|
[原创]一网络验证脱机外挂的破解分析
我以前的做法是,NOP掉客户端的加密发送函数和接收解密函数,直接以明文向服务器写数据。剩下的问题就是找个能用的用户名,分析一下返回数据的作用。最后就是写个明文返回的服务器。 |
|
[求助]谁可以帮我下载这pudn的连连看源码呢
http://download.pudn.com/downloads119/sourcecode/game/97288426MyLLK.rar |
|
[求助]请问如何给后台窗口发送鼠标按键消息
游戏不是python写的,但是封包加密算法是python写的!当时不懂弯路走了很多啊! |
|
[讨论]Rustock.C 感染Ntdlr的Boot RootKit 多态壳
是一个反病毒公司,帮助大公司做反病毒。介绍的是一家公司,可能会介绍一些攻击方法和这家公司的防御措施,但是更细节的东西应该没有。同学是搞俄语的,但是不懂编程,他只是简单看了看,给我解释说没有什么实际的东西——也许是他看不出来也不一定! |
|
[分享]辽宁沈阳的来哦
居然有锦州的呵呵!跟一帖吧! |
|
[讨论]成立“看雪逆向团队”
学习犹如逆水行舟,不进则退啊!既然有高手提出自然举双手赞成!呵呵!不知道进入这个团队有什么要求啊! |
|
[结束][第一阶段◇第一题]看雪论坛.珠海金山2007逆向分析挑战赛
昨天上班的时候发现的但是没有时间看!今天休息看了一下算法!呵呵!算法难度一般但是递归编程我是不行啦!汉诺塔我都写不好嘻嘻!等着看高手的源码了啊! |
|
[原创]含沙量高的->连连看v3.0 游戏修改器
// Connectivity test for a Lianliankan (tile-matching) board.
// Maps[x, y] holds the tile id of a cell; a value of -1 is treated as an empty
// cell that a connecting line may pass through (see CanLine and the corner
// checks below). Maps, iVCount and iHCount are fields of TSearch declared
// outside this listing; iVCount/iHCount appear to be the vertical/horizontal
// cell counts, since they bound the Y and X scans in CanLineTwoCorner.
// Returns True when pt1 and pt2 can be joined by a straight line, by two
// segments (one corner) or by three segments (two corners).
function TSearch.CanConnect(pt1, pt2: TPoint): Boolean;
begin //check whether the two points can be connected (3 cases in total)
  Result := CanLine(pt1, pt2) or CanLineOneCorner(pt1, pt2) or CanLineTwoCorner(pt1, pt2);
end;

// True when pt1 and pt2 share a row or a column and every cell strictly
// between them is -1. Adjacent or identical points give True because the
// scan loop is empty. pt1/pt2 are value parameters, so the swap that orders
// them is local to this call; pt is used only as the swap temporary.
function TSearch.CanLine(pt1, pt2: TPoint): Boolean;
var //test whether the 2 points can be connected directly (no obstacle in between)
  i: Integer;
  pt: TPoint;
begin
  Result := False;
  if pt1.X = pt2.X then
  begin
    // same column: order by Y, then scan the cells between
    if pt1.Y > pt2.Y then
    begin
      pt.Y := pt1.Y; pt1.Y := pt2.Y; pt2.Y := pt.Y;
    end;
    for i := pt1.Y +1 to pt2.Y -1 do
    begin
      if Maps[pt1.X,i] <> -1 then exit;
    end;
    Result := True;
    exit;
  end;
  if pt1.Y = pt2.Y then
  begin
    // same row: order by X, then scan the cells between
    if pt1.X > pt2.X then
    begin
      pt.X := pt1.X; pt1.X := pt2.X; pt2.X := pt.X;
    end;
    for i := pt1.X +1 to pt2.X -1 do
    begin
      if Maps[i,pt2.Y] <> -1 then exit;
    end;
    Result := True;
    exit;
  end;
end;

// True when pt1 and pt2 can be joined through one empty corner cell, i.e.
// either (pt1.X, pt2.Y) or (pt2.X, pt1.Y) is -1 and has a clear straight line
// to both points.
function TSearch.CanLineOneCorner(pt1, pt2: TPoint): Boolean;
var //check whether the 2 points are connected by 2 straight lines (one corner)
  pt: TPoint;
begin
  Result := False;
  pt.X := pt1.X; pt.Y := pt2.Y; //corner coordinates (lower-left corner)
  if (Maps[pt.X, pt.Y] = -1) and CanLine(pt,pt1) and CanLine(pt,pt2) then
  begin //
    Result := True; exit;
  end;
  pt.X := pt2.X; pt.Y := pt1.Y; //corner coordinates (upper-right corner)
  if (Maps[pt.X, pt.Y] = -1) and CanLine(pt,pt1) and CanLine(pt,pt2) then
  begin
    Result := True; exit;
  end;
end;

