关于360 hookport.sys模块名加密

layout: post
title: 关于360 hookport.sys模块名加密
categories: WindowsDriver
description: 关于360 hookport.sys模块名加密
keywords:
url: https://lichao890427.github.io/ https://github.com/lichao890427/

关于360 hookport.sys模块名加密

简介

hookport用于hook nt*，其中会获取竞品模块地址。在ZwQuerySystemInformation => SystemModuleInformation得到模块文件名后，HookPort会将文件名经过加密与预先存储在程序中的加密过的模块名(一个4字节整数)作对比，以下程序可以根据整数求出文件名：

哈希	模块	产品
0x07848DA1	knbdrv.sys	猎豹安全浏览器
0x42503C81	bd0001.sys	百度安全
0x4D71E020	tsfltmgr.sys	qq管家
0xB8178767	kisknl.sys	金山毒霸

加密算法汇编源码

unsigned int __declspec(naked) encode(char* str)
{
    _asm
    {
        mov     esi, [esp+4]
        mov     ebx, [esp+4]
        mov     edi, [esp+4]
        xor     al, al
loc_17E37:
        scasb
        jnz     short loc_17E37
        sub     edi, ebx
        cld
        xor     ecx, ecx
        dec     ecx
        mov     edx, ecx
loc_17E42:
        xor     eax, eax
        xor     ebx, ebx
        lodsb
        xor     al, cl
        mov     cl, ch
        mov     ch, dl
        mov     dl, dh
        mov     dh, 8
loc_17E51:
        shr     bx, 1
        rcr     ax, 1
        jnb     short loc_17E62
        xor     ax, 0xC6B4
        xor     bx, 0xCE96
loc_17E62:
        dec     dh
        jnz     short loc_17E51
        xor     ecx, eax
        xor     edx, ebx
        dec     edi
        jnz     short loc_17E42
        not     edx
        not     ecx
        mov     eax, edx
        rol     eax, 10h
        mov     ax, cx
        ret
    }
}

破解哈希算法的C++源码

#include <stdio.h>

void main(int argc, char* argv[])
{
    char n[16]={0};
    n[14]='s';
    n[13]='y';
    n[12]='s';
    n[11]='.';
    for(int len=1;len<=7;len++)
    {
        int cf=0;
        for(int j=0;j<len;j++)
        {
            n[10-j]='a';
        }
        while(!cf)
        {
            unsigned int obj=encode(n+11-len);
            if(obj == 0x42503C81)
            {
                printf("%s\n",n+11-len);
                break;
            }
            n[10]++;
            for(int j=0;j<len;j++)
            {
                if(n[10-j] > 'z')
                {
                    n[10-j]='0';
                }
                if(n[10-j] > '9' && n[10-j] < 'a')
                {
                    n[10-j] = 'a';
                    if(j!=len-1)
                        n[10-j-1]++;
                    else
                        cf=1;
                }
            }
        }
    }

    getchar();
}

#include <Ntddk.h>
#include "DriverMonitor.h"
extern "C"
{
        int __security_cookie;
        extern POBJECT_TYPE *IoDriverObjectType;
        NTSTATUS __stdcall ObReferenceObjectByName(PUNICODE_STRING,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PVOID,PVOID);
        NTSTATUS __stdcall NtQuerySystemInformation (SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG);

};


VOID __stdcall unload(PDRIVER_OBJECT)
{

}

ULONG GetModuleBase(PCHAR modulename);


PWCHAR str[]=
{


};

extern "C"
{
        NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
        {                

                int ret=0;
                pdr->DriverUnload=unload;
                ULONG Base=GetModuleBase("tsksp.sys");
                if(Base)
                {
                        for(int i=0;i<sizeof(str)/sizeof(str[0]);i++)
                        {
                                ret=((int (__stdcall*)(PWCHAR))(Base+0xecba))(str[i]);
                                if(ret)
                                {
                                        __debugbreak();
                                }
                        }
                        ret=0;
                }
                __debugbreak();


                return STATUS_SUCCESS;
        }
};

