a5656456 发表于 2015-10-5 17:15:30

网狐棋牌的加密模块,映射加密算法分析

//发送映射
const BYTE g_SendByteMap=
{
    0x70,0x2F,0x40,0x5F,0x44,0x8E,0x6E,0x45,0x7E,0xAB,0x2C,0x1F,0xB4,0xAC,0x9D,0x91,
    0x0D,0x36,0x9B,0x0B,0xD4,0xC4,0x39,0x74,0xBF,0x23,0x16,0x14,0x06,0xEB,0x04,0x3E,
    0x12,0x5C,0x8B,0xBC,0x61,0x63,0xF6,0xA5,0xE1,0x65,0xD8,0xF5,0x5A,0x07,0xF0,0x13,
    0xF2,0x20,0x6B,0x4A,0x24,0x59,0x89,0x64,0xD7,0x42,0x6A,0x5E,0x3D,0x0A,0x77,0xE0,
    0x80,0x27,0xB8,0xC5,0x8C,0x0E,0xFA,0x8A,0xD5,0x29,0x56,0x57,0x6C,0x53,0x67,0x41,
    0xE8,0x00,0x1A,0xCE,0x86,0x83,0xB0,0x22,0x28,0x4D,0x3F,0x26,0x46,0x4F,0x6F,0x2B,
    0x72,0x3A,0xF1,0x8D,0x97,0x95,0x49,0x84,0xE5,0xE3,0x79,0x8F,0x51,0x10,0xA8,0x82,
    0xC6,0xDD,0xFF,0xFC,0xE4,0xCF,0xB3,0x09,0x5D,0xEA,0x9C,0x34,0xF9,0x17,0x9F,0xDA,
    0x87,0xF8,0x15,0x05,0x3C,0xD3,0xA4,0x85,0x2E,0xFB,0xEE,0x47,0x3B,0xEF,0x37,0x7F,
    0x93,0xAF,0x69,0x0C,0x71,0x31,0xDE,0x21,0x75,0xA0,0xAA,0xBA,0x7C,0x38,0x02,0xB7,
    0x81,0x01,0xFD,0xE7,0x1D,0xCC,0xCD,0xBD,0x1B,0x7A,0x2A,0xAD,0x66,0xBE,0x55,0x33,
    0x03,0xDB,0x88,0xB2,0x1E,0x4E,0xB9,0xE6,0xC2,0xF7,0xCB,0x7D,0xC9,0x62,0xC3,0xA6,
    0xDC,0xA7,0x50,0xB5,0x4B,0x94,0xC0,0x92,0x4C,0x11,0x5B,0x78,0xD9,0xB1,0xED,0x19,
    0xE9,0xA1,0x1C,0xB6,0x32,0x99,0xA3,0x76,0x9E,0x7B,0x6D,0x9A,0x30,0xD6,0xA9,0x25,
    0xC7,0xAE,0x96,0x35,0xD0,0xBB,0xD2,0xC8,0xA2,0x08,0xF3,0xD1,0x73,0xF4,0x48,0x2D,
    0x90,0xCA,0xE2,0x58,0xC1,0x18,0x52,0xFE,0xDF,0x68,0x98,0x54,0xEC,0x60,0x43,0x0F
};

