各位前辈!这是游戏封包加密算法,已经跟到算法加密位置了,求助。
例如:账号密码
文本代码长度 = 十到十六 (到整数 (文本代码长度) + 1) + “ 00 01 01 ” + 账号长度 + “ ” + 到十六 (账号) + “ ” + 密码长度 + “ ” + 到十六(密码) + “00 00 00 00 00 00 00 00 00 00 00 00”
mov byte ptr ds:[eax],dl 这里取key 34 6F 54
帐号密码[1] + key[1]
帐号密码[2] + key[2]
帐号密码[3] + key[3]
帐号密码[4] + key[1]
求前辈指点下 这样的该怎么写算法
; Core.10009790: packet obfuscation routine as shown in this debugger listing.
; One stack argument at [ebp+0x8] ("arg"); the routine ends with a plain retn, so the caller pops it.
; What the visible instructions do:
;   len    = 16-bit word at arg[0..1]
;   keylen = (r % 8) + 2, where r comes from Core.100240FF (presumably a rand()-style PRNG; confirm)
;   buf[1 .. keylen]   = key bytes, each (r % 0x7F)
;   buf[1 + keylen + j] = arg[j] ^ buf[1 + (j % keylen)] ^ (len - j), for j = 0 .. len-1
;   buf[0]             = ~Core.10009760(keylen, 7)   (helper body is not in this listing)
;   total = len + keylen + 1 bytes are copied from buf to arg+2; the word at arg becomes total + 2
;   return value (eax) = total + 2
; The combining operation is xor (opcodes 33CA / 33C8), not addition.
; NOTE(review): the key bytes and a value derived from keylen are written into the same output buffer
;   as the transformed data, so this is obfuscation rather than confidentiality; credentials carried
;   in such a packet need transport-level encryption to be protected.
; NOTE(review): no bounds check is visible between len (up to 0xFFFF) and the 0x41F4-byte scratch
;   buffer, and the output copied back to arg+2 is larger than the input; confirm the callers
;   guarantee both sizes. The result of the first call is also used without a NULL check.
10009790 55 push ebp ; frame setup
10009791 8BEC mov ebp,esp
10009793 83EC 20 sub esp,0x20 ; 0x20 bytes of locals
10009796 68 F4410000 push 0x41F4 ; size argument 0x41F4
1000979B E8 AA8D0000 call Core.1001254A ; presumably an allocator (one size arg, pointer returned; released via Core.1001253F below); confirm
100097A0 83C4 04 add esp,0x4
100097A3 8945 E4 mov dword ptr ss:[ebp-0x1C],eax ; temp = returned pointer (not checked for NULL)
100097A6 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
100097A9 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; [ebp-0xC] = buf (scratch buffer)
100097AC 68 F4410000 push 0x41F4
100097B1 6A 00 push 0x0
100097B3 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
100097B6 51 push ecx
100097B7 E8 74C30100 call Core.10025B30 ; called with (buf, 0, 0x41F4); argument shape matches memset, confirm
100097BC 83C4 0C add esp,0xC
100097BF 8B55 08 mov edx,dword ptr ss:[ebp+0x8] ; edx = arg
100097C2 0FB702 movzx eax,word ptr ds:[edx] ; zero-extended 16-bit length field at arg[0..1]
100097C5 8945 FC mov dword ptr ss:[ebp-0x4],eax ; [ebp-0x4] = len
100097C8 E8 32A90100 call Core.100240FF ; no arguments; presumably rand(); confirm
100097CD 25 07000080 and eax,0x80000007 ; keep sign bit and low 3 bits
100097D2 79 05 jns short Core.100097D9 ; non-negative: low 3 bits are already r % 8
100097D4 48 dec eax ; negative case: the dec / or -8 / inc sequence
100097D5 83C8 F8 or eax,-0x8 ; produces the signed remainder r % 8
100097D8 40 inc eax
100097D9 83C0 02 add eax,0x2 ; keylen = (r % 8) + 2; poster's note: eax+2
100097DC 8945 F8 mov dword ptr ss:[ebp-0x8],eax ; [ebp-0x8] = keylen; trace: eax=00000003
100097DF C745 EC 0100000>mov dword ptr ss:[ebp-0x14],0x1 ; i = 1 (key bytes start at buf[1]); trace: stack ss:[00181C6C]=00000001
100097E6 EB 09 jmp short Core.100097F1 ; enter key-generation loop at its condition
100097E8 8B4D EC mov ecx,dword ptr ss:[ebp-0x14] ; loop step: i = i + 1
100097EB 83C1 01 add ecx,0x1
100097EE 894D EC mov dword ptr ss:[ebp-0x14],ecx
100097F1 8B55 F8 mov edx,dword ptr ss:[ebp-0x8] ; edx = keylen; trace: stack ss:[00181C78]=00000003
100097F4 83C2 01 add edx,0x1 ; edx = keylen + 1; trace: edx=00000003