ULONG GetModuleBase(PCHAR modulename)
{
        PVOID Buffer = NULL;
        ULONG ReturnLength = 0;
        NTSTATUS status;
        PRTL_PROCESS_MODULES modules = NULL;
        ULONG BaseAddr = NULL;
        NtQuerySystemInformation(SystemModuleInformation,&ReturnLength,0,&ReturnLength);
        if(ReturnLength)
                Buffer = ExAllocatePool(PagedPool,ReturnLength);
        if(Buffer)
                status = NtQuerySystemInformation(SystemModuleInformation,Buffer,ReturnLength,NULL);
        modules = (PRTL_PROCESS_MODULES)Buffer;
        if(NT_SUCCESS(status))
        {
                for(int i=0;i<modules->NumberOfModules;i++)
                {
                        int offset = modules->Modules[i].OffsetToFileName;
                        if(!_stricmp((const char*)(modules->Modules[i].FullPathName+offset),modulename))
                        {
                                BaseAddr = (ULONG)modules->Modules[i].ImageBase;
                        }
                }
        }
        if(Buffer)
                ExFreePool(Buffer);
        return BaseAddr;
}
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
{
    int ret=0;
    pdr->DriverUnload=unload;
    ULONG Base=GetModuleBase("tsksp.sys");
    __debugbreak();
    if(Base)
    {
        WCHAR n[16]={0};
        n[14]='l';
        n[13]='l';
        n[12]='d';
        n[11]='.';
        for(int len=1;len<=7;len++)
        {
            int cf=0;
            for(int j=0;j<len;j++)
            {
                n[10-j]='0';
            }
            n[10-len]='\\';
            while(!cf)
            {
                ret=((int (__stdcall*)(PWCHAR))(Base+0xecba))(n+10-len);
                if(ret)
                {
                    __debugbreak();
                }
                n[10]++;
                for(int j=0;j<len;j++)
                {
                    if(n[10-j] > 'z')
                    {
                        n[10-j]='0';
                        if(j!=len-1)
                            n[10-j-1]++;
                        else
                            cf=1;
                    }
                    else if(n[10-j] == '\\')
                        n[10-j] = '\\'+1;
                }
            }
        }
    }
    __debugbreak();
    return STATUS_SUCCESS;
}

