协同拨号器2.7账号密码加密分析

This is By FLYZER0    2011-5


;Initialise the file record: open Record.txt, read it into a stack buffer, then decode it
0041B05C  |.  68 4C7B4400   PUSH GHCADail.00447B4C                   ; |rb  (mode string)
0041B061  |.  8D5424 24     LEA EDX,DWORD PTR SS:[ESP+24]            ; |EDX = address of a stack local
0041B065  |.  68 407B4400   PUSH GHCADail.00447B40                   ; |Record.txt  (file name)
0041B06A  |.  52            PUSH EDX                                 ; |Arg1 = that local's address
0041B06B  |.  E8 A0390000   CALL GHCADail.0041EA10                   ; \GHCADail.0041EA10 - presumably an fopen_s-style open; TODO confirm
0041B070  |.  8B4424 2C     MOV EAX,DWORD PTR SS:[ESP+2C]            ;  same local as ESP+24 above (two pushes later): the value the call stored
0041B074  |.  83C4 24       ADD ESP,24
0041B077  |.  85C0          TEST EAX,EAX
0041B079  |.  0F84 D1000000 JE GHCADail.0041B150                     ;  zero -> skip the read and the decode
0041B07F  |.  53            PUSH EBX
0041B080  |.  57            PUSH EDI
0041B081  |.  50            PUSH EAX                                 ;  the value tested above (file handle, presumably)
0041B082  |.  68 00020000   PUSH 200
0041B087  |.  8D8424 040400>LEA EAX,DWORD PTR SS:[ESP+404]
0041B08E  |.  6A 02         PUSH 2
0041B090  |.  50            PUSH EAX                                 ;  buffer that receives the Record.txt contents
0041B091  |.  E8 82380000   CALL GHCADail.0041E918                   ;  presumably fread(buffer, 2, 200h, handle); TODO confirm
0041B096  |.  8B4C24 20     MOV ECX,DWORD PTR SS:[ESP+20]
0041B09A  |.  51            PUSH ECX
0041B09B  |.  E8 3F350000   CALL GHCADail.0041E5DF                   ;  presumably closes the file; TODO confirm
0041B0A0  |.  83C4 14       ADD ESP,14                               ;  drops the five arguments pushed since 0041B081
0041B0A3  |.  8D7C24 14     LEA EDI,DWORD PTR SS:[ESP+14]            ;  EDI = output buffer for the decoder
0041B0A7  |.  8D8424 FC0300>LEA EAX,DWORD PTR SS:[ESP+3FC]           ;  EAX = the buffer filled above (ESP+404 at 0041B087, 8 bytes deeper)
0041B0AE  |.  E8 8DFEFFFF   CALL GHCADail.0041AF40                   ;  core decode routine


;The basic encryption: WORD-wise XOR of the record against a fixed table (EAX = input, EDI = output)
0041AF40  /$  0FB710        MOVZX EDX,WORD PTR DS:[EAX]              ;  EAX = address of the Record.txt data in memory; EDX = its first WORD (starting key index)
0041AF43  |.  8D48 02       LEA ECX,DWORD PTR DS:[EAX+2]             ;  ECX -> second WORD of the data
0041AF46  |.  66:8B0455 801>MOV AX,WORD PTR DS:[EDX*2+451780]        ;  key WORD at index EDX
0041AF4E  |.  66:3301       XOR AX,WORD PTR DS:[ECX]
0041AF51  |.  66:8907       MOV WORD PTR DS:[EDI],AX                 ;  first output WORD
0041AF54  |.  74 2B         JE SHORT GHCADail.0041AF81               ;  ZF comes from the XOR: a zero result returns at once
0041AF56  |.  53            PUSH EBX
0041AF57  |.  56            PUSH ESI
0041AF58  |.  8BF7          MOV ESI,EDI                              ;  Key Data=(451780~45197F)
0041AF5A  |.  2BF1          SUB ESI,ECX                              ;  ESI = output - input, so [ESI+ECX] below addresses the output
0041AF5C  |.  8D6424 00     LEA ESP,DWORD PTR SS:[ESP]               ;  leaves ESP unchanged
0041AF60  |>  8D42 01       /LEA EAX,DWORD PTR DS:[EDX+1]            ;  eax = edx + 1 (next key index)
0041AF63  |.  99            |CDQ                                     ;  sign-extend eax into edx; edx = 0 here because eax is not negative
0041AF64  |.  BB FF010000   |MOV EBX,1FF                             ;  ebx=1FF
0041AF69  |.  F7FB          |IDIV EBX                                ;  edx = (index + 1) mod 1FF (remainder), eax = quotient
0041AF6B  |.  83C1 02       |ADD ECX,2                               ;  ecx+=2 (next input WORD)
0041AF6E  |.  66:8B0455 801>|MOV AX,WORD PTR DS:[EDX*2+451780]       ;  key WORD for the next group
0041AF76  |.  66:3301       |XOR AX,WORD PTR DS:[ECX]                ;  key xor
0041AF79  |.  66:89040E     |MOV WORD PTR DS:[ESI+ECX],AX            ;  store the output WORD; MOV leaves the flags alone, so ZF is still the XOR's: ax == 0 ends the account decoding
0041AF7D  |.^ 75 E1         \JNZ SHORT GHCADail.0041AF60
0041AF7F  |.  5E            POP ESI
0041AF80  |.  5B            POP EBX
0041AF81  |>  8BC7          MOV EAX,EDI                              ;  return value = output buffer
0041AF83  \.  C3            RETN
;451780 ~ 45197F: the key, length 1FF
;NOTE(review): 451780..45197F spans 200h bytes (100h WORDs), while the loop above indexes WORDs with remainders up to 1FE - confirm how far the table really extends
;C32ASM C Format Data
0x62,  0x00,  0x15,  0x00,  0x56,  0x00,  0x7B,  0x00,  0x14,  0x00,  0x00,  0x00,  0x0F,  0x00,  0x77,  0x00,  0x73,  0x00,  0x04,  0x00,  0x42,  0x00,  0x5C,  0x00,  0x5A,  0x00,  0x3D,  0x00,  0x75,  0x00,  0x2D,  0x00,  0x1D,  0x00,  0x2E,  0x00,  0x09,  0x00,  0x28,  0x00,  0x2A,  0x00,  0x3B,  0x00,  0x3F,  0x00,  0x30,  0x00,  0x4B,  0x00,  0x0A,  0x00,  0x19,  0x00,  0x56,  0x00,  0x2E,  0x00,  0x1F,  0x00,  0x59,  0x00,  0x10,  0x00,  0x35,  0x00,  0x30,  0x00,  0x0B,  0x00,  0x49,  0x00,  0x30,  0x00,  0x1A,  0x00,  0x40,  0x00,  0x23,  0x00,  0x1E,  0x00,  0x02,  0x00,  0x7F,  0x00,  0x78,  0x00,  0x40,  0x00,  0x74,  0x00,  0x25,  0x00,  0x5D,  0x00,  0x23,  0x00,  0x2E,  0x00,  0x05,  0x00,  0x4D,  0x00,  0x69,  0x00,  0x44,  0x00,  0x7D,  0x00,  0x34,  0x00,  0x4E,  0x00,  0x16,  0x00,  0x0A,  0x00,  0x7C,  0x00,  0x36,  0x00,  0x64,  0x00,  0x0C,  0x00,  0x6B,  0x00,  0x14,  0x00,  0x18,  0x00,  0x34,  0x00,  0x44,  0x00,  0x32,  0x00,  0x74,  0x00,  0x67,  0x00,  0x51,  0x00,  0x77,  0x00,  0x66,  0x00,  0x49,  0x00,  0x37,  0x00,  0x5A,  0x00,  0x6F,  0x00,  0x14,  0x00,  0x7D,  0x00,  0x1D,  0x00,  0x19,  0x00,  0x4B,  0x00,  0x07,  0x00,  0x5D,  0x00,  0x48,  0x00,  0x3B,  0x00,  0x2B,  0x00,  0x5F,  0x00,  0x46,  0x00,  0x28,  0x00,  0x15,  0x00,  0x2A,  0x00,  0x34,  0x00,  0x00,  0x00,  0x3E,  0x00,  0x4C,  0x00,  0x34,  0x00,  0x02,  0x00,  0x7F,  0x00,  0x28,  0x00,  0x69,  0x00,  0x50,  0x00,  0x1F,  0x00,  0x4F,  0x00,  0x19,  0x00,  0x56,  0x00,  0x29,  0x00,  0x08,  0x00,  0x6A,  0x00,  0x27,  0x00,  0x26,  0x00,  0x03,  0x00,  0x72,  0x00,  0x2D,  0x00,  0x60,  0x00,  0x3A,  0x00,  0x68,  0x00,  0x0C,  0x00,  0x19,  0x00,  0x2E,  0x00,  0x34,  0x00,  0x2E,  0x00,  0x58,  0x00,  0x68,  0x00,  0x2E,  0x00,  0x16,  0x00,  0x35,  0x00,  0x62,  0x00,  0x18,  0x00,  0x34,  0x00,  0x0B,  0x00,  0x01,  0x00,  0x04,  0x00,  0x2A,  0x00,  0x50,  0x00,  0x1D,  0x00,  0x01,  0x00,  0x7A,  0x00,  0x26,  0x00,  0x6B,  0x00,  0x21,  0x00,  0x4C,  
0x00,  0x6F,  0x00,  0x13,  0x00,  0x79,  0x00,  0x4F,  0x00,  0x4D,  0x00,  0x61,  0x00,  0x5B,  0x00,  0x67,  0x00,  0x10,  0x00,  0x0F,  0x00,  0x15,  0x00,  0x68,  0x00,  0x78,  0x00,  0x44,  0x00,  0x7F,  0x00,  0x2D,  0x00,  0x26,  0x00,  0x17,  0x00,  0x61,  0x00,  0x31,  0x00,  0x19,  0x00,  0x65,  0x00,  0x5C,  0x00,  0x69,  0x00,  0x02,  0x00,  0x5D,  0x00,  0x63,  0x00,  0x28,  0x00,  0x48,  0x00,  0x04,  0x00,  0x74,  0x00,  0x37,  0x00,  0x17,  0x00,  0x6D,  0x00,  0x07,  0x00,  0x65,  0x00,  0x4F,  0x00,  0x62,  0x00,  0x4C,  0x00,  0x5F,  0x00,  0x72,  0x00,  0x61,  0x00,  0x47,  0x00,  0x6A,  0x00,  0x25,  0x00,  0x46,  0x00,  0x17,  0x00,  0x4C,  0x00,  0x5E,  0x00,  0x78,  0x00,  0x7D,  0x00,  0x77,  0x00,  0x5D,  0x00,  0x59,  0x00,  0x60,  0x00,  0x5F,  0x00,  0x36,  0x00,  0x44,  0x00,  0x08,  0x00,  0x7F,  0x00,  0x48,  0x00,  0x7C,  0x00,  0x36,  0x00,  0x60,  0x00,  0x6A,  0x00,  0x3D,  0x00,  0x45,  0x00,  0x39,  0x00,  0x20,  0x00,  0x11,  0x00,  0x18,  0x00,  0x12,  0x00,  0x72,  0x00,  0x5F,  0x00,  0x7C,  0x00,  0x18,  0x00,  0x26,  0x00,  0x13,  0x00,  0x64,  0x00,  0x04,  0x00,  0x0B,  0x00,  0x61,  0x00,  0x7B,  0x00,  0x68,  0x00,  0x3B,  0x00,  0x5B,  0x00,  0x47,  0x00,  0x71,  0x00,  0x1F,  0x00,  0x4F,  0x00,  0x70,  0x00,  0x68,  0x00,  0x4C,  0x00,  0x27,  0x00,  0x48,  0x00,  0x36,  0x00,  0x64,  0x00,  0x0D,  0x00,  0x6F,  0x00,  0x04,  0x00,  0x1E,  0x00,  0x07,  0x00,  0x16,  0x00,  0x10,  0x00,  0x66,  0x00,  0x12,  0x00,  0x28,  0x00,  0x0C,  0x00,  0x25,  0x00,  0x0C,  0x00,  0x10,  0x00,  0x30,  0x00,  0x6E,  0x00,
// ghca_crack.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include "windows.h"

// Working state shared with _tmain
unsigned int i=0;	// byte offset into fbuffer for the next WORD read; i-1 is the userpwd slot written

WORD userpwd[256]={0}; // decoded account data, one WORD (UTF-16 unit) per character
char userpwdasc[256]={0};  // the same data converted to the ANSI code page for printing

unsigned char fbuffer[256]={0}; // in-memory buffer for the bytes read from the file
WORD *gaddress;		   // points at the gkey WORD selected for the current step
// The key table: 32 rows x 16 bytes = 512 bytes, read as 256 WORDs (every second byte is 0x00).
// It is the dump of 451780~45197F from the client binary, so the XOR over Record.txt is
// obfuscation with a constant shipped in every install, not encryption under a secret key;
// treat the file as plaintext-equivalent credentials.
// NOTE(review): the routine at 0041AF40 reduces its index mod 0x1FF, i.e. up to WORD 0x1FE,
// which is past the 256 WORDs dumped here - confirm whether the table continues after 45197F.
unsigned char gkey[]={		  
					  0x62,0x00,0x15,0x00,0x56,0x00,0x7B,0x00,0x14,0x00,0x00,0x00,0x0F,0x00,0x77,0x00,
					  0x73,0x00,0x04,0x00,0x42,0x00,0x5C,0x00,0x5A,0x00,0x3D,0x00,0x75,0x00,0x2D,0x00,
					  0x1D,0x00,0x2E,0x00,0x09,0x00,0x28,0x00,0x2A,0x00,0x3B,0x00,0x3F,0x00,0x30,0x00,
					  0x4B,0x00,0x0A,0x00,0x19,0x00,0x56,0x00,0x2E,0x00,0x1F,0x00,0x59,0x00,0x10,0x00,
					  0x35,0x00,0x30,0x00,0x0B,0x00,0x49,0x00,0x30,0x00,0x1A,0x00,0x40,0x00,0x23,0x00,
					  0x1E,0x00,0x02,0x00,0x7F,0x00,0x78,0x00,0x40,0x00,0x74,0x00,0x25,0x00,0x5D,0x00,
					  0x23,0x00,0x2E,0x00,0x05,0x00,0x4D,0x00,0x69,0x00,0x44,0x00,0x7D,0x00,0x34,0x00,
					  0x4E,0x00,0x16,0x00,0x0A,0x00,0x7C,0x00,0x36,0x00,0x64,0x00,0x0C,0x00,0x6B,0x00,
					  0x14,0x00,0x18,0x00,0x34,0x00,0x44,0x00,0x32,0x00,0x74,0x00,0x67,0x00,0x51,0x00,
					  0x77,0x00,0x66,0x00,0x49,0x00,0x37,0x00,0x5A,0x00,0x6F,0x00,0x14,0x00,0x7D,0x00,
					  0x1D,0x00,0x19,0x00,0x4B,0x00,0x07,0x00,0x5D,0x00,0x48,0x00,0x3B,0x00,0x2B,0x00,
					  0x5F,0x00,0x46,0x00,0x28,0x00,0x15,0x00,0x2A,0x00,0x34,0x00,0x00,0x00,0x3E,0x00,
					  0x4C,0x00,0x34,0x00,0x02,0x00,0x7F,0x00,0x28,0x00,0x69,0x00,0x50,0x00,0x1F,0x00,
					  0x4F,0x00,0x19,0x00,0x56,0x00,0x29,0x00,0x08,0x00,0x6A,0x00,0x27,0x00,0x26,0x00,
					  0x03,0x00,0x72,0x00,0x2D,0x00,0x60,0x00,0x3A,0x00,0x68,0x00,0x0C,0x00,0x19,0x00,
					  0x2E,0x00,0x34,0x00,0x2E,0x00,0x58,0x00,0x68,0x00,0x2E,0x00,0x16,0x00,0x35,0x00,
					  0x62,0x00,0x18,0x00,0x34,0x00,0x0B,0x00,0x01,0x00,0x04,0x00,0x2A,0x00,0x50,0x00,
					  0x1D,0x00,0x01,0x00,0x7A,0x00,0x26,0x00,0x6B,0x00,0x21,0x00,0x4C,0x00,0x6F,0x00,
					  0x13,0x00,0x79,0x00,0x4F,0x00,0x4D,0x00,0x61,0x00,0x5B,0x00,0x67,0x00,0x10,0x00,
					  0x0F,0x00,0x15,0x00,0x68,0x00,0x78,0x00,0x44,0x00,0x7F,0x00,0x2D,0x00,0x26,0x00,
					  0x17,0x00,0x61,0x00,0x31,0x00,0x19,0x00,0x65,0x00,0x5C,0x00,0x69,0x00,0x02,0x00,
					  0x5D,0x00,0x63,0x00,0x28,0x00,0x48,0x00,0x04,0x00,0x74,0x00,0x37,0x00,0x17,0x00,
					  0x6D,0x00,0x07,0x00,0x65,0x00,0x4F,0x00,0x62,0x00,0x4C,0x00,0x5F,0x00,0x72,0x00,
					  0x61,0x00,0x47,0x00,0x6A,0x00,0x25,0x00,0x46,0x00,0x17,0x00,0x4C,0x00,0x5E,0x00,
					  0x78,0x00,0x7D,0x00,0x77,0x00,0x5D,0x00,0x59,0x00,0x60,0x00,0x5F,0x00,0x36,0x00,
					  0x44,0x00,0x08,0x00,0x7F,0x00,0x48,0x00,0x7C,0x00,0x36,0x00,0x60,0x00,0x6A,0x00,
					  0x3D,0x00,0x45,0x00,0x39,0x00,0x20,0x00,0x11,0x00,0x18,0x00,0x12,0x00,0x72,0x00,
					  0x5F,0x00,0x7C,0x00,0x18,0x00,0x26,0x00,0x13,0x00,0x64,0x00,0x04,0x00,0x0B,0x00,
					  0x61,0x00,0x7B,0x00,0x68,0x00,0x3B,0x00,0x5B,0x00,0x47,0x00,0x71,0x00,0x1F,0x00,
					  0x4F,0x00,0x70,0x00,0x68,0x00,0x4C,0x00,0x27,0x00,0x48,0x00,0x36,0x00,0x64,0x00,
					  0x0D,0x00,0x6F,0x00,0x04,0x00,0x1E,0x00,0x07,0x00,0x16,0x00,0x10,0x00,0x66,0x00,
					  0x12,0x00,0x28,0x00,0x0C,0x00,0x25,0x00,0x0C,0x00,0x10,0x00,0x30,0x00,0x6E,0x00,
					};
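/*
 * Decode the account record stored in Record.txt (opened relative to the
 * current directory) and print it to the console.
 *
 * File layout as this program reads it: two header WORDs, then one WORD per
 * character. Byte 0 of the header is the running index into gkey; every
 * following WORD has its low byte XORed with the next key WORD, and a zero
 * result ends the text.
 *
 * argc/argv are unused. Always returns 0, after waiting for Enter.
 */
int _tmain(int argc, _TCHAR* argv[])
{
	printf(" 协同拨号器-密码破解 in vs.net 2003 By FLYZER0\n\n");

	// Open the record file
	FILE* fp = fopen("Record.txt","rb");
	if(fp != NULL){
		// Header: two WORDs land in fbuffer[0..3]. A file too short to hold
		// them decodes to an empty string.
		if(fread(fbuffer,sizeof(WORD),2,fp) == 2){
			i = 2;

			// Record.txt is external input, so its size must not drive the
			// writes: each pass stores two bytes at fbuffer[i..i+1] and one
			// WORD at userpwd[i-1]. Stopping while both fit also leaves the
			// last elements of userpwd at 0, which keeps the text terminated.
			while(i + sizeof(WORD) <= sizeof(fbuffer)){
				// Test the read itself: feof() only turns true after a read
				// has already failed, which decoded one stale byte at EOF.
				if(fread(fbuffer+i,sizeof(WORD),1,fp) != 1){
					break;
				}

				// Advance the key index.
				// NOTE(review): fbuffer[0] is an unsigned char, so it wraps at
				// 256 and the %= 0x1FF never changes it; the routine at
				// 0041AF40 keeps a WORD-sized index mod 0x1FF. gkey holds
				// only 256 WORDs, so the index is left byte-wide here.
				fbuffer[0]++;
				fbuffer[0]%=0x1FF;
				gaddress=(WORD*)gkey+fbuffer[0];

				userpwd[i-1]=*gaddress^fbuffer[i];
				// A zero result marks the end of the stored text
				if(userpwd[i-1]==0){
					break;
				}
				i++;
			}
		}
		fclose(fp);

		// userpwd holds UTF-16; convert it to the ANSI code page for printf.
		// Passing -1 stops at the terminating 0 instead of reading
		// sizeof(userpwd)/2 WORDs from userpwd+1, which ran one WORD past the
		// array. The output size leaves the final byte of userpwdasc at 0 so
		// printf sees a terminator even when the conversion fills the buffer.
		WideCharToMultiByte(CP_ACP,0,(LPCWSTR)userpwd+1,-1,userpwdasc,sizeof(userpwdasc)-1,NULL,NULL);
		printf("%s\n\n",userpwdasc);

	}else{
		printf("文件打开失败,请确认是否放到该目录下面.\n\n");
	}

	printf("回车键退出。。。");
	getchar();
	return 0;
}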

