逆向中的base64加解密
base64 编码(原文称“加密”;base64 只是可逆编码,不使用密钥)
; ---------------------------------------------------------------------
; b64_encode -- compiler-generated listing, 32-bit x86, MASM syntax.
;
; Pseudo-C recovered from the instructions below:
;   k = b64_encode(in, in_len, out)
;     in     : array read with a 4-byte stride ([in + i*4])
;     in_len : element count, compared unsigned (jae)
;     out    : byte buffer, written one byte at a time
;     return : eax = k, the number of characters written (NUL not counted)
;
; Stack arguments at [ebp+8..16]; "ret 0" leaves them for the caller to pop.
; Every 3 input elements are gathered in s[0..2] and emitted as 4 table
; characters from ?b64_chr@@3PAEA (the decorated name suggests a global
; unsigned char array -- its contents and size are not shown here).
;
; NOTE(review): no output-size argument exists; the routine writes 4 bytes
; per 3 inputs plus a terminating 0, so the caller must size `out`.
; NOTE(review): the first index of each group is s[0] >> 2 with no mask.
; If an input element can exceed 0xFF the index exceeds 63; whether that
; reads past the table depends on the table size -- confirm at the caller.
; ---------------------------------------------------------------------
EXTRN @__security_check_cookie@4:PROC
; Frame offsets relative to ebp: negative = locals, positive = arguments.
_i$ = -28 ; size = 4
_j$ = -24 ; size = 4
_k$ = -20 ; size = 4
_s$ = -16 ; size = 12
__$ArrayPad$ = -4 ; size = 4
_in$ = 8 ; size = 4
_in_len$ = 12 ; size = 4
_out$ = 16 ; size = 4
b64_encode PROC
push ebp
mov ebp, esp
sub esp, 28 ; 0000001cH
; Stack cookie: (___security_cookie XOR ebp) is stored in the slot at
; [ebp-4], directly above s[], and re-checked before the return.
mov eax, DWORD PTR ___security_cookie
xor eax, ebp
mov DWORD PTR __$ArrayPad$[ebp], eax
; i = 0; j = 0; k = 0;  (i is zeroed a second time as the for-loop init)
mov DWORD PTR _i$[ebp], 0
mov DWORD PTR _j$[ebp], 0
mov DWORD PTR _k$[ebp], 0
mov DWORD PTR _i$[ebp], 0
jmp SHORT $LN4@b64_encode
$LN2@b64_encode:
; loop increment: i++
mov eax, DWORD PTR _i$[ebp]
add eax, 1
mov DWORD PTR _i$[ebp], eax
$LN4@b64_encode:
; loop condition: leave when i >= in_len (unsigned)
mov ecx, DWORD PTR _i$[ebp]
cmp ecx, DWORD PTR _in_len$[ebp]
jae $LN3@b64_encode
; s[j] = in[i];  j++;
mov edx, DWORD PTR _j$[ebp]
mov eax, DWORD PTR _i$[ebp]
mov ecx, DWORD PTR _in$[ebp]
mov eax, DWORD PTR [ecx+eax*4]
mov DWORD PTR _s$[ebp+edx*4], eax
mov ecx, DWORD PTR _j$[ebp]
add ecx, 1
mov DWORD PTR _j$[ebp], ecx
; only emit once three elements have been collected
cmp DWORD PTR _j$[ebp], 3
jne $LN5@b64_encode
