服务器每次发来的密文,类似于
#eLrBHMNx<F=hgmlYA]X]ENtpGM`X@?PuN`LwT_m>RmleJ_l{PAMHQ?pUCpdbENa<F`pjBllQC=HSC\\pT?LduQ_y=PQM>JptK!
命令体部分经过普通解密后,还需要根据一个掩码来进行二次解密
这里是二次解密命令体的部分
push ebp
mov ebp, esp
and esp, FFFFFFF8
push -1
push 004C833C
mov eax, dword ptr fs:[0]
push eax
mov dword ptr fs:[0], esp
push ecx
mov eax, 549C
call 004BC0B0
push ebx
push esi
push edi
mov edi, dword ptr [ebp+8]
cmp byte ptr [edi], 2B <------判断第一个字节是否为 +
mov ebx, ecx
jnz L029
inc edi
push edi
call 0042B0D0
mov ecx, dword ptr [esp+54AC]
mov dword ptr fs:[0], ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 4
L029:
push edi <----- 密文
lea eax, dword ptr [esp+3C]
push eax <------ 密文解密后被保存在这里
call 004A0CE0
mov cx, word ptr [ebx+49B162]
xor word ptr [esp+3C], cx
xor edx, edx
mov dh, byte ptr [esp+43]
mov cl, byte ptr [ebx+49B161]
xor eax, eax
mov ah, byte ptr [esp+3F]
mov dl, byte ptr [esp+41]
mov al, byte ptr [esp+3D]
shl edx, 10
or edx, eax
mov al, byte ptr [ebx+49B160]
mov esi, edx
xor cl, byte ptr [esp+3C]
xor edx, edx
mov dh, cl
xor al, byte ptr [esp+38]
mov dword ptr [esp+1C], esi
mov dl, al
mov eax, dword ptr [esp+38]
shr eax, 10
mov cx, dx
movzx dx, byte ptr [esp+39]
mov dh, byte ptr [esp+3E]
mov word ptr [esp+20], cx
mov word ptr [esp+22], dx
xor edx, edx
mov dh, byte ptr [esp+40]
mov dl, al
movzx ax, ah
mov ah, byte ptr [esp+42]
mov word ptr [esp+24], dx
mov word ptr [esp+26], ax
movzx eax, cx
add eax, -138A
cmp eax, 123
ja 0043BF9D
movzx ecx, byte ptr [eax+43C220]
jmp dword ptr [ecx*4+43BFB4]
在 MIR3G二次加解密反汇编分析(三)——跟踪 中有4个赋值
mov byte ptr [ebx+49B160], al
mov byte ptr [ebx+49B161], ah
mov word ptr [ebx+49B162], ax
mov word ptr [ebx+49B164], ax
这就是命令体二次解密时的掩码
从一次解密的消息体中提取掩码的部分
sub eax, edx
cmp eax, 3C ;判断消息体长度是否为60
jnz 0043BF9D
mov ecx, dword ptr [esp+CA8] esp+CA8保存的就是经过一次解密的消息体(不包含命令体)
mov edx, dword ptr [esp+CAC]
mov eax, dword ptr [esp+CB0]
mov dword ptr [esp+38], ecx
mov ecx, dword ptr [esp+CB4]
mov dword ptr [esp+44], ecx
mov ecx, dword ptr [esp+CC0]
mov dword ptr [esp+3C], edx
mov edx, dword ptr [esp+CB8]
mov dword ptr [esp+40], eax
mov eax, dword ptr [esp+CBC]
mov dword ptr [esp+54], ecx
mov ecx, dword ptr [esp+CCC]
mov dword ptr [esp+48], edx
mov edx, dword ptr [esp+CC4]
mov dword ptr [esp+50], eax
mov eax, dword ptr [esp+CC8]
mov dword ptr [esp+60], ecx
mov ecx, dword ptr [esp+CD8]
mov dword ptr [esp+58], edx
mov edx, dword ptr [esp+CD0]
mov dword ptr [esp+5C], eax
mov eax, dword ptr [esp+CD4]
mov dword ptr [esp+24], ecx
lea ecx, dword ptr [esp+1C]
mov dword ptr [esp+1C], edx ;最后20个字节
mov edx, dword ptr [esp+CDC]
mov dword ptr [esp+20], eax
mov eax, dword ptr [esp+CE0]
push ecx
mov ecx, ebx
mov byte ptr [esp+50], 0
mov byte ptr [esp+68], 0
mov dword ptr [esp+2C], edx
mov dword ptr [esp+30], eax
mov byte ptr [esp+34], 0
call 0042BD60
lea edx, dword ptr [esp+38] 前20个字节
push edx
mov ecx, ebx
mov byte ptr [ebx+49B160], al
mov byte ptr [ebx+49B161], ah
call 0042BD60
mov word ptr [ebx+49B162], ax
