在unpack发过了,来这里看看有没有答案
该开发公司已经倒闭了,国内也没有代理,所以放上来应该无大碍。
某线上游戏的封包加密算法,可逆(加解密对称),找不到头绪,放上来给大家看看,好像是非公开算法,大家看看是否眼熟。
; ===========================================================================
; Packet cipher routine lifted from a game client (32-bit x86, Intel syntax
; as printed by the debugger; immediates are hex with no suffix; helper and
; table addresses are specific to that binary).
;
; Calling convention as observed in this listing:
;   stack  : one DWORD argument `var`, popped by the callee (retn 4).
;            var+4 = pointer to the large key table: an array of DWORD
;                    pointers (slots 0-4 are used by position in the first
;                    loop, slots 0-15 are selected with "and ..., 0F" in the
;                    two later loops); each slot points to a byte array that
;                    is read at offset index*4.
;            var+8 = pointer to the small key table of WORD entries; the
;                    index is masked with 1FF, so at most 512 entries are
;                    ever read.
;   esi    : BYTE* packet buffer.  As used here: WORD [esi] = declared
;            length, WORD [esi+2] = second header field, byte [esi+4] =
;            flag byte, byte [esi+5] = check byte (written by this routine),
;            bytes [esi+6 ..] = body.
;   ecx    : DWORD* stream counter; it is read, masked to 1FF, and stored
;            back incremented by one on every call.
;   Returns ax = low 16 bits of (declared length + salt), i.e. the padded
;            length the cipher covered.  The check byte is stored at [esi+5],
;            it is NOT the return value (dx is reloaded from [esp+1C] first).
;   ebx, ebp, edi are saved/restored; eax, ecx, edx are clobbered.
;
; Globals it touches: [674498] (stack cookie, see below), a byte table at
; 62F830 used as dx = T[byte xor dx] with dx starting at 0 (so only 256
; entries are reachable; the shape is that of a table-driven CRC-8, whether
; T really is a CRC table cannot be told from here), and two helper calls
; (00501A89, 005018B0).
;
; Frame after the three pushes: [esp+38] = var, [esp+30] = stack cookie,
; [esp+28] ("word B") and the UNALIGNED dword [esp+29] ("word A") hold two
; overlapping header words the routine builds; [esp+C..esp+24] are scratch.
;
; NOTE(review): the third loop XORs bytes at positions len .. len+salt-1
; (from 6 when len <= 6), i.e. up to 7 bytes beyond the declared length
; (salt = bits 29-31 of word A, 0..7) - the caller's buffer must have room
; for len+7 bytes.
; NOTE(review): the length put into word B is masked to 11 bits (and eax,
; 7FF) while the loops use the full 16-bit length, so packets longer than
; 7FF bytes are not described correctly by their own header.
; NOTE(review): the low 11 bits of the key word are written back into [esi]
; and [esi+4] in the clear by the final fix-up, AFTER the key stream has been
; applied - presumably so the receiver can recover the key; confirm against
; the decrypt side.
; NOTE(review): the key stream is a handful of table lookups keyed by a
; per-call counter and one WORD from the small table; nothing in this
; listing shows a proper cipher - treat it as obfuscation until the tables
; are understood.
; ===========================================================================
;push var (the only stack argument; var+4 = large key table, var+8 = small key table)
;extra register arguments: esi:BYTE *, ecx:DWORD * (esi = buffer to be encrypted, ecx = stream counter)
sub esp, 28
mov eax, dword ptr [674498] ;stack cookie - looks like MSVC /GS (__security_cookie), confirm
mov dword ptr [esp+24], eax ;cookie slot ([esp+30] after the pushes), re-checked before retn
push ebx
; ax = 400 - length.  The signed 16-bit test decides whether the 3 "salt"
; bits come from the TLS helper (taken for length <= 3F9) or stay zero.
