//#include "stdafx.h"
#include "Crypt.h"

#include <cstring>
#include <vector>

#include "StaticDecode.h"
#include "md5_c.h"
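// Construct an idle cipher object: both RC4-style S-boxes and their counters
// are zeroed (the identity permutation is only set up later by InitEnTable /
// InitDeTable), all key material is cleared, and the state block for the
// native decoder is allocated and zeroed.
// Fix: m_bSeed was cleared with sizeof(m_bMD5Key) — the wrong array's size —
// which either under-cleared or overran it depending on the two declarations.
CCrypt::CCrypt()
{
    dwEnPackByteCount = 0;
    dwEnTempCount = 0;
    dwDePackByteCount = 0;
    dwDeTempCount = 0;
    memset(ProcEnTable, 0, sizeof(ProcEnTable));
    memset(ProcDeTable, 0, sizeof(ProcDeTable));
    memset(m_bMD5Key, 0, sizeof(m_bMD5Key));
    memset(m_bSeed, 0, sizeof(m_bSeed));
    // m_szKey / m_szRandSeed are 0x20-byte text buffers (MakeRandSeedKey
    // fills 0x10 characters plus a NUL into m_szRandSeed; m_szKey is not
    // written anywhere in this file — presumably set by the caller; confirm).
    memset(m_szKey, 0, 0x20);
    memset(m_szRandSeed, 0, 0x20);

    // The native decoder is a byte blob in StaticDecode.h; it is invoked as a
    // function through this pointer (see StaticDecode()).
    SDF = (pStaticDecodeFunc)(PVOID)g_bStaticDecode;

    // Per-object state the blob reads/writes through ECX. Owned by this object;
    // released in the destructor. BufStart is seeded with the block's own
    // address, i.e. the start of its DecodeBuf (first field).
    m_pStaticDecodeInfo = new st_Decode;
    memset(m_pStaticDecodeInfo, 0, sizeof(st_Decode));
    m_pStaticDecodeInfo->BufStart = PtrToUint(m_pStaticDecodeInfo);
}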
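// Release the native-decoder state block allocated in the constructor (the
// old destructor leaked it). CCrypt has no visible copy control: if instances
// are ever copied, the copy would delete the same block again — make the copy
// constructor / assignment operator private in Crypt.h rather than relaxing this.
CCrypt::~CCrypt()
{
    delete m_pStaticDecodeInfo;
    m_pStaticDecodeInfo = NULL;
}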
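// Encrypt one outbound packet.
//   pInData/nInlen   plaintext; at most 0x2000 bytes
//   pOutData         receives the ciphertext; the stream layer works in place so
//                    it is exactly nInlen bytes long — the caller must provide
//                    at least that much (nothing here can check it)
//   nOutlen          set to the number of bytes written (0 on failure)
// Returns true when at least one byte was produced.
// Fixes: the input length was never checked against the 0x2000-byte working
// buffer (heap overflow on longer input); the DataIn object was leaked; the
// char[] buffer was released with scalar delete; the plaintext copy is now
// wiped before the buffer is freed.
bool CCrypt::Encrypt(char* pInData, int nInlen, char* pOutData, int& nOutlen)
{
    const int kWorkLen = 0x2000;

    nOutlen = 0;
    if (pInData == NULL || pOutData == NULL || nInlen <= 0 || nInlen > kWorkLen)
        return false;

    std::vector<char> work(kWorkLen, 0);
    memcpy(&work[0], pInData, nInlen);

    DataIn di = DataIn();
    di.dwBufStart = &work[0];
    di.dwBufEnd   = &work[0] + nInlen;
    di.dwMaxLen   = kWorkLen;

    ProcEnMessage(&di);    // stream layer, in place; advances the outbound state

    const int produced = (int)((const char*)di.dwBufEnd - (const char*)di.dwBufStart);
    const bool ok = produced > 0 && produced <= kWorkLen;
    if (ok)
    {
        memcpy(pOutData, di.dwBufStart, produced);
        nOutlen = produced;
    }

    // Scrub the plaintext copy; the volatile store keeps the compiler from
    // dropping a memset right before the buffer is freed.
    volatile char* scrub = &work[0];
    for (int k = 0; k < kWorkLen; ++k)
        scrub[k] = 0;

    return ok;
}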
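// szXorResult[k] = szForXor[k] ^ chSeed for k in [0, xorlen). The two buffers
// may be the same object.
// Fix: the old guard was IsBadWritePtr(szForXor, ...) — it tested the *input*
// for writability and never looked at the output buffer. With a read-only
// source (e.g. a string-literal user name) the function returned silently and
// the caller in GetDecodeMD5Key went on with un-XORed pad blocks, i.e. a
// silently different key. IsBadWritePtr is also documented by Microsoft as
// unreliable; a plain NULL/length check is what this function can honestly do.
void CCrypt::XorWithByte(char * szXorResult, char * szForXor, char chSeed, int xorlen)
{
    if (szXorResult == NULL || szForXor == NULL || xorlen <= 0)
        return;
    for (int k = 0; k < xorlen; ++k)
        szXorResult[k] = static_cast<char>(szForXor[k] ^ chSeed);
}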
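// Decrypt one inbound packet: stream layer first (ProcDeMessage), then the
// native bit-unpacker (StaticDecode), whose output may be longer than its input.
//   pInData/nInlen   ciphertext; at most 0x2000*8 bytes. Not modified.
//   pOutData         receives the plaintext; up to 0x2000*8 bytes may be written,
//                    which the caller must have room for (cannot be checked here)
//   nOutlen          bytes written (0 on failure)
// Returns true when at least one byte was produced.
// Fixes: the old code allocated the 0x10000-byte working buffer, then pointed
// the DataIn at the caller's pInData anyway — so the cipher ran in place on the
// caller's memory and the native decoder was told that memory was 0x10000 bytes
// long (overflow of the caller's buffer as soon as the unpacked data grew).
// It also leaked the DataIn and freed the char[] with scalar delete.
bool CCrypt::Decrypt(char* pInData, int nInlen, char* pOutData, int& nOutlen)
{
    const int kWorkLen = 0x2000 * 8;

    nOutlen = 0;
    if (pInData == NULL || pOutData == NULL || nInlen <= 0 || nInlen > kWorkLen)
        return false;

    std::vector<char> work(kWorkLen, 0);
    memcpy(&work[0], pInData, nInlen);

    DataIn di = DataIn();
    di.dwBufStart = &work[0];
    di.dwBufEnd   = &work[0] + nInlen;
    di.dwMaxLen   = kWorkLen;

    ProcDeMessage(&di);    // stage 1: stream layer, in place
    StaticDecode(&di);     // stage 2: native unpacker, may move dwBufEnd

    const char* outStart = (const char*)di.dwBufStart;
    const char* outEnd   = (const char*)di.dwBufEnd;
    const int produced = (int)(outEnd - outStart);
    // NOTE(review): the native decoder has a realloc() growth path (AllocFunc /
    // CopyFunc in StaticDecode.h). If it ever relocated dwBufStart, outStart
    // would no longer point into `work` and nothing here could free it — so
    // inputs must stay small enough that dwMaxLen is never exceeded, as the
    // original author's note on StaticDecode() already demands.
    const bool ok = produced > 0 && produced <= kWorkLen;
    if (ok)
    {
        memcpy(pOutData, outStart, produced);
        nOutlen = produced;
    }

    // Scrub the plaintext before the buffer goes back to the heap (kept from
    // the original, but as a volatile store so it cannot be optimised away).
    volatile char* scrub = &work[0];
    for (int k = 0; k < kWorkLen; ++k)
        scrub[k] = 0;

    return ok;
}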
// Reset the inbound S-box to the identity permutation (S[k] = k for
// k = 0..0xFF) and zero both inbound counters — the starting point for the
// inbound key schedule.
void CCrypt::InitDeTable()
{
    dwDePackByteCount = 0;
    dwDeTempCount = 0;
    for (int k = 0; k < 0x100; ++k)
        ProcDeTable[k] = static_cast<unsigned char>(k);
}
// Reset the outbound S-box to the identity permutation (S[k] = k for
// k = 0..0xFF). Unlike InitDeTable this deliberately leaves the outbound
// counters alone (the original had those resets commented out).
void CCrypt::InitEnTable()
{
    for (int k = 0; k < 0x100; ++k)
        ProcEnTable[k] = static_cast<unsigned char>(k);
}
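/********************************************************
Purpose:  Derive the negotiated 16-byte key into m_bMD5Key and remember the
          16-byte seed in m_bSeed.
          The derivation is HMAC-MD5 with the user name as HMAC key and
          (szLoginMD5Key || szDecodeSeed) as the 32-byte message, evaluated
          directly on MD5 compression blocks: block 1 of each hash is the
          user name XOR 0x36 (inner) / 0x5c (outer) padded to 64 bytes, and
          block 2 is pre-padded by hand (0x80, zeros, 64-bit little-endian
          bit length: 0x300 = 96*8 for the inner hash, 0x280 = 80*8 for the
          outer one). This equals standard HMAC-MD5 provided MD5Transform in
          md5_c.h is the plain compression function (not visible here).
Params:   szUser         - login user name, NUL-terminated
          szDecodeSeed   - the 16-byte key carried in the 0x02-prefixed packet
          szLoginMD5Key  - the 16-byte MD5 key produced after the 0x01 packet
Fixes:    - the user name was memcpy'd with its full strlen() into 64-byte
            stack arrays: names longer than 64 bytes overran the stack.
            Only the first 64 bytes are used now (true HMAC would hash a
            longer key first; what the peer does for such names is unknown
            — confirm before relying on >64-byte user names).
          - the pad XOR went through XorWithByte, whose IsBadWritePtr guard
            silently skipped the XOR for a read-only user-name buffer.
          - m_bSeed was filled with 0x16 (22) bytes of a 16-byte seed.
Note:     private helper of the class.
*********************************************************/
void CCrypt::GetDecodeMD5Key(PBYTE szUser, PBYTE szDecodeSeed, PBYTE szLoginMD5Key)
{
    static const unsigned long kMd5Iv[4] =
        { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };
    const size_t kBlock = 64;

    memcpy(m_bSeed, szDecodeSeed, 16);

    // HMAC pad blocks: (K ^ 0x36) and (K ^ 0x5c), K = user name zero-extended.
    unsigned char ipad[64];
    unsigned char opad[64];
    memset(ipad, 0x36, kBlock);
    memset(opad, 0x5c, kBlock);
    size_t userLen = strlen((const char*)szUser);
    if (userLen > kBlock)
        userLen = kBlock;
    for (size_t k = 0; k < userLen; ++k)
    {
        ipad[k] ^= szUser[k];
        opad[k] ^= szUser[k];
    }

    // Inner hash, block 2: key(16) || seed(16) || 0x80 || zeros || bitlen.
    unsigned char inner[64];
    memset(inner, 0, kBlock);
    memcpy(inner, szLoginMD5Key, 16);
    memcpy(inner + 16, szDecodeSeed, 16);
    inner[32] = 0x80;
    inner[57] = 0x03;                       // 0x0300 bits = 96 bytes, little-endian

    MD5_CTX md5;
    unsigned long state[4];
    memcpy(state, kMd5Iv, sizeof(state));
    md5.MD5Transform(state, ipad);
    md5.MD5Transform(state, inner);

    // Outer hash, block 2: innerDigest(16) || 0x80 || zeros || bitlen.
    // The digest is the raw state words (32-bit, little-endian on x86), as in
    // the original.
    unsigned char outer[64];
    memset(outer, 0, kBlock);
    memcpy(outer, state, 16);
    outer[16] = 0x80;
    outer[56] = 0x80;                       // 0x0280 bits = 80 bytes, little-endian
    outer[57] = 0x02;

    memcpy(state, kMd5Iv, sizeof(state));
    md5.MD5Transform(state, opad);
    md5.MD5Transform(state, outer);
    md5.Encode(m_bMD5Key, state, 16);
}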
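// Fill szKey with `length` alphanumeric characters plus a terminating NUL
// (the caller's buffer must hold length + 1 bytes). The first character is
// always a letter, as in the original.
//
// SECURITY: this seed keys the inbound S-box (Init -> RefreshDeProcTable),
// yet it comes from rand() seeded with GetTickCount()+length. Anyone who can
// bound the victim's uptime to a few seconds can enumerate the candidate seeds
// and regenerate m_szRandSeed. Replace rand()/srand() with a CSPRNG
// (CryptGenRandom / BCryptGenRandom, or rand_s) before using this for real
// traffic; only the character-class bug is fixed here.
// Fix: the old range tests were exclusive ('A' < c < 'Z' etc.), so the
// letters A, Z, a, z and the digits 0 and 9 could never appear.
VOID CCrypt:: MakeRandSeedKey(IN char * szKey, IN int length)
{
    if (szKey == NULL || length <= 0)
        return;

    srand(GetTickCount() + length);     // TODO(security): not a CSPRNG, see above
    memset(szKey, 0, length + 1);

    int filled = 0;
    while (filled < length)
    {
        const int c = rand() % ('z' + 1);
        const bool isLetter = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
        const bool isDigit  = (c >= '0' && c <= '9');
        if (!isLetter && !isDigit)
            continue;
        if (filled == 0 && isDigit)     // keep the original rule: no leading digit
            continue;
        szKey[filled++] = static_cast<char>(c);
    }
}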
// Key both directions of the stream layer for a session:
//   outbound table from the caller-supplied key, inbound table from a freshly
//   generated 16-character random seed (left in m_szRandSeed for the caller
//   to transmit). m_szKey is passed as the "login MD5 key" in both cases; it
//   is not written anywhere in this file — presumably filled in elsewhere
//   before Init() is called (confirm).
void CCrypt::Init(char * szUser, char * szKey)
{
    PBYTE user     = reinterpret_cast<PBYTE>(szUser);
    PBYTE loginKey = reinterpret_cast<PBYTE>(m_szKey);

    RefreshEnProcTable(user, reinterpret_cast<PBYTE>(szKey), loginKey);

    MakeRandSeedKey(m_szRandSeed, 0x10);
    RefreshDeProcTable(user, reinterpret_cast<PBYTE>(m_szRandSeed), loginKey);
}
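// Rebuild the outbound S-box: reset it to the identity permutation, derive the
// 16-byte key into m_bMD5Key (same derivation as the inbound side — the name
// "Decode" in GetDecodeMD5Key is historical), then run the RC4 key-scheduling
// algorithm over it:
//     j = (j + S[i] + K[i mod 16]) mod 256;  swap S[i], S[j]   for i = 0..255
// Ported from the inline x86 asm this used to carry (which does not build for
// x64 and hid the algorithm behind a disassembly dump); the asm kept j in the
// low byte of a DWORD and masked with 0xFF, which is exactly an unsigned char.
void CCrypt::RefreshEnProcTable(PBYTE szUser, PBYTE szDecodeSeed, PBYTE szLoginMD5Key)
{
    InitEnTable();
    GetDecodeMD5Key(szUser, szDecodeSeed, szLoginMD5Key);

    unsigned char* S = ProcEnTable;
    const unsigned char* K = m_bMD5Key;     // 16 bytes
    unsigned char j = 0;
    for (int i = 0; i < 0x100; ++i)
    {
        j = static_cast<unsigned char>(j + S[i] + K[i % 16]);
        const unsigned char t = S[i];
        S[i] = S[j];
        S[j] = t;
    }
}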
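/********************************************************
Purpose:  Decrypt one packet in place — the inbound half of the RC4 stream
          layer. Every byte pulled through here advances the inbound S-box
          (ProcDeTable) and the two counters, so packets must be fed in the
          exact order they arrive.
Params:   pdi - dwBufStart..dwBufEnd delimit the ciphertext; the plaintext
                overwrites it (same length; dwBufEnd is not moved).
Notes:    Ported from the inline x86 asm this used to carry. It is the RC4
          PRGA: i++, j += S[i], swap S[i],S[j], out = in ^ S[S[i]+S[j]].
          dwDePackByteCount / dwDeTempCount are DWORDs, but the asm only ever
          read and wrote their low byte (masking with 0xFF) and both start at
          0, so they are used as the byte counters i and j here.
Fix:      the asm loop was do/while, so a zero-length buffer still consumed
          one keystream byte and wrote buf[0]; zero length is now a no-op.
*********************************************************/
void CCrypt::ProcDeMessage(pDataIn pdi)
{
    if (pdi == NULL)
        return;
    unsigned char* buf = (unsigned char*)pdi->dwBufStart;
    const int n = (int)((const char*)pdi->dwBufEnd - (const char*)pdi->dwBufStart);
    if (buf == NULL || n <= 0)
        return;

    unsigned char* S = ProcDeTable;
    unsigned char i = static_cast<unsigned char>(dwDePackByteCount);
    unsigned char j = static_cast<unsigned char>(dwDeTempCount);
    for (int k = 0; k < n; ++k)
    {
        i = static_cast<unsigned char>(i + 1);
        j = static_cast<unsigned char>(j + S[i]);
        const unsigned char t = S[i];
        S[i] = S[j];
        S[j] = t;
        buf[k] ^= S[static_cast<unsigned char>(S[i] + S[j])];
    }
    dwDePackByteCount = i;
    dwDeTempCount = j;
}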
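// Encrypt one packet in place — the outbound half of the RC4 stream layer,
// byte-for-byte the same keystream generator as ProcDeMessage but driven by
// the outbound S-box (ProcEnTable) and counters (dwEnPackByteCount = i,
// dwEnTempCount = j). Every byte advances that state, so packets must be
// encrypted in send order.
//   pdi - dwBufStart..dwBufEnd delimit the plaintext; the ciphertext
//         overwrites it (same length; dwBufEnd is not moved).
// Ported from the inline x86 asm this used to carry. The counters are DWORDs
// whose low byte was the only part the asm touched (0xFF mask, both start at
// 0), hence the unsigned char i/j. The asm loop was do/while, so a zero-length
// buffer consumed one keystream byte and wrote buf[0]; that is a no-op now.
void CCrypt::ProcEnMessage(pDataIn pdi)
{
    if (pdi == NULL)
        return;
    unsigned char* buf = (unsigned char*)pdi->dwBufStart;
    const int n = (int)((const char*)pdi->dwBufEnd - (const char*)pdi->dwBufStart);
    if (buf == NULL || n <= 0)
        return;

    unsigned char* S = ProcEnTable;
    unsigned char i = static_cast<unsigned char>(dwEnPackByteCount);
    unsigned char j = static_cast<unsigned char>(dwEnTempCount);
    for (int k = 0; k < n; ++k)
    {
        i = static_cast<unsigned char>(i + 1);
        j = static_cast<unsigned char>(j + S[i]);
        const unsigned char t = S[i];
        S[i] = S[j];
        S[j] = t;
        buf[k] ^= S[static_cast<unsigned char>(S[i] + S[j])];
    }
    dwEnPackByteCount = i;
    dwEnTempCount = j;
}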
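/***********************************************************************
Purpose:  Re-target the calls inside the transplanted machine-code blob
          (g_bStaticDecode) so it runs in this process. Each pattern is the
          4-byte operand of a call as it appeared in the original binary:
            E8 71E2E9FF         -> CopyFunc   (rel32 call)
            E8 92DFE9FF/91DAE9FF-> AllocFunc  (rel32 calls)
            FF15 EC638A00       -> memmove    (call through an IAT slot; the
                                   FF 15 is rewritten to 90 E8 = nop; call rel32)
          The blob's section is RWE (see the linker pragma in StaticDecode.h),
          which is what makes this in-place patching possible.
Params:   pbFuncStart - start of the blob, len - its size in bytes
Fixes:    - the scan read a DWORD at every offset up to len-1, i.e. up to
            3 bytes past the blob; it now stops at len-4.
          - the FF15 rewrite touched p[i-2], which underflows for i < 2, and
            did not check that the two bytes really are FF 15 (the same slot
            appears as `8B 1D EC638A00`, mov ebx,[slot], in g_bCopyDataFunc,
            where the rewrite would have produced a stray call).
Note:     rel32 arithmetic is 32-bit by construction; this only makes sense
          for the x86-32 build the blob was lifted from.
***********************************************************************/
void CCrypt::ReplaceCopyFunc(PBYTE pbFuncStart, int len)
{
    if (pbFuncStart == NULL || len < 4)
        return;

    PBYTE p = pbFuncStart;
    const PBYTE pCDF   = (PBYTE)CopyFunc;
    const PBYTE pAF    = (PBYTE)AllocFunc;
    const PBYTE pMMove = (PBYTE)memmove;

    for (int i = 0; i + 4 <= len; i++)
    {
        PDWORD slot = (PDWORD)(p + i);
        const DWORD v = *slot;
        if (v == 0xFFE9E271)                      // E8 71E2E9FF  call CopyFunc
        {
            *slot = (DWORD)(pCDF - (p + i) - 4);
        }
        else if (v == 0x008A63EC && i >= 2 && p[i - 2] == 0xFF && p[i - 1] == 0x15)
        {
            // FF15 EC638A00  call dword ptr [<&MSVCRT.memmove>]
            // -> 90 E8 <rel32>: the rel32 is relative to the next instruction, p+i+4.
            *(PWORD)(p + i - 2) = 0xE890;
            *slot = (DWORD)(pMMove - (p + i) - 4);
        }
        else if (v == 0xFFE9DF92 || v == 0xFFE9DA91)   // E8 ..  call AllocFunc
        {
            *slot = (DWORD)(pAF - (p + i) - 4);
        }
    }
}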
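// Run the native unpacker over the packet in *pdi.
// Original author's notes: the length is the real length without the trailing
// 0x00 — get it right or the routine misbehaves; the buffer passed in must be
// allocated at 0x2000 bytes or the routine corrupts memory; "0902" revision:
// the length is handled internally now.
// Calling convention (matches the blob's `retn 4` epilogue): ECX = this
// object's st_Decode state block, one stack argument = the DataIn*, cleaned by
// the callee. The blob is re-patched on every call; after the first pass the
// patterns no longer match, so the extra passes are no-ops.
// Fix: the old __except(1) swallowed any fault inside the blob and returned
// with pdi untouched, so Decrypt() went on to copy out whatever dwBufStart..
// dwBufEnd happened to cover. A fault now leaves an empty result instead.
void CCrypt::StaticDecode(pDataIn pdi)
{
    if (pdi == NULL)
        return;

    ReplaceCopyFunc((PBYTE)SDF, g_lenStaticDecode);

    DWORD ptmpDataIn = PtrToUint(pdi);
    DWORD dwSDF = PtrToUint(SDF);
    DWORD dwSDI = PtrToUint(m_pStaticDecodeInfo);
    __try
    {
        _asm
        {
            pushad
            mov eax, ptmpDataIn
            push eax                 // arg: DataIn*
            mov ecx, dwSDI           // ecx: st_Decode* (thiscall-style)
            mov eax, dwSDF
            call eax                 // callee pops the argument (retn 4)
            popad
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        // The decoder faulted mid-way; its output cursor is unknown, so
        // report zero output rather than garbage.
        pdi->dwBufEnd = pdi->dwBufStart;
    }
}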
#ifndef __STATIC_DECODE__
#define __STATIC_DECODE__
#include "windows.h"
#include "stdio.h"
#pragma code_seg("StaticDecode")
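// State block handed to the native decoder in g_bStaticDecode (passed in ECX
// by CCrypt::StaticDecode). The blob addresses these fields by the fixed
// offsets noted on each line, so the layout must not change; the typedef after
// the struct fails the build if its size drifts from 0x202c.
typedef struct dt_StaticDecode
{
    BYTE DecodeBuf[0x2000];     // 0x0000  output area the blob writes into
    DWORD BufStart;             // 0x2000  seeded with the block's own address (start of DecodeBuf) in CCrypt::CCrypt
    DWORD ShfNum;               // 0x2004
    DWORD SaveShfNum;           // 0x2008
    DWORD IncreaseNum;          // 0x200c
    DWORD TopNum;               // 0x2010
    DWORD StepGetBytePt;        // 0x2014
    DWORD StepGetBytePt1;       // 0x2018
    DWORD dwUnknow;             // 0x201c  (the next four fields were once a nested dt_SrcInfo struct)
    DWORD SrcStart;             // 0x2020
    DWORD SrcEnd;               // 0x2024  original author: start of the incomplete, already-decrypted data left over
    DWORD Len;                  // 0x2028
} st_Decode, *pst_Decode;
// Compile-time layout guard (C++03-compatible): a negative array size is an error.
typedef char st_Decode_size_must_be_0x202c[(sizeof(st_Decode) == 0x202c) ? 1 : -1];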
// Growable-buffer insert used by the native decoder: CCrypt::ReplaceCopyFunc
// redirects the blob's `E8 71E2E9FF` call here. Hand-transcribed from the
// original binary (the labels keep its addresses), so it keeps that binary's
// convention: ECX = buffer object, three stack arguments, callee-cleaned
// (`retn 0xC`), object pointer returned in EAX.
// As far as the instruction sequence shows (no declaration exists — confirm):
//   object: [ecx+4] = data start, [ecx+8] = data end, [ecx+0xC] = capacity
//   args:   arg1 = insert position (pointer into the buffer; 0 = replace all)
//           arg2 = source bytes, arg3 = byte count
//   - if (end - start) + count exceeds the capacity, capacity becomes the
//     smallest power of two >= that (minimum 2) and the buffer is realloc()ed;
//   - arg1 != 0: the tail from the insert position is memmove()d up by count
//     and the source is copied into the gap;
//     arg1 == 0: the source simply replaces the contents;
//   - end is advanced by count.
// The realloc() here is the CRT one; the original blob called it through an
// IAT slot of the original process, which is why the call is redirected.
static void _declspec(naked) CopyFunc()
{
_asm
{
push ebx
push ebp
mov ebp, dword ptr [esp+0x14]
push esi
mov ebx, dword ptr [esp+0x10]
mov esi, ecx
push edi
// ebp = arg3 (count), ebx = arg1 (position), esi = object
mov eax, dword ptr [esi+4]
mov edi, dword ptr [esi+8]
mov edx, dword ptr [esi+0xC]
sub edi, eax
sub ebx, eax
// edi = used bytes, ebx = insert offset, edx = capacity
lea ecx, dword ptr [edi+ebp]
cmp ecx, edx
jbe Fun004350F2
// grow: capacity = smallest power of two >= needed, at least 2
dec ecx
mov dword ptr [esi+0xC], 2
shr ecx, 1
je Fun004350DC
mov edx, 2
Fun004350D3:
add edx, edx
shr ecx, 1
jnz Fun004350D3
mov dword ptr [esi+0xC], edx
Fun004350DC:
mov ecx, dword ptr [esi+0xC]
push ecx ; /size
push eax ; |block
call dword ptr [realloc] ; \realloc
add esp, 8
mov dword ptr [esi+4], eax
add eax, edi
mov dword ptr [esi+8], eax
Fun004350F2:
// arg1 == 0 selects the "replace contents" path below
mov eax, dword ptr [esp+0x14]
test eax, eax
je Fun0043512F
mov edi, dword ptr [esi+4]
mov edx, dword ptr [esi+8]
add edi, ebx
mov ebx, dword ptr [memmove]; MSVCRT.memmove
sub edx, edi
// memmove(pos + count, pos, end - pos): open a gap of `count` bytes
push edx ; /n
lea eax, dword ptr [edi+ebp] ; |
push edi ; |src
push eax ; |dest
call ebx ; \memmove
// memmove(pos, arg2, count): fill the gap
mov ecx, dword ptr [esp+0x24]
push ebp
push ecx
push edi
call ebx
mov eax, dword ptr [esi+8]
add esp, 0x18
add eax, ebp
mov dword ptr [esi+8], eax
mov eax, esi
pop edi
pop esi
pop ebp
pop ebx
retn 0xC
Fun0043512F:
// memmove(start, arg2, count); end = start + count
mov edx, dword ptr [esp+0x18]
mov eax, dword ptr [esi+4]
push ebp ; /n
push edx ; |src
push eax ; |dest
call dword ptr [memmove] ; \memmove
mov ecx, dword ptr [esi+4]
add esp, 0xC
add ecx, ebp
mov eax, esi
mov dword ptr [esi+8], ecx
pop edi
pop esi
pop ebp
pop ebx
retn 0xC
}
}
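// Tail-call thunk to the CRT memmove. Unreferenced in the visible code (the
// g_bCopyDataFunc-based call in CCrypt::ReplaceCopyFunc is commented out and
// the blob's memmove calls are patched straight to memmove).
// Fix: a naked function has no compiler-generated epilogue, and the old body
// was a bare `call` — after memmove returned, execution fell off the end into
// whatever the linker placed next. A `jmp` forwards the caller's arguments
// and return address to memmove unchanged, which is what a thunk must do.
static void _declspec(naked) NakeCopyFunc()
{
_asm
{
jmp dword ptr [memmove] ; tail call: memmove returns straight to our caller
}
}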
// Reserve-capacity helper used by the native decoder: CCrypt::ReplaceCopyFunc
// redirects the blob's `E8 92DFE9FF` / `E8 91DAE9FF` calls here. Same object
// layout as CopyFunc ([ecx+4] start, [ecx+8] end, [ecx+0xC] capacity — inferred
// from the instruction sequence, no declaration exists), one stack argument
// (required capacity), callee-cleaned (`retn 4`), object returned in EAX.
// If the requested capacity exceeds the current one it is rounded up to the
// smallest power of two >= the request (minimum 2), the buffer is realloc()ed
// and `end` is rebased onto the new block; otherwise nothing changes.
static void _declspec(naked) AllocFunc()
{
_asm
{
mov eax, dword ptr [esp+4]
push esi
mov esi, ecx
cmp eax, dword ptr [esi+0xC]
jbe FUN00435012
// grow: capacity = smallest power of two >= requested, at least 2
dec eax
mov ecx, 2
shr eax, 1
mov dword ptr [esi+0xC], ecx
je FUN00434FF2
FUN00434FE9:
add ecx, ecx
shr eax, 1
jnz short FUN00434FE9
mov dword ptr [esi+0xC], ecx
FUN00434FF2:
mov ecx, dword ptr [esi+0xC]
mov eax, dword ptr [esi+4]
push edi
mov edi, dword ptr [esi+8]
push ecx ; /size
push eax ; |block
sub edi, eax ; |
call dword ptr [realloc] ; \realloc
add esp, 8
// start = new block; end = new block + previously used length
mov dword ptr [esi+4], eax
add eax, edi
mov dword ptr [esi+8], eax
pop edi
FUN00435012:
mov eax, esi
pop esi
retn 4
}
}
// Machine code of the original binary's CopyFunc (the instruction sequence is
// the one transcribed into CopyFunc above). It still carries that binary's
// absolute import slots — `FF 15 2C 64 8A 00` (the realloc call) and
// `8B 1D EC 63 8A 00` (mov ebx, [memmove slot]) — so it cannot run in another
// process unpatched. Unreferenced in the visible code (the use in
// CCrypt::ReplaceCopyFunc is commented out). Being a string literal, the array
// holds one trailing NUL byte beyond the code.
static BYTE g_bCopyDataFunc[] =
"\x53\x55\x8B\x6C\x24\x14\x56\x8B\x5C\x24\x10\x8B\xF1\x57\x8B\x46\x04\x8B\x7E\x08\x8B\x56\x0C\x2B\xF8\x2B\xD8\x8D\x0C\x2F\x3B\xCA"
"\x76\x30\x49\xC7\x46\x0C\x02\x00\x00\x00\xD1\xE9\x74\x0E\xBA\x02\x00\x00\x00\x03\xD2\xD1\xE9\x75\xFA\x89\x56\x0C\x8B\x4E\x0C\x51"
"\x50\xFF\x15\x2C\x64\x8A\x00\x83\xC4\x08\x89\x46\x04\x03\xC7\x89\x46\x08\x8B\x44\x24\x14\x85\xC0\x74\x35\x8B\x7E\x04\x8B\x56\x08"
"\x03\xFB\x8B\x1D\xEC\x63\x8A\x00\x2B\xD7\x52\x8D\x04\x2F\x57\x50\xFF\xD3\x8B\x4C\x24\x24\x55\x51\x57\xFF\xD3\x8B\x46\x08\x83\xC4"
"\x18\x03\xC5\x89\x46\x08\x8B\xC6\x5F\x5E\x5D\x5B\xC2\x0C\x00\x8B\x54\x24\x18\x8B\x46\x04\x55\x52\x50\xFF\x15\xEC\x63\x8A\x00\x8B"
"\x4E\x04\x83\xC4\x0C\x03\xCD\x8B\xC6\x89\x4E\x08\x5F\x5E\x5D\x5B\xC2\x0C\x00";
// Machine code of the original client's unpack routine, executed by
// CCrypt::StaticDecode with ECX = st_Decode* and one stack argument (the
// DataIn*) that it pops itself (`C2 04 00`, retn 4, at the very end). The
// 0x20xx displacements throughout (e.g. `8B 96 24 20 00 00`) are the
// st_Decode field offsets.
// Before each call CCrypt::ReplaceCopyFunc rewrites the rel32 call operands
// `E8 71 E2 E9 FF` (-> CopyFunc) and `E8 92 DF E9 FF` / `E8 91 DA E9 FF`
// (-> AllocFunc) and every `FF 15 EC 63 8A 00` memmove import call.
// NOTE(review): the `FF 15 2C 64 8A 00` near the start (4th/5th lines) is the
// import slot CopyFunc's asm shows as `call dword ptr [realloc]`; it is NOT
// rewritten by ReplaceCopyFunc, so the blob's own buffer-growth path still
// targets an address from the original process. That path is taken only when
// the output outgrows the capacity it was given — which is why the author
// insists on the 0x2000 / 0x2000*8 buffers in Decrypt/StaticDecode.
// String literal: the array has one trailing NUL byte, and g_lenStaticDecode
// (sizeof) counts it.
static BYTE g_bStaticDecode[] =
"\x83\xEC\x0C\x53\x55\x8B\x6C\x24\x18\x56\x8B\xF1\x57\x8B\x45\x04\x8B\x4D\x08\x8B\x96\x24\x20\x00\x00\x2B\xC8\x8D\xBE\x1C\x20\x00"
"\x00\x51\x50\x52\x8B\xCF\x89\x7C\x24\x24\xE8\x71\xE2\xE9\xFF\x8B\x47\x08\x8B\x5F\x04\x8B\x8E\x04\x20\x00\x00\x2B\xC3\xC1\xE0\x03"
"\x2B\xC1\x89\x86\x10\x20\x00\x00\x8B\x47\x08\x8B\x5F\x04\x8B\x4F\x0C\x2B\xC3\x83\xC0\x03\x3B\xC1\x76\x34\x48\xB9\x02\x00\x00\x00"
"\xD1\xE8\x89\x4F\x0C\x74\x09\x03\xC9\xD1\xE8\x75\xFA\x89\x4F\x0C\x8B\x4F\x0C\x8B\x47\x04\x8B\x5F\x08\x51\x50\x2B\xD8\xFF\x15\x2C"
"\x64\x8A\x00\x83\xC4\x08\x89\x47\x04\x03\xC3\x89\x47\x08\x8B\x96\x20\x20\x00\x00\xC7\x86\x0C\x20\x00\x00\x07\x00\x00\x00\x89\x96"
"\x14\x20\x00\x00\x8B\x45\x04\x89\x45\x08\x8B\x96\x10\x20\x00\x00\x8B\x86\x0C\x20\x00\x00\x8B\x8E\x00\x20\x00\x00\x3B\xD0\x89\x4C"
"\x24\x10\x0F\x86\x51\x06\x00\x00\x8B\x86\x04\x20\x00\x00\x8B\x8E\x14\x20\x00\x00\x8B\xD0\x89\x86\x08\x20\x00\x00\xC1\xEA\x03\x83"
"\xE0\x07\x03\xD1\x89\x86\x04\x20\x00\x00\x8B\xC2\x89\x8E\x18\x20\x00\x00\x89\x96\x14\x20\x00\x00\x8B\x08\x89\x4C\x24\x14\x8B\x44"
"\x24\x14\x0F\xC8\x89\x44\x24\x14\x8B\x8E\x04\x20\x00\x00\x8B\x44\x24\x14\xD3\xE0\x3D\x00\x00\x00\x80\x73\x45\x8B\xBE\x0C\x20\x00"
"\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x08\x83\xC7\x08\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00\x00\x0F\x83\xBE"
"\x05\x00\x00\x8B\x96\x00\x20\x00\x00\xC1\xE8\x18\x88\x02\x8B\x86\x00\x20\x00\x00\x40\x89\x86\x00\x20\x00\x00\xE9\x57\x05\x00\x00"
"\x3D\x00\x00\x00\xC0\x73\x47\x8B\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x09\x83\xC7\x09\x89\x8E\x04\x20\x00\x00\x8B"
"\xCF\x3B\xCA\x89\xBE\x0C\x20\x00\x00\x0F\x83\x3E\x05\x00\x00\x8B\x8E\x00\x20\x00\x00\xC1\xE8\x17\x0C\x80\x88\x01\x8B\x86\x00\x20"
"\x00\x00\x40\x89\x86\x00\x20\x00\x00\xE9\x09\x05\x00\x00\x3D\x00\x00\x00\xF0\x0F\x82\xFF\x00\x00\x00\x8B\xAE\x0C\x20\x00\x00\x8B"
"\xBE\x10\x20\x00\x00\x83\xC5\x0A\x83\xC1\x0A\x8B\xD5\x89\x8E\x04\x20\x00\x00\x3B\xD7\x89\xAE\x0C\x20\x00\x00\x0F\x83\x06\x05\x00"
"\x00\xC1\xE8\x16\x83\xE0\x3F\x8B\xD8\x0F\x85\x30\x01\x00\x00\x8B\xD9\xB8\x08\x00\x00\x00\x83\xE3\x07\x2B\xC3\x83\xF8\x08\x73\x18"
"\x03\xC8\x03\xC2\x3B\xC7\x89\x8E\x04\x20\x00\x00\x89\x86\x0C\x20\x00\x00\x0F\x83\xE9\x04\x00\x00\x8B\xBE\x00\x20\x00\x00\x8B\x5C"
"\x24\x10\x8B\x4C\x24\x20\x2B\xFB\x8B\x59\x08\x8B\x41\x04\x8B\xD3\x8B\xEB\x2B\xD0\x2B\xE8\x03\xD7\x52\xE8\x92\xDF\xE9\xFF\x85\xDB"
"\x74\x33\x8B\x44\x24\x20\x8B\x58\x04\x8B\x40\x08\x03\xDD\x2B\xC3\x50\x8D\x0C\x3B\x53\x51\xFF\x15\xEC\x63\x8A\x00\x8B\x54\x24\x1C"
"\x57\x52\x53\xFF\x15\xEC\x63\x8A\x00\x8B\x44\x24\x38\x83\xC4\x18\x01\x78\x08\xEB\x1F\x8B\x5C\x24\x20\x8B\x44\x24\x10\x57\x50\x8B"
"\x4B\x04\x51\xFF\x15\xEC\x63\x8A\x00\x8B\x53\x04\x83\xC4\x0C\x03\xD7\x89\x53\x08\x8B\x86\x00\x20\x00\x00\x2B\xC6\x3D\x00\x20\x00"
"\x00\x75\x06\x89\xB6\x00\x20\x00\x00\x8B\x8E\x00\x20\x00\x00\x89\x4C\x24\x10\xE9\xFF\x03\x00\x00\x8B\x96\x10\x20\x00\x00\x8B\xBE"
"\x0C\x20\x00\x00\x3D\x00\x00\x00\xE0\x72\x29\x83\xC1\x0C\x83\xC7\x0C\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00"
"\x00\x0F\x83\xE6\x03\x00\x00\xC1\xE8\x14\x25\xFF\x00\x00\x00\x83\xC0\x40\xEB\x29\x83\xC1\x10\x83\xC7\x10\x89\x8E\x04\x20\x00\x00"
"\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00\x00\x0F\x83\xD7\x03\x00\x00\xC1\xE8\x10\x25\xFF\x1F\x00\x00\x05\x40\x01\x00\x00\x8B\xD8\x8B"
"\x86\x04\x20\x00\x00\x8B\x8E\x14\x20\x00\x00\x8B\xD0\x83\xE0\x07\xC1\xEA\x03\x03\xCA\x89\x86\x04\x20\x00\x00\x8B\xC1\x89\x8E\x14"
"\x20\x00\x00\x8B\x08\x89\x4C\x24\x14\x8B\x44\x24\x14\x0F\xC8\x89\x44\x24\x14\x8B\x8E\x04\x20\x00\x00\x8B\x44\x24\x14\xD3\xE0\x3D"
"\x00\x00\x00\x80\x73\x2E\x8B\x96\x0C\x20\x00\x00\x41\x42\x89\x8E\x04\x20\x00\x00\x8B\x8E\x10\x20\x00\x00\x8B\xC2\x3B\xC1\x89\x96"
"\x0C\x20\x00\x00\x0F\x83\x77\x03\x00\x00\xB8\x03\x00\x00\x00\xE9\xC4\x02\x00\x00\x3D\x00\x00\x00\xC0\x73\x3A\x8B\xBE\x0C\x20\x00"
"\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x04\x83\xC7\x04\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00\x00\x0F\x83\x0A"
"\x03\x00\x00\x25\x00\x00\x00\x30\x0D\x00\x00\x00\x40\xC1\xE8\x1C\xE9\x83\x02\x00\x00\x3D\x00\x00\x00\xE0\x73\x3A\x8B\xBE\x0C\x20"
"\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x06\x83\xC7\x06\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00\x00\x0F\x83"
"\xE3\x02\x00\x00\x25\x00\x00\x00\x1C\x0D\x00\x00\x00\x20\xC1\xE8\x1A\xE9\x42\x02\x00\x00\x3D\x00\x00\x00\xF0\x73\x3A\x8B\xBE\x0C"
"\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x08\x83\xC7\x08\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00\x00\x0F"
"\x83\xBC\x02\x00\x00\x25\x00\x00\x00\x0F\x0D\x00\x00\x00\x10\xC1\xE8\x18\xE9\x01\x02\x00\x00\x3D\x00\x00\x00\xF8\x73\x3A\x8B\xBE"
"\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x0A\x83\xC7\x0A\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00\x00"
"\x0F\x83\x47\x02\x00\x00\x25\x00\x00\xC0\x07\x0D\x00\x00\x00\x08\xC1\xE8\x16\xE9\xC0\x01\x00\x00\x3D\x00\x00\x00\xFC\x73\x3A\x8B"
"\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x0C\x83\xC7\x0C\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20\x00"
"\x00\x0F\x83\x20\x02\x00\x00\x25\x00\x00\xF0\x03\x0D\x00\x00\x00\x04\xC1\xE8\x14\xE9\x7F\x01\x00\x00\x3D\x00\x00\x00\xFE\x73\x3A"
"\x8B\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x0E\x83\xC7\x0E\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C\x20"
"\x00\x00\x0F\x83\xF9\x01\x00\x00\x25\x00\x00\xFC\x01\x0D\x00\x00\x00\x02\xC1\xE8\x12\xE9\x3E\x01\x00\x00\x3D\x00\x00\x00\xFF\x73"
"\x3A\x8B\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x10\x83\xC7\x10\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C"
"\x20\x00\x00\x0F\x83\x84\x01\x00\x00\x25\x00\x00\xFF\x00\x0D\x00\x00\x00\x01\xC1\xE8\x10\xE9\xFD\x00\x00\x00\x3D\x00\x00\x80\xFF"
"\x73\x3A\x8B\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x12\x83\xC7\x12\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE"
"\x0C\x20\x00\x00\x0F\x83\x5D\x01\x00\x00\x25\x00\xC0\x7F\x00\x0D\x00\x00\x80\x00\xC1\xE8\x0E\xE9\xBC\x00\x00\x00\x3D\x00\x00\xC0"
"\xFF\x73\x37\x8B\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x14\x83\xC7\x14\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89"
"\xBE\x0C\x20\x00\x00\x0F\x83\x36\x01\x00\x00\x25\x00\xF0\x3F\x00\x0D\x00\x00\x40\x00\xC1\xE8\x0C\xEB\x7E\x3D\x00\x00\xE0\xFF\x73"
"\x37\x8B\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x16\x83\xC7\x16\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89\xBE\x0C"
"\x20\x00\x00\x0F\x83\xC4\x00\x00\x00\x25\x00\xFC\x1F\x00\x0D\x00\x00\x20\x00\xC1\xE8\x0A\xEB\x40\x3D\x00\x00\xF0\xFF\x0F\x83\xDE"
"\x00\x00\x00\x8B\xBE\x0C\x20\x00\x00\x8B\x96\x10\x20\x00\x00\x83\xC1\x18\x83\xC7\x18\x89\x8E\x04\x20\x00\x00\x8B\xCF\x3B\xCA\x89"
"\xBE\x0C\x20\x00\x00\x0F\x83\x9C\x00\x00\x00\x25\x00\xFF\x0F\x00\x0D\x00\x00\x10\x00\xC1\xE8\x08\x8B\x8E\x00\x20\x00\x00\x8D\x96"
"\x00\x20\x00\x00\x8B\xF9\x2B\xFB\x3B\xFE\x0F\x82\xA9\x00\x00\x00\x8D\x1C\x01\x3B\xDA\x0F\x87\x9E\x00\x00\x00\x8B\xD9\x8B\xD0\x2B"
"\xDF\x83\xFB\x03\x7E\x1C\x83\xF8\x03\x76\x17\x8D\x58\xFC\xC1\xEB\x02\x43\x8B\x2F\x83\xC7\x04\x89\x29\x83\xC1\x04\x83\xEA\x04\x4B"
"\x75\xF0\x85\xD2\x74\x0B\x8B\xEA\x8A\x17\x88\x11\x41\x47\x4D\x75\xF7\x01\x86\x00\x20\x00\x00\x8B\x86\x10\x20\x00\x00\x8B\x8E\x0C"
"\x20\x00\x00\x3B\xC1\x0F\x87\xFD\xF9\xFF\xFF\xEB\x4C\x8B\x86\x08\x20\x00\x00\x8B\x8E\x18\x20\x00\x00\x89\x86\x04\x20\x00\x00\x89"
"\x8E\x14\x20\x00\x00\xEB\x32\x8B\x96\x08\x20\x00\x00\x8B\x86\x18\x20\x00\x00\x89\x96\x04\x20\x00\x00\x89\x86\x14\x20\x00\x00\xEB"
"\x18\x8B\x8E\x08\x20\x00\x00\x8B\x96\x18\x20\x00\x00\x89\x8E\x04\x20\x00\x00\x89\x96\x14\x20\x00\x00\x8B\xBE\x00\x20\x00\x00\x8B"
"\x5C\x24\x10\x8B\x4C\x24\x20\x2B\xFB\x8B\x59\x08\x8B\x41\x04\x8B\xD3\x8B\xEB\x2B\xD0\x2B\xE8\x03\xD7\x52\xE8\x91\xDA\xE9\xFF\x85"
"\xDB\x74\x35\x8B\x44\x24\x20\x8B\x58\x04\x8B\x40\x08\x03\xDD\x2B\xC3\x50\x8D\x0C\x3B\x53\x51\xFF\x15\xEC\x63\x8A\x00\x8B\x54\x24"
"\x1C\x57\x52\x53\xFF\x15\xEC\x63\x8A\x00\x8B\x44\x24\x38\x83\xC4\x18\x8B\xE8\x01\x78\x08\xEB\x1F\x8B\x6C\x24\x20\x8B\x44\x24\x10"
"\x57\x50\x8B\x4D\x04\x51\xFF\x15\xEC\x63\x8A\x00\x8B\x55\x04\x83\xC4\x0C\x03\xD7\x89\x55\x08\x8B\xBE\x20\x20\x00\x00\x8B\xB6\x14"
"\x20\x00\x00\x3B\xFE\x74\x1F\x8B\x5C\x24\x18\x8B\x43\x08\x2B\xC6\x50\x56\x57\xFF\x15\xEC\x63\x8A\x00\x8B\x43\x08\x2B\xFE\x83\xC4"
"\x0C\x03\xC7\x89\x43\x08\x5F\x8B\xC5\x5E\x5D\x5B\x83\xC4\x0C\xC2\x04\x00";
// Size handed to CCrypt::ReplaceCopyFunc as the patch-scan length (includes the literal's trailing NUL).
static int g_lenStaticDecode = sizeof(g_bStaticDecode);
// The StaticDecode section is linked read+write+execute because
// CCrypt::ReplaceCopyFunc patches g_bStaticDecode in place and the blob is then
// executed from the same memory. A writable-and-executable section defeats
// W^X / DEP for the whole section, including the naked helpers above; the
// safer shape is a normal read-only code section with VirtualProtect()
// raised to PAGE_EXECUTE_READWRITE only around the patch and restored after.
#pragma code_seg("StaticDecode")
#pragma comment(linker,"/section:StaticDecode,RWE")
#endif