题中出现的相关base64解码,对照如下:
"R2V0UHJvY0FkZHJlc3M=" GetProcAddress
"TG9hZExpYnJhcnlB" LoadLibraryA
"VXNlcjMyLmRsbA==" User32.dll
"bXN2Y3J0LmRsbA==" msvcrt.dll
"c2hsd2FwaS5kbGw=" shlwapi.dll
"cHJpbnRm" printf
"TWVzc2FnZUJveEE=" MessageBoxA
"RmFpbCE=" Fail!
"U3VjY2VzcyE=" Success!
"S2V5IE9LIQ==" Key OK!
"S2V5IHdyb25nIQ==" Key wrong!
V0hAdCFGbGFnPSg= WH@t!Flag=(
AAhBQkNERUZHSA== ABCDEFGH(解码后前面还有 0x00、0x08 两个不可打印字节)
Q1RHTU5TUUdUKQ== CTGMNSQGT)
QUJDREVGRw== ABCDEFG
QUIyNDFBQw== AB241AC
....U3RyQ21wVw== StrCmpW
....U3RyQ3B5Vw== StrCpyW
下面是函数所有代码以及注释
; Entry of the analysed routine (OllyDbg listing, 32-bit x86, Intel syntax).
; Builds an EBP frame, links an SEH registration record into fs:[0] and stores
; an EBP-xored cookie in [local.5]; the exit path at 00261C87 undoes both.
; NOTE(review): [arg.1]/[arg.2] are later used like argc/argv, so this is
; presumably main() - confirm against the caller.
00261530 /$ push ebp
00261531 |. mov ebp,esp
00261533 |. push -0x1 ; [ebp-0x4] = -1 (same slot as [local.1]; presumably the EH state index)
00261535 |. push jbwj.00262DBA ; [ebp-0x8] = handler address for the SEH record
0026153A |.>mov eax,dword ptr fs:[0] ; current head of the thread's SEH chain
00261540 |. push eax ; [ebp-0xC] = previous record, completing {prev, handler}
00261541 |. sub esp,0x53C ; reserve 0x53C bytes for locals
00261547 |. mov eax,dword ptr ds:[0x264004] ; presumably the /GS security cookie - confirm
0026154C |. xor eax,ebp ; bind the value to this frame
0026154E |. mov [local.5],eax ; saved copy, xored back and checked before retn
00261551 |. push eax
00261552 |. lea eax,[local.3] ; address of the record built above (ebp-0xC)
00261555 |.>mov dword ptr fs:[0],eax ; install it as the new SEH chain head
; Local initialisation. Four 260-byte stack buffers are prepared:
;   [local.303] (ebp-0x4BC): first byte cleared, remaining 0x103 bytes memset to 0
;   [local.159] (ebp-0x27C): 17 bytes copied from 0x263158, remaining 0xF3 zeroed
;   [local.233] (ebp-0x3A4): 17 bytes copied from 0x26316C, remaining 0xF3 zeroed
;   [local.91]  (ebp-0x16C): 13 bytes copied from 0x263180, remaining 0xF7 zeroed
; Later annotations in this listing identify the three copied constants as the
; base64 strings "V0hAdCFGbGFnPSg=", "Q1RHTU5TUUdUKQ==" and (by its decoded
; form AB241AC) "QUIyNDFBQw==". The "s = ..." operand values are debugger
; run-time annotations, not part of the code.
0026155B |.>mov [local.161],0x0
00261565 |.>mov [local.24],0x0 ; later receives the msvcrt.dll handle
0026156C |.>mov [local.165],0x0 ; later receives the printf pointer
00261576 |.>mov [local.160],0x0 ; later receives the shlwapi.dll handle
00261580 |.>mov byte ptr ss:[ebp-0x4BC],0x0 ; first byte of the [local.303] work buffer
00261587 |. push 0x103 ; /n = 103 (259.)
