
[原創] MP4 Downloader Pro Version: 3.29.6 驗證算法描述

    發表于 2019-12-18 00:12:47 | 只看該作者 回帖獎勵 |倒序瀏覽 |閱讀模式
    本帖最后由 wai1216 于 2019-12-18 00:19 編輯

    作者調用miracl大數庫完成了rsa的加密,通過lstrlenA巧妙地截斷了密文數據,之后將0x3c長度的數據分成0x1c(A)和0x20(B)兩段做check
    其中A段是一段比較零散的驗證
    而B段是通過swprintf %s.{%s} 拼接注冊表中的目錄以及用戶郵箱,組成 {500188E5-47D9-4d40-8738-C820081E87B0}.{[email protected]} 這樣格式的字符串,再對其取md5


    先說加密:
    sub_42C7CD(v8, v7, &v19, &String, 0x1001u, 60, 1180, aDh43ydl65izsin, aO2x)
    sub_42C7CD(int a1, int a2, char *a3, void *a4, size_t a5, int a6, int a7, int a8, int a9)
    
    LABEL_23:
      v15 = _mirsys(100, 0);
      *(v15 + 548) = 1;                             // ->ERCON
      *(v15 + 564) = a6;                            // ->IOBASE = 60
      v16 = __mirvar(0);
      v21 = __mirvar(0);
      v17 = __mirvar(0);
      v22 = __mirvar(0);
      __cinstr(v16, a3);                            // key
      __cinstr(v17, a8);                            // DH43Ydl65IZsIncKnCukuUZgGk8lLSBiC9JlaO5pxiioSXtl5iLTQEU1tnJMBYYUrjePIG9E6J210QFgWwjuRdsc2aw53GqaZ8NZn1itpwvhl52sBgi1RnIdSZhoMh5HDsHKqfILDCZFv6v28cEprsePAMJDPZRYkcZfO67eOCB7Nl66mjqbMZxkieIbqO773J8Qt94n
      __cinstr(v22, a9);                            // O2x --> 0x15233(16)
      if ( _mr_compare(v16, v17) == -1 )
      {
        __powmod(v16, v16, v22, v17, v21);
        _big_to_bytes(v23, v21, a4, 0);
      }
      _cleanup(v16);
      _cleanup(v21);
      _cleanup(v17);
      _cleanup(v22);
      _mirexit();
    LABEL_27:
    


    可以看到,這里使用powmod(key,n,e,c)完成了rsa加密算法,之后再將big_c轉換成bytes_c,注意到mip->IOBASE=60,即作者將n/e/key轉成60進制存儲
    另外mip->ERCON = 1,大概用于如果big_to_bytes沒有轉換成功,不退出程序 // v23 = 1180 / 8 - 1 = 146(0x92)

    之后將check A段
    int __thiscall sub_427100(void *this, wchar_t *lpString)
    {
      // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
    
