这是一个用cryptoapi加密文件的程序。
// Hex-Rays pseudocode (decompiler output, not compilable as written).
//
// Purpose: reads hFile in 0x10000-byte chunks, runs each chunk through
// CryptDecrypt with an AES key imported from a11, and stores the plaintext
// either in a newly created file or in a memory buffer reached through a2.
// Note that the only cipher call in this function is CryptDecrypt, so this
// routine is the decryption direction.
//
// Parameters (as far as the visible body shows):
//   a1          - passed unchanged as the data pointer for key parameter 1 (KP_IV),
//                 i.e. it points at the IV.
//   a2          - pointer to an object; the DWORD at index 4 (+16 bytes) is replaced
//                 with a new buffer object when output goes to memory.
//   hFile       - input handle, already opened by the caller; not closed here.
//   lpFileName, a8, a9 - NOTE(review): this looks like an inlined by-value
//                 std::wstring (in-place buffer when a9 < 8, heap pointer otherwise);
//                 a8 is presumably its length, so a8 != 0 would mean "a destination
//                 path was supplied" - confirm against the caller.
//   a11         - pointer to 32 bytes of raw key material.
//   a5, a6, a7, a10 - not referenced in the visible body.
//
// Returns v28, which becomes true only after the last (short) chunk has been
// read, decrypted and stored; every failure path returns 0.
char __fastcall sub_5E2F77D0(DWORD a1, const char *a2, HANDLE hFile, LPCWSTR lpFileName, int a5, int a6, int a7, int a8, int a9, int a10, int a11)
{
const void *v11; // ebx@1
const char *v12; // edi@1
DWORD v13; // esi@3
void (__stdcall ***v14)(_DWORD); // esi@5
void (__stdcall ***v15)(_DWORD); // ecx@7
const WCHAR *v16; // eax@11
const WCHAR *v17; // esi@14
int v18; // esi@21
bool v19; // bl@23
BYTE v21[4]; // [sp+14h] [bp-10178h]@4
int v22; // [sp+18h] [bp-10174h]@36
LARGE_INTEGER FileSize; // [sp+1Ch] [bp-10170h]@2
const char *v24; // [sp+24h] [bp-10168h]@1
HANDLE hObject; // [sp+28h] [bp-10164h]@1
HCRYPTKEY phKey; // [sp+2Ch] [bp-10160h]@18
DWORD NumberOfBytesRead; // [sp+30h] [bp-1015Ch]@1
bool v28; // [sp+37h] [bp-10155h]@1
struct _OSVERSIONINFOW VersionInformation; // [sp+38h] [bp-10154h]@14
// pbData, v31, v32 and v33 sit at consecutive stack offsets (14Ch, 150h, 154h, 158h).
// They are one key-blob structure that the decompiler split into four locals;
// see the CryptImportKey call below, which consumes all of them through pbData.
BYTE pbData[4]; // [sp+14Ch] [bp-10040h]@18
int v31; // [sp+150h] [bp-1003Ch]@18
int v32; // [sp+154h] [bp-10038h]@18
char v33; // [sp+158h] [bp-10034h]@18
// Buffer is shown as a single char, but the next local (v35) is 0x10010 bytes
// higher, so it is really the chunk buffer used by ReadFile/CryptDecrypt.
char Buffer; // [sp+178h] [bp-10014h]@22
int v35; // [sp+10188h] [bp-4h]@1
v11 = (const void *)a11;
v12 = a2;
v24 = a2;
NumberOfBytesRead = a1;
// v35 is only written (0, 1, 0) and never read; presumably the C++ EH state index.
v35 = 0;
v28 = 0;
hObject = 0;
if ( a8 )
{
// Output-to-file mode: pick the in-place characters or the heap pointer of the path.
v16 = lpFileName;
if ( (unsigned int)a9 < 8 )
v16 = (const WCHAR *)&lpFileName;
// 0x40000000 = GENERIC_WRITE, share mode 0, 2 = CREATE_ALWAYS, 0x80 = FILE_ATTRIBUTE_NORMAL:
// an existing destination file is overwritten.
hObject = CreateFileW(v16, 0x40000000u, 0, 0, 2u, 0x80u, 0);
if ( hObject == (HANDLE)-1 )
{
// INVALID_HANDLE_VALUE: throw an exception object carrying this message.
v24 = "Cannot open destination file\r\n";
std::exception::exception(&v22);
v22 = (int)&off_5E313084;
j__CxxThrowException(&v22, &dword_5E3160A4, &v24);
}
}
else
{
// Output-to-memory mode: size the result buffer from the input file size.
if ( !GetFileSizeEx(hFile, &FileSize) )
goto LABEL_33;
// Only the low 32 bits of the size are used, and only the exact value 149 is
// rejected. NOTE(review): a size below 149 wraps v13 to a very large DWORD, and
// sizes of 4 GiB or more are truncated. 149 is presumably the length of
// non-payload data in the file format - confirm.
v13 = FileSize.LowPart - 149;
if ( FileSize.LowPart == 149 )
goto LABEL_33;
*(_DWORD *)v21 = operator new(8);
LOBYTE(v35) = 1;
// sub_5E309E60 is not shown; presumably the constructor of an 8-byte buffer
// object that allocates v13 bytes (the decompiler appears to have dropped the
// this argument) - confirm.
if ( *(_DWORD *)v21 )
v14 = (void (__stdcall ***)(_DWORD))sub_5E309E60(v13);
else
v14 = 0;
LOBYTE(v35) = 0;
// Swap the new object into a2's slot at DWORD index 4. The previous object, if
// any and different, gets its first vtable entry called with argument 1
// (looks like a scalar deleting destructor).
v15 = (void (__stdcall ***)(_DWORD))*((_DWORD *)v12 + 4);
if ( v14 != v15 && v15 )
(**v15)(1);
*((_DWORD *)v12 + 4) = v14;
}
// From here on FileSize.HighPart is reused as storage for the HCRYPTPROV handle
// (decompiler stack-slot reuse); it no longer has anything to do with the file size.
