[原创]KeyMe算法分析
发表于: 2014-4-23 15:22 3457
用OD载入程序,在GetDlgItemTextA上下断点,按F9运行,结果OD被关闭了。
再次载入后,发现输入表中有TerminateProcess函数:
这是程序的反调试手段,它会终止自己的父进程(资源管理器除外)以及具有指定文件名的调试器进程。
我把这些检查patch掉了。
在GetDlgItemTextA上下断点,
00401280 |. E8 57050000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401285 |. E8 6D000000 call KeyMe21.004012F7
004012F7 /$ 83F8 00 cmp eax,0
004012FA |. 75 01 jnz short KeyMe21.004012FD
004012FC |. C3 retn
004012FD |> 33C0 xor eax,eax
004012FF |. 33DB xor ebx,ebx
00401301 |. 33C9 xor ecx,ecx
00401303 |. B8 04000000 mov eax,4
00401308 |> 81B8 50324000>/cmp dword ptr ds:[eax+403250],3D6F6E2E ;从第四位比较与字符串".no="
00401312 |. 75 03 |jnz short KeyMe21.00401317
00401314 |. 43 |inc ebx ;ebx-".no="出现的次数
00401315 |. 8BC8 |mov ecx,eax ;ecx-最后一次出现".no="的位置
00401317 |> 40 |inc eax
00401318 |. 83F8 09 |cmp eax,9 ;比较到name[8]
0040131B |.^ 75 EB \jnz short KeyMe21.00401308
0040131D |. 83FB 01 cmp ebx,1
00401320 |. 74 14 je short KeyMe21.00401336 ;".no="只能出现一次
00401322 |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401324 |. 68 DE314000 push KeyMe21.004031DE ; |Input error
00401329 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
0040132E |. 6A 00 push 0 ; |hOwner = NULL
00401330 |. E8 B9040000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401335 |. C3 retn
00401336 |> E8 24000000 call KeyMe21.0040135F
{
0040135F /$ C781 50324000>mov dword ptr ds:[ecx+403250],0 ;".no="变为0
00401369 |. 33DB xor ebx,ebx
0040136B |. EB 24 jmp short KeyMe21.00401391
0040136D |. 47 6F 20 61 7>ascii "Go away!",0
00401376 |. 49 27 6D 20 6>ascii "I'm just",0
0040137F |. 63 68 61 6E 6>ascii "changing",0
00401388 |. 62 75 66 66 6>ascii "buffers.",0
00401391 |> 8B1D 50324000 mov ebx,dword ptr ds:[403250]
00401397 |. 891D 80324000 mov dword ptr ds:[403280],ebx
0040139D |. 8B1D 54324000 mov ebx,dword ptr ds:[403254]
004013A3 |. 891D 84324000 mov dword ptr ds:[403284],ebx
004013A9 |. C781 80324000>mov dword ptr ds:[ecx+403280],0 ;复制前8位到403280,设为b
004013B3 \. C3 retn
}
0040133B |. E8 74000000 call KeyMe21.004013B4
{
004013B4 /$ 80B9 5C324000>cmp byte ptr ds:[ecx+40325C],3A ;从".no="开始第12位为:
004013BB |. 74 17 je short KeyMe21.004013D4
004013BD |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013BF |. 68 DE314000 push KeyMe21.004031DE ; |Input error
004013C4 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
004013C9 |. 6A 00 push 0 ; |hOwner = NULL
004013CB |. E8 1E040000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004013D0 |. 83C4 04 add esp,4
004013D3 |. C3 retn
004013D4 |> 80B9 65324000>cmp byte ptr ds:[ecx+403265],3A ;从".no="开始第21位为:
004013DB |. 74 17 je short KeyMe21.004013F4
004013DD |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013DF |. 68 DE314000 push KeyMe21.004031DE ; |Input error
004013E4 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
004013E9 |. 6A 00 push 0 ; |hOwner = NULL
004013EB |. E8 FE030000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004013F0 |. 83C4 04 add esp,4
004013F3 |. C3 retn
004013F4 |> 80B9 6E324000>cmp byte ptr ds:[ecx+40326E],0 ;从".no="开始第30位为0
004013FB |. 74 17 je short KeyMe21.00401414
004013FD |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013FF |. 68 DE314000 push KeyMe21.004031DE ; |Input error
00401404 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
00401409 |. 6A 00 push 0 ; |hOwner = NULL
0040140B |. E8 DE030000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401410 |. 83C4 04 add esp,4
00401413 |. C3 retn
00401414 |> C681 6E324000>mov byte ptr ds:[ecx+40326E],0
0040141B \. C3 retn
}
由以上知,name的格式应为(X为前缀部分;按上面的循环,".no="只在偏移4到8处查找,所以前缀实际为4到8个字符;".no="之后是三组各8个字符,前两组后面各跟一个':'):
XXXXXXXXXXXXXXXX.no=YYYYYYYY:YYYYYYYY:SSSSSSSS
00401340 |. E8 D7000000 call KeyMe21.0040141C
{
0040141C /$ 33DB xor ebx,ebx
0040141E |. 8B99 54324000 mov ebx,dword ptr ds:[ecx+403254]
00401424 |. 891D 90324000 mov dword ptr ds:[403290],ebx
0040142A |. 8B99 58324000 mov ebx,dword ptr ds:[ecx+403258]
00401430 |. 891D 94324000 mov dword ptr ds:[403294],ebx
00401436 |. 8B99 5D324000 mov ebx,dword ptr ds:[ecx+40325D]
0040143C |. 891D 98324000 mov dword ptr ds:[403298],ebx
00401442 |. 8B99 61324000 mov ebx,dword ptr ds:[ecx+403261]
00401448 |. 891D 9C324000 mov dword ptr ds:[40329C],ebx
0040144E |. 8B99 66324000 mov ebx,dword ptr ds:[ecx+403266]
00401454 |. 891D A0324000 mov dword ptr ds:[4032A0],ebx
0040145A |. 8B99 6A324000 mov ebx,dword ptr ds:[ecx+40326A]
00401460 |. 891D A4324000 mov dword ptr ds:[4032A4],ebx ;复制name的".no="后面(除去'=')到b+0x10
00401466 \. C3 retn
}
b变为:
XXXXXXXX00000000YYYYYYYYYYYYYYYYSSSSSSSS
00401345 |. E8 1D010000 call KeyMe21.00401467 ;清除name
0040134A |. E8 AD010000 call KeyMe21.004014FC ;前8位必为字母
为了方便,把b中的前8位(403280处)记为c,以Y开始的16位(403290处)记为d,S部分(4032A0处)记为e,
4032B0处的8个字节记为f
0040134F |. E8 E5010000 call KeyMe21.00401539
{
00401539 /$ E8 EC020000 call <jmp.&kernel32.GetLogicalDrives> ; [GetLogicalDrives
0040153E |. A3 B0324000 mov dword ptr ds:[4032B0],eax
00401543 |. 33C0 xor eax,eax
00401545 |. E8 F2020000 call <jmp.&kernel32.GetVersion>
0040154A |. A3 B4324000 mov dword ptr ds:[4032B4],eax ;初始化f
0040154F |. 33C0 xor eax,eax
00401551 \. C3 retn
}
00401354 |. E8 F9010000 call KeyMe21.00401552
{
00401552 /$ 33C0 xor eax,eax
00401554 |. 33DB xor ebx,ebx ;ebx设为i
00401556 |. 33C9 xor ecx,ecx ;ecx设为j
00401558 |> 0FB683 803240>/movzx eax,byte ptr ds:[ebx+403280] ;c[i]!=0循环
0040155F |. 83F8 00 |cmp eax,0
00401562 |. 74 17 |je short KeyMe21.0040157B
00401564 |> 3081 B0324000 |/xor byte ptr ds:[ecx+4032B0],al ;f[j]^=c[i]
0040156A |. 41 ||inc ecx ;j++
0040156B |. D289 B0324000 ||ror byte ptr ds:[ecx+4032B0],cl ;f[j]循环右移j+1位
00401571 |. 83F9 08 ||cmp ecx,8 ;j==8退出循环
00401574 |.^ 75 EE |\jnz short KeyMe21.00401564
00401576 |. 33C9 |xor ecx,ecx
00401578 |. 43 |inc ebx ;i++
00401579 |.^ EB DD \jmp short KeyMe21.00401558
0040157B |> 33C0 xor eax,eax
0040157D |. 33DB xor ebx,ebx ;i
0040157F |. 33C9 xor ecx,ecx ;j
00401581 |> 0FB683 903240>/movzx eax,byte ptr ds:[ebx+403290] ;eax-d[i]
00401588 |> 3081 B0324000 |xor byte ptr ds:[ecx+4032B0],al ;f[j]^=d[i]
0040158E |. 41 |inc ecx ;j++
0040158F |. D289 B0324000 |ror byte ptr ds:[ecx+4032B0],cl ;f[j]循环右移j+1次
00401595 |. 83F9 08 |cmp ecx,8
00401598 |.^ 75 EE |jnz short KeyMe21.00401588 ;j==8退出循环
0040159A |. 33C9 |xor ecx,ecx
0040159C |. 43 |inc ebx ;i++
0040159D |. 83FB 10 |cmp ebx,10 ;i==16退出循环
004015A0 |.^ 75 DF \jnz short KeyMe21.00401581
004015A2 \. C3 retn
}
00401359 |. E8 45020000 call KeyMe21.004015A3
{
004015A3 /$ A1 B0324000 mov eax,dword ptr ds:[4032B0]
004015A8 |. 0305 B4324000 add eax,dword ptr ds:[4032B4] ;eax-f的前四位+f的后四位
004015AE |. 50 push eax
004015AF |. 68 22324000 push KeyMe21.00403222 ; /sprintf
004015B4 |. 68 17324000 push KeyMe21.00403217 ; |/msvcrt.dll
004015B9 |. E8 84020000 call <jmp.&kernel32.LoadLibraryA> ; |\LoadLibraryA
004015BE |. 50 push eax ; |hModule
004015BF |. E8 72020000 call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
004015C4 |. 68 11324000 push KeyMe21.00403211 ; %.8X
004015C9 |. 68 C0324000 push KeyMe21.004032C0 ; ASCII "3D095527"
004015CE |. FFD0 call eax
004015D0 |. 83C4 0C add esp,0C
004015D3 |. 8D05 A0324000 lea eax,dword ptr ds:[4032A0] ;e要等于f
004015D9 |. 50 push eax ; /String2 => "3D095527"
004015DA |. 68 C0324000 push KeyMe21.004032C0 ; |String1 = "3D095527"
004015DF |. E8 88020000 call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA
004015E4 |. 83F8 00 cmp eax,0
004015E7 |. 74 14 je short KeyMe21.004015FD
004015E9 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004015EB |. 68 A0314000 push KeyMe21.004031A0 ; |Serial not valid
004015F0 |. 68 B1314000 push KeyMe21.004031B1 ; |Serial number is not valid for this machine!
004015F5 |. 6A 00 push 0 ; |hOwner = NULL
004015F7 |. E8 F2010000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004015FC |. C3 retn
}
0040135E \. C3 retn
注册机:
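/*
 * Keygen for the KeyMe crackme analysed in the listing above.
 *
 * Reads a name part `a` (at most 8 characters) and a 16-character part `b`,
 * replays the two mixing loops from the listing on an 8-byte state seeded
 * with GetLogicalDrives() and GetVersion(), and prints the serial as
 * "<a>.no=<b[0..7]>:<b[8..15]>:<8 hex digits>".
 *
 * The seed is read from the machine the keygen runs on, so the printed
 * serial depends on that machine.
 *
 * Returns 0 on success, 1 if the two input tokens could not be read.
 */
int main(int argc, char* argv[])
{
    char a[32]={0};
    char b[32]={0};
    char c[32]={0};
    /* Unsigned so that the final 32-bit sum wraps instead of being signed
       overflow, and so that it matches the %X conversion. */
    unsigned int d[32]={0};
    /* Byte view of the state; only f[0]..f[8] are touched below. */
    unsigned char *f=(unsigned char*)d;
    int i,j;
    int na,nb;
    unsigned char t;

    d[0]=GetLogicalDrives();
    d[1]=GetVersion();

    printf("请输入a,b\n");
    /* Field widths keep each token inside its 32-byte buffer; a failed read
       (EOF, closed stdin) ends the program instead of looping forever. */
    if (scanf("%31s%31s",a,b)!=2)
    {
        return 1;
    }
    na=(int)strlen(a);
    nb=(int)strlen(b);
    /* NOTE(review): the listing only looks for ".no=" at offsets 4..8 of the
       input, so an `a` shorter than 4 characters would presumably be rejected
       by the target; the length rule is left as the author wrote it. */
    while (na>8||nb!=16)
    {
        printf("a必须不大于8位且b应为16位\n");
        if (scanf("%31s %31s",a,b)!=2)
        {
            return 1;
        }
        na=(int)strlen(a);
        nb=(int)strlen(b);
    }

    /* First loop of 00401552: mix every character of a into the state. */
    for (i=0;i<na;i++)
    {
        for (j=0;j<8;j++)
        {
            f[j]^=(unsigned char)a[i];
            /* ror byte [f+j+1], j+1: for j==7 the count is 8 and the byte
               (first byte of d[2], always 0 here) is unchanged. */
            t=f[j+1];
            f[j+1]=(unsigned char)((t>>(j+1))|(t<<(7-j)));
        }
    }

    /* Second loop: the same mixing with the 16 characters of b. */
    for (i=0;i<16;i++)
    {
        for (j=0;j<8;j++)
        {
            f[j]^=(unsigned char)b[i];
            t=f[j+1];
            f[j+1]=(unsigned char)((t>>(j+1))|(t<<(7-j)));
        }
    }

    /* 8 hex digits plus the terminator always fit in c[32]. */
    sprintf(c,"%.8X",d[0]+d[1]);

    /* b8 is zero-filled, so copying 8 bytes leaves it NUL-terminated. */
    char b8[16]={0};
    strncpy(b8,b,8);
    printf("%s.no=%s:%s:%s\n",a,b8,b+8,c);
    return 0;
}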
再次载入后,发现输入表中有TerminateProcess函数:
这是程序的反调试手段,它会终止自己的父进程(资源管理器除外)以及具有指定文件名的调试器进程。
我把这些检查patch掉了。
在GetDlgItemTextA上下断点,
00401280 |. E8 57050000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401285 |. E8 6D000000 call KeyMe21.004012F7
004012F7 /$ 83F8 00 cmp eax,0
004012FA |. 75 01 jnz short KeyMe21.004012FD
004012FC |. C3 retn
004012FD |> 33C0 xor eax,eax
004012FF |. 33DB xor ebx,ebx
00401301 |. 33C9 xor ecx,ecx
00401303 |. B8 04000000 mov eax,4
00401308 |> 81B8 50324000>/cmp dword ptr ds:[eax+403250],3D6F6E2E ;从第四位比较与字符串".no="
00401312 |. 75 03 |jnz short KeyMe21.00401317
00401314 |. 43 |inc ebx ;ebx-".no="出现的次数
00401315 |. 8BC8 |mov ecx,eax ;ecx-最后一次出现".no="的位置
00401317 |> 40 |inc eax
00401318 |. 83F8 09 |cmp eax,9 ;比较到name[8]
0040131B |.^ 75 EB \jnz short KeyMe21.00401308
0040131D |. 83FB 01 cmp ebx,1
00401320 |. 74 14 je short KeyMe21.00401336 ;".no="只能出现一次
00401322 |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401324 |. 68 DE314000 push KeyMe21.004031DE ; |Input error
00401329 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
0040132E |. 6A 00 push 0 ; |hOwner = NULL
00401330 |. E8 B9040000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401335 |. C3 retn
00401336 |> E8 24000000 call KeyMe21.0040135F
{
0040135F /$ C781 50324000>mov dword ptr ds:[ecx+403250],0 ;".no="变为0
00401369 |. 33DB xor ebx,ebx
0040136B |. EB 24 jmp short KeyMe21.00401391
0040136D |. 47 6F 20 61 7>ascii "Go away!",0
00401376 |. 49 27 6D 20 6>ascii "I'm just",0
0040137F |. 63 68 61 6E 6>ascii "changing",0
00401388 |. 62 75 66 66 6>ascii "buffers.",0
00401391 |> 8B1D 50324000 mov ebx,dword ptr ds:[403250]
00401397 |. 891D 80324000 mov dword ptr ds:[403280],ebx
0040139D |. 8B1D 54324000 mov ebx,dword ptr ds:[403254]
004013A3 |. 891D 84324000 mov dword ptr ds:[403284],ebx
004013A9 |. C781 80324000>mov dword ptr ds:[ecx+403280],0 ;复制前8位到403280,设为b
004013B3 \. C3 retn
}
0040133B |. E8 74000000 call KeyMe21.004013B4
{
004013B4 /$ 80B9 5C324000>cmp byte ptr ds:[ecx+40325C],3A ;从".no="开始第12位为:
004013BB |. 74 17 je short KeyMe21.004013D4
004013BD |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013BF |. 68 DE314000 push KeyMe21.004031DE ; |Input error
004013C4 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
004013C9 |. 6A 00 push 0 ; |hOwner = NULL
004013CB |. E8 1E040000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004013D0 |. 83C4 04 add esp,4
004013D3 |. C3 retn
004013D4 |> 80B9 65324000>cmp byte ptr ds:[ecx+403265],3A ;从".no="开始第21位为:
004013DB |. 74 17 je short KeyMe21.004013F4
004013DD |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013DF |. 68 DE314000 push KeyMe21.004031DE ; |Input error
004013E4 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
004013E9 |. 6A 00 push 0 ; |hOwner = NULL
004013EB |. E8 FE030000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004013F0 |. 83C4 04 add esp,4
004013F3 |. C3 retn
004013F4 |> 80B9 6E324000>cmp byte ptr ds:[ecx+40326E],0 ;从".no="开始第30位为0
004013FB |. 74 17 je short KeyMe21.00401414
004013FD |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013FF |. 68 DE314000 push KeyMe21.004031DE ; |Input error
00401404 |. 68 EA314000 push KeyMe21.004031EA ; |Serial format is incorrect! Try again.
00401409 |. 6A 00 push 0 ; |hOwner = NULL
0040140B |. E8 DE030000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401410 |. 83C4 04 add esp,4
00401413 |. C3 retn
00401414 |> C681 6E324000>mov byte ptr ds:[ecx+40326E],0
0040141B \. C3 retn
}
由以上知,name的格式应为(X为前缀部分;按上面的循环,".no="只在偏移4到8处查找,所以前缀实际为4到8个字符;".no="之后是三组各8个字符,前两组后面各跟一个':'):
XXXXXXXXXXXXXXXX.no=YYYYYYYY:YYYYYYYY:SSSSSSSS
00401340 |. E8 D7000000 call KeyMe21.0040141C
{
0040141C /$ 33DB xor ebx,ebx
0040141E |. 8B99 54324000 mov ebx,dword ptr ds:[ecx+403254]
00401424 |. 891D 90324000 mov dword ptr ds:[403290],ebx
0040142A |. 8B99 58324000 mov ebx,dword ptr ds:[ecx+403258]
00401430 |. 891D 94324000 mov dword ptr ds:[403294],ebx
00401436 |. 8B99 5D324000 mov ebx,dword ptr ds:[ecx+40325D]
0040143C |. 891D 98324000 mov dword ptr ds:[403298],ebx
00401442 |. 8B99 61324000 mov ebx,dword ptr ds:[ecx+403261]
00401448 |. 891D 9C324000 mov dword ptr ds:[40329C],ebx
0040144E |. 8B99 66324000 mov ebx,dword ptr ds:[ecx+403266]
00401454 |. 891D A0324000 mov dword ptr ds:[4032A0],ebx
0040145A |. 8B99 6A324000 mov ebx,dword ptr ds:[ecx+40326A]
00401460 |. 891D A4324000 mov dword ptr ds:[4032A4],ebx ;复制name的".no="后面(除去'=')到b+0x10
00401466 \. C3 retn
}
b变为:
XXXXXXXX00000000YYYYYYYYYYYYYYYYSSSSSSSS
00401345 |. E8 1D010000 call KeyMe21.00401467 ;清除name
0040134A |. E8 AD010000 call KeyMe21.004014FC ;前8位必为字母
为了方便,把b中的前8位(403280处)记为c,以Y开始的16位(403290处)记为d,S部分(4032A0处)记为e,
4032B0处的8个字节记为f
0040134F |. E8 E5010000 call KeyMe21.00401539
{
00401539 /$ E8 EC020000 call <jmp.&kernel32.GetLogicalDrives> ; [GetLogicalDrives
0040153E |. A3 B0324000 mov dword ptr ds:[4032B0],eax
00401543 |. 33C0 xor eax,eax
00401545 |. E8 F2020000 call <jmp.&kernel32.GetVersion>
0040154A |. A3 B4324000 mov dword ptr ds:[4032B4],eax ;初始化f
0040154F |. 33C0 xor eax,eax
00401551 \. C3 retn
}
00401354 |. E8 F9010000 call KeyMe21.00401552
{
00401552 /$ 33C0 xor eax,eax
00401554 |. 33DB xor ebx,ebx ;ebx设为i
00401556 |. 33C9 xor ecx,ecx ;ecx设为j
00401558 |> 0FB683 803240>/movzx eax,byte ptr ds:[ebx+403280] ;c[i]!=0循环
0040155F |. 83F8 00 |cmp eax,0
00401562 |. 74 17 |je short KeyMe21.0040157B
00401564 |> 3081 B0324000 |/xor byte ptr ds:[ecx+4032B0],al ;f[j]^=c[i]
0040156A |. 41 ||inc ecx ;j++
0040156B |. D289 B0324000 ||ror byte ptr ds:[ecx+4032B0],cl ;f[j]循环右移j+1位
00401571 |. 83F9 08 ||cmp ecx,8 ;j==8退出循环
00401574 |.^ 75 EE |\jnz short KeyMe21.00401564
00401576 |. 33C9 |xor ecx,ecx
00401578 |. 43 |inc ebx ;i++
00401579 |.^ EB DD \jmp short KeyMe21.00401558
0040157B |> 33C0 xor eax,eax
0040157D |. 33DB xor ebx,ebx ;i
0040157F |. 33C9 xor ecx,ecx ;j
00401581 |> 0FB683 903240>/movzx eax,byte ptr ds:[ebx+403290] ;eax-d[i]
00401588 |> 3081 B0324000 |xor byte ptr ds:[ecx+4032B0],al ;f[j]^=d[i]
0040158E |. 41 |inc ecx ;j++
0040158F |. D289 B0324000 |ror byte ptr ds:[ecx+4032B0],cl ;f[j]循环右移j+1次
00401595 |. 83F9 08 |cmp ecx,8
00401598 |.^ 75 EE |jnz short KeyMe21.00401588 ;j==8退出循环
0040159A |. 33C9 |xor ecx,ecx
0040159C |. 43 |inc ebx ;i++
0040159D |. 83FB 10 |cmp ebx,10 ;i==16退出循环
004015A0 |.^ 75 DF \jnz short KeyMe21.00401581
004015A2 \. C3 retn
}
00401359 |. E8 45020000 call KeyMe21.004015A3
{
004015A3 /$ A1 B0324000 mov eax,dword ptr ds:[4032B0]
004015A8 |. 0305 B4324000 add eax,dword ptr ds:[4032B4] ;eax-f的前四位+f的后四位
004015AE |. 50 push eax
004015AF |. 68 22324000 push KeyMe21.00403222 ; /sprintf
004015B4 |. 68 17324000 push KeyMe21.00403217 ; |/msvcrt.dll
004015B9 |. E8 84020000 call <jmp.&kernel32.LoadLibraryA> ; |\LoadLibraryA
004015BE |. 50 push eax ; |hModule
004015BF |. E8 72020000 call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
004015C4 |. 68 11324000 push KeyMe21.00403211 ; %.8X
004015C9 |. 68 C0324000 push KeyMe21.004032C0 ; ASCII "3D095527"
004015CE |. FFD0 call eax
004015D0 |. 83C4 0C add esp,0C
004015D3 |. 8D05 A0324000 lea eax,dword ptr ds:[4032A0] ;e要等于f
004015D9 |. 50 push eax ; /String2 => "3D095527"
004015DA |. 68 C0324000 push KeyMe21.004032C0 ; |String1 = "3D095527"
004015DF |. E8 88020000 call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA
004015E4 |. 83F8 00 cmp eax,0
004015E7 |. 74 14 je short KeyMe21.004015FD
004015E9 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004015EB |. 68 A0314000 push KeyMe21.004031A0 ; |Serial not valid
004015F0 |. 68 B1314000 push KeyMe21.004031B1 ; |Serial number is not valid for this machine!
004015F5 |. 6A 00 push 0 ; |hOwner = NULL
004015F7 |. E8 F2010000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004015FC |. C3 retn
}
0040135E \. C3 retn
注册机:
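/*
 * Keygen for the KeyMe crackme analysed in the listing above.
 *
 * Reads a name part `a` (at most 8 characters) and a 16-character part `b`,
 * replays the two mixing loops from the listing on an 8-byte state seeded
 * with GetLogicalDrives() and GetVersion(), and prints the serial as
 * "<a>.no=<b[0..7]>:<b[8..15]>:<8 hex digits>".
 *
 * The seed is read from the machine the keygen runs on, so the printed
 * serial depends on that machine.
 *
 * Returns 0 on success, 1 if the two input tokens could not be read.
 */
int main(int argc, char* argv[])
{
    char a[32]={0};
    char b[32]={0};
    char c[32]={0};
    /* Unsigned so that the final 32-bit sum wraps instead of being signed
       overflow, and so that it matches the %X conversion. */
    unsigned int d[32]={0};
    /* Byte view of the state; only f[0]..f[8] are touched below. */
    unsigned char *f=(unsigned char*)d;
    int i,j;
    int na,nb;
    unsigned char t;

    d[0]=GetLogicalDrives();
    d[1]=GetVersion();

    printf("请输入a,b\n");
    /* Field widths keep each token inside its 32-byte buffer; a failed read
       (EOF, closed stdin) ends the program instead of looping forever. */
    if (scanf("%31s%31s",a,b)!=2)
    {
        return 1;
    }
    na=(int)strlen(a);
    nb=(int)strlen(b);
    /* NOTE(review): the listing only looks for ".no=" at offsets 4..8 of the
       input, so an `a` shorter than 4 characters would presumably be rejected
       by the target; the length rule is left as the author wrote it. */
    while (na>8||nb!=16)
    {
        printf("a必须不大于8位且b应为16位\n");
        if (scanf("%31s %31s",a,b)!=2)
        {
            return 1;
        }
        na=(int)strlen(a);
        nb=(int)strlen(b);
    }

    /* First loop of 00401552: mix every character of a into the state. */
    for (i=0;i<na;i++)
    {
        for (j=0;j<8;j++)
        {
            f[j]^=(unsigned char)a[i];
            /* ror byte [f+j+1], j+1: for j==7 the count is 8 and the byte
               (first byte of d[2], always 0 here) is unchanged. */
            t=f[j+1];
            f[j+1]=(unsigned char)((t>>(j+1))|(t<<(7-j)));
        }
    }

    /* Second loop: the same mixing with the 16 characters of b. */
    for (i=0;i<16;i++)
    {
        for (j=0;j<8;j++)
        {
            f[j]^=(unsigned char)b[i];
            t=f[j+1];
            f[j+1]=(unsigned char)((t>>(j+1))|(t<<(7-j)));
        }
    }

    /* 8 hex digits plus the terminator always fit in c[32]. */
    sprintf(c,"%.8X",d[0]+d[1]);

    /* b8 is zero-filled, so copying 8 bytes leaves it NUL-terminated. */
    char b8[16]={0};
    strncpy(b8,b,8);
    printf("%s.no=%s:%s:%s\n",a,b8,b+8,c);
    return 0;
}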