逆向工程,求助一段arm neon的代码转成c语言

null-pionter 2022-11-28 12:23:21

有个so文件,用ida 转成了类c语言后,发现里面还有arm neon语言。编译不通过。neon转c又不熟悉


1)需求是:
把两个函数转成c语言,不能夹汇编。

3)大概的描述:

这是两个加密函数。

4)ida代码

 

第一个函数:

__int64 __fastcall data_rolling(const __int16 *a1, _WORD *a2)
{
  int8x16_t v2; // q18
  int8x16_t v3; // q17
  const __int16 *v4; // x19
  const __int16 *v5; // x20
  unsigned int v6; // w14
  unsigned int v7; // w15b
  unsigned int v8; // w16
  unsigned int v9; // w17
  const __int16 *v10; // x21
  unsigned int v11; // w7
  unsigned int v12; // w9
  unsigned int v13; // w6
  int v14; // w8
  char v15; // w11
  unsigned int v16; // w0
  char v17; // w10
  unsigned __int64 v18; // x5
  uint16x8_t v19; // q21
  uint16x8_t v20; // q5
  uint16x8_t v21; // q20
  uint16x8_t v22; // q4
  int v23; // w2
  unsigned int v24; // w22
  int v25; // w3
  int v26; // w2
  unsigned int v27; // w2
  _OWORD v29[4]; // [xsp+70h] [xbp+70h]
  int16x8x4_t v30; // 0:q0.16,16:q1.16,32:q2.16,48:q3.16
  int16x8x4_t v31; // 0:q22.16,16:q23.16,32:q24.16,48:q25.16

  v2.n128_u64[0] = 0xFF00FF00FF00FFLL;
  v2.n128_u64[1] = 0xFF00FF00FF00FFLL;
  v3.n128_u64[0] = 0xFF000000FFLL;
  v3.n128_u64[1] = 0xFF000000FFLL;
  v4 = a1;
  *((_WORD *)a1 + 64) = 128;
  v5 = a1 + 128;
  v6 = 271733878;
  v7 = -1732584194;
  *((_WORD *)a1 + 120) = 0;
  v8 = -271733879;
  *((_WORD *)a1 + 121) = 2;
  v9 = 1732584193;
  *((_WORD *)a1 + 122) = 0;
  *((_WORD *)a1 + 123) = 0;
  do
  {
    v10 = v4;
    v30 = vld4q_s16(v10);
    v10 += 32;
    v11 = v6;
    v12 = v7;
    v13 = v8;
    v14 = 0;
    v15 = 5;
    v31 = vld4q_s16(v10);
    v16 = v9;
    v17 = 1;
    v18 = 0LL;
    v19 = vandq_s8(v30.val[0], v2);
    v20 = vandq_s8(v30.val[2], v2);
    v21 = vandq_s8(v31.val[0], v2);
    v22 = vandq_s8(v31.val[2], v2);
    v29[0] = vorrq_s8(
               vorrq_s8(
                 vorrq_s8(
                   vshlq_n_s32(vmovl_u16((uint16x4_t)v30.val[3].n128_u64[0]), 0x18uLL),
                   vmovl_u16((uint16x4_t)v19.n128_u64[0])),
                 vandq_s8(vshlq_n_s32(vmovl_u16((uint16x4_t)v30.val[1].n128_u64[0]), 8uLL), v3)),
               vshlq_n_s32(vmovl_u16((uint16x4_t)v20.n128_u64[0]), 0x10uLL));
    v29[1] = vorrq_s8(
               vorrq_s8(
                 vorrq_s8(vshlq_n_s32(vmovl_high_u16(v30.val[3]), 0x18uLL), vmovl_high_u16(v19)),
                 vandq_s8(vshlq_n_s32(vmovl_high_u16(v30.val[1]), 8uLL), v3)),
               vshlq_n_s32(vmovl_high_u16(v20), 0x10uLL));
    v29[2] = vorrq_s8(
               vorrq_s8(
                 vorrq_s8(
                   vshlq_n_s32(vmovl_u16((uint16x4_t)v31.val[3].n128_u64[0]), 0x18uLL),
                   vmovl_u16((uint16x4_t)v21.n128_u64[0])),
                 vandq_s8(vshlq_n_s32(vmovl_u16((uint16x4_t)v31.val[1].n128_u64[0]), 8uLL), v3)),
               vshlq_n_s32(vmovl_u16((uint16x4_t)v22.n128_u64[0]), 0x10uLL));
    v29[3] = vorrq_s8(
               vorrq_s8(
                 vorrq_s8(vshlq_n_s32(vmovl_high_u16(v31.val[3]), 0x18uLL), vmovl_high_u16(v21)),
                 vandq_s8(vshlq_n_s32(vmovl_high_u16(v31.val[1]), 8uLL), v3)),
               vshlq_n_s32(vmovl_high_u16(v22), 0x10uLL));
    while ( 1 )
    {
      v24 = v18;
      if ( v18 <= 0xF )
      {
        v23 = v11 & ~v13 | v12 & v13;
      }
      else if ( (unsigned int)v18 <= 0x1F )
      {
        v23 = v12 & ~v11 | v11 & v13;
        v24 = v17 & 0xF;
      }
      else if ( (unsigned int)v18 > 0x2F )
      {
        v24 = v14 & 0xF;
        v23 = (v13 | ~v11) ^ v12;
      }
      else
      {
        v24 = v15 & 0xF;
        v23 = v12 ^ v13 ^ v11;
      }
      v14 += 7;
      v25 = v23 + dword_173F0[v18];
      v26 = dword_173F0[v18++ + 128];
      v17 += 5;
      v15 += 3;
      v27 = __ROR4__(v25 + *((_DWORD *)v29 + v24) + v16, -(char)v26) + v13;
      v16 = v11;
      if ( v14 == 448 )
        break;
      v11 = v12;
      v12 = v13;
      v13 = v27;
    }
    v4 += 64;
    v9 += v11;
    v8 += v27;
    v7 += v13;
    v6 += v12;
  }
  while ( v4 != v5 );
  *a2 = (unsigned __int8)v9;
  a2[2] = BYTE2(v9);
  a2[4] = (unsigned __int8)v8;
  a2[6] = BYTE2(v8);
  a2[1] = BYTE1(v9);
  a2[8] = (unsigned __int8)v7;
  a2[5] = BYTE1(v8);
  a2[10] = BYTE2(v7);
  a2[9] = BYTE1(v7);
  a2[12] = (unsigned __int8)v6;
  a2[3] = HIBYTE(v9);
  a2[14] = BYTE2(v6);
  a2[13] = BYTE1(v6);
  a2[7] = HIBYTE(v8);
  a2[11] = HIBYTE(v7);
  a2[15] = HIBYTE(v6);
  return _stack_chk_guard;
}
第二个函数:

int16x8_t *__fastcall traffic_mapping(int16x8_t *a1, unsigned __int16 a2, uint16x4_t *a3)
{
  int v3; // w22
  __int16 *v6; // x3
  unsigned int v7; // w4
  __int16 v8; // w21
  __int16 v9; // w18
  int v10; // w13
  unsigned int v11; // w9
  __int16 v12; // w17
  unsigned int v13; // w6
  int v14; // w12
  __int16 v15; // w16
  unsigned int v16; // w5
  int v17; // w11
  unsigned int v18; // w4
  __int16 v19; // w15
  unsigned int v20; // w8
  int v21; // w10
  unsigned int v22; // w7
  unsigned int v23; // w6
  unsigned int v24; // w5
  unsigned int v25; // w4
  unsigned int v26; // w3
  int16x8_t *result; // x0
  int16x8_t *v28; // x2
  unsigned __int16 v29; // w1
  unsigned __int16 v30; // w0
  __int16 v31; // w7
  unsigned __int16 v32; // w6
  unsigned __int16 v33; // w5
  __int16 v34; // w4
  unsigned __int16 v35; // w3
  unsigned __int16 v36; // w2
  __int16 v37; // w1
  unsigned __int16 v38; // w0
  unsigned __int16 v39; // w3
  unsigned __int16 v40; // w2
  __int16 v41; // w1
  int v42; // w0

