0x0 环境
——————–
环境:
系统:Windows 10
工具:ida pro,ollydbg
——————–
0x1 跑起来

这玩意跑起来就能看出UI是用没饭吃(MFC)做的,并且作者很贱地用对话框来做错误提示,而非用MessageBox。
既然是MFC程序,并且是通过点击Button来触发对输入KEY的校验,我还是想用IDA做静态分析慢慢磨:只需要“奥利给”一下,知道Check的Button回调地址为0x00252420,然后把IDA rebase设置为0x250000就可以了。
知道了回调地址后,还可以利用IDA自带的没饭吃sig文件来识别并屏蔽一些内置函数,避免深入到没饭吃的库代码里出不来,那就闹笑话了。
0x2 程序分析
虽然这个名字叫做“直言直语”,但是里面的弯弯绕绕真的不少。错误信息弹框用DLG显示就不说了,还写了一些花指令,不过都是很基础的指令替换,并没有用很复杂以及大量跳转的辣鸡指令。如果用OD调试的话,右键->分析->从模块中删除分析即可。
说实话我是没有认出程序里面用到的是开源的RC4加密算法,我以为算法是作者自己撸的。之前我并没有去了解过网上有哪些算法,还是自己太水了。
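#include <algorithm>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else
// Stand-ins for the Win32 typedefs so this reference implementation also
// builds off Windows; the sizes match the x86 binary being reproduced.
using BYTE = unsigned char;
using DWORD = std::uint32_t;
#endif

// Reference re-implementation of the crackme's three checks ($check_key,
// $check_key2 and $check_key3 in the listing below). Every check returns
// false on success and true on failure, which is how main() bails out.

// $check_key: the key must be exactly 38 characters. 32 of them (offsets
// 5..36, i.e. skip five at the front and one at the end) are copied out,
// reversed, and written back over the start of pw.
// pw: NUL-terminated key buffer of at least 256 bytes, rewritten in place.
// Returns true if the length check fails (pw is then left untouched),
// false otherwise.
bool check1(char* pw) {
    const std::size_t length = std::strlen(pw);
    // The binary computes strlen(pw) - 6 and rejects anything but 32
    // (cmp ..., 32 / jz), so a "< 38" test would wrongly accept longer keys.
    if (length != 38) {
        return true;
    }
    char tmp[256] = {0};
    // The bytes inside strlen() are never NUL, so memcpy matches strncpy here.
    std::memcpy(tmp, pw + 5, 32);
    std::reverse(tmp, tmp + 32);
    // The binary zeroes the whole original string before copying the 32
    // reversed bytes back, so bytes 32..37 end up as NUL as well.
    std::memset(pw, 0, length);
    std::memcpy(pw, tmp, 32);
    return false;
}

// $check_key2: RC4 key scheduling (KSA). Fills buf1 with the identity
// permutation 0..255 and shuffles it with the key in buf2, which is
// repeated cyclically over the 256 positions. In the binary the key is the
// built-in "qwertyuiop", so the resulting state is identical on every run.
// buf1: 256-byte state table to initialise (written).
// buf2/buf2_len: key bytes and their count.
// Returns true only when buf2_len is not positive (the binary would divide
// by zero at that point), false otherwise.
bool check2(BYTE* buf1, char* buf2, int buf2_len) {
    if (buf2_len <= 0) {
        return true;
    }
    for (int i = 0; i < 0x100; i++) {
        buf1[i] = static_cast<BYTE>(i);
    }
    // Note on the binary: it sign-extends each key byte (movsx) and then
    // reduces with a signed "% 256" (and 800000FFh / jns fix-up), so a key
    // byte >= 0x80 would yield a negative index there. For ASCII keys that
    // is identical to the plain "& 0xFF" used here, which is also what
    // standard RC4 specifies.
    int j = 0;
    for (int i = 0; i < 0x100; i++) {
        const BYTE key_byte = static_cast<BYTE>(buf2[i % buf2_len]);
        j = (j + buf1[i] + key_byte) & 0xFF;
        std::swap(buf1[i], buf1[j]);
    }
    return false;
}

// $check_key3: RC4 keystream generation (PRGA), XORed over inkey in place.
// pbuf1: 256-byte state produced by check2 (advanced as a side effect).
// inkey/inkey_len: buffer to encrypt/decrypt and its length in bytes.
// Always returns false. The keystream depends only on pbuf1, so running
// this twice from the same initial state restores the original bytes.
bool check3(BYTE* pbuf1, char* inkey, int inkey_len) {
    int i = 0;
    int j = 0;
    for (int k = 0; k < inkey_len; k++) {
        // Every operand is in 0..255, so the binary's signed "% 256"
        // fix-up never fires and "& 0xFF" is exact.
        i = (i + 1) & 0xFF;
        j = (j + pbuf1[i]) & 0xFF;
        std::swap(pbuf1[i], pbuf1[j]);
        const int t = (pbuf1[i] + pbuf1[j]) & 0xFF;
        inkey[k] ^= static_cast<char>(pbuf1[t]);
    }
    return false;
}

// Drives the three checks on the candidate key and prints "ok" when the
// RC4 output equals the 32 bytes the binary hard-codes ($star_check's
// array_0x20). Returns 0 either way, like the original.
int main() {
    char password[256] = "00000973387a11fa3f724d74802857d3e052f0";
    if (check1(password)) {
        return 0;
    }
    BYTE buf256[256] = {0};
    char tmp[256] = "qwertyuiop";
    if (check2(buf256, tmp, static_cast<int>(std::strlen(tmp)))) {
        return 0;
    }
    const BYTE check_buf[0x20] = {
        0x5B, 0xD6, 0xD0, 0x26, 0xC8, 0xDD, 0x19, 0x7E,
        0x6E, 0x3E, 0xCB, 0x16, 0x91, 0x7D, 0xFF, 0xAF,
        0xDD, 0x76, 0x64, 0xB0, 0xF7, 0xE5, 0x89, 0x57,
        0x82, 0x9F, 0x0C, 0x00, 0x9E, 0xD0, 0x45, 0xFA
    };
    check3(buf256, password, 0x20);
    // Compare as raw bytes: with a signed char password[] an element
    // >= 0x80 would never compare equal to the unsigned BYTE expected
    // value, so an element-wise "!=" reported "err" for a correct key.
    if (std::memcmp(password, check_buf, 0x20) != 0) {
        std::cout << "err \n";
        return 0;
    }
    std::cout << "ok \n";
    return 0;
}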
.text:00F82600 ; Attributes: bp-based frame .text:00F82600 .text:00F82600 $star_check proc near ; CODE XREF: $button_callback+64↑p .text:00F82600 .text:00F82600 array_512 = byte ptr -4BCh .text:00F82600 varstr_qwertyuiop_length= dword ptr -2BCh .text:00F82600 var_2B8 = dword ptr -2B8h .text:00F82600 input_buf_copy_length= dword ptr -2B4h .text:00F82600 Count = dword ptr -2B0h .text:00F82600 var_2AC = dword ptr -2ACh .text:00F82600 var_2A8 = dword ptr -2A8h .text:00F82600 var_2A4 = dword ptr -2A4h .text:00F82600 var_2A0 = dword ptr -2A0h .text:00F82600 var_29C = dword ptr -29Ch .text:00F82600 var_298 = byte ptr -298h .text:00F82600 Source = dword ptr -294h .text:00F82600 pThis = dword ptr -290h .text:00F82600 array_0x20 = byte ptr -28Ch .text:00F82600 var_26C = dword ptr -26Ch .text:00F82600 var_268 = dword ptr -268h .text:00F82600 do_while2_count = dword ptr -264h .text:00F82600 var_260 = dword ptr -260h .text:00F82600 var_25A = byte ptr -25Ah .text:00F82600 var_259 = byte ptr -259h .text:00F82600 var_258 = byte ptr -258h .text:00F82600 var_257 = byte ptr -257h .text:00F82600 var_256 = byte ptr -256h .text:00F82600 var_255 = byte ptr -255h .text:00F82600 var_254 = byte ptr -254h .text:00F82600 var_23C = dword ptr -23Ch .text:00F82600 aray2_256 = byte ptr -238h .text:00F82600 varstr_qwertyuiop_buf= byte ptr -138h .text:00F82600 input_buf_copy = byte ptr -38h .text:00F82600 cookie = dword ptr -10h .text:00F82600 var_C = dword ptr -0Ch .text:00F82600 var_4 = dword ptr -4 .text:00F82600 CString_input_key= dword ptr 8 .text:00F82600 arg_4 = dword ptr 0Ch .text:00F82600 .text:00F82600 ; FUNCTION CHUNK AT .text:010CD5B0 SIZE 00000046 BYTES .text:00F82600 .text:00F82600 push ebp .text:00F82601 mov ebp, esp .text:00F82603 push 0FFFFFFFFh .text:00F82605 push offset SEH_402600 .text:00F8260A mov eax, large fs:0 .text:00F82610 push eax .text:00F82611 sub esp, 4B0h .text:00F82617 mov eax, ___security_cookie .text:00F8261C xor eax, ebp .text:00F8261E mov [ebp+cookie], eax 
.text:00F82621 push ebx .text:00F82622 push eax .text:00F82623 lea eax, [ebp+var_C] .text:00F82626 mov large fs:0, eax ; .text:00F82626 ; ; .text:00F8262C mov [ebp+pThis], ecx .text:00F82632 mov [ebp+var_4], 0 .text:00F82639 mov [ebp+array_0x20], 5Bh ; '[' .text:00F82640 mov [ebp+array_0x20+1], 0D6h .text:00F82647 mov [ebp+array_0x20+2], 0D0h .text:00F8264E mov [ebp+array_0x20+3], 26h ; '&' .text:00F82655 mov [ebp+array_0x20+4], 0C8h .text:00F8265C mov [ebp+array_0x20+5], 0DDh .text:00F82663 mov [ebp+array_0x20+6], 19h .text:00F8266A mov [ebp+array_0x20+7], 7Eh ; '~' .text:00F82671 mov [ebp+array_0x20+8], 6Eh ; 'n' .text:00F82678 mov [ebp+array_0x20+9], 3Eh ; '>' .text:00F8267F mov [ebp+array_0x20+0Ah], 0CBh .text:00F82686 mov [ebp+array_0x20+0Bh], 16h .text:00F8268D mov [ebp+array_0x20+0Ch], 91h .text:00F82694 mov [ebp+array_0x20+0Dh], 7Dh ; '}' .text:00F8269B mov [ebp+array_0x20+0Eh], 0FFh .text:00F826A2 mov [ebp+array_0x20+0Fh], 0AFh .text:00F826A9 mov [ebp+array_0x20+10h], 0DDh .text:00F826B0 mov [ebp+array_0x20+11h], 76h ; 'v' .text:00F826B7 .text:00F826B7 loc_F826B7: ; DATA XREF: $star_check+418↓r .text:00F826B7 mov [ebp+array_0x20+12h], 64h ; 'd' .text:00F826BE mov [ebp+array_0x20+13h], 0B0h .text:00F826C5 mov [ebp+array_0x20+14h], 0F7h .text:00F826CC mov [ebp+array_0x20+15h], 0E5h .text:00F826D3 mov [ebp+array_0x20+16h], 89h .text:00F826DA mov [ebp+array_0x20+17h], 57h ; 'W' .text:00F826E1 mov [ebp+array_0x20+18h], 82h .text:00F826E8 mov [ebp+array_0x20+19h], 9Fh .text:00F826EF mov [ebp+array_0x20+1Ah], 0Ch .text:00F826F6 mov [ebp+array_0x20+1Bh], 0 .text:00F826FD mov [ebp+array_0x20+1Ch], 9Eh .text:00F82704 mov [ebp+array_0x20+1Dh], 0D0h .text:00F8270B mov [ebp+array_0x20+1Eh], 45h ; 'E' .text:00F82712 mov [ebp+array_0x20+1Fh], 0FAh ; .text:00F82712 ; ; .text:00F82719 lea ecx, [ebp+CString_input_key] .text:00F8271C call CString_GetBuffer .text:00F82721 push eax .text:00F82722 lea ecx, [ebp+var_298] .text:00F82728 call sub_F830A0 .text:00F8272D mov 
[ebp+var_29C], eax ; .text:00F8272D ; ; .text:00F82733 mov eax, [ebp+var_29C] .text:00F82739 mov [ebp+var_2AC], eax .text:00F8273F mov byte ptr [ebp+var_4], 1 .text:00F82743 mov ecx, [ebp+var_2AC] .text:00F82749 call CString_GetBuffer .text:00F8274E push eax .text:00F8274F lea ecx, [ebp+var_254] .text:00F82755 call sub_F83000 ; .text:00F82755 ; ; .text:00F8275A mov byte ptr [ebp+var_4], 3 .text:00F8275E lea ecx, [ebp+var_298] ; void * .text:00F82764 call _free2 .text:00F82769 lea ecx, [ebp+var_254] .text:00F8276F call unknown_libname_1 ; Microsoft VisualC 2-14/net runtime .text:00F82774 mov [ebp+Source], eax ; .text:00F82774 ; ; .text:00F8277A mov ecx, [ebp+Source] .text:00F82780 mov [ebp+var_268], ecx .text:00F82786 mov edx, [ebp+var_268] .text:00F8278C add edx, 1 .text:00F8278F mov [ebp+var_2A0], edx .text:00F82795 .text:00F82795 do_while: ; CODE XREF: $star_check+1B1↓j .text:00F82795 mov eax, [ebp+var_268] .text:00F8279B mov cl, [eax] .text:00F8279D mov [ebp+var_259], cl .text:00F827A3 add [ebp+var_268], 1 .text:00F827AA cmp [ebp+var_259], 0 .text:00F827B1 jnz short do_while ; .text:00F827B1 ; ; .text:00F827B3 mov edx, [ebp+var_268] .text:00F827B9 sub edx, [ebp+var_2A0] .text:00F827BF mov [ebp+var_2A8], edx .text:00F827C5 mov eax, [ebp+var_2A8] .text:00F827CB mov [ebp+Count], eax ; .text:00F827CB ; ; .text:00F827D1 mov [ebp+input_buf_copy], 0 .text:00F827D5 push 27h ; ''' ; Size .text:00F827D7 push 0 ; Val .text:00F827D9 lea ecx, [ebp+input_buf_copy+1] .text:00F827DC push ecx ; void * .text:00F827DD call _memset .text:00F827E2 add esp, 0Ch ; .text:00F827E2 ; ; .text:00F827E5 mov edx, [ebp+Count] .text:00F827EB push edx ; Count .text:00F827EC mov eax, [ebp+Source] .text:00F827F2 push eax ; Source .text:00F827F3 lea ecx, [ebp+input_buf_copy] .text:00F827F6 push ecx ; Destination .text:00F827F7 call _strncpy .text:00F827FC add esp, 0Ch ; .text:00F827FC ; ; .text:00F827FF lea edx, [ebp+input_buf_copy] .text:00F82802 push edx ; param_str .text:00F82803 mov ecx, 
[ebp+pThis] .text:00F82809 call $check_key ; $check_key: .text:00F82809 ; 1. 检查输入的字符串长度必须满足38字节 .text:00F82809 ; 2. 去掉输入的字符串前6个字符,保留后32字节使用 .text:00F82809 ; 3. 将输入的后32字节颠倒 .text:00F8280E test eax, eax .text:00F82810 jz short loc_F82853 ; .text:00F82810 ; ; .text:00F82812 mov [ebp+var_257], 0 .text:00F82819 mov al, [ebp+var_257] .text:00F8281F mov [ebp+var_255], al .text:00F82825 jmp ret_0_2 .text:00F8282A ; --------------------------------------------------------------------------- .text:00F8282A mov byte ptr [ebp+var_4], 0 .text:00F8282E lea ecx, [ebp+var_254] .text:00F82834 call _this_string_free .text:00F82839 mov [ebp+var_4], 0FFFFFFFFh .text:00F82840 lea ecx, [ebp+CString_input_key] ; void * .text:00F82843 call _free2 .text:00F82848 mov al, [ebp+var_257] .text:00F8284E jmp ret .text:00F82853 ; --------------------------------------------------------------------------- .text:00F82853 .text:00F82853 loc_F82853: ; CODE XREF: $star_check+210↑j .text:00F82853 mov ecx, dword ptr ds:aQwertyuiop ; "qwertyuiop" .text:00F82859 mov dword ptr [ebp+varstr_qwertyuiop_buf], ecx .text:00F8285F mov edx, dword ptr ds:aQwertyuiop+4 ; "tyuiop" .text:00F82865 mov dword ptr [ebp+varstr_qwertyuiop_buf+4], edx .text:00F8286B mov ax, word ptr ds:aQwertyuiop+8 ; "op" .text:00F82871 mov word ptr [ebp+varstr_qwertyuiop_buf+8], ax .text:00F82878 mov cl, byte ptr ds:aQwertyuiop+0Ah ; "" .text:00F8287E mov [ebp+varstr_qwertyuiop_buf+0Ah], cl .text:00F82884 push 0F5h ; Size .text:00F82889 push 0 ; Val .text:00F8288B lea edx, [ebp+varstr_qwertyuiop_buf+0Bh] .text:00F82891 push edx ; void * .text:00F82892 call _memset .text:00F82897 add esp, 0Ch ; .text:00F82897 ; ; .text:00F8289A mov [ebp+aray2_256], 0 .text:00F828A1 push 0FFh ; Size .text:00F828A6 push 0 ; Val .text:00F828A8 lea eax, [ebp+aray2_256+1] .text:00F828AE push eax ; void * .text:00F828AF call _memset .text:00F828B4 add esp, 0Ch ; .text:00F828B4 ; ; .text:00F828B7 mov [ebp+array_512], 0 .text:00F828BE push 1FFh ; Size 
.text:00F828C3 push 0 ; Val .text:00F828C5 lea ecx, [ebp+array_512+1] .text:00F828CB push ecx ; void * .text:00F828CC call _memset .text:00F828D1 add esp, 0Ch ; .text:00F828D1 ; ; .text:00F828D4 lea edx, [ebp+varstr_qwertyuiop_buf] .text:00F828DA mov [ebp+var_26C], edx .text:00F828E0 mov eax, [ebp+var_26C] .text:00F828E6 add eax, 1 .text:00F828E9 mov [ebp+var_2B8], eax .text:00F828EF .text:00F828EF loc_F828EF: ; CODE XREF: $star_check+30B↓j .text:00F828EF mov ecx, [ebp+var_26C] .text:00F828F5 mov dl, [ecx] .text:00F828F7 mov [ebp+var_25A], dl .text:00F828FD add [ebp+var_26C], 1 .text:00F82904 cmp [ebp+var_25A], 0 ; array_256 = "qwertyuiop" .text:00F8290B jnz short loc_F828EF ; 计算array_256的字符串长度 .text:00F8290B ; ; .text:00F8290D mov eax, [ebp+var_26C] .text:00F82913 sub eax, [ebp+var_2B8] .text:00F82919 mov [ebp+varstr_qwertyuiop_length], eax ; .text:00F82919 ; .text:00F82919 ; ; .text:00F8291F mov ecx, [ebp+varstr_qwertyuiop_length] .text:00F82925 push ecx .text:00F82926 lea edx, [ebp+varstr_qwertyuiop_buf] .text:00F8292C push edx .text:00F8292D lea eax, [ebp+aray2_256] .text:00F82933 push eax .text:00F82934 mov ecx, [ebp+pThis] .text:00F8293A call $check_key2 ; $check_key2: .text:00F8293A ; 1. 程序内置了key“qwertyuiop” .text:00F8293A ; 2. 
对“qwertyuiop”进行了加密操作 .text:00F8293A ; 这部分完全是由程序内置的并没有利用外部参数所以所有机器上计算出来的数据都是相同的。 .text:00F8293F call $+5 ; call 008B2944 .text:00F82944 .text:00F82944 loc_F82944: ; DATA XREF: $star_check+398↓r .text:00F82944 pop eax .text:00F82945 mov [ebp+var_23C], eax .text:00F8294B call loc_F82953 .text:00F8294B ; --------------------------------------------------------------------------- .text:00F82950 db 0EAh .text:00F82951 ; --------------------------------------------------------------------------- .text:00F82951 jmp short loc_F8295C .text:00F82953 ; --------------------------------------------------------------------------- .text:00F82953 .text:00F82953 loc_F82953: ; CODE XREF: $star_check+34B↑j .text:00F82953 pop ebx .text:00F82954 inc ebx .text:00F82955 push ebx .text:00F82956 mov eax, 11111111h .text:00F8295B retn .text:00F8295C ; --------------------------------------------------------------------------- .text:00F8295C .text:00F8295C loc_F8295C: ; CODE XREF: $star_check+351↑j .text:00F8295C call loc_F82968 .text:00F82961 mov ebx, 33333333h .text:00F82966 jmp short loc_F82975 ; .text:00F82966 ; ; .text:00F82968 ; --------------------------------------------------------------------------- .text:00F82968 .text:00F82968 loc_F82968: ; CODE XREF: $star_check:loc_F8295C↑p .text:00F82968 mov ebx, 11111111h .text:00F8296D pop ebx .text:00F8296E mov ebx, offset loc_F82975 ; .text:00F8296E ; ; .text:00F82973 push ebx .text:00F82974 retn .text:00F82975 ; --------------------------------------------------------------------------- .text:00F82975 .text:00F82975 loc_F82975: ; CODE XREF: $star_check+366↑j .text:00F82975 ; DATA XREF: $star_check+36E↑o .text:00F82975 mov ebx, 22222222h ; .text:00F82975 ; ; .text:00F8297A lea ecx, [ebp+input_buf_copy] .text:00F8297D mov [ebp+var_260], ecx .text:00F82983 mov edx, [ebp+var_260] .text:00F82989 add edx, 1 .text:00F8298C mov [ebp+var_2A4], edx .text:00F82992 .text:00F82992 loc_F82992: ; CODE XREF: $star_check+3AE↓j .text:00F82992 mov eax, 
[ebp+var_260] .text:00F82998 mov cl, byte ptr ds:(loc_F82944 - 0F82944h)[eax] .text:00F8299A mov [ebp+var_258], cl .text:00F829A0 add [ebp+var_260], 1 .text:00F829A7 cmp [ebp+var_258], 0 .text:00F829AE jnz short loc_F82992 ; 计算array_40保存字符串的长度 .text:00F829AE ; ; .text:00F829B0 mov edx, [ebp+var_260] .text:00F829B6 sub edx, [ebp+var_2A4] .text:00F829BC mov [ebp+input_buf_copy_length], edx ; .text:00F829BC ; ; .text:00F829C2 mov eax, [ebp+input_buf_copy_length] .text:00F829C8 push eax .text:00F829C9 lea ecx, [ebp+input_buf_copy] .text:00F829CC push ecx .text:00F829CD lea edx, [ebp+aray2_256] .text:00F829D3 push edx .text:00F829D4 mov ecx, [ebp+pThis] .text:00F829DA call $check_key3 ; .text:00F829DA ; ; .text:00F829DF mov [ebp+do_while2_count], 1Fh .text:00F829E9 jmp short loc_F829FA .text:00F829EB ; --------------------------------------------------------------------------- .text:00F829EB .text:00F829EB do_while2: ; CODE XREF: $star_check:_continue↓j .text:00F829EB mov eax, [ebp+do_while2_count] .text:00F829F1 sub eax, 1 .text:00F829F4 mov [ebp+do_while2_count], eax .text:00F829FA .text:00F829FA loc_F829FA: ; CODE XREF: $star_check+3E9↑j .text:00F829FA cmp [ebp+do_while2_count], 0 .text:00F82A01 jl ret_1 .text:00F82A07 mov ecx, [ebp+do_while2_count] .text:00F82A0D movsx edx, [ebp+ecx+input_buf_copy] .text:00F82A12 mov eax, [ebp+do_while2_count] .text:00F82A18 movsx ecx, byte ptr ss:(loc_F826B7+1 - 0F82944h)[ebp+eax] ; array_0x20 .text:00F82A20 cmp edx, ecx .text:00F82A22 jz short _continue .text:00F82A24 call $+5 .text:00F82A29 pop eax .text:00F82A2A mov [ebp+var_23C], eax .text:00F82A30 call ret_0_3__ .text:00F82A30 ; --------------------------------------------------------------------------- .text:00F82A35 byte_F82A35 db 0EAh .text:00F82A36 ; --------------------------------------------------------------------------- .text:00F82A36 jmp short ret_0_3_ .text:00F82A38 ; --------------------------------------------------------------------------- .text:00F82A38 
.text:00F82A38 ret_0_3__: ; CODE XREF: $star_check+430↑j .text:00F82A38 pop ebx .text:00F82A39 inc ebx .text:00F82A3A push ebx .text:00F82A3B mov eax, 11111111h .text:00F82A40 retn .text:00F82A41 ; --------------------------------------------------------------------------- .text:00F82A41 .text:00F82A41 ret_0_3_: ; CODE XREF: $star_check+436↑j .text:00F82A41 call loc_F82A4D .text:00F82A46 mov ebx, 33333333h .text:00F82A4B jmp short ret_0_3 .text:00F82A4D ; --------------------------------------------------------------------------- .text:00F82A4D .text:00F82A4D loc_F82A4D: ; CODE XREF: $star_check:ret_0_3_↑p .text:00F82A4D mov ebx, 11111111h .text:00F82A52 pop ebx .text:00F82A53 mov ebx, offset ret_0_3 .text:00F82A58 push ebx .text:00F82A59 retn .text:00F82A5A ; --------------------------------------------------------------------------- .text:00F82A5A .text:00F82A5A ret_0_3: ; CODE XREF: $star_check+44B↑j .text:00F82A5A ; DATA XREF: $star_check+453↑o .text:00F82A5A mov ebx, 22222222h .text:00F82A5F mov [ebp+var_255], 0 .text:00F82A66 .text:00F82A66 ret_0_2: ; CODE XREF: $star_check+225↑j .text:00F82A66 mov dl, [ebp+var_255] .text:00F82A6C mov [ebp+var_256], dl .text:00F82A72 jmp short ret_0 .text:00F82A74 ; --------------------------------------------------------------------------- .text:00F82A74 mov byte ptr [ebp+var_4], 0 .text:00F82A78 lea ecx, [ebp+var_254] .text:00F82A7E call _this_string_free .text:00F82A83 mov [ebp+var_4], 0FFFFFFFFh .text:00F82A8A lea ecx, [ebp+CString_input_key] ; void * .text:00F82A8D call _free2 .text:00F82A92 mov al, [ebp+var_255] .text:00F82A98 jmp short ret .text:00F82A9A ; --------------------------------------------------------------------------- .text:00F82A9A .text:00F82A9A _continue: ; CODE XREF: $star_check+422↑j .text:00F82A9A jmp do_while2 .text:00F82A9F ; --------------------------------------------------------------------------- .text:00F82A9F .text:00F82A9F ret_1: ; CODE XREF: $star_check+401↑j .text:00F82A9F mov 
[ebp+var_256], 1 .text:00F82AA6 .text:00F82AA6 ret_0: ; CODE XREF: $star_check+472↑j .text:00F82AA6 mov byte ptr [ebp+var_4], 0 .text:00F82AAA lea ecx, [ebp+var_254] .text:00F82AB0 call _this_string_free .text:00F82AB5 mov [ebp+var_4], 0FFFFFFFFh .text:00F82ABC lea ecx, [ebp+CString_input_key] ; void * .text:00F82ABF call _free2 .text:00F82AC4 mov al, [ebp+var_256] .text:00F82ACA .text:00F82ACA ret: ; CODE XREF: $star_check+24E↑j .text:00F82ACA ; $star_check+498↑j .text:00F82ACA mov ecx, [ebp+var_C] .text:00F82ACD mov large fs:0, ecx .text:00F82AD4 pop ecx .text:00F82AD5 pop ebx .text:00F82AD6 mov ecx, [ebp+cookie] .text:00F82AD9 xor ecx, ebp ; StackCookie .text:00F82ADB call @__security_check_cookie@4 ; __security_check_cookie(x) .text:00F82AE0 mov esp, ebp .text:00F82AE2 pop ebp .text:00F82AE3 retn 4 .text:00F82AE3 $star_check endp ; sp-analysis failed .text:00F82AF0 $check_key proc near ; CODE XREF: $star_check+209↑p .text:00F82AF0 .text:00F82AF0 pThis = dword ptr -4Ch .text:00F82AF0 var_pos1 = dword ptr -48h .text:00F82AF0 input_buf_length= dword ptr -44h .text:00F82AF0 param_str_length= dword ptr -40h .text:00F82AF0 var_3C = dword ptr -3Ch .text:00F82AF0 input_buf = dword ptr -38h .text:00F82AF0 var_pos0 = dword ptr -34h .text:00F82AF0 var_2F = byte ptr -2Fh .text:00F82AF0 var_2E = byte ptr -2Eh .text:00F82AF0 var_inputbut_i_to_byte= byte ptr -2Dh .text:00F82AF0 intput_count = dword ptr -2Ch .text:00F82AF0 var_28 = dword ptr -28h .text:00F82AF0 var_input_buf_copy= byte ptr -24h .text:00F82AF0 cookie = dword ptr -4 .text:00F82AF0 param_str = dword ptr 8 .text:00F82AF0 .text:00F82AF0 push ebp .text:00F82AF1 mov ebp, esp .text:00F82AF3 sub esp, 4Ch .text:00F82AF6 mov eax, ___security_cookie .text:00F82AFB xor eax, ebp .text:00F82AFD mov [ebp+cookie], eax .text:00F82B00 push ebx .text:00F82B01 mov [ebp+pThis], ecx .text:00F82B04 mov [ebp+intput_count], 0 .text:00F82B0B mov eax, [ebp+param_str] .text:00F82B0E mov [ebp+input_buf], eax .text:00F82B11 mov ecx, 
[ebp+input_buf] .text:00F82B14 add ecx, 1 .text:00F82B17 mov [ebp+var_3C], ecx .text:00F82B1A .text:00F82B1A do_while: ; CODE XREF: $check_key+3A↓j .text:00F82B1A mov edx, [ebp+input_buf] .text:00F82B1D mov al, [edx] .text:00F82B1F mov [ebp+var_2F], al .text:00F82B22 add [ebp+input_buf], 1 .text:00F82B26 cmp [ebp+var_2F], 0 .text:00F82B2A jnz short do_while ; .text:00F82B2A ; ; .text:00F82B2C mov ecx, [ebp+input_buf] .text:00F82B2F sub ecx, [ebp+var_3C] ; .text:00F82B2F ; ; .text:00F82B32 mov [ebp+input_buf_length], ecx .text:00F82B35 mov edx, [ebp+input_buf_length] .text:00F82B38 sub edx, 6 .text:00F82B3B mov [ebp+intput_count], edx .text:00F82B3E cmp [ebp+intput_count], 32 .text:00F82B42 jz short loc_F82B4C .text:00F82B44 or eax, 0FFFFFFFFh .text:00F82B47 jmp ret_not_1 .text:00F82B4C ; --------------------------------------------------------------------------- .text:00F82B4C .text:00F82B4C loc_F82B4C: ; CODE XREF: $check_key+52↑j .text:00F82B4C mov [ebp+var_input_buf_copy], 0 .text:00F82B50 xor eax, eax .text:00F82B52 mov dword ptr [ebp+var_input_buf_copy+1], eax .text:00F82B55 mov dword ptr [ebp+var_input_buf_copy+5], eax .text:00F82B58 mov dword ptr [ebp+var_input_buf_copy+9], eax .text:00F82B5B mov dword ptr [ebp+var_input_buf_copy+0Dh], eax .text:00F82B5E mov dword ptr [ebp+var_input_buf_copy+11h], eax .text:00F82B61 mov dword ptr [ebp+var_input_buf_copy+15h], eax .text:00F82B64 mov dword ptr [ebp+var_input_buf_copy+19h], eax .text:00F82B67 mov word ptr [ebp+var_input_buf_copy+1Dh], ax .text:00F82B6B mov [ebp+var_input_buf_copy+1Fh], al .text:00F82B6E call $+5 .text:00F82B73 pop eax .text:00F82B74 mov [ebp+var_28], eax .text:00F82B77 call loc_F82B7F .text:00F82B77 ; --------------------------------------------------------------------------- .text:00F82B7C byte_F82B7C db 0EAh .text:00F82B7D ; --------------------------------------------------------------------------- .text:00F82B7D jmp short loc_F82B88 .text:00F82B7F ; 
--------------------------------------------------------------------------- .text:00F82B7F .text:00F82B7F loc_F82B7F: ; CODE XREF: $check_key+87↑j .text:00F82B7F pop ebx .text:00F82B80 inc ebx .text:00F82B81 push ebx .text:00F82B82 mov eax, 11111111h .text:00F82B87 retn .text:00F82B88 ; --------------------------------------------------------------------------- .text:00F82B88 .text:00F82B88 loc_F82B88: ; CODE XREF: $check_key+8D↑j .text:00F82B88 call loc_F82B94 .text:00F82B8D mov ebx, 33333333h .text:00F82B92 jmp short loc_F82BA1 .text:00F82B94 ; --------------------------------------------------------------------------- .text:00F82B94 .text:00F82B94 loc_F82B94: ; CODE XREF: $check_key:loc_F82B88↑p .text:00F82B94 mov ebx, 11111111h .text:00F82B99 pop ebx .text:00F82B9A mov ebx, offset loc_F82BA1 .text:00F82B9F push ebx .text:00F82BA0 retn .text:00F82BA1 ; --------------------------------------------------------------------------- .text:00F82BA1 .text:00F82BA1 loc_F82BA1: ; CODE XREF: $check_key+A2↑j .text:00F82BA1 ; DATA XREF: $check_key+AA↑o .text:00F82BA1 mov ebx, 22222222h .text:00F82BA6 mov ecx, [ebp+intput_count] .text:00F82BA9 push ecx ; Count .text:00F82BAA mov edx, [ebp+param_str] ; 输入的字符串真正开始做校验的是从第五个字节开始 .text:00F82BAD add edx, 5 .text:00F82BB0 push edx ; Source .text:00F82BB1 lea eax, [ebp+var_input_buf_copy] .text:00F82BB4 push eax ; Destination .text:00F82BB5 call _strncpy .text:00F82BBA add esp, 0Ch .text:00F82BBD mov [ebp+intput_count], 0 .text:00F82BC4 jmp short for1 .text:00F82BC6 ; --------------------------------------------------------------------------- .text:00F82BC6 .text:00F82BC6 for1_continue: ; CODE XREF: $check_key+149↓j .text:00F82BC6 mov ecx, [ebp+intput_count] .text:00F82BC9 add ecx, 1 .text:00F82BCC mov [ebp+intput_count], ecx .text:00F82BCF .text:00F82BCF for1: ; CODE XREF: $check_key+D4↑j .text:00F82BCF cmp [ebp+intput_count], 10h .text:00F82BD3 jge short for1_break ; .text:00F82BD3 ; ; .text:00F82BD5 mov edx, [ebp+intput_count] 
.text:00F82BD8 mov al, [ebp+edx+var_input_buf_copy] .text:00F82BDC mov [ebp+var_inputbut_i_to_byte], al ; array_32[i] .text:00F82BDF call $+5 .text:00F82BE4 pop eax .text:00F82BE5 mov [ebp+var_28], eax .text:00F82BE8 call loc_F82BF0 .text:00F82BE8 ; --------------------------------------------------------------------------- .text:00F82BED byte_F82BED db 0EAh .text:00F82BEE ; --------------------------------------------------------------------------- .text:00F82BEE jmp short loc_F82BF9 .text:00F82BF0 ; --------------------------------------------------------------------------- .text:00F82BF0 .text:00F82BF0 loc_F82BF0: ; CODE XREF: $check_key+F8↑j .text:00F82BF0 pop ebx .text:00F82BF1 inc ebx .text:00F82BF2 push ebx .text:00F82BF3 mov eax, 11111111h .text:00F82BF8 retn .text:00F82BF9 ; --------------------------------------------------------------------------- .text:00F82BF9 .text:00F82BF9 loc_F82BF9: ; CODE XREF: $check_key+FE↑j .text:00F82BF9 call loc_F82C05 .text:00F82BFE mov ebx, 33333333h .text:00F82C03 jmp short loc_F82C12 ; .text:00F82C03 ; ; .text:00F82C05 ; --------------------------------------------------------------------------- .text:00F82C05 .text:00F82C05 loc_F82C05: ; CODE XREF: $check_key:loc_F82BF9↑p .text:00F82C05 mov ebx, 11111111h .text:00F82C0A pop ebx .text:00F82C0B mov ebx, offset loc_F82C12 ; .text:00F82C0B ; ; .text:00F82C10 push ebx .text:00F82C11 retn .text:00F82C12 ; --------------------------------------------------------------------------- .text:00F82C12 .text:00F82C12 loc_F82C12: ; CODE XREF: $check_key+113↑j .text:00F82C12 ; DATA XREF: $check_key+11B↑o .text:00F82C12 mov ebx, 22222222h ; .text:00F82C12 ; ; .text:00F82C17 mov ecx, 31 .text:00F82C1C sub ecx, [ebp+intput_count] ; ecx = 31 - count; .text:00F82C1F mov edx, [ebp+intput_count] .text:00F82C22 mov al, [ebp+ecx+var_input_buf_copy] .text:00F82C26 mov [ebp+edx+var_input_buf_copy], al ; var_input_buf_copy[i] = var_input_buf_copy[31-count]; .text:00F82C2A mov ecx, 31 .text:00F82C2F 
sub ecx, [ebp+intput_count] .text:00F82C32 mov dl, [ebp+var_inputbut_i_to_byte] .text:00F82C35 mov [ebp+ecx+var_input_buf_copy], dl ; array_32[0x1F - count] = var_array_i; .text:00F82C39 jmp short for1_continue .text:00F82C3B ; --------------------------------------------------------------------------- .text:00F82C3B .text:00F82C3B for1_break: ; CODE XREF: $check_key+E3↑j .text:00F82C3B mov eax, [ebp+param_str] .text:00F82C3E mov [ebp+var_pos0], eax .text:00F82C41 mov ecx, [ebp+var_pos0] .text:00F82C44 add ecx, 1 .text:00F82C47 mov [ebp+var_pos1], ecx .text:00F82C4A .text:00F82C4A do_while3: ; CODE XREF: $check_key+16A↓j .text:00F82C4A mov edx, [ebp+var_pos0] .text:00F82C4D mov al, [edx] .text:00F82C4F mov [ebp+var_2E], al .text:00F82C52 add [ebp+var_pos0], 1 .text:00F82C56 cmp [ebp+var_2E], 0 .text:00F82C5A jnz short do_while3 ; 计算param_str长度 .text:00F82C5A ; ; .text:00F82C5C mov ecx, [ebp+var_pos0] .text:00F82C5F sub ecx, [ebp+var_pos1] .text:00F82C62 mov [ebp+param_str_length], ecx .text:00F82C65 mov edx, [ebp+param_str_length] ; .text:00F82C65 ; ; .text:00F82C68 push edx ; Size .text:00F82C69 push 0 ; Val .text:00F82C6B mov eax, [ebp+param_str] .text:00F82C6E push eax ; void * .text:00F82C6F call _memset ; 清空参数buf .text:00F82C74 add esp, 0Ch ; .text:00F82C74 ; ; .text:00F82C77 push 20h ; ' ' ; Count .text:00F82C79 lea ecx, [ebp+var_input_buf_copy] .text:00F82C7C push ecx ; Source .text:00F82C7D mov edx, [ebp+param_str] .text:00F82C80 push edx ; Destination .text:00F82C81 call _strncpy ; 把颠倒后的buf拷贝给参数 .text:00F82C86 add esp, 0Ch .text:00F82C89 xor eax, eax ; ret 0; .text:00F82C8B .text:00F82C8B ret_not_1: ; CODE XREF: $check_key+57↑j .text:00F82C8B pop ebx .text:00F82C8C mov ecx, [ebp+cookie] .text:00F82C8F xor ecx, ebp ; StackCookie .text:00F82C91 call @__security_check_cookie@4 ; __security_check_cookie(x) .text:00F82C96 mov esp, ebp .text:00F82C98 pop ebp .text:00F82C99 retn 4 .text:00F82C99 $check_key endp ; sp-analysis failed .text:00F82CA0 $check_key2 proc 
near ; CODE XREF: $star_check+33A↑p .text:00F82CA0 .text:00F82CA0 pThis = dword ptr -118h .text:00F82CA0 var_114 = dword ptr -114h .text:00F82CA0 var_10D = byte ptr -10Dh .text:00F82CA0 for2_index = dword ptr -10Ch .text:00F82CA0 var_108 = dword ptr -108h .text:00F82CA0 array_256 = byte ptr -104h .text:00F82CA0 var_cookie = dword ptr -4 .text:00F82CA0 param_str_buf = dword ptr 8 .text:00F82CA0 param_str_buf2 = dword ptr 0Ch .text:00F82CA0 param_str_buf2_length= dword ptr 10h .text:00F82CA0 .text:00F82CA0 push ebp .text:00F82CA1 mov ebp, esp .text:00F82CA3 sub esp, 118h .text:00F82CA9 mov eax, ___security_cookie .text:00F82CAE xor eax, ebp .text:00F82CB0 mov [ebp+var_cookie], eax .text:00F82CB3 push ebx .text:00F82CB4 mov [ebp+pThis], ecx .text:00F82CBA mov [ebp+for2_index], 0 .text:00F82CC4 mov [ebp+var_114], 0 .text:00F82CCE mov [ebp+array_256], 0 .text:00F82CD5 push 0FFh ; Size .text:00F82CDA push 0 ; Val .text:00F82CDC lea eax, [ebp+array_256+1] .text:00F82CE2 push eax ; void * .text:00F82CE3 call _memset .text:00F82CE8 add esp, 0Ch ; .text:00F82CE8 ; ; .text:00F82CEB mov [ebp+var_10D], 0 .text:00F82CF2 mov [ebp+for2_index], 0 .text:00F82CFC jmp short for1 .text:00F82CFE ; --------------------------------------------------------------------------- .text:00F82CFE .text:00F82CFE for1_continue: ; CODE XREF: $check_key2+E3↓j .text:00F82CFE mov ecx, [ebp+for2_index] .text:00F82D04 add ecx, 1 .text:00F82D07 mov [ebp+for2_index], ecx .text:00F82D0D .text:00F82D0D for1: ; CODE XREF: $check_key2+5C↑j .text:00F82D0D cmp [ebp+for2_index], 100h .text:00F82D17 jge short for1_break .text:00F82D19 mov edx, [ebp+param_str_buf] .text:00F82D1C add edx, [ebp+for2_index] .text:00F82D22 mov al, byte ptr [ebp+for2_index] .text:00F82D28 mov [edx], al ; param_str_buf[index] = (BYTE)index; .text:00F82D2A call $+5 .text:00F82D2F .text:00F82D2F loc_F82D2F: ; DATA XREF: $check_key2+D9↓r .text:00F82D2F pop eax .text:00F82D30 mov [ebp+var_108], eax .text:00F82D36 call loc_F82D3E 
.text:00F82D36 ; --------------------------------------------------------------------------- .text:00F82D3B db 0EAh .text:00F82D3C ; --------------------------------------------------------------------------- .text:00F82D3C jmp short loc_F82D47 .text:00F82D3E ; --------------------------------------------------------------------------- .text:00F82D3E .text:00F82D3E loc_F82D3E: ; CODE XREF: $check_key2+96↑j .text:00F82D3E pop ebx .text:00F82D3F inc ebx .text:00F82D40 push ebx .text:00F82D41 mov eax, 11111111h .text:00F82D46 retn .text:00F82D47 ; --------------------------------------------------------------------------- .text:00F82D47 .text:00F82D47 loc_F82D47: ; CODE XREF: $check_key2+9C↑j .text:00F82D47 call loc_F82D53 .text:00F82D4C mov ebx, 33333333h .text:00F82D51 jmp short loc_F82D60 ; .text:00F82D51 ; ; .text:00F82D53 ; --------------------------------------------------------------------------- .text:00F82D53 .text:00F82D53 loc_F82D53: ; CODE XREF: $check_key2:loc_F82D47↑p .text:00F82D53 mov ebx, 11111111h .text:00F82D58 pop ebx .text:00F82D59 mov ebx, offset loc_F82D60 ; .text:00F82D59 ; ; .text:00F82D5E push ebx .text:00F82D5F retn .text:00F82D60 ; --------------------------------------------------------------------------- .text:00F82D60 .text:00F82D60 loc_F82D60: ; CODE XREF: $check_key2+B1↑j .text:00F82D60 ; DATA XREF: $check_key2+B9↑o .text:00F82D60 mov ebx, 22222222h ; .text:00F82D60 ; ; .text:00F82D65 mov eax, [ebp+for2_index] .text:00F82D6B xor edx, edx .text:00F82D6D div [ebp+param_str_buf2_length] .text:00F82D70 mov ecx, [ebp+for2_index] .text:00F82D76 mov eax, [ebp+param_str_buf2] .text:00F82D79 mov dl, byte ptr ds:(loc_F82D2F - 0F82D2Fh)[eax+edx] ; tmp = param_str_buf2[index % param_str_buf2_length] .text:00F82D7C mov [ebp+ecx+array_256], dl ; array_256[index] = tmp; .text:00F82D83 jmp for1_continue .text:00F82D88 ; --------------------------------------------------------------------------- .text:00F82D88 .text:00F82D88 for1_break: ; CODE XREF: 
$check_key2+77↑j .text:00F82D88 mov [ebp+for2_index], 0 .text:00F82D92 jmp short for2 .text:00F82D94 ; --------------------------------------------------------------------------- .text:00F82D94 .text:00F82D94 for2_continue: ; CODE XREF: $check_key2+1BE↓j .text:00F82D94 mov eax, [ebp+for2_index] .text:00F82D9A add eax, 1 .text:00F82D9D mov [ebp+for2_index], eax .text:00F82DA3 .text:00F82DA3 for2: ; CODE XREF: $check_key2+F2↑j .text:00F82DA3 cmp [ebp+for2_index], 100h .text:00F82DAD jge for2_break ; .text:00F82DAD ; ; .text:00F82DB3 mov ecx, [ebp+param_str_buf] .text:00F82DB6 add ecx, [ebp+for2_index] .text:00F82DBC movzx edx, byte ptr [ecx] ; tmp = param_str_buf[index]; .text:00F82DBF add edx, [ebp+var_114] ; tmp += var_114; //var_114 one == 0 .text:00F82DBF ; ; .text:00F82DC5 mov eax, [ebp+for2_index] .text:00F82DCB movsx ecx, [ebp+eax+array_256] ; tmp2 = array_256[index]; .text:00F82DD3 add edx, ecx ; tmp += tmp2; .text:00F82DD3 ; ; .text:00F82DD5 and edx, 800000FFh .text:00F82DDB jns short loc_F82DE5 ; if (!(tmp & 800000FFh)) .text:00F82DDD dec edx ; tmp--; .text:00F82DDE or edx, 0FFFFFF00h ; tmp |= 0FFFFFF00h; .text:00F82DE4 inc edx ; tmp++; .text:00F82DE5 .text:00F82DE5 loc_F82DE5: ; CODE XREF: $check_key2+13B↑j .text:00F82DE5 mov [ebp+var_114], edx ; var_114 = tmp; .text:00F82DEB call $+5 .text:00F82DF0 pop eax .text:00F82DF1 mov [ebp+var_108], eax .text:00F82DF7 call loc_F82DFF .text:00F82DF7 ; --------------------------------------------------------------------------- .text:00F82DFC byte_F82DFC db 0EAh .text:00F82DFD ; --------------------------------------------------------------------------- .text:00F82DFD jmp short loc_F82E08 .text:00F82DFF ; --------------------------------------------------------------------------- .text:00F82DFF .text:00F82DFF loc_F82DFF: ; CODE XREF: $check_key2+157↑j .text:00F82DFF pop ebx .text:00F82E00 inc ebx .text:00F82E01 push ebx .text:00F82E02 mov eax, 11111111h .text:00F82E07 retn .text:00F82E08 ; 
--------------------------------------------------------------------------- .text:00F82E08 .text:00F82E08 loc_F82E08: ; CODE XREF: $check_key2+15D↑j .text:00F82E08 call loc_F82E14 .text:00F82E0D mov ebx, 33333333h .text:00F82E12 jmp short loc_F82E21 ; .text:00F82E12 ; .text:00F82E12 ; ; .text:00F82E14 ; --------------------------------------------------------------------------- .text:00F82E14 .text:00F82E14 loc_F82E14: ; CODE XREF: $check_key2:loc_F82E08↑p .text:00F82E14 mov ebx, 11111111h .text:00F82E19 pop ebx .text:00F82E1A mov ebx, offset loc_F82E21 ; .text:00F82E1A ; .text:00F82E1A ; ; .text:00F82E1F push ebx .text:00F82E20 retn .text:00F82E21 ; --------------------------------------------------------------------------- .text:00F82E21 .text:00F82E21 loc_F82E21: ; CODE XREF: $check_key2+172↑j .text:00F82E21 ; DATA XREF: $check_key2+17A↑o .text:00F82E21 mov ebx, 22222222h ; .text:00F82E21 ; .text:00F82E21 ; ; .text:00F82E26 mov edx, [ebp+param_str_buf] .text:00F82E29 add edx, [ebp+for2_index] .text:00F82E2F mov al, [edx] .text:00F82E31 mov [ebp+var_10D], al ; var_10D = param_str_buf[index]; .text:00F82E31 ; ; .text:00F82E37 mov ecx, [ebp+param_str_buf] .text:00F82E3A add ecx, [ebp+for2_index] .text:00F82E40 mov edx, [ebp+param_str_buf] .text:00F82E43 add edx, [ebp+var_114] .text:00F82E49 mov al, [edx] .text:00F82E4B mov [ecx], al ; param_str_buf[index] = param_str_buf[var_114]; .text:00F82E4B ; ; .text:00F82E4D mov ecx, [ebp+param_str_buf] .text:00F82E50 add ecx, [ebp+var_114] .text:00F82E56 mov dl, [ebp+var_10D] .text:00F82E5C mov [ecx], dl ; param_str_buf[var_114] = var_110; .text:00F82E5E jmp for2_continue .text:00F82E63 ; --------------------------------------------------------------------------- .text:00F82E63 .text:00F82E63 for2_break: ; CODE XREF: $check_key2+10D↑j .text:00F82E63 pop ebx .text:00F82E64 mov ecx, [ebp+var_cookie] .text:00F82E67 xor ecx, ebp ; StackCookie .text:00F82E69 call @__security_check_cookie@4 ; __security_check_cookie(x) 
.text:00F82E6E mov esp, ebp
.text:00F82E70 pop ebp
.text:00F82E71 retn 0Ch ; caller-cleanup of three dword arguments (tail of $check_key2)
.text:00F82E71 $check_key2 endp ; sp-analysis failed
;
; $check_key3 -- keystream XOR over the input buffer.
;
; Arguments (ecx = this, saved to pThis but never read in the visible listing):
;   [ebp+8]   param1_buf_256        -- the 256-byte permutation table filled by $check_key2
;   [ebp+0Ch] (unnamed by IDA)      -- the input/key buffer, modified in place
;   [ebp+10h] param_inputbuf_length -- number of input bytes to process
;
; Per iteration the visible code does, with all arithmetic reduced mod 256:
;   var_BYTE_10 = var_BYTE_10 + 1
;   var_BYTE_18 = var_BYTE_18 + S[var_BYTE_10]
;   swap(S[var_BYTE_10], S[var_BYTE_18])
;   var_1C      = S[var_BYTE_10] + S[var_BYTE_18]
;   input[index] ^= S[var_1C]
; which is the RC4 PRGA shape, consistent with the cipher the author identified
; above. Because the keystream only depends on the table from $check_key2, the
; transform is trivially reversible; it is an obfuscation step, not a secret.
;
; The function is /GS-protected (___security_cookie / __security_check_cookie)
; and is laced with small anti-disassembly stubs of the form
;   call stub ; db 0EAh ; jmp target   with   stub: pop ebx / inc ebx / push ebx / retn
; The stub returns one byte past its return address, so the 0EAh byte (the first
; byte of a far-JMP encoding) is skipped at run time but derails a linear sweep.
; The mov eax/ebx, 11111111h / 22222222h / 33333333h stores are dead values.
;
.text:00F82E80 $check_key3 proc near ; CODE XREF: $star_check+3DA↑p
.text:00F82E80
.text:00F82E80 pThis = dword ptr -20h
.text:00F82E80 var_1C = dword ptr -1Ch ; the author's comments call this var_BYTE_1C
.text:00F82E80 var_BYTE_18 = dword ptr -18h
.text:00F82E80 index = dword ptr -14h
.text:00F82E80 var_BYTE_10 = dword ptr -10h
.text:00F82E80 var_9 = byte ptr -9 ; swap temporary
.text:00F82E80 var_8 = dword ptr -8 ; receives EIP from the call $+5 / pop eax trick; not read afterwards in view
.text:00F82E80 cookie = dword ptr -4
.text:00F82E80 param1_buf_256 = dword ptr 8
.text:00F82E80 param_inputbuf_length= dword ptr 10h
.text:00F82E80
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82EE3 SIZE 0000000E BYTES
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82EFA SIZE 0000005D BYTES
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82F5A SIZE 00000009 BYTES
.text:00F82E80 ; FUNCTION CHUNK AT .text:00F82FE4 SIZE 00000011 BYTES
.text:00F82E80
.text:00F82E80 push ebp
.text:00F82E81 mov ebp, esp
.text:00F82E83 sub esp, 20h
.text:00F82E86 mov eax, ___security_cookie ; /GS stack-cookie setup
.text:00F82E8B xor eax, ebp
.text:00F82E8D mov [ebp+cookie], eax
.text:00F82E90 push ebx ; callee-saved; restored by the pop ebx at fun_end
.text:00F82E91 mov [ebp+pThis], ecx
.text:00F82E94 mov [ebp+var_BYTE_10], 0 ; i = 0
.text:00F82E9B mov [ebp+var_BYTE_18], 0 ; j = 0
.text:00F82EA2 mov [ebp+var_1C], 0
.text:00F82EA9 mov [ebp+index], 0
.text:00F82EB0 call $+5 ; pushes the address of the next instruction ...
.text:00F82EB5
.text:00F82EB5 loc_F82EB5: ; DATA XREF: $check_key3+A5↓r
.text:00F82EB5 pop eax ; ... so eax = 0F82EB5h (current EIP)
.text:00F82EB6 mov [ebp+var_8], eax
.text:00F82EB9 call loc_F82EC1 ; anti-disassembly stub: return address = 0F82EBEh (the 0EAh byte)
.text:00F82EB9 ; ---------------------------------------------------------------------------
.text:00F82EBE db 0EAh ; never executed; skipped by the inc ebx in the stub
.text:00F82EBF ; ---------------------------------------------------------------------------
.text:00F82EBF jmp short loc_F82ECA
.text:00F82EC1 ; ---------------------------------------------------------------------------
.text:00F82EC1
.text:00F82EC1 loc_F82EC1: ; CODE XREF: $check_key3+39↑j
.text:00F82EC1 pop ebx ; return address (0F82EBEh)
.text:00F82EC2 inc ebx ; +1 -> 0F82EBFh, past the 0EAh byte
.text:00F82EC3 push ebx
.text:00F82EC4 mov eax, 11111111h ; dead store; eax is overwritten before being read on the visible path
.text:00F82EC9 retn ; continues at 0F82EBFh
.text:00F82ECA ; ---------------------------------------------------------------------------
.text:00F82ECA
.text:00F82ECA loc_F82ECA: ; CODE XREF: $check_key3+3F↑j
.text:00F82ECA call sub_F82ED6 ; sub_F82ED6 discards the return address and jumps to loc_F82EE3
.text:00F82ECF mov ebx, 33333333h ; never executed (sub_F82ED6 does not return here)
.text:00F82ED4 jmp short loc_F82EE3 ; never executed
.text:00F82ED4 $check_key3 endp ; sp-analysis failed -- the push/retn in sub_F82ED6 confuses IDA's stack tracking
.text:00F82ED4
.text:00F82ED6
.text:00F82ED6 ; =============== S U B R O U T I N E =======================================
.text:00F82ED6
.text:00F82ED6
.text:00F82ED6 sub_F82ED6 proc near ; CODE XREF: $check_key3:loc_F82ECA↑p
.text:00F82ED6 mov ebx, 11111111h ; dead store
.text:00F82EDB pop ebx ; drop the return address pushed by the call
.text:00F82EDC mov ebx, offset loc_F82EE3
.text:00F82EE1 push ebx
.text:00F82EE2 retn ; effectively jmp loc_F82EE3
.text:00F82EE2 sub_F82ED6 endp
.text:00F82EE2
.text:00F82EE3 ; ---------------------------------------------------------------------------
.text:00F82EE3 ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82EE3
.text:00F82EE3 loc_F82EE3: ; CODE XREF: $check_key3+54↑j
.text:00F82EE3 ; DATA XREF: sub_F82ED6+6↑o
.text:00F82EE3 mov ebx, 22222222h ; dead store
.text:00F82EE8 mov [ebp+index], 0 ; index = 0 (loop init)
.text:00F82EEF jmp short loc_F82EFA
.text:00F82EEF ; END OF FUNCTION CHUNK FOR $check_key3
.text:00F82EF1 ; [00000009 BYTES: COLLAPSED FUNCTION sub_F82EF1. PRESS CTRL-NUMPAD+ TO EXPAND]
; NOTE(review): the loop body ends with jmp sub_F82EF1, and these 9 bytes fall
; straight through into loc_F82EFA; presumably the index++ step -- not visible here, confirm.
.text:00F82EFA ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82EFA
.text:00F82EFA loc_F82EFA: ; CODE XREF: $check_key3+6F↑j
.text:00F82EFA mov ecx, [ebp+index]
.text:00F82EFD cmp ecx, [ebp+param_inputbuf_length] ; ebp+10h param_inputbuf_length
.text:00F82F00 jnb fun_end ; unsigned compare: loop while (index < param_inputbuf_length)
.text:00F82F06 mov edx, [ebp+var_BYTE_10]
.text:00F82F09 add edx, 1
.text:00F82F0C and edx, 800000FFh ; MSVC signed "% 256" idiom: keep sign bit and low byte ...
.text:00F82F12 jns short loc_F82F1C ; ... non-negative: remainder is the low byte, done
.text:00F82F14 dec edx ; negative remainder fix-up (dec / or / inc sign-extends)
.text:00F82F15 or edx, 0FFFFFF00h ; NOT "tmp = 0": this produces a negative value in -255..-1
.text:00F82F1B inc edx ; unreachable in practice: var_BYTE_10 starts at 0 and is only ever in 0..0FFh before the add
.text:00F82F1C
.text:00F82F1C loc_F82F1C: ; CODE XREF: $check_key3+92↑j
.text:00F82F1C mov [ebp+var_BYTE_10], edx ; i = (i + 1) & 0FFh
.text:00F82F1F mov eax, [ebp+param1_buf_256]
.text:00F82F22 add eax, [ebp+var_BYTE_10]
.text:00F82F25 movzx ecx, byte ptr ds:(loc_F82EB5 - 0F82EB5h)[eax] ; the displacement is 0, i.e. ecx = S[i]; IDA renders it via the EIP label captured above
.text:00F82F28 add ecx, [ebp+var_BYTE_18] ; j + S[i]
.text:00F82F2B and ecx, 800000FFh ; same signed "% 256" idiom as above
.text:00F82F31 jns short loc_F82F3B ; both operands are non-negative (movzx result, masked j), so the fix-up below is never taken
.text:00F82F33 dec ecx
.text:00F82F34 or ecx, 0FFFFFF00h
.text:00F82F3A inc ecx
.text:00F82F3B
.text:00F82F3B loc_F82F3B: ; CODE XREF: $check_key3+B1↑j
.text:00F82F3B mov [ebp+var_BYTE_18], ecx ; j = (j + S[i]) & 0FFh
.text:00F82F3E mov edx, [ebp+param1_buf_256]
.text:00F82F41 add edx, [ebp+var_BYTE_10]
.text:00F82F44 mov al, [edx]
.text:00F82F46 mov [ebp+var_9], al ; var_9 = S[i] (swap temporary)
.text:00F82F49 call $+5 ; EIP-capture again; the value is stored but not read on the visible path
.text:00F82F4E
.text:00F82F4E loc_F82F4E: ; DATA XREF: .text:00F82FA2↓r
.text:00F82F4E ; .text:00F82FD2↓r
.text:00F82F4E pop eax
.text:00F82F4F mov [ebp+var_8], eax
.text:00F82F52 call loc_F82F5A ; second anti-disassembly stub, same pattern as at 0F82EB9h
.text:00F82F52 ; END OF FUNCTION CHUNK FOR $check_key3
.text:00F82F52 ; ---------------------------------------------------------------------------
.text:00F82F57 db 0EAh ; never executed
.text:00F82F58 ; ---------------------------------------------------------------------------
.text:00F82F58 jmp short loc_F82F63
.text:00F82F5A ; ---------------------------------------------------------------------------
.text:00F82F5A ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82F5A
.text:00F82F5A loc_F82F5A: ; CODE XREF: $check_key3+D2↑j
.text:00F82F5A pop ebx
.text:00F82F5B inc ebx ; skip the 0EAh byte at 0F82F57h
.text:00F82F5C push ebx
.text:00F82F5D mov eax, 11111111h ; dead store
.text:00F82F62 retn ; continues at 0F82F58h
.text:00F82F62 ; END OF FUNCTION CHUNK FOR $check_key3
.text:00F82F63 ; ---------------------------------------------------------------------------
.text:00F82F63
.text:00F82F63 loc_F82F63: ; CODE XREF: .text:00F82F58↑j
.text:00F82F63 call sub_F82F6F ; sub_F82F6F jumps straight to loc_F82F7C
.text:00F82F68 mov ebx, 33333333h ; never executed
.text:00F82F6D jmp short loc_F82F7C ; never executed
.text:00F82F6F
.text:00F82F6F ; =============== S U B R O U T I N E =======================================
.text:00F82F6F
.text:00F82F6F
.text:00F82F6F sub_F82F6F proc near ; CODE XREF: .text:loc_F82F63↑p
.text:00F82F6F mov ebx, 11111111h ; dead store
.text:00F82F74 pop ebx ; drop return address
.text:00F82F75 mov ebx, offset loc_F82F7C
.text:00F82F7A push ebx
.text:00F82F7B retn ; effectively jmp loc_F82F7C
.text:00F82F7B sub_F82F6F endp
.text:00F82F7B
.text:00F82F7C ; ---------------------------------------------------------------------------
.text:00F82F7C
.text:00F82F7C loc_F82F7C: ; CODE XREF: .text:00F82F6D↑j
.text:00F82F7C ; DATA XREF: sub_F82F6F+6↑o
.text:00F82F7C mov ebx, 22222222h ; dead store
; From here on IDA shows raw ebp offsets instead of the frame names, presumably
; because the stack analysis failed for this chunk; mapping per the frame above:
;   [ebp+8] param1_buf_256, [ebp+0Ch] input buffer, [ebp-10h] var_BYTE_10,
;   [ebp-18h] var_BYTE_18, [ebp-1Ch] var_1C, [ebp-14h] index, [ebp-9] var_9
.text:00F82F81 mov ecx, [ebp+8] ; ebp+8 == param1_buf_256
.text:00F82F84 add ecx, [ebp-10h] ; &S[i]
.text:00F82F87 mov edx, [ebp+8]
.text:00F82F8A add edx, [ebp-18h] ; &S[j]
.text:00F82F8D mov al, [edx]
.text:00F82F8F mov [ecx], al ; S[i] = S[j]
.text:00F82F91 mov ecx, [ebp+8]
.text:00F82F94 add ecx, [ebp-18h]
.text:00F82F97 mov dl, [ebp-9]
.text:00F82F9A mov [ecx], dl ; S[j] = var_9 (old S[i]) -- swap complete
.text:00F82F9C mov eax, [ebp+8]
.text:00F82F9F add eax, [ebp-10h]
.text:00F82FA2 movzx ecx, byte ptr ds:(loc_F82F4E - 0F82F4Eh)[eax] ; displacement 0: ecx = S[i] (post-swap)
.text:00F82FA5 mov edx, [ebp+8]
.text:00F82FA8 add edx, [ebp-18h]
.text:00F82FAB movzx eax, byte ptr [edx]
.text:00F82FAE add ecx, eax ; S[i] + S[j]
.text:00F82FB0 and ecx, 800000FFh ; signed "% 256" idiom again
.text:00F82FB6 jns short loc_F82FC0 ; taken whenever the sum is non-negative -- always, since both addends came from movzx
.text:00F82FB8 dec ecx
.text:00F82FB9 or ecx, 0FFFFFF00h ; the mask is 0FFFFFF00h (sign extension), not 0x100
.text:00F82FBF inc ecx
.text:00F82FC0
.text:00F82FC0 loc_F82FC0: ; CODE XREF: .text:00F82FB6↑j
.text:00F82FC0 mov [ebp-1Ch], ecx ; var_1C = (S[i] + S[j]) & 0FFh
.text:00F82FC3 mov ecx, [ebp+8]
.text:00F82FC6 add ecx, [ebp-1Ch]
.text:00F82FC9 movzx edx, byte ptr [ecx] ; keystream byte K = S[var_1C]
.text:00F82FCC mov eax, [ebp+0Ch] ; ebp+0Ch = the input buffer (second argument, unnamed by IDA)
.text:00F82FCF add eax, [ebp-14h]
.text:00F82FD2 movzx ecx, byte ptr ds:(loc_F82F4E - 0F82F4Eh)[eax] ; displacement 0: ecx = input[index]
.text:00F82FD5 xor ecx, edx ; input[index] ^ K
.text:00F82FD7 mov edx, [ebp+0Ch]
.text:00F82FDA add edx, [ebp-14h]
.text:00F82FDD mov [edx], cl ; input[index] ^= K (in-place, so the caller's buffer is overwritten)
.text:00F82FDF jmp sub_F82EF1 ; loop tail (collapsed above); presumably index++ then fall through to loc_F82EFA
.text:00F82FE4 ; ---------------------------------------------------------------------------
.text:00F82FE4 ; START OF FUNCTION CHUNK FOR $check_key3
.text:00F82FE4
.text:00F82FE4 fun_end: ; CODE XREF: $check_key3+80↑j
.text:00F82FE4 pop ebx ; restore callee-saved ebx
.text:00F82FE5 mov ecx, [ebp+cookie]
.text:00F82FE8 xor ecx, ebp ; StackCookie
.text:00F82FEA call @__security_check_cookie@4 ; __security_check_cookie(x) -- /GS check before returning
.text:00F82FEF mov esp, ebp
.text:00F82FF1 pop ebp
.text:00F82FF2 retn 0Ch ; pops the three dword arguments; no return value is set on the visible paths (eax holds whatever the cookie check left)
.text:00F82FF2 ; END OF FUNCTION CHUNK FOR $check_key3