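【Article Title】 Unpacking + modified MD5 + BlowFish + Base64: analysis of a "twisted" registration algorithm, plus an assembly keygen
【Author】 snake
【Software】 Happy Home 个人财务助理 (Personal Finance Assistant) 1.6.4.907
【Download URL】 http://yncnc.onlinedown.net/soft/18490.htm
【Description】 Are you tired of personal finance software that is either huge and complicated or simple but limited? If you want a change of approach and are looking for software that is easy to use yet practical, powerful yet uncomplicated, that software is "Happy Home 个人财务助理".
【Packer】 tElock 0.98b1 -> tE! + ASPack 2.12 -> Alexey Solodovnikov
【Debugging Environment】 Win2000, PEiD, Ollydbg
【Author's Note】 Written purely out of interest, with no other purpose. Corrections from more experienced readers are welcome!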
----------------------------------------------------------------------------------------------------
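【Algorithm Summary】
Because this program's registration algorithm is rather twisted, I first outline the algorithm and the verification process, to make the detailed analysis below easier to follow.
I do not know these cryptographic algorithms well; if the analysis is wrong anywhere, corrections are welcome, and thanks in advance.
Algorithms used by the program:
1. MD5, with its constants and padding data all changed: hashes the input string to 16 bytes.
2. An unidentified hash: hashes the 16 bytes into 128 bytes and takes the first 16 bytes as the result.
3. BlowFish: uses the result above as the key to encrypt a string; the output length is a multiple of 8 bytes, depending on the length of the string.
4. Base64: converts the encrypted result into printable characters.
Procedure, using the username snake as the example:
1. Hash the constant string "R+Oc45UI16uU1J3sJdkaA1Ki7u" with MD5 + the unidentified hash; the result is
6B 74 44 E6 00 F9 4C 1F B2 3D 67 54 AA 96 0F FC
2. With that result as the key, BlowFish-encrypt the constant string "ptqGFrU6/rnz3LFQkLwIiJBsQJfTvbj"; 32 bytes of the result are taken:
EB 4E B0 45 7D 57 4B B8 B4 48 AF 78 08 69 58 DF F0 76 B6 4B 52 6F 5C FD CA 70 A7 56 4D 47 74 89
3. Base64-encode that result, giving "606wRX1XS7i0SK94CGlY3/B2tktSb1z9ynCnVk1HdIk="
4. Hash that string again with MD5 + the unidentified hash; the result is
2B 29 1A AF F6 1D 1C C8 ED 94 4A 6F A4 5D DE 7D
5. Take the ASCII value of the first character of the username snake, 73h, and set count=73h+1, i.e. 116 decimal, as the loop counter
6. With the hash from the previous step as the key, encrypt the username snake with BlowFish+Base64
7. Save the encrypted result
8. Hash the string from the previous step with MD5 + the unidentified hash; this becomes the key for the next encryption
9. Decrement count
10. Test count: if it is not 0, continue from step 6; if it is 0 the loop ends, after 116 rounds of encryption in total -_-!!!
The string saved by step 7 in the last iteration is "YZE/4KpicY8="; converted to upper case, "YZE/4KPICY8=", it is the final result
Verification process:
The registration code has the form ****-****-****-****-*****, 25 characters in total
First take characters 5, 10, 15 and 20 of the registration code and check that each is "-"
Then take characters 2, 7, 9, 14, 17, 19, 21 and 25 of the registration code and compare them with the first 8 characters of the final result "YZE/4KPICY8="
If all of them match, verification passes; otherwise it fails. The other characters of the registration code can be anything
Finally done with the analysis, coughing up blood...... The program uses such a twisted algorithm and then ends with a plaintext comparison. I, I, I am speechless; coughing up more blood......
Here is one set of valid details, verified on my machine
Username: snake
Registration code: XY59-FZNE-ZDH/-T41K-PFJNI, BYJN-VZDE-PTX/-94FK-PVZDI, WYEI-QZYE-+CG/-S4AK-PQUYI
Finally, the algorithm part of the assembly keygen is attached. Because I do not understand the algorithms well, and the standard algorithms have all been modified, for convenience I resorted to an even more twisted method:
lifting the program's disassembly directly and writing the code while analyzing it. The variable definitions are therefore rather messy and the code is untidy and long-winded; please bear with it
That is the program's overall algorithm and verification process. Now follow me into the analysis of this twisted algorithm for a twisted tour ^_^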
---------------------------------------------------------------------------------------------------
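【Cracking Process】
I. Unpacking the program
PEiD identifies the packer as tElock 0.98b1 -> tE!
Load the main program in Ollydbg, set the breakpoint bp GetProcAddress, and run with Shift+F9; the program breaks
77E80C5F k> 55 push ebp ; breaks here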
77E80C60 8BEC mov ebp,esp
77E80C62 51 push ecx
77E80C63 51 push ecx
77E80C64 53 push ebx
77E80C65 57 push edi
77E80C66 8B7D 0C mov edi,dword ptr ss:[ebp+C]
77E80C69 BB FFFF0000 mov ebx,0FFFF
77E80C6E 3BFB cmp edi,ebx
......
Press F2 to clear the breakpoint and Alt+F9 to return; we arrive at the code that processes the import table
008D156D 53 push ebx
008D156E FFB5 4AD34000 push dword ptr ss:[ebp+40D34A]
008D1574 FF95 E0BA4000 call dword ptr ss:[ebp+40BAE0]
008D157A 40 inc eax ; returns here
008D157B 48 dec eax
008D157C 75 33 jnz short LL.008D15B1
Single-step with F8 to reach the code below
008D138A 8B95 62D34000 mov edx,dword ptr ss:[ebp+40D362] ; LL.00400000
008D1390 8B06 mov eax,dword ptr ds:[esi]
008D1392 85C0 test eax,eax
008D1394 75 0B jnz short LL.008D13A1
008D1396 8B46 10 mov eax,dword ptr ds:[esi+10]
008D1399 85C0 test eax,eax
008D139B ^ 0F84 46FFFFFF je LL.008D12E7
008D13A1 03C2 add eax,edx
008D13A3 0385 4ED34000 add eax,dword ptr ss:[ebp+40D34E]
008D13A9 8B18 mov ebx,dword ptr ds:[eax]
008D13AB F7C3 00000080 test ebx,80000000
008D13B1 74 06 je short LL.008D13B9
008D13B3 8120 00000080 and dword ptr ds:[eax],80000000
008D13B9 8B7E 10 mov edi,dword ptr ds:[esi+10]
008D13BC 03FA add edi,edx
008D13BE 80A5 D6CC4000 FF and byte ptr ss:[ebp+40CCD6],0FF
008D13C5 0F84 30010000 je LL.008D14FB
008D13CB 80A5 D7CC4000 FF and byte ptr ss:[ebp+40CCD7],0FF
008D13D2 /0F84 23010000 je LL.008D14FB ; ★ change je to jmp to get the complete import table
008D13D8 89BD 5AD44000 mov dword ptr ss:[ebp+40D45A],edi
008D13DE 8B85 52D44000 mov eax,dword ptr ss:[ebp+40D452]
008D13E4 40 inc eax
008D13E5 0F84 10010000 je LL.008D14FB
008D13EB 48 dec eax
008D13EC 0F85 B2000000 jnz LL.008D14A4
008D13F2 60 pushad
Press Alt+M to view the memory map, set a memory-access breakpoint on the 401000 section, and run with Shift+F9
00813757 53 push ebx
00813758 BE F8FFFFFF mov esi,-8
0081375D 8B02 mov eax,dword ptr ds:[edx]
0081375F 8A18 mov bl,byte ptr ds:[eax] ; breaks here
00813761 40 inc eax
00813762 885C24 0C mov byte ptr ss:[esp+C],bl
00813766 8902 mov dword ptr ds:[edx],eax
00813768 8B42 08 mov eax,dword ptr ds:[edx+8]
0081376B 8B7C24 0C mov edi,dword ptr ss:[esp+C]
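Looking around, this does not look like the program's OEP. Could there be another packer layer? Never mind; having come this far, keep unpacking.
Clear the memory-access breakpoint and set the breakpoint bp GetProcAddress again
Run with Shift+F9; the program breaks. Press F2 to clear the breakpoint and Alt+F9 to return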
008132F5 53 push ebx
008132F6 FFB5 45050000 push dword ptr ss:[ebp+545]
008132FC FF95 490F0000 call dword ptr ss:[ebp+F49]
00813302 85C0 test eax,eax ; returns here
00813304 5B pop ebx
00813305 75 6F jnz short LL.00813376
00813307 F7C3 00000080 test ebx,80000000
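Press Alt+M to view the memory map, set a memory-access breakpoint on the 401000 section again, and run with Shift+F9
004017EC /EB 10 jmp short LL.004017FE ; breaks here, at the program's OEP ^_^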
004017EE |66:623A bound di,dword ptr ds:[edx]
004017F1 |43 inc ebx
004017F2 |2B2B sub ebp,dword ptr ds:[ebx]
004017F4 |48 dec eax
004017F5 |4F dec edi
004017F6 |4F dec edi
004017F7 |4B dec ebx
004017F8 |90 nop
004017F9 -|E9 98F06700 jmp 00A80896
004017FE \A1 8BF06700 mov eax,dword ptr ds:[67F08B]
00401803 C1E0 02 shl eax,2
00401806 A3 8FF06700 mov dword ptr ds:[67F08F],eax
0040180B 52 push edx
0040180C 6A 00 push 0
0040180E E8 15C92700 call LL.0067E128 ; jmp to kernel32.GetModuleHandleA
00401813 8BD0 mov edx,eax
00401815 E8 C2CD2500 call LL.0065E5DC
0040181A 5A pop edx
Dump at the program's OEP with OllyDump, the plugin bundled with Ollydbg; the unpacked program runs.
---------------------------------------------------------------------------------------------------
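II. Algorithm analysis
Run the program and enter the registration details
Username: snake
Registration code: 1234-5678-9876-5432-12345
After registering, the program displays: 谢谢您的注册,请重新启动软件以完成注册校验! (thank you for registering; restart the program to complete registration verification)
Load the unpacked program in Ollydbg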
00404BA4 . 84C9 test cl,cl
00404BA6 . 74 0D je short xx.00404BB5
00404BA8 . 8B06 mov eax,dword ptr ds:[esi]
00404BAA . 64:A3 000000>mov dword ptr fs:[0],eax
00404BB0 . E9 A40B0000 jmp xx.00405759
00404BB5 > 8D83 1006000>lea eax,dword ptr ds:[ebx+610] ; fetch the registration code
00404BBB . 8338 00 cmp dword ptr ds:[eax],0 ; is it empty?
00404BBE . 74 07 je short xx.00404BC7
00404BC0 . 8B10 mov edx,dword ptr ds:[eax]
00404BC2 . 8B4A FC mov ecx,dword ptr ds:[edx-4] ; length of the registration code
00404BC5 . EB 02 jmp short xx.00404BC9
00404BC7 > 33C9 xor ecx,ecx
00404BC9 > 83F9 19 cmp ecx,19 ; is it 25 characters?
00404BCC . 7C 1D jl short xx.00404BEB
00404BCE . 8D83 1006000>lea eax,dword ptr ds:[ebx+610]
00404BD4 . 8338 00 cmp dword ptr ds:[eax],0
00404BD7 . 74 07 je short xx.00404BE0
00404BD9 . 8B10 mov edx,dword ptr ds:[eax]
00404BDB . 8B42 FC mov eax,dword ptr ds:[edx-4]
00404BDE . EB 02 jmp short xx.00404BE2
00404BE0 > 33C0 xor eax,eax
00404BE2 > 83F8 19 cmp eax,19
00404BE5 . 0F8E 3C01000>jle xx.00404D27
00404BEB > 66:C746 10 2>mov word ptr ds:[esi+10],2C
......(code omitted)
00404D2D . 6A 05 push 5 ; /Arg2 = 00000005
00404D2F . 57 push edi ; |Arg1
00404D30 . E8 87472600 call xx.006694BC ; \xx.006694BC
00404D35 . 83C4 08 add esp,8
00404D38 . 8BC7 mov eax,edi
00404D3A . E8 954B2600 call xx.006698D4
00404D3F . 8B17 mov edx,dword ptr ds:[edi]
00404D41 . 83C2 04 add edx,4
00404D44 . 0FBE0A movsx ecx,byte ptr ds:[edx] ; take character 5 of the registration code
00404D47 . 83F9 2D cmp ecx,2D ; is it '-'?
00404D4A . 75 73 jnz short xx.00404DBF
00404D4C . 8DBB 10060000 lea edi,dword ptr ds:[ebx+610]
00404D52 . 6A 0A push 0A ; /Arg2 = 0000000A
00404D54 . 57 push edi ; |Arg1
00404D55 . E8 62472600 call xx.006694BC ; \xx.006694BC
00404D5A . 83C4 08 add esp,8
00404D5D . 8BC7 mov eax,edi
00404D5F . E8 704B2600 call xx.006698D4
00404D64 . 8B17 mov edx,dword ptr ds:[edi]
00404D66 . 83C2 09 add edx,9
00404D69 . 0FBE0A movsx ecx,byte ptr ds:[edx] ; take character 10 of the registration code
00404D6C . 83F9 2D cmp ecx,2D ; is it '-'?
00404D6F . 75 4E jnz short xx.00404DBF
00404D71 . 8DBB 10060000 lea edi,dword ptr ds:[ebx+610]
00404D77 . 6A 0F push 0F ; /Arg2 = 0000000F
00404D79 . 57 push edi ; |Arg1
00404D7A . E8 3D472600 call xx.006694BC ; \xx.006694BC
00404D7F . 83C4 08 add esp,8
00404D82 . 8BC7 mov eax,edi
00404D84 . E8 4B4B2600 call xx.006698D4
00404D89 . 8B17 mov edx,dword ptr ds:[edi]
00404D8B . 83C2 0E add edx,0E
00404D8E . 0FBE0A movsx ecx,byte ptr ds:[edx] ; take character 15 of the registration code
00404D91 . 83F9 2D cmp ecx,2D ; is it '-'?
00404D94 . 75 29 jnz short xx.00404DBF
00404D96 . 8DBB 10060000 lea edi,dword ptr ds:[ebx+610]
00404D9C . 6A 14 push 14 ; /Arg2 = 00000014
00404D9E . 57 push edi ; |Arg1
00404D9F . E8 18472600 call xx.006694BC ; \xx.006694BC
00404DA4 . 83C4 08 add esp,8
00404DA7 . 8BC7 mov eax,edi
00404DA9 . E8 264B2600 call xx.006698D4
00404DAE . 8B17 mov edx,dword ptr ds:[edi]
00404DB0 . 83C2 13 add edx,13
00404DB3 . 0FBE0A movsx ecx,byte ptr ds:[edx] ; take character 20 of the registration code
00404DB6 . 83F9 2D cmp ecx,2D ; is it '-'?
00404DB9 . 0F84 37010000 je xx.00404EF6
......(code omitted)
00404F18 . 83C4 08 add esp,8
00404F1B . 8BC7 mov eax,edi
00404F1D . E8 B2492600 call xx.006698D4
00404F22 . 8B17 mov edx,dword ptr ds:[edi] ; fetch the username snake
00404F24 . 0FBE0A movsx ecx,byte ptr ds:[edx] ; ASCII value of the username's first character
00404F27 . 898D 44FFFFFF mov dword ptr ss:[ebp-BC],ecx ; [12f9a0]=73h, used as the loop bound in the algorithm below
00404F2D . 83BD 44FFFFFF>cmp dword ptr ss:[ebp-BC],0
00404F34 . 7F 08 jg short xx.00404F3E
00404F36 . 33C0 xor eax,eax
00404F38 . 8985 44FFFFFF mov dword ptr ss:[ebp-BC],eax
00404F3E > 8B93 00060000 mov edx,dword ptr ds:[ebx+600] ; constant string "R+Oc45UI16uU1J3sJdkaA1Ki7u"
00404F44 . 8B83 70050000 mov eax,dword ptr ds:[ebx+570]
00404F4A . 8B08 mov ecx,dword ptr ds:[eax]
00404F4C . FF51 4C call dword ptr ds:[ecx+4C] ; modified MD5 + unidentified hash call, hashes the string above
00404F4F . 66:C746 10 B0>mov word ptr ds:[esi+10],0B0 ; the result is the 16 bytes 6B 74 44 E6 00 F9 4C 1F B2 3D 67 54 AA 96 0F FC
00404F55 . 33D2 xor edx,edx
00404F57 . 8955 C0 mov dword ptr ss:[ebp-40],edx
00404F5A . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00404F5D . FF46 1C inc dword ptr ds:[esi+1C]
00404F60 . 8B93 04060000 mov edx,dword ptr ds:[ebx+604]
00404F66 . 8B83 70050000 mov eax,dword ptr ds:[ebx+570] ; constant string "ptqGFrU6/rnz3LFQkLwIiJBsQJfTvbj"
00404F6C . 8B38 mov edi,dword ptr ds:[eax]
00404F6E . FF57 44 call dword ptr ds:[edi+44] ; BlowFish+Base64 call, encrypts the constant string with the result above as the key
00404F71 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00404F74 . 8D83 08060000 lea eax,dword ptr ds:[ebx+608]
00404F7A . E8 8D472600 call xx.0066970C
00404F7F . FF4E 1C dec dword ptr ds:[esi+1C]
00404F82 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00404F85 . BA 02000000 mov edx,2
00404F8A . E8 4D472600 call xx.006696DC
00404F8F . 8B93 08060000 mov edx,dword ptr ds:[ebx+608] ; the encrypted string "606wRX1XS7i0SK94CGlY3/B2tktSb1z9ynCnVk1HdIk="
00404F95 . 8B83 70050000 mov eax,dword ptr ds:[ebx+570]
00404F9B . 8B08 mov ecx,dword ptr ds:[eax]
00404F9D . FF51 4C call dword ptr ds:[ecx+4C] ; modified MD5 + unidentified hash call, hashes the string above
00404FA0 . 33C0 xor eax,eax
00404FA2 . 8985 40FFFFFF mov dword ptr ss:[ebp-C0],eax ; [12f99c] is the counter
00404FA8 . 66:C746 10 A4>mov word ptr ds:[esi+10],0A4
00404FAE . 8B95 40FFFFFF mov edx,dword ptr ss:[ebp-C0]
00404FB4 . 3B95 44FFFFFF cmp edx,dword ptr ss:[ebp-BC]
00404FBA . 7F 5F jg short xx.0040501B
00404FBC > 66:C746 10 BC>mov word ptr ds:[esi+10],0BC ; loop body
00404FC2 . 33C9 xor ecx,ecx
00404FC4 . 894D BC mov dword ptr ss:[ebp-44],ecx
00404FC7 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00404FCA . FF46 1C inc dword ptr ds:[esi+1C]
00404FCD . 8B93 0C060000 mov edx,dword ptr ds:[ebx+60C] ; username snake
00404FD3 . 8B83 70050000 mov eax,dword ptr ds:[ebx+570]
00404FD9 . 8B38 mov edi,dword ptr ds:[eax]
00404FDB . FF57 44 call dword ptr ds:[edi+44] ; BlowFish+Base64 call, encrypts the username with the previous result as the key
00404FDE . 8D55 BC lea edx,dword ptr ss:[ebp-44]
00404FE1 . 8D45 FC lea eax,dword ptr ss:[ebp-4]
00404FE4 . E8 23472600 call xx.0066970C
00404FE9 . FF4E 1C dec dword ptr ds:[esi+1C]
00404FEC . 8D45 BC lea eax,dword ptr ss:[ebp-44]
00404FEF . BA 02000000 mov edx,2
00404FF4 . E8 E3462600 call xx.006696DC
00404FF9 . 8B55 FC mov edx,dword ptr ss:[ebp-4] ; the encrypted string from this iteration
00404FFC . 8B83 70050000 mov eax,dword ptr ds:[ebx+570]
00405002 . 8B08 mov ecx,dword ptr ds:[eax]
00405004 . FF51 4C call dword ptr ds:[ecx+4C] ; modified MD5 + unidentified hash call, hashes the string above
00405007 . FF85 40FFFFFF inc dword ptr ss:[ebp-C0]
0040500D . 8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
00405013 . 3B85 44FFFFFF cmp eax,dword ptr ss:[ebp-BC] ; compare with 73h
00405019 .^ 7E A1 jle short xx.00404FBC ; loop
0040501B > 66:C746 10 C8>mov word ptr ds:[esi+10],0C8
00405021 . 8DBB 10060000 lea edi,dword ptr ds:[ebx+610]
00405027 . 89BD 38FFFFFF mov dword ptr ss:[ebp-C8],edi
0040502D . 6A 07 push 7 ; /Arg2 = 00000007
0040502F . 8B85 38FFFFFF mov eax,dword ptr ss:[ebp-C8] ; |
00405035 . 50 push eax ; |Arg1
00405036 . E8 81442600 call xx.006694BC ; \xx.006694BC
0040503B . 83C4 08 add esp,8
0040503E . 8B85 38FFFFFF mov eax,dword ptr ss:[ebp-C8]
00405044 . E8 8B482600 call xx.006698D4
00405049 . 8B95 38FFFFFF mov edx,dword ptr ss:[ebp-C8]
0040504F . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
00405052 . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
00405054 . 83C1 06 add ecx,6 ; take character 7
00405057 . 8A11 mov dl,byte ptr ds:[ecx]
00405059 . E8 EE452600 call xx.0066964C
0040505E . 50 push eax
0040505F . FF46 1C inc dword ptr ds:[esi+1C]
00405062 . 89BD 3CFFFFFF mov dword ptr ss:[ebp-C4],edi
00405068 . 6A 02 push 2 ; /Arg2 = 00000002
0040506A . 8B8D 3CFFFFFF mov ecx,dword ptr ss:[ebp-C4] ; |
00405070 . 51 push ecx ; |Arg1
00405071 . E8 46442600 call xx.006694BC ; \xx.006694BC
00405076 . 83C4 08 add esp,8
00405079 . 8B85 3CFFFFFF mov eax,dword ptr ss:[ebp-C4]
0040507F . E8 50482600 call xx.006698D4
00405084 . 8B95 3CFFFFFF mov edx,dword ptr ss:[ebp-C4]
0040508A . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040508D . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
0040508F . 41 inc ecx ; take character 2
00405090 . 8A11 mov dl,byte ptr ds:[ecx]
00405092 . E8 B5452600 call xx.0066964C
00405097 . FF46 1C inc dword ptr ds:[esi+1C]
0040509A . 33C9 xor ecx,ecx
0040509C . 894D B0 mov dword ptr ss:[ebp-50],ecx
0040509F . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
004050A2 . FF46 1C inc dword ptr ds:[esi+1C]
004050A5 . 5A pop edx
004050A6 . E8 89462600 call xx.00669734
004050AB . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
004050AE . 50 push eax
004050AF . 89BD 34FFFFFF mov dword ptr ss:[ebp-CC],edi
004050B5 . 6A 09 push 9 ; /Arg2 = 00000009
004050B7 . 8B85 34FFFFFF mov eax,dword ptr ss:[ebp-CC] ; |
004050BD . 50 push eax ; |Arg1
004050BE . E8 F9432600 call xx.006694BC ; \xx.006694BC
004050C3 . 83C4 08 add esp,8
004050C6 . 8B85 34FFFFFF mov eax,dword ptr ss:[ebp-CC]
004050CC . E8 03482600 call xx.006698D4
004050D1 . 8B95 34FFFFFF mov edx,dword ptr ss:[ebp-CC]
004050D7 . 8D45 AC lea eax,dword ptr ss:[ebp-54]
004050DA . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
004050DC . 83C1 08 add ecx,8 ; take character 9
004050DF . 8A11 mov dl,byte ptr ds:[ecx]
004050E1 . E8 66452600 call xx.0066964C
004050E6 . 8BD0 mov edx,eax
004050E8 . FF46 1C inc dword ptr ds:[esi+1C]
004050EB . 33C0 xor eax,eax
004050ED . 8945 A8 mov dword ptr ss:[ebp-58],eax
004050F0 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004050F3 . FF46 1C inc dword ptr ds:[esi+1C]
004050F6 . 58 pop eax
004050F7 . E8 38462600 call xx.00669734
004050FC . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
004050FF . 52 push edx
00405100 . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
00405106 . 6A 0E push 0E ; /Arg2 = 0000000E
00405108 . 8B8D 30FFFFFF mov ecx,dword ptr ss:[ebp-D0] ; |
0040510E . 51 push ecx ; |Arg1
0040510F . E8 A8432600 call xx.006694BC ; \xx.006694BC
00405114 . 83C4 08 add esp,8
00405117 . 8B85 30FFFFFF mov eax,dword ptr ss:[ebp-D0]
0040511D . E8 B2472600 call xx.006698D4
00405122 . 8B95 30FFFFFF mov edx,dword ptr ss:[ebp-D0]
00405128 . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0040512B . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
0040512D . 83C1 0D add ecx,0D ; take character 14
00405130 . 8A11 mov dl,byte ptr ds:[ecx]
00405132 . E8 15452600 call xx.0066964C
00405137 . 8BD0 mov edx,eax
00405139 . FF46 1C inc dword ptr ds:[esi+1C]
0040513C . 33C0 xor eax,eax
0040513E . 8945 A0 mov dword ptr ss:[ebp-60],eax
00405141 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00405144 . FF46 1C inc dword ptr ds:[esi+1C]
00405147 . 58 pop eax
00405148 . E8 E7452600 call xx.00669734
0040514D . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00405150 . 52 push edx
00405151 . 89BD 2CFFFFFF mov dword ptr ss:[ebp-D4],edi
00405157 . 6A 11 push 11 ; /Arg2 = 00000011
00405159 . 8B8D 2CFFFFFF mov ecx,dword ptr ss:[ebp-D4] ; |
0040515F . 51 push ecx ; |Arg1
00405160 . E8 57432600 call xx.006694BC ; \xx.006694BC
00405165 . 83C4 08 add esp,8
00405168 . 8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-D4]
0040516E . E8 61472600 call xx.006698D4
00405173 . 8B95 2CFFFFFF mov edx,dword ptr ss:[ebp-D4]
00405179 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
0040517C . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
0040517E . 83C1 10 add ecx,10 ; take character 17
00405181 . 8A11 mov dl,byte ptr ds:[ecx]
00405183 . E8 C4442600 call xx.0066964C
00405188 . 8BD0 mov edx,eax
0040518A . FF46 1C inc dword ptr ds:[esi+1C]
0040518D . 33C0 xor eax,eax
0040518F . 8945 98 mov dword ptr ss:[ebp-68],eax
00405192 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00405195 . FF46 1C inc dword ptr ds:[esi+1C]
00405198 . 58 pop eax
00405199 . E8 96452600 call xx.00669734
0040519E . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004051A1 . 52 push edx
004051A2 . 89BD 28FFFFFF mov dword ptr ss:[ebp-D8],edi
004051A8 . 6A 13 push 13 ; /Arg2 = 00000013
004051AA . 8B8D 28FFFFFF mov ecx,dword ptr ss:[ebp-D8] ; |
004051B0 . 51 push ecx ; |Arg1
004051B1 . E8 06432600 call xx.006694BC ; \xx.006694BC
004051B6 . 83C4 08 add esp,8
004051B9 . 8B85 28FFFFFF mov eax,dword ptr ss:[ebp-D8]
004051BF . E8 10472600 call xx.006698D4
004051C4 . 8B95 28FFFFFF mov edx,dword ptr ss:[ebp-D8]
004051CA . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
004051CD . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
004051CF . 83C1 12 add ecx,12 ; take character 19
004051D2 . 8A11 mov dl,byte ptr ds:[ecx]
004051D4 . E8 73442600 call xx.0066964C
004051D9 . 8BD0 mov edx,eax
004051DB . FF46 1C inc dword ptr ds:[esi+1C]
004051DE . 33C0 xor eax,eax
004051E0 . 8945 90 mov dword ptr ss:[ebp-70],eax
004051E3 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
004051E6 . FF46 1C inc dword ptr ds:[esi+1C]
004051E9 . 58 pop eax
004051EA . E8 45452600 call xx.00669734
004051EF . 8D55 90 lea edx,dword ptr ss:[ebp-70]
004051F2 . 52 push edx
004051F3 . 89BD 24FFFFFF mov dword ptr ss:[ebp-DC],edi
004051F9 . 6A 15 push 15 ; /Arg2 = 00000015
004051FB . 8B8D 24FFFFFF mov ecx,dword ptr ss:[ebp-DC] ; |
00405201 . 51 push ecx ; |Arg1
00405202 . E8 B5422600 call xx.006694BC ; \xx.006694BC
00405207 . 83C4 08 add esp,8
0040520A . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-DC]
00405210 . E8 BF462600 call xx.006698D4
00405215 . 8B95 24FFFFFF mov edx,dword ptr ss:[ebp-DC]
0040521B . 8D45 8C lea eax,dword ptr ss:[ebp-74]
0040521E . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
00405220 . 83C1 14 add ecx,14 ; take character 21
00405223 . 8A11 mov dl,byte ptr ds:[ecx]
00405225 . E8 22442600 call xx.0066964C
0040522A . 8BD0 mov edx,eax
0040522C . FF46 1C inc dword ptr ds:[esi+1C]
0040522F . 33C0 xor eax,eax
00405231 . 8945 88 mov dword ptr ss:[ebp-78],eax
00405234 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00405237 . FF46 1C inc dword ptr ds:[esi+1C]
0040523A . 58 pop eax
0040523B . E8 F4442600 call xx.00669734
00405240 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405243 . 52 push edx
00405244 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
0040524A . 6A 19 push 19 ; /Arg2 = 00000019
0040524C . 8B8D 20FFFFFF mov ecx,dword ptr ss:[ebp-E0] ; |
00405252 . 51 push ecx ; |Arg1
00405253 . E8 64422600 call xx.006694BC ; \xx.006694BC
00405258 . 83C4 08 add esp,8
0040525B . 8B85 20FFFFFF mov eax,dword ptr ss:[ebp-E0]
00405261 . E8 6E462600 call xx.006698D4
00405266 . 8B95 20FFFFFF mov edx,dword ptr ss:[ebp-E0]
0040526C . 8D45 84 lea eax,dword ptr ss:[ebp-7C]
0040526F . 8B0A mov ecx,dword ptr ds:[edx] ; registration code
00405271 . 83C1 18 add ecx,18 ; take character 25
00405274 . 8A11 mov dl,byte ptr ds:[ecx]
00405276 . E8 D1432600 call xx.0066964C
......(code omitted)
004053D2 . 83C4 08 add esp,8
004053D5 . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004053D8 . E8 F7442600 call xx.006698D4
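004053DD . 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; assemble the extracted characters into a new string
......(code omitted)
Next, the extracted characters are assembled into a new 8-character string and compared with the first 8 characters of the result of the last loop iteration; if they match, verification passes, otherwise it fails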
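The loop bound set up at 00404F24..00404F38 and tested at 00404FBA and 00405019 can be modeled in C as below. This is an added example, not code from the original article or from the program, and its function names are hypothetical. It follows the listing's movsx (sign extension), the clamp to 0 and the jle exit test, so it also covers first bytes of 80h and above, which the summary's "first character + 1" does not address.

```c
#include <stdint.h>
#include <stdio.h>

/* Loop bound as computed at 00404F24..00404F38 (hypothetical name).
 * movsx sign-extends the first username byte, so 80h..FFh become
 * negative; the cmp/jg pair then replaces every value <= 0 with 0. */
int32_t loop_bound(uint8_t first_byte)
{
    /* 00404F24: movsx ecx, byte ptr [edx] */
    int32_t bound = first_byte >= 0x80 ? (int32_t)first_byte - 256
                                       : (int32_t)first_byte;
    if (bound <= 0)   /* 00404F2D cmp [ebp-BC],0 / 00404F34 jg not taken */
        bound = 0;    /* 00404F36 xor eax,eax / 00404F38 mov [ebp-BC],eax */
    return bound;
}

/* Number of times the loop body at 00404FBC executes (hypothetical name).
 * Each pass is one BlowFish+Base64 encryption of the username followed
 * by one re-hash of the result into the next key. */
int rounds_for_first_byte(uint8_t first_byte)
{
    int32_t bound = loop_bound(first_byte);
    int32_t counter = 0;          /* 00404FA2: [ebp-C0] = 0 */
    int rounds = 0;

    if (counter > bound)          /* 00404FBA jg: skip the loop entirely */
        return 0;                 /* unreachable, since bound >= 0 */
    do {
        rounds++;                 /* loop body at 00404FBC */
        counter++;                /* 00405007 inc [ebp-C0] */
    } while (counter <= bound);   /* 00405019 jle: signed comparison */
    return rounds;
}

/* Largest round count over all 256 possible first bytes. */
int max_rounds(void)
{
    int best = 0;
    for (int b = 0; b < 256; b++) {
        int r = rounds_for_first_byte((uint8_t)b);
        if (r > best)
            best = r;
    }
    return best;
}

/* How many of the 256 possible first bytes give exactly one round. */
int single_round_bytes(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++)
        if (rounds_for_first_byte((uint8_t)b) == 1)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample first bytes: 's' from the article's username,
     * 7Fh as the largest positive signed byte, C9h as a byte >= 80h. */
    const uint8_t samples[] = { 's', 0x7F, 0xC9 };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("first byte %02Xh -> bound %d, rounds %d\n",
               (unsigned)samples[i], (int)loop_bound(samples[i]),
               rounds_for_first_byte(samples[i]));
    printf("max rounds: %d, first bytes with a single round: %d\n",
           max_rounds(), single_round_bytes());
    return 0;
}
```

The round count therefore never exceeds 128, and it drops to a single round for any username whose first byte is 80h or above, such as a name in a double-byte encoding.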
===================== Step into the call at 00404F4C and begin the twisted tour of the modified MD5 + unidentified hash ^-^! ===============
00561082 |. E8 D9D>call xx.Lbcipher::GenerateLMDKey
0055E37E |. E8 C50F0000 call xx.Lbcipher::HashLMD
0055F348 x>/$ 55 push ebp
0055F349 |. 8BEC mov ebp,esp
0055F34B |. 81C4 E8FEFFF>add esp,-118
0055F351 |. 53 push ebx
0055F352 |. 56 push esi
0055F353 |. 57 push edi
0055F354 |. 8BF9 mov edi,ecx
0055F356 |. 8BF2 mov esi,edx
0055F358 |. 8BD8 mov ebx,eax
0055F35A |. 8D85 E8FEFFF>lea eax,[local.70]
0055F360 |. E8 8BFDFFFF call xx.Lbcipher::InitLMD ; initialize the MD5 constants
0055F365 |. 8BD7 mov edx,edi ; edx = string to be hashed
0055F367 |. 8D85 E8FEFFF>lea eax,[local.70] ; [12f838] = initialized data
0055F36D |. 8B4D 08 mov ecx,[arg.1] ; string length
0055F370 |. E8 F7FDFFFF call xx.Lbcipher::UpdateLMD ; MD5-hash the string
0055F375 |. 8BD3 mov edx,ebx
0055F377 |. 8D85 E8FEFFF>lea eax,[local.70]
0055F37D |. 8BCE mov ecx,esi
0055F37F |. E8 24FFFFFF call xx.Lbcipher::FinalizeLMD ; transform the MD5 result into the final 16 bytes
0055F384 |. 5F pop edi
0055F385 |. 5E pop esi
0055F386 |. 5B pop ebx
0055F387 |. 8BE5 mov esp,ebp
0055F389 |. 5D pop ebp
0055F38A \. C2 0400 retn 4
=============================== Step into 0055F360 call xx.Lbcipher::InitLMD ========================
0055F0F0 x>/$ 53 push ebx
0055F0F1 |. 56 push esi
0055F0F2 |. 57 push edi
0055F0F3 |. 81C4 E8FEFFF>add esp,-118
0055F0F9 |. 8BD8 mov ebx,eax
0055F0FB |. 8BD4 mov edx,esp
0055F0FD |. 8BC3 mov eax,ebx
0055F0FF |. B9 18010000 mov ecx,118
0055F104 |. E8 6FA90700 call xx.005D9A78
0055F109 |. 33C0 xor eax,eax
0055F10B |. 890424 mov dword ptr ss:[esp],eax ; [12f704]=0
0055F10E |. BE F8D56B00 mov esi,xx.006BD5F8
0055F113 |. 8D7C24 04 lea edi,dword ptr ss:[esp+4] ; fill 256 bytes of constants at [12f708]
0055F117 |. B9 40000000 mov ecx,40
0055F11C |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0055F11E |. 33C0 xor eax,eax
0055F120 |. 898424 04010>mov dword ptr ss:[esp+104],eax ; [12f808]=0
0055F127 |. C78424 08010>mov dword ptr ss:[esp+108],55555555 ; fill in 4 constants
0055F132 |. C78424 0C010>mov dword ptr ss:[esp+10C],55555555
0055F13D |. C78424 10010>mov dword ptr ss:[esp+110],55555555
0055F148 |. C78424 14010>mov dword ptr ss:[esp+114],55555555
0055F153 |. 8BD3 mov edx,ebx
0055F155 |. 8BC4 mov eax,esp
0055F157 |. B9 18010000 mov ecx,118
0055F15C |. E8 17A90700 call xx.005D9A78 ; copy the 280 bytes at [12f704] to [12f838]; initialization complete
0055F161 |. 81C4 1801000>add esp,118
0055F167 |. 5F pop edi
0055F168 |. 5E pop esi
0055F169 |. 5B pop ebx
0055F16A \. C3 retn
=============================== Step into 0055F370 call xx.Lbcipher::UpdateLMD ============================
0055F16C x>/$ 53 push ebx
0055F16D |. 56 push esi
0055F16E |. 57 push edi
0055F16F |. 55 push ebp
0055F170 |. 81C4 E0FEFFF>add esp,-120
0055F176 |. 8BF9 mov edi,ecx
0055F178 |. 8BDA mov ebx,edx
0055F17A |. 890424 mov dword ptr ss:[esp],eax
0055F17D |. 8D5424 08 lea edx,dword ptr ss:[esp+8]
0055F181 |. 8B0424 mov eax,dword ptr ss:[esp]
0055F184 |. B9 18010000 mov ecx,118
0055F189 |. E8 EAA80700 call xx.005D9A78 ; copy the 280 bytes at [12f838] to [12f700]
0055F18E |. 4F dec edi
0055F18F |. 85FF test edi,edi
0055F191 |. 0F8C F400000>jl xx.0055F28B
0055F197 |. 47 inc edi
0055F198 |. 897C24 04 mov dword ptr ss:[esp+4],edi ; [12f6fc]=1a, the string length, used as the counter
0055F19C |. 8BF3 mov esi,ebx
0055F19E |> 8A06 /mov al,byte ptr ds:[esi] ; take the characters of the string one by one
0055F1A0 |. 8B5424 08 |mov edx,dword ptr ss:[esp+8] ; edx = value at [12f700], incremented each pass
0055F1A4 |. 304414 0C |xor byte ptr ss:[esp+edx+C],al ; XOR the fill data with the character
0055F1A8 |. FF4424 08 |inc dword ptr ss:[esp+8]
0055F1AC |. 817C24 08 00>|cmp dword ptr ss:[esp+8],100
0055F1B4 |. 75 06 |jnz short xx.0055F1BC
0055F1B6 |. 33D2 |xor edx,edx
0055F1B8 |. 895424 08 |mov dword ptr ss:[esp+8],edx
0055F1BC |> 8B9424 0C010>|mov edx,dword ptr ss:[esp+10C]
0055F1C3 |. 308414 10010>|xor byte ptr ss:[esp+edx+110],al ; XOR the 4 initialized variables with the character
0055F1CA |. FF8424 0C010>|inc dword ptr ss:[esp+10C]
0055F1D1 |. 83BC24 0C010>|cmp dword ptr ss:[esp+10C],8
0055F1D9 |. 0F85 A100000>|jnz xx.0055F280
0055F1DF |. 8B9424 1C010>|mov edx,dword ptr ss:[esp+11C] ; load the 4 variables
0055F1E6 |. 8B8C24 18010>|mov ecx,dword ptr ss:[esp+118]
0055F1ED |. 8B9C24 14010>|mov ebx,dword ptr ss:[esp+114]
0055F1F4 |. 8B8424 10010>|mov eax,dword ptr ss:[esp+110]
0055F1FB |. BF 04000000 |mov edi,4 ; 4 rounds of mixing
0055F200 |> 03D0 |/add edx,eax
0055F202 |. 03C2 ||add eax,edx
0055F204 |. 8BEA ||mov ebp,edx
0055F206 |. C1ED 07 ||shr ebp,7
0055F209 |. 33D5 ||xor edx,ebp
0055F20B |. 03CA ||add ecx,edx
0055F20D |. 03D1 ||add edx,ecx
0055F20F |. 8BE9 ||mov ebp,ecx
0055F211 |. C1E5 0D ||shl ebp,0D
0055F214 |. 33CD ||xor ecx,ebp
0055F216 |. 03D9 ||add ebx,ecx
0055F218 |. 03CB ||add ecx,ebx
0055F21A |. 8BEB ||mov ebp,ebx
0055F21C |. C1ED 11 ||shr ebp,11
0055F21F |. 33DD ||xor ebx,ebp
0055F221 |. 03C3 ||add eax,ebx
0055F223 |. 03D8 ||add ebx,eax
0055F225 |. 8BE8 ||mov ebp,eax
0055F227 |. C1E5 09 ||shl ebp,9
0055F22A |. 33C5 ||xor eax,ebp
0055F22C |. 03D0 ||add edx,eax
0055F22E |. 03C2 ||add eax,edx
0055F230 |. 8BEA ||mov ebp,edx
0055F232 |. C1ED 03 ||shr ebp,3
0055F235 |. 33D5 ||xor edx,ebp
0055F237 |. 03CA ||add ecx,edx
0055F239 |. 03D1 ||add edx,ecx
0055F23B |. 8BE9 ||mov ebp,ecx
0055F23D |. C1E5 07 ||shl ebp,7
0055F240 |. 33CD ||xor ecx,ebp
0055F242 |. 03D9 ||add ebx,ecx
0055F244 |. 03CB ||add ecx,ebx
0055F246 |. 8BE8 ||mov ebp,eax
0055F248 |. C1ED 0F ||shr ebp,0F
0055F24B |. 33DD ||xor ebx,ebp
0055F24D |. 03C3 ||add eax,ebx
0055F24F |. 03D8 ||add ebx,eax
0055F251 |. 8BE8 ||mov ebp,eax
0055F253 |. C1E5 0B ||shl ebp,0B
0055F256 |. 33C5 ||xor eax,ebp
0055F258 |. 4F ||dec edi
0055F259 |.^ 75 A5 |\jnz short xx.0055F200
0055F25B |. 899424 10010>|mov dword ptr ss:[esp+110],edx ; store the mixed values of the 4 variables
0055F262 |. 898C24 14010>|mov dword ptr ss:[esp+114],ecx
0055F269 |. 899C24 18010>|mov dword ptr ss:[esp+118],ebx
0055F270 |. 898424 1C010>|mov dword ptr ss:[esp+11C],eax
0055F277 |. 33C0 |xor eax,eax
0055F279 |. 898424 0C010>|mov dword ptr ss:[esp+10C],eax ; [12f804]=0
0055F280 |> 46 |inc esi
0055F281 |. FF4C24 04 |dec dword ptr ss:[esp+4]
0055F285 |.^ 0F85 13FFFFF>\jnz xx.0055F19E
0055F28B |> 8B1424 mov edx,dword ptr ss:[esp]
0055F28E |. 8D4424 08 lea eax,dword ptr ss:[esp+8]
0055F292 |. B9 18010000 mov ecx,118
0055F297 |. E8 DCA70700 call xx.005D9A78 ; copy the 280 bytes at [12f700] to [12f838]
0055F29C |. 81C4 2001000>add esp,120
0055F2A2 |. 5D pop ebp
0055F2A3 |. 5F pop edi
0055F2A4 |. 5E pop esi
0055F2A5 |. 5B pop ebx
0055F2A6 \. C3 retn
============================ Step into 0055F37F call xx.Lbcipher::FinalizeLMD =============================
0055F2A8 x>/$ 53 push ebx
0055F2A9 |. 56 push esi
0055F2AA |. 57 push edi
0055F2AB |. 55 push ebp
0055F2AC |. 81C4 60FEFFF>add esp,-1A0
0055F2B2 |. 8BE9 mov ebp,ecx
0055F2B4 |. 8BFA mov edi,edx
0055F2B6 |. 8BD8 mov ebx,eax
0055F2B8 |. 8BD4 mov edx,esp
0055F2BA |. 8BC3 mov eax,ebx
0055F2BC |. B9 18010000 mov ecx,118
0055F2C1 |. E8 B2A70700 call xx.005D9A78 ; copy the 280 bytes at [12f838] to [12f678]
0055F2C6 |. B9 08000000 mov ecx,8
0055F2CB |. 2B8C24 04010>sub ecx,dword ptr ss:[esp+104] ; ecx=6
0055F2D2 |. BA B8126C00 mov edx,xx.006C12B8
0055F2D7 |. 8BC3 mov eax,ebx
0055F2D9 |. E8 8EFEFFFF call xx.Lbcipher::UpdateLMD ; continue the MD5 hashing with the 6 bytes 01 00 00 00 00 00
0055F2DE |. 8BD4 mov edx,esp
0055F2E0 |. 8BC3 mov eax,ebx
0055F2E2 |. B9 18010000 mov ecx,118
0055F2E7 |. E8 8CA70700 call xx.005D9A78
0055F2EC |. 6A 01 push 1 ; /Arg1 = 00000001
0055F2EE |. 8D9424 1C010>lea edx,dword ptr ss:[esp+11C] ; |
0055F2F5 |. 8D8424 0C010>lea eax,dword ptr ss:[esp+10C] ; |
0055F2FC |. B9 08000000 mov ecx,8 ; |
0055F301 |. E8 2EE4FFFF call xx.Lbcipher::InitEncryptLBC ; \expand the 16-byte MD5 hash into a 128-byte hash
0055F306 |. BE 10000000 mov esi,10 ; esi = counter
0055F30B |. 8D5C24 04 lea ebx,dword ptr ss:[esp+4]
0055F30F |> 8BD3 mov edx,ebx
0055F311 |. 8D8424 18010>lea eax,dword ptr ss:[esp+118] ; eax = address of the 4 transformed MD5 variables
0055F318 |. E8 4FE0FFFF call xx.Lbcipher::EncryptLBC ; encrypt the 128-byte hash 16 bytes at a time
0055F31D |. 83C3 10 add ebx,10
0055F320 |. 4E dec esi
0055F321 |.^ 75 EC jnz short xx.0055F30F ; loop, transforming the 128-byte hash
0055F323 |. 8BD5 mov edx,ebp
0055F325 |. B8 00010000 mov eax,100
0055F32A |. E8 25DFFFFF call xx.Lbutils::Min
0055F32F |. 8BC8 mov ecx,eax
0055F331 |. 8BD7 mov edx,edi
0055F333 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
0055F337 |. E8 3CA70700 call xx.005D9A78 ; copy the 16 bytes at [12f67c] to [11f21a8]
0055F33C |. 81C4 A001000>add esp,1A0 ; these 16 bytes are the result of the transformation
0055F342 |. 5D pop ebp
0055F343 |. 5F pop edi
0055F344 |. 5E pop esi
0055F345 |. 5B pop ebx
0055F346 \. C3 retn
================== Step into 0055F301 call xx.Lbcipher::InitEncryptLBC ==============================
0055D734 x>/$ 55 push ebp
0055D735 |. 8BEC mov ebp,esp
0055D737 |. 81C4 5CFFFFF>add esp,-0A4
0055D73D |. 53 push ebx
0055D73E |. 56 push esi
0055D73F |. 57 push edi
0055D740 |. 8BD9 mov ebx,ecx
0055D742 |. 8955 FC mov [local.1],edx
0055D745 |. 8945 F8 mov [local.2],eax
0055D748 |. 8B45 FC mov eax,[local.1]
0055D74B |. 8A55 08 mov dl,byte ptr ss:[ebp+8]
0055D74E |. 8810 mov byte ptr ds:[eax],dl ; [12f790]=1
0055D750 |. 8BD3 mov edx,ebx
0055D752 |. B8 10000000 mov eax,10
0055D757 |. E8 F8FAFFFF call xx.Lbutils::Min
0055D75C |. 8BD0 mov edx,eax
0055D75E |. B8 04000000 mov eax,4
0055D763 |. E8 F4FAFFFF call xx.Lbutils::Max
0055D768 |. 8B55 FC mov edx,[local.1]
0055D76B |. 8942 04 mov dword ptr ds:[edx+4],eax ; [12f794]=8
0055D76E |. C745 E0 0400>mov [local.8],4 ; [12f64c]=4, counter
0055D775 |. C745 DC F8D6>mov [local.9],xx.006BD6F8 ; load the bytes 55 55 55 55 AA AA AA AA 33 33 33 33 CC CC CC CC
0055D77C |. 8B45 FC mov eax,[local.1]
0055D77F |. 83C0 08 add eax,8
0055D782 |> 8B55 F8 /mov edx,[local.2]
0055D785 |. 8B12 |mov edx,dword ptr ds:[edx] ; load variable 1
0055D787 |. 8B4D DC |mov ecx,[local.9]
0055D78A |. 8B31 |mov esi,dword ptr ds:[ecx] ; take the 4 loaded constants in turn
0055D78C |. 8BCE |mov ecx,esi
0055D78E |. 8B5D F8 |mov ebx,[local.2]
0055D791 |. 8B5B 04 |mov ebx,dword ptr ds:[ebx+4] ; load variable 2
0055D794 |. 8975 F4 |mov [local.3],esi
0055D797 |. 8B7D F8 |mov edi,[local.2]
0055D79A |. 8B7F 08 |mov edi,dword ptr ds:[edi+8] ; load variable 3
0055D79D |. 897D F0 |mov [local.4],edi
0055D7A0 |. 8975 EC |mov [local.5],esi
0055D7A3 |. 8B7D F8 |mov edi,[local.2]
0055D7A6 |. 8B7F 0C |mov edi,dword ptr ds:[edi+C] ; load variable 4
0055D7A9 |. 897D E8 |mov [local.6],edi
0055D7AC |. 8975 E4 |mov [local.7],esi
0055D7AF |. BE 08000000 |mov esi,8 ; 8 rounds of mixing
0055D7B4 |> 8BF9 |/mov edi,ecx
0055D7B6 |. C1E7 0B ||shl edi,0B
0055D7B9 |. 33D7 ||xor edx,edi
0055D7BB |. 0155 F4 ||add [local.3],edx
0055D7BE |. 03CB ||add ecx,ebx
0055D7C0 |. 8BFB ||mov edi,ebx
0055D7C2 |. C1EF 02 ||shr edi,2
0055D7C5 |. 33CF ||xor ecx,edi
0055D7C7 |. 014D F0 ||add [local.4],ecx
0055D7CA |. 035D F4 ||add ebx,[local.3]
0055D7CD |. 8B7D F4 ||mov edi,[local.3]
0055D7D0 |. C1E7 08 ||shl edi,8
0055D7D3 |. 33DF ||xor ebx,edi
0055D7D5 |. 015D EC ||add [local.5],ebx
0055D7D8 |. 8B7D F0 ||mov edi,[local.4]
0055D7DB |. 017D F4 ||add [local.3],edi
0055D7DE |. 8B7D F0 ||mov edi,[local.4]
0055D7E1 |. C1EF 10 ||shr edi,10
0055D7E4 |. 317D F4 ||xor [local.3],edi
0055D7E7 |. 8B7D F4 ||mov edi,[local.3]
0055D7EA |. 017D E8 ||add [local.6],edi
0055D7ED |. 8B7D EC ||mov edi,[local.5]
0055D7F0 |. 017D F0 ||add [local.4],edi
0055D7F3 |. 8B7D EC ||mov edi,[local.5]
0055D7F6 |. C1E7 0A ||shl edi,0A
0055D7F9 |. 317D F0 ||xor [local.4],edi
0055D7FC |. 8B7D F0 ||mov edi,[local.4]
0055D7FF |. 017D E4 ||add [local.7],edi
0055D802 |. 8B7D E8 ||mov edi,[local.6]
0055D805 |. 017D EC ||add [local.5],edi
0055D808 |. 8B7D E8 ||mov edi,[local.6]
0055D80B |. C1EF 04 ||shr edi,4
0055D80E |. 317D EC ||xor [local.5],edi
0055D811 |. 0355 EC ||add edx,[local.5]
0055D814 |. 8B7D E4 ||mov edi,[local.7]
0055D817 |. 017D E8 ||add [local.6],edi
0055D81A |. 8B7D E4 ||mov edi,[local.7]
0055D81D |. C1E7 08 ||shl edi,8
0055D820 |. 317D E8 ||xor [local.6],edi
0055D823 |. 034D E8 ||add ecx,[local.6]
0055D826 |. 0155 E4 ||add [local.7],edx
0055D829 |. 8BFA ||mov edi,edx
0055D82B |. C1EF 09 ||shr edi,9
0055D82E |. 317D E4 ||xor [local.7],edi
0055D831 |. 035D E4 ||add ebx,[local.7]
0055D834 |. 03D1 ||add edx,ecx
0055D836 |. 4E ||dec esi
0055D837 |.^ 0F85 77FFFFF>|\jnz xx.0055D7B4
0055D83D |. 8910 |mov dword ptr ds:[eax],edx ; store the transformed result
0055D83F |. 8948 04 |mov dword ptr ds:[eax+4],ecx
0055D842 |. 8958 08 |mov dword ptr ds:[eax+8],ebx
0055D845 |. 8B55 F4 |mov edx,[local.3]
0055D848 |. 8950 0C |mov dword ptr ds:[eax+C],edx
0055D84B |. 8B55 F0 |mov edx,[local.4]
0055D84E |. 8950 10 |mov dword ptr ds:[eax+10],edx
0055D851 |. 8B55 EC |mov edx,[local.5]
0055D854 |. 8950 14 |mov dword ptr ds:[eax+14],edx
0055D857 |. 8B55 E8 |mov edx,[local.6]
0055D85A |. 8950 18 |mov dword ptr ds:[eax+18],edx
0055D85D |. 8B55 E4 |mov edx,[local.7]
0055D860 |. 8950 1C |mov dword ptr ds:[eax+1C],edx
0055D863 |. 83C0 20 |add eax,20
0055D866 |. 8345 DC 04 |add [local.9],4
0055D86A |. FF4D E0 |dec [local.8]
0055D86D |.^ 0F85 0FFFFFF>\jnz xx.0055D782
0055D873 |. 807D 08 00 cmp byte ptr ss:[ebp+8],0
0055D877 |. 75 6A jnz short xx.0055D8E3
0055D879 |. 8B45 FC mov eax,[local.1]
0055D87C |. 8B40 04 mov eax,dword ptr ds:[eax+4]
0055D87F |. 48 dec eax
0055D880 |. 85C0 test eax,eax
0055D882 |. 7C 34 jl short xx.0055D8B8
0055D884 |. 40 inc eax
0055D885 |. C745 E0 0000>mov [local.8],0
0055D88C |. 8B55 FC mov edx,[local.1]
0055D88F |. 83C2 08 add edx,8
0055D892 |> 8B4D FC /mov ecx,[local.1]
0055D895 |. 8B49 04 |mov ecx,dword ptr ds:[ecx+4]
0055D898 |. 49 |dec ecx
0055D899 |. 2B4D E0 |sub ecx,[local.8]
0055D89C |. 8B1A |mov ebx,dword ptr ds:[edx]
0055D89E |. 899CCD 5CFFF>|mov dword ptr ss:[ebp+ecx*8-A4],ebx
0055D8A5 |. 8B5A 04 |mov ebx,dword ptr ds:[edx+4]
0055D8A8 |. 899CCD 60FFF>|mov dword ptr ss:[ebp+ecx*8-A0],ebx
0055D8AF |. FF45 E0 |inc [local.8]
0055D8B2 |. 83C2 08 |add edx,8
0055D8B5 |. 48 |dec eax
0055D8B6 |.^ 75 DA \jnz short xx.0055D892
0055D8B8 |> 8B45 FC mov eax,[local.1]
0055D8BB |. 8B40 04 mov eax,dword ptr ds:[eax+4]
0055D8BE |. 48 dec eax
0055D8BF |. 85C0 test eax,eax
0055D8C1 |. 7C 20 jl short xx.0055D8E3
0055D8C3 |. 40 inc eax
0055D8C4 |. 8D95 5CFFFFF>lea edx,[local.41]
0055D8CA |. 8B5D FC mov ebx,[local.1]
0055D8CD |. 83C3 08 add ebx,8
0055D8D0 |> 8B0A /mov ecx,dword ptr ds:[edx]
0055D8D2 |. 890B |mov dword ptr ds:[ebx],ecx
0055D8D4 |. 8B4A 04 |mov ecx,dword ptr ds:[edx+4]
0055D8D7 |. 894B 04 |mov dword ptr ds:[ebx+4],ecx
0055D8DA |. 83C3 08 |add ebx,8
0055D8DD |. 83C2 08 |add edx,8
0055D8E0 |. 48 |dec eax
0055D8E1 |.^ 75 ED \jnz short xx.0055D8D0
0055D8E3 |> 5F pop edi
0055D8E4 |. 5E pop esi
0055D8E5 |. 5B pop ebx
0055D8E6 |. 8BE5 mov esp,ebp
0055D8E8 |. 5D pop ebp
0055D8E9 \. C2 0400 retn 4
========================== Step into 0055F318 call xx.Lbcipher::EncryptLBC ============================
0055D36C x>/$ 53 push ebx
0055D36D |. 56 push esi
0055D36E |. 57 push edi
0055D36F |. 83C4 D0 add esp,-30
0055D372 |. 891424 mov dword ptr ss:[esp],edx
0055D375 |. 8BD8 mov ebx,eax
0055D377 |. 8D5424 20 lea edx,dword ptr ss:[esp+20]
0055D37B |. 8B0424 mov eax,dword ptr ss:[esp]
0055D37E |. B9 10000000 mov ecx,10
0055D383 |. E8 F0C60700 call xx.005D9A78 ; copy the 16 bytes at [12f790] to [12f658]
0055D388 |. 8B4424 20 mov eax,dword ptr ss:[esp+20]
0055D38C |. 894424 0C mov dword ptr ss:[esp+C],eax ; store the 16-byte value at [12f644]
0055D390 |. 8B4424 24 mov eax,dword ptr ss:[esp+24]
0055D394 |. 894424 10 mov dword ptr ss:[esp+10],eax
0055D398 |. 8B4424 28 mov eax,dword ptr ss:[esp+28]
0055D39C |. 894424 14 mov dword ptr ss:[esp+14],eax
0055D3A0 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C]
0055D3A4 |. 894424 18 mov dword ptr ss:[esp+18],eax
0055D3A8 |. 8B43 04 mov eax,dword ptr ds:[ebx+4]
0055D3AB |. 48 dec eax
0055D3AC |. 85C0 test eax,eax
0055D3AE |. 0F8C 1401000>jl xx.0055D4C8
0055D3B4 |. 40 inc eax
0055D3B5 |. 894424 1C mov dword ptr ss:[esp+1C],eax ; [12f654] = eax, loop counter
0055D3B9 |. 8D43 08 lea eax,dword ptr ds:[ebx+8]
0055D3BC |. 8BD8 mov ebx,eax
0055D3BE |> 8B5424 0C /mov edx,dword ptr ss:[esp+C]
0055D3C2 |. 8B0B |mov ecx,dword ptr ds:[ebx] ; fetch the 3rd variable
0055D3C4 |. 8B7424 10 |mov esi,dword ptr ss:[esp+10]
0055D3C8 |. 8B43 04 |mov eax,dword ptr ds:[ebx+4] ; fetch the 4th variable
0055D3CB |. 03D0 |add edx,eax ; continue the transformation
0055D3CD |. 03C2 |add eax,edx
0055D3CF |. 8BFA |mov edi,edx
0055D3D1 |. C1EF 07 |shr edi,7
0055D3D4 |. 33D7 |xor edx,edi
0055D3D6 |. 03CA |add ecx,edx
0055D3D8 |. 03D1 |add edx,ecx
0055D3DA |. 8BF9 |mov edi,ecx
0055D3DC |. C1E7 0D |shl edi,0D
0055D3DF |. 33CF |xor ecx,edi
0055D3E1 |. 03F1 |add esi,ecx
0055D3E3 |. 03CE |add ecx,esi
0055D3E5 |. 8BFE |mov edi,esi
0055D3E7 |. C1EF 11 |shr edi,11
0055D3EA |. 33F7 |xor esi,edi
0055D3EC |. 03C6 |add eax,esi
0055D3EE |. 03F0 |add esi,eax
0055D3F0 |. 8BF8 |mov edi,eax
0055D3F2 |. C1E7 09 |shl edi,9
0055D3F5 |. 33C7 |xor eax,edi
0055D3F7 |. 03D0 |add edx,eax
0055D3F9 |. 03C2 |add eax,edx
0055D3FB |. 8BFA |mov edi,edx
0055D3FD |. C1EF 03 |shr edi,3
0055D400 |. 33D7 |xor edx,edi
0055D402 |. 03CA |add ecx,edx
0055D404 |. 03D1 |add edx,ecx
0055D406 |. 8BF9 |mov edi,ecx
0055D408 |. C1E7 07 |shl edi,7
0055D40B |. 33CF |xor ecx,edi
0055D40D |. 03F1 |add esi,ecx
0055D40F |. 03CE |add ecx,esi
0055D411 |. 8BF8 |mov edi,eax
0055D413 |. C1EF 0F |shr edi,0F
0055D416 |. 33F7 |xor esi,edi
0055D418 |. 03C6 |add eax,esi
0055D41A |. 03F0 |add esi,eax
0055D41C |. 8BF8 |mov edi,eax
0055D41E |. C1E7 0B |shl edi,0B
0055D421 |. 33C7 |xor eax,edi
0055D423 |. 8BFA |mov edi,edx
0055D425 |. 8BD6 |mov edx,esi
0055D427 |. 8BF7 |mov esi,edi
0055D429 |. 8BF9 |mov edi,ecx
0055D42B |. 8BC8 |mov ecx,eax
0055D42D |. 8BC7 |mov eax,edi
0055D42F |. 03D0 |add edx,eax
0055D431 |. 03C2 |add eax,edx
0055D433 |. 8BFA |mov edi,edx
0055D435 |. C1EF 07 |shr edi,7
0055D438 |. 33D7 |xor edx,edi
0055D43A |. 03CA |add ecx,edx
0055D43C |. 03D1 |add edx,ecx
0055D43E |. 8BF9 |mov edi,ecx
0055D440 |. C1E7 0D |shl edi,0D
0055D443 |. 33CF |xor ecx,edi
0055D445 |. 03F1 |add esi,ecx
0055D447 |. 03CE |add ecx,esi
0055D449 |. 8BFE |mov edi,esi
0055D44B |. C1EF 11 |shr edi,11
0055D44E |. 33F7 |xor esi,edi
0055D450 |. 03C6 |add eax,esi
0055D452 |. 03F0 |add esi,eax
0055D454 |. 8BF8 |mov edi,eax
0055D456 |. C1E7 09 |shl edi,9
0055D459 |. 33C7 |xor eax,edi
0055D45B |. 03D0 |add edx,eax
0055D45D |. 03C2 |add eax,edx
0055D45F |. 8BFA |mov edi,edx
0055D461 |. C1EF 03 |shr edi,3
0055D464 |. 33D7 |xor edx,edi
0055D466 |. 03CA |add ecx,edx
0055D468 |. 03D1 |add edx,ecx
0055D46A |. 8BF9 |mov edi,ecx
0055D46C |. C1E7 07 |shl edi,7
0055D46F |. 33CF |xor ecx,edi
0055D471 |. 03F1 |add esi,ecx
0055D473 |. 03CE |add ecx,esi
0055D475 |. 8BF8 |mov edi,eax
0055D477 |. C1EF 0F |shr edi,0F
0055D47A |. 33F7 |xor esi,edi
0055D47C |. 03C6 |add eax,esi
0055D47E |. 03F0 |add esi,eax
0055D480 |. 8BF8 |mov edi,eax
0055D482 |. C1E7 0B |shl edi,0B
0055D485 |. 33C7 |xor eax,edi
0055D487 |. 335424 14 |xor edx,dword ptr ss:[esp+14]
0055D48B |. 33CA |xor ecx,edx
0055D48D |. 894C24 04 |mov dword ptr ss:[esp+4],ecx
0055D491 |. 337424 18 |xor esi,dword ptr ss:[esp+18]
0055D495 |. 33C6 |xor eax,esi
0055D497 |. 894424 08 |mov dword ptr ss:[esp+8],eax
0055D49B |. 8B4424 0C |mov eax,dword ptr ss:[esp+C]
0055D49F |. 894424 14 |mov dword ptr ss:[esp+14],eax
0055D4A3 |. 8B4424 10 |mov eax,dword ptr ss:[esp+10]
0055D4A7 |. 894424 18 |mov dword ptr ss:[esp+18],eax
0055D4AB |. 8B4424 04 |mov eax,dword ptr ss:[esp+4]
0055D4AF |. 894424 0C |mov dword ptr ss:[esp+C],eax
0055D4B3 |. 8B4424 08 |mov eax,dword ptr ss:[esp+8]
0055D4B7 |. 894424 10 |mov dword ptr ss:[esp+10],eax
0055D4BB |. 83C3 08 |add ebx,8
0055D4BE |. FF4C24 1C |dec dword ptr ss:[esp+1C]
0055D4C2 |.^ 0F85 F6FEFFF>\jnz xx.0055D3BE
0055D4C8 |> 8B4424 14 mov eax,dword ptr ss:[esp+14]
0055D4CC |. 894424 20 mov dword ptr ss:[esp+20],eax ; store the transformed result
0055D4D0 |. 8B4424 18 mov eax,dword ptr ss:[esp+18]
0055D4D4 |. 894424 24 mov dword ptr ss:[esp+24],eax
0055D4D8 |. 8B4424 0C mov eax,dword ptr ss:[esp+C]
0055D4DC |. 894424 28 mov dword ptr ss:[esp+28],eax
0055D4E0 |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
0055D4E4 |. 894424 2C mov dword ptr ss:[esp+2C],eax
0055D4E8 |. 8B1424 mov edx,dword ptr ss:[esp]
0055D4EB |. 8D4424 20 lea eax,dword ptr ss:[esp+20]
0055D4EF |. B9 10000000 mov ecx,10
0055D4F4 |. E8 7FC50700 call xx.005D9A78 ; copy the 16 bytes at [12f64c] to [12f67c]
0055D4F9 |. 83C4 30 add esp,30
0055D4FC |. 5F pop edi
0055D4FD |. 5E pop esi
0055D4FE |. 5B pop ebx
0055D4FF \. C3 retn
Step into the call at 00404F6E to start the twisted tour of the BlowFish+Base64 algorithm
00561060 |. E8 B73C0000 call xx.Lbstring::BFEncryptStringEx
00564D56 |. 8BF0 mov esi,eax
00564D58 |. 8BC7 mov eax,edi
00564D5A |. E8 396B0700 call xx.005DB898 ; get the length of the string to encrypt
00564D5F |. 50 push eax
00564D60 |. 8BC7 mov eax,edi
00564D62 |. E8 296D0700 call xx.005DBA90
00564D67 |. 8BD0 mov edx,eax
00564D69 |. 8B45 F4 mov eax,[local.3]
00564D6C |. 59 pop ecx
00564D6D |. 8B38 mov edi,dword ptr ds:[eax]
00564D6F |. FF57 0C call dword ptr ds:[edi+C] ; allocate memory
00564D72 |. 6A 00 push 0 ; /Arg2 = 00000000
00564D74 |. 6A 00 push 0 ; |Arg1 = 00000000
00564D76 |. 8B45 F4 mov eax,[local.3] ; |
00564D79 |. E8 F22A0500 call xx.005B7870 ; \xx.005B7870
00564D7E |. 807D FB 00 cmp byte ptr ss:[ebp-5],0
00564D82 |. 74 25 je short xx.00564DA9
00564D84 |. 6A 01 push 1 ; /Arg1 = 00000001
00564D86 |. 8B4D FC mov ecx,[local.1] ; |[11f219c] use the previous encryption result as the BlowFish key
00564D89 |. 8BD6 mov edx,esi ; |
00564D8B |. 8B45 F4 mov eax,[local.3] ; |12102e8
00564D8E |. E8 2DD6FFFF call xx.Lbproc::BFEncryptStream ; \Lbproc::BFEncryptStream
00564D93 |. 6A 00 push 0 ; /Arg2 = 00000000
00564D95 |. 6A 00 push 0 ; |Arg1 = 00000000
00564D97 |. 8BC6 mov eax,esi ; |
00564D99 |. E8 D22A0500 call xx.005B7870 ; \xx.005B7870
00564D9E |. 8BD3 mov edx,ebx
00564DA0 |. 8BC6 mov eax,esi
00564DA2 |. E8 E9FDFFFF call xx.Lbstring::LbEncodeBase64
00564DA7 |. EB 23 jmp short xx.00564DCC
......(code omitted)
========================== Step into 00564D8E call xx.Lbproc::BFEncryptStream =================
005623C0 x>/$ 55 push ebp
005623C1 |. 8BEC mov ebp,esp
005623C3 |. 81C4 04F0FFF>add esp,-0FFC
005623C9 |. 50 push eax
005623CA |. 83C4 AC add esp,-54
005623CD |. 53 push ebx
005623CE |. 56 push esi
005623CF |. 57 push edi
005623D0 |. 8955 FC mov [local.1],edx
005623D3 |. 8BD8 mov ebx,eax
005623D5 |. 8D95 ACEFFFF>lea edx,[local.1045]
005623DB |. 8BC1 mov eax,ecx
005623DD |. E8 92BBFFFF call xx.Lbcipher::InitEncryptBF ; key preprocessing
005623E2 |. 6A 00 push 0
005623E4 |. 6A 08 push 8
005623E6 |. 8BC3 mov eax,ebx
005623E8 |. E8 97540500 call xx.005B7884
005623ED |. E8 46A40700 call xx.005DC838
005623F2 |. 807D 08 00 cmp byte ptr ss:[ebp+8],0
005623F6 |. 74 01 je short xx.005623F9
005623F8 |. 40 inc eax
005623F9 |> 8BF0 mov esi,eax
005623FB |. 4E dec esi
005623FC |. 85F6 test esi,esi ; esi = loop counter
005623FE |. 0F8E 8F00000>jle xx.00562493
00562404 |> 8D55 F4 /lea edx,[local.3]
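00562407 |. B9 08000000 |mov ecx,8 ; split the data to encrypt into 8-byte blocks and encrypt each block
0056240C |. 8BC3 |mov eax,ebx ; if the last block has fewer than 8 bytes, its 8th byte holds the number of remaining bytes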
0056240E |. 8B38 |mov edi,dword ptr ds:[eax]
00562410 |. FF57 08 |call dword ptr ds:[edi+8]
00562413 |. 83F8 08 |cmp eax,8
00562416 |. 74 16 |je short xx.0056242E
00562418 |. B9 8C255600 |mov ecx,xx.0056258C
0056241D |. B2 01 |mov dl,1
0056241F |. A1 18225600 |mov eax,dword ptr ds:[562218]
00562424 |. E8 FF8B0600 |call xx.005CB028
00562429 |. E8 D68D0700 |call xx.005DB204
0056242E |> 8D55 F4 |lea edx,[local.3]
00562431 |. 8D85 ACEFFFF>|lea eax,[local.1045]
00562437 |. 8A4D 08 |mov cl,byte ptr ss:[ebp+8]
0056243A |. E8 11BCFFFF |call xx.Lbcipher::EncryptBF ; encrypt the block
0056243F |. 8D55 F4 |lea edx,[local.3]
00562442 |. B9 08000000 |mov ecx,8
00562447 |. 8B45 FC |mov eax,[local.1]
0056244A |. 8B38 |mov edi,dword ptr ds:[eax]
0056244C |. FF57 0C |call dword ptr ds:[edi+C]
0056244F |. 833D 0CA36C0>|cmp dword ptr ds:[Lbproc::LbOnProgress],0
00562456 |. 74 34 |je short xx.0056248C
00562458 |. A1 10A36C00 |mov eax,dword ptr ds:[Lbproc::LbProgressSi>
0056245D |. 99 |cdq
0056245E |. 52 |push edx
0056245F |. 50 |push eax
00562460 |. 8BC3 |mov eax,ebx
00562462 |. E8 E9530500 |call xx.005B7850
00562467 |. E8 94A40700 |call xx.005DC900
0056246C |. 83FA 00 |cmp edx,0
0056246F |. 75 1B |jnz short xx.0056248C
00562471 |. 83F8 00 |cmp eax,0
00562474 |. 75 16 |jnz short xx.0056248C
00562476 |. 8BC3 |mov eax,ebx
00562478 |. E8 07540500 |call xx.005B7884
0056247D |. 50 |push eax
0056247E |. 8BC3 |mov eax,ebx
00562480 |. E8 CB530500 |call xx.005B7850
00562485 |. 5A |pop edx
00562486 |. FF15 0CA36C0>|call dword ptr ds:[Lbproc::LbOnProgress]
0056248C |> 4E |dec esi
0056248D |.^ 0F85 71FFFFF>\jnz xx.00562404
......(code omitted)
========================== Step into E8 92BBFFFF call xx.Lbcipher::InitEncryptBF =======================
0055DF74 x>/$ 53 push ebx
0055DF75 |. 56 push esi
0055DF76 |. 57 push edi
0055DF77 |. 55 push ebp
0055DF78 |. 83C4 E4 add esp,-1C
0055DF7B |. 8BF0 mov esi,eax
0055DF7D |. 8D7C24 0C lea edi,dword ptr ss:[esp+C]
0055DF81 |. A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; [12e8ac] take the previous encryption result as the key
0055DF82 |. A5 movs dword ptr es:[edi],dword ptr ds:[esi]
0055DF83 |. A5 movs dword ptr es:[edi],dword ptr ds:[esi]
0055DF84 |. A5 movs dword ptr es:[edi],dword ptr ds:[esi]
0055DF85 |. 8BEA mov ebp,edx
0055DF87 |. 8BD5 mov edx,ebp
0055DF89 |. B8 08D76B00 mov eax,xx.006BD708
0055DF8E |. B9 48000000 mov ecx,48
0055DF93 |. E8 E0BA0700 call xx.005D9A78 ; initialize the KeypBox data
0055DF98 |. 8D55 48 lea edx,[arg.17]
0055DF9B |. B8 50D76B00 mov eax,xx.006BD750
0055DFA0 |. B9 00100000 mov ecx,1000
0055DFA5 |. E8 CEBA0700 call xx.005D9A78 ; initialize the KeysBox data
0055DFAA |. 33FF xor edi,edi
0055DFAC |. BE 12000000 mov esi,12 ; set the loop count to 18
0055DFB1 |. 896C24 08 mov dword ptr ss:[esp+8],ebp
0055DFB5 |> 33D2 /xor edx,edx
0055DFB7 |. B8 04000000 |mov eax,4
0055DFBC |> C1E2 08 |/shl edx,8
0055DFBF |. 33C9 ||xor ecx,ecx
0055DFC1 |. 8A4C3C 0C ||mov cl,byte ptr ss:[esp+edi+C]
0055DFC5 |. 0BD1 ||or edx,ecx
0055DFC7 |. 47 ||inc edi
0055DFC8 |. 83FF 10 ||cmp edi,10
0055DFCB |. 7C 02 ||jl short xx.0055DFCF
0055DFCD |. 33FF ||xor edi,edi
0055DFCF |> 48 ||dec eax
0055DFD0 |.^ 75 EA |\jnz short xx.0055DFBC
0055DFD2 |. 8B4424 08 |mov eax,dword ptr ss:[esp+8]
0055DFD6 |. 3110 |xor dword ptr ds:[eax],edx ; XOR each KeypBox entry with the key
0055DFD8 |. 834424 08 04 |add dword ptr ss:[esp+8],4
0055DFDD |. 4E |dec esi
0055DFDE |.^ 75 D5 \jnz short xx.0055DFB5
0055DFE0 |. 33C0 xor eax,eax
0055DFE2 |. 890424 mov dword ptr ss:[esp],eax ; [12e8a0] holds XR, zeroed first
0055DFE5 |. 33C0 xor eax,eax
0055DFE7 |. 894424 04 mov dword ptr ss:[esp+4],eax ; [12e8a4] holds XL, zeroed first
0055DFEB |. 33F6 xor esi,esi
0055DFED |> 8BD4 /mov edx,esp
0055DFEF |. 8BC5 |mov eax,ebp
0055DFF1 |. B1 01 |mov cl,1
0055DFF3 |. E8 58000000 |call xx.Lbcipher::EncryptBF ; core encryption function
0055DFF8 |. 8B0424 |mov eax,dword ptr ss:[esp]
0055DFFB |. 8944B5 00 |mov dword ptr ss:[ebp+esi*4],eax ; replace the KeypBox data
0055DFFF |. 8B4424 04 |mov eax,dword ptr ss:[esp+4]
0055E003 |. 8944B5 04 |mov dword ptr ss:[ebp+esi*4+4],eax ; replace the KeypBox data
0055E007 |. 83C6 02 |add esi,2
0055E00A |. 83FE 11 |cmp esi,11
0055E00D |.^ 7E DE \jle short xx.0055DFED
0055E00F |. BF 04000000 mov edi,4
0055E014 |. 8BDD mov ebx,ebp
0055E016 |> 33F6 /xor esi,esi
0055E018 |> 8BD4 |mov edx,esp
0055E01A |. 8BC5 |mov eax,ebp
0055E01C |. B1 01 |mov cl,1
0055E01E |. E8 2D000000 |call xx.Lbcipher::EncryptBF ; core encryption function
0055E023 |. 8B0424 |mov eax,dword ptr ss:[esp]
0055E026 |. 8944B3 48 |mov dword ptr ds:[ebx+esi*4+48],eax ; replace the KeysBox data
0055E02A |. 8B4424 04 |mov eax,dword ptr ss:[esp+4]
0055E02E |. 8944B3 4C |mov dword ptr ds:[ebx+esi*4+4C],eax ; replace the KeysBox data
0055E032 |. 83C6 02 |add esi,2
0055E035 |. 81FE FF00000>|cmp esi,0FF
0055E03B |.^ 7E DB |jle short xx.0055E018
0055E03D |. 81C3 0004000>|add ebx,400
0055E043 |. 4F |dec edi
0055E044 |.^ 75 D0 \jnz short xx.0055E016
0055E046 |. 83C4 1C add esp,1C
0055E049 |. 5D pop ebp
0055E04A |. 5F pop edi
0055E04B |. 5E pop esi
0055E04C |. 5B pop ebx
0055E04D \. C3 retn
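The listing above copies 0x48 bytes from 006BD708 into the P-box and 0x1000 bytes from 006BD750 into the S-boxes, so the two tables sit back to back in the image (006BD708 + 48h = 006BD750). The following is an added example, not part of the original write-up or of the program: it locates Blowfish in a byte image by its P-array and diffs the start of S-box 0 against the published Blowfish constants. `PAGE_S0_HEAD` is copied from the szsBox data listed further down this page; the sample image and all function names are constructed for the illustration.

```python
import struct

# Published Blowfish constants: the 18-entry P-array and the first 8 entries
# of S-box 0 (both are hex digits of pi).
STD_P = [
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
    0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
    0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B,
]
STD_S0_HEAD = [
    0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7,
    0xB8E1AFED, 0x6A267E96, 0xBA7C9045, 0xF12C7F99,
]

# First 8 szsBox entries exactly as listed in this page's data section.
PAGE_S0_HEAD = [
    0xD1310BCC, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7,
    0xB8E1AFED, 0x6A267E96, 0xBA7C9045, 0xF12C7F99,
]


def pack_le(words):
    """Serialize 32-bit words the way they are stored in an x86 image."""
    return struct.pack("<%dI" % len(words), *words)


def find_table(image, words):
    """Offset of the first exact occurrence of `words` in `image`, or -1."""
    return image.find(pack_le(words))


def diff_table(image, offset, reference):
    """Return (index, found, expected) for every dword that differs."""
    found = struct.unpack_from("<%dI" % len(reference), image, offset)
    return [(i, f, e) for i, (f, e) in enumerate(zip(found, reference)) if f != e]


def analyse(image):
    """Locate Blowfish by its P-array, then diff the table that follows it.

    Assumes the S-boxes start right after the P-array, as in the listing.
    """
    report = {
        "p_offset": find_table(image, STD_P),
        # What a scanner keyed only on the start of S-box 0 would report.
        "s0_exact_offset": find_table(image, STD_S0_HEAD),
        "s0_diffs": [],
    }
    if report["p_offset"] >= 0:
        s_off = report["p_offset"] + 4 * len(STD_P)
        if s_off + 4 * len(STD_S0_HEAD) <= len(image):
            report["s0_diffs"] = diff_table(image, s_off, STD_S0_HEAD)
    return report


# Constructed sample image: filler, P-array, the page's S-box head, filler.
SAMPLE_IMAGE = b"\x90" * 37 + pack_le(STD_P) + pack_le(PAGE_S0_HEAD) + b"\x00" * 16

if __name__ == "__main__":
    r = analyse(SAMPLE_IMAGE)
    print("P-array at offset", r["p_offset"])
    print("exact S-box 0 signature at", r["s0_exact_offset"])
    for idx, found, expected in r["s0_diffs"]:
        print("S0[%d]: found %08X, published %08X" % (idx, found, expected))
```

A signature keyed on the first S-box dword misses this table, while the untouched P-array still identifies the cipher and the diff pins the single altered entry.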
========================== Step into 0055E01E call xx.Lbcipher::EncryptBF ======================
0055E079 |. 8B03 mov eax,dword ptr ds:[ebx] ; fetch the first KeypBox value
0055E07B |. 3106 xor dword ptr ds:[esi],eax ; XL^eax
0055E07D |. B8 01000000 mov eax,1
0055E082 |> 33D2 /xor edx,edx ; loop: encrypt the 8-byte block
0055E084 |. 8A57 03 |mov dl,byte ptr ds:[edi+3]
0055E087 |. 8B5493 48 |mov edx,dword ptr ds:[ebx+edx*4+48] ; look up the value in KeysBox
0055E08B |. 33C9 |xor ecx,ecx
0055E08D |. 8A4F 02 |mov cl,byte ptr ds:[edi+2]
0055E090 |. 03948B 48040>|add edx,dword ptr ds:[ebx+ecx*4+448]
0055E097 |. 33C9 |xor ecx,ecx
0055E099 |. 8A4F 01 |mov cl,byte ptr ds:[edi+1]
0055E09C |. 33948B 48080>|xor edx,dword ptr ds:[ebx+ecx*4+848]
0055E0A3 |. 33C9 |xor ecx,ecx
0055E0A5 |. 8A0F |mov cl,byte ptr ds:[edi]
0055E0A7 |. 03948B 480C0>|add edx,dword ptr ds:[ebx+ecx*4+C48]
0055E0AE |. 8B0C83 |mov ecx,dword ptr ds:[ebx+eax*4]
0055E0B1 |. 334E 04 |xor ecx,dword ptr ds:[esi+4]
0055E0B4 |. 33D1 |xor edx,ecx
0055E0B6 |. 8956 04 |mov dword ptr ds:[esi+4],edx ; store XR
0055E0B9 |. 33D2 |xor edx,edx
0055E0BB |. 8A57 07 |mov dl,byte ptr ds:[edi+7]
0055E0BE |. 8B5493 48 |mov edx,dword ptr ds:[ebx+edx*4+48]
0055E0C2 |. 33C9 |xor ecx,ecx
0055E0C4 |. 8A4F 06 |mov cl,byte ptr ds:[edi+6]
0055E0C7 |. 03948B 48040>|add edx,dword ptr ds:[ebx+ecx*4+448]
0055E0CE |. 33C9 |xor ecx,ecx
0055E0D0 |. 8A4F 05 |mov cl,byte ptr ds:[edi+5]
0055E0D3 |. 33948B 48080>|xor edx,dword ptr ds:[ebx+ecx*4+848]
0055E0DA |. 33C9 |xor ecx,ecx
0055E0DC |. 8A4F 04 |mov cl,byte ptr ds:[edi+4]
0055E0DF |. 03948B 480C0>|add edx,dword ptr ds:[ebx+ecx*4+C48]
0055E0E6 |. 8B4C83 04 |mov ecx,dword ptr ds:[ebx+eax*4+4]
0055E0EA |. 330E |xor ecx,dword ptr ds:[esi]
0055E0EC |. 33D1 |xor edx,ecx
0055E0EE |. 8916 |mov dword ptr ds:[esi],edx ; store XL
0055E0F0 |. 83C0 02 |add eax,2
0055E0F3 |. 83F8 10 |cmp eax,10
0055E0F6 |.^ 7E 8A \jle short xx.0055E082
0055E0F8 |. 8B43 44 mov eax,dword ptr ds:[ebx+44] ; fetch the last KeypBox value
0055E0FB |. 3146 04 xor dword ptr ds:[esi+4],eax ; XR^eax
......(code omitted)
========================== Step into 00564DA2 xx.Lbstring::LbEncodeBase64 ===================
00564B90 x>/$ 53 push ebx
00564B91 |. 56 push esi
00564B92 |. 57 push edi
00564B93 |. 83C4 88 add esp,-78
00564B96 |. 895424 04 mov dword ptr ss:[esp+4],edx
00564B9A |. 890424 mov dword ptr ss:[esp],eax
00564B9D |. 8D4424 39 lea eax,dword ptr ss:[esp+39]
00564BA1 |. 33C9 xor ecx,ecx
00564BA3 |. BA 3F000000 mov edx,3F
00564BA8 |. E8 1B560700 call xx.005DA1C8
00564BAD |> 8D5424 0C /lea edx,dword ptr ss:[esp+C]
00564BB1 |. B9 2D000000 |mov ecx,2D
00564BB6 |. 8B0424 |mov eax,dword ptr ss:[esp]
00564BB9 |. 8B18 |mov ebx,dword ptr ds:[eax]
00564BBB |. FF53 08 |call dword ptr ds:[ebx+8] ; get the length of the string to encode
00564BBE |. 894424 08 |mov dword ptr ss:[esp+8],eax
00564BC2 |. 837C24 08 00 |cmp dword ptr ss:[esp+8],0 ; is it empty?
00564BC7 |. 0F84 4801000>|je xx.00564D15
00564BCD |. BF 01000000 |mov edi,1
00564BD2 |. 33F6 |xor esi,esi
00564BD4 |. EB 7F |jmp short xx.00564C55
00564BD6 |> 8A443C 0B |/mov al,byte ptr ss:[esp+edi+B] ; fetch the byte to encode
00564BDA |. 33D2 ||xor edx,edx
00564BDC |. 8AD0 ||mov dl,al
00564BDE |. C1EA 02 ||shr edx,2
00564BE1 |. 80E2 3F ||and dl,3F
00564BE4 |. 81E2 FF00000>||and edx,0FF ; keep edx within the valid range
00564BEA |. 8A92 CC126C0>||mov dl,byte ptr ds:[edx+6C12CC] ; look up the corresponding character in the table
00564BF0 |. 885434 39 ||mov byte ptr ss:[esp+esi+39],dl ; store the result
00564BF4 |. 8BD0 ||mov edx,eax
00564BF6 |. C1E2 04 ||shl edx,4
00564BF9 |. 33C0 ||xor eax,eax
00564BFB |. 8A443C 0C ||mov al,byte ptr ss:[esp+edi+C]
00564BFF |. C1E8 04 ||shr eax,4
00564C02 |. 0AD0 ||or dl,al
00564C04 |. 80E2 3F ||and dl,3F
00564C07 |. 33C0 ||xor eax,eax
00564C09 |. 8AC2 ||mov al,dl
00564C0B |. 8A80 CC126C0>||mov al,byte ptr ds:[eax+6C12CC]
00564C11 |. 884434 3A ||mov byte ptr ss:[esp+esi+3A],al
00564C15 |. 8A543C 0C ||mov dl,byte ptr ss:[esp+edi+C]
00564C19 |. C1E2 02 ||shl edx,2
00564C1C |. 8A443C 0D ||mov al,byte ptr ss:[esp+edi+D]
00564C20 |. 33C9 ||xor ecx,ecx
00564C22 |. 8AC8 ||mov cl,al
00564C24 |. C1E9 06 ||shr ecx,6
00564C27 |. 0AD1 ||or dl,cl
00564C29 |. 80E2 3F ||and dl,3F
00564C2C |. 81E2 FF00000>||and edx,0FF
00564C32 |. 8A92 CC126C0>||mov dl,byte ptr ds:[edx+6C12CC]
00564C38 |. 885434 3B ||mov byte ptr ss:[esp+esi+3B],dl
00564C3C |. 8BD0 ||mov edx,eax
00564C3E |. 80E2 3F ||and dl,3F
00564C41 |. 33C0 ||xor eax,eax
00564C43 |. 8AC2 ||mov al,dl
00564C45 |. 8A80 CC126C0>||mov al,byte ptr ds:[eax+6C12CC]
00564C4B |. 884434 3C ||mov byte ptr ss:[esp+esi+3C],al
00564C4F |. 83C7 03 ||add edi,3
00564C52 |. 83C6 04 ||add esi,4
00564C55 |> 8B4424 08 | mov eax,dword ptr ss:[esp+8]
00564C59 |. 83E8 02 ||sub eax,2
00564C5C |. 3BF8 ||cmp edi,eax
00564C5E |.^ 0F8E 72FFFFF>|\jle xx.00564BD6
00564C64 |. 3B7C24 08 |cmp edi,dword ptr ss:[esp+8]
00564C68 |. 0F8F 8D00000>|jg xx.00564CFB
......(code omitted)
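To confirm that LbEncodeBase64 is plain Base64 and not another modified primitive, the added example below (not from the original write-up or the program) decodes the 64-byte lookup table from the szBase dwords in this page's data section, mirrors the four table lookups per 3 input bytes seen at 00564BD6..00564C52, and replays the intermediate values from the algorithm summary at the top of the page. The tail handling is in the part of the listing the page omits, so the RFC 4648 `=` padding used here is an assumption, consistent with the `=` in the page's outputs; function names are hypothetical.

```python
import base64
import struct

# szBase exactly as listed in this page's data section (16 little-endian dwords).
SZ_BASE = [
    0x44434241, 0x48474645, 0x4C4B4A49, 0x504F4E4D,
    0x54535251, 0x58575655, 0x62615A59, 0x66656463,
    0x6A696867, 0x6E6D6C6B, 0x7271706F, 0x76757473,
    0x7A797877, 0x33323130, 0x37363534, 0x2F2B3938,
]

STANDARD_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)

# Test vector from the page's algorithm summary (step 2 output -> step 3 output).
PAGE_INPUT = bytes.fromhex(
    "EB4EB0457D574BB8B448AF78086958DF"
    "F076B64B526F5CFDCA70A7564D477489"
)
PAGE_OUTPUT = "606wRX1XS7i0SK94CGlY3/B2tktSb1z9ynCnVk1HdIk="


def table_from_dwords(dwords):
    """Rebuild the in-memory lookup table (the bytes at 006C12CC)."""
    return struct.pack("<%dI" % len(dwords), *dwords).decode("ascii")


def encode_like_listing(data, table):
    """Encode `data` with the same shifts and masks as the disassembly."""
    out = []
    full = len(data) - len(data) % 3
    for i in range(0, full, 3):
        b0, b1, b2 = data[i:i + 3]
        out.append(table[(b0 >> 2) & 0x3F])                # shr 2, and 3F
        out.append(table[((b0 << 4) | (b1 >> 4)) & 0x3F])  # shl 4, shr 4, or
        out.append(table[((b1 << 2) | (b2 >> 6)) & 0x3F])  # shl 2, shr 6, or
        out.append(table[b2 & 0x3F])                       # and 3F
    rest = data[full:]
    # Assumption: the omitted tail code pads as RFC 4648 does.
    if len(rest) == 1:
        out.append(table[rest[0] >> 2])
        out.append(table[(rest[0] << 4) & 0x3F])
        out.append("==")
    elif len(rest) == 2:
        out.append(table[rest[0] >> 2])
        out.append(table[((rest[0] << 4) | (rest[1] >> 4)) & 0x3F])
        out.append(table[(rest[1] << 2) & 0x3F])
        out.append("=")
    return "".join(out)


def agrees_with_stdlib(samples, table):
    """True if the transcription matches Python's base64 on every sample."""
    return all(
        encode_like_listing(s, table) == base64.b64encode(s).decode("ascii")
        for s in samples
    )


if __name__ == "__main__":
    tbl = table_from_dwords(SZ_BASE)
    print("table is standard:", tbl == STANDARD_ALPHABET)
    print("page vector reproduced:", encode_like_listing(PAGE_INPUT, tbl) == PAGE_OUTPUT)
```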
---------------------------------------------------------------------------------------------------------
【Assembly keygen: source of the algorithm part】
.data
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szKeyStr1 db 'R+Oc45UI16uU1J3sJdkaA1Ki7u',0
szKeyStr2 db 'ptqGFrU6/rnz3LFQkLwIiJBsQJfTvbj',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;Data used by the modified MD5 algorithm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szSData dd 0886A3F24h,0D308A385h,02E8A1913h,044737003h
dd 0223809A4h,0D0319F29h,098FA2E08h,0896C4EECh
dd 0E6212845h,07713D038h,0CF6654BEh,06C0CE934h
dd 0B729ACC0h,0DD507CC9h,0B5D5843Fh,0170947B5h
dd 0D9D51692h,01BFB7989h,0A60B31D1h,0ACB5DF98h
dd 0DB72FD2Fh,0B7DF1AD0h,0EDAFE1B8h,0967E266Ah
dd 045907CBAh,0997F2CF1h,04799A124h,0F76C91B3h
dd 0E2F20108h,016FC8E85h,0D8206963h,0694E5771h
dd 0A3FE58A4h,07E3D93F4h,08F74950Dh,058B68E72h
dd 058CD8B71h,0EE4A1582h,01DA4547Bh,0B5595AC2h
dd 039D5309Ch,01360F22Ah,023B0D1C5h,0F0856028h
dd 0187941CAh,0EF38DBB8h,0B0DC798Eh,00E183A60h
dd 08B0E9E6Ch,03E8A1EB0h,0C17715D7h,0274B31BDh
dd 0DA2FAF78h,0605C6055h,0F32555E6h,094AB55AAh
dd 062984857h,04014E863h,06A39CA55h,0B610AB2Ah
dd 0345CCCB4h,0CEE84111h,0AF8654A1h,093E9727Ch
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;Data used by the Base64 algorithm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szBase dd 44434241h,48474645h,4C4B4A49h,504F4E4Dh
dd 54535251h,58575655h,62615A59h,66656463h
dd 6A696867h,6E6D6C6Bh,7271706Fh,76757473h
dd 7A797877h,33323130h,37363534h,2F2B3938h
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;Constants used during encryption
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szKey1 dd 00000001h,00000000h,00000010h,00000018h
szKey2 dd 055555555h,0AAAAAAAAh,033333333h,0CCCCCCCCh
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;pBox of the BlowFish algorithm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szpBox dd 0243F6A88h,085A308D3h,013198A2Eh,003707344h
dd 0A4093822h,0299F31D0h,0082EFA98h,0EC4E6C89h
dd 0452821E6h,038D01377h,0BE5466CFh,034E90C6Ch
dd 0C0AC29B7h,0C97C50DDh,03F84D5B5h,0B5470917h
dd 09216D5D9h,08979FB1Bh
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;sBox of the BlowFish algorithm (the first value is modified)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szsBox dd 0D1310BCCh,098DFB5ACh,02FFD72DBh,0D01ADFB7h
dd 0B8E1AFEDh,06A267E96h,0BA7C9045h,0F12C7F99h
dd 024A19947h,0B3916CF7h,00801F2E2h,0858EFC16h
dd 0636920D8h,071574E69h,0A458FEA3h,0F4933D7Eh
dd 00D95748Fh,0728EB658h,0718BCD58h,082154AEEh
dd 07B54A41Dh,0C25A59B5h,09C30D539h,02AF26013h
dd 0C5D1B023h,0286085F0h,0CA417918h,0B8DB38EFh
dd 08E79DCB0h,0603A180Eh,06C9E0E8Bh,0B01E8A3Eh
dd 0D71577C1h,0BD314B27h,078AF2FDAh,055605C60h
dd 0E65525F3h,0AA55AB94h,057489862h,063E81440h
dd 055CA396Ah,02AAB10B6h,0B4CC5C34h,01141E8CEh
dd 0A15486AFh,07C72E993h,0B3EE1411h,0636FBC2Ah
dd 02BA9C55Dh,0741831F6h,0CE5C3E16h,09B87931Eh
dd 0AFD6BA33h,06C24CF5Ch,07A325381h,028958677h
dd 03B8F4898h,06B4BB9AFh,0C4BFE81Bh,066282193h
dd 061D809CCh,0FB21A991h,0487CAC60h,05DEC8032h
dd 0EF845D5Dh,0E98575B1h,0DC262302h,0EB651B88h
dd 023893E81h,0D396ACC5h,00F6D6FF3h,083F44239h
dd 02E0B4482h,0A4842004h,069C8F04Ah,09E1F9B5Eh
dd 021C66842h,0F6E96C9Ah,0670C9C61h,0ABD388F0h
dd 06A51A0D2h,0D8542F68h,0960FA728h,0AB5133A3h
dd 06EEF0B6Ch,0137A3BE4h,0BA3BF050h,07EFB2A98h
dd 0A1F1651Dh,039AF0176h,066CA593Eh,082430E88h
dd 08CEE8619h,0456F9FB4h,07D84A5C3h,03B8B5EBEh
dd 0E06F75D8h,085C12073h,0401A449Fh,056C16AA6h
dd 04ED3AA62h,0363F7706h,01BFEDF72h,0429B023Dh
dd 037D0D724h,0D00A1248h,0DB0FEAD3h,049F1C09Bh
dd 0075372C9h,080991B7Bh,025D479D8h,0F6E8DEF7h
dd 0E3FE501Ah,0B6794C3Bh,0976CE0BDh,004C006BAh
dd 0C1A94FB6h,0409F60C4h,05E5C9EC2h,0196A2463h
dd 068FB6FAFh,03E6C53B5h,01339B2EBh,03B52EC6Fh
dd 06DFC511Fh,09B30952Ch,0CC814544h,0AF5EBD09h
dd 0BEE3D004h,0DE334AFDh,0660F2807h,0192E4BB3h
dd 0C0CBA857h,045C8740Fh,0D20B5F39h,0B9D3FBDBh
dd 05579C0BDh,01A60320Ah,0D6A100C6h,0402C7279h
dd 0679F25FEh,0FB1FA3CCh,08EA5E9F8h,0DB3222F8h
dd 03C7516DFh,0FD616B15h,02F501EC8h,0AD0552ABh
dd 0323DB5FAh,0FD238760h,053317B48h,03E00DF82h
dd 09E5C57BBh,0CA6F8CA0h,01A87562Eh,0DF1769DBh
dd 0D542A8F6h,0287EFFC3h,0AC6732C6h,08C4F5573h
dd 0695B27B0h,0BBCA58C8h,0E1FFA35Dh,0B8F011A0h
dd 010FA3D98h,0FD2183B8h,04AFCB56Ch,02DD1D35Bh
dd 09A53E479h,0B6F84565h,0D28E49BCh,04BFB9790h
dd 0E1DDF2DAh,0A4CB7E33h,062FB1341h,0CEE4C6E8h
dd 0EF20CADAh,036774C01h,0D07E9EFEh,02BF11FB4h
dd 095DBDA4Dh,0AE909198h,0EAAD8E71h,06B93D5A0h
dd 0D08ED1D0h,0AFC725E0h,08E3C5B2Fh,08E7594B7h
dd 08FF6E2FBh,0F2122B64h,08888B812h,0900DF01Ch
dd 04FAD5EA0h,0688FC31Ch,0D1CFF191h,0B3A8C1ADh
dd 02F2F2218h,0BE0E1777h,0EA752DFEh,08B021FA1h
dd 0E5A0CC0Fh,0B56F74E8h,018ACF3D6h,0CE89E299h
dd 0B4A84FE0h,0FD13E0B7h,07CC43B81h,0D2ADA8D9h
dd 0165FA266h,080957705h,093CC7314h,0211A1477h
dd 0E6AD2065h,077B5FA86h,0C75442F5h,0FB9D35CFh
dd 0EBCDAF0Ch,07B3E89A0h,0D6411BD3h,0AE1E7E49h
dd 000250E2Dh,02071B35Eh,0226800BBh,057B8E0AFh
dd 02464369Bh,0F009B91Eh,05563911Dh,059DFA6AAh
dd 078C14389h,0D95A537Fh,0207D5BA2h,002E5B9C5h
dd 083260376h,06295CFA9h,011C81968h,04E734A41h
dd 0B3472DCAh,07B14A94Ah,01B510052h,09A532915h
dd 0D60F573Fh,0BC9BC6E4h,02B60A476h,081E67400h
dd 008BA6FB5h,0571BE91Fh,0F296EC6Bh,02A0DD915h
dd 0B6636521h,0E7B9F9B6h,0FF34052Eh,0C5855664h
dd 053B02D5Dh,0A99F8FA1h,008BA4799h,06E85076Ah
dd 04B7A70E9h,0B5B32944h,0DB75092Eh,0C4192623h
dd 0AD6EA6B0h,049A7DF7Dh,09CEE60B8h,08FEDB266h
dd 0ECAA8C71h,0699A17FFh,05664526Ch,0C2B19EE1h
dd 0193602A5h,075094C29h,0A0591340h,0E4183A3Eh
dd 03F54989Ah,05B429D65h,06B8FE4D6h,099F73FD6h
dd 0A1D29C07h,0EFE830F5h,04D2D38E6h,0F0255DC1h
dd 04CDD2086h,08470EB26h,06382E9C6h,0021ECC5Eh
dd 009686B3Fh,03EBAEFC9h,03C971814h,06B6A70A1h
dd 0687F3584h,052A0E286h,0B79C5305h,0AA500737h
dd 03E07841Ch,07FDEAE5Ch,08E7D44ECh,05716F2B8h
dd 0B03ADA37h,0F0500C0Dh,0F01C1F04h,00200B3FFh
dd 0AE0CF51Ah,03CB574B2h,025837A58h,0DC0921BDh
dd 0D19113F9h,07CA92FF6h,094324773h,022F54701h
dd 03AE5E581h,037C2DADCh,0C8B57634h,09AF3DDA7h
dd 0A9446146h,00FD0030Eh,0ECC8C73Eh,0A4751E41h
dd 0E238CD99h,03BEA0E2Fh,03280BBA1h,0183EB331h
dd 04E548B38h,04F6DB908h,06F420D03h,0F60A04BFh
dd 02CB81290h,024977C79h,05679B072h,0BCAF89AFh
dd 0DE9A771Fh,0D9930810h,0B38BAE12h,0DCCF3F2Eh
dd 05512721Fh,02E6B7124h,0501ADDE6h,09F84CD87h
dd 07A584718h,07408DA17h,0BC9F9ABCh,0E94B7D8Ch
dd 0EC7AEC3Ah,0DB851DFAh,063094366h,0C464C3D2h
dd 0EF1C1847h,03215D908h,0DD433B37h,024C2BA16h
dd 012A14D43h,02A65C451h,050940002h,0133AE4DDh
dd 071DFF89Eh,010314E55h,081AC77D6h,05F11199Bh
dd 0043556F1h,0D7A3C76Bh,03C11183Bh,05924A509h
dd 0F28FE6EDh,097F1FBFAh,09EBABF2Ch,01E153C6Eh
dd 086E34570h,0EAE96FB1h,0860E5E0Ah,05A3E2AB3h
dd 0771FE71Ch,04E3D06FAh,02965DCB9h,099E71D0Fh
dd 0803E89D6h,05266C825h,02E4CC978h,09C10B36Ah
dd 0C6150EBAh,094E2EA78h,0A5FC3C53h,01E0A2DF4h
dd 0F2F74EA7h,0361D2B3Dh,01939260Fh,019C27960h
dd 05223A708h,0F71312B6h,0EBADFE6Eh,0EAC31F66h
dd 0E3BC4595h,0A67BC883h,0B17F37D1h,0018CFF28h
dd 0C332DDEFh,0BE6C5AA5h,065582185h,068AB9802h
dd 0EECEA50Fh,0DB2F953Bh,02AEF7DADh,05B6E2F84h
dd 01521B628h,029076170h,0ECDD4775h,0619F1510h
dd 013CCA830h,0EB61BD96h,00334FE1Eh,0AA0363CFh
dd 0B5735C90h,04C70A239h,0D59E9E0Bh,0CBAADE14h
dd 0EECC86BCh,060622CA7h,09CAB5CABh,0B2F3846Eh
dd 0648B1EAFh,019BDF0CAh,0A02369B9h,0655ABB50h
dd 040685A32h,03C2AB4B3h,0319EE9D5h,0C021B8F7h
dd 09B540B19h,0875FA099h,095F7997Eh,0623D7DA8h
dd 0F837889Ah,097E32D77h,011ED935Fh,016681281h
dd 00E358829h,0C7E61FD6h,096DEDFA1h,07858BA99h
dd 057F584A5h,01B227263h,09B83C3FFh,01AC24696h
dd 0CDB30AEBh,0532E3054h,08FD948E4h,06DBC3128h
dd 058EBF2EFh,034C6FFEAh,0FE28ED61h,0EE7C3C73h
dd 05D4A14D9h,0E864B7E3h,042105D14h,0203E13E0h
dd 045EEE2B6h,0A3AAABEAh,0DB6C4F15h,0FACB4FD0h
dd 0C742F442h,0EF6ABBB5h,0654F3B1Dh,041CD2105h
dd 0D81E799Eh,086854DC7h,0E44B476Ah,03D816250h
dd 0CF62A1F2h,05B8D2646h,0FC8883A0h,0C1C7B6A3h
dd 07F1524C3h,069CB7492h,047848A0Bh,05692B285h
dd 0095BBF00h,0AD19489Dh,01462B174h,023820E00h
dd 058428D2Ah,00C55F5EAh,01DADF43Eh,0233F7061h
dd 03372F092h,08D937E41h,0D65FECF1h,06C223BDBh
dd 07CDE3759h,0CBEE7460h,04085F2A7h,0CE77326Eh
dd 0A6078084h,019F8509Eh,0E8EFD855h,061D99735h
dd 0A969A7AAh,0C50C06C2h,05A04ABFCh,0800BCADCh
dd 09E447A2Eh,0C3453484h,0FDD56705h,00E1E9EC9h
dd 0DB73DBD3h,0105588CDh,0675FDA79h,0E3674340h
dd 0C5C43465h,0713E38D8h,03D28F89Eh,0F16DFF20h
dd 0153E21E7h,08FB03D4Ah,0E6E39F2Bh,0DB83ADF7h
dd 0E93D5A68h,0948140F7h,0F64C261Ch,094692934h
dd 0411520F7h,07602D4F7h,0BCF46B2Eh,0D4A20068h
dd 0D4082471h,03320F46Ah,043B7D4B7h,0500061AFh
dd 01E39F62Eh,097244546h,014214F74h,0BF8B8840h
dd 04D95FC1Dh,096B591AFh,070F4DDD3h,066A02F45h
dd 0BFBC09ECh,003BD9785h,07FAC6DD0h,031CB8504h
dd 096EB27B3h,055FD3941h,0DA2547E6h,0ABCA0A9Ah
dd 028507825h,0530429F4h,00A2C86DAh,0E9B66DFBh
dd 068DC1462h,0D7486900h,0680EC0A4h,027A18DEEh
dd 04F3FFEA2h,0E887AD8Ch,0B58CE006h,07AF4D6B6h
dd 0AACE1E7Ch,0D3375FECh,0CE78A399h,0406B2A42h
dd 020FE9E35h,0D9F385B9h,0EE39D7ABh,03B124E8Bh
dd 01DC9FAF7h,04B6D1856h,026A36631h,0EAE397B2h
dd 03A6EFA74h,0DD5B4332h,06841E7F7h,0CA7820FBh
dd 0FB0AF54Eh,0D8FEB397h,0454056ACh,0BA489527h
dd 055533A3Ah,020838D87h,0FE6BA9B7h,0D096954Bh
dd 055A867BCh,0A1159A58h,0CCA92963h,099E1DB33h
dd 0A62A4A56h,03F3125F9h,05EF47E1Ch,09029317Ch
dd 0FDF8E802h,004272F70h,080BB155Ch,005282CE3h
dd 095C11548h,0E4C66D22h,048C1133Fh,0C70F86DCh
dd 007F9C9EEh,041041F0Fh,0404779A4h,05D886E17h
dd 0325F51EBh,0D59BC0D1h,0F2BCC18Fh,041113564h
dd 0257B7834h,0602A9C60h,0DFF8E8A3h,01F636C1Bh
dd 00E12B4C2h,002E1329Eh,0AF664FD1h,0CAD18115h
dd 06B2395E0h,0333E92E1h,03B240B62h,0EEBEB922h
dd 085B2A20Eh,0E6BA0D99h,0DE720C8Ch,02DA2F728h
dd 0D0127845h,095B794FDh,0647D0862h,0E7CCF5F0h
dd 05449A36Fh,0877D48FAh,0C39DFD27h,0F33E8D1Eh
dd 00A476341h,0992EFF74h,03A6F6EABh,0F4F8FD37h
dd 0A812DC60h,0A1EBDDF8h,0991BE14Ch,0DB6E6B0Dh
dd 0C67B5510h,06D672C37h,02765D43Bh,0DCD0E804h
dd 0F1290DC7h,0CC00FFA3h,0B5390F92h,0690FED0Bh
dd 0667B9FFBh,0CEDB7D9Ch,0A091CF0Bh,0D9155EA3h
dd 0BB132F88h,0515BAD24h,07B9479BFh,0763BD6EBh
dd 037392EB3h,0CC115979h,08026E297h,0F42E312Dh
dd 06842ADA7h,0C66A2B3Bh,012754CCCh,0782EF11Ch
dd 06A124237h,0B79251E7h,006A1BBE6h,04BFB6350h
dd 01A6B1018h,011CAEDFAh,03D25BDD8h,0E2E1C3C9h
dd 044421659h,00A121386h,0D90CEC6Eh,0D5ABEA2Ah
dd 064AF674Eh,0DA86A85Fh,0BEBFE988h,064E4C3FEh
dd 09DBC8057h,0F0F7C086h,060787BF8h,06003604Dh
dd 0D1FD8346h,0F6381FB0h,07745AE04h,0D736FCCCh
dd 083426B33h,0F01EAB71h,0B0804187h,03C005E5Fh
dd 077A057BEh,0BDE8AE24h,055464299h,0BF582E61h
dd 04E58F48Fh,0F2DDFDA2h,0F474EF38h,08789BDC2h
dd 05366F9C3h,0C8B38E74h,0B475F255h,046FCD9B9h
dd 07AEB2661h,08B1DDF84h,0846A0E79h,0915F95E2h
dd 0466E598Eh,020B45770h,08CD55591h,0C902DE4Ch
dd 0B90BACE1h,0BB8205D0h,011A86248h,07574A99Eh
dd 0B77F19B6h,0E0A9DC09h,0662D09A1h,0C4324633h
dd 0E85A1F02h,009F0BE8Ch,04A99A025h,01D6EFE10h
dd 01AB93D1Dh,00BA5A4DFh,0A186F20Fh,02868F169h
dd 0DCB7DA83h,0573906FEh,0A1E2CE9Bh,04FCD7F52h
dd 050115E01h,0A70683FAh,0A002B5C4h,00DE6D027h
dd 09AF88C27h,0773F8641h,0C3604C06h,061A806B5h
dd 0F0177A28h,0C0F586E0h,0006058AAh,030DC7D62h
dd 011E69ED7h,02338EA63h,053C2DD94h,0C2C21634h
dd 0BBCBEE56h,090BCB6DEh,0EBFC7DA1h,0CE591D76h
dd 06F05E409h,04B7C0188h,039720A3Dh,07C927C24h
dd 086E3725Fh,0724D9DB9h,01AC15BB4h,0D39EB8FCh
dd 0ED545578h,008FCA5B5h,0D83D7CD3h,04DAD0FC4h
dd 01E50EF5Eh,0B161E6F8h,0A28514D9h,06C51133Ch
dd 06FD5C7E7h,056E14EC4h,0362ABFCEh,0DDC6C837h
dd 0D79A3234h,092638212h,0670EFA8Eh,0406000E0h
dd 03A39CE37h,0D3FAF5CFh,0ABC27737h,05AC52D1Bh
dd 05CB0679Eh,04FA33742h,0D3822740h,099BC9BBEh
dd 0D5118E9Dh,0BF0F7315h,0D62D1C7Eh,0C700C47Bh
dd 0B78C1B6Bh,021A19045h,0B26EB1BEh,06A366EB4h
dd 05748AB2Fh,0BC946E79h,0C6A376D2h,06549C2C8h
dd 0530FF8EEh,0468DDE7Dh,0D5730A1Dh,04CD04DC6h
dd 02939BBDBh,0A9BA4650h,0AC9526E8h,0BE5EE304h
dd 0A1FAD5F0h,06A2D519Ah,063EF8CE2h,09A86EE22h
dd 0C089C2B8h,043242EF6h,0A51E03AAh,09CF2D0A4h
dd 083C061BAh,09BE96A4Dh,08FE51550h,0BA645BD6h
dd 02826A2F9h,0A73A3AE1h,04BA99586h,0EF5562E9h
dd 0C72FEFD3h,0F752F7DAh,03F046F69h,077FA0A59h
dd 080E4A915h,087B08601h,09B09E6ADh,03B3EE593h
dd 0E990FD5Ah,09E34D797h,02CF0B7D9h,0022B8B51h
dd 096D5AC3Ah,0017DA67Dh,0D1CF3ED6h,07C7D2D28h
dd 01F9F25CFh,0ADF2B89Bh,05AD6B472h,05A88F54Ch
dd 0E029AC71h,0E019A5E6h,047B0ACFDh,0ED93FA9Bh
dd 0E8D3C48Dh,0283B57CCh,0F8D56629h,079132E28h
dd 0785F0191h,0ED756055h,0F7960E44h,0E3D35E8Ch
dd 015056DD4h,088F46DBAh,003A16125h,00564F0BDh
dd 0C3EB9E15h,03C9057A2h,097271AECh,0A93A072Ah
dd 01B3F6D9Bh,01E6321F5h,0F59C66FBh,026DCF319h
dd 07533D928h,0B155FDF5h,003563482h,08ABA3CBBh
dd 028517711h,0C20AD9F8h,0ABCC5167h,0CCAD925Fh
dd 04DE81751h,03830DC8Eh,0379D5862h,09320F991h
dd 0EA7A90C2h,0FB3E7BCEh,05121CE64h,0774FBE32h
dd 0A8B6E37Eh,0C3293D46h,048DE5369h,06413E680h
dd 0A2AE0810h,0DD6DB224h,069852DFDh,009072166h
dd 0B39A460Ah,06445C0DDh,0586CDECFh,01C20C8AEh
dd 05BBEF7DDh,01B588D40h,0CCD2017Fh,06BB4E3BBh
dd 0DDA26A7Eh,03A59FF45h,03E350A44h,0BCB4CDD5h
dd 072EACEA8h,0FA6484BBh,08D6612AEh,0BF3C6F47h
dd 0D29BE463h,0542F5D9Eh,0AEC2771Bh,0F64E6370h
dd 0740E0D8Dh,0E75B1357h,0F8721671h,0AF537D5Dh
dd 04040CB08h,04EB4E2CCh,034D2466Ah,00115AF84h
dd 0E1B00428h,095983A1Dh,006B89FB4h,0CE6EA048h
dd 06F3F3B82h,03520AB82h,0011A1D4Bh,0277227F8h
dd 0611560B1h,0E7933FDCh,0BB3A792Bh,0344525BDh
dd 0A08839E1h,051CE794Bh,02F32C9B7h,0A01FBAC9h
dd 0E01CC87Eh,0BCC7D1F6h,0CF0111C3h,0A1E8AAC7h
dd 01A908749h,0D44FBD9Ah,0D0DADECBh,0D50ADA38h
dd 00339C32Ah,0C6913667h,08DF9317Ch,0E0B12B4Fh
dd 0F79E59B7h,043F5BB3Ah,0F2D519FFh,027D9459Ch
dd 0BF97222Ch,015E6FC2Ah,00F91FC71h,09B941525h
dd 0FAE59361h,0CEB69CEBh,0C2A86459h,012BAA8D1h
dd 0B6C1075Eh,0E3056A0Ch,010D25065h,0CB03A442h
dd 0E0EC6E0Eh,01698DB3Bh,04C98A0BEh,03278E964h
dd 09F1F9532h,0E0D392DFh,0D3A0342Bh,08971F21Eh
dd 01B0A7441h,04BA3348Ch,0C5BE7120h,0C37632D8h
dd 0DF359F8Dh,09B992F2Eh,0E60B6F47h,00FE3F11Dh
dd 0E54CDA54h,01EDAD891h,0CE6279CFh,0CD3E7E6Fh
dd 01618B166h,0FD2C1D05h,0848FD2C5h,0F6FB2299h
dd 0F523F357h,0A6327623h,093A83531h,056CCCD02h
dd 0ACF08162h,05A75EBB5h,06E163697h,088D273CCh
dd 0DE966292h,081B949D0h,04C50901Bh,071C65614h
dd 0E6C6C7BDh,0327A140Ah,045E1D006h,0C3F27B9Ah
dd 0C9AA53FDh,062A80F00h,0BB25BFE2h,035BDD2F6h
dd 071126905h,0B2040222h,0B6CBCF7Ch,0CD769C2Bh
dd 053113EC0h,01640E3D3h,038ABBD60h,02547ADF0h
dd 0BA38209Ch,0F746CE76h,077AFA1C5h,020756060h
dd 085CBFE4Eh,08AE88DD8h,07AAAF9B0h,04CF9AA7Eh
dd 01948C25Ch,002FB8A8Ch,001C36AE4h,0D6EBE1F9h
dd 090D4F869h,0A65CDEA0h,03F09252Dh,0C208E69Fh
dd 0B74E6132h,0CE77E25Bh,0578FDFE3h,03AC372E6h
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
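;Function: initialization routine for the modified MD5
;Parameters:
; lpSData: pointer, address of the source data
; lpHData: pointer, address of the destination data
; nNum: number of bytes of initialization data
;Return value: none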
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
InitLMD proc lpSData:DWORD,lpHData:DWORD,nNum:DWORD
pushad
mov esi,lpSData
mov edi,lpHData
mov ecx,nNum
xor eax,eax
mov DWORD ptr [edi],eax
add edi,4
sar ecx,2
rep movs DWORD ptr [edi],DWORD ptr [esi]
mov edi,lpHData
xor eax,eax
mov DWORD ptr [edi+104h],eax
mov DWORD ptr [edi+108h],55555555h
mov DWORD ptr [edi+10ch],55555555h
mov DWORD ptr [edi+110h],55555555h
mov DWORD ptr [edi+114h],55555555h
popad
ret
InitLMD endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
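;Function: modified MD5 algorithm routine
;Parameters:
; lpHData: pointer, address of the initialized data
; lpKey: pointer, address of the data to be encrypted
; nLen: length of the data to be encrypted
;Return value: none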
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
UpdateLMD proc lpHData:DWORD,lpKey:DWORD,nLen:DWORD
local nCount:DWORD
pushad
mov edi,lpHData
mov esi,lpKey
mov ecx,nLen
mov nCount,ecx
@3:
mov al,BYTE ptr [esi]
mov edx,DWORD ptr [edi]
xor BYTE ptr [edi+edx+4],al
inc DWORD ptr [edi]
cmp DWORD ptr [edi],100h
jnz @1
xor edx,edx
mov DWORD ptr [edi],edx
@1:
mov edx,DWORD ptr [edi+104h]
xor BYTE ptr [edi+edx+108h],al
inc DWORD ptr [edi+104h]
cmp DWORD ptr [edi+104h],8
jnz @2
mov edx,DWORD ptr [edi+114h]
mov ecx,DWORD ptr [edi+110h]
mov ebx,DWORD ptr [edi+10ch]
mov eax,DWORD ptr [edi+108h]
push esi
push edi
mov edi,4
@4:
add edx,eax
add eax,edx
mov esi,edx
shr esi,7
xor edx,esi
add ecx,edx
add edx,ecx
mov esi,ecx
shl esi,0dh
xor ecx,esi
add ebx,ecx
add ecx,ebx
mov esi,ebx
shr esi,11h
xor ebx,esi
add eax,ebx
add ebx,eax
mov esi,eax
shl esi,9
xor eax,esi
add edx,eax
add eax,edx
mov esi,edx
shr esi,3
xor edx,esi
add ecx,edx
add edx,ecx
mov esi,ecx
shl esi,7
xor ecx,esi
add ebx,ecx
add ecx,ebx
mov esi,eax
shr esi,0fh
xor ebx,esi
add eax,ebx
add ebx,eax
mov esi,eax
shl esi,0bh
xor eax,esi
dec edi
jnz @4
pop edi
pop esi
mov DWORD ptr [edi+108h],edx
mov DWORD ptr [edi+10ch],ecx
mov DWORD ptr [edi+110h],ebx
mov DWORD ptr [edi+114h],eax
xor eax,eax
mov DWORD ptr [edi+104h],eax
@2:
inc esi
dec nCount
jnz @3
popad
ret
UpdateLMD endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
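;Function: initialization routine for the Hash algorithm
;Parameters:
; lpTStr: pointer, address of the initialization data
; lpStr: pointer, address of the 5 MD5 initialization variables after computation
; nNum: group width for the last 4 variables (groups of 8)
; nCon: flag (constant 1)
;Return value: none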
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
InitEncryptLBC proc lpTStr:DWORD,lpStr:DWORD,nNum:DWORD,nCon:DWORD
local lpTmp1:DWORD,lpTmp2:DWORD,nTmp3:DWORD,nTmp4:DWORD,nTmp5:DWORD
local nTmp6:DWORD,nTmp7:DWORD,nTmp8:DWORD,lpTmp9:DWORD
pushad
mov edi,lpTStr
mov esi,lpStr
mov ebx,nCon
mov lpTmp1,edi
mov lpTmp2,esi
mov BYTE ptr [edi],bl
mov edx,nNum
mov eax,10h
cmp edx,eax
jg @1
mov eax,edx
@1:
mov edx,eax
mov eax,4
cmp edx,eax
jl @2
mov eax,edx
@2:
mov edx,lpTmp1
mov DWORD ptr [edx+4],eax
mov nTmp8,4
lea edi,szKey2
mov lpTmp9,edi
mov eax,lpTmp1
add eax,8
@4:
mov edx,lpTmp2
mov edx,DWORD ptr [edx]
mov ecx,lpTmp9
mov esi,DWORD ptr [ecx]
mov ecx,esi
mov ebx,lpTmp2
mov ebx,DWORD ptr [ebx+4]
mov nTmp3,esi
mov edi,lpTmp2
mov edi,DWORD ptr [edi+8]
mov nTmp4,edi
mov nTmp5,esi
mov edi,lpTmp2
mov edi,DWORD ptr [edi+0ch]
mov nTmp6,edi
mov nTmp7,esi
mov esi,8
@3:
mov edi,ecx
shl edi,0bh
xor edx,edi
add nTmp3,edx
add ecx,ebx
mov edi,ebx
shr edi,2
xor ecx,edi
add nTmp4,ecx
add ebx,nTmp3
mov edi,nTmp3
shl edi,8
xor ebx,edi
add nTmp5,ebx
mov edi,nTmp4
add nTmp3,edi
mov edi,nTmp4
shr edi,10h
xor nTmp3,edi
mov edi,nTmp3
add nTmp6,edi
mov edi,nTmp5
add nTmp4,edi
mov edi,nTmp5
shl edi,0ah
xor nTmp4,edi
mov edi,nTmp4
add nTmp7,edi
mov edi,nTmp6
add nTmp5,edi
mov edi,nTmp6
shr edi,4
xor nTmp5,edi
add edx,nTmp5
mov edi,nTmp7
add nTmp6,edi
mov edi,nTmp7
shl edi,8
xor nTmp6,edi
add ecx,nTmp6
add nTmp7,edx
mov edi,edx
shr edi,9
xor nTmp7,edi
add ebx,nTmp7
add edx,ecx
dec esi
jnz @3
mov DWORD ptr [eax],edx
mov DWORD ptr [eax+4],ecx
mov DWORD ptr [eax+8],ebx
mov edx,nTmp3
mov DWORD ptr [eax+0ch],edx
mov edx,nTmp4
mov DWORD ptr [eax+10h],edx
mov edx,nTmp5
mov DWORD ptr [eax+14h],edx
mov edx,nTmp6
mov DWORD ptr [eax+18h],edx
mov edx,nTmp7
mov DWORD ptr [eax+1ch],edx
add eax,20h
add lpTmp9,4
dec nTmp8
jnz @4
popad
ret
InitEncryptLBC endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
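;Function: computation routine for the Hash algorithm
;Parameters:
; lpTStr: pointer, address of the initialization data
; lpData: pointer, address of the data to be encrypted (the 4 variables of the modified MD5)
; nNum: number of transformation passes
;Return value: none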
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
EncryptLBC proc lpTStr:DWORD,lpData:DWORD,nNum:DWORD
local szStr[32]:BYTE,nCon:DWORD
pushad
mov esi,lpData
mov ecx,nNum
mov nCon,ecx
@2:
mov eax,DWORD ptr [esi]
mov DWORD ptr [szStr+0ch],eax
mov eax,DWORD ptr [esi+4]
mov DWORD ptr [szStr+10h],eax
mov eax,DWORD ptr [esi+8]
mov DWORD ptr [szStr+14h],eax
mov eax,DWORD ptr [esi+0ch]
mov DWORD ptr [szStr+18h],eax
mov ebx,lpTStr
mov eax,DWORD ptr [ebx+4]
mov DWORD ptr [szStr+1ch],eax
add ebx,8
push esi
@1:
mov edx,DWORD ptr [szStr+0ch]
mov ecx,DWORD ptr [ebx]
mov esi,DWORD ptr [szStr+10h]
mov eax,DWORD ptr [ebx+4]
add edx,eax
add eax,edx
mov edi,edx
shr edi,7
xor edx,edi
add ecx,edx
add edx,ecx
mov edi,ecx
shl edi,0dh
xor ecx,edi
add esi,ecx
add ecx,esi
mov edi,esi
shr edi,11h
xor esi,edi
add eax,esi
add esi,eax
mov edi,eax
shl edi,9
xor eax,edi
add edx,eax
add eax,edx
mov edi,edx
shr edi,3
xor edx,edi
add ecx,edx
add edx,ecx
mov edi,ecx
shl edi,7
xor ecx,edi
add esi,ecx
add ecx,esi
mov edi,eax
shr edi,0fh
xor esi,edi
add eax,esi
add esi,eax
mov edi,eax
shl edi,0bh
xor eax,edi
mov edi,edx
mov edx,esi
mov esi,edi
mov edi,ecx
mov ecx,eax
mov eax,edi
add edx,eax
add eax,edx
mov edi,edx
shr edi,7
xor edx,edi
add ecx,edx
add edx,ecx
mov edi,ecx
shl edi,0dh
xor ecx,edi
add esi,ecx
add ecx,esi
mov edi,esi
shr edi,11h
xor esi,edi
add eax,esi
add esi,eax
mov edi,eax
shl edi,9
xor eax,edi
add edx,eax
add eax,edx
mov edi,edx
shr edi,3
xor edx,edi
add ecx,edx
add edx,ecx
mov edi,ecx
shl edi,7
xor ecx,edi
add esi,ecx
add ecx,esi
mov edi,eax
shr edi,0fh
xor esi,edi
add eax,esi
add esi,eax
mov edi,eax
shl edi,0bh
xor eax,edi
xor edx,DWORD ptr [szStr+14h]
xor ecx,edx
mov DWORD ptr [szStr+4],ecx
xor esi,DWORD ptr [szStr+18h]
xor eax,esi
mov DWORD ptr [szStr+8],eax
mov eax,DWORD ptr [szStr+0ch]
mov DWORD ptr [szStr+14h],eax
mov eax,DWORD ptr [szStr+10h]
mov DWORD ptr [szStr+18h],eax
mov eax,DWORD ptr [szStr+4]
mov DWORD ptr [szStr+0ch],eax
mov eax,DWORD ptr [szStr+8]
mov DWORD ptr [szStr+10h],eax
add ebx,8
dec DWORD ptr [szStr+1ch]
jnz @1
pop esi
mov eax,DWORD ptr [szStr+14h]
mov DWORD ptr [esi],eax
mov eax,DWORD ptr [szStr+18h]
mov DWORD ptr [esi+4],eax
mov eax,DWORD ptr [szStr+0ch]
mov DWORD ptr [esi+8],eax
mov eax,DWORD ptr [szStr+10h]
mov DWORD ptr [esi+0ch],eax
add esi,10h
dec nCon
jnz @2
popad
ret
EncryptLBC endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
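;Function: hash the 16 bytes produced by the MD5 step into 128 bytes, then take the first 16
;Parameters:
; lpENKey: pointer, address of the encrypted output
; lpHData: pointer, address of the modified MD5 initialization data after transformation
; nNum: number of result bytes to take
;Return value: none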
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
FinalizeLMD proc lpENKey:DWORD,lpHData:DWORD,nNum:DWORD
local szTStr[160]:BYTE
pushad
mov edi,lpENKey
mov ecx,nNum
mov esi,lpHData
mov ebx,8
sub ebx,DWORD ptr [esi+104h]
invoke UpdateLMD,esi,addr szKey1,ebx
lea edx,[esi+108h]
lea eax,szTStr
invoke InitEncryptLBC,eax,edx,8,1
add esi,4
invoke EncryptLBC,eax,esi,10h
rep movs BYTE ptr [edi],BYTE ptr [esi]
popad
ret
FinalizeLMD endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
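;Function: hash the string to be encrypted into 16 bytes of data
;Parameters:
; lpENKey: pointer, address of the encrypted output
; lpKeyStr: pointer, address of the data to be encrypted
;Return value: none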
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HashLMD proc lpENKey:DWORD,lpKeyStr:DWORD
local szHData[320]:BYTE
pushad
invoke InitLMD,addr szSData,addr szHData,118h
invoke lstrlen,lpKeyStr
invoke UpdateLMD,addr szHData,lpKeyStr,eax
invoke FinalizeLMD,lpENKey,addr szHData,10h
popad
ret
HashLMD endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;Function: BlowFish core routine
;Parameters:
; lpKBox: pointer, address of the initialization data
; lpBFStr: pointer, address of the data to be encrypted
;Return value: none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
EncryptBF proc lpKBox:DWORD,lpBFStr:DWORD
local nHigh:DWORD,nLow:DWORD
pushad
mov ebx,lpKBox
mov edi,lpBFStr
mov eax,DWORD ptr [edi]
mov nHigh,eax
mov eax,DWORD ptr [edi+4]
mov nLow,eax
mov eax,DWORD ptr [ebx]
xor nHigh,eax
mov eax,1
@1:
xor edx,edx
mov dl,BYTE ptr [edi+3]
mov edx,DWORD ptr [ebx+edx*4+48h]
xor ecx,ecx
mov cl,BYTE ptr [edi+2]
add edx,DWORD ptr [ebx+ecx*4+448h]
xor ecx,ecx
mov cl,BYTE ptr [edi+1]
xor edx,DWORD ptr [ebx+ecx*4+848h]
xor ecx,ecx
mov cl,BYTE ptr [edi]
add edx,DWORD ptr [ebx+ecx*4+0c48h]
mov ecx,DWORD ptr [ebx+eax*4]
xor ecx,nLow
xor edx,ecx
mov nLow,edx
xor edx,edx
mov dl,BYTE ptr [edi+7]
mov edx,DWORD ptr [ebx+edx*4+48h]
xor ecx,ecx
mov cl,BYTE ptr [edi+6]
add edx,DWORD ptr [ebx+ecx*4+448h]
xor ecx,ecx
mov cl,BYTE ptr [edi+5]
xor edx,DWORD ptr [ebx+ecx*4+848h]
xor ecx,ecx
mov cl,BYTE ptr [edi+4]
add edx,DWORD ptr [ebx+ecx*4+0c48h]
mov ecx,DWORD ptr [ebx+eax*4+4]
xor ecx,nHigh
xor edx,ecx
mov nHigh,edx
add eax,2
cmp eax,10h
jle @1
mov eax,DWORD ptr [ebx+44h]
xor nLow,eax
mov eax,nHigh
mov DWORD ptr [edi],eax
mov eax,nLow
mov DWORD ptr [edi+4],eax
popad
ret
EncryptBF endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;Function: BlowFish key initialization routine
;Parameters:
; lpKBox: pointer, address of the initialization data
; lpKey: pointer, address of the key
;Return value: none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
InitEncryptBF proc lpKBox:DWORD,lpKey:DWORD
local szBFStr[8]:BYTE,nCon:DWORD
pushad
lea esi,szpBox
mov edi,lpKBox
mov ecx,48h
sar ecx,2
rep movs DWORD ptr [edi],DWORD ptr [esi]
lea esi,szsBox
mov ecx,1000h
sar ecx,2
rep movs DWORD ptr [edi],DWORD ptr [esi]
xor edi,edi
mov esi,12h
mov eax,lpKBox
mov ebx,lpKey
@3:
xor edx,edx
mov nCon,4
@2:
shl edx,8
xor ecx,ecx
mov cl,BYTE ptr [ebx+edi]
or edx,ecx
inc edi
cmp edi,10h
jl @1
xor edi,edi
@1:
dec nCon
jnz @2
xor DWORD ptr [eax],edx
add eax,4
dec esi
jnz @3
xor eax,eax
mov DWORD ptr [szBFStr],eax
mov DWORD ptr [szBFStr+4],eax
mov ebx,lpKBox
xor esi,esi
@4:
invoke EncryptBF,ebx,addr szBFStr
mov eax,DWORD ptr [szBFStr]
mov DWORD ptr [ebx+esi*4],eax
mov eax,DWORD ptr [szBFStr+4]
mov DWORD ptr [ebx+esi*4+4],eax
add esi,2
cmp esi,11h
jle @4
mov edi,4
@6:
xor esi,esi
@5:
mov edx,lpKBox
invoke EncryptBF,edx,addr szBFStr
mov eax,DWORD ptr [szBFStr]
mov DWORD ptr [ebx+esi*4+48h],eax
mov eax,DWORD ptr [szBFStr+4]
mov DWORD ptr [ebx+esi*4+4ch],eax
add esi,2
cmp esi,0ffh
jle @5
add ebx,400h
dec edi
jnz @6
popad
ret
InitEncryptBF endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
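;Function: Base64 routine
;Parameters:
; lpBStr: pointer, address of the encoded output
; lpTStr: pointer, address of the data to be encoded
; nByte: number of bytes to encode
;Return value: none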
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
EncodeBase64 proc lpBStr:DWORD,lpTStr:DWORD,nByte:DWORD
local nNum:DWORD
pushad
mov edi,lpTStr
mov ebx,edi
mov eax,nByte
mov nNum,eax
mov ecx,lpBStr
@7:
cmp nNum,0
je @1
mov edi,1
xor esi,esi
jmp @2
@3:
mov al,BYTE ptr [ebx-1+edi]
xor edx,edx
mov dl,al
shr edx,2
and dl,3fh
and edx,0ffh
mov dl,BYTE ptr [szBase+edx]
mov BYTE ptr [ecx+esi],dl
mov edx,eax
shl edx,4
xor eax,eax
mov al,BYTE ptr [ebx+edi]
shr eax,4
or dl,al
and dl,3fh
xor eax,eax
mov al,dl
mov al,BYTE ptr [szBase+eax]
mov BYTE ptr [ecx+1+esi],al
mov dl,BYTE ptr [ebx+edi]
shl edx,2
mov al,BYTE ptr [ebx+1+edi]
push ecx
xor ecx,ecx
mov cl,al
shr ecx,6
or dl,cl
and dl,3fh
and edx,0ffh
mov dl,BYTE ptr [szBase+edx]
pop ecx
mov BYTE ptr [ecx+2+esi],dl
mov edx,eax
and dl,3fh
xor eax,eax
mov al,dl
mov al,BYTE ptr [szBase+eax]
mov BYTE ptr [ecx+3+esi],al
add edi,3
add esi,4
@2:
mov eax,nNum
sub eax,2
cmp edi,eax
jle @3
cmp edi,nNum
jg @4
mov al,BYTE ptr [ebx-1+edi]
xor edx,edx
mov dl,al
shr edx,2
and dl,3fh
and edx,0ffh
mov dl,BYTE ptr [szBase+edx]
mov BYTE ptr [ecx+esi],dl
cmp edi,nNum
jnz @5
mov edx,eax
shl edx,4
and dl,30h
and dl,3fh
xor eax,eax
mov al,dl
mov al,BYTE ptr [szBase+eax]
mov BYTE ptr [ecx+1+esi],al
mov BYTE ptr [ecx+2+esi],3dh
mov BYTE ptr [ecx+3+esi],0
jmp @6
@5:
mov edx,eax
shl edx,4
and dl,30h
xor eax,eax
mov al,BYTE ptr [ebx+edi]
shr eax,4
and al,0fh
or dl,al
and dl,3fh
xor eax,eax
mov al,dl
mov al,BYTE ptr [szBase+eax]
mov BYTE ptr [ecx+1+esi],al
mov dl,BYTE ptr [ebx+edi]
shl edx,2
and dl,3ch
and dl,3fh
xor eax,eax
mov al,dl
mov al,BYTE ptr [szBase+eax]
mov BYTE ptr [ecx+2+esi],al
@6:
mov BYTE ptr [ecx+3+esi],3dh
mov BYTE ptr [ecx+4+esi],0
add esi,4
@4:
cmp nNum,2dh
jge @7
@1:
popad
ret
EncodeBase64 endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
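;Function: encrypt the input string with BlowFish, then Base64
;Parameters:
; lpENStr: pointer, address of the encrypted output
; lpKeyStr: pointer, address of the data to be encrypted
; lpKey: pointer, address of the key
;Return value: none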
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
BFEncryptStream proc lpENStr:DWORD,lpKeyStr:DWORD,lpKey:DWORD
local szKBox[1060]:DWORD,szTStr[64]:BYTE
pushad
invoke RtlZeroMemory,addr szTStr,sizeof szTStr
invoke InitEncryptBF,addr szKBox,lpKey
mov esi,lpKeyStr
invoke lstrlen,esi
mov ecx,eax
mov ebx,eax
lea edi,szTStr
rep movs BYTE ptr [edi],BYTE ptr [esi]
mov ecx,8
xor edx,edx
div ecx
mov esi,eax
lea edi,szTStr
xor edx,edx
cmp eax,0
je @1
@2:
invoke EncryptBF,addr szKBox,edi
add edi,8
sub ebx,ecx
add edx,ecx
dec esi
jnz @2
cmp ebx,0
je @3
@1:
mov BYTE ptr [edi+7],bl
invoke EncryptBF,addr szKBox,edi
add edx,ecx
@3:
invoke EncodeBase64,lpENStr,addr szTStr,edx
popad
ret
BFEncryptStream endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Main algorithm routine
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
GetRegKey proc hDlg:DWORD
local szRegName[16]:BYTE,szRegNum[32]:BYTE
local szKeyTmp1[64]:BYTE,szKeyTmp2[64]:BYTE,szENStr[32]:BYTE
pushad
invoke RtlZeroMemory,addr szRegName,sizeof szRegName
invoke RtlZeroMemory,addr szRegNum,sizeof szRegNum
invoke GetDlgItemText,hDlg,IDC_NAME,addr szRegName,sizeof szRegName
.if !eax
invoke SetDlgItemText,hDlg,IDC_REG,CTXT("请输入用户名!")
.else
invoke HashLMD,addr szKeyTmp1,addr szKeyStr1
invoke BFEncryptStream,addr szKeyTmp2,addr szKeyStr2,addr szKeyTmp1
invoke HashLMD,addr szKeyTmp1,addr szKeyTmp2
movzx edi,BYTE ptr [szRegName]
inc edi
@@:
invoke BFEncryptStream,addr szKeyTmp2,addr szRegName,addr szKeyTmp1
invoke lstrcpy,addr szENStr,addr szKeyTmp2
invoke HashLMD,addr szKeyTmp1,addr szKeyTmp2
dec edi
jnz @b
lea edi,szRegNum
invoke GetTickCount
mov ecx,19h
xor edx,edx
@@:
and eax,3fh
mov bl,BYTE ptr [szBase+eax]
mov BYTE ptr [edi+edx],bl
add eax,4
inc edx
dec ecx
jnz @b
lea esi,szENStr
mov al,BYTE ptr [esi]
mov BYTE ptr [edi+1],al
mov al,BYTE ptr [esi+1]
mov BYTE ptr [edi+6],al
mov al,BYTE ptr [esi+2]
mov BYTE ptr [edi+8],al
mov al,BYTE ptr [esi+3]
mov BYTE ptr [edi+0dh],al
mov al,BYTE ptr [esi+4]
mov BYTE ptr [edi+10h],al
mov al,BYTE ptr [esi+5]
mov BYTE ptr [edi+12h],al
mov al,BYTE ptr [esi+6]
mov BYTE ptr [edi+14h],al
mov al,BYTE ptr [esi+7]
mov BYTE ptr [edi+18h],al
mov BYTE ptr [edi+4],2dh
mov BYTE ptr [edi+9],2dh
mov BYTE ptr [edi+0eh],2dh
mov BYTE ptr [edi+13h],2dh
invoke CharUpper,edi
invoke SetDlgItemText,hDlg,IDC_REG,edi
.endif
popad
ret
GetRegKey endp
---------------------------------------------------------------------------------------------------------
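【Copyright Notice】 This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thank you!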
---------------------------------------------------------------------------------------------------------