; The subtraction wraps at 16 bits, so the test is not monotonic: lengths
; >= 8401 take the TLS path again.
mov ax, 400
sub ax, word ptr [esi]
push ebp
cmp ax, 7
push edi
mov edi, ecx                ;edi = stream counter pointer
jl L023
call 00501A89               ;reads a value from TLS; the poster says it appears to be arbitrary
; eax = eax % 8 (compiler idiom for a signed remainder); only the low 3
; bits survive the shl below, so the sign does not matter
and eax, 80000007
jns L017
dec eax
or eax, FFFFFFF8
inc eax
L017:
; NOTE(review): nothing in this listing initialises [esp+29] before this
; read.  Its bits 0-13 are carried into word A but are overwritten by the
; store of word B ([esp+28]) before anything reads them back, and bits 14-31
; are replaced below - looks like harmless bit-field codegen.
mov ecx, dword ptr [esp+29]
and ecx, 1FFFFFFF
shl eax, 1D                 ;salt -> bits 29-31
or eax, ecx
mov ecx, eax
jmp L025
L023:
mov ecx, dword ptr [esp+29] ;same word, salt bits forced to zero
and ecx, 1FFFFFFF
L025:
; Fetch this packet's key word: keyword = small_table[*counter & 1FF],
; then *counter += 1 (the store of the masked value keeps it in range)
mov eax, dword ptr [edi]
mov edx, dword ptr [esp+38]  ;var
and eax, 1FF
mov dword ptr [edi], eax
mov edx, dword ptr [edx+8]   ;small key table (WORD entries; only indices 0..1FF are reachable)
movzx ebx, word ptr [edx+eax*2] ;ebx = key word for this packet (16-bit)
inc eax
mov dword ptr [edi], eax
; slot = (salt + counter+1) & 0F  -> sub-table selector used by the loops
mov edi, ecx
shr edi, 1D
add edi, eax
and edi, 0F
; word A (stored at the unaligned [esp+29]):
;   bits 29-31 = salt, 25-28 = slot, 14-24 = keyword & 7FF, 0-13 kept
and ecx, E0003FFF
mov eax, edi
and eax, 0F
shl eax, 0B
mov edx, ebx
and edx, 7FF
or eax, edx
shl eax, 0E
or eax, ecx
xor ecx, ecx
mov cx, word ptr [esi]       ;cx = declared length
mov dword ptr [esp+29], eax  ;word A
shr eax, 1D
and eax, 7                   ;eax = salt (0..7)
mov dword ptr [esp+20], ebx  ;save keyword
add eax, ecx                 ;eax = length + salt = bytes the cipher will cover
mov dword ptr [esp+18], ecx  ;save declared length
xor ecx, ecx
mov cx, word ptr [esi+2]
mov dword ptr [esp+1C], eax  ;save length + salt (also the return value)
; word B: bits 0-10 = (length+salt) & 7FF, bits 11-21 = [esi+2] & 7FF,
; bits 22-31 = bits 22-31 of [esp+28] (= word A bits 14-23)
and eax, 7FF
and ecx, 7FF
shl ecx, 0B
or ecx, eax
mov eax, dword ptr [esp+28]
and eax, FFC00000
or ecx, eax
; rebuild flag byte [esi+4]: bits 6-7 = word B bits 9-10, bits 3-5 kept
; from the original byte, bits 0-2 = word B bits 17-19
mov al, byte ptr [esi+4]
mov edx, ecx
shr edx, 9
shl dl, 6
and al, 38
or dl, al
mov eax, ecx
shr eax, 11
and al, 7
xor dl, al
mov byte ptr [esi+4], dl
mov dword ptr [esp+28], ecx  ;word B (overlaps bytes 0-2 of word A)
; Scatter bit-fields of word A (eax), word B (ecx) and word A >> 0E
; ([esp+10]) into a new first dword of the packet.  Only bits 0C000E38 of
; the original [esi] survive here, and those are replaced by the fix-up at
; the end (mask F3FFF1C7 is the complement).  Fixed permutation, see masks.