#include <windows.h>
#include <stdio.h>


void func(wchar_t* path)
{
    unsigned char data1[]={
        0x83,0x60,0x14,0x0,0x83,0x60,0x10,0x0,0xc7,0x0,0x1,0x23,0x45,0x67,0xc7,0x40,0x4,0x89,0xab,0xcd,
        0xef,0xc7,0x40,0x8,0xfe,0xdc,0xba,0x98,0xc7,0x40,0xc,0x76,0x54,0x32,0x10,0xc3,0x55,0x8b,0xec,0x51,
        0x53,0x56,0x8b,0xf1,0x8b,0x4e,0x10,0x8b,0xd8,0x8b,0xc1,0xc1,0xe8,0x3,0x8b,0xd3,0x8d,0xc,0xd9,0xc1,
        0xe2,0x3,0x83,0xe0,0x3f,0x3b,0xca,0x57,0x89,0x4e,0x10,0x73,0x3,0xff,0x46,0x14,0x6a,0x40,0x8b,0xcb,
        0xc1,0xe9,0x1d,0x1,0x4e,0x14,0x5f,0x2b,0xf8,0x3b,0xdf,0x72,0x4b,0x33,0xc9,0x85,0xff,0x76,0x12,0x8d,
        0x44,0x30,0x18,0x8b,0x55,0x8,0x8a,0x14,0x11,0x88,0x14,0x8,0x41,0x3b,0xcf,0x72,0xf2,0x8d,0x4e,0x18,
        0x56,0xe8,0xb0,0x0,0x0,0x0,0x8d,0x47,0x3f,0x3b,0xc3,0x73,0x1f,0x89,0x45,0xfc,0x8b,0x45,0x8,0x8b,
        0x4d,0xfc,0x8d,0x4c,0x8,0xc1,0x56,0xe8,0x96,0x0,0x0,0x0,0x83,0x45,0xfc,0x40,0x83,0xc7,0x40,0x39,
        0x5d,0xfc,0x72,0xe4,0x33,0xc0,0xeb,0x2,0x33,0xff,0x33,0xc9,0x2b,0xdf,0x74,0x14,0x8b,0x55,0x8,0x3,
        0xd7,0x8d,0x74,0x30,0x18,0x8a,0x4,0xa,0x88,0x4,0xe,0x41,0x3b,0xcb,0x72,0xf5,0x5f,0x5e,0x5b,0xc9,
        0xc2,0x4,0x0,0x55,0x8b,0xec,0x51,0x51,0x56,0x6a,0x8,0x8d,0x77,0x10,0x5a,0x8b,0xc6,0x8d,0x4d,0xf8,
        0xe8,0xe3,0x6,0x0,0x0,0x8b,0xe,0xc1,0xe9,0x3,0x6a,0x38,0x58,0x83,0xe1,0x3f,0x3b,0xc8,0x5e,0x72,
        0x3,0x6a,0x78,0x58,0x2b,0xc1,0x68,0xf8,0x5b,0x3,0x0,0x8b,0xcf,0xe8,0x22,0xff,0xff,0xff,0x8d,0x45,
        0xf8,0x50,0x6a,0x8,0x58,0x8b,0xcf,0xe8,0x14,0xff,0xff,0xff,0x8b,0x4d,0x8,0x6a,0x10,0x5a,0x8b,0xc7,
        0xe8,0xa7,0x6,0x0,0x0,0x6a,0x58,0x6a,0x0,0x57,0xe8,0x61,0x28,0x1,0x0,0x83,0xc4,0xc,0xc9,0xc2,
        0x4,0x0,0x55,0x8b,0xec,0x8b,0x45,0x8,0x83,0xec,0x48,0x53,0x56,0x57,0x6a,0x10,0x83,0xc1,0x2,0x8d,
        0x75,0xb8,0x5f,0xf,0xb6,0x59,0xff,0x33,0xd2,0x8a,0x71,0x1,0x8a,0x11,0x83,0xc1,0x4,0xc1,0xe2,0x8,
        0xb,0xd3,0xf,0xb6,0x59,0xfa,0xc1,0xe2,0x8,0xb,0xd3,0x89,0x16,0x83,0xc6,0x4,0x4f,0x75,0xdc,0x8b,
        0x70,0x4,0x8b,0x50,0x8,0x8b,0x48,0xc,0x8b,0x0,0x8b,0xfe,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xde,
        0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xde,0x8d,0x84,0x7,0x78,0xa4,0x6a,0xd7,0xc1,0xc0,0x7,0x3,0xc6,0x23,
        0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0x56,0xb7,0xc7,0xe8,0xc1,
        0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8b,
        0xd9,0x8d,0x94,0x17,0xdb,0x70,0x20,0x24,0xc1,0xca,0xf,0x3,0xd1,0x23,0xda,0x8b,0xfa,0xf7,0xd7,0x23,
        0xf8,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0xb4,0x37,0xee,0xce,0xbd,0xc1,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,
        0xfc,0x8b,0xfa,0x23,0x7d,0xfc,0xf7,0xd6,0x23,0xf1,0xb,0xf7,0x3,0x75,0xc8,0x8d,0x84,0x6,0xaf,0xf,
        0x7c,0xf5,0x8b,0x75,0xfc,0xc1,0xc0,0x7,0x3,0xc6,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0x8b,0xde,0x23,0xd8,
        0xb,0xfb,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x2a,0xc6,0x87,0x47,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,
        0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd0,0x8b,0xd9,0x8d,0x94,0x17,0x13,0x46,0x30,
        0xa8,0xc1,0xca,0xf,0x3,0xd1,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0x23,0xda,0xb,0xfb,0x3,0x7d,0xd4,0x8d,
        0xb4,0x37,0x1,0x95,0x46,0xfd,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,
        0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,0xd8,0x8d,0x84,0x6,0xd8,0x98,0x80,0x69,0x8b,0x75,0xfc,0x8b,0xde,
        0xc1,0xc0,0x7,0x3,0xc6,0x23,0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xdc,0x8d,0x8c,
        0xf,0xaf,0xf7,0x44,0x8b,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,
