Loading... 附件+OD分析的UDD: 链接:https://pan.baidu.com/s/1_oFsCQ7JDruRbLqVN8xJpA 提取码:8je9 <a href="#OVER" id='index' target="_self">点击到代码</a> # 目标 主要分析算法部分。因此这里不再阐述如何找到这个算法,直接上代码。 ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205144959535.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) # 大致概况 ``先大致概括一下`` 在核心部分有两个CALL,但是第二个CALL内部会调用上面的一个CALL,所以直接分析第二个CALL即可。 ![在这里插入图片描述](https://img-blog.csdnimg.cn/2020120514345983.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) 进入到第二个CALL里面,可以看到里面确实CALL 0015A826 这个地址 ,如果返回值EAX=0X2D 这个函数就会返回 0015A826->00159C9B <a id="index00159C9B" href="#00159C9B" target="_self">跳转到 call 010Edito.013483C8</a> ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205143622670.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) ```成功的话就会跳转到 : 0110E5AF这个地址``` ``` 0110E506 /0F84 A3000000 je 010Edito.0110E5AF ``` ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205144001323.png) ``而在重要部分,关键跳。就是判断返回值是否为0xDB`` ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205144150832.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) 大致流程图 ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205160200612.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) # 进入主逻辑CALL ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205093903449.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205102749374.png) ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205102807228.png) ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205102825250.png) ``PS:输入的KEY:11 22 33 44 55 66 77 88 99 AA`` ``[ebp-0x24] = K[0] =11`` ``[ebp-0x23] = K[1] =22`` ``[ebp-0x22] = K[2] =33`` ``[ebp-0x21] = K[3] =44`` ``[ebp-0x20] = K[4] =55`` ``[ebp-0x1F] = K[5] =66`` ``[ebp-0x1E] = K[6] =77`` ``[ebp-0x1D] = K[7] =88`` ``[ebp-0x1C] = K[8] =99`` ``[ebp-0x1B] = K[9] =AA`` ``在图片中可以看到会比较三个值,K【3】= 0x9C,0xFC,0xAC`` ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205150328981.png) 代码如下显示 ```asciiarmor 022FDC5D 8A5D DF mov bl,byte ptr ss:[ebp-0x21] ; bl = k[3] 022FDC60 8A7D E1 mov bh,byte ptr ss:[ebp-0x1F] ; bh = k[5] 022FDC63 80FB 9C cmp bl,0x9C ; k[3]==0x9C 022FDC66 75 70 jnz short 010Edito.022FDCD8 ; 不等就继续比较 022FDCD8 80FB FC cmp bl,0xFC ;在这里有与0XFC 进行比较 022FDCDB 75 1F jnz short 010Edito.022FDCFC ;不相等继续跳转然后比较 如果不相等就跳向下面这个与AC 进行比较 022FDCFC 80FB AC cmp bl,0xAC ;不相等跳转比较 022FDCFF 0F85 70010000 jnz 010Edito.022FDE75 ``` 接下来继续看 ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205103042356.png) ```armor 022FDC68 8A45 DC mov al,byte ptr ss:[ebp-0x24] ; ebp-0x24 = k[0] = 11 022FDC6B 3245 E2 xor al,byte ptr ss:[ebp-0x1E] ; k[0]^k[6] | k6 = 0x0015A246 022FDC6E 8845 E8 mov byte ptr ss:[ebp-0x18],al ; 将一个字节移入一个变量? 