2018年五四挑战赛第一题 Sublimetext 验证分析£¨视频分析见附件£©

九层楼

1. 工具
x32dbg: 调试
CyberChef https://gchq.github.io/CyberChef: 测试如 sha1, sha256, asn1解析等
Big Integer Calculator v1.13: 测试 RSA 签名过程
?#29992;?#35299;密小玩具 Ver0.3 by Lucky_789 [bbs.chinapyg.com]: double check
RSA-Tool 2 by tE!: 生成替换 RSA 秘钥
sfk191 https://sourceforge.net/projects/swissfileknife/: 二进制文件替换修改

2. 载入后搜索 "License" and "Unregistered", 设定断点

[Asm] 纯文本查看 复制代码

 地址       反汇编                                           ?#22336;?#20018;
* 002CF7F2 mov edx,sublime_text.664930                   "Hello! Thanks for trying out Sublime Text.\n\nThis is an unregistered evaluation version, and although the trial is untimed, a license must be purchased for continued use.\n\nWould you like to purchase a license now?"
* 002CF883 mov edx,sublime_text.664A70                   "Hello! Thanks for trying out Sublime Text 3!\n\nSublime Text 3 is a paid upgrade from Sublime Text 2, and your license key is for Sublime Text 2.\n\nWould you like to upgrade your license now?"
* 002CF8AD mov edx,sublime_text.664B70                   "That license key doesn't appear to be valid.\n\nPlease check that you have entered all lines from the license key, including the BEGIN LICENSE and END LICENSE lines."
* 002CF8B9 mov edx,sublime_text.664C14                   "That license key is no longer valid."
* 002CF8C5 mov edx,sublime_text.664C40                   "That license key has been invalidated, due to being shared.\n\nPlease email [url=mailto:[email protected]][email protected][/url] to get your license key reissued."
* 002D086B push sublime_text.664D68                      "Enter your license key below. You can purchase one from [url=https://www.sublimetext.com/buy]https://www.sublimetext.com/buy[/url]"
* 002D0F02 mov ecx,sublime_text.664E18                   "license_check"
* 002D10A0 mov esi,sublime_text.664E30                   "license.sublimehq.com"
* 002D10EB mov esi,sublime_text.664E48                   "sublime-license-check/3.0"
* 002E9A67 mov edx,sublime_text.667B18                   "Remove license key? This will revert Sublime Text to an unregistered state."
* 002F6594 mov dword ptr ss:[esp],sublime_text.66965C    "Unregistered"
* 00308DBC push sublime_text.66B428                      "%s\nSingle User License\n%s-%s"
* 00308DE7 push sublime_text.66B408                      "%s\nUnlimited User License\n%s-%s"
* 00308E29 push sublime_text.66B45C                      "%s\n%d User License\n%s-%s"
* 00309214 mov esi,sublime_text.66B4BC                   "----- BEGIN LICENSE -----\n"
* 003092AD mov ebx,sublime_text.66B4A0                   "------ END LICENSE ------"

3. 使用网上泄露的 TwitterInc 证书调试
¡ª¨C BEGIN LICENSE ¡ª¨C
TwitterInc
200 User License
EA7E-890007
1D77F72E 390CDD93 4DCBA022 FAF60790
61AA12C0 A37081C5 D0316412 4584D136
94D7F7D4 95BC8C1C 527DA828 560BB037
D1EDDD8C AE7B379F 50C9D69D B35179EF
2FE898C4 8E4277A8 555CE714 E1FB0E43
D5D52613 C3D12E98 BC49967F 7652EED2
9D2D2E61 67610860 6D338B72 5CF95C69
E36B85CC 84991F19 7575D828 470A92AB
¡ª¡ª END LICENSE ¡ª¡ª

4. 单步调试. 抛砖引玉, 简单录了小视频来描述流程, 地址在 .zip 格式的附件中 (论坛提示不允许上传 .txt 格式)
(1) 跑起来之后, CPU 窗格点右键, 转到, 文件偏移, 4F17B, 下断点, F7/F8 调试可以发现, 这个函数将产生 asn1 der 编码的 rsa 公钥字串  (需要 xor 0x53).

