【文章标题】: 一个手机游戏追码
【文章作者】: wangdell
【软件名称】: ChessGenius.exe
【下载地址】: 自己搜索下载
【使用工具】: IDA WM5 emulator
【操作平台】: wm
【软件介绍】: 国际象棋
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1、准备
1.1IDA 打开Texttwister.exe。静态分析。
1.2开Activesync。文件=>连接设置 中 选择DMA。
1.3开启WM6SDK带的设仿真器管理器,选Pocket pc 20003 SE仿真程序,右键“连接”。
1.4选Pocket pc 20003 SE仿真程序,右键“插入底座”。等待activysync和仿真器连接和同步。
1.5真机中试运行后,会马上提示输入用户名和密码提示注册,注册不成功会有失败信息对话框。
2、分析
2.1寻找关键代码:通过IDA的imports寻找MessageBoxW,DialogBoxIndirectParamW等函数的引用处,
并结合在string中搜索错误信息,可找到注册对话框的处理函数如下:
.text:000169C4 LDR R0, [R4,#0x144] ; hModule
.text:000169C8 MOV R2, #5 ; lpType
.text:000169CC MOV R1, #0x71 ; lpName
.text:000169D0 BL FindResourceW
.text:000169D4 MOV R1, R0 ; hResInfo
.text:000169D8 LDR R0, [R4,#0x144] ; hModule
.text:000169DC BL LoadResource
.text:000169E0 LDR R3, =dlgproc1 ; lpDialogFunc
.text:000169E4 MOV R1, R0 ; hDialogTemplate
.text:000169E8 LDR R2, [R4,#0x14C] ; hWndParent
.text:000169EC LDR R0, [R4,#0x144] ; hInstance
.text:000169F0 STR R6, [SP,#0x24+dwInitParam]
.text:000169F4 BL DialogBoxIndirectParamW
2.2 跟踪调试
进入.text:00014134 位置的dlgproc1。
.text:00014134 dlgproc1 ; DATA XREF: sub_168F0:off_16BA0o
.text:00014134
.text:00014134 String = -0x100
.text:00014134
.text:00014134 STMFD SP!, {R4-R6,LR}
.text:00014138 SUB SP, SP, #0xF0
.text:0001413C MOV R5, R0
.text:00014140 MOV R6, #1
.text:00014144 CMP R1, #5
.text:00014148 BEQ loc_1435C
.text:0001414C CMP R1, #0x14
.text:00014150 BEQ loc_14328
.text:00014154 CMP R1, #0x53
.text:00014158 BEQ loc_14318
.text:0001415C MOV R3, #WM_INITDIALOG
.text:00014160 CMP R1, R3
.text:00014164 BEQ loc_142D0
.text:00014168 MOVL R3, WM_COMMAND
.text:00014170 CMP R1, R3
.text:00014174 BNE loc_1436C
.text:00014178 MOV R3, R2,LSL#16
.text:0001417C LDR R4, =unk_336D8
.text:00014180 MOV R6, R3,LSR#16
.text:00014184 CMP R6, #1
.text:00014188 BEQ loc_141FC
.text:0001418C CMP R6, #0xE6
.text:00014190 BEQ loc_141E4
.text:00014194 CMP R6, #0xE7
.text:00014198 BEQ loc_141C4
.text:0001419C CMP R6, #0xED
.text:000141A0 BEQ loc_141C4
.text:000141A4 CMP R6, #0xF7
.text:000141A8 BNE loc_1436C
.text:000141AC
.text:000141AC loc_141AC ; CODE XREF: dlgproc1+ECj
.text:000141AC ; dlgproc1+16Cj
.text:000141AC MOV R1, R6
.text:000141B0 MOV R0, R5
.text:000141B4 BL sub_11810
.text:000141B8 MOV R0, #1
.text:000141BC B loc_1444C
.text:000141BC ; ---------------------------------------------------------------------------
.text:000141C0 off_141C0 DCD unk_336D8 ; DATA XREF: dlgproc1+48r
.text:000141C0 ; dlgproc1:loc_142D0r ...