0026158C |. push 0x0 ; |c = 00
0026158E |. lea eax,dword ptr ss:[ebp-0x4BB] ; |
00261594 |. push eax ; |s = NULL
00261595 |. call <jmp.&MSVCR90.memset> ; \memset
0026159A |. add esp,0xC
0026159D |. mov ecx,dword ptr ds:[0x263158] ; bytes 0..3 of the first encoded constant
002615A3 |. mov [local.159],ecx
002615A9 |. mov edx,dword ptr ds:[0x26315C] ; bytes 4..7
002615AF |. mov [local.158],edx
002615B5 |. mov eax,dword ptr ds:[0x263160] ; bytes 8..11
002615BA |. mov [local.157],eax
002615C0 |. mov ecx,dword ptr ds:[0x263164] ; bytes 12..15
002615C6 |. mov [local.156],ecx
002615CC |. mov dl,byte ptr ds:[0x263168] ; 17th byte (the terminator of a 16-char string)
002615D2 |. mov byte ptr ss:[ebp-0x26C],dl
002615D8 |. push 0xF3 ; /n = F3 (243.)
002615DD |. push 0x0 ; |c = 00
002615DF |. lea eax,dword ptr ss:[ebp-0x26B] ; |
002615E5 |. push eax ; |s = NULL
002615E6 |. call <jmp.&MSVCR90.memset> ; \memset
002615EB |. add esp,0xC
002615EE |. mov ecx,dword ptr ds:[0x26316C] ; bytes 0..3 of the second encoded constant
002615F4 |. mov [local.233],ecx
002615FA |. mov edx,dword ptr ds:[0x263170] ; bytes 4..7
00261600 |. mov [local.232],edx
00261606 |. mov eax,dword ptr ds:[0x263174] ; bytes 8..11
0026160B |. mov [local.231],eax
00261611 |. mov ecx,dword ptr ds:[0x263178] ; bytes 12..15
00261617 |. mov [local.230],ecx
0026161D |. mov dl,byte ptr ds:[0x26317C] ; 17th byte
00261623 |. mov byte ptr ss:[ebp-0x394],dl
00261629 |. push 0xF3 ; /n = F3 (243.)
0026162E |. push 0x0 ; |c = 00
00261630 |. lea eax,dword ptr ss:[ebp-0x393] ; |
00261636 |. push eax ; |s = NULL
00261637 |. call <jmp.&MSVCR90.memset> ; \memset
0026163C |. add esp,0xC
0026163F |. mov ecx,dword ptr ds:[0x263180] ; bytes 0..3 of the third encoded constant
00261645 |. mov [local.91],ecx
0026164B |. mov edx,dword ptr ds:[0x263184] ; bytes 4..7
00261651 |. mov [local.90],edx
00261657 |. mov eax,dword ptr ds:[0x263188] ; bytes 8..11
0026165C |. mov [local.89],eax
00261662 |. mov cl,byte ptr ds:[0x26318C] ; 13th byte (the terminator of a 12-char string)
00261668 |. mov byte ptr ss:[ebp-0x160],cl
0026166E |. push 0xF7 ; /n = F7 (247.)
00261673 |. push 0x0 ; |c = 00
00261675 |. lea edx,dword ptr ss:[ebp-0x15F] ; |
0026167B |. push edx ; |s = 00683020
0026167C |. call <jmp.&MSVCR90.memset> ; \memset
00261681 |. add esp,0xC
; Pointers to the base64-encoded API, DLL and message names are stored in
; locals; the decoded form is given after "->". Because the names exist only
; in encoded form and the APIs are resolved at run time, they appear neither
; in the import table nor in a plain strings dump - decode base64-looking
; constants when triaging a sample like this.
; Where OllyDbg printed the first character as a hex byte (ASCII 52,"..."),
; the full string is written out here.