[Asm] 纯文本查看 复制代码

00401910  63 D2 CE 63 5E 55 5A 79 D5 1B D5 A4 5E 52 52 52  c¨°Îc^UZyÕ.Õ¡è^RRR  
00401920  56 53 50 D2 D8 53 63 D2 D4 51 D2 D2 53 8B 28 F1  VSP¨°ØSc¨°ÔQ¨°¨°S.(ñ  
00401930  16 31 A4 96 82 19 5F A8 41 EA 27 5F 4A 0F 38 8F  .1¡è..._¡§A¨º'_J.8.  
00401940  2D 3E 3D 9A 78 FF 5D E1 CE 0A B2 8A FD 34 DA 5F  ->=.xÿ]¨¢Î.2.y4¨²_  
00401950  78 DB 90 F8 8F FC AD 2E 19 60 8F 92 EC ED 00 49  xÛ.ø.¨¹...`..¨¬¨ª.I  
00401960  76 4F BC 5F C1 6C 55 ED 2A E1 61 D6 0A FF AD BA  vO¼_¨¢lU¨ª*¨¢aÖ.ÿ.o  
00401970  D5 86 B2 0D 1E 44 35 B9 05 97 B2 55 04 A9 27 88  Õ.2..D51..2U.©'.  
00401980  5A 24 90 A8 26 D1 E4 DF 87 28 E1 94 AA E1 01 E7  Z$.¡§&Ñäß.(¨¢.a¨¢.ç  
00401990  FA 15 6E 46 A5 FD 3D BA 70 2E 07 96 1B 48 A0 B3  ¨².nF£¤y=op....H 3  
004019A0  E3 CA 73 4A 58 9C E0 4D 08 B6 5A 90 68 51 52 42  㨺sJX.¨¤M.¶Z.hQRB  

(2) CPU 窗格点右键, 转到, 文件偏移, 4F276, 下断点, 这个函数将使用 rsa 公钥验证输入的验证码信息, 成功则在 eax 返回1. 该函数体内几步关键的流程为:
首先计算注册信息前三行的 sha1 hash. 可以参见下面函数调用, 文件偏移 (x32dbg 中按 ctrl+shift+G) 为 87E82

[Asm] 纯文本查看 复制代码

00FD8A82 | E8 9E 57 15 00              | call sublime_text.112E225                            | InArg.1 保存了 注册信息的 sha1 值 (记得?#26041;?#21435;时好像看到了 MD5 特征码, 看来是没用)

然后从 asn1 der 编码的 rsa 公钥字串中解码 rsa 公钥. 可以参见下面函数调用, 文件偏移 (x32dbg 中按 ctrl+shift+G) 为 87EDC

[Asm] 纯文本查看 复制代码

00FD8ADC | E8 14 77 15 00              | call <sublime_text.从 asn1 中解码 rsa_key>               | 有机会再检查下, 和手动在 cyberchef 得到的值不一样 ???

最后调用 LibTomCrypt 中的 rsa_verify_hash.c 中的函数, 验证 RSA PKCS #1 v1.5 or v2 PSS signature verification, 验证成功则将在 [ebp-10] 写 1. 可以参见下面函数调用, 文件偏移 (x32dbg 中按 ctrl+shift+G) 为 87F3E

[Asm] 纯文本查看 复制代码

00FD8B24 | 50                          | push eax                                             | InArg.9 = *key
00FD8B25 | 8D 45 F0                    | lea eax,dword ptr ss:[ebp-10]                        |
00FD8B28 | 8B D6                       | mov edx,esi                                          | InArg.2 = siglen
00FD8B2A | 50                          | push eax                                             | InArg.8 = *stat
00FD8B2B | 51                          | push ecx                                             | InArg.7 = saltlen = 0x80 
00FD8B2C | 57                          | push edi                                             | InArg.6 = hash_idx = 0
00FD8B2D | 51                          | push ecx                                             | InArg.5 = padding = 0x80 ??
00FD8B2E | FF 75 EC                    | push dword ptr ss:[ebp-14]                           | InArg.4 = hashlen = length(sha1_of_lic)
00FD8B31 | 8D 85 48 FF FF FF           | lea eax,dword ptr ss:[ebp-B8]                        | [ebp-B8]:&"43C60213C780ACBF344A91DB577163EA1F7257AF110E619447A45D3A4F6ECAC45E0F25FDA71A537DBCD6B2A179B45AD4F532B5B65933D7FB5578436F6D5B854CC430DB4EE87FDF991D85C91E61076223A33E841D0A529D79D5A493DE28717FB4C4C323033F7AA81384B46A0F52AC424E495E98DA284C7F894810D723C3969C6F"
00FD8B37 | 50                          | push eax                                             | InArg.3 = hash = sha1_of_lic
00FD8B38 | 8D 8D 48 DF FF FF           | lea ecx,dword ptr ss:[ebp-20B8]                      | InArg.1 = sig = 注册信息下面的码
00FD8B3E | E8 8F 88 15 00              | call <sublime_text.int rsa_verify_hash_ex(const unsi |
00FD8B43 | 83 C4 1C                    | add esp,1C                                           |
00FD8B46 | 85 C0                       | test eax,eax                                         |
00FD8B48 | 0F 85 40 FF FF FF           | jne sublime_text.FD8A8E                              |
00FD8B4E | 8D 4D C8                    | lea ecx,dword ptr ss:[ebp-38]                        |
00FD8B51 | E8 1A 79 15 00              | call sublime_text.1130470                            |
00FD8B56 | 33 C0                       | xor eax,eax                                          |
00FD8B58 | 83 7D F0 01                 | cmp dword ptr ss:[ebp-10],1                          | 比较 *stat, 看来还是九层楼的信息没通过 ??

