我想弄清楚怎样解密存放在变量里的那个字符串。我了解寄存器的工作方式，也看得懂这段代码在做什么，但我不知道怎样把这个加密过程反过来。
我不明白 ror 指令的作用；xor 我是懂的：1 xor 1 = 0、1 xor 0 = 1、0 xor 0 = 0。
我试过把 xor 换成“与”(and) 运算，也试过改成减去另一个数。我还尝试理解 ROR 指令，但不清楚它对结果的影响有多大。
.386                                    ; 32-bit x86 instruction set (movzx/ror etc. available)
.model flat, stdcall                    ; flat 32-bit model; callee pops its own args (see ret 8 below)
.stack 4096
; Win32 API prototype used to terminate the process.
; NOTE(review): it must be INVOKEd from inside main, before main ENDP -
; anything placed after END is not assembled.
ExitProcess PROTO, dwExitCode: DWORD
.data
; define your variables here
; Test plaintext: 22 characters plus a NUL terminator (LENGTHOF ptxt = 23).
ptxt BYTE "Plain text for testing", 0
; Ciphertext to recover: 44 bytes plus a NUL terminator (LENGTHOF ctxt = 45).
; Presumably produced by sub_enc's per-byte transform (add 27, xor 189, ror 3);
; sub_dec applies the inverse. Laid out 8 bytes per line, last line holds the NUL.
ctxt BYTE 5Dh, 0A5h, 66h, 0A7h, 06h, 9Ch, 39h, 0E6h,
          0A5h, 5Dh, 0FEh, 0A5h, 66h, 0A7h, 06h, 9Ch,
          5Dh, 0C6h, 38h, 66h, 66h, 0E5h, 0E6h, 06h,
          58h, 9Ch, 0FBh, 0E6h, 46h, 0D0h, 27h, 46h,
          30h, 5Dh, 0FEh, 0C6h, 38h, 66h, 66h, 0E5h,
          0E6h, 06h, 58h, 9Ch, 0
.code
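;-----------------------------------------------------------------------
; main - decrypt ctxt in place, then exit.
; Arguments for sub_dec are pushed so that inside its frame
;   [ebp+8]  = byte count (pushed last)
;   [ebp+12] = buffer address (pushed first)
; sub_dec removes both with ret 8, so the stack is balanced after the call.
;-----------------------------------------------------------------------
main PROC
    push OFFSET ctxt            ; address of the buffer to transform
    push LENGTHOF ctxt          ; byte count including the NUL terminator (45)
    call sub_dec                ; callee pops both arguments
    ; Terminate the process here. Without this, execution would fall off the
    ; end of main into the next PROC (sub_enc) with a garbage stack frame;
    ; an INVOKE placed after END is never assembled, so it does not help.
    INVOKE ExitProcess, 0
main ENDP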
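;-----------------------------------------------------------------------
; sub_enc - obfuscate a NUL-terminated buffer in place (stdcall, 2 DWORD args)
; Stack:  [ebp+8]  = byte count of the buffer, including the NUL
;         [ebp+12] = address of the buffer
; Every byte except the final NUL becomes  ror((b + 27) xor 189, 3).
; Each step is an invertible operation on one byte, so the whole thing is a
; fixed, keyless permutation of byte values: anyone holding the binary reads
; the three constants and reverses it (see sub_dec). Obfuscation, not encryption.
; Returns nothing. Clobbers eax, ecx, flags; esi is preserved (callee-saved
; under the Win32 stdcall convention). Pops its two arguments (ret 8).
; Counts of 0 or 1 (no payload bytes) are a no-op.
;-----------------------------------------------------------------------
sub_enc PROC
    push ebp
    mov ebp, esp
    push esi                    ; preserve caller's esi
    mov ecx, [ebp+8]            ; ecx = byte count including NUL
    mov esi, [ebp+12]           ; esi = next byte to transform
    cmp ecx, 1
    jbe ENC_DONE                ; nothing but a NUL (or nothing at all): leave it
    dec ecx                     ; ecx = payload bytes; the NUL is not touched
ENC_NEXT:
    movzx eax, BYTE PTR [esi]   ; al = current byte
    add al, 27                  ; step 1: add 27 (mod 256)
    xor al, 189                 ; step 2: flip the bits set in 189 (0BDh)
    ror al, 3                   ; step 3: rotate right 3; the 3 low bits wrap to the top
    mov [esi], al               ; write the transformed byte back
    inc esi
    dec ecx
    jnz ENC_NEXT
ENC_DONE:
    pop esi
    pop ebp
    ret 8
sub_enc endp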
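;-----------------------------------------------------------------------
; sub_dec - undo sub_enc in place (stdcall, 2 DWORD args)
; Stack:  [ebp+8]  = byte count of the buffer, including the NUL
;         [ebp+12] = address of the buffer
; sub_enc applied  add 27 -> xor 189 -> ror 3  to each byte. To invert it,
; apply the inverse of each step in REVERSE order:
;   rol 3      undoes ror 3   (rotation is a bit permutation; rotating back restores it)
;   xor 189    undoes xor 189 (xor with the same value twice is the identity)
;   sub 27     undoes add 27  (byte arithmetic wraps mod 256, so the wrap cancels too)
; AND can never be the inverse of XOR: it clears bits and cannot be undone.
; Returns nothing. Clobbers eax, ecx, flags; esi is preserved (callee-saved
; under the Win32 stdcall convention). Pops its two arguments (ret 8).
; Counts of 0 or 1 (no payload bytes) are a no-op.
;-----------------------------------------------------------------------
sub_dec PROC
    push ebp
    mov ebp, esp
    push esi                    ; preserve caller's esi
    mov ecx, [ebp+8]            ; ecx = byte count including NUL
    mov esi, [ebp+12]           ; esi = next byte to restore
    cmp ecx, 1
    jbe DEC_DONE                ; nothing but a NUL (or nothing at all): leave it
    dec ecx                     ; ecx = payload bytes; the NUL is not touched
DEC_NEXT:
    movzx eax, BYTE PTR [esi]   ; al = obfuscated byte
    rol al, 3                   ; undo  ror al, 3
    xor al, 189                 ; undo  xor al, 189
    sub al, 27                  ; undo  add al, 27
    mov [esi], al               ; write the plaintext byte back
    inc esi
    dec ecx
    jnz DEC_NEXT
DEC_DONE:
    pop esi
    pop ebp
    ret 8
sub_dec endp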
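; END closes the module; MASM ignores every line after it, so a call placed
; here is never assembled and never runs. Process termination
; (INVOKE ExitProcess, 0) has to sit inside main, before main ENDP.
end main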
所以 sub_enc 只是给出的一个加密示例。我现在想解密 ctxt 这个字符串（main 里传给 sub_dec 的就是 ctxt）。我知道需要修改的三行是：
add al, 27
and al, 189
ror al, 3
这三行是我直接从加密循环里照搬过来的，只是为了观察这个过程在寄存器里是怎么运作的；我真正没弄明白的是，该如何找出一种规律，把这些字节重新变回能拼出有意义内容的 ASCII 字符。不知道我说清楚了没有？