.text:000141C4 ; ---------------------------------------------------------------------------
.text:000141C4
.text:000141C4 loc_141C4 ; CODE XREF: dlgproc1+64j
.text:000141C4 ; dlgproc1+6Cj
.text:000141C4 MOV R3, R2,LSR#16
.text:000141C8 MOV R2, #0x100
.text:000141CC CMP R3, R2
.text:000141D0 BNE loc_1436C
.text:000141D4 MOV R1, #0 ; st
.text:000141D8 MOV R0, R5 ; hwnd
.text:000141DC BL SHSipPreference
.text:000141E0 B loc_1436C
.text:000141E4 ; ---------------------------------------------------------------------------
.text:000141E4
.text:000141E4 loc_141E4 ; CODE XREF: dlgproc1+5Cj
.text:000141E4 MOV R3, #0xA ; nMaxCount
.text:000141E8 ADD R2, SP, #0x100+String ; lpString
.text:000141EC MOV R1, #0xE7 ; nIDDlgItem
.text:000141F0 MOV R0, R5 ; hDlg
.text:000141F4 BL GetDlgItemTextW
.text:000141F8 B loc_14224
.text:000141FC ; ---------------------------------------------------------------------------
.text:000141FC
.text:000141FC loc_141FC ; CODE XREF: dlgproc1+54j
.text:000141FC MOV R3, #0xA ; nMaxCount
.text:00014200 ADD R2, SP, #0x100+String ; lpString
.text:00014204 MOV R1, #0xE7 ; nIDDlgItem
.text:00014208 MOV R0, R5 ; hDlg
.text:0001420C BL GetDlgItemTextW
.text:00014210 ADD R0, SP, #0x100+String ; wchar_t *
.text:00014214 BL _wtol
.text:00014218 LDR R1, [R4,#0x58]
.text:0001421C CMP R1, R0
.text:00014220 BEQ loc_141AC
.text:00014224
.text:00014224 loc_14224 ; CODE XREF: dlgproc1+C4j
.text:00014224 ADD R0, SP, #0x100+String ; wchar_t *
.text:00014228 BL _wtol
.text:0001422C MOV R3, #0x32 ; nMaxCount
.text:00014230 STR R0, [R4,#0x58]
.text:00014234 ADD R2, SP, #0x100+String ; lpString
.text:00014238 STR R0, [R4,#0x158]
.text:0001423C MOV R1, #0xED ; nIDDlgItem
.text:00014240 MOV R0, R5 ; hDlg
.text:00014244 BL GetDlgItemTextW
.text:00014248 MOV R2, #0x32 ; count
.text:0001424C ADD R1, SP, #0x100+String ; wcstr
.text:00014250 ADD R0, R4, #0x15C ; mbstr
.text:00014254 BL wcstombs
.text:00014258 MOV R0, #3
.text:0001425C BL sub_17894
.text:00014260 LDR R0, [R4,#0x158]
.text:00014264 CMP R0, #0
.text:00014268 BEQ loc_142A4
.text:0001426C MOV R12, #0x15C
.text:00014270 LDRSB R0, [R4,R12]
.text:00014274 MOV R3, R0,LSL#24
.text:00014278 MOVS R3, R3,ASR#24
.text:0001427C BEQ loc_142A4
.text:00014280 MOV R2, #0
.text:00014284 ADD R1, R4, #0x158 ; code_val
.text:00014288 ADD R0, R4, #0x15C ; *name
.text:0001428C BL codecheck
.text:00014290 MOVS R3, R0 ; true/false=1/0
.text:00014294 BEQ loc_142A4
.text:00014298 MOV R0, #1
.text:0001429C BL sub_17894
.text:000142A0 B loc_141AC
.text:000142A4 ; ---------------------------------------------------------------------------
.text:000142A4
.text:000142A4 loc_142A4 ; CODE XREF: dlgproc1+134j
.text:000142A4 ; dlgproc1+148j ...
.text:000142A4 MOV R1, #1 ; st
.text:000142A8 MOV R0, R5 ; hwnd
.text:000142AC BL SHSipPreference
.text:000142B0 LDR R2, =aLicenseKeyNotV ; lpCaption
.text:000142B4 MOV R3, #0x30 ; uType
.text:000142B8 LDR R1, =aIfYouHaveRegis ; lpText
.text:000142BC MOV R0, R5 ; hWnd
.text:000142C0 BL MessageBoxW
.text:000142C4 B loc_1436C
.text:000142C4 ; ---------------------------------------------------------------------------
.text:000142C8 ; LPCWSTR off_142C8
.text:000142C8 off_142C8 DCD aIfYouHaveRegis ; DATA XREF: dlgproc1+184r
.text:000142C8 ; "If you have registered please check tha"...
