mov ebx,BFLOW
mov eax,ebx
mov edi,offset szText+8
mov ecx,8
@@22:
mov eax,ebx
shl ebx,4
shr eax,28
cmp eax,9
jle @@21
add eax,7
@@21: add eax,30h
and eax,0ffh
stosb
loop @@22
xor eax,eax
mov [edi],eax
invoke SetDlgItemText,hWnd,Edit2,offset szText
mov eax,FALSE
ret
.elseif eax==IDCLOSE
invoke EndDialog,hWnd,NULL
.endif
.else
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret
_ProcDlgMain endp
; Main program: entry point named by the closing "end start" directive.
; Shows the key generator's modal dialog and terminates the process once
; DialogBoxParam returns.
start:
        invoke  InitCommonControls              ; make sure the common-controls library is loaded
        invoke  GetModuleHandle, NULL           ; eax = module handle of this executable
        mov     hInstance, eax                  ; keep a copy in the global hInstance
        ; DLG_MAIN is the dialog resource ID; _ProcDlgMain is the dialog
        ; procedure. eax still holds the handle stored above.
        invoke  DialogBoxParam, eax, DLG_MAIN, NULL, addr _ProcDlgMain, 0
        invoke  ExitProcess, 0                  ; exit code 0
        end     start
end
;资源文件:rsrc.rc
;#include <Resource.h>
;#define IDGEN 10
;#define DLG_MAIN 100
;#define EDIT1 11
;#define EDIT2 12
;
;DLG_MAIN DIALOGEX 100,150,250,60
;STYLE DS_MODALFRAME|WS_POPUP|WS_VISIBLE|WS_CAPTION|WS_SYSMENU|WS_THICKFRAME
;CAPTION "BlowFish's CrackMe KenGen By 夜月[CCG] "
;FONT 9,"宋体"
;
;BEGIN
;CONTROL " ID:",-1,"Static",SS_LEFT,10,13,40,17
;CONTROL "SN:" ,-2,"Static",SS_CENTER,10,40,20,17
;CONTROL "" ,11,"Edit",ES_LEFT,30,13,150,10
;CONTROL "" ,12,"Edit",ES_LEFT,30,40,150,10
;CONTROL "GENERATE",IDGEN,"BUTTON",BS_PUSHBUTTON,200,11,40,15
;CONTROL "EXIT",IDCLOSE,"BUTTON",BS_PUSHBUTTON,200,36,41,14
;END
标 题:BlowFish's CrackMe1 算法分析,以前夜月写过 (18千字)
发信人:DiKeN
时 间:2002-4-11 13:53:00
详细信息:
=========================================================
=
= BlowFish's CrackMe1 验证算法分析
= DiKeN/OCG
=========================================================
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03EB, ""
|
:004015A4 68EB030000 push 000003EB
:004015A9 56 push esi
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:004015AA FF151C614000 Call dword ptr [0040611C]
:004015B0 85C0 test eax, eax
:004015B2 0F8432010000 je 004016EA
:004015B8 8D4C244C lea ecx, dword ptr [esp+4C]
:004015BC 8D542448 lea edx, dword ptr [esp+48]
:004015C0 51 push ecx
:004015C1 52 push edx
:004015C2 8D44240C lea eax, dword ptr [esp+0C]
* Possible StringData Ref from Data Obj ->"%08lX%08lX"
|
:004015C6 686C804000 push 0040806C
:004015CB 50 push eax
:004015CC E81F020000 call 004017F0
:004015D1 8D4C245C lea ecx, dword ptr [esp+5C]
:004015D5 8D542458 lea edx, dword ptr [esp+58]
:004015D9 51 push ecx=========>[ecx]=0x90ABCDEF=xr
:004015DA 52 push edx=========>[edx]=0x12345678=xl
:004015DB 6880894000 push 00408980====>P-Box(密钥盒)
:004015E0 E8EBFAFFFF call 004010D0====>计算Blowfish_Dec(long *xl,long *xr)
======================================BF_Dec过程分析============================
; Routine at 0x004010D0, identified by the article's author as Blowfish block
; decryption. The listing of its helper F (0x00401000) is pasted inline at the
; point where it is called, so this routine continues after the "end F" banner.
;
; Entry stack, as pushed by the caller at 004015D9-004015E0:
;   [esp+04] = key context (0x00408980, the author's "P-Box")
;   [esp+08] = pointer to xl
;   [esp+0C] = pointer to xr
; Both 32-bit halves are read through the pointers and written back in place.
; ebx, ebp, esi and edi are pushed on entry and popped before the plain ret.
;
; NOTE(review): the key context is passed as a fixed address inside the
; target's own image, so this transform and its inverse can be reproduced from
; the binary alone; a check that rests only on a symmetric cipher keeps no
; secret on the verifying side.
:004010D0 8B442408 mov eax, dword ptr [esp+08]
:004010D4 8B4C240C mov ecx, dword ptr [esp+0C]
:004010D8 53 push ebx
:004010D9 55 push ebp
:004010DA 8B00 mov eax, dword ptr [eax]====>xl
:004010DC 56 push esi
:004010DD 8B31 mov esi, dword ptr [ecx]====>xr
:004010DF 57 push edi
; Four registers are on the stack now, so [esp+14] is the entry-time [esp+04]:
; the key context pointer.
:004010E0 8B7C2414 mov edi, dword ptr [esp+14]
; The same argument slot is reused as the round counter: 0x10 = 16 rounds.
