本帖最后由 Terrorblade 于 2015-8-20 01:10 编辑
0x00 前言 终于摆脱了冗余的java,来到了与ARM汇编正面交锋的第二题,验证代码在libclacSn.so文件的Java_com_ucweb_crackme140522_MainActivity_clacSnFuntion中,这里不得不说一句,计算的英文单词是calculate,能把calc写成clac,还有就是Function,这也能写成Funtion ,一个大公司,如此不严谨,看着也是有点醉了……
0x01 so调试前奏 1.以调试模式启动程序,命令: am start -D -n com.ucweb.crackme140522/.MainActivity 图1.启动程序
2.启动android_server,这个文件在ida的dbgsrv文件夹中,需要上传到avd中,这里不多说,这些细节那两篇绝对说过的,命令: /data/local/tmp/android_server
图2.已经在监听23946端口了
3.启动ddms,就是sdk目录中的ddms.bat
图3.启动ddms
4.端口转发,另外启动一个cmd,执行命令:
图4.端口转发
5.此时可以启动ida了,debugger->attach ->remote arm linux /android debugger, 然后:
图5. 勾上3项
6.选中要调试的进程后,千万记得在debugger->debugger options中再次选中,那3项:
图6.再次选中3项
7.回到cmd,输入jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700,回车
8.然后在ida中F9,接着就是选择本地文件映射:
图7.选择映射
9.计算出Java_com_ucweb_crackme140522_MainActivity_clacSnFuntion的地址,F2,再F9运行,期间会出现一个不相关的so文件,cancel就是了
0x02 算法 因为已经调试过了,所以我站在一个已知者角度调试,不多废话,看到起始处,F7进去 0000267C018 BL loc_21B4 ; 起始处
然后直接F4到loc_23E8:
libclacSn.so:AD9F83E8loc_AD9F83E8
libclacSn.so:AD9F83E8LDRB R2, [R6,R3]
libclacSn.so:AD9F83ECLDRB R1, [R10,R3]
libclacSn.so:AD9F83F0EOR R2, R1, R2
libclacSn.so:AD9F83F4STRB R2, [R6,R3]
libclacSn.so:AD9F83F8ADD R3, R3, #1
libclacSn.so:AD9F83FCCMP R3, R4
libclacSn.so:AD9F8400BNE loc_AD9F83E8
F4到loc_2404,此时先看看R6的计算结果:
[heap]:B89C69D8DCB 0x64
[heap]:B89C69D9DCB 0x55
[heap]:B89C69DADCB 0x42
[heap]:B89C69DBDCB 0x42
[heap]:B89C69DCDCB 0x5F
[heap]:B89C69DDDCB 0x42
[heap]:B89C69DEDCB 0x52
[heap]:B89C69DFDCB 0x5C
[heap]:B89C69E0DCB 0x51
[heap]:B89C69E1DCB 0x54
[heap]:B89C69E2DCB 0x55
[heap]:B89C69E3DCB 0x30
[heap]:B89C69E4DCB 0x30
[heap]:B89C69E5DCB 0x30
[heap]:B89C69E6DCB 0x30
这里只有15位,后面会有0x80补全16位!
看loc_2404代码:
libclacSn.so:AD9F8404loc_AD9F8404
libclacSn.so:AD9F8404MOV R0, R9
libclacSn.so:AD9F8408BLX R11
libclacSn.so:AD9F840CLDR R3, [ SP ,#0x50]
libclacSn.so:AD9F8410LDR R0, =0x66666667
libclacSn.so:AD9F8414ADD R4, SP , #0x1AC
libclacSn.so:AD9F8418MOV R2, R3,ASR # 31
libclacSn.so:AD9F841CSMULL R12, R1, R0, R3
libclacSn.so:AD9F8420LDR R0, [R6]
libclacSn.so:AD9F8424RSB R2, R2, R1,ASR # 3
libclacSn.so:AD9F8428LDR R1, [ SP ,#0x10]
libclacSn.so:AD9F842CMOV R3, #0
libclacSn.so:AD9F8430ADD R12, R4, #4
libclacSn.so:AD9F8434STR R3, [R12],#4
libclacSn.so:AD9F8438STR R3, [R12],#4
libclacSn.so:AD9F843CEOR LR, R2, R1
libclacSn.so:AD9F8440EOR LR, R0, LR
libclacSn.so:AD9F8444STR R3, [R12],#4
libclacSn.so:AD9F8448STR LR, [R6]
libclacSn.so:AD9F844CSTR R3, [R12]
libclacSn.so:AD9F8450LDR R12, =0x67452301
libclacSn.so:AD9F8454ADD R5, SP , #0x154
libclacSn.so:AD9F8458LDR R2, [ SP ,#0x14]
libclacSn.so:AD9F845CSTR R12, [ SP ,#0x154]
libclacSn.so:AD9F8460ADD R12, R12,#0x88000000
libclacSn.so:AD9F8464ADD R12, R12, #0x880000
libclacSn.so:AD9F8468ADD R12, R12, #0x8800
libclacSn.so:AD9F846CADD R12, R12, #0x88
libclacSn.so:AD9F8470STR R12, [ SP ,#0x158]
libclacSn.so:AD9F8474LDR R12, =0x98BADCFE
libclacSn.so:AD9F8478MOV R0, R5
libclacSn.so:AD9F847CMOV R1, R6
libclacSn.so:AD9F8480STR R12, [ SP ,#0x15C]
libclacSn.so:AD9F8484LDR R12, =0x10325476
libclacSn.so:AD9F8488ADD R10, SP , #0x1D4
libclacSn.so:AD9F848CSTR R3, [ SP ,#0x164]
libclacSn.so:AD9F8490STR R12, [ SP ,#0x160]
libclacSn.so:AD9F8494STR R3, [ SP ,#0x1AC]
libclacSn.so:AD9F8498STR R3, [ SP ,#0x168]
libclacSn.so:AD9F849CBL unk_AD9F7B78
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F849C
libclacSn.so:AD9F84A0MOV R0, R10
libclacSn.so:AD9F84A4ADD R1, R5, #0x10
libclacSn.so:AD9F84A8MOV R2, #8
libclacSn.so:AD9F84ACBL unk_AD9F7C64
libclacSn.so:AD9F84B0LDR R2, [ SP ,#0x164]
libclacSn.so:AD9F84B4LDR R3, =0x4A70
libclacSn.so:AD9F84B8MOV R0, R5
libclacSn.so:AD9F84BCMOV R2, R2,LSR # 3
libclacSn.so:AD9F84C0AND R2, R2, #0x3F
libclacSn.so:AD9F84C4ADD R3, PC, R3
libclacSn.so:AD9F84C8CMP R2, #0x37
libclacSn.so:AD9F84CCSUB R3, R3, #0xFF0
libclacSn.so:AD9F84D0SUB R1, R3, #8
libclacSn.so:AD9F84D4RSBLS R2, R2, #0x38
libclacSn.so:AD9F84D8RSBHI R2, R2, #0x78
libclacSn.so:AD9F84DCBL unk_AD9F7B78
libclacSn.so:AD9F84E0MOV R0, R5
libclacSn.so:AD9F84E4MOV R1, R10
libclacSn.so:AD9F84E8MOV R2, #8
libclacSn.so:AD9F84ECBL unk_AD9F7B78
libclacSn.so:AD9F84F0MOV R2, #0x10
libclacSn.so:AD9F84F4MOV R0, R4
libclacSn.so:AD9F84F8MOV R1, R5
libclacSn.so:AD9F84FCBL unk_AD9F7C64
libclacSn.so:AD9F8500ADD R2, R5, #0x58
libclacSn.so:AD9F8504MOV R3, #0
F7进入loc_1B78之后,直接F4来到loc_1BF0,这里是算法所在:
libclacSn.so:AD9F712CLDRB R7, [R1,#2]
libclacSn.so:AD9F7130LDRB R8, [R1,#1]
libclacSn.so:AD9F7134LDRB R6, [R1]
libclacSn.so:AD9F7138LDRB R5, [R1,#3]
libclacSn.so:AD9F713CMOV R7, R7, LSL # 16
libclacSn.so:AD9F7140ORR R7, R7, R8, LSL # 8
libclacSn.so:AD9F7144ORR R6, R7, R6
libclacSn.so:AD9F7148ADD R1, R1, #4
libclacSn.so:AD9F714CORR R5, R6, R5, LSL # 24
libclacSn.so:AD9F7150CMP R1, R10
libclacSn.so:AD9F7154STR R5, [R4],#4
libclacSn.so:AD9F7158BNE loc_AD9F712C
libclacSn.so:AD9F715CLDR R7, [ SP ,#0x18]
libclacSn.so:AD9F7160LDR R6, [ SP ,#0xC]
libclacSn.so:AD9F7164LDR R1, =0xD76AA478
libclacSn.so:AD9F7168LDR R8, [ SP ,#0x10]
libclacSn.so:AD9F716CBIC R5, R6, R3
libclacSn.so:AD9F7170AND R4, R2, R3
libclacSn.so:AD9F7174ADD R1, R7, R1
libclacSn.so:AD9F7178ADD R1, R1, R8
libclacSn.so:AD9F717CLDR R9, [ SP ,#0x1C]
libclacSn.so:AD9F7180ORR R4, R5, R4
libclacSn.so:AD9F7184LDR R5, =0xE8C7B756
libclacSn.so:AD9F7188LDR R10, [ SP ,#0xC]
libclacSn.so:AD9F718CADD R4, R1, R4
libclacSn.so:AD9F7190ADD R4, R3, R4, ROR # 25
libclacSn.so:AD9F7194BIC R6, R2, R4
libclacSn.so:AD9F7198AND R1, R4, R3
libclacSn.so:AD9F719CADD R5, R9, R5
libclacSn.so:AD9F71A0ADD R5, R5, R10
libclacSn.so:AD9F71A4LDR R11, [ SP ,#0x20]
libclacSn.so:AD9F71A8ORR R1, R6, R1
libclacSn.so:AD9F71ACLDR R8, =0x242070DB
libclacSn.so:AD9F71B0ADD R1, R5, R1
libclacSn.so:AD9F71B4ADD R1, R4, R1, ROR # 20
libclacSn.so:AD9F71B8AND R5, R1, R4
libclacSn.so:AD9F71BCBIC R6, R3, R1
libclacSn.so:AD9F71C0ADD R8, R11, R8
libclacSn.so:AD9F71C4ADD R8, R8, R2
libclacSn.so:AD9F71C8ORR R6, R6, R5
libclacSn.so:AD9F71CCADD R6, R8, R6
libclacSn.so:AD9F71D0LDR R5, =0xC1BDCEEE
libclacSn.so:AD9F71D4LDR R8, [ SP ,#0x24]
.
.
.
中间是个汉诺塔计算过程,最终计算结果会保存在r6,r2,r3,r4,所以去到下面代码,待会再回头分析这里。(注:loc_2404 中写入的初始值 0x67452301、0x98BADCFE、0x10325476,以及这里加上的 0xD76AA478、0xE8C7B756、0x242070DB、0xC1BDCEEE 等常量,都是标准 MD5 的初始向量和轮常量,这段就是 MD5 的压缩函数,算完后把四个状态字存回 R0 指向的 16 字节。)
.
.
.
libclacSn.so:AD9F7A80STR R6, [R0,#0xC]
libclacSn.so:AD9F7A84STR R3, [R0,#4]
libclacSn.so:AD9F7A88STR R2, [R0,#8]
libclacSn.so:AD9F7A8CSTR R4, [R0]
libclacSn.so:AD9F7A90ADD R2, R12, #0x40
libclacSn.so:AD9F7A94MOV R3, #0
存储后,R0的内容:
[stack]:BEE8D454DCB 0xB2
[stack]:BEE8D455DCB 0x52
[stack]:BEE8D456DCB 0x7A
[stack]:BEE8D457DCB 0x16
[stack]:BEE8D458DCB 0
[stack]:BEE8D459DCB 0xD5
[stack]:BEE8D45ADCB 0x8A
[stack]:BEE8D45BDCB 0x99
[stack]:BEE8D45CDCB 0x5F
[stack]:BEE8D45DDCB 0x21
[stack]:BEE8D45EDCB 0x1C
[stack]:BEE8D45FDCB 0x96
[stack]:BEE8D460DCB 0xA2
[stack]:BEE8D461DCB 0x48
[stack]:BEE8D462DCB 0xB8
[stack]:BEE8D463DCB 0x3C
跳出算法的关键部分以后,后续还有一些运算:
libclacSn.so:AD9F851Cloc_AD9F851C
libclacSn.so:AD9F851CLDRB R0, [R4,R3]
libclacSn.so:AD9F8520ADD R1, R2, #1
libclacSn.so:AD9F8524EOR R2, R2, R0
libclacSn.so:AD9F8528STRB R2, [R7,R3]
libclacSn.so:AD9F852CADD R3, R3, #1
libclacSn.so:AD9F8530CMP R3, #0x10
libclacSn.so:AD9F8534AND R2, R1, #0xFF
libclacSn.so:AD9F8538BNE loc_AD9F851C
libclacSn.so:AD9F853CNOP
libclacSn.so:AD9F8540LDR R10, =(unk_AD9F9C58 -0xAD9F8554)
libclacSn.so:AD9F8544LDR R5, [ SP ,#4]
libclacSn.so:AD9F8548MOV R4, #0
libclacSn.so:AD9F854CADD R10, PC, R10
libclacSn.so:AD9F8550
libclacSn.so:AD9F8550loc_AD9F8550
libclacSn.so:AD9F8550LDRB R2, [R7,R4]
libclacSn.so:AD9F8554ADD R3, R4, #0x10
libclacSn.so:AD9F8558MOV R0, R5
libclacSn.so:AD9F855CADD R4, R4, #1
libclacSn.so:AD9F8560EOR R2, R2, R3
libclacSn.so:AD9F8564MOV R1, R10
libclacSn.so:AD9F8568BL sprintf
libclacSn.so:AD9F856CCMP R4, #0x10
libclacSn.so:AD9F8570ADD R5, R5, #2
libclacSn.so:AD9F8574BNE loc_AD9F8550
libclacSn.so:AD9F8578MOV R0, R9
libclacSn.so:AD9F857CBLX R11
libclacSn.so:AD9F8580LDR R1, [ SP ,#0x50]
libclacSn.so:AD9F8584LDR R0, =0x66666667
libclacSn.so:AD9F8588LDR R12, [ SP ,#0x10]
libclacSn.so:AD9F858CMOV R3, R1,ASR # 31
libclacSn.so:AD9F8590SMULL R7, R2, R0, R1
libclacSn.so:AD9F8594MOV R0, R6
libclacSn.so:AD9F8598RSB R3, R3, R2,ASR # 3
libclacSn.so:AD9F859CLDR R2, [ SP ,#0x54]
libclacSn.so:AD9F85A0EOR R3, R12, R3
libclacSn.so:AD9F85A4EOR R3, R2, R3
libclacSn.so:AD9F85A8STR R3, [ SP ,#0x54]
libclacSn.so:AD9F85ACBL free
libclacSn.so:AD9F85B0LDR R0, [ SP ,#4]
libclacSn.so:AD9F85B4LDR R1, [ SP ,#0xC]
libclacSn.so:AD9F85B8MOV R2, R4
libclacSn.so:AD9F85BCBL memcmp
libclacSn.so:AD9F85C0CMP R0, #0
libclacSn.so:AD9F85C4BNE loc_AD9F8340
libclacSn.so:AD9F85C8NOP
libclacSn.so:AD9F85CCMOV R0, #1
libclacSn.so:AD9F85D0B loc_AD9F8344
来看看loc_25B0中,R0的内容:
[stack]:BEE8D354DCB 0x42
[stack]:BEE8D355DCB 0x32
[stack]:BEE8D356DCB 0x35
[stack]:BEE8D357DCB 0x32
[stack]:BEE8D358DCB 0x37
[stack]:BEE8D359DCB 0x41
[stack]:BEE8D35ADCB 0x31
[stack]:BEE8D35BDCB 0x36
[stack]:BEE8D35CDCB 0x30
[stack]:BEE8D35DDCB 0x30
[stack]:BEE8D35EDCB 0x44
[stack]:BEE8D35FDCB 0x35
[stack]:BEE8D360DCB 0x38
[stack]:BEE8D361DCB 0x41
[stack]:BEE8D362DCB 0x39
[stack]:BEE8D363DCB 0x39
[stack]:BEE8D364DCB 0x35
[stack]:BEE8D365DCB 0x46
[stack]:BEE8D366DCB 0x32
[stack]:BEE8D367DCB 0x31
[stack]:BEE8D368DCB 0x31
[stack]:BEE8D369DCB 0x43
[stack]:BEE8D36ADCB 0x39
[stack]:BEE8D36BDCB 0x36
[stack]:BEE8D36CDCB 0x41
[stack]:BEE8D36DDCB 0x32
[stack]:BEE8D36EDCB 0x34
[stack]:BEE8D36FDCB 0x38
[stack]:BEE8D370DCB 0x42
[stack]:BEE8D371DCB 0x38
[stack]:BEE8D372DCB 0x33
[stack]:BEE8D373DCB 0x43
至此,我们可以试一试,我们找到的注册码B2527A1600D58A995F211C96A248B83C,取前16位,验证结果如下:
图8.验证成功!
这里确实验证成功了,但是这个过程中会有彩蛋,只有自己走过一遍,看看能不能得到真正的注册码,才能知道彩蛋到底是什么!
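/*
 * sub_1100 -- the key part of the algorithm as shown by IDA's F5 (Hex-Rays)
 * view: the MD5 block transform (RFC 1321 "MD5Transform"), rewritten from
 * the decompiler pseudo-code into standard C.
 *
 * The identification rests on the listing itself: the per-step additive
 * constants (-680876936 == 0xD76AA478, -389564586 == 0xE8C7B756, ...) are
 * MD5's T[] table in step order, the rotations (ROR 25/20/15/10 == ROL
 * 7/12/17/22, then 27/23/18/12, 28/21/16/9, 26/22/17/11) are MD5's per-round
 * shifts, and the four boolean mixers match F, G, H and I.
 *
 * result: address of the 16-byte state, four little-endian 32-bit words read
 *         at offsets 0, 4, 8, 12 and updated in place.
 * a2:     address of the 64-byte message block, decoded as 16 little-endian
 *         32-bit words (the listing's first do/while).
 * Returns `result` unchanged, exactly as the decompiled function did.
 *
 * Behaviour-preserving changes relative to the pseudo-code:
 *  - "int __fastcall" (garbled as "int__fastcall") is not standard C, and an
 *    int cannot hold a pointer on LP64 targets; addresses are carried as
 *    intptr_t, to which an int-typed caller still converts implicitly.
 *  - The 64 unrolled steps become one table-driven loop over T[] and S[].
 *  - All word arithmetic is uint32_t, so the additions wrap as the binary
 *    does instead of overflowing a signed int (undefined behaviour in C).
 *  - The closing do/while that zeroed v142..v157 by walking from one local to
 *    another depends on the compiler's stack layout; the scratch words are a
 *    real array here and are cleared through a volatile pointer so the
 *    optimiser cannot drop the wipe the original clearly intended.
 */

/* 32-bit rotate left; the listing expresses it as __ROR4__(x, 32 - s). */
static uint32_t sub_1100_rotl(uint32_t x, unsigned s)
{
    return (x << s) | (x >> (32u - s));
}

intptr_t sub_1100(intptr_t result, intptr_t a2)
{
    /* MD5 additive constants T[i] = floor(2^32 * |sin(i + 1)|), in step
     * order; each equals the signed literal the listing adds in that step. */
    static const uint32_t T[64] = {
        0xD76AA478u, 0xE8C7B756u, 0x242070DBu, 0xC1BDCEEEu,
        0xF57C0FAFu, 0x4787C62Au, 0xA8304613u, 0xFD469501u,
        0x698098D8u, 0x8B44F7AFu, 0xFFFF5BB1u, 0x895CD7BEu,
        0x6B901122u, 0xFD987193u, 0xA679438Eu, 0x49B40821u,
        0xF61E2562u, 0xC040B340u, 0x265E5A51u, 0xE9B6C7AAu,
        0xD62F105Du, 0x02441453u, 0xD8A1E681u, 0xE7D3FBC8u,
        0x21E1CDE6u, 0xC33707D6u, 0xF4D50D87u, 0x455A14EDu,
        0xA9E3E905u, 0xFCEFA3F8u, 0x676F02D9u, 0x8D2A4C8Au,
        0xFFFA3942u, 0x8771F681u, 0x6D9D6122u, 0xFDE5380Cu,
        0xA4BEEA44u, 0x4BDECFA9u, 0xF6BB4B60u, 0xBEBFBC70u,
        0x289B7EC6u, 0xEAA127FAu, 0xD4EF3085u, 0x04881D05u,
        0xD9D4D039u, 0xE6DB99E5u, 0x1FA27CF8u, 0xC4AC5665u,
        0xF4292244u, 0x432AFF97u, 0xAB9423A7u, 0xFC93A039u,
        0x655B59C3u, 0x8F0CCC92u, 0xFFEFF47Du, 0x85845DD1u,
        0x6FA87E4Fu, 0xFE2CE6E0u, 0xA3014314u, 0x4E0811A1u,
        0xF7537E82u, 0xBD3AF235u, 0x2AD7D2BBu, 0xEB86D391u,
    };
    /* Per-round left-rotation amounts (the listing's ROR 25 is ROL 7, etc.). */
    static const unsigned S[4][4] = {
        { 7, 12, 17, 22 },
        { 5,  9, 14, 20 },
        { 4, 11, 16, 23 },
        { 6, 10, 15, 21 },
    };

    uint32_t *state = (uint32_t *)result;
    const unsigned char *block = (const unsigned char *)a2;
    uint32_t x[16];

    /* v141 / v3 / v2 / v140 in the pseudo-code: A, B, C, D. */
    uint32_t a = state[0];
    uint32_t b = state[1];
    uint32_t c = state[2];
    uint32_t d = state[3];

    /* Decode the block into 16 little-endian words (v142..v157). */
    for (unsigned i = 0; i < 16; i++) {
        x[i] = (uint32_t)block[4 * i]
             | ((uint32_t)block[4 * i + 1] << 8)
             | ((uint32_t)block[4 * i + 2] << 16)
             | ((uint32_t)block[4 * i + 3] << 24);
    }

    /* 64 steps, 16 per round; the mixer and the message-word schedule change
     * with the round, the shift repeats with period 4. */
    for (unsigned i = 0; i < 64; i++) {
        uint32_t f;
        unsigned k;

        switch (i >> 4) {
        case 0:  /* F: (b & c) | (~b & d), word i */
            f = (b & c) | (~b & d);
            k = i;
            break;
        case 1:  /* G: (b & d) | (c & ~d), word 5i+1 */
            f = (b & d) | (c & ~d);
            k = (5u * i + 1u) & 15u;
            break;
        case 2:  /* H: b ^ c ^ d, word 3i+5 */
            f = b ^ c ^ d;
            k = (3u * i + 5u) & 15u;
            break;
        default: /* I: c ^ (b | ~d), word 7i */
            f = c ^ (b | ~d);
            k = (7u * i) & 15u;
            break;
        }

        /* a = d, d = c, c = b, b = b + ROL(a + f + T[i] + x[k], s). */
        uint32_t prev_d = d;
        d = c;
        c = b;
        b = b + sub_1100_rotl(a + f + T[i] + x[k], S[i >> 4][i & 3]);
        a = prev_d;
    }

    /* Add the chaining value back: the four STRs at the end of the listing. */
    state[0] += a;
    state[1] += b;
    state[2] += c;
    state[3] += d;

    /* Wipe the decoded block words before returning (the listing's final
     * do/while); volatile keeps the stores from being optimised away. */
    volatile uint32_t *wipe = x;
    for (unsigned i = 0; i < 16; i++) {
        wipe[i] = 0;
    }

    return result;
}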
算法不难,但是很冗余!!我们以计算R6的地址为例: R6 = v140 + v134 = *(_DWORD *)(result + 12) + v132 + v135 = *(_DWORD *)(result + 12) + v130 + v133 + __ROR4__(v153 - 1120210379 + v126 + (((v130 + v133) | ~v128) ^ v130), 22) = ...