用 PEiD 的算法扫描插件, 可以扫描出使用了 SHA1 的程序. 它所匹配的特征码就是 SHA1 的轮常量 K3.
/* SHA1 constants as they appear in the reference source.
 * H0..H4 are the initial hash words that sha1_init stores into h[0..4]
 * (see the immediates at 00401016..00401032 in the sha1_init listing).
 * K0..K3 are the per-round additive constants; each one shows up as an
 * immediate in sha1_transform's lea (00401119, 00401176, 004011E7, 0040123B),
 * which is why a byte-pattern scanner can key on K3. */
#define H0 0x67452301L
#define H1 0xefcdab89L
#define H2 0x98badcfeL
#define H3 0x10325476L
#define H4 0xc3d2e1f0L
#define K0 0x5a827999L   /* rounds  0..19 */
#define K1 0x6ed9eba1L   /* rounds 20..39 */
#define K2 0x8f1bbcdcL   /* rounds 40..59 */
#define K3 0xca62c1d6L   /* rounds 60..79 -- the scanner's signature */
K3所在的函数是sha1_transform
; sha1_transform(sha *sh) -- cdecl, sh at [esp+4] on entry.
; Struct offsets observed in this listing: length[0] +0, length[1] +4,
; h[0..4] +8..+18, w[0..79] from +28 (the gap +1C..+27 is not used here).
; Prologue: 0C bytes of locals plus ebx/ebp/esi/edi saved, so afterwards the
; sh argument slot is [esp+20] and the three local dwords [esp+10]/[esp+14]/
; [esp+18] hold e, the current w pointer and the round counter (their roles
; are swapped between the four round loops).
00401090 <SHA1KeyG.sha1_tra>/$ 8B4C24 04 mov ecx, dWord ptr [esp+4]    ; ecx = sh
00401094 |. 83EC 0C sub esp, 0C
00401097 |. 53 push ebx
00401098 |. 55 push ebp
00401099 |. 8D59 28 lea ebx, dword ptr [ecx+28]                        ; ebx = &sh->w[0]
0040109C |. 56 push esi
0040109D |. 57 push edi
0040109E |. 8BD3 mov edx, ebx                                          ; edx = &w[t-16], t starts at 16
004010A0 |. BE 40000000 mov esi, 40                                    ; 64 iterations: t = 16..79
; Message schedule: w[t] = S(1, w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16])
004010A5 |> 8B42 34 /mov eax, dword ptr [edx+34]                       ; w[t-3]
004010A8 |. 8B7A 20 |mov edi, dword ptr [edx+20]                       ; w[t-8]
004010AB |. 8B6A 08 |mov ebp, dword ptr [edx+8]                        ; w[t-14]
004010AE |. 33C7 |xor eax, edi
004010B0 |. 8B3A |mov edi, dword ptr [edx]                             ; w[t-16]
004010B2 |. 33C5 |xor eax, ebp
004010B4 |. 33C7 |xor eax, edi
004010B6 |. 83C2 04 |add edx, 4
004010B9 |. 8BF8 |mov edi, eax
004010BB |. 03C0 |add eax, eax                                         ; rotl(x,1) = (x << 1) | (x >> 31)
004010BD |. C1EF 1F |shr edi, 1F
004010C0 |. 0BF8 |or edi, eax
004010C2 |. 4E |dec esi
004010C3 |. 897A 3C |mov dword ptr [edx+3C], edi                       ; w[t] (edx already advanced by 4)
004010C6 |.^ 75 DD /jnz short 004010A5
; Load the working state: edi = a, eax = b, edx = c, esi = d, e spilled to [esp+10]
004010C8 |. 8B79 08 mov edi, dword ptr [ecx+8]                         ; a = h[0]
004010CB |. 8B41 0C mov eax, dword ptr [ecx+C]                         ; b = h[1]
004010CE |. 8B51 10 mov edx, dword ptr [ecx+10]                        ; c = h[2]
004010D1 |. 8B71 14 mov esi, dword ptr [ecx+14]                        ; d = h[3]
004010D4 |. 8B49 18 mov ecx, dword ptr [ecx+18]                        ; e = h[4]
004010D7 |. 895C24 14 mov dword ptr [esp+14], ebx                      ; [esp+14] = &w[0]
004010DB |. 894C24 10 mov dword ptr [esp+10], ecx                      ; [esp+10] = e
