A project at my company recently needed some resource files. They sit in a resource pack produced by a program developed a long time ago, and the algorithm can no longer be found. So the only way is to reverse engineer the original encryption or compression process and then restore the files.
Since I never studied assembly and C++ in much depth, I can only understand some basic functionality. So I have come here to ask the experts for guidance!
At startup a configuration file, aConfig_txt, is loaded. This file is compressed inside a large file; the calling code is below. I believe sub_4237f0 is the decryption process, after which the contents of the configuration file can be read.
.text:004238E8 56 push esi
.text:004238E9 57 push edi
.text:004238EA FF 15 EC 81 42 00 call ds:hycore_init
.text:004238F0 E8 FB FE FF FF call sub_4237F0
.text:004238F5 68 98 96 42 00 push offset aConfig_txt ; "config.txt"
.text:004238FA FF 15 DC 81 42 00 call ds:create_instance_from_file
.text:00423900 8B 0D 68 83 42 00 mov ecx, ds:g
.text:00423906 8B 35 C8 82 42 00 mov esi, ds:get_window_handle
sub_4237F0 is the code related to reading the resource file and should be the unpacking routine. Because I am not familiar with assembly, I do not know how the decryption inside it is carried out.
.text:00423856 68 D0 8A 42 00 push offset Mode ; "rb"
.text:0042385B 68 58 96 42 00 push offset aResource_res ; "resource.res"
.text:00423860 FF 15 18 81 42 00 call ds:fopen
.text:00423866 83 C4 08 add esp, 8
.text:00423869 85 C0 test eax, eax
.text:0042386B 74 35 jz short loc_4238A2
.text:0042386D 50 push eax ; File
.text:0042386E FF 15 14 81 42 00 call ds:fclose
.text:00423874 68 58 96 42 00 push offset aResource_res ; "resource.res"
.text:00423879 6A 01 push 1
.text:0042387B 68 8F 8A 42 00 push offset unk_428A8F
.text:00423880 FF D7 call edi ; hy_files_mount
.text:00423882 8B F0 mov esi, eax
.text:00423884 83 C4 10 add esp, 10h
.text:00423887 83 FE FF cmp esi, 0FFFFFFFFh
.text:0042388A 74 16 jz short loc_4238A2
.text:0042388C 56 push esi
.text:0042388D FF 15 4C 82 42 00 call ds:hy_files_search_first
.text:00423893 68 80 96 42 00 push offset aIMHero ; "I'm hero"
.text:00423898 56 push esi
.text:00423899 FF 15 68 82 42 00 call ds:hy_files_set_password
.text:0042389F 83 C4 0C add esp, 0Ch
This is the call I consider most important, and also the decompression function. Are the loops in it the key code that unpacks the file? Does it unpack according to the "hy!by_luwangzhong" code above?
hy_files_mount
.text:10005810 public hy_files_mount
.text:10005810 hy_files_mount proc near ; CODE XREF: packfile_new+222 p
.text:10005810 ; .text:10035AEC p ...
.text:10005810
.text:10005810 arg_0 = dword ptr 4
.text:10005810 arg_4 = dword ptr 8
.text:10005810 arg_8 = dword ptr 0Ch
.text:10005810
.text:10005810 8B 15 30 9A 13 10 mov edx, dword_10139A30
.text:10005816 8B 0D 2C 9A 13 10 mov ecx, dword_10139A2C
.text:1000581C 57 push edi
.text:1000581D 33 FF xor edi, edi
.text:1000581F 85 D2 test edx, edx
.text:10005821 7E 0F jle short loc_10005832
.text:10005823 8B C1 mov eax, ecx
.text:10005825
.text:10005825 loc_10005825: ; CODE XREF: hy_files_mount+20 j
.text:10005825 83 38 00 cmp dword ptr [eax], 0
.text:10005828 74 08 jz short loc_10005832
.text:1000582A 47 inc edi
.text:1000582B 83 C0 14 add eax, 14h
.text:1000582E 3B FA cmp edi, edx
.text:10005830 7C F3 jl short loc_10005825
.text:10005832
.text:10005832 loc_10005832: ; CODE XREF: hy_files_mount+11 j
.text:10005832 ; hy_files_mount+18 j
.text:10005832 3B FA cmp edi, edx
.text:10005834 75 2D jnz short loc_10005863
.text:10005836 E8 05 FD FF FF call sub_10005540
.text:1000583B 85 C0 test eax, eax
.text:1000583D 75 1E jnz short loc_1000585D
.text:1000583F 68 84 3C 0A 10 push offset aExpandFileSyst ; "Expand file system failed!"
.text:10005844 68 FC 00 00 00 push 0FCh ; int
.text:10005849 68 20 3C 0A 10 push offset a_SrcHycoreBaseFi ;
.text:1000584E 6A 02 push 2 ; int
.text:10005850 E8 5B F6 FF FF call hy_dbg_output
.text:10005855 83 C4 10 add esp, 10h
.text:10005858 83 C8 FF or eax, 0FFFFFFFFh
.text:1000585B 5F pop edi
.text:1000585C C3 retn
.text:1000585D ; ---------------------------------------------------------------------------
.text:1000585D
.text:1000585D loc_1000585D: ; CODE XREF: hy_files_mount+2D j
.text:1000585D 8B 0D 2C 9A 13 10 mov ecx, dword_10139A2C
.text:10005863
.text:10005863 loc_10005863: ; CODE XREF: hy_files_mount+24 j
.text:10005863 8B 44 24 0C mov eax, [esp+4+arg_4]
.text:10005867 56 push esi ; char
.text:10005868 8D 34 BF lea esi, [edi+edi*4]
.text:1000586B 03 F6 add esi, esi
.text:1000586D 03 F6 add esi, esi
.text:1000586F 89 44 0E 04 mov [esi+ecx+4], eax
.text:10005873 85 C0 test eax, eax
.text:10005875 75 0A jnz short loc_10005881
.text:10005877 C7 44 0E 10 3C 51 13 10 mov dword ptr [esi+ecx+10h], offset off_1013513C
.text:1000587F EB 1C jmp short loc_1000589D
.text:10005881 ; ---------------------------------------------------------------------------
.text:10005881
.text:10005881 loc_10005881: ; CODE XREF: hy_files_mount+65 j
.text:10005881 83 F8 01 cmp eax, 1
.text:10005884 75 0A jnz short loc_10005890
.text:10005886 C7 44 0E 10 54 51 13 10 mov dword ptr [esi+ecx+10h], offset off_10135154
.text:1000588E EB 0D jmp short loc_1000589D
.text:10005890 ; ---------------------------------------------------------------------------
.text:10005890
.text:10005890 loc_10005890: ; CODE XREF: hy_files_mount+74 j
.text:10005890 83 F8 02 cmp eax, 2
.text:10005893 75 57 jnz short loc_100058EC
.text:10005895 C7 44 0E 10 48 51 13 10 mov dword ptr [esi+ecx+10h], offset off_10135148
.text:1000589D
.text:1000589D loc_1000589D: ; CODE XREF: hy_files_mount+6F j
.text:1000589D ; hy_files_mount+7E j
.text:1000589D 8B 44 24 0C mov eax, [esp+8+arg_0]
.text:100058A1 53 push ebx
.text:100058A2 50 push eax
.text:100058A3 C7 04 0E 01 00 00 00 mov dword ptr [esi+ecx], 1
.text:100058AA 8D 1C 0E lea ebx, [esi+ecx]
.text:100058AD E8 2E 18 00 00 call hy_make_str
.text:100058B2 8B 4B 10 mov ecx, [ebx+10h]
.text:100058B5 8B 54 24 1C mov edx, [esp+10h+arg_8]
.text:100058B9 89 43 08 mov [ebx+8], eax
.text:100058BC 8B 01 mov eax, [ecx]
.text:100058BE 52 push edx
.text:100058BF FF D0 call eax
.text:100058C1 8B 0D 2C 9A 13 10 mov ecx, dword_10139A2C
.text:100058C7 83 C4 08 add esp, 8
.text:100058CA 89 44 0E 0C mov [esi+ecx+0Ch], eax
.text:100058CE 5B pop ebx
.text:100058CF 85 C0 test eax, eax
.text:100058D1 75 1F jnz short loc_100058F2
.text:100058D3 68 64 3C 0A 10 push offset aFileSystemNode ; "File system node_new failed!"
.text:100058D8 68 0C 01 00 00 push 10Ch ; int
.text:100058DD 68 20 3C 0A 10 push offset a_SrcHycoreBaseFi ;
.text:100058E2 6A 02 push 2 ; int
.text:100058E4 E8 C7 F5 FF FF call hy_dbg_output
.text:100058E9 83 C4 10 add esp, 10h
.text:100058EC
.text:100058EC loc_100058EC: ; CODE XREF: hy_files_mount+83 j
.text:100058EC 5E pop esi
.text:100058ED 83 C8 FF or eax, 0FFFFFFFFh
.text:100058F0 5F pop edi
.text:100058F1 C3 retn
.text:100058F2 ; ---------------------------------------------------------------------------
.text:100058F2
.text:100058F2 loc_100058F2: ; CODE XREF: hy_files_mount+C1 j
.text:100058F2 5E pop esi
.text:100058F3 8B C7 mov eax, edi
.text:100058F5 5F pop edi
.text:100058F6 C3 retn
.text:100058F6 hy_files_mount endp
.text:100058F6
.text:100058F6 ; ---------------------------------------------------------------------------
And is the function hy_files_search_first checking some flag bit?
hy_files_search_first
.text:10005930 public hy_files_search_first
.text:10005930 hy_files_search_first proc near ; DATA XREF: .rdata:off_101286F8 o
.text:10005930
.text:10005930 arg_0 = dword ptr 4
.text:10005930
.text:10005930 8B 44 24 04 mov eax, [esp+arg_0]
.text:10005934 85 C0 test eax, eax
.text:10005936 7C 1C jl short loc_10005954
.text:10005938 3B 05 30 9A 13 10 cmp eax, dword_10139A30
.text:1000593E 7D 14 jge short loc_10005954
.text:10005940 8B 15 2C 9A 13 10 mov edx, dword_10139A2C
.text:10005946 8D 0C 80 lea ecx, [eax+eax*4]
.text:10005949 83 3C 8A 00 cmp dword ptr [edx+ecx*4], 0
.text:1000594D 74 05 jz short loc_10005954
.text:1000594F A3 68 51 13 10 mov dword_10135168, eax
.text:10005954
.text:10005954 loc_10005954: ; CODE XREF: hy_files_search_first+6 j
.text:10005954 ; hy_files_search_first+E j ...
.text:10005954 83 F8 FF cmp eax, 0FFFFFFFFh
.text:10005957 75 05 jnz short locret_1000595E
.text:10005959 A3 68 51 13 10 mov dword_10135168, eax
.text:1000595E
.text:1000595E locret_1000595E: ; CODE XREF: hy_files_search_first+27 j
.text:1000595E C3 retn
.text:1000595E hy_files_search_first endp
Related attachment: the encrypted file [attachment link omitted]. Uploading attachments to Kanxue has been throwing errors lately.

The above is where I believe the key code for unpacking lies, but I could not work out from the assembly how it is compressed or encrypted. I hope an expert can offer some guidance; thanks in advance.
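To make the two listings easier to read, here is a C reconstruction of hy_files_mount and hy_files_search_first derived from the disassembly above. This is an added illustration, not the program's own source: the struct field names, the contents of the per-type operation tables and the stub functions marked "assumed" are my guesses, and the table-growing call sub_10005540 is replaced by a plain failure. What the listing does show is that neither function touches file contents: hy_files_mount finds a free 0x14-byte slot, picks an operation table by type and calls its node_new, and hy_files_search_first only selects an occupied slot as the current mount, so the password passed to hy_files_set_password is not consumed here.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Per-type operation table: the listing loads [ebx+10h] then calls [ecx],
 * i.e. the first entry of the table is node_new(arg_8). Layout assumed. */
typedef struct { void *(*node_new)(int param); } fs_ops;

/* One 0x14-byte slot of the mount table at dword_10139A2C (field names assumed). */
typedef struct {
    int in_use;          /* +0x00: set to 1 on mount; 0 marks a free slot       */
    int type;            /* +0x04: arg_4 (0, 1 or 2)                            */
    char *name;          /* +0x08: hy_make_str(arg_0)                           */
    void *node;          /* +0x0C: ops->node_new(arg_8)                         */
    const fs_ops *ops;   /* +0x10: off_1013513C / off_10135154 / off_10135148   */
} mount_entry;

static void *stub_node_new(int param) { return param ? malloc(1) : NULL; } /* assumed */
static const fs_ops ops_t0 = { stub_node_new }, ops_t1 = { stub_node_new },
                    ops_t2 = { stub_node_new };
static char *hy_make_str(const char *s) {       /* assumed: heap copy of the name */
    size_t n = strlen(s) + 1; char *p = malloc(n); return p ? memcpy(p, s, n) : NULL;
}
static mount_entry g_mounts[4];   /* dword_10139A2C; constructed, fixed size here */
static int g_mount_count = 4;     /* dword_10139A30 */
int g_current_mount = -1;         /* dword_10135168 */

int hy_files_mount(const char *path, int type, int param) {
    int i = 0;                                     /* edi: index of the first free slot */
    while (i < g_mount_count && g_mounts[i].in_use) i++;
    if (i == g_mount_count) return -1;             /* full: listing calls sub_10005540 to grow, omitted */
    mount_entry *e = &g_mounts[i];
    e->type = type;
    if (type == 0) e->ops = &ops_t0;
    else if (type == 1) e->ops = &ops_t1;
    else if (type == 2) e->ops = &ops_t2;
    else return -1;                                /* loc_100058EC: unknown type */
    e->in_use = 1;
    e->name = hy_make_str(path);
    e->node = e->ops->node_new(param);             /* indirect call through the ops table */
    if (!e->node) return -1;                       /* "File system node_new failed!"; slot stays marked in use */
    return i;                                      /* the mount handle is the slot index */
}

int hy_files_search_first(int handle) {
    if (handle >= 0 && handle < g_mount_count && g_mounts[handle].in_use)
        g_current_mount = handle;                  /* only a valid, occupied slot is selected */
    if (handle == -1) g_current_mount = -1;        /* -1 clears the selection */
    return handle;                                 /* eax is returned unchanged */
}
```

Note that on a node_new failure the listing leaves in_use set to 1, so a later hy_files_search_first will still accept that dead slot; the reconstruction keeps that behaviour.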