明文是:10:0C:29:E6:3C:94&-867757534&3102-13526&1.0&20130626&Microsoft Windows XP&2014-8-7&2&&2014-10-16 11:2
加密后密文是:21F067931962D2AB3F9BCE30D7E0B1DFEBB72D3C2E9846C945F525D3A3379FA171FE99AF79778CD8C0C8B1AB73BA45DEED10
调用下面的加密call
; Call site of the encryption routine fm4.0043B390 (OllyDbg listing, 32-bit x86,
; Intel operand order). The end-of-line notes are the poster's own annotations,
; translated; the concrete values are what the poster saw in the debugger.
0042FAD5 mov esi,dword ptr ds:[edx+0x18C] ; esi is loaded with 44c0048 (poster's observed value); that memory holds a run of 0/1 values
0042FADB push eax ; plaintext length
0042FADC mov ecx,ebx ; plaintext address
0042FADE call fm4.0043B390 ; encryption routine
然后按 F7 跟进 call fm4.0043B390,下面贴出一部分关键代码。这是一段循环,每次传 2 个字节的明文到 call fm4.0043AC10 里加密。(注:从下面的指令看,每轮是用两条 dword 读取取出明文,并把指针加 0x8,即每轮实际处理 8 字节。)
; Per-block loop inside fm4.0043B390 (excerpt; the loop setup is not shown).
; Each pass reads two dwords (8 bytes) from [edi], copies them into a stack
; temporary, calls fm4.0043AC10 on that temporary, then copies 8 result bytes
; from [esi+0x680] to [ebx]. Both pointers advance by 8 and [local.6] counts
; the remaining passes.
; NOTE(review): nothing in this excerpt feeds one block's output into the next
; block's input, so each 8-byte block appears to be processed independently;
; confirm against the part of fm4.0043B390 that is not shown.
0043B430 mov edx,dword ptr ds:[edi] ; first dword of the current input block
0043B432 mov eax,dword ptr ds:[edi+0x4] ; second dword of the current input block
0043B435 push esi ; the one stack argument of fm4.0043AC10 (read there as arg.1)
0043B436 lea ecx,[local.4] ; ecx = address of the temporary; poster's note: 33312d32
0043B439 mov [local.4],edx ; poster: "one byte of plaintext" -- NOTE(review): the store is a full dword (4 bytes)
0043B43C mov [local.3],eax ; poster: "another byte of plaintext" -- likewise a dword
0043B43F call fm4.0043AC10 ; poster: pass the two plaintext values in for encryption; the result ends up at 043f06c8
0043B444 mov ecx,dword ptr ds:[esi+0x680] ; poster: 043f06c8 -- first result dword
0043B44A mov dword ptr ds:[ebx],ecx ; write it to the output buffer
0043B44C mov edx,dword ptr ds:[esi+0x684] ; second result dword
0043B452 mov dword ptr ds:[ebx+0x4],edx ; write it to the output buffer
0043B455 add edi,0x8 ; advance the input pointer by one 8-byte block
0043B458 add ebx,0x8 ; advance the output pointer by one 8-byte block
0043B45B dec [local.6] ; one fewer block remaining
0043B45E jnz Xfm4.0043B430 ; repeat until the counter reaches zero
最后把 call fm4.0043AC10 代码贴出来,看看有帮助么。
; fm4.0043AC10 -- transforms one 8-byte block (OllyDbg listing, 32-bit x86).
; In:    ecx     = pointer to the 8 input bytes (moved to esi at 0043AC2D)
;        [arg.1] = pointer to a work area, called ctx below (kept in [local.58])
; Out:   nothing is returned in a register in the visible code; this routine
;        fills ctx+0x600..ctx+0x63F and hands ctx+0x680 to fm4.0043B280
; Stack: the callee removes its one argument (retn 0x4)
; Flow:  clear three stack buffers -> expand the input into 64 one-bit bytes ->
;        fm4.0043B000 -> split the 64 bytes into two 32-byte halves -> 16 calls
;        to fm4.0043AD90 -> rejoin the halves in the opposite order -> reorder
;        through the 64-entry table at 0x49A2C8 -> fm4.0043B280
; NOTE(review): a 64-bit block, 16 rounds over two 32-bit halves and a 1-based
; 64-entry reorder table have the shape of DES; this is an inference from the
; structure only -- confirm by comparing the table at 0x49A2C8 with the
; published DES tables.
