本人初学调试,虽然早就注册了账户,但是无奈小弟水平太差没能够贡献一篇有价值的帖子,一直在潜水学习中,用了一周的时间来实践了一下现在学到的东西,找到加密算法后请各位前辈鉴定一下,我找的是不是加密算法?这样的加密算法常见么?有没有什么分类?具体情况请向下看:
过程是这样的,找了一个没名气的棋牌游戏做调试(想着没名气技术上应该不会很BT,像我这样的初学者应该比较合适)。
1.在send处下断,找到密文包,断下来看谁像send的buf写数据了。找到写数据所在的函数后发现是从一个密文buf到send的buf所以找到其调用函数下断(怀疑这个主调就是加密函数),通过跟踪发现对明文(以登陆包来调试的)做了2遍加密。第一遍似乎是.data段内的一段常量数据每隔3个字节取一个字节与明文做异或得到密文。通过几次的调试发现,说它是常量主要是因为多次调试没有发现这段数据发生变化(不同机器上没有测试,故认定是常量)。第二次加密具体不说大致是对用户名和密码明文做些操作再将第一次的密文与它再做运算。大概情况就是这样。请各位大哥帮忙鉴定,我以上所有得出的结论是否有问题?如果是加密算法,请问如何翻译成c语言?我用了code ripper为什么总是翻译成汇编?我明明设置了c/c++的选项啊。哪位前辈可以帮忙写出c语言加密算法以供参考?
; 004D37F0 - packet encoder that runs before send(). Everything below is reconstructed
; from this listing only; register/stack roles are inferred and the names are the
; reviewer's, not the binary's.
;   ecx      = len   (plaintext length; rejected unless 7 <= len < 0x400)
;   [ebp+8]  = ctx   (object whose fields are used here: +25C state, +26C event handle,
;                     +278 critical section, +2B8 list head, +2F4/+2F8 key state,
;                     +2FC table cursor)
;   [ebp+C]  = str1, [ebp+10] = str2  (NUL-terminated; presumably the username/password
;                     the author mentions - confirm against the caller)
;   [ebp+14] = src   (len bytes of plaintext)
;   retn 10 -> four stack args; eax = 0 on the argument-check failure path.
; Locals (esp-relative, inside the 0x14A4-byte frame): [esp+C] seed/key, [esp+10] padded
;   length, [esp+28] str2||str1 scratch, [esp+A8] work buffer, [esp+4A8] output packet.
; Pipeline: prepend a negated checksum byte -> XOR every byte with table[59B518 + cursor],
;   cursor += 3 per byte and kept in ctx+2FC -> derive a 32-bit key from GetTickCount()^2
;   xor the folded credential bytes -> XOR every dword with the key, the next key being
;   mixed from the ciphertext dword just written -> interleave the 4 key bytes into the
;   first 9 output bytes, append the rest, queue a 3-byte header node, signal the event.
; NOTE(review): the 32-bit key is copied into the packet itself (004D3A47..004D3AB1) and the
;   table XOR is a fixed keystream with a persistent cursor, so neither pass gives
;   confidentiality against a reader who knows the layout. Neither pass matches a
;   recognised cipher; "XOR obfuscation" is the accurate label for both.
