爆破
假码 pName = xuanci pKey = 00112233445566778899
登录出错 复制错误信息
---------------------------
010 Editor
---------------------------
Invalid name or password. Please enter your name and password exactly as given when you purchased 010 Editor (make sure no quotes are included).
---------------------------
&OK
---------------------------
字符串搜索下 看看能不能搜索到相关信息
也可以通过CreateWindowExW回溯找到 看自己来
这里看了下不让他跳 也没见到登录成功的地方,那我们一步一步跟上去看看
可以看出这里成功了 那么是不是我们在上面NOP掉直接就能成功,奔着这个思想 我们来验证下
好像真的可以了,那我们就来看看到底做了些什么可以让他走过这个地方
002A1D30 > \81FB DB000000 cmp ebx, 0xDB ; 根据这条汇编指令我们知道 ebx == 0xDB即可成功
002A1C40 . E8 747BE5FF call 000F97B9 ; eax == 0xDB即可成功
002A1C45 . 8B0D 7C257000 mov ecx, dword ptr [0x70257C]
002A1C4B . 8BD8 mov ebx, eax ; 可以看到ebx == eax
002A1C4D . 8B45 E0 mov eax, dword ptr [ebp-0x20]
002A1C50 . 3D E7000000 cmp eax, 0xE7
往上跟踪我们可以找到ebx来自于eax, 而eax是 call 000F97B9 的返回值, 那么eax == 0xDB是不是就能跳到成功了? 我们看看他什么情况下恒为0xDB
进CALL 最下面 我们可以看到
003D5B99 |> \5F pop edi ; Case 2D of switch 003D5AF3
003D5B9A |. B8 DB000000 mov eax, 0xDB
003D5B9F |. 5E pop esi
003D5BA0 |. 5D pop ebp
003D5BA1 \. C2 0800 retn 0x8
003D5B99又是从 003D5AF6 |. /0F84 9D000000 je 003D5B99 跳转来的 我们只需要让je满足条件即可
003D5AEE |. E8 DDC1D1FF call 000F1CD0
003D5AF3 |. 83F8 2D cmp eax, 0x2D ; Switch (cases 2D..E7)
003D5AF6 |. /0F84 9D000000 je 003D5B99
call 000F1CD0 返回值恒为 0x2D即可了
那么我们进CALL 给他
mov eax,0x2D
ret 8
注意这里涉及了重定位 那么我们先把随机基址给去除吧
可以先打开我们刚刚爆破的那个010Editor 然后把没修改的拖进去 去修改随机基址
按Install安装下模板 安装好 我们就去找dll标志的字段
这里我们改成0 Ctrl+s保存即可
这时候我们再回去找到原来的地方给他修改汇编代码即可
提示我这个 其实按正常来说 应该是可以OK的 但是这里多了个网络验证 我们就得把网络验证去掉
我们OD载入刚修改好的 然后在刚刚修改的地方下断即可 但不跟踪
我们继续往下找是否还有错误的地方
重新来过
这里给他置1 让他的zf标志位为0
成功 这里我们有很多种方法 可以爆破 可以使用
005B1CEA > \75 27 jnz short 005B1D13
改成
005B1CEA > \75 27 jz short 005B1D13
也可以根据上面爆破0x2D一样CALL里返回值让他恒为1
005B3460 B8 01000000 mov eax, 0x1
005B3465 C2 0400 retn 0x4
005B3468 90 nop
005B3469 90 nop
这里随便就看自己了
算法分析
综上所述 我们得知 那个控制0x2D的CALL就是我们需要分析的地方 只要他==0x2D我们就可以过掉本地验证 分析出算法 我们就可以写出注册机
至于网络验证,我们就需要自己去打补丁也好 怎么搞也好 就要看自己了
那么我们来到返回0x2D的地方进行分析吧
005B1C1E . 8B0D 7C25A100 mov ecx, dword ptr [0xA1257C]
005B1C24 . 68 67480000 push 0x4867
005B1C29 . 6A 0C push 0xC
005B1C2B . E8 A000E5FF call 00401CD0
005B1C30 . 8B0D 7C25A100 mov ecx, dword ptr [0xA1257C]
首先看下参数 一个 0xC 0x4867 ecx我们去看下内存 看看到底是什么
看着是个地址 那么我们跟进去过去看看到底都是什么
我们在ECX + 4的地址哪里看到了用户名
在ECX + 8的地址哪里看到了KEY
那么我们可以猜测这里是不是一个对象 里面存放着账号密码 UNICODE类型的 还有一些我们不知道的值 具体用到再去分析
我们进CALL 去逐步分析
006E5229 > \8A45 E7 mov al, byte ptr [ebp-0x19] ; al == k[3]
006E522C . 3C 9C cmp al, 0x9C ; 这里判断K[3]是否等于0x9C; Switch (cases 9C..FC)
006E522E . 75 70 jnz short 006E52A0
这里K[3] != 0x9C就继续判断
006E52A0 > \3C FC cmp al, 0xFC
006E52A2 . 75 1F jnz short 006E52C3
判断是否等于0xFC不等于在继续判断
006E52C3 > \3C AC cmp al, 0xAC
006E52C5 . 0F85 94010000 jnz 006E545F
这里再判断是否等于0xAC 再不行就给EAX == 0xE7 那么我们想获取的是0x2D 这里获取E7肯定不对
这样我们就可以猜测K[3] == 0x9C / 0xFC / 0xAC
分析一段逻辑 进行代码测试
006E5229 > \8A45 E7 mov al, byte ptr [ebp-0x19] ; al == k[3]
006E522C . 3C 9C cmp al, 0x9C ; 这里判断K[3]是否等于0x9C; Switch (cases 9C..FC)
006E522E . 75 70 jnz short 006E52A0