022FDC71 8A45 DD mov al,byte ptr ss:[ebp-0x23] ; al=k[1] 022FDC74 3245 E3 xor al,byte ptr ss:[ebp-0x1D] ; k[1]^k[7] 022FDC77 FF75 E8 push dword ptr ss:[ebp-0x18] ; 将局部变量DWORDpush 入栈 022FDC7A 0FB6C8 movzx ecx,al ; (k[1]^k[7])&0xff 022FDC7D B8 00010000 mov eax,0x100 ; eax = 0x100 022FDC82 66:0FAFC8 imul cx,ax ; ((k[1]^k[7])&0xff)*0x100 022FDC86 8A45 DE mov al,byte ptr ss:[ebp-0x22] ; AL = K[2] |注意EAX 100 al只会用到 00 所以出现的是133 所幸后面所用的都是第二位,不会用到1 022FDC89 32C7 xor al,bh ; k[2]^k[5] 022FDC8B 0FB6C0 movzx eax,al ; (k[2]^k[5])&0xFF 022FDC8E 66:03C8 add cx,ax ; ((k[1]^k[7])&0xff)*0x100+(k[2]^k[5])&0xFF 022FDC91 0FB7F1 movzx esi,cx ; (((k[1]^k[7])&0xff)*0x100+(k[2]^k[5])&0xFF)&0xFFFF ``` <a id="index01347644" href="#01347644" target="_self">跳转到 call 010Edito.01347644</a> ```armor 在这里调用到了一个call 022FDC94 E8 AB9904FF call 010Edito.01347644 022FDC99 0FB6C0 movzx eax,al ; EAX = (((k[0]^k[6]^0x18)+0x3D)^0xA7)&0xff 022FDC9C 56 push esi 022FDC9D 8947 1C mov dword ptr ds:[edi+0x1C],eax 022FDCA0 E8 23A704FF call 010Edito.013483C8 ;(((EAX^0x7892+0x4D30)^0x3421)&FFFF)/0xB |如果余数是0就返回eax 否则eax为0|0为失败 ``` <a id="index013483C8" href="#013483C8" target="_self">跳转到 call 010Edito.013483C8</a> ```armor 0110DCA5 8B4F 1C mov ecx,dword ptr ds:[edi+0x1C] ; ECX = (((k[0]^k[6]^0x18)+0x3D)^0xA7)&0xff 0110DCA8 83C4 08 add esp,0x8 0110DCAB 0FB7C0 movzx eax,ax ; ((((EAX^0x7892+0x4D30)^0x3421)&FFFF)/0xB)&0XFF 0110DCAE 8947 20 mov dword ptr ds:[edi+0x20],eax 0110DCB1 85C9 test ecx,ecx 0110DCB3 0F84 BC010000 je 010Edito.0110DE75 ; !=0 0110DCB9 85C0 test eax,eax 0110DCBB 0F84 B4010000 je 010Edito.0110DE75 ; !=0 0110DCC1 3D E8030000 cmp eax,0x3E8 0110DCC6 0F87 A9010000 ja 010Edito.0110DE75 ; EAX<=0x3E8 0110DCCC 83F9 02 cmp ecx,0x2 0110DCCF 1BF6 sbb esi,esi 0110DCD1 23F1 and esi,ecx 0110DCD3 E9 B3000000 jmp 010Edito.0110DD8B ; 一路成功在这跳转到下个验证, ``` ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205133456877.