004D37F0 /$ 55 push ebp ; prologue
004D37F1 |. 8BEC mov ebp, esp
004D37F3 |. 83E4 F8 and esp, FFFFFFF8 ; 8-byte align; locals are esp-relative, args ebp-relative
004D37F6 |. B8 A4140000 mov eax, 14A4 ; frame size
004D37FB |. E8 608EFBFF call 0048C660 ; presumably __chkstk (probes 0x14A4 bytes) - confirm
004D3800 |. A1 00975900 mov eax, dword ptr [599700] ; looks like a /GS stack cookie, checked at 004D3BB0 - confirm
004D3805 |. 53 push ebx
004D3806 |. 898424 A41400>mov dword ptr [esp+14A4], eax ; cookie slot at the top of the frame
004D380D |. 8B45 08 mov eax, dword ptr [ebp+8] ; eax = ctx
004D3810 |. 8BD9 mov ebx, ecx ; ebx = len (passed in ecx)
004D3812 |. 83B8 5C020000>cmp dword ptr [eax+25C], 3 ; ctx state must be 3
004D3819 |. 56 push esi
004D381A |. 57 push edi
004D381B |. 0F85 9D030000 jnz 004D3BBE ; -> fail path, returns 0
004D3821 |. 83FB 07 cmp ebx, 7
004D3824 |. 0F8C 94030000 jl 004D3BBE ; reject len < 7
004D382A |. 81FB 00040000 cmp ebx, 400
004D3830 |. 0F8D 88030000 jge 004D3BBE ; reject len >= 0x400 (work buffer is 0x400 bytes)
004D3836 |. 43 inc ebx ; ebx = len+1 (room for the checksum byte buf[0])
004D3837 |. 8BCB mov ecx, ebx
004D3839 |. 81E1 03000080 and ecx, 80000003 ; signed (len+1) % 4 idiom ...
004D383F |. 895C24 10 mov dword ptr [esp+10], ebx ; [esp+10] = padded length, first guess len+1
004D3843 |. 79 05 jns short 004D384A
004D3845 |. 49 dec ecx
004D3846 |. 83C9 FC or ecx, FFFFFFFC
004D3849 |. 41 inc ecx
004D384A |> 74 16 je short 004D3862 ; ... already a multiple of 4: keep len+1
004D384C |. 8BC3 mov eax, ebx
004D384E |. 99 cdq
004D384F |. 83E2 03 and edx, 3
004D3852 |. 03C2 add eax, edx
004D3854 |. C1F8 02 sar eax, 2 ; eax = (len+1)/4 (signed division idiom)
004D3857 |. 8D1485 040000>lea edx, dword ptr [eax*4+4]
004D385E |. 895424 10 mov dword ptr [esp+10], edx ; padded = next multiple of 4 above len+1
004D3862 |> 8B75 14 mov esi, dword ptr [ebp+14] ; esi = src
004D3865 |. 8D4B FF lea ecx, dword ptr [ebx-1] ; ecx = len
004D3868 |. 8BC1 mov eax, ecx
004D386A |. C1E9 02 shr ecx, 2
004D386D |. 8DBC24 A90000>lea edi, dword ptr [esp+A9] ; edi = buf+1 (buf = esp+A8)
004D3874 |. F3:A5 rep movs dword ptr es:[edi], dword p> ; copy len/4 dwords of src into buf[1..]
004D3876 |. 8BC8 mov ecx, eax
004D3878 |. 83E1 03 and ecx, 3
004D387B |. F3:A4 rep movs byte ptr es:[edi], byte ptr> ; ... then the remaining len%4 bytes
004D387D |. 8B4C24 10 mov ecx, dword ptr [esp+10]
004D3881 |. 2BCB sub ecx, ebx ; ecx = padded - (len+1) = number of pad bytes
004D3883 |. 8BD1 mov edx, ecx
004D3885 |. C1E9 02 shr ecx, 2
004D3888 |. 33C0 xor eax, eax
004D388A |. 8DBC1C A80000>lea edi, dword ptr [esp+ebx+A8] ; edi = buf + len+1
004D3891 |. F3:AB rep stos dword ptr es:[edi] ; zero the padding ...
