sn处理事件
.rdata:00402360 dd 3E8h
.rdata:00402364 dd 3E8h
.rdata:00402368 dd WM_SETTEXT
.rdata:0040236C dd offset sub_401570
sn长度>=11
.text:004015B5 cmp ebp, 0Bh
.text:004015B8 jl loc_401696
解密401540处的代码
int i;
BYTE key;
BYTE buf1[20]; // 403020
BYTE buf2[44]; // 401540
key=0;
for (i = 0; i < sn_len; i++) key ^= sn[i];
for (i = 0; i < 20; i++) buf1[i] ^= key;
key=0;
for (i = 0; i < 20; i++) key ^= 94 * buf1[i];
for (i = 0; i < 44; i++) buf2[i] ^= key;
.text:004015F8 mov cl, [esp+edx+88h+Buffer]
.text:004015FC xor eax, eax
.text:004015FE
.text:004015FE xor byte_403020[eax], cl
.text:00401604 inc eax
.text:00401605 cmp eax, 14h
.text:00401608 jl short loc_4015FE
.text:0040160A inc edx
.text:0040160B cmp edx, ebp
.text:0040160D jl short loc_4015F8
.text:0040164B mov al, byte_403020[esi]
.text:00401651 mov dl, 5Eh
.text:00401653 xor ecx, ecx
.text:00401655 imul dl
.text:00401657 mov dl, [esp+ecx+88h+Buffer]
.text:0040165B xor dl, al
.text:0040165D mov [esp+ecx+88h+Buffer], dl
.text:00401661 inc ecx
.text:00401662 cmp ecx, 2Ch
.text:00401665 jl short loc_401657
.text:00401667 inc esi
.text:00401668 cmp esi, 14h
.text:0040166B jl short loc_40164B
.text:00401689 mov edx, [esp+88h+a1]
.text:0040168D push edx ; a1
.text:0040168E call sub_401540
.text:00401693 add esp, 4
根据sub_401540的调用约定, 可知其最后一个字节为0xC3(retn)
key=0xC3 ^ 0x07 = 0xC4;
再逆推跑一下可得sn的xor key:
key=1E
key=3E
key=5E
key=7E
key=9E
key=BE
key=DE
key=FE
选取key=5E, 易得一组解: 00000000000n
sn长度只限制了大于11即可, 只要sn的xor key满足条件, 可有很多解
.text:00401540 push 1 ; uType
.text:00401542 push offset Caption ; "成功"
.text:00401547 push offset Caption ; "成功"
.text:0040154C push 0 ; hWnd
.text:0040154E call ds:MessageBoxA
.text:00401554 mov ecx, [esp+arg_0] ; this
.text:00401558 push 3E8h ; int
.text:0040155D call ?GetDlgItem@CWnd@@QBEPAV1@H@Z ; CWnd::GetDlgItem(int)
.text:00401562 push 0 ; int
.text:00401564 mov ecx, eax ; this
.text:00401566 call ?EnableWindow@CWnd@@QAEHH@Z ; CWnd::EnableWindow(int)
.text:0040156B retn
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