00261684 |.>mov [local.22],jbwj.00263190 ; ASCII "R2V0UHJvY0FkZHJlc3M=" -> GetProcAddress
0026168B |.>mov [local.164],jbwj.002631A8 ; ASCII "TG9hZExpYnJhcnlB" -> LoadLibraryA
00261695 |.>mov [local.4],jbwj.002631BC ; ASCII "VXNlcjMyLmRsbA==" -> User32.dll
0026169C |.>mov [local.235],jbwj.002631D0 ; ASCII "bXN2Y3J0LmRsbA==" -> msvcrt.dll
002616A6 |.>mov [local.163],jbwj.002631E4 ; ASCII "c2hsd2FwaS5kbGw=" -> shlwapi.dll
002616B0 |.>mov [local.237],jbwj.002631F8 ; ASCII "cHJpbnRm" -> printf
002616BA |.>mov [local.14],jbwj.00263204 ; ASCII "TWVzc2FnZUJveEE=" -> MessageBoxA
002616C1 |.>mov [local.92],jbwj.00263218 ; ASCII "RmFpbCE=" -> Fail!
002616CB |.>mov [local.13],jbwj.00263224 ; ASCII "U3VjY2VzcyE=" -> Success!
002616D2 |.>mov [local.166],jbwj.00263234 ; ASCII "S2V5IE9LIQ==" -> Key OK!
002616DC |.>mov [local.162],jbwj.00263244 ; ASCII "S2V5IHdyb25nIQ==" -> Key wrong!
002616E6 |.>mov dword ptr ds:[0x26438C],0x0 ; global: later holds the kernel32 base
002616F0 |.>mov dword ptr ds:[0x264388],0x0 ; global: later holds the User32.dll handle
002616FA |.>mov dword ptr ds:[0x264384],0x0 ; global: later holds the LoadLibraryA pointer
; Run-time resolution of modules and APIs from the encoded names. The helper
; bodies (00261CA0, 00261E20, 002620F0, 00261FD0, 002622D0) are not part of
; this listing; their roles below are inferred from the arguments and from the
; debugger's value annotations and should be confirmed:
;   00261CA0(0, &[local.161])               -> kernel32 base (annotated kernel32.74FE0000)
;   00261E20(encName, [local.161], kernel32) -> stored at 0x264380 (name: GetProcAddress)
;   002620F0(encName, module)               -> address of the named export
;   00261FD0(encDllName)                    -> handle of the named DLL
;   002622D0(encMessage, printfPtr)         -> presumably decodes and prints the message
; Every failure leaves with eax = -1 through the common exit at 00261C87.
00261704 |. lea eax,[local.161] ; out-parameter for 00261CA0
0026170A |. push eax
0026170B |. push 0x0
0026170D |. call jbwj.00261CA0
00261712 |. add esp,0x8
00261715 |. mov [local.234],eax
0026171B |. mov ecx,[local.234] ; kernel32.74FE0000
00261721 |. mov dword ptr ds:[0x26438C],ecx ; keep the kernel32 base in a global
00261727 |. mov edx,dword ptr ds:[0x26438C] ; kernel32.74FE0000
0026172D |. push edx
0026172E |. mov eax,[local.161]
00261734 |. push eax
00261735 |. mov ecx,[local.22] ; encoded "GetProcAddress"
00261738 |. push ecx
00261739 |. call jbwj.00261E20
0026173E |. add esp,0xC
00261741 |. mov dword ptr ds:[0x264380],eax ; result is not null-checked here
00261746 |. mov edx,dword ptr ds:[0x26438C] ; kernel32.74FE0000
0026174C |. push edx
0026174D |. mov eax,[local.164] ; encoded "LoadLibraryA"
00261753 |. push eax
00261754 |. call jbwj.002620F0
00261759 |. add esp,0x8
0026175C |. mov dword ptr ds:[0x264384],eax
00261761 |.>cmp dword ptr ds:[0x264384],0x0
00261768 |. jnz short jbwj.00261772
0026176A |. or eax,-0x1 ; resolution failed: return -1
0026176D |. jmp jbwj.00261C87
00261772 |> mov ecx,[local.235] ; encoded "msvcrt.dll"
00261778 |. push ecx
00261779 |. call jbwj.00261FD0
0026177E |. add esp,0x4
00261781 |. mov [local.24],eax
00261784 |. cmp [local.24],0x0
00261788 |. jnz short jbwj.00261792
0026178A |. or eax,-0x1 ; load failed: return -1
0026178D |. jmp jbwj.00261C87
00261792 |> mov edx,[local.24] ; msvcrt.76E60000
00261795 |. push edx
00261796 |. mov eax,[local.237] ; encoded "printf"
0026179C |. push eax
0026179D |. call jbwj.002620F0
002617A2 |. add esp,0x8
002617A5 |. mov [local.165],eax
002617AB |.>cmp [local.165],0x0
002617B2 |. jnz short jbwj.002617BC
002617B4 |. or eax,-0x1 ; no printf: return -1 without printing
002617B7 |. jmp jbwj.00261C87
002617BC |> mov ecx,[local.4] ; encoded "User32.dll"
002617BF |. push ecx
002617C0 |. call jbwj.00261FD0
002617C5 |. add esp,0x4
002617C8 |. mov dword ptr ds:[0x264388],eax
002617CD |.>cmp dword ptr ds:[0x264388],0x0
002617D4 |. jnz short jbwj.002617F4
002617D6 |. mov edx,[local.165] ; msvcrt.printf
002617DC |. push edx
002617DD |. mov eax,[local.162] ; jbwj.00263244 = encoded "Key wrong!"
