部分算法代码
#include "stdafx.h"
// In-place block encryption of `content`, eight bytes at a time.
//
// Parameters:
//   key     - four 32-bit key words k0..k3 (key[0] at the lowest address)
//   content - buffer encrypted in place; only the first (len / 8) * 8 bytes
//             are touched, any trailing bytes are left unchanged
//   len     - buffer length in bytes (negative or < 8: nothing is done)
//
// The inline routine below is labelled after the game's own procedure at
// 005F20D0 (the one the disassembly further down calls per block). It is
// wrapped in pushad/popad and jumped over so that its body can live inside
// the loop. Every block is encrypted independently with the same key and
// no chaining or IV (ECB-style), so identical 8-byte plaintext blocks yield
// identical ciphertext blocks. x86-32, MSVC `_asm` syntax.
void SunEnCrpyt(DWORD key[4], UCHAR *content, int len)
{
int ilen = len / 8;                     // number of whole 8-byte blocks
UCHAR *pos;                             // start of the current block
for(int idx = 0; idx < ilen; idx ++)
{
pos = (UCHAR*)&content[idx*8];
_asm
{
pushad                                  ; save all general registers around the call
mov eax, key
mov ecx, pos
push eax                                ; arg2: key pointer (pushed first, sits above the block pointer)
push ecx                                ; arg1: 8-byte block, encrypted in place
call Sungame_005F20D0                   ; encrypt one block
add esp, 8                              ; cdecl: caller removes the two arguments
jmp Sungame__005F20D0_END               ; skip over the inlined procedure body
Sungame_005F20D0: ;<= Procedure Start
; Frame after `sub esp, 0x10`: [esp+0x00..0x0F] local copy of the four key
; words, [esp+0x10] return address, [esp+0x14] block pointer,
; [esp+0x18] key pointer. Each push below shifts these offsets by 4.
sub esp, 0x10
mov ecx, dword ptr [esp+0x14]           ; ecx = block pointer
mov eax, dword ptr [ecx]                ; eax = v0 = block[0..3]
mov ecx, dword ptr [ecx+4]              ; ecx = v1 = block[4..7]
push ebx
push ebp
push esi
mov esi, dword ptr [esp+0x24]           ; esi = key pointer (0x18 + three pushes)
push edi
mov edi, dword ptr [esi+4]
mov dword ptr [esp+0x14], edi           ; local k1 = key[1]
mov edi, dword ptr [esi]
mov dword ptr [esp+0x10], edi           ; local k0 = key[0]
mov edi, dword ptr [esi+8]
mov esi, dword ptr [esi+0xC]
mov dword ptr [esp+0x1C], edi           ; local k2 = key[2]
xor edx, edx                            ; edx = sum = 0
mov dword ptr [esp+0x18], esi           ; local k3 = key[3]
mov edi, 0x20                           ; edi = round counter, 32 rounds
Sungame_005F2106:
; Round body. sub 0x61C88647 is add 0x9E3779B9 (the TEA delta); with that,
; the two halves below are the TEA encryption round:
;   v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)
;   v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3)
mov ebx, dword ptr [esp+0x10]           ; ebx = k0
mov ebp, dword ptr [esp+0x14]           ; ebp = k1
mov esi, ecx
shl esi, 4
add esi, ebx                            ; esi = (v1 << 4) + k0
mov ebx, ecx
shr ebx, 5
add ebx, ebp                            ; ebx = (v1 >> 5) + k1
mov ebp, dword ptr [esp+0x1C]           ; ebp = k2, for the second half
xor esi, ebx
sub edx, 0x61C88647                     ; sum += 0x9E3779B9
lea ebx, dword ptr [edx+ecx]            ; ebx = v1 + sum
xor esi, ebx
mov ebx, dword ptr [esp+0x18]           ; ebx = k3
add eax, esi                            ; v0 += ...
mov esi, eax
shr esi, 5
add esi, ebx                            ; esi = (v0 >> 5) + k3
mov ebx, eax
shl ebx, 4
add ebx, ebp                            ; ebx = (v0 << 4) + k2
xor esi, ebx
lea ebx, dword ptr [edx+eax]            ; ebx = v0 + sum
xor esi, ebx
add ecx, esi                            ; v1 += ...
dec edi
jnz Sungame_005F2106
mov edx, dword ptr [esp+0x24]           ; edx = block pointer (0x14 + four pushes)
pop edi
pop esi
pop ebp
mov dword ptr [edx], eax                ; block[0..3] = v0
mov dword ptr [edx+4], ecx              ; block[4..7] = v1
pop ebx
add esp, 0x10
retn
Sungame__005F20D0_END: ;<= Procedure End
popad                                   ; restore every register the routine touched
}
}
}
#ifdef _DEBUG
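// Debug driver: encrypts a 24-byte sample buffer with a fixed key and dumps
// the result as hex, eight bytes per line. Returns 0.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    // Four consecutive key words, as the game derives them from one seed.
    DWORD KEY4[4] = { 0x017682, 0x017683, 0x017684, 0x017685 };
    //BYTE DATA[8] = { 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31 };
    BYTE DATA[24] = {
        0x00, 0x00, 0x08, 0x30, 0x3B, 0x05, 0x00, 0x00, 0x00, 0x00,
        0x38, 0xCA, 0x12, 0x00, 0x66, 0x00, 0x00, 0x00, 0xAC, 0xDB,
        0x12, 0x00, 0xFB, 0x98
    };

    // String literals are read-only; keep the pointer const. The password is
    // copied over the start of the sample buffer, bounded by the buffer size
    // rather than relying on the literal being short enough.
    const char *password = "helloworld";
    size_t plen = strlen(password);
    if (plen > sizeof(DATA)) {
        plen = sizeof(DATA);
    }
    memcpy(DATA, password, plen);

    SunEnCrpyt(KEY4, DATA, (int)sizeof(DATA));

    for (size_t idx = 0; idx < sizeof(DATA); idx++) {
        printf("%02X,", (unsigned)DATA[idx]);
        if (idx % 8 == 7) {     // one 8-byte block per output line
            printf("\n");
        }
    }
    return 0;
}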
#endif
汇编部分
connect 得到 KEY
key = 01 58 01 00
加密函数
005F20A4 |. 50 |push eax ;[0012C7A0](16) = E6 32 01 00
E7 32 01 00
E8 32 01 00
E9 32 01 00
005F20A5 |. 8D0C2E |lea ecx, dword ptr [esi+ebp]
005F20A8 |. 51 |push ecx ;内容
005F20A9 |. E8 22000000 |call 005F20D0 ;加密
/*
参数1, KEY4
参数2, 加密的内容
*/
8字节加密一次
EncryptCall(DWORD key[4], BYTE* content)
; Wrapper around 005F20D0 (OllyDbg dump, x86-32, plain retn: caller cleans
; the arguments). Four stack arguments, read relative to esp right after
; `sub esp, 10`:
;   [esp+14] arg1  source buffer
;   [esp+18] arg2  length in bytes (compared as signed: jle / jl below)
;   [esp+1C] arg3  destination buffer, encrypted in place after the copy
;   [esp+20] arg4  key seed; key words are seed, seed+1, seed+2, seed+3
; Behaviour: if (arg2 % 8 != 0) return al = 0; copy arg2 bytes arg1 -> arg3;
; call 005F20D0(arg3 + i, key) for each 8-byte block; return al = 1.
; The four-word key is built in the 16-byte local frame at [esp+0..F]; each
; block is encrypted with that same key and no chaining.
005F2040 /$ 83EC 10 sub esp, 10                     ; locals: key[0..3]
005F2043 |. 8B4424 20 mov eax, dword ptr [esp+20]   ; eax = arg4 (seed)
005F2047 |. 8D48 01 lea ecx, dword ptr [eax+1]      ; ecx = seed + 1
005F204A |. 8D50 02 lea edx, dword ptr [eax+2]      ; edx = seed + 2
005F204D |. 890424 mov dword ptr [esp], eax         ; key[0] = seed
005F2050 |. 83C0 03 add eax, 3                      ; eax = seed + 3
005F2053 |. 53 push ebx                             ; frame offsets below shift by 4
005F2054 |. 8B5C24 1C mov ebx, dword ptr [esp+1C]   ; ebx = arg2 (length)
005F2058 |. 894424 10 mov dword ptr [esp+10], eax   ; key[3] = seed + 3
005F205C |. 8BC3 mov eax, ebx
005F205E |. 25 07000080 and eax, 80000007           ; signed length % 8 (compiler idiom; negatives fixed up below)
005F2063 |. 894C24 08 mov dword ptr [esp+8], ecx    ; key[1] = seed + 1
005F2067 |. 895424 0C mov dword ptr [esp+C], edx    ; key[2] = seed + 2
005F206B |. 79 05 jns short 005F2072                ; non-negative length: remainder is ready
005F206D |. 48 dec eax
005F206E |. 83C8 F8 or eax, FFFFFFF8
005F2071 |. 40 inc eax                              ; remainder for a negative length
005F2072 |> 74 07 je short 005F207B                 ; length is a multiple of 8: go on
005F2074 |. 32C0 xor al, al                         ; otherwise return 0 (rejected)
005F2076 |. 5B pop ebx
005F2077 |. 83C4 10 add esp, 10
005F207A |. C3 retn
005F207B |> 55 push ebp
005F207C |. 8B6C24 24 mov ebp, dword ptr [esp+24]   ; ebp = arg3 (destination)
005F2080 |. 56 push esi
005F2081 |. 8B7424 20 mov esi, dword ptr [esp+20]   ; esi = arg1 (source)
005F2085 |. 8BCB mov ecx, ebx                       ; ecx = length
005F2087 |. 8BD1 mov edx, ecx                       ; copy kept for the tail bytes
005F2089 |. C1E9 02 shr ecx, 2                      ; dword count (unsigned shift of the signed length)
005F208C |. 57 push edi
005F208D |. 8BFD mov edi, ebp                       ; edi = destination
005F208F |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi>   ; inlined memcpy: whole dwords
005F2091 |. 8BCA mov ecx, edx
005F2093 |. 83E1 03 and ecx, 3
005F2096 |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]     ; then the remaining 0-3 bytes
005F2098 |. 33F6 xor esi, esi                       ; esi = byte offset of the current block
005F209A |. 85DB test ebx, ebx
005F209C |. 7E 1A jle short 005F20B8                ; length <= 0 (signed): nothing to encrypt
005F209E |. 8BFF mov edi, edi                       ; 2-byte nop, loop-head padding
005F20A0 |> 8D4424 10 /lea eax, dword ptr [esp+10]  ; eax = &key[0] (four pushes above the locals)
005F20A4 |. 50 |push eax                            ; arg2 of 005F20D0: key
005F20A5 |. 8D0C2E |lea ecx, dword ptr [esi+ebp]    ; ecx = destination + offset
005F20A8 |. 51 |push ecx                            ; arg1 of 005F20D0: 8-byte block
005F20A9 |. E8 22000000 |call 005F20D0              ; encrypt the block in place
005F20AE |. 83C6 08 |add esi, 8
005F20B1 |. 83C4 08 |add esp, 8                     ; cdecl cleanup of the two arguments
005F20B4 |. 3BF3 |cmp esi, ebx
005F20B6 |.^ 7C E8 \jl short 005F20A0               ; while (offset < length), signed compare
005F20B8 |> 5F pop edi
005F20B9 |. 5E pop esi
005F20BA |. 5D pop ebp
005F20BB |. B0 01 mov al, 1                         ; return 1 (success)
005F20BD |. 5B pop ebx
005F20BE |. 83C4 10 add esp, 10
005F20C1 \. C3 retn
顺带发个多开工具,具体的就不说了
0041ED8E |. FF15 ACF06100 call dword ptr [<&KERNEL32.CreateSema>; \CreateSemaphoreA
前面JMP掉就可以了,可以开N个,只要你机器足够好