        0xb,0xfb,0x3,0x7d,0xe0,0x8b,0xd9,0x8d,0x94,0x17,0xb1,0x5b,0xff,0xff,0xc1,0xca,0xf,0x3,0xd1,0x23,
        0xda,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0xb4,0x37,0xbe,0xd7,0x5c,0x89,0xc1,
        0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,
        0xe8,0x8b,0x7d,0xfc,0x8d,0x84,0x6,0x22,0x11,0x90,0x6b,0xc1,0xc0,0x7,0x3,0x45,0xfc,0x23,0xf8,0x8b,
        0xf0,0xf7,0xd6,0x23,0xf2,0xb,0xf7,0x3,0x75,0xec,0x8d,0x8c,0xe,0x93,0x71,0x98,0xfd,0xc1,0xc1,0xc,
        0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x8b,0xf7,0x23,0x75,0xfc,0x8b,0xd9,0x23,0xd8,0xb,0xf3,0x3,0x75,0xf0,
        0x8b,0xd9,0x8d,0x94,0x16,0x8e,0x43,0x79,0xa6,0xc1,0xca,0xf,0x3,0xd1,0x89,0x55,0xf8,0xf7,0x55,0xf8,
        0x8b,0x75,0xf8,0x23,0xf0,0x23,0xfa,0x23,0xda,0xb,0xf3,0x3,0x75,0xf4,0x8b,0x5d,0xfc,0x8d,0xb4,0x1e,
        0x21,0x8,0xb4,0x49,0xc1,0xce,0xa,0x3,0xf2,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xbc,0x8b,0xda,
        0x8d,0x84,0x7,0x62,0x25,0x1e,0xf6,0x8b,0x7d,0xf8,0x23,0xfe,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0xb,
        0xfb,0x3,0x7d,0xd0,0x8d,0x8c,0xf,0x40,0xb3,0x40,0xc0,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,
        0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x51,0x5a,0x5e,0x26,0xc1,0xc2,
        0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xd9,
        0x8d,0xb4,0x37,0xaa,0xc7,0xb6,0xe9,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,
        0xb,0xfb,0x3,0x7d,0xcc,0x8b,0xda,0x8d,0x84,0x7,0x5d,0x10,0x2f,0xd6,0xc1,0xc0,0x5,0x3,0xc6,0x8b,
        0xfa,0xf7,0xd7,0x23,0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xe0,0x8d,0x8c,0xf,0x53,0x14,0x44,0x2,0xc1,
        0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xf4,0x8d,
        0x94,0x17,0x81,0xe6,0xa1,0xd8,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,
        0xd8,0xb,0xfb,0x3,0x7d,0xc8,0x8d,0xb4,0x37,0xc8,0xfb,0xd3,0xe7,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,
        0xf7,0xd7,0x23,0xfa,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xdc,0x8b,0xda,0x8d,0x84,0x7,0xe6,0xcd,
        0xe1,0x21,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0x8b,0xfa,0xf7,0xd7,0x23,0xfe,0xb,0xfb,0x3,0x7d,0xf0,
        0x8d,0x8c,0xf,0xd6,0x7,0x37,0xc3,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,
        0x23,0xde,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x87,0xd,0xd5,0xf4,0xc1,0xc2,0xe,0x3,0xd1,0x8b,
        0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd8,0x8b,0xd9,0x8d,0xb4,0x37,0xed,
        0x14,0x5a,0x45,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,
        0xec,0x8b,0xda,0x8d,0x84,0x7,0x5,0xe9,0xe3,0xa9,0xc1,0xc0,0x5,0x3,0xc6,0x8b,0xfa,0xf7,0xd7,0x23,
        0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0xf8,0xa3,0xef,0xfc,0xc1,0xc1,0x9,0x3,0xc8,
        0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xd4,0x8d,0x94,0x17,0xd9,0x2,
        0x6f,0x67,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,0xd8,0xb,0xfb,0x3,
        0x7d,0xe8,0x8d,0xb4,0x37,0x8a,0x4c,0x2a,0x8d,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,0x33,0xfa,0x33,0xfe,
        0x3,0x7d,0xcc,0x8d,0x84,0x7,0x42,0x39,0xfa,0xff,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,0xfe,0x33,
        0xf8,0x3,0x7d,0xd8,0x8d,0x8c,0xf,0x81,0xf6,0x71,0x87,0xc1,0xc1,0xb,0x3,0xc8,0x8b,0xf9,0x33,0xfe,
        0x33,0xf8,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x22,0x61,0x9d,0x6d,0xc1,0xc2,0x10,0x3,0xd1,0x8b,0xf9,0x33,
        0xfa,0x8b,0xdf,0x33,0xd8,0x3,0x5d,0xf0,0x8d,0xb4,0x33,0xc,0x38,0xe5,0xfd,0xc1,0xce,0x9,0x3,0xf2,
        0x33,0xfe,0x3,0x7d,0xbc,0x8d,0x84,0x7,0x44,0xea,0xbe,0xa4,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,
        0xfe,0x33,0xf8,0x3,0x7d,0xc8,0x8d,0xbc,0xf,0xa9,0xcf,0xde,0x4b,0xc1,0xc7,0xb,0x3,0xf8,0x8b,0xcf,