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) 如果上面都成功的情况下会跳向 0110DDD8B这个地址 ```armor 0110DD8B 8D45 EC lea eax,dword ptr ss:[ebp-0x14] 0110DD8E 50 push eax 0110DD8F 8D4F 04 lea ecx,dword ptr ds:[edi+0x4] ; ecx 中存有输入的用户名,激活码等信息 0110DD92 FF15 782BBC02 call dword ptr ds:[<&Qt5Core.QSt>; Qt5Core.QString::toUtf8 0110DD98 FF77 20 push dword ptr ds:[edi+0x20] 0110DD9B 33C0 xor eax,eax 0110DD9D C745 FC 00000000 mov dword ptr ss:[ebp-0x4],0x0 0110DDA4 80FB FC cmp bl,0xFC 0110DDA7 8D4D EC lea ecx,dword ptr ss:[ebp-0x14] 0110DDAA 56 push esi 0110DDAB 0f95c0 setne al 0110DDAE 50 push eax 0110DDAF FF15 8C24BC02 call dword ptr ds:[<&Qt5Core.QBy>; 返回值 EAX = 输入的名称 ``` <a id="index00152E50" href="#00152E50" target="_self">跳转到 call 010Edito.00152E50</a> ```armor //这个CALL直接丢IDA分析, 0110DDB5 50 push eax 0110DDB6 E8 955004FF call 010Edito.00152E50 ; 在这里应该对用户名进行某种计算的出值 0110DDBB 8BD0 mov edx,eax ;将算出的加密值,放入EDX中 0110DDBD 83C4 10 add esp,0x10 ;平衡堆栈 比较EDX 中底1个字节 一个字节 0110DDC0 3855 E0 cmp byte ptr ss:[ebp-0x20],dl ; k[4],return value&0xff 0110DDC3 0F85 81000000 jnz 010Edito.0110DE4A ECX = EDX 0110DDC9 8BCA mov ecx,edx //比较第二位,右移八位(去掉了第一个字节) 0110DDCB C1E9 08 shr ecx,0x8 ; ecx>>8 0110DDCE 3AF9 cmp bh,cl ; k[5],return value>>8&0xff 0110DDD0 75 78 jnz short 010Edito.0110DE4A //比较第三位,右移动十六位(去掉两字节) 0110DDD2 8BCA mov ecx,edx 0110DDD4 C1E9 10 shr ecx,0x10 ; ecx>>16 0110DDD7 384D E2 cmp byte ptr ss:[ebp-0x1E],cl ; k[6],result>>16&0xff 0110DDDA 75 6E jnz short 010Edito.0110DE4A //比较第四位,右移动18位(去掉三字节) 0110DDDC C1E8 18 shr eax,0x18 ; eax>>24 0110DDDF 3845 E3 cmp byte ptr ss:[ebp-0x1D],al ; k[7],result value>>24&0xff 0110DDE2 75 66 jnz short 010Edito.0110DE4A 0110DDE4 80FB 9C cmp bl,0x9C 0110DDE7 75 0F jnz short 010Edito.0110DDF8 0110DDE9 8B45 08 mov eax,dword ptr ss:[ebp+0x8] 0110DDEC 3B47 1C cmp eax,dword ptr ds:[edi+0x1C] 0110DDEF 76 52 jbe short 010Edito.0110DE43 ; 成功赋值的跳,成功会赋值2D ``` 中间代码省略 ```armor 0110DE43 BE 2D000000 mov esi,0x2D 0110DE48 EB 05 jmp short 010Edito.0110DE4F 0110DE4A BE E7000000 mov esi,0xE7 0110DE4F 8D4D EC lea ecx,dword ptr ss:[ebp-0x14] 0110DE52 C745 FC FFFFFFFF mov dword ptr ss:[ebp-0x4],-0x1 0110DE59 FF15 7C24BC02 call dword ptr ds:[<&Qt5Core.QByteArray::~QByteArr>; Qt5Core.QByteArray::~QByteArray 0110DE5F 8BC6 mov eax,esi 0110DE61 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC] 0110DE64 64:890D 00000000 mov dword ptr fs:[0],ecx ; 010Edito.00A89B1E 0110DE6B 59 pop ecx ; 0682B8B9 0110DE6C 5F pop edi ; 0682B8B9 0110DE6D 5E pop esi ; 0682B8B9 0110DE6E 5B pop ebx ; 0682B8B9 0110DE6F 8BE5 mov esp,ebp 0110DE71 5D pop ebp ; 0682B8B9 0110DE72 C2 0800 retn 0x8 ``` 上面这段代码返回2D那么就分析完毕 