      v2 = lpString;
      v3 = this;
      if ( wcslen(lpString) != 60 )
        return -1;
      sub_544B54(&v20, v2);
      v5 = *v2;
      v21 = 0;
      sub_53D1A0(&lpString, v5, 1);
      LOBYTE(v21) = 1;
      sub_427752(lpString, v3);
      if ( !(GetTickCount() % 3) && *v3 > 0xAu )
        goto LABEL_75;
      v7 = sub_53D559(&v20, &v19, 1, 2);
      LOBYTE(v21) = 2;
      sub_544C27(&lpString, v7);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      v17 = (v3 + 4);
      sub_427752(lpString, v3 + 4);
      CString::operator=(v2[3]);
      sub_427752(lpString, v3 + 8);
      if ( !(GetTickCount() & 3) && *(v3 + 8) > 0x64u )
        goto LABEL_75;
      v8 = sub_53D559(&v20, &v19, 4, 2);
      LOBYTE(v21) = 3;
      sub_544C27(&lpString, v8);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      sub_427752(lpString, v3 + 12);
      if ( !(GetTickCount() % 5) && *(v3 + 12) > 0x3E8u )
        goto LABEL_75;
      CString::operator=(v2[6]);
      sub_427752(lpString, v3 + 16);
      if ( !(GetTickCount() % 3) && *(v3 + 16) > 0x64u )
        goto LABEL_75;
      CString::operator=(v2[7]);
      sub_427752(lpString, v3 + 20);
      if ( !(GetTickCount() & 3) && *(v3 + 20) > 0x64u )
        goto LABEL_75;
      CString::operator=(v2[8]);
      sub_427752(lpString, v3 + 24);
      if ( !(GetTickCount() % 5) && *(v3 + 24) > 0x64u )
        goto LABEL_75;
      v9 = sub_53D559(&v20, &v19, 9, 2);
      LOBYTE(v21) = 4;
      sub_544C27(&lpString, v9);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      sub_427752(lpString, v3 + 28);
      if ( !(GetTickCount() % 3) && *(v3 + 28) > 0x3E8u )
        goto LABEL_75;
      v10 = sub_53D559(&v20, &v19, 0xB, 2);
      LOBYTE(v21) = 5;
      sub_544C27(&lpString, v10);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      v19 = (v3 + 32);
      sub_427752(lpString, v3 + 32);
      CString::operator=(v2[13]);
      sub_427717(lpString, v3 + 36);
      if ( *(v3 + 36) < -1 || !(GetTickCount() & 3) && *(v3 + 36) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[14]);
      sub_427717(lpString, v3 + 40);
      if ( *(v3 + 40) < -1 || !(GetTickCount() % 5) && *(v3 + 40) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[15]);
      sub_427717(lpString, v3 + 44);
      if ( *(v3 + 44) < -1 || !(GetTickCount() % 3) && *(v3 + 44) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[16]);
      sub_427717(lpString, v3 + 48);
      if ( *(v3 + 48) < -1 || !(GetTickCount() & 3) && *(v3 + 48) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[17]);
      sub_427717(lpString, v3 + 52);
      if ( *(v3 + 52) < -1 || !(GetTickCount() % 5) && *(v3 + 52) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[18]);
      sub_427717(lpString, v3 + 56);
      if ( *(v3 + 56) < -1 || !(GetTickCount() % 3) && *(v3 + 56) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[19]);
      sub_427717(lpString, v3 + 60);
      v11 = *(v3 + 60);
      if ( v11 < -1 )
        goto LABEL_75;
      if ( v11 != -1 )
        *(v3 + 60) = v11 + 2000;
      if ( !(GetTickCount() & 3) )
      {
        v12 = *(v3 + 60);
        if ( v12 != -1 && v12 < 0x7D4 )
          goto LABEL_75;
      }
      CString::operator=(v2[20]);
      sub_427717(lpString, v3 + 64);
      if ( *(v3 + 64) < 0xFFFFFFFF || !(GetTickCount() % 5) && *(v3 + 64) > 0xC )
        goto LABEL_75;
      CString::operator=(v2[21]);
      sub_427717(lpString, v3 + 68);
      if ( *(v3 + 68) < -1 || !(GetTickCount() % 3) && *(v3 + 68) > 0x1F )
        goto LABEL_75;
      CString::operator=(v2[22]);
      sub_427717(lpString, v3 + 72);
      v13 = *(v3 + 72);
      if ( v13 < -1 )
        goto LABEL_75;
      if ( v13 != -1 )
        *(v3 + 72) = v13 + 0x7D0;
      if ( !(GetTickCount() & 3) && *(v3 + 72) > 0x7E8 )
        goto LABEL_75;
      CString::operator=(v2[23]);
      sub_427717(lpString, v3 + 76);
      if ( *(v3 + 76) < -1 || !(GetTickCount() % 5) && *(v3 + 76) > 0xC )
        goto LABEL_75;
      CString::operator=(v2[24]);
      sub_427717(lpString, v3 + 80);
      if ( *(v3 + 80) < -1 || !(GetTickCount() % 3) && *(v3 + 80) > 0x1F )
        goto LABEL_75;
      if ( ((CString::operator=(v2[25]), sub_427717(lpString, v3 + 84), GetTickCount() % 3) || !*(v3 + 84))
        && ((CString::operator=(v2[26]), sub_427717(lpString, v3 + 88), GetTickCount() & 3) || !*(v3 + 88))
        && ((CString::operator=(v2[27]), sub_427717(lpString, v3 + 92), GetTickCount() % 5) || !*(v3 + 92)) )
      {
        v14 = CString::Mid(&v20, &v18, 28);
        LOBYTE(v21) = 6;
        sub_544C27((v3 + 96), v14);
        LOBYTE(v21) = 1;
        sub_544AE0(&v18);
        if ( *v3 == 1 )
        {
          v15 = v19;
          v16 = *v17;
          if ( *v17 & 1 )
            *v19 |= 1u;
          if ( v16 & 2 )
            *v15 |= 2u;
          *v17 = 0;
        }
        v6 = 0;
      }
      else
      {
    LABEL_75:
        v6 = -1;
      }
      LOBYTE(v21) = 0;
      sub_544AE0(&lpString);
      v21 = -1;
      sub_544AE0(&v20);
      return v6;
    }
    


