阿虚
直言直语

0x0 环境

——————–

环境:

系统:Windows 10

工具:ida pro,ollydbg

——————–

0x1 跑起来

http://www.xuwu.org/wp-content/uploads/2020/03/zyzy1.png

这玩意跑起来能够知道是使用没饭吃来做的UI,并且作者很贱的使用了对话框来进行错误提示,而非MessageBox进行错误提示。

       既然是MFC程序并且通过点击Button进行输入的KEY校验,还是想着使用IDA进行静态分析慢慢磨所以只需要“奥利给”一下知道了Check的Button回调地址为0x00252420,然后设置IDA rebase为0x250000就可以了。

       知道了回调地址后还可以利用IDA里面的自带的没饭吃sig文件来屏蔽一些的内置函数避免深入浅出到没饭吃中出不来那就笑话了。

0x2 程序分析

虽然这个名字叫做“直言直语”但是里面的玩玩套套真的不少。错误信息弹框用DLG显示就不说了,还写了一些花指令,不过都是很基础的指令替换并没有用很复杂以及大量跳转的辣鸡指令。如果用OD调试的话右键->分析->从模块中删除分析即可。

       说实话我是没有认出程序里面用到的是开源的RC4加密算法我以为算法是作者自己撸的。之前我并没有去了解过网上有哪些算法还是自己太水了。

#include <windows.h>

#include <stdlib.h>

#include <algorithm>
#include <cstring>
#include <iostream>

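// Stage 1 of the key check: length gate plus reorder of the key material.
//
// The binary's $check_key accepts only a key whose strlen() minus 6 equals
// 32 (see `sub edx, 6` / `cmp [ebp+intput_count], 32` in the disassembly),
// i.e. exactly 38 characters. The original port used `length < 38`, which
// let longer keys through and, for keys longer than 262 bytes, overflowed
// tmp[256]; the exact-length test closes both.
//
// On success pw[0..31] is replaced by pw[5..36] reversed (pw[0..4] and
// pw[37] are discarded, pw[32..37] are left untouched) and false is
// returned. Returns true ("reject") for a null pointer or a wrong length.
bool check1(char* pw)
{
    if (pw == nullptr)
    {
        return true;
    }

    const size_t length = strlen(pw);
    if (length != 38)
    {
        return true;
    }

    // 32 bytes are kept; the copy starts at offset 5, mirroring `add edx, 5`
    // in the binary, so the last character of pw never takes part.
    char tmp[256] = { 0x0 };
    const size_t keep = length - 6;
    strncpy(tmp, pw + 5, keep);

    // Same effect as the original swap loop over i in [0, 16): tmp[i] <-> tmp[31 - i].
    std::reverse(tmp, tmp + keep);

    // Write the reordered material back over the first 32 characters only;
    // pw keeps its terminator from the original input.
    strncpy(pw, tmp, 0x20);
    return false;
}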

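// Stage 2: RC4 key scheduling (KSA). Fills buf1 (a 256-byte S-box) from the
// key in buf2, which is repeated cyclically to 256 bytes. buf1 must point to
// at least 256 writable bytes. BYTE is unsigned char, so the signature is
// unchanged for existing callers.
//
// The mask-and-fixup sequence in the original port (`& 0x800000FF`, then
// dec/xor/inc when negative) is the compiler's signed `% 256` idiom carried
// over from the disassembly; with tmp declared as DWORD the `< 0` branch
// could never run, and for non-negative operands the whole thing is `& 0xFF`,
// which is what RC4 specifies. Key bytes are widened as unsigned so a byte
// above 0x7F cannot turn into a negative index (the original went via char).
//
// Returns true ("reject") only for a missing buffer or a non-positive key
// length, which would otherwise divide by zero in `i % buf2_len`; returns
// false on success.
bool check2(unsigned char* buf1, char* buf2, int buf2_len)
{
    if (buf1 == nullptr || buf2 == nullptr || buf2_len <= 0)
    {
        return true;
    }

    // Identity permutation plus the key expanded to 256 bytes.
    unsigned char expanded_key[256] = { 0x0 };
    for (int i = 0; i < 0x100; i++)
    {
        buf1[i] = static_cast<unsigned char>(i);
        expanded_key[i] = static_cast<unsigned char>(buf2[i % buf2_len]);
    }

    unsigned int j = 0;
    for (int i = 0; i < 0x100; i++)
    {
        j = (j + buf1[i] + expanded_key[i]) & 0xFF;
        std::swap(buf1[i], buf1[j]);
    }

    return false;
}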

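// Stage 3: RC4 keystream generation (PRGA) XOR-ed over inkey in place.
// pbuf1 is the 256-byte S-box produced by check2 and is advanced as a side
// effect; the i/j counters always start from zero, so each call behaves as
// a fresh RC4 stream for that S-box. inkey_len bytes of inkey are
// transformed. BYTE is unsigned char, so the signature is unchanged for
// existing callers.
//
// As in check2, the original's mask-and-fixup blocks are the signed `% 256`
// idiom from the disassembly and collapse to `& 0xFF` for these operands;
// the stray `if (i == inkey_len - 1) { int i = 0; }` was dead code and is
// dropped.
//
// Returns true ("reject") when a byte would be touched through a null
// pointer, false otherwise (also for inkey_len <= 0, which transforms
// nothing — the original did the same).
bool check3(unsigned char* pbuf1, char* inkey, int inkey_len)
{
    if (inkey_len > 0 && (pbuf1 == nullptr || inkey == nullptr))
    {
        return true;
    }

    unsigned int i = 0;
    unsigned int j = 0;
    for (int k = 0; k < inkey_len; k++)
    {
        i = (i + 1) & 0xFF;
        j = (j + pbuf1[i]) & 0xFF;
        std::swap(pbuf1[i], pbuf1[j]);

        // Keystream byte K = S[(S[i] + S[j]) mod 256].
        const unsigned int t = (pbuf1[i] + pbuf1[j]) & 0xFF;
        inkey[k] ^= static_cast<char>(pbuf1[t]);
    }

    return false;
}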

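// Harness that replays the three stages of the binary's key check on a
// known-good key, in the order $star_check uses them: length gate + reorder
// (check1), RC4 KSA over the built-in key "qwertyuiop" (check2), RC4 PRGA
// over the reordered input (check3), then a byte compare of the first 32
// bytes against the constant table check_buf (array_0x20 in the binary).
// Prints "ok" or "err" and always exits 0.
int main()
{
    char password[256] = "00000973387a11fa3f724d74802857d3e052f0";
    if (check1(password))
    {
        return 0;
    }

    // The S-box depends only on the built-in key, so it is identical on
    // every machine.
    BYTE buf256[256] = { 0x0 };
    char tmp[256] = "qwertyuiop";
    if (check2(buf256, tmp, static_cast<int>(strlen(tmp))))
    {
        return 0;
    }

    // Expected ciphertext of the reordered key (array_0x20 in $star_check).
    BYTE check_buf[0x20] = { 0x5B, 0x0D6, 0x0D0, 0x26, 0x0C8, 0x0DD, 0x19, 0x7E, 0x6E, 0x3E, 0x0CB, 0x16, 0x91, 0x7D, 0x0FF, 0x0AF, 0x0DD, 0x76, 0x64, 0x0B0, 0x0F7, 0x0E5, 0x89, 0x57, 0x82, 0x9F, 0x0C, 0x0, 0x9E, 0x0D0, 0x45, 0x0FA };

    check3(buf256, (char*)password, 0x20);

    // Compare back to front, as the binary's do_while2 loop does. The binary
    // loads both sides with movsx; comparing a (signed) char against a BYTE
    // directly would promote 0xD6 to -42 on one side and 214 on the other
    // and report a mismatch, so the input byte is viewed as BYTE here.
    for (int i = 0x1F; i >= 0; i--)
    {
        if (static_cast<BYTE>(password[i]) != check_buf[i])
        {
            std::cout << "err \n";
            return 0;
        }
    }

    std::cout << "ok \n";

    return 0;
}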

.text:00F82600 ; Attributes: bp-based frame
.text:00F82600
.text:00F82600 $star_check     proc near               ; CODE XREF: $button_callback+64↑p
.text:00F82600 ; Key-check driver called from the button handler. Three stages:
.text:00F82600 ;   1. $check_key  - length gate + reorder of the input key (input_buf_copy)
.text:00F82600 ;   2. $check_key2 - key setup over the built-in "qwertyuiop" into aray2_256
.text:00F82600 ;   3. $check_key3 - transforms input_buf_copy with aray2_256
.text:00F82600 ; then input_buf_copy[0..1Fh] is compared byte-for-byte with array_0x20.
.text:00F82600 ; Returns al = 1 on a full match, 0 otherwise (retn 4: one stack arg, ecx = this).
.text:00F82600 ; The body is sprinkled with junk code (call $+5 / pop, call-pop-inc-push-retn
.text:00F82600 ; around a stray 0EAh byte, mov ebx, 11111111h/22222222h/33333333h); none of it
.text:00F82600 ; changes the result, and ebx is restored from the stack in the epilogue.
.text:00F82600
.text:00F82600 array_512       = byte ptr -4BCh
.text:00F82600 varstr_qwertyuiop_length= dword ptr -2BCh
.text:00F82600 var_2B8         = dword ptr -2B8h
.text:00F82600 input_buf_copy_length= dword ptr -2B4h
.text:00F82600 Count           = dword ptr -2B0h
.text:00F82600 var_2AC         = dword ptr -2ACh
.text:00F82600 var_2A8         = dword ptr -2A8h
.text:00F82600 var_2A4         = dword ptr -2A4h
.text:00F82600 var_2A0         = dword ptr -2A0h
.text:00F82600 var_29C         = dword ptr -29Ch
.text:00F82600 var_298         = byte ptr -298h
.text:00F82600 Source          = dword ptr -294h
.text:00F82600 pThis           = dword ptr -290h
.text:00F82600 array_0x20      = byte ptr -28Ch
.text:00F82600 var_26C         = dword ptr -26Ch
.text:00F82600 var_268         = dword ptr -268h
.text:00F82600 do_while2_count = dword ptr -264h
.text:00F82600 var_260         = dword ptr -260h
.text:00F82600 var_25A         = byte ptr -25Ah
.text:00F82600 var_259         = byte ptr -259h
.text:00F82600 var_258         = byte ptr -258h
.text:00F82600 var_257         = byte ptr -257h
.text:00F82600 var_256         = byte ptr -256h
.text:00F82600 var_255         = byte ptr -255h
.text:00F82600 var_254         = byte ptr -254h
.text:00F82600 var_23C         = dword ptr -23Ch
.text:00F82600 aray2_256       = byte ptr -238h
.text:00F82600 varstr_qwertyuiop_buf= byte ptr -138h
.text:00F82600 input_buf_copy  = byte ptr -38h  ; 28h bytes up to the cookie (see the memset of 1+27h bytes below)
.text:00F82600 cookie          = dword ptr -10h
.text:00F82600 var_C           = dword ptr -0Ch
.text:00F82600 var_4           = dword ptr -4
.text:00F82600 CString_input_key= dword ptr  8
.text:00F82600 arg_4           = dword ptr  0Ch
.text:00F82600
.text:00F82600 ; FUNCTION CHUNK AT .text:010CD5B0 SIZE 00000046 BYTES
.text:00F82600
.text:00F82600                 push    ebp
.text:00F82601                 mov     ebp, esp
.text:00F82603                 push    0FFFFFFFFh      ; SEH frame: initial state
.text:00F82605                 push    offset SEH_402600 ; SEH frame: handler record
.text:00F8260A                 mov     eax, large fs:0
.text:00F82610                 push    eax             ; SEH frame: previous frame
.text:00F82611                 sub     esp, 4B0h
.text:00F82617                 mov     eax, ___security_cookie ; /GS stack cookie, verified before retn
.text:00F8261C                 xor     eax, ebp
.text:00F8261E                 mov     [ebp+cookie], eax
.text:00F82621                 push    ebx             ; callee-saved; restored at ret
.text:00F82622                 push    eax
.text:00F82623                 lea     eax, [ebp+var_C]
.text:00F82626                 mov     large fs:0, eax ; install the SEH frame
.text:00F82626                                         ; ;
.text:00F8262C                 mov     [ebp+pThis], ecx ; thiscall: ecx = this
.text:00F82632                 mov     [ebp+var_4], 0
.text:00F82639 ; array_0x20: 32-byte constant table the transformed input is compared
.text:00F82639 ; against at loc_F829FA (the check_buf of the C port).
.text:00F82639                 mov     [ebp+array_0x20], 5Bh ; '['
.text:00F82640                 mov     [ebp+array_0x20+1], 0D6h
.text:00F82647                 mov     [ebp+array_0x20+2], 0D0h
.text:00F8264E                 mov     [ebp+array_0x20+3], 26h ; '&'
.text:00F82655                 mov     [ebp+array_0x20+4], 0C8h
.text:00F8265C                 mov     [ebp+array_0x20+5], 0DDh
.text:00F82663                 mov     [ebp+array_0x20+6], 19h
.text:00F8266A                 mov     [ebp+array_0x20+7], 7Eh ; '~'
.text:00F82671                 mov     [ebp+array_0x20+8], 6Eh ; 'n'
.text:00F82678                 mov     [ebp+array_0x20+9], 3Eh ; '>'
.text:00F8267F                 mov     [ebp+array_0x20+0Ah], 0CBh
.text:00F82686                 mov     [ebp+array_0x20+0Bh], 16h
.text:00F8268D                 mov     [ebp+array_0x20+0Ch], 91h
.text:00F82694                 mov     [ebp+array_0x20+0Dh], 7Dh ; '}'
.text:00F8269B                 mov     [ebp+array_0x20+0Eh], 0FFh
.text:00F826A2                 mov     [ebp+array_0x20+0Fh], 0AFh
.text:00F826A9                 mov     [ebp+array_0x20+10h], 0DDh
.text:00F826B0                 mov     [ebp+array_0x20+11h], 76h ; 'v'
.text:00F826B7
.text:00F826B7 loc_F826B7:                             ; DATA XREF: $star_check+418↓r
.text:00F826B7 ; Not a real branch target: IDA only created this label because the
.text:00F826B7 ; operand at 00F82A18 is expressed relative to it (see the note there).
.text:00F826B7                 mov     [ebp+array_0x20+12h], 64h ; 'd'
.text:00F826BE                 mov     [ebp+array_0x20+13h], 0B0h
.text:00F826C5                 mov     [ebp+array_0x20+14h], 0F7h
.text:00F826CC                 mov     [ebp+array_0x20+15h], 0E5h
.text:00F826D3                 mov     [ebp+array_0x20+16h], 89h
.text:00F826DA                 mov     [ebp+array_0x20+17h], 57h ; 'W'
.text:00F826E1                 mov     [ebp+array_0x20+18h], 82h
.text:00F826E8                 mov     [ebp+array_0x20+19h], 9Fh
.text:00F826EF                 mov     [ebp+array_0x20+1Ah], 0Ch
.text:00F826F6                 mov     [ebp+array_0x20+1Bh], 0
.text:00F826FD                 mov     [ebp+array_0x20+1Ch], 9Eh
.text:00F82704                 mov     [ebp+array_0x20+1Dh], 0D0h
.text:00F8270B                 mov     [ebp+array_0x20+1Eh], 45h ; 'E'
.text:00F82712                 mov     [ebp+array_0x20+1Fh], 0FAh ;
.text:00F82712                                         ; ;
.text:00F82719                 lea     ecx, [ebp+CString_input_key]
.text:00F8271C                 call    CString_GetBuffer ; raw char* of the CString argument
.text:00F82721                 push    eax
.text:00F82722                 lea     ecx, [ebp+var_298]
.text:00F82728                 call    sub_F830A0      ; builds a temporary from the input (body not shown here)
.text:00F8272D                 mov     [ebp+var_29C], eax ;
.text:00F8272D                                         ; ;
.text:00F82733                 mov     eax, [ebp+var_29C]
.text:00F82739                 mov     [ebp+var_2AC], eax
.text:00F8273F                 mov     byte ptr [ebp+var_4], 1 ; SEH unwind state: var_298 live
.text:00F82743                 mov     ecx, [ebp+var_2AC]
.text:00F82749                 call    CString_GetBuffer
.text:00F8274E                 push    eax
.text:00F8274F                 lea     ecx, [ebp+var_254]
.text:00F82755                 call    sub_F83000      ;
.text:00F82755                                         ; ;
.text:00F8275A                 mov     byte ptr [ebp+var_4], 3 ; SEH unwind state: var_254 live
.text:00F8275E                 lea     ecx, [ebp+var_298] ; void *
.text:00F82764                 call    _free2
.text:00F82769                 lea     ecx, [ebp+var_254]
.text:00F8276F                 call    unknown_libname_1 ; Microsoft VisualC 2-14/net runtime
.text:00F82774                 mov     [ebp+Source], eax ; Source = char* string derived from the input
.text:00F82774                                         ; ;
.text:00F8277A                 mov     ecx, [ebp+Source]
.text:00F82780                 mov     [ebp+var_268], ecx
.text:00F82786                 mov     edx, [ebp+var_268]
.text:00F8278C                 add     edx, 1
.text:00F8278F                 mov     [ebp+var_2A0], edx ; Source + 1, used below to get the length
.text:00F82795
.text:00F82795 do_while:                               ; CODE XREF: $star_check+1B1↓j
.text:00F82795 ; Inlined strlen(Source): advance until the NUL byte was read.
.text:00F82795                 mov     eax, [ebp+var_268]
.text:00F8279B                 mov     cl, [eax]
.text:00F8279D                 mov     [ebp+var_259], cl
.text:00F827A3                 add     [ebp+var_268], 1
.text:00F827AA                 cmp     [ebp+var_259], 0
.text:00F827B1                 jnz     short do_while  ;
.text:00F827B1                                         ; ;
.text:00F827B3                 mov     edx, [ebp+var_268]
.text:00F827B9                 sub     edx, [ebp+var_2A0] ; (end + 1) - (Source + 1) = strlen(Source)
.text:00F827BF                 mov     [ebp+var_2A8], edx
.text:00F827C5                 mov     eax, [ebp+var_2A8]
.text:00F827CB                 mov     [ebp+Count], eax ; Count = strlen(Source)
.text:00F827CB                                         ; ;
.text:00F827D1                 mov     [ebp+input_buf_copy], 0
.text:00F827D5                 push    27h ; '''       ; Size
.text:00F827D7                 push    0               ; Val
.text:00F827D9                 lea     ecx, [ebp+input_buf_copy+1]
.text:00F827DC                 push    ecx             ; void *
.text:00F827DD                 call    _memset         ; zero all 28h bytes of input_buf_copy
.text:00F827E2                 add     esp, 0Ch        ;
.text:00F827E2                                         ; ;
.text:00F827E5                 mov     edx, [ebp+Count]
.text:00F827EB                 push    edx             ; Count
.text:00F827EC                 mov     eax, [ebp+Source]
.text:00F827F2                 push    eax             ; Source
.text:00F827F3                 lea     ecx, [ebp+input_buf_copy]
.text:00F827F6                 push    ecx             ; Destination
.text:00F827F7                 call    _strncpy        ; NOTE: Count is the source length, not the 28h-byte
.text:00F827F7                                         ; destination size; an over-long Source appears to
.text:00F827F7                                         ; overrun input_buf_copy (the /GS cookie check at ret
.text:00F827F7                                         ; would then abort the process) - confirm upstream bounds
.text:00F827FC                 add     esp, 0Ch        ;
.text:00F827FC                                         ; ;
.text:00F827FF                 lea     edx, [ebp+input_buf_copy]
.text:00F82802                 push    edx             ; param_str
.text:00F82803                 mov     ecx, [ebp+pThis]
.text:00F82809                 call    $check_key      ; $check_key:
.text:00F82809                                         ; 1. the input string length must be exactly 38 bytes
.text:00F82809                                         ; 2. strip the leading characters of the input and keep 32 bytes
.text:00F82809                                         ; 3. reverse those 32 bytes
.text:00F82809                                         ; (maps to check1 in the C port; returns 0 on success)
.text:00F8280E                 test    eax, eax
.text:00F82810                 jz      short loc_F82853 ; 0 = stage 1 passed
.text:00F82810                                         ; ;
.text:00F82812                 mov     [ebp+var_257], 0 ; stage 1 failed: result 0 via ret_0_2
.text:00F82819                 mov     al, [ebp+var_257]
.text:00F8281F                 mov     [ebp+var_255], al
.text:00F82825                 jmp     ret_0_2
.text:00F8282A ; ---------------------------------------------------------------------------
.text:00F8282A ; Not reached: nothing jumps here (no xref) and the block above ends in jmp.
.text:00F8282A ; It duplicates the cleanup at ret_0.
.text:00F8282A                 mov     byte ptr [ebp+var_4], 0
.text:00F8282E                 lea     ecx, [ebp+var_254]
.text:00F82834                 call    _this_string_free
.text:00F82839                 mov     [ebp+var_4], 0FFFFFFFFh
.text:00F82840                 lea     ecx, [ebp+CString_input_key] ; void *
.text:00F82843                 call    _free2
.text:00F82848                 mov     al, [ebp+var_257]
.text:00F8284E                 jmp     ret
.text:00F82853 ; ---------------------------------------------------------------------------
.text:00F82853
.text:00F82853 loc_F82853:                             ; CODE XREF: $star_check+210↑j
.text:00F82853 ; Copy the built-in key "qwertyuiop" (10 chars + NUL) into a 256-byte buffer.
.text:00F82853                 mov     ecx, dword ptr ds:aQwertyuiop ; "qwertyuiop"
.text:00F82859                 mov     dword ptr [ebp+varstr_qwertyuiop_buf], ecx
.text:00F8285F                 mov     edx, dword ptr ds:aQwertyuiop+4 ; "tyuiop"
.text:00F82865                 mov     dword ptr [ebp+varstr_qwertyuiop_buf+4], edx
.text:00F8286B                 mov     ax, word ptr ds:aQwertyuiop+8 ; "op"
.text:00F82871                 mov     word ptr [ebp+varstr_qwertyuiop_buf+8], ax
.text:00F82878                 mov     cl, byte ptr ds:aQwertyuiop+0Ah ; ""
.text:00F8287E                 mov     [ebp+varstr_qwertyuiop_buf+0Ah], cl
.text:00F82884                 push    0F5h            ; Size
.text:00F82889                 push    0               ; Val
.text:00F8288B                 lea     edx, [ebp+varstr_qwertyuiop_buf+0Bh]
.text:00F82891                 push    edx             ; void *
.text:00F82892                 call    _memset         ; zero the rest of the 256-byte key buffer
.text:00F82897                 add     esp, 0Ch        ;
.text:00F82897                                         ; ;
.text:00F8289A                 mov     [ebp+aray2_256], 0
.text:00F828A1                 push    0FFh            ; Size
.text:00F828A6                 push    0               ; Val
.text:00F828A8                 lea     eax, [ebp+aray2_256+1]
.text:00F828AE                 push    eax             ; void *
.text:00F828AF                 call    _memset         ; aray2_256: 256-byte state filled by $check_key2
.text:00F828B4                 add     esp, 0Ch        ;
.text:00F828B4                                         ; ;
.text:00F828B7                 mov     [ebp+array_512], 0
.text:00F828BE                 push    1FFh            ; Size
.text:00F828C3                 push    0               ; Val
.text:00F828C5                 lea     ecx, [ebp+array_512+1]
.text:00F828CB                 push    ecx             ; void *
.text:00F828CC                 call    _memset         ; array_512 is zeroed but not referenced again in this listing
.text:00F828D1                 add     esp, 0Ch        ;
.text:00F828D1                                         ; ;
.text:00F828D4                 lea     edx, [ebp+varstr_qwertyuiop_buf]
.text:00F828DA                 mov     [ebp+var_26C], edx
.text:00F828E0                 mov     eax, [ebp+var_26C]
.text:00F828E6                 add     eax, 1
.text:00F828E9                 mov     [ebp+var_2B8], eax
.text:00F828EF
.text:00F828EF loc_F828EF:                             ; CODE XREF: $star_check+30B↓j
.text:00F828EF ; Inlined strlen of the key buffer, same shape as do_while above.
.text:00F828EF                 mov     ecx, [ebp+var_26C]
.text:00F828F5                 mov     dl, [ecx]
.text:00F828F7                 mov     [ebp+var_25A], dl
.text:00F828FD                 add     [ebp+var_26C], 1
.text:00F82904                 cmp     [ebp+var_25A], 0 ; array_256 = "qwertyuiop"
.text:00F8290B                 jnz     short loc_F828EF ; compute strlen(array_256)
.text:00F8290B                                         ; ;
.text:00F8290D                 mov     eax, [ebp+var_26C]
.text:00F82913                 sub     eax, [ebp+var_2B8]
.text:00F82919                 mov     [ebp+varstr_qwertyuiop_length], eax ; = 10 for the built-in key
.text:00F82919                                         ;
.text:00F82919                                         ; ;
.text:00F8291F                 mov     ecx, [ebp+varstr_qwertyuiop_length]
.text:00F82925                 push    ecx             ; key length
.text:00F82926                 lea     edx, [ebp+varstr_qwertyuiop_buf]
.text:00F8292C                 push    edx             ; key
.text:00F8292D                 lea     eax, [ebp+aray2_256]
.text:00F82933                 push    eax             ; state buffer (first arg)
.text:00F82934                 mov     ecx, [ebp+pThis]
.text:00F8293A                 call    $check_key2     ; $check_key2:
.text:00F8293A                                         ; 1. the program has a built-in key "qwertyuiop"
.text:00F8293A                                         ; 2. "qwertyuiop" is run through the key setup
.text:00F8293A                                         ; this part uses only built-in data and no external input,
.text:00F8293A                                         ; so the result is identical on every machine
.text:00F8293A                                         ; (maps to check2 in the C port: (state, key, key_len))
.text:00F8293F                 call    $+5             ; call 008B2944
.text:00F8293F                                         ; junk: call $+5 / pop eax only loads the address of
.text:00F8293F                                         ; loc_F82944 into eax, which is stored and not used
.text:00F82944
.text:00F82944 loc_F82944:                             ; DATA XREF: $star_check+398↓r
.text:00F82944                 pop     eax
.text:00F82945                 mov     [ebp+var_23C], eax
.text:00F8294B                 call    loc_F82953      ; pushes 00F82950 (the 0EAh byte) as return address
.text:00F8294B ; ---------------------------------------------------------------------------
.text:00F82950                 db 0EAh                 ; never executed: 0EAh is a far-jmp opcode left to derail linear disassembly
.text:00F82951 ; ---------------------------------------------------------------------------
.text:00F82951                 jmp     short loc_F8295C ; execution resumes here (return address + 1)
.text:00F82953 ; ---------------------------------------------------------------------------
.text:00F82953
.text:00F82953 loc_F82953:                             ; CODE XREF: $star_check+34B↑j
.text:00F82953                 pop     ebx             ; return address = 00F82950
.text:00F82954                 inc     ebx             ; skip the 0EAh byte
.text:00F82955                 push    ebx
.text:00F82956                 mov     eax, 11111111h  ; junk
.text:00F8295B                 retn                    ; to 00F82951
.text:00F8295C ; ---------------------------------------------------------------------------
.text:00F8295C
.text:00F8295C loc_F8295C:                             ; CODE XREF: $star_check+351↑j
.text:00F8295C                 call    loc_F82968      ; callee discards the return address and jumps to loc_F82975
.text:00F82961                 mov     ebx, 33333333h  ; never executed
.text:00F82966                 jmp     short loc_F82975 ; never executed
.text:00F82966                                         ; ;
.text:00F82968 ; ---------------------------------------------------------------------------
.text:00F82968
.text:00F82968 loc_F82968:                             ; CODE XREF: $star_check:loc_F8295C↑p
.text:00F82968                 mov     ebx, 11111111h  ; junk
.text:00F8296D                 pop     ebx             ; drop the return address
.text:00F8296E                 mov     ebx, offset loc_F82975 ; retn target
.text:00F8296E                                         ; ;
.text:00F82973                 push    ebx
.text:00F82974                 retn                    ; to loc_F82975
.text:00F82975 ; ---------------------------------------------------------------------------
.text:00F82975
.text:00F82975 loc_F82975:                             ; CODE XREF: $star_check+366↑j
.text:00F82975                                         ; DATA XREF: $star_check+36E↑o
.text:00F82975                 mov     ebx, 22222222h  ; junk
.text:00F82975                                         ; ;
.text:00F8297A                 lea     ecx, [ebp+input_buf_copy]
.text:00F8297D                 mov     [ebp+var_260], ecx
.text:00F82983                 mov     edx, [ebp+var_260]
.text:00F82989                 add     edx, 1
.text:00F8298C                 mov     [ebp+var_2A4], edx
.text:00F82992
.text:00F82992 loc_F82992:                             ; CODE XREF: $star_check+3AE↓j
.text:00F82992 ; Inlined strlen(input_buf_copy), i.e. of the reordered key.
.text:00F82992                 mov     eax, [ebp+var_260]
.text:00F82998                 mov     cl, byte ptr ds:(loc_F82944 - 0F82944h)[eax] ; displacement is 0: this is just mov cl, [eax];
.text:00F82998                                         ; IDA shows it relative to loc_F82944 because of the call $+5 trick
.text:00F8299A                 mov     [ebp+var_258], cl
.text:00F829A0                 add     [ebp+var_260], 1
.text:00F829A7                 cmp     [ebp+var_258], 0
.text:00F829AE                 jnz     short loc_F82992 ; compute the length of the string held in array_40
.text:00F829AE                                         ; ;
.text:00F829B0                 mov     edx, [ebp+var_260]
.text:00F829B6                 sub     edx, [ebp+var_2A4]
.text:00F829BC                 mov     [ebp+input_buf_copy_length], edx ;
.text:00F829BC                                         ; ;
.text:00F829C2                 mov     eax, [ebp+input_buf_copy_length]
.text:00F829C8                 push    eax             ; length
.text:00F829C9                 lea     ecx, [ebp+input_buf_copy]
.text:00F829CC                 push    ecx             ; data transformed in place
.text:00F829CD                 lea     edx, [ebp+aray2_256]
.text:00F829D3                 push    edx             ; state from $check_key2 (first arg)
.text:00F829D4                 mov     ecx, [ebp+pThis]
.text:00F829DA                 call    $check_key3     ; maps to check3 in the C port: (state, data, len)
.text:00F829DA                                         ; ;
.text:00F829DF                 mov     [ebp+do_while2_count], 1Fh ; compare 32 bytes, last to first
.text:00F829E9                 jmp     short loc_F829FA
.text:00F829EB ; ---------------------------------------------------------------------------
.text:00F829EB
.text:00F829EB do_while2:                              ; CODE XREF: $star_check:_continue↓j
.text:00F829EB                 mov     eax, [ebp+do_while2_count]
.text:00F829F1                 sub     eax, 1
.text:00F829F4                 mov     [ebp+do_while2_count], eax
.text:00F829FA
.text:00F829FA loc_F829FA:                             ; CODE XREF: $star_check+3E9↑j
.text:00F829FA                 cmp     [ebp+do_while2_count], 0
.text:00F82A01                 jl      ret_1           ; all 32 bytes matched -> accept
.text:00F82A07                 mov     ecx, [ebp+do_while2_count]
.text:00F82A0D                 movsx   edx, [ebp+ecx+input_buf_copy] ; both sides are sign-extended (movsx),
.text:00F82A0D                                         ; so a C port must compare them with the same signedness
.text:00F82A12                 mov     eax, [ebp+do_while2_count]
.text:00F82A18                 movsx   ecx, byte ptr ss:(loc_F826B7+1 - 0F82944h)[ebp+eax] ; array_0x20
.text:00F82A18                                         ; loc_F826B7+1 - 0F82944h = -28Ch = array_0x20, i.e.
.text:00F82A18                                         ; movsx ecx, [ebp+eax+array_0x20]
.text:00F82A20                 cmp     edx, ecx
.text:00F82A22                 jz      short _continue ; byte matches -> next one
.text:00F82A24                 call    $+5             ; mismatch: same junk sequence as at 00F8293F,
.text:00F82A24                                         ; eventually reaching ret_0_3 (result 0)
.text:00F82A29                 pop     eax
.text:00F82A2A                 mov     [ebp+var_23C], eax
.text:00F82A30                 call    ret_0_3__       ; pushes the address of byte_F82A35 and skips it
.text:00F82A30 ; ---------------------------------------------------------------------------
.text:00F82A35 byte_F82A35     db 0EAh                 ; never executed
.text:00F82A36 ; ---------------------------------------------------------------------------
.text:00F82A36                 jmp     short ret_0_3_
.text:00F82A38 ; ---------------------------------------------------------------------------
.text:00F82A38
.text:00F82A38 ret_0_3__:                              ; CODE XREF: $star_check+430↑j
.text:00F82A38                 pop     ebx
.text:00F82A39                 inc     ebx
.text:00F82A3A                 push    ebx
.text:00F82A3B                 mov     eax, 11111111h  ; junk
.text:00F82A40                 retn                    ; to 00F82A36
.text:00F82A41 ; ---------------------------------------------------------------------------
.text:00F82A41
.text:00F82A41 ret_0_3_:                               ; CODE XREF: $star_check+436↑j
.text:00F82A41                 call    loc_F82A4D      ; callee jumps straight to ret_0_3
.text:00F82A46                 mov     ebx, 33333333h  ; never executed
.text:00F82A4B                 jmp     short ret_0_3   ; never executed
.text:00F82A4D ; ---------------------------------------------------------------------------
.text:00F82A4D
.text:00F82A4D loc_F82A4D:                             ; CODE XREF: $star_check:ret_0_3_↑p
.text:00F82A4D                 mov     ebx, 11111111h  ; junk
.text:00F82A52                 pop     ebx             ; drop the return address
.text:00F82A53                 mov     ebx, offset ret_0_3
.text:00F82A58                 push    ebx
.text:00F82A59                 retn                    ; to ret_0_3
.text:00F82A5A ; ---------------------------------------------------------------------------
.text:00F82A5A
.text:00F82A5A ret_0_3:                                ; CODE XREF: $star_check+44B↑j
.text:00F82A5A                                         ; DATA XREF: $star_check+453↑o
.text:00F82A5A                 mov     ebx, 22222222h  ; junk
.text:00F82A5F                 mov     [ebp+var_255], 0 ; result 0: reject
.text:00F82A66
.text:00F82A66 ret_0_2:                                ; CODE XREF: $star_check+225↑j
.text:00F82A66                 mov     dl, [ebp+var_255]
.text:00F82A6C                 mov     [ebp+var_256], dl
.text:00F82A72                 jmp     short ret_0
.text:00F82A74 ; ---------------------------------------------------------------------------
.text:00F82A74 ; Not reached: no xref and the block above ends in jmp; duplicate of ret_0.
.text:00F82A74                 mov     byte ptr [ebp+var_4], 0
.text:00F82A78                 lea     ecx, [ebp+var_254]
.text:00F82A7E                 call    _this_string_free
.text:00F82A83                 mov     [ebp+var_4], 0FFFFFFFFh
.text:00F82A8A                 lea     ecx, [ebp+CString_input_key] ; void *
.text:00F82A8D                 call    _free2
.text:00F82A92                 mov     al, [ebp+var_255]
.text:00F82A98                 jmp     short ret
.text:00F82A9A ; ---------------------------------------------------------------------------
.text:00F82A9A
.text:00F82A9A _continue:                              ; CODE XREF: $star_check+422↑j
.text:00F82A9A                 jmp     do_while2
.text:00F82A9F ; ---------------------------------------------------------------------------
.text:00F82A9F
.text:00F82A9F ret_1:                                  ; CODE XREF: $star_check+401↑j
.text:00F82A9F                 mov     [ebp+var_256], 1 ; result 1: key accepted
.text:00F82AA6
.text:00F82AA6 ret_0:                                  ; CODE XREF: $star_check+472↑j
.text:00F82AA6 ; Common cleanup: free the temporary string and the CString argument,
.text:00F82AA6 ; then return var_256 in al.
.text:00F82AA6                 mov     byte ptr [ebp+var_4], 0
.text:00F82AAA                 lea     ecx, [ebp+var_254]
.text:00F82AB0                 call    _this_string_free
.text:00F82AB5                 mov     [ebp+var_4], 0FFFFFFFFh
.text:00F82ABC                 lea     ecx, [ebp+CString_input_key] ; void *
.text:00F82ABF                 call    _free2
.text:00F82AC4                 mov     al, [ebp+var_256]
.text:00F82ACA
.text:00F82ACA ret:                                    ; CODE XREF: $star_check+24E↑j
.text:00F82ACA                                         ; $star_check+498↑j
.text:00F82ACA                 mov     ecx, [ebp+var_C]
.text:00F82ACD                 mov     large fs:0, ecx ; unlink the SEH frame
.text:00F82AD4                 pop     ecx
.text:00F82AD5                 pop     ebx             ; undo the junk writes to ebx
.text:00F82AD6                 mov     ecx, [ebp+cookie]
.text:00F82AD9                 xor     ecx, ebp        ; StackCookie
.text:00F82ADB                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00F82AE0                 mov     esp, ebp
.text:00F82AE2                 pop     ebp
.text:00F82AE3                 retn    4               ; caller passed one stack argument (the CString)
.text:00F82AE3 $star_check     endp ; sp-analysis failed


.text:00F82AF0 $check_key      proc near               ; CODE XREF: $star_check+209↑p
.text:00F82AF0
.text:00F82AF0 pThis           = dword ptr -4Ch
.text:00F82AF0 var_pos1        = dword ptr -48h
.text:00F82AF0 input_buf_length= dword ptr -44h
.text:00F82AF0 param_str_length= dword ptr -40h
.text:00F82AF0 var_3C          = dword ptr -3Ch
.text:00F82AF0 input_buf       = dword ptr -38h
.text:00F82AF0 var_pos0        = dword ptr -34h
.text:00F82AF0 var_2F          = byte ptr -2Fh
.text:00F82AF0 var_2E          = byte ptr -2Eh
.text:00F82AF0 var_inputbut_i_to_byte= byte ptr -2Dh
.text:00F82AF0 intput_count    = dword ptr -2Ch
.text:00F82AF0 var_28          = dword ptr -28h
.text:00F82AF0 var_input_buf_copy= byte ptr -24h
.text:00F82AF0 cookie          = dword ptr -4
.text:00F82AF0 param_str       = dword ptr  8
.text:00F82AF0
.text:00F82AF0                 push    ebp
.text:00F82AF1                 mov     ebp, esp
.text:00F82AF3                 sub     esp, 4Ch
.text:00F82AF6                 mov     eax, ___security_cookie
.text:00F82AFB                 xor     eax, ebp
.text:00F82AFD                 mov     [ebp+cookie], eax
.text:00F82B00                 push    ebx
.text:00F82B01                 mov     [ebp+pThis], ecx
.text:00F82B04                 mov     [ebp+intput_count], 0
.text:00F82B0B                 mov     eax, [ebp+param_str]
.text:00F82B0E                 mov     [ebp+input_buf], eax
.text:00F82B11                 mov     ecx, [ebp+input_buf]
.text:00F82B14                 add     ecx, 1
.text:00F82B17                 mov     [ebp+var_3C], ecx
.text:00F82B1A
.text:00F82B1A do_while:                               ; CODE XREF: $check_key+3A↓j
.text:00F82B1A                 mov     edx, [ebp+input_buf]
.text:00F82B1D                 mov     al, [edx]
.text:00F82B1F                 mov     [ebp+var_2F], al
.text:00F82B22                 add     [ebp+input_buf], 1
.text:00F82B26                 cmp     [ebp+var_2F], 0
.text:00F82B2A                 jnz     short do_while  ;
.text:00F82B2A                                         ; ;
.text:00F82B2C                 mov     ecx, [ebp+input_buf]
.text:00F82B2F                 sub     ecx, [ebp+var_3C] ;
.text:00F82B2F                                         ; ;
.text:00F82B32                 mov     [ebp+input_buf_length], ecx
.text:00F82B35                 mov     edx, [ebp+input_buf_length]
.text:00F82B38                 sub     edx, 6
.text:00F82B3B                 mov     [ebp+intput_count], edx
.text:00F82B3E                 cmp     [ebp+intput_count], 32
.text:00F82B42                 jz      short loc_F82B4C
.text:00F82B44                 or      eax, 0FFFFFFFFh
.text:00F82B47                 jmp     ret_not_1
.text:00F82B4C ; ---------------------------------------------------------------------------
.text:00F82B4C
.text:00F82B4C loc_F82B4C:                             ; CODE XREF: $check_key+52↑j
.text:00F82B4C                 mov     [ebp+var_input_buf_copy], 0
.text:00F82B50                 xor     eax, eax
.text:00F82B52                 mov     dword ptr [ebp+var_input_buf_copy+1], eax
.text:00F82B55                 mov     dword ptr [ebp+var_input_buf_copy+5], eax
.text:00F82B58                 mov     dword ptr [ebp+var_input_buf_copy+9], eax
.text:00F82B5B                 mov     dword ptr [ebp+var_input_buf_copy+0Dh], eax
.text:00F82B5E                 mov     dword ptr [ebp+var_input_buf_copy+11h], eax
.text:00F82B61                 mov     dword ptr [ebp+var_input_buf_copy+15h], eax
.text:00F82B64                 mov     dword ptr [ebp+var_input_buf_copy+19h], eax
.text:00F82B67                 mov     word ptr [ebp+var_input_buf_copy+1Dh], ax
.text:00F82B6B                 mov     [ebp+var_input_buf_copy+1Fh], al
.text:00F82B6E                 call    $+5
.text:00F82B73                 pop     eax
.text:00F82B74                 mov     [ebp+var_28], eax
.text:00F82B77                 call    loc_F82B7F
.text:00F82B77 ; ---------------------------------------------------------------------------
.text:00F82B7C byte_F82B7C     db 0EAh
.text:00F82B7D ; ---------------------------------------------------------------------------
.text:00F82B7D                 jmp     short loc_F82B88
.text:00F82B7F ; ---------------------------------------------------------------------------
.text:00F82B7F
.text:00F82B7F loc_F82B7F:                             ; CODE XREF: $check_key+87↑j
.text:00F82B7F                 pop     ebx
.text:00F82B80                 inc     ebx
.text:00F82B81                 push    ebx
.text:00F82B82                 mov     eax, 11111111h
.text:00F82B87                 retn
.text:00F82B88 ; ---------------------------------------------------------------------------
.text:00F82B88
.text:00F82B88 loc_F82B88:                             ; CODE XREF: $check_key+8D↑j
.text:00F82B88                 call    loc_F82B94
.text:00F82B8D                 mov     ebx, 33333333h
.text:00F82B92                 jmp     short loc_F82BA1
.text:00F82B94 ; ---------------------------------------------------------------------------
.text:00F82B94
.text:00F82B94 loc_F82B94:                             ; CODE XREF: $check_key:loc_F82B88↑p
.text:00F82B94                 mov     ebx, 11111111h
.text:00F82B99                 pop     ebx
.text:00F82B9A                 mov     ebx, offset loc_F82BA1
.text:00F82B9F                 push    ebx
.text:00F82BA0                 retn
.text:00F82BA1 ; ---------------------------------------------------------------------------
.text:00F82BA1
.text:00F82BA1 loc_F82BA1:                             ; CODE XREF: $check_key+A2↑j
.text:00F82BA1                                         ; DATA XREF: $check_key+AA↑o
.text:00F82BA1                 mov     ebx, 22222222h
.text:00F82BA6                 mov     ecx, [ebp+intput_count]
.text:00F82BA9                 push    ecx             ; Count
.text:00F82BAA                 mov     edx, [ebp+param_str] ; 输入的字符串真正开始做校验的是从第五个字节开始
.text:00F82BAD                 add     edx, 5
.text:00F82BB0                 push    edx             ; Source
.text:00F82BB1                 lea     eax, [ebp+var_input_buf_copy]
.text:00F82BB4                 push    eax             ; Destination
.text:00F82BB5                 call    _strncpy
.text:00F82BBA                 add     esp, 0Ch
.text:00F82BBD                 mov     [ebp+intput_count], 0
.text:00F82BC4                 jmp     short for1
.text:00F82BC6 ; ---------------------------------------------------------------------------
.text:00F82BC6
.text:00F82BC6 for1_continue:                          ; CODE XREF: $check_key+149↓j
.text:00F82BC6                 mov     ecx, [ebp+intput_count]
.text:00F82BC9                 add     ecx, 1
.text:00F82BCC                 mov     [ebp+intput_count], ecx
.text:00F82BCF
.text:00F82BCF for1:                                   ; CODE XREF: $check_key+D4↑j
.text:00F82BCF                 cmp     [ebp+intput_count], 10h
.text:00F82BD3                 jge     short for1_break ;
.text:00F82BD3                                         ; ;
.text:00F82BD5                 mov     edx, [ebp+intput_count]
.text:00F82BD8                 mov     al, [ebp+edx+var_input_buf_copy]
.text:00F82BDC                 mov     [ebp+var_inputbut_i_to_byte], al ; array_32[i]
.text:00F82BDF                 call    $+5
.text:00F82BE4                 pop     eax
.text:00F82BE5                 mov     [ebp+var_28], eax
.text:00F82BE8                 call    loc_F82BF0
.text:00F82BE8 ; ---------------------------------------------------------------------------
.text:00F82BED byte_F82BED     db 0EAh
.text:00F82BEE ; ---------------------------------------------------------------------------
.text:00F82BEE                 jmp     short loc_F82BF9
.text:00F82BF0 ; ---------------------------------------------------------------------------
.text:00F82BF0
.text:00F82BF0 loc_F82BF0:                             ; CODE XREF: $check_key+F8↑j
.text:00F82BF0                 pop     ebx
.text:00F82BF1                 inc     ebx
.text:00F82BF2                 push    ebx
.text:00F82BF3                 mov     eax, 11111111h
.text:00F82BF8                 retn
.text:00F82BF9 ; ---------------------------------------------------------------------------
.text:00F82BF9
.text:00F82BF9 loc_F82BF9:                             ; CODE XREF: $check_key+FE↑j
.text:00F82BF9                 call    loc_F82C05
.text:00F82BFE                 mov     ebx, 33333333h
.text:00F82C03                 jmp     short loc_F82C12 ;
.text:00F82C03                                         ; ;
.text:00F82C05 ; ---------------------------------------------------------------------------
.text:00F82C05
.text:00F82C05 loc_F82C05:                             ; CODE XREF: $check_key:loc_F82BF9↑p
.text:00F82C05                 mov     ebx, 11111111h
.text:00F82C0A                 pop     ebx
.text:00F82C0B                 mov     ebx, offset loc_F82C12 ;
.text:00F82C0B                                         ; ;
.text:00F82C10                 push    ebx
.text:00F82C11                 retn
.text:00F82C12 ; ---------------------------------------------------------------------------
.text:00F82C12
.text:00F82C12 loc_F82C12:                             ; CODE XREF: $check_key+113↑j
.text:00F82C12                                         ; DATA XREF: $check_key+11B↑o
.text:00F82C12                 mov     ebx, 22222222h  ;
.text:00F82C12                                         ; ;
.text:00F82C17                 mov     ecx, 31
.text:00F82C1C                 sub     ecx, [ebp+intput_count] ; ecx = 31 - count;
.text:00F82C1F                 mov     edx, [ebp+intput_count]
.text:00F82C22                 mov     al, [ebp+ecx+var_input_buf_copy]
.text:00F82C26                 mov     [ebp+edx+var_input_buf_copy], al ; var_input_buf_copy[i] = var_input_buf_copy[31-count];
.text:00F82C2A                 mov     ecx, 31
.text:00F82C2F                 sub     ecx, [ebp+intput_count]
.text:00F82C32                 mov     dl, [ebp+var_inputbut_i_to_byte]
.text:00F82C35                 mov     [ebp+ecx+var_input_buf_copy], dl ; array_32[0x1F - count] = var_array_i;
.text:00F82C39                 jmp     short for1_continue
.text:00F82C3B ; ---------------------------------------------------------------------------
.text:00F82C3B
.text:00F82C3B for1_break:                             ; CODE XREF: $check_key+E3↑j
.text:00F82C3B                 mov     eax, [ebp+param_str]
.text:00F82C3E                 mov     [ebp+var_pos0], eax
.text:00F82C41                 mov     ecx, [ebp+var_pos0]
.text:00F82C44                 add     ecx, 1
.text:00F82C47                 mov     [ebp+var_pos1], ecx
.text:00F82C4A
.text:00F82C4A do_while3:                              ; CODE XREF: $check_key+16A↓j
.text:00F82C4A                 mov     edx, [ebp+var_pos0]
.text:00F82C4D                 mov     al, [edx]
.text:00F82C4F                 mov     [ebp+var_2E], al
.text:00F82C52                 add     [ebp+var_pos0], 1
.text:00F82C56                 cmp     [ebp+var_2E], 0
.text:00F82C5A                 jnz     short do_while3 ; 计算param_str长度
.text:00F82C5A                                         ; ;
.text:00F82C5C                 mov     ecx, [ebp+var_pos0]
.text:00F82C5F                 sub     ecx, [ebp+var_pos1]
.text:00F82C62                 mov     [ebp+param_str_length], ecx
.text:00F82C65                 mov     edx, [ebp+param_str_length] ;
.text:00F82C65                                         ; ;
.text:00F82C68                 push    edx             ; Size
.text:00F82C69                 push    0               ; Val
.text:00F82C6B                 mov     eax, [ebp+param_str]
.text:00F82C6E                 push    eax             ; void *
.text:00F82C6F                 call    _memset         ; 清空参数buf
.text:00F82C74                 add     esp, 0Ch        ;
.text:00F82C74                                         ; ;
.text:00F82C77                 push    20h ; ' '       ; Count
.text:00F82C79                 lea     ecx, [ebp+var_input_buf_copy]
.text:00F82C7C                 push    ecx             ; Source
.text:00F82C7D                 mov     edx, [ebp+param_str]
.text:00F82C80                 push    edx             ; Destination
.text:00F82C81                 call    _strncpy        ; 把颠倒后的buf拷贝给参数
.text:00F82C86                 add     esp, 0Ch
.text:00F82C89                 xor     eax, eax        ; ret 0;
.text:00F82C8B
.text:00F82C8B ret_not_1:                              ; CODE XREF: $check_key+57↑j
.text:00F82C8B                 pop     ebx
.text:00F82C8C                 mov     ecx, [ebp+cookie]
.text:00F82C8F                 xor     ecx, ebp        ; StackCookie
.text:00F82C91                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00F82C96                 mov     esp, ebp
.text:00F82C98                 pop     ebp
.text:00F82C99                 retn    4
.text:00F82C99 $check_key      endp ; sp-analysis failed


.text:00F82CA0 $check_key2     proc near               ; CODE XREF: $star_check+33A↑p
.text:00F82CA0 ; RC4 key-scheduling (KSA), __thiscall: ecx = this (saved in pThis, otherwise unused here).
.text:00F82CA0 ; Stack args (retn 0Ch): param_str_buf = 256-byte S-box to fill, param_str_buf2 = key
.text:00F82CA0 ;   bytes, param_str_buf2_length = key length (unsigned divisor of the div below).
.text:00F82CA0 ; Loop 1: S[i] = i and array_256[i] = key[i % keylen] for i in 0..255.
.text:00F82CA0 ; Loop 2: var_114 = (var_114 + S[i] + array_256[i]) with a sign-preserving "% 256",
.text:00F82CA0 ;   then swap S[i] and S[var_114].
.text:00F82CA0 ; Key bytes are sign-extended (movsx), so a key byte >= 80h can drive var_114 negative
.text:00F82CA0 ;   and the swap then indexes before param_str_buf; textbook RC4 uses unsigned bytes.
.text:00F82CA0 ;   (Unless the caller restricts the key to bytes < 80h — not visible here.)
.text:00F82CA0 ; The call $+5 / pop / call / db 0EAh / push-retn runs are junk-code obfuscation: each
.text:00F82CA0 ;   falls through to the next real instruction and only clobbers eax, ebx and var_108.
.text:00F82CA0 ; No return value is set on the exit path visible here (for2_break).
.text:00F82CA0
.text:00F82CA0 pThis           = dword ptr -118h ; this (ecx)
.text:00F82CA0 var_114         = dword ptr -114h ; RC4 "j" accumulator, starts at 0
.text:00F82CA0 var_10D         = byte ptr -10Dh ; swap temporary
.text:00F82CA0 for2_index      = dword ptr -10Ch ; loop counter i, reused by both loops
.text:00F82CA0 var_108         = dword ptr -108h ; scratch: eip captured by the junk code
.text:00F82CA0 array_256       = byte ptr -104h ; key expanded/repeated to 256 bytes
.text:00F82CA0 var_cookie      = dword ptr -4
.text:00F82CA0 param_str_buf   = dword ptr  8 ; S-box (256 bytes, written)
.text:00F82CA0 param_str_buf2  = dword ptr  0Ch ; key bytes
.text:00F82CA0 param_str_buf2_length= dword ptr  10h ; key length; a length of 0 faults at the div
.text:00F82CA0
.text:00F82CA0                 push    ebp
.text:00F82CA1                 mov     ebp, esp
.text:00F82CA3                 sub     esp, 118h
.text:00F82CA9                 mov     eax, ___security_cookie
.text:00F82CAE                 xor     eax, ebp
.text:00F82CB0                 mov     [ebp+var_cookie], eax
.text:00F82CB3                 push    ebx             ; ebx is clobbered by the junk code below; restored at for2_break
.text:00F82CB4                 mov     [ebp+pThis], ecx
.text:00F82CBA                 mov     [ebp+for2_index], 0
.text:00F82CC4                 mov     [ebp+var_114], 0
.text:00F82CCE                 mov     [ebp+array_256], 0
.text:00F82CD5                 push    0FFh            ; Size
.text:00F82CDA                 push    0               ; Val
.text:00F82CDC                 lea     eax, [ebp+array_256+1]
.text:00F82CE2                 push    eax             ; void *
.text:00F82CE3                 call    _memset         ; array_256[1..255] = 0 (array_256 = {0})
.text:00F82CE8                 add     esp, 0Ch        ;
.text:00F82CE8                                         ; ;
.text:00F82CEB                 mov     [ebp+var_10D], 0
.text:00F82CF2                 mov     [ebp+for2_index], 0
.text:00F82CFC                 jmp     short for1
.text:00F82CFE ; ---------------------------------------------------------------------------
.text:00F82CFE
.text:00F82CFE for1_continue:                          ; CODE XREF: $check_key2+E3↓j
.text:00F82CFE                 mov     ecx, [ebp+for2_index]
.text:00F82D04                 add     ecx, 1
.text:00F82D07                 mov     [ebp+for2_index], ecx ; index++
.text:00F82D0D
.text:00F82D0D for1:                                   ; CODE XREF: $check_key2+5C↑p
.text:00F82D0D                 cmp     [ebp+for2_index], 100h
.text:00F82D17                 jge     short for1_break ; for (index = 0; index < 256; index++)
.text:00F82D19                 mov     edx, [ebp+param_str_buf]
.text:00F82D1C                 add     edx, [ebp+for2_index]
.text:00F82D22                 mov     al, byte ptr [ebp+for2_index]
.text:00F82D28                 mov     [edx], al       ; param_str_buf[index] = (BYTE)index;
.text:00F82D2A                 call    $+5             ; junk: pushes eip, popped into eax next
.text:00F82D2F
.text:00F82D2F loc_F82D2F:                             ; DATA XREF: $check_key2+D9↓r
.text:00F82D2F                 pop     eax             ; eax = 0F82D2Fh
.text:00F82D30                 mov     [ebp+var_108], eax ; never read afterwards in this listing
.text:00F82D36                 call    loc_F82D3E      ; return address = 0F82D3Bh (the db 0EAh byte)
.text:00F82D36 ; ---------------------------------------------------------------------------
.text:00F82D3B                 db 0EAh                 ; never executed: loc_F82D3E returns to +1 (the jmp)
.text:00F82D3C ; ---------------------------------------------------------------------------
.text:00F82D3C                 jmp     short loc_F82D47
.text:00F82D3E ; ---------------------------------------------------------------------------
.text:00F82D3E
.text:00F82D3E loc_F82D3E:                             ; CODE XREF: $check_key2+96↑p
.text:00F82D3E                 pop     ebx             ; ebx = 0F82D3Bh
.text:00F82D3F                 inc     ebx             ; skip the 0EAh byte
.text:00F82D40                 push    ebx
.text:00F82D41                 mov     eax, 11111111h  ; junk constant
.text:00F82D46                 retn                    ; -> 0F82D3Ch (jmp short loc_F82D47)
.text:00F82D47 ; ---------------------------------------------------------------------------
.text:00F82D47
.text:00F82D47 loc_F82D47:                             ; CODE XREF: $check_key2+9C↑j
.text:00F82D47                 call    loc_F82D53      ; pushes 0F82D4Ch, which loc_F82D53 discards
.text:00F82D4C                 mov     ebx, 33333333h  ; not reached via the retn below
.text:00F82D51                 jmp     short loc_F82D60 ;
.text:00F82D51                                         ; ;
.text:00F82D53 ; ---------------------------------------------------------------------------
.text:00F82D53
.text:00F82D53 loc_F82D53:                             ; CODE XREF: $check_key2:loc_F82D47↑p
.text:00F82D53                 mov     ebx, 11111111h  ; junk constant, overwritten immediately
.text:00F82D58                 pop     ebx             ; discard return address
.text:00F82D59                 mov     ebx, offset loc_F82D60 ;
.text:00F82D59                                         ; ;
.text:00F82D5E                 push    ebx
.text:00F82D5F                 retn                    ; -> loc_F82D60 (net effect: plain fall-through)
.text:00F82D60 ; ---------------------------------------------------------------------------
.text:00F82D60
.text:00F82D60 loc_F82D60:                             ; CODE XREF: $check_key2+B1↑j
.text:00F82D60                                         ; DATA XREF: $check_key2+B9↑o
.text:00F82D60                 mov     ebx, 22222222h  ; junk constant
.text:00F82D60                                         ; ;
.text:00F82D65                 mov     eax, [ebp+for2_index]
.text:00F82D6B                 xor     edx, edx
.text:00F82D6D                 div     [ebp+param_str_buf2_length] ; unsigned edx:eax / keylen, remainder in edx
.text:00F82D70                 mov     ecx, [ebp+for2_index]
.text:00F82D76                 mov     eax, [ebp+param_str_buf2]
.text:00F82D79                 mov     dl, byte ptr ds:(loc_F82D2F - 0F82D2Fh)[eax+edx] ; tmp = param_str_buf2[index % param_str_buf2_length]
.text:00F82D79                                         ; (displacement is 0: this is just [eax+edx])
.text:00F82D7C                 mov     [ebp+ecx+array_256], dl ; array_256[index] = tmp;
.text:00F82D83                 jmp     for1_continue
.text:00F82D88 ; ---------------------------------------------------------------------------
.text:00F82D88
.text:00F82D88 for1_break:                             ; CODE XREF: $check_key2+77↑j
.text:00F82D88                 mov     [ebp+for2_index], 0 ; second loop reuses the counter
.text:00F82D92                 jmp     short for2
.text:00F82D94 ; ---------------------------------------------------------------------------
.text:00F82D94
.text:00F82D94 for2_continue:                          ; CODE XREF: $check_key2+1BE↓j
.text:00F82D94                 mov     eax, [ebp+for2_index]
.text:00F82D9A                 add     eax, 1
.text:00F82D9D                 mov     [ebp+for2_index], eax ; index++
.text:00F82DA3
.text:00F82DA3 for2:                                   ; CODE XREF: $check_key2+F2↑j
.text:00F82DA3                 cmp     [ebp+for2_index], 100h
.text:00F82DAD                 jge     for2_break      ; for (index = 0; index < 256; index++)
.text:00F82DAD                                         ; ;
.text:00F82DB3                 mov     ecx, [ebp+param_str_buf]
.text:00F82DB6                 add     ecx, [ebp+for2_index]
.text:00F82DBC                 movzx   edx, byte ptr [ecx] ; tmp = param_str_buf[index]; (unsigned, 0..255)
.text:00F82DBF                 add     edx, [ebp+var_114] ; tmp += var_114; (var_114 starts at 0)
.text:00F82DBF                                         ; ;
.text:00F82DC5                 mov     eax, [ebp+for2_index]
.text:00F82DCB                 movsx   ecx, [ebp+eax+array_256] ; tmp2 = array_256[index]; (movsx: key byte >= 80h becomes negative)
.text:00F82DD3                 add     edx, ecx        ; tmp += tmp2;
.text:00F82DD3                                         ; ;
.text:00F82DD5                 and     edx, 800000FFh  ; keep low byte and sign bit
.text:00F82DDB                 jns     short loc_F82DE5 ; if the masked sum is non-negative, tmp &= 0FFh is done
.text:00F82DDD                 dec     edx             ; tmp--;
.text:00F82DDE                 or      edx, 0FFFFFF00h ; tmp |= 0FFFFFF00h;
.text:00F82DE4                 inc     edx             ; tmp++;  -> sign-preserving remainder (signed tmp % 256), so tmp may be negative
.text:00F82DE5
.text:00F82DE5 loc_F82DE5:                             ; CODE XREF: $check_key2+13B↑j
.text:00F82DE5                 mov     [ebp+var_114], edx ; var_114 = tmp;
.text:00F82DEB                 call    $+5             ; junk run, same shape as at 0F82D2A
.text:00F82DF0                 pop     eax
.text:00F82DF1                 mov     [ebp+var_108], eax
.text:00F82DF7                 call    loc_F82DFF
.text:00F82DF7 ; ---------------------------------------------------------------------------
.text:00F82DFC byte_F82DFC     db 0EAh                 ; skipped by the inc ebx / retn below
.text:00F82DFD ; ---------------------------------------------------------------------------
.text:00F82DFD                 jmp     short loc_F82E08
.text:00F82DFF ; ---------------------------------------------------------------------------
.text:00F82DFF
.text:00F82DFF loc_F82DFF:                             ; CODE XREF: $check_key2+157↑p
.text:00F82DFF                 pop     ebx
.text:00F82E00                 inc     ebx
.text:00F82E01                 push    ebx
.text:00F82E02                 mov     eax, 11111111h
.text:00F82E07                 retn                    ; -> 0F82DFDh (jmp short loc_F82E08)
.text:00F82E08 ; ---------------------------------------------------------------------------
.text:00F82E08
.text:00F82E08 loc_F82E08:                             ; CODE XREF: $check_key2+15D↑j
.text:00F82E08                 call    loc_F82E14
.text:00F82E0D                 mov     ebx, 33333333h
.text:00F82E12                 jmp     short loc_F82E21 ;
.text:00F82E12                                         ;
.text:00F82E12                                         ; ;
.text:00F82E14 ; ---------------------------------------------------------------------------
.text:00F82E14
.text:00F82E14 loc_F82E14:                             ; CODE XREF: $check_key2:loc_F82E08↑p
.text:00F82E14                 mov     ebx, 11111111h
.text:00F82E19                 pop     ebx
.text:00F82E1A                 mov     ebx, offset loc_F82E21 ;
.text:00F82E1A                                         ;
.text:00F82E1A                                         ; ;
.text:00F82E1F                 push    ebx
.text:00F82E20                 retn                    ; -> loc_F82E21
.text:00F82E21 ; ---------------------------------------------------------------------------
.text:00F82E21
.text:00F82E21 loc_F82E21:                             ; CODE XREF: $check_key2+172↑j
.text:00F82E21                                         ; DATA XREF: $check_key2+17A↑o
.text:00F82E21                 mov     ebx, 22222222h  ; junk constant
.text:00F82E21                                         ;
.text:00F82E21                                         ; ;
.text:00F82E26                 mov     edx, [ebp+param_str_buf]
.text:00F82E29                 add     edx, [ebp+for2_index]
.text:00F82E2F                 mov     al, [edx]
.text:00F82E31                 mov     [ebp+var_10D], al ; var_10D = param_str_buf[index];
.text:00F82E31                                         ; ;
.text:00F82E37                 mov     ecx, [ebp+param_str_buf]
.text:00F82E3A                 add     ecx, [ebp+for2_index]
.text:00F82E40                 mov     edx, [ebp+param_str_buf]
.text:00F82E43                 add     edx, [ebp+var_114] ; var_114 < 0 addresses memory before param_str_buf
.text:00F82E49                 mov     al, [edx]
.text:00F82E4B                 mov     [ecx], al       ; param_str_buf[index] = param_str_buf[var_114];
.text:00F82E4B                                         ; ;
.text:00F82E4D                 mov     ecx, [ebp+param_str_buf]
.text:00F82E50                 add     ecx, [ebp+var_114]
.text:00F82E56                 mov     dl, [ebp+var_10D]
.text:00F82E5C                 mov     [ecx], dl       ; param_str_buf[var_114] = var_10D;  (swap complete)
.text:00F82E5E                 jmp     for2_continue
.text:00F82E63 ; ---------------------------------------------------------------------------
.text:00F82E63
.text:00F82E63 for2_break:                             ; CODE XREF: $check_key2+10D↑j
.text:00F82E63                 pop     ebx             ; restore caller's ebx
.text:00F82E64                 mov     ecx, [ebp+var_cookie]
.text:00F82E67                 xor     ecx, ebp        ; StackCookie
.text:00F82E69                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00F82E6E                 mov     esp, ebp
.text:00F82E70                 pop     ebp
.text:00F82E71                 retn    0Ch             ; callee pops the three dword args
.text:00F82E71 $check_key2     endp ; sp-analysis failed


.text:00F82E80 $check_key3     proc near               ; CODE XREF: $star_check+3DA↑p
.text:00F82E80 ; RC4 keystream generation (PRGA) XORed in place, __thiscall: ecx = this (saved, unused here).
.text:00F82E80 ; Stack args (retn 0Ch): [ebp+8] param1_buf_256 = S-box, [ebp+0Ch] = buffer to transform
.text:00F82E80 ;   (IDA gave it no stack symbol; the comments call it param1_input_buf),
.text:00F82E80 ;   [ebp+10h] param_inputbuf_length = its length (compared unsigned, jnb).
.text:00F82E80 ; Per byte: var_BYTE_10 = (i + 1) masked to a byte, var_BYTE_18 = (j + S[i]) masked,
.text:00F82E80 ;   swap S[i], S[j], var_1C = (S[i] + S[j]) masked, buf[index] ^= S[var_1C].
.text:00F82E80 ; The masking is the same sign-preserving "% 256" idiom as in $check_key2; S entries are
.text:00F82E80 ;   read with movzx (unsigned) and i starts at 0, so the indices stay in 0..255 here
.text:00F82E80 ;   provided the S-box itself was built in bounds.
.text:00F82E80 ; IDA split the body into chunks and two one-shot "subroutines" (sub_F82ED6, sub_F82F6F)
.text:00F82E80 ;   because of the junk call/pop/retn runs; they all belong to this function.
.text:00F82E80 ; The loop increment lives in the collapsed sub_F82EF1 (not shown) — presumably index++
.text:00F82E80 ;   followed by a jump back to loc_F82EFA; confirm when expanding it.
.text:00F82E80 ; No return value is set on the exit path (fun_end).
.text:00F82E80
.text:00F82E80 pThis           = dword ptr -20h ; this (ecx)
.text:00F82E80 var_1C          = dword ptr -1Ch ; keystream index (S[i] + S[j]) & 0FFh
.text:00F82E80 var_BYTE_18     = dword ptr -18h ; RC4 "j"
.text:00F82E80 index           = dword ptr -14h ; position in the input buffer
.text:00F82E80 var_BYTE_10     = dword ptr -10h ; RC4 "i"
.text:00F82E80 var_9           = byte ptr -9 ; swap temporary
.text:00F82E80 var_8           = dword ptr -8 ; scratch: eip captured by the junk code
.text:00F82E80 cookie          = dword ptr -4
.text:00F82E80 param1_buf_256  = dword ptr  8 ; S-box (256 bytes, read and swapped)
.text:00F82E80 param_inputbuf_length= dword ptr  10h ; length of the buffer at [ebp+0Ch]
.text:00F82E80
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82EE3 SIZE 0000000E BYTES
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82EFA SIZE 0000005D BYTES
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82F5A SIZE 00000009 BYTES
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82FE4 SIZE 00000011 BYTES
.text:00F82E80
.text:00F82E80                 push    ebp
.text:00F82E81                 mov     ebp, esp
.text:00F82E83                 sub     esp, 20h
.text:00F82E86                 mov     eax, ___security_cookie
.text:00F82E8B                 xor     eax, ebp
.text:00F82E8D                 mov     [ebp+cookie], eax
.text:00F82E90                 push    ebx             ; ebx is clobbered by the junk code; restored at fun_end
.text:00F82E91                 mov     [ebp+pThis], ecx
.text:00F82E94                 mov     [ebp+var_BYTE_10], 0 ; i = 0
.text:00F82E9B                 mov     [ebp+var_BYTE_18], 0 ; j = 0
.text:00F82EA2                 mov     [ebp+var_1C], 0
.text:00F82EA9                 mov     [ebp+index], 0
.text:00F82EB0                 call    $+5             ; junk: eip -> eax
.text:00F82EB5
.text:00F82EB5 loc_F82EB5:                             ; DATA XREF: $check_key3+A5↓r
.text:00F82EB5                 pop     eax
.text:00F82EB6                 mov     [ebp+var_8], eax
.text:00F82EB9                 call    loc_F82EC1      ; return address = 0F82EBEh (the db 0EAh byte)
.text:00F82EB9 ; ---------------------------------------------------------------------------
.text:00F82EBE                 db 0EAh                 ; never executed: loc_F82EC1 returns to +1
.text:00F82EBF ; ---------------------------------------------------------------------------
.text:00F82EBF                 jmp     short loc_F82ECA
.text:00F82EC1 ; ---------------------------------------------------------------------------
.text:00F82EC1
.text:00F82EC1 loc_F82EC1:                             ; CODE XREF: $check_key3+39↑p
.text:00F82EC1                 pop     ebx
.text:00F82EC2                 inc     ebx             ; skip the 0EAh byte
.text:00F82EC3                 push    ebx
.text:00F82EC4                 mov     eax, 11111111h  ; junk constant
.text:00F82EC9                 retn                    ; -> 0F82EBFh (jmp short loc_F82ECA)
.text:00F82ECA ; ---------------------------------------------------------------------------
.text:00F82ECA
.text:00F82ECA loc_F82ECA:                             ; CODE XREF: $check_key3+3F↑j
.text:00F82ECA                 call    sub_F82ED6      ; "sub" discards the return address and jumps to loc_F82EE3
.text:00F82ECF                 mov     ebx, 33333333h  ; not reached
.text:00F82ED4                 jmp     short loc_F82EE3
.text:00F82ED4 $check_key3     endp ; sp-analysis failed
.text:00F82ED4
.text:00F82ED6
.text:00F82ED6 ; =============== S U B R O U T I N E =======================================
.text:00F82ED6
.text:00F82ED6
.text:00F82ED6 sub_F82ED6      proc near               ; CODE XREF: $check_key3:loc_F82ECA↑p
.text:00F82ED6 ; Junk-code trampoline, part of $check_key3: pops its own return address and "returns" to loc_F82EE3.
.text:00F82ED6                 mov     ebx, 11111111h
.text:00F82EDB                 pop     ebx             ; discard return address
.text:00F82EDC                 mov     ebx, offset loc_F82EE3
.text:00F82EE1                 push    ebx
.text:00F82EE2                 retn                    ; -> loc_F82EE3
.text:00F82EE2 sub_F82ED6      endp
.text:00F82EE2
.text:00F82EE3 ; ---------------------------------------------------------------------------
.text:00F82EE3 ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82EE3
.text:00F82EE3 loc_F82EE3:                             ; CODE XREF: $check_key3+54↑j
.text:00F82EE3                                         ; DATA XREF: sub_F82ED6+6↑o
.text:00F82EE3                 mov     ebx, 22222222h  ; junk constant
.text:00F82EE8                 mov     [ebp+index], 0  ; index = 0 (loop start)
.text:00F82EEF                 jmp     short loc_F82EFA
.text:00F82EEF ; END OF FUNCTION CHUNK FOR $check_key3
.text:00F82EF1 ; [00000009 BYTES: COLLAPSED FUNCTION sub_F82EF1. PRESS CTRL-NUMPAD+ TO EXPAND]
.text:00F82EFA ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82EFA
.text:00F82EFA loc_F82EFA:                             ; CODE XREF: $check_key3+6F↑j
.text:00F82EFA                 mov     ecx, [ebp+index]
.text:00F82EFD                 cmp     ecx, [ebp+param_inputbuf_length] ; ebp+10h param_inputbuf_length
.text:00F82F00                 jnb     fun_end         ; while (index < length)  (unsigned compare)
.text:00F82F00                                         ; ;
.text:00F82F06                 mov     edx, [ebp+var_BYTE_10]
.text:00F82F09                 add     edx, 1          ; i + 1
.text:00F82F0C                 and     edx, 800000FFh  ; keep low byte and sign bit
.text:00F82F12                 jns     short loc_F82F1C ; if (tmp >= 0) the mask alone is the result
.text:00F82F12                                         ; ;
.text:00F82F14                 dec     edx
.text:00F82F15                 or      edx, 0FFFFFF00h ; sign-preserving fix-up (signed % 256); not taken here since i >= 0
.text:00F82F1B                 inc     edx
.text:00F82F1C
.text:00F82F1C loc_F82F1C:                             ; CODE XREF: $check_key3+92↑j
.text:00F82F1C                 mov     [ebp+var_BYTE_10], edx ; var_BYTE_10 = (var_BYTE_10 + 1) & 0FFh;
.text:00F82F1C                                         ; ;
.text:00F82F1F                 mov     eax, [ebp+param1_buf_256]
.text:00F82F22                 add     eax, [ebp+var_BYTE_10]
.text:00F82F25                 movzx   ecx, byte ptr ds:(loc_F82EB5 - 0F82EB5h)[eax] ; tmp = param1_buf_256[var_BYTE_10]; (displacement is 0: plain [eax], unsigned byte)
.text:00F82F28                 add     ecx, [ebp+var_BYTE_18] ; tmp += j
.text:00F82F2B                 and     ecx, 800000FFh
.text:00F82F31                 jns     short loc_F82F3B ; skip the fix-up when the masked sum is non-negative
.text:00F82F31                                         ; ;
.text:00F82F33                 dec     ecx
.text:00F82F34                 or      ecx, 0FFFFFF00h ; sign-preserving fix-up (signed % 256)
.text:00F82F3A                 inc     ecx
.text:00F82F3B
.text:00F82F3B loc_F82F3B:                             ; CODE XREF: $check_key3+B1↑j
.text:00F82F3B                 mov     [ebp+var_BYTE_18], ecx ; var_BYTE_18 = (var_BYTE_18 + S[i]) & 0FFh;
.text:00F82F3B                                         ; ;
.text:00F82F3E                 mov     edx, [ebp+param1_buf_256]
.text:00F82F41                 add     edx, [ebp+var_BYTE_10]
.text:00F82F44                 mov     al, [edx]
.text:00F82F46                 mov     [ebp+var_9], al ; var_9 = param1_buf_256[var_BYTE_10];
.text:00F82F49                 call    $+5             ; junk run, same shape as at 0F82EB0
.text:00F82F4E
.text:00F82F4E loc_F82F4E:                             ; DATA XREF: .text:00F82FA2↓r
.text:00F82F4E                                         ; .text:00F82FD2↓r
.text:00F82F4E                 pop     eax
.text:00F82F4F                 mov     [ebp+var_8], eax
.text:00F82F52                 call    loc_F82F5A
.text:00F82F52 ; END OF FUNCTION CHUNK FOR $check_key3
.text:00F82F52 ; ---------------------------------------------------------------------------
.text:00F82F57                 db 0EAh                 ; skipped by the inc ebx / retn below
.text:00F82F58 ; ---------------------------------------------------------------------------
.text:00F82F58                 jmp     short loc_F82F63
.text:00F82F5A ; ---------------------------------------------------------------------------
.text:00F82F5A ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82F5A
.text:00F82F5A loc_F82F5A:                             ; CODE XREF: $check_key3+D2↑p
.text:00F82F5A                 pop     ebx
.text:00F82F5B                 inc     ebx
.text:00F82F5C                 push    ebx
.text:00F82F5D                 mov     eax, 11111111h
.text:00F82F62                 retn                    ; -> 0F82F58h (jmp short loc_F82F63)
.text:00F82F62 ; END OF FUNCTION CHUNK FOR $check_key3
.text:00F82F63 ; ---------------------------------------------------------------------------
.text:00F82F63
.text:00F82F63 loc_F82F63:                             ; CODE XREF: .text:00F82F58↑j
.text:00F82F63                 call    sub_F82F6F      ; trampoline to loc_F82F7C
.text:00F82F68                 mov     ebx, 33333333h  ; not reached
.text:00F82F6D                 jmp     short loc_F82F7C ;
.text:00F82F6D                                         ; ;
.text:00F82F6F
.text:00F82F6F ; =============== S U B R O U T I N E =======================================
.text:00F82F6F
.text:00F82F6F
.text:00F82F6F sub_F82F6F      proc near               ; CODE XREF: .text:loc_F82F63↑p
.text:00F82F6F ; Junk-code trampoline, part of $check_key3: discards the return address and "returns" to loc_F82F7C.
.text:00F82F6F                 mov     ebx, 11111111h
.text:00F82F74                 pop     ebx
.text:00F82F75                 mov     ebx, offset loc_F82F7C ;
.text:00F82F75                                         ; ;
.text:00F82F7A                 push    ebx
.text:00F82F7B                 retn                    ; -> loc_F82F7C
.text:00F82F7B sub_F82F6F      endp
.text:00F82F7B
.text:00F82F7C ; ---------------------------------------------------------------------------
.text:00F82F7C
.text:00F82F7C loc_F82F7C:                             ; CODE XREF: .text:00F82F6D↑j
.text:00F82F7C                                         ; DATA XREF: sub_F82F6F+6↑o
.text:00F82F7C                 mov     ebx, 22222222h  ; junk constant
.text:00F82F7C                                         ; ;
.text:00F82F81                 mov     ecx, [ebp+8]    ; ebp+8 == param1_buf_256 (IDA lost the frame symbols in this chunk)
.text:00F82F84                 add     ecx, [ebp-10h]  ; ebp-10h == var_BYTE_10 (i)
.text:00F82F84                                         ; ;
.text:00F82F87                 mov     edx, [ebp+8]
.text:00F82F8A                 add     edx, [ebp-18h]  ; ebp-18h == var_BYTE_18 (j)
.text:00F82F8D                 mov     al, [edx]
.text:00F82F8F                 mov     [ecx], al       ; param1_buf_256[var_BYTE_10] = param1_buf_256[var_BYTE_18];
.text:00F82F8F                                         ; ;
.text:00F82F91                 mov     ecx, [ebp+8]
.text:00F82F94                 add     ecx, [ebp-18h]
.text:00F82F97                 mov     dl, [ebp-9]     ; ebp-9 == var_9
.text:00F82F9A                 mov     [ecx], dl       ; param1_buf_256[var_BYTE_18] = var_9;  (swap complete)
.text:00F82F9A                                         ; ;
.text:00F82F9C                 mov     eax, [ebp+8]
.text:00F82F9F                 add     eax, [ebp-10h]
.text:00F82FA2                 movzx   ecx, byte ptr ds:(loc_F82F4E - 0F82F4Eh)[eax] ; tmp = param1_buf_256[var_BYTE_10]; (displacement 0: plain [eax])
.text:00F82FA2                                         ; ;
.text:00F82FA5                 mov     edx, [ebp+8]
.text:00F82FA8                 add     edx, [ebp-18h]
.text:00F82FAB                 movzx   eax, byte ptr [edx]
.text:00F82FAE                 add     ecx, eax        ; tmp += param1_buf_256[var_BYTE_18];
.text:00F82FB0                 and     ecx, 800000FFh  ; keep low byte and sign bit
.text:00F82FB6                 jns     short loc_F82FC0 ; skip the fix-up when the masked sum is non-negative (always, both operands are movzx)
.text:00F82FB8                 dec     ecx             ; tmp--;
.text:00F82FB9                 or      ecx, 0FFFFFF00h ; tmp |= 0FFFFFF00h;
.text:00F82FBF                 inc     ecx             ; tmp++;
.text:00F82FC0
.text:00F82FC0 loc_F82FC0:                             ; CODE XREF: .text:00F82FB6↑j
.text:00F82FC0                 mov     [ebp-1Ch], ecx  ; var_BYTE_1C = tmp;  (keystream index, 0..255)
.text:00F82FC0                                         ; ;
.text:00F82FC3                 mov     ecx, [ebp+8]
.text:00F82FC6                 add     ecx, [ebp-1Ch]
.text:00F82FC9                 movzx   edx, byte ptr [ecx] ; tmp = param1_buf_256[var_BYTE_1C];  (keystream byte)
.text:00F82FC9                                         ; ;
.text:00F82FCC                 mov     eax, [ebp+0Ch]  ; ebp+0Ch = param1_input_buf
.text:00F82FCF                 add     eax, [ebp-14h]  ; ebp-14h == index
.text:00F82FD2                 movzx   ecx, byte ptr ds:(loc_F82F4E - 0F82F4Eh)[eax] ; tmp2 = param1_input_buf[index]; (displacement 0: plain [eax])
.text:00F82FD5                 xor     ecx, edx
.text:00F82FD7                 mov     edx, [ebp+0Ch]
.text:00F82FDA                 add     edx, [ebp-14h]
.text:00F82FDD                 mov     [edx], cl       ; param1_input_buf[index] ^= tmp;  (in-place RC4 XOR)
.text:00F82FDF                 jmp     sub_F82EF1      ; collapsed 9-byte stub: presumably index++ then back to loc_F82EFA (not shown)
.text:00F82FE4 ; ---------------------------------------------------------------------------
.text:00F82FE4 ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82FE4
.text:00F82FE4 fun_end:                                ; CODE XREF: $check_key3+80↑j
.text:00F82FE4                 pop     ebx             ; restore caller's ebx
.text:00F82FE5                 mov     ecx, [ebp+cookie]
.text:00F82FE8                 xor     ecx, ebp        ; StackCookie
.text:00F82FEA                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00F82FEF                 mov     esp, ebp
.text:00F82FF1                 pop     ebp
.text:00F82FF2                 retn    0Ch             ; callee pops the three dword args
.text:00F82FF2 ; END OF FUNCTION CHUNK FOR $check_key3