2D之后-》变更DB-》跳向成功 ### <h1 id="01347644">call 010Edito.01347644</h1> <a href="#index01347644" target="_self">点击返回</a> ``这块函数表示:((k[0]^k[6]^0x18)+0x3D)^0xA7`` ```armor 022FD0B0 55 push ebp 022FD0B1 8BEC mov ebp,esp 022FD0B3 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; k[0]^k[6] 022FD0B6 34 18 xor al,0x18 ; k[0]^k[6]^0x18 022FD0B8 04 3D add al,0x3D ; (k[0]^k[6]^0x18)+0x3D 022FD0BA 34 A7 xor al,0xA7 ; ((k[0]^k[6]^0x18)+0x3D)^0xA7 022FD0BC 5D pop ebp ; Qt5Widge.6928FA66 022FD0BD C3 retn ``` ### <h1 id="013483C8">call 010Edito.013483C8</h1> <a href="#index013483C8" target="_self">点击返回</a> ```armor 022FD020 55 push ebp 022FD021 8BEC mov ebp,esp 022FD023 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; 获取ESI 算出来的结果 022FD026 B9 0B000000 mov ecx,0xB 022FD02B 35 92780000 xor eax,0x7892 ; EAX^0x7892 022FD030 05 304D0000 add eax,0x4D30 ; EAX^0x7892+0x4D30 022FD035 35 21340000 xor eax,0x3421 ; (EAX^0x7892+0x4D30)^0x3421 022FD03A 0FB7C0 movzx eax,ax ; ((EAX^0x7892+0x4D30)^0x3421)&FFFF 022FD03D 99 cdq ; 清除EDX 022FD03E F7F9 idiv ecx ; (((EAX^0x7892+0x4D30)^0x3421)&FFFF)/0xB 022FD040 85D2 test edx,edx 022FD042 74 02 je short 010Edito.022FD046 ; 如果被整除就返回 eax 否则 清除eax 返回edx 022FD044 33C0 xor eax,eax ; 返回0 022FD046 5D pop ebp 022FD047 C3 retn ``` ### <h1 id="00159C9B">call 010Edito.00159C9B</h1> <a href="#index00159C9B" target="_self">点击返回</a> ```armor 0110E4E0 55 push ebp 0110E4E1 8BEC mov ebp,esp 0110E4E3 56 push esi 0110E4E4 8BF1 mov esi,ecx 0110E4E6 837E 2C 00 cmp dword ptr ds:[esi+0x2C],0x0 0110E4EA 74 0A je short 010Edito.0110E4F6 0110E4EC B8 13010000 mov eax,0x113 0110E4F1 5E pop esi ; 0682B851 0110E4F2 5D pop ebp ; 0682B851 0110E4F3 C2 0800 retn 0x8 0110E4F6 57 push edi 0110E4F7 FF75 0C push dword ptr ss:[ebp+0xC] 0110E4FA 8B7D 08 mov edi,dword ptr ss:[ebp+0x8] 0110E4FD 57 push edi 0110E4FE E8 23C304FF call 010Edito.0015A826 ; 在这里计算了 0110E503 83F8 2D cmp eax,0x2D ; 2D 就是成功 0110E506 0F84 A3000000 je 010Edito.0110E5AF ;-----跳转 0110E50C 83F8 4E cmp eax,0x4E 0110E50F 74 78 je short 010Edito.0110E589 0110E511 3D E7000000 cmp eax,0xE7 0110E516 74 66 je short 010Edito.0110E57E 0110E518 57 push edi 0110E519 8BCE mov ecx,esi 0110E51B E8 A34404FF call 010Edito.001529C3 0110E520 83F8 17 cmp eax,0x17 0110E523 74 4E je short 010Edito.0110E573 0110E525 83F8 2A cmp eax,0x2A 0110E528 74 28 je short 010Edito.0110E552 0110E52A 3D 38010000 cmp eax,0x138 0110E52F 