这是在面试启明X辰时,公司要求分析的 CreakMe,这里做一份记录。
整理一下各个按钮的 id 与对应的linstener
这个方法起初看起来有点复杂,一直以为是个加密的方法,但仔细观察,这其实就是个十六进制字符串转十进制的方法,将传入的十六进制字符串转换成了对应的十进制字节数组
方法D 由两个方法组成,分别是方法F 和方法E,而方法D只是简单的判断方法E的返回值真假
根据之前分析过的方法G,其实可以直接判断这显然是方法G的逆运算,也就是AES的解密方法,该方法返回了解密后的明文字节数组
按钮 generate2的分析较为困难,主要问题在于 OpenSSL 库函数较为生疏,而OpenSSL的所以这里先补充一下本次分析中遇到的数据结构和函数知识。
这个函数较为简单,通过函数 sub_46660 向 dest 中写入数据,回传到屏幕作为密码
这个函数就是 generate2 按钮的主体逻辑了,首先将该函数分为四个部分依次分析:
这个函数总的来讲就是不断的将求得的hash作为key再次求hash,在分析这个函数时遇到的问题主要在于作者使用了 HMAC_Update 并且还总是在参数中不该传0的传0,无法确定是否对上下文产生了影响,解决方法是花了一些时间在 VS 中搭了一下环境,写了一个简单的 demo 进行简单的测试。
测试demo
这个函数的总的来说就是使用上一层传入的 hash 作为 key,加密用户名得到 encrypt_data,然后将 encrypt_data分段赋值给最终的 res_encrypt_data,分析这个函数的问题也还是在于作者使用了 EVP_EncryptUpdate 这个不熟悉的函数,并且还总是在参数中不该传0的传0,无法确定是否对上下文产生了影响,解决方法是花了一些时间在 VS 中搭了一下环境,测试了各种情况的结果。
测试demo
这一部分主要就是通过 hash 第二次加密 encrypt_data 得到 encrypt_data2
这个函数主要分为三个部分:
初始化数组 v21、v22,需要注意的是 v21 与 v22 在内存中相邻
第一次循环加密
这个循环的赋值有点混乱,利用两个相邻的数组越界赋值,所以这里我们先进行一个初步整理
这样看依然不是很清晰,所以进一步整理:
这时可以看出是 v10 每次加上v21[i],避免v10作为下标时越界又与256取余,随后利用一个中间变量交换v21[v10]和v21[i]的值,实际上这一部分的结果是固定的。
第二次循环加密
整个循环中不好分析的难点在于 v15 = v12 + 1 - ((v12 + ((unsigned int)((v12 + 1) >> 31) >> 24) + 1) & 0xFFFFFF00);
这里做下该语句的简要分析:
(v12+1)>>31 因为v12是有符号类型,也就是说该结果不是0就是0xffffffff, 关键在于v12的最高位判断
而 v12 的值来自于 v15,纵观整个循环 v15 又来自 v12,看似互相套娃但由于v15和v12的初值都为0
所以在循环量较小的时候 v12 的高位必然为0,所以 ((v12 + ((unsigned int)((v12 + 1) >> 31) >> 24) + 1) & 0xFFFFFF00) = 0
那么看似复杂的第一行代码可以直接简化为 v15 = v12 + 1
随后将代码进一步进行化简,执行流程就更为清晰
由于已经详细的分析了 generate2, 简单观察便可知check2只是其流程的逆运算,这里附上一些分析代码片段:
代码片段1
代码片段2
代码片段3
代码片段4
check2 按钮总结
分析完 check2 按钮后,发现相比较 generate2 缺少一个流程,那就是求用户名 hash 作为key,于是回溯了一下这个 key,通过追溯发现,这个 key 已经通过两个异或加密函数加密在了 password 中,只需要将其逆运算取出来即可使用。
在分析按钮 generate3 时很多数据静态分析时并不存在,所以这里还需要分析 _init 函数,该函数地址并没有被 IDA 分析出来,可以通过以下两个办法找到:
使用 readelf 工具查看
使用 IDA 动态调试,在被写入数据的地址下内存写入断点
这个函数就是 _init 函数,其主要分为三个函数,分别是 set_buff1、 set_buff2、 set_buff3
这个函数首先将 19ca9c + image_base 存到 buff1_60[0-3] 中,根据后面的分析结果这里存的是一个函数地址,之后在 buff1_60[28-43] 中填入了一些随机数,随后调用了 sub_48840,并传入了一个字符串
该函数主要是一些范围的判断,主要还是调用函数 sub_488E0,并传入了一个字符串
这里就是 buff1 真正调用的函数,作用是初始化 buff1 空间中的数据
这个函数比较浅,主要就是计算随机数的 hash,然后初始化 buff2 的内存数据,结果是:
基本上和 set_buff2 如出一辙,调用了一个新的函数 get_hash2,不过和之前求hash函数的也是基本一致,这里直接列出 buff3 内存布局:
可以轻易发现,主要是调用了 MainActivity.this.getbt 方法
这里的 fun3 就是 buff3 的前四个字节指向的地址(19ca8c + image_base),整个按钮 generate3 的真正核心逻辑自此真正展开
函数 fun3 的大致逻辑如下:
主要功能为设置 dest 区域的内存数据
主要功能为设置 src 区域的内存数据,并返回一个影响密码长度的值,另外我记着在分析这个函数的时候遇到了阻碍 IDA 分析的一连串 nop,我的解决方法是把 nop 改为 mov eax, eax ,然后依次使用快捷键 u 、c、p、f5,重新识别。
这个函数总的来讲就是不断的修改 fun3 区域内的数据并最后计算出了一个 hash
这个函数主要就是在一个循环中通过一系列的变换,不断的在修改 src 中的数据
利用启动应用时初始化的数据,不断的求 hash、加密、更新数据区的内容,最终计算出 password
可以轻易发现,主要是调用了 MainActivity.this.getck 方法,通过其返回值判断成功失败
可以发现主要就是在调用函数 dword_1A50BC[0] + 4 而这个地址其实就是在 _init 初始化的 [19ca8c + image_base]+4(函数sub_43280)
这个函数是解密的核心函数,这里总结一下流程:
没有找到这个函数对应的加密流程,应该是导致解密失败的主要原因
EVP_DecryptFinal_ex 解密失败,这里我查阅了一下 openssl 源码,结合动态调试返回的地方,对应在 EVP_R_INVALID_OPERATION 处返回,正好源码里有注释,翻译了一下是:防止解密时意外使用加密上下文。 应该是解密的数据不对导致的失败返回 0。
和 generate3 相比,check3 的代码量少了许多,并没有像check2那样完全逆向流程解密,导致验证失败,而且我思考了一下,注册机应该是写不了的,因为最开始在 _init 函数中初始化的数据是随机的。
本次样本分析共历时七天,总的来讲主要集中在 OpenSSL 函数、SSE指令集的用法的细节问题,但最终经过网络搜索、动态调试和搭建实验环境调试 demo 予以解决。
[1] OpenSSL之EVP(一)——数据结构及源码结构介绍
https://blog.csdn.net/scuyxi/article/details/60365001
[2] OpenSSL学习之一:HMAC算法分析
https://blog.csdn.net/KXue0703/article/details/120795546
[3] SSE指令集优化学习:双线性插值
https://blog.csdn.net/djzhao/article/details/78408198
[4] OpenSSL中文手册之EVP库详解
https://blog.csdn.net/liao20081228/article/details/76285896
[5] Intel白皮书SSE2相关指令查询
https://software.intel.com/sites/landingpage/IntrinsicsGuide/#techs=SSE2&text=_mm_cmpeq_epi32&expand=773
最后附上样本
http://gofile.me/6J4EF/mzW5XxJtC
| 分析报告 |
分析环境 |
| 分析人 |
刘XX |
| 时间 |
2023年2月28日 |
| 平台 |
x86 模拟器 |
| 样本 |
分析环境 |
| 样本名称 |
20230221.demo.apk |
| MD5值 |
2A006D76B461ECE94596D46B3C9B3072 |
| SHA1值 |
CF7810FA84DCCFA7F4F21847188E133A4C80CBA7 |
| CRC32 |
6D81EAF7 |
| text |
id |
button |
linstener |
| generate1 |
btn_login |
this.s = button |
g |
| GENERATE2 |
btn_gen2 |
this.t = button2 |
e |
| generate3 |
btn_gen3 |
this.u = button3 |
f |
| check1 |
btn_check |
this.v = button4 |
d |
| check2 |
btn_check2 |
this.w = button5 |
b |
| check3 |
btn_check3 |
this.x = button6 |
c |
class g implements View.OnClickListener {
g() {
}
@Override
public void onClick(View view) {
String obj = MainActivity.this.y.getText().toString();
MainActivity.this.z.getText().toString();
if (obj.length() != 16) {
Toast.makeText(MainActivity.this.getApplicationContext(), "用户名长度必须为16字节", 0).show();
return;
}
MainActivity.this.v.setEnabled(true);
MainActivity.this.w.setEnabled(false);
MainActivity.this.x.setEnabled(false);
MainActivity.this.z.setText(com.test.pac.demo.a.a.a(MainActivity.this.G(obj.getBytes())));
}
}
class g implements View.OnClickListener {
g() {
}
@Override
public void onClick(View view) {
String obj = MainActivity.this.y.getText().toString();
