[转载]噢易硬盘保护的密码加密分析

很简单,在安装目录中有个LegacyBase.dll文件。

这个dll导出一个encode函数

密码验证时会通过该函数对用户输入的密码进行加密

od里,定位一下该函数:


; encode(pwd=[ebp+0x8], dwSize=[ebp+0xC], pOut=[ebp+0x10]) as shown by the debugger.
; Locals: [ebp-0x4] input offset, [ebp-0x8] output offset,
;         [ebp-0xC] / [ebp-0x10] flags "2nd / 3rd byte of the group is present",
;         [ebp-0x14] 24-bit group accumulator,
;         [ebp-0x18] / [ebp-0x1C] table index for output chars 3 / 2.
; [0x1002D08C] holds the pointer to the lookup table.
; NOTE(review): some opcode-byte columns (e.g. "C745 FC 00000") appear truncated in this listing.
; No instruction here checks the capacity of pOut; the caller must size it.
10020CF0 55 push ebp

10020CF1 8BEC mov ebp,esp

10020CF3 83EC 1C sub esp,0x1C  ; reserve 0x1C bytes for the locals listed above

10020CF6 C745 FC 00000 mov dword ptr ss:[ebp-0x4],0x0  ; input offset = 0

10020CFD C745 F8 00000 mov dword ptr ss:[ebp-0x8],0x0  ; output offset = 0

10020D04 EB 12 jmp short 10020D18  ; first pass skips the loop increment

10020D06 8B45 FC mov eax,dword ptr ss:[ebp-0x4]  ; loop increment starts here

10020D09 83C0 03 add eax,0x3  ; consume 3 input bytes per round

10020D0C 8945 FC mov dword ptr ss:[ebp-0x4],eax

10020D0F 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]

10020D12 83C1 04 add ecx,0x4  ; produce 4 output chars per round

10020D15 894D F8 mov dword ptr ss:[ebp-0x8],ecx

10020D18 8B55 FC mov edx,dword ptr ss:[ebp-0x4]  ; loop condition

10020D1B 3B55 0C cmp edx,dword ptr ss:[ebp+0xC]

10020D1E 0F8D 26010000 jge 10020E4A  ; input offset >= dwSize (signed compare): leave the loop

10020D24 C745 F0 00000 mov dword ptr ss:[ebp-0x10],0x0  ; clear "3rd byte present"

10020D2B C745 F4 00000 mov dword ptr ss:[ebp-0xC],0x0  ; clear "2nd byte present"

10020D32 8B45 08 mov eax,dword ptr ss:[ebp+0x8]

10020D35 0345 FC add eax,dword ptr ss:[ebp-0x4]

10020D38 0FBE08 movsx ecx,byte ptr ds:[eax]  ; load 1st byte of the group (sign-extended)

10020D3B 81E1 FF000000 and ecx,0xFF  ; mask back to an unsigned byte value

10020D41 894D EC mov dword ptr ss:[ebp-0x14],ecx

10020D44 8B55 EC mov edx,dword ptr ss:[ebp-0x14]

10020D47 C1E2 08 shl edx,0x8  ; make room for the 2nd byte

10020D4A 8955 EC mov dword ptr ss:[ebp-0x14],edx

10020D4D 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

10020D50 83C0 01 add eax,0x1

10020D53 3B45 0C cmp eax,dword ptr ss:[ebp+0xC]

10020D56 7D 1D jge short 10020D75  ; offset+1 >= dwSize: there is no 2nd byte

10020D58 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]

10020D5B 034D FC add ecx,dword ptr ss:[ebp-0x4]

10020D5E 0FBE51 01 movsx edx,byte ptr ds:[ecx+0x1]  ; load 2nd byte

10020D62 81E2 FF000000 and edx,0xFF

10020D68 0B55 EC or edx,dword ptr ss:[ebp-0x14]  ; merge it into the accumulator

10020D6B 8955 EC mov dword ptr ss:[ebp-0x14],edx

10020D6E C745 F4 01000 mov dword ptr ss:[ebp-0xC],0x1  ; remember that the 2nd byte exists

10020D75 8B45 EC mov eax,dword ptr ss:[ebp-0x14]

10020D78 C1E0 08 shl eax,0x8  ; make room for the 3rd byte

10020D7B 8945 EC mov dword ptr ss:[ebp-0x14],eax

10020D7E 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]

10020D81 83C1 02 add ecx,0x2

10020D84 3B4D 0C cmp ecx,dword ptr ss:[ebp+0xC]

10020D87 7D 1C jge short 10020DA5  ; offset+2 >= dwSize: there is no 3rd byte

10020D89 8B55 08 mov edx,dword ptr ss:[ebp+0x8]

10020D8C 0355 FC add edx,dword ptr ss:[ebp-0x4]

10020D8F 0FBE42 02 movsx eax,byte ptr ds:[edx+0x2]  ; load 3rd byte

10020D93 25 FF000000 and eax,0xFF

10020D98 0B45 EC or eax,dword ptr ss:[ebp-0x14]  ; accumulator now holds byte1<<16 | byte2<<8 | byte3

10020D9B 8945 EC mov dword ptr ss:[ebp-0x14],eax

10020D9E C745 F0 01000 mov dword ptr ss:[ebp-0x10],0x1  ; remember that the 3rd byte exists

10020DA5 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0  ; choose the index for output char 3

10020DA9 74 0B je short 10020DB6

10020DAB 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]

10020DAE 83E1 3F and ecx,0x3F  ; lowest 6 bits of the group

10020DB1 894D E8 mov dword ptr ss:[ebp-0x18],ecx

10020DB4 EB 07 jmp short 10020DBD

10020DB6 C745 E8 40000 mov dword ptr ss:[ebp-0x18],0x40  ; no 3rd byte: use table index 0x40

10020DBD 8B55 10 mov edx,dword ptr ss:[ebp+0x10]

10020DC0 0355 F8 add edx,dword ptr ss:[ebp-0x8]

10020DC3 A1 8CD00210 mov eax,dword ptr ds:[0x1002D08C]  ; table base pointer

10020DC8 0345 E8 add eax,dword ptr ss:[ebp-0x18]

10020DCB 8A08 mov cl,byte ptr ds:[eax]

10020DCD 884A 03 mov byte ptr ds:[edx+0x3],cl  ; pOut[out+3] = table[index]

10020DD0 8B55 EC mov edx,dword ptr ss:[ebp-0x14]

10020DD3 C1FA 06 sar edx,0x6  ; drop the 6 bits just consumed

10020DD6 8955 EC mov dword ptr ss:[ebp-0x14],edx

10020DD9 837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0  ; choose the index for output char 2

10020DDD 74 0B je short 10020DEA

10020DDF 8B45 EC mov eax,dword ptr ss:[ebp-0x14]

10020DE2 83E0 3F and eax,0x3F

10020DE5 8945 E4 mov dword ptr ss:[ebp-0x1C],eax

10020DE8 EB 07 jmp short 10020DF1

10020DEA C745 E4 40000 mov dword ptr ss:[ebp-0x1C],0x40  ; no 2nd byte: use table index 0x40

10020DF1 8B4D 10 mov ecx,dword ptr ss:[ebp+0x10]

10020DF4 034D F8 add ecx,dword ptr ss:[ebp-0x8]

10020DF7 8B15 8CD00210 mov edx,dword ptr ds:[0x1002D08C]

10020DFD 0355 E4 add edx,dword ptr ss:[ebp-0x1C]

10020E00 8A02 mov al,byte ptr ds:[edx]

10020E02 8841 02 mov byte ptr ds:[ecx+0x2],al  ; pOut[out+2] = table[index]

10020E05 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]

10020E08 C1F9 06 sar ecx,0x6

10020E0B 894D EC mov dword ptr ss:[ebp-0x14],ecx

10020E0E 8B55 EC mov edx,dword ptr ss:[ebp-0x14]

10020E11 83E2 3F and edx,0x3F

10020E14 8B45 10 mov eax,dword ptr ss:[ebp+0x10]

10020E17 0345 F8 add eax,dword ptr ss:[ebp-0x8]

10020E1A 8B0D 8CD00210 mov ecx,dword ptr ds:[0x1002D08C]

10020E20 8A1411 mov dl,byte ptr ds:[ecx+edx]

10020E23 8850 01 mov byte ptr ds:[eax+0x1],dl  ; pOut[out+1] = table[next 6 bits]

10020E26 8B45 EC mov eax,dword ptr ss:[ebp-0x14]

10020E29 C1F8 06 sar eax,0x6

10020E2C 8945 EC mov dword ptr ss:[ebp-0x14],eax

10020E2F 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]

10020E32 83E1 3F and ecx,0x3F

10020E35 8B55 10 mov edx,dword ptr ss:[ebp+0x10]

10020E38 0355 F8 add edx,dword ptr ss:[ebp-0x8]

10020E3B A1 8CD00210 mov eax,dword ptr ds:[0x1002D08C]

10020E40 8A0C08 mov cl,byte ptr ds:[eax+ecx]

10020E43 880A mov byte ptr ds:[edx],cl  ; pOut[out] = table[top 6 bits]

10020E45 E9 BCFEFFFF jmp 10020D06  ; back to the loop increment

10020E4A 8B55 10 mov edx,dword ptr ss:[ebp+0x10]  ; loop exit

10020E4D 0355 F8 add edx,dword ptr ss:[ebp-0x8]

10020E50 C602 00 mov byte ptr ds:[edx],0x0  ; NUL-terminate the output string

10020E53 8BE5 mov esp,ebp

10020E55 5D pop ebp

10020E56 C3 retn

转换成C后 大概是这样的:


/* The standard Base64 alphabet (indices 0-63) followed by '=' at index 0x40.
   encode() selects index 0x40 when the 2nd or 3rd byte of a group is absent,
   so '=' acts as the padding character. */
char* table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

/*
 * C reconstruction of the exported encode() routine: plain Base64.
 *
 * pwd     input bytes (the password as typed)
 * dwSize  number of input bytes
 * pOut    receives the NUL-terminated encoded text
 *
 * Every group of up to three input bytes becomes four output characters,
 * with the first byte of the group in the most significant position.
 * Nothing bounds the write, so pOut must provide at least
 * 4 * ((dwSize + 2) / 3) + 1 bytes. No key is involved: the output can be
 * reversed by anyone who knows the table.
 *
 * Always returns 0.
 */
DWORD encode(char* pwd, DWORD dwSize, char* pOut)
{
    DWORD out = 0;

    for (DWORD in = 0; in < dwSize; in += 3, out += 4)
    {
        int has_second = (in + 1 < dwSize);
        int has_third = (in + 2 < dwSize);

        /* Pack the group into 24 bits; missing bytes contribute zero bits. */
        DWORD group = (DWORD)(pwd[in] & 0xFF) << 16;
        if (has_second)
        {
            group |= (DWORD)(pwd[in + 1] & 0xFF) << 8;
        }
        if (has_third)
        {
            group |= (DWORD)(pwd[in + 2] & 0xFF);
        }

        /* Index 0x40 is the '=' entry, used where an input byte was missing. */
        pOut[out + 3] = table[has_third ? (group & 0x3F) : 0x40];
        pOut[out + 2] = table[has_second ? ((group >> 6) & 0x3F) : 0x40];
        pOut[out + 1] = table[(group >> 12) & 0x3F];
        pOut[out] = table[(group >> 18) & 0x3F];
    }

    pOut[out] = 0;
    return 0;
}

这样看起来就很清晰了,简单的说明一下这个加密

它将密码按每3个字节划分为一组,每组加密成4个字节的密文,因此密文长度必定是4的倍数

加密流程:

最终值 = 得到明文3 - 左移8位 - 或上明文2 - 左移8位 - 或上明文1

然后将 最终值 分为4个6位的值,这个值是个索引,拿去table里找对应的字符

再将字符填充到密文里。这其实就是标准的 Base64 编码(一组不足3个字节时,缺少的位置用 table[0x40] 即 '=' 填充):它不使用任何密钥,只是可逆的编码而不是真正的加密,保存口令应使用带盐的慢哈希。

下边是解密代码:


/* Same string as the encoder's table: the Base64 alphabet at indices 0-63
   and '=' at index 64. GetIndex() searches it, so '=' maps to 64. */
char* table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

/*
 * Return the position of ch inside table.
 *
 * Yields 0..63 for alphabet characters and 64 for '='. A character that
 * does not occur in table (including '\0') yields -1 converted to DWORD,
 * i.e. the largest DWORD value.
 */
DWORD GetIndex(char ch)
{
    /* Walk the table up to, but not including, its terminating NUL. */
    for (const char *p = table; *p != '\0'; ++p)
    {
        if (*p == ch)
        {
            return (DWORD)(p - table);
        }
    }

    return (DWORD)-1;
}

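/*
 * Inverse of encode(): turn Base64 text back into the original bytes.
 *
 * pwd   NUL-terminated Base64 string; a well-formed one has a length that
 *       is a multiple of 4.
 * pOut  Receives the decoded bytes followed by a NUL terminator. Nothing
 *       bounds the write, so the caller must provide at least
 *       3 * (strlen(pwd) / 4) + 1 bytes.
 *
 * Decoding stops at the first group that carries '=' padding, contains a
 * character outside table, or has fewer than four characters left.
 */
void decode(char* pwd, char *pOut)
{
    DWORD dwSize = strlen(pwd);
    DWORD j = 0;

    /* Only full 4-character groups are read, so pwd is never indexed past
       its terminator when the length is not a multiple of 4. */
    for (DWORD i = 0; dwSize - i >= 4; i += 4)
    {
        DWORD idx[4];
        int nBytes = 3;
        int bValid = 1;

        for (int k = 0; k < 4; k++)
        {
            idx[k] = GetIndex(pwd[i + k]);

            /* GetIndex yields (DWORD)-1 for a character not in table. */
            if (idx[k] > 0x40)
            {
                bValid = 0;
            }
        }

        /* '=' (index 0x40) is padding: legal only in the last position, or
           in the last two positions together. */
        if (!bValid || idx[0] == 0x40 || idx[1] == 0x40 ||
            (idx[2] == 0x40 && idx[3] != 0x40))
        {
            break;
        }

        /* Padding stands for "no byte". Left at 0x40 it would set a bit in
           the neighbouring sextet and produce stray output bytes. */
        if (idx[3] == 0x40)
        {
            idx[3] = 0;
            nBytes = 2;
        }
        if (idx[2] == 0x40)
        {
            idx[2] = 0;
            nBytes = 1;
        }

        DWORD dwVal = ((idx[0] << 6 | idx[1]) << 6 | idx[2]) << 6 | idx[3];

        pOut[j++] = (char)(dwVal >> 16 & 0xFF);
        if (nBytes > 1)
        {
            pOut[j++] = (char)(dwVal >> 8 & 0xFF);
        }
        if (nBytes > 2)
        {
            pOut[j++] = (char)(dwVal & 0xFF);
        }

        /* A padded group is always the last one. */
        if (nBytes < 3)
        {
            break;
        }
    }

    /* encode() terminates its output; do the same so the result is a string. */
    pOut[j] = 0;
}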

大概就是这样了,没啥难度,很久没发帖了,发一个记录下。