// True when pt1 and pt2 can be joined through two corners: scans every empty
// cell in pt1's column (Y in 0..iVCount-1) and then in pt1's row
// (X in 0..iHCount-1); a candidate qualifies if it has a straight clear line
// to pt1 and a one-corner connection to pt2.
function TSearch.CanLineTwoCorner(pt1, pt2: TPoint): Boolean;
var //check whether the 2 points are connected by 3 straight lines (2 corners)
  pt: TPoint;
  i: Integer;
begin
  Result := False;
  pt.X := pt1.X;
  for i := 0 to iVCount - 1 do
  begin //search downward starting from the 1st point
    pt.Y := i;
    if (Maps[pt.X, pt.Y] = -1) and CanLine(pt,pt1) and CanLineOneCorner(pt,pt2) then
    begin //TRUE if the temporary point can be reached through 1 or 2 straight lines
      Result := True; exit;
    end;
  end;
  pt.Y := pt1.Y;
  for i := 0 to iHCount - 1 do
  begin //search to the right starting from the 1st point
    pt.X := i;
    if (Maps[pt.X, pt.Y] = -1) and CanLine(pt,pt1) and CanLineOneCorner(pt,pt2) then
    begin //TRUE if the temporary point can be reached through 1 or 2 straight lines
      Result := True; exit;
    end;
  end;
end;
这个东西以前我好像业分析过不过分析的数据是没有了!这个是我写的东西的核心代码部分!如果有了内存地图或者是屏幕上的地图数据然后模拟左键点击,你说连连看会怎么工作啊!!! |
|
[精华集]《看雪论坛精华8》,2007年1月发布
终于放假了!没想到头一天就赶上了啊! |
|
郁闷 跟踪了两天 sockmon2005 一点进展都没有!
SockMon5 这个版本的我以前为了使用分析过!不过因为是临时使用只是分析了一点点让他能够使用而已!因为最近单位非常的忙,根本没有时间,我就把我以前留的没有整理的分析记录给你做个参考吧! Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\0C5D07FF] "1E695187"=hex:1c,00,00,00 "8B3844DE"=hex:3f,2b,0b,00 注册名:POWERBOY 注册码:E3A5223D-A5E2CEB5-7BDD9AD5 然后把上面的数据导入注册表 004BB47C > $ 55 PUSH EBP 004BB47D . 8BEC MOV EBP,ESP 004BB47F . 83C4 F0 ADD ESP,-10 004BB482 . 53 PUSH EBX 004BB483 . B8 ECB14B00 MOV EAX,dumped2_.004BB1EC 004BB488 . E8 F3B3F4FF CALL dumped2_.00406880 004BB48D . 8B1D E8D74B00 MOV EBX,DWORD PTR DS:[4BD7E8] ; dumped2_.004BEC34 004BB493 . E8 D42BFEFF CALL dumped2_.0049E06C 004BB498 . 84C0 TEST AL,AL 004BB49A . 74 07 JE SHORT dumped2_.004BB4A3 ;检测DEDE 004BB49C . 6A 00 PUSH 0 ; /ExitCode = 0 004BB49E . E8 1DB6F4FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess 对字符串的处理!看不懂他根本就不知道程序成功和错误的字符串都是什么啊! 0049E170 /$ 55 PUSH EBP 0049E171 |. 8BEC MOV EBP,ESP 0049E173 |. 81C4 F4F7FFFF ADD ESP,-80C 0049E179 |. 53 PUSH EBX 0049E17A |. 56 PUSH ESI 0049E17B |. 57 PUSH EDI 0049E17C |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX 0049E17F |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 0049E182 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 0049E185 |. E8 8667F6FF CALL dumped2_.00404910 0049E18A |. 33C0 XOR EAX,EAX 0049E18C |. 55 PUSH EBP 0049E18D |. 68 13E24900 PUSH dumped2_.0049E213 0049E192 |. 64:FF30 PUSH DWORD PTR FS:[EAX] 0049E195 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP 0049E198 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 0049E19B |. E8 8067F6FF CALL dumped2_.00404920 0049E1A0 |. 8BD8 MOV EBX,EAX 0049E1A2 |. 8BD3 MOV EDX,EBX 0049E1A4 |. 8D85 F6F7FFFF LEA EAX,DWORD PTR SS:[EBP-80A] 0049E1AA |. E8 D9AFF6FF CALL dumped2_.00409188 0049E1AF |. 8BC3 MOV EAX,EBX 0049E1B1 |. E8 96AFF6FF CALL dumped2_.0040914C 0049E1B6 |. 8BF8 MOV EDI,EAX 0049E1B8 |. D1EF SHR EDI,1 0049E1BA |. 8BF7 MOV ESI,EDI 0049E1BC |. 4E DEC ESI 0049E1BD |. 85F6 TEST ESI,ESI 0049E1BF |. 7C 26 JL SHORT dumped2_.0049E1E7 0049E1C1 |. 46 INC ESI 0049E1C2 |. 8D85 F6F7FFFF LEA EAX,DWORD PTR SS:[EBP-80A] 0049E1C8 |. 
8D95 F7FBFFFF LEA EDX,DWORD PTR SS:[EBP-409] 0049E1CE |> 8A08 /MOV CL,BYTE PTR DS:[EAX] 0049E1D0 |. 80E9 41 |SUB CL,41 0049E1D3 |. 8A58 01 |MOV BL,BYTE PTR DS:[EAX+1] 0049E1D6 |. 80EB 41 |SUB BL,41 0049E1D9 |. C1E3 04 |SHL EBX,4 0049E1DC |. 02CB |ADD CL,BL 0049E1DE |. 880A |MOV BYTE PTR DS:[EDX],CL 0049E1E0 |. 42 |INC EDX 0049E1E1 |. 83C0 02 |ADD EAX,2 0049E1E4 |. 4E |DEC ESI 0049E1E5 |.^ 75 E7 \JNZ SHORT dumped2_.0049E1CE 0049E1E7 |> C6843D F7FBFF>MOV BYTE PTR SS:[EBP+EDI-409],0 0049E1EF |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 0049E1F2 |. 8D95 F7FBFFFF LEA EDX,DWORD PTR SS:[EBP-409] 0049E1F8 |. E8 6364F6FF CALL dumped2_.00404660 0049E1FD |. 33C0 XOR EAX,EAX 0049E1FF |. 5A POP EDX 0049E200 |. 59 POP ECX 0049E201 |. 59 POP ECX 0049E202 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX 0049E205 |. 