
大家帮忙忙看看这段汇编代码是怎么加密密码的?

2012-03-15 

大家帮忙忙看看这段汇编代码是如何加密密码的??
代码 如下 可能有点长 
; ---------------------------------------------------------------------------
; OllyDbg listing of the routine at 00401190 (x86-32, Intel syntax, MSVC
; __thiscall: ecx = this, one stack argument, cleaned by "retn 4").
; It calls CDialog::OnOK and CWnd::Default, so `this` is presumably a
; CDialog-derived object; the routine is a dialog handler that checks a
; typed password (the question's framing).
;
; In:    ecx      = this
;        [esp+4]  = one argument; it is passed to KillTimer as the timer id
; Out:   eax      = whatever CWnd::Default returns
; Frame: after the prologue pushes, [esp+0..C] = saved edi/esi/ebp/ebx,
;        [esp+10..18] = 0x0C bytes of locals, [esp+1C] = previous fs:[0],
;        [esp+20] = SEH handler, [esp+24] = SEH trylevel, [esp+2C] = argument.
;
; What these lines show:
;   1. copy min(len, 8) bytes of the CString member at this+0xA8 into an
;      8-byte, zero-filled stack buffer and hand that buffer to the cdecl
;      routine at 00404050 (its body is not on this page);
;   2. compare the 8 bytes left in the buffer with 8 bytes kept in the
;      object at this+0x60 (repe cmpsd);
;   3. equal -> CDialog::OnOK; otherwise show a MessageBox built from two
;      string resources, re-enable control ids 1 and 2 and select all text
;      in the edit control whose handle is at this+0x88.
;
; Review notes (defensive reading of the check itself):
;   - only the first 8 bytes of the input take part in the comparison, so
;     anything beyond 8 characters adds no strength; the reference value is
;     stored in the dialog object and compared with a plain memory compare.
;   - the copy length is clamped to 8 at 004011EF-004011F6 and the target
;     buffer is exactly 8 bytes, so this copy cannot overrun the stack
;     buffer; what 00404050 does with the pointer is not visible here.
; ---------------------------------------------------------------------------
00401190 . 6A FF push -1 ; SEH: initial trylevel = -1 (no live objects)
00401192 . 68 D0464000 push 004046D0 ; SE handler installation
00401197 . 64:A1 0000000>mov eax, dword ptr fs:[0] ; previous SEH record
0040119D . 50 push eax ; link it into this frame
0040119E . 64:8925 00000>mov dword ptr fs:[0], esp ; fs:[0] = this frame's SEH record
004011A5 . 83EC 0C sub esp, 0C ; 3 dwords of locals ([esp+10..18] after the pushes)
004011A8 . 53 push ebx ; callee-saved
004011A9 . 55 push ebp ; callee-saved
004011AA . 8BE9 mov ebp, ecx ; ebp = this
004011AC . 56 push esi ; callee-saved
004011AD . 57 push edi ; callee-saved
004011AE . 68 C0744000 push 004074C0 ; address of a string literal (contents not on this page)
004011B3 . 8D8D AC000000 lea ecx, dword ptr [ebp+AC] ; ecx = &(CString member at this+0xAC)
004011B9 . E8 30300000 call <jmp.&MFC42.#860_CString::operat> ; MFC42 ordinal 860, presumably CString::operator= (assign the literal)
004011BE . 6A 00 push 0 ; bSaveAndValidate = FALSE
004011C0 . 8BCD mov ecx, ebp ; this
004011C2 . E8 6F300000 call <jmp.&MFC42.#6334_CWnd::UpdateDa> ; CWnd::UpdateData(FALSE): members -> controls
004011C7 . 8B4424 2C mov eax, dword ptr [esp+2C] ; the routine's one stack argument
004011CB . 8B4D 20 mov ecx, dword ptr [ebp+20] ; window handle kept at this+0x20
004011CE . 50 push eax ; /TimerID
004011CF . 51 push ecx ; |hWnd
004011D0 . FF15 F4524000 call dword ptr [<&USER32.KillTimer>] ; \KillTimer
004011D6 . 8B85 A8000000 mov eax, dword ptr [ebp+A8] ; eax = char data of the CString at this+0xA8 (presumably the typed text)
004011DC . 8D8D A8000000 lea ecx, dword ptr [ebp+A8] ; ecx = &that CString (this for GetBuffer below)
004011E2 . 33D2 xor edx, edx ; edx = 0
004011E4 . 895424 14 mov dword ptr [esp+14], edx ; zero the 8-byte local buffer [esp+14..1B] ...
