吾爱破解安全大赛 cm7之浅析llvm
零、
首先膜拜论坛几位大神共享这次比赛的CM的解题思路,对于小白的我只能在此膜拜啊。所以在这里我们不聊其他的,本帖通过crackme32中c6ec函数为例聊聊CM7中的llvm混淆与恢复吧。
ida载入后得到的其中一个混淆的函数流程图和F5是这样的:
int __fastcall sub_C6EC(int a1, int a2, int a3, int a4)
{
signed int v4; // r2@1
signed int v5; // r6@3
char v6; // r1@5
char v7; // r2@7
signed int v8; // r0@9
int v9; // r0@23
int v10; // r1@23
signed int v11; // r0@23
unsigned __int8 v12; // nf@25
unsigned __int8 v13; // vf@25
signed int v14; // r1@25
unsigned __int8 v15; // zf@32
int v16; // r1@71
signed int v17; // r0@71
signed int v18; // r1@73
int v19; // r0@81
int v20; // r1@81
signed int v21; // r0@81
signed int v22; // r1@83
int v23; // r1@98
signed int v24; // r0@98
signed int v25; // r1@100
int v26; // r1@106
signed int v27; // r0@106
signed int v28; // r1@108
char v29; // r0@122
int v30; // r1@124
int v31; // r0@124
int v32; // r1@124
signed int v33; // r0@124
signed int v34; // r1@126
int v35; // r0@132
int v36; // r1@132
signed int v37; // r0@132
signed int v38; // r1@134
unsigned int v39; // r1@140
int v40; // r0@146
int v41; // r1@149
signed int v42; // r0@149
signed int v43; // r1@151
int v44; // r2@157
int v45; // r1@157
signed int v46; // r0@157
signed int v47; // r1@159
int v48; // r2@165
int v49; // r0@165
int v50; // r1@165
int v51; // r0@165
signed int v52; // r1@167
int v53; // r0@173
int v54; // r1@173
signed int v55; // r0@173
signed int v56; // r1@175
char v57; // r0@185
int v58; // r1@187
int v59; // r0@187
int v60; // r1@187
signed int v61; // r0@187
signed int v62; // r1@189
int v63; // r0@201
int v64; // r1@201
signed int v65; // r0@201
signed int v66; // r1@203
char v67; // r0@211
int v68; // r0@218
int v69; // r1@218
signed int v70; // r0@218
signed int v71; // r1@220
int v72; // r1@245
int v73; // r0@245
int v74; // r1@245
signed int v75; // r0@245
signed int v76; // r1@247
int v77; // r0@254
int v78; // r1@254
signed int v79; // r0@254
signed int v80; // r1@256
int v81; // r0@277
int v82; // r1@277
signed int v83; // r0@277
signed int v84; // r1@279
int v85; // r1@289
signed int v86; // r0@289
signed int v87; // r1@291
int v88; // r0@301
int v89; // r1@301
signed int v90; // r0@301
signed int v91; // r1@303
int v92; // r0@325
int v93; // r1@325
signed int v94; // r0@325
signed int v95; // r1@327
char v96; // zf@341
int v97; // r1@347
signed int v98; // r0@347
signed int v99; // r1@349
int result; // r0@354
int *v101; // @9
int v102; // @9
int *v103; // @9
int *v104; // @9
int *v105; // @9
int *v106; // @9
int *v107; // @9
int *v108; // @9
int *v109; // @9
int *v110; // @9
int v111; // @1
int *v112; // @9
int *v113; // @9
int v114; // @9
int *v115; // @9
int *v116; // @9
int *v117; // @9
int *v118; // @9
int v119; // @9
int *v120; // @9
int *v121; // @9
int *v122; // @9
int *v123; // @9
int v124; // @5
int *v125; // @9
int v126; // @1
int v127; // @9
int v128; // @9
int v129; // @9
int v130; // @9
int v131; // @9
int v132; // @9
int v133; // @9
int v134; // @9
int v135; // @1
int *v136; // @9
int v137; // @1
char v138; // @7
char v139; // @9
int *v140; // @12
int v141; // @12
char v142; // @89
int *v143; // @12
int v144; // @122
char v145; // @142
char v146; // @124
int v147; // @165
int v148; // @310
int v149; // @157
int v150; // @165
int v151; // @140
int v152; // @32
int v153; // @32
int v154; // @157
int v155; // @32
unsigned int v156; // @140
unsigned int v157; // @140
char v158; // @32
int v159; // @32
int v160; // @32
int v161; // @32
int v162; // @120
char v163; // @230
char v164; // @120
int v165; // @120
int v166; // @227
int v167; // @227
int v168; // @17
int v169; // @17
int v170; // @17
int v171; // @17
int v172; // @218
int v173; // @1
v111 = a1;
v137 = a3;
v126 = a4;
v135 = a2;
v173 = unk_4E04C;
v4 = -579956637;
if ( !a2 )
v4 = 20066;
LOWORD(v5) = 9458;
if ( !a2 )
HIWORD(v4) = -22070;
v6 = 0;
v124 = v4;
if ( !(((unk_556A4 - 1) * unk_556A4 ^ 0xFFFFFFFE) & (unk_556A4 - 1) * unk_556A4) )
v6 = 1;
v138 = v6;
v7 = 0;
if ( unk_556D4 < 10 )
v7 = 1;
v139 = v7;
v127 = (int)&unk_4C000;
HIWORD(v5) = 30605;
v110 = &dword_4BFF4;
v109 = &dword_4BFF4;
v108 = &dword_4BFF4;
v107 = &dword_4BFF4;
v106 = &dword_4BFF4;
v105 = &dword_4BFF4;
v104 = &dword_4BFF4;
v103 = &dword_4BFF4;
v102 = (int)&unk_4C000;
v101 = &dword_4BFF4;
v112 = &dword_4BFF4;
v113 = &dword_4BFF4;
v114 = (int)&unk_474BF;
v134 = -19253;
v115 = &dword_4BFF4;
v133 = -19253;
v116 = &dword_4BFF4;
v132 = -19253;
v117 = &dword_4BFF4;
v131 = -19253;
v118 = &dword_4BFF4;
v128 = -19253;
v120 = &dword_4BFF4;
v129 = -19253;
v121 = &dword_4BFF4;
v130 = -19253;
v122 = &dword_4BFF4;
v119 = -19253;
v123 = &dword_4BFF4;
v125 = &dword_4BFF4;
v136 = &dword_4BFF4;
v8 = -768040915;
do
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( v8 <= -1901452613 )
{
if ( v8 == -2107012333 )
{
sub_14B4E(v137, v141, 0);
v143 = v140;
v8 = 615070360;
}
}
if ( v8 <= 2144827489 )
break;
if ( v8 == 2144827490 )
v8 = 1412174859;
}
if ( v8 <= 2005738737 )
break;
if ( v8 == v5 )
{
v9 = (*(_DWORD *)*(v136 - 120) - 1) * *(_DWORD *)*(v136 - 120);
v10 = *(_DWORD *)*(v136 - 119);
v15 = ((v9 ^ 0xFFFFFFFE) & v9) == 0;
v11 = 0;
if ( v15 )
v11 = 1;
v13 = __OFSUB__(v10, 10);
v12 = v10 - 10 < 0;
v14 = 0;
if ( v12 ^ v13 )
v14 = 1;
v15 = (v11 ^ v14 | v11 & v14) == 0;
v8 = 200515412;
if ( !v15 )
v8 = 1875019872;
}
}
if ( v8 > -1862303910 )
break;
if ( v8 == -1901452612 )
{
v168 = v131;
v169 = v132;
v170 = v133;
v171 = v134;
v8 = -1343014647;
if ( v133 < v135 )
v8 = -211159207;
}
}
if ( v8 > -1725333822 )
break;
if ( v8 == -1862303909 )
{
v159 = v152 + 1;
*(_BYTE *)v152 = v158;
v160 = v153 + 1;
v161 = *(_BYTE *)v155;
v15 = v161 == *(_BYTE *)v127;
v8 = 408476889;
v130 = v155;
if ( !v15 )
v8 = 5570;
v129 = v159;
if ( !v15 )
HIWORD(v8) = -8680;
v128 = v160;
}
}
if ( v8 > -1693408896 )
break;
if ( v8 == -1725333821 )
v8 = 1485624584;
}
if ( v8 <= 1926646756 )
break;
if ( v8 == 1926646757 )
v8 = 1265469521;
}
if ( v8 <= 1911860848 )
break;
if ( v8 == 1911860849 )
{
v19 = *(v125 - 120);
v141 = *(_DWORD *)v126;
v20 = *(_DWORD *)*(v125 - 119);
v15 = (((*(_DWORD *)v19 - 1) * *(_DWORD *)v19 ^ 0xFFFFFFFE) & (*(_DWORD *)v19 - 1) * *(_DWORD *)v19) == 0;
v21 = 0;
if ( v15 )
v21 = 1;
v13 = __OFSUB__(v20, 10);
v12 = v20 - 10 < 0;
v22 = 0;
if ( v12 ^ v13 )
v22 = 1;
v15 = (v21 ^ v22 | v21 & v22) == 0;
v8 = -1322783334;
if ( !v15 )
v8 = -787925199;
}
}
if ( v8 <= 1888903569 )
break;
if ( v8 == 1888903570 )
{
v8 = -2107012333;
if ( v142 )
v8 = -1446359454;
}
}
if ( v8 <= 1875019871 )
break;
if ( v8 == 1875019872 )
v8 = 1826254214;
}
if ( v8 <= 1826254213 )
break;
if ( v8 == 1826254214 )
v8 = v124;
}
if ( v8 <= 1786078353 )
break;
if ( v8 == 1786078354 )
{
v23 = *(_DWORD *)*(v123 - 119);
v24 = 0;
if ( (~((*(_DWORD *)*(v123 - 120)
- 1)
* *(_DWORD *)*(v123 - 120)) | 0xFFFFFFFE) == -1 )
v24 = 1;
v13 = __OFSUB__(v23, 10);
v12 = v23 - 10 < 0;
v25 = 0;
if ( v12 ^ v13 )
v25 = 1;
v15 = (v24 ^ v25 | v24 & v25) == 0;
v8 = -1725333821;
if ( !v15 )
v8 = 1485624584;
}
}
if ( v8 <= 1759492015 )
break;
if ( v8 == 1759492016 )
{
v26 = *(_DWORD *)*(v122 - 119);
v27 = 0;
if ( (~((*(_DWORD *)*(v122 - 120) - 1)
* *(_DWORD *)*(v122 - 120)) | 0xFFFFFFFE) != -1 )
v27 = 1;
v13 = __OFSUB__(v26, 9);
v15 = v26 == 9;
v12 = v26 - 9 < 0;
v28 = 0;
if ( !((unsigned __int8)(v12 ^ v13) | v15) )
v28 = 1;
v15 = (v27 ^ v28 | (v27 | v28) ^ 1) == 0;
v8 = -1224362487;
if ( !v15 )
v8 = 552383739;
}
}
if ( v8 <= 1668326195 )
break;
if ( v8 == 1668326196 )
v8 = 1386747132;
}
if ( v8 <= 1662374462 )
break;
if ( v8 == 1662374463 )
v8 = -709053658;
}
if ( v8 <= 1628979202 )
break;
if ( v8 == 1628979203 )
v8 = 1003626917;
}
if ( v8 <= 1559277927 )
break;
if ( v8 == 1559277928 )
{
*(_BYTE *)v159 = v164;
v130 = v162;
v128 = v160 + 1;
v129 = v165;
v8 = 408476889;
}
}
if ( v8 <= 1485624583 )
break;
if ( v8 == 1485624584 )
{
v29 = 0;
if ( v144 != 10 )
v29 = 1;
v30 = *v121;
v146 = v29;
v31 = (*(_DWORD *)v30 - 1) * *(_DWORD *)v30;
v32 = *(_DWORD *)*v121;
v15 = ((v31 ^ 0xFFFFFFFE) & v31) == 0;
v33 = 0;
if ( v15 )
v33 = 1;
v13 = __OFSUB__(v32, 10);
v12 = v32 - 10 < 0;
v34 = 0;
if ( v12 ^ v13 )
v34 = 1;
v15 = (v33 ^ v34 | v33 & v34) == 0;
v8 = -1725333821;
if ( !v15 )
v8 = 2144827490;
}
}
if ( v8 <= 1412174858 )
break;
if ( v8 == 1412174859 )
{
v35 = (*(_DWORD *)*v120 - 1) * *(_DWORD *)*v120;
v36 = *(_DWORD *)*v120;
v15 = ((v35 ^ 0xFFFFFFFE) & v35) == 0;
v37 = 0;
if ( v15 )
v37 = 1;
v13 = __OFSUB__(v36, 10);
v12 = v36 - 10 < 0;
v38 = 0;
if ( v12 ^ v13 )
v38 = 1;
v15 = (v37 & v38 | v37 ^ v38) == 0;
v8 = -329744832;
if ( !v15 )
v8 = -130772934;
}
}
if ( v8 <= 1386747131 )
break;
if ( v8 == 1386747132 )
{
v39 = ((v156 >> 4) ^ 0xFFFFFFC) & (v156 >> 4);
v157 = v151 + (v156 << 12) + v39;
v158 = (unsigned __int16)((_WORD)v151
+ ((_WORD)v156 << 12)
+ (_WORD)v39) >> 8;
v8 = -1862303909;
}
}
if ( v8 <= 1360782912 )
break;
if ( v8 == 1360782913 )
{
v8 = -206615233;
if ( v145 )
v8 = 1786078354;
}
}
if ( v8 <= 1324097311 )
break;
if ( v8 == 1324097312 )
{
v40 = v171;
goto LABEL_147;
}
}
if ( v8 <= 1291296763 )
break;
if ( v8 == 1291296764 )
{
v41 = *(_DWORD *)*v118;
v42 = 0;
if ( (~((*(_DWORD *)*v118 - 1) * *(_DWORD *)*v118) | 0xFFFFFFFE) == -1 )
v42 = 1;
v13 = __OFSUB__(v41, 10);
v12 = v41 - 10 < 0;
v43 = 0;
if ( v12 ^ v13 )
v43 = 1;
v15 = (v42 & v43 | v42 ^ v43) == 0;
v8 = 517347731;
if ( !v15 )
v8 = 1324097312;
}
}
if ( v8 <= 1265469520 )
break;
if ( v8 == 1265469521 )
{
v155 = v149 + 1;
v44 = *v117;
v156 = *((_BYTE *)v140 + v154);
v45 = *(_DWORD *)*v117;
v46 = 0;
if ( (~((*(_DWORD *)v44 - 1) * *(_DWORD *)v44) | 0xFFFFFFFE) == -1 )
v46 = 1;
v13 = __OFSUB__(v45, 10);
v12 = v45 - 10 < 0;
v47 = 0;
if ( v12 ^ v13 )
v47 = 1;
v15 = (v46 ^ v47 | v46 & v47) == 0;
v8 = 1926646757;
if ( !v15 )
v8 = 1668326196;
}
}
if ( v8 <= 1003626916 )
break;
if ( v8 == 1003626917 )
{
v149 = v147 + 1;
v48 = *v116;
v150 = *((_BYTE *)v140 + *(_BYTE *)v147);
v49 = ~-*(_DWORD *)v48 * *(_DWORD *)v48;
v50 = *(_DWORD *)*v116;
v51 = (v49 ^ 0xFFFFFFFE) & v49;
if ( v51 )
v51 = 1;
v13 = __OFSUB__(v50, 9);
v15 = v50 == 9;
v12 = v50 - 9 < 0;
v52 = 0;
if ( !((unsigned __int8)(v12 ^ v13) | v15) )
v52 = 1;
v15 = (v51 ^ v52 | (v51 | v52) ^ 1) == 0;
v8 = 1628979203;
if ( !v15 )
v8 = 27249737;
}
}
if ( v8 <= 881679339 )
break;
if ( v8 == 881679340 )
{
v53 = (*(_DWORD *)*v115 - 1) * *(_DWORD *)*v115;
v54 = *(_DWORD *)*v115;
v15 = ((v53 ^ 0xFFFFFFFE) & v53) == 0;
v55 = 0;
if ( v15 )
v55 = 1;
v13 = __OFSUB__(v54, 10);
v12 = v54 - 10 < 0;
v56 = 0;
if ( v12 ^ v13 )
v56 = 1;
v15 = (v55 & v56 | v55 ^ v56) == 0;
v8 = 517347731;
if ( !v15 )
v8 = 1291296764;
}
}
if ( v8 <= 782683747 )
break;
if ( v8 == 782683748 )
v8 = 416826029;
}
if ( v8 <= 615070359 )
break;
if ( v8 == 615070360 )
{
sub_14B4A(v143, v114, 256);
v8 = -1693408895;
}
}
if ( v8 <= 552383738 )
break;
if ( v8 == 552383739 )
{
v57 = 0;
if ( v144 != 13 )
v57 = 1;
v58 = *v113;
v145 = v57;
v59 = (*(_DWORD *)v58 - 1) * *(_DWORD *)v58;
v60 = *(_DWORD *)*v113;
v15 = ((v59 ^ 0xFFFFFFFE) & v59) == 0;
v61 = 0;
if ( v15 )
v61 = 1;
v13 = __OFSUB__(v60, 10);
v12 = v60 - 10 < 0;
v62 = 0;
if ( v12 ^ v13 )
v62 = 1;
v15 = (v61 ^ v62 | v61 & v62) == 0;
v8 = -1224362487;
if ( !v15 )
v8 = -327612536;
}
}
if ( v8 <= 517347730 )
break;
if ( v8 == 517347731 )
v8 = 1291296764;
}
if ( v8 <= 492339595 )
break;
if ( v8 == 492339596 )
{
v8 = -206615233;
if ( v146 )
v8 = -341342023;
}
}
if ( v8 <= 416826028 )
break;
if ( v8 == 416826029 )
{
v63 = (*(_DWORD *)*v112 - 1) * *(_DWORD *)*v112;
v64 = *(_DWORD *)*v112;
v15 = ((v63 ^ 0xFFFFFFFE) & v63) == 0;
v65 = 0;
if ( v15 )
v65 = 1;
v13 = __OFSUB__(v64, 10);
v12 = v64 - 10 < 0;
v66 = 0;
if ( v12 ^ v13 )
v66 = 1;
v15 = (v65 & v66 | v65 ^ v66) == 0;
v8 = 782683748;
if ( !v15 )
v8 = -594247879;
}
}
if ( v8 <= 408476888 )
break;
if ( v8 == 408476889 )
{
v134 = v128;
v133 = v170 + 4;
v8 = -1901452612;
v132 = v129;
v131 = v130;
}
}
if ( v8 <= 373449796 )
break;
if ( v8 == 373449797 )
{
v67 = 0;
if ( v141 < v135 )
v67 = 1;
v142 = v67;
v8 = 1888903570;
}
}
if ( v8 <= 268320251 )
break;
if ( v8 == 268320252 )
v8 = -968901991;
}
if ( v8 > -1687541981 )
break;
if ( v8 == -1693408895 )
{
v16 = *(_DWORD *)*(v110 - 119);
v17 = 0;
if ( (~((*(_DWORD *)*(v110 - 120) - 1) * *(_DWORD *)*(v110 - 120)) | 0xFFFFFFFE) == -1 )
v17 = 1;
v13 = __OFSUB__(v16, 10);
v12 = v16 - 10 < 0;
v18 = 0;
if ( v12 ^ v13 )
v18 = 1;
v15 = (v17 & v18 | v17 ^ v18) == 0;
v8 = 1662374463;
if ( !v15 )
v8 = -709053658;
}
}
if ( v8 > -1642076405 )
break;
if ( v8 == -1687541980 )
{
v172 = v119;
v68 = (*(_DWORD *)*v109 - 1) * *(_DWORD *)*v109;
v69 = *(_DWORD *)*v109;
v15 = ((v68 ^ 0xFFFFFFFE) & v68) == 0;
v70 = 0;
if ( v15 )
v70 = 1;
v13 = __OFSUB__(v69, 10);
v12 = v69 - 10 < 0;
v71 = 0;
if ( v12 ^ v13 )
v71 = 1;
v15 = (v70 & v71 | v70 ^ v71) == 0;
v8 = 782683748;
if ( !v15 )
v8 = 416826029;
}
}
if ( v8 > -1447795291 )
break;
if ( v8 == -1642076404 )
{
v131 = v166;
v133 = v167;
v134 = v171;
v132 = v169;
v8 = -1901452612;
}
}
if ( v8 > -1446359455 )
break;
if ( v8 == -1447795290 )
{
v164 = 4 * v163 + v157;
v165 = v159 + 1;
v8 = 1559277928;
}
}
if ( v8 > -1343014648 )
break;
if ( v8 == -1446359454 )
{
v40 = 0;
LABEL_147:
v119 = v40;
v8 = -1687541980;
}
}
if ( v8 > -1322783335 )
break;
if ( v8 == -1343014647 )
v8 = 881679340;
}
if ( v8 > -1224362488 )
break;
if ( v8 == -1322783334 )
v8 = 1911860849;
}
if ( v8 > -968901992 )
break;
if ( v8 == -1224362487 )
v8 = 552383739;
}
if ( v8 > -917428403 )
break;
if ( v8 == -968901991 )
{
v72 = *v108;
v140 = (int *)(&v101 - 64);
v73 = (*(_DWORD *)v72 - 1) * *(_DWORD *)v72;
v74 = *(_DWORD *)*v108;
v15 = ((v73 ^ 0xFFFFFFFE) & v73) == 0;
v75 = 0;
if ( v15 )
v75 = 1;
v13 = __OFSUB__(v74, 10);
v12 = v74 - 10 < 0;
v76 = 0;
if ( v12 ^ v13 )
v76 = 1;
v15 = (v75 ^ v76 | v75 & v76) == 0;
v8 = 268320252;
if ( !v15 )
v8 = -821278251;
}
}
if ( v8 > -858444357 )
break;
if ( v8 == -917428402 )
{
v77 = (*(_DWORD *)*v107 - 1) * *(_DWORD *)*v107;
v78 = *(_DWORD *)*v107;
v15 = ((v77 ^ 0xFFFFFFFE) & v77) == 0;
v79 = 0;
if ( v15 )
v79 = 1;
v13 = __OFSUB__(v78, 10);
v12 = v78 - 10 < 0;
v80 = 0;
if ( v12 ^ v13 )
v80 = 1;
v15 = (v79 & v80 | v79 ^ v80) == 0;
v8 = 200515412;
if ( !v15 )
v8 = 2005738738;
}
}
if ( v8 > -821278252 )
break;
if ( v8 == -858444356 )
{
v167 = v170 + 1;
v8 = -1642076404;
}
}
if ( v8 > -787925200 )
break;
if ( v8 == -821278251 )
v8 = -917428402;
}
if ( v8 > -768040916 )
break;
if ( v8 == -787925199 )
v8 = 373449797;
}
if ( v8 > -709053659 )
break;
if ( v8 == -768040915 )
{
v8 = 268320252;
if ( ((unsigned __int8)(v138 ^ v139) | (unsigned __int8)~(~v138 | (unsigned __int8)~v139)) & 1 )
v8 = -968901991;
}
}
if ( v8 > -594247880 )
break;
if ( v8 == -709053658 )
{
v81 = (*(_DWORD *)*v106 - 1) * *(_DWORD *)*v106;
v82 = *(_DWORD *)*v106;
v15 = ((v81 ^ 0xFFFFFFFE) & v81) == 0;
v83 = 0;
if ( v15 )
v83 = 1;
v13 = __OFSUB__(v82, 10);
v12 = v82 - 10 < 0;
v84 = 0;
if ( v12 ^ v13 )
v84 = 1;
v15 = (v83 ^ v84 | v83 & v84) == 0;
v8 = 1662374463;
if ( !v15 )
v8 = -121304508;
}
}
if ( v8 <= -579956638 )
break;
if ( v8 > -568846911 )
{
if ( v8 > -406745412 )
{
if ( v8 > -341342024 )
{
if ( v8 > -329744833 )
{
if ( v8 > -327612537 )
{
if ( v8 > -211159208 )
{
if ( v8 > -206615234 )
{
if ( v8 > -130772935 )
{
if ( v8 > -121304509 )
{
if ( v8 > 27249736 )
{
if ( v8 > 74139172 )
{
switch ( v8 )
{
case 74139173:
v151 = (((v150 << 22) ^ 0xFF000000) & (v150 << 22))
+ v148
+ (((v150 << 6) ^ 0xFFFFF0C0) & (v150 << 6));
v152 = v169 + 1;
*(_BYTE *)v169 = (unsigned int)v151 >> 16;
v153 = v171 + 1;
v154 = *(_BYTE *)v149;
v96 = v154 == *(_BYTE *)v102;
v8 = 408476889;
v130 = v149;
if ( !v96 )
v8 = 31171;
v129 = v152;
if ( !v96 )
HIWORD(v8) = 3061;
v128 = v153;
break;
case 200515412:
v8 = v5;
break;
case 200636867:
v97 = *(_DWORD *)*v101;
v98 = 0;
if ( (~((*(_DWORD *)*v101 - 1) * *(_DWORD *)*v101) | 0xFFFFFFFE) == -1 )
v98 = 1;
v13 = __OFSUB__(v97, 10);
v12 = v97 - 10 < 0;
v99 = 0;
if ( v12 ^ v13 )
v99 = 1;
v15 = (v98 & v99 | v98 ^ v99) == 0;
v8 = 1926646757;
if ( !v15 )
v8 = 1265469521;
break;
}
}
else if ( v8 == 27249737 )
{
v8 = 74139173;
}
}
else if ( v8 == -121304508 )
{
v133 = 0;
v134 = 0;
v8 = -1901452612;
v132 = v137;
v131 = v111;
}
}
else if ( v8 == -130772934 )
{
v92 = (*(_DWORD *)*v103 - 1) * *(_DWORD *)*v103;
v93 = *(_DWORD *)*v103;
v15 = ((v92 ^ 0xFFFFFFFE) & v92) == 0;
v94 = 0;
if ( v15 )
v94 = 1;
v13 = __OFSUB__(v93, 10);
v12 = v93 - 10 < 0;
v95 = 0;
if ( v12 ^ v13 )
v95 = 1;
v15 = (v94 & v95 | v94 ^ v95) == 0;
v8 = -329744832;
if ( !v15 )
v8 = 492339596;
}
}
else if ( v8 == -206615233 )
{
v166 = v168 + 1;
v8 = -858444356;
}
}
else if ( v8 == -211159207 )
{
v144 = *(_BYTE *)v168;
v8 = 1759492016;
}
}
else if ( v8 == -327612536 )
{
v8 = 1360782913;
}
}
else if ( v8 == -329744832 )
{
v8 = -130772934;
}
}
else if ( v8 == -341342023 )
{
v147 = v168 + 1;
v148 = *((_BYTE *)v140 + v144) << 16;
v8 = -406745411;
}
}
else if ( v8 == -406745411 )
{
v88 = ~-*(_DWORD *)*v104 * *(_DWORD *)*v104;
v89 = *(_DWORD *)*v104;
v15 = ((v88 ^ 0xFFFFFFFE) & v88) == 0;
v90 = 0;
if ( v15 )
v90 = 1;
v13 = __OFSUB__(v89, 10);
v12 = v89 - 10 < 0;
v91 = 0;
if ( v12 ^ v13 )
v91 = 1;
v15 = (v90 ^ v91 | v90 & v91) == 0;
v8 = 1628979203;
if ( !v15 )
v8 = 1003626917;
}
}
else if ( v8 == -568846910 )
{
v162 = v155 + 1;
v163 = *((_BYTE *)v140 + v161);
v8 = -1447795290;
}
}
else if ( v8 == -579956637 )
{
v85 = *(_DWORD *)*v105;
v86 = 0;
if ( (~(~-*(_DWORD *)*v105 * *(_DWORD *)*v105) | 0xFFFFFFFE) == -1 )
v86 = 1;
v13 = __OFSUB__(v85, 10);
v12 = v85 - 10 < 0;
v87 = 0;
if ( v12 ^ v13 )
v87 = 1;
v15 = (v86 & v87 | v86 ^ v87) == 0;
v8 = -1322783334;
if ( !v15 )
v8 = 1911860849;
}
}
}
while ( v8 != -594247879 );
result = v172;
if ( v0 != v173 )
{
((void (__fastcall *)(int, int))loc_19420)(v172, v0 - v173);
result = sub_DFA4();
}
return result;
}
由于在做本题之前,还不知道有llvm这回事,当时真是把本宝宝给吓尿了,不过可以看得出如此复杂并非人为。既然是程序混淆必定会有他的混淆规则,也就是“套路”。
一、混淆
经过总结我们得出了本次混淆的几点套路:
TL1.最明显的发现,用了非常多的if,while的嵌套以混淆对函数结构的整体把握
TL2.出现了必真必假的逻辑垃圾(即不透明谓词),这对我们后面分析有很大帮助。例如 ((x-1)*x ^ 0xFFFFFFFE) & (x-1)*x 只保留乘积的最低位,而相邻两个整数之积必为偶数,所以该式恒为0
TL3.定义了相同意义的变量,仅仅被赋值过一次(不过未必是llvm的产物)
TL4.多出一堆无意义的变量来实现无意义代码和循环往复的跳转代码
如num2中看到的v12 v13
TL5.有一个关键变量,类似pc来实现跳转(即控制流平坦化中的分发状态变量),本例为v8
TL6.多重嵌套时,真正有效的代码部分总是在条件判断pc全等的情况,可以直接忽略pc大于小于等判断
TL7.最后以while(类pc != xxx)来跳出准备结束函数
有了上述套路,对我们恢复llvm混淆函数有非常大的帮助。 哦?你问我套路怎么得来的,先挑一个相对短一点的混淆函数,然后让我们一起愉快的F8吧!
二、恢复
其实前面说了一堆混淆的内容要作为恢复的根据,我们现在开始尝试恢复。在恢复前不得不提一下本例c6ec因为花指令无法F5,需要修花。
来到c6ec,F5提示没有function,按P创建函数时报错。找到报错地址,用patch program修补后按C转成代码,然后回到c6ec按P创建函数,再F5,反编译结束。注意不要在我们patch的地方F8或下断点。
恢复第一步,我命名为f,j变量聚类。
简单的说就是把变量分成功能变量,混淆变量,但是怎么区分呢:
我们手中已经有一些已知变量的分类:
FL1.类pc,单独一类
FL2.无效逻辑代码所用到的变量都可以认定为混淆变量(我起名为jx,j表示junk,x代表原变量名中的数字建议不改恢复方便)
FL3.本函数的输入参数,功能函数的输入参数都认为是f变量(我起名为fx,f表示func,x你懂了)
有了这些变量,开始聚类,和f变有比较,赋值,函数传参操作的全部定义为f变量,越吸越多跟画板中同色填充一样
同样的与j变量比较,赋值的变量互相吸收为同类
我们修复后会发现一部分f变量j变量互相操作的,要人工修复。优先设成f,宁可多分析无效的变量也绝对不可错杀f变量,还有一些始终不确定的保留原来的vx吧。
接下来同义变量吸收,这步需要写一些代码来分析,但是着实有些帮助。思路是找到某些变量,这些变量当左值仅仅一次并且分析后可以用右值代替。
前面说过,有效代码只出现在类pc全等判断的块中。逐个检查这些块:只要不是全部由j变量自己瞎玩,也就是只要有函数调用或f变量操作,就全部下断,对,全部下断。去掉无效块后,估计只有十来个有效块。下断完全速跑,记录断点停留顺序,包括重复进入的顺序。如下图所示:
开一个编辑器,从小到大依次复制代码块,重复的只复制一次就可以了。
然后开始分析,只进入过一次的代码块很好分析一般只在开始和结束出现。出现过多次的肯定由if语句或循环语句实现,而在这里肯定是上文有代码块对类pc变量有过不同的赋值来实现if或循环。
知道这些,再根据我们得到的代码块进入次序,我们开始拼接代码。假设进入顺序为1的块和顺序为2的块可以直接合并,这种块只运行一次,常见于刚开始或快结束。
假设进入顺序为5,10,19和进入顺序为6,11,20的块可以直接合并,当然要先确认前者代码块中没有对类pc变量进行可能不同的赋值。
其他的如进入顺序为8,13,25和进入顺序为9,27的函数,去关注期间对类pc变量赋不同值的条件,非常重要,如上图的f138<keylen就是循环条件之一。
有了这些信息我们就可以完完整整还原这个函数了。
c6ec函数最后的恢复结果:
#include <stdio.h>
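/*
 * 256-entry lookup table used by the recovered routine: indexed by an input
 * byte, it yields a value in 0x00..0x3F (bytes outside the alphabet map to 0).
 *
 * NOTE(review): the forum rendering stripped every "[...]" from this listing,
 * which left it uncompilable. The [256] bound is restored from the 16x16
 * initialiser below.
 */
char bookBase[256]={
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x0B,0x16,0x09,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,
0x11,0x26,0x23,0x1F,0x1D,0x0D,0x30,0x04,0x33,0x00,0x00,0x00,0x36,0x08,0x35,0x00,
0x1A,0x2F,0x0E,0x12,0x00,0x05,0x2A,0x1C,0x14,0x2B,0x28,0x07,0x3E,0x1E,0x00,0x3A,
0x3C,0x19,0x0C,0x10,0x0F,0x2E,0x13,0x34,0x0A,0x02,0x3B,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x39,0x3D,0x06,0x1B,0x3F,0x21,0x00,0x29,0x01,0x38,0x2C,0x20,0x25,0x27,
0x18,0x22,0x31,0x32,0x24,0x15,0x00,0x37,0x17,0x2D,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

/*
 * Stand-alone re-implementation of the logic recovered from sub_C6EC: every
 * group of four input bytes is mapped through bookBase and packed into three
 * output bytes. The first eight output bytes are printed as hex.
 *
 * NOTE(review): the array subscripts were lost in the forum rendering. They
 * are reconstructed here from the decompiled listing of the same function on
 * this page:
 *   - first table value  << 16                  (block -341342023)
 *   - second table value in the <<22 / <<6 term (block 74139173)
 *   - third table value  in the >>4 / <<12 term (block 1386747132)
 *   - fourth table value * 4                    (block -1447795290)
 * The size of out[] and the printed indices 0..7 are the reviewer's
 * reconstruction, not the author's original text.
 * Unlike the original routine, this demo does not skip CR/LF and does not
 * stop a group early at the padding byte.
 */
int main()/* fix sub_C6EC */
{
    char key[]="11111111111";   /* 11 chars + NUL = 12 bytes = 3 groups of 4 */
    char out[16]={0};           /* 3 groups * 3 bytes are written below */
    int f156_OK,f40_OK,f162_OK,i;
    int returnValue = 0;

    for(i=0;i<3;i++){
        /* Index the table with unsigned bytes, as the decompiled code does
         * with *(_BYTE *), so a byte >= 0x80 can never become a negative
         * index where plain char is signed. */
        const unsigned char *in = (const unsigned char *)key + i*4;
        char *dst = out + i*3;

        f156_OK = (((bookBase[in[1]] << 22) ^ 0xFF000000) & (bookBase[in[1]] << 22))// 9 20 31
            + (bookBase[in[0]]<<16)
            + (((bookBase[in[1]] << 6) ^ 0xFFFFF0C0) & (bookBase[in[1]] << 6));
        dst[0] = (unsigned int)f156_OK >> 16;

        f40_OK = ((bookBase[in[2]] >> 4) ^ 0xFFFFFFC) & (bookBase[in[2]] >> 4);// 10 21 32
        f162_OK = f156_OK + (bookBase[in[2]] << 12) + f40_OK;
        /* The decompiled code shifts an unsigned 16-bit value; the posted
         * version used (short), which right-shifts a possibly negative value
         * (implementation-defined). The stored low byte is the same. */
        dst[1] = (unsigned short)((unsigned short)f156_OK
            + ((unsigned short)bookBase[in[2]] << 12)
            + (unsigned short)f40_OK) >> 8;

        dst[2] = 4 * bookBase[in[3]] + f162_OK;
    }
    returnValue = i*3;          /* number of output bytes produced */
    (void)returnValue;

    printf("%02x %02x %02x %02x ",out[0]&0xFF,out[1]&0xFF,out[2]&0xFF,out[3]&0xFF);
    printf("%02x %02x %02x %02x\n",out[4]&0xFF,out[5]&0xFF,out[6]&0xFF,out[7]&0xFF);
    return 0;
}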
再贴上f,j聚类后的ida反编译代码:
int __fastcall keyGen0GostencodeA_C6EC(char *key, int keylen, int a3, int a4, int *a5)
{
signed int j5; // r2@1
signed int j6; // r6@3
char v7; // r1@5
char v8; // r2@7
signed int u9; // r0@9
int j10; // r0@23
int j11; // r1@23
signed int j12; // r0@23
unsigned __int8 j13; // nf@25
unsigned __int8 j14; // vf@25
signed int j15; // r1@25
unsigned __int8 j16; // zf@32
int j17; // r1@71
signed int j18; // r0@71
signed int j19; // r1@73
int j20; // r0@81
int j21; // r1@81
signed int j22; // r0@81
signed int j23; // r1@83
int j24; // r1@98
signed int j25; // r0@98
signed int j26; // r1@100
int j27; // r1@106
signed int j28; // r0@106
signed int j29; // r1@108
char notKeyEnd2Flag; // r0@122
int j31; // r1@124
int j32; // r0@124
int j33; // r1@124
signed int j34; // r0@124
signed int j35; // r1@126
int j36; // r0@132
int j37; // r1@132
signed int j38; // r0@132
signed int j39; // r1@134
unsigned int f40; // r1@140
int result_; // r0@146
int j42; // r1@149
signed int j43; // r0@149
signed int j44; // r1@151
int j45; // r2@157
int j46; // r1@157
signed int j47; // r0@157
signed int j48; // r1@159
int j49; // r2@165
int j50; // r0@165
int j51; // r1@165
int j52; // r0@165
signed int j53; // r1@167
int j54; // r0@173
int j55; // r1@173
signed int j56; // r0@173
signed int j57; // r1@175
char NotKeyEndFlag; // r0@185
int j59; // r1@187
int j60; // r0@187
int j61; // r1@187
signed int j62; // r0@187
signed int j63; // r1@189
int j64; // r0@201
int j65; // r1@201
signed int notEndFlag; // r0@201
signed int j67; // r1@203
char f68; // r0@211
int j69; // r0@218
int j70; // r1@218
signed int j71; // r0@218
signed int j72; // r1@220
int j73; // r1@245
int j74; // r0@245
int j75; // r1@245
signed int j76; // r0@245
signed int j77; // r1@247
int j78; // r0@254
int j79; // r1@254
signed int j80; // r0@254
signed int j81; // r1@256
int j82; // r0@277
int j83; // r1@277
signed int j84; // r0@277
signed int j85; // r1@279
int j86; // r1@289
signed int j87; // r0@289
signed int j88; // r1@291
int j89; // r0@301
int j90; // r1@301
signed int j91; // r0@301
signed int j92; // r1@303
int j93; // r0@325
int j94; // r1@325
signed int j95; // r0@325
signed int j96; // r1@327
char v97; // zf@341
int j98; // r1@347
signed int j99; // r0@347
signed int j100; // r1@349
int result; // r0@354
int v102; // r0@355
char *v103; // r1@355
int v104; // r2@355
int v105; // r3@355
int *j106; // @9
int v107; // @9
int *j108; // @9
int *j109; // @9
int *j110; // @9
int *j111; // @9
int *j112; // @9
int *j113; // @9
int *j114; // @9
int *j115; // @9
char *key_; // @1
int *j117; // @9
int *j118; // @9
int v119; // @9
int *j120; // @9
int *j121; // @9
int *v122; // @9
int *j123; // @9
int result__; // @9
int *j125; // @9
int *j126; // @9
int *j127; // @9
int *j128; // @9
int v129; // @5
int *j130; // @9
int i4_; // @1
int j132; // @9
int v133; // @9
int f134; // @9
int v135; // @9
int f136; // @9
int f137; // @9
int f138; // @9
int result___; // @9
int keylen_; // @1
int *j141; // @9
int f142; // @1
char j143; // @7
char j144; // @9
int *bookBase; // @12
int f146; // @12
char notEndFlag_; // @89
int *bookBase_; // @12
int nowKeyChar; // @122
char NotKeyEndFlag_; // @142
char notKeyEnd2Flag_; // @124
int f152; // @165
int f153; // @310
int j154; // @157
int j155; // @165
int f156; // @140
int f157; // @32
int v158; // @32
int f159; // @157
int j160; // @32
unsigned int f161; // @140
unsigned int f162; // @140
char f163; // @32
int f164; // @32
int v165; // @32
int f166; // @32
int j167; // @120
char f168; // @230
char f169; // @120
int f170; // @120
int j171; // @227
int v172; // @227
int f136_; // @17
int f174; // @17
int f175; // @17
int result_____; // @17
int result____; // @218
int v178; // @1
key_ = key;
f142 = a3;
i4_ = a4;
keylen_ = keylen;
v178 = unk_4E04C;
j5 = -579956637;
if ( !keylen )
j5 = 20066;
LOWORD(j6) = 9458;
if ( !keylen )
HIWORD(j5) = -22070;
v7 = 0;
v129 = j5;
if ( !(((unk_556A4 - 1) * unk_556A4 ^ 0xFFFFFFFE) & (unk_556A4 - 1) * unk_556A4) )
v7 = 1;
j143 = v7;
v8 = 0;
if ( unk_556D4 < 10 )
v8 = 1;
j144 = v8;
j132 = (int)&unk_4C000;
HIWORD(j6) = 30605;
j115 = &dword_4BFF4;
j114 = &dword_4BFF4;
j113 = &dword_4BFF4;
j112 = &dword_4BFF4;
j111 = &dword_4BFF4;
j110 = &dword_4BFF4;
j109 = &dword_4BFF4;
j108 = &dword_4BFF4;
v107 = (int)&unk_4C000;
j106 = &dword_4BFF4;
j117 = &dword_4BFF4;
j118 = &dword_4BFF4;
v119 = (int)&unk_474BF;
result___ = -19253;
j120 = &dword_4BFF4;
f138 = -19253;
j121 = &dword_4BFF4;
f137 = -19253;
v122 = &dword_4BFF4;
f136 = -19253;
j123 = &dword_4BFF4;
v133 = -19253;
j125 = &dword_4BFF4;
f134 = -19253;
j126 = &dword_4BFF4;
v135 = -19253;
j127 = &dword_4BFF4;
result__ = -19253;
j128 = &dword_4BFF4;
j130 = &dword_4BFF4;
j141 = &dword_4BFF4;
u9 = -768040915;
do
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( u9 <= -1901452613 )
{
if ( u9 == -2107012333 )
{
ClearMemory(f142, f146, 0);// 3
bookBase_ = bookBase;
u9 = 615070360;
}
}
if ( u9 <= 2144827489 )
break;
if ( u9 == 2144827490 )
u9 = 1412174859;
}
if ( u9 <= 2005738737 )
break;
if ( u9 == j6 )// rubbish
{
j10 = (*(_DWORD *)*(j141 - 120) - 1) * *(_DWORD *)*(j141 - 120);
j11 = *(_DWORD *)*(j141 - 119);
j16 = ((j10 ^ 0xFFFFFFFE) & j10) == 0;
j12 = 0;
if ( j16 )
j12 = 1;
j14 = __OFSUB__(j11, 10);
j13 = j11 - 10 < 0;
j15 = 0;
if ( j13 ^ j14 )
j15 = 1;
j16 = (j12 ^ j15 | j12 & j15) == 0;
u9 = 200515412;
if ( !j16 )
u9 = 1875019872;
}
}
if ( u9 > -1862303910 )
break;
if ( u9 == -1901452612 )
{
f136_ = f136;// 6 16 27 35
f174 = f137;
f175 = f138;
result_____ = result___;
u9 = -1343014647;
if ( f138 < keylen_ )
u9 = -211159207;
}
}
if ( u9 > -1725333822 )
break;
if ( u9 == -1862303909 )
{
f164 = f157 + 1;// 11 22 33
*(_BYTE *)f157 = f163;// out
v165 = v158 + 1;
f166 = *(_BYTE *)j160;
j16 = f166 == *(_BYTE *)j132;
u9 = 408476889;
v135 = j160;
if ( !j16 )
u9 = 5570;
f134 = f164;
if ( !j16 )
HIWORD(u9) = -8680;
v133 = v165;
}
}
if ( u9 > -1693408896 )
break;
if ( u9 == -1725333821 )
u9 = 1485624584;
}
if ( u9 <= 1926646756 )
break;
if ( u9 == 1926646757 )
u9 = 1265469521;
}
if ( u9 <= 1911860848 )
break;
if ( u9 == 1911860849 )
{
j20 = *(j130 - 120);
f146 = *(_DWORD *)i4_;// 1
j21 = *(_DWORD *)*(j130 - 119);
j16 = (((*(_DWORD *)j20 - 1) * *(_DWORD *)j20 ^ 0xFFFFFFFE) & (*(_DWORD *)j20 - 1) * *(_DWORD *)j20) == 0;
j22 = 0;
if ( j16 )
j22 = 1;
j14 = __OFSUB__(j21, 10);
j13 = j21 - 10 < 0;
j23 = 0;
if ( j13 ^ j14 )
j23 = 1;
j16 = (j22 ^ j23 | j22 & j23) == 0;
u9 = -1322783334;
if ( !j16 )
u9 = -787925199;
}
}
if ( u9 <= 1888903569 )
break;
if ( u9 == 1888903570 )
{
u9 = -2107012333;
if ( notEndFlag_ )
u9 = -1446359454;
}
}
if ( u9 <= 1875019871 )
break;
if ( u9 == 1875019872 )
u9 = 1826254214;
}
if ( u9 <= 1826254213 )
break;
if ( u9 == 1826254214 )
u9 = v129;
}
if ( u9 <= 1786078353 )
break;
if ( u9 == 1786078354 )// rubbish
{
j24 = *(_DWORD *)*(j128 - 119);
j25 = 0;
if ( (~((*(_DWORD *)*(j128 - 120)
- 1)
* *(_DWORD *)*(j128 - 120)) | 0xFFFFFFFE) == -1 )
j25 = 1;
j14 = __OFSUB__(j24, 10);
j13 = j24 - 10 < 0;
j26 = 0;
if ( j13 ^ j14 )
j26 = 1;
j16 = (j25 ^ j26 | j25 & j26) == 0;
u9 = -1725333821;
if ( !j16 )
u9 = 1485624584;
}
}
if ( u9 <= 1759492015 )
break;
if ( u9 == 1759492016 )// rubbish
{
j27 = *(_DWORD *)*(j127 - 119);
j28 = 0;
if ( (~((*(_DWORD *)*(j127 - 120) - 1)
* *(_DWORD *)*(j127 - 120)) | 0xFFFFFFFE) != -1 )
j28 = 1;
j14 = __OFSUB__(j27, 9);
j16 = j27 == 9;
j13 = j27 - 9 < 0;
j29 = 0;
if ( !((unsigned __int8)(j13 ^ j14) | j16) )
j29 = 1;
j16 = (j28 ^ j29 | (j28 | j29) ^ 1) == 0;
u9 = -1224362487;
if ( !j16 )
u9 = 552383739;
}
}
if ( u9 <= 1668326195 )
break;
if ( u9 == 1668326196 )
u9 = 1386747132;
}
if ( u9 <= 1662374462 )
break;
if ( u9 == 1662374463 )
u9 = -709053658;
}
if ( u9 <= 1628979202 )
break;
if ( u9 == 1628979203 )
u9 = 1003626917;
}
if ( u9 <= 1559277927 )
break;
if ( u9 == 1559277928 )
{
*(_BYTE *)f164 = f169;// 14 25 out
v135 = j167;
v133 = v165 + 1;
f134 = f170;
u9 = 408476889;
}
}
if ( u9 <= 1485624583 )
break;
if ( u9 == 1485624584 )
{
notKeyEnd2Flag = 0;
if ( nowKeyChar != 10 )// 8 18 29
notKeyEnd2Flag = 1;
j31 = *j126;
notKeyEnd2Flag_ = notKeyEnd2Flag;
j32 = (*(_DWORD *)j31 - 1) * *(_DWORD *)j31;
j33 = *(_DWORD *)*j126;
j16 = ((j32 ^ 0xFFFFFFFE) & j32) == 0;
j34 = 0;
if ( j16 )
j34 = 1;
j14 = __OFSUB__(j33, 10);
j13 = j33 - 10 < 0;
j35 = 0;
if ( j13 ^ j14 )
j35 = 1;
j16 = (j34 ^ j35 | j34 & j35) == 0;
u9 = -1725333821;
if ( !j16 )
u9 = 2144827490;
}
}
if ( u9 <= 1412174858 )
break;
if ( u9 == 1412174859 )// rubbish
{
j36 = (*(_DWORD *)*j125 - 1) * *(_DWORD *)*j125;
j37 = *(_DWORD *)*j125;
j16 = ((j36 ^ 0xFFFFFFFE) & j36) == 0;
j38 = 0;
if ( j16 )
j38 = 1;
j14 = __OFSUB__(j37, 10);
j13 = j37 - 10 < 0;
j39 = 0;
if ( j13 ^ j14 )
j39 = 1;
j16 = (j38 & j39 | j38 ^ j39) == 0;
u9 = -329744832;
if ( !j16 )
u9 = -130772934;
}
}
if ( u9 <= 1386747131 )
break;
if ( u9 == 1386747132 )
{
f40 = ((f161 >> 4) ^ 0xFFFFFFC) & (f161 >> 4);// 10 21 32
f162 = f156 + (f161 << 12) + f40;
f163 = (unsigned __int16)((_WORD)f156
+ ((_WORD)f161 << 12)
+ (_WORD)f40) >> 8;
u9 = -1862303909;
}
}
if ( u9 <= 1360782912 )
break;
if ( u9 == 1360782913 )
{
u9 = -206615233;
if ( NotKeyEndFlag_ )
u9 = 1786078354;
}
}
if ( u9 <= 1324097311 )
break;
if ( u9 == 1324097312 )
{
result_ = result_____;// 36
goto LABEL_147;
}
}
if ( u9 <= 1291296763 )
break;
if ( u9 == 1291296764 )// rubbish
{
j42 = *(_DWORD *)*j123;
j43 = 0;
if ( (~((*(_DWORD *)*j123 - 1) * *(_DWORD *)*j123) | 0xFFFFFFFE) == -1 )
j43 = 1;
j14 = __OFSUB__(j42, 10);
j13 = j42 - 10 < 0;
j44 = 0;
if ( j13 ^ j14 )
j44 = 1;
j16 = (j43 & j44 | j43 ^ j44) == 0;
u9 = 517347731;
if ( !j16 )
u9 = 1324097312;
}
}
if ( u9 <= 1265469520 )
break;
if ( u9 == 1265469521 )// rubbish
{
j160 = j154 + 1;
j45 = *v122;
f161 = *((_BYTE *)bookBase + f159);
j46 = *(_DWORD *)*v122;
j47 = 0;
if ( (~((*(_DWORD *)j45 - 1) * *(_DWORD *)j45) | 0xFFFFFFFE) == -1 )
j47 = 1;
j14 = __OFSUB__(j46, 10);
j13 = j46 - 10 < 0;
j48 = 0;
if ( j13 ^ j14 )
j48 = 1;
j16 = (j47 ^ j48 | j47 & j48) == 0;
u9 = 1926646757;
if ( !j16 )
u9 = 1668326196;
}
}
if ( u9 <= 1003626916 )
break;
if ( u9 == 1003626917 )// rubbish
{
j154 = f152 + 1;
j49 = *j121;
j155 = *((_BYTE *)bookBase + *(_BYTE *)f152);
j50 = ~-*(_DWORD *)j49 * *(_DWORD *)j49;
j51 = *(_DWORD *)*j121;
j52 = (j50 ^ 0xFFFFFFFE) & j50;
if ( j52 )
j52 = 1;
j14 = __OFSUB__(j51, 9);
j16 = j51 == 9;
j13 = j51 - 9 < 0;
j53 = 0;
if ( !((unsigned __int8)(j13 ^ j14) | j16) )
j53 = 1;
j16 = (j52 ^ j53 | (j52 | j53) ^ 1) == 0;
u9 = 1628979203;
if ( !j16 )
u9 = 27249737;
}
}
if ( u9 <= 881679339 )
break;
if ( u9 == 881679340 )// rubbish
{
j54 = (*(_DWORD *)*j120 - 1) * *(_DWORD *)*j120;
j55 = *(_DWORD *)*j120;
j16 = ((j54 ^ 0xFFFFFFFE) & j54) == 0;
j56 = 0;
if ( j16 )
j56 = 1;
j14 = __OFSUB__(j55, 10);
j13 = j55 - 10 < 0;
j57 = 0;
if ( j13 ^ j14 )
j57 = 1;
j16 = (j56 & j57 | j56 ^ j57) == 0;
u9 = 517347731;
if ( !j16 )
u9 = 1291296764;
}
}
if ( u9 <= 782683747 )
break;
if ( u9 == 782683748 )
u9 = 416826029;
}
if ( u9 <= 615070359 )
break;
if ( u9 == 615070360 )
{
((void (__fastcall *)(int *, int, signed int))sub_14B4A)(
bookBase_,
v119,
256);// 4
u9 = -1693408895;
}
}
if ( u9 <= 552383738 )
break;
if ( u9 == 552383739 )
{
NotKeyEndFlag = 0;// 7 17 28
if ( nowKeyChar != 13 )
NotKeyEndFlag = 1;
j59 = *j118;
NotKeyEndFlag_ = NotKeyEndFlag;
j60 = (*(_DWORD *)j59 - 1) * *(_DWORD *)j59;
j61 = *(_DWORD *)*j118;
j16 = ((j60 ^ 0xFFFFFFFE) & j60) == 0;
j62 = 0;
if ( j16 )
j62 = 1;
j14 = __OFSUB__(j61, 10);
j13 = j61 - 10 < 0;
j63 = 0;
if ( j13 ^ j14 )
j63 = 1;
j16 = (j62 ^ j63 | j62 & j63) == 0;
u9 = -1224362487;
if ( !j16 )
u9 = -327612536;
}
}
if ( u9 <= 517347730 )
break;
if ( u9 == 517347731 )
u9 = 1291296764;
}
if ( u9 <= 492339595 )
break;
if ( u9 == 492339596 )
{
u9 = -206615233;
if ( notKeyEnd2Flag_ )
u9 = -341342023;
}
}
if ( u9 <= 416826028 )
break;
if ( u9 == 416826029 )// rubbish
{
j64 = (*(_DWORD *)*j117 - 1) * *(_DWORD *)*j117;
j65 = *(_DWORD *)*j117;
j16 = ((j64 ^ 0xFFFFFFFE) & j64) == 0;
notEndFlag = 0;
if ( j16 )
notEndFlag = 1;
j14 = __OFSUB__(j65, 10);
j13 = j65 - 10 < 0;
j67 = 0;
if ( j13 ^ j14 )
j67 = 1;
j16 = (notEndFlag & j67 | notEndFlag ^ j67) == 0;
u9 = 782683748;
if ( !j16 )
u9 = -594247879;
}
}
if ( u9 <= 408476888 )
break;
if ( u9 == 408476889 )
{
result___ = v133;
f138 = f175 + 4;
u9 = -1901452612;
f137 = f134;
f136 = v135;// 15 26 34
}
}
if ( u9 <= 373449796 )
break;
if ( u9 == 373449797 )
{
f68 = 0;
if ( f146 < keylen_ )
f68 = 1;// 2
notEndFlag_ = f68;
u9 = 1888903570;
}
}
if ( u9 <= 268320251 )
break;
if ( u9 == 268320252 )
u9 = -968901991;
}
if ( u9 > -1687541981 )
break;
if ( u9 == -1693408895 )
{
j17 = *(_DWORD *)*(j115 - 119);
j18 = 0;
if ( (~((*(_DWORD *)*(j115 - 120) - 1) * *(_DWORD *)*(j115 - 120)) | 0xFFFFFFFE) == -1 )
j18 = 1;
j14 = __OFSUB__(j17, 10);
j13 = j17 - 10 < 0;
j19 = 0;
if ( j13 ^ j14 )// rubbish
j19 = 1;
j16 = (j18 & j19 | j18 ^ j19) == 0;
u9 = 1662374463;
if ( !j16 )
u9 = -709053658;
}
}
if ( u9 > -1642076405 )
break;
if ( u9 == -1687541980 )
{
result____ = result__;
j69 = (*(_DWORD *)*j114 - 1) * *(_DWORD *)*j114;
j70 = *(_DWORD *)*j114;
j16 = ((j69 ^ 0xFFFFFFFE) & j69) == 0;
j71 = 0;
if ( j16 )
j71 = 1;
j14 = __OFSUB__(j70, 10);
j13 = j70 - 10 < 0;
j72 = 0;
if ( j13 ^ j14 )
j72 = 1;
j16 = (j71 & j72 | j71 ^ j72) == 0;
u9 = 782683748;
if ( !j16 )
u9 = 416826029;
}
}
if ( u9 > -1447795291 )
break;
if ( u9 == -1642076404 )// dead code
{
f136 = j171;
f138 = v172;
result___ = result_____;
f137 = f174;
u9 = -1901452612;
}
}
if ( u9 > -1446359455 )
break;
if ( u9 == -1447795290 )
{
f169 = 4 * f168 + f162;// 13 24
f170 = f164 + 1;
u9 = 1559277928;
}
}
if ( u9 > -1343014648 )
break;
if ( u9 == -1446359454 )
{
result_ = 0; // dead code
LABEL_147:
result__ = result_;// 37
u9 = -1687541980;
}
}
if ( u9 > -1322783335 )
break;
if ( u9 == -1343014647 )
u9 = 881679340;
}
if ( u9 > -1224362488 )
break;
if ( u9 == -1322783334 )
u9 = 1911860849;
}
if ( u9 > -968901992 )
break;
if ( u9 == -1224362487 )
u9 = 552383739;
}
if ( u9 > -917428403 )
break;
if ( u9 == -968901991 ) // rubbish
{
j73 = *j113;
bookBase = (int *)(&j106 - 64);
j74 = (*(_DWORD *)j73 - 1) * *(_DWORD *)j73;
j75 = *(_DWORD *)*j113;
j16 = ((j74 ^ 0xFFFFFFFE) & j74) == 0;
j76 = 0;
if ( j16 )
j76 = 1;
j14 = __OFSUB__(j75, 10);
j13 = j75 - 10 < 0;
j77 = 0;
if ( j13 ^ j14 )
j77 = 1;
j16 = (j76 ^ j77 | j76 & j77) == 0;
u9 = 268320252;
if ( !j16 )
u9 = -821278251;
}
}
if ( u9 > -858444357 )
break;
if ( u9 == -917428402 ) // rubbish
{
j78 = (*(_DWORD *)*j112 - 1) * *(_DWORD *)*j112;
j79 = *(_DWORD *)*j112;
j16 = ((j78 ^ 0xFFFFFFFE) & j78) == 0;
j80 = 0;
if ( j16 )
j80 = 1;
j14 = __OFSUB__(j79, 10);
j13 = j79 - 10 < 0;
j81 = 0;
if ( j13 ^ j14 )
j81 = 1;
j16 = (j80 & j81 | j80 ^ j81) == 0;
u9 = 200515412;
if ( !j16 )
u9 = 2005738738;
}
}
if ( u9 > -821278252 )
break;
if ( u9 == -858444356 )
{
v172 = f175 + 1; // dead code
u9 = -1642076404;
}
}
if ( u9 > -787925200 )
break;
if ( u9 == -821278251 )
u9 = -917428402;
}
if ( u9 > -768040916 )
break;
if ( u9 == -787925199 )
u9 = 373449797;
}
if ( u9 > -709053659 )
break;
if ( u9 == -768040915 )
{
u9 = 268320252;
if ( ((unsigned __int8)(j143 ^ j144) | (unsigned __int8)~(~j143 | (unsigned __int8)~j144)) & 1 )
u9 = -968901991;
}
}
if ( u9 > -594247880 )
break;
if ( u9 == -709053658 )
{
j82 = (*(_DWORD *)*j111 - 1) * *(_DWORD *)*j111;
j83 = *(_DWORD *)*j111;
j16 = ((j82 ^ 0xFFFFFFFE) & j82) == 0;
j84 = 0;
if ( j16 )
j84 = 1;
j14 = __OFSUB__(j83, 10);
j13 = j83 - 10 < 0;
j85 = 0;
if ( j13 ^ j14 )
j85 = 1;
j16 = (j84 ^ j85 | j84 & j85) == 0;
u9 = 1662374463;
if ( !j16 )
u9 = -121304508;
}
}
if ( u9 <= -579956638 )
break;
if ( u9 > -568846911 )
{
if ( u9 > -406745412 )
{
if ( u9 > -341342024 )
{
if ( u9 > -329744833 )
{
if ( u9 > -327612537 )
{
if ( u9 > -211159208 )
{
if ( u9 > -206615234 )
{
if ( u9 > -130772935 )
{
if ( u9 > -121304509 )
{
if ( u9 > 27249736 )
{
if ( u9 > 74139172 )
{
switch ( u9 )
{
case 74139173:
f156 = (((j155 << 22) ^ 0xFF000000) & (j155 << 22))// 9 20 31
+ f153
+ (((j155 << 6) ^ 0xFFFFF0C0) & (j155 << 6));
f157 = f174 + 1;
*(_BYTE *)f174 = (unsigned int)f156 >> 16;// out
v158 = result_____ + 1;
f159 = *(_BYTE *)j154;
v97 = f159 == *(_BYTE *)v107;
u9 = 408476889;
v135 = j154;
if ( !v97 )
u9 = 31171;
f134 = f157;
if ( !v97 )
HIWORD(u9) = 3061;
v133 = v158;
break;
case 200515412:
u9 = j6;
break;
case 200636867: // rubbish
j98 = *(_DWORD *)*j106;
j99 = 0;
if ( (~((*(_DWORD *)*j106 - 1) * *(_DWORD *)*j106) | 0xFFFFFFFE) == -1 )
j99 = 1;
j14 = __OFSUB__(j98, 10);
j13 = j98 - 10 < 0;
j100 = 0;
if ( j13 ^ j14 )
j100 = 1;
j16 = (j99 & j100 | j99 ^ j100) == 0;
u9 = 1926646757;
if ( !j16 )
u9 = 1265469521;
break;
}
}
else if ( u9 == 27249737 )
{
u9 = 74139173;
}
}
else if ( u9 == -121304508 )
{
f138 = 0;
result___ = 0;
u9 = -1901452612;
f137 = f142; // 5
f136 = (int)key_;
}
}
else if ( u9 == -130772934 ) // rubbish
{
j93 = (*(_DWORD *)*j108 - 1) * *(_DWORD *)*j108;
j94 = *(_DWORD *)*j108;
j16 = ((j93 ^ 0xFFFFFFFE) & j93) == 0;
j95 = 0;
if ( j16 )
j95 = 1;
j14 = __OFSUB__(j94, 10);
j13 = j94 - 10 < 0;
j96 = 0;
if ( j13 ^ j14 )
j96 = 1;
j16 = (j95 & j96 | j95 ^ j96) == 0;
u9 = -329744832;
if ( !j16 )
u9 = 492339596;
}
}
else if ( u9 == -206615233 )
{
j171 = f136_ + 1;
u9 = -858444356;
}
}
else if ( u9 == -211159207 )
{
nowKeyChar = *(_BYTE *)f136_;
u9 = 1759492016;
}
}
else if ( u9 == -327612536 )
{
u9 = 1360782913;
}
}
else if ( u9 == -329744832 )
{
u9 = -130772934;
}
}
else if ( u9 == -341342023 )
{
f152 = f136_ + 1;
f153 = *((_BYTE *)bookBase + nowKeyChar) << 16;// 8 19 30 f153=bookBase<<16
u9 = -406745411;
}
}
else if ( u9 == -406745411 ) // rubbish
{
j89 = ~-*(_DWORD *)*j109 * *(_DWORD *)*j109;
j90 = *(_DWORD *)*j109;
j16 = ((j89 ^ 0xFFFFFFFE) & j89) == 0;
j91 = 0;
if ( j16 )
j91 = 1;
j14 = __OFSUB__(j90, 10);
j13 = j90 - 10 < 0;
j92 = 0;
if ( j13 ^ j14 )
j92 = 1;
j16 = (j91 ^ j92 | j91 & j92) == 0;
u9 = 1628979203;
if ( !j16 )
u9 = 1003626917;
}
}
else if ( u9 == -568846910 )
{
j167 = j160 + 1; // 12 23
f168 = *((_BYTE *)bookBase + f166);
u9 = -1447795290;
}
}
else if ( u9 == -579956637 ) // rubbish
{
j86 = *(_DWORD *)*j110;
j87 = 0;
if ( (~(~-*(_DWORD *)*j110 * *(_DWORD *)*j110) | 0xFFFFFFFE) == -1 )
j87 = 1;
j14 = __OFSUB__(j86, 10);
j13 = j86 - 10 < 0;
j88 = 0;
if ( j13 ^ j14 )
j88 = 1;
j16 = (j87 & j88 | j87 ^ j88) == 0;
u9 = -1322783334;
if ( !j16 )
u9 = 1911860849;
}
}
}
while ( u9 != -594247879 );
result = result____;
if ( v0 != v178 )
{
v102 = sub_19420();
result = keyGenGostencodeA_DFA4(v102, v103, v104, v105, a5);
}
return result;
}
同学,今天,你逆了吗?
枫叶飘零 发表于 2016-4-5 19:31
前排膜拜大牛。对了,cm7为啥子无后缀
cm7 是 .so 或 .elf 格式(即 ELF 格式)的文件,实际内容为带地址的二进制代码,也带其他信息,还可以带一些符号信息。系统按文件内容而不是后缀来识别这种格式,所以没有后缀的 cm7 也可以直接在手机上运行。 本帖最后由 枫叶飘零 于 2016-4-5 19:33 编辑
前排膜拜大牛。对了,cm7为啥子无后缀 膜拜大牛虽然没看懂 看不懂分析的,可能是我太笨。 同学,今天,你逆了吗? 基本没看懂 都是套路 我就来打个酱油 看不懂分析的,可能是我太笨。