天堂亚洲免费视频,亚洲av片一区二区三区,亚洲精品线路一在线观看

[原]MIR3G反匯編分析（一）——命令體二次解密

服務(wù)器每次發(fā)來的密文，類似于
#eLrBHMNx<F=hgmlYA]X]ENtpGM`X@?PuN`LwT_m>RmleJ_l{PAMHQ?pUCpdbENa<F`pjBllQC=HSC\\pT?LduQ_y=PQM>JptK!
命令體部分經(jīng)過普通解密后，還需要根據(jù)一個掩碼來進行二次解密

這里是二次解密命令體的部分
push    ebp
mov     ebp, esp
and     esp, FFFFFFF8
push    -1
push    004C833C
mov     eax, dword ptr fs:[0]
push    eax
mov     dword ptr fs:[0], esp
push    ecx
mov     eax, 549C
call    004BC0B0
push    ebx
push    esi
push    edi
mov     edi, dword ptr [ebp+8]
cmp     byte ptr [edi], 2B                    <------判斷第一個字節(jié)是否為 +
mov     ebx, ecx
jnz L029
inc     edi
push    edi
call    0042B0D0
mov     ecx, dword ptr [esp+54AC]
mov     dword ptr fs:[0], ecx
pop     edi
pop     esi
pop     ebx
mov     esp, ebp
pop     ebp
retn    4
L029:
push    edi     <-----   密文
lea     eax, dword ptr [esp+3C]
push    eax   <------ 密文解密后被保存在這里
call    004A0CE0
mov     cx, word ptr [ebx+49B162]
xor     word ptr [esp+3C], cx
xor     edx, edx
mov     dh, byte ptr [esp+43]
mov     cl, byte ptr [ebx+49B161]
xor     eax, eax
mov     ah, byte ptr [esp+3F]
mov     dl, byte ptr [esp+41]
mov     al, byte ptr [esp+3D]
shl     edx, 10
or      edx, eax
mov     al, byte ptr [ebx+49B160]
mov     esi, edx
xor     cl, byte ptr [esp+3C]
xor     edx, edx
mov     dh, cl
xor     al, byte ptr [esp+38]
mov     dword ptr [esp+1C], esi
mov     dl, al
mov     eax, dword ptr [esp+38]
shr     eax, 10
mov     cx, dx
movzx   dx, byte ptr [esp+39]
mov     dh, byte ptr [esp+3E]
mov     word ptr [esp+20], cx
mov     word ptr [esp+22], dx
xor     edx, edx
mov     dh, byte ptr [esp+40]
mov     dl, al
movzx   ax, ah
mov     ah, byte ptr [esp+42]
mov     word ptr [esp+24], dx
mov     word ptr [esp+26], ax
movzx   eax, cx
add     eax, -138A
cmp     eax, 123
ja      0043BF9D
movzx   ecx, byte ptr [eax+43C220]
jmp     dword ptr [ecx*4+43BFB4]

在 MIR3G二次加解密反匯編分析（三）——跟蹤中有4個賦值
mov     byte ptr [ebx+49B160], al
mov     byte ptr [ebx+49B161], ah
mov     word ptr [ebx+49B162], ax
mov     word ptr [ebx+49B164], ax
這就是命令體二次解密時的掩碼

