标签:
通过SHA-1加密算法原理的介绍,会了解到SHA-1在加密的过程中,有几个固定的流程(特征),在逆向分析的过程中通过这些特征可以识别出当前使用的是SHA-1的加密算法,从而更高效的分析还原算法。
整理下SHA-1加密的几个特征:
1. 处理的数据是512位为1组,补位数据的填充方式
2. 5个初始常数 H0 = 0x67452301, H1 = 0x0xefcdab89, H2 = 0x98badcfe, H3 = 0x10325476, H4 = 0xc3d2e1f0 (4个初始常数的值为主要特征)
3. 对W0~W79的80步处理,分为4个20步,每个20步循环中,有Kt常数
K0 = 0x5a827999, K1 = 0x6ed9eba1, K2 = 0x8f1bbcdc, K3 = 0xca62c1d6
下面为标准SHA-1在OD的特征:
初始5个H常数:
00401000 /$ 8B5424 04 MOV EDX, DWORD PTR SS:[ESP+0x4] 00401004 |. 57 PUSH EDI 00401005 |. B9 50000000 MOV ECX, 0x50 0040100A |. 33C0 XOR EAX, EAX 0040100C |. 8D7A 28 LEA EDI, DWORD PTR DS:[EDX+0x28] 0040100F |. F3:AB REP STOS DWORD PTR ES:[EDI] 00401011 |. 8942 04 MOV DWORD PTR DS:[EDX+0x4], EAX 00401014 |. 8902 MOV DWORD PTR DS:[EDX], EAX 00401016 |. C742 08 01234567 MOV DWORD PTR DS:[EDX+0x8], 0x67452301 0040101D |. C742 0C 89ABCDEF MOV DWORD PTR DS:[EDX+0xC], 0xEFCDAB89 00401024 |. C742 10 FEDCBA98 MOV DWORD PTR DS:[EDX+0x10], 0x98BADCFE 0040102B |. C742 14 76543210 MOV DWORD PTR DS:[EDX+0x14], 0x10325476 ; //初始5个H常量 00401032 |. C742 18 F0E1D2C3 MOV DWORD PTR DS:[EDX+0x18], 0xC3D2E1F0 00401039 |. 5F POP EDI 0040103A \. C3 RETN
对W0~W79的80步处理,分为4个20步,每个20步循环中,有Kt常数:
004010C8 |. 8B79 08 MOV EDI, DWORD PTR DS:[ECX+0x8] 004010CB |. 8B41 0C MOV EAX, DWORD PTR DS:[ECX+0xC] 004010CE |. 8B51 10 MOV EDX, DWORD PTR DS:[ECX+0x10] 004010D1 |. 8B71 14 MOV ESI, DWORD PTR DS:[ECX+0x14] 004010D4 |. 8B49 18 MOV ECX, DWORD PTR DS:[ECX+0x18] ; //取出5个H常量 004010D7 |. 895C24 14 MOV DWORD PTR SS:[ESP+0x14], EBX 004010DB |. 894C24 10 MOV DWORD PTR SS:[ESP+0x10], ECX 004010DF |. C74424 18 14000000 MOV DWORD PTR SS:[ESP+0x18], 0x14 ; //W0~W19 004010E7 |> 8BC8 /MOV ECX, EAX 004010E9 |. 8BDA |MOV EBX, EDX 004010EB |. F7D1 |NOT ECX 004010ED |. 23CE |AND ECX, ESI 004010EF |. 23D8 |AND EBX, EAX 004010F1 |. 0BCB |OR ECX, EBX 004010F3 |. 8BDF |MOV EBX, EDI 004010F5 |. 8BEF |MOV EBP, EDI 004010F7 |. C1EB 1B |SHR EBX, 0x1B 004010FA |. C1E5 05 |SHL EBP, 0x5 004010FD |. 0BDD |OR EBX, EBP 004010FF |. 8B6C24 14 |MOV EBP, DWORD PTR SS:[ESP+0x14] 00401103 |. 03CB |ADD ECX, EBX 00401105 |. 8B5D 00 |MOV EBX, DWORD PTR SS:[EBP] 00401108 |. 83C5 04 |ADD EBP, 0x4 0040110B |. 03CB |ADD ECX, EBX 0040110D |. 8B5C24 10 |MOV EBX, DWORD PTR SS:[ESP+0x10] 00401111 |. 896C24 14 |MOV DWORD PTR SS:[ESP+0x14], EBP 00401115 |. 8B6C24 18 |MOV EBP, DWORD PTR SS:[ESP+0x18] 00401119 |. 8D8C19 9979825A |LEA ECX, DWORD PTR DS:[ECX+EBX+0x5A827999] ; //K0 00401120 |. 8BDE |MOV EBX, ESI 00401122 |. 8BF2 |MOV ESI, EDX 00401124 |. 8BD0 |MOV EDX, EAX 00401126 |. C1E2 1E |SHL EDX, 0x1E 00401129 |. C1E8 02 |SHR EAX, 0x2 0040112C |. 0BD0 |OR EDX, EAX 0040112E |. 4D |DEC EBP 0040112F |. 8BC7 |MOV EAX, EDI 00401131 |. 895C24 10 |MOV DWORD PTR SS:[ESP+0x10], EBX 00401135 |. 8BF9 |MOV EDI, ECX 00401137 |. 896C24 18 |MOV DWORD PTR SS:[ESP+0x18], EBP 0040113B |.^ 75 AA \JNZ SHORT SHA1KeyG.004010E7 0040113D |. 8B6C24 20 MOV EBP, DWORD PTR SS:[ESP+0x20] 00401141 |. C74424 14 14000000 MOV DWORD PTR SS:[ESP+0x14], 0x14 00401149 |. 83C5 78 ADD EBP, 0x78 0040114C |. 896C24 18 MOV DWORD PTR SS:[ESP+0x18], EBP 00401150 |> 8BE9 /MOV EBP, ECX 00401152 |. C1ED 1B |SHR EBP, 0x1B 00401155 |. C1E1 05 |SHL ECX, 0x5 00401158 |. 0BE9 |OR EBP, ECX 0040115A |. 8BCE |MOV ECX, ESI 0040115C |. 33CA |XOR ECX, EDX 0040115E |. 33C8 |XOR ECX, EAX 00401160 |. 03E9 |ADD EBP, ECX 00401162 |. 8BCD |MOV ECX, EBP 00401164 |. 8B6C24 18 |MOV EBP, DWORD PTR SS:[ESP+0x18] 00401168 |. 034D 00 |ADD ECX, DWORD PTR SS:[EBP] 0040116B |. 83C5 04 |ADD EBP, 0x4 0040116E |. 896C24 18 |MOV DWORD PTR SS:[ESP+0x18], EBP 00401172 |. 8B6C24 14 |MOV EBP, DWORD PTR SS:[ESP+0x14] 00401176 |. 8D8C19 A1EBD96E |LEA ECX, DWORD PTR DS:[ECX+EBX+0x6ED9EBA1] ; //K1 0040117D |. 8BDE |MOV EBX, ESI 0040117F |. 8BF2 |MOV ESI, EDX 00401181 |. 8BD0 |MOV EDX, EAX 00401183 |. C1E2 1E |SHL EDX, 0x1E 00401186 |. C1E8 02 |SHR EAX, 0x2 00401189 |. 0BD0 |OR EDX, EAX 0040118B |. 4D |DEC EBP 0040118C |. 8BC7 |MOV EAX, EDI 0040118E |. 8BF9 |MOV EDI, ECX 00401190 |. 896C24 14 |MOV DWORD PTR SS:[ESP+0x14], EBP 00401194 |.^ 75 BA \JNZ SHORT SHA1KeyG.00401150 00401196 |. 895C24 10 MOV DWORD PTR SS:[ESP+0x10], EBX 0040119A |. 8B5C24 20 MOV EBX, DWORD PTR SS:[ESP+0x20] 0040119E |. 81C3 C8000000 ADD EBX, 0xC8 004011A4 |. C74424 14 14000000 MOV DWORD PTR SS:[ESP+0x14], 0x14 004011AC |. 895C24 18 MOV DWORD PTR SS:[ESP+0x18], EBX 004011B0 |> 8BEA /MOV EBP, EDX 004011B2 |. 8BDA |MOV EBX, EDX 004011B4 |. 0BE8 |OR EBP, EAX 004011B6 |. 23D8 |AND EBX, EAX 004011B8 |. 23EE |AND EBP, ESI 004011BA |. 0BEB |OR EBP, EBX 004011BC |. 8BD9 |MOV EBX, ECX 004011BE |. C1EB 1B |SHR EBX, 0x1B 004011C1 |. C1E1 05 |SHL ECX, 0x5 004011C4 |. 0BD9 |OR EBX, ECX 004011C6 |. 03EB |ADD EBP, EBX 004011C8 |. 8B5C24 18 |MOV EBX, DWORD PTR SS:[ESP+0x18] 004011CC |. 8B0B |MOV ECX, DWORD PTR DS:[EBX] 004011CE |. 83C3 04 |ADD EBX, 0x4 004011D1 |. 03E9 |ADD EBP, ECX 004011D3 |. 8B4C24 10 |MOV ECX, DWORD PTR SS:[ESP+0x10] 004011D7 |. 897424 10 |MOV DWORD PTR SS:[ESP+0x10], ESI 004011DB |. 8BF2 |MOV ESI, EDX 004011DD |. 8BD0 |MOV EDX, EAX 004011DF |. 895C24 18 |MOV DWORD PTR SS:[ESP+0x18], EBX 004011E3 |. 8B5C24 14 |MOV EBX, DWORD PTR SS:[ESP+0x14] 004011E7 |. 