.text:000142CC ; LPCWSTR off_142CC
.text:000142CC off_142CC DCD aLicenseKeyNotV ; DATA XREF: dlgproc1+17Cr
.text:000142CC ; "License Key not valid"
.text:000142D0 ; ---------------------------------------------------------------------------
.text:000142D0
.text:000142D0 loc_142D0 ; CODE XREF: dlgproc1+30j
.text:000142D0 LDR R4, =unk_336D8
.text:000142D4 MOV R0, #0
.text:000142D8 MOV R1, #0
.text:000142DC STR R0, [R4,#0x58]
.text:000142E0 LDR R0, [R4,#0x158]
.text:000142E4 CMP R0, #0
.text:000142E8 MOV R0, R5
.text:000142EC MOVEQ R1, #1
.text:000142F0 BL sub_140C4
.text:000142F4 MOV R2, #0x32 ; count
.text:000142F8 ADD R1, R4, #0x15C ; mbstr
.text:000142FC ADD R0, SP, #0x100+String ; wcstr
.text:00014300 BL mbstowcs
.text:00014304 ADD R2, SP, #0x100+String ; lpString
.text:00014308 MOV R1, #0xED ; nIDDlgItem
.text:0001430C MOV R0, R5 ; hDlg
.text:00014310 BL SetDlgItemTextW
.text:00014314 B loc_1439C
.text:00014318 ; ---------------------------------------------------------------------------
.text:00014318
.text:00014318 loc_14318 ; CODE XREF: dlgproc1+24j
.text:00014318 LDR R0, =aReg
.text:0001431C BL sub_11748
.text:00014320 B loc_1436C
.text:00014320 ; ---------------------------------------------------------------------------
.text:00014324 off_14324 DCD aReg ; DATA XREF: dlgproc1:loc_14318r
.text:00014324 ; "Reg"
.text:00014328 ; ---------------------------------------------------------------------------
.text:00014328
.text:00014328 loc_14328 ; CODE XREF: dlgproc1+1Cj
.text:00014328 LDR R0, =unk_336D8
.text:0001432C LDR R1, [R0,#0x158]
.text:00014330 CMP R1, #0
.text:00014334 BEQ loc_14350
.text:00014338 LDR R0, [R0,#0x14C] ; hwndRequester
.text:0001433C MOV R1, #8 ; dwState
.text:00014340 BL SHFullScreen
.text:00014344 MOV R1, #8 ; dwState
.text:00014348 MOV R0, R5 ; hwndRequester
.text:0001434C BL SHFullScreen
.text:00014350
.text:00014350 loc_14350 ; CODE XREF: dlgproc1+200j
.text:00014350 MOV R0, R5
.text:00014354 BL sub_117C4
.text:00014358 B loc_1436C
.text:0001435C ; ---------------------------------------------------------------------------
.text:0001435C
.text:0001435C loc_1435C ; CODE XREF: dlgproc1+14j
.text:0001435C LDR R4, =unk_336D8
.text:00014360 LDR R0, [R4,#0x158]
.text:00014364 CMP R0, #0
.text:00014368 BEQ loc_14374
.text:0001436C
.text:0001436C loc_1436C ; CODE XREF: dlgproc1+40j
.text:0001436C ; dlgproc1+74j ...