004010DF |. C74424 18 140>mov dword ptr [esp+18], 14                   ; 20 rounds
; Rounds 0..19: temp = K0 + F0(b,c,d) + S(5,a) + e + w[t], F0 = (b & c) | (~b & d)
004010E7 |> 8BC8 /mov ecx, eax
004010E9 |. 8BDA |mov ebx, edx
004010EB |. F7D1 |not ecx
004010ED |. 23CE |and ecx, esi                                         ; ~b & d
004010EF |. 23D8 |and ebx, eax                                         ; c & b
004010F1 |. 0BCB |or ecx, ebx                                          ; F0(b,c,d)
004010F3 |. 8BDF |mov ebx, edi
004010F5 |. 8BEF |mov ebp, edi
004010F7 |. C1EB 1B |shr ebx, 1B
004010FA |. C1E5 05 |shl ebp, 5
004010FD |. 0BDD |or ebx, ebp                                          ; S(5,a)
004010FF |. 8B6C24 14 |mov ebp, dword ptr [esp+14]
00401103 |. 03CB |add ecx, ebx
00401105 |. 8B5D 00 |mov ebx, dword ptr [ebp]                          ; w[t]
00401108 |. 83C5 04 |add ebp, 4
0040110B |. 03CB |add ecx, ebx
0040110D |. 8B5C24 10 |mov ebx, dword ptr [esp+10]                     ; e
00401111 |. 896C24 14 |mov dword ptr [esp+14], ebp
00401115 |. 8B6C24 18 |mov ebp, dword ptr [esp+18]
00401119 |. 8D8C19 997982>|lea ecx, dword ptr [ecx+ebx+5A827999]      ; + e + K0
00401120 |. 8BDE |mov ebx, esi                                         ; e = d
00401122 |. 8BF2 |mov esi, edx                                         ; d = c
00401124 |. 8BD0 |mov edx, eax
00401126 |. C1E2 1E |shl edx, 1E
00401129 |. C1E8 02 |shr eax, 2
0040112C |. 0BD0 |or edx, eax                                          ; c = S(30,b)
0040112E |. 4D |dec ebp
0040112F |. 8BC7 |mov eax, edi                                         ; b = a
00401131 |. 895C24 10 |mov dword ptr [esp+10], ebx
00401135 |. 8BF9 |mov edi, ecx                                         ; a = temp (also still in ecx)
00401137 |. 896C24 18 |mov dword ptr [esp+18], ebp
0040113B |.^ 75 AA /jnz short 004010E7
0040113D |. 8B6C24 20 mov ebp, dword ptr [esp+20]                      ; sh
00401141 |. C74424 14 140>mov dword ptr [esp+14], 14                   ; 20 rounds
00401149 |. 83C5 78 add ebp, 78                                        ; &w[20] = sh + 28 + 20*4
0040114C |. 896C24 18 mov dword ptr [esp+18], ebp
; Rounds 20..39: F1 = b ^ c ^ d, constant K1; a is in ecx (and edi), e in ebx
00401150 |> 8BE9 /mov ebp, ecx
00401152 |. C1ED 1B |shr ebp, 1B
00401155 |. C1E1 05 |shl ecx, 5
00401158 |. 0BE9 |or ebp, ecx                                          ; S(5,a)
0040115A |. 8BCE |mov ecx, esi
0040115C |. 33CA |xor ecx, edx
0040115E |. 33C8 |xor ecx, eax                                         ; F1(b,c,d)
00401160 |. 03E9 |add ebp, ecx
00401162 |. 8BCD |mov ecx, ebp
00401164 |. 8B6C24 18 |mov ebp, dword ptr [esp+18]
00401168 |. 034D 00 |add ecx, dword ptr [ebp]                          ; + w[t]
0040116B |. 83C5 04 |add ebp, 4
0040116E |. 896C24 18 |mov dword ptr [esp+18], ebp
00401172 |. 8B6C24 14 |mov ebp, dword ptr [esp+14]
00401176 |. 8D8C19 A1EBD9>|lea ecx, dword ptr [ecx+ebx+6ED9EBA1]      ; + e + K1
0040117D |. 8BDE |mov ebx, esi                                         ; e = d
0040117F |. 8BF2 |mov esi, edx                                         ; d = c
00401181 |. 8BD0 |mov edx, eax
00401183 |. C1E2 1E |shl edx, 1E
00401186 |. C1E8 02 |shr eax, 2
00401189 |. 0BD0 |or edx, eax                                          ; c = S(30,b)
0040118B |. 4D |dec ebp
