1. 初步分析
加载names.in, 5*5的矩阵
.text:000000013FF01947 call load_names_in
sn格式为xxxxAyyyy
.text:000000013FF0195C lea r8, [rsp+448h+Dst]
.text:000000013FF01961 lea rdx, [rsp+448h+var_428]
.text:000000013FF01966 lea rcx, aDaS ; "%dA%s"
.text:000000013FF0196D call scanf
求sn前半部分的平方根
.text:000000013FF01972 call getch
.text:000000013FF01977 mov ecx, [rsp+448h+var_428]
.text:000000013FF0197B call sqr
.text:000000013FF01980 test eax, eax
.text:000000013FF01982 jnz short loc_13FF019AF
sn后半部分的字符为1/2/3/4
.text:000000013FF015B7 movsx ecx, byte ptr [r8]
.text:000000013FF015BB sub ecx, 31h
.text:000000013FF015BE jz loc_13FF01732
.text:000000013FF015C4 sub ecx, 1
.text:000000013FF015C7 jz loc_13FF016BC
.text:000000013FF015CD sub ecx, 1
.text:000000013FF015D0 jz short loc_13FF0164C
.text:000000013FF015D2 cmp ecx, 1
.text:000000013FF015D5 jnz loc_13FF01815
验证sn
.text:000000013FF018A7 movsxd rax, esi
.text:000000013FF018AA movsxd rdx, r14d
.text:000000013FF018AD lea rcx, [rax+rdx*4]
.text:000000013FF018B1 add rdx, rcx
.text:000000013FF018B4 lea rax, g_matrix_5_5
.text:000000013FF018BB mov ecx, cs:column_index
.text:000000013FF018C1 imul ecx, edi
.text:000000013FF018C4 add ecx, [rax+rdx*4]
.text:000000013FF018C7 lea eax, [rdi+rdi*2]
.text:000000013FF018CA cmp ecx, eax
.text:000000013FF018CC lea rcx, aZUVSJ ; "恭喜你注册成功!\n"
.text:000000013FF018D3 jz short loc_13FF018DC
.text:000000013FF018D5 lea rcx, aVSI_3 ; "注册码不正确\n"
.text:000000013FF018DC
.text:000000013FF018DC loc_13FF018DC: ; CODE XREF: sub_13FF014B0+423�j
.text:000000013FF018DC call printf
2. 测试sn
输入一个合法的sn: 121A12341234
跑到验证处后,
成功条件: g_matrix[2][2] == sqr(前半部分), 此时g_matrix[2][2]=0x1A6
所以sn前半部分为0x1A6 * 0x1A6 = 178084
连接起来得到sn: 178084A12341234
注册成功, 提交不成功
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
