密码包的构造过程:
密码包的构造代码用同样的方法定位到,反汇编如下:
CPU Disasm
Address Hex dump Command Comments
00408E70 /$ 81EC 40060000 SUB ESP,640 ; 构造密码包ORZ~~~
00408E76 |. A1 A0984100 MOV EAX,DWORD PTR DS:[4198A0]
00408E7B |. 66:8B0D A4984 MOV CX,WORD PTR DS:[4198A4]
00408E82 |. 56 PUSH ESI
00408E83 |. 57 PUSH EDI
00408E84 |. 894424 6C MOV DWORD PTR SS:[LOCAL.374],EAX
00408E88 |. 66:894C24 70 MOV WORD PTR SS:[LOCAL.373],CX ; 写入服务器MAC
00408E8D |. E8 4E87FFFF CALL 004015E0 ; [mycrack.004015E0
00408E92 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
00408E94 |. 895424 72 MOV DWORD PTR SS:[ESP+72],EDX ; 写入本机MAC
00408E98 |. 66:8B40 04 MOV AX,WORD PTR DS:[EAX+4]
00408E9C |. 66:894424 76 MOV WORD PTR SS:[LOCAL.372+2],AX
00408EA1 |. C64424 78 88 MOV BYTE PTR SS:[LOCAL.371],88
00408EA6 |. C64424 79 8E MOV BYTE PTR SS:[LOCAL.371+1],8E
00408EAB |. C64424 7B 00 MOV BYTE PTR SS:[LOCAL.371+3],0
00408EB0 |. C64424 7A 01 MOV BYTE PTR SS:[LOCAL.371+2],1
00408EB5 |. C64424 7E 02 MOV BYTE PTR SS:[LOCAL.370+2],2
00408EBA |. E8 3184FFFF CALL 004012F0 ; [mycrack.004012F0, 获取ID
00408EBF |. 8D8C24 820000 LEA ECX,[LOCAL.369+2]
00408EC6 |. 51 PUSH ECX ; /Arg1
00408EC7 |. 888424 830000 MOV BYTE PTR SS:[LOCAL.370+3],AL ; |
00408ECE |. E8 7DFDFFFF CALL 00408C50 ; /mycrack.00408C50, 写入type_data,关键CALL
00408ED3 |. 8BF0 MOV ESI,EAX
00408ED5 |. 83C4 04 ADD ESP,4
00408ED8 |. 8D7E 04 LEA EDI,[ESI+4] ; (type_data+type)+4byte的length
00408EDB |. 57 PUSH EDI
00408EDC |. E8 71410000 CALL <JMP.&ws2_32.htons> ; Jump to ws2_32.ntohs
00408EE1 |. 57 PUSH EDI
00408EE2 |. 66:898424 800 MOV WORD PTR SS:[ESP+80],AX ; 填入length
00408EEA |. E8 63410000 CALL <JMP.&ws2_32.htons> ; Jump to ws2_32.ntohs
00408EEF |. 0FB65424 7F MOVZX EDX,BYTE PTR SS:[ARG.31+3]
00408EF4 |. 52 PUSH EDX
00408EF5 |. 66:898424 840 MOV WORD PTR SS:[ARG.33],AX ; 填入length
00408EFD |. 8D4424 0C LEA EAX,[ARG.3]
00408F01 |. 68 14664100 PUSH OFFSET mycrack.00416614 ; ASCII "SEND : RSP/AUTH ID(%d)
"
00408F06 |. 50 PUSH EAX
00408F07 |. E8 31430000 CALL 0040D23D
00408F0C |. 8D4C24 14 LEA ECX,[ARG.5]
00408F10 |. 68 08000088 PUSH 88000008 ; /Arg2 = 88000008
00408F15 |. 51 PUSH ECX ; |Arg1
00408F16 |. E8 350E0000 CALL 00409D50 ; /mycrack.00409D50
00408F1B |. 8B0D 68654100 MOV ECX,DWORD PTR DS:[416568] ; 填入尾部
00408F21 |. 83C6 16 ADD ESI,16
00408F24 |. 8D8434 800000 LEA EAX,[ESI+ESP+80]
00408F2B |. 8BD0 MOV EDX,EAX
00408F2D |. 890A MOV DWORD PTR DS:[EDX],ECX
00408F2F |. 8B0D 6C654100 MOV ECX,DWORD PTR DS:[41656C] ; ASCII "age"
00408F35 |. 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
00408F38 |. 83C6 0C ADD ESI,0C
00408F3B |. 8D9424 800000 LEA EDX,[ARG.32]
00408F42 |. 56 PUSH ESI
00408F43 |. 52 PUSH EDX
00408F44 |. C740 08 00000 MOV DWORD PTR DS:[EAX+8],0
00408F4B |. E8 C0320000 CALL 0040C210 ; 发送密码包ORZ~~~
00408F50 |. A1 10B24100 MOV EAX,DWORD PTR DS:[41B210]
其他字段都简单明了,只剩 trailer 段需要继续分析了。
跟入 00408ECE 处的 CALL 00408C50,单步几步:
00408C7F |. 6A 64 PUSH 64 ; /Arg2 = 64
00408C81 |. 50 PUSH EAX ; |Arg1 => OFFSET LOCAL.46
00408C82 |. E8 E986FFFF CALL 00401370 ; /mycrack.00401370, 获取request中的TYPE_DATA
……………………..
