
关于360 hookport.sys模块名加密

发表于 2015-10-6 15:11:29 | 显示全部楼层 |阅读模式

hookport.sys 用于 hook Nt* 系统调用,其中会获取竞品模块的地址。它通过 ZwQuerySystemInformation(SystemModuleInformation)得到各模块的文件名后,对文件名做一次“加密”(从下面的代码看,实际是一个不可逆的32位校验值,结构类似CRC),再与程序中预先存储的模块名校验值(一个4字节整数)作对比。

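以下程序通过穷举文件名(主名由小写字母和数字组成、长度1~7,后缀固定为 .sys)并逐个计算校验值,可以根据整数反推出文件名。由于校验值只有32位,而7位主名的候选数量已超过2^32,命中的名字可能只是碰撞,需要结合实际存在的驱动文件名确认: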
0x07848DA1        knbdrv.sys                猎豹安全浏览器
0x42503C81        bd0001.sys                百度安全
0x4D71E020        tsfltmgr.sys                qq管家
0xB8178767        kisknl.sys                金山毒霸


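  /*
   * encode - compute the 32-bit value that the disassembled routine
   * (labels loc_17E37 .. loc_17E62) produces for a NUL-terminated name.
   *
   * The routine is a reflected, bit-at-a-time CRC over 32 bits:
   *   - the running value starts at 0xFFFFFFFF (ECX and EDX were set to -1;
   *     DX:CX held the value, one byte being shifted out per input byte);
   *   - for each input byte, (low byte of value XOR byte) is run through
   *     8 right shifts, XORing in 0xCE96C6B4 whenever a 1 bit falls out
   *     (the assembly XORed AX with 0xC6B4 and BX with 0xCE96);
   *   - the terminating NUL is part of the input: the scasb loop left
   *     strlen + 1 in EDI and that count drove the byte loop;
   *   - the result is bitwise inverted, high word from DX, low word from CX.
   *
   * This replaces the __declspec(naked) inline-assembly version, which
   * overwrote EBX, ESI and EDI without saving them, executed `cld` only
   * after its scasb loop, and could be built for 32-bit x86 MSVC only.
   *
   * str:     NUL-terminated file name; bytes are used as given (no case
   *          folding is done here).
   * Returns: the 32-bit checksum of the name including its NUL terminator.
   */
  unsigned int encode(char* str)
  {
      const unsigned char *p = (const unsigned char *)str;
      unsigned int crc = 0xFFFFFFFFu;
      unsigned int byte;

      do {
          byte = *p++;

          /* Per-byte remainder: what BX:AX held after the 8-round loop. */
          unsigned int rem = (crc ^ byte) & 0xFFu;
          for (int bit = 0; bit < 8; bit++) {
              if (rem & 1u) {
                  rem = (rem >> 1) ^ 0xCE96C6B4u;
              } else {
                  rem >>= 1;
              }
          }

          /* Drop the consumed low byte, then fold the remainder in. */
          crc = ((crc & 0xFFFFFFFFu) >> 8) ^ rem;
      } while (byte != 0);    /* the NUL itself has been processed */

      return ~crc & 0xFFFFFFFFu;
  }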

  47. #include <stdio.h>

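  /*
   * Brute-force search: print every candidate "<stem>.sys" whose encode()
   * value equals 0x42503C81 (listed above as bd0001.sys).
   *
   * Stems are 1 to 7 characters long and each position cycles through
   * a..z and then 0..9. Names with other characters or longer stems are
   * never tried. The checksum is only 32 bits wide, so a printed name is a
   * candidate, not proof: different names can share one value.
   *
   * Returns 0; waits for a key press before exiting.
   */
  int main(int argc, char* argv[])
  {
      /* The stem is right-aligned so that it always ends at n[10];
       * n[11..14] hold ".sys" and n[15] stays NUL. */
      char n[16] = {0};

      (void)argc;
      (void)argv;

      n[11] = '.';
      n[12] = 's';
      n[13] = 'y';
      n[14] = 's';

      for (int len = 1; len <= 7; len++) {
          int cf = 0;     /* set once the leftmost position has wrapped */

          for (int j = 0; j < len; j++) {
              n[10 - j] = 'a';
          }

          while (!cf) {
              unsigned int obj = encode(n + 11 - len);
              if (obj == 0x42503C81) {
                  printf("%s\n", n + 11 - len);
                  break;  /* ends this length only; longer stems are still searched */
              }

              /* Odometer step, rightmost position first. */
              n[10]++;
              for (int j = 0; j < len; j++) {
                  if (n[10 - j] > 'z') {
                      n[10 - j] = '0';        /* past 'z': continue with the digits */
                  }
                  if (n[10 - j] > '9' && n[10 - j] < 'a') {
                      n[10 - j] = 'a';        /* past '9': wrap and carry left */
                      if (j != len - 1)
                          n[10 - j - 1]++;
                      else
                          cf = 1;
                  }
              }
          }
      }

      getchar();
      return 0;
  }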

 楼主| 发表于 2015-10-15 21:06:40 | 显示全部楼层
调用其他驱动内部函数的模板(下面的例子中目标模块是 tsksp.sys;函数偏移 0xecba 是硬编码的,只适用于对应版本的文件):

  1. #include <Ntddk.h>
  2. #include "DriverMonitor.h"
  // Hand-written C-linkage declarations used by this driver.
  // NOTE(review): presumably needed because the two headers above do not
  // declare these routines - confirm against the WDK version in use.
  3. extern "C"
  4. {
          // NOTE(review): looks like a stand-in definition for the compiler's
          // stack-cookie symbol so the driver links - confirm. It is never
          // given a value here.
  5.         int __security_cookie;
          // Declared but not referenced by the code shown in this listing.
  6.         extern POBJECT_TYPE *IoDriverObjectType;
          // Declared but not called by the code shown in this listing.
  7.         NTSTATUS __stdcall ObReferenceObjectByName(PUNICODE_STRING,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PVOID,PVOID);
          // Used by GetModuleBase to list the loaded kernel modules.
  8.         NTSTATUS __stdcall NtQuerySystemInformation (SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG);

  9. };


  // Unload callback (DriverEntry stores it in DriverUnload). The body is
  // empty: nothing is released here.
  10. VOID __stdcall unload(PDRIVER_OBJECT)
  11. {

  12. }

  // Forward declaration; the definition comes after DriverEntry.
  13. ULONG GetModuleBase(PCHAR modulename);


  // Wide-character names that DriverEntry passes, one at a time, to the
  // routine inside tsksp.sys. Left empty in this template and meant to be
  // filled in before building.
  // NOTE(review): with an empty initializer list the array has no elements,
  // which the compiler may reject - confirm.
  14. PWCHAR str[]=
  15. {


  16. };

  extern "C"
  {
      // Test-harness entry point. Finds where tsksp.sys is loaded, then calls
      // the routine at offset 0xecba inside it once for every entry of str[]
      // and breaks into the debugger whenever the routine returns non-zero.
      //
      // pdr: driver object; only DriverUnload is set.
      // pus: registry path; not used.
      // Always returns STATUS_SUCCESS.
      //
      // Caveats: 0xecba is a fixed offset, so it is only meaningful for the one
      // build of tsksp.sys it was taken from; with any other build the call
      // lands on unrelated bytes. __debugbreak() is also executed
      // unconditionally at the end, and a breakpoint with no kernel debugger
      // attached stops the machine.
      NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
      {
          typedef int (__stdcall *CheckFn)(PWCHAR);
          int ret = 0;

          pdr->DriverUnload = unload;

          ULONG Base = GetModuleBase("tsksp.sys");
          if (Base)
          {
              CheckFn check = (CheckFn)(Base + 0xecba);

              for (int i = 0; i < sizeof(str) / sizeof(str[0]); i++)
              {
                  ret = check(str[i]);
                  if (ret)
                  {
                      // Non-zero result for str[i]: stop here for inspection.
                      __debugbreak();
                  }
              }
              ret = 0;
          }
          __debugbreak();

          return STATUS_SUCCESS;
      }
  };

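  // Returns the load address of the loaded kernel module whose file name
  // equals modulename (compared without regard to case), or 0 when the
  // module list cannot be read or no module matches.
  //
  // modulename: file name only, e.g. "tsksp.sys"; it is compared with the
  //             part of each module path that starts at OffsetToFileName.
  //
  // Fixes over the previous version: `status` was read uninitialized when
  // the size probe returned 0 or the allocation failed, and in that case the
  // loop could have dereferenced a NULL module list.
  //
  // NOTE(review): the address is returned as ULONG, so it is only complete
  // where pointers are 32 bits wide - confirm the build target.
  ULONG GetModuleBase(PCHAR modulename)
  {
      PVOID Buffer = NULL;
      ULONG ReturnLength = 0;
      NTSTATUS status;
      PRTL_PROCESS_MODULES modules = NULL;
      ULONG BaseAddr = 0;

      // Size probe: a zero-length query whose only useful output is
      // ReturnLength; its status is deliberately ignored.
      NtQuerySystemInformation(SystemModuleInformation,&ReturnLength,0,&ReturnLength);
      if(!ReturnLength)
          return 0;

      Buffer = ExAllocatePool(PagedPool,ReturnLength);
      if(!Buffer)
          return 0;

      // If the module list grew since the probe this call fails and the
      // function reports "not found" instead of retrying.
      status = NtQuerySystemInformation(SystemModuleInformation,Buffer,ReturnLength,NULL);
      if(NT_SUCCESS(status))
      {
          modules = (PRTL_PROCESS_MODULES)Buffer;
          for(ULONG i=0;i<modules->NumberOfModules;i++)
          {
              int offset = modules->Modules[i].OffsetToFileName;
              if(!_stricmp((const char*)(modules->Modules[i].FullPathName+offset),modulename))
              {
                  // No break, as before: if several entries match, the last one wins.
                  BaseAddr = (ULONG)modules->Modules[i].ImageBase;
              }
          }
      }

      ExFreePool(Buffer);
      return BaseAddr;
  }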

 楼主| 发表于 2015-10-16 01:28:57 | 显示全部楼层
  // Variant of DriverEntry that generates the candidate names itself instead
  // of reading them from a table. Each candidate has the form "\<stem>.dll"
  // with a stem of 1 to 7 characters; every position runs from '0' up to 'z'
  // and skips the backslash. Each candidate is passed to the routine at offset
  // 0xecba inside tsksp.sys, and a non-zero return breaks into the debugger.
  //
  // pdr: driver object; only DriverUnload is set.
  // pus: registry path; not used.
  // Always returns STATUS_SUCCESS.
  //
  // Caveats: the offset is fixed, so it only fits the build of tsksp.sys it
  // was taken from. __debugbreak() runs unconditionally before and after the
  // search, and a breakpoint with no kernel debugger attached stops the machine.
  NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
  {
      typedef int (__stdcall *CheckFn)(PWCHAR);
      int ret = 0;

      pdr->DriverUnload = unload;

      ULONG Base = GetModuleBase("tsksp.sys");
      __debugbreak();
      if (!Base)
      {
          // Module not loaded: nothing to probe.
          __debugbreak();
          return STATUS_SUCCESS;
      }

      // The stem is right-aligned to end at name[10]; ".dll" follows it and
      // name[15] stays zero.
      WCHAR name[16] = {0};
      name[11] = '.';
      name[12] = 'd';
      name[13] = 'l';
      name[14] = 'l';

      for (int len = 1; len <= 7; len++)
      {
          int done = 0;   // set once the leftmost position has wrapped

          for (int k = 0; k < len; k++)
              name[10 - k] = '0';
          name[10 - len] = '\\';  // leading backslash in front of the stem

          while (!done)
          {
              ret = ((CheckFn)(Base + 0xecba))(name + 10 - len);
              if (ret)
              {
                  __debugbreak();
              }

              // Odometer step, rightmost position first.
              name[10]++;
              for (int k = 0; k < len; k++)
              {
                  WCHAR *pos = &name[10 - k];

                  if (*pos > 'z')
                  {
                      *pos = '0';
                      if (k != len - 1)
                          pos[-1]++;
                      else
                          done = 1;
                  }
                  else if (*pos == '\\')
                  {
                      *pos = '\\' + 1;    // step over the backslash
                  }
              }
          }
      }

      __debugbreak();
      return STATUS_SUCCESS;
  }

 楼主| 发表于 2015-10-28 09:05:21 | 显示全部楼层
  1. #include <windows.h>
  2. #include <stdio.h>


  /*
   * func - hash one wide-character name with machine code copied out of the
   * driver and report whether the 16-byte result equals any entry of the
   * md5_data table below.
   *
   * path: NUL-terminated wide string; 2*wcslen(path) bytes of it are hashed
   *       (the terminator is not included).
   * Prints "<index> touched :<path>" for every matching table entry.
   *
   * The hash is not re-implemented here: data1 holds raw x86 code bytes and
   * the inline assembly calls into that array. data1 is a local array, so
   * those calls execute bytes that live in this function's stack frame.
   * NOTE(review): this presumably only runs in a 32-bit build where that
   * memory is executable - confirm. The (long) pointer casts below also
   * assume pointers fit in a long.
   */
  3. void func(wchar_t* path)
  4. {
          /* Code bytes taken from the image range given in the comment after
           * the array. The first routine stores 0x67452301, 0xefcdab89,
           * 0x98badcfe and 0x10325476 (the MD5 initial state) and clears two
           * more fields of the context it is given in EAX. */
  5.         unsigned char data1[]={
  6.                 0x83,0x60,0x14,0x0,0x83,0x60,0x10,0x0,0xc7,0x0,0x1,0x23,0x45,0x67,0xc7,0x40,0x4,0x89,0xab,0xcd,
  7.                 0xef,0xc7,0x40,0x8,0xfe,0xdc,0xba,0x98,0xc7,0x40,0xc,0x76,0x54,0x32,0x10,0xc3,0x55,0x8b,0xec,0x51,
  8.                 0x53,0x56,0x8b,0xf1,0x8b,0x4e,0x10,0x8b,0xd8,0x8b,0xc1,0xc1,0xe8,0x3,0x8b,0xd3,0x8d,0xc,0xd9,0xc1,
  9.                 0xe2,0x3,0x83,0xe0,0x3f,0x3b,0xca,0x57,0x89,0x4e,0x10,0x73,0x3,0xff,0x46,0x14,0x6a,0x40,0x8b,0xcb,
  10.                 0xc1,0xe9,0x1d,0x1,0x4e,0x14,0x5f,0x2b,0xf8,0x3b,0xdf,0x72,0x4b,0x33,0xc9,0x85,0xff,0x76,0x12,0x8d,
  11.                 0x44,0x30,0x18,0x8b,0x55,0x8,0x8a,0x14,0x11,0x88,0x14,0x8,0x41,0x3b,0xcf,0x72,0xf2,0x8d,0x4e,0x18,
  12.                 0x56,0xe8,0xb0,0x0,0x0,0x0,0x8d,0x47,0x3f,0x3b,0xc3,0x73,0x1f,0x89,0x45,0xfc,0x8b,0x45,0x8,0x8b,
  13.                 0x4d,0xfc,0x8d,0x4c,0x8,0xc1,0x56,0xe8,0x96,0x0,0x0,0x0,0x83,0x45,0xfc,0x40,0x83,0xc7,0x40,0x39,
  14.                 0x5d,0xfc,0x72,0xe4,0x33,0xc0,0xeb,0x2,0x33,0xff,0x33,0xc9,0x2b,0xdf,0x74,0x14,0x8b,0x55,0x8,0x3,
  15.                 0xd7,0x8d,0x74,0x30,0x18,0x8a,0x4,0xa,0x88,0x4,0xe,0x41,0x3b,0xcb,0x72,0xf5,0x5f,0x5e,0x5b,0xc9,
  16.                 0xc2,0x4,0x0,0x55,0x8b,0xec,0x51,0x51,0x56,0x6a,0x8,0x8d,0x77,0x10,0x5a,0x8b,0xc6,0x8d,0x4d,0xf8,
  17.                 0xe8,0xe3,0x6,0x0,0x0,0x8b,0xe,0xc1,0xe9,0x3,0x6a,0x38,0x58,0x83,0xe1,0x3f,0x3b,0xc8,0x5e,0x72,
  18.                 0x3,0x6a,0x78,0x58,0x2b,0xc1,0x68,0xf8,0x5b,0x3,0x0,0x8b,0xcf,0xe8,0x22,0xff,0xff,0xff,0x8d,0x45,
  19.                 0xf8,0x50,0x6a,0x8,0x58,0x8b,0xcf,0xe8,0x14,0xff,0xff,0xff,0x8b,0x4d,0x8,0x6a,0x10,0x5a,0x8b,0xc7,
  20.                 0xe8,0xa7,0x6,0x0,0x0,0x6a,0x58,0x6a,0x0,0x57,0xe8,0x61,0x28,0x1,0x0,0x83,0xc4,0xc,0xc9,0xc2,
  21.                 0x4,0x0,0x55,0x8b,0xec,0x8b,0x45,0x8,0x83,0xec,0x48,0x53,0x56,0x57,0x6a,0x10,0x83,0xc1,0x2,0x8d,
  22.                 0x75,0xb8,0x5f,0xf,0xb6,0x59,0xff,0x33,0xd2,0x8a,0x71,0x1,0x8a,0x11,0x83,0xc1,0x4,0xc1,0xe2,0x8,
  23.                 0xb,0xd3,0xf,0xb6,0x59,0xfa,0xc1,0xe2,0x8,0xb,0xd3,0x89,0x16,0x83,0xc6,0x4,0x4f,0x75,0xdc,0x8b,
  24.                 0x70,0x4,0x8b,0x50,0x8,0x8b,0x48,0xc,0x8b,0x0,0x8b,0xfe,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xde,
  25.                 0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xde,0x8d,0x84,0x7,0x78,0xa4,0x6a,0xd7,0xc1,0xc0,0x7,0x3,0xc6,0x23,
  26.                 0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0x56,0xb7,0xc7,0xe8,0xc1,
  27.                 0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8b,
  28.                 0xd9,0x8d,0x94,0x17,0xdb,0x70,0x20,0x24,0xc1,0xca,0xf,0x3,0xd1,0x23,0xda,0x8b,0xfa,0xf7,0xd7,0x23,
  29.                 0xf8,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0xb4,0x37,0xee,0xce,0xbd,0xc1,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,
  30.                 0xfc,0x8b,0xfa,0x23,0x7d,0xfc,0xf7,0xd6,0x23,0xf1,0xb,0xf7,0x3,0x75,0xc8,0x8d,0x84,0x6,0xaf,0xf,
  31.                 0x7c,0xf5,0x8b,0x75,0xfc,0xc1,0xc0,0x7,0x3,0xc6,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0x8b,0xde,0x23,0xd8,
  32.                 0xb,0xfb,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x2a,0xc6,0x87,0x47,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,
  33.                 0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd0,0x8b,0xd9,0x8d,0x94,0x17,0x13,0x46,0x30,
  34.                 0xa8,0xc1,0xca,0xf,0x3,0xd1,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0x23,0xda,0xb,0xfb,0x3,0x7d,0xd4,0x8d,
  35.                 0xb4,0x37,0x1,0x95,0x46,0xfd,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,
  36.                 0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,0xd8,0x8d,0x84,0x6,0xd8,0x98,0x80,0x69,0x8b,0x75,0xfc,0x8b,0xde,
  37.                 0xc1,0xc0,0x7,0x3,0xc6,0x23,0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xdc,0x8d,0x8c,
  38.                 0xf,0xaf,0xf7,0x44,0x8b,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,
  39.                 0xb,0xfb,0x3,0x7d,0xe0,0x8b,0xd9,0x8d,0x94,0x17,0xb1,0x5b,0xff,0xff,0xc1,0xca,0xf,0x3,0xd1,0x23,
  40.                 0xda,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0xb4,0x37,0xbe,0xd7,0x5c,0x89,0xc1,
  41.                 0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,
  42.                 0xe8,0x8b,0x7d,0xfc,0x8d,0x84,0x6,0x22,0x11,0x90,0x6b,0xc1,0xc0,0x7,0x3,0x45,0xfc,0x23,0xf8,0x8b,
  43.                 0xf0,0xf7,0xd6,0x23,0xf2,0xb,0xf7,0x3,0x75,0xec,0x8d,0x8c,0xe,0x93,0x71,0x98,0xfd,0xc1,0xc1,0xc,
  44.                 0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x8b,0xf7,0x23,0x75,0xfc,0x8b,0xd9,0x23,0xd8,0xb,0xf3,0x3,0x75,0xf0,
  45.                 0x8b,0xd9,0x8d,0x94,0x16,0x8e,0x43,0x79,0xa6,0xc1,0xca,0xf,0x3,0xd1,0x89,0x55,0xf8,0xf7,0x55,0xf8,
  46.                 0x8b,0x75,0xf8,0x23,0xf0,0x23,0xfa,0x23,0xda,0xb,0xf3,0x3,0x75,0xf4,0x8b,0x5d,0xfc,0x8d,0xb4,0x1e,
  47.                 0x21,0x8,0xb4,0x49,0xc1,0xce,0xa,0x3,0xf2,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xbc,0x8b,0xda,
  48.                 0x8d,0x84,0x7,0x62,0x25,0x1e,0xf6,0x8b,0x7d,0xf8,0x23,0xfe,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0xb,
  49.                 0xfb,0x3,0x7d,0xd0,0x8d,0x8c,0xf,0x40,0xb3,0x40,0xc0,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,
  50.                 0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x51,0x5a,0x5e,0x26,0xc1,0xc2,
  51.                 0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xd9,
  52.                 0x8d,0xb4,0x37,0xaa,0xc7,0xb6,0xe9,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,
  53.                 0xb,0xfb,0x3,0x7d,0xcc,0x8b,0xda,0x8d,0x84,0x7,0x5d,0x10,0x2f,0xd6,0xc1,0xc0,0x5,0x3,0xc6,0x8b,
  54.                 0xfa,0xf7,0xd7,0x23,0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xe0,0x8d,0x8c,0xf,0x53,0x14,0x44,0x2,0xc1,
  55.                 0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xf4,0x8d,
  56.                 0x94,0x17,0x81,0xe6,0xa1,0xd8,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,
  57.                 0xd8,0xb,0xfb,0x3,0x7d,0xc8,0x8d,0xb4,0x37,0xc8,0xfb,0xd3,0xe7,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,
  58.                 0xf7,0xd7,0x23,0xfa,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xdc,0x8b,0xda,0x8d,0x84,0x7,0xe6,0xcd,
  59.                 0xe1,0x21,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0x8b,0xfa,0xf7,0xd7,0x23,0xfe,0xb,0xfb,0x3,0x7d,0xf0,
  60.                 0x8d,0x8c,0xf,0xd6,0x7,0x37,0xc3,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,
  61.                 0x23,0xde,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x87,0xd,0xd5,0xf4,0xc1,0xc2,0xe,0x3,0xd1,0x8b,
  62.                 0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd8,0x8b,0xd9,0x8d,0xb4,0x37,0xed,
  63.                 0x14,0x5a,0x45,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,
  64.                 0xec,0x8b,0xda,0x8d,0x84,0x7,0x5,0xe9,0xe3,0xa9,0xc1,0xc0,0x5,0x3,0xc6,0x8b,0xfa,0xf7,0xd7,0x23,
  65.                 0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0xf8,0xa3,0xef,0xfc,0xc1,0xc1,0x9,0x3,0xc8,
  66.                 0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xd4,0x8d,0x94,0x17,0xd9,0x2,
  67.                 0x6f,0x67,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,0xd8,0xb,0xfb,0x3,
  68.                 0x7d,0xe8,0x8d,0xb4,0x37,0x8a,0x4c,0x2a,0x8d,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,0x33,0xfa,0x33,0xfe,
  69.                 0x3,0x7d,0xcc,0x8d,0x84,0x7,0x42,0x39,0xfa,0xff,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,0xfe,0x33,
  70.                 0xf8,0x3,0x7d,0xd8,0x8d,0x8c,0xf,0x81,0xf6,0x71,0x87,0xc1,0xc1,0xb,0x3,0xc8,0x8b,0xf9,0x33,0xfe,
  71.                 0x33,0xf8,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x22,0x61,0x9d,0x6d,0xc1,0xc2,0x10,0x3,0xd1,0x8b,0xf9,0x33,
  72.                 0xfa,0x8b,0xdf,0x33,0xd8,0x3,0x5d,0xf0,0x8d,0xb4,0x33,0xc,0x38,0xe5,0xfd,0xc1,0xce,0x9,0x3,0xf2,
  73.                 0x33,0xfe,0x3,0x7d,0xbc,0x8d,0x84,0x7,0x44,0xea,0xbe,0xa4,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,
  74.                 0xfe,0x33,0xf8,0x3,0x7d,0xc8,0x8d,0xbc,0xf,0xa9,0xcf,0xde,0x4b,0xc1,0xc7,0xb,0x3,0xf8,0x8b,0xcf,
  75.                 0x33,0xce,0x33,0xc8,0x3,0x4d,0xd4,0x8b,0xdf,0x8d,0x94,0x11,0x60,0x4b,0xbb,0xf6,0xc1,0xc2,0x10,0x3,
  76.                 0xd7,0x33,0xda,0x8b,0xcb,0x33,0xc8,0x3,0x4d,0xe0,0x8d,0x8c,0x31,0x70,0xbc,0xbf,0xbe,0xc1,0xc9,0x9,
  77.                 0x3,0xca,0x33,0xd9,0x3,0x5d,0xec,0x8b,0xf2,0x8d,0x84,0x3,0xc6,0x7e,0x9b,0x28,0x33,0xf1,0xc1,0xc0,
  78.                 0x4,0x3,0xc1,0x33,0xf0,0x3,0x75,0xb8,0x8d,0xb4,0x3e,0xfa,0x27,0xa1,0xea,0xc1,0xc6,0xb,0x3,0xf0,
  79.                 0x8b,0xfe,0x33,0xf9,0x33,0xf8,0x3,0x7d,0xc4,0x8d,0xbc,0x17,0x85,0x30,0xef,0xd4,0xc1,0xc7,0x10,0x3,
  80.                 0xfe,0x8b,0xd6,0x33,0xd7,0x8b,0xda,0x33,0xd8,0x3,0x5d,0xd0,0x8d,0x8c,0xb,0x5,0x1d,0x88,0x4,0xc1,
  81.                 0xc9,0x9,0x3,0xcf,0x33,0xd1,0x3,0x55,0xdc,0x8d,0x84,0x2,0x39,0xd0,0xd4,0xd9,0x8b,0xd7,0x33,0xd1,
  82.                 0xc1,0xc0,0x4,0x3,0xc1,0x33,0xd0,0x3,0x55,0xe8,0x8d,0x94,0x32,0xe5,0x99,0xdb,0xe6,0xc1,0xc2,0xb,
  83.                 0x3,0xd0,0x8b,0xf2,0x33,0xf1,0x33,0xf0,0x3,0x75,0xf4,0x8d,0xb4,0x3e,0xf8,0x7c,0xa2,0x1f,0xc1,0xc6,
  84.                 0x10,0x3,0xf2,0x8b,0xfa,0x33,0xfe,0x33,0xf8,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0x65,0x56,0xac,0xc4,0xc1,
  85.                 0xc9,0x9,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xb8,0x8d,0x84,0x7,0x44,0x22,
  86.                 0x29,0xf4,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xd4,0x8d,0x94,
  87.                 0x17,0x97,0xff,0x2a,0x43,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xf9,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,
  88.                 0xf0,0x8d,0xb4,0x37,0xa7,0x23,0x94,0xab,0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,
  89.                 0xfa,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x39,0xa0,0x93,0xfc,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,
  90.                 0xb,0xf9,0x33,0xfe,0x3,0x7d,0xe8,0x8d,0x84,0x7,0xc3,0x59,0x5b,0x65,0xc1,0xc0,0x6,0x3,0xc1,0x8b,
  91.                 0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x92,0xcc,0xc,0x8f,0xc1,0xc2,0xa,
  92.                 0x8b,0xf9,0x3,0xd0,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,0xe0,0x8d,0xb4,0x37,0x7d,0xf4,0xef,0xff,
  93.                 0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0xd1,
  94.                 0x5d,0x84,0x85,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xd8,0x8d,
  95.                 0x84,0x7,0x4f,0x7e,0xa8,0x6f,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,
  96.                 0x7d,0xf4,0x8d,0x94,0x17,0xe0,0xe6,0x2c,0xfe,0x8b,0xf9,0xc1,0xc2,0xa,0x3,0xd0,0xf7,0xd7,0xb,0xfa,
  97.                 0x33,0xf8,0x3,0x7d,0xd0,0x8d,0xb4,0x37,0x14,0x43,0x1,0xa3,0x8b,0xf8,0xc1,0xc6,0xf,0x3,0xf2,0xf7,
  98.                 0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xec,0x8d,0xbc,0xf,0xa1,0x11,0x8,0x4e,0xc1,0xcf,0xb,0x3,0xfe,
  99.                 0x8b,0xca,0xf7,0xd1,0xb,0xcf,0x33,0xce,0x3,0x4d,0xc8,0x8d,0x84,0x1,0x82,0x7e,0x53,0xf7,0xc1,0xc0,
  100.                 0x6,0x3,0xc7,0x8b,0xce,0xf7,0xd1,0xb,0xc8,0x33,0xcf,0x3,0x4d,0xe4,0x8d,0x94,0x11,0x35,0xf2,0x3a,
  101.                 0xbd,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xcf,0xf7,0xd1,0xb,0xca,0x33,0xc8,0x3,0x4d,0xc0,0x8d,0xb4,0x31,
  102.                 0xbb,0xd2,0xd7,0x2a,0x8b,0x4d,0x8,0x8b,0x19,0x3,0xd8,0xf7,0xd0,0xc1,0xc6,0xf,0x3,0xf2,0xb,0xc6,
  103.                 0x33,0xc2,0x3,0x45,0xdc,0x89,0x19,0x8d,0x84,0x38,0x91,0xd3,0x86,0xeb,0xc1,0xc8,0xb,0x3,0x41,0x4,
  104.                 0x3,0xc6,0x89,0x41,0x4,0x8b,0x41,0x8,0x3,0xc6,0x89,0x41,0x8,0x8b,0x41,0xc,0x5f,0x3,0xc2,0x5e,
  105.                 0x89,0x41,0xc,0x5b,0xc9,0xc2,0x4,0x0,0x85,0xd2,0x76,0x2c,0x56,0x8d,0x72,0xff,0xc1,0xee,0x2,0x41,
  106.                 0x83,0xc0,0x2,0x46,0x8a,0x50,0xfe,0x88,0x51,0xff,0x8a,0x50,0xff,0x88,0x11,0x8a,0x10,0x88,0x51,0x1,
  107.                 0x8a,0x50,0x1,0x88,0x51,0x2,0x83,0xc0,0x4,0x83,0xc1,0x4,0x4e,0x75,0xe1,0x5e,0xc3
  108.         };//0x19d18~0x1A50D
          /* Entry points inside data1, in the order they are called below:
           * offset 0 (set up the context), 0x24 (feed data), 0xcb (produce
           * the 16-byte result). */
  109.         unsigned char* md5_encrypt_20=data1;
  110.         unsigned char* md5_encrypt_21=data1+0x24;
  111.         unsigned char* md5_encrypt_22=data1+0xcb;

          /* 64-byte block: 0x80 followed by zeros (the MD5 padding pattern). */
  112.         unsigned char data2[64]={0x80,0};
          /* The copied code refers to two things outside itself, so both are
           * patched before use. Offset 0xf7 is the 4-byte operand of a push
           * (opcode 0x68 at 0xf6) and receives the address of data2. Offset
           * 0x123 is the 4-byte displacement of a call (opcode 0xe8 at
           * 0x122) and is redirected to memset, relative to the next
           * instruction at data1+0x127. */
  113.         *(long*)(data1+0xf7)=(long)data2;
  114.         *(long*)(data1+0x123)=(long)memset-(long)(data1+0x127);

          /* 13 reference digests; a candidate name is reported when its
           * digest equals one of them. */
  115.         unsigned char md5_data[][16]={
  116.                 {0x15,0xd1,0x26,0xd0,0xa5,0xa3,0x64,0xe3,0x1b,0x58,0x4,0xe5,0x8,0x5f,0x3,0x9,          },
  117.                 {0x61,0xf7,0xd,0x82,0x48,0x54,0xe8,0x77,0xc2,0x38,0x84,0x50,0xfe,0x3a,0xe3,0xd2,  },
  118.                 {0x88,0x9b,0xa2,0x4e,0x4a,0xfb,0xd6,0x9b,0x32,0x73,0xfe,0xda,0x3a,0x4e,0x4d,0xe8, },
  119.                 {0x74,0x8a,0xc3,0x52,0x68,0x3e,0x1e,0x7,0x0,0x53,0xe9,0x9b,0xb9,0xc1,0x3f,0x28,          },
  120.                 {0xd9,0xab,0xea,0xfe,0x1f,0x7f,0x4b,0x5c,0x63,0x94,0x8e,0x5d,0x13,0xf2,0x53,0xbf, },
  121.                 {0xc9,0xae,0xea,0x20,0x18,0xe8,0x3d,0x49,0xa6,0x11,0x7c,0xb1,0xd8,0xac,0x31,0x94, },
  122.                 {0xa4,0x56,0x73,0xf7,0x14,0xb4,0xf6,0x58,0x25,0x85,0x5c,0x32,0xee,0x9c,0x82,0x27, },
  123.                 {0x31,0x26,0x22,0x9a,0xd6,0xfc,0x81,0x4e,0x8e,0x9e,0xaf,0x9,0xaf,0x4b,0x94,0x9e,  },
  124.                 {0xcc,0xba,0xc4,0x42,0xfc,0x59,0xe5,0x32,0x40,0x21,0xd2,0x6b,0x30,0xb4,0x52,0xe3, },
  125.                 {0x20,0x77,0xbb,0xcd,0x70,0x80,0xde,0xf0,0x2b,0x5c,0x78,0x3c,0x47,0xcf,0xc3,0xf9, },
  126.                 {0x3,0xe,0xd0,0xc9,0xaa,0x3d,0xb,0xc6,0x57,0x9f,0x75,0x94,0x72,0xfc,0x53,0x15,          },
  127.                 {0x90,0x6c,0xb1,0xc1,0x13,0xef,0x25,0xeb,0x4,0x0,0x26,0xa1,0x4,0xba,0xc8,0xda,          },
  128.                 {0x1b,0x66,0x98,0xcf,0xbe,0x9d,0xf1,0x89,0xe4,0x5a,0xa5,0xd8,0x1f,0xda,0xd7,0x97, },
  129.         };
  130.         const int max=sizeof(md5_data)/sizeof(md5_data[0]);

          /* key1: 88-byte hashing context (0x58 is also the size the copied
           * code passes to memset). key2: receives the 16-byte digest. */
  131.         unsigned char key1[88]={0};
  132.         unsigned char key2[16]={0};
          /* Byte length of the wide string, terminator excluded. */
  133.         int len=2*wcslen(path);
          /* Register conventions as used by the three calls below:
           *   md5_encrypt_20: EAX = context
           *   md5_encrypt_21: EAX = byte count, ECX = context, data pointer pushed
           *   md5_encrypt_22: EDI = context, output buffer pushed
           * The two routines that take a pushed argument end in `ret 4`
           * (bytes 0xc2,0x4,0x0), so no stack clean-up is done here. */
  134.         _asm
  135.         {
  136.                 lea eax,key1;
  137.                 call md5_encrypt_20;
  138.                 mov eax,len;
  139.                 lea ecx,key1;
  140.                 mov esi,path;
  141.                 push esi;
  142.                 call md5_encrypt_21;
  143.                 lea eax,key2;
  144.                 push eax;
  145.                 lea edi,key1;
  146.                 call md5_encrypt_22;
  147.         }
          /* Report every table entry equal to the digest. */
  148.         for(int i=0;i<max;i++)
  149.         {
  150.                 if(!memcmp(md5_data[i],key2,16))
  151.                 {
  152.                         printf("%d touched :%ws\n",i,path);
  153.                 }
  154.         }
  155. }



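  /*
   * Offline search: generate every stem of 1 to 7 characters, append ".dll"
   * and then ".exe", and pass both names to func(), which prints the ones
   * whose digest is in its reference table.
   *
   * Every position runs from '0' up to 'z' in character-code order and skips
   * the backslash, so upper-case letters and the punctuation in between are
   * tried as well. Returns 0.
   */
  int main(void)
  {
      /* The stem is right-aligned to end at n[10]; n[11..14] hold the
       * extension and n[15] stays zero. */
      wchar_t n[16] = {0};

      for (int len = 1; len <= 7; len++) {
          int cf = 0;     /* set once the leftmost position has wrapped */

          for (int j = 0; j < len; j++) {
              n[10 - j] = '0';
          }

          while (!cf) {
              /* Same stem, two extensions. */
              n[11] = '.';
              n[12] = 'd';
              n[13] = 'l';
              n[14] = 'l';
              func(n + 11 - len);

              n[11] = '.';
              n[12] = 'e';
              n[13] = 'x';
              n[14] = 'e';
              func(n + 11 - len);

              /* Odometer step, rightmost position first. */
              n[10]++;
              for (int j = 0; j < len; j++) {
                  if (n[10 - j] > 'z') {
                      n[10 - j] = '0';
                      if (j != len - 1)
                          n[10 - j - 1]++;
                      else
                          cf = 1;
                  } else if (n[10 - j] == '\\') {
                      n[10 - j] = '\\' + 1;   /* step over the backslash */
                  }
              }
          }
      }

      return 0;
  }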

发表于 2018-1-14 15:25:41 | 显示全部楼层
可以可以!!