作者:david
本文地址:http://blog.iyi.cn/user/david/archives/2005/01/210.html
原来网上早就有了checksum的相关破解,下面是checksum的汇编代码和vb版的破解。
目前我所用的就是vb版的checksum代码。
checksum的汇编代码:
; GOOGLECHECK - 32-bit checksum over a byte buffer (32-bit x86, MASM/IDA-style listing).
;
; Stack arguments (relative to ebp after the prologue):
;   [ebp+8]   url_offset  - pointer to the first byte to hash
;   [ebp+0Ch] url_length  - number of bytes to hash
;   [ebp+10h] magic_dword - starting value of the third state word
; Returns: eax = final value of the third state word (c).
; ebx, esi and edi are saved and restored; eax, ecx and edx are overwritten.
; The routine ends with a plain retn, so the arguments are left for the caller to remove.
;
; State words: ebx = a, edi = b, esi = c. a and b start at 9E3779B9h, c at magic_dword.
; The input is consumed 12 bytes at a time as three little-endian dwords added to
; a, b and c, each block followed by a subtract/xor/shift mixing round. The 0..11
; leftover bytes are added through the jump table, then one last round runs.
; The start constant, the 12-byte block and the shift sequence 13,8,13 / 12,16,5 /
; 3,10,15 match the mix step of Bob Jenkins' lookup2 hash.
;
; NOTE(review): url_length is trusted. Exactly url_length bytes are read starting at
; url_offset, with no check on the pointer or on the real size of the buffer, so the
; caller has to pass the true length.
; NOTE(review): nothing here depends on a value the client does not hold - the seed
; is an ordinary argument and every constant is in the code - so the result is a
; reproducible checksum and should not be relied on as proof of who made a request.
GOOGLECHECK proc near
var_8 = dword ptr -8
var_4 = dword ptr -4
url_offset = dword ptr 8
url_length = dword ptr 0Ch
magic_dword = dword ptr 10h
push ebp
mov ebp, esp
; The two pushes only reserve the 8 bytes used by var_8 and var_4.
push ecx
push ecx
mov eax, [ebp+url_length]
; Flags from this compare are consumed by the jb below; the push/mov
; instructions in between leave them untouched.
cmp eax, 0Ch
push ebx
push esi
mov esi, [ebp+magic_dword] ; = 0xE6359A60
push edi
mov edi, 9E3779B9h ; derived from the golden number, hi TEA ;)
mov ebx, edi
; var_4 = bytes still to be consumed.
mov [ebp+var_4], eax
; Fewer than 12 bytes: skip the block loop entirely.
jb jump_1
; ecx = 12, then eax = url_length / 12 (unsigned, edx cleared first).
push 0Ch
pop ecx
xor edx, edx
div ecx
mov ecx, [ebp+url_offset]
; var_8 = number of full 12-byte blocks.
mov [ebp+var_8], eax
loop_1:
; b (edi) += little-endian dword at [ecx+4]
movzx eax, byte ptr [ecx+7]
movzx edx, byte ptr [ecx+6]
shl eax, 8
add eax, edx
movzx edx, byte ptr [ecx+5]
shl eax, 8
add eax, edx
movzx edx, byte ptr [ecx+4]
add edx, edi
shl eax, 8
lea edi, [edx+eax]
; c (esi) += little-endian dword at [ecx+8]
movzx eax, byte ptr [ecx+0Bh]
movzx edx, byte ptr [ecx+0Ah]
shl eax, 8
add eax, edx
movzx edx, byte ptr [ecx+9]
shl eax, 8
add eax, edx
movzx edx, byte ptr [ecx+8]
add edx, esi
shl eax, 8
lea esi, [edx+eax]
; edx = little-endian dword at [ecx]; a is carried in edx for the rest of the
; round and stored back into ebx further down.
