[原创]xyz_119的提高型CrackMe的中未知加密算法的还原分析(附分析源代码)
发表于: 2006-5-28 09:42 7972
【文章作者】
Ryosuke
【原帖以及相关帖】
http://bbs.pediy.com/showthread.php?s=&threadid=26144
http://bbs.pediy.com/showthread.php?s=&threadid=26281
【分析】
xyz_119的提高型CrackMe用到了3个未知的加密解密算法。经过一番静态分析加动态调试,我还原出了其中两个算法:一个我称之为unknown1,另一个类似DES,在这里我叫它XDES。
第一个算法unknown1的正向分析:
; unknown1 (forward direction): three stack arguments, callee cleans the stack (retn 0C).
; arg1 = 16-byte input, arg2 / arg3 = two 8-byte outputs (named serial, key and plain in the C reconstruction that follows).
; For each of the 4 input DWORDs, even-numbered bits are OR-ed into arg2 and odd-numbered bits into arg3.
004027D0 /$ 51 push ecx ; reserves one 4-byte stack slot, used below as the outer loop counter i
004027D1 |. 8B4C24 0C mov ecx, [esp+C] ; ecx = arg2 (first 8-byte output)
004027D5 |. 33C0 xor eax, eax
004027D7 |. 33D2 xor edx, edx
004027D9 |. 53 push ebx
004027DA |. 8901 mov [ecx], eax ; arg2[0..3] = 0
004027DC |. 8B5C24 0C mov ebx, [esp+C] ; ebx = arg1 (input); the offset shifted by 4 because of push ebx
004027E0 |. 55 push ebp
004027E1 |. 56 push esi
004027E2 |. 8941 04 mov [ecx+4], eax ; arg2[4..7] = 0
004027E5 |. 8B4424 1C mov eax, [esp+1C] ; eax = arg3 (second 8-byte output)
004027E9 |. 57 push edi
004027EA |. 8910 mov [eax], edx ; arg3[0..3] = 0
004027EC |. 8950 04 mov [eax+4], edx ; arg3[4..7] = 0
004027EF |. 33C0 xor eax, eax ; i = 0
004027F1 |. 894424 10 mov [esp+10], eax ; store i in the slot reserved by the first push
004027F5 |> 8BC8 /mov ecx, eax ; outer loop head: ecx = i
004027F7 |. 81E1 01000080 |and ecx, 80000001 ; keep the low bit and the sign bit
004027FD |. 79 05 |jns short 00402804 ; non-negative: ecx already holds i % 2
004027FF |. 49 |dec ecx ; negative case: the next three instructions
00402800 |. 83C9 FE |or ecx, FFFFFFFE ; adjust the result to the signed
00402803 |. 41 |inc ecx ; remainder of i / 2
00402804 |> 99 |cdq ; edx = sign extension of eax (i)
00402805 |. 2BC2 |sub eax, edx ; bias so that the arithmetic shift rounds toward zero
00402807 |. BE 1F000000 |mov esi, 1F
0040280C |. C1E1 04 |shl ecx, 4 ; ecx = (i % 2) * 16
0040280F |. D1F8 |sar eax, 1 ; eax = i / 2
00402811 |. 2BF1 |sub esi, ecx ; esi = 0x1F - (i % 2) * 16, the base right-shift count
00402813 |. 33FF |xor edi, edi ; k = 0
00402815 |. C1E0 02 |shl eax, 2 ; eax = (i / 2) * 4, byte offset of the destination DWORD
00402818 |. 897424 18 |mov [esp+18], esi ; save the base shift in the arg1 stack slot (the input pointer lives in ebx)
0040281C |. 33D2 |xor edx, edx ; j = 0
0040281E |. EB 04 |jmp short 00402824 ; first pass: esi is already loaded
00402820 |> 8B7424 18 |/mov esi, [esp+18] ; inner loop head: reload the base shift
00402824 |> 8B2B | mov ebp, [ebx] ; ebp = current input DWORD
00402826 |. 8BCA ||mov ecx, edx
00402828 |. D3ED ||shr ebp, cl ; input >> j
0040282A |. 2BF7 ||sub esi, edi ; esi = base shift - k
0040282C |. 8BCE ||mov ecx, esi
0040282E |. C1E5 1F ||shl ebp, 1F ; isolate bit j of the input at bit 31
00402831 |. D3ED ||shr ebp, cl ; move it down to bit (i % 2) * 16 + k
00402833 |. 8B4C24 1C ||mov ecx, [esp+1C] ; ecx = arg2
00402837 |. 092C08 ||or [eax+ecx], ebp ; OR the bit into DWORD (i / 2) of arg2
0040283A |. 8B2B ||mov ebp, [ebx] ; reload the current input DWORD
0040283C |. 8D4A 01 ||lea ecx, [edx+1] ; ecx = j + 1
0040283F |. 83C2 02 ||add edx, 2 ; j += 2
00402842 |. D3ED ||shr ebp, cl ; input >> (j + 1)
00402844 |. 8BCE ||mov ecx, esi
00402846 |. C1E5 1F ||shl ebp, 1F ; isolate bit j + 1 of the input at bit 31
00402849 |. D3ED ||shr ebp, cl ; move it down to bit (i % 2) * 16 + k
0040284B |. 8B4C24 20 ||mov ecx, [esp+20] ; ecx = arg3
0040284F |. 8B3408 ||mov esi, [eax+ecx] ; load DWORD (i / 2) of arg3
00402852 |. 0BF5 ||or esi, ebp ; merge the bit
00402854 |. 47 ||inc edi ; k++
00402855 |. 83FA 20 ||cmp edx, 20
00402858 |. 893408 ||mov [eax+ecx], esi ; store DWORD (i / 2) of arg3 back
0040285B |.^ 7C C3 |\jl short 00402820 ; repeat while j < 0x20 (16 passes)
0040285D |. 8B4424 10 |mov eax, [esp+10] ; reload i
00402861 |. 83C3 04 |add ebx, 4 ; advance to the next input DWORD
00402864 |. 40 |inc eax ; i++
00402865 |. 83F8 04 |cmp eax, 4
00402868 |. 894424 10 |mov [esp+10], eax ; store i
0040286C |.^ 7C 87 \jl short 004027F5 ; repeat while i < 4
0040286E |. 5F pop edi
0040286F |. 5E pop esi
00402870 |. 5D pop ebp
00402871 |. 5B pop ebx
00402872 |. 59 pop ecx ; releases the slot reserved by the first push
00402873 \. C2 0C00 retn 0C ; return and pop the 12 bytes of arguments
上面这个算法的功能其实很简单,它的函数原型是:
// Forward direction of "unknown1": splits the 128-bit serial into two 64-bit halves.
//   serial : 16 input bytes, read as four DWORDs.
//   key    : 8 output bytes; receives the even-numbered bits of every serial DWORD.
//   plain  : 8 output bytes; receives the odd-numbered bits of every serial DWORD.
// Serial DWORDs 0 and 1 fill output DWORD 0 (low and high 16 bits respectively),
// serial DWORDs 2 and 3 fill output DWORD 1.
// The BYTE buffers are accessed through DWORD pointers, so the bit layout follows the
// host byte order (the disassembly this was recovered from is x86, i.e. little-endian).
void reverse(BYTE serial[16],BYTE key[8],BYTE plain[8])
{
    const DWORD* src = (const DWORD*)serial;
    DWORD* keyWords = (DWORD*)key;
    DWORD* plainWords = (DWORD*)plain;

    ZeroMemory(key, 8);
    ZeroMemory(plain, 8);

    for (DWORD word = 0; word < 4; ++word)
    {
        const DWORD dst = word >> 1;          // which output DWORD this serial DWORD feeds
        const DWORD base = (word & 1) << 4;   // 0 for the low half, 16 for the high half

        for (DWORD pair = 0; pair < 16; ++pair)
        {
            const DWORD outBit = base + pair;

            // Even bit of the pair goes to key.
            const DWORD keyBit = ((src[word] >> (2 * pair)) & 1) << outBit;
            keyWords[dst] |= keyBit;

            // Odd bit of the pair goes to plain, at the same output position.
            const DWORD plainBit = ((src[word] >> (2 * pair + 1)) & 1) << outBit;
            plainWords[dst] |= plainBit;
        }
    }
}
它把16个字节的128bit信息通过4*32轮(代码中是4*16次循环,每次处理相邻的2个bit)打散,送到两个BYTE[8]中:每个DWORD的偶数位进入key,奇数位进入plain。上面的代码是逆向分析的结果。知道了它的正向功能,逆向功能也很容易写出来。
// Inverse of reverse(): interleaves key and plain back into the 16-byte serial.
//   key    : 8 input bytes; bit n of each DWORD becomes an even-numbered serial bit.
//   plain  : 8 input bytes; bit n of each DWORD becomes the odd-numbered bit next to it.
//   serial : 16 output bytes, cleared first and then filled bit by bit.
// Bits 0..15 of input DWORD h go to serial DWORD 2*h, bits 16..31 to serial DWORD 2*h+1.
// The BYTE buffers are accessed through DWORD pointers, so the bit layout follows the
// host byte order (the disassembly this was recovered from is x86, i.e. little-endian).
void i_reverse(BYTE key[8],BYTE plain[8],BYTE serial[16])
{
    const DWORD* keyWords = (const DWORD*)key;
    const DWORD* plainWords = (const DWORD*)plain;
    DWORD* out = (DWORD*)serial;

