逆向这个汇编函数
wardenseg1:0C3D1150 wardencrypt proc near ; CODE XREF: sub_C3D37D0+13p
wardenseg1:0C3D1150 ; wardenEntry3+33p
wardenseg1:0C3D1150 ; wardenalg1+A0p
wardenseg1:0C3D1150 ; wardenalg1+F6p
wardenseg1:0C3D1150 ; wardenalg3+843p
wardenseg1:0C3D1150
wardenseg1:0C3D1150 arg_0 = dword ptr 8
wardenseg1:0C3D1150 arg_4 = dword ptr 0Ch
wardenseg1:0C3D1150
wardenseg1:0C3D1150 55 push ebp
wardenseg1:0C3D1151 8B EC mov ebp, esp
wardenseg1:0C3D1153 8B 45 0C mov eax, [ebp+arg_4]
wardenseg1:0C3D1156 56 push esi
wardenseg1:0C3D1157 33 F6 xor esi, esi
wardenseg1:0C3D1159 85 C0 test eax, eax
wardenseg1:0C3D115B 76 67 jbe short loc_C3D11C4 //小于等于零退出
wardenseg1:0C3D115D 53 push ebx
wardenseg1:0C3D115E 57 push edi
wardenseg1:0C3D115F 90 nop
wardenseg1:0C3D1160
wardenseg1:0C3D1160 loc_C3D1160: ; CODE XREF: wardencrypt+70j
wardenseg1:0C3D1160 8A 81 00 01 00+ mov al, [ecx+100h]
wardenseg1:0C3D1166 8A 99 01 01 00+ mov bl, [ecx+101h]
wardenseg1:0C3D116C FE C0 inc al //累加1
wardenseg1:0C3D116E 88 81 00 01 00+ mov [ecx+100h], al //累加后回写[ecx+100h]
wardenseg1:0C3D1174 0F B6 C0 movzx eax, al
wardenseg1:0C3D1177 8A 14 08 mov dl, [eax+ecx]
wardenseg1:0C3D117A 8D 3C 08 lea edi, [eax+ecx]
wardenseg1:0C3D117D 02 DA add bl, dl
wardenseg1:0C3D117F 88 99 01 01 00+ mov [ecx+101h], bl //[ECX+101h]=[ECX+101h]+[ECX+100h]
wardenseg1:0C3D1185 8A 17 mov dl, [edi]
wardenseg1:0C3D1187 0F B6 C3 movzx eax, bl
wardenseg1:0C3D118A 8A 1C 08 mov bl, [eax+ecx]
wardenseg1:0C3D118D 03 C1 add eax, ecx
wardenseg1:0C3D118F 88 1F mov [edi], bl// 交换
wardenseg1:0C3D1191 88 10 mov [eax], dl// 交换
wardenseg1:0C3D1193 0F B6 81 01 01+ movzx eax, byte ptr [ecx+101h]
wardenseg1:0C3D119A 0F B6 91 00 01+ movzx edx, byte ptr [ecx+100h]
wardenseg1:0C3D11A1 8A 1C 0A mov bl, [edx+ecx]
wardenseg1:0C3D11A4 8A 04 08 mov al, [eax+ecx]
wardenseg1:0C3D11A7 02 C3 add al, bl
wardenseg1:0C3D11A9 0F B6 D0 movzx edx, al
wardenseg1:0C3D11AC 8B 45 08 mov eax, [ebp+arg_0]
wardenseg1:0C3D11AF 8A 1C 06 mov bl, [esi+eax]
wardenseg1:0C3D11B2 8A 14 0A mov dl, [edx+ecx]
wardenseg1:0C3D11B5 32 DA xor bl, dl //异或
wardenseg1:0C3D11B7 88 1C 06 mov [esi+eax], bl
wardenseg1:0C3D11BA 8B 45 0C mov eax, [ebp+arg_4]
wardenseg1:0C3D11BD 46 inc esi //循环控制变量
wardenseg1:0C3D11BE 3B F0 cmp esi, eax
wardenseg1:0C3D11C0 72 9E jb short loc_C3D1160 //小于则进行下次循环
wardenseg1:0C3D11C2 5F pop edi
wardenseg1:0C3D11C3 5B pop ebx
wardenseg1:0C3D11C4
wardenseg1:0C3D11C4 loc_C3D11C4: ; CODE XREF: wardencrypt+Bj//退出
wardenseg1:0C3D11C4 5E pop esi
wardenseg1:0C3D11C5 5D pop ebp
wardenseg1:0C3D11C6 C2 08 00 retn 8
wardenseg1:0C3D11C6 wardencrypt endp
//逆向的C代码如下
int WardEncrypt(char* pOutEnStr,int iCount,register char* ecx)
{
int i=0;char *ECX100h=ecx+0x100,*ECX101h=ecx+0x101, xchag_var;
if (iCount<=0) {return iCount;} //小于或等于零退出
Next_Loop: *ECX101h=*ECX101h+ecx[++*ECX100h];
xchag_var=ecx[*ECX100h]; //交
ecx[*ECX100h]=ecx[*ECX101h]; //换
ecx[*ECX101h]=xchag_var; //值
pOutEnStr[i]=(pOutEnStr[i]) ^ ecx[ ecx[*ECX100h] + ecx[*ECX101h] ];
if ((i=i+1)<iCount) {goto Next_Loop;}
return iCount;
} // END WardEncrypt
/*
从这段经IDA反汇编的代码分析,这是个用于加密的函数。其汇编代码工整,不像是高级语言编译后的代码。
函数有三个参数,两个参过栈传递,一个通过ecx寄存器传递。
算法分析:
检查[参数2]值如果为零或小于零,则返回,返回值为第二个参数值。
然后重复[参数2]值次循环(从0到小于[参数2]做循环),每次循环做以下计算,
[ecx+100h]值累加1,用累加后的值加上ecx的值所指的地址的值与[ecx+101h]的值相加,相加结
果存于[ecx+101]。然后交换ecx+[ecx+100h]地址与ecx+[ecx+101h]地址 所指的值,并相加这两
个值,相加后的和与[参数1+第N次循环]的值进行异或(xor)操作,结果存于[参数1+第N次循环]。
循还退出后,返回值为[参数2]的值。
编写工具: VC6
操作系统: XP sp2
[**VC6编译通过**]
*/
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