  v3 = a2;
  memset(&word_152880, 0, 0x200uLL);
  if ( v3 )
    v6 = &staticProjectKey;
  else
    v6 = staticPacketKey;
  word_152880 = a1->n128_u8[0];
  word_152882 = a1->n128_u8[1];
  word_152884 = a1->n128_u8[2];
  word_152886 = a1->n128_u8[3];
  word_152888 = a1->n128_u8[4];
  word_15288A = a1->n128_u8[5];
  word_15288C = a1->n128_u8[6];
  word_15288E = a1->n128_u8[7];
  word_152890 = a1->n128_u8[8];
  word_152892 = a1->n128_u8[9];
  word_152894 = a1->n128_u8[10];
  word_152896 = a1->n128_u8[11];
  word_152898 = a1->n128_u8[12];
  word_15289A = a1->n128_u8[13];
  word_15289C = a1->n128_u8[14];
  word_15289E = a1->n128_u8[15];
  word_1528A0 = a1[1].n128_u8[0];
  word_1528A2 = a1[1].n128_u8[1];
  v7 = (unsigned __int16)*v6;
  word_1528A4 = a1[1].n128_u8[2];
  word_1528A6 = a1[1].n128_u8[3];
  word_1528A8 = a1[1].n128_u8[4];
  word_1528AA = a1[1].n128_u8[5];
  word_1528AC = a1[1].n128_u8[6];
  word_1528AE = a1[1].n128_u8[7];
  word_1528B0 = a1[1].n128_u8[8];
  word_1528B2 = a1[1].n128_u8[9];
  word_1528B4 = a1[1].n128_u8[10];
  word_1528B6 = a1[1].n128_u8[11];
  word_1528B8 = a1[1].n128_u8[12];
  word_1528BA = a1[1].n128_u8[13];
  word_1528BC = a1[1].n128_u8[14];
  word_1528BE = a1[1].n128_u8[15];
  word_1528C0 = (unsigned __int8)v7;
  word_1528C2 = v7 >> 8;
  v8 = (unsigned __int8)v6[1];
  v9 = (unsigned __int8)v6[2];
  v10 = HIBYTE(v6[2]);
  v11 = (unsigned __int16)v6[6];
  v12 = (unsigned __int8)v6[3];
  v13 = (unsigned __int16)v6[9];
  v14 = HIBYTE(v6[3]);
  v15 = (unsigned __int8)v6[4];
  v16 = (unsigned __int16)v6[10];
  v17 = HIBYTE(v6[4]);
  v18 = (unsigned __int16)v6[11];
  v19 = (unsigned __int8)v6[5];
  v20 = (unsigned __int16)v6[7];
  v21 = HIBYTE(v6[5]);
  v22 = (unsigned __int16)v6[8];
  word_1528C6 = HIBYTE(v6[1]);
  word_1528D2 = v17;
  word_1528D6 = v21;
  word_1528DA = v11 >> 8;
  word_1528CA = v10;
  word_1528CE = v14;
  word_1528DE = v20 >> 8;
  word_1528E8 = (unsigned __int8)v16;
  word_1528EA = v16 >> 8;
  word_1528E2 = v22 >> 8;
  word_1528EC = (unsigned __int8)v18;
  word_1528EE = v18 >> 8;
  word_1528C4 = v8;
  word_1528C8 = v9;
  word_1528CC = v12;
  word_1528D0 = v15;
  word_1528D4 = v19;
  word_1528D8 = (unsigned __int8)v11;
  word_1528DC = (unsigned __int8)v20;
  word_1528E0 = (unsigned __int8)v22;
  word_1528E4 = (unsigned __int8)v13;
  word_1528E6 = v13 >> 8;
  v23 = (unsigned __int16)v6[12];
  v24 = (unsigned __int16)v6[13];
