在浙江上大学的同学们肯定都对闪讯恨之入骨吧,在学校里上网只能用闪讯,这么贵,还不允许路由,正好响应超版狼大人的号召,来发篇原创,无奈本人技术太菜。。请大牛勿笑。。
在这里先给自己的blog打个小广告。希望杭电的同学看到以后能请我吃个饭
http://www.kkmonster.com/(李醒涵)
直接拿出客户端看看
先看看PE结构,结果悲剧了,用VMP处理过的,我也懒得直接去看了,VMP我搞不定呀!!
平时用闪讯的时候会注意到,当触发密码编辑框的killfocus消息时,输入的密码会被加密,长度变了14位的一个字符串
OD加载之,搞不定壳,直接F9跑起来。。。分析之
代码:
0041302053pushebx 0041302156pushesi 0041302257pushedi 004130238B7C24 10 mov edi, dword ptr [esp+10] 004130278BF1mov esi, ecx 0041302957pushedi 0041302AE8 11E1FEFF call00401140 0041302F8D86 E4250000 lea eax, dword ptr [esi+25E4] 0041303550pusheax 0041303668 17040000 push417 0041303B57pushedi 0041303CE8 73590200 call004389B4 004130418D8E B8260000 lea ecx, dword ptr [esi+26B8] 0041304751pushecx 0041304868 16040000 push416 0041304D57pushedi 0041304EE8 61590200 call004389B4 004130538D96 30270000 lea edx, dword ptr [esi+2730] 0041305952pushedx 0041305A68 15040000 push415 0041305F57pushedi 00413060E8 4F590200 call004389B4 004130658D86 A8270000 lea eax, dword ptr [esi+27A8] 0041306B50pusheax 0041306C68 14040000 push414 0041307157pushedi 00413072E8 3D590200 call004389B4 004130778D8E 20280000 lea ecx, dword ptr [esi+2820] 0041307D51pushecx 0041307E68 11040000 push411 0041308357pushedi 00413084E8 2B590200 call004389B4 004130898D96 60280000 lea edx, dword ptr [esi+2860] 0041308F52pushedx 0041309068 0E040000 push40E 0041309557pushedi 00413096E8 19590200 call004389B4 0041309B8D86 14290000 lea eax, dword ptr [esi+2914] 004130A150pusheax 004130A268 F2030000 push3F2 004130A757pushedi 004130A8E8 07590200 call004389B4 004130AD8D8E 8C290000 lea ecx, dword ptr [esi+298C] 004130B351pushecx 004130B468 03040000 push403 004130B957pushedi 004130BAE8 F5580200 call004389B4 004130BF8D9E CC290000 lea ebx, dword ptr [esi+29CC] 004130C553pushebx 004130C668 F1030000 push3F1 004130CB57pushedi 004130CCE8 875A0200 call00438B58 ; 获取密码框内容 004130D16A 1E push1E 004130D353pushebx 004130D457pushedi 004130D5E8 785A0200 call00438B52 004130DA8D96 D0290000 lea edx, dword ptr [esi+29D0] 004130E052pushedx 004130E168 F5030000 push3F5 004130E657pushedi 004130E7E8 605A0200 call00438B4C 004130EC8D86 D4290000 lea eax, dword ptr [esi+29D4] 004130F250pusheax 004130F368 F9030000 push3F9 004130F857pushedi 004130F9E8 5A5A0200 call00438B58 004130FE8D8E D8290000 lea ecx, dword ptr [esi+29D8] 0041310451pushecx 0041310568 0D040000 push40D 0041310A57pushedi 0041310BE8 3C5A0200 call00438B4C 0041311081C6 DC290000 add esi, 29DC 0041311656pushesi 0041311768 12040000 push412 0041311C57pushedi 0041311DE8 365A0200 call00438B58 004131225Fpop edi 004131235Epop esi 004131245Bpop ebx 00413125C2 0400 retn4
看看寄存器里的数据:
EAX 010633E8 ASCII "xinlianxiaohui"
ECX 0012F070
EDX 00000030
EBX 0012F070
ESP 0012B528
EBP 0012B540
ESI 004D2964 NetKeepe.004D2964
EDI 0012F070
EIP 75A370ED USER32.GetWindowTextA
从编辑框里获取到的字符串是xinlianxiaohui,其实到后来我发现这个是骗人的。。不管密码是什么编辑框里的串永远是这个
本来想看看下边的加密算法,进了call后发现全用vmp变形过了,悲剧了,先来看看他把帐号密码保存在哪里吧,监视注册表,发现程序对注册表没有操作,那应该是在文件里了,对CreateFile下断,中断4次后注意堆栈
代码:
0012AE18 75CF0BC7 /CALL 到 CreateFileW 来自 kernel32.75CF0BC2 0012AE1C 002A6FA8 |FileName = "C:\ChinaNetSn\bin\ams.nkd" 0012AE20 80000000 |Access = GENERIC_READ 0012AE24 00000000 |ShareMode = 0 0012AE28 0012AEA0 |pSecurity = 0012AEA0 0012AE2C 00000003 |Mode = OPEN_EXISTING 0012AE30 00000080 |Attributes = NORMAL 0012AE34 00000000 \hTemplateFile = NULL
继续看了半天,没有用到其它文件,除了这个和闪讯有点关系以外还有一个Credit文件,别的都是无关痛痒的,我感觉本地的密码应该保存在在这个ams.nkd文件里吧,于是再对WriteFile下断,登录一下,试试,结果登录出现异常,而且WriteFile也没调用,后来证明是被hook掉了
试着用PhantOm把OD给隐藏掉,结果OD遇到特权指令给卡死了,然后OD进程被隐藏了,想关都关不掉,妈的,一个拨号软件放这么多保护要死呀!
悲剧地重启一下机器,仔细想想,决定不看程序了,从文件入手吧!
试着把Credit文件给删了,然后运行OD后发现帐号列表成空了,猜想一下,大概应该就在这个文件里了!
打开文件看看,一堆乱码,晕,加密了还!