0040118C |. 8BC7 |mov eax, edi                                         ; b = a
0040118E |. 8BF9 |mov edi, ecx                                         ; a = temp
00401190 |. 896C24 14 |mov dword ptr [esp+14], ebp
00401194 |.^ 75 BA /jnz short 00401150
00401196 |. 895C24 10 mov dword ptr [esp+10], ebx                      ; spill e
0040119A |. 8B5C24 20 mov ebx, dword ptr [esp+20]                      ; sh
0040119E |. 81C3 C8000000 add ebx, 0C8                                 ; &w[40]
004011A4 |. C74424 14 140>mov dword ptr [esp+14], 14                   ; 20 rounds
004011AC |. 895C24 18 mov dword ptr [esp+18], ebx
; Rounds 40..59: F2 = (b & c) | ((b | c) & d) (majority), constant K2
004011B0 |> 8BEA /mov ebp, edx
004011B2 |. 8BDA |mov ebx, edx
004011B4 |. 0BE8 |or ebp, eax                                          ; c | b
004011B6 |. 23D8 |and ebx, eax                                         ; c & b
004011B8 |. 23EE |and ebp, esi                                         ; (b | c) & d
004011BA |. 0BEB |or ebp, ebx                                          ; F2(b,c,d)
004011BC |. 8BD9 |mov ebx, ecx
004011BE |. C1EB 1B |shr ebx, 1B
004011C1 |. C1E1 05 |shl ecx, 5
004011C4 |. 0BD9 |or ebx, ecx                                          ; S(5,a)
004011C6 |. 03EB |add ebp, ebx
004011C8 |. 8B5C24 18 |mov ebx, dword ptr [esp+18]
004011CC |. 8B0B |mov ecx, dword ptr [ebx]                             ; w[t]
004011CE |. 83C3 04 |add ebx, 4
004011D1 |. 03E9 |add ebp, ecx
004011D3 |. 8B4C24 10 |mov ecx, dword ptr [esp+10]                     ; e
004011D7 |. 897424 10 |mov dword ptr [esp+10], esi                     ; e = d
004011DB |. 8BF2 |mov esi, edx                                         ; d = c
004011DD |. 8BD0 |mov edx, eax
004011DF |. 895C24 18 |mov dword ptr [esp+18], ebx
004011E3 |. 8B5C24 14 |mov ebx, dword ptr [esp+14]
004011E7 |. 8D8C29 DCBC1B>|lea ecx, dword ptr [ecx+ebp+8F1BBCDC]      ; temp = e + (F2 + S5 + w) + K2
004011EE |. C1E2 1E |shl edx, 1E
004011F1 |. C1E8 02 |shr eax, 2
004011F4 |. 0BD0 |or edx, eax                                          ; c = S(30,b)
004011F6 |. 4B |dec ebx
004011F7 |. 8BC7 |mov eax, edi                                         ; b = a
004011F9 |. 8BF9 |mov edi, ecx                                         ; a = temp
004011FB |. 895C24 14 |mov dword ptr [esp+14], ebx
004011FF |.^ 75 AF /jnz short 004011B0
00401201 |. 8B5C24 20 mov ebx, dword ptr [esp+20]                      ; ebx = sh, kept through the last loop
00401205 |. C74424 18 140>mov dword ptr [esp+18], 14                   ; 20 rounds
0040120D |. 8DAB 18010000 lea ebp, dword ptr [ebx+118]                 ; &w[60]
00401213 |. 896C24 20 mov dword ptr [esp+20], ebp                      ; argument slot reused as the w pointer
; Rounds 60..79: F3 = b ^ c ^ d, constant K3 (the byte pattern the scanner keys on)
00401217 |> 8BE9 /mov ebp, ecx
00401219 |. C1ED 1B |shr ebp, 1B
0040121C |. C1E1 05 |shl ecx, 5
0040121F |. 0BE9 |or ebp, ecx                                          ; S(5,a)
00401221 |. 8BCE |mov ecx, esi
00401223 |. 33CA |xor ecx, edx
00401225 |. 33C8 |xor ecx, eax                                         ; F3(b,c,d)
00401227 |. 03E9 |add ebp, ecx
00401229 |. 8B4C24 20 |mov ecx, dword ptr [esp+20]
0040122D |. 0329 |add ebp, dword ptr [ecx]                             ; + w[t]
0040122F |. 8B4C24 10 |mov ecx, dword ptr [esp+10]                     ; e