006E5230 . 8A45 E4 mov al, byte ptr [ebp-0x1C] ; al == K[0]; Case 9C of switch 006E522C
006E5233 . 3245 EA xor al, byte ptr [ebp-0x16] ; al == k[0]^k[6]
006E5236 . 8845 DC mov byte ptr [ebp-0x24], al
006E5239 . 8A45 E5 mov al, byte ptr [ebp-0x1B] ; al == k[1]
006E523C . 3245 EB xor al, byte ptr [ebp-0x15] ; al == k[1]^k[7]
006E523F . FF75 DC push dword ptr [ebp-0x24] ; push al == k[0]^k[6]
006E5242 . 0FB6C8 movzx ecx, al ; ecx == (k[1]^k[7])&0xFF
006E5245 . B8 00010000 mov eax, 0x100 ; eax == 0x100
006E524A . 0FAFC8 imul ecx, eax ; ecx = ((k[1]^k[7])&0xFF)*0x100
006E524D . 8A45 E6 mov al, byte ptr [ebp-0x1A] ; al == k[2]
006E5250 . 3245 E9 xor al, byte ptr [ebp-0x17] ; al == k[2]^k[5]
006E5253 . 0FB6C0 movzx eax, al ; eax == (k[2]^k[5])&0xFF
006E5256 . 66:03C8 add cx, ax ; cx = (((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)
006E5259 . 0FB7F1 movzx esi, cx ; esi = (((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF
006E525C . E8 5309D2FF call 00405BB4 ; 处理K[0]和K[6] al == ((k[0]^k[6])^0x18 + 0x3D)^0xA7
006E5261 . 0FB6C0 movzx eax, al ; eax == (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF
006E5264 . 56 push esi ; push esi = (((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF
006E5265 . 8943 1C mov dword ptr [ebx+0x1C], eax ; 下面CALL 返回 eax = ((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421
006E5268 . E8 D84FD2FF call 0040A245 ; 计算的值和0xB做除法 余数不为0则返回0 余数为0则返回商
006E526D . 8B4B 1C mov ecx, dword ptr [ebx+0x1C] ; ecx == (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF
006E5270 . 83C4 08 add esp, 0x8
006E5273 . 0FB7C0 movzx eax, ax ; eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF
006E5276 . 8943 20 mov dword ptr [ebx+0x20], eax
006E5279 . 85C9 test ecx, ecx ; 判断 (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF != 0
006E527B . 0F84 DE010000 je 006E545F
006E5281 . 85C0 test eax, eax ; 判断 eax = (((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421)&0xFFFF != 0
006E5283 . 0F84 D6010000 je 006E545F
006E5289 . 3D E8030000 cmp eax, 0x3E8 ; 且 eax < 0x3E8
006E528E . 0F87 CB010000 ja 006E545F
可以看到 最后就是比较
判断 (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF != 0
判断 eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF != 0
判断 eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF < 0x3E8
已知K[3] == 0x9C / 0xFC / 0xAC
那么我们就开始写代码测试吧
#include <stdio.h>
#include <windows.h>
#include <time.h>
/*
 * Test program for the locally checked key constraints recovered from the
 * disassembly above.  It draws random bytes until the two conditions in
 * the comment block hold, keeps byte 3 fixed at 0x9C (one of the three
 * values the switch at 006E522C accepts), prints the 10-byte buffer as hex
 * and waits for Enter.
 *
 * NOTE(review): `byte`, `DWORD` and `true` are not standard C; they come
 * from <windows.h> (or a C++ build), so this only builds on MSVC/Win32.
 * rand() seeded from time() is adequate for a search like this but is not a
 * cryptographic generator.
