[看雪CTF2016]第二十九题分析
发表于: 2016-12-28 16:51 3381

sn的sum必须是566h/79Ah/86Bh/5D5h/325h才不会弹错误提示
; First dispatch on the serial's byte sum (arg_0).  Exactly five values are
; accepted, each routed to its own handler; 5D5h and 325h share sub_401DE2.
; Anything else reaches locret_401B9D without calling a handler (the error
; prompt mentioned above is presumably raised by the caller).
.text:00401B33                 cmp     [ebp+arg_0], 566h    ; sum == 566h ?
.text:00401B3A                 jnz     short loc_401B43
.text:00401B3C                 call    sub_401DA0
.text:00401B41                 jmp     short locret_401B9D
.text:00401B43                 cmp     [ebp+arg_0], 79Ah    ; sum == 79Ah ?
.text:00401B4A                 jnz     short loc_401B53
.text:00401B4C                 call    sub_401DC1
.text:00401B51                 jmp     short locret_401B9D
.text:00401B53                 cmp     [ebp+arg_0], 86Bh    ; sum == 86Bh ?
.text:00401B5A                 jnz     short loc_401B63
.text:00401B5C                 call    sub_401E16
.text:00401B61                 jmp     short locret_401B9D
.text:00401B63                 cmp     [ebp+arg_0], 5D5h    ; sum == 5D5h ?
.text:00401B6A                 jnz     short loc_401B73
.text:00401B6C                 call    sub_401DE2
.text:00401B71                 jmp     short locret_401B9D
.text:00401B73                 cmp     [ebp+arg_0], 325h    ; sum == 325h ? (the only value also in the second sum check)
.text:00401B7A                 jnz     short loc_401B83
.text:00401B7C                 call    sub_401DE2           ; same handler as the 5D5h case
.text:00401B81                 jmp     short locret_401B9D


sn的长度为8位
// Key derivation in C: the 8 serial bytes are each XORed with 0x66 and
// stored back to back as two dwords, which the listing below reads as
// _k1 (= v[0]) and _k2 (= v[1]).
DWORD v[2];
PBYTE buf=(PBYTE)v;
for(int i = 0; i < 8; i++)
{
        buf[i] = sn[i] ^ 0x66;      // xor_key[i] = sn[i] ^ 0x66
}
; Read the serial from dialog control 3E9h into var_100 (100h bytes), then
; derive the 8-byte XOR key and the raw byte sum in one pass.  The API address
; is rebuilt from two 16-bit halves stored at stub+7 (high) and stub+9 (low);
; the decrypted payload further down uses the same trick for its own call.
.text:0040172B                 mov     eax, offset st_GetDlgItemTextA
.text:00401730                 mov     bx, [eax+7]          ; high 16 bits of the API address
.text:00401734                 shl     ebx, 10h
.text:00401737                 add     bx, [eax+9]          ; low 16 bits -> ebx = GetDlgItemTextA
.text:0040173B                 push    100h                 ; cchMax
.text:00401740                 lea     eax, [ebp+var_100]
.text:00401746                 push    eax                  ; lpString = var_100
.text:00401747                 push    3E9h                 ; nIDDlgItem
.text:0040174C                 push    hWnd
.text:00401752                 call    ebx                  ; GetDlgItemTextA(hWnd, 3E9h, var_100, 100h)
.text:00401754                 xor     edx, edx             ; edx = running byte sum
.text:00401756                 xor     ecx, ecx             ; clear ecx so the cl loads below act as zero-extends
.text:00401758                 lea     eax, [ebp+var_100]   ; eax -> sn
.text:0040175E                 lea     esi, xor_key         ; esi -> 8-byte key output
.text:00401764                 mov     cl, [eax]
.text:00401766                 mov     ebx, 8               ; exactly 8 bytes are processed
.text:0040176B                 jmp     short loc_401779
.text:0040176D                 add     edx, ecx             ; sum += raw byte (taken BEFORE the XOR)
.text:0040176F                 xor     cl, 66h
.text:00401772                 mov     [esi], cl            ; xor_key[i] = sn[i] ^ 66h
.text:00401774                 inc     esi
.text:00401775                 inc     eax
.text:00401776                 dec     ebx
.text:00401777                 mov     cl, [eax]
.text:00401779                 cmp     ebx, 0
.text:0040177C                 ja      short loc_40176D     ; 8 iterations, no NUL check inside the loop
.text:0040177E                 or      cl, cl               ; cl = sn[8]
.text:00401780                 jz      short loc_401787     ; NUL at index 8 -> length is exactly 8 (presumably the accept path)


