首页
社区
课程
招聘
[原创]第3题WP之手撕AES
发表于: 2022-5-13 18:40 7447

[原创]第3题WP之手撕AES

2022-5-13 18:40
7447

解出5个算法即可

算法未强解,有挺多都是自旋,调用加密函数3次或1次就解密了。

代码如下

 
 
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <iostream>
#include "IDAH.h"
 
 
 
 
//2222222222222222
unsigned char g_Arr_test[] = { 0xF6,0x6B,0xDE,0xFF,0x2C,0xD0,0x19,0x7A,0xFA,0xAA,0x74,0xEF,0xC4,0x80,0x61,0xD1 };
 
unsigned char g_Arr[] = { 0x57,0x7C,0xF5,0x6D,0x56,0x96,0x77,0x45,0xB0,0xBD,0xA1,0xC7,0x89,0xA5,0xAB,0xDC,0xF2,0xF4,0x4B,0xFE,0xBE,0xF5,0xF5,0x5C,0x4D,0x30,0x42,0x0F,0x2B,0x3B,0xE6,0xCB };
unsigned char g_Arr1[] = { 0x57,0x7C,0xF5,0x6D,0x56,0x96,0x77,0x45,0xB0,0xBD,0xA1,0xC7,0x89,0xA5,0xAB,0xDC};
unsigned char g_Arr2[] = { 0xF2,0xF4,0x4B,0xFE,0xBE,0xF5,0xF5,0x5C,0x4D,0x30,0x42,0x0F,0x2B,0x3B,0xE6,0xCB };
 
unsigned char g_Key1[] = { 0xFF, 0xB1, 0x65, 0x2F, 0xD0, 0x86, 0xED, 0x31, 0x0F, 0x5C, 0x28, 0x9A, 0x9D, 0x05, 0x48, 0x40 };
unsigned char g_Key2[] = { 0xF6, 0xEF, 0x0E, 0x7C, 0x26, 0x69, 0xE3, 0x4D, 0x29, 0x35, 0xCB, 0xD7, 0xB4, 0x30, 0x83, 0x97 };
unsigned char g_Key3[] = { 0x7E, 0x62, 0x0A, 0x92, 0x58, 0x0B, 0xE9, 0xDF, 0x71, 0x3E, 0x22, 0x08, 0xC5, 0x0E, 0xA1, 0x9F };
unsigned char g_Key4[] = { 0xA5, 0xC4, 0xA1, 0xA4, 0xFD, 0xCF, 0x48, 0x7B, 0x8C, 0xF1, 0x6A, 0x73, 0x49, 0xFF, 0xCB, 0xEC };
unsigned char g_Key5[] = { 0x6B, 0xFF, 0xB7, 0xB3, 0x96, 0x30, 0xFF, 0xC8, 0x1A, 0xC1, 0x95, 0xBB, 0x53, 0x3E, 0x5E, 0x57 };
unsigned char g_Key6[] = { 0x30, 0x12, 0x05, 0xFB, 0xA6, 0x22, 0xFA, 0x33, 0xBC, 0xE3, 0x6F, 0x88, 0xEF, 0xDD, 0x31, 0xDF };
unsigned char g_Key7[] = { 0xAE, 0xCD, 0xC4, 0x1C, 0x08, 0xEF, 0x3E, 0x2F, 0xB4, 0x0C, 0x51, 0xA7, 0x5B, 0xD1, 0x60, 0x78 };
unsigned char g_Key8[] = { 0x12, 0xF4, 0xFA, 0x8C, 0x1A, 0x1B, 0xC4, 0xA3, 0xAE, 0x17, 0x95, 0x04, 0xF5, 0xC6, 0xF5, 0x7C };
unsigned char g_Key9[] = { 0x02, 0x12, 0x4E, 0xEA, 0x18, 0x09, 0x8A, 0x49, 0xB6, 0x1E, 0x1F, 0x4D, 0x43, 0xD8, 0xEA, 0x31 };
unsigned char g_Key10[] = { 0xC5, 0x08, 0x2F, 0x76, 0xDD, 0x01, 0xA5, 0x3F, 0x6B, 0x1F, 0xBA, 0x72, 0x28, 0xC7, 0x50, 0x43 };
unsigned char g_Key11[] = { 0xDF, 0x3C, 0xE9, 0x13, 0x02, 0x3D, 0x4C, 0x2C, 0x69, 0x22, 0xF6, 0x5E, 0x41, 0xE5, 0xA6, 0x1D };
 
unsigned char byte_27B000[] = { 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D };
 
