各位大牛下面是什么解压缩算法-经典问答-看雪-安全社区|安全招聘|kanxue.com

各位大牛下面是什么解压缩算法

发表于: 2013-8-1 10:02 5416

各位大牛下面是什么解压缩算法

yuansunxue 活跃值

2013-8-1 10:02

5416

下面的函数，如果arg_8为0，运行后arg_c返回的是解压缩后的数据的大小，
如果arg_8不为0，则对数据进行解压缩

.text:00401000 ; arg_0_compressed_data= dword ptr  4
.text:00401000 ; arg_4_size_of_compressed_data= dword ptr  8
.text:00401000 ; arg_8_decompress_content= dword ptr  0Ch
.text:00401000 ; arg_C_p_len_of_decompress= dword ptr  10h
.text:00401000
.text:00401000 decompress      proc near               ; CODE XREF: decrypt_and_write_to_file+1B4p
.text:00401000                                         ; decrypt_and_write_to_file+1CDp
.text:00401000
.text:00401000 counter         = dword ptr -8
.text:00401000 var_4           = dword ptr -4          ; = {arg_0[edx+1] & 0x0f} + 2
.text:00401000 arg_0_compressed_data= dword ptr  4
.text:00401000 arg_4_size_of_compressed_data= dword ptr  8
.text:00401000 arg_8_decompress_content= dword ptr  0Ch
.text:00401000 arg_C_p_len_of_decompress= dword ptr  10h
.text:00401000
.text:00401000                 sub     esp, 8
.text:00401003                 push    ebx
.text:00401004                 push    ebp
.text:00401005                 push    esi
.text:00401006                 push    edi             ; first time
.text:00401006                                         ; 0012FBEC   009635A8
.text:00401006                                         ; 0012FBF0   000002C1
.text:00401006                                         ; 0012FBF4   00000000
.text:00401006                                         ; 0012FBF8   0012FC0C
.text:00401007                 mov     ecx, 3FBh
.text:0040100C                 mov     eax, 20202020h
.text:00401011                 mov     edi, offset table
.text:00401016                 mov     ebx, [esp+18h+arg_C_p_len_of_decompress]
.text:0040101A                 rep stosd
.text:0040101C                 xor     ebp, ebp
.text:0040101E                 xor     edx, edx
.text:00401020                 stosw
.text:00401022                 mov     edi, 0FEEh
.text:00401027                 mov     [esp+18h+counter], ebp ; counter = 0
.text:0040102B
.text:0040102B loop:                                   ; CODE XREF: decompress+90j
.text:0040102B                                         ; decompress+CCj ...
.text:0040102B                 mov     eax, [esp+18h+counter]
.text:0040102F                 shr     eax, 1          ; eax = counter >> 1
.text:00401031                 test    ah, 1
.text:00401034                 mov     [esp+18h+counter], eax ; counter = counter >> 1
.text:00401038                 jnz     short loc_401059
.text:0040103A                 mov     ecx, [esp+18h+arg_0_compressed_data]
.text:0040103E                 mov     esi, [esp+18h+arg_4_size_of_compressed_data]
.text:00401042                 xor     eax, eax
.text:00401044                 mov     al, [edx+ecx]   ; al = arg_0[edx]
.text:00401047                 inc     edx             ; edx ++
.text:00401048                 cmp     edx, esi
.text:0040104A                 jg      retn
.text:00401050                 or      ah, 0FFh
.text:00401053                 mov     [esp+18h+counter], eax
.text:00401057                 jmp     short test_counter
.text:00401059 ; ---------------------------------------------------------------------------
.text:00401059
.text:00401059 loc_401059:                             ; CODE XREF: decompress+38j
.text:00401059                 mov     ecx, [esp+18h+arg_0_compressed_data]
.text:0040105D
.text:0040105D test_counter:                           ; CODE XREF: decompress+57j
.text:0040105D                 test    byte ptr [esp+18h+counter], 1
.text:00401062                 jz      short loc_401092 ; (counter & 1)  == 0
.text:00401064                 xor     eax, eax        ; (counter & 1)  != 0
.text:00401066                 mov     al, [edx+ecx]   ; al = arg_0[edx]
.text:00401069                 mov     ecx, [esp+18h+arg_4_size_of_compressed_data]
.text:0040106D                 inc     edx
.text:0040106E                 cmp     edx, ecx        ; is edx > size_of_content
.text:00401070                 jg      retn
.text:00401076                 cmp     dword ptr [ebx], 0
.text:00401079                 jz      short update_table_ ; ebp ++
.text:0040107B                 mov     ecx, [esp+18h+arg_8_decompress_content] ; dword(arg_c) != 0
.text:0040107F                 mov     [ecx+ebp], al   ; arg_8[ebp] = al
.text:00401082
