先来看一段代码以及反汇编后的流程
// Formula manager "Modify" button entry point (Hex-Rays pseudocode).
// a1: the formula record; every field below is read at a raw byte offset from it.
// a2: CString that receives the formula text (REFLINE header + decoded body).
// a3: CString holding the caller-supplied password; emptied here and, when the user
//     had to be prompted, refilled with the password that was accepted.
// Returns sub_7281BB() -- presumably the /GS security-cookie check (compare sub_7280C0).
int __cdecl sub_54F555(int a1, void *a2, int a3)
{
    void *v3; // ebx@1
    int v4; // edi@1
    double *v5; // ebx@5
    int v6; // eax@6
    void *v7; // eax@10
    void *v8; // edi@10
    int v9; // eax@12
    const char *v10; // eax@13
    signed int v11; // edi@14
    int v12; // eax@15
    const char *v13; // eax@16
    char *v15; // eax@23
    int v16; // eax@24
    int v17; // eax@24
    char v18; // [sp+0h] [bp-110h]@18
    char v19; // [sp+A0h] [bp-70h]@19
    char v20; // [sp+B4h] [bp-5Ch]@15
    int v21; // [sp+C0h] [bp-50h]@17
    char v22; // [sp+CCh] [bp-44h]@1
    int v23; // [sp+D0h] [bp-40h]@1
    void *v24; // [sp+D4h] [bp-3Ch]@1
    int v25; // [sp+D8h] [bp-38h]@1
    char v26; // [sp+DFh] [bp-31h]@24
    int v27; // [sp+E0h] [bp-30h]@6
    const void *v28[5]; // [sp+F8h] [bp-18h]@1
    int v29; // [sp+10Ch] [bp-4h]@1
    v3 = a2;
    v23 = 0;
    v24 = a2;
    v25 = a3;
    // Both output strings start empty. Empty() takes one argument; the second operand
    // is an uninitialised stack slot the decompiler attached by mistake.
    ATL__CSimpleStringT_char_1___Empty(a2, v28[2]);
    ATL__CSimpleStringT_char_1___Empty(a3, v28[3]);
    ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char___(&v22);   // local CString; only constructed and destroyed here
    v4 = 0;    // index into the REFLINE value list
    v29 = 0;   // looks like the compiler's EH/unwind state bookkeeping -- not program logic
    if ( !sub_547DF5(a1) )
    {
        // Record type 4 (a1+8) with a non-zero value count at a1+62: emit "REFLINE: "
        // followed by the values stored from a1+66 on. They are read as float and the
        // pointer is stepped by 4, so v5's double* type is a decompiler guess.
        if ( *(_DWORD *)(a1 + 8) == 4 )
        {
            if ( *(_DWORD *)(a1 + 62) )
            {
                ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____operator__(a2, "REFLINE: ");
                if ( *(_DWORD *)(a1 + 62) > 0 )
                {
                    v5 = (double *)(a1 + 66);
                    do
                    {
                        sub_51C48E((int)&v27, *(float *)v5, 3);   // float -> text; the 3 is presumably the precision (unverified)
                        ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____operator__(v24, &v27);
                        // ", " between values, ";\n" after the last one
                        v6 = (int)";\n";
                        if ( v4 != *(_DWORD *)(a1 + 62) - 1 )
                            v6 = (int)", ";
                        ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____operator__(v24, v6);
                        ++v4;
                        v5 = (double *)((char *)v5 + 4);
                    }
                    while ( v4 < *(_DWORD *)(a1 + 62) );
                    v3 = v24;
                }
            }
        }
    }
    // Private NUL-terminated copy of the raw formula body: length at a1+30, data at
    // a1+34. It is released by the operator delete near the end -- which the cancel
    // path (goto LABEL_20) jumps over, so leaving the password dialog with anything
    // other than OK leaks this buffer.
    v28[2] = (const void *)(*(_DWORD *)(a1 + 30) + 1);
    v7 = operator new__((unsigned int)v28[2]);
    v28[1] = *(const void **)(a1 + 30);
    v8 = v7;
    v28[0] = *(const void **)(a1 + 34);
    v24 = v7;
    memcpy(v7, v28[0], (size_t)v28[1]);
    *((_BYTE *)v8 + *(_DWORD *)(a1 + 30)) = 0;
    // Password gate. *(*(a1+155)+4) is the stored 32-bit digest; zero means "no
    // password" and skips the prompt entirely. Otherwise the supplied a3 passes when it
    // is non-empty and EITHER digest of it matches: sub_54952D (legacy) or sub_549574
    // (DES based). Both digests upper-case their input and only 32 bits are compared,
    // so the check is case-insensitive and any input whose digest collides is accepted.