  
(3) CPU 窗格点右键, 转到, 文件偏移, 4F2B9, 下断点, 这个函数将计算 asn1 der 编码的 rsa 公钥字串的 sha256 hash 并随后验证其中三位
例如, 对于内置的 asn1 der 编码的 rsa 公钥字串, 将验证中括号内的几位

[Asm] 纯文本查看 复制代码

ori 30819D300D06092A864886F70D010101050003818B0030818702818100D87BA24562F7C5D14A0CFB12B9740C195C6BDC7E6D6EC92BAC0EB29D59E1D9AE67890C2B88C3ABDCAFFE7D4A33DCC1BFBE531A251CEF0C923F06BE79B2328559ACFEE986D5E15E4D1766EA56C4E10657FA74DB0977C3FB7582B78CD47BB2C7F9B252B4A9463D15F6AE6EE9237D54C5481BF3E0B09920190BCFB31E5BE509C33B020111
[c6] 34  03  97 05 9a  1d  2a
 b1  a4  13  40 ce d7  a5  a8
 f8  6d [ea] 0c 22 7f  a9  40
 b6  e7  4f  0e f8 46 [56] ea

x. 破解步骤
(1) 在 Cygwin 下运行下面步骤使用 sfk 修改原文件
  exe=sublime_text.exe
  bak=sublime_text.exe.bak
  cp $exe $bak
  ./sfk191 replace $exe -firsthit -yes -bin "/807DBCC6/807DBCA3/"  
  ./sfk191 replace $exe -firsthit -yes -bin "/807DCEEA/807DCE38/"  
  ./sfk191 replace $exe -firsthit -yes -bin "/807DDA56/807DDA62/"   
  ./sfk191 replace $exe -firsthit -yes -bin "/63d2ce635e555a79d51bd5a45e525252565350d2d85363d2d451d2d2538b28f11631a49682195fa841ea275f4a0f388f2d3e3d9a78ff5de1ce0ab28afd34da5f78db90f88ffcad2e19608f92eced0049764fbc5fc16c55ed2ae161d60affadbad586b20d1e4435b90597b25504a927885a2490a826d1e4df8728e194aae101e7fa156e46a5fd3dba702e07961b48a0b3e3ca734a589ce04d08b65a9068515242/63d2ce635e555a79d51bd5a45e525252565350d2d85363d2d451d2d253d1b87c5f52734dd758ee69729ed18e5880ba3628a3a0b95df0599205cf7026d74d3c0a985ff9b5bd6401d58fc2e2bb6ebee7c4b5ffc02e7bd194f4083b85cb3f370b5d8c7d604684f7314b72fbd29679a15795d4ee20340d1b2aacb5ad10cfdd6163625f33c42766094478d1211a53bdaad7f5a7e6454c43c27aa6954d4cd50a515242/"

(2) 在断开网络的情况下, 使用下面的许可注册
¡ª¨C BEGIN LICENSE ¡ª¨C
九层楼/PYG
Single User License
EA7E-887766
43C60213 C780ACBF 344A91DB 577163EA
1F7257AF 110E6194 47A45D3A 4F6ECAC4
5E0F25FD A71A537D BCD6B2A1 79B45AD4
F532B5B6 5933D7FB 5578436F 6D5B854C
C430DB4E E87FDF99 1D85C91E 61076223
A33E841D 0A529D79 D5A493DE 28717FB4
C4C32303 3F7AA813 84B46A0F 52AC424E
495E98DA 284C7F89 4810D723 C3969C6F
¡ª¡ª END LICENSE ¡ª¡ª

y. 验证流程总结
(1) 对前三行信息计算 sha1
(2) 添加 salt
(3) RSA 私?#22771;?#21517;即得注册码. 因此需要替换公钥, 以及程序对于公钥的三处验证

z. 知识总结 (仅仅是一知半解)
(1) RSA 加解密, 签名
(2) ASN
(3) RSA PKCS #1 v1.5 or v2 PSS signature verification
(4) LibTomMath & LibTomCrypt
(5) 遇到函数调用时, 可以通过观察传入的指针型?#38382;?#22312;调用完成后的赋值推测流程.
(6) 积累并应用经验: 例如通过识别 +10/+14 偏?#21697;?#29616; C++ ?#22336;?#20018;, 通过 Assert 语句查阅相关库

最后, ?#34892;?a href="http://www.ssoc.tw" target="_blank" class="relatedlink">飘云阁的老师们 !

