Reverse engineering an encryption algorithm

reverse-engineering encryption decryption
2021-06-18 01:16:02

I have a program that can encrypt files, and I want to be able to create a program that can read those files. I believe it uses Blowfish encryption, but I'm not sure. How do I find out which type of encryption is used and its key?

Using Reflector, I was able to find the following code:

public static unsafe string Encrypt(string text)
{
    string str;
    basic_string<char,std::char_traits<char>,std::allocator<char> > local2;
    sbyte modopt(IsSignUnspecifiedByte)* numPtr = (sbyte modopt(IsSignUnspecifiedByte)*) Marshal.StringToHGlobalAnsi(text);
    std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{ctor}(&local2, numPtr);
    try
    {
        basic_string<char,std::char_traits<char>,std::allocator<char> > local;
        IntPtr hglobal = new IntPtr(numPtr);
        Marshal.FreeHGlobal(hglobal);
        basic_string<char,std::char_traits<char>,std::allocator<char> >* localPtr = _Encrypt(&local, (basic_string<char,std::char_traits<char>,std::allocator<char> > modopt(IsConst)* modopt(IsImplicitlyDereferenced)) &local2);
        try
        {
            str = new string(std.basic_string<char,std::char_traits<char>,std::allocator<char> >.c_str((basic_string<char,std::char_traits<char>,std::allocator<char> > modopt(IsConst)* modopt(IsConst) modopt(IsConst)) localPtr));
        }
        fault
        {
            ___CxxCallUnwindDtor(std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{dtor}, (void*) &local);
        }
        std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{dtor}(&local);
    }
    fault
    {
        ___CxxCallUnwindDtor(std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{dtor}, (void*) &local2);
    }
    std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{dtor}(&local2);
    return str;
}

I noticed it also references this, but I don't understand at all what it does...

[PreserveSig, MethodImpl(MethodImplOptions.Unmanaged, MethodCodeType=MethodCodeType.Native), SuppressUnmanagedCodeSecurity]
internal static unsafe basic_string<char,std::char_traits<char>,std::allocator<char> >* modreq(IsUdtReturn) modopt(CallConvCdecl) _Encrypt(basic_string<char,std::char_traits<char>,std::allocator<char> >*, basic_string<char,std::char_traits<char>,std::allocator<char> > modopt(IsConst)* modopt(IsImplicitlyDereferenced));

I'm still new to desktop programming; my only programming experience is mostly web-based technologies and the absolute basics of C++. I've never dabbled in reverse engineering before either. So please be gentle and thorough in your reply, because I really do want to learn.

------- EDIT

I was finally able to find the same function call in OllyDbg. However, setting a breakpoint and letting the code run doesn't cause it to break.

What might I be doing wrong? :/

CPU Disasm
Address   Hex dump          Command                            Comments
00A088D8  /$  02            ldarg.0
00A088D9  |.  7B CC000004   ldfld openFileDialog3
00A088DE  |.  02            ldarg.0
00A088DF  |.  6F D101000A   callvirt ShowDialog
00A088E4  |.  17            ldc.i4.1
00A088E5  |.- 2E 01         beq.s 0A088E8
00A088E7  |.  2A            ret
00A088E8  |>  02            ldarg.0
00A088E9  |.  7B CC000004   ldfld openFileDialog3
00A088EE  |.  6F 8501000A   callvirt get_FileName
00A088F3  |.  28 D201000A   call ReadAllText
00A088F8  |.  0A            stloc.0
00A088F9  |.  06            ldloc.0
00A088FA  |.  6F 9000000A   callvirt Trim
00A088FF  |.  6F 3900000A   callvirt get_Length
00A08904  |.- 2D 01         brtrue.s 0A08907
00A08906  |.  2A            ret
00A08907  |>  06            ldloc.0
00A08908  |.  6F 9000000A   callvirt Trim
00A0890D  |.  72 99340070   ldstr "ENCRYPTED"                  ; UNICODE "ENCRYPTED"
00A08912  |.  6F D301000A   callvirt StartsWith
00A08917  |.- 2C 1F         brfalse.s 0A08938
00A08919  |.  02            ldarg.0
00A0891A  |.  72 AD340070   ldstr "File is already encrypted"  ; UNICODE "File is already encrypted"
00A0891F  |.  28 14000006   call Translate
00A08924  |.  72 E1340070   ldstr "Error"                      ; UNICODE "Error"
00A08929  |.  28 14000006   call Translate
00A0892E  |.  16            ldc.i4.0
00A0892F  |.  1F 10         ldc.i4.s 10
00A08931  |.  28 D401000A   call Show
00A08936  |.  26            pop
00A08937  |.  2A            ret
00A08938  |>  06            ldloc.0
00A08939  |.  28 D501000A   call Encrypt
00A0893E  |.  0A            stloc.0
00A0893F  |.  06            ldloc.0
00A08940  |.  6F 9000000A   callvirt Trim
00A08945  |.  6F 3900000A   callvirt get_Length
00A0894A  |.- 2D 01         brtrue.s 0A0894D
00A0894C  |.  2A            ret
00A0894D  |>  02            ldarg.0
00A0894E  |.  7B CC000004   ldfld openFileDialog3
00A08953  |.  6F 8501000A   callvirt get_FileName
00A08958  |.  02            ldarg.0
00A08959  |.  7B CC000004   ldfld openFileDialog3
00A0895E  |.  6F 8501000A   callvirt get_FileName
00A08963  |.  72 ED340070   ldstr ".bak"                       ; UNICODE ".bak"
00A08968  |.  28 3A00000A   call Concat
00A0896D  |.  17            ldc.i4.1
00A0896E  |.  28 B700000A   call Copy
00A08973  |.  02            ldarg.0
00A08974  |.  7B CC000004   ldfld openFileDialog3
00A08979  |.  6F 8501000A   callvirt get_FileName
00A0897E  |.  06            ldloc.0
00A0897F  |.  28 A200000A   call WriteAllText
00A08984  |.  02            ldarg.0
00A08985  |.  72 F7340070   ldstr "File encrypted"             ; UNICODE "File encrypted"
00A0898A  |.  28 14000006   call Translate
00A0898F  |.  72 15350070   ldstr "Info"                       ; UNICODE "Info"
00A08994  |.  28 14000006   call Translate
00A08999  |.  16            ldc.i4.0
00A0899A  |.  1F 40         ldc.i4.s 40
00A0899C  |.  28 D401000A   call Show
00A089A1  |.  26            pop
00A089A2  \.  2A            ret
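The question above asks how to find out which cipher the native _Encrypt routine uses. One standard, non-invasive way to answer that is to scan the binary (the EXE or the DLL that _Encrypt lives in) for the constants that well-known ciphers are built from: Blowfish initialises its P-array and S-boxes from the hexadecimal digits of pi, so a compiled Blowfish implementation almost always carries those words verbatim in its data section. The following is an added example, not code from the original post or from the program being discussed; the "binary" it scans is a constructed stand-in, and a real analysis would point `scan_file` at the DLL instead.

```python
"""
Added example: locate Blowfish's pi-derived P-array constants in a byte blob.
A hit tells you which algorithm a native routine implements before you spend
time chasing its key. The sample input is constructed for this demo.
"""
import struct

# First six P-array words of Blowfish: the fractional hex digits of pi
# (3.243F6A88 85A308D3 13198A2E 03707344 A4093822 299F31D0 ...).
BLOWFISH_P_PREFIX = (0x243F6A88, 0x85A308D3, 0x13198A2E,
                     0x03707344, 0xA4093822, 0x299F31D0)


def signatures():
    """Return {name: bytes}. x86 code stores 32-bit words little-endian, but a
    byte-swapped table is also common, so both orders are searched."""
    return {
        "blowfish-P-array-LE": b"".join(struct.pack("<I", w) for w in BLOWFISH_P_PREFIX),
        "blowfish-P-array-BE": b"".join(struct.pack(">I", w) for w in BLOWFISH_P_PREFIX),
    }


def scan(blob: bytes):
    """Return a sorted list of (signature_name, offset) for every occurrence."""
    hits = []
    for name, sig in signatures().items():
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str):
    """Convenience wrapper: scan a file on disk (e.g. the DLL holding _Encrypt)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


def build_sample_binary() -> bytes:
    """Constructed stand-in for a data section: 64 bytes of padding, the
    little-endian P-array prefix, then 32 zero bytes."""
    return b"\x90" * 64 + signatures()["blowfish-P-array-LE"] + b"\x00" * 32


if __name__ == "__main__":
    for name, off in scan(build_sample_binary()):
        print(f"{name} at offset 0x{off:x}")
```

Finding the constants identifies the algorithm, not the key: Blowfish's key schedule XORs the key into this P-array at runtime, so the key itself has to be found where the program stores or derives it (a string constant, a config value, or something typed by the user), which is a separate step.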

1 Answer
[PreserveSig, MethodImpl(MethodImplOptions.Unmanaged, MethodCodeType=MethodCodeType.Native), SuppressUnmanagedCodeSecurity]

Do you see the first part that says Unmanaged? .NET is a "managed" environment. Since this refers to memory, I can tell you that C and C++ are not (watch out for C++.NET, because that is managed C++).

Anyway, from the looks of it, I'd say it calls that function from an external source (I suspect a DLL).

internal static unsafe basic_string<char,std::char_traits<char>,std::allocator<char> >* modreq(IsUdtReturn) modopt(CallConvCdecl) _Encrypt(basic_string<char,std::char_traits<char>,std::allocator<char> >*, basic_string<char,std::char_traits<char>,std::allocator<char> > modopt(IsConst)* modopt(IsImplicitlyDereferenced));

This shows that it is called as a Cdecl function; the method is called _Encrypt and it takes some parameters.

Hope this helps; for now you should start by learning the basics, especially if you're going to dig into disassembling this native code.