004011E8 . 895424 18 mov dword ptr [esp+18], edx ; ... (both dwords)
004011EC . 8B40 F8 mov eax, dword ptr [eax-8] ; eax = string length (MFC42 keeps CStringData::nDataLength 8 bytes before the chars)
004011EF . 83F8 08 cmp eax, 8 ; signed compare against 8
004011F2 . 8BD8 mov ebx, eax ; ebx = len
004011F4 . 7C 05 jl short 004011FB ; len < 8: keep len
004011F6 . BB 08000000 mov ebx, 8 ; else clamp: ebx = min(len, 8)
004011FB > 50 push eax ; nMinBufLength = full length
004011FC . E8 2F300000 call <jmp.&MFC42.#2915_CString::GetBu> ; CString::GetBuffer -> eax = writable char*
00401201 . 8BCB mov ecx, ebx ; ecx = bytes to copy (<= 8)
00401203 . 8BF0 mov esi, eax ; esi = source chars
00401205 . 8BD1 mov edx, ecx ; keep the count for the byte tail
00401207 . 8D7C24 14 lea edi, dword ptr [esp+14] ; edi = destination: the 8-byte local
0040120B . C1E9 02 shr ecx, 2 ; dword count
0040120E . F3:A5 rep movs dword ptr es:[edi], dword p> ; inline memcpy, dword part
00401210 . 8BCA mov ecx, edx ; restore count
00401212 . 8D4424 14 lea eax, dword ptr [esp+14] ; eax = &local buffer (argument for 00404050)
00401216 . 83E1 03 and ecx, 3 ; remaining 0..3 bytes
00401219 . 50 push eax ; push before the tail copy; edi/esi/ecx are unaffected
0040121A . F3:A4 rep movs byte ptr es:[edi], byte ptr> ; inline memcpy, byte tail
0040121C . E8 2F2E0000 call 00404050 ; cdecl routine taking the buffer pointer; body not on this page
00401221 . 83C4 04 add esp, 4 ; caller cleans the one argument
00401224 . B9 02000000 mov ecx, 2 ; compare 2 dwords
00401229 . 8D7D 60 lea edi, dword ptr [ebp+60] ; edi = 8 reference bytes held in the object at this+0x60
0040122C . 8D7424 14 lea esi, dword ptr [esp+14] ; esi = the transformed buffer
00401230 . 33D2 xor edx, edx ; edx = 0 (not read before it is overwritten at 0040128D)
00401232 . F3:A7 repe cmps dword ptr es:[edi], dword p> ; 8-byte memory compare; ZF cleared on the first mismatch
00401234 . 75 0C jnz short 00401242 ; mismatch -> failure path
00401236 . 8BCD mov ecx, ebp ; this
00401238 . E8 ED2F0000 call <jmp.&MFC42.#4853_CDialog::OnOK> ; match: accept
0040123D . E9 BA000000 jmp 004012FC ; to the common epilogue
00401242 > 8D4C24 10 lea ecx, dword ptr [esp+10] ; failure path: CString #1 lives at [esp+10]
00401246 . E8 A92F0000 call <jmp.&MFC42.#540_CString::CStrin> ; MFC42 ordinal 540: CString constructor
0040124B . 8D4C24 2C lea ecx, dword ptr [esp+2C] ; CString #2 at [esp+2C] (reuses the incoming argument slot)