00408C94 |> 0FB6540C 1C /MOVZX EDX,BYTE PTR SS:[ECX+ESP+1C] ; 累加request中type_data的密匙
00408C99 |. 03C2 |ADD EAX,EDX
00408C9B |. 41 |INC ECX
00408C9C |. 3BCE |CMP ECX,ESI
00408C9E |.^ 7C F4 /JL SHORT 00408C94
00408CA0 |> 99 CDQ ; edi=累加值%0x0a
00408CA1 |. B9 0A000000 MOV ECX,0A
00408CA6 |. F7F9 IDIV ECX
00408CA8 |. 8BFA MOV EDI,EDX
00408CAA |. E8 4186FFFF CALL 004012F0 ; [mycrack.004012F0, 获取ID
00408CAF |. 8D9424 800000 LEA EDX,[LOCAL.21]
00408CB6 |. 52 PUSH EDX
00408CB7 |. 884434 20 MOV BYTE PTR SS:[ESI+ESP+20],AL ; 填入id
………………
00408CD4 |. 8D9424 900000 LEA EDX,[LOCAL.21]
00408CDB |. 52 PUSH EDX ; /Arg2 => OFFSET LOCAL.21
00408CDC |. 8D4424 20 LEA EAX,[LOCAL.50] ; |
00408CE0 |. 50 PUSH EAX ; |Arg1 => OFFSET LOCAL.50
00408CE1 |. E8 DA1B0000 CALL 0040A8C0 ; MD5final函数
前面这段代码把服务器发来的第2个request包中的type_data逐字节累加,再对0xA取余(即累加和换算成十进制后的个位数),把这个余数保存起来供后面使用;然后对type_data的16个字节后面再加上包中的ID值(第17个字节)计算MD5,接着看后面的代码。
00408CEE |. 8D8F C9644100 LEA ECX,[EDI+4164C9] ; ASCII "se md5 error!!"
00408CF4 |> 8A5401 FF /MOV DL,BYTE PTR DS:[EAX+ECX-1] ; 哈希表位置4164c8+esi>>4
00408CF8 |. 8A5C04 0C |MOV BL,BYTE PTR SS:[EAX+ESP+0C] ; 按位异或
00408CFC |. 32DA |XOR BL,DL
00408CFE |. 8A1401 |MOV DL,BYTE PTR DS:[EAX+ECX]
00408D01 |. 885C04 0C |MOV BYTE PTR SS:[EAX+ESP+0C],BL
00408D05 |. 8A5C04 0D |MOV BL,BYTE PTR SS:[EAX+ESP+0D]
00408D09 |. 32DA |XOR BL,DL
00408D0B |. 8A5401 01 |MOV DL,BYTE PTR DS:[EAX+ECX+1]
00408D0F |. 885C04 0D |MOV BYTE PTR SS:[EAX+ESP+0D],BL
00408D13 |. 8A5C04 0E |MOV BL,BYTE PTR SS:[EAX+ESP+0E]
00408D17 |. 32DA |XOR BL,DL
00408D19 |. 8A5401 02 |MOV DL,BYTE PTR DS:[EAX+ECX+2]
00408D1D |. 885C04 0E |MOV BYTE PTR SS:[EAX+ESP+0E],BL
00408D21 |. 305404 0F |XOR BYTE PTR SS:[EAX+ESP+0F],DL
00408D25 |. 83C0 04 |ADD EAX,4
00408D28 |. 83F8 10 |CMP EAX,10
00408D2B |.^ 7C C7 /JL SHORT 00408CF4
00408D2D |. E8 BE8FFFFF CALL 00401CF0 ; [mycrack.00401CF0, 获取密码
这里从4164C8开始的0xA0个字节(余数最大为9,左移4位即乘以16得到0x90,再加上最后的16个字节,共0xA0个字节)被当作哈希表使用,把前面的MD5结果与之异或后得到新的16字节密钥,然后取出密码,与这个新密钥进行异或,代码如下:
00408D92 |> /33C0 /XOR EAX,EAX ; 异或密码与密匙16字节
00408D94 |> |8A5404 0C |/MOV DL,BYTE PTR SS:[EAX+ESP+0C]
00408D98 |. |8A5C01 FF ||MOV BL,BYTE PTR DS:[EAX+ECX-1]
00408D9C |. |32DA ||XOR BL,DL
