前言
用PEiD的算法扫描插件, 可以扫描出使用了SHA1的程序.
扫描所依据的特征码是常量K3.
/* SHA-1 initial chaining values h[0..4]; loaded by sha1_init. */
#define H0 0x67452301L
#define H1 0xefcdab89L
#define H2 0x98badcfeL
#define H3 0x10325476L
#define H4 0xc3d2e1f0L
/* SHA-1 round constants, one per group of 20 rounds in sha1_transform.
   K3 is the constant the PEiD signature scan keys on. */
#define K0 0x5a827999L
#define K1 0x6ed9eba1L
#define K2 0x8f1bbcdcL
#define K3 0xca62c1d6L
记录
K3所在的函数是sha1_transform
00401090 <SHA1KeyG.sha1_tra>/$ 8B4C24 04 mov ecx, dword ptr [esp+4] ; ecx = sh (first argument)
00401094 |. 83EC 0C sub esp, 0C
00401097 |. 53 push ebx
00401098 |. 55 push ebp
00401099 |. 8D59 28 lea ebx, dword ptr [ecx+28] ; ebx = &sh->w[0] (w[] is at offset 0x28, see sha1_init)
0040109C |. 56 push esi
0040109D |. 57 push edi
0040109E |. 8BD3 mov edx, ebx
004010A0 |. BE 40000000 mov esi, 40 ; 64 iterations: message schedule w[16..79]
004010A5 |> 8B42 34 /mov eax, dword ptr [edx+34] ; w[t-3]
004010A8 |. 8B7A 20 |mov edi, dword ptr [edx+20] ; w[t-8]
004010AB |. 8B6A 08 |mov ebp, dword ptr [edx+8] ; w[t-14]
004010AE |. 33C7 |xor eax, edi
004010B0 |. 8B3A |mov edi, dword ptr [edx] ; w[t-16]
004010B2 |. 33C5 |xor eax, ebp
004010B4 |. 33C7 |xor eax, edi
004010B6 |. 83C2 04 |add edx, 4
004010B9 |. 8BF8 |mov edi, eax
004010BB |. 03C0 |add eax, eax
004010BD |. C1EF 1F |shr edi, 1F
004010C0 |. 0BF8 |or edi, eax ; rotate left by 1 == S(1, x)
004010C2 |. 4E |dec esi
004010C3 |. 897A 3C |mov dword ptr [edx+3C], edi ; store w[t]
004010C6 |.^ 75 DD \jnz short 004010A5
004010C8 |. 8B79 08 mov edi, dword ptr [ecx+8] ; a = h[0]
004010CB |. 8B41 0C mov eax, dword ptr [ecx+C] ; b = h[1]
004010CE |. 8B51 10 mov edx, dword ptr [ecx+10] ; c = h[2]
004010D1 |. 8B71 14 mov esi, dword ptr [ecx+14] ; d = h[3]
004010D4 |. 8B49 18 mov ecx, dword ptr [ecx+18] ; e = h[4]
004010D7 |. 895C24 14 mov dword ptr [esp+14], ebx ; [esp+14] = &w[t]
004010DB |. 894C24 10 mov dword ptr [esp+10], ecx ; [esp+10] = e (spilled)
004010DF |. C74424 18 140>mov dword ptr [esp+18], 14 ; round counter = 20
004010E7 |> 8BC8 /mov ecx, eax ; round 1 (t = 0..19): F0 = (b & c) | (~b & d)
004010E9 |. 8BDA |mov ebx, edx
004010EB |. F7D1 |not ecx