重新载入OD,对CreateFile下条件断byte ptr [esp+ 4] == ‘C’运行之,看中段时的堆栈
代码:
0012B0DC 75CF0BC7 /CALL 到 CreateFileW 来自 kernel32.75CF0BC2 0012B0E0 001C67E0 |FileName = "Credit" 0012B0E4 80000000 |Access = GENERIC_READ 0012B0E8 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE 0012B0EC 00000000 |pSecurity = NULL 0012B0F0 00000003 |Mode = OPEN_EXISTING 0012B0F4 00000080 |Attributes = NORMAL 0012B0F8 00000000 \hTemplateFile = NULL
代码:
0012B0F8 75CEDAFD /CALL 到 ReadFile 来自 kernel32.75CEDAF8 0012B0FC 00000154 |hFile = 00000154 (window) 0012B100 0012D5F4 |Buffer = 0012D5F4 0012B104 0000168C |BytesToRead = 168C (5772.) 0012B108 0012B164 |pBytesRead = 0012B164 0012B10C 00000000 \pOverlapped = NULL
代码:
00414CCC /0F84 29010000 je 00414DFB 00414CD2 |68 949E4500 push 00459E94 ; ASCII "EncodeCredit,encode",LF 00414CD7 |E8 5450FFFF call 00409D30
这里一个je,直接跳走了,来到这里:
代码:
00414DFB 68 7C9E4500 push 00459E7C ; ASCII "EncodeCredit,decode",LF 00414E00 E8 2B4FFFFF call 00409D30
代码:
00414E05 8B6C24 18 mov ebp, dword ptr [esp+18] ; 获取缓冲区头 00414E09 83C4 04 add esp, 4 ; 抬高栈顶 00414E0C 897424 18 mov dword ptr [esp+18], esi 00414E10 8B45 00 mov eax, dword ptr [ebp] ; 获取第一位 00414E13 40 inc eax ; 加1 00414E14 85C0 test eax, eax ; 是0?(判断是不是空文件) 00414E16 0F8E C5000000 jle 00414EE1 ; 空刚跳走 00414E1C 8D75 50 lea esi, dword ptr [ebp+50] ; 取第50位的地址 00414E1F 8D4E E0 lea ecx, dword ptr [esi-20] ; 第30位的指针
代码:
00414E22 6A 20 push 20 00414E24 51 push ecx 00414E25 E8 B6CBFFFF call 004119E0 00414E2A 6A 20 push 20 00414E2C 56 push esi 00414E2D E8 AECBFFFF call 004119E0 00414E32 8D56 20 lea edx, dword ptr [esi+20] 00414E35 6A 10 push 10 00414E37 52 push edx 00414E38 E8 A3CBFFFF call 004119E0 00414E3D 8D46 30 lea eax, dword ptr [esi+30] 00414E40 6A 10 push 10 00414E42 50 push eax 00414E43 E8 98CBFFFF call 004119E0 00414E48 8D4E B8 lea ecx, dword ptr [esi-48] 00414E4B 6A 28 push 28 00414E4D 51 push ecx 00414E4E E8 8DCBFFFF call 004119E0
不多废话,进去看看:
代码:
004119E0 56 push esi 004119E1 6A 01 push 1 004119E3 68 309B4500 push 00459B30 ; ASCII "xinlides" 004119E8 E8 9310FFFF call 00402A80 004119ED 8B4424 14 mov eax, dword ptr [esp+14] 004119F1 8B7424 10 mov esi, dword ptr [esp+10] 004119F5 83C4 08 add esp, 8 004119F8 85C0 test eax, eax 004119FA 7E 18 jle short 00411A14 004119FC 57 push edi 004119FD 8D78 07 lea edi, dword ptr [eax+7] 00411A00 C1EF 03 shr edi, 3 00411A03 56 push esi 00411A04 56 push esi 00411A05 E8 7612FFFF call 00402C80 00411A0A 83C4 08 add esp, 8 00411A0D 83C6 08 add esi, 8 00411A10 4F dec edi 00411A11 ^ 75 F0 jnz short 00411A03
总结一下解密算法,来模拟一下解密,
它以8位为一组来进行解密,每8位的解密过程按照我的思路来大概还原一下:
代码:
00402D30 8B4C24 04 mov ecx, dword ptr [esp+4] 00402D34 8B4424 08 mov eax, dword ptr [esp+8] ; 8位的首地址 00402D38 8B11 mov edx, dword ptr [ecx] ; 获取一个双字到edx 00402D3A 83C1 04 add ecx, 4 ; 修改指针指向下一个双字 00402D3D C1EA 18 shr edx, 18 ; 右移18位 00402D40 8810 mov byte ptr [eax], dl ; 取一个字节为解密的第一位 00402D42 8B51 FC mov edx, dword ptr [ecx-4] ; 取上一个双字 00402D45 40 inc eax ; 8位的第2位 00402D46 C1EA 10 shr edx, 10 ; 右移10位 00402D49 8810 mov byte ptr [eax], dl ; 取一个字节为解密的第2位 00402D4B 8B51 FC mov edx, dword ptr [ecx-4] ; 取上一个双字 00402D4E 40 inc eax ; 8位的第3位 00402D4F C1EA 08 shr edx, 8 ; 右移8位 00402D52 8810 mov byte ptr [eax], dl ; 取一个字节为解密的第3位 00402D54 8A51 FC mov dl, byte ptr [ecx-4] ; 取一个字节 00402D57 40 inc eax ; 8位的第4位 00402D58 8810 mov byte ptr [eax], dl ; 为解密的第4位 00402D5A 8B11 mov edx, dword ptr [ecx] ; 取一个双字 00402D5C 40 inc eax ; 8位的第5位 00402D5D C1EA 18 shr edx, 18 ; 右移18位 00402D60 8810 mov byte ptr [eax], dl ; 取一个字节为解密的第5位 00402D62 8B11 mov edx, dword ptr [ecx] ; 取一个双字 00402D64 40 inc eax ; 8位的第6位 00402D65 C1EA 10 shr edx, 10 ; 右移10位 00402D68 8810 mov byte ptr [eax], dl ; 取一个字节为解密的第6位 00402D6A 8B11 mov edx, dword ptr [ecx] ; 取一个双字 00402D6C 40 inc eax ; 8位的第7位 00402D6D C1EA 08 shr edx, 8 ; 右移8位 00402D70 8810 mov byte ptr [eax], dl ; 取一个字节为解密的第7位 00402D72 8A09 mov cl, byte ptr [ecx] ; 取一个字节 00402D74 8848 01 mov byte ptr [eax+1], cl ; 作为解密的第8位
代码:
00402CC0 8B4C24 04 mov ecx, dword ptr [esp+4] 00402CC4 33C0 xor eax, eax 00402CC6 56 push esi 00402CC7 8A01 mov al, byte ptr [ecx] 00402CC9 8BD0 mov edx, eax 00402CCB 8B4424 0C mov eax, dword ptr [esp+C] 00402CCF C1E2 18 shl edx, 18 00402CD2 8910 mov dword ptr [eax], edx 00402CD4 8B30 mov esi, dword ptr [eax] 00402CD6 41 inc ecx 00402CD7 33D2 xor edx, edx 00402CD9 83C0 04 add eax, 4 00402CDC 8A11 mov dl, byte ptr [ecx] 00402CDE C1E2 10 shl edx, 10 00402CE1 0BF2 or esi, edx 00402CE3 41 inc ecx 00402CE4 33D2 xor edx, edx 00402CE6 8970 FC mov dword ptr [eax-4], esi 00402CE9 8A31 mov dh, byte ptr [ecx] 00402CEB 0BF2 or esi, edx 00402CED 41 inc ecx 00402CEE 33D2 xor edx, edx 00402CF0 8970 FC mov dword ptr [eax-4], esi 00402CF3 8A11 mov dl, byte ptr [ecx] 00402CF5 0BF2 or esi, edx 00402CF7 41 inc ecx 00402CF8 33D2 xor edx, edx 00402CFA 8970 FC mov dword ptr [eax-4], esi 00402CFD 8A11 mov dl, byte ptr [ecx] 00402CFF C1E2 18 shl edx, 18 00402D02 8910 mov dword ptr [eax], edx 00402D04 8B30 mov esi, dword ptr [eax] 00402D06 41 inc ecx 00402D07 33D2 xor edx, edx 00402D09 8A11 mov dl, byte ptr [ecx] 00402D0B C1E2 10 shl edx, 10 00402D0E 0BF2 or esi, edx 00402D10 41 inc ecx 00402D11 33D2 xor edx, edx 00402D13 8930 mov dword ptr [eax], esi 00402D15 8A31 mov dh, byte ptr [ecx] 00402D17 0BF2 or esi, edx 00402D19 33D2 xor edx, edx 00402D1B 8930 mov dword ptr [eax], esi 00402D1D 8A51 01 mov dl, byte ptr [ecx+1] 00402D20 0BD6 or edx, esi 00402D22 5E pop esi 00402D23 8910 mov dword ptr [eax], edx 00402D25 C3 retn
代码:
00402D80 51 push ecx 00402D81 8B4C24 08 mov ecx, dword ptr [esp+8] 00402D85 53 push ebx 00402D86 55 push ebp 00402D87 56 push esi 00402D88 8B01 mov eax, dword ptr [ecx] 00402D8A 8B51 04 mov edx, dword ptr [ecx+4] 00402D8D 8BC8 mov ecx, eax 00402D8F 8BF2 mov esi, edx 00402D91 C1E9 04 shr ecx, 4 00402D94 81E1 0F0F0F>and ecx, 0F0F0F0F 00402D9A 81E6 0F0F0F>and esi, 0F0F0F0F 00402DA0 33CE xor ecx, esi 00402DA2 57 push edi 00402DA3 33D1 xor edx, ecx 00402DA5 C74424 10 0>mov dword ptr [esp+10], 8 00402DAD C1E1 04 shl ecx, 4 00402DB0 33C1 xor eax, ecx 00402DB2 8BF2 mov esi, edx 00402DB4 8BC8 mov ecx, eax 00402DB6 81E6 FFFF00>and esi, 0FFFF 00402DBC C1E9 10 shr ecx, 10 00402DBF 33CE xor ecx, esi 00402DC1 33D1 xor edx, ecx 00402DC3 C1E1 10 shl ecx, 10 00402DC6 33C1 xor eax, ecx 00402DC8 8BCA mov ecx, edx 00402DCA C1E9 02 shr ecx, 2 00402DCD 8BF0 mov esi, eax 00402DCF 81E1 333333>and ecx, 33333333 00402DD5 81E6 333333>and esi, 33333333 00402DDB 33CE xor ecx, esi 00402DDD 33C1 xor eax, ecx 00402DDF C1E1 02 shl ecx, 2 00402DE2 33D1 xor edx, ecx 00402DE4 8BF0 mov esi, eax 00402DE6 8BCA mov ecx, edx 00402DE8 81E6 FF00FF>and esi, 0FF00FF 00402DEE C1E9 08 shr ecx, 8 00402DF1 81E1 FF00FF>and ecx, 0FF00FF 00402DF7 33CE xor ecx, esi 00402DF9 8B7424 1C mov esi, dword ptr [esp+1C] 00402DFD 33C1 xor eax, ecx 00402DFF C1E1 08 shl ecx, 8 00402E02 33D1 xor edx, ecx 00402E04 8BCA mov ecx, edx 00402E06 03D2 add edx, edx 00402E08 C1E9 1F shr ecx, 1F 00402E0B 0BCA or ecx, edx 00402E0D 8BD1 mov edx, ecx 00402E0F 33D0 xor edx, eax 00402E11 81E2 AAAAAA>and edx, AAAAAAAA 00402E17 33C2 xor eax, edx 00402E19 33CA xor ecx, edx 00402E1B 8BD0 mov edx, eax 00402E1D 03C0 add eax, eax 00402E1F C1EA 1F shr edx, 1F 00402E22 0BD0 or edx, eax 00402E24 8B1E mov ebx, dword ptr [esi] 00402E26 8BC1 mov eax, ecx 00402E28 8BF9 mov edi, ecx 00402E2A 83C6 04 add esi, 4 00402E2D C1E0 1C shl eax, 1C 00402E30 C1EF 04 shr edi, 4 00402E33 0BC7 or eax, edi 00402E35 83C6 04 add esi, 4 00402E38 33C3 xor eax, ebx 00402E3A 83C6 04 add esi, 4 00402E3D 8BD8 mov ebx, eax 00402E3F 8BF8 mov edi, eax 00402E41 C1EB 10 shr ebx, 10 00402E44 83E3 3F and ebx, 3F 00402E47 83C6 04 add esi, 4 00402E4A C1EF 18 shr edi, 18 00402E4D 8B2C9D E483>mov ebp, dword ptr [ebx*4+4583E4] 00402E54 8BD8 mov ebx, eax 00402E56 83E7 3F and edi, 3F 00402E59 83E0 3F and eax, 3F 00402E5C C1EB 08 shr ebx, 8 00402E5F 8B3CBD E481>mov edi, dword ptr [edi*4+4581E4] 00402E66 83E3 3F and ebx, 3F 00402E69 0BFD or edi, ebp 00402E6B 8B2C9D E485>mov ebp, dword ptr [ebx*4+4585E4] 00402E72 8B1C85 E487>mov ebx, dword ptr [eax*4+4587E4] 00402E79 8B46 F4 mov eax, dword ptr [esi-C] 00402E7C 0BFD or edi, ebp 00402E7E 33C1 xor eax, ecx 00402E80 0BFB or edi, ebx 00402E82 8BD8 mov ebx, eax 00402E84 8BE8 mov ebp, eax 00402E86 C1EB 18 shr ebx, 18 00402E89 83E3 3F and ebx, 3F 00402E8C C1ED 10 shr ebp, 10 00402E8F 8B1C9D E482>mov ebx, dword ptr [ebx*4+4582E4] 00402E96 83E5 3F and ebp, 3F 00402E99 0B1CAD E484>or ebx, dword ptr [ebp*4+4584E4] 00402EA0 8BE8 mov ebp, eax 00402EA2 C1ED 08 shr ebp, 8 00402EA5 83E5 3F and ebp, 3F 00402EA8 83E0 3F and eax, 3F 00402EAB 0B1CAD E486>or ebx, dword ptr [ebp*4+4586E4] 00402EB2 8B2C85 E488>mov ebp, dword ptr [eax*4+4588E4] 00402EB9 0BDD