002617E3 |. push eax
002617E4 |. call jbwj.002622D0
002617E9 |. add esp,0x8
002617EC |. or eax,-0x1 ; load failed: message, then return -1
002617EF |. jmp jbwj.00261C87
002617F4 |> mov ecx,[local.163] ; encoded "shlwapi.dll"
002617FA |. push ecx
002617FB |. call jbwj.00261FD0
00261800 |. add esp,0x4
00261803 |. mov [local.160],eax ; handle passed to 00262290 / 00262200 later
00261809 |.>cmp [local.160],0x0
00261810 |. jnz short jbwj.00261830
00261812 |. mov edx,[local.165] ; msvcrt.printf
00261818 |. push edx
00261819 |. mov eax,[local.162] ; jbwj.00263244 = encoded "Key wrong!"
0026181F |. push eax
00261820 |. call jbwj.002622D0
00261825 |. add esp,0x8
00261828 |. or eax,-0x1 ; load failed: message, then return -1
0026182B |. jmp jbwj.00261C87
; Argument-count gate: only [arg.1] == 2 reaches 0026185A. Values above 2 take
; the jg, values below 2 fall through the jge, and both land on the failure
; path at 0026183C. NOTE(review): [arg.1] is presumably argc - confirm.
00261830 |> cmp [arg.1],0x2
00261834 |. jg short jbwj.0026183C ; more than 2 -> failure path
00261836 |. cmp [arg.1],0x2
0026183A |. jge short jbwj.0026185A ; exactly 2 -> continue with the key checks
0026183C |> mov ecx,[local.165] ; msvcrt.printf
00261842 |. push ecx
00261843 |. mov edx,[local.162] ; jbwj.00263244 = encoded "Key wrong!"
00261849 |. push edx
0026184A |. call jbwj.002622D0
0026184F |. add esp,0x8
00261852 |. or eax,-0x1 ; return -1
00261855 |. jmp jbwj.00261C87
; First key check. A string object is built in [local.21] from the pointer at
; [arg.2]+4 with a count of 0xB, its data is handed to 00262290 together with
; the [local.303] buffer and the shlwapi handle, and 00262200 then compares
; [local.303] with the constant in [local.159]. A zero result continues at
; 002618F2; anything else prints the "Key wrong!" message and returns -1.
; NOTE(review): 00261040, 00262290 and 00262200 are not shown here. The
; author's notes suggest 00262290 leaves the base64 form of its input in the
; destination and 00262200 is a string compare - confirm in those helpers.