MainActivity.this.z.getText().toString();
if (obj.length() != 16) {
Toast.makeText(MainActivity.this.getApplicationContext(), "用户名长度必须为16字节", 0).show();
return;
}
MainActivity.this.v.setEnabled(true);
MainActivity.this.w.setEnabled(false);
MainActivity.this.x.setEnabled(false);
MainActivity.this.z.setText(com.test.pac.demo.a.a.a(MainActivity.this.G(obj.getBytes())));
}
}
public byte[] G(byte[] bArr) {
try {
byte[] bArr2 = new byte[16];
new Random().nextBytes(bArr2);
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
cipher.init(1, new SecretKeySpec("6SvMO4msTk1OqA8n".getBytes(), "AES"), new IvParameterSpec(bArr2));
byte[] doFinal = cipher.doFinal(bArr);
byte[] bArr3 = new byte[doFinal.length + 16];
System.arraycopy(bArr2, 8, bArr3, 0, 8);
System.arraycopy(doFinal, 0, bArr3, 8, doFinal.length);
System.arraycopy(bArr2, 0, bArr3, doFinal.length + 8, 8);
return bArr3;
} catch (Exception e2) {
e2.printStackTrace();
return null;
}
}
public byte[] G(byte[] bArr) {
try {
byte[] bArr2 = new byte[16];
new Random().nextBytes(bArr2);
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
cipher.init(1, new SecretKeySpec("6SvMO4msTk1OqA8n".getBytes(), "AES"), new IvParameterSpec(bArr2));
byte[] doFinal = cipher.doFinal(bArr);
byte[] bArr3 = new byte[doFinal.length + 16];
System.arraycopy(bArr2, 8, bArr3, 0, 8);
System.arraycopy(doFinal, 0, bArr3, 8, doFinal.length);
System.arraycopy(bArr2, 0, bArr3, doFinal.length + 8, 8);
return bArr3;
} catch (Exception e2) {
e2.printStackTrace();
return null;
}
}
public static String a(byte[] bArr) {
StringBuffer stringBuffer = new StringBuffer();
for (byte b : bArr) {
String hexString = Integer.toHexString(b & 255);
if (hexString.length() == 1) {
hexString = '0' + hexString;
}
stringBuffer.append(hexString.toUpperCase());
}
return stringBuffer.toString();
}
public static String a(byte[] bArr) {
StringBuffer stringBuffer = new StringBuffer();
for (byte b : bArr) {
String hexString = Integer.toHexString(b & 255);
if (hexString.length() == 1) {
hexString = '0' + hexString;
}
stringBuffer.append(hexString.toUpperCase());
}
return stringBuffer.toString();
}
class d implements View.OnClickListener {
d() {
}
@Override
public void onClick(View view) {
Context applicationContext;
String str;
String obj = MainActivity.this.y.getText().toString();
String obj2 = MainActivity.this.z.getText().toString();
if (obj.length() != 16) {
Toast.makeText(MainActivity.this.getApplicationContext(), "用户名长度必须为16字节", 0).show();
return;
}
if (MainActivity.this.D(com.test.pac.demo.a.a.b(obj2), obj.getBytes()) > 0) {
applicationContext = MainActivity.this.getApplicationContext();
str = "verify success!";
} else {
applicationContext = MainActivity.this.getApplicationContext();
str = "verify failed!";
}
Toast.makeText(applicationContext, str, 0).show();
}
}
class d implements View.OnClickListener {
d() {
}
@Override
public void onClick(View view) {
Context applicationContext;
String str;
String obj = MainActivity.this.y.getText().toString();
String obj2 = MainActivity.this.z.getText().toString();
if (obj.length() != 16) {
Toast.makeText(MainActivity.this.getApplicationContext(), "用户名长度必须为16字节", 0).show();
return;
}
if (MainActivity.this.D(com.test.pac.demo.a.a.b(obj2), obj.getBytes()) > 0) {
applicationContext = MainActivity.this.getApplicationContext();
str = "verify success!";
} else {
applicationContext = MainActivity.this.getApplicationContext();
str = "verify failed!";
}
Toast.makeText(applicationContext, str, 0).show();
}
}
public static byte[] b(String str) {
if (str.length() < 1) {
return null;
}
byte[] bArr = new byte[str.length() / 2];
for (int i = 0; i < str.length() / 2; i++) {
int i2 = i * 2;
int i3 = i2 + 1;
bArr[i] = (byte) ((Integer.parseInt(str.substring(i2, i3), 16) * 16) + Integer.parseInt(str.substring(i3, i2 + 2), 16));
}
return bArr;
}
public static byte[] b(String str) {
if (str.length() < 1) {
return null;
}
byte[] bArr = new byte[str.length() / 2];
for (int i = 0; i < str.length() / 2; i++) {
int i2 = i * 2;
int i3 = i2 + 1;
bArr[i] = (byte) ((Integer.parseInt(str.substring(i2, i3), 16) * 16) + Integer.parseInt(str.substring(i3, i2 + 2), 16));
}
return bArr;
}
public int D(byte[] bArr, byte[] bArr2) {
return E(F(bArr), bArr2) ? 1 : 0;
}
public int D(byte[] bArr, byte[] bArr2) {
return E(F(bArr), bArr2) ? 1 : 0;
}
private byte[] F(byte[] bArr) {
try {
byte[] bArr2 = new byte[16];
System.arraycopy(bArr, 0, bArr2, 8, 8);
System.arraycopy(bArr, bArr.length - 8, bArr2, 0, 8);
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
cipher.init(2, new SecretKeySpec("6SvMO4msTk1OqA8n".getBytes(), "AES"), new IvParameterSpec(bArr2));
byte[] bArr3 = new byte[bArr.length - 16];
System.arraycopy(bArr, 8, bArr3, 0, bArr.length - 16);
return cipher.doFinal(bArr3);
} catch (Exception e2) {
e2.printStackTrace();
return null;
}
}
private byte[] F(byte[] bArr) {
try {
byte[] bArr2 = new byte[16];
