分类: 网络与安全

2011-12-29 20:27:44

现在很多大学都在使用正方教务管理系统,该系统后台使用 Oracle 数据库,数据库里存储的密码是经过加密的,如下图所示:


网站目录下的 /bin/zjdx.dll 中,zjdx.mmtp 类的 jiemi() 方法负责解密。zjdx.dll 是用 VB.Net 生成的,将其反汇编为 MSIL 后得到如下代码:

  1. .method public instance string jiemi(string PlainStr,
  2.                                       string key) cil managed
  3. {
      // Reverses the stored-password transform. When Len(PlainStr) is even,
      // each half of the input is string-reversed and the halves re-joined;
      // then every character is XORed with the current key character (the key
      // position wraps after Len(key)), except that a character is copied
      // through unchanged when the XOR result is outside 32..126 or
      // Asc(strChar) is outside 0..255.
      //   arg1 = PlainStr (the stored value), arg2 = key; returns the result.
      // Note: this is a fixed-key, fully reversible transform (obfuscation),
      // not a password hash; anyone holding the data and the key recovers
      // every stored credential. A salted password hash is the appropriate
      // storage form.
  4.   // Code size 279 (0x117)
  5.   .maxstack 3
  6.   .locals init ([0] int32 i,
  7.            [1] string jiemi,
  8.            [2] string KeyChar,
  9.            [3] string NewStr,
  10.            [4] int32 Pos,
  11.            [5] string Side1,
  12.            [6] string Side2,
  13.            [7] string strChar,
  14.            [8] int32 _Vb_t_i4_0)
  15.   IL_0000: nop
      // Pos = 1  (1-based index into key, as used by Mid)
  16.   IL_0001: ldc.i4.1
  17.   IL_0002: stloc.s Pos
      // if (Len(PlainStr) Mod 2) <> 0 then skip the half-swap (goto IL_0062)
  18.   IL_0004: ldarg.1
  19.   IL_0005: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Len(string)
  20.   IL_000a: ldc.i4.2
  21.   IL_000b: rem
  22.   IL_000c: ldc.i4.0
  23.   IL_000d: bne.un.s IL_0062
      // Side1 = StrReverse(Left(PlainStr, Round(Len(PlainStr) / 2)))
  24.   IL_000f: ldarg.1
  25.   IL_0010: ldarg.1
  26.   IL_0011: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Len(string)
  27.   IL_0016: conv.r8
  28.   IL_0017: ldc.r8 2.
  29.   IL_0020: div
  30.   IL_0021: call float64 [mscorlib]System.Math::Round(float64)
  31.   IL_0026: conv.ovf.i4
  32.   IL_0027: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Left(string,
  33.                                                                                          int32)
  34.   IL_002c: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::StrReverse(string)
  35.   IL_0031: stloc.s Side1
      // Side2 = StrReverse(Right(PlainStr, Round(Len(PlainStr) / 2)))
  36.   IL_0033: ldarg.1
  37.   IL_0034: ldarg.1
  38.   IL_0035: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Len(string)
  39.   IL_003a: conv.r8
  40.   IL_003b: ldc.r8 2.
  41.   IL_0044: div
  42.   IL_0045: call float64 [mscorlib]System.Math::Round(float64)
  43.   IL_004a: conv.ovf.i4
  44.   IL_004b: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Right(string,
  45.                                                                                           int32)
  46.   IL_0050: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::StrReverse(string)
  47.   IL_0055: stloc.s Side2
      // PlainStr = Side1 & Side2
  48.   IL_0057: ldloc.s Side1
  49.   IL_0059: ldloc.s Side2
  50.   IL_005b: call string [mscorlib]System.String::Concat(string,
  51.                                                               string)
  52.   IL_0060: starg.s PlainStr
  53.   IL_0062: nop
      // i = 1; _Vb_t_i4_0 = Len(PlainStr)  (loop bound); jump to the loop test
  54.   IL_0063: ldc.i4.1
  55.   IL_0064: ldarg.1
  56.   IL_0065: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Len(string)
  57.   IL_006a: stloc.s _Vb_t_i4_0
  58.   IL_006c: stloc.0
  59.   IL_006d: br IL_010b
      // --- loop body: strChar = Mid(PlainStr, i, 1)
  60.   IL_0072: ldarg.1
  61.   IL_0073: ldloc.0
  62.   IL_0074: ldc.i4.1
  63.   IL_0075: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Mid(string,
  64.                                                                                         int32,
  65.                                                                                         int32)
  66.   IL_007a: stloc.s strChar
      // KeyChar (local 2) = Mid(key, Pos, 1)
  67.   IL_007c: ldarg.2
  68.   IL_007d: ldloc.s Pos
  69.   IL_007f: ldc.i4.1
  70.   IL_0080: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Mid(string,
  71.                                                                                         int32,
  72.                                                                                         int32)
  73.   IL_0085: stloc.2
      // Condition (any of the four OR'ed terms):
      //   (Asc(strChar) Xor Asc(KeyChar)) < 32
      //   Or (Asc(strChar) Xor Asc(KeyChar)) > 126
      //   Or Asc(strChar) < 0
      //   Or Asc(strChar) > 0xff
      // If none holds, fall through to the XOR branch at IL_00d2.
  74.   IL_0086: ldloc.s strChar
  75.   IL_0088: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  76.   IL_008d: ldloc.2
  77.   IL_008e: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  78.   IL_0093: xor
  79.   IL_0094: ldc.i4.s 32
  80.   IL_0096: clt
  81.   IL_0098: ldloc.s strChar
  82.   IL_009a: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  83.   IL_009f: ldloc.2
  84.   IL_00a0: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  85.   IL_00a5: xor
  86.   IL_00a6: ldc.i4.s 126
  87.   IL_00a8: cgt
  88.   IL_00aa: or
  89.   IL_00ab: ldloc.s strChar
  90.   IL_00ad: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  91.   IL_00b2: ldc.i4.0
  92.   IL_00b3: clt
  93.   IL_00b5: or
  94.   IL_00b6: ldloc.s strChar
  95.   IL_00b8: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  96.   IL_00bd: ldc.i4 0xff
  97.   IL_00c2: cgt
  98.   IL_00c4: or
  99.   IL_00c5: brfalse.s IL_00d2
      // Condition held: NewStr (local 3) = NewStr & strChar  (character kept as-is)
  100.   IL_00c7: ldloc.3
  101.   IL_00c8: ldloc.s strChar
  102.   IL_00ca: call string [mscorlib]System.String::Concat(string,
  103.                                                               string)
  104.   IL_00cf: stloc.3
  105.   IL_00d0: br.s IL_00f2
      // Otherwise: NewStr = NewStr & Chr(Asc(strChar) Xor Asc(KeyChar))
  106.   IL_00d2: nop
  107.   IL_00d3: ldloc.3
  108.   IL_00d4: ldloc.s strChar
  109.   IL_00d6: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  110.   IL_00db: ldloc.2
  111.   IL_00dc: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Asc(string)
  112.   IL_00e1: xor
  113.   IL_00e2: call char [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Chr(int32)
  114.   IL_00e7: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromChar(char)
  115.   IL_00ec: call string [mscorlib]System.String::Concat(string,
  116.                                                               string)
  117.   IL_00f1: stloc.3
  118.   IL_00f2: nop
      // if Pos = Len(key) then Pos = 0   (key position wraps)
  119.   IL_00f3: ldloc.s Pos
  120.   IL_00f5: ldarg.2
  121.   IL_00f6: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Len(string)
  122.   IL_00fb: bne.un.s IL_0100
  123.   IL_00fd: ldc.i4.0
  124.   IL_00fe: stloc.s Pos
      // Pos += 1  (overflow-checked add, as VB emits)
  125.   IL_0100: ldloc.s Pos
  126.   IL_0102: ldc.i4.1
  127.   IL_0103: add.ovf
  128.   IL_0104: stloc.s Pos
  129.   IL_0106: nop
      // i += 1
  130.   IL_0107: ldloc.0
  131.   IL_0108: ldc.i4.1
  132.   IL_0109: add.ovf
  133.   IL_010a: stloc.0
      // loop test: if i <= _Vb_t_i4_0 goto IL_0072
  134.   IL_010b: ldloc.0
  135.   IL_010c: ldloc.s _Vb_t_i4_0
  136.   IL_010e: ble IL_0072
      // jiemi = NewStr; return jiemi
  137.   IL_0113: ldloc.3
  138.   IL_0114: stloc.1
  139.   IL_0115: ldloc.1
  140.   IL_0116: ret
  141. } // end of method mmtp::jiemi

逆向得到如下 C++ 代码(为便于与 IL 对照,所用变量名与原来保持一致,如 jiemi、Side1、Side2 等):

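  /// Returns a copy of `strFormer` with its characters in reverse order
  /// (the C++ counterpart of VB's StrReverse used in the IL above).
  ///
  /// @param strFormer  the string to reverse; taken by value as in the original
  /// @return           the reversed string; an empty input yields ""
  std::string ReverseStr(std::string strFormer)
  {
      // Building the result from reverse iterators replaces the hand-written
      // decrement loop and per-character appends with a single allocation;
      // the empty-string case needs no special handling.
      return std::string(strFormer.rbegin(), strFormer.rend());
  }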

  11. string Decode(string PlainStr, string key)
  12. {
      // C++ rendering of mmtp::jiemi (see the IL above): for an even-length
      // input the two halves are each reversed and re-joined, then every
      // character is XORed with the current key character (the key position
      // wraps after key.size()); a character is copied through unchanged when
      // the XOR result is outside 32..126 or its own value is outside 0..255.
      //   PlainStr - the stored (obfuscated) value; modified locally
      //   key      - the key string; indexed 1-based via Pos
      //   returns  - the recovered string
      // Note: this is a fixed-key, reversible transform, not a password hash,
      // so the stored values give no protection to anyone who holds the key;
      // a salted password hash is the appropriate storage form.
      // NOTE(review): the cout lines below are debugging output left in the
      // port; they are not part of the original method.
  13.     int i;
  14.     string jiemi;
  15.     string KeyChar;
  16.     string NewStr;
  17.     int Pos;
  18.     string Side1;
  19.     string Side2;
  20.     string strChar;
  21.     int _Vb_t_i4_0;
  22.     
  23.     Pos = 1;
      // Half-swap only for even lengths; size()/2 then equals the IL's
      // Round(Len / 2), so the two halves are exactly equal in size.
  24.     if(PlainStr.size()%2 == 0)
  25.     {
  26.         Side1 = ReverseStr(PlainStr.substr(0, PlainStr.size()/2));
  27.         Side2 = ReverseStr(PlainStr.substr(PlainStr.size()/2));
  28.         PlainStr = Side1 + Side2;
  29.     }
  30.     
      // Loop bound, named after the compiler temporary in the IL.
  31.     _Vb_t_i4_0 = PlainStr.size();
      // bl_1..bl_4 mirror the four clt/cgt results OR'ed together in the IL.
  32.     int bl_1, bl_2, bl_3, bl_4=0;
  33.     for(i=1; i<=_Vb_t_i4_0; i++)
  34.     {
  35.         strChar = PlainStr.substr(i-1, 1);
      // NOTE(review): an empty key makes this substr throw std::out_of_range
      // on the second character (Pos becomes 2) — TODO confirm callers never
      // pass "".
  36.         KeyChar = key.substr(Pos-1, 1);
  37.         
  38.         bl_1 = (strChar[0] ^ KeyChar[0]) < 32? 1:0;
  39.         bl_2 = (strChar[0] ^ KeyChar[0]) > 126? 1:0;
      // Mirrors `Asc(strChar) < 0` in the IL; with a signed `char` this is true
      // for bytes >= 0x80. Whether that matches VB's Asc() for non-ASCII input
      // is not verified here.
  40.         bl_3 = (strChar[0] < 0? 1:0) | (bl_1 | bl_2);
      // NOTE(review): `strChar[0] > 0xFF` can never be true for a `char`; the
      // IL compares the int32 result of Asc() against 0xff instead.
  41.         bl_4 = (strChar[0] > 0xFF? 1:0) | bl_3;
  42.         if(bl_4)
  43.         {
  44.             cout << "if" << endl;
      // Character kept unchanged.
  45.             NewStr += strChar;
  46.             cout << "strChar :" <<endl;
  47.         }
  48.         else
  49.         {
  50.             cout << "else" << endl;
      // XOR with the current key byte (the IL's Chr(Asc(strChar) Xor Asc(KeyChar))).
  51.             char ch = strChar[0] ^ KeyChar[0];
  52.             string str = "";
  53.             str += ch;
  54.             NewStr += str;
  55.             cout << strChar << " xor " << KeyChar << " is " << ch << endl;
  56.         }
      // Wrap the 1-based key position: reset to 0, then the increment below
      // makes it 1 again.
  57.         if(key.size() == Pos)
  58.         {
  59.             cout << "key.size() == Pos" << endl;
  60.             Pos = 0;
  61.         }
  62.         Pos += 1;
  63.     }
  64.     jiemi = NewStr;
  65.     return jiemi;
  66. }
要利用上述解密算法进行解密,还需要知道加密所用的密钥(即上述解密函数第二个参数),这里不公开该key, 因为自己也不知道每个学校用的 key 是否相同。其实从上述解密算法看,要逆出该 key 是非常简单的,有需要的人就自己动手吧

知道 key 之后就可以对密码进行还原了。

展示一下战果

稍微懂点编程的人大概已经看出来,正方教务系统后台程序的编程风格只是初学者水平:变量命名混乱,很多直接用汉语拼音命名。加解密算法毫无强度可言,其实就是在简单异或的基础上做了一点处理——密钥固定、变换完全可逆,这与用加盐哈希存储密码完全不是一回事。数据库中表的命名全部是拼音,如 cxxsmm(查询学生密码)、cjb(成绩表)、jsxxb(教师信息表)……各种无语。真不知道这样的烂系统怎么会有 1000 多所学校还在用。


  1. 正方教务系统全部程序在附件中,仅供学习研究,请勿用于非法用途。 zjdxgc.part01.rar    zjdxgc.part02.rar   

yuzhibo刚2012-12-07 17:42:52

大哥 这上面的正方这篇文章是你原创的吗  可以帮我办点事吗  事后有酬金  我QQ1337057779