-
-
[求助]逆向qt apktool 工具的一些问题。
-
发表于: 2017-9-10 12:09 2901
-
本算法需要用户输入的大于12位。
.text:0000FB74 ; KeyClass::_verifyKey(QString)
.text:0000FB74 EXPORT _ZN8KeyClass10_verifyKeyE7QString
.text:0000FB74 _ZN8KeyClass10_verifyKeyE7QString ; CODE XREF: sub_12040+48p
.text:0000FB74
.text:0000FB74 var_50 = -0x50
.text:0000FB74 var_44 = -0x44
.text:0000FB74 var_40 = -0x40
.text:0000FB74 var_3C = -0x3C
.text:0000FB74 var_38 = -0x38
.text:0000FB74 var_30 = -0x30
.text:0000FB74
.text:0000FB74 PUSH.W {R4-R10,LR}
.text:0000FB78 ADD.W R7, R0, #0x10
.text:0000FB7C SUB SP, SP, #0x30
.text:0000FB7E MOV R9, R1
.text:0000FB80 MOVS R2, #0x10 ; int
.text:0000FB82 MOV R4, R0
.text:0000FB84 MOVS R1, #0 ; bool *
.text:0000FB86 MOV R0, R7 ; this
.text:0000FB88 BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int)
.text:0000FB8C ADD R5, SP, #0x50+var_44
.text:0000FB8E MOVS R6, #0xA
.text:0000FB90 STR R6, [SP,#0x50+var_50] ; int
.text:0000FB92 MOV R8, R6
.text:0000FB94 MOV R2, R0 ; __int64
.text:0000FB96 MOV R3, R1
.text:0000FB98 MOV R0, R5 ; this
.text:0000FB9A BLX _ZN7QString6numberExi ; QString::number(long long,int)
.text:0000FB9E MOV R0, R9 ; this
.text:0000FBA0 MOVS R1, #0 ; bool *
.text:0000FBA2 MOVS R2, #0x10 ; int
.text:0000FBA4 BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int)
.text:0000FBA8 ADD R6, SP, #0x50+var_40
.text:0000FBAA MOV R2, R0 ; __int64
.text:0000FBAC MOV R3, R1
.text:0000FBAE STR.W R8, [SP,#0x50+var_50] ; int
.text:0000FBB2 MOV R0, R6 ; this
.text:0000FBB4 BLX _ZN7QString6numberExi ; QString::number(long long,int)
.text:0000FBB8 LDR R0, [R4,#0xC] ; this
.text:0000FBBA BLX _ZN6QTimer4stopEv ; QTimer::stop(void)
.text:0000FBBE LDR R0, [R4,#0xC]
.text:0000FBC0 CBZ R0, loc_FBC8
.text:0000FBC2 LDR R3, [R0]
.text:0000FBC4 LDR R3, [R3,#0x10]
.text:0000FBC6 BLX R3
.text:0000FBC8
.text:0000FBC8 loc_FBC8 ; CODE XREF: KeyClass::_verifyKey(QString)+4Cj
.text:0000FBC8 MOV R0, R5 ; this
.text:0000FBCA MOVS R1, #0 ; bool *
.text:0000FBCC MOVS R2, #0xA ; int
.text:0000FBCE BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int)
.text:0000FBD2 LDR R3, =(_ZN9keyThread8_divisorE_ptr - 0xFBE0)
.text:0000FBD4 ADDS.W R0, R0, #0xFFFFFFFF
.text:0000FBD8 ADC.W R1, R1, #0xFFFFFFFF
.text:0000FBDC ADD R3, PC ; _ZN9keyThread8_divisorE_ptr
.text:0000FBDE LDR R3, [R3] ; "0x7e1"
.text:0000FBE0 LDRD.W R2, R3, [R3]
.text:0000FBE4 BLX __aeabi_uldivmod
.text:0000FBE8 ORRS R3, R2
.text:0000FBEA BNE loc_FCB2 关键跳
.text:0000FBEC LDR R3, [SP,#0x50+var_44]
.text:0000FBEE LDR R3, [R3,#4]
.text:0000FBF0 SUB.W R8, R3, #2
.text:0000FBF4
.text:0000FBF4 loc_FBF4 ; CODE XREF: KeyClass::_verifyKey(QString)+94j
.text:0000FBF4 CMP.W R8, #0
.text:0000FBF8 MOV R0, R5 ; this
.text:0000FBFA BLE loc_FC0A
.text:0000FBFC MOV R1, R8 ; int
.text:0000FBFE MOVS R2, #1 ; int
.text:0000FC00 BLX _ZN7QString6removeEii ; QString::remove(int,int)
.text:0000FC04 SUB.W R8, R8, #3
.text:0000FC08 B loc_FBF4
.text:0000FC0A ; ---------------------------------------------------------------------------
.text:0000FC0A
.text:0000FC0A loc_FC0A ; CODE XREF: KeyClass::_verifyKey(QString)+86j
.text:0000FC0A MOVS R1, #0 ; bool *
.text:0000FC0C MOVS R2, #0xA ; int
