<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cracking &#8211; swigger&#039;s BLOG</title>
	<atom:link href="https://www.swigger.net/tag/%E7%A0%B4%E8%A7%A3/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.swigger.net</link>
	<description>Laugh not if I lie drunk on the battlefield; since ancient times, how many have returned from war?</description>
	<lastBuildDate>Sat, 28 Jun 2008 18:26:28 +0000</lastBuildDate>
	<language>zh-Hans</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>
	<item>
		<title>Burned by sothink swf decompiler</title>
		<link>https://www.swigger.net/2008/06/29/%e8%a2%absothink-swf-decompiler%e9%98%b4%e4%ba%86%e4%b8%80%e6%8a%8a/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Sat, 28 Jun 2008 18:15:51 +0000</pubDate>
				<category><![CDATA[Cracking fanatic]]></category>
		<category><![CDATA[decompile]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[Cracking]]></category>
		<guid isPermaLink="false">http://www.swigger.net/?p=44</guid>

					<description><![CDATA[It has been a while since I last wrote anything, so here is another post. I was hacking on the TEA algorithm in a small Flash game, and &#8230; <a href="https://www.swigger.net/2008/06/29/%e8%a2%absothink-swf-decompiler%e9%98%b4%e4%ba%86%e4%b8%80%e6%8a%8a/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
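										<content:encoded><![CDATA[<p>It has been a while since I last wrote anything, so here is another post.</p>
<p>I was hacking on the TEA algorithm in a small Flash game and found that the decompiled ActionScript, once converted to JavaScript and run, produced results different from what the original game computes.</p>
<p>I wondered whether JavaScript and ActionScript differ in some way. With no other option, I went and downloaded Adobe Flash CS3.</p>
<p>I found I had nearly forgotten how to use Flash. I only studied it for a few days back in the Flash 5 era and picked up the basics, mainly to get through an assignment for some class. Come to think of it, that teacher was kind too: I got full marks for that Flash assignment.</p>
<p>Today, though, Flash CS3 felt awkward. I hit a problem right away: how do you use an external class in CS3? Writing the class directly gave the error "类不能嵌套" (classes cannot be nested). A search showed that it has to go in a .as file, so I put it in TEA.as.</p>
<p>I added the line import TEA; and got another error saying TEA was not implemented. The documentation says the class has to be placed in a package. So I did that, and it still did not work. Finally I looked at how Flash's own classes are implemented and figured it out. First create a folder named crypto, then create TEA.as inside it, with code like this:</p>
<p>package crypto{ //crypto must match the folder name.</p>
<p>public class TEA{ //TEA must match the file name, i.e. TEA.as. public apparently cannot be omitted.</p>
<p>&#8230;//omitted</p>
<p>}</p>
<p>}</p>
<p>OK, now it runs. Then I discovered that if you simply save the document as a Flash 8 document, you can use a TEA.as that is not in a package at all! Facepalm.</p>
<p>Running it showed that this Flash file gives the same result as the JavaScript in the HTML page. So everything since downloading Flash had been wasted effort.</p>
<p>Out of options, I went back to sothink swf decompiler, looked carefully, and spotted something suspicious:</p>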
<p>var _loc11 = 2.671213E+009;</p>
<p>Why would it look like this? The algorithm should not contain code like that. I opened the raw code view and found this line:</p>
<p> //96 09 00 06 ef e6 e3 41 00 00 20 37<br />
 _push 2.67121e+009</p>
<p>Comparing with the other _push statements shows that ef e6 e3 41 00 00 20 37 is a double value.</p>
<p>I wrote a small program:</p>
<p>[code lang="outline"]</p>
<p>debian:~# cat t2.c<br />
#include &lt;stdio.h&gt;</p>
<p>int main()<br />
{<br />
        double d = 2.67121e+009;<br />
        unsigned char * p = (unsigned char*)&amp;d;</p>
<p>        int i;<br />
        for ( i=0; i&lt;8; ++i)<br />
        {<br />
                printf("%02x ", p[i]);<br />
        }<br />
        printf("\n");<br />
        return 0;<br />
}<br />
debian:~# gcc t2.c <br />
debian:~# ./a.out<br />
00 00 00 c2 ed e6 e3 41</p>
<p>[/code]</p>
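<p>Compare 00 00 00 c2 ed e6 e3 41 with ef e6 e3 41 00 00 20 37.</p>
<p>Allowing for the two 4-byte halves being stored in swapped order, they differ only slightly; the original double value should be 00 00 20 37 ef e6 e3 41.</p>
<p>OK, so: printf("%.14g\n", *(double*)"\x00\x00\x20\x37\xef\xe6\xe3\x41");</p>
<p>This gives: 2671212985</p>
<p>That is the correct value set in the original Flash file.</p>
<p>Modify TEA.as:</p>
<p>change var _loc11 = 2.671213E+009; to:</p>
<p>var _loc11 = 2671212985;</p>
<p>Run it again: success! The computed values match the original Flash file, and the two can encrypt/decrypt each other's data.</p>
<p>To sum up: sothink swf decompiler is too crude; it does not even format double values in the most appropriate way. Shame on it.</p>
<p>I am also posting TEA.as here. I do not own the copyright; it was obtained by reverse engineering. If the original author objects, please contact me and I will remove it.</p>
<p>The highlighter does not support ActionScript, so just treat it as JavaScript; they are close enough anyway.</p>
<p>What is posted here is in Flash 8 format; to use it in CS3 it has to be put in a package, as mentioned above.</p>
<p>[code lang="javascript"]</p>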
<p>class TEA<br />
{<br />
    function TEA()<br />
    {<br />
    } // End of the function<br />
    static function encrypt(src, key)<br />
    {<br />
        if (!key || key.length == 0)<br />
        {<br />
            key = "9F3779B99F3779B9";<br />
        } // end if<br />
        var _loc4 = TEA.charsToLongs(TEA.strToChars(src));<br />
        var _loc9 = TEA.charsToLongs(TEA.strToChars(key));<br />
        var _loc8 = _loc4.length;<br />
        if (_loc8 == 0)<br />
        {<br />
            return ("");<br />
        } // end if<br />
        if (_loc8 == 1)<br />
        {<br />
            _loc4[_loc8++] = 0;<br />
        } // end if<br />
        var _loc2 = _loc4[_loc8 - 1];<br />
        var _loc3 = _loc4[0];<br />
        var _loc11 = 2671212985;<br />
        var _loc5;<br />
        var _loc7;<br />
        var _loc10 = Math.floor(6 + 52 / _loc8);<br />
        var _loc6 = 0;<br />
        while (_loc10-- &gt; 0)<br />
        {<br />
            _loc6 = _loc6 + _loc11;<br />
            _loc7 = _loc6 &gt;&gt;&gt; 2 &amp; 3;<br />
            for (var _loc1 = 0; _loc1 &lt; _loc8 - 1; ++_loc1)<br />
            {<br />
                _loc3 = _loc4[_loc1 + 1];<br />
                _loc5 = (_loc2 &gt;&gt;&gt; 5 ^ _loc3 &lt;&lt; 2) + (_loc3 &gt;&gt;&gt; 3 ^ _loc2 &lt;&lt; 4) ^ (_loc6 ^ _loc3) + (_loc9[_loc1 &amp; 3 ^ _loc7] ^ _loc2);<br />
                _loc2 = _loc4[_loc1] = _loc4[_loc1] + _loc5;<br />
            } // end of for<br />
            _loc3 = _loc4[0];<br />
            _loc5 = (_loc2 &gt;&gt;&gt; 5 ^ _loc3 &lt;&lt; 2) + (_loc3 &gt;&gt;&gt; 3 ^ _loc2 &lt;&lt; 4) ^ (_loc6 ^ _loc3) + (_loc9[_loc1 &amp; 3 ^ _loc7] ^ _loc2);<br />
            _loc2 = _loc4[_loc8 - 1] = _loc4[_loc8 - 1] + _loc5;<br />
        } // end while<br />
        return (TEA.charsToHex(TEA.longsToChars(_loc4)));<br />
    } // End of the function<br />
    static function decrypt(src, key)<br />
    {<br />
        if (!key || key.length == 0)<br />
        {<br />
            key = "9F3779B99F3779B9";<br />
        } // end if<br />
        var _loc4 = TEA.charsToLongs(TEA.hexToChars(src));<br />
        var _loc9 = TEA.charsToLongs(TEA.strToChars(key));<br />
        var _loc8 = _loc4.length;<br />
        if (_loc8 == 0)<br />
        {<br />
            return ("");<br />
        } // end if<br />
        var _loc2 = _loc4[_loc8 - 1];<br />
        var _loc3 = _loc4[0];<br />
        var _loc10 = 2671212985;<br />
        var _loc6;<br />
        var _loc7;<br />
        var _loc12 = Math.floor(6 + 52 / _loc8);<br />
        for (var _loc5 = _loc12 * _loc10; _loc5 != 0; _loc5 = _loc5 - _loc10)<br />
        {<br />
            _loc7 = _loc5 &gt;&gt;&gt; 2 &amp; 3;<br />
            for (var _loc1 = _loc8 - 1; _loc1 &gt; 0; --_loc1)<br />
            {<br />
                _loc2 = _loc4[_loc1 - 1];<br />
                _loc6 = (_loc2 &gt;&gt;&gt; 5 ^ _loc3 &lt;&lt; 2) + (_loc3 &gt;&gt;&gt; 3 ^ _loc2 &lt;&lt; 4) ^ (_loc5 ^ _loc3) + (_loc9[_loc1 &amp; 3 ^ _loc7] ^ _loc2);<br />
                _loc3 = _loc4[_loc1] = _loc4[_loc1] - _loc6;<br />
            } // end of for<br />
            _loc2 = _loc4[_loc8 - 1];<br />
            _loc6 = (_loc2 &gt;&gt;&gt; 5 ^ _loc3 &lt;&lt; 2) + (_loc3 &gt;&gt;&gt; 3 ^ _loc2 &lt;&lt; 4) ^ (_loc5 ^ _loc3) + (_loc9[_loc1 &amp; 3 ^ _loc7] ^ _loc2);<br />
            _loc3 = _loc4[0] = _loc4[0] - _loc6;<br />
        } // end of for<br />
        return (TEA.charsToStr(TEA.longsToChars(_loc4)));<br />
    } // End of the function<br />
    static function charsToLongs(chars)<br />
    {<br />
        var _loc3 = new Array(Math.ceil(chars.length / 4));<br />
        for (var _loc1 = 0; _loc1 &lt; _loc3.length; ++_loc1)<br />
        {<br />
            _loc3[_loc1] = chars[_loc1 * 4] + (chars[_loc1 * 4 + 1] &lt;&lt; 8) + (chars[_loc1 * 4 + 2] &lt;&lt; 16) + (chars[_loc1 * 4 + 3] &lt;&lt; 24);<br />
        } // end of for<br />
        return (_loc3);<br />
    } // End of the function<br />
    static function longsToChars(longs)<br />
    {<br />
        var _loc3 = new Array();<br />
        for (var _loc1 = 0; _loc1 &lt; longs.length; ++_loc1)<br />
        {<br />
            _loc3.push(longs[_loc1] &amp; 255, longs[_loc1] &gt;&gt;&gt; 8 &amp; 255, longs[_loc1] &gt;&gt;&gt; 16 &amp; 255, longs[_loc1] &gt;&gt;&gt; 24 &amp; 255);<br />
        } // end of for<br />
        return (_loc3);<br />
    } // End of the function<br />
    static function charsToHex(chars)<br />
    {<br />
        var _loc4 = new String("");<br />
        var _loc3 = new Array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f");<br />
        for (var _loc1 = 0; _loc1 &lt; chars.length; ++_loc1)<br />
        {<br />
            _loc4 = _loc4 + (_loc3[chars[_loc1] &gt;&gt; 4] + _loc3[chars[_loc1] &amp; 15]);<br />
        } // end of for<br />
        return (_loc4);<br />
    } // End of the function<br />
    static function hexToChars(hex)<br />
    {<br />
        var _loc3 = new Array();<br />
        for (var _loc1 = hex.substr(0, 2) == "0x" ? (2) : (0); _loc1 &lt; hex.length; _loc1 = _loc1 + 2)<br />
        {<br />
            _loc3.push(parseInt(hex.substr(_loc1, 2), 16));<br />
        } // end of for<br />
        return (_loc3);<br />
    } // End of the function<br />
    static function charsToStr(chars)<br />
    {<br />
        var _loc3 = new String("");<br />
        for (var _loc1 = 0; _loc1 &lt; chars.length; ++_loc1)<br />
        {<br />
            _loc3 = _loc3 + String.fromCharCode(chars[_loc1]);<br />
        } // end of for<br />
        return (_loc3);<br />
    } // End of the function<br />
    static function strToChars(str)<br />
    {<br />
        var _loc3 = new Array();<br />
        for (var _loc1 = 0; _loc1 &lt; str.length; ++_loc1)<br />
        {<br />
            _loc3.push(str.charCodeAt(_loc1));<br />
        } // end of for<br />
        return (_loc3);<br />
    } // End of the function<br />
} // End of Class</p>
<p>[/code]</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