    ZeroMemory(serial, 16);

    for (DWORD half = 0; half < 2; ++half)
    {
        for (DWORD bit = 0; bit < 32; ++bit)
        {
            const DWORD keyBit = (keyWords[half] >> bit) & 1;
            const DWORD plainBit = (plainWords[half] >> bit) & 1;

            const DWORD dst = 2 * half + (bit >> 4);   // low 16 bits -> even DWORD, high 16 -> odd DWORD
            const DWORD pos = (bit & 15) << 1;         // even bit position inside that DWORD

            out[dst] |= (keyBit << pos) | (plainBit << (pos + 1));
        }
    }
}
这段就是对应的逆向函数,相对来说,unknown1很简单。
下面来说XDES。这里我通过类比DES,结合静态分析和跟踪调试,分析出了这个XDES的原型。下面是XDES的解密过程。
XDES的Block是8 BYTE,密钥8 BYTE,子密钥32 DWORD,循环16轮。
解密函数的原型:XDES_Decipher(BYTE plain[8],BYTE cipher[8],BYTE key[8]);
加密函数的原型:XDES_Encipher(BYTE cipher[8],BYTE plain[8],BYTE key[8]);
下面是解密的过程。
0040F5D0 /$ 8B4C24 0C mov ecx, [esp+C] ; key
0040F5D4 |. 81EC 80000000 sub esp, 80 ; 分配内存,32个子密钥
0040F5DA |. 8D4424 00 lea eax, [esp]
0040F5DE |. 53 push ebx
0040F5DF |. 55 push ebp
0040F5E0 |. 56 push esi
0040F5E1 |. 57 push edi
0040F5E2 |. 50 push eax
0040F5E3 |. 51 push ecx
0040F5E4 |. E8 97F0FFFF call 0040E680 ;初始化子密钥
0040F5E9 |. 8B8424 9C000000 mov eax, [esp+9C]
0040F5F0 |. 8BB424 90000000 mov esi, [esp+90]
0040F5F7 |. 83C4 08 add esp, 8
0040F5FA |. 8B50 04 mov edx, [eax+4] ; r
0040F5FD |. 8B00 mov eax, [eax] ; l
0040F5FF |. 8BCA mov ecx, edx
0040F601 |. C1E1 1C shl ecx, 1C
0040F604 |. C1EA 04 shr edx, 4
0040F607 |. 0BCA or ecx, edx ; r=rotrFixed(r, 4U);
0040F609 |. 8BD0 mov edx, eax
0040F60B |. 33D1 xor edx, ecx ; work=l^r
0040F60D |. 81E2 0F0F0F0F and edx, 0F0F0F0F ; work&0xf0f0f0f=>work
0040F613 |. 33C2 xor eax, edx ; l=l^work
0040F615 |. 33D1 xor edx, ecx
0040F617 |. 8BCA mov ecx, edx
0040F619 |. C1E1 14 shl ecx, 14
0040F61C |. C1EA 0C shr edx, 0C
0040F61F |. 0BCA or ecx, edx ; r = rotlFixed(r^work, 20U);
0040F621 |. 8BD0 mov edx, eax
0040F623 |. 33D1 xor edx, ecx
0040F625 |. 81E2 0000FFFF and edx, FFFF0000 ; work=(l^r)&0xffff0000
0040F62B |. 33C2 xor eax, edx ; l^=work
0040F62D |. 33D1 xor edx, ecx
0040F62F |. 8BCA mov ecx, edx
0040F631 |. C1E9 12 shr ecx, 12
0040F634 |. C1E2 0E shl edx, 0E
0040F637 |. 0BCA or ecx, edx ; r=rotrFixed(r^work, 18U);
0040F639 |. 8BD0 mov edx, eax
0040F63B |. 33D1 xor edx, ecx
0040F63D |. 81E2 33333333 and edx, 33333333 ; work=(l^r)&0x33333333
0040F643 |. 33C2 xor eax, edx ; l^=work
0040F645 |. 33D1 xor edx, ecx
0040F647 |. 8BCA mov ecx, edx
0040F649 |. C1E9 16 shr ecx, 16
0040F64C |. C1E2 0A shl edx, 0A
0040F64F |. 0BCA or ecx, edx ; r=rotrFixed(r^work, 22);
0040F651 |. 8BD0 mov edx, eax
0040F653 |. 33D1 xor edx, ecx
0040F655 |. 81E2 00FF00FF and edx, FF00FF00 ; work=(l^r)&ff00ff00
0040F65B |. 33C2 xor eax, edx
0040F65D |. 33D1 xor edx, ecx
0040F65F |. 8BFA mov edi, edx
0040F661 |. 8BD8 mov ebx, eax
0040F663 |. C1E7 17 shl edi, 17
0040F666 |. C1EA 09 shr edx, 9
0040F669 |. 0BFA or edi, edx ; edi=rotrFixed(r^work, 23);
0040F66B |. 33DF xor ebx, edi ; ebx=l^edi
0040F66D |. 81E3 55555555 and ebx, 55555555 ; ebx&55555555
0040F673 |. 8BD3 mov edx, ebx ; work=edi
0040F675 |. 33DF xor ebx, edi
0040F677 |. 33D0 xor edx, eax
0040F679 |. 8BCA mov ecx, edx
0040F67B |. 03D2 add edx, edx
0040F67D |. C1E9 1F shr ecx, 1F
0040F680 |. 0BCA or ecx, edx ; rotlFixed(right, 1U);
0040F682 |. 8BD1 mov edx, ecx
0040F684 |. 8BC1 mov eax, ecx
以上进行XDES的初始置换。
//以下开始进行16轮循环加密。
0040F686 |. C1EA 04 shr edx, 4
0040F689 |. 83E0 03 and eax, 3
0040F68C |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F692 |. C1E0 1C shl eax, 1C
0040F695 |. 0BD0 or edx, eax ; edx=rotrFix(l,4)
0040F697 |. 8B8424 8C000000 mov eax, [esp+8C]
0040F69E |. 33F1 xor esi, ecx ; work=key[0]^l
0040F6A0 |. 25 3F3F3F3F and eax, 3F3F3F3F
0040F6A5 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F6AB |. 33D0 xor edx, eax ; edx=rotrFix(l,4)^key[1]
0040F6AD |. 8BC6 mov eax, esi
0040F6AF |. 8BFE mov edi, esi
0040F6B1 |. C1E8 18 shr eax, 18
0040F6B4 |. C1EF 10 shr edi, 10
0040F6B7 |. 81E7 FF000000 and edi, 0FF
0040F6BD |. 8B0485 00714500 mov eax, [eax*4+457100]
0040F6C4 |. 8B2CBD 006F4500 mov ebp, [edi*4+456F00]
0040F6CB |. 8BFE mov edi, esi
0040F6CD |. C1EF 08 shr edi, 8
0040F6D0 |. 81E7 FF000000 and edi, 0FF
0040F6D6 |. 0BC5 or eax, ebp
0040F6D8 |. 81E6 FF000000 and esi, 0FF
0040F6DE |. 8B2CBD 006D4500 mov ebp, [edi*4+456D00]
0040F6E5 |. 8BFA mov edi, edx
0040F6E7 |. C1EF 18 shr edi, 18
0040F6EA |. 0BC5 or eax, ebp
0040F6EC |. 8B2CBD 00724500 mov ebp, [edi*4+457200]
0040F6F3 |. 8BFA mov edi, edx
0040F6F5 |. C1EF 10 shr edi, 10
0040F6F8 |. 81E7 FF000000 and edi, 0FF
0040F6FE |. 0BC5 or eax, ebp
0040F700 |. 8B2CBD 00704500 mov ebp, [edi*4+457000]
0040F707 |. 8BFA mov edi, edx
0040F709 |. C1EF 08 shr edi, 8
0040F70C |. 81E7 FF000000 and edi, 0FF
0040F712 |. 0BC5 or eax, ebp
0040F714 |. 81E2 FF000000 and edx, 0FF
0040F71A |. 8B2CBD 006E4500 mov ebp, [edi*4+456E00]
0040F721 |. 8B3C95 006C4500 mov edi, [edx*4+456C00]
0040F728 |. 0BC5 or eax, ebp
0040F72A |. 0BC7 or eax, edi
0040F72C |. 8B3CB5 006B4500 mov edi, [esi*4+456B00]
0040F733 |. 8BD3 mov edx, ebx
0040F735 |. 8D349D 00000000 lea esi, [ebx*4]
0040F73C |. C1EA 1E shr edx, 1E
0040F73F |. 0BC7 or eax, edi
0040F741 |. 0BD6 or edx, esi
0040F743 |. 33C2 xor eax, edx
0040F745 |. 8BD0 mov edx, eax
0040F747 |. 8BF0 mov esi, eax
0040F749 |. C1EA 04 shr edx, 4
0040F74C |. 83E6 03 and esi, 3
0040F74F |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F755 |. C1E6 1C shl esi, 1C
0040F758 |. 0BD6 or edx, esi
0040F75A |. 8BB424 84000000 mov esi, [esp+84] ; 3
0040F761 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F767 |. 33D6 xor edx, esi ; work2=rotrFixed(r,4)^key[4*i+3];
0040F769 |. 8BB424 80000000 mov esi, [esp+80] ; 2
0040F770 |. 33F0 xor esi, eax ; work=key[4*i+2]^r;
0040F772 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F778 |. 8BDE mov ebx, esi
0040F77A |. 8BFE mov edi, esi
0040F77C |. C1EB 10 shr ebx, 10
0040F77F |. 81E3 FF000000 and ebx, 0FF
0040F785 |. C1EF 18 shr edi, 18
0040F788 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F78F |. 8BDE mov ebx, esi
0040F791 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F798 |. 81E6 FF000000 and esi, 0FF
0040F79E |. C1EB 08 shr ebx, 8
0040F7A1 |. 81E3 FF000000 and ebx, 0FF
0040F7A7 |. 0BFD or edi, ebp
0040F7A9 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F7B0 |. 8BDA mov ebx, edx
0040F7B2 |. C1EB 18 shr ebx, 18
0040F7B5 |. 0BFD or edi, ebp
0040F7B7 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F7BE |. 8BDA mov ebx, edx
0040F7C0 |. C1EB 10 shr ebx, 10
0040F7C3 |. 81E3 FF000000 and ebx, 0FF
0040F7C9 |. 0BFD or edi, ebp
0040F7CB |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F7D2 |. 8BDA mov ebx, edx
0040F7D4 |. C1EB 08 shr ebx, 8
0040F7D7 |. 81E3 FF000000 and ebx, 0FF
0040F7DD |. 0BFD or edi, ebp
0040F7DF |. 81E2 FF000000 and edx, 0FF
0040F7E5 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F7EC |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F7F3 |. 0BFD or edi, ebp
0040F7F5 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F7FC |. 0BFB or edi, ebx
0040F7FE |. 0BFD or edi, ebp
0040F800 |. 33CF xor ecx, edi
0040F802 |. 8BD1 mov edx, ecx
