-
-
记一次算法还原
-
发表于: 2020-10-5 20:24
-
问朋友要的面试题玩玩。
目标:还原出key的算法
1.MFC程序OD载入,2编辑框,一个按钮,先猜测这两个编辑框用的DDX,编译一个MFC程序,查看UpDatadata特征码,按钮消息函数
2.调试得到程序输入
刚好 144 = 90h
DDX是绑定的int值
我还以为是字符串
3.
4.查看ecx 看下传入参数跟返回值确定是不是算法函数
观察ecx,调试发现有查ecx+c的位置,应该是一张表对这个地址访问看下生成表的位置,居然还有表
5.表的生成
ce添加访问得到访问代码
生成表的代码
快乐的一天
奥利个 还原,还原代码在附件里边。
#pragma once#include <stdlib.h>#include <stdio.h>#include <iostream>#include <Windows.h>struct Data{ unsigned int value1;
unsigned int value2;
unsigned int value3;
unsigned char valuetable[0x100];
};Data data;//value1 输入的值
char Initvaluetabl(Data* data, unsigned int value1, int value2, int value3)
{ unsigned int local2 = value2;
data->value2 = 0;
data->value3 = 0;
unsigned char* ecx = data->valuetable;
for (int i = 0; i < 0x100; i++)
{
data->valuetable[i] = i;
}
unsigned int local1 = 0;
unsigned int ebx = 0;
do
{
int edx = 0;
unsigned char* esi = data->valuetable;
unsigned int eax = ((unsigned char*)(&value1))[ebx%local2] + local1;
edx = eax + esi[ebx];
edx = edx % 256;
unsigned char cl = esi[ebx];
unsigned char al = esi[edx];
esi[ebx] = al;
esi[edx] = cl;
local1 = edx;
ebx++;
} while (ebx < 0x100);
return 1;
}int sub_401AF0(Data* data, unsigned char* xorvalue1, int value2, BYTE* destvalue)
{ unsigned int eax;
for (int i = 0; i < value2; i++)
{
int index = (data->value2 + 1) & 0xff;
data->value2 = index;
data->value3 = (data->valuetable[index] + data->value3) & 0xff;
unsigned char al = data->valuetable[data->value3];
unsigned char dl = data->valuetable[index];
data->valuetable[index] = al;
data->valuetable[data->value3] = dl;
unsigned int edx = data->valuetable[data->value3];
unsigned int eax = data->valuetable[data->value2];
edx += eax;
edx = edx % 256;
edx = data->valuetable[edx];
dl = edx ^ xorvalue1[i];
destvalue[i] = dl;
return value2;
}int main(int argc, char* argv[])
{ int inputvalue = 0;
printf("请输入:");
scanf("%d", &inputvalue);
Initvaluetabl(&data, inputvalue, 0x4, 0x300);
DWORD retvalue;
unsigned int xorvalue = inputvalue ^ 0x55AAAA55;
sub_401AF0(&data, (unsigned char*)&xorvalue, 4, (BYTE*)&retvalue);
printf("destvale:%u\r\n", retvalue);
system("pause");
return 0;
}#pragma once#include <stdlib.h>#include <stdio.h>#include <iostream>#include <Windows.h>struct Data{ unsigned int value1;
unsigned int value2;
unsigned int value3;
unsigned char valuetable[0x100];
};Data data;//value1 输入的值
char Initvaluetabl(Data* data, unsigned int value1, int value2, int value3)
{ unsigned int local2 = value2;
data->value2 = 0;
data->value3 = 0;
unsigned char* ecx = data->valuetable;
for (int i = 0; i < 0x100; i++)
{
data->valuetable[i] = i;
}
unsigned int local1 = 0;
unsigned int ebx = 0;
do
{
int edx = 0;
unsigned char* esi = data->valuetable;
unsigned int eax = ((unsigned char*)(&value1))[ebx%local2] + local1;
edx = eax + esi[ebx];
edx = edx % 256;
unsigned char cl = esi[ebx];
unsigned char al = esi[edx];
esi[ebx] = al;
esi[edx] = cl;
local1 = edx;
ebx++;
} while (ebx < 0x100);
return 1;
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2021-1-12 18:33
被kanxue编辑
,原因:
