symencrypt.asm

OICQ黑客工具。可以查看对方IP地址

.386p

extrn   _ntohl@4: near
extrn   _htonl@4: near
extrn   _memset : near
extrn   _rand : near

; Segment type:	Pure code
_text		segment	para public 'CODE' use32
		assume cs:_text
		assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing

TeaEncrypt	proc near

pTemp		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

pBuf1		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		sub	esp, 10h		//alloc stack for local var
		push	ebx
		push	esi
		mov	esi, [ebp+pBuf1]	//esi=pBuf1;
		push	edi
		push	dword ptr [esi]		//
		call	_ntohl@4		//
		push	dword ptr [esi+4]	//
		mov	edi, eax		//edi=ntohl(pBuf1[0]);
		call	_ntohl@4		//
		mov	ebx, eax		//ebx=ntohl(pBuf[1]);
		mov	eax, [ebp+arg_8]	//eax=arg_8
		lea	ecx, [ebp+pTemp]	//ecx=ebp-pTemp;
		lea	esi, [ebp+pTemp]	//esi=ebppTemp;
		sub	eax, ecx		//eax=arg_8-ebp+pTemp;
		mov	[ebp+pBuf1], 4		//pBuf1=4;
		mov	[ebp+arg_8], eax	//arg_8=arg_8-pTemp;
		jmp	short loc_0_43D04D

loc_0_43D04A:
		mov	eax, [ebp+arg_8]	//eax=arg_8;

loc_0_43D04D:
		push	dword ptr [eax+esi]	//arg_8-pTemp+pTemp;
		call	_ntohl@4
		mov	[esi], eax		//*esi=ntohl(arg_8);
		add	esi, 4			//esi+=4;   notice! pdwBuf++;
		dec	[ebp+pBuf1]		//pBuf1--;
		jnz	short loc_0_43D04A	//while(pBuf1<>0);
		push	10h			//push 16;
		xor	eax, eax		//eax=0;
		pop	ecx			//ecx=16;

loc_0_43D064:
		mov	edx, ebx		//e
		mov	esi, ebx
		shr	edx, 5			//edx=htohl(edx>>5);
		add	edx, [ebp+var_C]	//edx+=var_C;
		sub	eax, 61C88647h		//eax-=0x61c88647
		shl	esi, 4			//esi<<4;
		add	esi, [ebp+pTemp]	//
		xor	edx, esi
		lea	esi, [eax+ebx]
		xor	edx, esi
		add	edi, edx
		mov	edx, edi
		mov	esi, edi
		shr	edx, 5
		add	edx, [ebp+var_4]
		shl	esi, 4
		add	esi, [ebp+var_8]
		xor	edx, esi
		lea	esi, [eax+edi]
		xor	edx, esi
		add	ebx, edx
		dec	ecx
		jnz	short loc_0_43D064
		push	edi
		call	_htonl@4
		mov	esi, [ebp+arg_C]
		push	ebx
		mov	[esi], eax
		call	_htonl@4
		mov	[esi+4], eax
		pop	edi
		pop	esi
		pop	ebx
		leave	
		retn	
TeaEncrypt	endp

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

            public  _SymmetryEncrypt

_SymmetryEncrypt		proc near

pBuf3		= byte ptr -14h
pBuf2		= byte ptr -0Dh
pBuf1		= byte ptr -0Ch			随机数缓冲区指针?
i	        = dword	ptr -4			DWORD left byte number
arg_0		= dword	ptr  8             	DWORD Length?
arg_4		= dword	ptr  0Ch		DWORD PlainText Buffer Length   UNKNOW
arg_8		= dword	ptr  10h		DWORD pointer unknow
arg_C		= dword	ptr  14h		DWORD Buffer pinter
arg_10		= dword	ptr  18h		DWORD