0040F804 |. 8BF1 mov esi, ecx
0040F806 |. C1EA 04 shr edx, 4
0040F809 |. 83E6 03 and esi, 3
0040F80C |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F812 |. C1E6 1C shl esi, 1C
0040F815 |. 0BD6 or edx, esi
0040F817 |. 8B7424 7C mov esi, [esp+7C]
0040F81B |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F821 |. 33D6 xor edx, esi
0040F823 |. 8B7424 78 mov esi, [esp+78]
0040F827 |. 33F1 xor esi, ecx
0040F829 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F82F |. 8BDE mov ebx, esi
0040F831 |. 8BFE mov edi, esi
0040F833 |. C1EB 10 shr ebx, 10
0040F836 |. 81E3 FF000000 and ebx, 0FF
0040F83C |. C1EF 18 shr edi, 18
0040F83F |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F846 |. 8BDE mov ebx, esi
0040F848 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F84F |. 81E6 FF000000 and esi, 0FF
0040F855 |. C1EB 08 shr ebx, 8
0040F858 |. 81E3 FF000000 and ebx, 0FF
0040F85E |. 0BFD or edi, ebp
0040F860 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F867 |. 8BDA mov ebx, edx
0040F869 |. C1EB 18 shr ebx, 18
0040F86C |. 0BFD or edi, ebp
0040F86E |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F875 |. 8BDA mov ebx, edx
0040F877 |. C1EB 10 shr ebx, 10
0040F87A |. 81E3 FF000000 and ebx, 0FF
0040F880 |. 0BFD or edi, ebp
0040F882 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F889 |. 8BDA mov ebx, edx
0040F88B |. C1EB 08 shr ebx, 8
0040F88E |. 81E3 FF000000 and ebx, 0FF
0040F894 |. 0BFD or edi, ebp
0040F896 |. 81E2 FF000000 and edx, 0FF
0040F89C |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F8A3 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F8AA |. 0BFD or edi, ebp
0040F8AC |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F8B3 |. 0BFB or edi, ebx
0040F8B5 |. 0BFD or edi, ebp
0040F8B7 |. 33C7 xor eax, edi
0040F8B9 |. 8BD0 mov edx, eax
0040F8BB |. 8BF0 mov esi, eax
0040F8BD |. C1EA 04 shr edx, 4
0040F8C0 |. 83E6 03 and esi, 3
0040F8C3 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F8C9 |. C1E6 1C shl esi, 1C
0040F8CC |. 0BD6 or edx, esi
0040F8CE |. 8B7424 74 mov esi, [esp+74]
0040F8D2 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F8D8 |. 33D6 xor edx, esi
0040F8DA |. 8B7424 70 mov esi, [esp+70]
0040F8DE |. 33F0 xor esi, eax
0040F8E0 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F8E6 |. 8BDE mov ebx, esi
0040F8E8 |. 8BFE mov edi, esi
0040F8EA |. C1EB 10 shr ebx, 10
0040F8ED |. 81E3 FF000000 and ebx, 0FF
0040F8F3 |. C1EF 18 shr edi, 18
0040F8F6 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F8FD |. 8BDE mov ebx, esi
0040F8FF |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F906 |. C1EB 08 shr ebx, 8
0040F909 |. 81E3 FF000000 and ebx, 0FF
0040F90F |. 0BFD or edi, ebp
0040F911 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F918 |. 8BDA mov ebx, edx
0040F91A |. C1EB 18 shr ebx, 18
0040F91D |. 0BFD or edi, ebp
0040F91F |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F926 |. 8BDA mov ebx, edx
0040F928 |. C1EB 10 shr ebx, 10
0040F92B |. 0BFD or edi, ebp
0040F92D |. 81E3 FF000000 and ebx, 0FF
0040F933 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F93A |. 8BDA mov ebx, edx
0040F93C |. 0BFD or edi, ebp
0040F93E |. C1EB 08 shr ebx, 8
0040F941 |. 81E3 FF000000 and ebx, 0FF
0040F947 |. 81E2 FF000000 and edx, 0FF
0040F94D |. 81E6 FF000000 and esi, 0FF
0040F953 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F95A |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F961 |. 0BFD or edi, ebp
0040F963 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F96A |. 0BFB or edi, ebx
0040F96C |. 0BFD or edi, ebp
0040F96E |. 33CF xor ecx, edi
0040F970 |. 8BD1 mov edx, ecx
0040F972 |. 8BF1 mov esi, ecx
0040F974 |. C1EA 04 shr edx, 4
0040F977 |. 83E6 03 and esi, 3
0040F97A |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F980 |. C1E6 1C shl esi, 1C
0040F983 |. 0BD6 or edx, esi
0040F985 |. 8B7424 6C mov esi, [esp+6C]
0040F989 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F98F |. 33D6 xor edx, esi
0040F991 |. 8B7424 68 mov esi, [esp+68]
0040F995 |. 33F1 xor esi, ecx
0040F997 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F99D |. 8BDE mov ebx, esi
0040F99F |. 8BFE mov edi, esi
0040F9A1 |. C1EB 10 shr ebx, 10
0040F9A4 |. 81E3 FF000000 and ebx, 0FF
0040F9AA |. C1EF 18 shr edi, 18
0040F9AD |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F9B4 |. 8BDE mov ebx, esi
0040F9B6 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F9BD |. 81E6 FF000000 and esi, 0FF
0040F9C3 |. C1EB 08 shr ebx, 8
0040F9C6 |. 81E3 FF000000 and ebx, 0FF
0040F9CC |. 0BFD or edi, ebp
0040F9CE |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F9D5 |. 8BDA mov ebx, edx
0040F9D7 |. C1EB 18 shr ebx, 18
0040F9DA |. 0BFD or edi, ebp
0040F9DC |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F9E3 |. 8BDA mov ebx, edx
0040F9E5 |. C1EB 10 shr ebx, 10
0040F9E8 |. 81E3 FF000000 and ebx, 0FF
0040F9EE |. 0BFD or edi, ebp
0040F9F0 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F9F7 |. 8BDA mov ebx, edx
0040F9F9 |. C1EB 08 shr ebx, 8
0040F9FC |. 81E3 FF000000 and ebx, 0FF
0040FA02 |. 0BFD or edi, ebp
0040FA04 |. 81E2 FF000000 and edx, 0FF
0040FA0A |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FA11 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FA18 |. 0BFD or edi, ebp
0040FA1A |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FA21 |. 0BFB or edi, ebx
0040FA23 |. 0BFD or edi, ebp
0040FA25 |. 33C7 xor eax, edi
0040FA27 |. 8BD0 mov edx, eax
0040FA29 |. 8BF0 mov esi, eax
0040FA2B |. C1EA 04 shr edx, 4
0040FA2E |. 83E6 03 and esi, 3
0040FA31 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FA37 |. C1E6 1C shl esi, 1C
0040FA3A |. 0BD6 or edx, esi
0040FA3C |. 8B7424 64 mov esi, [esp+64]
0040FA40 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FA46 |. 33D6 xor edx, esi
0040FA48 |. 8B7424 60 mov esi, [esp+60]
0040FA4C |. 33F0 xor esi, eax
0040FA4E |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FA54 |. 8BDE mov ebx, esi
0040FA56 |. 8BFE mov edi, esi
0040FA58 |. C1EB 10 shr ebx, 10
0040FA5B |. C1EF 18 shr edi, 18
0040FA5E |. 81E3 FF000000 and ebx, 0FF
0040FA64 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FA6B |. 0B3C9D 006F4500 or edi, [ebx*4+456F00]
0040FA72 |. 8BDE mov ebx, esi
0040FA74 |. 81E6 FF000000 and esi, 0FF
0040FA7A |. C1EB 08 shr ebx, 8
0040FA7D |. 81E3 FF000000 and ebx, 0FF
0040FA83 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FA8A |. 8BDA mov ebx, edx
0040FA8C |. C1EB 18 shr ebx, 18
0040FA8F |. 0BFD or edi, ebp
0040FA91 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FA98 |. 8BDA mov ebx, edx
0040FA9A |. C1EB 10 shr ebx, 10
0040FA9D |. 81E3 FF000000 and ebx, 0FF
0040FAA3 |. 0BFD or edi, ebp
0040FAA5 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FAAC |. 8BDA mov ebx, edx
0040FAAE |. C1EB 08 shr ebx, 8
0040FAB1 |. 81E3 FF000000 and ebx, 0FF
0040FAB7 |. 0BFD or edi, ebp
0040FAB9 |. 81E2 FF000000 and edx, 0FF
0040FABF |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FAC6 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FACD |. 0BFD or edi, ebp
0040FACF |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FAD6 |. 0BFB or edi, ebx
0040FAD8 |. 0BFD or edi, ebp