sn的sum必须是353h/325h/29Bh/363h；与上一组(566h/79Ah/86Bh/5D5h/325h)取交集, 得到sum(sn)=0x325
; Second check on the byte sum (edx): each accepted value loads a selector
; into ebx; what ebx selects at loc_4017D3 is outside this listing.
.text:0040178D                 cmp     edx, 353h            ; sum == 353h -> ebx = 0Ch
.text:00401793                 jnz     short loc_40179C
.text:00401795                 mov     ebx, 0Ch
.text:0040179A                 jmp     short loc_4017D3
.text:0040179C                 cmp     edx, 325h            ; sum == 325h -> ebx = 4
.text:004017A2                 jnz     short loc_4017AB
.text:004017A4                 mov     ebx, 4
.text:004017A9                 jmp     short loc_4017D3
.text:004017AB                 cmp     edx, 29Bh            ; sum == 29Bh -> ebx = 8
.text:004017B1                 jnz     short loc_4017BA
.text:004017B3                 mov     ebx, 8
.text:004017B8                 jmp     short loc_4017D3
.text:004017BA                 cmp     edx, 363h            ; sum == 363h -> handled past this listing
.text:004017C0                 jnz     short loc_4017C9


v[0]+v[1]==0x32113442时, 解密40331D处的代码并执行
; Key check: the two key dwords (xor_key[0..3] and xor_key[4..7]) must add
; up to 32113442h before the payload is decrypted.
.text:004018B6                 lea     ecx, unk_40331D      ; ecx -> encrypted payload in .data
.text:004018BC                 mov     esi, eax             ; esi = destination buffer (eax set before this listing); later the call target
.text:004018BE                 lea     ebx, xor_key
.text:004018C4                 mov     edx, [ebx]
.text:004018C6                 mov     [ebp+_k1], edx       ; _k1 = xor_key[0..3]
.text:004018C9                 add     ebx, 4
.text:004018CC                 mov     edx, [ebx]
.text:004018CE                 mov     [ebp+_k2], edx       ; _k2 = xor_key[4..7]
.text:004018D1                 add     edx, [ebp+_k1]
.text:004018D4                 cmp     edx, 32113442h       ; _k1 + _k2 == 32113442h ?
.text:004018DA                 jz      short loc_4018E1     ; match -> decrypt-and-run path

; Decrypt 10 dwords (40 bytes) of unk_40331D into the buffer at eax and
; execute the result: out = (in + _k2) ^ _k1.  The destination must be
; executable for call esi to succeed; how it was allocated is not shown here.
.text:004018E5                 mov     ebx, 0Ah             ; 10 dwords = 40 bytes
.text:004018EA                 jmp     short loc_4018FD
.text:004018EC                 mov     edx, [ecx]           ; ciphertext dword
.text:004018EE                 add     edx, [ebp+_k2]
.text:004018F1                 xor     edx, [ebp+_k1]
.text:004018F4                 mov     [eax], edx           ; plaintext dword
.text:004018F6                 add     ecx, 4
.text:004018F9                 add     eax, 4
.text:004018FC                 dec     ebx
.text:004018FD                 cmp     ebx, 0
.text:00401900                 ja      short loc_4018EC
.text:00401902                 call    esi                  ; run the decrypted code (esi = buffer start saved earlier)


计算sn:
先找出所有符合条件的sn, 并反汇编各自解密出的代码,
由于提示信息为"Good", 在反汇编结果中搜索其地址4032B5即可得到正确的sn
.data:004032B5 aGood           db 'Good!',0