0026185A |> push 0xB ; count: 11 characters
0026185C |. mov eax,[arg.2]
0026185F |. mov ecx,dword ptr ds:[eax+0x4] ; second pointer of the [arg.2] array - the user key (presumably argv[1])
00261862 |. push ecx
00261863 |. lea edx,[local.21]
00261866 |. push edx
00261867 |. call jbwj.00261040 ; builds the string object at [local.21] (helper not shown)
0026186C |. add esp,0xC
0026186F |.>mov [local.1],0x0 ; [ebp-0x4] = 0 while [local.21] is live
00261876 |. mov eax,[local.160] ; shlwapi.74DE0000
0026187C |. push eax
0026187D |. lea ecx,[local.21] ; this-pointer for the member call
00261880 |. call dword ptr ds:[<&MSVCP90.std::basic_>; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
00261886 |. push eax ; character data of [local.21]
00261887 |. lea ecx,[local.303] ; destination buffer; author's note: base64 of the key part
0026188D |. push ecx
0026188E |. call jbwj.00262290
00261893 |. add esp,0xC
00261896 |. mov edx,[local.160] ; shlwapi.74DE0000
0026189C |. push edx
0026189D |. lea eax,[local.159] ; V0hAdCFGbGFnPSg=[WH@t!Flag=(]
002618A3 |. push eax
002618A4 |. lea ecx,[local.303]
002618AA |. push ecx
002618AB |. call jbwj.00262200
002618B0 |. add esp,0xC
002618B3 |. test eax,eax
002618B5 |. je short jbwj.002618F2 ; result 0 = strings equal (author's note): go on to the next check
002618B7 |. mov edx,[local.165] ; msvcrt.printf
002618BD |. push edx
002618BE |. mov eax,[local.162] ; jbwj.00263244 = encoded "Key wrong!"
002618C4 |. push eax
002618C5 |. call jbwj.002622D0
002618CA |. add esp,0x8
002618CD |.>mov [local.304],-0x1 ; return value -1
002618D7 |.>mov [local.1],-0x1
002618DE |. lea ecx,[local.21]
002618E1 |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of [local.21]
002618E7 |. mov eax,[local.304]
002618ED |. jmp jbwj.00261C87
; Second key check. A 0x104-byte heap block is obtained from 002623C3 and
; filled by 00262290 from the user key; 0xA characters starting at offset 0x12
; of that block are assigned to [local.21], passed through 00262290 into
; [local.303], and compared by 00262200 with the constant in [local.233].
; The heap block is released with operator delete[] before the compare.
; NOTE(review): 002623C3 is presumably operator new[] (its result is freed with
; operator delete[]); its return value is used without a null check in this
; listing. The helper bodies are not shown - confirm their behaviour.
002618F2 |> push 0x104 ; size: 260 bytes
002618F7 |. call jbwj.002623C3
002618FC |. add esp,0x4
002618FF |. mov [local.305],eax
00261905 |. mov ecx,[local.305]
0026190B |. mov [local.236],ecx ; heap work buffer
00261911 |. mov edx,[local.160] ; shlwapi.74DE0000
00261917 |. push edx
00261918 |. mov eax,[arg.2]
0026191B |. mov ecx,dword ptr ds:[eax+0x4] ; key
0026191E |. push ecx
0026191F |. mov edx,[local.236]
00261925 |. push edx
00261926 |. call jbwj.00262290 ; fills the heap buffer from the whole key
0026192B |. add esp,0xC
0026192E |. push 0xA ; count: 10 characters
00261930 |. mov eax,[local.236]
00261936 |. add eax,0x12 ; start at offset 0x12 of the heap buffer
00261939 |. push eax
0026193A |. lea ecx,[local.312]
00261940 |. push ecx
00261941 |. call jbwj.00261040 ; temporary string object at [local.312]
00261946 |. add esp,0xC
00261949 |. mov [local.327],eax
0026194F |. mov edx,[local.327]
00261955 |. mov [local.328],edx
0026195B |. mov byte ptr ss:[ebp-0x4],0x1 ; state 1 while the temporary is live
0026195F |. mov eax,[local.328]
00261965 |. push eax
00261966 |. lea ecx,[local.21]
00261969 |. call dword ptr ds:[<&MSVCP90.std::basic_>; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
0026196F |. mov byte ptr ss:[ebp-0x4],0x0
00261973 |. lea ecx,[local.312] ; ABCDEFGH
00261979 |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of the temporary
0026197F |. mov ecx,[local.160] ; shlwapi.74DE0000
00261985 |. push ecx
00261986 |. lea ecx,[local.21]
00261989 |. call dword ptr ds:[<&MSVCP90.std::basic_>; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
0026198F |. push eax ; ABCDEFGH
00261990 |. lea edx,[local.303] ; key
00261996 |. push edx
00261997 |. call jbwj.00262290
0026199C |. add esp,0xC
0026199F |. mov eax,[local.236]
002619A5 |. mov [local.313],eax
002619AB |. mov ecx,[local.313]
002619B1 |. push ecx
002619B2 |. call <jmp.&MSVCR90.operator delete[]>
002619B7 |. add esp,0x4
002619BA |. mov edx,[local.160] ; shlwapi.74DE0000
002619C0 |. push edx
002619C1 |. lea eax,[local.233] ; Q1RHTU5TUUdUKQ==[CTGMNSQGT)]
002619C7 |. push eax
002619C8 |. lea ecx,[local.303]
002619CE |. push ecx
002619CF |. call jbwj.00262200
002619D4 |. add esp,0xC
002619D7 |. test eax,eax
002619D9 |. je short jbwj.00261A16 ; result 0 = strings equal (author's note): go on to the length check
002619DB |. mov edx,[local.165] ; msvcrt.printf
002619E1 |. push edx
002619E2 |. mov eax,[local.162] ; jbwj.00263244 = encoded "Key wrong!"
002619E8 |. push eax
002619E9 |. call jbwj.002622D0
002619EE |. add esp,0x8
002619F1 |.>mov [local.314],-0x1 ; return value -1
002619FB |.>mov [local.1],-0x1
00261A02 |. lea ecx,[local.21]
00261A05 |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of [local.21]
00261A0B |. mov eax,[local.314]
00261A11 |. jmp jbwj.00261C87
; Length gate on the user key. The loop is an inlined strlen: the cursor walks
; the key one byte at a time until it has read the terminating zero, and
; length = cursor - (start + 1). Keys longer than 0x1C (28) bytes are rejected
; with the "Key wrong!" message and a return value of -1.
; Note that the earlier steps already handed the key to 00262290 with fixed
; 0x104-byte destinations before this length is checked.
00261A16 |> mov ecx,[arg.2]
00261A19 |. mov edx,dword ptr ds:[ecx+0x4] ; pointer to the user key
00261A1C |. mov [local.329],edx ; cursor
00261A22 |. mov eax,[local.329]
00261A28 |. add eax,0x1
00261A2B |. mov [local.330],eax ; start + 1, subtracted after the loop
00261A31 |> /mov ecx,[local.329]
00261A37 |. |mov dl,byte ptr ds:[ecx] ; current byte
00261A39 |. |mov byte ptr ss:[ebp-0x529],dl
00261A3F |.>|add [local.329],0x1 ; advance the cursor
00261A46 |.>|cmp byte ptr ss:[ebp-0x529],0x0
00261A4D |. \jnz short jbwj.00261A31 ; loop until the zero terminator was read
00261A4F |. mov eax,[local.329]
00261A55 |. sub eax,[local.330]
00261A5B |. mov [local.332],eax ; key length in bytes
00261A61 |.>cmp [local.332],0x1C ; 0x1c
00261A68 |. jbe short jbwj.00261AA5 ; unsigned length <= 28: continue
00261A6A |. mov ecx,[local.165] ; msvcrt.printf
00261A70 |. push ecx
00261A71 |. mov edx,[local.162] ; jbwj.00263244 = encoded "Key wrong!" (this is the failure branch, not "Key OK!")
00261A77 |. push edx
00261A78 |. call jbwj.002622D0
00261A7D |. add esp,0x8
00261A80 |.>mov [local.315],-0x1 ; return value -1
00261A8A |.>mov [local.1],-0x1
00261A91 |. lea ecx,[local.21]
00261A94 |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of [local.21]
00261A9A |. mov eax,[local.315]
00261AA0 |. jmp jbwj.00261C87
; Third key check. As in the previous step a 0x104-byte heap block is filled
; by 00262290 from the user key; this time 0x7 characters starting at offset
; 0xB are assigned to [local.21]. 00261280 derives a second string object in
; [local.12] from it, [local.303] is refilled via 00262290 and compared by
; 00262200 with the constant in [local.91]. Equal -> success path at 00261C3E.