        0x33,0xce,0x33,0xc8,0x3,0x4d,0xd4,0x8b,0xdf,0x8d,0x94,0x11,0x60,0x4b,0xbb,0xf6,0xc1,0xc2,0x10,0x3,
        0xd7,0x33,0xda,0x8b,0xcb,0x33,0xc8,0x3,0x4d,0xe0,0x8d,0x8c,0x31,0x70,0xbc,0xbf,0xbe,0xc1,0xc9,0x9,
        0x3,0xca,0x33,0xd9,0x3,0x5d,0xec,0x8b,0xf2,0x8d,0x84,0x3,0xc6,0x7e,0x9b,0x28,0x33,0xf1,0xc1,0xc0,
        0x4,0x3,0xc1,0x33,0xf0,0x3,0x75,0xb8,0x8d,0xb4,0x3e,0xfa,0x27,0xa1,0xea,0xc1,0xc6,0xb,0x3,0xf0,
        0x8b,0xfe,0x33,0xf9,0x33,0xf8,0x3,0x7d,0xc4,0x8d,0xbc,0x17,0x85,0x30,0xef,0xd4,0xc1,0xc7,0x10,0x3,
        0xfe,0x8b,0xd6,0x33,0xd7,0x8b,0xda,0x33,0xd8,0x3,0x5d,0xd0,0x8d,0x8c,0xb,0x5,0x1d,0x88,0x4,0xc1,
        0xc9,0x9,0x3,0xcf,0x33,0xd1,0x3,0x55,0xdc,0x8d,0x84,0x2,0x39,0xd0,0xd4,0xd9,0x8b,0xd7,0x33,0xd1,
        0xc1,0xc0,0x4,0x3,0xc1,0x33,0xd0,0x3,0x55,0xe8,0x8d,0x94,0x32,0xe5,0x99,0xdb,0xe6,0xc1,0xc2,0xb,
        0x3,0xd0,0x8b,0xf2,0x33,0xf1,0x33,0xf0,0x3,0x75,0xf4,0x8d,0xb4,0x3e,0xf8,0x7c,0xa2,0x1f,0xc1,0xc6,
        0x10,0x3,0xf2,0x8b,0xfa,0x33,0xfe,0x33,0xf8,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0x65,0x56,0xac,0xc4,0xc1,
        0xc9,0x9,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xb8,0x8d,0x84,0x7,0x44,0x22,
        0x29,0xf4,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xd4,0x8d,0x94,
        0x17,0x97,0xff,0x2a,0x43,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xf9,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,
        0xf0,0x8d,0xb4,0x37,0xa7,0x23,0x94,0xab,0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,
        0xfa,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x39,0xa0,0x93,0xfc,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,
        0xb,0xf9,0x33,0xfe,0x3,0x7d,0xe8,0x8d,0x84,0x7,0xc3,0x59,0x5b,0x65,0xc1,0xc0,0x6,0x3,0xc1,0x8b,
        0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x92,0xcc,0xc,0x8f,0xc1,0xc2,0xa,
        0x8b,0xf9,0x3,0xd0,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,0xe0,0x8d,0xb4,0x37,0x7d,0xf4,0xef,0xff,
        0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0xd1,
        0x5d,0x84,0x85,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xd8,0x8d,
        0x84,0x7,0x4f,0x7e,0xa8,0x6f,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,
        0x7d,0xf4,0x8d,0x94,0x17,0xe0,0xe6,0x2c,0xfe,0x8b,0xf9,0xc1,0xc2,0xa,0x3,0xd0,0xf7,0xd7,0xb,0xfa,
        0x33,0xf8,0x3,0x7d,0xd0,0x8d,0xb4,0x37,0x14,0x43,0x1,0xa3,0x8b,0xf8,0xc1,0xc6,0xf,0x3,0xf2,0xf7,
        0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xec,0x8d,0xbc,0xf,0xa1,0x11,0x8,0x4e,0xc1,0xcf,0xb,0x3,0xfe,
        0x8b,0xca,0xf7,0xd1,0xb,0xcf,0x33,0xce,0x3,0x4d,0xc8,0x8d,0x84,0x1,0x82,0x7e,0x53,0xf7,0xc1,0xc0,
        0x6,0x3,0xc7,0x8b,0xce,0xf7,0xd1,0xb,0xc8,0x33,0xcf,0x3,0x4d,0xe4,0x8d,0x94,0x11,0x35,0xf2,0x3a,
        0xbd,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xcf,0xf7,0xd1,0xb,0xca,0x33,0xc8,0x3,0x4d,0xc0,0x8d,0xb4,0x31,
        0xbb,0xd2,0xd7,0x2a,0x8b,0x4d,0x8,0x8b,0x19,0x3,0xd8,0xf7,0xd0,0xc1,0xc6,0xf,0x3,0xf2,0xb,0xc6,
        0x33,0xc2,0x3,0x45,0xdc,0x89,0x19,0x8d,0x84,0x38,0x91,0xd3,0x86,0xeb,0xc1,0xc8,0xb,0x3,0x41,0x4,
        0x3,0xc6,0x89,0x41,0x4,0x8b,0x41,0x8,0x3,0xc6,0x89,0x41,0x8,0x8b,0x41,0xc,0x5f,0x3,0xc2,0x5e,
        0x89,0x41,0xc,0x5b,0xc9,0xc2,0x4,0x0,0x85,0xd2,0x76,0x2c,0x56,0x8d,0x72,0xff,0xc1,0xee,0x2,0x41,
        0x83,0xc0,0x2,0x46,0x8a,0x50,0xfe,0x88,0x51,0xff,0x8a,0x50,0xff,0x88,0x11,0x8a,0x10,0x88,0x51,0x1,
        0x8a,0x50,0x1,0x88,0x51,0x2,0x83,0xc0,0x4,0x83,0xc1,0x4,0x4e,0x75,0xe1,0x5e,0xc3
    };//0x19d18~0x1A50D
    unsigned char* md5_encrypt_20=data1;
    unsigned char* md5_encrypt_21=data1+0x24;
    unsigned char* md5_encrypt_22=data1+0xcb;