.text:00401082 update_table_:                          ; CODE XREF: decompress+79j
.text:00401082                 inc     ebp             ; ebp ++
.text:00401083                 mov     table[edi], al
.text:00401089                 inc     edi
.text:0040108A                 and     edi, 0FFFh
.text:00401090                 jmp     short loop
.text:00401092 ; ---------------------------------------------------------------------------
.text:00401092
.text:00401092 loc_401092:                             ; CODE XREF: decompress+62j
.text:00401092                 xor     eax, eax        ; (counter & 1)  == 0
.text:00401094                 mov     al, [edx+ecx]   ; al = arg_0[edx]
.text:00401097                 inc     edx             ; edx ++
.text:00401098                 mov     esi, eax
.text:0040109A                 mov     eax, [esp+18h+arg_4_size_of_compressed_data]
.text:0040109E                 cmp     edx, eax        ; is edx > size_of_content?
.text:004010A0                 jg      short retn
.text:004010A2                 xor     eax, eax
.text:004010A4                 mov     al, [edx+ecx]   ; al = arg_0[edx]
.text:004010A7                 mov     ecx, [esp+18h+arg_4_size_of_compressed_data]
.text:004010AB                 inc     edx
.text:004010AC                 cmp     edx, ecx        ; is edx > size_of_content?
.text:004010AE                 jg      short retn
.text:004010B0                 mov     ecx, eax        ; ecx = eax = arg_0[edx+1]
.text:004010B2                 and     eax, 0Fh        ; eax = arg_0[edx+1] & 0x0f
.text:004010B5                 and     ecx, 0F0h       ; ecx = arg_0[edx+1] & 0xf0
.text:004010BB                 shl     ecx, 4          ; ecx = ecx << 4
.text:004010BE                 or      esi, ecx        ; esi = arg_0[edx] | { (arg_0[edx+1] & 0xf0) << 4 }
.text:004010C0                 add     eax, 2
.text:004010C3                 mov     [esp+18h+var_4], eax ; eax = {arg_0[edx+1] & 0x0f} + 2
.text:004010C7                 mov     ecx, 0
.text:004010CC                 js      loop
.text:004010D2
.text:004010D2 loc_4010D2:                             ; CODE XREF: decompress+110j
.text:004010D2                 lea     ebx, [ecx+esi]  ; ebx = esi + ecx
.text:004010D5                 xor     eax, eax
.text:004010D7                 and     ebx, 0FFFh
.text:004010DD                 mov     al, table[ebx]
.text:004010E3                 mov     ebx, [esp+18h+arg_C_p_len_of_decompress]
.text:004010E7                 cmp     dword ptr [ebx], 0
.text:004010EA                 jnz     short mov_value_to_arg_8
.text:004010EC                 inc     ebp             ; ebp++ dword(arg_C_u)  is 0
.text:004010ED                 jmp     short update_table
.text:004010EF ; ---------------------------------------------------------------------------
.text:004010EF
.text:004010EF mov_value_to_arg_8:                     ; CODE XREF: decompress+EAj
.text:004010EF                 mov     ebx, [esp+18h+arg_8_decompress_content]
.text:004010F3                 inc     ebp             ; ebp++
.text:004010F4                 mov     [ebx+ebp-1], al ; arg_8[ebp -1] = al
.text:004010F8                 mov     ebx, [esp+18h+arg_C_p_len_of_decompress]
.text:004010FC
.text:004010FC update_table:                           ; CODE XREF: decompress+EDj
.text:004010FC                 mov     table[edi], al
.text:00401102                 mov     eax, [esp+18h+var_4] ; = {arg_0[edx+1] & 0x0f} + 2
.text:00401106                 inc     edi
.text:00401107                 and     edi, 0FFFh
.text:0040110D                 inc     ecx             ; ecx ++
.text:0040110E                 cmp     ecx, eax
.text:00401110                 jle     short loc_4010D2 ; ebx = esi + ecx
.text:00401112                 jmp     loop
.text:00401117 ; ---------------------------------------------------------------------------
.text:00401117
.text:00401117 retn:                                   ; CODE XREF: decompress+4Aj
.text:00401117                                         ; decompress+70j ...
.text:00401117                 pop     edi
.text:00401118                 mov     [ebx], ebp
.text:0040111A                 mov     eax, ebp
.text:0040111C                 pop     esi
.text:0040111D                 pop     ebp
.text:0040111E                 pop     ebx
.text:0040111F                 add     esp, 8
.text:00401122                 retn
.text:00401122 decompress      endp

