请问这是什么算法?小菜我孤陋寡闻,没见过,还请指教.如果是已知的算法,有没有可用的工具?先
谢过了.
从下面看像MD5,但不是.而且这个算法好像是可逆的,由一个任意长度的串(好像有长度限
制,没仔细看那一部分),变换成一个定长的16个字符的字符串,如BOWPCCUYYMRPDIYV.
// State-initialisation routine (excerpt; its return is not shown in the listing).
// The single stack argument is a pointer to a state structure, loaded into eax.
// It clears the dwords at +10h and +14h and stores four 32-bit chaining values at +0..+0Ch.
// The values at +4 and +8 are MD5's standard B and C from RFC 1321. The values at +0 and +0Ch
// differ from the standard 67452301 / 10325476 (one byte has its nibbles swapped in each),
// so output will not match a stock MD5 tool even if the rest of the transform is unmodified.
004160C0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] // eax = arg1, pointer to the state structure
004160C4 |. 33C9 xor ecx,ecx // ecx = 0
004160C6 |. 8948 14 mov dword ptr ds:[eax+14],ecx // state+14h = 0 (presumably high half of the length counter - confirm)
004160C9 |. 8948 10 mov dword ptr ds:[eax+10],ecx // state+10h = 0 (presumably low half of the length counter - confirm)
004160CC |. C700 01234576 mov dword ptr ds:[eax],76452301 // A; standard MD5 uses 67452301
004160D2 |. C740 04 89ABCDEF mov dword ptr ds:[eax+4],EFCDAB89 // B; same as standard MD5
004160D9 |. C740 08 FEDCBA98 mov dword ptr ds:[eax+8],98BADCFE // C; same as standard MD5
004160E0 |. C740 0C 67543210 mov dword ptr ds:[eax+C],10325467 // D; standard MD5 uses 10325476
算法首先把每一个字符xor 51,程序如下:
// Pre-processing loop: XORs every byte of the buffer at eax with 51h, in place.
// edx is the running index and [esp+40] the byte count (reloaded into edi on every pass).
// XOR with a fixed byte is its own inverse, so this stage is simple obfuscation of the input,
// not a cryptographic step. The compare sits at the bottom, so the body runs at least once
// unless code before 00411E5E (not shown) guards against a zero length.
00411E5E |> /8A08 |/mov cl,byte ptr ds:[eax] // cl = current input byte
00411E60 |. |80F1 51 ||xor cl,51 // cl ^= 51h
00411E63 |. |8808 ||mov byte ptr ds:[eax],cl // write the masked byte back in place
00411E65 |. |8B7C24 40 ||mov edi,dword ptr ss:[esp+40] // edi = length limit
00411E69 |. |40 ||inc eax // advance the byte pointer
00411E6A |. |42 ||inc edx // advance the index
00411E6B |. |3BD7 ||cmp edx,edi
00411E6D |.^\7C EF |\jl short Pool_'m_.00411E5E // signed compare: loop while edx < length
经过一些运算后,把算得的数每32位一组反转.如eax=21302235,变为eax=35223021.程序如
下:
// Byte-to-dword packing loop (excerpt: the loop head at 0041628D..00416290 is not shown;
// presumably it clears ecx and edx - confirm in the debugger).
// On entry esi points 2 bytes into the current 4-byte group. Each pass builds
//   word = b0 | b1<<8 | b2<<16 | b3<<24
// from four consecutive input bytes and stores it at the destination in edi.
// That is an ordinary little-endian load, the same packing as the Decode step of the
// RFC 1321 reference code. The apparent "reversal" is the little-endian view of the bytes.
// The loop ends once esi+ebp reaches 40h, i.e. after 64 input bytes (16 dwords).
00416291 |. 8A6E 01 mov ch,byte ptr ds:[esi+1] // ch = b3
00416294 |. 8A56 FF mov dl,byte ptr ds:[esi-1] // dl = b1
00416297 |. 8A0E mov cl,byte ptr ds:[esi] // cl = b2, so cx = b3:b2
00416299 |. 83C6 04 add esi,4 // step the source to the next group
0041629C |. C1E1 08 shl ecx,8
0041629F |. 0BCA or ecx,edx // ecx = b3:b2:b1 (assumes the upper bits of edx are zero)
004162A1 |. 33D2 xor edx,edx
004162A3 |. 8A56 FA mov dl,byte ptr ds:[esi-6] // dl = b0 (esi was already advanced by 4)
004162A6 |. 83C7 04 add edi,4 // step the destination
004162A9 |. C1E1 08 shl ecx,8
004162AC |. 0BCA or ecx,edx // ecx = b3:b2:b1:b0
004162AE |. 894F FC mov dword ptr ds:[edi-4],ecx // store the packed dword
004162B1 |. 8D0C2E lea ecx,dword ptr ds:[esi+ebp] // ecx = progress value (ebp presumably holds a negative base - confirm)
004162B4 |. 83F9 40 cmp ecx,40
004162B7 |.^ 72 D4 jb short Pool_'m_.0041628D // unsigned compare: loop until 64 bytes are consumed
然后就是运算繁长的程序,如下:(从004162B9一直到00416B77)
// Compression routine body. The first six steps and the last two are shown; the author elided the rest.
