[原创]游戏脱机之路(不知道能不能成功)
发表于: 2018-4-26 00:08 7698

    最近闲的无聊,在玩一款游戏,玩到60级的时候,发现里面的各种宝石刚需量很大,所以突然有个想法:如果能自己刷图就好了,但是我又想,一个号刷太慢了,多开也不行,这游戏太吃硬件了,开一个号感觉都要炸了。而且这游戏的辅助网上已经有卖的了,所以我有个大胆的想法,搞脱机的!
    既然要脱机,第一步就是要抓包。毫不犹豫,直接替换掉ws2_32.dll(其实是我根本不知道有什么好用的、可以指定进程、IP、端口、socket号来抓包的工具)。用Depends工具,把ws2_32.dll所有的导出函数,200多个,尼玛,一个一个实现那得到什么时候。我只需要截获socket、connect、send、recv、sendto、recvfrom等几个函数,所以写了个小工具,批量输出了一些代码,然后稍加改动:
  PS:我实现的是64位的
  
  1、重写ws2_32.dll
  
   1)函数指针声明(部分):
   // Pointer types for the genuine Winsock entry points, plus the `real_*`
   // slots that hold them. The slots are filled once (in DllMain, from the
   // renamed genuine DLL); the C hooks call through the typed ones and the
   // .asm forwarding stubs jump through the untyped FARPROC ones.
   //
   // NOTE(review): Winsock declares SOCKET as UINT_PTR, i.e. 8 bytes in the
   // 64-bit build this post describes. A 32-bit typedef discards the upper
   // half of whatever the genuine functions return and silently changes the
   // ABI of every pointer type below; it works only while handles stay small.
   typedef unsigned int           SOCKET;
   
    // Untyped slot: only ever jumped through by an assembly stub, never called from C.
    extern FARPROC real_accept;
   
    // PASCAL/FAR are legacy calling-convention macros kept for SDK
    // compatibility; x64 has a single calling convention.
    typedef int (PASCAL FAR *Bind)(
      _In_ SOCKET s,
      _In_reads_bytes_(namelen) const struct sockaddr FAR * name,
      _In_ int namelen
     );
    extern Bind real_bind;
   
    typedef int
     (PASCAL FAR *CLOSESOCKET_FUNC)(
      _In_ SOCKET s
     );
   
    extern CLOSESOCKET_FUNC real_closesocket;
   
    typedef int
     (PASCAL FAR *Connect)(
      _In_ SOCKET s,
      _In_reads_bytes_(namelen) const struct sockaddr FAR * name,
      _In_ int namelen
     );
   
    extern Connect real_connect;
   
    typedef int (PASCAL FAR *Getpeername) (SOCKET s, struct sockaddr FAR *name,
                               int FAR * namelen);
    extern Getpeername real_getpeername;
   
    typedef int
     (PASCAL FAR *Getsockname)(
      _In_ SOCKET s,
      _Out_writes_bytes_to_(*namelen, *namelen) struct sockaddr FAR * name,
      _Inout_ int FAR * namelen
     );
   
    extern Getsockname real_getsockname;
   
    // Functions that are forwarded unchanged stay untyped (see the .asm stubs).
    extern FARPROC real_getsockopt;
    typedef u_long (PASCAL FAR *HTONL_FUNC)(_In_ u_long hostlong);
   
    extern HTONL_FUNC real_htonl;
   
    typedef u_short (PASCAL FAR *HTONS_FUNC)( _In_ u_short hostshort);
   
    extern HTONS_FUNC real_htons;
   
    extern FARPROC real_ioctlsocket;
    extern FARPROC real_inet_addr;
    extern FARPROC real_inet_ntoa;
    extern FARPROC real_listen;
    extern FARPROC real_ntohl;
    extern FARPROC real_ntohs;
   2)从真实的ws2_32.dll中获取真实的函数地址(部分):
   BOOL APIENTRY DllMain( HANDLE hModule,
                          DWORD  ul_reason_for_call,
                          LPVOID lpReserved
         )
   {
       switch (ul_reason_for_call)
    {
     case DLL_PROCESS_ATTACH:
    g_hMod = LoadLibrary(_T("real_ws2_32.dll"));
    real_accept = GetProcAddress(g_hMod, "accept");
    real_bind = (Bind)GetProcAddress(g_hMod, "bind");
    real_closesocket = (CLOSESOCKET_FUNC)GetProcAddress(g_hMod, "closesocket");
    real_connect = (Connect)GetProcAddress(g_hMod, "connect");
    real_getpeername = (Getpeername)GetProcAddress(g_hMod, "getpeername");
    real_getsockname = (Getsockname)GetProcAddress(g_hMod, "getsockname");
    real_getsockopt = GetProcAddress(g_hMod, "getsockopt");
    real_htonl = (HTONL_FUNC)GetProcAddress(g_hMod, "htonl");
    real_htons = (HTONS_FUNC)GetProcAddress(g_hMod, "htons");
    real_ioctlsocket = GetProcAddress(g_hMod, "ioctlsocket");
    real_inet_addr = GetProcAddress(g_hMod, "inet_addr");
    real_inet_ntoa = GetProcAddress(g_hMod, "inet_ntoa");
    real_listen = GetProcAddress(g_hMod, "listen");
    real_ntohl = GetProcAddress(g_hMod, "ntohl");
    real_ntohs = GetProcAddress(g_hMod, "ntohs");
    real_recv = (Recv)GetProcAddress(g_hMod, "recv");
    real_recvfrom = (Recvfrom)GetProcAddress(g_hMod, "recvfrom");
    real_select = GetProcAddress(g_hMod, "select");
    real_send = (Send)GetProcAddress(g_hMod, "send");
    real_sendto = (Sendto)GetProcAddress(g_hMod, "sendto");
    ......中间还有好多
    GetModuleFileNameA(NULL, name, 260);
    AnsiLower(name);
    if ((strstr(name, "某某某.exe"))  && g_pMsgTransmitor == nullptr)
    {
     g_bFuck = TRUE;
     //g_pMsgTransmitor = new CMsgTransmitor(); 后来发现在dll一加载的时候创建线程游戏程序会死掉,改在socket函数里了
     //g_pMsgTransmitor->Start();
    }
       
   3)需要截获的函数:
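    SOCKET PASCAL FAR socket(
     _In_ int af,
     _In_ int type,
     _In_ int protocol
     )
    {
     // Lazily create the filter-rule manager and the message forwarder the
     // first time the traced process asks for a socket. Starting the
     // forwarder's threads from DllMain made the host hang (see the note in
     // DllMain), so it is done here instead.
     if (g_bFuck && g_pSopRulerManager == NULL)
     {
      // The rule manager reads filter settings from a shared-memory map that
      // the viewer program creates; the forwarder is only started once that
      // map could be opened.
      g_pSopRulerManager = new CStopRulerManager();
      if (g_pSopRulerManager->OpenMap())
      {
       // The forwarder opens its own TCP connection to the viewer, keeps a
       // message queue, and runs two threads: one drains the queue to the
       // viewer, one reads commands (e.g. IP/port filters) sent back by it.
       g_pMsgTransmitor = new CMsgTransmitor();
       g_pMsgTransmitor->Start();
      }
     }

     // Forward to the genuine implementation first; everything below is
     // bookkeeping and must not change what the caller observes.
     SOCKET s = real_socket(af, type, protocol);

     // Local/remote addresses are recorded in bind()/connect() instead of
     // being queried with getsockname()/getpeername(): those calls made a
     // later recv() fail with 0x2733 (WSAEWOULDBLOCK). The socket manager
     // keeps the handle -> (local, remote) mapping until closesocket().
     //
     // Winsock reports failure with INVALID_SOCKET, which is (SOCKET)~0, not
     // 0 or a negative value. The original `s > 0` test is true for that
     // sentinel, so a failed socket() call was registered as a live handle.
     if (s != (SOCKET)~0) g_socketManager.Add(s, NULL, NULL);

     // Queue the event for the viewer. This is done for failures too; the
     // message records the thread's last-error value itself.
     if (g_pMsgTransmitor) g_pMsgTransmitor->PushCreateSocketMsg(s, type, protocol);

     return s;
    }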
    
    int PASCAL FAR bind(
     _In_ SOCKET s,
     _In_reads_bytes_(namelen) const struct sockaddr FAR * name,
     _In_ int namelen
    )
    {
     // Let the genuine bind() do the work, then remember the local address
     // the socket was bound to so later messages can carry it.
     const int result = real_bind(s, name, namelen);

     // Only a successful bind (0) in a traced process is worth recording.
     const bool record = g_bFuck && result == 0;
     if (record)
     {
      g_socketManager.Add(s, (struct sockaddr_in*)name, NULL);
     }
     return result;
    }
    
    int PASCAL FAR closesocket(SOCKET s)
    {
     // Close through the genuine implementation, then drop our bookkeeping
     // for the handle and tell the viewer the socket is gone.
     const int result = real_closesocket(s);

     g_socketManager.Delete(s);

     if (g_pMsgTransmitor) g_pMsgTransmitor->PushCloseSocketMsg(s);

     return result;
    }
   
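   int
   PASCAL FAR connect(
    _In_ SOCKET s,
    _In_reads_bytes_(namelen) const struct sockaddr FAR * name,
    _In_ int namelen
    )
   {
    // Forward first; rt and the caller-visible last error come from the
    // genuine connect(). On a non-blocking socket that call is expected to
    // return SOCKET_ERROR/WSAEWOULDBLOCK while the connection is still in
    // flight, which is presumably why the peer address is recorded
    // regardless of rt (unlike bind(), which requires success).
    int  rt = real_connect(s, name, namelen);

    // Remember the peer address for this handle. Compare against the
    // INVALID_SOCKET sentinel ((SOCKET)~0) rather than using `s > 0`: that
    // test is true for the sentinel, so an invalid handle was being stored.
    // NOTE(review): name is cast to sockaddr_in without checking sa_family,
    // so an AF_INET6 peer would be recorded wrongly - confirm the game only
    // connects over IPv4.
    if (s != (SOCKET)~0) g_socketManager.Add(s, NULL, (struct sockaddr_in*)name);

    if(g_pMsgTransmitor) g_pMsgTransmitor->PushConnectMsg(s, (struct sockaddr_in *)name);

    return rt;
   }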
    
    4)不需要截获的函数(部分),由于vs2015不支持内联汇编,所以研究半天,直接用纯汇编加asm文件:
    .code
   
    ; Forwarding stub: the genuine address lives in the C global real_accept,
    ; so the jump goes *through* the variable (indirect), not *to* its label.
    real_accept PROTO C : vararg ; declares that a function/procedure real_accept is defined elsewhere (on the C side)
    accept PROC
     jmp qword ptr [real_accept] ; at first this was a plain `jmp real_accept`, which debugging showed jumped to the wrong place; the genuine ws2_32.dll uses this indirect form, and switching to it worked
    accept ENDP
    
    ;real_bind PROTO C : vararg
    ;bind PROC
    ; jmp qword ptr [real_bind]
    ;bind ENDP
    
    ;real_closesocket PROTO C : vararg
    ;closesocket PROC
    ; jmp qword ptr [real_closesocket]
    ;closesocket ENDP
    
    ;real_connect PROTO C : vararg
    ;connect PROC
    ; jmp qword ptr [real_connect]
    ;connect ENDP
    
    ; Forwarding stub: indirect jump through the real_getpeername slot.
    real_getpeername PROTO C : vararg
    getpeername PROC
     jmp qword ptr [real_getpeername]
    getpeername ENDP
    
    ; Forwarding stub: indirect jump through the real_getsockname slot.
    real_getsockname PROTO C : vararg
    getsockname PROC
     jmp qword ptr [real_getsockname]
    getsockname ENDP
    
    ; Forwarding stub: indirect jump through the real_getsockopt slot.
    real_getsockopt PROTO C : vararg
    getsockopt PROC
     jmp qword ptr [real_getsockopt]
    getsockopt ENDP
    
    ; Forwarding stub: indirect jump through the real_htonl slot.
    real_htonl PROTO C : vararg
    htonl PROC
     jmp qword ptr [real_htonl]
    htonl ENDP
     
    5)消息转发:
    
    //工作线程
    void CMsgTransmitor::_WorkThread()
    {
     // Tick counter shared by all instances (static), advanced on every
     // 20 ms poll; every 500th tick (~10 s) is a heartbeat/reconnect tick.
     static unsigned int tick = 0;

     // Poll until the stop event fires (or the wait fails) or m_bRun drops.
     // The wait is evaluated first on purpose: it is also the 20 ms pacing.
     for (;;)
     {
      if (WAIT_TIMEOUT != WaitForSingleObject(m_hWorkEndEvent, 20) || !m_bRun)
       break;
      ++tick;

      // Heartbeat tick: keep the viewer link alive and retry a dropped
      // connection; the queue is not drained on this tick. If reconnecting
      // fails, everything queued so far is discarded.
      if (tick % 500 == 0)
      {
       SendHeart();
       if (!m_bConnected && m_bRun && !_ConnectToServer())
       {
        ClearMsg();
       }
       continue;
      }

      // Drain everything queued so far, oldest first.
      // NOTE(review): _SendMsg's result is ignored and the message is freed
      // either way, so a failed write silently drops it - confirm that is
      // intended. Also, if any queued message was carved out of a
      // `new char[]` buffer (see _MSG_SEND::Create), `delete` here is a
      // new[]/delete mismatch.
      for (Msg_t *msg = _PopMsg(); msg != NULL; msg = _PopMsg())
      {
       _SendMsg(msg, msg->head.len);
       delete msg;
      }
     }
    }
   
   BOOL CMsgTransmitor::_SendMsg(void *data, int len)
   {
    // Thin wrapper: write `len` raw bytes of the message to the viewer
    // connection and report whether the write succeeded.
    char *bytes = static_cast<char*>(data);
    return m_tcp.WriteBytes(bytes, len);
   }
   
   void CMsgTransmitor::_PushMsg(Msg_t * pMsg)
   {
    // Append to the outgoing queue under m_csSend. Ownership of pMsg passes
    // to the queue; the work thread deletes it after sending.
    EnterCriticalSection(&m_csSend);
    {
     m_lstSend.push_back(pMsg);
    }
    LeaveCriticalSection(&m_csSend);
   }
   
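   Msg_t * CMsgTransmitor::_PopMsg()
   {
    // Remove and return the oldest queued message, or NULL when the queue is
    // empty. The caller owns the returned message and must delete it.
    //
    // The emptiness test now happens *inside* the critical section: the
    // original read m_lstSend.size() unlocked while producers push_back()
    // under the lock, which is a data race on the container.
    Msg_t *pMsg = NULL;

    EnterCriticalSection(&m_csSend);
    MsgList::iterator it = m_lstSend.begin();
    if (it != m_lstSend.end())
    {
     pMsg = *it;
     m_lstSend.erase(it);
    }
    LeaveCriticalSection(&m_csSend);

    return pMsg;
   }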
   
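   void CMsgTransmitor::PushCreateSocketMsg(SOCKET s, int type, int protol)
   {
    // Queue a "socket created" event for the viewer. No-op when forwarding
    // is switched off.
    if (m_bNeedToTransmit )
    {
     // Capture the thread's last-error value *before* allocating: the
     // allocation behind `new` may overwrite it, and the socket() hook that
     // calls us wants the value left behind by the genuine socket() call.
     // NOTE(review): the hook also calls g_socketManager.Add() before this,
     // which may already have clobbered it - confirm if the recorded error
     // code matters.
     const DWORD nerr = GetLastError();
     MsgCreateSocket_t *pMsg = new MsgCreateSocket_t(s, type, protol, nerr);

     _PushMsg(pMsg);
    }
   }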
   
   6)消息定义(部分):
   // Fixed header that starts every message sent to the viewer. Messages are
   // written as raw struct bytes, so field order, padding and host byte
   // order *are* the protocol.
   // NOTE(review): the receiving side should bound-check `len` against a
   // sane maximum before trusting it for an allocation or a read.
   typedef struct _MSG_HEAD
   {
    int flag;   // header marker (MSG_FLAG)
    unsigned int len; // total message length in bytes as set by the constructors (sizeof(*this), header included)
    int   type; // message type (MsgType_*)
   }MsgHead_t;
   
   // Base of every message: just the header. Concrete messages derive from it
   // and add their payload; the queue and the work thread only see Msg_t*.
   typedef struct _ST_MSG
   {
    MsgHead_t head;
   }Msg_t;
   
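   // Snapshot of one socket as carried inside the messages. Plain data; it is
   // sent as raw bytes, so do not reorder or retype fields.
   typedef struct _SOCKET_INFO
   {
    unsigned int sock;   // socket handle as seen by the hooks (32-bit; see the SOCKET typedef)
    int type;            // `type` argument of socket()
    int protol;          // `protocol` argument of socket()
    time_t tm;           // time(NULL) when the event was recorded
    struct sockaddr_in localAddr;  // from bind(); all-zero when unknown
    struct sockaddr_in remoteAddr; // from connect(); all-zero when unknown
    DWORD nError;        // GetLastError() after the hooked call
    // The hand-written operator= (a memcpy of *this) was removed: every
    // member is trivially copyable, so the implicit member-wise copy does
    // the same job, and unlike memcpy it is well-defined on self-assignment
    // (memcpy requires non-overlapping buffers).
   }SocketInfo_t;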
   
   
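   // "socket() was called" event. Created with `new` and deleted by the work
   // thread after it has been sent.
   typedef struct _MSG_CREAT_SOCKET :public _ST_MSG
   {
    SocketInfo_t socketInfo;

    // Empty event: sentinel handle/type/protocol, everything else zeroed.
    // (The original left tm and nError uninitialised, so those bytes went
    // out on the wire as whatever happened to be on the heap.)
    _MSG_CREAT_SOCKET()
    {
     head.flag = MSG_FLAG;
     head.len = sizeof(*this);
     head.type = MsgType_CreateSocket;

     socketInfo.sock = -1;
     socketInfo.type = -1;
     socketInfo.protol = -1;
     socketInfo.tm = 0;
     socketInfo.nError = 0;

     ZeroMemory(&socketInfo.localAddr, sizeof(socketInfo.localAddr));
     ZeroMemory(&socketInfo.remoteAddr, sizeof(socketInfo.remoteAddr));
    }

    // Event for an actual socket() call. Addresses are unknown at creation
    // time and stay zeroed; bind()/connect() report them in later messages.
    _MSG_CREAT_SOCKET(unsigned int s, int t, int p, DWORD nerr)
    {
     head.flag = MSG_FLAG;
     head.len = sizeof(*this);
     head.type = MsgType_CreateSocket;
     socketInfo.sock = s;
     socketInfo.type = t;
     socketInfo.protol = p;
     socketInfo.nError = nerr;
     socketInfo.tm = time(NULL);

     ZeroMemory(&socketInfo.localAddr, sizeof(socketInfo.localAddr));
     ZeroMemory(&socketInfo.remoteAddr, sizeof(socketInfo.remoteAddr));
    }
   }MsgCreateSocket_t;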
   
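   // "send() was called" event with a copy of the payload appended in place.
   typedef struct _MSG_SEND :public _ST_MSG
   {
    SocketInfo_t socketInfo;
    int  nLenRequst;  // bytes the caller asked send() to write
    int  nLenCompleted; // bytes send() reported as written
    char  data[1];   // first payload byte; the real buffer extends past the struct (see Create)

   private:
    // Never constructed directly: instances are carved out of a raw char[]
    // of the right size by Create(), so no constructor runs.
    _MSG_SEND()
    {

    }
    void init(int len)
    {
     head.flag = MSG_FLAG;
     head.len = len;
     head.type = MsgType_Send;
    }
   public:
    // Build a send event carrying a copy of the `lenToSend` payload bytes.
    // Returns nullptr for an invalid length. The storage comes from
    // `new char[]`; NOTE(review): the work thread frees queued messages with
    // `delete` on a Msg_t*, which is a new[]/delete mismatch for this type -
    // confirm how these messages are released.
    static _MSG_SEND *Create(SOCKET s, void *pData, int lenToSend, int lenSended, DWORD nerr)
    {
     // A negative length would underflow msg_len and the memcpy size below.
     if (lenToSend < 0)
      return nullptr;

     // data[1] already accounts for one payload byte.
     int msg_len = sizeof(_MSG_SEND) + lenToSend - 1;
     // Value-initialised (zero-filled) so the fields Create does not set
     // (socketInfo.type/protol, struct padding) are not uninitialised heap
     // bytes that then leave the process over the viewer connection.
     _MSG_SEND *pMsg = (_MSG_SEND*)new char[msg_len]();

     // Standard `new` throws rather than returning null; this only matters
     // for a nothrow build.
     if (pMsg != nullptr) {
      pMsg->init(msg_len);
      pMsg->nLenRequst = lenToSend;
      pMsg->nLenCompleted = lenSended;
      pMsg->socketInfo.sock = s;
      pMsg->socketInfo.nError = nerr;
      pMsg->socketInfo.tm = time(NULL);

      // Addresses recorded earlier by the bind()/connect() hooks.
      GetSocketManager().Get(s, &pMsg->socketInfo.localAddr, &pMsg->socketInfo.remoteAddr);

      memcpy_s(pMsg->data, lenToSend, pData, lenToSend);
      return pMsg;
     }
     return nullptr;
    }
   }MsgSend_t;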
   
   7)消息查看程序就不说了,界面就是MFC dialog,通信是用的完成端口,主要用的以前项目的现在代码
  用深度工具制作U盘启动,进入PE系统,将原版ws2_32.dll(注意,system32下的为64位,也是我想要的,32位版本在wow64里面)改名为real_ws2_32.dll,然后将自己的重命名为ws2_32.dll放在system32目录下。
   效果就是这样:

下一楼接着追踪数据加密。


最后于 2018-4-26 00:11 被Flove编辑 ,原因:
网络包似乎就这样拿到了,有HTTP请求,也有加密的tcp、udp报文,下一步就是追踪加密函数了。

2、加密函数的追踪定位
     我觉得加密函数是很难定位的,以我写程序的经验,加密的动作可以放在数据刚产生的时候,也可以放在数据将要发送前,还可以放在两者之间,即:数据产生了,把它缓存到一个队列,这个队列是未加密的数据队列,然后有个线程专门来加密数据,从这个队列提取未加密的数据进行加密,然后放到待发送队列,这种情况是最难的,因为没有源头也没有终点供我们追踪,如果目标程序无法调试,只能静态分析的话,要定位到这样的加密代码,如同大海捞针。还好,也许是这种方法会影响实时性,这个游戏不是这样的。
     摸索过程就不讲太多了,简单说一下。CE可以打开进程,无法调试,看不到汇编代码,OD无法附加到进程。Dump出来的数据也无法用IDA分析。过驱动保护我是不会的,太难了。瞎猫碰到死耗子,我用vs调试dump出来的数据时候,试着用vs附加到进程,居然成功了。然后我设了个函数断点。成功在send函数中断,并且这个send是我自己的send,就是那个假ws2_32.dll中的send,它还能定位到我的源码(难道是因为我用的debug版本的dll?)。
    停在中断的地方不动,我用CE加载进程,这时候可以看到汇编代码了,赶紧保存一份内存。Vs中可以看到各个模块的地址范围,然后把这个范围的内存用CE保存起来,不包含CE头。用IDA直接加载这个.CEM,IDA成功识别出了是64位exe文件,根据send函数调用的返回地址,在IDA中找到它,发现底下不对,没办法,16进制搜索,最后发现IDA中的地址比vs中运行时的地址大了C00H。

这个ws2_send是我重命名的,IDA无法识别出任何系统API,通过调试,发现数据在上面那次函数调用时加密了
64位汇编函数调用参数传递顺序:function(rcx, rdx, r8, r9, 栈0,栈8,栈16),其中,当调用对象的方法时,rcx为this指针,
加密调用,一次封装:
加密处理:

加密函数1:这段代码根据数据长度小于8、8-32之间,大于32,作了优化,最终结果就是:原始数据[i]=原始数据[i] xor 密钥[i]

; Byte-wise XOR of two buffers into a destination, done in three size classes.
; Register roles, read off the loads/stores below (there is no symbol info):
;   rcx -> destination (copied to r10 immediately)
;   rdx -> first source
;   r8  -> second source
;   r9  =  byte count
; so dst[i] = src1[i] ^ src2[i]; the post's "data[i] ^= key[i]" is the case
; where the destination aliases one of the sources. Stage 1 handles whole
; qwords, stage 2 the leftover dwords, stage 3 the leftover bytes. Each stage
; has an SSE2 path (movdqu/pxor, 32 bytes per iteration) that is taken only
; when the count is large enough and the destination does not overlap either
; source; otherwise a scalar loop runs.
EncryptFunc1    proc near               ; CODE XREF: sub_140E37EC0+42↓p
                                        ; sub_140E37EC0+1AE↓p ...
arg_0           = qword ptr  8
arg_8           = qword ptr  10h
arg_10          = qword ptr  18h
arg_18          = qword ptr  20h
                mov     [rsp+arg_8], rbx ; callee-saved registers parked in the caller's home slots
                mov     [rsp+arg_10], rbp
                mov     [rsp+arg_18], rsi
                push    rdi
                xor     ebx, ebx        ; rbx = 0: byte counter used by stage 3
                mov     r11, r9
                shr     r11, 3          ; byte count / 8 = number of whole qwords
                mov     r10, rcx        ; r10 = destination
                mov     edi, ebx        ; rdi = 0: qword counter
                test    r11, r11
                jz      loc_140E3136A   ; no whole qword: skip straight to the dword stage
                cmp     r11, 4
                jb      loc_140E31327   ; fewer than 4 qwords: scalar loop
; Overlap test, destination range vs. second source.
                add     rcx, 0FFFFFFFFFFFFFFF8h
                lea     rax, [r8-8]
                lea     rax, [rax+r11*8] ; rax = last qword of src2
                lea     rcx, [rcx+r11*8] ; rcx = last qword of dst
                cmp     r10, rax
                ja      short loc_140E312BB
                cmp     rcx, r8
                jnb     short loc_140E31327 ; ranges overlap: scalar loop
loc_140E312BB:                          ; CODE XREF: EncryptFunc1+44↑j
; Overlap test, destination range vs. first source.
                lea     rax, [rdx-8]
                lea     rax, [rax+r11*8]
                cmp     r10, rax
                ja      short loc_140E312CD
                cmp     rcx, rdx
                jnb     short loc_140E31327 ; ranges overlap: scalar loop
loc_140E312CD:                          ; CODE XREF: EncryptFunc1+56↑j
                mov     rax, r11
                mov     rbp, r11
                and     eax, 3
                mov     rcx, r10
                sub     rbp, rax        ; rbp = qword count rounded down to a multiple of 4
                sub     rcx, rdx        ; rcx = dst - src1, rsi = src2 - src1: addressing is src1-relative
                mov     rsi, r8
                lea     rax, [rdx+10h]
                sub     rsi, rdx
                nop     dword ptr [rax+00000000h]
loc_140E312F0:                          ; CODE XREF: EncryptFunc1+B5↓p
; SSE2 qword loop: two 16-byte XORs (4 qwords) per iteration.
                movdqu  xmm0, xmmword ptr [rax-10h]
                add     rdi, 4
                movdqu  xmm1, xmmword ptr [rsi+rax-10h]
                lea     rax, [rax+20h]
                pxor    xmm1, xmm0
                movdqu  xmmword ptr [rcx+rax-30h], xmm1
                movdqu  xmm1, xmmword ptr [rsi+rax-20h]
                movdqu  xmm0, xmmword ptr [rax-20h]
                pxor    xmm1, xmm0
                movdqu  xmmword ptr [rcx+rax-20h], xmm1
                cmp     rdi, rbp
                jb      short loc_140E312F0
loc_140E31327:                          ; CODE XREF: EncryptFunc1+2B↑j
                                        ; EncryptFunc1+49↑j ...
                cmp     rdi, r11
                jnb     short loc_140E3136A ; all qwords done
                mov     [rsp+8+arg_0], r14 ; scalar loop needs one more register
                lea     rcx, [r8+rdi*8]  ; rcx = src2 at the next unprocessed qword
                mov     r14, r10
                mov     rsi, rdx
                sub     r14, r8          ; r14 = dst - src2
                sub     rsi, r8          ; rsi = src1 - src2
                sub     r11, rdi         ; r11 = qwords still to do
                add     rdi, r11         ; rdi = total qwords processed after this loop
                nop     word ptr [rax+rax+00000000h]
loc_140E31350:                          ; CODE XREF: EncryptFunc1+F3↓j
; Scalar qword loop: dst[i] = src1[i] ^ src2[i].
                mov     rax, [rsi+rcx]
                xor     rax, [rcx]
                mov     [r14+rcx], rax
                lea     rcx, [rcx+8]
                sub     r11, 1
                jnz     short loc_140E31350
                mov     r14, [rsp+8+arg_0]
loc_140E3136A:                          ; CODE XREF: EncryptFunc1+21↑j
                                        ; EncryptFunc1+BA↑j
; Stage 2: advance all three pointers past the qwords handled, then repeat
; the same scheme with dwords (SSE2 path needs at least 8 dwords).
                lea     rdi, ds:0[rdi*8] ; bytes consumed by stage 1
                sub     r9, rdi
                jz      loc_140E31534    ; nothing left
                add     r10, rdi
                add     rdx, rdi
                add     r8, rdi
                mov     r11, r9
                shr     r11, 2           ; remaining bytes / 4 = whole dwords
                mov     rdi, rbx         ; rdi = 0: dword counter
                test    r11, r11
                jz      loc_140E31462
                cmp     r11, 8
                jb      loc_140E31427    ; fewer than 8 dwords: scalar loop
; Overlap tests as in stage 1, dword-sized.
                lea     rax, [r11-1]
                lea     rax, [r8+rax*4]
                lea     rcx, [r11-1]
                lea     rcx, [r10+rcx*4]
                cmp     r10, rax
                ja      short loc_140E313BB
                cmp     rcx, r8
                jnb     short loc_140E31427
loc_140E313BB:                          ; CODE XREF: EncryptFunc1+144↑j
                lea     rax, [r11-1]
                lea     rax, [rdx+rax*4]
                cmp     r10, rax
                ja      short loc_140E313CD
                cmp     rcx, rdx
                jnb     short loc_140E31427
loc_140E313CD:                          ; CODE XREF: EncryptFunc1+156↑j
                mov     rax, r11
                mov     rbp, r11
                and     eax, 7
                mov     rcx, r10
                sub     rbp, rax        ; rbp = dword count rounded down to a multiple of 8
                sub     rcx, rdx
                mov     rsi, r8
                lea     rax, [rdx+10h]
                sub     rsi, rdx
                nop     dword ptr [rax+00000000h]
loc_140E313F0:                          ; CODE XREF: EncryptFunc1+1B5↓j
; SSE2 dword loop: 8 dwords (32 bytes) per iteration.
                movdqu  xmm0, xmmword ptr [rax-10h]
                add     rdi, 8
                movdqu  xmm1, xmmword ptr [rax+rsi-10h]
                lea     rax, [rax+20h]
                pxor    xmm1, xmm0
                movdqu  xmmword ptr [rax+rcx-30h], xmm1
                movdqu  xmm1, xmmword ptr [rax+rsi-20h]
                movdqu  xmm0, xmmword ptr [rax-20h]
                pxor    xmm1, xmm0
                movdqu  xmmword ptr [rax+rcx-20h], xmm1
                cmp     rdi, rbp
                jb      short loc_140E313F0
loc_140E31427:                          ; CODE XREF: EncryptFunc1+12B↑j
                                        ; EncryptFunc1+149↑j ...
                cmp     rdi, r11
                jnb     short loc_140E31462 ; all dwords done
                mov     rsi, rdx
                lea     rcx, [r8+rdi*4]
                mov     rbp, r10
                sub     rsi, r8
                sub     rbp, r8
                sub     r11, rdi
                add     rdi, r11
                nop     dword ptr [rax+00h]
                db      66h, 66h
                nop     word ptr [rax+rax+00000000h]
loc_140E31450:                          ; CODE XREF: EncryptFunc1+1F0↓j
; Scalar dword loop.
                mov     eax, [rcx+rsi]
                xor     eax, [rcx]
                mov     [rcx+rbp], eax
                lea     rcx, [rcx+4]
                sub     r11, 1
                jnz     short loc_140E31450
loc_140E31462:                          ; CODE XREF: EncryptFunc1+121↑j
                                        ; EncryptFunc1+1BA↑j
; Stage 3: the remaining bytes. SSE2 path only if at least 32 (20h) bytes
; remain and there is no overlap; otherwise one byte at a time.
                lea     rdi, ds:0[rdi*4] ; bytes consumed by stage 2
                sub     r9, rdi
                jz      loc_140E31534
                add     r10, rdi
                add     rdx, rdi
                add     r8, rdi
                test    r9, r9
                jz      loc_140E31534
                cmp     r9, 20h
                jb      short loc_140E31507
                lea     rcx, [r10-1]
                lea     rax, [r8-1]
                add     rcx, r9          ; rcx = last byte of dst
                add     rax, r9          ; rax = last byte of src2
                cmp     r10, rax
                ja      short loc_140E314A3
                cmp     rcx, r8
                jnb     short loc_140E31507
loc_140E314A3:                          ; CODE XREF: EncryptFunc1+22C↑j
                lea     rax, [rdx-1]
                add     rax, r9          ; rax = last byte of src1
                cmp     r10, rax
                ja      short loc_140E314B4
                cmp     rcx, rdx
                jnb     short loc_140E31507
loc_140E314B4:                          ; CODE XREF: EncryptFunc1+23D↑j
                mov     rax, r9
                mov     rdi, r9
                and     eax, 1Fh
                mov     rcx, r10
                sub     rdi, rax        ; rdi = byte count rounded down to a multiple of 32
                sub     rcx, rdx
                mov     r11, r8
                mov     rax, rdx
                sub     r11, rdx
                nop
loc_140E314D0:                          ; CODE XREF: EncryptFunc1+295↓j
; SSE2 byte loop: 32 bytes per iteration, rbx counts bytes.
                movdqu  xmm0, xmmword ptr [rax]
                add     rbx, 20h
                movdqu  xmm1, xmmword ptr [rax+r11]
                lea     rax, [rax+20h]
                pxor    xmm1, xmm0
                movdqu  xmmword ptr [rax+rcx-20h], xmm1
                movdqu  xmm1, xmmword ptr [r11+rax-10h]
                movdqu  xmm0, xmmword ptr [rax-10h]
                pxor    xmm1, xmm0
                movdqu  xmmword ptr [rcx+rax-10h], xmm1
                cmp     rbx, rdi
                jb      short loc_140E314D0
loc_140E31507:                          ; CODE XREF: EncryptFunc1+219↑j
                                        ; EncryptFunc1+231↑j ...
                cmp     rbx, r9
                jnb     short loc_140E31534 ; all bytes done
                sub     rdx, r8          ; rdx = src1 - src2
                lea     rcx, [rbx+r8]    ; rcx = src2 at the next unprocessed byte
                sub     r10, r8          ; r10 = dst - src2
                sub     r9, rbx          ; r9 = bytes still to do
                nop     dword ptr [rax+00000000h]
loc_140E31520:                          ; CODE XREF: EncryptFunc1+2C2↓j
; Scalar byte loop.
                movzx   eax, byte ptr [rcx+rdx]
                xor     al, [rcx]
                mov     [rcx+r10], al
                lea     rcx, [rcx+1]
                sub     r9, 1
                jnz     short loc_140E31520
loc_140E31534:                          ; CODE XREF: EncryptFunc1+105↑j
                                        ; EncryptFunc1+1FD↑j ...
; Epilogue: restore callee-saved registers.
                mov     rbx, [rsp+8+arg_8]
                mov     rbp, [rsp+8+arg_10]
                mov     rsi, [rsp+8+arg_18]
                pop     rdi
                retn
EncryptFunc1    endp


2018-4-26 02:08
好厉害虽然看不懂
2018-4-26 12:47
虽然看不懂,但是感觉贼6!!!
2018-4-28 00:58
目前加密、解密、密钥生成都找到了,但是原始密钥从哪来的还没找到。有兴趣一起弄的可以私聊我
2018-4-28 08:22
只要不断的摸索,总有一天你会成功的
2018-4-29 23:01
dengaaa 只要不断的摸索,总有一天你会成功的
多谢!
2018-4-30 15:00
dengaaa 只要不断的摸索,总有一天你会成功的
原始密钥为64个字节,有几个字节是固定的,有8个字节表示序号,每产生一次新密钥就递增1,剩下的又不知道哪来的了
2018-4-30 15:02
学习
2018-5-2 00:10
现在有卖的驱动可以过任何反调试
2018-5-2 00:52
脱机工作量不是一般的大,难点还在封号检测~!
2018-5-2 09:14