68 1AE24900 PUSH dumped2_.0049E21A 0049E20A |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 0049E20D |. E8 5E62F6FF CALL dumped2_.00404470 0049E212 \. C3 RETN :004B7166 6A00 push 00000000 :004B7168 8D95F0FDFFFF lea edx, dword ptr [ebp+FFFFFDF0] * Possible StringData Ref from Data Obj ->"ILANANLLHNCKCLBODNDMLLHKKDACFCDH" //上面的字符串用字符串解密函数解密之后就是: 0012F7B7 B8 D0 D0 BB D7 A2 B2 E1 D3 C3 BB A7 3A 20 25 73 感谢注册用户: %s | :004B716E B808744B00 mov eax, 004B7408 :004B7173 E8F86FFEFF call 0049E170 :004B7178 8B85F0FDFFFF mov eax, dword ptr [ebp+FFFFFDF0] :004B717E E89DD7F4FF call 00404920 :004B7183 8BD0 mov edx, eax :004B7185 8D85FBFEFFFF lea eax, dword ptr [ebp+FFFFFEFB] :004B718B 8985E8FDFFFF mov dword ptr [ebp+FFFFFDE8], eax :004B7191 C685ECFDFFFF06 mov byte ptr [ebp+FFFFFDEC], 06 :004B7198 8D8DE8FDFFFF lea ecx, dword ptr [ebp+FFFFFDE8] :004B719E 8D85FAFDFFFF lea eax, dword ptr [ebp+FFFFFDFA] :004B71A4 E89726F5FF call 00409840 :004B71A9 6A00 push 00000000 :004B71AB E8A8F9F4FF call 00406B58 :004B71B0 3BF0 cmp esi, eax :004B71B2 745A je 004B720E :004B71B4 6A01 push 00000001 :004B71B6 8D95E4FDFFFF lea edx, dword ptr [ebp+FFFFFDE4] * Possible StringData Ref from Data Obj 
->"EMDOLLJLDNANFCEGMMMODNLOFCEGELOMKMENDNDMFLEMGM" ->"KNPMON" | :004B71BC B834744B00 mov eax, 004B7434 :004B71C1 E8AA6FFEFF call 0049E170 :004B71C6 8B85E4FDFFFF mov eax, dword ptr [ebp+FFFFFDE4] :004B71CC E84FD7F4FF call 00404920 :004B71D1 8BD0 mov edx, eax :004B71D3 8BC6 mov eax, esi :004B71D5 C1E810 shr eax, 10 :004B71D8 25FF000000 and eax, 000000FF :004B71DD 8985D4FDFFFF mov dword ptr [ebp+FFFFFDD4], eax :004B71E3 C685D8FDFFFF00 mov byte ptr [ebp+FFFFFDD8], 00 :004B71EA 81E6FF000000 and esi, 000000FF :004B71F0 89B5DCFDFFFF mov dword ptr [ebp+FFFFFDDC], esi :004B71F6 C685E0FDFFFF00 mov byte ptr [ebp+FFFFFDE0], 00 :004B71FD 8D8DD4FDFFFF lea ecx, dword ptr [ebp+FFFFFDD4] :004B7203 8D85FAFDFFFF lea eax, dword ptr [ebp+FFFFFDFA] :004B7209 E83226F5FF call 00409840 入栈参数就是我们输入的用户名注册码: 004B6FCF . E8 006AFEFF CALL <JMP.&smcomm.SMVer_Check> ;检测函数返回值很有用 004B6FD4 . 8BF0 MOV ESI,EAX 004B6FD6 . 8BD6 MOV EDX,ESI 004B6FD8 . 8BC3 MOV EAX,EBX 0049D9D4 $- FF25 B4275000 JMP DWORD PTR DS:[<&smcomm.SMVer_Ch>; smcomm.SMVer_Check 004B7003 . E8 4C69FEFF CALL <JMP.&smcomm.SMCache_Open> 004B7008 . A3 94ED4B00 MOV DWORD PTR DS:[4BED94],EAX 004B700D . 833D 94ED4B00>CMP DWORD PTR DS:[4BED94],0 004B7014 . 
75 22 JNZ SHORT pj.004B7038 ;检测函数是否被修改 10001FC0 > 8B442408 MOV EAX,DWORD PTR SS:[ESP+8] 10001FC4 8B542404 MOV EDX,DWORD PTR SS:[ESP+4] 10001FC8 8B0D D0A10010 MOV ECX,DWORD PTR DS:[1000A1D0] 10001FCE 50 PUSH EAX 10001FCF 52 PUSH EDX 10001FD0 E8 CB060000 CALL smcomm.100026A0 10001FD5 C2 0800 RETN 8 10001FC0 > 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] 10001FC4 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4] 10001FC8 8B0D D0A10010 MOV ECX,DWORD PTR DS:[1000A1D0] 10001FCE B8 11110000 MOV EAX,1111 10001FD3 90 NOP 10001FD4 90 NOP 10001FD5 C2 0800 RETN 8 100026D3 8BCB MOV ECX,EBX 100026D5 E8 46000000 CALL smcomm.10002720 100026DA 85C0 TEST EAX,EAX 100026DC 74 1D JE SHORT smcomm.100026FB 算法 10002735 894424 24 MOV DWORD PTR SS:[ESP+24],EAX 10002739 8BFD MOV EDI,EBP 1000273B 83C9 FF OR ECX,FFFFFFFF 1000273E 894424 28 MOV DWORD PTR SS:[ESP+28],EAX 10002742 F2:AE REPNE SCAS BYTE PTR ES:[EDI] 10002744 F7D1 NOT ECX 10002746 49 DEC ECX 10002747 B2 47 MOV DL,47 10002749 8AC1 MOV AL,CL 1000274B 33DB XOR EBX,EBX 1000274D F6EA IMUL DL 1000274F 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX 10002753 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX 10002757 884424 50 MOV BYTE PTR SS:[ESP+50],AL ; AL=$47*LENGTH(NAME) 1000275B 8BC3 MOV EAX,EBX 1000275D 8D741C 1C LEA ESI,DWORD PTR SS:[ESP+EBX+1C] 10002761 99 CDQ 10002762 F7F9 IDIV ECX 10002764 8A4424 50 MOV AL,BYTE PTR SS:[ESP+50] 10002768 8A0C2A MOV CL,BYTE PTR DS:[EDX+EBP] ; 取名字 1000276B B2 11 MOV DL,11 1000276D 32C8 XOR CL,AL ; ORD(NAME[0]) XOR STRTOINT(LENGTH(NAME)) 1000276F 8AC3 MOV AL,BL 10002771 F6EA IMUL DL 10002773 02C8 ADD CL,AL 10002775 33D2 XOR EDX,EDX 10002777 880E MOV BYTE PTR DS:[ESI],CL 10002779 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14] 1000277D 85C9 TEST ECX,ECX 1000277F 7E 2E JLE SHORT smcomm.100027AF 10002781 8AC3 MOV AL,BL 10002783 B1 47 MOV CL,47 10002785 F6E9 IMUL CL 10002787 884424 13 MOV BYTE PTR SS:[ESP+13],AL 1000278B 8A0C2A MOV CL,BYTE PTR DS:[EDX+EBP] 1000278E 8A1E MOV BL,BYTE PTR DS:[ESI] 10002790 32CB XOR CL,BL 10002792 8AC2 MOV AL,DL 
