-
-
一段加密算法,有厉害的朋友帮忙看看
-
发表于: 2005-9-27 15:07
-
某软件中验证步骤中的一步,delphi程序,自己试着还原成了C代码,但感觉糟透了,有厉害的朋友,帮忙看看,感激不尽
005AF69C 55 push ebp ; 参数1 长度 0x20 单位为字
005AF69D 8BEC mov ebp,esp ; 参数2为已变换过一次的加密数据长度0x100
005AF69F 83C4 F8 add esp,-8 ; 参数3为未变换过的加密数据
005AF6A2 33C0 xor eax,eax
005AF6A4 53 push ebx
005AF6A5 56 push esi
005AF6A6 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4]局部变量,存放变换中临时数据
005AF6A9 8B55 08 mov edx,dword ptr ss:[ebp+8] ; 参数1
005AF6AC 03D2 add edx,edx
005AF6AE C1E2 02 shl edx,2
005AF6B1 0155 0C add dword ptr ss:[ebp+C],edx
005AF6B4 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
005AF6B7 8B45 08 mov eax,dword ptr ss:[ebp+8]
005AF6BA 8D1481 lea edx,dword ptr ds:[ecx+eax*4]
005AF6BD 8955 F8 mov dword ptr ss:[ebp-8],edx
005AF6C0 E9 A9000000 jmp L2Walker.005AF76E
005AF6C5 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
005AF6C8 8B19 mov ebx,dword ptr ds:[ecx]
005AF6CA 8BD3 mov edx,ebx
005AF6CC 0FB7C2 movzx eax,dx
005AF6CF 8BC8 mov ecx,eax
005AF6D1 0FAFC8 imul ecx,eax
005AF6D4 C1EB 10 shr ebx,10
005AF6D7 8BC1 mov eax,ecx
005AF6D9 0FB7CB movzx ecx,bx
005AF6DC 0FB7F3 movzx esi,bx
005AF6DF 0FB7DB movzx ebx,bx
005AF6E2 0FB7D2 movzx edx,dx
005AF6E5 0FAFDA imul ebx,edx
005AF6E8 0FAFCE imul ecx,esi
005AF6EB 8BF3 mov esi,ebx
005AF6ED 8BD0 mov edx,eax
005AF6EF C1E6 10 shl esi,10
005AF6F2 03C6 add eax,esi
005AF6F4 8BF3 mov esi,ebx
005AF6F6 C1EE 10 shr esi,10
005AF6F9 3BC2 cmp eax,edx
005AF6FB 0F92C2 setb dl
005AF6FE 83E2 01 and edx,1
005AF701 03F2 add esi,edx
005AF703 8BD0 mov edx,eax
005AF705 03CE add ecx,esi
005AF707 8BF3 mov esi,ebx
005AF709 C1E6 10 shl esi,10
005AF70C C1EB 10 shr ebx,10
005AF70F 03C6 add eax,esi
005AF711 3BC2 cmp eax,edx
005AF713 0F92C2 setb dl
005AF716 83E2 01 and edx,1
005AF719 03DA add ebx,edx
005AF71B 8BD0 mov edx,eax
005AF71D 0345 FC add eax,dword ptr ss:[ebp-4]
005AF720 03CB add ecx,ebx
005AF722 3BC2 cmp eax,edx
005AF724 0F92C2 setb dl
005AF727 836D 0C 04 sub dword ptr ss:[ebp+C],4
005AF72B 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
005AF72E 83E2 01 and edx,1
005AF731 03CA add ecx,edx
005AF733 8BD0 mov edx,eax
005AF735 0303 add eax,dword ptr ds:[ebx]
005AF737 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
005AF73A 3BC2 cmp eax,edx
005AF73C 8BD1 mov edx,ecx
005AF73E 8903 mov dword ptr ds:[ebx],eax
005AF740 0F92C3 setb bl
005AF743 83E3 01 and ebx,1
005AF746 03CB add ecx,ebx
005AF748 3BCA cmp ecx,edx
005AF74A 8BD1 mov edx,ecx
005AF74C 0F92C0 setb al
005AF74F 83E0 01 and eax,1
005AF752 8945 FC mov dword ptr ss:[ebp-4],eax
005AF755 836D 0C 04 sub dword ptr ss:[ebp+C],4
005AF759 8B45 0C mov eax,dword ptr ss:[ebp+C]
005AF75C 0308 add ecx,dword ptr ds:[eax]
005AF75E 8B45 0C mov eax,dword ptr ss:[ebp+C]
005AF761 3BCA cmp ecx,edx
005AF763 0F92C2 setb dl
005AF766 83E2 01 and edx,1