004010ED |. 23CE |and ecx, esi
004010EF |. 23D8 |and ebx, eax
004010F1 |. 0BCB |or ecx, ebx ; ecx = F0(b, c, d)
004010F3 |. 8BDF |mov ebx, edi
004010F5 |. 8BEF |mov ebp, edi
004010F7 |. C1EB 1B |shr ebx, 1B
004010FA |. C1E5 05 |shl ebp, 5
004010FD |. 0BDD |or ebx, ebp ; ebx = rotate left a by 5 == S(5, a)
004010FF |. 8B6C24 14 |mov ebp, dword ptr [esp+14]
00401103 |. 03CB |add ecx, ebx
00401105 |. 8B5D 00 |mov ebx, dword ptr [ebp]
00401108 |. 83C5 04 |add ebp, 4
0040110B |. 03CB |add ecx, ebx ; + w[t]
0040110D |. 8B5C24 10 |mov ebx, dword ptr [esp+10]
00401111 |. 896C24 14 |mov dword ptr [esp+14], ebp
00401115 |. 8B6C24 18 |mov ebp, dword ptr [esp+18]
00401119 |. 8D8C19 997982>|lea ecx, dword ptr [ecx+ebx+5A827999] ; + e + K0
00401120 |. 8BDE |mov ebx, esi
00401122 |. 8BF2 |mov esi, edx
00401124 |. 8BD0 |mov edx, eax
00401126 |. C1E2 1E |shl edx, 1E
00401129 |. C1E8 02 |shr eax, 2
0040112C |. 0BD0 |or edx, eax ; c = S(30, b)
0040112E |. 4D |dec ebp
0040112F |. 8BC7 |mov eax, edi
00401131 |. 895C24 10 |mov dword ptr [esp+10], ebx
00401135 |. 8BF9 |mov edi, ecx ; a = temp
00401137 |. 896C24 18 |mov dword ptr [esp+18], ebp
0040113B |.^ 75 AA \jnz short 004010E7
0040113D |. 8B6C24 20 mov ebp, dword ptr [esp+20]
00401141 |. C74424 14 140>mov dword ptr [esp+14], 14 ; round counter = 20
00401149 |. 83C5 78 add ebp, 78 ; &w[20] (0x28 + 20*4)
0040114C |. 896C24 18 mov dword ptr [esp+18], ebp
00401150 |> 8BE9 /mov ebp, ecx ; round 2 (t = 20..39): F1 = b ^ c ^ d
00401152 |. C1ED 1B |shr ebp, 1B
00401155 |. C1E1 05 |shl ecx, 5
00401158 |. 0BE9 |or ebp, ecx ; S(5, a)
0040115A |. 8BCE |mov ecx, esi
0040115C |. 33CA |xor ecx, edx
0040115E |. 33C8 |xor ecx, eax ; F1(b, c, d)
00401160 |. 03E9 |add ebp, ecx
00401162 |. 8BCD |mov ecx, ebp
00401164 |. 8B6C24 18 |mov ebp, dword ptr [esp+18]
00401168 |. 034D 00 |add ecx, dword ptr [ebp] ; + w[t]
0040116B |. 83C5 04 |add ebp, 4
0040116E |. 896C24 18 |mov dword ptr [esp+18], ebp
00401172 |. 8B6C24 14 |mov ebp, dword ptr [esp+14]
00401176 |. 8D8C19 A1EBD9>|lea ecx, dword ptr [ecx+ebx+6ED9EBA1] ; + e + K1
0040117D |. 8BDE |mov ebx, esi
0040117F |. 8BF2 |mov esi, edx
00401181 |. 8BD0 |mov edx, eax
00401183 |. C1E2 1E |shl edx, 1E