004D3893 |. 8BCA mov ecx, edx
004D3895 |. 83E1 03 and ecx, 3
004D3898 |. F3:AA rep stos byte ptr es:[edi] ; ... byte tail
004D389A |. B9 01000000 mov ecx, 1
004D389F |. 32C0 xor al, al
004D38A1 |. 3BD9 cmp ebx, ecx
004D38A3 |. 7E 0C jle short 004D38B1
004D38A5 |> 02840C A80000>/add al, byte ptr [esp+ecx+A8] ; al = sum of buf[1..len] mod 256
004D38AC |. 41 |inc ecx
004D38AD |. 3BCB |cmp ecx, ebx
004D38AF |.^ 7C F4 \jl short 004D38A5
004D38B1 |> F6D0 not al
004D38B3 |. FEC0 inc al ; al = -sum (two's complement)
004D38B5 |. 33C9 xor ecx, ecx
004D38B7 |. 85DB test ebx, ebx
004D38B9 |. 888424 A80000>mov byte ptr [esp+A8], al ; buf[0] = -sum, so buf[0..len] sums to 0 mod 256
004D38C0 |. 7E 29 jle short 004D38EB
004D38C2 |> 8B45 08 /mov eax, dword ptr [ebp+8] ;; author's note: suspected start of the first encryption pass
004D38C5 |. 8A80 FC020000 |mov al, byte ptr [eax+2FC] ; al = table cursor kept in ctx
004D38CB |. 0FB6D0 |movzx edx, al
004D38CE |. 8A92 18B55900 |mov dl, byte ptr [edx+59B518] ; dl = table[cursor]; 256-byte table in .data
004D38D4 |. 30940C A80000>|xor byte ptr [esp+ecx+A8], dl ; buf[i] ^= table[cursor]
004D38DB |. 8B55 08 |mov edx, dword ptr [ebp+8]
004D38DE |. 04 03 |add al, 3 ; cursor += 3 (wraps at 256 because it is a byte)
004D38E0 |. 41 |inc ecx
004D38E1 |. 3BCB |cmp ecx, ebx ; covers i = 0..len, checksum byte included
004D38E3 |. 8882 FC020000 |mov byte ptr [edx+2FC], al ; cursor persists in ctx across calls
004D38E9 |.^ 7C D7 \jl short 004D38C2 ;; author's note: end of the first pass
004D38EB |> 8B3D D8C35300 mov edi, dword ptr [<&KERNEL32.GetTi>; kernel32.GetTickCount
004D38F1 |. FFD7 call edi ; [GetTickCount
004D38F3 |. 8BF0 mov esi, eax
004D38F5 |. FFD7 call edi ; [GetTickCount
004D38F7 |. 0FAFF0 imul esi, eax ; seed = GetTickCount() * GetTickCount() (low entropy)
004D38FA |. 8B45 0C mov eax, dword ptr [ebp+C] ; eax = str1
004D38FD |. 897424 0C mov dword ptr [esp+C], esi ; [esp+C] = seed
004D3901 |. 8D50 01 lea edx, dword ptr [eax+1]
004D3904 |> 8A08 /mov cl, byte ptr [eax] ; inline strlen(str1) ...
004D3906 |. 40 |inc eax
004D3907 |. 84C9 |test cl, cl
004D3909 |.^ 75 F9 \jnz short 004D3904
004D390B |. 8B7D 10 mov edi, dword ptr [ebp+10] ; edi = str2
004D390E |. 8BCF mov ecx, edi
004D3910 |. 2BC2 sub eax, edx ; ... eax = strlen(str1)
004D3912 |. 8D71 01 lea esi, dword ptr [ecx+1]
004D3915 |> 8A11 /mov dl, byte ptr [ecx] ; inline strlen(str2) ...
004D3917 |. 41 |inc ecx
004D3918 |. 84D2 |test dl, dl
004D391A |.^ 75 F9 \jnz short 004D3915
004D391C |. 2BCE sub ecx, esi ; ... ecx = strlen(str2)
004D391E |. 03C1 add eax, ecx ; eax = total = strlen(str1)+strlen(str2)
004D3920 |. 8BC8 mov ecx, eax
004D3922 |. 81E1 03000080 and ecx, 80000003 ; same round-up-to-4 idiom as at 004D3839
004D3928 |. 79 05 jns short 004D392F
004D392A |. 49 dec ecx
004D392B |. 83C9 FC or ecx, FFFFFFFC
004D392E |. 41 inc ecx
004D392F |> 74 10 je short 004D3941
004D3931 |. 99 cdq
004D3932 |. 83E2 03 and edx, 3
004D3935 |. 03C2 add eax, edx
004D3937 |. C1F8 02 sar eax, 2
004D393A |. 8D0485 040000>lea eax, dword ptr [eax*4+4] ; eax = total rounded up to a multiple of 4
004D3941 |> 8D7424 28 lea esi, dword ptr [esp+28] ; scratch = esp+28 (no length check on str1/str2 here; buf starts 0x80 bytes later)
004D3945 |. 8BCF mov ecx, edi
004D3947 |. 2BF7 sub esi, edi ; esi = scratch - str2, so [esi+ecx] walks scratch while ecx walks str2
004D3949 |. 8DA424 000000>lea esp, dword ptr [esp] ; alignment nop
004D3950 |> 8A11 /mov dl, byte ptr [ecx] ; copy str2 including its NUL into scratch
004D3952 |. 88140E |mov byte ptr [esi+ecx], dl
004D3955 |. 41 |inc ecx
004D3956 |. 84D2 |test dl, dl
004D3958 |.^ 75 F6 \jnz short 004D3950
004D395A |. 8B4D 0C mov ecx, dword ptr [ebp+C]
004D395D |. 8BF1 mov esi, ecx ; esi = str1
004D395F |. 90 nop
004D3960 |> 8A11 /mov dl, byte ptr [ecx] ; strlen(str1) again ...