0040124F . C74424 24 000>mov dword ptr [esp+24], 0 ; SEH trylevel = 0: CString #1 must be destroyed on unwind
00401257 . E8 982F0000 call <jmp.&MFC42.#540_CString::CStrin> ; construct CString #2
0040125C . 68 38EF0000 push 0EF38 ; string resource id 0xEF38
00401261 . 8D4C24 14 lea ecx, dword ptr [esp+14] ; = CString #1 (esp moved by the push)
00401265 . C64424 28 01 mov byte ptr [esp+28], 1 ; trylevel = 1 (same slot as [esp+24] above): both CStrings live
0040126A . E8 B52F0000 call <jmp.&MFC42.#4160_CString::LoadS> ; CString::LoadString into #1
0040126F . 6A 69 push 69 ; string resource id 0x69
00401271 . 8D4C24 30 lea ecx, dword ptr [esp+30] ; = CString #2


00401275 . E8 AA2F0000 call <jmp.&MFC42.#4160_CString::LoadS> ; CString::LoadString into #2
0040127A . 8B4424 2C mov eax, dword ptr [esp+2C] ; CString #2 (caption)
0040127E . 8B4C24 10 mov ecx, dword ptr [esp+10] ; CString #1 (message text)
00401282 . 6A 10 push 10 ; nType = 0x10 (MB_ICONHAND / MB_ICONERROR)
00401284 . 50 push eax ; lpszCaption
00401285 . 51 push ecx ; lpszText
00401286 . 8BCD mov ecx, ebp ; this
00401288 . E8 912F0000 call <jmp.&MFC42.#4224_CWnd::MessageB> ; CWnd::MessageBox: the error prompt
0040128D . 8B55 20 mov edx, dword ptr [ebp+20] ; window handle again
00401290 . 8B35 F8524000 mov esi, dword ptr [<&USER32.GetDlgI>; USER32.GetDlgItem
00401296 . 6A 01 push 1 ; /Enable = TRUE
00401298 . 6A 01 push 1 ; |/ControlID = 1
0040129A . 52 push edx ; ||hWnd
0040129B . FFD6 call esi ; |\GetDlgItem
0040129D . 8B3D FC524000 mov edi, dword ptr [<&USER32.EnableW>; |USER32.EnableWindow
004012A3 . 50 push eax ; |hWnd
004012A4 . FFD7 call edi ; \EnableWindow -- re-enable control id 1
004012A6 . 8B45 20 mov eax, dword ptr [ebp+20] ; window handle
004012A9 . 6A 01 push 1 ; /Enable = TRUE
004012AB . 6A 02 push 2 ; |/ControlID = 2
004012AD . 50 push eax ; ||hWnd
004012AE . FFD6 call esi ; |\GetDlgItem
004012B0 . 50 push eax ; |hWnd
004012B1 . FFD7 call edi ; \EnableWindow -- re-enable control id 2
004012B3 . 8B8D 88000000 mov ecx, dword ptr [ebp+88] ; handle at this+0x88; it receives EM_* messages, so an edit control
004012B9 . 8B35 10534000 mov esi, dword ptr [<&USER32.SendMes>; USER32.SendMessageA
004012BF . 6A FF push -1 ; /lParam = FFFFFFFF
004012C1 . 6A 00 push 0 ; |wParam = 0
004012C3 . 68 B1000000 push 0B1 ; |Message = EM_SETSEL
004012C8 . 51 push ecx ; |hWnd
004012C9 . FFD6 call esi ; \SendMessageA -- EM_SETSEL 0..-1: select all text