//constexpr BYTE aaa = byte_27B000[0x71];
//constexpr BYTE aaa2 = byte_27B000[0xA3];
 
std::string ArrayToStr(unsigned char* arr, size_t length)
{
    char* buffer = new char[length * 5];
    memset(buffer, 0, length * 5);
 
    char tmp_buffer[5] = { 0 };
    for (size_t i = 0; i < length; i++)
    {
        if (i == length - 1)
        {
            sprintf_s(tmp_buffer, sizeof(tmp_buffer) - 1, "%02X", arr[i]);
        }
        else
        {
            sprintf_s(tmp_buffer, sizeof(tmp_buffer) - 1, "%02X ", arr[i]);
        }
        strcat_s(buffer, length * 5 - 1, tmp_buffer);
    }
    std::string strRet = buffer;
    delete[] buffer;
    return strRet;
}
 
//算法0 自旋?
int __cdecl sub_271500(int a1, _BYTE* a2)
{
    int j; // [esp+0h] [ebp-8h]
    int i; // [esp+4h] [ebp-4h]
 
    for (i = 0; i < 4; ++i)
    {
        for (j = 0; j < 4; ++j)
            *(_BYTE*)(a1 + 4 * j + i) = *a2++;
    }
    return 0;
}
 
//算法1
int __cdecl sub_271A60(BYTE* a1)
{
    int j; // [esp+0h] [ebp-8h]
    int i; // [esp+4h] [ebp-4h]
 
    for (i = 0; i < 4; ++i)
    {
        for (j = 0; j < 4; ++j)
        {
            BYTE bTmp = a1[4 * i + j];
            a1[4 * i + j] = byte_27B000[bTmp];
        }
    }
    //for (i = 0; i < 16; ++i)
    //{
    //    BYTE bTmp = a1[i];
    //    a1[i] = byte_27B000[bTmp];
    //}
    return 0;
}
 
//算法1解密
int __cdecl sub_271A60_decode(BYTE* a1)
{
    int j; // [esp+0h] [ebp-8h]
    int i; // [esp+4h] [ebp-4h]
 
    for (i = 0; i < 16; ++i)
    {
        BYTE bTmp = a1[i];
        for (j = 0; j <= 0xFF; j++)
        {
            if (byte_27B000[j] == bTmp)
            {
                a1[i] = (BYTE)j;
                break;
            }
        }
    }
    return 0;
}
 
//算法2
//对称-加解密不同函数
//翻转int
static int sub_271AE0_decode_reverse_int(int value)
{
    int new_value = 0;
    *(BYTE*)((BYTE*)&new_value + 3) = *(BYTE*)((BYTE*)&value + 0);
    *(BYTE*)((BYTE*)&new_value + 2) = *(BYTE*)((BYTE*)&value + 1);
    *(BYTE*)((BYTE*)&new_value + 1) = *(BYTE*)((BYTE*)&value + 2);
    *(BYTE*)((BYTE*)&new_value + 0) = *(BYTE*)((BYTE*)&value + 3);
    return new_value;
}
int __cdecl sub_271AE0_decode(BYTE* data)
{
    int data2[4] = { 0 };
    data2[0] = *(int*)&data[0];
 
 
 
    data2[1] = sub_271AE0_decode_reverse_int((sub_271AE0_decode_reverse_int(*(int*)&data[4]) << 8) | ((sub_271AE0_decode_reverse_int(*(int*)&data[4]) >> 24) & 0x000000FF));
    data2[2] = sub_271AE0_decode_reverse_int((sub_271AE0_decode_reverse_int(*(int*)&data[8]) << 16) | ((sub_271AE0_decode_reverse_int(*(int*)&data[8]) >> 16) & 0x0000FFFF));
    data2[3] = sub_271AE0_decode_reverse_int((sub_271AE0_decode_reverse_int(*(int*)&data[12]) << 24) | ((sub_271AE0_decode_reverse_int(*(int*)&data[12]) >> 8) & 0x00FFFFFF));
 