0043AC10 /$ 55 push ebp
0043AC11 |. 8BEC mov ebp,esp ; standard ebp frame
0043AC13 |. 81EC E8000000 sub esp,0xE8 ; 0xE8 bytes of locals
0043AC19 |. A1 E0764B00 mov eax,dword ptr ds:[0x4B76E0] ; global value mixed with ebp below
0043AC1E |. 33C5 xor eax,ebp
0043AC20 |. 8945 FC mov [local.1],eax ; NOTE(review): looks like the MSVC /GS stack-cookie setup; checked again at 0043AD7A
0043AC23 |. 8B45 08 mov eax,[arg.1] ; eax = ctx
0043AC26 |. 53 push ebx ; save registers restored before return
0043AC27 |. 56 push esi
0043AC28 |. 57 push edi
0043AC29 |. 33DB xor ebx,ebx ; ebx = 0, reused as the zero value below
0043AC2B |. 6A 3F push 0x3F ; third argument: 0x3F
0043AC2D |. 8BF1 mov esi,ecx ; esi = input pointer
0043AC2F |. 8D4D BD lea ecx,dword ptr ss:[ebp-0x43]
0043AC32 |. 53 push ebx ; second argument: 0
0043AC33 |. 51 push ecx ; first argument: ebp-0x43
0043AC34 |. 8985 18FFFFFF mov [local.58],eax ; keep ctx for later
0043AC3A |. 885D BC mov byte ptr ss:[ebp-0x44],bl ; zero the byte just before the area passed to the call
0043AC3D |. E8 AE1A0300 call fm4.0046C6F0 ; presumably memset(ebp-0x43, 0, 0x3F) -- confirm
0043AC42 |. 6A 3F push 0x3F
0043AC44 |. 8D95 1DFFFFFF lea edx,dword ptr ss:[ebp-0xE3]
0043AC4A |. 53 push ebx
0043AC4B |. 52 push edx
0043AC4C |. 889D 1CFFFFFF mov byte ptr ss:[ebp-0xE4],bl ; same pattern for the buffer at ebp-0xE4
0043AC52 |. E8 991A0300 call fm4.0046C6F0
0043AC57 |. 6A 3F push 0x3F
0043AC59 |. 8D85 7DFFFFFF lea eax,dword ptr ss:[ebp-0x83]
0043AC5F |. 53 push ebx
0043AC60 |. 50 push eax
0043AC61 |. E8 8A1A0300 call fm4.0046C6F0 ; third buffer, at ebp-0x83
0043AC66 |. 83C4 24 add esp,0x24 ; drop the 9 dwords pushed for the three calls
0043AC69 |. 33C0 xor eax,eax ; eax = bit index i = 0
0043AC6B |. EB 03 jmp Xfm4.0043AC70 ; skip the 3-byte filler that follows
0043AC6D | 8D49 00 lea ecx,dword ptr ds:[ecx] ; filler, no effect
; Bit-expansion loop: for i = 0..63 store bit i of the input as one byte (0 or 1)
; at ebp-0x44+i, taking the most significant bit of each input byte first.
0043AC70 |> 8BC8 /mov ecx,eax
0043AC72 |. C1E9 03 |shr ecx,0x3 ; ecx = i / 8 = byte index
0043AC75 |. 0FBE1431 |movsx edx,byte ptr ds:[ecx+esi] ; edx = input byte (sign extension is masked off below)
0043AC79 |. 8BC8 |mov ecx,eax
0043AC7B |. 83E1 07 |and ecx,0x7 ; cl = i % 8 = bit position within the byte
0043AC7E |. D3E2 |shl edx,cl ; move the wanted bit up to bit 7
0043AC80 |. 40 |inc eax ; i++ (before the store, hence the -0x45 below)
0043AC81 |. C1FA 07 |sar edx,0x7 ; bring bit 7 down to bit 0
0043AC84 |. 80E2 01 |and dl,0x1 ; keep only that bit
0043AC87 |. 885405 BB |mov byte ptr ss:[ebp+eax-0x45],dl ; bit array slot ebp-0x44 + (i before increment)
0043AC8B |. 83F8 40 |cmp eax,0x40
0043AC8E |.^ 72 E0 \jb Xfm4.0043AC70 ; 64 bits in total
0043AC90 |. 8D85 1CFFFFFF lea eax,[local.57] ; eax = buffer at ebp-0xE4
0043AC96 |. 8D4D BC lea ecx,[local.17] ; ecx = bit array at ebp-0x44
0043AC99 |. E8 62030000 call fm4.0043B000 ; register arguments; presumably writes 64 bytes to [local.57], which is read next -- confirm
0043AC9E |. B9 08000000 mov ecx,0x8 ; 8 dwords = 32 bytes
0043ACA3 |. 8DB5 1CFFFFFF lea esi,[local.57]
0043ACA9 |. 8D7D DC lea edi,[local.9]
0043ACAC |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds> ; first 32 bytes -> [local.9]
0043ACAE |. B9 08000000 mov ecx,0x8
0043ACB3 |. 8DB5 3CFFFFFF lea esi,[local.49]
0043ACB9 |. 8DBD 5CFFFFFF lea edi,[local.41]
0043ACBF |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds> ; next 32 bytes (ebp-0xC4) -> [local.41]
0043ACC1 |. 33F6 xor esi,esi ; esi = round counter = 0
; Round loop: 16 calls to fm4.0043AD90 with edx = ctx, ecx = round index,
; ebx = &local.9 and &local.41 on the stack.