; out[k] = b64_chr[s[0] >> 2]
; ("4 * 0" is the byte offset of s[0]; the shift result is not masked)
mov edx, 4
imul eax, edx, 0
mov ecx, DWORD PTR _s$[ebp+eax]
shr ecx, 2
mov edx, DWORD PTR _out$[ebp]
add edx, DWORD PTR _k$[ebp]
mov al, BYTE PTR ?b64_chr@@3PAEA[ecx]
mov BYTE PTR [edx], al
; out[k+1] = b64_chr[((s[0] & 3) << 4) + ((s[1] & 0xF0) >> 4)]
; ("4 << 0" is the byte offset of s[1])
mov ecx, 4
imul edx, ecx, 0
mov eax, DWORD PTR _s$[ebp+edx]
and eax, 3
shl eax, 4
mov ecx, 4
shl ecx, 0
mov edx, DWORD PTR _s$[ebp+ecx]
and edx, 240 ; 000000f0H
shr edx, 4
mov ecx, DWORD PTR _out$[ebp]
add ecx, DWORD PTR _k$[ebp]
mov dl, BYTE PTR ?b64_chr@@3PAEA[eax+edx]
mov BYTE PTR [ecx+1], dl
; out[k+2] = b64_chr[((s[1] & 0x0F) << 2) + ((s[2] & 0xC0) >> 6)]
; ("4 << 1" is the byte offset of s[2]; the << 2 is folded into ecx*4)
mov eax, 4
shl eax, 0
mov ecx, DWORD PTR _s$[ebp+eax]
and ecx, 15 ; 0000000fH
mov edx, 4
shl edx, 1
mov eax, DWORD PTR _s$[ebp+edx]
and eax, 192 ; 000000c0H
shr eax, 6
mov edx, DWORD PTR _out$[ebp]
add edx, DWORD PTR _k$[ebp]
mov al, BYTE PTR ?b64_chr@@3PAEA[eax+ecx*4]
mov BYTE PTR [edx+2], al
; out[k+3] = b64_chr[s[2] & 0x3F]
mov ecx, 4
shl ecx, 1
mov edx, DWORD PTR _s$[ebp+ecx]
and edx, 63 ; 0000003fH
mov eax, DWORD PTR _out$[ebp]
add eax, DWORD PTR _k$[ebp]
mov cl, BYTE PTR ?b64_chr@@3PAEA[edx]
mov BYTE PTR [eax+3], cl
; j = 0;  k += 4;
mov DWORD PTR _j$[ebp], 0
mov edx, DWORD PTR _k$[ebp]
add edx, 4
mov DWORD PTR _k$[ebp], edx
$LN5@b64_encode:
jmp $LN2@b64_encode
$LN3@b64_encode:
; Tail: j leftover elements (0, 1 or 2) remain in s[].
cmp DWORD PTR _j$[ebp], 0
je $LN6@b64_encode
; if (j == 1) s[1] = 0;  so the second character uses only s[0]'s low bits
cmp DWORD PTR _j$[ebp], 1
jne SHORT $LN7@b64_encode
mov eax, 4
shl eax, 0
mov DWORD PTR _s$[ebp+eax], 0
$LN7@b64_encode:
; out[k] = b64_chr[s[0] >> 2]   (unmasked, as in the main loop)
mov ecx, 4
imul edx, ecx, 0
mov eax, DWORD PTR _s$[ebp+edx]
shr eax, 2
mov ecx, DWORD PTR _out$[ebp]
add ecx, DWORD PTR _k$[ebp]
mov dl, BYTE PTR ?b64_chr@@3PAEA[eax]
mov BYTE PTR [ecx], dl
; out[k+1] = b64_chr[((s[0] & 3) << 4) + ((s[1] & 0xF0) >> 4)]
mov eax, 4
imul ecx, eax, 0
mov edx, DWORD PTR _s$[ebp+ecx]
and edx, 3
shl edx, 4
mov eax, 4
shl eax, 0
mov ecx, DWORD PTR _s$[ebp+eax]
and ecx, 240 ; 000000f0H
shr ecx, 4
mov eax, DWORD PTR _out$[ebp]
add eax, DWORD PTR _k$[ebp]
mov cl, BYTE PTR ?b64_chr@@3PAEA[edx+ecx]
mov BYTE PTR [eax+1], cl
; if (j == 2) out[k+2] = b64_chr[(s[1] & 0x0F) << 2];  else out[k+2] = '=';
cmp DWORD PTR _j$[ebp], 2
jne SHORT $LN8@b64_encode
mov edx, 4
shl edx, 0
mov eax, DWORD PTR _s$[ebp+edx]
and eax, 15 ; 0000000fH
