if(bx==0x0000)
{
bx=0x8000;
--m;
v=arg[m];
}
}
else
{
theta2(tempname,name);
memcpy(Result,tempname,Len);
}
}
----------------------------------------------------------------------------------
上面是對使用者名稱的處理,總的來說就是用公鑰和固定引數1對使用者名稱進行加密0x1F輪,得到一個640位的大數,
以Cnbragon為例最終生成
0054C900 17 DC 2C 08 4D CE 56 49 E8 FC 21 DE 66 33 32 FF ?MVI櫝!f32
0054C910 2D C9 06 B2 74 CC C7 F9 3F 6A 03 4E BD 70 6D 56 -?t糖?jNpmV
0054C920 3E 44 2A E5 68 26 90 E1 3C 59 78 E1 CD 4C 00 DA >D*h&<Yx嵬L.
0054C930 48 67 4D 34 A5 F2 03 B1 6F 3B FD 9F AB 9B 50 7A HgM4ヲo;Pz
0054C940 50 82 F9 00 17 9D F2 AC 45 DF 7E FD B7 0E 6C A9 P.顬E~l
我稱之為Cipher1,即Cipher1=f(Encryptkey,Arg1,0x1f,name)
---------------------------------------------------------------------------------
那麼,程式是如何對註冊碼進行處理的呢?前面說過這是一個非對稱演算法,其加密和解密演算法是一樣的,只是引數不同
用私鑰和固定引數2對註冊碼進行0x27C次處理,最終也得到一個640位的大數,
我稱之為Cipher2,即Cipher2=f(Decryptkey,Arg2,0x27C,sn)
如果 HashToInt(Cipher1)=HashToInt(Cipher2)那麼註冊就成功!實際上也就是Cipher1=Cipher2
但是函式f是看起來是一個單向雜湊函式,把明文和密文混和在一起,並且依賴於金鑰,因此其擴散和混亂效果很好,對其進行密碼分析
有一定的難度,不過從對註冊碼的處理看來可以利用這個單向函式的碰撞來進行生成註冊碼,而且我們有解密金鑰
因為我並不清楚這個演算法的名稱(可能是作者自己設計的),所以我無法一下子就知道是如何生成註冊碼,所以我對以上的幾組引數進行了
分析:
EncryptKey和DecryptKey 可以作為一組
從分析來看固定引數1和0x1F一定是不可分開的
同樣固定引數2和0x27C也是不可分開的,理由兄弟們可以自己分析一下,很有意思
所以在解密的時候我做了幾組嘗試,可惜都沒有成功,幸運的是我靜下心來仔細思考這其中的關係,根據經驗我得出了這樣一個函式
f(DecryptKey,Arg1,0x1F,(f(EncryptKey,Arg1,0x1F,name))),也就是說先對使用者名稱進行加密得到一個640位的大數,然後用解密金鑰
和固定引數1,0x1F對這個640位的大數進行解密,最終我成功的得到了註冊碼!!
sn=f(DecryptKey,Arg1,0x1F,(f(EncryptKey,Arg1,0x1F,name)))
Enemy down!
後記:不難看出保密金鑰的重要性,對於未知密碼學演算法,只要逆向出了演算法,有了金鑰我們就可以輕而易舉的實現解密.在分析這個演算法的
過程中偶始終感到對未知演算法的分析充滿樂趣,願把我的樂趣和兄弟們一起分享
讓我感到不爽的是我在10月28號的0day中發現了IP-Tools的TSZ的序號產生器:(
我把我寫的序號產生器的部分原始碼打了包,我沒有放編譯好的序號產生器,在我的原始碼裡只差使用者名稱的輸入部分我沒有寫,很容易的,兄弟們自己寫吧
附件:keygen.rar
相關文章
- 《密碼學系列》|| 詳解密碼學的多重DES演算法...2020-04-07密碼學解密演算法
- 【原創】一個彩票軟體演算法分析過程(詳細)2015-11-15演算法
- 【原創】 一個會計軟體的演算法分析過程(詳細)2015-11-15演算法
- 密碼學中的RSA演算法與橢圓曲線演算法2024-04-16密碼學演算法
- 密碼學系列之:bcrypt加密演算法詳解2021-09-16密碼學加密演算法
- 詳細分析
《LRC 傻瓜編輯器 V1.1》演算法2004-08-01演算法
- js中cookie的使用詳細分析2016-12-19JSCookie
- 密碼學之各種加解密演算法比較2017-06-07密碼學解密演算法
- MD5演算法:密碼學中的傳奇2024-03-15演算法密碼學
- Java:這是一份詳細&全面的HashMap 1.7 原始碼分析2018-03-14JavaHashMap原始碼
- Android:這是一份全面 & 詳細的Retrofit 2.0 原始碼分析指南2018-03-07Android原始碼
- 密碼學系列之:加密貨幣中的scrypt演算法2021-10-14密碼學加密演算法
- 《密碼學系列》|| 密碼學中的流密碼是怎麼回事?2020-04-07密碼學
- 密碼學系列之:Argon2加密演算法詳解2021-09-20密碼學Go加密演算法
- ZIP壓縮演算法詳細分析及解壓例項解釋2014-09-10演算法
- 一款勒索病毒的詳細分析2017-10-26
- 詳細分析Java中斷機制2015-01-21Java
- 好嗨詳細的vuex原始碼分析之API 是如何實現2018-10-22Vue原始碼API
- 密碼學之DES/AES演算法2019-02-16密碼學演算法
- 一道演算法題的分析2021-09-09演算法
- 常見的排序演算法分析(一)2020-12-21排序演算法
- JWT 詳細分析2018-10-12JWT
- 中華通訊錄演算法分析2015-11-15演算法
- React原始碼分析 - Diff演算法2018-03-08React原始碼演算法
- 【密碼學原理】流密碼和RC4演算法2020-10-03密碼學演算法
- 一致 Hash 演算法分析2018-01-07演算法
- Java List 用法程式碼分析 非常詳細2015-03-12Java
- **超詳細的**10種排序演算法原理及 JS 實現2019-04-08排序演算法JS
- 分組密碼(四)AES演算法① — 密碼學複習(七)2021-09-27演算法密碼學
- JWT 超詳細分析2018-10-04JWT
- PE頭詳細分析2021-11-02
- Https詳細分析2020-09-25HTTP
- apisix 最詳細原始碼分析以及手擼一個 apisix2021-11-15API原始碼
- SQLite3原始碼學習(32) WAL日誌詳細分析2018-06-06SQLite原始碼
- 前端資料結構與演算法細緻分析—上(複雜度分析)2019-11-17前端資料結構演算法複雜度
- appium的log詳細分析2018-01-30APP
- HanLP 關鍵詞提取演算法分析詳解2018-11-05HanLP演算法
- SiamBAN詳細分析,一看就懂!2020-10-04