0040FADA |. 33CF xor ecx, edi
0040FADC |. 8BD1 mov edx, ecx
0040FADE |. 8BF1 mov esi, ecx
0040FAE0 |. C1EA 04 shr edx, 4
0040FAE3 |. 83E6 03 and esi, 3
0040FAE6 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FAEC |. C1E6 1C shl esi, 1C
0040FAEF |. 0BD6 or edx, esi
0040FAF1 |. 8B7424 5C mov esi, [esp+5C]
0040FAF5 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FAFB |. 33D6 xor edx, esi
0040FAFD |. 8B7424 58 mov esi, [esp+58]
0040FB01 |. 33F1 xor esi, ecx
0040FB03 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FB09 |. 8BDE mov ebx, esi
0040FB0B |. 8BFE mov edi, esi
0040FB0D |. C1EB 10 shr ebx, 10
0040FB10 |. 81E3 FF000000 and ebx, 0FF
0040FB16 |. C1EF 18 shr edi, 18
0040FB19 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FB20 |. 8BDE mov ebx, esi
0040FB22 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FB29 |. 81E6 FF000000 and esi, 0FF
0040FB2F |. C1EB 08 shr ebx, 8
0040FB32 |. 81E3 FF000000 and ebx, 0FF
0040FB38 |. 0BFD or edi, ebp
0040FB3A |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FB41 |. 8BDA mov ebx, edx
0040FB43 |. C1EB 18 shr ebx, 18
0040FB46 |. 0BFD or edi, ebp
0040FB48 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FB4F |. 8BDA mov ebx, edx
0040FB51 |. C1EB 10 shr ebx, 10
0040FB54 |. 81E3 FF000000 and ebx, 0FF
0040FB5A |. 0BFD or edi, ebp
0040FB5C |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FB63 |. 8BDA mov ebx, edx
0040FB65 |. C1EB 08 shr ebx, 8
0040FB68 |. 81E3 FF000000 and ebx, 0FF
0040FB6E |. 0BFD or edi, ebp
0040FB70 |. 81E2 FF000000 and edx, 0FF
0040FB76 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FB7D |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FB84 |. 0BFD or edi, ebp
0040FB86 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FB8D |. 0BFB or edi, ebx
0040FB8F |. 0BFD or edi, ebp
0040FB91 |. 33C7 xor eax, edi
0040FB93 |. 8BD0 mov edx, eax
0040FB95 |. 8BF0 mov esi, eax
0040FB97 |. C1EA 04 shr edx, 4
0040FB9A |. 83E6 03 and esi, 3
0040FB9D |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FBA3 |. C1E6 1C shl esi, 1C
0040FBA6 |. 0BD6 or edx, esi
0040FBA8 |. 8B7424 54 mov esi, [esp+54]
0040FBAC |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FBB2 |. 33D6 xor edx, esi
0040FBB4 |. 8B7424 50 mov esi, [esp+50]
0040FBB8 |. 33F0 xor esi, eax
0040FBBA |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FBC0 |. 8BDE mov ebx, esi
0040FBC2 |. 8BFE mov edi, esi
0040FBC4 |. C1EB 10 shr ebx, 10
0040FBC7 |. 81E3 FF000000 and ebx, 0FF
0040FBCD |. C1EF 18 shr edi, 18
0040FBD0 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FBD7 |. 8BDE mov ebx, esi
0040FBD9 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FBE0 |. 81E6 FF000000 and esi, 0FF
0040FBE6 |. C1EB 08 shr ebx, 8
0040FBE9 |. 81E3 FF000000 and ebx, 0FF
0040FBEF |. 0BFD or edi, ebp
0040FBF1 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FBF8 |. 8BDA mov ebx, edx
0040FBFA |. C1EB 18 shr ebx, 18
0040FBFD |. 0BFD or edi, ebp
0040FBFF |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FC06 |. 8BDA mov ebx, edx
0040FC08 |. C1EB 10 shr ebx, 10
0040FC0B |. 81E3 FF000000 and ebx, 0FF
0040FC11 |. 0BFD or edi, ebp
0040FC13 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FC1A |. 8BDA mov ebx, edx
0040FC1C |. C1EB 08 shr ebx, 8
0040FC1F |. 81E3 FF000000 and ebx, 0FF
0040FC25 |. 0BFD or edi, ebp
0040FC27 |. 81E2 FF000000 and edx, 0FF
0040FC2D |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FC34 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FC3B |. 0BFD or edi, ebp
0040FC3D |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FC44 |. 0BFB or edi, ebx
0040FC46 |. 0BFD or edi, ebp
0040FC48 |. 33CF xor ecx, edi
0040FC4A |. 8BD1 mov edx, ecx
0040FC4C |. 8BF1 mov esi, ecx
0040FC4E |. C1EA 04 shr edx, 4
0040FC51 |. 83E6 03 and esi, 3
0040FC54 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FC5A |. C1E6 1C shl esi, 1C
0040FC5D |. 0BD6 or edx, esi
0040FC5F |. 8B7424 4C mov esi, [esp+4C]
0040FC63 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FC69 |. 33D6 xor edx, esi
0040FC6B |. 8B7424 48 mov esi, [esp+48]
0040FC6F |. 33F1 xor esi, ecx
0040FC71 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FC77 |. 8BDE mov ebx, esi
0040FC79 |. 8BFE mov edi, esi
0040FC7B |. C1EB 10 shr ebx, 10
0040FC7E |. 81E3 FF000000 and ebx, 0FF
0040FC84 |. C1EF 18 shr edi, 18
0040FC87 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FC8E |. 8BDE mov ebx, esi
0040FC90 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FC97 |. C1EB 08 shr ebx, 8
0040FC9A |. 81E3 FF000000 and ebx, 0FF
0040FCA0 |. 0BFD or edi, ebp
0040FCA2 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FCA9 |. 8BDA mov ebx, edx
0040FCAB |. C1EB 18 shr ebx, 18
0040FCAE |. 0BFD or edi, ebp
0040FCB0 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FCB7 |. 8BDA mov ebx, edx
0040FCB9 |. C1EB 10 shr ebx, 10
0040FCBC |. 81E3 FF000000 and ebx, 0FF
0040FCC2 |. 0BFD or edi, ebp
0040FCC4 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FCCB |. 8BDA mov ebx, edx
0040FCCD |. C1EB 08 shr ebx, 8
0040FCD0 |. 81E3 FF000000 and ebx, 0FF
0040FCD6 |. 0BFD or edi, ebp
0040FCD8 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FCDF |. 0BFD or edi, ebp
0040FCE1 |. 81E2 FF000000 and edx, 0FF
0040FCE7 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FCEE |. 81E6 FF000000 and esi, 0FF
0040FCF4 |. 0BFB or edi, ebx
0040FCF6 |. 0B3CB5 006B4500 or edi, [esi*4+456B00]
0040FCFD |. 33C7 xor eax, edi
0040FCFF |. 8BD0 mov edx, eax
0040FD01 |. 8BF0 mov esi, eax
0040FD03 |. C1EA 04 shr edx, 4
0040FD06 |. 83E6 03 and esi, 3
0040FD09 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FD0F |. C1E6 1C shl esi, 1C
0040FD12 |. 0BD6 or edx, esi
0040FD14 |. 8B7424 44 mov esi, [esp+44]
0040FD18 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FD1E |. 33D6 xor edx, esi
0040FD20 |. 8B7424 40 mov esi, [esp+40]
0040FD24 |. 33F0 xor esi, eax
0040FD26 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FD2C |. 8BDE mov ebx, esi
0040FD2E |. 8BFE mov edi, esi
0040FD30 |. C1EB 10 shr ebx, 10
0040FD33 |. 81E3 FF000000 and ebx, 0FF
0040FD39 |. C1EF 18 shr edi, 18
0040FD3C |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FD43 |. 8BDE mov ebx, esi
0040FD45 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FD4C |. 81E6 FF000000 and esi, 0FF
0040FD52 |. C1EB 08 shr ebx, 8
0040FD55 |. 81E3 FF000000 and ebx, 0FF
0040FD5B |. 0BFD or edi, ebp
0040FD5D |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FD64 |. 8BDA mov ebx, edx
0040FD66 |. C1EB 18 shr ebx, 18
0040FD69 |. 0BFD or edi, ebp
0040FD6B |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FD72 |. 8BDA mov ebx, edx
0040FD74 |. C1EB 10 shr ebx, 10
0040FD77 |. 81E3 FF000000 and ebx, 0FF
0040FD7D |. 0BFD or edi, ebp
0040FD7F |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FD86 |. 8BDA mov ebx, edx
0040FD88 |. C1EB 08 shr ebx, 8
0040FD8B |. 81E3 FF000000 and ebx, 0FF
0040FD91 |. 0BFD or edi, ebp
0040FD93 |. 81E2 FF000000 and edx, 0FF
0040FD99 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FDA0 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FDA7 |. 0BFD or edi, ebp
0040FDA9 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FDB0 |. 0BFB or edi, ebx