100097F7 3955 EC cmp dword ptr ss:[ebp-0x14],edx ; compare i with keylen + 1; trace: edx=00000004
100097FA 7D 17 jge short Core.10009813 ; leave the loop once i >= keylen + 1
100097FC E8 FEA80100 call Core.100240FF ; next PRNG value (same routine as above)
10009801 99 cdq ; sign-extend eax into edx:eax for idiv
10009802 B9 7F000000 mov ecx,0x7F ; divisor 0x7F; trace: ecx=C823F683/ ecx=18BE873A
10009807 F7F9 idiv ecx ; edx = r % 0x7F; trace: ecx=0000007F
10009809 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; eax = buf; trace: stack ss:[00181C74]=1540FEE0
1000980C 0345 EC add eax,dword ptr ss:[ebp-0x14] ; eax = &buf[i]; trace: stack ss:[00181C6C]=00000001
1000980F 8810 mov byte ptr ds:[eax],dl ; buf[i] = low byte of (r % 0x7F), one key byte; trace: dl=34 ('4')
10009811 ^ EB D5 jmp short Core.100097E8 ; next key byte
10009813 C745 E8 0000000>mov dword ptr ss:[ebp-0x18],0x0 ; j = 0 (data index)
1000981A EB 09 jmp short Core.10009825 ; enter transform loop at its condition
1000981C 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18] ; loop step: j = j + 1
1000981F 83C1 01 add ecx,0x1
10009822 894D E8 mov dword ptr ss:[ebp-0x18],ecx
10009825 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
10009828 3B55 FC cmp edx,dword ptr ss:[ebp-0x4] ; compare j with len
1000982B 7D 31 jge short Core.1000985E ; leave the loop once j >= len
1000982D 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; eax = arg; trace: stack ss:[00181B48]=00181BA4
10009830 0345 E8 add eax,dword ptr ss:[ebp-0x18] ; eax = &arg[j], starting at arg+0, i.e. at the length word itself; trace: stack ss:[00181B28]=00000013
10009833 0FBE08 movsx ecx,byte ptr ds:[eax] ; ecx = arg[j] (sign-extended; only cl is stored later); poster's note: byte taken via EAX
10009836 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; eax = j; trace: stack ss:[00181A28]=00000020
10009839 99 cdq
1000983A F77D F8 idiv dword ptr ss:[ebp-0x8] ; edx = j % keylen
1000983D 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; eax = buf
10009840 0FBE5410 01 movsx edx,byte ptr ds:[eax+edx+0x1] ; edx = key byte buf[1 + (j % keylen)]; trace: ds:[14ED7E23]=54 ('T')
10009845 33CA xor ecx,edx ; ecx = arg[j] ^ key byte
10009847 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; eax = len; trace: eax=21
1000984A 2B45 E8 sub eax,dword ptr ss:[ebp-0x18] ; eax = len - j; trace: stack ss:[00181B28]=00000011
1000984D 33C8 xor ecx,eax ; ecx ^= (len - j), a position-dependent term
1000984F 8B55 E8 mov edx,dword ptr ss:[ebp-0x18] ; edx = j; poster's note: edx = 54
10009852 0355 F8 add edx,dword ptr ss:[ebp-0x8] ; edx = j + keylen; poster's note: edx = 11
10009855 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; eax = buf; trace: stack ss:[00181B34]=1537A560; poster's note: -c = eax = 10
10009858 884C10 01 mov byte ptr ds:[eax+edx+0x1],cl ; buf[1 + keylen + j] = cl (no bound against 0x41F4 is checked here); trace: cl=34 ('4')
1000985C ^ EB BE jmp short Core.1000981C ; next data byte
1000985E 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8] ; ecx = keylen
10009861 8B55 FC mov edx,dword ptr ss:[ebp-0x4] ; edx = len
10009864 8D440A 01 lea eax,dword ptr ds:[edx+ecx+0x1] ; total = len + keylen + 1
10009868 8945 F0 mov dword ptr ss:[ebp-0x10],eax ; [ebp-0x10] = total
1000986B 6A 07 push 0x7 ; second argument: constant 7
1000986D 0FB64D F8 movzx ecx,byte ptr ss:[ebp-0x8] ; first argument: low byte of keylen
10009871 51 push ecx
10009872 E8 E9FEFFFF call Core.10009760 ; helper(keylen, 7); its body is outside this listing
10009877 83C4 08 add esp,0x8
1000987A 0FB6D0 movzx edx,al ; take the helper's byte result
1000987D F7D2 not edx ; bitwise complement
1000987F 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
10009882 8810 mov byte ptr ds:[eax],dl ; buf[0] = ~helper(keylen, 7): keylen travels in the output in transformed form