:004010E4 C744241410000000 mov [esp+14], 00000010
; 0x44 = 17*4: ebx starts at the 18th dword of the context and is stepped down
; by 4 each round, so the subkeys are consumed in reverse order. The author's
; note on the next line says "from 18 to 1, hence this is the Dec routine".
:004010EC 8D5F44 lea ebx, dword ptr [edi+44]==>P-Box(FORM 18 to 1<==因此使用的Dec)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040110D(C)
|
; Round body: xl ^= current subkey. ebp keeps that value so it can become the
; next xr after the call.
:004010EF 3303 xor eax, dword ptr [ebx]
:004010F1 50 push eax
:004010F2 57 push edi
:004010F3 8BE8 mov ebp, eax
; F(context, xl): the caller removes the two arguments itself (add esp, 8 at
; 004010FE).
:004010F5 E806FFFFFF call 00401000
================================================================================
================================函数F(xl)
================================================================================
; F at 0x00401000 (the banner above reads "function F(xl)").
; In:  [esp+04] = key context, [esp+08] = 32-bit input x
; Out: eax = ((T0[a] + T1[b]) xor T2[c]) + T3[d]
;      a = bits 31..24 of x, b = bits 23..16, c = bits 15..8, d = bits 7..0
;      T0..T3 are the tables at context+0x48, +0x448, +0x848 and +0xC48,
;      0x400 bytes (256 dwords) apart; 0x48 = 18*4, i.e. they follow the 18
;      subkey dwords. These are the Blowfish S-boxes in the author's reading.
; ebx, esi and edi are saved and restored; ecx and edx are overwritten.
:00401000 8B4C2408 mov ecx, dword ptr [esp+08]
:00401004 53 push ebx
:00401005 8AC1 mov al, cl
:00401007 56 push esi
; eax = d, the least significant byte of x (moved to edx below).
:00401008 25FF000000 and eax, 000000FF
:0040100D 57 push edi
:0040100E C1E908 shr ecx, 08
:00401011 8BD0 mov edx, eax
:00401013 8AC1 mov al, cl
; Three pushes so far: [esp+10] is the entry-time [esp+04], the key context.
:00401015 8B7C2410 mov edi, dword ptr [esp+10]
; eax = c, bits 15..8 of x (moved to esi below).
:00401019 25FF000000 and eax, 000000FF
:0040101E C1E908 shr ecx, 08
:00401021 8BF0 mov esi, eax
; ecx now holds x >> 16: eax becomes a (top byte), ecx becomes b.
:00401023 8BC1 mov eax, ecx
:00401025 C1E808 shr eax, 08
:00401028 25FF000000 and eax, 000000FF
:0040102D 81E1FF000000 and ecx, 000000FF
; esi and edx were already masked to 8 bits above, so these two ANDs leave
; their values unchanged.
:00401033 81E6FFFF0000 and esi, 0000FFFF
:00401039 81E2FFFF0000 and edx, 0000FFFF
; Table lookups and the add / xor / add combination.
:0040103F 8B448748 mov eax, dword ptr [edi+4*eax+48]
:00401043 8B9C8F48040000 mov ebx, dword ptr [edi+4*ecx+00000448]
:0040104A 8B8CB748080000 mov ecx, dword ptr [edi+4*esi+00000848]
:00401051 03C3 add eax, ebx
:00401053 33C1 xor eax, ecx
:00401055 8B8C97480C0000 mov ecx, dword ptr [edi+4*edx+00000C48]
:0040105C 5F pop edi
:0040105D 5E pop esi
:0040105E 03C1 add eax, ecx
:00401060 5B pop ebx
:00401061 C3 ret
================================================================================
================================end 函数F(xl)
================================================================================
; Back in the decryption routine, eax = F(xl). The two call arguments are
; still on the stack, so [esp+1C] here is the round-counter slot that is
; [esp+14] once they are removed.
:004010FA 8B4C241C mov ecx, dword ptr [esp+1C]
:004010FE 83C408 add esp, 00000008
; eax = F(xl) xor xr: this becomes the next round's xl.
:00401101 33C6 xor eax, esi
; Step to the previous subkey.
:00401103 83EB04 sub ebx, 00000004
:00401106 49 dec ecx
; The xl value saved in ebp becomes the next round's xr (the per-round swap).
:00401107 8BF5 mov esi, ebp
:00401109 894C2414 mov dword ptr [esp+14], ecx
; jne tests the flags left by dec ecx; the two mov instructions in between do
; not modify flags.
:0040110D 75E0 jne 004010EF
; After 16 rounds the last swap is undone while the two remaining subkeys are
; mixed in: *xl = esi xor [context+0], *xr = eax xor [context+4].
:0040110F 8B4F04 mov ecx, dword ptr [edi+04]
:00401112 8B17 mov edx, dword ptr [edi]
:00401114 33C8 xor ecx, eax
; Four saved registers are still on the stack: [esp+18] is the entry-time
; [esp+08], the pointer to xl.
:00401116 8B442418 mov eax, dword ptr [esp+18]
:0040111A 33D6 xor edx, esi
:0040111C 5F pop edi
:0040111D 8910 mov dword ptr [eax], edx
; One register has been popped, so [esp+18] now addresses the entry-time
; [esp+0C], the pointer to xr.
:0040111F 8B542418 mov edx, dword ptr [esp+18]
:00401123 5E pop esi
:00401124 5D pop ebp
:00401125 890A mov dword ptr [edx], ecx
:00401127 5B pop ebx
:00401128 C3 ret