想定解
#include <Windows.h> | |
#include <iostream> | |
using namespace std; | |
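/// @brief Decodes `size` bytes of `resource` in place with a rolling key,
///        reconstructed from the disassembly quoted in the block comments.
///
/// For every byte the key is advanced (key = key * 5 + 0x2365F703), the byte
/// is conditionally decremented, XORed with the low byte of the key, the key
/// is advanced again (key = (key >> 2) - 0x1CA9) and the byte is XORed with
/// the low byte of key + 2 * seccamp[i % a].
///
/// @param resource Buffer to decode; modified in place.
/// @param size     Number of bytes of `resource` to process.
/// @param key      Rolling key; passed by reference, so the caller's variable
///                 holds the final key state afterwards.
/// @param seccamp  Secondary key string; must contain at least `a` characters.
/// @param a        Modulus used to index `seccamp` (11 in the disassembly).
///
/// The function returns without touching the buffer when `resource` is null,
/// `a` is zero (the modulo would divide by zero) or `seccamp` is shorter than
/// `a` (the index would run past the string).
void DecodeRoutine(PBYTE resource, WORD& size, ULONGLONG& key, string& seccamp, WORD a = 11) {
    if (resource == nullptr || a == 0 || seccamp.size() < a) {
        return;
    }

    for (int i = 0; i < size; ++i) {
        /*
        imul rax, [rsp+18h+key], 5          // rax = key * 5
        mov [rsp+18h+key], rax              // key = rax
        */
        key *= 5;

        /*
        mov rax, [rsp+18h+key]              // rax = key
        add rax, 2365F703h                  // rax += 0x2365F703
        mov [rsp+18h+key], rax              // key = rax
        */
        key += 0x2365F703;

        /*
        movsxd rax, [rsp+18h+i]             // rax = i
        mov rcx, [rsp+18h+allocate]         // rcx = allocate (the buffer, `resource` here)
        movsx eax, byte ptr [rcx+rax]       // eax = byte at allocate[i]
        dec eax                             // eax -= 1
        and eax, 0FFh                       // eax &= 0xFF
        cmp eax, 0A0h                       // compare eax with 0xA0
        jle short 1400000A1                 // jump if eax <= 0xA0
        movsxd rax, [rsp+18h+i]             // rax = i
        mov rcx, [rsp+18h+allocate]         // rcx = allocate
        movsx eax, byte ptr [rcx+rax]       // eax = byte at allocate[i]
        dec eax                             // eax -= 1
        and eax, 0FFh                       // eax &= 0xFF
        cmp eax, 0FFh                       // compare eax with 0xFF
        jge short 1400000A1                 // jump if eax >= 0xFF
        */
        // For a byte of 0 the native code sees 0xFF after the mask and this
        // expression sees -1; both fail the range test, so the result agrees.
        if ((resource[i] - 1) > 0xA0 && (resource[i] - 1) < 0xFF) {
            /*
            movsxd rax, [rsp+18h+i]         // rax = i
            mov rcx, [rsp+18h+allocate]     // rcx = allocate
            movsx eax, byte ptr [rcx+rax]   // eax = byte at allocate[i]
            dec eax                         // eax -= 1
            movsxd rcx, [rsp+18h+i]         // rcx = i
            mov rdx, [rsp+18h+allocate]     // rdx = allocate
            mov [rdx+rcx], al               // allocate[i] = al
            */
            --resource[i];
        }

        /*
        movsxd rax, [rsp+18h+i]             // rax = i
        mov rcx, [rsp+18h+allocate]         // rcx = allocate
        movsx rax, byte ptr [rcx+rax]       // rax = byte at allocate[i]
        xor rax, [rsp+18h+key]              // rax ^= key
        movsxd rcx, [rsp+18h+i]             // rcx = i
        mov rdx, [rsp+18h+allocate]         // rdx = allocate
        mov [rdx+rcx], al                   // allocate[i] = al (low byte only)
        */
        resource[i] ^= static_cast<BYTE>(key);

        /*
        mov rax, [rsp+18h+key]              // rax = key
        sar rax, 2                          // shift rax right by 2 (arithmetic)
        mov [rsp+18h+key], rax              // key = rax
        */
        // `sar` is an arithmetic shift while >> on ULONGLONG is logical; the
        // two agree only while bit 63 of the key is clear.
        key = key >> 2;

        /*
        mov rax, [rsp+18h+key]              // rax = key
        sub rax, 1CA9h                      // rax -= 0x1CA9
        mov [rsp+18h+key], rax              // key = rax
        */
        key -= 0x1CA9;

        /*
        mov eax, [rsp+18h+i]                // eax = i
        cdq
        idiv [rsp+18h+a11]                  // divide by a11 (quotient in eax, remainder in edx)
        mov eax, edx                        // eax = remainder
        cdqe
        mov rcx, [rsp+18h+aSeccamp2021]     // rcx = aSeccamp2021
        movsx eax, byte ptr [rcx+rax]       // eax = aSeccamp2021[i % a11]
        mov [rsp+18h+var_14], eax           // var_14 = eax
        mov eax, [rsp+18h+i]                // eax = i
        cdq
        idiv [rsp+18h+a11]                  // divide by a11
        mov eax, edx                        // eax = remainder
        cdqe
        mov rcx, [rsp+18h+aSeccamp2021]     // rcx = aSeccamp2021
        movsx eax, byte ptr [rcx+rax]       // eax = aSeccamp2021[i % a11]
        mov ecx, [rsp+18h+var_14]           // ecx = var_14
        add ecx, eax                        // ecx += eax
        mov eax, ecx                        // eax = ecx
        cdqe
        */
        // The same character is loaded twice and summed, hence the factor 2.
        // The modulus is the `a` parameter (a11 in the disassembly).
        const DWORD add = static_cast<DWORD>(2 * seccamp[i % a]);

        /*
        movsxd rax, [rsp+18h+i]             // rax = i
        mov rcx, [rsp+18h+allocate]         // rcx = allocate
        movsx eax, byte ptr [rcx+rax]       // eax = byte at allocate[i]
        mov [rsp+18h+var_10], eax           // var_10 = eax
        ...
        add rax, [rsp+18h+key]              // rax += key
        movsx eax, al                       // eax = sign-extended al
        mov ecx, [rsp+18h+var_10]           // ecx = var_10
        xor ecx, eax                        // ecx ^= eax
        mov eax, ecx                        // eax = ecx
        movsxd rcx, [rsp+18h+i]             // rcx = i
        mov rdx, [rsp+18h+allocate]         // rdx = allocate
        mov [rdx+rcx], al                   // allocate[i] = al (low byte only)
        */
        resource[i] ^= static_cast<BYTE>(key + add);
    }
}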
/// Entry point: runs DecodeRoutine over the embedded sample buffer with the
/// initial key 0x89192712 and the key string "SECCAMP2021". The decoded bytes
/// stay in the local buffer; nothing is printed.
int main() {
    string seccamp("SECCAMP2021");
    ULONGLONG key = 0x89192712;

    BYTE encoded[] = "\x9D\xCB\x1E\xA7\x65\xED\x5F\x4D\x01\xD6\x49\x4A\x55\xBD\xD7\x83\x52\x07\x30\x40";
    // The string literal carries an implicit trailing NUL that is not part of
    // the encoded data, so it is excluded from the length.
    WORD encoded_size = sizeof(encoded) - 1;

    DecodeRoutine(encoded, encoded_size, key, seccamp);
}
def DecodeRoutine(resource, resource_size, key, seccamp, seccamp_size):
    """Decode the first ``resource_size`` entries of ``resource`` in place.

    ``resource`` is a mutable sequence of byte values. For each entry the
    rolling ``key`` is advanced, the entry is decremented when ``entry - 1``
    lies strictly between 0xA0 and 0xFF, XORed with the low byte of the key,
    the key is advanced again, and the entry is XORed with the low byte of
    ``key + 2 * ord(seccamp[i % seccamp_size])``.

    Nothing is returned, and the caller's ``key`` is not updated because the
    integer is rebound locally.

    NOTE(review): ``key`` is an unbounded Python int here; presumably the
    native routine uses a 64-bit value, so results would only match while the
    key stays within that range -- confirm for long inputs.
    """
    for idx in range(resource_size):
        key = key * 5 + 0x2365F703

        lowered = resource[idx] - 1
        if 0xA0 < lowered < 0xFF:
            resource[idx] = lowered

        resource[idx] ^= key & 0xFF
        key = (key >> 2) - 0x1CA9

        pad = ord(seccamp[idx % seccamp_size])
        resource[idx] ^= (key + 2 * pad) & 0xFF
if __name__ == '__main__':
    # Earlier sample buffer, kept for reference (the same bytes as in the C++ version):
    # resource = [0x9D, 0xCB, 0x1E, 0xA7, 0x65, 0xED, 0x5F, 0x4D, 0x01, 0xD6, 0x49, 0x4A, 0x55, 0xBD, 0xD7, 0x83, 0x52, 0x07, 0x30, 0x40]
    seccamp = "SECCAMP2021"
    key = 0x89192712
    resource = [
        0x8d, 0x93, 0x13, 0x8a, 0x43, 0xb6, 0x59, 0x4d, 0x41, 0x80,
        0x1b, 0x53, 0x02, 0x86, 0xf2, 0xed, 0x55, 0x55, 0x78, 0x59,
        0x8b, 0x77, 0x35, 0x17, 0x56,
    ]
    resource_size = len(resource)

    # The buffer is decoded in place; 11 is the modulus used to index the key string.
    DecodeRoutine(resource, resource_size, key, seccamp, 11)

    # Render every decoded value as a character and print the result.
    print("".join(map(chr, resource)))