1-1-3-5-15 这段代码是什么意思啊？

文选流氓

发信人: FrankCH (终有绿叶衬), 信区: Java      
标  题: Re: 这段代码是什么意思啊？
发信站: BBS 水木清华站 (Wed Jul  3 17:38:34 2002)


【 在 FrankCH (终有绿叶衬) 的大作中提到: 】
: 嘿嘿，这块石头好眼熟啊。。
嘿嘿。。
我贴一段东西大家看看吧。想玩java decode的都该看看的

1. 
   
2. $Revision: 1.1 $
   
3.                 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   
4.                 Cracking Zelix KlassMaster's String Encryption
   
5.                    (and how to get hiscores in Java games)
   
6.                 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   
7.                              by Morten Poulsen
   
8.                               [email]m0rtenp@ofir.dk[/email]
   
9.       [url]http://www.zelix.com/klassmaster/featuresStringEncryption.html[/url]
   
10.       "However, note that Zelix KlassMaster's String Encryption isn't and
    
11.       cannot be fundamentally irreversible."
    
12.                                Introduction
    
13.                                ~~~~~~~~~~~~
    
14.    To make decompilation of Java applets and making changes to the code more
    
15. 
    
16. difficult, and to hide secret information (eg. how to calculate hashes for
    
17. hiscores) people obfuscate their java bytecode. Some of the ways to do so is
    
18. 
    
19. to scramble the line number tables, replace all names of classes, methods an
    
20. d
    
21. variables with nonsense, and the one we will look at, string encryption.
    
22. You will need a few tools to help you do the job:
    
23. - Java decompiler (Jad)
    
24. - editor (vim)
    
25. - common sense (brain)
    
26. some knowlage about JVMs will be nice, but I tell you everything you need to
    
27. 
    
28. know here. If you want to make your own cracks, you need that knowlage.
    
29. Some tools are nice to have when cracking the hiscore tables of Java games:
    
30. - TCP sniffer (tcpdump)
    
31. - "Java enabled" browser (Mozilla)
    
32. - C compiler (gcc)
    
33. - all the GNU tools (eg. grep)
    
34. - webserver with PHP ;-)
    
35.                             What's going on?
    
36.                             ~~~~~~~~~~~~~~~~
    
37.    Forst of all we need to find a game to crack. The games on Coca~Cola's
    
38. (nordic) website looks like great candidates. Start the TCP sniffer (tcpdump
    
39. 
    
40. -w file), and launch the game. Play the game and write down your score. Stop
    
41. 
    
42. the TCP sniffer, and open the file (vi file). Search for your score in the
    
43. binary masses. You shuld find a line a'la:
    
44. GET /magazine/servlet/SetHighscoreServlet?score=6324&game=0&cookie=yourname&
    
45. 
    
46. md5=c404cd019e1a214487cd4c841
    
47. So all we need to know is how to generate the md5 hash, then we will be able
    
48. 
    
49. to make our own hiscores, hopefully.
    
50.                          Decompiling and Thinking
    
51.                          ~~~~~~~~~~~~~~~~~~~~~~~~
    
52.    Download the .jar archive containing the game (hint: view source, <applet
    
53. >
    
54. tag, archive=...), unpack it and decompile each class. Now try to find the
    
55. place in the code where the result is send back to the server (fgrep -rn "UR
    
56. L"
    
57. *). b/a/a.java line 122 (decompiled with jad) looks like a god place to star
    
58. t.
    
59. It reads:
    
60.     URL url = new URL(c, b("L9\001 qMdK|)\016rZ!\f\007cfg8\ndMa-\007DK|)
    
61.     \016rZ1,\001x\\kb") + Integer.toString(i) + b("DpOc:_") + d + b("DtA
    
62.     a4\013r\023") + e + b("DzJ;b") + a.a.a.a.a.a(i, Integer.parseInt(d), e))
    
63. ;
    
64. The URL looks a lot like what we seek:
    
65.     "long text"+i+"text"+d+"text"+e+"text"+result_of_calculation(i,d,e)
    
66. the problems are now "are these strings the ones we seek?" (just for the fun
    
67. 
    
68. of it - lets find out) and "what does a.a.a.a.a.a() do?".
    
69.   Open the file (vi b/a/a.java) and seek to line 122. We can see that the
    
70. method used to decrypt the string is b(). Seek to b() (line 224). It looks
    
71. like this:
    
72. 224:     private static String b(String s)
    
73. 225:     {
    
74. 226:         char ac[];
    
75. 227:         int i;
    
76. 228:         int j;
    
77. 229:         ac = s.toCharArray();
    
78. 230:         i = ac.length;
    
79. 231:         j = 0;
    
80. 232:           goto _L1
    
81. 233: _L9:
    
82. 234:         ac;
    
83. 235:         j;
    
84. 236:         JVM INSTR dup2 ;
    
85. 237:         JVM INSTR caload ;
    
86. 238:         j % 5;
    
87. 239:         JVM INSTR tableswitch 0 3: default 76
    
88. 240:     //                   0 52
    
89. 241:     //                   1 58
    
90. 242:     //                   2 64
    
91. 243:     //                   3 70;
    
92. 244:            goto _L2 _L3 _L4 _L5 _L6
    
93. 245: _L3:
    
94. 246:         0x62;
    
95. 247:           goto _L7
    
96. 248: _L4:
    
97. 249:         23;
    
98. 250:           goto _L7
    
99. 251: _L5:
    
100. 252:         46;
     
101. 253:           goto _L7
     
102. 254: _L6:
     
103. 255:         14;
     
104. 256:           goto _L7
     
105. 257: _L2:
     
106. 258:         95;
     
107. 259: _L7:
     
108. 260:         JVM INSTR ixor ;
     
109. 261:         (char);
     
110. 262:         JVM INSTR castore ;
     
111. 263:         j++;
     
112. 264: _L1:
     
113. 265:         if(j < i) goto _L9; else goto _L8
     
114. 266: _L8:
     
115. 267:         return new String(ac);
     
116. 268:     }
     
117.    Java's Virtual Machine is a stack based machine. That is, there is only o
     
118. ne
     
119. register, the instruction pointer, the rest of what registers are normaly us
     
120. ed
     
121. for is done on the stack. Example: c=a+b is done PUSH a, PUSH b, ADD (which
     
122. pop the operands off the stack, and push the result back), POP c.
     
123.    If we look closer at the code, we can see that the lines 232,233,264,265,
     
124. 
     
125. 266 are just a while-loop, looping through the chars in the string. Line 238
     
126. 
     
127. pushes the result of j (the index into the string) modulus 5 on the stack.
     
128. Lines 239-259 looks like a switch/case, pushing a nubmer onto the stack, bas
     
129. ed
     
130. on j%5. Line 260 pops two operands off the stack - a char from the encrypted
     
131. 
     
132. string, and the mysterious number, and pushes back the result of an XOR. Ah!
     
133. 
     
134. The mysterious numbers are the key of a simple XOR encryption! Written in C
     
135. it
     
136. would look like:
     
137.     for (j=0; j<strlen(str); j++) {
     
138.         str[j] ^= key[j%5];
     
139.     }
     
140. that's it. Just a plain 40-bit XOR. Let's make a short program to decrypt a
     
141. string. I am lazy so everything is hard-coded.
     
142. decode1.c:
     
143. ----------------------------------------------------------------------------
     
144. --
     
145. #include <stdlib.h>
     
146. #define KEYSIZE 5
     
147. int main(void) {
     
148.     unsigned char buf[] = "L9\001 qMdK|)\016rZ!\f\007cfg8\ndMa-\007DK|)\016r
     
149. Z1,\001x\\kb";
     
150.     unsigned char key1[] = { 0x62, 23, 46, 14, 95 };
     
151.     unsigned char c;
     
152.     int i;
     
153.      for (i=0; i<strlen(buf); i++) {
     
154.          c = buf[i] ^ key1[i%KEYSIZE];
     
155.          printf("%c", c);
     
156.      }
     
157.      printf("\n");
     
158.      return EXIT_SUCCESS;
     
159. }
     
160. ----------------------------------------------------------------------------
     
161. --
     
162. weeee, running it (gcc decode1.c && ./a.out) returns:
     
163.     ../../servlet/SetHighscoreServlet?score=
     
164. so this was all that had to be done! A few lines of C, and the strings can b
     
165. e
     
166. decrypted.
     
167.                             The Hash Function
     
168.                             ~~~~~~~~~~~~~~~~~
     
169.    The hash in the HTTP-request looks a lot like an MD5, and the name in the
     
170. 
     
171. URL is "md5", so my guess is: It's an md5 of the score, the game id, the
     
172. username and some secret string. But why does the method take three paramete
     
173. rs
     
174. (long,int,String)? That's not normal for MD5 functions. Open the file (vi
     
175. a/a/a/a/a.java) and seek to the version of a() taking the three parameters
     
176. (line 83). Ah! It calls the real MD5 method with a string:
     
177.     (l + i) + s + "some secret string"
     
178. where l is the score, i is the gameid and s is the username. But the secret
     
179. string is encrypted. Actualy it is encrypted two times (see, it calls both c
     
180. ()
     
181. and b()), but that shuld be no problem at all.
     
182.    Seek to method c() (line 140). Ha! It's just like the other one, only the
     
183. 
     
184. key is changed. Let's have a look at methos b() (line 89). Haha, the same
     
185. thing here. So all we need to do to get the secret string is to change a few
     
186. 
     
187. lines in the decode program so it can handle two keys.
     
188. decode2.c:
     
189. ----------------------------------------------------------------------------
     
190. --
     
191. #include <stdlib.h>
     
192. #define KEYSIZE 5
     
193. #define BUFSIZE 25   /* needed, 'cause buf has a null byte */
     
194. int main(void) {
     
195.     unsigned char buf[] = "mS?\032<lD/\0137aS&\003<e_,\013*}D.\000>";
     
196.     unsigned char key1[] = { 0x71, 103, 47, 41, 9 };
     
197.     unsigned char key2[] = { 120, 81, 100, 71, 80 };
     
198.     unsigned char c;
     
199.     int i;
     
200.      for (i=0; i<BUFSIZE; i++) {
     
201.          c = buf[i] ^ key1[i%KEYSIZE] ^ key2[i%KEYSIZE];
     
202.          printf("%c", c);
     
203.      }
     
204.      printf("\n");
     
205.      return EXIT_SUCCESS;
     
206. }
     
207. ----------------------------------------------------------------------------
     
208. --
     
209. running the program gives us the result "detteerdenhemmeligestreng" which is
     
210. 
     
211. danish for "thisisthesecretstring". ROFL.
     
212.                           Exploiting the Hiscore
     
213.                           ~~~~~~~~~~~~~~~~~~~~~~
     
214.    WARNING! Don't try this at home, you will just get into trouble ;-)
     
215. I am lazy, so I wrote a little PHP script to generate the URL's to request
     
216. from the server to set hiscores (eg. just copy/paste into browser). Try it t
     
217. o
     
218. see if the hash is the same as the one you got playing the game (no, my hash
     
219. 
     
220. here is fake, use your own).
     
221. hash.php:
     
222. ----------------------------------------------------------------------------
     
223. --
     
224. <html>
     
225.   <head>
     
226.     <title>Coca~Cola hiscore generator</title>
     
227.   </head>
     
228.   <body>
     
229.     <?php
     
230.       if ($cookie) print("http://www.coca-cola.fi/magazine/servlet/SetHighsc
     
231. oreServlet?score=$score&game=$game&cookie=$cookie&md5=".md5($score.$cookie.'
     
232. detteerdenhemmeligestreng')."<br>\n");
     
233.       print("<form>\n");
     
234.       print("<input type="text" name="score" value="" . (int)$score . "
     
235. " size="10"><br>\n");
     
236.       print("<input type="text" name="game" value="" . (int)$game . ""
     
237. size="2"><br>\n");
     
238.       print("<input type="text" name="cookie" value="$cookie" size="3
     
239. 0"<br>\n");
     
240.       print("<input type="submit" value="go go go">\n");
     
241.       print("</form>");
     
242.     ?>
     
243.   </body>
     
244. </html>
     
245. ----------------------------------------------------------------------------
     
246. --
     

复制代码