or ebx, ebp 00402EBB 0BDF or ebx, edi 00402EBD 33D3 xor edx, ebx 00402EBF 8B5E F8 mov ebx, dword ptr [esi-8] 00402EC2 8BC2 mov eax, edx 00402EC4 8BFA mov edi, edx 00402EC6 C1E0 1C shl eax, 1C 00402EC9 C1EF 04 shr edi, 4 00402ECC 0BC7 or eax, edi 00402ECE 33C3 xor eax, ebx 00402ED0 8BD8 mov ebx, eax 00402ED2 8BF8 mov edi, eax 00402ED4 C1EB 10 shr ebx, 10 00402ED7 83E3 3F and ebx, 3F 00402EDA C1EF 18 shr edi, 18 00402EDD 8B2C9D E483>mov ebp, dword ptr [ebx*4+4583E4] 00402EE4 8BD8 mov ebx, eax 00402EE6 83E7 3F and edi, 3F 00402EE9 83E0 3F and eax, 3F 00402EEC C1EB 08 shr ebx, 8 00402EEF 8B3CBD E481>mov edi, dword ptr [edi*4+4581E4] 00402EF6 83E3 3F and ebx, 3F 00402EF9 0BFD or edi, ebp 00402EFB 8B2C9D E485>mov ebp, dword ptr [ebx*4+4585E4] 00402F02 8B1C85 E487>mov ebx, dword ptr [eax*4+4587E4] 00402F09 8B46 FC mov eax, dword ptr [esi-4] 00402F0C 0BFD or edi, ebp 00402F0E 33C2 xor eax, edx 00402F10 0BFB or edi, ebx 00402F12 8BD8 mov ebx, eax 00402F14 8BE8 mov ebp, eax 00402F16 C1EB 18 shr ebx, 18 00402F19 83E3 3F and ebx, 3F 00402F1C C1ED 10 shr ebp, 10 00402F1F 8B1C9D E482>mov ebx, dword ptr [ebx*4+4582E4] 00402F26 83E5 3F and ebp, 3F 00402F29 0B1CAD E484>or ebx, dword ptr [ebp*4+4584E4] 00402F30 8BE8 mov ebp, eax 00402F32 83E0 3F and eax, 3F 00402F35 C1ED 08 shr ebp, 8 00402F38 83E5 3F and ebp, 3F 00402F3B 0B1CAD E486>or ebx, dword ptr [ebp*4+4586E4] 00402F42 8B2C85 E488>mov ebp, dword ptr [eax*4+4588E4] 00402F49 8B4424 10 mov eax, dword ptr [esp+10] 00402F4D 0BDD or ebx, ebp 00402F4F 0BDF or ebx, edi 00402F51 33CB xor ecx, ebx 00402F53 48 dec eax 00402F54 894424 10 mov dword ptr [esp+10], eax 00402F58 ^ 0F85 C6FEFF>jnz 00402E24 00402F5E 8BC1 mov eax, ecx 00402F60 5F pop edi 00402F61 C1E0 1F shl eax, 1F 00402F64 D1E9 shr ecx, 1 00402F66 0BC1 or eax, ecx 00402F68 8BC8 mov ecx, eax 00402F6A 33CA xor ecx, edx 00402F6C 81E1 AAAAAA>and ecx, AAAAAAAA 00402F72 33D1 xor edx, ecx 00402F74 33C1 xor eax, ecx 00402F76 8BCA mov ecx, edx 00402F78 8BF0 mov esi, eax 00402F7A C1E1 1F shl ecx, 1F 00402F7D D1EA shr edx, 1 00402F7F 0BCA or ecx, edx 00402F81 81E6 FF00FF>and esi, 0FF00FF 00402F87 8BD1 mov edx, ecx 00402F89 C1EA 08 shr edx, 8 00402F8C 81E2 FF00FF>and edx, 0FF00FF 00402F92 33D6 xor edx, esi 00402F94 33C2 xor eax, edx 00402F96 C1E2 08 shl edx, 8 00402F99 33CA xor ecx, edx 00402F9B 8BF0 mov esi, eax 00402F9D 8BD1 mov edx, ecx 00402F9F 81E6 333333>and esi, 33333333 00402FA5 C1EA 02 shr edx, 2 00402FA8 81E2 333333>and edx, 33333333 00402FAE 33D6 xor edx, esi 00402FB0 33C2 xor eax, edx 00402FB2 C1E2 02 shl edx, 2 00402FB5 33CA xor ecx, edx 00402FB7 8BD0 mov edx, eax 00402FB9 8BF1 mov esi, ecx 00402FBB C1EA 10 shr edx, 10 00402FBE 81E6 FFFF00>and esi, 0FFFF 00402FC4 33D6 xor edx, esi 00402FC6 33CA xor ecx, edx 00402FC8 C1E2 10 shl edx, 10 00402FCB 33C2 xor eax, edx 00402FCD 8BF1 mov esi, ecx 00402FCF 8BD0 mov edx, eax 00402FD1 81E6 0F0F0F>and esi, 0F0F0F0F 00402FD7 C1EA 04 shr edx, 4 00402FDA 81E2 0F0F0F>and edx, 0F0F0F0F 00402FE0 33D6 xor edx, esi 00402FE2 8BF2 mov esi, edx 00402FE4 C1E6 04 shl esi, 4 00402FE7 33F0 xor esi, eax 00402FE9 8B4424 14 mov eax, dword ptr [esp+14] 00402FED 33D1 xor edx, ecx 00402FEF 8930 mov dword ptr [eax], esi 00402FF1 5E pop esi 00402FF2 5D pop ebp 00402FF3 8950 04 mov dword ptr [eax+4], edx 00402FF6 5B pop ebx 00402FF7 59 pop ecx
简单的做个马了,盗点闪讯号来自己用用。
不过这个也不值钱。。具体的解密代码发出来大家一起娱乐
代码:
char* readdir();
char* readfile();
void encode(char *buffer, int len);
char* encode1(char *buffer);
void encode2(char *buffer, char *key);
void encode3(char *buffer);
void rev(char *p);
char pass[] =
{
0x1E, 0x30, 0x38, 0x3C, 0x1A, 0x09, 0x26, 0x0B, 0x19, 0x10, 0x3A, 0x3C, 0x1A, 0x38, 0x26, 0x0B,
0x21, 0x3D, 0x3A, 0x34, 0x11, 0x0C, 0x2E, 0x1A, 0x2F, 0x03, 0x32, 0x36, 0x22, 0x02, 0x2D, 0x1A,
0x14, 0x29, 0x36, 0x16, 0x26, 0x25, 0x2D, 0x32, 0x00, 0x0E, 0x36, 0x07, 0x0B, 0x2B, 0x0D, 0x36,
0x1B, 0x18, 0x27, 0x07, 0x09, 0x16, 0x1D, 0x36, 0x02, 0x37, 0x27, 0x07, 0x14, 0x0A, 0x19, 0x35,
0x07, 0x15, 0x27, 0x0F, 0x14, 0x01, 0x19, 0x35, 0x28, 0x05, 0x0F, 0x0B, 0x0E, 0x34, 0x1B, 0x35,
0x0C, 0x3A, 0x0D, 0x2B, 0x33, 0x10, 0x1B, 0x3D, 0x32, 0x28, 0x0D, 0x3B, 0x10, 0x33, 0x33, 0x2D,
0x24, 0x00, 0x1D, 0x39, 0x3D, 0x0E, 0x32, 0x2D, 0x23, 0x16, 0x19, 0x39, 0x20, 0x25, 0x36, 0x0F,
0x18, 0x07, 0x39, 0x38, 0x2D, 0x11, 0x36, 0x0B, 0x14, 0x27, 0x39, 0x3C, 0x08, 0x1B, 0x26, 0x0B