    if ( *(_DWORD *)(*(_DWORD *)(a1 + 155) + 4)
      && ((unsigned __int8)ATL__CSimpleStringT_char_1___IsEmpty(v25)
       || (v9 = ATL__CSimpleStringT_char_1___operator char_const__(v25),
           sub_54952D(v9) != *(_DWORD *)(*(_DWORD *)(a1 + 155) + 4))
       && (v10 = (const char *)ATL__CSimpleStringT_char_1___operator char_const__(v25),
           sub_549574(v10) != *(_DWORD *)(*(_DWORD *)(a1 + 155) + 4))) )
    {
        v11 = 1;
        // "Enter formula password" prompt. sub_566830 appears to construct the dialog
        // whose frame is v18 (destroyed via CDialog___CDialog(&v18) below), with the
        // typed text in the CString at v20 and a message field at v21 -- inferred from
        // the destructor calls, not recovered by name.
        sub_566830("输入公式密码", a1 + 12, &byte_75C0CB, 0, 1, -1);
        LOBYTE(v29) = 1;
        // Re-prompt until DoModal returns 1 (IDOK) AND the typed text matches a digest.
        while ( 1 )
        {
            if ( sub_65D411(&v18) != 1 )
            {
                // Cancelled/closed: tear the dialog down and bail out. This skips both
                // the decode below and the operator delete of v24.
                LOBYTE(v29) = 0;
                ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char______CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char___(&v20);
                type_info___type_info(&v19);   // mis-resolved destructor of a dialog member (presumed)
                CDialog___CDialog(&v18);
                goto LABEL_20;
            }
            v12 = ATL__CSimpleStringT_char_1___operator char_const__(&v20); ATL::CSimpleStringT<char,1>::operator char const *(void)
            if ( sub_54952D(v12) == *(_DWORD *)(*(_DWORD *)(a1 + 155) + 4) )
                break;
            v13 = (const char *)ATL__CSimpleStringT_char_1___operator char_const__(&v20);
            if ( sub_549574(v13) == *(_DWORD *)(*(_DWORD *)(a1 + 155) + 4) )
                break;
            v21 = (int)"密码错误,请重新输入";   // "wrong password, please retry" -- shown on the next round
        }
        // Hand the accepted password back to the caller through a3.
        ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____operator_(v25, &v20);
        LOBYTE(v29) = 0;
        ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char______CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char___(&v20);
        type_info___type_info(&v19);
        CDialog___CDialog(&v18);
    }
    else
    {
        v11 = 1;   // both branches set the same length that Right() uses below
    }
    // Decode the copied body with the (possibly newly entered) password and append it
    // to the output. sub_5483B9's name is not recovered; "decode in place" is an
    // inference from its arguments (record, raw copy, password) and from v24 being
    // appended right afterwards.
    v15 = (char *)ATL__CSimpleStringT_char_1___operator char_const__(v25);
    sub_5483B9(a1, (int)v24, v15);
    ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____operator__(v3, v24);
    ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____TrimRight(v3, " \r\n\t");
    // Make sure the text ends with ';'. Right(v3, 1) is returned in the slot the
    // decompiler labelled v25 (it aliases a3's local; v23 records that the temporary
    // exists). v26 = 1 means "append ';'"; it is cleared when the text is empty or its
    // last character already compares equal to ";" (the L";" spelling is how the
    // decompiler rendered the literal; the CString here is narrow).
    if ( !ATL__CSimpleStringT_char_1___GetLength(v3)
      || (v16 = ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____Right(v3, &v25, v11),
          LOBYTE(v29) = 2,
          v23 = v11,
          v17 = ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____Compare(v16, L";"),
          v26 = 1,
          !v17) )
        v26 = 0;
    v29 = 0;
    if ( v23 & 1 )
        ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char______CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char___(&v25);   // destroy the Right() temporary
    if ( v26 )
        ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char_____operator__(v3, L";");
    operator delete(v24);   // only reached on the non-cancelled path
LABEL_20:
    ATL__CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char______CStringT_char_StrTraitMFC_DLL_char_ATL__ChTraitsCRT_char___(&v22);
    return sub_7281BB();
}
好了，在有了上文相关资料之后，这里列出了逆向出来的密码运算所涉及的相关代码，供同学们参考。其实到这一步，关键点已经出来了。
// DES key schedule (Hex-Rays pseudocode; the cipher is identified by the symbol
// RawDES_Spbox used in sub_4481B1 and by the 56/28/24/16 table sizes below).