10002794 B3 11 MOV BL,11 10002796 F6EB IMUL BL 10002798 8A5C24 13 MOV BL,BYTE PTR SS:[ESP+13] 1000279C 02C8 ADD CL,AL 1000279E 02CB ADD CL,BL 100027A0 42 INC EDX 100027A1 880E MOV BYTE PTR DS:[ESI],CL 100027A3 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14] 100027A7 3BD1 CMP EDX,ECX 100027A9 ^ 7C E0 JL SHORT smcomm.1000278B 100027AB 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18] 100027AF 43 INC EBX 100027B0 83FB 10 CMP EBX,10 100027B3 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX 100027B7 ^ 7C A2 JL SHORT smcomm.1000275B 0012FB6C E3 A5 22 3D A5 E2 CE B5 7B DD 9A D5 9D DA 66 6D 悭"=モ蔚{??阪m 100027EE 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-" 100027B9 8B5424 1F MOV EDX,DWORD PTR SS:[ESP+1F] 100027BD 8B4424 1E MOV EAX,DWORD PTR SS:[ESP+1E] 100027C1 8B4C24 1D MOV ECX,DWORD PTR SS:[ESP+1D] 100027C5 81E2 FF000000 AND EDX,0FF 100027CB 8B3D 14710010 MOV EDI,DWORD PTR DS:[10007114] ; user32.wsprintfA 100027D1 52 PUSH EDX 100027D2 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20] 100027D6 25 FF000000 AND EAX,0FF 100027DB 81E1 FF000000 AND ECX,0FF 100027E1 50 PUSH EAX 100027E2 81E2 FF000000 AND EDX,0FF 100027E8 51 PUSH ECX 100027E9 52 PUSH EDX 100027EA 8D4424 3C LEA EAX,DWORD PTR SS:[ESP+3C] 100027EE 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-" 100027F3 50 PUSH EAX 100027F4 FFD7 CALL EDI 100027F6 8B4C24 3B MOV ECX,DWORD PTR SS:[ESP+3B] 100027FA 8B5424 3A MOV EDX,DWORD PTR SS:[ESP+3A] 100027FE 81E1 FF000000 AND ECX,0FF 10002804 8BF0 MOV ESI,EAX 10002806 8B4424 39 MOV EAX,DWORD PTR SS:[ESP+39] 1000280A 51 PUSH ECX 1000280B 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C] 1000280F 81E2 FF000000 AND EDX,0FF 10002815 25 FF000000 AND EAX,0FF 1000281A 52 PUSH EDX 1000281B 81E1 FF000000 AND ECX,0FF 10002821 50 PUSH EAX 10002822 51 PUSH ECX 10002823 8D5434 54 LEA EDX,DWORD PTR SS:[ESP+ESI+54] 10002827 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-" 1000282C 52 PUSH EDX 1000282D FFD7 CALL EDI ; user32.wsprintfA 1000282F 8B4C24 56 MOV ECX,DWORD PTR SS:[ESP+56] 10002833 
8B5424 55 MOV EDX,DWORD PTR SS:[ESP+55] 10002837 03F0 ADD ESI,EAX 10002839 8B4424 57 MOV EAX,DWORD PTR SS:[ESP+57] 1000283D 25 FF000000 AND EAX,0FF 10002842 81E1 FF000000 AND ECX,0FF 10002848 50 PUSH EAX 10002849 8B4424 58 MOV EAX,DWORD PTR SS:[ESP+58] 1000284D 81E2 FF000000 AND EDX,0FF 10002853 51 PUSH ECX 10002854 25 FF000000 AND EAX,0FF 10002859 52 PUSH EDX 1000285A 50 PUSH EAX 1000285B 8D4C34 6C LEA ECX,DWORD PTR SS:[ESP+ESI+6C] 1000285F 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-" 10002864 51 PUSH ECX 10002865 FFD7 CALL EDI 10002867 8BBC24 9C000000 MOV EDI,DWORD PTR SS:[ESP+9C] 1000286E 03F0 ADD ESI,EAX 10002870 83C4 48 ADD ESP,48 10002873 33D2 XOR EDX,EDX 10002875 8D4E FF LEA ECX,DWORD PTR DS:[ESI-1] 10002878 8D7424 2C LEA ESI,DWORD PTR SS:[ESP+2C] 1000287C F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:> 1000287E 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28] 10002882 8BC2 MOV EAX,EDX 10002884 0F95C0 SETNE AL 10002887 5F POP EDI 10002888 48 DEC EAX 10002889 5E POP ESI 1000288A 5D POP EBP 1000288B 23C1 AND EAX,ECX 1000288D 5B POP EBX 1000288E 83C4 3C ADD ESP,3C 10002891 C2 0800 RETN 8 0012FB7B 6D 45 33 41 35 32 32 33 44 2D 41 35 45 32 43 45 mE3A5223D-A5E2CE 0012FB8B 42 35 2D 37 42 44 44 39 41 44 35 2D 00 0B 00 00 B5-7BDD9AD5-... 0012FB7C 45 33 41 35 32 32 33 44 2D 41 35 45 32 43 45 42 E3A5223D-A5E2CEB 0012FB8C 35 2D 37 42 44 44 39 41 44 35 2D 00 0B 00 00 00 5-7BDD9AD5-.... E3A5223D-A5E2CEB5-7BDD9AD5- 0012F978 38 42 33 38 34 34 44 45 00 8B3844DE. 0012F958 31 45 36 39 35 31 38 37 00 00 00 00 02 00 00 00 1E695187....... B2B2A-9= //4月 B2B48-9=B2B3F //5月 B2B66 SMC破解过程! 004B6FD4 8BF0 MOV ESI,EAX ;这里的EAX值决定着能否使用 004B6FD6 8BD6 MOV EDX,ESI 004B6FD8 . 8BC3 MOV EAX,EBX 004B6FDA . E8 5DFEFFFF CALL pj11.004B6E3C 004B6FD4 /E9 E0470000 JMP pj11.004BB7B9 ;跳过去 004B6FD9 |90 NOP ;跳回这里继续执行 004BB7B9 . 0000 ADD BYTE PTR DS:[EAX],AL ;我们在这里发现了一些空的地址 004BB7BB . 0000 ADD BYTE PTR DS:[EAX],AL 004BB7BD . 0000 ADD BYTE PTR DS:[EAX],AL 004BB7BF . 
0000 ADD BYTE PTR DS:[EAX],AL 004BB7B9 B8 11110000 MOV EAX,1111 ;我们想执行的执行完了 004BB7BE 8BF0 MOV ESI,EAX 004BB7C0 8BD6 MOV EDX,ESI 004BB7C2 8BC3 MOV EAX,EBX 004BB7C4 ^ E9 10B8FFFF JMP pj11.004B6FD9 ;跳回去 |
|
有谁可以写出这样的代码