 */
int main()
{
    /*
    Check: (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF != 0
    Check: eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF != 0
    Check: eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF < 0x3E8
    Known: K[3] == 0x9C / 0xFC / 0xAC
    */
    byte bKey[10] = { 0 };  /* bytes 8 and 9 are never assigned and print as 00 */
    bKey[3] = 0x9C;         /* byte 3: the switch at 006E522C accepts 0x9C / 0xFC / 0xAC */
    srand(time(NULL));      /* wall-clock seed: every run yields a different candidate */
    while (true)
    {
        byte k0 = rand() % 0xFF;    /* rand() % 0xFF gives 0..0xFE; 0xFF is never drawn */
        byte k6 = rand() % 0xFF;
        /* C precedence: `+` binds tighter than `^`, so this evaluates as
         * (k0 ^ k6) ^ (0x18 + 0x3D) ^ 0xA7.  Whether the target's helper
         * (call 00405BB4, not shown on this page) groups it the same way
         * cannot be confirmed here; the test applied is only `!= 0`. */
        byte s1 = (((k0 ^ k6) ^ 0x18 + 0x3D) ^ 0xA7) & 0xFF;
        if (s1 != 0)
        {
            // K0 and K6 found
            bKey[0] = k0;
            bKey[6] = k6;
            break;
        }
    }
    while (true)
    {
        byte k1 = rand() % 0xFF;
        byte k7 = rand() % 0xFF;
        byte k2 = rand() % 0xFF;
        byte k5 = rand() % 0xFF;
        /* 16-bit value ((k1^k7) << 8) | (k2^k5), then the xor/add/xor mix
         * from the comment at 006E5265, truncated to 16 bits */
        DWORD s1 = (((((((k1 ^ k7) & 0xFF) * 0x100) + ((k2 ^ k5) & 0xFF) & 0xFFFF) ^ 0x7892) + 0x4D30) ^ 0x3421) & 0xFFFF;
        /* mirrors 006E5268..006E528E: the helper divides by 0xB and returns 0
         * on a non-zero remainder; the quotient is then compared with 0x3E8 */
        if ((s1 % 0xB) == 0 && (s1 / 0xB) < 0x3E8)
        {
            bKey[1] = k1;
            bKey[7] = k7;
            bKey[2] = k2;
            bKey[5] = k5;
            break;
        }
    }
    for (int i = 0; i < 10; i++)
    {
        printf("%02X", bKey[i]);    /* byte promotes to int; values are 0..255 */
    }
    getchar();  /* keep the console window open */
    return 0;
}
得出KEY:53BDF79C000D8D1F
我们输入KEY 重新来过 看看能不能到达我们想到达的地方
走到了我们想到达的地方
这里我们看到了 返回了 ASCII码的Name
006E5355 . 8BCF mov ecx, edi ; ecx == pName
006E5357 . 50 push eax ; /Arg1
006E5358 . FF15 104AA100 call dword ptr [<&Qt5Core.QString::to>; \QString::toUtf8
006E535E . FF73 20 push dword ptr [ebx+0x20] ; 这里是 call 0040A245的返回值
006E5361 . 33C0 xor eax, eax
006E5363 . C745 FC 00000>mov dword ptr [ebp-0x4], 0x0
006E536A . 807D E7 FC cmp byte ptr [ebp-0x19], 0xFC ; 判断K[3]是否为0xFC 因为我们写的是0x9C所以是个定值
006E536E . 8D4D D4 lea ecx, dword ptr [ebp-0x2C] ; ASCII Name的对象
006E5371 . 56 push esi ; 0
006E5372 . 0f95c0 setne al
006E5375 . 50 push eax ; 1
006E5376 . FF15 6C42A100 call dword ptr [<&Qt5Core.QByteArray:>; eax == ASCCName
006E537C . 50 push eax ; 用户名
006E537D . E8 B2ECD1FF call 00404034 ; 目前不知道是干嘛 进去看看好像也是加密 先不问
006E5382 . 8BD0 mov edx, eax ; edx == eax
006E5384 . 83C4 10 add esp, 0x10 ; 堆栈平衡 从这里可以猜测上面为4个参数
006E5387 . 3855 E8 cmp byte ptr [ebp-0x18], dl ; k[4] == edx&0xFF
006E538A . 0F85 BD000000 jnz 006E544D
006E5390 . 8BCA mov ecx, edx
006E5392 . C1E9 08 shr ecx, 0x8
006E5395 . 384D E9 cmp byte ptr [ebp-0x17], cl ; k[5] == edx >> 0x8 &0xFF
006E5398 . 0F85 AF000000 jnz 006E544D
006E539E . 8BCA mov ecx, edx
006E53A0 . C1E9 10 shr ecx, 0x10
006E53A3 . 384D EA cmp byte ptr [ebp-0x16], cl ; k[6] == edx >> 0x10 &0xFF
006E53A6 . 0F85 A1000000 jnz 006E544D
006E53AC . C1E8 18 shr eax, 0x18
006E53AF . 3845 EB cmp byte ptr [ebp-0x15], al ; k[7] == edx >> 0x18 &0xFF
006E53B2 . 0F85 95000000 jnz 006E544D
006E53B8 . 8A45 E7 mov al, byte ptr [ebp-0x19]
006E53BB . 3C 9C cmp al, 0x9C ; k[3] == 0x9C; Switch (cases 9C..FC)
006E53BD . 75 1D jnz short 006E53DC
006E53BF . 8B45 08 mov eax, dword ptr [ebp+0x8] ; Case 9C of switch 006E53BB
006E53C2 . 3B43 1C cmp eax, dword ptr [ebx+0x1C]
006E53C5 . 76 74 jbe short 006E543B ; 如果上述条件都成立就说明成功了 这样我们就可以确定那个CALL 就是在验证Name和K[4]-K[7]之间的关系
我们进入那个加密CALL 去IDA看下 看看能不能直接提取出来用
地址:006E4300 /> \55 push ebp
/*
 * IDA pseudocode of the routine at 006E4300, pasted as-is (MSVC-style
 * `unsigned __int8`, decompiler temporaries v4..v20, table symbol
 * dword_A04AD8 = the 256-entry DWORD table dumped further down).