從一次解密的消息體中提取掩碼的部分
sub     eax, edx
cmp     eax, 3C                     ;判斷消息體長度是否為60
jnz     0043BF9D
mov     ecx, dword ptr [esp+CA8]      esp+CA8保存的就是經(jīng)過一次解密的消息體（不包含命令體）
mov     edx, dword ptr [esp+CAC]
mov     eax, dword ptr [esp+CB0]
mov     dword ptr [esp+38], ecx
mov     ecx, dword ptr [esp+CB4]
mov     dword ptr [esp+44], ecx
mov     ecx, dword ptr [esp+CC0]
mov     dword ptr [esp+3C], edx
mov     edx, dword ptr [esp+CB8]
mov     dword ptr [esp+40], eax
mov     eax, dword ptr [esp+CBC]
mov     dword ptr [esp+54], ecx
mov     ecx, dword ptr [esp+CCC]
mov     dword ptr [esp+48], edx
mov     edx, dword ptr [esp+CC4]
mov     dword ptr [esp+50], eax
mov     eax, dword ptr [esp+CC8]
mov     dword ptr [esp+60], ecx
mov     ecx, dword ptr [esp+CD8]
mov     dword ptr [esp+58], edx
mov     edx, dword ptr [esp+CD0]
mov     dword ptr [esp+5C], eax
mov     eax, dword ptr [esp+CD4]
mov     dword ptr [esp+24], ecx
lea     ecx, dword ptr [esp+1C]
mov     dword ptr [esp+1C], edx          ;最后20個字節(jié)
mov     edx, dword ptr [esp+CDC]
mov     dword ptr [esp+20], eax
mov     eax, dword ptr [esp+CE0]
push    ecx
mov     ecx, ebx
mov     byte ptr [esp+50], 0
mov     byte ptr [esp+68], 0
mov     dword ptr [esp+2C], edx
mov     dword ptr [esp+30], eax
mov     byte ptr [esp+34], 0
call    0042BD60
lea     edx, dword ptr [esp+38]           前20個字節(jié)
push    edx
mov     ecx, ebx
mov     byte ptr [ebx+49B160], al
mov     byte ptr [ebx+49B161], ah
call    0042BD60
mov     word ptr [ebx+49B162], ax
lea     eax, dword ptr [esp+50]
push    eax
mov     ecx, ebx
call    0042BD60
mov     word ptr [ebx+49B164], ax

