// addr[]为 23 1E 封包// output[]为输出int r_ecx, i;DWORD r_edx;BYTE r_cl;r_edx = 0x0B;for (i = 0; i < BYTE_PTR(addr[0x0A]); i++){ r_ecx = i; r_ecx &= 0x80000001; r_cl = BYTE_PTR(addr_ptr[r_edx]); if (r_ecx < 0) { r_ecx --; r_ecx |= 0xFFFFFFFE; r_ecx ++; } if (r_ecx == 0) { r_cl &= 0x0F; } else{ r_cl >>= 4; r_edx++; } output = r_cl;}测试数据:接受的23 1E封包:0012F854 23 1E C2 D1 00 00 C9 00 E5 00 05 56 55 F5 12 00以上数据经过上面函数计算,其 56 55 F5 12 00 解密得到: 06 05 05 05 05 ,该序列就是走路过程的状态序列,长度代表步数路途每步的方向与数值对比:左:04右:00下:06上:02左上:03左下:05右上:01右下:07处理23 1E :0044ABA7 |> 0FB746 02 movzx eax,word ptr ds:[esi+2] ; Case 1E of switch 00449D590044ABAB |. 50 push eax0044ABAC |. E8 0FE7FEFF call TJ2Clien.004392C00044ABB1 |. 8BF8 mov edi,eax0044ABB3 |. 83C4 04 add esp,40044ABB6 |. 3BFB cmp edi,ebx具体计算:004461B0 |> /8BC8 /mov ecx,eax004461B2 |. |81E1 01000080 |and ecx,80000001004461B8 |. |79 05 |jns short TJ2Clien.004461BF004461BA |. |49 |dec ecx004461BB |. |83C9 FE |or ecx,FFFFFFFE004461BE |. |41 |inc ecx004461BF |> |8A0A |mov cl,byte ptr ds:[edx]004461C1 |. |75 05 |jnz short TJ2Clien.004461C8004461C3 |. |80E1 0F |and cl,0F004461C6 |. |EB 04 |jmp short TJ2Clien.004461CC004461C8 |> |C0E9 04 |shr cl,4004461CB |. |42 |inc edx004461CC |> |880C30 |mov byte ptr ds:[eax+esi],cl004461CF |. |0FB64F 0A |movzx ecx,byte ptr ds:[edi+A]004461D3 |. |40 |inc eax004461D4 |. |3BC1 |cmp eax,ecx004461D6 |.^7C D8 jl short TJ2Clien.004461B0030A19CB CC int3030A19CC CB retf030A19CD 38EF cmp bh,ch030A28C1 CC int3030A28C2 C010 03 rcl byte ptr ds:[eax],3030A28C5 B1 54 mov cl,54030A28C7 ^ E9 D1FDFFFF jmp 030A269D 作者:眼镜
扫一扫
4851
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