00401233 |. 897424 10 |mov dword ptr [esp+10], esi                     ; e = d
00401237 |. 8BF2 |mov esi, edx                                         ; d = c
00401239 |. 8BD0 |mov edx, eax
0040123B |. 8D8C29 D6C162>|lea ecx, dword ptr [ecx+ebp+CA62C1D6]      ; temp = e + (F3 + S5 + w) + K3
00401242 |. 8B6C24 20 |mov ebp, dword ptr [esp+20]
00401246 |. 83C5 04 |add ebp, 4
00401249 |. C1E2 1E |shl edx, 1E
0040124C |. C1E8 02 |shr eax, 2
0040124F |. 896C24 20 |mov dword ptr [esp+20], ebp
00401253 |. 8B6C24 18 |mov ebp, dword ptr [esp+18]
00401257 |. 0BD0 |or edx, eax                                          ; c = S(30,b)
00401259 |. 4D |dec ebp
0040125A |. 8BC7 |mov eax, edi                                         ; b = a
0040125C |. 8BF9 |mov edi, ecx                                         ; a = temp
0040125E |. 896C24 18 |mov dword ptr [esp+18], ebp
00401262 |.^ 75 B3 /jnz short 00401217
; Fold the working state back into h[]: ecx = a, eax = b, edx = c, esi = d, e at [esp+10]
00401264 |. 8B7B 08 mov edi, dword ptr [ebx+8]
00401267 |. 03F9 add edi, ecx                                          ; h[0] += a
00401269 |. 8B4B 0C mov ecx, dword ptr [ebx+C]
0040126C |. 03C8 add ecx, eax                                          ; h[1] += b
0040126E |. 8B43 10 mov eax, dword ptr [ebx+10]
00401271 |. 03C2 add eax, edx                                          ; h[2] += c
00401273 |. 894B 0C mov dword ptr [ebx+C], ecx
00401276 |. 8B4C24 10 mov ecx, dword ptr [esp+10]                      ; e
0040127A |. 8943 10 mov dword ptr [ebx+10], eax
0040127D |. 8B43 14 mov eax, dword ptr [ebx+14]
00401280 |. 897B 08 mov dword ptr [ebx+8], edi
00401283 |. 03C6 add eax, esi                                          ; h[3] += d
00401285 |. 5F pop edi
00401286 |. 8943 14 mov dword ptr [ebx+14], eax
00401289 |. 8B43 18 mov eax, dword ptr [ebx+18]
0040128C |. 03C1 add eax, ecx                                          ; h[4] += e
0040128E |. 5E pop esi
0040128F |. 8943 18 mov dword ptr [ebx+18], eax
00401292 |. 5D pop ebp
00401293 |. 5B pop ebx
00401294 |. 83C4 0C add esp, 0C
00401297 /. C3 retn
static void sha1_transform(sha *sh)
{ /* basic transformation step */
    unsigned int a,b,c,d,e,temp;
    int t;
    for (t=16;t<80;t++) sh->w[t]=S(1,sh->w[t-3]^sh->w[t-8]^sh->w[t-14]^sh->w[t-16]);
    a=sh->h[0];
    b=sh->h[1];
    c=sh->h[2];
    d=sh->h[3];
    e=sh->h[4];
    for (t=0;t<20;t++)
    { /* 20 times - mush it up */
        temp=K0+F0(b,c,d)+S(5,a)+e+sh->w[t];
        e=d; d=c;
        c=S(30,b);
        b=a; a=temp;
    }
    for (t=20;t<40;t++)
    { /* 20 more times - mush it up */
        temp=K1+F1(b,c,d)+S(5,a)+e+sh->w[t];
        e=d; d=c;
        c=S(30,b);
        b=a; a=temp;
    }
    for (t=40;t<60;t++)
    { /* 20 more times - mush it up */
        temp=K2+F2(b,c,d)+S(5,a)+e+sh->w[t];
        e=d; d=c;
        c=S(30,b);
        b=a; a=temp;
    }
    for (t=60;t<80;t++)
    { /* 20 more times - mush it up */
        temp=K3+F3(b,c,d)+S(5,a)+e+sh->w[t];
        e=d; d=c;
        c=S(30,b);
        b=a; a=temp;
    }
    sh->h[0]+=a; sh->h[1]+=b; sh->h[2]+=c; sh->h[3]+=d; sh->h[4]+=e;
}
sha1_transform 分别在sha1_PRocess和sha1_hash中被调用. sha1_process中调用sha1_transform的条件是((sh->length[0]%512)==0) sha1_hash中调用了2次sha1_process(一次是循环外, 一次是循环内) 从反汇编上, 就可以识别出sha1_process和sha1_hash
; sha1_process(sha *sh, int byte) -- cdecl; absorbs one message byte.