System.arraycopy(bArr, 0, bArr2, 8, 8);
System.arraycopy(bArr, bArr.length - 8, bArr2, 0, 8);
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
cipher.init(2, new SecretKeySpec("6SvMO4msTk1OqA8n".getBytes(), "AES"), new IvParameterSpec(bArr2));
byte[] bArr3 = new byte[bArr.length - 16];
System.arraycopy(bArr, 8, bArr3, 0, bArr.length - 16);
return cipher.doFinal(bArr3);
} catch (Exception e2) {
e2.printStackTrace();
return null;
}
}
private boolean E(byte[] bArr, byte[] bArr2) {
if (bArr.length == 0 || bArr2.length == 0 || bArr.length != bArr2.length) {
return false;
}
for (int i = 0; i < bArr.length && i < bArr2.length; i++) {
if (bArr[i] != bArr2[i]) {
System.out.println("different");
return false;
}
}
return true;
}
private boolean E(byte[] bArr, byte[] bArr2) {
if (bArr.length == 0 || bArr2.length == 0 || bArr.length != bArr2.length) {
return false;
}
for (int i = 0; i < bArr.length && i < bArr2.length; i++) {
if (bArr[i] != bArr2[i]) {
System.out.println("different");
return false;
}
}
return true;
}
| 数据结构与函数 |
功能说明 |
|
| HMAC_CTX_init |
初始化一个 HMAC_CTX |
|
| HMAC_CTX |
是一个上下文,保存状态数据和中间计算 |
|
| EVP_sha256 |
返回 sha256 的 EVP_MD |
|
| EVP_MD |
用来存放摘要算法信息以及各种计算函数。 |
|
| HMAC_Init_ex |
初始化HAMC_CTX上下文结构,key为秘钥,len为秘钥长度,md为计算hash |
|
| HMAC_Update |
向HMAC上下文输入字节流 |
|
| HMAC_Final |
生成最终的HMAC串,成功时len更新为HMAC的长度 |
|
jbyteArray __cdecl Java_com_test_pac_demo_MainActivity_M1(JNIEnv *env, jobject a2, BYTE *bytes_)
{
jbyteArray v4;
int v6;
unsigned int user_name_length;
jbyte *byte_user_name;
char dest[4096];
unsigned int v10;
v10 = __readgsdword(0x14u);
user_name_length = (*env)->GetArrayLength(env, bytes_);
byte_user_name = (*env)->GetByteArrayElements(env, bytes_, 0);
memset(dest, 0, sizeof(dest));
v6 = sub_46660((int)byte_user_name, user_name_length, dest);
v4 = (*env)->NewByteArray(env, v6);
(*env)->SetByteArrayRegion(env, v4, 0, v6, dest);
(*env)->ReleaseByteArrayElements(env, bytes_, byte_user_name, 0);
return v4;
}
jbyteArray __cdecl Java_com_test_pac_demo_MainActivity_M1(JNIEnv *env, jobject a2, BYTE *bytes_)
{
jbyteArray v4;
int v6;
unsigned int user_name_length;
jbyte *byte_user_name;
char dest[4096];
unsigned int v10;
v10 = __readgsdword(0x14u);
user_name_length = (*env)->GetArrayLength(env, bytes_);
byte_user_name = (*env)->GetByteArrayElements(env, bytes_, 0);
memset(dest, 0, sizeof(dest));
v6 = sub_46660((int)byte_user_name, user_name_length, dest);
v4 = (*env)->NewByteArray(env, v6);
(*env)->SetByteArrayRegion(env, v4, 0, v6, dest);
(*env)->ReleaseByteArrayElements(env, bytes_, byte_user_name, 0);
return v4;
}
int __cdecl sub_46660(BYTE *byte_user_name, unsigned int user_name_length, char *dest)
{
......
canary = __readgsdword(0x14u);
memset(&key_data[32], 0, 32);
v3 = -32;
do
{
v4 = lrand48();
key_data[v3++ + 64] = v4 + v4 / 255;
}
while ( v3 );
memset(key_data, 0, 32);
v5 = -32;
do
{
v_eax = lrand48();
key_data[v5++ + 32] = v_eax + v_eax / 255;
}
while ( v5 );
memset(hash, 0, sizeof(hash));
hmac_ctx_hash(&key_data[32], key_data, hash);
strcpy((char *)const_key, "123456awxzcdfqwqt2wetbwerw");
memset(encrypt_data, 0, sizeof(encrypt_data));
evp_encrypt((int)hash, (int)&hash[32], 12, const_key, 27, (int)byte_user_name, user_name_length, encrypt_data);
memset(encrypt_data2, 0, sizeof(encrypt_data2));
*(__m128i *)hash_temp = _mm_load_si128((const __m128i *)&hash[48]);
__memcpy_chk((int)encrypt_data2, (int)encrypt_data, user_name_length + 16, 0x2800);
if ( !(((int)(user_name_length + 16) < 0) ^ __OFADD__(16, user_name_length) | (user_name_length == -16)) )
{
v_esi = 0;
v8 = user_name_length + 16;
if ( user_name_length >= 4294967280 )
goto LABEL_15;
if ( user_name_length + 15 > 15 )
goto LABEL_15;
v_esi = v8 & 0xFFFFFFF0;
si128 = _mm_load_si128((const __m128i *)(&(&off_1A25DC)[-11535] + 1));
v10 = _mm_load_si128((const __m128i *)(&off_1A25DC - 92275));
v11 = _mm_load_si128((const __m128i *)(&(&off_1A25DC)[-11534] + 1));
v12 = _mm_load_si128((const __m128i *)(&off_1A25DC - 92267));
v13 = 0;
v34 = *(__m128i *)hash_temp;
v31 = *(__m128i *)(&(&off_1A25DC)[-11533] + 1);
v33 = *(__m128i *)(&off_1A25DC - 92259);
v32 = _mm_load_si128((const __m128i *)(&(&off_1A25DC)[-11532] + 1));
......
while ( v_esi != v13 );
if ( v8 != v_esi )
{
LABEL_15:
do
{
v28 = (v_esi + 1) ^ hash_temp[v_esi & 0xF];
encrypt_data2[v_esi] = v28 ^ (((unsigned __int8)(encrypt_data[v_esi] + v28) >> 4) | (16
* (encrypt_data[v_esi] + v28)));
}
while ( v8 != ++v_esi );
}
}
memset(s, 0, 960u);
*(_OWORD *)hash_temp = *(_OWORD *)hash;
*(_OWORD *)&hash_temp[16] = *(_OWORD *)&hash[16];
*(_OWORD *)&hash_temp[32] = *(_OWORD *)&hash[32];
*(_OWORD *)&hash_temp[48] = *(_OWORD *)&hash[48];
__memcpy_chk((int)s, (int)encrypt_data2, user_name_length + 16, 960);
*(_OWORD *)v39 = 0LL;
return encrypt_4(hash_temp, user_name_length + 80, (int)v39, 16, dest);
}
int __cdecl sub_46660(BYTE *byte_user_name, unsigned int user_name_length, char *dest)
{
......