.text:0000FC0E BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int)
.text:0000FC12 LDR R3, [SP,#0x50+var_40]
.text:0000FC14 MOV R8, R0
.text:0000FC16 MOV R9, R1
.text:0000FC18 LDR R3, [R3,#4]
.text:0000FC1A SUB.W R10, R3, #2
.text:0000FC1E
.text:0000FC1E loc_FC1E ; CODE XREF: KeyClass::_verifyKey(QString)+BEj
.text:0000FC1E CMP.W R10, #0
.text:0000FC22 MOV R0, R6 ; this
.text:0000FC24 BLE loc_FC34
.text:0000FC26 MOV R1, R10 ; int
.text:0000FC28 MOVS R2, #1 ; int
.text:0000FC2A BLX _ZN7QString6removeEii ; QString::remove(int,int)
.text:0000FC2E SUB.W R10, R10, #3
.text:0000FC32 B loc_FC1E
.text:0000FC34 ; ---------------------------------------------------------------------------
.text:0000FC34
.text:0000FC34 loc_FC34 ; CODE XREF: KeyClass::_verifyKey(QString)+B0j
.text:0000FC34 MOVS R1, #0 ; bool *
.text:0000FC36 MOVS R2, #0xA ; int
.text:0000FC38 BLX _ZNK7QString10toLongLongEPbi ; QString::toLongLong(bool *,int)
.text:0000FC3C SUBS.W R2, R8, R0 标志?
.text:0000FC40 SBC.W R3, R9, R1 标志?
text:0000FC44 CMP R2, #0
text:0000FC46 SBCS.W R1, R3, #0 R2是负值。
.text:0000FC4A BGE loc_FC52 现在的注册机就nop它就注册成功。
.text:0000FC4C NEGS R2, R2
.text:0000FC4E SBC.W R3, R3, R3,LSL#1
.text:0000FC52
.text:0000FC52 loc_FC52 ; CODE XREF: KeyClass::_verifyKey(QString)+D6j
.text:0000FC52 LDR R0, =a9wzxj0eunoyw5n ; "9wZXJ0eUNoYW5nZXMgewogICAgICAgICAgICAgI"... 关键跳,不知道为什么就,条件成立。标志位问题。想爆破nop。
.text:0000FC54 MOVS R1, #0
.text:0000FC56 CMP R0, R2
.text:0000FC58 SBCS.W R3, R1, R3
.text:0000FC5C BLT loc_FCB2
.text:0000FC5E ADD.W R8, SP, #0x50+var_38
.text:0000FC62 MOVS R1, #0 ; QObject *
.text:0000FC64 MOV R0, R8 ; this
.text:0000FC66 BLX _ZN9QSettingsC1EP7QObject ; QSettings::QSettings(QObject *)
.text:0000FC6A ADD.W R9, SP, #0x50+var_3C
.text:0000FC6E LDR R1, =(aKeyUserkey - 0xFC76)
.text:0000FC70 MOV R0, R9
.text:0000FC72 ADD R1, PC ; "key/userkey"
.text:0000FC74 BL _ZN7QStringC2EPKc ; QString::QString(char const*)
.text:0000FC78 ADD.W R10, SP, #0x50+var_30
.text:0000FC7C MOV R1, R7
.text:0000FC7E MOV R0, R10
.text:0000FC80 BLX _ZN8QVariantC1ERK7QString ; QVariant::QVariant(QString const&)
.text:0000FC84 MOV R0, R8 ; this
.text:0000FC86 MOV R1, R9 ; QString *
.text:0000FC88 MOV R2, R10 ; QVariant *
.text:0000FC8A BLX _ZN9QSettings8setValueERK7QStringRK8QVariant ; QSettings::setValue(QString const&,QVariant const&)
.text:0000FC8E MOV R0, R10 ; this
.text:0000FC90 BLX _ZN8QVariantD1Ev ; QVariant::~QVariant()
.text:0000FC94 MOV R0, R9 ; this
.text:0000FC96 BL _ZN7QStringD2Ev ; QString::~QString()
.text:0000FC9A MOV R0, R4 ; this
.text:0000FC9C BL _ZN8KeyClass13createKeyFileEv ; KeyClass::createKeyFile(void)
.text:0000FCA0 MOV R0, R4 ; this
.text:0000FCA2 BL _ZN8KeyClass11isRegisterdEv ; KeyClass::isRegisterd(void)
.text:0000FCA6 CBNZ R0, loc_FCF4 关键跳,不用管
.text:0000FCA8 MOV R0, R4 ; this
.text:0000FCAA BL _ZN8KeyClass13_secondVerifyEv ; KeyClass::_secondVerify(void)
.text:0000FCAE CBNZ R0, loc_FCF4 同上
.text:0000FCB0 B loc_FD02
.text:0000FCB2 ; ---------------------------------------------------------------------------
.text:0000FCB2
.text:0000FCB2 loc_FCB2 ; CODE XREF: KeyClass::_verifyKey(QString)+76j
.text:0000FCB2 ; KeyClass::_verifyKey(QString)+E8j
