主体逻辑如下:
由于提供了一组可用的账号密码:
因此通过调试,先得到encode(v6, 8) == 0x13B88C77)中的v6为0x52a1ed5a,即v2 ^ num_serial。
由于已知用户名为KCTF,因此动调v2 = encode(name, name_length)得到v2为0x5EE54F4C。
从而得到num_serial为0x5EE54F4C^0x52a1ed5a=205824534。
int __cdecl sub_951340(HWND hDlg)
{
int name_length; // ebx
int v2; // ebx
int num_serial; // eax
signed int serial_length; // [esp+Ch] [ebp-260h]
char v6[200]; // [esp+10h] [ebp-25Ch] BYREF
CHAR name[200]; // [esp+D8h] [ebp-194h] BYREF
CHAR serial[200]; // [esp+1A0h] [ebp-CCh] BYREF
memset(name, 0, sizeof(name));
memset(v6, 0, sizeof(v6));
memset(serial, 0, sizeof(serial));
name_length = GetDlgItemTextA(hDlg, 1000, name, 201);
if ( name_length
&& (serial_length = GetDlgItemTextA(hDlg, 1001, serial, 201),
v2 = encode(name, name_length),
strspn(serial, "0123456789") == strlen(serial))
&& serial_length <= 10
&& (num_serial = sub_95307F((int)serial)) != 0
&& (unknown_libname_13(v2 ^ num_serial, (int)v6, 16), encode(v6, 8) == 0x13B88C77) )
{
SetDlgItemTextA(hDlg, 1001, "Success!");
return 1;
}
else
{
SetDlgItemTextA(hDlg, 1001, "Wrong Serial!");
return 0;
}
}
int __cdecl sub_951340(HWND hDlg)
{
int name_length; // ebx
int v2; // ebx
int num_serial; // eax
signed int serial_length; // [esp+Ch] [ebp-260h]
char v6[200]; // [esp+10h] [ebp-25Ch] BYREF
CHAR name[200]; // [esp+D8h] [ebp-194h] BYREF
CHAR serial[200]; // [esp+1A0h] [ebp-CCh] BYREF
memset(name, 0, sizeof(name));
memset(v6, 0, sizeof(v6));
memset(serial, 0, sizeof(serial));
name_length = GetDlgItemTextA(hDlg, 1000, name, 201);
if ( name_length
&& (serial_length = GetDlgItemTextA(hDlg, 1001, serial, 201),
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