KAhuskey
	; Decrypted 40-byte payload for sn = "KAhuskey" (computed: byte sum 325h,
	; key dwords 130E272Dh + 1F030D15h = 32113442h).  The API address is rebuilt
	; from two 16-bit halves at 403b19h+7 / +9 exactly as the caller did for
	; GetDlgItemTextA, then called with (0, 4032b5h, 4032b5h, 0) where 4032b5h
	; is the "Good!" string -- presumably a MessageBoxA(0, "Good!", "Good!", 0).
	push ebx
	mov eax, 0x403b19
	mov bx, [eax+0x7]        ; high 16 bits of the API address
	shl ebx, 0x10
	add bx, [eax+0x9]        ; low 16 bits
	push 0x0
	push 0x4032b5            ; -> aGood
	push 0x4032b5            ; -> aGood
	push 0x0
	call ebx
	pop ebx
	ret
	mov eax, 0x403b19        ; unreachable: pads the buffer to exactly 40 bytes after ret


#include "udis86.h"
/*
 * Brute-force the 8-character serial accepted by the target.
 *
 * The target XORs each serial byte with 0x66 and treats the result as two
 * dwords key[0], key[1]; it requires key[0] + key[1] == 0x32113442 and the
 * raw (pre-XOR) byte sum to be 0x325.  We enumerate key[0] byte by byte,
 * derive key[1] from the dword-sum target, undo the XOR, keep only
 * all-alphanumeric serials with the right sum, decrypt the 40-byte payload
 * with that key, and print the serial followed by the udis86 disassembly of
 * the payload.  The candidate whose disassembly references the "Good!"
 * string is the answer.
 *
 * The per-byte search bounds are the author's pruning heuristics (the top
 * byte cannot exceed 0x32 given the dword-sum target); the search is not
 * shown to be exhaustive.  Byte order assumes a little-endian host, matching
 * the 32-bit x86 target.  Output goes to stdout; nothing is returned.
 */
void test2()
{
	for (int k1 = 0; k1 < 0x33; k1++) {
		for (int k2 = 0; k2 < 0x12; k2++) {
			for (int k3 = 0; k3 < 0x35; k3++) {
				for (int k4 = 0; k4 < 0x43; k4++) {
					/* key[0] holds bytes k4,k3,k2,k1 in memory; key[1] is forced by the sum check. */
					DWORD key[2];
					key[0] = ((DWORD)k1 << 24) | ((DWORD)k2 << 16) | ((DWORD)k3 << 8) | (DWORD)k4;
					key[1] = 0x32113442 - key[0];

					/* Undo the XOR on a copy to recover the serial bytes. */
					DWORD serial_words[2] = { key[0], key[1] };
					PBYTE serial = (PBYTE)serial_words;
					DWORD sum = 0;
					DWORD n;
					for (n = 0; n < 8; n++) {
						serial[n] ^= 0x66;
						if (!isalnum(serial[n]))
							break;          /* non-alphanumeric byte: reject this candidate */
						sum += serial[n];
					}
					if (n < 8)
						continue;
					if (sum != 0x325)
						continue;

					/* Presumably the ciphertext at unk_40331D; decrypted as (c + key[1]) ^ key[0]. */
					DWORD payload[10 + 1] = {
						0x09149269, 0x79651A58, 0xD1CC1360, 0x2C0A3428,
						0x5C0B400F, 0xF44B0883, 0x34398530, 0xCD0B4018,
						0x8CCA6FE9, 0xF44B0F1F, 0
					};
					for (n = 0; n < 10; n++)
						payload[n] = key[0] ^ (payload[n] + key[1]);

					for (n = 0; n < 8; n++)
						printf("%c", serial[n]);
					printf("\n");

					/* Disassemble the 40 decrypted bytes as 32-bit Intel-syntax code. */
					ud_t u;
					ud_init(&u);
					ud_set_input_buffer(&u, (PBYTE)payload, 40);
					ud_set_mode(&u, 32);
					ud_set_syntax(&u, UD_SYN_INTEL);
					while (ud_disassemble(&u))
						printf("\t%s\n", ud_insn_asm(&u));
					printf("\n");
				}
			}
		}
	}
}