movzx edx, byte ptr [ecx+3]
movzx eax, byte ptr [ecx+2]
shl edx, 8
add edx, eax
movzx eax, byte ptr [ecx+1]
shl edx, 8
add edx, eax
movzx eax, byte ptr [ecx]
shl edx, 8
add edx, eax
; a = a + dword0 - b - c; a ^= c >> 13
sub edx, edi
sub edx, esi
mov eax, esi
shr eax, 0Dh
add edx, ebx
xor edx, eax
; b -= a; b -= c; b ^= a << 8
sub edi, edx
sub edi, esi
mov eax, edx
shl eax, 8
xor edi, eax
; c -= b; c -= a; c ^= b >> 13
sub esi, edi
sub esi, edx
mov eax, edi
shr eax, 0Dh
xor esi, eax
; a -= b; a -= c; a ^= c >> 12
sub edx, edi
sub edx, esi
mov eax, esi
shr eax, 0Ch
xor edx, eax
; b -= a; b -= c; b ^= a << 16
sub edi, edx
sub edi, esi
mov eax, edx
shl eax, 10h
xor edi, eax
; c -= b; c -= a; c ^= b >> 5
; (the remaining-byte counter is decremented by 12 in the middle of this step)
sub esi, edi
sub [ebp+var_4], 0Ch
sub esi, edx
mov eax, edi
shr eax, 5
xor esi, eax
; a -= b; a -= c; a ^= c >> 3
sub edx, edi
mov eax, esi
shr eax, 3
sub edx, esi
xor edx, eax
; a goes back to its home register.
mov ebx, edx
; b -= a; b -= c; b ^= a << 10
sub edi, ebx
sub edi, esi
mov eax, ebx
shl eax, 0Ah
xor edi, eax
; c -= b; c -= a; c ^= b >> 15
sub esi, edi
mov eax, edi
sub esi, ebx
shr eax, 0Fh
xor esi, eax
; Advance to the next 12-byte block and repeat while full blocks remain.
add ecx, 0Ch
dec [ebp+var_8]
jnz loop_1
jmp short jump_2
jump_1:
mov ecx, [ebp+url_offset]
jump_2:
; c += total length (the original argument, not the remaining count).
add esi, [ebp+url_length]
; eax = leftover bytes - 1. The unsigned ja bounds the table index to 0..10;
; zero leftover bytes gives FFFFFFFFh, which also takes the default path.
mov eax, [ebp+var_4]
dec eax
cmp eax, 0Ah ; switch 11 cases
ja defaultswitch ; default
jmp ds:off_100307EA[eax*4] ; switch jump
; Cases 0xA..0x8 add bytes 10, 9, 8 into c at bit positions 24, 16, 8 and fall
; through to case 0x7.
switch_10:
movzx eax, byte ptr [ecx+0Ah] ; case 0xA
shl eax, 18h
add esi, eax
switch_9:
movzx eax, byte ptr [ecx+9] ; case 0x9
shl eax, 10h
add esi, eax
switch_8:
movzx eax, byte ptr [ecx+8] ; case 0x8
shl eax, 8
add esi, eax
; Case 0x7: b += little-endian dword at [ecx+4], then continue with bytes 0..3.
switch_7:
movzx eax, byte ptr [ecx+7] ; case 0x7
movzx edx, byte ptr [ecx+6]
shl eax, 8
add eax, edx
movzx edx, byte ptr [ecx+5]
shl eax, 8
add eax, edx
movzx edx, byte ptr [ecx+4]
shl eax, 8
add edx, edi
lea edi, [edx+eax]
jmp short switch_3 ; case 0x3
; Cases 0x6..0x4 add bytes 6, 5, 4 into b at bit positions 16, 8, 0 and fall
; through to case 0x3.
switch_6:
movzx eax, byte ptr [ecx+6] ; case 0x6
shl eax, 10h
add edi, eax
switch_5:
movzx eax, byte ptr [ecx+5] ; case 0x5
shl eax, 8
add edi, eax
switch_4:
movzx eax, byte ptr [ecx+4] ; case 0x4
add edi, eax
; Case 0x3: a += little-endian dword at [ecx]. ecx is overwritten with byte 0
; here; the pointer is not used again after this point.
switch_3:
movzx eax, byte ptr [ecx+3] ; case 0x3
movzx edx, byte ptr [ecx+2]
shl eax, 8
add eax, edx
movzx edx, byte ptr [ecx+1]
movzx ecx, byte ptr [ecx]
shl eax, 8
add eax, edx
shl eax, 8
add ecx, ebx
lea ebx, [ecx+eax]
jmp short defaultswitch ; default
; Cases 0x2..0x0 add bytes 2, 1, 0 into a at bit positions 16, 8, 0.