};
char key1[] =
{
0x00, 0x04, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x04, 0x01, 0x01,
0x04, 0x00, 0x01, 0x01, 0x04, 0x04, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x01, 0x01, 0x04, 0x04, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00,
0x04, 0x04, 0x00, 0x01, 0x04, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00,
0x04, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x04, 0x01, 0x00,
0x00, 0x04, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x04, 0x04, 0x00, 0x01,
0x04, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x01, 0x04, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x04, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x01, 0x00, 0x04, 0x04, 0x01, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01,
0x00, 0x04, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00,
0x04, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x04, 0x01, 0x00, 0x04, 0x00, 0x00, 0x01,
0x00, 0x04, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x01, 0x04, 0x04, 0x01, 0x00,
0x04, 0x04, 0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x04, 0x04, 0x00, 0x01,
0x04, 0x00, 0x00, 0x01, 0x04, 0x04, 0x00, 0x00, 0x04, 0x04, 0x01, 0x00, 0x00, 0x04, 0x01, 0x01,
0x04, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x04, 0x00, 0x01, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x01
};
char key2[] =
{
0x20, 0x80, 0x10, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x20, 0x80, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x10, 0x80, 0x20, 0x80, 0x00, 0x80,
0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x10, 0x80, 0x00, 0x80, 0x10, 0x80, 0x00, 0x00, 0x00, 0x80,
0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x10, 0x80,
0x00, 0x80, 0x10, 0x00, 0x20, 0x00, 0x10, 0x00, 0x20, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x20, 0x80, 0x10, 0x00, 0x00, 0x00, 0x10, 0x80,
0x20, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x10, 0x00,
0x20, 0x80, 0x00, 0x00, 0x00, 0x80, 0x10, 0x80, 0x00, 0x00, 0x10, 0x80, 0x20, 0x80, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x10, 0x00, 0x20, 0x00, 0x10, 0x80, 0x00, 0x00, 0x10, 0x00,
0x20, 0x80, 0x00, 0x80, 0x00, 0x00, 0x10, 0x80, 0x00, 0x80, 0x10, 0x80, 0x00, 0x80, 0x00, 0x00,
0x00, 0x00, 0x10, 0x80, 0x00, 0x80, 0x00, 0x80, 0x20, 0x00, 0x00, 0x00, 0x20, 0x80, 0x10, 0x80,
0x20, 0x80, 0x10, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
0x20, 0x80, 0x00, 0x00, 0x00, 0x80, 0x10, 0x80, 0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x00, 0x80,
0x20, 0x00, 0x10, 0x00, 0x20, 0x80, 0x00, 0x80, 0x20, 0x00, 0x00, 0x80, 0x20, 0x00, 0x10, 0x00,
0x00, 0x80, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x20, 0x80, 0x00, 0x00,
0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x10, 0x80, 0x20, 0x80, 0x10, 0x80, 0x00, 0x80, 0x10, 0x00
};
char key3[] =
{
0x08, 0x02, 0x00, 0x00, 0x00, 0x02, 0x02, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x08,
0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x02, 0x02, 0x00, 0x00, 0x02, 0x00, 0x08,
0x08, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00,
0x08, 0x02, 0x02, 0x08, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x08, 0x08, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x00,
0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x02, 0x08, 0x08, 0x00, 0x02, 0x08, 0x08, 0x02, 0x02, 0x00,
0x08, 0x02, 0x00, 0x08, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x02, 0x00, 0x08,
0x08, 0x00, 0x00, 0x00, 0x08, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
0x00, 0x02, 0x02, 0x08, 0x00, 0x00, 0x00, 0x08, 0x08, 0x00, 0x02, 0x00, 0x08, 0x02, 0x00, 0x00,
0x00, 0x00, 0x02, 0x00, 0x00, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x08, 0x02, 0x02, 0x08, 0x00, 0x02, 0x00, 0x08,
0x08, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x08,
0x08, 0x02, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, 0x02, 0x02, 0x08,
0x08, 0x00, 0x00, 0x00, 0x08, 0x02, 0x02, 0x00, 0x00, 0x02, 0x02, 0x00, 0x08, 0x00, 0x00, 0x08,
0x00, 0x00, 0x02, 0x08, 0x08, 0x02, 0x00, 0x08, 0x08, 0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x08,
0x08, 0x02, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x08, 0x00, 0x02, 0x02, 0x00
};
char key4[] =
{