如果我没有记错!IPB的NO.2中就用到了背包算法!好像就是你介绍的算法!呵呵!我是穷举解决的!希望你找到好的方法! |
|
RSA算法中密钥长度1024是指最大密钥数值是2^1024么?
很长时间以前娃娃曾经写过一篇有关RSA的文章,其中有对密钥长度的解释!产生这样的数据可以使用工具啊!看雪的主页就有下载! |
|
问一个算法的问题,我没有见过这种对称算法!
我的疏忽啊!居然没有写明白我的目的!我写的过程就是可以利用得到的KEY对密文进行解密了!我想知道这样的解密算法怎么得到加密算法!查表解密和加密我已经想明白了!就是: 00406227 > /8345 08 08 ADD DWORD PTR SS:[EBP+8],8 0040622B . |C745 9C 04000>MOV DWORD PTR SS:[EBP-64],4 00406232 . |8D75 D0 LEA ESI,DWORD PTR SS:[EBP-30] 00406235 > |8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 00406238 . |8B12 MOV EDX,DWORD PTR DS:[EDX] 0040623A . |8B06 MOV EAX,DWORD PTR DS:[ESI] 0040623C . |8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0040623F . |8B0C81 MOV ECX,DWORD PTR DS:[ECX+EAX*4] 00406242 . |8B46 04 MOV EAX,DWORD PTR DS:[ESI+4] 00406245 . |8D7D A0 LEA EDI,DWORD PTR SS:[EBP-60] 00406248 . |8B0487 MOV EAX,DWORD PTR DS:[EDI+EAX*4] 0040624B . |8B5E 08 MOV EBX,DWORD PTR DS:[ESI+8] 0040624E . |8D7D A0 LEA EDI,DWORD PTR SS:[EBP-60] 00406251 . |8B1C9F MOV EBX,DWORD PTR DS:[EDI+EBX*4] 00406254 . |03D3 ADD EDX,EBX 00406256 . |03DA ADD EBX,EDX 00406258 . |8BFA MOV EDI,EDX 0040625A . |C1EF 07 SHR EDI,7 0040625D . |33D7 XOR EDX,EDI 0040625F . |03CA ADD ECX,EDX 00406261 . |03D1 ADD EDX,ECX 00406263 . |8BF9 MOV EDI,ECX 00406265 . |C1E7 0D SHL EDI,0D 00406268 . |33CF XOR ECX,EDI 0040626A . |03C1 ADD EAX,ECX 0040626C . |03C8 ADD ECX,EAX 0040626E . |8BF8 MOV EDI,EAX 00406270 . |C1EF 11 SHR EDI,11 00406273 . |33C7 XOR EAX,EDI 00406275 . |03D8 ADD EBX,EAX 00406277 . |03C3 ADD EAX,EBX 00406279 . |8BFB MOV EDI,EBX 0040627B . |C1E7 09 SHL EDI,9 0040627E . |33DF XOR EBX,EDI 00406280 . |03D3 ADD EDX,EBX 00406282 . |03DA ADD EBX,EDX 00406284 . |8BFA MOV EDI,EDX 00406286 . |C1EF 03 SHR EDI,3 00406289 . |33D7 XOR EDX,EDI 0040628B . |03CA ADD ECX,EDX 0040628D . |8BD1 MOV EDX,ECX 0040628F . |C1E2 07 SHL EDX,7 00406292 . |33CA XOR ECX,EDX 00406294 . |03C1 ADD EAX,ECX 00406296 . |8BD3 MOV EDX,EBX 00406298 . |C1EA 0F SHR EDX,0F 0040629B . |33C2 XOR EAX,EDX 0040629D . |03D8 ADD EBX,EAX 0040629F . |8BC3 MOV EAX,EBX 004062A1 . |C1E0 0B SHL EAX,0B 004062A4 . |33D8 XOR EBX,EAX 004062A6 . |8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 004062A9 . |8B41 04 MOV EAX,DWORD PTR DS:[ECX+4] 004062AC . 
|33C3 XOR EAX,EBX 004062AE . |8B11 MOV EDX,DWORD PTR DS:[ECX] 004062B0 . |8951 04 MOV DWORD PTR DS:[ECX+4],EDX 004062B3 . |8901 MOV DWORD PTR DS:[ECX],EAX 004062B5 . |83C6 0C ADD ESI,0C 004062B8 . |FF4D 9C DEC DWORD PTR SS:[EBP-64] 004062BB . |837D 9C 00 CMP DWORD PTR SS:[EBP-64],0 004062BF .^|0F85 70FFFFFF JNZ unpacked.00406235 004062C5 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 004062C8 . 8B06 MOV EAX,DWORD PTR DS:[ESI] 004062CA . 8746 04 XCHG DWORD PTR DS:[ESI+4],EAX 004062CD . 8906 MOV DWORD PTR DS:[ESI],EAX 004062CF . FF4D 0C DEC DWORD PTR SS:[EBP+C] 004062D2 > 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0 004062D6 .^ 0F87 4BFFFFFF JA unpacked.00406227 ////////////////////////////////////////////////////////// move(bbuff,buff,len ); //种子变成KEY缓冲区 生成 buff keytable keysy Zz_Key(Key_A,Key_B); //用keytable , keysy对buff进行欲处理 Mesi:=0; //每次用2个缓冲区数据 //Mebp:=(len-8)shr 3; //外循环一共循环15次 Mebp:=len shr 3; Repeat int:=4; //内循环一个循环4次 Mesp:=0; //每次用3个索引表数据 Repeat Medx:=buff[Mesi]; //0 Mecx:=keytable[keysy[Mesp]]; Meax:=keytable[Keysy[Mesp+1]]; Mebx:=keytable[keysy[Mesp+2]]; Medx:=Medx+Mebx; Mebx:=Mebx+Medx; Medi:=Medx; Medi:=Medi shr 7; Medx:=Medx xor Medi; Mecx:=Mecx+Medx; Medx:=Medx+Mecx; Medi:=Mecx; Medi:=Medi shl $d; Mecx:=Mecx xor Medi; Meax:=Meax+Mecx; Mecx:=Mecx+Meax; Medi:=Meax; Medi:=Medi shr $11; Meax:=Meax xor Medi; Mebx:=Mebx+Meax; Meax:=Meax+Mebx; Medi:=Mebx; Medi:=Medi shl 9; Mebx:=Mebx xor Medi; Medx:=Medx+Mebx; Mebx:=Mebx+Medx; Medi:=Medx; Medi:=Medi shr 3; Medx:=Medx xor Medi; Mecx:=Mecx+Medx; Medx:=Medx+Mecx; Medx:=Medx shl 7; Mecx:=Mecx xor Medx; Meax:=Meax+Mecx; Medx:=Mebx; Medx:=Medx shr $f; Meax:=Meax xor Medx; Mebx:=Mebx+Meax; Meax:=Mebx; Meax:=Meax shl $b; Mebx:=Mebx xor Meax; Meax:=buff[Mesi+1];//1 Meax:=Meax xor Mebx; Medx:=buff[Mesi]; //0 buff[Mesi+1]:=Medx; buff[Mesi]:=Meax; Mesp:=Mesp+3; int:=int-1; Until int=0; Meax:=buff[Mesi]; Medx:=buff[Mesi+1]; buff[Mesi]:=Medx; buff[Mesi+1]:=Meax; Mesi:=Mesi+2; Mebp:=Mebp-1; Until Mebp=0; 这段算法的逆算法我搞不出来啊! 
如果能写出这段的逆算法,这个算法我就可以全部搞定了!而且这个算法确实在整体上存在问题!但上面这段算法的逆算法我遇到了点麻烦! |
|
问一个算法的问题,我没有见过这种对称算法!
unit EnDeClass;