    memcpy(data, data2, 16);
 
    return 0;
}
 
//算法3
char __cdecl sub_271D50(unsigned __int8 a1, char a2)
{
    int v3; // [esp+10h] [ebp-24h]
    int i; // [esp+14h] [ebp-20h]
    char v5; // [esp+1Bh] [ebp-19h]
 
    v5 = 0;
    //printf("%x  %x\n", a1, a2);
    for (i = 0; i < 8; ++i)
    {
        if ((a1 & 1) != 0)    //如果a1最后一位是1  只存在3种清空 1 2 3    01 10  11
            v5 ^= a2;
        v3 = a2 & 0x80;        // > 0x80  *2^0x1B     < 0x80*2
        a2 *= 2;
        if (v3)
            a2 ^= 0x1Bu;
        a1 >>= 1;
    }
    //printf("%x\n", v5);
    return v5;
}
int __cdecl sub_271E50(BYTE* a1)
{
    char v1; // bl
    char v2; // bl
    char v3; // bl
    int l; // [esp+Ch] [ebp-40h]
    int k; // [esp+10h] [ebp-3Ch]
    int j; // [esp+14h] [ebp-38h]
    int i; // [esp+18h] [ebp-34h]
    char v9[44]; // [esp+20h] [ebp-2Ch] BYREF
 
    v9[0] = 2;
    v9[1] = 3;
    v9[2] = 1;
    v9[3] = 1;
    v9[4] = 1;
    v9[5] = 2;
    v9[6] = 3;
    v9[7] = 1;
    v9[8] = 1;
    v9[9] = 1;
    v9[0xA] = 2;
    v9[0xB] = 3;
    v9[0xC] = 3;
    v9[0xD] = 1;
    v9[0xE] = 1;
    v9[0xF] = 2;
    //for (i = 0; i < 4; ++i)
    //{
    //    for (j = 0; j < 4; ++j)
    //        v9[4 * i + 0x18 + j] = a1[4 * i + j];
    //}
    for (i = 0; i < 16; ++i)
    {
        v9[i + 0x18] = a1[i];
    }
    for (k = 0; k < 4; ++k)
    {
        for (l = 0; l < 4; ++l)
        {
            v1 = sub_271D50(v9[4 * k], v9[l + 0x18]);
            v2 = sub_271D50(v9[4 * k + 1], v9[l + 0x1C]) ^ v1;
            v3 = sub_271D50(v9[4 * k + 2], v9[l + 0x20]) ^ v2;
            a1[4 * k + l] = sub_271D50(v9[4 * k + 3], v9[l + 0x24]) ^ v3;
        }
    }
    return 0;
}
int __cdecl sub_271E50_decode(BYTE* a1)
{
    //旋转?  旋3下解密
    sub_271E50(a1);
    sub_271E50(a1);
    sub_271E50(a1);
    return 0;
}
 
 
//算法4
//ok 对称-加解密同函数
int __cdecl sub_271970(BYTE* a1, BYTE* a2)
{
    int j; // [esp+0h] [ebp-20h]
    int i; // [esp+4h] [ebp-1Ch]
    int v5[5]; // [esp+Ch] [ebp-14h] BYREF
 
    v5[0] = 0xCCCCCCCC;
    v5[1] = 0xCCCCCCCC;
    v5[2] = 0xCCCCCCCC;
    v5[3] = 0xCCCCCCCC;
    v5[4] = 0xCCCCCCCC;
    for (i = 0; i < 4; ++i)
    {
        for (j = 0; j < 4; ++j)
        {
            *((BYTE*)&v5[i] + j) = *(DWORD*)&a2[4 * j] >> (8 * (3 - i));
            a1[4 * i + j] ^= *((BYTE*)&v5[i] + j);
        }
    }
    return 0;
}
 
 
//算法5-输出
//ok 对称-加解密同函数
int __cdecl sub_271570(BYTE* a1, BYTE* a2)
{
    int j; // [esp+0h] [ebp-8h]
    int i; // [esp+4h] [ebp-4h]
 
    for (i = 0; i < 4; ++i)
    {
        for (j = 0; j < 4; ++j)
            *a2++ = *(BYTE*)(a1 + 4 * j + i);
    }
    return 0;
}
 