00408D9E |. |8A5404 0D ||MOV DL,BYTE PTR SS:[EAX+ESP+0D]
00408DA2 |. |885C01 FF ||MOV BYTE PTR DS:[EAX+ECX-1],BL
00408DA6 |. |8A1C01 ||MOV BL,BYTE PTR DS:[EAX+ECX]
00408DA9 |. |32DA ||XOR BL,DL
00408DAB |. |8A5404 0E ||MOV DL,BYTE PTR SS:[EAX+ESP+0E]
00408DAF |. |881C01 ||MOV BYTE PTR DS:[EAX+ECX],BL
00408DB2 |. |8A5C01 01 ||MOV BL,BYTE PTR DS:[EAX+ECX+1]
00408DB6 |. |32DA ||XOR BL,DL
00408DB8 |. |8A5404 0F ||MOV DL,BYTE PTR SS:[EAX+ESP+0F]
00408DBC |. |885C01 01 ||MOV BYTE PTR DS:[EAX+ECX+1],BL
00408DC0 |. |305401 02 ||XOR BYTE PTR DS:[EAX+ECX+2],DL
00408DC4 |. |83C0 04 ||ADD EAX,4
00408DC7 |. |83F8 10 ||CMP EAX,10
00408DCA |.^|7C C8 |/JL SHORT 00408D94
00408DCC |. |83C1 10 |ADD ECX,10
00408DCF |. |4F |DEC EDI
00408DD0 |.^/75 C0 /JNE SHORT 00408D92
00408DD2 |> 8B9424 DC0000 MOV EDX,DWORD PTR SS:[ARG.1]
00408DD9 |. 8D46 02 LEA EAX,[ESI+2]
00408DDC |. C602 99 MOV BYTE PTR DS:[EDX],99 ; type
00408DDF |. 8842 01 MOV BYTE PTR DS:[EDX+1],AL ; response包type_data中的第一个字节
00408DE2 |. 8BC8 MOV ECX,EAX ; 填入type_data
00408DE4 |. 8D7A 02 LEA EDI,[EDX+2] ; MD5加密结果与密码异或结果一般为16字节,再+1字节的type+1t字节本身
00408DE7 |. 8BD1 MOV EDX,ECX
00408DE9 |. C1E9 02 SHR ECX,2
最后返回到调用函数,填写剩余字段并发送:
00408F1B |. 8B0D 68654100 MOV ECX,DWORD PTR DS:[416568] ; 填入尾部
00408F21 |. 83C6 16 ADD ESI,16
00408F24 |. 8D8434 800000 LEA EAX,[ESI+ESP+80]
00408F2B |. 8BD0 MOV EDX,EAX
00408F2D |. 890A MOV DWORD PTR DS:[EDX],ECX
00408F2F |. 8B0D 6C654100 MOV ECX,DWORD PTR DS:[41656C] ; ASCII "age"
00408F35 |. 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
00408F38 |. 83C6 0C ADD ESI,0C
00408F3B |. 8D9424 800000 LEA EDX,[ARG.32]
00408F42 |. 56 PUSH ESI
00408F43 |. 52 PUSH EDX
00408F44 |. C740 08 00000 MOV DWORD PTR DS:[EAX+8],0
00408F4B |. E8 C0320000 CALL 0040C210 ; 发送密码包ORZ~~~
到这里,密码包就构造完成了。
附上面的hash表(从4164C8开始的字节,每行16字节;第一行即字符串 "use md5 error!!" 及其结尾的00):
75 73 65 20 6D 64 35 20 65 72 72 6F 72 21 21 00
8B F4 6A 01 A1 00 2C 43 00 50 FF 15 00 68 43 00
3B F4 E8 70 B7 FF FF 8B F4 6A 01 A1 8C 2D 43 00
50 FF 15 00 68 43 00 3B F4 E8 59 B7 FF FF 8B F4
6A 01 A1 98 30 43 00 50 FF 15 00 68 43 00 3B F4
E8 42 B7 FF FF 8B F4 6A 01 A1 10 2C 43 00 50 FF