004D3962 |. 41 |inc ecx
004D3963 |. 84D2 |test dl, dl
004D3965 |.^ 75 F9 \jnz short 004D3960
004D3967 |. 2BCE sub ecx, esi ; ... ecx = strlen(str1)
004D3969 |. 8D7C24 28 lea edi, dword ptr [esp+28]
004D396D |. 8BD1 mov edx, ecx ; edx = strlen(str1)
004D396F |. 4F dec edi
004D3970 |> 8A4F 01 /mov cl, byte ptr [edi+1] ; advance edi to the NUL that ends str2 in scratch
004D3973 |. 47 |inc edi
004D3974 |. 84C9 |test cl, cl
004D3976 |.^ 75 F8 \jnz short 004D3970
004D3978 |. 8BCA mov ecx, edx
004D397A |. C1E9 02 shr ecx, 2
004D397D |. F3:A5 rep movs dword ptr es:[edi], dword p> ; append str1 over that NUL (no terminator written): scratch = str2||str1
004D397F |. 8BCA mov ecx, edx
004D3981 |. 99 cdq
004D3982 |. 83E2 03 and edx, 3
004D3985 |. 03C2 add eax, edx
004D3987 |. 83E1 03 and ecx, 3
004D398A |. C1F8 02 sar eax, 2 ; eax = rounded total / 4 = dword count to fold
004D398D |. 85C0 test eax, eax
004D398F |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
004D3991 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
004D3995 |. 7E 12 jle short 004D39A9
004D3997 |> 8B11 /mov edx, dword ptr [ecx] ; fold: [esp+C] ^= each dword of scratch
004D3999 |. 8B7C24 0C |mov edi, dword ptr [esp+C] ; NOTE(review): only total bytes were written, the rounded count appears to read up to 3 unwritten stack bytes
004D399D |. 33FA |xor edi, edx
004D399F |. 83C1 04 |add ecx, 4
004D39A2 |. 48 |dec eax
004D39A3 |. 897C24 0C |mov dword ptr [esp+C], edi
004D39A7 |.^ 75 EE \jnz short 004D3997
004D39A9 |> 8B4424 0C mov eax, dword ptr [esp+C] ; eax = seed ^ folded credentials
004D39AD |. 8B55 08 mov edx, dword ptr [ebp+8]
004D39B0 |. 8BC8 mov ecx, eax
004D39B2 |. C1E9 10 shr ecx, 10 ; ecx = high 16 bits
004D39B5 |. 0FB7C0 movzx eax, ax ; eax = low 16 bits
004D39B8 |. 69C9 2D240400 imul ecx, ecx, 4242D ; mix(x) = ((x*4242D + 2D08EF) >> 16) on each half ...
004D39BE |. 69C0 2D240400 imul eax, eax, 4242D
004D39C4 |. 81C1 EF082D00 add ecx, 2D08EF
004D39CA |. 05 EF082D00 add eax, 2D08EF
004D39CF |. C1E9 10 shr ecx, 10
004D39D2 |. C1E8 10 shr eax, 10
004D39D5 |. C1E1 10 shl ecx, 10
004D39D8 |. 0BC8 or ecx, eax ; ... recombined (hi<<16 | lo) ...
