加速器配置文件解密逆向分析教学文档<\/h1>

1. 背景与需求分析<\/h2>

1.1 背景介绍<\/h3>

目标样本是一款被用于非法翻墙活动的加速器软件<\/li>
软件对存储的连接服务器地址、更新源及访问站点信息进行了加密<\/li>

需要破解加密机制以获取真实服务器信息用于防控和取证<\/li> <\/ul>

1.2 任务目标<\/h3>

定位解密服务器信息的关键反汇编代码段<\/li>
还原解密算法的高级语言等价源码<\/li>

使用还原算法解密密文配置文件获取服务器地址<\/li> <\/ol>

2. 分析思路与工具选型<\/h2>

2.1 分析思路<\/h3>

使用OllyDbg动态调试工具<\/li>
监控Windows API调用，重点关注文件读取和内存访问<\/li>

配合断点调试逐步定位解密算法实现<\/li> <\/ul>

2.2 工具资源<\/h3>

OllyDbg下载地址: https:\/\/tool.kanxue.com\/index-detail-1.htm<\/li>

目标样本和API文档: https:\/\/drive.google.com\/drive\/folders\/1HNGdEGAcJgMc6dCoI_aFDNdSmsMhqFob<\/li> <\/ul>

3. 信息收集<\/h2>

3.1 目标样本特征<\/h3>

加速器软件，对代理服务器地址进行加密<\/li>

目标目录下发现加密文件: system.ini等<\/li> <\/ul>

3.2 关键API函数<\/h3>

API函数名<\/th> 作用<\/th> 调试意义<\/th> <\/tr> <\/thead>

CreateFileA<\/td> 打开system.ini文件<\/td> 确定加密数据来源<\/td> <\/tr>

ReadFile<\/td> 读取密文至缓冲区<\/td> 跟踪密文数据流向<\/td> <\/tr>

WriteFile<\/td>

(可选)加密写回<\/td>

API函数名<\/th>	作用<\/th>	调试意义<\/th> <\/tr> <\/thead>
CreateFileA<\/td>	打开system.ini文件<\/td>	确定加密数据来源<\/td> <\/tr>
ReadFile<\/td>	读取密文至缓冲区<\/td>	跟踪密文数据流向<\/td> <\/tr>
WriteFile<\/td>	(可选)加密写回<\/td>	判断是否为自修改型程序<\/td> <\/tr> <\/tbody> <\/table> 4. 逆向分析过程<\/h2> 4.1 定位输入文件<\/h3> 用OllyDbg打开程序<\/li> 搜索CreateFile调用<\/li> 找到KERNEL32.CreateFileA调用点<\/li> 查看函数参数: lpFileName: "system.ini"<\/li> dwDesiredAccess: GENERIC_READ<\/li> dwCreationDisposition: OPEN_EXISTING<\/li> <\/ul> <\/li> <\/ol> 4.2 定位解密函数<\/h3> 获取文件句柄(0x20c)<\/li> 跟踪句柄存储地址(0x00185690)<\/li> 发现句柄被放入ecx寄存器并传递给后续函数<\/li> <\/ol> 4.3 解密函数分析<\/h3> 函数内部调用ReadFile: 读取system.ini内容到缓冲区(0x001857C8)<\/li> <\/ul> <\/li> 对内存区域设置访问断点<\/li> 跟踪数据调用过程<\/li> 发现密文被解密的过程<\/li> <\/ol> 4.4 精准定位解密代码<\/h3> 计算密文长度的指令:<\/p> mov eax, [ebp+arg_0] mov ecx, [eax] mov edx, [ecx+4] mov eax, edx <\/code><\/pre> 结果保存在eax中<\/li> <\/ul> <\/li> 解密循环特征:<\/p> 逐字节处理密文<\/li> 处理后数据区域部分内容变为明文<\/li> <\/ul> <\/li> <\/ol> 5. 解密算法还原<\/h2> 5.1 算法分析<\/h3> 采用逐字节异或与加法混合操作<\/li> 加密强度较低但具有一定迷惑性<\/li> <\/ul> 5.2 高级语言代码还原<\/h3> void<\/span> decrypt<\/span>(unsigned<\/span> char<\/span><\/span> data, int<\/span> length) { <\/span><\/span> for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> length; i++<\/span>) { <\/span><\/span> data[i] =<\/span> (data[i] ^<\/span> 0x55<\/span>) +<\/span> 0x10<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.3 验证过程<\/h3> 读取密文数据与原始文件一致<\/li> 解密后明文与预期结果一致<\/li> 完整程序运行成功提取服务器信息<\/li> <\/ol> 6. 完整解密程序实现<\/h2> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <windows.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> decrypt<\/span>(unsigned<\/span> char<\/span><\/span> data, int<\/span> length) { <\/span><\/span> for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> length; i++<\/span>) { <\/span><\/span> data[i] =<\/span> (data[i] ^<\/span> 0x55<\/span>) +<\/span> 0x10<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> HANDLE hFile =<\/span> CreateFileA("system.ini"<\/span>, GENERIC_READ, FILE_SHARE_READ, <\/span><\/span> NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); <\/span><\/span> if<\/span>(hFile ==<\/span> INVALID_HANDLE_VALUE) { <\/span><\/span> printf("Failed to open file<\/span>\n<\/span>"<\/span>); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> DWORD fileSize =<\/span> GetFileSize(hFile, NULL); <\/span><\/span> unsigned<\/span> char<\/span><\/span> buffer =<\/span> (unsigned<\/span> char<\/span><\/span>)malloc(fileSize); <\/span><\/span> <\/span><\/span> DWORD bytesRead; <\/span><\/span> if<\/span>(!<\/span>ReadFile(hFile, buffer, fileSize, &<\/span>bytesRead, NULL)) { <\/span><\/span> printf("Failed to read file<\/span>\n<\/span>"<\/span>); <\/span><\/span> CloseHandle(hFile); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> decrypt(buffer, fileSize); <\/span><\/span> <\/span><\/span> printf("Decrypted content:<\/span>\n<\/span>%s<\/span>\n<\/span>"<\/span>, buffer); <\/span><\/span> <\/span><\/span> free(buffer); <\/span><\/span> CloseHandle(hFile); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>7. 结论<\/h2> 成功定位并分析了目标样本的加密配置文件读取与解密流程<\/li> 通过动态调试明确了程序调用关键API的时机与行为<\/li> 识别出解密算法为逐字节异或与加法混合操作<\/li> 还原算法并编写解密工具成功提取服务器地址等敏感信息<\/li> 为网络审查和取证工作提供了技术支撑<\/li> <\/ol>