//处理数据包长度
		push	ebp
		mov	ebp, esp
		sub	esp, 14h		//alloc local var
		mov	eax, [ebp+arg_4]	//eax=arg_4
		push	ebx
		push	esi
		push	edi
		push	8
		add	eax, 0Ah		//eax=arg_4+10;
		pop	ebx			//ebx=8;
		cdq				//edx=signed bit of eax
		mov	ecx, ebx		//ecx=8//估计是数据包长度/8
		idiv	ecx			//eax=arg_4/8   edx=arg_4 mod 8
		test	edx, edx		//edx=0?
		mov	[ebp+i], edx		//i=arg_4 mod 8
		jz	short loc_0_43D182	//if(i!=0){
		mov	eax, ebx		//	eax=8;
		sub	eax, edx		//	eax=8-(arg_4 mod 8)
		mov	[ebp+i], eax		//	i=eax
						//}

loc_0_43D182:				
		call	_rand
		mov	ecx, eax		//ecx=rand()
		mov	eax, [ebp+i]		//eax=i
		and	cl, 0F8h		//cl&=0xf8  cl=8
		push	1
		or	cl, al			//cl=8|al
		pop	edi			//edi=1
		mov	[ebp+pBuf1], cl		//将（数据包长度or随机数)存入缓冲区[0]
						//pBuf1[0]=(BYTE)rand()|8;
		mov	ecx, eax		//ecx=i
		dec	eax			//eax--;
		test	ecx, ecx
		jz	short loc_0_43D1AE	//
						//if(i==0)goto
		lea	esi, [eax+1]		//esi=i;

//生成随机数缓冲区
loc_0_43D1A1:					//do	{
		call	_rand			//	
		mov	[ebp+edi+pBuf1], al	//	pBuf1[edi]=rand();
		inc	edi			//	edi++;
		dec	esi			//	esi--;
		jnz	short loc_0_43D1A1	//while(esi!=0);
//处理完成后
loc_0_43D1AE:			
		push	ebx			//push 8??
		lea	eax, [ebp+pBuf3]	//eax=pBuf3;
		push	0			//
		push	eax			
		call	_memset			//memset(pBuf3,0,ebx),ebx is length of pBuf3
		mov	esi, [ebp+arg_10]	//esi=arg_10
		lea	eax, [ebp+pBuf3]	//eax=pBuf3;
		add	esp, 0Ch		//restore stack
		mov	[ebp+i], eax		//i=pBuf3
		and	dword ptr [esi], 0	//*arg_10=0
		mov	[ebp+arg_10], 1		//arg_10=1

loc_0_43D1D0:					//do	{
		cmp	edi, ebx		
		jge	short loc_0_43D1E3	//  if(edi<ebx){
		call	_rand			
		mov	[ebp+edi+pBuf1], al	//	pBuf1[edi]=rand()
		inc	edi			//	edi++
		inc	[ebp+arg_10]		//	arg_10++
						//  }
		cmp	edi, ebx

loc_0_43D1E3:			
		jnz	short loc_0_43D21C	//  if(edi==ebx){
		mov	ecx, [ebp+i]		//	ecx=i		i=pBuf3;
		lea	eax, [ebp+pBuf1]	//	eax=pBuf1
		xor	edi, edi		//	edi=0;
		sub	ecx, eax		//	ecx=i-pBuf1;	ecx=pBuf3-pBuf1;

loc_0_43D1EF:					//  do{
		lea	eax, [ebp+edi+pBuf1]	//	
		mov	dl, [ecx+eax]		//	
		xor	[eax], dl		//	pBuf1[edi]^=pBuf3[edi];
		inc	edi			//	edi++
		cmp	edi, ebx		//
		jl	short loc_0_43D1EF	//  }while(edi<ebx);
		push	[ebp+arg_C]		//  push arg_C
		lea	eax, [ebp+pBuf1]	//  eax=pBuf1
		push	[ebp+arg_8]		//  push arg_8
		push	eax
		call	TeaEncrypt		//  TeaEncrypt(pBuf1,arg_8,arg_c);
		mov	eax, [ebp+arg_C]	//  eax=arg_C;
		add	[esi], ebx		//  *esi+=ebx;maybe ebx=8
		add	esp, 0Ch		//  restore stack
		xor	edi, edi		//  edi=0;
		add	[ebp+arg_C], ebx	//  arg_C+=ebx;
		mov	[ebp+i], eax	//	//  i=arg_C;

loc_0_43D21C:					//
		cmp	[ebp+arg_10], 2
		jle	short loc_0_43D1D0	//}while(arg_10>=2);
		