mov eax, dword ptr [esp+29]
mov edx, eax
shr edx, 0E
mov dword ptr [esp+10], edx  ;word A >> 14
mov edx, ecx
and edx, 1C0
shl edx, 2
mov ebp, ecx
and ebp, 38
or edx, ebp
shl edx, 7
mov ebp, ecx
and ebp, 300000
or edx, ebp
shl edx, 2
mov ebp, ecx
and ebp, 7
or edx, ebp
shl edx, 1
mov ebp, eax
and ebp, FE000000
or edx, ebp
mov ebp, ecx
shl edx, 4
and ebp, 3800
or edx, ebp
shr ecx, 8
shl edx, 1
and ecx, 1C0
and eax, 18000000
or ecx, eax
mov eax, dword ptr [esi]
shr ecx, 6
or edx, ecx
mov ecx, dword ptr [esp+10]
and eax, 0C000E38
or edx, eax
and ecx, 38000
or edx, ecx
mov dword ptr [esi], edx     ;new scrambled header dword
; Loop 1 - packet bytes 0..4.  The check byte runs over the 5 header bytes
; on the STACK ([esp+28..esp+2C] = word B then the top byte of word A), not
; over the scrambled bytes in the packet; each packet byte i is XORed with
; large_table[i][keyword*4].
;   [esp+14] = (esp+28) - esi so that [eax+ebp] addresses the stack copy
;   ecx = 0,4,8,... selects slot i, ebx = keyword, dx = running check
lea eax, dword ptr [esp+28]
xor edx, edx
xor ecx, ecx
sub eax, esi
mov ebp, esi
mov dword ptr [esp+14], eax
mov dword ptr [esp+C], 5     ;5 iterations
jmp L125
L124:
mov eax, dword ptr [esp+14]
L125:
movzx eax, byte ptr [eax+ebp]
movzx edx, dx
xor eax, edx
movzx dx, byte ptr [eax+62F830] ;dx = T[byte ^ dx]
mov eax, dword ptr [esp+38]
mov eax, dword ptr [eax+4]   ;large key table (array of pointers)
mov eax, dword ptr [ecx+eax] ;slot i
mov al, byte ptr [eax+ebx*4] ;key byte = slot_i[keyword*4]; keyword is 16-bit, so offsets up to 3FFFC are possible unless the small table's values are bounded
xor byte ptr [ebp], al
mov eax, dword ptr [esp+C]
add ecx, 4
inc ebp
dec eax
mov dword ptr [esp+C], eax
jnz L124
; Loop 2 - body bytes 6..length-1 (skipped when length <= 6, leaving ebp=6).
; Per byte at position p: dx = T[plain ^ dx] (check over the PLAINTEXT),
; key = large_table[(slot + p) & 0F][((keyword + p) & 7FF) * 4], packet[p] ^= key.
; Register setup: [esp+18] = slot - keyword, [esp+14] = keyword - esi, so
; that (ebx + ebp) = keyword + p and (eax + ecx) = slot + p inside the loop.