  v25 = (unsigned __int16)v6[14];
  LOWORD(v21) = (unsigned __int8)v6[12];
  v26 = (unsigned __int16)v6[15];
  word_1528F0 = v21;
  word_1528F2 = v23 >> 8;
  word_1528F4 = (unsigned __int8)v24;
  word_1528F6 = v24 >> 8;
  word_1528F8 = (unsigned __int8)v25;
  word_1528FA = v25 >> 8;
  word_1528FC = (unsigned __int8)v26;
  word_1528FE = v26 >> 8;
  data_rolling(&word_152880, a3);
  result = a1 + 1;
  v28 = (int16x8_t *)&a3[6];
  if ( &a3[4] < (uint16x4_t *)&a1[1] && a1 < v28 )
  {
    v29 = a3->n64_u16[1];
    v30 = a3->n64_u16[2];
    a3[4].n64_u16[0] = 4 * a3->n64_u16[0] * a1->n128_u16[0];
    v31 = 4 * a3->n64_u16[3];
    v32 = a3[1].n64_u16[0];
    v33 = a3[1].n64_u16[1];
    a3[4].n64_u16[1] = 4 * v29 * a1->n128_u16[1];
    v34 = 4 * a3[1].n64_u16[2];
    v35 = a3[1].n64_u16[3];
    v36 = a3[2].n64_u16[0];
    a3[4].n64_u16[2] = 4 * v30 * a1->n128_u16[2];
    v37 = 4 * a3[2].n64_u16[1];
    v38 = a3[2].n64_u16[2];
    a3[4].n64_u16[3] = v31 * a1->n128_u16[3];
    a3[5].n64_u16[0] = 4 * v32 * a1->n128_u16[4];
    a3[5].n64_u16[1] = 4 * v33 * a1->n128_u16[5];
    a3[5].n64_u16[2] = v34 * a1->n128_u16[6];
    a3[5].n64_u16[3] = 4 * v35 * a1->n128_u16[7];
    a3[6].n64_u16[0] = 4 * v36 * a1[1].n128_u16[0];
    a3[6].n64_u16[1] = v37 * a1[1].n128_u16[1];
    a3[6].n64_u16[2] = 4 * v38 * a1[1].n128_u16[2];
    v39 = a3[3].n64_u16[0];
    v40 = a3[3].n64_u16[1];
    a3[6].n64_u16[3] = 4 * a3[2].n64_u16[3] * a1[1].n128_u16[3];
    v41 = 4 * a3[3].n64_u16[2];
    v42 = a3[3].n64_u16[3];
    a3[7].n64_u16[0] = 4 * v39 * a1[1].n128_u16[4];
    a3[7].n64_u16[1] = 4 * v40 * a1[1].n128_u16[5];
    a3[7].n64_u16[2] = v41 * a1[1].n128_u16[6];
    result = (int16x8_t *)(4 * v42 * (unsigned int)a1[1].n128_u16[7]);
    a3[7].n64_u16[3] = (unsigned __int16)result;
  }
  else
  {
    *(int16x8_t *)a3[4].n64_u64 = vmulq_s16(
                                    vmovn_hight_s32(
                                      vmovn_s32(vshlq_n_s32(vmovl_u16((uint16x4_t)a3->n64_u64[0]), 2uLL)),
                                      vshlq_n_s32(vmovl_high_u16(*(uint16x8_t *)a3->n64_u64), 2uLL)),
                                    *a1);
    *v28 = vmulq_s16(
             vmovn_hight_s32(
               vmovn_s32(vshlq_n_s32(vmovl_u16(a3[2]), 2uLL)),
               vshlq_n_s32(vmovl_high_u16(*(uint16x8_t *)a3[2].n64_u64), 2uLL)),
             *result);
  }
  return result;
}

