[Original] An arduous algorithm analysis: packet analysis of 飘零 4.0

Sendige posted on 2016-7-30 17:03
This post was last edited by Sendige on 2016-7-30 18:13

Actually I had wanted to study the packet algorithm of this verification system for a long time. About two months ago I happened to come across a post by the expert Brack with 易语言 source code for the packet encryption and decryption of 飘零 4.0; it only briefly explained how to use it, with no analysis of how the algorithm was found.
Source code for 飘零 Commercial 4.0 packet encryption/decryption and static data encryption/decryption
http://www.52pojie.cn/thread-292460-1-1.html
(Source: 吾爱破解论坛)
So I thought that, since there was source code, I could learn from it how to locate the algorithm. But at that time I had barely touched algorithm analysis, so after a few simple debugging attempts I gave up, since it was really not something a newbie like me could manage. Instead I started doing algorithm analysis on simple software, learning step by step.
Now I have tried again to analyse the 飘零 4.0 packet algorithm. With some basic algorithm-analysis experience, it did not feel as hard as it did back then, so over the last few days I spent my free time after work at the computer continuing the analysis, and this article is the result of those days of research. I am glad I had the patience to study an algorithm like this,
and above all that I actually went and did it hands-on.


0040239F   $  55            push ebp
004023A0   .  8BEC          mov ebp,esp
004023A2   .  81EC 0C000000 sub esp,0xC
004023A8   .  EB 10         jmp short 飘零网络.004023BA
004023AA   .  56 4D 50 72 6>ascii "VMProtect begin",0
004023BA   >  E8 65000000   call 飘零网络.00402424                       ;  fetch the data to encrypt; note the data fetched here changes every time
004023BF   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
004023C2   .  8B5D 08       mov ebx,dword ptr ss:[ebp+0x8]
004023C5   .  FF33          push dword ptr ds:[ebx]
004023C7   .  FF75 FC       push dword ptr ss:[ebp-0x4]
004023CA   .  B9 02000000   mov ecx,0x2
004023CF   .  E8 12F2FFFF   call 飘零网络.004015E6
004023D4   .  83C4 08       add esp,0x8
004023D7   .  8945 F8       mov dword ptr ss:[ebp-0x8],eax
004023DA   .  8B5D FC       mov ebx,dword ptr ss:[ebp-0x4]
004023DD   .  85DB          test ebx,ebx
004023DF   .  74 09         je short 飘零网络.004023EA
004023E1   .  53            push ebx
004023E2   .  E8 4D630100   call 飘零网络.00418734
004023E7   .  83C4 04       add esp,0x4
004023EA   >  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
004023ED   .  50            push eax
004023EE   .  E8 1E020000   call 飘零网络.00402611                       ;  start encryption
004023F3   .  8945 F4       mov dword ptr ss:[ebp-0xC],eax                ;  encrypted result saved in eax
004023F6   .  8B5D F8       mov ebx,dword ptr ss:[ebp-0x8]
004023F9   .  85DB          test ebx,ebx
004023FB   .  74 09         je short 飘零网络.00402406
004023FD   .  53            push ebx
004023FE   .  E8 31630100   call 飘零网络.00418734
00402403   .  83C4 04       add esp,0x4
00402406   >  8B45 F4       mov eax,dword ptr ss:[ebp-0xC]
00402409   .  E9 10000000   jmp 飘零网络.0040241E
0040240E   .  EB 0E         jmp short 飘零网络.0040241E
00402410   .  56 4D 50 72 6>ascii "VMProtect end",0
0040241E   >  8BE5          mov esp,ebp
00402420   .  5D            pop ebp                                  ;  飘零网络.004023F3
00402421   .  C2 0400       retn 0x4

Step into    004023EE   .  E8 1E020000   call 飘零网络.00402611                       ;  start encryption
This is the key encryption call.
After entering the call, the following code is the core encryption algorithm.
004027E2  |> \8B45 E8       mov eax,[local.6]                        ;  length of the data to encrypt
004027E5  |.  33C9          xor ecx,ecx                              ;  112366465{[good-rose]}dl converted to an array
004027E7  |.  50            push eax                                 ;  length is 18
004027E8  |.  8D45 E4       lea eax,[local.7]
004027EB  |.  8BD8          mov ebx,eax
004027ED  |.  58            pop eax                                  ;  001ED680
004027EE  |>  41            /inc ecx
004027EF  |.  51            |push ecx
004027F0  |.  53            |push ebx                                ;  飘零网络.00418C40
004027F1  |.  890B          |mov dword ptr ds:[ebx],ecx              ;  ecx = X, the position being encrypted
004027F3  |.  50            |push eax
004027F4  |.  3BC8          |cmp ecx,eax                             ;  eax=18
004027F6  |.  0F8F A3040000 |jg 飘零网络.00402C9F
004027FC  |.  8B5D FC       |mov ebx,[local.1]                       ;  transport password
004027FF  |.  E8 EDFDFFFF   |call 飘零网络.004025F1
00402804  |.  53            |push ebx                                ;  get the digit count of the transport password, here 8
00402805  |.  51            |push ecx
00402806  |.  8B45 F8       |mov eax,[local.2]
00402809  |.  48            |dec eax
0040280A  |.  79 0D         |jns short 飘零网络.00402819
0040280C  |.  68 04000000   |push 0x4
00402811  |.  E8 485F0100   |call 飘零网络.0041875E
00402816  |.  83C4 04       |add esp,0x4
00402819  |>  59            |pop ecx                                 ;  001ED680
0040281A  |.  5B            |pop ebx                                 ;  001ED680
0040281B  |.  3BC1          |cmp eax,ecx
0040281D  |.  7C 0D         |jl short 飘零网络.0040282C
0040281F  |.  68 01000000   |push 0x1
00402824  |.  E8 355F0100   |call 飘零网络.0041875E
00402829  |.  83C4 04       |add esp,0x4
0040282C  |>  03D8          |add ebx,eax
0040282E  |.  895D D0       |mov [local.12],ebx                      ;  ebx=007D6418 points at the transport password, and next time at the next digit
00402831  |.  8B5D D0       |mov ebx,[local.12]                      ;  remember the password is converted to bytes 01 09 09 03 00 05 01 06
00402834  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  take the X-th transport-password digit, here 1, the second time 09
00402836  |.  25 FF000000   |and eax,0xFF                            ;  and operation
0040283B  |.  8945 C8       |mov [local.14],eax
0040283E  |.  DB45 C8       |fild [local.14]                         ;  convert the result to floating point
00402841  |.  DD5D C8       |fstp qword ptr ss:[ebp-0x38]            ;  store float and pop
00402844  |.  DD45 C8       |fld qword ptr ss:[ebp-0x38]             ;  load float
00402847  |.  DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  float add: X-th password digit + 1, [0x4A1AA2] = 1
0040284D  |.  DD5D C0       |fstp qword ptr ss:[ebp-0x40]            ;  store float and pop
00402850  |.  DD45 C0       |fld qword ptr ss:[ebp-0x40]             ;  load float
00402853  |.  E8 C5FCFFFF   |call 飘零网络.0040251D                      ;  convert to hex (integer)
00402858  |.  8945 E0       |mov [local.8],eax                       ;  2, 10; denote this result a
0040285B  |.  68 01030080   |push 0x80000301
00402860  |.  6A 00         |push 0x0
00402862  |.  68 04000000   |push 0x4
00402867  |.  68 01030080   |push 0x80000301
0040286C  |.  6A 00         |push 0x0
0040286E  |.  FF75 E0       |push [local.8]
00402871  |.  68 02000000   |push 0x2
00402876  |.  BB 708A4100   |mov ebx,飘零网络.00418A70
0040287B  |.  E8 BA5E0100   |call 飘零网络.0041873A                      ;  a = xor a,4; step into the call yourself to see it, here it is always XOR with 4
00402880  |.  83C4 1C       |add esp,0x1C
00402883  |.  8945 E0       |mov [local.8],eax                       ;  a
00402886  |.  DB45 F4       |fild [local.3]
00402889  |.  DD5D CC       |fstp qword ptr ss:[ebp-0x34]
0040288C  |.  DD45 CC       |fld qword ptr ss:[ebp-0x34]
0040288F  |.  DB45 E4       |fild [local.7]                          ;  1
00402892  |.  DD5D C4       |fstp qword ptr ss:[ebp-0x3C]
00402895  |.  DC45 C4       |fadd qword ptr ss:[ebp-0x3C]            ;  1+0 2+0
00402898  |.  DD5D BC       |fstp qword ptr ss:[ebp-0x44]
0040289B  |.  DD45 BC       |fld qword ptr ss:[ebp-0x44]
0040289E  |.  E8 7AFCFFFF   |call 飘零网络.0040251D                      ;  convert to hex (integer)
004028A3  |.  8945 F0       |mov [local.4],eax                       ;  1 2
004028A6  |.  8B45 E8       |mov eax,[local.6]                       ;  18 is the length of the data to encrypt
004028A9  |.  3945 F0       |cmp [local.4],eax                       ;  compare 18 with X, the position being encrypted
004028AC  |.  0F8E 05000000 |jle 飘零网络.004028B7                       ;  check whether the data has been fully encrypted
004028B2  |.  E9 E8030000   |jmp 飘零网络.00402C9F
004028B7  |>  8B5D EC       |mov ebx,[local.5]                       ;  112366465{[good-rose]}dl
004028BA  |.  E8 32FDFFFF   |call 飘零网络.004025F1
004028BF  |.  53            |push ebx                                ;  飘零网络.00418C40
004028C0  |.  51            |push ecx
004028C1  |.  8B45 F0       |mov eax,[local.4]                       ;  take X
004028C4  |.  48            |dec eax
004028C5  |.  79 0D         |jns short 飘零网络.004028D4
004028C7  |.  68 04000000   |push 0x4
004028CC  |.  E8 8D5E0100   |call 飘零网络.0041875E
004028D1  |.  83C4 04       |add esp,0x4
004028D4  |>  59            |pop ecx                                 ;  001ED680
004028D5  |.  5B            |pop ebx                                 ;  001ED680
004028D6  |.  3BC1          |cmp eax,ecx
004028D8  |.  7C 0D         |jl short 飘零网络.004028E7
004028DA  |.  68 01000000   |push 0x1
004028DF  |.  E8 7A5E0100   |call 飘零网络.0041875E
004028E4  |.  83C4 04       |add esp,0x4
004028E7  |>  03D8          |add ebx,eax
004028E9  |.  895D D0       |mov [local.12],ebx                      ;  points at the X-th byte of the data to encrypt
004028EC  |.  68 01010080   |push 0x80000101
004028F1  |.  6A 00         |push 0x0
004028F3  |.  8B5D D0       |mov ebx,[local.12]                      ; 
004028F6  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  take the X-th byte of the data to encrypt; "1" = 0x31
004028F8  |.  50            |push eax
004028F9  |.  68 01000000   |push 0x1
004028FE  |.  BB A0944100   |mov ebx,飘零网络.004194A0
00402903  |.  E8 325E0100   |call 飘零网络.0041873A
00402908  |.  83C4 10       |add esp,0x10
0040290B  |.  8945 C8       |mov [local.14],eax                      ;  31
0040290E  |.  837D C8 7F    |cmp [local.14],0x7F                     ;  check whether it is greater than 0x7F; nothing greater than 0x7F was seen so far, if there is one the other algorithm must be traced, i.e. the case where the jle is not taken
00402912  |.  0F8E CE010000 |jle 飘零网络.00402AE6
00402918  |.  FF45 F4       |inc [local.3]
0040291B  |.  68 01030080   |push 0x80000301
00402920  |.  6A 00         |push 0x0
00402922  |.  68 02000000   |push 0x2
00402927  |.  68 01030080   |push 0x80000301
0040292C  |.  6A 00         |push 0x0
0040292E  |.  FF75 F0       |push [local.4]
00402931  |.  68 05000080   |push 0x80000005
00402936  |.  6A 00         |push 0x0
00402938  |.  8B45 EC       |mov eax,[local.5]
0040293B  |.  85C0          |test eax,eax
0040293D  |.  75 05         |jnz short 飘零网络.00402944
0040293F  |.  B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
00402944  |>  50            |push eax
00402945  |.  68 03000000   |push 0x3
0040294A  |.  BB 509B4100   |mov ebx,飘零网络.00419B50
0040294F  |.  E8 E65D0100   |call 飘零网络.0041873A
00402954  |.  83C4 28       |add esp,0x28
00402957  |.  8945 D0       |mov [local.12],eax
0040295A  |.  8B45 D0       |mov eax,[local.12]
0040295D  |.  50            |push eax
0040295E  |.  8B5D DC       |mov ebx,[local.9]
00402961  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402963  |.  74 09         |je short 飘零网络.0040296E
00402965  |.  53            |push ebx                                ;  飘零网络.00418C40
00402966  |.  E8 C95D0100   |call 飘零网络.00418734
0040296B  |.  83C4 04       |add esp,0x4
0040296E  |>  58            |pop eax                                 ;  001ED680
0040296F  |.  8945 DC       |mov [local.9],eax
00402972  |.  8B5D DC       |mov ebx,[local.9]
00402975  |.  E8 77FCFFFF   |call 飘零网络.004025F1
0040297A  |.  B8 00000000   |mov eax,0x0
0040297F  |.  3BC1          |cmp eax,ecx
00402981  |.  7C 0D         |jl short 飘零网络.00402990
00402983  |.  68 01000000   |push 0x1
00402988  |.  E8 D15D0100   |call 飘零网络.0041875E
0040298D  |.  83C4 04       |add esp,0x4
00402990  |>  03D8          |add ebx,eax
00402992  |.  895D D0       |mov [local.12],ebx                      ;  飘零网络.00418C40
00402995  |.  68 01030080   |push 0x80000301
0040299A  |.  6A 00         |push 0x0
0040299C  |.  68 08000000   |push 0x8
004029A1  |.  8B5D D0       |mov ebx,[local.12]
004029A4  |.  8A03          |mov al,byte ptr ds:[ebx]
004029A6  |.  25 FF000000   |and eax,0xFF
004029AB  |.  68 01030080   |push 0x80000301
004029B0  |.  6A 00         |push 0x0
004029B2  |.  50            |push eax
004029B3  |.  68 02000000   |push 0x2
004029B8  |.  BB 50C34100   |mov ebx,飘零网络.0041C350
004029BD  |.  E8 785D0100   |call 飘零网络.0041873A
004029C2  |.  83C4 1C       |add esp,0x1C
004029C5  |.  8945 CC       |mov [local.13],eax
004029C8  |.  8B5D DC       |mov ebx,[local.9]
004029CB  |.  E8 21FCFFFF   |call 飘零网络.004025F1
004029D0  |.  B8 01000000   |mov eax,0x1
004029D5  |.  3BC1          |cmp eax,ecx
004029D7  |.  7C 0D         |jl short 飘零网络.004029E6
004029D9  |.  68 01000000   |push 0x1
004029DE  |.  E8 7B5D0100   |call 飘零网络.0041875E
004029E3  |.  83C4 04       |add esp,0x4
004029E6  |>  03D8          |add ebx,eax
004029E8  |.  895D C8       |mov [local.14],ebx                      ;  飘零网络.00418C40
004029EB  |.  DB45 CC       |fild [local.13]
004029EE  |.  DD5D C0       |fstp qword ptr ss:[ebp-0x40]
004029F1  |.  DD45 C0       |fld qword ptr ss:[ebp-0x40]
004029F4  |.  8B5D C8       |mov ebx,[local.14]
004029F7  |.  8A03          |mov al,byte ptr ds:[ebx]
004029F9  |.  25 FF000000   |and eax,0xFF
004029FE  |.  8945 B8       |mov [local.18],eax
00402A01  |.  DB45 B8       |fild [local.18]
00402A04  |.  DD5D B8       |fstp qword ptr ss:[ebp-0x48]
00402A07  |.  DC45 B8       |fadd qword ptr ss:[ebp-0x48]
00402A0A  |.  DD5D B0       |fstp qword ptr ss:[ebp-0x50]
00402A0D  |.  DD45 B0       |fld qword ptr ss:[ebp-0x50]
00402A10  |.  E8 08FBFFFF   |call 飘零网络.0040251D
00402A15  |.  66:8945 D8    |mov word ptr ss:[ebp-0x28],ax
00402A19  |.  68 01030080   |push 0x80000301
00402A1E  |.  6A 00         |push 0x0
00402A20  |.  FF75 E0       |push [local.8]
00402A23  |.  8B45 D8       |mov eax,[local.10]
00402A26  |.  98            |cwde
00402A27  |.  68 01030080   |push 0x80000301
00402A2C  |.  6A 00         |push 0x0
00402A2E  |.  50            |push eax
00402A2F  |.  68 02000000   |push 0x2
00402A34  |.  BB 708A4100   |mov ebx,飘零网络.00418A70
00402A39  |.  E8 FC5C0100   |call 飘零网络.0041873A
00402A3E  |.  83C4 1C       |add esp,0x1C
00402A41  |.  68 01030080   |push 0x80000301
00402A46  |.  6A 00         |push 0x0
00402A48  |.  50            |push eax
00402A49  |.  68 01000000   |push 0x1
00402A4E  |.  BB A0A04100   |mov ebx,飘零网络.0041A0A0
00402A53  |.  E8 E25C0100   |call 飘零网络.0041873A
00402A58  |.  83C4 10       |add esp,0x10
00402A5B  |.  8945 CC       |mov [local.13],eax
00402A5E  |.  68 01030080   |push 0x80000301
00402A63  |.  6A 00         |push 0x0
00402A65  |.  68 04000000   |push 0x4
00402A6A  |.  68 04000080   |push 0x80000004
00402A6F  |.  6A 00         |push 0x0
00402A71  |.  8B45 CC       |mov eax,[local.13]
00402A74  |.  85C0          |test eax,eax
00402A76  |.  75 05         |jnz short 飘零网络.00402A7D
00402A78  |.  B8 FC134A00   |mov eax,飘零网络.004A13FC
00402A7D  |>  50            |push eax
00402A7E  |.  68 02000000   |push 0x2
00402A83  |.  BB C08D4100   |mov ebx,飘零网络.00418DC0
00402A88  |.  E8 AD5C0100   |call 飘零网络.0041873A
00402A8D  |.  83C4 1C       |add esp,0x1C
00402A90  |.  8945 C8       |mov [local.14],eax
00402A93  |.  8B5D CC       |mov ebx,[local.13]
00402A96  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402A98  |.  74 09         |je short 飘零网络.00402AA3
00402A9A  |.  53            |push ebx                                ;  飘零网络.00418C40
00402A9B  |.  E8 945C0100   |call 飘零网络.00418734
00402AA0  |.  83C4 04       |add esp,0x4
00402AA3  |>  FF75 C8       |push [local.14]
00402AA6  |.  FF75 D4       |push [local.11]
00402AA9  |.  B9 02000000   |mov ecx,0x2
00402AAE  |.  E8 33EBFFFF   |call 飘零网络.004015E6
00402AB3  |.  83C4 08       |add esp,0x8
00402AB6  |.  8945 C4       |mov [local.15],eax
00402AB9  |.  8B5D C8       |mov ebx,[local.14]
00402ABC  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402ABE  |.  74 09         |je short 飘零网络.00402AC9
00402AC0  |.  53            |push ebx                                ;  飘零网络.00418C40
00402AC1  |.  E8 6E5C0100   |call 飘零网络.00418734
00402AC6  |.  83C4 04       |add esp,0x4
00402AC9  |>  8B45 C4       |mov eax,[local.15]
00402ACC  |.  50            |push eax
00402ACD  |.  8B5D D4       |mov ebx,[local.11]
00402AD0  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402AD2  |.  74 09         |je short 飘零网络.00402ADD
00402AD4  |.  53            |push ebx                                ;  飘零网络.00418C40
00402AD5  |.  E8 5A5C0100   |call 飘零网络.00418734
00402ADA  |.  83C4 04       |add esp,0x4
00402ADD  |>  58            |pop eax                                 ;  001ED680
00402ADE  |.  8945 D4       |mov [local.11],eax
00402AE1  |.  E9 73010000   |jmp 飘零网络.00402C59
00402AE6  |>  68 01030080   |push 0x80000301
00402AEB  |.  6A 00         |push 0x0
00402AED  |.  68 01000000   |push 0x1
00402AF2  |.  68 01030080   |push 0x80000301
00402AF7  |.  6A 00         |push 0x0
00402AF9  |.  FF75 F0       |push [local.4]
00402AFC  |.  68 05000080   |push 0x80000005
00402B01  |.  6A 00         |push 0x0
00402B03  |.  8B45 EC       |mov eax,[local.5]
00402B06  |.  85C0          |test eax,eax
00402B08  |.  75 05         |jnz short 飘零网络.00402B0F
00402B0A  |.  B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
00402B0F  |>  50            |push eax
00402B10  |.  68 03000000   |push 0x3
00402B15  |.  BB 509B4100   |mov ebx,飘零网络.00419B50
00402B1A  |.  E8 1B5C0100   |call 飘零网络.0041873A
00402B1F  |.  83C4 28       |add esp,0x28                            ;  data to encrypt converted to an array
00402B22  |.  8945 D0       |mov [local.12],eax
00402B25  |.  8B45 D0       |mov eax,[local.12]
00402B28  |.  50            |push eax
00402B29  |.  8B5D DC       |mov ebx,[local.9]
00402B2C  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402B2E  |.  74 09         |je short 飘零网络.00402B39
00402B30  |.  53            |push ebx                                ;  飘零网络.00418C40
00402B31  |.  E8 FE5B0100   |call 飘零网络.00418734
00402B36  |.  83C4 04       |add esp,0x4
00402B39  |>  58            |pop eax                                 ;  001ED680
00402B3A  |.  8945 DC       |mov [local.9],eax
00402B3D  |.  8B5D DC       |mov ebx,[local.9]
00402B40  |.  E8 ACFAFFFF   |call 飘零网络.004025F1                      ;  take the array from eax: 1
00402B45  |.  B8 00000000   |mov eax,0x0
00402B4A  |.  3BC1          |cmp eax,ecx
00402B4C  |.  7C 0D         |jl short 飘零网络.00402B5B
00402B4E  |.  68 01000000   |push 0x1
00402B53  |.  E8 065C0100   |call 飘零网络.0041875E
00402B58  |.  83C4 04       |add esp,0x4
00402B5B  |>  03D8          |add ebx,eax
00402B5D  |.  895D D0       |mov [local.12],ebx                      ;  take the data to encrypt
00402B60  |.  8B5D D0       |mov ebx,[local.12]
00402B63  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  1 = 31; denote this al as hex
00402B65  |.  25 FF000000   |and eax,0xFF
00402B6A  |.  66:8945 D8    |mov word ptr ss:[ebp-0x28],ax           ;  31
00402B6E  |.  68 01010080   |push 0x80000101
00402B73  |.  6A 00         |push 0x0
00402B75  |.  68 30000000   |push 0x30
00402B7A  |.  68 01000000   |push 0x1
00402B7F  |.  BB 708E4100   |mov ebx,飘零网络.00418E70
00402B84  |.  E8 B15B0100   |call 飘零网络.0041873A                      ;
00402B89  |.  83C4 10       |add esp,0x10
00402B8C  |.  8945 D0       |mov [local.12],eax                      ;  0
00402B8F  |.  68 01010080   |push 0x80000101
00402B94  |.  6A 00         |push 0x0
00402B96  |.  68 30000000   |push 0x30
00402B9B  |.  68 01000000   |push 0x1
00402BA0  |.  BB 708E4100   |mov ebx,飘零网络.00418E70
00402BA5  |.  E8 905B0100   |call 飘零网络.0041873A
00402BAA  |.  83C4 10       |add esp,0x10                            ;  0 converted to Unicode
00402BAD  |.  8945 CC       |mov [local.13],eax
00402BB0  |.  68 01030080   |push 0x80000301
00402BB5  |.  6A 00         |push 0x0
00402BB7  |.  FF75 E0       |push [local.8]                          ;  a
00402BBA  |.  8B45 D8       |mov eax,[local.10]                      ;  hex
00402BBD  |.  98            |cwde
00402BBE  |.  68 01030080   |push 0x80000301
00402BC3  |.  6A 00         |push 0x0
00402BC5  |.  50            |push eax
00402BC6  |.  68 02000000   |push 0x2
00402BCB  |.  BB 708A4100   |mov ebx,飘零网络.00418A70
00402BD0  |.  E8 655B0100   |call 飘零网络.0041873A                      ;  result = xor a,hex; again step into the call yourself to check, it is always xor a,hex
00402BD5  |.  83C4 1C       |add esp,0x1C
00402BD8  |.  68 01030080   |push 0x80000301
00402BDD  |.  6A 00         |push 0x0
00402BDF  |.  50            |push eax
00402BE0  |.  68 01000000   |push 0x1
00402BE5  |.  BB A0A04100   |mov ebx,飘零网络.0041A0A0
00402BEA  |.  E8 4B5B0100   |call 飘零网络.0041873A
00402BEF  |.  83C4 10       |add esp,0x10                            ;  convert to string: 37
00402BF2  |.  8945 C4       |mov [local.15],eax
00402BF5  |.  FF75 C4       |push [local.15]                         ;  37
00402BF8  |.  FF75 CC       |push [local.13]                         ;  0
00402BFB  |.  FF75 D0       |push [local.12]                         ;  0
00402BFE  |.  FF75 D4       |push [local.11]                         ;  the previously encrypted data
00402C01  |.  B9 04000000   |mov ecx,0x4
00402C06  |.  E8 DBE9FFFF   |call 飘零网络.004015E6                      ;  concatenate: 0037
00402C0B  |.  83C4 10       |add esp,0x10                            ;  the result of encrypting 1 here is 0037
00402C0E  |.  8945 C0       |mov [local.16],eax
00402C11  |.  8B5D D0       |mov ebx,[local.12]
00402C14  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402C16  |.  74 09         |je short 飘零网络.00402C21
00402C18  |.  53            |push ebx                                ;  飘零网络.00418C40
00402C19  |.  E8 165B0100   |call 飘零网络.00418734
00402C1E  |.  83C4 04       |add esp,0x4
00402C21  |>  8B5D CC       |mov ebx,[local.13]                      ;  0
00402C24  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402C26  |.  74 09         |je short 飘零网络.00402C31
00402C28  |.  53            |push ebx                                ;  飘零网络.00418C40
00402C29  |.  E8 065B0100   |call 飘零网络.00418734
00402C2E  |.  83C4 04       |add esp,0x4
00402C31  |>  8B5D C4       |mov ebx,[local.15]                      ;  37
00402C34  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402C36  |.  74 09         |je short 飘零网络.00402C41
00402C38  |.  53            |push ebx                                ;  飘零网络.00418C40
00402C39  |.  E8 F65A0100   |call 飘零网络.00418734
00402C3E  |.  83C4 04       |add esp,0x4
00402C41  |>  8B45 C0       |mov eax,[local.16]                      ;  0037
00402C44  |.  50            |push eax
00402C45  |.  8B5D D4       |mov ebx,[local.11]
00402C48  |.  85DB          |test ebx,ebx                            ;  飘零网络.00418C40
00402C4A  |.  74 09         |je short 飘零网络.00402C55
00402C4C  |.  53            |push ebx                                ;  飘零网络.00418C40
00402C4D  |.  E8 E25A0100   |call 飘零网络.00418734
00402C52  |.  83C4 04       |add esp,0x4
00402C55  |>  58            |pop eax                                 ;  001ED680
00402C56  |.  8945 D4       |mov [local.11],eax                      ;  0037
00402C59  |>  68 05000080   |push 0x80000005
00402C5E  |.  6A 00         |push 0x0
00402C60  |.  8B45 FC       |mov eax,[local.1]                       ;  points at the password
00402C63  |.  85C0          |test eax,eax
00402C65  |.  75 05         |jnz short 飘零网络.00402C6C
00402C67  |.  B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
00402C6C  |>  50            |push eax
00402C6D  |.  68 01000000   |push 0x1
00402C72  |.  BB 408C4100   |mov ebx,飘零网络.00418C40
00402C77  |.  E8 BE5A0100   |call 飘零网络.0041873A                      ;  get the number of password digits: 8
00402C7C  |.  83C4 10       |add esp,0x10
00402C7F  |.  3945 F8       |cmp [local.2],eax                       ;  compare 8 with the next password position
00402C82  |.  0F8D 08000000 |jge 飘零网络.00402C90
00402C88  |.  FF45 F8       |inc [local.2]                           ;  here it becomes 2, showing the second position is being encrypted
00402C8B  |.  E9 07000000   |jmp 飘零网络.00402C97
00402C90  |>  C745 F8 01000>|mov [local.2],0x1
00402C97  |>  58            |pop eax                                 ;  001ED680
00402C98  |.  5B            |pop ebx                                 ;  001ED680
00402C99  |.  59            |pop ecx                                 ;  001ED680
00402C9A  |.^ E9 4FFBFFFF   \jmp 飘零网络.004027EE

My transport password here is 19930516.

Summary:
1. Compare X (the position being encrypted) with the total data length; when equal, exit the encryption loop.
2. Take the X-th digit of the transport password (X increments by 1 each time), AND it with 0xFF, then add 1; denote the result a.
3. a = xor a,4
4. Take the X-th byte of the data to encrypt, convert it to hex and compare with 0x7F; if greater, exit the loop.
5. result = xor a,hex
6. Then prepend 00 and append result.
Here are two sets of data so everyone can verify whether this is right:
112449767{[good-rose]}dl
0037003F003C00340031003B003100350031007500550067006A006D0062002E00740061007D00650058007F0062006F
112450317{[good-rose]}dl
0037003F003C003400300032003500320031007500550067006A006D0062002E00740061007D00650058007F0062006F
0040D350  |.  E8 FA020000   call 飘零网络.0040D64F                       ;  登陆引擎 = 飘零商业客户端取回数据 ()  (login engine = the 飘零 commercial client "retrieve data" call)

004069CE   $  55            push ebp
004069CF   .  8BEC          mov ebp,esp
004069D1   .  81EC 08000000 sub esp,0x8
004069D7   .  EB 10         jmp short 飘零网络.004069E9
004069D9   .  56 4D 50 72 6>ascii "VMProtect begin",0
004069E9   >  FF75 08       push dword ptr ss:[ebp+0x8]
004069EC   .  E8 94000000   call 飘零网络.00406A85                       ;  start decryption
004069F1   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
004069F4   .  8D45 FC       lea eax,dword ptr ss:[ebp-0x4]
004069F7   .  50            push eax
004069F8   .  E8 A8070000   call 飘零网络.004071A5
004069FD   .  8945 F8       mov dword ptr ss:[ebp-0x8],eax
00406A00   .  8B5D FC       mov ebx,dword ptr ss:[ebp-0x4]
00406A03   .  85DB          test ebx,ebx
00406A05   .  74 09         je short 飘零网络.00406A10
00406A07   .  53            push ebx
00406A08   .  E8 271D0100   call 飘零网络.00418734
00406A0D   .  83C4 04       add esp,0x4
00406A10   >  8B45 F8       mov eax,dword ptr ss:[ebp-0x8]
00406A13   .  E9 10000000   jmp 飘零网络.00406A28
00406A18   .  EB 0E         jmp short 飘零网络.00406A28
00406A1A   .  56 4D 50 72 6>ascii "VMProtect end",0
00406A28   >  8BE5          mov esp,ebp
00406A2A   .  5D            pop ebp                                  ;  0012F894
00406A2B   .  C2 0400       retn 0x4

Decryption loop:

00406BED  |> /52            /push edx
00406BEE  |. |51            |push ecx
00406BEF  |. |53            |push ebx
00406BF0  |. |890B          |mov dword ptr ds:[ebx],ecx
00406BF2  |. |3BCA          |cmp ecx,edx                             ;  edx is the length of the undecrypted data
00406BF4  |. |0F8F 2F050000 |jg 飘零网络.00407129
00406BFA  |. |8B5D F8       |mov ebx,[local.2]                       ;  points at the transport password
00406BFD  |. |E8 EFB9FFFF   |call 飘零网络.004025F1
00406C02  |. |53            |push ebx                                ;  8
00406C03  |. |51            |push ecx
00406C04  |. |8B45 FC       |mov eax,[local.1]
00406C07  |. |48            |dec eax
00406C08  |. |79 0D         |jns short 飘零网络.00406C17
00406C0A  |. |68 04000000   |push 0x4
00406C0F  |. |E8 4A1B0100   |call 飘零网络.0041875E
00406C14  |. |83C4 04       |add esp,0x4
00406C17  |> |59            |pop ecx                                 ;  0012F894
00406C18  |. |5B            |pop ebx                                 ;  0012F894
00406C19  |. |3BC1          |cmp eax,ecx
00406C1B  |. |7C 0D         |jl short 飘零网络.00406C2A
00406C1D  |. |68 01000000   |push 0x1
00406C22  |. |E8 371B0100   |call 飘零网络.0041875E
00406C27  |. |83C4 04       |add esp,0x4
00406C2A  |> |03D8          |add ebx,eax
00406C2C  |. |895D D8       |mov [local.10],ebx
00406C2F  |. |8B5D D8       |mov ebx,[local.10]
00406C32  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  points at the X-th digit of the password
00406C34  |. |25 FF000000   |and eax,0xFF
00406C39  |. |8945 D0       |mov [local.12],eax
00406C3C  |. |DB45 D0       |fild [local.12]
00406C3F  |. |DD5D D0       |fstp qword ptr ss:[ebp-0x30]
00406C42  |. |DD45 D0       |fld qword ptr ss:[ebp-0x30]
00406C45  |. |DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  1+1
00406C4B  |. |DD5D C8       |fstp qword ptr ss:[ebp-0x38]
00406C4E  |. |DD45 C8       |fld qword ptr ss:[ebp-0x38]
00406C51  |. |E8 C7B8FFFF   |call 飘零网络.0040251D
00406C56  |. |8945 F0       |mov [local.4],eax
00406C59  |. |68 01030080   |push 0x80000301
00406C5E  |. |6A 00         |push 0x0
00406C60  |. |68 04000000   |push 0x4
00406C65  |. |68 01030080   |push 0x80000301
00406C6A  |. |6A 00         |push 0x0
00406C6C  |. |FF75 F0       |push [local.4]
00406C6F  |. |68 02000000   |push 0x2
00406C74  |. |BB 708A4100   |mov ebx,飘零网络.00418A70
00406C79  |. |E8 BC1A0100   |call 飘零网络.0041873A
00406C7E  |. |83C4 1C       |add esp,0x1C
00406C81  |. |8945 F0       |mov [local.4],eax
00406C84  |. |68 01030080   |push 0x80000301
00406C89  |. |6A 00         |push 0x0
00406C8B  |. |68 04000000   |push 0x4
00406C90  |. |68 01030080   |push 0x80000301
00406C95  |. |6A 00         |push 0x0
00406C97  |. |FF75 F4       |push [local.3]
00406C9A  |. |68 04000080   |push 0x80000004
00406C9F  |. |6A 00         |push 0x0
00406CA1  |. |8B5D 08       |mov ebx,[arg.1]
00406CA4  |. |8B03          |mov eax,dword ptr ds:[ebx]
00406CA6  |. |85C0          |test eax,eax
00406CA8  |. |75 05         |jnz short 飘零网络.00406CAF
00406CAA  |. |B8 FC134A00   |mov eax,飘零网络.004A13FC
00406CAF  |> |50            |push eax
00406CB0  |. |68 03000000   |push 0x3
00406CB5  |. |BB 108E4100   |mov ebx,飘零网络.00418E10
00406CBA  |. |E8 7B1A0100   |call 飘零网络.0041873A
00406CBF  |. |83C4 28       |add esp,0x28
00406CC2  |. |8945 D8       |mov [local.10],eax
00406CC5  |. |8B45 D8       |mov eax,[local.10]
00406CC8  |. |50            |push eax
00406CC9  |. |8B5D EC       |mov ebx,[local.5]
00406CCC  |. |85DB          |test ebx,ebx
00406CCE  |. |74 09         |je short 飘零网络.00406CD9
00406CD0  |. |53            |push ebx
00406CD1  |. |E8 5E1A0100   |call 飘零网络.00418734
00406CD6  |. |83C4 04       |add esp,0x4
00406CD9  |> |58            |pop eax                                 ;  0012F894
00406CDA  |. |8945 EC       |mov [local.5],eax
00406CDD  |. |68 01030080   |push 0x80000301
00406CE2  |. |6A 00         |push 0x0
00406CE4  |. |68 02000000   |push 0x2
00406CE9  |. |68 04000080   |push 0x80000004
00406CEE  |. |6A 00         |push 0x0
00406CF0  |. |8B45 EC       |mov eax,[local.5]
00406CF3  |. |85C0          |test eax,eax
00406CF5  |. |75 05         |jnz short 飘零网络.00406CFC
00406CF7  |. |B8 FC134A00   |mov eax,飘零网络.004A13FC
00406CFC  |> |50            |push eax
00406CFD  |. |68 02000000   |push 0x2
00406D02  |. |BB 808D4100   |mov ebx,飘零网络.00418D80
00406D07  |. |E8 2E1A0100   |call 飘零网络.0041873A
00406D0C  |. |83C4 1C       |add esp,0x1C
00406D0F  |. |8945 D8       |mov [local.10],eax
00406D12  |. |68 01010080   |push 0x80000101
00406D17  |. |6A 00         |push 0x0
00406D19  |. |68 30000000   |push 0x30
00406D1E  |. |68 01000000   |push 0x1
00406D23  |. |BB 708E4100   |mov ebx,飘零网络.00418E70
00406D28  |. |E8 0D1A0100   |call 飘零网络.0041873A
00406D2D  |. |83C4 10       |add esp,0x10
00406D30  |. |8945 D4       |mov [local.11],eax
00406D33  |. |68 01010080   |push 0x80000101
00406D38  |. |6A 00         |push 0x0
00406D3A  |. |68 78000000   |push 0x78
00406D3F  |. |68 01000000   |push 0x1
00406D44  |. |BB 708E4100   |mov ebx,飘零网络.00418E70
00406D49  |. |E8 EC190100   |call 飘零网络.0041873A
00406D4E  |. |83C4 10       |add esp,0x10
00406D51  |. |8945 D0       |mov [local.12],eax
00406D54  |. |FF75 D0       |push [local.12]
00406D57  |. |FF75 D4       |push [local.11]
00406D5A  |. |B9 02000000   |mov ecx,0x2
00406D5F  |. |E8 82A8FFFF   |call 飘零网络.004015E6
00406D64  |. |83C4 08       |add esp,0x8
00406D67  |. |8945 CC       |mov [local.13],eax
00406D6A  |. |8B5D D4       |mov ebx,[local.11]
00406D6D  |. |85DB          |test ebx,ebx
00406D6F  |. |74 09         |je short 飘零网络.00406D7A
00406D71  |. |53            |push ebx
00406D72  |. |E8 BD190100   |call 飘零网络.00418734
00406D77  |. |83C4 04       |add esp,0x4
00406D7A  |> |8B5D D0       |mov ebx,[local.12]
00406D7D  |. |85DB          |test ebx,ebx
00406D7F  |. |74 09         |je short 飘零网络.00406D8A
00406D81  |. |53            |push ebx
00406D82  |. |E8 AD190100   |call 飘零网络.00418734
00406D87  |. |83C4 04       |add esp,0x4
00406D8A  |> |8B45 CC       |mov eax,[local.13]
00406D8D  |. |50            |push eax
00406D8E  |. |FF75 D8       |push [local.10]
00406D91  |. |E8 CCA2FFFF   |call 飘零网络.00401062
00406D96  |. |83C4 08       |add esp,0x8
00406D99  |. |83F8 00       |cmp eax,0x0
00406D9C  |. |B8 00000000   |mov eax,0x0
00406DA1  |. |0f95c0        |setne al
00406DA4  |. |8945 C8       |mov [local.14],eax
00406DA7  |. |8B5D D8       |mov ebx,[local.10]
00406DAA  |. |85DB          |test ebx,ebx
00406DAC  |. |74 09         |je short 飘零网络.00406DB7
00406DAE  |. |53            |push ebx
00406DAF  |. |E8 80190100   |call 飘零网络.00418734
00406DB4  |. |83C4 04       |add esp,0x4
00406DB7  |> |8B5D CC       |mov ebx,[local.13]
00406DBA  |. |85DB          |test ebx,ebx
00406DBC  |. |74 09         |je short 飘零网络.00406DC7
00406DBE  |. |53            |push ebx
00406DBF  |. |E8 70190100   |call 飘零网络.00418734
00406DC4  |. |83C4 04       |add esp,0x4
00406DC7  |> |837D C8 00    |cmp [local.14],0x0
00406DCB  |. |0F84 BB000000 |je 飘零网络.00406E8C
00406DD1  |. |68 01010080   |push 0x80000101
00406DD6  |. |6A 00         |push 0x0
00406DD8  |. |68 30000000   |push 0x30
00406DDD  |. |68 01000000   |push 0x1
00406DE2  |. |BB 708E4100   |mov ebx,飘零网络.00418E70
00406DE7  |. |E8 4E190100   |call 飘零网络.0041873A
00406DEC  |. |83C4 10       |add esp,0x10
00406DEF  |. |8945 D8       |mov [local.10],eax
00406DF2  |. |68 01010080   |push 0x80000101
00406DF7  |. |6A 00         |push 0x0
00406DF9  |. |68 78000000   |push 0x78
00406DFE  |. |68 01000000   |push 0x1
00406E03  |. |BB 708E4100   |mov ebx,飘零网络.00418E70
00406E08  |. |E8 2D190100   |call 飘零网络.0041873A
00406E0D  |. |83C4 10       |add esp,0x10
00406E10  |. |8945 D4       |mov [local.11],eax
00406E13  |. |FF75 EC       |push [local.5]
00406E16  |. |FF75 D4       |push [local.11]
00406E19  |. |FF75 D8       |push [local.10]
00406E1C  |. |B9 03000000   |mov ecx,0x3
00406E21  |. |E8 C0A7FFFF   |call 飘零网络.004015E6
00406E26  |. |83C4 0C       |add esp,0xC
00406E29  |. |8945 D0       |mov [local.12],eax
00406E2C  |. |8B5D D8       |mov ebx,[local.10]
00406E2F  |. |85DB          |test ebx,ebx
00406E31  |. |74 09         |je short 飘零网络.00406E3C
00406E33  |. |53            |push ebx
00406E34  |. |E8 FB180100   |call 飘零网络.00418734
00406E39  |. |83C4 04       |add esp,0x4
00406E3C  |> |8B5D D4       |mov ebx,[local.11]
00406E3F  |. |85DB          |test ebx,ebx
00406E41  |. |74 09         |je short 飘零网络.00406E4C
00406E43  |. |53            |push ebx
00406E44  |. |E8 EB180100   |call 飘零网络.00418734
00406E49  |. |83C4 04       |add esp,0x4
00406E4C  |> |8965 CC       |mov [local.13],esp
00406E4F  |. |8D45 E8       |lea eax,[local.6]
00406E52  |. |50            |push eax
00406E53  |. |68 01000000   |push 0x1
00406E58  |. |FF75 D0       |push [local.12]
00406E5B  |. |B8 06000000   |mov eax,0x6
00406E60  |. |E8 FF180100   |call 飘零网络.00418764
00406E65  |. |3965 CC       |cmp [local.13],esp
00406E68  |. |74 0D         |je short 飘零网络.00406E77
00406E6A  |. |68 06000000   |push 0x6
00406E6F  |. |E8 EA180100   |call 飘零网络.0041875E
00406E74  |. |83C4 04       |add esp,0x4
00406E77  |> |8B5D D0       |mov ebx,[local.12]
00406E7A  |. |85DB          |test ebx,ebx
00406E7C  |. |74 09         |je short 飘零网络.00406E87
00406E7E  |. |53            |push ebx
00406E7F  |. |E8 B0180100   |call 飘零网络.00418734
00406E84  |. |83C4 04       |add esp,0x4
00406E87  |> |E9 2B000000   |jmp 飘零网络.00406EB7
00406E8C  |> |8965 D8       |mov [local.10],esp
00406E8F  |. |8D45 E8       |lea eax,[local.6]
00406E92  |. |50            |push eax
00406E93  |. |68 01000000   |push 0x1
00406E98  |. |FF75 EC       |push [local.5]
00406E9B  |. |B8 06000000   |mov eax,0x6
00406EA0  |. |E8 BF180100   |call 飘零网络.00418764
00406EA5  |. |3965 D8       |cmp [local.10],esp
00406EA8  |. |74 0D         |je short 飘零网络.00406EB7
00406EAA  |. |68 06000000   |push 0x6
00406EAF  |. |E8 AA180100   |call 飘零网络.0041875E
00406EB4  |. |83C4 04       |add esp,0x4
00406EB7  |> |68 01030080   |push 0x80000301
00406EBC  |. |6A 00         |push 0x0
00406EBE  |. |FF75 F0       |push [local.4]
00406EC1  |. |68 01030080   |push 0x80000301
00406EC6  |. |6A 00         |push 0x0
00406EC8  |. |FF75 E8       |push [local.6]
00406ECB  |. |68 02000000   |push 0x2
00406ED0  |. |BB 708A4100   |mov ebx,飘零网络.00418A70
00406ED5  |. |E8 60180100   |call 飘零网络.0041873A
00406EDA  |. |83C4 1C       |add esp,0x1C
00406EDD  |. |68 01030080   |push 0x80000301
00406EE2  |. |6A 00         |push 0x0
00406EE4  |. |50            |push eax
00406EE5  |. |68 01000000   |push 0x1
00406EEA  |. |BB 80934100   |mov ebx,飘零网络.00419380
00406EEF  |. |E8 46180100   |call 飘零网络.0041873A
00406EF4  |. |83C4 10       |add esp,0x10
00406EF7  |. |68 01020080   |push 0x80000201
00406EFC  |. |6A 00         |push 0x0
00406EFE  |. |50            |push eax
00406EFF  |. |68 01000000   |push 0x1
00406F04  |. |BB D0994100   |mov ebx,飘零网络.004199D0
00406F09  |. |E8 2C180100   |call 飘零网络.0041873A
00406F0E  |. |83C4 10       |add esp,0x10
00406F11  |. |8945 D0       |mov [local.12],eax
00406F14  |. |8B45 D0       |mov eax,[local.12]
00406F17  |. |50            |push eax
00406F18  |. |8B5D E4       |mov ebx,[local.7]
00406F1B  |. |85DB          |test ebx,ebx
00406F1D  |. |74 09         |je short 飘零网络.00406F28
00406F1F  |. |53            |push ebx
00406F20  |. |E8 0F180100   |call 飘零网络.00418734
00406F25  |. |83C4 04       |add esp,0x4
00406F28  |> |58            |pop eax                                 ;  0012F894
00406F29  |. |8945 E4       |mov [local.7],eax
00406F2C  |. |8B5D E4       |mov ebx,[local.7]
00406F2F  |. |E8 BDB6FFFF   |call 飘零网络.004025F1
00406F34  |. |B8 01000000   |mov eax,0x1
00406F39  |. |3BC1          |cmp eax,ecx
00406F3B  |. |7C 0D         |jl short 飘零网络.00406F4A
00406F3D  |. |68 01000000   |push 0x1
00406F42  |. |E8 17180100   |call 飘零网络.0041875E
00406F47  |. |83C4 04       |add esp,0x4
00406F4A  |> |03D8          |add ebx,eax
00406F4C  |. |895D D8       |mov [local.10],ebx
00406F4F  |. |68 01010080   |push 0x80000101
00406F54  |. |6A 00         |push 0x0
00406F56  |. |8B5D D8       |mov ebx,[local.10]
00406F59  |. |8A03          |mov al,byte ptr ds:[ebx]
00406F5B  |. |50            |push eax
00406F5C  |. |68 01000000   |push 0x1
00406F61  |. |BB A0944100   |mov ebx,飘零网络.004194A0
00406F66  |. |E8 CF170100   |call 飘零网络.0041873A
00406F6B  |. |83C4 10       |add esp,0x10
00406F6E  |. |8945 D0       |mov [local.12],eax
00406F71  |. |837D D0 00    |cmp [local.12],0x0
00406F75  |. |0F85 46000000 |jnz 飘零网络.00406FC1
00406F7B  |. |68 05000080   |push 0x80000005
00406F80  |. |6A 00         |push 0x0
00406F82  |. |8B45 E4       |mov eax,[local.7]
00406F85  |. |85C0          |test eax,eax
00406F87  |. |75 05         |jnz short 飘零网络.00406F8E
00406F89  |. |B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
00406F8E  |> |50            |push eax
00406F8F  |. |68 01000000   |push 0x1
00406F94  |. |BB 909F4100   |mov ebx,飘零网络.00419F90
00406F99  |. |E8 9C170100   |call 飘零网络.0041873A
00406F9E  |. |83C4 10       |add esp,0x10
00406FA1  |. |8945 D8       |mov [local.10],eax
00406FA4  |. |8B45 D8       |mov eax,[local.10]
00406FA7  |. |50            |push eax
00406FA8  |. |8B5D E0       |mov ebx,[local.8]
00406FAB  |. |85DB          |test ebx,ebx
00406FAD  |. |74 09         |je short 飘零网络.00406FB8
00406FAF  |. |53            |push ebx
00406FB0  |. |E8 7F170100   |call 飘零网络.00418734
00406FB5  |. |83C4 04       |add esp,0x4
00406FB8  |> |58            |pop eax                                 ;  0012F894
00406FB9  |. |8945 E0       |mov [local.8],eax
00406FBC  |. |E9 F1000000   |jmp 飘零网络.004070B2
00406FC1  |> |68 01030080   |push 0x80000301
00406FC6  |. |6A 00         |push 0x0
00406FC8  |. |68 01000000   |push 0x1
00406FCD  |. |68 05000080   |push 0x80000005
00406FD2  |. |6A 00         |push 0x0
00406FD4  |. |8B45 E4       |mov eax,[local.7]
00406FD7  |. |85C0          |test eax,eax
00406FD9  |. |75 05         |jnz short 飘零网络.00406FE0
00406FDB  |. |B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
00406FE0  |> |50            |push eax
00406FE1  |. |68 02000000   |push 0x2
00406FE6  |. |BB 109B4100   |mov ebx,飘零网络.00419B10
00406FEB  |. |E8 4A170100   |call 飘零网络.0041873A
00406FF0  |. |83C4 1C       |add esp,0x1C
00406FF3  |. |8945 D8       |mov [local.10],eax
00406FF6  |. |68 01030080   |push 0x80000301
00406FFB  |. |6A 00         |push 0x0
00406FFD  |. |68 01000000   |push 0x1
00407002  |. |68 05000080   |push 0x80000005
00407007  |. |6A 00         |push 0x0
00407009  |. |8B45 E4       |mov eax,[local.7]
0040700C  |. |85C0          |test eax,eax
0040700E  |. |75 05         |jnz short 飘零网络.00407015
00407010  |. |B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
00407015  |> |50            |push eax
00407016  |. |68 02000000   |push 0x2
0040701B  |. |BB D09A4100   |mov ebx,飘零网络.00419AD0
00407020  |. |E8 15170100   |call 飘零网络.0041873A
00407025  |. |83C4 1C       |add esp,0x1C
00407028  |. |8945 D4       |mov [local.11],eax
0040702B  |. |FF75 D4       |push [local.11]
0040702E  |. |FF75 D8       |push [local.10]
00407031  |. |B9 02000000   |mov ecx,0x2
00407036  |. |E8 F3F9FFFF   |call 飘零网络.00406A2E
0040703B  |. |83C4 08       |add esp,0x8
0040703E  |. |8945 D0       |mov [local.12],eax
00407041  |. |8B5D D8       |mov ebx,[local.10]
00407044  |. |85DB          |test ebx,ebx
00407046  |. |74 09         |je short 飘零网络.00407051
00407048  |. |53            |push ebx
00407049  |. |E8 E6160100   |call 飘零网络.00418734
0040704E  |. |83C4 04       |add esp,0x4
00407051  |> |8B5D D4       |mov ebx,[local.11]
00407054  |. |85DB          |test ebx,ebx
00407056  |. |74 09         |je short 飘零网络.00407061
00407058  |. |53            |push ebx
00407059  |. |E8 D6160100   |call 飘零网络.00418734
0040705E  |. |83C4 04       |add esp,0x4
00407061  |> |68 05000080   |push 0x80000005
00407066  |. |6A 00         |push 0x0
00407068  |. |8B45 D0       |mov eax,[local.12]
0040706B  |. |85C0          |test eax,eax
0040706D  |. |75 05         |jnz short 飘零网络.00407074
0040706F  |. |B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
00407074  |> |50            |push eax
00407075  |. |68 01000000   |push 0x1
0040707A  |. |BB 909F4100   |mov ebx,飘零网络.00419F90
0040707F  |. |E8 B6160100   |call 飘零网络.0041873A
00407084  |. |83C4 10       |add esp,0x10
00407087  |. |8945 CC       |mov [local.13],eax
0040708A  |. |8B5D D0       |mov ebx,[local.12]
0040708D  |. |85DB          |test ebx,ebx
0040708F  |. |74 09         |je short 飘零网络.0040709A
00407091  |. |53            |push ebx
00407092  |. |E8 9D160100   |call 飘零网络.00418734
00407097  |. |83C4 04       |add esp,0x4
0040709A  |> |8B45 CC       |mov eax,[local.13]
0040709D  |. |50            |push eax
0040709E  |. |8B5D E0       |mov ebx,[local.8]
004070A1  |. |85DB          |test ebx,ebx
004070A3  |. |74 09         |je short 飘零网络.004070AE
004070A5  |. |53            |push ebx
004070A6  |. |E8 89160100   |call 飘零网络.00418734
004070AB  |. |83C4 04       |add esp,0x4
004070AE  |> |58            |pop eax                                 ;  0012F894
004070AF  |. |8945 E0       |mov [local.8],eax
004070B2  |> |FF75 E0       |push [local.8]
004070B5  |. |FF75 DC       |push [local.9]
004070B8  |. |B9 02000000   |mov ecx,0x2
004070BD  |. |E8 24A5FFFF   |call 飘零网络.004015E6
004070C2  |. |83C4 08       |add esp,0x8
004070C5  |. |8945 D8       |mov [local.10],eax
004070C8  |. |8B45 D8       |mov eax,[local.10]
004070CB  |. |50            |push eax
004070CC  |. |8B5D DC       |mov ebx,[local.9]
004070CF  |. |85DB          |test ebx,ebx
004070D1  |. |74 09         |je short 飘零网络.004070DC
004070D3  |. |53            |push ebx
004070D4  |. |E8 5B160100   |call 飘零网络.00418734
004070D9  |. |83C4 04       |add esp,0x4
004070DC  |> |58            |pop eax                                 ;  0012F894
004070DD  |. |8945 DC       |mov [local.9],eax
004070E0  |. |68 05000080   |push 0x80000005
004070E5  |. |6A 00         |push 0x0
004070E7  |. |8B45 F8       |mov eax,[local.2]
004070EA  |. |85C0          |test eax,eax
004070EC  |. |75 05         |jnz short 飘零网络.004070F3
004070EE  |. |B8 9A1A4A00   |mov eax,飘零网络.004A1A9A
004070F3  |> |50            |push eax
004070F4  |. |68 01000000   |push 0x1
004070F9  |. |BB 408C4100   |mov ebx,飘零网络.00418C40
004070FE  |. |E8 37160100   |call 飘零网络.0041873A
00407103  |. |83C4 10       |add esp,0x10
00407106  |. |3945 FC       |cmp [local.1],eax
00407109  |. |0F8D 08000000 |jge 飘零网络.00407117
0040710F  |. |FF45 FC       |inc [local.1]
00407112  |. |E9 07000000   |jmp 飘零网络.0040711E
00407117  |> |C745 FC 01000>|mov [local.1],0x1
0040711E  |> |5B            |pop ebx                                 ;  0012F894
0040711F  |. |59            |pop ecx                                 ;  0012F894
00407120  |. |5A            |pop edx                                 ;  0012F894
00407121  |. |83C1 04       |add ecx,0x4
00407124  |.^\E9 C4FAFFFF   \jmp 飘零网络.00406BED

QQ截图20160725220428.png

I won't look further into decrypting the packets: since the encryption algorithm has already been found, decryption is certainly not a problem. The screenshot above compares my own decryption with the program's, proving the decryption was written correctly!
Next, the analysis of the static data decryption:
[Asm]
0040DFE3  |> /41            /inc ecx
0040DFE4  |. |51            |push ecx
0040DFE5  |. |53            |push ebx                                ;  create 256 zeros
0040DFE6  |. |890B          |mov dword ptr ds:[ebx],ecx
0040DFE8  |. |81F9 00010000 |cmp ecx,0x100
0040DFEE  |. |0F8F FF000000 |jg 飘零网络.0040E0F3
0040DFF4  |. |68 04000080   |push 0x80000004
0040DFF9  |. |6A 00         |push 0x0
0040DFFB  |. |8B5D 0C       |mov ebx,[arg.2]
0040DFFE  |. |8B03          |mov eax,dword ptr ds:[ebx]
0040E000  |. |85C0          |test eax,eax
0040E002  |. |75 05         |jnz short 飘零网络.0040E009
0040E004  |. |B8 FC134A00   |mov eax,飘零网络.004A13FC
0040E009  |> |50            |push eax
0040E00A  |. |68 01000000   |push 0x1
0040E00F  |. |BB 208C4100   |mov ebx,飘零网络.00418C20
0040E014  |. |E8 21A70000   |call 飘零网络.0041873A
0040E019  |. |83C4 10       |add esp,0x10
0040E01C  |. |3945 EC       |cmp [local.5],eax
0040E01F  |. |0F8E 07000000 |jle 飘零网络.0040E02C
0040E025  |. |C745 EC 01000>|mov [local.5],0x1
0040E02C  |> |8B5D E8       |mov ebx,[local.6]
0040E02F  |. |E8 BD45FFFF   |call 飘零网络.004025F1
0040E034  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E035  |. |51            |push ecx
0040E036  |. |8B45 F4       |mov eax,[local.3]
0040E039  |. |48            |dec eax
0040E03A  |. |79 0D         |jns short 飘零网络.0040E049
0040E03C  |. |68 04000000   |push 0x4
0040E041  |. |E8 18A70000   |call 飘零网络.0041875E
0040E046  |. |83C4 04       |add esp,0x4
0040E049  |> |59            |pop ecx
0040E04A  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E04B  |. |3BC1          |cmp eax,ecx
0040E04D  |. |7C 0D         |jl short 飘零网络.0040E05C
0040E04F  |. |68 01000000   |push 0x1
0040E054  |. |E8 05A70000   |call 飘零网络.0041875E
0040E059  |. |83C4 04       |add esp,0x4
0040E05C  |> |03D8          |add ebx,eax
0040E05E  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E061  |. |68 01030080   |push 0x80000301
0040E066  |. |6A 00         |push 0x0
0040E068  |. |68 01000000   |push 0x1
0040E06D  |. |68 01030080   |push 0x80000301
0040E072  |. |6A 00         |push 0x0
0040E074  |. |FF75 EC       |push [local.5]
0040E077  |. |68 04000080   |push 0x80000004
0040E07C  |. |6A 00         |push 0x0
0040E07E  |. |8B5D 0C       |mov ebx,[arg.2]
0040E081  |. |8B03          |mov eax,dword ptr ds:[ebx]
0040E083  |. |85C0          |test eax,eax
0040E085  |. |75 05         |jnz short 飘零网络.0040E08C
0040E087  |. |B8 FC134A00   |mov eax,飘零网络.004A13FC
0040E08C  |> |50            |push eax
0040E08D  |. |68 03000000   |push 0x3
0040E092  |. |BB 108E4100   |mov ebx,飘零网络.00418E10
0040E097  |. |E8 9EA60000   |call 飘零网络.0041873A
0040E09C  |. |83C4 28       |add esp,0x28
0040E09F  |. |8945 CC       |mov [local.13],eax
0040E0A2  |. |6A 00         |push 0x0
0040E0A4  |. |6A 00         |push 0x0
0040E0A6  |. |6A 00         |push 0x0
0040E0A8  |. |68 04000080   |push 0x80000004
0040E0AD  |. |6A 00         |push 0x0
0040E0AF  |. |8B45 CC       |mov eax,[local.13]
0040E0B2  |. |85C0          |test eax,eax
0040E0B4  |. |75 05         |jnz short 飘零网络.0040E0BB
0040E0B6  |. |B8 FC134A00   |mov eax,飘零网络.004A13FC
0040E0BB  |> |50            |push eax
0040E0BC  |. |68 02000000   |push 0x2
0040E0C1  |. |BB A08E4100   |mov ebx,飘零网络.00418EA0
0040E0C6  |. |E8 6FA60000   |call 飘零网络.0041873A
0040E0CB  |. |83C4 1C       |add esp,0x1C
0040E0CE  |. |8945 C8       |mov [local.14],eax
0040E0D1  |. |8B5D CC       |mov ebx,[local.13]
0040E0D4  |. |85DB          |test ebx,ebx                            ;  飘零网络.00418A70
0040E0D6  |. |74 09         |je short 飘零网络.0040E0E1
0040E0D8  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E0D9  |. |E8 56A60000   |call 飘零网络.00418734
0040E0DE  |. |83C4 04       |add esp,0x4
0040E0E1  |> |8B45 C8       |mov eax,[local.14]
0040E0E4  |. |8B5D D0       |mov ebx,[local.12]
0040E0E7  |. |8803          |mov byte ptr ds:[ebx],al
0040E0E9  |. |FF45 EC       |inc [local.5]
0040E0EC  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E0ED  |. |59            |pop ecx
0040E0EE  |.^\E9 F0FEFFFF   \jmp 飘零网络.0040DFE3

This section creates 256 empty slots, reserving room for the decryption table that follows.


0040E104  |> /41            /inc ecx
0040E105  |. |51            |push ecx
0040E106  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E107  |. |890B          |mov dword ptr ds:[ebx],ecx              ;  overwrite the previous [ebx]
0040E109  |. |81F9 00010000 |cmp ecx,0x100
0040E10F  |. |0F8F E0010000 |jg 飘零网络.0040E2F5
0040E115  |. |8B5D F0       |mov ebx,[local.4]                       ;  point back at the 0-FF data, noted as addr 00387408
0040E118  |. |E8 D444FFFF   |call 飘零网络.004025F1                      ;  0-FF is 256 entries in all, hence hex 100; addr+8
0040E11D  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E11E  |. |51            |push ecx
0040E11F  |. |8B45 F4       |mov eax,[local.3]                       ;  initialised to 1 here, noted as U
0040E122  |. |48            |dec eax                                 ;  U-1
0040E123  |. |79 0D         |jns short 飘零网络.0040E132
0040E125  |. |68 04000000   |push 0x4
0040E12A  |. |E8 2FA60000   |call 飘零网络.0041875E
0040E12F  |. |83C4 04       |add esp,0x4
0040E132  |> |59            |pop ecx
0040E133  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E134  |. |3BC1          |cmp eax,ecx
0040E136  |. |7C 0D         |jl short 飘零网络.0040E145
0040E138  |. |68 01000000   |push 0x1
0040E13D  |. |E8 1CA60000   |call 飘零网络.0041875E
0040E142  |. |83C4 04       |add esp,0x4
0040E145  |> |03D8          |add ebx,eax                             ;  U-1 + address of the 256 entries (addr+8), noted as D
0040E147  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E14A  |. |8B5D E8       |mov ebx,[local.6]                       ;  00388588
0040E14D  |. |E8 9F44FFFF   |call 飘零网络.004025F1
0040E152  |. |53            |push ebx                                ;  00388588+8=00388590
0040E153  |. |51            |push ecx
0040E154  |. |8B45 F4       |mov eax,[local.3]                       ;  U
0040E157  |. |48            |dec eax                                 ;  U-1
0040E158  |. |79 0D         |jns short 飘零网络.0040E167
0040E15A  |. |68 04000000   |push 0x4
0040E15F  |. |E8 FAA50000   |call 飘零网络.0041875E
0040E164  |. |83C4 04       |add esp,0x4
0040E167  |> |59            |pop ecx
0040E168  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E169  |. |3BC1          |cmp eax,ecx
0040E16B  |. |7C 0D         |jl short 飘零网络.0040E17A
0040E16D  |. |68 01000000   |push 0x1
0040E172  |. |E8 E7A50000   |call 飘零网络.0041875E
0040E177  |. |83C4 04       |add esp,0x4
0040E17A  |> |03D8          |add ebx,eax                             ;  U-1+00388590, noted as Z
0040E17C  |. |895D CC       |mov [local.13],ebx                      ;  飘零网络.00418A70
0040E17F  |. |DB45 EC       |fild [local.5]                          ;  noted as Y here, initialised to 0
0040E182  |. |DD5D C4       |fstp qword ptr ss:[ebp-0x3C]
0040E185  |. |DD45 C4       |fld qword ptr ss:[ebp-0x3C]
0040E188  |. |8B5D D0       |mov ebx,[local.12]                      ;  fetch the data at D, noted as f
0040E18B  |. |8A03          |mov al,byte ptr ds:[ebx]
0040E18D  |. |25 FF000000   |and eax,0xFF                            ;  and f,0xff, noted as W
0040E192  |. |8945 BC       |mov [local.17],eax                      ;  W
0040E195  |. |DB45 BC       |fild [local.17]
0040E198  |. |DD5D BC       |fstp qword ptr ss:[ebp-0x44]
0040E19B  |. |DC45 BC       |fadd qword ptr ss:[ebp-0x44]            ;  Y+W
0040E19E  |. |8B5D CC       |mov ebx,[local.13]                      ;  points at Z, whose contents are all 0
0040E1A1  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  all zeros here
0040E1A3  |. |25 FF000000   |and eax,0xFF
0040E1A8  |. |8945 B4       |mov [local.19],eax
0040E1AB  |. |DB45 B4       |fild [local.19]
0040E1AE  |. |DD5D B4       |fstp qword ptr ss:[ebp-0x4C]
0040E1B1  |. |DC45 B4       |fadd qword ptr ss:[ebp-0x4C]            ;  Y+W +0
0040E1B4  |. |DD5D AC       |fstp qword ptr ss:[ebp-0x54]
0040E1B7  |. |68 01060080   |push 0x80000601
0040E1BC  |. |68 00007040   |push 0x40700000
0040E1C1  |. |68 00000000   |push 0x0
0040E1C6  |. |68 01060080   |push 0x80000601
0040E1CB  |. |FF75 B0       |push [local.20]                         ;  40000000
0040E1CE  |. |FF75 AC       |push [local.21]                         ;  0
0040E1D1  |. |68 02000000   |push 0x2
0040E1D6  |. |BB 50894100   |mov ebx,飘零网络.00418950
0040E1DB  |. |E8 5AA50000   |call 飘零网络.0041873A
0040E1E0  |. |83C4 1C       |add esp,0x1C
0040E1E3  |. |8945 A4       |mov [local.23],eax
0040E1E6  |. |8955 A8       |mov [local.22],edx                      ;  40000000
0040E1E9  |. |DD45 A4       |fld qword ptr ss:[ebp-0x5C]             ;  Y+W
0040E1EC  |. |DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  Y+W+1
0040E1F2  |. |DD5D 9C       |fstp qword ptr ss:[ebp-0x64]
0040E1F5  |. |DD45 9C       |fld qword ptr ss:[ebp-0x64]
0040E1F8  |. |E8 2043FFFF   |call 飘零网络.0040251D                      ;  convert to hex
0040E1FD  |. |8945 EC       |mov [local.5],eax                       ;  Y+W+1
0040E200  |. |8B5D F0       |mov ebx,[local.4]                       ;  point back at the 0-FF data, 00387408
0040E203  |. |E8 E943FFFF   |call 飘零网络.004025F1                      ;  00387408+8=00387410
0040E208  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E209  |. |51            |push ecx
0040E20A  |. |8B45 F4       |mov eax,[local.3]                       ;  U
0040E20D  |. |48            |dec eax                                 ;  U-1
0040E20E  |. |79 0D         |jns short 飘零网络.0040E21D
0040E210  |. |68 04000000   |push 0x4
0040E215  |. |E8 44A50000   |call 飘零网络.0041875E
0040E21A  |. |83C4 04       |add esp,0x4
0040E21D  |> |59            |pop ecx
0040E21E  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E21F  |. |3BC1          |cmp eax,ecx
0040E221  |. |7C 0D         |jl short 飘零网络.0040E230
0040E223  |. |68 01000000   |push 0x1
0040E228  |. |E8 31A50000   |call 飘零网络.0041875E
0040E22D  |. |83C4 04       |add esp,0x4
0040E230  |> |03D8          |add ebx,eax                             ;  U-1+00387410
0040E232  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E235  |. |8B5D D0       |mov ebx,[local.12]
0040E238  |. |8A03          |mov al,byte ptr ds:[ebx]
0040E23A  |. |8845 E4       |mov byte ptr ss:[ebp-0x1C],al           ;  this is the eax value read from local.7 below, noted as T
0040E23D  |. |8B5D F0       |mov ebx,[local.4]                       ;  points at 00387408
0040E240  |. |E8 AC43FFFF   |call 飘零网络.004025F1                      ;  00387408+8-00387410
0040E245  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E246  |. |51            |push ecx
0040E247  |. |8B45 F4       |mov eax,[local.3]                       ;  U
0040E24A  |. |48            |dec eax                                 ;  U-1
0040E24B  |. |79 0D         |jns short 飘零网络.0040E25A
0040E24D  |. |68 04000000   |push 0x4
0040E252  |. |E8 07A50000   |call 飘零网络.0041875E
0040E257  |. |83C4 04       |add esp,0x4
0040E25A  |> |59            |pop ecx
0040E25B  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E25C  |. |3BC1          |cmp eax,ecx
0040E25E  |. |7C 0D         |jl short 飘零网络.0040E26D
0040E260  |. |68 01000000   |push 0x1
0040E265  |. |E8 F4A40000   |call 飘零网络.0041875E
0040E26A  |. |83C4 04       |add esp,0x4
0040E26D  |> |03D8          |add ebx,eax                             ;  U-1+00387410=addr1
0040E26F  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E272  |. |8B5D F0       |mov ebx,[local.4]                       ;  point back at the 0-FF data, base: 00387408
0040E275  |. |E8 7743FFFF   |call 飘零网络.004025F1                      ;  addr1+8=00387410
0040E27A  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E27B  |. |51            |push ecx
0040E27C  |. |8B45 EC       |mov eax,[local.5]                       ;  Y+W+1
0040E27F  |. |48            |dec eax                                 ;  Y+W+1-1
0040E280  |. |79 0D         |jns short 飘零网络.0040E28F
0040E282  |. |68 04000000   |push 0x4
0040E287  |. |E8 D2A40000   |call 飘零网络.0041875E
0040E28C  |. |83C4 04       |add esp,0x4
0040E28F  |> |59            |pop ecx
0040E290  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E291  |. |3BC1          |cmp eax,ecx
0040E293  |. |7C 0D         |jl short 飘零网络.0040E2A2
0040E295  |. |68 01000000   |push 0x1
0040E29A  |. |E8 BFA40000   |call 飘零网络.0041875E
0040E29F  |. |83C4 04       |add esp,0x4
0040E2A2  |> |03D8          |add ebx,eax                             ;  Y+W+1-1+00387410
0040E2A4  |. |895D CC       |mov [local.13],ebx                      ;  飘零网络.00418A70
0040E2A7  |. |8B5D CC       |mov ebx,[local.13]
0040E2AA  |. |8A03          |mov al,byte ptr ds:[ebx]
0040E2AC  |. |8B5D D0       |mov ebx,[local.12]                      ;  U-1+00387408
0040E2AF  |. |8803          |mov byte ptr ds:[ebx],al
0040E2B1  |. |8B5D F0       |mov ebx,[local.4]                       ;  point back at the 0-FF data, base: 00387408
0040E2B4  |. |E8 3843FFFF   |call 飘零网络.004025F1                      ;  00387408+8
0040E2B9  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E2BA  |. |51            |push ecx
0040E2BB  |. |8B45 EC       |mov eax,[local.5]                       ;  Y+W+1
0040E2BE  |. |48            |dec eax
0040E2BF  |. |79 0D         |jns short 飘零网络.0040E2CE
0040E2C1  |. |68 04000000   |push 0x4
0040E2C6  |. |E8 93A40000   |call 飘零网络.0041875E
0040E2CB  |. |83C4 04       |add esp,0x4
0040E2CE  |> |59            |pop ecx
0040E2CF  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E2D0  |. |3BC1          |cmp eax,ecx
0040E2D2  |. |7C 0D         |jl short 飘零网络.0040E2E1
0040E2D4  |. |68 01000000   |push 0x1
0040E2D9  |. |E8 80A40000   |call 飘零网络.0041875E
0040E2DE  |. |83C4 04       |add esp,0x4
0040E2E1  |> |03D8          |add ebx,eax                             ;  Y+W+1-1+00387410
0040E2E3  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E2E6  |. |8B45 E4       |mov eax,[local.7]                       ;  T
0040E2E9  |. |8B5D D0       |mov ebx,[local.12]
0040E2EC  |. |8803          |mov byte ptr ds:[ebx],al
0040E2EE  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E2EF  |. |59            |pop ecx
0040E2F0  |.^\E9 0FFEFFFF   \jmp 飘零网络.0040E104

I didn't analyse this section very well, so you can skip my comments here. It should be generating a decryption table. The important part is the analysis below, haha~
[Asm]
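As an added example (not from the original post and not 飘零's own code), here is the table-building procedure reconstructed from the two loops above, in Python. It follows my reading of the listing: the loop at 0040DFE3 walks the second argument cyclically (index local.5 is reset to 1 once it exceeds the string length) and stores each character's byte value into a 256-entry buffer, and the loop at 0040E104 then performs key-driven swaps on the 0-FF table modulo 256, keeping the +1 after each modulo exactly as the listing computes it; the names U, Y, W, D, Z and T match the comments. That structure has the shape of RC4's key-scheduling algorithm, so a standard RC4 key schedule and keystream are included for comparison. The library functions behind 00418C20, 00418E10, 00418EA0 and 00418950 are assumed to be string length, substring, character code and floating-point modulo; that assumption is mine, not something the post states.

```python
"""Reconstruction of the table-building loops as read from the listing
(key expansion at 0040DFE3, key-driven swaps at 0040E104), next to a
standard RC4 key schedule for comparison.  Added example: the library
calls are assumed (strlen / mid / asc / float mod), not confirmed."""


def expand_key(key: bytes, size: int = 256) -> list[int]:
    """Loop at 0040DFE3 as read: local.5 walks the key string cyclically
    (reset to 1 once it exceeds the string length) and the byte value of
    each character is stored into a 256-entry buffer (local.6).
    An empty key yields all zeros, matching the 'Z is all 0' note."""
    out = []
    pos = 1                                   # local.5, 1-based as in 易语言
    for _ in range(size):
        if pos > len(key):                    # cmp [local.5],strlen ; jle
            pos = 1                           # mov [local.5],0x1
        out.append(key[pos - 1] if key else 0)  # mid(str,pos,1) -> asc
        pos += 1                              # inc [local.5]
    return out


def table_as_listed(key: bytes) -> list[int]:
    """Loop at 0040E104 as read, with the listing's names:
    U = loop counter 1..256, D = &S[U-1], Z = &K[U-1],
    Y = ((Y + S[U-1] + K[U-1]) mod 256) + 1, then swap S[U-1] and S[Y-1]
    through the temporary T.  The +1 after the modulo is kept as shown."""
    S = list(range(256))                      # the 0-FF data local.4 points at
    K = expand_key(key)                       # local.6
    Y = 0                                     # local.5, initialised to 0
    for U in range(1, 257):
        W = S[U - 1] & 0xFF                   # and eax,0xFF
        Y = ((Y + W + K[U - 1]) % 256) + 1    # mod 256.0, then fadd 1
        T = S[U - 1]                          # byte ptr [ebp-0x1C]
        S[U - 1] = S[Y - 1]
        S[Y - 1] = T
    return S


def rc4_ksa(key: bytes) -> list[int]:
    """Standard RC4 key schedule (0-based indices), for comparison."""
    S = list(range(256))
    j = 0
    for i in range(256):
        k = key[i % len(key)] if key else 0
        j = (j + S[i] + k) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 output generator; the loop at 0040E317 starts the
    same way (index step, j step using the fetched table byte, swap)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def is_permutation(S: list[int]) -> bool:
    """Sanity check for a dumped table: every value 0..255 exactly once."""
    return sorted(S) == list(range(256))


def tables_agree(key: bytes) -> bool:
    """True when the schedule as read from the listing equals plain RC4."""
    return table_as_listed(key) == rc4_ksa(key)


if __name__ == "__main__":
    for k in (b"", b"Key"):
        print(k, "as listed == RC4 KSA:", tables_agree(k))
    print(rc4_keystream(b"Key", 4).hex())     # eb9f7781 (RC4 test vector)
```

If a table dumped from the program matches rc4_ksa, the static data is plain RC4 and any RC4 implementation will decrypt it; if it matches table_as_listed instead, the extra +1 after each modulo is the deviation to carry into a reimplementation. Either way, is_permutation is a quick check that a dumped 256-byte table is a complete permutation rather than a partially overwritten buffer.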
0040E317  |> /41            /inc ecx
0040E318  |. |51            |push ecx
0040E319  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E31A  |. |890B          |mov dword ptr ds:[ebx],ecx
0040E31C  |. |50            |push eax
0040E31D  |. |3BC8          |cmp ecx,eax                             ;  eax = number of bytes to decrypt
0040E31F  |. |0F8F 15040000 |jg 飘零网络.0040E73A
0040E325  |. |DB45 F4       |fild [local.3]                          ;  initialised to 0 here, noted as B
0040E328  |. |DD5D CC       |fstp qword ptr ss:[ebp-0x34]
0040E32B  |. |DD45 CC       |fld qword ptr ss:[ebp-0x34]
0040E32E  |. |DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  1+0, noted as A
0040E334  |. |DD5D C4       |fstp qword ptr ss:[ebp-0x3C]
0040E337  |. |68 01060080   |push 0x80000601
0040E33C  |. |68 00007040   |push 0x40700000
0040E341  |. |68 00000000   |push 0x0
0040E346  |. |68 01060080   |push 0x80000601
0040E34B  |. |FF75 C8       |push [local.14]
0040E34E  |. |FF75 C4       |push [local.15]
0040E351  |. |68 02000000   |push 0x2
0040E356  |. |BB 50894100   |mov ebx,飘零网络.00418950
0040E35B  |. |E8 DAA30000   |call 飘零网络.0041873A
0040E360  |. |83C4 1C       |add esp,0x1C
0040E363  |. |8945 BC       |mov [local.17],eax
0040E366  |. |8955 C0       |mov [local.16],edx
0040E369  |. |DD45 BC       |fld qword ptr ss:[ebp-0x44]
0040E36C  |. |DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  A+1 = B
0040E372  |. |DD5D B4       |fstp qword ptr ss:[ebp-0x4C]
0040E375  |. |DD45 B4       |fld qword ptr ss:[ebp-0x4C]
0040E378  |. |E8 A041FFFF   |call 飘零网络.0040251D                      ;  convert to hex
0040E37D  |. |8945 F4       |mov [local.3],eax                       ;  eax here is noted as B
0040E380  |. |8B5D F0       |mov ebx,[local.4]
0040E383  |. |E8 6942FFFF   |call 飘零网络.004025F1
0040E388  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E389  |. |51            |push ecx
0040E38A  |. |8B45 F4       |mov eax,[local.3]                       ;  B
0040E38D  |. |48            |dec eax                                 ;  B-1
0040E38E  |. |79 0D         |jns short 飘零网络.0040E39D
0040E390  |. |68 04000000   |push 0x4
0040E395  |. |E8 C4A30000   |call 飘零网络.0041875E
0040E39A  |. |83C4 04       |add esp,0x4
0040E39D  |> |59            |pop ecx
0040E39E  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E39F  |. |3BC1          |cmp eax,ecx
0040E3A1  |. |7C 0D         |jl short 飘零网络.0040E3B0
0040E3A3  |. |68 01000000   |push 0x1
0040E3A8  |. |E8 B1A30000   |call 飘零网络.0041875E
0040E3AD  |. |83C4 04       |add esp,0x4
0040E3B0  |> |03D8          |add ebx,eax                             ;  ebx = pointer to the decryption parameter table, ebx+B-1
0040E3B2  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E3B5  |. |DB45 EC       |fild [local.5]                          ;  0, noted as W here
0040E3B8  |. |DD5D C8       |fstp qword ptr ss:[ebp-0x38]
0040E3BB  |. |DD45 C8       |fld qword ptr ss:[ebp-0x38]
0040E3BE  |. |8B5D D0       |mov ebx,[local.12]
0040E3C1  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  02
0040E3C3  |. |25 FF000000   |and eax,0xFF
0040E3C8  |. |8945 C0       |mov [local.16],eax                      ;  the fetched byte, noted as Q
0040E3CB  |. |DB45 C0       |fild [local.16]
0040E3CE  |. |DD5D C0       |fstp qword ptr ss:[ebp-0x40]
0040E3D1  |. |DC45 C0       |fadd qword ptr ss:[ebp-0x40]            ;  Q+W =2
0040E3D4  |. |DD5D B8       |fstp qword ptr ss:[ebp-0x48]
0040E3D7  |. |68 01060080   |push 0x80000601
0040E3DC  |. |68 00007040   |push 0x40700000
0040E3E1  |. |68 00000000   |push 0x0
0040E3E6  |. |68 01060080   |push 0x80000601
0040E3EB  |. |FF75 BC       |push [local.17]
0040E3EE  |. |FF75 B8       |push [local.18]
0040E3F1  |. |68 02000000   |push 0x2
0040E3F6  |. |BB 50894100   |mov ebx,飘零网络.00418950
0040E3FB  |. |E8 3AA30000   |call 飘零网络.0041873A
0040E400  |. |83C4 1C       |add esp,0x1C
0040E403  |. |8945 B0       |mov [local.20],eax
0040E406  |. |8955 B4       |mov [local.19],edx
0040E409  |. |DD45 B0       |fld qword ptr ss:[ebp-0x50]
0040E40C  |. |DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  Q+W+1=3
0040E412  |. |DD5D A8       |fstp qword ptr ss:[ebp-0x58]
0040E415  |. |DD45 A8       |fld qword ptr ss:[ebp-0x58]
0040E418  |. |E8 0041FFFF   |call 飘零网络.0040251D
0040E41D  |. |8945 EC       |mov [local.5],eax                       ;  Q+W+1=3, stored in W
0040E420  |. |8B5D F0       |mov ebx,[local.4]
0040E423  |. |E8 C941FFFF   |call 飘零网络.004025F1
0040E428  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E429  |. |51            |push ecx
0040E42A  |. |8B45 F4       |mov eax,[local.3]                       ;  B=2
0040E42D  |. |48            |dec eax                                 ;  2-1
0040E42E  |. |79 0D         |jns short 飘零网络.0040E43D
0040E430  |. |68 04000000   |push 0x4
0040E435  |. |E8 24A30000   |call 飘零网络.0041875E
0040E43A  |. |83C4 04       |add esp,0x4
0040E43D  |> |59            |pop ecx
0040E43E  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E43F  |. |3BC1          |cmp eax,ecx
0040E441  |. |7C 0D         |jl short 飘零网络.0040E450
0040E443  |. |68 01000000   |push 0x1
0040E448  |. |E8 11A30000   |call 飘零网络.0041875E
0040E44D  |. |83C4 04       |add esp,0x4
0040E450  |> |03D8          |add ebx,eax                             ;  B-1 + pointer to the decryption table
0040E452  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E455  |. |8B5D D0       |mov ebx,[local.12]
0040E458  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  fetch 02, noted as Z
0040E45A  |. |8845 E4       |mov byte ptr ss:[ebp-0x1C],al           ;  Z overwrites local5
0040E45D  |. |8B5D F0       |mov ebx,[local.4]
0040E460  |. |E8 8C41FFFF   |call 飘零网络.004025F1
0040E465  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E466  |. |51            |push ecx
0040E467  |. |8B45 F4       |mov eax,[local.3]                       ;  B
0040E46A  |. |48            |dec eax                                 ;  B-1
0040E46B  |. |79 0D         |jns short 飘零网络.0040E47A
0040E46D  |. |68 04000000   |push 0x4
0040E472  |. |E8 E7A20000   |call 飘零网络.0041875E
0040E477  |. |83C4 04       |add esp,0x4
0040E47A  |> |59            |pop ecx
0040E47B  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E47C  |. |3BC1          |cmp eax,ecx
0040E47E  |. |7C 0D         |jl short 飘零网络.0040E48D
0040E480  |. |68 01000000   |push 0x1
0040E485  |. |E8 D4A20000   |call 飘零网络.0041875E
0040E48A  |. |83C4 04       |add esp,0x4
0040E48D  |> |03D8          |add ebx,eax                             ;  B-1 + decryption table pointer
0040E48F  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E492  |. |8B5D F0       |mov ebx,[local.4]
0040E495  |. |E8 5741FFFF   |call 飘零网络.004025F1
0040E49A  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E49B  |. |51            |push ecx
0040E49C  |. |8B45 EC       |mov eax,[local.5]                       ;  W
0040E49F  |. |48            |dec eax                                 ;  W-1
0040E4A0  |. |79 0D         |jns short 飘零网络.0040E4AF
0040E4A2  |. |68 04000000   |push 0x4
0040E4A7  |. |E8 B2A20000   |call 飘零网络.0041875E
0040E4AC  |. |83C4 04       |add esp,0x4
0040E4AF  |> |59            |pop ecx
0040E4B0  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E4B1  |. |3BC1          |cmp eax,ecx
0040E4B3  |. |7C 0D         |jl short 飘零网络.0040E4C2
0040E4B5  |. |68 01000000   |push 0x1
0040E4BA  |. |E8 9FA20000   |call 飘零网络.0041875E
0040E4BF  |. |83C4 04       |add esp,0x4
0040E4C2  |> |03D8          |add ebx,eax                             ;  W-1 + decryption table pointer
0040E4C4  |. |895D CC       |mov [local.13],ebx                      ;  飘零网络.00418A70
0040E4C7  |. |8B5D CC       |mov ebx,[local.13]
0040E4CA  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  fetch 2A
0040E4CC  |. |8B5D D0       |mov ebx,[local.12]                      ;  B-1 + decryption table pointer
0040E4CF  |. |8803          |mov byte ptr ds:[ebx],al                ;  2A overwrites the 02 at B-1 + decryption table pointer
0040E4D1  |. |8B5D F0       |mov ebx,[local.4]
0040E4D4  |. |E8 1841FFFF   |call 飘零网络.004025F1
0040E4D9  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E4DA  |. |51            |push ecx
0040E4DB  |. |8B45 EC       |mov eax,[local.5]                       ;  W
0040E4DE  |. |48            |dec eax                                 ;  W-1
0040E4DF  |. |79 0D         |jns short 飘零网络.0040E4EE
0040E4E1  |. |68 04000000   |push 0x4
0040E4E6  |. |E8 73A20000   |call 飘零网络.0041875E
0040E4EB  |. |83C4 04       |add esp,0x4
0040E4EE  |> |59            |pop ecx
0040E4EF  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E4F0  |. |3BC1          |cmp eax,ecx
0040E4F2  |. |7C 0D         |jl short 飘零网络.0040E501
0040E4F4  |. |68 01000000   |push 0x1
0040E4F9  |. |E8 60A20000   |call 飘零网络.0041875E
0040E4FE  |. |83C4 04       |add esp,0x4
0040E501  |> |03D8          |add ebx,eax                             ;  W-1 + decryption table pointer
0040E503  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E506  |. |8B45 E4       |mov eax,[local.7]                       ;  Z
0040E509  |. |8B5D D0       |mov ebx,[local.12]
0040E50C  |. |8803          |mov byte ptr ds:[ebx],al                ;  Z overwrites the 2A that the decryption table pointer points to
0040E50E  |. |8B5D F0       |mov ebx,[local.4]
0040E511  |. |E8 DB40FFFF   |call 飘零网络.004025F1
0040E516  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E517  |. |51            |push ecx
0040E518  |. |8B45 F4       |mov eax,[local.3]                       ;  B
0040E51B  |. |48            |dec eax                                 ;  B-1
0040E51C  |. |79 0D         |jns short 飘零网络.0040E52B
0040E51E  |. |68 04000000   |push 0x4
0040E523  |. |E8 36A20000   |call 飘零网络.0041875E
0040E528  |. |83C4 04       |add esp,0x4
0040E52B  |> |59            |pop ecx
0040E52C  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E52D  |. |3BC1          |cmp eax,ecx
0040E52F  |. |7C 0D         |jl short 飘零网络.0040E53E
0040E531  |. |68 01000000   |push 0x1
0040E536  |. |E8 23A20000   |call 飘零网络.0041875E
0040E53B  |. |83C4 04       |add esp,0x4
0040E53E  |> |03D8          |add ebx,eax                             ;  B-1 + decryption table pointer
0040E540  |. |895D D0       |mov [local.12],ebx                      ;  call this K
0040E543  |. |8B5D F0       |mov ebx,[local.4]
0040E546  |. |E8 A640FFFF   |call 飘零网络.004025F1
0040E54B  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E54C  |. |51            |push ecx
0040E54D  |. |8B45 EC       |mov eax,[local.5]                       ;  W
0040E550  |. |48            |dec eax                                 ;  W-1
0040E551  |. |79 0D         |jns short 飘零网络.0040E560
0040E553  |. |68 04000000   |push 0x4
0040E558  |. |E8 01A20000   |call 飘零网络.0041875E
0040E55D  |. |83C4 04       |add esp,0x4
0040E560  |> |59            |pop ecx
0040E561  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E562  |. |3BC1          |cmp eax,ecx
0040E564  |. |7C 0D         |jl short 飘零网络.0040E573
0040E566  |. |68 01000000   |push 0x1
0040E56B  |. |E8 EEA10000   |call 飘零网络.0041875E
0040E570  |. |83C4 04       |add esp,0x4
0040E573  |> |03D8          |add ebx,eax                             ;  W-1 + decryption table pointer
0040E575  |. |895D CC       |mov [local.13],ebx                      ;  飘零网络.00418A70
0040E578  |. |68 01060080   |push 0x80000601
0040E57D  |. |68 00007040   |push 0x40700000
0040E582  |. |68 00000000   |push 0x0
0040E587  |. |8B5D CC       |mov ebx,[local.13]
0040E58A  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  fetch 02
0040E58C  |. |25 FF000000   |and eax,0xFF
0040E591  |. |8945 C4       |mov [local.15],eax                      ;  02 stored in W
0040E594  |. |DB45 C4       |fild [local.15]                         ;  W as floating point, used in the next calculation
0040E597  |. |DD5D C4       |fstp qword ptr ss:[ebp-0x3C]
0040E59A  |. |68 01060080   |push 0x80000601
0040E59F  |. |FF75 C8       |push [local.14]
0040E5A2  |. |FF75 C4       |push [local.15]
0040E5A5  |. |68 02000000   |push 0x2
0040E5AA  |. |BB 50894100   |mov ebx,飘零网络.00418950
0040E5AF  |. |E8 86A10000   |call 飘零网络.0041873A
0040E5B4  |. |83C4 1C       |add esp,0x1C
0040E5B7  |. |8945 BC       |mov [local.17],eax
0040E5BA  |. |8955 C0       |mov [local.16],edx
0040E5BD  |. |8B5D D0       |mov ebx,[local.12]                      ;  K
0040E5C0  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  fetch 2A
0040E5C2  |. |25 FF000000   |and eax,0xFF
0040E5C7  |. |8945 B4       |mov [local.19],eax                      ;  2A
0040E5CA  |. |DB45 B4       |fild [local.19]                         ;  K as floating point
0040E5CD  |. |DD5D B4       |fstp qword ptr ss:[ebp-0x4C]
0040E5D0  |. |DD45 B4       |fld qword ptr ss:[ebp-0x4C]             ;  2A=42
0040E5D3  |. |DC45 BC       |fadd qword ptr ss:[ebp-0x44]            ;  42+2  K+W
0040E5D6  |. |DD5D AC       |fstp qword ptr ss:[ebp-0x54]
0040E5D9  |. |68 01060080   |push 0x80000601
0040E5DE  |. |68 00007040   |push 0x40700000
0040E5E3  |. |68 00000000   |push 0x0
0040E5E8  |. |68 01060080   |push 0x80000601
0040E5ED  |. |FF75 B0       |push [local.20]
0040E5F0  |. |FF75 AC       |push [local.21]
0040E5F3  |. |68 02000000   |push 0x2
0040E5F8  |. |BB 50894100   |mov ebx,飘零网络.00418950
0040E5FD  |. |E8 38A10000   |call 飘零网络.0041873A
0040E602  |. |83C4 1C       |add esp,0x1C
0040E605  |. |8945 A4       |mov [local.23],eax
0040E608  |. |8955 A8       |mov [local.22],edx
0040E60B  |. |DD45 A4       |fld qword ptr ss:[ebp-0x5C]             ;  K+W
0040E60E  |. |DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  44+1=45 hex=2D k+w+1
0040E614  |. |DD5D 9C       |fstp qword ptr ss:[ebp-0x64]
0040E617  |. |DD45 9C       |fld qword ptr ss:[ebp-0x64]
0040E61A  |. |E8 FE3EFFFF   |call 飘零网络.0040251D                      ;  convert to hex: 45
0040E61F  |. |8945 DC       |mov [local.9],eax                       ;  2D
0040E622  |. |8B5D F0       |mov ebx,[local.4]
0040E625  |. |E8 C73FFFFF   |call 飘零网络.004025F1                      ;  ebx+8 points to the decryption parameter table
0040E62A  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E62B  |. |51            |push ecx
0040E62C  |. |8B45 DC       |mov eax,[local.9]                       ;  2D
0040E62F  |. |48            |dec eax                                 ;  2D-1=2C
0040E630  |. |79 0D         |jns short 飘零网络.0040E63F
0040E632  |. |68 04000000   |push 0x4
0040E637  |. |E8 22A10000   |call 飘零网络.0041875E
0040E63C  |. |83C4 04       |add esp,0x4
0040E63F  |> |59            |pop ecx
0040E640  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E641  |. |3BC1          |cmp eax,ecx
0040E643  |. |7C 0D         |jl short 飘零网络.0040E652
0040E645  |. |68 01000000   |push 0x1
0040E64A  |. |E8 0FA10000   |call 飘零网络.0041875E
0040E64F  |. |83C4 04       |add esp,0x4
0040E652  |> |03D8          |add ebx,eax                             ;  2C+007CBA10, this address points to the decryption parameter; effectively a lookup into the decryption table
0040E654  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E657  |. |8B5D D0       |mov ebx,[local.12]
0040E65A  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  fetch decryption parameter 11, call it X
0040E65C  |. |25 FF000000   |and eax,0xFF
0040E661  |. |8945 D8       |mov [local.10],eax
0040E664  |. |8B5D F8       |mov ebx,[local.2]
0040E667  |. |E8 853FFFFF   |call 飘零网络.004025F1
0040E66C  |. |53            |push ebx                                ;  飘零网络.00418A70
0040E66D  |. |51            |push ecx
0040E66E  |. |8B45 E0       |mov eax,[local.8]                       ;  local 8 is the index of the static-data byte being decrypted
0040E671  |. |48            |dec eax                                 ;  then -1
0040E672  |. |79 0D         |jns short 飘零网络.0040E681
0040E674  |. |68 04000000   |push 0x4
0040E679  |. |E8 E0A00000   |call 飘零网络.0041875E
0040E67E  |. |83C4 04       |add esp,0x4
0040E681  |> |59            |pop ecx
0040E682  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E683  |. |3BC1          |cmp eax,ecx
0040E685  |. |7C 0D         |jl short 飘零网络.0040E694
0040E687  |. |68 01000000   |push 0x1
0040E68C  |. |E8 CDA00000   |call 飘零网络.0041875E
0040E691  |. |83C4 04       |add esp,0x4
0040E694  |> |03D8          |add ebx,eax                             ;  ebx=0082AD90 points to the undecrypted static data
0040E696  |. |895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E699  |. |68 01030080   |push 0x80000301
0040E69E  |. |6A 00         |push 0x0
0040E6A0  |. |FF75 D8       |push [local.10]                         ;  decryption parameter X
0040E6A3  |. |8B5D D0       |mov ebx,[local.12]
0040E6A6  |. |8A03          |mov al,byte ptr ds:[ebx]                ;  fetch the byte to be decrypted, Y
0040E6A8  |. |25 FF000000   |and eax,0xFF
0040E6AD  |. |68 01030080   |push 0x80000301
0040E6B2  |. |6A 00         |push 0x0
0040E6B4  |. |50            |push eax
0040E6B5  |. |68 02000000   |push 0x2
0040E6BA  |. |BB 708A4100   |mov ebx,飘零网络.00418A70
0040E6BF  |. |E8 76A00000   |call 飘零网络.0041873A                      ;  start decrypting: xor Y,X
0040E6C4  |. |83C4 1C       |add esp,0x1C
0040E6C7  |. |8945 CC       |mov [local.13],eax                      ;  decrypted result
0040E6CA  |. |8D45 D4       |lea eax,[local.11]
0040E6CD  |. |50            |push eax
0040E6CE  |. |6A 01         |push 0x1
0040E6D0  |. |B8 02000000   |mov eax,0x2
0040E6D5  |. |E8 54A00000   |call 飘零网络.0041872E
0040E6DA  |. |83C4 08       |add esp,0x8
0040E6DD  |. |8B45 CC       |mov eax,[local.13]                      ;  decrypted result
0040E6E0  |. |8945 C8       |mov [local.14],eax
0040E6E3  |. |8B5D D4       |mov ebx,[local.11]
0040E6E6  |. |895D C4       |mov [local.15],ebx                      ;  飘零网络.00418A70
0040E6E9  |. |E8 033FFFFF   |call 飘零网络.004025F1
0040E6EE  |. |894D C0       |mov [local.16],ecx
0040E6F1  |. |8B7D C4       |mov edi,[local.15]
0040E6F4  |. |C707 01000000 |mov dword ptr ds:[edi],0x1
0040E6FA  |. |83C7 04       |add edi,0x4
0040E6FD  |. |8BC1          |mov eax,ecx
0040E6FF  |. |40            |inc eax
0040E700  |. |8907          |mov dword ptr ds:[edi],eax
0040E702  |. |83C7 04       |add edi,0x4
0040E705  |. |3BFB          |cmp edi,ebx                             ;  飘零网络.00418A70
0040E707  |. |74 04         |je short 飘零网络.0040E70D
0040E709  |. |8BF3          |mov esi,ebx                             ;  飘零网络.00418A70
0040E70B  |. |F3:A4         |rep movs byte ptr es:[edi],byte ptr ds:>
0040E70D  |> |8B45 C0       |mov eax,[local.16]
0040E710  |. |40            |inc eax
0040E711  |. |83C0 08       |add eax,0x8
0040E714  |. |50            |push eax
0040E715  |. |FF75 C4       |push [local.15]
0040E718  |. |E8 4DA00000   |call 飘零网络.0041876A
0040E71D  |. |83C4 08       |add esp,0x8
0040E720  |. |8945 D4       |mov [local.11],eax
0040E723  |. |8BF8          |mov edi,eax
0040E725  |. |83C7 08       |add edi,0x8
0040E728  |. |8B45 C0       |mov eax,[local.16]
0040E72B  |. |03F8          |add edi,eax
0040E72D  |. |8B45 C8       |mov eax,[local.14]
0040E730  |. |8807          |mov byte ptr ds:[edi],al
0040E732  |. |58            |pop eax
0040E733  |. |5B            |pop ebx                                 ;  飘零网络.00418A70
0040E734  |. |59            |pop ecx
0040E735  |.^\E9 DDFBFFFF   \jmp 飘零网络.0040E317

My backend static data is 123456; I will only show how the first "1" is decrypted, the rest follow the same pattern.
Summary:
The two loops above had me quite confused; for one of them I did not know at first what it was doing, but working backwards from the result it is easy to see that the loop above merely produces the corresponding decryption table. So quite often, when tracing an algorithm without any lead, you can reverse it backwards, tracing each variable you need one by one upwards, and that tells you what the earlier data was for. Take my decryption process below as a reference:
0040E6BF  |.  E8 76A00000   |call 飘零网络.0041873A                      ;  start decrypting: xor Y,X
After stepping over this address you can see eax=31; since 0x31 is ASCII "1", we can tell that the static-data "1" has been decrypted here.
Then let's step into this call and see how it decrypts.

004189D0  /$  8B5424 10     mov edx,dword ptr ss:[esp+0x10]
004189D4  |.  8B4424 0C     mov eax,dword ptr ss:[esp+0xC]           ;  2
004189D8  |.  83F8 01       cmp eax,0x1
004189DB  |.  8B0A          mov ecx,dword ptr ds:[edx]               ;  x+1
004189DD  |.  7E 2F         jle short 飘零网络.00418A0E
004189DF  |.  56            push esi                                 ;  飘零网络.004A1AA2
004189E0  |.  8B7424 08     mov esi,dword ptr ss:[esp+0x8]
004189E4  |.  57            push edi
004189E5  |.  8D78 FF       lea edi,dword ptr ds:[eax-0x1]
004189E8  |>  8BC6          /mov eax,esi                             ;  飘零网络.004A1AA2
004189EA  |.  83C2 0C       |add edx,0xC
004189ED  |.  83E8 00       |sub eax,0x0                             ;  Switch (cases 0..2)
004189F0  |.  74 0E         |je short 飘零网络.00418A00
004189F2  |.  48            |dec eax
004189F3  |.  74 07         |je short 飘零网络.004189FC
004189F5  |.  48            |dec eax
004189F6  |.  75 0A         |jnz short 飘零网络.00418A02
004189F8  |.  330A          |xor ecx,dword ptr ds:[edx]              ;  4; Case 2 of switch 004189ED
004189FA  |.  EB 06         |jmp short 飘零网络.00418A02
004189FC  |>  0B0A          |or ecx,dword ptr ds:[edx]               ;  Case 1 of switch 004189ED
004189FE  |.  EB 02         |jmp short 飘零网络.00418A02
00418A00  |>  230A          |and ecx,dword ptr ds:[edx]              ;  Case 0 of switch 004189ED
00418A02  |>  4F            |dec edi                                 ;  Default case of switch 004189ED
00418A03  |.^ 75 E3         \jnz short 飘零网络.004189E8
00418A05  |.  8B4424 10     mov eax,dword ptr ss:[esp+0x10]
00418A09  |.  5F            pop edi                                  ;  飘零网络.00418A86
00418A0A  |.  5E            pop esi                                  ;  飘零网络.00418A86
00418A0B  |.  8908          mov dword ptr ds:[eax],ecx
00418A0D  |.  C3            retn
00418A0E  |>  8B5424 08     mov edx,dword ptr ss:[esp+0x8]
00418A12  |.  890A          mov dword ptr ds:[edx],ecx
00418A14  \.  C3            retn

In this whole block we only need to look at the instruction at 004189F8.

2.png

Looking at the picture above, 20 is the first byte of the static data, since we already established the static data is 20B959438CAA; xor 11,20 gives 31, which is ASCII "1".
Then we trace upwards: where does 11 come from?
Looking up the code we can see 0040E65A  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  fetch decryption parameter 11, call it X
This al equals 11.
0040E652  |> \03D8          |add ebx,eax                             ;  2C+007CBA10, this address points to the decryption parameter; effectively a lookup into the decryption table
0040E654  |.  895D D0       |mov [local.12],ebx                      ;  飘零网络.00418A70
0040E657  |.  8B5D D0       |mov ebx,[local.12]
0040E65A  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  fetch decryption parameter 11, call it X
al is the single byte read from the address ebx+eax.
And ebx points to the decryption data table; the decryption data table follows. Base address: 08D267A0 (the address is dynamic)
22 02 2A 08 0A 40 E4 1F 23 85 61 3A 21 FF 98 D5 C7 3F A0 BE 3D 05 18 37 E9 30 F5 44 84 CA C1 09
29 E3 C5 C2 F4 EB 5A CD 16 EA 1A 89 11 8E F9 F3 4B 7A D8 83 F8 47 7E 5D 96 20 3B F7 54 B0 D1 8D
52 6D 8B 28 86 C3 ED 9B F1 8C 42 04 B8 82 3E 88 24 AB 78 45 8F EC 81 10 2B FC A5 4D C8 0B 76 D6
06 7D 71 60 BF 34 03 FD 2C 65 79 E5 57 C0 80 9F 7B 53 6B EE BC 97 77 72 CE 31 AF 55 9C A3 BA 46
00 0E 39 1C 14 2D 90 F6 A1 5E B6 0C E1 9E AE DC 63 5F C9 64 B1 99 2E CC 69 93 67 5C 6F 19 A4 7F
B9 91 D9 41 D2 AA 59 FB 12 27 62 DE AD FE 32 4C E2 2F DB A7 75 DF 66 4A 68 7C C6 48 51 38 B4 50
94 43 33 E7 15 01 D7 70 1D 6C A2 5B 3C 0D 07 25 E0 4E E6 A9 EF 13 DA CB 95 B3 BB 73 BD F0 C4 B2
56 49 92 4F 35 D3 0F A6 DD 87 D4 36 B5 8A 17 D0 FA CF 1B 6E 58 9D 9A F2 6A E8 A8 74 B7 1E 26 AC
0040E60B  |.  DD45 A4       |fld qword ptr ss:[ebp-0x5C]             ;  K+W
0040E60E  |.  DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  44+1=45 hex=2D k+w+1
0040E614  |.  DD5D 9C       |fstp qword ptr ss:[ebp-0x64]
0040E617  |.  DD45 9C       |fld qword ptr ss:[ebp-0x64]
0040E61A  |.  E8 FE3EFFFF   |call 飘零网络.0040251D                      ;  convert to hex: 45
0040E61F  |.  8945 DC       |mov [local.9],eax                       ;  2D
0040E622  |.  8B5D F0       |mov ebx,[local.4]
0040E625  |.  E8 C73FFFFF   |call 飘零网络.004025F1                      ;  ebx+8 points to the decryption parameter table
0040E62A  |.  53            |push ebx
0040E62B  |.  51            |push ecx
0040E62C  |.  8B45 DC       |mov eax,[local.9]                       ;  2D
0040E62F  |.  48            |dec eax                                 ;  2D-1=2C
K+W+1=44+1=45, which is 2D in hex; then 2D-1=2C
K+W=44, where K=42 and W=2
K = B-1 + decryption parameter table pointer, pointing at 2A in the decryption data table; 2A in decimal is 42
0040E450  |> \03D8          |add ebx,eax                             ;  B-1 + decryption table pointer
0040E452  |.  895D D0       |mov [local.12],ebx
0040E455  |.  8B5D D0       |mov ebx,[local.12]
0040E458  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  fetch 02, call it Z
0040E45A  |.  8845 E4       |mov byte ptr ss:[ebp-0x1C],al           ;  Z=02
0040E4C2  |> \03D8          |add ebx,eax                             ;  W-1 + decryption table pointer
0040E4C4  |.  895D CC       |mov [local.13],ebx
0040E4C7  |.  8B5D CC       |mov ebx,[local.13]
0040E4CA  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  fetch 2A
0040E4CC  |.  8B5D D0       |mov ebx,[local.12]
0040E4CF  |.  8803          |mov byte ptr ds:[ebx],al                ;  2A overwrites the 02 at B-1 + decryption table pointer
0040E501  |> \03D8          |add ebx,eax                             ;  W-1 + decryption table pointer
0040E503  |.  895D D0       |mov [local.12],ebx
0040E506  |.  8B45 E4       |mov eax,[local.7]                       ;  Z=02
0040E509  |.  8B5D D0       |mov ebx,[local.12]
0040E50C  |.  8803          |mov byte ptr ds:[ebx],al                ;  Z overwrites the 2A that the decryption table pointer points to
0040E54D  |.  8B45 EC       |mov eax,[local.5]                       ;  W
0040E550  |.  48            |dec eax                                 ;  W-1
0040E573  |> \03D8          |add ebx,eax                             ;  W-1 + decryption table pointer
0040E575  |.  895D CC       |mov [local.13],ebx
0040E578  |.  68 01060080   |push 0x80000601
0040E57D  |.  68 00007040   |push 0x40700000
0040E582  |.  68 00000000   |push 0x0
0040E587  |.  8B5D CC       |mov ebx,[local.13]
0040E58A  |.  8A03          |mov al,byte ptr ds:[ebx]                ;  fetch 02
W-1 + decryption parameter table pointer (002B6848) = 2; this 2 is stored in the W variable
3-1+08D267A0=08D267A2, [002B684A]=2; because the 02 above overwrote the original 2A, the value fetched here is 02
0040E400  |.  83C4 1C       |add esp,0x1C
0040E403  |.  8945 B0       |mov [local.20],eax
0040E406  |.  8955 B4       |mov [local.19],edx
0040E409  |.  DD45 B0       |fld qword ptr ss:[ebp-0x50]
0040E40C  |.  DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  Q+W+1=3
0040E412  |.  DD5D A8       |fstp qword ptr ss:[ebp-0x58]
0040E415  |.  DD45 A8       |fld qword ptr ss:[ebp-0x58]
0040E41D  |.  8945 EC       |mov [local.5],eax                       ;  Q+w+1=3, stored in W
Q+w+1=3 is stored in the W variable; W is initialized to 0; W=3
Q = B-1 + decryption parameter table pointer (002B6848), pointing at the 2 in the decryption data table; 2-1+08D267A0=08D267A1 points at the 2 in the encryption table
0040E36C  |.  DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  A+1 = B=2
B=A+1=2
0040E325  |.  DB45 F4       |fild [local.3]                          ;  initialized to 0 here
0040E328  |.  DD5D CC       |fstp qword ptr ss:[ebp-0x34]
0040E32B  |.  DD45 CC       |fld qword ptr ss:[ebp-0x34]
0040E32E  |.  DC05 A21A4A00 |fadd qword ptr ds:[0x4A1AA2]            ;  1+0, call it A
[0x4A1AA2] =00000001
A=1+0
So this block basically fetches two values and writes each over the other's position, which yields a new decryption table, and then fetches the corresponding value to decrypt with.
Below is the decryption table used to decrypt the first static-data byte
22 02 2A 08 0A 40 E4 1F 23 85 61 3A 21 FF 98 D5 C7 3F A0 BE 3D 05 18 37 E9 30 F5 44 84 CA C1 09
29 E3 C5 C2 F4 EB 5A CD 16 EA 1A 89 11 8E F9 F3 4B 7A D8 83 F8 47 7E 5D 96 20 3B F7 54 B0 D1 8D
52 6D 8B 28 86 C3 ED 9B F1 8C 42 04 B8 82 3E 88 24 AB 78 45 8F EC 81 10 2B FC A5 4D C8 0B 76 D6
06 7D 71 60 BF 34 03 FD 2C 65 79 E5 57 C0 80 9F 7B 53 6B EE BC 97 77 72 CE 31 AF 55 9C A3 BA 46
00 0E 39 1C 14 2D 90 F6 A1 5E B6 0C E1 9E AE DC 63 5F C9 64 B1 99 2E CC 69 93 67 5C 6F 19 A4 7F
B9 91 D9 41 D2 AA 59 FB 12 27 62 DE AD FE 32 4C E2 2F DB A7 75 DF 66 4A 68 7C C6 48 51 38 B4 50
94 43 33 E7 15 01 D7 70 1D 6C A2 5B 3C 0D 07 25 E0 4E E6 A9 EF 13 DA CB 95 B3 BB 73 BD F0 C4 B2
56 49 92 4F 35 D3 0F A6 DD 87 D4 36 B5 8A 17 D0 FA CF 1B 6E 58 9D 9A F2 6A E8 A8 74 B7 1E 26 AC
The decryption table above is indexed from 0
Static data to decrypt: 20B959438CAA
Take 20 and start decrypting
local 3=0
A=0+1=1
B=A+1=2  result converted to hex
B-1+[]  fetch 02, Q=02
W=0
Q+W=2+0=2
Q+W+1=2+1=3   W=3
B-1+[]  fetch 02, Z=02
Z overwrites local 5; local5 is initialized to 0
W-1+[] fetch 2A
2A overwrites the 02 at B-1 + decryption table pointer
Then Z=02 overwrites the 2A at W-1+[]
Decryption table updated as follows:
22 2A 02 08 0A 40 E4 1F 23 85 61 3A 21 FF 98 D5 C7 3F A0 BE 3D 05 18 37 E9 30 F5 44 84 CA C1 09
29 E3 C5 C2 F4 EB 5A CD 16 EA 1A 89 11 8E F9 F3 4B 7A D8 83 F8 47 7E 5D 96 20 3B F7 54 B0 D1 8D
52 6D 8B 28 86 C3 ED 9B F1 8C 42 04 B8 82 3E 88 24 AB 78 45 8F EC 81 10 2B FC A5 4D C8 0B 76 D6
06 7D 71 60 BF 34 03 FD 2C 65 79 E5 57 C0 80 9F 7B 53 6B EE BC 97 77 72 CE 31 AF 55 9C A3 BA 46
00 0E 39 1C 14 2D 90 F6 A1 5E B6 0C E1 9E AE DC 63 5F C9 64 B1 99 2E CC 69 93 67 5C 6F 19 A4 7F
B9 91 D9 41 D2 AA 59 FB 12 27 62 DE AD FE 32 4C E2 2F DB A7 75 DF 66 4A 68 7C C6 48 51 38 B4 50
94 43 33 E7 15 01 D7 70 1D 6C A2 5B 3C 0D 07 25 E0 4E E6 A9 EF 13 DA CB 95 B3 BB 73 BD F0 C4 B2
56 49 92 4F 35 D3 0F A6 DD 87 D4 36 B5 8A 17 D0 FA CF 1B 6E 58 9D 9A F2 6A E8 A8 74 B7 1E 26 AC
W-1+[] fetch 02,  Y=2
B-1+[] fetch 2A,  K=2A
and 2A,0xFF=K
Y+K=2A+2 2A=42 42+2=44
44+1=45; 45 in hex is 2D
2D-1=2C
2C+[]  fetch 11
xor 11,20
result 31, which is ASCII 1
Take B9 and start decrypting
B=2
A=2+1=3
B=3+1=4  result converted to hex
B-1+[]  fetch 08, Q=08
and 08,0xFF
W=3
Q+W=8+3=11
Q+W+1=11+1=12   W=12
B-1+[]  fetch 08, Z=08
Z overwrites local 5; local5=08
W-1+[] fetch 3A
3A overwrites the 08 at B-1 + decryption table pointer
Then Z=08 overwrites the 3A at W-1+[]
Decryption table updated as follows:
22 2A 02 3A 0A 40 E4 1F 23 85 61 08 21 FF 98 D5 C7 3F A0 BE 3D 05 18 37 E9 30 F5 44 84 CA C1 09
29 E3 C5 C2 F4 EB 5A CD 16 EA 1A 89 11 8E F9 F3 4B 7A D8 83 F8 47 7E 5D 96 20 3B F7 54 B0 D1 8D
52 6D 8B 28 86 C3 ED 9B F1 8C 42 04 B8 82 3E 88 24 AB 78 45 8F EC 81 10 2B FC A5 4D C8 0B 76 D6
06 7D 71 60 BF 34 03 FD 2C 65 79 E5 57 C0 80 9F 7B 53 6B EE BC 97 77 72 CE 31 AF 55 9C A3 BA 46
00 0E 39 1C 14 2D 90 F6 A1 5E B6 0C E1 9E AE DC 63 5F C9 64 B1 99 2E CC 69 93 67 5C 6F 19 A4 7F
B9 91 D9 41 D2 AA 59 FB 12 27 62 DE AD FE 32 4C E2 2F DB A7 75 DF 66 4A 68 7C C6 48 51 38 B4 50
94 43 33 E7 15 01 D7 70 1D 6C A2 5B 3C 0D 07 25 E0 4E E6 A9 EF 13 DA CB 95 B3 BB 73 BD F0 C4 B2
56 49 92 4F 35 D3 0F A6 DD 87 D4 36 B5 8A 17 D0 FA CF 1B 6E 58 9D 9A F2 6A E8 A8 74 B7 1E 26 AC
W-1+[] fetch 08,  Y=08
B-1+[] fetch 3A,  K=3A
and 3A,0xFF
Y+K=3A+8 3A=58 58+8=66
66+1=67; 67 in hex is 43
43-1=42
42+[]  fetch 8B
xor 8B,B9
result 32, ASCII 2
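The whole walkthrough above as an added Python example (not the post's own code or the author's Easy Language source): the table and the ciphertext are the ones dumped in the post, and each step follows the trace (the index B-1 advances by 2 per byte, W becomes (Q+W) mod 256 + 1, the two bytes swap, and X = table[(K+Y) mod 256]); apart from those two offsets this is the structure of RC4's keystream generator. The wrap-around of B-1 past 0xFF is an assumption, since the excerpt only shows the two +1 additions; with the post's values it decodes all six bytes of 20B959438CAA to 123456, the backend data the post names.

```python
from itertools import islice
from typing import Iterator, List

# Constructed from the values in the post: the 256-byte decryption table dumped
# above (base 08D267A0 in the author's session) and the stored static data
# 20B959438CAA, whose plaintext the post gives as 123456.
TABLE_HEX = """
22 02 2A 08 0A 40 E4 1F 23 85 61 3A 21 FF 98 D5 C7 3F A0 BE 3D 05 18 37 E9 30 F5 44 84 CA C1 09
29 E3 C5 C2 F4 EB 5A CD 16 EA 1A 89 11 8E F9 F3 4B 7A D8 83 F8 47 7E 5D 96 20 3B F7 54 B0 D1 8D
52 6D 8B 28 86 C3 ED 9B F1 8C 42 04 B8 82 3E 88 24 AB 78 45 8F EC 81 10 2B FC A5 4D C8 0B 76 D6
06 7D 71 60 BF 34 03 FD 2C 65 79 E5 57 C0 80 9F 7B 53 6B EE BC 97 77 72 CE 31 AF 55 9C A3 BA 46
00 0E 39 1C 14 2D 90 F6 A1 5E B6 0C E1 9E AE DC 63 5F C9 64 B1 99 2E CC 69 93 67 5C 6F 19 A4 7F
B9 91 D9 41 D2 AA 59 FB 12 27 62 DE AD FE 32 4C E2 2F DB A7 75 DF 66 4A 68 7C C6 48 51 38 B4 50
94 43 33 E7 15 01 D7 70 1D 6C A2 5B 3C 0D 07 25 E0 4E E6 A9 EF 13 DA CB 95 B3 BB 73 BD F0 C4 B2
56 49 92 4F 35 D3 0F A6 DD 87 D4 36 B5 8A 17 D0 FA CF 1B 6E 58 9D 9A F2 6A E8 A8 74 B7 1E 26 AC
"""
CIPHERTEXT = bytes.fromhex("20B959438CAA")


def parse_table(dump: str) -> List[int]:
    """Turn the 8 x 32 hex dump into a list of 256 ints (index 0 = first byte)."""
    table = [int(byte, 16) for byte in dump.split()]
    if len(table) != 256:
        raise ValueError("expected a 256-byte table, got %d bytes" % len(table))
    return table


def keystream(table: List[int]) -> Iterator[int]:
    """Yield the key byte X for each position, mutating a private copy of the table.

    Names follow the post: B-1 is the index derived from local.3, W-1 the index
    derived from local.5, and Q/Z/K/Y are the bytes fetched from the table.
    """
    s = list(table)      # the loop swaps table entries, so work on a copy
    b_index = -1         # local.3 starts at 0; A = local.3+1, B = A+1, so B-1 = 1, 3, 5, ...
    w = 0                # W starts at 0; after the first step it holds a 1-based index
    while True:
        b_index = (b_index + 2) & 0xFF   # wrap past 0xFF is assumed (not visible in the excerpt)
        q = s[b_index]                   # Q = the byte at B-1
        w = ((q + w) & 0xFF) + 1         # (Q+W) mod 256 (the call passed double 256.0), then +1
        w_index = w - 1
        # Z (the byte at B-1) and the byte at W-1 overwrite each other: a swap.
        s[b_index], s[w_index] = s[w_index], s[b_index]
        k_index = (s[b_index] + s[w_index]) & 0xFF   # (K+Y) mod 256, then +1 and -1 again
        yield s[k_index]                             # X, the byte xored into Y


def first_key_bytes(table: List[int], n: int) -> bytes:
    """The first n key bytes; the post records 11 and 8B for the first two."""
    return bytes(islice(keystream(table), n))


def decrypt_static(table: List[int], data: bytes) -> bytes:
    """xor Y,X for every stored byte (the call at 0040E6BF); the same call encrypts."""
    return bytes(y ^ x for y, x in zip(data, keystream(table)))


if __name__ == "__main__":
    table = parse_table(TABLE_HEX)
    print(first_key_bytes(table, 2).hex())             # 118b
    print(decrypt_static(table, CIPHERTEXT).decode())  # 123456
```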
If you still cannot follow, you can refer to my source code; the source is not very well written, so please give me your pointers!!
In the source I took a shortcut on the static-data encryption part; swap it for the edit-box contents yourself and convert the entered text to ASCII.
3.png

6.png


With that, the verification can be done locally.
7.png


Source and demo download: https://yunpan.cn/c6FYQzg5MIJVN  access code 62fa



Comments

It was 2 hours. Fat-fingered the number. Suddenly I realize I'm slipping; there's a strong rival now...  posted on 2016-7-30 18:48
Following the OP's train of thought, the first decryption alone took me half an hour of thinking. I'm too dumb, it took me 4 hours to understand..  posted on 2016-7-30 18:41


OP | Sendige posted on 2016-7-30 18:51
cqr2287 posted on 2016-7-30 18:43
Following the OP's train of thought, the first decryption alone took me half an hour of thinking. I'm too dumb, it took me 4 hours to understand..
Does the OP take packet-cracking jobs? I take crack ...

I posted at 17:03 and it's only 18:50 now, how could you have had 4 hours to think about it??
KaQqi posted on 2016-7-30 18:43
This post was last edited by cqr2287 on 2016-7-30 18:54

Following the OP's train of thought, the first decryption alone took me half an hour of thinking. I'm too dumb, it took me 2 hours to understand..
Does the OP take packet-cracking jobs? I do take packet-cracking jobs.. and this still had me stuck for 2 hours, sob. The OP is awesome!
sijie283 posted on 2016-7-30 17:32
Freaking awesome
LjeA posted on 2016-7-30 17:41 from mobile
I can't follow it, but it looks really impressive; 101 points
zhangbaida posted on 2016-7-30 18:02
Very thorough analysis
KaQqi posted on 2016-7-30 18:53
Sendige posted on 2016-7-30 18:51
I posted at 17:03 and it's only 18:50 now, how could you have had 4 hours to think about it??

Two hours. I said so in the comment.
绿色的可乐 posted on 2016-7-31 13:35
You learn better by looking at more real-world cracking cases