 *
 * Parameters, per the author's note that follows the listing: a1 is an
 * ASCII string, a2 is always 1, a3 always 0, a4 is the value returned by
 * call 0040A245.  Returns a 32-bit accumulator built from one table
 * lookup pass per character of a1 (0 for an empty string).
 *
 * NOTE(review): a1 must not be NULL (strlen on NULL is UB).  Every table
 * index is reduced to 8 bits before use (the `(unsigned __int8)` casts and
 * the uint8 counters), so the 256-entry table is not overrun.  The
 * products and sums rely on 32-bit wraparound; if the table's element type
 * is signed that is UB in C, the hardware simply wraps.
 */
int __cdecl sub_6E4300(const char *a1, int a2, char a3, int a4)
{
    const char *v4; // edx
    int v5; // esi
    signed int v6; // edi
    signed int v7; // ebx
    int v8; // eax
    int v9; // ecx
    int v10; // edx
    int v11; // esi
    unsigned __int8 v12; // al
    int v13; // esi
    int v14; // eax
    int v16; // [esp+Ch] [ebp-18h]
    int v17; // [esp+10h] [ebp-14h]
    unsigned __int8 v18; // [esp+14h] [ebp-10h]
    unsigned __int8 v19; // [esp+18h] [ebp-Ch]
    unsigned __int8 v20; // [esp+1Ch] [ebp-8h]
    v4 = a1;
    v5 = 0;             // running accumulator, returned at the end
    v6 = strlen(a1);
    v7 = 0;             // character index
    if ( v6 > 0 )
    {
        v17 = 15 * a4;  // per-character counter seeded from a4, stepped by 13 each round
        v18 = 0;        // 8-bit counters: +7 and +19 per character; a2 selects which one is used
        v19 = 0;
        v20 = 17 * a3;  // 8-bit counter seeded from a3, +9 per character
        do
        {
            v8 = toupper((unsigned __int8)v4[v7]);  // case-insensitive: the upper-cased byte is the table index
            v16 = v20;
            v9 = v17;
            v17 = (unsigned __int8)v17;             // only the low byte of the counter is used as an index
            v10 = v5 + dword_A04AD8[v8];
            if ( a2 )   // a2 picks the table offsets (+47/+13 vs +23/+63) and the counter (v19 vs v18)
            {
                v11 = dword_A04AD8[(unsigned __int8)(v8 + 47)] * (v10 ^ dword_A04AD8[(unsigned __int8)(v8 + 13)]);
                v12 = v19;
            }
            else
            {
                v11 = dword_A04AD8[(unsigned __int8)(v8 + 23)] * (v10 ^ dword_A04AD8[(unsigned __int8)(v8 + 63)]);
                v12 = v18;
            }
            v20 += 9;   // advance the 8-bit counters (they wrap mod 256)
            ++v7;
            v19 += 19;
            v18 += 7;
            v4 = a1;
            v13 = dword_A04AD8[v12] + v11;
            v14 = v17;
            v17 = v9 + 13;
            v5 = dword_A04AD8[v16] + dword_A04AD8[v14] + v13;  // fold three more lookups into the accumulator
        }
        while ( v7 < v6 );
    }
    return v5;
}
先来修改参数类型 第一个参数是字符串 一定是ASCII码 因为传过去的就是ASCII的字符串 第二个参数恒为1 第三个参数恒为0 第四个参数是call 0040A245的返回值 这个返回值是 /0xB 的结果 不是商就是0 然后再判断是否 < 0x3E8
这样我们就可以先用这个CALL 加载相应的Name 和 第四个参数大于0 小于 0x3E8
生成K[4] - K[7]
再随机生成别的值好像就可以了 我们开始修改代码
根据代码所看到的 基本上都在对一个数组进行操作 我们找到地址 用OD给copy出来
数组地址00A04AD8
/* 256 DWORD entries (16 rows of 16) dumped from the target at 00A04AD8 —
 * the dword_A04AD8 table referenced by the decompiled routine above.
