CRC32 Parameters Reverse Engineering having access to multiple examples
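I have to figure out how to reproduce the CRC32 algorithm used on a proprietary database file, which consists of many "chunks" of 128 bytes, each of which is a record. I know that for each record, bytes 1-4 are the CRC32 checksum, and the next 35 bytes appear to be irrelevant, since I can easily change them without the application telling me that the CRC check failed. I would therefore like to find the polynomial and other parameters used to calculate the latter. Below is an example.
Text version: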
00 27 AE 3B 9F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 08 41 41 41 41 41 41 41 41
19 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
If we take only the bytes that we cannot change without breaking the record, we get this:
41 08 41 41 41 41 41 41 41 41 19 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 42 42 42 42 42 42 42 42 42 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00
The CRC32 of the above is 27 AE 3B 9F
Real Record Example 1.1, which differs from the one above by only one byte (CRC is BC D4 84 FB):
41 08 41 41 41 41 41 41 41 41 19 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 42 42 42 42 42 42 42 42 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Real Record Example 2 (output CRC is 3B 6A D1 AF):
41 07 41 41 41 41 41 41 41 00 19 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 42 42 42 42 42 42 42 42 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Real Record Example 3 (output CRC is 0B 54 CC 09):
41 01 31 00 00 00 00 00 00 00 03 41 73 61 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Real Record Example 4 (output CRC is 12 91 EA 8E):
41 B4 A8 D0 02 46 00 B4 A8 00 03 52 4D 31 03 53 54 50 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 00 00 00
00 00 A3 05 00 00 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64
00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Real Record Example 5 (output CRC is 8A 68 00 3B):
41 B4 A8 D0 02 46 00 B4 A8 01 03 52 4D 31 03 53 54 50 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 00 00 00
00 00 A3 05 00 00 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64
00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
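The last two records differ by only one byte. Using the method specified by @rcgldr, I was able to obtain a final XOR value of 0x9902539d, and I can successfully change the data without the application complaining. I ran some code that finds these final XOR values for every entity/file in the application, and it succeeded on all of them, but being able to find a single set of CRC parameters would be a nice addition.
Edit: added two more example records
Edit 2: added an example that differs from the first by only one byte
Edit 3: added two more examples of a different size, since they come from another record type in the application. Also removed part of the question, since it had become irrelevant
XORing 1.0 and 1.1 gives: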
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
XORing the two crcs gives
9b 7a bf 64
Assuming the stored crc is "little endian", the calculated crc is
0x64bf7a9b
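By XORing the two records, the initial value and the final xor value are cancelled out by the xor, which allows the crc polynomial to be determined from the data alone, assuming initial value = 0 and final xor value = 0. Using this, I tried some common crc polynomials and determined that the crc polynomial is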
0x104C11DB7 or ignoring the msb: 0x04C11DB7
Using the website you linked to in the comments:
http://www.sunshine2k.de/coding/javascript/crc/crc_js.html
The parameters are:
crc32
custom
input: not reflected
result: not reflected
polynomial: 0x04C11DB7
initial value: 0x0
final xor value: 0x0
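If the data size is always the same, the crc can be adjusted to match the actual crcs shown in the examples using an initial value, a final xor value, or a combination of both, but using a final xor to match the examples is the simplest, since it only requires calculating a crc for one of the examples assuming initial value = 0 and final xor value = 0, then XORing the calculated crc with the actual crc from the example to get the final xor value for data of that specific length.
So for the data size in the first examples, a final xor value of 0x189B52BC will generate a crc that matches the examples. These are the parameters for the crc calculator.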
crc32
custom
input: not reflected
result: not reflected
polynomial: 0x04C11DB7
initial value: 0x0
final xor value: 0x189B52BC
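These parameters match all of the first examples you posted. Note again that the crc is stored "little endian", most significant byte first.
If the data size is variable, then an initial value is needed (and possibly both an initial value and a final xor value). Once the polynomial is known, a "reverse" CRC can be performed to find the initial value, or a brute force search can be used. I did a brute force search for the initial value using a fast crc calculator (since I don't yet have a "reverse" CRC program), and it appears to work for any data size, at least based on the new examples you added. These parameters work for all of the examples above, including the new ones you added: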
crc32
custom
input: not reflected
result: not reflected
polynomial: 0x04C11DB7
initial value: 0xc704dd7b
final xor value: 0x0
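The initial value of 0xc704dd7b is the crc generated for a data pattern of {ff ff ff ff} with initial value = 0 and final xor value = 0, which is equivalent to prefixing the data with {ff ff ff }.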
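The steps in the answer above, as an added Python example that is not part of the original question or answer: it finds the polynomial from the XOR of records 1.0 and 1.1, derives the fixed-length final xor value, and runs the CRC register backwards (the "reverse" CRC the answer mentions) to get the initial value. The function names and the candidate polynomial list are assumptions of this example; the record bytes and stored CRCs are the ones quoted in the question.

```python
# Added example: recover CRC-32 parameters from records 1.0 and 1.1 of the question.
MASK = 0xFFFFFFFF
# Candidate list is an assumption of this example (common 32-bit polynomials).
CANDIDATES = {"CRC-32": 0x04C11DB7, "CRC-32C": 0x1EDC6F41,
              "CRC-32K": 0x741B8D97, "CRC-32Q": 0x814141AB}

def crc32_msb(data, poly=0x04C11DB7, init=0, xorout=0):
    """Bitwise CRC-32, input and result not reflected (MSB first)."""
    reg = init
    for byte in data:
        reg ^= byte << 24
        for _ in range(8):
            top = reg & 0x80000000
            reg = (reg << 1) & MASK
            if top:
                reg ^= poly
    return reg ^ xorout

def find_poly(rec_a, crc_a, rec_b, crc_b):
    """Equal-length records: init and xorout cancel in the XOR, leaving only poly."""
    diff = bytes(x ^ y for x, y in zip(rec_a, rec_b))
    return [n for n, p in CANDIDATES.items() if crc32_msb(diff, p) == crc_a ^ crc_b]

def recover_init(data, stored_crc, poly=0x04C11DB7, xorout=0):
    """'Reverse' CRC: run the register backwards from the stored CRC to the start."""
    reg = stored_crc ^ xorout
    for byte in reversed(data):
        for _ in range(8):
            # poly has bit 0 set, so bit 0 of reg shows whether poly was XORed in
            reg = ((reg ^ poly) >> 1) | 0x80000000 if reg & 1 else reg >> 1
        reg ^= byte << 24
    return reg

def record(last):
    """The 88 checked bytes of record 1.0 (last=0x42) or 1.1 (last=0x43)."""
    body = b"\x41\x08" + b"\x41" * 8 + b"\x19" + b"\x42" * 24 + bytes([last])
    return body + bytes(88 - len(body))

def stored(hex_bytes):
    """CRC field as it appears in the file, read as little endian."""
    return int.from_bytes(bytes.fromhex(hex_bytes), "little")

REC_A, CRC_A = record(0x42), stored("27 AE 3B 9F")
REC_B, CRC_B = record(0x43), stored("BC D4 84 FB")

if __name__ == "__main__":
    print("polynomial:", find_poly(REC_A, CRC_A, REC_B, CRC_B))
    print("xorout for 88-byte records, init=0: %#010x" % (crc32_msb(REC_A) ^ CRC_A))
    print("init for xorout=0: %#010x" % recover_init(REC_A, CRC_A))
```

Only non-reflected candidates are tried, matching the answer's conclusion; a fuller search would also try each polynomial in reflected form and the stored CRC in both byte orders.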