// a1: pointer to the 8-byte key. a2: when 1, the 16 round keys are written in reverse
// slot order (30,28,...,0 instead of 0,2,...,30), which is the usual way to set up DES
// decryption -- confirm against the caller. Locals v18 (4 bytes, sp+14h), v19 (96 bytes,
// sp+18h) and v20 (28 bytes, sp+78h) are one contiguous 128-byte array of 16 x 8-byte
// round keys that the decompiler split in three; v21 (sp+94h) follows it directly and
// holds the 56 selected key bits, one byte per bit. Returns sub_4612F2(v18).
int __cdecl sub_447FE3(int a1, __int16 a2)
{
    signed int v2; // ecx@1
    int v3; // ebx@1
    int v4; // eax@5
    signed int v5; // eax@7
    signed int v6; // edx@7
    char *v7; // ecx@7
    signed int v8; // edi@7
    char *v9; // esi@7
    char v10; // bl@9
    int v11; // eax@12
    signed int v12; // edi@12
    char v13; // dl@14
    signed int v14; // eax@17
    signed int v16; // [sp+Ch] [bp-FCh]@3
    int v17; // [sp+10h] [bp-F8h]@3
    char v18[4]; // [sp+14h] [bp-F4h]@7
    char v19[96]; // [sp+18h] [bp-F0h]@7
    char v20[28]; // [sp+78h] [bp-90h]@10
    char v21[56]; // [sp+94h] [bp-74h]@2
    char v22[56]; // [sp+CCh] [bp-3Ch]@11
    unsigned int v23; // [sp+104h] [bp-4h]@1
    int v24; // [sp+108h] [bp+0h]@1
    v23 = (unsigned int)&v24 ^ dword_80F360;   // /GS stack cookie
    v3 = 0;   // stays 0 throughout (reset again below); used to zero the round-key words
    // PC-1 style bit selection: v21[i] = key bit number byte_7FBD28[i], read from key
    // byte (idx >> 3) with the mask byte_7FBCB8[2 * (idx & 7)]. Yields 56 one-byte
    // flags. Table contents are not on the page.
    v2 = 0;
    do
    {
        v21[v2] = (*(_BYTE *)(((signed int)(unsigned __int8)byte_7FBD28[v2] >> 3) + a1) & (unsigned __int8)byte_7FBCB8[2 * (byte_7FBD28[v2] & 7)]) != 0;
        ++v2;
    }
    while ( v2 < 56 );
    v17 = 0;    // round number 0..15, counting up
    v16 = 30;   // slot index 30..0, counting down (used when a2 == 1)
    do
    {
        if ( a2 == 1 )
            v4 = v16;
        else
            v4 = 2 * v17;
        // The two 32-bit words of this round key sit side by side at v18 + 4*v4
        // (v18 and v19 are adjacent, so &v19[4*v4] == &v18[4*v4 + 4]). Both start at 0.
        v7 = &v19[4 * v4];
        v9 = &v18[4 * v4];
        v5 = (unsigned __int8)byte_7FBD60[v17];   // rotation offset for this round (cumulative DES shift amounts, presumably)
        *(_DWORD *)v7 = v3;
        *(_DWORD *)v9 = v3;
        v6 = 0;
        v8 = v5;
        // Rotate the first 28-bit half left by v5 into v22[0..27]. Indices >= 28 wrap
        // through v20[]: v20 sits 28 bytes below v21 (sp+78h vs sp+94h), so v20[k] with
        // k >= 28 is v21[k - 28], i.e. the start of the same half again.
        do
        {
            if ( v8 >= 28 )
                v10 = v20[v8];
            else
                v10 = v21[v8];
            v22[v6++] = v10;
            ++v8;
        }
        while ( v6 < 28 );
        // Same for the second half into v22[28..55]; v20[k] with k >= 56 is
        // v21[k - 28] = v21[28..], the start of the second half.
        v12 = 28;
        v11 = v5 + 28;
        do
        {
            if ( v11 >= 56 )
                v13 = v20[v11];
            else
                v13 = v21[v11];
            v22[v12++] = v13;
            ++v11;
        }
        while ( v12 < 56 );
        // PC-2 style compression: 24 index lookups per word. byte_7FBD70 selects the
        // bits for the v9 word, byte_7FBD88 those for the v7 word; a set bit ORs in the
        // mask off_7FBCC8[v14]. 2 x 24 = 48 bits per round key.