75 4D jnz short 010Edito.0110E57E 0110E531 8BCE mov ecx,esi 0110E533 E8 FEBC04FF call 010Edito.0015A236 0110E538 3D A3010000 cmp eax,0x1A3 0110E53D B9 2F000000 mov ecx,0x2F 0110E542 BA F9000000 mov edx,0xF9 0110E547 0F44CA cmove ecx,edx 0110E54A 5F pop edi ; 0682B851 0110E54B 8BC1 mov eax,ecx 0110E54D 5E pop esi ; 0682B851 0110E54E 5D pop ebp ; 0682B851 0110E54F C2 0800 retn 0x8 0110E552 8BCE mov ecx,esi 0110E554 E8 DDBC04FF call 010Edito.0015A236 0110E559 3D A3010000 cmp eax,0x1A3 0110E55E B9 77010000 mov ecx,0x177 0110E563 BA F9000000 mov edx,0xF9 0110E568 0F44CA cmove ecx,edx 0110E56B 5F pop edi ; 0682B851 0110E56C 8BC1 mov eax,ecx 0110E56E 5E pop esi ; 0682B851 0110E56F 5D pop ebp ; 0682B851 0110E570 C2 0800 retn 0x8 0110E573 5F pop edi ; 0682B851 0110E574 B8 71000000 mov eax,0x71 0110E579 5E pop esi ; 0682B851 0110E57A 5D pop ebp ; 0682B851 0110E57B C2 0800 retn 0x8 0110E57E 5F pop edi ; 0682B851 0110E57F B8 77010000 mov eax,0x177 0110E584 5E pop esi ; 0682B851 0110E585 5D pop ebp ; 0682B851 0110E586 C2 0800 retn 0x8 0110E589 57 push edi 0110E58A 8BCE mov ecx,esi 0110E58C E8 324404FF call 010Edito.001529C3 0110E591 83F8 17 cmp eax,0x17 0110E594 74 0E je short 010Edito.0110E5A4 0110E596 5F pop edi ; 0682B851 0110E597 83F8 2A cmp eax,0x2A 0110E59A B8 ED000000 mov eax,0xED 0110E59F 5E pop esi ; 0682B851 0110E5A0 5D pop ebp ; 0682B851 0110E5A1 C2 0800 retn 0x8 0110E5A4 5F pop edi ; 0682B851 0110E5A5 B8 0C020000 mov eax,0x20C 0110E5AA 5E pop esi ; 0682B851 0110E5AB 5D pop ebp ; 0682B851 0110E5AC C2 0800 retn 0x8 0110E5AF 5F pop edi ; 0682B851 0110E5B0 B8 DB000000 mov eax,0xDB ; -------在这里复制了DB 0110E5B5 5E pop esi ; 0682B851 0110E5B6 5D pop ebp ; 0682B851 0110E5B7 C2 0800 retn 0x8 ``` ### <h1 id="00152E50">call 010Edito.00152E50</h1> <a href="#index00152E50" target="_self">点击返回</a> ![在这里插入图片描述](https://img-blog.csdnimg.cn/2020120516064592.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) ```cpp //这里用到了一个数组 //dword_2E64148 还需要提取出来 int __cdecl sub_13BD120(const char *a1, int a2, char a3, char a4) { const char *v4; // edx@1 signed int v5; // esi@1 signed int v6; // edi@1 unsigned __int8 v7; // bl@2 int v8; // eax@3 int v9; // ecx@3 int v10; // ecx@4 int result; // eax@4 int v12; // ecx@5 unsigned __int8 v13; // [sp+8h] [bp-10h]@2 unsigned __int8 v14; // [sp+Ch] [bp-Ch]@2 unsigned __int8 v15; // [sp+10h] [bp-8h]@2 int v16; // [sp+14h] [bp-4h]@1 v4 = a1; v16 = 0; v5 = strlen(a1); v6 = 0; if ( v5 <= 0 ) { result = 0; } else { v13 = 0; v14 = 0; v7 = 15 * a4; v15 = 17 * a3; do { v8 = toupper(v4[v6]); v9 = v16 + dword_2E64148[v8]; if ( a2 ) { v10 = dword_2E64148[v7] + dword_2E64148[v15] + dword_2E64148[(unsigned __int8)(v8 + 47)] * (dword_2E64148[(unsigned __int8)(v8 + 13)] ^ v9); result = dword_2E64148[v14] + v10; v16 = dword_2E64148[v14] + v10; } else { v12 = dword_2E64148[v7] + dword_2E64148[v15] + dword_2E64148[(unsigned __int8)(v8 + 23)] * (dword_2E64148[(unsigned __int8)(v8 + 63)] ^ v9); result = dword_2E64148[v13] + v12; v16 = dword_2E64148[v13] + v12; } v14 += 19; ++v6; v15 += 9; v7 += 13; v13 += 7; v4 = a1; } while ( v6 < v5 ); } return result; } ``` ## 代码编写 ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205162424105.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) 可以写一个循环来简单的判断这一段代码,发现每次运行CALL不太可能位0,而且后面也没有用到。直接第二个CALL开始编写 ```cpp byte K[10] = { 0x11,0x22,0x33,0x9C,0x55,0x66,0x77,0x88,0x99,0xAA }; // esi ((k[1]^k[7])&0xFF)*0x100+((k[2]^k[5])&0xff)&0xFFFF //((((EAX^0x7892+0x4D30)^0x3421)&FFFF)/0xB)-为0返回0不为0返回商 while (true) { byte k1 = rand() % 0xFF; byte k7 = rand() % 0xFF; byte k2 = rand() % 0xFF; byte k5 = rand() % 0xFF; DWORD ESI = (0x100*(k1 ^ k7 & 0xFF) + k2 ^ k5 & 0xFF) & 0xFFFF; DWORD EAX = (((ESI ^ 0x7892) + 0x4D30) ^ 0x3421) & 0xFFFF; if (EAX%0xB==0&&EAX / 0xB==0x3E8) { K[1] = k1; K[7] = k7; K[2] = k2; K[5] = k5; break; } } printf("%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X", K[0],K[1], K[2], K[3], K[4], K[5], K[6], K[7], K[8], K[9]); ``` 因为下面有个对用户名计算的CALL,直接复制IDA中的代码,在计算完之后,返回DWORD 分别对 4 5 6 7 这几个位置进行了对比操作,所以直接赋值也可以省掉几次循环。 <h1 id="OVER">完善代码</h1> <a href="#index" target="_self">点击到到首页</a> ```cpp #include <iostream> #include <stdio.h> #include <Windows.h> #include <time.h> DWORD KArry[] = { 0x39cb44b8, 0x23754f67, 0x5f017211, 0x3ebb24da, 0x351707c6, 0x63f9774b, 0x17827288, 0x0fe74821, 0x5b5f670f, 0x48315ae8, 0x785b7769, 0x2b7a1547, 0x38d11292, 0x42a11b32, 0x35332244, 0x77437b60, 0x1eab3b10, 0x53810000, 0x1d0212ae, 0x6f0377a8, 0x43c03092, 0x2d3c0a8e, 0x62950cbf, 0x30f06ffa, 0x34f710e0, 0x28f417fb, 0x350d2f95, 0x5a361d5a, 0x15cc060b, 0x0afd13cc, 0x28603bcf, 0x3371066b, 0x30cd14e4, 0x175d3a67, 0x6dd66a13, 0x2d3409f9, 0x581e7b82, 0x76526b99, 0x5c8d5188, 0x2c857971, 0x15f51fc0, 0x68cc0d11, 0x49f55e5c, 0x275e4364, 0x2d1e0dbc, 0x4cee7ce3, 0x32555840, 0x112e2e08, 