一,寻找登录包 First, log on to find package
输入错误的用户名或密码,让TCP流尽早结束,这样交流的数据包较少,容易找 Enter the wrong user name or password, so that the end of the TCP stream as soon as possible, so that the exchange of small packets, easy to find
截包工具有很多,看个人喜好了~~我Iris用惯了启动倚天II,出现登录界面,随便找个服务器,以用户名 shoooo 密码1234登录,报错。 Contracting with a lot of cut-off, look at the personal preferences of the Iris ~ ~ I used to start the Sword II, appear to log interface, just to find a server to the user name shoooo password to log 1234, the error. 看看截的包包,在登录过程中,含有数据的共有9 Take a look at the cut-off packs in the registry, the data contain a total of 9
个包,包中的数据都是无规则的16进制,可以肯定是经过加密的。 000 packets, packages of data are no rules of the 16-band, is certain is encrypted. 很容易发现前面7个包长度较短,内容近似。 Easily found in front of a shorter length of 7 packets, similar to the content.
第8个包是客户端发给服务器,长度有56字节如下 No. 8 is a package sent to the client server, the length of 56 bytes are as follows
C8 9E 23 AC BA 93 FD 12 05 72 11 85 BF D0 E7 BB C8 9E 23 AC BA 93 FD 12 05 72 11 85 BF D0 E7 BB
D1 C0 A9 36 35 AA 5B 0B 05 72 11 85 BF D0 E7 BB D1 C0 A9 36 35 AA 5B 0B 05 72 11 85 BF D0 E7 BB
F3 9C 41 BD C1 62 6B 7A 22 E5 37 46 B7 13 1E 00 F3 9C 41 BD C1 62 6B 7A 22 E5 37 46 B7 13 1E 00
B2 BC FA 80 11 B6 2D 82 B2 BC FA 80 11 B6 2D 82
第9个包从服务器发来给客户端,长度为16字节如下 9 packets sent from the server to the client, a length of 16 bytes are as follows
0E 6B 32 F1 40 39 80 69 05 72 11 85 BF D0 E7 BB 0E 6B 32 F1 40 39 80 69 05 72 11 85 BF D0 E7 BB
猜测第8个包是登录包,第9个登录包是登录响应包。 No. 8 guess is the package to log package, the first 9 months is a sign in response to the package log package.
用相同的账号再登录一次重点观察第8个包如下,并发现前32字节与前次登录中的数据相同 Use the same account and then log on a key section 8 to observe the following package, and found that before the last 32 bytes of data in the same registry
C8 9E 23 AC BA 93 FD 12 05 72 11 85 BF D0 E7 BB C8 9E 23 AC BA 93 FD 12 05 72 11 85 BF D0 E7 BB
D1 C0 A9 36 35 AA 5B 0B 05 72 11 85 BF D0 E7 BB D1 C0 A9 36 35 AA 5B 0B 05 72 11 85 BF D0 E7 BB
5C 7C 2A 03 B6 CF D3 39 FE 04 3D 80 C8 B0 E3 25 5C 7C 2A 03 B6 CF D3 39 FE 04 3D 80 C8 B0 E3 25
5A F8 EA 9E 62 2A 13 87 5A F8 EA 9E 62 2A 13 87
重点观察第9个包如下,与前次完全相同 Observation focused on the first 9 months following package, with exactly the same as the previous
0E 6B 32 F1 40 39 80 69 05 72 11 85 BF D0 E7 BB 0E 6B 32 F1 40 39 80 69 05 72 11 85 BF D0 E7 BB
省略n次的相同或不同账号密码组合的登录试验...... N omitted at the same or different combinations of the account password to log test ......
