考完试了看见论坛一师傅(@cyhcuichao )去年发过一个面试题,第一关有人解出来了,第二关好像还没人发解题思路,写一下解题思路。
原题目链接:https://www.52pojie.cn/thread-834380-1-1.html
mfc写的程序,可以通过mfcspy找到两个注册功能的主要函数。
第一关
位于.text:00401620
第一关比较简单
void __thiscall sub_401620(CWnd *this)
{
// Stage-1 check handler, shown as Hex-Rays pseudocode (the trailing // reg / [esp+..] notes are the decompiler's).
// Visible flow: pull the dialog fields, parse both with string_to_hex, run sub_411980 on the
// password with the constants "5" and "1937", compare the result with the username and
// report through SendMessageA(hwnd, 0x591, 1, 0 or 1).
CWnd *v1; // esi
int v2; // edi
char *v3; // eax
char *v4; // eax
int password; // [esp+14h] [ebp-78h]
int username; // [esp+18h] [ebp-74h]
int v7; // [esp+1Ch] [ebp-70h]
int v8; // [esp+20h] [ebp-6Ch]
int *v9; // [esp+24h] [ebp-68h]
char v10; // [esp+28h] [ebp-64h]
char *v11; // [esp+2Ch] [ebp-60h]
int v12; // [esp+3Ch] [ebp-50h]
unsigned int v13; // [esp+40h] [ebp-4Ch]
void *v14; // [esp+48h] [ebp-44h]
int v15; // [esp+58h] [ebp-34h]
unsigned int v16; // [esp+5Ch] [ebp-30h]
char v17; // [esp+60h] [ebp-2Ch]
char *v18; // [esp+64h] [ebp-28h]
int v19; // [esp+74h] [ebp-18h]
unsigned int v20; // [esp+78h] [ebp-14h]
int v21; // [esp+88h] [ebp-4h]
v1 = this;
// Three (first byte = 0, length = 0, capacity = 15) triples: presumably three empty
// small-buffer string objects (v18/v19/v20, v14/v15/v16, v11/v12/v13) — layout inferred, TODO confirm.
v20 = 15;
v19 = 0;
LOBYTE(v18) = 0;
v21 = 0;
v16 = 15;
v15 = 0;
LOBYTE(v14) = 0;
v13 = 15;
v12 = 0;
LOBYTE(v11) = 0;
LOBYTE(v21) = 2;
CWnd::UpdateData(this, 1);
v8 = 0;
v7 = 0;
v9 = 0;
// The two constants of the check are embedded in the binary as text.
string_to_hex("1937", (int)&v8);
string_to_hex("5", (int)&v7);
password = 0;
username = 0;
sub_402D10(&v17);
v2 = *((_DWORD *)v1 + 31);
// Both fields are read 12 bytes before their data pointers and must be non-zero;
// presumably this is the string-length header, i.e. both inputs must be non-empty — confirm.
if ( *(_DWORD *)(v2 - 12) && *(_DWORD *)(*((_DWORD *)v1 + 30) - 12) )
{
copy_value((int)&v17, *((_DWORD *)v1 + 31) + 1, *((void **)v1 + 31), strlen(*((const char **)v1 + 31)));// password
copy_value((int)&v10, *((_DWORD *)v1 + 30) + 1, *((void **)v1 + 30), strlen(*((const char **)v1 + 30)));// username
// Capacity below 16 means the characters live inline in the object, otherwise v18 is a pointer.
v3 = v18;
if ( v20 < 0x10 )
v3 = (char *)&v18;
string_to_hex(v3, (int)&password);
v4 = v11;
if ( v13 < 0x10 )
v4 = (char *)&v11;
string_to_hex(v4, (int)&username);
// sub_411980(password, value parsed from "5", value parsed from "1937", &result).
sub_411980(password, (_DWORD *)v7, v8, (int *)&v9);
// Same message in both branches; only the last argument (0 or 1) differs.
if ( cmp((int *)username, v9) )
SendMessageA(*((HWND *)v1 + 8), 0x591u, 1u, 0);
else
SendMessageA(*((HWND *)v1 + 8), 0x591u, 1u, 1);
}
// Cleanup: a buffer is freed only when its capacity field says it was not stored inline.
if ( v13 >= 0x10 )
operator delete(v11);
LOBYTE(v11) = 0;
v12 = 0;
v13 = 15;
if ( v16 >= 0x10 )
operator delete(v14);
LOBYTE(v14) = 0;
v15 = 0;
v16 = 15;
if ( v20 >= 0x10 )
operator delete(v18);
}
通过调试确定一些函数的功能。
获取账号和密码,对密码进行加密,然后把结果和账号比较。
一开始赋值了1937 和 5这两个数值,经过sub_411980函数加密。
sub_411980(password, (_DWORD *)v7, v8, (int *)&v9);
题目界面说用户名为0-1937,再结合这个函数的传参(密码、5、1937),可以很快反应过来这应该是RSA加密,
即 $\text{username} = \text{password}^{5} \bmod 1937$
第二关
这一关比较恶心,弄了挺久的。
void __thiscall sub_401840(CWnd *this)
{
// Stage-2 check handler, shown as Hex-Rays pseudocode.
// Visible flow: read username and password, hand the password together with the
// embedded key text "6610394" to sub_4179D0 (mode argument 0), then compare the
// produced string with the username via sub_402100 and report through
// SendMessageA(hwnd, 0x591, 2, 0 or 1).
CWnd *v1; // esi
int v2; // edi
int v3; // edx
void *v4; // eax
char v5; // [esp-28h] [ebp-ACh]
char password_value; // [esp-24h] [ebp-A8h]
int v7; // [esp-20h] [ebp-A4h]
int password; // [esp-1Ch] [ebp-A0h]
int v9; // [esp-18h] [ebp-9Ch]
int v10; // [esp-14h] [ebp-98h]
int v11; // [esp-10h] [ebp-94h]
int *v12; // [esp-Ch] [ebp-90h]
int *key; // [esp-8h] [ebp-8Ch]
int v14; // [esp-4h] [ebp-88h]
char *v15; // [esp+14h] [ebp-70h]
char v16; // [esp+18h] [ebp-6Ch]
void *v17; // [esp+1Ch] [ebp-68h]
unsigned int v18; // [esp+2Ch] [ebp-58h]
unsigned int v19; // [esp+30h] [ebp-54h]
int v20; // [esp+34h] [ebp-50h]
void *v21; // [esp+38h] [ebp-4Ch]
unsigned int v22; // [esp+48h] [ebp-3Ch]
unsigned int v23; // [esp+4Ch] [ebp-38h]
char v24; // [esp+50h] [ebp-34h]
void *v25; // [esp+54h] [ebp-30h]
int v26; // [esp+64h] [ebp-20h]
unsigned int v27; // [esp+68h] [ebp-1Ch]
int v28; // [esp+6Ch] [ebp-18h]
char v29; // [esp+70h] [ebp-14h]
char v30; // [esp+71h] [ebp-13h]
char v31; // [esp+72h] [ebp-12h]
char v32; // [esp+73h] [ebp-11h]
int v33; // [esp+80h] [ebp-4h]
v1 = this;
// Three (first byte = 0, length = 0, capacity = 15) triples: presumably empty
// small-buffer string objects — layout inferred, TODO confirm.
v27 = 15;
v26 = 0;
LOBYTE(v25) = 0;
v33 = 0;
v23 = 15;
v22 = 0;
LOBYTE(v21) = 0;
v19 = 15;
v18 = 0;
LOBYTE(v17) = 0;
LOBYTE(v33) = 2;
// v28..v32 are adjacent stack bytes; together they spell the NUL-terminated text "6610394".
// The key material is therefore a constant stored in the binary.
v28 = '0166'; // 6610394
v29 = '3';
v30 = '9';
v31 = '4';
v32 = 0;
CWnd::UpdateData(this, 1);
sub_402D10(&v16);
v2 = *((_DWORD *)v1 + 32);
// Both fields are read 12 bytes before their data pointers and must be non-zero;
// presumably the string-length header, i.e. both inputs must be non-empty — confirm.
if ( *(_DWORD *)(v2 - 12) && *(_DWORD *)(*((_DWORD *)v1 + 33) - 12) )
{
copy_value((int)&v16, *((_DWORD *)v1 + 32) + 1, *((void **)v1 + 32), strlen(*((const char **)v1 + 32)));// username
sub_402D10(&v24);
// NOTE(review): v3 is never assigned in this listing; the decompiler is showing whatever was left in edx.
copy_value((int)&v24, v3, *((void **)v1 + 33), strlen(*((const char **)v1 + 33)));// password
sub_402D10(&v20);
// v5..v14 sit below esp: they are the outgoing argument slots of the sub_4179D0 call.
// v14 = 0 is the mode argument, key points at the "6610394" bytes, v12 at the output object v20.
v14 = 0;
key = &v28;
v12 = &v20;
v15 = &v5;
v11 = 15;
v10 = 0;
password_value = 0;
// Presumably copies the password string (v24) into the by-value argument area at v5 — confirm.
sub_4028D0((int)&v5, &v24, 0, (char *)0xFFFFFFFF);
sub_4179D0(v5, *(void **)&password_value, v7, password, v9, v10, v11, (int)v12, (int)key, v14);
// Username characters: inline when capacity < 16, otherwise behind the pointer v17.
v4 = v17;
if ( v19 < 0x10 )
v4 = &v17;
// Compares the sub_4179D0 output (v20, length v22) with the username bytes (v4, length v18).
// Same message in both branches; only the last argument (0 or 1) differs.
if ( sub_402100(&v20, 0, v22, (int)v4, v18) )
SendMessageA(*((HWND *)v1 + 8), 0x591u, 2u, 0);
else
SendMessageA(*((HWND *)v1 + 8), 0x591u, 2u, 1);
}
// Cleanup: a buffer is freed only when its capacity field says it was not stored inline.
if ( v19 >= 0x10 )
operator delete(v17);
LOBYTE(v17) = 0;
v18 = 0;
v19 = 15;
if ( v23 >= 0x10 )
operator delete(v21);
LOBYTE(v21) = 0;
v22 = 0;
v23 = 15;
if ( v27 >= 0x10 )
operator delete(v25);
}
先获取账号密码
赋值"6610394" 估摸着可能是密钥
经过变种DES加密,然后和用户名对比。
sub_4179D0 为主要加密函数
void __cdecl sub_4179D0(char a1, void *password_value, int a3, int a4, int a5, int a6, int a7, int a8, int a9, int a10)
{
// Block-cipher driver, shown as Hex-Rays pseudocode.
// a1..a7 appear to be one string object passed by value (password_value = data,
// a6 = length, a7 = capacity; inferred from the "a7 < 16" inline-buffer checks — TODO confirm).
// a8 = output string object, a9 = key text, a10 = mode flag.
// Mode 1: each 8-byte block goes through sub_4034A0 with the table at v19 and is emitted as hex.
// Any other mode: the input is first converted from hex text to bytes (only when a10 == 0),
// each block goes through sub_4034A0 with the table at v21 and is emitted as raw characters.
int v10; // ebx
int v11; // ebp
size_t v12; // edi
void *v13; // esi
void *v14; // eax
unsigned int v15; // edi
unsigned int v16; // esi
_DWORD *v17; // eax
int v18; // [esp+14h] [ebp-158h]
int v19; // [esp+18h] [ebp-154h]
char v20; // [esp+1Ch] [ebp-150h]
char v21; // [esp+98h] [ebp-D4h]
unsigned __int8 v22; // [esp+118h] [ebp-54h]
int v23; // [esp+119h] [ebp-53h]
__int16 v24; // [esp+11Dh] [ebp-4Fh]
unsigned __int8 v25; // [esp+11Fh] [ebp-4Dh]
char input[5]; // [esp+120h] [ebp-4Ch]
__int16 v27; // [esp+125h] [ebp-47h]
char v28; // [esp+127h] [ebp-45h]
char Src; // [esp+128h] [ebp-44h]
int v30; // [esp+168h] [ebp-4h]
v10 = a9;
v18 = a8;
// input/v27/v28 and v22..v25 are two contiguous 8-byte scratch blocks (see the stack offsets).
*(_DWORD *)&input[1] = 0;
v27 = 0;
v28 = 0;
v22 = 0;
v23 = 0;
v24 = 0;
v25 = 0;
v30 = 0;
input[0] = 0;
// v19+v20 (4 + 124 bytes) and v21 (128 bytes) are two adjacent 128-byte tables.
v19 = 0;
memset(&v20, 0, 124u);
memset(&v21, 0, 128u);
sub_402D10((_DWORD *)a8);
if ( !a10 )
{
v11 = a6;
// An odd-length input skips all processing and goes straight to cleanup.
if ( a6 & 1 )
goto LABEL_15;
v12 = a6 + 1;
v13 = operator new[](a6 + 1);
memset(v13, 0, v12);
v14 = password_value;
if ( (unsigned int)a7 < 16 )
v14 = &password_value;
// Hex text -> bytes into the temporary buffer.
string_set_int((int)v14, (int)v13, v11);
// NOTE(review): the decoded length is taken with strlen, so a decoded 0x00 byte
// would cut the data short at that point.
copy_value((int)&a1, (int)v13 + 1, v13, strlen((const char *)v13));
operator delete(v13);
}
// Turns the key text (a9) into the 8-byte block v22..v25.
sub_417870(v10, (int)&v22);
sub_403450((int)&v19, (int)&v22); // process the key
// Number of 8-byte blocks, rounded up; a partial last block triggers sub_417D60
// (presumably padding with the fill value 0 — its body is not shown here).
v15 = (unsigned int)a6 >> 3;
if ( a6 & 7 )
{
++v15;
sub_417D60((int)&a1, 7 - (a6 & 7), 0);
}
v16 = 0;
if ( v15 )
{
do
{
*(_DWORD *)input = 0;
*(_DWORD *)&input[4] = 0;
v17 = password_value;
if ( (unsigned int)a7 < 0x10 )
v17 = &password_value;
// Copy block number v16 (two dwords) out of the input data.
*(_DWORD *)input = v17[2 * v16];
*(_DWORD *)&input[4] = v17[2 * v16 + 1];
if ( a10 == 1 )
{
// First table, result rendered as 16 upper-case hex digits.
sub_4034A0(&v19, (unsigned __int8 *)input, &v22);
sprintf(
&Src,
"%02X%02X%02X%02X%02X%02X%02X%02X",
v22,
(unsigned __int8)v23,
BYTE1(v23),
BYTE2(v23),
HIBYTE(v23),
(unsigned __int8)v24,
HIBYTE(v24),
v25);
}
else // this is the branch taken for the stage-2 check (caller passes mode 0)
{
// Second table, result rendered as eight characters.
sub_4034A0(&v21, (unsigned __int8 *)input, &v22);
sprintf(
&Src,
"%C%C%C%C%C%C%C%C",
v22,
(unsigned __int8)v23,
BYTE1(v23),
BYTE2(v23),
HIBYTE(v23),
(unsigned __int8)v24,
HIBYTE(v24),
v25);
}
// Appends the formatted block to the output; length again comes from strlen,
// so a zero result byte in the character branch would shorten the appended text.
sub_417F10(v18, &Src, strlen(&Src));
++v16;
}
while ( v16 < v15 );
}
LABEL_15:
// Release the by-value string's heap buffer if it was not stored inline.
if ( (unsigned int)a7 >= 0x10 )
operator delete(password_value);
}
里边有个函数,被我改名为string_set_int。
主要功能是把十六进制字符串转换成对应的字节:比如"9ABC"在内存中原本储存为"39 41 42 43",经过该函数后内存变为"9A BC"的存储形式。
int __cdecl string_set_int(int a1, int a2, unsigned int a3)
{
// Hex text -> bytes (Hex-Rays pseudocode; the name was chosen by the write-up author).
// a1: address of the hex characters, a2: address of the destination buffer,
// a3: number of input characters. Returns the number of bytes written (v10).
// Only '0'-'9' and upper-case 'A'-'F' are recognised; any other character,
// including lower-case hex digits, contributes a 0 nibble instead of being rejected.
// NOTE(review): per the guard below nothing is converted when a3 <= 2, and the
// destination is written without any bound — the caller has to size it.
char *v3; // esi
unsigned int v4; // edi
char v5; // cl
char v6; // cl
char v7; // dl
char v8; // dl
int v10; // [esp+Ch] [ebp-4h]
v10 = 0;
if ( a3 > 2 && a3 != 1 )
{
// v3 points at the second character of the current pair; v4 is the pair count.
v3 = (char *)(a1 + 1);
v4 = ((a3 - 2) >> 1) + 1;
do
{
// High nibble from the first character of the pair.
v5 = *(v3 - 1);
if ( (unsigned __int8)(*(v3 - 1) - 48) > 9u )
{
if ( (unsigned __int8)(v5 - 65) > 5u )
v6 = 0;
else
v6 = v5 - 55;
}
else
{
v6 = v5 - 48;
}
// Low nibble from the second character of the pair.
v7 = *v3;
if ( (unsigned __int8)(*v3 - 48) > 9u )
{
if ( (unsigned __int8)(v7 - 65) > 5u )
v8 = 0;
else
v8 = v7 - 55;
}
else
{
v8 = v7 - 48;
}
// byte = high * 16 + low
*(_BYTE *)(a2 + v10++) = v8 + 16 * v6;
v3 += 2;
--v4;
}
while ( v4 );
}
return v10;
}
sub_417870 和 sub_403450 函数应该就是处理密钥用的。当输入的密钥为空时,默认存为"abcdef"。
int __cdecl sub_417870(int a1, int a2)
{
// Key preparation, shown as Hex-Rays pseudocode.
// a1: address of the NUL-terminated key text (overwritten with "abcdef" when empty),
// a2: address of the 8-byte output block.
// The output starts as the 8 constant bytes at dword_45E188/dword_45E18C, gets up to
// eight key characters XORed in, and is then passed three times through sub_4034A0
// with tables built from constants in the binary.
// NOTE(review): the first/second/first table pattern looks like an
// encrypt-decrypt-encrypt construction, but sub_403450 is not shown — confirm.
unsigned int v2; // edx
_BYTE *v3; // eax
char v4; // cl
int result; // eax
int v6; // [esp+Ch] [ebp-10Ch]
char v7; // [esp+10h] [ebp-108h]
char v8; // [esp+8Ch] [ebp-8Ch]
char v9[5]; // [esp+10Ch] [ebp-Ch]
__int16 v10; // [esp+111h] [ebp-7h]
char v11; // [esp+113h] [ebp-5h]
// v9/v10/v11 form one contiguous 8-byte scratch block.
*(_DWORD *)&v9[1] = 0;
v10 = 0;
v11 = 0;
// v6+v7 (4 + 124 bytes) and v8 (128 bytes) are two adjacent 128-byte tables.
v6 = 0;
v9[0] = 0;
memset(&v7, 0, 124u);
memset(&v8, 0, 128u);
*(_DWORD *)a2 = dword_45E188;
*(_DWORD *)(a2 + 4) = dword_45E18C;
if ( !strlen((const char *)a1) ) // an empty key defaults to "abcdef"; the key supplied by the caller here is 6610394
{
*(_DWORD *)a1 = 'dcba';
*(_WORD *)(a1 + 4) = 'fe';
*(_BYTE *)(a1 + 6) = 0;
}
v2 = 0;
v3 = (_BYTE *)a2;
do
{
// v3[a1 - a2] addresses the key character at the same offset as v3 has inside a2.
v4 = v3[a1 - a2];
if ( !v4 )
break;
*v3 ^= v4 % 128;
++v2;
++v3;
}
while ( v2 < 8 ); // XOR the key characters into the block (at most 8, stops at NUL)
sub_403450((int)&v6, (int)&dword_45E188);
sub_4034A0(&v6, (unsigned __int8 *)a2, v9);
sub_403450((int)&v6, (int)&byte_45E180);
// This pass uses the second 128-byte table (v8) instead of the first.
sub_4034A0(&v8, (unsigned __int8 *)v9, (_BYTE *)a2);
sub_403450((int)&v6, (int)&dword_45E188);
sub_4034A0(&v6, (unsigned __int8 *)a2, v9);
// Copy the final 8 bytes back into the caller's block.
result = *(_DWORD *)&v9[4];
*(_DWORD *)a2 = *(_DWORD *)v9;
*(_DWORD *)(a2 + 4) = result;
return result;
}
此时已经可以得知,密钥是固定的,经过密钥处理函数才会进入真正的加密函数。
下边的sub_4034A0函数为主要加密函数
unsigned int __cdecl sub_4034A0(_DWORD *a1, unsigned __int8 *a2, _BYTE *a3)
{
// 8-byte block transform, shown as Hex-Rays pseudocode.
// a1: 32 subkey words (a1[0]..a1[31] are read), a2: 8 input bytes, a3: 8 output bytes.
// Structure visible below: load two big-endian 32-bit halves, apply a series of
// masked bit swaps, run 16 unrolled rounds (each uses two subkey words and eight
// tables indexed with 6-bit values), undo the bit swaps and store big-endian.
// NOTE(review): this shape matches the usual table-driven DES block function — confirm
// the table contents against a reference before relying on that.
// The return value (v49 >> 8) is just a by-product of the final stores.
int password_right; // edx
unsigned int v4; // ecx
int v5; // edx
unsigned int v6; // eax
int v7; // ecx
unsigned int v8; // edx
int v9; // eax
int v10; // ecx
int v11; // eax
unsigned int v12; // edx
int v13; // ecx
int v14; // eax
int v15; // ecx
unsigned int v16; // edx
int v17; // ecx
int v18; // edx
int v19; // ecx
int v20; // edx
int v21; // ecx
int v22; // edx
int v23; // ecx
int v24; // edx
int v25; // ecx
int v26; // edx
int v27; // ecx
int v28; // edx
int v29; // ecx
int v30; // edx
int v31; // ecx
int v32; // edx
unsigned int v33; // ebx
unsigned int v34; // edi
int v35; // eax
unsigned int v36; // ecx
int v37; // eax
unsigned int v38; // ecx
int v39; // edx
int v40; // eax
unsigned int v41; // ecx
int v42; // edx
int v43; // eax
int v44; // ecx
int v45; // edx
int v46; // ecx
unsigned int v47; // eax
int v48; // edx
unsigned int v49; // ecx
int v50; // eax
unsigned int result; // eax
// Right half = bytes 4..7 (big-endian); the left half (bytes 0..3) is rebuilt inline below.
password_right = a2[7] | ((a2[6] | ((a2[5] | (a2[4] << 8)) << 8)) << 8);
v4 = (password_right ^ ((a2[3] | ((a2[2] | ((a2[1] | ((unsigned int)*a2 << 8)) << 8)) << 8)) >> 4)) & 0xF0F0F0F;// (right ^ (left >> 4)) & 0x0F0F0F0F
v5 = v4 ^ password_right;
v6 = 16 * v4 ^ (a2[3] | ((a2[2] | ((a2[1] | (*a2 << 8)) << 8)) << 8));
v7 = (unsigned __int16)(v5 ^ (v6 >> 16));
v8 = v7 ^ v5;
v9 = (v7 << 16) ^ v6;
v10 = (v9 ^ (v8 >> 2)) & 0x33333333;
v11 = v10 ^ v9;
v12 = 4 * v10 ^ v8;
v13 = (v11 ^ (v12 >> 8)) & 0xFF00FF;
v14 = v13 ^ v11;
v15 = __ROL4__(v12 ^ (v13 << 8), 1); // rotate left
v16 = (v14 ^ v15) & 0xAAAAAAAA;
v17 = v16 ^ v15;
// Rounds 1-15: round i (counting from 0) mixes a1[2*i] and a1[2*i+1] into the current half,
// looks up eight table values and XORs them with the other half.
v18 = dword_45C708[(a1[1] ^ __ROR4__(v17, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[1] ^ __ROR4__(v17, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[1] ^ __ROR4__(v17, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[1] ^ __ROR4__(v17, 4)) >> 24) & 0x3F] ^ dword_45C808[(v17 ^ *a1) & 0x3F] ^ dword_45C608[(((unsigned int)v17 ^ *a1) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v17 ^ *a1) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v17 ^ *a1) >> 24) & 0x3F] ^ __ROL4__(v14 ^ v16, 1);
v19 = dword_45C708[(a1[3] ^ __ROR4__(v18, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[3] ^ __ROR4__(v18, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[3] ^ __ROR4__(v18, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[3] ^ __ROR4__(v18, 4)) >> 24) & 0x3F] ^ dword_45C808[(v18 ^ a1[2]) & 0x3F] ^ dword_45C608[(((unsigned int)v18 ^ a1[2]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v18 ^ a1[2]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v18 ^ a1[2]) >> 24) & 0x3F] ^ v17;
v20 = dword_45C708[(a1[5] ^ __ROR4__(v19, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[5] ^ __ROR4__(v19, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[5] ^ __ROR4__(v19, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[5] ^ __ROR4__(v19, 4)) >> 24) & 0x3F] ^ dword_45C808[(v19 ^ a1[4]) & 0x3F] ^ dword_45C608[(((unsigned int)v19 ^ a1[4]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v19 ^ a1[4]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v19 ^ a1[4]) >> 24) & 0x3F] ^ v18;
v21 = dword_45C708[(a1[7] ^ __ROR4__(v20, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[7] ^ __ROR4__(v20, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[7] ^ __ROR4__(v20, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[7] ^ __ROR4__(v20, 4)) >> 24) & 0x3F] ^ dword_45C808[(v20 ^ a1[6]) & 0x3F] ^ dword_45C608[(((unsigned int)v20 ^ a1[6]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v20 ^ a1[6]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v20 ^ a1[6]) >> 24) & 0x3F] ^ v19;
v22 = dword_45C708[(a1[9] ^ __ROR4__(v21, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[9] ^ __ROR4__(v21, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[9] ^ __ROR4__(v21, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[9] ^ __ROR4__(v21, 4)) >> 24) & 0x3F] ^ dword_45C808[(v21 ^ a1[8]) & 0x3F] ^ dword_45C608[(((unsigned int)v21 ^ a1[8]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v21 ^ a1[8]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v21 ^ a1[8]) >> 24) & 0x3F] ^ v20;
v23 = dword_45C708[(a1[11] ^ __ROR4__(v22, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[11] ^ __ROR4__(v22, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[11] ^ __ROR4__(v22, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[11] ^ __ROR4__(v22, 4)) >> 24) & 0x3F] ^ dword_45C808[(v22 ^ a1[10]) & 0x3F] ^ dword_45C608[(((unsigned int)v22 ^ a1[10]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v22 ^ a1[10]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v22 ^ a1[10]) >> 24) & 0x3F] ^ v21;
v24 = dword_45C708[(a1[13] ^ __ROR4__(v23, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[13] ^ __ROR4__(v23, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[13] ^ __ROR4__(v23, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[13] ^ __ROR4__(v23, 4)) >> 24) & 0x3F] ^ dword_45C808[(v23 ^ a1[12]) & 0x3F] ^ dword_45C608[(((unsigned int)v23 ^ a1[12]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v23 ^ a1[12]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v23 ^ a1[12]) >> 24) & 0x3F] ^ v22;
v25 = dword_45C708[(a1[15] ^ __ROR4__(v24, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[15] ^ __ROR4__(v24, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[15] ^ __ROR4__(v24, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[15] ^ __ROR4__(v24, 4)) >> 24) & 0x3F] ^ dword_45C808[(v24 ^ a1[14]) & 0x3F] ^ dword_45C608[(((unsigned int)v24 ^ a1[14]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v24 ^ a1[14]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v24 ^ a1[14]) >> 24) & 0x3F] ^ v23;
v26 = dword_45C708[(a1[17] ^ __ROR4__(v25, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[17] ^ __ROR4__(v25, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[17] ^ __ROR4__(v25, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[17] ^ __ROR4__(v25, 4)) >> 24) & 0x3F] ^ dword_45C808[(v25 ^ a1[16]) & 0x3F] ^ dword_45C608[(((unsigned int)v25 ^ a1[16]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v25 ^ a1[16]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v25 ^ a1[16]) >> 24) & 0x3F] ^ v24;
v27 = dword_45C708[(a1[19] ^ __ROR4__(v26, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[19] ^ __ROR4__(v26, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[19] ^ __ROR4__(v26, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[19] ^ __ROR4__(v26, 4)) >> 24) & 0x3F] ^ dword_45C808[(v26 ^ a1[18]) & 0x3F] ^ dword_45C608[(((unsigned int)v26 ^ a1[18]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v26 ^ a1[18]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v26 ^ a1[18]) >> 24) & 0x3F] ^ v25;
v28 = dword_45C708[(a1[21] ^ __ROR4__(v27, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[21] ^ __ROR4__(v27, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[21] ^ __ROR4__(v27, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[21] ^ __ROR4__(v27, 4)) >> 24) & 0x3F] ^ dword_45C808[(v27 ^ a1[20]) & 0x3F] ^ dword_45C608[(((unsigned int)v27 ^ a1[20]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v27 ^ a1[20]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v27 ^ a1[20]) >> 24) & 0x3F] ^ v26;
v29 = dword_45C708[(a1[23] ^ __ROR4__(v28, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[23] ^ __ROR4__(v28, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[23] ^ __ROR4__(v28, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[23] ^ __ROR4__(v28, 4)) >> 24) & 0x3F] ^ dword_45C808[(v28 ^ a1[22]) & 0x3F] ^ dword_45C608[(((unsigned int)v28 ^ a1[22]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v28 ^ a1[22]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v28 ^ a1[22]) >> 24) & 0x3F] ^ v27;
v30 = dword_45C708[(a1[25] ^ __ROR4__(v29, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[25] ^ __ROR4__(v29, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[25] ^ __ROR4__(v29, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[25] ^ __ROR4__(v29, 4)) >> 24) & 0x3F] ^ dword_45C808[(v29 ^ a1[24]) & 0x3F] ^ dword_45C608[(((unsigned int)v29 ^ a1[24]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v29 ^ a1[24]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v29 ^ a1[24]) >> 24) & 0x3F] ^ v28;
v31 = dword_45C708[(a1[27] ^ __ROR4__(v30, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[27] ^ __ROR4__(v30, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[27] ^ __ROR4__(v30, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[27] ^ __ROR4__(v30, 4)) >> 24) & 0x3F] ^ dword_45C808[(v30 ^ a1[26]) & 0x3F] ^ dword_45C608[(((unsigned int)v30 ^ a1[26]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v30 ^ a1[26]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v30 ^ a1[26]) >> 24) & 0x3F] ^ v29;
v32 = dword_45C708[(a1[29] ^ __ROR4__(v31, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[29] ^ __ROR4__(v31, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[29] ^ __ROR4__(v31, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[29] ^ __ROR4__(v31, 4)) >> 24) & 0x3F] ^ dword_45C808[(v31 ^ a1[28]) & 0x3F] ^ dword_45C608[(((unsigned int)v31 ^ a1[28]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v31 ^ a1[28]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v31 ^ a1[28]) >> 24) & 0x3F] ^ v30;
// Round 16 (a1[30], a1[31]); the decompiler pulled two of the table indices out into v33/v34
// and folded the following rotate-right-by-1 into the same expression.
v33 = (((unsigned int)v32 ^ a1[30]) >> 8) & 0x3F;
v34 = ((unsigned int)(a1[31] ^ __ROR4__(v32, 4)) >> 8) & 0x3F;
v35 = __ROR4__(
dword_45C808[(v32 ^ a1[30]) & 0x3F] ^ dword_45C608[v33] ^ dword_45C408[(((unsigned int)v32 ^ a1[30]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v32 ^ a1[30]) >> 24) & 0x3F] ^ v31 ^ dword_45C708[(a1[31] ^ __ROR4__(v32, 4)) & 0x3F] ^ dword_45C508[v34] ^ dword_45C308[((unsigned int)(a1[31] ^ __ROR4__(v32, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[31] ^ __ROR4__(v32, 4)) >> 24) & 0x3F],
1);
// Same masks as at the top, applied in reverse order with rotate-right instead of rotate-left.
v36 = (v32 ^ v35) & 0xAAAAAAAA;
v37 = v36 ^ v35;
v38 = __ROR4__(v32 ^ v36, 1);
v39 = (v37 ^ (v38 >> 8)) & 0xFF00FF;
v40 = v39 ^ v37;
v41 = (v39 << 8) ^ v38;
v42 = (v40 ^ (v41 >> 2)) & 0x33333333;
v43 = v42 ^ v40;
v44 = 4 * v42 ^ v41;
v45 = (unsigned __int16)(v44 ^ HIWORD(v43));
v46 = v45 ^ v44;
v47 = (v45 << 16) ^ v43;
v48 = (v46 ^ (v47 >> 4)) & 0xF0F0F0F;
v49 = v48 ^ v46;
v50 = 16 * v48 ^ v47;
// Store v50 then v49, most significant byte first.
*a3 = HIBYTE(v50);
a3[1] = BYTE2(v50);
a3[3] = v50;
a3[2] = BYTE1(v50);
a3[4] = HIBYTE(v49);
result = v49 >> 8;
a3[5] = BYTE2(v49);
a3[6] = BYTE1(v49);
a3[7] = v49;
return result;
}
该函数传入用户密码,还有生成的子密钥。
由于是变种的des加密,不是很想逆密钥处理函数,反正都是生成固定的子密钥。可以先用python还原一下sub_4034A0
#!/usr/bin/python
#coding:utf-8
# Lookup tables copied out of the binary. Each name carries the address of the
# matching dword_45Cx08 array that sub_4034A0 indexes with a 6-bit value (& 0x3F).
# NOTE(review): the leading entries of table_45C108 and table_45C208 look like the
# widely published combined S-box/permutation tables of standard DES — confirm
# all entries against a reference before relying on that.
table_45C708=[0x00200000,0x04200002,0x04000802,0x00000000, 0x00000800,0x04000802,0x00200802,0x04200800, 0x04200802,0x00200000,0x00000000,0x04000002, 0x00000002,0x04000000,0x04200002,0x00000802, 0x04000800,0x00200802,0x00200002,0x04000800, 0x04000002,0x04200000,0x04200800,0x00200002, 0x04200000,0x00000800,0x00000802,0x04200802, 0x00200800,0x00000002,0x04000000,0x00200800, 0x04000000,0x00200800,0x00200000,0x04000802, 0x04000802,0x04200002,0x04200002,0x00000002, 0x00200002,0x04000000,0x04000800,0x00200000, 0x04200800,0x00000802,0x00200802,0x04200800, 0x00000802,0x04000002,0x04200802,0x04200000, 0x00200800,0x00000000,0x00000002,0x04200802, 0x00000000,0x00200802,0x04200000,0x00000800, 0x04000002,0x04000800,0x00000800,0x00200002]
table_45C508 = [0x00000100, 0x02080100,0x02080000, 0x42000100, 0x00080000,0x00000100,0x40000000, 0x02080000, 0x40080100,0x00080000,0x02000100, 0x40080100, 0x42000100,0x42080000,0x00080100, 0x40000000, 0x02000000,0x40080000,0x40080000, 0x00000000, 0x40000100,0x42080100,0x42080100, 0x02000100, 0x42080000,0x40000100,0x00000000, 0x42000000, 0x02080100,0x02000000,0x42000000, 0x00080100, 0x00080000,0x42000100,0x00000100, 0x02000000, 0x40000000,0x02080000,0x42000100, 0x40080100, 0x02000100,0x40000000,0x42080000, 0x02080100, 0x40080100,0x00000100,0x02000000, 0x42080000, 0x42080100,0x00080100,0x42000000, 0x42080100, 0x02080000,0x00000000,0x40080000, 0x42000000, 0x00080100,0x02000100,0x40000100, 0x00080000, 0x00000000,0x40080000,0x02080100, 0x40000100]
table_45C308 = [0x00000208,0x08020200,0x00000000,0x08020008,0x08000200,0x00000000,0x00020208,0x08000200,0x00020008,0x08000008,0x08000008,0x00020000,0x08020208,0x00020008,0x08020000,0x00000208,0x08000000,0x00000008,0x08020200,0x00000200,0x00020200,0x08020000,0x08020008,0x00020208,0x08000208,0x00020200,0x00020000,0x08000208,0x00000008,0x08020208,0x00000200,0x08000000,0x08020200,0x08000000,0x00020008,0x00000208,0x00020000,0x08020200,0x08000200,0x00000000,0x00000200,0x00020008,0x08020208,0x08000200,0x08000008,0x00000200,0x00000000,0x08020008,0x08000208,0x00020000,0x08000000,0x08020208,0x00000008,0x00020208,0x00020200,0x08000008,0x08020000,0x08000208,0x00000208,0x08020000,0x00020208,0x00000008,0x08020008,0x00020200]
table_45C108 = [0x01010400,0x00000000,0x00010000,0x01010404,0x01010004,0x00010404,0x00000004,0x00010000,0x00000400,0x01010400,0x01010404,0x00000400,0x01000404,0x01010004,0x01000000,0x00000004,0x00000404,0x01000400,0x01000400,0x00010400,0x00010400,0x01010000,0x01010000,0x01000404,0x00010004,0x01000004,0x01000004,0x00010004,0x00000000,0x00000404,0x00010404,0x01000000,0x00010000,0x01010404,0x00000004,0x01010000,0x01010400,0x01000000,0x01000000,0x00000400,0x01010004,0x00010000,0x00010400,0x01000004,0x00000400,0x00000004,0x01000404,0x00010404,0x01010404,0x00010004,0x01010000,0x01000404,0x01000004,0x00000404,0x00010404,0x01010400,0x00000404,0x01000400,0x01000400,0x00000000,0x00010004,0x00010400,0x00000000,0x01010004]
table_45C808 = [0x10001040,0x00001000,0x00040000,0x10041040,0x10000000,0x10001040,0x00000040,0x10000000,0x00040040,0x10040000,0x10041040,0x00041000,0x10041000,0x00041040,0x00001000,0x00000040,0x10040000,0x10000040,0x10001000,0x00001040,0x00041000,0x00040040,0x10040040,0x10041000,0x00001040,0x00000000,0x00000000,0x10040040,0x10000040,0x10001000,0x00041040,0x00040000,0x00041040,0x00040000,0x10041000,0x00001000,0x00000040,0x10040040,0x00001000,0x00041040,0x10001000,0x00000040,0x10000040,0x10040000,0x10040040,0x10000000,0x00040000,0x10001040,0x00000000,0x10041040,0x00040040,0x10000040,0x10040000,0x10001000,0x10001040,0x00000000,0x10041040,0x00041000,0x00041000,0x00001040,0x00001040,0x00040040,0x10000000,0x10041000]
table_45C608 = [0x20000010,0x20400000,0x00004000,0x20404010,0x20400000,0x00000010,0x20404010,0x00400000,0x20004000,0x00404010,0x00400000,0x20000010,0x00400010,0x20004000,0x20000000,0x00004010,0x00000000,0x00400010,0x20004010,0x00004000,0x00404000,0x20004010,0x00000010,0x20400010,0x20400010,0x00000000,0x00404010,0x20404000,0x00004010,0x00404000,0x20404000,0x20000000,0x20004000,0x00000010,0x20400010,0x00404000,0x20404010,0x00400000,0x00004010,0x20000010,0x00400000,0x20004000,0x20000000,0x00004010,0x20000010,0x20404010,0x00404000,0x20400000,0x00404010,0x20404000,0x00000000,0x20400010,0x00000010,0x00004000,0x20400000,0x00404010,0x00004000,0x00400010,0x20004010,0x00000000,0x20404000,0x20000000,0x00400010,0x20004010]
table_45C408 = [0x00802001,0x00002081,0x00002081,0x00000080,0x00802080,0x00800081 ,0x00800001,0x00002001,0x00000000,0x00802000 ,0x00802000,0x00802081,0x00000081,0x00000000 ,0x00800080,0x00800001,0x00000001,0x00002000 ,0x00800000,0x00802001,0x00000080,0x00800000 ,0x00002001,0x00002080,0x00800081,0x00000001 ,0x00002080,0x00800080,0x00002000,0x00802080 ,0x00802081,0x00000081,0x00800080,0x00800001 ,0x00802000,0x00802081,0x00000081,0x00000000 ,0x00000000,0x00802000,0x00002080,0x00800080 ,0x00800081,0x00000001,0x00802001,0x00002081 ,0x00002081,0x00000080,0x00802081,0x00000081 ,0x00000001,0x00002000,0x00800001,0x00002001 ,0x00802080,0x00800081,0x00002001,0x00002080 ,0x00800000,0x00802001,0x00000080,0x00800000 ,0x00002000,0x00802080]
table_45C208 = [0x80108020,0x80008000,0x00008000,0x00108020,0x00100000,0x00000020,0x80100020,0x80008020,0x80000020,0x80108020,0x80108000,0x80000000,0x80008000,0x00100000,0x00000020,0x80100020,0x00108000,0x00100020,0x80008020,0x00000000,0x80000000,0x00008000,0x00108020,0x80100000,0x00100020,0x80000020,0x00000000,0x00108000,0x00008020,0x80108000,0x80100000,0x00008020,0x00000000,0x00108020,0x80100020,0x00100000,0x80008020,0x80100000,0x80108000,0x00008000,0x80100000,0x80008000,0x00000020,0x80108020,0x00108020,0x00000020,0x00008000,0x80000000,0x00008020,0x80108000,0x00100000,0x80000020,0x00100020,0x80008020,0x80000020,0x00100020,0x00108000,0x00000000,0x80008000,0x00008020,0x80000000,0x80100020,0x80108020,0x00108000]
# Subkey words that stand in for the a1 argument of sub_4034A0.
# NOTE(review): the C listing of sub_4034A0 reads a1[0]..a1[31] only, but this list
# has 33 entries; the last value (0x72E43E90) also does not fit the 6-bit-per-byte
# pattern of the others, so it may be an over-read from the memory dump — confirm.
a1 = [0x160B1E31,0x202F0705,0x391A0326,0x2720322E,0x2831352C,0x1F0A2814,0x301A3F19,0x39161604,0x1E373419,0x0B10123B,0x2A130835,0x18253736,0x0D062926,0x1D34003F,0x0E1A3D2D,0x181B2905,0x103E0A33,0x202B3E1C,0x19252B00,0x2E00283F,0x202F2E2D,0x1C0E2505,0x1C062503,0x2716170B,0x3E35140F,0x14032F1A,0x11010A16,0x15373A1E,0x17153E04,0x0C1E2831,0x221E043D,0x0B0B3D2A,0x72E43E90]
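def circular_shift_left(int_value,k,bit = 32):
    """Rotate the low ``bit`` bits of ``int_value`` left by ``k`` positions.

    Mirrors the __ROL4__ helper in the decompiled listing. The value is
    masked to ``bit`` bits first, so a caller that forgot to mask an
    intermediate result still gets a ``bit``-wide rotation, and ``k`` is
    reduced modulo ``bit``.

    :param int_value: value to rotate
    :param k: number of bit positions
    :param bit: word width in bits (32 by default)
    :return: the rotated value, always in range(0, 2**bit)
    """
    mask = (1 << bit) - 1
    int_value &= mask
    k %= bit
    # Bits shifted out at the top re-enter at the bottom.
    return ((int_value << k) | (int_value >> (bit - k))) & mask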
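def circular_shift_right(int_value, k, bit=32):
    """Rotate the low ``bit`` bits of ``int_value`` right by ``k`` positions.

    Python stand-in for the ``__ROR4__`` helper that appears in the
    decompiled listing (default width 32 bits).

    The value is masked to ``bit`` bits first and ``k`` is reduced modulo
    ``bit``. The earlier string-slicing version returned a wrong result when
    ``int_value`` was wider than ``bit`` bits, and treated any ``k`` larger
    than ``bit`` as "no rotation".

    :param int_value: integer to rotate; bits above ``bit`` are discarded.
    :param k: rotation distance in bits (any integer, taken modulo ``bit``).
    :param bit: word width in bits; must be a positive integer.
    :return: the rotated value, always in ``[0, 2**bit)``.
    """
    mask = (1 << bit) - 1
    value = int_value & mask
    k %= bit
    # Bits shifted out on the right re-enter on the left.
    return ((value >> k) | (value << (bit - k))) & mask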
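# Input block as 16 hex digits (8 bytes); this sample is the ASCII string
# "ILOVEYOU". Shorter input is right-padded with '0'; the number of hex digits
# should be even.
password_temp = "494C4F5645594F55"
password_temp = password_temp.ljust(16, '0')
password_left = int(password_temp[0:8], 16)    # first 4 bytes, big-endian
password_right = int(password_temp[8:16], 16)  # last 4 bytes, big-endian

# --- Input bit permutation; variable names follow the decompiled v4..v17 ---
v4 = (password_right ^ (password_left >> 4)) & 0xf0f0f0f
v5 = v4 ^ password_right
v6 = (16 * v4) ^ password_left
v7 = (v5 ^ (v6 >> 16)) & 0x0ffff
v8 = (v7 ^ v5) & 0xffffffff
v9 = ((v7 << 16) ^ v6) & 0xffffffff
v10 = (v9 ^ (v8 >> 2)) & 0x33333333
v11 = (v10 ^ v9) & 0xffffffff
v12 = ((4 * v10) ^ v8) & 0xffffffff
v13 = (v11 ^ (v12 >> 8)) & 0xFF00FF
v14 = (v13 ^ v11) & 0xffffffff
# __ROL4__(v12 ^ (v13 << 8), 1) in the decompilation. The hand-written
# shift/add line that used to precede this call was dead code (its result was
# overwritten immediately) and has been dropped.
v15 = circular_shift_left((v12 ^ ((v13 << 8) & 0xffffffff)) & 0xffffffff, 1)
v16 = (v14 ^ v15) & 0xAAAAAAAA
v17 = (v16 ^ v15) & 0xffffffff


def _round_f(half, key_even, key_odd):
    """Round function shared by all 16 rounds.

    ``key_odd`` is XORed with ``half`` rotated right by 4 and drives the
    45C708/45C508/45C308/45C108 lookups; ``key_even`` is XORed with ``half``
    directly and drives the 45C808/45C608/45C408/45C208 lookups. Every lookup
    uses a 6-bit index (``& 0x3F``).
    """
    rotated = key_odd ^ circular_shift_right(half, 4)
    direct = half ^ key_even
    return (table_45C708[rotated & 0x3F]
            ^ table_45C508[(rotated >> 8) & 0x3F]
            ^ table_45C308[(rotated >> 16) & 0x3F]
            ^ table_45C108[(rotated >> 24) & 0x3F]
            ^ table_45C808[direct & 0x3F]
            ^ table_45C608[(direct >> 8) & 0x3F]
            ^ table_45C408[(direct >> 16) & 0x3F]
            ^ table_45C208[(direct >> 24) & 0x3F])


# --- 16 rounds (the decompiled v18..v35) ---
# Round i consumes the key pair a1[2*i], a1[2*i + 1] in ascending order, which
# is the encrypting direction of the routine.
prev_half = circular_shift_left(v14 ^ v16, 1)
cur_half = v17
for round_no in range(16):
    next_half = (_round_f(cur_half, a1[2 * round_no], a1[2 * round_no + 1])
                 ^ prev_half) & 0xffffffff
    prev_half, cur_half = cur_half, next_half
v32 = prev_half                          # output of round 15
v35 = circular_shift_right(cur_half, 1)  # output of round 16, then __ROR4__(.., 1)

# --- Output bit permutation (the decompiled v36..v48) ---
v36 = ((v32 ^ v35) & 0xAAAAAAAA) & 0xffffffff
v37 = (v36 ^ v35) & 0xffffffff
v38 = circular_shift_right(v32 ^ v36, 1) & 0xffffffff
v39 = ((v37 ^ (v38 >> 8)) & 0xFF00FF) & 0xffffffff
v40 = (v39 ^ v37) & 0xffffffff
v41 = ((v39 << 8) ^ v38) & 0xffffffff
v42 = ((v40 ^ (v41 >> 2)) & 0x33333333) & 0xffffffff
v43 = (v42 ^ v40) & 0xffffffff
v44 = ((4 * v42) ^ v41) & 0xffffffff
v45 = (v44 ^ (v43 >> 16)) & 0xffff
v46 = (v45 ^ v44) & 0xffffffff
v47 = ((v45 << 16) ^ v43) & 0xffffffff
v48 = ((v46 ^ (v47 >> 4)) & 0xF0F0F0F) & 0xffffffff
out_right = (v48 ^ v46) & 0xffffffff
out_left = ((16 * v48) ^ v47) & 0xffffffff

# Fixed-width formatting instead of hex(x)[2:-1]: that slice assumed a trailing
# 'L' (Python 2 long) and silently dropped the last hex digit whenever the
# value was a plain int.
print('%08x%08x' % (out_left, out_right))
# Values recorded by the author for the sample input (presumably out_left and
# out_right):
# 0xE108379B
# 0x6661BB00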
这个函数用password加密得到的密文就是username,后边会和输入的username对比。
此时已经可以由password正向算出对应的username,但我想题目要求应该还是从username到password。
现在可以换种思路:我们已经得到了子密钥,而这种多轮交替(Feistel)结构的解密过程与加密过程相同,只是子密钥的使用顺序相反,所以把子密钥的顺序倒过来,就可以把加密函数改为解密函数。
看下边的图,就是明文加密的过程。
明文进入之后先进行初始置换,分为两部分 和子密钥进行16轮交替加密。
再看回sub_4034A0函数
password_right = a2[7] | ((a2[6] | ((a2[5] | (a2[4] << 8)) << 8)) << 8);
v4 = (password_right ^ ((a2[3] | ((a2[2] | ((a2[1] | ((unsigned int)*a2 << 8)) << 8)) << 8)) >> 4)) & 0xF0F0F0F;// 前4^后4 &0xf0f0f0f0
v5 = v4 ^ password_right;
v6 = 16 * v4 ^ (a2[3] | ((a2[2] | ((a2[1] | (*a2 << 8)) << 8)) << 8));
v7 = (unsigned __int16)(v5 ^ (v6 >> 16));
v8 = v7 ^ v5;
v9 = (v7 << 16) ^ v6;
v10 = (v9 ^ (v8 >> 2)) & 0x33333333;
v11 = v10 ^ v9;
v12 = 4 * v10 ^ v8;
v13 = (v11 ^ (v12 >> 8)) & 0xFF00FF;
v14 = v13 ^ v11;
v15 = __ROL4__(v12 ^ (v13 << 8), 1); // 循环左移
v16 = (v14 ^ v15) & 0xAAAAAAAA;
v17 = v16 ^ v15;
上面这部分可以理解为初始置换。
下面这部分可以理解为16轮交替加密。
v18 = dword_45C708[(a1[1] ^ __ROR4__(v17, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[1] ^ __ROR4__(v17, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[1] ^ __ROR4__(v17, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[1] ^ __ROR4__(v17, 4)) >> 24) & 0x3F] ^ dword_45C808[(v17 ^ *a1) & 0x3F] ^ dword_45C608[(((unsigned int)v17 ^ *a1) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v17 ^ *a1) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v17 ^ *a1) >> 24) & 0x3F] ^ __ROL4__(v14 ^ v16, 1);
v19 = dword_45C708[(a1[3] ^ __ROR4__(v18, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[3] ^ __ROR4__(v18, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[3] ^ __ROR4__(v18, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[3] ^ __ROR4__(v18, 4)) >> 24) & 0x3F] ^ dword_45C808[(v18 ^ a1[2]) & 0x3F] ^ dword_45C608[(((unsigned int)v18 ^ a1[2]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v18 ^ a1[2]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v18 ^ a1[2]) >> 24) & 0x3F] ^ v17;
v20 = dword_45C708[(a1[5] ^ __ROR4__(v19, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[5] ^ __ROR4__(v19, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[5] ^ __ROR4__(v19, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[5] ^ __ROR4__(v19, 4)) >> 24) & 0x3F] ^ dword_45C808[(v19 ^ a1[4]) & 0x3F] ^ dword_45C608[(((unsigned int)v19 ^ a1[4]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v19 ^ a1[4]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v19 ^ a1[4]) >> 24) & 0x3F] ^ v18;
v21 = dword_45C708[(a1[7] ^ __ROR4__(v20, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[7] ^ __ROR4__(v20, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[7] ^ __ROR4__(v20, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[7] ^ __ROR4__(v20, 4)) >> 24) & 0x3F] ^ dword_45C808[(v20 ^ a1[6]) & 0x3F] ^ dword_45C608[(((unsigned int)v20 ^ a1[6]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v20 ^ a1[6]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v20 ^ a1[6]) >> 24) & 0x3F] ^ v19;
v22 = dword_45C708[(a1[9] ^ __ROR4__(v21, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[9] ^ __ROR4__(v21, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[9] ^ __ROR4__(v21, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[9] ^ __ROR4__(v21, 4)) >> 24) & 0x3F] ^ dword_45C808[(v21 ^ a1[8]) & 0x3F] ^ dword_45C608[(((unsigned int)v21 ^ a1[8]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v21 ^ a1[8]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v21 ^ a1[8]) >> 24) & 0x3F] ^ v20;
v23 = dword_45C708[(a1[11] ^ __ROR4__(v22, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[11] ^ __ROR4__(v22, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[11] ^ __ROR4__(v22, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[11] ^ __ROR4__(v22, 4)) >> 24) & 0x3F] ^ dword_45C808[(v22 ^ a1[10]) & 0x3F] ^ dword_45C608[(((unsigned int)v22 ^ a1[10]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v22 ^ a1[10]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v22 ^ a1[10]) >> 24) & 0x3F] ^ v21;
v24 = dword_45C708[(a1[13] ^ __ROR4__(v23, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[13] ^ __ROR4__(v23, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[13] ^ __ROR4__(v23, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[13] ^ __ROR4__(v23, 4)) >> 24) & 0x3F] ^ dword_45C808[(v23 ^ a1[12]) & 0x3F] ^ dword_45C608[(((unsigned int)v23 ^ a1[12]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v23 ^ a1[12]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v23 ^ a1[12]) >> 24) & 0x3F] ^ v22;
v25 = dword_45C708[(a1[15] ^ __ROR4__(v24, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[15] ^ __ROR4__(v24, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[15] ^ __ROR4__(v24, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[15] ^ __ROR4__(v24, 4)) >> 24) & 0x3F] ^ dword_45C808[(v24 ^ a1[14]) & 0x3F] ^ dword_45C608[(((unsigned int)v24 ^ a1[14]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v24 ^ a1[14]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v24 ^ a1[14]) >> 24) & 0x3F] ^ v23;
v26 = dword_45C708[(a1[17] ^ __ROR4__(v25, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[17] ^ __ROR4__(v25, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[17] ^ __ROR4__(v25, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[17] ^ __ROR4__(v25, 4)) >> 24) & 0x3F] ^ dword_45C808[(v25 ^ a1[16]) & 0x3F] ^ dword_45C608[(((unsigned int)v25 ^ a1[16]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v25 ^ a1[16]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v25 ^ a1[16]) >> 24) & 0x3F] ^ v24;
v27 = dword_45C708[(a1[19] ^ __ROR4__(v26, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[19] ^ __ROR4__(v26, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[19] ^ __ROR4__(v26, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[19] ^ __ROR4__(v26, 4)) >> 24) & 0x3F] ^ dword_45C808[(v26 ^ a1[18]) & 0x3F] ^ dword_45C608[(((unsigned int)v26 ^ a1[18]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v26 ^ a1[18]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v26 ^ a1[18]) >> 24) & 0x3F] ^ v25;
v28 = dword_45C708[(a1[21] ^ __ROR4__(v27, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[21] ^ __ROR4__(v27, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[21] ^ __ROR4__(v27, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[21] ^ __ROR4__(v27, 4)) >> 24) & 0x3F] ^ dword_45C808[(v27 ^ a1[20]) & 0x3F] ^ dword_45C608[(((unsigned int)v27 ^ a1[20]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v27 ^ a1[20]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v27 ^ a1[20]) >> 24) & 0x3F] ^ v26;
v29 = dword_45C708[(a1[23] ^ __ROR4__(v28, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[23] ^ __ROR4__(v28, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[23] ^ __ROR4__(v28, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[23] ^ __ROR4__(v28, 4)) >> 24) & 0x3F] ^ dword_45C808[(v28 ^ a1[22]) & 0x3F] ^ dword_45C608[(((unsigned int)v28 ^ a1[22]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v28 ^ a1[22]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v28 ^ a1[22]) >> 24) & 0x3F] ^ v27;
v30 = dword_45C708[(a1[25] ^ __ROR4__(v29, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[25] ^ __ROR4__(v29, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[25] ^ __ROR4__(v29, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[25] ^ __ROR4__(v29, 4)) >> 24) & 0x3F] ^ dword_45C808[(v29 ^ a1[24]) & 0x3F] ^ dword_45C608[(((unsigned int)v29 ^ a1[24]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v29 ^ a1[24]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v29 ^ a1[24]) >> 24) & 0x3F] ^ v28;
v31 = dword_45C708[(a1[27] ^ __ROR4__(v30, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[27] ^ __ROR4__(v30, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[27] ^ __ROR4__(v30, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[27] ^ __ROR4__(v30, 4)) >> 24) & 0x3F] ^ dword_45C808[(v30 ^ a1[26]) & 0x3F] ^ dword_45C608[(((unsigned int)v30 ^ a1[26]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v30 ^ a1[26]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v30 ^ a1[26]) >> 24) & 0x3F] ^ v29;
v32 = dword_45C708[(a1[29] ^ __ROR4__(v31, 4)) & 0x3F] ^ dword_45C508[((unsigned int)(a1[29] ^ __ROR4__(v31, 4)) >> 8) & 0x3F] ^ dword_45C308[((unsigned int)(a1[29] ^ __ROR4__(v31, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[29] ^ __ROR4__(v31, 4)) >> 24) & 0x3F] ^ dword_45C808[(v31 ^ a1[28]) & 0x3F] ^ dword_45C608[(((unsigned int)v31 ^ a1[28]) >> 8) & 0x3F] ^ dword_45C408[(((unsigned int)v31 ^ a1[28]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v31 ^ a1[28]) >> 24) & 0x3F] ^ v30;
v33 = (((unsigned int)v32 ^ a1[30]) >> 8) & 0x3F;
v34 = ((unsigned int)(a1[31] ^ __ROR4__(v32, 4)) >> 8) & 0x3F;
v35 = __ROR4__(
dword_45C808[(v32 ^ a1[30]) & 0x3F] ^ dword_45C608[v33] ^ dword_45C408[(((unsigned int)v32 ^ a1[30]) >> 16) & 0x3F] ^ dword_45C208[(((unsigned int)v32 ^ a1[30]) >> 24) & 0x3F] ^ v31 ^ dword_45C708[(a1[31] ^ __ROR4__(v32, 4)) & 0x3F] ^ dword_45C508[v34] ^ dword_45C308[((unsigned int)(a1[31] ^ __ROR4__(v32, 4)) >> 16) & 0x3F] ^ dword_45C108[((unsigned int)(a1[31] ^ __ROR4__(v32, 4)) >> 24) & 0x3F],
1);
上边已经还原过这个函数,也已经得知子密钥,那么把子密钥的使用顺序颠倒过来(从 a1[30]、a1[31] 这一对开始,依次往前取),同一个函数就变成了解密函数。
可以写脚本:
#!/usr/bin/python
#coding:utf-8
# Lookup tables copied out of the target binary; each table_XXXXXX corresponds
# to the dword_XXXXXX array of the same address in the decompiled listing.
# The round computation indexes every table with a 6-bit value (& 0x3F), so
# each table needs 64 entries.
# NOTE(review): the values match the combined S-box/P-permutation tables
# (usually named SP1..SP8) of table-driven DES implementations, with
# 45C108..45C808 lining up with SP1..SP8 in address order -- confirm against a
# reference implementation before relying on it.
table_45C708=[0x00200000,0x04200002,0x04000802,0x00000000, 0x00000800,0x04000802,0x00200802,0x04200800, 0x04200802,0x00200000,0x00000000,0x04000002, 0x00000002,0x04000000,0x04200002,0x00000802, 0x04000800,0x00200802,0x00200002,0x04000800, 0x04000002,0x04200000,0x04200800,0x00200002, 0x04200000,0x00000800,0x00000802,0x04200802, 0x00200800,0x00000002,0x04000000,0x00200800, 0x04000000,0x00200800,0x00200000,0x04000802, 0x04000802,0x04200002,0x04200002,0x00000002, 0x00200002,0x04000000,0x04000800,0x00200000, 0x04200800,0x00000802,0x00200802,0x04200800, 0x00000802,0x04000002,0x04200802,0x04200000, 0x00200800,0x00000000,0x00000002,0x04200802, 0x00000000,0x00200802,0x04200000,0x00000800, 0x04000002,0x04000800,0x00000800,0x00200002]
table_45C508 = [0x00000100, 0x02080100,0x02080000, 0x42000100, 0x00080000,0x00000100,0x40000000, 0x02080000, 0x40080100,0x00080000,0x02000100, 0x40080100, 0x42000100,0x42080000,0x00080100, 0x40000000, 0x02000000,0x40080000,0x40080000, 0x00000000, 0x40000100,0x42080100,0x42080100, 0x02000100, 0x42080000,0x40000100,0x00000000, 0x42000000, 0x02080100,0x02000000,0x42000000, 0x00080100, 0x00080000,0x42000100,0x00000100, 0x02000000, 0x40000000,0x02080000,0x42000100, 0x40080100, 0x02000100,0x40000000,0x42080000, 0x02080100, 0x40080100,0x00000100,0x02000000, 0x42080000, 0x42080100,0x00080100,0x42000000, 0x42080100, 0x02080000,0x00000000,0x40080000, 0x42000000, 0x00080100,0x02000100,0x40000100, 0x00080000, 0x00000000,0x40080000,0x02080100, 0x40000100]
table_45C308 = [0x00000208,0x08020200,0x00000000,0x08020008,0x08000200,0x00000000,0x00020208,0x08000200,0x00020008,0x08000008,0x08000008,0x00020000,0x08020208,0x00020008,0x08020000,0x00000208,0x08000000,0x00000008,0x08020200,0x00000200,0x00020200,0x08020000,0x08020008,0x00020208,0x08000208,0x00020200,0x00020000,0x08000208,0x00000008,0x08020208,0x00000200,0x08000000,0x08020200,0x08000000,0x00020008,0x00000208,0x00020000,0x08020200,0x08000200,0x00000000,0x00000200,0x00020008,0x08020208,0x08000200,0x08000008,0x00000200,0x00000000,0x08020008,0x08000208,0x00020000,0x08000000,0x08020208,0x00000008,0x00020208,0x00020200,0x08000008,0x08020000,0x08000208,0x00000208,0x08020000,0x00020208,0x00000008,0x08020008,0x00020200]
table_45C108 = [0x01010400,0x00000000,0x00010000,0x01010404,0x01010004,0x00010404,0x00000004,0x00010000,0x00000400,0x01010400,0x01010404,0x00000400,0x01000404,0x01010004,0x01000000,0x00000004,0x00000404,0x01000400,0x01000400,0x00010400,0x00010400,0x01010000,0x01010000,0x01000404,0x00010004,0x01000004,0x01000004,0x00010004,0x00000000,0x00000404,0x00010404,0x01000000,0x00010000,0x01010404,0x00000004,0x01010000,0x01010400,0x01000000,0x01000000,0x00000400,0x01010004,0x00010000,0x00010400,0x01000004,0x00000400,0x00000004,0x01000404,0x00010404,0x01010404,0x00010004,0x01010000,0x01000404,0x01000004,0x00000404,0x00010404,0x01010400,0x00000404,0x01000400,0x01000400,0x00000000,0x00010004,0x00010400,0x00000000,0x01010004]
table_45C808 = [0x10001040,0x00001000,0x00040000,0x10041040,0x10000000,0x10001040,0x00000040,0x10000000,0x00040040,0x10040000,0x10041040,0x00041000,0x10041000,0x00041040,0x00001000,0x00000040,0x10040000,0x10000040,0x10001000,0x00001040,0x00041000,0x00040040,0x10040040,0x10041000,0x00001040,0x00000000,0x00000000,0x10040040,0x10000040,0x10001000,0x00041040,0x00040000,0x00041040,0x00040000,0x10041000,0x00001000,0x00000040,0x10040040,0x00001000,0x00041040,0x10001000,0x00000040,0x10000040,0x10040000,0x10040040,0x10000000,0x00040000,0x10001040,0x00000000,0x10041040,0x00040040,0x10000040,0x10040000,0x10001000,0x10001040,0x00000000,0x10041040,0x00041000,0x00041000,0x00001040,0x00001040,0x00040040,0x10000000,0x10041000]
table_45C608 = [0x20000010,0x20400000,0x00004000,0x20404010,0x20400000,0x00000010,0x20404010,0x00400000,0x20004000,0x00404010,0x00400000,0x20000010,0x00400010,0x20004000,0x20000000,0x00004010,0x00000000,0x00400010,0x20004010,0x00004000,0x00404000,0x20004010,0x00000010,0x20400010,0x20400010,0x00000000,0x00404010,0x20404000,0x00004010,0x00404000,0x20404000,0x20000000,0x20004000,0x00000010,0x20400010,0x00404000,0x20404010,0x00400000,0x00004010,0x20000010,0x00400000,0x20004000,0x20000000,0x00004010,0x20000010,0x20404010,0x00404000,0x20400000,0x00404010,0x20404000,0x00000000,0x20400010,0x00000010,0x00004000,0x20400000,0x00404010,0x00004000,0x00400010,0x20004010,0x00000000,0x20404000,0x20000000,0x00400010,0x20004010]
table_45C408 = [0x00802001,0x00002081,0x00002081,0x00000080,0x00802080,0x00800081 ,0x00800001,0x00002001,0x00000000,0x00802000 ,0x00802000,0x00802081,0x00000081,0x00000000 ,0x00800080,0x00800001,0x00000001,0x00002000 ,0x00800000,0x00802001,0x00000080,0x00800000 ,0x00002001,0x00002080,0x00800081,0x00000001 ,0x00002080,0x00800080,0x00002000,0x00802080 ,0x00802081,0x00000081,0x00800080,0x00800001 ,0x00802000,0x00802081,0x00000081,0x00000000 ,0x00000000,0x00802000,0x00002080,0x00800080 ,0x00800081,0x00000001,0x00802001,0x00002081 ,0x00002081,0x00000080,0x00802081,0x00000081 ,0x00000001,0x00002000,0x00800001,0x00002001 ,0x00802080,0x00800081,0x00002001,0x00002080 ,0x00800000,0x00802001,0x00000080,0x00800000 ,0x00002000,0x00802080]
table_45C208 = [0x80108020,0x80008000,0x00008000,0x00108020,0x00100000,0x00000020,0x80100020,0x80008020,0x80000020,0x80108020,0x80108000,0x80000000,0x80008000,0x00100000,0x00000020,0x80100020,0x00108000,0x00100020,0x80008020,0x00000000,0x80000000,0x00008000,0x00108020,0x80100000,0x00100020,0x80000020,0x00000000,0x00108000,0x00008020,0x80108000,0x80100000,0x00008020,0x00000000,0x00108020,0x80100020,0x00100000,0x80008020,0x80100000,0x80108000,0x00008000,0x80100000,0x80008000,0x00000020,0x80108020,0x00108020,0x00000020,0x00008000,0x80000000,0x00008020,0x80108000,0x00100000,0x80000020,0x00100020,0x80008020,0x80000020,0x00100020,0x00108000,0x00000000,0x80008000,0x00008020,0x80000000,0x80100020,0x80108020,0x00108000]
# Round-key words copied out of the binary (the a1 argument of the decompiled
# routine). The decompiled rounds index a1[0]..a1[31], two words per round.
# Every byte of those 32 words is <= 0x3F, which fits the 6-bit table indexes.
# The list holds 33 words; the last one (0x72E43E90) does not fit that pattern
# and is presumably memory that follows the key schedule -- verify.
# Because the key schedule ships inside the program, the mapping can be
# computed offline in either direction by anyone who extracts it.
a1 = [0x160B1E31,0x202F0705,0x391A0326,0x2720322E,0x2831352C,0x1F0A2814,0x301A3F19,0x39161604,0x1E373419,0x0B10123B,0x2A130835,0x18253736,0x0D062926,0x1D34003F,0x0E1A3D2D,0x181B2905,0x103E0A33,0x202B3E1C,0x19252B00,0x2E00283F,0x202F2E2D,0x1C0E2505,0x1C062503,0x2716170B,0x3E35140F,0x14032F1A,0x11010A16,0x15373A1E,0x17153E04,0x0C1E2831,0x221E043D,0x0B0B3D2A,0x72E43E90]
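def circular_shift_left(int_value, k, bit=32):
    """Rotate the low ``bit`` bits of ``int_value`` left by ``k`` positions.

    Python stand-in for the ``__ROL4__`` helper that appears in the
    decompiled listing (default width 32 bits).

    The value is masked to ``bit`` bits first and ``k`` is reduced modulo
    ``bit``. The earlier string-slicing version returned a wrong result when
    ``int_value`` was wider than ``bit`` bits, and treated any ``k`` larger
    than ``bit`` as "no rotation".

    :param int_value: integer to rotate; bits above ``bit`` are discarded.
    :param k: rotation distance in bits (any integer, taken modulo ``bit``).
    :param bit: word width in bits; must be a positive integer.
    :return: the rotated value, always in ``[0, 2**bit)``.
    """
    mask = (1 << bit) - 1
    value = int_value & mask
    k %= bit
    # Bits shifted out on the left re-enter on the right.
    return ((value << k) | (value >> (bit - k))) & mask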
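def circular_shift_right(int_value, k, bit=32):
    """Rotate ``int_value`` right by ``k`` positions inside a ``bit``-wide word.

    int_value -- value to rotate; only its low ``bit`` bits are used.
    k         -- rotation distance; reduced modulo ``bit``.
    bit       -- word width in bits (default 32).

    Returns the rotated value, always in the range [0, 2**bit).
    Raises ValueError when ``bit`` is not positive.
    """
    if bit <= 0:
        raise ValueError("bit must be positive")
    mask = (1 << bit) - 1
    # Clamp to the word width first: the earlier string-slicing version
    # returned a result wider than `bit` bits when given an over-wide value.
    value = int_value & mask
    k %= bit
    return ((value >> k) | (value << (bit - k))) & mask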
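# Re-implementation of the routine's 64-bit block transform.
# Shape: a bit-swap permutation on the two 32-bit halves, sixteen table-driven
# rounds, then the inverse permutation. This matches a table-driven DES block
# transform (the lookup tables coincide with published DES SP-box tables) --
# NOTE(review): confirm against the binary before relying on that label.
# The v4..v17 and v35..v48 names are kept so each line can be matched against
# the decompiler listing.

# Input block: 8 bytes written as 16 hex digits.
password_temp = "3532506F6A696521"  # 52Pojie!
password_temp = password_temp.ljust(16, '0')  # right-pad short input with '0' digits
password_left = int(password_temp[0:8], 16)
password_right = int(password_temp[8:16], 16)

# --- initial permutation: masked swaps between the two halves ---------------
v4 = (password_right ^ (password_left >> 4)) & 0x0f0f0f0f
v5 = v4 ^ password_right
v6 = (16 * v4) ^ password_left
v7 = (v5 ^ (v6 >> 16)) & 0xffff
v8 = (v7 ^ v5) & 0xffffffff
v9 = ((v7 << 16) ^ v6) & 0xffffffff
v10 = (v9 ^ (v8 >> 2)) & 0x33333333
v11 = (v10 ^ v9) & 0xffffffff
v12 = ((4 * v10) ^ v8) & 0xffffffff
v13 = (v11 ^ (v12 >> 8)) & 0x00FF00FF
v14 = (v13 ^ v11) & 0xffffffff
v12_temp = (v12 ^ ((v13 << 8) & 0xffffffff)) & 0xffffffff
# Rotate left by one. The hand-written shift/add form that used to precede
# this call was dead code (its result was overwritten here) and mis-grouped,
# because `+` binds tighter than `&`; it has been dropped.
v15 = circular_shift_left(v12_temp, 1)
v16 = (v14 ^ v15) & 0xAAAAAAAA
v17 = (v16 ^ v15) & 0xffffffff


def _sp_round(half, key_rot, key_plain):
    """Round function: XOR of eight 6-bit table lookups on one 32-bit half.

    `key_rot` is mixed with the half rotated right by 4 and indexes tables
    7/5/3/1; `key_plain` is mixed with the unrotated half and indexes tables
    8/6/4/2.
    """
    rot = key_rot ^ circular_shift_right(half, 4)
    plain = half ^ key_plain
    return (table_45C708[rot & 0x3F]
            ^ table_45C508[(rot >> 8) & 0x3F]
            ^ table_45C308[(rot >> 16) & 0x3F]
            ^ table_45C108[(rot >> 24) & 0x3F]
            ^ table_45C808[plain & 0x3F]
            ^ table_45C608[(plain >> 8) & 0x3F]
            ^ table_45C408[(plain >> 16) & 0x3F]
            ^ table_45C208[(plain >> 24) & 0x3F])


# --- sixteen Feistel rounds (v18 .. v32 and the pre-rotation v35) -----------
# Subkey pairs are consumed from the end of a1 toward the front:
# (a1[31], a1[30]) first, (a1[1], a1[0]) last. a1 is a constant table, so the
# whole transform is reproducible offline by anyone holding the same
# constants; a check built on an embedded schedule provides no secrecy.
prev_half = circular_shift_left(v14 ^ v16, 1)
cur_half = v17
for i in range(15, -1, -1):
    mixed = (_sp_round(cur_half, a1[2 * i + 1], a1[2 * i]) ^ prev_half) & 0xffffffff
    prev_half, cur_half = cur_half, mixed
v32 = prev_half

# --- final permutation: the initial swaps undone in reverse order -----------
v35 = circular_shift_right(cur_half, 1)
v36 = (v32 ^ v35) & 0xAAAAAAAA
v37 = (v36 ^ v35) & 0xffffffff
v38 = circular_shift_right(v32 ^ v36, 1)
v39 = (v37 ^ (v38 >> 8)) & 0x00FF00FF
v40 = (v39 ^ v37) & 0xffffffff
v41 = ((v39 << 8) ^ v38) & 0xffffffff
v42 = (v40 ^ (v41 >> 2)) & 0x33333333
v43 = (v42 ^ v40) & 0xffffffff
v44 = ((4 * v42) ^ v41) & 0xffffffff
v45 = (v44 ^ (v43 >> 16)) & 0xffff
v46 = (v45 ^ v44) & 0xffffffff
v47 = ((v45 << 16) ^ v43) & 0xffffffff
v48 = (v46 ^ (v47 >> 4)) & 0x0F0F0F0F
out_right = (v48 ^ v46) & 0xffffffff
out_left = ((16 * v48) ^ v47) & 0xffffffff

# Fixed-width upper-case hex. The previous hex(x)[2:-1] relied on Python 2
# appending an 'L' suffix; where the value is a plain int there is no suffix
# and the slice silently dropped the last digit.
temp = '%08X%08X' % (out_left, out_right)
print(temp)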