mov ecx, DWORD PTR _out$[ebp]
add ecx, DWORD PTR _k$[ebp]
mov dl, BYTE PTR ?b64_chr@@3PAEA[eax*4]
mov BYTE PTR [ecx+2], dl
jmp SHORT $LN9@b64_encode
$LN8@b64_encode:
; 61 = '=' padding character
mov eax, DWORD PTR _out$[ebp]
add eax, DWORD PTR _k$[ebp]
mov BYTE PTR [eax+2], 61 ; 0000003dH
$LN9@b64_encode:
; out[k+3] = '=';  k += 4;
mov ecx, DWORD PTR _out$[ebp]
add ecx, DWORD PTR _k$[ebp]
mov BYTE PTR [ecx+3], 61 ; 0000003dH
mov edx, DWORD PTR _k$[ebp]
add edx, 4
mov DWORD PTR _k$[ebp], edx
$LN6@b64_encode:
; out[k] = 0 (terminator);  return k;
mov eax, DWORD PTR _out$[ebp]
add eax, DWORD PTR _k$[ebp]
mov BYTE PTR [eax], 0
mov eax, DWORD PTR _k$[ebp]
; Undo the XOR with ebp and hand the value to the cookie check in ecx.
mov ecx, DWORD PTR __$ArrayPad$[ebp]
xor ecx, ebp
call @__security_check_cookie@4
mov esp, ebp
pop ebp
ret 0
b64_encode ENDP
base64 解码(原文称“解密”)
; ---------------------------------------------------------------------
; b64_decode -- compiler-generated listing, 32-bit x86, MASM syntax.
;
; Pseudo-C recovered from the instructions below:
;   k = b64_decode(in, in_len, out)
;     in     : byte buffer (read with movzx from in + i)
;     in_len : byte count, compared unsigned (jae)
;     out    : array written with a 4-byte stride ([out + k*4])
;     return : eax = k, the number of elements stored in out
;
; Each input byte is mapped by ?b64_int@@YAII@Z into s[0..3]; every full
; group of 4 yields 1, 2 or 3 output values depending on whether s[2] or
; s[3] equals 64, the value b64_int returns for '='.
;
; NOTE(review): no output-size argument exists; the caller must provide
; room for up to 3 elements per 4 input bytes.
; NOTE(review): a trailing group of fewer than 4 characters is dropped --
; the loop exit goes straight to the return without looking at j.
; NOTE(review): b64_int returns 0 for characters outside the alphabet, the
; same value as 'A', so malformed input decodes without any error signal.
; NOTE(review): results are not masked to 8 bits; a 64 ('=') landing in
; s[0] or s[1] produces an out-of-range value. Confirm callers validate.
; ---------------------------------------------------------------------
EXTRN @__security_check_cookie@4:PROC
; Frame offsets relative to ebp: negative = locals, positive = arguments.
_j$ = -32 ; size = 4
_i$ = -28 ; size = 4
_k$ = -24 ; size = 4
_s$ = -20 ; size = 16
__$ArrayPad$ = -4 ; size = 4
_in$ = 8 ; size = 4
_in_len$ = 12 ; size = 4
_out$ = 16 ; size = 4
b64_decode PROC
push ebp
mov ebp, esp
sub esp, 32 ; 00000020H
; Stack cookie: (___security_cookie XOR ebp) is stored in the slot at
; [ebp-4], directly above s[], and re-checked before the return.
