这段时间正学习MS IL指令,有下面一段代码,是个字符串解密函数,分析后得到后面的Delphi程序,但是算出结果居然有不可视字符,肯定哪里有问题了,请熟悉的人指点错误。
// Obfuscator string-decryption stub.  For every UTF-16 code unit of A_0 it
// XORs the low byte and the high byte with a running byte key seeded by
// (0x6ec726d4 + A_1), swaps the two result bytes, writes the 16-bit result
// back in place, and returns the interned string.
// The key counter V_1 is post-incremented TWICE per character (IL_0023-IL_0026
// and IL_002e-IL_0031), so at index i the low byte is XORed with seed + 2*i and
// the high byte with seed + 2*i + 1 -- not seed + i for both.
// NOTE(review): A_1 presumably differs per call site; if so, every string can be
// recovered statically from (A_0, A_1) pairs at the callers -- confirm.
.method privatescope hidebysig static string
a$PST06000001(string A_0,
int32 A_1) cil managed
{
// Code size 90 (0x5a)
.maxstack 8
.locals init (char[] V_0,   // working copy of A_0's chars, decrypted in place
int32 V_1,                  // running key: 0x6ec726d4 + A_1, +1 after every byte
int32 V_2,                  // current index i
uint8 V_3,                  // low-byte XOR result; holds the high-byte result after the swap
uint8 V_4)                  // high-byte XOR result; holds the low-byte result after the swap
IL_0000: ldarg.0
IL_0001: callvirt instance char[] [mscorlib]System.String::ToCharArray()
IL_0006: stloc.0            // V_0 = A_0.ToCharArray()
IL_0007: ldc.i4 0x6ec726d4
IL_000c: ldarg.1
IL_000d: add                // plain 32-bit add: wraps silently, no overflow trap
IL_000e: stloc.1            // V_1 = 0x6ec726d4 + A_1  (the key seed)
IL_000f: ldc.i4.0           // i = 0; i lives on the evaluation stack for the whole loop
IL_0010: dup
IL_0011: ldc.i4.1
IL_0012: blt.s IL_0047      // always taken (0 < 1): go straight to the length test
IL_0014: dup
IL_0015: stloc.2            // V_2 = i
IL_0016: ldloc.0
IL_0017: ldloc.2            // array and index for the stelem.i2 at IL_0044
IL_0018: ldloc.0
IL_0019: ldloc.2
IL_001a: ldelem.i2          // c = V_0[i], sign-extended int16; only the low 16 bits are used below
IL_001b: dup
IL_001c: ldc.i4 0xff
IL_0021: and                // c & 0xff  (low byte)
IL_0022: ldloc.1
IL_0023: dup
IL_0024: ldc.i4.1
IL_0025: add
IL_0026: stloc.1            // pushes the old V_1 (key0), then V_1 += 1  (post-increment)
IL_0027: xor
IL_0028: conv.u1
IL_0029: stloc.3            // V_3 = byte((c & 0xff) ^ key0)
IL_002a: dup
IL_002b: ldc.i4.8
IL_002c: shr                // c >> 8  (high byte; any sign bits are cut off by conv.u1 below)
IL_002d: ldloc.1
IL_002e: dup
IL_002f: ldc.i4.1
IL_0030: add
IL_0031: stloc.1            // pushes the old V_1 (= key0 + 1), then V_1 += 1 again
IL_0032: xor
IL_0033: conv.u1
IL_0034: stloc.s V_4        // V_4 = byte((c >> 8) ^ (key0 + 1))
IL_0036: pop                // discard c
IL_0037: ldloc.s V_4
IL_0039: ldloc.3
IL_003a: stloc.s V_4        // V_4 = old V_3  (low-byte result)
IL_003c: stloc.3            // V_3 = old V_4  (high-byte result)  -- i.e. a byte swap
IL_003d: ldloc.s V_4
IL_003f: ldc.i4.8
IL_0040: shl
IL_0041: ldloc.3
IL_0042: or
IL_0043: conv.u2            // 16-bit result: (low-byte result << 8) | high-byte result
IL_0044: stelem.i2          // V_0[i] = result
IL_0045: ldc.i4.1
IL_0046: add                // i += 1
IL_0047: dup
IL_0048: ldloc.0
IL_0049: ldlen
IL_004a: conv.i4
IL_004b: blt.s IL_0014      // loop while i < V_0.Length
IL_004d: pop                // drop i
IL_004e: ldloc.0
IL_004f: newobj instance void [mscorlib]System.String::.ctor(char[])
IL_0054: call string [mscorlib]System.String::Intern(string)   // plaintext goes into the intern pool
IL_0059: ret
} // end of method 'Global Functions'::a
下面是Delphi函数中的主要部分,看不出错误在哪里
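var
  a: array of integer;    // one element per UTF-16 code unit of the input (the IL works on char[])
  num, i: integer;
  num3, num4, temp: byte;
  // Must be 16 bits: the IL ends with conv.u2 on (V_4 shl 8) or V_3.  Declared as
  // 'byte', "(num4 shl 8) or num3" silently truncates to num3 alone, which is one
  // source of the garbage characters.  Also renamed away from 'result', which is
  // the implicit return variable inside a Delphi function.
  decoded: word;
  s: WideString;          // the IL yields UTF-16 chars; chr() would give an 8-bit AnsiChar
begin
  // Key seed.  The IL 'add' wraps silently in 32 bits; build with overflow
  // checking off ({$Q-}) or this line may raise EIntOverflow for large A_1.
  num := $6ec726d4 + A_1;
  // string -> a[] conversion omitted as in the original post.
  // NOTE(review): a[i] must hold the 16-bit code unit (Ord of each WideChar),
  // because the IL reads the array produced by String::ToCharArray().
  s := '';
  // Loop bound comes from the array length (IL_0047-IL_004b), not a hard-coded 27.
  for i := 0 to High(a) do
  begin
    // The IL post-increments its key V_1 TWICE per character: once after the
    // low byte, once after the high byte.  So for character i:
    //   low  byte key = num + 2*i
    //   high byte key = num + 2*i + 1
    // The original used (num + i) for both bytes; that is the main error.
    num3 := byte((a[i] and $00FF) xor (num + 2 * i));
    num4 := byte((a[i] shr 8) xor (num + 2 * i + 1));
    // IL_0037-IL_003c: swap the two result bytes.
    temp := num4;
    num4 := num3;
    num3 := temp;
    // IL_003d-IL_0043: (V_4 shl 8) or V_3, kept as a 16-bit value.
    decoded := (word(num4) shl 8) or num3;
    s := s + WideChar(decoded);
  end;
  // Assign once after the loop; on pre-Unicode Delphi (AnsiString Text) any
  // non-ANSI code unit will still be lost in this conversion.
  edit1.Text := s;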