004D39DA |. 8B4424 10 mov eax, dword ptr [esp+10] ; eax = padded length
004D39DE |. 81F1 7DD77DD7 xor ecx, D77DD77D ; ... ^ D77DD77D = key0
004D39E4 |. 898A F8020000 mov dword ptr [edx+2F8], ecx ; ctx+2F8 = key0
004D39EA |. 99 cdq
004D39EB |. 83E2 03 and edx, 3
004D39EE |. 03C2 add eax, edx
004D39F0 |. C1F8 02 sar eax, 2 ; eax = padded/4 = dword count of buf
004D39F3 |. 85C0 test eax, eax
004D39F5 |. 8DB424 A80000>lea esi, dword ptr [esp+A8] ; esi = buf (read cursor, 2 words per step)
004D39FC |. 894C24 0C mov dword ptr [esp+C], ecx ; [esp+C] = key0 (copied into the packet below)
004D3A00 |. 8BFE mov edi, esi ; edi = buf (write cursor, 1 dword per step)
004D3A02 |. 7E 40 jle short 004D3A44
004D3A04 |. 8BD0 mov edx, eax ; edx = remaining dwords
004D3A06 |> 310F /xor dword ptr [edi], ecx ;; author's note: suspected start of the second pass. buf[i] ^= key
004D3A08 |. 0FB70E |movzx ecx, word ptr [esi] ; esi == edi here, so these two words are the ciphertext dword just written
004D3A0B |. 0FB746 02 |movzx eax, word ptr [esi+2]
004D3A0F |. 69C9 2D240400 |imul ecx, ecx, 4242D ; same mix() as at 004D39B8: key = mix(ciphertext_i)
004D3A15 |. 83C6 02 |add esi, 2
004D3A18 |. 69C0 2D240400 |imul eax, eax, 4242D
004D3A1E |. 05 EF082D00 |add eax, 2D08EF
004D3A23 |. C1E8 10 |shr eax, 10
004D3A26 |. 81C1 EF082D00 |add ecx, 2D08EF
004D3A2C |. C1E0 10 |shl eax, 10
004D3A2F |. C1E9 10 |shr ecx, 10
004D3A32 |. 0BC1 |or eax, ecx
004D3A34 |. 35 7DD77DD7 |xor eax, D77DD77D
004D3A39 |. 83C7 04 |add edi, 4
004D3A3C |. 83C6 02 |add esi, 2
004D3A3F |. 4A |dec edx
004D3A40 |. 8BC8 |mov ecx, eax ; next key (ciphertext feedback)
004D3A42 |.^ 75 C2 \jnz short 004D3A06
004D3A44 |> 8B55 08 mov edx, dword ptr [ebp+8]
004D3A47 |. 8A8424 A80000>mov al, byte ptr [esp+A8] ; build out = esp+4A8: the 4 bytes of key0 are interleaved with buf[0..4]
004D3A4E |. 898A F4020000 mov dword ptr [edx+2F4], ecx ; ctx+2F4 = final key after the loop
004D3A54 |. 8A8C24 A90000>mov cl, byte ptr [esp+A9]
004D3A5B |. 888C24 AA0400>mov byte ptr [esp+4AA], cl ; out[2] = buf[1]
004D3A62 |. 8A8C24 AB0000>mov cl, byte ptr [esp+AB]
004D3A69 |. 888424 A80400>mov byte ptr [esp+4A8], al ; out[0] = buf[0] (checksum byte)
004D3A70 |. 8B4424 0C mov eax, dword ptr [esp+C] ; eax = key0
004D3A74 |. 888C24 AD0400>mov byte ptr [esp+4AD], cl ; out[5] = buf[3]
004D3A7B |. 8A8C24 AC0000>mov cl, byte ptr [esp+AC]
004D3A82 |. 888424 A90400>mov byte ptr [esp+4A9], al ; out[1] = key0 byte 0
004D3A89 |. 8A8424 AA0000>mov al, byte ptr [esp+AA]
004D3A90 |. 888C24 AF0400>mov byte ptr [esp+4AF], cl ; out[7] = buf[4]