.text:0001436C MOV R0, #0
.text:00014370 B loc_1444C
.text:00014374 ; ---------------------------------------------------------------------------
.text:00014374
.text:00014374 loc_14374 ; CODE XREF: dlgproc1+234j
.text:00014374 MOV R6, #0x71
.text:00014378 BL sub_1169C
.text:0001437C MOVS R3, R0
.text:00014380 LDR R0, [R4,#0x144]
.text:00014384 MOVNE R6, #0x72
.text:00014388 MOV R3, R6,LSL#16
.text:0001438C MOV R2, R3,LSR#16
.text:00014390 MOV R1, R5
.text:00014394 BL sub_11000
.text:00014398 MOV R6, #0
.text:0001439C
.text:0001439C loc_1439C ; CODE XREF: dlgproc1+1E0j
.text:0001439C LDR R2, =aChessgeniusVer ; lpString
.text:000143A0 MOV R1, #0xEC ; nIDDlgItem
.text:000143A4 MOV R0, R5 ; hDlg
.text:000143A8 BL SetDlgItemTextW
.text:000143AC LDR R0, [R4,#0x158]
.text:000143B0 CMP R0, #0
.text:000143B4 BNE loc_14428
.text:000143B8 BL sub_1187C
.text:000143BC CMP R0, #4
.text:000143C0 BLE loc_143E0
.text:000143C4 MOV R2, R0
.text:000143C8 LDR R1, =aUnregisteredFo ; lpFormat
.text:000143CC ADD R0, SP, #0x100+String ; lpBuffer
.text:000143D0 BL wsprintfW
.text:000143D4 B loc_143EC
.text:000143D4 ; ---------------------------------------------------------------------------
.text:000143D8 ; LPCWSTR lpFormat
.text:000143D8 lpFormat DCD aUnregisteredFo ; DATA XREF: dlgproc1+294r
.text:000143D8 ; "Unregistered for %d days"
.text:000143DC ; LPCWSTR lpString
.text:000143DC lpString DCD aChessgeniusVer ; DATA XREF: dlgproc1:loc_1439Cr
.text:000143DC ; "ChessGenius Version 1.90"
.text:000143E0 ; ---------------------------------------------------------------------------
.text:000143E0
.text:000143E0 loc_143E0 ; CODE XREF: dlgproc1+28Cj
.text:000143E0 LDR R1, =aUnregistered_0 ; lpFormat
.text:000143E4 ADD R0, SP, #0x100+String ; lpBuffer
.text:000143E8 BL wsprintfW
.text:000143EC
.text:000143EC loc_143EC ; CODE XREF: dlgproc1+2A0j
.text:000143EC ADD R2, SP, #0x100+String ; lpString
.text:000143F0 MOV R1, #0xF4 ; nIDDlgItem
.text:000143F4 MOV R0, R5 ; hDlg
.text:000143F8 BL SetDlgItemTextW
.text:000143FC LDR R2, =aToUnlockTheFul ; lpString
.text:00014400 MOV R1, #0xF3 ; nIDDlgItem
.text:00014404 MOV R0, R5 ; hDlg
.text:00014408 BL SetDlgItemTextW
.text:0001440C LDR R2, =a2006
.text:00014410 LDR R1, =aCopyrightCSLan
.text:00014414 B loc_14430
.text:00014414 ; ---------------------------------------------------------------------------
.text:00014418 off_14418 DCD aCopyrightCSLan ; DATA XREF: dlgproc1+2DCr
.text:00014418 ; "Copyright (c) %S Lang Software Ltd.\nwww"...
.text:0001441C off_1441C DCD a2006 ; DATA XREF: dlgproc1+2D8r
.text:0001441C ; "2006"
.text:00014420 ; LPCWSTR off_14420
.text:00014420 off_14420 DCD aToUnlockTheFul ; DATA XREF: dlgproc1+2C8r
.text:00014420 ; "To unlock the full features register at"...
.text:00014424 ; LPCWSTR off_14424
.text:00014424 off_14424 DCD aUnregistered_0 ; DATA XREF: dlgproc1:loc_143E0r
.text:00014424 ; "Unregistered"
.text:00014428 ; ---------------------------------------------------------------------------
.text:00014428
.text:00014428 loc_14428 ; CODE XREF: dlgproc1+280j
.text:00014428 LDR R2, =a2006_0
.text:0001442C LDR R1, =aCopyrightCSL_0 ; lpFormat
.text:00014430
.text:00014430 loc_14430 ; CODE XREF: dlgproc1+2E0j
.text:00014430 ADD R0, SP, #0x100+String ; lpBuffer
.text:00014434 BL wsprintfW
.text:00014438 ADD R2, SP, #0x100+String ; lpString
.text:0001443C MOV R1, #0xF2 ; nIDDlgItem
.text:00014440 MOV R0, R5 ; hDlg
.text:00014444 BL SetDlgItemTextW
.text:00014448 MOV R0, R6
.text:0001444C
.text:0001444C loc_1444C ; CODE XREF: dlgproc1+88j
.text:0001444C ; dlgproc1+23Cj
.text:0001444C ADD SP, SP, #0xF0
.text:00014450 LDMFD SP!, {R4-R6,PC}
.text:00014450 ; End of function dlgproc1
粗略分析,可看到很多相关api函数,如GetDlgItemText,MessageBox等。
如:
.text:000142A4 loc_142A4 ; CODE XREF: dlgproc1+134j
.text:000142A4 ; dlgproc1+148j ...