 * Every index that routine uses is reduced to 8 bits, so 256 entries
 * cover all accesses.  Copied as-is; no value was altered. */
DWORD dwBuff[] =
{
    0x39cb44b8, 0x23754f67, 0x5f017211, 0x3ebb24da, 0x351707c6, 0x63f9774b, 0x17827288, 0x0fe74821, 0x5b5f670f, 0x48315ae8, 0x785b7769, 0x2b7a1547, 0x38d11292, 0x42a11b32, 0x35332244, 0x77437b60,
    0x1eab3b10, 0x53810000, 0x1d0212ae, 0x6f0377a8, 0x43c03092, 0x2d3c0a8e, 0x62950cbf, 0x30f06ffa, 0x34f710e0, 0x28f417fb, 0x350d2f95, 0x5a361d5a, 0x15cc060b, 0x0afd13cc, 0x28603bcf, 0x3371066b,
    0x30cd14e4, 0x175d3a67, 0x6dd66a13, 0x2d3409f9, 0x581e7b82, 0x76526b99, 0x5c8d5188, 0x2c857971, 0x15f51fc0, 0x68cc0d11, 0x49f55e5c, 0x275e4364, 0x2d1e0dbc, 0x4cee7ce3, 0x32555840, 0x112e2e08,
    0x6978065a, 0x72921406, 0x314578e7, 0x175621b7, 0x40771dbf, 0x3fc238d6, 0x4a31128a, 0x2dad036e, 0x41a069d6, 0x25400192, 0x00dd4667, 0x6afc1f4f, 0x571040ce, 0x62fe66df, 0x41db4b3e, 0x3582231f,
    0x55f6079a, 0x1ca70644, 0x1b1643d2, 0x3f7228c9, 0x5f141070, 0x3e1474ab, 0x444b256e, 0x537050d9, 0x0f42094b, 0x2fd820e6, 0x778b2e5e, 0x71176d02, 0x7fea7a69, 0x5bb54628, 0x19ba6c71, 0x39763a99,
    0x178d54cd, 0x01246e88, 0x3313537e, 0x2b8e2d17, 0x2a3d10be, 0x59d10582, 0x37a163db, 0x30d6489a, 0x6a215c46, 0x0e1c7a76, 0x1fc760e7, 0x79b80c65, 0x27f459b4, 0x799a7326, 0x50ba1782, 0x2a116d5c,
    0x63866e1b, 0x3f920e3c, 0x55023490, 0x55b56089, 0x2c391fd1, 0x2f8035c2, 0x64fd2b7a, 0x4ce8759a, 0x518504f0, 0x799501a8, 0x3f5b2cad, 0x38e60160, 0x637641d8, 0x33352a42, 0x51a22c19, 0x085c5851,
    0x032917ab, 0x2b770ac7, 0x30ac77b3, 0x2bec1907, 0x035202d0, 0x0fa933d3, 0x61255df3, 0x22ad06bf, 0x58b86971, 0x5fca0de5, 0x700d6456, 0x56a973db, 0x5ab759fd, 0x330e0be2, 0x5b3c0ddd, 0x495d3c60,
    0x53bd59a6, 0x4c5e6d91, 0x49d9318d, 0x103d5079, 0x61ce42e3, 0x7ed5121d, 0x14e160ed, 0x212d4ef2, 0x270133f0, 0x62435a96, 0x1fa75e8b, 0x6f092fbe, 0x4a000d49, 0x57ae1c70, 0x004e2477, 0x561e7e72,
    0x468c0033, 0x5dcc2402, 0x78507ac6, 0x58af24c7, 0x0df62d34, 0x358a4708, 0x3cfb1e11, 0x2b71451c, 0x77a75295, 0x56890721, 0x0fef75f3, 0x120f24f1, 0x01990ae7, 0x339c4452, 0x27a15b8e, 0x0ba7276d,
    0x60dc1b7b, 0x4f4b7f82, 0x67db7007, 0x4f4a57d9, 0x621252e8, 0x20532cfc, 0x6a390306, 0x18800423, 0x19f3778a, 0x462316f0, 0x56ae0937, 0x43c2675c, 0x65ca45fd, 0x0d604ff2, 0x0bfd22cb, 0x3afe643b,
    0x3bf67fa6, 0x44623579, 0x184031f8, 0x32174f97, 0x4c6a092a, 0x5fb50261, 0x01650174, 0x33634af1, 0x712d18f4, 0x6e997169, 0x5dab7afe, 0x7c2b2ee8, 0x6edb75b4, 0x5f836fb6, 0x3c2a6dd6, 0x292d05c2,