 
 
 
 
std::string decode(BYTE* arr)
{
 
    unsigned char tmp_arr[17] = { 0 };
    sub_271570(arr, tmp_arr);
 
    sub_271970(tmp_arr, g_Key11);    //4
    sub_271AE0_decode(tmp_arr);        //2
    sub_271A60_decode(tmp_arr);        //1
 
 
    printf("%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环9
    sub_271970(tmp_arr, g_Key10);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环8
    sub_271970(tmp_arr, g_Key9);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环7
    sub_271970(tmp_arr, g_Key8);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环6
    sub_271970(tmp_arr, g_Key7);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环5
    sub_271970(tmp_arr, g_Key6);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环4
    sub_271970(tmp_arr, g_Key5);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环3
    sub_271970(tmp_arr, g_Key4);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环2
    sub_271970(tmp_arr, g_Key3);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //循环1
    sub_271970(tmp_arr, g_Key2);    //4
    printf("1:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271E50_decode(tmp_arr);        //3
    printf("2:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271AE0_decode(tmp_arr);        //2
    printf("3:%s\n", ArrayToStr(tmp_arr, 16).c_str());
    sub_271A60_decode(tmp_arr);        //1
    printf("4:%s\n", ArrayToStr(tmp_arr, 16).c_str());
 
    //最后算法4解出明文
    sub_271970(tmp_arr, g_Key1);    //4
    printf("%s [%s]\n", ArrayToStr(tmp_arr, 16).c_str(),(const char*)tmp_arr);
 
    //自旋一下
    BYTE key_arr[17] = { 0 };
    sub_271500((int)key_arr, tmp_arr);
    printf("%s\n", (const char*)key_arr);
    //TODO 4321循环9次  算法3未解密
    std::string strRet = (const char*)key_arr;
    return strRet;
}
 
int main()
{
    //作者放的干扰
    byte_27B000[0x71] ^= byte_27B000[0xA3];
    byte_27B000[0xA3] ^= byte_27B000[0x71];
    byte_27B000[0x71] ^= byte_27B000[0xA3];
 
    //干扰2
    //byte_27B200[0x10] = 0xF4;
    //byte_27B200[0x11] = 0xF2;
    g_Arr2[0] = 0xF4;
    g_Arr2[1] = 0xF2;
 
 
 
    std::string strKey1 = decode(g_Arr1);
    std::string strKey2 = decode(g_Arr2);
    std::string strKey = strKey1 + strKey2;
 
    printf("%s\n", strKey.c_str());
 
 
    system("pause");
    return 0;
}
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <iostream>
#include "IDAH.h"
 
 
 
 
//2222222222222222
unsigned char g_Arr_test[] = { 0xF6,0x6B,0xDE,0xFF,0x2C,0xD0,0x19,0x7A,0xFA,0xAA,0x74,0xEF,0xC4,0x80,0x61,0xD1 };
 
unsigned char g_Arr[] = { 0x57,0x7C,0xF5,0x6D,0x56,0x96,0x77,0x45,0xB0,0xBD,0xA1,0xC7,0x89,0xA5,0xAB,0xDC,0xF2,0xF4,0x4B,0xFE,0xBE,0xF5,0xF5,0x5C,0x4D,0x30,0x42,0x0F,0x2B,0x3B,0xE6,0xCB };
unsigned char g_Arr1[] = { 0x57,0x7C,0xF5,0x6D,0x56,0x96,0x77,0x45,0xB0,0xBD,0xA1,0xC7,0x89,0xA5,0xAB,0xDC};
unsigned char g_Arr2[] = { 0xF2,0xF4,0x4B,0xFE,0xBE,0xF5,0xF5,0x5C,0x4D,0x30,0x42,0x0F,0x2B,0x3B,0xE6,0xCB };
 
