在分析pcqq协议时,0836包里有一个official算法,经多次测试发现,如果这个算法没有或者错误,会导致账号被冻结或屏蔽。为了解决这个问题,我们要逆向这个算法
1.用od调试找到这个算法的汇编代码为
mov eax, [ebp+0Ch]
mov eax, [eax]
add eax, 08h
push eax
mov edx, [ebp+08h]
mov edx, [edx]
add edx, 08h
mov ecx, [ebp+10h]
mov ecx, [ecx]
add ecx, 08h
call 00000024Chmov esp, ebp
pop ebp
retn 000Chsub esp, 14h
mov eax, [edx]
push ebx
mov [esp+14h], ecx
mov ebx, 00000010h
mov ecx, [esp+1Ch]
push ebp
push esi
mov esi, [edx+04h]
mov edx, [ecx+04h]
mov [esp+0Ch], edx
mov edx, [ecx]
mov ebp, [esp+0Ch]
mov [esp+10h], edx
mov edx, [ecx+0Ch]
mov ecx, [ecx+08h]
push edi
bswap esi
bswap eax
mov edi, 9E3779B9h
mov [esp+1Ch], edx
mov [esp+18h], ecx
mov edx, esi
mov ecx, esi
shr edx, 05h
shl ecx, 04h
add edx, ebp
add ecx, [esp+14h]
xor edx, ecx
lea ecx, [esi+edi]
xor edx, ecx
add eax, edx
mov edx, eax
mov ecx, eax
shl edx, 04h
add edx, [esp+18h]
shr ecx, 05h
add ecx, [esp+1Ch]
xor edx, ecx
lea ecx, [eax+edi]
xor edx, ecx
lea edi, [edi-61C88647h]
add esi, edx
dec ebx
jne 00000041h
mov ebp, [esp+20h]
bswap esi
pop edi
bswap eax
mov [ebp+04h], esi
mov [ebp+00h], eax
mov eax, ebp
pop esi
pop ebp
pop ebx
add esp, 14h
retn 0004h
2.汇编找到了,但是怎么在代码里面调用呢?第一种办法:vs可以直接在_asm{}块中嵌套汇编代码。但是我的call 00000024h这一段不知道为什么会报错,所以只能用第二种办法了,就是直接翻译成c源码。
3.这时默默地打开了从看雪论坛买来的加密与解密第四版一书,看了两章,然后直接开干。代码如下
// test.cpp : 定义控制台应用程序的入口点。#include "stdafx.h"typedef unsigned char BYTE;BYTE* Long2Bytes(unsigned long n);
unsigned long Bytes2Long(BYTE *bytes);
BYTE* ReverseBytes(BYTE* data, int size);
void Official(BYTE *data, BYTE *key, BYTE *result);
BYTE* SubBytes(BYTE *bytes, int start, int count);
void PrintBytes(BYTE *bytes, int size);int _tmain(int argc, _TCHAR* argv[])
{BYTE *data = new BYTE[8]{1, 2, 3, 4, 5, 6, 7, 8};//要加密的数据BYTE *key = new BYTE[16]{9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24};//加密keyBYTE *result = new BYTE[8]{0};//加密结果Official(data, key, result);PrintBytes(result,8);delete[] data;delete[] key;delete[] result;getchar();return 0;
}
void PrintBytes(BYTE *bytes, int size){for (int i = 0; i < size; i++){printf("%d ",bytes[i]);}
}
void Official(BYTE *data, BYTE *key, BYTE *result){unsigned long eax = Bytes2Long(SubBytes(data,0,4));unsigned long esi = Bytes2Long(SubBytes(data, 4, 4));unsigned long var4 = Bytes2Long(ReverseBytes(SubBytes(key, 0, 4), 4));unsigned long ebp = Bytes2Long(ReverseBytes(SubBytes(key, 4, 4), 4));unsigned long var3 = Bytes2Long(ReverseBytes(SubBytes(key, 8, 4), 4));unsigned long var2 = Bytes2Long(ReverseBytes(SubBytes(key, 12, 4), 4));//printf("%lu %lu %lu %lu %lu %lu\n", eax,esi,var4, ebp, var3, var2);unsigned long edi = 0x9E3779B9;unsigned long edx = 0;unsigned long ecx = 0;for (int i = 0; i < 16; i++){edx = esi;ecx = esi;edx = edx >> 5;ecx = ecx << 4;edx += ebp;ecx += var4;edx = edx ^ ecx;ecx = esi + edi;edx = edx ^ ecx;eax += edx;edx = eax;ecx = eax;edx = edx << 4;edx = edx + var3;ecx = ecx >> 5;ecx += var2;edx = edx ^ ecx;ecx = eax + edi;edx = edx ^ ecx;edi -= 0x61C88647;esi += edx;}memcpy(result,Long2Bytes(eax), 4);memcpy(result+4, Long2Bytes(esi), 4);
}
BYTE* Long2Bytes(unsigned long n){BYTE *temp = new BYTE[4];temp[0] = n / 16777216;temp[1] = (n - temp[0] * 16777216)/65536;temp[2] = (n - temp[0] * 16777216 - temp[1] * 65536) / 256;temp[3] = (n - temp[0] * 16777216 - temp[1] * 65536-temp[2]*256);return temp;
}
unsigned long Bytes2Long(BYTE *bytes){unsigned long a =bytes[0] * 16777216;unsigned long b = bytes[1] * 65536;unsigned long c = bytes[2] * 256;unsigned long d = bytes[3];unsigned long n = a + b + c + d;return n;
}
//因为数据在内存中是从低到高存放的,所以要反取字节
BYTE* ReverseBytes(BYTE* bytes, int size){BYTE *temp = new BYTE[size];for (int i = 0; i < size; i++){temp[i] = bytes[size - i - 1];}return temp;
}
BYTE* SubBytes(BYTE* bytes, int start, int count){BYTE *temp = new BYTE[count];for (int i = 0; i < count; i++){temp[i] = bytes[start + i];}return temp;
}
4.在这里有个要注意的地方就是数字类型必须是unsigned long,否则会数据溢出,导致算法计算错误…坑