[原创]KCTF2023 第五题 争分夺秒
发表于: 2023-9-12 14:39 8542


程序中充满大量混淆用的垃圾代码,没必要逐行分析;直接沿着命令行参数的传递路径(推测为 argv[1] → sub_4EB910 → sub_47B430)去找校验函数即可。

先看弹窗逻辑

2a 62 53 31 //4字节,第四层的M
4a 00       //arr1长度
37 38             //???
arr1            //第七层,大数arr1
f550c4d11be88545a17edf49a600d30212a17760f814f054f252f5fac9e3c915b1195d9f2d52f3bbd2cb5690982c85dfbca0c4102132cff25e4740f3c9c71174802c59a7faf98daebc52
9d a4 72 43 //4字节,第四层的N
4a 00       //arr2长度
33 34         //???
arr2            //第七层,大数arr2
54449bc8e9713a6f2de69acceadb2bb55f550294d7f4d887d561c858c12d74aa218e45766d0799391a8c617f5e3fb00fd4995e9e5077100721858261a223fb4773736ce6027275e7a9ec
0B 73 5F 7A //crc32  7A5F730B (小端存储;对前面全部字节计算,见 sub_455F80 中与末尾 4 字节的比较。注意 CRC 只是完整性校验,不是 MAC,能构造数据的人都能重算)
// Entry of the check dialog (decompiler output, register-passed arguments kept).
// a1 / a2 look like argc / argv (a1 == 2, a2 + 4 == argv[1]) — TODO confirm
// against the caller, which is not part of this excerpt.
// ebx0 / edi0 / a3 are only forwarded untouched to sub_47B430.
int __usercall sub_4EB910@<eax>(int ebx0@<ebx>, int edi0@<edi>, int a3@<esi>, int a1, int a2)
{
  if ( a1 == 2 )
  {
    // The length is computed and discarded: nothing here bounds the string
    // before it is handed to the verifier; all length handling is downstream.
    lstrlenA(*(LPCSTR *)(a2 + 4));
    // sub_47B430 (below) returns 1 only when every stage of the check passes.
    if ( sub_47B430(ebx0, edi0, a3, *(_DWORD *)(a2 + 4)) == 1 )
      MessageBoxA(0, "OK!", 0, 0);
    else
      MessageBoxA(0, "Error!", 0, 0);
  }
  return 0;
}
// Main verifier for the command-line string (decompiler output; the local
// declarations and the final `return result;` were cut by the author, so the
// loop bounds v1379 / v1361 and the key tables v1593 / v1577 are not visible here).
// Pipeline, each stage gating the next:
//   1. sub_40A580 — base64-decode a1 into (input, input_len); input is attacker-controlled.
//   2. sub_455F80 — checksum of input[0 .. len-4) must equal the trailing dword.
//      This is integrity only, not authentication: whoever builds the blob recomputes it.
//   3. sub_458D90 — parses two records {dword; word len; word; bytes[len]} and
//      bounds-checks them against input_len - 4 (see the excerpt further below).
//   4. sub_474170 — arithmetic check on the two leading dwords (author: a division).
//      NOTE(review): if either attacker-controlled dword is the divisor, zero must be
//      rejected before the divide or the program faults — confirm in sub_474170.
//   5. XOR passes keyed by the records' dwords, then sub_45F640 compares the two.
signed int __usercall sub_47B430@<eax>(int ebx0@<ebx>, int a2@<edi>, int a3@<esi>, int a1)
{
  if ( sub_40A580(ebx0, a2, a3, a1, (char **)&input, &input_len) )  √   //3339 base64-decode; the freshly decoded buffer is still intact at this point
  {
    // Author's annotation on the next line: with ("4234567890", 10) this computes
    // CRC32 over the first len-4 bytes and compares it with the last 4 bytes.
    if ( sub_455F80((int)input, input_len) )    ("4234567890", 10)  Crc32("前len-4位")==4位  √
    {
      if ( sub_458D90(ebx0, a2, input, input_len - 4, (int)&v2357, (int)&v2356) )   //the string carries two length fields; both are validated here (see sub_458D90 excerpt) √
      {
        if ( sub_474170(*v2357, *v2356) )   //division check on the two leading dwords; the author counts 2*4 = 8 satisfying combinations
        {
          // First XOR pass over arr1 (record 1, data at +8) with a 16-byte key.
          // The bound v1379 is presumably the word length at +4 — TODO confirm;
          // the bounds check in sub_458D90 only covers that many bytes.
          v1378 = v2357 + 8;                                                            //5153  .text:004870AC the data has to be patched once here (author's note)
          for ( i169 = 0; i169 < v1379; ++i169 )
          {
            v5 = 16;
            *(_BYTE *)(i169 + v1378) ^= *(&v1593 + i169 % 0x10u);
          }