        v3 = 0;
        v14 = 0;
        do
        {
            if ( v22[(unsigned __int8)byte_7FBD70[v14]] )
                *(_DWORD *)v9 |= (unsigned int)*(&off_7FBCC8 + v14);
            if ( v22[(unsigned __int8)byte_7FBD88[v14]] )
                *(_DWORD *)v7 |= (unsigned int)*(&off_7FBCC8 + v14);
            ++v14;
        }
        while ( v14 < 24 );
        v16 -= 2;
        ++v17;
    }
    while ( v16 > -2 );   // 16 rounds
    // Re-pack the schedule for the S-box lookup layout and install it in the global
    // unk_80F5C0 (sub_4612F2 -> sub_44811B).
    return sub_4612F2(v18);
}
unsigned int __cdecl sub_44811B(int a1)
{
    // Copy the 128-byte (&unk_80F640 - &unk_80F5C0) round-key schedule from a1 into
    // the process-wide buffer unk_80F5C0, one DWORD at a time, and return the address
    // one past the end of that buffer. This is unsynchronised global state: a second
    // caller would overwrite a schedule another caller may still be using (threading
    // assumption -- confirm how the callers are scheduled).
    unsigned int off = 0;
    do
    {
        *(_DWORD *)((unsigned int)&unk_80F5C0 + off) = *(_DWORD *)(a1 + off);
        off += 4;
    }
    while ( (unsigned int)&unk_80F5C0 + off < (unsigned int)&unk_80F640 );
    return (unsigned int)&unk_80F5C0 + off;
}
int __usercall sub_448139<eax>(int result<eax>, int a2<ecx>)
{
    // Load the 8 bytes at a2 as two big-endian 32-bit words into result[0] and
    // result[1] (byte 0 becomes the most significant byte of the first word) and
    // return result. _BYTE is unsigned in Hex-Rays output; note that in portable C the
    // `<< 24` of a promoted byte >= 0x80 overflows int (undefined), which the x86 build
    // does not care about.
    unsigned int w;
    for ( w = 0; w < 2; ++w )
    {
        const _BYTE *src = (const _BYTE *)(a2 + 4 * w);
        *(_DWORD *)(result + 4 * w) = (src[0] << 24) | (src[1] << 16) | (src[2] << 8) | src[3];
    }
    return result;
}
int __usercall sub_448182<eax>(int result<eax>, int a2<ecx>)
{
    // Reverse the byte order of each of the two 4-byte words at a2 into result
    // (the inverse of the big-endian load in sub_448139) and return result.
    _BYTE *dst = (_BYTE *)result;
    const _BYTE *src = (const _BYTE *)a2;
    int w;
    for ( w = 0; w < 8; w += 4 )
    {
        dst[w] = src[w + 3];
        dst[w + 1] = src[w + 2];
        dst[w + 2] = src[w + 1];
        dst[w + 3] = src[w];
    }
    return result;
}
// One 64-bit block through the 16 DES rounds, in place. a1: pointer to the two 32-bit
// words of the block (as produced by the big-endian load in sub_448139); a2: pointer to
// the 128-byte round-key schedule, consumed 16 bytes (two rounds) per loop iteration.
// Returns a1. The S-box tables are RawDES_Spbox, dword_7FBEA0..dword_7FC4A0 and
// off_7FC0A0, each indexed by a 6-bit value (& 0x3F). __ROL__/__ROR__ are the
// decompiler's 32-bit rotates.
int __cdecl sub_4481B1(int a1, int a2)
{
    int v2; // eax@1
    int v3; // ecx@1
    int v4; // eax@1
    int v5; // ecx@1
    int v6; // edx@1
    int v7; // eax@1
    int v8; // ecx@1
    int v9; // edx@1
    int v10; // eax@1
    int v11; // edx@1
    int v12; // ecx@1
    int v13; // eax@1
    int v14; // edx@1
    int v15; // eax@1
    int v16; // ecx@1
    int v17; // ecx@1
    int v18; // esi@2
    int v19; // esi@2
    int v20; // ecx@2
    int v21; // esi@2
    int v22; // esi@2
    int v23; // edx@2
    int v24; // esi@2
    int v26; // eax@3
    int result; // eax@3
    int v28; // edx@3
    int v29; // eax@3
    unsigned int v30; // edx@3
    int v31; // ecx@3
    int v32; // eax@3
    int v33; // edx@3
    int v34; // ecx@3
    int v35; // eax@3
    int v36; // edx@3
    int v37; // ecx@3
    int v38; // edx@3
    int v39; // eax@3
    int v40; // ecx@3
    int v41; // esi@3
    signed int v42; // [sp+0h] [bp-8h]@1
    int v43; // [sp+4h] [bp-4h]@1
    // Initial permutation, written as the familiar swap/mask sequence (masks 0F0F0F0F,
    // 0000FFFF, 33333333, 00FF00FF, AAAAAAAA plus a rotate by 1). This matches the
    // standard bit-swap implementation of the DES IP; v2 ends up as one half, v43 as
    // the other.