		

loc_0_43D222:					
		cmp	[ebp+arg_4], 0
		jz	short loc_0_43D279	//while(arg_4!=0){
		cmp	edi, ebx		//  if(edi<ebx){
		jge	short loc_0_43D23E	//	
		mov	eax, [ebp+arg_0]	//	eax=arg_0;
		inc	edi			//	edi++;
		inc	[ebp+arg_0]		//	arg_0++;
		dec	[ebp+arg_4]		//	arg_4--;
		mov	al, [eax]		//	
		cmp	edi, ebx		//	
		mov	[ebp+edi+pBuf2], al	//	pBuf2[edi]=*arg_0;
						//  }

loc_0_43D23E:			
		jnz	short loc_0_43D222	//  if(edi!=ebx)continue;
		mov	ecx, [ebp+i]		//  ecx=i;
		lea	eax, [ebp+pBuf1]	//  eax=pBuf1;
		xor	edi, edi		//  edi=0;
		sub	ecx, eax		//  ecx=arg_C-pBuf1;

loc_0_43D24A:					//  do {
		lea	eax, [ebp+edi+pBuf1]	//	eax=pBuf1+edi
		mov	dl, [ecx+eax]		//	dl=arg_C+edi;
		xor	[eax], dl		//	pBuf1[edi]^=arg_C[edi];
		inc	edi			//	edi++;
		cmp	edi, ebx		//	
		jl	short loc_0_43D24A	//  while(edi>ebx);
		push	[ebp+arg_C]		//  
		lea	eax, [ebp+pBuf1]
		push	[ebp+arg_8]
		push	eax
		call	TeaEncrypt		//  TeaEncrypt(pBuf1,arg_8,arg_c);
		mov	eax, [ebp+arg_C]	//  eax=arg_C;
		add	[esi], ebx		//  *esi+=ebx;
		add	esp, 0Ch
		xor	edi, edi		//  edi+0;
		add	[ebp+arg_C], ebx	//  arg_C+=ebx;
		mov	[ebp+i], eax		//  i=arg_C;
		jmp	short loc_0_43D222	//}arg_4!=0;

loc_0_43D279:
		mov	[ebp+arg_10], 1		//arg_10=1;

loc_0_43D280:					//do{
		cmp	edi, ebx		//
		jge	short loc_0_43D28F	//  if(edi<ebx){
		and	[ebp+edi+pBuf1], 0	//  	pBuf1[edi]=0;
		inc	edi			//  	edi++;
		inc	[ebp+arg_10]		//  	arg_10++;
		cmp	edi, ebx		//  }

loc_0_43D28F:
		jnz	short loc_0_43D2C8	//  else if(edi==ebx){
		mov	ecx, [ebp+i]		//  	ecx=arg_C;
		lea	eax, [ebp+pBuf1]	//  	eax=pBuf1;
		xor	edi, edi		//  	edi=0;
		sub	ecx, eax		//  	ecx=i-pBuf1;

loc_0_43D29B:					//  	do{
		lea	eax, [ebp+edi+pBuf1]	//	
		mov	dl, [ecx+eax]		//	
		xor	[eax], dl		//	  pBuf1[edi]^=arg_c[edi];
		inc	edi			//	  edi++;
		cmp	edi, ebx
		jl	short loc_0_43D29B	//  	while(edi>ebx);
		push	[ebp+arg_C]		//
		lea	eax, [ebp+pBuf1]
		push	[ebp+arg_8]
		push	eax
		call	TeaEncrypt		//  	TeaEncrypt(pBuf1,arg_8,arg_c);
		mov	eax, [ebp+arg_C]	//  	eax=arg_c;
		add	[esi], ebx		//  	*esi+=ebx;
		add	esp, 0Ch		//  
		xor	edi, edi		//  	edi=0;
		add	[ebp+arg_C], ebx	//  	arg_c+=ebx;
		mov	[ebp+i], eax		//  	i=arg_c;

loc_0_43D2C8:					//  	}
		cmp	[ebp+arg_10], 7
		jle	short loc_0_43D280	//}while(arg_10>=7);
		pop	edi
		pop	esi
		pop	ebx
		leave	
		retn	
_SymmetryEncrypt		endp


_text   ends