; NOTE(review): 00261280's effect and the use of [local.12] cannot be
; determined from this listing; only its construction and cleanup are visible.
00261AA5 |> push 0x104 ; size: 260 bytes
00261AAA |. call jbwj.002623C3 ; presumably operator new[] (freed with delete[] below)
00261AAF |. add esp,0x4
00261AB2 |. mov [local.316],eax
00261AB8 |. mov eax,[local.316]
00261ABE |. mov [local.23],eax ; heap work buffer; no null check in this listing
00261AC1 |. mov ecx,[local.160] ; shlwapi.74DE0000
00261AC7 |. push ecx
00261AC8 |. mov edx,[arg.2]
00261ACB |. mov eax,dword ptr ds:[edx+0x4] ; key
00261ACE |. push eax
00261ACF |. mov ecx,[local.23]
00261AD2 |. push ecx
00261AD3 |. call jbwj.00262290 ; fills the heap buffer from the whole key
00261AD8 |. add esp,0xC
00261ADB |. push 0x7 ; count: 7 characters
00261ADD |. mov edx,[local.23]
00261AE0 |. add edx,0xB ; start at offset 0xB of the heap buffer
00261AE3 |. push edx
00261AE4 |. lea eax,[local.323]
00261AEA |. push eax
00261AEB |. call jbwj.00261040 ; temporary string object at [local.323]
00261AF0 |. add esp,0xC
00261AF3 |. mov [local.333],eax
00261AF9 |. mov ecx,[local.333]
00261AFF |. mov [local.334],ecx
00261B05 |. mov byte ptr ss:[ebp-0x4],0x2 ; state 2 while the temporary is live
00261B09 |. mov edx,[local.334]
00261B0F |. push edx
00261B10 |. lea ecx,[local.21]
00261B13 |. call dword ptr ds:[<&MSVCP90.std::basic_>; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
00261B19 |. mov byte ptr ss:[ebp-0x4],0x0
00261B1D |. lea ecx,[local.323] ; ABCDEFG
00261B23 |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of the temporary
00261B29 |. lea eax,[local.21]
00261B2C |. push eax
00261B2D |. lea ecx,[local.12]
00261B30 |. push ecx
00261B31 |. call jbwj.00261280 ; (out [local.12], in [local.21]); helper not shown
00261B36 |. add esp,0x8
00261B39 |. mov byte ptr ss:[ebp-0x4],0x3 ; state 3 while [local.12] is live
00261B3D |. lea edx,[local.303] ; key
00261B43 |. mov [local.335],edx ; cursor for an inlined strlen of [local.303]
00261B49 |. mov eax,[local.335]
00261B4F |. add eax,0x1
00261B52 |. mov [local.336],eax ; start + 1
00261B58 |> /mov ecx,[local.335]
00261B5E |. |mov dl,byte ptr ds:[ecx]
00261B60 |. |mov byte ptr ss:[ebp-0x541],dl
00261B66 |.>|add [local.335],0x1
00261B6D |.>|cmp byte ptr ss:[ebp-0x541],0x0
00261B74 |. \jnz short jbwj.00261B58 ; loop until the zero terminator was read
00261B76 |. mov eax,[local.335]
00261B7C |. sub eax,[local.336]
00261B82 |. mov [local.338],eax ; current string length of [local.303]
; NOTE: the length is pushed as the fill value (c) and 0 as the byte count (n),
; so this memset writes nothing and [local.303] keeps its previous contents.
; It looks like the last two arguments were swapped in the original source.