interface

uses
  Windows, Messages, SysUtils, Classes;

const
  // Constant bytes summed by key_key to form the initial B seed.
  keystar:array [0..5]of word=($01,$42,$C6,$78,$13,$64);

type
  // Transcription of a traced packet encryption/decryption routine. The
  // register-like names (Meax, Mebx, Mecx, ...) mirror the x86 code it was
  // lifted from; the author states the result matches the original byte for
  // byte but that the code is not cleaned up.
  TEnDeclass = class
  private
    Okey:array [1..3,1..4]of dword;//the 3 groups of KEY after transformation (12 dwords)
    keytab:array[0..47]of byte;    //byte view of Okey, drives the keysy shuffle in Zz_Key
    keytable:array[0..11] of Dword;//dword view of Okey, indexed through keysy in EnCode
    keysy:array[0..11]of Dword;    //index permutation over keytable
    zhongzhi1:Dword; //seed (state of the Sf1 generator)
    table1:array[0..255] of word; //table 1: byte substitution table used by EnCode and DeCode
    table2:array[0..255] of word; //table 2: scratch table while table1 is being built
    Buff:array[0..35]of dword;    //144-byte working buffer; EnCode copies Len bytes into it with no bounds check
    procedure Zz_Key(Key_A,Key_B:Dword);
    function Sf1(Meax:Dword):word;
    procedure Sf2(Len,Mjs:Dword;var Tab1,tab2:array of word);
    procedure Table_Star(Key:Dword);
    { Private declarations }
  public
    { Public declarations }
    procedure key_key(var A,b:DWORD);
    procedure EnCode(Key_A,Key_B:Dword;var Bbuff:array of byte;Len:Word);
    procedure DeCode(Key_A,Key_B:Dword;var Buff:array of Byte;Len:Word);
  end;

implementation

// Produces the two seeds A and B that Zz_Key expands into the working key.
// A is assigned $641378C6 (the original derived it from the file size), then
// immediately overwritten with 0, then with GetTickCount -- a millisecond
// uptime counter, so the seed is time-derived and low-entropy, not random.
// B is the sum of the six keystar constants (= 504, $1F8).
procedure TEnDeclass.key_key(var A,b:DWORD); //obtain the seeds A,B of the initial KEY
var
  int:integer;
begin
  A:=$641378C6;//data obtained from the file size
  a:=0;  // dead store: the value above is never used
  b:=0;
  //01 42 C6 78 13 64
  for int:=0 to 5 do
    b:=b+keystar[int];
  a:=GetTickCount;
end;

// Expands the seeds Key_A/Key_B into Okey, keytab, keytable and the keysy
// index permutation that EnCode uses.
//  key1 = lower-case hex of A||B (16 chars), key2 = upper-case hex of A||B,
//  key3 = 16 chars cut from the zero-padded decimal forms of A and B.
//  Each 16-char part is read as four dwords (low byte first), XORed with a
//  running counter (A, B, A+B respectively) and stored in Okey[1..3].
// NOTE(review): the keysy shuffle reads `d:=keysy; keysy:=c;` -- an index is
// missing as posted (most likely "[b]" was eaten as forum markup); this does
// not compile as written, confirm against the author's original.
procedure TEnDeclass.Zz_Key(Key_A,Key_B:Dword); //seed-->KEY
var
  a,b:dword; //the two KEY seeds A,B
  int:word; //loop counter
  str:string;//temporary
  key,key1,key2,key3:string;
  Ikey,c,d:Dword;
begin
  key1:=lowercase(inttohex(key_a,8)+inttohex(key_b,8));
  key2:=uppercase(inttohex(key_a,8)+inttohex(key_b,8));
  str:='00000000'+inttostr(key_a);
  if length(str)>16 then
  begin
    key3:=copy(str,length(str)-8,9);
    str:='0000'+inttostr(key_b);
    key3:=key3+copy(str,1,7);
  end
  else
  begin
    key3:=copy(str,length(str)-7,8);
    str:='00000000'+inttostr(key_b);
    key3:=key3+copy(str,length(str)-7,8);
  end;
  //the KEY consists of 3 parts
  key:=key1+key2+key3; //show the initial KEY
  str:='';
  //start transforming the KEY
  //transform KEY1 with A
  a:=Key_A;
  for int:=4 downto 1 do
  begin
    // 4 characters -> one dword, first character in the low byte
    str:=copy(key1,int*4-3,4);
    key:='$'+inttohex(ord(str[4]),2)+inttohex(ord(str[3]),2)+
      inttohex(ord(str[2]),2)+inttohex(ord(str[1]),2);
    Ikey:=strtoint(key);
    Ikey:=Ikey xor a;
    a:=a+1;
    Okey[1,int]:=Ikey;
  end;
  //transform KEY2 with B
  B:=Key_B;
  for int:=4 downto 1 do
  begin
    str:=copy(key2,int*4-3,4);
    key:='$'+inttohex(ord(str[4]),2)+inttohex(ord(str[3]),2)+
      inttohex(ord(str[2]),2)+inttohex(ord(str[1]),2);
    Ikey:=strtoint(key);
    Ikey:=Ikey xor B;
    B:=B+1;
    Okey[2,int]:=Ikey;
  end;
  //transform KEY3 with A+B
  a:=Key_A+Key_B;
  for int:=4 downto 1 do
  begin
    str:=copy(key3,int*4-3,4);
    key:='$'+inttohex(ord(str[4]),2)+inttohex(ord(str[3]),2)+
      inttohex(ord(str[2]),2)+inttohex(ord(str[1]),2);
    Ikey:=strtoint(key);
    Ikey:=Ikey xor a;
    a:=a+1;
    Okey[3,int]:=Ikey;
  end;
  // Okey (12 dwords = 48 bytes) is exposed both as bytes and as dwords.
  move(Okey,keytab,12*sizeof(Dword));
  move(Okey,keytable,12*sizeof(Dword));
  for int:=0 to 11 do keysy[int]:=int;
  // Shuffle keysy: each pair of key bytes, masked with `and $b` (kept within
  // 0..11), names two slots to swap; 24 pairs over the 48 key bytes.
  int:=0;
  Repeat
    a:=keytab[int] and $b;
    b:=keytab[int+1] and $b;
    if a<>b then
    begin
      c:=keysy[a];
      d:=keysy;
      keysy[a]:=d;
      keysy:=c;
    end;
    int:=int+2;
  Until int>=$30;
end;

// Advances the zhongzhi1 state with the linear congruential generator
// x' = x*$343FD + $269EC3 (wrapping mod 2^32) and returns bits 16..30 of the
// new state. These constants and the (x shr 16) and $7fff output are those of
// the MSVC CRT rand(), so every value is fully determined by the seed.
// Meax is ignored; `and $ffffffff` is a no-op on a Dword.
function TEnDeclass.Sf1(Meax:Dword):word; //generates the data for the initial table
var
  Mecx:Dword;
begin
  Mecx:=zhongzhi1;
  Mecx:=Mecx * $343FD + $269EC3;
  Mecx:=Mecx and $ffffffff;
  zhongzhi1:=Mecx;
  Mecx:=Mecx shr $10;
  Mecx:=Mecx and $7fff;
  sf1:=Mecx;
end;