unsigned char g_Key1[] = { 0xFF, 0xB1, 0x65, 0x2F, 0xD0, 0x86, 0xED, 0x31, 0x0F, 0x5C, 0x28, 0x9A, 0x9D, 0x05, 0x48, 0x40 };
unsigned char g_Key2[] = { 0xF6, 0xEF, 0x0E, 0x7C, 0x26, 0x69, 0xE3, 0x4D, 0x29, 0x35, 0xCB, 0xD7, 0xB4, 0x30, 0x83, 0x97 };
unsigned char g_Key3[] = { 0x7E, 0x62, 0x0A, 0x92, 0x58, 0x0B, 0xE9, 0xDF, 0x71, 0x3E, 0x22, 0x08, 0xC5, 0x0E, 0xA1, 0x9F };
unsigned char g_Key4[] = { 0xA5, 0xC4, 0xA1, 0xA4, 0xFD, 0xCF, 0x48, 0x7B, 0x8C, 0xF1, 0x6A, 0x73, 0x49, 0xFF, 0xCB, 0xEC };
unsigned char g_Key5[] = { 0x6B, 0xFF, 0xB7, 0xB3, 0x96, 0x30, 0xFF, 0xC8, 0x1A, 0xC1, 0x95, 0xBB, 0x53, 0x3E, 0x5E, 0x57 };
unsigned char g_Key6[] = { 0x30, 0x12, 0x05, 0xFB, 0xA6, 0x22, 0xFA, 0x33, 0xBC, 0xE3, 0x6F, 0x88, 0xEF, 0xDD, 0x31, 0xDF };
unsigned char g_Key7[] = { 0xAE, 0xCD, 0xC4, 0x1C, 0x08, 0xEF, 0x3E, 0x2F, 0xB4, 0x0C, 0x51, 0xA7, 0x5B, 0xD1, 0x60, 0x78 };
unsigned char g_Key8[] = { 0x12, 0xF4, 0xFA, 0x8C, 0x1A, 0x1B, 0xC4, 0xA3, 0xAE, 0x17, 0x95, 0x04, 0xF5, 0xC6, 0xF5, 0x7C };
unsigned char g_Key9[] = { 0x02, 0x12, 0x4E, 0xEA, 0x18, 0x09, 0x8A, 0x49, 0xB6, 0x1E, 0x1F, 0x4D, 0x43, 0xD8, 0xEA, 0x31 };
unsigned char g_Key10[] = { 0xC5, 0x08, 0x2F, 0x76, 0xDD, 0x01, 0xA5, 0x3F, 0x6B, 0x1F, 0xBA, 0x72, 0x28, 0xC7, 0x50, 0x43 };
unsigned char g_Key11[] = { 0xDF, 0x3C, 0xE9, 0x13, 0x02, 0x3D, 0x4C, 0x2C, 0x69, 0x22, 0xF6, 0x5E, 0x41, 0xE5, 0xA6, 0x1D };
 
unsigned char byte_27B000[] = { 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D };
 
//constexpr BYTE aaa = byte_27B000[0x71];
//constexpr BYTE aaa2 = byte_27B000[0xA3];
 
std::string ArrayToStr(unsigned char* arr, size_t length)
{
    char* buffer = new char[length * 5];
    memset(buffer, 0, length * 5);
 
    char tmp_buffer[5] = { 0 };
    for (size_t i = 0; i < length; i++)
    {
        if (i == length - 1)
        {
            sprintf_s(tmp_buffer, sizeof(tmp_buffer) - 1, "%02X", arr[i]);
        }
        else
        {
            sprintf_s(tmp_buffer, sizeof(tmp_buffer) - 1, "%02X ", arr[i]);
        }
        strcat_s(buffer, length * 5 - 1, tmp_buffer);
    }
    std::string strRet = buffer;
    delete[] buffer;
    return strRet;
}
 
//算法0 自旋?
int __cdecl sub_271500(int a1, _BYTE* a2)
{
    int j; // [esp+0h] [ebp-8h]
    int i; // [esp+4h] [ebp-4h]
 
    for (i = 0; i < 4; ++i)
    {
        for (j = 0; j < 4; ++j)
            *(_BYTE*)(a1 + 4 * j + i) = *a2++;
    }
    return 0;
}
 