//接收映射
const BYTE g_RecvByteMap=
{
    0x51,0xA1,0x9E,0xB0,0x1E,0x83,0x1C,0x2D,0xE9,0x77,0x3D,0x13,0x93,0x10,0x45,0xFF,
    0x6D,0xC9,0x20,0x2F,0x1B,0x82,0x1A,0x7D,0xF5,0xCF,0x52,0xA8,0xD2,0xA4,0xB4,0x0B,
    0x31,0x97,0x57,0x19,0x34,0xDF,0x5B,0x41,0x58,0x49,0xAA,0x5F,0x0A,0xEF,0x88,0x01,
    0xDC,0x95,0xD4,0xAF,0x7B,0xE3,0x11,0x8E,0x9D,0x16,0x61,0x8C,0x84,0x3C,0x1F,0x5A,
    0x02,0x4F,0x39,0xFE,0x04,0x07,0x5C,0x8B,0xEE,0x66,0x33,0xC4,0xC8,0x59,0xB5,0x5D,
    0xC2,0x6C,0xF6,0x4D,0xFB,0xAE,0x4A,0x4B,0xF3,0x35,0x2C,0xCA,0x21,0x78,0x3B,0x03,
    0xFD,0x24,0xBD,0x25,0x37,0x29,0xAC,0x4E,0xF9,0x92,0x3A,0x32,0x4C,0xDA,0x06,0x5E,
    0x00,0x94,0x60,0xEC,0x17,0x98,0xD7,0x3E,0xCB,0x6A,0xA9,0xD9,0x9C,0xBB,0x08,0x8F,
    0x40,0xA0,0x6F,0x55,0x67,0x87,0x54,0x80,0xB2,0x36,0x47,0x22,0x44,0x63,0x05,0x6B,
    0xF0,0x0F,0xC7,0x90,0xC5,0x65,0xE2,0x64,0xFA,0xD5,0xDB,0x12,0x7A,0x0E,0xD8,0x7E,
    0x99,0xD1,0xE8,0xD6,0x86,0x27,0xBF,0xC1,0x6E,0xDE,0x9A,0x09,0x0D,0xAB,0xE1,0x91,
    0x56,0xCD,0xB3,0x76,0x0C,0xC3,0xD3,0x9F,0x42,0xB6,0x9B,0xE5,0x23,0xA7,0xAD,0x18,
    0xC6,0xF4,0xB8,0xBE,0x15,0x43,0x70,0xE0,0xE7,0xBC,0xF1,0xBA,0xA5,0xA6,0x53,0x75,
    0xE4,0xEB,0xE6,0x85,0x14,0x48,0xDD,0x38,0x2A,0xCC,0x7F,0xB1,0xC0,0x71,0x96,0xF8,
    0x3F,0x28,0xF2,0x69,0x74,0x68,0xB7,0xA3,0x50,0xD0,0x79,0x1D,0xFC,0xCE,0x8A,0x8D,
    0x2E,0x62,0x30,0xEA,0xED,0x2B,0x26,0xB9,0x81,0x7C,0x46,0x89,0x73,0xA2,0xF7,0x72
};
// MapSend
desData = g_SendByteMap[(BYTE)(srcData+m_cbSendRound)];
m_cbSendRound += 3;
// MapRecv
desData = g_RecvByteMap - m_cbRecvRound;
m_cbRecvRound += 3;
映射加密原理分析:
约定srcData表示准备加密的数据desData表示加密后的数据,sendMap表示发送Map,recvMap表示接收Map;
就以上代码中恒有:
推导:
if desData == sendMap
then srcData == recvMap - offset
这个公式可以自己取一个之间的值,带到上面两个map中去算,,,
分析:
BYTE可能的值是0到255,正好是map的索引。
sendMap提供把实际值变成recvMap的索引的能力。
recvMap提供把recvMap索引还原成真实值的能力。
offset的引入是为了加强破解难度,唯一可能疑惑的问题是BYTE溢出,这个可以参考计算机组成原理前几章。
我们可以这样山寨:
class CSendMapper;
class CRecvMapper;
很显然sendMap是和CSendMapper类紧耦合的,recvMapper和CRecvMapper类紧耦合
所以:
class CSendMapper
;
class CRecvMapper
static const BYTE ms_recvMap;
接下来是offset,在网狐的代码中每次都有如下操作:m_cbSendRound += 3;
所以offset是和Mapper对象耦合的,同时也是上下文相关的,这样也倒置mapper是上下文相关的。
class CSendMapper
static const BYTE ms_sendMap;
;
class CRecvMapper
static const BYTE ms_recvMap;
BYTE m_btOffset;

http://www.eenot.com/data/attachment/forum/201506/02/072859s4lb1bl1i4nizl29.png

这样,只要是offset匹配的recv和send协作就能实现数据加解映射了,,,

最后的测试代码如下(MAP函数被实现的时候改了,返回值的做法写起来是方便了,但是优化的时候比较麻烦):
nf6602::CSendMapper sendMapper;
_el::TBYTE btTem = 0;
sendMapper.SendMap(0, btTem);
if (0x70 != btTem)
{
    std::cout << "sendMapper.SendMap faild!" << std::endl;
}

nf6602::CRecvMapper recvMapper;
btTem = 0;
recvMapper.RecvMap(0, btTem);
if (0x51 != btTem)
{
    std::cout << "recvMapper.RecvMap faild!" << std::endl;
}

//if desData == sendMap
//then srcData == recvMap
for (int i = 0; i < _EL_MAX_TBYTE*10; i++)
{
    _el::TBYTE btSrcData = i;
    _el::TBYTE btDesData = 0;
    sendMapper.SendMap(btSrcData, btTem);
    recvMapper.RecvMap(btTem, btDesData);
    if (btSrcData != btDesData)
    {
      std::cout << "if desData == sendMap then srcData == recvMap faild!" << std::endl;
    }
    else
    {
      int j = 0 ;
    }
}






glaoepp0d 发表于 2015-10-5 17:16:34

支持一下,100块

femghzat1 发表于 2015-10-5 16:32:51

为了源码有什么不能舍得的

fcvbrls12 发表于 2015-10-5 16:53:07

支持支持再支持

9pindfiegs 发表于 2015-10-5 16:45:18

小白一个 顶一下

icx51ahxf 发表于 2015-10-5 17:06:04

嘘,低调。

lp0dcfml718 发表于 2015-10-5 17:44:26

这个东西找了很久了多谢楼主!!

ghoishi4j3 发表于 2015-10-5 18:07:41

路过,淡淡的忧伤

femghzat1 发表于 2015-10-5 17:24:16

介是神马?!!好高大上的感觉呀

78g8fS3yA3 发表于 2015-10-5 17:56:41

发发呆,回回帖,工作结束~
页: [1] 2
查看完整版本: 网狐棋牌的加密模块,映射加密算法分析