转自:http://blog.sina.com.cn/s/blog_65c4c7f501013ljn.html
因为星际2近来更新不多,而且我的程序功能已经非常完善,所以近来基本没有再更新.昨天接到个活,是破解一个软件的Url加密算法以让后台批量下载竞争对手的内容,拿到程序一看到署名震惊了,竟然是文哥和南哥的那个公司,去年去广州踩点的时候还见过他们,程序用VC6+SDK编写,没有什么强力保护,还是顺风顺水的.
程序的作用是把下面这样的乱码
"aHR0cDovL3IyLjI1cHAuY29t
L3NvZnQvMjAxMi8wMy8wNS8y
MDEyMDMwNV8xOTQ2NF8zMDkz
ODc0NTkxMS5pcGE="解码出来成为一个Url,例如上面这段密文对应的url是这样"r2.25pp.com/soft/2012/03/05/20120305_19464_30938745911.ipa"
解码的关键过程(从下面的查表和移位可以看出,这是Base64式的解码:每4个密文字符查表得到4个6位值,再移位拼成3个字节;全程没有密钥参与,所以它只是编码,并不是真正的加密):
00540833
|> /8B55 FC
/mov edx,[local.1]
;
//Local.1=Pos
00540836
|. |3B55 0C
|cmp edx,[arg.2]
;
// Pos>=Length?(jge:Pos 到达 arg.2 时跳出循环)
00540839
|. |0F8D EA000000 |jge ihelper.00540929
0054083F
|. |8B45 08
|mov eax,[arg.1]
;
//arg.1=p加密字母
00540842
|. |0345 FC
|add eax,[local.1]
;
//eax+=Pos;
00540845
|. |0FBE08
|movsx ecx,byte ptr ds:[eax]
;
// ecx=pszCode[Pos]
00540848
|. |8A91 107B6900 |mov dl,byte ptr ds:[ecx+0x697B10]
;
//Ecx为下标,查表得Byte1
0054084E
|. |8855 FA
|mov byte ptr ss:[ebp-0x6],dl
00540851
|. |8B45 08
|mov eax,[arg.1]
00540854
|. |0345 FC
|add eax,[local.1]
00540857
|. |0FBE48 01
|movsx ecx,byte ptr ds:[eax+0x1]
0054085B
|. |8A91 107B6900 |mov dl,byte ptr ds:[ecx+0x697B10]
;
//Byte2
00540861
|. |8855 FB
|mov byte ptr ss:[ebp-0x5],dl
00540864
|. |8B45 08
|mov eax,[arg.1]
00540867
|. |0345 FC
|add eax,[local.1]
0054086A
|. |0FBE48 02
|movsx ecx,byte ptr ds:[eax+0x2]
0054086E
|. |8A91 107B6900 |mov dl,byte ptr ds:[ecx+0x697B10]
;
//Byte3
00540874
|. |8855 EF
|mov byte ptr ss:[ebp-0x11],dl
00540877
|. |8B45 08
|mov eax,[arg.1]
0054087A
|. |0345 FC
|add eax,[local.1]
0054087D
|. |0FBE48 03
|movsx ecx,byte ptr ds:[eax+0x3]
00540881
|. |8A91 107B6900 |mov dl,byte ptr ds:[ecx+0x697B10]
;
//Byte4
00540887
|. |8855 F9
|mov byte ptr ss:[ebp-0x7],dl
0054088A
|. |0FBE45 FA
|movsx eax,byte ptr ss:[ebp-0x6]
0054088E
|. |C1E0 02
|shl eax,0x2
;
//解码Char1时 Byte1<<2
00540891
|. |0FBE4D FB
|movsx ecx,byte ptr ss:[ebp-0x5]
00540895
|. |C1F9 04
|sar ecx,0x4
;
//解码Char1时Byte2>>4
00540898
|. |0BC1
|or eax,ecx
0054089A
|. |8B55 F4
|mov edx,[local.3]
0054089D
|. |0355 F0
|add edx,[local.4]
005408A0
|. |8802
|mov byte ptr ds:[edx],al
;
//解码后写入Char1
005408A2
|. |0FBE45 EF
|movsx eax,byte ptr ss:[ebp-0x11]
005408A6
|. |83F8 FE
|cmp eax,-0x2
;//Byte3='='?,等号结尾
005408A9
|. |75 0B
|jnz Xihelper.005408B6
;
//Byte3 不是 '=' 则跳到 005408B6 继续检查 Byte4
005408AB
|. |8B4D F0
|mov ecx,[local.4]
005408AE
|. |83C1 01
|add ecx,0x1
005408B1
|. |894D F0
|mov [local.4],ecx
005408B4
|. |EB 65
|jmp Xihelper.0054091B
005408B6
|> |0FBE55 F9
|movsx edx,byte ptr ss:[ebp-0x7]
005408BA
|. |83FA FE
|cmp edx,-0x2 ;//Byte4='='?,等号结尾
005408BD
|. |75 24
|jnz Xihelper.005408E3
005408BF
|. |0FBE45 FB
|movsx eax,byte ptr ss:[ebp-0x5]
005408C3
|. |C1E0 04
|shl eax,0x4
005408C6
|. |0FBE4D EF
|movsx ecx,byte ptr ss:[ebp-0x11]
005408CA
|. |C1F9 02
|sar ecx,0x2
005408CD
|. |0BC1
|or eax,ecx
005408CF
|. |8B55 F4
|mov edx,[local.3]
005408D2
|. |0355 F0
|add edx,[local.4]
005408D5
|. |8842 01
|mov byte ptr ds:[edx+0x1],al
005408D8
|. |8B45 F0
|mov eax,[local.4]
005408DB
|. |83C0 02
|add eax,0x2
005408DE
|. |8945 F0
|mov [local.4],eax
005408E1
|. |EB 38
|jmp Xihelper.0054091B
005408E3
|> |0FBE4D FB
|movsx ecx,byte ptr ss:[ebp-0x5]
005408E7
|. |C1E1 04
|shl ecx,0x4
;
//解码Char2时 Byte2<<4
005408EA
|. |0FBE55 EF
|movsx edx,byte ptr ss:[ebp-0x11]
005408EE
|. |C1FA 02
|sar edx,0x2
;
//解码Char2时 Byte3>>2
005408F1
|. |0BCA
|or ecx,edx
005408F3
|. |8B45 F4
|mov eax,[local.3]
005408F6
|. |0345 F0
|add eax,[local.4]
005408F9
|. |8848 01
|mov byte ptr ds:[eax+0x1],cl
;
//解码后写入Char2
005408FC
|. |0FBE4D EF
|movsx ecx,byte ptr ss:[ebp-0x11]
00540900
|. |C1E1 06
|shl ecx,0x6
;
//解码Char3时 Byte3<<6
00540903
|. |0FBE55 F9
|movsx edx,byte ptr ss:[ebp-0x7]
00540907
|. |0BCA
|or ecx,edx
00540909
|. |8B45 F4
|mov eax,[local.3]
0054090C
|. |0345 F0
|add eax,[local.4]
0054090F
|. |8848 02
|mov byte ptr ds:[eax+0x2],cl
;
//解码后写入Char3
00540912
|. |8B4D F0
|mov ecx,[local.4]
00540915
|. |83C1 03
|add ecx,0x3
00540918
|. |894D F0
|mov [local.4],ecx
;
//Local.4=CharCount
0054091B
|> |8B55 FC
|mov edx,[local.1]
0054091E
|. |83C2 04
|add edx,0x4
;
//Pos+=4
00540921
|. |8955 FC
|mov [local.1],edx
00540924
|.^\E9 0AFFFFFF
\jmp ihelper.00540833
;
//Loop
\\**********************************************************************
#include "stdafx.h"
#include <atlstr.h>
#include <iostream>
using namespace std;
// Decode table indexed by the ASCII code of an input character (0..127).
// As laid out below: 'A'-'Z' -> 0x00-0x19, 'a'-'z' -> 0x1A-0x33,
// '0'-'9' -> 0x34-0x3D, '=' -> 0xFE, and every slot other than '+' and '/'
// holds 0xFF.
// NOTE(review): '+' and '/' both hold 0x3F here, whereas the standard Base64
// alphabet assigns 0x3E to '+'; confirm against the table the disassembly
// reads at 0x697B10 before relying on '+'.
// NOTE(review): 0xFF and 0xFE do not fit in a signed char, so the stored values
// are negative where char is signed (the disassembly compares against -0x2).
// Compilers that enforce the C++11 narrowing rules reject these initializers.
char LISTCODE[]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x3F,0xFF,0xFF,0xFF,0x3F,\
0x34,0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,0x3D,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,\
0xFF,0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,\
0x0F,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0xFF,0xFF,0xFF,0xFF,0xFF,\
0xFF,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,\
0x29,0x2A,0x2B,0x2C,0x2D,0x2E,0x2F,0x30,0x31,0x32,0x33,0xFF,0xFF,0xFF,0xFF,0xFF};
// Number of entries in LISTCODE (8 rows of 16). The expansion is not
// parenthesized, so use it only where `16*8` binds as intended.
#define LISTSIZE 16*8
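// Decodes text in the 4-characters-to-3-bytes scheme described by LISTCODE.
//
// szCode   - encoded text. Spaces, tabs, CR and LF are skipped so that
//            line-wrapped input decodes as one stream.
// szDeCode - receives the decoded bytes. It is emptied first and is left
//            empty when the function fails.
// Returns the decoded length, or -1 when the input holds a character that
// is outside the table, maps to 0xFF, or leaves one dangling character.
//
// Compared with a fixed-stride loop this version never reads past the end of
// szCode, never indexes LISTCODE with a negative value (bytes >= 0x80 in a
// signed char), and stops at '=' instead of emitting a byte built from it.
int DeCode25pp(CStringA szCode,CStringA& szDeCode)
{
    const unsigned char kInvalid = 0xFF;   // table slot for "not in the alphabet"
    const unsigned char kPadding = 0xFE;   // table slot for '='

    // szCode is a by-value copy, so emptying the output is safe even when the
    // caller passes the same string for both arguments.
    szDeCode.Empty();

    const int nLength = szCode.GetLength();
    unsigned char Group[4];
    int nFilled = 0;

    for (int Pos = 0; Pos < nLength; ++Pos)
    {
        // Go through unsigned char so a byte >= 0x80 cannot become a
        // negative table index.
        const unsigned char Raw = static_cast<unsigned char>(szCode[Pos]);

        if (Raw == ' ' || Raw == '\t' || Raw == '\r' || Raw == '\n')
            continue;

        if (Raw >= (LISTSIZE))
        {
            szDeCode.Empty();
            return -1;
        }

        const unsigned char Value = static_cast<unsigned char>(LISTCODE[Raw]);

        if (Value == kPadding)
            break;                          // '=' ends the data

        if (Value == kInvalid)
        {
            szDeCode.Empty();
            return -1;
        }

        Group[nFilled++] = Value;

        if (nFilled == 4)
        {
            szDeCode += static_cast<char>(((Group[0] << 2) | (Group[1] >> 4)) & 0xFF);
            szDeCode += static_cast<char>(((Group[1] << 4) | (Group[2] >> 2)) & 0xFF);
            szDeCode += static_cast<char>(((Group[2] << 6) | Group[3]) & 0xFF);
            nFilled = 0;
        }
    }

    // A single leftover character carries only 6 bits and cannot form a byte.
    if (nFilled == 1)
    {
        szDeCode.Empty();
        return -1;
    }

    // Two leftover characters yield one byte, three yield two.
    if (nFilled >= 2)
        szDeCode += static_cast<char>(((Group[0] << 2) | (Group[1] >> 4)) & 0xFF);
    if (nFilled == 3)
        szDeCode += static_cast<char>(((Group[1] << 4) | (Group[2] >> 2)) & 0xFF);

    return szDeCode.GetLength();
}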
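// Demo driver: decodes the sample text from the write-up and prints it.
// Returns 0 on success and 1 when DeCode25pp reports invalid input.
int _tmain(int argc, _TCHAR* argv[])
{
    // The sample carries spaces between its 24-character chunks; whether they
    // decode cleanly depends on how DeCode25pp treats whitespace.
    CStringA strIn="aHR0cDovL3IyLjI1cHAuY29t L3NvZnQvMjAxMi8wMy8wNS8y MDEyMDMwNV8xOTQ2NF8zMDkz ODc0NTkxMS5pcGE=";
    CStringA strOut;

    // A negative return means the input was rejected; do not print the output.
    if (DeCode25pp(strIn,strOut)<0)
    {
        cerr<<"DeCode25pp: input is not valid encoded text"<<endl;
        getchar();
        return 1;
    }

    // GetString() gives read-only access; GetBuffer() would need a matching
    // ReleaseBuffer() call.
    cout<<strOut.GetString()<<endl;
    getchar();   // keep the console window open until a key is pressed
    return 0;
}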