-
-
[求助]逆向qt apktool 工具的一些问题。
-
发表于: 2017-9-10 12:09 2931
-
本算法需要用户输入的大于12位。
.text:0000FB74 ; KeyClass::_verifyKey(QString) .text:0000FB74 EXPORT _ZN8KeyClass10_verifyKeyE7QString .text:0000FB74 _ZN8KeyClass10_verifyKeyE7QString ; CODE XREF: sub_12040+48p .text:0000FB74 .text:0000FB74 var_50 = -0x50 .text:0000FB74 var_44 = -0x44 .text:0000FB74 var_40 = -0x40 .text:0000FB74 var_3C = -0x3C .text:0000FB74 var_38 = -0x38 .text:0000FB74 var_30 = -0x30 .text:0000FB74 .text:0000FB74 PUSH.W {R4-R10,LR} .text:0000FB78 ADD.W R7, R0, #0x10 .text:0000FB7C SUB SP, SP, #0x30 .text:0000FB7E MOV R9, R1 .text:0000FB80 MOVS R2, #0x10 ; int .text:0000FB82 MOV R4, R0 .text:0000FB84 MOVS R1, #0 ; bool * .text:0000FB86 MOV R0, R7 ; this .text:0000FB88 BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int) .text:0000FB8C ADD R5, SP, #0x50+var_44 .text:0000FB8E MOVS R6, #0xA .text:0000FB90 STR R6, [SP,#0x50+var_50] ; int .text:0000FB92 MOV R8, R6 .text:0000FB94 MOV R2, R0 ; __int64 .text:0000FB96 MOV R3, R1 .text:0000FB98 MOV R0, R5 ; this .text:0000FB9A BLX _ZN7QString6numberExi ; QString::number(long long,int) .text:0000FB9E MOV R0, R9 ; this .text:0000FBA0 MOVS R1, #0 ; bool * .text:0000FBA2 MOVS R2, #0x10 ; int .text:0000FBA4 BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int) .text:0000FBA8 ADD R6, SP, #0x50+var_40 .text:0000FBAA MOV R2, R0 ; __int64 .text:0000FBAC MOV R3, R1 .text:0000FBAE STR.W R8, [SP,#0x50+var_50] ; int .text:0000FBB2 MOV R0, R6 ; this .text:0000FBB4 BLX _ZN7QString6numberExi ; QString::number(long long,int) .text:0000FBB8 LDR R0, [R4,#0xC] ; this .text:0000FBBA BLX _ZN6QTimer4stopEv ; QTimer::stop(void) .text:0000FBBE LDR R0, [R4,#0xC] .text:0000FBC0 CBZ R0, loc_FBC8 .text:0000FBC2 LDR R3, [R0] .text:0000FBC4 LDR R3, [R3,#0x10] .text:0000FBC6 BLX R3 .text:0000FBC8 .text:0000FBC8 loc_FBC8 ; CODE XREF: KeyClass::_verifyKey(QString)+4Cj .text:0000FBC8 MOV R0, R5 ; this .text:0000FBCA MOVS R1, #0 ; bool * .text:0000FBCC MOVS R2, #0xA ; int .text:0000FBCE BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int)
.text:0000FBD2 LDR R3, =(_ZN9keyThread8_divisorE_ptr - 0xFBE0) .text:0000FBD4 ADDS.W R0, R0, #0xFFFFFFFF .text:0000FBD8 ADC.W R1, R1, #0xFFFFFFFF .text:0000FBDC ADD R3, PC ; _ZN9keyThread8_divisorE_ptr .text:0000FBDE LDR R3, [R3] ; "0x7e1" .text:0000FBE0 LDRD.W R2, R3, [R3] .text:0000FBE4 BLX __aeabi_uldivmod .text:0000FBE8 ORRS R3, R2 .text:0000FBEA BNE loc_FCB2 关键跳 .text:0000FBEC LDR R3, [SP,#0x50+var_44] .text:0000FBEE LDR R3, [R3,#4] .text:0000FBF0 SUB.W R8, R3, #2 .text:0000FBF4 .text:0000FBF4 loc_FBF4 ; CODE XREF: KeyClass::_verifyKey(QString)+94j .text:0000FBF4 CMP.W R8, #0 .text:0000FBF8 MOV R0, R5 ; this .text:0000FBFA BLE loc_FC0A .text:0000FBFC MOV R1, R8 ; int .text:0000FBFE MOVS R2, #1 ; int .text:0000FC00 BLX _ZN7QString6removeEii ; QString::remove(int,int) .text:0000FC04 SUB.W R8, R8, #3 .text:0000FC08 B loc_FBF4 .text:0000FC0A ; --------------------------------------------------------------------------- .text:0000FC0A .text:0000FC0A loc_FC0A ; CODE XREF: KeyClass::_verifyKey(QString)+86j .text:0000FC0A MOVS R1, #0 ; bool * .text:0000FC0C MOVS R2, #0xA ; int .text:0000FC0E BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int) .text:0000FC12 LDR R3, [SP,#0x50+var_40] .text:0000FC14 MOV R8, R0 .text:0000FC16 MOV R9, R1 .text:0000FC18 LDR R3, [R3,#4] .text:0000FC1A SUB.W R10, R3, #2 .text:0000FC1E .text:0000FC1E loc_FC1E ; CODE XREF: KeyClass::_verifyKey(QString)+BEj .text:0000FC1E CMP.W R10, #0 .text:0000FC22 MOV R0, R6 ; this .text:0000FC24 BLE loc_FC34 .text:0000FC26 MOV R1, R10 ; int .text:0000FC28 MOVS R2, #1 ; int .text:0000FC2A BLX _ZN7QString6removeEii ; QString::remove(int,int) .text:0000FC2E SUB.W R10, R10, #3 .text:0000FC32 B loc_FC1E .text:0000FC34 ; --------------------------------------------------------------------------- .text:0000FC34 .text:0000FC34 loc_FC34 ; CODE XREF: KeyClass::_verifyKey(QString)+B0j .text:0000FC34 MOVS R1, #0 ; bool * .text:0000FC36 MOVS R2, #0xA ; int .text:0000FC38 BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int) .text:0000FC3C SUBS.W R2, R8, R0 标志? .text:0000FC40 SBC.W R3, R9, R1 标志? text:0000FC44 CMP R2, #0 text:0000FC46 SBCS.W R1, R3, #0 R2是负值。 .text:0000FC4A BGE loc_FC52 现在的注册机就nop它就注册成功。 .text:0000FC4C NEGS R2, R2 .text:0000FC4E SBC.W R3, R3, R3,LSL#1 .text:0000FC52 .text:0000FC52 loc_FC52 ; CODE XREF: KeyClass::_verifyKey(QString)+D6j .text:0000FC52 LDR R0, =a9wzxj0eunoyw5n ; "9wZXJ0eUNoYW5nZXMgewogICAgICAgICAgICAgI"... 关键跳,不知道为什么就,条件成立。标志位问题。想爆破nop。 .text:0000FC54 MOVS R1, #0 .text:0000FC56 CMP R0, R2 .text:0000FC58 SBCS.W R3, R1, R3 .text:0000FC5C BLT loc_FCB2 .text:0000FC5E ADD.W R8, SP, #0x50+var_38 .text:0000FC62 MOVS R1, #0 ; QObject * .text:0000FC64 MOV R0, R8 ; this .text:0000FC66 BLX _ZN9QSettingsC1EP7QObject ; QSettings::QSettings(QObject *) .text:0000FC6A ADD.W R9, SP, #0x50+var_3C .text:0000FC6E LDR R1, =(aKeyUserkey - 0xFC76) .text:0000FC70 MOV R0, R9 .text:0000FC72 ADD R1, PC ; "key/userkey" .text:0000FC74 BL _ZN7QStringC2EPKc ; QString::QString(char const*) .text:0000FC78 ADD.W R10, SP, #0x50+var_30 .text:0000FC7C MOV R1, R7 .text:0000FC7E MOV R0, R10 .text:0000FC80 BLX _ZN8QVariantC1ERK7QString ; QVariant::QVariant(QString const&) .text:0000FC84 MOV R0, R8 ; this .text:0000FC86 MOV R1, R9 ; QString * .text:0000FC88 MOV R2, R10 ; QVariant * .text:0000FC8A BLX _ZN9QSettings8setValueERK7QStringRK8QVariant ; QSettings::setValue(QString const&,QVariant const&) .text:0000FC8E MOV R0, R10 ; this .text:0000FC90 BLX _ZN8QVariantD1Ev ; QVariant::~QVariant() .text:0000FC94 MOV R0, R9 ; this .text:0000FC96 BL _ZN7QStringD2Ev ; QString::~QString() .text:0000FC9A MOV R0, R4 ; this .text:0000FC9C BL _ZN8KeyClass13createKeyFileEv ; KeyClass::createKeyFile(void) .text:0000FCA0 MOV R0, R4 ; this .text:0000FCA2 BL _ZN8KeyClass11isRegisterdEv ; KeyClass::isRegisterd(void) .text:0000FCA6 CBNZ R0, loc_FCF4 关键跳,不用管 .text:0000FCA8 MOV R0, R4 ; this .text:0000FCAA BL _ZN8KeyClass13_secondVerifyEv ; KeyClass::_secondVerify(void) .text:0000FCAE CBNZ R0, loc_FCF4 同上 .text:0000FCB0 B loc_FD02 .text:0000FCB2 ; --------------------------------------------------------------------------- .text:0000FCB2 .text:0000FCB2 loc_FCB2 ; CODE XREF: KeyClass::_verifyKey(QString)+76j .text:0000FCB2 ; KeyClass::_verifyKey(QString)+E8j .text:0000FCB2 MOV R0, R4 ; this .text:0000FCB4 BL _ZN8KeyClass10verifyFailEv ; KeyClass::verifyFail(void) .text:0000FCB8 .text:0000FCB8 loc_FCB8 ; CODE XREF: KeyClass::_verifyKey(QString)+18Cj .text:0000FCB8 MOV R0, R6 ; this .text:0000FCBA BL _ZN7QStringD2Ev ; QString::~QString() .text:0000FCBE MOV R0, R5 ; this .text:0000FCC0 BL _ZN7QStringD2Ev ; QString::~QString() .text:0000FCC4 ADD SP, SP, #0x30 .text:0000FCC6 POP.W {R4-R10,PC} .text:0000FCCA ; --------------------------------------------------------------------------- .text:0000FCCA MOV R0, R10 ; this .text:0000FCCC BLX _ZN8QVariantD1Ev ; QVariant::~QVariant() .text:0000FCD0 B loc_FCD2 .text:0000FCD2 ; --------------------------------------------------------------------------- .text:0000FCD2 .text:0000FCD2 loc_FCD2 ; CODE XREF: KeyClass::_verifyKey(QString)+15Cj .text:0000FCD2 MOV R0, R9 ; this .text:0000FCD4 BL _ZN7QStringD2Ev ; QString::~QString() .text:0000FCD8 B loc_FCDA .text:0000FCDA ; --------------------------------------------------------------------------- .text:0000FCDA .text:0000FCDA loc_FCDA ; CODE XREF: KeyClass::_verifyKey(QString)+164j .text:0000FCDA MOV R0, R8 ; this .text:0000FCDC BLX _ZN9QSettingsD1Ev ; QSettings::~QSettings() .text:0000FCE0 B loc_FCE2 .text:0000FCE2 ; --------------------------------------------------------------------------- .text:0000FCE2 .text:0000FCE2 loc_FCE2 ; CODE XREF: KeyClass::_verifyKey(QString)+16Cj .text:0000FCE2 MOV R0, R6 ; this .text:0000FCE4 BL _ZN7QStringD2Ev ; QString::~QString() .text:0000FCE8 B loc_FCEA .text:0000FCEA ; --------------------------------------------------------------------------- .text:0000FCEA .text:0000FCEA loc_FCEA ; CODE XREF: KeyClass::_verifyKey(QString)+174j .text:0000FCEA MOV R0, R5 ; this .text:0000FCEC BL _ZN7QStringD2Ev ; QString::~QString() .text:0000FCF0 BLX __cxa_end_cleanup .text:0000FCF4 ; --------------------------------------------------------------------------- .text:0000FCF4 .text:0000FCF4 loc_FCF4 ; CODE XREF: KeyClass::_verifyKey(QString)+132j .text:0000FCF4 ; KeyClass::_verifyKey(QString)+13Aj .text:0000FCF4 MOV R0, R4 ; this .text:0000FCF6 BL _ZN8KeyClass13verifySuccessEv ; KeyClass::verifySuccess(void) .text:0000FCFA .text:0000FCFA loc_FCFA ; CODE XREF: KeyClass::_verifyKey(QString)+194j .text:0000FCFA MOV R0, R8 ; this .text:0000FCFC BLX _ZN9QSettingsD1Ev ; QSettings::~QSettings() .text:0000FD00 B loc_FCB8 .text:0000FD02 ; --------------------------------------------------------------------------- .text:0000FD02 .text:0000FD02 loc_FD02 ; CODE XREF: KeyClass::_verifyKey(QString)+13Cj .text:0000FD02 MOV R0, R4 ; this .text:0000FD04 BL _ZN8KeyClass11registerBugEv ; KeyClass::registerBug(void) .text:0000FD08 B loc_FCFA .text:0000FD08 ; End of function KeyClass::_verifyKey(QString)
py注册机源码:
l=100000001910 h=999999999999 i=0 g=0 j=0 def hh(l): le=len(l) ii=0 st=l[0] while ii<le: if i%3!=0: st+=l[ii] ii+=1 return int(st) while l<=h: i=int(str(l),16) j=(hh(str(i))- 0xd0)&0x80000000 条件不起作用。标志位怎么限制。 if i%0x7e1==0 and j!=0: print hex(i+1) l+=1 g+=1 j=0 if g>10000: break
就这些了。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
看原图
赞赏
雪币:
留言: