
Anarchriz/DREAD

CRC,
CRC and how to Reverse it

Anarchriz/DREAD Copyright (c) 1998,1999 by Anarchriz

CRC . CRC, , , . CRC, . , CRC 32, . , , "" CRC, , , . , . , . ? , , CRC , "X" . , , .

1. CRC: ,
Cyclic Redundancy Code (CRC)
CRC. , RAR, ZIP , . CRC , , , . CRC . , , . CRC 32 1/2^32.

: http://huizen.dds.nl/~noway66/programming/crc.htm ( . .)


, CRC Cyclic Redundancy Check ( ). , , , "CRC 12345678" ?. , , CRC , ? : CRC " " " ". ? , , , ; CRC! (, ), 9/3=3, =0; (9+2)/3=3, =2. (X ) (), . , "X" ( "X" ) . CRC , " ". "" . : 1 , 2 3 : -+ (1) 1101 1010---0011 (2) 1010 1111+ ---0101 1010 1111---0101 (3) 0+0=0 0-0=0 0+1=1 *0-1=1 1+0=1 1-0=1 *1+1=0 1-1=0

1 0-1=-1, , "" : (10+0)-1=1. ( " ".) 1+1 10, "" . ( 2 3) "". , 0 1 1, ( 1). "" . , " " (eXclusive OR, XOR), . : : 1001/1111000\1101 13 9/120\13 1001 09 -| ----| 1100 30 | 1001 27 ----0110 3 -> 0000 ---1100 1001 ---011 -> 3,

CRC, CRC ( 3): 1001/1111000\1110 9/120\14 6 (120/9=14 1001 ---1100 1001 ---1010 1001 ---0110 0000 ---110 ->

3 6)

, , , CRC. , ! . , CRC.

CRC
CRC , . (W Width) , , 1001 "3", "4". , 1, , , , . CRC , , . W . 3 , 1111. ( 4):

= 10011, W=4
+ W = 110101101 + 0000

10011/1101011010000\110000101 (
      10011||||||||
      -----||||||||
       10011|||||||
       10011|||||||
       -----|||||||
        00001||||||
        00000||||||
        -----||||||
         00010|||||
         00000|||||
         -----|||||
          00101||||
          00000||||
          -----||||
           01010|||
           00000|||
           -----|||
            10100||
            10011||
            -----||
             01110|
             00000|
             -----|
              11100
              10011
              -----
               1111 -> -> )

CRC!


2 : 1. XOR , 1, . 2. XOR W , 0.


, , . . , , 8 ( ). 32 (W=32). 3 + < | + 1< ( 1) , CRC, CRC . , , 1, " " (XOR) W ( 32). . , ( ) . CRC 8 4 . : 10110100 4 , 4 . 1011, 1101. : 8 (CRC) : 01001101 4 , : 1011 ( W=8) : 101011100 : . ---- -------1011 01001101 1010 11100  (*1) XOR, 3 (, 1) ------------0001 10101101 XOR + | + 2 + | + 32 1 + | + 0 + |< + > , W ( 32 ) 4*8


0 , 1 0001 10101101 1 01011100  (*2) XOR, 0 (, 1) ------------0000 11110001 XOR ^^^^ 4 , XOR. , (*1) XOR (*2). (a XOR b) XOR c = a XOR (b XOR c). 1010 11100 , 3 1 01011100  (*2) , 0 ------------1011 10111100 (*3) XOR XOR (*3), : 1011 10111100 1011 01001101  ------------0000 11110001

? ! (*3) , , 1011, W=8 10111100 (, ). , XOR . , 0. 1. (8 ), , . 256 ( 2^8) (32 ) ( CRC 32 ). :

While (the augmented message has bytes left)
Begin
    Top = top_byte of register;
    Register = (Register shifted left by 8 bits) OR (next message byte);
    Register = Register XOR precomputed_table[Top];
End


. "" . XOR , , . , .


, ( " "), , / ( , , :) ). ( 2): [diagram lost in extraction; surviving labels: register bytes 3 2 1 0, XOR]

""
"" . "" . , '0111011001' "" '1001101110'. UART ( /), , ( 0) ( 7), . , , , , . , , , , , . ( 3): [diagram lost in extraction; surviving labels: register bytes 3 2 1 0, XOR]


: 1. 1 . 2. XOR ([0,255]). 3. XOR . 4. , 1.


CRC 32: : "CRC-32" : 32 : 04C11DB7 : FFFFFFFF : XOR : FFFFFFFF ( ) CRC 16: : "CRC-16" : 16 : 8005 : 0000 : XOR : 0000 , " XOR ", , XOR CRC. , "" CRC , , . , . 32 16 DOS ( 16 32 ), , , 32 . , , Java C . . CRC 32:

        xor     ebx, ebx                ; ebx=0, table index
InitTableLoop:
        xor     eax, eax                ; eax=0
        mov     al, bl                  ; low 8 bits of ebx into low 8 bits of eax
        ; build one table entry
        xor     cx, cx                  ; bit counter
entryLoop:
        test    eax, 1
        jz      no_topbit
        shr     eax, 1
        xor     eax, poly
        jmp     entrygoon
no_topbit:
        shr     eax, 1
entrygoon:
        inc     cx
        test    cx, 8
        jz      entryLoop
        mov     dword ptr[ebx*4 + crctable], eax
        inc     bx
        test    bx, 256
        jz      InitTableLoop

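crctable 256 , CRC; eax , "" ; 8  Java C (int 32 ):

for (int bx=0; bx<256; bx++){
    unsigned int eax=0;                  // unsigned so that >> shifts in zeros (in Java use >>>=)
    eax=(eax&0xFFFFFF00)+(bx&0xFF);      // same as 'mov al,bl'
    for (int cx=0; cx<8; cx++){
        if (eax&0x1) {                   // low bit set: shift, then XOR in poly
            eax>>=1;
            eax^=poly;
        } else
            eax>>=1;
    }
    crctable[bx]=eax;
}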

CRC 32 :

computeLoop:
        xor     ebx, ebx
        xor     al, [si]                ; fold the next data byte into the low byte of the CRC
        mov     bl, al                  ; ebx = table index
        shr     eax, 8
        xor     eax, dword ptr[4*ebx+crctable]
        inc     si
        loop    computeLoop

        xor     eax, 0FFFFFFFFh         ; final XOR

'ds:si' , ; cx ( ); eax CRC; ; CRC CRC 32 FFFFFFFF; CRC XOR FFFFFFFF ( NOT).

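CRC, Java C :

for (int cx=0; cx<bufferLength; cx++){   // placeholder names: buffer, bufferLength
    int ebx=(eax^buffer[cx])&0xFF;       // xor al,[si] / mov bl,al
    eax>>=8;                             // eax unsigned (in Java use >>>=)
    eax^=crcTable[ebx];
}
eax^=0xFFFFFFFF;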

, CRC. , , . ! : CRC!

2. CRC
CRC . "" CRC, , , . , , CRC , , , (, ) . CRC :) , "" CRC . , CRC , ! . : 01234567890123456789012345678901234567890123456789012 , ( 9 26). , 4 ( 30 ) , CRC. CRC 32 9 ; , , CRC . 26 , , CRC . , , , . : 1. CRC 9 . 2. CRC 30 (, , 4 ) . 3. CRC "" , 4 ( 27 9+4=22 ), , 1, . 4. "" CRC. , , CRC "" . 4 "" . . .


CRC 16
16 CRC. , , CRC. CRC ( ), . 2 , CRC . CRC 2 ( "X" "Y"). , a1 a0, 00. 3 . "X Y". . , "a1 a0". XOR "". 1 ("X"): a0X "" (1) b1 b0 00 a1 , 00b1 a1b0 XOR : (b1) (a1b0). 2 ("Y"): (a1b0)Y "" (2) 1 0 00 b1 , 00 1 b1c0 XOR (c1) (b1c0). : a0  X =(1) b1 b0 a1  b0  Y =(2) c1 c0 b1  c0 =d0 c1 =d1 (1) (2) :). ( , ). ! d1 d0 ( CRC), ( a1 a0). 2 , , , "X" "Y" CRC? . d0 b1c0, d1 = c1. , : " b1 c0?!!!". ? c0 c0 c1, c1. . , , , , (1) (2). b1 b0, , c1 c0? b1c0=d0, b1=d0c0! , , b1, b1 b0. "X" "Y"! , ?!!!

CRC, a1b0Y=(2), Y=a1b0(2) a0X=(1), X=a0(1)


CRC 16
:  : (a1=)DEh (a0=)ADh  : (d1=)12h (d0=)34h CRC 16 (. ) , 12h. 38h, 12C0h. , , , , 256. , (2)=38, c1=12, c0=C0, b1=C034=F4, , F4h. 4Fh F441h. , (1)=4F, b1=F4, b0=41. , "X" "Y": Y=a1b0(2) =DE4138 =A7 X=a0(1) =AD+4F =E2 , CRC 16 DEAD 1234 E2 A7 ( ). , CRC, "" . , Intel ( , ). , , , , CRC 16, CRC 32.

CRC 32
CRC 32 , CRC 16. , 4 2. , . , 4 "X Y Z W", . , "a3 a2 a1 a0", "a3" , "a0" ( ) . ("X"): a0X (1) b3 b2 b1 b0 00 a3 a2 a1 00b3 a3b2 a2b1 a1b0 XOR : (b3) (a3b2) (a2b1) (a1b0) ("Y"): (a1b0)Y (2) c3 c2 c1 c0 00 b3 a3b2 a2b1 00c3 b3c2 a3b2c1 a2b1c0 XOR : (c3) (b3c2) (a3b2c1) (a2b1c0)


2. CRC ("Z"): (a2b1c0)Z (3) d3 d2 d1 d0 00 c3 b3c2 a3b2c1 00d3 c3d2 b3c2d1 a3b2c1d0 XOR : (d3) (c3d2) (b3c2d1) (a3b2c1d0) ("W"): (a3b2c1d0)W (4) e3 e2 e1 e0 00 d3 c3d2 b3c2d1 00e3 d3e2 c3d2e1 b3c2d1e0 XOR : (e3) (d3e2) (c3d2e1) (b3c2d1e0) : a0  X =(1) a1  b0  Y =(2) a2  b1  c0  Z =(3) a3  b2  c1  d0  W =(4) b3  c2  d1  e0 =f0 c3  d2  e1 =f1 d3  e2 =f2 e3 =f3 (1) (2) (3) (4) ( 4)

b3 c3 d3 e4

b2 c2 d2 e3

b1 c1 d1 e2

b0 c0 d0 e1

, 16 . . CRC 32 . , CRC (a3 a2 a1 a0) "AB CD EF 66". (f3 f2 f1 f0) "56 33 14 78". : e3=f3 =56 -> 35h=(4) 56B3C423 (e3 e2 e1 e0) d3=f2e2 =33B3 =E6 -> 4Fh=(3) E6635C01 (d3 d2 d1 d0) c3=f1e1d2 =14C463 =B3 -> F8h=(2) B3667A2E (c3 c2 c1 c0) b3=f0e0d1c2 =78235C66 =61 -> DEh=(1) 616BFFD3 (b3 b2 b1 b0) , , : X=(1) a0 = DE66 = B8 Y=(2) b0a1 = F8D3EF = C4 Z=(3) c0b1a2 = 4F2EFFCD = 53 W=(4) d0c1b2a3 = 35017A6BAB = 8E : CRC 32 "ABCDEF66" "56331478" "B8 C4 53 8E".


CRC 32
CRC "a3 a2 a1 a0" "f3 f2 f1 f0", . : X = (1) Y = (2) Z = (3) W = (4) f0 = e0 f1 = e1 f2 = e2 f3 = e3 ( 5)        a0 b0  a1 c0  b1  a2 d0  c1  b2  a3 d1  c2  b3 d2  c3 d3 0 1 2 3 4 5 6 7

4, , , , . 8 , 5. 0 3 a0-a3, 4 7 f0-f3. , e3, f3, CRC, XOR , 4 ( 5). d3 "f3 f2 f1 f0" XOR "e3 e2 e1 e0", f2e2=d3. , (4) ( e3 e2 e1 e0), XOR 3. d3, d3 d2 d1 d0, XOR, , 3 ( !). d3 d2 d1 d0 ( (3)) 2. 5 c3, "f1e1d2=c3". XOR b3 b2 b1 b0 1. ! 0 3 X W! : 1. 8 0 3 a0-a3 ( CRC), 4 7 f0-f3 ( CRC, ). 2. 7 . 3. (dword) XOR , 4. 4. , , XOR 3. 5. 2 4, 1.



. CRC 32 ( CRC). , Intel .

crcBefore       dd (?)
wantedCrc       dd (?)
buffer          db 8 dup (?)

        mov     eax, dword ptr[crcBefore]       ;/*
        mov     dword ptr[buffer], eax
        mov     eax, dword ptr[wantedCrc]       ; step 1
        mov     dword ptr[buffer+4], eax        ;*/

        mov     di, 4
computeReverseLoop:
        mov     al, byte ptr[buffer+di+3]       ;/*
        call    GetTableEntry                   ; step 2 */
        xor     dword ptr[buffer+di], eax       ; step 3
        xor     byte ptr[buffer+di-1], bl       ; step 4
        dec     di                              ;/*
        jnz     computeReverseLoop              ; step 5 */

: eax, di bx.

GetTableEntry

crctable        dd 256 dup (?)          ; CRC-32 table, must be initialised before use

GetTableEntry:
        mov     bx, offset crctable-1
getTableEntryLoop:
        add     bx, 4                   ; bx -> top byte of an entry: (crctable-1)+k*4 (k:1..256)
        cmp     [bx], al                ; compare the entry's top byte with al
        jne     getTableEntryLoop
        sub     bx, 3                   ; back to the start of the entry
        mov     eax, [bx]
        sub     bx, offset crctable
        shr     bx, 2                   ; byte offset -> entry number
        ret

eax , bx .

. , , CRC " ", . CRC . CRC , CRC, .


2 , . , , , . Douby/DREAD Knotty Dread , . CRC 32 http://surf.to/anarchriz > Programming > Projects (, , , , ). DREAD http://dread99.cjb.net. , anarchriz@hotmail.com, EFnet (IRC) #DreaD, #Win32asm, #C.I.A #Cracking4Newbies ( ). CYA ALL! Anarchriz "The system makes its morons, then despises them for their ineptitude, and rewards its 'gifted few' for their rarity." Colin Ward (" , , ." .)

CRC 16 Table

CRC 32 Table

"A painless guide to CRC error detection algorithm" ftp://ftp.adelaide.edu.au/pub/rocksoft/crc_v3.txt (, " " , "" ;) , , CRC 32. CRC??? "CRC.ZIP" "CRC.EXE", ftpsearch (http://ftpsearch.lycos.com?form=advanced) Copyright (c) 1998,1999 by Anarchriz ( :)

: http://dore.on.ru : Sergey R.

. : ftp://www.internode.net.au/clients/rocksoft/papers/crc_v3.txt