15 00 68 43 00 3B F4 E8 2B B7 FF FF 8B F4 6A 01
A1 04 2C 43 00 50 FF 15 00 68 43 00 3B F4 E8 14
B7 FF FF 8B F4 6A 01 A1 90 2D 43 00 50 FF 15 00
68 43 00 3B F4 E8 FD B6 FF FF 8B F4 6A 01 A1 F0
下面这个是用户包校验所用的hash表(每行16字节,十六进制):
00000000963007772C610EEEBA510999
19C46D078FF46A7035A563E9A395649E
3288DB0EA4B8DC791EE9D5E088D9D297
2B4CB609BD7CB17E072DB8E7911DBF90
6410B71DF220B06A4871B9F3DE41BE84
7DD4DA1AEBE4DD6D51B5D4F4C785D383
56986C13C0A86B647AF962FDECC9658A
4F5C0114D96C0663633D0FFAF50D088D
C8206E3B5E10694CE44160D5727167A2
D1E4033C47D4044BFD850DD26BB50AA5
FAA8B5356C98B242D6C9BBDB40F9BCAC
E36CD832755CDF45CF0DD6DC593DD1AB
AC30D9263A00DE518051D7C81661D0BF
B5F4B42123C4B3569995BACF0FA5BDB8
9EB802280888055FB2D90CC624E90BB1
877C6F2F114C6858AB1D61C13D2D66B6
9041DC760671DB01BC20D2982A10D5EF
8985B1711FB5B606A5E4BF9F33D4B8E8
A2C9077834F9000F8EA8099618980EE1
BB0D6A7F2D3D6D08976C6491015C63E6
F4516B6B62616C1CD83065854E0062F2
ED95066C7BA5011BC1F4088257C40FF5
C6D9B06550E9B712EAB8BE8B7C88B9FC
DF1DDD62492DDA15F37CD38C654CD4FB
5861B24DCE51B53A7400BCA3E230BBD4
41A5DF4AD795D83D6DC4D1A4FBF4D6D3
6AE96943FCD96E34468867ADD0B860DA
732D0444E51D03335F4C0AAAC97C0DDD
3C710550AA41022710100BBE86200CC9
25B56857B3856F2009D466B99FE461CE
0EF9DE5E98C9D9292298D0B0B4A8D7C7
173DB359810DB42E3B5CBDB7AD6CBAC0
2083B8EDB6B3BF9A0CE2B6039AD2B174
3947D5EAAF77D29D1526DB048316DC73
120B63E3843B64943E6A6D0DA85A6A7A
0BCF0EE49DFF099327AE000AB19E077D
44930FF0D2A3088768F2011EFEC20669
5D5762F7CB67658071366C19E7066B6E
761BD4FEE02BD3895A7ADA10CC4ADD67
6FDFB9F9F9EFBE8E43BEB717D58EB060
E8A3D6D67E93D1A1C4C2D83852F2DF4F
F167BBD16757BCA6DD06B53F4B36B248
DA2B0DD84C1B0AAFF64A0336607A0441
C3EF60DF55DF67A8EF8E6E3179BE6946
8CB361CB1A8366BCA0D26F2536E26852
95770CCC03470BBBB91602222F260555
BE3BBAC5280BBDB2925AB42B046AB35C
A7FFD7C231CFD0B58B9ED92C1DAEDE5B
B0C2649B26F263EC9CA36A750A936D02
A906099C3F360EEB8567077213570005
824ABF95147AB8E2AE2BB17B381BB60C
9B8ED2920DBED5E5B7EFDC7C21DFDB0B
D4D2D38642E2D4F1F8B3DD686E83DA1F
CD16BE815B26B9F6E177B06F7747B718
E65A0888706A0FFFCA3B06665C0B0111
FF9E658F69AE62F8D3FF6B6145CF6C16
78E20AA0EED20DD75483044EC2B30339
612667A7F71660D04D476949DB776E3E
4A6AD1AEDC5AD6D9660BDF40F03BD837