0040FDB2 |. 0BFD or edi, ebp
0040FDB4 |. 33CF xor ecx, edi
0040FDB6 |. 8BD1 mov edx, ecx
0040FDB8 |. 8BF1 mov esi, ecx
0040FDBA |. C1EA 04 shr edx, 4
0040FDBD |. 83E6 03 and esi, 3
0040FDC0 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FDC6 |. C1E6 1C shl esi, 1C
0040FDC9 |. 0BD6 or edx, esi
0040FDCB |. 8B7424 3C mov esi, [esp+3C]
0040FDCF |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FDD5 |. 33D6 xor edx, esi
0040FDD7 |. 8B7424 38 mov esi, [esp+38]
0040FDDB |. 33F1 xor esi, ecx
0040FDDD |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FDE3 |. 8BDE mov ebx, esi
0040FDE5 |. 8BFE mov edi, esi
0040FDE7 |. C1EB 10 shr ebx, 10
0040FDEA |. 81E3 FF000000 and ebx, 0FF
0040FDF0 |. C1EF 18 shr edi, 18
0040FDF3 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FDFA |. 8BDE mov ebx, esi
0040FDFC |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FE03 |. C1EB 08 shr ebx, 8
0040FE06 |. 81E3 FF000000 and ebx, 0FF
0040FE0C |. 0BFD or edi, ebp
0040FE0E |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FE15 |. 8BDA mov ebx, edx
0040FE17 |. 0BFD or edi, ebp
0040FE19 |. C1EB 18 shr ebx, 18
0040FE1C |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FE23 |. 8BDA mov ebx, edx
0040FE25 |. 0BFD or edi, ebp
0040FE27 |. C1EB 10 shr ebx, 10
0040FE2A |. 81E3 FF000000 and ebx, 0FF
0040FE30 |. 81E6 FF000000 and esi, 0FF
0040FE36 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FE3D |. 8BDA mov ebx, edx
0040FE3F |. C1EB 08 shr ebx, 8
0040FE42 |. 81E3 FF000000 and ebx, 0FF
0040FE48 |. 0BFD or edi, ebp
0040FE4A |. 81E2 FF000000 and edx, 0FF
0040FE50 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FE57 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FE5E |. 0BFD or edi, ebp
0040FE60 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FE67 |. 0BFB or edi, ebx
0040FE69 |. 0BFD or edi, ebp
0040FE6B |. 33C7 xor eax, edi
0040FE6D |. 8BD0 mov edx, eax
0040FE6F |. 8BF0 mov esi, eax
0040FE71 |. C1EA 04 shr edx, 4
0040FE74 |. 83E6 03 and esi, 3
0040FE77 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FE7D |. C1E6 1C shl esi, 1C
0040FE80 |. 0BD6 or edx, esi
0040FE82 |. 8B7424 34 mov esi, [esp+34]
0040FE86 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FE8C |. 33D6 xor edx, esi
0040FE8E |. 8B7424 30 mov esi, [esp+30]
0040FE92 |. 33F0 xor esi, eax
0040FE94 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FE9A |. 8BDE mov ebx, esi
0040FE9C |. 8BFE mov edi, esi
0040FE9E |. C1EB 10 shr ebx, 10
0040FEA1 |. 81E3 FF000000 and ebx, 0FF
0040FEA7 |. C1EF 18 shr edi, 18
0040FEAA |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FEB1 |. 8BDE mov ebx, esi
0040FEB3 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FEBA |. 81E6 FF000000 and esi, 0FF
0040FEC0 |. C1EB 08 shr ebx, 8
0040FEC3 |. 81E3 FF000000 and ebx, 0FF
0040FEC9 |. 0BFD or edi, ebp
0040FECB |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FED2 |. 8BDA mov ebx, edx
0040FED4 |. C1EB 18 shr ebx, 18
0040FED7 |. 0BFD or edi, ebp
0040FED9 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FEE0 |. 8BDA mov ebx, edx
0040FEE2 |. C1EB 10 shr ebx, 10
0040FEE5 |. 81E3 FF000000 and ebx, 0FF
0040FEEB |. 0BFD or edi, ebp
0040FEED |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FEF4 |. 8BDA mov ebx, edx
0040FEF6 |. C1EB 08 shr ebx, 8
0040FEF9 |. 81E3 FF000000 and ebx, 0FF
0040FEFF |. 0BFD or edi, ebp
0040FF01 |. 81E2 FF000000 and edx, 0FF
0040FF07 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FF0E |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FF15 |. 0BFD or edi, ebp
0040FF17 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FF1E |. 0BFB or edi, ebx
0040FF20 |. 0BFD or edi, ebp
0040FF22 |. 33CF xor ecx, edi
0040FF24 |. 8BD1 mov edx, ecx
0040FF26 |. 8BF1 mov esi, ecx
0040FF28 |. C1EA 04 shr edx, 4
0040FF2B |. 83E6 03 and esi, 3
0040FF2E |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FF34 |. C1E6 1C shl esi, 1C
0040FF37 |. 0BD6 or edx, esi
0040FF39 |. 8B7424 2C mov esi, [esp+2C]
0040FF3D |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FF43 |. 33D6 xor edx, esi
0040FF45 |. 8B7424 28 mov esi, [esp+28]
0040FF49 |. 33F1 xor esi, ecx
0040FF4B |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FF51 |. 8BFE mov edi, esi
0040FF53 |. 8BDE mov ebx, esi
0040FF55 |. C1EF 18 shr edi, 18
0040FF58 |. C1EB 10 shr ebx, 10
0040FF5B |. 81E3 FF000000 and ebx, 0FF
0040FF61 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FF68 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FF6F |. 8BDE mov ebx, esi
0040FF71 |. C1EB 08 shr ebx, 8
0040FF74 |. 81E3 FF000000 and ebx, 0FF
0040FF7A |. 0BFD or edi, ebp
0040FF7C |. 81E6 FF000000 and esi, 0FF
0040FF82 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FF89 |. 8BDA mov ebx, edx
0040FF8B |. C1EB 18 shr ebx, 18
0040FF8E |. 0BFD or edi, ebp
0040FF90 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FF97 |. 8BDA mov ebx, edx
0040FF99 |. C1EB 10 shr ebx, 10
0040FF9C |. 81E3 FF000000 and ebx, 0FF
0040FFA2 |. 0BFD or edi, ebp
0040FFA4 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FFAB |. 8BDA mov ebx, edx
0040FFAD |. C1EB 08 shr ebx, 8
0040FFB0 |. 81E3 FF000000 and ebx, 0FF
0040FFB6 |. 0BFD or edi, ebp
0040FFB8 |. 81E2 FF000000 and edx, 0FF
0040FFBE |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FFC5 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FFCC |. 0BFD or edi, ebp
0040FFCE |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FFD5 |. 0BFB or edi, ebx
0040FFD7 |. 0BFD or edi, ebp
0040FFD9 |. 33C7 xor eax, edi
0040FFDB |. 8BD0 mov edx, eax
0040FFDD |. 8BF0 mov esi, eax
0040FFDF |. C1EA 04 shr edx, 4
0040FFE2 |. 83E6 03 and esi, 3
0040FFE5 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FFEB |. C1E6 1C shl esi, 1C
0040FFEE |. 0BD6 or edx, esi
0040FFF0 |. 8B7424 24 mov esi, [esp+24]
0040FFF4 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FFFA |. 33D6 xor edx, esi
0040FFFC |. 8B7424 20 mov esi, [esp+20]
00410000 |. 33F0 xor esi, eax
00410002 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
00410008 |. 8BDE mov ebx, esi
0041000A |. 8BFE mov edi, esi
0041000C |. C1EB 10 shr ebx, 10
0041000F |. 81E3 FF000000 and ebx, 0FF
00410015 |. C1EF 18 shr edi, 18
00410018 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0041001F |. 8BDE mov ebx, esi
00410021 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
00410028 |. 81E6 FF000000 and esi, 0FF
0041002E |. C1EB 08 shr ebx, 8
00410031 |. 81E3 FF000000 and ebx, 0FF
00410037 |. 0BFD or edi, ebp
00410039 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
00410040 |. 8BDA mov ebx, edx
00410042 |. C1EB 18 shr ebx, 18
00410045 |. 0BFD or edi, ebp
00410047 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0041004E |. 8BDA mov ebx, edx
00410050 |. C1EB 10 shr ebx, 10
00410053 |. 81E3 FF000000 and ebx, 0FF
00410059 |. 0BFD or edi, ebp
0041005B |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
00410062 |. 8BDA mov ebx, edx
00410064 |. C1EB 08 shr ebx, 8
00410067 |. 81E3 FF000000 and ebx, 0FF
0041006D |. 0BFD or edi, ebp
0041006F |. 81E2 FF000000 and edx, 0FF
00410075 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0041007C |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