0x6978065a, 0x72921406, 0x314578e7, 0x175621b7, 0x40771dbf, 0x3fc238d6, 0x4a31128a, 0x2dad036e, 0x41a069d6, 0x25400192, 0x00dd4667, 0x6afc1f4f, 0x571040ce, 0x62fe66df, 0x41db4b3e, 0x3582231f, 0x55f6079a, 0x1ca70644, 0x1b1643d2, 0x3f7228c9, 0x5f141070, 0x3e1474ab, 0x444b256e, 0x537050d9, 0x0f42094b, 0x2fd820e6, 0x778b2e5e, 0x71176d02, 0x7fea7a69, 0x5bb54628, 0x19ba6c71, 0x39763a99, 0x178d54cd, 0x01246e88, 0x3313537e, 0x2b8e2d17, 0x2a3d10be, 0x59d10582, 0x37a163db, 0x30d6489a, 0x6a215c46, 0x0e1c7a76, 0x1fc760e7, 0x79b80c65, 0x27f459b4, 0x799a7326, 0x50ba1782, 0x2a116d5c, 0x63866e1b, 0x3f920e3c, 0x55023490, 0x55b56089, 0x2c391fd1, 0x2f8035c2, 0x64fd2b7a, 0x4ce8759a, 0x518504f0, 0x799501a8, 0x3f5b2cad, 0x38e60160, 0x637641d8, 0x33352a42, 0x51a22c19, 0x085c5851, 0x032917ab, 0x2b770ac7, 0x30ac77b3, 0x2bec1907, 0x035202d0, 0x0fa933d3, 0x61255df3, 0x22ad06bf, 0x58b86971, 0x5fca0de5, 0x700d6456, 0x56a973db, 0x5ab759fd, 0x330e0be2, 0x5b3c0ddd, 0x495d3c60, 0x53bd59a6, 0x4c5e6d91, 0x49d9318d, 0x103d5079, 0x61ce42e3, 0x7ed5121d, 0x14e160ed, 0x212d4ef2, 0x270133f0, 0x62435a96, 0x1fa75e8b, 0x6f092fbe, 0x4a000d49, 0x57ae1c70, 0x004e2477, 0x561e7e72, 0x468c0033, 0x5dcc2402, 0x78507ac6, 0x58af24c7, 0x0df62d34, 0x358a4708, 0x3cfb1e11, 0x2b71451c, 0x77a75295, 0x56890721, 0x0fef75f3, 0x120f24f1, 0x01990ae7, 0x339c4452, 0x27a15b8e, 0x0ba7276d, 0x60dc1b7b, 0x4f4b7f82, 0x67db7007, 0x4f4a57d9, 0x621252e8, 0x20532cfc, 0x6a390306, 0x18800423, 0x19f3778a, 0x462316f0, 0x56ae0937, 0x43c2675c, 0x65ca45fd, 0x0d604ff2, 0x0bfd22cb, 0x3afe643b, 0x3bf67fa6, 0x44623579, 0x184031f8, 0x32174f97, 0x4c6a092a, 0x5fb50261, 0x01650174, 0x33634af1, 0x712d18f4, 0x6e997169, 0x5dab7afe, 0x7c2b2ee8, 0x6edb75b4, 0x5f836fb6, 0x3c2a6dd6, 0x292d05c2, 0x052244db, 0x149a5f4f, 0x5d486540, 0x331d15ea, 0x4f456920, 0x483a699f, 0x3b450f05, 0x3b207c6c, 0x749d70fe, 0x417461f6, 0x62b031f1, 0x2750577b, 0x29131533, 0x588c3808, 0x1aef3456, 0x0f3c00ec, 0x7da74742, 0x4b797a6c, 0x5ebb3287, 0x786558b8, 0x00ed4ff2, 0x6269691e, 0x24a2255f, 0x62c11f7e, 0x2f8a7dcd, 0x643b17fe, 0x778318b8, 0x253b60fe, 0x34bb63a3, 0x5b03214f, 0x5f1571f4, 0x1a316e9f, 0x7acf2704, 0x28896838, 0x18614677, 0x1bf569eb, 0x0ba85ec9, 0x6aca6b46, 0x1e43422a, 0x514d5f0e, 0x413e018c, 0x307626e9, 0x01ed1dfa, 0x49f46f5a, 0x461b642b, 0x7d7007f2, 0x13652657, 0x6b160bc5, 0x65e04849, 0x1f526e1c, 0x5a0251b6, 0x2bd73f69, 0x2dbf7acd, 0x51e63e80, 0x5cf2670f, 