Created
November 7, 2022 06:46
| /* | |
| sub_4220B0 | |
| Runtime (dynamic) string decryption demo | |
| */ | |
| #include <iostream> | |
| #include <windows.h> | |
| #include <memory> | |
| #include <format> | |
| #include <cstdint> | |
| using namespace std; | |
/**
 * Decodes one byte of the obfuscated string. Per the file header, this is the
 * per-byte routine taken from sub_4220B0, kept as assembly.
 *
 * The function is declared naked, so the compiler emits no prologue/epilogue
 * and the body builds and tears down the frame itself. The [esp+8]/[esp+0xC]
 * operand offsets presume a 32-bit x86 build with both arguments passed on the
 * stack (MSVC inline __asm is x86-only).
 *
 * @param encrypt_char  encrypted byte
 * @param i             index of that byte within the string
 * @return decoded byte in AL. The instruction sequence computes, modulo 256,
 *         i ^ ((i ^ (i + ((0x67 - (i ^ ~(i + encrypt_char))) ^ 0x62)) ^ 0xB7) - 2*i + 1),
 *         which is the same expression main() evaluates inline.
 */
__declspec(naked) uint8_t decrypt(uint8_t encrypt_char,uint8_t i) {
    __asm {
        push ebp            // manual prologue (naked function)
        mov ebp,esp
        mov al,[esp+8]      // al = encrypt_char (saved ebp at +0, return address at +4)
        mov dl,[esp+0xC]    // dl = i
        mov cl,67h          // cl = 0x67 (103)
        add al,dl           // al = encrypt_char + i
        not al              // al = ~(encrypt_char + i)
        xor al,dl           // al = i ^ ~(encrypt_char + i)
        sub cl,al           // cl = 0x67 - al
        mov al,dl           // al = i (reused below to form 2*i)
        xor cl,62h          // cl ^= 0x62
        add al,al           // al = 2*i
        add cl,dl           // cl += i
        xor cl,dl           // cl ^= i
        xor cl,0B7h         // cl ^= 0xB7
        sub cl,al           // cl -= 2*i
        inc cl              // cl += 1
        xor cl,dl           // cl ^= i  -> decoded byte
        mov al,cl           // return value goes in al
        mov esp,ebp         // manual epilogue
        pop ebp
        ret
    }
}
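/**
 * Decodes the obfuscated API name recovered from sub_4220B0 and prints it.
 *
 * With the ciphertext below the decoder yields "VirtualProtect" followed by a
 * NUL byte. A name decoded only at run time does not appear in a static
 * strings or import listing of the sample, so re-implementing the decoder, as
 * done here, is how the analyst recovers it.
 *
 * @return 0 always.
 */
int main(int argc, char* argv[]) {
    // Ciphertext in memory order. The decompiled code stored it as the
    // little-endian immediates noted on each row, written through
    // uint32_t*/uint16_t* casts of a char array; listing the bytes directly
    // avoids those unaligned, type-punned stores and any dependence on host
    // byte order.
    static const uint8_t kEncrypted[15] = {
        0x18, 0x54, 0x3A, 0x39,   // 0x393A5418
        0x35, 0x50, 0x6C, 0x39,   // 0x396C5035
        0xE4, 0x2A, 0xC8, 0xDA,   // 0xDAC82AE4
        0xDB, 0x0F,               // 0x0FDB
        0x68                      // 0x68
    };

    // One extra zero-initialised element: the buffer stays NUL-terminated for
    // the stream insertion below even if the ciphertext is edited so that its
    // last byte no longer decodes to '\0'.
    char ProcName[sizeof kEncrypted + 1]{};

    // The two decoders are alternatives, so they are made mutually exclusive.
    // In the original layout, enabling the disabled loop would have let the
    // second loop run once more with v25 == 15, writing past the buffer.
#if 0
    // At first I thought the F5 (decompiler) output was wrong, so I wrote out
    // the decryption algorithm from the assembly myself.
    for (uint32_t v25 = 0; v25 < sizeof kEncrypted; ++v25) {
        ProcName[v25] = static_cast<char>(
            decrypt(kEncrypted[v25], static_cast<uint8_t>(v25)));
    }
#else
    // Have to say, IDA's F5 is really impressive.
    // The expression is the decompiler output kept verbatim; only the low
    // 8 bits of the 32-bit result are stored.
    for (uint32_t v25 = 0; v25 < sizeof kEncrypted; ++v25) {
        ProcName[v25] = static_cast<char>(
            v25 ^ ((v25 ^ (v25 + ((103 - (v25 ^ ~(v25 + kEncrypted[v25]))) ^ 0x62)) ^ 0xB7) - 2 * v25 + 1));
    }
#endif

    std::wcout << "Api : " << ProcName << std::endl;
    return 0;
}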