// Bubble-sorts Tab1[0..Len] ascending and applies every swap to tab2 as well,
// so tab2 records the permutation that sorted Tab1. Passes repeat until one
// completes without a swap (Mesp20 stays 1). Mjs is unused; Mebx stays 0, so
// the `Mebx>Mebp` break never fires.
procedure TEnDeclass.Sf2(Len,Mjs:Dword;var Tab1,tab2:array of word); //sort and record the swap order
var
  Mebx,Mebp:Dword;
  Mesp20,MDx,MDi,Meax:word;
begin
  Mebx:=0;
  Mebp:=len;
  Mesp20:=0;
  while Mesp20=0 do
  begin
    if Mebx>Mebp then break;
    Mebp:=len;
    Mesp20:=1;
    Meax:=1;
    Repeat
      Mdx:=tab1[Meax-1];
      Mdi:=tab1[Meax];
      if Mdx>Mdi then
      begin
        tab1[Meax-1]:=Mdi;
        tab1[Meax]:=Mdx;
        Mdi:=tab2[Meax-1];
        Mdx:=tab2[Meax];
        tab2[Meax]:=Mdi;
        tab2[Meax-1]:=Mdx;
        Mesp20:=0;
      end;
      Meax:=Meax+1;
      Mebp:=Mebp-1;
    Until Mebp=0;
  end;
end;

// Builds the byte substitution table table1 from Key.
//  1. Seed Sf1 with Key and draw 256 distinct values (a duplicate is redrawn).
//  2. Sort the draws with Sf2, dragging the identity in table2 along, so
//     table2 becomes the permutation that sorts them.
//  3. Reset table1 to the identity and sort table2, dragging table1 along, so
//     table1 becomes the inverse of that permutation.
// Everything here is a deterministic function of Key, so anyone holding Key
// (Key_A in EnCode/DeCode) can rebuild the table.
procedure TEnDeclass.Table_Star(Key:Dword); //generates the tables used for encryption & decryption
var
  int,Mesi:word;
  Mecx:Dword;
label label1;
begin
  zhongzhi1:=Key;
  Mesi:=0;
  Repeat
    table2[Mesi]:=Mesi;
    int:=Sf1(zhongzhi1);
    Mecx:=0;
    if Mesi<>0 then
    begin
      // Reject a value already present in table1[0..Mesi-1]; note the scan
      // runs up to Mecx=Mesi and so also reads table1[Mesi], which has not
      // been assigned yet in this pass.
      Repeat
        //Medx:=Mecx;
        //Medx:=Medx and $ffff;
        if int=table1[Mecx] then
        begin
          int:=Sf1(zhongzhi1);
          Mecx:=0;
          goto label1;  // restart the duplicate scan with the new draw
        end;
        Mecx:=Mecx+1;
      label1:
      Until Mecx>Mesi;
    end;
    table1[Mesi]:=int;
    Mesi:=Mesi+1;
  Until Mesi>=$100;
  //this point corresponds to 00405FDE
  Sf2($ff,0,Table1,table2);
  for int:=0 to 255 do table1[int]:=int;
  Sf2($ff,0,Table2,table1);
  //table1 is now the transformed TABLE and can be used directly for encryption and decryption
end;

// Encrypts Len bytes of Bbuff in place:
//  1. copies Bbuff into the private dword buffer Buff (no bounds check: Buff
//     holds 144 bytes while Len is a Word),
//  2. derives keytable/keysy from Key_A,Key_B (Zz_Key),
//  3. runs Len shr 3 rounds of a Feistel-style mixing pass over the buffer,
//     two dwords per round: four steps, each XORing one dword with an
//     ADD/XOR/shift function of the other and three key words, then swapping
//     the pair; a final swap follows the four steps. Bytes beyond the last
//     full 8-byte group are not mixed,
//  4. builds table1 from Key_A and substitutes every byte through it.
// NOTE(review): Mebp is a Word; when Len < 8 it starts at 0 and the
// Repeat..Until decrements it past zero (wrapping to 65535 with range
// checking off), so the loop runs far beyond Buff. Mebx/Mecx/Medx... keep the
// register names of the trace; `buff` here resolves to the private field.
procedure TEnDeclass.EnCode(Key_A,Key_B:Dword;var Bbuff:array of byte;Len:Word);
var
  Mesi,Mesp,Mebp,int:word;
  Meax,Medi,Mebx,Mecx,Medx:Dword;
begin
  move(bbuff,buff,len );
  //seeds become the KEY buffer: generates buff keytable keysy
  Zz_Key(Key_A,Key_B);
  //pre-process buff with keytable , keysy
  Mesi:=0; //2 buffer dwords are used each round
  //Mebp:=(len-8)shr 3; //the outer loop runs 15 times in total
  Mebp:=len shr 3;
  Repeat
    int:=4; //the inner loop runs 4 times
    Mesp:=0; //3 index-table entries are used each step
    Repeat
      Medx:=buff[Mesi]; //0
      Mecx:=keytable[keysy[Mesp]];
      Meax:=keytable[Keysy[Mesp+1]];
      Mebx:=keytable[keysy[Mesp+2]];
      Medx:=Medx+Mebx;
      Mebx:=Mebx+Medx;
      Medi:=Medx;
      Medi:=Medi shr 7;
      Medx:=Medx xor Medi;
      Mecx:=Mecx+Medx;
      Medx:=Medx+Mecx;
      Medi:=Mecx;
      Medi:=Medi shl $d;
      Mecx:=Mecx xor Medi;
      Meax:=Meax+Mecx;
      Mecx:=Mecx+Meax;
      Medi:=Meax;
      Medi:=Medi shr $11;
      Meax:=Meax xor Medi;
      Mebx:=Mebx+Meax;
      Meax:=Meax+Mebx;
      Medi:=Mebx;
      Medi:=Medi shl 9;
      Mebx:=Mebx xor Medi;
      Medx:=Medx+Mebx;
      Mebx:=Mebx+Medx;
      Medi:=Medx;
      Medi:=Medi shr 3;
      Medx:=Medx xor Medi;
      Mecx:=Mecx+Medx;
      Medx:=Medx+Mecx;
      Medx:=Medx shl 7;
      Mecx:=Mecx xor Medx;
      Meax:=Meax+Mecx;
      Medx:=Mebx;
      Medx:=Medx shr $f;
      Meax:=Meax xor Medx;
      Mebx:=Mebx+Meax;
      Meax:=Mebx;
      Meax:=Meax shl $b;
      Mebx:=Mebx xor Meax;
      // Mebx now holds the round function of buff[Mesi]; apply it to the
      // other half and swap the pair.
      Meax:=buff[Mesi+1];//1
      Meax:=Meax xor Mebx;
      Medx:=buff[Mesi]; //0
      buff[Mesi+1]:=Medx;
      buff[Mesi]:=Meax;
      Mesp:=Mesp+3;
      int:=int-1;
    Until int=0;
    // final swap of the dword pair after the four steps
    Meax:=buff[Mesi];
    Medx:=buff[Mesi+1];
    buff[Mesi]:=Medx;
    buff[Mesi+1]:=Meax;
    Mesi:=Mesi+2;
    Mebp:=Mebp-1;
  Until Mebp=0;
  //generate the data table TABLE1 used for encryption
  Table_Star(Key_A);
  //encrypt the data
  move(buff,bbuff,len);
  for int:=0 to len-1 do
  begin
    Bbuff[int]:=table1[Bbuff[int]];
  end;
end;