00410083 |. 0BFD or edi, ebp
00410085 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0041008C |. 0BFB or edi, ebx
0041008E |. 0BFD or edi, ebp
00410090 |. 33CF xor ecx, edi
00410092 |. 8BD1 mov edx, ecx
00410094 |. C1EA 04 shr edx, 4
00410097 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0041009D |. 8BF1 mov esi, ecx
0041009F |. 83E6 03 and esi, 3
004100A2 |. C1E6 1C shl esi, 1C
004100A5 |. 0BD6 or edx, esi
004100A7 |. 8B7424 1C mov esi, [esp+1C]
004100AB |. 81E6 3F3F3F3F and esi, 3F3F3F3F
004100B1 |. 33D6 xor edx, esi
004100B3 |. 8B7424 18 mov esi, [esp+18]
004100B7 |. 33F1 xor esi, ecx
004100B9 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
004100BF |. 8BDE mov ebx, esi
004100C1 |. 8BFE mov edi, esi
004100C3 |. C1EB 10 shr ebx, 10
004100C6 |. 81E3 FF000000 and ebx, 0FF
004100CC |. C1EF 18 shr edi, 18
004100CF |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
004100D6 |. 8BDE mov ebx, esi
004100D8 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
004100DF |. 81E6 FF000000 and esi, 0FF
004100E5 |. C1EB 08 shr ebx, 8
004100E8 |. 81E3 FF000000 and ebx, 0FF
004100EE |. 0BFD or edi, ebp
004100F0 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
004100F7 |. 8BDA mov ebx, edx
004100F9 |. C1EB 18 shr ebx, 18
004100FC |. 0BFD or edi, ebp
004100FE |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
00410105 |. 8BDA mov ebx, edx
00410107 |. C1EB 10 shr ebx, 10
0041010A |. 81E3 FF000000 and ebx, 0FF
00410110 |. 0BFD or edi, ebp
00410112 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
00410119 |. 8BDA mov ebx, edx
0041011B |. C1EB 08 shr ebx, 8
0041011E |. 81E3 FF000000 and ebx, 0FF
00410124 |. 0BFD or edi, ebp
00410126 |. 81E2 FF000000 and edx, 0FF
0041012C |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
00410133 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0041013A |. 0BFD or edi, ebp
0041013C |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
00410143 |. 0BFB or edi, ebx
00410145 |. 0BFD or edi, ebp
00410147 |. 33C7 xor eax, edi
00410149 |. 8BD0 mov edx, eax
0041014B |. 8BF0 mov esi, eax
0041014D |. C1EA 04 shr edx, 4
00410150 |. 83E6 03 and esi, 3
00410153 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
00410159 |. C1E6 1C shl esi, 1C
0041015C |. 0BD6 or edx, esi
0041015E |. 8B7424 14 mov esi, [esp+14]
00410162 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
00410168 |. 33D6 xor edx, esi
0041016A |. 8B7424 10 mov esi, [esp+10]
0041016E |. 33F0 xor esi, eax
00410170 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
00410176 |. 8BDE mov ebx, esi
00410178 |. 8BFE mov edi, esi
0041017A |. C1EB 10 shr ebx, 10
0041017D |. 81E3 FF000000 and ebx, 0FF
00410183 |. C1EF 18 shr edi, 18
00410186 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0041018D |. 8BDE mov ebx, esi
0041018F |. 8B3CBD 00714500 mov edi, [edi*4+457100]
00410196 |. C1EB 08 shr ebx, 8
00410199 |. 81E3 FF000000 and ebx, 0FF
0041019F |. 0BFD or edi, ebp
004101A1 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
004101A8 |. 8BDA mov ebx, edx
004101AA |. C1EB 18 shr ebx, 18
004101AD |. 0BFD or edi, ebp
004101AF |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
004101B6 |. 8BDA mov ebx, edx
004101B8 |. C1EB 10 shr ebx, 10
004101BB |. 81E3 FF000000 and ebx, 0FF
004101C1 |. 0BFD or edi, ebp
004101C3 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
004101CA |. 8BDA mov ebx, edx
004101CC |. 0BFD or edi, ebp
004101CE |. C1EB 08 shr ebx, 8
004101D1 |. 81E3 FF000000 and ebx, 0FF
004101D7 |. 81E2 FF000000 and edx, 0FF
004101DD |. 81E6 FF000000 and esi, 0FF
004101E3 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
004101EA |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
004101F1 |. 8B14B5 006B4500 mov edx, [esi*4+456B00]
004101F8 |. 0BFD or edi, ebp
004101FA |. 0BFB or edi, ebx
004101FC |. 0BFA or edi, edx
004101FE |. 8BD0 mov edx, eax
00410200 |. C1E2 1F shl edx, 1F
00410203 |. D1E8 shr eax, 1
00410205 |. 33CF xor ecx, edi
00410207 |. 0BD0 or edx, eax
00410209 |. 8BC1 mov eax, ecx
//以上是进行16轮循环加密。
0041020B |. 5F pop edi
0041020C |. C1E0 1E shl eax, 1E ; right
0041020F |. C1E9 02 shr ecx, 2
00410212 |. 0BC1 or eax, ecx
00410214 |. 8BC8 mov ecx, eax
00410216 |. 33CA xor ecx, edx ; right^left
00410218 |. 81E1 55555555 and ecx, 55555555 ; wwork
0041021E |. 33D1 xor edx, ecx ; left^right
00410220 |. 33C8 xor ecx, eax ; work^right
00410222 |. 8BC1 mov eax, ecx ; =>right
00410224 |. C1E8 17 shr eax, 17
00410227 |. C1E1 09 shl ecx, 9
0041022A |. 0BC1 or eax, ecx ; right>>0x17
0041022C |. 8BC8 mov ecx, eax
0041022E |. 33CA xor ecx, edx
00410230 |. 81E1 00FF00FF and ecx, FF00FF00 ; work
00410236 |. 33D1 xor edx, ecx ; left^=work
00410238 |. 33C8 xor ecx, eax ; work^right
0041023A |. 8BC1 mov eax, ecx
0041023C |. C1E0 16 shl eax, 16
0041023F |. C1E9 0A shr ecx, 0A
00410242 |. 0BC1 or eax, ecx ; right<<16
00410244 |. 8BC8 mov ecx, eax
00410246 |. 33CA xor ecx, edx ; work^left
00410248 |. 81E1 33333333 and ecx, 33333333 ; work
0041024E |. 33D1 xor edx, ecx
00410250 |. 33C8 xor ecx, eax ; work^right
00410252 |. 8BC1 mov eax, ecx
00410254 |. C1E0 12 shl eax, 12
00410257 |. C1E9 0E shr ecx, 0E
0041025A |. 0BC1 or eax, ecx ; right<<12
0041025C |. 8BC8 mov ecx, eax
0041025E |. 33CA xor ecx, edx
00410260 |. 81E1 0000FFFF and ecx, FFFF0000
00410266 |. 33D1 xor edx, ecx ; left^work
00410268 |. 33C8 xor ecx, eax
0041026A |. 8BC1 mov eax, ecx
0041026C |. C1E8 14 shr eax, 14
0041026F |. C1E1 0C shl ecx, 0C
00410272 |. 0BC1 or eax, ecx
00410274 |. 8BC8 mov ecx, eax
00410276 |. 33CA xor ecx, edx
00410278 |. 81E1 0F0F0F0F and ecx, 0F0F0F0F
0041027E |. 8BF1 mov esi, ecx ; work
00410280 |. 33C8 xor ecx, eax ; work=work^right
00410282 |. 33F2 xor esi, edx ; left=work^left
00410284 |. 8B9424 94000000 mov edx, [esp+94]
0041028B |. 8BC1 mov eax, ecx
0041028D |. C1E8 1C shr eax, 1C
00410290 |. C1E1 04 shl ecx, 4
00410293 |. 8932 mov [edx], esi
00410295 |. 0BC1 or eax, ecx
00410297 |. 5E pop esi
00410298 |. 5D pop ebp
00410299 |. 8942 04 mov [edx+4], eax
上面是初始置换的逆置换,并送出结果
0041029C |. 5B pop ebx
0041029D |. 81C4 80000000 add esp, 80
004102A3 \. C3 retn
因为它是一个类似于DES的加密算法,我们可以大胆地假设:它的加密部分应该和这个过程一模一样,唯一不同的地方就是子密钥的顺序相反。
基于这个思想,我们向下走。
这里先给出分析出来的置换和逆置换的源码。
// Input permutation of the recovered cipher, operating in place on the two
// 32-bit halves of a block.
//
// It is built from five "masked exchange" stages: t = (left ^ right) & mask is
// XORed into both halves, which swaps exactly the bits selected by mask between
// them. Each exchange is its own inverse, and the stages here run in the reverse
// order of FPERM with the opposite rotations, so IPERM undoes FPERM's five stages.
//
// Two rotations are left over: IPERM ends by rotating `left` by 1 and does not
// undo FPERM's opening rotrFixed(right, 2). RawProcessBlock in this write-up
// applies rotlFixed(r, 2) in its first round and rotrFixed(r, 1) at its end,
// which accounts for both.
//
// rotlFixed/rotrFixed are defined elsewhere; presumably 32-bit rotate left/right
// by a constant count -- confirm against the attached source.
static inline void IPERM(DWORD &left, DWORD &right)
{
    DWORD t;

