
2024-11-20-SHABOOM

十一月 20, 2024

反汇编得到的加密函数（实际是哈希函数，并非加密）

sub_401230

SHA

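/*
 * sub_401230 - write the SHA-1 digest of a buffer as uppercase hex.
 *
 * pbData / dwDataLen : bytes to hash.
 * lpString1          : receives the hex digest plus a terminating NUL. No
 *                      buffer size is passed in, so the caller must provide
 *                      at least 2 * 20 + 1 = 41 bytes.
 * Returns 1 on success, 0 if any CryptoAPI call fails.
 *
 * NOTE: this differs from the raw decompiler output in two places, so that it
 * is safe to recompile and call from a solver:
 *   - pdwDataLen is initialised to the size of v6. CryptGetHashParam treats it
 *     as in/out (buffer size in, bytes written out); the decompiled code
 *     passed it uninitialised.
 *   - the result of CryptGetHashParam is checked. The decompiled code ignored
 *     it and would have hex-encoded whatever was in v6 on failure.
 */
int __cdecl sub_401230(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
    DWORD i;
    CHAR String2[4];                 // "%02X" needs two hex digits plus the NUL
    BYTE v6[20];                     // a SHA-1 digest is 20 bytes
    DWORD pdwDataLen = sizeof(v6);   // in: capacity of v6, out: digest length
    HCRYPTHASH phHash;
    HCRYPTPROV phProv;
    int ok = 0;

    // 1u is PROV_RSA_FULL, 0xF0000000 is CRYPT_VERIFYCONTEXT (no key container).
    if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
        return 0;

    // 0x8004 is CALG_SHA1.
    if ( CryptCreateHash(phProv, 0x8004u, 0, 0, &phHash) )
    {
        // 2u is HP_HASHVAL: fetch the finished digest into v6.
        if ( CryptHashData(phHash, pbData, dwDataLen, 0)
          && CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0) )
        {
            *lpString1 = 0;
            for ( i = 0; i < pdwDataLen; ++i )
            {
                wsprintfA(String2, "%02X", v6[i]);
                lstrcatA(lpString1, String2);
            }
            ok = 1;
        }
        // The hash handle is released on both the success and the failure path.
        CryptDestroyHash(phHash);
    }

    CryptReleaseContext(phProv, 0);
    return ok;
}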

sub_401040MD5

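/*
 * sub_401040 - write the MD5 digest of a buffer as uppercase hex.
 *
 * pbData / dwDataLen : bytes to hash.
 * lpString1          : receives the hex digest plus a terminating NUL. No
 *                      buffer size is passed in, so the caller must provide
 *                      at least 2 * 16 + 1 = 33 bytes.
 * Returns 1 on success, 0 if any CryptoAPI call fails.
 *
 * NOTE: this differs from the raw decompiler output in two places, so that it
 * is safe to recompile and call from a solver:
 *   - pdwDataLen is initialised to the size of v6. CryptGetHashParam treats it
 *     as in/out (buffer size in, bytes written out); the decompiled code
 *     passed it uninitialised.
 *   - the result of CryptGetHashParam is checked. The decompiled code ignored
 *     it and would have hex-encoded whatever was in v6 on failure.
 */
int __cdecl sub_401040(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
    DWORD i;
    CHAR String2[4];                 // "%02X" needs two hex digits plus the NUL
    BYTE v6[16];                     // an MD5 digest is 16 bytes
    DWORD pdwDataLen = sizeof(v6);   // in: capacity of v6, out: digest length
    HCRYPTHASH phHash;
    HCRYPTPROV phProv;
    int ok = 0;

    // 1u is PROV_RSA_FULL, 0xF0000000 is CRYPT_VERIFYCONTEXT (no key container).
    if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
        return 0;

    // 0x8003 is CALG_MD5.
    if ( CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash) )
    {
        // 2u is HP_HASHVAL: fetch the finished digest into v6.
        if ( CryptHashData(phHash, pbData, dwDataLen, 0)
          && CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0) )
        {
            *lpString1 = 0;
            for ( i = 0; i < pdwDataLen; ++i )
            {
                wsprintfA(String2, "%02X", v6[i]);
                lstrcatA(lpString1, String2);
            }
            ok = 1;
        }
        // The hash handle is released on both the success and the failure path.
        CryptDestroyHash(phHash);
    }

    CryptReleaseContext(phProv, 0);
    return ok;
}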

通过中间函数简单访问

#include <windows.h>
#include "testCode.h"
// Thunk kept from the binary: forwards its three arguments unchanged to
// sub_401230 and hands back that function's result (1 on success, 0 on failure).
int __cdecl sub_40100A(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
    const int status = sub_401230(pbData, dwDataLen, lpString1);
    return status;
}

我的解密过程

首先是基本情报搜集

len(Destination) = 6，v3 = 6
v7 = Destination 中的数字，v7 > 100000，也就是六位数起步
Destination 然后在末尾加上 @DBApp
String1 将包含由传入数据 Destination 和长度 v3 计算出的哈希值的十六进制表示
String1 == Hash(Destination) == 6E32D0943418C2C33385BC35A1470250DD8923A9

Str 的长度为 v4，v4 == 6
String1 == MD5(Str)
String1 == 27019e688a4e62a649fd99cadaafdb4e


Destination 由数字构成，且数字长度 (v7) == 6，即六位数的数字。传入 v3 和原型计算出 sha = 6E32D0943418C2C33385BC35A1470250DD8923A9，需要逆推或爆破原型。哈希本身无法逆推，但六位数字最多只有 10^6 种可能，所以直接爆破即可。


Str也是 6位 但是经过了 strcat 所以 Str + Destination的md5值是 27019e688a4e62a649fd99cadaafdb4e

解密脚本 SHA部分

#include <iostream>

#include "testCode.h"
#include "test.h"


using namespace std;
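// Brute-forces the six-digit prefix: for every value 000000..999999 the
// candidate "<digits>@DBApp" is hashed through sub_40100A and the hex digest
// is compared, case-insensitively, with the target recovered from the binary.
// The search is feasible only because the input space is 10^6 candidates.
int main()
{
    testHeadFile();

    const char *const kTargetDigest = "6E32D0943418C2C33385BC35A1470250DD8923A9";
    const std::string kSuffix = "@DBApp";

    for (int num = 0; num < 1000000; num++) {
        // Left-pad with zeros so every candidate is exactly six digits long.
        std::string Destination = std::to_string(num);
        if (Destination.length() < 6) {
            Destination.insert(0, 6 - Destination.length(), '0');
        }

        // std::string owns the concatenation, so no fixed-size strcpy/strcat buffer is needed.
        std::string candidate = Destination + kSuffix;
        const int v3 = static_cast<int>(candidate.length());

        // Zero-initialised so a failed hash can never leave stale bytes to compare;
        // 256 bytes is far more than the 41 a hex SHA-1 digest needs.
        char String1[256] = {0};

        // A CryptoAPI failure would make every comparison meaningless, so stop
        // instead of silently scanning the whole range.
        if (!sub_40100A((BYTE*)&candidate[0], v3, String1)) {
            std::cerr << "hash failed for " << Destination << '\n';
            return 1;
        }

        // No per-candidate progress output: printing and flushing a million
        // lines costs far more time than the hashing itself.
        if (_strcmpi(String1, kTargetDigest) == 0) {
            std::cout << "correct:" << '\n';
            std::cout << Destination << '\n';
            std::cout << "@DBApp" << std::endl;
            return 0;
        }
    }

    std::cout << "no match found" << std::endl;
    return 0;
}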