提取掩碼的函數(shù) 0042BD60
push    ebx
push    esi
mov     esi, dword ptr [esp+C] esi = arg1    ;消息體
mov     eax, esi                eax = arg1
xor     ebx, ebx                ebx = 0
lea     edx, dword ptr [eax+1] edx = arg+1 ，從第二個字節(jié)開始
lea     ecx, dword ptr [ecx]
L007:
mov     cl, byte ptr [eax]
inc     eax
test    cl, cl
jnz L007
sub     eax, edx
cmp     eax, 14               檢查參數(shù)長度是否是20
jnb L018
pop     esi
xor     ax, ax
pop     ebx
retn    4
L018:
mov     eax, 2                ;eax =2
lea     edx, dword ptr [esi+1] ;edx指向第二個字節(jié) edx = 1
push    edi
L022:
mov     cl, byte ptr [edx-1]   ;cl = arg[edx-1]
movzx   esi, byte ptr [edx+8] ;esi = ((long)(arg[edx+8]))
movzx   ecx, cl                ;ecx = ((long)cl)
add     esi, ecx               ;esi = esi+ecx
movzx   ecx, byte ptr [edx]    ;ecx = (long)arg[edx]
cmp     ecx, esi               ;if(ecx < esi) 跳轉(zhuǎn)到 L033
jl L033
lea     ecx, dword ptr [eax-2] ; ecx = eax-2
mov     edi, 8000              ; edi = 0x8000
sar     edi, cl                ; edi = edi >> cl
or      ebx, edi               ; ebx = ebx | edi
L033:
movzx   ecx, byte ptr [edx+1] ;ecx = (long)arg[edx+1]
cmp     ecx, esi                ;if(ecx<esi) 跳轉(zhuǎn)到 L040
jl L040
lea     ecx, dword ptr [eax-1] ;ecx = eax-2
mov     edi, 8000              ;edi = 0x8000
sar     edi, cl                ;edi = edi >> arg[eax-1]
or      ebx, edi               ;ebx = ebx | edi
L040:
movzx   ecx, byte ptr [edx+2] ;ecx = (long)arg[edx+2]
cmp     ecx, esi               ;if(ecx < esi) 跳轉(zhuǎn)到 L047
jl L047
mov     edi, 8000              ;edi = 0x8000
mov     ecx, eax               ;ecx = eax
sar     edi, cl                ;edi = edi >> cl
or      ebx, edi               ;ebx = ebx | edi
L047:
movzx   ecx, byte ptr [edx+3] ;ecx = (long)arg[edx+3]
cmp     ecx, esi               ; if(ecx < esi) 跳轉(zhuǎn)到 L054
jl L054
lea     ecx, dword ptr [eax+1] ;ecx = eax+1
mov     edi, 8000              ;edi = 0x8000
sar     edi, cl                ;edi = edi >> cl
or      ebx, edi               ;ebx = ebx | edi
L054:
movzx   ecx, byte ptr [edx+4] ;ecx = (long)arg[edx+4]
cmp     ecx, esi               ; if(ecx < esi) 跳轉(zhuǎn)到 L061
jl L061
lea     ecx, dword ptr [eax+2] ;ecx = eax+2
mov     edi, 8000              ;edi = 0x8000
sar     edi, cl                ;edi = edi >> cl
or      ebx, edi               ;ebx = ebx | edi
L061:
movzx   ecx, byte ptr [edx+5]   ;ecx = (long)arg[edx+5]
cmp     ecx, esi                 ; if(ecx < esi) 跳轉(zhuǎn)到 L068
jl L068
lea     ecx, dword ptr [eax+3] ;ecx = eax+3
mov     edi, 8000              ;edi = 0x8000
sar     edi, cl                ;edi = edi >> cl
or      ebx, edi               ;ebx = ebx | edi
L068:
movzx   ecx, byte ptr [edx+6] ;ecx = (long)arg[edx+6]
cmp     ecx, esi               ; if(ecx < esi) 跳轉(zhuǎn)到 L075
jl L075
lea     ecx, dword ptr [eax+4] ;ecx = eax+4
mov     edi, 8000              ;edi = 0x8000
sar     edi, cl                ;edi = edi >> cl
or      ebx, edi               ;ebx = ebx | edi
L075:
movzx   ecx, byte ptr [edx+7]   ;ecx = (long)arg[edx+7]
cmp     ecx, esi               ; if(ecx < esi) 跳轉(zhuǎn)到 L082
jl L082
lea     ecx, dword ptr [eax+5] ;ecx = eax+5
mov     esi, 8000              ;edi = 0x8000
sar     esi, cl                ;edi = edi >> cl
or      ebx, esi               ;ebx = ebx | edi
L082:
add     eax, 8              ;eax = eax+8
add     edx, 0A             ;edx = edx+0x0A
cmp     eax, 0A             ;if(eax <= 0X0A) 跳轉(zhuǎn)到 L022
jle L022
movzx   edx, bl             ;edx = (long)bl   低8位0擴展
movzx   eax, bh             ;eax = (long)bh   高8位0擴展
pop     edi                 ;
xor     edx, 87             ;edx = edx ^ 0x87
xor     eax, 87             ;eax = eax ^ 0x87
shl     edx, 8              ;edx << 8
pop     esi
or      eax, edx            ;eax = eax | edx
pop     ebx
retn    4

至此，消息的加解密部分已經(jīng)全部還原

posted on 2008-06-07 16:06 Phrancol Yang 閱讀(586) 評論(0) 編輯收藏所屬分類: 反匯編

留言簿(16)

隨筆分類

隨筆檔案

文章分類

文章檔案

test

搜索

最新評論


只有注冊用戶登錄后才能發(fā)表評論。




網(wǎng)站導(dǎo)航: 博客園 IT新聞 Chat2DB C++博客博問管理
相關(guān)文章: [原]MIR3G反匯編分析（一）——命令體二次解密 [原]MIR3G二次加解密反匯編分析（四）——還原 [原]MIR3G二次加解密反匯編分析（三）——跟蹤 [原]MIR3G二次加解密反匯編分析（二）——分析 [原]MIR3G二次加解密反匯編分析（一）——初探