00401186 |. C1E8 02 |shr eax, 2
00401189 |. 0BD0 |or edx, eax ; c = S(30, b)
0040118B |. 4D |dec ebp
0040118C |. 8BC7 |mov eax, edi
0040118E |. 8BF9 |mov edi, ecx
00401190 |. 896C24 14 |mov dword ptr [esp+14], ebp
00401194 |.^ 75 BA \jnz short 00401150
00401196 |. 895C24 10 mov dword ptr [esp+10], ebx
0040119A |. 8B5C24 20 mov ebx, dword ptr [esp+20]
0040119E |. 81C3 C8000000 add ebx, 0C8 ; &w[40] (0x28 + 40*4)
004011A4 |. C74424 14 140>mov dword ptr [esp+14], 14 ; round counter = 20
004011AC |. 895C24 18 mov dword ptr [esp+18], ebx
004011B0 |> 8BEA /mov ebp, edx ; round 3 (t = 40..59): F2 = ((b | c) & d) | (b & c)
004011B2 |. 8BDA |mov ebx, edx
004011B4 |. 0BE8 |or ebp, eax
004011B6 |. 23D8 |and ebx, eax
004011B8 |. 23EE |and ebp, esi
004011BA |. 0BEB |or ebp, ebx ; ebp = F2(b, c, d)
004011BC |. 8BD9 |mov ebx, ecx
004011BE |. C1EB 1B |shr ebx, 1B
004011C1 |. C1E1 05 |shl ecx, 5
004011C4 |. 0BD9 |or ebx, ecx ; S(5, a)
004011C6 |. 03EB |add ebp, ebx
004011C8 |. 8B5C24 18 |mov ebx, dword ptr [esp+18]
004011CC |. 8B0B |mov ecx, dword ptr [ebx]
004011CE |. 83C3 04 |add ebx, 4
004011D1 |. 03E9 |add ebp, ecx ; + w[t]
004011D3 |. 8B4C24 10 |mov ecx, dword ptr [esp+10]
004011D7 |. 897424 10 |mov dword ptr [esp+10], esi
004011DB |. 8BF2 |mov esi, edx
004011DD |. 8BD0 |mov edx, eax
004011DF |. 895C24 18 |mov dword ptr [esp+18], ebx
004011E3 |. 8B5C24 14 |mov ebx, dword ptr [esp+14]
004011E7 |. 8D8C29 DCBC1B>|lea ecx, dword ptr [ecx+ebp+8F1BBCDC] ; + e + K2
004011EE |. C1E2 1E |shl edx, 1E
004011F1 |. C1E8 02 |shr eax, 2
004011F4 |. 0BD0 |or edx, eax ; c = S(30, b)
004011F6 |. 4B |dec ebx
004011F7 |. 8BC7 |mov eax, edi
004011F9 |. 8BF9 |mov edi, ecx
004011FB |. 895C24 14 |mov dword ptr [esp+14], ebx
004011FF |.^ 75 AF \jnz short 004011B0
00401201 |. 8B5C24 20 mov ebx, dword ptr [esp+20] ; ebx = sh
00401205 |. C74424 18 140>mov dword ptr [esp+18], 14 ; round counter = 20
0040120D |. 8DAB 18010000 lea ebp, dword ptr [ebx+118] ; &w[60] (0x28 + 60*4)
00401213 |. 896C24 20 mov dword ptr [esp+20], ebp
00401217 |> 8BE9 /mov ebp, ecx ; round 4 (t = 60..79): F3 = b ^ c ^ d
00401219 |. C1ED 1B |shr ebp, 1B
0040121C |. C1E1 05 |shl ecx, 5
0040121F |. 0BE9 |or ebp, ecx ; S(5, a)
00401221 |. 8BCE |mov ecx, esi