canary = __readgsdword(0x14u);
memset(&key_data[32], 0, 32);
v3 = -32;
do
{
v4 = lrand48();
key_data[v3++ + 64] = v4 + v4 / 255;
}
while ( v3 );
memset(key_data, 0, 32);
v5 = -32;
do
{
v_eax = lrand48();
key_data[v5++ + 32] = v_eax + v_eax / 255;
}
while ( v5 );
memset(hash, 0, sizeof(hash));
hmac_ctx_hash(&key_data[32], key_data, hash);
strcpy((char *)const_key, "123456awxzcdfqwqt2wetbwerw");
memset(encrypt_data, 0, sizeof(encrypt_data));
evp_encrypt((int)hash, (int)&hash[32], 12, const_key, 27, (int)byte_user_name, user_name_length, encrypt_data);
memset(encrypt_data2, 0, sizeof(encrypt_data2));
*(__m128i *)hash_temp = _mm_load_si128((const __m128i *)&hash[48]);
__memcpy_chk((int)encrypt_data2, (int)encrypt_data, user_name_length + 16, 0x2800);
if ( !(((int)(user_name_length + 16) < 0) ^ __OFADD__(16, user_name_length) | (user_name_length == -16)) )
{
v_esi = 0;
v8 = user_name_length + 16;
if ( user_name_length >= 4294967280 )
goto LABEL_15;
if ( user_name_length + 15 > 15 )
goto LABEL_15;
v_esi = v8 & 0xFFFFFFF0;
si128 = _mm_load_si128((const __m128i *)(&(&off_1A25DC)[-11535] + 1));
v10 = _mm_load_si128((const __m128i *)(&off_1A25DC - 92275));
v11 = _mm_load_si128((const __m128i *)(&(&off_1A25DC)[-11534] + 1));
v12 = _mm_load_si128((const __m128i *)(&off_1A25DC - 92267));
v13 = 0;
v34 = *(__m128i *)hash_temp;
v31 = *(__m128i *)(&(&off_1A25DC)[-11533] + 1);
v33 = *(__m128i *)(&off_1A25DC - 92259);
v32 = _mm_load_si128((const __m128i *)(&(&off_1A25DC)[-11532] + 1));
......
while ( v_esi != v13 );
if ( v8 != v_esi )
{
LABEL_15:
do
{
v28 = (v_esi + 1) ^ hash_temp[v_esi & 0xF];
encrypt_data2[v_esi] = v28 ^ (((unsigned __int8)(encrypt_data[v_esi] + v28) >> 4) | (16
* (encrypt_data[v_esi] + v28)));
}
while ( v8 != ++v_esi );
}
}
memset(s, 0, 960u);
*(_OWORD *)hash_temp = *(_OWORD *)hash;
*(_OWORD *)&hash_temp[16] = *(_OWORD *)&hash[16];
*(_OWORD *)&hash_temp[32] = *(_OWORD *)&hash[32];
*(_OWORD *)&hash_temp[48] = *(_OWORD *)&hash[48];
__memcpy_chk((int)s, (int)encrypt_data2, user_name_length + 16, 960);
*(_OWORD *)v39 = 0LL;
return encrypt_4(hash_temp, user_name_length + 80, (int)v39, 16, dest);
}
unsigned int __cdecl hmac_ctx_hash(BYTE *data, BYTE *key, BYTE *res)
{
int md;
__int64 v4;
__int64 v5;
int len;
char v8;
char v9;
BYTE hash3[32];
BYTE hash2[32];
int ctx[52];
BYTE hash1[40];
unsigned int canary;
canary = __readgsdword(0x14u);
memset(hash1, 0, 32);
HMAC_CTX_init((int)ctx);
md = EVP_sha256();
HMAC_Init_ex((int)ctx, (int)key, 32, md, 0);
HMAC_Update((int)ctx, (int)data, 0);
len = 0;
HMAC_Final((int)ctx, (int)hash1, (int)&len);
memset(hash2, 0, sizeof(hash2));
v9 = 1;
HMAC_CTX_init((int)ctx);
HMAC_Init_ex((int)ctx, (int)hash1, 32, md, 0);
HMAC_Update((int)ctx, (int)data, 0);
HMAC_Update((int)ctx, (int)&v9, 1);
len = 0;
HMAC_Final((int)ctx, (int)hash2, (int)&len);
memset(hash3, 0, sizeof(hash3));
v8 = 2;
HMAC_CTX_init((int)ctx);
HMAC_Init_ex((int)ctx, (int)hash1, 32, md, 0);
HMAC_Update((int)ctx, (int)hash2, 32);
HMAC_Update((int)ctx, (int)&v8, 1);
len = 0;
HMAC_Final((int)ctx, (int)hash3, (int)&len);
v4 = *(_QWORD *)&hash2[8];
*(_QWORD *)res = *(_QWORD *)hash2;
*((_QWORD *)res + 1) = v4;
*((_QWORD *)res + 2) = *(_QWORD *)&hash2[16];
*((_QWORD *)res + 3) = *(_QWORD *)&hash2[24];
*((_QWORD *)res + 7) = *(_QWORD *)&hash3[24];
*((_QWORD *)res + 6) = *(_QWORD *)&hash3[16];
v5 = *(_QWORD *)hash3;
*((_QWORD *)res + 5) = *(_QWORD *)&hash3[8];
*((_QWORD *)res + 4) = v5;
return __readgsdword(0x14u);
}
unsigned int __cdecl hmac_ctx_hash(BYTE *data, BYTE *key, BYTE *res)
{
int md;
__int64 v4;
__int64 v5;
int len;
char v8;
char v9;
BYTE hash3[32];
BYTE hash2[32];
int ctx[52];
BYTE hash1[40];
unsigned int canary;
canary = __readgsdword(0x14u);
memset(hash1, 0, 32);
HMAC_CTX_init((int)ctx);
md = EVP_sha256();
HMAC_Init_ex((int)ctx, (int)key, 32, md, 0);
HMAC_Update((int)ctx, (int)data, 0);
len = 0;
HMAC_Final((int)ctx, (int)hash1, (int)&len);
memset(hash2, 0, sizeof(hash2));
v9 = 1;
HMAC_CTX_init((int)ctx);
HMAC_Init_ex((int)ctx, (int)hash1, 32, md, 0);
HMAC_Update((int)ctx, (int)data, 0);
HMAC_Update((int)ctx, (int)&v9, 1);
len = 0;
HMAC_Final((int)ctx, (int)hash2, (int)&len);
memset(hash3, 0, sizeof(hash3));
v8 = 2;
HMAC_CTX_init((int)ctx);
HMAC_Init_ex((int)ctx, (int)hash1, 32, md, 0);
HMAC_Update((int)ctx, (int)hash2, 32);
HMAC_Update((int)ctx, (int)&v8, 1);
len = 0;
HMAC_Final((int)ctx, (int)hash3, (int)&len);
v4 = *(_QWORD *)&hash2[8];
*(_QWORD *)res = *(_QWORD *)hash2;
*((_QWORD *)res + 1) = v4;
*((_QWORD *)res + 2) = *(_QWORD *)&hash2[16];
*((_QWORD *)res + 3) = *(_QWORD *)&hash2[24];
*((_QWORD *)res + 7) = *(_QWORD *)&hash3[24];
*((_QWORD *)res + 6) = *(_QWORD *)&hash3[16];
v5 = *(_QWORD *)hash3;
*((_QWORD *)res + 5) = *(_QWORD *)&hash3[8];
*((_QWORD *)res + 4) = v5;
return __readgsdword(0x14u);
}
#include "openssl/hmac.h"
#include "openssl/evp.h"
#include "openssl/aes.h"