    v3 = *(_DWORD *)(a1 + 4);
    v4 = (v3 ^ (*(_DWORD *)a1 >> 4)) & 0xF0F0F0F;
    v5 = v4 ^ v3;
    v6 = 16 * v4 ^ *(_DWORD *)a1;
    v7 = (unsigned __int16)(v5 ^ (((unsigned int)(16 * v4) ^ *(_DWORD *)a1) >> 16));
    v8 = v7 ^ v5;
    v9 = (v7 << 16) ^ v6;
    v10 = (v9 ^ ((unsigned int)v8 >> 2)) & 0x33333333;
    v11 = v10 ^ v9;
    v12 = 4 * v10 ^ v8;
    v13 = v11 ^ ((unsigned int)v12 >> 8);
    v13 &= 0xFF00FFu;
    v14 = v13 ^ v11;
    v15 = __ROL__(v12 ^ (v13 << 8), 1);
    v16 = (v14 ^ v15) & 0xAAAAAAAA;
    v2 = v16 ^ v15;
    v17 = __ROL__(v14 ^ v16, 1);
    v43 = v17;
    v42 = 8;   // 8 iterations x 2 rounds = 16 rounds
    do
    {
        // Round: ROR(v2, 4) XOR key word 0 and v2 XOR key word 1 (*(v20 - 4) == a2 + 4)
        // are split into eight 6-bit indices; the eight table entries are ORed together
        // and folded into v43.
        v18 = __ROR__(v2, 4);
        v19 = *(_DWORD *)a2 ^ v18;
        v20 = a2 + 8;
        v43 ^= dword_7FC3A0[v19 & 0x3F] | dword_7FC1A0[((unsigned int)v19 >> 8) & 0x3F] | dword_7FBFA0[((unsigned int)v19 >> 16) & 0x3F] | RawDES_Spbox[((unsigned int)v19 >> 24) & 0x3F] | dword_7FC4A0[(v2 ^ *(_DWORD *)(v20 - 4)) & 0x3F] | dword_7FC2A0[(((unsigned int)v2 ^ *(_DWORD *)(v20 - 4)) >> 8) & 0x3F] | (unsigned int)*(&off_7FC0A0 + ((((unsigned int)v2 ^ *(_DWORD *)(v20 - 4)) >> 16) & 0x3F)) | dword_7FBEA0[(((unsigned int)v2 ^ *(_DWORD *)(v20 - 4)) >> 24) & 0x3F];
        // Next round with the halves swapped, using key words 2 and 3 (a2 + 8, a2 + 12).
        v21 = __ROR__(v43, 4);
        v22 = *(_DWORD *)(a2 + 8) ^ v21;
        v23 = dword_7FC3A0[v22 & 0x3F] | dword_7FC1A0[((unsigned int)v22 >> 8) & 0x3F] | dword_7FBFA0[((unsigned int)v22 >> 16) & 0x3F] | RawDES_Spbox[((unsigned int)v22 >> 24) & 0x3F];
        v24 = v43 ^ *(_DWORD *)(a2 + 12);
        a2 += 16;   // advance two round keys
        v2 ^= v23 | dword_7FC4A0[v24 & 0x3F] | dword_7FC2A0[((unsigned int)v24 >> 8) & 0x3F] | (unsigned int)*(&off_7FC0A0 + (((unsigned int)v24 >> 16) & 0x3F)) | dword_7FBEA0[((unsigned int)v24 >> 24) & 0x3F];
    }
    while ( v42-- != 1 );
    // Final permutation: the inverse of the opening sequence, same masks in reverse
    // order. The result is written back over the input block.