这时我们得到如下结论 At this time we have concluded
a. 登录包长度固定为56字节,若以相同的账号,密码登录,登录包的前32字节相同。 a. Log in to a fixed packet length of 56 bytes, if the same account number, password, log on the package before the 32-byte identical. 登录的错误响应包数据相同,固定16字节 Sign in the wrong package in response to the same data, fixed 16 bytes
b. 56,32,16都是8的倍数,加密算法极有可能是8字节的分组算法 b. 56,32,16 are a multiple of 8, the encryption algorithm, which is very likely 8-byte packet algorithm
二,寻找发送buffer Second, look for send buffer
可以从输入的账号,密码开始跟,也可以从发送的数据包反向跟,我个人倾向于后者,这里采用后者 的方法 Can enter the account number, password to start with, and can also send packets with the reverse, I personally prefer the latter, here adopt the latter approach
请出softice,symbol loader 加载ws2_32.dll,倚天2有防softice,用上iceext插件顺利躲过启动客户 端至登录界面 Out softice, symbol loader to load ws2_32.dll, Sword 2, there are anti-softice, the use of plug-in iceext successfully escaped to start the client interface to log on
ctrl-d 呼出确认右下角显示为倚天II的领空metein2(以下不再提示),如果不是可多试几次或用 addr命令 ctrl-d breath for the show confirmed the lower right corner of the Sword II air space metein2 (The following tips will not), if not a few more test or order addr
下断点bpx send Bpx send the next breakpoint
下断点bpx wsasend Under the breakpoint bpx wsasend
随便选个服务器,输用户名shoooo,密码1234。 Pick a server, users were lost shoooo, code 1234. 点登录 Sign-On
softice在send处断下,按F11回到调用send的地方,看EAX的值,EAX是调用send后 的返回值也就是实际发送的字节长度,我们想要看到的 softice in the Department send off, according to send the call back to the F11, EAX see the value, EAX is a call to send the return value is the actual length of bytes sent, we want to see
是56字节,即十六进制的38。 Is 56 bytes, or hexadecimal 38. 现在不是,ctrl-d让它继续跑,马上又在send处断下,F11,看EAX的值,不是就ctrl-d 再继续约5到6次后,EAX的值显示为38,立即对准调用send的EIP:499722下断点,同时清除 send,wsasend断点,按若干次 ctrl-d,让登录过程结束 This is not, ctrl-d to keep it running, immediately send in the Department under the break, F11, to see the value of EAX is not on the ctrl-d to continue at about 5-6 times, EAX value of the show for 38, immediately at the Send the call EIP: 499722 next break point, cleared the same time, send, wsasend break point, according to a number of ctrl-d, so that the process of the end of the log
.text:00499716 push 0 ; flags . text: 00499716 push 0; flags
.text:00499718 push eax ; len . text: 00499718 push eax; len
.text:00499719 push dword ptr [esi+24h] ; buf . text: 00499719 push dword ptr [esi +24 h]; buf
.text:0049971C push dword ptr [esi+244h] ; s . text: 0049971C push dword ptr [esi +244 h]; s
.text:00499722 call send 此处下断点 . text: 00499722 call send here under the breakpoint
.text:00499727 mov edi, eax . text: 00499727 mov edi, eax
.text:00499729 test edi, edi . text: 00499729 test edi, edi
再次点击登录,这次在EIP:499722处断下下命令d esi+24 Click sign in again, this time in the EIP: 499722 off under the Department under the command d esi +24
B8 07 EE 01 08 08 00 00 ....... B8 07 EE 01 08 08 00 00 .......
下命令d 1ee07b8 Under the command d 1ee07b8
C8 9E 23 AC BA 93 FD 12 05 72 11 85 BF D0 E7 BB C8 9E 23 AC BA 93 FD 12 05 72 11 85 BF D0 E7 BB
D1 C0 A9 36 35 AA 5B 0B 05 72 11 85 BF D0 E7 BB D1 C0 A9 36 35 AA 5B 0B 05 72 11 85 BF D0 E7 BB
0D 15 41 28 73 52 5A 05 CF 87 39 DF 74 35 24 1C 0D 15 41 28 73 52 5A 05 CF 87 39 DF 74 35 24 1C
87 7B 41 D6 18 21 BA B3 87 7B 41 D6 18 21 BA B3
这便是实际发送的登录包的数据 This is actually sent the package to log data
三,寻找加密过程 Third, the process of looking for encryption
即寻找发送buffer的数据从何而来,不断的下内存断点,直到找到我们需要的账号,密码的明 文 That is, looking for buffer send data came from under the constant memory break point until we need to find the account number, password express
只保留499722的eip断点下断点bpmd 1ee07b8 Only 499,722 of eip break point under bpmd 1ee07b8
以shoooo,1234再次登录第一次断在1ee07b8的内存写入,先别急着看,ctrl-d继续第二次断在了EIP:499722处。 To shoooo, 1234 once again to log off for the first time in memory 1ee07b8 write, Do not look at first, ctrl-d to continue in the second off the EIP: 499722 Department.