00401223 |. 33CA |xor ecx, edx
00401225 |. 33C8 |xor ecx, eax ; F3(b, c, d)
00401227 |. 03E9 |add ebp, ecx
00401229 |. 8B4C24 20 |mov ecx, dword ptr [esp+20]
0040122D |. 0329 |add ebp, dword ptr [ecx] ; + w[t]
0040122F |. 8B4C24 10 |mov ecx, dword ptr [esp+10]
00401233 |. 897424 10 |mov dword ptr [esp+10], esi
00401237 |. 8BF2 |mov esi, edx
00401239 |. 8BD0 |mov edx, eax
0040123B |. 8D8C29 D6C162>|lea ecx, dword ptr [ecx+ebp+CA62C1D6] ; + e + K3 (the constant the PEiD signature keys on)
00401242 |. 8B6C24 20 |mov ebp, dword ptr [esp+20]
00401246 |. 83C5 04 |add ebp, 4
00401249 |. C1E2 1E |shl edx, 1E
0040124C |. C1E8 02 |shr eax, 2
0040124F |. 896C24 20 |mov dword ptr [esp+20], ebp
00401253 |. 8B6C24 18 |mov ebp, dword ptr [esp+18]
00401257 |. 0BD0 |or edx, eax ; c = S(30, b)
00401259 |. 4D |dec ebp
0040125A |. 8BC7 |mov eax, edi
0040125C |. 8BF9 |mov edi, ecx
0040125E |. 896C24 18 |mov dword ptr [esp+18], ebp
00401262 |.^ 75 B3 \jnz short 00401217
00401264 |. 8B7B 08 mov edi, dword ptr [ebx+8]
00401267 |. 03F9 add edi, ecx ; h[0] + a
00401269 |. 8B4B 0C mov ecx, dword ptr [ebx+C]
0040126C |. 03C8 add ecx, eax ; h[1] + b
0040126E |. 8B43 10 mov eax, dword ptr [ebx+10]
00401271 |. 03C2 add eax, edx ; h[2] + c
00401273 |. 894B 0C mov dword ptr [ebx+C], ecx
00401276 |. 8B4C24 10 mov ecx, dword ptr [esp+10]
0040127A |. 8943 10 mov dword ptr [ebx+10], eax
0040127D |. 8B43 14 mov eax, dword ptr [ebx+14]
00401280 |. 897B 08 mov dword ptr [ebx+8], edi
00401283 |. 03C6 add eax, esi ; h[3] + d
00401285 |. 5F pop edi
00401286 |. 8943 14 mov dword ptr [ebx+14], eax
00401289 |. 8B43 18 mov eax, dword ptr [ebx+18]
0040128C |. 03C1 add eax, ecx ; h[4] + e
0040128E |. 5E pop esi
0040128F |. 8943 18 mov dword ptr [ebx+18], eax
00401292 |. 5D pop ebp
00401293 |. 5B pop ebx
00401294 |. 83C4 0C add esp, 0C
00401297 \. C3 retn
static void sha1_transform(sha *sh)
{ /* basic transformation step: compress the 512-bit block held in sh->w[0..15]
     into the chaining state sh->h[0..4].
     S(n,x) is presumably a left rotation by n bits (the compiled loop uses a
     shl/shr/or sequence) -- confirm against the macro definition. */
    unsigned int a,b,c,d,e,temp;
    int t;

