与校园网斗智斗勇（一）之分析G姓客户端本地密码加密

本帖最后由 红颜世家、 于 2019-7-13 18:33 编辑

前言
注：
本文由楼主个人博客原创文章修改整理而来，菜鸟技术，大神莫喷。
博主所在的学校如果想要上网，需要通过一个认证客户端进行登录认证才允许接通网络，而这款认证客户端是由寰创网络科技制作的，因其软件图标为红房子，所以被各大高校称之为Giwifi。
虽然它的名字叫GiWiFi，听起来温柔亲切，但是它的“所作所为”一点都不亲切，一点都不温柔，导致同学们怨声四起。为什么呢？
因为GiWiFi对Wifi共享软件以及路由器做了相应的限制机制，使得我们无法正常使用Wifi，说是要遵循校园网一人一号的网络安全原则（其实大家心知肚明、心照不宣）。
那么为了突破GiWiFi的种种限制，我们需要对其进行反汇编（破解）。达到最终目的
客户端同目录有一个config.ini文件
[Parameters]
LatestUsername=13788888888
LatestPassword=TxMJCxEc
OD载入搜索字符串找到 LatestUsername 回车进入 下个断 一步一步走可以知道解密函数

[Asm] 纯文本查看 复制代码

0041F368 |. 8D4D C4 lea ecx,[local.15] 0041F36B |. E8 E068FEFF call NiWiFiAs.00405C50 0041F370 |. 50 push eax ; |ReturnBuffer = 00000001 0041F371 |. 68 0CB65B00 push NiWiFiAs.005BB60C ; |Default = "" 0041F376 |. 68 FCEB5B00 push NiWiFiAs.005BEBFC ; |LatestPassword 0041F37B |. 68 14EA5B00 push NiWiFiAs.005BEA14 ; |Parameters 0041F380 |. FF15 28A65B00 call dword ptr ds:[<&KERNEL32.GetPrivate>; \GetPrivateProfileStringA 0041F386 |. 3BF4 cmp esi,esp 0041F388 |. E8 B37A1100 call NiWiFiAs.00536E40 0041F38D |. 6A FF push -0x1 0041F38F |. 8D4D C4 lea ecx,[local.15] 0041F392 |. E8 A9AAFEFF call NiWiFiAs.00409E40 0041F397 |. 8D4D C4 lea ecx,[local.15] 0041F39A |. E8 6161FEFF call NiWiFiAs.00405500 0041F39F |. 50 push eax 0041F3A0 |. 8D85 60FFFFFF lea eax,[local.40] 0041F3A6 |. 50 push eax 0041F3A7 |. E8 4476FFFF call NiWiFiAs.004169F0 ; 解密call 0041F3AC |. 83C4 08 add esp,0x8 0041F3AF |. 85C0 test eax,eax 0041F3B1 |. 74 1E je short NiWiFiAs.0041F3D1