    unsigned char data2[64]={0x80,0};
    *(long*)(data1+0xf7)=(long)data2;
    *(long*)(data1+0x123)=(long)memset-(long)(data1+0x127);

    unsigned char md5_data[][16]={
        {0x15,0xd1,0x26,0xd0,0xa5,0xa3,0x64,0xe3,0x1b,0x58,0x4,0xe5,0x8,0x5f,0x3,0x9,     },
        {0x61,0xf7,0xd,0x82,0x48,0x54,0xe8,0x77,0xc2,0x38,0x84,0x50,0xfe,0x3a,0xe3,0xd2,  },
        {0x88,0x9b,0xa2,0x4e,0x4a,0xfb,0xd6,0x9b,0x32,0x73,0xfe,0xda,0x3a,0x4e,0x4d,0xe8, },
        {0x74,0x8a,0xc3,0x52,0x68,0x3e,0x1e,0x7,0x0,0x53,0xe9,0x9b,0xb9,0xc1,0x3f,0x28,   },
        {0xd9,0xab,0xea,0xfe,0x1f,0x7f,0x4b,0x5c,0x63,0x94,0x8e,0x5d,0x13,0xf2,0x53,0xbf, },
        {0xc9,0xae,0xea,0x20,0x18,0xe8,0x3d,0x49,0xa6,0x11,0x7c,0xb1,0xd8,0xac,0x31,0x94, },
        {0xa4,0x56,0x73,0xf7,0x14,0xb4,0xf6,0x58,0x25,0x85,0x5c,0x32,0xee,0x9c,0x82,0x27, },
        {0x31,0x26,0x22,0x9a,0xd6,0xfc,0x81,0x4e,0x8e,0x9e,0xaf,0x9,0xaf,0x4b,0x94,0x9e,  },
        {0xcc,0xba,0xc4,0x42,0xfc,0x59,0xe5,0x32,0x40,0x21,0xd2,0x6b,0x30,0xb4,0x52,0xe3, },
        {0x20,0x77,0xbb,0xcd,0x70,0x80,0xde,0xf0,0x2b,0x5c,0x78,0x3c,0x47,0xcf,0xc3,0xf9, },
        {0x3,0xe,0xd0,0xc9,0xaa,0x3d,0xb,0xc6,0x57,0x9f,0x75,0x94,0x72,0xfc,0x53,0x15,    },
        {0x90,0x6c,0xb1,0xc1,0x13,0xef,0x25,0xeb,0x4,0x0,0x26,0xa1,0x4,0xba,0xc8,0xda,    },
        {0x1b,0x66,0x98,0xcf,0xbe,0x9d,0xf1,0x89,0xe4,0x5a,0xa5,0xd8,0x1f,0xda,0xd7,0x97, },
    };
    const int max=sizeof(md5_data)/sizeof(md5_data[0]);