00261B88 |. push 0x0 ; /n = 0x0
00261B8A |. mov ecx,[local.338] ; |
00261B90 |. push ecx ; |c = F2
00261B91 |. lea edx,[local.303] ; |
00261B97 |. push edx ; |s = 00683020
00261B98 |. call <jmp.&MSVCR90.memset> ; \memset
00261B9D |. add esp,0xC
00261BA0 |. mov eax,[local.160] ; shlwapi.74DE0000
00261BA6 |. push eax
00261BA7 |. lea ecx,[local.21]
00261BAA |. call dword ptr ds:[<&MSVCP90.std::basic_>; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
00261BB0 |. push eax ; character data of [local.21]
00261BB1 |. lea ecx,[local.303]
00261BB7 |. push ecx
00261BB8 |. call jbwj.00262290
00261BBD |. add esp,0xC
00261BC0 |. mov edx,[local.23] ; key
00261BC3 |. mov [local.324],edx
00261BC9 |. mov eax,[local.324]
00261BCF |. push eax
00261BD0 |. call <jmp.&MSVCR90.operator delete[]>
00261BD5 |. add esp,0x4
00261BD8 |. mov ecx,[local.160] ; shlwapi.74DE0000
00261BDE |. push ecx
00261BDF |. lea edx,[local.91] ; AB241AC
00261BE5 |. push edx
00261BE6 |. lea eax,[local.303]
00261BEC |. push eax
00261BED |. call jbwj.00262200
00261BF2 |. add esp,0xC
00261BF5 |. test eax,eax
00261BF7 |. je short jbwj.00261C3E ; result 0: all checks passed
00261BF9 |. mov ecx,[local.165] ; msvcrt.printf
00261BFF |. push ecx
00261C00 |. mov edx,[local.162] ; jbwj.00263244 = encoded "Key wrong!"
00261C06 |. push edx
00261C07 |. call jbwj.002622D0
00261C0C |. add esp,0x8
00261C0F |.>mov [local.325],-0x1 ; return value -1
00261C19 |. mov byte ptr ss:[ebp-0x4],0x0
00261C1D |. lea ecx,[local.12]
00261C20 |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of [local.12]
00261C26 |.>mov [local.1],-0x1
00261C2D |. lea ecx,[local.21]
00261C30 |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of [local.21]
00261C36 |. mov eax,[local.325] ; ntdll_12.77322C35
00261C3C |. jmp short jbwj.00261C87
; Success path and common exit. On success the "Key OK!" message is passed to
; 002622D0, the program waits for a key press with _getch, cleans up the two
; string objects and returns 0. Every path joins at 00261C87, which unlinks
; the SEH record, re-derives the cookie from [local.5] and calls 002623CE
; before tearing down the frame.
; NOTE(review): 002623CE is presumably __security_check_cookie - confirm.
00261C3E |> mov eax,[local.165] ; msvcrt.printf
00261C44 |. push eax
00261C45 |. mov ecx,[local.166] ; encoded "Key OK!" (jbwj.00263234)
00261C4B |. push ecx
00261C4C |. call jbwj.002622D0
00261C51 |. add esp,0x8
00261C54 |. call dword ptr ds:[<&MSVCR90._getch>] ; [_getch
00261C5A |.>mov [local.326],0x0 ; return value 0
00261C64 |. mov byte ptr ss:[ebp-0x4],0x0
00261C68 |. lea ecx,[local.12]
00261C6B |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of [local.12]
00261C71 |.>mov [local.1],-0x1
00261C78 |. lea ecx,[local.21]
00261C7B |. call dword ptr ds:[<&MSVCP90.std::basic_>; import name truncated in the dump; presumably the destructor of [local.21]
00261C81 |. mov eax,[local.326] ; ntdll_12.7732303D
00261C87 |> mov ecx,[local.3] ; saved previous SEH record
00261C8A |.>mov dword ptr fs:[0],ecx ; unlink this frame's record
00261C91 |. pop ecx
00261C92 |. mov ecx,[local.5] ; stored cookie
00261C95 |. xor ecx,ebp ; undo the entry-time xor with ebp
00261C97 |. call jbwj.002623CE
00261C9C |. mov esp,ebp
00261C9E |. pop ebp
00261C9F \. retn
可以看出,程序中直接出现了用于比较的 key(base64 编码及其解码结果):
V0hAdCFGbGFnPSg= WH@t!Flag=(
QUIyNDFBQw== AB241AC
Q1RHTU5TUUdUKQ== CTGMNSQGT)