0x01, 0x20, 0x80, 0x00, 0x81, 0x20, 0x00, 0x00, 0x81, 0x20, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x80, 0x20, 0x80, 0x00, 0x81, 0x00, 0x80, 0x00, 0x01, 0x00, 0x80, 0x00, 0x01, 0x20, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x00, 0x00, 0x20, 0x80, 0x00, 0x81, 0x20, 0x80, 0x00,
0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x01, 0x00, 0x80, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x01, 0x20, 0x80, 0x00,
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x01, 0x20, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00,
0x81, 0x00, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00,
0x00, 0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x00, 0x81, 0x20, 0x80, 0x00, 0x81, 0x00, 0x00, 0x00,
0x80, 0x00, 0x80, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00, 0x20, 0x80, 0x00, 0x81, 0x20, 0x80, 0x00,
0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x00,
0x80, 0x20, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x81, 0x00, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x20, 0x80, 0x00, 0x81, 0x20, 0x00, 0x00, 0x81, 0x20, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x81, 0x20, 0x80, 0x00, 0x81, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
0x01, 0x00, 0x80, 0x00, 0x01, 0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x00, 0x81, 0x00, 0x80, 0x00,
0x01, 0x20, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x01, 0x20, 0x80, 0x00,
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x20, 0x00, 0x00, 0x80, 0x20, 0x80, 0x00
};
char key5[] =
{
0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x02, 0x00, 0x00, 0x08, 0x02, 0x00, 0x01, 0x00, 0x42,
0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x08, 0x02,
0x00, 0x01, 0x08, 0x40, 0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x01, 0x08, 0x40,
0x00, 0x01, 0x00, 0x42, 0x00, 0x00, 0x08, 0x42, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0x40,
0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x40, 0x00, 0x00, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x40, 0x00, 0x01, 0x08, 0x42, 0x00, 0x01, 0x08, 0x42, 0x00, 0x01, 0x00, 0x02,
0x00, 0x00, 0x08, 0x42, 0x00, 0x01, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42,
0x00, 0x01, 0x08, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x42, 0x00, 0x01, 0x08, 0x00,
0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x42, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x08, 0x02, 0x00, 0x01, 0x00, 0x42, 0x00, 0x01, 0x08, 0x40,
0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x08, 0x42, 0x00, 0x01, 0x08, 0x02,
0x00, 0x01, 0x08, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x42,
0x00, 0x01, 0x08, 0x42, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x01, 0x08, 0x42,
0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x40, 0x00, 0x00, 0x00, 0x42,
0x00, 0x01, 0x08, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x01, 0x00, 0x40, 0x00, 0x00, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x40, 0x00, 0x01, 0x08, 0x02, 0x00, 0x01, 0x00, 0x40,
};
char key6[] =
{
0x10, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x20, 0x00, 0x40, 0x00, 0x00, 0x10, 0x40, 0x40, 0x20,
0x00, 0x00, 0x40, 0x20, 0x10, 0x00, 0x00, 0x00, 0x10, 0x40, 0x40, 0x20, 0x00, 0x00, 0x40, 0x00,
0x00, 0x40, 0x00, 0x20, 0x10, 0x40, 0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x10, 0x00, 0x00, 0x20,
0x10, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x10, 0x40, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20, 0x00, 0x40, 0x00, 0x00,
0x00, 0x40, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x20,
0x10, 0x00, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x10, 0x40, 0x40, 0x00, 0x00, 0x40, 0x40, 0x20,
0x10, 0x40, 0x00, 0x00, 0x00, 0x40, 0x40, 0x00, 0x00, 0x40, 0x40, 0x20, 0x00, 0x00, 0x00, 0x20,
0x00, 0x40, 0x00, 0x20, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x20, 0x00, 0x40, 0x40, 0x00,
0x10, 0x40, 0x40, 0x20, 0x00, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x20,
0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x10, 0x40, 0x00, 0x00,
0x10, 0x00, 0x00, 0x20, 0x10, 0x40, 0x40, 0x20, 0x00, 0x40, 0x40, 0x00, 0x00, 0x00, 0x40, 0x20,
0x10, 0x40, 0x40, 0x00, 0x00, 0x40, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40, 0x20,
0x10, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x40, 0x20, 0x10, 0x40, 0x40, 0x00,
0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