    unsigned char key1[88]={0};
    unsigned char key2[16]={0};
    int len=2*wcslen(path);
    _asm
    {
        lea eax,key1;
        call md5_encrypt_20;
        mov eax,len;
        lea ecx,key1;
        mov esi,path;
        push esi;
        call md5_encrypt_21;
        lea eax,key2;
        push eax;
        lea edi,key1;
        call md5_encrypt_22;
    }
    for(int i=0;i<max;i++)
    {
        if(!memcmp(md5_data[i],key2,16))
        {
            printf("%d touched :%ws\n",i,path);
        }
    }
}



void main()
{
    wchar_t n[16]={0};
    for(int len=1;len<=7;len++)
    {
        int cf=0;
        for(int j=0;j<len;j++)
        {
            n[10-j]='0';
        }
        while(!cf)
        {
            n[14]='l';
            n[13]='l';
            n[12]='d';
            n[11]='.';
            func(n+11-len);
            n[14]='e';
            n[13]='x';
            n[12]='e';
            n[11]='.';
            func(n+11-len);
            n[10]++;
            for(int j=0;j<len;j++)
            {
                if(n[10-j] > 'z')
                {
                    n[10-j]='0';
                    if(j!=len-1)
                        n[10-j-1]++;
                    else
                        cf=1;
                }
                else if(n[10-j] == '\\')
                    n[10-j] = '\\'+1;
            }
        }
    }
}