0043ACC3 |> 8B95 18FFFFFF /mov edx,[local.58] ; edx = ctx
0043ACC9 |. 8D85 5CFFFFFF |lea eax,[local.41]
0043ACCF |. 50 |push eax ; stack argument: &local.41
0043ACD0 |. 8BCE |mov ecx,esi ; ecx = round index
0043ACD2 |. 8D5D DC |lea ebx,[local.9] ; ebx = &local.9
0043ACD5 |. E8 B6000000 |call fm4.0043AD90 ; per-round routine (body not shown)
0043ACDA |. 46 |inc esi
0043ACDB |. 83FE 10 |cmp esi,0x10
0043ACDE |.^ 7C E3 \jl Xfm4.0043ACC3 ; 16 rounds
0043ACE0 |. B9 08000000 mov ecx,0x8
0043ACE5 |. 8DB5 5CFFFFFF lea esi,[local.41]
0043ACEB |. 8DBD 7CFFFFFF lea edi,[local.33]
0043ACF1 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds> ; [local.41] half goes first, at ebp-0x84
0043ACF3 |. B9 08000000 mov ecx,0x8
0043ACF8 |. 8BF3 mov esi,ebx ; ebx = &local.9 from 0043ACD2; assumes fm4.0043AD90 preserves ebx
0043ACFA |. 8D7D 9C lea edi,[local.25]
0043ACFD |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds> ; [local.9] half goes second, at ebp-0x64
0043ACFF |. 33C0 xor eax,eax ; eax = output index = 0
; Reorder loop, unrolled four times: ctx[0x600+k] = joined[table[k]], where the
; table is at 0x49A2C8 and joined starts at ebp-0x84. The -0x85 base means the
; table entries are used as 1-based positions.
0043AD01 |> 0FBE88 C8A249>movsx ecx,byte ptr ds:[eax+0x49A2C8] ; ecx = table[k]
0043AD08 |. 0FB6940D 7BFF>movzx edx,byte ptr ss:[ebp+ecx-0x85] ; edx = joined[table[k] - 1]
0043AD10 |. 8B8D 18FFFFFF mov ecx,[local.58] ; ecx = ctx
0043AD16 |. 889401 000600>mov byte ptr ds:[ecx+eax+0x600],dl ; ctx[0x600+k]
0043AD1D |. 0FBE90 C9A249>movsx edx,byte ptr ds:[eax+0x49A2C9] ; table[k+1]
0043AD24 |. 0FB69415 7BFF>movzx edx,byte ptr ss:[ebp+edx-0x85]
0043AD2C |. 889401 010600>mov byte ptr ds:[ecx+eax+0x601],dl ; ctx[0x600+k+1]
0043AD33 |. 0FBE90 CAA249>movsx edx,byte ptr ds:[eax+0x49A2CA] ; table[k+2]
0043AD3A |. 0FB69415 7BFF>movzx edx,byte ptr ss:[ebp+edx-0x85]
0043AD42 |. 889401 020600>mov byte ptr ds:[ecx+eax+0x602],dl ; ctx[0x600+k+2]
0043AD49 |. 0FBE90 CBA249>movsx edx,byte ptr ds:[eax+0x49A2CB] ; table[k+3]
0043AD50 |. 0FB69415 7BFF>movzx edx,byte ptr ss:[ebp+edx-0x85]
0043AD58 |. 889401 030600>mov byte ptr ds:[ecx+eax+0x603],dl ; ctx[0x600+k+3]
0043AD5F |. 83C0 04 add eax,0x4 ; four entries per pass
0043AD62 |. 83F8 40 cmp eax,0x40
0043AD65 |.^ 7C 9A jl Xfm4.0043AD01 ; 64 entries in total
0043AD67 |. 8BC1 mov eax,ecx ; eax = ctx
0043AD69 |. 8DB8 00060000 lea edi,dword ptr ds:[eax+0x600] ; edi = ctx+0x600, the 64 bytes written above
0043AD6F |. 8DB0 80060000 lea esi,dword ptr ds:[eax+0x680] ; esi = ctx+0x680, which the caller reads after the call
0043AD75 |. E8 06050000 call fm4.0043B280 ; poster: stored the encrypted data at 043f06c8. NOTE(review): presumably packs the 64 one-bit bytes into 8 bytes -- confirm
0043AD7A |. 8B4D FC mov ecx,[local.1] ; reload the value stored at 0043AC20
0043AD7D |. 5F pop edi
0043AD7E |. 5E pop esi
0043AD7F |. 33CD xor ecx,ebp ; undo the xor with ebp
0043AD81 |. 5B pop ebx
0043AD82 |. E8 F6A80200 call fm4.0046567D ; NOTE(review): looks like the stack-cookie check -- confirm
0043AD87 |. 8BE5 mov esp,ebp
0043AD89 |. 5D pop ebp
0043AD8A \. C2 0400 retn 0x4 ; return and pop the one stack argument
本人超级大菜鸟,完全没有解密经验。观察这个加密:明文固定时,密文也是固定的;相同的明文片段出现在字符串的不同位置时,加密出来的结果不一样。(注:这与上面循环按 8 字节分组、各组单独处理的做法相符:片段落在不同的分组边界上,所在分组的内容就不同,结果也就不同。)