//算法1
int __cdecl sub_271A60(BYTE* a1)
{
    int j; // [esp+0h] [ebp-8h]
    int i; // [esp+4h] [ebp-4h]
 
    for (i = 0; i < 4; ++i)
    {
        for (j = 0; j < 4; ++j)
        {
            BYTE bTmp = a1[4 * i + j];
            a1[4 * i + j] = byte_27B000[bTmp];
        }
    }
    //for (i = 0; i < 16; ++i)
    //{
    //    BYTE bTmp = a1[i];
    //    a1[i] = byte_27B000[bTmp];
    //}
    return 0;
}
 
//算法1解密
int __cdecl sub_271A60_decode(BYTE* a1)
{
    int j; // [esp+0h] [ebp-8h]
    int i; // [esp+4h] [ebp-4h]
 
    for (i = 0; i < 16; ++i)
    {
        BYTE bTmp = a1[i];
        for (j = 0; j <= 0xFF; j++)
        {
            if (byte_27B000[j] == bTmp)
            {
                a1[i] = (BYTE)j;
                break;
            }
        }
    }
    return 0;
}
 
//算法2
//对称-加解密不同函数
//翻转int
static int sub_271AE0_decode_reverse_int(int value)
{
    int new_value = 0;
    *(BYTE*)((BYTE*)&new_value + 3) = *(BYTE*)((BYTE*)&value + 0);
    *(BYTE*)((BYTE*)&new_value + 2) = *(BYTE*)((BYTE*)&value + 1);
    *(BYTE*)((BYTE*)&new_value + 1) = *(BYTE*)((BYTE*)&value + 2);
    *(BYTE*)((BYTE*)&new_value + 0) = *(BYTE*)((BYTE*)&value + 3);
    return new_value;
}
int __cdecl sub_271AE0_decode(BYTE* data)
{
    int data2[4] = { 0 };
    data2[0] = *(int*)&data[0];
 
 
 
    data2[1] = sub_271AE0_decode_reverse_int((sub_271AE0_decode_reverse_int(*(int*)&data[4]) << 8) | ((sub_271AE0_decode_reverse_int(*(int*)&data[4]) >> 24) & 0x000000FF));
    data2[2] = sub_271AE0_decode_reverse_int((sub_271AE0_decode_reverse_int(*(int*)&data[8]) << 16) | ((sub_271AE0_decode_reverse_int(*(int*)&data[8]) >> 16) & 0x0000FFFF));
    data2[3] = sub_271AE0_decode_reverse_int((sub_271AE0_decode_reverse_int(*(int*)&data[12]) << 24) | ((sub_271AE0_decode_reverse_int(*(int*)&data[12]) >> 8) & 0x00FFFFFF));
 
    memcpy(data, data2, 16);
 
    return 0;
}
 
//算法3
char __cdecl sub_271D50(unsigned __int8 a1, char a2)
{
    int v3; // [esp+10h] [ebp-24h]
    int i; // [esp+14h] [ebp-20h]
    char v5; // [esp+1Bh] [ebp-19h]
 
    v5 = 0;
    //printf("%x  %x\n", a1, a2);
    for (i = 0; i < 8; ++i)
    {
        if ((a1 & 1) != 0)    //如果a1最后一位是1  只存在3种清空 1 2 3    01 10  11
            v5 ^= a2;
        v3 = a2 & 0x80;        // > 0x80  *2^0x1B     < 0x80*2
        a2 *= 2;
        if (v3)
            a2 ^= 0x1Bu;
        a1 >>= 1;
    }
    //printf("%x\n", v5);
    return v5;
}
int __cdecl sub_271E50(BYTE* a1)
{
    char v1; // bl
    char v2; // bl
    char v3; // bl
    int l; // [esp+Ch] [ebp-40h]
    int k; // [esp+10h] [ebp-3Ch]
    int j; // [esp+14h] [ebp-38h]
    int i; // [esp+18h] [ebp-34h]
    char v9[44]; // [esp+20h] [ebp-2Ch] BYREF
 
    v9[0] = 2;
    v9[1] = 3;
    v9[2] = 1;
    v9[3] = 1;
    v9[4] = 1;
    v9[5] = 2;
    v9[6] = 3;
    v9[7] = 1;
    v9[8] = 1;
    v9[9] = 1;
    v9[0xA] = 2;
    v9[0xB] = 3;

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2022-6-1 10:53 被wx_孤城编辑 ,原因:
上传的附件:
收藏
免费 4
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//