    /* message schedule: expand the 16 input words to 80 */
    for (t=16;t<80;t++)
        sh->w[t]=S(1,sh->w[t-3]^sh->w[t-8]^sh->w[t-14]^sh->w[t-16]);

    /* working variables start from the running hash state */
    a=sh->h[0]; b=sh->h[1]; c=sh->h[2]; d=sh->h[3]; e=sh->h[4];

    /* 80 rounds; the round function and constant change every 20 rounds */
    for (t=0;t<80;t++)
    {
        switch (t/20)
        {
        case 0:  temp=K0+F0(b,c,d)+S(5,a)+e+sh->w[t]; break;
        case 1:  temp=K1+F1(b,c,d)+S(5,a)+e+sh->w[t]; break;
        case 2:  temp=K2+F2(b,c,d)+S(5,a)+e+sh->w[t]; break;
        default: temp=K3+F3(b,c,d)+S(5,a)+e+sh->w[t]; break;
        }
        e=d; d=c;
        c=S(30,b);
        b=a; a=temp;
    }

    /* fold the round output back into the chaining state */
    sh->h[0]+=a; sh->h[1]+=b; sh->h[2]+=c;
    sh->h[3]+=d; sh->h[4]+=e;
}
sha1_transform 分别在sha1_process和sha1_hash中被调用.
sha1_process中调用sha1_transform的条件是((sh->length[0]%512)==0)
sha1_hash中调用了2次sha1_process(一次是循环外, 一次是循环内)
因此从反汇编上就可以识别出sha1_process和sha1_hash.
00401040 <SHA1KeyG.sha1_process> /$ 8B4424 04 mov eax, dword ptr [esp+4] ; eax = sh
00401044 |. 56 push esi
00401045 |. 8B7424 0C mov esi, dword ptr [esp+C] ; esi = byte
00401049 |. 8B08 mov ecx, dword ptr [eax] ; length[0]
0040104B |. 81E6 FF000000 and esi, 0FF ; byte & 0xFF
00401051 |. C1E9 05 shr ecx, 5 ; length[0] / 32
00401054 |. 83E1 0F and ecx, 0F ; % 16 -> cnt
00401057 |. 8B5488 28 mov edx, dword ptr [eax+ecx*4+28] ; edx = w[cnt]
0040105B |. C1E2 08 shl edx, 8 ; w[cnt] <<= 8
0040105E |. 0BD6 or edx, esi ; w[cnt] |= byte & 0xFF
00401060 |. 5E pop esi
00401061 |. 895488 28 mov dword ptr [eax+ecx*4+28], edx ; store w[cnt]
00401065 |. 8B08 mov ecx, dword ptr [eax]
00401067 |. 83C1 08 add ecx, 8 ; length[0] += 8
0040106A |. 8908 mov dword ptr [eax], ecx
0040106C |. 75 0D jnz short 0040107B ; no wrap-around -> skip the carry
0040106E |. 8B48 04 mov ecx, dword ptr [eax+4]
00401071 |. C700 00000000 mov dword ptr [eax], 0 ; length[0] = 0
00401077 |. 41 inc ecx ; length[1]++ (carry into the high word)
00401078 |. 8948 04 mov dword ptr [eax+4], ecx
0040107B |> F700 FF010000 test dword ptr [eax], 1FF ; length[0] % 512 == 0 ?
00401081 |. 75 07 jnz short 0040108A
00401083 |. 50 push eax
00401084 |. E8 07000000 call <sha1_transform> ; compress the completed block
00401089 |. 59 pop ecx
0040108A \> C3 retn
void sha1_process(sha *sh,int byte)
{ /* process the next message byte: pack it into the current block and
     compress the block once 512 bits have been gathered */
    int slot;

    /* which of the 16 words of the current block this byte lands in */
    slot=(int)((sh->length[0]/32)%16);

    /* bytes are packed high-to-low: shift the word up and OR the new byte in
       (the & 0xFF mask makes a negative char passed through int harmless) */
    sh->w[slot]=(sh->w[slot]<<8)|(unsigned int)(byte&0xFF);

    /* the bit count is kept in two words; propagate the carry on wrap-around */
    sh->length[0]+=8;
    if (sh->length[0]==0L)
    {
        sh->length[1]++;
        sh->length[0]=0L;
    }