005AF769 8908 mov dword ptr ds:[eax],ecx
005AF76B 0155 FC add dword ptr ss:[ebp-4],edx
005AF76E 8345 F8 FC add dword ptr ss:[ebp-8],-4
005AF772 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
005AF775 8345 08 FF add dword ptr ss:[ebp+8],-1
005AF779 85C9 test ecx,ecx
005AF77B ^ 0F85 44FFFFFF jnz L2Walker.005AF6C5
005AF781 5E pop esi
005AF782 5B pop ebx
005AF783 59 pop ecx
005AF784 59 pop ecx
005AF785 5D pop ebp
005AF786 C3 retn
这是我自己试着还原的,看了我想吊死算了
void decrypt2(int len, long *pdest, long *pcryptdat)
{
ulong key, m1,m2,m3,m4;
short int al,ah, bl,bh;
ulong ms;
pdest = pdest + len * 2;
pcryptdat = pcryptdat + len;
pcryptdat--;
while(len--)
{
al = loword(*pcryptdat)
m1 = al * al;
m2 = al * ah;
m3 = ah * ah;
temp = m1;
ms = m2 << 16;
m1 = m1 + ms;
if(m1 < temp)
ms++;
temp = m1;
m3 = m3 + ms;
ms = m2 << 16;
m2 = m2 >> 16;
m1 = m1 + ms;
if(m1 < temp)
m2++;
temp = m1;
m1 = m1 + key;
if (m1 < temp)
m3++;
pdest--;
temp = m1;
m1 = m1 + *pdest;
*pdest = m1;
if(m1 < temp)
m3++;
pdest--;
m3 = m3 + *pdest;
}
}
005AF69C 55 push ebp ; 参数1 长度 0x20 单位为字
005AF69D 8BEC mov ebp,esp ; 参数2为已变换过一次的加密数据长度0x100
005AF69F 83C4 F8 add esp,-8 ; 参数3为未变换过的加密数据
005AF6A2 33C0 xor eax,eax
005AF6A4 53 push ebx
005AF6A5 56 push esi
005AF6A6 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4]局部变量,存放变换中临时数据
005AF6A9 8B55 08 mov edx,dword ptr ss:[ebp+8] ; 参数1
005AF6AC 03D2 add edx,edx
005AF6AE C1E2 02 shl edx,2
005AF6B1 0155 0C add dword ptr ss:[ebp+C],edx
005AF6B4 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
005AF6B7 8B45 08 mov eax,dword ptr ss:[ebp+8]
005AF6BA 8D1481 lea edx,dword ptr ds:[ecx+eax*4]
005AF6BD 8955 F8 mov dword ptr ss:[ebp-8],edx
005AF6C0 E9 A9000000 jmp L2Walker.005AF76E
005AF6C5 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
005AF6C8 8B19 mov ebx,dword ptr ds:[ecx]
005AF6CA 8BD3 mov edx,ebx
005AF6CC 0FB7C2 movzx eax,dx
005AF6CF 8BC8 mov ecx,eax
005AF6D1 0FAFC8 imul ecx,eax
005AF6D4 C1EB 10 shr ebx,10
005AF6D7 8BC1 mov eax,ecx
005AF6D9 0FB7CB movzx ecx,bx
005AF6DC 0FB7F3 movzx esi,bx
005AF6DF 0FB7DB movzx ebx,bx
005AF6E2 0FB7D2 movzx edx,dx
005AF6E5 0FAFDA imul ebx,edx
005AF6E8 0FAFCE imul ecx,esi
005AF6EB 8BF3 mov esi,ebx
005AF6ED 8BD0 mov edx,eax
005AF6EF C1E6 10 shl esi,10
005AF6F2 03C6 add eax,esi
005AF6F4 8BF3 mov esi,ebx
005AF6F6 C1EE 10 shr esi,10
005AF6F9 3BC2 cmp eax,edx
005AF6FB 0F92C2 setb dl
005AF6FE 83E2 01 and edx,1
005AF701 03F2 add esi,edx
005AF703 8BD0 mov edx,eax
005AF705 03CE add ecx,esi
005AF707 8BF3 mov esi,ebx
005AF709 C1E6 10 shl esi,10
005AF70C C1EB 10 shr ebx,10
005AF70F 03C6 add eax,esi
005AF711 3BC2 cmp eax,edx
005AF713 0F92C2 setb dl
005AF716 83E2 01 and edx,1
005AF719 03DA add ebx,edx
005AF71B 8BD0 mov edx,eax
005AF71D 0345 FC add eax,dword ptr ss:[ebp-4]
005AF720 03CB add ecx,ebx
005AF722 3BC2 cmp eax,edx