    忽略GetTickCount()帶來的隨機條件,把每個check都當作必須滿足,即不能goto LABEL_75

    通過如下數據進行舉例
    將得到密文
    0343F768  25 00 00 00 74 F7 43 03 00 00 00 00 41 41 41 41  %...t÷C.....AAAA  
    0343F778  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F788  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F798  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F7A8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F7B8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F7C8  41 00 64 35 36 35 65 63 35 35 65 66 63 61 66 32  A.d565ec55efcaf2  
    0343F7D8  64 32 38 61 64 30 62 38 31 34 37 35 33 30 62 32  d28ad0b8147530b2  
    0343F7E8  61 65 21 21 21 33 2D 34 23 23 38 28 3F 25 25 25  ae!!!3-4##8(?%%%  
    0343F7F8  23 23 22 22 22 22 22 22 22 22 22 22 22 23 00 00  ##"""""""""""#..
    
      
    轉換后
    0018D890  23 22 22 22 22 22 22 22 22 22 22 22 23 23 25 25  #"""""""""""##%%  
    0018D8A0  25 3F 28 38 23 23 34 2D 33 21 21 21 65 61 32 62  %?(8##4-3!!!ea2b  
    0018D8B0  30 33 35 37 34 31 38 62 30 64 61 38 32 64 32 66  0357418b0da82d2f  
    0018D8C0  61 63 66 65 35 35 63 65 35 36 35 64 00 41 41 41  acfe55ce565d.AAA  
    0018D8D0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D8E0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D8F0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D900  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D910  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D920  41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00  AA..............
    

    后面的AAAAAAAAAAA可以看作padding,沒有細看具體之后有啥作用

    作者在過程中使用的是大小為0x5e的字符表,從0x21開始 // 這里使用的是wchar_t
    0018CB54  21 00 22 00 23 00 24 00 25 00 26 00 27 00 28 00  !.".#.$.%.&.'.(.  
    0018CB64  29 00 2A 00 2B 00 2C 00 2D 00 2E 00 2F 00 30 00  ).*.+.,.-.../.0.  
    0018CB74  31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00  1.2.3.4.5.6.7.8.  
    0018CB84  39 00 3A 00 3B 00 3C 00 3D 00 3E 00 3F 00 40 00  9.:.;.<.=.>[email protected]  
    0018CB94  41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00  A.B.C.D.E.F.G.H.  
    0018CBA4  49 00 4A 00 4B 00 4C 00 4D 00 4E 00 4F 00 50 00  I.J.K.L.M.N.O.P.  
    0018CBB4  51 00 52 00 53 00 54 00 55 00 56 00 57 00 58 00  Q.R.S.T.U.V.W.X.  
    0018CBC4  59 00 5A 00 5B 00 5C 00 5D 00 5E 00 5F 00 60 00  Y.Z.[.\.].^._.`.  
    0018CBD4  61 00 62 00 63 00 64 00 65 00 66 00 67 00 68 00  a.b.c.d.e.f.g.h.  
    0018CBE4  69 00 6A 00 6B 00 6C 00 6D 00 6E 00 6F 00 70 00  i.j.k.l.m.n.o.p.  
    0018CBF4  71 00 72 00 73 00 74 00 75 00 76 00 77 00 78 00  q.r.s.t.u.v.w.x.  
    0018CC04  79 00 7A 00 7B 00 7C 00 7D 00 7E 00 00 00 00 00  y.z.{.|.}.~.....
    