    0x052244db, 0x149a5f4f, 0x5d486540, 0x331d15ea, 0x4f456920, 0x483a699f, 0x3b450f05, 0x3b207c6c, 0x749d70fe, 0x417461f6, 0x62b031f1, 0x2750577b, 0x29131533, 0x588c3808, 0x1aef3456, 0x0f3c00ec,
    0x7da74742, 0x4b797a6c, 0x5ebb3287, 0x786558b8, 0x00ed4ff2, 0x6269691e, 0x24a2255f, 0x62c11f7e, 0x2f8a7dcd, 0x643b17fe, 0x778318b8, 0x253b60fe, 0x34bb63a3, 0x5b03214f, 0x5f1571f4, 0x1a316e9f,
    0x7acf2704, 0x28896838, 0x18614677, 0x1bf569eb, 0x0ba85ec9, 0x6aca6b46, 0x1e43422a, 0x514d5f0e, 0x413e018c, 0x307626e9, 0x01ed1dfa, 0x49f46f5a, 0x461b642b, 0x7d7007f2, 0x13652657, 0x6b160bc5,
    0x65e04849, 0x1f526e1c, 0x5a0251b6, 0x2bd73f69, 0x2dbf7acd, 0x51e63e80, 0x5cf2670f, 0x21cd0a03, 0x5cff0261, 0x33ae061e, 0x3bb6345f, 0x5d814a75, 0x257b5df4, 0x0a5c2c5b, 0x16a45527, 0x16f23945
};
注册机完成
#include <stdio.h>
#include <windows.h>
#include <time.h>
/* 256 DWORD entries (16 rows of 16) dumped from the target at 00A04AD8;
 * this is the dword_A04AD8 table of the decompiled routine, used by EnCode
 * below.  EnCode reduces every index to 8 bits, so 256 entries cover all
 * accesses.  Copied as-is; no value was altered. */
DWORD dwBuff[] =
{
    0x39cb44b8, 0x23754f67, 0x5f017211, 0x3ebb24da, 0x351707c6, 0x63f9774b, 0x17827288, 0x0fe74821, 0x5b5f670f, 0x48315ae8, 0x785b7769, 0x2b7a1547, 0x38d11292, 0x42a11b32, 0x35332244, 0x77437b60,
    0x1eab3b10, 0x53810000, 0x1d0212ae, 0x6f0377a8, 0x43c03092, 0x2d3c0a8e, 0x62950cbf, 0x30f06ffa, 0x34f710e0, 0x28f417fb, 0x350d2f95, 0x5a361d5a, 0x15cc060b, 0x0afd13cc, 0x28603bcf, 0x3371066b,
    0x30cd14e4, 0x175d3a67, 0x6dd66a13, 0x2d3409f9, 0x581e7b82, 0x76526b99, 0x5c8d5188, 0x2c857971, 0x15f51fc0, 0x68cc0d11, 0x49f55e5c, 0x275e4364, 0x2d1e0dbc, 0x4cee7ce3, 0x32555840, 0x112e2e08,
    0x6978065a, 0x72921406, 0x314578e7, 0x175621b7, 0x40771dbf, 0x3fc238d6, 0x4a31128a, 0x2dad036e, 0x41a069d6, 0x25400192, 0x00dd4667, 0x6afc1f4f, 0x571040ce, 0x62fe66df, 0x41db4b3e, 0x3582231f,
    0x55f6079a, 0x1ca70644, 0x1b1643d2, 0x3f7228c9, 0x5f141070, 0x3e1474ab, 0x444b256e, 0x537050d9, 0x0f42094b, 0x2fd820e6, 0x778b2e5e, 0x71176d02, 0x7fea7a69, 0x5bb54628, 0x19ba6c71, 0x39763a99,
    0x178d54cd, 0x01246e88, 0x3313537e, 0x2b8e2d17, 0x2a3d10be, 0x59d10582, 0x37a163db, 0x30d6489a, 0x6a215c46, 0x0e1c7a76, 0x1fc760e7, 0x79b80c65, 0x27f459b4, 0x799a7326, 0x50ba1782, 0x2a116d5c,
    0x63866e1b, 0x3f920e3c, 0x55023490, 0x55b56089, 0x2c391fd1, 0x2f8035c2, 0x64fd2b7a, 0x4ce8759a, 0x518504f0, 0x799501a8, 0x3f5b2cad, 0x38e60160, 0x637641d8, 0x33352a42, 0x51a22c19, 0x085c5851,
