The login packet analysed last time was transformed with a constant MD5 array. For the other packets exchanged after login, we pick up where the previous analysis stopped. It ended with the code below, which resets the four state dwords at [esi+1ACh] through [esi+1B8h] (to ebx, the register this function uses as zero) and then issues three reads through sub_0_50AE20: 1 byte into the local var_8C, 2 bytes into [esi+1C0h] and 4 bytes into [esi+1C4h].
_text:00434C88 loc_0_434C88:
_text:00434C88 lea ecx, [esp+0B8h+var_8C]
_text:00434C8C push 1
_text:00434C8E push ecx
_text:00434C8F mov ecx, esi
_text:00434C91 mov [esi+1ACh], ebx
_text:00434C97 mov [esi+1B0h], ebx
_text:00434C9D mov [esi+1B4h], ebx
_text:00434CA3 mov [esi+1B8h], ebx
_text:00434CA9 call sub_0_50AE20
_text:00434CAE lea edx, [esi+1C0h]
_text:00434CB4 push 2
_text:00434CB6 push edx
_text:00434CB7 mov ecx, esi
_text:00434CB9 call sub_0_50AE20
_text:00434CBE lea eax, [esi+1C4h]
_text:00434CC4 push 4
_text:00434CC6 push eax
_text:00434CC7 mov ecx, esi
_text:00434CC9 call sub_0_50AE20
_text:00434CCE cmp [esp+0B8h+arg_C], ebx
_text:00434CD5 jnz short loc_0_434CEB
_text:00434CD7 push ebp
_text:00434CD8 push offset aDLogin
_text:00434CDD push ebx
_text:00434CDE push offset stru_0_596558
_text:00434CE3 call sub_0_4AA400
_text:00434CE8 add esp, 10h
_text:00434CEB
_text:00434CEB loc_0_434CEB:
_text:00434CEB pop edi
_text:00434CEC pop esi
_text:00434CED pop ebp
_text:00434CEE xor eax, eax
_text:00434CF0 pop ebx
_text:00434CF1 add esp, 0A8h
_text:00434CF7 retn 10h
sub_0_50AE20 receives data and decrypts it in place. It is a __thiscall on the connection object (ecx, kept in esi) and takes two stack arguments, the buffer to receive into and the number of bytes wanted (retn 8). It bails out early (loc_0_50AF12, not shown) if the socket at [esi+4] is INVALID_SOCKET (0FFFFFFFFh), the buffer pointer is NULL or the length is negative; a length of 0 skips recv altogether. The loop at loc_0_50AE57 calls recv until exactly len bytes have arrived: when recv returns less than 1 and WSAGetLastError is 2733h (10035, WSAEWOULDBLOCK) it sleeps 64h (100) ms and retries, giving up after 0Ah (10) consecutive would-block results via loc_0_50AEF2, which any other socket error also takes; every chunk received is added to the global counter dword_0_5A1090 with InterlockedExchangeAdd. Once the buffer is full, the loop at loc_0_50AEAA decrypts it byte by byte and the function returns 1.
The analysis of sub_0_50AE20 follows:
_text:0050AE20 push ecx
_text:0050AE21 push ebx
_text:0050AE22 mov ebx, [esp+8+buf]
_text:0050AE26 push ebp
_text:0050AE27 push esi
_text:0050AE28 mov esi, ecx
_text:0050AE2A push edi
_text:0050AE2B mov edi, [esp+14h+len]
_text:0050AE2F mov [esp+14h+var_4], 0Ah
_text:0050AE37 mov eax, [esi+4]
_text:0050AE3A mov ebp, ebx
_text:0050AE3C cmp eax, 0FFFFFFFFh
_text:0050AE3F jz loc_0_50AF12
_text:0050AE45 test ebx, ebx
_text:0050AE47 jz loc_0_50AF12
_text:0050AE4D test edi, edi
_text:0050AE4F jl loc_0_50AF12
_text:0050AE55 jle short loc_0_50AEA4
_text:0050AE57
_text:0050AE57 loc_0_50AE57:
_text:0050AE57 mov eax, [esi+4]
_text:0050AE5A push 0
_text:0050AE5C push edi
_text:0050AE5D push ebp
_text:0050AE5E push eax
_text:0050AE5F call recv
_text:0050AE64 cmp eax, 1
_text:0050AE67 jge short loc_0_50AE8C
_text:0050AE69 call WSAGetLastError
_text:0050AE6E cmp eax, 2733h
_text:0050AE73 jnz short loc_0_50AEF2
_text:0050AE75 mov eax, [esp+14h+var_4]
_text:0050AE79 dec eax
_text:0050AE7A test eax, eax
_text:0050AE7C mov [esp+14h+var_4], eax
_text:0050AE80 jle short loc_0_50AEF2
_text:0050AE82 push 64h
_text:0050AE84 call ds:Sleep
_text:0050AE8A jmp short loc_0_50AE9C
_text:0050AE8C
_text:0050AE8C loc_0_50AE8C:
_text:0050AE8C push eax
_text:0050AE8D push offset dword_0_5A1090
_text:0050AE92 sub edi, eax
_text:0050AE94 add ebp, eax
_text:0050AE96 call ds:InterlockedExchangeAdd
_text:0050AE9C
_text:0050AE9C loc_0_50AE9C:
_text:0050AE9C test edi, edi
_text:0050AE9E jg short loc_0_50AE57
_text:0050AEA0 mov edi, [esp+14h+len]
_text:0050AEA4
_text:0050AEA4 loc_0_50AEA4:
_text:0050AEA4 xor eax, eax
_text:0050AEA6 test edi, edi
_text:0050AEA8 jle short loc_0_50AEE5
_text:0050AEAA
_text:0050AEAA loc_0_50AEAA:
_text:0050AEAA mov edx, [esi+1B0h]
_text:0050AEB0 and edx, 0Fh
_text:0050AEB3 mov cl, [edx+esi+18Ch]
_text:0050AEBA mov dl, [esi+1ACh]
_text:0050AEC0 add cl, dl
_text:0050AEC2 mov dl, [eax+ebx]
_text:0050AEC5 xor dl, cl
_text:0050AEC7 mov [eax+ebx], dl
_text:0050AECA mov ebp, [esi+1B0h]
_text:0050AED0 movsx edx, dl
_text:0050AED3 inc ebp
_text:0050AED4 inc eax
_text:0050AED5 cmp eax, edi
_text:0050AED7 mov [esi+1ACh], edx
_text:0050AEDD mov [esi+1B0h], ebp
_text:0050AEE3 jl short loc_0_50AEAA
_text:0050AEE5
_text:0050AEE5 loc_0_50AEE5:
_text:0050AEE5 pop edi
_text:0050AEE6 pop esi
_text:0050AEE7 pop ebp
_text:0050AEE8 mov eax, 1
_text:0050AEED pop ebx
_text:0050AEEE pop ecx
_text:0050AEEF retn 8
Decryption XORs each received byte with the sum of the previous byte and one byte of MD5Psw (the MD5 of the password): the 16-byte table at [esi+18Ch] is indexed by the running byte counter at [esi+1B0h] masked with 0Fh, and the add is an 8-bit add (add cl, dl), so the sum wraps modulo 256. Note which "previous byte" the code keeps: [esi+1ACh] is written after the xor (movsx edx, dl / mov [esi+1ACh], edx), so the chain value is the previous decrypted byte, not the previous ciphertext byte. Every byte therefore depends on the byte before it, and because the first byte is random, identical content later in the stream encrypts to different ciphertext, i.e.
plaintext byte = ciphertext byte XOR (previous plaintext byte + key byte[counter AND 0Fh])
and, on the sending side,
ciphertext byte = plaintext byte XOR (previous plaintext byte + key byte[counter AND 0Fh])
Both the chain byte and the counter live in the connection object and persist from one call to the next (the caller zeroes them only once, before the 1-, 2- and 4-byte reads), so a captured stream has to be decrypted from its first byte onward, in order, without dropping any byte: one missing byte desynchronises both the chain value and the key index. With this, intercepted traffic can be turned back into plaintext.
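The byte loop above rewritten in Python, as an added example for decrypting a captured stream offline; this is not code from the original post or from the game client. The names PacketCipher, key_from_password and decrypt_in_chunks are my own, the key table is assumed to be md5(password) exactly as the write-up states (what the client actually feeds to MD5 is not visible here), the zeroed starting state follows the caller's reset of [esi+1ACh]..[esi+1B8h], and the sample packet is constructed.

```python
import hashlib


def key_from_password(password: bytes) -> bytes:
    """MD5Psw: the 16-byte table at [esi+18Ch]. The write-up says it is the MD5
    of the password; hashing the raw password bytes directly is an assumption."""
    return hashlib.md5(password).digest()


class PacketCipher:
    """Re-implementation of the loop at loc_0_50AEAA in sub_0_50AE20 (assumed
    name taken from the disassembly; this is not the game's own code).

    key  -> 16-byte table at [esi+18Ch]
    prev -> [esi+1ACh], the previous *output* byte of the xor (starts at 0)
    pos  -> [esi+1B0h], running byte counter; pos & 0Fh selects the key byte
    """

    def __init__(self, key: bytes) -> None:
        if len(key) != 16:
            raise ValueError("key table is 16 bytes (index is masked with 0Fh)")
        self.key = key
        self.prev = 0  # [esi+1ACh]; zeroed by the caller before the first recv
        self.pos = 0   # [esi+1B0h]; zeroed at the same time

    def _keystream_byte(self) -> int:
        # mov cl, [edx+esi+18Ch] ; add cl, dl -- 8-bit add, so it wraps mod 256
        return (self.key[self.pos & 0xF] + self.prev) & 0xFF

    def decrypt(self, data: bytes) -> bytes:
        """Receive side: xor of the buffer, as the client does in place."""
        out = bytearray(len(data))
        for i, c in enumerate(data):
            p = c ^ self._keystream_byte()  # xor dl, cl
            out[i] = p
            # movsx edx, dl / mov [esi+1ACh], edx: the chained byte is the
            # post-xor (plaintext) byte. Only its low 8 bits are ever read
            # back (mov dl, [esi+1ACh]), so the sign extension is irrelevant.
            self.prev = p
            self.pos += 1  # inc ebp / mov [esi+1B0h], ebp
        return bytes(out)

    def encrypt(self, data: bytes) -> bytes:
        """Send side: the inverse. It chains on its own plaintext so that the
        receiver's post-xor byte equals the sender's chain value."""
        out = bytearray(len(data))
        for i, p in enumerate(data):
            out[i] = p ^ self._keystream_byte()
            self.prev = p
            self.pos += 1
        return bytes(out)


def decrypt_in_chunks(key: bytes, stream: bytes, sizes) -> bytes:
    """Decrypt a captured stream the way the caller at loc_0_434C88 consumes it:
    one cipher object per connection, fed piece by piece (1, 2 and 4 bytes,
    then whatever remains). The state carries over between calls."""
    cipher = PacketCipher(key)
    plain = bytearray()
    offset = 0
    for n in sizes:
        plain += cipher.decrypt(stream[offset:offset + n])
        offset += n
    plain += cipher.decrypt(stream[offset:])
    return bytes(plain)


if __name__ == "__main__":
    # Constructed sample: a password and a made-up 11-byte post-login packet.
    key = key_from_password(b"password")
    packet = b"\x05\x00\x00\x00\x07\x00hello"
    wire = PacketCipher(key).encrypt(packet)
    print(wire.hex())
    print(decrypt_in_chunks(key, wire, [1, 2, 4]))
    # Dropping a single byte desynchronises both the chain byte and the key index.
    print(decrypt_in_chunks(key, wire[1:], [1, 2, 4]))
```

With the key table set to bytes 00h..0Fh, encrypting "AAA" gives 41h 03h 02h: the three equal input bytes come out different because each one is masked with the previous plaintext byte plus a different key byte, which is the property the paragraph above describes.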
https://blog.csdn.net/mt4develop/article/details/51250318