; sh at [esp+4]; byte at [esp+8], read as [esp+C] after the push esi.
00401040 <SHA1KeyG.sha1_process> /$ 8B4424 04 mov eax, dword ptr [esp+4]  ; eax = sh
00401044 |. 56 push esi
00401045 |. 8B7424 0C mov esi, dword ptr [esp+C]                       ; esi = byte
00401049 |. 8B08 mov ecx, dword ptr [eax]                              ; length[0] (message length in bits)
0040104B |. 81E6 FF000000 and esi, 0FF                                 ; byte & 0xFF: a sign-extended char from the caller is harmless
00401051 |. C1E9 05 shr ecx, 5                                         ; length[0] / 32
00401054 |. 83E1 0F and ecx, 0F                                        ; % 16 -> cnt
00401057 |. 8B5488 28 mov edx, dword ptr [eax+ecx*4+28]                ; w[cnt]
0040105B |. C1E2 08 shl edx, 8
0040105E |. 0BD6 or edx, esi                                           ; w[cnt] = (w[cnt] << 8) | byte -- big-endian word packing
00401060 |. 5E pop esi
00401061 |. 895488 28 mov dword ptr [eax+ecx*4+28], edx
00401065 |. 8B08 mov ecx, dword ptr [eax]
00401067 |. 83C1 08 add ecx, 8                                         ; length[0] += 8
0040106A |. 8908 mov dword ptr [eax], ecx
0040106C |. 75 0D jnz short 0040107B                                   ; wrapped to 0 -> carry into length[1]
0040106E |. 8B48 04 mov ecx, dword ptr [eax+4]
00401071 |. C700 00000000 mov dword ptr [eax], 0                       ; already 0 on this path; mirrors sh->length[0]=0L in the C
00401077 |. 41 inc ecx
00401078 |. 8948 04 mov dword ptr [eax+4], ecx
0040107B |> F700 FF010000 test dword ptr [eax], 1FF                    ; length[0] % 512 == 0 -> a full 64-byte block
00401081 |. 75 07 jnz short 0040108A
00401083 |. 50 push eax
00401084 |. E8 07000000 call <sha1_transform>
00401089 |. 59 pop ecx                                                 ; caller discards the one argument
0040108A /> C3 retn
void sha1_process(sha *sh,int byte)
{ /* process the next message byte */
    int cnt;
    cnt=(int)((sh->length[0]/32)%16);
    sh->w[cnt]<<=8;
    sh->w[cnt]|=(unsigned int)(byte&0xFF);
    sh->length[0]+=8;
    if (sh->length[0]==0L) { sh->length[1]++; sh->length[0]=0L; }
    if ((sh->length[0]%512)==0) sha1_transform(sh);
}
; sha1_hash(sha *sh, char hash[20]) -- cdecl; pads the message, runs the
; final block, writes the 20-byte digest and re-initialises the context.
; sh at [esp+4] (= [esp+C] after two pushes), hash at [esp+8] (= [esp+18]
; after three pushes plus the pushed argument).