10009884 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10]
10009887 51 push ecx ; third argument: total
10009888 8B55 F4 mov edx,dword ptr ss:[ebp-0xC]
1000988B 52 push edx ; second argument: buf
1000988C 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
1000988F 83C0 02 add eax,0x2
10009892 50 push eax ; first argument: arg + 2 (just past the length word)
10009893 E8 48FC0100 call Core.100294E0 ; called with (arg+2, buf, total); argument shape matches memcpy(dst, src, n), confirm; writes keylen + 3 bytes more than the original len
10009898 83C4 0C add esp,0xC
1000989B 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
1000989E 894D E0 mov dword ptr ss:[ebp-0x20],ecx
100098A1 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
100098A4 52 push edx ; argument: buf
100098A5 E8 958C0000 call Core.1001253F ; presumably releases buf (counterpart of Core.1001254A); confirm
100098AA 83C4 04 add esp,0x4
100098AD 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
100098B0 83C0 02 add eax,0x2 ; total + 2
100098B3 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
100098B6 66:8901 mov word ptr ds:[ecx],ax ; rewrite the 16-bit length field at arg with total + 2 (truncated to 16 bits)
100098B9 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
100098BC 83C0 02 add eax,0x2 ; return value = total + 2
100098BF 8BE5 mov esp,ebp ; frame teardown
100098C1 5D pop ebp
100098C2 C3 retn
===================================================================
核心的加密算法是在这里(即上面 1000982D–1000985C 的循环体;下面注释中的值是 [ebp-0x18]=0,也就是第一次循环时的跟踪结果):
; Body of the transform loop (1000982D-1000985C), with the debugger values of one iteration.
; Per the trace values below: j = [ebp-0x18] = 0, keylen = [ebp-0x8] = 3, len = [ebp-0x4] = 0x21.
; Each iteration computes buf[1 + keylen + j] = arg[j] ^ buf[1 + (j % keylen)] ^ (len - j).
; With these values: 0x21 ^ 0x34 ^ 0x21 = 0x34, which matches the stored cl=34.
; The combining operation is xor, not addition. The key bytes sit in the same buffer as the output,
; so this is obfuscation only (NOTE(review): it does not protect credentials on the wire by itself).
1000982D 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; eax = arg; trace: stack ss:[00181988]=001819E4
10009830 0345 E8 add eax,dword ptr ss:[ebp-0x18] ; eax = &arg[j]; trace: stack ss:[00181968]=00000000
10009833 0FBE08 movsx ecx,byte ptr ds:[eax] ; ecx = arg[j]; here arg[0], which equals the low byte of len; trace: ds:[001819E4]=21 ('!')
10009836 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; eax = j; trace: stack ss:[00181968]=00000000
10009839 99 cdq ; sign-extend eax into edx:eax for idiv
1000983A F77D F8 idiv dword ptr ss:[ebp-0x8] ; edx = j % keylen; trace: stack ss:[00181978]=00000003
1000983D 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; eax = buf; trace: stack ss:[00181974]=1679FEE0
10009840 0FBE5410 01 movsx edx,byte ptr ds:[eax+edx+0x1] ; edx = key byte buf[1 + (j % keylen)]; trace: ds:[1679FEE1]=34 ('4')
10009845 33CA xor ecx,edx ; ecx = arg[j] ^ key byte; trace: edx=00000034
10009847 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; eax = len; trace: stack ss:[0018197C]=00000021
1000984A 2B45 E8 sub eax,dword ptr ss:[ebp-0x18] ; eax = len - j; trace: stack ss:[00181968]=00000000
1000984D 33C8 xor ecx,eax ; ecx ^= (len - j); trace: eax=00000021
1000984F 8B55 E8 mov edx,dword ptr ss:[ebp-0x18] ; edx = j; trace: stack ss:[00181968]=00000000
10009852 0355 F8 add edx,dword ptr ss:[ebp-0x8] ; edx = j + keylen; trace: stack ss:[00181978]=00000003
10009855 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; eax = buf; trace: stack ss:[00181974]=1679FEE0
10009858 884C10 01 mov byte ptr ds:[eax+edx+0x1],cl ; buf[1 + keylen + j] = cl, here buf[4]; trace: cl=34 ('4')
1000985C ^ EB BE jmp short Core.1000981C ; back to the loop step (j = j + 1), which lies outside this excerpt