mov eax, DWORD PTR ___security_cookie
xor eax, ebp
mov DWORD PTR __$ArrayPad$[ebp], eax
; i = 0; j = 0; k = 0;  (i is zeroed a second time as the for-loop init)
mov DWORD PTR _i$[ebp], 0
mov DWORD PTR _j$[ebp], 0
mov DWORD PTR _k$[ebp], 0
mov DWORD PTR _i$[ebp], 0
jmp SHORT $LN4@b64_decode
$LN2@b64_decode:
; loop increment: i++
mov eax, DWORD PTR _i$[ebp]
add eax, 1
mov DWORD PTR _i$[ebp], eax
$LN4@b64_decode:
; loop condition: leave when i >= in_len (unsigned)
mov ecx, DWORD PTR _i$[ebp]
cmp ecx, DWORD PTR _in_len$[ebp]
jae $LN3@b64_decode
; s[j] = b64_int(in[i]);  j++;
; (the byte is zero-extended; the caller pops the argument with add esp, 4)
mov edx, DWORD PTR _in$[ebp]
add edx, DWORD PTR _i$[ebp]
movzx eax, BYTE PTR [edx]
push eax
call ?b64_int@@YAII@Z
add esp, 4
mov ecx, DWORD PTR _j$[ebp]
mov DWORD PTR _s$[ebp+ecx*4], eax
mov edx, DWORD PTR _j$[ebp]
add edx, 1
mov DWORD PTR _j$[ebp], edx
; only decode once four values have been collected
cmp DWORD PTR _j$[ebp], 4
jne $LN5@b64_decode
; out[k] = (s[0] << 2) + ((s[1] & 0x30) >> 4)
; (the lea computes ecx + edx*4, i.e. s[0]*4 plus the two bits from s[1])
mov eax, 4
imul ecx, eax, 0
mov edx, DWORD PTR _s$[ebp+ecx]
mov eax, 4
shl eax, 0
mov ecx, DWORD PTR _s$[ebp+eax]
and ecx, 48 ; 00000030H
shr ecx, 4
lea edx, DWORD PTR [ecx+edx*4]
mov eax, DWORD PTR _k$[ebp]
mov ecx, DWORD PTR _out$[ebp]
mov DWORD PTR [ecx+eax*4], edx
; if (s[2] == 64) -> third character was '=': one value only
mov edx, 4
shl edx, 1
cmp DWORD PTR _s$[ebp+edx], 64 ; 00000040H
je SHORT $LN6@b64_decode
; out[k+1] = ((s[1] & 0x0F) << 4) + ((s[2] & 0x3C) >> 2)
mov eax, 4
shl eax, 0
mov ecx, DWORD PTR _s$[ebp+eax]
and ecx, 15 ; 0000000fH
shl ecx, 4
mov edx, 4
shl edx, 1
mov eax, DWORD PTR _s$[ebp+edx]
and eax, 60 ; 0000003cH
shr eax, 2
add ecx, eax
mov edx, DWORD PTR _k$[ebp]
mov eax, DWORD PTR _out$[ebp]
mov DWORD PTR [eax+edx*4+4], ecx
; if (s[3] == 64) -> fourth character was '=': two values only
; ("4 * 3" is the byte offset of s[3])
mov ecx, 4
imul edx, ecx, 3
cmp DWORD PTR _s$[ebp+edx], 64 ; 00000040H
je SHORT $LN8@b64_decode
; out[k+2] = ((s[2] & 3) << 6) + s[3];  k += 3;
mov eax, 4
shl eax, 1
mov ecx, DWORD PTR _s$[ebp+eax]
and ecx, 3
shl ecx, 6
mov edx, 4
imul eax, edx, 3
add ecx, DWORD PTR _s$[ebp+eax]
mov edx, DWORD PTR _k$[ebp]
mov eax, DWORD PTR _out$[ebp]
mov DWORD PTR [eax+edx*4+8], ecx
mov ecx, DWORD PTR _k$[ebp]
add ecx, 3
mov DWORD PTR _k$[ebp], ecx
jmp SHORT $LN9@b64_decode
$LN8@b64_decode:
; k += 2;
mov edx, DWORD PTR _k$[ebp]
add edx, 2
mov DWORD PTR _k$[ebp], edx
$LN9@b64_decode:
jmp SHORT $LN7@b64_decode
$LN6@b64_decode:
; k += 1;
mov eax, DWORD PTR _k$[ebp]
add eax, 1
mov DWORD PTR _k$[ebp], eax
$LN7@b64_decode:
; j = 0;  start collecting the next group
mov DWORD PTR _j$[ebp], 0
$LN5@b64_decode:
jmp $LN2@b64_decode
$LN3@b64_decode:
; return k;
mov eax, DWORD PTR _k$[ebp]
; Undo the XOR with ebp and hand the value to the cookie check in ecx.