lea eax, dword ptr [esp+50]
push eax
mov ecx, ebx
call 0042BD60
mov word ptr [ebx+49B164], ax
提取掩码的函数 0042BD60
push ebx
push esi
mov esi, dword ptr [esp+C] esi = arg1 ;消息体
mov eax, esi eax = arg1
xor ebx, ebx ebx = 0
lea edx, dword ptr [eax+1] edx = arg+1 ,从第二个字节开始
lea ecx, dword ptr [ecx]
L007:
mov cl, byte ptr [eax]
inc eax
test cl, cl
jnz L007
sub eax, edx
cmp eax, 14 检查参数长度是否是20
jnb L018
pop esi
xor ax, ax
pop ebx
retn 4
L018:
mov eax, 2 ;eax =2
lea edx, dword ptr [esi+1] ;edx指向第二个字节 edx = 1
push edi
L022:
mov cl, byte ptr [edx-1] ;cl = arg[edx-1]
movzx esi, byte ptr [edx+8] ;esi = ((long)(arg[edx+8]))
movzx ecx, cl ;ecx = ((long)cl)
add esi, ecx ;esi = esi+ecx
movzx ecx, byte ptr [edx] ;ecx = (long)arg[edx]
cmp ecx, esi ;if(ecx < esi) 跳转到 L033
jl L033
lea ecx, dword ptr [eax-2] ; ecx = eax-2
mov edi, 8000 ; edi = 0x8000
sar edi, cl ; edi = edi >> cl
or ebx, edi ; ebx = ebx | edi
L033:
movzx ecx, byte ptr [edx+1] ;ecx = (long)arg[edx+1]
cmp ecx, esi ;if(ecx<esi) 跳转到 L040
jl L040
lea ecx, dword ptr [eax-1] ;ecx = eax-2
mov edi, 8000 ;edi = 0x8000
sar edi, cl ;edi = edi >> arg[eax-1]
or ebx, edi ;ebx = ebx | edi
L040:
movzx ecx, byte ptr [edx+2] ;ecx = (long)arg[edx+2]
cmp ecx, esi ;if(ecx < esi) 跳转到 L047
jl L047
mov edi, 8000 ;edi = 0x8000
mov ecx, eax ;ecx = eax
sar edi, cl ;edi = edi >> cl
or ebx, edi ;ebx = ebx | edi
L047:
movzx ecx, byte ptr [edx+3] ;ecx = (long)arg[edx+3]
cmp ecx, esi ; if(ecx < esi) 跳转到 L054
jl L054
lea ecx, dword ptr [eax+1] ;ecx = eax+1
mov edi, 8000 ;edi = 0x8000
sar edi, cl ;edi = edi >> cl
or ebx, edi ;ebx = ebx | edi
L054:
movzx ecx, byte ptr [edx+4] ;ecx = (long)arg[edx+4]
cmp ecx, esi ; if(ecx < esi) 跳转到 L061
jl L061
lea ecx, dword ptr [eax+2] ;ecx = eax+2
mov edi, 8000 ;edi = 0x8000
sar edi, cl ;edi = edi >> cl
or ebx, edi ;ebx = ebx | edi
L061:
movzx ecx, byte ptr [edx+5] ;ecx = (long)arg[edx+5]
cmp ecx, esi ; if(ecx < esi) 跳转到 L068
jl L068
lea ecx, dword ptr [eax+3] ;ecx = eax+3
mov edi, 8000 ;edi = 0x8000
sar edi, cl ;edi = edi >> cl
or ebx, edi ;ebx = ebx | edi
L068:
movzx ecx, byte ptr [edx+6] ;ecx = (long)arg[edx+6]
cmp ecx, esi ; if(ecx < esi) 跳转到 L075
jl L075
lea ecx, dword ptr [eax+4] ;ecx = eax+4
mov edi, 8000 ;edi = 0x8000
sar edi, cl ;edi = edi >> cl
or ebx, edi ;ebx = ebx | edi
L075:
movzx ecx, byte ptr [edx+7] ;ecx = (long)arg[edx+7]
cmp ecx, esi ; if(ecx < esi) 跳转到 L082
jl L082
lea ecx, dword ptr [eax+5] ;ecx = eax+5
mov esi, 8000 ;edi = 0x8000
sar esi, cl ;edi = edi >> cl
or ebx, esi ;ebx = ebx | edi
L082:
add eax, 8 ;eax = eax+8
add edx, 0A ;edx = edx+0x0A
cmp eax, 0A ;if(eax <= 0X0A) 跳转到 L022
jle L022
movzx edx, bl ;edx = (long)bl 低8位0扩展
movzx eax, bh ;eax = (long)bh 高8位0扩展
pop edi ;
xor edx, 87 ;edx = edx ^ 0x87
xor eax, 87 ;eax = eax ^ 0x87
shl edx, 8 ;edx << 8
pop esi
or eax, edx ;eax = eax | edx
pop ebx
retn 4
至此,消息的加解密部分已经全部还原
posted on 2008-06-07 16:06
Phrancol Yang 阅读(582)
评论(0) 编辑 收藏 所属分类:
反汇编