005AF724 0F92C2 setb dl
005AF727 836D 0C 04 sub dword ptr ss:[ebp+C],4
005AF72B 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
005AF72E 83E2 01 and edx,1
005AF731 03CA add ecx,edx
005AF733 8BD0 mov edx,eax
005AF735 0303 add eax,dword ptr ds:[ebx]
005AF737 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
005AF73A 3BC2 cmp eax,edx
005AF73C 8BD1 mov edx,ecx
005AF73E 8903 mov dword ptr ds:[ebx],eax
005AF740 0F92C3 setb bl
005AF743 83E3 01 and ebx,1
005AF746 03CB add ecx,ebx
005AF748 3BCA cmp ecx,edx
005AF74A 8BD1 mov edx,ecx
005AF74C 0F92C0 setb al
005AF74F 83E0 01 and eax,1
005AF752 8945 FC mov dword ptr ss:[ebp-4],eax
005AF755 836D 0C 04 sub dword ptr ss:[ebp+C],4
005AF759 8B45 0C mov eax,dword ptr ss:[ebp+C]
005AF75C 0308 add ecx,dword ptr ds:[eax]
005AF75E 8B45 0C mov eax,dword ptr ss:[ebp+C]
005AF761 3BCA cmp ecx,edx
005AF763 0F92C2 setb dl
005AF766 83E2 01 and edx,1
005AF769 8908 mov dword ptr ds:[eax],ecx
005AF76B 0155 FC add dword ptr ss:[ebp-4],edx
005AF76E 8345 F8 FC add dword ptr ss:[ebp-8],-4
005AF772 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
005AF775 8345 08 FF add dword ptr ss:[ebp+8],-1
005AF779 85C9 test ecx,ecx
005AF77B ^ 0F85 44FFFFFF jnz L2Walker.005AF6C5
005AF781 5E pop esi
005AF782 5B pop ebx
005AF783 59 pop ecx
005AF784 59 pop ecx
005AF785 5D pop ebp
005AF786 C3 retn
这是我自己试着还原的,看了我想吊死算了
void decrypt2(int len, long *pdest, long *pcryptdat)
{
ulong key, m1,m2,m3,m4;
short int al,ah, bl,bh;
ulong ms;
pdest = pdest + len * 2;
pcryptdat = pcryptdat + len;
pcryptdat--;
while(len--)
{
al = loword(*pcryptdat)
m1 = al * al;
m2 = al * ah;
m3 = ah * ah;
temp = m1;
ms = m2 << 16;
m1 = m1 + ms;
if(m1 < temp)
ms++;
temp = m1;
m3 = m3 + ms;
ms = m2 << 16;
m2 = m2 >> 16;
m1 = m1 + ms;
if(m1 < temp)
m2++;
temp = m1;
m1 = m1 + key;
if (m1 < temp)
m3++;
pdest--;
temp = m1;
m1 = m1 + *pdest;
*pdest = m1;
if(m1 < temp)
m3++;
pdest--;
m3 = m3 + *pdest;
}
}
|
|
|---|---|
|
|
|
|
|
又是外挂程序
|
|
|
|
|
|
最初由 tmzerg 发布  本来就是
|
|
|
最初由 baby2008 发布 哈……baby,你怎么知道?你也看到这段代码了? 是哪个就不说了,这个函数只是其中一部分,这个算法中间像这样的操作执行了很多很多次,整个算法的输入是 0x80字节的二进制数据,输入结果是一个ascii用户名 |
|
|
下面是RCE的 bilbo 做的回答
/* coded by bilbo - 27sep05 */ /* replaced +C with +12, 10 with 16 */ #include <stdio.h> __declspec(naked) void decrypt2(int len, unsigned *pout, unsigned *pin) { __asm { push ebp mov ebp,esp add esp,-8 xor eax,eax push ebx push esi mov dword ptr ss:[ebp-4],eax ; clear prev loop carry mov edx,dword ptr ss:[ebp+8] ; arg 1: number of longs add edx,edx shl edx,2 ; *= 8 add dword ptr ss:[ebp+12],edx ; pout at end: += 2*longs*4 mov ecx,dword ptr ss:[ebp+16] mov eax,dword ptr ss:[ebp+8] lea edx,dword ptr ds:[ecx+eax*4] ; pin at end: += longs*4 mov dword ptr ss:[ebp-8],edx jmp loop_check ; a loop per input long, to calculate two output longs