飘云

不错的解答~~

00FD8A82 | E8 9E 57 15 00              | call sublime_text.112E225                            | InArg.1 保存了 注册信息的 sha1 值 (记得?#26041;?#21435;时好像看到了 MD5 特征码, 看来是没用)

你确实是看到了MD5特征(但?#23548;?#26159;SHA)  

SHA 和 MD5常数仅一组数据值之差(有空多看看各种?#29992;?#31639;法的?#21019;?#30721;就好了£¬推荐openssl)

[C++] 纯文本查看 复制代码

    

  SHA --->
  digest[0] = 0x67452301;
  digest[1] = 0xefcdab89;
  digest[2] = 0x98badcfe;
  digest[3] = 0x10325476;
  digest[4] = 0xc3d2e1f0;


  MD5 --->
  state[0] = 0x67452301;
  state[1] = 0xefcdab89;
  state[2] = 0x98badcfe;
  state[3] = 0x10325476;

[Asm] 纯文本查看 复制代码

.text:005E10AA sub_5E10AA      proc near               ; CODE XREF: sub_5E12ED+17¡ýp
.text:005E10AA                                         ; DATA XREF: .rdata:007D0A9C¡ýo
.text:005E10AA
.text:005E10AA arg_0           = dword ptr  4
.text:005E10AA
.text:005E10AA                 mov     eax, [esp+arg_0]
.text:005E10AE                 test    eax, eax
.text:005E10B0                 jz      short loc_5E10E2
.text:005E10B2                 xor     ecx, ecx
.text:005E10B4                 mov     dword ptr [eax+8], 67452301h
.text:005E10BB                 mov     dword ptr [eax+0Ch], 0EFCDAB89h
.text:005E10C2                 mov     dword ptr [eax+10h], 98BADCFEh
.text:005E10C9                 mov     dword ptr [eax+14h], 10325476h
.text:005E10D0                 mov     dword ptr [eax+18h], 0C3D2E1F0h
.text:005E10D7                 mov     [eax+1Ch], ecx
.text:005E10DA                 mov     [eax], ecx
.text:005E10DC                 mov     [eax+4], ecx
.text:005E10DF                 xor     eax, eax
.text:005E10E1                 retn
.text:005E10E2 ; ---------------------------------------------------------------------------
.text:005E10E2
.text:005E10E2 loc_5E10E2:                             ; CODE XREF: sub_5E10AA+6¡üj
.text:005E10E2                 push    0A7h
.text:005E10E7                 mov     edx, offset aCUsersJskinner_5 ; "C:/Users/jskinner/sublime_text/third_pa"...
.text:005E10EC                 mov     ecx, offset aMdNull ; "md != NULL"
.text:005E10F1                 call    sub_5E1C0F
.text:005E10F1 sub_5E10AA      endp
.text:005E10F1
.text:005E10F1 ; ---------------------------------------------------------------------------

Nisy

分析过程呢£¿ 算法流程呢£¿无分析过程的keygen意义就不大了¡£

九层楼

Nisy 发表于 2018-5-23 10:51
分析过程呢£¿ 算法流程呢£¿无分析过程的keygen意义就不大了¡£

嗯好的, 尽量尝试着把知道的有用信息更多地整理出来

九层楼

飘云 发表于 2018-5-24 12:15
不错的解答~~

谢谢飘总的热心指点 ! 真是差之毫厘谬以千里
话?#30340;?#38745;态分析就搞定啦 , 庖丁解牛的既视感, 赞 !

ubuntu

sublime text虽然不限制功能£¬但是一直弹确?#24403;Ƚ戏常¬¸行?#20061;层楼大佬的分析£¬收藏了

snynisad3

下载学习看好吗£¿

theend

飘大都表扬的解答方法得好好学习一下£¬30PYB值

qian15

方法得好好学习一下

Prajna

楼主£¬附件下载失效了£¬麻烦补发一下£¬行吗£¿