人面猴
序言：七十年代末，一起剥皮案震惊了整个滨河市，随后出现的几起案子，更是在滨河造成了极大的恐慌，老刑警刘岩，带你破解...
沈念sama阅读 204,053评论 6赞 478
死咒
序言：滨河连续发生了三起死亡事件，死亡现场离奇诡异，居然都是意外死亡，警方通过查阅死者的电脑和手机，发现死者居然都...
沈念sama阅读 85,527评论 2赞 381
救了他两次的神仙让他今天三更去死
文/潘晓璐我一进店门，熙熙楼的掌柜王于贵愁眉苦脸地迎上来，“玉大人，你说我怎么就摊上这事。” “怎么了？”我有些...
开封第一讲书人阅读 150,779评论 0赞 337
道士缉凶录：失踪的卖姜人
文/不坏的土叔我叫张陵，是天一观的道长。经常有香客问我，道长，这世上最难降的妖魔是什么？我笑而不...
开封第一讲书人阅读 54,685评论 1赞 276
港岛之恋（遗憾婚礼）
正文为了忘掉前任，我火速办了婚礼，结果婚礼上，老公的妹妹穿的比我还像新娘。我一直安慰自己，他们只是感情好，可当我...
茶点故事阅读 63,699评论 5赞 366
恶毒庶女顶嫁案：这布局不是一般人想出来的
文/花漫我一把揭开白布。她就那样静静地躺着，像睡着了一般。火红的嫁衣衬着肌肤如雪。梳的纹丝不乱的头发上，一...
开封第一讲书人阅读 48,609评论 1赞 281
城市分裂传说
那天，我揣着相机与录音，去河边找鬼。笑死，一个胖子当着我的面吹牛，可吹牛的内容都是我干的。我是一名探鬼主播，决...
沈念sama阅读 37,989评论 3赞 396
双鸳鸯连环套：你想象不到人心有多黑
文/苍兰香墨我猛地睁开眼，长吁一口气：“原来是场噩梦啊……” “哼！你这毒妇竟也来了？” 一声冷哼从身侧响起，我...
开封第一讲书人阅读 36,654评论 0赞 258
万荣杀人案实录
序言：老挝万荣一对情侣失踪，失踪者是张志新（化名）和其女友刘颖，没想到半个月后，有当地人在树林里发现了一具尸体，经...
沈念sama阅读 40,890评论 1赞 298
护林员之死
正文独居荒郊野岭守林人离奇死亡，尸身上长有42处带血的脓包…… 初始之章·张勋以下内容为张勋视角年9月15日...
茶点故事阅读 35,634评论 2赞 321
白月光启示录
正文我和宋清朗相恋三年，在试婚纱的时候发现自己被绿了。大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
茶点故事阅读 37,716评论 1赞 330
活死人
序言：一个原本活蹦乱跳的男人离奇死亡，死状恐怖，灵堂内的尸体忽然破棺而出，到底是诈尸还是另有隐情，我是刑警宁泽，带...
沈念sama阅读 33,394评论 4赞 319
日本核电站爆炸内幕
正文年R本政府宣布，位于F岛的核电站，受9级特大地震影响，放射性物质发生泄漏。R本人自食恶果不足惜，却给世界环境...
茶点故事阅读 38,976评论 3赞 307
男人毒药：我在死后第九天来索命
文/蒙蒙一、第九天我趴在偏房一处隐蔽的房顶上张望。院中可真热闹，春花似锦、人声如沸。这庄子的主人今日做“春日...
开封第一讲书人阅读 29,950评论 0赞 19
一桩弑父案，背后竟有这般阴谋
文/苍兰香墨我抬头看了看天上的太阳。三九已至，却和暖如春，着一层夹袄步出监牢的瞬间，已是汗流浃背。一阵脚步声响...
开封第一讲书人阅读 31,191评论 1赞 260
情欲美人皮
我被黑心中介骗来泰国打工，没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留，地道东北人。一个月前我还...
沈念sama阅读 44,849评论 2赞 349
代替公主和亲
正文我出身青楼，却偏偏与公主长得像，于是被迫代替她去往敌国和亲。传闻我的和亲对象是个残疾皇子，可洞房花烛夜当晚...
茶点故事阅读 42,458评论 2赞 342

关于360 hookport.sys模块名加密

关于360 hookport.sys模块名加密

简介

加密算法汇编源码

破解哈希算法的C++源码

推荐阅读更多精彩内容