// The additive constants (D76AA478, E8C7B756, 242070DB, C1BDCEEE, F57C0FAF, 4787C62A ... 2AD7D2BB,
// EB86D391) and the rotate counts (7/12/17/22 at the start, 15/21 at the end) are those of the MD5
// transform in RFC 1321. The boolean functions shown are MD5's F (start) and I (end).
// Message words are read from [esp+10], [esp+14], ... The epilogue frees 40h bytes, which is
// consistent with a 16-dword local block. [esp+54] is then the first stack argument (state pointer),
// assuming the unseen prologue is "sub esp,40" followed by four pushes.
// NOTE(review): with the transform itself matching MD5, the only visible deviations are the two
// modified initial values and the XOR-51h pre-step. The elided middle was not checked.
004162B9 |. 8B70 04 mov esi,dword ptr ds:[eax+4] // esi = B = EFCDAB89
004162BC |. 8B78 08 mov edi,dword ptr ds:[eax+8] // edi = C = 98BADCFE
004162BF |. 8B50 0C mov edx,dword ptr ds:[eax+C] // edx = D = 10325467
004162C2 |. 8B6C24 10 mov ebp,dword ptr ss:[esp+10] // ebp = message word 0 after the byte packing, e.g. 35223021
004162C6 |. 8BCE mov ecx,esi
004162C8 |. 8B00 mov eax,dword ptr ds:[eax] // eax = A = 76452301
004162CA |. F7D1 not ecx
004162CC |. 8BDF mov ebx,edi
004162CE |. 23CA and ecx,edx // ecx = ~B & D
004162D0 |. 23DE and ebx,esi // ebx = C & B
004162D2 |. 0BCB or ecx,ebx // ecx = F(B,C,D) = (B & C) | (~B & D)
004162D4 |. 8BDE mov ebx,esi
004162D6 |. 03CD add ecx,ebp // + message word 0
004162D8 |. 8B6C24 14 mov ebp,dword ptr ss:[esp+14] // preload message word 1
004162DC |. 8D8C08 78A46AD7 lea ecx,dword ptr ds:[eax+ecx+D76AA478] // + A + constant for step 1
004162E3 |. 8BC1 mov eax,ecx
004162E5 |. C1E8 19 shr eax,19
004162E8 |. C1E1 07 shl ecx,7
004162EB |. 0BC1 or eax,ecx // rotate left by 7
004162ED |. 03C6 add eax,esi // step 1 result (new A) = B + rol(...,7)
004162EF |. 8BC8 mov ecx,eax
004162F1 |. 23D8 and ebx,eax
004162F3 |. F7D1 not ecx
004162F5 |. 23CF and ecx,edi
004162F7 |. 0BCB or ecx,ebx // F(A,B,C) using the new A
004162F9 |. 03CD add ecx,ebp // + message word 1
004162FB |. 8B6C24 18 mov ebp,dword ptr ss:[esp+18] // preload message word 2
004162FF |. 8D940A 56B7C7E8 lea edx,dword ptr ds:[edx+ecx+E8C7B756] // + D + constant for step 2
00416306 |. 8BCA mov ecx,edx
00416308 |. C1E9 14 shr ecx,14
0041630B |. C1E2 0C shl edx,0C
0041630E |. 0BCA or ecx,edx // rotate left by 12
00416310 |. 03C8 add ecx,eax // step 2 result (new D) in ecx
00416312 |. 8BD1 mov edx,ecx
00416314 |. 8BD9 mov ebx,ecx
00416316 |. F7D2 not edx
00416318 |. 23D6 and edx,esi
0041631A |. 23D8 and ebx,eax
0041631C |. 0BD3 or edx,ebx // F(D,A,B)
0041631E |. 8BD9 mov ebx,ecx
00416320 |. 03D5 add edx,ebp // + message word 2
00416322 |. 8B6C24 1C mov ebp,dword ptr ss:[esp+1C] // preload message word 3
00416326 |. 8DBC17 DB702024 lea edi,dword ptr ds:[edi+edx+242070DB] // + C + constant for step 3
0041632D |. 8BD7 mov edx,edi
0041632F |. C1EA 0F shr edx,0F
00416332 |. C1E7 11 shl edi,11
00416335 |. 0BD7 or edx,edi // rotate left by 17
00416337 |. 03D1 add edx,ecx // step 3 result (new C) in edx
00416339 |. 8BFA mov edi,edx
0041633B |. 23DA and ebx,edx
0041633D |. F7D7 not edi
0041633F |. 23F8 and edi,eax
00416341 |. 0BFB or edi,ebx // F(C,D,A)
00416343 |. 8BDA mov ebx,edx
00416345 |. 03FD add edi,ebp // + message word 3
00416347 |. 8B6C24 20 mov ebp,dword ptr ss:[esp+20] // preload message word 4
0041634B |. 8DBC3E EECEBDC1 lea edi,dword ptr ds:[esi+edi+C1BDCEEE] // + B + constant for step 4
00416352 |. 8BF7 mov esi,edi
00416354 |. C1E6 16 shl esi,16
00416357 |. C1EF 0A shr edi,0A
0041635A |. 0BF7 or esi,edi // rotate left by 22
0041635C |. 03F2 add esi,edx // step 4 result (new B) in esi
0041635E |. 8BFE mov edi,esi
00416360 |. 23DE and ebx,esi
00416362 |. F7D7 not edi
00416364 |. 23F9 and edi,ecx
00416366 |. 0BFB or edi,ebx // F(B,C,D) on the updated values
00416368 |. 8BDE mov ebx,esi
0041636A |. 03FD add edi,ebp // + message word 4
0041636C |. 8B6C24 24 mov ebp,dword ptr ss:[esp+24] // preload message word 5
00416370 |. 8DBC38 AF0F7CF5 lea edi,dword ptr ds:[eax+edi+F57C0FAF] // + A + constant for step 5
00416377 |. 8BC7 mov eax,edi
00416379 |. C1E8 19 shr eax,19
0041637C |. C1E7 07 shl edi,7
0041637F |. 0BC7 or eax,edi // rotate left by 7
00416381 |. 03C6 add eax,esi // step 5 result in eax
00416383 |. 8BF8 mov edi,eax
00416385 |. 23D8 and ebx,eax
00416387 |. F7D7 not edi
00416389 |. 23FA and edi,edx
0041638B |. 0BFB or edi,ebx // F on the updated values
0041638D |. 03FD add edi,ebp // + message word 5
0041638F |. 8B6C24 28 mov ebp,dword ptr ss:[esp+28] // preload message word 6
00416393 |. 8DBC39 2AC68747 lea edi,dword ptr ds:[ecx+edi+4787C62A] // + D + constant for step 6
.............
.............
.............
00416B1E |. 8DB43E BBD2D72A lea esi,dword ptr ds:[esi+edi+2AD7D2BB] // second-to-last step: add constant 2AD7D2BB
00416B25 |. 8BFE mov edi,esi
00416B27 |. C1EF 11 shr edi,11
00416B2A |. C1E6 0F shl esi,0F
00416B2D |. 0BFE or edi,esi // rotate left by 15
00416B2F |. 8BF0 mov esi,eax
00416B31 |. 03FA add edi,edx // result of the second-to-last step in edi
00416B33 |. F7D6 not esi
00416B35 |. 0BF7 or esi,edi
00416B37 |. 33F2 xor esi,edx // I(x,y,z) = y ^ (x | ~z) with x=edi, y=edx, z=eax
00416B39 |. 03F3 add esi,ebx // + ebx (presumably the message word for this step - confirm)
00416B3B |. 8D8C31 91D386EB lea ecx,dword ptr ds:[ecx+esi+EB86D391] // last step: add constant EB86D391
00416B42 |. 8B7424 54 mov esi,dword ptr ss:[esp+54] // esi = state pointer
00416B46 |. 8B1E mov ebx,dword ptr ds:[esi]
00416B48 |. 03C3 add eax,ebx
00416B4A |. 8906 mov dword ptr ds:[esi],eax // state[0] += working value in eax
00416B4C |. 8BC1 mov eax,ecx
00416B4E |. 8B5E 04 mov ebx,dword ptr ds:[esi+4]
00416B51 |. C1E0 15 shl eax,15
00416B54 |. C1E9 0B shr ecx,0B
00416B57 |. 0BC1 or eax,ecx // rotate left by 21
00416B59 |. 03C3 add eax,ebx
00416B5B |. 03C7 add eax,edi
00416B5D |. 8946 04 mov dword ptr ds:[esi+4],eax // state[1] += edi + rol(...,21)
00416B60 |. 8B46 08 mov eax,dword ptr ds:[esi+8]
00416B63 |. 03C7 add eax,edi
00416B65 |. 5F pop edi // restore saved edi (interleaved with the state update)
00416B66 |. 8946 08 mov dword ptr ds:[esi+8],eax // state[2] += working value that was in edi
00416B69 |. 8B46 0C mov eax,dword ptr ds:[esi+C]
00416B6C |. 03C2 add eax,edx
00416B6E |. 8946 0C mov dword ptr ds:[esi+C],eax // state[3] += working value in edx
00416B71 |. 5E pop esi
00416B72 |. 5D pop ebp
00416B73 |. 5B pop ebx
00416B74 |. 83C4 40 add esp,40 // release the 40h-byte local block
00416B77 \. C3 retn
之后再经下面运算,得到中间值.