loop_start: mov ecx,dword ptr ss:[ebp-8] ; pin mov ebx,dword ptr ds:[ecx] ; get one long from in mov edx,ebx movzx eax,dx mov ecx,eax imul ecx,eax ; low * low = ll shr ebx,16 mov eax,ecx movzx ecx,bx movzx esi,bx movzx ebx,bx movzx edx,dx imul ebx,edx ; high * low = hl imul ecx,esi ; high * high = hh mov esi,ebx mov edx,eax shl esi,16 ; hl<<16 add eax,esi ; low_long_tot = ll+(hl<<16) mov esi,ebx shr esi,16 ; hl>>16 ; carry correction stuff cmp eax,edx setb dl and edx,1 ; 0 or 1 add esi,edx mov edx,eax add ecx,esi ; high_long_tot = hh+(hl>>16) mov esi,ebx shl esi,16 ; hl<<16 shr ebx,16 ; hl>>16 add eax,esi ; low_long_tot = ll+(hl<<16)+(hl<<16) ; carry correction stuff cmp eax,edx setb dl and edx,1 ; 0 or 1 add ebx,edx ; add prev loop carry (always null!) mov edx,eax add eax,dword ptr ss:[ebp-4] add ecx,ebx ; high_long_tot = hh+(hl>>16)+(hl>>16) ; carry correction stuff cmp eax,edx setb dl sub dword ptr ss:[ebp+12],4 ; updated pout mov ebx,dword ptr ss:[ebp+12] ; updated pout and edx,1 ; 0 or 1 add ecx,edx ; low_long_tot += low_prev_value mov edx,eax add eax,dword ptr ds:[ebx] mov ebx,dword ptr ss:[ebp+12] ; pout cmp eax,edx mov edx,ecx ; stuff-in low_long result mov dword ptr ds:[ebx],eax ; carry correction stuff setb bl and ebx,1 ; 0 or 1 add ecx,ebx ; carry correction stuff cmp ecx,edx mov edx,ecx setb al and eax,1 ; 0 or 1 ; migrate carry to next loop mov dword ptr ss:[ebp-4],eax ; update pout sub dword ptr ss:[ebp+12],4 mov eax,dword ptr ss:[ebp+12] ; high_long_tot += high_prev_value add ecx,dword ptr ds:[eax] mov eax,dword ptr ss:[ebp+12] ; pout ; carry correction stuff cmp ecx,edx setb dl and edx,1 ; stuff-in high_long result mov dword ptr ds:[eax],ecx ; migrate carry to next loop add dword ptr ss:[ebp-4],edx ; update cy loop_check: add dword ptr ss:[ebp-8],-4 ; bump back pin mov ecx,dword ptr ss:[ebp+8] ; number of longs add dword ptr ss:[ebp+8],-1 ; dec number of longs test ecx,ecx jnz loop_start ; continue pop esi pop ebx pop ecx pop ecx pop ebp retn } } /* * let's see a sample with two longs in input: it will give 4 longs * in output */ #define LONGS 2 void main(void) { // the new values will be added to the old ones! so clear them unsigned out[2*LONGS] = { 0 }; unsigned in[LONGS] = { 0x12345678, 0x87654321 }; // for example... int i; unsigned hi, lo; decrypt2(LONGS, out, in); printf("result: %08x %08x %08x %08x\n\n", out[0], out[1], out[2], out[3]); // note that we here invert the loop direction without problems // (neither if both inputs longs are 0xFFFFFFFF) printf("power-of-two alternate method: "); for (i=0; i<LONGS; i++) { hi = in[i]; // could'n avoid this extra step __asm mov eax, hi; __asm mul eax; __asm mov hi, edx; __asm mov lo, eax; printf("%08x %08x ", hi, lo); } printf("\n"); } 他说这个算法是个64位数的2次方运算... 
|