    v26 = __ROR__(v2, 1);
    v28 = (v43 ^ v26) & 0xAAAAAAAA;
    v29 = v28 ^ v26;
    v30 = __ROR__(v43 ^ v28, 1);
    v31 = v29 ^ (v30 >> 8);
    v31 &= 0xFF00FFu;
    v32 = v31 ^ v29;
    v33 = (v31 << 8) ^ v30;
    v34 = (v32 ^ ((unsigned int)v33 >> 2)) & 0x33333333;
    v35 = v34 ^ v32;
    v36 = 4 * v34 ^ v33;
    v37 = (unsigned __int16)(v36 ^ ((unsigned int)v35 >> 16));
    v38 = v37 ^ v36;
    v39 = (v37 << 16) ^ v35;
    v40 = (v38 ^ ((unsigned int)v39 >> 4)) & 0xF0F0F0F;
    v41 = v39 ^ 16 * ((v38 ^ ((unsigned int)v39 >> 4)) & 0xF0F0F0F);
    result = a1;
    *(_DWORD *)a1 = v41;
    *(_DWORD *)(a1 + 4) = v38 ^ v40;
    return result;
}
// Transform one 8-byte block with the round-key schedule currently held in the
// global unk_80F5C0 (installed by sub_447FE3 via sub_44811B). Sequence: sub_448139
// loads the 8 bytes at a1 as two big-endian words, sub_4481B1 runs the 16 rounds on
// them in place, sub_448182 reverses the byte order of each word into the output.
// sub_448139 and sub_448182 are __usercall routines (arguments in eax/ecx), so the
// single-argument calls below are incomplete: the caller in sub_4611CA passes TWO
// arguments (&v13, &v15) and the second travels in a register the decompiler did not
// model. v3 (bp-8h, an 8-byte slot typed as one char) is a stand-in -- do not read the
// data flow shown here literally.
int __cdecl sub_4483A9(int a1)
{
    int v2; // eax@1
    char v3; // [sp+0h] [bp-8h]@1
    v2 = sub_448139(a1);
    sub_4481B1(v2, &unk_80F5C0);   // 16 rounds with the global schedule
    return sub_448182(&v3);
}
// DES block driver. a1: non-zero makes sub_447FE3 build the schedule in reversed slot
// order (it receives a1 != 0). a2: input bytes; a3: output bytes; a4: byte count;
// a5: pointer to the 8-byte key (two DWORDs). Every 8-byte block gets its OWN key
// schedule: after each block the working key v17/v18 is re-derived from the ORIGINAL
// key words at a5 (a5 is never written), rotated by amounts that depend only on the
// block counter -- a home-grown chaining scheme, not a standard mode. The a4 % 8 tail
// is copied through unchanged (no padding). Returns v5 + 4 (block count + 4; the
// meaning of the +4 is not recoverable here).
int __cdecl sub_4611CA(int a1, int a2, int a3, signed int a4, int a5)
{
    signed int v5; // ebx@3
    int v6; // edi@4
    int v7; // ST30_4@5
    int v8; // eax@5
    int v9; // edx@5
    int v10; // eax@5
    signed int v12; // [sp+1Ch] [bp-24h]@4
    int v13; // [sp+24h] [bp-1Ch]@5
    int v14; // [sp+28h] [bp-18h]@5
    int v15; // [sp+2Ch] [bp-14h]@5
    int v16; // [sp+30h] [bp-10h]@5
    int v17; // [sp+34h] [bp-Ch]@3
    int v18; // [sp+38h] [bp-8h]@3
    unsigned int v19; // [sp+3Ch] [bp-4h]@1
    int v20; // [sp+40h] [bp+0h]@1
    v19 = (unsigned int)&v20 ^ dword_80F360;   // /GS stack cookie
    // Trailing partial block: plain copy, not transformed.
    if ( a4 % 8 )
        memcpy((void *)(a3 + a4 - a4 % 8), (const void *)(a4 - a4 % 8 + a2), a4 % 8);
    v17 = *(_DWORD *)a5;         // working key, word 0
    v5 = 0;                      // block index
    v18 = *(_DWORD *)(a5 + 4);   // working key, word 1
    if ( a4 / 8 > 0 )
    {
        v12 = 3;       // rotation counter, +7 per block
        v6 = a3 + 4;   // points at the second output word of the current block
        do
        {
            sub_447FE3(&v17, a1 != 0);   // fresh schedule for this block -> global unk_80F5C0
            // Load the block. (a2 - a3 + v6) is just a2 + 8*v5 + 4, a pointer-difference artefact.
            v13 = *(_DWORD *)(a2 + 8 * v5);
            v14 = *(_DWORD *)(a2 - a3 + v6);
            // sub_4483A9's recovered prototype has one parameter; the second argument
            // (&v15, the output pair v15/v16) is passed in a register the decompiler
            // did not model.
            sub_4483A9(&v13, &v15);
            *(_DWORD *)(v6 - 4) = v15;
            *(_DWORD *)v6 = v16;
            // Derive the next block's key. As printed, 4 * v5 % 2 parses as (4 * v5) % 2,
            // which is always 0, so v7 is always key word 0 -- whether the binary meant
            // 4 * (v5 % 2) cannot be told from this listing.
            v7 = *(_DWORD *)(a5 + 4 * v5 % 2);
            v6 += 8;
            v8 = __ROL__(v7 + *(_DWORD *)a5, v12 % 13);
            v17 = v8;
            v9 = v12 % 9;
            v12 += 7;
            ++v5;
            v10 = __ROL__(*(_DWORD *)(a5 + 4) - v7, v9);
            v18 = v10;
        }
        while ( v5 < a4 / 8 );
    }
    return v5 + 4;
}
// Re-pack the 16 x 8-byte round keys at a1 into the layout the round function
// (sub_4481B1) indexes with 6-bit (& 0x3F) groups, then install the 128-byte result in
// the global unk_80F5C0 via sub_44811B. v10 (sp+10h..sp+90h) is that 128-byte buffer,
// typed as a single char by the decompiler; v13 (bp+8h) is a reused argument slot.
// Returns whatever sub_44811B returns.
int __cdecl sub_4612F2(int a1)
{
    char *v1; // edx@1
    int v2; // eax@2
    unsigned int v3; // ecx@2
    int v4; // edi@2
    int v5; // esi@2
    int v6; // edi@2
    signed int v9; // [sp+Ch] [bp-88h]@1
    char v10; // [sp+10h] [bp-84h]@1
    unsigned int v11; // [sp+90h] [bp-4h]@1
    int v12; // [sp+94h] [bp+0h]@1
    int v13; // [sp+9Ch] [bp+8h]@2
    v11 = (unsigned int)&v12 ^ dword_80F360;   // /GS stack cookie
    v1 = &v10;   // output cursor, 8 bytes per round key
    v9 = 16;     // 16 round keys
    do
    {
        v2 = *(_DWORD *)a1;    // round-key word 0
        v13 = a1 + 4;
        v3 = *(_DWORD *)v13;   // round-key word 1
        v4 = v2;
        // Shuffle the 6-bit groups (masks 0xFC0000, 0xFC0, 0x3F000, 0x3F, ...) of both
        // words into the two output words. The exact bit layout is whatever the masks
        // say; it only has to agree with the lookups in sub_4481B1.
        v5 = v4 & 0xFC0000 | 16 * (v2 & 0xFC0);
        v6 = *(_DWORD *)v13 >> 4;
        a1 = v13 + 4;   // advance to the next round key
        *(_DWORD *)v1 = ((v3 & 0xFC0 | v6 & 0xFC000) >> 6) | (v5 << 6);
        *((_DWORD *)v1 + 1) = v3 & 0x3F | (v3 >> 4) & 0x3F00 | ((v2 & 0x3F000 | 16 * (v2 & 0x3F)) << 12);
        v1 += 8;
    }
    while ( v9-- != 1 );
    return sub_44811B(&v10);
}
signed int __cdecl sub_54952D(int a1)
{
    // Legacy 32-bit password digest. Starting from 801575476, for every byte of the
    // NUL-terminated string at a1 the accumulator is multiplied by
    // (weight / toupper(ch)) + 1, where weight starts at 4600 and grows by 400 per
    // character. A NULL or empty string returns the seed unchanged. The input is
    // upper-cased, so the digest is case-insensitive, and the product soon exceeds
    // int range (undefined in portable C; the x86 imul simply wraps). ch is a plain
    // char, so bytes >= 0x80 (e.g. GBK text) reach toupper() as a negative value --
    // presumably a movsx in the binary; confirm if that matters.
    signed int acc = 801575476;
    if ( a1 )
    {
        int pos = a1;
        signed int weight = 4600;
        char ch = *(_BYTE *)pos;
        while ( ch )
        {
            acc *= weight / toupper(ch) + 1;
            weight += 400;
            ch = *(_BYTE *)++pos;
        }
    }
    return acc;
}
// DES-based 32-bit password digest. Returns 747297946 for an empty string. Otherwise
// the key is the two constants v8/v9 (8 bytes) with the first min(strlen, 8) bytes
// replaced by the UPPER-CASED characters of Str, and one 8-byte block of 0xC9 is pushed
// through sub_4611CA (a1 = 1: reversed round-key order, i.e. presumably DES decryption)
// under that key; the first 32 bits of the output (v7) are the digest. Properties that
// matter when assessing the scheme: only the first 8 characters contribute, case does
// not, shorter passwords are padded with fixed constants, the block and key constants
// are fixed (no salt), and half of the cipher output is discarded.