    將0x1c數據 // char_t
    0018D890  23 22 22 22 22 22 22 22 22 22 22 22 23 23 25 25  #"""""""""""##%%  
    0018D8A0  25 3F 28 38 23 23 34 2D 33 21 21 21 65 61
    

    轉化成 // TABLE_AFTER_CONVERT
    0018EDA0  02 00 00 00 5F 00 00 00 01 00 00 00 5F 00 00 00  ...._......._...  
    0018EDB0  01 00 00 00 01 00 00 00 01 00 00 00 5F 00 00 00  ............_...  
    0018EDC0  60 00 00 00 02 00 00 00 04 00 00 00 04 00 00 00  `...............  
    0018EDD0  04 00 00 00 1E 00 00 00 07 00 00 00 E7 07 00 00  ............ç...  
    0018EDE0  02 00 00 00 02 00 00 00 E3 07 00 00 0C 00 00 00  ........ã.......  
    0018EDF0  12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    


    算法描述
    signed int __cdecl sub_426B4A(_WORD *a1, __int16 a2)
    {
      // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
    
      v2 = a1;
      result = 0;
      while ( *v2 != a2 )
      {
        ++result;
        ++v2;
        if ( result >= 0x5E )
          return 0;
      }
      return result;
    }
    -->
    v12 = 1;
    *a2 = 1;
    v6 = wcslen(a1) - 1;
    if ( v6 >= 0 )
    {
        v7 = &a1[v6];
        v8 = v6 + 1;
        do
        {
            *a2 += v12 * sub_426B4A(&v10, *v7);       // 找到對應字符的位置
            --v7;
            --v8;
            v12 *= 94;
        }
        while ( v8 );
    }
    


    第一次:
    0x23
    獲得對應表中的位置為 2,故TABLE_AFTER_CONVERT[0] = 1 * 2 = 2 // index 從0開始算
    第二次:
    通過
    v7 = sub_53D559(&v20, &v19, 1, 2);
    sub_544C27(&lpString, v7);
    v17 = (v3 + 4);
    sub_427752(lpString, v3 + 4);
    

    構成
    wchar_t(0x22 0x22)
    TABLE_AFTER_CONVERT[1] = 1 * 1 + 94 * 1 = 0x5f
    

    第三次:
    TABLE_AFTER_CONVERT[2] = 1
    

    后面的各項根據代碼即可推斷出,再對應到相應的驗證條件
    TABLE_AFTER_CONVERT[0] <= 0xA
    TABLE_AFTER_CONVERT[2] <= 0x64
    ...
    TABLE_AFTER_CONVERT[15] + 0x7D0 >= 0x7d4
    


    注意到,后面的處理日期,還有一些需要滿足的check
    int __thiscall sub_429A90(void *this)
    {
      // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
    