switch_2:
movzx eax, byte ptr [ecx+2] ; case 0x2
shl eax, 10h
add ebx, eax
switch_1:
movzx eax, byte ptr [ecx+1] ; case 0x1
shl eax, 8
add ebx, eax
switch_0:
movzx eax, byte ptr [ecx] ; case 0x0
add ebx, eax
; Final mixing round, same shift sequence as in the loop, with a held in ebx.
defaultswitch:
; a -= b; a -= c; a ^= c >> 13
sub ebx, edi ; default
sub ebx, esi
mov eax, esi
shr eax, 0Dh
xor ebx, eax
; b -= a; b -= c; b ^= a << 8
sub edi, ebx
sub edi, esi
mov eax, ebx
shl eax, 8
xor edi, eax
; c -= b; c -= a; c ^= b >> 13
sub esi, edi
sub esi, ebx
mov eax, edi
shr eax, 0Dh
xor esi, eax
; a -= b; a -= c; a ^= c >> 12
sub ebx, edi
sub ebx, esi
mov eax, esi
shr eax, 0Ch
xor ebx, eax
; b -= a; b -= c; b ^= a << 16
sub edi, ebx
sub edi, esi
mov eax, ebx
shl eax, 10h
xor edi, eax
; c -= b; c -= a; c ^= b >> 5
sub esi, edi
mov eax, edi
sub esi, ebx
shr eax, 5
xor esi, eax
; From here c lives in eax (the return register) and ecx is scratch.
; a -= b; a -= c; a ^= c >> 3
sub ebx, edi
mov eax, esi
mov ecx, eax
sub ebx, eax
shr ecx, 3
xor ebx, ecx
; b -= a; b -= c; b ^= a << 10
sub edi, ebx
sub edi, eax
mov ecx, ebx
shl ecx, 0Ah
xor edi, ecx
; c -= b; c -= a; c ^= b >> 15  -> eax holds the result
sub eax, edi
sub eax, ebx
shr edi, 0Fh
xor eax, edi
; Restore the saved registers; leave releases var_8/var_4 together with the frame.
pop edi
pop esi
pop ebx
leave
retn
GOOGLECHECK endp
; Switch table
; Target list for the indirect jump `jmp ds:off_100307EA[eax*4]` in GOOGLECHECK.
; The code indexes it with (leftover bytes - 1), so entry i handles i+1 leftover
; bytes. The index is limited to 0..0Ah by the unsigned compare that precedes
; the jump; the table itself carries no bound of its own.
off_100307EA
dd offset switch_0
dd offset switch_1
dd offset switch_2
dd offset switch_3
dd offset switch_4
dd offset switch_5
dd offset switch_6
dd offset switch_7
dd offset switch_8
dd offset switch_9
dd offset switch_10
checksum的vb代码:
'=========================================================
' functions for the checksum:
'
' Function sl(ByVal x, ByVal n)
' Function sr(ByVal x, ByVal n)
' Function zeroFill(ByVal a, ByVal b)
' Private Function uadd(ByVal L1, ByVal L2)
' Private Function usub(ByVal L1, ByVal L2)
' Function mix(ByVal ia, ByVal ib, ByVal ic)
' Function gc(ByVal s, ByVal i)
' function GoogleCH(ByVal sURL)
' Function CalculateChecksum(sURL)
'=========================================================
Function sl(ByVal x, ByVal n)
    ' 32-bit left shift of x by n bits, for n from 0 to 31.
    ' The bits that would be shifted out are masked away first, the remaining
    ' bits are multiplied by 2^n, and the bit that lands in position 31 is put
    ' back with Or so the multiplication never leaves the signed 32-bit range.
    Dim topBit, shifted
    If n = 0 Then
        sl = x
        Exit Function
    End If
    ' topBit selects the source bit that ends up as bit 31 after the shift.
    topBit = CLng(2 ^ (32 - n - 1))
    shifted = (x And (topBit - 1)) * CLng(2 ^ n)
    If x And topBit Then
        shifted = shifted Or &H80000000
    End If
    sl = shifted
End Function
Function sr(ByVal x, ByVal n)
    ' 32-bit logical (zero-filling) right shift of x by n bits, for n from 0 to 31.
    ' The sign bit is stripped before the integer division and, when it was set,
    ' re-inserted at the position it would occupy after the shift.
    Dim magnitude, shifted
    If n = 0 Then
        sr = x
        Exit Function
    End If
    magnitude = x And &H7FFFFFFF
    If n = 31 Then
        ' 2 ^ 31 does not fit in a Long, and the low 31 bits all shift out anyway.
        shifted = 0
    Else
        shifted = magnitude \ CLng(2 ^ n)
    End If
    If magnitude <> x Then
        ' x had bit 31 set: place it at bit (31 - n).
        shifted = shifted Or CLng(2 ^ (31 - n))
    End If
    sr = shifted
End Function
Function zeroFill(ByVal a, ByVal b)
    ' Zero-filling right shift of a by b bits, built on sr.
    ' When bit 31 of a is set the shift is done in two steps: one bit first,
    ' then the remaining b - 1 bits on the now non-negative value.
    ' NOTE(review): that path calls sr with b - 1, so it needs b >= 1; mix in this
    ' file only passes 3, 5, 12, 13 and 15.
    Dim shifted
    If (a And &H80000000) = 0 Then
        zeroFill = sr(a, b)
        Exit Function
    End If
    shifted = sr(a, 1)
    ' Clear bit 31 and force bit 30, which is where the old sign bit belongs.
    shifted = (shifted And (Not &H80000000)) Or &H40000000
    zeroFill = sr(shifted, b - 1)
End Function
Private Function uadd(ByVal L1, ByVal L2)
    ' Adds two 32-bit values with wrap-around (modulo 2^32) and returns the
    ' result as a signed Long with the same bit pattern.
    ' Each operand is split into a 24-bit low part and an 8-bit high part so
    ' that no intermediate sum leaves the Long range.
    Dim lowA, highA, lowB, highB, lowSum, highSum
    lowA = L1 And &HFFFFFF
    lowB = L2 And &HFFFFFF
    highA = (L1 And &H7F000000) \ &H1000000
    highB = (L2 And &H7F000000) \ &H1000000
    ' The sign bit is bit 7 of the high part.
    If L1 < 0 Then highA = highA Or &H80
    If L2 < 0 Then highB = highB Or &H80
    lowSum = lowA + lowB
    highSum = highA + highB
    ' Carry out of the low 24 bits.
    If (lowSum And &H1000000) Then highSum = highSum + 1
    uadd = (lowSum And &HFFFFFF) + (highSum And &H7F) * &H1000000
    If highSum And &H80 Then uadd = uadd Or &H80000000
End Function
Private Function usub(ByVal L1, ByVal L2)
    ' Subtracts L2 from L1 with wrap-around (modulo 2^32) and returns the
    ' result as a signed Long with the same bit pattern.
    ' Operands are split into a 24-bit low part and an 8-bit high part, the
    ' same layout uadd uses.
    Dim lowA, highA, lowB, highB, lowDiff, highDiff
    lowA = L1 And &HFFFFFF
    lowB = L2 And &HFFFFFF
    highA = (L1 And &H7F000000) \ &H1000000
    highB = (L2 And &H7F000000) \ &H1000000
    ' The sign bit is bit 7 of the high part.
    If L1 < 0 Then highA = highA Or &H80
    If L2 < 0 Then highB = highB Or &H80
    highDiff = highA - highB
    lowDiff = lowA - lowB
    If lowDiff < 0 Then
        ' Borrow from the high part.
        highDiff = highDiff - 1
        lowDiff = lowDiff + &H1000000
    End If
    usub = lowDiff + (highDiff And &H7F) * &H1000000
    If highDiff And &H80 Then usub = usub Or &H80000000
End Function
Function mix(ByVal ia, ByVal ib, ByVal ic)
    ' Runs the three-pass subtract/xor/shift mixing step on the state words
    ' (ia, ib, ic) and returns them as an array: index 0 = a, 1 = b, 2 = c.
    ' Each pass does: a = (a - b - c) Xor (c >> s1), b = (b - c - a) Xor (a << s2),
    ' c = (c - a - b) Xor (b >> s3), with (s1, s2, s3) = (13, 8, 13), (12, 16, 5)
    ' and (3, 10, 15). These are the same shift counts used in the assembly listing.