0x21cd0a03, 0x5cff0261, 0x33ae061e, 0x3bb6345f, 0x5d814a75, 0x257b5df4, 0x0a5c2c5b, 0x16a45527, 0x16f23945 }; int __cdecl EnCodeUserName(const char* usUser, int a2, char a3, unsigned __int16 a4) { const char* v4; // edx signed int v5; // esi signed int v6; // edi unsigned __int8 v7; // bl int v8; // eax int v9; // ecx int v10; // ecx int result; // eax unsigned __int8 v12; // [esp+8h] [ebp-10h] unsigned __int8 v13; // [esp+Ch] [ebp-Ch] unsigned __int8 v14; // [esp+10h] [ebp-8h] int v15; // [esp+14h] [ebp-4h] v4 = usUser; v15 = 0; v5 = strlen(usUser); v6 = 0; if (v5 <= 0) return 0; v12 = 0; v13 = 0; v7 = 15 * a4; v14 = 17 * a3; do { v8 = toupper((unsigned __int8)v4[v6]); v9 = v15 + KArry[v8]; if (a2) v10 = KArry[v13] + KArry[v7] + KArry[v14] + KArry[(unsigned __int8)(v8 + 47)] * (KArry[(unsigned __int8)(v8 + 13)] ^ v9); else v10 = KArry[v12] + KArry[v7] + KArry[v14] + KArry[(unsigned __int8)(v8 + 23)] * (KArry[(unsigned __int8)(v8 + 63)] ^ v9); result = v10; v15 = v10; v13 += 19; ++v6; v14 += 9; v7 += 13; v12 += 7; v4 = usUser; } while (v6 < v5); return result; } int main() { DWORD dwKey = EnCodeUserName("15PB",1,0,0x3E8); srand(time(NULL)); byte K[10] = { 0x11,0x22,0x33,0x9C,0x55,0x66,0x77,0x88,0x99,0xAA }; K[4] = dwKey&0xFF; K[5] = dwKey >> 8 & 0xFF; K[6] = dwKey >> 16 & 0xFF; K[7] = dwKey >> 24 & 0xFF; //((k[0]^k[6]^0x18)+0x3D)^0xA7 while (true) { byte k0 = rand()%0xFF; byte k6 = K[6]; byte al = (K[0] ^ K[6] ^ 0x18 + 0x3D) ^ 0xA7; if (al > 0) { K[0] = k0; K[6] = k6; break; } } // esi ((k[1]^k[7])&0xFF)*0x100+((k[2]^k[5])&0xff)&0xFFFF //((((EAX^0x7892+0x4D30)^0x3421)&FFFF)/0xB)-为0返回0不为0返回商 while (true) { byte k1 = rand() % 0xFF; byte k7 = K[7]; byte k2 = rand() % 0xFF; byte k5 = K[5]; DWORD ESI = (0x100*(k1 ^ k7 & 0xFF) + k2 ^ k5 & 0xFF) & 0xFFFF; DWORD EAX = (((ESI ^ 0x7892) + 0x4D30) ^ 0x3421) & 0xFFFF; if (EAX%0xB==0&&EAX / 0xB==0x3E8) { K[1] = k1; K[7] = k7; K[2] = k2; K[5] = k5; break; } } printf("%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X", K[0],K[1], K[2], K[3], K[4], K[5], K[6], K[7], K[8], K[9]); } ``` ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205170518319.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) ![在这里插入图片描述](https://img-blog.csdnimg.cn/20201205170534910.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQwNTkxNDQw,size_16,color_FFFFFF,t_70) 最后修改:2020 年 12 月 19 日 © 允许规范转载 赞 0 如果觉得我的文章对你有用,请随意赞赏