004D3A97 |. 88A424 AB0400>mov byte ptr [esp+4AB], ah ; out[3] = key0 byte 1
004D3A9E |. 888424 AC0400>mov byte ptr [esp+4AC], al ; out[4] = buf[2]
004D3AA5 |. 66:8B4424 0E mov ax, word ptr [esp+E] ; ax = key0 bytes 2,3
004D3AAA |. 888424 AE0400>mov byte ptr [esp+4AE], al ; out[6] = key0 byte 2
004D3AB1 |. 88A424 B00400>mov byte ptr [esp+4B0], ah ; out[8] = key0 byte 3
004D3AB8 |. 8D4B FB lea ecx, dword ptr [ebx-5] ; ecx = len-4 = bytes of buf[5..len] still to copy
004D3ABB |. 8BC1 mov eax, ecx
004D3ABD |. C1E9 02 shr ecx, 2
004D3AC0 |. 8DB424 AD0000>lea esi, dword ptr [esp+AD] ; esi = buf+5
004D3AC7 |. 8DBC24 B10400>lea edi, dword ptr [esp+4B1] ; edi = out+9
004D3ACE |. F3:A5 rep movs dword ptr es:[edi], dword p>
004D3AD0 |. 8BC8 mov ecx, eax
004D3AD2 |. B8 03000000 mov eax, 3 ; eax = 3, reused as the allocation size below
004D3AD7 |. 23C8 and ecx, eax
004D3AD9 |. 83C3 04 add ebx, 4 ; ebx = len+5 = output length
004D3ADC |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
004D3ADE |. 8B8A 5C020000 mov ecx, dword ptr [edx+25C] ; ctx state again
004D3AE4 |. 895C24 10 mov dword ptr [esp+10], ebx ; [esp+10] = output length
004D3AE8 |. 32DB xor bl, bl
004D3AEA |. 3BC8 cmp ecx, eax
004D3AEC |. C64424 0C 26 mov byte ptr [esp+C], 26 ; word [esp+C] = 0126 (header value; meaning not visible here)
004D3AF1 |. C64424 0D 01 mov byte ptr [esp+D], 1
004D3AF6 |. 0F85 99000000 jnz 004D3B95 ; state != 3: skip the queue/event step
004D3AFC |. 50 push eax ; arg = 3
004D3AFD |. 66:894424 24 mov word ptr [esp+24], ax ; local word = 3 (its consumer is not recoverable from this listing)
004D3B02 |. E8 42700400 call 0051AB49 ; presumably a 3-byte allocation (malloc/new) - confirm
004D3B07 |. 8BF8 mov edi, eax ; edi = header block
004D3B09 |. 83C4 04 add esp, 4
004D3B0C |. 85FF test edi, edi
004D3B0E |. 0F84 81000000 je 004D3B95 ; allocation failed: skip queueing (no error reported)
004D3B14 |. 66:8B5424 0C mov dx, word ptr [esp+C]
004D3B19 |. 8B75 08 mov esi, dword ptr [ebp+8]
004D3B1C |. 8BCF mov ecx, edi
004D3B1E |. 66:8911 mov word ptr [ecx], dx ; header = { word 0126, byte 0 }
004D3B21 |. 8859 02 mov byte ptr [ecx+2], bl
004D3B24 |. 8D9E 78020000 lea ebx, dword ptr [esi+278] ; ebx = &ctx->critsec (+278)
004D3B2A |. 53 push ebx ; /pCriticalSection
004D3B2B |. FF15 F8C35300 call dword ptr [<&KERNEL32.EnterCriti>; \EnterCriticalSection
004D3B31 |. FF15 D8C35300 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount
004D3B37 |. 81C6 B8020000 add esi, 2B8 ; esi = &ctx->list (+2B8): +4 head, +8 tail - inferred from 004D3B6D..004D3B7C
004D3B3D |. 894424 18 mov dword ptr [esp+18], eax ; timestamp