004012CB . 8B95 88000000 mov edx, dword ptr [ebp+88] ; same edit control
004012D1 . 6A 00 push 0 ; /lParam = 0
004012D3 . 6A 00 push 0 ; |wParam = 0
004012D5 . 68 B7000000 push 0B7 ; |Message = EM_SCROLLCARET
004012DA . 52 push edx ; |hWnd
004012DB . FFD6 call esi ; \SendMessageA -- scroll the caret into view
004012DD . 8D4C24 2C lea ecx, dword ptr [esp+2C] ; CString #2
004012E1 . C64424 24 00 mov byte ptr [esp+24], 0 ; trylevel back to 0 before destroying #2
004012E6 . E8 F12E0000 call <jmp.&MFC42.#800_CString::~CStri> ; CString destructor
004012EB . 8D4C24 10 lea ecx, dword ptr [esp+10] ; CString #1
004012EF . C74424 24 FFF>mov dword ptr [esp+24], -1 ; trylevel = -1: no live objects
004012F7 . E8 E02E0000 call <jmp.&MFC42.#800_CString::~CStri> ; CString destructor
004012FC > 8BCD mov ecx, ebp ; this (both paths join here)
004012FE . E8 152F0000 call <jmp.&MFC42.#2379_CWnd::Default> ; default message processing; eax = its result
00401303 . 8B4C24 1C mov ecx, dword ptr [esp+1C] ; previous SEH record
00401307 . 5F pop edi ; restore callee-saved
00401308 . 5E pop esi
00401309 . 5D pop ebp
0040130A . 5B pop ebx
0040130B . 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink this frame's SEH record
00401312 . 83C4 18 add esp, 18 ; 0x0C locals + 3 SEH dwords
00401315 . C2 0400 retn 4 ; pop the one stack argument








------解决方案--------------------


C/C++ code
00401190 . 6A FF push -1
00401192 . 68 D0464000 push 004046D0 ; SE 处理程序安装
00401197 . 64:A1 0000000>mov eax, dword ptr fs:[0]
0040119D . 50 push eax
0040119E . 64:8925 00000>mov dword ptr fs:[0], esp
004011A5 . 83EC 0C sub esp, 0C
004011A8 . 53 push ebx
004011A9 . 55 push ebp
// 一般地VC将this指针放到ECX中再调用类方法, 所以可以肯定ecx指向某个CWnd对象,现在this指针被保存在EBP中。
004011AA . 8BE9 mov ebp, ecx
004011AC . 56 push esi
004011AD . 57 push edi
004011AE . 68 C0744000 push 004074C0
004011B3 . 8D8D AC000000 lea ecx, dword ptr [ebp+AC]
004011B9 . E8 30300000 call <jmp.&MFC42.#860_CString::operat>
004011BE . 6A 00 push 0
004011C0 . 8BCD mov ecx, ebp
004011C2 . E8 6F300000 call <jmp.&MFC42.#6334_CWnd::UpdateDa>
004011C7 . 8B4424 2C mov eax, dword ptr [esp+2C]
004011CB . 8B4D 20 mov ecx, dword ptr [ebp+20]
004011CE . 50 push eax ; /TimerID
004011CF . 51 push ecx ; |hWnd
004011D0 . FF15 F4524000 call dword ptr [<&USER32.KillTimer>] ; \KillTimer
// 读this + 0xA8处的一个32位数据,你可以看看他读了什么,应该是一个指针p[1]。
004011D6 . 8B85 A8000000 mov eax, dword ptr [ebp+A8]
004011DC . 8D8D A8000000 lea ecx, dword ptr [ebp+A8]
// struct DATA { int d1; int d2; }