      v1 = this;
      sub_42B19D(&v42);
      v41 = *(v1 + 136);
      v36 = sub_53DD4E(&v42, 0)->tm_year + 1900;
      v37 = sub_53DD4E(&v42, 0)->tm_mon + 1;
      v38 = sub_53DD4E(&v42, 0)->tm_mday;
      v33 = sub_53DD4E(&v41, 0)->tm_year + 1900;
      v2 = sub_53DD4E(&v41, 0)->tm_mon + 1;
      v35 = sub_53DD4E(&v41, 0)->tm_mday;
      if ( !*(v1 + 120) )
      {
        .........
        .........
        .........
        if ( *(v1 + 122) )
          return 0;
        if ( *(*(v1 + 124) - 8) )
        {
          if ( sub_42790B(*(v1 + 124)) )            // check name
          {
            v4 = *(v1 + 128);
            if ( *(v4 - 2) )                        // check regcode
            {
              if ( sub_427A50(v4, 60) )
              {
                v33 = -1;
                v34 = -1;
                v35 = -1;
                sub_4266B3(*(v1 + 148), &v33);
                v6 = v5;
                if ( !(*(v1 + 44) & 2) || (*(*v1 + 8))(v1, &v33, v1 + 60) )
                {
                  if ( !(*(v1 + 44) & 1) || (*(*v1 + 4))(v1, &v33, v1 + 48) )
                  {
                    if ( !(*(v1 + 44) & 8) || (*(*v1 + 16))(v1, &v36, v1 + 0x54) )
                    {
                      if ( !(*(v1 + 44) & 4) )
                        return 0;
                      v10 = *v1;
                      v11 = v6;
                      unknown_libname_490(&v42);
                      if ( (*(v10 + 12))(v1, v11, v1 + 0x48) )
                        return 0;
                      v12 = GetTickCount();
                      if ( v12 % 3 != 1 )
                      {
                        if ( v12 % 3 != 2 )
                        {
                          v24 = 20;
                          goto LABEL_20;
                        }
                        v25 = 29;
                        v20 = 20;
                        goto LABEL_22;
                      }
                      v26 = 20;
                      v21 = 118;
                    }
                    else
                    {
                      v9 = GetTickCount();
                      if ( v9 % 3 != 1 )
                      {
                        if ( v9 % 3 != 2 )
                        {
                          v24 = 21;
                          goto LABEL_20;
                        }
                        v25 = 30;
                        v20 = 21;
                        goto LABEL_22;
                      }
                      v26 = 21;
                      v21 = 119;
                    }
                  }
                  else
                  {
                    v8 = GetTickCount();
                    if ( v8 % 3 != 1 )
                    {
                      if ( v8 % 3 != 2 )
                      {
                        v24 = 10;
                        goto LABEL_20;
                      }
                      v25 = 19;
                      v20 = 10;
    LABEL_22:
                      sub_42AED9(v1, 2u, v20, 0xCu, v25);
                      return 0;
                    }
                    v26 = 10;
                    v21 = 108;
                  }
                }
                else
                {
                  v7 = GetTickCount();
                  if ( v7 % 3 != 1 )
                  {
                    if ( v7 % 3 != 2 )
                    {
                      v24 = 11;
    LABEL_20:
                      sub_43DFD0(v1, 2u, v24);
                      return 0;
                    }
                    v25 = 20;
                    v20 = 11;
                    goto LABEL_22;
                  }
                  v26 = 11;
                  v21 = 109;
                }
                sub_427DC5(v1, 0x66u, v21, 2u, v26);
                return 0;
              }
            }
          }
        }
    LABEL_74:
        v17 = GetTickCount();
        if ( v17 % 3 == 1 )
        {
          sub_427DC5(v1, 0x68u, 0x6Cu, 4u, 0xAu);
        }
        else if ( v17 % 3 == 2 )
        {
          sub_42AED9(v1, 4u, 0xAu, 0xEu, 0x13u);
        }
        else
        {
          sub_43DFD0(v1, 4u, 0xAu);
        }
        return 0;
      }
      if ( *(v1 + 122) )
        return 0;
      if ( *(*(v1 + 124) - 8) || *(*(v1 + 128) - 8) )
        goto LABEL_74;
      v30 = -1;
      v31 = -1;
      v32 = -1;
      sub_4266B3(*(v1 + 148), &v30);
      v13 = *(v1 + 140);
      v14 = v13 == 0;
      if ( v13 <= 0 )
      {
    LABEL_66:
        if ( !v14 )
          goto LABEL_74;
        v16 = GetTickCount();
        if ( v16 % 3 != 1 )
        {
          if ( v16 % 3 != 2 )
          {
            v27 = 1;
    LABEL_84:
            sub_43DFD0(v1, 1u, v27);
            return 0;
          }
          v28 = 10;
          v22 = 1;
          goto LABEL_86;
        }
        v29 = 1;
        v23 = 99;
        goto LABEL_88;
      }
      if ( v13 > *(v1 + 8) )
      {
        v14 = v13 == 0;
        goto LABEL_66;
      }
      if ( *(v1 + 4) == 10 )
      {
        if ( !dword_689074 )
        {
          sub_429EF4(v1, v13 - 1);
          dword_689074 = 1;
        }
      }
      else if ( *(v1 + 4) == 20 )
      {
        if ( v36 != v33 || v37 != v2 || v38 != v35 )
        {
          sub_41F003(&v42, &v40, v41);
          v15 = *(v1 + 140) - abs(v40 / 86400);
          sub_429EF4(v1, v15);
        }
      }
      else if ( *(v1 + 4) == 21 && (v36 != v33 || v37 != v2 || v38 != v35) )
      {
        sub_429EF4(v1, v13 - 1);
      }
      return 0;
    }
    