好了,到这里清楚了,第一次断下的地方便是对发送buffer的头8个字节的写入再次登录,断 在第一处 Well, here clearly for the first time off the next place is sent to the buffer in the first 8 bytes of the write log on again, off in the first
.text:0048F30D mov [edx], eax 这里edx值是1ee07b8 . text: 0048F30D mov [edx], eax here edx value is 1ee07b8
.text:0048F30F mov [edx+4], ecx 断在此处 . text: 0048F30F mov [edx +4], ecx off here
.text:0048F312 pop ebx . text: 0048F312 pop ebx
.text:0048F313 pop ebp . text: 0048F313 pop ebp
.text:0048F314 retn 跳转到48F3D0 . text: 0048F314 retn Jump to 48F3D0
取消1ee07b8的内存断点,F10单步跟踪,48F314的retn语句后,跳转到了48 F3D0 1ee07b8 cancel the memory breakpoints, F10 single-step tracking, 48F314 the retn statement after the jump to the 48F3D0
.text:0048F383 push ebp . text: 0048F383 push ebp
.....省略若干行 ..... Omitted a number of line
.text:0048F3C0 / push [ebp+arg_0] . text: 0048F3C0 / push [ebp + arg_0]
.text:0048F3C3 | push [ebp+arg_8] . text: 0048F3C3 | push [ebp + arg_8]
.text:0048F3C6 | push dword ptr [edi] . text: 0048F3C6 | push dword ptr [edi]
.text:0048F3C8 | push dword ptr [edi+4] 指向明文,待输出密文的指针入栈 . text: 0048F3C8 | push dword ptr [edi +4] clearly point to, to be indicators of output ciphertext Ruzhan
.text:0048F3CB | call sub_48F2AA 核心加密,8字节明文加密,8字节密文输出 . text: 0048F3CB | call sub_48F2AA encryption core, 8-bit encryption explicitly, 8 bytes of ciphertext output
.text:0048F3D0 | add [ebp+arg_0], 8 准备下次加密的8字节明文 . text: 0048F3D0 | add [ebp + arg_0], 8 to prepare the next encrypted 8-byte clear
.text:0048F3D4 | add esp, 10h . text: 0048F3D4 | add esp, 10h
.text:0048F3D7 | add edi, 8 准备下次输出的8字节密文 . text: 0048F3D7 | add edi, 8 to prepare the next 8 bytes of output ciphertext
.text:0048F3DA | dec [ebp+arg_C] . text: 0048F3DA | dec [ebp + arg_C]
.text:0048F3DD \ jnz short loc_48F3C0 跳上去继续加密下一组 . text: 0048F3DD \ jnz short loc_48F3C0 jumped to the next group to continue to encrypt
.text:0048F3DF pop edi . text: 0048F3DF pop edi
.text:0048F3E0 mov eax, esi . text: 0048F3E0 mov eax, esi
.text:0048F3E2 pop esi . text: 0048F3E2 pop esi
.text:0048F3E3 pop ebp . text: 0048F3E3 pop ebp
.text:0048F3E4 retn 跳转到499706 . text: 0048F3E4 retn Jump to 499,706
48F3E4返回后,到了499706 48F3E4 return, to 499,706
.text:004996EF push edi 需要加密的字节数 . text: 004996EF push edi need to encrypt the number of bytes
.text:004996F0 lea ecx, [esi+42h] . text: 004996F0 lea ecx, [esi +42 h]
.text:004996F3 push ecx 指向密钥 . text: 004996F3 push ecx key point
.text:004996F4 mov ecx, [esi+30h] . text: 004996F4 mov ecx, [esi +30 h]
.text:004996F7 add ecx, eax . text: 004996F7 add ecx, eax
.text:004996F9 mov eax, [esi+24h] . text: 004996F9 mov eax, [esi +24 h]
.text:004996FC add eax, [esi+2Ch] . text: 004996FC add eax, [esi +2 Ch]