函数中有些用到的全局变量如下:

static unsigned short staticProjectkey[] = 
{0x92dd, 0xb378, 0xd071, 0x11ec,0xBB7E, 0x5076,0xAFD5,0x894F, 0x1874,0xA689,0x50DC,0x4ECB,0xB703,0x5D17,0x507B,0x7427};


static unsigned short staticPacketKey[] = 
{0x92EF, 0x4145, 0xD071, 0x11EC, 0x84C9, 0x5076,0xAFD5 ,0x894F,0xD90D, 0xDAAC,
0xB8D3, 0x4B74,0x8EA6,0x495C,0xB1FE ,0x467C};


static uint32 dword_173F0[256] = {
0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE, 0xF57C0FAF,	0x4787C62A, 0xA8304613, 0xFD469501, 0x698098D8, 0x8B44F7AF,0xFFFF5BB1, 0x895CD7BE, 0x6B901122, 0xFD987193, 0xA679438E,0x49B40821, 0xF61E2562, 0xC040B340, 0x265E5A51, 0xE9B6C7AA,
0xD62F105D, 0x2441453, 0xD8A1E681, 0xE7D3FBC8, 0x21E1CDE6,0xC33707D6, 0xF4D50D87, 0x455A14ED, 0xA9E3E905, 0xFCEFA3F8,0x676F02D9, 0x8D2A4C8A, 0xFFFA3942, 0x8771F681, 0x6D9D6122,
0xFDE5380C, 0xA4BEEA44, 0x4BDECFA9, 0xF6BB4B60, 0xBEBFBC70,0x289B7EC6, 0xEAA127FA, 0xD4EF3085, 0x4881D05, 0xD9D4D039, 0xE6DB99E5, 0x1FA27CF8, 0xC4AC5665, 0xF4292244, 0x432AFF97,
0xAB9423A7, 0xFC93A039, 0x655B59C3, 0x8F0CCC92, 0xFFEFF47D,0x85845DD1, 0x6FA87E4F, 0xFE2CE6E0, 0xA3014314, 0x4E0811A1,0xF7537E82, 0xBD3AF235, 0x2AD7D2BB, 0xEB86D391, 0,
//65
 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 //51
 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 0xC, 0x11, 0x16,7, 0xC, 0x11, 0x16, 7, 0xC, 0x11, 0x16, 7, 0xC, 0x11,
 //27
 0x16, 5, 9, 0xE, 0x14, 5, 9, 0xE, 0x14, 5, 9, 0xE,
 //12
 0x14, 5, 9, 0xE, 0x14, 4, 0xB, 0x10, 0x17, 4, 0xB,
 //11
 0x10, 0x17, 4, 0xB, 0x10, 0x17, 4, 0xB, 0x10, 0x17,
 //10
 6, 0xA, 0xF, 0x15, 6, 0xA, 0xF, 0x15, 6, 0xA, 0xF,
 //11
 0x15, 6, 0xA, 0xF, 0x15, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 //14
 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 0, 0, 0, 0,
 //55
}

 

结果验证:

如果上面翻译成c了。有几串数据可以校验是否成功。

 

求助各位逆向大神

...全文
成就一亿技术人!
拼手气红包 10.00元
698 1 打赏 收藏 转发到动态 举报
AI 作业
写回复
用AI写文章
1 条回复
切换为时间正序
请发表友善的回复…
发表回复
Arm精选 2023-01-29
  • 打赏
  • 举报
 回复

我也不会

深入解剖cpu编译到执行二进制代码全过程:ARM/X86双修圣典之看懂这份objdump就可以理解CPU如何执行二进制 一份雷军也说这汇编我服了的CPU级汇编分解剖析 嵌入式硬核玩家的汇编透视
当你敲下 gcc main.c -o a.out,再执行 ./a.out,屏幕上蹦出“Hello World!”的时候,你有没有想过,这背后到底发生了什么?你的C语言代码,是如何一步步变成CPU能够理解的机器指令,又是如何被操作系统加载并执行的?今天,咱们就通过一份你提供的真实的 objdump -d a.out 输出,来深入探索程序的“骨架”——汇编代码
区块链在游戏中的应用.pptx
区块链在游戏中的应用.pptx
远为GOFAR智能门锁sdk接口函数
一:函数定义 function integer opencomm( integer com) library "larkdll.dll" function integer closecomm() library "larkdll.dll" function integer deletecard(string a) library "larkdll.dll" alias for "deletecard;Ansi" function integer makecard(string a1,string a2,string a3,string a4,string a5,string a6,string a7) library "larkdll.dll" alias for "makecard;Ansi" function integer readcard(ref string a1,string a) library "larkdll.dll" alias for "readcard;Ansi" 二:打开串口 integer dd if ddlb_1.text = "串口1" then dd = 0 if ddlb_1.text = "串口2" then dd = 1 if ddlb_1.text = "串口3" then dd = 2 if ddlb_1.text = "串口4" then dd = 3 if opencomm(dd) = 0 then messagebox("提示信息","ok!",question!,YesNo!) else messagebox("提示信息",opencomm(dd),question!,YesNo!) end if 三:读卡 string buf integer stat =
基于RF-RFE算法的地铁车站洪涝灾害预测研究.docx
基于RF-RFE算法的地铁车站洪涝灾害预测研究.docx
极简精致苹果IOS风格PPT模板.pptx
极简精致苹果IOS风格PPT模板.pptx
ARM学习问答社区

32

社区成员

13

社区内容

发帖
与我相关
我的任务
社区描述
ARMv8/ARMv9/SOC/芯片/Trustzone/TEE/安全/ATF/TF-A/ARM....,”ARM-Trustzone-TEE-ATF-SOC“群的问答与交流
arm开发 个人社区 上海·浦东新区
社区管理员
  • Arm精选
加入社区
  • 近7日
  • 近30日
  • 至今

加载中

查看更多榜单
社区公告
暂无公告

试试用AI创作助手写篇文章吧

+ 用AI写文章