0x00, 0x40, 0x40, 0x20, 0x00, 0x00, 0x00, 0x20, 0x10, 0x00, 0x40, 0x00, 0x10, 0x40, 0x00, 0x20,
};
char key7[] =
{
0x00, 0x00, 0x20, 0x00, 0x02, 0x00, 0x20, 0x04, 0x02, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
0x00, 0x08, 0x00, 0x00, 0x02, 0x08, 0x00, 0x04, 0x02, 0x08, 0x20, 0x00, 0x00, 0x08, 0x20, 0x04,
0x02, 0x08, 0x20, 0x04, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04,
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x20, 0x04, 0x02, 0x08, 0x00, 0x00,
0x00, 0x08, 0x00, 0x04, 0x02, 0x08, 0x20, 0x00, 0x02, 0x00, 0x20, 0x00, 0x00, 0x08, 0x00, 0x04,
0x02, 0x00, 0x00, 0x04, 0x00, 0x00, 0x20, 0x04, 0x00, 0x08, 0x20, 0x04, 0x02, 0x00, 0x20, 0x00,
0x00, 0x00, 0x20, 0x04, 0x00, 0x08, 0x00, 0x00, 0x02, 0x08, 0x00, 0x00, 0x02, 0x08, 0x20, 0x04,
0x00, 0x08, 0x20, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x08, 0x20, 0x00,
0x00, 0x00, 0x00, 0x04, 0x00, 0x08, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x02, 0x08, 0x00, 0x04,
0x02, 0x08, 0x00, 0x04, 0x02, 0x00, 0x20, 0x04, 0x02, 0x00, 0x20, 0x04, 0x02, 0x00, 0x00, 0x00,
0x02, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x20, 0x00,
0x00, 0x08, 0x20, 0x04, 0x02, 0x08, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x08, 0x20, 0x04,
0x02, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04, 0x02, 0x08, 0x20, 0x04, 0x00, 0x00, 0x20, 0x04,
0x00, 0x08, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x08, 0x20, 0x04,
0x00, 0x00, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x00, 0x20, 0x04, 0x00, 0x08, 0x00, 0x00,
0x02, 0x00, 0x00, 0x04, 0x00, 0x08, 0x00, 0x04, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00, 0x20, 0x00,
};
char key8[] =
{
0x40, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x40, 0x10, 0x04, 0x10,
0x00, 0x00, 0x00, 0x10, 0x40, 0x10, 0x00, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
0x40, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x10, 0x40, 0x10, 0x04, 0x10, 0x00, 0x10, 0x04, 0x00,
0x00, 0x10, 0x04, 0x10, 0x40, 0x10, 0x04, 0x00, 0x00, 0x10, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x04, 0x10, 0x40, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x40, 0x10, 0x00, 0x00,
0x00, 0x10, 0x04, 0x00, 0x40, 0x00, 0x04, 0x00, 0x40, 0x00, 0x04, 0x10, 0x00, 0x10, 0x04, 0x10,
0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x04, 0x10,
0x40, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x40, 0x10, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00,
0x40, 0x10, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x10, 0x04, 0x10, 0x00, 0x10, 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x04, 0x10, 0x00, 0x10, 0x00, 0x00, 0x40, 0x10, 0x04, 0x00,
0x00, 0x10, 0x00, 0x10, 0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x04, 0x10,
0x40, 0x00, 0x04, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x04, 0x00, 0x40, 0x10, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x40, 0x10, 0x04, 0x10, 0x40, 0x00, 0x04, 0x00, 0x40, 0x00, 0x00, 0x10,
0x00, 0x00, 0x04, 0x10, 0x00, 0x10, 0x00, 0x10, 0x40, 0x10, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
0x40, 0x10, 0x04, 0x10, 0x00, 0x10, 0x04, 0x00, 0x00, 0x10, 0x04, 0x00, 0x40, 0x10, 0x00, 0x00,
0x40, 0x10, 0x00, 0x00, 0x40, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x04, 0x10,
};
int _tmain(int argc, _TCHAR* argv[])
{
char *p;
char *t;
p = readfile();
encode(p + 0x30, 0x20);
encode(p + 0x50, 0x20);
encode(p + 0x70, 0x10);
encode(p + 0x80, 0x10);
encode(p + 0x80, 0x10);
encode(p + 0x8, 0x28);
encode(p + 0xA4, 0x10);
encode(p + 0xE4, 0x10);
return 0;
}
char* readdir()
{
//读取注册表,获取安装路径
char *dir;
dir = new char[1024];
DWORD dwType = REG_SZ;
DWORD dwLength = 1024;
HKEY rp;
int l;
int f;
if (RegOpenKeyA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\ecp\\", &rp) != ERROR_SUCCESS)
{
MessageBoxA(0, "打开注册表错误", "提示", 0);
ExitProcess(0);
}
l = sizeof(dir);
if (RegQueryValueExA(rp, "URL Protocol", 0, &dwType, (LPBYTE)dir, &dwLength) != ERROR_SUCCESS)
{
MessageBoxA(0, "读取注册表错误", "提示", 0);
ExitProcess(0);
}
l = strlen(dir);
f = 3;
while (f)
{
l--;
if (dir[l] == '\\')
{
f--;
}
dir[l] = 0;
}
strcat(dir, "\\bin\\Credit");
return dir;
}
char* readfile()
{
char* buffer;
buffer = new char[0x168c];
FILE *fp;
fp = fopen(readdir(), "rb");
if (!fp)
{
MessageBoxA(0, "读取文件出错", "提示", 0);
ExitProcess(0);
}
fread(buffer, sizeof(char), 0x168c, fp);
fclose(fp);
return buffer;
}