    right = rotlFixed(right, 0x1c);

    // exchange nibbles
    t = (left ^ right) & 0x0f0f0f0f;
    left ^= t;
    right ^= t;
    right = rotrFixed(right, 0xC);

    // exchange high 16-bit halves
    t = (left ^ right) & 0xffff0000;
    left ^= t;
    right ^= t;
    right = rotrFixed(right, 0x12);

    // exchange bit pairs
    t = (left ^ right) & 0x33333333;
    left ^= t;
    right ^= t;
    right = rotrFixed(right, 0x16);

    // exchange alternate bytes
    t = (left ^ right) & 0xff00ff00;
    left ^= t;
    right ^= t;
    right = rotlFixed(right, 0x17);

    // exchange alternate bits; the left half is additionally rotated by one
    t = (left ^ right) & 0x55555555;
    left = rotlFixed(left ^ t, 0x1);
    right ^= t;
}
// Output permutation of the recovered cipher, operating in place on the two
// 32-bit halves of a block.
//
// This mirrors the tail of the disassembled routine (0041020C..00410299):
// rotate `right` by 2, then five stages of
//     t = (left ^ right) & mask;  left ^= t;  right ^= t;  rotate right
// with masks 0x55555555, 0xff00ff00, 0x33333333, 0xffff0000, 0x0f0f0f0f.
// Each stage swaps the masked bits between the two halves.
//
// rotlFixed/rotrFixed are defined elsewhere; presumably 32-bit rotate left/right
// by a constant count -- confirm against the attached source.
static inline void FPERM(DWORD &left, DWORD &right)
{
    DWORD t;

    right = rotrFixed(right, 0x2);

    // exchange alternate bits
    t = (left ^ right) & 0x55555555;
    left ^= t;
    right ^= t;
    right = rotrFixed(right, 0x17);

    // exchange alternate bytes
    t = (left ^ right) & 0xff00ff00;
    left ^= t;
    right ^= t;
    right = rotlFixed(right, 0x16);

    // exchange bit pairs
    t = (left ^ right) & 0x33333333;
    left ^= t;
    right ^= t;
    right = rotlFixed(right, 0x12);

    // exchange high 16-bit halves
    t = (left ^ right) & 0xffff0000;
    left ^= t;
    right ^= t;
    right = rotlFixed(right, 0xC);

    // exchange nibbles
    t = (left ^ right) & 0x0f0f0f0f;
    left ^= t;
    right ^= t;
    right = rotrFixed(right, 0x1c);
}
可以看出,它和原始的DES已经大大不同了。呵呵,还有更多好玩的在后面。进入子密钥初始化部分,发现比较简单,就是通过相关运算,和一个DWORD table[8][64]表取或得出的,我就直接用其代码了,等有时间再进行优化。
关键就是16轮的循环部分。
// The 16 rounds of the recovered cipher, between IPERM and FPERM.
//
// l_, r_ : the two 32-bit halves of the block; both are read first and
//          overwritten with the result on return.
//
// Round n (0..15) consumes the two schedule words key[2n] and key[2n+1]:
// one is XORed with the input half, the other with the input half rotated
// right by 4; every byte of each result is masked to 6 bits and used as an
// index into one of the eight Spbox tables. The eight lookups are OR-ed
// together and XORed into the other half. The halves swap roles every round
// (even rounds: l -> r, odd rounds: r -> l).
//
// The right half is rotated left by 2 before the first round, and the
// half written to l_ is rotated right by 1 after the last one.
void CXDes::RawProcessBlock(DWORD &l_, DWORD &r_)
{
    // half[0] plays the role of "l", half[1] the role of "r".
    DWORD half[2];
    half[0] = l_;
    half[1] = rotlFixed(r_, 2);

    for (unsigned n = 0; n < 16; ++n)
    {
        const unsigned src = n & 1;          // 0,1,0,1,... : l on even rounds, r on odd
        const DWORD in = half[src];

        const DWORD a = key[2*n] ^ in;                    // feeds tables 6,4,2,0
        const DWORD b = rotrFixed(in, 4) ^ key[2*n + 1];  // feeds tables 7,5,3,1

        half[src ^ 1] ^= (Spbox[6][(a >> 0x18) & 0x3f]
                        | Spbox[4][(a >> 0x10) & 0x3f]
                        | Spbox[2][(a >> 8) & 0x3f]
                        | Spbox[0][(a) & 0x3f]
                        | Spbox[7][(b >> 0x18) & 0x3f]
                        | Spbox[5][(b >> 0x10) & 0x3f]
                        | Spbox[3][(b >> 0x8) & 0x3f]
                        | Spbox[1][(b) & 0x3f]);
    }