004D3B41 |. 8B46 08 mov eax, dword ptr [esi+8] ; eax = tail
004D3B44 |. 6A 00 push 0
004D3B46 |. 50 push eax
004D3B47 |. E8 24B9F4FF call 0041F470 ; presumably allocates a queue node (tail, 0) -> eax - confirm
004D3B4C |. 8B5424 14 mov edx, dword ptr [esp+14] ; fill node+8..+14 from locals (which local is which depends on 0041F470's calling convention)
004D3B50 |. 8D48 08 lea ecx, dword ptr [eax+8]
004D3B53 |. 8911 mov dword ptr [ecx], edx
004D3B55 |. 8B5424 18 mov edx, dword ptr [esp+18]
004D3B59 |. 8951 04 mov dword ptr [ecx+4], edx
004D3B5C |. 8B5424 1C mov edx, dword ptr [esp+1C]
004D3B60 |. 8951 08 mov dword ptr [ecx+8], edx
004D3B63 |. 8B5424 20 mov edx, dword ptr [esp+20]
004D3B67 |. 8951 0C mov dword ptr [ecx+C], edx
004D3B6A |. 8979 10 mov dword ptr [ecx+10], edi ; node+18 = header block
004D3B6D |. 8B4E 08 mov ecx, dword ptr [esi+8]
004D3B70 |. 85C9 test ecx, ecx ; append: tail ? tail->next = node : head = node
004D3B72 |. 74 04 je short 004D3B78
004D3B74 |. 8901 mov dword ptr [ecx], eax
004D3B76 |. EB 03 jmp short 004D3B7B
004D3B78 |> 8946 04 mov dword ptr [esi+4], eax
004D3B7B |> 53 push ebx ; /pCriticalSection
004D3B7C |. 8946 08 mov dword ptr [esi+8], eax ; | tail = node
004D3B7F |. FF15 FCC35300 call dword ptr [<&KERNEL32.LeaveCriti>; \LeaveCriticalSection
004D3B85 |. 8B45 08 mov eax, dword ptr [ebp+8]
004D3B88 |. 8B88 6C020000 mov ecx, dword ptr [eax+26C]
004D3B8E |. 51 push ecx ; /hEvent = ctx+26C; presumably wakes a consumer thread
004D3B8F |. FF15 B4C35300 call dword ptr [<&KERNEL32.SetEvent>] ; \SetEvent
004D3B95 |> 8B5424 10 mov edx, dword ptr [esp+10] ; edx = output length
004D3B99 |. 8B5D 08 mov ebx, dword ptr [ebp+8]
004D3B9C |. 52 push edx
004D3B9D |. 8D8424 AC0400>lea eax, dword ptr [esp+4AC] ; eax = out (esp+4A8 before the push)
004D3BA4 |. E8 C7F0FFFF call 004D2C70 ; hand the packet on (out in eax, length on stack); eax is the return value - confirm
004D3BA9 |. 8B8C24 AC1400>mov ecx, dword ptr [esp+14AC] ; cookie slot (14A4 + the 8 bytes of pushed esi/edi)
004D3BB0 |. E8 4998FBFF call 0048D3FE ; presumably __security_check_cookie - confirm
004D3BB5 |. 5F pop edi
004D3BB6 |. 5E pop esi
004D3BB7 |. 5B pop ebx
004D3BB8 |. 8BE5 mov esp, ebp
004D3BBA |. 5D pop ebp
004D3BBB |. C2 1000 retn 10
004D3BBE |> 8B8C24 AC1400>mov ecx, dword ptr [esp+14AC] ; fail path (bad state or len out of range)
004D3BC5 |. 33C0 xor eax, eax ; return 0
004D3BC7 |. E8 3298FBFF call 0048D3FE ; cookie check as above
004D3BCC |. 5F pop edi
004D3BCD |. 5E pop esi
004D3BCE |. 5B pop ebx
004D3BCF |. 8BE5 mov esp, ebp
004D3BD1 |. 5D pop ebp
004D3BD2 \. C2 1000 retn 10