IDA 伪代码解密分析:解密步骤和密钥位置
易懂代码:
解密函数
// Decrypts `data` with a RijndaelManaged instance keyed by `cryptoKey`.
// This is IDA/IL2CPP pseudocode simplified by the page author; it is not
// compilable as printed.
//
// cryptoKey: raw key bytes; its length also sets BlockSize and KeySize below.
// data:      ciphertext bytes; the range 0 .. data->max_length is transformed.
// method:    IL2CPP MethodInfo pointer; not read anywhere in this listing.
// returns:   the byte array produced by the decryptor call.
//
// NOTE(review): no integrity check (MAC/AEAD) is visible in this listing.
// Confirm whether the caller authenticates the ciphertext before it gets here.
System_Byte_array *__fastcall A2_Crypto_BasicCrypto__Decrypt_32629204(System_Byte_array *cryptoKey, System_Byte_array *data, const MethodInfo *method)
{
System_Security_Cryptography_RijndaelManaged_o *rijndael; // pointer to the RijndaelManaged instance
System_Byte_array *result; // pointer to the decrypted result
// sub_154ACB8 is presumably the IL2CPP object allocator (takes the type info) - TODO confirm
rijndael = (System_Security_Cryptography_RijndaelManaged_o *)sub_154ACB8(System_Security_Cryptography_RijndaelManaged_TypeInfo);
System_Security_Cryptography_RijndaelManaged___ctor(rijndael, 0LL);
// Configure the RijndaelManaged instance through its vtable setters.
// BlockSize and KeySize are both set to 8 * key length in bytes, so the block
// size in bits follows the key size. Only a 16-byte key yields the 128-bit
// block that standard AES uses.
((void (__fastcall *)(System_Security_Cryptography_RijndaelManaged_o *, _QWORD, const MethodInfo *))rijndael->klass->vtable._7_set_BlockSize.methodPtr)(rijndael, (unsigned int)(8 * LODWORD(cryptoKey->max_length)), rijndael->klass->vtable._7_set_BlockSize.method);
((void (__fastcall *)(System_Security_Cryptography_RijndaelManaged_o *, _QWORD, const MethodInfo *))rijndael->klass->vtable._15_set_KeySize.methodPtr)(rijndael, (unsigned int)(8 * LODWORD(cryptoKey->max_length)), rijndael->klass->vtable._15_set_KeySize.method);
// NOTE(review): v6 (the IV) is never declared or assigned in this listing, so
// the IV's origin cannot be determined from here. Check the unsimplified
// decompilation. A fixed or key-derived IV would weaken CBC.
((void (__fastcall *)(System_Security_Cryptography_RijndaelManaged_o *, __int64, const MethodInfo *))rijndael->klass->vtable._10_set_IV.methodPtr)(rijndael, v6, rijndael->klass->vtable._10_set_IV.method);
((void (__fastcall *)(System_Security_Cryptography_RijndaelManaged_o *, System_Byte_array *, const MethodInfo *))rijndael->klass->vtable._12_set_Key.methodPtr)(rijndael, cryptoKey, rijndael->klass->vtable._12_set_Key.method);
// Mode value 1 corresponds to CipherMode.CBC in the .NET enum.
((void (__fastcall *)(System_Security_Cryptography_RijndaelManaged_o *, __int64, const MethodInfo *))rijndael->klass->vtable._17_set_Mode.methodPtr)(rijndael, 1LL, rijndael->klass->vtable._17_set_Mode.method);
// Padding value 2 corresponds to PaddingMode.PKCS7 in the .NET enum.
((void (__fastcall *)(System_Security_Cryptography_RijndaelManaged_o *, __int64, const MethodInfo *))rijndael->klass->vtable._19_set_Padding.methodPtr)(rijndael, 2LL, rijndael->klass->vtable._19_set_Padding.method);
// Create the decryptor.
// NOTE(review): as printed, this line is missing an opening parenthesis before
// the function-pointer cast; the parentheses do not balance.
_QWORD *decryptor = (__int64 (__fastcall *)(System_Security_Cryptography_RijndaelManaged_o *, const MethodInfo *))rijndael->klass->vtable._22_CreateDecryptor.methodPtr)(rijndael, rijndael->klass->vtable._22_CreateDecryptor.method);
// Decrypt the data in one call over the whole input (offset 0, length
// data->max_length). The argument shape matches
// ICryptoTransform.TransformFinalBlock(buffer, offset, count); presumably that
// is the method invoked here - TODO confirm against the original decompilation.
result = (System_Byte_array *)(*(__int64 (__fastcall **)(_QWORD *, __int64, _QWORD, _QWORD, _QWORD))decryptor)(decryptor, data, 0LL, data->max_length, *(_QWORD *)(decryptor + 2));
return result;
}
// Wrapper around the decrypt routine: encodes the string key to bytes first.
//
// cryptoKey: key as a managed string.
// data:      ciphertext bytes, passed through unchanged.
// method:    IL2CPP MethodInfo pointer, forwarded to the byte-array overload.
// returns:   whatever A2_Crypto_BasicCrypto__Decrypt_32629204 returns.
//
// The key bytes are the UTF-8 encoding of the string, so the string's encoded
// length determines the KeySize and BlockSize chosen by the callee.
System_Byte_array *__fastcall A2_Crypto_BasicCrypto__Decrypt_32630132(System_String_o *cryptoKey, System_Byte_array *data, const MethodInfo *method)
{
// Fetch the UTF-8 encoding object.
System_Text_Encoding_o *utf8 = System_Text_Encoding__get_UTF8(0LL);
// Encoding.GetBytes(cryptoKey), dispatched through the vtable.
System_Byte_array *keyBytes = (System_Byte_array *)((__int64 (__fastcall *)(System_Text_Encoding_o *, System_String_o *, const MethodInfo *))utf8->klass->vtable._18_GetBytes.methodPtr)(utf8, cryptoKey, utf8->klass->vtable._18_GetBytes.method);
return A2_Crypto_BasicCrypto__Decrypt_32629204(keyBytes, data, method);
}
// Caller excerpt ("main function" in the original page): the call site that
// derives the key string and decrypts this->fields.bytes.
// Judging by its name this is a closure invoked when an HTTP request
// finishes - TODO confirm. Most of the body was elided by the page author;
// v11, v12 and v13 are not declared in what remains.
void __fastcall A2_Http_PokkeMsgPackAPI___c__DisplayClass8_0_object__object____OnRequestFinish_b__0(A2_Http_PokkeMsgPackAPI___c__DisplayClass8_0_object__object__o *this, Il2CppObject *o, const MethodInfo_25E5F00 *method)
{
// ... (elided in the source listing; v11 is assigned somewhere in here)
// Hash the key string v11. The meaning of the argument 16 is not shown here;
// presumably an output length - TODO confirm in A2_Crypto_Hash__HashString.
v12 = A2_Crypto_Hash__HashString(v11, 16, 0LL);
// ... (elided in the source listing)
// Decrypt the received bytes using the hashed string as the key (string overload).
v13 = A2_Crypto_BasicCrypto__Decrypt_32630132(v12, this->fields.bytes, 0LL);
// ... (elided in the source listing)
}
解密步骤
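- 获取密钥字符串: v11 变量存储了密钥字符串(它的赋值位置在上面的代码片段中被省略)。
- 计算密钥哈希值: A2_Crypto_Hash__HashString(v11, 16, 0LL) 函数计算了密钥字符串的哈希值,结果 v12 是一个字符串,该哈希值可能是最终用来解密数据的密钥;第二个参数 16 的含义需要结合该函数的实现确认。
- 使用RijndaelManaged解密: A2_Crypto_BasicCrypto__Decrypt_32630132(v12, this->fields.bytes, 0LL) 函数先把 v12 按 UTF-8 编码成字节数组,再调用 A2_Crypto_BasicCrypto__Decrypt_32629204,使用哈希后的密钥对 this->fields.bytes 中的数据进行解密。解密时 BlockSize 和 KeySize 都被设为密钥字节数 × 8,Mode 为 1、Padding 为 2(在 .NET 枚举中分别对应 CBC 和 PKCS7);IV 取自 v6,但这个变量在上面的代码中没有定义,其来源需要回到原始反编译结果确认。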
可能的密钥位置
- 代码中的 v11 变量存储了密钥字符串,这个变量的值可能是从其他地方获取的,例如配置项、网络请求等等。
- A2_Crypto_Hash__HashString 函数可能会使用特定的算法对密钥字符串进行哈希运算,可能存在特定的算法配置信息,例如盐值、密钥长度等。
- A2_Crypto_BasicCrypto__Decrypt_32630132 函数使用哈希后的密钥进行解密,可以通过分析该函数的实现细节,找到具体的密钥使用方式,以及可能存在的密钥配置信息。
分析总结
这段代码使用了RijndaelManaged算法进行数据解密,密钥可能是通过哈希计算获得的。可以通过对代码进行更深入的分析,找到具体的密钥位置,以及密钥的生成方式,从而实现对数据的完整解密。另外,上面的代码中看不到任何完整性校验(MAC 或 AEAD):如果密钥材料可以完全在客户端推导出来,这层加密实际上只起到混淆作用,数据的保密性和防篡改仍需依靠传输层(TLS)和服务端校验来保证。
免责声明: 本分析仅供学习研究使用,请勿用于任何非法目的。