渗透TEA加密算法
0040139C CALL <CrackMe_._powmod>
powmod(edi,esi,ebp,esi)作用是esi=esi^edi mod ebp
004013A1 LEA EAX,DWORD PTR SS:[ESP+1CC]
004013A8 PUSH 0
004013AA PUSH EAX
004013AB PUSH ESI
004013AC PUSH 0
004013AE CALL <CrackMe_._big_to_bytes>
;big_to_bytes() 大数转为字符串
004013B3 PUSH ESI
004013B4 CALL <CrackMe_._mirkill>
; mirkill(esi) 清空内存
004013B9 PUSH EBP
004013BA CALL <CrackMe_._mirkill>
; mirkill(ebp) 清空内存
004013BF PUSH EDI
004013C0 CALL <CrackMe_._mirkill>
; mirkill(edi) 清空内存
004013C5 PUSH EBX
004013C6 CALL <CrackMe_._mirkill>
; mirkill(ebx) 清空内存
004013CB ADD ESP,30
004013CE CALL CrackMe_.004023D0
004013D3 MOV ECX,2
004013D8 LEA EDI,DWORD PTR SS:[ESP+1BC]
004013DF LEA ESI,DWORD PTR SS:[ESP+20]
;比较SS:[ESP+1BC]和SS:[ESP+20]中的值 相等则OK
004013E3 XOR EDX,EDX
004013E5 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>
004013E7 POP EDI
004013E8 MOV EAX,EDX
经过我上面的注释,应该很明了了。我再详细说明一下:
Esi= edi^ebx mod ebp=
7FB021984C05838E237FADC57C627AD7ED8C8FE25D4853FECA71C86108F69AA1 然后esi= esi^edi mod ebp=
04AB07B64C12164E9F4DD622D3D37D5670AE03D737031D5222F78A94B52A1AA2 然后把ESI转为大数即可。
取大数的前16位和TEA解密那个数比较,如果相等就注册成功。
因此用TEA加密大数的前16位即可。即TEA_encrypto(A21A2AB5948AF722,KEY) 用我的TEA算法工具可以得出:如图5