.text:000142A4 MOV R1, #1 ; st
.text:000142A8 MOV R0, R5 ; hwnd
.text:000142AC BL SHSipPreference
.text:000142B0 LDR R2, =aLicenseKeyNotV ; lpCaption
.text:000142B4 MOV R3, #0x30 ; uType
.text:000142B8 LDR R1, =aIfYouHaveRegis ; lpText
.text:000142BC MOV R0, R5 ; hWnd
.text:000142C0 BL MessageBoxW
.text:000142C4 B loc_1436
这里是错误信息对话框,向上翻找code的检测代码。
可找到
.text:00014280 MOV R2, #0
.text:00014284 ADD R1, R4, #0x158 ; code_val
.text:00014288 ADD R0, R4, #0x15C ; *name
.text:0001428C BL codecheck
进入.text:00017AB8 codecheck
.text:00017ADC loc_17ADC ; CODE XREF: codecheck+90j
.text:00017ADC LDRSB R4, [R6] ; *name
.text:00017AE0 MOVS R3, R4
.text:00017AE4 BEQ loc_17B0C
.text:00017AE8 ORR R4, R4, #0x20
.text:00017AEC MOV R3, R4,LSL#24
.text:00017AF0 MOV R0, R3,ASR#24
.text:00017AF4 ADD R6, R6, #1
.text:00017AF8 CMP R0, #'a'
.text:00017AFC BLT loc_17B44
.text:00017B00 CMP R0, #'z'
.text:00017B04 BGT loc_17B44
.text:00017B08 ADD R7, R0, R7 ; r7=sum(*name)
.text:00017B0C
.text:00017B0C loc_17B0C ; CODE XREF: codecheck+2Cj
.text:00017B0C LDR R3, =__rt_udiv
.text:00017B10 ADD R1, R7, R5
.text:00017B14 MOV R0, #9
.text:00017B18 LDR R3, [R3]
.text:00017B1C MOV LR, PC
.text:00017B20 MOV PC, R3
.text:00017B24 MOVL R3, 0xE943
.text:00017B2C MOV R3, R3,ASR R1
.text:00017B30 ADD R2, SP, #0x68+nameval
.text:00017B34 MOV R3, R3,LSL#24
.text:00017B38 EOR R3, R4, R3,ASR#24
.text:00017B3C STRB R3, [R5,R2]
.text:00017B40 ADD R5, R5, #1
.text:00017B44
.text:00017B44 loc_17B44 ; CODE XREF: codecheck+44j
.text:00017B44 ; codecheck+4Cj
.text:00017B44 CMP R5, #0xF
.text:00017B48 BCC loc_17ADC ; *name
.text:00017B4C LDR R6, =unk_27880
.text:00017B50 MOV R4, R11
.text:00017B54 MOV R5, R11
.text:00017B58
.text:00017B58 loc_17B58 ; CODE XREF: codecheck+128j
.text:00017B58 CMP R5, #2
.text:00017B5C BNE loc_17B98
.text:00017B60 LDR R0, [R8]
.text:00017B64 MOVL R3, 0x1FF
.text:00017B6C ADD R0, R0, #0x57
.text:00017B70 ANDS R1, R3, R0,LSR#7
.text:00017B74 BEQ loc_17B84
.text:00017B78
.text:00017B78 loc_17B78 ; CODE XREF: codecheck+C8j
.text:00017B78 EOR R0, R1, R0
.text:00017B7C MOVS R1, R1,LSR#7
.text:00017B80 BNE loc_17B78
.text:00017B84
.text:00017B84 loc_17B84 ; CODE XREF: codecheck+BCj
.text:00017B84 AND R0, R0, #0x7F
.text:00017B88 ADD R2, R0, #1
.text:00017B8C B loc_17BB0
.text:00017B8C ; ---------------------------------------------------------------------------
.text:00017B90 off_17B90 DCD unk_27880 ; DATA XREF: codecheck+94r
.text:00017B94 off_17B94 DCD __rt_udiv ; DATA XREF: codecheck:loc_17B0Cr
.text:00017B98 ; ---------------------------------------------------------------------------
.text:00017B98
