关于360 hookport.sys模块名加密

2015/10/06 WindowsDriver

关于360 hookport.sys模块名加密

简介

  hookport用于hook nt*,其中会获取竞品模块地址。在ZwQuerySystemInformation => SystemModuleInformation得到模块文件名后,HookPort会将文件名经过加密与预先存储在程序中的加密过的模块名(一个4字节整数)作对比,以下程序可以根据整数求出文件名:

哈希 模块 产品
0x07848DA1 knbdrv.sys 猎豹安全浏览器
0x42503C81 bd0001.sys 百度安全
0x4D71E020 tsfltmgr.sys qq管家
0xB8178767 kisknl.sys 金山毒霸

加密算法汇编源码

/*
 * encode - the module-name hash used by hookport.sys, transcribed from the
 * disassembly (the loc_* labels keep their original addresses).
 *
 * Read as C, the routine is a table-free, reflected (LSB-first) CRC-32:
 *   - the byte count in edi INCLUDES the terminating NUL (the scasb loop
 *     stops only after consuming the zero byte), so "abc" hashes 4 bytes;
 *   - the 32-bit state lives in dh:dl:ch:cl (the low halves of edx and ecx)
 *     and starts as all-ones;
 *   - per byte: state = (state >> 8) ^ T(byte ^ (state & 0xff)), where T()
 *     is computed inline by the 8-step shift/conditional-xor loop with the
 *     constants 0xCE96 (high half) and 0xC6B4 (low half), i.e. the
 *     reflected polynomial 0xCE96C6B4;
 *   - the result is the bitwise NOT of the state, assembled into eax.
 * A 32-bit checksum over a tiny alphabet of short file names gives no real
 * secrecy: preimages are found by the brute-force program below.
 *
 * @param str  NUL-terminated module file name, e.g. "bd0001.sys".
 * @return     32-bit hash (0x42503C81 for "bd0001.sys" per the table above).
 *
 * Naked function: the argument is read from [esp+4]; ebx, esi and edi are
 * overwritten and not restored, so callers must not expect them to survive.
 * The scasb scan runs before the cld, so DF must be clear on entry.
 */
unsigned int __declspec(naked) encode(char* str)
{
	_asm
	{
		mov     esi, [esp+4]        // esi: read cursor for lodsb
		mov     ebx, [esp+4]        // ebx: start of string, for the length
		mov     edi, [esp+4]        // edi: scan cursor for scasb
		xor     al, al              // look for the NUL terminator
loc_17E37:
		scasb
		jnz     short loc_17E37
		sub     edi, ebx            // edi = strlen(str) + 1 (NUL included)
		cld                         // lodsb must walk forwards
		xor     ecx, ecx
		dec     ecx                 // ecx = 0xFFFFFFFF: low half of the state
		mov     edx, ecx            // edx = 0xFFFFFFFF: high half of the state
loc_17E42:
		xor     eax, eax            // --- one input byte per pass ---
		xor     ebx, ebx
		lodsb                       // al = *esi++
		xor     al, cl              // mix with the low state byte
		mov     cl, ch              // shift the 32-bit state right by one byte ...
		mov     ch, dl
		mov     dl, dh
		mov     dh, 8               // ... and reuse dh as the 8-step counter
loc_17E51:
		shr     bx, 1               // --- bx:ax = T(al): 8 shift/xor steps ---
		rcr     ax, 1               // bx:ax >>= 1, CF = bit shifted out of ax
		jnb     short loc_17E62
		xor     ax, 0xC6B4          // polynomial, low half
		xor     bx, 0xCE96          // polynomial, high half
loc_17E62:
		dec     dh
		jnz     short loc_17E51
		xor     ecx, eax            // state ^= T(): low 16 bits into cx ...
		xor     edx, ebx            // ... high 16 bits into dx (dh is 0 here)
		dec     edi
		jnz     short loc_17E42
		not     edx                 // final xor with all-ones
		not     ecx
		mov     eax, edx
		rol     eax, 10h            // eax = dx:(upper half of edx) ...
		mov     ax, cx              // ... then eax = dx:cx
		ret
	}
}

破解哈希算法的C++源码

#include <stdio.h>

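/*
 * Brute-force preimage search for the hookport module-name hash.
 *
 * Enumerates every name of the form <1..7 chars>.sys over the 36-symbol
 * alphabet a-z,0-9 (each position cycles a..z then 0..9 before carrying
 * into the position to its left), hashes it with encode() and prints the
 * first name of each length whose hash equals TARGET. TARGET is the
 * bd0001.sys entry of the table above; change it to recover another entry.
 *
 * The candidate is built right-to-left in n[]: the fixed ".sys" suffix sits
 * at n[11..14], the variable part at n[11-len..10], and n[15] stays 0 as the
 * terminator, so n+11-len is always a NUL-terminated string.
 *
 * Fix vs. the original listing: main() returns int as the standard requires
 * (void main is a Microsoft extension); the unused argc/argv are marked.
 */
int main(int argc, char* argv[])
{
	const unsigned int TARGET = 0x42503C81;	/* bd0001.sys, see the table above */
	char n[16]={0};
	(void)argc;
	(void)argv;
	n[14]='s';
	n[13]='y';
	n[12]='s';
	n[11]='.';
	for(int len=1;len<=7;len++)
	{
		int cf=0;	/* set when the leftmost position carries out: this length is exhausted */
		for(int j=0;j<len;j++)
		{
			n[10-j]='a';	/* reset the variable part to "aaa..." */
		}
		while(!cf)
		{
			unsigned int obj=encode(n+11-len);
			if(obj == TARGET)
			{
				printf("%s\n",n+11-len);
				break;	/* one hit per length, then move on to the next length */
			}
			n[10]++;	/* odometer: advance the rightmost position, carry leftwards */
			for(int j=0;j<len;j++)
			{
				if(n[10-j] > 'z')
				{
					n[10-j]='0';	/* z -> 0: continue with the digits, no carry */
				}
				if(n[10-j] > '9' && n[10-j] < 'a')
				{
					n[10-j] = 'a';	/* 9 -> a and carry into the position to the left */
					if(j!=len-1)
						n[10-j-1]++;
					else
						cf=1;
				}
			}
		}
	}

	getchar();	/* presumably keeps the console window open until a key is pressed */
	return 0;
}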

#include <Ntddk.h>
#include "DriverMonitor.h"
extern "C"
{
        // Definition of the MSVC /GS stack-cookie symbol; presumably supplied
        // here so the driver links without the CRT that normally provides it
        // — confirm against the project's build settings.
        int __security_cookie;
        // Declared by hand but not used anywhere in the code shown.
        extern POBJECT_TYPE *IoDriverObjectType;
        // Hand-written prototypes for kernel exports the included headers do
        // not (apparently) declare. ObReferenceObjectByName is unused below;
        // NtQuerySystemInformation is what GetModuleBase() calls.
        NTSTATUS __stdcall ObReferenceObjectByName(PUNICODE_STRING,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PVOID,PVOID);
        NTSTATUS __stdcall NtQuerySystemInformation (SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG);

};


// DriverUnload callback. DriverEntry below registers nothing and keeps no
// allocation alive past its return, so there is nothing to tear down; the
// routine exists only so the driver can be unloaded at all.
VOID __stdcall unload(PDRIVER_OBJECT DriverObject)
{
        (void)DriverObject;
}

ULONG GetModuleBase(PCHAR modulename);


// Names handed one by one to the tsksp.sys routine called from DriverEntry
// below (presumably candidate module names). The table is empty in the
// published listing: with no elements sizeof(str)/sizeof(str[0]) is 0 and
// that loop never executes. Note that an empty initializer yields a
// zero-length array, which standard C++ rejects — fill the table in, or give
// it an explicit size, before building.
PWCHAR str[]=
{


};

extern "C"
{
        // Driver entry point, variant 1: passes each entry of str[] to a
        // routine inside tsksp.sys and breaks into the debugger whenever that
        // routine returns non-zero (the author treats non-zero as a hit).
        //
        // Base+0xecba is a hard-coded offset into tsksp.sys, valid only for
        // the build the author examined; on any other version the call lands
        // on unrelated code and the machine crashes. The prototype
        // int __stdcall (PWCHAR) is the author's reconstruction. Both
        // __debugbreak() calls crash the system if no kernel debugger is
        // attached. pus (the registry path) is unused.
        NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
        {                

                int ret=0;
                pdr->DriverUnload=unload;
                ULONG Base=GetModuleBase("tsksp.sys");  // 0 when tsksp.sys is not loaded
                if(Base)
                {
                        // sizeof(str)/sizeof(str[0]) is 0 while str[] above is
                        // empty, so this loop body is currently dead code.
                        for(int i=0;i<sizeof(str)/sizeof(str[0]);i++)
                        {
                                ret=((int (__stdcall*)(PWCHAR))(Base+0xecba))(str[i]);
                                if(ret)
                                {
                                        __debugbreak();  // hit: inspect str[i] and ret in the debugger
                                }
                        }
                        ret=0;
                }
                __debugbreak();


                return STATUS_SUCCESS;
        }
};

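// GetModuleBase - image base of a loaded kernel module, looked up by file name.
//
// Snapshots the loaded-module list through
// NtQuerySystemInformation(SystemModuleInformation) and compares the
// file-name part of each entry (FullPathName + OffsetToFileName) with
// modulename, case-insensitively.
//
// @param modulename  NUL-terminated ANSI file name without a path, e.g.
//                    "tsksp.sys".
// @return            ImageBase of the matching module cast to ULONG (this
//                    truncates the pointer on a 64-bit build), or 0 when the
//                    module is not loaded, the pool allocation fails, or the
//                    query fails. If several loaded modules share the file
//                    name, the last one listed wins.
//
// Fixes vs. the original listing: status was read uninitialised when the
// allocation failed (NT_SUCCESS on a garbage value could dereference a NULL
// modules pointer), BaseAddr was initialised with the pointer constant NULL,
// and a signed int index was compared against the ULONG NumberOfModules.
//
// Best effort: the size is probed once, so if modules load between the two
// calls the second query fails with STATUS_INFO_LENGTH_MISMATCH and 0 is
// returned instead of retrying. Allocates from PagedPool, so the caller must
// be at IRQL <= APC_LEVEL (DriverEntry is).
ULONG GetModuleBase(PCHAR modulename)
{
        PVOID Buffer = NULL;
        ULONG ReturnLength = 0;
        NTSTATUS status = STATUS_UNSUCCESSFUL;
        ULONG BaseAddr = 0;

        // Size probe: a zero-length buffer makes the call fail but still
        // reports the required size in ReturnLength.
        NtQuerySystemInformation(SystemModuleInformation,&ReturnLength,0,&ReturnLength);
        if(ReturnLength)
                Buffer = ExAllocatePool(PagedPool,ReturnLength);
        if(Buffer)
                status = NtQuerySystemInformation(SystemModuleInformation,Buffer,ReturnLength,NULL);
        if(NT_SUCCESS(status))
        {
                PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)Buffer;
                for(ULONG i=0;i<modules->NumberOfModules;i++)
                {
                        ULONG offset = modules->Modules[i].OffsetToFileName;
                        // Never read past the fixed-size path field, even if an
                        // entry carries an implausible offset.
                        if(offset >= sizeof(modules->Modules[i].FullPathName))
                                continue;
                        if(!_stricmp((const char*)(modules->Modules[i].FullPathName+offset),modulename))
                        {
                                BaseAddr = (ULONG)modules->Modules[i].ImageBase;
                        }
                }
        }
        if(Buffer)
                ExFreePool(Buffer);   // ExFreePool(NULL) bugchecks, so the guard is needed
        return BaseAddr;
}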
// Driver entry point, variant 2: instead of a fixed str[] table, builds
// wide-char candidates of the form "\<1..7 chars>.dll" in place and hands
// each one to the tsksp.sys routine at Base+0xecba, breaking into the
// debugger on every non-zero return (which the author treats as a hit).
//
// Caveats: Base+0xecba is a hard-coded offset valid only for the tsksp.sys
// build the author examined — on another version the call lands on unrelated
// code and crashes the machine; the prototype int __stdcall (PWCHAR) is the
// author's reconstruction; __debugbreak() crashes the system when no kernel
// debugger is attached. Each position runs through 74 values (see below), so
// the search is 74^len calls per length and runs synchronously inside
// DriverEntry, blocking the load until it finishes. pus is unused.
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
{
	int ret=0;
	pdr->DriverUnload=unload;
	ULONG Base=GetModuleBase("tsksp.sys");	// 0 when tsksp.sys is not loaded
	__debugbreak();	// unconditional stop before the search starts
	if(Base)
	{
		// Candidate layout (WCHAR): n[10-len] = '\\', n[11-len..10] = variable
		// part, n[11..14] = ".dll", n[15] = terminator; n+10-len is the string.
		WCHAR n[16]={0};
		n[14]='l';
		n[13]='l';
		n[12]='d';
		n[11]='.';
		for(int len=1;len<=7;len++)
		{
			int cf=0;	// set when the leftmost position carries out: this length is exhausted
			for(int j=0;j<len;j++)
			{
				n[10-j]='0';
			}
			n[10-len]='\\';
			while(!cf)
			{
				ret=((int (__stdcall*)(PWCHAR))(Base+0xecba))(n+10-len);
				if(ret)
				{
					__debugbreak();	// hit: inspect n and ret in the debugger
				}
				// Odometer increment. Each position takes every code from
				// '0' (0x30) to 'z' (0x7A) — punctuation and upper case
				// included — except '\\', which is skipped (presumably so
				// the name never contains a second path separator).
				n[10]++;
				for(int j=0;j<len;j++)
				{
					if(n[10-j] > 'z')
					{
						n[10-j]='0';
						if(j!=len-1)
							n[10-j-1]++;
						else
							cf=1;
					}
					else if(n[10-j] == '\\')
						n[10-j] = '\\'+1;
				}
			}
		}
	}
	__debugbreak();
	return STATUS_SUCCESS;
}

#include <windows.h>
#include <stdio.h>


/*
 * func - test one candidate module path against the 13 stored digests.
 *
 * data1[] is x86 machine code copied out of the analysed binary (author's
 * note: file offsets 0x19d18~0x1A50D) and executed in place from the stack.
 * Three entry points are used:
 *   +0x00  md5_encrypt_20: context init — the four dword stores at the start
 *          (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476) are the MD5
 *          initial state;
 *   +0x24  md5_encrypt_21: update — register convention as recovered by the
 *          author: eax = byte count, ecx = context, data pointer pushed on
 *          the stack (and also left in esi);
 *   +0xcb  md5_encrypt_22: finalise into the 16-byte buffer pushed on the
 *          stack, with the context in edi.
 * So, assuming the lifted routine is an unmodified MD5, key2 ends up as
 * MD5 over the raw UTF-16LE bytes of path (2*wcslen(path), no terminator).
 *
 * Two fix-ups make the lifted code runnable in this process: the absolute
 * operand of the push at +0xf6 (bytes +0xf7..+0xfa) is pointed at data2, the
 * 0x80,0,0,... block MD5 appends as padding, and the call at +0x122 (rel32
 * at +0x123, relative to the next instruction at +0x127) is retargeted to
 * this process's memset — it is preceded by push 0x58 / push 0 / push edi,
 * i.e. memset(ctx, 0, 0x58), matching the 88-byte key1 context below.
 *
 * Prints "<index> touched :<path>" for every stored digest that matches.
 *
 * Build requirements implied by the code: 32-bit x86 (pointers are stored
 * through long and the bytes are 32-bit code), MSVC inline assembly, and an
 * executable stack — data1 lives on the stack, so this fails under DEP.
 */
void func(wchar_t* path)
{
	unsigned char data1[]={
		0x83,0x60,0x14,0x0,0x83,0x60,0x10,0x0,0xc7,0x0,0x1,0x23,0x45,0x67,0xc7,0x40,0x4,0x89,0xab,0xcd,
		0xef,0xc7,0x40,0x8,0xfe,0xdc,0xba,0x98,0xc7,0x40,0xc,0x76,0x54,0x32,0x10,0xc3,0x55,0x8b,0xec,0x51,
		0x53,0x56,0x8b,0xf1,0x8b,0x4e,0x10,0x8b,0xd8,0x8b,0xc1,0xc1,0xe8,0x3,0x8b,0xd3,0x8d,0xc,0xd9,0xc1,
		0xe2,0x3,0x83,0xe0,0x3f,0x3b,0xca,0x57,0x89,0x4e,0x10,0x73,0x3,0xff,0x46,0x14,0x6a,0x40,0x8b,0xcb,
		0xc1,0xe9,0x1d,0x1,0x4e,0x14,0x5f,0x2b,0xf8,0x3b,0xdf,0x72,0x4b,0x33,0xc9,0x85,0xff,0x76,0x12,0x8d,
		0x44,0x30,0x18,0x8b,0x55,0x8,0x8a,0x14,0x11,0x88,0x14,0x8,0x41,0x3b,0xcf,0x72,0xf2,0x8d,0x4e,0x18,
		0x56,0xe8,0xb0,0x0,0x0,0x0,0x8d,0x47,0x3f,0x3b,0xc3,0x73,0x1f,0x89,0x45,0xfc,0x8b,0x45,0x8,0x8b,
		0x4d,0xfc,0x8d,0x4c,0x8,0xc1,0x56,0xe8,0x96,0x0,0x0,0x0,0x83,0x45,0xfc,0x40,0x83,0xc7,0x40,0x39,
		0x5d,0xfc,0x72,0xe4,0x33,0xc0,0xeb,0x2,0x33,0xff,0x33,0xc9,0x2b,0xdf,0x74,0x14,0x8b,0x55,0x8,0x3,
		0xd7,0x8d,0x74,0x30,0x18,0x8a,0x4,0xa,0x88,0x4,0xe,0x41,0x3b,0xcb,0x72,0xf5,0x5f,0x5e,0x5b,0xc9,
		0xc2,0x4,0x0,0x55,0x8b,0xec,0x51,0x51,0x56,0x6a,0x8,0x8d,0x77,0x10,0x5a,0x8b,0xc6,0x8d,0x4d,0xf8,
		0xe8,0xe3,0x6,0x0,0x0,0x8b,0xe,0xc1,0xe9,0x3,0x6a,0x38,0x58,0x83,0xe1,0x3f,0x3b,0xc8,0x5e,0x72,
		0x3,0x6a,0x78,0x58,0x2b,0xc1,0x68,0xf8,0x5b,0x3,0x0,0x8b,0xcf,0xe8,0x22,0xff,0xff,0xff,0x8d,0x45,
		0xf8,0x50,0x6a,0x8,0x58,0x8b,0xcf,0xe8,0x14,0xff,0xff,0xff,0x8b,0x4d,0x8,0x6a,0x10,0x5a,0x8b,0xc7,
		0xe8,0xa7,0x6,0x0,0x0,0x6a,0x58,0x6a,0x0,0x57,0xe8,0x61,0x28,0x1,0x0,0x83,0xc4,0xc,0xc9,0xc2,
		0x4,0x0,0x55,0x8b,0xec,0x8b,0x45,0x8,0x83,0xec,0x48,0x53,0x56,0x57,0x6a,0x10,0x83,0xc1,0x2,0x8d,
		0x75,0xb8,0x5f,0xf,0xb6,0x59,0xff,0x33,0xd2,0x8a,0x71,0x1,0x8a,0x11,0x83,0xc1,0x4,0xc1,0xe2,0x8,
		0xb,0xd3,0xf,0xb6,0x59,0xfa,0xc1,0xe2,0x8,0xb,0xd3,0x89,0x16,0x83,0xc6,0x4,0x4f,0x75,0xdc,0x8b,
		0x70,0x4,0x8b,0x50,0x8,0x8b,0x48,0xc,0x8b,0x0,0x8b,0xfe,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xde,
		0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xde,0x8d,0x84,0x7,0x78,0xa4,0x6a,0xd7,0xc1,0xc0,0x7,0x3,0xc6,0x23,
		0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0x56,0xb7,0xc7,0xe8,0xc1,
		0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8b,
		0xd9,0x8d,0x94,0x17,0xdb,0x70,0x20,0x24,0xc1,0xca,0xf,0x3,0xd1,0x23,0xda,0x8b,0xfa,0xf7,0xd7,0x23,
		0xf8,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0xb4,0x37,0xee,0xce,0xbd,0xc1,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,
		0xfc,0x8b,0xfa,0x23,0x7d,0xfc,0xf7,0xd6,0x23,0xf1,0xb,0xf7,0x3,0x75,0xc8,0x8d,0x84,0x6,0xaf,0xf,
		0x7c,0xf5,0x8b,0x75,0xfc,0xc1,0xc0,0x7,0x3,0xc6,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0x8b,0xde,0x23,0xd8,
		0xb,0xfb,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x2a,0xc6,0x87,0x47,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,
		0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd0,0x8b,0xd9,0x8d,0x94,0x17,0x13,0x46,0x30,
		0xa8,0xc1,0xca,0xf,0x3,0xd1,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0x23,0xda,0xb,0xfb,0x3,0x7d,0xd4,0x8d,
		0xb4,0x37,0x1,0x95,0x46,0xfd,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,
		0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,0xd8,0x8d,0x84,0x6,0xd8,0x98,0x80,0x69,0x8b,0x75,0xfc,0x8b,0xde,
		0xc1,0xc0,0x7,0x3,0xc6,0x23,0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xdc,0x8d,0x8c,
		0xf,0xaf,0xf7,0x44,0x8b,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,
		0xb,0xfb,0x3,0x7d,0xe0,0x8b,0xd9,0x8d,0x94,0x17,0xb1,0x5b,0xff,0xff,0xc1,0xca,0xf,0x3,0xd1,0x23,
		0xda,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0xb4,0x37,0xbe,0xd7,0x5c,0x89,0xc1,
		0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,
		0xe8,0x8b,0x7d,0xfc,0x8d,0x84,0x6,0x22,0x11,0x90,0x6b,0xc1,0xc0,0x7,0x3,0x45,0xfc,0x23,0xf8,0x8b,
		0xf0,0xf7,0xd6,0x23,0xf2,0xb,0xf7,0x3,0x75,0xec,0x8d,0x8c,0xe,0x93,0x71,0x98,0xfd,0xc1,0xc1,0xc,
		0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x8b,0xf7,0x23,0x75,0xfc,0x8b,0xd9,0x23,0xd8,0xb,0xf3,0x3,0x75,0xf0,
		0x8b,0xd9,0x8d,0x94,0x16,0x8e,0x43,0x79,0xa6,0xc1,0xca,0xf,0x3,0xd1,0x89,0x55,0xf8,0xf7,0x55,0xf8,
		0x8b,0x75,0xf8,0x23,0xf0,0x23,0xfa,0x23,0xda,0xb,0xf3,0x3,0x75,0xf4,0x8b,0x5d,0xfc,0x8d,0xb4,0x1e,
		0x21,0x8,0xb4,0x49,0xc1,0xce,0xa,0x3,0xf2,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xbc,0x8b,0xda,
		0x8d,0x84,0x7,0x62,0x25,0x1e,0xf6,0x8b,0x7d,0xf8,0x23,0xfe,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0xb,
		0xfb,0x3,0x7d,0xd0,0x8d,0x8c,0xf,0x40,0xb3,0x40,0xc0,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,
		0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x51,0x5a,0x5e,0x26,0xc1,0xc2,
		0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xd9,
		0x8d,0xb4,0x37,0xaa,0xc7,0xb6,0xe9,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,
		0xb,0xfb,0x3,0x7d,0xcc,0x8b,0xda,0x8d,0x84,0x7,0x5d,0x10,0x2f,0xd6,0xc1,0xc0,0x5,0x3,0xc6,0x8b,
		0xfa,0xf7,0xd7,0x23,0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xe0,0x8d,0x8c,0xf,0x53,0x14,0x44,0x2,0xc1,
		0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xf4,0x8d,
		0x94,0x17,0x81,0xe6,0xa1,0xd8,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,
		0xd8,0xb,0xfb,0x3,0x7d,0xc8,0x8d,0xb4,0x37,0xc8,0xfb,0xd3,0xe7,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,
		0xf7,0xd7,0x23,0xfa,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xdc,0x8b,0xda,0x8d,0x84,0x7,0xe6,0xcd,
		0xe1,0x21,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0x8b,0xfa,0xf7,0xd7,0x23,0xfe,0xb,0xfb,0x3,0x7d,0xf0,
		0x8d,0x8c,0xf,0xd6,0x7,0x37,0xc3,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,
		0x23,0xde,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x87,0xd,0xd5,0xf4,0xc1,0xc2,0xe,0x3,0xd1,0x8b,
		0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd8,0x8b,0xd9,0x8d,0xb4,0x37,0xed,
		0x14,0x5a,0x45,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,
		0xec,0x8b,0xda,0x8d,0x84,0x7,0x5,0xe9,0xe3,0xa9,0xc1,0xc0,0x5,0x3,0xc6,0x8b,0xfa,0xf7,0xd7,0x23,
		0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0xf8,0xa3,0xef,0xfc,0xc1,0xc1,0x9,0x3,0xc8,
		0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xd4,0x8d,0x94,0x17,0xd9,0x2,
		0x6f,0x67,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,0xd8,0xb,0xfb,0x3,
		0x7d,0xe8,0x8d,0xb4,0x37,0x8a,0x4c,0x2a,0x8d,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,0x33,0xfa,0x33,0xfe,
		0x3,0x7d,0xcc,0x8d,0x84,0x7,0x42,0x39,0xfa,0xff,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,0xfe,0x33,
		0xf8,0x3,0x7d,0xd8,0x8d,0x8c,0xf,0x81,0xf6,0x71,0x87,0xc1,0xc1,0xb,0x3,0xc8,0x8b,0xf9,0x33,0xfe,
		0x33,0xf8,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x22,0x61,0x9d,0x6d,0xc1,0xc2,0x10,0x3,0xd1,0x8b,0xf9,0x33,
		0xfa,0x8b,0xdf,0x33,0xd8,0x3,0x5d,0xf0,0x8d,0xb4,0x33,0xc,0x38,0xe5,0xfd,0xc1,0xce,0x9,0x3,0xf2,
		0x33,0xfe,0x3,0x7d,0xbc,0x8d,0x84,0x7,0x44,0xea,0xbe,0xa4,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,
		0xfe,0x33,0xf8,0x3,0x7d,0xc8,0x8d,0xbc,0xf,0xa9,0xcf,0xde,0x4b,0xc1,0xc7,0xb,0x3,0xf8,0x8b,0xcf,
		0x33,0xce,0x33,0xc8,0x3,0x4d,0xd4,0x8b,0xdf,0x8d,0x94,0x11,0x60,0x4b,0xbb,0xf6,0xc1,0xc2,0x10,0x3,
		0xd7,0x33,0xda,0x8b,0xcb,0x33,0xc8,0x3,0x4d,0xe0,0x8d,0x8c,0x31,0x70,0xbc,0xbf,0xbe,0xc1,0xc9,0x9,
		0x3,0xca,0x33,0xd9,0x3,0x5d,0xec,0x8b,0xf2,0x8d,0x84,0x3,0xc6,0x7e,0x9b,0x28,0x33,0xf1,0xc1,0xc0,
		0x4,0x3,0xc1,0x33,0xf0,0x3,0x75,0xb8,0x8d,0xb4,0x3e,0xfa,0x27,0xa1,0xea,0xc1,0xc6,0xb,0x3,0xf0,
		0x8b,0xfe,0x33,0xf9,0x33,0xf8,0x3,0x7d,0xc4,0x8d,0xbc,0x17,0x85,0x30,0xef,0xd4,0xc1,0xc7,0x10,0x3,
		0xfe,0x8b,0xd6,0x33,0xd7,0x8b,0xda,0x33,0xd8,0x3,0x5d,0xd0,0x8d,0x8c,0xb,0x5,0x1d,0x88,0x4,0xc1,
		0xc9,0x9,0x3,0xcf,0x33,0xd1,0x3,0x55,0xdc,0x8d,0x84,0x2,0x39,0xd0,0xd4,0xd9,0x8b,0xd7,0x33,0xd1,
		0xc1,0xc0,0x4,0x3,0xc1,0x33,0xd0,0x3,0x55,0xe8,0x8d,0x94,0x32,0xe5,0x99,0xdb,0xe6,0xc1,0xc2,0xb,
		0x3,0xd0,0x8b,0xf2,0x33,0xf1,0x33,0xf0,0x3,0x75,0xf4,0x8d,0xb4,0x3e,0xf8,0x7c,0xa2,0x1f,0xc1,0xc6,
		0x10,0x3,0xf2,0x8b,0xfa,0x33,0xfe,0x33,0xf8,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0x65,0x56,0xac,0xc4,0xc1,
		0xc9,0x9,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xb8,0x8d,0x84,0x7,0x44,0x22,
		0x29,0xf4,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xd4,0x8d,0x94,
		0x17,0x97,0xff,0x2a,0x43,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xf9,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,
		0xf0,0x8d,0xb4,0x37,0xa7,0x23,0x94,0xab,0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,
		0xfa,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x39,0xa0,0x93,0xfc,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,
		0xb,0xf9,0x33,0xfe,0x3,0x7d,0xe8,0x8d,0x84,0x7,0xc3,0x59,0x5b,0x65,0xc1,0xc0,0x6,0x3,0xc1,0x8b,
		0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x92,0xcc,0xc,0x8f,0xc1,0xc2,0xa,
		0x8b,0xf9,0x3,0xd0,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,0xe0,0x8d,0xb4,0x37,0x7d,0xf4,0xef,0xff,
		0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0xd1,
		0x5d,0x84,0x85,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xd8,0x8d,
		0x84,0x7,0x4f,0x7e,0xa8,0x6f,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,
		0x7d,0xf4,0x8d,0x94,0x17,0xe0,0xe6,0x2c,0xfe,0x8b,0xf9,0xc1,0xc2,0xa,0x3,0xd0,0xf7,0xd7,0xb,0xfa,
		0x33,0xf8,0x3,0x7d,0xd0,0x8d,0xb4,0x37,0x14,0x43,0x1,0xa3,0x8b,0xf8,0xc1,0xc6,0xf,0x3,0xf2,0xf7,
		0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xec,0x8d,0xbc,0xf,0xa1,0x11,0x8,0x4e,0xc1,0xcf,0xb,0x3,0xfe,
		0x8b,0xca,0xf7,0xd1,0xb,0xcf,0x33,0xce,0x3,0x4d,0xc8,0x8d,0x84,0x1,0x82,0x7e,0x53,0xf7,0xc1,0xc0,
		0x6,0x3,0xc7,0x8b,0xce,0xf7,0xd1,0xb,0xc8,0x33,0xcf,0x3,0x4d,0xe4,0x8d,0x94,0x11,0x35,0xf2,0x3a,
		0xbd,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xcf,0xf7,0xd1,0xb,0xca,0x33,0xc8,0x3,0x4d,0xc0,0x8d,0xb4,0x31,
		0xbb,0xd2,0xd7,0x2a,0x8b,0x4d,0x8,0x8b,0x19,0x3,0xd8,0xf7,0xd0,0xc1,0xc6,0xf,0x3,0xf2,0xb,0xc6,
		0x33,0xc2,0x3,0x45,0xdc,0x89,0x19,0x8d,0x84,0x38,0x91,0xd3,0x86,0xeb,0xc1,0xc8,0xb,0x3,0x41,0x4,
		0x3,0xc6,0x89,0x41,0x4,0x8b,0x41,0x8,0x3,0xc6,0x89,0x41,0x8,0x8b,0x41,0xc,0x5f,0x3,0xc2,0x5e,
		0x89,0x41,0xc,0x5b,0xc9,0xc2,0x4,0x0,0x85,0xd2,0x76,0x2c,0x56,0x8d,0x72,0xff,0xc1,0xee,0x2,0x41,
		0x83,0xc0,0x2,0x46,0x8a,0x50,0xfe,0x88,0x51,0xff,0x8a,0x50,0xff,0x88,0x11,0x8a,0x10,0x88,0x51,0x1,
		0x8a,0x50,0x1,0x88,0x51,0x2,0x83,0xc0,0x4,0x83,0xc1,0x4,0x4e,0x75,0xe1,0x5e,0xc3
	};//0x19d18~0x1A50D
	/* Entry points into the lifted code (see header comment). */
	unsigned char* md5_encrypt_20=data1;
	unsigned char* md5_encrypt_21=data1+0x24;
	unsigned char* md5_encrypt_22=data1+0xcb;

	/* MD5 padding block: a single 0x80 followed by zeros. */
	unsigned char data2[64]={0x80,0};
	/* Fix-up 1: absolute address operand of the push at +0xf6 -> data2. */
	*(long*)(data1+0xf7)=(long)data2;
	/* Fix-up 2: rel32 of the call at +0x122 -> memset (relative to +0x127). */
	*(long*)(data1+0x123)=(long)memset-(long)(data1+0x127);

	/* The 13 digests a candidate is compared against (origin not shown here). */
	unsigned char md5_data[][16]={
		{0x15,0xd1,0x26,0xd0,0xa5,0xa3,0x64,0xe3,0x1b,0x58,0x4,0xe5,0x8,0x5f,0x3,0x9,	  },
		{0x61,0xf7,0xd,0x82,0x48,0x54,0xe8,0x77,0xc2,0x38,0x84,0x50,0xfe,0x3a,0xe3,0xd2,  },
		{0x88,0x9b,0xa2,0x4e,0x4a,0xfb,0xd6,0x9b,0x32,0x73,0xfe,0xda,0x3a,0x4e,0x4d,0xe8, },
		{0x74,0x8a,0xc3,0x52,0x68,0x3e,0x1e,0x7,0x0,0x53,0xe9,0x9b,0xb9,0xc1,0x3f,0x28,	  },
		{0xd9,0xab,0xea,0xfe,0x1f,0x7f,0x4b,0x5c,0x63,0x94,0x8e,0x5d,0x13,0xf2,0x53,0xbf, },
		{0xc9,0xae,0xea,0x20,0x18,0xe8,0x3d,0x49,0xa6,0x11,0x7c,0xb1,0xd8,0xac,0x31,0x94, },
		{0xa4,0x56,0x73,0xf7,0x14,0xb4,0xf6,0x58,0x25,0x85,0x5c,0x32,0xee,0x9c,0x82,0x27, },
		{0x31,0x26,0x22,0x9a,0xd6,0xfc,0x81,0x4e,0x8e,0x9e,0xaf,0x9,0xaf,0x4b,0x94,0x9e,  },
		{0xcc,0xba,0xc4,0x42,0xfc,0x59,0xe5,0x32,0x40,0x21,0xd2,0x6b,0x30,0xb4,0x52,0xe3, },
		{0x20,0x77,0xbb,0xcd,0x70,0x80,0xde,0xf0,0x2b,0x5c,0x78,0x3c,0x47,0xcf,0xc3,0xf9, },
		{0x3,0xe,0xd0,0xc9,0xaa,0x3d,0xb,0xc6,0x57,0x9f,0x75,0x94,0x72,0xfc,0x53,0x15,	  },
		{0x90,0x6c,0xb1,0xc1,0x13,0xef,0x25,0xeb,0x4,0x0,0x26,0xa1,0x4,0xba,0xc8,0xda,	  },
		{0x1b,0x66,0x98,0xcf,0xbe,0x9d,0xf1,0x89,0xe4,0x5a,0xa5,0xd8,0x1f,0xda,0xd7,0x97, },
	};
	const int max=sizeof(md5_data)/sizeof(md5_data[0]);

	unsigned char key1[88]={0};	/* hash context, 0x58 bytes (matches the memset size in the lifted code) */
	unsigned char key2[16]={0};	/* resulting digest */
	int len=2*wcslen(path);		/* byte length of the UTF-16 string, terminator excluded */
	_asm
	{
		lea eax,key1;				// init(ctx)
		call md5_encrypt_20;
		mov eax,len;				// update(ctx, path, len): eax = len, ecx = ctx, data on stack
		lea ecx,key1;
		mov esi,path;
		push esi;
		call md5_encrypt_21;
		lea eax,key2;				// final(ctx -> key2): digest pointer on stack, edi = ctx
		push eax;
		lea edi,key1;
		call md5_encrypt_22;
	}
	for(int i=0;i<max;i++)
	{
		if(!memcmp(md5_data[i],key2,16))
		{
			printf("%d touched :%ws\n",i,path);
		}
	}
}



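/*
 * Brute-force driver for func(): enumerates candidate module names of
 * length 1..7 and tests each one with both a ".dll" and an ".exe" suffix.
 *
 * Candidate layout (wchar_t): variable part at n[11-len..10], suffix at
 * n[11..14], n[15] stays 0 as the terminator, so n+11-len is the string.
 * Each position runs through every code from '0' (0x30) to 'z' (0x7A) —
 * punctuation and upper case included — except '\\', which is skipped,
 * giving 74 values per position and 74^len candidates per length (times
 * two suffixes). This alphabet differs from the a-z,0-9 one used by the
 * .sys search earlier on this page.
 *
 * Fix vs. the original listing: main() returns int as the standard requires
 * (void main is a Microsoft extension).
 */
int main(void)
{
	wchar_t n[16]={0};
	for(int len=1;len<=7;len++)
	{
		int cf=0;	/* set when the leftmost position carries out: this length is exhausted */
		for(int j=0;j<len;j++)
		{
			n[10-j]='0';	/* start the variable part at "000..." */
		}
		while(!cf)
		{
			/* same stem with the ".dll" suffix ... */
			n[14]='l';
			n[13]='l';
			n[12]='d';
			n[11]='.';
			func(n+11-len);
			/* ... and with the ".exe" suffix */
			n[14]='e';
			n[13]='x';
			n[12]='e';
			n[11]='.';
			func(n+11-len);
			n[10]++;	/* odometer: advance the rightmost position, carry leftwards */
			for(int j=0;j<len;j++)
			{
				if(n[10-j] > 'z')
				{
					n[10-j]='0';	/* wrap and carry into the position to the left */
					if(j!=len-1)
						n[10-j-1]++;
					else
						cf=1;
				}
				else if(n[10-j] == '\\')
					n[10-j] = '\\'+1;	/* never emit a path separator inside the name */
			}
		}
	}
	return 0;
}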