004012A0 <SHA1KeyG.sha1_hash> /$ 53 push ebx
004012A1 |. 56 push esi
004012A2 |. 8B7424 0C mov esi, dword ptr [esp+C]                       ; esi = sh
004012A6 |. 57 push edi
004012A7 |. 68 80000000 push 80                                        ; PAD = 0x80
004012AC |. 56 push esi
004012AD |. 8B3E mov edi, dword ptr [esi]                              ; len0 = length[0], saved before padding changes it
004012AF |. 8B5E 04 mov ebx, dword ptr [esi+4]                         ; len1 = length[1]
004012B2 |. E8 89FDFFFF call <sha1_process>
004012B7 |. 8B06 mov eax, dword ptr [esi]
004012B9 |. 83C4 08 add esp, 8
004012BC |. 25 FF010000 and eax, 1FF                                   ; length[0] % 512
004012C1 |. 3D C0010000 cmp eax, 1C0                                   ; == 448 ?
004012C6 |. 74 1B je short 004012E3
; Feed ZERO bytes until length[0] % 512 == 448
004012C8 |> 6A 00 /push 0
004012CA |. 56 |push esi
004012CB |. E8 70FDFFFF |call <sha1_process>
004012D0 |. 8B0E |mov ecx, dword ptr [esi]
004012D2 |. 83C4 08 |add esp, 8
004012D5 |. 81E1 FF010000 |and ecx, 1FF
004012DB |. 81F9 C0010000 |cmp ecx, 1C0
004012E1 |.^ 75 E5 /jnz short 004012C8
004012E3 |> 56 push esi
004012E4 |. 895E 60 mov dword ptr [esi+60], ebx                        ; w[14] = len1 (high word of the 64-bit bit length)
004012E7 |. 897E 64 mov dword ptr [esi+64], edi                        ; w[15] = len0 (low word)
004012EA |. E8 A1FDFFFF call <sha1_transform>
004012EF |. 8B5C24 18 mov ebx, dword ptr [esp+18]                      ; ebx = hash (output buffer)
004012F3 |. 83C4 04 add esp, 4
004012F6 |. 33FF xor edi, edi                                          ; i = 0
; hash[i] = (h[i/4] >> (8*(3 - i%4))) & 0xff -- big-endian byte order.
; i is a signed int, so the compiler emits sign-fixup idioms for i%4 and i/4.
004012F8 |> 8BD7 /mov edx, edi
004012FA |. 81E2 03000080 |and edx, 80000003                           ; i % 4 (signed-modulo idiom, through 00401306)
00401300 |. 79 05 |jns short 00401307
00401302 |. 4A |dec edx
00401303 |. 83CA FC |or edx, FFFFFFFC
00401306 |. 42 |inc edx
00401307 |> C1E2 03 |shl edx, 3                                        ; 8 * (i % 4)
0040130A |. B9 18000000 |mov ecx, 18
0040130F |. 8BC7 |mov eax, edi
00401311 |. 2BCA |sub ecx, edx                                         ; cl = 24 - 8*(i%4) = 8*(3 - i%4)
00401313 |. 99 |cdq
00401314 |. 83E2 03 |and edx, 3
00401317 |. 03C2 |add eax, edx
00401319 |. C1F8 02 |sar eax, 2                                        ; i / 4 (signed-divide idiom)
0040131C |. 8B4486 08 |mov eax, dword ptr [esi+eax*4+8]                ; h[i/4]
00401320 |. D3E8 |shr eax, cl
00401322 |. 47 |inc edi
00401323 |. 83FF 14 |cmp edi, 14                                       ; 20 output bytes
00401326 |. 88441F FF |mov byte ptr [edi+ebx-1], al                    ; hash[i] (edi already incremented)
0040132A |.^ 7C CC /jl short 004012F8
0040132C |. 56 push esi
0040132D |. E8 CEFCFFFF call 00401000                                  ; sha1_init(sh): state is reset once the digest is out
00401332 |. 83C4 04 add esp, 4
00401335 |. 5F pop edi
00401336 |. 5E pop esi
00401337 |. 5B pop ebx
00401338 /. C3 retn
void sha1_hash(sha *sh,char hash[20])
{ /* pad message and finish - supply digest */
    int i;
    unsigned int len0,len1;
    len0=sh->length[0];
    len1=sh->length[1];
    sha1_process(sh,PAD);
    while ((sh->length[0]%512)!=448) sha1_process(sh,ZERO);
    sh->w[14]=len1;
    sh->w[15]=len0;
    sha1_transform(sh);
    for (i=0;i<20;i++)
    { /* convert to bytes */
        hash[i]=((sh->h[i/4]>>(8*(3-i%4))) & 0xffL);
    }
    sha1_init(sh);
}
在sha1_hash之外调用的sha1_process, 是用户逻辑, 从上下文可以确定sha1_init sha1_hash出来的结果就是hash值
; Caller fragment (user logic). The enclosing function begins before 004014FF
; and is not part of this excerpt; esi and ebx are set up there.