#pragma comment(lib, "libcrypto.lib")
int main()
{
unsigned char key[32] = { 0 };
unsigned char data[32] = { 0 };
unsigned char hash[32] = { 0 };
unsigned int len = 0;
for (int i = 0; i < 32; i++)
{
key[i] = i;
data[i] = i*2;
}
HMAC_CTX *ctx = HMAC_CTX_new();
const EVP_MD *md = EVP_sha256();
HMAC_Init_ex(ctx, key, 32, md, 0);
HMAC_Final(ctx, hash, &len);
}
#include "openssl/hmac.h"
#include "openssl/evp.h"
#include "openssl/aes.h"
#pragma comment(lib, "libcrypto.lib")
int main()
{
unsigned char key[32] = { 0 };
unsigned char data[32] = { 0 };
unsigned char hash[32] = { 0 };
unsigned int len = 0;
for (int i = 0; i < 32; i++)
{
key[i] = i;
data[i] = i*2;
}
HMAC_CTX *ctx = HMAC_CTX_new();
const EVP_MD *md = EVP_sha256();
HMAC_Init_ex(ctx, key, 32, md, 0);
HMAC_Final(ctx, hash, &len);
}
int __cdecl evp_encrypt(
int hash,
int iv,
int iv_len,
BYTE *const_key,
int const_key_length,
int byte_user_name,
int user_name_length,
char *res_encrypt_data)
{
int ctx;
int cipher;
size_t v10;
__int64 v11;
int v13;
size_t encrypt_data_len;
BYTE encrypt_data[1024];
unsigned int v16;
v16 = __readgsdword(0x14u);
ctx = EVP_CIPHER_CTX_new();
cipher = EVP_aes_256_gcm();
EVP_EncryptInit_ex(ctx, cipher, 0, 0, 0);
EVP_CIPHER_CTX_ctrl(ctx, 9, iv_len, 0);
EVP_EncryptInit_ex(ctx, 0, 0, hash, iv);
EVP_EncryptUpdate(ctx, 0, (int)&encrypt_data_len, (int)const_key, const_key_length);
EVP_EncryptUpdate(ctx, (int)encrypt_data, (int)&encrypt_data_len, byte_user_name, user_name_length);
memcpy(res_encrypt_data, encrypt_data, encrypt_data_len);
EVP_EncryptFinal_ex(ctx, (int)encrypt_data, (int)&v13);
EVP_CIPHER_CTX_ctrl(ctx, 16, 16, (int)encrypt_data);
v10 = encrypt_data_len;
v11 = *(_QWORD *)&encrypt_data[8];
*(_QWORD *)&res_encrypt_data[encrypt_data_len] = *(_QWORD *)encrypt_data;
*(_QWORD *)&res_encrypt_data[v10 + 8] = v11;
EVP_CIPHER_CTX_free(ctx);
return encrypt_data_len + 16;
}
int __cdecl evp_encrypt(
int hash,
int iv,
int iv_len,
BYTE *const_key,
int const_key_length,
int byte_user_name,
int user_name_length,
char *res_encrypt_data)
{
int ctx;
int cipher;
size_t v10;
__int64 v11;
int v13;
size_t encrypt_data_len;
BYTE encrypt_data[1024];
unsigned int v16;
v16 = __readgsdword(0x14u);
ctx = EVP_CIPHER_CTX_new();
cipher = EVP_aes_256_gcm();
EVP_EncryptInit_ex(ctx, cipher, 0, 0, 0);
EVP_CIPHER_CTX_ctrl(ctx, 9, iv_len, 0);
EVP_EncryptInit_ex(ctx, 0, 0, hash, iv);
EVP_EncryptUpdate(ctx, 0, (int)&encrypt_data_len, (int)const_key, const_key_length);
EVP_EncryptUpdate(ctx, (int)encrypt_data, (int)&encrypt_data_len, byte_user_name, user_name_length);
memcpy(res_encrypt_data, encrypt_data, encrypt_data_len);
EVP_EncryptFinal_ex(ctx, (int)encrypt_data, (int)&v13);
EVP_CIPHER_CTX_ctrl(ctx, 16, 16, (int)encrypt_data);
v10 = encrypt_data_len;
v11 = *(_QWORD *)&encrypt_data[8];
*(_QWORD *)&res_encrypt_data[encrypt_data_len] = *(_QWORD *)encrypt_data;
*(_QWORD *)&res_encrypt_data[v10 + 8] = v11;
EVP_CIPHER_CTX_free(ctx);
return encrypt_data_len + 16;
}
#include "openssl/hmac.h"
#include "openssl/evp.h"
#include "openssl/aes.h"
#pragma comment(lib, "libcrypto.lib")
int main()
{
unsigned char key[32] = { 0 };
unsigned char iv[32] = { 0 };
unsigned char encrypt_data[32] = { 0 };
unsigned char user_name[16] = { 'a','b','c','d', 'a','b','c','d','a','b','c','d', 'a','b','c','d' };
const unsigned char *const_key = (const unsigned char *)"123456awxzcdfqwqt2wetbwerw";
int len = 0;
for (int i = 0; i < 32; i++)
{
key[i] = i;
iv[i] = i;
}
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
const EVP_CIPHER *cipher = EVP_aes_256_gcm();
EVP_EncryptInit_ex(ctx, cipher, 0, key, iv);
EVP_CIPHER_CTX_ctrl(ctx, 9, 12, 0);
len = 0;
EVP_EncryptUpdate(ctx, encrypt_data, &len, user_name, 16);
len = 0;
EVP_EncryptFinal_ex(ctx, encrypt_data, &len);
}
#include "openssl/hmac.h"
#include "openssl/evp.h"
#include "openssl/aes.h"
#pragma comment(lib, "libcrypto.lib")
int main()
{
unsigned char key[32] = { 0 };
unsigned char iv[32] = { 0 };
unsigned char encrypt_data[32] = { 0 };
unsigned char user_name[16] = { 'a','b','c','d', 'a','b','c','d','a','b','c','d', 'a','b','c','d' };
const unsigned char *const_key = (const unsigned char *)"123456awxzcdfqwqt2wetbwerw";
int len = 0;
for (int i = 0; i < 32; i++)
{
key[i] = i;
iv[i] = i;
}
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
const EVP_CIPHER *cipher = EVP_aes_256_gcm();
EVP_EncryptInit_ex(ctx, cipher, 0, key, iv);
EVP_CIPHER_CTX_ctrl(ctx, 9, 12, 0);
len = 0;
EVP_EncryptUpdate(ctx, encrypt_data, &len, user_name, 16);
len = 0;
EVP_EncryptFinal_ex(ctx, encrypt_data, &len);
}
*(__m128i *)hash_temp = _mm_load_si128((const __m128i *)&hash[48]);
......
do
{
v28 = (v_esi + 1) ^ hash_temp[v_esi & 0xF];
encrypt_data2[v_esi] =
v28 ^ (((unsigned __int8)(encrypt_data[v_esi] + v28) >> 4) | (16* (encrypt_data[v_esi] + v28)));
}while ( v8 != ++v_esi );
*(__m128i *)hash_temp = _mm_load_si128((const __m128i *)&hash[48]);
......