    Dim a, b, c, pass, rightShiftC, leftShiftA, rightShiftB
    rightShiftC = Array(13, 12, 3)
    leftShiftA = Array(8, 16, 10)
    rightShiftB = Array(13, 5, 15)
    a = ia
    b = ib
    c = ic
    For pass = 0 To 2
        a = usub(usub(a, b), c) Xor zeroFill(c, rightShiftC(pass))
        b = usub(usub(b, c), a) Xor sl(a, leftShiftA(pass))
        c = usub(usub(c, a), b) Xor zeroFill(b, rightShiftB(pass))
    Next
    ' Dim ret(3) allocates indexes 0..3; only 0..2 are filled.
    Dim ret(3)
    ret(0) = a
    ret(1) = b
    ret(2) = c
    mix = ret
End Function
Function gc(ByVal s, ByVal i)
    ' Returns the character code at zero-based position i of s.
    ' NOTE(review): the assembly version adds one byte at a time; Asc only
    ' matches that for single-byte characters, so how URLs containing other
    ' characters should be encoded before hashing needs to be confirmed.
    Dim oneChar
    oneChar = Mid(s, i + 1, 1)
    gc = Asc(oneChar)
End Function
function GoogleCH(ByVal sURL)
    ' Computes the 32-bit checksum of sURL and returns it as a signed Long.
    ' a and b start at &H9E3779B9, c at GOOGLE_MAGIC. The string is consumed in
    ' 12-character blocks (three little-endian 32-bit words added to a, b, c,
    ' then mix), the leftover 0..11 characters are added, and c of the final
    ' mix is the result.
    ' NOTE(review): GOOGLE_MAGIC is not defined in this listing. Without Option
    ' Explicit an undefined name is silently treated as empty, which would give a
    ' wrong checksum rather than an error; the comment in the assembly listing
    ' gives the value 0xE6359A60.
    Dim iLength, a, b, c, k, iLen, m, chunk, pos, octet
    iLength = Len(sURL)
    iLen = iLength
    k = 0
    a = &H9E3779B9
    b = &H9E3779B9
    c = GOOGLE_MAGIC
    Do While iLen >= 12
        chunk = uadd(gc(sURL,k+0),uadd(sl(gc(sURL,k+1),8),uadd(sl(gc(sURL,k+2),16),sl(gc(sURL,k+3),24))))
        a = uadd(a, chunk)
        chunk = uadd(gc(sURL,k+4),uadd(sl(gc(sURL,k+5),8),uadd(sl(gc(sURL,k+6),16),sl(gc(sURL,k+7),24))))
        b = uadd(b, chunk)
        chunk = uadd(gc(sURL,k+8),uadd(sl(gc(sURL,k+9),8),uadd(sl(gc(sURL,k+10),16),sl(gc(sURL,k+11),24))))
        c = uadd(c, chunk)
        m = mix(a, b, c)
        a = m(0)
        b = m(1)
        c = m(2)
        k = k + 12
        iLen = iLen - 12
    Loop
    ' The total length goes into the low byte of c, so tail characters 8..10
    ' are placed one byte higher than their position would suggest.
    c = uadd(c, iLength)
    ' Leftover characters. VBScript Select Case does not fall through, so each
    ' character is added individually here; uadd wraps modulo 2^32, which makes
    ' the order of the additions irrelevant.
    For pos = 0 To iLen - 1
        octet = gc(sURL, k + pos)
        Select Case pos \ 4
            Case 0
                a = uadd(a, sl(octet, 8 * (pos Mod 4)))
            Case 1
                b = uadd(b, sl(octet, 8 * (pos Mod 4)))
            Case 2
                c = uadd(c, sl(octet, 8 * (pos Mod 4) + 8))
        End Select
    Next
    m = mix(a, b, c)
    GoogleCH = m(2)
End Function
Function CalculateChecksum(sURL)
    ' Builds the checksum string for sURL: the digit "6" followed by the decimal
    ' form of GoogleCH("info:" & sURL) with bit 31 cleared.
    ' NOTE(review): the mask drops the top bit, so the printed number is not the
    ' full unsigned 32-bit value the assembly routine returns in eax; confirm
    ' which form the consumer of this string expects.
    Dim hashValue
    hashValue = GoogleCH("info:" & sURL)
    CalculateChecksum = "6" & CStr(hashValue And &H7FFFFFFF)
End Function