// Dword-to-byte unpacking loop: writes each source dword at ecx to the destination as four
// bytes, lowest byte first (little-endian). eax points one byte past the start of the current
// output group. The loop stops once esi+eax reaches 10h, i.e. after 16 output bytes.
// This matches the Encode step of the RFC 1321 reference code; the 16 bytes are presumably
// the final digest - confirm.
00416232 |> /8A11 mov dl,byte ptr ds:[ecx] // dl = bits 0..7 of the word
00416234 |. |83C1 04 add ecx,4 // step the source to the next dword
00416237 |. |8850 FF mov byte ptr ds:[eax-1],dl // out[0] = byte 0
0041623A |. |8B51 FC mov edx,dword ptr ds:[ecx-4] // reload the same word
0041623D |. |C1EA 08 shr edx,8
00416240 |. |8810 mov byte ptr ds:[eax],dl // out[1] = byte 1
00416242 |. |8B51 FC mov edx,dword ptr ds:[ecx-4]
00416245 |. |C1EA 10 shr edx,10
00416248 |. |8850 01 mov byte ptr ds:[eax+1],dl // out[2] = byte 2
0041624B |. |8B51 FC mov edx,dword ptr ds:[ecx-4]
0041624E |. |C1EA 18 shr edx,18
00416251 |. |8850 02 mov byte ptr ds:[eax+2],dl // out[3] = byte 3
00416254 |. |83C0 04 add eax,4 // step the destination
00416257 |. |8D1406 lea edx,dword ptr ds:[esi+eax] // edx = progress value (esi presumably holds a negative base - confirm)
0041625A |. |83FA 10 cmp edx,10
0041625D |.^\72 D3 jb short Pool_'m_.00416232 // unsigned compare: loop until 16 bytes are written
最后把那些中间值放入al中,经下面运算就得到最终的结果.
// Final text encoding: each intermediate byte is reduced modulo 26 (1Ah) and offset by 41h ('A'),
// giving one upper-case letter per byte. ecx is the output pointer and edi+ecx addresses the
// matching source byte; the remaining count lives at [esp+14].
// The mapping is many-to-one (256 byte values onto 26 letters), so the letter string cannot be
// mapped back to the intermediate bytes uniquely. This step discards information.
00411EBB |> /33C0 |/xor eax,eax // clear eax so the byte load below is zero-extended
00411EBD |. |BD 1A000000 ||mov ebp,1A // divisor = 26
00411EC2 |. |8A040F ||mov al,byte ptr ds:{edi+ecx] // load the intermediate byte into al ('{' is a transcription typo for '['; bytes 8A040F encode [edi+ecx])
00411EC5 |. |99 ||cdq // sign-extend eax into edx (eax is 0..255 here, so edx = 0)
00411EC6 |. |F7FD ||idiv ebp // edx = byte mod 26
00411EC8 |. |8B4424 14 ||mov eax,dword ptr ss:[esp+14] // eax = remaining count
00411ECC |. |80C2 41 ||add dl,41 // map 0..25 to 'A'..'Z'
00411ECF |. |8811 ||mov byte ptr ds:[ecx],dl // store the output letter
00411ED1 |. |41 ||inc ecx // advance the output pointer
00411ED2 |. |48 ||dec eax
00411ED3 |. |894424 14 ||mov dword ptr ss:[esp+14],eax // write the decremented count back
00411ED7 |.^\75 E2 |\jnz short Pool_'m_.00411EBB // loop until the count reaches zero