.text:004996FF push ecx 指向登录包的明文(包含账号,密码) . text: 004996FF push ecx log on to an express package (including account numbers, passwords)
.text:00499700 push eax 指向登录包的待输出的密文,这里是1ee07b8 . text: 00499700 push eax point to the package log on to be the output of Micronesia, here is 1ee07b8
.text:00499701 call sub_48F383 最外层的加密函数 . text: 00499701 call sub_48F383 the outermost layer of encryption function
.text:00499706 add [esi+2Ch], eax . text: 00499706 add [esi +2 Ch], eax
此时可以清除先前的所有断点,在EIP: 499071处下断,跟踪整个加密过程,到这里不难发现登录包的明文必须是8字节的倍数,每8个字节 At this point they can get rid of all the previous breakpoint in the EIP: 499071 Department under the cut, tracking the whole process of encryption, log on here is not difficult to find an express package must be a multiple of 8 bytes, each 8 bytes
调用call 48F2AA进行加密,输出8字节的密文 Call 48F2AA call for encryption, the output of 8 bytes of ciphertext
四,加密算法求逆 Fourth, encryption algorithm inversion
既然服务器能对我们发送的加密登录包作出登录失败的反应,显然它是可逆的 Since the server we can send encrypted login packet log on to the failure of the reaction, it is clear that it is reversible
重点观察48F2AA处的核心加密函数,分析出相应的解密算法 Key observation 48F2AA core function of encryption, analysis of the corresponding decryption algorithm
.text:0048F2AA push ebp . text: 0048F2AA push ebp
.text:0048F2AB mov ebp, esp . text: 0048F2AB mov ebp, esp
.text:0048F2AD mov eax, [ebp+arg_4] . text: 0048F2AD mov eax, [ebp + arg_4]
.text:0048F2B0 mov ecx, [ebp+arg_0] . text: 0048F2B0 mov ecx, [ebp + arg_0]
.text:0048F2B3 mov edx, [ebp+arg_8] . text: 0048F2B3 mov edx, [ebp + arg_8]
.text:0048F2B6 push ebx . text: 0048F2B6 push ebx
.text:0048F2B7 push esi . text: 0048F2B7 push esi
.text:0048F2B8 push edi . text: 0048F2B8 push edi
.text:0048F2B9 xor esi, esi . text: 0048F2B9 xor esi, esi
.text:0048F2BB mov [ebp+arg_4], 20h 作32轮 . text: 0048F2BB mov [ebp + arg_4], 20h for 32
.text:0048F2C2 mov edi, ecx . text: 0048F2C2 mov edi, ecx
.text:0048F2C4 shr edi, 5 . text: 0048F2C4 shr edi, 5
.text:0048F2C7 mov ebx, ecx . text: 0048F2C7 mov ebx, ecx
.text:0048F2C9 shl ebx, 4 . text: 0048F2C9 shl ebx, 4
.text:0048F2CC xor edi, ebx . text: 0048F2CC xor edi, ebx
.text:0048F2CE add edi, ecx . text: 0048F2CE add edi, ecx
.text:0048F2D0 mov ebx, esi . text: 0048F2D0 mov ebx, esi
.text:0048F2D2 and ebx, 3 . text: 0048F2D2 and ebx, 3
.text:0048F2D5 mov ebx, [edx+ebx*4] . text: 0048F2D5 mov ebx, [edx + ebx * 4]
.text:0048F2D8 add ebx, esi . text: 0048F2D8 add ebx, esi
.text:0048F2DA xor edi, ebx . text: 0048F2DA xor edi, ebx
.text:0048F2DC add eax, edi . text: 0048F2DC add eax, edi
.text:0048F2DE mov edi, eax . text: 0048F2DE mov edi, eax
.text:0048F2E0 shr edi, 5 . text: 0048F2E0 shr edi, 5