do
{
v28 = (v_esi + 1) ^ hash_temp[v_esi & 0xF];
encrypt_data2[v_esi] =
v28 ^ (((unsigned __int8)(encrypt_data[v_esi] + v28) >> 4) | (16* (encrypt_data[v_esi] + v28)));
}while ( v8 != ++v_esi );
_BYTE v21[256];
_BYTE v22[264];
unsigned int v23;
v23 = __readgsdword(0x14u);
memcpy(dest, hash_temp, user_name_length_add_80);
memset(v22, 0, 256);
memset(v21, 0, sizeof(v21));
for ( i = 0; i != 256; ++i )
{
v21[i] = i;
v22[i] = v39[i % c_16];
}
v_dest = dest;
_BYTE v21[256];
_BYTE v22[264];
unsigned int v23;
v23 = __readgsdword(0x14u);
memcpy(dest, hash_temp, user_name_length_add_80);
memset(v22, 0, 256);
memset(v21, 0, sizeof(v21));
for ( i = 0; i != 256; ++i )
{
v21[i] = i;
v22[i] = v39[i % c_16];
}
v_dest = dest;
v6 = dest;
v7 = 0;
v8 = -256;
do
{
v9 = (unsigned __int8)v22[v8];
v10 = v9 + v7 + (unsigned __int8)v22[v8 + 256];
v10 %= 256;
v11 = v21[v10];
v21[v10] = v9;
v22[v8++] = v11;
v7 = v10;
}
while ( v8 );
v6 = dest;
v7 = 0;
v8 = -256;
do
{
v9 = (unsigned __int8)v22[v8];
v10 = v9 + v7 + (unsigned __int8)v22[v8 + 256];
v10 %= 256;
v11 = v21[v10];
v21[v10] = v9;
v22[v8++] = v11;
v7 = v10;
}
while ( v8 );
unsigned char v21[256] = {0};
for (int i = 0; i < 256; i++)
v21[i] = i;
int v7 = 0;
int v8 = 0;
int v9 = 0;
int v10 = 0;
char v11 = 0;
for (int i = 0; i < 256; i++)
{
v9 = v21[i];
v10 = v9 + v7;
v10 %= 256;
v11 = v21[v10];
v21[v10] = v9;
v21[i] = v11;
v7 = v10;
}
unsigned char v21[256] = {0};
for (int i = 0; i < 256; i++)
v21[i] = i;
int v7 = 0;
int v8 = 0;
int v9 = 0;
int v10 = 0;
char v11 = 0;
for (int i = 0; i < 256; i++)
{
v9 = v21[i];
v10 = v9 + v7;
v10 %= 256;
v11 = v21[v10];
v21[v10] = v9;
v21[i] = v11;
v7 = v10;
}
int v_tmp = 0;
for (int i = 0; i < 256; i++)
{
v10 += v21[i];
v10 %= 256;
v_tmp = v21[v10];
v21[v10] = v21[i];
v21[i] = v_tmp;
}
int v_tmp = 0;
for (int i = 0; i < 256; i++)
{
v10 += v21[i];
v10 %= 256;
v_tmp = v21[v10];
v21[v10] = v21[i];
v21[i] = v_tmp;
}
v12 = 0;
v13 = 0;
v14 = user_name_length_add_80;
do
{
v15 = v12 + 1 - ((v12 + ((unsigned int)((v12 + 1) >> 31) >> 24) + 1) & 0xFFFFFF00);
v16 = (unsigned __int8)v21[v15];
v13 = (v16 + v13) % 256;
v17 = v14;
v18 = v21[v13];
v21[v13] = v16;
v21[v15] = v18;
*v_dest++ ^= v21[(unsigned __int8)(v21[v13] + v18)];
v14 = v17 - 1;
v19 = v17 == 1;
v12 = v15;
}
v12 = 0;
v13 = 0;
v14 = user_name_length_add_80;
do
{
v15 = v12 + 1 - ((v12 + ((unsigned int)((v12 + 1) >> 31) >> 24) + 1) & 0xFFFFFF00);
v16 = (unsigned __int8)v21[v15];
v13 = (v16 + v13) % 256;
v17 = v14;
v18 = v21[v13];
v21[v13] = v16;
v21[v15] = v18;
*v_dest++ ^= v21[(unsigned __int8)(v21[v13] + v18)];
v14 = v17 - 1;
v19 = v17 == 1;
v12 = v15;
}
char tmp = 0;
do
{
v15++;
v13 = (v21[v15] + v13) % 256;
tmp = v21[v13];
v21[v13] = v21[v15];
v21[v15] = tmp;
*hash_temp++ ^= v21[(unsigned char)(v21[v13] + v21[v15])];
v14--;
} while (v14!=0);
char tmp = 0;
do
{
v15++;
v13 = (v21[v15] + v13) % 256;
tmp = v21[v13];
v21[v13] = v21[v15];
v21[v15] = tmp;
*hash_temp++ ^= v21[(unsigned char)(v21[v13] + v21[v15])];
v14--;
} while (v14!=0);
v21 = encrypt_4(pass_word, pass_word_len, (BYTE *)&v32, 16, v33);
v23 = v19;
*(_QWORD *)v34 = *(_QWORD *)v33;
*(_QWORD *)&v34[8] = *(_QWORD *)&v33[8];
*(_QWORD *)&v34[16] = *(_QWORD *)&v33[16];
*(_QWORD *)&v34[24] = *(_QWORD *)&v33[24];
*(_QWORD *)&v34[32] = *(_QWORD *)&v33[32];
*(_QWORD *)&v34[40] = *(_QWORD *)&v33[40];
v21 = encrypt_4(pass_word, pass_word_len, (BYTE *)&v32, 16, v33);
v23 = v19;
*(_QWORD *)v34 = *(_QWORD *)v33;
*(_QWORD *)&v34[8] = *(_QWORD *)&v33[8];
*(_QWORD *)&v34[16] = *(_QWORD *)&v33[16];
*(_QWORD *)&v34[24] = *(_QWORD *)&v33[24];
*(_QWORD *)&v34[32] = *(_QWORD *)&v33[32];
*(_QWORD *)&v34[40] = *(_QWORD *)&v33[40];
do
{
v15 = v7 ^ v24[((_BYTE)v7 - 1) & 0xF];
v5[v7 - 1] = __ROL1__(v15 ^ v33[v7 + 63], 4) - v15;
--v7;
}
while ( v7 > 0 );
do
{
v15 = v7 ^ v24[((_BYTE)v7 - 1) & 0xF];
v5[v7 - 1] = __ROL1__(v15 ^ v33[v7 + 63], 4) - v15;
--v7;
}
while ( v7 > 0 );
v21 = v6 - 80;
v16 = Decrypt((int)v34, (int)&v34[32], 12, (int)v31, 27, (int)&v5[v20 - 16], 16, (int)v5, v6 - 80, v24);
v4 = 0;
if ( v16 && v21 == user_name_len && !memcmp(v24, user_name, user_name_len) )
return 1;
v21 = v6 - 80;
v16 = Decrypt((int)v34, (int)&v34[32], 12, (int)v31, 27, (int)&v5[v20 - 16], 16, (int)v5, v6 - 80, v24);
v4 = 0;
if ( v16 && v21 == user_name_len && !memcmp(v24, user_name, user_name_len) )
return 1;
int __cdecl Decrypt(int key, int a2, int a3, int a4, int a5, int a6, int a7, int a8, int a9, void *dest)
{
int ctx;
int v11;
int v12;
size_t v14;
char src[1024];
unsigned int v16;
v16 = __readgsdword(0x14u);
ctx = EVP_CIPHER_CTX_new();
v11 = EVP_aes_256_gcm();
EVP_DecryptInit_ex(ctx, v11, 0, 0, 0);
EVP_CIPHER_CTX_ctrl(ctx, 9, a3, 0);
EVP_DecryptInit_ex(ctx, 0, 0, key, a2);
if ( a5 )
EVP_DecryptUpdate(ctx, 0, &v14, a4, a5);
EVP_DecryptUpdate(ctx, src, &v14, a8, a9);
memcpy(dest, src, v14);
EVP_CIPHER_CTX_ctrl(ctx, 17, a7, a6);
v12 = EVP_DecryptFinal_ex(ctx, src, &v14);
EVP_CIPHER_CTX_free(ctx);
return v12;
}
int __cdecl Decrypt(int key, int a2, int a3, int a4, int a5, int a6, int a7, int a8, int a9, void *dest)
{
int ctx;
int v11;
int v12;
size_t v14;
char src[1024];
unsigned int v16;
v16 = __readgsdword(0x14u);
ctx = EVP_CIPHER_CTX_new();
v11 = EVP_aes_256_gcm();
EVP_DecryptInit_ex(ctx, v11, 0, 0, 0);
EVP_CIPHER_CTX_ctrl(ctx, 9, a3, 0);
EVP_DecryptInit_ex(ctx, 0, 0, key, a2);
if ( a5 )
EVP_DecryptUpdate(ctx, 0, &v14, a4, a5);
EVP_DecryptUpdate(ctx, src, &v14, a8, a9);
memcpy(dest, src, v14);
EVP_CIPHER_CTX_ctrl(ctx, 17, a7, a6);
v12 = EVP_DecryptFinal_ex(ctx, src, &v14);
EVP_CIPHER_CTX_free(ctx);
return v12;
}
BYTE *__cdecl set_buff1(BYTE *buff1)
{
*(_DWORD *)buff1 = &off_19CA9C;
*((_DWORD *)buff1 + 5) = 0;
*((_DWORD *)buff1 + 4) = 0;
*((_DWORD *)buff1 + 6) = 0;
*((_DWORD *)buff1 + 12) = 0;
*((_DWORD *)buff1 + 11) = 0;
*((_DWORD *)buff1 + 14) = 0;
*((_DWORD *)buff1 + 13) = 0;
v1 = lrand48();
buff1[28] = v1 + v1 / 255;
v2 = lrand48();
......