004014FF |. E8 FCFAFFFF call 00401000 ; sh1_init?                      ; 00401000 is <SHA1KeyG.sh1_init>, listed below
00401504 |. 83C4 04 add esp, 4
00401507 |. 33FF xor edi, edi                                          ; i = 0
00401509 |. 3BF3 cmp esi, ebx                                          ; esi = loop bound (input length); ebx comes from outside this fragment
0040150B |. 7E 1E jle short 0040152B
; Feed the input one byte at a time: sha1_process(&sh, szName[i])
0040150D |> 0FBE8C3C D001>/movsx ecx, byte ptr [esp+edi+1D0]          ; sign-extended char; sha1_process masks it with 0xFF
00401515 |. 8D9424 600300>|lea edx, dword ptr [esp+360]                ; &sh -- the context lives on the caller's stack
0040151C |. 51 |push ecx
0040151D |. 52 |push edx
0040151E |. E8 1DFBFFFF |call <sha1_process>
00401523 |. 83C4 08 |add esp, 8
00401526 |. 47 |inc edi
00401527 |. 3BFE |cmp edi, esi
00401529 |.^ 7C E2 /jl short 0040150D
0040152B |> 8D8424 080100>lea eax, dword ptr [esp+108]                 ; output buffer passed as hash[20]
00401532 |. 8D8C24 600300>lea ecx, dword ptr [esp+360]                 ; &sh
00401539 |. 50 push eax
0040153A |. 51 push ecx
0040153B |. E8 60FDFFFF call <sha1_hash>
; sha1_init(sha *sh) -- cdecl; zeroes w[0..79] and both length words, then
; loads the five initial hash words H0..H4 into h[0..4].
00401000 <SHA1KeyG.sh1_init> /$ 8B5424 04 mov edx, dword ptr [esp+4]  ; edx = sh
00401004 |. 57 push edi
00401005 |. B9 50000000 mov ecx, 50                                    ; 80 dwords
0040100A |. 33C0 xor eax, eax
0040100C |. 8D7A 28 lea edi, dword ptr [edx+28]                        ; &w[0]
0040100F |. F3:AB rep stos dword ptr es:[edi]                          ; w[i] = 0
00401011 |. 8942 04 mov dword ptr [edx+4], eax                         ; length[1] = 0
00401014 |. 8902 mov dword ptr [edx], eax                              ; length[0] = 0
00401016 |. C742 08 01234>mov dword ptr [edx+8], 67452301              ; h[0] = H0
0040101D |. C742 0C 89ABC>mov dword ptr [edx+C], EFCDAB89              ; h[1] = H1
00401024 |. C742 10 FEDCB>mov dword ptr [edx+10], 98BADCFE             ; h[2] = H2
0040102B |. C742 14 76543>mov dword ptr [edx+14], 10325476             ; h[3] = H3
00401032 |. C742 18 F0E1D>mov dword ptr [edx+18], C3D2E1F0             ; h[4] = H4
00401039 |. 5F pop edi
0040103A /. C3 retn
sha1_init和其他hash算法一样, 会赋值一些魔法数.
/* Reference source for the routine listed at 00401000: clear the message
 * schedule and length counters, then load the initial hash words. */
void sha1_init(sha *sh)
{ /* re-initialise */
    int i;
    for (i=0;i<80;i++) sh->w[i]=0L;      /* the rep stos of 0x50 dwords at 0040100F */
    sh->length[0]=sh->length[1]=0L;
    sh->h[0]=H0;                         /* H0..H4 are the five immediates at 00401016..00401032 */
    sh->h[1]=H1;
    sh->h[2]=H2;
    sh->h[3]=H3;
    sh->h[4]=H4;
}
sha1总的调用流程
/* Overall call sequence, as seen in the caller fragment at 004014FF..0040153B:
 * init, one sha1_process per input byte, then sha1_hash to obtain the digest. */
sha1_init(&sh);
sha1_process(&sh,szName[i]); // may be called repeatedly in a loop, like md5_update
sha1_hash(&sh,szHash);
新闻热点