.text:0048F2E3 mov ebx, eax . text: 0048F2E3 mov ebx, eax
.text:0048F2E5 shl ebx, 4 . text: 0048F2E5 shl ebx, 4
.text:0048F2E8 xor edi, ebx . text: 0048F2E8 xor edi, ebx
.text:0048F2EA sub esi, 61C88647h 加密函数中唯一出现的奇怪常数 . text: 0048F2EA sub esi, 61C88647h encryption function appears strange that the only constant
.text:0048F2F0 mov ebx, esi . text: 0048F2F0 mov ebx, esi
.text:0048F2F2 shr ebx, 0Bh . text: 0048F2F2 shr ebx, 0Bh
.text:0048F2F5 and ebx, 3 . text: 0048F2F5 and ebx, 3
.text:0048F2F8 mov ebx, [edx+ebx*4] . text: 0048F2F8 mov ebx, [edx + ebx * 4]
.text:0048F2FB add edi, eax . text: 0048F2FB add edi, eax
.text:0048F2FD add ebx, esi . text: 0048F2FD add ebx, esi
.text:0048F2FF xor edi, ebx . text: 0048F2FF xor edi, ebx
.text:0048F301 add ecx, edi . text: 0048F301 add ecx, edi
.text:0048F303 dec [ebp+arg_4] . text: 0048F303 dec [ebp + arg_4]
.text:0048F306 jnz short loc_48F2C2 . text: 0048F306 jnz short loc_48F2C2
.text:0048F308 mov edx, [ebp+arg_C] . text: 0048F308 mov edx, [ebp + arg_C]
.text:0048F30B pop edi . text: 0048F30B pop edi
.text:0048F30C pop esi . text: 0048F30C pop esi
.text:0048F30D mov [edx], eax . text: 0048F30D mov [edx], eax
.text:0048F30F mov [edx+4], ecx . text: 0048F30F mov [edx +4], ecx
.text:0048F312 pop ebx . text: 0048F312 pop ebx
.text:0048F313 pop ebp . text: 0048F313 pop ebp
.text:0048F314 retn . text: 0048F314 retn
一般到这里就要开始体力劳动了,不过或许可以碰碰运气 General here to begin the manual, however, may be able to take a chance
google 关键字0x61C88647 很快便能找到这个公开的加密解密算法^_^ google keyword 0x61C88647 soon be able to find open the encryption and decryption algorithm ^ _ ^
本文以讨论思路为主,破解到此为止,在网吧玩游戏的朋友小心哦~ In this paper, mainly to discuss ideas, the end of crack, Internet cafes playing games in the care of friends Oh ~
The wave of network server applications, "Sword II"
NF280是浪潮新一代商用服务器平台中的一款产品,此次在网游领域算是初露峥嵘。 NF280 is the wave of next-generation server platform business in a product, in the field of online games is here lofty. NF280 采用英特尔新至强处理器,配合先进的PCI-E总线技术,拥有了强大的数据处理能力;同时这款产品在稳定性 上有突出的表现,风扇、电源、内存等关键部件均采用了冗余技术,同时针对机架式服务器因为空间因素影响散热 的问题,浪潮在NF280中采用了定向导风技术,大大提升了散热的效率,在业内素有“稳定之王 ”的美誉。 NF280 using the new Intel Xeon processor with advanced PCI-E bus, with a powerful data-processing capability; at the same time in the stability of this product on the outstanding performance of the fan, power, memory, and other key components are used Redundant technology, for the same time, rack-mounted servers because the factors of space cooling, the wave of NF280 in the guide will be used in wind technology has greatly improved the efficiency of the heat in the industry known as "King of stability" reputation .
技术分类: 服务器 Technology: Server x86/PC服务器 x86/PC server 通用服务器 Universal Server