          // Keyed transform of each record: (dword at +0, data at +8, word length at +4).
          sub_4E1620(*(_DWORD *)v2357, v2357 + 8, *(unsigned __int16 *)(v2357 + 4));    //5298  XOR pass over the array at +8
          sub_4E1620(*(_DWORD *)v2356, v2356 + 8, *(unsigned __int16 *)(v2356 + 4));    //5453
          // Second extra pass over arr1 only, with a different 16-byte key.
          v1360 = v2357 + 8;                                                            //5602
          for ( i214 = 0; i214 < v1361; ++i214 )
          {
            v5 = 16;
            *(_BYTE *)(i214 + v1360) ^= *(&v1577 + i214 % 0x10u);       //arr1 receives two more XOR passes than arr2
          }
          // Final comparison starts at record offset +2 (not +8) with the +4 word
          // as length — the odd offset is what the decompiler shows; confirm intent.
          if ( sub_45F640(
                 (int)(v2357 + 2),
                 *((unsigned __int16 *)v2357 + 2),
                 (int)(v2356 + 2),
                 *((unsigned __int16 *)v2356 + 2)) )
          {
            // Success side effect; v5 == 16 here from the loops above.
            sub_4E81E0(ebx0, a2, v5, v2359);
            result = 1;
          }
          else
            result = 0;
        }
        else
          result = 0;
      }
      else
        result = 0;
    }
    else
      result = 0;
  }
  else
    result = 0;
}
// Excerpt from the base64 decoder (enclosing loop not shown): linear scan of the
// decode table for the input character a1, leaving the index in kk.
// The three assignments after the break (v347, v232, v274) are not read anywhere in
// the excerpt — they look like the junk code the author mentions.
if ( BASE64_table_4FBD18[kk] == a1 )
  break;
v347 = 119;
v232 = -1;
v274 = 104;
// Trailer check inside sub_455F80 (enclosing function not shown): sub_453B90 is the
// checksum (the author identifies it as CRC32) over the first input_len - 4 bytes,
// compared with the trailing little-endian dword.
// No `input_len >= 4` guard is visible in this excerpt; if the decoder can return a
// shorter buffer, the read at input + input_len - 4 lands before it — TODO confirm upstream.
// A CRC is not a MAC: the trailer only detects corruption, not forgery.
v207 = sub_453B90(v2, v3, v4, (char *)input, input_len - 4);
if ( v207 == *(_DWORD *)(input_len + input - 4) )
      result = 1;
// Record-layout validation inside sub_458D90 (enclosing function not shown).
// Layout of each record: {dword at +0; word length at +4; word at +6; bytes[length] at +8}.
// Two 8-byte headers must fit, hence the minimum of 16 bytes after the CRC trailer.
// These comparisons are the only bounds protection for the later XOR loops and
// sub_4E1620 calls in sub_47B430, which read up to `length` bytes past +8.
if ( (unsigned int)input_len_jian4 >= 0x10 ) //len-4>=16
  {
    // Record 1 starts at the beginning of the decoded buffer.
    *(_DWORD *)a5 = input//1406
    // length1 is a zero-extended word, so the signed cast only rejects 0; the upper
    // bound keeps the second 8-byte header inside input_len - 4.
    if ( (signed int)*(unsigned __int16 *)(*(_DWORD *)a5 + 4) > 0                                //1547  45B83C
      && *(unsigned __int16 *)(*(_DWORD *)a5 + 4) <= (unsigned int)(input_len_jian4 - 16) )
    {
      // Record 2 immediately follows record 1's data.
      *(_DWORD *)a6 = input + *(unsigned __int16 *)(*(_DWORD *)a5 + 4) + 8;     //1655
      // length2 must fit in what remains after both headers and record 1's data;
      // together the two checks give 16 + length1 + length2 <= input_len - 4.
      if ( (signed int)*(unsigned __int16 *)(*(_DWORD *)a6 + 4) > 0              //1831          45d381
        && *(unsigned __int16 *)(*(_DWORD *)a6 + 4) <= input_len_jian4
                                                     - 16
                                                     - (unsigned int)*(unsigned __int16 *)(*(_DWORD *)a5 + 4) )
      {
        result = 1;
      }
    }
  }