判断是否为自修改型程序<\/td> <\/tr> <\/tbody> <\/table>

4. 逆向分析过程<\/h2>

4.1 定位输入文件<\/h3>

用OllyDbg打开程序<\/li>
搜索CreateFile调用<\/li>
找到KERNEL32.CreateFileA调用点<\/li>

查看函数参数:

lpFileName: "system.ini"<\/li>
dwDesiredAccess: GENERIC_READ<\/li>

dwCreationDisposition: OPEN_EXISTING<\/li> <\/ul> <\/li> <\/ol>

4.2 定位解密函数<\/h3>

获取文件句柄(0x20c)<\/li>
跟踪句柄存储地址(0x00185690)<\/li>

发现句柄被放入ecx寄存器并传递给后续函数<\/li> <\/ol>

4.3 解密函数分析<\/h3>

函数内部调用ReadFile:

读取system.ini内容到缓冲区(0x001857C8)<\/li> <\/ul> <\/li>
对内存区域设置访问断点<\/li>
跟踪数据调用过程<\/li>

发现密文被解密的过程<\/li> <\/ol>

4.4 精准定位解密代码<\/h3>

计算密文长度的指令:<\/p>

mov eax, [ebp+arg_0]
mov ecx, [eax]
mov edx, [ecx+4]
mov eax, edx
<\/code><\/pre>

结果保存在eax中<\/li>
<\/ul>
<\/li>

解密循环特征:<\/p>

逐字节处理密文<\/li>
处理后数据区域部分内容变为明文<\/li>
<\/ul>
<\/li>
<\/ol>
5. 解密算法还原<\/h2>
5.1 算法分析<\/h3>

采用逐字节异或与加法混合操作<\/li>
加密强度较低但具有一定迷惑性<\/li>
<\/ul>
5.2 高级语言代码还原<\/h3>
void<\/span> decrypt<\/span>(unsigned<\/span> char<\/span>*<\/span> data, int<\/span> length) {
<\/span><\/span>    for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> length; i++<\/span>) {
<\/span><\/span>        data[i] =<\/span> (data[i] ^<\/span> 0x55<\/span>) +<\/span> 0x10<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.3 验证过程<\/h3>

读取密文数据与原始文件一致<\/li>
解密后明文与预期结果一致<\/li>
完整程序运行成功提取服务器信息<\/li>
<\/ol>
6. 完整解密程序实现<\/h2>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> decrypt<\/span>(unsigned<\/span> char<\/span>*<\/span> data, int<\/span> length) {
<\/span><\/span>    for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> length; i++<\/span>) {
<\/span><\/span>        data[i] =<\/span> (data[i] ^<\/span> 0x55<\/span>) +<\/span> 0x10<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    HANDLE hFile =<\/span> CreateFileA("system.ini"<\/span>, GENERIC_READ, FILE_SHARE_READ, 
<\/span><\/span>                              NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
<\/span><\/span>    if<\/span>(hFile ==<\/span> INVALID_HANDLE_VALUE) {
<\/span><\/span>        printf("Failed to open file<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    DWORD fileSize =<\/span> GetFileSize(hFile, NULL);
<\/span><\/span>    unsigned<\/span> char<\/span>*<\/span> buffer =<\/span> (unsigned<\/span> char<\/span>*<\/span>)malloc(fileSize);
<\/span><\/span>    
<\/span><\/span>    DWORD bytesRead;
<\/span><\/span>    if<\/span>(!<\/span>ReadFile(hFile, buffer, fileSize, &<\/span>bytesRead, NULL)) {
<\/span><\/span>        printf("Failed to read file<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        CloseHandle(hFile);
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    decrypt(buffer, fileSize);
<\/span><\/span>    
<\/span><\/span>    printf("Decrypted content:<\/span>\n<\/span>%s<\/span>\n<\/span>"<\/span>, buffer);
<\/span><\/span>    
<\/span><\/span>    free(buffer);
<\/span><\/span>    CloseHandle(hFile);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>7. 结论<\/h2>

成功定位并分析了目标样本的加密配置文件读取与解密流程<\/li>
通过动态调试明确了程序调用关键API的时机与行为<\/li>
识别出解密算法为逐字节异或与加法混合操作<\/li>
还原算法并编写解密工具成功提取服务器地址等敏感信息<\/li>
为网络审查和取证工作提供了技术支撑<\/li>
<\/ol>