    // Output with the halves exchanged; the new left half carries a rotate by 1.
    l_ = rotrFixed(half[1], 1);
    r_ = half[0];
}
这是我分析得出的循环部分,可以看出,它已经完全不同于正常的DES了:正常的DES是把各个SpBox的查表结果异或(XOR)起来,这里则是按位或(OR)。(补充:从下面列出的表看,8个SpBox各自的输出只落在互不重叠的4个比特位上,所以单就“合并8个查表结果”这一步而言,或与异或得到的结果相同。)它的SpBox全部如下:
// Lookup tables used by CXDes::RawProcessBlock: 8 tables of 64 DWORDs, each
// indexed by a 6-bit value (the round code masks every index with 0x3f).
//
// By inspection of the values below, every entry of a given table only uses
// four fixed bit positions, and the eight per-table masks do not overlap
// (together they cover all 32 bits):
//   [0] 0x80820200   [1] 0x10042004   [2] 0x41010040   [3] 0x04100402
//   [4] 0x02004108   [5] 0x20080810   [6] 0x00401081   [7] 0x08208020
// Consequently OR-ing one entry from each table yields the same DWORD as
// XOR-ing them would.
//
// NOTE(review): in the disassembly the round code reads eight tables at
// 0x456B00..0x457200, 0x100 bytes (64 DWORDs) apart; presumably those are
// these tables in the same order -- confirm against the binary.
const DWORD CXDes::Spbox[8][64]={
// Spbox[0] -- output bits 0x80820200
{
0x00820200 ,0x00020000 ,0x80800000 ,0x80820200,
0x00800000 ,0x80020200 ,0x80020000 ,0x80800000,
0x80020200 ,0x00820200 ,0x00820000 ,0x80000200,
0x80800200 ,0x00800000 ,0x00000000 ,0x80020000,
0x00020000 ,0x80000000 ,0x00800200 ,0x00020200,
0x80820200 ,0x00820000 ,0x80000200 ,0x00800200,
0x80000000 ,0x00000200 ,0x00020200 ,0x80820000,
0x00000200 ,0x80800200 ,0x80820000 ,0x00000000,
0x00000000 ,0x80820200 ,0x00800200 ,0x80020000,
0x00820200 ,0x00020000 ,0x80000200 ,0x00800200,
0x80820000 ,0x00000200 ,0x00020200 ,0x80800000,
0x80020200 ,0x80000000 ,0x80800000 ,0x00820000,
0x80820200 ,0x00020200 ,0x00820000 ,0x80800200,
0x00800000 ,0x80000200 ,0x80020000 ,0x00000000,
0x00020000 ,0x00800000 ,0x80800200 ,0x00820200,
0x80000000 ,0x80820000 ,0x00000200 ,0x80020200
},
// Spbox[1] -- output bits 0x10042004
{
0x10042004 ,0x00000000 ,0x00042000 ,0x10040000,
0x10000004 ,0x00002004 ,0x10002000 ,0x00042000,
0x00002000 ,0x10040004 ,0x00000004 ,0x10002000,
0x00040004 ,0x10042000 ,0x10040000 ,0x00000004,
0x00040000 ,0x10002004 ,0x10040004 ,0x00002000,
0x00042004 ,0x10000000 ,0x00000000 ,0x00040004,
0x10002004 ,0x00042004 ,0x10042000 ,0x10000004,
0x10000000 ,0x00040000 ,0x00002004 ,0x10042004,
0x00040004 ,0x10042000 ,0x10002000 ,0x00042004,
0x10042004 ,0x00040004 ,0x10000004 ,0x00000000,
0x10000000 ,0x00002004 ,0x00040000 ,0x10040004,
0x00002000 ,0x10000000 ,0x00042004 ,0x10002004,
0x10042000 ,0x00002000 ,0x00000000 ,0x10000004,
0x00000004 ,0x10042004 ,0x00042000 ,0x10040000,
0x10040004 ,0x00040000 ,0x00002004 ,0x10002000,
0x10002004 ,0x00000004 ,0x10040000 ,0x00042000
},
// Spbox[2] -- output bits 0x41010040
{
0x41000000 ,0x01010040 ,0x00000040 ,0x41000040,
0x40010000 ,0x01000000 ,0x41000040 ,0x00010040,
0x01000040 ,0x00010000 ,0x01010000 ,0x40000000,
0x41010040 ,0x40000040 ,0x40000000 ,0x41010000,
0x00000000 ,0x40010000 ,0x01010040 ,0x00000040,
0x40000040 ,0x41010040 ,0x00010000 ,0x41000000,
0x41010000 ,0x01000040 ,0x40010040 ,0x01010000,
0x00010040 ,0x00000000 ,0x01000000 ,0x40010040,
0x01010040 ,0x00000040 ,0x40000000 ,0x00010000,
0x40000040 ,0x40010000 ,0x01010000 ,0x41000040,
0x00000000 ,0x01010040 ,0x00010040 ,0x41010000,
0x40010000 ,0x01000000 ,0x41010040 ,0x40000000,
0x40010040 ,0x41000000 ,0x01000000 ,0x41010040,
0x00010000 ,0x01000040 ,0x41000040 ,0x00010040,
0x01000040 ,0x00000000 ,0x41010000 ,0x40000040,
0x41000000 ,0x40010040 ,0x00000040 ,0x01010000
},
// Spbox[3] -- output bits 0x04100402
{
0x00100402 ,0x04000400 ,0x00000002 ,0x04100402,
0x00000000 ,0x04100000 ,0x04000402 ,0x00100002,
0x04100400 ,0x04000002 ,0x04000000 ,0x00000402,
0x04000002 ,0x00100402 ,0x00100000 ,0x04000000,
0x04100002 ,0x00100400 ,0x00000400 ,0x00000002,
0x00100400 ,0x04000402 ,0x04100000 ,0x00000400,
0x00000402 ,0x00000000 ,0x00100002 ,0x04100400,
0x04000400 ,0x04100002 ,0x04100402 ,0x00100000,
0x04100002 ,0x00000402 ,0x00100000 ,0x04000002,
0x00100400 ,0x04000400 ,0x00000002 ,0x04100000,
0x04000402 ,0x00000000 ,0x00000400 ,0x00100002,
0x00000000 ,0x04100002 ,0x04100400 ,0x00000400,
0x04000000 ,0x04100402 ,0x00100402 ,0x00100000,
0x04100402 ,0x00000002 ,0x04000400 ,0x00100402,
0x00100002 ,0x00100400 ,0x04100000 ,0x04000402,
0x00000402 ,0x04000000 ,0x04000002 ,0x04100400
},
// Spbox[4] -- output bits 0x02004108
{
0x02000000 ,0x00004000 ,0x00000100 ,0x02004108,
0x02004008 ,0x02000100 ,0x00004108 ,0x02004000,
0x00004000 ,0x00000008 ,0x02000008 ,0x00004100,
0x02000108 ,0x02004008 ,0x02004100 ,0x00000000,
0x00004100 ,0x02000000 ,0x00004008 ,0x00000108,
0x02000100 ,0x00004108 ,0x00000000 ,0x02000008,
0x00000008 ,0x02000108 ,0x02004108 ,0x00004008,
0x02004000 ,0x00000100 ,0x00000108 ,0x02004100,
0x02004100 ,0x02000108 ,0x00004008 ,0x02004000,
0x00004000 ,0x00000008 ,0x02000008 ,0x02000100,
0x02000000 ,0x00004100 ,0x02004108 ,0x00000000,
0x00004108 ,0x02000000 ,0x00000100 ,0x00004008,
0x02000108 ,0x00000100 ,0x00000000 ,0x02004108,
0x02004008 ,0x02004100 ,0x00000108 ,0x00004000,
0x00004100 ,0x02004008 ,0x02000100 ,0x00000108,
0x00000008 ,0x00004108 ,0x02004000 ,0x02000008
},
// Spbox[5] -- output bits 0x20080810
{
0x20000010 ,0x00080010 ,0x00000000 ,0x20080800,
0x00080010 ,0x00000800 ,0x20000810 ,0x00080000,
0x00000810 ,0x20080810 ,0x00080800 ,0x20000000,
0x20000800 ,0x20000010 ,0x20080000 ,0x00080810,
0x00080000 ,0x20000810 ,0x20080010 ,0x00000000,
0x00000800 ,0x00000010 ,0x20080800 ,0x20080010,
0x20080810 ,0x20080000 ,0x20000000 ,0x00000810,
0x00000010 ,0x00080800 ,0x00080810 ,0x20000800,
0x00000810 ,0x20000000 ,0x20000800 ,0x00080810,
0x20080800 ,0x00080010 ,0x00000000 ,0x20000800,
0x20000000 ,0x00000800 ,0x20080010 ,0x00080000,
0x00080010 ,0x20080810 ,0x00080800 ,0x00000010,
0x20080810 ,0x00080800 ,0x00080000 ,0x20000810,
0x20000010 ,0x20080000 ,0x00080810 ,0x00000000,
0x00000800 ,0x20000010 ,0x20000810 ,0x20080800,
0x20080000 ,0x00000810 ,0x00000010 ,0x20080010
},
// Spbox[6] -- output bits 0x00401081
{
0x00001000 ,0x00000080 ,0x00400080 ,0x00400001,
0x00401081 ,0x00001001 ,0x00001080 ,0x00000000,
0x00400000 ,0x00400081 ,0x00000081 ,0x00401000,
0x00000001 ,0x00401080 ,0x00401000 ,0x00000081,
0x00400081 ,0x00001000 ,0x00001001 ,0x00401081,
0x00000000 ,0x00400080 ,0x00400001 ,0x00001080,
0x00401001 ,0x00001081 ,0x00401080 ,0x00000001,
0x00001081 ,0x00401001 ,0x00000080 ,0x00400000,
0x00001081 ,0x00401000 ,0x00401001 ,0x00000081,
0x00001000 ,0x00000080 ,0x00400000 ,0x00401001,
0x00400081 ,0x00001081 ,0x00001080 ,0x00000000,
0x00000080 ,0x00400001 ,0x00000001 ,0x00400080,
0x00000000 ,0x00400081 ,0x00400080 ,0x00001080,
0x00000081 ,0x00001000 ,0x00401081 ,0x00400000,
0x00401080 ,0x00000001 ,0x00001001 ,0x00401081,
0x00400001 ,0x00401080 ,0x00401000 ,0x00001001
},
// Spbox[7] -- output bits 0x08208020
{
0x08200020 ,0x08208000 ,0x00008020 ,0x00000000,
0x08008000 ,0x00200020 ,0x08200000 ,0x08208020,
0x00000020 ,0x08000000 ,0x00208000 ,0x00008020,
0x00208020 ,0x08008020 ,0x08000020 ,0x08200000,
0x00008000 ,0x00208020 ,0x00200020 ,0x08008000,
0x08208020 ,0x08000020 ,0x00000000 ,0x00208000,
0x08000000 ,0x00200000 ,0x08008020 ,0x08200020,
0x00200000 ,0x00008000 ,0x08208000 ,0x00000020,
0x00200000 ,0x00008000 ,0x08000020 ,0x08208020,
0x00008020 ,0x08000000 ,0x00000000 ,0x00208000,
0x08200020 ,0x08008020 ,0x08008000 ,0x00200020,
0x08208000 ,0x00000020 ,0x00200020 ,0x08008000,
0x08208020 ,0x00200000 ,0x08200000 ,0x08000020,
0x00208000 ,0x00008020 ,0x08008020 ,0x08200000,
0x00000020 ,0x08208000 ,0x00208020 ,0x00000000,
0x08000000 ,0x08200020 ,0x00008000 ,0x00208020
}
};
和一般的DES也已经大不一样了。通过对上面的分析,我便逆向出了解密过程。
加密过程和解密过程一样,只是32个子密钥(每轮2个DWORD,共16轮)的顺序相反,这一步我放在密钥初始化中完成:
// For decryption, reverse the order of the 16 round keys. Each round owns two
// consecutive schedule words, so the words are swapped pairwise:
// (0,1)<->(30,31), (2,3)<->(28,29), ... (14,15)<->(16,17).
if (decipher == 1)
{
    for (i = 0; i < 16; i += 2)
    {
        std::swap(key[i],     key[30 - i]);
        std::swap(key[i + 1], key[31 - i]);
    }
}
【总结】
以上就是我对xyz_119的提高型CrackMe的算法的还原分析,还有一个被我称之为unknown2的算法,因为时间关系,未能加以分析,欢迎大家补充,附上我还原出的源代码。