signed int __cdecl sub_549574(const char *Str)
{
    signed int v1; // edi@1
    signed int v2; // edi@2
    signed int v3; // eax@3
    size_t v5; // [sp+8h] [bp-20h]@1
    char Dst; // [sp+Ch] [bp-1Ch]@7
    int v7; // [sp+14h] [bp-14h]@7
    int v8; // [sp+1Ch] [bp-Ch]@2
    int v9; // [sp+20h] [bp-8h]@2
    unsigned int v10; // [sp+24h] [bp-4h]@1
    int v11; // [sp+28h] [bp+0h]@1
    v10 = (unsigned int)&v11 ^ dword_80F360;   // /GS stack cookie
    v1 = 747297946;   // value returned when Str is empty
    v5 = strlen(Str);
    if ( v5 )
    {
        v2 = 0;
        v8 = -767312295;   // key bytes 0..3 (little-endian) before the password is laid over them
        v9 = -618152290;   // key bytes 4..7
        // Copy toupper(Str[i]) into the key for i < min(len, 8). The index expression
        // (&v8 + v2 + Str - &v8) is just Str + v2, a decompiler artefact.
        while ( 1 )
        {
            v3 = v5;
            if ( (signed int)v5 >= 8 )
                v3 = 8;
            if ( v2 >= v3 )
                break;
            *((_BYTE *)&v8 + v2) = toupper(*((_BYTE *)&v8 + v2 + Str - (const char *)&v8));
            ++v2;
        }
        // Dst is an 8-byte slot (bp-1Ch..bp-14h) typed as one char; the 16-byte fill
        // also covers v7 (bp-14h..bp-Ch), which the call then overwrites with the output.
        memset(&Dst, 201, 0x10u);
        sub_4611CA(1, (int)&Dst, (int)&v7, 8, (int)&v8);
        v1 = v7;   // first 4 output bytes
    }
    return v1;
}
BOOL __cdecl sub_656898()
{
    // If the global object at dword_A53C60 exists and its window handle (offset 32) is
    // still valid, call its virtual slot at vtable offset 104 (name not recovered).
    if ( dword_A53C60 && IsWindow(*(HWND *)(dword_A53C60 + 32)) )
        (*(void (**)(void))(*(_DWORD *)dword_A53C60 + 104))();
    // Then repaint the window of whatever sub_50799B() returns, if anything;
    // the return value is 0 when there is no such object, else UpdateWindow's result.
    BOOL target = sub_50799B();
    if ( !target )
        return target;
    return UpdateWindow(*(HWND *)(target + 32));
}
int __thiscall sub_65D411(void *this)
{
    // Modal-dialog wrapper: refresh the global window via sub_656898 when
    // dword_A53C60 is set, then run the dialog and return DoModal's result.
    if ( dword_A53C60 != 0 )
        sub_656898();
    return CDialog__DoModal(this);
}
// MSVC /GS stack-cookie check, decompiled with register-level arguments. If the cookie
// in ecx equals the process cookie dword_80F360 the function just returns (rendered as
// `rep retn`); otherwise it reports a stack-buffer overrun through __report_gsfailure,
// passing along the flag values the comparison produced and the live registers.
// sub_447FE3, sub_4611CA, sub_4612F2 and sub_549574 all seed their cookie from
// dword_80F360, so those are frames this check protects.
BOOL __usercall sub_7280C0<eax>(void *this<ecx>, char _CF<cf>, char _ZF<ZF>, char _SF<sf>, char _OF<of>, int a5<eax>, int a6<edx>, int a8<ebx>, int a9<edi>, int a10<esi>, char a2)
{
    if ( this == (void *)dword_80F360 )
        __asm { rep retn }   // cookie intact: plain return
    // Cookie mismatch: the flags below are the decompiler's rendering of the cmp result.
    return __report_gsfailure(
        (unsigned int)this < dword_80F360,
        this == (void *)dword_80F360,
        (signed int)((char *)this - dword_80F360) < 0,
        __SETO__(this, dword_80F360),
        a5,
        a6,
        (int)this,
        a8,
        a9,
        a10,
        a2);
}