这种应该是计算CRC（0xEDB88320），从而定位库函数位置

然后是字符串，对于每个signed char转为signed int，xor 996，取低8位就是结果

先写个脚本干，万一直接存在字符串里了呢

不在

有一个看起来像字符串的，异或值是1289，结果是Cabinet.Decompress

先看看起了哪些线程吧

这个线程里又起了

v3906 = *(_DWORD *)(***(_DWORD ***)(*(_DWORD *)(*(_DWORD *)(__readfsdword(0x18u) + 48) + 12) + 12) + 24);究竟是个啥？

8e7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6W2L8W2)9J5k6i4N6A6K9$3W2H3k6h3c8A6j5g2)9J5k6h3!0J5k6#2)9J5c8Y4N6A6K9$3W2Q4x3V1k6i4K9h3^5K6x3W2)9#2k6W2c8Z5M7X3g2S2k6q4)9#2k6V1W2F1k6X3!0J5L8h3q4@1K9h3!0F1i4K6g2X3b7X3I4G2j5$3D9`.

17eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2$3k6i4u0Y4K9h3I4A6N6i4y4H3M7X3!0B7k6h3y4@1i4K6u0W2j5$3!0E0i4K6u0r3K9$3g2J5L8X3g2D9M7#2)9J5c8Y4R3$3y4q4)9J5c8W2N6A6L8X3c8G2N6%4y4Q4x3U0f1J5x3o6p5H3i4K6t1#2x3U0m8Q4x3U0f1%4b7#2)9J5y4e0t1H3x3U0l9I4y4W2)9J5c8U0p5^5x3o6W2Q4x3U0f1J5x3q4u0W2k6s2y4@1L8$3&6W2i4K6t1#2x3U0l9#2i4K6t1#2x3U0m8Q4x3U0S2a6j5%4c8G2j5X3g2J5i4K6t1#2x3U0m8g2M7r3c8S2N6r3g2Q4x3U0W2Q4x3V1k6Q4y4h3k6b7c8f1t1`.

cedK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2Y4k6h3!0X3k6X3y4Z5j5i4m8H3k6h3I4D9i4K6u0W2j5$3!0E0i4K6u0r3M7%4c8#2k6r3W2W2M7#2)9J5c8Y4N6A6L8X3c8G2N6%4y4Q4x3V1k6%4K9h3^5K6x3W2)9J5c8X3&6@1k6r3I4D9i4K6u0r3M7%4c8J5N6h3y4@1M7#2)9J5c8Y4m8W2j5W2)9J5c8X3W2F1k6r3g2^5i4K6u0W2K9s2c8E0

6bfK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2Y4k6h3!0X3k6X3y4Z5j5i4m8H3k6h3I4D9i4K6u0W2j5$3!0E0i4K6u0r3M7%4c8#2k6r3W2W2M7#2)9J5c8Y4N6A6L8X3c8G2N6%4y4Q4x3V1k6%4K9h3^5K6x3W2)9J5c8X3&6@1k6r3I4D9i4K6u0r3M7%4c8J5N6h3y4@1M7#2)9J5c8Y4m8W2j5W2)9#2k6X3I4V1M7W2)9#2k6X3c8S2N6r3q4Q4x3X3g2Z5N6r3@1`.

a51K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2Y4k6h3!0X3k6X3y4Z5j5i4m8H3k6h3I4D9i4K6u0W2j5$3!0E0i4K6u0r3M7%4c8#2k6r3W2W2M7#2)9J5c8Y4N6A6L8X3c8G2N6%4y4Q4x3V1k6%4K9h3^5K6x3W2)9J5c8X3&6@1k6r3I4D9i4K6u0r3M7%4c8J5N6h3y4@1M7#2)9J5c8X3I4V1M7W2)9#2k6X3c8S2N6r3q4Q4y4h3k6@1j5h3u0D9k6g2)9#2k6X3g2F1N6s2u0&6i4K6u0W2K9s2c8E0

52eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2$3k6i4u0Y4K9h3I4A6N6i4y4H3M7X3!0B7k6h3y4@1i4K6u0W2j5$3!0E0i4K6u0r3K9$3g2J5L8X3g2D9M7#2)9J5c8Y4R3^5y4W2)9J5c8W2N6A6L8X3c8G2N6%4y4Q4x3U0f1J5x3o6p5H3i4K6u0r3x3U0l9H3z5g2)9J5y4e0t1H3x3U0m8t1x3W2)9J5y4e0t1H3i4K6t1^5e0$3y4@1L8$3u0W2M7W2)9J5y4e0t1H3x3U0l9J5x3q4)9J5y4e0t1H3g2i4m8V1j5i4c8W2i4K6t1&6i4K6u0r3i4K6g2X3f1p5g2n7i4K6g2X3e0p5c8d9i4K6g2X3c8p5q4f1b7b7`.`.

646K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2$3k6i4u0Y4K9h3I4A6N6i4y4H3M7X3!0B7k6h3y4@1i4K6u0W2j5$3!0E0i4K6u0r3K9$3g2J5L8X3g2D9M7#2)9J5c8Y4R3^5y4W2)9J5c8W2N6A6L8X3c8G2N6%4y4Q4x3U0f1J5x3o6p5H3i4K6u0r3x3U0l9H3z5g2)9J5y4e0t1H3x3U0m8t1x3W2)9J5y4e0t1H3i4K6t1^5e0$3y4@1L8$3u0W2M7W2)9J5y4e0t1H3x3U0l9J5x3q4)9J5y4e0t1H3g2i4m8V1j5i4c8W2i4K6t1&6i4K6u0r3i4K6g2X3d9f1#2m8c8@1g2Q4y4h3k6p5e0#2y4Q4y4h3k6t1c8f1q4p5c8g2t1`.

TEB->PEB->PEB_LDR_DATA->InLoadOrderModuleList.Flink->InLoadOrderModuleList.Flink->DllBase(_IMAGE_DOS_HEADER)

想复杂了？直接调试解压的代码，搜字符串看到Correct，定位到C712B0

可以看出因为是内存快照，直接找到字符了。下面找到了输入

只有0123456789ABCDEF有效，按输入字符转为对应0-15。然后是两个字符合并成一个hex byte

后面是每两个hex byte转为两字节word，和两个数作比较

rand进去是这个，搜了一下才知道是伪随机数算法

那么那个0x18的偏移就是srand了

那么算法就是和pos_idx生成rand相等就写入idx，neg_idx生成的rand相等就跳过，相当于可以写入0-89到一个数组里，

进去看了一眼get_something

怎么还有纤程，不过看样子不重要。往下看，输入大于12个word

对作差有要求

后面就是关键算法

要求两两作差的绝对值值互不相等，不会爆破，找了算法队友求解了

解得

构造序列号

解（话说86-89也可以填充和neg_idx的rand数，不算多解？）

参考文献

5c8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3c8S2N6r3q4Y4k6h3&6W2N6r3W2U0M7#2)9J5k6h3y4G2L8g2)9J5c8X3u0D9L8$3N6Q4x3V1k6X3k6h3u0J5N6h3q4J5P5e0t1J5x3o6p5K6i4K6u0r3

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课