.text:00017B98 loc_17B98 ; CODE XREF: codecheck+A4j
.text:00017B98 LDRB R2, [R5,R6]
.text:00017B9C MOV R1, #0xF
.text:00017BA0 ADD R0, SP, #0x68+nameval
.text:00017BA4 BL codecheck_0 ; 497B
.text:00017BA8 MOV R3, R0,LSL#16
.text:00017BAC MOV R2, R3,LSR#16
.text:00017BB0
.text:00017BB0 loc_17BB0 ; CODE XREF: codecheck+D4j
.text:00017BB0 MOV R3, R4,LSL#16
.text:00017BB4 MOV R0, R3,LSR#16
.text:00017BB8 MOV R3, #0xFF
.text:00017BBC MOV R1, R3,LSL R0
.text:00017BC0 AND R3, R1, R2,LSL R0
.text:00017BC4 LDR R2, [R8] ; code_val
.text:00017BC8 AND R2, R2, R1
.text:00017BCC CMP R3, R2
.text:00017BD0 BNE loc_17BF0
.text:00017BD4 ADD R5, R5, #1
.text:00017BD8 ADD R4, R4, #8
.text:00017BDC CMP R5, #3
.text:00017BE0 BCC loc_17B58
.text:00017BE4 MOV R0, #1
.text:00017BE8
.text:00017BE8 loc_17BE8 ; CODE XREF: codecheck+1B0j
.text:00017BE8 ADD SP, SP, #0x44
.text:00017BEC LDMFD SP!, {R4-R11,PC}
.text:00017BF0 ; ---------------------------------------------------------------------------
.text:00017BF0
.text:00017BF0 loc_17BF0 ; CODE XREF: codecheck+118j
.text:00017BF0 CMP R10, #1
.text:00017BF4 ADD R0, SP, #0x68+var_58
.text:00017BF8 STREQB R11, [R9]
.text:00017BFC MOV R4, R11
.text:00017C00 BL reg
.text:00017C04 LDRSB R3, [SP,#0x68+var_58]
.text:00017C08 MOV R3, R3,LSL#24
.text:00017C0C MOVS R3, R3,ASR#24
.text:00017C10 BEQ loc_17C60
.text:00017C14 ADD R0, SP, #0x68+var_58
.text:00017C18 BL sub_179F4
.text:00017C1C LDR R3, [R8]
.text:00017C20 CMP R0, R3
.text:00017C24 BNE loc_17C30
.text:00017C28 CMP R0, #0
.text:00017C2C MOVNE R4, #1
.text:00017C30
.text:00017C30 loc_17C30 ; CODE XREF: codecheck+16Cj
.text:00017C30 LDRSB R3, [R9]
.text:00017C34 CMP R3, #0
.text:00017C38 BEQ loc_17C44
.text:00017C3C CMP R4, #0
.text:00017C40 BEQ loc_17C60
.text:00017C44
.text:00017C44 loc_17C44 ; CODE XREF: codecheck+180j
.text:00017C44 MOV R2, #0x32 ; size_t
.text:00017C48 ADD R1, SP, #0x68+var_58 ; void *
.text:00017C4C MOV R0, R9 ; void *
.text:00017C50 BL memcpy
.text:00017C54 STRB R11, [R9,#0x32]
.text:00017C58 CMP R4, #0
.text:00017C5C BNE loc_17C64
.text:00017C60
.text:00017C60 loc_17C60 ; CODE XREF: codecheck+158j
.text:00017C60 ; codecheck+188j
.text:00017C60 STR R11, [R8]
.text:00017C64
.text:00017C64 loc_17C64 ; CODE XREF: codecheck+1A4j
.text:00017C64 MOV R0, R4
.text:00017C68 B loc_17BE8
.text:00017C68 ; End of function codecheck
可以看到里面有对name简单的合法字符检查(a-z),及一些变换(移位、异或、加等等)。code要求为数字(0-9)。
最后,分三个字节,对code_val和name变换得到的BYTE进行比较。
输入用户名;ww 对应的三次变换分别得到0x4b 0x1b 0x16
因此可得code应为0x161b4b=1448779。
重新输入用户名ww,注册码:1448779。注册成功。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年03月17日 0:24:34
[培训]内核驱动高级班,冲击BAT一流互联网大厂工
作,每周日13:00-18:00直播授课