解密call如下

[Asm] 纯文本查看 复制代码

004169F9 |. 53 push ebx 004169FA |. 56 push esi 004169FB |. 57 push edi 004169FC |. 8DBD 04FFFFFF lea edi,[local.63] 00416A02 |. B9 3F000000 mov ecx,0x3F 00416A07 |. B8 CCCCCCCC mov eax,0xCCCCCCCC 00416A0C |. F3:AB rep stos dword ptr es:[edi] 00416A0E |. C745 F8 00000>mov [local.2],0x0 00416A15 |. C745 EC 00000>mov [local.5],0x0 00416A1C |. C745 E0 00000>mov [local.8],0x0 00416A23 |. C745 D4 00000>mov [local.11],0x0 00416A2A |. C745 C8 00000>mov [local.14],0x0 00416A31 |. EB 09 jmp short NiWiFiAs.00416A3C 00416A33 |> 8B45 E0 /mov eax,[local.8] 00416A36 |. 83C0 01 |add eax,0x1 00416A39 |. 8945 E0 |mov [local.8],eax 00416A3C |> 8B45 0C mov eax,[arg.2] 00416A3F |. 0345 E0 |add eax,[local.8] 00416A42 |. 0FBE08 |movsx ecx,byte ptr ds:[eax] ; 获取字符 00416A45 |. 85C9 |test ecx,ecx 00416A47 |. 0F84 F5000000 |je NiWiFiAs.00416B42 00416A4D |. 8B45 0C |mov eax,[arg.2] 00416A50 |. 0345 E0 |add eax,[local.8] 00416A53 |. 0FBE08 |movsx ecx,byte ptr ds:[eax] 00416A56 |. 83F9 3D |cmp ecx,0x3D 00416A59 |. 75 18 |jnz short NiWiFiAs.00416A73 00416A5B |. 8B45 C8 |mov eax,[local.14] 00416A5E |. 83C0 01 |add eax,0x1 00416A61 |. 8945 C8 |mov [local.14],eax 00416A64 |. 837D C8 02 |cmp [local.14],0x2 00416A68 |. 7E 07 |jle short NiWiFiAs.00416A71 00416A6A |. 33C0 |xor eax,eax 00416A6C |. E9 41010000 |jmp NiWiFiAs.00416BB2 00416A71 |> EB 51 |jmp short NiWiFiAs.00416AC4 00416A73 |> C745 EC 00000>|mov [local.5],0x0 00416A7A |. EB 09 |jmp short NiWiFiAs.00416A85 00416A7C |> 8B45 EC |/mov eax,[local.5] 00416A7F |. 83C0 01 ||add eax,0x1 00416A82 |. 8945 EC ||mov [local.5],eax 00416A85 |> 8B45 EC | mov eax,[local.5] 00416A88 |. 0FB688 58D45B>||movzx ecx,byte ptr ds:[eax+0x5BD458] ; ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ 00416A8F |. 85C9 ||test ecx,ecx 00416A91 |. 74 1B ||je short NiWiFiAs.00416AAE 00416A93 |. 8B45 EC ||mov eax,[local.5] 00416A96 |. 0FB688 58D45B>||movzx ecx,byte ptr ds:[eax+0x5BD458] ; ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ 00416A9D |. 8B55 0C ||mov edx,[arg.2] 00416AA0 |. 0355 E0 ||add edx,[local.8] 00416AA3 |. 0FBE02 ||movsx eax,byte ptr ds:[edx] 00416AA6 |. 3BC8 ||cmp ecx,eax 00416AA8 |. 75 02 ||jnz short NiWiFiAs.00416AAC 00416AAA |. EB 02 ||jmp short NiWiFiAs.00416AAE 00416AAC |>^ EB CE |\jmp short NiWiFiAs.00416A7C 00416AAE |> 837D EC 40 |cmp [local.5],0x40 00416AB2 |. 75 07 |jnz short NiWiFiAs.00416ABB 00416AB4 |. 33C0 |xor eax,eax 00416AB6 |. E9 F7000000 |jmp NiWiFiAs.00416BB2 00416ABB |> 8B45 F8 |mov eax,[local.2] 00416ABE |. 0345 EC |add eax,[local.5] 00416AC1 |. 8945 F8 |mov [local.2],eax 00416AC4 |> 8B45 E0 |mov eax,[local.8] 00416AC7 |. 25 03000080 |and eax,0x80000003 00416ACC |. 79 05 |jns short NiWiFiAs.00416AD3 00416ACE |. 48 |dec eax 00416ACF |. 83C8 FC |or eax,-0x4 00416AD2 |. 40 |inc eax 00416AD3 |> 83F8 03 |cmp eax,0x3 00416AD6 |. 75 5C |jnz short NiWiFiAs.00416B34 00416AD8 |. 8B45 F8 |mov eax,[local.2] 00416ADB |. C1E8 10 |shr eax,0x10 00416ADE |. 8B4D 08 |mov ecx,[arg.1] 00416AE1 |. 034D D4 |add ecx,[local.11] 00416AE4 |. 8801 |mov byte ptr ds:[ecx],al ; 位或前密码转换 00416AE6 |. 