buff1[42] = v15 + v15 / 255;
v16 = lrand48();
buff1[43] = v16 + v16 / -16777216;
return sub_48840(buff1 + 16, "3390fd362dfdda0030d5737632d3d213", 32u);
}
BYTE *__cdecl set_buff1(BYTE *buff1)
{
*(_DWORD *)buff1 = &off_19CA9C;
*((_DWORD *)buff1 + 5) = 0;
*((_DWORD *)buff1 + 4) = 0;
*((_DWORD *)buff1 + 6) = 0;
*((_DWORD *)buff1 + 12) = 0;
*((_DWORD *)buff1 + 11) = 0;
*((_DWORD *)buff1 + 14) = 0;
*((_DWORD *)buff1 + 13) = 0;
v1 = lrand48();
buff1[28] = v1 + v1 / 255;
v2 = lrand48();
......
buff1[42] = v15 + v15 / 255;
v16 = lrand48();
buff1[43] = v16 + v16 / -16777216;
return sub_48840(buff1 + 16, "3390fd362dfdda0030d5737632d3d213", 32u);
}
BYTE *__cdecl sub_48840(BYTE *buff1_16, void *src, size_t len_32)
{
v3 = *buff1_16;
v4 = 10;
if ( (v3 & 1) != 0 )
v4 = (*(_DWORD *)buff1_16 & 0xFFFFFFFE) - 1;
if ( v4 >= len_32 )
{
......
}
else
{
if ( (v3 & 1) != 0 )
v5 = *((_DWORD *)buff1_16 + 1);
else
v5 = v3 >> 1;
sub_488E0(buff1_16, v4, len_32 - v4, v5, 0, v5, len_32, src);
}
return buff1_16;
}
BYTE *__cdecl sub_48840(BYTE *buff1_16, void *src, size_t len_32)
{
v3 = *buff1_16;
v4 = 10;
if ( (v3 & 1) != 0 )
v4 = (*(_DWORD *)buff1_16 & 0xFFFFFFFE) - 1;
if ( v4 >= len_32 )
{
......
}
else
{
if ( (v3 & 1) != 0 )
v5 = *((_DWORD *)buff1_16 + 1);
else
v5 = v3 >> 1;
sub_488E0(buff1_16, v4, len_32 - v4, v5, 0, v5, len_32, src);
}
return buff1_16;
}
BYTE *__cdecl sub_488E0(BYTE *buff1_60_16,unsigned int a2,unsigned int a3,int a4,size_t n,int a6,size_t a7,void *src)
{
if ( 0xFFFFFFEE - a2 < a3 )
sub_48A20();
if ( (*buff1_16 & 1) != 0 )
v8 = (BYTE *)*((_DWORD *)buff1_16 + 2);
else
v8 = buff1_16 + 1;
v18 = v8;
v9 = -17;
if ( a2 <= 0x7FFFFFE6 )
{
v10 = a2 + a3;
if ( a2 + a3 < 2 * a2 )
v10 = 2 * a2;
v9 = 11;
if ( v10 >= 0xB )
v9 = (v10 + 16) & 0xFFFFFFF0;
}
v20 = v9;
buff_48 = (char *)operator new(v9);
buff_48_ = buff_48;
if ( n )
memcpy(buff_48, v18, n);
buff_48__ = buff_48_;
v13 = a6;
v14 = a7;
if ( a7 )
{
memcpy(&buff_48_[n], src, a7);
v13 = a6;
v14 = a7;
}
v15 = a4 - v13;
if ( a4 - v13 != n )
{
memcpy(&buff_48__[n + v14], &v18[n + a6], v15 - n);
v14 = a7;
}
if ( a2 != 10 )
{
operator delete(v18);
v14 = a7;
}
result = buff1_16;
*((_DWORD *)buff1_16 + 2) = buff_48__;
*(_DWORD *)buff1_16 = v20 | 1;
v17 = v14 + v15;
*((_DWORD *)buff1_16 + 1) = v17;
buff_48__[v17] = 0;
return result;
}
BYTE *__cdecl sub_488E0(BYTE *buff1_60_16,unsigned int a2,unsigned int a3,int a4,size_t n,int a6,size_t a7,void *src)
{
if ( 0xFFFFFFEE - a2 < a3 )
sub_48A20();
if ( (*buff1_16 & 1) != 0 )
v8 = (BYTE *)*((_DWORD *)buff1_16 + 2);
else
v8 = buff1_16 + 1;
v18 = v8;
v9 = -17;
if ( a2 <= 0x7FFFFFE6 )
{
v10 = a2 + a3;
if ( a2 + a3 < 2 * a2 )
v10 = 2 * a2;
v9 = 11;
if ( v10 >= 0xB )
v9 = (v10 + 16) & 0xFFFFFFF0;
}
v20 = v9;
buff_48 = (char *)operator new(v9);
buff_48_ = buff_48;
if ( n )
memcpy(buff_48, v18, n);
buff_48__ = buff_48_;
v13 = a6;
v14 = a7;
if ( a7 )
{
memcpy(&buff_48_[n], src, a7);
v13 = a6;
v14 = a7;
}
v15 = a4 - v13;
if ( a4 - v13 != n )
{
memcpy(&buff_48__[n + v14], &v18[n + a6], v15 - n);
v14 = a7;
}
if ( a2 != 10 )
{
operator delete(v18);
v14 = a7;
}
result = buff1_16;
*((_DWORD *)buff1_16 + 2) = buff_48__;
*(_DWORD *)buff1_16 = v20 | 1;
v17 = v14 + v15;
*((_DWORD *)buff1_16 + 1) = v17;
buff_48__[v17] = 0;
return result;
}
unsigned int __cdecl set_buff2(BYTE *buff2)
{
v31 = __readgsdword(0x14u);
*(_DWORD *)buff2 = &off_19CAAC;
*((_DWORD *)buff2 + 2) = 0;
*((_DWORD *)buff2 + 1) = 0;
*((_DWORD *)buff2 + 4) = 0;
*((_DWORD *)buff2 + 3) = 0;
memcpy(dest, byte_151F3A, sizeof(dest));
memcpy(buff2 + 20, dest, 512u);
RAND_bytes(v29, 32);
v1 = v29[3];
v28[3] = v29[3];
v2 = v29[2];
v28[2] = v29[2];
v3 = v29[1];
v28[1] = v29[1];
v28[0] = v29[0];
*(_QWORD *)(buff2 + 532) = v29[0];
*(_QWORD *)(buff2 + 540) = v3;
*(_QWORD *)(buff2 + 548) = v2;
*(_QWORD *)(buff2 + 556) = v1;
*(_QWORD *)(buff2 + 588) = v28[3];
v4 = v28[1];
*(_QWORD *)(buff2 + 564) = v28[0];
*(_QWORD *)(buff2 + 580) = v28[2];
*(_QWORD *)(buff2 + 572) = v4;
v5 = -64;
v6 = 0;
do
v6 = *(_WORD *)&buff2[2 * (buff2[v5++ + 596] ^ HIBYTE(v6)) + 20] ^ (v6 << 8);
while ( v5 );
v27 = v6;
*(_WORD *)((char *)v28 + 5) = v6;
hmac_ctx_hash((BYTE *)v28, (BYTE *)v29, buff2 + 532);
v7 = -32;
v8 = 0;
do
v8 = *(_WORD *)&buff2[2 * (*((unsigned __int8 *)v29 + v7++) ^ HIBYTE(v8)) + 20] ^ (v8 << 8);
while ( v7 );
v9 = lrand48() % 12;
*(_WORD *)&buff2[v9 + 532] = v8;
*(_WORD *)&buff2[v9 + 534] = v27;
v10 = _mm_xor_ps(*(__m128 *)(buff2 + 36), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 20) = _mm_xor_ps(*(__m128 *)(buff2 + 20), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 36) = v10;
v11 = _mm_xor_ps(*(__m128 *)(buff2 + 68), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 52) = _mm_xor_ps(*(__m128 *)(buff2 + 52), (__m128)xmmword_148490);
......