    /* a full 512-bit block is in w[0..15]: compress it */
    if ((sh->length[0]%512)==0)
        sha1_transform(sh);
}
004012A0 <SHA1KeyG.sha1_hash> /$ 53 push ebx
004012A1 |. 56 push esi
004012A2 |. 8B7424 0C mov esi, dword ptr [esp+C] ; esi = sh
004012A6 |. 57 push edi
004012A7 |. 68 80000000 push 80 ; PAD == 0x80
004012AC |. 56 push esi
004012AD |. 8B3E mov edi, dword ptr [esi] ; len0 = length[0] (saved before padding)
004012AF |. 8B5E 04 mov ebx, dword ptr [esi+4] ; len1 = length[1]
004012B2 |. E8 89FDFFFF call <sha1_process> ; sha1_process(sh, PAD)
004012B7 |. 8B06 mov eax, dword ptr [esi]
004012B9 |. 83C4 08 add esp, 8
004012BC |. 25 FF010000 and eax, 1FF ; length[0] % 512
004012C1 |. 3D C0010000 cmp eax, 1C0 ; != 448 ?
004012C6 |. 74 1B je short 004012E3
004012C8 |> 6A 00 /push 0 ; ZERO == 0
004012CA |. 56 |push esi
004012CB |. E8 70FDFFFF |call <sha1_process> ; sha1_process(sh, ZERO) until 448 bits into the block
004012D0 |. 8B0E |mov ecx, dword ptr [esi]
004012D2 |. 83C4 08 |add esp, 8
004012D5 |. 81E1 FF010000 |and ecx, 1FF
004012DB |. 81F9 C0010000 |cmp ecx, 1C0
004012E1 |.^ 75 E5 \jnz short 004012C8
004012E3 |> 56 push esi
004012E4 |. 895E 60 mov dword ptr [esi+60], ebx ; w[14] = len1 (0x28 + 14*4 = 0x60)
004012E7 |. 897E 64 mov dword ptr [esi+64], edi ; w[15] = len0
004012EA |. E8 A1FDFFFF call <sha1_transform> ; final compression
004012EF |. 8B5C24 18 mov ebx, dword ptr [esp+18] ; ebx = hash (second argument)
004012F3 |. 83C4 04 add esp, 4
004012F6 |. 33FF xor edi, edi ; i = 0
004012F8 |> 8BD7 /mov edx, edi
004012FA |. 81E2 03000080 |and edx, 80000003 ; edx = i % 4 (signed modulo)
00401300 |. 79 05 |jns short 00401307
00401302 |. 4A |dec edx
00401303 |. 83CA FC |or edx, FFFFFFFC
00401306 |. 42 |inc edx
00401307 |> C1E2 03 |shl edx, 3 ; 8 * (i % 4)
0040130A |. B9 18000000 |mov ecx, 18
0040130F |. 8BC7 |mov eax, edi
00401311 |. 2BCA |sub ecx, edx ; cl = 8 * (3 - i % 4)
00401313 |. 99 |cdq
00401314 |. 83E2 03 |and edx, 3
00401317 |. 03C2 |add eax, edx
00401319 |. C1F8 02 |sar eax, 2 ; eax = i / 4 (signed division)
0040131C |. 8B4486 08 |mov eax, dword ptr [esi+eax*4+8] ; h[i/4]
00401320 |. D3E8 |shr eax, cl ; >> (8 * (3 - i % 4)); low byte is hash[i]
00401322 |. 47 |inc edi
00401323 |. 83FF 14 |cmp edi, 14 ; 20 output bytes
00401326 |. 88441F FF |mov byte ptr [edi+ebx-1], al ; hash[i] = al
0040132A |.^ 7C CC \jl short 004012F8
0040132C |. 56 push esi
0040132D |. E8 CEFCFFFF call 00401000 ; sha1_init(sh): the context is reset after finalising
00401332 |. 83C4 04 add esp, 4
00401335 |. 5F pop edi
00401336 |. 5E pop esi
00401337 |. 5B pop ebx
00401338 \. C3 retn
void sha1_hash(sha *sh,char hash[20])
{ /* pad message and finish - supply digest.
     Writes the 20-byte digest into hash[] and then re-initialises sh, so the
     context cannot be queried again after this call.
     Note: SHA-1 is no longer collision-resistant; new designs should use
     SHA-2 or SHA-3. */
    unsigned int len0,len1;
    int i;

    /* capture the bit count before the padding bytes start being counted */
    len0=sh->length[0];
    len1=sh->length[1];

    /* append the PAD byte, then ZERO bytes until 64 bits remain in the block
       (PAD/ZERO are defined elsewhere; the compiled code pushes 0x80 and 0) */
    sha1_process(sh,PAD);
    while ((sh->length[0]%512)!=448)
        sha1_process(sh,ZERO);

    /* the last two words carry the original length, high word first */
    sh->w[14]=len1;
    sh->w[15]=len0;
    sha1_transform(sh);

    /* serialise h[0..4] most-significant byte first into the 20 output bytes */
    for (i=0;i<20;i++)
    {
        unsigned int shift=8*(3-i%4);
        hash[i]=((sh->h[i/4]>>shift) & 0xffL);
    }