8B55 D4 |mov edx,[local.11] 00416AE9 |. 83C2 01 |add edx,0x1 00416AEC |. 8955 D4 |mov [local.11],edx 00416AEF |. 837D C8 02 |cmp [local.14],0x2 00416AF3 |. 7D 17 |jge short NiWiFiAs.00416B0C 00416AF5 |. 8B45 F8 |mov eax,[local.2] 00416AF8 |. C1E8 08 |shr eax,0x8 00416AFB |. 8B4D 08 |mov ecx,[arg.1] 00416AFE |. 034D D4 |add ecx,[local.11] 00416B01 |. 8801 |mov byte ptr ds:[ecx],al 00416B03 |. 8B55 D4 |mov edx,[local.11] 00416B06 |. 83C2 01 |add edx,0x1 00416B09 |. 8955 D4 |mov [local.11],edx 00416B0C |> 837D C8 01 |cmp [local.14],0x1 00416B10 |. 7D 14 |jge short NiWiFiAs.00416B26 00416B12 |. 8B45 08 |mov eax,[arg.1] 00416B15 |. 0345 D4 |add eax,[local.11] 00416B18 |. 8A4D F8 |mov cl,byte ptr ss:[ebp-0x8] 00416B1B |. 8808 |mov byte ptr ds:[eax],cl 00416B1D |. 8B55 D4 |mov edx,[local.11] 00416B20 |. 83C2 01 |add edx,0x1 00416B23 |. 8955 D4 |mov [local.11],edx 00416B26 |> C745 F8 00000>|mov [local.2],0x0 00416B2D |. C745 C8 00000>|mov [local.14],0x0 00416B34 |> 8B45 F8 |mov eax,[local.2] ; 计算 00416B37 |. C1E0 06 |shl eax,0x6 00416B3A |. 8945 F8 |mov [local.2],eax 00416B3D |.^ E9 F1FEFFFF \jmp NiWiFiAs.00416A33 00416B42 |> 8B45 E0 mov eax,[local.8] 00416B45 |. 25 03000080 and eax,0x80000003 00416B4A |. 79 05 jns short NiWiFiAs.00416B51 00416B4C |. 48 dec eax 00416B4D |. 83C8 FC or eax,-0x4 00416B50 |. 40 inc eax 00416B51 |> 85C0 test eax,eax 00416B53 |. 75 12 jnz short NiWiFiAs.00416B67 00416B55 |. 68 A0D45B00 push NiWiFiAs.005BD4A0 ; ~!:?$*<(qw2e5o7i8x12c6m67s98w43d2l45we82q3iuu1z4xle23rt4oxclle34e54u6r8m 00416B5A |. E8 61711200 call NiWiFiAs.0053DCC0 00416B5F |. 83C4 04 add esp,0x4 00416B62 |. 3B45 D4 cmp eax,[local.11] 00416B65 |. 7D 04 jge short NiWiFiAs.00416B6B 00416B67 |> 33C0 xor eax,eax 00416B69 |. EB 47 jmp short NiWiFiAs.00416BB2 00416B6B |> C745 E0 00000>mov [local.8],0x0 00416B72 |. EB 09 jmp short NiWiFiAs.00416B7D 00416B74 |> 8B45 E0 /mov eax,[local.8] 00416B77 |. 83C0 01 |add eax,0x1 00416B7A |. 8945 E0 |mov [local.8],eax 00416B7D |> 8B45 E0 mov eax,[local.8] 00416B80 |. 3B45 D4 |cmp eax,[local.11] 00416B83 |. 7D 1F |jge short NiWiFiAs.00416BA4 00416B85 |. 8B45 E0 |mov eax,[local.8] 00416B88 |. 0FBE88 A0D45B>|movsx ecx,byte ptr ds:[eax+0x5BD4A0] ; ~!:?$*<(qw2e5o7i8x12c6m67s98w43d2l45we82q3iuu1z4xle23rt4oxclle34e54u6r8m 00416B8F |. 8B55 08 |mov edx,[arg.1] 00416B92 |. 0355 E0 |add edx,[local.8] 00416B95 |. 0FBE02 |movsx eax,byte ptr ds:[edx] 00416B98 |. 33C1 |xor eax,ecx 00416B9A |. 8B4D 08 |mov ecx,[arg.1] 00416B9D |. 034D E0 |add ecx,[local.8] 00416BA0 |. 8801 |mov byte ptr ds:[ecx],al 00416BA2 |.^ EB D0 \jmp short NiWiFiAs.00416B74 00416BA4 |> 8B45 08 mov eax,[arg.1] 00416BA7 |. 0345 D4 add eax,[local.11] 00416BAA |. C600 00 mov byte ptr ds:[eax],0x0 00416BAD |. B8 01000000 mov eax,0x1 00416BB2 |> 5F pop edi ; 0019D1A8 00416BB3 |. 5E pop esi ; 0019D1A8 00416BB4 |. 5B pop ebx ; 0019D1A8 00416BB5 |. 81C4 FC000000 add esp,0xFC 00416BBB |. 3BEC cmp ebp,esp 00416BBD |. E8 7E021200 call NiWiFiAs.00536E40 00416BC2 |. 8BE5 mov esp,ebp 00416BC4 |. 5D pop ebp ; 0019D1A8 00416BC5 \. C3 retn

