

sdlj8051


[交流] [转贴]CRC32碰撞的实现

?????????????????????

??CRC32??????N??????Ч??,???Ч????0xFFFFFFFF,????N????????????????Ч???

?????????????????????4????????Ч????????????????????????

??:
???????????Ч????ABCD,?????Ч?????????abcd,Ч???????WXYZ,????4???????????mnop
(??????????????????)
???????????ABCD+WXYZ???abcd

????4??????F(x),G(x),H(x),I(x)???????x????????,???????DWORD????λ????λ??4?????

CRC32Ч??abcd???????????:

R0:A,B,C,D
R1:F(m),A^G(m),B^H(m),C^I(m)
R2:F(n),F(m)^G(n),A^G(m)^H(n),B^H(m)^I(n)
R3:F(o),F(n)^G(o),F(m)^G(n)^H(o),A^G(m)^H(n)^I(o)
R4:F(p),F(o)^G(p),F(n)^G(o)^H(p),F(m)^G(n)^H(o)^I(p)

??R4????????4???????Ч???WXYZ,?????????????:

-------------------------
<1>
W=F(p);
X=F(o)^G(p);
Y=F(n)^G(o)^H(p);
Z=F(m)^G(n)^H(o)^I(p);

<2>
m=d^D;
n=c^C^I(m);
o=b^B^H(m)^I(n);
p=a^A^G(m)^H(n)^I(o);
-------------------------

????????????????ABCD,abcd,WXYZ??????,??mnop???м????

????abcd????????,??F(x)???????RF(x),??:
-----------------------
~<1>
p=RF(W);
o=RF(X^G(p));
n=RF(Y^G(o)^H(p));
m=RF(Z^G(n)^H(o)^I(p));

~<2>
d=m^D;
c=n^C^I(m);
b=o^B^H(m)^I(n);
a=p^A^G(m)^H(n)^I(o);
-----------------------

???????????????????????е?????:d,c,b,a  (????????????С????)

???????????????????,??????????????????RF(x)??????,??????????????????y=F(x)????????:

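/*
 * TestRF: check that F(x) = top byte of CRC32_tab[x] reaches every value
 * 0..255, i.e. that RF() has a preimage for each byte.  Prints
 * "<hex> gets!" for each reachable value and "<hex> can't get RF" for
 * any value no table entry maps to.
 * Fix: the original iterated with BYTE counters and `<=0xFF`, which is
 * always true for a BYTE, and relied on explicit `if(i==0xFF)break;`
 * guards to terminate; int counters make both loops terminate on their
 * own and the `flag` variable becomes unnecessary.
 */
void TestRF()
{
  int i, j;
  for (i = 0; i <= 0xFF; i++)
  {
    for (j = 0; j <= 0xFF; j++)
    {
      if (HIBYTE(HIWORD(CRC32_tab[j])) == i)
        break;
    }
    if (j <= 0xFF)                  /* inner loop left via break: value found */
      printf("%X gets!\r\n", i);
    else
      printf("%X can't get RF\r\n", i);
  }
}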

???????????е?0~255????RF(x)???????,?????RF(x)??????????,?????????????!

??????~<1> ~<2>????:

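/*
 * RF(x): inverse of F() — the table index j whose entry has top byte x,
 * i.e. F(RF(x)) == x.  For the standard CRC32 table the top byte is a
 * permutation of 0..255 (TestRF() above checks this), so a match is
 * always found with that table.
 * Fix: the original used a BYTE loop counter with `j<=0xFF`, which is
 * always true, so a value absent from the table would wrap j to 0 and
 * loop forever; the counter is now an int and an unmatched x returns 0
 * instead of hanging.
 */
BYTE RF(BYTE x)
{
  int j;
  for (j = 0; j < 256; j++)
  {
    if (HIBYTE(HIWORD(CRC32_tab[j])) == x)
      return (BYTE)j;
  }
  return 0;                         /* not reached with the standard table */
}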

/* F(x): most significant byte (bits 31..24) of CRC32_tab[x]. */
BYTE F(BYTE x)
{
  return (BYTE)((CRC32_tab[x] >> 24) & 0xFF);
}
/* G(x): second byte (bits 23..16) of CRC32_tab[x]. */
BYTE G(BYTE x)
{
  return (BYTE)((CRC32_tab[x] >> 16) & 0xFF);
}
/* H(x): third byte (bits 15..8) of CRC32_tab[x]. */
BYTE H(BYTE x)
{
  return (BYTE)((CRC32_tab[x] >> 8) & 0xFF);
}
/* I(x): least significant byte (bits 7..0) of CRC32_tab[x]. */
BYTE I(BYTE x)
{
  return (BYTE)(CRC32_tab[x] & 0xFF);
}

/* Byte-order helpers: the Windows macros MAKELONG/MAKEWORD take (low, high);
   these wrappers take (high, low) so that MakeLong(MakeWord(a,b),MakeWord(c,d))
   packs a,b,c,d from the most to the least significant byte. */
#define MakeLong(a,b) MAKELONG(b,a)
#define MakeWord(a,b) MAKEWORD(b,a)

/*
 * rCRC32: inverse of CRC32() with respect to the data word.
 * Given the target register WXYZ and the starting register ABCD, return
 * the 4-byte word abcd such that CRC32(ABCD, abcd) == WXYZ.
 * Follows the derivation above: ~<1> undoes the table lookups from the
 * last byte backwards (RF is the inverse of F), ~<2> then recovers the
 * data bytes from the table indices.  All values are handled with the
 * most significant byte first (A, W, a are bits 31..24).
 */
DWORD rCRC32(DWORD WXYZ, DWORD ABCD)
{
  BYTE W = (BYTE)(WXYZ >> 24), X = (BYTE)(WXYZ >> 16),
       Y = (BYTE)(WXYZ >> 8),  Z = (BYTE)WXYZ;
  BYTE A = (BYTE)(ABCD >> 24), B = (BYTE)(ABCD >> 16),
       C = (BYTE)(ABCD >> 8),  D = (BYTE)ABCD;
  BYTE m, n, o, p, a, b, c, d;

  /* ~<1>: table indices, last byte first */
  p = RF(W);
  o = RF(X ^ G(p));
  n = RF(Y ^ G(o) ^ H(p));
  m = RF(Z ^ G(n) ^ H(o) ^ I(p));

  /* ~<2>: data bytes from indices and start register */
  d = m ^ D;
  c = n ^ C ^ I(m);
  b = o ^ B ^ H(m) ^ I(n);
  a = p ^ A ^ G(m) ^ H(n) ^ I(o);

  return ((DWORD)a << 24) | ((DWORD)b << 16) | ((DWORD)c << 8) | d;
}

/*
 * RCRC32: inverse of CRC32() with respect to the start register.
 * Given the register WXYZ after the 4 data bytes abcd were consumed,
 * return the register ABCD before them.  Step ~<1> recovers the table
 * indices m..p exactly as rCRC32() does; step ~<2'> then solves the
 * forward relations for A..D instead of a..d.  Used by RevCRC() to walk
 * a checksum backwards.
 */
DWORD RCRC32(DWORD WXYZ, DWORD abcd)
{
  BYTE W = (BYTE)(WXYZ >> 24), X = (BYTE)(WXYZ >> 16),
       Y = (BYTE)(WXYZ >> 8),  Z = (BYTE)WXYZ;
  BYTE a = (BYTE)(abcd >> 24), b = (BYTE)(abcd >> 16),
       c = (BYTE)(abcd >> 8),  d = (BYTE)abcd;
  BYTE m, n, o, p, A, B, C, D;

  /* ~<1>: table indices, last byte first */
  p = RF(W);
  o = RF(X ^ G(p));
  n = RF(Y ^ G(o) ^ H(p));
  m = RF(Z ^ G(n) ^ H(o) ^ I(p));

  /* ~<2'>: start register from indices and data bytes */
  D = m ^ d;
  C = n ^ c ^ I(m);
  B = o ^ b ^ H(m) ^ I(n);
  A = p ^ a ^ G(m) ^ H(n) ^ I(o);

  return ((DWORD)A << 24) | ((DWORD)B << 16) | ((DWORD)C << 8) | D;
}

/*
 * CRC32: one table-driven CRC32 step over a 4-byte word, written out
 * with the per-byte table functions F..I (F = MSB of the entry, I = LSB).
 * ABCD is the register before the word, abcd the data word (d, the low
 * byte, is consumed first — it is XORed with the register's low byte D,
 * as in the R0..R4 derivation above), and the result WXYZ is the
 * register afterwards.  <2> computes the four table indices, <1> the
 * register bytes after the fourth lookup.  No final inversion is applied.
 */
DWORD CRC32(DWORD ABCD, DWORD abcd)
{
  BYTE A = (BYTE)(ABCD >> 24), B = (BYTE)(ABCD >> 16),
       C = (BYTE)(ABCD >> 8),  D = (BYTE)ABCD;
  BYTE a = (BYTE)(abcd >> 24), b = (BYTE)(abcd >> 16),
       c = (BYTE)(abcd >> 8),  d = (BYTE)abcd;
  BYTE m, n, o, p, W, X, Y, Z;

  /* <2>: table index of each of the four byte steps */
  m = d ^ D;
  n = c ^ C ^ I(m);
  o = b ^ B ^ H(m) ^ I(n);
  p = a ^ A ^ G(m) ^ H(n) ^ I(o);

  /* <1>: register bytes after the fourth step */
  W = F(p);
  X = F(o) ^ G(p);
  Y = F(n) ^ G(o) ^ H(p);
  Z = F(m) ^ G(n) ^ H(o) ^ I(p);

  return ((DWORD)W << 24) | ((DWORD)X << 16) | ((DWORD)Y << 8) | Z;
}

??????????????÷????,??????????????????,??CRC32Ч??,???????ABCD
???????????<1><2>????abcd,??abcd?????????????????????????!

????,"DonQuixote[CCG][iPB]"??????????CRC32??0x8A0C90C9,??????δ??????????????????:

/*
 * Demo: compute a 4-byte suffix for "ipb" whose CRC32 equals 0x8A0C90C9,
 * the value quoted above for "DonQuixote[CCG][iPB]", so that the two
 * strings collide.  The complements convert between the CRC output and
 * the internal register (the register is inverted once at the end of the
 * CRC), which is the form rCRC32() works with.  CRC() is assumed to be a
 * standard CRC32 over (buffer, length); it is not shown on this page.
 * The suffix is printed raw and is not guaranteed to be printable text.
 */
int main(int argc, char* argv[])
{
  DWORD x = rCRC32(~0x8A0C90C9, ~CRC((BYTE*)"ipb", 3));
  char str[5] = {0};                 /* 4 suffix bytes + terminator */

  memcpy(str, &x, 4);
  /* DWORD and unsigned int are both 32 bits on Win32, so %X is fine here */
  printf("x=%X\r\nstring=%s\r\n", x, str);

  return 0;
}

????????Щ???:

DonQuixote[CCG][iPB]
123?Dp0
ccg_G??
ipbkw??

?????????????CRC32Ч???=0x8A0C90C9
(????и???????????????,?????http://www.pediy.com/tools/Crypt ... N%20Hash%20Calculat

or%20.zip)

??????????????????????DWORD,????????????????м????λ???DWORD,????????????
??????WXYZ,abcd?????ABCD???????:
-------------------------
(mnop??????~<1>~<2>???)
~<2'>
D=m^d;
C=n^c^I(m);
B=o^b^H(m)^I(n);
A=p^a^G(m)^H(n)^I(o);
-------------------------
????????????????"Ч??"???,?????м????λ????????????

****************************************************************************************8

?????????Щ???:

??????????????????????anti-debug??,?????Ч?鶼???????????Ч???????
???????~<2'>??~<2>????????Ч?????????,?????????????:CRC(***A***)=A

????windows??????????CRC32Ч???,?????????д??????????????????????Ч?????????????
??????????????RootKit?????????,??????????????????

???TCP/IP??????????CRC32Ч??,??????????д?????????????????????????Ч??????

[ Last edited by sdlj8051 on 2006-10-6 at 12:34 ]



sdlj8051


利用反向校验写了一个 anti-debug 的例子：全部代码和数据一起校验，然后利用校验值解密。当然校验值是事先定好的，这个例子里校验值=0x123456789

加密前的代码:
.code
;-----------------------------------------------------------------------
; Self-checking entry point (Win32, MASM syntax).
; Everything between check_start and check_end is run through CRC32; the
; bytes between encrypt_start and encrypt_end are stored encrypted and
; are decrypted in place below, so that region must be writable at run
; time (a writable code section is assumed — the link options are not
; shown here).
; The checksum doubles as the decryption key: any modification of the
; checked region (a patched byte, a 0CCh software breakpoint) changes the
; key, so the message and the code behind encrypt_start decrypt to
; garbage instead of failing with an explicit check.
;-----------------------------------------------------------------------

check_start:

start:
mov esi,check_start                 ; esi = first byte of the checked region
call InitCRC32                      ; build dwcrc32table (256 entries)
mov ecx,check_end-check_start       ; ecx = length of the checked region
mov eax,0FFFFFFFFh                  ; standard CRC32 initial register
call CRC32                          ; eax = CRC32(check_start..check_end); CRC32 applies the final NOT itself

mov ecx,(encrypt_end-encrypt_start)
shr ecx,2                           ; ecx = number of DWORDs to decrypt (a trailing partial DWORD would be left as is)
mov esi,encrypt_start               ; esi = current DWORD

; Per DWORD: run CRC32 over the 4 stored bytes with init register eax
; (checksum + index), then overwrite those 4 bytes with the result.
; CRC32 advances esi by one per byte, hence [esi-4].  The stored bytes
; were produced by rCRC32() in fixfile() below, so the result is the
; original instructions and strings.
decrypt:
push eax                            ; save key (checksum + i)
push ecx                            ; save remaining count

mov ecx,4
call CRC32                          ; eax = NOT CRC(4 bytes, init = key); esi += 4
mov [esi-4],eax                     ; decrypt in place

pop ecx
pop eax

inc eax                             ; next DWORD uses key + 1

loop decrypt

; --- encrypted region: stored transformed on disk, restored above ---
encrypt_start:

jmp msgout
msg db "this debugme cracked by none!",0,0,0,0,0,0,0,0,0   ; extra zeros after the terminator; they appear to leave room for the checksum patch DWORD fixfile() writes (inferred from its offsets)
tmsg db "test CRC32 by DonQuixote[CCG][iPB]",0
msgout:
invoke MessageBox,NULL,offset msg,offset tmsg,MB_OK
invoke ExitProcess,NULL

encrypt_end:

;-----------------------------------------------------------------------
; InitCRC32: fill dwcrc32table[0..255] with the reflected CRC32 table
; (polynomial 0EDB88320h, the standard CRC32 table).
; In:    nothing
; Out:   dwcrc32table filled
; Clobb: eax, ecx, flags
;-----------------------------------------------------------------------
InitCRC32:

mov ecx, 256                        ; entries to fill, counted down

_nexttable:
lea eax, [ecx-1]                    ; eax = table index (255..0)
push ecx
mov ecx, 8                          ; 8 bit steps per entry

_nextbit:
shr eax,1                           ; shift the low bit out into CF
jnc _notcarry
xor eax, 0edb88320h                 ; bit was 1: apply the reflected polynomial
_notcarry:
dec ecx
jnz _nextbit

pop ecx
mov [dwcrc32table + ecx*4 - 4], eax ; dwcrc32table[ecx-1] = eax
dec ecx
jnz _nexttable

ret


;-----------------------------------------------------------------------
; CRC32: table-driven CRC32 over a byte range.
; In:    esi = data, ecx = length, eax = initial register value
;        (0FFFFFFFFh gives the standard CRC32)
; Out:   eax = NOT(register after all bytes); esi advanced by ecx.
;        For esi == 0 or ecx == 0 the result is NOT of the input eax.
; Clobb: ecx, edx, esi, flags
; Note:  antibp is called once per byte, i.e. one exception per byte of
;        input — costly, but it keeps re-clearing the debug registers
;        while the checksum runs.  antibp itself touches only esp and
;        fs:[0] as far as this listing shows.
;-----------------------------------------------------------------------
CRC32:
;esi=data
;ecx=len of data
;eax=init of checksum

or esi, esi
jz _done                            ; NULL pointer: nothing to do
or ecx, ecx
jz _done                            ; zero length: nothing to do

_nextbyte:
mov dl, [esi]

xor dl, al                          ; index = (reg ^ byte) AND 0FFh
movzx edx, dl
shr eax, 8
xor eax, [dwcrc32table + edx*4]     ; reg = (reg >> 8) ^ table[index]

inc esi
call antibp                         ; int3 trap + debug-register reset (see seh)
loop _nextbyte
_done:
not eax                             ; final inversion, also taken on the early-out paths

ret

;-----------------------------------------------------------------------
; antibp: raise a breakpoint exception under a temporary SEH frame so
; that `seh` runs and clears the hardware debug registers.
; Frame: [esp] = previous fs:[0], [esp+4] = handler address (seh).
; Normal flow: int3 -> seh (advances CONTEXT.Eip past the 0CCh byte and
; returns ExceptionContinueExecution) -> resumes at the pop below, which
; unlinks the frame again.
; If a debugger consumes the int3 instead of passing it to the program,
; seh never runs and the debug registers are left as they were.
; Only esp and fs:[0] are modified here.
;-----------------------------------------------------------------------
antibp:
push seh                            ; handler address
push fs:[0]                         ; previous frame -> new EXCEPTION_REGISTRATION record
mov fs:[0],esp                      ; install the frame
db 0CCh                             ; int3: triggers seh
pop fs:[0]                          ; restore the previous frame (seh resumes here)
add esp,4                           ; drop the handler address
ret

;-----------------------------------------------------------------------
; seh: SEH handler installed by antibp.
; Stack on entry (x86 SEH): [esp+4] = EXCEPTION_RECORD*,
;                            [esp+0Ch] = CONTEXT*.
; Steps past the int3 (CONTEXT.Eip at +0B8h); then, if the exception is
; EXCEPTION_BREAKPOINT (80000003h), clears Dr0-Dr3 and masks Dr6/Dr7 in
; the CONTEXT (x86 CONTEXT offsets +04h..+18h), so any hardware
; breakpoint is dropped when the thread resumes.
; Returns eax = 0 = ExceptionContinueExecution.
; Any other exception code jumps back to `start` instead of returning:
; a restart from inside the handler, without unwinding and with the
; antibp frame still linked into the SEH chain (presumably intended as
; an anti-debug dead end rather than a clean failure).
;-----------------------------------------------------------------------
seh:
mov eax,dword ptr ss:[esp+4h]       ; eax = EXCEPTION_RECORD*
mov ecx,dword ptr ss:[esp+0Ch]      ; ecx = CONTEXT*
inc dword ptr ds:[ecx+0B8h]         ; CONTEXT.Eip++ : skip the 0CCh byte
mov eax,dword ptr ds:[eax]          ; eax = ExceptionCode
xor eax,80000003h                   ; eax = 0 iff EXCEPTION_BREAKPOINT
jnz start                           ; other exception: restart the program
;xor eax,eax
and dword ptr ds:[ecx+4h],eax       ; Dr0 = 0 (eax is 0 here)
and dword ptr ds:[ecx+8h],eax       ; Dr1 = 0
and dword ptr ds:[ecx+0Ch],eax      ; Dr2 = 0
and dword ptr ds:[ecx+10h],eax      ; Dr3 = 0
and dword ptr ds:[ecx+14h],0FFFF0FF0h ; Dr6: clear B0-B3 (bits 0-3) and bits 12-15 (BD/BS/BT)
and dword ptr ds:[ecx+18h],0DC00h   ; Dr7: clear bits 0-9 (L0-G3, LE/GE), bit 13 (GD) and bits 16-31 (R/W, LEN); keep 10-12,14,15
ret                                 ; eax = 0 -> ExceptionContinueExecution

check_end:                          ; end of the CRC-checked region (exclusive)

end start

对硬件断点做了一点处理，加密算法仍然是 CRC32。
因为用 CRC32 校验一个 DWORD 时，校验数据、校验初值、校验值这 3 个量中知道任意 2 个就可以求出另外 1 个。
CRC32：是 CRC32 校验子程序，eax 指定校验初值（eax=0xFFFFFFFF 就是标准 CRC32）。

加密时的算法:
#define LEN 0x141                   /* bytes of anti.exe that the checksum covers (presumably check_start..check_end of the listing above) */
BYTE data[LEN];                     /* in-memory copy of that region */
DWORD wantedcrc=0x12345678;         /* CRC32 the patched region must have; also the key of the first decrypted DWORD */
DWORD filebase=0x400;               /* file offset of the region in anti.exe (raw offset of the code section, presumably) */
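/*
 * fixfile: post-build patch for anti.exe so that it self-decrypts and
 * checksums to wantedcrc.
 * Reads LEN bytes at filebase, transforms the 0x1A DWORDs starting at
 * offset 0x3A (presumably encrypt_start..encrypt_end of the listing
 * above) with rCRC32() so that the decrypt loop, which runs CRC32 with
 * init register wantedcrc+i over each stored DWORD, yields the original
 * bytes, then writes a correction DWORD at 0x5D so the CRC32 of the
 * whole buffer equals wantedcrc:
 *   b = register after the first 0x5D bytes (~StdCRC undoes the final NOT),
 *   a = register required before the bytes from 0x61 on (RevCRC walks
 *       backwards from ~wantedcrc over (0x141-0x61)/4 DWORDs),
 *   rCRC32(a, b) is the DWORD that bridges the two.
 * The offsets 0x3A/0x1A/0x5D/0x61 are tied to this particular build.
 * Returns 0 on success, -1 if the file cannot be opened or read/written
 * completely (the original returned 0 unconditionally).
 * Fixes: the file is opened in binary mode ("r+b"); in the text mode used
 * before, the CRT translates line endings and treats 0x1A as end of file,
 * which corrupts arbitrary machine code.  The original line also lacked
 * the closing parenthesis of fopen(), and fopen() failure was unchecked.
 */
int fixfile()
{
  FILE *fh = fopen("E:\\Crack\\CRC32\\anti.exe", "r+b");
  if (fh == NULL)
    return -1;

  fseek(fh, filebase, SEEK_SET);
  if (fread(data, 1, LEN, fh) != (size_t)LEN)
  {
    fclose(fh);
    return -1;
  }

  /* encrypt the instruction/string region DWORD by DWORD, key = wantedcrc + i */
  DWORD iendata = 0x3A;
  for (int i = 0; i < 0x1A; i++)
  {
    /* target is ~original because the runtime CRC32 routine inverts its result */
    *(DWORD*)(data + iendata) = rCRC32(~*(DWORD*)(data + iendata), (wantedcrc + i));
    iendata += 4;
  }

  /* make the checksum of the whole buffer come out as wantedcrc */
  DWORD b = ~StdCRC(data, 0x5D);
  DWORD a = RevCRC(~wantedcrc, (DWORD*)(data + 0x61), (0x141 - 0x61) / 4);
  *(DWORD*)(data + 0x5D) = rCRC32(a, b);

  fseek(fh, filebase, SEEK_SET);
  size_t written = fwrite(data, 1, LEN, fh);
  fclose(fh);
  return written == (size_t)LEN ? 0 : -1;
}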

wantedcrc=0x12345678 是预先设定的校验值。
for(int i=0;i<0x1A;i++) 这一段加密数据。
RevCRC 做反向校验，然后在 *(DWORD*)(data+0x5D) 这里写入修补码，使校验值=wantedcrc。

反向校验的代码:
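/*
 * RevCRC: walk a CRC32 backwards over n DWORDs.
 * Given the register value `reg` the CRC must hold AFTER consuming
 * pdata[0..n-1], return the register value it must hold BEFORE them
 * (the "init reg").  Each step calls RCRC32(reg, pdata[i]), which
 * recovers the previous register from the next one and the data word,
 * going from the last word to the first.
 * Fix: the original passed the pointer `pdata` itself instead of
 * pdata[i] on every iteration, which does not match RCRC32's DWORD
 * parameter and never looked at the data.
 * n <= 0 returns reg unchanged.
 */
DWORD RevCRC(DWORD reg, DWORD *pdata, int n)
{
  for (int i = n - 1; i >= 0; i--)
    reg = RCRC32(reg, pdata[i]);
  return reg;
}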
//根据数据和校验值求出校验初值


利用CRC32加密的变换也可以应用到序列号变换里,可以增加一点写KeyGen的难度:)
2楼2006-08-23 18:15:28