.text:0000FCB2 MOV R0, R4 ; this
.text:0000FCB4 BL _ZN8KeyClass10verifyFailEv ; KeyClass::verifyFail(void)
.text:0000FCB8
.text:0000FCB8 loc_FCB8 ; CODE XREF: KeyClass::_verifyKey(QString)+18Cj
.text:0000FCB8 MOV R0, R6 ; this
.text:0000FCBA BL _ZN7QStringD2Ev ; QString::~QString()
.text:0000FCBE MOV R0, R5 ; this
.text:0000FCC0 BL _ZN7QStringD2Ev ; QString::~QString()
.text:0000FCC4 ADD SP, SP, #0x30
.text:0000FCC6 POP.W {R4-R10,PC}
.text:0000FCCA ; ---------------------------------------------------------------------------
.text:0000FCCA MOV R0, R10 ; this
.text:0000FCCC BLX _ZN8QVariantD1Ev ; QVariant::~QVariant()
.text:0000FCD0 B loc_FCD2
.text:0000FCD2 ; ---------------------------------------------------------------------------
.text:0000FCD2
.text:0000FCD2 loc_FCD2 ; CODE XREF: KeyClass::_verifyKey(QString)+15Cj
.text:0000FCD2 MOV R0, R9 ; this
.text:0000FCD4 BL _ZN7QStringD2Ev ; QString::~QString()
.text:0000FCD8 B loc_FCDA
.text:0000FCDA ; ---------------------------------------------------------------------------
.text:0000FCDA
.text:0000FCDA loc_FCDA ; CODE XREF: KeyClass::_verifyKey(QString)+164j
.text:0000FCDA MOV R0, R8 ; this
.text:0000FCDC BLX _ZN9QSettingsD1Ev ; QSettings::~QSettings()
.text:0000FCE0 B loc_FCE2
.text:0000FCE2 ; ---------------------------------------------------------------------------
.text:0000FCE2
.text:0000FCE2 loc_FCE2 ; CODE XREF: KeyClass::_verifyKey(QString)+16Cj
.text:0000FCE2 MOV R0, R6 ; this
.text:0000FCE4 BL _ZN7QStringD2Ev ; QString::~QString()
.text:0000FCE8 B loc_FCEA
.text:0000FCEA ; ---------------------------------------------------------------------------
.text:0000FCEA
.text:0000FCEA loc_FCEA ; CODE XREF: KeyClass::_verifyKey(QString)+174j
.text:0000FCEA MOV R0, R5 ; this
.text:0000FCEC BL _ZN7QStringD2Ev ; QString::~QString()
.text:0000FCF0 BLX __cxa_end_cleanup
.text:0000FCF4 ; ---------------------------------------------------------------------------
.text:0000FCF4
.text:0000FCF4 loc_FCF4 ; CODE XREF: KeyClass::_verifyKey(QString)+132j
.text:0000FCF4 ; KeyClass::_verifyKey(QString)+13Aj
.text:0000FCF4 MOV R0, R4 ; this
.text:0000FCF6 BL _ZN8KeyClass13verifySuccessEv ; KeyClass::verifySuccess(void)
.text:0000FCFA
.text:0000FCFA loc_FCFA ; CODE XREF: KeyClass::_verifyKey(QString)+194j
.text:0000FCFA MOV R0, R8 ; this
.text:0000FCFC BLX _ZN9QSettingsD1Ev ; QSettings::~QSettings()
.text:0000FD00 B loc_FCB8
.text:0000FD02 ; ---------------------------------------------------------------------------
.text:0000FD02
.text:0000FD02 loc_FD02 ; CODE XREF: KeyClass::_verifyKey(QString)+13Cj
.text:0000FD02 MOV R0, R4 ; this
.text:0000FD04 BL _ZN8KeyClass11registerBugEv ; KeyClass::registerBug(void)
.text:0000FD08 B loc_FCFA
.text:0000FD08 ; End of function KeyClass::_verifyKey(QString)
py注册机源码:
l=100000001910
h=999999999999
i=0
g=0
j=0
def hh(l):
le=len(l)
ii=0
st=l[0]
while ii<le:
if i%3!=0:
st+=l[ii]
ii+=1
return int(st)
while l<=h:
i=int(str(l),16)
j=(hh(str(i))- 0xd0)&0x80000000 条件不起作用。标志位怎么限制。
if i%0x7e1==0 and j!=0:
print hex(i+1)
l+=1
g+=1
j=0
if g>10000:
break
就这些了。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
|
|
|---|---|
|
|
他的文章
赞赏
雪币:
留言:
