我如何调试这个二进制文件(我怀疑它在做加密)?

逆向工程 反汇编 二进制分析 密码学
2021-07-03 23:14:56

我有一段二进制代码,它执行一些加密算法(很可能是修改过的 RC4)。我有四个与加密相关的变量(seed_key_arg [1-3] 和一个 seed_key)和加密的输出数据。很可能我也有一些明文。

我以前从没做过反汇编/逆向分析,所以很难入手。有没有办法用我手头的材料运行这段程序,并尝试解密数据?由于我假设它是流密码,解密用的算法应该和加密相同……

这是 Radare2 的输出,用于显示我正在处理的内容:

/ (fcn) fcn.00000000 380
|   fcn.00000000 (int arg_8h, int arg_ch, int arg_10h, int arg_14h);
|           ; var int local_10ch @ rbp-0x10c
|           ; var int local_8h @ rbp-0x8
|           ; var int local_4h @ rbp-0x4
|           ; arg int arg_8h @ rbp+0x8
|           ; arg int arg_ch @ rbp+0xc
|           ; arg int arg_10h @ rbp+0x10
|           ; arg int arg_14h @ rbp+0x14
|           ; NOTE(review): this is 32-bit (i386) code that r2 decoded as x86-64.
|           ; The frame is built with ebp/esp, all four arguments come from the
|           ; stack (cdecl: [ebp+8]=arg1 .. [ebp+0x14]=arg4), and the bytes
|           ; 40 41 89 02 at 0x4f only make sense as inc eax / inc ecx /
|           ; mov [edx], eax -- read as the 64-bit "mov [r10], eax" the first
|           ; loop could never advance its counter. Re-disassemble with
|           ; `e asm.bits=32`. There is no push ebp before mov ebp, esp, so the
|           ; dump probably starts one byte into the function (leave at the end
|           ; expects one). The r2 "[0x14:4]=..." / "[0x10:4]=..." / "[0xff:4]=..."
|           ; annotations dereference the displacement as a FILE OFFSET of this
|           ; blob (0xff:4 is literally the bytes at 0xff), not the operand; ignore.
|           ; Frame layout: S = 256-byte state table at ebp-0x10c .. ebp-0xd,
|           ; i at ebp-0xc (addressed through ebx), j at ebp-0x8 (local_8h),
|           ; swap temp at ebp-0x4 (local_4h); arg1 = data buffer (encrypted in
|           ; place), arg2 = key (indexed i & 0xf => 16 bytes used), arg3 = byte
|           ; count, arg4 = value S is filled from.
|           ; Algorithm: RC4 with (1) S[i] = (arg4 + i) & 0xff instead of S[i] = i,
|           ; (2) key byte = arg2[i & 0xf], (3) standard PRGA XORed over
|           ; arg1[0 .. arg3-1]. The state never depends on the data, so calling
|           ; this again with the same four arguments on the ciphertext decrypts.
|           0x00000000      89e5           mov ebp, esp ; 32-bit frame setup (no push ebp visible)
|           0x00000002      81ec14010000   sub esp, 0x114 ; locals: S[256] + i, j, tmp
|           0x00000008      8b4514         mov eax, dword [rbp + arg_14h] ; [0x14:4]=0x69007400 ; arg4 = initial fill value for S
|           0x0000000b      89c1           mov ecx, eax ; ecx walks with i in the fill loop below
|           0x0000000d      8d95f4feffff   lea edx, dword [rbp - local_10ch] ; edx = &S[0]
|           0x00000013      b800740069     mov eax, 0x69007400
|           0x00000018      0d73007200     or eax, 0x720073 ; 0x69727473 = "stri" (little-endian)
|           0x0000001d      8902           mov dword [rdx], eax ; S[0..3]
|           0x0000001f      83c204         add edx, 4
|           0x00000022      b800677300     mov eax, 0x736700
|           0x00000027      356e000034     xor eax, 0x3400006e ; 0x3473676e = "ngs4"
|           0x0000002c      8902           mov dword [rdx], eax ; S[4..7]
|           0x0000002e      83c204         add edx, 4
|           0x00000031      b899939e98     mov eax, 0x989e9399
|           0x00000036      f7d0           not eax ; 0x67616c66 = "flag" -> "strings4flag" assembled from split constants
|           0x00000038      8902           mov dword [rdx], eax ; S[8..11]; all 12 bytes are overwritten by the fill loop (dead store / decoy)
|           0x0000003a      31c0           xor eax, eax
|           0x0000003c      81c2fc000000   add edx, 0xfc ; edx = ebp-0x104+0xfc = ebp-0x8 (the j slot, used as counter here)
|           0x00000042      8902           mov dword [rdx], eax ; counter = 0
|       ,=< 0x00000044      eb0d           jmp 0x53 ; for (i = 0; i <= 255; i++) S[i] = cl++
|      .--> 0x00000046      8b02           mov eax, dword [rdx] ; eax = i
|      ||   0x00000048      888c05f4feff.  mov byte [rbp + rax - 0x10c], cl ; S[i] = (arg4 + i) & 0xff  (RC4 proper uses S[i] = i)
|      ||   0x0000004f      40418902       mov dword [r10], eax ; 32-bit decode: inc eax ; inc ecx ; mov [edx], eax  (i++, cl++)
|      ||   ; JMP XREF from 0x00000044 (fcn.00000000)
|      |`-> 0x00000053      813aff000000   cmp dword [rdx], 0xff       ; [0xff:4]=0xb60ff845 ; 255 ; unsigned compare
|      `==< 0x00000059      76eb           jbe 0x46 ; loop while i <= 255
|           0x0000005b      31c0           xor eax, eax
|           0x0000005d      8902           mov dword [rdx], eax ; j = 0  (ebp-0x8)
|           0x0000005f      83ea04         sub edx, 4 ; edx = ebp-0xc
|           0x00000062      8902           mov dword [rdx], eax ; i = 0  (ebp-0xc)
|           0x00000064      53             push rbx ; callee-saved; ebx = &i for the rest of the function
|           0x00000065      89d3           mov ebx, edx
|       ,=< 0x00000067      eb5f           jmp 0xc8 ; KSA: for (i = 0; i <= 255; i++)
|      .--> 0x00000069      8b03           mov eax, dword [rbx] ; eax = i
|      ||   0x0000006b      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c] ; eax = S[i]
|      ||   0x00000073      0fb6c0         movzx eax, al
|      ||   0x00000076      89c2           mov edx, eax
|      ||   0x00000078      0355f8         add edx, dword [rbp - local_8h] ; edx = S[i] + j
|      ||   0x0000007b      8b03           mov eax, dword [rbx]
|      ||   0x0000007d      83e00f         and eax, 0xf ; key index = i & 0xf  (not i % keylen -> key is 16 bytes)
|      ||   0x00000080      03450c         add eax, dword [rbp + arg_ch] ; &arg2[i & 0xf]
|      ||   0x00000083      0fb600         movzx eax, byte [rax] ; key[i & 0xf]
|      ||   0x00000086      0fb6c0         movzx eax, al
|      ||   0x00000089      8d0402         lea eax, dword [rdx + rax] ; S[i] + j + key[i & 0xf]
|      ||   0x0000008c      25ff000000     and eax, 0xff
|      ||   0x00000091      8945f8         mov dword [rbp - local_8h], eax ; j = (j + S[i] + key[i & 0xf]) & 0xff
|      ||   0x00000094      8b03           mov eax, dword [rbx]
|      ||   0x00000096      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c]
|      ||   0x0000009e      0fb6c0         movzx eax, al
|      ||   0x000000a1      8945fc         mov dword [rbp - local_4h], eax ; tmp = S[i]
|      ||   0x000000a4      8b13           mov edx, dword [rbx] ; edx = i
|      ||   0x000000a6      8b45f8         mov eax, dword [rbp - local_8h] ; eax = j
|      ||   0x000000a9      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c] ; S[j]
|      ||   0x000000b1      888415f4feff.  mov byte [rbp + rdx - 0x10c], al ; S[i] = S[j]
|      ||   0x000000b8      8b55f8         mov edx, dword [rbp - local_8h] ; edx = j
|      ||   0x000000bb      8b45fc         mov eax, dword [rbp - local_4h] ; tmp
|      ||   0x000000be      888415f4feff.  mov byte [rbp + rdx - 0x10c], al ; S[j] = tmp  (swap complete)
|      ||   0x000000c5      830301         add dword [rbx], 1 ; i++
|      ||   ; JMP XREF from 0x00000067 (fcn.00000000)
|      |`-> 0x000000c8      813bff000000   cmp dword [rbx], 0xff       ; [0xff:4]=0xb60ff845 ; 255
|      `==< 0x000000ce      7699           jbe 0x69 ; loop while i <= 255
|           0x000000d0      31c0           xor eax, eax
|           0x000000d2      8903           mov dword [rbx], eax ; i = 0
|           0x000000d4      83c304         add ebx, 4 ; ebx = &j
|           0x000000d7      8903           mov dword [rbx], eax ; j = 0
|           0x000000d9      83eb04         sub ebx, 4 ; ebx = &i again
|       ,=< 0x000000dc      e98d000000     jmp 0x16e ; PRGA: while (i < arg3) { ... }
|      .--> 0x000000e1      830301         add dword [rbx], 1 ; i++ first: i runs 1..arg3, data index is i-1
|      ||   0x000000e4      8b03           mov eax, dword [rbx]
|      ||   0x000000e6      25ff000000     and eax, 0xff ; i & 0xff
|      ||   0x000000eb      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c] ; S[i & 0xff]
|      ||   0x000000f3      0fb6c0         movzx eax, al
|      ||   0x000000f6      0345f8         add eax, dword [rbp - local_8h]
|      ||   0x000000f9      25ff000000     and eax, 0xff
|      ||   0x000000fe      8945f8         mov dword [rbp - local_8h], eax ; j = (j + S[i & 0xff]) & 0xff
|      ||   0x00000101      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c] ; S[j]
|      ||   0x00000109      0fb6c0         movzx eax, al
|      ||   0x0000010c      8945fc         mov dword [rbp - local_4h], eax ; tmp = S[j]
|      ||   0x0000010f      8b55f8         mov edx, dword [rbp - local_8h] ; edx = j
|      ||   0x00000112      8b03           mov eax, dword [rbx]
|      ||   0x00000114      25ff000000     and eax, 0xff
|      ||   0x00000119      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c] ; S[i & 0xff]
|      ||   0x00000121      888415f4feff.  mov byte [rbp + rdx - 0x10c], al ; S[j] = S[i & 0xff]
|      ||   0x00000128      8b03           mov eax, dword [rbx]
|      ||   0x0000012a      0fb6d0         movzx edx, al ; edx = i & 0xff
|      ||   0x0000012d      8b45fc         mov eax, dword [rbp - local_4h] ; tmp
|      ||   0x00000130      888415f4feff.  mov byte [rbp + rdx - 0x10c], al ; S[i & 0xff] = tmp  (swap complete)
|      ||   0x00000137      8b03           mov eax, dword [rbx]
|      ||   0x00000139      83e801         sub eax, 1 ; i - 1
|      ||   0x0000013c      89c1           mov ecx, eax
|      ||   0x0000013e      034d08         add ecx, dword [rbp + arg_8h] ; ecx = &arg1[i-1]  (output pointer)
|      ||   0x00000141      8b03           mov eax, dword [rbx]
|      ||   0x00000143      83e801         sub eax, 1
|      ||   0x00000146      034508         add eax, dword [rbp + arg_8h]
|      ||   0x00000149      0fb610         movzx edx, byte [rax] ; edx = arg1[i-1]  (input byte)
|      ||   0x0000014c      8b45f8         mov eax, dword [rbp - local_8h] ; j
|      ||   0x0000014f      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c] ; S[j]  (post-swap: the old S[i])
|      ||   0x00000157      0fb6c0         movzx eax, al
|      ||   0x0000015a      0345fc         add eax, dword [rbp - local_4h] ; + tmp  (post-swap: the old S[j], i.e. new S[i])
|      ||   0x0000015d      25ff000000     and eax, 0xff ; (S[i] + S[j]) & 0xff
|      ||   0x00000162      0fb68405f4fe.  movzx eax, byte [rbp + rax - 0x10c] ; keystream byte K = S[(S[i] + S[j]) & 0xff]
|      ||   0x0000016a      31d0           xor eax, edx ; data ^ K
|      ||   0x0000016c      8801           mov byte [rcx], al ; arg1[i-1] ^= K  (in place; same call decrypts)
|      ||   ; JMP XREF from 0x000000dc (fcn.00000000)
|      |`-> 0x0000016e      8b03           mov eax, dword [rbx] ; eax = i
|      |    0x00000170      3b4510         cmp eax, dword [rbp + arg_10h] ; [0x10:4]=0xb8fffffe ; arg3 = byte count
|      `==< 0x00000173      0f8268ffffff   jb 0xe1 ; unsigned: loop while i < arg3
|           0x00000179      5b             pop rbx ; restore callee-saved
|           0x0000017a      c9             leave ; mov esp, ebp / pop ebp -- pairs with a push ebp not shown in this dump
\           0x0000017b      c3             ret
1个回答

如果你手里有完整的可执行文件,当然可以调试它,我建议用 gdb。不过先注意两点:你贴出的函数用 ebp/esp 建栈、四个参数都从 [ebp+8..0x14] 取,而 0x4f 处的字节 40 41 89 02 只有按 32 位解码(inc eax / inc ecx / mov [edx], eax)第一个循环才能结束,所以这是 32 位 (i386) 代码被当作 x86-64 反汇编了——在 radare2 里用 e asm.bits=32 重新反汇编,在 gdb 里用 set architecture i386;另外该函数从偏移 0 开始、没有 main,如果你拿到的只是一段裸代码块,更直接的做法是照着反汇编用 Python 重写这个 RC4 变体(S 表用 arg4+i 填充、密钥按 key[i & 0xf] 取、输出按字节异或写回),用相同的四个参数再对密文跑一遍即得明文。

$ gdb your_program          # needs a loadable executable; a raw code blob cannot be loaded this way
(gdb) b main                # only if the binary has a main symbol; otherwise break on the function's address
(gdb) r                     # run to the breakpoint, then single-step the cipher loops

我建议你在要分析的函数里设置几个断点,然后用 nexti/stepi 单步跟踪,重点观察 ebp-0x10c 处的 256 字节状态表以及 ebp-0xc、ebp-0x8 处两个下标 i、j 的变化。

你也可以用 strace/ltrace 查看系统调用和库函数调用来了解上下文,但这个函数内部没有任何 call,纯粹是对栈上数据的计算,strace/ltrace 看不到加密过程本身。

GDB 命令速查可参考: http://www.yolinux.com/TUTORIALS/GDB-Commands.html