// 初始化加密函数void func(DWORD* pString, DATA* pData, int nCount)中pData->d1和pData->d2为零。
004011E2 . 33D2 xor edx, edx
004011E4 . 895424 14 mov dword ptr [esp+14], edx
004011E8 . 895424 18 mov dword ptr [esp+18], edx
// 读取p[1]-0x08地址所在的32位数据,有可能是用户输入的密码字符串长度,由CWnd::UpdateData计算得。
004011EC . 8B40 F8 mov eax, dword ptr [eax-8]
// 比较该数值是否小于8(可以理解为是否不足8个字符)
004011EF . 83F8 08 cmp eax, 8
// 临时保存该长度到ebx中
004011F2 . 8BD8 mov ebx, eax
004011F4 . 7C 05 jl short 004011FB
// 如果该数值大于8就取8(可以理解为截断字符串只取前面8个有效字符)。
004011F6 . BB 08000000 mov ebx, 8
// 调用CString::GetBuffer()来获取缓冲区。
004011FB > 50 push eax
004011FC . E8 2F300000 call <jmp.&MFC42.#2915_CString::GetBu>
// 用户输入的字符长度保存到循环计数寄存器ecx中。
00401201 . 8BCB mov ecx, ebx
// CString::GetBuffer()返回的内存指针保存在源变址寄存器esi中,看样子要复制字符串了。
00401203 . 8BF0 mov esi, eax
00401205 . 8BD1 mov edx, ecx
// 获取DATA* pData
00401207 . 8D7C24 14 lea edi, dword ptr [esp+14]
// 计算要复制的字符(这里他不是按字符串来处理,而是按32位数据来处理,例如按int类型来处理),按分析最大只会复制2个int。
0040120B . C1E9 02 shr ecx, 2
// 将用户输入的数据复制到DATA* pData结构中。
0040120E . F3:A5 rep movs dword ptr es:[edi], dword p>
// 继续复制(可能是编译器优化速度而分成两次复制,一次按32位,一次按8位)。
00401210 . 8BCA mov ecx, edx
00401212 . 8D4424 14 lea eax, dword ptr [esp+14]
00401216 . 83E1 03 and ecx, 3
00401219 . 50 push eax
0040121A . F3:A4 rep movs byte ptr es:[edi], byte ptr>
// 压入DATA* pData调用解码函数,由于没有压入this指针所以这个函数可能是静态函数。控制转到static void func1(DATA* pData) { func2(_T("NJYZ-NetRG-New30"), (DATA*)pData, 32); }
0040121C . E8 2F2E0000 call 00404050
00401221 . 83C4 04 add esp, 4
// 准备将解码的数据按2个32位数据(int/long/DWORD)进行比较。
00401224 . B9 02000000 mov ecx, 2
// 取this + 0x60处的一个数据(是指针数据,记住this+0x60是绝对地址是字节单位)是CWnd::对象内偏移0x60处的一个数据,你可以dump它,也可以设置断点直接运行到这里看看edi是什么
00401229 . 8D7D 60 lea edi, dword ptr [ebp+60]
// 取处理过后的DATA* pData数据。
0040122C . 8D7424 14 lea esi, dword ptr [esp+14]
00401230 . 33D2 xor edx, edx
// 比较两处的2个32位数据是否相同。
00401232 . F3:A7 repe cmps dword ptr es:[edi], dword p>
// 如相同就关闭对话框(CDialog::OnOK),否则转到其他地方显示出错信息。
// 现在很明显了,他只是将你输入的密码经过00404050处的加密或解码函数处理后再跟this + 0x0060处的一个参照数据(2个32位数据)进行对比,相同就通过否则就判断你密码错误。
// 你应该在00401229处设置断点获取[ebp + 0x0060]或edi所指处的两个32位数据,因为按推断这应该是密匙。
// 他的原理是将你输入的密码进行处理看最终能不能还原成这个密匙,建议你先将这两个32位数据拿出来再说。
00401234 . 75 0C jnz short 00401242
00401236 . 8BCD mov ecx, ebp
00401238 . E8 ED2F0000 call <jmp.&MFC42.#4853_CDialog::OnOK>
0040123D . E9 BA000000 jmp 004012FC

上面的C++逆向代码有一处是错误的, 其它基本上没有什么问题了。函数声明 void func(DWORD* pString, DATA* pData, int nCount) 中的循环应改成 for (short i = 32; i > 0; i--)
