Tuesday, June 7, 2022

------------

I no longer have a Windows environment here either, so all I could do was find a few articles online and read through them.

Even in 2019 there were still people working on this. Where a decade or so ago it went through the FireWire interface, now it goes through PCI-E. I haven't looked closely yet; roughly, it seems to use a PCI-E FPGA development board, which is plugged in and then searches memory.


The good news is that Win10's authentication system is basically unchanged from XP; msv1_0.dll is still there.

https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package


The core function in the end is still MsvpPasswordValidate. I have no environment of my own here, so I'm going by the screenshots in the article.

https://www.synacktiv.com/en/publications/practical-dma-attack-on-windows-10.html


The final comparison of the RC4 hash is done with RtlCompareMemory.

I had a friend help me dump a copy of the disassembly with `u`.

0:003> uf RtlCompareMemory
ntdll!RtlCompareMemory:
76ff6970 56 push esi
76ff6971 57 push edi
76ff6972 fc cld
76ff6973 8b74240c mov esi,dword ptr [esp+0Ch]
76ff6977 8b7c2410 mov edi,dword ptr [esp+10h]
76ff697b 8b4c2414 mov ecx,dword ptr [esp+14h]
76ff697f c1e902 shr ecx,2
76ff6982 7404 je ntdll!RtlCompareMemory+0x18 (76ff6988)

ntdll!RtlCompareMemory+0x14:
76ff6984 f3a7 repe cmps dword ptr [esi],dword ptr es:[edi]
76ff6986 7516 jne ntdll!RtlCompareMemory+0x2e (76ff699e)

ntdll!RtlCompareMemory+0x18:
76ff6988 8b4c2414 mov ecx,dword ptr [esp+14h]
76ff698c 83e103 and ecx,3
76ff698f 7404 je ntdll!RtlCompareMemory+0x25 (76ff6995)

ntdll!RtlCompareMemory+0x21:
76ff6991 f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]
76ff6993 7516 jne ntdll!RtlCompareMemory+0x3b (76ff69ab)

ntdll!RtlCompareMemory+0x25:
76ff6995 8b442414 mov eax,dword ptr [esp+14h]
76ff6999 5f pop edi
76ff699a 5e pop esi
76ff699b c20c00 ret 0Ch

ntdll!RtlCompareMemory+0x2e:
76ff699e 83ee04 sub esi,4
76ff69a1 83ef04 sub edi,4
76ff69a4 b904000000 mov ecx,4
76ff69a9 f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]

ntdll!RtlCompareMemory+0x3b:
76ff69ab 4e dec esi
76ff69ac 2b74240c sub esi,dword ptr [esp+0Ch]
76ff69b0 8bc6 mov eax,esi
76ff69b2 5f pop edi
76ff69b3 5e          


If the length of the memory being compared is a multiple of 4 bytes, it takes the code path marked in red.

The RC4 hash is 16 bytes, and this is a 32-bit system.

So what needs to be dealt with is `repe cmps byte ptr [esi],byte ptr es:[edi]`.

For example, the RC4 hash of the password 123 is

97e6bd3d a79016d7 eb4b2069 78362812 


repe should be a prefix; first let's look at how QEMU TCG handles it.


The 64-bit RtlCompareMemory

0:000> uf RtlCompareMemory
ntdll!RtlCompareMemory:
00007ff9`1cbb06f0 57              push    rdi
00007ff9`1cbb06f1 56              push    rsi
00007ff9`1cbb06f2 488bf1          mov     rsi,rcx
00007ff9`1cbb06f5 488bfa          mov     rdi,rdx
00007ff9`1cbb06f8 33d1            xor     edx,ecx
00007ff9`1cbb06fa 83e207          and     edx,7
00007ff9`1cbb06fd 7553            jne     ntdll!RtlCompareMemory+0x62 (00007ff9`1cbb0752)

ntdll!RtlCompareMemory+0xf:
00007ff9`1cbb06ff 4983f808        cmp     r8,8
00007ff9`1cbb0703 724d            jb      ntdll!RtlCompareMemory+0x62 (00007ff9`1cbb0752)

ntdll!RtlCompareMemory+0x15:
00007ff9`1cbb0705 4c8bcf          mov     r9,rdi
00007ff9`1cbb0708 f7d9            neg     ecx
00007ff9`1cbb070a 83e107          and     ecx,7
00007ff9`1cbb070d 7407            je      ntdll!RtlCompareMemory+0x26 (00007ff9`1cbb0716)

ntdll!RtlCompareMemory+0x1f:
00007ff9`1cbb070f 4c2bc1          sub     r8,rcx
00007ff9`1cbb0712 f3a6            repe cmps byte ptr [rsi],byte ptr [rdi]
00007ff9`1cbb0714 7530            jne     ntdll!RtlCompareMemory+0x56 (00007ff9`1cbb0746)

ntdll!RtlCompareMemory+0x26:
00007ff9`1cbb0716 498bc8          mov     rcx,r8
00007ff9`1cbb0719 4883e1f8        and     rcx,0FFFFFFFFFFFFFFF8h
00007ff9`1cbb071d 741b            je      ntdll!RtlCompareMemory+0x4a (00007ff9`1cbb073a)

ntdll!RtlCompareMemory+0x2f:
00007ff9`1cbb071f 4c2bc1          sub     r8,rcx
00007ff9`1cbb0722 48c1e903        shr     rcx,3
00007ff9`1cbb0726 f348a7          repe cmps qword ptr [rsi],qword ptr [rdi]
00007ff9`1cbb0729 740f            je      ntdll!RtlCompareMemory+0x4a (00007ff9`1cbb073a)

ntdll!RtlCompareMemory+0x3b:
00007ff9`1cbb072b 48ffc1          inc     rcx
00007ff9`1cbb072e 4883ee08        sub     rsi,8
00007ff9`1cbb0732 4883ef08        sub     rdi,8
00007ff9`1cbb0736 48c1e103        shl     rcx,3

ntdll!RtlCompareMemory+0x4a:
00007ff9`1cbb073a 4c03c1          add     r8,rcx
00007ff9`1cbb073d 740a            je      ntdll!RtlCompareMemory+0x59 (00007ff9`1cbb0749)

ntdll!RtlCompareMemory+0x4f:
00007ff9`1cbb073f 498bc8          mov     rcx,r8
00007ff9`1cbb0742 f3a6            repe cmps byte ptr [rsi],byte ptr [rdi]
00007ff9`1cbb0744 7403            je      ntdll!RtlCompareMemory+0x59 (00007ff9`1cbb0749)

ntdll!RtlCompareMemory+0x56:
00007ff9`1cbb0746 48ffcf          dec     rdi

ntdll!RtlCompareMemory+0x59:
00007ff9`1cbb0749 492bf9          sub     rdi,r9
00007ff9`1cbb074c 488bc7          mov     rax,rdi
00007ff9`1cbb074f 5e              pop     rsi
00007ff9`1cbb0750 5f              pop     rdi
00007ff9`1cbb0751 c3              ret

ntdll!RtlCompareMemory+0x62:
00007ff9`1cbb0752 4d85c0          test    r8,r8
00007ff9`1cbb0755 740d            je      ntdll!RtlCompareMemory+0x74 (00007ff9`1cbb0764)

ntdll!RtlCompareMemory+0x67:
00007ff9`1cbb0757 498bc8          mov     rcx,r8
00007ff9`1cbb075a f3a6            repe cmps byte ptr [rsi],byte ptr [rdi]
00007ff9`1cbb075c 7406            je      ntdll!RtlCompareMemory+0x74 (00007ff9`1cbb0764)

ntdll!RtlCompareMemory+0x6e:
00007ff9`1cbb075e 48ffc1          inc     rcx
00007ff9`1cbb0761 4c2bc1          sub     r8,rcx

ntdll!RtlCompareMemory+0x74:
00007ff9`1cbb0764 498bc0          mov     rax,r8
00007ff9`1cbb0767 5e              pop     rsi
00007ff9`1cbb0768 5f              pop     rdi
00007ff9`1cbb0769 c3              ret
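To make the two listings above easier to follow, here is an added C model of what each one computes. It is not code from the post, from ntdll or from Microsoft; it reproduces the control flow of the disassembly (dword/qword compare first, then a byte-wise rescan on mismatch) and returns what RtlCompareMemory returns: the number of leading bytes that are equal. A caller that wants "all bytes equal" therefore has to compare the result against the length it passed in. The 16-byte sample value is the one the post gives for the password 123, taken as four little-endian dwords; that mapping, and the offsets and corruption positions in the self-check, are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reference: plain byte-by-byte count of the leading equal bytes. */
static size_t leading_match(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t i = 0;
    while (i < len && a[i] == b[i])
        i++;
    return i;
}

/* Model of the 32-bit ntdll!RtlCompareMemory listing: len/4 dwords via
 * repe cmpsd, then len%4 bytes via repe cmpsb. On a dword mismatch the
 * code at +0x2e backs up 4 bytes and re-scans byte-wise, so the return
 * value is always the index of the first differing byte. */
size_t rtl_compare_memory32(const void *s1, const void *s2, size_t len)
{
    const uint8_t *a = s1, *b = s2;
    size_t i = 0;
    for (size_t n = len >> 2; n; n--, i += 4) {      /* +0x14: repe cmpsd */
        uint32_t wa, wb;
        memcpy(&wa, a + i, 4);
        memcpy(&wb, b + i, 4);
        if (wa != wb) {                                /* +0x2e: rescan bytes */
            while (a[i] == b[i])
                i++;
            return i;                                  /* +0x3b: esi - src1 */
        }
    }
    for (size_t n = len & 3; n; n--, i++)              /* +0x21: repe cmpsb */
        if (a[i] != b[i])
            return i;
    return len;                                        /* +0x25: all equal */
}

/* Model of the 64-bit listing. +0x8 sends pointers that differ in alignment
 * mod 8, or lengths below 8, down the pure byte path at +0x62; otherwise
 * +0x15 byte-compares up to 7 bytes to align s1, +0x2f compares qwords, and
 * +0x4f finishes the tail (and rescans a mismatching qword) byte-wise.
 * Same contract: number of leading equal bytes. */
size_t rtl_compare_memory64(const void *s1, const void *s2, size_t len)
{
    const uint8_t *a = s1, *b = s2;
    size_t i = 0;
    if ((((uintptr_t)a ^ (uintptr_t)b) & 7) || len < 8)
        return leading_match(a, b, len);               /* +0x62 byte path */
    size_t head = (size_t)(-(uintptr_t)a) & 7;         /* +0x15: neg ecx; and ecx,7 */
    for (; i < head; i++)
        if (a[i] != b[i])
            return i;                                  /* +0x56/+0x59 */
    size_t mid = (len - head) & ~(size_t)7;            /* +0x26: and rcx,~7 */
    for (size_t n = mid >> 3; n; n--, i += 8) {        /* +0x2f: repe cmpsq */
        uint64_t wa, wb;
        memcpy(&wa, a + i, 8);
        memcpy(&wb, b + i, 8);
        if (wa != wb)
            break;                                     /* +0x3b: back up one qword */
    }
    for (; i < len; i++)                               /* +0x4f: repe cmpsb */
        if (a[i] != b[i])
            return i;
    return len;
}

/* Constructed input: the 16-byte value the post shows for the password
 * "123", taken as four little-endian dwords (an assumption about how the
 * dd-style output maps to memory; any 16 bytes would serve here). */
static const uint32_t HASH_DWORDS[4] = {0x97e6bd3d, 0xa79016d7, 0xeb4b2069, 0x78362812};

/* The post's case: a 16-byte hash on the 32-bit build, with byte 9 of the
 * second buffer corrupted. Dwords 0-1 match, so the dword loop fails on
 * dword 2 and the byte rescan reports index 9. */
size_t demo_hash_mismatch(void)
{
    uint8_t a[16], b[16];
    memcpy(a, HASH_DWORDS, 16);
    memcpy(b, a, 16);
    b[9] ^= 0x01;
    return rtl_compare_memory32(a, b, 16);
}

/* Exhaustive self-check: every length up to 40, every pointer offset mod 8
 * on both sides, every mismatch position. Returns 1 if both models agree
 * with the reference everywhere, 0 otherwise. */
int models_agree(void)
{
    uint8_t base[64], other[64];
    for (size_t k = 0; k < sizeof base; k++)
        base[k] = (uint8_t)(k * 37 + 11);
    memcpy(base, HASH_DWORDS, 16);
    for (size_t len = 0; len <= 40; len++)
        for (size_t off1 = 0; off1 < 8; off1++)
            for (size_t off2 = 0; off2 < 8; off2++)
                for (size_t pos = 0; pos <= len; pos++) {
                    memcpy(other + off2, base + off1, len);
                    if (pos < len)
                        other[off2 + pos] ^= 0x5a;     /* pos == len: no mismatch */
                    size_t want = leading_match(base + off1, other + off2, len);
                    if (want != pos) return 0;
                    if (rtl_compare_memory32(base + off1, other + off2, len) != want) return 0;
                    if (rtl_compare_memory64(base + off1, other + off2, len) != want) return 0;
                }
    return 1;
}

int main(void)
{
    printf("identical 16 bytes -> %zu\n", rtl_compare_memory32(HASH_DWORDS, HASH_DWORDS, 16));
    printf("byte 9 corrupted   -> %zu\n", demo_hash_mismatch());
    printf("models agree with reference: %s\n", models_agree() ? "yes" : "no");
    return 0;
}
```

The self-check is what makes the model worth having: it confirms that the alignment prologue of the 64-bit build and the dword-then-byte structure of the 32-bit build are only performance paths, and that both collapse to the same observable result as the trivial byte loop, which is what a caller such as the password check relies on.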

Sunday, June 5, 2022

Installing Debian on the Loongson 8089d

https://mirrors.cloud.tencent.com/loongson/install/

This is about the only place where a Debian ISO that works on the Loongson 8089d can still be found.

I tried several; loongson2_debian6_20111010.tar.lzma is the one that works best.

Just put it in the root directory of a USB stick, press Tab at boot and restore the installation. Download vmlinux as well and put it in the root directory.

Network configuration works too; Wi-Fi is usable, and the graphical interface is GNOME.

GNOME is too slow, so I switched to i3, which makes it just about usable.


The package sources are the ones given at the link below; they still work, it's just that the signing-key problem never gets resolved.

Only apt-get update fails; installing packages is fine.

https://www.jianshu.com/p/5cdb7fb4b6a8