// Partial inverse of EnCode: rebuilds table1 from Key_A and maps each byte
// back through it by linear search. Only step 4 of EnCode is reversed; the
// mixing pass is not undone here (the author says that inverse is still
// missing). Key_B is unused, and the parameter Buff shadows the private field
// of the same name.
// NOTE(review): the inner loop has no break after a match, so a byte just
// mapped back to int2 is still compared with table1[int2'] for the remaining
// int2' and is remapped again whenever table1[int2'] = int2. An inverse table
// built once, or a break after the assignment, would avoid that.
procedure TEnDeclass.DeCode(Key_A,Key_B:Dword;var Buff:array of Byte;Len:Word);
var
  int,int2:word;
begin
  Table_Star(Key_A);
  for int:=0 to len-1 do
  begin
    for int2:=0 to 255 do
    begin
      if buff[int]=table1[int2] then buff[int]:=int2;
    end;
  end;
end;

end.
代码是我按照程序中的算法描述的没有优化只是对数据处理的结果是一致的! 最近由于个人方面出了点问题,没有多余的时间去想这个事情!所以问题还没有能够完美的解决,这个加密解密的类是我没有时间整理和完成的算法描述!先贴出来各位帮忙想想办法! |
|
问一个算法的问题,我没有见过这种对称算法!
由于服务器端的程序我看不到,所以不知道是怎么回事,只能靠猜!等我把算法都搞清楚,我再贴出它的算法流程和我猜出的服务器端程序! |
|
问一个算法的问题,我没有见过这种对称算法!
00406227 > /8345 08 08 ADD DWORD PTR SS:[EBP+8],8 0040622B . |C745 9C 04000>MOV DWORD PTR SS:[EBP-64],4 00406232 . |8D75 D0 LEA ESI,DWORD PTR SS:[EBP-30] 00406235 > |8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 00406238 . |8B12 MOV EDX,DWORD PTR DS:[EDX] 0040623A . |8B06 MOV EAX,DWORD PTR DS:[ESI] 0040623C . |8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0040623F . |8B0C81 MOV ECX,DWORD PTR DS:[ECX+EAX*4] 00406242 . |8B46 04 MOV EAX,DWORD PTR DS:[ESI+4] 00406245 . |8D7D A0 LEA EDI,DWORD PTR SS:[EBP-60] 00406248 . |8B0487 MOV EAX,DWORD PTR DS:[EDI+EAX*4] 0040624B . |8B5E 08 MOV EBX,DWORD PTR DS:[ESI+8] 0040624E . |8D7D A0 LEA EDI,DWORD PTR SS:[EBP-60] 00406251 . |8B1C9F MOV EBX,DWORD PTR DS:[EDI+EBX*4] 00406254 . |03D3 ADD EDX,EBX 00406256 . |03DA ADD EBX,EDX 00406258 . |8BFA MOV EDI,EDX 0040625A . |C1EF 07 SHR EDI,7 0040625D . |33D7 XOR EDX,EDI 0040625F . |03CA ADD ECX,EDX 00406261 . |03D1 ADD EDX,ECX 00406263 . |8BF9 MOV EDI,ECX 00406265 . |C1E7 0D SHL EDI,0D 00406268 . |33CF XOR ECX,EDI 0040626A . |03C1 ADD EAX,ECX 0040626C . |03C8 ADD ECX,EAX 0040626E . |8BF8 MOV EDI,EAX 00406270 . |C1EF 11 SHR EDI,11 00406273 . |33C7 XOR EAX,EDI 00406275 . |03D8 ADD EBX,EAX 00406277 . |03C3 ADD EAX,EBX 00406279 . |8BFB MOV EDI,EBX 0040627B . |C1E7 09 SHL EDI,9 0040627E . |33DF XOR EBX,EDI 00406280 . |03D3 ADD EDX,EBX 00406282 . |03DA ADD EBX,EDX 00406284 . |8BFA MOV EDI,EDX 00406286 . |C1EF 03 SHR EDI,3 00406289 . |33D7 XOR EDX,EDI 0040628B . |03CA ADD ECX,EDX 0040628D . |8BD1 MOV EDX,ECX 0040628F . |C1E2 07 SHL EDX,7 00406292 . |33CA XOR ECX,EDX 00406294 . |03C1 ADD EAX,ECX 00406296 . |8BD3 MOV EDX,EBX 00406298 . |C1EA 0F SHR EDX,0F 0040629B . |33C2 XOR EAX,EDX 0040629D . |03D8 ADD EBX,EAX 0040629F . |8BC3 MOV EAX,EBX 004062A1 . |C1E0 0B SHL EAX,0B 004062A4 . |33D8 XOR EBX,EAX 004062A6 . |8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 004062A9 . |8B41 04 MOV EAX,DWORD PTR DS:[ECX+4] 004062AC . |33C3 XOR EAX,EBX 004062AE . |8B11 MOV EDX,DWORD PTR DS:[ECX] 004062B0 . 
|8951 04 MOV DWORD PTR DS:[ECX+4],EDX 004062B3 . |8901 MOV DWORD PTR DS:[ECX],EAX 004062B5 . |83C6 0C ADD ESI,0C 004062B8 . |FF4D 9C DEC DWORD PTR SS:[EBP-64] 004062BB . |837D 9C 00 CMP DWORD PTR SS:[EBP-64],0 004062BF .^|0F85 70FFFFFF JNZ unpacked.00406235 004062C5 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 004062C8 . 8B06 MOV EAX,DWORD PTR DS:[ESI] 004062CA . 8746 04 XCHG DWORD PTR DS:[ESI+4],EAX 004062CD . 8906 MOV DWORD PTR DS:[ESI],EAX 004062CF . FF4D 0C DEC DWORD PTR SS:[EBP+C] 004062D2 > 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0 004062D6 .^ 0F87 4BFFFFFF JA unpacked.00406227 前面的问题都已经解决,并且用程序模拟出来了,已经核对没有错误! 我现在在想上面代码的求逆!这个算法组合还真的挺麻烦的! |