    還有沒有其他check就不知道了
    B段就是拼接字符串然后比較md5了
    {
      if ( sub_427100(v39 + 3, v36) )
      {
        v31 = -2;
        _CxxThrowException(&v31, &_TI1H);
      }
      lpWideCharStr = off_68360C;
      v13 = v12[31];
      LOBYTE(v42) = 3;
      sub_53DA79(&lpWideCharStr, aS_S, v12[36]);
      LOBYTE(v27) = HIBYTE(a2);
      std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(0);
      LOBYTE(v42) = 4;
      sub_425CF9(lpWideCharStr);
      sub_42B579(&v33);
      memset(&v23, 0, 0x41u);
      v14 = v28;
      if ( !v28 )
        v14 = MultiByteStr;
      v15 = *(a2 + 4);
      v16 = *a2;
      v11 = (*a2)-- < 1u;
      v17 = v29;
      *(a2 + 4) = v15 - v11;
      if ( _md5(v14, v16, v15, v14, v17, &v23) )
      {
        v30 = -2;
        _CxxThrowException(&v30, &_TI1H);
      }
      sub_544BA9(&v38, &v23);
      LOBYTE(v42) = 5;
      if ( wcscmp(v39[27], v38) )
      {
        v34 = -1;
        _CxxThrowException(&v34, &_TI1H);
      }
      v37 = 0;
      _CxxThrowException(&v37, &_TI1H);
    }
    