v25 = _mm_xor_ps(*(__m128 *)(buff2 + 516), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 500) = _mm_xor_ps(*(__m128 *)(buff2 + 500), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 516) = v25;
return __readgsdword(0x14u);
}
unsigned int __cdecl set_buff2(BYTE *buff2)
{
v31 = __readgsdword(0x14u);
*(_DWORD *)buff2 = &off_19CAAC;
*((_DWORD *)buff2 + 2) = 0;
*((_DWORD *)buff2 + 1) = 0;
*((_DWORD *)buff2 + 4) = 0;
*((_DWORD *)buff2 + 3) = 0;
memcpy(dest, byte_151F3A, sizeof(dest));
memcpy(buff2 + 20, dest, 512u);
RAND_bytes(v29, 32);
v1 = v29[3];
v28[3] = v29[3];
v2 = v29[2];
v28[2] = v29[2];
v3 = v29[1];
v28[1] = v29[1];
v28[0] = v29[0];
*(_QWORD *)(buff2 + 532) = v29[0];
*(_QWORD *)(buff2 + 540) = v3;
*(_QWORD *)(buff2 + 548) = v2;
*(_QWORD *)(buff2 + 556) = v1;
*(_QWORD *)(buff2 + 588) = v28[3];
v4 = v28[1];
*(_QWORD *)(buff2 + 564) = v28[0];
*(_QWORD *)(buff2 + 580) = v28[2];
*(_QWORD *)(buff2 + 572) = v4;
v5 = -64;
v6 = 0;
do
v6 = *(_WORD *)&buff2[2 * (buff2[v5++ + 596] ^ HIBYTE(v6)) + 20] ^ (v6 << 8);
while ( v5 );
v27 = v6;
*(_WORD *)((char *)v28 + 5) = v6;
hmac_ctx_hash((BYTE *)v28, (BYTE *)v29, buff2 + 532);
v7 = -32;
v8 = 0;
do
v8 = *(_WORD *)&buff2[2 * (*((unsigned __int8 *)v29 + v7++) ^ HIBYTE(v8)) + 20] ^ (v8 << 8);
while ( v7 );
v9 = lrand48() % 12;
*(_WORD *)&buff2[v9 + 532] = v8;
*(_WORD *)&buff2[v9 + 534] = v27;
v10 = _mm_xor_ps(*(__m128 *)(buff2 + 36), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 20) = _mm_xor_ps(*(__m128 *)(buff2 + 20), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 36) = v10;
v11 = _mm_xor_ps(*(__m128 *)(buff2 + 68), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 52) = _mm_xor_ps(*(__m128 *)(buff2 + 52), (__m128)xmmword_148490);
......
v25 = _mm_xor_ps(*(__m128 *)(buff2 + 516), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 500) = _mm_xor_ps(*(__m128 *)(buff2 + 500), (__m128)xmmword_148490);
*(__m128 *)(buff2 + 516) = v25;
return __readgsdword(0x14u);
}
unsigned int __cdecl set_buff3(BYTE *buff3)
{
v32 = __readgsdword(0x14u);
*(_DWORD *)buff3 = &off_19CA8C;
*((_DWORD *)buff3 + 18) = 0;
*((_DWORD *)buff3 + 17) = 0;
*((_DWORD *)buff3 + 20) = 0;
*((_DWORD *)buff3 + 19) = 0;
memcpy(dest, &unk_1485A0, sizeof(dest));
memcpy(buff3 + 84, dest, 512u);
RAND_bytes(key, 32);
v1 = *(_QWORD *)&key[24];
*(_QWORD *)&data[24] = *(_QWORD *)&key[24];
v2 = *(_QWORD *)&key[16];
*(_QWORD *)&data[16] = *(_QWORD *)&key[16];
v3 = *(_QWORD *)&key[8];
*(_QWORD *)&data[8] = *(_QWORD *)&key[8];
*(_QWORD *)data = *(_QWORD *)key;
*(_QWORD *)(buff3 + 4) = *(_QWORD *)key;
*(_QWORD *)(buff3 + 12) = v3;
*(_QWORD *)(buff3 + 20) = v2;
*(_QWORD *)(buff3 + 28) = v1;
*(_QWORD *)(buff3 + 60) = *(_QWORD *)&data[24];
v4 = *(_QWORD *)&data[8];
*(_QWORD *)(buff3 + 36) = *(_QWORD *)data;
*(_QWORD *)(buff3 + 52) = *(_QWORD *)&data[16];
*(_QWORD *)(buff3 + 44) = v4;
v5 = -64;
v6 = 0;
do
v6 = *(_WORD *)&buff3[2 * (buff3[v5++ + 68] ^ HIBYTE(v6)) + 84] ^ (v6 << 8);
while ( v5 );
v28 = v6;
*(_WORD *)&data[5] = v6;
get_hash2(v27, (int)data, (int)key, buff3 + 4);
v7 = -32;
v8 = 0;
do
v8 = *(_WORD *)&buff3[2 * (key[v7++] ^ HIBYTE(v8)) + 84] ^ (v8 << 8);
while ( v7 );
v9 = lrand48() % 30;
*(_WORD *)&buff3[v9 + 4] = v8;
*(_WORD *)&buff3[v9 + 6] = v28;
v10 = _mm_xor_ps(*(__m128 *)(buff3 + 100), (__m128)xmmword_1483D0);
......
v25 = _mm_xor_ps(*(__m128 *)(buff3 + 580), (__m128)xmmword_1483D0);
*(__m128 *)(buff3 + 564) = _mm_xor_ps(*(__m128 *)(buff3 + 564), (__m128)xmmword_1483D0);
*(__m128 *)(buff3 + 580) = v25;
return __readgsdword(0x14u);
}
unsigned int __cdecl set_buff3(BYTE *buff3)
{
v32 = __readgsdword(0x14u);
*(_DWORD *)buff3 = &off_19CA8C;
*((_DWORD *)buff3 + 18) = 0;
*((_DWORD *)buff3 + 17) = 0;
*((_DWORD *)buff3 + 20) = 0;
*((_DWORD *)buff3 + 19) = 0;
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2024-1-12 22:27
被简单的简单编辑
,原因:
badboyl