FileSize.HighPart = 0;
// 276 matches the size of the structure (five DWORDs plus 128 WCHARs).
j_memset(&VersionInformation, 0, 276);
VersionInformation.dwOSVersionInfoSize = 276;
GetVersionExW(&VersionInformation);
// Systems with major version <= 5 get the "(Prototype)" provider name instead.
v17 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
if ( VersionInformation.dwMajorVersion <= 5 )
v17 = L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)";
// 0x18 = PROV_RSA_AES. First attempt uses 0xF0000000 (CRYPT_VERIFYCONTEXT), the
// fallback 0xF0000008 adds CRYPT_NEWKEYSET.
if ( CryptAcquireContextW((HCRYPTPROV *)&FileSize.HighPart, 0, v17, 0x18u, 0xF0000000)
|| CryptAcquireContextW((HCRYPTPROV *)&FileSize.HighPart, 0, v17, 0x18u, 0xF0000008) )
{
phKey = 0;
// Build a 0x2C-byte plaintext key blob in place:
//   pbData = 520 = 0x00000208 -> header bytes 08 02 00 00 (bType 8 = PLAINTEXTKEYBLOB, bVersion 2)
//   v31    = 26128 = 0x6610   -> algorithm id CALG_AES_256
//   v32    = 32               -> key length in bytes
//   v33    = first byte of the 32 key bytes copied from a11
// 8 (header) + 4 (length) + 32 (key) = 0x2C, the size passed to CryptImportKey.
// This is why v31/v32/v33 appear to be "assigned but never used".
*(_DWORD *)pbData = 520;
v31 = 26128;
v32 = 32;
qmemcpy(&v33, v11, 0x20u);
// NOTE(review): the raw key copy in these locals is not cleared anywhere in this
// function before it returns.
if ( CryptImportKey(FileSize.HighPart, pbData, 0x2Cu, 0, 0, &phKey) )
{
// Key parameter 4 = KP_MODE with value 1 = CRYPT_MODE_CBC;
// key parameter 1 = KP_IV, taken from the pointer passed in a1.
*(_DWORD *)v21 = 1;
if ( CryptSetKeyParam(phKey, 4u, v21, 0) && CryptSetKeyParam(phKey, 1u, (const BYTE *)NumberOfBytesRead, 0) )
{
// NumberOfBytesRead held a1 until now; from here it is the per-chunk byte count.
NumberOfBytesRead = 0;
// v18 = write offset into the memory buffer (memory mode only).
v18 = 0;
do
{
if ( !ReadFile(hFile, &Buffer, 0x10000u, &NumberOfBytesRead, 0) )
break;
// A short read marks the last chunk; the same condition is passed as the Final
// flag so the provider finishes the stream on that call.
// NOTE(review): a read of exactly 0x10000 bytes is never final, so input whose
// length is a multiple of 0x10000 ends with a zero-byte final call - verify how
// that case behaves.
v19 = NumberOfBytesRead < 0x10000;
// Decrypts in place; NumberOfBytesRead is updated to the plaintext length.
// No integrity check of the ciphertext is visible in this function.
if ( !CryptDecrypt(phKey, 0, NumberOfBytesRead < 0x10000, 0, (BYTE *)&Buffer, &NumberOfBytesRead) )
break;
if ( hObject )
{
// NumberOfBytesRead is both the length to write and the bytes-written output.
if ( !WriteFile(hObject, &Buffer, NumberOfBytesRead, &NumberOfBytesRead, 0) )
break;
}
else
{
// Append the chunk to the data pointer found by following a2's slot at DWORD
// index 4, then +4, then +12.
// NOTE(review): no check that v18 + NumberOfBytesRead stays within the size (v13)
// requested earlier is visible here.
j_memcpy(v18 + *(_DWORD *)(*(_DWORD *)(*((_DWORD *)v24 + 4) + 4) + 12), &Buffer, NumberOfBytesRead);
v18 += NumberOfBytesRead;
}
// Success is recorded only once the final chunk has been stored.
v28 = v19;
}
while ( !v19 );
}
CryptDestroyKey(phKey);
}
CryptReleaseContext(FileSize.HighPart, 0);
}
if ( hObject )
CloseHandle(hObject);
LABEL_33:
// Free the heap-allocated path characters (the a9 >= 8 case).
if ( (unsigned int)a9 >= 8 )
operator delete(lpFileName);
return v28;
}
IDA F5 之后的代码如上。但是 v31、v32、v33 只在此处被赋值,后面没有再被引用,这是怎么回事呢?