根据代码执行和分析可以看出来
每次取加密后的密码一次取四位
按ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
取出密码与A的相对位置然后与之前的计算累计后乘以2的6次方
最后一位直接累加不乘64
算出来之后的数字按十六进制的顺序位置在~!:?$*<(qw2e5o7i8x12c6m67s98w43d2l45we82q3iuu1z4xle23rt4oxclle34e54u6r8m表中相应字符的ascii进行异
例如
第一位与 ~
第二位与 !
第三位与 : 以此类推等等
所以我们可以写出代码

[C++] 纯文本查看 复制代码

#include <iostream> #include <string> using namespace std; string calpass(const string &); int main() { string lastpass; cin >> lastpass; cout<<calpass(lastpass); system("pause"); return 0; } string calpass(const string &pass) { static int numcal = 0; static string charlist = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; static string passlist = "~!:?$*<(qw2e5o7i8x12c6m67s98w43d2l45we82q3iuu1z4xle23rt4oxclle34e54u6r8m"; string retpass = ""; unsigned int startcal = 0,passcal=0; for (unsigned calnum = 0; calnum < pass.length();calnum++) { int test = 0; int num = 0; startcal++; if (pass[calnum] != '=') { while (pass[calnum] != charlist[num]) num++; passcal += num; } if (startcal == 4) { test = (passcal & 0xff0000)>>16; retpass += test ^ passlist[numcal++]; test = (passcal & 0x00ff00)>>8; retpass += test ^ passlist[numcal++]; if(test = (passcal & 0x0000ff)>>0) retpass += test ^ passlist[numcal++]; passcal=startcal = 0; } else passcal *= 64; } return retpass; }

图片.png (12.99 KB, 下载次数: 36)

下载附件

2019-7-13 18:32 上传

本地密码的加密解密成功客户端下载地址:
下期解密sign加密
 

免费评分 参与人数 26威望 +1 吾爱币 +29 热心值 +24 理由

原来是阿翔啊     + 1   + 1   谢谢@Thanks！  

时光的旅人99     + 1     用心讨论，共获提升！  

莫扎尔特     + 1   + 1   我很赞同！  

szjzxm4321     + 1   + 1   我很赞同！  

350627392     + 1   + 1   谢谢@Thanks！  

Hmily   + 1   + 7   + 1   感谢发布原创作品，吾爱破解论坛因你更精彩！  

Ghang       + 1   热心回复！  

真龙夺魄       + 1   谢谢@Thanks！  

baby赵     + 1   + 1   热心回复！  

焚心     + 1   + 1   我很赞同！  

悍匪戾     + 1   + 1   热心回复！  

ddyyy     + 1   + 1   我很赞同！  

王星星     + 1   + 1   用心讨论，共获提升！  

海天一色001     + 1   + 1   热心回复！  

鼓捣猫呢     + 1   + 1   我很赞同！  

ljh15     + 2     毕业年看的津津有味，加油小火鸡  

坚持奋斗的小白       + 1   欢迎分析讨论交流，吾爱破解论坛有你更精彩！  

jizhihaoSAMA     + 1   + 1   谢谢@Thanks！  

笙若     + 1   + 1   谢谢@Thanks！  

zqguang3708     + 2   + 1   很硬核 kyd  

YAO21     + 1   + 1   热心回复！  

ningzhiduanya     + 1   + 1   谢谢@Thanks！  

mhwuliao     + 1   + 1   热心回复！  

已经好晕了       + 1   我很赞同！  

bF6eUh3       + 1   欢迎分析讨论交流，吾爱破解论坛有你更精彩！  

慕琪     + 1   + 1   谢谢@Thanks！  

查看全部评分