



有个 so 文件，用 IDA 反编译成类 C 伪代码后，发现里面还夹着 ARM NEON 内联函数（intrinsics），编译不通过。我对 NEON 转 C 又不熟悉。
1)需求是:
把两个函数转成c语言,不能夹汇编。
3)大概的描述:
这是两个加密函数。
4)ida代码
第一个函数:
/*
 * data_rolling - IDA pseudo-code of a hash routine whose structure matches MD5.
 *
 * a1: buffer of 16-bit slots, one message byte per slot. The routine reads
 *     slots 0..127 and itself writes slots 64 and 120..123, so the buffer is
 *     modified even though the parameter is declared const.
 * a2: receives 16 output bytes, one per 16-bit slot (a2[0]..a2[15]).
 *
 * What the visible code establishes:
 *  - the four starting values are 0x67452301, 0xEFCDAB89, 0x98BADCFE and
 *    0x10325476 (MD5's initial chaining values);
 *  - 64 rounds per block, using the MD5 round functions and message-word
 *    orders (i, 5i+1, 3i+5, 7i, all mod 16);
 *  - per-round additive constants come from dword_173F0[i] and rotate
 *    amounts from dword_173F0[i + 128];
 *  - two 64-slot blocks are processed (a1 .. a1 + 128).
 * The padding written below fixes the message length at 64 bytes.
 */
__int64 __fastcall data_rolling(const __int16 *a1, _WORD *a2)
{
int8x16_t v2; // q18
int8x16_t v3; // q17
const __int16 *v4; // x19
const __int16 *v5; // x20
unsigned int v6; // w14
unsigned int v7; // w15b
unsigned int v8; // w16
unsigned int v9; // w17
const __int16 *v10; // x21
unsigned int v11; // w7
unsigned int v12; // w9
unsigned int v13; // w6
int v14; // w8
char v15; // w11
unsigned int v16; // w0
char v17; // w10
unsigned __int64 v18; // x5
uint16x8_t v19; // q21
uint16x8_t v20; // q5
uint16x8_t v21; // q20
uint16x8_t v22; // q4
int v23; // w2
unsigned int v24; // w22
int v25; // w3
int v26; // w2
unsigned int v27; // w2
_OWORD v29[4]; // [xsp+70h] [xbp+70h]
int16x8x4_t v30; // 0:q0.16,16:q1.16,32:q2.16,48:q3.16
int16x8x4_t v31; // 0:q22.16,16:q23.16,32:q24.16,48:q25.16
// v2: 0x00FF in every 16-bit lane, used to keep only the low byte of a slot.
v2.n128_u64[0] = 0xFF00FF00FF00FFLL;
v2.n128_u64[1] = 0xFF00FF00FF00FFLL;
// v3: 0x000000FF in every 32-bit lane as rendered here.
// NOTE(review): v3 is applied below to a value already shifted left by 8, where
// 0x000000FF would clear the byte; an MD5 word load needs 0x0000FF00 in that
// position. Confirm the real constant in the disassembly before porting.
v3.n128_u64[0] = 0xFF000000FFLL;
v3.n128_u64[1] = 0xFF000000FFLL;
v4 = a1;
// Padding: 0x80 marker in slot 64, directly after a 64-byte message.
*((_WORD *)a1 + 64) = 128;
// End pointer: 128 slots = two 64-byte blocks.
v5 = a1 + 128;
// Starting chaining values; v9/v8/v7/v6 play the roles of MD5's A/B/C/D.
v6 = 271733878;
v7 = -1732584194;
// Length field: slots 120..123 hold bytes 00 02 00 00, i.e. 0x200 = 512 bits
// little-endian. Slots 124..127 are not written here, so the caller must have
// zeroed them.
*((_WORD *)a1 + 120) = 0;
v8 = -271733879;
*((_WORD *)a1 + 121) = 2;
v9 = 1732584193;
*((_WORD *)a1 + 122) = 0;
*((_WORD *)a1 + 123) = 0;
do
{
// Load the 64 slots of this block. vld4q_s16 de-interleaves by four, so
// val[k] lane j holds slot 4*j + k: val[0..3] are bytes 0..3 of word j.
v10 = v4;
v30 = vld4q_s16(v10);
v10 += 32;
// Working copies for the 64 rounds: v16 = A, v13 = B, v12 = C, v11 = D.
v11 = v6;
v12 = v7;
v13 = v8;
// v14, v17 and v15 advance by 7, 5 and 3 per round from 0, 1 and 5; their low
// four bits give the message-word index in rounds 48-63, 16-31 and 32-47.
v14 = 0;
v15 = 5;
v31 = vld4q_s16(v10);
v16 = v9;
v17 = 1;
// v18 is the round counter (0..63).
v18 = 0LL;
v19 = vandq_s8(v30.val[0], v2);
v20 = vandq_s8(v30.val[2], v2);
v21 = vandq_s8(v31.val[0], v2);
v22 = vandq_s8(v31.val[2], v2);
// v29[0..3] become the sixteen 32-bit message words, four per vector, each
// assembled as byte0 | byte1 << 8 | byte2 << 16 | byte3 << 24. The s8-typed
// and/or calls on 16- and 32-bit vectors are IDA's rendering; the real
// intrinsics are type-strict, which is one reason this text does not compile.
// In plain C the same assembly is ordinary &, | and << on 32-bit integers.
v29[0] = vorrq_s8(
vorrq_s8(
vorrq_s8(
vshlq_n_s32(vmovl_u16((uint16x4_t)v30.val[3].n128_u64[0]), 0x18uLL),
vmovl_u16((uint16x4_t)v19.n128_u64[0])),
vandq_s8(vshlq_n_s32(vmovl_u16((uint16x4_t)v30.val[1].n128_u64[0]), 8uLL), v3)),
vshlq_n_s32(vmovl_u16((uint16x4_t)v20.n128_u64[0]), 0x10uLL));
v29[1] = vorrq_s8(
vorrq_s8(
vorrq_s8(vshlq_n_s32(vmovl_high_u16(v30.val[3]), 0x18uLL), vmovl_high_u16(v19)),
vandq_s8(vshlq_n_s32(vmovl_high_u16(v30.val[1]), 8uLL), v3)),
vshlq_n_s32(vmovl_high_u16(v20), 0x10uLL));
v29[2] = vorrq_s8(
vorrq_s8(
vorrq_s8(
vshlq_n_s32(vmovl_u16((uint16x4_t)v31.val[3].n128_u64[0]), 0x18uLL),
vmovl_u16((uint16x4_t)v21.n128_u64[0])),
vandq_s8(vshlq_n_s32(vmovl_u16((uint16x4_t)v31.val[1].n128_u64[0]), 8uLL), v3)),
vshlq_n_s32(vmovl_u16((uint16x4_t)v22.n128_u64[0]), 0x10uLL));
v29[3] = vorrq_s8(
vorrq_s8(
vorrq_s8(vshlq_n_s32(vmovl_high_u16(v31.val[3]), 0x18uLL), vmovl_high_u16(v21)),
vandq_s8(vshlq_n_s32(vmovl_high_u16(v31.val[1]), 8uLL), v3)),
vshlq_n_s32(vmovl_high_u16(v22), 0x10uLL));
// 64 rounds; the loop leaves through the break once v14 reaches 64 * 7.
while ( 1 )
{
// v24 = index of the message word used this round, v23 = round function.
v24 = v18;
if ( v18 <= 0xF )
{
// Rounds 0-15: F = (D & ~B) | (C & B), word index i.
v23 = v11 & ~v13 | v12 & v13;
}
else if ( (unsigned int)v18 <= 0x1F )
{
// Rounds 16-31: G = (C & ~D) | (D & B), word index (5i + 1) mod 16.
v23 = v12 & ~v11 | v11 & v13;
v24 = v17 & 0xF;
}
else if ( (unsigned int)v18 > 0x2F )
{
// Rounds 48-63: I = (B | ~D) ^ C, word index 7i mod 16.
v24 = v14 & 0xF;
v23 = (v13 | ~v11) ^ v12;
}
else
{
// Rounds 32-47: H = B ^ C ^ D, word index (3i + 5) mod 16.
v24 = v15 & 0xF;
v23 = v12 ^ v13 ^ v11;
}
v14 += 7;
// Additive constant for round i, and its rotate amount 128 entries further on.
v25 = v23 + dword_173F0[v18];
v26 = dword_173F0[v18++ + 128];
v17 += 5;
v15 += 3;
// Rotating right by a negated count is a rotate left by v26; then add B.
v27 = __ROR4__(v25 + *((_DWORD *)v29 + v24) + v16, -(char)v26) + v13;
v16 = v11;
if ( v14 == 448 )
break;
// Rotate the working registers: D <- C, C <- B, B <- new value.
v11 = v12;
v12 = v13;
v13 = v27;
}
// Advance one block and fold the working values back into the chaining state.
// The break above skipped the last register rotation, hence the pairing below.
v4 += 64;
v9 += v11;
v8 += v27;
v7 += v13;
v6 += v12;
}
while ( v4 != v5 );
// Output: v9, v8, v7, v6 written low byte first into a2[0..3], a2[4..7],
// a2[8..11], a2[12..15], one byte per 16-bit slot. The statement order is the
// compiler's scheduling and carries no meaning.
*a2 = (unsigned __int8)v9;
a2[2] = BYTE2(v9);
a2[4] = (unsigned __int8)v8;
a2[6] = BYTE2(v8);
a2[1] = BYTE1(v9);
a2[8] = (unsigned __int8)v7;
a2[5] = BYTE1(v8);
a2[10] = BYTE2(v7);
a2[9] = BYTE1(v7);
a2[12] = (unsigned __int8)v6;
a2[3] = HIBYTE(v9);
a2[14] = BYTE2(v6);
a2[13] = BYTE1(v6);
a2[7] = HIBYTE(v8);
a2[11] = HIBYTE(v7);
a2[15] = HIBYTE(v6);
// NOTE(review): returning the stack-guard value looks like a stack-protector
// epilogue artifact; the only caller shown ignores the result, so a C port can
// presumably be void. Confirm against other callers.
return _stack_chk_guard;
}
第二个函数:
/*
 * traffic_mapping - IDA pseudo-code: hash 32 input bytes together with a
 * built-in 32-byte key, then derive 16 further values from the hash output
 * and the input.
 *
 * a1: input; 32 bytes are read as bytes (a1[0], a1[1]) and again later as
 *     sixteen 16-bit values.
 * a2: key selector; non-zero picks staticProjectKey, zero staticPacketKey.
 * a3: output, used as 32 16-bit values. data_rolling() fills the first 16,
 *     this function fills the next 16 (a3[4]..a3[7], four values each), so
 *     the caller must supply at least 64 bytes.
 *
 * The staging buffer at word_152880 is a global, so calls share it.
 * NOTE(review): whether callers serialise access cannot be seen from here.
 *
 * The key is a compile-time constant placed after the data before hashing,
 * and the hash has MD5's structure; the result therefore demonstrates access
 * to the binary rather than possession of a secret, and should not be relied
 * on as a message authentication code.
 */
int16x8_t *__fastcall traffic_mapping(int16x8_t *a1, unsigned __int16 a2, uint16x4_t *a3)
{
int v3; // w22
__int16 *v6; // x3
unsigned int v7; // w4
__int16 v8; // w21
__int16 v9; // w18
int v10; // w13
unsigned int v11; // w9
__int16 v12; // w17
unsigned int v13; // w6
int v14; // w12
__int16 v15; // w16
unsigned int v16; // w5
int v17; // w11
unsigned int v18; // w4
__int16 v19; // w15
unsigned int v20; // w8
int v21; // w10
unsigned int v22; // w7
unsigned int v23; // w6
unsigned int v24; // w5
unsigned int v25; // w4
unsigned int v26; // w3
int16x8_t *result; // x0
int16x8_t *v28; // x2
unsigned __int16 v29; // w1
unsigned __int16 v30; // w0
__int16 v31; // w7
unsigned __int16 v32; // w6
unsigned __int16 v33; // w5
__int16 v34; // w4
unsigned __int16 v35; // w3
unsigned __int16 v36; // w2
__int16 v37; // w1
unsigned __int16 v38; // w0
unsigned __int16 v39; // w3
unsigned __int16 v40; // w2
__int16 v41; // w1
int v42; // w0
v3 = a2;
// Clear the 0x200-byte staging buffer (256 16-bit slots); data_rolling()
// depends on the slots it does not write itself being zero.
memset(&word_152880, 0, 0x200uLL);
// Pick the 16-word key.
if ( v3 )
v6 = &staticProjectKey;
else
v6 = staticPacketKey;
// Slots 0..31: the 32 input bytes, one per 16-bit slot. Going by the IDA
// address-derived names, consecutive word_XXXXXX symbols are 2 bytes apart and
// are really elements of one array starting at word_152880.
word_152880 = a1->n128_u8[0];
word_152882 = a1->n128_u8[1];
word_152884 = a1->n128_u8[2];
word_152886 = a1->n128_u8[3];
word_152888 = a1->n128_u8[4];
word_15288A = a1->n128_u8[5];
word_15288C = a1->n128_u8[6];
word_15288E = a1->n128_u8[7];
word_152890 = a1->n128_u8[8];
word_152892 = a1->n128_u8[9];
word_152894 = a1->n128_u8[10];
word_152896 = a1->n128_u8[11];
word_152898 = a1->n128_u8[12];
word_15289A = a1->n128_u8[13];
word_15289C = a1->n128_u8[14];
word_15289E = a1->n128_u8[15];
word_1528A0 = a1[1].n128_u8[0];
word_1528A2 = a1[1].n128_u8[1];
v7 = (unsigned __int16)*v6;
word_1528A4 = a1[1].n128_u8[2];
word_1528A6 = a1[1].n128_u8[3];
word_1528A8 = a1[1].n128_u8[4];
word_1528AA = a1[1].n128_u8[5];
word_1528AC = a1[1].n128_u8[6];
word_1528AE = a1[1].n128_u8[7];
word_1528B0 = a1[1].n128_u8[8];
word_1528B2 = a1[1].n128_u8[9];
word_1528B4 = a1[1].n128_u8[10];
word_1528B6 = a1[1].n128_u8[11];
word_1528B8 = a1[1].n128_u8[12];
word_1528BA = a1[1].n128_u8[13];
word_1528BC = a1[1].n128_u8[14];
word_1528BE = a1[1].n128_u8[15];
// Slots 32..63 (word_1528C0 .. word_1528FE): each of the 16 key words split
// into low byte then high byte. The interleaved order of the statements below
// is compiler scheduling; every slot is written exactly once.
word_1528C0 = (unsigned __int8)v7;
word_1528C2 = v7 >> 8;
v8 = (unsigned __int8)v6[1];
v9 = (unsigned __int8)v6[2];
v10 = HIBYTE(v6[2]);
v11 = (unsigned __int16)v6[6];
v12 = (unsigned __int8)v6[3];
v13 = (unsigned __int16)v6[9];
v14 = HIBYTE(v6[3]);
v15 = (unsigned __int8)v6[4];
v16 = (unsigned __int16)v6[10];
v17 = HIBYTE(v6[4]);
v18 = (unsigned __int16)v6[11];
v19 = (unsigned __int8)v6[5];
v20 = (unsigned __int16)v6[7];
v21 = HIBYTE(v6[5]);
v22 = (unsigned __int16)v6[8];
word_1528C6 = HIBYTE(v6[1]);
word_1528D2 = v17;
word_1528D6 = v21;
word_1528DA = v11 >> 8;
word_1528CA = v10;
word_1528CE = v14;
word_1528DE = v20 >> 8;
word_1528E8 = (unsigned __int8)v16;
word_1528EA = v16 >> 8;
word_1528E2 = v22 >> 8;
word_1528EC = (unsigned __int8)v18;
word_1528EE = v18 >> 8;
word_1528C4 = v8;
word_1528C8 = v9;
word_1528CC = v12;
word_1528D0 = v15;
word_1528D4 = v19;
word_1528D8 = (unsigned __int8)v11;
word_1528DC = (unsigned __int8)v20;
word_1528E0 = (unsigned __int8)v22;
word_1528E4 = (unsigned __int8)v13;
word_1528E6 = v13 >> 8;
v23 = (unsigned __int16)v6[12];
v24 = (unsigned __int16)v6[13];
v25 = (unsigned __int16)v6[14];
// v21 is reused here for the low byte of key word 12.
LOWORD(v21) = (unsigned __int8)v6[12];
v26 = (unsigned __int16)v6[15];
word_1528F0 = v21;
word_1528F2 = v23 >> 8;
word_1528F4 = (unsigned __int8)v24;
word_1528F6 = v24 >> 8;
word_1528F8 = (unsigned __int8)v25;
word_1528FA = v25 >> 8;
word_1528FC = (unsigned __int8)v26;
word_1528FE = v26 >> 8;
// Hash the staged 64 bytes; the 16 output bytes land in a3's first 16 values.
data_rolling(&word_152880, a3);
result = a1 + 1;
v28 = (int16x8_t *)&a3[6];
// Both branches compute, for i = 0..15 and with a3/a1 viewed as 16-bit arrays,
//   out[16 + i] = (16-bit truncation of) 4 * out[i] * in[i].
// NOTE(review): the address comparison looks like a compiler-generated overlap
// check choosing the element-by-element path when the output range may alias
// a1; a plain C port needs only the scalar loop.
if ( &a3[4] < (uint16x4_t *)&a1[1] && a1 < v28 )
{
v29 = a3->n64_u16[1];
v30 = a3->n64_u16[2];
a3[4].n64_u16[0] = 4 * a3->n64_u16[0] * a1->n128_u16[0];
v31 = 4 * a3->n64_u16[3];
v32 = a3[1].n64_u16[0];
v33 = a3[1].n64_u16[1];
a3[4].n64_u16[1] = 4 * v29 * a1->n128_u16[1];
v34 = 4 * a3[1].n64_u16[2];
v35 = a3[1].n64_u16[3];
v36 = a3[2].n64_u16[0];
a3[4].n64_u16[2] = 4 * v30 * a1->n128_u16[2];
v37 = 4 * a3[2].n64_u16[1];
v38 = a3[2].n64_u16[2];
a3[4].n64_u16[3] = v31 * a1->n128_u16[3];
a3[5].n64_u16[0] = 4 * v32 * a1->n128_u16[4];
a3[5].n64_u16[1] = 4 * v33 * a1->n128_u16[5];
a3[5].n64_u16[2] = v34 * a1->n128_u16[6];
a3[5].n64_u16[3] = 4 * v35 * a1->n128_u16[7];
a3[6].n64_u16[0] = 4 * v36 * a1[1].n128_u16[0];
a3[6].n64_u16[1] = v37 * a1[1].n128_u16[1];
a3[6].n64_u16[2] = 4 * v38 * a1[1].n128_u16[2];
v39 = a3[3].n64_u16[0];
v40 = a3[3].n64_u16[1];
a3[6].n64_u16[3] = 4 * a3[2].n64_u16[3] * a1[1].n128_u16[3];
v41 = 4 * a3[3].n64_u16[2];
v42 = a3[3].n64_u16[3];
a3[7].n64_u16[0] = 4 * v39 * a1[1].n128_u16[4];
a3[7].n64_u16[1] = 4 * v40 * a1[1].n128_u16[5];
a3[7].n64_u16[2] = v41 * a1[1].n128_u16[6];
// result is only the register that held the last product, not a real pointer.
result = (int16x8_t *)(4 * v42 * (unsigned int)a1[1].n128_u16[7]);
a3[7].n64_u16[3] = (unsigned __int16)result;
}
else
{
// Vector form of the same formula: widen eight 16-bit values to 32 bits,
// shift left by 2, narrow back to 16 bits, multiply lane-wise by the input.
// "vmovn_hight_s32" is not an intrinsic name; the NEON narrowing intrinsic is
// spelled vmovn_high_s32.
*(int16x8_t *)a3[4].n64_u64 = vmulq_s16(
vmovn_hight_s32(
vmovn_s32(vshlq_n_s32(vmovl_u16((uint16x4_t)a3->n64_u64[0]), 2uLL)),
vshlq_n_s32(vmovl_high_u16(*(uint16x8_t *)a3->n64_u64), 2uLL)),
*a1);
*v28 = vmulq_s16(
vmovn_hight_s32(
vmovn_s32(vshlq_n_s32(vmovl_u16(a3[2]), 2uLL)),
vshlq_n_s32(vmovl_high_u16(*(uint16x8_t *)a3[2].n64_u64), 2uLL)),
*result);
}
// NOTE(review): the two branches leave different values in result (a1 + 1
// versus the last product), so the return value carries no consistent meaning;
// the original function is presumably void.
return result;
}
函数中有些用到的全局变量如下:
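/*
 * Key material and round tables read by traffic_mapping() and data_rolling().
 *
 * Changes from the posted version, none of which alter a value:
 *  - staticProjectKey is spelled the way traffic_mapping() refers to it
 *    (the posted definition had a lower-case 'k', which would not link);
 *  - the round table uses unsigned int, which is 32 bits wide on the AArch64
 *    target, in place of the undeclared type name uint32;
 *  - the initializer is terminated with a semicolon;
 *  - the rotate amounts are pinned to index 128 with a designated
 *    initializer, so the layout no longer depends on counting filler zeros.
 *
 * Both keys are fixed constants that ship inside the binary, so they are
 * readable by anyone who has the library.
 */
static unsigned short staticProjectKey[] = {
    0x92dd, 0xb378, 0xd071, 0x11ec, 0xBB7E, 0x5076, 0xAFD5, 0x894F,
    0x1874, 0xA689, 0x50DC, 0x4ECB, 0xB703, 0x5D17, 0x507B, 0x7427
};

static unsigned short staticPacketKey[] = {
    0x92EF, 0x4145, 0xD071, 0x11EC, 0x84C9, 0x5076, 0xAFD5, 0x894F,
    0xD90D, 0xDAAC, 0xB8D3, 0x4B74, 0x8EA6, 0x495C, 0xB1FE, 0x467C
};

/*
 * data_rolling() reads entry i as the additive constant of round i and entry
 * i + 128 as that round's rotate amount, for i = 0..63. Entries 64..127 and
 * 192..255 are never read and stay zero.
 */
static unsigned int dword_173F0[256] = {
    /* [0..63]: additive constants; these are MD5's 64 round constants. */
    0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE,
    0xF57C0FAF, 0x4787C62A, 0xA8304613, 0xFD469501,
    0x698098D8, 0x8B44F7AF, 0xFFFF5BB1, 0x895CD7BE,
    0x6B901122, 0xFD987193, 0xA679438E, 0x49B40821,
    0xF61E2562, 0xC040B340, 0x265E5A51, 0xE9B6C7AA,
    0xD62F105D, 0x2441453,  0xD8A1E681, 0xE7D3FBC8,
    0x21E1CDE6, 0xC33707D6, 0xF4D50D87, 0x455A14ED,
    0xA9E3E905, 0xFCEFA3F8, 0x676F02D9, 0x8D2A4C8A,
    0xFFFA3942, 0x8771F681, 0x6D9D6122, 0xFDE5380C,
    0xA4BEEA44, 0x4BDECFA9, 0xF6BB4B60, 0xBEBFBC70,
    0x289B7EC6, 0xEAA127FA, 0xD4EF3085, 0x4881D05,
    0xD9D4D039, 0xE6DB99E5, 0x1FA27CF8, 0xC4AC5665,
    0xF4292244, 0x432AFF97, 0xAB9423A7, 0xFC93A039,
    0x655B59C3, 0x8F0CCC92, 0xFFEFF47D, 0x85845DD1,
    0x6FA87E4F, 0xFE2CE6E0, 0xA3014314, 0x4E0811A1,
    0xF7537E82, 0xBD3AF235, 0x2AD7D2BB, 0xEB86D391,

    /* [128..191]: rotate amounts, four per row repeated for 16 rounds each. */
    [128] =
    7, 0xC, 0x11, 0x16, 7, 0xC, 0x11, 0x16,
    7, 0xC, 0x11, 0x16, 7, 0xC, 0x11, 0x16,
    5, 9, 0xE, 0x14, 5, 9, 0xE, 0x14,
    5, 9, 0xE, 0x14, 5, 9, 0xE, 0x14,
    4, 0xB, 0x10, 0x17, 4, 0xB, 0x10, 0x17,
    4, 0xB, 0x10, 0x17, 4, 0xB, 0x10, 0x17,
    6, 0xA, 0xF, 0x15, 6, 0xA, 0xF, 0x15,
    6, 0xA, 0xF, 0x15, 6, 0xA, 0xF, 0x15
};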
结果验证:
如果上面翻译成c了。有几串数据可以校验是否成功。
求助各位逆向大神
我也不会