mov ecx, DWORD PTR __$ArrayPad$[ebp]
xor ecx, ebp
call @__security_check_cookie@4
mov esp, ebp
pop ebp
ret 0
b64_decode ENDP
; ---------------------------------------------------------------------
; b64_int -- maps one character code to its 6-bit base64 value.
;
; In:  ch at [ebp+8] (4 bytes, compared unsigned via jbe/jae)
; Out: eax = value
;        '+' (43)       -> 62
;        '/' (47)       -> 63
;        '=' (61)       -> 64   (padding marker, outside the 0..63 range)
;        '0'..'9'       -> ch + 4   (52..61)
;        'A'..'Z'       -> ch - 65  (0..25)
;        'a'..'z'       -> ch - 71  (26..51)
;        anything else  -> 0
; The decorated name used by the caller, ?b64_int@@YAII@Z, reads as
; unsigned int b64_int(unsigned int) with the argument left for the
; caller to pop (ret 0).
;
; NOTE(review): the fall-through value 0 is also the value of 'A', so a
; caller cannot tell an invalid character from a valid one.
; ---------------------------------------------------------------------
_ch$ = 8 ; size = 4
b64_int PROC ; If a sample uses a modified alphabet, this mapping can be recovered by building a lookup table -- keep this approach in mind.
push ebp
mov ebp, esp
; ch == '+' ?
cmp DWORD PTR _ch$[ebp], 43 ; 0000002bH
jne SHORT $LN2@b64_int
mov eax, 62 ; 0000003eH
jmp SHORT $LN1@b64_int
$LN2@b64_int:
; ch == '/' ?
cmp DWORD PTR _ch$[ebp], 47 ; 0000002fH
jne SHORT $LN3@b64_int
mov eax, 63 ; 0000003fH
jmp SHORT $LN1@b64_int
$LN3@b64_int:
; ch == '=' ?  64 is the padding marker the decoder tests for
cmp DWORD PTR _ch$[ebp], 61 ; 0000003dH
jne SHORT $LN4@b64_int
mov eax, 64 ; 00000040H
jmp SHORT $LN1@b64_int
$LN4@b64_int:
; 47 < ch < 58, i.e. '0'..'9' -> ch + 4
cmp DWORD PTR _ch$[ebp], 47 ; 0000002fH
jbe SHORT $LN5@b64_int
cmp DWORD PTR _ch$[ebp], 58 ; 0000003aH
jae SHORT $LN5@b64_int
mov eax, DWORD PTR _ch$[ebp]
add eax, 4
jmp SHORT $LN1@b64_int
$LN5@b64_int:
; 64 < ch < 91, i.e. 'A'..'Z' -> ch - 65
cmp DWORD PTR _ch$[ebp], 64 ; 00000040H
jbe SHORT $LN6@b64_int
cmp DWORD PTR _ch$[ebp], 91 ; 0000005bH
jae SHORT $LN6@b64_int
mov eax, DWORD PTR _ch$[ebp]
sub eax, 65 ; 00000041H
jmp SHORT $LN1@b64_int
$LN6@b64_int:
; 96 < ch < 123, i.e. 'a'..'z' -> ch - 71
cmp DWORD PTR _ch$[ebp], 96 ; 00000060H
jbe SHORT $LN7@b64_int
cmp DWORD PTR _ch$[ebp], 123 ; 0000007bH
jae SHORT $LN7@b64_int
mov eax, DWORD PTR _ch$[ebp]
sub eax, 71 ; 00000047H
jmp SHORT $LN1@b64_int
$LN7@b64_int:
; no range matched: return 0
xor eax, eax
$LN1@b64_int:
pop ebp
ret 0
b64_int ENDP