mov ecx, dword ptr [esp+18]  ;declared length
mov ebp, 6
cmp cx, bp
jbe L181
add ecx, -6
movzx ecx, cx                ;count = length - 6 (16-bit)
mov eax, edi
sub eax, ebx
sub ebx, esi
mov dword ptr [esp+C], ecx
add ecx, 6
lea ebp, dword ptr [esi+6]   ;ebp = &packet[6]
mov dword ptr [esp+18], eax
mov dword ptr [esp+14], ebx
mov dword ptr [esp+24], ecx  ;length, restored into ebp after the loop
jmp L159
L156:
mov eax, dword ptr [esp+18]
mov ebx, dword ptr [esp+14]
lea esp, dword ptr [esp]     ;no-op (alignment padding)
L159:
movzx ecx, byte ptr [ebp]
movzx edx, dx
xor ecx, edx
movzx dx, byte ptr [ecx+62F830] ;running check over the plaintext body
lea ecx, dword ptr [ebx+ebp] ;keyword + p
mov ebx, dword ptr [esp+38]
mov ebx, dword ptr [ebx+4]   ;large key table
add eax, ecx                 ;slot + p
and eax, 0F
mov eax, dword ptr [ebx+eax*4]
mov bl, byte ptr [ebp]
and ecx, 7FF
mov cl, byte ptr [eax+ecx*4] ;key byte
mov eax, dword ptr [esp+C]
xor cl, bl
mov byte ptr [ebp], cl
inc ebp
dec eax
mov dword ptr [esp+C], eax
jnz L156
mov ebx, dword ptr [esp+20]  ;keyword back in ebx
mov ebp, dword ptr [esp+24]  ;ebp = length (stays 6 when loop 2 was skipped)
L181:
mov eax, dword ptr [esp+10]  ;word A >> 14
mov ecx, dword ptr [esp+29]  ;word A
mov byte ptr [esi+5], dl     ;store the check byte
mov edx, dword ptr [esp+1C]  ;length + salt
; Loop 3 - positions ebp .. length+salt-1 (the salt padding).  Same key
; stream as loop 2, but the check byte is NOT updated over these bytes.
; This writes past the declared length by up to 7 bytes.
cmp bp, dx
jnb L212
movzx ecx, bp
sub edi, ebx                 ;slot - keyword
add ecx, esi                 ;ecx = &packet[ebp]
sub ebx, esi                 ;keyword - esi
sub edx, ebp
movzx edx, dx
mov dword ptr [esp+C], edx   ;count = (length + salt) - ebp, 16-bit
mov edi, edi                 ;no-op (alignment padding)
L195:
mov ebp, dword ptr [esp+38]
mov ebp, dword ptr [ebp+4]   ;large key table
lea edx, dword ptr [ecx+ebx] ;keyword + p
lea eax, dword ptr [edx+edi] ;slot + p
and eax, 0F
mov eax, dword ptr [ebp+eax*4]
and edx, 7FF
mov dl, byte ptr [eax+edx*4] ;key byte
xor byte ptr [ecx], dl
mov eax, dword ptr [esp+C]
inc ecx
dec eax
mov dword ptr [esp+C], eax
jnz L195
mov edx, dword ptr [esp+1C]  ;dx = length + salt again (the return value)
mov ecx, dword ptr [esp+29]  ;word A
mov eax, dword ptr [esp+10]  ;word A >> 14
L212:
; Final header fix-up, applied AFTER the key stream.  Word A bits 14-24 are
; keyword & 7FF, so this writes the low 11 bits of the key word in the clear:
;   [esi] bits 9-11  := word A bits 20-22 (keyword bits 6-8)
;   [esi] bits 26-27 := word A bits 23-24 (keyword bits 9-10)
;   [esi] bits 3-5   := word A bits 17-19 (keyword bits 3-5)
;   [esi+4] bits 3-5 := word A bits 14-16 (keyword bits 0-2)
; every other bit of [esi] (mask F3FFF1C7) and of [esi+4] is kept.
mov edi, ecx
shr edi, 0B
and ecx, 1800000
and edi, 0E00
shl ecx, 3
or edi, ecx
mov ecx, dword ptr [esi]
mov bl, al
and ecx, F3FFF1C7
or edi, ecx
mov ecx, dword ptr [esp+30]  ;stack cookie, passed in ecx to the check routine
shl bl, 3
xor bl, byte ptr [esi+4]
and eax, 38
or edi, eax
and bl, 38
xor byte ptr [esi+4], bl     ;replace bits 3-5 of the flag byte only
mov dword ptr [esi], edi
pop edi
pop ebp
mov ax, dx                   ;return (length + salt) & FFFF
pop ebx
call 005018B0                ;stack-cookie check (__security_check_cookie-style); the poster notes it can be dropped in a reimplementation
add esp, 28
retn 4