    /* reset the context so it is ready for a fresh message */
    sha1_init(sh);
}
在sha1_hash之外对sha1_process的调用属于用户逻辑; 结合其上下文可以确定sha1_init.
sha1_hash输出的结果就是hash值.
004014FF |. E8 FCFAFFFF call 00401000 ; sha1_init(&sh) -- 00401000 is the init routine listed below
00401504 |. 83C4 04 add esp, 4
00401507 |. 33FF xor edi, edi ; i = 0
00401509 |. 3BF3 cmp esi, ebx
0040150B |. 7E 1E jle short 0040152B ; skip the loop when the length is <= 0
0040150D |> 0FBE8C3C D001>/movsx ecx, byte ptr [esp+edi+1D0] ; ecx = szName[i] (sign-extended; masked to 8 bits inside sha1_process)
00401515 |. 8D9424 600300>|lea edx, dword ptr [esp+360] ; edx = &sh
0040151C |. 51 |push ecx
0040151D |. 52 |push edx
0040151E |. E8 1DFBFFFF |call <sha1_process> ; sha1_process(&sh, szName[i])
00401523 |. 83C4 08 |add esp, 8
00401526 |. 47 |inc edi
00401527 |. 3BFE |cmp edi, esi
00401529 |.^ 7C E2 \jl short 0040150D ; one call per input byte
0040152B |> 8D8424 080100>lea eax, dword ptr [esp+108] ; eax = szHash output buffer
00401532 |. 8D8C24 600300>lea ecx, dword ptr [esp+360] ; ecx = &sh
00401539 |. 50 push eax
0040153A |. 51 push ecx
0040153B |. E8 60FDFFFF call <sha1_hash> ; sha1_hash(&sh, szHash)
00401000 <SHA1KeyG.sh1_init> /$ 8B5424 04 mov edx, dword ptr [esp+4] ; edx = sh
00401004 |. 57 push edi
00401005 |. B9 50000000 mov ecx, 50 ; 0x50 = 80 dwords
0040100A |. 33C0 xor eax, eax
0040100C |. 8D7A 28 lea edi, dword ptr [edx+28] ; edi = &sh->w[0] (w[] at offset 0x28)
0040100F |. F3:AB rep stos dword ptr es:[edi] ; w[0..79] = 0
00401011 |. 8942 04 mov dword ptr [edx+4], eax ; length[1] = 0
00401014 |. 8902 mov dword ptr [edx], eax ; length[0] = 0
00401016 |. C742 08 01234>mov dword ptr [edx+8], 67452301 ; h[0] = H0
0040101D |. C742 0C 89ABC>mov dword ptr [edx+C], EFCDAB89 ; h[1] = H1
00401024 |. C742 10 FEDCB>mov dword ptr [edx+10], 98BADCFE ; h[2] = H2
0040102B |. C742 14 76543>mov dword ptr [edx+14], 10325476 ; h[3] = H3
00401032 |. C742 18 F0E1D>mov dword ptr [edx+18], C3D2E1F0 ; h[4] = H4
00401039 |. 5F pop edi
0040103A \. C3 retn
sha1_init和其他hash算法一样, 会赋值一些魔法数(初始值H0~H4).
void sha1_init(sha *sh)
{ /* re-initialise: clear the message schedule and bit count and load the
     SHA-1 initial chaining values H0..H4 */
    int i=0;

    /* clear the message schedule */
    while (i<80)
    {
        sh->w[i]=0L;
        i++;
    }

    /* no bits processed yet */
    sh->length[0]=0L;
    sh->length[1]=0L;

    /* initial chaining values */
    sh->h[0]=H0;
    sh->h[1]=H1;
    sh->h[2]=H2;
    sh->h[3]=H3;
    sh->h[4]=H4;
}
sha1总的调用流程:
sha1_init(&sh);              /* reset the context: zero w[] and the bit count, load H0..H4 */
sha1_process(&sh,szName[i]); /* feed one byte; may be called repeatedly in a loop, much like md5_update */
sha1_hash(&sh,szHash);       /* pad, finalise, write the 20-byte digest to szHash, then re-init the context */