    0x032917ab, 0x2b770ac7, 0x30ac77b3, 0x2bec1907, 0x035202d0, 0x0fa933d3, 0x61255df3, 0x22ad06bf, 0x58b86971, 0x5fca0de5, 0x700d6456, 0x56a973db, 0x5ab759fd, 0x330e0be2, 0x5b3c0ddd, 0x495d3c60,
    0x53bd59a6, 0x4c5e6d91, 0x49d9318d, 0x103d5079, 0x61ce42e3, 0x7ed5121d, 0x14e160ed, 0x212d4ef2, 0x270133f0, 0x62435a96, 0x1fa75e8b, 0x6f092fbe, 0x4a000d49, 0x57ae1c70, 0x004e2477, 0x561e7e72,
    0x468c0033, 0x5dcc2402, 0x78507ac6, 0x58af24c7, 0x0df62d34, 0x358a4708, 0x3cfb1e11, 0x2b71451c, 0x77a75295, 0x56890721, 0x0fef75f3, 0x120f24f1, 0x01990ae7, 0x339c4452, 0x27a15b8e, 0x0ba7276d,
    0x60dc1b7b, 0x4f4b7f82, 0x67db7007, 0x4f4a57d9, 0x621252e8, 0x20532cfc, 0x6a390306, 0x18800423, 0x19f3778a, 0x462316f0, 0x56ae0937, 0x43c2675c, 0x65ca45fd, 0x0d604ff2, 0x0bfd22cb, 0x3afe643b,
    0x3bf67fa6, 0x44623579, 0x184031f8, 0x32174f97, 0x4c6a092a, 0x5fb50261, 0x01650174, 0x33634af1, 0x712d18f4, 0x6e997169, 0x5dab7afe, 0x7c2b2ee8, 0x6edb75b4, 0x5f836fb6, 0x3c2a6dd6, 0x292d05c2,
    0x052244db, 0x149a5f4f, 0x5d486540, 0x331d15ea, 0x4f456920, 0x483a699f, 0x3b450f05, 0x3b207c6c, 0x749d70fe, 0x417461f6, 0x62b031f1, 0x2750577b, 0x29131533, 0x588c3808, 0x1aef3456, 0x0f3c00ec,
    0x7da74742, 0x4b797a6c, 0x5ebb3287, 0x786558b8, 0x00ed4ff2, 0x6269691e, 0x24a2255f, 0x62c11f7e, 0x2f8a7dcd, 0x643b17fe, 0x778318b8, 0x253b60fe, 0x34bb63a3, 0x5b03214f, 0x5f1571f4, 0x1a316e9f,
    0x7acf2704, 0x28896838, 0x18614677, 0x1bf569eb, 0x0ba85ec9, 0x6aca6b46, 0x1e43422a, 0x514d5f0e, 0x413e018c, 0x307626e9, 0x01ed1dfa, 0x49f46f5a, 0x461b642b, 0x7d7007f2, 0x13652657, 0x6b160bc5,
    0x65e04849, 0x1f526e1c, 0x5a0251b6, 0x2bd73f69, 0x2dbf7acd, 0x51e63e80, 0x5cf2670f, 0x21cd0a03, 0x5cff0261, 0x33ae061e, 0x3bb6345f, 0x5d814a75, 0x257b5df4, 0x0a5c2c5b, 0x16a45527, 0x16f23945
};
/*
 * Port of the decompiled routine sub_6E4300: identical control flow, with
 * the table symbol renamed to dwBuff and the MSVC `__cdecl` dropped.
 *
 * Parameters, per the author's note: a1 is an ASCII string, a2 is passed
 * as 1, a3 as 0, and a4 is the quotient obtained from call 0040A245.
 * Returns the 32-bit accumulator built from one lookup pass per character
 * of a1; 0 for an empty string.
 *
 * NOTE(review): `unsigned __int8` is an MSVC type; this file targets
 * <windows.h>.  a1 must not be NULL.  Every table index is reduced to 8
 * bits before use, so the 256-entry dwBuff is not overrun.  Because
 * dwBuff is DWORD (unsigned), the products and sums wrap mod 2^32 without
 * signed-overflow UB; the results are then stored back into int locals.