    v37=0的話,會走到下面這個類似catch的地方
    .text:0042996E                         loc_42996E:                             ; DATA XREF: .rdata:stru_5929A0↓o
    .text:0042996E                         ;   catch(int) // owned by 429423
    .text:0042996E 83 7D 0C 00                             cmp     [ebp+_regcode], 0
    .text:00429972 0F 85 E6 00 00 00                       jnz     loc_429A5E
    .text:00429978 8D 45 B0                                lea     eax, [ebp+var_50]
    .text:0042997B 50                                      push    eax
    .text:0042997C E8 1C 18 00 00                          call    sub_42B19D
    .text:00429981 8B 7D B4                                mov     edi, [ebp+var_4C]
    .text:00429984 8B 00                                   mov     eax, [eax]
    .text:00429986 8B 1D 88 12 57 00                       mov     ebx, ds:GetTickCount
    .text:0042998C 59                                      pop     ecx
    .text:0042998D 89 87 84 00 00 00                       mov     [edi+84h], eax
    .text:00429993 89 87 88 00 00 00                       mov     [edi+88h], eax
    .text:00429999 FF D3                                   call    ebx ; GetTickCount
    .text:0042999B 6A 03                                   push    3
    .text:0042999D 33 D2                                   xor     edx, edx
    .text:0042999F 59                                      pop     ecx
    .text:004299A0 F7 F1                                   div     ecx
    .text:004299A2 4A                                      dec     edx
    .text:004299A3 74 21                                   jz      short loc_4299C6
    .text:004299A5 4A                                      dec     edx
    .text:004299A6 74 0D                                   jz      short loc_4299B5
    .text:004299A8 6A 00                                   push    0
    .text:004299AA 6A 02                                   push    2
    .text:004299AC 8B CF                                   mov     ecx, edi
    .text:004299AE E8 1D 46 01 00                          call    sub_43DFD0
    .text:004299B3 EB 20                                   jmp     short loc_4299D5
    .text:004299B5                         ; ---------------------------------------------------------------------------
    .text:004299B5
    .text:004299B5                         loc_4299B5:                             ; CODE XREF: sub_429389+61D↑j
    .text:004299B5 6A 09                                   push    9
    .text:004299B7 6A 0C                                   push    0Ch
    .text:004299B9 6A 00                                   push    0
    .text:004299BB 6A 02                                   push    2
    .text:004299BD 8B CF                                   mov     ecx, edi
    .text:004299BF E8 15 15 00 00                          call    sub_42AED9
    .text:004299C4 EB 0F                                   jmp     short loc_4299D5
    .text:004299C6                         ; ---------------------------------------------------------------------------
    .text:004299C6
    .text:004299C6                         loc_4299C6:                             ; CODE XREF: sub_429389+61A↑j
    .text:004299C6 6A 00                                   push    0
    .text:004299C8 6A 02                                   push    2
    .text:004299CA 6A 62                                   push    62h
    .text:004299CC 6A 66                                   push    66h
    .text:004299CE 8B CF                                   mov     ecx, edi
    .text:004299D0 E8 F0 E3 FF FF                          call    sub_427DC5
    .text:004299D5
    .text:004299D5                         loc_4299D5:                             ; CODE XREF: sub_429389+62A↑j
    .text:004299D5                                                                 ; sub_429389+63B↑j
    .text:004299D5 8B CF                                   mov     ecx, edi
    .text:004299D7 E8 B4 00 00 00                          call    sub_429A90
    .text:004299DC 66 83 7F 78 02                          cmp     word ptr [edi+78h], 2
    .text:004299E1 75 07                                   jnz     short loc_4299EA
    .text:004299E3 66 83 7F 7A 00                          cmp     word ptr [edi+7Ah], 0
    .text:004299E8 74 0E                                   jz      short loc_4299F8
    


    如上述所說,注意到sub_429A90還有一些check

    最后手工構造了一下(上面的密文),顯示成功,但可能有些check沒處理完;看了下注冊表中解密后生成的內容是這樣的
    L"1\n2\[url=mailto:[email protected]][email protected][/url]\nttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt\n5DF8F0F7\n5DF8F0F7\n0\n"
    


    KeyGen的話,生成一組rsa數據,其中模數長度為0x1180,指數為0x15233,然后得到明文,模數轉成60進制,前者用于輸入,后者用于patch

    發表于 2019-12-18 09:05:23 | 只看該作者
    膜拜下大神!

    發表于 2019-12-18 10:09:20 | 只看該作者
    膜拜大神 我就看了一下 沒敢看算法 對我來說太復雜了 感謝分享 學習了

    發表于 2019-12-18 10:30:34 | 只看該作者
    精彩的分析,收藏學習

    發表于 2019-12-18 11:02:48 | 只看該作者
    這個一定要頂一下

    發表于 2019-12-18 11:09:01 | 只看該作者
    表哥靜態能力好強大,先Mark,坐等表哥Python算法學習

    發表于 2019-12-18 18:28:36 | 只看該作者
    太過精彩,小白們亞歷山大

    發表于 2019-12-19 07:21:37 | 只看該作者
    雖然看不懂,但這么多人加分,應該很難牛逼。

    發表于 2019-12-20 07:41:28 | 只看該作者
    雖然看不懂,但是后期應該會看懂。謝謝大神分享