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・0

支持

最新回复 (2)
疯子雪币： 2242 活跃值： (488) 能力值： ( LV9，RANK：200 ) 在线值：发帖 9 回帖 461 粉丝 8 关注私信	疯子 4 2 楼目测为lzss static void decompress(void) { unsigned r, flags; int c, i, j, k; memset(g_ring_buffer, ' ', N - F); r = N - F; for(flags = 0; ; flags >>= 1) { /* Get a byte. For each bit of this byte: 1=copy one byte literally, from input to output 0=get two more bytes describing length and position of previously-seen data, and copy that data from the ring buffer to output / if((flags & 0x100) == 0) { c = getc(g_infile); if(c == EOF) break; / uses higher byte cleverly to count eight / flags = c \| 0xFF00; } / 1=copy one byte literally, from input to output / if(flags & 1) { c = getc(g_infile); if(c == EOF) break; putc(c, g_outfile); g_ring_buffer[r] = c; r = (r + 1) & (N - 1); } / 0=get two more bytes describing length and position of previously- seen data, and copy that data from the ring buffer to output */ else { i = getc(g_infile); if(i == EOF) break; j = getc(g_infile); if(j == EOF) break; i \|= ((j & 0xF0) << 4); j = (j & 0x0F) + THRESHOLD; for(k = 0; k <= j; k++) { c = g_ring_buffer[(i + k) & (N - 1)]; putc(c, g_outfile); g_ring_buffer[r] = c; r = (r + 1) & (N - 1); } } } } 2013-8-1 10:18 0
yuansunxue 雪币： 1024 活跃值： (240) 能力值： ( LV12，RANK：310 ) 在线值：发帖 26 回帖 267 粉丝 1 关注私信	yuansunxue 6 3 楼 lz正解 123456 2013-8-1 11:29 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)

疯子

雪币： 2242

活跃值： (488)

能力值：

( LV9，RANK：200 )

在线值：

发帖

回帖

461

粉丝

关注

私信

疯子 4: 2 楼

目测为lzss

static void decompress(void)
{
	unsigned r, flags;
	int c, i, j, k;

	memset(g_ring_buffer, ' ', N - F);
	r = N - F;
	for(flags = 0; ; flags >>= 1)
	{
/* Get a byte. For each bit of this byte:
1=copy one byte literally, from input to output
0=get two more bytes describing length and position of previously-seen
  data, and copy that data from the ring buffer to output */
		if((flags & 0x100) == 0)
		{
			c = getc(g_infile);
			if(c == EOF)
				break;
/* uses higher byte cleverly to count eight */
			flags = c | 0xFF00;
		}
/* 1=copy one byte literally, from input to output */
		if(flags & 1)
		{
			c = getc(g_infile);
			if(c == EOF)
				break;
			putc(c, g_outfile);
			g_ring_buffer[r] = c;
			r = (r + 1) & (N - 1);
		}
/* 0=get two more bytes describing length and position of previously-
seen data, and copy that data from the ring buffer to output */
		else
		{
			i = getc(g_infile);
			if(i == EOF)
				break;
			j = getc(g_infile);
			if(j == EOF)
				break;
			i |= ((j & 0xF0) << 4);
			j = (j & 0x0F) + THRESHOLD;
			for(k = 0; k <= j; k++)
			{
				c = g_ring_buffer[(i + k) & (N - 1)];
				putc(c, g_outfile);
				g_ring_buffer[r] = c;
				r = (r + 1) & (N - 1);
			}
		}
	}
}

2013-8-1 10:18