 */
int EnCode(const char* a1, int a2, char a3, int a4)
{
    const char* v4; // edx
    int v5; // esi
    signed int v6; // edi
    signed int v7; // ebx
    int v8; // eax
    int v9; // ecx
    int v10; // edx
    int v11; // esi
    unsigned __int8 v12; // al
    int v13; // esi
    int v14; // eax
    int v16; // [esp+Ch] [ebp-18h]
    int v17; // [esp+10h] [ebp-14h]
    unsigned __int8 v18; // [esp+14h] [ebp-10h]
    unsigned __int8 v19; // [esp+18h] [ebp-Ch]
    unsigned __int8 v20; // [esp+1Ch] [ebp-8h]
    v4 = a1;
    v5 = 0;             // running accumulator, returned at the end
    v6 = strlen(a1);
    v7 = 0;             // character index
    if (v6 > 0)
    {
        v17 = 15 * a4;  // per-character counter seeded from a4, stepped by 13 each round
        v18 = 0;        // 8-bit counters: +7 and +19 per character; a2 selects which one is used
        v19 = 0;
        v20 = 17 * a3;  // 8-bit counter seeded from a3, +9 per character
        do
        {
            v8 = toupper((unsigned __int8)v4[v7]);  // case-insensitive: the upper-cased byte is the table index
            v16 = v20;
            v9 = v17;
            v17 = (unsigned __int8)v17;             // only the low byte of the counter is used as an index
            v10 = v5 + dwBuff[v8];
            if (a2)     // a2 picks the table offsets (+47/+13 vs +23/+63) and the counter (v19 vs v18)
            {
                v11 = dwBuff[(unsigned __int8)(v8 + 47)] * (v10 ^ dwBuff[(unsigned __int8)(v8 + 13)]);
                v12 = v19;
            }
            else
            {
                v11 = dwBuff[(unsigned __int8)(v8 + 23)] * (v10 ^ dwBuff[(unsigned __int8)(v8 + 63)]);
                v12 = v18;
            }
            v20 += 9;   // advance the 8-bit counters (they wrap mod 256)
            ++v7;
            v19 += 19;
            v18 += 7;
            v4 = a1;
            v13 = dwBuff[v12] + v11;
            v14 = v17;
            v17 = v9 + 13;
            v5 = dwBuff[v16] + dwBuff[v14] + v13;   // fold three more lookups into the accumulator
        } while (v7 < v6);
    }
    return v5;
}
/*
 * Builds a 10-byte key for the name "xuanci" from the constraints recovered
 * above: bytes 4..7 are the little-endian bytes of EnCode(name, 1, 0, nRet)
 * (the four cmp's at 006E5387..006E53B2), byte 3 is fixed at 0x9C, and
 * bytes 0, 1, 2 are drawn at random until the two local checks in the
 * comment block hold with the already fixed bytes 5, 6 and 7.  Prints the
 * buffer as hex and waits for Enter.
 *
 * NOTE(review): `byte`, `DWORD` and `true` are not standard C; this only
 * builds against <windows.h> (or as C++).  Both search loops spin until a
 * match is found.  rand() seeded from time() is not a cryptographic
 * generator; it is only used to pick candidates here.
 */
int main()
{
    /*
    Check: (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF != 0
    Check: eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF != 0
    Check: eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF < 0x3E8
    Known: K[3] == 0x9C / 0xFC / 0xAC
    */
    DWORD nRet = 0x3E8; // 0 - 0x3E8: the a4 argument to EnCode, and the quotient the second loop must reproduce
    byte bKey[10] = { 0 };  /* bytes 8 and 9 are never assigned and print as 00 */
    bKey[3] = 0x9C;         /* byte 3: the switch at 006E522C accepts 0x9C / 0xFC / 0xAC */
    DWORD dwRet = EnCode("xuanci", 1, 0, nRet);
    /* split the 32-bit result into bytes 4..7, low byte first */
    bKey[4] = dwRet & 0xFF;
    bKey[5] = dwRet >> 0x8 & 0xFF;
    bKey[6] = dwRet >> 0x10 & 0xFF;
    bKey[7] = dwRet >> 0x18 & 0xFF;
    srand(time(NULL));      /* wall-clock seed: every run yields a different candidate */
    while (true)
    {
        byte k0 = rand() % 0xFF;    /* rand() % 0xFF gives 0..0xFE; 0xFF is never drawn */
        /* byte 6 is already fixed by dwRet, so only k0 is searched.  C precedence:
         * `+` binds tighter than `^`, so this is (k0 ^ bKey[6]) ^ (0x18 + 0x3D) ^ 0xA7;
         * whether the target's helper (call 00405BB4, not shown) groups it the same
         * way cannot be confirmed from this page.  The test applied is only `!= 0`. */
        byte s1 = (((k0 ^ bKey[6]) ^ 0x18 + 0x3D) ^ 0xA7) & 0xFF;
        if (s1 != 0)
        {
            // K0 found (K6 came from dwRet)
            bKey[0] = k0;
            break;
        }
    }
    while (true)
    {
        byte k1 = rand() % 0xFF;
        byte k2 = rand() % 0xFF;
        /* 16-bit value ((k1^bKey[7]) << 8) | (k2^bKey[5]), then the xor/add/xor mix
         * from the comment at 006E5265, truncated to 16 bits */
        DWORD s1 = (((((((k1 ^ bKey[7]) & 0xFF) * 0x100) + ((k2 ^ bKey[5]) & 0xFF) & 0xFFFF) ^ 0x7892) + 0x4D30) ^ 0x3421) & 0xFFFF;
        /* the /0xB helper returns 0 on a non-zero remainder; the quotient must
         * equal nRet because the same value was fed to EnCode as a4 */
        if ((s1 % 0xB) == 0 && (s1 / 0xB) == nRet)
        {
            bKey[1] = k1;
            bKey[2] = k2;
            break;
        }
    }
    for (int i = 0; i < 10; i++)
    {
        printf("%02X", bKey[i]);    /* byte promotes to int; values are 0..255 */
    }
    getchar();  /* keep the console window open */
    return 0;
}
Key:B4812E9C62157C280000
测试下
OK 完毕 剩下的就是上面说的网络验证 直接爆破下就好了