-
-
[原创]某公司otp生成的so层分析备忘
-
发表于: 2020-2-15 09:08 5463
-
一、IDA打开libmkey.so,定位Java_com_netease_mkey_core_OtpLib_getOtp函数,这是一个jni函数,先f5看一下
/*
 * JNI entry point for the OTP computation (Hex-Rays pseudo-code, line breaks
 * restored).
 *
 * Parameter roles as given by the accompanying write-up:
 *   jnienv  JNIEnv pointer
 *   a2      jobject (receiver)
 *   a3      Java argument `e`, forwarded as get_otp's first argument
 *   a4      register r3, not used here
 *   a5, a6  the two 32-bit halves of the long from Long.parseLong(str)
 *   a7      the Java byte[] `str2`
 *
 * Returns whatever get_otp returns.
 *
 * NOTE(review): the write-up names the export ...OtpLib_getOtp; the trailing
 * "pp" in this listing looks like a transcription slip. Confirm against the
 * binary's export table.
 *
 * NOTE(review): nothing in this wrapper checks the result of
 * GetByteArrayElements for NULL or queries the array length. get_otp passes
 * v9 to my_md5 with a3 = 128, and my_md5 reads a3 >> 5 = 4 words (16 bytes)
 * from it, so a shorter array would be read past its end.
 */
int __fastcall Java_com_netease_mkey_core_OtpLib_getOtpp(JNIEnv *jnienv, int a2, int a3, int a4, int a5, int a6, int a7)
{
  int v7; // r4
  JNIEnv *jinenv2; // r5
  jbyte *v9; // r6
  int v10; // r1
  int v11; // r7

  v7 = a3;
  jinenv2 = jnienv;
  // Obtain a native pointer to the contents of the byte[] (isCopy argument is 0/NULL).
  v9 = (*jnienv)->GetByteArrayElements(jnienv, a7, 0);
  // Forwarded arguments: a3, a5, a6 and the bytes of a7. v10 is never assigned
  // in this listing (it is just whatever r1 holds); get_otp does not read its
  // second parameter, so this is a decompiler artifact rather than a data flow.
  v11 = get_otp(v7, v10, a5, a6, v9); // a3 a5 a6 a7
  // Mode 0 releases the native buffer and copies it back to the Java array.
  // The callee only reads the buffer in the listings shown, so no change is
  // expected to be written back.
  ((*jinenv2)->ReleaseByteArrayElements)(jinenv2, a7, v9, 0);
  return v11;
}
第一个参数a1改为JNIEnv *jnienv,第二个参数为jobject,a3为参数e。a4对应寄存器r3,没有用上(推测是ARM调用约定下为64位参数对齐而留出的填充,待确认)。动态调试一下发现,a5、a6两个参数合起来就是Long.parseLong(str)的结果:64位的long一个寄存器放不下,所以拆成了两个32位。a7为byte数组str2,先通过jni函数GetByteArrayElements取得native指针,使用完后再由ReleaseByteArrayElements释放并还原给Java的byte数组。
二、关键代码在get_otp函数里
/*
 * get_otp - derive a numeric one-time code from a timestamp, a serial number
 * and a key buffer (Hex-Rays pseudo-code, line breaks restored; HIBYTE, BYTE1
 * and BYTE2 are IDA helper macros).
 *
 *   a1      timestamp in seconds (the Java-side argument `e` per the write-up)
 *   a2      not read in this function
 *   a3, a4  the two 32-bit halves of the serial number; a3 looks like the low
 *           word and a4 the high word - confirm against the caller
 *   a5      pointer to the key bytes (str2), typed int by the decompiler
 *
 * Returns six decimal digits folded into one int. Leading zeros are not
 * representable in the int; the caller presumably zero-pads - not shown here.
 *
 * NOTE(review): the only input that is not time or serial is the buffer
 * behind a5, so the code's unpredictability rests on that buffer staying
 * secret.
 */
int __fastcall get_otp(int a1, int a2, unsigned int a3, unsigned int a4, int a5)
{
  unsigned int strr; // ST08_4   a3/a4 carry the serial number; a5 carries the bytes of str2
  unsigned int strr2; // ST0C_4
  struct tm *tm; // r4
  int tm_y; // r0
  unsigned int strr_nor; // r4
  signed int v10; // r4
  int result; // r0
  unsigned __int8 v12; // r1
  time_t timer; // [sp+14h] [bp-244h]
  int v14[129]; // [sp+18h] [bp-240h]
  // The 14 chars from s to strr_nor_h plus two unnamed bytes occupy
  // bp-3Ch..bp-2Dh, i.e. one contiguous 16-byte block that is passed to
  // my_sha256 as &s.
  char s; // [sp+21Ch] [bp-3Ch]
  char v16; // [sp+21Dh] [bp-3Bh]
  char v17; // [sp+21Eh] [bp-3Ah]
  char tm_m; // [sp+21Fh] [bp-39h]
  char tm_d; // [sp+220h] [bp-38h]
  char tm_h; // [sp+221h] [bp-37h]
  char tm_mi; // [sp+222h] [bp-36h]
  char tm_sec; // [sp+223h] [bp-35h]
  char strr_nor2; // [sp+224h] [bp-34h]
  char strr_nor3; // [sp+225h] [bp-33h]
  char strr_h; // [sp+226h] [bp-32h]
  char strr_nor_b1; // [sp+227h] [bp-31h]
  char strr_nor_b2; // [sp+228h] [bp-30h]
  char strr_nor_h; // [sp+229h] [bp-2Fh]
  char v29[16]; // [sp+22Ch] [bp-2Ch]

  strr = a3;
  strr2 = a4;
  // 28800 s = 8 h: shifting the timestamp before gmtime() yields broken-down
  // time for UTC+8 (presumably China Standard Time). The offset is unrelated
  // to tm_year being counted from 1900.
  timer = a1 + 28800;
  // NOTE(review): gmtime() can return NULL and returns a pointer to shared
  // static storage; the result is dereferenced below without a check.
  tm = gmtime(&timer);
  memset(&s, 0, 16u); // zero the whole 16-byte block that starts at s
  tm_y = tm->tm_year;
  v16 = 20; // block byte 1: constant 20
  s = 0; // block byte 0
  v17 = tm_y % 10; // block byte 2: last decimal digit of tm_year
  tm_m = tm->tm_mon; // block bytes 3..6: tm_mon (0-based), tm_mday, tm_hour, tm_min
  tm_d = tm->tm_mday;
  tm_h = tm->tm_hour;
  tm_mi = tm->tm_min;
  tm_sec = 30 * (tm->tm_sec / 30); // block byte 7: seconds rounded down to 0 or 30, i.e. a 30-second step
  // Byte-swap of strr; its four bytes land in block bytes 10..13 below, which
  // stores strr most-significant byte first.
  strr_nor = (strr << 24) | (strr >> 24) | ((strr & 0xFF00) << 8) | ((strr & 0xFF0000) >> 8);
  strr_h = HIBYTE(strr);
  // Block bytes 8..9: bits 15..8 and bits 7..0 of strr2 (bytes 2 and 3 of the
  // byte-swapped value), so only the low 16 bits of strr2 are used.
  strr_nor2 = ((strr2 << 24) | (strr2 >> 24) | ((strr2 & 0xFF00) << 8) | ((strr2 & 0xFF0000) >> 8)) >> 16;
  strr_nor3 = ((strr2 << 24) | (strr2 >> 24) | ((strr2 & 0xFF00) << 8) | ((strr2 & 0xFF0000) >> 8)) >> 24;
  strr_nor_b1 = BYTE1(strr_nor);
  strr_nor_b2 = BYTE2(strr_nor);
  strr_nor_h = HIBYTE(strr_nor);
  // At this point the first 14 bytes of the block encode the time step and
  // the serial number; the last two bytes stay zero from the memset.
  // NOTE(review): despite their names, my_md5 and my_sha256 as listed in this
  // write-up have the shape of an AES-128 key expansion and a table-driven
  // single-block AES encryption; confirm by comparing the lookup tables with
  // the standard AES tables.
  my_md5(v14, a5, 128); // build the 129-dword context v14 from the key bytes at a5 (128-bit key)
  v10 = 10;
  my_sha256(v14, &s, v29); // transform the 16-byte block under context v14 into v29
  result = 0;
  do
  {
    // Six iterations over v29[10..15]: each byte contributes one decimal digit.
    // 256 is not a multiple of 10, so digits 0-5 are slightly more likely than
    // 6-9. NOTE(review): v29 is typed char by the decompiler; this equals
    // "byte mod 10" only if the byte is treated as unsigned - confirm against
    // the disassembly.
    v12 = v29[v10++] % 0xAu;
    result = 10 * result + v12;
  }
  while ( v10 != 16 );
  return result;
}
很清晰。首先,通过一系列操作把时间戳e与序列号str转换成s数组的第1-14字节(s数组共16字节);然后调用my_md5处理a5(也就是参数str2),结果放在v14中。简单看一下堆栈:
-00000240 v14             DCD 129 dup(?)    ; v14是my_md5的结果,共129个dword
-0000003C s               DCB ?             ; s数组开始
-0000003B anonymous_0     DCB ?
-0000003A anonymous_1     DCB ?
-00000039 tm_m            DCB ?
-00000038 tm_d            DCB ?
-00000037 tm_h            DCB ?
-00000036 tm_mi           DCB ?
-00000035 tm_sec          DCB ?
-00000034 strr_nor2       DCB ?
-00000033 strr_nor3       DCB ?
-00000032 strr_h          DCB ?
-00000031 strr_nor_b1     DCB ?
-00000030 strr_nor_b2     DCB ?
-0000002F strr_nor_h      DCB ?
-0000002E                 DCB ? ; undefined
-0000002D                 DCB ? ; undefined   s数组结束
-0000002C var_2C          DCB 16 dup(?)     ; 这是v29,my_sha256的结果
-0000001C var_1C          DCD ?
三、简单看下my_md5,比较清晰:生成的v14共有129个dword,不算最后一个共512个字节。调用处为 my_md5(v14,a5, 128); // 把a5按128位经my_md5处理,结果放入v14
1.if a3=128 v5=10 a1[128]=10
2.fori=0:3 通过a2[i,i+3]字节生成a1字节a1[0-3]生成
3.通过a1[0-3]位与dword_4D14[a1[3]经过运算]生成a1[4-7] 循环到a1[40-43]停止
4.初始化KT0-KT4[256]
5.a1[64-67]=a1[40-43]
6.循环9次,通过a1[40-4i]作为下标运算KT0123生成a1[64+4i] a1[41-4i]作为下标运算KT0123生成a1[65+4i] a1[42-4i]作为下标运算KT0123生成a1[66+4i] a1[43-4i]作为下标运算KT0123生成a1[67+4i]
最终生成a1[68-103]
7.a1[104]=a1[0]a1[105]=a1[1]a1[106]=a1[2]a1[107]=a1[3]
/*
 * my_md5 - fill the 129-dword context a1 from the key bytes at a2
 * (Hex-Rays pseudo-code, line breaks restored).
 *
 *   a1  context: a1[0..43] receive the expanded words, a1[64..107] receive a
 *       second copy in reversed 4-word-group order (the nine middle groups
 *       passed through KT0..KT3), a1[128] is set to 10
 *   a2  key bytes; a3 >> 5 big-endian 32-bit words are read from it
 *   a3  key size in bits; only 128 has a case in the switch below
 *
 * Always returns 0.
 *
 * The 256-entry lookups all use an index offset of +10 from a dword_XXXX
 * label, while dword_4D14[0..9] is read separately as one constant per
 * expansion step; the tables therefore appear to begin 10 dwords after each
 * label.
 *
 * NOTE(review): despite the name, this has the shape of the AES-128
 * (Rijndael) key schedule followed by the derivation of a decryption
 * schedule: four key words, ten expansion steps with a per-step constant and
 * a byte-substitution table, then a reversed, table-transformed copy.
 * Confirm by comparing dword_4D14[10..265] with the standard AES S-box.
 *
 * NOTE(review): several table indexes below appear without an explicit
 * & 0xFF (for example KT3[a1a36in]); the binary presumably truncates them to
 * one byte and the decompiler dropped the mask - confirm in the disassembly.
 */
signed int __fastcall my_md5(int *a1, unsigned __int8 *a2, int a3)
{
  int *a1a; // r5
  int a3a; // r6
  signed int v5; // r2
  unsigned __int8 *s22; // r2
  int *a1aaa; // r0
  int v8; // r1
  int v9; // r3
  int v10; // r7
  int *a1aa; // r3
  int *dword_4D14a; // r2
  int dword_4D14_0; // r6
  unsigned int a1aaa3; // r1
  int v15; // r6
  int a1aa1; // r7
  int v17; // r7
  int *v18; // r2
  int v19; // r6
  unsigned int v20; // r1
  int v21; // r6
  int v22; // r7
  int v23; // r7
  int v24; // r6
  int v25; // r6
  int v26; // r6
  unsigned int v27; // r1
  int v28; // r7
  int v29; // r0
  int v30; // r7
  int v31; // r0
  int v32; // r7
  int v33; // r0
  int v34; // r7
  unsigned int v35; // r0
  int v36; // r7
  int v37; // r0
  int v38; // r7
  int v39; // r0
  int v40; // r7
  int v41; // r0
  int v42; // r2
  int v43; // r1
  int v44; // ST10_4
  _DWORD *v45; // r2
  int v46; // r1
  int a44in; // r3
  int *a1a68; // r2
  unsigned int a1a39in; // r1
  unsigned int a1a36in; // r1
  signed int result; // r0
  unsigned __int8 *s2; // [sp+Ch] [bp-24h]
  signed int v53; // [sp+14h] [bp-1Ch]

  s2 = a2;
  a1a = a1;
  a3a = a3;
  // One-time initialisation guarded by a global flag; the body of iVc3tO is
  // not part of this listing.
  if ( do_init )
  {
    iVc3tO();
    do_init = 0;
  }
  v5 = 10;
  a1a[128] = v5; // step count stored in the context; set to 10 whatever a3 is
  s22 = s2;
  a1aaa = a1a;
  v8 = 0;
  // Load a3 >> 5 words (4 when a3 is 128) from the key, each assembled
  // most-significant byte first, into a1[0..3].
  while ( v8 < a3a >> 5 )
  {
    ++v8;
    v9 = (s22[1] << 16) | (*s22 << 24) | s22[3];
    v10 = s22[2];
    s22 += 4;
    *a1aaa = (v10 << 8) | v9;
    ++a1aaa;
  }
  a1aa = a1a;
  switch ( a3a )
  {
    case 128:
      // Ten expansion steps: each derives a1[i+4..i+7] from a1[i..i+3], the
      // substituted and rotated last word, and one constant from
      // dword_4D14[0..9]; the loop stops once a1[40..43] has been produced.
      dword_4D14a = dword_4D14;
      do
      {
        dword_4D14_0 = *dword_4D14a;
        ++dword_4D14a;
        a1aaa3 = a1aa[3];
        v15 = (dword_4D14[(a1aaa3 >> 8) + 10] << 16) ^ dword_4D14_0 ^ *a1aa ^ (dword_4D14[a1aaa3 + 10] << 8) ^ dword_4D14[(a1aaa3 >> 24) + 10] ^ (dword_4D14[((a1aaa3 >> 16) & 0xFF) + 10] << 24);
        a1aa1 = a1aa[1];
        a1aa[4] = v15;
        a1aa[5] = v15 ^ a1aa1;
        v17 = v15 ^ a1aa1 ^ a1aa[2];
        a1aa[7] = a1aaa3 ^ v17;
        a1aa[6] = v17;
        a1aa += 4;
      }
      while ( dword_4D14a != &dword_4D14[10] );
      a1aa = a1a + 40; // points at the last expanded group, a1[40..43]
      break;
  }
  // One-time build of KT0..KT3 (256 entries each): every entry is looked up
  // in dword_5114 / dword_5514 / dword_5914 / dword_5D14 using the
  // substitution value dword_4D14[i + 10] as the index.
  if ( KT_init )
  {
    v42 = 0;
    do
    {
      v43 = dword_4D14[v42 + 10];
      v44 = dword_4D14[v42 + 10];
      KT0[v42] = dword_5114[v43 + 10];
      KT1[v42] = dword_5514[v43 + 10];
      KT2[v42] = dword_5914[v44 + 10];
      KT3[v42] = dword_5D14[v44 + 10];
      ++v42;
    }
    while ( v42 != 256 );
    KT_init = 0;
  }
  // a1[64..67] = a1[40..43]: the last expanded group is copied unchanged.
  v45 = a1a + 63;
  v45[1] = *a1aa;
  v45[2] = a1aa[1];
  v53 = 1;
  v45[3] = a1aa[2];
  v46 = a1aa[3];
  // a44in holds the address of a1[44] as a plain integer, so the offsets
  // applied to it below (-32, -28, -24, -20, -= 16) are in bytes.
  a44in = (a1aa + 4);
  v45[4] = v46;
  a1a68 = a1a + 68;
  while ( 1 )
  {
    a1a36in = *(a44in - 32); // first pass: a1[36] (32 bytes = 8 dwords before a1[44])
    // a1[128] is 10 and v53 starts at 1, so the body runs nine times:
    // a1[64+4i .. 67+4i] are computed from a1[40-4i .. 43-4i] through KT0..KT3.
    if ( v53 >= a1a[128] )
      break;
    *a1a68 = KT3[a1a36in] ^ KT0[a1a36in >> 24] ^ KT1[(a1a36in >> 16) & 0xFF] ^ KT2[a1a36in >> 8];
    a1a68[1] = KT3[*(a44in - 28) & 0xFF] ^ KT0[*(a44in - 28) >> 24] ^ KT1[(*(a44in - 28) >> 16) & 0xFF] ^ KT2[*(a44in - 28) >> 8];
    a1a68[2] = KT3[*(a44in - 24) & 0xFF] ^ KT0[*(a44in - 24) >> 24] ^ KT1[(*(a44in - 24) >> 16) & 0xFF] ^ KT2[*(a44in - 24) >> 8];
    a1a39in = *(a44in - 20); // first pass: a1[39]
    a44in -= 16; // step the source back by 4 dwords; it ends at the address of a1[8]
    a1a68[3] = KT0[a1a39in >> 24] ^ KT1[(a1a39in >> 16) & 0xFF] ^ KT3[a1a39in] ^ KT2[a1a39in >> 8];
    a1a68 += 4; // destination advances by 4 dwords; it ends at a1[104]
    ++v53;
  }
  // On exit a44in addresses a1[8], so a1a36in holds a1[0]; the first group is
  // copied unchanged: a1[104..107] = a1[0..3].
  *a1a68 = a1a36in;
  result = 0;
  a1a68[1] = *(a44in - 28);
  a1a68[2] = *(a44in - 24);
  a1a68[3] = *(a44in - 20);
  return result;
}
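四、my_sha256函数比较复杂,是把上一步生成的s数组与my_md5的结果v14经过一些计算。我看了半天,也没搞明白它跟sha256算法有什么关系,希望大佬来解释一下,密码学学的很渣(手动狗头)。(补注:从代码结构看,my_md5更像AES-128的密钥扩展,my_sha256更像基于查表的AES-128单分组加密,函数名与实际算法可能并不对应;可以把dword_4D14等表与标准AES的S盒/T表比对来确认。)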
1.首先,分别取a1和a2前4个4字节运算生成v3v4v5v6
1.首先,分别取a1和a2前4个4字节运算生成v3v4v5v6
2.然后,通过a1的4567字节与v3456运算生成双字数组dword_6114,6514,6914,6d14的下标取出4个字节异或v78910循环到v35363738最后生成v54555339
3.如果a1[128]>10 通过a1的40-43与v54555339生成v41424344 通过v41424344与a1的44-47重新生成v54555339 v40=a1+44 如果a1[128]>12 通过a1的48-51与v54555339生成v45464748 通过v45464748与a1的52-55重新生成v54555339 v40=a1+52否则a1[128]<=10,通过上文我们知道a1[128]=10,所以直接跑这一句 v40=a1+36
4.通过v40的4-7与v54555339运算得到dword_4D14下标生成v495051与result返回值将v495051与result填充到v56的0-15位
3.如果a1[128]>10 通过a1的40-43与v54555339生成v41424344 通过v41424344与a1的44-47重新生成v54555339 v40=a1+44 如果a1[128]>12 通过a1的48-51与v54555339生成v45464748 通过v45464748与a1的52-55重新生成v54555339 v40=a1+52否则a1[128]<=10,通过上文我们知道a1[128]=10,所以直接跑这一句 v40=a1+36
4.通过v40的4-7与v54555339运算得到dword_4D14下标生成v495051与result返回值将v495051与result填充到v56的0-15位
/*
 * my_sha256 - transform one 16-byte block a2 under the context a1 and write
 * 16 bytes to a3 (Hex-Rays pseudo-code, line breaks restored; HIBYTE, BYTE1,
 * BYTE2 and _byteswap_ulong are decompiler helpers).
 *
 *   a1  the 129-dword context produced by my_md5 (v14 in get_otp);
 *       a1[128] is the step count
 *   a2  the 16-byte input block (the s array in get_otp), read as 4 dwords
 *   a3  16-byte output buffer
 *
 * Returns the last of the four output words, which is also stored
 * most-significant byte first at a3[12..15].
 *
 * Structure visible below: the byte-swapped input words are XORed with
 * a1[0..3]; nine table steps follow, each combining lookups in dword_6114,
 * dword_6514, dword_6914 and dword_6D14 with the next four context words
 * (a1[4..39]); extra steps run only when a1[128] > 10 or > 12; a final step
 * uses the dword_4D14 substitution table and the four context words at
 * v40[4..7].
 *
 * NOTE(review): despite the name, this matches the shape of a table-driven
 * AES (Rijndael) block encryption - initial key XOR, T-table steps, S-box
 * final step, with the > 10 / > 12 branches corresponding to longer keys.
 * Confirm by comparing the tables with the standard AES tables.
 *
 * NOTE(review): indexes such as dword_6114[v6 + 10] and
 * dword_6D14[(v5 >> 8) + 10] appear without & 0xFF; the binary presumably
 * truncates them to one byte - confirm in the disassembly.
 */
int __fastcall my_sha256(_DWORD *a1, unsigned int *a2, _BYTE *a3)
{
  unsigned int v3; // ST0C_4   a1: my_md5 result (v14); a2: the s array; a3: output buffer
  unsigned int v4; // ST10_4
  unsigned int v5; // r7
  unsigned int v6; // r6
  unsigned int v7; // ST14_4
  unsigned int v8; // ST18_4
  unsigned int v9; // ST1C_4
  unsigned int v10; // r6
  unsigned int v11; // ST0C_4
  unsigned int v12; // ST10_4
  unsigned int v13; // ST24_4
  unsigned int v14; // r6
  unsigned int v15; // ST14_4
  unsigned int v16; // ST18_4
  unsigned int v17; // ST1C_4
  unsigned int v18; // r7
  unsigned int v19; // ST0C_4
  unsigned int v20; // ST10_4
  unsigned int v21; // ST28_4
  unsigned int v22; // r5
  unsigned int v23; // ST1C_4
  unsigned int v24; // ST24_4
  unsigned int v25; // ST2C_4
  unsigned int v26; // r6
  unsigned int v27; // ST0C_4
  unsigned int v28; // ST10_4
  unsigned int v29; // ST34_4
  unsigned int v30; // r6
  unsigned int v31; // ST1C_4
  unsigned int v32; // ST24_4
  unsigned int v33; // ST08_4
  unsigned int v34; // r6
  unsigned int v35; // ST2C_4
  unsigned int v36; // ST34_4
  unsigned int v37; // ST00_4
  unsigned int v38; // r7
  unsigned int v39; // r5
  _DWORD *v40; // r7
  unsigned int v41; // ST34_4
  unsigned int v42; // r1
  unsigned int v43; // r4
  unsigned int v44; // r3
  unsigned int v45; // ST14_4
  unsigned int v46; // ST18_4
  unsigned int v47; // ST28_4
  unsigned int v48; // r5
  int v49; // r1
  int v50; // r2
  int v51; // r4
  int result; // r0
  unsigned int v53; // [sp+8h] [bp-48h]
  unsigned int v54; // [sp+Ch] [bp-44h]
  unsigned int v55; // [sp+10h] [bp-40h]
  _BYTE *v56; // [sp+20h] [bp-30h]
  signed int v57; // [sp+24h] [bp-2Ch]

  v56 = a3;
  // a2 is 16 bytes (4 dwords); a1 is the 129-dword context.
  // Initial mix: byte-swapped input words XOR a1[0..3].
  v3 = _byteswap_ulong(*a2) ^ *a1;
  v4 = _byteswap_ulong(a2[1]) ^ a1[1];
  v5 = _byteswap_ulong(a2[2]) ^ a1[2];
  v6 = _byteswap_ulong(a2[3]) ^ a1[3];
  // Table step 1: v3..v6 with a1[4..7] -> v7..v10.
  v7 = dword_6114[v6 + 10] ^ a1[4] ^ dword_6514[(v3 >> 24) + 10] ^ dword_6914[((v4 >> 16) & 0xFF) + 10] ^ dword_6D14[(v5 >> 8) + 10];
  v8 = dword_6114[v3 + 10] ^ a1[5] ^ dword_6514[(v4 >> 24) + 10] ^ dword_6914[((v5 >> 16) & 0xFF) + 10] ^ dword_6D14[(v6 >> 8) + 10];
  v9 = dword_6D14[(v3 >> 8) + 10] ^ dword_6114[v4 + 10] ^ a1[6] ^ dword_6514[(v5 >> 24) + 10] ^ dword_6914[((v6 >> 16) & 0xFF) + 10];
  v10 = dword_6D14[(v4 >> 8) + 10] ^ a1[7] ^ dword_6114[v5 + 10] ^ dword_6514[(v6 >> 24) + 10] ^ dword_6914[((v3 >> 16) & 0xFF) + 10];
  // Table step 2: a1[8..11] -> v11..v14.
  v11 = dword_6114[v10 + 10] ^ a1[8] ^ dword_6514[(v7 >> 24) + 10] ^ dword_6914[((v8 >> 16) & 0xFF) + 10] ^ dword_6D14[(v9 >> 8) + 10];
  v12 = dword_6114[v7 + 10] ^ a1[9] ^ dword_6514[(v8 >> 24) + 10] ^ dword_6914[((v9 >> 16) & 0xFF) + 10] ^ dword_6D14[(v10 >> 8) + 10];
  v13 = dword_6114[v8 + 10] ^ a1[10] ^ dword_6514[(v9 >> 24) + 10] ^ dword_6914[((v10 >> 16) & 0xFF) + 10] ^ dword_6D14[(v7 >> 8) + 10];
  v14 = a1[11] ^ dword_6114[v9 + 10] ^ dword_6514[(v10 >> 24) + 10] ^ dword_6914[((v7 >> 16) & 0xFF) + 10] ^ dword_6D14[(v8 >> 8) + 10];
  // Table step 3: a1[12..15] -> v15..v18.
  v15 = dword_6114[v14 + 10] ^ a1[12] ^ dword_6514[(v11 >> 24) + 10] ^ dword_6914[((v12 >> 16) & 0xFF) + 10] ^ dword_6D14[(v13 >> 8) + 10];
  v16 = dword_6114[v11 + 10] ^ a1[13] ^ dword_6514[(v12 >> 24) + 10] ^ dword_6914[((v13 >> 16) & 0xFF) + 10] ^ dword_6D14[(v14 >> 8) + 10];
  v17 = dword_6D14[(v11 >> 8) + 10] ^ dword_6114[v12 + 10] ^ a1[14] ^ dword_6514[(v13 >> 24) + 10] ^ dword_6914[((v14 >> 16) & 0xFF) + 10];
  v18 = a1[15] ^ dword_6114[v13 + 10] ^ dword_6514[(v14 >> 24) + 10] ^ dword_6914[((v11 >> 16) & 0xFF) + 10] ^ dword_6D14[(v12 >> 8) + 10];
  // Table step 4: a1[16..19] -> v19..v22.
  v19 = dword_6114[v18 + 10] ^ a1[16] ^ dword_6514[(v15 >> 24) + 10] ^ dword_6914[((v16 >> 16) & 0xFF) + 10] ^ dword_6D14[(v17 >> 8) + 10];
  v20 = dword_6114[v15 + 10] ^ a1[17] ^ dword_6514[(v16 >> 24) + 10] ^ dword_6914[((v17 >> 16) & 0xFF) + 10] ^ dword_6D14[(v18 >> 8) + 10];
  v21 = dword_6114[v16 + 10] ^ a1[18] ^ dword_6514[(v17 >> 24) + 10] ^ dword_6914[((v18 >> 16) & 0xFF) + 10] ^ dword_6D14[(v15 >> 8) + 10];
  v22 = a1[19] ^ dword_6114[v17 + 10] ^ dword_6514[(v18 >> 24) + 10] ^ dword_6914[((v15 >> 16) & 0xFF) + 10] ^ dword_6D14[(v16 >> 8) + 10];
  // Table step 5: a1[20..23] -> v23..v26.
  v23 = dword_6114[v22 + 10] ^ a1[20] ^ dword_6514[(v19 >> 24) + 10] ^ dword_6914[((v20 >> 16) & 0xFF) + 10] ^ dword_6D14[(v21 >> 8) + 10];
  v24 = dword_6114[v19 + 10] ^ a1[21] ^ dword_6514[(v20 >> 24) + 10] ^ dword_6914[((v21 >> 16) & 0xFF) + 10] ^ dword_6D14[(v22 >> 8) + 10];
  v25 = dword_6D14[(v19 >> 8) + 10] ^ dword_6114[v20 + 10] ^ a1[22] ^ dword_6514[(v21 >> 24) + 10] ^ dword_6914[((v22 >> 16) & 0xFF) + 10];
  v26 = a1[23] ^ dword_6114[v21 + 10] ^ dword_6514[(v22 >> 24) + 10] ^ dword_6914[((v19 >> 16) & 0xFF) + 10] ^ dword_6D14[(v20 >> 8) + 10];
  // Table step 6: a1[24..27] -> v27..v30.
  v27 = dword_6114[v26 + 10] ^ a1[24] ^ dword_6514[(v23 >> 24) + 10] ^ dword_6914[((v24 >> 16) & 0xFF) + 10] ^ dword_6D14[(v25 >> 8) + 10];
  v28 = dword_6114[v23 + 10] ^ a1[25] ^ dword_6514[(v24 >> 24) + 10] ^ dword_6914[((v25 >> 16) & 0xFF) + 10] ^ dword_6D14[(v26 >> 8) + 10];
  v29 = dword_6114[v24 + 10] ^ a1[26] ^ dword_6514[(v25 >> 24) + 10] ^ dword_6914[((v26 >> 16) & 0xFF) + 10] ^ dword_6D14[(v23 >> 8) + 10];
  v30 = a1[27] ^ dword_6114[v25 + 10] ^ dword_6514[(v26 >> 24) + 10] ^ dword_6914[((v23 >> 16) & 0xFF) + 10] ^ dword_6D14[(v24 >> 8) + 10];
  // Table step 7: a1[28..31] -> v31..v34.
  v31 = dword_6114[v30 + 10] ^ a1[28] ^ dword_6514[(v27 >> 24) + 10] ^ dword_6914[((v28 >> 16) & 0xFF) + 10] ^ dword_6D14[(v29 >> 8) + 10];
  v32 = dword_6114[v27 + 10] ^ a1[29] ^ dword_6514[(v28 >> 24) + 10] ^ dword_6914[((v29 >> 16) & 0xFF) + 10] ^ dword_6D14[(v30 >> 8) + 10];
  v33 = dword_6D14[(v27 >> 8) + 10] ^ dword_6114[v28 + 10] ^ a1[30] ^ dword_6514[(v29 >> 24) + 10] ^ dword_6914[((v30 >> 16) & 0xFF) + 10];
  v34 = dword_6514[(v30 >> 24) + 10] ^ a1[31] ^ dword_6114[v29 + 10] ^ dword_6914[((v27 >> 16) & 0xFF) + 10] ^ dword_6D14[(v28 >> 8) + 10];
  // Table step 8: a1[32..35] -> v35..v38.
  v35 = dword_6114[v34 + 10] ^ a1[32] ^ dword_6514[(v31 >> 24) + 10] ^ dword_6914[((v32 >> 16) & 0xFF) + 10] ^ dword_6D14[(v33 >> 8) + 10];
  v36 = dword_6114[v31 + 10] ^ a1[33] ^ dword_6514[(v32 >> 24) + 10] ^ dword_6914[((v33 >> 16) & 0xFF) + 10] ^ dword_6D14[(v34 >> 8) + 10];
  v37 = dword_6114[v32 + 10] ^ a1[34] ^ dword_6514[(v33 >> 24) + 10] ^ dword_6914[((v34 >> 16) & 0xFF) + 10] ^ dword_6D14[(v31 >> 8) + 10];
  v38 = a1[35] ^ dword_6114[v33 + 10] ^ dword_6514[(v34 >> 24) + 10] ^ dword_6914[((v31 >> 16) & 0xFF) + 10] ^ dword_6D14[(v32 >> 8) + 10];
  // Table step 9: a1[36..39] -> v54, v55, v53, v39.
  v54 = dword_6114[v38 + 10] ^ a1[36] ^ dword_6514[(v35 >> 24) + 10] ^ dword_6914[((v36 >> 16) & 0xFF) + 10] ^ dword_6D14[(v37 >> 8) + 10];
  v55 = dword_6114[v35 + 10] ^ a1[37] ^ dword_6514[(v36 >> 24) + 10] ^ dword_6914[((v37 >> 16) & 0xFF) + 10] ^ dword_6D14[(v38 >> 8) + 10];
  v53 = dword_6D14[(v35 >> 8) + 10] ^ dword_6114[v36 + 10] ^ a1[38] ^ dword_6514[(v37 >> 24) + 10] ^ dword_6914[((v38 >> 16) & 0xFF) + 10];
  v39 = a1[39] ^ dword_6114[v37 + 10] ^ dword_6514[(v38 >> 24) + 10] ^ dword_6914[((v35 >> 16) & 0xFF) + 10] ^ dword_6D14[(v36 >> 8) + 10];
  v57 = a1[128];
  // my_md5 as listed always stores 10 in a1[128], so with that context the
  // else branch below is the one taken.
  if ( v57 > 10 )
  {
    // Two extra table steps using a1[40..47].
    v41 = dword_6114[v39 + 10] ^ a1[40] ^ dword_6514[(v54 >> 24) + 10] ^ dword_6914[((v55 >> 16) & 0xFF) + 10] ^ dword_6D14[(v53 >> 8) + 10];
    v42 = dword_6D14[(v39 >> 8) + 10] ^ dword_6114[v54 + 10] ^ a1[41] ^ dword_6514[(v55 >> 24) + 10] ^ dword_6914[((v53 >> 16) & 0xFF) + 10];
    v43 = dword_6114[v55 + 10] ^ a1[42] ^ dword_6514[(v53 >> 24) + 10] ^ dword_6914[((v39 >> 16) & 0xFF) + 10] ^ dword_6D14[(v54 >> 8) + 10];
    v44 = a1[43] ^ dword_6114[v53 + 10] ^ dword_6514[(v39 >> 24) + 10] ^ dword_6914[((v54 >> 16) & 0xFF) + 10] ^ dword_6D14[(v55 >> 8) + 10];
    v54 = dword_6114[v44 + 10] ^ a1[44] ^ dword_6514[(v41 >> 24) + 10] ^ dword_6914[((v42 >> 16) & 0xFF) + 10] ^ dword_6D14[(v43 >> 8) + 10];
    v55 = dword_6114[v41 + 10] ^ a1[45] ^ dword_6514[(v42 >> 24) + 10] ^ dword_6914[((v43 >> 16) & 0xFF) + 10] ^ dword_6D14[(v44 >> 8) + 10];
    v53 = dword_6114[v42 + 10] ^ a1[46] ^ dword_6514[(v43 >> 24) + 10] ^ dword_6914[((v44 >> 16) & 0xFF) + 10] ^ dword_6D14[(v41 >> 8) + 10];
    v39 = dword_6914[((v41 >> 16) & 0xFF) + 10] ^ a1[47] ^ dword_6114[v43 + 10] ^ dword_6514[(v44 >> 24) + 10] ^ dword_6D14[(v42 >> 8) + 10];
    v40 = a1 + 44;
    if ( v57 > 12 )
    {
      // Two further table steps using a1[48..55].
      v45 = dword_6114[v39 + 10] ^ a1[48] ^ dword_6514[(v54 >> 24) + 10] ^ dword_6914[((v55 >> 16) & 0xFF) + 10] ^ dword_6D14[(v53 >> 8) + 10];
      v46 = dword_6114[v54 + 10] ^ a1[49] ^ dword_6514[(v55 >> 24) + 10] ^ dword_6914[((v53 >> 16) & 0xFF) + 10] ^ dword_6D14[(v39 >> 8) + 10];
      v47 = dword_6114[v55 + 10] ^ a1[50] ^ dword_6514[(v53 >> 24) + 10] ^ dword_6914[((v39 >> 16) & 0xFF) + 10] ^ dword_6D14[(v54 >> 8) + 10];
      v40 = a1 + 52;
      v48 = dword_6D14[(v55 >> 8) + 10] ^ a1[51] ^ dword_6114[v53 + 10] ^ dword_6514[(v39 >> 24) + 10] ^ dword_6914[((v54 >> 16) & 0xFF) + 10];
      v54 = dword_6114[v48 + 10] ^ a1[52] ^ dword_6514[(v45 >> 24) + 10] ^ dword_6914[((v46 >> 16) & 0xFF) + 10] ^ dword_6D14[(v47 >> 8) + 10];
      v55 = dword_6114[v45 + 10] ^ a1[53] ^ dword_6514[(v46 >> 24) + 10] ^ dword_6914[((v47 >> 16) & 0xFF) + 10] ^ dword_6D14[(v48 >> 8) + 10];
      v53 = dword_6D14[(v45 >> 8) + 10] ^ dword_6114[v46 + 10] ^ a1[54] ^ dword_6514[(v47 >> 24) + 10] ^ dword_6914[((v48 >> 16) & 0xFF) + 10];
      v39 = dword_6D14[(v46 >> 8) + 10] ^ dword_6114[v47 + 10] ^ a1[55] ^ dword_6514[(v48 >> 24) + 10] ^ dword_6914[((v45 >> 16) & 0xFF) + 10];
    }
  }
  else
  {
    v40 = a1 + 36; // final step then reads v40[4..7] = a1[40..43]
  }
  // Final step: byte substitution through dword_4D14[x + 10], reassembled
  // into four words and XORed with the context words v40[4..7].
  v49 = dword_4D14[v39 + 10] ^ v40[4] ^ (dword_4D14[(v54 >> 24) + 10] << 24) ^ (dword_4D14[((v55 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v53 >> 8) + 10] << 8);
  v50 = v40[5] ^ dword_4D14[v54 + 10] ^ (dword_4D14[(v55 >> 24) + 10] << 24) ^ (dword_4D14[((v53 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v39 >> 8) + 10] << 8);
  v51 = dword_4D14[v55 + 10] ^ v40[6] ^ (dword_4D14[(v53 >> 24) + 10] << 24) ^ (dword_4D14[((v39 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v54 >> 8) + 10] << 8);
  result = (dword_4D14[(v39 >> 24) + 10] << 24) ^ v40[7] ^ dword_4D14[v53 + 10] ^ (dword_4D14[((v54 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v55 >> 8) + 10] << 8);
  // Store v49, v50, v51 and result into a3[0..15], each word most-significant
  // byte first (the stores appear in the order the compiler scheduled them).
  *v56 = HIBYTE(v49);
  v56[1] = BYTE2(v49);
  v56[2] = BYTE1(v49);
  v56[3] = v49;
  v56[4] = HIBYTE(v50);
  v56[5] = BYTE2(v50);
  v56[6] = BYTE1(v50);
  v56[8] = HIBYTE(v51);
  v56[9] = BYTE2(v51);
  v56[10] = BYTE1(v51);
  v56[12] = HIBYTE(result);
  v56[13] = BYTE2(result);
  v56[7] = v50;
  v56[11] = v51;
  v56[14] = BYTE1(result);
  v56[15] = result;
  return result;
}
五、最后,my_sha256加密后放入v29中,最后用数组v29的11-16位模10生成动态密码result的1-6位,完结,感谢大家的支持
/*
 * get_otp - derive a numeric one-time code from a timestamp, a serial number
 * and a key buffer (Hex-Rays pseudo-code, line breaks restored; HIBYTE, BYTE1
 * and BYTE2 are IDA helper macros).
 *
 *   a1      timestamp in seconds (the Java-side argument `e` per the write-up)
 *   a2      not read in this function
 *   a3, a4  the two 32-bit halves of the serial number; a3 looks like the low
 *           word and a4 the high word - confirm against the caller
 *   a5      pointer to the key bytes (str2), typed int by the decompiler
 *
 * Returns six decimal digits folded into one int. Leading zeros are not
 * representable in the int; the caller presumably zero-pads - not shown here.
 *
 * NOTE(review): the only input that is not time or serial is the buffer
 * behind a5, so the code's unpredictability rests on that buffer staying
 * secret.
 */
int __fastcall get_otp(int a1, int a2, unsigned int a3, unsigned int a4, int a5)
{
  unsigned int strr; // ST08_4   a3/a4 carry the serial number; a5 carries the bytes of str2
  unsigned int strr2; // ST0C_4
  struct tm *tm; // r4
  int tm_y; // r0
  unsigned int strr_nor; // r4
  signed int v10; // r4
  int result; // r0
  unsigned __int8 v12; // r1
  time_t timer; // [sp+14h] [bp-244h]
  int v14[129]; // [sp+18h] [bp-240h]
  // The 14 chars from s to strr_nor_h plus two unnamed bytes occupy
  // bp-3Ch..bp-2Dh, i.e. one contiguous 16-byte block that is passed to
  // my_sha256 as &s.
  char s; // [sp+21Ch] [bp-3Ch]
  char v16; // [sp+21Dh] [bp-3Bh]
  char v17; // [sp+21Eh] [bp-3Ah]
  char tm_m; // [sp+21Fh] [bp-39h]
  char tm_d; // [sp+220h] [bp-38h]
  char tm_h; // [sp+221h] [bp-37h]
  char tm_mi; // [sp+222h] [bp-36h]
  char tm_sec; // [sp+223h] [bp-35h]
  char strr_nor2; // [sp+224h] [bp-34h]
  char strr_nor3; // [sp+225h] [bp-33h]
  char strr_h; // [sp+226h] [bp-32h]
  char strr_nor_b1; // [sp+227h] [bp-31h]
  char strr_nor_b2; // [sp+228h] [bp-30h]
  char strr_nor_h; // [sp+229h] [bp-2Fh]
  char v29[16]; // [sp+22Ch] [bp-2Ch]

  strr = a3;
  strr2 = a4;
  // 28800 s = 8 h: shifting the timestamp before gmtime() yields broken-down
  // time for UTC+8 (presumably China Standard Time). The offset is unrelated
  // to tm_year being counted from 1900.
  timer = a1 + 28800;
  // NOTE(review): gmtime() can return NULL and returns a pointer to shared
  // static storage; the result is dereferenced below without a check.
  tm = gmtime(&timer);
  memset(&s, 0, 16u); // zero the whole 16-byte block that starts at s
  tm_y = tm->tm_year;
  v16 = 20; // block byte 1: constant 20
  s = 0; // block byte 0
  v17 = tm_y % 10; // block byte 2: last decimal digit of tm_year
  tm_m = tm->tm_mon; // block bytes 3..6: tm_mon (0-based), tm_mday, tm_hour, tm_min
  tm_d = tm->tm_mday;
  tm_h = tm->tm_hour;
  tm_mi = tm->tm_min;
  tm_sec = 30 * (tm->tm_sec / 30); // block byte 7: seconds rounded down to 0 or 30, i.e. a 30-second step
  // Byte-swap of strr; its four bytes land in block bytes 10..13 below, which
  // stores strr most-significant byte first.
  strr_nor = (strr << 24) | (strr >> 24) | ((strr & 0xFF00) << 8) | ((strr & 0xFF0000) >> 8);
  strr_h = HIBYTE(strr);
  // Block bytes 8..9: bits 15..8 and bits 7..0 of strr2 (bytes 2 and 3 of the
  // byte-swapped value), so only the low 16 bits of strr2 are used.
  strr_nor2 = ((strr2 << 24) | (strr2 >> 24) | ((strr2 & 0xFF00) << 8) | ((strr2 & 0xFF0000) >> 8)) >> 16;
  strr_nor3 = ((strr2 << 24) | (strr2 >> 24) | ((strr2 & 0xFF00) << 8) | ((strr2 & 0xFF0000) >> 8)) >> 24;
  strr_nor_b1 = BYTE1(strr_nor);
  strr_nor_b2 = BYTE2(strr_nor);
  strr_nor_h = HIBYTE(strr_nor);
  // At this point the first 14 bytes of the block encode the time step and
  // the serial number; the last two bytes stay zero from the memset.
  // NOTE(review): despite their names, my_md5 and my_sha256 as listed in this
  // write-up have the shape of an AES-128 key expansion and a table-driven
  // single-block AES encryption; confirm by comparing the lookup tables with
  // the standard AES tables.
  my_md5(v14, a5, 128); // build the 129-dword context v14 from the key bytes at a5 (128-bit key)
  v10 = 10;
  my_sha256(v14, &s, v29); // transform the 16-byte block under context v14 into v29
  result = 0;
  do
  {
    // Six iterations over v29[10..15]: each byte contributes one decimal digit.
    // 256 is not a multiple of 10, so digits 0-5 are slightly more likely than
    // 6-9. NOTE(review): v29 is typed char by the decompiler; this equals
    // "byte mod 10" only if the byte is treated as unsigned - confirm against
    // the disassembly.
    v12 = v29[v10++] % 0xAu;
    result = 10 * result + v12;
  }
  while ( v10 != 16 );
  return result;
}
很清晰。首先,通过一系列操作把时间戳e与序列号str转换成s数组的第1-14字节(s数组共16字节);然后调用my_md5处理a5(也就是参数str2),结果放在v14中。简单看一下堆栈:
-00000240 v14             DCD 129 dup(?)    ; v14是my_md5的结果,共129个dword
-0000003C s               DCB ?             ; s数组开始
-0000003B anonymous_0     DCB ?
-0000003A anonymous_1     DCB ?
-00000039 tm_m            DCB ?
-00000038 tm_d            DCB ?
-00000037 tm_h            DCB ?
-00000036 tm_mi           DCB ?
-00000035 tm_sec          DCB ?
-00000034 strr_nor2       DCB ?
-00000033 strr_nor3       DCB ?
-00000032 strr_h          DCB ?
-00000031 strr_nor_b1     DCB ?
-00000030 strr_nor_b2     DCB ?
-0000002F strr_nor_h      DCB ?
-0000002E                 DCB ? ; undefined
-0000002D                 DCB ? ; undefined   s数组结束
-0000002C var_2C          DCB 16 dup(?)     ; 这是v29,my_sha256的结果
-0000001C var_1C          DCD ?
三、简单看下my_md5,比较清晰:生成的v14共有129个dword,不算最后一个共512个字节。调用处为 my_md5(v14,a5, 128); // 把a5按128位经my_md5处理,结果放入v14
1.if a3=128 v5=10 a1[128]=10
2.fori=0:3 通过a2[i,i+3]字节生成a1字节a1[0-3]生成
3.通过a1[0-3]位与dword_4D14[a1[3]经过运算]生成a1[4-7] 循环到a1[40-43]停止
4.初始化KT0-KT4[256]
5.a1[64-67]=a1[40-43]
6.循环9次,通过a1[40-4i]作为下标运算KT0123生成a1[64+4i] a1[41-4i]作为下标运算KT0123生成a1[65+4i] a1[42-4i]作为下标运算KT0123生成a1[66+4i] a1[43-4i]作为下标运算KT0123生成a1[67+4i]
最终生成a1[68-103]
7.a1[104]=a1[0]a1[105]=a1[1]a1[106]=a1[2]a1[107]=a1[3]
/*
 * my_md5 - fill the 129-dword context a1 from the key bytes at a2
 * (Hex-Rays pseudo-code, line breaks restored).
 *
 *   a1  context: a1[0..43] receive the expanded words, a1[64..107] receive a
 *       second copy in reversed 4-word-group order (the nine middle groups
 *       passed through KT0..KT3), a1[128] is set to 10
 *   a2  key bytes; a3 >> 5 big-endian 32-bit words are read from it
 *   a3  key size in bits; only 128 has a case in the switch below
 *
 * Always returns 0.
 *
 * The 256-entry lookups all use an index offset of +10 from a dword_XXXX
 * label, while dword_4D14[0..9] is read separately as one constant per
 * expansion step; the tables therefore appear to begin 10 dwords after each
 * label.
 *
 * NOTE(review): despite the name, this has the shape of the AES-128
 * (Rijndael) key schedule followed by the derivation of a decryption
 * schedule: four key words, ten expansion steps with a per-step constant and
 * a byte-substitution table, then a reversed, table-transformed copy.
 * Confirm by comparing dword_4D14[10..265] with the standard AES S-box.
 *
 * NOTE(review): several table indexes below appear without an explicit
 * & 0xFF (for example KT3[a1a36in]); the binary presumably truncates them to
 * one byte and the decompiler dropped the mask - confirm in the disassembly.
 */
signed int __fastcall my_md5(int *a1, unsigned __int8 *a2, int a3)
{
  int *a1a; // r5
  int a3a; // r6
  signed int v5; // r2
  unsigned __int8 *s22; // r2
  int *a1aaa; // r0
  int v8; // r1
  int v9; // r3
  int v10; // r7
  int *a1aa; // r3
  int *dword_4D14a; // r2
  int dword_4D14_0; // r6
  unsigned int a1aaa3; // r1
  int v15; // r6
  int a1aa1; // r7
  int v17; // r7
  int *v18; // r2
  int v19; // r6
  unsigned int v20; // r1
  int v21; // r6
  int v22; // r7
  int v23; // r7
  int v24; // r6
  int v25; // r6
  int v26; // r6
  unsigned int v27; // r1
  int v28; // r7
  int v29; // r0
  int v30; // r7
  int v31; // r0
  int v32; // r7
  int v33; // r0
  int v34; // r7
  unsigned int v35; // r0
  int v36; // r7
  int v37; // r0
  int v38; // r7
  int v39; // r0
  int v40; // r7
  int v41; // r0
  int v42; // r2
  int v43; // r1
  int v44; // ST10_4
  _DWORD *v45; // r2
  int v46; // r1
  int a44in; // r3
  int *a1a68; // r2
  unsigned int a1a39in; // r1
  unsigned int a1a36in; // r1
  signed int result; // r0
  unsigned __int8 *s2; // [sp+Ch] [bp-24h]
  signed int v53; // [sp+14h] [bp-1Ch]

  s2 = a2;
  a1a = a1;
  a3a = a3;
  // One-time initialisation guarded by a global flag; the body of iVc3tO is
  // not part of this listing.
  if ( do_init )
  {
    iVc3tO();
    do_init = 0;
  }
  v5 = 10;
  a1a[128] = v5; // step count stored in the context; set to 10 whatever a3 is
  s22 = s2;
  a1aaa = a1a;
  v8 = 0;
  // Load a3 >> 5 words (4 when a3 is 128) from the key, each assembled
  // most-significant byte first, into a1[0..3].
  while ( v8 < a3a >> 5 )
  {
    ++v8;
    v9 = (s22[1] << 16) | (*s22 << 24) | s22[3];
    v10 = s22[2];
    s22 += 4;
    *a1aaa = (v10 << 8) | v9;
    ++a1aaa;
  }
  a1aa = a1a;
  switch ( a3a )
  {
    case 128:
      // Ten expansion steps: each derives a1[i+4..i+7] from a1[i..i+3], the
      // substituted and rotated last word, and one constant from
      // dword_4D14[0..9]; the loop stops once a1[40..43] has been produced.
      dword_4D14a = dword_4D14;
      do
      {
        dword_4D14_0 = *dword_4D14a;
        ++dword_4D14a;
        a1aaa3 = a1aa[3];
        v15 = (dword_4D14[(a1aaa3 >> 8) + 10] << 16) ^ dword_4D14_0 ^ *a1aa ^ (dword_4D14[a1aaa3 + 10] << 8) ^ dword_4D14[(a1aaa3 >> 24) + 10] ^ (dword_4D14[((a1aaa3 >> 16) & 0xFF) + 10] << 24);
        a1aa1 = a1aa[1];
        a1aa[4] = v15;
        a1aa[5] = v15 ^ a1aa1;
        v17 = v15 ^ a1aa1 ^ a1aa[2];
        a1aa[7] = a1aaa3 ^ v17;
        a1aa[6] = v17;
        a1aa += 4;
      }
      while ( dword_4D14a != &dword_4D14[10] );
      a1aa = a1a + 40; // points at the last expanded group, a1[40..43]
      break;
  }
  // One-time build of KT0..KT3 (256 entries each): every entry is looked up
  // in dword_5114 / dword_5514 / dword_5914 / dword_5D14 using the
  // substitution value dword_4D14[i + 10] as the index.
  if ( KT_init )
  {
    v42 = 0;
    do
    {
      v43 = dword_4D14[v42 + 10];
      v44 = dword_4D14[v42 + 10];
      KT0[v42] = dword_5114[v43 + 10];
      KT1[v42] = dword_5514[v43 + 10];
      KT2[v42] = dword_5914[v44 + 10];
      KT3[v42] = dword_5D14[v44 + 10];
      ++v42;
    }
    while ( v42 != 256 );
    KT_init = 0;
  }
  // a1[64..67] = a1[40..43]: the last expanded group is copied unchanged.
  v45 = a1a + 63;
  v45[1] = *a1aa;
  v45[2] = a1aa[1];
  v53 = 1;
  v45[3] = a1aa[2];
  v46 = a1aa[3];
  // a44in holds the address of a1[44] as a plain integer, so the offsets
  // applied to it below (-32, -28, -24, -20, -= 16) are in bytes.
  a44in = (a1aa + 4);
  v45[4] = v46;
  a1a68 = a1a + 68;
  while ( 1 )
  {
    a1a36in = *(a44in - 32); // first pass: a1[36] (32 bytes = 8 dwords before a1[44])
    // a1[128] is 10 and v53 starts at 1, so the body runs nine times:
    // a1[64+4i .. 67+4i] are computed from a1[40-4i .. 43-4i] through KT0..KT3.
    if ( v53 >= a1a[128] )
      break;
    *a1a68 = KT3[a1a36in] ^ KT0[a1a36in >> 24] ^ KT1[(a1a36in >> 16) & 0xFF] ^ KT2[a1a36in >> 8];
    a1a68[1] = KT3[*(a44in - 28) & 0xFF] ^ KT0[*(a44in - 28) >> 24] ^ KT1[(*(a44in - 28) >> 16) & 0xFF] ^ KT2[*(a44in - 28) >> 8];
    a1a68[2] = KT3[*(a44in - 24) & 0xFF] ^ KT0[*(a44in - 24) >> 24] ^ KT1[(*(a44in - 24) >> 16) & 0xFF] ^ KT2[*(a44in - 24) >> 8];
    a1a39in = *(a44in - 20); // first pass: a1[39]
    a44in -= 16; // step the source back by 4 dwords; it ends at the address of a1[8]
    a1a68[3] = KT0[a1a39in >> 24] ^ KT1[(a1a39in >> 16) & 0xFF] ^ KT3[a1a39in] ^ KT2[a1a39in >> 8];
    a1a68 += 4; // destination advances by 4 dwords; it ends at a1[104]
    ++v53;
  }
  // On exit a44in addresses a1[8], so a1a36in holds a1[0]; the first group is
  // copied unchanged: a1[104..107] = a1[0..3].
  *a1a68 = a1a36in;
  result = 0;
  a1a68[1] = *(a44in - 28);
  a1a68[2] = *(a44in - 24);
  a1a68[3] = *(a44in - 20);
  return result;
}
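四、my_sha256函数比较复杂,是把上一步生成的s数组与my_md5的结果v14经过一些计算。我看了半天,也没搞明白它跟sha256算法有什么关系,希望大佬来解释一下,密码学学的很渣(手动狗头)。(补注:从代码结构看,my_md5更像AES-128的密钥扩展,my_sha256更像基于查表的AES-128单分组加密,函数名与实际算法可能并不对应;可以把dword_4D14等表与标准AES的S盒/T表比对来确认。)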
1.首先,分别取a1和a2前4个4字节运算生成v3v4v5v6
1.首先,分别取a1和a2前4个4字节运算生成v3v4v5v6
2.然后,通过a1的4567字节与v3456运算生成双字数组dword_6114,6514,6914,6d14的下标取出4个字节异或v78910循环到v35363738最后生成v54555339
3.如果a1[128]>10 通过a1的40-43与v54555339生成v41424344 通过v41424344与a1的44-47重新生成v54555339 v40=a1+44 如果a1[128]>12 通过a1的48-51与v54555339生成v45464748 通过v45464748与a1的52-55重新生成v54555339 v40=a1+52否则a1[128]<=10,通过上文我们知道a1[128]=10,所以直接跑这一句 v40=a1+36
4.通过v40的4-7与v54555339运算得到dword_4D14下标生成v495051与result返回值将v495051与result填充到v56的0-15位
3.如果a1[128]>10 通过a1的40-43与v54555339生成v41424344 通过v41424344与a1的44-47重新生成v54555339 v40=a1+44 如果a1[128]>12 通过a1的48-51与v54555339生成v45464748 通过v45464748与a1的52-55重新生成v54555339 v40=a1+52否则a1[128]<=10,通过上文我们知道a1[128]=10,所以直接跑这一句 v40=a1+36
4.通过v40的4-7与v54555339运算得到dword_4D14下标生成v495051与result返回值将v495051与result填充到v56的0-15位
/*
 * my_sha256 -- transforms the 16-byte block at a2 with the context a1 that
 * my_md5 filled in, and writes a 16-byte result to a3.
 *
 *   a1  context of 32-bit words: this body reads a1[0..55] as per-round
 *       words and a1[128] as the round count (my_md5 stores 10 there).
 *   a2  16-byte input block (the s array built in get_otp), read as four
 *       byte-swapped 32-bit words.
 *   a3  16-byte output buffer (v29 in get_otp).
 *   returns the last 32-bit output word, which is also stored in a3[12..15].
 *
 * NOTE(review): nothing in this body resembles SHA-256. The shape -- a
 * 128-bit state XORed with context words, nine rounds of four table lookups
 * per state word, a last round that uses one byte table with shifts, and a
 * round count at a1[128] with extra rounds for values above 10 and above 12 --
 * matches table-driven AES block encryption with a1 as the expanded key.
 * Confirm by comparing the table at dword_4D14[10..] with the AES S-box.
 *
 * NOTE(review): several table indexes below are printed without "& 0xFF"
 * (for example dword_6114[v6 + 10] and dword_6D14[(v5 >> 8) + 10]) while the
 * ">> 16" index is always masked. Presumably the binary truncates these to
 * one byte and the decompiler dropped the cast -- confirm in the disassembly
 * before porting this listing.
 */
int __fastcall my_sha256(_DWORD *a1, unsigned int *a2, _BYTE *a3)
{
  /* Temporaries; the trailing comments are the decompiler's register and
     stack-slot notes. */
  unsigned int v3; // ST0C_4
  unsigned int v4; // ST10_4
  unsigned int v5; // r7
  unsigned int v6; // r6
  unsigned int v7; // ST14_4
  unsigned int v8; // ST18_4
  unsigned int v9; // ST1C_4
  unsigned int v10; // r6
  unsigned int v11; // ST0C_4
  unsigned int v12; // ST10_4
  unsigned int v13; // ST24_4
  unsigned int v14; // r6
  unsigned int v15; // ST14_4
  unsigned int v16; // ST18_4
  unsigned int v17; // ST1C_4
  unsigned int v18; // r7
  unsigned int v19; // ST0C_4
  unsigned int v20; // ST10_4
  unsigned int v21; // ST28_4
  unsigned int v22; // r5
  unsigned int v23; // ST1C_4
  unsigned int v24; // ST24_4
  unsigned int v25; // ST2C_4
  unsigned int v26; // r6
  unsigned int v27; // ST0C_4
  unsigned int v28; // ST10_4
  unsigned int v29; // ST34_4
  unsigned int v30; // r6
  unsigned int v31; // ST1C_4
  unsigned int v32; // ST24_4
  unsigned int v33; // ST08_4
  unsigned int v34; // r6
  unsigned int v35; // ST2C_4
  unsigned int v36; // ST34_4
  unsigned int v37; // ST00_4
  unsigned int v38; // r7
  unsigned int v39; // r5
  _DWORD *v40; // r7
  unsigned int v41; // ST34_4
  unsigned int v42; // r1
  unsigned int v43; // r4
  unsigned int v44; // r3
  unsigned int v45; // ST14_4
  unsigned int v46; // ST18_4
  unsigned int v47; // ST28_4
  unsigned int v48; // r5
  int v49; // r1
  int v50; // r2
  int v51; // r4
  int result; // r0
  unsigned int v53; // [sp+8h] [bp-48h]
  unsigned int v54; // [sp+Ch] [bp-44h]
  unsigned int v55; // [sp+10h] [bp-40h]
  _BYTE *v56; // [sp+20h] [bp-30h]
  signed int v57; // [sp+24h] [bp-2Ch]

  v56 = a3; // a2 is 16 bytes (4 words); a1 is 128 words (512 bytes) followed by the round count at a1[128]

  /* Initial step: byte-swap each input word and XOR it with a1[0..3]. */
  v3 = _byteswap_ulong(*a2) ^ *a1;
  v4 = _byteswap_ulong(a2[1]) ^ a1[1];
  v5 = _byteswap_ulong(a2[2]) ^ a1[2];
  v6 = _byteswap_ulong(a2[3]) ^ a1[3];

  /* Rounds 1-9: each group of four assignments consumes the next four context
     words (a1[4..7], a1[8..11], ... a1[36..39]). Every new word XORs one
     context word with one lookup in each of dword_6114, dword_6514,
     dword_6914 and dword_6D14 (all offset by +10 entries), indexed by one
     byte taken from each of the four previous state words. */
  v7 = dword_6114[v6 + 10] ^ a1[4] ^ dword_6514[(v3 >> 24) + 10] ^ dword_6914[((v4 >> 16) & 0xFF) + 10] ^ dword_6D14[(v5 >> 8) + 10];
  v8 = dword_6114[v3 + 10] ^ a1[5] ^ dword_6514[(v4 >> 24) + 10] ^ dword_6914[((v5 >> 16) & 0xFF) + 10] ^ dword_6D14[(v6 >> 8) + 10];
  v9 = dword_6D14[(v3 >> 8) + 10] ^ dword_6114[v4 + 10] ^ a1[6] ^ dword_6514[(v5 >> 24) + 10] ^ dword_6914[((v6 >> 16) & 0xFF) + 10];
  v10 = dword_6D14[(v4 >> 8) + 10] ^ a1[7] ^ dword_6114[v5 + 10] ^ dword_6514[(v6 >> 24) + 10] ^ dword_6914[((v3 >> 16) & 0xFF) + 10];

  v11 = dword_6114[v10 + 10] ^ a1[8] ^ dword_6514[(v7 >> 24) + 10] ^ dword_6914[((v8 >> 16) & 0xFF) + 10] ^ dword_6D14[(v9 >> 8) + 10];
  v12 = dword_6114[v7 + 10] ^ a1[9] ^ dword_6514[(v8 >> 24) + 10] ^ dword_6914[((v9 >> 16) & 0xFF) + 10] ^ dword_6D14[(v10 >> 8) + 10];
  v13 = dword_6114[v8 + 10] ^ a1[10] ^ dword_6514[(v9 >> 24) + 10] ^ dword_6914[((v10 >> 16) & 0xFF) + 10] ^ dword_6D14[(v7 >> 8) + 10];
  v14 = a1[11] ^ dword_6114[v9 + 10] ^ dword_6514[(v10 >> 24) + 10] ^ dword_6914[((v7 >> 16) & 0xFF) + 10] ^ dword_6D14[(v8 >> 8) + 10];

  v15 = dword_6114[v14 + 10] ^ a1[12] ^ dword_6514[(v11 >> 24) + 10] ^ dword_6914[((v12 >> 16) & 0xFF) + 10] ^ dword_6D14[(v13 >> 8) + 10];
  v16 = dword_6114[v11 + 10] ^ a1[13] ^ dword_6514[(v12 >> 24) + 10] ^ dword_6914[((v13 >> 16) & 0xFF) + 10] ^ dword_6D14[(v14 >> 8) + 10];
  v17 = dword_6D14[(v11 >> 8) + 10] ^ dword_6114[v12 + 10] ^ a1[14] ^ dword_6514[(v13 >> 24) + 10] ^ dword_6914[((v14 >> 16) & 0xFF) + 10];
  v18 = a1[15] ^ dword_6114[v13 + 10] ^ dword_6514[(v14 >> 24) + 10] ^ dword_6914[((v11 >> 16) & 0xFF) + 10] ^ dword_6D14[(v12 >> 8) + 10];

  v19 = dword_6114[v18 + 10] ^ a1[16] ^ dword_6514[(v15 >> 24) + 10] ^ dword_6914[((v16 >> 16) & 0xFF) + 10] ^ dword_6D14[(v17 >> 8) + 10];
  v20 = dword_6114[v15 + 10] ^ a1[17] ^ dword_6514[(v16 >> 24) + 10] ^ dword_6914[((v17 >> 16) & 0xFF) + 10] ^ dword_6D14[(v18 >> 8) + 10];
  v21 = dword_6114[v16 + 10] ^ a1[18] ^ dword_6514[(v17 >> 24) + 10] ^ dword_6914[((v18 >> 16) & 0xFF) + 10] ^ dword_6D14[(v15 >> 8) + 10];
  v22 = a1[19] ^ dword_6114[v17 + 10] ^ dword_6514[(v18 >> 24) + 10] ^ dword_6914[((v15 >> 16) & 0xFF) + 10] ^ dword_6D14[(v16 >> 8) + 10];

  v23 = dword_6114[v22 + 10] ^ a1[20] ^ dword_6514[(v19 >> 24) + 10] ^ dword_6914[((v20 >> 16) & 0xFF) + 10] ^ dword_6D14[(v21 >> 8) + 10];
  v24 = dword_6114[v19 + 10] ^ a1[21] ^ dword_6514[(v20 >> 24) + 10] ^ dword_6914[((v21 >> 16) & 0xFF) + 10] ^ dword_6D14[(v22 >> 8) + 10];
  v25 = dword_6D14[(v19 >> 8) + 10] ^ dword_6114[v20 + 10] ^ a1[22] ^ dword_6514[(v21 >> 24) + 10] ^ dword_6914[((v22 >> 16) & 0xFF) + 10];
  v26 = a1[23] ^ dword_6114[v21 + 10] ^ dword_6514[(v22 >> 24) + 10] ^ dword_6914[((v19 >> 16) & 0xFF) + 10] ^ dword_6D14[(v20 >> 8) + 10];

  v27 = dword_6114[v26 + 10] ^ a1[24] ^ dword_6514[(v23 >> 24) + 10] ^ dword_6914[((v24 >> 16) & 0xFF) + 10] ^ dword_6D14[(v25 >> 8) + 10];
  v28 = dword_6114[v23 + 10] ^ a1[25] ^ dword_6514[(v24 >> 24) + 10] ^ dword_6914[((v25 >> 16) & 0xFF) + 10] ^ dword_6D14[(v26 >> 8) + 10];
  v29 = dword_6114[v24 + 10] ^ a1[26] ^ dword_6514[(v25 >> 24) + 10] ^ dword_6914[((v26 >> 16) & 0xFF) + 10] ^ dword_6D14[(v23 >> 8) + 10];
  v30 = a1[27] ^ dword_6114[v25 + 10] ^ dword_6514[(v26 >> 24) + 10] ^ dword_6914[((v23 >> 16) & 0xFF) + 10] ^ dword_6D14[(v24 >> 8) + 10];

  v31 = dword_6114[v30 + 10] ^ a1[28] ^ dword_6514[(v27 >> 24) + 10] ^ dword_6914[((v28 >> 16) & 0xFF) + 10] ^ dword_6D14[(v29 >> 8) + 10];
  v32 = dword_6114[v27 + 10] ^ a1[29] ^ dword_6514[(v28 >> 24) + 10] ^ dword_6914[((v29 >> 16) & 0xFF) + 10] ^ dword_6D14[(v30 >> 8) + 10];
  v33 = dword_6D14[(v27 >> 8) + 10] ^ dword_6114[v28 + 10] ^ a1[30] ^ dword_6514[(v29 >> 24) + 10] ^ dword_6914[((v30 >> 16) & 0xFF) + 10];
  v34 = dword_6514[(v30 >> 24) + 10] ^ a1[31] ^ dword_6114[v29 + 10] ^ dword_6914[((v27 >> 16) & 0xFF) + 10] ^ dword_6D14[(v28 >> 8) + 10];

  v35 = dword_6114[v34 + 10] ^ a1[32] ^ dword_6514[(v31 >> 24) + 10] ^ dword_6914[((v32 >> 16) & 0xFF) + 10] ^ dword_6D14[(v33 >> 8) + 10];
  v36 = dword_6114[v31 + 10] ^ a1[33] ^ dword_6514[(v32 >> 24) + 10] ^ dword_6914[((v33 >> 16) & 0xFF) + 10] ^ dword_6D14[(v34 >> 8) + 10];
  v37 = dword_6114[v32 + 10] ^ a1[34] ^ dword_6514[(v33 >> 24) + 10] ^ dword_6914[((v34 >> 16) & 0xFF) + 10] ^ dword_6D14[(v31 >> 8) + 10];
  v38 = a1[35] ^ dword_6114[v33 + 10] ^ dword_6514[(v34 >> 24) + 10] ^ dword_6914[((v31 >> 16) & 0xFF) + 10] ^ dword_6D14[(v32 >> 8) + 10];

  /* Round 9 leaves the state in v54, v55, v53, v39 (in that word order). */
  v54 = dword_6114[v38 + 10] ^ a1[36] ^ dword_6514[(v35 >> 24) + 10] ^ dword_6914[((v36 >> 16) & 0xFF) + 10] ^ dword_6D14[(v37 >> 8) + 10];
  v55 = dword_6114[v35 + 10] ^ a1[37] ^ dword_6514[(v36 >> 24) + 10] ^ dword_6914[((v37 >> 16) & 0xFF) + 10] ^ dword_6D14[(v38 >> 8) + 10];
  v53 = dword_6D14[(v35 >> 8) + 10] ^ dword_6114[v36 + 10] ^ a1[38] ^ dword_6514[(v37 >> 24) + 10] ^ dword_6914[((v38 >> 16) & 0xFF) + 10];
  v39 = a1[39] ^ dword_6114[v37 + 10] ^ dword_6514[(v38 >> 24) + 10] ^ dword_6914[((v35 >> 16) & 0xFF) + 10] ^ dword_6D14[(v36 >> 8) + 10];

  v57 = a1[128]; // round count written by my_md5
  if ( v57 > 10 )
  {
    /* Two extra rounds using a1[40..47]; not taken when a1[128] == 10. */
    v41 = dword_6114[v39 + 10] ^ a1[40] ^ dword_6514[(v54 >> 24) + 10] ^ dword_6914[((v55 >> 16) & 0xFF) + 10] ^ dword_6D14[(v53 >> 8) + 10];
    v42 = dword_6D14[(v39 >> 8) + 10] ^ dword_6114[v54 + 10] ^ a1[41] ^ dword_6514[(v55 >> 24) + 10] ^ dword_6914[((v53 >> 16) & 0xFF) + 10];
    v43 = dword_6114[v55 + 10] ^ a1[42] ^ dword_6514[(v53 >> 24) + 10] ^ dword_6914[((v39 >> 16) & 0xFF) + 10] ^ dword_6D14[(v54 >> 8) + 10];
    v44 = a1[43] ^ dword_6114[v53 + 10] ^ dword_6514[(v39 >> 24) + 10] ^ dword_6914[((v54 >> 16) & 0xFF) + 10] ^ dword_6D14[(v55 >> 8) + 10];
    v54 = dword_6114[v44 + 10] ^ a1[44] ^ dword_6514[(v41 >> 24) + 10] ^ dword_6914[((v42 >> 16) & 0xFF) + 10] ^ dword_6D14[(v43 >> 8) + 10];
    v55 = dword_6114[v41 + 10] ^ a1[45] ^ dword_6514[(v42 >> 24) + 10] ^ dword_6914[((v43 >> 16) & 0xFF) + 10] ^ dword_6D14[(v44 >> 8) + 10];
    v53 = dword_6114[v42 + 10] ^ a1[46] ^ dword_6514[(v43 >> 24) + 10] ^ dword_6914[((v44 >> 16) & 0xFF) + 10] ^ dword_6D14[(v41 >> 8) + 10];
    v39 = dword_6914[((v41 >> 16) & 0xFF) + 10] ^ a1[47] ^ dword_6114[v43 + 10] ^ dword_6514[(v44 >> 24) + 10] ^ dword_6D14[(v42 >> 8) + 10];
    v40 = a1 + 44;
    if ( v57 > 12 )
    {
      /* Two further rounds using a1[48..55]. */
      v45 = dword_6114[v39 + 10] ^ a1[48] ^ dword_6514[(v54 >> 24) + 10] ^ dword_6914[((v55 >> 16) & 0xFF) + 10] ^ dword_6D14[(v53 >> 8) + 10];
      v46 = dword_6114[v54 + 10] ^ a1[49] ^ dword_6514[(v55 >> 24) + 10] ^ dword_6914[((v53 >> 16) & 0xFF) + 10] ^ dword_6D14[(v39 >> 8) + 10];
      v47 = dword_6114[v55 + 10] ^ a1[50] ^ dword_6514[(v53 >> 24) + 10] ^ dword_6914[((v39 >> 16) & 0xFF) + 10] ^ dword_6D14[(v54 >> 8) + 10];
      v40 = a1 + 52;
      v48 = dword_6D14[(v55 >> 8) + 10] ^ a1[51] ^ dword_6114[v53 + 10] ^ dword_6514[(v39 >> 24) + 10] ^ dword_6914[((v54 >> 16) & 0xFF) + 10];
      v54 = dword_6114[v48 + 10] ^ a1[52] ^ dword_6514[(v45 >> 24) + 10] ^ dword_6914[((v46 >> 16) & 0xFF) + 10] ^ dword_6D14[(v47 >> 8) + 10];
      v55 = dword_6114[v45 + 10] ^ a1[53] ^ dword_6514[(v46 >> 24) + 10] ^ dword_6914[((v47 >> 16) & 0xFF) + 10] ^ dword_6D14[(v48 >> 8) + 10];
      v53 = dword_6D14[(v45 >> 8) + 10] ^ dword_6114[v46 + 10] ^ a1[54] ^ dword_6514[(v47 >> 24) + 10] ^ dword_6914[((v48 >> 16) & 0xFF) + 10];
      v39 = dword_6D14[(v46 >> 8) + 10] ^ dword_6114[v47 + 10] ^ a1[55] ^ dword_6514[(v48 >> 24) + 10] ^ dword_6914[((v45 >> 16) & 0xFF) + 10];
    }
  }
  else
  {
    /* Path taken for a1[128] == 10: the last round reads v40[4..7], i.e. a1[40..43]. */
    v40 = a1 + 36;
  }

  /* Last round: only the table at dword_4D14[10..] is used; each looked-up
     value is shifted back into its byte position and the word is XORed with
     v40[4..7]. */
  v49 = dword_4D14[v39 + 10] ^ v40[4] ^ (dword_4D14[(v54 >> 24) + 10] << 24) ^ (dword_4D14[((v55 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v53 >> 8) + 10] << 8);
  v50 = v40[5] ^ dword_4D14[v54 + 10] ^ (dword_4D14[(v55 >> 24) + 10] << 24) ^ (dword_4D14[((v53 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v39 >> 8) + 10] << 8);
  v51 = dword_4D14[v55 + 10] ^ v40[6] ^ (dword_4D14[(v53 >> 24) + 10] << 24) ^ (dword_4D14[((v39 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v54 >> 8) + 10] << 8);
  result = (dword_4D14[(v39 >> 24) + 10] << 24) ^ v40[7] ^ dword_4D14[v53 + 10] ^ (dword_4D14[((v54 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v55 >> 8) + 10] << 8);

  /* Store v49, v50, v51, result into a3[0..15], most significant byte first.
     The plain assignments (v56[3] = v49 etc.) keep only the low byte because
     v56 points to _BYTE. */
  *v56 = HIBYTE(v49);
  v56[1] = BYTE2(v49);
  v56[2] = BYTE1(v49);
  v56[3] = v49;
  v56[4] = HIBYTE(v50);
  v56[5] = BYTE2(v50);
  v56[6] = BYTE1(v50);
  v56[8] = HIBYTE(v51);
  v56[9] = BYTE2(v51);
  v56[10] = BYTE1(v51);
  v56[12] = HIBYTE(result);
  v56[13] = BYTE2(result);
  v56[7] = v50;
  v56[11] = v51;
  v56[14] = BYTE1(result);
  v56[15] = result;
  return result;
}
五、最后,my_sha256的结果放入v29中,再用数组v29的第11-16个字节(下标10-15)分别模10,依次生成动态密码result的第1-6位。完结,感谢大家的支持
-00000240 v14 DCD 129 dup(?)      ; v14是my_md5加密结果,共129个dword
-0000003C s DCB ?                 ; s数组开始
-0000003B anonymous_0 DCB ?
-0000003A anonymous_1 DCB ?
-00000039 tm_m DCB ?
-00000038 tm_d DCB ?
-00000037 tm_h DCB ?
-00000036 tm_mi DCB ?
-00000035 tm_sec DCB ?
-00000034 strr_nor2 DCB ?
-00000033 strr_nor3 DCB ?
-00000032 strr_h DCB ?
-00000031 strr_nor_b1 DCB ?
-00000030 strr_nor_b2 DCB ?
-0000002F strr_nor_h DCB ?
-0000002E DCB ? ; undefined
-0000002D DCB ? ; undefined       ; s数组结束
-0000002C var_2C DCB 16 dup(?)    ; 这是v29,my_sha256加密结果
-0000001C var_1C DCD ?
三、简单看下my_md5,比较清晰,生成的v14共有129个dword,不算最后一个dword共512个字节 my_md5(v14,a5, 128); // 把a5按128位my_md5哈希结果放入v14
1.if a3=128 v5=10 a1[128]=10
2.for i=0:3,每次取a2的4个字节拼成a1[i],生成a1[0-3]
3.通过a1[0-3]位与dword_4D14[a1[3]经过运算]生成a1[4-7] 循环到a1[40-43]停止
4.初始化KT0-KT3[256]
5.a1[64-67]=a1[40-43]
6.循环9次,通过a1[40-4i]作为下标运算KT0123生成a1[64+4i] a1[41-4i]作为下标运算KT0123生成a1[65+4i] a1[42-4i]作为下标运算KT0123生成a1[66+4i] a1[43-4i]作为下标运算KT0123生成a1[67+4i]
最终生成a1[68-103]
7.a1[104]=a1[0],a1[105]=a1[1],a1[106]=a1[2],a1[107]=a1[3]
/*
 * my_md5 -- fills the 129-dword context a1 from the bytes at a2.
 *
 *   a1  output context (v14 in get_otp). This body writes a1[0..43],
 *       a1[64..107] and a1[128].
 *   a2  input bytes (a5 in get_otp); a3 >> 5 four-byte words are read.
 *   a3  size in bits; only the value 128 has a case in this listing.
 *   returns 0.
 *
 * NOTE(review): despite the label this is not an MD5 computation. The shape --
 * ten per-round constants at dword_4D14[0..9], a byte substitution table at
 * dword_4D14[10..], a 4-word input expanded to 44 words, and a second
 * schedule built in reverse order through KT0..KT3 -- matches an AES-128 key
 * expansion that prepares both encryption and decryption round keys. Confirm
 * by checking the table contents. If so, a2 is the cipher key, so the secrecy
 * of the OTP rests on those bytes alone.
 *
 * iVc3tO() is opaque here; presumably it initialises the lookup tables on
 * first use -- verify. v18..v41 are declared by the decompiler but are not
 * referenced in this listing.
 */
signed int __fastcall my_md5(int *a1, unsigned __int8 *a2, int a3)
{
  int *a1a; // r5
  int a3a; // r6
  signed int v5; // r2
  unsigned __int8 *s22; // r2
  int *a1aaa; // r0
  int v8; // r1
  int v9; // r3
  int v10; // r7
  int *a1aa; // r3
  int *dword_4D14a; // r2
  int dword_4D14_0; // r6
  unsigned int a1aaa3; // r1
  int v15; // r6
  int a1aa1; // r7
  int v17; // r7
  int *v18; // r2
  int v19; // r6
  unsigned int v20; // r1
  int v21; // r6
  int v22; // r7
  int v23; // r7
  int v24; // r6
  int v25; // r6
  int v26; // r6
  unsigned int v27; // r1
  int v28; // r7
  int v29; // r0
  int v30; // r7
  int v31; // r0
  int v32; // r7
  int v33; // r0
  int v34; // r7
  unsigned int v35; // r0
  int v36; // r7
  int v37; // r0
  int v38; // r7
  int v39; // r0
  int v40; // r7
  int v41; // r0
  int v42; // r2
  int v43; // r1
  int v44; // ST10_4
  _DWORD *v45; // r2
  int v46; // r1
  int a44in; // r3
  int *a1a68; // r2
  unsigned int a1a39in; // r1
  unsigned int a1a36in; // r1
  signed int result; // r0
  unsigned __int8 *s2; // [sp+Ch] [bp-24h]
  signed int v53; // [sp+14h] [bp-1Ch]

  s2 = a2;
  a1a = a1;
  a3a = a3;
  if ( do_init )
  {
    iVc3tO();
    do_init = 0;
  }
  /* As decompiled, the round count 10 is stored unconditionally. */
  v5 = 10;
  a1a[128] = v5;
  s22 = s2;
  a1aaa = a1a;
  v8 = 0;
  while ( v8 < a3a >> 5 )                       // for a3 = 128 this runs 4 times: each pass packs 4 bytes of a2,
                                                // first byte most significant, into one word, filling a1[0..3]
  {
    ++v8;
    v9 = (s22[1] << 16) | (*s22 << 24) | s22[3];
    v10 = s22[2];
    s22 += 4;
    *a1aaa = (v10 << 8) | v9;
    ++a1aaa;
  }
  a1aa = a1a;
  switch ( a3a )
  {
    case 128:                                   // 10 passes: each derives a1aa[4..7] from a1aa[0..3] and one
                                                // constant from dword_4D14[0..9]; stops once a1[40..43] exist
      dword_4D14a = dword_4D14;
      do
      {
        dword_4D14_0 = *dword_4D14a;
        ++dword_4D14a;
        a1aaa3 = a1aa[3];
        /* Each byte of a1aa[3] goes through the table at dword_4D14[10..] and
           lands one byte position higher (top byte wraps to the bottom). */
        v15 = (dword_4D14[(a1aaa3 >> 8) + 10] << 16) ^ dword_4D14_0 ^ *a1aa ^ (dword_4D14[a1aaa3 + 10] << 8) ^ dword_4D14[(a1aaa3 >> 24) + 10] ^ (dword_4D14[((a1aaa3 >> 16) & 0xFF) + 10] << 24);
        a1aa1 = a1aa[1];
        a1aa[4] = v15;
        a1aa[5] = v15 ^ a1aa1;
        v17 = v15 ^ a1aa1 ^ a1aa[2];
        a1aa[7] = a1aaa3 ^ v17;
        a1aa[6] = v17;
        a1aa += 4;
      }
      while ( dword_4D14a != &dword_4D14[10] );
      a1aa = a1a + 40;
      break;
  }
  if ( KT_init )                                // one-time setup of KT0..KT3[256]:
                                                // KTn[i] = (table dword_5114/5514/5914/5D14)[dword_4D14[i + 10] + 10]
  {
    v42 = 0;
    do
    {
      v43 = dword_4D14[v42 + 10];
      v44 = dword_4D14[v42 + 10];
      KT0[v42] = dword_5114[v43 + 10];
      KT1[v42] = dword_5514[v43 + 10];
      KT2[v42] = dword_5914[v44 + 10];
      KT3[v42] = dword_5D14[v44 + 10];
      ++v42;
    }
    while ( v42 != 256 );
    KT_init = 0;
  }
  /* a1[64..67] = a1[40..43] (v45[1..4] with v45 = a1 + 63). */
  v45 = a1a + 63;
  v45[1] = *a1aa;
  v45[2] = a1aa[1];
  v53 = 1;
  v45[3] = a1aa[2];
  v46 = a1aa[3];
  a44in = (a1aa + 4);                           // a44in = address of a1aa[4], i.e. &a1[44], held as an int
  v45[4] = v46;
  a1a68 = a1a + 68;
  while ( 1 )
  {
    a1a36in = *(a44in - 32);                    // (at 0x1400: sub r1, 0x20) a44in is a byte address, so this is
                                                // the dword 8 entries below it: a1[36] on the first pass
    if ( v53 >= a1a[128] )                      // a1[128] = 10, so the body runs 9 times (i = 1..9):
                                                // a1[64+4i] is built from a1[40-4i] through KT0..KT3
                                                // a1[65+4i] is built from a1[41-4i] through KT0..KT3
                                                // a1[66+4i] is built from a1[42-4i] through KT0..KT3
                                                // a1[67+4i] is built from a1[43-4i] through KT0..KT3
      break;
    /* NOTE(review): KT3[a1a36in] and KT2[a1a36in >> 8] are printed without a
       byte mask while the next two lines mask the KT3 index with 0xFF;
       presumably all indexes are single bytes -- confirm in the disassembly. */
    *a1a68 = KT3[a1a36in] ^ KT0[a1a36in >> 24] ^ KT1[(a1a36in >> 16) & 0xFF] ^ KT2[a1a36in >> 8];
    a1a68[1] = KT3[*(a44in - 28) & 0xFF] ^ KT0[*(a44in - 28) >> 24] ^ KT1[(*(a44in - 28) >> 16) & 0xFF] ^ KT2[*(a44in - 28) >> 8];
    a1a68[2] = KT3[*(a44in - 24) & 0xFF] ^ KT0[*(a44in - 24) >> 24] ^ KT1[(*(a44in - 24) >> 16) & 0xFF] ^ KT2[*(a44in - 24) >> 8];
    a1a39in = *(a44in - 20);                    // the dword 5 entries below a44in: a1[39] on the first pass
    a44in -= 16;                                // 16 bytes = 4 dwords per pass, because a44in is an int;
                                                // it ends at &a1[8] when the loop exits
    a1a68[3] = KT0[a1a39in >> 24] ^ KT1[(a1a39in >> 16) & 0xFF] ^ KT3[a1a39in] ^ KT2[a1a39in >> 8];
    a1a68 += 4;                                 // points at a1[104] when the loop exits
    ++v53;
  }
  *a1a68 = a1a36in;                             // after 9 passes a44in is &a1[8], so a1a36in holds a1[0]
                                                // a1[104]=a1[0]
                                                // a1[105]=a1[1]
                                                // a1[106]=a1[2]
                                                // a1[107]=a1[3]
                                                //
  result = 0;
  a1a68[1] = *(a44in - 28);
  a1a68[2] = *(a44in - 24);
  a1a68[3] = *(a44in - 20);
  return result;
}
四、my_sha256函数比较复杂,是把上一步生成的s数组与my_md5的结果v14经过一些计算。我看了半天,也没搞明白它跟sha256算法有什么关系,希望大佬来解释一下,密码学学的很渣 手动狗头
1.首先,分别取a1和a2的前4个4字节(dword)运算生成v3、v4、v5、v6
2.然后,通过a1[4]-a1[7]与v3、v4、v5、v6运算:用v3-v6的字节作为双字数组dword_6114、6514、6914、6D14的下标,把取出的值异或生成v7、v8、v9、v10,这样循环到v35、v36、v37、v38,最后生成v54、v55、v53、v39
3.如果a1[128]>10:通过a1的40-43与v54、v55、v53、v39生成v41、v42、v43、v44,再通过v41、v42、v43、v44与a1的44-47重新生成v54、v55、v53、v39,v40=a1+44;如果a1[128]>12:通过a1的48-51与v54、v55、v53、v39生成v45、v46、v47、v48,再通过v45、v46、v47、v48与a1的52-55重新生成v54、v55、v53、v39,v40=a1+52;否则a1[128]<=10。通过上文我们知道a1[128]=10,所以直接跑这一句:v40=a1+36
4.通过v40的4-7与v54、v55、v53、v39运算,得到dword_4D14的下标,生成v49、v50、v51与返回值result,再将v49、v50、v51与result填充到v56的0-15位
/*
 * my_sha256 -- transforms the 16-byte block at a2 with the context a1 that
 * my_md5 filled in, and writes a 16-byte result to a3.
 *
 *   a1  context of 32-bit words: this body reads a1[0..55] as per-round
 *       words and a1[128] as the round count (my_md5 stores 10 there).
 *   a2  16-byte input block (the s array built in get_otp), read as four
 *       byte-swapped 32-bit words.
 *   a3  16-byte output buffer (v29 in get_otp).
 *   returns the last 32-bit output word, which is also stored in a3[12..15].
 *
 * NOTE(review): nothing in this body resembles SHA-256. The shape -- a
 * 128-bit state XORed with context words, nine rounds of four table lookups
 * per state word, a last round that uses one byte table with shifts, and a
 * round count at a1[128] with extra rounds for values above 10 and above 12 --
 * matches table-driven AES block encryption with a1 as the expanded key.
 * Confirm by comparing the table at dword_4D14[10..] with the AES S-box.
 *
 * NOTE(review): several table indexes below are printed without "& 0xFF"
 * (for example dword_6114[v6 + 10] and dword_6D14[(v5 >> 8) + 10]) while the
 * ">> 16" index is always masked. Presumably the binary truncates these to
 * one byte and the decompiler dropped the cast -- confirm in the disassembly
 * before porting this listing.
 */
int __fastcall my_sha256(_DWORD *a1, unsigned int *a2, _BYTE *a3)
{
  /* Temporaries; the trailing comments are the decompiler's register and
     stack-slot notes. */
  unsigned int v3; // ST0C_4
  unsigned int v4; // ST10_4
  unsigned int v5; // r7
  unsigned int v6; // r6
  unsigned int v7; // ST14_4
  unsigned int v8; // ST18_4
  unsigned int v9; // ST1C_4
  unsigned int v10; // r6
  unsigned int v11; // ST0C_4
  unsigned int v12; // ST10_4
  unsigned int v13; // ST24_4
  unsigned int v14; // r6
  unsigned int v15; // ST14_4
  unsigned int v16; // ST18_4
  unsigned int v17; // ST1C_4
  unsigned int v18; // r7
  unsigned int v19; // ST0C_4
  unsigned int v20; // ST10_4
  unsigned int v21; // ST28_4
  unsigned int v22; // r5
  unsigned int v23; // ST1C_4
  unsigned int v24; // ST24_4
  unsigned int v25; // ST2C_4
  unsigned int v26; // r6
  unsigned int v27; // ST0C_4
  unsigned int v28; // ST10_4
  unsigned int v29; // ST34_4
  unsigned int v30; // r6
  unsigned int v31; // ST1C_4
  unsigned int v32; // ST24_4
  unsigned int v33; // ST08_4
  unsigned int v34; // r6
  unsigned int v35; // ST2C_4
  unsigned int v36; // ST34_4
  unsigned int v37; // ST00_4
  unsigned int v38; // r7
  unsigned int v39; // r5
  _DWORD *v40; // r7
  unsigned int v41; // ST34_4
  unsigned int v42; // r1
  unsigned int v43; // r4
  unsigned int v44; // r3
  unsigned int v45; // ST14_4
  unsigned int v46; // ST18_4
  unsigned int v47; // ST28_4
  unsigned int v48; // r5
  int v49; // r1
  int v50; // r2
  int v51; // r4
  int result; // r0
  unsigned int v53; // [sp+8h] [bp-48h]
  unsigned int v54; // [sp+Ch] [bp-44h]
  unsigned int v55; // [sp+10h] [bp-40h]
  _BYTE *v56; // [sp+20h] [bp-30h]
  signed int v57; // [sp+24h] [bp-2Ch]

  v56 = a3; // a2 is 16 bytes (4 words); a1 is 128 words (512 bytes) followed by the round count at a1[128]

  /* Initial step: byte-swap each input word and XOR it with a1[0..3]. */
  v3 = _byteswap_ulong(*a2) ^ *a1;
  v4 = _byteswap_ulong(a2[1]) ^ a1[1];
  v5 = _byteswap_ulong(a2[2]) ^ a1[2];
  v6 = _byteswap_ulong(a2[3]) ^ a1[3];

  /* Rounds 1-9: each group of four assignments consumes the next four context
     words (a1[4..7], a1[8..11], ... a1[36..39]). Every new word XORs one
     context word with one lookup in each of dword_6114, dword_6514,
     dword_6914 and dword_6D14 (all offset by +10 entries), indexed by one
     byte taken from each of the four previous state words. */
  v7 = dword_6114[v6 + 10] ^ a1[4] ^ dword_6514[(v3 >> 24) + 10] ^ dword_6914[((v4 >> 16) & 0xFF) + 10] ^ dword_6D14[(v5 >> 8) + 10];
  v8 = dword_6114[v3 + 10] ^ a1[5] ^ dword_6514[(v4 >> 24) + 10] ^ dword_6914[((v5 >> 16) & 0xFF) + 10] ^ dword_6D14[(v6 >> 8) + 10];
  v9 = dword_6D14[(v3 >> 8) + 10] ^ dword_6114[v4 + 10] ^ a1[6] ^ dword_6514[(v5 >> 24) + 10] ^ dword_6914[((v6 >> 16) & 0xFF) + 10];
  v10 = dword_6D14[(v4 >> 8) + 10] ^ a1[7] ^ dword_6114[v5 + 10] ^ dword_6514[(v6 >> 24) + 10] ^ dword_6914[((v3 >> 16) & 0xFF) + 10];

  v11 = dword_6114[v10 + 10] ^ a1[8] ^ dword_6514[(v7 >> 24) + 10] ^ dword_6914[((v8 >> 16) & 0xFF) + 10] ^ dword_6D14[(v9 >> 8) + 10];
  v12 = dword_6114[v7 + 10] ^ a1[9] ^ dword_6514[(v8 >> 24) + 10] ^ dword_6914[((v9 >> 16) & 0xFF) + 10] ^ dword_6D14[(v10 >> 8) + 10];
  v13 = dword_6114[v8 + 10] ^ a1[10] ^ dword_6514[(v9 >> 24) + 10] ^ dword_6914[((v10 >> 16) & 0xFF) + 10] ^ dword_6D14[(v7 >> 8) + 10];
  v14 = a1[11] ^ dword_6114[v9 + 10] ^ dword_6514[(v10 >> 24) + 10] ^ dword_6914[((v7 >> 16) & 0xFF) + 10] ^ dword_6D14[(v8 >> 8) + 10];

  v15 = dword_6114[v14 + 10] ^ a1[12] ^ dword_6514[(v11 >> 24) + 10] ^ dword_6914[((v12 >> 16) & 0xFF) + 10] ^ dword_6D14[(v13 >> 8) + 10];
  v16 = dword_6114[v11 + 10] ^ a1[13] ^ dword_6514[(v12 >> 24) + 10] ^ dword_6914[((v13 >> 16) & 0xFF) + 10] ^ dword_6D14[(v14 >> 8) + 10];
  v17 = dword_6D14[(v11 >> 8) + 10] ^ dword_6114[v12 + 10] ^ a1[14] ^ dword_6514[(v13 >> 24) + 10] ^ dword_6914[((v14 >> 16) & 0xFF) + 10];
  v18 = a1[15] ^ dword_6114[v13 + 10] ^ dword_6514[(v14 >> 24) + 10] ^ dword_6914[((v11 >> 16) & 0xFF) + 10] ^ dword_6D14[(v12 >> 8) + 10];

  v19 = dword_6114[v18 + 10] ^ a1[16] ^ dword_6514[(v15 >> 24) + 10] ^ dword_6914[((v16 >> 16) & 0xFF) + 10] ^ dword_6D14[(v17 >> 8) + 10];
  v20 = dword_6114[v15 + 10] ^ a1[17] ^ dword_6514[(v16 >> 24) + 10] ^ dword_6914[((v17 >> 16) & 0xFF) + 10] ^ dword_6D14[(v18 >> 8) + 10];
  v21 = dword_6114[v16 + 10] ^ a1[18] ^ dword_6514[(v17 >> 24) + 10] ^ dword_6914[((v18 >> 16) & 0xFF) + 10] ^ dword_6D14[(v15 >> 8) + 10];
  v22 = a1[19] ^ dword_6114[v17 + 10] ^ dword_6514[(v18 >> 24) + 10] ^ dword_6914[((v15 >> 16) & 0xFF) + 10] ^ dword_6D14[(v16 >> 8) + 10];

  v23 = dword_6114[v22 + 10] ^ a1[20] ^ dword_6514[(v19 >> 24) + 10] ^ dword_6914[((v20 >> 16) & 0xFF) + 10] ^ dword_6D14[(v21 >> 8) + 10];
  v24 = dword_6114[v19 + 10] ^ a1[21] ^ dword_6514[(v20 >> 24) + 10] ^ dword_6914[((v21 >> 16) & 0xFF) + 10] ^ dword_6D14[(v22 >> 8) + 10];
  v25 = dword_6D14[(v19 >> 8) + 10] ^ dword_6114[v20 + 10] ^ a1[22] ^ dword_6514[(v21 >> 24) + 10] ^ dword_6914[((v22 >> 16) & 0xFF) + 10];
  v26 = a1[23] ^ dword_6114[v21 + 10] ^ dword_6514[(v22 >> 24) + 10] ^ dword_6914[((v19 >> 16) & 0xFF) + 10] ^ dword_6D14[(v20 >> 8) + 10];

  v27 = dword_6114[v26 + 10] ^ a1[24] ^ dword_6514[(v23 >> 24) + 10] ^ dword_6914[((v24 >> 16) & 0xFF) + 10] ^ dword_6D14[(v25 >> 8) + 10];
  v28 = dword_6114[v23 + 10] ^ a1[25] ^ dword_6514[(v24 >> 24) + 10] ^ dword_6914[((v25 >> 16) & 0xFF) + 10] ^ dword_6D14[(v26 >> 8) + 10];
  v29 = dword_6114[v24 + 10] ^ a1[26] ^ dword_6514[(v25 >> 24) + 10] ^ dword_6914[((v26 >> 16) & 0xFF) + 10] ^ dword_6D14[(v23 >> 8) + 10];
  v30 = a1[27] ^ dword_6114[v25 + 10] ^ dword_6514[(v26 >> 24) + 10] ^ dword_6914[((v23 >> 16) & 0xFF) + 10] ^ dword_6D14[(v24 >> 8) + 10];

  v31 = dword_6114[v30 + 10] ^ a1[28] ^ dword_6514[(v27 >> 24) + 10] ^ dword_6914[((v28 >> 16) & 0xFF) + 10] ^ dword_6D14[(v29 >> 8) + 10];
  v32 = dword_6114[v27 + 10] ^ a1[29] ^ dword_6514[(v28 >> 24) + 10] ^ dword_6914[((v29 >> 16) & 0xFF) + 10] ^ dword_6D14[(v30 >> 8) + 10];
  v33 = dword_6D14[(v27 >> 8) + 10] ^ dword_6114[v28 + 10] ^ a1[30] ^ dword_6514[(v29 >> 24) + 10] ^ dword_6914[((v30 >> 16) & 0xFF) + 10];
  v34 = dword_6514[(v30 >> 24) + 10] ^ a1[31] ^ dword_6114[v29 + 10] ^ dword_6914[((v27 >> 16) & 0xFF) + 10] ^ dword_6D14[(v28 >> 8) + 10];

  v35 = dword_6114[v34 + 10] ^ a1[32] ^ dword_6514[(v31 >> 24) + 10] ^ dword_6914[((v32 >> 16) & 0xFF) + 10] ^ dword_6D14[(v33 >> 8) + 10];
  v36 = dword_6114[v31 + 10] ^ a1[33] ^ dword_6514[(v32 >> 24) + 10] ^ dword_6914[((v33 >> 16) & 0xFF) + 10] ^ dword_6D14[(v34 >> 8) + 10];
  v37 = dword_6114[v32 + 10] ^ a1[34] ^ dword_6514[(v33 >> 24) + 10] ^ dword_6914[((v34 >> 16) & 0xFF) + 10] ^ dword_6D14[(v31 >> 8) + 10];
  v38 = a1[35] ^ dword_6114[v33 + 10] ^ dword_6514[(v34 >> 24) + 10] ^ dword_6914[((v31 >> 16) & 0xFF) + 10] ^ dword_6D14[(v32 >> 8) + 10];

  /* Round 9 leaves the state in v54, v55, v53, v39 (in that word order). */
  v54 = dword_6114[v38 + 10] ^ a1[36] ^ dword_6514[(v35 >> 24) + 10] ^ dword_6914[((v36 >> 16) & 0xFF) + 10] ^ dword_6D14[(v37 >> 8) + 10];
  v55 = dword_6114[v35 + 10] ^ a1[37] ^ dword_6514[(v36 >> 24) + 10] ^ dword_6914[((v37 >> 16) & 0xFF) + 10] ^ dword_6D14[(v38 >> 8) + 10];
  v53 = dword_6D14[(v35 >> 8) + 10] ^ dword_6114[v36 + 10] ^ a1[38] ^ dword_6514[(v37 >> 24) + 10] ^ dword_6914[((v38 >> 16) & 0xFF) + 10];
  v39 = a1[39] ^ dword_6114[v37 + 10] ^ dword_6514[(v38 >> 24) + 10] ^ dword_6914[((v35 >> 16) & 0xFF) + 10] ^ dword_6D14[(v36 >> 8) + 10];

  v57 = a1[128]; // round count written by my_md5
  if ( v57 > 10 )
  {
    /* Two extra rounds using a1[40..47]; not taken when a1[128] == 10. */
    v41 = dword_6114[v39 + 10] ^ a1[40] ^ dword_6514[(v54 >> 24) + 10] ^ dword_6914[((v55 >> 16) & 0xFF) + 10] ^ dword_6D14[(v53 >> 8) + 10];
    v42 = dword_6D14[(v39 >> 8) + 10] ^ dword_6114[v54 + 10] ^ a1[41] ^ dword_6514[(v55 >> 24) + 10] ^ dword_6914[((v53 >> 16) & 0xFF) + 10];
    v43 = dword_6114[v55 + 10] ^ a1[42] ^ dword_6514[(v53 >> 24) + 10] ^ dword_6914[((v39 >> 16) & 0xFF) + 10] ^ dword_6D14[(v54 >> 8) + 10];
    v44 = a1[43] ^ dword_6114[v53 + 10] ^ dword_6514[(v39 >> 24) + 10] ^ dword_6914[((v54 >> 16) & 0xFF) + 10] ^ dword_6D14[(v55 >> 8) + 10];
    v54 = dword_6114[v44 + 10] ^ a1[44] ^ dword_6514[(v41 >> 24) + 10] ^ dword_6914[((v42 >> 16) & 0xFF) + 10] ^ dword_6D14[(v43 >> 8) + 10];
    v55 = dword_6114[v41 + 10] ^ a1[45] ^ dword_6514[(v42 >> 24) + 10] ^ dword_6914[((v43 >> 16) & 0xFF) + 10] ^ dword_6D14[(v44 >> 8) + 10];
    v53 = dword_6114[v42 + 10] ^ a1[46] ^ dword_6514[(v43 >> 24) + 10] ^ dword_6914[((v44 >> 16) & 0xFF) + 10] ^ dword_6D14[(v41 >> 8) + 10];
    v39 = dword_6914[((v41 >> 16) & 0xFF) + 10] ^ a1[47] ^ dword_6114[v43 + 10] ^ dword_6514[(v44 >> 24) + 10] ^ dword_6D14[(v42 >> 8) + 10];
    v40 = a1 + 44;
    if ( v57 > 12 )
    {
      /* Two further rounds using a1[48..55]. */
      v45 = dword_6114[v39 + 10] ^ a1[48] ^ dword_6514[(v54 >> 24) + 10] ^ dword_6914[((v55 >> 16) & 0xFF) + 10] ^ dword_6D14[(v53 >> 8) + 10];
      v46 = dword_6114[v54 + 10] ^ a1[49] ^ dword_6514[(v55 >> 24) + 10] ^ dword_6914[((v53 >> 16) & 0xFF) + 10] ^ dword_6D14[(v39 >> 8) + 10];
      v47 = dword_6114[v55 + 10] ^ a1[50] ^ dword_6514[(v53 >> 24) + 10] ^ dword_6914[((v39 >> 16) & 0xFF) + 10] ^ dword_6D14[(v54 >> 8) + 10];
      v40 = a1 + 52;
      v48 = dword_6D14[(v55 >> 8) + 10] ^ a1[51] ^ dword_6114[v53 + 10] ^ dword_6514[(v39 >> 24) + 10] ^ dword_6914[((v54 >> 16) & 0xFF) + 10];
      v54 = dword_6114[v48 + 10] ^ a1[52] ^ dword_6514[(v45 >> 24) + 10] ^ dword_6914[((v46 >> 16) & 0xFF) + 10] ^ dword_6D14[(v47 >> 8) + 10];
      v55 = dword_6114[v45 + 10] ^ a1[53] ^ dword_6514[(v46 >> 24) + 10] ^ dword_6914[((v47 >> 16) & 0xFF) + 10] ^ dword_6D14[(v48 >> 8) + 10];
      v53 = dword_6D14[(v45 >> 8) + 10] ^ dword_6114[v46 + 10] ^ a1[54] ^ dword_6514[(v47 >> 24) + 10] ^ dword_6914[((v48 >> 16) & 0xFF) + 10];
      v39 = dword_6D14[(v46 >> 8) + 10] ^ dword_6114[v47 + 10] ^ a1[55] ^ dword_6514[(v48 >> 24) + 10] ^ dword_6914[((v45 >> 16) & 0xFF) + 10];
    }
  }
  else
  {
    /* Path taken for a1[128] == 10: the last round reads v40[4..7], i.e. a1[40..43]. */
    v40 = a1 + 36;
  }

  /* Last round: only the table at dword_4D14[10..] is used; each looked-up
     value is shifted back into its byte position and the word is XORed with
     v40[4..7]. */
  v49 = dword_4D14[v39 + 10] ^ v40[4] ^ (dword_4D14[(v54 >> 24) + 10] << 24) ^ (dword_4D14[((v55 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v53 >> 8) + 10] << 8);
  v50 = v40[5] ^ dword_4D14[v54 + 10] ^ (dword_4D14[(v55 >> 24) + 10] << 24) ^ (dword_4D14[((v53 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v39 >> 8) + 10] << 8);
  v51 = dword_4D14[v55 + 10] ^ v40[6] ^ (dword_4D14[(v53 >> 24) + 10] << 24) ^ (dword_4D14[((v39 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v54 >> 8) + 10] << 8);
  result = (dword_4D14[(v39 >> 24) + 10] << 24) ^ v40[7] ^ dword_4D14[v53 + 10] ^ (dword_4D14[((v54 >> 16) & 0xFF) + 10] << 16) ^ (dword_4D14[(v55 >> 8) + 10] << 8);

  /* Store v49, v50, v51, result into a3[0..15], most significant byte first.
     The plain assignments (v56[3] = v49 etc.) keep only the low byte because
     v56 points to _BYTE. */
  *v56 = HIBYTE(v49);
  v56[1] = BYTE2(v49);
  v56[2] = BYTE1(v49);
  v56[3] = v49;
  v56[4] = HIBYTE(v50);
  v56[5] = BYTE2(v50);
  v56[6] = BYTE1(v50);
  v56[8] = HIBYTE(v51);
  v56[9] = BYTE2(v51);
  v56[10] = BYTE1(v51);
  v56[12] = HIBYTE(result);
  v56[13] = BYTE2(result);
  v56[7] = v50;
  v56[11] = v51;
  v56[14] = BYTE1(result);
  v56[15] = result;
  return result;
}
五、最后,my_sha256的结果放入v29中,再用数组v29的第11-16个字节(下标10-15)分别模10,依次生成动态密码result的第1-6位。完结,感谢大家的支持