[转帖]Sentinel original packet decryption routines
发表于: 2007-3-18 16:50 2503

;------------------------------------------------------------------------
;
; (c)2001 by MeteO, meteo@null.net
; 25.10.2001 05:01
;
; Sentinel original packet decryption routines
;
;------------------------------------------------------------------------
CODESEG
;
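decrypt proc near
; void __stdcall decrypt(ApiPacket *lpApiPacket)
;
; Decrypts the payload of an API packet in place. The routine used is
; selected by the version word at [packet+4]:
;   < 3     -> @DecryptPacketData_0
;   3 or 4  -> @DecryptPacketData_1
;   5       -> @DecryptPacketData_3
;   > 5     -> @DecryptPacketData_4
; A packet with bit 3 set in the byte at [packet+10h] is left untouched
; (presumably a "not encrypted" flag - confirm against the API headers).
;
; In:    [esp+4] = lpApiPacket
; Out:   no meaningful return value
; Clobb: eax, ecx, edx, flags (ebx/esi/edi preserved)
; Stack: three saved registers, so the argument sits at esp+10h in the body.
;
; Register roles: esi = packet, edi = &payload, bx = payload size,
;                 eax = key read from the packet tail, cx = version.
lpApiPacket = dword ptr 10h
        push    ebx
        push    esi
        push    edi
        mov     esi, [esp+lpApiPacket]
        test    byte ptr [esi+10h], 8
        jnz     short @@quit
        push    esi
        call    GetCryptedDataOffs
        mov     edi, eax                        ; edi = start of encrypted payload
        push    esi
        call    GetCryptedDataSize
        movzx   ebx, ax                         ; only the low word is the size; clear the rest
        push    esi
        call    GetDecryptValue                 ; eax = key stored in the packet tail
        mov     cx, [esi+4]                     ; cx = protocol version
        cmp     cx, 3
        jnb     short @@ver_3_or_later
        push    ebx
        push    eax
        push    edi
        call    @DecryptPacketData_0
        jmp     short @@quit
@@ver_3_or_later:
        cmp     cx, 5
        jnb     short @@ver_5_or_later
        push    ebx
        push    eax
        push    edi
        call    @DecryptPacketData_1
        jmp     short @@quit
@@ver_5_or_later:
        push    ebx
        push    eax
        push    edi
        cmp     cx, 5                           ; re-test here instead of relying on flags surviving the pushes
        jne     short @@ver_above_5
        call    @DecryptPacketData_3
        jmp     short @@quit
@@ver_above_5:
        call    @DecryptPacketData_4
@@quit:
        pop     edi
        pop     esi
        pop     ebx
        retn    4
decrypt endp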

;------------------------------------------------------------------------
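encrypt proc near
; void __stdcall encrypt(ApiPacket *lpApiPacket)
;
; Encrypts the payload of an API packet in place. The value currently stored
; in the packet tail (GetDecryptValue) is run through a key-derivation routine,
; the derived key is written back into the tail (StoreEncryptValue) so that
; decrypt can read it again, and the payload is encrypted with it. Both the
; derivation and the cipher routine depend on the version word at [packet+4]:
;   < 3     -> key = SubDecrypt_0(v),       DoEncrypt_3
;   3 or 4  -> key = GetEncryptValue_2(v),  DoEncrypt_2
;   5       -> key = SubDecrypt_0(v),       DoEncrypt_4
;   > 5     -> key = SubDecrypt_4(v),       DoEncrypt_5
; A packet with bit 3 set in the byte at [packet+10h] is left untouched.
;
; In:    [esp+4] = lpApiPacket
; Out:   no meaningful return value
; Clobb: eax, ecx, edx, flags (ebx/esi/edi/ebp preserved)
; Stack: four saved registers, so the argument sits at esp+14h in the body.
;
; Register roles: edi = packet, ebx = &payload, si = payload size,
;                 ebp = derived key, cx = version.
lpApiPacket = dword ptr 14h
        push    ebx
        push    esi
        push    edi
        push    ebp
        mov     edi, [esp+lpApiPacket]
        test    byte ptr [edi+10h], 8
        jnz     @@quit
        push    edi
        call    GetCryptedDataOffs
        mov     ebx, eax                        ; ebx = start of payload
        push    edi
        call    GetCryptedDataSize
        movzx   esi, ax                         ; only the low word is the size; clear the rest
        push    edi
        call    GetDecryptValue                 ; eax = value currently in the packet tail
        mov     cx, [edi+4]                     ; cx = protocol version
        cmp     cx, 3
        jnb     short @@ver_3_or_later
        push    eax
        call    SubDecrypt_0
        mov     ebp, eax                        ; ebp = derived key
        push    ebp
        push    edi
        call    StoreEncryptValue               ; publish the key in the packet tail
        push    esi
        push    ebp
        push    ebx
        call    DoEncrypt_3
        jmp     @@quit
@@ver_3_or_later:
        cmp     cx, 5
        jnb     short @@ver_5_or_later
        push    eax
        call    GetEncryptValue_2
        mov     ebp, eax
        push    ebp
        push    edi
        call    StoreEncryptValue
        push    esi
        push    ebp
        push    ebx
        call    DoEncrypt_2
        jmp     @@quit
@@ver_5_or_later:
        push    eax
        cmp     cx, 5                           ; re-test here instead of relying on flags surviving the push
        jne     short @@ver_above_5
        call    SubDecrypt_0
        mov     ebp, eax
        push    ebp
        push    edi
        call    StoreEncryptValue
        push    esi
        push    ebp
        push    ebx
        call    DoEncrypt_4
        jmp     @@quit
@@ver_above_5:
        call    SubDecrypt_4
        mov     ebp, eax
        push    ebp
        push    edi
        call    StoreEncryptValue
        push    esi
        push    ebp
        push    ebx
        call    DoEncrypt_5
@@quit:
        pop     ebp
        pop     edi
        pop     esi
        pop     ebx
        retn    4
encrypt endp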

;------------------------------------------------------------------------
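GetDecryptValue proc near
; DWORD __stdcall GetDecryptValue(ApiPacket *lpApiPacket)
;
; Returns the 32-bit value stored in the last four bytes of the packet:
; bytes [len-4 .. len-1], len being the length word at [packet+2], assembled
; little-endian (byte len-4 is the low byte). The original did this with four
; byte loads through a stack temporary; one dword load reads the same four
; bytes in the same order and needs no frame.
;
; In:    [esp+4] = lpApiPacket
; Out:   eax = stored value
; Clobb: ecx
; NOTE(review): len comes from the packet itself and is not checked here. A len
; below 4 addresses bytes in front of the packet and a len larger than the
; buffer reads past its end; the caller has to validate the length field.
lpApiPacket = dword ptr 4
        mov     ecx, [esp+lpApiPacket]
        movzx   eax, word ptr [ecx+2]           ; eax = packet length
        mov     eax, [ecx+eax-4]                ; eax = dword at packet + len - 4
        retn    4
GetDecryptValue endp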
;------------------------------------------------------------------------
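StoreEncryptValue proc near
; void __stdcall StoreEncryptValue(ApiPacket *lpApiPacket, DWORD dwValue)
;
; Writes dwValue little-endian into the last four bytes of the packet
; (bytes [len-4 .. len-1], len = length word at [packet+2]); the inverse of
; GetDecryptValue. The four byte stores of the original are one dword store.
;
; In:    [esp+4] = lpApiPacket, [esp+8] = dwValue
; Out:   nothing
; Clobb: eax, edx
; NOTE(review): len is taken from the packet and not validated; a len larger
; than the buffer makes this a write past its end, a len below 4 a write in
; front of it. The caller has to validate the length field.
lpApiPacket = dword ptr 4
dwValue = dword ptr 8
        mov     edx, [esp+lpApiPacket]
        movzx   eax, word ptr [edx+2]           ; eax = packet length
        lea     edx, [edx+eax-4]                ; edx = &packet[len-4]
        mov     eax, [esp+dwValue]
        mov     [edx], eax
        retn    8
StoreEncryptValue endp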
;------------------------------------------------------------------------
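mov_eax_0D073239h proc
; DWORD mov_eax_0D073239h(void)
;
; Returns the fixed fallback seed the key-derivation routines in this file
; (SubDecrypt_0, SubDecrypt_2, SubDecrypt_4, GetEncryptValue_2) use when the
; value handed to them is zero. The procedure name simply spells out the
; constant and is kept because every caller uses it; the constant itself now
; has a name instead of appearing as a bare magic number.
;
; In:    nothing
; Out:   eax = DEFAULT_CRYPT_SEED
; Clobb: nothing else
DEFAULT_CRYPT_SEED equ 0D073239h
        mov     eax, DEFAULT_CRYPT_SEED
        retn                                    ; retn for consistency with the rest of the file
mov_eax_0D073239h endp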
;------------------------------------------------------------------------
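GetCryptedDataOffs proc near
; BYTE* __stdcall GetCryptedDataOffs(ApiPacket *lpApiPacket)
;
; Returns a pointer to the encrypted payload inside the packet. The payload
; starts at offset 8 when the version word at [packet+4] is 1 and at offset
; 14h for every other version. The original additionally rounded the offset
; up to a multiple of 4; 8 and 14h already are, so that step never changed
; anything and is dropped.
;
; In:    [esp+4] = lpApiPacket
; Out:   eax = lpApiPacket + payload offset
; Clobb: edx, flags
lpApiPacket = dword ptr 4
        mov     edx, [esp+lpApiPacket]
        mov     eax, 8                          ; version 1 layout
        cmp     word ptr [edx+4], 1
        jz      short @@add_base
        mov     eax, 14h                        ; every other version
@@add_base:
        add     eax, edx
        retn    4
GetCryptedDataOffs endp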
;------------------------------------------------------------------------
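GetCryptedDataSize proc near
; WORD __stdcall GetCryptedDataSize(ApiPacket *lpApiPacket)
;
; Size in bytes of the encrypted payload: the length word at [packet+2] minus
; 0Ch when the version word at [packet+4] is 1, minus 18h otherwise. Together
; with GetCryptedDataOffs (8 / 14h) the payload therefore ends 4 bytes before
; the end of the packet - the slot GetDecryptValue reads.
; The original left pointer bits in the high half of eax (it loaded the word
; into ax over the packet pointer); callers only read ax, so zero-extending
; here changes nothing for them and makes the full register usable.
;
; In:    [esp+4] = lpApiPacket
; Out:   eax = payload size (16-bit result, zero-extended)
; Clobb: flags
; NOTE(review): the subtraction wraps for lengths below 0Ch / 18h and yields a
; size near 0FFFFh; the payload loops treat such a size as "large", so the
; length field must be validated before this is used.
lpApiPacket = dword ptr 4
        mov     eax, [esp+lpApiPacket]
        cmp     word ptr [eax+4], 1             ; flags survive the movzx below
        movzx   eax, word ptr [eax+2]           ; eax = packet length
        jnz     short @@other_version
        sub     ax, 0Ch
        retn    4
@@other_version:
        sub     ax, 18h
        retn    4
GetCryptedDataSize endp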
;------------------------------------------------------------------------
SubDecrypt_0 proc near
; DWORD __stdcall SubDecrypt_0(DWORD dwVal)
;
; Key-derivation step used by encrypt (versions < 3 and 5) and by the
; version 3/4 payload loops for blocks whose remaining size is not a
; multiple of 10h. With v = dwVal (or the fixed seed when dwVal == 0):
;   r  = rol32(v, 1)                      via SubDecrypt_0_0(&v, 4, 1)
;   lo = (hi16(v) ^ lo16(r)) * 2B8Dh
;   hi = (lo + 27C5h) * (hi16(r) ^ lo16(v))      (16-bit products)
;   result = (hi << 16) | lo, or 27C52B8Dh when both halves are zero
; The argument slot doubles as the in-place buffer for the rotation.
;
; In:    [esp+4] = dwVal
; Out:   eax = derived value
; Clobb: ecx, flags (esi preserved)
dwVal = dword ptr 8
        push    esi
        mov     esi, [esp+dwVal]                ; esi = v
        test    esi, esi
        jnz     short @@have_seed
        call    mov_eax_0D073239h
        mov     esi, eax
        mov     [esp+dwVal], eax
@@have_seed:
        push    1                               ; rotate count
        lea     eax, [esp+4+dwVal]              ; &v (the argument slot)
        push    4                               ; operand width
        push    eax
        call    SubDecrypt_0_0                  ; [esp+dwVal] = rol32(v, 1)
        mov     eax, [esp+dwVal]                ; eax = r
        mov     ecx, eax
        shr     ecx, 10h                        ; cx = hi16(r)
        xor     cx, si                          ; cx = hi16(r) ^ lo16(v)
        shr     esi, 10h                        ; si = hi16(v)
        xor     si, ax                          ; si = hi16(v) ^ lo16(r)
        imul    si, 2B8Dh                       ; si = lo
        lea     eax, [esi+27C5h]
        imul    ax, cx                          ; ax = hi
        test    si, si
        jnz     short @@combine
        test    ax, ax
        jnz     short @@combine
        mov     eax, 27C52B8Dh                  ; both halves zero: fixed fallback
        jmp     short @@done
@@combine:
        movzx   eax, ax
        shl     eax, 10h
        movzx   ecx, si
        or      eax, ecx                        ; eax = (hi << 16) | lo
@@done:
        pop     esi
        retn    4
SubDecrypt_0 endp
;------------------------------------------------------------------------
SubDecrypt_2 proc near
; DWORD __stdcall SubDecrypt_2(DWORD dwVal)
;
; Key-derivation step used by the version > 5 payload loops
; (@DecryptPacketData_4 / DoEncrypt_5) for blocks whose remaining size is
; not a multiple of 10h. Same construction as SubDecrypt_0 with other
; constants and the two result halves swapped. With v = dwVal (or the fixed
; seed when dwVal == 0):
;   r  = rol32(v, 1)                      via SubDecrypt_0_0(&v, 4, 1)
;   hi = (hi16(v) ^ lo16(r)) * 2E75h
;   lo = (hi + 294Ch) * (hi16(r) ^ lo16(v))      (16-bit products)
;   result = (hi << 16) | lo, or 294C2E75h when both halves are zero
;
; In:    [esp+4] = dwVal
; Out:   eax = derived value
; Clobb: ecx, flags (esi preserved)
dwVal = dword ptr 8
        push    esi
        mov     esi, [esp+dwVal]                ; esi = v
        test    esi, esi
        jnz     short @@have_seed
        call    mov_eax_0D073239h
        mov     esi, eax
        mov     [esp+dwVal], eax
@@have_seed:
        push    1                               ; rotate count
        lea     eax, [esp+4+dwVal]              ; &v (the argument slot)
        push    4                               ; operand width
        push    eax
        call    SubDecrypt_0_0                  ; [esp+dwVal] = rol32(v, 1)
        mov     eax, [esp+dwVal]                ; eax = r
        mov     ecx, eax
        shr     ecx, 10h                        ; cx = hi16(r)
        xor     cx, si                          ; cx = hi16(r) ^ lo16(v)
        shr     esi, 10h                        ; si = hi16(v)
        xor     si, ax                          ; si = hi16(v) ^ lo16(r)
        imul    si, 2E75h                       ; si = hi
        lea     eax, [esi+294Ch]
        imul    ax, cx                          ; ax = lo
        test    si, si
        jnz     short @@combine
        test    ax, ax
        jnz     short @@combine
        mov     eax, 294C2E75h                  ; both halves zero: fixed fallback
        jmp     short @@done
@@combine:
        movzx   ecx, ax
        movzx   eax, si
        shl     eax, 10h
        or      eax, ecx                        ; eax = (hi << 16) | lo
@@done:
        pop     esi
        retn    4
SubDecrypt_2 endp
;------------------------------------------------------------------------
GetEncryptValue_2_Sub1 proc near
; WORD __stdcall GetEncryptValue_2_Sub1(WORD *pState)
;
; One step of a 16-bit shift register: the state is shifted right by one and
; the new bit 15 is s0 ^ s2 ^ s3 ^ s5 of the old state s. The original wrote
; the feedback as ((s<<10 ^ s<<12 ^ s<<13) & 8000h) ^ (s<<15); here the three
; shifts are folded into one: ((s ^ s<<2 ^ s<<3) << 10) & 8000h.
;
; In:    [esp+4] = pState
; Out:   ax = bit 0 of the new state (= old bit 1); new state stored to *pState
; Clobb: eax (high half undefined), ecx, edx, flags (esi preserved)
arg_0 = dword ptr 8
        push    esi
        mov     edx, [esp+arg_0]
        mov     si, [edx]                       ; si = s
        mov     ax, si
        mov     cx, si
        shl     cx, 2
        xor     ax, cx                          ; ax = s ^ s<<2
        shl     cx, 1
        xor     ax, cx                          ; ax = s ^ s<<2 ^ s<<3
        shl     ax, 0Ah                         ; == s<<10 ^ s<<12 ^ s<<13 (mod 2^16)
        and     ax, 8000h                       ; bit 15 = s5 ^ s3 ^ s2
        mov     cx, si
        shl     cx, 0Fh                         ; bit 15 = s0
        xor     ax, cx                          ; ax = feedback bit in position 15
        shr     si, 1
        or      ax, si                          ; new state = feedback | (s >> 1)
        mov     [edx], ax
        and     ax, 1
        pop     esi
        retn    4
GetEncryptValue_2_Sub1 endp
;------------------------------------------------------------------------
GetEncryptValue_2_Sub2 proc near
; WORD __stdcall GetEncryptValue_2_Sub2(WORD *pState)
;
; One step of a second 16-bit shift register: the state is shifted right by
; one and the new bit 15 is s0 ^ s11 ^ s13 ^ s14 of the old state s. The
; original computed ((((s<<2 ^ s)<<1 ^ s) & 0C000h) ^ s<<14) << 1; that is
; the same as ((s<<1 ^ s<<2 ^ s<<4) & 8000h) ^ (s<<15), which is used here.
;
; In:    [esp+4] = pState
; Out:   ax = bit 0 of the new state (= old bit 1); new state stored to *pState
; Clobb: eax (high half undefined), ecx, edx, flags (esi preserved)
arg_0 = dword ptr 8
        push    esi
        mov     ecx, [esp+arg_0]
        mov     dx, [ecx]                       ; dx = s
        mov     ax, dx
        shl     ax, 1                           ; ax = s<<1
        mov     si, dx
        shl     si, 2
        xor     ax, si                          ; ax = s<<1 ^ s<<2
        shl     si, 2
        xor     ax, si                          ; ax = s<<1 ^ s<<2 ^ s<<4
        and     ax, 8000h                       ; bit 15 = s14 ^ s13 ^ s11
        mov     si, dx
        shl     si, 0Fh                         ; bit 15 = s0
        xor     ax, si                          ; ax = feedback bit in position 15
        shr     dx, 1
        or      ax, dx                          ; new state = feedback | (s >> 1)
        mov     [ecx], ax
        and     ax, 1
        pop     esi
        retn    4
GetEncryptValue_2_Sub2 endp
;------------------------------------------------------------------------
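GetEncryptValue_2 proc near
; DWORD __stdcall GetEncryptValue_2(DWORD dwVal)
;
; Key-derivation step for protocol versions 3 and 4 (encrypt, and the
; @DecryptPacketData_1 / DoEncrypt_2 loops for blocks whose remaining size
; is a multiple of 10h). With v = dwVal (or the fixed seed when dwVal == 0)
; two 16-bit shift registers are seeded:
;   var_6 = (hi16(v) + 1) * 2F51h     stepped by GetEncryptValue_2_Sub1
;   var_8 = (lo16(v) + 1) * 4A0Fh     stepped by GetEncryptValue_2_Sub2
; and two output words are filled, 8 rounds of 2 bits each:
;   b = Sub1(&var_6) ^ 1
;   x = b ? Sub2(&var_8) : (var_8 & 1)      (var_8 only advances when b != 0)
;   word = (word << 2) | ((b ^ x) << 1) | b
; result = (word0 << 16) | word1, replaced by 0FFFFFE1Dh when it is zero.
; SubDecrypt_4 is the same routine with other multipliers and the words swapped.
;
; Change: the label after the seed test was named @@loop although nothing
; jumps back to it (the loops are the two labels below); renamed, and the
; idioms test/xor replace or/sub for the zero tests and the di reset.
;
; In:    [esp+4] = dwVal
; Out:   eax = derived value
; Clobb: ecx, edx, flags (ebx/esi/edi/ebp preserved)
; Frame: 8 bytes of locals + 4 saved registers -> argument at esp+18h
var_8 = word ptr -8
var_6 = word ptr -6
var_4 = dword ptr -4
arg_0 = dword ptr 4
        sub     esp, 8
        push    ebx
        push    esi
        push    edi
        push    ebp
        mov     eax, [esp+18h+arg_0]
        test    eax, eax
        jnz     short @@have_seed
        call    mov_eax_0D073239h               ; eax = fixed seed
@@have_seed:
        mov     word ptr [esp+18h+var_4], 0     ; word0
        mov     word ptr [esp+18h+var_4+2], 0   ; word1
        mov     ecx, eax
        shr     ecx, 10h
        inc     cx
        imul    cx, 2F51h
        mov     [esp+18h+var_6], cx             ; register A
        inc     ax
        imul    ax, 4A0Fh
        mov     [esp+18h+var_8], ax             ; register B
        xor     di, di                          ; di = index of the word being filled
@@next_word:
        mov     eax, edi
        and     eax, 0FFFFh
        lea     ebx, [esp+eax*2+18h+var_4]      ; ebx = &word[di]
        mov     si, 8                           ; 8 rounds of 2 bits
@@next_pair:
        lea     eax, [esp+18h+var_6]
        push    eax
        call    GetEncryptValue_2_Sub1
        xor     ax, 1
        mov     bp, ax                          ; bp = b
        or      bp, bp
        jz      short @@keep_register_b
        lea     eax, [esp+18h+var_8]
        push    eax
        call    GetEncryptValue_2_Sub2          ; ax = x, register B advanced
        jmp     short @@combine
@@keep_register_b:
        mov     ax, [esp+18h+var_8]
        and     ax, 1                           ; ax = x, register B unchanged
@@combine:
        mov     cx, bp
        xor     cx, ax                          ; cx = b ^ x
        mov     ax, [ebx]
        lea     edx, [eax*4]
        mov     [ebx], dx                       ; word <<= 2
        lea     eax, [ecx*2]
        or      ax, bp
        or      ax, dx
        mov     [ebx], ax                       ; word |= (b ^ x) << 1 | b
        dec     si
        jnz     short @@next_pair
        inc     di
        cmp     di, 2
        jb      short @@next_word
        mov     eax, [esp+18h+var_4]
        and     eax, 0FFFFh                     ; eax = word0
        xor     ecx, ecx
        mov     cx, word ptr [esp+18h+var_4+2]  ; cx = word1
        shl     eax, 10h
        or      eax, ecx                        ; eax = (word0 << 16) | word1
        jnz     short @@quit
        mov     eax, 0FFFFFE1Dh                 ; zero result is replaced by a fixed constant
@@quit:
        pop     ebp
        pop     edi
        pop     esi
        pop     ebx
        add     esp, 8
        retn    4
GetEncryptValue_2 endp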
;------------------------------------------------------------------------
SubDecrypt_4 proc near
; DWORD __stdcall SubDecrypt_4(DWORD dwVal)
;
; Key-derivation step for protocol versions above 5 (encrypt, and the
; @DecryptPacketData_4 / DoEncrypt_5 loops for blocks whose remaining size
; is a multiple of 10h). Same algorithm as GetEncryptValue_2 with other
; multipliers (3105h / 3FE6h), the two result words swapped and another
; zero fallback (0E9F19FDFh). With v = dwVal (or the fixed seed when
; dwVal == 0) two 16-bit shift registers are seeded:
;   var_6 = (hi16(v) + 1) * 3105h     stepped by GetEncryptValue_2_Sub1
;   var_8 = (lo16(v) + 1) * 3FE6h     stepped by GetEncryptValue_2_Sub2
; and two output words are filled, 8 rounds of 2 bits each:
;   b = Sub1(&var_6) ^ 1
;   x = b ? Sub2(&var_8) : (var_8 & 1)      (var_8 only advances when b != 0)
;   word = (word << 2) | ((b ^ x) << 1) | b
; result = (word1 << 16) | word0, replaced by 0E9F19FDFh when it is zero.
;
; In:    [esp+4] = dwVal
; Out:   eax = derived value
; Clobb: ecx, edx, flags (ebx/esi/edi/ebp preserved)
; Frame: 8 bytes of locals + 4 saved registers -> argument at esp+18h
var_8 = word ptr -8
var_6 = word ptr -6
var_4 = dword ptr -4
dwVal = dword ptr 4
sub esp, 8
push ebx
push esi
push edi
push ebp
mov eax, [esp+18h+dwVal]
or eax, eax
jnz short @@non_zero
call mov_eax_0D073239h              ; eax = fixed seed
@@non_zero:
mov word ptr [esp+18h+var_4], 0     ; word0
mov word ptr [esp+18h+var_4+2], 0   ; word1
mov ecx, eax
shr ecx, 10h
inc cx
imul cx, 3105h
mov [esp+18h+var_6], cx             ; register A
inc ax
imul ax, 3FE6h
mov [esp+18h+var_8], ax             ; register B
sub di, di                          ; di = index of the word being filled
@@loop_0:
mov eax, edi
and eax, 0FFFFh
lea ebx, [esp+eax*2+18h+var_4]      ; ebx = &word[di]
mov si, 8                           ; 8 rounds of 2 bits
@@loop_1:
lea eax, [esp+18h+var_6]
push eax
call GetEncryptValue_2_Sub1
xor ax, 1
mov bp, ax                          ; bp = b
or bp, bp
jz short @@BP_zero
lea eax, [esp+18h+var_8]
push eax
call GetEncryptValue_2_Sub2         ; ax = x, register B advanced
jmp short @@1
@@BP_zero:
mov ax, [esp+18h+var_8]
and ax, 1                           ; ax = x, register B unchanged
@@1:
mov cx, bp
xor cx, ax                          ; cx = b ^ x
mov ax, [ebx]
lea edx, [eax*4]
mov [ebx], dx                       ; word <<= 2
lea eax, [ecx*2]
or ax, bp
or ax, dx
mov [ebx], ax                       ; word |= (b ^ x) << 1 | b
dec si
jnz short @@loop_1
inc di
cmp di, 2
jb short @@loop_0
xor eax, eax
mov ax, word ptr [esp+18h+var_4+2]  ; ax = word1
shl eax, 10h
mov ecx, [esp+18h+var_4]
and ecx, 0FFFFh                     ; ecx = word0
or eax, ecx                         ; eax = (word1 << 16) | word0
jnz short @@quit
mov eax, 0E9F19FDFh                 ; zero result is replaced by a fixed constant
@@quit:
pop ebp
pop edi
pop esi
pop ebx
add esp, 8
retn 4
SubDecrypt_4 endp
;------------------------------------------------------------------------
@DecryptPacketData_4 proc near
; void __stdcall @DecryptPacketData_4(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload decryption for protocol versions above 5; inverse of DoEncrypt_5.
; Works one dword at a time while at least 4 bytes remain (a 1-3 byte tail is
; left alone): plain = cipher ^ key, then the next key is derived from the
; cipher dword - SubDecrypt_4 when the remaining size is a multiple of 10h,
; SubDecrypt_2 otherwise. The loop test has been moved to the bottom.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing (eax holds the last derived key)
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
@@Addr = dword ptr 0Ch
@@Val = dword ptr 10h
@@Size = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+@@Addr]               ; esi = current dword
        mov     eax, [esp+@@Val]                ; eax = running key
        mov     di, [esp+@@Size]                ; di = bytes remaining
        jmp     short @@check
@@loop:
        mov     ecx, [esi]                      ; ecx = cipher dword
        xor     eax, ecx
        mov     [esi], eax                      ; plain = cipher ^ key
        add     esi, 4                          ; callees preserve esi
        push    ecx                             ; next key is derived from the cipher dword
        test    di, 0Fh
        jz      short @@multiple_of_16
        call    SubDecrypt_2
        jmp     short @@advance
@@multiple_of_16:
        call    SubDecrypt_4
@@advance:
        sub     di, 4
@@check:
        movsx   ecx, di
        cmp     ecx, 4
        jnb     short @@loop
        pop     edi
        pop     esi
        retn    0Ch
@DecryptPacketData_4 endp
;------------------------------------------------------------------------
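DoEncrypt_5 proc near
; void __stdcall DoEncrypt_5(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload encryption for protocol versions above 5; inverse of
; @DecryptPacketData_4. Works one dword at a time while at least 4 bytes
; remain (a 1-3 byte tail is left alone): cipher = plain ^ key, then the next
; key is derived from the cipher dword - SubDecrypt_4 when the remaining size
; is a multiple of 10h, SubDecrypt_2 otherwise.
;
; Change: the original equates had the first and third names swapped
; (@@Size was the data pointer, @@Addr the size); they now match their use
; and the naming of the @DecryptPacketData_* routines.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing (eax holds the last derived key)
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jb/jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
@@Addr = dword ptr 0Ch
@@Value = dword ptr 10h
@@Size = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+@@Addr]               ; esi = current dword
        mov     eax, [esp+@@Value]              ; eax = running key
        mov     di, [esp+@@Size]                ; di = bytes remaining
        movsx   ecx, di
        cmp     ecx, 4
        jb      short @@quit
@@loop:
        mov     ecx, [esi]
        xor     ecx, eax
        mov     [esi], ecx                      ; cipher = plain ^ key
        test    di, 0Fh
        push    ecx                             ; next key is derived from the cipher dword
        jz      short @@multiple_of_16
        call    SubDecrypt_2
        jmp     short @@advance

@@multiple_of_16:
        call    SubDecrypt_4
@@advance:
        add     esi, 4
        sub     di, 4
        movsx   ecx, di
        cmp     ecx, 4
        jnb     short @@loop
@@quit:
        pop     edi
        pop     esi
        retn    0Ch
DoEncrypt_5 endp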
;------------------------------------------------------------------------
@DecryptPacketData_1 proc near
; void __stdcall @DecryptPacketData_1(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload decryption for protocol versions 3 and 4; inverse of DoEncrypt_2.
; Works one dword at a time while at least 4 bytes remain (a 1-3 byte tail is
; left alone): plain = cipher ^ key, then the next key is derived from the
; cipher dword - GetEncryptValue_2 when the remaining size is a multiple of
; 10h, SubDecrypt_0 otherwise. The loop test has been moved to the bottom.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing (eax holds the last derived key)
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
arg_0 = dword ptr 0Ch
arg_4 = dword ptr 10h
arg_8 = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+arg_0]                ; esi = current dword
        mov     eax, [esp+arg_4]                ; eax = running key
        mov     di, [esp+arg_8]                 ; di = bytes remaining
        jmp     short @@check
@@decrypt_loop:
        mov     ecx, [esi]                      ; ecx = cipher dword
        xor     eax, ecx
        mov     [esi], eax                      ; plain = cipher ^ key
        add     esi, 4                          ; callees preserve esi
        push    ecx                             ; next key is derived from the cipher dword
        test    di, 0Fh
        jz      short @@multiple_of_16
        call    SubDecrypt_0
        jmp     short @@advance
@@multiple_of_16:
        call    GetEncryptValue_2
@@advance:
        sub     di, 4
@@check:
        movsx   ecx, di
        cmp     ecx, 4
        jnb     short @@decrypt_loop
        pop     edi
        pop     esi
        retn    0Ch
@DecryptPacketData_1 endp
;------------------------------------------------------------------------
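DoEncrypt_2 proc near
; void __stdcall DoEncrypt_2(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload encryption for protocol versions 3 and 4; inverse of
; @DecryptPacketData_1. Works one dword at a time while at least 4 bytes
; remain (a 1-3 byte tail is left alone): cipher = plain ^ key, then the next
; key is derived from the cipher dword - GetEncryptValue_2 when the remaining
; size is a multiple of 10h, SubDecrypt_0 otherwise.
;
; Change: the original equates had the first and third names swapped
; (@@Size was the data pointer, @@Addr the size); they now match their use.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing (eax holds the last derived key)
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jb/jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
@@Addr = dword ptr 0Ch
@@Value = dword ptr 10h
@@Size = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+@@Addr]               ; esi = current dword
        mov     eax, [esp+@@Value]              ; eax = running key
        mov     di, [esp+@@Size]                ; di = bytes remaining
        movsx   ecx, di
        cmp     ecx, 4
        jb      short @@quit
@@loop:
        mov     ecx, [esi]
        xor     ecx, eax
        mov     [esi], ecx                      ; cipher = plain ^ key
        test    di, 0Fh
        push    ecx                             ; next key is derived from the cipher dword
        jz      short @@multiple_of_16
        call    SubDecrypt_0
        jmp     short @@advance
@@multiple_of_16:
        call    GetEncryptValue_2
@@advance:
        add     esi, 4
        sub     di, 4
        movsx   ecx, di
        cmp     ecx, 4
        jnb     short @@loop
@@quit:
        pop     edi
        pop     esi
        retn    0Ch
DoEncrypt_2 endp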
;------------------------------------------------------------------------
@DecryptPacketData_0 proc near
; void __stdcall @DecryptPacketData_0(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload decryption for protocol versions below 3; inverse of DoEncrypt_3.
; Works one dword at a time while at least 4 bytes remain (a 1-3 byte tail is
; left alone):
;   plain = (cipher - (remaining << 9)) ^ key
;   key   = rol32(key, 1)            via SubDecrypt_0_0(&key, 4, 1)
; where "remaining" is the sign-extended byte count before this dword. The
; key lives in its own argument slot, which the rotation updates in place.
; The loop test has been moved to the bottom.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
@@Addr = dword ptr 0Ch
@@Val = dword ptr 10h
@@Size = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+@@Addr]               ; esi = current dword
        mov     di, [esp+@@Size]                ; di = bytes remaining
        jmp     short @@check
@@loop:
        movsx   ecx, di
        shl     ecx, 9                          ; ecx = remaining * 200h (sign-extended)
        mov     eax, [esi]
        sub     eax, ecx
        xor     eax, [esp+@@Val]
        mov     [esi], eax                      ; plain = (cipher - ecx) ^ key
        add     esi, 4                          ; SubDecrypt_0_0 preserves esi
        push    1                               ; rotate count
        lea     eax, [esp+4+@@Val]              ; &key (the argument slot itself)
        push    4                               ; operand width
        push    eax
        call    SubDecrypt_0_0                  ; key = rol32(key, 1)
        sub     di, 4
@@check:
        movsx   eax, di
        cmp     eax, 4
        jnb     short @@loop
        pop     edi
        pop     esi
        retn    0Ch
@DecryptPacketData_0 endp
;------------------------------------------------------------------------
@DecryptPacketData_3 proc near
; void __stdcall @DecryptPacketData_3(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload decryption for protocol version 5; inverse of DoEncrypt_4. Same as
; @DecryptPacketData_0 except that the key is rotated right instead of left:
;   plain = (cipher - (remaining << 9)) ^ key
;   key   = ror32(key, 1)            via SubDecrypt_3(&key, 4, 1)
; where "remaining" is the sign-extended byte count before this dword. The
; key lives in its own argument slot, which the rotation updates in place.
; The loop test has been moved to the bottom.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
@@Addr = dword ptr 0Ch
@@Val = dword ptr 10h
@@Size = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+@@Addr]               ; esi = current dword
        mov     di, [esp+@@Size]                ; di = bytes remaining
        jmp     short @@check
@@loop:
        movsx   ecx, di
        shl     ecx, 9                          ; ecx = remaining * 200h (sign-extended)
        mov     eax, [esi]
        sub     eax, ecx
        xor     eax, [esp+@@Val]
        mov     [esi], eax                      ; plain = (cipher - ecx) ^ key
        add     esi, 4                          ; SubDecrypt_3 preserves esi
        push    1                               ; rotate count
        lea     eax, [esp+4+@@Val]              ; &key (the argument slot itself)
        push    4                               ; operand width
        push    eax
        call    SubDecrypt_3                    ; key = ror32(key, 1)
        sub     di, 4
@@check:
        movsx   eax, di
        cmp     eax, 4
        jnb     short @@loop
        pop     edi
        pop     esi
        retn    0Ch
@DecryptPacketData_3 endp

;------------------------------------------------------------------------

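DoEncrypt_3 proc near
; void __stdcall DoEncrypt_3(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload encryption for protocol versions below 3; inverse of
; @DecryptPacketData_0. Works one dword at a time while at least 4 bytes
; remain (a 1-3 byte tail is left alone):
;   cipher = (plain ^ key) + (remaining << 9)
;   key    = rol32(key, 1)           via SubDecrypt_0_0(&key, 4, 1)
; where "remaining" is the sign-extended byte count before this dword. The
; key lives in its own argument slot, which the rotation updates in place.
;
; Change: the original equates had the first and third names swapped
; (@@Size was the data pointer, @@Addr the size); they now match their use.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jb/jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
@@Addr = dword ptr 0Ch
@@Value = dword ptr 10h
@@Size = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+@@Addr]               ; esi = current dword
        mov     di, [esp+@@Size]                ; di = bytes remaining
        movsx   eax, di
        cmp     eax, 4
        jb      short @@quit
@@loop:
        mov     eax, [esi]
        xor     eax, [esp+@@Value]
        movsx   ecx, di
        shl     ecx, 9                          ; ecx = remaining * 200h (sign-extended)
        add     eax, ecx
        mov     [esi], eax                      ; cipher = (plain ^ key) + ecx
        push    1                               ; rotate count
        lea     eax, [esp+4+@@Value]            ; &key (the argument slot itself)
        push    4                               ; operand width
        add     esi, 4
        push    eax
        call    SubDecrypt_0_0                  ; key = rol32(key, 1)
        sub     di, 4
        movsx   eax, di
        cmp     eax, 4
        jnb     short @@loop
@@quit:
        pop     edi
        pop     esi
        retn    0Ch
DoEncrypt_3 endp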

;------------------------------------------------------------------------
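DoEncrypt_4 proc near
; void __stdcall DoEncrypt_4(DWORD *pData, DWORD dwKey, WORD wSize)
;
; Payload encryption for protocol version 5; inverse of @DecryptPacketData_3.
; Same as DoEncrypt_3 except that the key is rotated right instead of left:
;   cipher = (plain ^ key) + (remaining << 9)
;   key    = ror32(key, 1)           via SubDecrypt_3(&key, 4, 1)
; where "remaining" is the sign-extended byte count before this dword. The
; key lives in its own argument slot, which the rotation updates in place.
;
; Change: the original equates had the first and third names swapped
; (@@Size was the data pointer, @@Addr the size); they now match their use.
;
; In:    [esp+0Ch] = pData, [esp+10h] = initial key, [esp+14h] = size in bytes
; Out:   nothing
; Clobb: eax, ecx, edx, flags (esi/edi preserved)
; NOTE(review): the size is a sign-extended word compared unsigned (movsx +
; jb/jnb), so a size of 8000h or more is not rejected and the loop walks the
; whole 16-bit count; the caller has to bound the size against the buffer.
@@Addr = dword ptr 0Ch
@@Value = dword ptr 10h
@@Size = word ptr 14h
        push    esi
        push    edi
        mov     esi, [esp+@@Addr]               ; esi = current dword
        mov     di, [esp+@@Size]                ; di = bytes remaining
        movsx   eax, di
        cmp     eax, 4
        jb      short @@quit
@@loop:
        mov     eax, [esi]
        xor     eax, [esp+@@Value]
        movsx   ecx, di
        shl     ecx, 9                          ; ecx = remaining * 200h (sign-extended)
        add     eax, ecx
        mov     [esi], eax                      ; cipher = (plain ^ key) + ecx
        push    1                               ; rotate count
        lea     eax, [esp+4+@@Value]            ; &key (the argument slot itself)
        push    4                               ; operand width
        add     esi, 4
        push    eax
        call    SubDecrypt_3                    ; key = ror32(key, 1)
        sub     di, 4
        movsx   eax, di
        cmp     eax, 4
        jnb     short @@loop
@@quit:
        pop     edi
        pop     esi
        retn    0Ch
DoEncrypt_4 endp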
;------------------------------------------------------------------------
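SubDecrypt_3 proc near
; void __stdcall SubDecrypt_3(void *pData, WORD wWidth, WORD wCount)
;
; Rotates the 1-, 2- or 4-byte value at pData right by one bit, wCount times
; (i.e. ror by wCount). A wCount of 0 leaves the value alone; any width other
; than 1, 2 or 4 leaves it alone as well. Every caller in this file passes
; width 4 and count 1, which is a plain ror32 by one.
;
; Change: two of the three original equate names did not match the stack
; slots they address (@@Const_0x01 was the data pointer, @@CryptVal the
; rotate count); they are renamed to the roles of the arguments.
;
; In:    [esp+8] = pData, [esp+0Ch] = wWidth (1/2/4), [esp+10h] = wCount
; Out:   nothing; *pData updated
; Clobb: eax, ecx, edx, flags (esi preserved)
@@pData = dword ptr 8
@@wWidth = word ptr 0Ch
@@wCount = word ptr 10h

        push    esi
        mov     ax, [esp+@@wWidth]
        cmp     ax, 1
        jnz     short @@is2
        mov     edx, [esp+@@pData]
        mov     si, [esp+@@wCount]              ; si = remaining rotations
        mov     al, [edx]
        or      si, si
        jz      short @@store0

@@loop0:
        mov     cl, al
        shr     cl, 1
        shl     al, 7
        or      cl, al                          ; cl = ror8(al, 1)
        mov     al, cl
        dec     si
        jnz     short @@loop0
@@store0:
        mov     [edx], al
        pop     esi
        retn    0Ch
@@is2:
        cmp     ax, 2
        jnz     short @@is4
        mov     edx, [esp+@@pData]
        mov     si, [esp+@@wCount]
        mov     ax, [edx]
        or      si, si
        jz      short @@store1
@@loop1:
        mov     cx, ax
        shl     cx, 0Fh
        shr     ax, 1
        or      cx, ax                          ; cx = ror16(ax, 1)
        mov     ax, cx
        dec     si
        jnz     short @@loop1
@@store1:
        mov     [edx], ax
        pop     esi
        retn    0Ch
@@is4:
        cmp     ax, 4
        jnz     short @@quit                    ; unsupported width: leave the value untouched
        mov     edx, [esp+@@pData]
        mov     si, [esp+@@wCount]
        mov     eax, [edx]
        or      si, si
        jz      short @@store2
@@loop2:
        mov     ecx, eax
        shr     ecx, 1
        shl     eax, 1Fh
        or      ecx, eax                        ; ecx = ror32(eax, 1)
        mov     eax, ecx
        dec     si
        jnz     short @@loop2

@@store2:
        mov     [edx], eax
@@quit:
        pop     esi
        retn    0Ch
SubDecrypt_3 endp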
;------------------------------------------------------------------------
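SubDecrypt_0_0 proc near
; void __stdcall SubDecrypt_0_0(void *pData, WORD wWidth, WORD wCount)
;
; Rotates the 1-, 2- or 4-byte value at pData left by one bit, wCount times
; (i.e. rol by wCount); the mirror image of SubDecrypt_3. A wCount of 0 leaves
; the value alone; any width other than 1, 2 or 4 leaves it alone as well.
; Every caller in this file passes width 4 and count 1 (a plain rol32 by one).
;
; Change: two of the three original equate names did not match the stack
; slots they address (@@Const_0x01 was the data pointer, @@wCryptVal the
; rotate count); they are renamed to the roles of the arguments, and the
; width slot is declared as the word the code actually reads.
;
; In:    [esp+8] = pData, [esp+0Ch] = wWidth (1/2/4), [esp+10h] = wCount
; Out:   nothing; *pData updated
; Clobb: eax, ecx, edx, flags (esi preserved)
@@pData = dword ptr 8
@@wWidth = word ptr 0Ch
@@wCount = word ptr 10h

        push    esi
        mov     ax, [esp+@@wWidth]
        cmp     ax, 1
        jnz     short @@is2
        mov     edx, [esp+@@pData]
        mov     si, [esp+@@wCount]              ; si = remaining rotations
        mov     al, [edx]
        or      si, si
        jz      short @@store0

@@loop0:
        mov     cl, al
        shr     cl, 7
        add     al, al
        or      cl, al                          ; cl = rol8(al, 1)
        mov     al, cl
        dec     si
        jnz     short @@loop0
@@store0:
        mov     [edx], al
        pop     esi
        retn    0Ch
@@is2:
        cmp     ax, 2
        jnz     short @@is4
        mov     edx, [esp+@@pData]
        mov     si, [esp+@@wCount]
        mov     ax, [edx]
        or      si, si
        jz      short @@store1
@@loop1:
        mov     cx, ax
        shr     cx, 0Fh
        add     ax, ax
        or      cx, ax                          ; cx = rol16(ax, 1)
        mov     ax, cx
        dec     si
        jnz     short @@loop1
@@store1:
        mov     [edx], ax
        pop     esi
        retn    0Ch
@@is4:
        cmp     ax, 4
        jnz     short @@quit                    ; unsupported width: leave the value untouched
        mov     edx, [esp+@@pData]
        mov     si, [esp+@@wCount]
        mov     eax, [edx]
        or      si, si
        jz      short @@store2
@@loop2:
        mov     ecx, eax
        shr     ecx, 1Fh
        add     eax, eax
        or      ecx, eax                        ; ecx = rol32(eax, 1)
        mov     eax, ecx
        dec     si
        jnz     short @@loop2
@@store2:
        mov     [edx], eax

@@quit:
        pop     esi
        retn    0Ch
SubDecrypt_0_0 endp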


这个是查询算法的还原代码?
2007-3-18 23:51
应该是壳的
2007-3-20 08:25