8D8C29 DCBC1B8F |LEA ECX, DWORD PTR DS:[ECX+EBP+0x8F1BBCDC] ; //K2 004011EE |. C1E2 1E |SHL EDX, 0x1E 004011F1 |. C1E8 02 |SHR EAX, 0x2 004011F4 |. 0BD0 |OR EDX, EAX 004011F6 |. 4B |DEC EBX 004011F7 |. 8BC7 |MOV EAX, EDI 004011F9 |. 8BF9 |MOV EDI, ECX 004011FB |. 895C24 14 |MOV DWORD PTR SS:[ESP+0x14], EBX 004011FF |.^ 75 AF \JNZ SHORT SHA1KeyG.004011B0 00401201 |. 8B5C24 20 MOV EBX, DWORD PTR SS:[ESP+0x20] 00401205 |. C74424 18 14000000 MOV DWORD PTR SS:[ESP+0x18], 0x14 0040120D |. 8DAB 18010000 LEA EBP, DWORD PTR DS:[EBX+0x118] 00401213 |. 896C24 20 MOV DWORD PTR SS:[ESP+0x20], EBP 00401217 |> 8BE9 /MOV EBP, ECX 00401219 |. C1ED 1B |SHR EBP, 0x1B 0040121C |. C1E1 05 |SHL ECX, 0x5 0040121F |. 0BE9 |OR EBP, ECX 00401221 |. 8BCE |MOV ECX, ESI 00401223 |. 33CA |XOR ECX, EDX 00401225 |. 33C8 |XOR ECX, EAX 00401227 |. 03E9 |ADD EBP, ECX 00401229 |. 8B4C24 20 |MOV ECX, DWORD PTR SS:[ESP+0x20] 0040122D |. 0329 |ADD EBP, DWORD PTR DS:[ECX] 0040122F |. 8B4C24 10 |MOV ECX, DWORD PTR SS:[ESP+0x10] 00401233 |. 897424 10 |MOV DWORD PTR SS:[ESP+0x10], ESI 00401237 |. 8BF2 |MOV ESI, EDX 00401239 |. 8BD0 |MOV EDX, EAX 0040123B |. 8D8C29 D6C162CA |LEA ECX, DWORD PTR DS:[ECX+EBP+0xCA62C1D6] ; //K3 00401242 |. 8B6C24 20 |MOV EBP, DWORD PTR SS:[ESP+0x20] 00401246 |. 83C5 04 |ADD EBP, 0x4 00401249 |. C1E2 1E |SHL EDX, 0x1E 0040124C |. C1E8 02 |SHR EAX, 0x2 0040124F |. 896C24 20 |MOV DWORD PTR SS:[ESP+0x20], EBP 00401253 |. 8B6C24 18 |MOV EBP, DWORD PTR SS:[ESP+0x18] 00401257 |. 0BD0 |OR EDX, EAX 00401259 |. 4D |DEC EBP 0040125A |. 8BC7 |MOV EAX, EDI 0040125C |. 8BF9 |MOV EDI, ECX 0040125E |. 896C24 18 |MOV DWORD PTR SS:[ESP+0x18], EBP 00401262 |.^ 75 B3 \JNZ SHORT SHA1KeyG.00401217 00401264 |. 8B7B 08 MOV EDI, DWORD PTR DS:[EBX+0x8] 00401267 |. 03F9 ADD EDI, ECX 00401269 |. 8B4B 0C MOV ECX, DWORD PTR DS:[EBX+0xC] 0040126C |. 03C8 ADD ECX, EAX 0040126E |. 8B43 10 MOV EAX, DWORD PTR DS:[EBX+0x10] 00401271 |. 03C2 ADD EAX, EDX 00401273 |. 894B 0C MOV DWORD PTR DS:[EBX+0xC], ECX 00401276 |. 8B4C24 10 MOV ECX, DWORD PTR SS:[ESP+0x10] 0040127A |. 8943 10 MOV DWORD PTR DS:[EBX+0x10], EAX 0040127D |. 8B43 14 MOV EAX, DWORD PTR DS:[EBX+0x14] 00401280 |. 897B 08 MOV DWORD PTR DS:[EBX+0x8], EDI ; //更新H 00401283 |. 03C6 ADD EAX, ESI 00401285 |. 5F POP EDI 00401286 |. 8943 14 MOV DWORD PTR DS:[EBX+0x14], EAX 00401289 |. 8B43 18 MOV EAX, DWORD PTR DS:[EBX+0x18] 0040128C |. 03C1 ADD EAX, ECX 0040128E |. 5E POP ESI 0040128F |. 8943 18 MOV DWORD PTR DS:[EBX+0x18], EAX 00401292 |. 5D POP EBP 00401293 |. 5B POP EBX 00401294 |. 83C4 0C ADD ESP, 0xC 00401297 \. C3 RETN
IDA F5的特征更为明显:
int __cdecl sub_401090(int a1) { int v1; // edx@1 signed int v2; // esi@1 int v3; // eax@2 unsigned int v4; // edi@3 unsigned int v5; // eax@3 int v6; // edx@3 int v7; // esi@3 int v8; // ecx@4 unsigned int v9; // ecx@4 int v10; // ebx@4 bool v11; // zf@4 int v12; // ecx@6 int v13; // ebp@8 int v14; // ecx@8 int v15; // ebx@9 int v16; // ebp@10 int v17; // ecx@10 int v18; // edi@11 int v19; // ecx@11 int v20; // eax@11 int v21; // eax@11 int result; // eax@11 int v23; // [sp+10h] [bp-Ch]@3 int v24; // [sp+10h] [bp-Ch]@7 int v25; // [sp+14h] [bp-8h]@3 signed int v26; // [sp+14h] [bp-8h]@5 signed int v27; // [sp+14h] [bp-8h]@7 signed int v28; // [sp+18h] [bp-4h]@3 int v29; // [sp+18h] [bp-4h]@5 int v30; // [sp+18h] [bp-4h]@7 signed int v31; // [sp+18h] [bp-4h]@9 int v32; // [sp+20h] [bp+4h]@9 v1 = a1 + 40; v2 = 64; do { v3 = *(_DWORD *)v1 ^ *(_DWORD *)(v1 + 8) ^ *(_DWORD *)(v1 + 32) ^ *(_DWORD *)(v1 + 52); v1 += 4; --v2; *(_DWORD *)(v1 + 60) = 2 * v3 | ((unsigned int)v3 >> 31); } while ( v2 ); v4 = *(_DWORD *)(a1 + 8); v5 = *(_DWORD *)(a1 + 12); v6 = *(_DWORD *)(a1 + 16); v7 = *(_DWORD *)(a1 + 20); v25 = a1 + 40; v23 = *(_DWORD *)(a1 + 24); v28 = 20; do { v8 = *(_DWORD *)v25 + (32 * v4 | (v4 >> 27)) + (v5 & v6 | v7 & ~v5); v25 += 4; v9 = v8 + v23 + 0x5A827999; v10 = v7; v7 = v6; v6 = (v5 >> 2) | (v5 << 30); v11 = v28 == 1; v5 = v4; v23 = v10; v4 = v9; --v28; } while ( !v11 ); v26 = 20; v29 = a1 + 120; do { v12 = *(_DWORD *)v29 + (v5 ^ v6 ^ v7) + (32 * v9 | (v9 >> 27)); v29 += 4; v9 = v12 + v10 + 0x6ED9EBA1; v10 = v7; v7 = v6; v6 = (v5 >> 2) | (v5 << 30); v11 = v26 == 1; v5 = v4; v4 = v9; --v26; } while ( !v11 ); v24 = v10; v27 = 20; v30 = a1 + 200; do { v13 = *(_DWORD *)v30 + (32 * v9 | (v9 >> 27)) + (v5 & v6 | v7 & (v5 | v6)); v14 = v24; v24 = v7; v7 = v6; v30 += 4; v9 = v14 + v13 + 0x8F1BBCDC; v6 = (v5 >> 2) | (v5 << 30); v11 = v27 == 1; v5 = v4; v4 = v9; --v27; } while ( !v11 ); v15 = a1; v31 = 20; v32 = a1 + 280; do { v16 = *(_DWORD *)v32 + (v5 ^ v6 ^ v7) + (32 * v9 | (v9 >> 27)); v17 = v24; v24 = v7; v7 = v6; v9 = v17 + v16 + 0xCA62C1D6; v32 += 4; v6 = (v5 >> 2) | (v5 << 30); v11 = v31 == 1; v5 = v4; v4 = v9; --v31; } while ( !v11 ); v18 = v9 + *(_DWORD *)(v15 + 8); v19 = v5 + *(_DWORD *)(v15 + 12); v20 = v6 + *(_DWORD *)(v15 + 16); *(_DWORD *)(v15 + 12) = v19; *(_DWORD *)(v15 + 16) = v20; v21 = *(_DWORD *)(v15 + 20); *(_DWORD *)(v15 + 8) = v18; *(_DWORD *)(v15 + 20) = v7 + v21; result = v24 + *(_DWORD *)(v15 + 24); *(_DWORD *)(v15 + 24) = result; return result; }
标签:
原文地址:http://www.cnblogs.com/dacainiao/p/5554811.html
