为 Keygener_Assistant v2.1.2 添加文件拖放支持
本帖最后由 csjwaman 于 2020-1-29 11:45 编辑 Keygener_Assistant v2.1.2 是一个非常实用的工具,尤其是其中的密码学算法分析模块,对密码学分析有很好的辅助作用.
但程序不支持文件拖放,使用上不太方便.于是做了一处修改,不算完美:补丁 HASH 计算模块后程序退出时会异常(见文末),但不影响正常使用.
程序用UPX加壳,脱壳后用DelphiDecompiler分析,找到File Hash计算的Open按钮和密码学算法分析模块的Scan按钮响应事件代码:
Hashing->Calc Hash->File Hash->Open按钮事件响应代码:
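// Hashing -> Calc Hash -> File Hash -> "Open" button handler (TForm1 method; Delphi
// register convention: eax = Self, edx = Sender). DelphiDecompiler output. The bracketed
// memory operands were dropped when the post was extracted; they are restored here from
// the opcode bytes in the second column.
0052AA28 55 push ebp
0052AA29 8BEC mov ebp, esp
0052AA2B 6A00 push $00 // zero-initialised slot for the local string at [ebp-4]
0052AA2D 53 push ebx
0052AA2E 56 push esi
0052AA2F 57 push edi
0052AA30 8BF2 mov esi, edx // esi = edx = Sender (author observed 0205207C)
0052AA32 8BD8 mov ebx, eax // ebx = eax = Self, the TForm1 instance (author observed 02001074)
0052AA34 33C0 xor eax, eax
0052AA36 55 push ebp
* Possible String Reference to: '樽濏?腽_^?
|
0052AA37 6818AB5200 push $0052AB18 // try/finally frame: handler address
0052AA3C 64FF30 push dword ptr fs:[eax] // eax = 0: previous SEH record
0052AA3F 648920 mov fs:[eax], esp // install the frame
* Reference to field TForm1.OFFS_1747
|
0052AA42 80BB7A74010000 cmp byte ptr [ebx+$0001747A], $00 // if this flag is set, set the neighbouring byte and leave (meaning of the two flags not shown here)
0052AA49 740C jz 0052AA57
* Reference to field TForm1.OFFS_1747
|
0052AA4B C6837974010001 mov byte ptr [ebx+$00017479], $01
0052AA52 E9AB000000 jmp 0052AB02
* Reference to control TForm1.OpenDialog2 : TOpenDialog
|
0052AA57 8B8350070000 mov eax, [ebx+$00000750] // eax = Self.OpenDialog2
0052AA5D 8B10 mov edx, [eax] // edx = VMT
* Possible reference to virtual method TOpenDialog.OFFS_3C
|
0052AA5F FF523C call dword ptr [edx+$3C] // virtual call (VMT+$3C): shows the Open dialog, al = result
0052AA62 84C0 test al, al
0052AA64 0F8498000000 jz 0052AB02 // cancelled: nothing to do
0052AA6A 8D55FC lea edx, [ebp-$04]
* Reference to control TForm1.OpenDialog2 : TOpenDialog
|
0052AA6D 8B8350070000 mov eax, [ebx+$00000750]
* Reference to: Dialogs.TOpenDialog.GetFileName()
|
0052AA73 E82477F1FF call 0044219C // [ebp-4] := OpenDialog2.FileName
0052AA78 8B55FC mov edx, [ebp-$04] // edx = selected path (AnsiString)
0052AA7B B888505E00 mov eax, $005E5088 // eax = address of the global path string
|
0052AA80 E8A7A5EDFF call 0040502C // string assignment into the global (presumably System.@LStrAsg: the source's refcount is shared, so it must be a heap string or a refcount -1 constant)
0052AA85 803D7B625E0001 cmp byte ptr [$005E627B], $01 // global "hash settings modified" flag
0052AA8C 7517 jnz 0052AAA5 // NOTE: on this path edi is never written by this function and keeps the caller's value
0052AA8E 6A00 push $00 // HelpCtx
0052AA90 668B0D28AB5200 mov cx, word ptr [$0052AB28] // button set
0052AA97 B203 mov dl, $03 // DlgType
* Possible String Reference to: 'Some Hash you use are modified!You
| want to restore default values?'
|
0052AA99 B834AB5200 mov eax, $0052AB34
* Reference to: Dialogs.MessageDlg(System.AnsiString; Dialogs.TMsgDlgType; System.; Integer)
|
0052AA9E E80D8BF1FF call 004435B0
0052AAA3 8BF8 mov edi, eax // edi = modal result
0052AAA5 4F dec edi
0052AAA6 7551 jnz 0052AAF9 // result <> 1 (mrOk): skip the reset and hash with the current settings
0052AAA8 8BD6 mov edx, esi
0052AAAA 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn2Click()
|
0052AAAC E863B4FFFF call 00525F14 // the nine BitBtn*Click calls below presumably restore the default hash settings (per the prompt text)
0052AAB1 8BD6 mov edx, esi
0052AAB3 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn4Click()
|
0052AAB5 E8BAB5FFFF call 00526074
0052AABA 8BD6 mov edx, esi
0052AABC 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn5Click()
|
0052AABE E811B7FFFF call 005261D4
0052AAC3 8BD6 mov edx, esi
0052AAC5 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn8Click()
|
0052AAC7 E830B8FFFF call 005262FC
0052AACC 8BD6 mov edx, esi
0052AACE 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn9Click()
|
0052AAD0 E87BB9FFFF call 00526450
0052AAD5 8BD6 mov edx, esi
0052AAD7 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn11Click()
|
0052AAD9 E8AABBFFFF call 00526688
0052AADE 8BD6 mov edx, esi
0052AAE0 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn13Click()
|
0052AAE2 E825BDFFFF call 0052680C
0052AAE7 8BD6 mov edx, esi
0052AAE9 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn15Click()
|
0052AAEB E80CBFFFFF call 005269FC
0052AAF0 8BD6 mov edx, esi
0052AAF2 8BC3 mov eax, ebx
* Reference to : TForm1.BitBtn17Click()
|
0052AAF4 E8F3C0FFFF call 00526BEC
0052AAF9 8BD6 mov edx, esi
0052AAFB 8BC3 mov eax, ebx
* Reference to : TForm1.FileHashing()
|
0052AAFD E8E6FCFFFF call 0052A7E8 // FileHashing(Self, Sender): reads the path from the global set above
0052AB02 33C0 xor eax, eax
0052AB04 5A pop edx // previous SEH record
0052AB05 59 pop ecx
0052AB06 59 pop ecx
0052AB07 648910 mov fs:[eax], edx // unlink the try/finally frame
****** FINALLY
|
* Possible String Reference to: '_^?
|
0052AB0A 681FAB5200 push $0052AB1F // return address for the finally block
0052AB0F 8D45FC lea eax, [ebp-$04]
|
0052AB12 E8C1A4EDFF call 00404FD8 // release the local string (presumably System.@LStrClr)
0052AB17 C3 ret
0052AB18 E9D79DEDFF jmp 004048F4 // exception path (presumably System.@HandleFinally)
0052AB1D EBF0 jmp 0052AB0F
****** END
|
0052AB1F 5F pop edi
0052AB20 5E pop esi
0052AB21 5B pop ebx
0052AB22 59 pop ecx
0052AB23 5D pop ebp
0052AB24 C3 ret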
Scanning->Scan按钮事件响应代码:
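// Scanning -> "Scan" button handler (TForm1 method; eax = Self). DelphiDecompiler output
// with the bracketed memory operands restored from the opcode bytes.
00521734 55 push ebp
00521735 8BEC mov ebp, esp
00521737 6A00 push $00 // zero-initialised slot for the local string at [ebp-4]
00521739 53 push ebx
0052173A 8BD8 mov ebx, eax // ebx = Self
0052173C 33C0 xor eax, eax
0052173E 55 push ebp
0052173F 688B175200 push $0052178B // try/finally frame: handler address
00521744 64FF30 push dword ptr fs:[eax] // previous SEH record
00521747 648920 mov fs:[eax], esp
* Reference to control TForm1.OpenDialog1 : TOpenDialog
|
0052174A 8B8330030000 mov eax, [ebx+$00000330] // eax = Self.OpenDialog1
00521750 8B10 mov edx, [eax] // edx = VMT
* Possible reference to virtual method TOpenDialog.OFFS_3C
|
00521752 FF523C call dword ptr [edx+$3C] // virtual call (VMT+$3C): shows the Open dialog, al = result
00521755 84C0 test al, al
00521757 741C jz 00521775 // cancelled
00521759 8D55FC lea edx, [ebp-$04]
* Reference to control TForm1.OpenDialog1 : TOpenDialog
|
0052175C 8B8330030000 mov eax, [ebx+$00000330]
* Reference to: Dialogs.TOpenDialog.GetFileName()
|
00521762 E8350AF2FF call 0044219C // [ebp-4] := OpenDialog1.FileName
00521767 8B55FC mov edx, [ebp-$04] // edx = path (2nd argument)
* Reference to control TForm1.Traget : TEdit
|
0052176A 8B834C030000 mov eax, [ebx+$0000034C] // eax = Self.Traget (1st argument)
* Reference to: Controls.TControl.SetText(System.AnsiString)
|
00521770 E8B394F2FF call 0044AC28 // Traget.Text := path; the author notes this is what starts the crypto analysis (presumably via the edit's change handler)
00521775 33C0 xor eax, eax
00521777 5A pop edx
00521778 59 pop ecx
00521779 59 pop ecx
0052177A 648910 mov fs:[eax], edx // unlink the try/finally frame
****** FINALLY
|
0052177D 6892175200 push $00521792
00521782 8D45FC lea eax, [ebp-$04]
|
00521785 E84E38EEFF call 00404FD8 // release the local string (presumably System.@LStrClr)
0052178A C3 ret
0052178B E96431EEFF jmp 004048F4 // exception path
00521790 EBF0 jmp 00521782
****** END
|
00521792 5B pop ebx
00521793 59 pop ecx
00521794 5D pop ebp
00521795 C3 ret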
添加一个区段用于放补丁代码.基址为0x7d0000
用OD插件multiasm_odbg写补丁代码:
; --- Drag-and-drop patch for Keygener_Assistant v2.1.2 (multiasm_odbg syntax) ---
; Hook: the 5-byte instruction at 0x0044BED2 (originally `cmp eax,0x100`, re-executed at
; @next so the flags the following code expects are restored) is replaced by a jmp into a
; new section at 0x7d0000. At the hook eax is compared against 0x233 = WM_DROPFILES, so
; eax is presumably the window-message id there.
; NOTE(review): several memory operands ([...]) were lost when this post was extracted
; (lines ending in `,` or `ss:`); the mnemonics are kept as-is and must be restored from
; the original post before reuse.
; NOTE(review): register roles are inferred: esi is used as the TForm1 instance (offsets
; 0x34c and 0x6f4 match the decompiler listings above) - confirm at the hook site.
; NOTE(review): only one path is read, directly from the drop data rather than via
; DragQueryFile, and nothing here calls DragFinish - presumably the HDROP is never
; released; confirm. How the window came to accept drops (DragAcceptFiles /
; WS_EX_ACCEPTFILES) is not shown in the post.
<0x0044BED2>
jmp @scan_hash
@continue:
<7d0000>
@scan_hash:
pushad
cmp eax,0x233;WM_DROPFILES - any other message falls through to the original code
jne @next
lea eax,
mov eax,
mov eax,
lea eax,;eax = full path of the dropped file as a wide string (operands lost in extraction)
mov edx,eax;keep the wide-string pointer for the conversion call
xor ecx,ecx
@looper:;count wide chars up to the NUL; no upper bound, relies on the shell's terminator
movzx ebx,word ptr ss:
cmp ebx,0
je @loop_over
add eax,2
inc ecx
jmp @looper
@loop_over:
push esi;save esi (form instance) across the API call; popped into eax below
push 0;lpUsedDefaultChar
push 0;lpDefaultChar
push 0xfff;cbMultiByte: output limit in bytes (the size of the buffer at 0x5D7E80 is not shown here)
push 0x5D7E80;lpMultiByteStr: static buffer that is then used as the body of a fake Delphi AnsiString
;mov dword ptr ss:,ecx;(disabled) earlier attempt to store the length here
add ecx,1;+1 so the terminating NUL is converted too, truncating stale bytes left in the buffer
push ecx;cchWideChar
push edx;lpWideCharStr
push 0;dwFlags
push 3;CodePage = 3 (CP_THREAD_ACP)
call 0x401388;wide -> multibyte; argument layout matches WideCharToMultiByte (presumably its import thunk)
sub eax,1;returned count includes the NUL. NOTE(review): a return of 0 (failure / path longer than 0xfff bytes) is not checked and becomes length -1
mov dword ptr ss:,eax;store the length (operand lost; presumably the AnsiString length dword at 0x5D7E7C - the refcount dword at 0x5D7E78 is never set)
push @str
push 0
call 00407FB8;find-window call (presumably FindWindowA(NULL, title)): is the Scanning page active? Decided from the main-window title only
cmp eax,0
je @hash
pop eax;eax = saved esi (form instance)
add eax,0x34c;eax = &Self.Traget (offset from the Scan-button listing)
mov eax,;eax = the Traget TEdit instance (operand lost)
mov edx,0x5D7E80;edx = converted path
call 0x44ac28;TControl.SetText(Traget, path) - the same call the Scan button makes
jmp @next
@hash:
push @str2
push 0
call 00407FB8;is the Hashing page active? Again decided from the window title, so it cannot tell whether the File Hash tab is selected
cmp eax,0
pop eax;eax = saved esi (pop does not touch the flags set above)
je @next
add eax,0x6f4;eax = &Self+0x6f4, the field whose value is passed in esi below (presumably the control normally passed as Sender)
mov eax,
mov ebx,esi;ebx = Self, as in the original handler
mov esi,eax
mov edx,0x5D7E80;edx = path, in place of the Open dialog's FileName
MOV EAX,05E5088H;;from here: copy of the original Open-button handler (0052AA7B..0052AAFD) minus the "hash values modified?" prompt - the nine reset calls run unconditionally
CALL 0040502C;assign the fake AnsiString to the global path string (presumably @LStrAsg, which shares the refcount; see the exit-time exception note at the end of the post)
MOV EDX,ESI
MOV EAX,EBX
CALL 00525F14
MOV EDX,ESI
MOV EAX,EBX
CALL 00526074
MOV EDX,ESI
MOV EAX,EBX
CALL 005261D4
MOV EDX,ESI
MOV EAX,EBX
CALL 005262FC
MOV EDX,ESI
MOV EAX,EBX
CALL 00526450
MOV EDX,ESI
MOV EAX,EBX
CALL 00526688
MOV EDX,ESI
MOV EAX,EBX
CALL 0052680C
MOV EDX,ESI
MOV EAX,EBX
CALL 005269FC
MOV EDX,ESI
MOV EAX,EBX
CALL 00526BEC
MOV EDX,ESI
MOV EAX,EBX
CALL 0052A7E8;FileHashing(Self, esi)
@next:
popad
CMP EAX,0x100;the displaced original instruction (cmp eax,imm32 is 5 bytes, same as the jmp)
jmp @continue
@str:
"Keygener_Assistant v2.1.2 - Scanning : Hash & Crypto Detector\0"
@str2:
"Keygener_Assistant v2.1.2 - Hashing , Analyzer & Brute Forcer\0"
最后说明:
修改密码学算法分析模块后,程序能正常运行.修改 HASH 计算模块后,程序退出时会在下面这段代码处异常.(审阅注:从代码形状看,这段很像 Delphi 的 System._FreeMem——先通过 [598048] 调用 MemoryManager.FreeMem,失败后以 AL=2(reInvalidPtr)调用 Error.一个可能的原因是:补丁把 0x5D7E80 处的静态缓冲区当作 AnsiString,经 0040502C(疑似 @LStrAsg)赋给 $5E5088 处的全局字符串并共享引用计数,程序退出释放该全局字符串时对非堆内存调用 FreeMem 而失败;而 Scan 路径只是 SetText,不保留引用,所以不出错.若把 0x5D7E78 处的引用计数预置为 -1(常量字符串标记),运行库会改为复制而不再释放它,可能就不必 NOP 这个 CALL.以上未经验证.)
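// Routine where the exit-time exception is raised (OllyDbg listing; the indirect call
// target was dropped in extraction and is restored from the bytes FF15 48805900).
// NOTE(review): the shape - test the pointer, call the function pointer at [598048], then on
// a non-zero result call 00402C7C with AL=2 - matches Delphi's System._FreeMem calling
// Error(reInvalidPtr = 2) after MemoryManager.FreeMem fails. That is consistent with the
// patch sharing a static fake AnsiString (0x5D7E80) into the global at $5E5088 via 0040502C
// and the RTL trying to free it at shutdown. Not confirmed from this listing alone.
00402B2C/$53 PUSH EBX
00402B2D|.85C0 TEST EAX,EAX // eax = pointer to free; nil is a no-op
00402B2F|.74 15 JE SHORT 00402B46
00402B31|.FF15 48805900 CALL DWORD PTR DS:[598048] // indirect call (presumably MemoryManager.FreeMem)
00402B37|.8BD8 MOV EBX,EAX
00402B39|.85DB TEST EBX,EBX // 0 = success
00402B3B|.74 0B JE SHORT 00402B48
00402B3D|.B0 02 MOV AL,0x2 // error code 2
00402B3F E8 38010000 CALL 00402C7C // raises here; cause not found, so the author NOPped it. NOPping hides the invalid-pointer report rather than fixing its cause; a refcount of -1 at 0x5D7E78 (constant-string marker) may be the real fix - verify
00402B44|.EB 02 JMP SHORT 00402B48
00402B46|>33DB XOR EBX,EBX
00402B48|>8BC3 MOV EAX,EBX // return the result
00402B4A|.5B POP EBX
00402B4B\.C3 RETN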
另外,只有Hashing->File Hash页活动时,才可以使用拖放功能.但只能通过主窗口标题判断Hashing页是否活动,
不知道如何判断这个窗口页中的File Hash窗口页是否激活.有兄弟知道的话告知一下啊:)
更新了一下,加上了对中文路径及文件名的支持.另外,将原版文件也一起打包上传,便于测试.
链接: https://pan.baidu.com/s/1T_hZczDpFTeEK_c2A_QqSQ 提取码: qg7e csjwaman 发表于 2020-1-28 23:42
我在WIN7测试的,WIN10下没测试。用管理员身份运行试试。另外,重建PE试试
我在WIN10虚拟机里测试了,可以运行。 csjwaman 发表于 2020-1-29 10:15
我在WIN10虚拟机里测试了,可以运行。
找到原因了,我电脑上装着冰点还原,关了就能正常使用了 本帖最后由 我的爱是你 于 2020-1-28 23:10 编辑
那么强!为已打包的程序添加功能,这需要很强的汇编功底吧。
Win10,打开后是这个 本帖最后由 csjwaman 于 2020-1-28 23:43 编辑
FleTime 发表于 2020-1-28 23:15
Win10,打开后是这个
我在WIN7测试的,WIN10下没测试。用管理员身份运行试试。另外,重建PE试试 感觉好厉害呀........... 膜拜大神,现在看不懂,保存待用 感觉很厉害 只不过我认识他 他不认识我呀 不明觉厉,牛人无疑!