void encode(char *buffer, int len)
{
char *p;
while (len)
{
p = encode1(buffer);
encode2(buffer, p);
encode3(buffer);
len = len - 8;
buffer = buffer + 8;
}
}
char* encode1(char *buffer)
{
char *p;
p = new char[8];
p[0] = buffer[3];
p[1] = buffer[2];
p[2] = buffer[1];
p[3] = buffer[0];
p[4] = buffer[7];
p[5] = buffer[6];
p[6] = buffer[5];
p[7] = buffer[4];
return p;
}
void encode3(char *buffer)
{
char *p;
p = buffer;
char t;
t = p[0];
p[0] = p[3];
p[3] = t;
t = p[1];
p[1] = p[2];
p[2] = t;
p = p + 4;
t = p[0];
p[0] = p[3];
p[3] = t;
t = p[1];
p[1] = p[2];
p[2] = t;
}
void encode2(char *buffer, char *key)
{
__asm
{
lea eax, pass
push eax
lea eax, key
push eax
lea eax, buffer
push eax
mov ecx, dword ptr [esp+8]
push ebx
push ebp
push esi
mov eax, dword ptr [ecx]
mov edx, dword ptr [ecx+4]
mov ecx, eax
mov esi, edx
shr ecx, 4
and ecx, 0x0F0F0F0F
and esi, 0x0F0F0F0F
xor ecx, esi
push edi
xor edx, ecx
mov dword ptr [esp+0x10], 8
shl ecx, 4
xor eax, ecx
mov esi, edx
mov ecx, eax
and esi, 0x0FFFF
shr ecx, 0x10
xor ecx, esi
xor edx, ecx
shl ecx, 0x10
xor eax, ecx
mov ecx, edx
shr ecx, 2
mov esi, eax
and ecx, 0x33333333
and esi, 0x33333333
xor ecx, esi
xor eax, ecx
shl ecx, 2
xor edx, ecx
mov esi, eax
mov ecx, edx
and esi, 0x0FF00FF
shr ecx, 8
and ecx, 0x0FF00FF
xor ecx, esi
mov esi, dword ptr [esp+0x1C]
xor eax, ecx
shl ecx, 8
xor edx, ecx
mov ecx, edx
add edx, edx
shr ecx, 0x1F
or ecx, edx
mov edx, ecx
xor edx, eax
and edx, 0xAAAAAAAA
xor eax, edx
xor ecx, edx
mov edx, eax
add eax, eax
shr edx, 0x1F
or edx, eax
L058:
mov ebx, dword ptr [esi]
mov eax, ecx
mov edi, ecx
add esi, 4
shl eax, 0x1C
shr edi, 4
or eax, edi
add esi, 4
xor eax, ebx
add esi, 4
mov ebx, eax
mov edi, eax
shr ebx, 0x10
and ebx, 0x3F
add esi, 4
shr edi, 0x18
push eax
lea eax, key3
mov ebp, dword ptr [ebx*4+eax]
pop eax
mov ebx, eax
and edi, 0x3F
and eax, 0x3F
shr ebx, 8
push eax
lea eax, key1
mov edi, dword ptr [edi*4+eax]
pop eax
and ebx, 0x3F
or edi, ebp
push eax
lea eax, key5
mov ebp, dword ptr [ebx*4+eax]
pop eax
push ecx
lea ecx, key7
mov ebx, dword ptr [eax*4+ecx]
pop ecx
mov eax, dword ptr [esi-4]
or edi, ebp
xor eax, ecx
or edi, ebx
mov ebx, eax
mov ebp, eax
shr ebx, 0x18
and ebx, 0x3F
shr ebp, 0x10
push eax
lea eax, key2
mov ebx, dword ptr [ebx*4+eax]
pop eax
and ebp, 0x3F
push eax
lea eax, key4
or ebx, dword ptr [ebp*4+eax]
pop eax
mov ebp, eax
shr ebp, 8
and ebp, 0x3F
and eax, 0x3F
push eax
lea eax, key6
or ebx, dword ptr [ebp*4+eax]
pop eax
push ecx
lea ecx, key8
mov ebp, dword ptr [eax*4+ecx]
pop ecx
or ebx, ebp
or ebx, edi
xor edx, ebx
mov ebx, dword ptr [esi-8]
mov eax, edx
mov edi, edx
shl eax, 0x1C
shr edi, 4
or eax, edi
xor eax, ebx
mov ebx, eax
mov edi, eax
shr ebx, 0x10
and ebx, 0x3F
shr edi, 0x18
push ecx
lea ecx, key3
mov ebp, dword ptr [ebx*4+ecx]
pop ecx
mov ebx, eax
and edi, 0x3F
and eax, 0x3F
shr ebx, 8
push ecx
lea ecx, key1
mov edi, dword ptr [edi*4+ecx]
pop ecx
and ebx, 0x3F
or edi, ebp
push ecx
lea ecx, key5
mov ebp, dword ptr [ebx*4+ecx]
lea ecx, key7
mov ebx, dword ptr [eax*4+ecx]
pop ecx
mov eax, dword ptr [esi-4]
or edi, ebp
xor eax, edx
or edi, ebx
mov ebx, eax
mov ebp, eax
shr ebx, 0x18
and ebx, 0x3F
shr ebp, 0x10
push ecx
lea ecx, key2
mov ebx, dword ptr [ebx*4+ecx]
and ebp, 0x3F
lea ecx, key4
or ebx, dword ptr [ebp*4+ecx]
mov ebp, eax
and eax, 0x3F
shr ebp, 8
and ebp, 0x3F
lea ecx, key6
or ebx, dword ptr [ebp*4+ecx]
lea ecx, key8
mov ebp, dword ptr [eax*4+ecx]
pop ecx
mov eax, dword ptr [esp+0x10]
or ebx, ebp
or ebx, edi
xor ecx, ebx
dec eax
mov dword ptr [esp+10], eax
jnz L058
mov eax, ecx
pop edi
shl eax, 0x1F
shr ecx, 1
or eax, ecx
mov ecx, eax
xor ecx, edx
and ecx, 0xAAAAAAAA
xor edx, ecx
xor eax, ecx
mov ecx, edx
mov esi, eax
shl ecx, 0x1F
shr edx, 1
or ecx, edx
and esi, 0x0FF00FF
mov edx, ecx
shr edx, 8
and edx, 0x0FF00FF
xor edx, esi
xor eax, edx
shl edx, 8
xor ecx, edx
mov esi, eax
mov edx, ecx
and esi, 0x33333333
shr edx, 2
and edx, 0x33333333
xor edx, esi
xor eax, edx
shl edx, 2
xor ecx, edx
mov edx, eax
mov esi, ecx
shr edx, 0x10
and esi, 0x0FFFF
xor edx, esi
xor ecx, edx
shl edx, 0x10
xor eax, edx
mov esi, ecx
mov edx, eax
and esi, 0x0F0F0F0F
shr edx, 4
and edx, 0x0F0F0F0F
xor edx, esi
mov esi, edx
shl esi, 4
xor esi, eax
mov eax, dword ptr [esp+0x14]
xor edx, ecx
mov dword ptr [eax], esi
pop esi
pop ebp
mov dword ptr [eax+4], edx
pop ebx
pop ecx
}
}